This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, master has been updated via 9deeda77b6fc4d62dce279b9854094ae8fcf4a4a (commit) via 668119063c630ff3fd7e8b6f1b608374c6c43f60 (commit) via eaf004a4683518d80a1ad1ab0d0666aed34408cc (commit) via b57220aacdc2868f2ffab38348cf6f04af5c02a0 (commit) via c448474fc7032d9c522ba468b532d7920e0da6f4 (commit) via beac5489627eafefcc6dd3adabfd1c74ffacc4d0 (commit) via e26e86dcaa2b35d7e6500c088d4f2afba4c4ddd8 (commit) via 56947acb12176f397cbd5078c5544cdc4f19b27b (commit) via f1042a5d4401ff6feb16eb18f1fcd48936e8c878 (commit) via 8288c0394bb96f5aa3878ea86c05c2d92d677347 (commit) via 04f9321955606822aad7719fed4e80e26a1f82f9 (commit) via 199db95a705e059972d34b578b55606a65851904 (commit) via 61424e9c67334f2940ec8be66612b0a6b4df7adb (commit) via 9f7524c8b0832353838255d4b64cf36555e92d56 (commit) via e29c6d29c9b800ca9c8b818f16e571672cd90a9f (commit) via 15b1a3e360a277dc7481103f8ddcbf189033e3a6 (commit) via 50fcec161cb56ceb850d6cbda16d34f43d2d653b (commit) via 3d0a1908438dbb7bd6f19c436bdb91f0b6b8fb81 (commit) via 7996c5fee9627f4fff0fd910d147341846788408 (commit) via 661fdb02c28c64748b98a305dc63281a9225bbd8 (commit) via 06fc6170a2b8827125977c2f4e9c6f94e7d93c0a (commit) via 57d1564b3efdffb713d915b0dc66a2a24074c5f9 (commit) via c0ac5ae2a77d85ab4575bbbca022f18898bead5f (commit) via ea8a02c232835200d5ea37d4c72e75b864beb8b0 (commit) via 1ececb67a1f83dd931e31d66893893ce542d0814 (commit) via 025d8e63185e49d252ee6abb37008c8e5c26bf6b (commit) via 71a355c3a246a5de886ffee0376d83be942f48df (commit) via b15b70bc6b6b5f6d8b62e5b730b68d86f59810e6 (commit) via eb09c90ef47606f616201fddc5e783149aee9228 (commit) via 297473d5f4d7ba6734762ec71a8d86c07332a99c (commit) via 9ff5b381eb8a4e129978c34f969e312c302ea7b1 (commit) via d53537ced9f0c52dbd8446e5e582275ba0053847 (commit) via a843073c8e93e15fd8e18064abde5e3d3af67368 (commit) via 7691a1bfe73067cb2f3ad3470d0000faf029a24f (commit) via eeee108f183e8d39e27154ee19c1ee0a8b27be11 (commit) via 77c863a2f113404a7f30b8591b9972291328980b (commit) via e4ee36fa170d08bccbbd32fe0d56e53f072a2f97 (commit) via deffc27598806b43ae03a4fb666f2f0254a94066 (commit) via 85560933590e6ef401216b3b4fba9df917b25a22 (commit) via 23164efba5f57b3d8ccb07a166b613f2f951e1b6 (commit) via ea9cb48ae775a7040edaf58224535b71dcde25ea (commit) via b2ee5e8aa4056c7ce07fa753b677768b954e8c0b (commit) via d6d5999af1cf53a4a7609935f41e2ca03bf92d6c (commit) via 146c837e78449c63e858378dfc84cba9d6a490ce (commit) via 5a3c9ef298b9004876691f95a63905c11cfdab84 (commit) via 758a1893a190249e3bd6a0cca7d9ab21be20a4a8 (commit) via 3f2341da8d3b517466f42338956342fde6e45eec (commit) via 26796f3a4b9f6900e46812fc91090894b1d75658 (commit) via a079f7aaeefbb66283a10466e80be5695828217a (commit) via d50a78220d220d755d5d86fe0dcfc249f8dd2afb (commit) via 3d01a8f1a66d84024f3c9472dfda749d8c224a34 (commit) via 46a073f1b5538d3606c8f3b67787be6d0f29f03a (commit) via 7c57cbe24b4a48dbce6cdede9f0211bca9707890 (commit) via 6ca3265c41d5cfa0232a6c2c87d244fc159a0453 (commit) via 15c71234ca3762c0565f96507e17fc4d6397f254 (commit) via ae45fb5193d1e45acf9b4405064571edaafb0b31 (commit) via ae4ca7ef1305a66937a98c687375032c74b1429c (commit) via aa88b2ef592401863585d7f6fc1eb7b63849f7d0 (commit) via e1982c695c6faf86fb74c48c151985acb1f9250e (commit) via 771c9b78eeb54a405608884dc3a4e9e5fa961b1a (commit) via d6af912c83827b231eb989ff1349a3243fd52902 (commit) via fb47c465e8e46c3a0c22fb9b2575eec2adb3ad82 (commit) via ebda3cb93b2227831ced8e55bdf8c05139304819 (commit) via f907865389cb8e0b8cf8ab962dd03a07c4bf04a8 (commit) via 7c85ff1362c3ebc3d9d54f4ac31dc8eebbc4c530 (commit) via 31672dc8bdb223ebf425ff96be64318f2d68e0d7 (commit) via 4eb23a91987a39c504e10d96d89bd1de46f9c0fe (commit) via 820ab96c6927c4e3ecbbe2df1342b635cc598ce7 (commit) via 2f7e8b59a69e3b1ca14a1d6c6b2ccb62e118a1f0 (commit) via f6a1d9e929041315d122ddd0babed554bdaeb23f (commit) via 97499aa8a3c7b85de7609126f77ec41ab03cf469 (commit) via ab83c4876a83c643d64d128828f50146710b7799 (commit) via 82b405615f47bb1dc34f4a3b488cb282058e9be3 (commit) via 0675a66d83d8a06f29e33e7c9533cfac676b1720 (commit) via cc0104dce371265e15484d666606b33d924cc609 (commit) via b66c2faac28aa63d4b8a1275ee9b7d224deeb786 (commit) via 07b73b195c8c6cf40cd80ed323e7719f77ebb96e (commit) via 97a238f4bf11d8f1964c764216bc55020a54e3d4 (commit) via 59db01c753d0a6240ccfd10e3561e88958fc1da0 (commit) via 50d1bbf0f56b76148f10bbe2195df45ad3b60cb3 (commit) via b5ef99df2c34d9e9f614c0b3d57d32a8890139c0 (commit) via 8be516b3bcc2b9f30f8d44f44450be57b68d0025 (commit) via 41f3351320d603d2445471743c7e1c72e435eda6 (commit) via 1e2b25778909f3e64bdbe67ec81fa5937940a594 (commit) via 7ba652af8c16d9d0c84292cdc75f35af5cd628f3 (commit) via f9dd13464554b7b7915a7f792fcdf0b96381ccf0 (commit) via d985ce5ae91b5749b629ad24a028249bfbd76372 (commit) via 38f6bdb74081bd68493d6636a20cda9b884d6bff (commit) via 517683eeb17637acfda9895fd64d9347cde7e08e (commit) via 26c2cc580b37ee4ae7ad68c874ba844eafa79ae4 (commit) via 68263645802e5eb00350fbd50a90fe2583186ec2 (commit) via 1ca2f88a74caa32f534434f4b095bde6107d7760 (commit) via c32fc72e36daf8510949aa8a0fea695cc080c9d3 (commit) via ae0d069827a3ca07b6688869a108d7edce268b32 (commit) via 455fdcb17a1c826f7d979368716def3884a5e590 (commit) via 7e25093d42e4198cc0f0233e5303fa2175672095 (commit) via 605c391aafd73583edaf4378fca62cae61afa3a0 (commit) via c94aa254759e544aa8dd50bb5c4c370ac97e78e6 (commit) via 327d1223f3564660a1d02181e32ae119318fc7a6 (commit) via c821440cedffe2a2d464c473130f1991b061b791 (commit) via 6a45a1f1015ff1d23de0f5b7510b00835243c107 (commit) via 54bac01402419bf109be43be8832f2a064af3baf (commit) via 3dc21d43bf5aafc1e34032e30bcf05ff493d62f2 (commit) via 1a45f9a70abe266938d9e6bd6a6ea8858cbbef7e (commit) via a56357b8be20e4a3d31d2a541518b74d6741d57c (commit) via 216bd9b389b984dd991d1a9011901e68ef5f0a6b (commit) via 4cf038dcfeec1cbba5e1453e776d02976eef9524 (commit) via 05af70c2f32988cc38f1c50d37e8d191170a26ce (commit) via f2d45a45ab78d6b2a557d515d84785a8daaa182f (commit) via 68e69b676fa5e588cbf1db951aa9cbc4547e8b55 (commit) via 3446a17293bfcbda19a353b755aa9d61530074ad (commit) via b8c153bca5064a2e40e5c71be91df30b520e4824 (commit) via 90aa4f1083c28a95d74bae58876bbd77c691771c (commit) via b89ae1a4e3596153a192da3f220dc54565078cac (commit) via 5a9c9ff3127e3266b4dd00dd0a57f9774647db27 (commit) via b54cd874b9c3f566cf65d290f13982c134c5a28b (commit) via 2704dbbc28c0192d4b3dcd903496c2fb37e87c2e (commit) via 4cf4f8f62310e508173de650b867ded5933d7d56 (commit) via 6cf8bc9161c21dd7c274d09473ab46e3094204ac (commit) via 6c920b19cd768445a66f5be58c4701b878d5b943 (commit) via b01c17e9d0096c87185dfd1e04d712ec225d25aa (commit) via 55842dda690b077eeb3b0ed0af8f06827ef03f43 (commit) via 746413170688bc0e05d689fe539bea716752f34f (commit) via 8ebe72541619278f97fc0be145057f5fc59581c6 (commit) via 1e9457ac6fa032dc9e7d9f01e3780236e544ef6b (commit) via cae1f4a7a82f47703afb0cc25ff71f7585b28c2b (commit) via 5e6fa03e1ec00bbecf4c786c9e097617ec7f8aa3 (commit) via 326728d53d1ed4cedf8d180ab51ddfedb1488045 (commit) via 29f5e0e2b9e0f3996ade9d9ba5a8834ae8480f28 (commit) from e37e796206b575d87d652c5c68a96296dbbb8543 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log ----------------------------------------------------------------- commit 9deeda77b6fc4d62dce279b9854094ae8fcf4a4a Author: Arne Fitzenreiter arne_f@ipfire.org Date: Wed Mar 13 15:18:52 2019 +0100
core129: finish update
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 668119063c630ff3fd7e8b6f1b608374c6c43f60 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Wed Mar 13 15:17:28 2019 +0100
u-boot: try to boot without ramdisk if the system cannot load it
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit eaf004a4683518d80a1ad1ab0d0666aed34408cc Author: Arne Fitzenreiter arne_f@ipfire.org Date: Wed Mar 13 15:06:23 2019 +0100
knot: update to 2.8.0 and build/install only kdig
This fix compile errors on small arm boards. (cc1 internal error)
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit b57220aacdc2868f2ffab38348cf6f04af5c02a0 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Wed Mar 13 15:04:40 2019 +0100
groff: update to 1.22.4
This fix compile problems on small arm boards. (cc1 internal error)
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit c448474fc7032d9c522ba468b532d7920e0da6f4 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Wed Mar 13 09:38:21 2019 +0100
Revert "kernel: cleanup unused rpi patch"
This reverts commit a2d49659f3947e5a5a77cbc1bf384eb0b2760ca9.
The patch is still needed to prevent strange crashes
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit beac5489627eafefcc6dd3adabfd1c74ffacc4d0 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Mar 11 15:58:45 2019 +0000
Update list of contributors
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit e26e86dcaa2b35d7e6500c088d4f2afba4c4ddd8 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Mar 11 15:58:04 2019 +0000
core129: Ship updated dnsforward.cgi
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 56947acb12176f397cbd5078c5544cdc4f19b27b Merge: f1042a5d4 1ececb67a Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Mar 11 15:57:15 2019 +0000
Merge remote-tracking branch 'ms/dns-forwarding' into next
commit f1042a5d4401ff6feb16eb18f1fcd48936e8c878 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Mar 11 09:54:19 2019 +0000
core129: Ship updated dhcp.cgi
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 8288c0394bb96f5aa3878ea86c05c2d92d677347 Merge: 04f932195 31672dc8b Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Mar 11 09:53:56 2019 +0000
Merge remote-tracking branch 'ms/dhcp' into next
commit 04f9321955606822aad7719fed4e80e26a1f82f9 Author: Peter Müller peter.mueller@ipfire.org Date: Fri Mar 8 19:17:00 2019 +0000
Tor WebUI: drop relay bandwith options < 1 MBit/s
Tor requires at least 1 MBit/s in order to participate.
Fixes #12001
Signed-off-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 199db95a705e059972d34b578b55606a65851904 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Mar 11 09:38:56 2019 +0000
dnsdist: Limit to fewer concurrent build processes
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 61424e9c67334f2940ec8be66612b0a6b4df7adb Author: Michael Tremer michael.tremer@ipfire.org Date: Sun Mar 10 18:23:22 2019 +0000
core129: Ship updated less
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 9f7524c8b0832353838255d4b64cf36555e92d56 Author: Peter Müller peter.mueller@ipfire.org Date: Fri Mar 8 19:19:00 2019 +0000
less: update to 530
Signed-off-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit e29c6d29c9b800ca9c8b818f16e571672cd90a9f Author: Peter Müller peter.mueller@ipfire.org Date: Fri Mar 8 19:22:00 2019 +0000
Postfix: update to 3.4.1
Signed-off-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 15b1a3e360a277dc7481103f8ddcbf189033e3a6 Author: Matthias Fischer matthias.fischer@ipfire.org Date: Sun Mar 10 18:04:31 2019 +0100
slang: revert parallelized build
This partially reverts https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=lfs/slang;h=217e74c77317d4...
'slang 2.3.0' doesn't like "$(MAKETUNING)"
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 50fcec161cb56ceb850d6cbda16d34f43d2d653b Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Mar 8 10:11:23 2019 +0000
/etc/group: Order groups by ID
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 3d0a1908438dbb7bd6f19c436bdb91f0b6b8fb81 Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Mar 8 10:08:02 2019 +0000
/etc/passwd: Order users by ID
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 7996c5fee9627f4fff0fd910d147341846788408 Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Mar 8 10:04:28 2019 +0000
zabbix_agent: Create /var/run/zabbix in initscript
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 661fdb02c28c64748b98a305dc63281a9225bbd8 Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Mar 8 09:58:56 2019 +0000
zabbix_agent: Ensure that the user exists on all systems
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 06fc6170a2b8827125977c2f4e9c6f94e7d93c0a Author: Alexander Koch ipfire@starkstromkonsument.de Date: Thu Feb 14 00:06:19 2019 +0100
zabbix_agentd: New addon
New addon for monitoring IPFire by Zabbix Monitoring (https://www.zabbix.com/features). See https://forum.ipfire.org/viewtopic.php?f=52&t=22039 and https://lists.ipfire.org/pipermail/development/2019-February/005324.html for further details.
Best regards, Alex
Signed-off-by: Alexander Koch ipfire@starkstromkonsument.de Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 57d1564b3efdffb713d915b0dc66a2a24074c5f9 Author: Erik Kapfer ummeegge@ipfire.org Date: Fri Mar 8 05:51:55 2019 +0100
iptables: Commented legacy ip(6)tables entries from ROOTFILE
Signed-off-by: Erik Kapfer ummeegge@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit c0ac5ae2a77d85ab4575bbbca022f18898bead5f Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Mar 7 11:27:19 2019 +0000
installer: Download ISO via HTTPS
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit ea8a02c232835200d5ea37d4c72e75b864beb8b0 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Mar 7 10:29:31 2019 +0000
Revert "boost: Build with -O2 only"
This reverts commit 9ff5b381eb8a4e129978c34f969e312c302ea7b1.
Boost wants to build with -O3 no matter what
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 1ececb67a1f83dd931e31d66893893ce542d0814 Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Mar 5 16:58:29 2019 +0000
unbound: Mark domains as insecure from DNS forwarding
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 025d8e63185e49d252ee6abb37008c8e5c26bf6b Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Mar 5 16:10:17 2019 +0000
DNS Forwarding: Add UI to Allow to disable DNSSEC for a zone
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 71a355c3a246a5de886ffee0376d83be942f48df Merge: 26796f3a4 b15b70bc6 Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Mar 5 15:25:36 2019 +0000
Merge branch 'ipsec-on-demand' into next
commit b15b70bc6b6b5f6d8b62e5b730b68d86f59810e6 Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Mar 5 15:24:19 2019 +0000
vpnmain.cgi: Make on-demand mode default for IPsec VPNs
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit eb09c90ef47606f616201fddc5e783149aee9228 Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Mar 5 15:23:33 2019 +0000
vpnmain.cgi: Carry over START_ACTION attribute correctly
This setting was not carried correctly and therefore the default was ignored.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 297473d5f4d7ba6734762ec71a8d86c07332a99c Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Mar 4 17:21:15 2019 +0000
make.sh: Fit more processes into memory
Because we have a good way to limit processes now, we should increase the default size a little bit
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 9ff5b381eb8a4e129978c34f969e312c302ea7b1 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Mar 4 17:20:52 2019 +0000
boost: Build with -O2 only
This should increase build speed
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit d53537ced9f0c52dbd8446e5e582275ba0053847 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Mar 4 11:57:22 2019 +0000
Config: Builds don't seem to like the space
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit a843073c8e93e15fd8e18064abde5e3d3af67368 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Mar 4 11:52:34 2019 +0000
perl: Limit build to 23 parallel processes
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 7691a1bfe73067cb2f3ad3470d0000faf029a24f Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Mar 4 11:51:08 2019 +0000
make.sh: Introduce MAX_PARALLELISM
This will now adjust MAKETUNING to not launch more processes than MAX_PARALLELISM. Handy to limit builds that use a lot of memory.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit eeee108f183e8d39e27154ee19c1ee0a8b27be11 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Mar 4 11:45:30 2019 +0000
make.sh: Drop MAKETUNING
This is now set in lfs/Config
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 77c863a2f113404a7f30b8591b9972291328980b Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Mar 4 11:43:47 2019 +0000
make.sh: Introduce DEFAULT_PARALLELISM
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit e4ee36fa170d08bccbbd32fe0d56e53f072a2f97 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Mar 4 11:38:38 2019 +0000
make.sh: Use variable instead of calling system_processors function again
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit deffc27598806b43ae03a4fb666f2f0254a94066 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Mar 4 11:35:15 2019 +0000
make.sh: Rename HOST_MEM to SYSTEM_MEMORY
We had two variables holding the same data
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 85560933590e6ef401216b3b4fba9df917b25a22 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Mar 4 11:33:50 2019 +0000
make.sh: Pass number of processors and total memory so that we can adjust MAKETUNING
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 23164efba5f57b3d8ccb07a166b613f2f951e1b6 Author: Wolfgang Apolinarski wolfgang.apolinarski@ipfire.org Date: Wed Feb 20 20:18:06 2019 +0100
Parallelized build for several packages
Added $(MAKETUNING) to several packages. Marked packages that do not support parallel build.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit ea9cb48ae775a7040edaf58224535b71dcde25ea Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Mar 4 09:25:13 2019 +0000
core129: Ship wpa_supplicant
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit b2ee5e8aa4056c7ce07fa753b677768b954e8c0b Author: Matthias Fischer matthias.fischer@ipfire.org Date: Tue Mar 5 19:12:52 2019 +0100
wpa_supplicant: Update to 2.7
For details see: https://w1.fi/cgit/hostap/plain/wpa_supplicant/ChangeLog
Best, Matthias
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit d6d5999af1cf53a4a7609935f41e2ca03bf92d6c Author: Matthias Fischer matthias.fischer@ipfire.org Date: Tue Mar 5 19:12:51 2019 +0100
hostapd: Update to 2.7
For details see: https://w1.fi/cgit/hostap/plain/hostapd/ChangeLog
This patch sticks to 'wpa_supplicant: Update to 2.7'.
Best, Matthias
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 146c837e78449c63e858378dfc84cba9d6a490ce Author: Michael Tremer michael.tremer@ipfire.org Date: Sun Mar 3 13:33:52 2019 +0000
netsnmp: Fix rootfile to build on other architectures
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 5a3c9ef298b9004876691f95a63905c11cfdab84 Author: Erik Kapfer ummeegge@ipfire.org Date: Wed Feb 27 06:03:48 2019 +0100
netsnmpd: OpenSSL patch is incl. in new version
Signed-off-by: Erik Kapfer ummeegge@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 758a1893a190249e3bd6a0cca7d9ab21be20a4a8 Author: Erik Kapfer ummeegge@ipfire.org Date: Wed Feb 27 06:03:47 2019 +0100
netsnmpd: Update to version 5.8
Overview of the changes can be found in here https://sourceforge.net/p/net-snmp/mailman/message/36386084/ .
Signed-off-by: Erik Kapfer ummeegge@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 3f2341da8d3b517466f42338956342fde6e45eec Author: Erik Kapfer ummeegge@ipfire.org Date: Sun Mar 3 09:09:18 2019 +0100
iptables: Update to 1.8.2
netfilter-layer7 has also been updated to v2.23 .
Signed-off-by: Erik Kapfer ummeegge@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 26796f3a4b9f6900e46812fc91090894b1d75658 Author: Michael Tremer michael.tremer@ipfire.org Date: Sat Mar 2 14:55:04 2019 +0000
Unpack intel microcode before initramfs images are being built
Previously, the microcode updates were not packaged in the shipped initramfs images which causes that Intel processors are still running on outdated microcode.
This patch moves intel-microcode before we build the initramfs images.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit a079f7aaeefbb66283a10466e80be5695828217a Author: Michael Tremer michael.tremer@ipfire.org Date: Sat Mar 2 14:14:14 2019 +0000
core129: Ship updated proxy.cgi
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit d50a78220d220d755d5d86fe0dcfc249f8dd2afb Author: Matthias Fischer matthias.fischer@ipfire.org Date: Sun Mar 3 09:37:01 2019 +0100
Bug 12008 - Typo in 'proxy.cgi' leads to wrong path for 'basic_ldap_auth'
Hi,
This should fix https://bugzilla.ipfire.org/show_bug.cgi?id=12008
Best, Matthias
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 3d01a8f1a66d84024f3c9472dfda749d8c224a34 Author: Michael Tremer michael.tremer@ipfire.org Date: Sat Mar 2 14:12:18 2019 +0000
core129: Ship updated ipset
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 46a073f1b5538d3606c8f3b67787be6d0f29f03a Author: Erik Kapfer ummeegge@ipfire.org Date: Sun Mar 3 09:22:50 2019 +0100
ipset: Update to version 7.1
Signed-off-by: Erik Kapfer ummeegge@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 7c57cbe24b4a48dbce6cdede9f0211bca9707890 Author: Michael Tremer michael.tremer@ipfire.org Date: Sat Mar 2 14:11:02 2019 +0000
core129: Ship updated tar
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 6ca3265c41d5cfa0232a6c2c87d244fc159a0453 Author: Matthias Fischer matthias.fischer@ipfire.org Date: Sat Mar 2 21:24:15 2019 +0100
tar: Update to 1.32
For details see: http://git.savannah.gnu.org/cgit/tar.git/log/
Best, Matthias
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 15c71234ca3762c0565f96507e17fc4d6397f254 Author: Michael Tremer michael.tremer@ipfire.org Date: Sat Mar 2 14:10:21 2019 +0000
core129: Ship updated bind
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit ae45fb5193d1e45acf9b4405064571edaafb0b31 Author: Matthias Fischer matthias.fischer@ipfire.org Date: Sat Mar 2 21:19:03 2019 +0100
bind: Update to 9.11.6
For details see: http://ftp.isc.org/isc/bind9/9.11.6/RELEASE-NOTES-bind-9.11.6.html
Best, Matthias
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit ae4ca7ef1305a66937a98c687375032c74b1429c Author: Michael Tremer michael.tremer@ipfire.org Date: Sat Mar 2 14:09:00 2019 +0000
core129: Ship updated squid
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit aa88b2ef592401863585d7f6fc1eb7b63849f7d0 Author: Matthias Fischer matthias.fischer@ipfire.org Date: Sat Mar 2 21:08:06 2019 +0100
squid: Update to 4.6
For details see: http://www.squid-cache.org/Versions/v4/changesets/
The 'configure'-option "--disable-ipv6" was removed, it is no longer necessary.
See: https://lists.ipfire.org/pipermail/development/2016-April/002046.html
"The --disable-ipv6 build option is now deprecated. ... Squid-3.5.7 and later will perform IPv6 availability tests on startup in all builds.
- Where IPv6 is unavailable Squid will continue exactly as it would have had the build option not been used.
These Squid can have the build option removed now."
The warning message concerning a "BCP 177 violation" while starting 'squid' can be ignored.
Best, Matthias
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit e1982c695c6faf86fb74c48c151985acb1f9250e Author: Michael Tremer michael.tremer@ipfire.org Date: Sat Mar 2 13:24:44 2019 +0000
spectre-meltdown-checker: New package
This makes it easy to install the script and check the vulnerability status of a system IPFire is running on.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 771c9b78eeb54a405608884dc3a4e9e5fa961b1a Author: Michael Tremer michael.tremer@ipfire.org Date: Sat Mar 2 13:01:42 2019 +0000
binutils: Ship strings & readelf
This is needed by the spectre meltdown checker script
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit d6af912c83827b231eb989ff1349a3243fd52902 Author: Michael Tremer michael.tremer@ipfire.org Date: Sat Mar 2 12:01:06 2019 +0000
Update German translation
Mainly adds translation for new IPsec features
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit fb47c465e8e46c3a0c22fb9b2575eec2adb3ad82 Author: Stéphane Pautrel stephane.pautrel@gmail.com Date: Sat Mar 2 11:48:05 2019 +0000
Update of French translation
- Several syntax / vocabulary improvements - A 2 text missing in the French version - Improvement of text offering a donation for the users
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit ebda3cb93b2227831ced8e55bdf8c05139304819 Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Feb 27 03:52:26 2019 +0000
Update openssl rootfile
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit f907865389cb8e0b8cf8ab962dd03a07c4bf04a8 Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Feb 26 17:25:11 2019 +0000
core129: Ship updated OpenSSL
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 7c85ff1362c3ebc3d9d54f4ac31dc8eebbc4c530 Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Feb 26 16:42:49 2019 +0000
openssl: Update to 1.1.1b
This is a bug fix only release
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 31672dc8bdb223ebf425ff96be64318f2d68e0d7 Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Feb 26 11:02:56 2019 +0000
DHCP: Fix error when editing a newly added fixed lease
They key was remembered but then the array was sorted which resulted the key showing a wrong line.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 4eb23a91987a39c504e10d96d89bd1de46f9c0fe Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Feb 26 10:18:33 2019 +0000
DHCP: Restart server in background
This allows for the CGI to return quicker.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 820ab96c6927c4e3ecbbe2df1342b635cc598ce7 Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Feb 26 10:16:21 2019 +0000
DHCP: Escape slashes in filename
Fixes: #12006 Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 2f7e8b59a69e3b1ca14a1d6c6b2ccb62e118a1f0 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Feb 25 02:31:23 2019 +0000
core129: Ship updated credits.cgi
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit f6a1d9e929041315d122ddd0babed554bdaeb23f Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Feb 25 02:30:56 2019 +0000
Update list of contributors
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 97499aa8a3c7b85de7609126f77ec41ab03cf469 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Feb 25 02:29:29 2019 +0000
core129: Ship updated OpenVPN
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit ab83c4876a83c643d64d128828f50146710b7799 Author: Erik Kapfer ummeegge@ipfire.org Date: Tue Feb 26 11:56:47 2019 +0100
OpenVPN: Update to version 2.4.7
Changelog can be found in here https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24 .
Signed-off-by: Erik Kapfer ummeegge@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 82b405615f47bb1dc34f4a3b488cb282058e9be3 Author: Peter Müller peter.mueller@ipfire.org Date: Sat Feb 23 16:54:00 2019 +0000
update Tor to 0.3.5.8
See https://blog.torproject.org/new-releases-tor-0402-alpha-0358-03411-and-03312 for release notes.
Signed-off-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 0675a66d83d8a06f29e33e7c9533cfac676b1720 Author: Peter Müller peter.mueller@ipfire.org Date: Sat Feb 23 16:54:00 2019 +0000
update metrics links in Tor WebUI
https://atlas.torproject.org/ is deprecated in favour of https://metrics.torproject.org/ by now.
Fixes #11781.
Signed-off-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit cc0104dce371265e15484d666606b33d924cc609 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Feb 25 00:58:04 2019 +0000
core129: Ship updated libgcrypt
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit b66c2faac28aa63d4b8a1275ee9b7d224deeb786 Author: Peter Müller peter.mueller@ipfire.org Date: Sat Feb 23 16:58:00 2019 +0000
libgcrypt: update to 1.8.4
Signed-off-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 07b73b195c8c6cf40cd80ed323e7719f77ebb96e Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Feb 25 00:56:49 2019 +0000
core129: Ship updated unbound
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 97a238f4bf11d8f1964c764216bc55020a54e3d4 Author: Matthias Fischer matthias.fischer@ipfire.org Date: Sat Feb 9 10:40:36 2019 +0100
unbound: Update to 1.9.0
For details see: https://nlnetlabs.nl/svn/unbound/tags/release-1.9.0/doc/Changelog
Best, Matthias
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 59db01c753d0a6240ccfd10e3561e88958fc1da0 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Feb 25 00:55:31 2019 +0000
core129: Ship changes from ipsec branch
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 50d1bbf0f56b76148f10bbe2195df45ad3b60cb3 Merge: b5ef99df2 8be516b3b Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Feb 25 00:48:08 2019 +0000
Merge branch 'ipsec' into next
commit b5ef99df2c34d9e9f614c0b3d57d32a8890139c0 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Feb 25 00:47:28 2019 +0000
Start Core Update 129
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 8be516b3bcc2b9f30f8d44f44450be57b68d0025 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Feb 4 18:38:24 2019 +0000
strongswan: Do not create any NAT rules when using VTI/GRE
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 41f3351320d603d2445471743c7e1c72e435eda6 Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Jan 22 13:19:00 2019 +0000
Drop "OpenVPN" part from VPN N2N stats page
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 1e2b25778909f3e64bdbe67ec81fa5937940a594 Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Jan 22 13:15:48 2019 +0000
Add routed IPsec connections to traffic graphs section
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 7ba652af8c16d9d0c84292cdc75f35af5cd628f3 Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Jan 22 12:46:53 2019 +0000
firewall: Write correct rules bound to interface for routes IPsec tunnels
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit f9dd13464554b7b7915a7f792fcdf0b96381ccf0 Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Jan 22 11:34:49 2019 +0000
ipsec-interfaces: Resolve any remote hostnames
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit d985ce5ae91b5749b629ad24a028249bfbd76372 Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Jan 22 11:26:32 2019 +0000
ipsec-interfaces: Move conditional block into the loop
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 38f6bdb74081bd68493d6636a20cda9b884d6bff Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Jan 21 17:40:12 2019 +0000
ipsec: Drop delayed restart setting
This is a very bad race-condition situation and is not solved by an unintuitive setting.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 517683eeb17637acfda9895fd64d9347cde7e08e Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Jan 21 17:08:57 2019 +0000
ipsec: Drop VPN_IP setting
This is now a per-connection setting
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 26c2cc580b37ee4ae7ad68c874ba844eafa79ae4 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Jan 21 16:52:39 2019 +0000
ipsec: Add translation strings for recent changes
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 68263645802e5eb00350fbd50a90fe2583186ec2 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Jan 21 16:44:03 2019 +0000
ipsec-*: Name some more configuration variables
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 1ca2f88a74caa32f534434f4b095bde6107d7760 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Jan 21 16:41:16 2019 +0000
ipsec-interfaces: Uses local IP address from connection first, then default
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit c32fc72e36daf8510949aa8a0fea695cc080c9d3 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Jan 21 16:33:53 2019 +0000
ipsec-policy: Correct open ports for connections on aliases
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit ae0d069827a3ca07b6688869a108d7edce268b32 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Jan 21 16:20:13 2019 +0000
ipsec: Allow to select local IP address used for peer on UI
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 455fdcb17a1c826f7d979368716def3884a5e590 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Jan 21 15:36:16 2019 +0000
ipsec: Re-arrange inputs for peer addresses, subnets, etc.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 7e25093d42e4198cc0f0233e5303fa2175672095 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Jan 21 15:32:08 2019 +0000
ipsec: Don't allow to select VTI in transport mode
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 605c391aafd73583edaf4378fca62cae61afa3a0 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Jan 21 14:34:19 2019 +0000
vpnmain.cgi: Don't populate GREEN subnet when green doesn't exist
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit c94aa254759e544aa8dd50bb5c4c370ac97e78e6 Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Jan 16 20:29:25 2019 +0100
ipsec-interfaces: Fix typo in variable name
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 327d1223f3564660a1d02181e32ae119318fc7a6 Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Jan 9 20:23:42 2019 +0100
strongswan: No longer create any routes automatically
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit c821440cedffe2a2d464c473130f1991b061b791 Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Jan 9 20:10:02 2019 +0100
ipsec: Filter better for GRE/VTI interfaces
This tried to delete the GREEN interface before
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 6a45a1f1015ff1d23de0f5b7510b00835243c107 Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Jan 9 19:56:01 2019 +0100
ipsec: TTL only applies for GRE interfaces and not VTI
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 54bac01402419bf109be43be8832f2a064af3baf Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Jan 9 19:52:46 2019 +0100
ipsec: Find correct RED IP address when using %defaultroute
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 3dc21d43bf5aafc1e34032e30bcf05ff493d62f2 Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Jan 9 19:52:24 2019 +0100
ipsec: Log a message when an interface could not be created
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 1a45f9a70abe266938d9e6bd6a6ea8858cbbef7e Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Dec 10 16:57:12 2018 +0000
ipsec-interfaces: Don't add any interfaces when IPsec is disabled
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit a56357b8be20e4a3d31d2a541518b74d6741d57c Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Dec 10 16:55:53 2018 +0000
Revert "ipsec-interfaces: Run when IPsec is disabled"
This reverts commit 3c3a1cfdb9b473fae9b792e8c211c9940fafc658.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 216bd9b389b984dd991d1a9011901e68ef5f0a6b Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Dec 10 16:44:06 2018 +0000
vpnmain.cgi: Move advanced IPsec settings to connection page
This is required to make the initial setup easier for GRE/VTI connections
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 4cf038dcfeec1cbba5e1453e776d02976eef9524 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Dec 10 16:08:58 2018 +0000
ipsec-interfaces: Run when IPsec is disabled
This needs to run even when IPsec is disable to remove and interfaces
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 05af70c2f32988cc38f1c50d37e8d191170a26ce Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Dec 10 16:01:00 2018 +0000
ipsec-interfaces: Use correct righthost variable
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit f2d45a45ab78d6b2a557d515d84785a8daaa182f Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Dec 5 17:10:16 2018 +0000
IPsec: Do not allow 0.0.0.0/0 as remote subnet
This renders the whole machine inaccessible
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 68e69b676fa5e588cbf1db951aa9cbc4547e8b55 Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Dec 5 16:24:52 2018 +0000
network: Create IPsec interfaces when network is brought up
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 3446a17293bfcbda19a353b755aa9d61530074ad Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Dec 5 16:23:06 2018 +0000
ipsecctrl: Call ipsec-interfaces script when turning up/shutting down connections
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit b8c153bca5064a2e40e5c71be91df30b520e4824 Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Dec 5 16:12:48 2018 +0000
IPsec: Add (experimental) script that creates GRE/VTI interfaces
Signed-off-by: root root@interim-edge-a.ec2.internal
commit 90aa4f1083c28a95d74bae58876bbd77c691771c Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Dec 3 11:21:29 2018 +0000
IPsec: Use left/rightprotoport in GRE mode
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit b89ae1a4e3596153a192da3f220dc54565078cac Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Nov 29 16:12:45 2018 +0000
ipsecctrl: Don't wait when a connection is to be started
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 5a9c9ff3127e3266b4dd00dd0a57f9774647db27 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Nov 29 16:00:52 2018 +0000
ipsec-policy: Don't install any block rules for connections with an interface
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit b54cd874b9c3f566cf65d290f13982c134c5a28b Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Nov 29 15:58:55 2018 +0000
ipsec-policy: Permit GRE traffic for GRE connections
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 2704dbbc28c0192d4b3dcd903496c2fb37e87c2e Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Nov 29 15:58:39 2018 +0000
ipsec-policy: Variables don't match those from the CGI
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 4cf4f8f62310e508173de650b867ded5933d7d56 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Nov 29 15:45:52 2018 +0000
ipsec-policy: Parse all configuration settings
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 6cf8bc9161c21dd7c274d09473ab46e3094204ac Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Nov 29 15:43:39 2018 +0000
IPsec: Move opening ports from ipsecctrl into ipsec-policy script
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 6c920b19cd768445a66f5be58c4701b878d5b943 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Nov 29 15:04:28 2018 +0000
IPsec: Rename ipsec-block script to ipsec-policy
This is a more general name for a script that will be extended soon to do more than just add blocking rules.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit b01c17e9d0096c87185dfd1e04d712ec225d25aa Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Nov 28 20:37:32 2018 +0000
IPsec: Update ipsec.conf for GRE/VTI changes
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 55842dda690b077eeb3b0ed0af8f06827ef03f43 Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Nov 28 14:46:15 2018 +0000
IPsec: Add UI for set interface MTU
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 746413170688bc0e05d689fe539bea716752f34f Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Nov 28 14:38:11 2018 +0000
IPsec: Add option to configure IP address for tunnel interface
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 8ebe72541619278f97fc0be145057f5fc59581c6 Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Nov 28 14:24:03 2018 +0000
IPsec: Set default inactivity timeout to half an hour
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 1e9457ac6fa032dc9e7d9f01e3780236e544ef6b Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Nov 28 14:23:26 2018 +0000
IPsec: New connections should defatul to on-demand mode
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit cae1f4a7a82f47703afb0cc25ff71f7585b28c2b Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Nov 28 14:21:33 2018 +0000
IPsec: Add dropdown to select tunnel interface mode
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 5e6fa03e1ec00bbecf4c786c9e097617ec7f8aa3 Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Nov 28 14:07:30 2018 +0000
vpnmain.cgi: Correctly carry over INACTIVITY_TIMEOUT
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 326728d53d1ed4cedf8d180ab51ddfedb1488045 Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Nov 27 18:42:07 2018 +0000
IPsec: Write tunnel/transport mode to strongSwan configuration
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 29f5e0e2b9e0f3996ade9d9ba5a8834ae8480f28 Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Nov 27 18:38:51 2018 +0000
IPsec: Add selection for transport/tunnel mode
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
-----------------------------------------------------------------------
Summary of changes: .mailmap | 1 + config/backup/includes/zabbix_agentd | 2 + config/etc/group | 1 + config/etc/passwd | 1 + config/firewall/firewall-lib.pl | 23 +- config/firewall/{ipsec-block => ipsec-policy} | 57 +- config/rootfiles/common/aarch64/binutils | 4 +- config/rootfiles/common/aarch64/stage2 | 3 +- config/rootfiles/common/armv5tel/binutils | 4 +- config/rootfiles/common/bind | 14 +- config/rootfiles/common/groff | 1023 ++++++++++---------- config/rootfiles/common/i586/binutils | 4 +- config/rootfiles/common/ipset | 7 +- config/rootfiles/common/iptables | 19 +- config/rootfiles/common/knot | 98 +- config/rootfiles/common/libgcrypt | 2 +- config/rootfiles/common/openssl | 6 +- config/rootfiles/common/stage2 | 3 +- config/rootfiles/common/unbound | 2 +- config/rootfiles/common/x86_64/binutils | 4 +- config/rootfiles/common/x86_64/stage2 | 3 +- config/rootfiles/{oldcore/124 => core/129}/exclude | 0 .../129/filelists/aarch64/u-boot} | 0 .../129/filelists/armv5tel/u-boot} | 0 .../{oldcore/100 => core/129}/filelists/bind | 0 config/rootfiles/core/129/filelists/files | 20 + .../{oldcore/90 => core/129}/filelists/groff | 0 .../core/{128 => 129}/filelists/i586/openssl-sse2 | 0 .../{oldcore/106 => core/129}/filelists/ipset | 0 config/rootfiles/core/{128 => 129}/filelists/knot | 0 .../{oldcore/103 => core/129}/filelists/less | 0 .../{oldcore/105 => core/129}/filelists/libgcrypt | 0 .../rootfiles/core/{128 => 129}/filelists/openssl | 0 .../{oldcore/100 => core/129}/filelists/openvpn | 0 .../{oldcore/100 => core/129}/filelists/squid | 0 .../core/{128 => 129}/filelists/strongswan | 0 .../{oldcore/121 => core/129}/filelists/tar | 0 .../{oldcore/106 => core/129}/filelists/unbound | 0 .../103 => core/129}/filelists/wpa_supplicant | 0 .../rootfiles/{oldcore/125 => core/129}/update.sh | 29 +- config/rootfiles/{core => oldcore}/128/exclude | 0 .../{core => oldcore}/128/filelists/aarch64/linux | 0 .../128/filelists/aarch64/linux-initrd | 0 .../{core => oldcore}/128/filelists/apache2 | 0 .../rootfiles/{core => oldcore}/128/filelists/apr | 0 .../128/filelists/armv5tel/linux-initrd-kirkwood | 0 .../128/filelists/armv5tel/linux-initrd-multi | 0 .../128/filelists/armv5tel/linux-kirkwood | 0 .../128/filelists/armv5tel/linux-multi | 0 .../128/filelists/ca-certificates | 0 .../rootfiles/{core => oldcore}/128/filelists/curl | 0 .../{core => oldcore}/128/filelists/dhcpcd | 0 .../{core => oldcore}/128/filelists/files | 0 .../{core => oldcore}/128/filelists/i586/linux | 0 .../128/filelists/i586/linux-initrd | 0 .../128/filelists/i586/openssl-sse2 | 0 .../rootfiles/{core => oldcore}/128/filelists/knot | 0 .../{core => oldcore}/128/filelists/libedit | 0 .../{core => oldcore}/128/filelists/logrotate | 0 .../{core => oldcore}/128/filelists/openldap | 0 .../{core => oldcore}/128/filelists/openssh | 0 .../{core => oldcore}/128/filelists/openssl | 0 .../{core => oldcore}/128/filelists/strongswan | 0 .../{core => oldcore}/128/filelists/tzdata | 0 .../{core => oldcore}/128/filelists/x86_64/linux | 0 .../128/filelists/x86_64/linux-initrd | 0 config/rootfiles/{core => oldcore}/128/update.sh | 0 config/rootfiles/packages/netsnmpd | 75 +- config/rootfiles/packages/postfix | 2 + config/rootfiles/packages/spectre-meltdown-checker | 1 + config/rootfiles/packages/zabbix_agentd | 17 + config/strongswan/charon.conf | 2 +- config/u-boot/boot.cmd | 3 + config/u-boot/boot.scr | Bin 2463 -> 2544 bytes config/zabbix_agentd/logrotate | 9 + config/zabbix_agentd/sudoers | 17 + config/zabbix_agentd/zabbix_agentd.conf | 395 ++++++++ doc/language_issues.de | 9 +- doc/language_issues.en | 28 +- doc/language_issues.es | 28 +- doc/language_issues.fr | 27 +- doc/language_issues.it | 28 +- doc/language_issues.nl | 28 +- doc/language_issues.pl | 28 +- doc/language_issues.ru | 28 +- doc/language_issues.tr | 24 +- doc/language_missings | 155 ++- html/cgi-bin/credits.cgi | 6 +- html/cgi-bin/dhcp.cgi | 21 +- html/cgi-bin/dnsforward.cgi | 40 +- html/cgi-bin/index.cgi | 3 +- html/cgi-bin/netovpnsrv.cgi | 26 +- html/cgi-bin/proxy.cgi | 2 +- html/cgi-bin/tor.cgi | 15 +- html/cgi-bin/vpnmain.cgi | 309 ++++-- langs/de/cgi-bin/de.pl | 25 +- langs/en/cgi-bin/en.pl | 25 +- langs/fr/cgi-bin/fr.pl | 63 +- langs/tr/cgi-bin/tr.pl | 4 +- lfs/Config | 10 + lfs/bind | 7 +- lfs/boost | 7 +- lfs/collectd | 2 +- lfs/configroot | 1 - lfs/cyrus-imapd | 2 +- lfs/dhcp | 2 +- lfs/dnsdist | 4 +- lfs/gcc | 4 +- lfs/gettext | 8 +- lfs/groff | 4 +- lfs/gutenprint | 2 +- lfs/hostapd | 21 +- lfs/installer | 2 +- lfs/ipfire-netboot | 4 +- lfs/ipset | 6 +- lfs/iptables | 17 +- lfs/knot | 11 +- lfs/krb5 | 2 +- lfs/lcd4linux | 2 +- lfs/less | 6 +- lfs/libgcrypt | 6 +- lfs/linux | 4 +- lfs/netpbm | 2 +- lfs/netsnmpd | 13 +- lfs/nut | 2 +- lfs/openssl | 6 +- lfs/openvpn | 6 +- lfs/perl | 3 + lfs/postfix | 6 +- lfs/rrdtool | 2 +- lfs/samba | 4 +- lfs/snort | 2 +- lfs/{jansson => spectre-meltdown-checker} | 13 +- lfs/squid | 9 +- lfs/stage2 | 4 +- lfs/strongswan | 1 + lfs/tar | 6 +- lfs/tor | 6 +- lfs/unbound | 4 +- lfs/wpa_supplicant | 16 +- lfs/xfsprogs | 2 +- lfs/{guardian => zabbix_agentd} | 73 +- make.sh | 62 +- src/initscripts/networking/red.up/50-ipsec | 6 +- src/initscripts/packages/zabbix_agentd | 50 + src/initscripts/system/firewall | 4 +- src/initscripts/system/network | 3 + src/initscripts/system/unbound | 9 +- src/misc-progs/ipsecctrl.c | 138 +-- src/paks/{freeradius => zabbix_agentd}/install.sh | 28 +- .../{mdns-repeater => zabbix_agentd}/uninstall.sh | 6 +- src/paks/{apcupsd => zabbix_agentd}/update.sh | 0 src/patches/hostapd/hostapd-2.6-noscan.patch | 62 -- .../hostapd-2.7-increase_EAPOL-timeouts.patch} | 14 +- src/patches/hostapd/hostapd-2.7-noscan.patch | 62 ++ ...ux-4.14-Revert-usb-dwc2-Fix-DMA-alignment.patch | 99 ++ src/patches/net-snmp-5.7.3-openssl.patch | 303 ------ ...ch => squid-4.6-fix-max-file-descriptors.patch} | 0 src/patches/strongswan-ipfire-interfaces.patch | 72 ++ ...-Avoid-key-reinstallation-in-FT-handshake.patch | 174 ---- ...nstallation-of-an-already-in-use-group-ke.patch | 259 ----- ...ection-of-GTK-IGTK-reinstallation-of-WNM-.patch | 193 ---- ...04-Prevent-installation-of-an-all-zero-TK.patch | 87 -- ...Fix-PTK-rekeying-to-generate-a-new-ANonce.patch | 64 -- .../0006-TDLS-Reject-TPK-TK-reconfiguration.patch | 132 --- ...WNM-Sleep-Mode-Response-without-pending-r.patch | 43 - ...llow-multiple-Reassociation-Response-fram.patch | 82 -- ...-Avoid-key-reinstallation-in-FT-handshake.patch | 174 ---- ...nstallation-of-an-already-in-use-group-ke.patch | 250 ----- ...ection-of-GTK-IGTK-reinstallation-of-WNM-.patch | 184 ---- ...04-Prevent-installation-of-an-all-zero-TK.patch | 79 -- ...Fix-PTK-rekeying-to-generate-a-new-ANonce.patch | 64 -- ...6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch | 132 --- ...WNM-Sleep-Mode-Response-without-pending-r.patch | 43 - ...llow-multiple-Reassociation-Response-fram.patch | 82 -- src/scripts/ipsec-interfaces | 172 ++++ 176 files changed, 2620 insertions(+), 3599 deletions(-) create mode 100644 config/backup/includes/zabbix_agentd rename config/firewall/{ipsec-block => ipsec-policy} (65%) copy config/rootfiles/{oldcore/124 => core/129}/exclude (100%) copy config/rootfiles/{oldcore/124/filelists/aarch64/files-aarch64 => core/129/filelists/aarch64/u-boot} (100%) copy config/rootfiles/{oldcore/124/filelists/aarch64/files-aarch64 => core/129/filelists/armv5tel/u-boot} (100%) copy config/rootfiles/{oldcore/100 => core/129}/filelists/bind (100%) create mode 100644 config/rootfiles/core/129/filelists/files copy config/rootfiles/{oldcore/90 => core/129}/filelists/groff (100%) copy config/rootfiles/core/{128 => 129}/filelists/i586/openssl-sse2 (100%) copy config/rootfiles/{oldcore/106 => core/129}/filelists/ipset (100%) copy config/rootfiles/core/{128 => 129}/filelists/knot (100%) copy config/rootfiles/{oldcore/103 => core/129}/filelists/less (100%) copy config/rootfiles/{oldcore/105 => core/129}/filelists/libgcrypt (100%) copy config/rootfiles/core/{128 => 129}/filelists/openssl (100%) copy config/rootfiles/{oldcore/100 => core/129}/filelists/openvpn (100%) copy config/rootfiles/{oldcore/100 => core/129}/filelists/squid (100%) copy config/rootfiles/core/{128 => 129}/filelists/strongswan (100%) copy config/rootfiles/{oldcore/121 => core/129}/filelists/tar (100%) copy config/rootfiles/{oldcore/106 => core/129}/filelists/unbound (100%) copy config/rootfiles/{oldcore/103 => core/129}/filelists/wpa_supplicant (100%) copy config/rootfiles/{oldcore/125 => core/129}/update.sh (85%) rename config/rootfiles/{core => oldcore}/128/exclude (100%) rename config/rootfiles/{core => oldcore}/128/filelists/aarch64/linux (100%) rename config/rootfiles/{core => oldcore}/128/filelists/aarch64/linux-initrd (100%) rename config/rootfiles/{core => oldcore}/128/filelists/apache2 (100%) rename config/rootfiles/{core => oldcore}/128/filelists/apr (100%) rename config/rootfiles/{core => oldcore}/128/filelists/armv5tel/linux-initrd-kirkwood (100%) rename config/rootfiles/{core => oldcore}/128/filelists/armv5tel/linux-initrd-multi (100%) rename config/rootfiles/{core => oldcore}/128/filelists/armv5tel/linux-kirkwood (100%) rename config/rootfiles/{core => oldcore}/128/filelists/armv5tel/linux-multi (100%) rename config/rootfiles/{core => oldcore}/128/filelists/ca-certificates (100%) rename config/rootfiles/{core => oldcore}/128/filelists/curl (100%) rename config/rootfiles/{core => oldcore}/128/filelists/dhcpcd (100%) rename config/rootfiles/{core => oldcore}/128/filelists/files (100%) rename config/rootfiles/{core => oldcore}/128/filelists/i586/linux (100%) rename config/rootfiles/{core => oldcore}/128/filelists/i586/linux-initrd (100%) rename config/rootfiles/{core => oldcore}/128/filelists/i586/openssl-sse2 (100%) rename config/rootfiles/{core => oldcore}/128/filelists/knot (100%) rename config/rootfiles/{core => oldcore}/128/filelists/libedit (100%) rename config/rootfiles/{core => oldcore}/128/filelists/logrotate (100%) rename config/rootfiles/{core => oldcore}/128/filelists/openldap (100%) rename config/rootfiles/{core => oldcore}/128/filelists/openssh (100%) rename config/rootfiles/{core => oldcore}/128/filelists/openssl (100%) rename config/rootfiles/{core => oldcore}/128/filelists/strongswan (100%) rename config/rootfiles/{core => oldcore}/128/filelists/tzdata (100%) rename config/rootfiles/{core => oldcore}/128/filelists/x86_64/linux (100%) rename config/rootfiles/{core => oldcore}/128/filelists/x86_64/linux-initrd (100%) rename config/rootfiles/{core => oldcore}/128/update.sh (100%) create mode 100644 config/rootfiles/packages/spectre-meltdown-checker create mode 100644 config/rootfiles/packages/zabbix_agentd create mode 100644 config/zabbix_agentd/logrotate create mode 100644 config/zabbix_agentd/sudoers create mode 100644 config/zabbix_agentd/zabbix_agentd.conf copy lfs/{jansson => spectre-meltdown-checker} (92%) copy lfs/{guardian => zabbix_agentd} (68%) create mode 100644 src/initscripts/packages/zabbix_agentd copy src/paks/{freeradius => zabbix_agentd}/install.sh (77%) copy src/paks/{mdns-repeater => zabbix_agentd}/uninstall.sh (95%) copy src/paks/{apcupsd => zabbix_agentd}/update.sh (100%) delete mode 100644 src/patches/hostapd/hostapd-2.6-noscan.patch rename src/patches/{hostapd-2.3_increase_EAPOL-timeouts.patch => hostapd/hostapd-2.7-increase_EAPOL-timeouts.patch} (50%) create mode 100644 src/patches/hostapd/hostapd-2.7-noscan.patch create mode 100644 src/patches/linux/linux-4.14-Revert-usb-dwc2-Fix-DMA-alignment.patch delete mode 100644 src/patches/net-snmp-5.7.3-openssl.patch rename src/patches/squid/{squid-4.5-fix-max-file-descriptors.patch => squid-4.6-fix-max-file-descriptors.patch} (100%) create mode 100644 src/patches/strongswan-ipfire-interfaces.patch delete mode 100644 src/patches/wpa_supplicant/0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch delete mode 100644 src/patches/wpa_supplicant/0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch delete mode 100644 src/patches/wpa_supplicant/0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch delete mode 100644 src/patches/wpa_supplicant/0004-Prevent-installation-of-an-all-zero-TK.patch delete mode 100644 src/patches/wpa_supplicant/0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch delete mode 100644 src/patches/wpa_supplicant/0006-TDLS-Reject-TPK-TK-reconfiguration.patch delete mode 100644 src/patches/wpa_supplicant/0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch delete mode 100644 src/patches/wpa_supplicant/0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch delete mode 100644 src/patches/wpa_supplicant/rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch delete mode 100644 src/patches/wpa_supplicant/rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch delete mode 100644 src/patches/wpa_supplicant/rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch delete mode 100644 src/patches/wpa_supplicant/rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch delete mode 100644 src/patches/wpa_supplicant/rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch delete mode 100644 src/patches/wpa_supplicant/rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch delete mode 100644 src/patches/wpa_supplicant/rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch delete mode 100644 src/patches/wpa_supplicant/rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch create mode 100644 src/scripts/ipsec-interfaces
