This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, master has been updated.
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit df00a3f1cd6a23ef48c80e431b8e472a4a340e5b Author: Arne Fitzenreiter arne_f@ipfire.org Date: Sun Dec 20 20:19:43 2015 +0100
core96: set pakfire version to 96.
commit 54206b6e35cacf20218addcbaaaf50029afd6e69 Author: Michael Tremer michael.tremer@ipfire.org Date: Sat Dec 19 14:12:29 2015 +0000
curl: Fix certificate validation
curl did not find the certificate bundle so that server certificates could not be verified.
Fixes #10995
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 4d7f9a81ac575207edb6bb69f8bbea8762feab96 Author: Michael Tremer michael.tremer@ipfire.org Date: Sat Dec 19 14:09:10 2015 +0000
strongswan: Update to 5.3.5
Also ships a fix for #853 upstream.
Fixes #10998
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit b84a9b078dae234641a3708fbd7c1624c0731468 Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Dec 18 23:42:15 2015 +0000
core96: Ship updated grub
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 44fb4620ee2a314070fbf47de6cd7a6a2c7365f2 Author: Matthias Fischer matthias.fischer@ipfire.org Date: Fri Dec 18 21:28:52 2015 +0100
grub 2.00: Bugfix for CVE-2015-8370
See: http://hmarco.org/bugs/CVE-2015-8370-Grub2-authentication-bypass.html
"A vulnerability in Grub2 has been found. Versions from 1.98 (December, 2009) to 2.02 (December, 2015) are affected. The vulnerability can be exploited under certain circumstances, allowing local attackers to bypass any kind of authentication (plain or hashed passwords). And so, the attacker may take control of the computer."
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 1e1b03d5819269184a85dc5bcc042c978666bc08 Author: Matthias Fischer matthias.fischer@ipfire.org Date: Fri Dec 18 15:11:25 2015 +0100
dnsmasq 2.75: latest upstream patches ;-)
The neverending story continues...
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit fbcc3cb7841f10c1390550074d676ddf2afa2c1a Author: Matthias Fischer matthias.fischer@ipfire.org Date: Wed Dec 16 21:42:41 2015 +0100
dnsmasq 2.75: latest upstream patches
Since 'Makefile' was affected, I had to rewrite 'dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch', too.
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 78af2f67bba5900eb97989ed271b45a74448b457 Author: Alexander Marx alexander.marx@ipfire.org Date: Thu Dec 17 11:31:30 2015 +0100
Squid-Accounting: Bugfix & clean up data
There was a bug in the addon so that no data was displayed because of a typo. Additionally, the computer accounts are now filtered out of traffic data collection. Only Proxy/AD/LDAP accounts and IP addresses are collected.
Signed-off-by: Alexander Marx alexander.marx@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit b42a7ec1a663b356dde786cc7eeb1bb54ddcc662 Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Dec 15 18:32:55 2015 +0000
Rootfile update
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit d9ef106e5cb1e2476101090caeac4609a41a1906 Author: Matthias Fischer matthias.fischer@ipfire.org Date: Sun Dec 13 18:04:40 2015 +0100
Midnight Commander 4.8.15: Update for rootfile
There was a syntax file which I overlooked...
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit a8d24cee436f87939625f9506e6f84fc092f4200 Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Dec 15 13:54:04 2015 +0000
core96: Ship rules.pl
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 306098a49811868e2ffc4e19ce8cd62f69a2e9f3 Author: Alexander Marx alexander.marx@ipfire.org Date: Mon Dec 7 15:57:32 2015 +0100
BUG10994: SNAT rules are missing the outgoing interface
When creating SNAT rules, the outgoing interface is not set. As a side effect, traffic that should be sent unnatted to a VPN tunnel can be natted, which is a BUG. With this patch the SNAT rules are getting an outgoing interface according to the configuration. When selecting the RED target network, all SNAT rules will be configured with "-o red0". Otherwise, if "all" is selected, there is no interface in the rule, which matches all networks.
Signed-off-by: Alexander Marx alexander.marx@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 08729f79fb7b31326d367a74a50e372e4fb688d7 Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Dec 15 13:47:52 2015 +0000
ramdisk: Backup ramdisks once a night
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 429524c0406baeddf270d6e2df6e5a60a410e61a Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Dec 15 12:49:27 2015 +0000
ntp: Prefer local clock
For some reason, ntp won't use a local clock even if it is there and up and running. Therefore we need to "prefer" our only source of time.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org Tested-by: Daniel Weismüller daniel.weismueller@ipfire.org
commit 73a000f9d1e1f43807156cfb9a9c56843330d4c6 Author: Matthias Fischer matthias.fischer@ipfire.org Date: Tue Dec 15 00:07:10 2015 +0100
ntp 4.2.8p4: Update for rootfile
'/usr/share/ntp/lib/NTP/Util.pm' is needed for 'ntptrace' to run correctly
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 93d6eed9a48a509e910fb4e248a70de9cdc15f0c Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Dec 15 12:37:16 2015 +0000
ntp: Fix syncing with local clock
This is a bug that was introduced with the latest release from upstream
Fixes #10997
Upstream: http://bugs.ntp.org/show_bug.cgi?id=2965
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 50923742ba537464986269c8eb3442676b315267 Author: Matthias Fischer matthias.fischer@ipfire.org Date: Sun Dec 13 18:54:25 2015 +0100
nano: Update to 2.5.0
Changelog: http://www.nano-editor.org/dist/v2.5/ChangeLog
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit c4b28466d1004bd7fdb43299e18cbfa44b2a52ae Author: Matthias Fischer matthias.fischer@ipfire.org Date: Sun Dec 13 18:58:10 2015 +0100
arping 2.15: Update for rootfile
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 1b169a72daae63d435ee74b7ca9f28f1813fb177 Author: Michael Tremer michael.tremer@ipfire.org Date: Sat Dec 12 17:06:10 2015 +0000
Speed up rootfile generation
The old usage of find walked through the entire filesystem tree and excluded some paths from being printed. The more efficient solution is to skip walking through excluded directories entirely.
This is a slight speedup of the build process by a few minutes.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
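The pruning approach this commit describes, as an added shell example that is not IPFire's make.sh: a constructed directory tree stands in for the filesystem root, with proc and sys as the directories to exclude, and the two listings are compared against the number of entries find actually emits.

```shell
#!/bin/sh
# Added example, not IPFire's build script. A constructed tree stands in for
# the filesystem root; proc and sys are the directories to be excluded.
make_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/proc/1" "$root/sys/kernel" "$root/usr/bin" "$root/etc"
    touch "$root/proc/1/status" "$root/sys/kernel/x" \
          "$root/usr/bin/ls" "$root/etc/passwd"
    printf '%s\n' "$root"
}

# Old approach: find walks every directory, and the excluded paths are only
# filtered out of the printed result afterwards.
list_filtered() {
    root=$1
    find "$root" -type f | grep -v -e "^$root/proc/" -e "^$root/sys/" \
        | sed "s|^$root||" | sort
}

# New approach: -prune stops find from descending into the excluded
# directories, so their contents are never visited at all.
list_pruned() {
    root=$1
    find "$root" \( -path "$root/proc" -o -path "$root/sys" \) -prune \
        -o -type f -print | sed "s|^$root||" | sort
}

# Number of entries find emits under each approach: a proxy for how much of
# the tree it descends into, since the resulting file lists are identical.
visited_filtered() {
    find "$1" | wc -l | tr -d ' '
}
visited_pruned() {
    find "$1" \( -path "$1/proc" -o -path "$1/sys" \) -prune -o -print \
        | wc -l | tr -d ' '
}

# Demonstration run
root=$(make_tree)
echo "filtered: $(list_filtered "$root" | tr '\n' ' ')($(visited_filtered "$root") entries emitted)"
echo "pruned:   $(list_pruned "$root" | tr '\n' ' ')($(visited_pruned "$root") entries emitted)"
rm -rf "$root"
```

On a real build root the excluded trees (proc, sys, a mounted build chroot) are the bulk of the walk, which is where the minutes the commit mentions come from.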
commit ca762aaf6e9e0062168b145b935171713c88d2b5 Author: Matthias Fischer matthias.fischer@ipfire.org Date: Sat Dec 12 14:10:16 2015 +0100
arping: Update to 2.15
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Signed-off-by: Erik Kapfer ummeegge@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 0909a0a1d8873ac694a3eab0c91e10e0f5cd486f Author: Michael Tremer michael.tremer@ipfire.org Date: Sat Dec 12 11:52:18 2015 +0000
Update rootfiles
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit b5e1360eb9ca4da5c68dd7dcea79151276003622 Author: Michael Tremer michael.tremer@ipfire.org Date: Sat Dec 12 12:46:02 2015 +0100
ramdisk: Remove temporary directory recursively
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 24f2144dd26388215ab204b0e48217ffa4d40bfb Author: root root@ipfire.localdomain Date: Sat Dec 12 12:35:24 2015 +0100
ramdisk: Fix copying files
The shell expansion wasn't used because of the quotation marks.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit ffeaaef6182adc81f01684a98cd1f5975d22b4be Author: Michael Tremer michael.tremer@ipfire.org Date: Sat Dec 12 09:50:19 2015 +0000
connections.cgi: Fix page crash with IPsec connections with one subnet only
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit ea6fa9de5afc5a0d0b258ff08fe7bfbc0c6dbb30 Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Dec 11 18:48:19 2015 +0000
core96: Ship missing libnet
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 600ac5c6573a2c942c462c0f2aa844a417da310d Author: Matthias Fischer matthias.fischer@ipfire.org Date: Sat Dec 5 20:11:59 2015 +0100
libnet 1.1.6: Fix for rootfile
See: https://forum.ipfire.org/viewtopic.php?f=27&t=15377, "error with arping and libnet.so.1"
Should fix: Bug #10996 / https://bugzilla.ipfire.org/show_bug.cgi?id=10996
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit db1404051fa3f84ede679969ace44c0020946a7a Author: Matthias Fischer matthias.fischer@ipfire.org Date: Sat Dec 5 04:12:51 2015 +0100
clamav: Update to 0.99
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit b7488afd894de0ca908563d4b058f7f9ed0f92fc Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Dec 11 18:43:39 2015 +0000
core96: Ship updated rrdtool
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 4955d7239b2d42347a246d610eaf294f7ab4966d Author: Matthias Fischer matthias.fischer@ipfire.org Date: Sat Dec 5 04:08:49 2015 +0100
rrdtool: Update to 1.5.5
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit db7d2b13124e5388214f55564c6eab36373ed125 Author: Matthias Fischer matthias.fischer@ipfire.org Date: Thu Dec 3 19:09:45 2015 +0100
Midnight Commander: Update to 4.8.15
Removed unrecognized option: --with-samba
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit e0eb23de56d5a207d755ea8380f9f5e2abfbaace Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Dec 10 16:38:36 2015 +0000
core96: Ship routing.cgi
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 1e656e8adccae48639e3ce66a50b85017cadf75b Author: Alexander Marx alexander.marx@ipfire.org Date: Mon Dec 7 14:36:31 2015 +0100
BUG10993: fix error message when editing static routes
When editing existing static routes and clicking on the apply button, there was an error message saying that this route is already in use. Now the error message is only displayed if a new route has the same IP as an existing one.
Signed-off-by: Alexander Marx alexander.marx@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit b1372c3befd4ba4541fad1a90200ae7c1628ff00 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Dec 10 16:35:09 2015 +0000
dma: Import patch for better authentication
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit e46f7c44ca3bc0f2eb42692866294ed6924e65e1 Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Dec 4 22:22:55 2015 +0000
Update translations
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 24f05f327190bb245a11ca6d9a726f6c6d7cdfcb Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Dec 4 22:22:41 2015 +0000
Update rootfiles
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 688a79a45e8b145561a26791b8f762bd046589fe Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Dec 4 22:13:44 2015 +0000
libpri: Honour CFLAGS
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit b51ffa68db18e26d0a7ee25334ebe608c3fcfe94 Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Dec 4 22:11:28 2015 +0000
openvmtools: Update to version 10.0.5
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 2b163f4497855bc56d00a8cc626c669517e8b95d Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Dec 4 21:41:56 2015 +0000
Drop tripwire
This add-on is likely to be unused
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 74e43e149346a5bffb7d6c6ca91d5442d297659b Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Dec 4 21:38:05 2015 +0000
xtables-addons: Make sure kernel module directory exists
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 5b2155bfdd1de0553f88c7a19a15e355e74c8001 Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Dec 4 21:32:58 2015 +0000
Drop cryptodev
This module isn't used by openssl any more and therefore quite unnecessary.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 5b2e3ab6830ac81b3678b3e3b6c9372ed4f60ff9 Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Dec 4 21:18:11 2015 +0000
mISDNuser: Don't build with -Werror
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit e31708279ac112ac0b0c7dc912765e1977e6cd22 Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Dec 4 21:17:27 2015 +0000
liboping: Don't build with -Werror
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit fb39daffef9dc7396d65b6b2da0b73d6f625eabb Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Dec 4 22:17:51 2015 +0000
core96: Ship updated mdadm
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 5c424125051c9fbacfe1a2293168bbd36ec135aa Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Dec 4 21:15:18 2015 +0000
mdadm: Update to 3.3.4
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit a5ba61b89b9bcc818fb3f856ae44f4234680e07e Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Dec 4 21:14:47 2015 +0000
ebtables: Honour CFLAGS
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit c7762365dc67c671b79e8869b617ad2e316bcce5 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Dec 3 16:59:48 2015 +0000
openssl: Update to 1.0.2e
OpenSSL Security Advisory [3 Dec 2015]
=======================================
NOTE: WE ANTICIPATE THAT 1.0.0t AND 0.9.8zh WILL BE THE LAST RELEASES FOR THE 0.9.8 AND 1.0.0 VERSIONS AND THAT NO MORE SECURITY FIXES WILL BE PROVIDED (AS PER PREVIOUS ANNOUNCEMENTS). USERS ARE ADVISED TO UPGRADE TO LATER VERSIONS.
BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193)
==================================================================
Severity: Moderate
There is a carry propagating bug in the x86_64 Montgomery squaring procedure. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. For example this can occur by default in OpenSSL DHE based SSL/TLS ciphersuites.
This issue affects OpenSSL version 1.0.2.
OpenSSL 1.0.2 users should upgrade to 1.0.2e
This issue was reported to OpenSSL on August 13 2015 by Hanno Böck. The fix was developed by Andy Polyakov of the OpenSSL development team.
Certificate verify crash with missing PSS parameter (CVE-2015-3194)
===================================================================
Severity: Moderate
The signature verification routines will crash with a NULL pointer dereference if presented with an ASN.1 signature using the RSA PSS algorithm and absent mask generation function parameter. Since these routines are used to verify certificate signature algorithms this can be used to crash any certificate verification operation and exploited in a DoS attack. Any application which performs certificate verification is vulnerable including OpenSSL clients and servers which enable client authentication.
This issue affects OpenSSL versions 1.0.2 and 1.0.1.
OpenSSL 1.0.2 users should upgrade to 1.0.2e
OpenSSL 1.0.1 users should upgrade to 1.0.1q
This issue was reported to OpenSSL on August 27 2015 by Loïc Jonas Etienne (Qnective AG). The fix was developed by Dr. Stephen Henson of the OpenSSL development team.
X509_ATTRIBUTE memory leak (CVE-2015-3195)
==========================================
Severity: Moderate
When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak memory. This structure is used by the PKCS#7 and CMS routines so any application which reads PKCS#7 or CMS data from untrusted sources is affected. SSL/TLS is not affected.
This issue affects OpenSSL versions 1.0.2 and 1.0.1, 1.0.0 and 0.9.8.
OpenSSL 1.0.2 users should upgrade to 1.0.2e
OpenSSL 1.0.1 users should upgrade to 1.0.1q
OpenSSL 1.0.0 users should upgrade to 1.0.0t
OpenSSL 0.9.8 users should upgrade to 0.9.8zh
This issue was reported to OpenSSL on November 9 2015 by Adam Langley (Google/BoringSSL) using libFuzzer. The fix was developed by Dr. Stephen Henson of the OpenSSL development team.
Race condition handling PSK identity hint (CVE-2015-3196)
=========================================================
Severity: Low
If PSK identity hints are received by a multi-threaded client then the values are wrongly updated in the parent SSL_CTX structure. This can result in a race condition potentially leading to a double free of the identity hint data.
This issue was fixed in OpenSSL 1.0.2d and 1.0.1p but has not been previously listed in an OpenSSL security advisory. This issue also affects OpenSSL 1.0.0 and has not been previously fixed in an OpenSSL 1.0.0 release.
OpenSSL 1.0.2 users should upgrade to 1.0.2d
OpenSSL 1.0.1 users should upgrade to 1.0.1p
OpenSSL 1.0.0 users should upgrade to 1.0.0t
The fix for this issue can be identified in the OpenSSL git repository by commit ids 3c66a669dfc7 (1.0.2), d6be3124f228 (1.0.1) and 1392c238657e (1.0.0).
The fix was developed by Dr. Stephen Henson of the OpenSSL development team.
Note
====
As per our previous announcements and our Release Strategy (https://www.openssl.org/about/releasestrat.html), support for OpenSSL versions 1.0.0 and 0.9.8 will cease on 31st December 2015. No security updates for these versions will be provided after that date. In the absence of significant security issues being identified prior to that date, the 1.0.0t and 0.9.8zh releases will be the last for those versions. Users of these versions are advised to upgrade.
References
==========
URL for this Security Advisory: https://www.openssl.org/news/secadv/20151203.txt
Note: the online version of the advisory may be updated with additional details over time.
For details of OpenSSL severity classifications please see: https://www.openssl.org/about/secpolicy.html
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 228bec09bf8245e03193d8d69a0999c7059ac915 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Dec 3 16:34:59 2015 +0000
ramdisk: Migrate everything during the update
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 6146d1904aad28f0bacbb6986205c28bb7020356 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Dec 3 16:03:29 2015 +0000
ramdisk: Avoid copying data if no ramdisk is used
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 84c5f0d66d5312005a2c7528dbf686dc1968cd10 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Dec 3 14:57:30 2015 +0000
ramdisk: Move crontab back to disk
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit ee3dec50a36c175f0eb4f258855de27051bb76ac Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Dec 3 14:41:49 2015 +0000
ramdisk: Make usage of ramdisk configurable
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 5258a65deaba155637d44dba97958b90ed942197 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Dec 3 14:27:33 2015 +0000
initscripts: functions: Fix indentation
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit c4a451eeadaade76900c0e8f8c6a90502473eada Author: Alexander Marx alexander.marx@ipfire.org Date: Thu Dec 3 13:14:23 2015 +0000
Remove ramdisks for RRD databases
Ramdisks are very limited in space and as new graphs are generated for OpenVPN N2N connections, etc. more space is necessary.
This patch will enable ramdisks for all systems with more than 490M of memory and allows the user to force using a ramdisk on systems with less memory.
Signed-off-by: Alexander Marx alexander.marx@ipfire.org Acked-by: Arne Fitzenreiter arne.fitzenreiter@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 74e5c32e19b3752e64c83a4762c7dacfee532bb6 Merge: 7fd716f e5d5819 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Wed Dec 2 21:39:20 2015 +0100
Merge branch 'master' into next
commit 7fd716f81c2ef856be5e69645340aebc7d4d6901 Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Dec 1 22:37:07 2015 +0000
core96: Don't restart services that have not been updated
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 5a0ddc615deaf0268139c61930f9af986f9b8ba7 Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Dec 1 22:36:21 2015 +0000
core96: Ship updated dnsmasq
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 40e1bbda54635bfa6d9894044b7bce603b12e855 Author: Matthias Fischer matthias.fischer@ipfire.org Date: Fri Nov 27 22:11:41 2015 +0100
dnsmasq 2.75: latest upstream patches
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit e546449f6ac1203c397cd94e12a73640f35518cd Author: Ersan Yildirim ersan73@gmail.com Date: Mon Nov 23 13:42:45 2015 +0000
Update Turkish translation
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit aaf67a64c3498ab8ed0a453d433807e4b014cb0a Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Nov 23 13:42:08 2015 +0000
Update translations
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit a74ade6d9a854bd76bd7eecf59eb6954c87dffef Author: Michael Tremer michael.tremer@ipfire.org Date: Sat Nov 21 14:27:04 2015 +0000
installer+setup: Update translations
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 0b075172af1ae899337e7f072fc8490ae57e5501 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Nov 19 12:54:41 2015 +0000
core96: Ship changed files
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 0cf6bacad2cafcacdee5810c2a4080cb19aa85ae Author: Alexander Marx alexander.marx@ipfire.org Date: Mon Nov 16 12:01:07 2015 +0100
BUG10984: Fix portforwardconverter for upgrades before core 77
When upgrading from a post core-77 installation, the portforwarding rules seem to get broken. With this patch the sourceports and the subnetmasks from the rules are converted correctly.
Signed-off-by: Alexander Marx alexander.marx@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit b00797e260bc84be15cea26a144f560244be4c6e Author: Alexander Marx alexander.marx@ipfire.org Date: Thu Nov 19 11:09:49 2015 +0100
BUG10963: implement a better email verification
We now check all allowed chars in the address before the @ sign. The domain part after the '@' sign is just checked for valid chars, so that user@ipfire is valid, too.
Signed-off-by: Alexander Marx alexander.marx@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 915c88931a2c5c4cd34ece5dc754cb8da984d2e3 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Nov 19 12:52:31 2015 +0000
strongswan: Update to 5.3.4
Fixes a security vulnerability in the EAP-MSCHAPv2 plugin that is filed under CVE-2015-8023.
https://www.strongswan.org/blog/2015/11/16/strongswan-vulnerability-%28cve-2...
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 06988eaf4961be6c74a9aefb8203eb7b53157bd6 Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Nov 18 17:31:32 2015 +0000
core96: Ship updated core initscript
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit c77e962d565b1ae07c9b44e3c864c9bacc9f6b78 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Oct 16 18:49:15 2015 +0200
snort: Also monitor assigned alias addresses on red.
These changes will allow snort to also inspect the traffic for one or more configured alias addresses, which has not been done in the past.
The current situation is that snort, if enabled on red, only inspects the traffic which is destined to the statically configured red address.
If some alias addresses have been assigned to the red interface, the traffic to these addresses will not be checked by snort and completely bypasses the IDS.
There is no user interaction required, nor visible effects or any backward-compatibility required, only a restart of snort after the update process to protect all red addresses.
To do this we will now check if the RED interface has been set to STATIC (which is required to use the aliases function) and any aliases have been configured. In case of this, the modified code will add all enabled alias addresses to the HOMENET variable in which snort is storing all the monitored addresses.
Fixes #10619.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
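The alias handling this commit describes, as an added shell example that is not the IPFire snort initscript. It assumes a KEY=VALUE settings file carrying RED_TYPE and RED_ADDRESS and an aliases file of one "address,on|off,comment" record per line; both files are constructed here, and the real initscript's layout of HOMENET is not reproduced.

```shell
#!/bin/sh
# Added example, not IPFire's snort initscript. Assumed file formats:
# a settings file with KEY=VALUE lines, and an aliases file with
# "address,on|off,comment" records, one per line.

# Build the list of RED addresses snort should treat as home network.
# Arguments: settings file, aliases file.
red_homenet() {
    settings=$1
    aliases=$2
    red_type=$(sed -n 's/^RED_TYPE=//p' "$settings")
    homenet=$(sed -n 's/^RED_ADDRESS=//p' "$settings")

    # Aliases can only be configured on a STATIC red interface; for any other
    # RED_TYPE the aliases file is ignored, and an empty file adds nothing.
    if [ "$red_type" = "STATIC" ] && [ -s "$aliases" ]; then
        while IFS=, read -r ip enabled _comment; do
            # Only enabled aliases receive traffic that the IDS must see.
            if [ "$enabled" = "on" ] && [ -n "$ip" ]; then
                homenet="$homenet,$ip"
            fi
        done < "$aliases"
    fi
    printf '%s\n' "$homenet"
}

# Constructed sample inputs (documentation addresses from RFC 5737).
write_samples() {
    dir=$(mktemp -d)
    printf 'RED_TYPE=STATIC\nRED_ADDRESS=203.0.113.10\n' > "$dir/static"
    printf 'RED_TYPE=DHCP\nRED_ADDRESS=203.0.113.10\n' > "$dir/dhcp"
    printf '203.0.113.11,on,mail\n203.0.113.12,off,spare\n203.0.113.13,on,web\n' \
        > "$dir/aliases"
    : > "$dir/no-aliases"
    printf '%s\n' "$dir"
}

# Demonstration run: before the fix only RED_ADDRESS was monitored, so traffic
# to the enabled aliases .11 and .13 bypassed the IDS entirely.
dir=$(write_samples)
echo "static + aliases: $(red_homenet "$dir/static" "$dir/aliases")"
echo "dhcp   + aliases: $(red_homenet "$dir/dhcp" "$dir/aliases")"
echo "static, none:     $(red_homenet "$dir/static" "$dir/no-aliases")"
rm -rf "$dir"
```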
commit e9fbc1cecf856ccc7f5f2b2c504aa4318e879a7d Author: Arne Fitzenreiter arne_f@ipfire.org Date: Wed Nov 11 22:05:15 2015 +0100
boost: build also on x86 with -j2
boost needs too much memory if it is built with more than 2 parallel processes.
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit dccbe309d2b568147c47a4d37c59b5686a7babbe Author: Arne Fitzenreiter arne_f@ipfire.org Date: Wed Nov 11 15:01:13 2015 +0100
core96: add pakfire changes to updater
commit 4e17785fc101be1bef918fe5c739a2aa8e68075c Author: Arne Fitzenreiter arne_f@ipfire.org Date: Wed Nov 11 14:54:21 2015 +0100
pakfire: remove wrong version of installed addons
In the installed addon list, pakfire showed the latest version of the addon, not the installed one.
Fixes: #10875
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit cfac8f9476678259698b14463fdd0c1b3ffeff23 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Wed Nov 11 14:49:02 2015 +0100
start core96
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
-----------------------------------------------------------------------
Summary of changes:
config/cfgroot/general-functions.pl | 29 +-
config/cron/crontab | 5 +-
config/firewall/convert-portfw | 29 +-
config/firewall/rules.pl | 4 +
config/menu/EX-tripwire.menu | 5 -
config/rootfiles/common/armv5tel/initscripts | 25 +-
config/rootfiles/common/arping | 1 +
config/rootfiles/common/configroot | 4 -
config/rootfiles/common/i586/initscripts | 21 +-
config/rootfiles/common/installer | 2 +
config/rootfiles/common/libnet | 6 +-
config/rootfiles/common/misc-progs | 1 -
config/rootfiles/common/ntp | 2 +-
config/rootfiles/common/rrdtool | 188 +-
config/rootfiles/common/setup | 2 +
config/rootfiles/common/stage2 | 1 +
config/rootfiles/common/web-user-interface | 1 -
config/rootfiles/common/x86_64/initscripts | 21 +-
config/rootfiles/core/{95 => 96}/exclude | 0
.../{oldcore/92 => core/96}/filelists/curl | 0
config/rootfiles/core/{95 => 96}/filelists/dma | 0
.../{oldcore/94 => core/96}/filelists/dnsmasq | 0
config/rootfiles/core/96/filelists/files | 17 +
.../{oldcore/87 => core/96}/filelists/i586/grub | 0
.../91 => core/96}/filelists/i586/openssl-sse2 | 0
.../{95 => 96}/filelists/i586/strongswan-padlock | 0
.../{oldcore/91 => core/96}/filelists/libnet | 0
.../{oldcore/87 => core/96}/filelists/mdadm | 0
config/rootfiles/core/{95 => 96}/filelists/ntp | 0
.../{oldcore/92 => core/96}/filelists/openssl | 0
.../{oldcore/94 => core/96}/filelists/rrdtool | 0
.../rootfiles/core/{95 => 96}/filelists/strongswan | 0
config/rootfiles/core/96/filelists/x86_64/grub | 1 +
config/rootfiles/core/{95 => 96}/meta | 0
config/rootfiles/{oldcore/93 => core/96}/update.sh | 59 +-
config/rootfiles/{core => oldcore}/95/exclude | 1 -
.../95/filelists/armv5tel/linux-kirkwood | 0
.../95/filelists/armv5tel/linux-multi | 0
.../95/filelists/armv5tel/linux-rpi | 0
.../rootfiles/{core => oldcore}/95/filelists/ddns | 0
config/rootfiles/oldcore/{94 => 95}/filelists/dma | 0
.../rootfiles/{core => oldcore}/95/filelists/files | 0
.../{core => oldcore}/95/filelists/i586/linux | 0
.../95/filelists/i586/linux-initrd | 0
.../{91 => 95}/filelists/i586/strongswan-padlock | 0
.../rootfiles/{core => oldcore}/95/filelists/ipset | 0
.../rootfiles/{core => oldcore}/95/filelists/lzo | 0
config/rootfiles/oldcore/{28 => 95}/filelists/ntp | 0
.../rootfiles/{core => oldcore}/95/filelists/snort | 0
.../oldcore/{91 => 95}/filelists/strongswan | 0
.../{core => oldcore}/95/filelists/x86_64/linux | 0
.../95/filelists/x86_64/linux-initrd | 0
config/rootfiles/oldcore/{94 => 95}/meta | 0
config/rootfiles/{core => oldcore}/95/update.sh | 0
config/rootfiles/packages/clamav | 12 +-
config/rootfiles/packages/mc | 1 +
config/rootfiles/packages/openvmtools | 52 +-
config/rootfiles/packages/tripwire | 13 -
config/tripwire/settings | 0
config/tripwire/twcfg.txt | 18 -
config/tripwire/twpol.txt | 75 -
doc/language_issues.de | 27 +
doc/language_issues.en | 27 +
doc/language_issues.es | 28 +
doc/language_issues.fr | 28 +
doc/language_issues.it | 28 +
doc/language_issues.nl | 28 +
doc/language_issues.pl | 28 +
doc/language_issues.ru | 28 +
doc/language_issues.tr | 87 +-
doc/language_missings | 4 +
html/cgi-bin/connections.cgi | 2 +-
html/cgi-bin/routing.cgi | 2 +-
html/cgi-bin/tripwire.cgi | 540 -----
langs/tr/cgi-bin/tr.pl | 65 +-
lfs/Config | 5 +-
lfs/arping | 12 +-
lfs/boost | 4 +-
lfs/clamav | 8 +-
lfs/configroot | 4 +-
lfs/cryptodev | 89 -
lfs/curl | 5 +-
lfs/dma | 1 +
lfs/dnsmasq | 15 +
lfs/ebtables | 2 +-
lfs/grub | 3 +-
lfs/initscripts | 9 +-
lfs/liboping | 1 +
lfs/libpri | 3 +-
lfs/mISDNuser | 1 +
lfs/mc | 11 +-
lfs/mdadm | 4 +-
lfs/nano | 6 +-
lfs/ntp | 3 +-
lfs/openssl | 8 +-
lfs/openvmtools | 15 +-
lfs/rrdtool | 4 +-
lfs/squid-accounting | 2 +-
lfs/strongswan | 5 +-
lfs/tripwire | 98 -
lfs/vnstat | 2 +-
lfs/xtables-addons | 1 +
make.sh | 11 +-
src/initscripts/init.d/cleanfs | 31 +-
src/initscripts/init.d/collectd | 25 +-
src/initscripts/init.d/fcron | 1 -
src/initscripts/init.d/functions | 82 +
src/initscripts/init.d/snort | 15 +
src/initscripts/init.d/tmpfs | 93
- src/initscripts/init.d/vnstat | 38 + src/initscripts/sysconfig/modules | 4 - src/installer/po/LINGUAS | 2 + src/installer/po/de.po | 19 +- src/installer/po/{jv.po => pt.po} | 4 +- src/installer/po/{jv.po => ro.po} | 6 +- src/installer/po/tr.po | 6 +- src/misc-progs/Makefile | 2 +- src/misc-progs/tripwirectrl.c | 142 -- src/pakfire/lib/functions.pl | 9 +- ...E-2015-8370-Grub2-user-pass-vulnerability.patch | 45 + src/patches/dma-0.10-better-authentication.patch | 373 ++++ ...q-Add-support-to-read-ISC-DHCP-lease-file.patch | 83 +- ..._5e3e464ac4022ee0b3794513abe510817e2cf3ca.patch | 26 + ...11-Catch_errors_from_sendmsg_in_DHCP_code.patch | 32 + ...12-Update_list_of_subnet_for_--bogus-priv.patch | 48 + ...y_address_from_DNS_overlays_A_record_from.patch | 43 + ...14-Handle_unknown_DS_hash_algos_correctly.patch | 39 + .../015-Fix_crash_at_start_up_with_conf-dir.patch | 38 + ...ajor_rationalisation_of_DNSSEC_validation.patch | 2209 ++++++++++++++++++++ ...hing_RRSIGs_and_returning_them_from_cache.patch | 612 ++++++ ...caches_DS_records_to_a_more_logical_place.patch | 269 +++ ...lise_RR-filtering_code_for_use_with_EDNS0.patch | 755 +++++++ .../dnsmasq/020-DNSSEC_validation_tweak.patch | 134 ++ ...1-Tweaks_to_EDNS0_handling_in_DNS_replies.patch | 133 ++ ..._code_Check_zone_status_is_NSEC_proof_bad.patch | 409 ++++ ...023-Fix_brace_botch_in_dnssec_validate_ds.patch | 98 + ...ning_which_DNSSEC_sig_algos_are_supported.patch | 145 ++ src/patches/ntp-fix-sycing-with-local-clock.patch | 23 + ...n-event-when-deleting-redundant-CHILD_SAs.patch | 56 + src/setup/po/LINGUAS | 2 + src/setup/po/de.po | 11 +- src/setup/po/{jv.po => pt.po} | 4 +- src/setup/po/{jv.po => ro.po} | 6 +- src/setup/po/ru.po | 57 +- src/setup/po/sq.po | 8 +- src/squid-accounting/acct.pl | 3 +- 146 files changed, 6496 insertions(+), 1494 deletions(-) delete mode 100644 config/menu/EX-tripwire.menu copy config/rootfiles/core/{95 => 96}/exclude (100%) copy config/rootfiles/{oldcore/92 => core/96}/filelists/curl 
(100%) rename config/rootfiles/core/{95 => 96}/filelists/dma (100%) copy config/rootfiles/{oldcore/94 => core/96}/filelists/dnsmasq (100%) create mode 100644 config/rootfiles/core/96/filelists/files copy config/rootfiles/{oldcore/87 => core/96}/filelists/i586/grub (100%) copy config/rootfiles/{oldcore/91 => core/96}/filelists/i586/openssl-sse2 (100%) rename config/rootfiles/core/{95 => 96}/filelists/i586/strongswan-padlock (100%) copy config/rootfiles/{oldcore/91 => core/96}/filelists/libnet (100%) copy config/rootfiles/{oldcore/87 => core/96}/filelists/mdadm (100%) rename config/rootfiles/core/{95 => 96}/filelists/ntp (100%) copy config/rootfiles/{oldcore/92 => core/96}/filelists/openssl (100%) copy config/rootfiles/{oldcore/94 => core/96}/filelists/rrdtool (100%) rename config/rootfiles/core/{95 => 96}/filelists/strongswan (100%) create mode 120000 config/rootfiles/core/96/filelists/x86_64/grub rename config/rootfiles/core/{95 => 96}/meta (100%) copy config/rootfiles/{oldcore/93 => core/96}/update.sh (63%) rename config/rootfiles/{core => oldcore}/95/exclude (95%) rename config/rootfiles/{core => oldcore}/95/filelists/armv5tel/linux-kirkwood (100%) rename config/rootfiles/{core => oldcore}/95/filelists/armv5tel/linux-multi (100%) rename config/rootfiles/{core => oldcore}/95/filelists/armv5tel/linux-rpi (100%) rename config/rootfiles/{core => oldcore}/95/filelists/ddns (100%) copy config/rootfiles/oldcore/{94 => 95}/filelists/dma (100%) rename config/rootfiles/{core => oldcore}/95/filelists/files (100%) rename config/rootfiles/{core => oldcore}/95/filelists/i586/linux (100%) rename config/rootfiles/{core => oldcore}/95/filelists/i586/linux-initrd (100%) copy config/rootfiles/oldcore/{91 => 95}/filelists/i586/strongswan-padlock (100%) rename config/rootfiles/{core => oldcore}/95/filelists/ipset (100%) rename config/rootfiles/{core => oldcore}/95/filelists/lzo (100%) copy config/rootfiles/oldcore/{28 => 95}/filelists/ntp (100%) rename config/rootfiles/{core => 
oldcore}/95/filelists/snort (100%) copy config/rootfiles/oldcore/{91 => 95}/filelists/strongswan (100%) rename config/rootfiles/{core => oldcore}/95/filelists/x86_64/linux (100%) rename config/rootfiles/{core => oldcore}/95/filelists/x86_64/linux-initrd (100%) copy config/rootfiles/oldcore/{94 => 95}/meta (100%) rename config/rootfiles/{core => oldcore}/95/update.sh (100%) delete mode 100644 config/rootfiles/packages/tripwire delete mode 100755 config/tripwire/settings delete mode 100644 config/tripwire/twcfg.txt delete mode 100644 config/tripwire/twpol.txt delete mode 100644 html/cgi-bin/tripwire.cgi delete mode 100644 lfs/cryptodev delete mode 100644 lfs/tripwire delete mode 100644 src/initscripts/init.d/tmpfs create mode 100755 src/initscripts/init.d/vnstat copy src/installer/po/{jv.po => pt.po} (98%) copy src/installer/po/{jv.po => ro.po} (96%) delete mode 100644 src/misc-progs/tripwirectrl.c create mode 100644 src/patches/0001-Fix-CVE-2015-8370-Grub2-user-pass-vulnerability.patch create mode 100644 src/patches/dma-0.10-better-authentication.patch create mode 100644 src/patches/dnsmasq/010-Rationalise_5e3e464ac4022ee0b3794513abe510817e2cf3ca.patch create mode 100644 src/patches/dnsmasq/011-Catch_errors_from_sendmsg_in_DHCP_code.patch create mode 100644 src/patches/dnsmasq/012-Update_list_of_subnet_for_--bogus-priv.patch create mode 100644 src/patches/dnsmasq/013-Fix_crash_when_empty_address_from_DNS_overlays_A_record_from.patch create mode 100644 src/patches/dnsmasq/014-Handle_unknown_DS_hash_algos_correctly.patch create mode 100644 src/patches/dnsmasq/015-Fix_crash_at_start_up_with_conf-dir.patch create mode 100644 src/patches/dnsmasq/016-Major_rationalisation_of_DNSSEC_validation.patch create mode 100644 src/patches/dnsmasq/017-Abandon_caching_RRSIGs_and_returning_them_from_cache.patch create mode 100644 src/patches/dnsmasq/018-Move_code_which_caches_DS_records_to_a_more_logical_place.patch create mode 100644 
src/patches/dnsmasq/019-Generalise_RR-filtering_code_for_use_with_EDNS0.patch create mode 100644 src/patches/dnsmasq/020-DNSSEC_validation_tweak.patch create mode 100644 src/patches/dnsmasq/021-Tweaks_to_EDNS0_handling_in_DNS_replies.patch create mode 100644 src/patches/dnsmasq/022-Tidy_up_DNSSEC_non-existence_code_Check_zone_status_is_NSEC_proof_bad.patch create mode 100644 src/patches/dnsmasq/023-Fix_brace_botch_in_dnssec_validate_ds.patch create mode 100644 src/patches/dnsmasq/024-Do_a_better_job_of_determining_which_DNSSEC_sig_algos_are_supported.patch create mode 100644 src/patches/ntp-fix-sycing-with-local-clock.patch create mode 100644 src/patches/strongswan-child-rekey-Suppress-updown-event-when-deleting-redundant-CHILD_SAs.patch copy src/setup/po/{jv.po => pt.po} (99%) copy src/setup/po/{jv.po => ro.po} (98%)
Difference in files: diff --git a/config/cfgroot/general-functions.pl b/config/cfgroot/general-functions.pl index 2b5cd19..f3a2e47 100644 --- a/config/cfgroot/general-functions.pl +++ b/config/cfgroot/general-functions.pl @@ -655,7 +655,7 @@ sub validfqdn my @parts = split (/./, $fqdn); # Split hostname at the '.' if (scalar(@parts) < 2) { # At least two parts should return 0;} # exist in a FQDN - # (i.e. hostname.domain) + # (i.e.hostname.domain) foreach $part (@parts) { # Each part should be at least one character in length # but no more than 63 characters @@ -747,14 +747,25 @@ sub ipcidr2msk { }
sub validemail { - my $mail = shift; - return 0 if ( $mail !~ /^[0-9a-zA-Z.-_]+@[0-9a-zA-Z.-]+$/ ); - return 0 if ( $mail =~ /^[^0-9a-zA-Z]|[^0-9a-zA-Z]$/); - return 0 if ( $mail !~ /([0-9a-zA-Z]{1})@./ ); - return 0 if ( $mail !~ /.@([0-9a-zA-Z]{1})/ ); - return 0 if ( $mail =~ /..-.|.-..|....|.--./g ); - return 0 if ( $mail =~ /.._.|.-_.|._..|._-.|.__./g ); - return 0 if ( $mail !~ /.([a-zA-Z]{2,4})$/ ); + my $address = shift; + my @parts = split( /@/, $address ); + my $count=@parts; + + #check if we have one part before and after '@' + return 0 if ( $count != 2 ); + + #check if one of the parts starts or ends with a dot + return 0 if ( substr($parts[0],0,1) eq '.' ); + return 0 if ( substr($parts[0],-1,1) eq '.' ); + return 0 if ( substr($parts[1],0,1) eq '.' ); + return 0 if ( substr($parts[1],-1,1) eq '.' ); + + #check first addresspart (before '@' sign) + return 0 if ( $parts[0] !~ m/^[a-zA-Z0-9.!-+#]+$/ ); + + #check second addresspart (after '@' sign) + return 0 if ( $parts[1] !~ m/^[a-zA-Z0-9.-]+$/ ); + return 1; }
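Review bot: in the `validfqdn` hunk (`@@ -655,7 +655,7 @@`) the only change is dropping the space in the comment `# (i.e. hostname.domain)` to read `# (i.e.hostname.domain)`, which makes the comment harder to read and is unrelated to the `validemail` rewrite below it; drop this hunk or keep the original spacing.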
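Review bot: in the new `validemail`, the local-part class `[a-zA-Z0-9.!-+#]` contains `!-+`, which as written is a range from `!` to `+` and therefore also admits `"`, `$`, `%`, `&`, `'`, `(`, `)` and `*`; if a literal hyphen is intended, escape it or move it to the end of the class (`[a-zA-Z0-9.!+#-]`). Separately, the removed code required a dotted domain ending in 2 to 4 letters, whereas the new domain check `^[a-zA-Z0-9.-]+$` plus the four leading/trailing-dot tests accepts `user@localhost`, `user@a..b` and `user@-example.com`; either state in a comment that a bare hostname is now acceptable, or add a check for at least one dot, no consecutive dots and no hyphen at a label boundary.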
diff --git a/config/cron/crontab b/config/cron/crontab index 02abadc..c42c650 100644 --- a/config/cron/crontab +++ b/config/cron/crontab @@ -22,7 +22,10 @@ HOME=/
# Make some nice graphs */5 * * * * /usr/local/bin/makegraphs >/dev/null -17 5 * * * /etc/init.d/tmpfs backup >/dev/null + +# Backup ramdisks if necessary +%nightly,random * 23-4 /etc/init.d/collectd backup &>/dev/null +%nightly,random * 23-4 /etc/init.d/vnstat backup &>/dev/null
# Update dynamic DNS records every five minutes. */5 * * * * [ -f "/var/ipfire/red/active" ] && /usr/bin/ddns update-all diff --git a/config/firewall/convert-portfw b/config/firewall/convert-portfw index 8660e7c..8383b5a 100755 --- a/config/firewall/convert-portfw +++ b/config/firewall/convert-portfw @@ -60,24 +60,24 @@ close(ALIAS); &write_rules; sub get_config { + my $baseipfireport; + my $basesource; print LOG "STEP 1: Get config from old portforward\n#########################################\n"; foreach my $line (@current){ - if($jump eq '1'){ - $jump=''; - $count++; - next; - } my $u=$count+1; ($key,$flag,$prot,$ipfireport,$target,$targetport,$active,$alias,$source,$remark) = split(",",$line); ($key1,$flag1,$prot1,$ipfireport1,$target1,$targetport1,$active1,$alias1,$source1,$remark1) = split(",",$current[$u]); - if ($flag1 eq '1'){ - $source=$source1; - $jump='1'; + if ($key == $key1 && $flag == '0'){ + $baseipfireport = $ipfireport; + } + if ($key == $key1 && $flag1 == '1'){ + $count++; + next; } my $now=localtime; chomp($remark); - print LOG "$now processing-> KEY: $key FLAG: $flag PROT: $prot FIREPORT: $ipfireport TARGET: $target TGTPORT: $targetport ACTIVE: $active ALIAS: $alias SOURCE: $source REM: $remark Doublerule: $jump\n"; - push (@values,$prot.",".$ipfireport.",".$target.",".$targetport.",".$active.",".$alias.",".$source.",".$remark); + print LOG "$now processing-> KEY: $key FLAG: $flag PROT: $prot FIREPORT: $baseipfireport TARGET: $target TGTPORT: $targetport ACTIVE: $active ALIAS: $alias SOURCE: $source REM: $remark Doublerule: $jump\n"; + push (@values,$prot.",".$baseipfireport.",".$target.",".$targetport.",".$active.",".$alias.",".$source.",".$remark); $count++; } } 
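Review bot: in the crontab hunk, `&>/dev/null` on the two new `%nightly,random` lines is a bash extension, while the existing entries in this file use `>/dev/null`. If fcron runs jobs through a POSIX `sh`, `cmd &>/dev/null` is parsed as `cmd &` followed by an empty redirection, so the backup runs in the background with its output still captured. Use `>/dev/null 2>&1` on both lines.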
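Review bot: in the `get_config` hunk of `convert-portfw` (`@@ -60,24 +60,24 @@`), `$baseipfireport` is only assigned when the next line has the same key and the current `$flag` is `0`, so a flag-0 rule that is not followed by a flag-1 line of the same key keeps whatever `$baseipfireport` held from the previous rule (undef for the first one), and that stale value is what `push (@values, ...)` writes out. Assign it from `$ipfireport` whenever `$flag` is `0`, independent of the lookahead. Two smaller points: `$flag == '0'` and `$flag1 == '1'` compare numerically against string literals where the removed code used `eq`, and on the last line `$key1` is undef so `$key == $key1` warns under `use warnings`; and the log line still prints `Doublerule: $jump` although `$jump` is no longer set anywhere in this loop.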
@@ -101,10 +101,15 @@ sub build_rules }else{ $src = 'src_addr'; my ($a,$b) = split("/",$source); - $src1 = $a."/32"; + if ($b != ''){ + $b = &General::iporsubtocidr($b); + }else{ + $b = "32"; + } + $src1 = $a."/".$b; } #get ipfire ip - if($alias eq '0.0.0.0'){ + if($alias eq '0.0.0.0' || $alias eq '0'){ $alias='Default IP'; }else{ foreach my $ali (@alias){ diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl index daa9565..8b0c6dd 100644 --- a/config/firewall/rules.pl +++ b/config/firewall/rules.pl @@ -467,6 +467,10 @@ sub buildrules { } elsif ($NAT_MODE eq "SNAT") { my @nat_options = @options;
+ if ($destination_intf) { + push(@nat_options, ("-o", $destination_intf)); + } + push(@nat_options, @source_options); push(@nat_options, @destination_options);
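Review bot: in the `build_rules` hunk of `convert-portfw` (`@@ -101,10 +101,15 @@`), `if ($b != '')` is a numeric comparison, so `$b` is tested against 0 rather than against the empty string: an empty `$b` emits an `isn't numeric` warning, and a netmask of `0.0.0.0` also numifies to 0 and falls through to the `/32` default. Use `if (defined $b && $b ne '')`; with that fixed, the `&General::iporsubtocidr($b)` conversion and the `/32` fallback for a bare address look right.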
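Review bot: in the `buildrules` SNAT hunk of `rules.pl`, the new `-o $destination_intf` correctly narrows the SNAT rule to the outgoing interface instead of rewriting any packet that matches the address options, but the hunk carries no comment; add one line above the `if` stating that intent, so a later reader does not take the interface match for an accident.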
diff --git a/config/menu/EX-tripwire.menu b/config/menu/EX-tripwire.menu deleted file mode 100644 index 6a23312..0000000 --- a/config/menu/EX-tripwire.menu +++ /dev/null @@ -1,5 +0,0 @@ - $subipfire->{'40.tripwire'} = {'caption' => $Lang::tr{'tripwire'}, - 'uri' => '/cgi-bin/tripwire.cgi', - 'title' => $Lang::tr{'tripwire'}, - 'enabled' => 1, - }; diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootfiles/common/armv5tel/initscripts index a174c5b..a2a2ea0 100644 --- a/config/rootfiles/common/armv5tel/initscripts +++ b/config/rootfiles/common/armv5tel/initscripts @@ -1,3 +1,4 @@ +etc/init.d #etc/rc.d #etc/rc.d/helper etc/rc.d/helper/getdnsfromdhcpc.pl @@ -12,7 +13,6 @@ etc/rc.d/init.d/apache etc/rc.d/init.d/beep #etc/rc.d/init.d/bluetooth etc/rc.d/init.d/checkfs -etc/rc.d/init.d/waitdrives #etc/rc.d/init.d/clamav etc/rc.d/init.d/cleanfs #etc/rc.d/init.d/client175 @@ -31,6 +31,7 @@ etc/rc.d/init.d/fcron etc/rc.d/init.d/fireinfo etc/rc.d/init.d/firewall etc/rc.d/init.d/firstsetup +etc/rc.d/init.d/fsresize etc/rc.d/init.d/functions #etc/rc.d/init.d/gnump3d etc/rc.d/init.d/halt @@ -52,8 +53,8 @@ etc/rc.d/init.d/mISDN #etc/rc.d/init.d/miniupnpd #etc/rc.d/init.d/mldonkey etc/rc.d/init.d/modules -#etc/rc.d/init.d/motion #etc/rc.d/init.d/monit +#etc/rc.d/init.d/motion etc/rc.d/init.d/mountfs etc/rc.d/init.d/mountkernfs etc/rc.d/init.d/mounttmpfs 
@@ -75,12 +76,14 @@ etc/rc.d/init.d/networking/red.down/05-RS-dnsmasq etc/rc.d/init.d/networking/red.down/10-ipsec etc/rc.d/init.d/networking/red.down/10-miniupnpd etc/rc.d/init.d/networking/red.down/10-ovpn +etc/rc.d/init.d/networking/red.down/10-static-routes etc/rc.d/init.d/networking/red.down/20-firewall #etc/rc.d/init.d/networking/red.up etc/rc.d/init.d/networking/red.up/01-conntrack-cleanup etc/rc.d/init.d/networking/red.up/05-RS-dnsmasq etc/rc.d/init.d/networking/red.up/10-miniupnpd etc/rc.d/init.d/networking/red.up/10-multicast +etc/rc.d/init.d/networking/red.up/10-static-routes etc/rc.d/init.d/networking/red.up/20-firewall etc/rc.d/init.d/networking/red.up/23-RS-snort etc/rc.d/init.d/networking/red.up/24-RS-qos @@ -99,7 +102,6 @@ etc/rc.d/init.d/ntp #etc/rc.d/init.d/nut #etc/rc.d/init.d/openvmtools etc/rc.d/init.d/partresize -etc/rc.d/init.d/fsresize #etc/rc.d/init.d/portmap #etc/rc.d/init.d/postfix #etc/rc.d/init.d/pound @@ -125,14 +127,16 @@ etc/rc.d/init.d/sysctl etc/rc.d/init.d/sysklogd etc/rc.d/init.d/template #etc/rc.d/init.d/tftpd -etc/rc.d/init.d/tmpfs #etc/rc.d/init.d/tor +#etc/rc.d/init.d/transmission etc/rc.d/init.d/udev etc/rc.d/init.d/udev_retry etc/rc.d/init.d/upnpd #etc/rc.d/init.d/vdr #etc/rc.d/init.d/vdradmin +etc/rc.d/init.d/vnstat #etc/rc.d/init.d/vsftpd +etc/rc.d/init.d/waitdrives #etc/rc.d/init.d/watchdog etc/rc.d/init.d/wlanclient #etc/rc.d/init.d/xinetd @@ -149,13 +153,13 @@ etc/rc.d/rc0.d/K30sshd etc/rc.d/rc0.d/K45random etc/rc.d/rc0.d/K47setclock etc/rc.d/rc0.d/K49cyrus-sasl +etc/rc.d/rc0.d/K51vnstat etc/rc.d/rc0.d/K78snort etc/rc.d/rc0.d/K79leds etc/rc.d/rc0.d/K80network etc/rc.d/rc0.d/K82wlanclient #etc/rc.d/rc0.d/K84bluetooth #etc/rc.d/rc0.d/K85messagebus -etc/rc.d/rc0.d/K85tmpfs etc/rc.d/rc0.d/K90sysklogd etc/rc.d/rc0.d/S60sendsignals etc/rc.d/rc0.d/S70localnet 
@@ -163,8 +167,9 @@ etc/rc.d/rc0.d/S80mountfs etc/rc.d/rc0.d/S90swap etc/rc.d/rc0.d/S99halt #etc/rc.d/rc3.d -etc/rc.d/rc3.d/S01tmpfs +etc/rc.d/rc3.d/S01vnstat etc/rc.d/rc3.d/S10sysklogd +etc/rc.d/rc3.d/S15fireinfo #etc/rc.d/rc3.d/S15messagebus #etc/rc.d/rc3.d/S16bluetooth #etc/rc.d/rc3.d/S18cpufreq @@ -197,13 +202,13 @@ etc/rc.d/rc6.d/K30sshd etc/rc.d/rc6.d/K45random etc/rc.d/rc6.d/K47setclock etc/rc.d/rc6.d/K49cyrus-sasl +etc/rc.d/rc6.d/K51vnstat etc/rc.d/rc6.d/K78snort etc/rc.d/rc6.d/K79leds etc/rc.d/rc6.d/K80network etc/rc.d/rc6.d/K82wlanclient #etc/rc.d/rc6.d/K84bluetooth #etc/rc.d/rc6.d/K85messagebus -etc/rc.d/rc6.d/K85tmpfs etc/rc.d/rc6.d/K90sysklogd etc/rc.d/rc6.d/S60sendsignals etc/rc.d/rc6.d/S70mountfs @@ -232,14 +237,10 @@ etc/rc.d/rcsysinit.d/S80localnet etc/rc.d/rcsysinit.d/S85firewall etc/rc.d/rcsysinit.d/S90network-trigger etc/rc.d/rcsysinit.d/S92rngd -etc/rc.d/rc3.d/S15fireinfo #etc/sysconfig etc/sysconfig/createfiles etc/sysconfig/firewall.local etc/sysconfig/modules +etc/sysconfig/ramdisk etc/sysconfig/rc etc/sysconfig/rc.local -etc/init.d -etc/rc.d/init.d/networking/red.down/10-static-routes -etc/rc.d/init.d/networking/red.up/10-static-routes -#etc/rc.d/init.d/transmission diff --git a/config/rootfiles/common/arping b/config/rootfiles/common/arping index 9599f6d..74b4acf 100644 --- a/config/rootfiles/common/arping +++ b/config/rootfiles/common/arping @@ -1 +1,2 @@ usr/sbin/arping +#usr/share/man/man8/arping.8 diff --git a/config/rootfiles/common/configroot b/config/rootfiles/common/configroot index f6cbb61..71539ef 100644 --- a/config/rootfiles/common/configroot +++ b/config/rootfiles/common/configroot @@ -115,7 +115,6 @@ var/ipfire/menu.d/70-log.menu #var/ipfire/menu.d/EX-mpfire.menu #var/ipfire/menu.d/EX-samba.menu #var/ipfire/menu.d/EX-tor.menu -#var/ipfire/menu.d/EX-tripwire.menu #var/ipfire/menu.d/EX-wlanap.menu var/ipfire/modem #var/ipfire/modem/defaults 
@@ -182,9 +181,6 @@ var/ipfire/snort #var/ipfire/snort/settings var/ipfire/time #var/ipfire/time/settings -#var/ipfire/tripwire -#var/ipfire/tripwire/report -#var/ipfire/tripwire/settings var/ipfire/updatexlrator var/ipfire/updatexlrator/autocheck var/ipfire/updatexlrator/bin diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts index 84c432a..aabc8a6 100644 --- a/config/rootfiles/common/i586/initscripts +++ b/config/rootfiles/common/i586/initscripts @@ -1,3 +1,4 @@ +etc/init.d #etc/rc.d #etc/rc.d/helper etc/rc.d/helper/getdnsfromdhcpc.pl @@ -14,7 +15,6 @@ etc/rc.d/init.d/beep #etc/rc.d/init.d/bluetooth etc/rc.d/init.d/checkfs etc/rc.d/init.d/checkfstab -etc/rc.d/init.d/waitdrives #etc/rc.d/init.d/clamav etc/rc.d/init.d/cleanfs #etc/rc.d/init.d/client175 @@ -33,6 +33,7 @@ etc/rc.d/init.d/fcron etc/rc.d/init.d/fireinfo etc/rc.d/init.d/firewall etc/rc.d/init.d/firstsetup +etc/rc.d/init.d/fsresize etc/rc.d/init.d/functions #etc/rc.d/init.d/gnump3d etc/rc.d/init.d/halt @@ -77,12 +78,14 @@ etc/rc.d/init.d/networking/red.down/05-RS-dnsmasq etc/rc.d/init.d/networking/red.down/10-ipsec etc/rc.d/init.d/networking/red.down/10-miniupnpd etc/rc.d/init.d/networking/red.down/10-ovpn +etc/rc.d/init.d/networking/red.down/10-static-routes etc/rc.d/init.d/networking/red.down/20-firewall #etc/rc.d/init.d/networking/red.up etc/rc.d/init.d/networking/red.up/01-conntrack-cleanup etc/rc.d/init.d/networking/red.up/05-RS-dnsmasq etc/rc.d/init.d/networking/red.up/10-miniupnpd etc/rc.d/init.d/networking/red.up/10-multicast +etc/rc.d/init.d/networking/red.up/10-static-routes etc/rc.d/init.d/networking/red.up/20-firewall etc/rc.d/init.d/networking/red.up/23-RS-snort etc/rc.d/init.d/networking/red.up/24-RS-qos @@ -101,7 +104,6 @@ etc/rc.d/init.d/ntp #etc/rc.d/init.d/nut #etc/rc.d/init.d/openvmtools etc/rc.d/init.d/partresize -etc/rc.d/init.d/fsresize #etc/rc.d/init.d/portmap #etc/rc.d/init.d/postfix #etc/rc.d/init.d/pound 
@@ -126,7 +128,6 @@ etc/rc.d/init.d/sysctl etc/rc.d/init.d/sysklogd etc/rc.d/init.d/template #etc/rc.d/init.d/tftpd -etc/rc.d/init.d/tmpfs #etc/rc.d/init.d/tor #etc/rc.d/init.d/transmission etc/rc.d/init.d/udev @@ -134,7 +135,9 @@ etc/rc.d/init.d/udev_retry etc/rc.d/init.d/upnpd #etc/rc.d/init.d/vdr #etc/rc.d/init.d/vdradmin +etc/rc.d/init.d/vnstat #etc/rc.d/init.d/vsftpd +etc/rc.d/init.d/waitdrives #etc/rc.d/init.d/watchdog etc/rc.d/init.d/wlanclient #etc/rc.d/init.d/xinetd @@ -151,13 +154,13 @@ etc/rc.d/rc0.d/K30sshd etc/rc.d/rc0.d/K45random etc/rc.d/rc0.d/K47setclock etc/rc.d/rc0.d/K49cyrus-sasl +etc/rc.d/rc0.d/K51vnstat etc/rc.d/rc0.d/K78snort etc/rc.d/rc0.d/K79leds etc/rc.d/rc0.d/K80network etc/rc.d/rc0.d/K82wlanclient #etc/rc.d/rc0.d/K84bluetooth #etc/rc.d/rc0.d/K85messagebus -etc/rc.d/rc0.d/K85tmpfs etc/rc.d/rc0.d/K87acpid etc/rc.d/rc0.d/K90sysklogd etc/rc.d/rc0.d/S60sendsignals @@ -166,9 +169,10 @@ etc/rc.d/rc0.d/S80mountfs etc/rc.d/rc0.d/S90swap etc/rc.d/rc0.d/S99halt #etc/rc.d/rc3.d -etc/rc.d/rc3.d/S01tmpfs +etc/rc.d/rc3.d/S01vnstat etc/rc.d/rc3.d/S10sysklogd etc/rc.d/rc3.d/S12acpid +etc/rc.d/rc3.d/S15fireinfo #etc/rc.d/rc3.d/S15messagebus #etc/rc.d/rc3.d/S16bluetooth #etc/rc.d/rc3.d/S18cpufreq @@ -201,13 +205,13 @@ etc/rc.d/rc6.d/K30sshd etc/rc.d/rc6.d/K45random etc/rc.d/rc6.d/K47setclock etc/rc.d/rc6.d/K49cyrus-sasl +etc/rc.d/rc6.d/K51vnstat etc/rc.d/rc6.d/K78snort etc/rc.d/rc6.d/K79leds etc/rc.d/rc6.d/K80network etc/rc.d/rc6.d/K82wlanclient #etc/rc.d/rc6.d/K84bluetooth #etc/rc.d/rc6.d/K85messagebus -etc/rc.d/rc6.d/K85tmpfs etc/rc.d/rc6.d/K87acpid etc/rc.d/rc6.d/K90sysklogd etc/rc.d/rc6.d/S60sendsignals 
@@ -237,13 +241,10 @@ etc/rc.d/rcsysinit.d/S80localnet etc/rc.d/rcsysinit.d/S85firewall etc/rc.d/rcsysinit.d/S90network-trigger etc/rc.d/rcsysinit.d/S92rngd -etc/rc.d/rc3.d/S15fireinfo #etc/sysconfig etc/sysconfig/createfiles etc/sysconfig/firewall.local etc/sysconfig/modules +etc/sysconfig/ramdisk etc/sysconfig/rc etc/sysconfig/rc.local -etc/init.d -etc/rc.d/init.d/networking/red.down/10-static-routes -etc/rc.d/init.d/networking/red.up/10-static-routes diff --git a/config/rootfiles/common/installer b/config/rootfiles/common/installer index 63a072f..ff8cda5 100644 --- a/config/rootfiles/common/installer +++ b/config/rootfiles/common/installer @@ -25,8 +25,10 @@ #usr/share/locale/km_KH/LC_MESSAGES/installer.mo #usr/share/locale/nl/LC_MESSAGES/installer.mo #usr/share/locale/pl/LC_MESSAGES/installer.mo +#usr/share/locale/pt/LC_MESSAGES/installer.mo #usr/share/locale/pt_BR/LC_MESSAGES/installer.mo #usr/share/locale/pt_PT/LC_MESSAGES/installer.mo +#usr/share/locale/ro/LC_MESSAGES/installer.mo #usr/share/locale/ro_RO/LC_MESSAGES/installer.mo #usr/share/locale/ru/LC_MESSAGES/installer.mo #usr/share/locale/rw/LC_MESSAGES/installer.mo diff --git a/config/rootfiles/common/libnet b/config/rootfiles/common/libnet index e36695e..ffa20fd 100644 --- a/config/rootfiles/common/libnet +++ b/config/rootfiles/common/libnet @@ -9,9 +9,9 @@ #usr/include/libnet/libnet-types.h #usr/lib/libnet.a #usr/lib/libnet.la -#usr/lib/libnet.so -#usr/lib/libnet.so.1 -#usr/lib/libnet.so.1.7.0 +usr/lib/libnet.so +usr/lib/libnet.so.1 +usr/lib/libnet.so.1.7.0 #usr/share/man/man3/libnet-functions.h.3 #usr/share/man/man3/libnet-macros.h.3 #usr/share/man/man3/libnet.h.3 diff --git a/config/rootfiles/common/misc-progs b/config/rootfiles/common/misc-progs index 349aac7..1917884 100644 --- a/config/rootfiles/common/misc-progs +++ b/config/rootfiles/common/misc-progs 
@@ -33,7 +33,6 @@ usr/local/bin/sshctrl usr/local/bin/syslogdctrl usr/local/bin/timectrl #usr/local/bin/torctrl -#usr/local/bin/tripwirectrl usr/local/bin/updxlratorctrl usr/local/bin/upnpctrl usr/local/bin/urlfilterctrl diff --git a/config/rootfiles/common/ntp b/config/rootfiles/common/ntp index 4baa074..c6b95a5 100644 --- a/config/rootfiles/common/ntp +++ b/config/rootfiles/common/ntp @@ -283,7 +283,7 @@ usr/bin/update-leap #usr/share/ntp #usr/share/ntp/lib #usr/share/ntp/lib/NTP -#usr/share/ntp/lib/NTP/Util.pm +usr/share/ntp/lib/NTP/Util.pm var/ipfire/time/counter.conf var/ipfire/time/enable var/ipfire/time/settime.conf diff --git a/config/rootfiles/common/rrdtool b/config/rootfiles/common/rrdtool index 6a79679..98d76b5 100644 --- a/config/rootfiles/common/rrdtool +++ b/config/rootfiles/common/rrdtool @@ -11,12 +11,12 @@ usr/bin/rrdupdate #usr/lib/librrd.la #usr/lib/librrd.so usr/lib/librrd.so.4 -usr/lib/librrd.so.4.3.0 +usr/lib/librrd.so.4.3.5 #usr/lib/librrd_th.a #usr/lib/librrd_th.la #usr/lib/librrd_th.so usr/lib/librrd_th.so.4 -usr/lib/librrd_th.so.4.3.0 +usr/lib/librrd_th.so.4.3.5 usr/lib/perl5/site_perl/5.12.3/RRDp.pm usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/RRDs.pm #usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/auto/RRDp 
@@ -26,98 +26,98 @@ usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/RRDs.pm #usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/auto/RRDs/RRDs.bs usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/auto/RRDs/RRDs.so #usr/lib/pkgconfig/librrd.pc -#usr/share/doc/rrdtool-1.5.4 -#usr/share/doc/rrdtool-1.5.4/html -#usr/share/doc/rrdtool-1.5.4/html/RRDp.html -#usr/share/doc/rrdtool-1.5.4/html/RRDs.html -#usr/share/doc/rrdtool-1.5.4/html/bin_dec_hex.html -#usr/share/doc/rrdtool-1.5.4/html/cdeftutorial.html -#usr/share/doc/rrdtool-1.5.4/html/index.html -#usr/share/doc/rrdtool-1.5.4/html/librrd.html -#usr/share/doc/rrdtool-1.5.4/html/rpntutorial.html -#usr/share/doc/rrdtool-1.5.4/html/rrd-beginners.html -#usr/share/doc/rrdtool-1.5.4/html/rrdbuild.html -#usr/share/doc/rrdtool-1.5.4/html/rrdcached.html -#usr/share/doc/rrdtool-1.5.4/html/rrdcgi.html -#usr/share/doc/rrdtool-1.5.4/html/rrdcreate.html -#usr/share/doc/rrdtool-1.5.4/html/rrddump.html -#usr/share/doc/rrdtool-1.5.4/html/rrdfetch.html -#usr/share/doc/rrdtool-1.5.4/html/rrdfirst.html -#usr/share/doc/rrdtool-1.5.4/html/rrdflushcached.html -#usr/share/doc/rrdtool-1.5.4/html/rrdgraph.html -#usr/share/doc/rrdtool-1.5.4/html/rrdgraph_data.html -#usr/share/doc/rrdtool-1.5.4/html/rrdgraph_examples.html -#usr/share/doc/rrdtool-1.5.4/html/rrdgraph_graph.html -#usr/share/doc/rrdtool-1.5.4/html/rrdgraph_rpn.html -#usr/share/doc/rrdtool-1.5.4/html/rrdinfo.html -#usr/share/doc/rrdtool-1.5.4/html/rrdlast.html -#usr/share/doc/rrdtool-1.5.4/html/rrdlastupdate.html -#usr/share/doc/rrdtool-1.5.4/html/rrdresize.html -#usr/share/doc/rrdtool-1.5.4/html/rrdrestore.html -#usr/share/doc/rrdtool-1.5.4/html/rrdthreads.html -#usr/share/doc/rrdtool-1.5.4/html/rrdtool.html -#usr/share/doc/rrdtool-1.5.4/html/rrdtune.html -#usr/share/doc/rrdtool-1.5.4/html/rrdtutorial.html -#usr/share/doc/rrdtool-1.5.4/html/rrdupdate.html -#usr/share/doc/rrdtool-1.5.4/html/rrdxport.html -#usr/share/doc/rrdtool-1.5.4/txt 
-#usr/share/doc/rrdtool-1.5.4/txt/bin_dec_hex.pod -#usr/share/doc/rrdtool-1.5.4/txt/bin_dec_hex.txt -#usr/share/doc/rrdtool-1.5.4/txt/cdeftutorial.pod -#usr/share/doc/rrdtool-1.5.4/txt/cdeftutorial.txt -#usr/share/doc/rrdtool-1.5.4/txt/librrd.txt -#usr/share/doc/rrdtool-1.5.4/txt/rpntutorial.pod -#usr/share/doc/rrdtool-1.5.4/txt/rpntutorial.txt -#usr/share/doc/rrdtool-1.5.4/txt/rrd-beginners.pod -#usr/share/doc/rrdtool-1.5.4/txt/rrd-beginners.txt -#usr/share/doc/rrdtool-1.5.4/txt/rrdbuild.pod -#usr/share/doc/rrdtool-1.5.4/txt/rrdbuild.txt -#usr/share/doc/rrdtool-1.5.4/txt/rrdcached.pod -#usr/share/doc/rrdtool-1.5.4/txt/rrdcached.txt -#usr/share/doc/rrdtool-1.5.4/txt/rrdcgi.pod -#usr/share/doc/rrdtool-1.5.4/txt/rrdcgi.txt -#usr/share/doc/rrdtool-1.5.4/txt/rrdcreate.pod -#usr/share/doc/rrdtool-1.5.4/txt/rrdcreate.txt -#usr/share/doc/rrdtool-1.5.4/txt/rrddump.pod -#usr/share/doc/rrdtool-1.5.4/txt/rrddump.txt -#usr/share/doc/rrdtool-1.5.4/txt/rrdfetch.pod -#usr/share/doc/rrdtool-1.5.4/txt/rrdfetch.txt -#usr/share/doc/rrdtool-1.5.4/txt/rrdfirst.pod -#usr/share/doc/rrdtool-1.5.4/txt/rrdfirst.txt -#usr/share/doc/rrdtool-1.5.4/txt/rrdflushcached.pod -#usr/share/doc/rrdtool-1.5.4/txt/rrdflushcached.txt -#usr/share/doc/rrdtool-1.5.4/txt/rrdgraph.pod -#usr/share/doc/rrdtool-1.5.4/txt/rrdgraph.txt -#usr/share/doc/rrdtool-1.5.4/txt/rrdgraph_data.pod -#usr/share/doc/rrdtool-1.5.4/txt/rrdgraph_data.txt -#usr/share/doc/rrdtool-1.5.4/txt/rrdgraph_examples.pod -#usr/share/doc/rrdtool-1.5.4/txt/rrdgraph_examples.txt -#usr/share/doc/rrdtool-1.5.4/txt/rrdgraph_graph.pod -#usr/share/doc/rrdtool-1.5.4/txt/rrdgraph_graph.txt -#usr/share/doc/rrdtool-1.5.4/txt/rrdgraph_rpn.pod -#usr/share/doc/rrdtool-1.5.4/txt/rrdgraph_rpn.txt -#usr/share/doc/rrdtool-1.5.4/txt/rrdinfo.pod -#usr/share/doc/rrdtool-1.5.4/txt/rrdinfo.txt -#usr/share/doc/rrdtool-1.5.4/txt/rrdlast.pod -#usr/share/doc/rrdtool-1.5.4/txt/rrdlast.txt -#usr/share/doc/rrdtool-1.5.4/txt/rrdlastupdate.pod 
-#usr/share/doc/rrdtool-1.5.4/txt/rrdlastupdate.txt -#usr/share/doc/rrdtool-1.5.4/txt/rrdresize.pod -#usr/share/doc/rrdtool-1.5.4/txt/rrdresize.txt -#usr/share/doc/rrdtool-1.5.4/txt/rrdrestore.pod -#usr/share/doc/rrdtool-1.5.4/txt/rrdrestore.txt -#usr/share/doc/rrdtool-1.5.4/txt/rrdthreads.pod -#usr/share/doc/rrdtool-1.5.4/txt/rrdthreads.txt -#usr/share/doc/rrdtool-1.5.4/txt/rrdtool.pod -#usr/share/doc/rrdtool-1.5.4/txt/rrdtool.txt -#usr/share/doc/rrdtool-1.5.4/txt/rrdtune.pod -#usr/share/doc/rrdtool-1.5.4/txt/rrdtune.txt -#usr/share/doc/rrdtool-1.5.4/txt/rrdtutorial.pod -#usr/share/doc/rrdtool-1.5.4/txt/rrdtutorial.txt -#usr/share/doc/rrdtool-1.5.4/txt/rrdupdate.pod -#usr/share/doc/rrdtool-1.5.4/txt/rrdupdate.txt -#usr/share/doc/rrdtool-1.5.4/txt/rrdxport.pod -#usr/share/doc/rrdtool-1.5.4/txt/rrdxport.txt +#usr/share/doc/rrdtool-1.5.5 +#usr/share/doc/rrdtool-1.5.5/html +#usr/share/doc/rrdtool-1.5.5/html/RRDp.html +#usr/share/doc/rrdtool-1.5.5/html/RRDs.html +#usr/share/doc/rrdtool-1.5.5/html/bin_dec_hex.html +#usr/share/doc/rrdtool-1.5.5/html/cdeftutorial.html +#usr/share/doc/rrdtool-1.5.5/html/index.html +#usr/share/doc/rrdtool-1.5.5/html/librrd.html +#usr/share/doc/rrdtool-1.5.5/html/rpntutorial.html +#usr/share/doc/rrdtool-1.5.5/html/rrd-beginners.html +#usr/share/doc/rrdtool-1.5.5/html/rrdbuild.html +#usr/share/doc/rrdtool-1.5.5/html/rrdcached.html +#usr/share/doc/rrdtool-1.5.5/html/rrdcgi.html +#usr/share/doc/rrdtool-1.5.5/html/rrdcreate.html +#usr/share/doc/rrdtool-1.5.5/html/rrddump.html +#usr/share/doc/rrdtool-1.5.5/html/rrdfetch.html +#usr/share/doc/rrdtool-1.5.5/html/rrdfirst.html +#usr/share/doc/rrdtool-1.5.5/html/rrdflushcached.html +#usr/share/doc/rrdtool-1.5.5/html/rrdgraph.html +#usr/share/doc/rrdtool-1.5.5/html/rrdgraph_data.html +#usr/share/doc/rrdtool-1.5.5/html/rrdgraph_examples.html +#usr/share/doc/rrdtool-1.5.5/html/rrdgraph_graph.html +#usr/share/doc/rrdtool-1.5.5/html/rrdgraph_rpn.html +#usr/share/doc/rrdtool-1.5.5/html/rrdinfo.html 
+#usr/share/doc/rrdtool-1.5.5/html/rrdlast.html +#usr/share/doc/rrdtool-1.5.5/html/rrdlastupdate.html +#usr/share/doc/rrdtool-1.5.5/html/rrdresize.html +#usr/share/doc/rrdtool-1.5.5/html/rrdrestore.html +#usr/share/doc/rrdtool-1.5.5/html/rrdthreads.html +#usr/share/doc/rrdtool-1.5.5/html/rrdtool.html +#usr/share/doc/rrdtool-1.5.5/html/rrdtune.html +#usr/share/doc/rrdtool-1.5.5/html/rrdtutorial.html +#usr/share/doc/rrdtool-1.5.5/html/rrdupdate.html +#usr/share/doc/rrdtool-1.5.5/html/rrdxport.html +#usr/share/doc/rrdtool-1.5.5/txt +#usr/share/doc/rrdtool-1.5.5/txt/bin_dec_hex.pod +#usr/share/doc/rrdtool-1.5.5/txt/bin_dec_hex.txt +#usr/share/doc/rrdtool-1.5.5/txt/cdeftutorial.pod +#usr/share/doc/rrdtool-1.5.5/txt/cdeftutorial.txt +#usr/share/doc/rrdtool-1.5.5/txt/librrd.txt +#usr/share/doc/rrdtool-1.5.5/txt/rpntutorial.pod +#usr/share/doc/rrdtool-1.5.5/txt/rpntutorial.txt +#usr/share/doc/rrdtool-1.5.5/txt/rrd-beginners.pod +#usr/share/doc/rrdtool-1.5.5/txt/rrd-beginners.txt +#usr/share/doc/rrdtool-1.5.5/txt/rrdbuild.pod +#usr/share/doc/rrdtool-1.5.5/txt/rrdbuild.txt +#usr/share/doc/rrdtool-1.5.5/txt/rrdcached.pod +#usr/share/doc/rrdtool-1.5.5/txt/rrdcached.txt +#usr/share/doc/rrdtool-1.5.5/txt/rrdcgi.pod +#usr/share/doc/rrdtool-1.5.5/txt/rrdcgi.txt +#usr/share/doc/rrdtool-1.5.5/txt/rrdcreate.pod +#usr/share/doc/rrdtool-1.5.5/txt/rrdcreate.txt +#usr/share/doc/rrdtool-1.5.5/txt/rrddump.pod +#usr/share/doc/rrdtool-1.5.5/txt/rrddump.txt +#usr/share/doc/rrdtool-1.5.5/txt/rrdfetch.pod +#usr/share/doc/rrdtool-1.5.5/txt/rrdfetch.txt +#usr/share/doc/rrdtool-1.5.5/txt/rrdfirst.pod +#usr/share/doc/rrdtool-1.5.5/txt/rrdfirst.txt +#usr/share/doc/rrdtool-1.5.5/txt/rrdflushcached.pod +#usr/share/doc/rrdtool-1.5.5/txt/rrdflushcached.txt +#usr/share/doc/rrdtool-1.5.5/txt/rrdgraph.pod +#usr/share/doc/rrdtool-1.5.5/txt/rrdgraph.txt +#usr/share/doc/rrdtool-1.5.5/txt/rrdgraph_data.pod +#usr/share/doc/rrdtool-1.5.5/txt/rrdgraph_data.txt 
+#usr/share/doc/rrdtool-1.5.5/txt/rrdgraph_examples.pod +#usr/share/doc/rrdtool-1.5.5/txt/rrdgraph_examples.txt +#usr/share/doc/rrdtool-1.5.5/txt/rrdgraph_graph.pod +#usr/share/doc/rrdtool-1.5.5/txt/rrdgraph_graph.txt +#usr/share/doc/rrdtool-1.5.5/txt/rrdgraph_rpn.pod +#usr/share/doc/rrdtool-1.5.5/txt/rrdgraph_rpn.txt +#usr/share/doc/rrdtool-1.5.5/txt/rrdinfo.pod +#usr/share/doc/rrdtool-1.5.5/txt/rrdinfo.txt +#usr/share/doc/rrdtool-1.5.5/txt/rrdlast.pod +#usr/share/doc/rrdtool-1.5.5/txt/rrdlast.txt +#usr/share/doc/rrdtool-1.5.5/txt/rrdlastupdate.pod +#usr/share/doc/rrdtool-1.5.5/txt/rrdlastupdate.txt +#usr/share/doc/rrdtool-1.5.5/txt/rrdresize.pod +#usr/share/doc/rrdtool-1.5.5/txt/rrdresize.txt +#usr/share/doc/rrdtool-1.5.5/txt/rrdrestore.pod +#usr/share/doc/rrdtool-1.5.5/txt/rrdrestore.txt +#usr/share/doc/rrdtool-1.5.5/txt/rrdthreads.pod +#usr/share/doc/rrdtool-1.5.5/txt/rrdthreads.txt +#usr/share/doc/rrdtool-1.5.5/txt/rrdtool.pod +#usr/share/doc/rrdtool-1.5.5/txt/rrdtool.txt +#usr/share/doc/rrdtool-1.5.5/txt/rrdtune.pod +#usr/share/doc/rrdtool-1.5.5/txt/rrdtune.txt +#usr/share/doc/rrdtool-1.5.5/txt/rrdtutorial.pod +#usr/share/doc/rrdtool-1.5.5/txt/rrdtutorial.txt +#usr/share/doc/rrdtool-1.5.5/txt/rrdupdate.pod +#usr/share/doc/rrdtool-1.5.5/txt/rrdupdate.txt +#usr/share/doc/rrdtool-1.5.5/txt/rrdxport.pod +#usr/share/doc/rrdtool-1.5.5/txt/rrdxport.txt #usr/share/man/man1/bin_dec_hex.1 #usr/share/man/man1/cdeftutorial.1 #usr/share/man/man1/rpntutorial.1 diff --git a/config/rootfiles/common/setup b/config/rootfiles/common/setup index 6e4d351..c5bd361 100644 --- a/config/rootfiles/common/setup +++ b/config/rootfiles/common/setup 
@@ -26,10 +26,12 @@ usr/share/locale/jv/LC_MESSAGES/setup.mo usr/share/locale/km_KH/LC_MESSAGES/setup.mo usr/share/locale/nl/LC_MESSAGES/setup.mo usr/share/locale/pl/LC_MESSAGES/setup.mo +usr/share/locale/pt/LC_MESSAGES/setup.mo usr/share/locale/pt_BR/LC_MESSAGES/setup.mo #usr/share/locale/pt_PT #usr/share/locale/pt_PT/LC_MESSAGES usr/share/locale/pt_PT/LC_MESSAGES/setup.mo +usr/share/locale/ro/LC_MESSAGES/setup.mo #usr/share/locale/ro_RO #usr/share/locale/ro_RO/LC_MESSAGES usr/share/locale/ro_RO/LC_MESSAGES/setup.mo diff --git a/config/rootfiles/common/stage2 b/config/rootfiles/common/stage2 index 4021caf..5b763fd 100644 --- a/config/rootfiles/common/stage2 +++ b/config/rootfiles/common/stage2 @@ -40,6 +40,7 @@ etc/profile.d/term256.sh etc/profile.d/umask.sh etc/resolv.conf etc/securetty +etc/sysconfig/ramdisk etc/sysctl.conf etc/syslog.conf etc/system-release diff --git a/config/rootfiles/common/web-user-interface b/config/rootfiles/common/web-user-interface index d22c1a3..b9780ea 100644 --- a/config/rootfiles/common/web-user-interface +++ b/config/rootfiles/common/web-user-interface @@ -78,7 +78,6 @@ srv/web/ipfire/cgi-bin/system.cgi srv/web/ipfire/cgi-bin/time.cgi #srv/web/ipfire/cgi-bin/tor.cgi srv/web/ipfire/cgi-bin/traffic.cgi -#srv/web/ipfire/cgi-bin/tripwire.cgi srv/web/ipfire/cgi-bin/updatexlrator.cgi #srv/web/ipfire/cgi-bin/upnp.cgi srv/web/ipfire/cgi-bin/urlfilter.cgi diff --git a/config/rootfiles/common/x86_64/initscripts b/config/rootfiles/common/x86_64/initscripts index 84c432a..aabc8a6 100644 --- a/config/rootfiles/common/x86_64/initscripts +++ b/config/rootfiles/common/x86_64/initscripts @@ -1,3 +1,4 @@ +etc/init.d #etc/rc.d #etc/rc.d/helper etc/rc.d/helper/getdnsfromdhcpc.pl @@ -14,7 +15,6 @@ etc/rc.d/init.d/beep #etc/rc.d/init.d/bluetooth etc/rc.d/init.d/checkfs etc/rc.d/init.d/checkfstab -etc/rc.d/init.d/waitdrives #etc/rc.d/init.d/clamav etc/rc.d/init.d/cleanfs #etc/rc.d/init.d/client175 
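Review bot: etc/sysconfig/ramdisk ends up in two rootfiles: it is added to config/rootfiles/common/stage2 in this hunk and again to config/rootfiles/common/x86_64/initscripts (under `#etc/sysconfig`) further down in this patch. A path should be owned by exactly one rootfile so it is not shipped from two lists; since the file is consumed by the new ramdisk handling in the init scripts, keep the initscripts entry and drop the stage2 one, or the reverse, but not both.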
@@ -33,6 +33,7 @@ etc/rc.d/init.d/fcron etc/rc.d/init.d/fireinfo etc/rc.d/init.d/firewall etc/rc.d/init.d/firstsetup +etc/rc.d/init.d/fsresize etc/rc.d/init.d/functions #etc/rc.d/init.d/gnump3d etc/rc.d/init.d/halt @@ -77,12 +78,14 @@ etc/rc.d/init.d/networking/red.down/05-RS-dnsmasq etc/rc.d/init.d/networking/red.down/10-ipsec etc/rc.d/init.d/networking/red.down/10-miniupnpd etc/rc.d/init.d/networking/red.down/10-ovpn +etc/rc.d/init.d/networking/red.down/10-static-routes etc/rc.d/init.d/networking/red.down/20-firewall #etc/rc.d/init.d/networking/red.up etc/rc.d/init.d/networking/red.up/01-conntrack-cleanup etc/rc.d/init.d/networking/red.up/05-RS-dnsmasq etc/rc.d/init.d/networking/red.up/10-miniupnpd etc/rc.d/init.d/networking/red.up/10-multicast +etc/rc.d/init.d/networking/red.up/10-static-routes etc/rc.d/init.d/networking/red.up/20-firewall etc/rc.d/init.d/networking/red.up/23-RS-snort etc/rc.d/init.d/networking/red.up/24-RS-qos @@ -101,7 +104,6 @@ etc/rc.d/init.d/ntp #etc/rc.d/init.d/nut #etc/rc.d/init.d/openvmtools etc/rc.d/init.d/partresize -etc/rc.d/init.d/fsresize #etc/rc.d/init.d/portmap #etc/rc.d/init.d/postfix #etc/rc.d/init.d/pound @@ -126,7 +128,6 @@ etc/rc.d/init.d/sysctl etc/rc.d/init.d/sysklogd etc/rc.d/init.d/template #etc/rc.d/init.d/tftpd -etc/rc.d/init.d/tmpfs #etc/rc.d/init.d/tor #etc/rc.d/init.d/transmission etc/rc.d/init.d/udev @@ -134,7 +135,9 @@ etc/rc.d/init.d/udev_retry etc/rc.d/init.d/upnpd #etc/rc.d/init.d/vdr #etc/rc.d/init.d/vdradmin +etc/rc.d/init.d/vnstat #etc/rc.d/init.d/vsftpd +etc/rc.d/init.d/waitdrives #etc/rc.d/init.d/watchdog etc/rc.d/init.d/wlanclient #etc/rc.d/init.d/xinetd 
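Review bot: this initscripts hunk series mixes a pure re-sort with functional changes, which makes the real change hard to see. `etc/init.d`, `etc/rc.d/init.d/waitdrives`, `etc/rc.d/init.d/fsresize`, the two `10-static-routes` entries and `etc/rc.d/rc3.d/S15fireinfo` only move to their alphabetical position (each has a matching - and + line), while the only functional edits are the removal of `etc/rc.d/init.d/tmpfs` with its K85tmpfs/S01tmpfs links and the addition of `etc/rc.d/init.d/vnstat` with K51vnstat/S01vnstat. Please put the re-sort in its own commit so the tmpfs-to-vnstat replacement is reviewable on its own.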
@@ -151,13 +154,13 @@ etc/rc.d/rc0.d/K30sshd etc/rc.d/rc0.d/K45random etc/rc.d/rc0.d/K47setclock etc/rc.d/rc0.d/K49cyrus-sasl +etc/rc.d/rc0.d/K51vnstat etc/rc.d/rc0.d/K78snort etc/rc.d/rc0.d/K79leds etc/rc.d/rc0.d/K80network etc/rc.d/rc0.d/K82wlanclient #etc/rc.d/rc0.d/K84bluetooth #etc/rc.d/rc0.d/K85messagebus -etc/rc.d/rc0.d/K85tmpfs etc/rc.d/rc0.d/K87acpid etc/rc.d/rc0.d/K90sysklogd etc/rc.d/rc0.d/S60sendsignals @@ -166,9 +169,10 @@ etc/rc.d/rc0.d/S80mountfs etc/rc.d/rc0.d/S90swap etc/rc.d/rc0.d/S99halt #etc/rc.d/rc3.d -etc/rc.d/rc3.d/S01tmpfs +etc/rc.d/rc3.d/S01vnstat etc/rc.d/rc3.d/S10sysklogd etc/rc.d/rc3.d/S12acpid +etc/rc.d/rc3.d/S15fireinfo #etc/rc.d/rc3.d/S15messagebus #etc/rc.d/rc3.d/S16bluetooth #etc/rc.d/rc3.d/S18cpufreq @@ -201,13 +205,13 @@ etc/rc.d/rc6.d/K30sshd etc/rc.d/rc6.d/K45random etc/rc.d/rc6.d/K47setclock etc/rc.d/rc6.d/K49cyrus-sasl +etc/rc.d/rc6.d/K51vnstat etc/rc.d/rc6.d/K78snort etc/rc.d/rc6.d/K79leds etc/rc.d/rc6.d/K80network etc/rc.d/rc6.d/K82wlanclient #etc/rc.d/rc6.d/K84bluetooth #etc/rc.d/rc6.d/K85messagebus -etc/rc.d/rc6.d/K85tmpfs etc/rc.d/rc6.d/K87acpid etc/rc.d/rc6.d/K90sysklogd etc/rc.d/rc6.d/S60sendsignals @@ -237,13 +241,10 @@ etc/rc.d/rcsysinit.d/S80localnet etc/rc.d/rcsysinit.d/S85firewall etc/rc.d/rcsysinit.d/S90network-trigger etc/rc.d/rcsysinit.d/S92rngd -etc/rc.d/rc3.d/S15fireinfo #etc/sysconfig etc/sysconfig/createfiles etc/sysconfig/firewall.local etc/sysconfig/modules +etc/sysconfig/ramdisk etc/sysconfig/rc etc/sysconfig/rc.local -etc/init.d -etc/rc.d/init.d/networking/red.down/10-static-routes -etc/rc.d/init.d/networking/red.up/10-static-routes diff --git a/config/rootfiles/core/95/exclude b/config/rootfiles/core/95/exclude deleted file mode 100644 index d87f175..0000000 --- a/config/rootfiles/core/95/exclude +++ /dev/null 
@@ -1,25 +0,0 @@ -boot/config.txt -etc/alternatives -etc/collectd.custom -etc/ipsec.conf -etc/ipsec.secrets -etc/ipsec.user.conf -etc/ipsec.user.secrets -etc/localtime -etc/shadow -etc/snort/snort.conf -etc/ssh/ssh_config -etc/ssh/sshd_config -etc/ssl/openssl.cnf -etc/sudoers -etc/sysconfig/firewall.local -etc/sysconfig/rc.local -etc/udev/rules.d/30-persistent-network.rules -srv/web/ipfire/html/proxy.pac -var/ipfire/dma -var/ipfire/time -var/ipfire/ovpn -var/lib/alternatives -var/log/cache -var/state/dhcp/dhcpd.leases -var/updatecache diff --git a/config/rootfiles/core/95/filelists/armv5tel/linux-kirkwood b/config/rootfiles/core/95/filelists/armv5tel/linux-kirkwood deleted file mode 120000 index 7217107..0000000 --- a/config/rootfiles/core/95/filelists/armv5tel/linux-kirkwood +++ /dev/null @@ -1 +0,0 @@ -../../../../common/armv5tel/linux-kirkwood \ No newline at end of file diff --git a/config/rootfiles/core/95/filelists/armv5tel/linux-multi b/config/rootfiles/core/95/filelists/armv5tel/linux-multi deleted file mode 120000 index 204eb4c..0000000 --- a/config/rootfiles/core/95/filelists/armv5tel/linux-multi +++ /dev/null @@ -1 +0,0 @@ -../../../../common/armv5tel/linux-multi \ No newline at end of file diff --git a/config/rootfiles/core/95/filelists/armv5tel/linux-rpi b/config/rootfiles/core/95/filelists/armv5tel/linux-rpi deleted file mode 120000 index a651a49..0000000 --- a/config/rootfiles/core/95/filelists/armv5tel/linux-rpi +++ /dev/null @@ -1 +0,0 @@ -../../../../common/armv5tel/linux-rpi \ No newline at end of file diff --git a/config/rootfiles/core/95/filelists/ddns b/config/rootfiles/core/95/filelists/ddns deleted file mode 120000 index 7395164..0000000 --- a/config/rootfiles/core/95/filelists/ddns +++ /dev/null @@ -1 +0,0 @@ -../../../common/ddns \ No newline at end of file diff --git a/config/rootfiles/core/95/filelists/dma b/config/rootfiles/core/95/filelists/dma deleted file mode 120000 index 60f4682..0000000 
--- a/config/rootfiles/core/95/filelists/dma +++ /dev/null @@ -1 +0,0 @@ -../../../common/dma \ No newline at end of file diff --git a/config/rootfiles/core/95/filelists/files b/config/rootfiles/core/95/filelists/files deleted file mode 100644 index 2c458a1..0000000 --- a/config/rootfiles/core/95/filelists/files +++ /dev/null @@ -1,27 +0,0 @@ -etc/system-release -etc/issue -etc/rc.d/init.d/dnsmasq -etc/rc.d/init.d/firewall -etc/rc.d/init.d/networking/red.up/99-geoip-database -lib/udev/network-hotplug-vlan -lib/udev/rules.d/60-net.rules -srv/web/ipfire/cgi-bin/connections.cgi -srv/web/ipfire/cgi-bin/credits.cgi -srv/web/ipfire/cgi-bin/dhcp.cgi -srv/web/ipfire/cgi-bin/firewall.cgi -srv/web/ipfire/cgi-bin/ids.cgi -srv/web/ipfire/cgi-bin/logs.cgi/firewalllogcountry.dat -srv/web/ipfire/cgi-bin/mail.cgi -srv/web/ipfire/cgi-bin/ovpnmain.cgi -srv/web/ipfire/cgi-bin/pppsetup.cgi -srv/web/ipfire/cgi-bin/routing.cgi -srv/web/ipfire/cgi-bin/vpnmain.cgi -usr/lib/firewall/firewall-lib.pl -usr/lib/firewall/ipsec-block -usr/local/bin/ipsecctrl -usr/local/bin/settime -usr/local/bin/timecheck -var/ipfire/backup/exclude -var/ipfire/dhcpc/dhcpcd.conf -var/ipfire/langs -var/ipfire/network-functions.pl diff --git a/config/rootfiles/core/95/filelists/i586/linux b/config/rootfiles/core/95/filelists/i586/linux deleted file mode 120000 index 693ec4b..0000000 --- a/config/rootfiles/core/95/filelists/i586/linux +++ /dev/null @@ -1 +0,0 @@ -../../../../common/i586/linux \ No newline at end of file diff --git a/config/rootfiles/core/95/filelists/i586/linux-initrd b/config/rootfiles/core/95/filelists/i586/linux-initrd deleted file mode 120000 index 32a03e6..0000000 --- a/config/rootfiles/core/95/filelists/i586/linux-initrd +++ /dev/null @@ -1 +0,0 @@ -../../../../common/i586/linux-initrd \ No newline at end of file diff --git a/config/rootfiles/core/95/filelists/i586/strongswan-padlock b/config/rootfiles/core/95/filelists/i586/strongswan-padlock deleted file mode 120000 index 2412824..0000000 
--- a/config/rootfiles/core/95/filelists/i586/strongswan-padlock +++ /dev/null @@ -1 +0,0 @@ -../../../../common/i586/strongswan-padlock \ No newline at end of file diff --git a/config/rootfiles/core/95/filelists/ipset b/config/rootfiles/core/95/filelists/ipset deleted file mode 120000 index 2b43691..0000000 --- a/config/rootfiles/core/95/filelists/ipset +++ /dev/null @@ -1 +0,0 @@ -../../../common/ipset \ No newline at end of file diff --git a/config/rootfiles/core/95/filelists/lzo b/config/rootfiles/core/95/filelists/lzo deleted file mode 120000 index 8e11e78..0000000 --- a/config/rootfiles/core/95/filelists/lzo +++ /dev/null @@ -1 +0,0 @@ -../../../common/lzo \ No newline at end of file diff --git a/config/rootfiles/core/95/filelists/ntp b/config/rootfiles/core/95/filelists/ntp deleted file mode 120000 index 7542d86..0000000 --- a/config/rootfiles/core/95/filelists/ntp +++ /dev/null @@ -1 +0,0 @@ -../../../common/ntp \ No newline at end of file diff --git a/config/rootfiles/core/95/filelists/snort b/config/rootfiles/core/95/filelists/snort deleted file mode 120000 index 9406ce0..0000000 --- a/config/rootfiles/core/95/filelists/snort +++ /dev/null @@ -1 +0,0 @@ -../../../common/snort \ No newline at end of file diff --git a/config/rootfiles/core/95/filelists/strongswan b/config/rootfiles/core/95/filelists/strongswan deleted file mode 120000 index 90c727e..0000000 --- a/config/rootfiles/core/95/filelists/strongswan +++ /dev/null @@ -1 +0,0 @@ -../../../common/strongswan \ No newline at end of file diff --git a/config/rootfiles/core/95/filelists/x86_64/linux b/config/rootfiles/core/95/filelists/x86_64/linux deleted file mode 120000 index 0615b5b..0000000 --- a/config/rootfiles/core/95/filelists/x86_64/linux +++ /dev/null @@ -1 +0,0 @@ -../../../../common/x86_64/linux \ No newline at end of file diff --git a/config/rootfiles/core/95/filelists/x86_64/linux-initrd b/config/rootfiles/core/95/filelists/x86_64/linux-initrd deleted file mode 120000 index 1b9fff7..0000000 
--- a/config/rootfiles/core/95/filelists/x86_64/linux-initrd +++ /dev/null @@ -1 +0,0 @@ -../../../../common/x86_64/linux-initrd \ No newline at end of file diff --git a/config/rootfiles/core/95/meta b/config/rootfiles/core/95/meta deleted file mode 100644 index d547fa8..0000000 --- a/config/rootfiles/core/95/meta +++ /dev/null @@ -1 +0,0 @@ -DEPS="" diff --git a/config/rootfiles/core/95/update.sh b/config/rootfiles/core/95/update.sh deleted file mode 100644 index 538a074..0000000 --- a/config/rootfiles/core/95/update.sh +++ /dev/null 
@@ -1,256 +0,0 @@ -#!/bin/bash -############################################################################ -# # -# This file is part of the IPFire Firewall. # -# # -# IPFire is free software; you can redistribute it and/or modify # -# it under the terms of the GNU General Public License as published by # -# the Free Software Foundation; either version 3 of the License, or # -# (at your option) any later version. # -# # -# IPFire is distributed in the hope that it will be useful, # -# but WITHOUT ANY WARRANTY; without even the implied warranty of # -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # -# GNU General Public License for more details. # -# # -# You should have received a copy of the GNU General Public License # -# along with IPFire; if not, write to the Free Software # -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # -# # -# Copyright (C) 2015 IPFire-Team info@ipfire.org. # -# # -############################################################################ -# -. /opt/pakfire/lib/functions.sh -/usr/local/bin/backupctrl exclude >/dev/null 2>&1 - - -function find_device() { - local mountpoint="${1}" - - local root - local dev mp fs flags rest - while read -r dev mp fs flags rest; do - # Skip unwanted entries - [ "${dev}" = "rootfs" ] && continue - - if [ "${mp}" = "${mountpoint}" ] && [ -b "${dev}" ]; then - root="$(basename "${dev}")" - break - fi - done < /proc/mounts - - # Get the actual device from the partition that holds / - while [ -n "${root}" ]; do - if [ -e "/sys/block/${root}" ]; then - echo "${root}" - return 0 - fi - - # Remove last character - root="${root::-1}" - done - - return 1 -} - - -# -# Remove old core updates from pakfire cache to save space... -core=95 -for (( i=1; i<=$core; i++ )) -do - rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire -done - -# -# Do some sanity checks. 
-case $(uname -r) in - *-ipfire-versatile ) - /usr/bin/logger -p syslog.emerg -t ipfire \ - "core-update-${core}: ERROR cannot update. versatile support is dropped." - # Report no error to pakfire. So it does not try to install it again. - exit 0 - ;; - *-ipfire* ) - # Ok. - ;; - * ) - /usr/bin/logger -p syslog.emerg -t ipfire \ - "core-update-${core}: ERROR cannot update. No IPFire Kernel." - exit 1 - ;; -esac - - -# -# -KVER="xxxKVERxxx" - -# Check diskspace on root -ROOTSPACE=`df / -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1` - -if [ $ROOTSPACE -lt 100000 ]; then - /usr/bin/logger -p syslog.emerg -t ipfire \ - "core-update-${core}: ERROR cannot update because not enough free space on root." - exit 2 -fi - - -echo -echo Update Kernel to $KVER ... -# -# Remove old kernel, configs, initrd, modules, dtb's ... -# -rm -rf /boot/System.map-* -rm -rf /boot/config-* -rm -rf /boot/ipfirerd-* -rm -rf /boot/initramfs-* -rm -rf /boot/vmlinuz-* -rm -rf /boot/uImage-ipfire-* -rm -rf /boot/uInit-ipfire-* -rm -rf /boot/dtb-*-ipfire-* -rm -rf /lib/modules - -case "$(uname -m)" in - armv*) - # Backup uEnv.txt if exist - if [ -e /boot/uEnv.txt ]; then - cp -vf /boot/uEnv.txt /boot/uEnv.txt.org - fi - - # work around the u-boot folder detection bug - mkdir -pv /boot/dtb-$KVER-ipfire-kirkwood - mkdir -pv /boot/dtb-$KVER-ipfire-multi - ;; -esac - -# Remove files -rm -f /etc/rc.d/init.d/network-vlans -rm -f /etc/rc.d/rcsysinit.d/S91network-vlans - -# -#Stop services -/etc/init.d/snort stop -/etc/init.d/squid stop -/etc/init.d/ipsec stop -/etc/init.d/ntp stop -/etc/init.d/apache stop - -# -#Extract files -tar xavf /opt/pakfire/tmp/files* --no-overwrite-dir -p --numeric-owner -C / - -# Check diskspace on boot -BOOTSPACE=`df /boot -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1` - -if [ $BOOTSPACE -lt 1000 ]; then - case $(uname -r) in - *-ipfire-kirkwood ) - # Special handling for old kirkwood images. 
- # (install only kirkwood kernel) - rm -rf /boot/* - # work around the u-boot folder detection bug - mkdir -pv /boot/dtb-$KVER-ipfire-kirkwood - tar xavf /opt/pakfire/tmp/files* --no-overwrite-dir -p \ - --numeric-owner -C / --wildcards 'boot/*-kirkwood*' - ;; - * ) - /usr/bin/logger -p syslog.emerg -t ipfire \ - "core-update-${core}: FATAL-ERROR space run out on boot. System is not bootable..." - /etc/init.d/apache start - exit 4 - ;; - esac -fi - -# Regenerate IPsec configuration -sudo -u nobody /srv/web/ipfire/cgi-bin/vpnmain.cgi - -# Update Language cache -/usr/local/bin/update-lang-cache - -# -# Start services -# -/etc/init.d/apache start -/etc/init.d/ntp start -/etc/init.d/squid start -/etc/init.d/snort start -if [ `grep "ENABLED=on" /var/ipfire/vpn/settings` ]; then - /etc/init.d/ipsec start -fi - -if [ -e /boot/grub/grub.cfg ]; then - grub-mkconfig > /boot/grub/grub.cfg -fi - -# Upadate Kernel version uEnv.txt -if [ -e /boot/uEnv.txt ]; then - sed -i -e "s/KVER=.*/KVER=${KVER}/g" /boot/uEnv.txt -fi - -# call user update script (needed for some arm boards) -if [ -e /boot/pakfire-kernel-update ]; then - /boot/pakfire-kernel-update ${KVER} -fi - -case "$(uname -m)" in - i?86) - # Force (re)install pae kernel if pae is supported - rm -rf /opt/pakfire/db/installed/meta-linux-pae - if [ ! "$(grep "^flags.* pae " /proc/cpuinfo)" == "" ]; then - ROOTSPACE=`df / -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1` - BOOTSPACE=`df /boot -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1` - if [ $BOOTSPACE -lt 12000 -o $ROOTSPACE -lt 90000 ]; then - /usr/bin/logger -p syslog.emerg -t ipfire \ - "core-update-${core}: WARNING not enough space for pae kernel." 
- else - echo "Name: linux-pae" > /opt/pakfire/db/installed/meta-linux-pae - echo "ProgVersion: 0" >> /opt/pakfire/db/installed/meta-linux-pae - echo "Release: 0" >> /opt/pakfire/db/installed/meta-linux-pae - fi - fi - ;; -esac -# -# After pakfire has ended run it again and update the lists and do upgrade -# -echo '#!/bin/bash' > /tmp/pak_update -echo 'while [ "$(ps -A | grep " update.sh")" != "" ]; do' >> /tmp/pak_update -echo ' sleep 1' >> /tmp/pak_update -echo 'done' >> /tmp/pak_update -echo 'while [ "$(ps -A | grep " pakfire")" != "" ]; do' >> /tmp/pak_update -echo ' sleep 1' >> /tmp/pak_update -echo 'done' >> /tmp/pak_update -echo '/opt/pakfire/pakfire update -y --force' >> /tmp/pak_update -echo '/opt/pakfire/pakfire upgrade -y' >> /tmp/pak_update -echo '/opt/pakfire/pakfire upgrade -y' >> /tmp/pak_update -echo '/opt/pakfire/pakfire upgrade -y' >> /tmp/pak_update -echo '/usr/bin/logger -p syslog.emerg -t ipfire "Core-upgrade finished. If you use a customized grub/uboot config"' >> /tmp/pak_update -echo '/usr/bin/logger -p syslog.emerg -t ipfire "Check it before reboot !!!"' >> /tmp/pak_update -echo '/usr/bin/logger -p syslog.emerg -t ipfire " *** Please reboot... *** "' >> /tmp/pak_update -echo 'touch /var/run/need_reboot ' >> /tmp/pak_update -# -killall -KILL pak_update -chmod +x /tmp/pak_update -/tmp/pak_update & - -sync - -# -#Finish -/etc/init.d/fireinfo start -sendprofile -# Update grub config to display new core version -if [ -e /boot/grub/grub.cfg ]; then - grub-mkconfig -o /boot/grub/grub.cfg -fi -sync - -echo -echo Please wait until pakfire has ended... -echo - -# Don't report the exitcode last command -exit 0 diff --git a/config/rootfiles/core/96/exclude b/config/rootfiles/core/96/exclude new file mode 100644 index 0000000..d87f175 --- /dev/null +++ b/config/rootfiles/core/96/exclude 
@@ -0,0 +1,25 @@ +boot/config.txt +etc/alternatives +etc/collectd.custom +etc/ipsec.conf +etc/ipsec.secrets +etc/ipsec.user.conf +etc/ipsec.user.secrets +etc/localtime +etc/shadow +etc/snort/snort.conf +etc/ssh/ssh_config +etc/ssh/sshd_config +etc/ssl/openssl.cnf +etc/sudoers +etc/sysconfig/firewall.local +etc/sysconfig/rc.local +etc/udev/rules.d/30-persistent-network.rules +srv/web/ipfire/html/proxy.pac +var/ipfire/dma +var/ipfire/time +var/ipfire/ovpn +var/lib/alternatives +var/log/cache +var/state/dhcp/dhcpd.leases +var/updatecache diff --git a/config/rootfiles/core/96/filelists/curl b/config/rootfiles/core/96/filelists/curl new file mode 120000 index 0000000..4b84bef --- /dev/null +++ b/config/rootfiles/core/96/filelists/curl @@ -0,0 +1 @@ +../../../common/curl \ No newline at end of file diff --git a/config/rootfiles/core/96/filelists/dma b/config/rootfiles/core/96/filelists/dma new file mode 120000 index 0000000..60f4682 --- /dev/null +++ b/config/rootfiles/core/96/filelists/dma @@ -0,0 +1 @@ +../../../common/dma \ No newline at end of file diff --git a/config/rootfiles/core/96/filelists/dnsmasq b/config/rootfiles/core/96/filelists/dnsmasq new file mode 120000 index 0000000..d469c74 --- /dev/null +++ b/config/rootfiles/core/96/filelists/dnsmasq @@ -0,0 +1 @@ +../../../common/dnsmasq \ No newline at end of file diff --git a/config/rootfiles/core/96/filelists/files b/config/rootfiles