Difference in files: diff --git a/.mailmap b/.mailmap index ec5ad1987..f920b448f 100644 --- a/.mailmap +++ b/.mailmap @@ -32,3 +32,4 @@ Peter Pfeiffer root@VMipfire.pfeiffer-privat.de Rene Zingel linuxadmin@ea5c0bd1-69bd-2848-81d8-4f18e57aeed8 Ronald Wiesinger rowie@ipfire.org Stéphane Pautrel steph78630@gmail.com +Erik Kapfer ummeegge@ipfire.org diff --git a/config/backup/includes/zabbix_agentd b/config/backup/includes/zabbix_agentd new file mode 100644 index 000000000..b410dbe16 --- /dev/null +++ b/config/backup/includes/zabbix_agentd @@ -0,0 +1,2 @@ +/etc/sudoers.d/zabbix.user +/etc/zabbix_agentd/* diff --git a/config/etc/group b/config/etc/group index 198b68aa3..5b84eca92 100644 --- a/config/etc/group +++ b/config/etc/group @@ -41,4 +41,5 @@ asterisk:x:114: nut:x:115: cdrom:x:116: usb:x:117: +zabbix:x:118: samba:x:1000: diff --git a/config/etc/passwd b/config/etc/passwd index 7eb4718f1..7c0f7dffa 100644 --- a/config/etc/passwd +++ b/config/etc/passwd @@ -20,4 +20,5 @@ amavis:x:110:110:Amavisd-new user:/var/amavis: cyrus:x:111:12:Cyrus user:/usr/cyrus: filter:x:112:12:Spam user:/home/filter:/bin/false asterisk:x:114:114:Asterisk user:/var/empty:/bin/false +zabbix:x:118:118:Zabbix Monitoring:/var/empty:/bin/false samba:x:1000:1000:Samba User:/var/empty:/bin/false diff --git a/config/firewall/firewall-lib.pl b/config/firewall/firewall-lib.pl index 2820eea65..118744fd6 100644 --- a/config/firewall/firewall-lib.pl +++ b/config/firewall/firewall-lib.pl @@ -169,6 +169,15 @@ sub get_ipsec_host_ip } } } +sub get_ipsec_id { + my $val = shift; + + foreach my $key (keys %ipsecconf) { + if ($ipsecconf{$key}[1] eq $val) { + return $key; + } + } +} sub get_ovpn_n2n_ip { my $val=shift; @@ -399,10 +408,16 @@ sub get_address my @parts = split(/|/, $value); push(@ret, [$parts[1], ""]); }else{ - my $network_address = &get_ipsec_net_ip($value, 11); - my @nets = split(/|/, $network_address); - foreach my $net (@nets) { - push(@ret, [$net, ""]); + my $interface_mode = &get_ipsec_net_ip($value, 36); + if ($interface_mode ~~ ["gre", "vti"]) { + my $id = &get_ipsec_id($value); + push(@ret, ["0.0.0.0/0", "${interface_mode}${id}"]); + } else { + my $network_address = &get_ipsec_net_ip($value, 11); + my @nets = split(/|/, $network_address); + foreach my $net (@nets) { + push(@ret, [$net, ""]); + } } }
diff --git a/config/firewall/ipsec-block b/config/firewall/ipsec-policy similarity index 65% rename from config/firewall/ipsec-block rename to config/firewall/ipsec-policy index 96682b894..1ad4de650 100644 --- a/config/firewall/ipsec-block +++ b/config/firewall/ipsec-policy @@ -21,6 +21,15 @@
VPN_CONFIG="/var/ipfire/vpn/config"
+eval $(/usr/local/bin/readhash /var/ipfire/vpn/settings) + +VARS=( + id status name lefthost type ctype psk local local_id leftsubnets + remote_id remote rightsubnets x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 + x13 x14 x15 x16 x17 x18 x19 proto x20 x21 x22 + route x23 mode interface_mode interface_address interface_mtu rest +) + block_subnet() { local subnet="${1}" local action="${2}" @@ -45,27 +54,55 @@ block_subnet() { return 0 }
-block_ipsec() { - # Flush all exists rules +install_policy() { + # Flush existing rules + iptables -F IPSECINPUT + iptables -F IPSECOUTPUT iptables -F IPSECBLOCK
- local action + # We are done when IPsec is not enabled + [ "${ENABLED}" = "on" ] || exit 0
- local vars="id status name lefthost type ctype x1 x2 x3 leftsubnets" - vars="${vars} x4 righthost rightsubnets x5 x6 x7 x8 x9 x10 x11 x12" - vars="${vars} x13 x14 x15 x16 x17 x18 x19 x20 x21 proto x22 x23 x24" - vars="${vars} route rest" + # IKE + iptables -A IPSECINPUT -p udp --dport 500 -j ACCEPT + iptables -A IPSECOUTPUT -p udp --dport 500 -j ACCEPT + + # IKE NAT + iptables -A IPSECINPUT -p udp --dport 4500 -j ACCEPT + iptables -A IPSECOUTPUT -p udp --dport 4500 -j ACCEPT
# Register local variables - local ${vars} + local "${VARS[@]}" + local action
- while IFS="," read -r ${vars}; do + while IFS="," read -r "${VARS[@]}"; do # Check if the connection is enabled [ "${status}" = "on" ] || continue
# Check if this a net-to-net connection [ "${type}" = "net" ] || continue
+ # Default local to 0.0.0.0/0 + if [ "${local}" = "" -o "${local}" = "off" ]; then + local="0.0.0.0/0" + fi + + # Install permissions for GRE traffic + case "${interface_mode}" in + gre) + if [ -n "${remote}" ]; then + iptables -A IPSECINPUT -p gre \ + -s "${remote}" -d "${local}" -j ACCEPT + + iptables -A IPSECOUTPUT -p gre \ + -s "${local}" -d "${remote}" -j ACCEPT + fi + ;; + esac + + # Install firewall rules only for interfaces without interface + [ -n "${interface_mode}" ] && continue + # Split multiple subnets rightsubnets="${rightsubnets//|/ }"
@@ -85,4 +122,4 @@ block_ipsec() { done < "${VPN_CONFIG}" }
-block_ipsec || exit $? +install_policy || exit $? diff --git a/config/rootfiles/common/aarch64/binutils b/config/rootfiles/common/aarch64/binutils index a276d5d23..5a37c770e 100644 --- a/config/rootfiles/common/aarch64/binutils +++ b/config/rootfiles/common/aarch64/binutils @@ -10,9 +10,9 @@ #usr/bin/objcopy #usr/bin/objdump #usr/bin/ranlib -#usr/bin/readelf +usr/bin/readelf #usr/bin/size -#usr/bin/strings +usr/bin/strings #usr/bin/strip #usr/include/ansidecl.h #usr/include/bfd.h diff --git a/config/rootfiles/common/aarch64/stage2 b/config/rootfiles/common/aarch64/stage2 index 110114c47..c6d19a5f6 100644 --- a/config/rootfiles/common/aarch64/stage2 +++ b/config/rootfiles/common/aarch64/stage2 @@ -76,7 +76,7 @@ usr/bin/captive-cleanup #usr/lib usr/lib/firewall usr/lib/firewall/firewall-lib.pl -usr/lib/firewall/ipsec-block +usr/lib/firewall/ipsec-policy usr/lib/firewall/rules.pl #usr/lib/libgcc_s.so usr/lib/libgcc_s.so.1 @@ -93,6 +93,7 @@ usr/local/bin/connscheduler usr/local/bin/consort.sh usr/local/bin/convert-ovpn usr/local/bin/hddshutdown +usr/local/bin/ipsec-interfaces usr/local/bin/makegraphs usr/local/bin/qosd usr/local/bin/readhash diff --git a/config/rootfiles/common/armv5tel/binutils b/config/rootfiles/common/armv5tel/binutils index c12b90fe2..a94ecfa1a 100644 --- a/config/rootfiles/common/armv5tel/binutils +++ b/config/rootfiles/common/armv5tel/binutils @@ -10,9 +10,9 @@ #usr/bin/objcopy #usr/bin/objdump #usr/bin/ranlib -#usr/bin/readelf +usr/bin/readelf #usr/bin/size -#usr/bin/strings +usr/bin/strings #usr/bin/strip #usr/include/ansidecl.h #usr/include/bfd.h diff --git a/config/rootfiles/common/bind b/config/rootfiles/common/bind index bbe0e0741..8c8a55d19 100644 --- a/config/rootfiles/common/bind +++ b/config/rootfiles/common/bind @@ -266,27 +266,27 @@ usr/bin/nsupdate #usr/lib/libbind9.la #usr/lib/libbind9.so usr/lib/libbind9.so.161 -usr/lib/libbind9.so.161.0.0 +usr/lib/libbind9.so.161.0.1 #usr/lib/libdns.la #usr/lib/libdns.so -usr/lib/libdns.so.1104 -usr/lib/libdns.so.1104.0.1 +usr/lib/libdns.so.1105 +usr/lib/libdns.so.1105.0.0 #usr/lib/libisc.la #usr/lib/libisc.so usr/lib/libisc.so.1100 -usr/lib/libisc.so.1100.0.0 +usr/lib/libisc.so.1100.0.1 #usr/lib/libisccc.la #usr/lib/libisccc.so usr/lib/libisccc.so.161 -usr/lib/libisccc.so.161.0.0 +usr/lib/libisccc.so.161.0.1 #usr/lib/libisccfg.la #usr/lib/libisccfg.so usr/lib/libisccfg.so.163 -usr/lib/libisccfg.so.163.0.0 +usr/lib/libisccfg.so.163.0.1 #usr/lib/liblwres.la #usr/lib/liblwres.so usr/lib/liblwres.so.161 -usr/lib/liblwres.so.161.0.0 +usr/lib/liblwres.so.161.0.1 #usr/share/man/man1/dig.1 #usr/share/man/man1/host.1 #usr/share/man/man1/nslookup.1 diff --git a/config/rootfiles/common/groff b/config/rootfiles/common/groff index de5908498..92dc92806 100644 --- a/config/rootfiles/common/groff +++ b/config/rootfiles/common/groff @@ -63,514 +63,523 @@ #usr/lib/groff/groffer/version.sh #usr/lib/groff/grog #usr/lib/groff/grog/subs.pl -#usr/lib/groff/refer #usr/lib/groff/site-tmac -#usr/share/doc/groff-1.22.3 -#usr/share/doc/groff-1.22.3/examples -#usr/share/doc/groff-1.22.3/examples/chem -#usr/share/doc/groff-1.22.3/examples/chem/122 -#usr/share/doc/groff-1.22.3/examples/chem/122/README -#usr/share/doc/groff-1.22.3/examples/chem/122/ch2a_ethyl.chem -#usr/share/doc/groff-1.22.3/examples/chem/122/ch2b_benzene.chem -#usr/share/doc/groff-1.22.3/examples/chem/122/ch2c_benzene_right.chem -#usr/share/doc/groff-1.22.3/examples/chem/122/ch4a_stick.chem -#usr/share/doc/groff-1.22.3/examples/chem/122/ch4b_methyl_acetate.chem -#usr/share/doc/groff-1.22.3/examples/chem/122/ch4c_colon.chem -#usr/share/doc/groff-1.22.3/examples/chem/122/ch4d_HCl.H2O.chem -#usr/share/doc/groff-1.22.3/examples/chem/122/ch4e_CaSO4.2H2O.chem -#usr/share/doc/groff-1.22.3/examples/chem/122/ch4f_C.chem -#usr/share/doc/groff-1.22.3/examples/chem/122/ch4g_BP.chem -#usr/share/doc/groff-1.22.3/examples/chem/122/ch4h_methacrylate.chem -#usr/share/doc/groff-1.22.3/examples/chem/122/ch4i_cyclo.chem -#usr/share/doc/groff-1.22.3/examples/chem/122/ch4j_ring4.chem -#usr/share/doc/groff-1.22.3/examples/chem/122/ch4k_ring3.chem -#usr/share/doc/groff-1.22.3/examples/chem/122/ch4l_vertex.chem -#usr/share/doc/groff-1.22.3/examples/chem/122/ch4m_double.chem -#usr/share/doc/groff-1.22.3/examples/chem/122/ch4n_triple.chem -#usr/share/doc/groff-1.22.3/examples/chem/122/ch4o_aromatic.chem -#usr/share/doc/groff-1.22.3/examples/chem/122/ch4p_cholestanol.chem -#usr/share/doc/groff-1.22.3/examples/chem/122/ch4q_rings.chem -#usr/share/doc/groff-1.22.3/examples/chem/122/ch4r_spiro.chem -#usr/share/doc/groff-1.22.3/examples/chem/122/ch4s_heteroatoms.chem -#usr/share/doc/groff-1.22.3/examples/chem/122/ch4t_polycyclic.chem -#usr/share/doc/groff-1.22.3/examples/chem/122/ch4u_nicotine.chem -#usr/share/doc/groff-1.22.3/examples/chem/122/ch4v_histidine.chem -#usr/share/doc/groff-1.22.3/examples/chem/122/ch4w_lsd.chem -#usr/share/doc/groff-1.22.3/examples/chem/122/ch4x_anisole.chem -#usr/share/doc/groff-1.22.3/examples/chem/122/ch4y_reserpine.chem -#usr/share/doc/groff-1.22.3/examples/chem/122/ch4z1_eqn_glutamic.chem -#usr/share/doc/groff-1.22.3/examples/chem/122/ch4z2_text.chem -#usr/share/doc/groff-1.22.3/examples/chem/122/ch5a_size.chem -#usr/share/doc/groff-1.22.3/examples/chem/122/ch6a_pic.chem -#usr/share/doc/groff-1.22.3/examples/chem/122/ch6b_dna.chem -#usr/share/doc/groff-1.22.3/examples/chem/122/chAa_polymer.chem -#usr/share/doc/groff-1.22.3/examples/chem/122/chAb_vinyl_chloro.chem -#usr/share/doc/groff-1.22.3/examples/chem/122/chAc_morphine.chem -#usr/share/doc/groff-1.22.3/examples/chem/122/chAd_chlorophyll.chem -#usr/share/doc/groff-1.22.3/examples/chem/122/chAe_chair.chem -#usr/share/doc/groff-1.22.3/examples/chem/122/chAf_arrow.chem -#usr/share/doc/groff-1.22.3/examples/chem/122/chAg_circle.chem -#usr/share/doc/groff-1.22.3/examples/chem/122/chAh_brackets.chem -#usr/share/doc/groff-1.22.3/examples/chem/122/chAi_poly_vinyl_chloride.chem -#usr/share/doc/groff-1.22.3/examples/chem/122/chBa_jump.chem -#usr/share/doc/groff-1.22.3/examples/chem/122/chBb_bonds.chem -#usr/share/doc/groff-1.22.3/examples/chem/122/chBc_rings.chem -#usr/share/doc/groff-1.22.3/examples/chem/README -#usr/share/doc/groff-1.22.3/examples/chem/atp.chem -#usr/share/doc/groff-1.22.3/examples/chem/cholesterin.chem -#usr/share/doc/groff-1.22.3/examples/chem/ethamivan.chem -#usr/share/doc/groff-1.22.3/examples/chem/lsd.chem -#usr/share/doc/groff-1.22.3/examples/chem/morphine.chem -#usr/share/doc/groff-1.22.3/examples/chem/penicillin.chem -#usr/share/doc/groff-1.22.3/examples/chem/reserpine.chem -#usr/share/doc/groff-1.22.3/examples/gnu.eps -#usr/share/doc/groff-1.22.3/examples/grnexmpl.g -#usr/share/doc/groff-1.22.3/examples/grnexmpl.me -#usr/share/doc/groff-1.22.3/examples/grnexmpl.ps -#usr/share/doc/groff-1.22.3/examples/groff.css -#usr/share/doc/groff-1.22.3/examples/hdtbl -#usr/share/doc/groff-1.22.3/examples/hdtbl/chess_board.ps -#usr/share/doc/groff-1.22.3/examples/hdtbl/chess_board.roff -#usr/share/doc/groff-1.22.3/examples/hdtbl/col_rowspan_colors.ps -#usr/share/doc/groff-1.22.3/examples/hdtbl/col_rowspan_colors.roff -#usr/share/doc/groff-1.22.3/examples/hdtbl/color_boxes.ps -#usr/share/doc/groff-1.22.3/examples/hdtbl/color_boxes.roff -#usr/share/doc/groff-1.22.3/examples/hdtbl/color_nested_tables.ps -#usr/share/doc/groff-1.22.3/examples/hdtbl/color_nested_tables.roff -#usr/share/doc/groff-1.22.3/examples/hdtbl/color_table_cells.ps -#usr/share/doc/groff-1.22.3/examples/hdtbl/color_table_cells.roff -#usr/share/doc/groff-1.22.3/examples/hdtbl/color_transitions.ps -#usr/share/doc/groff-1.22.3/examples/hdtbl/color_transitions.roff -#usr/share/doc/groff-1.22.3/examples/hdtbl/common.roff -#usr/share/doc/groff-1.22.3/examples/hdtbl/fonts_n.ps -#usr/share/doc/groff-1.22.3/examples/hdtbl/fonts_n.roff -#usr/share/doc/groff-1.22.3/examples/hdtbl/fonts_x.ps -#usr/share/doc/groff-1.22.3/examples/hdtbl/fonts_x.roff -#usr/share/doc/groff-1.22.3/examples/hdtbl/gnu.eps -#usr/share/doc/groff-1.22.3/examples/hdtbl/mixed_pickles.ps -#usr/share/doc/groff-1.22.3/examples/hdtbl/mixed_pickles.roff -#usr/share/doc/groff-1.22.3/examples/hdtbl/rainbow.ps -#usr/share/doc/groff-1.22.3/examples/hdtbl/rainbow.roff -#usr/share/doc/groff-1.22.3/examples/hdtbl/short_reference.ps -#usr/share/doc/groff-1.22.3/examples/hdtbl/short_reference.roff -#usr/share/doc/groff-1.22.3/examples/mom -#usr/share/doc/groff-1.22.3/examples/mom/README.txt -#usr/share/doc/groff-1.22.3/examples/mom/elvis_syntax -#usr/share/doc/groff-1.22.3/examples/mom/elvis_syntax.new -#usr/share/doc/groff-1.22.3/examples/mom/letter.mom -#usr/share/doc/groff-1.22.3/examples/mom/mom-pdf.mom -#usr/share/doc/groff-1.22.3/examples/mom/mom.vim -#usr/share/doc/groff-1.22.3/examples/mom/penguin.pdf -#usr/share/doc/groff-1.22.3/examples/mom/penguin.ps -#usr/share/doc/groff-1.22.3/examples/mom/sample_docs.mom -#usr/share/doc/groff-1.22.3/examples/mom/typesetting.mom -#usr/share/doc/groff-1.22.3/examples/webpage.ms -#usr/share/doc/groff-1.22.3/examples/webpage.ps -#usr/share/doc/groff-1.22.3/html -#usr/share/doc/groff-1.22.3/html/mom -#usr/share/doc/groff-1.22.3/html/mom/appendices.html -#usr/share/doc/groff-1.22.3/html/mom/color.html -#usr/share/doc/groff-1.22.3/html/mom/cover.html -#usr/share/doc/groff-1.22.3/html/mom/definitions.html -#usr/share/doc/groff-1.22.3/html/mom/docelement.html -#usr/share/doc/groff-1.22.3/html/mom/docprocessing.html -#usr/share/doc/groff-1.22.3/html/mom/goodies.html -#usr/share/doc/groff-1.22.3/html/mom/graphical.html -#usr/share/doc/groff-1.22.3/html/mom/headfootpage.html -#usr/share/doc/groff-1.22.3/html/mom/images.html -#usr/share/doc/groff-1.22.3/html/mom/inlines.html -#usr/share/doc/groff-1.22.3/html/mom/intro.html -#usr/share/doc/groff-1.22.3/html/mom/letters.html -#usr/share/doc/groff-1.22.3/html/mom/macrolist.html -#usr/share/doc/groff-1.22.3/html/mom/rectoverso.html -#usr/share/doc/groff-1.22.3/html/mom/refer.html -#usr/share/doc/groff-1.22.3/html/mom/reserved.html -#usr/share/doc/groff-1.22.3/html/mom/stylesheet.css -#usr/share/doc/groff-1.22.3/html/mom/tables-of-contents.html -#usr/share/doc/groff-1.22.3/html/mom/toc.html -#usr/share/doc/groff-1.22.3/html/mom/typesetting.html -#usr/share/doc/groff-1.22.3/html/mom/using.html -#usr/share/doc/groff-1.22.3/html/mom/version-2.html -#usr/share/doc/groff-1.22.3/meintro.me -#usr/share/doc/groff-1.22.3/meintro.ps -#usr/share/doc/groff-1.22.3/meintro_fr.me -#usr/share/doc/groff-1.22.3/meintro_fr.ps -#usr/share/doc/groff-1.22.3/meref.me -#usr/share/doc/groff-1.22.3/meref.ps -#usr/share/doc/groff-1.22.3/pic.ms -#usr/share/doc/groff-1.22.3/pic.ps +#usr/share/doc/groff-1.22.4 +#usr/share/doc/groff-1.22.4/examples +#usr/share/doc/groff-1.22.4/examples/chem +#usr/share/doc/groff-1.22.4/examples/chem/122 +#usr/share/doc/groff-1.22.4/examples/chem/122/README +#usr/share/doc/groff-1.22.4/examples/chem/122/ch2a_ethyl.chem +#usr/share/doc/groff-1.22.4/examples/chem/122/ch2b_benzene.chem +#usr/share/doc/groff-1.22.4/examples/chem/122/ch2c_benzene_right.chem +#usr/share/doc/groff-1.22.4/examples/chem/122/ch4a_stick.chem +#usr/share/doc/groff-1.22.4/examples/chem/122/ch4b_methyl_acetate.chem +#usr/share/doc/groff-1.22.4/examples/chem/122/ch4c_colon.chem +#usr/share/doc/groff-1.22.4/examples/chem/122/ch4d_HCl.H2O.chem +#usr/share/doc/groff-1.22.4/examples/chem/122/ch4e_CaSO4.2H2O.chem +#usr/share/doc/groff-1.22.4/examples/chem/122/ch4f_C.chem +#usr/share/doc/groff-1.22.4/examples/chem/122/ch4g_BP.chem +#usr/share/doc/groff-1.22.4/examples/chem/122/ch4h_methacrylate.chem +#usr/share/doc/groff-1.22.4/examples/chem/122/ch4i_cyclo.chem +#usr/share/doc/groff-1.22.4/examples/chem/122/ch4j_ring4.chem +#usr/share/doc/groff-1.22.4/examples/chem/122/ch4k_ring3.chem +#usr/share/doc/groff-1.22.4/examples/chem/122/ch4l_vertex.chem +#usr/share/doc/groff-1.22.4/examples/chem/122/ch4m_double.chem +#usr/share/doc/groff-1.22.4/examples/chem/122/ch4n_triple.chem +#usr/share/doc/groff-1.22.4/examples/chem/122/ch4o_aromatic.chem +#usr/share/doc/groff-1.22.4/examples/chem/122/ch4p_cholestanol.chem +#usr/share/doc/groff-1.22.4/examples/chem/122/ch4q_rings.chem +#usr/share/doc/groff-1.22.4/examples/chem/122/ch4r_spiro.chem +#usr/share/doc/groff-1.22.4/examples/chem/122/ch4s_heteroatoms.chem +#usr/share/doc/groff-1.22.4/examples/chem/122/ch4t_polycyclic.chem +#usr/share/doc/groff-1.22.4/examples/chem/122/ch4u_nicotine.chem +#usr/share/doc/groff-1.22.4/examples/chem/122/ch4v_histidine.chem +#usr/share/doc/groff-1.22.4/examples/chem/122/ch4w_lsd.chem +#usr/share/doc/groff-1.22.4/examples/chem/122/ch4x_anisole.chem +#usr/share/doc/groff-1.22.4/examples/chem/122/ch4y_reserpine.chem +#usr/share/doc/groff-1.22.4/examples/chem/122/ch4z1_eqn_glutamic.chem +#usr/share/doc/groff-1.22.4/examples/chem/122/ch4z2_text.chem +#usr/share/doc/groff-1.22.4/examples/chem/122/ch5a_size.chem +#usr/share/doc/groff-1.22.4/examples/chem/122/ch6a_pic.chem +#usr/share/doc/groff-1.22.4/examples/chem/122/ch6b_dna.chem +#usr/share/doc/groff-1.22.4/examples/chem/122/chAa_polymer.chem +#usr/share/doc/groff-1.22.4/examples/chem/122/chAb_vinyl_chloro.chem +#usr/share/doc/groff-1.22.4/examples/chem/122/chAc_morphine.chem +#usr/share/doc/groff-1.22.4/examples/chem/122/chAd_chlorophyll.chem +#usr/share/doc/groff-1.22.4/examples/chem/122/chAe_chair.chem +#usr/share/doc/groff-1.22.4/examples/chem/122/chAf_arrow.chem +#usr/share/doc/groff-1.22.4/examples/chem/122/chAg_circle.chem +#usr/share/doc/groff-1.22.4/examples/chem/122/chAh_brackets.chem +#usr/share/doc/groff-1.22.4/examples/chem/122/chAi_poly_vinyl_chloride.chem +#usr/share/doc/groff-1.22.4/examples/chem/122/chBa_jump.chem +#usr/share/doc/groff-1.22.4/examples/chem/122/chBb_bonds.chem +#usr/share/doc/groff-1.22.4/examples/chem/122/chBc_rings.chem +#usr/share/doc/groff-1.22.4/examples/chem/README +#usr/share/doc/groff-1.22.4/examples/chem/atp.chem +#usr/share/doc/groff-1.22.4/examples/chem/cholesterin.chem +#usr/share/doc/groff-1.22.4/examples/chem/ethamivan.chem +#usr/share/doc/groff-1.22.4/examples/chem/lsd.chem +#usr/share/doc/groff-1.22.4/examples/chem/morphine.chem +#usr/share/doc/groff-1.22.4/examples/chem/penicillin.chem +#usr/share/doc/groff-1.22.4/examples/chem/reserpine.chem +#usr/share/doc/groff-1.22.4/examples/gnu.eps +#usr/share/doc/groff-1.22.4/examples/grnexmpl.g +#usr/share/doc/groff-1.22.4/examples/grnexmpl.me +#usr/share/doc/groff-1.22.4/examples/grnexmpl.ps +#usr/share/doc/groff-1.22.4/examples/groff.css +#usr/share/doc/groff-1.22.4/examples/hdtbl +#usr/share/doc/groff-1.22.4/examples/hdtbl/chess_board.ps +#usr/share/doc/groff-1.22.4/examples/hdtbl/chess_board.roff +#usr/share/doc/groff-1.22.4/examples/hdtbl/col_rowspan_colors.ps +#usr/share/doc/groff-1.22.4/examples/hdtbl/col_rowspan_colors.roff +#usr/share/doc/groff-1.22.4/examples/hdtbl/color_boxes.ps +#usr/share/doc/groff-1.22.4/examples/hdtbl/color_boxes.roff +#usr/share/doc/groff-1.22.4/examples/hdtbl/color_nested_tables.ps +#usr/share/doc/groff-1.22.4/examples/hdtbl/color_nested_tables.roff +#usr/share/doc/groff-1.22.4/examples/hdtbl/color_table_cells.ps +#usr/share/doc/groff-1.22.4/examples/hdtbl/color_table_cells.roff +#usr/share/doc/groff-1.22.4/examples/hdtbl/color_transitions.ps +#usr/share/doc/groff-1.22.4/examples/hdtbl/color_transitions.roff +#usr/share/doc/groff-1.22.4/examples/hdtbl/common.roff +#usr/share/doc/groff-1.22.4/examples/hdtbl/fonts_n.ps +#usr/share/doc/groff-1.22.4/examples/hdtbl/fonts_n.roff +#usr/share/doc/groff-1.22.4/examples/hdtbl/fonts_x.ps +#usr/share/doc/groff-1.22.4/examples/hdtbl/fonts_x.roff +#usr/share/doc/groff-1.22.4/examples/hdtbl/gnu.eps +#usr/share/doc/groff-1.22.4/examples/hdtbl/mixed_pickles.ps +#usr/share/doc/groff-1.22.4/examples/hdtbl/mixed_pickles.roff +#usr/share/doc/groff-1.22.4/examples/hdtbl/rainbow.ps +#usr/share/doc/groff-1.22.4/examples/hdtbl/rainbow.roff +#usr/share/doc/groff-1.22.4/examples/hdtbl/short_reference.ps +#usr/share/doc/groff-1.22.4/examples/hdtbl/short_reference.roff +#usr/share/doc/groff-1.22.4/examples/mm +#usr/share/doc/groff-1.22.4/examples/mm/letter.mm +#usr/share/doc/groff-1.22.4/examples/mom +#usr/share/doc/groff-1.22.4/examples/mom/README-fr.txt +#usr/share/doc/groff-1.22.4/examples/mom/README.txt +#usr/share/doc/groff-1.22.4/examples/mom/elvis_syntax +#usr/share/doc/groff-1.22.4/examples/mom/elvis_syntax.new +#usr/share/doc/groff-1.22.4/examples/mom/letter.mom +#usr/share/doc/groff-1.22.4/examples/mom/mom-pdf.mom +#usr/share/doc/groff-1.22.4/examples/mom/mom.vim +#usr/share/doc/groff-1.22.4/examples/mom/mon_premier_doc.mom +#usr/share/doc/groff-1.22.4/examples/mom/penguin.pdf +#usr/share/doc/groff-1.22.4/examples/mom/penguin.ps +#usr/share/doc/groff-1.22.4/examples/mom/sample_docs.mom +#usr/share/doc/groff-1.22.4/examples/mom/slide-demo.mom +#usr/share/doc/groff-1.22.4/examples/mom/typesetting.mom +#usr/share/doc/groff-1.22.4/examples/webpage.ms +#usr/share/doc/groff-1.22.4/examples/webpage.ps +#usr/share/doc/groff-1.22.4/html +#usr/share/doc/groff-1.22.4/html/mom +#usr/share/doc/groff-1.22.4/html/mom/appendices.html +#usr/share/doc/groff-1.22.4/html/mom/color.html +#usr/share/doc/groff-1.22.4/html/mom/cover.html +#usr/share/doc/groff-1.22.4/html/mom/definitions.html +#usr/share/doc/groff-1.22.4/html/mom/docelement.html +#usr/share/doc/groff-1.22.4/html/mom/docprocessing.html +#usr/share/doc/groff-1.22.4/html/mom/goodies.html +#usr/share/doc/groff-1.22.4/html/mom/graphical.html +#usr/share/doc/groff-1.22.4/html/mom/headfootpage.html +#usr/share/doc/groff-1.22.4/html/mom/images.html +#usr/share/doc/groff-1.22.4/html/mom/inlines.html +#usr/share/doc/groff-1.22.4/html/mom/intro.html +#usr/share/doc/groff-1.22.4/html/mom/letters.html +#usr/share/doc/groff-1.22.4/html/mom/macrolist.html +#usr/share/doc/groff-1.22.4/html/mom/rectoverso.html +#usr/share/doc/groff-1.22.4/html/mom/refer.html +#usr/share/doc/groff-1.22.4/html/mom/reserved.html +#usr/share/doc/groff-1.22.4/html/mom/stylesheet.css +#usr/share/doc/groff-1.22.4/html/mom/tables-of-contents.html +#usr/share/doc/groff-1.22.4/html/mom/toc.html +#usr/share/doc/groff-1.22.4/html/mom/typesetting.html +#usr/share/doc/groff-1.22.4/html/mom/using.html +#usr/share/doc/groff-1.22.4/html/mom/version-2.html +#usr/share/doc/groff-1.22.4/meintro.me +#usr/share/doc/groff-1.22.4/meintro.ps +#usr/share/doc/groff-1.22.4/meintro_fr.me +#usr/share/doc/groff-1.22.4/meintro_fr.ps +#usr/share/doc/groff-1.22.4/meref.me +#usr/share/doc/groff-1.22.4/meref.ps +#usr/share/doc/groff-1.22.4/pic.ms +#usr/share/doc/groff-1.22.4/pic.ps #usr/share/groff -#usr/share/groff/1.22.3 -#usr/share/groff/1.22.3/eign -#usr/share/groff/1.22.3/font -#usr/share/groff/1.22.3/font/devascii -#usr/share/groff/1.22.3/font/devascii/B -#usr/share/groff/1.22.3/font/devascii/BI -#usr/share/groff/1.22.3/font/devascii/DESC -#usr/share/groff/1.22.3/font/devascii/I -#usr/share/groff/1.22.3/font/devascii/R -#usr/share/groff/1.22.3/font/devdvi -#usr/share/groff/1.22.3/font/devdvi/CW -#usr/share/groff/1.22.3/font/devdvi/CWEC -#usr/share/groff/1.22.3/font/devdvi/CWI -#usr/share/groff/1.22.3/font/devdvi/CWIEC -#usr/share/groff/1.22.3/font/devdvi/CWITC -#usr/share/groff/1.22.3/font/devdvi/CWTC -#usr/share/groff/1.22.3/font/devdvi/DESC -#usr/share/groff/1.22.3/font/devdvi/EX -#usr/share/groff/1.22.3/font/devdvi/HB -#usr/share/groff/1.22.3/font/devdvi/HBEC -#usr/share/groff/1.22.3/font/devdvi/HBI -#usr/share/groff/1.22.3/font/devdvi/HBIEC -#usr/share/groff/1.22.3/font/devdvi/HBITC -#usr/share/groff/1.22.3/font/devdvi/HBTC -#usr/share/groff/1.22.3/font/devdvi/HI -#usr/share/groff/1.22.3/font/devdvi/HIEC -#usr/share/groff/1.22.3/font/devdvi/HITC -#usr/share/groff/1.22.3/font/devdvi/HR -#usr/share/groff/1.22.3/font/devdvi/HREC -#usr/share/groff/1.22.3/font/devdvi/HRTC -#usr/share/groff/1.22.3/font/devdvi/MI -#usr/share/groff/1.22.3/font/devdvi/S -#usr/share/groff/1.22.3/font/devdvi/SA -#usr/share/groff/1.22.3/font/devdvi/SB -#usr/share/groff/1.22.3/font/devdvi/SC -#usr/share/groff/1.22.3/font/devdvi/TB -#usr/share/groff/1.22.3/font/devdvi/TBEC -#usr/share/groff/1.22.3/font/devdvi/TBI -#usr/share/groff/1.22.3/font/devdvi/TBIEC -#usr/share/groff/1.22.3/font/devdvi/TBITC -#usr/share/groff/1.22.3/font/devdvi/TBTC -#usr/share/groff/1.22.3/font/devdvi/TI -#usr/share/groff/1.22.3/font/devdvi/TIEC -#usr/share/groff/1.22.3/font/devdvi/TITC -#usr/share/groff/1.22.3/font/devdvi/TR -#usr/share/groff/1.22.3/font/devdvi/TREC -#usr/share/groff/1.22.3/font/devdvi/TRTC -#usr/share/groff/1.22.3/font/devdvi/generate -#usr/share/groff/1.22.3/font/devdvi/generate/CompileFonts -#usr/share/groff/1.22.3/font/devdvi/generate/Makefile -#usr/share/groff/1.22.3/font/devdvi/generate/ec.map -#usr/share/groff/1.22.3/font/devdvi/generate/msam.map -#usr/share/groff/1.22.3/font/devdvi/generate/msbm.map -#usr/share/groff/1.22.3/font/devdvi/generate/tc.map -#usr/share/groff/1.22.3/font/devdvi/generate/texb.map -#usr/share/groff/1.22.3/font/devdvi/generate/texex.map -#usr/share/groff/1.22.3/font/devdvi/generate/texi.map -#usr/share/groff/1.22.3/font/devdvi/generate/texmi.map -#usr/share/groff/1.22.3/font/devdvi/generate/texr.map -#usr/share/groff/1.22.3/font/devdvi/generate/texsy.map -#usr/share/groff/1.22.3/font/devdvi/generate/textex.map -#usr/share/groff/1.22.3/font/devdvi/generate/textt.map -#usr/share/groff/1.22.3/font/devhtml -#usr/share/groff/1.22.3/font/devhtml/B -#usr/share/groff/1.22.3/font/devhtml/BI -#usr/share/groff/1.22.3/font/devhtml/CB -#usr/share/groff/1.22.3/font/devhtml/CBI -#usr/share/groff/1.22.3/font/devhtml/CI -#usr/share/groff/1.22.3/font/devhtml/CR -#usr/share/groff/1.22.3/font/devhtml/DESC -#usr/share/groff/1.22.3/font/devhtml/I -#usr/share/groff/1.22.3/font/devhtml/R -#usr/share/groff/1.22.3/font/devhtml/S -#usr/share/groff/1.22.3/font/devlatin1 -#usr/share/groff/1.22.3/font/devlatin1/B -#usr/share/groff/1.22.3/font/devlatin1/BI -#usr/share/groff/1.22.3/font/devlatin1/DESC -#usr/share/groff/1.22.3/font/devlatin1/I -#usr/share/groff/1.22.3/font/devlatin1/R -#usr/share/groff/1.22.3/font/devlbp -#usr/share/groff/1.22.3/font/devlbp/CB -#usr/share/groff/1.22.3/font/devlbp/CI -#usr/share/groff/1.22.3/font/devlbp/CR -#usr/share/groff/1.22.3/font/devlbp/DESC -#usr/share/groff/1.22.3/font/devlbp/EB -#usr/share/groff/1.22.3/font/devlbp/EI -#usr/share/groff/1.22.3/font/devlbp/ER -#usr/share/groff/1.22.3/font/devlbp/HB -#usr/share/groff/1.22.3/font/devlbp/HBI -#usr/share/groff/1.22.3/font/devlbp/HI -#usr/share/groff/1.22.3/font/devlbp/HNB -#usr/share/groff/1.22.3/font/devlbp/HNBI -#usr/share/groff/1.22.3/font/devlbp/HNI -#usr/share/groff/1.22.3/font/devlbp/HNR -#usr/share/groff/1.22.3/font/devlbp/HR -#usr/share/groff/1.22.3/font/devlbp/TB -#usr/share/groff/1.22.3/font/devlbp/TBI -#usr/share/groff/1.22.3/font/devlbp/TI -#usr/share/groff/1.22.3/font/devlbp/TR -#usr/share/groff/1.22.3/font/devlj4 -#usr/share/groff/1.22.3/font/devlj4/AB -#usr/share/groff/1.22.3/font/devlj4/ABI -#usr/share/groff/1.22.3/font/devlj4/AI -#usr/share/groff/1.22.3/font/devlj4/ALBB -#usr/share/groff/1.22.3/font/devlj4/ALBR -#usr/share/groff/1.22.3/font/devlj4/AOB -#usr/share/groff/1.22.3/font/devlj4/AOI -#usr/share/groff/1.22.3/font/devlj4/AOR -#usr/share/groff/1.22.3/font/devlj4/AR -#usr/share/groff/1.22.3/font/devlj4/CB -#usr/share/groff/1.22.3/font/devlj4/CBI -#usr/share/groff/1.22.3/font/devlj4/CI -#usr/share/groff/1.22.3/font/devlj4/CLARENDON -#usr/share/groff/1.22.3/font/devlj4/CORONET -#usr/share/groff/1.22.3/font/devlj4/CR -#usr/share/groff/1.22.3/font/devlj4/DESC -#usr/share/groff/1.22.3/font/devlj4/GB -#usr/share/groff/1.22.3/font/devlj4/GBI -#usr/share/groff/1.22.3/font/devlj4/GI -#usr/share/groff/1.22.3/font/devlj4/GR -#usr/share/groff/1.22.3/font/devlj4/LGB -#usr/share/groff/1.22.3/font/devlj4/LGI -#usr/share/groff/1.22.3/font/devlj4/LGR -#usr/share/groff/1.22.3/font/devlj4/MARIGOLD -#usr/share/groff/1.22.3/font/devlj4/OB -#usr/share/groff/1.22.3/font/devlj4/OBI -#usr/share/groff/1.22.3/font/devlj4/OI -#usr/share/groff/1.22.3/font/devlj4/OR -#usr/share/groff/1.22.3/font/devlj4/S -#usr/share/groff/1.22.3/font/devlj4/SYMBOL -#usr/share/groff/1.22.3/font/devlj4/TB -#usr/share/groff/1.22.3/font/devlj4/TBI -#usr/share/groff/1.22.3/font/devlj4/TI -#usr/share/groff/1.22.3/font/devlj4/TNRB -#usr/share/groff/1.22.3/font/devlj4/TNRBI -#usr/share/groff/1.22.3/font/devlj4/TNRI -#usr/share/groff/1.22.3/font/devlj4/TNRR -#usr/share/groff/1.22.3/font/devlj4/TR -#usr/share/groff/1.22.3/font/devlj4/UB -#usr/share/groff/1.22.3/font/devlj4/UBI -#usr/share/groff/1.22.3/font/devlj4/UCB -#usr/share/groff/1.22.3/font/devlj4/UCBI -#usr/share/groff/1.22.3/font/devlj4/UCI -#usr/share/groff/1.22.3/font/devlj4/UCR -#usr/share/groff/1.22.3/font/devlj4/UI -#usr/share/groff/1.22.3/font/devlj4/UR -#usr/share/groff/1.22.3/font/devlj4/WINGDINGS -#usr/share/groff/1.22.3/font/devlj4/generate -#usr/share/groff/1.22.3/font/devlj4/generate/Makefile -#usr/share/groff/1.22.3/font/devlj4/generate/special.awk -#usr/share/groff/1.22.3/font/devlj4/generate/special.map -#usr/share/groff/1.22.3/font/devlj4/generate/symbol.map -#usr/share/groff/1.22.3/font/devlj4/generate/text.map -#usr/share/groff/1.22.3/font/devlj4/generate/wingdings.map -#usr/share/groff/1.22.3/font/devpdf -#usr/share/groff/1.22.3/font/devpdf/CB -#usr/share/groff/1.22.3/font/devpdf/CBI -#usr/share/groff/1.22.3/font/devpdf/CI -#usr/share/groff/1.22.3/font/devpdf/CR -#usr/share/groff/1.22.3/font/devpdf/DESC -#usr/share/groff/1.22.3/font/devpdf/EURO -#usr/share/groff/1.22.3/font/devpdf/Foundry -#usr/share/groff/1.22.3/font/devpdf/HB -#usr/share/groff/1.22.3/font/devpdf/HBI -#usr/share/groff/1.22.3/font/devpdf/HI -#usr/share/groff/1.22.3/font/devpdf/HR -#usr/share/groff/1.22.3/font/devpdf/S -#usr/share/groff/1.22.3/font/devpdf/TB -#usr/share/groff/1.22.3/font/devpdf/TBI -#usr/share/groff/1.22.3/font/devpdf/TI -#usr/share/groff/1.22.3/font/devpdf/TR -#usr/share/groff/1.22.3/font/devpdf/ZD -#usr/share/groff/1.22.3/font/devpdf/download -#usr/share/groff/1.22.3/font/devpdf/enc -#usr/share/groff/1.22.3/font/devpdf/enc/text.enc -#usr/share/groff/1.22.3/font/devpdf/map -#usr/share/groff/1.22.3/font/devpdf/map/dingbats.map -#usr/share/groff/1.22.3/font/devpdf/map/symbolchars -#usr/share/groff/1.22.3/font/devpdf/map/symbolmap -#usr/share/groff/1.22.3/font/devpdf/map/textmap -#usr/share/groff/1.22.3/font/devpdf/util -#usr/share/groff/1.22.3/font/devpdf/util/BuildFoundries -#usr/share/groff/1.22.3/font/devps -#usr/share/groff/1.22.3/font/devps/AB -#usr/share/groff/1.22.3/font/devps/ABI -#usr/share/groff/1.22.3/font/devps/AI -#usr/share/groff/1.22.3/font/devps/AR -#usr/share/groff/1.22.3/font/devps/BMB -#usr/share/groff/1.22.3/font/devps/BMBI -#usr/share/groff/1.22.3/font/devps/BMI -#usr/share/groff/1.22.3/font/devps/BMR -#usr/share/groff/1.22.3/font/devps/CB -#usr/share/groff/1.22.3/font/devps/CBI -#usr/share/groff/1.22.3/font/devps/CI -#usr/share/groff/1.22.3/font/devps/CR -#usr/share/groff/1.22.3/font/devps/DESC -#usr/share/groff/1.22.3/font/devps/EURO -#usr/share/groff/1.22.3/font/devps/HB -#usr/share/groff/1.22.3/font/devps/HBI -#usr/share/groff/1.22.3/font/devps/HI -#usr/share/groff/1.22.3/font/devps/HNB -#usr/share/groff/1.22.3/font/devps/HNBI -#usr/share/groff/1.22.3/font/devps/HNI -#usr/share/groff/1.22.3/font/devps/HNR -#usr/share/groff/1.22.3/font/devps/HR -#usr/share/groff/1.22.3/font/devps/NB -#usr/share/groff/1.22.3/font/devps/NBI -#usr/share/groff/1.22.3/font/devps/NI -#usr/share/groff/1.22.3/font/devps/NR -#usr/share/groff/1.22.3/font/devps/PB -#usr/share/groff/1.22.3/font/devps/PBI -#usr/share/groff/1.22.3/font/devps/PI -#usr/share/groff/1.22.3/font/devps/PR -#usr/share/groff/1.22.3/font/devps/S -#usr/share/groff/1.22.3/font/devps/SS -#usr/share/groff/1.22.3/font/devps/TB -#usr/share/groff/1.22.3/font/devps/TBI -#usr/share/groff/1.22.3/font/devps/TI -#usr/share/groff/1.22.3/font/devps/TR -#usr/share/groff/1.22.3/font/devps/ZCMI -#usr/share/groff/1.22.3/font/devps/ZD -#usr/share/groff/1.22.3/font/devps/ZDR -#usr/share/groff/1.22.3/font/devps/download -#usr/share/groff/1.22.3/font/devps/freeeuro.afm -#usr/share/groff/1.22.3/font/devps/freeeuro.pfa -#usr/share/groff/1.22.3/font/devps/generate -#usr/share/groff/1.22.3/font/devps/generate/Makefile -#usr/share/groff/1.22.3/font/devps/generate/afmname -#usr/share/groff/1.22.3/font/devps/generate/dingbats.map -#usr/share/groff/1.22.3/font/devps/generate/dingbats.rmap -#usr/share/groff/1.22.3/font/devps/generate/lgreekmap -#usr/share/groff/1.22.3/font/devps/generate/symbol.sed -#usr/share/groff/1.22.3/font/devps/generate/symbolchars -#usr/share/groff/1.22.3/font/devps/generate/symbolsl.afm -#usr/share/groff/1.22.3/font/devps/generate/textmap -#usr/share/groff/1.22.3/font/devps/prologue -#usr/share/groff/1.22.3/font/devps/symbolsl.pfa -#usr/share/groff/1.22.3/font/devps/text.enc -#usr/share/groff/1.22.3/font/devps/zapfdr.pfa -#usr/share/groff/1.22.3/font/devutf8 -#usr/share/groff/1.22.3/font/devutf8/B -#usr/share/groff/1.22.3/font/devutf8/BI -#usr/share/groff/1.22.3/font/devutf8/DESC -#usr/share/groff/1.22.3/font/devutf8/I -#usr/share/groff/1.22.3/font/devutf8/R -#usr/share/groff/1.22.3/oldfont -#usr/share/groff/1.22.3/oldfont/devps -#usr/share/groff/1.22.3/oldfont/devps/CB -#usr/share/groff/1.22.3/oldfont/devps/CBI -#usr/share/groff/1.22.3/oldfont/devps/CI -#usr/share/groff/1.22.3/oldfont/devps/CR -#usr/share/groff/1.22.3/oldfont/devps/HB -#usr/share/groff/1.22.3/oldfont/devps/HBI -#usr/share/groff/1.22.3/oldfont/devps/HI -#usr/share/groff/1.22.3/oldfont/devps/HNB -#usr/share/groff/1.22.3/oldfont/devps/HNBI -#usr/share/groff/1.22.3/oldfont/devps/HNI -#usr/share/groff/1.22.3/oldfont/devps/HNR -#usr/share/groff/1.22.3/oldfont/devps/HR -#usr/share/groff/1.22.3/oldfont/devps/NB -#usr/share/groff/1.22.3/oldfont/devps/NBI -#usr/share/groff/1.22.3/oldfont/devps/NI -#usr/share/groff/1.22.3/oldfont/devps/NR -#usr/share/groff/1.22.3/oldfont/devps/PB -#usr/share/groff/1.22.3/oldfont/devps/PBI -#usr/share/groff/1.22.3/oldfont/devps/PI -#usr/share/groff/1.22.3/oldfont/devps/PR -#usr/share/groff/1.22.3/oldfont/devps/S -#usr/share/groff/1.22.3/oldfont/devps/SS -#usr/share/groff/1.22.3/oldfont/devps/TB -#usr/share/groff/1.22.3/oldfont/devps/TBI -#usr/share/groff/1.22.3/oldfont/devps/TI -#usr/share/groff/1.22.3/oldfont/devps/TR -#usr/share/groff/1.22.3/oldfont/devps/symbol.afm -#usr/share/groff/1.22.3/oldfont/devps/symbolsl.afm -#usr/share/groff/1.22.3/oldfont/devps/zapfdr.afm -#usr/share/groff/1.22.3/oldfont/devps/zapfdr.ps -#usr/share/groff/1.22.3/pic -#usr/share/groff/1.22.3/pic/chem.pic -#usr/share/groff/1.22.3/tmac -#usr/share/groff/1.22.3/tmac/62bit.tmac -#usr/share/groff/1.22.3/tmac/X.tmac -#usr/share/groff/1.22.3/tmac/Xps.tmac -#usr/share/groff/1.22.3/tmac/a4.tmac -#usr/share/groff/1.22.3/tmac/an-ext.tmac -#usr/share/groff/1.22.3/tmac/an-old.tmac -#usr/share/groff/1.22.3/tmac/an.tmac -#usr/share/groff/1.22.3/tmac/andoc.tmac -#usr/share/groff/1.22.3/tmac/composite.tmac -#usr/share/groff/1.22.3/tmac/cp1047.tmac -#usr/share/groff/1.22.3/tmac/cs.tmac -#usr/share/groff/1.22.3/tmac/de.tmac -#usr/share/groff/1.22.3/tmac/den.tmac -#usr/share/groff/1.22.3/tmac/devtag.tmac -#usr/share/groff/1.22.3/tmac/doc-old.tmac -#usr/share/groff/1.22.3/tmac/doc.tmac -#usr/share/groff/1.22.3/tmac/dvi.tmac -#usr/share/groff/1.22.3/tmac/e.tmac -#usr/share/groff/1.22.3/tmac/ec.tmac -#usr/share/groff/1.22.3/tmac/eqnrc -#usr/share/groff/1.22.3/tmac/europs.tmac -#usr/share/groff/1.22.3/tmac/fallbacks.tmac -#usr/share/groff/1.22.3/tmac/fr.tmac -#usr/share/groff/1.22.3/tmac/hdmisc.tmac -#usr/share/groff/1.22.3/tmac/hdtbl.tmac -#usr/share/groff/1.22.3/tmac/html-end.tmac -#usr/share/groff/1.22.3/tmac/html.tmac -#usr/share/groff/1.22.3/tmac/hyphen.cs -#usr/share/groff/1.22.3/tmac/hyphen.den -#usr/share/groff/1.22.3/tmac/hyphen.det -#usr/share/groff/1.22.3/tmac/hyphen.fr -#usr/share/groff/1.22.3/tmac/hyphen.sv -#usr/share/groff/1.22.3/tmac/hyphen.us -#usr/share/groff/1.22.3/tmac/hyphenex.cs -#usr/share/groff/1.22.3/tmac/hyphenex.det -#usr/share/groff/1.22.3/tmac/hyphenex.us -#usr/share/groff/1.22.3/tmac/ja.tmac -#usr/share/groff/1.22.3/tmac/latin1.tmac -#usr/share/groff/1.22.3/tmac/latin2.tmac -#usr/share/groff/1.22.3/tmac/latin5.tmac -#usr/share/groff/1.22.3/tmac/latin9.tmac -#usr/share/groff/1.22.3/tmac/lbp.tmac -#usr/share/groff/1.22.3/tmac/lj4.tmac -#usr/share/groff/1.22.3/tmac/m.tmac -#usr/share/groff/1.22.3/tmac/man.tmac -#usr/share/groff/1.22.3/tmac/mandoc.tmac -#usr/share/groff/1.22.3/tmac/mdoc -#usr/share/groff/1.22.3/tmac/mdoc.tmac -#usr/share/groff/1.22.3/tmac/mdoc/doc-common -#usr/share/groff/1.22.3/tmac/mdoc/doc-ditroff -#usr/share/groff/1.22.3/tmac/mdoc/doc-nroff -#usr/share/groff/1.22.3/tmac/mdoc/doc-syms -#usr/share/groff/1.22.3/tmac/me.tmac -#usr/share/groff/1.22.3/tmac/mm -#usr/share/groff/1.22.3/tmac/mm.tmac -#usr/share/groff/1.22.3/tmac/mm/0.MT -#usr/share/groff/1.22.3/tmac/mm/4.MT -#usr/share/groff/1.22.3/tmac/mm/5.MT -#usr/share/groff/1.22.3/tmac/mm/locale -#usr/share/groff/1.22.3/tmac/mm/ms.cov -#usr/share/groff/1.22.3/tmac/mm/se_locale -#usr/share/groff/1.22.3/tmac/mm/se_ms.cov -#usr/share/groff/1.22.3/tmac/mmse.tmac -#usr/share/groff/1.22.3/tmac/mom.tmac -#usr/share/groff/1.22.3/tmac/ms.tmac -#usr/share/groff/1.22.3/tmac/mse.tmac -#usr/share/groff/1.22.3/tmac/om.tmac -#usr/share/groff/1.22.3/tmac/papersize.tmac -#usr/share/groff/1.22.3/tmac/pdf.tmac -#usr/share/groff/1.22.3/tmac/pdfmark.tmac -#usr/share/groff/1.22.3/tmac/pic.tmac -#usr/share/groff/1.22.3/tmac/ps.tmac -#usr/share/groff/1.22.3/tmac/psatk.tmac -#usr/share/groff/1.22.3/tmac/psold.tmac -#usr/share/groff/1.22.3/tmac/pspic.tmac -#usr/share/groff/1.22.3/tmac/refer-me.tmac -#usr/share/groff/1.22.3/tmac/refer-mm.tmac -#usr/share/groff/1.22.3/tmac/refer-ms.tmac -#usr/share/groff/1.22.3/tmac/refer.tmac -#usr/share/groff/1.22.3/tmac/s.tmac -#usr/share/groff/1.22.3/tmac/safer.tmac -#usr/share/groff/1.22.3/tmac/spdf.tmac -#usr/share/groff/1.22.3/tmac/sv.tmac -#usr/share/groff/1.22.3/tmac/trace.tmac -#usr/share/groff/1.22.3/tmac/trans.tmac -#usr/share/groff/1.22.3/tmac/troffrc -#usr/share/groff/1.22.3/tmac/troffrc-end -#usr/share/groff/1.22.3/tmac/tty-char.tmac -#usr/share/groff/1.22.3/tmac/tty.tmac -#usr/share/groff/1.22.3/tmac/unicode.tmac -#usr/share/groff/1.22.3/tmac/www.tmac +#usr/share/groff/1.22.4 +#usr/share/groff/1.22.4/eign +#usr/share/groff/1.22.4/font +#usr/share/groff/1.22.4/font/devascii +#usr/share/groff/1.22.4/font/devascii/B +#usr/share/groff/1.22.4/font/devascii/BI +#usr/share/groff/1.22.4/font/devascii/DESC +#usr/share/groff/1.22.4/font/devascii/I +#usr/share/groff/1.22.4/font/devascii/R +#usr/share/groff/1.22.4/font/devcp1047 +#usr/share/groff/1.22.4/font/devcp1047/B +#usr/share/groff/1.22.4/font/devcp1047/BI +#usr/share/groff/1.22.4/font/devcp1047/DESC +#usr/share/groff/1.22.4/font/devcp1047/I +#usr/share/groff/1.22.4/font/devcp1047/R +#usr/share/groff/1.22.4/font/devdvi +#usr/share/groff/1.22.4/font/devdvi/CW +#usr/share/groff/1.22.4/font/devdvi/CWEC +#usr/share/groff/1.22.4/font/devdvi/CWI +#usr/share/groff/1.22.4/font/devdvi/CWIEC +#usr/share/groff/1.22.4/font/devdvi/CWITC +#usr/share/groff/1.22.4/font/devdvi/CWTC +#usr/share/groff/1.22.4/font/devdvi/DESC +#usr/share/groff/1.22.4/font/devdvi/EX +#usr/share/groff/1.22.4/font/devdvi/HB +#usr/share/groff/1.22.4/font/devdvi/HBEC +#usr/share/groff/1.22.4/font/devdvi/HBI +#usr/share/groff/1.22.4/font/devdvi/HBIEC +#usr/share/groff/1.22.4/font/devdvi/HBITC +#usr/share/groff/1.22.4/font/devdvi/HBTC +#usr/share/groff/1.22.4/font/devdvi/HI +#usr/share/groff/1.22.4/font/devdvi/HIEC +#usr/share/groff/1.22.4/font/devdvi/HITC +#usr/share/groff/1.22.4/font/devdvi/HR +#usr/share/groff/1.22.4/font/devdvi/HREC +#usr/share/groff/1.22.4/font/devdvi/HRTC +#usr/share/groff/1.22.4/font/devdvi/MI +#usr/share/groff/1.22.4/font/devdvi/S +#usr/share/groff/1.22.4/font/devdvi/SA +#usr/share/groff/1.22.4/font/devdvi/SB +#usr/share/groff/1.22.4/font/devdvi/SC +#usr/share/groff/1.22.4/font/devdvi/TB +#usr/share/groff/1.22.4/font/devdvi/TBEC +#usr/share/groff/1.22.4/font/devdvi/TBI +#usr/share/groff/1.22.4/font/devdvi/TBIEC +#usr/share/groff/1.22.4/font/devdvi/TBITC +#usr/share/groff/1.22.4/font/devdvi/TBTC +#usr/share/groff/1.22.4/font/devdvi/TI +#usr/share/groff/1.22.4/font/devdvi/TIEC +#usr/share/groff/1.22.4/font/devdvi/TITC +#usr/share/groff/1.22.4/font/devdvi/TR +#usr/share/groff/1.22.4/font/devdvi/TREC +#usr/share/groff/1.22.4/font/devdvi/TRTC +#usr/share/groff/1.22.4/font/devdvi/generate +#usr/share/groff/1.22.4/font/devdvi/generate/CompileFonts +#usr/share/groff/1.22.4/font/devdvi/generate/Makefile +#usr/share/groff/1.22.4/font/devdvi/generate/ec.map +#usr/share/groff/1.22.4/font/devdvi/generate/msam.map +#usr/share/groff/1.22.4/font/devdvi/generate/msbm.map +#usr/share/groff/1.22.4/font/devdvi/generate/tc.map +#usr/share/groff/1.22.4/font/devdvi/generate/texb.map +#usr/share/groff/1.22.4/font/devdvi/generate/texex.map +#usr/share/groff/1.22.4/font/devdvi/generate/texi.map +#usr/share/groff/1.22.4/font/devdvi/generate/texmi.map +#usr/share/groff/1.22.4/font/devdvi/generate/texr.map +#usr/share/groff/1.22.4/font/devdvi/generate/texsy.map +#usr/share/groff/1.22.4/font/devdvi/generate/textex.map +#usr/share/groff/1.22.4/font/devdvi/generate/textt.map +#usr/share/groff/1.22.4/font/devhtml +#usr/share/groff/1.22.4/font/devhtml/B +#usr/share/groff/1.22.4/font/devhtml/BI +#usr/share/groff/1.22.4/font/devhtml/CB +#usr/share/groff/1.22.4/font/devhtml/CBI +#usr/share/groff/1.22.4/font/devhtml/CI +#usr/share/groff/1.22.4/font/devhtml/CR +#usr/share/groff/1.22.4/font/devhtml/DESC +#usr/share/groff/1.22.4/font/devhtml/I +#usr/share/groff/1.22.4/font/devhtml/R +#usr/share/groff/1.22.4/font/devhtml/S +#usr/share/groff/1.22.4/font/devlatin1 +#usr/share/groff/1.22.4/font/devlatin1/B +#usr/share/groff/1.22.4/font/devlatin1/BI +#usr/share/groff/1.22.4/font/devlatin1/DESC +#usr/share/groff/1.22.4/font/devlatin1/I +#usr/share/groff/1.22.4/font/devlatin1/R +#usr/share/groff/1.22.4/font/devlbp +#usr/share/groff/1.22.4/font/devlbp/CB +#usr/share/groff/1.22.4/font/devlbp/CI +#usr/share/groff/1.22.4/font/devlbp/CR +#usr/share/groff/1.22.4/font/devlbp/DESC +#usr/share/groff/1.22.4/font/devlbp/EB +#usr/share/groff/1.22.4/font/devlbp/EI +#usr/share/groff/1.22.4/font/devlbp/ER +#usr/share/groff/1.22.4/font/devlbp/HB +#usr/share/groff/1.22.4/font/devlbp/HBI +#usr/share/groff/1.22.4/font/devlbp/HI +#usr/share/groff/1.22.4/font/devlbp/HNB +#usr/share/groff/1.22.4/font/devlbp/HNBI +#usr/share/groff/1.22.4/font/devlbp/HNI +#usr/share/groff/1.22.4/font/devlbp/HNR +#usr/share/groff/1.22.4/font/devlbp/HR +#usr/share/groff/1.22.4/font/devlbp/TB +#usr/share/groff/1.22.4/font/devlbp/TBI +#usr/share/groff/1.22.4/font/devlbp/TI +#usr/share/groff/1.22.4/font/devlbp/TR +#usr/share/groff/1.22.4/font/devlj4 +#usr/share/groff/1.22.4/font/devlj4/AB +#usr/share/groff/1.22.4/font/devlj4/ABI +#usr/share/groff/1.22.4/font/devlj4/AI +#usr/share/groff/1.22.4/font/devlj4/ALBB +#usr/share/groff/1.22.4/font/devlj4/ALBR +#usr/share/groff/1.22.4/font/devlj4/AOB +#usr/share/groff/1.22.4/font/devlj4/AOI +#usr/share/groff/1.22.4/font/devlj4/AOR +#usr/share/groff/1.22.4/font/devlj4/AR +#usr/share/groff/1.22.4/font/devlj4/CB +#usr/share/groff/1.22.4/font/devlj4/CBI +#usr/share/groff/1.22.4/font/devlj4/CI +#usr/share/groff/1.22.4/font/devlj4/CLARENDON +#usr/share/groff/1.22.4/font/devlj4/CORONET +#usr/share/groff/1.22.4/font/devlj4/CR +#usr/share/groff/1.22.4/font/devlj4/DESC +#usr/share/groff/1.22.4/font/devlj4/GB +#usr/share/groff/1.22.4/font/devlj4/GBI +#usr/share/groff/1.22.4/font/devlj4/GI +#usr/share/groff/1.22.4/font/devlj4/GR +#usr/share/groff/1.22.4/font/devlj4/LGB +#usr/share/groff/1.22.4/font/devlj4/LGI +#usr/share/groff/1.22.4/font/devlj4/LGR +#usr/share/groff/1.22.4/font/devlj4/MARIGOLD +#usr/share/groff/1.22.4/font/devlj4/OB +#usr/share/groff/1.22.4/font/devlj4/OBI +#usr/share/groff/1.22.4/font/devlj4/OI +#usr/share/groff/1.22.4/font/devlj4/OR +#usr/share/groff/1.22.4/font/devlj4/S +#usr/share/groff/1.22.4/font/devlj4/SYMBOL +#usr/share/groff/1.22.4/font/devlj4/TB +#usr/share/groff/1.22.4/font/devlj4/TBI +#usr/share/groff/1.22.4/font/devlj4/TI +#usr/share/groff/1.22.4/font/devlj4/TNRB +#usr/share/groff/1.22.4/font/devlj4/TNRBI +#usr/share/groff/1.22.4/font/devlj4/TNRI +#usr/share/groff/1.22.4/font/devlj4/TNRR +#usr/share/groff/1.22.4/font/devlj4/TR +#usr/share/groff/1.22.4/font/devlj4/UB +#usr/share/groff/1.22.4/font/devlj4/UBI +#usr/share/groff/1.22.4/font/devlj4/UCB +#usr/share/groff/1.22.4/font/devlj4/UCBI +#usr/share/groff/1.22.4/font/devlj4/UCI +#usr/share/groff/1.22.4/font/devlj4/UCR +#usr/share/groff/1.22.4/font/devlj4/UI +#usr/share/groff/1.22.4/font/devlj4/UR +#usr/share/groff/1.22.4/font/devlj4/WINGDINGS +#usr/share/groff/1.22.4/font/devlj4/generate +#usr/share/groff/1.22.4/font/devlj4/generate/Makefile +#usr/share/groff/1.22.4/font/devlj4/generate/special.awk +#usr/share/groff/1.22.4/font/devlj4/generate/special.map +#usr/share/groff/1.22.4/font/devlj4/generate/symbol.map +#usr/share/groff/1.22.4/font/devlj4/generate/text.map +#usr/share/groff/1.22.4/font/devlj4/generate/wingdings.map +#usr/share/groff/1.22.4/font/devpdf +#usr/share/groff/1.22.4/font/devpdf/CB +#usr/share/groff/1.22.4/font/devpdf/CBI +#usr/share/groff/1.22.4/font/devpdf/CI +#usr/share/groff/1.22.4/font/devpdf/CR +#usr/share/groff/1.22.4/font/devpdf/DESC +#usr/share/groff/1.22.4/font/devpdf/EURO +#usr/share/groff/1.22.4/font/devpdf/Foundry +#usr/share/groff/1.22.4/font/devpdf/HB +#usr/share/groff/1.22.4/font/devpdf/HBI +#usr/share/groff/1.22.4/font/devpdf/HI +#usr/share/groff/1.22.4/font/devpdf/HR +#usr/share/groff/1.22.4/font/devpdf/S +#usr/share/groff/1.22.4/font/devpdf/TB +#usr/share/groff/1.22.4/font/devpdf/TBI +#usr/share/groff/1.22.4/font/devpdf/TI +#usr/share/groff/1.22.4/font/devpdf/TR +#usr/share/groff/1.22.4/font/devpdf/ZD +#usr/share/groff/1.22.4/font/devpdf/download +#usr/share/groff/1.22.4/font/devpdf/enc +#usr/share/groff/1.22.4/font/devpdf/enc/text.enc +#usr/share/groff/1.22.4/font/devpdf/map +#usr/share/groff/1.22.4/font/devpdf/map/dingbats.map +#usr/share/groff/1.22.4/font/devpdf/map/symbolchars +#usr/share/groff/1.22.4/font/devpdf/map/symbolmap +#usr/share/groff/1.22.4/font/devpdf/map/textmap +#usr/share/groff/1.22.4/font/devps +#usr/share/groff/1.22.4/font/devps/AB +#usr/share/groff/1.22.4/font/devps/ABI +#usr/share/groff/1.22.4/font/devps/AI +#usr/share/groff/1.22.4/font/devps/AR +#usr/share/groff/1.22.4/font/devps/BMB +#usr/share/groff/1.22.4/font/devps/BMBI +#usr/share/groff/1.22.4/font/devps/BMI +#usr/share/groff/1.22.4/font/devps/BMR +#usr/share/groff/1.22.4/font/devps/CB +#usr/share/groff/1.22.4/font/devps/CBI +#usr/share/groff/1.22.4/font/devps/CI +#usr/share/groff/1.22.4/font/devps/CR +#usr/share/groff/1.22.4/font/devps/DESC +#usr/share/groff/1.22.4/font/devps/EURO +#usr/share/groff/1.22.4/font/devps/HB +#usr/share/groff/1.22.4/font/devps/HBI +#usr/share/groff/1.22.4/font/devps/HI +#usr/share/groff/1.22.4/font/devps/HNB +#usr/share/groff/1.22.4/font/devps/HNBI +#usr/share/groff/1.22.4/font/devps/HNI +#usr/share/groff/1.22.4/font/devps/HNR +#usr/share/groff/1.22.4/font/devps/HR +#usr/share/groff/1.22.4/font/devps/NB +#usr/share/groff/1.22.4/font/devps/NBI +#usr/share/groff/1.22.4/font/devps/NI +#usr/share/groff/1.22.4/font/devps/NR +#usr/share/groff/1.22.4/font/devps/PB +#usr/share/groff/1.22.4/font/devps/PBI +#usr/share/groff/1.22.4/font/devps/PI +#usr/share/groff/1.22.4/font/devps/PR +#usr/share/groff/1.22.4/font/devps/S +#usr/share/groff/1.22.4/font/devps/SS +#usr/share/groff/1.22.4/font/devps/TB +#usr/share/groff/1.22.4/font/devps/TBI +#usr/share/groff/1.22.4/font/devps/TI +#usr/share/groff/1.22.4/font/devps/TR +#usr/share/groff/1.22.4/font/devps/ZCMI +#usr/share/groff/1.22.4/font/devps/ZD +#usr/share/groff/1.22.4/font/devps/ZDR +#usr/share/groff/1.22.4/font/devps/download +#usr/share/groff/1.22.4/font/devps/freeeuro.afm +#usr/share/groff/1.22.4/font/devps/freeeuro.pfa +#usr/share/groff/1.22.4/font/devps/generate +#usr/share/groff/1.22.4/font/devps/generate/Makefile +#usr/share/groff/1.22.4/font/devps/generate/afmname +#usr/share/groff/1.22.4/font/devps/generate/dingbats.map +#usr/share/groff/1.22.4/font/devps/generate/dingbats.rmap +#usr/share/groff/1.22.4/font/devps/generate/lgreekmap +#usr/share/groff/1.22.4/font/devps/generate/symbol.sed +#usr/share/groff/1.22.4/font/devps/generate/symbolchars +#usr/share/groff/1.22.4/font/devps/generate/symbolsl.afm +#usr/share/groff/1.22.4/font/devps/generate/textmap +#usr/share/groff/1.22.4/font/devps/prologue +#usr/share/groff/1.22.4/font/devps/symbolsl.pfa +#usr/share/groff/1.22.4/font/devps/text.enc +#usr/share/groff/1.22.4/font/devps/zapfdr.pfa +#usr/share/groff/1.22.4/font/devutf8 +#usr/share/groff/1.22.4/font/devutf8/B +#usr/share/groff/1.22.4/font/devutf8/BI +#usr/share/groff/1.22.4/font/devutf8/DESC +#usr/share/groff/1.22.4/font/devutf8/I +#usr/share/groff/1.22.4/font/devutf8/R +#usr/share/groff/1.22.4/oldfont +#usr/share/groff/1.22.4/oldfont/devps +#usr/share/groff/1.22.4/oldfont/devps/CB +#usr/share/groff/1.22.4/oldfont/devps/CBI +#usr/share/groff/1.22.4/oldfont/devps/CI +#usr/share/groff/1.22.4/oldfont/devps/CR +#usr/share/groff/1.22.4/oldfont/devps/HB +#usr/share/groff/1.22.4/oldfont/devps/HBI +#usr/share/groff/1.22.4/oldfont/devps/HI +#usr/share/groff/1.22.4/oldfont/devps/HNB +#usr/share/groff/1.22.4/oldfont/devps/HNBI +#usr/share/groff/1.22.4/oldfont/devps/HNI +#usr/share/groff/1.22.4/oldfont/devps/HNR +#usr/share/groff/1.22.4/oldfont/devps/HR +#usr/share/groff/1.22.4/oldfont/devps/NB +#usr/share/groff/1.22.4/oldfont/devps/NBI +#usr/share/groff/1.22.4/oldfont/devps/NI +#usr/share/groff/1.22.4/oldfont/devps/NR +#usr/share/groff/1.22.4/oldfont/devps/PB +#usr/share/groff/1.22.4/oldfont/devps/PBI +#usr/share/groff/1.22.4/oldfont/devps/PI +#usr/share/groff/1.22.4/oldfont/devps/PR +#usr/share/groff/1.22.4/oldfont/devps/S +#usr/share/groff/1.22.4/oldfont/devps/SS +#usr/share/groff/1.22.4/oldfont/devps/TB +#usr/share/groff/1.22.4/oldfont/devps/TBI +#usr/share/groff/1.22.4/oldfont/devps/TI +#usr/share/groff/1.22.4/oldfont/devps/TR +#usr/share/groff/1.22.4/oldfont/devps/symbol.afm +#usr/share/groff/1.22.4/oldfont/devps/symbolsl.afm +#usr/share/groff/1.22.4/oldfont/devps/zapfdr.afm +#usr/share/groff/1.22.4/oldfont/devps/zapfdr.ps +#usr/share/groff/1.22.4/pic +#usr/share/groff/1.22.4/pic/chem.pic +#usr/share/groff/1.22.4/tmac +#usr/share/groff/1.22.4/tmac/62bit.tmac +#usr/share/groff/1.22.4/tmac/X.tmac +#usr/share/groff/1.22.4/tmac/Xps.tmac +#usr/share/groff/1.22.4/tmac/a4.tmac +#usr/share/groff/1.22.4/tmac/an-ext.tmac +#usr/share/groff/1.22.4/tmac/an-old.tmac +#usr/share/groff/1.22.4/tmac/an.tmac +#usr/share/groff/1.22.4/tmac/andoc.tmac +#usr/share/groff/1.22.4/tmac/composite.tmac +#usr/share/groff/1.22.4/tmac/cp1047.tmac +#usr/share/groff/1.22.4/tmac/cs.tmac +#usr/share/groff/1.22.4/tmac/de.tmac +#usr/share/groff/1.22.4/tmac/den.tmac +#usr/share/groff/1.22.4/tmac/devtag.tmac +#usr/share/groff/1.22.4/tmac/doc-old.tmac +#usr/share/groff/1.22.4/tmac/doc.tmac +#usr/share/groff/1.22.4/tmac/dvi.tmac +#usr/share/groff/1.22.4/tmac/e.tmac +#usr/share/groff/1.22.4/tmac/ec.tmac +#usr/share/groff/1.22.4/tmac/eqnrc +#usr/share/groff/1.22.4/tmac/europs.tmac +#usr/share/groff/1.22.4/tmac/fallbacks.tmac +#usr/share/groff/1.22.4/tmac/fr.tmac +#usr/share/groff/1.22.4/tmac/hdmisc.tmac +#usr/share/groff/1.22.4/tmac/hdtbl.tmac +#usr/share/groff/1.22.4/tmac/html-end.tmac +#usr/share/groff/1.22.4/tmac/html.tmac +#usr/share/groff/1.22.4/tmac/hyphen.cs +#usr/share/groff/1.22.4/tmac/hyphen.den +#usr/share/groff/1.22.4/tmac/hyphen.det +#usr/share/groff/1.22.4/tmac/hyphen.fr +#usr/share/groff/1.22.4/tmac/hyphen.sv +#usr/share/groff/1.22.4/tmac/hyphen.us +#usr/share/groff/1.22.4/tmac/hyphenex.cs +#usr/share/groff/1.22.4/tmac/hyphenex.us +#usr/share/groff/1.22.4/tmac/ja.tmac +#usr/share/groff/1.22.4/tmac/latin1.tmac +#usr/share/groff/1.22.4/tmac/latin2.tmac +#usr/share/groff/1.22.4/tmac/latin5.tmac +#usr/share/groff/1.22.4/tmac/latin9.tmac +#usr/share/groff/1.22.4/tmac/lbp.tmac +#usr/share/groff/1.22.4/tmac/lj4.tmac +#usr/share/groff/1.22.4/tmac/m.tmac +#usr/share/groff/1.22.4/tmac/man.tmac +#usr/share/groff/1.22.4/tmac/mandoc.tmac +#usr/share/groff/1.22.4/tmac/mdoc +#usr/share/groff/1.22.4/tmac/mdoc.tmac +#usr/share/groff/1.22.4/tmac/mdoc/doc-common +#usr/share/groff/1.22.4/tmac/mdoc/doc-ditroff +#usr/share/groff/1.22.4/tmac/mdoc/doc-nroff +#usr/share/groff/1.22.4/tmac/mdoc/doc-syms +#usr/share/groff/1.22.4/tmac/me.tmac +#usr/share/groff/1.22.4/tmac/mm +#usr/share/groff/1.22.4/tmac/mm.tmac +#usr/share/groff/1.22.4/tmac/mm/0.MT +#usr/share/groff/1.22.4/tmac/mm/4.MT +#usr/share/groff/1.22.4/tmac/mm/5.MT +#usr/share/groff/1.22.4/tmac/mm/locale +#usr/share/groff/1.22.4/tmac/mm/ms.cov +#usr/share/groff/1.22.4/tmac/mm/se_locale +#usr/share/groff/1.22.4/tmac/mm/se_ms.cov +#usr/share/groff/1.22.4/tmac/mmse.tmac +#usr/share/groff/1.22.4/tmac/mom.tmac +#usr/share/groff/1.22.4/tmac/ms.tmac +#usr/share/groff/1.22.4/tmac/mse.tmac +#usr/share/groff/1.22.4/tmac/om.tmac +#usr/share/groff/1.22.4/tmac/papersize.tmac +#usr/share/groff/1.22.4/tmac/pdf.tmac +#usr/share/groff/1.22.4/tmac/pdfmark.tmac +#usr/share/groff/1.22.4/tmac/pdfpic.tmac +#usr/share/groff/1.22.4/tmac/pic.tmac +#usr/share/groff/1.22.4/tmac/ps.tmac +#usr/share/groff/1.22.4/tmac/psatk.tmac +#usr/share/groff/1.22.4/tmac/psold.tmac +#usr/share/groff/1.22.4/tmac/pspic.tmac +#usr/share/groff/1.22.4/tmac/refer-me.tmac +#usr/share/groff/1.22.4/tmac/refer-mm.tmac +#usr/share/groff/1.22.4/tmac/refer-ms.tmac +#usr/share/groff/1.22.4/tmac/refer.tmac +#usr/share/groff/1.22.4/tmac/s.tmac +#usr/share/groff/1.22.4/tmac/safer.tmac +#usr/share/groff/1.22.4/tmac/spdf.tmac +#usr/share/groff/1.22.4/tmac/sv.tmac +#usr/share/groff/1.22.4/tmac/trace.tmac +#usr/share/groff/1.22.4/tmac/trans.tmac +#usr/share/groff/1.22.4/tmac/troffrc +#usr/share/groff/1.22.4/tmac/troffrc-end +#usr/share/groff/1.22.4/tmac/tty-char.tmac +#usr/share/groff/1.22.4/tmac/tty.tmac +#usr/share/groff/1.22.4/tmac/unicode.tmac +#usr/share/groff/1.22.4/tmac/www.tmac +#usr/share/groff/1.22.4/tmac/zh.tmac #usr/share/groff/current #usr/share/groff/site-font #usr/share/groff/site-tmac @@ -624,6 +633,7 @@ #usr/share/man/man1/tbl.1 #usr/share/man/man1/tfmtodit.1 #usr/share/man/man1/troff.1 +#usr/share/man/man5/groff_filenames.5 #usr/share/man/man5/groff_font.5 #usr/share/man/man5/groff_out.5 #usr/share/man/man5/groff_tmac.5 @@ -632,7 +642,6 @@ #usr/share/man/man7/groff.7 #usr/share/man/man7/groff_char.7 #usr/share/man/man7/groff_diff.7 -#usr/share/man/man7/groff_filenames.7 #usr/share/man/man7/groff_hdtbl.7 #usr/share/man/man7/groff_man.7 #usr/share/man/man7/groff_mdoc.7 diff --git a/config/rootfiles/common/i586/binutils b/config/rootfiles/common/i586/binutils index 42c82cbd7..20d8972a8 100644 --- a/config/rootfiles/common/i586/binutils +++ b/config/rootfiles/common/i586/binutils @@ -10,9 +10,9 @@ #usr/bin/objcopy #usr/bin/objdump #usr/bin/ranlib -#usr/bin/readelf +usr/bin/readelf #usr/bin/size -#usr/bin/strings +usr/bin/strings #usr/bin/strip #usr/include/ansidecl.h #usr/include/bfd.h diff --git a/config/rootfiles/common/ipset b/config/rootfiles/common/ipset index 24f5e95f5..b3fcb640b 100644 --- a/config/rootfiles/common/ipset +++ b/config/rootfiles/common/ipset @@ -3,6 +3,7 @@ etc/ipset #usr/include/libipset/args.h #usr/include/libipset/data.h #usr/include/libipset/errcode.h +#usr/include/libipset/ipset.h #usr/include/libipset/linux_ip_set.h #usr/include/libipset/linux_ip_set_bitmap.h #usr/include/libipset/linux_ip_set_hash.h @@ -16,12 +17,12 @@ etc/ipset #usr/include/libipset/session.h #usr/include/libipset/transport.h #usr/include/libipset/types.h -#usr/include/libipset/ui.h #usr/include/libipset/utils.h #usr/lib/libipset.la #usr/lib/libipset.so -usr/lib/libipset.so.11 -usr/lib/libipset.so.11.1.0 +usr/lib/libipset.so.13 +usr/lib/libipset.so.13.1.0 #usr/lib/pkgconfig/libipset.pc usr/sbin/ipset +#usr/share/man/man3/libipset.3 #usr/share/man/man8/ipset.8 diff --git a/config/rootfiles/common/iptables b/config/rootfiles/common/iptables index d7584c0ad..f1a6af00e 100644 --- a/config/rootfiles/common/iptables +++ b/config/rootfiles/common/iptables @@ -17,12 +17,8 @@ lib/libiptc.so.0.0.0 #lib/libxtables.la lib/libxtables.so lib/libxtables.so.12 -lib/libxtables.so.12.0.0 +lib/libxtables.so.12.2.0 #lib/xtables -lib/xtables/libebt_802_3.so -lib/xtables/libebt_ip.so -lib/xtables/libebt_log.so -lib/xtables/libebt_mark_m.so lib/xtables/libip6t_DNAT.so lib/xtables/libip6t_DNPT.so lib/xtables/libip6t_HL.so @@ -109,7 +105,6 @@ lib/xtables/libxt_layer7.so lib/xtables/libxt_length.so lib/xtables/libxt_limit.so lib/xtables/libxt_mac.so -lib/xtables/libxt_mangle.so lib/xtables/libxt_mark.so lib/xtables/libxt_multiport.so lib/xtables/libxt_nfacct.so @@ -136,14 +131,20 @@ lib/xtables/libxt_tos.so lib/xtables/libxt_u32.so lib/xtables/libxt_udp.so sbin/ip6tables +#sbin/ip6tables-legacy +#sbin/ip6tables-legacy-restore +#sbin/ip6tables-legacy-save sbin/ip6tables-restore sbin/ip6tables-save sbin/iptables +#sbin/iptables-legacy +#sbin/iptables-legacy-restore +#sbin/iptables-legacy-save sbin/iptables-restore sbin/iptables-save sbin/iptables-xml #sbin/nfnl_osf -sbin/xtables-multi +sbin/xtables-legacy-multi #usr/include/libipq.h #usr/include/libiptc #usr/include/libiptc/ipt_kernel_headers.h @@ -178,5 +179,9 @@ sbin/xtables-multi #usr/share/man/man8/iptables-save.8 #usr/share/man/man8/iptables.8 #usr/share/man/man8/nfnl_osf.8 +#usr/share/man/man8/xtables-legacy.8 +#usr/share/man/man8/xtables-monitor.8 +#usr/share/man/man8/xtables-nft.8 +#usr/share/man/man8/xtables-translate.8 #usr/share/xtables usr/share/xtables/pf.os diff --git a/config/rootfiles/common/knot b/config/rootfiles/common/knot index 68d1e702e..c0d900e6b 100644 --- a/config/rootfiles/common/knot +++ b/config/rootfiles/common/knot @@ -1,93 +1,15 @@ usr/bin/kdig -#usr/bin/khost -#usr/bin/knsec3hash -#usr/bin/knsupdate -#usr/include/knot -#usr/include/knot/module.h -#usr/include/libdnssec -#usr/include/libdnssec/binary.h -#usr/include/libdnssec/crypto.h -#usr/include/libdnssec/dnssec.h -#usr/include/libdnssec/error.h -#usr/include/libdnssec/key.h -#usr/include/libdnssec/keyid.h -#usr/include/libdnssec/keystore.h -#usr/include/libdnssec/keytag.h -#usr/include/libdnssec/list.h -#usr/include/libdnssec/nsec.h -#usr/include/libdnssec/random.h -#usr/include/libdnssec/sign.h -#usr/include/libdnssec/tsig.h -#usr/include/libdnssec/version.h -#usr/include/libknot -#usr/include/libknot/attribute.h -#usr/include/libknot/codes.h -#usr/include/libknot/consts.h -#usr/include/libknot/control -#usr/include/libknot/control/control.h -#usr/include/libknot/cookies.h -#usr/include/libknot/db -#usr/include/libknot/db/db.h -#usr/include/libknot/db/db_lmdb.h -#usr/include/libknot/db/db_trie.h -#usr/include/libknot/descriptor.h -#usr/include/libknot/dname.h -#usr/include/libknot/endian.h -#usr/include/libknot/errcode.h -#usr/include/libknot/error.h -#usr/include/libknot/libknot.h -#usr/include/libknot/lookup.h -#usr/include/libknot/mm_ctx.h -#usr/include/libknot/packet -#usr/include/libknot/packet/compr.h -#usr/include/libknot/packet/pkt.h -#usr/include/libknot/packet/rrset-wire.h -#usr/include/libknot/packet/wire.h -#usr/include/libknot/rdata.h -#usr/include/libknot/rdataset.h -#usr/include/libknot/rrset-dump.h -#usr/include/libknot/rrset.h -#usr/include/libknot/rrtype -#usr/include/libknot/rrtype/dnskey.h -#usr/include/libknot/rrtype/ds.h -#usr/include/libknot/rrtype/naptr.h -#usr/include/libknot/rrtype/nsec.h -#usr/include/libknot/rrtype/nsec3.h -#usr/include/libknot/rrtype/nsec3param.h -#usr/include/libknot/rrtype/opt.h -#usr/include/libknot/rrtype/rdname.h -#usr/include/libknot/rrtype/rrsig.h -#usr/include/libknot/rrtype/soa.h -#usr/include/libknot/rrtype/tsig.h -#usr/include/libknot/tsig-op.h -#usr/include/libknot/tsig.h -#usr/include/libknot/version.h -#usr/include/libknot/wire.h -#usr/include/libknot/yparser -#usr/include/libknot/yparser/yparser.h -#usr/include/libknot/yparser/ypformat.h -#usr/include/libknot/yparser/ypschema.h -#usr/include/libknot/yparser/yptrafo.h -#usr/include/libzscanner -#usr/include/libzscanner/error.h -#usr/include/libzscanner/scanner.h -#usr/include/libzscanner/version.h +#usr/lib/libcontrib.a +#usr/lib/libcontrib.la #usr/lib/libdnssec.la +#usr/lib/libdnssec.lai #usr/lib/libdnssec.so -usr/lib/libdnssec.so.6 -usr/lib/libdnssec.so.6.0.0 +usr/lib/libdnssec.so.7 +usr/lib/libdnssec.so.7.0.0 #usr/lib/libknot.la +#usr/lib/libknot.lai #usr/lib/libknot.so -usr/lib/libknot.so.8 -usr/lib/libknot.so.8.0.0 -#usr/lib/libzscanner.la -#usr/lib/libzscanner.so -usr/lib/libzscanner.so.2 -usr/lib/libzscanner.so.2.0.0 -#usr/lib/pkgconfig/libdnssec.pc -#usr/lib/pkgconfig/libknot.pc -#usr/lib/pkgconfig/libzscanner.pc -#usr/share/man/man1/kdig.1 -#usr/share/man/man1/khost.1 -#usr/share/man/man1/knsec3hash.1 -#usr/share/man/man1/knsupdate.1 +usr/lib/libknot.so.9 +usr/lib/libknot.so.9.0.0 +#usr/lib/libknotus.a +#usr/lib/libknotus.la diff --git a/config/rootfiles/common/libgcrypt b/config/rootfiles/common/libgcrypt index e092ebbc7..efd9ac46a 100644 --- a/config/rootfiles/common/libgcrypt +++ b/config/rootfiles/common/libgcrypt @@ -6,7 +6,7 @@ #usr/lib/libgcrypt.la #usr/lib/libgcrypt.so usr/lib/libgcrypt.so.20 -usr/lib/libgcrypt.so.20.2.3 +usr/lib/libgcrypt.so.20.2.4 #usr/share/aclocal/libgcrypt.m4 #usr/share/info/gcrypt.info #usr/share/info/gcrypt.info-1 diff --git a/config/rootfiles/common/openssl b/config/rootfiles/common/openssl index 51867d6d0..f6f3dc687 100644 --- a/config/rootfiles/common/openssl +++ b/config/rootfiles/common/openssl @@ -2029,6 +2029,8 @@ usr/lib/libssl.so.1.1 #usr/share/doc/openssl/html/man3/OPENSSL_INIT_free.html #usr/share/doc/openssl/html/man3/OPENSSL_INIT_new.html #usr/share/doc/openssl/html/man3/OPENSSL_INIT_set_config_appname.html +#usr/share/doc/openssl/html/man3/OPENSSL_INIT_set_config_file_flags.html +#usr/share/doc/openssl/html/man3/OPENSSL_INIT_set_config_filename.html #usr/share/doc/openssl/html/man3/OPENSSL_LH_COMPFUNC.html #usr/share/doc/openssl/html/man3/OPENSSL_LH_DOALL_FUNC.html #usr/share/doc/openssl/html/man3/OPENSSL_LH_HASHFUNC.html @@ -5941,6 +5943,8 @@ usr/lib/libssl.so.1.1 #usr/share/man/man3/OPENSSL_INIT_free.3 #usr/share/man/man3/OPENSSL_INIT_new.3 #usr/share/man/man3/OPENSSL_INIT_set_config_appname.3 +#usr/share/man/man3/OPENSSL_INIT_set_config_file_flags.3 +#usr/share/man/man3/OPENSSL_INIT_set_config_filename.3 #usr/share/man/man3/OPENSSL_LH_COMPFUNC.3 #usr/share/man/man3/OPENSSL_LH_DOALL_FUNC.3 #usr/share/man/man3/OPENSSL_LH_HASHFUNC.3 @@ -7955,4 +7959,4 @@ usr/lib/libssl.so.1.1 #usr/share/man/man7/passphrase-encoding.7 #usr/share/man/man7/scrypt.7 #usr/share/man/man7/ssl.7 -#usr/share/man/man7/x509.7 \ No newline at end of file +#usr/share/man/man7/x509.7 diff --git a/config/rootfiles/common/stage2 b/config/rootfiles/common/stage2 index 5665f2301..ea941cdbe 100644 --- a/config/rootfiles/common/stage2 +++ b/config/rootfiles/common/stage2 @@ -75,7 +75,7 @@ usr/bin/captive-cleanup #usr/lib usr/lib/firewall usr/lib/firewall/firewall-lib.pl -usr/lib/firewall/ipsec-block +usr/lib/firewall/ipsec-policy usr/lib/firewall/rules.pl #usr/lib/libgcc_s.so usr/lib/libgcc_s.so.1 @@ -91,6 +91,7 @@ usr/local/bin/connscheduler usr/local/bin/consort.sh usr/local/bin/convert-ovpn usr/local/bin/hddshutdown +usr/local/bin/ipsec-interfaces usr/local/bin/makegraphs usr/local/bin/qosd usr/local/bin/readhash diff --git a/config/rootfiles/common/unbound b/config/rootfiles/common/unbound index 9a8126c15..843e0eeca 100644 --- a/config/rootfiles/common/unbound +++ b/config/rootfiles/common/unbound @@ -11,7 +11,7 @@ etc/unbound/unbound.conf #usr/lib/libunbound.la #usr/lib/libunbound.so usr/lib/libunbound.so.8 -usr/lib/libunbound.so.8.0.3 +usr/lib/libunbound.so.8.1.0 #usr/lib/pkgconfig/libunbound.pc usr/sbin/unbound usr/sbin/unbound-anchor diff --git a/config/rootfiles/common/x86_64/binutils b/config/rootfiles/common/x86_64/binutils index 42c82cbd7..20d8972a8 100644 --- a/config/rootfiles/common/x86_64/binutils +++ b/config/rootfiles/common/x86_64/binutils @@ -10,9 +10,9 @@ #usr/bin/objcopy #usr/bin/objdump #usr/bin/ranlib -#usr/bin/readelf +usr/bin/readelf #usr/bin/size -#usr/bin/strings +usr/bin/strings #usr/bin/strip #usr/include/ansidecl.h #usr/include/bfd.h diff --git a/config/rootfiles/common/x86_64/stage2 b/config/rootfiles/common/x86_64/stage2 index 110114c47..c6d19a5f6 100644 --- a/config/rootfiles/common/x86_64/stage2 +++ b/config/rootfiles/common/x86_64/stage2 @@ -76,7 +76,7 @@ usr/bin/captive-cleanup #usr/lib usr/lib/firewall usr/lib/firewall/firewall-lib.pl -usr/lib/firewall/ipsec-block +usr/lib/firewall/ipsec-policy usr/lib/firewall/rules.pl #usr/lib/libgcc_s.so usr/lib/libgcc_s.so.1 @@ -93,6 +93,7 @@ usr/local/bin/connscheduler usr/local/bin/consort.sh usr/local/bin/convert-ovpn usr/local/bin/hddshutdown +usr/local/bin/ipsec-interfaces usr/local/bin/makegraphs usr/local/bin/qosd usr/local/bin/readhash diff --git a/config/rootfiles/core/129/exclude b/config/rootfiles/core/129/exclude new file mode 100644 index 000000000..b22159878 --- /dev/null +++ b/config/rootfiles/core/129/exclude @@ -0,0 +1,28 @@ +boot/config.txt +boot/grub/grub.cfg +boot/grub/grubenv +etc/alternatives +etc/collectd.custom +etc/default/grub +etc/ipsec.conf +etc/ipsec.secrets +etc/ipsec.user.conf +etc/ipsec.user.secrets +etc/localtime +etc/shadow +etc/snort/snort.conf +etc/ssl/openssl.cnf +etc/sudoers +etc/sysconfig/firewall.local +etc/sysconfig/rc.local +etc/udev/rules.d/30-persistent-network.rules +srv/web/ipfire/html/proxy.pac +var/ipfire/dma +var/ipfire/time +var/ipfire/ovpn +var/lib/alternatives +var/log/cache +var/log/dhcpcd.log +var/log/messages +var/state/dhcp/dhcpd.leases +var/updatecache diff --git a/config/rootfiles/core/129/filelists/aarch64/u-boot b/config/rootfiles/core/129/filelists/aarch64/u-boot new file mode 100644 index 000000000..6a00446f4 --- /dev/null +++ b/config/rootfiles/core/129/filelists/aarch64/u-boot @@ -0,0 +1,2 @@ +boot/boot.cmd +boot/boot.scr diff --git a/config/rootfiles/core/129/filelists/armv5tel/u-boot b/config/rootfiles/core/129/filelists/armv5tel/u-boot new file mode 100644 index 000000000..6a00446f4 --- /dev/null +++ b/config/rootfiles/core/129/filelists/armv5tel/u-boot @@ -0,0 +1,2 @@ +boot/boot.cmd +boot/boot.scr diff --git a/config/rootfiles/core/129/filelists/bind b/config/rootfiles/core/129/filelists/bind new file mode 120000 index 000000000..48a0ebaef --- /dev/null +++ b/config/rootfiles/core/129/filelists/bind @@ -0,0 +1 @@ +../../../common/bind \ No newline at end of file diff --git a/config/rootfiles/core/129/filelists/files b/config/rootfiles/core/129/filelists/files new file mode 100644 index 000000000..8e040cbbb --- /dev/null +++ b/config/rootfiles/core/129/filelists/files @@ -0,0 +1,20 @@ +etc/system-release +etc/issue +var/ipfire/langs +etc/rc.d/init.d/firewall +etc/rc.d/init.d/network +etc/rc.d/init.d/networking/red.up/50-ipsec +etc/rc.d/init.d/unbound +srv/web/ipfire/cgi-bin/credits.cgi +srv/web/ipfire/cgi-bin/dhcp.cgi +srv/web/ipfire/cgi-bin/dnsforward.cgi +srv/web/ipfire/cgi-bin/index.cgi +srv/web/ipfire/cgi-bin/netovpnsrv.cgi +srv/web/ipfire/cgi-bin/proxy.cgi +srv/web/ipfire/cgi-bin/vpnmain.cgi +usr/bin/readelf +usr/bin/strings +usr/lib/firewall/firewall-lib.pl +usr/lib/firewall/ipsec-policy +usr/local/bin/ipsec-interfaces +usr/local/bin/ipsecctrl diff --git a/config/rootfiles/core/129/filelists/groff b/config/rootfiles/core/129/filelists/groff new file mode 120000 index 000000000..232291e52 --- /dev/null +++ b/config/rootfiles/core/129/filelists/groff @@ -0,0 +1 @@ +../../../common/groff \ No newline at end of file diff --git a/config/rootfiles/core/128/filelists/i586/openssl-sse2 b/config/rootfiles/core/129/filelists/i586/openssl-sse2 similarity index 100% rename from config/rootfiles/core/128/filelists/i586/openssl-sse2 rename to config/rootfiles/core/129/filelists/i586/openssl-sse2 diff --git a/config/rootfiles/core/129/filelists/ipset b/config/rootfiles/core/129/filelists/ipset new file mode 120000 index 000000000..2b43691f2 --- /dev/null +++ b/config/rootfiles/core/129/filelists/ipset @@ -0,0 +1 @@ +../../../common/ipset \ No newline at end of file diff --git a/config/rootfiles/core/128/filelists/knot b/config/rootfiles/core/129/filelists/knot similarity index 100% rename from config/rootfiles/core/128/filelists/knot rename to config/rootfiles/core/129/filelists/knot diff --git a/config/rootfiles/core/129/filelists/less b/config/rootfiles/core/129/filelists/less new file mode 120000 index 000000000..65c0e0771 --- /dev/null +++ b/config/rootfiles/core/129/filelists/less @@ -0,0 +1 @@ +../../../common/less \ No newline at end of file diff --git a/config/rootfiles/core/129/filelists/libgcrypt b/config/rootfiles/core/129/filelists/libgcrypt new file mode 120000 index 000000000..2df12a20e --- /dev/null +++ b/config/rootfiles/core/129/filelists/libgcrypt @@ -0,0 +1 @@ +../../../common/libgcrypt \ No newline at end of file diff --git a/config/rootfiles/core/128/filelists/openssl b/config/rootfiles/core/129/filelists/openssl similarity index 100% rename from config/rootfiles/core/128/filelists/openssl rename to config/rootfiles/core/129/filelists/openssl diff --git a/config/rootfiles/core/129/filelists/openvpn b/config/rootfiles/core/129/filelists/openvpn new file mode 120000 index 000000000..493f3f7a4 --- /dev/null +++ b/config/rootfiles/core/129/filelists/openvpn @@ -0,0 +1 @@ +../../../common/openvpn \ No newline at end of file diff --git a/config/rootfiles/core/129/filelists/squid b/config/rootfiles/core/129/filelists/squid new file mode 120000 index 000000000..2dc8372a0 --- /dev/null +++ b/config/rootfiles/core/129/filelists/squid @@ -0,0 +1 @@ +../../../common/squid \ No newline at end of file diff --git a/config/rootfiles/core/128/filelists/strongswan b/config/rootfiles/core/129/filelists/strongswan similarity index 100% rename from config/rootfiles/core/128/filelists/strongswan rename to config/rootfiles/core/129/filelists/strongswan diff --git a/config/rootfiles/core/129/filelists/tar b/config/rootfiles/core/129/filelists/tar new file mode 120000 index 000000000..3e585d2eb --- /dev/null +++ b/config/rootfiles/core/129/filelists/tar @@ -0,0 +1 @@ +../../../common/tar \ No newline at end of file diff --git a/config/rootfiles/core/129/filelists/unbound b/config/rootfiles/core/129/filelists/unbound new file mode 120000 index 000000000..66adf0924 --- /dev/null +++ b/config/rootfiles/core/129/filelists/unbound @@ -0,0 +1 @@ +../../../common/unbound \ No newline at end of file diff --git a/config/rootfiles/core/129/filelists/wpa_supplicant b/config/rootfiles/core/129/filelists/wpa_supplicant new file mode 120000 index 000000000..1d04c03c0 --- /dev/null +++ b/config/rootfiles/core/129/filelists/wpa_supplicant @@ -0,0 +1 @@ +../../../common/wpa_supplicant \ No newline at end of file diff --git a/config/rootfiles/core/129/update.sh b/config/rootfiles/core/129/update.sh new file mode 100644 index 000000000..62a278ce5 --- /dev/null +++ b/config/rootfiles/core/129/update.sh @@ -0,0 +1,77 @@ +#!/bin/bash +############################################################################ +# # +# This file is part of the IPFire Firewall. # +# # +# IPFire is free software; you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation; either version 3 of the License, or # +# (at your option) any later version. # +# # +# IPFire is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with IPFire; if not, write to the Free Software # +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # +# # +# Copyright (C) 2019 IPFire-Team info@ipfire.org. # +# # +############################################################################ +# +. /opt/pakfire/lib/functions.sh +/usr/local/bin/backupctrl exclude >/dev/null 2>&1 + +core=129 + +# Remove old core updates from pakfire cache to save space... +for (( i=1; i<=$core; i++ )); do + rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire +done + +# Stop services +/etc/init.d/squid stop +/usr/local/bin/openvpnctrl -k +/usr/local/bin/openvpnctrl -kn2n +/usr/local/bin/ipsecctrl D +/etc/init.d/unbound stop + +# Remove files +rm -vf \ + /usr/lib/firewall/ipsec-block + +# Extract files +extract_files + +# update linker config +ldconfig + +# Update Language cache +/usr/local/bin/update-lang-cache + +# Start services +/etc/init.d/firewall restart +/etc/init.d/unbound start +/usr/local/bin/ipsecctrl S +/usr/local/bin/openvpnctrl -s +/usr/local/bin/openvpnctrl -sn2n +/etc/init.d/squid start + +# This update needs a reboot... +#touch /var/run/need_reboot + +# Finish +/etc/init.d/fireinfo start +sendprofile + +# Update grub config to display new core version +if [ -e /boot/grub/grub.cfg ]; then + grub-mkconfig -o /boot/grub/grub.cfg +fi + +sync + +# Don't report the exitcode last command +exit 0 diff --git a/config/rootfiles/core/128/exclude b/config/rootfiles/oldcore/128/exclude similarity index 100% rename from config/rootfiles/core/128/exclude rename to config/rootfiles/oldcore/128/exclude diff --git a/config/rootfiles/core/128/filelists/aarch64/linux b/config/rootfiles/oldcore/128/filelists/aarch64/linux similarity index 100% rename from config/rootfiles/core/128/filelists/aarch64/linux rename to config/rootfiles/oldcore/128/filelists/aarch64/linux diff --git a/config/rootfiles/core/128/filelists/aarch64/linux-initrd b/config/rootfiles/oldcore/128/filelists/aarch64/linux-initrd similarity index 100% rename from config/rootfiles/core/128/filelists/aarch64/linux-initrd rename to config/rootfiles/oldcore/128/filelists/aarch64/linux-initrd diff --git a/config/rootfiles/core/128/filelists/apache2 b/config/rootfiles/oldcore/128/filelists/apache2 similarity index 100% rename from config/rootfiles/core/128/filelists/apache2 rename to config/rootfiles/oldcore/128/filelists/apache2 diff --git a/config/rootfiles/core/128/filelists/apr b/config/rootfiles/oldcore/128/filelists/apr similarity index 100% rename from config/rootfiles/core/128/filelists/apr rename to config/rootfiles/oldcore/128/filelists/apr diff --git a/config/rootfiles/core/128/filelists/armv5tel/linux-initrd-kirkwood b/config/rootfiles/oldcore/128/filelists/armv5tel/linux-initrd-kirkwood similarity index 100% rename from config/rootfiles/core/128/filelists/armv5tel/linux-initrd-kirkwood rename to config/rootfiles/oldcore/128/filelists/armv5tel/linux-initrd-kirkwood diff --git a/config/rootfiles/core/128/filelists/armv5tel/linux-initrd-multi b/config/rootfiles/oldcore/128/filelists/armv5tel/linux-initrd-multi similarity index 100% rename from config/rootfiles/core/128/filelists/armv5tel/linux-initrd-multi rename to config/rootfiles/oldcore/128/filelists/armv5tel/linux-initrd-multi diff --git a/config/rootfiles/core/128/filelists/armv5tel/linux-kirkwood b/config/rootfiles/oldcore/128/filelists/armv5tel/linux-kirkwood similarity index 100% rename from config/rootfiles/core/128/filelists/armv5tel/linux-kirkwood rename to config/rootfiles/oldcore/128/filelists/armv5tel/linux-kirkwood diff --git a/config/rootfiles/core/128/filelists/armv5tel/linux-multi b/config/rootfiles/oldcore/128/filelists/armv5tel/linux-multi similarity index 100% rename from config/rootfiles/core/128/filelists/armv5tel/linux-multi rename to config/rootfiles/oldcore/128/filelists/armv5tel/linux-multi diff --git a/config/rootfiles/core/128/filelists/ca-certificates b/config/rootfiles/oldcore/128/filelists/ca-certificates similarity index 100% rename from config/rootfiles/core/128/filelists/ca-certificates rename to config/rootfiles/oldcore/128/filelists/ca-certificates diff --git a/config/rootfiles/core/128/filelists/curl b/config/rootfiles/oldcore/128/filelists/curl similarity index 100% rename from config/rootfiles/core/128/filelists/curl rename to config/rootfiles/oldcore/128/filelists/curl diff --git a/config/rootfiles/core/128/filelists/dhcpcd b/config/rootfiles/oldcore/128/filelists/dhcpcd similarity index 100% rename from config/rootfiles/core/128/filelists/dhcpcd rename to config/rootfiles/oldcore/128/filelists/dhcpcd diff --git a/config/rootfiles/core/128/filelists/files b/config/rootfiles/oldcore/128/filelists/files similarity index 100% rename from config/rootfiles/core/128/filelists/files rename to config/rootfiles/oldcore/128/filelists/files diff --git a/config/rootfiles/core/128/filelists/i586/linux b/config/rootfiles/oldcore/128/filelists/i586/linux similarity index 100% rename from config/rootfiles/core/128/filelists/i586/linux rename to config/rootfiles/oldcore/128/filelists/i586/linux diff --git a/config/rootfiles/core/128/filelists/i586/linux-initrd b/config/rootfiles/oldcore/128/filelists/i586/linux-initrd similarity index 100% rename from config/rootfiles/core/128/filelists/i586/linux-initrd rename to config/rootfiles/oldcore/128/filelists/i586/linux-initrd diff --git a/config/rootfiles/oldcore/128/filelists/i586/openssl-sse2 b/config/rootfiles/oldcore/128/filelists/i586/openssl-sse2 new file mode 120000 index 000000000..f424713d6 --- /dev/null +++ b/config/rootfiles/oldcore/128/filelists/i586/openssl-sse2 @@ -0,0 +1 @@ +../../../../common/i586/openssl-sse2 \ No newline at end of file diff --git a/config/rootfiles/oldcore/128/filelists/knot b/config/rootfiles/oldcore/128/filelists/knot new file mode 120000 index 000000000..28e96f878 --- /dev/null +++ b/config/rootfiles/oldcore/128/filelists/knot @@ -0,0 +1 @@ +../../../common/knot \ No newline at end of file diff --git a/config/rootfiles/core/128/filelists/libedit b/config/rootfiles/oldcore/128/filelists/libedit similarity index 100% rename from config/rootfiles/core/128/filelists/libedit rename to config/rootfiles/oldcore/128/filelists/libedit diff --git a/config/rootfiles/core/128/filelists/logrotate b/config/rootfiles/oldcore/128/filelists/logrotate similarity index 100% rename from config/rootfiles/core/128/filelists/logrotate rename to config/rootfiles/oldcore/128/filelists/logrotate diff --git a/config/rootfiles/core/128/filelists/openldap b/config/rootfiles/oldcore/128/filelists/openldap similarity index 100% rename from config/rootfiles/core/128/filelists/openldap rename to config/rootfiles/oldcore/128/filelists/openldap diff --git a/config/rootfiles/core/128/filelists/openssh b/config/rootfiles/oldcore/128/filelists/openssh similarity index 100% rename from config/rootfiles/core/128/filelists/openssh rename to config/rootfiles/oldcore/128/filelists/openssh diff --git a/config/rootfiles/oldcore/128/filelists/openssl b/config/rootfiles/oldcore/128/filelists/openssl new file mode 120000 index 000000000..e011a9266 --- /dev/null +++ b/config/rootfiles/oldcore/128/filelists/openssl @@ -0,0 +1 @@ +../../../common/openssl \ No newline at end of file diff --git a/config/rootfiles/oldcore/128/filelists/strongswan b/config/rootfiles/oldcore/128/filelists/strongswan new file mode 120000 index 000000000..90c727e26 --- /dev/null +++ b/config/rootfiles/oldcore/128/filelists/strongswan @@ -0,0 +1 @@ +../../../common/strongswan \ No newline at end of file diff --git a/config/rootfiles/core/128/filelists/tzdata b/config/rootfiles/oldcore/128/filelists/tzdata similarity index 100% rename from config/rootfiles/core/128/filelists/tzdata rename to config/rootfiles/oldcore/128/filelists/tzdata diff --git a/config/rootfiles/core/128/filelists/x86_64/linux b/config/rootfiles/oldcore/128/filelists/x86_64/linux similarity index 100% rename from config/rootfiles/core/128/filelists/x86_64/linux rename to config/rootfiles/oldcore/128/filelists/x86_64/linux diff --git a/config/rootfiles/core/128/filelists/x86_64/linux-initrd b/config/rootfiles/oldcore/128/filelists/x86_64/linux-initrd similarity index 100% rename from config/rootfiles/core/128/filelists/x86_64/linux-initrd rename to config/rootfiles/oldcore/128/filelists/x86_64/linux-initrd diff --git a/config/rootfiles/core/128/update.sh b/config/rootfiles/oldcore/128/update.sh similarity index 100% rename from config/rootfiles/core/128/update.sh rename to config/rootfiles/oldcore/128/update.sh diff --git a/config/rootfiles/packages/netsnmpd b/config/rootfiles/packages/netsnmpd index 9d80ec2ad..7a0ad242e 100644 --- a/config/rootfiles/packages/netsnmpd +++ b/config/rootfiles/packages/netsnmpd @@ -1,8 +1,10 @@ +etc/rc.d/init.d/netsnmpd etc/rc.d/rc0.d/K02netsnmpd etc/rc.d/rc3.d/S65netsnmpd etc/rc.d/rc6.d/K02netsnmpd etc/snmpd.conf usr/bin/agentxtrap +usr/bin/checkbandwidth usr/bin/encode_keychange usr/bin/fixproc usr/bin/ipf-mod.pl @@ -22,10 +24,14 @@ usr/bin/snmpget usr/bin/snmpgetnext usr/bin/snmpinform usr/bin/snmpnetstat +usr/bin/snmppcap +usr/bin/snmpping +usr/bin/snmpps usr/bin/snmpset usr/bin/snmpstatus usr/bin/snmptable usr/bin/snmptest +usr/bin/snmptop usr/bin/snmptranslate usr/bin/snmptrap usr/bin/snmpusm @@ -58,6 +64,7 @@ usr/bin/traptoemail #usr/include/net-snmp/agent/mode_end_call.h #usr/include/net-snmp/agent/multiplexer.h #usr/include/net-snmp/agent/net-snmp-agent-includes.h +#usr/include/net-snmp/agent/netsnmp_close_fds.h #usr/include/net-snmp/agent/null.h #usr/include/net-snmp/agent/old_api.h #usr/include/net-snmp/agent/read_only.h @@ -114,6 +121,7 @@ usr/bin/traptoemail #usr/include/net-snmp/library/md5.h #usr/include/net-snmp/library/mib.h #usr/include/net-snmp/library/mt_support.h +#usr/include/net-snmp/library/netsnmp-attribute-format.h #usr/include/net-snmp/library/oid.h #usr/include/net-snmp/library/oid_stash.h #usr/include/net-snmp/library/parse.h @@ -124,12 +132,15 @@ usr/bin/traptoemail #usr/include/net-snmp/library/snmpAliasDomain.h #usr/include/net-snmp/library/snmpCallbackDomain.h #usr/include/net-snmp/library/snmpIPv4BaseDomain.h +#usr/include/net-snmp/library/snmpIPv6BaseDomain.h #usr/include/net-snmp/library/snmpSocketBaseDomain.h #usr/include/net-snmp/library/snmpTCPBaseDomain.h #usr/include/net-snmp/library/snmpTCPDomain.h +#usr/include/net-snmp/library/snmpTCPIPv6Domain.h #usr/include/net-snmp/library/snmpUDPBaseDomain.h #usr/include/net-snmp/library/snmpUDPDomain.h #usr/include/net-snmp/library/snmpUDPIPv4BaseDomain.h +#usr/include/net-snmp/library/snmpUDPIPv6Domain.h #usr/include/net-snmp/library/snmpUnixDomain.h #usr/include/net-snmp/library/snmp_alarm.h #usr/include/net-snmp/library/snmp_api.h @@ -174,6 +185,13 @@ usr/bin/traptoemail #usr/include/net-snmp/system/cygwin.h #usr/include/net-snmp/system/darwin.h #usr/include/net-snmp/system/darwin10.h +#usr/include/net-snmp/system/darwin11.h +#usr/include/net-snmp/system/darwin12.h +#usr/include/net-snmp/system/darwin13.h +#usr/include/net-snmp/system/darwin14.h +#usr/include/net-snmp/system/darwin15.h +#usr/include/net-snmp/system/darwin16.h +#usr/include/net-snmp/system/darwin17.h #usr/include/net-snmp/system/darwin7.h #usr/include/net-snmp/system/darwin8.h #usr/include/net-snmp/system/darwin9.h @@ -194,13 +212,17 @@ usr/bin/traptoemail #usr/include/net-snmp/system/generic.h #usr/include/net-snmp/system/hpux.h #usr/include/net-snmp/system/irix.h +#usr/include/net-snmp/system/kfreebsd.h #usr/include/net-snmp/system/linux.h #usr/include/net-snmp/system/mingw32.h +#usr/include/net-snmp/system/mingw32msvc.h #usr/include/net-snmp/system/mips.h #usr/include/net-snmp/system/netbsd.h +#usr/include/net-snmp/system/nto-qnx6.h #usr/include/net-snmp/system/openbsd.h #usr/include/net-snmp/system/openbsd4.h #usr/include/net-snmp/system/openbsd5.h +#usr/include/net-snmp/system/openbsd6.h #usr/include/net-snmp/system/osf5.h #usr/include/net-snmp/system/solaris.h #usr/include/net-snmp/system/solaris2.3.h @@ -217,31 +239,31 @@ usr/bin/traptoemail #usr/include/net-snmp/version.h #usr/lib/libnetsnmp.a #usr/lib/libnetsnmp.la -usr/lib/libnetsnmp.so -usr/lib/libnetsnmp.so.30 -usr/lib/libnetsnmp.so.30.0.3 +#usr/lib/libnetsnmp.so +usr/lib/libnetsnmp.so.35 +usr/lib/libnetsnmp.so.35.0.0 #usr/lib/libnetsnmpagent.a #usr/lib/libnetsnmpagent.la -usr/lib/libnetsnmpagent.so -usr/lib/libnetsnmpagent.so.30 -usr/lib/libnetsnmpagent.so.30.0.3 +#usr/lib/libnetsnmpagent.so +usr/lib/libnetsnmpagent.so.35 +usr/lib/libnetsnmpagent.so.35.0.0 #usr/lib/libnetsnmphelpers.a #usr/lib/libnetsnmphelpers.la -usr/lib/libnetsnmphelpers.so -usr/lib/libnetsnmphelpers.so.30 -usr/lib/libnetsnmphelpers.so.30.0.3 +#usr/lib/libnetsnmphelpers.so +usr/lib/libnetsnmphelpers.so.35 +usr/lib/libnetsnmphelpers.so.35.0.0 #usr/lib/libnetsnmpmibs.a #usr/lib/libnetsnmpmibs.la -usr/lib/libnetsnmpmibs.so -usr/lib/libnetsnmpmibs.so.30 -usr/lib/libnetsnmpmibs.so.30.0.3 +#usr/lib/libnetsnmpmibs.so +usr/lib/libnetsnmpmibs.so.35 +usr/lib/libnetsnmpmibs.so.35.0.0 #usr/lib/libnetsnmptrapd.a #usr/lib/libnetsnmptrapd.la -usr/lib/libnetsnmptrapd.so -usr/lib/libnetsnmptrapd.so.30 -usr/lib/libnetsnmptrapd.so.30.0.3 +#usr/lib/libnetsnmptrapd.so +usr/lib/libnetsnmptrapd.so.35 +usr/lib/libnetsnmptrapd.so.35.0.0 #usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/Bundle -#usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/Bundle/Makefile.subs.pl +usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/Bundle/MakefileSubs.pm #usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/NetSNMP usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/NetSNMP/ASN.pm usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/NetSNMP/OID.pm @@ -305,10 +327,12 @@ usr/sbin/snmptrapd #usr/share/man/man1/snmpgetnext.1 #usr/share/man/man1/snmpinform.1 #usr/share/man/man1/snmpnetstat.1 +#usr/share/man/man1/snmpps.1 #usr/share/man/man1/snmpset.1 #usr/share/man/man1/snmpstatus.1 #usr/share/man/man1/snmptable.1 #usr/share/man/man1/snmptest.1 +#usr/share/man/man1/snmptop.1 #usr/share/man/man1/snmptranslate.1 #usr/share/man/man1/snmptrap.1 #usr/share/man/man1/snmpusm.1 @@ -427,8 +451,8 @@ usr/sbin/snmptrapd #usr/share/man/man5/variables.5 #usr/share/man/man8/snmpd.8 #usr/share/man/man8/snmptrapd.8 -usr/share/snmp -usr/share/snmp/mib2c-data +#usr/share/snmp +#usr/share/snmp/mib2c-data usr/share/snmp/mib2c-data/default-mfd-top.m2c usr/share/snmp/mib2c-data/details-enums.m2i usr/share/snmp/mib2c-data/details-node.m2i @@ -513,11 +537,12 @@ usr/share/snmp/mib2c.iterate_access.conf usr/share/snmp/mib2c.mfd.conf usr/share/snmp/mib2c.notify.conf usr/share/snmp/mib2c.old-api.conf +usr/share/snmp/mib2c.org-mode.conf usr/share/snmp/mib2c.perl.conf usr/share/snmp/mib2c.raw-table.conf usr/share/snmp/mib2c.scalar.conf usr/share/snmp/mib2c.table_data.conf -usr/share/snmp/mibs +#usr/share/snmp/mibs usr/share/snmp/mibs/AGENTX-MIB.txt usr/share/snmp/mibs/BRIDGE-MIB.txt usr/share/snmp/mibs/DISMAN-EVENT-MIB.txt @@ -570,6 +595,7 @@ usr/share/snmp/mibs/SNMP-TSM-MIB.txt usr/share/snmp/mibs/SNMP-USER-BASED-SM-MIB.txt usr/share/snmp/mibs/SNMP-USM-AES-MIB.txt usr/share/snmp/mibs/SNMP-USM-DH-OBJECTS-MIB.txt +usr/share/snmp/mibs/SNMP-USM-HMAC-SHA2-MIB.txt usr/share/snmp/mibs/SNMP-VIEW-BASED-ACM-MIB.txt usr/share/snmp/mibs/SNMPv2-CONF.txt usr/share/snmp/mibs/SNMPv2-MIB.txt @@ -587,14 +613,14 @@ usr/share/snmp/mibs/UCD-SNMP-MIB.txt usr/share/snmp/mibs/UDP-MIB.txt usr/share/snmp/snmp_perl.pl usr/share/snmp/snmp_perl_trapd.pl -usr/share/snmp/snmpconf-data -usr/share/snmp/snmpconf-data/snmp-data +#usr/share/snmp/snmpconf-data +#usr/share/snmp/snmpconf-data/snmp-data usr/share/snmp/snmpconf-data/snmp-data/authopts usr/share/snmp/snmpconf-data/snmp-data/debugging usr/share/snmp/snmpconf-data/snmp-data/mibs usr/share/snmp/snmpconf-data/snmp-data/output usr/share/snmp/snmpconf-data/snmp-data/snmpconf-config -usr/share/snmp/snmpconf-data/snmpd-data +#usr/share/snmp/snmpconf-data/snmpd-data usr/share/snmp/snmpconf-data/snmpd-data/acl usr/share/snmp/snmpconf-data/snmpd-data/basic_setup usr/share/snmp/snmpconf-data/snmpd-data/extending @@ -603,12 +629,11 @@ usr/share/snmp/snmpconf-data/snmpd-data/operation usr/share/snmp/snmpconf-data/snmpd-data/snmpconf-config usr/share/snmp/snmpconf-data/snmpd-data/system usr/share/snmp/snmpconf-data/snmpd-data/trapsinks -usr/share/snmp/snmpconf-data/snmptrapd-data +#usr/share/snmp/snmpconf-data/snmptrapd-data usr/share/snmp/snmpconf-data/snmptrapd-data/authentication usr/share/snmp/snmpconf-data/snmptrapd-data/formatting usr/share/snmp/snmpconf-data/snmptrapd-data/logging usr/share/snmp/snmpconf-data/snmptrapd-data/runtime usr/share/snmp/snmpconf-data/snmptrapd-data/snmpconf-config usr/share/snmp/snmpconf-data/snmptrapd-data/traphandle -var/ipfire/backup/addons/includes/netsnmpd -etc/rc.d/init.d/netsnmpd +var/ipfire/backup/addons/includes/netsnmpd \ No newline at end of file diff --git a/config/rootfiles/packages/postfix b/config/rootfiles/packages/postfix index 138c1dd7f..23e1efb25 100644 --- a/config/rootfiles/packages/postfix +++ b/config/rootfiles/packages/postfix @@ -39,6 +39,7 @@ usr/lib/postfix/post-install usr/lib/postfix/postfix-script usr/lib/postfix/postfix-tls-script usr/lib/postfix/postfix-wrapper +usr/lib/postfix/postlogd usr/lib/postfix/postmulti-script usr/lib/postfix/postscreen usr/lib/postfix/proxymap @@ -122,6 +123,7 @@ usr/sbin/sendmail.postfix #usr/share/man/man8/oqmgr.8 #usr/share/man/man8/pickup.8 #usr/share/man/man8/pipe.8 +#usr/share/man/man8/postlogd.8 #usr/share/man/man8/postscreen.8 #usr/share/man/man8/proxymap.8 #usr/share/man/man8/qmgr.8 diff --git a/config/rootfiles/packages/spectre-meltdown-checker b/config/rootfiles/packages/spectre-meltdown-checker new file mode 100644 index 000000000..7f4fbfab9 --- /dev/null +++ b/config/rootfiles/packages/spectre-meltdown-checker @@ -0,0 +1 @@ +usr/sbin/spectre-meltdown-checker diff --git a/config/rootfiles/packages/zabbix_agentd b/config/rootfiles/packages/zabbix_agentd new file mode 100644 index 000000000..db852381e --- /dev/null +++ b/config/rootfiles/packages/zabbix_agentd @@ -0,0 +1,17 @@ +etc/logrotate.d/zabbix_agentd +etc/rc.d/init.d/zabbix_agentd +etc/sudoers.d/zabbix.user +etc/zabbix_agentd +etc/zabbix_agentd/scripts +etc/zabbix_agentd/zabbix_agentd.conf +etc/zabbix_agentd/zabbix_agentd.d +usr/bin/zabbix_get +usr/bin/zabbix_sender +usr/lib/modules +usr/lib/zabbix +usr/sbin/zabbix_agentd +#usr/share/man/man1/zabbix_get.1 +#usr/share/man/man1/zabbix_sender.1 +#usr/share/man/man8/zabbix_agentd.8 +var/ipfire/backup/addons/includes/zabbix_agentd +#var/log/zabbix diff --git a/config/strongswan/charon.conf b/config/strongswan/charon.conf index a5ff0bee5..05dab0b9a 100644 --- a/config/strongswan/charon.conf +++ b/config/strongswan/charon.conf @@ -86,7 +86,7 @@ charon {
# Install routes into a separate routing table for established IPsec # tunnels. - # install_routes = yes + install_routes = no
# Install virtual IP addresses. # install_virtual_ip = yes diff --git a/config/u-boot/boot.cmd b/config/u-boot/boot.cmd index 2ba403824..5cb4b8971 100644 --- a/config/u-boot/boot.cmd +++ b/config/u-boot/boot.cmd @@ -91,5 +91,8 @@ fi ; bootz ${kernel_addr_r} ${ramdisk_addr} ${fdt_addr_r}; booti ${kernel_addr_r} ${ramdisk_addr} ${fdt_addr_r};
+bootz ${kernel_addr_r} - ${fdt_addr_r}; +booti ${kernel_addr_r} - ${fdt_addr_r}; + # Recompile with: # mkimage -C none -A arm -T script -d /boot/boot.cmd /boot/boot.scr diff --git a/config/u-boot/boot.scr b/config/u-boot/boot.scr index 2c81cef76..5143b051b 100644 Binary files a/config/u-boot/boot.scr and b/config/u-boot/boot.scr differ diff --git a/config/zabbix_agentd/logrotate b/config/zabbix_agentd/logrotate new file mode 100644 index 000000000..83bbca9fb --- /dev/null +++ b/config/zabbix_agentd/logrotate @@ -0,0 +1,9 @@ +/var/log/zabbix/zabbix_agentd.log { + monthly + rotate 12 + compress + delaycompress + missingok + notifempty + create 0640 zabbix zabbix +} diff --git a/config/zabbix_agentd/sudoers b/config/zabbix_agentd/sudoers new file mode 100644 index 000000000..f4e4321cc --- /dev/null +++ b/config/zabbix_agentd/sudoers @@ -0,0 +1,17 @@ +# Include file for sudoers file +# +# This is needed for some userparameters to be able to execute commands that only run as root (using sudo) +# e.g. /usr/bin/openssl or /usr/sbin/smartctl +# +# USE AT YOU'RE OWN RISK. USING THIS WRONG CAN RESULT IN A SECURITY BREACH! +# +# Some hints: +# - It is strongly recommended to edit this file only using the visudo -f <filename> command. If you mess up this file, +# you might end up locking yourself out of your system! +# - Append the full path to each command, using "," as separator. +# - Only add commands you really need. Zabbix should not have more rights than it has to. +# +# Uncomment the following two lines and edit the example of commands to fit your needs: +# +#Defaults:zabbix !requiretty +#zabbix ALL=(ALL) NOPASSWD: <path to command1>, <path to command2> diff --git a/config/zabbix_agentd/zabbix_agentd.conf b/config/zabbix_agentd/zabbix_agentd.conf new file mode 100644 index 000000000..07f71c184 --- /dev/null +++ b/config/zabbix_agentd/zabbix_agentd.conf @@ -0,0 +1,395 @@ +# This is a configuration file for Zabbix agent daemon (Unix) +# To get more information about Zabbix, visit http://www.zabbix.com + +############ GENERAL PARAMETERS ################# + +### Option: PidFile +# Name of PID file. +# +# Mandatory: no +# Default: +# PidFile=/tmp/zabbix_agentd.pid + +PidFile=/var/run/zabbix/zabbix_agentd.pid + +### Option: LogType +# Specifies where log messages are written to: +# system - syslog +# file - file specified with LogFile parameter +# console - standard output +# +# Mandatory: no +# Default: +# LogType=file + +### Option: LogFile +# Log file name for LogType 'file' parameter. +# +# Mandatory: yes, if LogType is set to file, otherwise no +# Default: +# LogFile= + +LogFile=/var/log/zabbix/zabbix_agentd.log + +### Option: LogFileSize +# Maximum size of log file in MB. +# 0 - disable automatic log rotation. +# +# Mandatory: no +# Range: 0-1024 +# Default: +# LogFileSize=1 + +LogFileSize=0 + +### Option: DebugLevel +# Specifies debug level: +# 0 - basic information about starting and stopping of Zabbix processes +# 1 - critical information +# 2 - error information +# 3 - warnings +# 4 - for debugging (produces lots of information) +# 5 - extended debugging (produces even more information) +# +# Mandatory: no +# Range: 0-5 +# Default: +# DebugLevel=3 + +### Option: SourceIP +# Source IP address for outgoing connections. +# +# Mandatory: no +# Default: +# SourceIP= + +### Option: EnableRemoteCommands +# Whether remote commands from Zabbix server are allowed. +# 0 - not allowed +# 1 - allowed +# +# Mandatory: no +# Default: +# EnableRemoteCommands=0 + +### Option: LogRemoteCommands +# Enable logging of executed shell commands as warnings. +# 0 - disabled +# 1 - enabled +# +# Mandatory: no +# Default: +# LogRemoteCommands=0 + +##### Passive checks related + +### Option: Server +# List of comma delimited IP addresses, optionally in CIDR notation, or DNS names of Zabbix servers and Zabbix proxies. +# Incoming connections will be accepted only from the hosts listed here. +# If IPv6 support is enabled then '127.0.0.1', '::127.0.0.1', '::ffff:127.0.0.1' are treated equally +# and '::/0' will allow any IPv4 or IPv6 address. +# '0.0.0.0/0' can be used to allow any IPv4 address. +# Example: Server=127.0.0.1,192.168.1.0/24,::1,2001:db8::/32,zabbix.example.com +# +# Mandatory: yes, if StartAgents is not explicitly set to 0 +# Default: +# Server= + +Server=127.0.0.1 + +### Option: ListenPort +# Agent will listen on this port for connections from the server. +# +# Mandatory: no +# Range: 1024-32767 +# Default: +# ListenPort=10050 + +### Option: ListenIP +# List of comma delimited IP addresses that the agent should listen on. +# First IP address is sent to Zabbix server if connecting to it to retrieve list of active checks. +# +# Mandatory: no +# Default: +# ListenIP=0.0.0.0 + +### Option: StartAgents +# Number of pre-forked instances of zabbix_agentd that process passive checks. +# If set to 0, disables passive checks and the agent will not listen on any TCP port. +# +# Mandatory: no +# Range: 0-100 +# Default: +# StartAgents=3 + +##### Active checks related + +### Option: ServerActive +# List of comma delimited IP:port (or DNS name:port) pairs of Zabbix servers and Zabbix proxies for active checks. +# If port is not specified, default port is used. +# IPv6 addresses must be enclosed in square brackets if port for that host is specified. +# If port is not specified, square brackets for IPv6 addresses are optional. +# If this parameter is not specified, active checks are disabled. +# Example: ServerActive=127.0.0.1:20051,zabbix.domain,[::1]:30051,::1,[12fc::1] +# +# Mandatory: no +# Default: +# ServerActive= + +ServerActive=127.0.0.1 + +### Option: Hostname +# Unique, case sensitive hostname. +# Required for active checks and must match hostname as configured on the server. +# Value is acquired from HostnameItem if undefined. +# +# Mandatory: no +# Default: +# Hostname= + +### Option: HostnameItem +# Item used for generating Hostname if it is undefined. Ignored if Hostname is defined. +# Does not support UserParameters or aliases. +# +# Mandatory: no +# Default: +# HostnameItem=system.hostname + +### Option: HostMetadata +# Optional parameter that defines host metadata. +# Host metadata is used at host auto-registration process. +# An agent will issue an error and not start if the value is over limit of 255 characters. +# If not defined, value will be acquired from HostMetadataItem. +# +# Mandatory: no +# Range: 0-255 characters +# Default: +# HostMetadata= + +### Option: HostMetadataItem +# Optional parameter that defines an item used for getting host metadata. +# Host metadata is used at host auto-registration process. +# During an auto-registration request an agent will log a warning message if +# the value returned by specified item is over limit of 255 characters. +# This option is only used when HostMetadata is not defined. +# +# Mandatory: no +# Default: +# HostMetadataItem= + +### Option: RefreshActiveChecks +# How often list of active checks is refreshed, in seconds. +# +# Mandatory: no +# Range: 60-3600 +# Default: +# RefreshActiveChecks=120 + +### Option: BufferSend +# Do not keep data longer than N seconds in buffer. +# +# Mandatory: no +# Range: 1-3600 +# Default: +# BufferSend=5 + +### Option: BufferSize +# Maximum number of values in a memory buffer. The agent will send +# all collected data to Zabbix Server or Proxy if the buffer is full. +# +# Mandatory: no +# Range: 2-65535 +# Default: +# BufferSize=100 + +### Option: MaxLinesPerSecond +# Maximum number of new lines the agent will send per second to Zabbix Server +# or Proxy processing 'log' and 'logrt' active checks. +# The provided value will be overridden by the parameter 'maxlines', +# provided in 'log' or 'logrt' item keys. +# +# Mandatory: no +# Range: 1-1000 +# Default: +# MaxLinesPerSecond=20 + +############ ADVANCED PARAMETERS ################# + +### Option: Alias +# Sets an alias for an item key. It can be used to substitute long and complex item key with a smaller and simpler one. +# Multiple Alias parameters may be present. Multiple parameters with the same Alias key are not allowed. +# Different Alias keys may reference the same item key. +# For example, to retrieve the ID of user 'zabbix': +# Alias=zabbix.userid:vfs.file.regexp[/etc/passwd,^zabbix:.:([0-9]+),,,,\1] +# Now shorthand key zabbix.userid may be used to retrieve data. +# Aliases can be used in HostMetadataItem but not in HostnameItem parameters. +# +# Mandatory: no +# Range: +# Default: + +### Option: Timeout +# Spend no more than Timeout seconds on processing +# +# Mandatory: no +# Range: 1-30 +# Default: +# Timeout=3 + +### Option: AllowRoot +# Allow the agent to run as 'root'. If disabled and the agent is started by 'root', the agent +# will try to switch to the user specified by the User configuration option instead. +# Has no effect if started under a regular user. +# 0 - do not allow +# 1 - allow +# +# Mandatory: no +# Default: +# AllowRoot=0 + +### Option: User +# Drop privileges to a specific, existing user on the system. +# Only has effect if run as 'root' and AllowRoot is disabled. +# +# Mandatory: no +# Default: +# User=zabbix + +### Option: Include +# You may include individual files or all files in a directory in the configuration file. +# Installing Zabbix will create include directory in /usr/local/etc, unless modified during the compile time. +# +# Mandatory: no +# Default: +# Include= + +Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf + + +####### USER-DEFINED MONITORED PARAMETERS ####### + +### Option: UnsafeUserParameters +# Allow all characters to be passed in arguments to user-defined parameters. +# The following characters are not allowed: +# \ ' " ` * ? [ ] { } ~ $ ! & ; ( ) < > | # @ +# Additionally, newline characters are not allowed. +# 0 - do not allow +# 1 - allow +# +# Mandatory: no +# Range: 0-1 +# Default: +# UnsafeUserParameters=0 + +### Option: UserParameter +# User-defined parameter to monitor. There can be several user-defined parameters. +# Format: UserParameter=<key>,<shell command> +# See 'zabbix_agentd' directory for examples. +# +# Mandatory: no +# Default: +# UserParameter= + +####### LOADABLE MODULES ####### + +### Option: LoadModulePath +# Full path to location of agent modules. +# Default depends on compilation options. +# To see the default path run command "zabbix_agentd --help". +# +# Mandatory: no +# Default: +# LoadModulePath=/usr/lib/modules + +LoadModulePath=/usr/lib/zabbix + +### Option: LoadModule +# Module to load at agent startup. Modules are used to extend functionality of the agent. +# Format: LoadModule=<module.so> +# The modules must be located in directory specified by LoadModulePath. +# It is allowed to include multiple LoadModule parameters. +# +# Mandatory: no +# Default: +# LoadModule= + +####### TLS-RELATED PARAMETERS ####### + +### Option: TLSConnect +# How the agent should connect to server or proxy. Used for active checks. +# Only one value can be specified: +# unencrypted - connect without encryption +# psk - connect using TLS and a pre-shared key +# cert - connect using TLS and a certificate +# +# Mandatory: yes, if TLS certificate or PSK parameters are defined (even for 'unencrypted' connection) +# Default: +# TLSConnect=unencrypted + +### Option: TLSAccept +# What incoming connections to accept. +# Multiple values can be specified, separated by comma: +# unencrypted - accept connections without encryption +# psk - accept connections secured with TLS and a pre-shared key +# cert - accept connections secured with TLS and a certificate +# +# Mandatory: yes, if TLS certificate or PSK parameters are defined (even for 'unencrypted' connection) +# Default: +# TLSAccept=unencrypted + +### Option: TLSCAFile +# Full pathname of a file containing the top-level CA(s) certificates for +# peer certificate verification. +# +# Mandatory: no +# Default: +# TLSCAFile= + +### Option: TLSCRLFile +# Full pathname of a file containing revoked certificates. +# +# Mandatory: no +# Default: +# TLSCRLFile= + +### Option: TLSServerCertIssuer +# Allowed server certificate issuer. +# +# Mandatory: no +# Default: +# TLSServerCertIssuer= + +### Option: TLSServerCertSubject +# Allowed server certificate subject. +# +# Mandatory: no +# Default: +# TLSServerCertSubject= + +### Option: TLSCertFile +# Full pathname of a file containing the agent certificate or certificate chain. +# +# Mandatory: no +# Default: +# TLSCertFile= + +### Option: TLSKeyFile +# Full pathname of a file containing the agent private key. +# +# Mandatory: no +# Default: +# TLSKeyFile= + +### Option: TLSPSKIdentity +# Unique, case sensitive string used to identify the pre-shared key. +# +# Mandatory: no +# Default: +# TLSPSKIdentity= + +### Option: TLSPSKFile +# Full pathname of a file containing the pre-shared key. +# +# Mandatory: no +# Default: +# TLSPSKFile= diff --git a/doc/language_issues.de b/doc/language_issues.de index c5dad0168..d9f92d062 100644 --- a/doc/language_issues.de +++ b/doc/language_issues.de @@ -417,7 +417,6 @@ WARNING: translation string unused: messages logging WARNING: translation string unused: min size WARNING: translation string unused: missing dat WARNING: translation string unused: missing gz -WARNING: translation string unused: mode WARNING: translation string unused: modem on com1 WARNING: translation string unused: modem on com2 WARNING: translation string unused: modem on com3 @@ -713,11 +712,14 @@ WARNING: translation string unused: use dov WARNING: translation string unused: use ibod WARNING: translation string unused: view log WARNING: translation string unused: vpn aggrmode +WARNING: translation string unused: vpn delayed start +WARNING: translation string unused: vpn delayed start help WARNING: translation string unused: vpn incompatible use of defaultroute WARNING: translation string unused: vpn mtu invalid WARNING: translation string unused: vpn on blue WARNING: translation string unused: vpn on green WARNING: translation string unused: vpn on orange +WARNING: translation string unused: vpn red name WARNING: translation string unused: vpn watch WARNING: translation string unused: warn when traffic reaches WARNING: translation string unused: web proxy configuration @@ -734,6 +736,7 @@ WARNING: untranslated string: addons = Addons WARNING: untranslated string: bytes = unknown string WARNING: untranslated string: community rules = Snort/VRT GPLv2 Community Rules WARNING: untranslated string: dead peer detection = Dead Peer Detection +WARNING: untranslated string: default IP address = Default IP Address WARNING: untranslated string: emerging rules = Emergingthreats.net Community Rules WARNING: untranslated string: fwhost cust geoipgrp = unknown string WARNING: untranslated string: fwhost err hostip = unknown string @@ -775,13 +778,11 @@ WARNING: untranslated string: guardian service = unknown string WARNING: untranslated string: guardian watch snort alertfile = unknown string WARNING: untranslated string: ike lifetime should be between 1 and 8 hours = unknown string WARNING: untranslated string: info messages = unknown string +WARNING: untranslated string: interface mode = Interface WARNING: untranslated string: no data = unknown string -WARNING: untranslated string: none = none -WARNING: untranslated string: qos add subclass = Add subclass WARNING: untranslated string: route config changed = unknown string WARNING: untranslated string: routing config added = unknown string WARNING: untranslated string: routing config changed = unknown string WARNING: untranslated string: routing table = unknown string WARNING: untranslated string: show tls-auth key = Show tls-auth key -WARNING: untranslated string: vpn force mobike = Force using MOBIKE (only IKEv2) WARNING: untranslated string: vpn statistics n2n = unknown string diff --git a/doc/language_issues.en b/doc/language_issues.en index 3e16e2180..5a3012207 100644 --- a/doc/language_issues.en +++ b/doc/language_issues.en @@ -529,6 +529,7 @@ WARNING: untranslated string: dead peer detection = Dead Peer Detection WARNING: untranslated string: december = December WARNING: untranslated string: def lease time = Default Lease Time WARNING: untranslated string: default = Default +WARNING: untranslated string: default IP address = Default IP Address WARNING: untranslated string: default lease time = Default lease time (mins): WARNING: untranslated string: default renewal time = Default Renewal Time WARNING: untranslated string: delete = Delete @@ -605,6 +606,8 @@ WARNING: untranslated string: dns desc = If the red0 interface gets the IP addre WARNING: untranslated string: dns error 0 = The IP address of the <strong>primary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>secondary</strong> DNS server address is valid. WARNING: untranslated string: dns error 01 = The entered IP address of the <strong>primary</strong> and <strong>secondary</strong> DNS server are not valid, please check your entries! WARNING: untranslated string: dns error 1 = The IP address of the <strong>secondary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>primary</strong> DNS server address is valid. +WARNING: untranslated string: dns forward disable dnssec = Disable DNSSEC (dangerous) +WARNING: untranslated string: dns forwarding dnssec disabled notice = (DNSSEC disabled) WARNING: untranslated string: dns header = Assign DNS server addresses only for DHCP on red0 WARNING: untranslated string: dns list = List of free public DNS servers WARNING: untranslated string: dns menu = Assign DNS-Server @@ -1051,6 +1054,7 @@ WARNING: untranslated string: install = Install WARNING: untranslated string: instant update = Instant Update WARNING: untranslated string: integrity = Integrity: WARNING: untranslated string: interface = Interface +WARNING: untranslated string: interface mode = Interface WARNING: untranslated string: interfaces = Interfaces WARNING: untranslated string: internet = INTERNET WARNING: untranslated string: intrusion detection = Intrusion Detection @@ -1079,10 +1083,15 @@ WARNING: untranslated string: invalid input for esp keylife = Invalid input for WARNING: untranslated string: invalid input for hostname = Invalid input for hostname. WARNING: untranslated string: invalid input for ike lifetime = Invalid input for IKE lifetime WARNING: untranslated string: invalid input for inactivity timeout = Invalid input for Inactivity Timeout +WARNING: untranslated string: invalid input for interface address = Invalid input for interface address +WARNING: untranslated string: invalid input for interface mode = Invalid input for interface mode +WARNING: untranslated string: invalid input for interface mtu = Invalid input to interface MTU WARNING: untranslated string: invalid input for keepalive 1 = Invalid input for Keepalive ping WARNING: untranslated string: invalid input for keepalive 1:2 = Invalid input for Keepalive use at least a ratio of 1:2 WARNING: untranslated string: invalid input for keepalive 2 = Invalid input for Keepalive ping-restart +WARNING: untranslated string: invalid input for local ip address = Invalid input for local IP address WARNING: untranslated string: invalid input for max clients = Invalid input for Max Clients +WARNING: untranslated string: invalid input for mode = Invalid input for mode WARNING: untranslated string: invalid input for name = Invalid input for user's full name or system hostname WARNING: untranslated string: invalid input for oink code = Invalid input for Oink code WARNING: untranslated string: invalid input for organization = Invalid input for organization @@ -1126,7 +1135,14 @@ WARNING: untranslated string: ipfire side is invalid = IPFire side is invalid. WARNING: untranslated string: ipfires hostname = IPFire's Hostname WARNING: untranslated string: ipinfo = IP info WARNING: untranslated string: ipsec = IPsec +WARNING: untranslated string: ipsec connection = IPsec Connection +WARNING: untranslated string: ipsec interface mode gre = GRE +WARNING: untranslated string: ipsec interface mode none = - None (Default) - +WARNING: untranslated string: ipsec interface mode vti = VTI +WARNING: untranslated string: ipsec mode transport = Transport +WARNING: untranslated string: ipsec mode tunnel = Tunnel WARNING: untranslated string: ipsec network = IPsec network +WARNING: untranslated string: ipsec settings = IPsec Settings WARNING: untranslated string: iptmangles = IPTable Mangles WARNING: untranslated string: iptnats = IPTable Network Address Translation WARNING: untranslated string: ipts = iptables @@ -1145,6 +1161,7 @@ WARNING: untranslated string: legend = Legend WARNING: untranslated string: lifetime = Lifetime: WARNING: untranslated string: linkq = Link Quality WARNING: untranslated string: load printer = Load Printer +WARNING: untranslated string: local ip address = Local IP Address WARNING: untranslated string: local master = Local Master WARNING: untranslated string: local ntp server specified but not enabled = Local NTP server specified but not enabled WARNING: untranslated string: local subnet = Local subnet: @@ -1230,6 +1247,7 @@ WARNING: untranslated string: minimum = Minimum WARNING: untranslated string: minute = Minute WARNING: untranslated string: minutes = Minutes WARNING: untranslated string: misc-options = Miscellaneous options +WARNING: untranslated string: mode = Mode WARNING: untranslated string: model = Model WARNING: untranslated string: modem = Modem WARNING: untranslated string: modem configuration = Modem configuration @@ -1262,6 +1280,7 @@ WARNING: untranslated string: mpfire scanning = Scan for new files WARNING: untranslated string: mpfire search = MPFire Search WARNING: untranslated string: mpfire songs = MPFire songlist WARNING: untranslated string: mpfire webradio = MPFire Webradio +WARNING: untranslated string: mtu = MTU WARNING: untranslated string: my new share = My new share WARNING: untranslated string: name = Name WARNING: untranslated string: name is invalid = Name is invalid @@ -1630,6 +1649,7 @@ WARNING: untranslated string: stop = Stop WARNING: untranslated string: stop ovpn server = Stop OpenVPN Server WARNING: untranslated string: stopped = STOPPED WARNING: untranslated string: subject = Subject +WARNING: untranslated string: subnet mask = Subnet Mask WARNING: untranslated string: subscripted user rules = Sourcefire VRT rules with subscription WARNING: untranslated string: summaries kept = Keep summaries for WARNING: untranslated string: sunday = Sunday @@ -1711,6 +1731,7 @@ WARNING: untranslated string: tor use exit nodes = Use only these exit nodes (on WARNING: untranslated string: total hits for log section = Total hits for log section WARNING: untranslated string: traffic on = Traffic on WARNING: untranslated string: traffics = Utilization-overview +WARNING: untranslated string: transport mode does not support vti = VTI is not support in transport mode WARNING: untranslated string: tuesday = Tuesday WARNING: untranslated string: twelve hours = 12 Hours WARNING: untranslated string: two weeks = Two Weeks @@ -2033,8 +2054,6 @@ WARNING: untranslated string: vpn altname syntax = SubjectAltName is a comma sep WARNING: untranslated string: vpn auth-dn = Peer is identified by either IPV4_ADDR, FQDN, USER_FQDN or DER_ASN1_DN string in remote ID field WARNING: untranslated string: vpn broken = Broken WARNING: untranslated string: vpn connecting = CONNECTING -WARNING: untranslated string: vpn delayed start = Delay before launching VPN (seconds) -WARNING: untranslated string: vpn delayed start help = If required, this delay can be used to allow dynamic DNS updates to propagate properly. 60 is a common value when RED is a dynamic IP. WARNING: untranslated string: vpn force mobike = Force using MOBIKE (only IKEv2) WARNING: untranslated string: vpn inactivity timeout = Inactivity Timeout WARNING: untranslated string: vpn keyexchange = Keyexchange @@ -2043,14 +2062,13 @@ WARNING: untranslated string: vpn missing remote id = You must specify a correct WARNING: untranslated string: vpn no full pki = missing private key to generate cert WARNING: untranslated string: vpn on-demand = ON-DEMAND WARNING: untranslated string: vpn payload compression = Negotiate payload compression -WARNING: untranslated string: vpn red name = Public IP or FQDN for RED interface or <%defaultroute> WARNING: untranslated string: vpn remote id = Remote ID WARNING: untranslated string: vpn start action = Start Action WARNING: untranslated string: vpn start action add = Wait for connection initiation WARNING: untranslated string: vpn start action route = On Demand WARNING: untranslated string: vpn start action start = Always On -WARNING: untranslated string: vpn statistic n2n = OpenVPN Net-to-Net Statistics -WARNING: untranslated string: vpn statistic rw = OpenVPN Roadwarrior Statistics +WARNING: untranslated string: vpn statistic n2n = VPN: Net-to-Net Statistics +WARNING: untranslated string: vpn statistic rw = VPN: Roadwarrior Statistics WARNING: untranslated string: vpn statistics n2n = unknown string WARNING: untranslated string: vpn subjectaltname = Subject Alt Name WARNING: untranslated string: vpn wait = WAITING diff --git a/doc/language_issues.es b/doc/language_issues.es index 236248d55..d8b49f918 100644 --- a/doc/language_issues.es +++ b/doc/language_issues.es @@ -365,7 +365,6 @@ WARNING: translation string unused: messages logging WARNING: translation string unused: min size WARNING: translation string unused: missing dat WARNING: translation string unused: missing gz -WARNING: translation string unused: mode WARNING: translation string unused: modem on com1 WARNING: translation string unused: modem on com2 WARNING: translation string unused: modem on com3 @@ -634,11 +633,14 @@ WARNING: translation string unused: use ibod WARNING: translation string unused: view log WARNING: translation string unused: vpn aggrmode WARNING: translation string unused: vpn configuration main +WARNING: translation string unused: vpn delayed start +WARNING: translation string unused: vpn delayed start help WARNING: translation string unused: vpn incompatible use of defaultroute WARNING: translation string unused: vpn mtu invalid WARNING: translation string unused: vpn on blue WARNING: translation string unused: vpn on green WARNING: translation string unused: vpn on orange +WARNING: translation string unused: vpn red name WARNING: translation string unused: vpn watch WARNING: translation string unused: warn when traffic reaches WARNING: translation string unused: web proxy configuration @@ -761,6 +763,7 @@ WARNING: untranslated string: crypto error = Cryptographic error WARNING: untranslated string: crypto warning = Cryptographic warning WARNING: untranslated string: dead peer detection = Dead Peer Detection WARNING: untranslated string: default = Default +WARNING: untranslated string: default IP address = Default IP Address WARNING: untranslated string: deprecated fs warn = Deprecated filesystem! Newer kernel drop the support. Backup and reformat! WARNING: untranslated string: details = Details WARNING: untranslated string: dh = Diffie-Hellman parameters @@ -775,6 +778,8 @@ WARNING: untranslated string: dhcp dns update algo = Algorithm: WARNING: untranslated string: dhcp dns update secret = Secret: WARNING: untranslated string: dl client arch insecure = Download insecure Client Package (zip) WARNING: untranslated string: dnat address = Firewall Interface +WARNING: untranslated string: dns forward disable dnssec = Disable DNSSEC (dangerous) +WARNING: untranslated string: dns forwarding dnssec disabled notice = (DNSSEC disabled) WARNING: untranslated string: dns servers = DNS Servers WARNING: untranslated string: dnsforward = DNS Forwarding WARNING: untranslated string: dnsforward add a new entry = Add a new entry @@ -1050,17 +1055,31 @@ WARNING: untranslated string: incoming firewall access = Incoming Firewall Acces WARNING: untranslated string: incoming overhead in bytes per second = Incoming Overhead WARNING: untranslated string: info messages = unknown string WARNING: untranslated string: integrity = Integrity: +WARNING: untranslated string: interface mode = Interface WARNING: untranslated string: invalid input for dpd delay = Invalid input for DPD delay WARNING: untranslated string: invalid input for dpd timeout = Invalid input for DPD timeout WARNING: untranslated string: invalid input for inactivity timeout = Invalid input for Inactivity Timeout +WARNING: untranslated string: invalid input for interface address = Invalid input for interface address +WARNING: untranslated string: invalid input for interface mode = Invalid input for interface mode +WARNING: untranslated string: invalid input for interface mtu = Invalid input to interface MTU +WARNING: untranslated string: invalid input for local ip address = Invalid input for local IP address +WARNING: untranslated string: invalid input for mode = Invalid input for mode WARNING: untranslated string: invalid input for valid till days = Invalid input for Valid till (days). WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hostname WARNING: untranslated string: invalid logserver protocol = Invalid syslogd server protocol WARNING: untranslated string: ipsec = IPsec +WARNING: untranslated string: ipsec connection = IPsec Connection +WARNING: untranslated string: ipsec interface mode gre = GRE +WARNING: untranslated string: ipsec interface mode none = - None (Default) - +WARNING: untranslated string: ipsec interface mode vti = VTI +WARNING: untranslated string: ipsec mode transport = Transport +WARNING: untranslated string: ipsec mode tunnel = Tunnel WARNING: untranslated string: ipsec network = IPsec network +WARNING: untranslated string: ipsec settings = IPsec Settings WARNING: untranslated string: last = Last WARNING: untranslated string: least preferred = least preferred WARNING: untranslated string: lifetime = Lifetime: +WARNING: untranslated string: local ip address = Local IP Address WARNING: untranslated string: log server protocol = protocol: WARNING: untranslated string: mac filter = MAC filter WARNING: untranslated string: masquerade blue = Masquerade BLUE @@ -1088,6 +1107,7 @@ WARNING: untranslated string: modem sim information = SIM Information WARNING: untranslated string: modem status = Modem Status WARNING: untranslated string: monitor interface = Monitor Interface WARNING: untranslated string: most preferred = most preferred +WARNING: untranslated string: mtu = MTU WARNING: untranslated string: nameserver = Nameserver WARNING: untranslated string: no data = unknown string WARNING: untranslated string: none = none @@ -1166,6 +1186,7 @@ WARNING: untranslated string: ssh login time = Logged in since WARNING: untranslated string: ssh no active logins = No active logins WARNING: untranslated string: ssh username = Username WARNING: untranslated string: static routes = Static Routes +WARNING: untranslated string: subnet mask = Subnet Mask WARNING: untranslated string: support donation = Support the IPFire project with your donation WARNING: untranslated string: system has rdrand = This system has support for Intel(R) RDRAND. WARNING: untranslated string: system information = System Information @@ -1221,6 +1242,7 @@ WARNING: untranslated string: tor traffic limit hard = Traffic limit has been re WARNING: untranslated string: tor traffic limit soft = Traffic limit almost reached. Not accepting any new connections. WARNING: untranslated string: tor traffic read written = Total traffic (read/written) WARNING: untranslated string: tor use exit nodes = Use only these exit nodes (one per line) +WARNING: untranslated string: transport mode does not support vti = VTI is not support in transport mode WARNING: untranslated string: twelve hours = 12 Hours WARNING: untranslated string: two weeks = Two Weeks WARNING: untranslated string: udp less overhead = UDP (less overhead) @@ -1245,8 +1267,8 @@ WARNING: untranslated string: vpn start action = Start Action WARNING: untranslated string: vpn start action add = Wait for connection initiation WARNING: untranslated string: vpn start action route = On Demand WARNING: untranslated string: vpn start action start = Always On -WARNING: untranslated string: vpn statistic n2n = OpenVPN Net-to-Net Statistics -WARNING: untranslated string: vpn statistic rw = OpenVPN Roadwarrior Statistics +WARNING: untranslated string: vpn statistic n2n = VPN: Net-to-Net Statistics +WARNING: untranslated string: vpn statistic rw = VPN: Roadwarrior Statistics WARNING: untranslated string: vpn statistics n2n = unknown string WARNING: untranslated string: vpn wait = WAITING WARNING: untranslated string: vpn weak = Weak diff --git a/doc/language_issues.fr b/doc/language_issues.fr index e2f20eb5c..37b43569c 100644 --- a/doc/language_issues.fr +++ b/doc/language_issues.fr @@ -224,7 +224,6 @@ WARNING: translation string unused: dmz pinhole rule added WARNING: translation string unused: dmz pinhole rule removed WARNING: translation string unused: dmzpinholes for same net not necessary WARNING: translation string unused: dns server -WARNING: translation string unused: dnsforward forward_server WARNING: translation string unused: do not log this port list WARNING: translation string unused: domain not set WARNING: translation string unused: donation-link @@ -445,7 +444,6 @@ WARNING: translation string unused: messages logging WARNING: translation string unused: min size WARNING: translation string unused: missing dat WARNING: translation string unused: missing gz -WARNING: translation string unused: mode WARNING: translation string unused: modem on com1 WARNING: translation string unused: modem on com2 WARNING: translation string unused: modem on com3 @@ -751,11 +749,14 @@ WARNING: translation string unused: use ibod WARNING: translation string unused: view log WARNING: translation string unused: vpn aggrmode WARNING: translation string unused: vpn configuration main +WARNING: translation string unused: vpn delayed start +WARNING: translation string unused: vpn delayed start help WARNING: translation string unused: vpn incompatible use of defaultroute WARNING: translation string unused: vpn mtu invalid WARNING: translation string unused: vpn on blue WARNING: translation string unused: vpn on green WARNING: translation string unused: vpn on orange +WARNING: translation string unused: vpn red name WARNING: translation string unused: vpn watch WARNING: translation string unused: warn when traffic reaches WARNING: translation string unused: web proxy configuration @@ -770,7 +771,9 @@ WARNING: translation string unused: yearly firewallhits WARNING: untranslated string: Captive clients = unknown string WARNING: untranslated string: Scan for Songs = unknown string WARNING: untranslated string: bytes = unknown string -WARNING: untranslated string: dnsforward forward_servers = Nameservers +WARNING: untranslated string: default IP address = Default IP Address +WARNING: untranslated string: dns forward disable dnssec = Disable DNSSEC (dangerous) +WARNING: untranslated string: dns forwarding dnssec disabled notice = (DNSSEC disabled) WARNING: untranslated string: fwhost cust geoipgrp = unknown string WARNING: untranslated string: fwhost err hostip = unknown string WARNING: untranslated string: guardian block a host = unknown string @@ -810,11 +813,27 @@ WARNING: untranslated string: guardian service = unknown string WARNING: untranslated string: guardian watch snort alertfile = unknown string WARNING: untranslated string: ike lifetime should be between 1 and 8 hours = unknown string WARNING: untranslated string: info messages = unknown string -WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hostname +WARNING: untranslated string: interface mode = Interface +WARNING: untranslated string: invalid input for interface address = Invalid input for interface address +WARNING: untranslated string: invalid input for interface mode = Invalid input for interface mode +WARNING: untranslated string: invalid input for interface mtu = Invalid input to interface MTU +WARNING: untranslated string: invalid input for local ip address = Invalid input for local IP address +WARNING: untranslated string: invalid input for mode = Invalid input for mode +WARNING: untranslated string: ipsec connection = IPsec Connection +WARNING: untranslated string: ipsec interface mode gre = GRE +WARNING: untranslated string: ipsec interface mode none = - None (Default) - +WARNING: untranslated string: ipsec interface mode vti = VTI +WARNING: untranslated string: ipsec mode transport = Transport +WARNING: untranslated string: ipsec mode tunnel = Tunnel +WARNING: untranslated string: ipsec settings = IPsec Settings +WARNING: untranslated string: local ip address = Local IP Address +WARNING: untranslated string: mtu = MTU WARNING: untranslated string: no data = unknown string WARNING: untranslated string: pakfire ago = ago. WARNING: untranslated string: route config changed = unknown string WARNING: untranslated string: routing config added = unknown string WARNING: untranslated string: routing config changed = unknown string WARNING: untranslated string: routing table = unknown string +WARNING: untranslated string: subnet mask = Subnet Mask +WARNING: untranslated string: transport mode does not support vti = VTI is not support in transport mode WARNING: untranslated string: vpn statistics n2n = unknown string diff --git a/doc/language_issues.it b/doc/language_issues.it index 5500eedc9..c2b0b2327 100644 --- a/doc/language_issues.it +++ b/doc/language_issues.it @@ -417,7 +417,6 @@ WARNING: translation string unused: messages logging WARNING: translation string unused: min size WARNING: translation string unused: missing dat WARNING: translation string unused: missing gz -WARNING: translation string unused: mode WARNING: translation string unused: modem on com1 WARNING: translation string unused: modem on com2 WARNING: translation string unused: modem on com3 @@ -723,11 +722,14 @@ WARNING: translation string unused: use ibod WARNING: translation string unused: view log WARNING: translation string unused: vpn aggrmode WARNING: translation string unused: vpn configuration main +WARNING: translation string unused: vpn delayed start +WARNING: translation string unused: vpn delayed start help WARNING: translation string unused: vpn incompatible use of defaultroute WARNING: translation string unused: vpn mtu invalid WARNING: translation string unused: vpn on blue WARNING: translation string unused: vpn on green WARNING: translation string unused: vpn on orange +WARNING: translation string unused: vpn red name WARNING: translation string unused: vpn watch WARNING: translation string unused: warn when traffic reaches WARNING: translation string unused: web proxy configuration @@ -789,12 +791,15 @@ WARNING: untranslated string: bytes = unknown string WARNING: untranslated string: check all = Check all WARNING: untranslated string: crypto error = Cryptographic error WARNING: untranslated string: crypto warning = Cryptographic warning +WARNING: untranslated string: default IP address = Default IP Address WARNING: untranslated string: dhcp dns enable update = Enable DNS Update (RFC2136): WARNING: untranslated string: dhcp dns key name = Key Name: WARNING: untranslated string: dhcp dns update = DNS Update WARNING: untranslated string: dhcp dns update algo = Algorithm: WARNING: untranslated string: dhcp dns update secret = Secret: WARNING: untranslated string: dl client arch insecure = Download insecure Client Package (zip) +WARNING: untranslated string: dns forward disable dnssec = Disable DNSSEC (dangerous) +WARNING: untranslated string: dns forwarding dnssec disabled notice = (DNSSEC disabled) WARNING: untranslated string: dnsforward forward_servers = Nameservers WARNING: untranslated string: dnssec disabled warning = WARNING: DNSSEC has been disabled WARNING: untranslated string: eight hours = 8 Hours @@ -884,10 +889,24 @@ WARNING: untranslated string: ike lifetime should be between 1 and 8 hours = unk WARNING: untranslated string: incoming compression in bytes per second = Incoming Compression WARNING: untranslated string: incoming overhead in bytes per second = Incoming Overhead WARNING: untranslated string: info messages = unknown string +WARNING: untranslated string: interface mode = Interface WARNING: untranslated string: invalid input for inactivity timeout = Invalid input for Inactivity Timeout +WARNING: untranslated string: invalid input for interface address = Invalid input for interface address +WARNING: untranslated string: invalid input for interface mode = Invalid input for interface mode +WARNING: untranslated string: invalid input for interface mtu = Invalid input to interface MTU +WARNING: untranslated string: invalid input for local ip address = Invalid input for local IP address +WARNING: untranslated string: invalid input for mode = Invalid input for mode WARNING: untranslated string: invalid input for valid till days = Invalid input for Valid till (days). WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hostname WARNING: untranslated string: invalid logserver protocol = Invalid syslogd server protocol +WARNING: untranslated string: ipsec connection = IPsec Connection +WARNING: untranslated string: ipsec interface mode gre = GRE +WARNING: untranslated string: ipsec interface mode none = - None (Default) - +WARNING: untranslated string: ipsec interface mode vti = VTI +WARNING: untranslated string: ipsec mode transport = Transport +WARNING: untranslated string: ipsec mode tunnel = Tunnel +WARNING: untranslated string: ipsec settings = IPsec Settings +WARNING: untranslated string: local ip address = Local IP Address WARNING: untranslated string: log server protocol = protocol: WARNING: untranslated string: masquerade blue = Masquerade BLUE WARNING: untranslated string: masquerade green = Masquerade GREEN @@ -896,6 +915,7 @@ WARNING: untranslated string: masquerading = Masquerading WARNING: untranslated string: masquerading disabled = Masquerading disabled WARNING: untranslated string: masquerading enabled = Masquerading enabled WARNING: untranslated string: messages = Messages +WARNING: untranslated string: mtu = MTU WARNING: untranslated string: no data = unknown string WARNING: untranslated string: none = none WARNING: untranslated string: one hour = One Hour @@ -924,9 +944,11 @@ WARNING: untranslated string: ssh active sessions = Active logins WARNING: untranslated string: ssh login time = Logged in since WARNING: untranslated string: ssh no active logins = No active logins WARNING: untranslated string: ssh username = Username +WARNING: untranslated string: subnet mask = Subnet Mask WARNING: untranslated string: tcp more reliable = TCP (more reliable) WARNING: untranslated string: ten minutes = 10 Minutes WARNING: untranslated string: thirty minutes = 30 Minutes +WARNING: untranslated string: transport mode does not support vti = VTI is not support in transport mode WARNING: untranslated string: twelve hours = 12 Hours WARNING: untranslated string: two weeks = Two Weeks WARNING: untranslated string: udp less overhead = UDP (less overhead) @@ -944,8 +966,8 @@ WARNING: untranslated string: vpn start action = Start Action WARNING: untranslated string: vpn start action add = Wait for connection initiation WARNING: untranslated string: vpn start action route = On Demand WARNING: untranslated string: vpn start action start = Always On -WARNING: untranslated string: vpn statistic n2n = OpenVPN Net-to-Net Statistics -WARNING: untranslated string: vpn statistic rw = OpenVPN Roadwarrior Statistics +WARNING: untranslated string: vpn statistic n2n = VPN: Net-to-Net Statistics +WARNING: untranslated string: vpn statistic rw = VPN: Roadwarrior Statistics WARNING: untranslated string: vpn statistics n2n = unknown string WARNING: untranslated string: vpn wait = WAITING WARNING: untranslated string: vpn weak = Weak diff --git a/doc/language_issues.nl b/doc/language_issues.nl index 64778ffd7..46d923fe5 100644 --- a/doc/language_issues.nl +++ b/doc/language_issues.nl @@ -415,7 +415,6 @@ WARNING: translation string unused: messages logging WARNING: translation string unused: min size WARNING: translation string unused: missing dat WARNING: translation string unused: missing gz -WARNING: translation string unused: mode WARNING: translation string unused: modem on com1 WARNING: translation string unused: modem on com2 WARNING: translation string unused: modem on com3 @@ -718,11 +717,14 @@ WARNING: translation string unused: use ibod WARNING: translation string unused: view log WARNING: translation string unused: vpn aggrmode WARNING: translation string unused: vpn configuration main +WARNING: translation string unused: vpn delayed start +WARNING: translation string unused: vpn delayed start help WARNING: translation string unused: vpn incompatible use of defaultroute WARNING: translation string unused: vpn mtu invalid WARNING: translation string unused: vpn on blue WARNING: translation string unused: vpn on green WARNING: translation string unused: vpn on orange +WARNING: translation string unused: vpn red name WARNING: translation string unused: vpn watch WARNING: translation string unused: warn when traffic reaches WARNING: translation string unused: web proxy configuration @@ -787,6 +789,7 @@ WARNING: untranslated string: check all = Check all WARNING: untranslated string: crypto error = Cryptographic error WARNING: untranslated string: crypto warning = Cryptographic warning WARNING: untranslated string: default = Default +WARNING: untranslated string: default IP address = Default IP Address WARNING: untranslated string: dh = Diffie-Hellman parameters WARNING: untranslated string: dh key move failed = Diffie-Hellman parameters move failed. WARNING: untranslated string: dh key warn = Creating DH-parameters with a length of 2048 bits takes up to several minutes. Lengths of 3072 or 4096 bits might needs several hours. Please be patient. @@ -798,6 +801,8 @@ WARNING: untranslated string: dhcp dns update = DNS Update WARNING: untranslated string: dhcp dns update algo = Algorithm: WARNING: untranslated string: dhcp dns update secret = Secret: WARNING: untranslated string: dl client arch insecure = Download insecure Client Package (zip) +WARNING: untranslated string: dns forward disable dnssec = Disable DNSSEC (dangerous) +WARNING: untranslated string: dns forwarding dnssec disabled notice = (DNSSEC disabled) WARNING: untranslated string: dns servers = DNS Servers WARNING: untranslated string: dnsforward forward_servers = Nameservers WARNING: untranslated string: dnssec aware = DNSSEC Aware @@ -898,10 +903,24 @@ WARNING: untranslated string: imsi = IMSI WARNING: untranslated string: incoming compression in bytes per second = Incoming Compression WARNING: untranslated string: incoming overhead in bytes per second = Incoming Overhead WARNING: untranslated string: info messages = unknown string +WARNING: untranslated string: interface mode = Interface WARNING: untranslated string: invalid input for inactivity timeout = Invalid input for Inactivity Timeout +WARNING: untranslated string: invalid input for interface address = Invalid input for interface address +WARNING: untranslated string: invalid input for interface mode = Invalid input for interface mode +WARNING: untranslated string: invalid input for interface mtu = Invalid input to interface MTU +WARNING: untranslated string: invalid input for local ip address = Invalid input for local IP address +WARNING: untranslated string: invalid input for mode = Invalid input for mode WARNING: untranslated string: invalid input for valid till days = Invalid input for Valid till (days). WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hostname WARNING: untranslated string: invalid logserver protocol = Invalid syslogd server protocol +WARNING: untranslated string: ipsec connection = IPsec Connection +WARNING: untranslated string: ipsec interface mode gre = GRE +WARNING: untranslated string: ipsec interface mode none = - None (Default) - +WARNING: untranslated string: ipsec interface mode vti = VTI +WARNING: untranslated string: ipsec mode transport = Transport +WARNING: untranslated string: ipsec mode tunnel = Tunnel +WARNING: untranslated string: ipsec settings = IPsec Settings +WARNING: untranslated string: local ip address = Local IP Address WARNING: untranslated string: log server protocol = protocol: WARNING: untranslated string: masquerade blue = Masquerade BLUE WARNING: untranslated string: masquerade green = Masquerade GREEN @@ -924,6 +943,7 @@ WARNING: untranslated string: modem no connection message = No connection to the WARNING: untranslated string: modem sim information = SIM Information WARNING: untranslated string: modem status = Modem Status WARNING: untranslated string: monitor interface = Monitor Interface +WARNING: untranslated string: mtu = MTU WARNING: untranslated string: nameserver = Nameserver WARNING: untranslated string: no data = unknown string WARNING: untranslated string: none = none @@ -967,10 +987,12 @@ WARNING: untranslated string: ssh active sessions = Active logins WARNING: untranslated string: ssh login time = Logged in since WARNING: untranslated string: ssh no active logins = No active logins WARNING: untranslated string: ssh username = Username +WARNING: untranslated string: subnet mask = Subnet Mask WARNING: untranslated string: ta key = TLS-Authentification-Key WARNING: untranslated string: tcp more reliable = TCP (more reliable) WARNING: untranslated string: ten minutes = 10 Minutes WARNING: untranslated string: thirty minutes = 30 Minutes +WARNING: untranslated string: transport mode does not support vti = VTI is not support in transport mode WARNING: untranslated string: twelve hours = 12 Hours WARNING: untranslated string: two weeks = Two Weeks WARNING: untranslated string: udp less overhead = UDP (less overhead) @@ -990,8 +1012,8 @@ WARNING: untranslated string: vpn start action = Start Action WARNING: untranslated string: vpn start action add = Wait for connection initiation WARNING: untranslated string: vpn start action route = On Demand WARNING: untranslated string: vpn start action start = Always On -WARNING: untranslated string: vpn statistic n2n = OpenVPN Net-to-Net Statistics -WARNING: untranslated string: vpn statistic rw = OpenVPN Roadwarrior Statistics +WARNING: untranslated string: vpn statistic n2n = VPN: Net-to-Net Statistics +WARNING: untranslated string: vpn statistic rw = VPN: Roadwarrior Statistics WARNING: untranslated string: vpn statistics n2n = unknown string WARNING: untranslated string: vpn wait = WAITING WARNING: untranslated string: vpn weak = Weak diff --git a/doc/language_issues.pl b/doc/language_issues.pl index 236248d55..d8b49f918 100644 --- a/doc/language_issues.pl +++ b/doc/language_issues.pl @@ -365,7 +365,6 @@ WARNING: translation string unused: messages logging WARNING: translation string unused: min size WARNING: translation string unused: missing dat WARNING: translation string unused: missing gz -WARNING: translation string unused: mode WARNING: translation string unused: modem on com1 WARNING: translation string unused: modem on com2 WARNING: translation string unused: modem on com3 @@ -634,11 +633,14 @@ WARNING: translation string unused: use ibod WARNING: translation string unused: view log WARNING: translation string unused: vpn aggrmode WARNING: translation string unused: vpn configuration main +WARNING: translation string unused: vpn delayed start +WARNING: translation string unused: vpn delayed start help WARNING: translation string unused: vpn incompatible use of defaultroute WARNING: translation string unused: vpn mtu invalid WARNING: translation string unused: vpn on blue WARNING: translation string unused: vpn on green WARNING: translation string unused: vpn on orange +WARNING: translation string unused: vpn red name WARNING: translation string unused: vpn watch WARNING: translation string unused: warn when traffic reaches WARNING: translation string unused: web proxy configuration @@ -761,6 +763,7 @@ WARNING: untranslated string: crypto error = Cryptographic error WARNING: untranslated string: crypto warning = Cryptographic warning WARNING: untranslated string: dead peer detection = Dead Peer Detection WARNING: untranslated string: default = Default +WARNING: untranslated string: default IP address = Default IP Address WARNING: untranslated string: deprecated fs warn = Deprecated filesystem! Newer kernel drop the support. Backup and reformat! WARNING: untranslated string: details = Details WARNING: untranslated string: dh = Diffie-Hellman parameters @@ -775,6 +778,8 @@ WARNING: untranslated string: dhcp dns update algo = Algorithm: WARNING: untranslated string: dhcp dns update secret = Secret: WARNING: untranslated string: dl client arch insecure = Download insecure Client Package (zip) WARNING: untranslated string: dnat address = Firewall Interface +WARNING: untranslated string: dns forward disable dnssec = Disable DNSSEC (dangerous) +WARNING: untranslated string: dns forwarding dnssec disabled notice = (DNSSEC disabled) WARNING: untranslated string: dns servers = DNS Servers WARNING: untranslated string: dnsforward = DNS Forwarding WARNING: untranslated string: dnsforward add a new entry = Add a new entry @@ -1050,17 +1055,31 @@ WARNING: untranslated string: incoming firewall access = Incoming Firewall Acces WARNING: untranslated string: incoming overhead in bytes per second = Incoming Overhead WARNING: untranslated string: info messages = unknown string WARNING: untranslated string: integrity = Integrity: +WARNING: untranslated string: interface mode = Interface WARNING: untranslated string: invalid input for dpd delay = Invalid input for DPD delay WARNING: untranslated string: invalid input for dpd timeout = Invalid input for DPD timeout WARNING: untranslated string: invalid input for inactivity timeout = Invalid input for Inactivity Timeout +WARNING: untranslated string: invalid input for interface address = Invalid input for interface address +WARNING: untranslated string: invalid input for interface mode = Invalid input for interface mode +WARNING: untranslated string: invalid input for interface mtu = Invalid input to interface MTU +WARNING: untranslated string: invalid input for local ip address = Invalid input for local IP address +WARNING: untranslated string: invalid input for mode = Invalid input for mode WARNING: untranslated string: invalid input for valid till days = Invalid input for Valid till (days). WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hostname WARNING: untranslated string: invalid logserver protocol = Invalid syslogd server protocol WARNING: untranslated string: ipsec = IPsec +WARNING: untranslated string: ipsec connection = IPsec Connection +WARNING: untranslated string: ipsec interface mode gre = GRE +WARNING: untranslated string: ipsec interface mode none = - None (Default) - +WARNING: untranslated string: ipsec interface mode vti = VTI +WARNING: untranslated string: ipsec mode transport = Transport +WARNING: untranslated string: ipsec mode tunnel = Tunnel WARNING: untranslated string: ipsec network = IPsec network +WARNING: untranslated string: ipsec settings = IPsec Settings WARNING: untranslated string: last = Last WARNING: untranslated string: least preferred = least preferred WARNING: untranslated string: lifetime = Lifetime: +WARNING: untranslated string: local ip address = Local IP Address WARNING: untranslated string: log server protocol = protocol: WARNING: untranslated string: mac filter = MAC filter WARNING: untranslated string: masquerade blue = Masquerade BLUE @@ -1088,6 +1107,7 @@ WARNING: untranslated string: modem sim information = SIM Information WARNING: untranslated string: modem status = Modem Status WARNING: untranslated string: monitor interface = Monitor Interface WARNING: untranslated string: most preferred = most preferred +WARNING: untranslated string: mtu = MTU WARNING: untranslated string: nameserver = Nameserver WARNING: untranslated string: no data = unknown string WARNING: untranslated string: none = none @@ -1166,6 +1186,7 @@ WARNING: untranslated string: ssh login time = Logged in since WARNING: untranslated string: ssh no active logins = No active logins WARNING: untranslated string: ssh username = Username WARNING: untranslated string: static routes = Static Routes +WARNING: untranslated string: subnet mask = Subnet Mask WARNING: untranslated string: support donation = Support the IPFire project with your donation WARNING: untranslated string: system has rdrand = This system has support for Intel(R) RDRAND. WARNING: untranslated string: system information = System Information @@ -1221,6 +1242,7 @@ WARNING: untranslated string: tor traffic limit hard = Traffic limit has been re WARNING: untranslated string: tor traffic limit soft = Traffic limit almost reached. Not accepting any new connections. WARNING: untranslated string: tor traffic read written = Total traffic (read/written) WARNING: untranslated string: tor use exit nodes = Use only these exit nodes (one per line) +WARNING: untranslated string: transport mode does not support vti = VTI is not support in transport mode WARNING: untranslated string: twelve hours = 12 Hours WARNING: untranslated string: two weeks = Two Weeks WARNING: untranslated string: udp less overhead = UDP (less overhead) @@ -1245,8 +1267,8 @@ WARNING: untranslated string: vpn start action = Start Action WARNING: untranslated string: vpn start action add = Wait for connection initiation WARNING: untranslated string: vpn start action route = On Demand WARNING: untranslated string: vpn start action start = Always On -WARNING: untranslated string: vpn statistic n2n = OpenVPN Net-to-Net Statistics -WARNING: untranslated string: vpn statistic rw = OpenVPN Roadwarrior Statistics +WARNING: untranslated string: vpn statistic n2n = VPN: Net-to-Net Statistics +WARNING: untranslated string: vpn statistic rw = VPN: Roadwarrior Statistics WARNING: untranslated string: vpn statistics n2n = unknown string WARNING: untranslated string: vpn wait = WAITING WARNING: untranslated string: vpn weak = Weak diff --git a/doc/language_issues.ru b/doc/language_issues.ru index 810b16f50..1286bcd87 100644 --- a/doc/language_issues.ru +++ b/doc/language_issues.ru @@ -358,7 +358,6 @@ WARNING: translation string unused: messages logging WARNING: translation string unused: min size WARNING: translation string unused: missing dat WARNING: translation string unused: missing gz -WARNING: translation string unused: mode WARNING: translation string unused: modem on com1 WARNING: translation string unused: modem on com2 WARNING: translation string unused: modem on com3 @@ -637,11 +636,14 @@ WARNING: translation string unused: use ibod WARNING: translation string unused: view log WARNING: translation string unused: vpn aggrmode WARNING: translation string unused: vpn configuration main +WARNING: translation string unused: vpn delayed start +WARNING: translation string unused: vpn delayed start help WARNING: translation string unused: vpn incompatible use of defaultroute WARNING: translation string unused: vpn mtu invalid WARNING: translation string unused: vpn on blue WARNING: translation string unused: vpn on green WARNING: translation string unused: vpn on orange +WARNING: translation string unused: vpn red name WARNING: translation string unused: vpn watch WARNING: translation string unused: warn when traffic reaches WARNING: translation string unused: web proxy configuration @@ -764,6 +766,7 @@ WARNING: untranslated string: crypto error = Cryptographic error WARNING: untranslated string: crypto warning = Cryptographic warning WARNING: untranslated string: dead peer detection = Dead Peer Detection WARNING: untranslated string: default = Default +WARNING: untranslated string: default IP address = Default IP Address WARNING: untranslated string: deprecated fs warn = Deprecated filesystem! Newer kernel drop the support. Backup and reformat! WARNING: untranslated string: details = Details WARNING: untranslated string: dh = Diffie-Hellman parameters @@ -779,6 +782,8 @@ WARNING: untranslated string: dhcp dns update secret = Secret: WARNING: untranslated string: disk access per = Disk Access per WARNING: untranslated string: dl client arch insecure = Download insecure Client Package (zip) WARNING: untranslated string: dnat address = Firewall Interface +WARNING: untranslated string: dns forward disable dnssec = Disable DNSSEC (dangerous) +WARNING: untranslated string: dns forwarding dnssec disabled notice = (DNSSEC disabled) WARNING: untranslated string: dns servers = DNS Servers WARNING: untranslated string: dnsforward = DNS Forwarding WARNING: untranslated string: dnsforward add a new entry = Add a new entry @@ -1052,17 +1057,31 @@ WARNING: untranslated string: incoming overhead in bytes per second = Incoming O WARNING: untranslated string: incoming traffic in bytes per second = Incoming Traffic WARNING: untranslated string: info messages = unknown string WARNING: untranslated string: integrity = Integrity: +WARNING: untranslated string: interface mode = Interface WARNING: untranslated string: invalid input for dpd delay = Invalid input for DPD delay WARNING: untranslated string: invalid input for dpd timeout = Invalid input for DPD timeout WARNING: untranslated string: invalid input for inactivity timeout = Invalid input for Inactivity Timeout +WARNING: untranslated string: invalid input for interface address = Invalid input for interface address +WARNING: untranslated string: invalid input for interface mode = Invalid input for interface mode +WARNING: untranslated string: invalid input for interface mtu = Invalid input to interface MTU +WARNING: untranslated string: invalid input for local ip address = Invalid input for local IP address +WARNING: untranslated string: invalid input for mode = Invalid input for mode WARNING: untranslated string: invalid input for valid till days = Invalid input for Valid till (days). WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hostname WARNING: untranslated string: invalid logserver protocol = Invalid syslogd server protocol WARNING: untranslated string: ipsec = IPsec +WARNING: untranslated string: ipsec connection = IPsec Connection +WARNING: untranslated string: ipsec interface mode gre = GRE +WARNING: untranslated string: ipsec interface mode none = - None (Default) - +WARNING: untranslated string: ipsec interface mode vti = VTI +WARNING: untranslated string: ipsec mode transport = Transport +WARNING: untranslated string: ipsec mode tunnel = Tunnel WARNING: untranslated string: ipsec network = IPsec network +WARNING: untranslated string: ipsec settings = IPsec Settings WARNING: untranslated string: last = Last WARNING: untranslated string: least preferred = least preferred WARNING: untranslated string: lifetime = Lifetime: +WARNING: untranslated string: local ip address = Local IP Address WARNING: untranslated string: log server protocol = protocol: WARNING: untranslated string: mac filter = MAC filter WARNING: untranslated string: masquerade blue = Masquerade BLUE @@ -1090,6 +1109,7 @@ WARNING: untranslated string: modem sim information = SIM Information WARNING: untranslated string: modem status = Modem Status WARNING: untranslated string: monitor interface = Monitor Interface WARNING: untranslated string: most preferred = most preferred +WARNING: untranslated string: mtu = MTU WARNING: untranslated string: nameserver = Nameserver WARNING: untranslated string: no data = unknown string WARNING: untranslated string: none = none @@ -1162,6 +1182,7 @@ WARNING: untranslated string: ssh login time = Logged in since WARNING: untranslated string: ssh no active logins = No active logins WARNING: untranslated string: ssh username = Username WARNING: untranslated string: static routes = Static Routes +WARNING: untranslated string: subnet mask = Subnet Mask WARNING: untranslated string: support donation = Support the IPFire project with your donation WARNING: untranslated string: system has rdrand = This system has support for Intel(R) RDRAND. WARNING: untranslated string: ta key = TLS-Authentification-Key @@ -1216,6 +1237,7 @@ WARNING: untranslated string: tor traffic limit hard = Traffic limit has been re WARNING: untranslated string: tor traffic limit soft = Traffic limit almost reached. Not accepting any new connections. WARNING: untranslated string: tor traffic read written = Total traffic (read/written) WARNING: untranslated string: tor use exit nodes = Use only these exit nodes (one per line) +WARNING: untranslated string: transport mode does not support vti = VTI is not support in transport mode WARNING: untranslated string: twelve hours = 12 Hours WARNING: untranslated string: two weeks = Two Weeks WARNING: untranslated string: udp less overhead = UDP (less overhead) @@ -1240,8 +1262,8 @@ WARNING: untranslated string: vpn start action = Start Action WARNING: untranslated string: vpn start action add = Wait for connection initiation WARNING: untranslated string: vpn start action route = On Demand WARNING: untranslated string: vpn start action start = Always On -WARNING: untranslated string: vpn statistic n2n = OpenVPN Net-to-Net Statistics -WARNING: untranslated string: vpn statistic rw = OpenVPN Roadwarrior Statistics +WARNING: untranslated string: vpn statistic n2n = VPN: Net-to-Net Statistics +WARNING: untranslated string: vpn statistic rw = VPN: Roadwarrior Statistics WARNING: untranslated string: vpn statistics n2n = unknown string WARNING: untranslated string: vpn wait = WAITING WARNING: untranslated string: vpn weak = Weak diff --git a/doc/language_issues.tr b/doc/language_issues.tr index 140658346..0e95d6045 100644 --- a/doc/language_issues.tr +++ b/doc/language_issues.tr @@ -445,7 +445,6 @@ WARNING: translation string unused: messages logging WARNING: translation string unused: min size WARNING: translation string unused: missing dat WARNING: translation string unused: missing gz -WARNING: translation string unused: mode WARNING: translation string unused: modem on com1 WARNING: translation string unused: modem on com2 WARNING: translation string unused: modem on com3 @@ -751,11 +750,14 @@ WARNING: translation string unused: use ibod WARNING: translation string unused: view log WARNING: translation string unused: vpn aggrmode WARNING: translation string unused: vpn configuration main +WARNING: translation string unused: vpn delayed start +WARNING: translation string unused: vpn delayed start help WARNING: translation string unused: vpn incompatible use of defaultroute WARNING: translation string unused: vpn mtu invalid WARNING: translation string unused: vpn on blue WARNING: translation string unused: vpn on green WARNING: translation string unused: vpn on orange +WARNING: translation string unused: vpn red name WARNING: translation string unused: vpn watch WARNING: translation string unused: warn when traffic reaches WARNING: translation string unused: web proxy configuration @@ -772,6 +774,9 @@ WARNING: untranslated string: Scan for Songs = unknown string WARNING: untranslated string: bytes = unknown string WARNING: untranslated string: crypto error = Cryptographic error WARNING: untranslated string: crypto warning = Cryptographic warning +WARNING: untranslated string: default IP address = Default IP Address +WARNING: untranslated string: dns forward disable dnssec = Disable DNSSEC (dangerous) +WARNING: untranslated string: dns forwarding dnssec disabled notice = (DNSSEC disabled) WARNING: untranslated string: dnsforward forward_servers = Nameservers WARNING: untranslated string: fwdfw all subnets = All subnets WARNING: untranslated string: fwhost cust geoipgrp = unknown string @@ -813,7 +818,22 @@ WARNING: untranslated string: guardian service = unknown string WARNING: untranslated string: guardian watch snort alertfile = unknown string WARNING: untranslated string: ike lifetime should be between 1 and 8 hours = unknown string WARNING: untranslated string: info messages = unknown string +WARNING: untranslated string: interface mode = Interface +WARNING: untranslated string: invalid input for interface address = Invalid input for interface address +WARNING: untranslated string: invalid input for interface mode = Invalid input for interface mode +WARNING: untranslated string: invalid input for interface mtu = Invalid input to interface MTU +WARNING: untranslated string: invalid input for local ip address = Invalid input for local IP address +WARNING: untranslated string: invalid input for mode = Invalid input for mode WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hostname +WARNING: untranslated string: ipsec connection = IPsec Connection +WARNING: untranslated string: ipsec interface mode gre = GRE +WARNING: untranslated string: ipsec interface mode none = - None (Default) - +WARNING: untranslated string: ipsec interface mode vti = VTI +WARNING: untranslated string: ipsec mode transport = Transport +WARNING: untranslated string: ipsec mode tunnel = Tunnel +WARNING: untranslated string: ipsec settings = IPsec Settings +WARNING: untranslated string: local ip address = Local IP Address +WARNING: untranslated string: mtu = MTU WARNING: untranslated string: no data = unknown string WARNING: untranslated string: ovpn error dh = The Diffie-Hellman parameter needs to be in minimum 2048 bit! <br>Please generate or upload a new Diffie-Hellman parameter, this can be made below in the section "Diffie-Hellman parameters options".</br> WARNING: untranslated string: ovpn error md5 = You host certificate uses MD5 for the signature which is not accepted anymore. <br>Please update to the latest IPFire version and generate a new root and host certificate.</br><br>All OpenVPN clients needs then to be renewed!</br> @@ -826,6 +846,8 @@ WARNING: untranslated string: ssh active sessions = Active logins WARNING: untranslated string: ssh login time = Logged in since WARNING: untranslated string: ssh no active logins = No active logins WARNING: untranslated string: ssh username = Username +WARNING: untranslated string: subnet mask = Subnet Mask +WARNING: untranslated string: transport mode does not support vti = VTI is not support in transport mode WARNING: untranslated string: vpn start action add = Wait for connection initiation WARNING: untranslated string: vpn statistics n2n = unknown string WARNING: untranslated string: vpn wait = WAITING diff --git a/doc/language_missings b/doc/language_missings index 938a9551e..12ef6e673 100644 --- a/doc/language_missings +++ b/doc/language_missings @@ -28,7 +28,9 @@ < choose media < community rules < could not connect to www ipfire org +< cryptographic settings < dead peer detection +< default IP address < dhcp server disabled on blue interface < dhcp server enabled on blue interface < dh name is invalid @@ -38,9 +40,8 @@ < g.lite < guardian < insert removable device -< none +< interface mode < notes -< qos add subclass < quick control < shaping add options < show areas @@ -52,7 +53,6 @@ < updxlrtr used by < upload fcdsl.o < vpn configuration main -< vpn force mobike ############################################################################ # Checking cgi-bin translations for language: es # ############################################################################ @@ -186,10 +186,12 @@ < countrycode < country codes and flags < crypto error +< cryptographic settings < crypto warning < dead peer detection < default < default ip +< default IP address < deprecated fs warn < details < dh @@ -208,9 +210,11 @@ < dnsforward < dnsforward add a new entry < dnsforward configuration +< dns forward disable dnssec < dnsforward edit an entry < dnsforward entries < dnsforward forward_servers +< dns forwarding dnssec disabled notice < dnsforward zone < dnssec aware < dnssec disabled warning @@ -490,18 +494,32 @@ < incoming firewall access < incoming overhead in bytes per second < integrity +< interface mode < invalid input for dpd delay < invalid input for dpd timeout < invalid input for inactivity timeout +< invalid input for interface address +< invalid input for interface mode +< invalid input for interface mtu +< invalid input for local ip address +< invalid input for mode < invalid input for valid till days < invalid ip or hostname < invalid logserver protocol < ipsec +< ipsec connection +< ipsec interface mode gre +< ipsec interface mode none +< ipsec interface mode vti +< ipsec mode transport +< ipsec mode tunnel < ipsec network < ipsec no connections +< ipsec settings < last < least preferred < lifetime +< local ip address < log server protocol < mac filter < masquerade blue @@ -531,6 +549,7 @@ < modem status < monitor interface < most preferred +< mtu < MTU settings < nameserver < never @@ -632,6 +651,7 @@ < ssh no active logins < ssh username < static routes +< subnet mask < support donation < system has hwrng < system has rdrand @@ -696,6 +716,7 @@ < tor traffic limit soft < tor traffic read written < tor use exit nodes +< transport mode does not support vti < twelve hours < two weeks < udp less overhead @@ -782,8 +803,27 @@ ############################################################################ # Checking cgi-bin translations for language: fr # ############################################################################ -< dnsforward forward_servers -< invalid ip or hostname +< cryptographic settings +< default IP address +< dns forward disable dnssec +< dns forwarding dnssec disabled notice +< interface mode +< invalid input for interface address +< invalid input for interface mode +< invalid input for interface mtu +< invalid input for local ip address +< invalid input for mode +< ipsec connection +< ipsec interface mode gre +< ipsec interface mode none +< ipsec interface mode vti +< ipsec mode transport +< ipsec mode tunnel +< ipsec settings +< local ip address +< mtu +< subnet mask +< transport mode does not support vti ############################################################################ # Checking cgi-bin translations for language: it # ############################################################################ @@ -853,14 +893,18 @@ < Captive wrong ext < check all < crypto error +< cryptographic settings < crypto warning +< default IP address < dhcp dns enable update < dhcp dns key name < dhcp dns update < dhcp dns update algo < dhcp dns update secret < dl client arch insecure +< dns forward disable dnssec < dnsforward forward_servers +< dns forwarding dnssec disabled notice < dnssec disabled warning < eight hours < email config @@ -918,10 +962,24 @@ < guardian < incoming compression in bytes per second < incoming overhead in bytes per second +< interface mode < invalid input for inactivity timeout +< invalid input for interface address +< invalid input for interface mode +< invalid input for interface mtu +< invalid input for local ip address +< invalid input for mode < invalid input for valid till days < invalid ip or hostname < invalid logserver protocol +< ipsec connection +< ipsec interface mode gre +< ipsec interface mode none +< ipsec interface mode vti +< ipsec mode transport +< ipsec mode tunnel +< ipsec settings +< local ip address < log server protocol < masquerade blue < masquerade green @@ -930,6 +988,7 @@ < masquerading disabled < masquerading enabled < messages +< mtu < MTU settings < none < Number of Countries for the pie chart @@ -955,9 +1014,11 @@ < ssh login time < ssh no active logins < ssh username +< subnet mask < tcp more reliable < ten minutes < thirty minutes +< transport mode does not support vti < twelve hours < two weeks < udp less overhead @@ -1070,8 +1131,10 @@ < Captive wrong ext < check all < crypto error +< cryptographic settings < crypto warning < default +< default IP address < dh < dhcp dns enable update < dhcp dns key name @@ -1084,7 +1147,9 @@ < dh name is invalid < dh parameter < dl client arch insecure +< dns forward disable dnssec < dnsforward forward_servers +< dns forwarding dnssec disabled notice < dnssec aware < dnssec disabled warning < dnssec information @@ -1154,10 +1219,24 @@ < imsi < incoming compression in bytes per second < incoming overhead in bytes per second +< interface mode < invalid input for inactivity timeout +< invalid input for interface address +< invalid input for interface mode +< invalid input for interface mtu +< invalid input for local ip address +< invalid input for mode < invalid input for valid till days < invalid ip or hostname < invalid logserver protocol +< ipsec connection +< ipsec interface mode gre +< ipsec interface mode none +< ipsec interface mode vti +< ipsec mode transport +< ipsec mode tunnel +< ipsec settings +< local ip address < log server protocol < masquerade blue < masquerade green @@ -1180,6 +1259,7 @@ < modem sim information < modem status < monitor interface +< mtu < MTU settings < nameserver < never @@ -1223,11 +1303,13 @@ < ssh login time < ssh no active logins < ssh username +< subnet mask < ta key < tcp more reliable < ten minutes < teovpn_fragment < thirty minutes +< transport mode does not support vti < twelve hours < two weeks < udp less overhead @@ -1403,10 +1485,12 @@ < countrycode < country codes and flags < crypto error +< cryptographic settings < crypto warning < dead peer detection < default < default ip +< default IP address < deprecated fs warn < details < dh @@ -1425,9 +1509,11 @@ < dnsforward < dnsforward add a new entry < dnsforward configuration +< dns forward disable dnssec < dnsforward edit an entry < dnsforward entries < dnsforward forward_servers +< dns forwarding dnssec disabled notice < dnsforward zone < dnssec aware < dnssec disabled warning @@ -1709,18 +1795,32 @@ < incoming firewall access < incoming overhead in bytes per second < integrity +< interface mode < invalid input for dpd delay < invalid input for dpd timeout < invalid input for inactivity timeout +< invalid input for interface address +< invalid input for interface mode +< invalid input for interface mtu +< invalid input for local ip address +< invalid input for mode < invalid input for valid till days < invalid ip or hostname < invalid logserver protocol < ipsec +< ipsec connection +< ipsec interface mode gre +< ipsec interface mode none +< ipsec interface mode vti +< ipsec mode transport +< ipsec mode tunnel < ipsec network < ipsec no connections +< ipsec settings < last < least preferred < lifetime +< local ip address < log server protocol < mac filter < masquerade blue @@ -1750,6 +1850,7 @@ < modem status < monitor interface < most preferred +< mtu < MTU settings < nameserver < never @@ -1836,6 +1937,7 @@ < ssh no active logins < ssh username < static routes +< subnet mask < support donation < system has hwrng < system has rdrand @@ -1899,6 +2001,7 @@ < tor traffic limit soft < tor traffic read written < tor use exit nodes +< transport mode does not support vti < twelve hours < two weeks < udp less overhead @@ -2116,11 +2219,13 @@ < countrycode < country codes and flags < crypto error +< cryptographic settings < crypto warning < day-graph < dead peer detection < default < default ip +< default IP address < deprecated fs warn < details < dh @@ -2140,9 +2245,11 @@ < dnsforward < dnsforward add a new entry < dnsforward configuration +< dns forward disable dnssec < dnsforward edit an entry < dnsforward entries < dnsforward forward_servers +< dns forwarding dnssec disabled notice < dnsforward zone < dnssec aware < dnssec disabled warning @@ -2428,18 +2535,32 @@ < incoming overhead in bytes per second < incoming traffic in bytes per second < integrity +< interface mode < invalid input for dpd delay < invalid input for dpd timeout < invalid input for inactivity timeout +< invalid input for interface address +< invalid input for interface mode +< invalid input for interface mtu +< invalid input for local ip address +< invalid input for mode < invalid input for valid till days < invalid ip or hostname < invalid logserver protocol < ipsec +< ipsec connection +< ipsec interface mode gre +< ipsec interface mode none +< ipsec interface mode vti +< ipsec mode transport +< ipsec mode tunnel < ipsec network < ipsec no connections +< ipsec settings < last < least preferred < lifetime +< local ip address < log server protocol < mac filter < masquerade blue @@ -2470,6 +2591,7 @@ < monitor interface < month-graph < most preferred +< mtu < MTU settings < nameserver < never @@ -2553,6 +2675,7 @@ < ssh no active logins < ssh username < static routes +< subnet mask < support donation < system has hwrng < system has rdrand @@ -2616,6 +2739,7 @@ < tor traffic limit soft < tor traffic read written < tor use exit nodes +< transport mode does not support vti < twelve hours < two weeks < udp less overhead @@ -2705,10 +2829,29 @@ # Checking cgi-bin translations for language: tr # ############################################################################ < crypto error +< cryptographic settings < crypto warning +< default IP address +< dns forward disable dnssec < dnsforward forward_servers +< dns forwarding dnssec disabled notice < fwdfw all subnets +< interface mode +< invalid input for interface address +< invalid input for interface mode +< invalid input for interface mtu +< invalid input for local ip address +< invalid input for mode < invalid ip or hostname +< ipsec connection +< ipsec interface mode gre +< ipsec interface mode none +< ipsec interface mode vti +< ipsec mode transport +< ipsec mode tunnel +< ipsec settings +< local ip address +< mtu < ovpn error dh < ovpn error md5 < ovpn warning rfc3280 @@ -2716,6 +2859,8 @@ < ssh login time < ssh no active logins < ssh username +< subnet mask +< transport mode does not support vti < vpn start action add < vpn wait < wlanap neighbor scan diff --git a/html/cgi-bin/credits.cgi b/html/cgi-bin/credits.cgi index 51965d302..e687c9559 100644 --- a/html/cgi-bin/credits.cgi +++ b/html/cgi-bin/credits.cgi @@ -83,8 +83,8 @@ Jan Lentfer, Marcus Scholz, Ersan Yildirim, Joern-Ingo Weigert, -Alfred Haas, Wolfgang Apolinarski, +Alfred Haas, Lars Schuhmacher, Rene Zingel, Sascha Kilian, @@ -92,11 +92,11 @@ Ronald Wiesinger, Stephan Feddersen, Justin Luth, Michael Eitelwein, +Stéphane Pautrel, Bernhard Bitsch, Dominik Hassler, Larsen, Gabriel Rolland, -Stéphane Pautrel, Anton D. Seliverstov, Bernhard Bittner, David Kleuker, @@ -105,6 +105,7 @@ Jakub Ratajczak, Jorrit de Jonge, Jörn-Ingo Weigert, Przemek Zdroik, +Alexander Koch, Alexander Rudolf Gruber, Andrew Bellows, Axel Gembe, @@ -126,6 +127,7 @@ Logan Schmidt, Nico Prenzel, Osmar Gonzalez, Paul T. Simmons, +Rob Brewer, Robert Möker, Stefan Ernst, Stefan Ferstl, diff --git a/html/cgi-bin/dhcp.cgi b/html/cgi-bin/dhcp.cgi index 3eb5349a9..675d80012 100644 --- a/html/cgi-bin/dhcp.cgi +++ b/html/cgi-bin/dhcp.cgi @@ -446,15 +446,17 @@ if ($dhcpsettings{'ACTION'} eq $Lang::tr{'add'}.'2') { &General::log($Lang::tr{'fixed ip lease added'});
# Enter edit mode - $dhcpsettings{'KEY2'} = $key; + $dhcpsettings{'KEY2'} = 0; } else { @current2[$dhcpsettings{'KEY2'}] = "$dhcpsettings{'FIX_MAC'},$dhcpsettings{'FIX_ADDR'},$dhcpsettings{'FIX_ENABLED'},$dhcpsettings{'FIX_NEXTADDR'},$dhcpsettings{'FIX_FILENAME'},$dhcpsettings{'FIX_ROOTPATH'},$dhcpsettings{'FIX_REMARK'}\n"; $dhcpsettings{'KEY2'} = ''; # End edit mode &General::log($Lang::tr{'fixed ip lease modified'}); + + # sort newly added/modified entry + &sortcurrent2; }
#Write changes to dhcpd.conf. - &sortcurrent2; # sort newly added/modified entry &buildconf; # before calling buildconf which use fixed lease file ! } } @@ -1272,7 +1274,7 @@ sub buildconf { print FILE ", " . $dhcpsettings{"WINS2_${itf}"} if ($dhcpsettings{"WINS2_${itf}"}); print FILE ";\n" if ($dhcpsettings{"WINS1_${itf}"}); print FILE "\tnext-server " . $dhcpsettings{"NEXT_${itf}"} . ";\n" if ($dhcpsettings{"NEXT_${itf}"}); - print FILE "\tfilename "" . $dhcpsettings{"FILE_${itf}"} . "";\n" if ($dhcpsettings{"FILE_${itf}"}); + print FILE "\tfilename "" . &EscapeFilename($dhcpsettings{"FILE_${itf}"}) . "";\n" if ($dhcpsettings{"FILE_${itf}"}); print FILE "\tdefault-lease-time " . ($dhcpsettings{"DEFAULT_LEASE_TIME_${itf}"} * 60). ";\n"; print FILE "\tmax-lease-time " . ($dhcpsettings{"MAX_LEASE_TIME_${itf}"} * 60) . ";\n"; print FILE "\tallow bootp;\n" if ($dhcpsettings{"ENABLEBOOTP_${itf}"} eq 'on'); @@ -1325,7 +1327,7 @@ sub buildconf { print FILE "\thardware ethernet $temp[0];\n"; print FILE "\tfixed-address $temp[1];\n"; print FILE "\tnext-server $temp[3];\n" if ($temp[3]); - print FILE "\tfilename "$temp[4]";\n" if ($temp[4]); + print FILE "\tfilename "" . &EscapeFilename($temp[4]) . "";\n" if ($temp[4]); print FILE "\toption root-path "$temp[5]";\n" if ($temp[5]); print FILE "}\n"; $key++; @@ -1335,7 +1337,7 @@ sub buildconf { close FILE; if ( $dhcpsettings{"ENABLE_GREEN"} eq 'on' || $dhcpsettings{"ENABLE_BLUE"} eq 'on' ) {system '/usr/local/bin/dhcpctrl enable >/dev/null 2>&1';} else {system '/usr/local/bin/dhcpctrl disable >/dev/null 2>&1';} - system '/usr/local/bin/dhcpctrl restart >/dev/null 2>&1'; + system '/usr/local/bin/dhcpctrl restart >/dev/null 2>&1 &'; }
# @@ -1392,3 +1394,12 @@ sub IsUsedNewOptionDefinition { } return 0; } + +sub EscapeFilename($) { + my $filename = shift; + + # Replace all single / by / + $filename =~ s///\//g; + + return $filename; +} diff --git a/html/cgi-bin/dnsforward.cgi b/html/cgi-bin/dnsforward.cgi index 0439817b9..d9807c90e 100644 --- a/html/cgi-bin/dnsforward.cgi +++ b/html/cgi-bin/dnsforward.cgi @@ -52,6 +52,7 @@ $cgiparams{'ACTION'} = ''; $cgiparams{'ZONE'} = ''; $cgiparams{'FORWARD_SERVERS'} = ''; $cgiparams{'REMARK'} =''; +$cgiparams{'DISABLE_DNSSEC'} = 'off'; &Header::getcgihash(%cgiparams); open(FILE, $filename) or die 'Unable to open config file.'; my @current = <FILE>; @@ -76,6 +77,10 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'add'}) } }
+ if ($cgiparams{'DISABLE_DNSSEC'} !~ /^(on|off)?$/) { + $errormessage = $Lang::tr{'invalid input'}; + } + # Go further if there was no error. if ( ! $errormessage) { @@ -85,11 +90,16 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'add'}) # Check if a remark has been entered. $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'});
+ # Set to off if not enabled + if (!$cgiparams{'DISABLE_DNSSEC'}) { + $cgiparams{'DISABLE_DNSSEC'} = "off"; + } + # Check if we want to edit an existing or add a new entry. if($cgiparams{'EDITING'} eq 'no') { open(FILE,">>$filename") or die 'Unable to open config file.'; flock FILE, 2; - print FILE "$cgiparams{'ENABLED'},$cgiparams{'ZONE'},$cgiparams{'FORWARD_SERVERS'},$cgiparams{'REMARK'}\n"; + print FILE "$cgiparams{'ENABLED'},$cgiparams{'ZONE'},$cgiparams{'FORWARD_SERVERS'},$cgiparams{'REMARK'},$cgiparams{'DISABLE_DNSSEC'}\n"; } else { open(FILE, ">$filename") or die 'Unable to open config file.'; flock FILE, 2; @@ -98,7 +108,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'add'}) { $id++; if ($cgiparams{'EDITING'} eq $id) { - print FILE "$cgiparams{'ENABLED'},$cgiparams{'ZONE'},$cgiparams{'FORWARD_SERVERS'},$cgiparams{'REMARK'}\n"; + print FILE "$cgiparams{'ENABLED'},$cgiparams{'ZONE'},$cgiparams{'FORWARD_SERVERS'},$cgiparams{'REMARK'},$cgiparams{'DISABLE_DNSSEC'}\n"; } else { print FILE "$line"; } } } @@ -151,7 +161,10 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable disable'}) { chomp($line); my @temp = split(/,/,$line); - print FILE "$cgiparams{'ENABLE'},$temp[1],$temp[2],$temp[3]\n"; + + $temp[0] = $cgiparams{'ENABLE'}; + + print FILE join(",", @temp) . "\n"; } } close(FILE); @@ -176,6 +189,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) $cgiparams{'ZONE'} = $temp[1]; $cgiparams{'FORWARD_SERVERS'} = join(",", split(/|/, $temp[2])); $cgiparams{'REMARK'} = $temp[3]; + $cgiparams{'DISABLE_DNSSEC'} = $temp[4]; } } } @@ -184,6 +198,10 @@ $checked{'ENABLED'}{'off'} = ''; $checked{'ENABLED'}{'on'} = ''; $checked{'ENABLED'}{$cgiparams{'ENABLED'}} = "checked='checked'";
+$checked{'DISABLE_DNSSEC'}{'off'} = ''; +$checked{'DISABLE_DNSSEC'}{'on'} = ''; +$checked{'DISABLE_DNSSEC'}{$cgiparams{'DISABLE_DNSSEC'}} = "checked='checked'"; + &Header::openpage($Lang::tr{'dnsforward configuration'}, 1, '');
&Header::openbigbox('100%', 'left', '', $errormessage); @@ -230,6 +248,10 @@ print <<END <td width ='20%' class='base'>$Lang::tr{'remark'}:</td> <td><input type='text' name='REMARK' value='$cgiparams{'REMARK'}' size='40' maxlength='50' /></td> </tr> + <tr> + <td width ='20%' class='base'>$Lang::tr{'dns forward disable dnssec'}:</td> + <td><input type='checkbox' name='DISABLE_DNSSEC' $checked{'DISABLE_DNSSEC'}' /></td> + </tr> </table> <br> <hr> @@ -291,13 +313,19 @@ foreach my $line (@current) my $gif = ''; my $gdesc = ''; my $toggle = ''; + my $notice = "";
# Format lists of servers my $servers = join(", ", split(/|/, $temp[2]));
+ my $disable_dnssec = $temp[4]; + if($cgiparams{'ACTION'} eq $Lang::tr{'edit'} && $cgiparams{'ID'} eq $id) { print "<tr>"; $col="bgcolor='${Header::colouryellow}'"; } + elsif ($disable_dnssec eq 'on') { + print "<tr>"; + $col="bgcolor='${Header::colourred}' style='color: white'"; } elsif ($id % 2) { print "<tr>"; $col="bgcolor='$color{'color22'}'"; } @@ -308,11 +336,15 @@ foreach my $line (@current) if ($temp[0] eq 'on') { $gif='on.gif'; $toggle='off'; $gdesc=$Lang::tr{'click to disable'};} else { $gif='off.gif'; $toggle='on'; $gdesc=$Lang::tr{'click to enable'}; }
+ if ($disable_dnssec eq "on") { + $notice = $Lang::tr{'dns forwarding dnssec disabled notice'}; + } + ### # Display edit page. # print <<END - <td align='center' $col>$temp[1]</td> + <td align='center' $col>$temp[1] $notice</td> <td align='center' $col>$servers</td> <td align='center' $col>$temp[3]</td> <td align='center' $col> diff --git a/html/cgi-bin/index.cgi b/html/cgi-bin/index.cgi index 03dc3574d..c7bf9f323 100644 --- a/html/cgi-bin/index.cgi +++ b/html/cgi-bin/index.cgi @@ -367,13 +367,12 @@ END } #check if IPSEC is running if ( $vpnsettings{'ENABLED'} eq 'on' || $vpnsettings{'ENABLED_BLUE'} eq 'on' ) { - my $ipsecip = $vpnsettings{'VPN_IP'}; print<<END; <tr> <td style='width:25%; text-align:center; background-color:$Header::colourvpn;'> <a href='/cgi-bin/vpnmain.cgi' style='color:white'><b>$Lang::tr{'ipsec'}</b></a> </td> - <td style='width:30%; text-align:center;'>$ipsecip</td> + <td style='width:30%; text-align:center;'></td> <td style='width:45%; text-align:center; color:$Header::colourgreen;'>Online</td> </tr> END diff --git a/html/cgi-bin/netovpnsrv.cgi b/html/cgi-bin/netovpnsrv.cgi index ddf41771a..77c69cddb 100755 --- a/html/cgi-bin/netovpnsrv.cgi +++ b/html/cgi-bin/netovpnsrv.cgi @@ -35,8 +35,20 @@ my %mainsettings = (); &General::readhash("${General::swroot}/main/settings", %mainsettings); &General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", %color);
+my %vpnsettings = (); +&General::readhasharray("${General::swroot}/vpn/config", %vpnsettings); + my @vpns=();
+# Make list of all IPsec graphs +my %ipsecgraphs = (); +foreach my $key (sort {$vpnsettings{$a}[1] <=> $vpnsettings{$b}[1]} keys %vpnsettings) { + my $interface_mode = $vpnsettings{$key}[36]; + next unless ($interface_mode); + + $ipsecgraphs{$vpnsettings{$key}[1]} = "${interface_mode}${key}"; +} + my @querry = split(/?/,$ENV{'QUERY_STRING'}); $querry[0] = '' unless defined $querry[0]; $querry[1] = 'week' unless defined $querry[1]; @@ -44,7 +56,11 @@ $querry[1] = 'week' unless defined $querry[1]; if ( $querry[0] ne ""){ print "Content-type: image/png\n\n"; binmode(STDOUT); - &Graphs::updatevpnn2ngraph($querry[0],$querry[1]); + if (grep { $_ eq $querry[0] } values %ipsecgraphs) { + &Graphs::updateifgraph($querry[0],$querry[1]); + } else { + &Graphs::updatevpnn2ngraph($querry[0],$querry[1]); + } }else{ &Header::showhttpheaders(); &Header::openpage($Lang::tr{'vpn statistic n2n'}, 1, ''); @@ -56,7 +72,13 @@ if ( $querry[0] ne ""){ push(@vpns,$2); } } - if (@vpns){ + if (@vpns || %ipsecgraphs) { + foreach my $name (sort keys %ipsecgraphs) { + &Header::openbox('100%', 'center', "$Lang::tr{'ipsec connection'}: $name"); + &Graphs::makegraphbox("netovpnsrv.cgi", $ipsecgraphs{$name}, "day"); + &Header::closebox(); + } + foreach (@vpns) { &Header::openbox('100%', 'center', "$_ $Lang::tr{'graph'}"); &Graphs::makegraphbox("netovpnsrv.cgi",$_, "day"); diff --git a/html/cgi-bin/proxy.cgi b/html/cgi-bin/proxy.cgi index 9082a7994..6daa7fbd2 100644 --- a/html/cgi-bin/proxy.cgi +++ b/html/cgi-bin/proxy.cgi @@ -101,7 +101,7 @@ my $cre_svhosts = "${General::swroot}/proxy/advanced/cre/supervisors";
my $identhosts = "$identdir/hosts";
-my $authdir = "/usr/lib/squid/"; +my $authdir = "/usr/lib/squid"; my $errordir = "/usr/lib/squid/errors";
my $acl_src_subnets = "$acldir/src_subnets.acl"; diff --git a/html/cgi-bin/tor.cgi b/html/cgi-bin/tor.cgi index 0d235c949..71da66666 100644 --- a/html/cgi-bin/tor.cgi +++ b/html/cgi-bin/tor.cgi @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2013 IPFire Team info@ipfire.org # +# Copyright (C) 2013-2019 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -36,10 +36,10 @@ my @dummy = ( ${Header::colouryellow} ); undef (@dummy);
my @bandwidth_limits = ( - 1000 * 1024, # 1G + 1000 * 1024, # 1 GBit/s 500 * 1024, 200 * 1024, - 100 * 1024, # 100M + 100 * 1024, # 100 MBit/s 64 * 1024, 50 * 1024, 25 * 1024, @@ -49,10 +49,7 @@ my @bandwidth_limits = ( 8 * 1024, 4 * 1024, 2 * 1024, - 1024, # 1M - 512, - 256, - 160 + 1024 # 1 MBit/s ); my @accounting_periods = ('daily', 'weekly', 'monthly');
@@ -519,7 +516,7 @@ END <tr> <td width='40%' class='base'>$Lang::tr{'tor relay fingerprint'}:</td> <td width='60%'> - <a href='https://atlas.torproject.org/#details/$fingerprint' target='_blank'>$fingerprint</a> + <a href='https://metrics.torproject.org/rs.html#details/$fingerprint' target='_blank'>$fingerprint</a> </td> </tr> END @@ -612,7 +609,7 @@ END print <<END; <tr> <td width='40%'> - <a href='https://atlas.torproject.org/#details/$node-%3E%7B%27fingerprint%27%7D' target='_blank'> + <a href='https://metrics.torproject.org/rs.html#details/$node-%3E%7B%27fingerprint%27...' target='_blank'> $node->{'name'} </a> </td> diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index a5d27c8d8..00282d50b 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -69,6 +69,10 @@ my %INACTIVITY_TIMEOUTS = ( 0 => "- $Lang::tr{'unlimited'} -", );
+# Load aliases +my %aliases; +&General::get_aliases(%aliases); + my $col="";
$cgiparams{'ENABLED'} = 'off'; @@ -81,6 +85,7 @@ $cgiparams{'ADVANCED'} = ''; $cgiparams{'NAME'} = ''; $cgiparams{'LOCAL_SUBNET'} = ''; $cgiparams{'REMOTE_SUBNET'} = ''; +$cgiparams{'LOCAL'} = ''; $cgiparams{'REMOTE'} = ''; $cgiparams{'LOCAL_ID'} = ''; $cgiparams{'REMOTE_ID'} = ''; @@ -109,8 +114,12 @@ $cgiparams{'RW_NET'} = ''; $cgiparams{'DPD_DELAY'} = '30'; $cgiparams{'DPD_TIMEOUT'} = '120'; $cgiparams{'FORCE_MOBIKE'} = 'off'; -$cgiparams{'START_ACTION'} = 'start'; -$cgiparams{'INACTIVITY_TIMEOUT'} = 900; +$cgiparams{'START_ACTION'} = 'route'; +$cgiparams{'INACTIVITY_TIMEOUT'} = 1800; +$cgiparams{'MODE'} = "tunnel"; +$cgiparams{'INTERFACE_MODE'} = ""; +$cgiparams{'INTERFACE_ADDRESS'} = ""; +$cgiparams{'INTERFACE_MTU'} = 1500; &Header::getcgihash(%cgiparams, {'wantfile' => 1, 'filevar' => 'FH'});
### @@ -280,26 +289,43 @@ sub writeipsecfiles { #remote peer is not set? => use '%any' $lconfighash{$key}[10] = '%any' if ($lconfighash{$key}[10] eq '');
+ # Field 6 might be "off" on old installations + if ($lconfighash{$key}[6] eq "off") { + $lconfighash{$key}[6] = $lvpnsettings{"VPN_IP"}; + } + my $localside; - if ($lconfighash{$key}[26] eq 'BLUE') { - $localside = $netsettings{'BLUE_ADDRESS'}; - } elsif ($lconfighash{$key}[26] eq 'GREEN') { - $localside = $netsettings{'GREEN_ADDRESS'}; - } elsif ($lconfighash{$key}[26] eq 'ORANGE') { - $localside = $netsettings{'ORANGE_ADDRESS'}; - } else { # it is RED - $localside = $lvpnsettings{'VPN_IP'}; + if ($lconfighash{$key}[6]) { + $localside = $lconfighash{$key}[6]; + } else { + $localside = "%defaultroute"; }
+ my $interface_mode = $lconfighash{$key}[36]; + print CONF "conn $lconfighash{$key}[1]\n"; print CONF "\tleft=$localside\n"; - print CONF "\tleftsubnet=" . &make_subnets($lconfighash{$key}[8]) . "\n"; + + if ($interface_mode eq "gre") { + print CONF "\tleftprotoport=gre\n"; + } elsif ($interface_mode eq "vti") { + print CONF "\tleftsubnet=0.0.0.0/0\n"; + } else { + print CONF "\tleftsubnet=" . &make_subnets("left", $lconfighash{$key}[8]) . "\n"; + } + print CONF "\tleftfirewall=yes\n"; print CONF "\tlefthostaccess=yes\n"; print CONF "\tright=$lconfighash{$key}[10]\n";
if ($lconfighash{$key}[3] eq 'net') { - print CONF "\trightsubnet=" . &make_subnets($lconfighash{$key}[11]) . "\n"; + if ($interface_mode eq "gre") { + print CONF "\trightprotoport=gre\n"; + } elsif ($interface_mode eq "vti") { + print CONF "\trightsubnet=0.0.0.0/0\n"; + } else { + print CONF "\trightsubnet=" . &make_subnets("right", $lconfighash{$key}[11]) . "\n"; + } }
# Local Cert and Remote Cert (unless auth is DN dn-auth) @@ -312,6 +338,18 @@ sub writeipsecfiles { print CONF "\tleftid="$lconfighash{$key}[7]"\n" if ($lconfighash{$key}[7]); print CONF "\trightid="$lconfighash{$key}[9]"\n" if ($lconfighash{$key}[9]);
+ # Set mode + if ($lconfighash{$key}[35] eq "transport") { + print CONF "\ttype=transport\n"; + } else { + print CONF "\ttype=tunnel\n"; + } + + # Add mark for VTI + if ($interface_mode eq "vti") { + print CONF "\tmark=$key\n"; + } + # Is PFS enabled? my $pfs = $lconfighash{$key}[28] eq 'on' ? 'on' : 'off';
@@ -467,25 +505,12 @@ if ($ENV{"REMOTE_ADDR"} eq "") { if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cgiparams{'KEY'} eq '') { &General::readhash("${General::swroot}/vpn/settings", %vpnsettings);
- unless (&General::validfqdn($cgiparams{'VPN_IP'}) || &General::validip($cgiparams{'VPN_IP'}) - || $cgiparams{'VPN_IP'} eq '%defaultroute' ) { - $errormessage = $Lang::tr{'invalid input for hostname'}; - goto SAVE_ERROR; - } - - unless ($cgiparams{'VPN_DELAYED_START'} =~ /^[0-9]{1,3}$/ ) { #allow 0-999 seconds ! - $errormessage = $Lang::tr{'invalid time period'}; - goto SAVE_ERROR; - } - if ( $cgiparams{'RW_NET'} ne '' and !&General::validipandmask($cgiparams{'RW_NET'}) ) { $errormessage = $Lang::tr{'urlfilter invalid ip or mask error'}; goto SAVE_ERROR; }
$vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'}; - $vpnsettings{'VPN_IP'} = $cgiparams{'VPN_IP'}; - $vpnsettings{'VPN_DELAYED_START'} = $cgiparams{'VPN_DELAYED_START'}; $vpnsettings{'RW_NET'} = $cgiparams{'RW_NET'}; &General::writehash("${General::swroot}/vpn/settings", %vpnsettings); &writeipsecfiles(); @@ -1287,7 +1312,7 @@ END $cgiparams{'TYPE'} = $confighash{$cgiparams{'KEY'}}[3]; $cgiparams{'AUTH'} = $confighash{$cgiparams{'KEY'}}[4]; $cgiparams{'PSK'} = $confighash{$cgiparams{'KEY'}}[5]; - #$cgiparams{'free'} = $confighash{$cgiparams{'KEY'}}[6]; + $cgiparams{'LOCAL'} = $confighash{$cgiparams{'KEY'}}[6]; $cgiparams{'LOCAL_ID'} = $confighash{$cgiparams{'KEY'}}[7]; my @local_subnets = split(",", $confighash{$cgiparams{'KEY'}}[8]); $cgiparams{'LOCAL_SUBNET'} = join(/|/, @local_subnets); @@ -1315,7 +1340,12 @@ END $cgiparams{'DPD_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[30]; $cgiparams{'DPD_DELAY'} = $confighash{$cgiparams{'KEY'}}[31]; $cgiparams{'FORCE_MOBIKE'} = $confighash{$cgiparams{'KEY'}}[32]; + $cgiparams{'START_ACTION'} = $confighash{$cgiparams{'KEY'}}[33]; $cgiparams{'INACTIVITY_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[34]; + $cgiparams{'MODE'} = $confighash{$cgiparams{'KEY'}}[35]; + $cgiparams{'INTERFACE_MODE'} = $confighash{$cgiparams{'KEY'}}[36]; + $cgiparams{'INTERFACE_ADDRESS'} = $confighash{$cgiparams{'KEY'}}[37]; + $cgiparams{'INTERFACE_MTU'} = $confighash{$cgiparams{'KEY'}}[38];
if (!$cgiparams{'DPD_DELAY'}) { $cgiparams{'DPD_DELAY'} = 30; @@ -1329,6 +1359,10 @@ END $cgiparams{'INACTIVITY_TIMEOUT'} = 900; }
+ if ($cgiparams{'MODE'} eq "") { + $cgiparams{'MODE'} = "tunnel"; + } + } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) { $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'}); if ($cgiparams{'TYPE'} !~ /^(host|net)$/) { @@ -1366,6 +1400,13 @@ END goto VPNCONF_ERROR; }
+ if ($cgiparams{'LOCAL'}) { + if (($cgiparams{'LOCAL'} ne "") && (!&General::validip($cgiparams{'LOCAL'}))) { + $errormessage = $Lang::tr{'invalid input for local ip address'}; + goto VPNCONF_ERROR; + } + } + if ($cgiparams{'REMOTE'}) { if (($cgiparams{'REMOTE'} ne '%any') && (! &General::validip($cgiparams{'REMOTE'}))) { if (! &General::validfqdn ($cgiparams{'REMOTE'})) { @@ -1407,6 +1448,31 @@ END goto VPNCONF_ERROR; } } + + if ($cgiparams{'MODE'} !~ /^(tunnel|transport)$/) { + $errormessage = $Lang::tr{'invalid input for mode'}; + goto VPNCONF_ERROR; + } + + if ($cgiparams{'INTERFACE_MODE'} !~ /^(|gre|vti)$/) { + $errormessage = $Lang::tr{'invalid input for interface mode'}; + goto VPNCONF_ERROR; + } + + if (($cgiparams{'INTERFACE_MODE'} eq "vti") && ($cgiparams{'MODE'} eq "transport")) { + $errormessage = $Lang::tr{'transport mode does not support vti'}; + goto VPNCONF_ERROR; + } + + if (($cgiparams{'INTERFACE_MODE'} ne "") && !&Network::check_subnet($cgiparams{'INTERFACE_ADDRESS'})) { + $errormessage = $Lang::tr{'invalid input for interface address'}; + goto VPNCONF_ERROR; + } + + if ($cgiparams{'INTERFACE_MTU'} !~ /^\d+$/) { + $errormessage = $Lang::tr{'invalid input for interface mtu'}; + goto VPNCONF_ERROR; + } }
if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) { @@ -1811,7 +1877,7 @@ END my $key = $cgiparams{'KEY'}; if (! $key) { $key = &General::findhasharraykey (%confighash); - foreach my $i (0 .. 34) { $confighash{$key}[$i] = "";} + foreach my $i (0 .. 38) { $confighash{$key}[$i] = "";} } $confighash{$key}[0] = $cgiparams{'ENABLED'}; $confighash{$key}[1] = $cgiparams{'NAME'}; @@ -1829,6 +1895,7 @@ END my @remote_subnets = split(",", $cgiparams{'REMOTE_SUBNET'}); $confighash{$key}[11] = join('|', @remote_subnets); } + $confighash{$key}[6] = $cgiparams{'LOCAL'}; $confighash{$key}[7] = $cgiparams{'LOCAL_ID'}; my @local_subnets = split(",", $cgiparams{'LOCAL_SUBNET'}); $confighash{$key}[8] = join('|', @local_subnets); @@ -1855,10 +1922,14 @@ END $confighash{$key}[30] = $cgiparams{'DPD_TIMEOUT'}; $confighash{$key}[31] = $cgiparams{'DPD_DELAY'}; $confighash{$key}[32] = $cgiparams{'FORCE_MOBIKE'}; + $confighash{$key}[33] = $cgiparams{'START_ACTION'}; $confighash{$key}[34] = $cgiparams{'INACTIVITY_TIMEOUT'}; + $confighash{$key}[35] = $cgiparams{'MODE'}; + $confighash{$key}[36] = $cgiparams{'INTERFACE_MODE'}; + $confighash{$key}[37] = $cgiparams{'INTERFACE_ADDRESS'}; + $confighash{$key}[38] = $cgiparams{'INTERFACE_MTU'};
# free unused fields! - $confighash{$key}[6] = 'off'; $confighash{$key}[15] = 'off';
&General::writehasharray("${General::swroot}/vpn/config", %confighash); @@ -1881,7 +1952,12 @@ END } else { $cgiparams{'AUTH'} = 'certgen'; } - $cgiparams{'LOCAL_SUBNET'} = "$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}"; + + if ($netsettings{"GREEN_NETADDRESS"} && $netsettings{"GREEN_NETMASK"}) { + $cgiparams{"LOCAL_SUBNET"} = $netsettings{'GREEN_NETADDRESS'} . "/" . $netsettings{'GREEN_NETMASK'}; + } else { + $cgiparams{"LOCAL_SUBNET"} = ""; + } $cgiparams{'CERT_EMAIL'} = $vpnsettings{'ROOTCERT_EMAIL'}; $cgiparams{'CERT_OU'} = $vpnsettings{'ROOTCERT_OU'}; $cgiparams{'CERT_ORGANIZATION'} = $vpnsettings{'ROOTCERT_ORGANIZATION'}; @@ -1930,6 +2006,10 @@ END $cgiparams{'ONLY_PROPOSED'} = 'on'; #[24]; $cgiparams{'PFS'} = 'on'; #[28]; $cgiparams{'INACTIVITY_TIMEOUT'} = 900; + $cgiparams{'MODE'} = "tunnel"; + $cgiparams{'INTERFACE_MODE'} = ""; + $cgiparams{'INTERFACE_ADDRESS'} = ""; + $cgiparams{'INTERFACE_MTU'} = 1500; }
VPNCONF_ERROR: @@ -1949,6 +2029,23 @@ VPNCONF_ERROR: $checked{'AUTH'}{'auth-dn'} = ''; $checked{'AUTH'}{$cgiparams{'AUTH'}} = "checked='checked'";
+ $selected{'MODE'}{'tunnel'} = ''; + $selected{'MODE'}{'transport'} = ''; + $selected{'MODE'}{$cgiparams{'MODE'}} = "selected='selected'"; + + $selected{'INTERFACE_MODE'}{''} = ''; + $selected{'INTERFACE_MODE'}{'gre'} = ''; + $selected{'INTERFACE_MODE'}{'vti'} = ''; + $selected{'INTERFACE_MODE'}{$cgiparams{'INTERFACE_MODE'}} = "selected='selected'"; + + $selected{'LOCAL'}{''} = ''; + foreach my $alias (sort keys %aliases) { + my $address = $aliases{$alias}{'IPT'}; + + $selected{'LOCAL'}{$address} = ''; + } + $selected{'LOCAL'}{$cgiparams{'LOCAL'}} = "selected='selected'"; + &Header::showhttpheaders(); &Header::openpage($Lang::tr{'ipsec'}, 1, ''); &Header::openbigbox('100%', 'left', '', $errormessage); @@ -1985,6 +2082,8 @@ VPNCONF_ERROR: <input type='hidden' name='DPD_DELAY' value='$cgiparams{'DPD_DELAY'}' /> <input type='hidden' name='DPD_TIMEOUT' value='$cgiparams{'DPD_TIMEOUT'}' /> <input type='hidden' name='FORCE_MOBIKE' value='$cgiparams{'FORCE_MOBIKE'}' /> + <input type='hidden' name='START_ACTION' value='$cgiparams{'START_ACTION'}' /> + <input type='hidden' name='INACTIVITY_TIMEOUT' value='$cgiparams{'INACTIVITY_TIMEOUT'}' /> END ; if ($cgiparams{'KEY'}) { @@ -2021,25 +2120,44 @@ EOF my @remote_subnets = split(/|/, $cgiparams{'REMOTE_SUBNET'}); my $remote_subnets = join(",", @remote_subnets);
- print <<END + print <<END; <tr> <td width='20%'>$Lang::tr{'enabled'}</td> <td width='30%'> <input type='checkbox' name='ENABLED' $checked{'ENABLED'}{'on'} /> </td> - <td class='boldbase' nowrap='nowrap' width='20%'>$Lang::tr{'local subnet'} <img src='/blob.gif' alt='*' /></td> - <td width='30%'> - <input type='text' name='LOCAL_SUBNET' value='$local_subnets' /> - </td> + <td colspan="2"></td> </tr> <tr> + <td class='boldbase' width='20%'>$Lang::tr{'local ip address'}:</td> + <td width='30%'> + <select name="LOCAL"> + <option value="" $selected{'LOCAL'}{''}>- $Lang::tr{'default IP address'} -</option> +END + + foreach my $alias (sort keys %aliases) { + my $address = $aliases{$alias}{'IPT'}; + print <<END; + <option value="$address" $selected{'LOCAL'}{$address}>$alias ($address)</option> +END + } + + print <<END; + </select> + </td> <td class='boldbase' width='20%'>$Lang::tr{'remote host/ip'}: $blob</td> <td width='30%'> <input type='text' name='REMOTE' value='$cgiparams{'REMOTE'}' size="25" /> </td> + </tr> + <tr> + <td class='boldbase' nowrap='nowrap' width='20%'>$Lang::tr{'local subnet'} <img src='/blob.gif' alt='*' /></td> + <td width='30%'> + <input type='text' name='LOCAL_SUBNET' value='$local_subnets' size="25" /> + </td> <td class='boldbase' nowrap='nowrap' width='20%'>$Lang::tr{'remote subnet'} $blob</td> <td width='30%'> - <input $disabled type='text' name='REMOTE_SUBNET' value='$remote_subnets' /> + <input $disabled type='text' name='REMOTE_SUBNET' value='$remote_subnets' size="25" /> </td> </tr> <tr> @@ -2067,6 +2185,51 @@ END print "</table>"; &Header::closebox();
+ if ($cgiparams{'TYPE'} eq 'net') { + &Header::openbox('100%', 'left', $Lang::tr{'ipsec settings'}); + print <<EOF; + <table width='100%'> + <tbody> + <tr> + <td class='boldbase' width='20%'>$Lang::tr{'mode'}:</td> + <td width='30%'> + <select name='MODE'> + <option value='tunnel' $selected{'MODE'}{'tunnel'}>$Lang::tr{'ipsec mode tunnel'}</option> + <option value='transport' $selected{'MODE'}{'transport'}>$Lang::tr{'ipsec mode transport'}</option> + </select> + </td> + <td colspan='2'></td> + </tr> + + <tr> + <td class='boldbase' width='20%'>$Lang::tr{'interface mode'}:</td> + <td width='30%'> + <select name='INTERFACE_MODE'> + <option value='' $selected{'INTERFACE_MODE'}{''}>$Lang::tr{'ipsec interface mode none'}</option> + <option value='gre' $selected{'INTERFACE_MODE'}{'gre'}>$Lang::tr{'ipsec interface mode gre'}</option> + <option value='vti' $selected{'INTERFACE_MODE'}{'vti'}>$Lang::tr{'ipsec interface mode vti'}</option> + </select> + </td> + + <td class='boldbase' width='20%'>$Lang::tr{'ip address'}/$Lang::tr{'subnet mask'}:</td> + <td width='30%'> + <input type="text" name="INTERFACE_ADDRESS" value="$cgiparams{'INTERFACE_ADDRESS'}"> + </td> + </tr> + + <tr> + <td class='boldbase' width='20%'>$Lang::tr{'mtu'}:</td> + <td width='30%'> + <input type="number" name="INTERFACE_MTU" value="$cgiparams{'INTERFACE_MTU'}" min="576" max="9000"> + </td> + <td colspan='2'></td> + </tr> + </tbody> + </table> +EOF + &Header::closebox(); + } + if ($cgiparams{'KEY'} && $cgiparams{'AUTH'} eq 'psk') { &Header::openbox('100%', 'left', $Lang::tr{'authentication'}); print <<END @@ -2327,6 +2490,10 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || $cgiparams{'FORCE_MOBIKE'} = $confighash{$cgiparams{'KEY'}}[32]; $cgiparams{'START_ACTION'} = $confighash{$cgiparams{'KEY'}}[33]; $cgiparams{'INACTIVITY_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[34]; + $cgiparams{'MODE'} = $confighash{$cgiparams{'KEY'}}[35]; + $cgiparams{'INTERFACE_MODE'} = $confighash{$cgiparams{'KEY'}}[36]; + $cgiparams{'INTERFACE_ADDRESS'} = $confighash{$cgiparams{'KEY'}}[37]; + $cgiparams{'INTERFACE_MTU'} = $confighash{$cgiparams{'KEY'}}[38];
if (!$cgiparams{'DPD_DELAY'}) { $cgiparams{'DPD_DELAY'} = 30; @@ -2343,6 +2510,10 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || if ($cgiparams{'INACTIVITY_TIMEOUT'} eq "") { $cgiparams{'INACTIVITY_TIMEOUT'} = 900; # 15 min } + + if ($cgiparams{'MODE'} eq "") { + $cgiparams{'MODE'} = "tunnel"; + } }
ADVANCED_ERROR: @@ -2739,22 +2910,6 @@ EOF
my @status = `/usr/local/bin/ipsecctrl I 2>/dev/null`;
- # suggest a default name for this side - if ($cgiparams{'VPN_IP'} eq '' && -e "${General::swroot}/red/active") { - if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) { - my $ipaddr = <IPADDR>; - close IPADDR; - chomp ($ipaddr); - $cgiparams{'VPN_IP'} = (gethostbyaddr(pack("C4", split(/./, $ipaddr)), 2))[0]; - if ($cgiparams{'VPN_IP'} eq '') { - $cgiparams{'VPN_IP'} = $ipaddr; - } - } - } - # no IP found, use %defaultroute - $cgiparams{'VPN_IP'} ='%defaultroute' if ($cgiparams{'VPN_IP'} eq ''); - - $cgiparams{'VPN_DELAYED_START'} = 0 if (! defined ($cgiparams{'VPN_DELAYED_START'})); $checked{'ENABLED'} = $cgiparams{'ENABLED'} eq 'on' ? "checked='checked'" : '';
&Header::showhttpheaders(); @@ -2782,35 +2937,21 @@ EOF print <<END <form method='post' action='$ENV{'SCRIPT_NAME'}'> <table width='100%'> - <tr> - <td width='20%' class='base' nowrap='nowrap'>$Lang::tr{'vpn red name'}: <img src='/blob.gif' alt='*' /></td> - <td width='20%'><input type='text' name='VPN_IP' value='$cgiparams{'VPN_IP'}' /></td> - <td width='20%' class='base'>$Lang::tr{'enabled'}<input type='checkbox' name='ENABLED' $checked{'ENABLED'} /></td> - </tr> -END -; -print <<END - <tr> - <td class='base' nowrap='nowrap'>$Lang::tr{'vpn delayed start'}: <img src='/blob.gif' alt='*' /><img src='/blob.gif' alt='*' /></td> - <td ><input type='text' name='VPN_DELAYED_START' value='$cgiparams{'VPN_DELAYED_START'}' /></td> - </tr> - <tr> - <td class='base' nowrap='nowrap'>$Lang::tr{'host to net vpn'}:</td> - <td ><input type='text' name='RW_NET' value='$cgiparams{'RW_NET'}' /></td> - </tr> -</table> -<br> -<hr /> -<table width='100%'> -<tr> - <td class='base' valign='top'><img src='/blob.gif' alt='*' /></td> - <td width='70%' class='base' valign='top'>$Lang::tr{'required field'}</td><td width='30%' align='right' class='base'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' /></td> -</tr> -<tr> - <td class='base' valign='top' nowrap='nowrap'><img src='/blob.gif' alt='*' /><img src='/blob.gif' alt='*' /> </td> - <td class='base'> <font class='base'>$Lang::tr{'vpn delayed start help'}</font></td> - <td></td> -</tr> + <tr> + <td width='60%' class='base'> + $Lang::tr{'enabled'} + </td> + <td width="40%"> + <input type='checkbox' name='ENABLED' $checked{'ENABLED'} /> + </td> + </tr> + <tr> + <td class='base' nowrap='nowrap' width="60%">$Lang::tr{'host to net vpn'}:</td> + <td width="40%"><input type='text' name='RW_NET' value='$cgiparams{'RW_NET'}' /></td> + </tr> + <tr> + <td width='100%' colspan="2" align='right' class='base'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' /></td> + </tr> </table> END ; @@ -3212,13 +3353,19 @@ sub make_algos($$$$$) { return &array_unique(@algos); }
-sub make_subnets($) { +sub make_subnets($$) { + my $direction = shift; my $subnets = shift;
my @nets = split(/|/, $subnets); my @cidr_nets = (); foreach my $net (@nets) { my $cidr_net = &General::ipcidr($net); + + # Skip 0.0.0.0/0 for remote because this renders the + # while system inaccessible + next if (($direction eq "right") && ($cidr_net eq "0.0.0.0/0")); + push(@cidr_nets, $cidr_net); }
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 2f3ed41bc..ce7090c39 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -805,6 +805,8 @@ 'dns error 0' => 'Die IP Adresse vom <strong>primären</strong> DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!<br />Die eingegebene <strong>sekundären</strong> DNS Server Adresse ist jedoch gültig.<br />', 'dns error 01' => 'Die eingegebene IP Adresse des <strong>primären</strong> wie auch des <strong>sekundären</strong> DNS-Servers sind nicht gültig, bitte überprüfen Sie Ihre Eingaben!', 'dns error 1' => 'Die IP Adresse vom <strong>sekundären</strong> DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!<br />Die eingegebene <strong>primäre</strong> DNS Server Adresse ist jedoch gültig.', +'dns forward disable dnssec' => 'DNSSEC deaktivieren (nicht empfohlen)', +'dns forwarding dnssec disabled notice' => '(DNSSEC deaktiviert)', 'dns header' => 'DNS Server Adressen zuweisen nur mit DHCP an red0', 'dns list' => 'Liste von freien öffentlichen DNS Servern', 'dns menu' => 'DNS-Server zuweisen', @@ -1394,10 +1396,15 @@ 'invalid input for hostname' => 'Ungültige Eingabe für Hostname', 'invalid input for ike lifetime' => 'Ungültige Eingabe für IKE Lebensdauer', 'invalid input for inactivity timeout' => 'Ungültige Eingabe für Inaktivitätstimeout', +'invalid input for interface address' => 'Ungültige Eingabe für die Interface-Adresse', +'invalid input for interface mode' => 'Ungültige Eingabe des Interface-Modus', +'invalid input for interface mtu' => 'Ungültige Eingabe für die Interface-MTU', 'invalid input for keepalive 1' => 'Ungültige Eingabe für Keepalive ping', 'invalid input for keepalive 1:2' => 'Ungültige Eingabe für Keepalive (mindestens ein Verhältnis von 1:2)', 'invalid input for keepalive 2' => 'Ungültige Eingabe für Keepalive ping-restart', +'invalid input for local ip address' => 'Ungültige Eingabe für die lokale IP-Adresse', 'invalid input for max clients' => 'Ungültige Eingabe für Max Clients', +'invalid input for mode' => 'Ungültige Eingabe des Modus', 'invalid input for name' => 'Ungültige Eingabe für vollen Namen des Benutzers oder des System Hostnamens', 'invalid input for oink code' => 'Ungültige Eingabe für Oink Code', 'invalid input for organization' => 'Ungültige Eingabe für Organisation', @@ -1450,8 +1457,15 @@ 'ipfires hostname' => 'IPFire's Hostname', 'ipinfo' => 'IP-Info', 'ipsec' => 'IPsec', +'ipsec connection' => 'IPsec-Verbindung', +'ipsec interface mode gre' => 'GRE', +'ipsec interface mode none' => '- Kein Interface (Standard) -', +'ipsec interface mode vti' => 'VTI', +'ipsec mode transport' => 'Transport', +'ipsec mode tunnel' => 'Tunnel', 'ipsec network' => 'IPsec-Netzwerk', 'ipsec no connections' => 'Keine aktiven IPsec-Verbindungen', +'ipsec settings' => 'IPsec-Einstellungen', 'iptable rules' => 'IPTable-Regeln', 'iptmangles' => 'IPTable Mangles', 'iptnats' => 'IPTable Network Address Translation', @@ -1487,6 +1501,7 @@ 'load printer' => 'Lade Drucker', 'loaded modules' => 'Geladene Module:', 'local hard disk' => 'Festplatte', +'local ip address' => 'Lokale IP-Adresse', 'local master' => 'Local Master', 'local ntp server specified but not enabled' => 'Lokaler NTP Server angegeben aber nicht aktiviert', 'local subnet' => 'Lokales Subnetz:', @@ -1653,6 +1668,7 @@ 'mpfire search' => 'MPFire Suche', 'mpfire songs' => 'MPFire Songliste', 'mpfire webradio' => 'MPFire Webradio', +'mtu' => 'MTU', 'mtu QoS' => 'Diese Einstellung ändert die MTU nicht global sondern nur für das QoS.', 'my new share' => 'Meine neue Freigabe', 'name' => 'Name', @@ -1707,6 +1723,7 @@ 'no modem selected' => 'Kein Modem ausgewählt', 'no set selected' => 'Es wurde kein Satz ausgewählt', 'no time limit' => 'unbregenzte Zeit', +'none' => 'keiner', 'none found' => 'nichts gefunden', 'nonetworkname' => 'Kein Netzwerkname wurde eingegeben', 'noservicename' => 'Kein Dienstname wurde eingegeben', @@ -1969,6 +1986,7 @@ 'psk' => 'PSK', 'pulse' => 'Puls', 'pulse dial' => 'Pulswahl:', +'qos add subclass' => 'Unterklasse hinzufügen', 'qos enter bandwidths' => 'Bitte geben Sie ihre Downstream- und Upstream-Bandbreite an!', 'qos graphs' => 'Qos Diagramme', 'qos warning' => 'Die Regel <strong>muss</strong> wieder gespeichert werden, ansonsten wird sie verworfen!', @@ -2201,6 +2219,7 @@ 'subject warn' => 'Warnung - Warnlevel erreicht', 'subnet' => 'Subnet', 'subnet is invalid' => 'Netzmaske ist ungültig', +'subnet mask' => 'Subnetzmaske', 'subscripted user rules' => 'Sourcefire VRT Regeln mit Abonnement', 'successfully refreshed updates list' => 'Update-Liste erfolgreich aktualisiert.', 'summaries kept' => 'Zusammenfassungen aufheben für', @@ -2330,6 +2349,7 @@ 'trafficto' => 'Nach', 'transfer limits' => 'Transferbeschränkungen', 'transparent on' => 'Transparent auf', +'transport mode does not support vti' => 'VTI wird im Transport-Modus nicht unterstützt', 'tripwire' => 'Tripwire', 'tripwire cronjob' => 'Tripwire Cronjob', 'tripwire functions' => 'Tripwire Funktionen', @@ -2699,6 +2719,7 @@ 'vpn connecting' => 'VERBINDUNGSAUFBAU', 'vpn delayed start' => 'Verzögerung, bevor VPN gestartet wird (Sek.)', 'vpn delayed start help' => 'Falls notwendig, kann diese Verzögerung dazu verwendet werden, um Dynamic-DNS-Updates ordnungsgemäß anzuwenden. 60 ist ein gängiger Wert, wenn ROT (RED) eine dynamische IP Adresse ist.', +'vpn force mobike' => 'MOBIKE erzwingen (nur IKEv2)', 'vpn inactivity timeout' => 'Inaktivitätstimeout', 'vpn incompatible use of defaultroute' => 'Hostname=%defaultroute nicht zulässig', 'vpn keyexchange' => 'Schlüsseltausch', @@ -2717,8 +2738,8 @@ 'vpn start action add' => 'Auf Verbindungseingang warten', 'vpn start action route' => 'Bei Bedarf', 'vpn start action start' => 'Immer An', -'vpn statistic n2n' => 'OpenVPN-Netz-zu-Netz-Statistik', -'vpn statistic rw' => 'OpenVPN-Roadwarrior-Statistik', +'vpn statistic n2n' => 'VPN: Netz-zu-Netz-Statistik', +'vpn statistic rw' => 'VPN: Roadwarrior-Statistik', 'vpn subjectaltname' => 'Subjekt Alternativer Name', 'vpn wait' => 'WARTE', 'vpn watch' => 'Netz-zu-Netz VPN neu starten, wenn sich Remote-IP ändert (DynDNS).', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 258176970..7697dc202 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -684,6 +684,7 @@ 'cron server' => 'CRON Server', 'crypto error' => 'Cryptographic error', 'crypto warning' => 'Cryptographic warning', +'cryptographic settings' => 'Cryptographic Settings', 'current' => 'Current', 'current aliases' => 'Current aliases', 'current class' => 'Current class', @@ -725,6 +726,7 @@ 'deep scan directories' => 'Scan recursive', 'def lease time' => 'Default Lease Time', 'default' => 'Default', +'default IP address' => 'Default IP Address', 'default ip' => 'Default IP address', 'default lease time' => 'Default lease time (mins):', 'default networks' => 'Default networks', @@ -830,6 +832,8 @@ 'dns error 0' => 'The IP address of the <strong>primary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>secondary</strong> DNS server address is valid.', 'dns error 01' => 'The entered IP address of the <strong>primary</strong> and <strong>secondary</strong> DNS server are not valid, please check your entries!', 'dns error 1' => 'The IP address of the <strong>secondary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>primary</strong> DNS server address is valid.', +'dns forward disable dnssec' => 'Disable DNSSEC (dangerous)', +'dns forwarding dnssec disabled notice' => '(DNSSEC disabled)', 'dns header' => 'Assign DNS server addresses only for DHCP on red0', 'dns list' => 'List of free public DNS servers', 'dns menu' => 'Assign DNS-Server', @@ -1392,6 +1396,7 @@ 'instant update' => 'Instant Update', 'integrity' => 'Integrity:', 'interface' => 'Interface', +'interface mode' => 'Interface', 'interfaces' => 'Interfaces', 'internet' => 'INTERNET', 'intrusion detection' => 'Intrusion Detection', @@ -1425,10 +1430,15 @@ 'invalid input for hostname' => 'Invalid input for hostname.', 'invalid input for ike lifetime' => 'Invalid input for IKE lifetime', 'invalid input for inactivity timeout' => 'Invalid input for Inactivity Timeout', +'invalid input for interface address' => 'Invalid input for interface address', +'invalid input for interface mode' => 'Invalid input for interface mode', +'invalid input for interface mtu' => 'Invalid input to interface MTU', 'invalid input for keepalive 1' => 'Invalid input for Keepalive ping', 'invalid input for keepalive 1:2' => 'Invalid input for Keepalive use at least a ratio of 1:2', 'invalid input for keepalive 2' => 'Invalid input for Keepalive ping-restart', +'invalid input for local ip address' => 'Invalid input for local IP address', 'invalid input for max clients' => 'Invalid input for Max Clients', +'invalid input for mode' => 'Invalid input for mode', 'invalid input for name' => 'Invalid input for user's full name or system hostname', 'invalid input for oink code' => 'Invalid input for Oink code', 'invalid input for organization' => 'Invalid input for organization', @@ -1481,8 +1491,15 @@ 'ipfires hostname' => 'IPFire's Hostname', 'ipinfo' => 'IP info', 'ipsec' => 'IPsec', +'ipsec connection' => 'IPsec Connection', +'ipsec interface mode gre' => 'GRE', +'ipsec interface mode none' => '- None (Default) -', +'ipsec interface mode vti' => 'VTI', +'ipsec mode transport' => 'Transport', +'ipsec mode tunnel' => 'Tunnel', 'ipsec network' => 'IPsec network', 'ipsec no connections' => 'No active IPsec connections', +'ipsec settings' => 'IPsec Settings', 'iptable rules' => 'IPTable rules', 'iptmangles' => 'IPTable Mangles', 'iptnats' => 'IPTable Network Address Translation', @@ -1518,6 +1535,7 @@ 'load printer' => 'Load Printer', 'loaded modules' => 'Loaded modules:', 'local hard disk' => 'Hard disk', +'local ip address' => 'Local IP Address', 'local master' => 'Local Master', 'local ntp server specified but not enabled' => 'Local NTP server specified but not enabled', 'local subnet' => 'Local subnet:', @@ -1684,6 +1702,7 @@ 'mpfire search' => 'MPFire Search', 'mpfire songs' => 'MPFire songlist', 'mpfire webradio' => 'MPFire Webradio', +'mtu' => 'MTU', 'mtu QoS' => 'This does not change the global MTU, it only sets MTU for QoS.', 'my new share' => 'My new share', 'name' => 'Name', @@ -2239,6 +2258,7 @@ 'subject warn' => 'Warning - warnlevel reached', 'subnet' => 'Subnet', 'subnet is invalid' => 'Netmask is invalid', +'subnet mask' => 'Subnet Mask', 'subscripted user rules' => 'Sourcefire VRT rules with subscription', 'successfully refreshed updates list' => 'Successfully refreshed updates list.', 'summaries kept' => 'Keep summaries for', @@ -2371,6 +2391,7 @@ 'trafficto' => 'To', 'transfer limits' => 'Transfer limits', 'transparent on' => 'Transparent on', +'transport mode does not support vti' => 'VTI is not support in transport mode', 'tripwire' => 'Tripwire', 'tripwire cronjob' => 'tripwire cronjob', 'tripwire functions' => 'tripwire functions', @@ -2762,8 +2783,8 @@ 'vpn start action add' => 'Wait for connection initiation', 'vpn start action route' => 'On Demand', 'vpn start action start' => 'Always On', -'vpn statistic n2n' => 'OpenVPN Net-to-Net Statistics', -'vpn statistic rw' => 'OpenVPN Roadwarrior Statistics', +'vpn statistic n2n' => 'VPN: Net-to-Net Statistics', +'vpn statistic rw' => 'VPN: Roadwarrior Statistics', 'vpn subjectaltname' => 'Subject Alt Name', 'vpn wait' => 'WAITING', 'vpn watch' => 'Restart net-to-net vpn when remote peer IP changes (dyndns).', diff --git a/langs/fr/cgi-bin/fr.pl b/langs/fr/cgi-bin/fr.pl index b89254b59..745066715 100644 --- a/langs/fr/cgi-bin/fr.pl +++ b/langs/fr/cgi-bin/fr.pl @@ -12,8 +12,8 @@ 'Captive 1day' => '1 jour', 'Captive 1month' => '1 mois', 'Captive 1week' => '1 semaine', -'Captive ACTIVATE' => 'ACTIVATION', -'Captive GAIN ACCESS' => 'GAIN ACCESS', +'Captive ACTIVATE' => 'ACTIVER', +'Captive GAIN ACCESS' => 'ACCEDER', 'Captive WiFi coupon' => 'Coupon wifi', 'Captive activate' => 'Activation', 'Captive activated' => 'Activé', @@ -22,7 +22,7 @@ 'Captive auth_lic' => 'Licence', 'Captive auth_vou' => 'Reçu', 'Captive authentication' => 'Type d'accès', -'Captive brand color' => 'Couleur de la marque', +'Captive brand color' => 'Couleur de fond personnalisée', 'Captive branding' => 'Personnalisation', 'Captive client session expiry time' => 'Délai d'expiration de la session', 'Captive config' => 'Paramètres', @@ -46,7 +46,7 @@ 'Captive noexpiretime' => 'Aucune plage de temps de connexion valide donnée', 'Captive nolimit' => 'illimité', 'Captive nr' => 'Number', -'Captive please accept the terms and conditions' => 'Veuillez accepter les termes & conditions', +'Captive please accept the terms and conditions' => 'Veuillez accepter les termes et conditions', 'Captive please enter a coupon code' => 'Veuillez saisir un code de coupon', 'Captive portal' => 'Portail captif IPFire', 'Captive portal coupons' => 'Coupons portail captif', @@ -646,9 +646,9 @@ 'connections' => 'Connexions', 'connections are associated with this ca. deleting the ca will delete these connections as well.' => 'Les connexions sont associées avec ce CA. La suppression de ce CA entraînera la suppression des connexions associées.', 'connscheduler' => 'Planificateur de connexion', -'core notice 1' => '<strong>Remarque :</strong> Il y a une mise à jour de', -'core notice 2' => 'pour', -'core notice 3' => 'disponible.', +'core notice 1' => '<strong>Remarque :</strong> Il y a une mise à jour disponible de', +'core notice 2' => 'vers', +'core notice 3' => '.', 'could not be opened' => 'ne peut pas être ouvert', 'could not connect to' => 'Impossible de se connecter à', 'could not connect to www ipcop org' => 'Impossible de se connecter à www.ipcop.org', @@ -846,7 +846,7 @@ 'dnsforward configuration' => 'Configuration de transfert DNS', 'dnsforward edit an entry' => 'Modifier une entrée existante', 'dnsforward entries' => 'Entrées actuelles', -'dnsforward forward_server' => 'Nom du serveur ', +'dnsforward forward_servers' => 'Nom des serveurs ', 'dnsforward zone' => 'Zone ', 'dnssec aware' => 'DNSSEC Aware', 'dnssec disabled warning' => 'AVERTISSEMENT : DNSSEC a été désactivé', @@ -865,7 +865,7 @@ 'domain not set' => 'Domaine non établi.', 'donation' => 'Faire un don', 'donation-link' => 'https://www.paypal.com/en_US/GB/i/btn/btn_donateCC_LG.gif', -'donation-text' => '<strong>IPFire</strong> est développé et maintenu par des volontaires durant leur temps libre.<br>Afin d'assurer les coûts du projet et si vous souhaitez nous encourager, vous pouvez effectuer un don.', +'donation-text' => '<strong>IPFire</strong> est développé et maintenu par des volontaires durant leur temps libre.<br>Afin d'assurer les coûts du projet et nous encourager, vous pouvez effectuer un don.', 'done' => 'Faites le', 'dos charset' => 'DOS Charset', 'down and up speed' => 'Entrez votre débit descendant et montant <br /> et cliquez sur <i>Sauvegarder</i>.', @@ -883,7 +883,7 @@ 'download tls-auth key' => 'Télécharger la clé tls-auth', 'dpd action' => 'Détection du peer mort', 'dpd delay' => 'Retard', -'dpd timeout' => 'Timeout', +'dpd timeout' => 'Délai dépassé', 'driver' => 'Pilote', 'drop action' => 'Comportement par défaut du pare-feu (avancé) en mode "Bloqué"', 'drop action1' => 'Comportement par défaut du pare-feu (sortant) en mode "Bloqué"', @@ -925,27 +925,27 @@ 'editor' => 'Editeur', 'eg' => 'ex. :', 'eight hours' => '8 heures', -'email config' => 'Configuration', -'email empty field' => 'Champs vide', +'email config' => 'Configuration du courrier', +'email empty field' => 'Champ vide', 'email error' => 'ERREUR : Le message de test n'a pas pu être envoyé', 'email invalid' => 'Champ invalide', 'email invalid mailfqdn' => 'Serveur de mail fqdn invalide', 'email invalid mailip' => 'Adresse IP serveur de mail invalide', 'email invalid mailport' => 'Port serveur de mail invalide', -'email mailaddr' => 'Adresse serveur email (smtp)', +'email mailaddr' => 'Adresse du serveur (SMTP)', 'email mailpass' => 'Mot de passe', -'email mailport' => 'Port serveur email', -'email mailrcpt' => 'Destinataire email', -'email mailsender' => 'Expéditeur email', +'email mailport' => 'Port du serveur (SMTP)', +'email mailrcpt' => 'Email du destinataire', +'email mailsender' => 'Email de l'expéditeur', 'email mailuser' => 'Nom d'utilisateur', 'email server can not be empty' => 'Le serveur mail ne peut pas être vide', -'email settings' => 'Service email', +'email settings' => 'Service de messagerie', 'email subject' => 'Test email IPFire', 'email success' => 'Email de test envoyé avec succès', -'email testmail' => 'Envoyer email de test', +'email testmail' => 'Envoyer un message de test', 'email text' => 'Email de test depuis le service de mail IPFire', 'email tls' => 'Utiliser une connexion chiffrée TLS', -'email usemail' => 'Activation service email', +'email usemail' => 'Activation du service', 'emailreportlevel' => 'Niveau de rapport des mails', 'emerging rules' => 'Règles de la communauté Emergingthreats.net', 'empty' => 'Ce champ peut être laissé vide', @@ -1104,7 +1104,7 @@ 'fwdfw dnat nochoice' => 'Veuillez choisir un NAT source ou un NAT de destination dans la section NAT.', 'fwdfw dnat porterr' => 'Vous devez choisir un seul port ou plage de ports (tcp / udp) pour NAT', 'fwdfw dnat porterr2' => 'Impossible d'utiliser un port externe (NAT) si aucun port de destination n'est défini.', -'fwdfw edit' => 'Edit', +'fwdfw edit' => 'Edition', 'fwdfw err concon' => 'Nombre invalide pour les connexions concurrentes', 'fwdfw err nosrc' => 'Aucune source sélectionnée.', 'fwdfw err nosrcip' => 'Veuillez fournir une adresse IP source.', @@ -1181,7 +1181,7 @@ 'fwdfw wd_thu' => 'Jeu', 'fwdfw wd_tue' => 'Mar', 'fwdfw wd_wed' => 'Mer', -'fwdfw xt access' => 'Input', +'fwdfw xt access' => 'Entrée', 'fwhost Custom Host' => 'Hôte', 'fwhost Custom Network' => 'Réseau', 'fwhost IpSec Host' => 'Hôte IPsec', @@ -1311,7 +1311,7 @@ 'graph per' => 'par', 'green' => 'VERT', 'green interface' => 'Interface VERTE', -'grouptype' => 'Grouptype :', +'grouptype' => 'Type de groupe :', 'guaranteed bandwith' => 'Bande passante garantie', 'guardian' => 'Gardien', 'guest ok' => 'autoriser l'accès aux invités', @@ -1436,6 +1436,7 @@ 'invalid input for state or province' => 'Région ou département non valide.', 'invalid input for valid till days' => 'Entrée invalide pour Valide jusqu\à (jours).', 'invalid ip' => 'IP Adresse non valide', +'invalid ip or hostname' => 'Adresse IP ou nom d'hôte invalide', 'invalid keep time' => 'Le temps restant doit être un nombre valide', 'invalid key' => 'Clef non valide.', 'invalid loaded file' => 'Fichier chargé non valide', @@ -1902,11 +1903,11 @@ 'pakfire ago' => '', 'pakfire available addons' => 'Modules disponibles :', 'pakfire configuration' => 'Configuration Pakfire', -'pakfire core update auto' => 'Installer les mises à jour du noyau et des modules automatiquement :', +'pakfire core update auto' => 'Installer automatiquement les mises à jour du noyau et des modules :', 'pakfire core update level' => 'Niveau de mise à jour du noyau ', 'pakfire health check' => 'Vérifier si le miroir est accessible (ping) :', 'pakfire install description' => 'Veuillez choisir un ou plusieurs modules dans la liste ci-dessous<br>et cliquez sur le signe PLUS pour les installer.', -'pakfire install package' => 'Vous voulez installer les paquets suivants : ', +'pakfire install package' => 'Vous souhaitez installer les paquets suivants : ', 'pakfire installed addons' => 'Modules installés :', 'pakfire last core list update' => 'Dernière mise à jour de la liste du noyau : ', 'pakfire last package update' => 'Dernière mise à jour de la liste des paquets : ', @@ -2022,7 +2023,7 @@ 'reconnect' => 'Reconnecter', 'reconnection' => 'Reconnexion', 'red' => 'Internet', -'red1' => 'RED', +'red1' => 'ROUGE', 'references' => 'Références', 'refresh' => 'Rafraîchir', 'refresh index page while connected' => 'Rafraîchir la page index.cgi tout en restant connecté', @@ -2295,7 +2296,7 @@ 'tor 0 = disabled' => '0 = désactivé', 'tor accounting' => 'Accounting', 'tor accounting bytes' => 'Trafic (lu / écrit)', -'tor accounting bytes left' => 'left', +'tor accounting bytes left' => 'restant', 'tor accounting interval' => 'Interval (UTC)', 'tor accounting limit' => 'Accounting limit (Mo)', 'tor accounting period' => 'Accounting period', @@ -2400,7 +2401,7 @@ 'unlimited' => 'illimité', 'unnamed' => 'Sans nom', 'update' => 'Mettre à jour', -'update accelerator' => 'Paramètres accélérateur', +'update accelerator' => 'Accélérateur (cache)', 'update time' => 'Mettre à jour l'heure :', 'update transcript' => 'Mettre à jour transcript', 'updatedatabase' => 'Mettre à jour la base de données avec le dernier rapport', @@ -2424,9 +2425,9 @@ 'updxlrtr condition outdated' => 'Périmé', 'updxlrtr condition suspended' => 'Suspendu', 'updxlrtr condition unknown' => 'Inconnu', -'updxlrtr configuration' => 'Mise à jour de l'accélérateur', +'updxlrtr configuration' => 'Paramètres de l'accélérateur', 'updxlrtr current downloads' => 'Les fichiers suivants sont en cours de téléchargement dans le cache local :', -'updxlrtr current files' => 'Les fichiers courants sont dans le cache local', +'updxlrtr current files' => 'Les fichiers suivants sont dans le cache local', 'updxlrtr daily' => 'Quotidienne', 'updxlrtr data from cache' => 'Données du cache (octets)', 'updxlrtr disk usage' => 'Utilisation du disque', @@ -2713,7 +2714,7 @@ 'used swap' => 'Swap utilisée', 'user' => 'Utilisateur', 'user log' => 'log utilisateur', -'user proxy logs' => 'user proxy log', +'user proxy logs' => 'log utilisateur proxy', 'username' => 'Nom utilisateur :', 'username not set' => 'Nom d'utilisateur non défini.', 'users department' => 'Département de l'utilisateur', @@ -2742,7 +2743,7 @@ 'vpn connecting' => 'CONNEXION', 'vpn delayed start' => 'Délai avant le lancement du VPN (secondes) ', 'vpn delayed start help' => 'Si requis, ce délai peut être utilisé pour autoriser les mises à jour de DNS dynamique à la propagation appropriée. 60 est une valeur souvent utilisée lorsque l'interface ROUGE est une IP dynamique.', -'vpn force mobike' => 'Force using MOBIKE (only IKEv2)', +'vpn force mobike' => 'Force utilisation MOBIKE (seulement IKEv2)', 'vpn inactivity timeout' => 'Délai dépassé inactivité', 'vpn incompatible use of defaultroute' => 'hostname=%defaultroute non admis', 'vpn keyexchange' => 'Keyexchange', diff --git a/langs/tr/cgi-bin/tr.pl b/langs/tr/cgi-bin/tr.pl index 53f0afc7a..114d0a297 100644 --- a/langs/tr/cgi-bin/tr.pl +++ b/langs/tr/cgi-bin/tr.pl @@ -2750,8 +2750,8 @@ 'vpn start action' => 'Hareketi Başlat', 'vpn start action route' => 'İstek Üzerine', 'vpn start action start' => 'Her Zaman', -'vpn statistic n2n' => 'Ağdan Ağa OpenVPN İstatistiği', -'vpn statistic rw' => 'Roadwarrior OpenVPN İstatistiği', +'vpn statistic n2n' => 'Ağdan Ağa VPN İstatistiği', +'vpn statistic rw' => 'Roadwarrior VPN İstatistiği', 'vpn subjectaltname' => 'Alternatif konu adı', 'vpn watch' => 'Karşı eş IP değiştirdiğinde (dyndns) ağdan-ağa VPN bağlantısını yeniden başlat. Bu DPD ye yardımcı olur.', 'vpn weak' => 'Hafta', diff --git a/lfs/Config b/lfs/Config index 76f279da9..42da3f3b1 100644 --- a/lfs/Config +++ b/lfs/Config @@ -33,6 +33,16 @@ # Cleanup environment from any variables unexport BUILD_ARCH BUILD_PLATFORM BUILDTARGET CROSSTARGET TOOLCHAIN TOOLS_DIR
+PARALLELISM = $(shell echo $$( \ + if [ -n "$(MAX_PARALLELISM)" ] && [ $(MAX_PARALLELISM) -lt $(DEFAULT_PARALLELISM) ]; then \ + echo $(MAX_PARALLELISM); \ + else \ + echo $(DEFAULT_PARALLELISM); \ + fi) \ +) + +MAKETUNING = -j$(PARALLELISM) + ifeq "$(BUILD_ARCH)" "aarch64" IS_64BIT = 1 endif diff --git a/lfs/bind b/lfs/bind index 44b649fcb..f2286fe1f 100644 --- a/lfs/bind +++ b/lfs/bind @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2018 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2019 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -25,7 +25,7 @@
include Config
-VER = 9.11.5-P1 +VER = 9.11.6
THISAPP = bind-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -43,7 +43,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 2825d818db51008f88a0030507edfa8a +$(DL_FILE)_MD5 = 4882bd3eeef779e05b515b32354cc081
install : $(TARGET)
@@ -78,6 +78,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) --prefix=/usr \ --enable-threads \ --with-libtool \ + --without-python \ --disable-static cd $(DIR_APP) && make -C lib/isc install cd $(DIR_APP) && make -C lib/dns install diff --git a/lfs/boost b/lfs/boost index bed2b0cdb..50a3a4674 100644 --- a/lfs/boost +++ b/lfs/boost @@ -35,6 +35,11 @@ TARGET = $(DIR_INFO)/$(THISAPP) CFLAGS += -O3 -fno-strict-aliasing CXXFLAGS += -O3 -fno-strict-aliasing
+# The compiler uses a lot of memory to compile boost, hence we reduce +# the total number of processes a little bit to be able to build on +# smaller machines +MAX_PARALLELISM = $(shell echo $$(( $(SYSTEM_MEMORY) / 512))) + CONFIGURE_OPTIONS = \ --prefix=/usr \ --layout=tagged \ @@ -95,7 +100,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
cd $(DIR_APP) && ./bootstrap.sh --with-toolset=gcc - cd $(DIR_APP) && ./b2 -d+2 -q $(CONFIGURE_OPTIONS) stage + cd $(DIR_APP) && ./b2 -d+2 -q $(MAKETUNING) $(CONFIGURE_OPTIONS) stage cd $(DIR_APP) && ./b2 $(CONFIGURE_OPTIONS) install
@rm -rf $(DIR_APP) diff --git a/lfs/collectd b/lfs/collectd index 9592ec95a..e31324817 100644 --- a/lfs/collectd +++ b/lfs/collectd @@ -116,7 +116,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) --enable-{network,nfs,ntpd,ping,processes,rrdtool,sensors,swap,syslog} \ --enable-{tcpconns,unixsock,users,wireless} \ --with-librrd=/usr/share/rrdtool-1.2.30 - cd $(DIR_APP) && make install + cd $(DIR_APP) && make install #collectd-4 does not support parallel build cp -vf $(DIR_SRC)/config/collectd/collectd.* /etc/ mv /etc/collectd.vpn /var/ipfire/ovpn/collectd.vpn chown nobody.nobody /var/ipfire/ovpn/collectd.vpn diff --git a/lfs/configroot b/lfs/configroot index 3cdd780fc..4e6751eee 100644 --- a/lfs/configroot +++ b/lfs/configroot @@ -111,7 +111,6 @@ $(TARGET) : cp $(DIR_SRC)/config/fwhosts/customservices $(CONFIG_ROOT)/fwhosts/customservices.default # Oneliner configfiles echo "ENABLED=off" > $(CONFIG_ROOT)/vpn/settings - echo "VPN_DELAYED_START=0" >>$(CONFIG_ROOT)/vpn/settings echo "01" > $(CONFIG_ROOT)/certs/serial echo "nameserver 1.2.3.4" > $(CONFIG_ROOT)/ppp/fake-resolv.conf echo "DROPNEWNOTSYN=on" >> $(CONFIG_ROOT)/optionsfw/settings diff --git a/lfs/cyrus-imapd b/lfs/cyrus-imapd index 1800a08ec..50cd66875 100644 --- a/lfs/cyrus-imapd +++ b/lfs/cyrus-imapd @@ -89,7 +89,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) --enable-autocreate \ --enable-idled
- cd $(DIR_APP) && make $(EXTRA_MAKE) + cd $(DIR_APP) && make $(MAKETUNING) $(EXTRA_MAKE) cd $(DIR_APP) && make install -mkdir /var/imap chown cyrus:mail /var/imap diff --git a/lfs/dhcp b/lfs/dhcp index a055d6081..4c01428f5 100644 --- a/lfs/dhcp +++ b/lfs/dhcp @@ -84,7 +84,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) --enable-early-chroot \ --disable-dhcpv6
- cd $(DIR_APP) && make + cd $(DIR_APP) && make #This package does not support parallel build cd $(DIR_APP) && make install
mkdir -pv /var/state/dhcp diff --git a/lfs/dnsdist b/lfs/dnsdist index 85a841fa5..3e10c9eb2 100644 --- a/lfs/dnsdist +++ b/lfs/dnsdist @@ -37,6 +37,8 @@ PAK_VER = 1
DEPS = ""
+MAX_PARALLELISM = $(shell echo $$(( $(SYSTEM_MEMORY) / 512))) + ############################################################################### # Top-level Rules ############################################################################### @@ -79,7 +81,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) cd $(DIR_APP) && ./configure --prefix=/usr --sysconfdir=/etc - cd $(DIR_APP) && make + cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install
#install initscripts diff --git a/lfs/gcc b/lfs/gcc index 6fdf2ea31..5aac2d382 100644 --- a/lfs/gcc +++ b/lfs/gcc @@ -264,7 +264,7 @@ ifeq "$(PASS)" "L" $(EXTRA_ENV) \ $(DIR_APP)/libstdc++-v3/configure \ $(EXTRA_CONFIG) - cd $(DIR_SRC)/gcc-build && make $(EXTRA_MAKE) + cd $(DIR_SRC)/gcc-build && make $(MAKETUNING) $(EXTRA_MAKE) cd $(DIR_SRC)/gcc-build && make $(EXTRA_INSTALL) install
else @@ -273,7 +273,7 @@ else $(EXTRA_ENV) \ $(DIR_APP)/configure \ $(EXTRA_CONFIG) - cd $(DIR_SRC)/gcc-build && make $(EXTRA_MAKE) + cd $(DIR_SRC)/gcc-build && make $(MAKETUNING) $(EXTRA_MAKE) cd $(DIR_SRC)/gcc-build && make $(EXTRA_INSTALL) install endif
diff --git a/lfs/gettext b/lfs/gettext index 632ecac43..b1d75ed2d 100644 --- a/lfs/gettext +++ b/lfs/gettext @@ -81,13 +81,13 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) ifeq "$(ROOT)" "" cd $(DIR_APP) && ./configure $(EXTRA_CONFIG) - cd $(DIR_APP) && make + cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install else cd $(DIR_APP)/gettext-tools && ./configure $(EXTRA_CONFIG) - cd $(DIR_APP)/gettext-tools && make -C gnulib-lib - cd $(DIR_APP)/gettext-tools && make -C intl pluralx.c - cd $(DIR_APP)/gettext-tools && make -C src msgfmt + cd $(DIR_APP)/gettext-tools && make $(MAKETUNING) -C gnulib-lib + cd $(DIR_APP)/gettext-tools && make $(MAKETUNING) -C intl pluralx.c + cd $(DIR_APP)/gettext-tools && make $(MAKETUNING) -C src msgfmt cd $(DIR_APP)/gettext-tools && cp -v src/msgfmt $(TOOLS_DIR)/bin endif @rm -rf $(DIR_APP) diff --git a/lfs/groff b/lfs/groff index 4d5bf6373..36f1f8f13 100644 --- a/lfs/groff +++ b/lfs/groff @@ -24,7 +24,7 @@
include Config
-VER = 1.22.3 +VER = 1.22.4
THISAPP = groff-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = cc825fa64bc7306a885f2fb2268d3ec5 +$(DL_FILE)_MD5 = 08fb04335e2f5e73f23ea4c3adbf0c5f
install : $(TARGET)
diff --git a/lfs/gutenprint b/lfs/gutenprint index 7286b78a2..0a18aa73b 100644 --- a/lfs/gutenprint +++ b/lfs/gutenprint @@ -79,7 +79,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar jxf $(DIR_DL)/$(DL_FILE) $(UPDATE_AUTOMAKE) cd $(DIR_APP) && ./configure --prefix=/usr --sysconfdir=/etc - cd $(DIR_APP) && make + cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install @rm -rf $(DIR_APP) @$(POSTBUILD) diff --git a/lfs/hostapd b/lfs/hostapd index a8302ccdd..233863646 100644 --- a/lfs/hostapd +++ b/lfs/hostapd @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2018 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2019 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@
include Config
-VER = 2.6 +VER = 2.7
THISAPP = hostapd-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = hostapd -PAK_VER = 43 +PAK_VER = 44
DEPS = ""
@@ -44,7 +44,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = eaa56dce9bd8f1d195eb62596eab34c7 +$(DL_FILE)_MD5 = 8d3799f3a3c247cff47d41503698721b
install : $(TARGET)
@@ -78,17 +78,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
- # Security Patches https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages... - cd $(DIR_APP) && patch -p1 < $(DIR_SRC)/src/patches/wpa_supplicant/rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch - cd $(DIR_APP) && patch -p1 < $(DIR_SRC)/src/patches/wpa_supplicant/rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch - cd $(DIR_APP) && patch -p1 < $(DIR_SRC)/src/patches/wpa_supplicant/rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch - cd $(DIR_APP) && patch -p1 < $(DIR_SRC)/src/patches/wpa_supplicant/rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch - cd $(DIR_APP) && patch -p1 < $(DIR_SRC)/src/patches/wpa_supplicant/rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch - cd $(DIR_APP) && patch -p1 < $(DIR_SRC)/src/patches/wpa_supplicant/rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch - cd $(DIR_APP) && patch -p1 < $(DIR_SRC)/src/patches/wpa_supplicant/rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch - - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd-2.3_increase_EAPOL-timeouts.patch - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.6-noscan.patch + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.7-increase_EAPOL-timeouts.patch + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.7-noscan.patch
cd $(DIR_APP)/hostapd && cp $(DIR_SRC)/config/hostapd/config ./.config cd $(DIR_APP)/hostapd && sed -e "s@/usr/local@/usr@g" -i Makefile diff --git a/lfs/installer b/lfs/installer index e3937624e..6a0662c93 100644 --- a/lfs/installer +++ b/lfs/installer @@ -31,7 +31,7 @@ DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP)
SLOGAN = An Open Source Firewall Solution -DOWNLOAD_URL = http://downloads.ipfire.org/releases/ipfire-2.x/$(VERSION)-core$(CORE)/$(SNA... +DOWNLOAD_URL = https://downloads.ipfire.org/releases/ipfire-2.x/$(VERSION)-core$(CORE)/$(SN...
############################################################################### # Top-level Rules diff --git a/lfs/ipfire-netboot b/lfs/ipfire-netboot index 9536c9514..b316c9bbd 100644 --- a/lfs/ipfire-netboot +++ b/lfs/ipfire-netboot @@ -78,9 +78,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) # Extract iPXE source cd $(DIR_APP) && tar axf $(DIR_DL)/ipxe-$(PXE_VER).tar.gz cd $(DIR_APP) && rm -rfv ipxe && ln -s ipxe-$(PXE_VER) ipxe - cd $(DIR_APP) && make bin/ipxe.lkrn + cd $(DIR_APP) && make $(MAKETUNING) bin/ipxe.lkrn ifeq "$(BUILD_ARCH)" "x86_64" - cd $(DIR_APP) && make bin-x86_64-efi/ipxe.efi + cd $(DIR_APP) && make $(MAKETUNING) bin-x86_64-efi/ipxe.efi endif
# Installation diff --git a/lfs/ipset b/lfs/ipset index d33e9327f..3382c668c 100644 --- a/lfs/ipset +++ b/lfs/ipset @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2018 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2019 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@
include Config
-VER = 6.38 +VER = 7.1
THISAPP = ipset-$(VER) DL_FILE = $(THISAPP).tar.bz2 @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 0e5d9c85f6b78e7dff0c996e2900574b +$(DL_FILE)_MD5 = 72b477d1ce076d681b0799f88280f2f3
install : $(TARGET)
diff --git a/lfs/iptables b/lfs/iptables index b4a2834b8..17817a9ef 100644 --- a/lfs/iptables +++ b/lfs/iptables @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2018 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2019 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@
include Config
-VER = 1.6.2 +VER = 1.8.2
THISAPP = iptables-$(VER) DL_FILE = $(THISAPP).tar.bz2 @@ -36,13 +36,13 @@ TARGET = $(DIR_INFO)/$(THISAPP) # Top-level Rules ############################################################################### objects = $(DL_FILE) \ - netfilter-layer7-v2.22.tar.gz + netfilter-layer7-v2.23.tar.gz
$(DL_FILE) = $(DL_FROM)/$(DL_FILE) -netfilter-layer7-v2.22.tar.gz = $(URL_IPFIRE)/netfilter-layer7-v2.22.tar.gz +netfilter-layer7-v2.23.tar.gz = $(URL_IPFIRE)/netfilter-layer7-v2.23.tar.gz
-$(DL_FILE)_MD5 = 7d2b7847e4aa8832a18437b8a4c1873d -netfilter-layer7-v2.22.tar.gz_MD5 = 98dff8a3d5a31885b73341633f69501f +$(DL_FILE)_MD5 = 944558e88ddcc3b9b0d9550070fa3599 +netfilter-layer7-v2.23.tar.gz_MD5 = 10910b6173d18e426cb56ae7e1300eeb
install : $(TARGET)
@@ -75,8 +75,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @cd $(DIR_SRC) && tar jxf $(DIR_DL)/$(DL_FILE)
# Layer7 - cd $(DIR_SRC) && tar zxf $(DIR_DL)/netfilter-layer7-v2.22.tar.gz - cd $(DIR_APP) && cp -vf $(DIR_SRC)/netfilter-layer7-v2.22/iptables-1.4.3forward-for-kernel-2.6.20forward/* \ + cd $(DIR_SRC) && tar zxf $(DIR_DL)/netfilter-layer7-v2.23.tar.gz + cd $(DIR_APP) && cp -vf $(DIR_SRC)/netfilter-layer7-v2.23/iptables-1.4.3forward-for-kernel-2.6.20forward/* \ ./extensions/
# imq @@ -88,6 +88,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) --libdir=/lib \ --includedir=/usr/include \ --enable-libipq \ + --with-xtlibdir=/lib/xtables \ --libexecdir=/lib \ --bindir=/sbin \ --sbindir=/sbin \ diff --git a/lfs/knot b/lfs/knot index 729db9147..1a7fec0cb 100644 --- a/lfs/knot +++ b/lfs/knot @@ -24,7 +24,7 @@
include Config
-VER = 2.7.6 +VER = 2.8.0
THISAPP = knot-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 6afbbaff4e9d93de8d6311958d86b323 +$(DL_FILE)_MD5 = 5b0d73e143b4c5a72faf4f1f1337ca08
install : $(TARGET)
@@ -76,14 +76,15 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) cd $(DIR_APP) && ./configure \ --prefix=/usr \ --enable-static=no \ + --disable-fastparser \ --disable-daemon \ --disable-modules \ --enable-maxminddb=no \ --disable-documentation
- cd $(DIR_APP) && make $(MAKETUNING) - cd $(DIR_APP) && make install + cd $(DIR_APP)/src && make $(MAKETUNING) kdig + cd $(DIR_APP)/src/.libs && cp -av kdig /usr/bin + cd $(DIR_APP)/src/.libs && cp -av lib* /usr/lib
@rm -rf $(DIR_APP) @$(POSTBUILD) - diff --git a/lfs/krb5 b/lfs/krb5 index b1ea0f76d..5a619ab84 100644 --- a/lfs/krb5 +++ b/lfs/krb5 @@ -92,7 +92,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) --enable-dns-for-realm \ CPPFLAGS="-I/usr/include/et"
- cd $(DIR_APP) && make #$(MAKETUNING) + cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install
for LIB in gssapi_krb5 gssrpc k5crypto kadm5clnt kadm5srv \ diff --git a/lfs/lcd4linux b/lfs/lcd4linux index 81f994621..052c905c3 100644 --- a/lfs/lcd4linux +++ b/lfs/lcd4linux @@ -79,7 +79,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) $(UPDATE_AUTOMAKE) cd $(DIR_APP) && ./configure --with-plugins=all,!qnaplog,!dbus --prefix=/usr - cd $(DIR_APP) && make + cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install
#install initscripts diff --git a/lfs/less b/lfs/less index 531293a8a..2b4534214 100644 --- a/lfs/less +++ b/lfs/less @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2018 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2019 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@
include Config
-VER = 481 +VER = 530
THISAPP = less-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 50ef46065c65257141a7340123527767 +$(DL_FILE)_MD5 = 6a39bccf420c946b0fd7ffc64961315b
install : $(TARGET)
diff --git a/lfs/libgcrypt b/lfs/libgcrypt index ec99d936b..5beefbf12 100644 --- a/lfs/libgcrypt +++ b/lfs/libgcrypt @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2018 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2019 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@
include Config
-VER = 1.8.3 +VER = 1.8.4
THISAPP = libgcrypt-$(VER) DL_FILE = $(THISAPP).tar.bz2 @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 3139c2402e844985a67fb288a930534d +$(DL_FILE)_MD5 = fbfdaebbbc6d7e5fbbf6ffdb3e139573
install : $(TARGET)
diff --git a/lfs/linux b/lfs/linux index 8b309c0f7..5dde9bdf0 100644 --- a/lfs/linux +++ b/lfs/linux @@ -153,11 +153,13 @@ endif ifeq "$(KCFG)" "-multi" # Apply Arm-multiarch kernel patches. cd $(DIR_APP) && xzcat $(DIR_DL)/arm-multi-patches-$(ARM_PATCHES).patch.xz | patch -Np1 -endif + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-4.14-Revert-usb-dwc2-Fix-DMA-alignment.patch
+endif ifeq "$(BUILD_ARCH)" "aarch64" # Apply Arm-multiarch kernel patches. cd $(DIR_APP) && xzcat $(DIR_DL)/arm-multi-patches-$(ARM_PATCHES).patch.xz | patch -Np1 + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-4.14-Revert-usb-dwc2-Fix-DMA-alignment.patch endif cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-3.14.79-amba-fix.patch
diff --git a/lfs/netpbm b/lfs/netpbm index e22e0fbc8..58a6921a4 100644 --- a/lfs/netpbm +++ b/lfs/netpbm @@ -81,7 +81,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) rm -rf /usr/netpbm cp $(DIR_SRC)/config/netpbm/config.mk $(DIR_APP) - cd $(DIR_APP) && make CFLAGS="$(CFLAGS)" + cd $(DIR_APP) && make CFLAGS="$(CFLAGS)" #The build of this version cannot be parallelized cd $(DIR_APP) && make package PKGDIR=/usr/netpbm mkdir -pv /usr/include/netpbm mkdir -pv /usr/share/netpbm diff --git a/lfs/netsnmpd b/lfs/netsnmpd index 06233f3e9..dde78098f 100644 --- a/lfs/netsnmpd +++ b/lfs/netsnmpd @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2018 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2019 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@
include Config
-VER = 5.7.3 +VER = 5.8
THISAPP = net-snmp-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = netsnmpd -PAK_VER = 7 +PAK_VER = 8
DEPS = ""
@@ -44,7 +44,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = d4a3459e1577d0efa8d96ca70a885e53 +$(DL_FILE)_MD5 = 63bfc65fbb86cdb616598df1aff6458a
install : $(TARGET)
@@ -77,7 +77,7 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/net-snmp-5.7.3-openssl.patch + $(UPDATE_AUTOMAKE) cd $(DIR_APP) && ./configure \ --prefix=/usr \ @@ -95,7 +95,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) sctp-mib rmon-mib etherlike-mib ucd-snmp/lmsensorsMib" --libdir=/usr/lib \ --sysconfdir="/etc" - cd $(DIR_APP) && make + + cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install install -v -m 644 $(DIR_SRC)/config/netsnmpd/snmpd.conf /etc/snmpd.conf install -v -m 644 $(DIR_SRC)/config/backup/includes/netsnmpd \ diff --git a/lfs/nut b/lfs/nut index 10e146c63..c1f019274 100644 --- a/lfs/nut +++ b/lfs/nut @@ -80,7 +80,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) cd $(DIR_APP) && ./configure --prefix=/usr --sysconfdir=/etc/nut \ --with-usb --with-user=root --with-group=nut \ --with-wrap=no --with-udev-dir=/etc/udev - cd $(DIR_APP) && make + cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install # sed -i -e "s|ATTR{|SYSFS{|g" /etc/udev/rules.d/52-nut-usbups.rules mkdir -p /var/state/ups diff --git a/lfs/openssl b/lfs/openssl index 05d28ef20..f8729c2de 100644 --- a/lfs/openssl +++ b/lfs/openssl @@ -24,7 +24,7 @@
include Config
-VER = 1.1.1a +VER = 1.1.1b
THISAPP = openssl-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -87,7 +87,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 963deb2272d6be7d4c2458afd2517b73 +$(DL_FILE)_MD5 = 4532712e7bcc9414f5bce995e4e13930
install : $(TARGET)
@@ -130,7 +130,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) $(CFLAGS) $(LDFLAGS)
cd $(DIR_APP) && make depend - cd $(DIR_APP) && make + cd $(DIR_APP) && make $(MAKETUNING)
ifeq "$(KCFG)" "-sse2" -mkdir -pv /usr/lib/sse2 diff --git a/lfs/openvpn b/lfs/openvpn index 2503654f1..61c805fdb 100644 --- a/lfs/openvpn +++ b/lfs/openvpn @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2018 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2019 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@
include Config
-VER = 2.4.6 +VER = 2.4.7
THISAPP = openvpn-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 3a1f3f63bdaede443b4df49957df9405 +$(DL_FILE)_MD5 = 4ad8a008e1e7f261b3aa0024e79e7fb7
install : $(TARGET)
diff --git a/lfs/perl b/lfs/perl index fa2256d6b..06491a16c 100644 --- a/lfs/perl +++ b/lfs/perl @@ -39,6 +39,9 @@ else TARGET = $(DIR_INFO)/$(THISAPP)-tools endif
+# Perl does not build with -j larger than 23 +MAX_PARALLELISM = 23 + ############################################################################### # Top-level Rules ############################################################################### diff --git a/lfs/postfix b/lfs/postfix index b22eca138..acadacbeb 100644 --- a/lfs/postfix +++ b/lfs/postfix @@ -24,7 +24,7 @@
include Config
-VER = 3.3.2 +VER = 3.4.1
THISAPP = postfix-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = postfix -PAK_VER = 17 +PAK_VER = 18
DEPS = ""
@@ -66,7 +66,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 4e6ed7056576e0c54cfce6040a0bb0ad +$(DL_FILE)_MD5 = d292bb49a1c79ff6d2eb9c5e88c51425
install : $(TARGET)
diff --git a/lfs/rrdtool b/lfs/rrdtool index ef67dc26d..36d373d2c 100644 --- a/lfs/rrdtool +++ b/lfs/rrdtool @@ -78,7 +78,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) --disable-tcl \ --disable-ruby \ --disable-python - cd $(DIR_APP) && make + cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install -mkdir -p /srv/web/ipfire/html/graphs/ chmod 777 /srv/web/ipfire/html/graphs/ diff --git a/lfs/samba b/lfs/samba index 44f4623c0..c437793d6 100644 --- a/lfs/samba +++ b/lfs/samba @@ -180,8 +180,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) --enable-cups \ --disable-avahi \ --with-syslog - cd $(DIR_APP)/source3 && make idl_full - cd $(DIR_APP)/source3 && make proto && make all $(MAKETUNING) $(EXTRA_MAKE) + cd $(DIR_APP)/source3 && make $(MAKETUNING) idl_full + cd $(DIR_APP)/source3 && make $(MAKETUNING) proto && make all $(MAKETUNING) $(EXTRA_MAKE) cd $(DIR_APP)/source3 && make install cd $(DIR_APP)/source3 && chmod -v 644 /usr/include/libsmbclient.h #cd $(DIR_APP)/source3 && install -v -m755 nsswitch/libnss_wins.so /lib diff --git a/lfs/snort b/lfs/snort index e7b5a19f7..c66a0dd1a 100644 --- a/lfs/snort +++ b/lfs/snort @@ -88,7 +88,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) --enable-react \ --enable-flexresp3
- cd $(DIR_APP) && make + cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install mv /usr/bin/snort /usr/sbin/ -mkdir -p /etc/snort/rules diff --git a/lfs/spectre-meltdown-checker b/lfs/spectre-meltdown-checker new file mode 100644 index 000000000..8bb3efb04 --- /dev/null +++ b/lfs/spectre-meltdown-checker @@ -0,0 +1,83 @@ +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2007-2018 IPFire Team info@ipfire.org # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see http://www.gnu.org/licenses/. # +# # +############################################################################### + +############################################################################### +# Definitions +############################################################################### + +include Config + +VER = 0.40 + +THISAPP = spectre-meltdown-checker-$(VER) +DL_FILE = $(THISAPP).tar.gz +DL_FROM = $(URL_IPFIRE) +DIR_APP = $(DIR_SRC)/$(THISAPP) +TARGET = $(DIR_INFO)/$(THISAPP) +PROG = spectre-meltdown-checker +PAK_VER = 1 + +DEPS = "" + +############################################################################### +# Top-level Rules +############################################################################### + +objects = $(DL_FILE) + +$(DL_FILE) = $(DL_FROM)/$(DL_FILE) + +$(DL_FILE)_MD5 = cc1ed68faf3fde13b1ff3bd15a22d46d + +install : $(TARGET) + +check : $(patsubst %,$(DIR_CHK)/%,$(objects)) + +download :$(patsubst %,$(DIR_DL)/%,$(objects)) + +md5 : $(subst %,%_MD5,$(objects)) + +dist: + @$(PAK) + +############################################################################### +# Downloading, checking, md5sum +############################################################################### + +$(patsubst %,$(DIR_CHK)/%,$(objects)) : + @$(CHECK) + +$(patsubst %,$(DIR_DL)/%,$(objects)) : + @$(LOAD) + +$(subst %,%_MD5,$(objects)) : + @$(MD5) + +############################################################################### +# Installation Details +############################################################################### + +$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) + @$(PREBUILD) + @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP) && install -v -m 754 spectre-meltdown-checker.sh \ + /usr/sbin/spectre-meltdown-checker + @rm -rf $(DIR_APP) + @$(POSTBUILD) diff --git a/lfs/squid b/lfs/squid index 6033ab394..0115cad82 100644 --- a/lfs/squid +++ b/lfs/squid @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2018 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2019 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@
include Config
-VER = 4.5 +VER = 4.6
THISAPP = squid-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -42,7 +42,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 8275da5846f9f2243ad2625e5aef2ee0 +$(DL_FILE)_MD5 = e25e7cc37754ad14d8aa368c0c210e54
install : $(TARGET)
@@ -72,7 +72,7 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar xaf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-4.5-fix-max-file-descriptors.patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-4.6-fix-max-file-descriptors.patch
cd $(DIR_APP) && autoreconf -vfi cd $(DIR_APP)/libltdl && autoreconf -vfi @@ -91,7 +91,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) --disable-kqueue \ --disable-esi \ --disable-arch-native \ - --enable-ipv6 \ --enable-poll \ --enable-ident-lookups \ --enable-storeio=aufs,diskd,ufs \ diff --git a/lfs/stage2 b/lfs/stage2 index 7e8dfe316..4b8f0bc81 100644 --- a/lfs/stage2 +++ b/lfs/stage2 @@ -115,8 +115,8 @@ endif /usr/lib/firewall/rules.pl install -m 644 $(DIR_SRC)/config/firewall/firewall-lib.pl \ /usr/lib/firewall/firewall-lib.pl - install -m 755 $(DIR_SRC)/config/firewall/ipsec-block \ - /usr/lib/firewall/ipsec-block + install -m 755 $(DIR_SRC)/config/firewall/ipsec-policy \ + /usr/lib/firewall/ipsec-policy
# Nobody user -mkdir -p /home/nobody diff --git a/lfs/strongswan b/lfs/strongswan index 99261ce93..4174f78fe 100644 --- a/lfs/strongswan +++ b/lfs/strongswan @@ -72,6 +72,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-disable-ipv6.patch cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-ipfire.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-ipfire-interfaces.patch
cd $(DIR_APP) && ./configure \ --prefix="/usr" \ diff --git a/lfs/tar b/lfs/tar index 953613d51..f5c280fb2 100644 --- a/lfs/tar +++ b/lfs/tar @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2018 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2019 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@
include Config
-VER = 1.31 +VER = 1.32
THISAPP = tar-$(VER) DL_FILE = $(THISAPP).tar.bz2 @@ -50,7 +50,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 77afa35b696c8d760331fa0e12c2fac9 +$(DL_FILE)_MD5 = 17917356fff5cb4bd3cd5a6c3e727b05
install : $(TARGET)
diff --git a/lfs/tor b/lfs/tor index e1027c131..384b1b213 100644 --- a/lfs/tor +++ b/lfs/tor @@ -24,7 +24,7 @@
include Config
-VER = 0.3.5.7 +VER = 0.3.5.8
THISAPP = tor-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = tor -PAK_VER = 32 +PAK_VER = 34
DEPS = ""
@@ -44,7 +44,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 8076f11045b5a94fd4ef0a0114b845f6 +$(DL_FILE)_MD5 = e4b0feca80cc221ab235c9544851b146
install : $(TARGET)
diff --git a/lfs/unbound b/lfs/unbound index 07501d1d6..b090010d4 100644 --- a/lfs/unbound +++ b/lfs/unbound @@ -24,7 +24,7 @@
include Config
-VER = 1.8.3 +VER = 1.9.0
THISAPP = unbound-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 4646203343d3b8f5aeb1b57753c27ead +$(DL_FILE)_MD5 = 1026159991a3883518525bc18e25582f
install : $(TARGET)
diff --git a/lfs/wpa_supplicant b/lfs/wpa_supplicant index 4d8174cbb..887ec6bd5 100644 --- a/lfs/wpa_supplicant +++ b/lfs/wpa_supplicant @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2018 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2019 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@
include Config
-VER = 2.6 +VER = 2.7
THISAPP = wpa_supplicant-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -41,7 +41,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 091569eb4440b7d7f2b4276dbfc03c3c +$(DL_FILE)_MD5 = a68538fb62766f40f890125026c42c10
install : $(TARGET)
@@ -75,16 +75,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
- # Security Patches https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages... - cd $(DIR_APP) && patch -p1 < $(DIR_SRC)/src/patches/wpa_supplicant/rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch - cd $(DIR_APP) && patch -p1 < $(DIR_SRC)/src/patches/wpa_supplicant/rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch - cd $(DIR_APP) && patch -p1 < $(DIR_SRC)/src/patches/wpa_supplicant/rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch - cd $(DIR_APP) && patch -p1 < $(DIR_SRC)/src/patches/wpa_supplicant/rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch - cd $(DIR_APP) && patch -p1 < $(DIR_SRC)/src/patches/wpa_supplicant/rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch - cd $(DIR_APP) && patch -p1 < $(DIR_SRC)/src/patches/wpa_supplicant/rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch - cd $(DIR_APP) && patch -p1 < $(DIR_SRC)/src/patches/wpa_supplicant/rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch - cd $(DIR_APP) && patch -p1 < $(DIR_SRC)/src/patches/wpa_supplicant/rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch - cd $(DIR_APP)/wpa_supplicant && cp $(DIR_SRC)/config/wpa_supplicant/config ./.config cd $(DIR_APP)/wpa_supplicant && sed -e "s/wpa_cli\ dynamic_eap_methods/wpa_cli\ #dynamic_eap_methods/" -i Makefile cd $(DIR_APP)/wpa_supplicant && sed -e "s@/usr/local@/usr@g" -i Makefile diff --git a/lfs/xfsprogs b/lfs/xfsprogs index b68e1b138..af6ccce37 100644 --- a/lfs/xfsprogs +++ b/lfs/xfsprogs @@ -73,7 +73,7 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP) && make DEBUG=-DNDEBUG INSTALL_USER=root INSTALL_GROUP=root \ + cd $(DIR_APP) && make $(MAKETUNING) DEBUG=-DNDEBUG INSTALL_USER=root INSTALL_GROUP=root \ LOCAL_CONFIGURE_OPTIONS="--enable-readline=yes" cd $(DIR_APP) && make install install-dev cd $(DIR_APP) && install -v -m755 -D libhandle/libhandle.la /usr/lib/libhandle.la diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd new file mode 100644 index 000000000..b086d9f1a --- /dev/null +++ b/lfs/zabbix_agentd @@ -0,0 +1,123 @@ +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2007-2019 IPFire Team info@ipfire.org # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see http://www.gnu.org/licenses/. # +# # +############################################################################### + +############################################################################### +# Definitions +############################################################################### + +include Config + +VER = 4.0.4 + +THISAPP = zabbix-$(VER) +DL_FILE = $(THISAPP).tar.gz +DL_FROM = $(URL_IPFIRE) +DIR_APP = $(DIR_SRC)/$(THISAPP) +TARGET = $(DIR_INFO)/$(THISAPP) +PROG = zabbix_agentd +PAK_VER = 1 +DEPS = "" + +############################################################################### +# Top-level Rules +############################################################################### + +objects = $(DL_FILE) + +$(DL_FILE) = $(DL_FROM)/$(DL_FILE) + +$(DL_FILE)_MD5 = 46fdb83d4b24e13127a20a3e874b1d8f + +install : $(TARGET) + +check : $(patsubst %,$(DIR_CHK)/%,$(objects)) + +download :$(patsubst %,$(DIR_DL)/%,$(objects)) + +md5 : $(subst %,%_MD5,$(objects)) + +dist: + @$(PAK) + +############################################################################### +# Downloading, checking, md5sum +############################################################################### + +$(patsubst %,$(DIR_CHK)/%,$(objects)) : + @$(CHECK) + +$(patsubst %,$(DIR_DL)/%,$(objects)) : + @$(LOAD) + +$(subst %,%_MD5,$(objects)) : + @$(MD5) + +############################################################################### +# Installation Details +############################################################################### + +$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) + @$(PREBUILD) + @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axvf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP) && ./configure \ + --prefix=/usr \ + --enable-agent \ + --sysconfdir=/etc/zabbix_agentd \ + --with-openssl + + cd $(DIR_APP) && make + cd $(DIR_APP) && make install + + # Create config directory and create files + -rmdir /etc/zabbix_agentd/zabbix_agentd.conf.d + -mkdir -pv /etc/zabbix_agentd/zabbix_agentd.d + -mkdir -pv /etc/zabbix_agentd/scripts + install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/zabbix_agentd.conf \ + /etc/zabbix_agentd/zabbix_agentd.conf + + # Create directory for additional agent modules + -mkdir -pv /usr/lib/zabbix + + # Create directory for logging + -mkdir -pv /var/log/zabbix + chown zabbix.zabbix /var/log/zabbix + + # Create directory for pid. + -mkdir -pv /var/run/zabbix + chown zabbix.zabbix /var/run/zabbix + + # Install initscripts + $(call INSTALL_INITSCRIPT,zabbix_agentd) + + # Install sudoers include file + install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/sudoers \ + /etc/sudoers.d/zabbix.user + + # Install include file for backup + install -v -m 644 $(DIR_SRC)/config/backup/includes/zabbix_agentd \ + /var/ipfire/backup/addons/includes/zabbix_agentd + + # Install include file for Logrotate + -mkdir -pv /etc/logrotate.d + install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/logrotate \ + /etc/logrotate.d/zabbix_agentd + + @rm -rf $(DIR_APP) + @$(POSTBUILD) diff --git a/make.sh b/make.sh index 1fcb19994..3453c6719 100755 --- a/make.sh +++ b/make.sh @@ -25,8 +25,8 @@ NAME="IPFire" # Software name SNAME="ipfire" # Short name VERSION="2.21" # Version number -CORE="128" # Core Level (Filename) -PAKFIRE_CORE="128" # Core Level (PAKFIRE) +CORE="129" # Core Level (Filename) +PAKFIRE_CORE="129" # Core Level (PAKFIRE) GIT_BRANCH=`git rev-parse --abbrev-ref HEAD` # Git Branch SLOGAN="www.ipfire.org" # Software slogan CONFIG_ROOT=/var/ipfire # Configuration rootdir @@ -201,31 +201,22 @@ configure_build() { CXXFLAGS="${CFLAGS}"
# Determine parallelism - if [ -z "${MAKETUNING}" ]; then - # We assume that each process consumes about - # 192MB of memory. Therefore we find out how - # many processes fit into memory. - local mem_max=$(( ${HOST_MEM} / 192 )) - - local processors="$(system_processors)" - local cpu_max=$(( ${processors} + 1 )) - - local parallelism - if [ ${mem_max} -lt ${cpu_max} ]; then - parallelism=${mem_max} - else - parallelism=${cpu_max} - fi - - # limit to -j23 because perl will not build - # more - if [ ${parallelism} -gt 23 ]; then - parallelism=23 - fi - - MAKETUNING="-j${parallelism}" + # We assume that each process consumes about + # 128MB of memory. Therefore we find out how + # many processes fit into memory. + local mem_max=$(( ${SYSTEM_MEMORY} / 128 )) + local cpu_max=$(( ${SYSTEM_PROCESSORS} + 1 )) + + local parallelism + if [ ${mem_max} -lt ${cpu_max} ]; then + parallelism=${mem_max} + else + parallelism=${cpu_max} fi
+ # Use this as default PARALLELISM + DEFAULT_PARALLELISM="${parallelism}" + # Compression parameters # We use mode 8 for reasonable memory usage when decompressing # but with overall good compression @@ -237,7 +228,7 @@ configure_build() { # We need to limit memory because XZ uses too much when running # in parallel and it isn't very smart in limiting itself. # We allow XZ to use up to 70% of all system memory. - local xz_memory=$(( HOST_MEM * 7 / 10 )) + local xz_memory=$(( SYSTEM_MEMORY * 7 / 10 ))
# XZ memory cannot be larger than 2GB on 32 bit systems case "${build_arch}" in @@ -469,7 +460,7 @@ prepareenv() { # Setup environment set +h LC_ALL=POSIX - export LFS LC_ALL CFLAGS CXXFLAGS MAKETUNING + export LFS LC_ALL CFLAGS CXXFLAGS DEFAULT_PARALLELISM unset CC CXX CPP LD_LIBRARY_PATH LD_PRELOAD
# Make some extra directories @@ -554,6 +545,9 @@ enterchroot() { CCACHE_COMPILERCHECK="${CCACHE_COMPILERCHECK}" \ KVER="${KVER}" \ XZ_OPT="${XZ_OPT}" \ + DEFAULT_PARALLELISM="${DEFAULT_PARALLELISM}" \ + SYSTEM_PROCESSORS="${SYSTEM_PROCESSORS}" \ + SYSTEM_MEMORY="${SYSTEM_MEMORY}" \ $(fake_environ) \ $(qemu_environ) \ "$@" @@ -633,7 +627,9 @@ lfsmake1() { CCACHE_COMPILERCHECK="${CCACHE_COMPILERCHECK}" \ CFLAGS="${CFLAGS}" \ CXXFLAGS="${CXXFLAGS}" \ - MAKETUNING="${MAKETUNING}" \ + DEFAULT_PARALLELISM="${DEFAULT_PARALLELISM}" \ + SYSTEM_PROCESSORS="${SYSTEM_PROCESSORS}" \ + SYSTEM_MEMORY="${SYSTEM_MEMORY}" \ make -f $* \ TOOLCHAIN=1 \ TOOLS_DIR="${TOOLS_DIR}" \ @@ -662,7 +658,6 @@ lfsmake2() {
enterchroot \ ${EXTRA_PATH}bash -x -c "cd /usr/src/lfs && \ - MAKETUNING=${MAKETUNING} \ make -f $* \ LFS_BASEDIR=/usr/src install" \ >> ${LOGFILE} 2>&1 & @@ -907,8 +902,9 @@ if [ -n "${TARGET_ARCH}" ]; then unset TARGET_ARCH fi
-# Get the amount of memory in this build system -HOST_MEM=$(system_memory) +# Get some information about the host system +SYSTEM_PROCESSORS="$(system_processors)" +SYSTEM_MEMORY="$(system_memory)"
if [ -n "${BUILD_ARCH}" ]; then configure_build "${BUILD_ARCH}" @@ -1100,6 +1096,7 @@ buildipfire() { lfsmake2 xr819-firmware lfsmake2 zd1211-firmware lfsmake2 rpi-firmware + lfsmake2 intel-microcode lfsmake2 bc lfsmake2 u-boot MKIMAGE=1 lfsmake2 cpio @@ -1172,7 +1169,6 @@ buildipfire() { lfsmake2 linux-initrd KCFG="-multi" ;; esac - lfsmake2 intel-microcode lfsmake2 xtables-addons USPACE="1" lfsmake2 libgpg-error lfsmake2 libgcrypt @@ -1590,6 +1586,8 @@ buildipfire() { lfsmake2 borgbackup lfsmake2 libedit lfsmake2 knot + lfsmake2 spectre-meltdown-checker + lfsmake2 zabbix_agentd }
buildinstaller() { diff --git a/src/initscripts/networking/red.up/50-ipsec b/src/initscripts/networking/red.up/50-ipsec index 99abf4592..c5e043f21 100644 --- a/src/initscripts/networking/red.up/50-ipsec +++ b/src/initscripts/networking/red.up/50-ipsec @@ -1,7 +1,3 @@ #!/bin/bash
-eval $(/usr/local/bin/readhash /var/ipfire/vpn/settings) - -sleep $VPN_DELAYED_START && /usr/local/bin/ipsecctrl S & - -exit 0 +exec /usr/local/bin/ipsecctrl S diff --git a/src/initscripts/packages/zabbix_agentd b/src/initscripts/packages/zabbix_agentd new file mode 100644 index 000000000..bffbc4893 --- /dev/null +++ b/src/initscripts/packages/zabbix_agentd @@ -0,0 +1,50 @@ +#!/bin/sh +######################################################################## +# Begin $rc_base/init.d/zabbix_agentd +# +# Description : This script starts the Zabbix Agent as a daemon (zabbix_agentd) +# +# Authors : Alexander Koch (ipfire@starkstromkonsument.de) +# +# Version : 01.00 +# +# Notes : +# +######################################################################## + +. /etc/sysconfig/rc +. ${rc_functions} + +case "${1}" in + start) + if [ ! -d "/var/run/zabbix" ]; then + mkdir -p /var/run/zabbix + chown zabbix.zabbix /var/run/zabbix + fi + + boot_mesg "Starting Zabbix Agent..." + loadproc /usr/sbin/zabbix_agentd -c /etc/zabbix_agentd/zabbix_agentd.conf + ;; + + stop) + boot_mesg "Stopping Zabbix Agent..." + killproc /usr/sbin/zabbix_agentd + ;; + + restart) + ${0} stop + sleep 1 + ${0} start + ;; + + status) + statusproc /usr/sbin/zabbix_agentd + ;; + + *) + echo "Usage: ${0} {start|stop|restart|status}" + exit 1 + ;; +esac + +# End $rc_base/init.d/zabbix_agentd diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index b9dd3485e..2739a6834 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -360,8 +360,8 @@ iptables_init() { iptables -t nat -N REDNAT iptables -t nat -A POSTROUTING -j REDNAT
- # Populate IPsec block chain - /usr/lib/firewall/ipsec-block + # Populate IPsec chains + /usr/lib/firewall/ipsec-policy
# Apply OpenVPN firewall rules /usr/local/bin/openvpnctrl --firewall-rules diff --git a/src/initscripts/system/network b/src/initscripts/system/network index b29ca2ca5..6e7120885 100644 --- a/src/initscripts/system/network +++ b/src/initscripts/system/network @@ -63,6 +63,9 @@ case "${DO}" in fi fi
+ # Create IPsec interfaces + /usr/local/bin/ipsec-interfaces + /etc/rc.d/init.d/static-routes start ;;
diff --git a/src/initscripts/system/unbound b/src/initscripts/system/unbound index 2ef994e96..af9bcef73 100644 --- a/src/initscripts/system/unbound +++ b/src/initscripts/system/unbound @@ -197,8 +197,8 @@ write_forward_conf() {
local insecure_zones="${INSECURE_ZONES}"
- local enabled zone server servers remark - while IFS="," read -r enabled zone servers remark; do + local enabled zone server servers remark disable_dnssec rest + while IFS="," read -r enabled zone servers remark disable_dnssec rest; do # Line must be enabled. [ "${enabled}" = "on" ] || continue
@@ -208,6 +208,11 @@ write_forward_conf() { *.local) insecure_zones="${insecure_zones} ${zone}" ;; + *) + if [ "${disable_dnssec}" = "on" ]; then + insecure_zones="${insecure_zones} ${zone}" + fi + ;; esac
# Reverse-lookup zones must be stubs diff --git a/src/misc-progs/ipsecctrl.c b/src/misc-progs/ipsecctrl.c index 9afc409ca..2a64775f0 100644 --- a/src/misc-progs/ipsecctrl.c +++ b/src/misc-progs/ipsecctrl.c @@ -52,42 +52,6 @@ static void ipsec_reload() { safe_system("/usr/sbin/ipsec reload >/dev/null 2>&1"); }
-/* - ACCEPT the ipsec protocol ah, esp & udp (for nat traversal) on the specified interface -*/ -void open_physical (char *interface, int nat_traversal_port) { - char str[STRING_SIZE]; - - // IKE - sprintf(str, "/sbin/iptables --wait -D IPSECINPUT -p udp -i %s --dport 500 -j ACCEPT >/dev/null 2>&1", interface); - safe_system(str); - sprintf(str, "/sbin/iptables --wait -A IPSECINPUT -p udp -i %s --dport 500 -j ACCEPT", interface); - safe_system(str); - sprintf(str, "/sbin/iptables --wait -D IPSECOUTPUT -p udp -o %s --dport 500 -j ACCEPT >/dev/null 2>&1", interface); - safe_system(str); - sprintf(str, "/sbin/iptables --wait -A IPSECOUTPUT -p udp -o %s --dport 500 -j ACCEPT", interface); - safe_system(str); - - if (! nat_traversal_port) - return; - - sprintf(str, "/sbin/iptables --wait -D IPSECINPUT -p udp -i %s --dport %i -j ACCEPT >/dev/null 2>&1", interface, nat_traversal_port); - safe_system(str); - sprintf(str, "/sbin/iptables --wait -A IPSECINPUT -p udp -i %s --dport %i -j ACCEPT", interface, nat_traversal_port); - safe_system(str); - sprintf(str, "/sbin/iptables --wait -D IPSECOUTPUT -p udp -o %s --dport %i -j ACCEPT >/dev/null 2>&1", interface, nat_traversal_port); - safe_system(str); - sprintf(str, "/sbin/iptables --wait -A IPSECOUTPUT -p udp -o %s --dport %i -j ACCEPT", interface, nat_traversal_port); - safe_system(str); -} - -void ipsec_norules() { - /* clear input rules */ - safe_system("/sbin/iptables --wait -F IPSECINPUT"); - safe_system("/sbin/iptables --wait -F IPSECFORWARD"); - safe_system("/sbin/iptables --wait -F IPSECOUTPUT"); -} - /* return values from the vpn config file or false if not 'on' */ @@ -152,15 +116,18 @@ void turn_connection_on(char *name, char *type) { "/usr/sbin/ipsec down %s >/dev/null", name); safe_system(command);
- // Reload the IPsec block chain - safe_system("/usr/lib/firewall/ipsec-block >/dev/null"); + // Reload the IPsec firewall policy + safe_system("/usr/lib/firewall/ipsec-policy >/dev/null"); + + // Create or destroy interfaces + safe_system("/usr/local/bin/ipsec-interfaces >/dev/null");
// Reload the configuration into the daemon (#10339). ipsec_reload();
// Bring the connection up again. snprintf(command, STRING_SIZE - 1, - "/usr/sbin/ipsec up %s >/dev/null", name); + "/usr/sbin/ipsec stroke up-nb %s >/dev/null", name); safe_system(command); }
@@ -182,13 +149,14 @@ void turn_connection_off (char *name) { // Reload, so the connection is dropped. ipsec_reload();
- // Reload the IPsec block chain - safe_system("/usr/lib/firewall/ipsec-block >/dev/null"); + // Reload the IPsec firewall policy + safe_system("/usr/lib/firewall/ipsec-policy >/dev/null"); + + // Create or destroy interfaces + safe_system("/usr/local/bin/ipsec-interfaces >/dev/null"); }
int main(int argc, char *argv[]) { - char configtype[STRING_SIZE]; - char redtype[STRING_SIZE] = ""; struct keyvalue *kv = NULL;
if (argc < 2) { @@ -197,9 +165,8 @@ int main(int argc, char *argv[]) { } if (!(initsetuid())) exit(1); - - FILE *file = NULL; - + + FILE *file = NULL;
if (strcmp(argv[1], "I") == 0) { safe_system("/usr/sbin/ipsec status"); @@ -219,7 +186,8 @@ int main(int argc, char *argv[]) { if (argc == 2) { if (strcmp(argv[1], "D") == 0) { safe_system("/usr/sbin/ipsec stop >/dev/null 2>&1"); - ipsec_norules(); + safe_system("/usr/lib/firewall/ipsec-policy >/dev/null"); + safe_system("/usr/local/bin/ipsec-interfaces >/dev/null"); exit(0); } } @@ -241,82 +209,12 @@ int main(int argc, char *argv[]) { exit(0); }
- /* read interface settings */ - kv=initkeyvalues(); - if (!readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings")) - { - fprintf(stderr, "Cannot read ethernet settings\n"); - exit(1); - } - if (!findkey(kv, "CONFIG_TYPE", configtype)) - { - fprintf(stderr, "Cannot read CONFIG_TYPE\n"); - exit(1); - } - findkey(kv, "RED_TYPE", redtype); - - - /* Loop through the config file to find physical interface that will accept IPSEC */ - int enable_red=0; // states 0: not used - int enable_green=0; // 1: error condition - int enable_orange=0; // 2: good - int enable_blue=0; - char if_red[STRING_SIZE] = ""; - char if_green[STRING_SIZE] = ""; - char if_orange[STRING_SIZE] = ""; - char if_blue[STRING_SIZE] = ""; char s[STRING_SIZE];
- // when RED is up, find interface name in special file - FILE *ifacefile = NULL; - if ((ifacefile = fopen(CONFIG_ROOT "/red/iface", "r"))) { - if (fgets(if_red, STRING_SIZE, ifacefile)) { - if (if_red[strlen(if_red) - 1] == '\n') - if_red[strlen(if_red) - 1] = '\0'; - } - fclose (ifacefile); - - if (VALID_DEVICE(if_red)) - enable_red++; - } - - // Check if GREEN is enabled. - findkey(kv, "GREEN_DEV", if_green); - if (VALID_DEVICE(if_green)) - enable_green++; - - // Check if ORANGE is enabled. - findkey(kv, "ORANGE_DEV", if_orange); - if (VALID_DEVICE(if_orange)) - enable_orange++; - - // Check if BLUE is enabled. - findkey(kv, "BLUE_DEV", if_blue); - if (VALID_DEVICE(if_blue)) - enable_blue++; - - freekeyvalues(kv); - - // exit if nothing to do - if ((enable_red+enable_green+enable_orange+enable_blue) == 0) - exit(0); - - // open needed ports - if (enable_red > 0) - open_physical(if_red, 4500); - - if (enable_green > 0) - open_physical(if_green, 4500); - - if (enable_orange > 0) - open_physical(if_orange, 4500); - - if (enable_blue > 0) - open_physical(if_blue, 4500); - - // start the system + // start the system if ((argc == 2) && strcmp(argv[1], "S") == 0) { - safe_system("/usr/lib/firewall/ipsec-block >/dev/null"); + safe_system("/usr/lib/firewall/ipsec-policy >/dev/null"); + safe_system("/usr/local/bin/ipsec-interfaces >/dev/null"); safe_system("/usr/sbin/ipsec restart >/dev/null"); exit(0); } diff --git a/src/paks/zabbix_agentd/install.sh b/src/paks/zabbix_agentd/install.sh new file mode 100644 index 000000000..e1450a1d8 --- /dev/null +++ b/src/paks/zabbix_agentd/install.sh @@ -0,0 +1,46 @@ +#!/bin/bash +############################################################################ +# # +# This file is part of the IPFire Firewall. # +# # +# IPFire is free software; you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation; either version 2 of the License, or # +# (at your option) any later version. # +# # +# IPFire is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with IPFire; if not, write to the Free Software # +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # +# # +# Copyright (C) 2007 IPFire-Team info@ipfire.org. # +# # +############################################################################ +# +. /opt/pakfire/lib/functions.sh + +if ! getent group zabbix &>/dev/null; then + groupadd -g 118 zabbix +fi + +if ! getent passwd zabbix; then + useradd -u 118 -g zabbix -d /var/empty -s /bin/false zabbix +fi + +extract_files + +# Create symlinks for runlevel interaction. +ln -sf ../init.d/zabbix_agentd /etc/rc.d/rc3.d/S65zabbix_agentd +ln -sf ../init.d/zabbix_agentd /etc/rc.d/rc0.d/K02zabbix_agentd +ln -sf ../init.d/zabbix_agentd /etc/rc.d/rc6.d/K02zabbix_agentd + +# Create additonal directories and set permissions +mkdir -pv /var/log/zabbix +chown zabbix.zabbix /var/log/zabbix + +restore_backup ${NAME} +start_service --background ${NAME} diff --git a/src/paks/zabbix_agentd/uninstall.sh b/src/paks/zabbix_agentd/uninstall.sh new file mode 100644 index 000000000..edff3b818 --- /dev/null +++ b/src/paks/zabbix_agentd/uninstall.sh @@ -0,0 +1,30 @@ +#!/bin/bash +############################################################################ +# # +# This file is part of the IPFire Firewall. # +# # +# IPFire is free software; you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation; either version 2 of the License, or # +# (at your option) any later version. # +# # +# IPFire is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with IPFire; if not, write to the Free Software # +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # +# # +# Copyright (C) 2007 IPFire-Team info@ipfire.org. # +# # +############################################################################ +# +. /opt/pakfire/lib/functions.sh +stop_service ${NAME} +make_backup ${NAME} +remove_files + +# Remove init-scripts and symlinks +rm -rfv /etc/rc.d/rc*.d/*zabbix_agentd diff --git a/src/paks/zabbix_agentd/update.sh b/src/paks/zabbix_agentd/update.sh new file mode 100644 index 000000000..89c40d0d7 --- /dev/null +++ b/src/paks/zabbix_agentd/update.sh @@ -0,0 +1,26 @@ +#!/bin/bash +############################################################################ +# # +# This file is part of the IPFire Firewall. # +# # +# IPFire is free software; you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation; either version 2 of the License, or # +# (at your option) any later version. # +# # +# IPFire is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with IPFire; if not, write to the Free Software # +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # +# # +# Copyright (C) 2007 IPFire-Team info@ipfire.org. # +# # +############################################################################ +# +. /opt/pakfire/lib/functions.sh +./uninstall.sh +./install.sh diff --git a/src/patches/hostapd/hostapd-2.6-noscan.patch b/src/patches/hostapd/hostapd-2.6-noscan.patch deleted file mode 100644 index 8009fa04b..000000000 --- a/src/patches/hostapd/hostapd-2.6-noscan.patch +++ /dev/null @@ -1,62 +0,0 @@ -diff -Naur hostapd-2.6.org/hostapd/config_file.c hostapd-2.6/hostapd/config_file.c ---- hostapd-2.6.org/hostapd/config_file.c 2016-10-02 20:51:11.000000000 +0200 -+++ hostapd-2.6/hostapd/config_file.c 2018-10-26 09:16:34.393456086 +0200 -@@ -2863,6 +2863,10 @@ - } - #endif /* CONFIG_IEEE80211W */ - #ifdef CONFIG_IEEE80211N -+ } else if (os_strcmp(buf, "noscan") == 0) { -+ conf->noscan = atoi(pos); -+ } else if (os_strcmp(buf, "ht_coex") == 0) { -+ conf->no_ht_coex = !atoi(pos); - } else if (os_strcmp(buf, "ieee80211n") == 0) { - conf->ieee80211n = atoi(pos); - } else if (os_strcmp(buf, "ht_capab") == 0) { -diff -Naur hostapd-2.6.org/src/ap/ap_config.h hostapd-2.6/src/ap/ap_config.h ---- hostapd-2.6.org/src/ap/ap_config.h 2016-10-02 20:51:11.000000000 +0200 -+++ hostapd-2.6/src/ap/ap_config.h 2018-10-26 09:16:34.393456086 +0200 -@@ -664,6 +664,8 @@ - - int ht_op_mode_fixed; - u16 ht_capab; -+ int noscan; -+ int no_ht_coex; - int ieee80211n; - int secondary_channel; - int no_pri_sec_switch; -diff -Naur hostapd-2.6.org/src/ap/hw_features.c hostapd-2.6/src/ap/hw_features.c ---- hostapd-2.6.org/src/ap/hw_features.c 2016-10-02 20:51:11.000000000 +0200 -+++ hostapd-2.6/src/ap/hw_features.c 2018-10-26 09:16:34.393456086 +0200 -@@ -474,7 +474,8 @@ - int ret; - - /* Check that HT40 is used and PRI / SEC switch is allowed */ -- if (!iface->conf->secondary_channel || iface->conf->no_pri_sec_switch) -+ if (!iface->conf->secondary_channel || iface->conf->no_pri_sec_switch || -+ iface->conf->noscan) - return 0; - - hostapd_set_state(iface, HAPD_IFACE_HT_SCAN); -diff -Naur hostapd-2.6.org/src/ap/ieee802_11_ht.c hostapd-2.6/src/ap/ieee802_11_ht.c ---- hostapd-2.6.org/src/ap/ieee802_11_ht.c 2016-10-02 20:51:11.000000000 +0200 -+++ hostapd-2.6/src/ap/ieee802_11_ht.c 2018-10-26 09:17:42.976793198 +0200 -@@ -244,6 +244,9 @@ - if (!(iface->conf->ht_capab & HT_CAP_INFO_SUPP_CHANNEL_WIDTH_SET)) - return; - -+ if (iface->conf->noscan || iface->conf->no_ht_coex) -+ return; -+ - if (len < IEEE80211_HDRLEN + 2 + sizeof(*bc_ie)) - return; - -@@ -368,6 +371,9 @@ - if (iface->current_mode->mode != HOSTAPD_MODE_IEEE80211G) - return; - -+ if (iface->conf->noscan || iface->conf->no_ht_coex) -+ return; -+ - wpa_printf(MSG_INFO, "HT: Forty MHz Intolerant is set by STA " MACSTR - " in Association Request", MAC2STR(sta->addr)); - diff --git a/src/patches/hostapd-2.3_increase_EAPOL-timeouts.patch b/src/patches/hostapd/hostapd-2.7-increase_EAPOL-timeouts.patch similarity index 50% rename from src/patches/hostapd-2.3_increase_EAPOL-timeouts.patch rename to src/patches/hostapd/hostapd-2.7-increase_EAPOL-timeouts.patch index bbda55a63..285b54c61 100644 --- a/src/patches/hostapd-2.3_increase_EAPOL-timeouts.patch +++ b/src/patches/hostapd/hostapd-2.7-increase_EAPOL-timeouts.patch @@ -1,16 +1,16 @@ -diff -Naur hostapd-2.3.org/src/ap/wpa_auth.c hostapd-2.3/src/ap/wpa_auth.c ---- hostapd-2.3.org/src/ap/wpa_auth.c 2014-10-09 16:41:31.000000000 +0200 -+++ hostapd-2.3/src/ap/wpa_auth.c 2015-04-07 16:32:10.671422975 +0200 -@@ -45,9 +45,9 @@ +diff U3 a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c +--- a/src/ap/wpa_auth.c Sun Dec 2 20:34:59 2018 ++++ b/src/ap/wpa_auth.c Mon Mar 4 15:47:26 2019 +@@ -63,9 +63,9 @@ + struct wpa_group *group); + static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos);
- static const u32 dot11RSNAConfigGroupUpdateCount = 4; - static const u32 dot11RSNAConfigPairwiseUpdateCount = 4; -static const u32 eapol_key_timeout_first = 100; /* ms */ -static const u32 eapol_key_timeout_subseq = 1000; /* ms */ -static const u32 eapol_key_timeout_first_group = 500; /* ms */ +static const u32 eapol_key_timeout_first = 300; /* ms */ +static const u32 eapol_key_timeout_subseq = 3000; /* ms */ +static const u32 eapol_key_timeout_first_group = 1500; /* ms */ + static const u32 eapol_key_timeout_no_retrans = 4000; /* ms */
/* TODO: make these configurable */ - static const int dot11RSNAConfigPMKLifetime = 43200; diff --git a/src/patches/hostapd/hostapd-2.7-noscan.patch b/src/patches/hostapd/hostapd-2.7-noscan.patch new file mode 100644 index 000000000..31219c8c5 --- /dev/null +++ b/src/patches/hostapd/hostapd-2.7-noscan.patch @@ -0,0 +1,62 @@ +diff U3 a/src/ap/ap_config.h b/src/ap/ap_config.h +--- a/src/ap/ap_config.h Sun Dec 2 20:34:59 2018 ++++ b/src/ap/ap_config.h Mon Mar 4 15:58:05 2019 +@@ -779,6 +779,8 @@ + + int ht_op_mode_fixed; + u16 ht_capab; ++ int noscan; ++ int no_ht_coex; + int ieee80211n; + int secondary_channel; + int no_pri_sec_switch; +diff U3 a/hostapd/config_file.c b/hostapd/config_file.c +--- a/hostapd/config_file.c Sun Dec 2 20:34:59 2018 ++++ b/hostapd/config_file.c Mon Mar 4 15:56:51 2019 +@@ -3317,6 +3317,10 @@ + } + #endif /* CONFIG_IEEE80211W */ + #ifdef CONFIG_IEEE80211N ++ } else if (os_strcmp(buf, "noscan") == 0) { ++ conf->noscan = atoi(pos); ++ } else if (os_strcmp(buf, "ht_coex") == 0) { ++ conf->no_ht_coex = !atoi(pos); + } else if (os_strcmp(buf, "ieee80211n") == 0) { + conf->ieee80211n = atoi(pos); + } else if (os_strcmp(buf, "ht_capab") == 0) { +diff U3 a/src/ap/hw_features.c b/src/ap/hw_features.c +--- a/src/ap/hw_features.c Sun Dec 2 20:34:59 2018 ++++ b/src/ap/hw_features.c Mon Mar 4 15:59:08 2019 +@@ -480,7 +480,8 @@ + int ret; + + /* Check that HT40 is used and PRI / SEC switch is allowed */ +- if (!iface->conf->secondary_channel || iface->conf->no_pri_sec_switch) ++ if (!iface->conf->secondary_channel || iface->conf->no_pri_sec_switch || ++ iface->conf->noscan) + return 0; + + hostapd_set_state(iface, HAPD_IFACE_HT_SCAN); +diff U3 a/src/ap/ieee802_11_ht.c b/src/ap/ieee802_11_ht.c +--- a/src/ap/ieee802_11_ht.c Sun Dec 2 20:34:59 2018 ++++ b/src/ap/ieee802_11_ht.c Mon Mar 4 16:02:13 2019 +@@ -252,6 +252,9 @@ + return; + } + ++ if (iface->conf->noscan || iface->conf->no_ht_coex) ++ return; ++ + if (len < IEEE80211_HDRLEN + 2 + sizeof(*bc_ie)) { + wpa_printf(MSG_DEBUG, + "Ignore too short 20/40 BSS Coexistence Management frame"); +@@ -410,6 +413,9 @@ + void ht40_intolerant_add(struct hostapd_iface *iface, struct sta_info *sta) + { + if (iface->current_mode->mode != HOSTAPD_MODE_IEEE80211G) ++ return; ++ ++ if (iface->conf->noscan || iface->conf->no_ht_coex) + return; + + wpa_printf(MSG_INFO, "HT: Forty MHz Intolerant is set by STA " MACSTR diff --git a/src/patches/linux/linux-4.14-Revert-usb-dwc2-Fix-DMA-alignment.patch b/src/patches/linux/linux-4.14-Revert-usb-dwc2-Fix-DMA-alignment.patch new file mode 100644 index 000000000..e4c8b9982 --- /dev/null +++ b/src/patches/linux/linux-4.14-Revert-usb-dwc2-Fix-DMA-alignment.patch @@ -0,0 +1,99 @@ +From a44147a09baf8c46cc0b02332df3a4656e0659d5 Mon Sep 17 00:00:00 2001 +From: Arne Fitzenreiter arne_f@ipfire.org +Date: Mon, 10 Dec 2018 13:12:00 +0100 +Subject: [PATCH] Revert "usb: dwc2: Fix DMA alignment to start at allocated + boundary" + +This reverts commit 68fc92a0f3913d539d1ac68a861f895e34099e46. +--- + drivers/usb/dwc2/hcd.c | 44 +++++++++++++++++++++----------------------- + 1 file changed, 21 insertions(+), 23 deletions(-) + +diff --git a/drivers/usb/dwc2/hcd.c b/drivers/usb/dwc2/hcd.c +index fa20ec4..4b81d08 100644 +--- a/drivers/usb/dwc2/hcd.c ++++ b/drivers/usb/dwc2/hcd.c +@@ -2644,29 +2644,34 @@ static int dwc2_alloc_split_dma_aligned_buf(struct dwc2_hsotg *hsotg, + + #define DWC2_USB_DMA_ALIGN 4 + ++struct dma_aligned_buffer { ++ void *kmalloc_ptr; ++ void *old_xfer_buffer; ++ u8 data[0]; ++}; ++ + static void dwc2_free_dma_aligned_buffer(struct urb *urb) + { +- void *stored_xfer_buffer; ++ struct dma_aligned_buffer *temp; + + if (!(urb->transfer_flags & URB_ALIGNED_TEMP_BUFFER)) + return; + +- /* Restore urb->transfer_buffer from the end of the allocated area */ +- memcpy(&stored_xfer_buffer, urb->transfer_buffer + +- urb->transfer_buffer_length, sizeof(urb->transfer_buffer)); ++ temp = container_of(urb->transfer_buffer, ++ struct dma_aligned_buffer, data); + + if (usb_urb_dir_in(urb)) +- memcpy(stored_xfer_buffer, urb->transfer_buffer, ++ memcpy(temp->old_xfer_buffer, temp->data, + urb->transfer_buffer_length); +- kfree(urb->transfer_buffer); +- urb->transfer_buffer = stored_xfer_buffer; ++ urb->transfer_buffer = temp->old_xfer_buffer; ++ kfree(temp->kmalloc_ptr); + + urb->transfer_flags &= ~URB_ALIGNED_TEMP_BUFFER; + } + + static int dwc2_alloc_dma_aligned_buffer(struct urb *urb, gfp_t mem_flags) + { +- void *kmalloc_ptr; ++ struct dma_aligned_buffer *temp, *kmalloc_ptr; + size_t kmalloc_size; + + if (urb->num_sgs || urb->sg || +@@ -2674,29 +2679,22 @@ static int dwc2_alloc_dma_aligned_buffer(struct urb *urb, gfp_t mem_flags) + !((uintptr_t)urb->transfer_buffer & (DWC2_USB_DMA_ALIGN - 1))) + return 0; + +- /* +- * Allocate a buffer with enough padding for original transfer_buffer +- * pointer. This allocation is guaranteed to be aligned properly for +- * DMA +- */ ++ /* Allocate a buffer with enough padding for alignment */ + kmalloc_size = urb->transfer_buffer_length + +- sizeof(urb->transfer_buffer); ++ sizeof(struct dma_aligned_buffer) + DWC2_USB_DMA_ALIGN - 1; + + kmalloc_ptr = kmalloc(kmalloc_size, mem_flags); + if (!kmalloc_ptr) + return -ENOMEM; + +- /* +- * Position value of original urb->transfer_buffer pointer to the end +- * of allocation for later referencing +- */ +- memcpy(kmalloc_ptr + urb->transfer_buffer_length, +- &urb->transfer_buffer, sizeof(urb->transfer_buffer)); +- ++ /* Position our struct dma_aligned_buffer such that data is aligned */ ++ temp = PTR_ALIGN(kmalloc_ptr + 1, DWC2_USB_DMA_ALIGN) - 1; ++ temp->kmalloc_ptr = kmalloc_ptr; ++ temp->old_xfer_buffer = urb->transfer_buffer; + if (usb_urb_dir_out(urb)) +- memcpy(kmalloc_ptr, urb->transfer_buffer, ++ memcpy(temp->data, urb->transfer_buffer, + urb->transfer_buffer_length); +- urb->transfer_buffer = kmalloc_ptr; ++ urb->transfer_buffer = temp->data; + + urb->transfer_flags |= URB_ALIGNED_TEMP_BUFFER; + +-- +2.7.4 + diff --git a/src/patches/net-snmp-5.7.3-openssl.patch b/src/patches/net-snmp-5.7.3-openssl.patch deleted file mode 100644 index 0651a24ec..000000000 --- a/src/patches/net-snmp-5.7.3-openssl.patch +++ /dev/null @@ -1,303 +0,0 @@ -diff -urNp old/apps/snmpusm.c new/apps/snmpusm.c ---- old/apps/snmpusm.c 2014-12-08 21:23:22.000000000 +0100 -+++ new/apps/snmpusm.c 2017-02-20 15:20:36.994022905 +0100 -@@ -190,7 +190,7 @@ get_USM_DH_key(netsnmp_variable_list *va - oid *keyoid, size_t keyoid_len) { - u_char *dhkeychange; - DH *dh; -- BIGNUM *other_pub; -+ BIGNUM *p, *g, *pub_key, *other_pub; - u_char *key; - size_t key_len; - -@@ -205,25 +205,29 @@ get_USM_DH_key(netsnmp_variable_list *va - dh = d2i_DHparams(NULL, &cp, dhvar->val_len); - } - -- if (!dh || !dh->g || !dh->p) { -+ if (dh) -+ DH_get0_pqg(dh, &p, NULL, &g); -+ -+ if (!dh || !g || !p) { - SNMP_FREE(dhkeychange); - return SNMPERR_GENERR; - } - -- DH_generate_key(dh); -- if (!dh->pub_key) { -+ if (!DH_generate_key(dh)) { - SNMP_FREE(dhkeychange); - return SNMPERR_GENERR; - } - -- if (vars->val_len != (unsigned int)BN_num_bytes(dh->pub_key)) { -+ DH_get0_key(dh, &pub_key, NULL); -+ -+ if (vars->val_len != (unsigned int)BN_num_bytes(pub_key)) { - SNMP_FREE(dhkeychange); - fprintf(stderr,"incorrect diffie-helman lengths (%lu != %d)\n", -- (unsigned long)vars->val_len, BN_num_bytes(dh->pub_key)); -+ (unsigned long)vars->val_len, BN_num_bytes(pub_key)); - return SNMPERR_GENERR; - } - -- BN_bn2bin(dh->pub_key, dhkeychange + vars->val_len); -+ BN_bn2bin(pub_key, dhkeychange + vars->val_len); - - key_len = DH_size(dh); - if (!key_len) { -diff -urNp old/configure new/configure ---- old/configure 2017-02-20 10:08:16.440396223 +0100 -+++ new/configure 2017-02-20 10:57:15.749734281 +0100 -@@ -23176,9 +23176,9 @@ $as_echo "#define HAVE_AES_CFB128_ENCRYP - fi - - -- as_ac_Lib=`$as_echo "ac_cv_lib_${CRYPTO}''_EVP_MD_CTX_create" | $as_tr_sh` --{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for EVP_MD_CTX_create in -l${CRYPTO}" >&5 --$as_echo_n "checking for EVP_MD_CTX_create in -l${CRYPTO}... " >&6; } -+ as_ac_Lib=`$as_echo "ac_cv_lib_${CRYPTO}''_EVP_MD_CTX_new" | $as_tr_sh` -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for EVP_MD_CTX_new in -l${CRYPTO}" >&5 -+$as_echo_n "checking for EVP_MD_CTX_new in -l${CRYPTO}... " >&6; } - if eval ${$as_ac_Lib+:} false; then : - $as_echo_n "(cached) " >&6 - else -@@ -23193,11 +23193,11 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ - #ifdef __cplusplus - extern "C" - #endif --char EVP_MD_CTX_create (); -+char EVP_MD_CTX_new (); - int - main () - { --return EVP_MD_CTX_create (); -+return EVP_MD_CTX_new (); - ; - return 0; - } -@@ -23216,10 +23216,10 @@ eval ac_res=$$as_ac_Lib - $as_echo "$ac_res" >&6; } - if eval test "x$"$as_ac_Lib"" = x"yes"; then : - --$as_echo "#define HAVE_EVP_MD_CTX_CREATE /**/" >>confdefs.h -+$as_echo "#define HAVE_EVP_MD_CTX_NEW /**/" >>confdefs.h - - --$as_echo "#define HAVE_EVP_MD_CTX_DESTROY /**/" >>confdefs.h -+$as_echo "#define HAVE_EVP_MD_CTX_FREE /**/" >>confdefs.h - - fi - -@@ -23293,7 +23293,7 @@ char SSL_library_init (); - int - main () - { --return SSL_library_init (); -+return OPENSSL_init_ssl(0, NULL); - ; - return 0; - } -diff -urNp old/configure.d/config_os_libs2 new/configure.d/config_os_libs2 ---- old/configure.d/config_os_libs2 2014-12-08 21:23:22.000000000 +0100 -+++ new/configure.d/config_os_libs2 2017-02-20 10:56:21.041616611 +0100 -@@ -292,11 +292,11 @@ if test "x$tryopenssl" != "xno" -a "x$tr - AC_DEFINE(HAVE_AES_CFB128_ENCRYPT, 1, - [Define to 1 if you have the `AES_cfb128_encrypt' function.])) - -- AC_CHECK_LIB(${CRYPTO}, EVP_MD_CTX_create, -- AC_DEFINE([HAVE_EVP_MD_CTX_CREATE], [], -- [Define to 1 if you have the `EVP_MD_CTX_create' function.]) -- AC_DEFINE([HAVE_EVP_MD_CTX_DESTROY], [], -- [Define to 1 if you have the `EVP_MD_CTX_destroy' function.])) -+ AC_CHECK_LIB(${CRYPTO}, EVP_MD_CTX_new, -+ AC_DEFINE([HAVE_EVP_MD_CTX_NEW], [], -+ [Define to 1 if you have the `EVP_MD_CTX_new' function.]) -+ AC_DEFINE([HAVE_EVP_MD_CTX_FREE], [], -+ [Define to 1 if you have the `EVP_MD_CTX_free' function.])) - fi - if echo " $transport_result_list " | $GREP "DTLS" > /dev/null; then - AC_CHECK_LIB(ssl, DTLSv1_method, -@@ -307,7 +307,7 @@ if test "x$tryopenssl" != "xno" -a "x$tr - TLSPROG=yes - fi - if echo " $transport_result_list " | $GREP "TLS" > /dev/null; then -- AC_CHECK_LIB(ssl, SSL_library_init, -+ AC_CHECK_LIB(ssl, OPENSSL_init_ssl, - AC_DEFINE(HAVE_LIBSSL, 1, - [Define to 1 if you have the `ssl' library (-lssl).]) - LIBCRYPTO=" -lssl $LIBCRYPTO", -diff -urNp old/include/net-snmp/net-snmp-config.h.in new/include/net-snmp/net-snmp-config.h.in ---- old/include/net-snmp/net-snmp-config.h.in 2017-02-20 10:08:16.443522417 +0100 -+++ new/include/net-snmp/net-snmp-config.h.in 2017-02-20 10:24:05.790584283 +0100 -@@ -149,11 +149,11 @@ - /* Define to 1 if you have the `eval_pv' function. */ - #undef HAVE_EVAL_PV - --/* Define to 1 if you have the `EVP_MD_CTX_create' function. */ --#undef HAVE_EVP_MD_CTX_CREATE -+/* Define to 1 if you have the `EVP_MD_CTX_new' function. */ -+#undef HAVE_EVP_MD_CTX_NEW - --/* Define to 1 if you have the `EVP_MD_CTX_destroy' function. */ --#undef HAVE_EVP_MD_CTX_DESTROY -+/* Define to 1 if you have the `EVP_MD_CTX_free' function. */ -+#undef HAVE_EVP_MD_CTX_FREE - - /* Define if you have EVP_sha224/256 in openssl */ - #undef HAVE_EVP_SHA224 -diff -urNp old/snmplib/keytools.c new/snmplib/keytools.c ---- old/snmplib/keytools.c 2014-12-08 21:23:22.000000000 +0100 -+++ new/snmplib/keytools.c 2017-02-20 10:30:27.412068264 +0100 -@@ -149,8 +149,8 @@ generate_Ku(const oid * hashtype, u_int - */ - #ifdef NETSNMP_USE_OPENSSL - --#ifdef HAVE_EVP_MD_CTX_CREATE -- ctx = EVP_MD_CTX_create(); -+#ifdef HAVE_EVP_MD_CTX_NEW -+ ctx = EVP_MD_CTX_new(); - #else - ctx = malloc(sizeof(*ctx)); - if (!EVP_MD_CTX_init(ctx)) -@@ -259,8 +259,8 @@ generate_Ku(const oid * hashtype, u_int - memset(buf, 0, sizeof(buf)); - #ifdef NETSNMP_USE_OPENSSL - if (ctx) { --#ifdef HAVE_EVP_MD_CTX_DESTROY -- EVP_MD_CTX_destroy(ctx); -+#ifdef HAVE_EVP_MD_CTX_FREE -+ EVP_MD_CTX_free(ctx); - #else - EVP_MD_CTX_cleanup(ctx); - free(ctx); -diff -urNp old/snmplib/scapi.c new/snmplib/scapi.c ---- old/snmplib/scapi.c 2014-12-08 21:23:22.000000000 +0100 -+++ new/snmplib/scapi.c 2017-02-20 10:27:34.152379515 +0100 -@@ -486,14 +486,14 @@ sc_hash(const oid * hashtype, size_t has - } - - /** initialize the pointer */ --#ifdef HAVE_EVP_MD_CTX_CREATE -- cptr = EVP_MD_CTX_create(); -+#ifdef HAVE_EVP_MD_CTX_NEW -+ cptr = EVP_MD_CTX_new(); - #else - cptr = malloc(sizeof(*cptr)); - #if defined(OLD_DES) - memset(cptr, 0, sizeof(*cptr)); - #else -- EVP_MD_CTX_init(cptr); -+ EVP_MD_CTX_init(&cptr); - #endif - #endif - if (!EVP_DigestInit(cptr, hashfn)) { -@@ -507,11 +507,11 @@ sc_hash(const oid * hashtype, size_t has - /** do the final pass */ - EVP_DigestFinal(cptr, MAC, &tmp_len); - *MAC_len = tmp_len; --#ifdef HAVE_EVP_MD_CTX_DESTROY -- EVP_MD_CTX_destroy(cptr); -+#ifdef HAVE_EVP_MD_CTX_FREE -+ EVP_MD_CTX_free(cptr); - #else - #if !defined(OLD_DES) -- EVP_MD_CTX_cleanup(cptr); -+ EVP_MD_CTX_cleanup(&cptr); - #endif - free(cptr); - #endif -diff -urNp old/snmplib/snmp_openssl.c new/snmplib/snmp_openssl.c ---- old/snmplib/snmp_openssl.c 2014-12-08 21:23:22.000000000 +0100 -+++ new/snmplib/snmp_openssl.c 2017-02-20 12:46:00.059727928 +0100 -@@ -47,7 +47,7 @@ void netsnmp_init_openssl(void) { - DEBUGMSGTL(("snmp_openssl", "initializing\n")); - - /* Initializing OpenSSL */ -- SSL_library_init(); -+ OPENSSL_init_ssl(0, NULL); - SSL_load_error_strings(); - ERR_load_BIO_strings(); - OpenSSL_add_all_algorithms(); -@@ -164,11 +164,11 @@ netsnmp_openssl_cert_dump_names(X509 *oc - oname_entry = X509_NAME_get_entry(osubj_name, i); - netsnmp_assert(NULL != oname_entry); - -- if (oname_entry->value->type != V_ASN1_PRINTABLESTRING) -+ if (X509_NAME_ENTRY_get_data(oname_entry)->type != V_ASN1_PRINTABLESTRING) - continue; - - /** get NID */ -- onid = OBJ_obj2nid(oname_entry->object); -+ onid = OBJ_obj2nid(X509_NAME_ENTRY_get_object(oname_entry)); - if (onid == NID_undef) { - prefix_long = prefix_short = "UNKNOWN"; - } -@@ -179,9 +179,9 @@ netsnmp_openssl_cert_dump_names(X509 *oc - - DEBUGMSGT(("9:cert:dump:names", - "[%02d] NID type %d, ASN type %d\n", i, onid, -- oname_entry->value->type)); -+ X509_NAME_ENTRY_get_data(oname_entry)->type)); - DEBUGMSGT(("9:cert:dump:names", "%s/%s: '%s'\n", prefix_long, -- prefix_short, ASN1_STRING_data(oname_entry->value))); -+ prefix_short, ASN1_STRING_data(X509_NAME_ENTRY_get_data(oname_entry)))); - } - } - #endif /* NETSNMP_FEATURE_REMOVE_CERT_DUMP_NAMES */ -@@ -470,7 +470,7 @@ netsnmp_openssl_cert_get_hash_type(X509 - if (NULL == ocert) - return 0; - -- return _nid2ht(OBJ_obj2nid(ocert->sig_alg->algorithm)); -+ return _nid2ht(X509_get_signature_nid(ocert)); - } - - /** -@@ -487,7 +487,7 @@ netsnmp_openssl_cert_get_fingerprint(X50 - if (NULL == ocert) - return NULL; - -- nid = OBJ_obj2nid(ocert->sig_alg->algorithm); -+ nid = X509_get_signature_nid(ocert); - DEBUGMSGT(("9:openssl:fingerprint", "alg %d, cert nid %d (%d)\n", alg, nid, - _nid2ht(nid))); - -diff -urNp old/win32/net-snmp/net-snmp-config.h new/win32/net-snmp/net-snmp-config.h ---- old/win32/net-snmp/net-snmp-config.h 2014-12-08 21:23:22.000000000 +0100 -+++ new/win32/net-snmp/net-snmp-config.h 2017-02-20 10:23:20.796778512 +0100 -@@ -1366,11 +1366,11 @@ - /* Define to 1 if you have the <openssl/aes.h> header file. */ - #define HAVE_OPENSSL_AES_H 1 - --/* Define to 1 if you have the `EVP_MD_CTX_create' function. */ --#define HAVE_EVP_MD_CTX_CREATE 1 -+/* Define to 1 if you have the `EVP_MD_CTX_new' function. */ -+#define HAVE_EVP_MD_CTX_NEW 1 - --/* Define to 1 if you have the `EVP_MD_CTX_destroy' function. */ --#define HAVE_EVP_MD_CTX_DESTROY 1 -+/* Define to 1 if you have the `EVP_MD_CTX_free' function. */ -+#define HAVE_EVP_MD_CTX_FREE 1 - - /* Define to 1 if you have the `AES_cfb128_encrypt' function. */ - #define HAVE_AES_CFB128_ENCRYPT 1 -diff -urNp old/win32/net-snmp/net-snmp-config.h.in new/win32/net-snmp/net-snmp-config.h.in ---- old/win32/net-snmp/net-snmp-config.h.in 2014-12-08 21:23:22.000000000 +0100 -+++ new/win32/net-snmp/net-snmp-config.h.in 2017-02-20 10:22:51.348367754 +0100 -@@ -1366,11 +1366,11 @@ - /* Define to 1 if you have the <openssl/aes.h> header file. */ - #define HAVE_OPENSSL_AES_H 1 - --/* Define to 1 if you have the `EVP_MD_CTX_create' function. */ --#define HAVE_EVP_MD_CTX_CREATE 1 -+/* Define to 1 if you have the `EVP_MD_CTX_new' function. */ -+#define HAVE_EVP_MD_CTX_NEW 1 - --/* Define to 1 if you have the `EVP_MD_CTX_destroy' function. */ --#define HAVE_EVP_MD_CTX_DESTROY 1 -+/* Define to 1 if you have the `EVP_MD_CTX_free' function. */ -+#define HAVE_EVP_MD_CTX_FREE 1 - - /* Define to 1 if you have the `AES_cfb128_encrypt' function. */ - #define HAVE_AES_CFB128_ENCRYPT 1 diff --git a/src/patches/squid/squid-4.5-fix-max-file-descriptors.patch b/src/patches/squid/squid-4.6-fix-max-file-descriptors.patch similarity index 100% rename from src/patches/squid/squid-4.5-fix-max-file-descriptors.patch rename to src/patches/squid/squid-4.6-fix-max-file-descriptors.patch diff --git a/src/patches/strongswan-ipfire-interfaces.patch b/src/patches/strongswan-ipfire-interfaces.patch new file mode 100644 index 000000000..5ec96a48a --- /dev/null +++ b/src/patches/strongswan-ipfire-interfaces.patch @@ -0,0 +1,72 @@ +--- strongswan-5.7.0/src/_updown/_updown.in.bak 2019-02-06 18:19:25.723893992 +0000 ++++ strongswan-5.7.0/src/_updown/_updown.in 2019-02-06 18:28:21.520560665 +0000 +@@ -130,6 +130,13 @@ + # address family. + # + ++VARS=( ++ id status name lefthost type ctype psk local local_id leftsubnets ++ remote_id remote rightsubnets x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 ++ x13 x14 x15 x16 x17 x18 x19 proto x20 x21 x22 ++ route x23 mode interface_mode interface_address interface_mtu rest ++) ++ + function ip_encode() { + local IFS=. + +@@ -319,6 +326,13 @@ + fi + ;; + up-client:iptables) ++ # Read IPsec configuration ++ while IFS="," read -r "${VARS[@]}"; do ++ if [ "${PLUTO_CONNECTION}" = "${name}" ]; then ++ break ++ fi ++ done < /var/ipfire/vpn/config ++ + # connection to client subnet, with (left/right)firewall=yes, coming up + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. +@@ -383,23 +397,25 @@ + "tunnel+ $PLUTO_PEER -- $PLUTO_ME" + fi + +- # Add source nat so also the gateway can access the other nets +- eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) +- for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do +- ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}" +- if [ $? -eq 0 ]; then +- src=${_src} +- break ++ if [ -z "${interface_mode}" ]; then ++ # Add source nat so also the gateway can access the other nets ++ eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) ++ for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do ++ ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}" ++ if [ $? -eq 0 ]; then ++ src=${_src} ++ break ++ fi ++ done ++ ++ if [ -n "${src}" ]; then ++ iptables --wait -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src ++ logger -t $TAG -p $FAC_PRIO \ ++ "snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src" ++ else ++ logger -t $TAG -p $FAC_PRIO \ ++ "Cannot create NAT rule because no IP of the IPFire does match the subnet. $PLUTO_MY_CLIENT" + fi +- done +- +- if [ -n "${src}" ]; then +- iptables --wait -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src +- logger -t $TAG -p $FAC_PRIO \ +- "snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src" +- else +- logger -t $TAG -p $FAC_PRIO \ +- "Cannot create NAT rule because no IP of the IPFire does match the subnet. $PLUTO_MY_CLIENT" + fi + + # Flush routing cache diff --git a/src/patches/wpa_supplicant/0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch b/src/patches/wpa_supplicant/0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch deleted file mode 100644 index 91630834c..000000000 --- a/src/patches/wpa_supplicant/0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch +++ /dev/null @@ -1,174 +0,0 @@ -From 3692833a62280a0270e4e1ba30f9acf5a8c8f808 Mon Sep 17 00:00:00 2001 -From: Mathy Vanhoef Mathy.Vanhoef@cs.kuleuven.be -Date: Fri, 14 Jul 2017 15:15:35 +0200 -Subject: [PATCH 1/8] hostapd: Avoid key reinstallation in FT handshake - -Do not reinstall TK to the driver during Reassociation Response frame -processing if the first attempt of setting the TK succeeded. This avoids -issues related to clearing the TX/RX PN that could result in reusing -same PN values for transmitted frames (e.g., due to CCM nonce reuse and -also hitting replay protection on the receiver) and accepting replayed -frames on RX side. - -This issue was introduced by the commit -0e84c25434e6a1f283c7b4e62e483729085b78d2 ('FT: Fix PTK configuration in -authenticator') which allowed wpa_ft_install_ptk() to be called multiple -times with the same PTK. While the second configuration attempt is -needed with some drivers, it must be done only if the first attempt -failed. - -Signed-off-by: Mathy Vanhoef Mathy.Vanhoef@cs.kuleuven.be ---- - src/ap/ieee802_11.c | 16 +++++++++++++--- - src/ap/wpa_auth.c | 11 +++++++++++ - src/ap/wpa_auth.h | 3 ++- - src/ap/wpa_auth_ft.c | 10 ++++++++++ - src/ap/wpa_auth_i.h | 1 + - 5 files changed, 37 insertions(+), 4 deletions(-) - -diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c -index 5163139..174af8b 100644 ---- a/src/ap/ieee802_11.c -+++ b/src/ap/ieee802_11.c -@@ -2552,6 +2552,7 @@ static int add_associated_sta(struct hostapd_data *hapd, - { - struct ieee80211_ht_capabilities ht_cap; - struct ieee80211_vht_capabilities vht_cap; -+ int set = 1; - - /* - * Remove the STA entry to ensure the STA PS state gets cleared and -@@ -2559,9 +2560,18 @@ static int add_associated_sta(struct hostapd_data *hapd, - * FT-over-the-DS, where a station re-associates back to the same AP but - * skips the authentication flow, or if working with a driver that - * does not support full AP client state. -+ * -+ * Skip this if the STA has already completed FT reassociation and the -+ * TK has been configured since the TX/RX PN must not be reset to 0 for -+ * the same key. - */ -- if (!sta->added_unassoc) -+ if (!sta->added_unassoc && -+ (!(sta->flags & WLAN_STA_AUTHORIZED) || -+ !wpa_auth_sta_ft_tk_already_set(sta->wpa_sm))) { - hostapd_drv_sta_remove(hapd, sta->addr); -+ wpa_auth_sm_event(sta->wpa_sm, WPA_DRV_STA_REMOVED); -+ set = 0; -+ } - - #ifdef CONFIG_IEEE80211N - if (sta->flags & WLAN_STA_HT) -@@ -2584,11 +2594,11 @@ static int add_associated_sta(struct hostapd_data *hapd, - sta->flags & WLAN_STA_VHT ? &vht_cap : NULL, - sta->flags | WLAN_STA_ASSOC, sta->qosinfo, - sta->vht_opmode, sta->p2p_ie ? 1 : 0, -- sta->added_unassoc)) { -+ set)) { - hostapd_logger(hapd, sta->addr, - HOSTAPD_MODULE_IEEE80211, HOSTAPD_LEVEL_NOTICE, - "Could not %s STA to kernel driver", -- sta->added_unassoc ? "set" : "add"); -+ set ? "set" : "add"); - - if (sta->added_unassoc) { - hostapd_drv_sta_remove(hapd, sta->addr); -diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c -index aca687c..42ef0bf 100644 ---- a/src/ap/wpa_auth.c -+++ b/src/ap/wpa_auth.c -@@ -1785,6 +1785,9 @@ int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event) - #else /* CONFIG_FILS */ - break; - #endif /* CONFIG_FILS */ -+ case WPA_DRV_STA_REMOVED: -+ sm->tk_already_set = FALSE; -+ return 0; - } - - #ifdef CONFIG_IEEE80211R_AP -@@ -3939,6 +3942,14 @@ int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm) - } - - -+int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm) -+{ -+ if (!sm || !wpa_key_mgmt_ft(sm->wpa_key_mgmt)) -+ return 0; -+ return sm->tk_already_set; -+} -+ -+ - int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm, - struct rsn_pmksa_cache_entry *entry) - { -diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h -index 5e8a4cc..f92f8b6 100644 ---- a/src/ap/wpa_auth.h -+++ b/src/ap/wpa_auth.h -@@ -300,7 +300,7 @@ void wpa_receive(struct wpa_authenticator *wpa_auth, - u8 *data, size_t data_len); - enum wpa_event { - WPA_AUTH, WPA_ASSOC, WPA_DISASSOC, WPA_DEAUTH, WPA_REAUTH, -- WPA_REAUTH_EAPOL, WPA_ASSOC_FT, WPA_ASSOC_FILS -+ WPA_REAUTH_EAPOL, WPA_ASSOC_FT, WPA_ASSOC_FILS, WPA_DRV_STA_REMOVED - }; - void wpa_remove_ptk(struct wpa_state_machine *sm); - int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event); -@@ -313,6 +313,7 @@ int wpa_auth_pairwise_set(struct wpa_state_machine *sm); - int wpa_auth_get_pairwise(struct wpa_state_machine *sm); - int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm); - int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm); -+int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm); - int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm, - struct rsn_pmksa_cache_entry *entry); - struct rsn_pmksa_cache_entry * -diff --git a/src/ap/wpa_auth_ft.c b/src/ap/wpa_auth_ft.c -index dd99db7..2120cfd 100644 ---- a/src/ap/wpa_auth_ft.c -+++ b/src/ap/wpa_auth_ft.c -@@ -1937,6 +1937,14 @@ void wpa_ft_install_ptk(struct wpa_state_machine *sm) - return; - } - -+ if (sm->tk_already_set) { -+ /* Must avoid TK reconfiguration to prevent clearing of TX/RX -+ * PN in the driver */ -+ wpa_printf(MSG_DEBUG, -+ "FT: Do not re-install same PTK to the driver"); -+ return; -+ } -+ - /* FIX: add STA entry to kernel/driver here? The set_key will fail - * most likely without this.. At the moment, STA entry is added only - * after association has been completed. This function will be called -@@ -1949,6 +1957,7 @@ void wpa_ft_install_ptk(struct wpa_state_machine *sm) - - /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */ - sm->pairwise_set = TRUE; -+ sm->tk_already_set = TRUE; - } - - -@@ -2152,6 +2161,7 @@ static int wpa_ft_process_auth_req(struct wpa_state_machine *sm, - - sm->pairwise = pairwise; - sm->PTK_valid = TRUE; -+ sm->tk_already_set = FALSE; - wpa_ft_install_ptk(sm); - - buflen = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) + -diff --git a/src/ap/wpa_auth_i.h b/src/ap/wpa_auth_i.h -index 23d2af3..b779af7 100644 ---- a/src/ap/wpa_auth_i.h -+++ b/src/ap/wpa_auth_i.h -@@ -61,6 +61,7 @@ struct wpa_state_machine { - struct wpa_ptk PTK; - Boolean PTK_valid; - Boolean pairwise_set; -+ Boolean tk_already_set; - int keycount; - Boolean Pair; - struct wpa_key_replay_counter { --- -2.7.4 - diff --git a/src/patches/wpa_supplicant/0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch b/src/patches/wpa_supplicant/0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch deleted file mode 100644 index e372e329c..000000000 --- a/src/patches/wpa_supplicant/0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch +++ /dev/null @@ -1,259 +0,0 @@ -From cf62cadcadc68377d72e2238a0f06b21c0777f90 Mon Sep 17 00:00:00 2001 -From: Mathy Vanhoef Mathy.Vanhoef@cs.kuleuven.be -Date: Wed, 12 Jul 2017 16:03:24 +0200 -Subject: [PATCH 2/8] Prevent reinstallation of an already in-use group key - -Track the current GTK and IGTK that is in use and when receiving a -(possibly retransmitted) Group Message 1 or WNM-Sleep Mode Response, do -not install the given key if it is already in use. This prevents an -attacker from trying to trick the client into resetting or lowering the -sequence counter associated to the group key. - -Signed-off-by: Mathy Vanhoef Mathy.Vanhoef@cs.kuleuven.be ---- - src/common/wpa_common.h | 11 +++++ - src/rsn_supp/wpa.c | 118 ++++++++++++++++++++++++++++++------------------ - src/rsn_supp/wpa_i.h | 4 ++ - 3 files changed, 88 insertions(+), 45 deletions(-) - -diff --git a/src/common/wpa_common.h b/src/common/wpa_common.h -index cc8edf8..0872b12 100644 ---- a/src/common/wpa_common.h -+++ b/src/common/wpa_common.h -@@ -221,6 +221,17 @@ struct wpa_ptk { - size_t tk_len; - }; - -+struct wpa_gtk { -+ u8 gtk[WPA_GTK_MAX_LEN]; -+ size_t gtk_len; -+}; -+ -+#ifdef CONFIG_IEEE80211W -+struct wpa_igtk { -+ u8 igtk[WPA_IGTK_MAX_LEN]; -+ size_t igtk_len; -+}; -+#endif /* CONFIG_IEEE80211W */ - - /* WPA IE version 1 - * 00-50-f2:1 (OUI:OUI type) -diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c -index 739689d..5e5fb2a 100644 ---- a/src/rsn_supp/wpa.c -+++ b/src/rsn_supp/wpa.c -@@ -800,6 +800,15 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm, - const u8 *_gtk = gd->gtk; - u8 gtk_buf[32]; - -+ /* Detect possible key reinstallation */ -+ if (sm->gtk.gtk_len == (size_t) gd->gtk_len && -+ os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) { -+ wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, -+ "WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)", -+ gd->keyidx, gd->tx, gd->gtk_len); -+ return 0; -+ } -+ - wpa_hexdump_key(MSG_DEBUG, "WPA: Group Key", gd->gtk, gd->gtk_len); - wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, - "WPA: Installing GTK to the driver (keyidx=%d tx=%d len=%d)", -@@ -834,6 +843,9 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm, - } - os_memset(gtk_buf, 0, sizeof(gtk_buf)); - -+ sm->gtk.gtk_len = gd->gtk_len; -+ os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len); -+ - return 0; - } - -@@ -940,6 +952,48 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm, - } - - -+#ifdef CONFIG_IEEE80211W -+static int wpa_supplicant_install_igtk(struct wpa_sm *sm, -+ const struct wpa_igtk_kde *igtk) -+{ -+ size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher); -+ u16 keyidx = WPA_GET_LE16(igtk->keyid); -+ -+ /* Detect possible key reinstallation */ -+ if (sm->igtk.igtk_len == len && -+ os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) { -+ wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, -+ "WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)", -+ keyidx); -+ return 0; -+ } -+ -+ wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, -+ "WPA: IGTK keyid %d pn %02x%02x%02x%02x%02x%02x", -+ keyidx, MAC2STR(igtk->pn)); -+ wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK", igtk->igtk, len); -+ if (keyidx > 4095) { -+ wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, -+ "WPA: Invalid IGTK KeyID %d", keyidx); -+ return -1; -+ } -+ if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher), -+ broadcast_ether_addr, -+ keyidx, 0, igtk->pn, sizeof(igtk->pn), -+ igtk->igtk, len) < 0) { -+ wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, -+ "WPA: Failed to configure IGTK to the driver"); -+ return -1; -+ } -+ -+ sm->igtk.igtk_len = len; -+ os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len); -+ -+ return 0; -+} -+#endif /* CONFIG_IEEE80211W */ -+ -+ - static int ieee80211w_set_keys(struct wpa_sm *sm, - struct wpa_eapol_ie_parse *ie) - { -@@ -950,30 +1004,14 @@ static int ieee80211w_set_keys(struct wpa_sm *sm, - if (ie->igtk) { - size_t len; - const struct wpa_igtk_kde *igtk; -- u16 keyidx; -+ - len = wpa_cipher_key_len(sm->mgmt_group_cipher); - if (ie->igtk_len != WPA_IGTK_KDE_PREFIX_LEN + len) - return -1; -+ - igtk = (const struct wpa_igtk_kde *) ie->igtk; -- keyidx = WPA_GET_LE16(igtk->keyid); -- wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: IGTK keyid %d " -- "pn %02x%02x%02x%02x%02x%02x", -- keyidx, MAC2STR(igtk->pn)); -- wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK", -- igtk->igtk, len); -- if (keyidx > 4095) { -- wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, -- "WPA: Invalid IGTK KeyID %d", keyidx); -- return -1; -- } -- if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher), -- broadcast_ether_addr, -- keyidx, 0, igtk->pn, sizeof(igtk->pn), -- igtk->igtk, len) < 0) { -- wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, -- "WPA: Failed to configure IGTK to the driver"); -+ if (wpa_supplicant_install_igtk(sm, igtk) < 0) - return -1; -- } - } - - return 0; -@@ -2491,7 +2529,7 @@ void wpa_sm_deinit(struct wpa_sm *sm) - */ - void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid) - { -- int clear_ptk = 1; -+ int clear_keys = 1; - - if (sm == NULL) - return; -@@ -2517,7 +2555,7 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid) - /* Prepare for the next transition */ - wpa_ft_prepare_auth_request(sm, NULL); - -- clear_ptk = 0; -+ clear_keys = 0; - } - #endif /* CONFIG_IEEE80211R */ - #ifdef CONFIG_FILS -@@ -2527,11 +2565,11 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid) - * AUTHENTICATED state to get the EAPOL port Authorized. - */ - wpa_supplicant_key_neg_complete(sm, sm->bssid, 1); -- clear_ptk = 0; -+ clear_keys = 0; - } - #endif /* CONFIG_FILS */ - -- if (clear_ptk) { -+ if (clear_keys) { - /* - * IEEE 802.11, 8.4.10: Delete PTK SA on (re)association if - * this is not part of a Fast BSS Transition. -@@ -2541,6 +2579,10 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid) - os_memset(&sm->ptk, 0, sizeof(sm->ptk)); - sm->tptk_set = 0; - os_memset(&sm->tptk, 0, sizeof(sm->tptk)); -+ os_memset(&sm->gtk, 0, sizeof(sm->gtk)); -+#ifdef CONFIG_IEEE80211W -+ os_memset(&sm->igtk, 0, sizeof(sm->igtk)); -+#endif /* CONFIG_IEEE80211W */ - } - - #ifdef CONFIG_TDLS -@@ -3117,6 +3159,10 @@ void wpa_sm_drop_sa(struct wpa_sm *sm) - os_memset(sm->pmk, 0, sizeof(sm->pmk)); - os_memset(&sm->ptk, 0, sizeof(sm->ptk)); - os_memset(&sm->tptk, 0, sizeof(sm->tptk)); -+ os_memset(&sm->gtk, 0, sizeof(sm->gtk)); -+#ifdef CONFIG_IEEE80211W -+ os_memset(&sm->igtk, 0, sizeof(sm->igtk)); -+#endif /* CONFIG_IEEE80211W */ - #ifdef CONFIG_IEEE80211R - os_memset(sm->xxkey, 0, sizeof(sm->xxkey)); - os_memset(sm->pmk_r0, 0, sizeof(sm->pmk_r0)); -@@ -3189,29 +3235,11 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf) - os_memset(&gd, 0, sizeof(gd)); - #ifdef CONFIG_IEEE80211W - } else if (subelem_id == WNM_SLEEP_SUBELEM_IGTK) { -- struct wpa_igtk_kde igd; -- u16 keyidx; -- -- os_memset(&igd, 0, sizeof(igd)); -- keylen = wpa_cipher_key_len(sm->mgmt_group_cipher); -- os_memcpy(igd.keyid, buf + 2, 2); -- os_memcpy(igd.pn, buf + 4, 6); -- -- keyidx = WPA_GET_LE16(igd.keyid); -- os_memcpy(igd.igtk, buf + 10, keylen); -- -- wpa_hexdump_key(MSG_DEBUG, "Install IGTK (WNM SLEEP)", -- igd.igtk, keylen); -- if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher), -- broadcast_ether_addr, -- keyidx, 0, igd.pn, sizeof(igd.pn), -- igd.igtk, keylen) < 0) { -- wpa_printf(MSG_DEBUG, "Failed to install the IGTK in " -- "WNM mode"); -- os_memset(&igd, 0, sizeof(igd)); -+ const struct wpa_igtk_kde *igtk; -+ -+ igtk = (const struct wpa_igtk_kde *) (buf + 2); -+ if (wpa_supplicant_install_igtk(sm, igtk) < 0) - return -1; -- } -- os_memset(&igd, 0, sizeof(igd)); - #endif /* CONFIG_IEEE80211W */ - } else { - wpa_printf(MSG_DEBUG, "Unknown element id"); -diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h -index 82e1941..2827ed6 100644 ---- a/src/rsn_supp/wpa_i.h -+++ b/src/rsn_supp/wpa_i.h -@@ -31,6 +31,10 @@ struct wpa_sm { - u8 rx_replay_counter[WPA_REPLAY_COUNTER_LEN]; - int rx_replay_counter_set; - u8 request_counter[WPA_REPLAY_COUNTER_LEN]; -+ struct wpa_gtk gtk; -+#ifdef CONFIG_IEEE80211W -+ struct wpa_igtk igtk; -+#endif /* CONFIG_IEEE80211W */ - - struct eapol_sm *eapol; /* EAPOL state machine from upper level code */ - --- -2.7.4 - diff --git a/src/patches/wpa_supplicant/0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch b/src/patches/wpa_supplicant/0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch deleted file mode 100644 index 68059de04..000000000 --- a/src/patches/wpa_supplicant/0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch +++ /dev/null @@ -1,193 +0,0 @@ -From a0d426a662997b87095c87edc1d2bdc6e1c8fd11 Mon Sep 17 00:00:00 2001 -From: Jouni Malinen j@w1.fi -Date: Sun, 1 Oct 2017 12:12:24 +0300 -Subject: [PATCH 3/8] Extend protection of GTK/IGTK reinstallation of WNM-Sleep - Mode cases - -This extends the protection to track last configured GTK/IGTK value -separately from EAPOL-Key frames and WNM-Sleep Mode frames to cover a -corner case where these two different mechanisms may get used when the -GTK/IGTK has changed and tracking a single value is not sufficient to -detect a possible key reconfiguration. - -Signed-off-by: Jouni Malinen j@w1.fi ---- - src/rsn_supp/wpa.c | 55 +++++++++++++++++++++++++++++++++++++--------------- - src/rsn_supp/wpa_i.h | 2 ++ - 2 files changed, 41 insertions(+), 16 deletions(-) - -diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c -index 5e5fb2a..3c8871d 100644 ---- a/src/rsn_supp/wpa.c -+++ b/src/rsn_supp/wpa.c -@@ -795,14 +795,17 @@ struct wpa_gtk_data { - - static int wpa_supplicant_install_gtk(struct wpa_sm *sm, - const struct wpa_gtk_data *gd, -- const u8 *key_rsc) -+ const u8 *key_rsc, int wnm_sleep) - { - const u8 *_gtk = gd->gtk; - u8 gtk_buf[32]; - - /* Detect possible key reinstallation */ -- if (sm->gtk.gtk_len == (size_t) gd->gtk_len && -- os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) { -+ if ((sm->gtk.gtk_len == (size_t) gd->gtk_len && -+ os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) || -+ (sm->gtk_wnm_sleep.gtk_len == (size_t) gd->gtk_len && -+ os_memcmp(sm->gtk_wnm_sleep.gtk, gd->gtk, -+ sm->gtk_wnm_sleep.gtk_len) == 0)) { - wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, - "WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)", - gd->keyidx, gd->tx, gd->gtk_len); -@@ -843,8 +846,14 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm, - } - os_memset(gtk_buf, 0, sizeof(gtk_buf)); - -- sm->gtk.gtk_len = gd->gtk_len; -- os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len); -+ if (wnm_sleep) { -+ sm->gtk_wnm_sleep.gtk_len = gd->gtk_len; -+ os_memcpy(sm->gtk_wnm_sleep.gtk, gd->gtk, -+ sm->gtk_wnm_sleep.gtk_len); -+ } else { -+ sm->gtk.gtk_len = gd->gtk_len; -+ os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len); -+ } - - return 0; - } -@@ -938,7 +947,7 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm, - (wpa_supplicant_check_group_cipher(sm, sm->group_cipher, - gtk_len, gtk_len, - &gd.key_rsc_len, &gd.alg) || -- wpa_supplicant_install_gtk(sm, &gd, key_rsc))) { -+ wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0))) { - wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, - "RSN: Failed to install GTK"); - os_memset(&gd, 0, sizeof(gd)); -@@ -954,14 +963,18 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm, - - #ifdef CONFIG_IEEE80211W - static int wpa_supplicant_install_igtk(struct wpa_sm *sm, -- const struct wpa_igtk_kde *igtk) -+ const struct wpa_igtk_kde *igtk, -+ int wnm_sleep) - { - size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher); - u16 keyidx = WPA_GET_LE16(igtk->keyid); - - /* Detect possible key reinstallation */ -- if (sm->igtk.igtk_len == len && -- os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) { -+ if ((sm->igtk.igtk_len == len && -+ os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) || -+ (sm->igtk_wnm_sleep.igtk_len == len && -+ os_memcmp(sm->igtk_wnm_sleep.igtk, igtk->igtk, -+ sm->igtk_wnm_sleep.igtk_len) == 0)) { - wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, - "WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)", - keyidx); -@@ -986,8 +999,14 @@ static int wpa_supplicant_install_igtk(struct wpa_sm *sm, - return -1; - } - -- sm->igtk.igtk_len = len; -- os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len); -+ if (wnm_sleep) { -+ sm->igtk_wnm_sleep.igtk_len = len; -+ os_memcpy(sm->igtk_wnm_sleep.igtk, igtk->igtk, -+ sm->igtk_wnm_sleep.igtk_len); -+ } else { -+ sm->igtk.igtk_len = len; -+ os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len); -+ } - - return 0; - } -@@ -1010,7 +1029,7 @@ static int ieee80211w_set_keys(struct wpa_sm *sm, - return -1; - - igtk = (const struct wpa_igtk_kde *) ie->igtk; -- if (wpa_supplicant_install_igtk(sm, igtk) < 0) -+ if (wpa_supplicant_install_igtk(sm, igtk, 0) < 0) - return -1; - } - -@@ -1659,7 +1678,7 @@ static void wpa_supplicant_process_1_of_2(struct wpa_sm *sm, - if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc)) - key_rsc = null_rsc; - -- if (wpa_supplicant_install_gtk(sm, &gd, key_rsc) || -+ if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0) || - wpa_supplicant_send_2_of_2(sm, key, ver, key_info) < 0) - goto failed; - os_memset(&gd, 0, sizeof(gd)); -@@ -2580,8 +2599,10 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid) - sm->tptk_set = 0; - os_memset(&sm->tptk, 0, sizeof(sm->tptk)); - os_memset(&sm->gtk, 0, sizeof(sm->gtk)); -+ os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep)); - #ifdef CONFIG_IEEE80211W - os_memset(&sm->igtk, 0, sizeof(sm->igtk)); -+ os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep)); - #endif /* CONFIG_IEEE80211W */ - } - -@@ -3160,8 +3181,10 @@ void wpa_sm_drop_sa(struct wpa_sm *sm) - os_memset(&sm->ptk, 0, sizeof(sm->ptk)); - os_memset(&sm->tptk, 0, sizeof(sm->tptk)); - os_memset(&sm->gtk, 0, sizeof(sm->gtk)); -+ os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep)); - #ifdef CONFIG_IEEE80211W - os_memset(&sm->igtk, 0, sizeof(sm->igtk)); -+ os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep)); - #endif /* CONFIG_IEEE80211W */ - #ifdef CONFIG_IEEE80211R - os_memset(sm->xxkey, 0, sizeof(sm->xxkey)); -@@ -3226,7 +3249,7 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf) - - wpa_hexdump_key(MSG_DEBUG, "Install GTK (WNM SLEEP)", - gd.gtk, gd.gtk_len); -- if (wpa_supplicant_install_gtk(sm, &gd, key_rsc)) { -+ if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 1)) { - os_memset(&gd, 0, sizeof(gd)); - wpa_printf(MSG_DEBUG, "Failed to install the GTK in " - "WNM mode"); -@@ -3238,7 +3261,7 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf) - const struct wpa_igtk_kde *igtk; - - igtk = (const struct wpa_igtk_kde *) (buf + 2); -- if (wpa_supplicant_install_igtk(sm, igtk) < 0) -+ if (wpa_supplicant_install_igtk(sm, igtk, 1) < 0) - return -1; - #endif /* CONFIG_IEEE80211W */ - } else { -@@ -4132,7 +4155,7 @@ int fils_process_assoc_resp(struct wpa_sm *sm, const u8 *resp, size_t len) - os_memcpy(gd.gtk, kde.gtk + 2, kde.gtk_len - 2); - - wpa_printf(MSG_DEBUG, "FILS: Set GTK to driver"); -- if (wpa_supplicant_install_gtk(sm, &gd, elems.key_delivery) < 0) { -+ if (wpa_supplicant_install_gtk(sm, &gd, elems.key_delivery, 0) < 0) { - wpa_printf(MSG_DEBUG, "FILS: Failed to set GTK"); - goto fail; - } -diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h -index 2827ed6..156e6cb 100644 ---- a/src/rsn_supp/wpa_i.h -+++ b/src/rsn_supp/wpa_i.h -@@ -32,8 +32,10 @@ struct wpa_sm { - int rx_replay_counter_set; - u8 request_counter[WPA_REPLAY_COUNTER_LEN]; - struct wpa_gtk gtk; -+ struct wpa_gtk gtk_wnm_sleep; - #ifdef CONFIG_IEEE80211W - struct wpa_igtk igtk; -+ struct wpa_igtk igtk_wnm_sleep; - #endif /* CONFIG_IEEE80211W */ - - struct eapol_sm *eapol; /* EAPOL state machine from upper level code */ --- -2.7.4 - diff --git a/src/patches/wpa_supplicant/0004-Prevent-installation-of-an-all-zero-TK.patch b/src/patches/wpa_supplicant/0004-Prevent-installation-of-an-all-zero-TK.patch deleted file mode 100644 index e3bfccbaf..000000000 --- a/src/patches/wpa_supplicant/0004-Prevent-installation-of-an-all-zero-TK.patch +++ /dev/null @@ -1,87 +0,0 @@ -From 327b6d780f2667e99e9b74d4c064531c0208b22b Mon Sep 17 00:00:00 2001 -From: Mathy Vanhoef Mathy.Vanhoef@cs.kuleuven.be -Date: Fri, 29 Sep 2017 04:22:51 +0200 -Subject: [PATCH 4/8] Prevent installation of an all-zero TK - -Properly track whether a PTK has already been installed to the driver -and the TK part cleared from memory. This prevents an attacker from -trying to trick the client into installing an all-zero TK. - -This fixes the earlier fix in commit -ad00d64e7d8827b3cebd665a0ceb08adabf15e1e ('Fix TK configuration to the -driver in EAPOL-Key 3/4 retry case') which did not take into account -possibility of an extra message 1/4 showing up between retries of -message 3/4. - -Signed-off-by: Mathy Vanhoef Mathy.Vanhoef@cs.kuleuven.be ---- - src/common/wpa_common.h | 1 + - src/rsn_supp/wpa.c | 6 +++--- - src/rsn_supp/wpa_i.h | 1 - - 3 files changed, 4 insertions(+), 4 deletions(-) - -diff --git a/src/common/wpa_common.h b/src/common/wpa_common.h -index 0872b12..8411686 100644 ---- a/src/common/wpa_common.h -+++ b/src/common/wpa_common.h -@@ -219,6 +219,7 @@ struct wpa_ptk { - size_t kck_len; - size_t kek_len; - size_t tk_len; -+ int installed; /* 1 if key has already been installed to driver */ - }; - - struct wpa_gtk { -diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c -index 3c8871d..cf9bf1c 100644 ---- a/src/rsn_supp/wpa.c -+++ b/src/rsn_supp/wpa.c -@@ -594,7 +594,6 @@ static void wpa_supplicant_process_1_of_4(struct wpa_sm *sm, - os_memset(buf, 0, sizeof(buf)); - } - sm->tptk_set = 1; -- sm->tk_to_set = 1; - - kde = sm->assoc_wpa_ie; - kde_len = sm->assoc_wpa_ie_len; -@@ -701,7 +700,7 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm, - enum wpa_alg alg; - const u8 *key_rsc; - -- if (!sm->tk_to_set) { -+ if (sm->ptk.installed) { - wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, - "WPA: Do not re-install same PTK to the driver"); - return 0; -@@ -745,7 +744,7 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm, - - /* TK is not needed anymore in supplicant */ - os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN); -- sm->tk_to_set = 0; -+ sm->ptk.installed = 1; - - if (sm->wpa_ptk_rekey) { - eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL); -@@ -4183,6 +4182,7 @@ int fils_process_assoc_resp(struct wpa_sm *sm, const u8 *resp, size_t len) - * takes care of association frame encryption/decryption. */ - /* TK is not needed anymore in supplicant */ - os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN); -+ sm->ptk.installed = 1; - - /* FILS HLP Container */ - fils_process_hlp_container(sm, ie_start, end - ie_start); -diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h -index 156e6cb..3b42245 100644 ---- a/src/rsn_supp/wpa_i.h -+++ b/src/rsn_supp/wpa_i.h -@@ -24,7 +24,6 @@ struct wpa_sm { - struct wpa_ptk ptk, tptk; - int ptk_set, tptk_set; - unsigned int msg_3_of_4_ok:1; -- unsigned int tk_to_set:1; - u8 snonce[WPA_NONCE_LEN]; - u8 anonce[WPA_NONCE_LEN]; /* ANonce from the last 1/4 msg */ - int renew_snonce; --- -2.7.4 - diff --git a/src/patches/wpa_supplicant/0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch b/src/patches/wpa_supplicant/0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch deleted file mode 100644 index b019152f3..000000000 --- a/src/patches/wpa_supplicant/0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch +++ /dev/null @@ -1,64 +0,0 @@ -From f1800cce24e8f81e909a68fe8ef1f13abfdec9e3 Mon Sep 17 00:00:00 2001 -From: Jouni Malinen j@w1.fi -Date: Sun, 1 Oct 2017 12:32:57 +0300 -Subject: [PATCH 5/8] Fix PTK rekeying to generate a new ANonce - -The Authenticator state machine path for PTK rekeying ended up bypassing -the AUTHENTICATION2 state where a new ANonce is generated when going -directly to the PTKSTART state since there is no need to try to -determine the PMK again in such a case. This is far from ideal since the -new PTK would depend on a new nonce only from the supplicant. - -Fix this by generating a new ANonce when moving to the PTKSTART state -for the purpose of starting new 4-way handshake to rekey PTK. - -Signed-off-by: Jouni Malinen j@w1.fi ---- - src/ap/wpa_auth.c | 24 +++++++++++++++++++++--- - 1 file changed, 21 insertions(+), 3 deletions(-) - -diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c -index 42ef0bf..3b2f97c 100644 ---- a/src/ap/wpa_auth.c -+++ b/src/ap/wpa_auth.c -@@ -1953,6 +1953,21 @@ SM_STATE(WPA_PTK, AUTHENTICATION2) - } - - -+static int wpa_auth_sm_ptk_update(struct wpa_state_machine *sm) -+{ -+ if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) { -+ wpa_printf(MSG_ERROR, -+ "WPA: Failed to get random data for ANonce"); -+ sm->Disconnect = TRUE; -+ return -1; -+ } -+ wpa_hexdump(MSG_DEBUG, "WPA: Assign new ANonce", sm->ANonce, -+ WPA_NONCE_LEN); -+ sm->TimeoutCtr = 0; -+ return 0; -+} -+ -+ - SM_STATE(WPA_PTK, INITPMK) - { - u8 msk[2 * PMK_LEN]; -@@ -3129,9 +3144,12 @@ SM_STEP(WPA_PTK) - SM_ENTER(WPA_PTK, AUTHENTICATION); - else if (sm->ReAuthenticationRequest) - SM_ENTER(WPA_PTK, AUTHENTICATION2); -- else if (sm->PTKRequest) -- SM_ENTER(WPA_PTK, PTKSTART); -- else switch (sm->wpa_ptk_state) { -+ else if (sm->PTKRequest) { -+ if (wpa_auth_sm_ptk_update(sm) < 0) -+ SM_ENTER(WPA_PTK, DISCONNECTED); -+ else -+ SM_ENTER(WPA_PTK, PTKSTART); -+ } else switch (sm->wpa_ptk_state) { - case WPA_PTK_INITIALIZE: - break; - case WPA_PTK_DISCONNECT: --- -2.7.4 - diff --git a/src/patches/wpa_supplicant/0006-TDLS-Reject-TPK-TK-reconfiguration.patch b/src/patches/wpa_supplicant/0006-TDLS-Reject-TPK-TK-reconfiguration.patch deleted file mode 100644 index d857e50eb..000000000 --- a/src/patches/wpa_supplicant/0006-TDLS-Reject-TPK-TK-reconfiguration.patch +++ /dev/null @@ -1,132 +0,0 @@ -From 1b198fae80a4c97ecf358fe825c0488d6ac0e65e Mon Sep 17 00:00:00 2001 -From: Jouni Malinen j@w1.fi -Date: Fri, 22 Sep 2017 11:03:15 +0300 -Subject: [PATCH 6/8] TDLS: Reject TPK-TK reconfiguration - -Do not try to reconfigure the same TPK-TK to the driver after it has -been successfully configured. This is an explicit check to avoid issues -related to resetting the TX/RX packet number. There was already a check -for this for TPK M2 (retries of that message are ignored completely), so -that behavior does not get modified. - -For TPK M3, the TPK-TK could have been reconfigured, but that was -followed by immediate teardown of the link due to an issue in updating -the STA entry. Furthermore, for TDLS with any real security (i.e., -ignoring open/WEP), the TPK message exchange is protected on the AP path -and simple replay attacks are not feasible. - -As an additional corner case, make sure the local nonce gets updated if -the peer uses a very unlikely "random nonce" of all zeros. - -Signed-off-by: Jouni Malinen j@w1.fi ---- - src/rsn_supp/tdls.c | 38 ++++++++++++++++++++++++++++++++++++-- - 1 file changed, 36 insertions(+), 2 deletions(-) - -diff --git a/src/rsn_supp/tdls.c b/src/rsn_supp/tdls.c -index 7c95bed..5e350ed 100644 ---- a/src/rsn_supp/tdls.c -+++ b/src/rsn_supp/tdls.c -@@ -112,6 +112,7 @@ struct wpa_tdls_peer { - u8 tk[16]; /* TPK-TK; assuming only CCMP will be used */ - } tpk; - int tpk_set; -+ int tk_set; /* TPK-TK configured to the driver */ - int tpk_success; - int tpk_in_progress; - -@@ -192,6 +193,20 @@ static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) - u8 rsc[6]; - enum wpa_alg alg; - -+ if (peer->tk_set) { -+ /* -+ * This same TPK-TK has already been configured to the driver -+ * and this new configuration attempt (likely due to an -+ * unexpected retransmitted frame) would result in clearing -+ * the TX/RX sequence number which can break security, so must -+ * not allow that to happen. -+ */ -+ wpa_printf(MSG_INFO, "TDLS: TPK-TK for the peer " MACSTR -+ " has already been configured to the driver - do not reconfigure", -+ MAC2STR(peer->addr)); -+ return -1; -+ } -+ - os_memset(rsc, 0, 6); - - switch (peer->cipher) { -@@ -209,12 +224,15 @@ static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) - return -1; - } - -+ wpa_printf(MSG_DEBUG, "TDLS: Configure pairwise key for peer " MACSTR, -+ MAC2STR(peer->addr)); - if (wpa_sm_set_key(sm, alg, peer->addr, -1, 1, - rsc, sizeof(rsc), peer->tpk.tk, key_len) < 0) { - wpa_printf(MSG_WARNING, "TDLS: Failed to set TPK to the " - "driver"); - return -1; - } -+ peer->tk_set = 1; - return 0; - } - -@@ -693,7 +711,7 @@ static void wpa_tdls_peer_clear(struct wpa_sm *sm, struct wpa_tdls_peer *peer) - peer->cipher = 0; - peer->qos_info = 0; - peer->wmm_capable = 0; -- peer->tpk_set = peer->tpk_success = 0; -+ peer->tk_set = peer->tpk_set = peer->tpk_success = 0; - peer->chan_switch_enabled = 0; - os_memset(&peer->tpk, 0, sizeof(peer->tpk)); - os_memset(peer->inonce, 0, WPA_NONCE_LEN); -@@ -1156,6 +1174,7 @@ skip_rsnie: - wpa_tdls_peer_free(sm, peer); - return -1; - } -+ peer->tk_set = 0; /* A new nonce results in a new TK */ - wpa_hexdump(MSG_DEBUG, "TDLS: Initiator Nonce for TPK handshake", - peer->inonce, WPA_NONCE_LEN); - os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); -@@ -1749,6 +1768,19 @@ static int wpa_tdls_addset_peer(struct wpa_sm *sm, struct wpa_tdls_peer *peer, - } - - -+static int tdls_nonce_set(const u8 *nonce) -+{ -+ int i; -+ -+ for (i = 0; i < WPA_NONCE_LEN; i++) { -+ if (nonce[i]) -+ return 1; -+ } -+ -+ return 0; -+} -+ -+ - static int wpa_tdls_process_tpk_m1(struct wpa_sm *sm, const u8 *src_addr, - const u8 *buf, size_t len) - { -@@ -2002,7 +2034,8 @@ skip_rsn: - peer->rsnie_i_len = kde.rsn_ie_len; - peer->cipher = cipher; - -- if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) { -+ if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0 || -+ !tdls_nonce_set(peer->inonce)) { - /* - * There is no point in updating the RNonce for every obtained - * TPK M1 frame (e.g., retransmission due to timeout) with the -@@ -2018,6 +2051,7 @@ skip_rsn: - "TDLS: Failed to get random data for responder nonce"); - goto error; - } -+ peer->tk_set = 0; /* A new nonce results in a new TK */ - } - - #if 0 --- -2.7.4 - diff --git a/src/patches/wpa_supplicant/0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch b/src/patches/wpa_supplicant/0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch deleted file mode 100644 index 890eb3471..000000000 --- a/src/patches/wpa_supplicant/0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch +++ /dev/null @@ -1,43 +0,0 @@ -From b839814391abb4f95486ef2e24eb5498267eccf5 Mon Sep 17 00:00:00 2001 -From: Jouni Malinen j@w1.fi -Date: Fri, 22 Sep 2017 11:25:02 +0300 -Subject: [PATCH 7/8] WNM: Ignore WNM-Sleep Mode Response without pending - request - -Commit 03ed0a52393710be6bdae657d1b36efa146520e5 ('WNM: Ignore WNM-Sleep -Mode Response if WNM-Sleep Mode has not been used') started ignoring the -response when no WNM-Sleep Mode Request had been used during the -association. This can be made tighter by clearing the used flag when -successfully processing a response. This adds an additional layer of -protection against unexpected retransmissions of the response frame. - -Signed-off-by: Jouni Malinen j@w1.fi ---- - wpa_supplicant/wnm_sta.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/wpa_supplicant/wnm_sta.c b/wpa_supplicant/wnm_sta.c -index 7339ed2..28346ea 100644 ---- a/wpa_supplicant/wnm_sta.c -+++ b/wpa_supplicant/wnm_sta.c -@@ -260,7 +260,7 @@ static void ieee802_11_rx_wnmsleep_resp(struct wpa_supplicant *wpa_s, - - if (!wpa_s->wnmsleep_used) { - wpa_printf(MSG_DEBUG, -- "WNM: Ignore WNM-Sleep Mode Response frame since WNM-Sleep Mode has not been used in this association"); -+ "WNM: Ignore WNM-Sleep Mode Response frame since WNM-Sleep Mode operation has not been requested"); - return; - } - -@@ -299,6 +299,8 @@ static void ieee802_11_rx_wnmsleep_resp(struct wpa_supplicant *wpa_s, - return; - } - -+ wpa_s->wnmsleep_used = 0; -+ - if (wnmsleep_ie->status == WNM_STATUS_SLEEP_ACCEPT || - wnmsleep_ie->status == WNM_STATUS_SLEEP_EXIT_ACCEPT_GTK_UPDATE) { - wpa_printf(MSG_DEBUG, "Successfully recv WNM-Sleep Response " --- -2.7.4 - diff --git a/src/patches/wpa_supplicant/0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch b/src/patches/wpa_supplicant/0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch deleted file mode 100644 index e5c56b849..000000000 --- a/src/patches/wpa_supplicant/0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch +++ /dev/null @@ -1,82 +0,0 @@ -From dc55ea1e483125145459ae1e55be3b95e6263302 Mon Sep 17 00:00:00 2001 -From: Jouni Malinen j@w1.fi -Date: Fri, 22 Sep 2017 12:06:37 +0300 -Subject: [PATCH 8/8] FT: Do not allow multiple Reassociation Response frames - -The driver is expected to not report a second association event without -the station having explicitly request a new association. As such, this -case should not be reachable. However, since reconfiguring the same -pairwise or group keys to the driver could result in nonce reuse issues, -be extra careful here and do an additional state check to avoid this -even if the local driver ends up somehow accepting an unexpected -Reassociation Response frame. - -Signed-off-by: Jouni Malinen j@w1.fi ---- - src/rsn_supp/wpa.c | 3 +++ - src/rsn_supp/wpa_ft.c | 8 ++++++++ - src/rsn_supp/wpa_i.h | 1 + - 3 files changed, 12 insertions(+) - -diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c -index cf9bf1c..ed467e6 100644 ---- a/src/rsn_supp/wpa.c -+++ b/src/rsn_supp/wpa.c -@@ -2637,6 +2637,9 @@ void wpa_sm_notify_disassoc(struct wpa_sm *sm) - #ifdef CONFIG_FILS - sm->fils_completed = 0; - #endif /* CONFIG_FILS */ -+#ifdef CONFIG_IEEE80211R -+ sm->ft_reassoc_completed = 0; -+#endif /* CONFIG_IEEE80211R */ - - /* Keys are not needed in the WPA state machine anymore */ - wpa_sm_drop_sa(sm); -diff --git a/src/rsn_supp/wpa_ft.c b/src/rsn_supp/wpa_ft.c -index aeb7aff..1ff7afe 100644 ---- a/src/rsn_supp/wpa_ft.c -+++ b/src/rsn_supp/wpa_ft.c -@@ -153,6 +153,7 @@ static u8 * wpa_ft_gen_req_ies(struct wpa_sm *sm, size_t *len, - u16 capab; - - sm->ft_completed = 0; -+ sm->ft_reassoc_completed = 0; - - buf_len = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) + - 2 + sm->r0kh_id_len + ric_ies_len + 100; -@@ -687,6 +688,11 @@ int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies, - return -1; - } - -+ if (sm->ft_reassoc_completed) { -+ wpa_printf(MSG_DEBUG, "FT: Reassociation has already been completed for this FT protocol instance - ignore unexpected retransmission"); -+ return 0; -+ } -+ - if (wpa_ft_parse_ies(ies, ies_len, &parse) < 0) { - wpa_printf(MSG_DEBUG, "FT: Failed to parse IEs"); - return -1; -@@ -787,6 +793,8 @@ int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies, - return -1; - } - -+ sm->ft_reassoc_completed = 1; -+ - if (wpa_ft_process_gtk_subelem(sm, parse.gtk, parse.gtk_len) < 0) - return -1; - -diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h -index 3b42245..148c654 100644 ---- a/src/rsn_supp/wpa_i.h -+++ b/src/rsn_supp/wpa_i.h -@@ -128,6 +128,7 @@ struct wpa_sm { - size_t r0kh_id_len; - u8 r1kh_id[FT_R1KH_ID_LEN]; - int ft_completed; -+ int ft_reassoc_completed; - int over_the_ds_in_progress; - u8 target_ap[ETH_ALEN]; /* over-the-DS target AP */ - int set_ptk_after_assoc; --- -2.7.4 - diff --git a/src/patches/wpa_supplicant/rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch b/src/patches/wpa_supplicant/rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch deleted file mode 100644 index 727684865..000000000 --- a/src/patches/wpa_supplicant/rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch +++ /dev/null @@ -1,174 +0,0 @@ -From cf4cab804c7afd5c45505528a8d16e46163243a2 Mon Sep 17 00:00:00 2001 -From: Mathy Vanhoef Mathy.Vanhoef@cs.kuleuven.be -Date: Fri, 14 Jul 2017 15:15:35 +0200 -Subject: [PATCH 1/8] hostapd: Avoid key reinstallation in FT handshake - -Do not reinstall TK to the driver during Reassociation Response frame -processing if the first attempt of setting the TK succeeded. This avoids -issues related to clearing the TX/RX PN that could result in reusing -same PN values for transmitted frames (e.g., due to CCM nonce reuse and -also hitting replay protection on the receiver) and accepting replayed -frames on RX side. - -This issue was introduced by the commit -0e84c25434e6a1f283c7b4e62e483729085b78d2 ('FT: Fix PTK configuration in -authenticator') which allowed wpa_ft_install_ptk() to be called multiple -times with the same PTK. While the second configuration attempt is -needed with some drivers, it must be done only if the first attempt -failed. - -Signed-off-by: Mathy Vanhoef Mathy.Vanhoef@cs.kuleuven.be ---- - src/ap/ieee802_11.c | 16 +++++++++++++--- - src/ap/wpa_auth.c | 11 +++++++++++ - src/ap/wpa_auth.h | 3 ++- - src/ap/wpa_auth_ft.c | 10 ++++++++++ - src/ap/wpa_auth_i.h | 1 + - 5 files changed, 37 insertions(+), 4 deletions(-) - -diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c -index 4e04169..333035f 100644 ---- a/src/ap/ieee802_11.c -+++ b/src/ap/ieee802_11.c -@@ -1841,6 +1841,7 @@ static int add_associated_sta(struct hostapd_data *hapd, - { - struct ieee80211_ht_capabilities ht_cap; - struct ieee80211_vht_capabilities vht_cap; -+ int set = 1; - - /* - * Remove the STA entry to ensure the STA PS state gets cleared and -@@ -1848,9 +1849,18 @@ static int add_associated_sta(struct hostapd_data *hapd, - * FT-over-the-DS, where a station re-associates back to the same AP but - * skips the authentication flow, or if working with a driver that - * does not support full AP client state. -+ * -+ * Skip this if the STA has already completed FT reassociation and the -+ * TK has been configured since the TX/RX PN must not be reset to 0 for -+ * the same key. - */ -- if (!sta->added_unassoc) -+ if (!sta->added_unassoc && -+ (!(sta->flags & WLAN_STA_AUTHORIZED) || -+ !wpa_auth_sta_ft_tk_already_set(sta->wpa_sm))) { - hostapd_drv_sta_remove(hapd, sta->addr); -+ wpa_auth_sm_event(sta->wpa_sm, WPA_DRV_STA_REMOVED); -+ set = 0; -+ } - - #ifdef CONFIG_IEEE80211N - if (sta->flags & WLAN_STA_HT) -@@ -1873,11 +1883,11 @@ static int add_associated_sta(struct hostapd_data *hapd, - sta->flags & WLAN_STA_VHT ? &vht_cap : NULL, - sta->flags | WLAN_STA_ASSOC, sta->qosinfo, - sta->vht_opmode, sta->p2p_ie ? 1 : 0, -- sta->added_unassoc)) { -+ set)) { - hostapd_logger(hapd, sta->addr, - HOSTAPD_MODULE_IEEE80211, HOSTAPD_LEVEL_NOTICE, - "Could not %s STA to kernel driver", -- sta->added_unassoc ? "set" : "add"); -+ set ? "set" : "add"); - - if (sta->added_unassoc) { - hostapd_drv_sta_remove(hapd, sta->addr); -diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c -index 3587086..707971d 100644 ---- a/src/ap/wpa_auth.c -+++ b/src/ap/wpa_auth.c -@@ -1745,6 +1745,9 @@ int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event) - #else /* CONFIG_IEEE80211R */ - break; - #endif /* CONFIG_IEEE80211R */ -+ case WPA_DRV_STA_REMOVED: -+ sm->tk_already_set = FALSE; -+ return 0; - } - - #ifdef CONFIG_IEEE80211R -@@ -3250,6 +3253,14 @@ int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm) - } - - -+int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm) -+{ -+ if (!sm || !wpa_key_mgmt_ft(sm->wpa_key_mgmt)) -+ return 0; -+ return sm->tk_already_set; -+} -+ -+ - int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm, - struct rsn_pmksa_cache_entry *entry) - { -diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h -index 0de8d97..97461b0 100644 ---- a/src/ap/wpa_auth.h -+++ b/src/ap/wpa_auth.h -@@ -267,7 +267,7 @@ void wpa_receive(struct wpa_authenticator *wpa_auth, - u8 *data, size_t data_len); - enum wpa_event { - WPA_AUTH, WPA_ASSOC, WPA_DISASSOC, WPA_DEAUTH, WPA_REAUTH, -- WPA_REAUTH_EAPOL, WPA_ASSOC_FT -+ WPA_REAUTH_EAPOL, WPA_ASSOC_FT, WPA_DRV_STA_REMOVED - }; - void wpa_remove_ptk(struct wpa_state_machine *sm); - int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event); -@@ -280,6 +280,7 @@ int wpa_auth_pairwise_set(struct wpa_state_machine *sm); - int wpa_auth_get_pairwise(struct wpa_state_machine *sm); - int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm); - int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm); -+int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm); - int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm, - struct rsn_pmksa_cache_entry *entry); - struct rsn_pmksa_cache_entry * -diff --git a/src/ap/wpa_auth_ft.c b/src/ap/wpa_auth_ft.c -index 42242a5..e63b99a 100644 ---- a/src/ap/wpa_auth_ft.c -+++ b/src/ap/wpa_auth_ft.c -@@ -780,6 +780,14 @@ void wpa_ft_install_ptk(struct wpa_state_machine *sm) - return; - } - -+ if (sm->tk_already_set) { -+ /* Must avoid TK reconfiguration to prevent clearing of TX/RX -+ * PN in the driver */ -+ wpa_printf(MSG_DEBUG, -+ "FT: Do not re-install same PTK to the driver"); -+ return; -+ } -+ - /* FIX: add STA entry to kernel/driver here? The set_key will fail - * most likely without this.. At the moment, STA entry is added only - * after association has been completed. This function will be called -@@ -792,6 +800,7 @@ void wpa_ft_install_ptk(struct wpa_state_machine *sm) - - /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */ - sm->pairwise_set = TRUE; -+ sm->tk_already_set = TRUE; - } - - -@@ -898,6 +907,7 @@ static int wpa_ft_process_auth_req(struct wpa_state_machine *sm, - - sm->pairwise = pairwise; - sm->PTK_valid = TRUE; -+ sm->tk_already_set = FALSE; - wpa_ft_install_ptk(sm); - - buflen = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) + -diff --git a/src/ap/wpa_auth_i.h b/src/ap/wpa_auth_i.h -index 72b7eb3..7fd8f05 100644 ---- a/src/ap/wpa_auth_i.h -+++ b/src/ap/wpa_auth_i.h -@@ -65,6 +65,7 @@ struct wpa_state_machine { - struct wpa_ptk PTK; - Boolean PTK_valid; - Boolean pairwise_set; -+ Boolean tk_already_set; - int keycount; - Boolean Pair; - struct wpa_key_replay_counter { --- -2.7.4 - diff --git a/src/patches/wpa_supplicant/rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch b/src/patches/wpa_supplicant/rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch deleted file mode 100644 index 1802d664a..000000000 --- a/src/patches/wpa_supplicant/rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch +++ /dev/null @@ -1,250 +0,0 @@ -From 927f891007c402fefd1ff384645b3f07597c3ede Mon Sep 17 00:00:00 2001 -From: Mathy Vanhoef Mathy.Vanhoef@cs.kuleuven.be -Date: Wed, 12 Jul 2017 16:03:24 +0200 -Subject: [PATCH 2/8] Prevent reinstallation of an already in-use group key - -Track the current GTK and IGTK that is in use and when receiving a -(possibly retransmitted) Group Message 1 or WNM-Sleep Mode Response, do -not install the given key if it is already in use. This prevents an -attacker from trying to trick the client into resetting or lowering the -sequence counter associated to the group key. - -Signed-off-by: Mathy Vanhoef Mathy.Vanhoef@cs.kuleuven.be ---- - src/common/wpa_common.h | 11 +++++ - src/rsn_supp/wpa.c | 116 ++++++++++++++++++++++++++++++------------------ - src/rsn_supp/wpa_i.h | 4 ++ - 3 files changed, 87 insertions(+), 44 deletions(-) - -diff --git a/src/common/wpa_common.h b/src/common/wpa_common.h -index af1d0f0..d200285 100644 ---- a/src/common/wpa_common.h -+++ b/src/common/wpa_common.h -@@ -217,6 +217,17 @@ struct wpa_ptk { - size_t tk_len; - }; - -+struct wpa_gtk { -+ u8 gtk[WPA_GTK_MAX_LEN]; -+ size_t gtk_len; -+}; -+ -+#ifdef CONFIG_IEEE80211W -+struct wpa_igtk { -+ u8 igtk[WPA_IGTK_MAX_LEN]; -+ size_t igtk_len; -+}; -+#endif /* CONFIG_IEEE80211W */ - - /* WPA IE version 1 - * 00-50-f2:1 (OUI:OUI type) -diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c -index 3c47879..95bd7be 100644 ---- a/src/rsn_supp/wpa.c -+++ b/src/rsn_supp/wpa.c -@@ -714,6 +714,15 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm, - const u8 *_gtk = gd->gtk; - u8 gtk_buf[32]; - -+ /* Detect possible key reinstallation */ -+ if (sm->gtk.gtk_len == (size_t) gd->gtk_len && -+ os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) { -+ wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, -+ "WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)", -+ gd->keyidx, gd->tx, gd->gtk_len); -+ return 0; -+ } -+ - wpa_hexdump_key(MSG_DEBUG, "WPA: Group Key", gd->gtk, gd->gtk_len); - wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, - "WPA: Installing GTK to the driver (keyidx=%d tx=%d len=%d)", -@@ -748,6 +757,9 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm, - } - os_memset(gtk_buf, 0, sizeof(gtk_buf)); - -+ sm->gtk.gtk_len = gd->gtk_len; -+ os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len); -+ - return 0; - } - -@@ -854,6 +866,48 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm, - } - - -+#ifdef CONFIG_IEEE80211W -+static int wpa_supplicant_install_igtk(struct wpa_sm *sm, -+ const struct wpa_igtk_kde *igtk) -+{ -+ size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher); -+ u16 keyidx = WPA_GET_LE16(igtk->keyid); -+ -+ /* Detect possible key reinstallation */ -+ if (sm->igtk.igtk_len == len && -+ os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) { -+ wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, -+ "WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)", -+ keyidx); -+ return 0; -+ } -+ -+ wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, -+ "WPA: IGTK keyid %d pn %02x%02x%02x%02x%02x%02x", -+ keyidx, MAC2STR(igtk->pn)); -+ wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK", igtk->igtk, len); -+ if (keyidx > 4095) { -+ wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, -+ "WPA: Invalid IGTK KeyID %d", keyidx); -+ return -1; -+ } -+ if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher), -+ broadcast_ether_addr, -+ keyidx, 0, igtk->pn, sizeof(igtk->pn), -+ igtk->igtk, len) < 0) { -+ wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, -+ "WPA: Failed to configure IGTK to the driver"); -+ return -1; -+ } -+ -+ sm->igtk.igtk_len = len; -+ os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len); -+ -+ return 0; -+} -+#endif /* CONFIG_IEEE80211W */ -+ -+ - static int ieee80211w_set_keys(struct wpa_sm *sm, - struct wpa_eapol_ie_parse *ie) - { -@@ -864,30 +918,14 @@ static int ieee80211w_set_keys(struct wpa_sm *sm, - if (ie->igtk) { - size_t len; - const struct wpa_igtk_kde *igtk; -- u16 keyidx; -+ - len = wpa_cipher_key_len(sm->mgmt_group_cipher); - if (ie->igtk_len != WPA_IGTK_KDE_PREFIX_LEN + len) - return -1; -+ - igtk = (const struct wpa_igtk_kde *) ie->igtk; -- keyidx = WPA_GET_LE16(igtk->keyid); -- wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: IGTK keyid %d " -- "pn %02x%02x%02x%02x%02x%02x", -- keyidx, MAC2STR(igtk->pn)); -- wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK", -- igtk->igtk, len); -- if (keyidx > 4095) { -- wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, -- "WPA: Invalid IGTK KeyID %d", keyidx); -- return -1; -- } -- if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher), -- broadcast_ether_addr, -- keyidx, 0, igtk->pn, sizeof(igtk->pn), -- igtk->igtk, len) < 0) { -- wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, -- "WPA: Failed to configure IGTK to the driver"); -+ if (wpa_supplicant_install_igtk(sm, igtk) < 0) - return -1; -- } - } - - return 0; -@@ -2307,7 +2345,7 @@ void wpa_sm_deinit(struct wpa_sm *sm) - */ - void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid) - { -- int clear_ptk = 1; -+ int clear_keys = 1; - - if (sm == NULL) - return; -@@ -2333,11 +2371,11 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid) - /* Prepare for the next transition */ - wpa_ft_prepare_auth_request(sm, NULL); - -- clear_ptk = 0; -+ clear_keys = 0; - } - #endif /* CONFIG_IEEE80211R */ - -- if (clear_ptk) { -+ if (clear_keys) { - /* - * IEEE 802.11, 8.4.10: Delete PTK SA on (re)association if - * this is not part of a Fast BSS Transition. -@@ -2347,6 +2385,10 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid) - os_memset(&sm->ptk, 0, sizeof(sm->ptk)); - sm->tptk_set = 0; - os_memset(&sm->tptk, 0, sizeof(sm->tptk)); -+ os_memset(&sm->gtk, 0, sizeof(sm->gtk)); -+#ifdef CONFIG_IEEE80211W -+ os_memset(&sm->igtk, 0, sizeof(sm->igtk)); -+#endif /* CONFIG_IEEE80211W */ - } - - #ifdef CONFIG_TDLS -@@ -2877,6 +2919,10 @@ void wpa_sm_drop_sa(struct wpa_sm *sm) - os_memset(sm->pmk, 0, sizeof(sm->pmk)); - os_memset(&sm->ptk, 0, sizeof(sm->ptk)); - os_memset(&sm->tptk, 0, sizeof(sm->tptk)); -+ os_memset(&sm->gtk, 0, sizeof(sm->gtk)); -+#ifdef CONFIG_IEEE80211W -+ os_memset(&sm->igtk, 0, sizeof(sm->igtk)); -+#endif /* CONFIG_IEEE80211W */ - #ifdef CONFIG_IEEE80211R - os_memset(sm->xxkey, 0, sizeof(sm->xxkey)); - os_memset(sm->pmk_r0, 0, sizeof(sm->pmk_r0)); -@@ -2949,29 +2995,11 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf) - os_memset(&gd, 0, sizeof(gd)); - #ifdef CONFIG_IEEE80211W - } else if (subelem_id == WNM_SLEEP_SUBELEM_IGTK) { -- struct wpa_igtk_kde igd; -- u16 keyidx; -- -- os_memset(&igd, 0, sizeof(igd)); -- keylen = wpa_cipher_key_len(sm->mgmt_group_cipher); -- os_memcpy(igd.keyid, buf + 2, 2); -- os_memcpy(igd.pn, buf + 4, 6); -- -- keyidx = WPA_GET_LE16(igd.keyid); -- os_memcpy(igd.igtk, buf + 10, keylen); -- -- wpa_hexdump_key(MSG_DEBUG, "Install IGTK (WNM SLEEP)", -- igd.igtk, keylen); -- if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher), -- broadcast_ether_addr, -- keyidx, 0, igd.pn, sizeof(igd.pn), -- igd.igtk, keylen) < 0) { -- wpa_printf(MSG_DEBUG, "Failed to install the IGTK in " -- "WNM mode"); -- os_memset(&igd, 0, sizeof(igd)); -+ const struct wpa_igtk_kde *igtk; -+ -+ igtk = (const struct wpa_igtk_kde *) (buf + 2); -+ if (wpa_supplicant_install_igtk(sm, igtk) < 0) - return -1; -- } -- os_memset(&igd, 0, sizeof(igd)); - #endif /* CONFIG_IEEE80211W */ - } else { - wpa_printf(MSG_DEBUG, "Unknown element id"); -diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h -index f653ba6..afc9e37 100644 ---- a/src/rsn_supp/wpa_i.h -+++ b/src/rsn_supp/wpa_i.h -@@ -31,6 +31,10 @@ struct wpa_sm { - u8 rx_replay_counter[WPA_REPLAY_COUNTER_LEN]; - int rx_replay_counter_set; - u8 request_counter[WPA_REPLAY_COUNTER_LEN]; -+ struct wpa_gtk gtk; -+#ifdef CONFIG_IEEE80211W -+ struct wpa_igtk igtk; -+#endif /* CONFIG_IEEE80211W */ - - struct eapol_sm *eapol; /* EAPOL state machine from upper level code */ - --- -2.7.4 - diff --git a/src/patches/wpa_supplicant/rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch b/src/patches/wpa_supplicant/rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch deleted file mode 100644 index e2937b851..000000000 --- a/src/patches/wpa_supplicant/rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch +++ /dev/null @@ -1,184 +0,0 @@ -From 8280294e74846ea342389a0cd17215050fa5afe8 Mon Sep 17 00:00:00 2001 -From: Jouni Malinen j@w1.fi -Date: Sun, 1 Oct 2017 12:12:24 +0300 -Subject: [PATCH 3/8] Extend protection of GTK/IGTK reinstallation of WNM-Sleep - Mode cases - -This extends the protection to track last configured GTK/IGTK value -separately from EAPOL-Key frames and WNM-Sleep Mode frames to cover a -corner case where these two different mechanisms may get used when the -GTK/IGTK has changed and tracking a single value is not sufficient to -detect a possible key reconfiguration. - -Signed-off-by: Jouni Malinen j@w1.fi ---- - src/rsn_supp/wpa.c | 53 +++++++++++++++++++++++++++++++++++++--------------- - src/rsn_supp/wpa_i.h | 2 ++ - 2 files changed, 40 insertions(+), 15 deletions(-) - -diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c -index 95bd7be..7a2c68d 100644 ---- a/src/rsn_supp/wpa.c -+++ b/src/rsn_supp/wpa.c -@@ -709,14 +709,17 @@ struct wpa_gtk_data { - - static int wpa_supplicant_install_gtk(struct wpa_sm *sm, - const struct wpa_gtk_data *gd, -- const u8 *key_rsc) -+ const u8 *key_rsc, int wnm_sleep) - { - const u8 *_gtk = gd->gtk; - u8 gtk_buf[32]; - - /* Detect possible key reinstallation */ -- if (sm->gtk.gtk_len == (size_t) gd->gtk_len && -- os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) { -+ if ((sm->gtk.gtk_len == (size_t) gd->gtk_len && -+ os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) || -+ (sm->gtk_wnm_sleep.gtk_len == (size_t) gd->gtk_len && -+ os_memcmp(sm->gtk_wnm_sleep.gtk, gd->gtk, -+ sm->gtk_wnm_sleep.gtk_len) == 0)) { - wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, - "WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)", - gd->keyidx, gd->tx, gd->gtk_len); -@@ -757,8 +760,14 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm, - } - os_memset(gtk_buf, 0, sizeof(gtk_buf)); - -- sm->gtk.gtk_len = gd->gtk_len; -- os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len); -+ if (wnm_sleep) { -+ sm->gtk_wnm_sleep.gtk_len = gd->gtk_len; -+ os_memcpy(sm->gtk_wnm_sleep.gtk, gd->gtk, -+ sm->gtk_wnm_sleep.gtk_len); -+ } else { -+ sm->gtk.gtk_len = gd->gtk_len; -+ os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len); -+ } - - return 0; - } -@@ -852,7 +861,7 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm, - (wpa_supplicant_check_group_cipher(sm, sm->group_cipher, - gtk_len, gtk_len, - &gd.key_rsc_len, &gd.alg) || -- wpa_supplicant_install_gtk(sm, &gd, key_rsc))) { -+ wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0))) { - wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, - "RSN: Failed to install GTK"); - os_memset(&gd, 0, sizeof(gd)); -@@ -868,14 +877,18 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm, - - #ifdef CONFIG_IEEE80211W - static int wpa_supplicant_install_igtk(struct wpa_sm *sm, -- const struct wpa_igtk_kde *igtk) -+ const struct wpa_igtk_kde *igtk, -+ int wnm_sleep) - { - size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher); - u16 keyidx = WPA_GET_LE16(igtk->keyid); - - /* Detect possible key reinstallation */ -- if (sm->igtk.igtk_len == len && -- os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) { -+ if ((sm->igtk.igtk_len == len && -+ os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) || -+ (sm->igtk_wnm_sleep.igtk_len == len && -+ os_memcmp(sm->igtk_wnm_sleep.igtk, igtk->igtk, -+ sm->igtk_wnm_sleep.igtk_len) == 0)) { - wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, - "WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)", - keyidx); -@@ -900,8 +913,14 @@ static int wpa_supplicant_install_igtk(struct wpa_sm *sm, - return -1; - } - -- sm->igtk.igtk_len = len; -- os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len); -+ if (wnm_sleep) { -+ sm->igtk_wnm_sleep.igtk_len = len; -+ os_memcpy(sm->igtk_wnm_sleep.igtk, igtk->igtk, -+ sm->igtk_wnm_sleep.igtk_len); -+ } else { -+ sm->igtk.igtk_len = len; -+ os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len); -+ } - - return 0; - } -@@ -924,7 +943,7 @@ static int ieee80211w_set_keys(struct wpa_sm *sm, - return -1; - - igtk = (const struct wpa_igtk_kde *) ie->igtk; -- if (wpa_supplicant_install_igtk(sm, igtk) < 0) -+ if (wpa_supplicant_install_igtk(sm, igtk, 0) < 0) - return -1; - } - -@@ -1574,7 +1593,7 @@ static void wpa_supplicant_process_1_of_2(struct wpa_sm *sm, - if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc)) - key_rsc = null_rsc; - -- if (wpa_supplicant_install_gtk(sm, &gd, key_rsc) || -+ if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0) || - wpa_supplicant_send_2_of_2(sm, key, ver, key_info) < 0) - goto failed; - os_memset(&gd, 0, sizeof(gd)); -@@ -2386,8 +2405,10 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid) - sm->tptk_set = 0; - os_memset(&sm->tptk, 0, sizeof(sm->tptk)); - os_memset(&sm->gtk, 0, sizeof(sm->gtk)); -+ os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep)); - #ifdef CONFIG_IEEE80211W - os_memset(&sm->igtk, 0, sizeof(sm->igtk)); -+ os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep)); - #endif /* CONFIG_IEEE80211W */ - } - -@@ -2920,8 +2941,10 @@ void wpa_sm_drop_sa(struct wpa_sm *sm) - os_memset(&sm->ptk, 0, sizeof(sm->ptk)); - os_memset(&sm->tptk, 0, sizeof(sm->tptk)); - os_memset(&sm->gtk, 0, sizeof(sm->gtk)); -+ os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep)); - #ifdef CONFIG_IEEE80211W - os_memset(&sm->igtk, 0, sizeof(sm->igtk)); -+ os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep)); - #endif /* CONFIG_IEEE80211W */ - #ifdef CONFIG_IEEE80211R - os_memset(sm->xxkey, 0, sizeof(sm->xxkey)); -@@ -2986,7 +3009,7 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf) - - wpa_hexdump_key(MSG_DEBUG, "Install GTK (WNM SLEEP)", - gd.gtk, gd.gtk_len); -- if (wpa_supplicant_install_gtk(sm, &gd, key_rsc)) { -+ if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 1)) { - os_memset(&gd, 0, sizeof(gd)); - wpa_printf(MSG_DEBUG, "Failed to install the GTK in " - "WNM mode"); -@@ -2998,7 +3021,7 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf) - const struct wpa_igtk_kde *igtk; - - igtk = (const struct wpa_igtk_kde *) (buf + 2); -- if (wpa_supplicant_install_igtk(sm, igtk) < 0) -+ if (wpa_supplicant_install_igtk(sm, igtk, 1) < 0) - return -1; - #endif /* CONFIG_IEEE80211W */ - } else { -diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h -index afc9e37..9a54631 100644 ---- a/src/rsn_supp/wpa_i.h -+++ b/src/rsn_supp/wpa_i.h -@@ -32,8 +32,10 @@ struct wpa_sm { - int rx_replay_counter_set; - u8 request_counter[WPA_REPLAY_COUNTER_LEN]; - struct wpa_gtk gtk; -+ struct wpa_gtk gtk_wnm_sleep; - #ifdef CONFIG_IEEE80211W - struct wpa_igtk igtk; -+ struct wpa_igtk igtk_wnm_sleep; - #endif /* CONFIG_IEEE80211W */ - - struct eapol_sm *eapol; /* EAPOL state machine from upper level code */ --- -2.7.4 - diff --git a/src/patches/wpa_supplicant/rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch b/src/patches/wpa_supplicant/rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch deleted file mode 100644 index 22ee21794..000000000 --- a/src/patches/wpa_supplicant/rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch +++ /dev/null @@ -1,79 +0,0 @@ -From 8f82bc94e8697a9d47fa8774dfdaaede1084912c Mon Sep 17 00:00:00 2001 -From: Mathy Vanhoef Mathy.Vanhoef@cs.kuleuven.be -Date: Fri, 29 Sep 2017 04:22:51 +0200 -Subject: [PATCH 4/8] Prevent installation of an all-zero TK - -Properly track whether a PTK has already been installed to the driver -and the TK part cleared from memory. This prevents an attacker from -trying to trick the client into installing an all-zero TK. - -This fixes the earlier fix in commit -ad00d64e7d8827b3cebd665a0ceb08adabf15e1e ('Fix TK configuration to the -driver in EAPOL-Key 3/4 retry case') which did not take into account -possibility of an extra message 1/4 showing up between retries of -message 3/4. - -Signed-off-by: Mathy Vanhoef Mathy.Vanhoef@cs.kuleuven.be ---- - src/common/wpa_common.h | 1 + - src/rsn_supp/wpa.c | 5 ++--- - src/rsn_supp/wpa_i.h | 1 - - 3 files changed, 3 insertions(+), 4 deletions(-) - -diff --git a/src/common/wpa_common.h b/src/common/wpa_common.h -index d200285..1021ccb 100644 ---- a/src/common/wpa_common.h -+++ b/src/common/wpa_common.h -@@ -215,6 +215,7 @@ struct wpa_ptk { - size_t kck_len; - size_t kek_len; - size_t tk_len; -+ int installed; /* 1 if key has already been installed to driver */ - }; - - struct wpa_gtk { -diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c -index 7a2c68d..0550a41 100644 ---- a/src/rsn_supp/wpa.c -+++ b/src/rsn_supp/wpa.c -@@ -510,7 +510,6 @@ static void wpa_supplicant_process_1_of_4(struct wpa_sm *sm, - os_memset(buf, 0, sizeof(buf)); - } - sm->tptk_set = 1; -- sm->tk_to_set = 1; - - kde = sm->assoc_wpa_ie; - kde_len = sm->assoc_wpa_ie_len; -@@ -615,7 +614,7 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm, - enum wpa_alg alg; - const u8 *key_rsc; - -- if (!sm->tk_to_set) { -+ if (sm->ptk.installed) { - wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, - "WPA: Do not re-install same PTK to the driver"); - return 0; -@@ -659,7 +658,7 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm, - - /* TK is not needed anymore in supplicant */ - os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN); -- sm->tk_to_set = 0; -+ sm->ptk.installed = 1; - - if (sm->wpa_ptk_rekey) { - eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL); -diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h -index 9a54631..41f371f 100644 ---- a/src/rsn_supp/wpa_i.h -+++ b/src/rsn_supp/wpa_i.h -@@ -24,7 +24,6 @@ struct wpa_sm { - struct wpa_ptk ptk, tptk; - int ptk_set, tptk_set; - unsigned int msg_3_of_4_ok:1; -- unsigned int tk_to_set:1; - u8 snonce[WPA_NONCE_LEN]; - u8 anonce[WPA_NONCE_LEN]; /* ANonce from the last 1/4 msg */ - int renew_snonce; --- -2.7.4 - diff --git a/src/patches/wpa_supplicant/rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch b/src/patches/wpa_supplicant/rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch deleted file mode 100644 index c19c4c710..000000000 --- a/src/patches/wpa_supplicant/rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch +++ /dev/null @@ -1,64 +0,0 @@ -From 12fac09b437a1dc8a0f253e265934a8aaf4d2f8b Mon Sep 17 00:00:00 2001 -From: Jouni Malinen j@w1.fi -Date: Sun, 1 Oct 2017 12:32:57 +0300 -Subject: [PATCH 5/8] Fix PTK rekeying to generate a new ANonce - -The Authenticator state machine path for PTK rekeying ended up bypassing -the AUTHENTICATION2 state where a new ANonce is generated when going -directly to the PTKSTART state since there is no need to try to -determine the PMK again in such a case. This is far from ideal since the -new PTK would depend on a new nonce only from the supplicant. - -Fix this by generating a new ANonce when moving to the PTKSTART state -for the purpose of starting new 4-way handshake to rekey PTK. - -Signed-off-by: Jouni Malinen j@w1.fi ---- - src/ap/wpa_auth.c | 24 +++++++++++++++++++++--- - 1 file changed, 21 insertions(+), 3 deletions(-) - -diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c -index 707971d..bf10cc1 100644 ---- a/src/ap/wpa_auth.c -+++ b/src/ap/wpa_auth.c -@@ -1901,6 +1901,21 @@ SM_STATE(WPA_PTK, AUTHENTICATION2) - } - - -+static int wpa_auth_sm_ptk_update(struct wpa_state_machine *sm) -+{ -+ if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) { -+ wpa_printf(MSG_ERROR, -+ "WPA: Failed to get random data for ANonce"); -+ sm->Disconnect = TRUE; -+ return -1; -+ } -+ wpa_hexdump(MSG_DEBUG, "WPA: Assign new ANonce", sm->ANonce, -+ WPA_NONCE_LEN); -+ sm->TimeoutCtr = 0; -+ return 0; -+} -+ -+ - SM_STATE(WPA_PTK, INITPMK) - { - u8 msk[2 * PMK_LEN]; -@@ -2458,9 +2473,12 @@ SM_STEP(WPA_PTK) - SM_ENTER(WPA_PTK, AUTHENTICATION); - else if (sm->ReAuthenticationRequest) - SM_ENTER(WPA_PTK, AUTHENTICATION2); -- else if (sm->PTKRequest) -- SM_ENTER(WPA_PTK, PTKSTART); -- else switch (sm->wpa_ptk_state) { -+ else if (sm->PTKRequest) { -+ if (wpa_auth_sm_ptk_update(sm) < 0) -+ SM_ENTER(WPA_PTK, DISCONNECTED); -+ else -+ SM_ENTER(WPA_PTK, PTKSTART); -+ } else switch (sm->wpa_ptk_state) { - case WPA_PTK_INITIALIZE: - break; - case WPA_PTK_DISCONNECT: --- -2.7.4 - diff --git a/src/patches/wpa_supplicant/rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch b/src/patches/wpa_supplicant/rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch deleted file mode 100644 index e1bd5a572..000000000 --- a/src/patches/wpa_supplicant/rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch +++ /dev/null @@ -1,132 +0,0 @@ -From 6c4bed4f47d1960ec04981a9d50e5076aea5223d Mon Sep 17 00:00:00 2001 -From: Jouni Malinen j@w1.fi -Date: Fri, 22 Sep 2017 11:03:15 +0300 -Subject: [PATCH 6/8] TDLS: Reject TPK-TK reconfiguration - -Do not try to reconfigure the same TPK-TK to the driver after it has -been successfully configured. This is an explicit check to avoid issues -related to resetting the TX/RX packet number. There was already a check -for this for TPK M2 (retries of that message are ignored completely), so -that behavior does not get modified. - -For TPK M3, the TPK-TK could have been reconfigured, but that was -followed by immediate teardown of the link due to an issue in updating -the STA entry. Furthermore, for TDLS with any real security (i.e., -ignoring open/WEP), the TPK message exchange is protected on the AP path -and simple replay attacks are not feasible. - -As an additional corner case, make sure the local nonce gets updated if -the peer uses a very unlikely "random nonce" of all zeros. - -Signed-off-by: Jouni Malinen j@w1.fi ---- - src/rsn_supp/tdls.c | 38 ++++++++++++++++++++++++++++++++++++-- - 1 file changed, 36 insertions(+), 2 deletions(-) - -diff --git a/src/rsn_supp/tdls.c b/src/rsn_supp/tdls.c -index e424168..9eb9738 100644 ---- a/src/rsn_supp/tdls.c -+++ b/src/rsn_supp/tdls.c -@@ -112,6 +112,7 @@ struct wpa_tdls_peer { - u8 tk[16]; /* TPK-TK; assuming only CCMP will be used */ - } tpk; - int tpk_set; -+ int tk_set; /* TPK-TK configured to the driver */ - int tpk_success; - int tpk_in_progress; - -@@ -192,6 +193,20 @@ static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) - u8 rsc[6]; - enum wpa_alg alg; - -+ if (peer->tk_set) { -+ /* -+ * This same TPK-TK has already been configured to the driver -+ * and this new configuration attempt (likely due to an -+ * unexpected retransmitted frame) would result in clearing -+ * the TX/RX sequence number which can break security, so must -+ * not allow that to happen. -+ */ -+ wpa_printf(MSG_INFO, "TDLS: TPK-TK for the peer " MACSTR -+ " has already been configured to the driver - do not reconfigure", -+ MAC2STR(peer->addr)); -+ return -1; -+ } -+ - os_memset(rsc, 0, 6); - - switch (peer->cipher) { -@@ -209,12 +224,15 @@ static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) - return -1; - } - -+ wpa_printf(MSG_DEBUG, "TDLS: Configure pairwise key for peer " MACSTR, -+ MAC2STR(peer->addr)); - if (wpa_sm_set_key(sm, alg, peer->addr, -1, 1, - rsc, sizeof(rsc), peer->tpk.tk, key_len) < 0) { - wpa_printf(MSG_WARNING, "TDLS: Failed to set TPK to the " - "driver"); - return -1; - } -+ peer->tk_set = 1; - return 0; - } - -@@ -696,7 +714,7 @@ static void wpa_tdls_peer_clear(struct wpa_sm *sm, struct wpa_tdls_peer *peer) - peer->cipher = 0; - peer->qos_info = 0; - peer->wmm_capable = 0; -- peer->tpk_set = peer->tpk_success = 0; -+ peer->tk_set = peer->tpk_set = peer->tpk_success = 0; - peer->chan_switch_enabled = 0; - os_memset(&peer->tpk, 0, sizeof(peer->tpk)); - os_memset(peer->inonce, 0, WPA_NONCE_LEN); -@@ -1159,6 +1177,7 @@ skip_rsnie: - wpa_tdls_peer_free(sm, peer); - return -1; - } -+ peer->tk_set = 0; /* A new nonce results in a new TK */ - wpa_hexdump(MSG_DEBUG, "TDLS: Initiator Nonce for TPK handshake", - peer->inonce, WPA_NONCE_LEN); - os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); -@@ -1751,6 +1770,19 @@ static int wpa_tdls_addset_peer(struct wpa_sm *sm, struct wpa_tdls_peer *peer, - } - - -+static int tdls_nonce_set(const u8 *nonce) -+{ -+ int i; -+ -+ for (i = 0; i < WPA_NONCE_LEN; i++) { -+ if (nonce[i]) -+ return 1; -+ } -+ -+ return 0; -+} -+ -+ - static int wpa_tdls_process_tpk_m1(struct wpa_sm *sm, const u8 *src_addr, - const u8 *buf, size_t len) - { -@@ -2004,7 +2036,8 @@ skip_rsn: - peer->rsnie_i_len = kde.rsn_ie_len; - peer->cipher = cipher; - -- if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) { -+ if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0 || -+ !tdls_nonce_set(peer->inonce)) { - /* - * There is no point in updating the RNonce for every obtained - * TPK M1 frame (e.g., retransmission due to timeout) with the -@@ -2020,6 +2053,7 @@ skip_rsn: - "TDLS: Failed to get random data for responder nonce"); - goto error; - } -+ peer->tk_set = 0; /* A new nonce results in a new TK */ - } - - #if 0 --- -2.7.4 - diff --git a/src/patches/wpa_supplicant/rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch b/src/patches/wpa_supplicant/rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch deleted file mode 100644 index 85ea1d62b..000000000 --- a/src/patches/wpa_supplicant/rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 53c5eb58e95004f86e65ee9fbfccbc291b139057 Mon Sep 17 00:00:00 2001 -From: Jouni Malinen j@w1.fi -Date: Fri, 22 Sep 2017 11:25:02 +0300 -Subject: [PATCH 7/8] WNM: Ignore WNM-Sleep Mode Response without pending - request - -Commit 03ed0a52393710be6bdae657d1b36efa146520e5 ('WNM: Ignore WNM-Sleep -Mode Response if WNM-Sleep Mode has not been used') started ignoring the -response when no WNM-Sleep Mode Request had been used during the -association. This can be made tighter by clearing the used flag when -successfully processing a response. This adds an additional layer of -protection against unexpected retransmissions of the response frame. - -Signed-off-by: Jouni Malinen j@w1.fi ---- - wpa_supplicant/wnm_sta.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/wpa_supplicant/wnm_sta.c b/wpa_supplicant/wnm_sta.c -index 1b3409c..67a07ff 100644 ---- a/wpa_supplicant/wnm_sta.c -+++ b/wpa_supplicant/wnm_sta.c -@@ -260,7 +260,7 @@ static void ieee802_11_rx_wnmsleep_resp(struct wpa_supplicant *wpa_s, - - if (!wpa_s->wnmsleep_used) { - wpa_printf(MSG_DEBUG, -- "WNM: Ignore WNM-Sleep Mode Response frame since WNM-Sleep Mode has not been used in this association"); -+ "WNM: Ignore WNM-Sleep Mode Response frame since WNM-Sleep Mode operation has not been requested"); - return; - } - -@@ -299,6 +299,8 @@ static void ieee802_11_rx_wnmsleep_resp(struct wpa_supplicant *wpa_s, - return; - } - -+ wpa_s->wnmsleep_used = 0; -+ - if (wnmsleep_ie->status == WNM_STATUS_SLEEP_ACCEPT || - wnmsleep_ie->status == WNM_STATUS_SLEEP_EXIT_ACCEPT_GTK_UPDATE) { - wpa_printf(MSG_DEBUG, "Successfully recv WNM-Sleep Response " --- -2.7.4 - diff --git a/src/patches/wpa_supplicant/rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch b/src/patches/wpa_supplicant/rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch deleted file mode 100644 index b9678f681..000000000 --- a/src/patches/wpa_supplicant/rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch +++ /dev/null @@ -1,82 +0,0 @@ -From b372ab0b7daea719749194dc554b26e6367603f2 Mon Sep 17 00:00:00 2001 -From: Jouni Malinen j@w1.fi -Date: Fri, 22 Sep 2017 12:06:37 +0300 -Subject: [PATCH 8/8] FT: Do not allow multiple Reassociation Response frames - -The driver is expected to not report a second association event without -the station having explicitly request a new association. As such, this -case should not be reachable. However, since reconfiguring the same -pairwise or group keys to the driver could result in nonce reuse issues, -be extra careful here and do an additional state check to avoid this -even if the local driver ends up somehow accepting an unexpected -Reassociation Response frame. - -Signed-off-by: Jouni Malinen j@w1.fi ---- - src/rsn_supp/wpa.c | 3 +++ - src/rsn_supp/wpa_ft.c | 8 ++++++++ - src/rsn_supp/wpa_i.h | 1 + - 3 files changed, 12 insertions(+) - -diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c -index 0550a41..2a53c6f 100644 ---- a/src/rsn_supp/wpa.c -+++ b/src/rsn_supp/wpa.c -@@ -2440,6 +2440,9 @@ void wpa_sm_notify_disassoc(struct wpa_sm *sm) - #ifdef CONFIG_TDLS - wpa_tdls_disassoc(sm); - #endif /* CONFIG_TDLS */ -+#ifdef CONFIG_IEEE80211R -+ sm->ft_reassoc_completed = 0; -+#endif /* CONFIG_IEEE80211R */ - - /* Keys are not needed in the WPA state machine anymore */ - wpa_sm_drop_sa(sm); -diff --git a/src/rsn_supp/wpa_ft.c b/src/rsn_supp/wpa_ft.c -index 205793e..d45bb45 100644 ---- a/src/rsn_supp/wpa_ft.c -+++ b/src/rsn_supp/wpa_ft.c -@@ -153,6 +153,7 @@ static u8 * wpa_ft_gen_req_ies(struct wpa_sm *sm, size_t *len, - u16 capab; - - sm->ft_completed = 0; -+ sm->ft_reassoc_completed = 0; - - buf_len = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) + - 2 + sm->r0kh_id_len + ric_ies_len + 100; -@@ -681,6 +682,11 @@ int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies, - return -1; - } - -+ if (sm->ft_reassoc_completed) { -+ wpa_printf(MSG_DEBUG, "FT: Reassociation has already been completed for this FT protocol instance - ignore unexpected retransmission"); -+ return 0; -+ } -+ - if (wpa_ft_parse_ies(ies, ies_len, &parse) < 0) { - wpa_printf(MSG_DEBUG, "FT: Failed to parse IEs"); - return -1; -@@ -781,6 +787,8 @@ int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies, - return -1; - } - -+ sm->ft_reassoc_completed = 1; -+ - if (wpa_ft_process_gtk_subelem(sm, parse.gtk, parse.gtk_len) < 0) - return -1; - -diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h -index 41f371f..56f88dc 100644 ---- a/src/rsn_supp/wpa_i.h -+++ b/src/rsn_supp/wpa_i.h -@@ -128,6 +128,7 @@ struct wpa_sm { - size_t r0kh_id_len; - u8 r1kh_id[FT_R1KH_ID_LEN]; - int ft_completed; -+ int ft_reassoc_completed; - int over_the_ds_in_progress; - u8 target_ap[ETH_ALEN]; /* over-the-DS target AP */ - int set_ptk_after_assoc; --- -2.7.4 - diff --git a/src/scripts/ipsec-interfaces b/src/scripts/ipsec-interfaces new file mode 100644 index 000000000..0e43fccbc --- /dev/null +++ b/src/scripts/ipsec-interfaces @@ -0,0 +1,172 @@ +#!/bin/bash +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2015 IPFire Team # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see http://www.gnu.org/licenses/. # +# # +############################################################################### + +shopt -s nullglob + +VPN_CONFIG="/var/ipfire/vpn/config" + +eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) +eval $(/usr/local/bin/readhash /var/ipfire/vpn/settings) + +VARS=( + id status name lefthost type ctype psk local local_id leftsubnets + remote_id remote rightsubnets x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 + x13 x14 x15 x16 x17 x18 x19 proto x20 x21 x22 + route x23 mode interface_mode interface_address interface_mtu rest +) + +log() { + logger -t ipsec "$@" +} + +resolve_hostname() { + local hostname="${1}" + + dig +short A "${hostname}" | tail -n1 +} + +main() { + # Register local variables + local "${VARS[@]}" + local action + + local interfaces=() + + # We are done when IPsec is not enabled + if [ "${ENABLED}" = "on" ]; then + while IFS="," read -r "${VARS[@]}"; do + # Check if the connection is enabled + [ "${status}" = "on" ] || continue + + # Check if this a net-to-net connection + [ "${type}" = "net" ] || continue + + # Determine the interface name + case "${interface_mode}" in + gre|vti) + local intf="${interface_mode}${id}" + ;; + *) + continue + ;; + esac + + # Add the interface to the list of all interfaces + interfaces+=( "${intf}" ) + + # Compat for older connections + if [ "${local}" = "off" ]; then + if [ "${VPN_IP}" = "%defaultroute" ]; then + local="" + else + local="${VPN_IP}" + fi + fi + + # Handle %defaultroute + if [ -z "${local}" ]; then + if [ -r "/var/ipfire/red/local-ipaddress" ]; then + local="$(</var/ipfire/red/local-ipaddress)" + + elif [ "${RED_TYPE}" = "STATIC" -a -n "${RED_ADDRESS}" ]; then + local="${RED_ADDRESS}" + fi + fi + + # Resolve any hostnames + if [[ ! ${remote} =~ ^[0-9]+.[0-9]+.[0-9]+.[0-9]+$ ]]; then + remote="$(resolve_hostname "${remote}")" + fi + + local args=( + "local" "${local}" + "remote" "${remote}" + ) + + case "${interface_mode}" in + gre) + # Add TTL + args+=( "ttl" "255" ) + ;; + + vti) + # Add key for VTI + args+=( "key" "${id}" ) + ;; + esac + + # Update the settings when the interface already exists + if [ -d "/sys/class/net/${intf}" ]; then + ip link change dev "${intf}" \ + type "${interface_mode}" "${args[@]}" &>/dev/null + + # Create a new interface and bring it up + else + log "Creating interface ${intf}" + if ! ip link add name "${intf}" type "${interface_mode}" "${args[@]}"; then + log "Could not create interface ${intf}" + continue + fi + fi + + # Add an IP address + ip addr flush dev "${intf}" + ip addr add "${interface_address}" dev "${intf}" + + # Set MTU + ip link set dev "${intf}" mtu "${interface_mtu}" + + # Bring up the interface + ip link set dev "${intf}" up + done < "${VPN_CONFIG}" + fi + + # Delete all other interfaces + local intf + for intf in /sys/class/net/gre[0-9]* /sys/class/net/vti[0-9]*; do + intf="$(basename "${intf}")" + + # Ignore a couple of interfaces that cannot be deleted + case "${intf}" in + gre0|gretap0) + continue + ;; + esac + + # Check if interface is on the list + local i found="false" + for i in ${interfaces[@]}; do + if [ "${intf}" = "${i}" ]; then + found="true" + break + fi + done + + # Nothing to do if interface was found + ${found} && continue + + # Delete the interface + log "Deleting interface ${intf}" + ip link del "${intf}" &>/dev/null + done +} + +main || exit $?
hooks/post-receive -- IPFire 2.x development tree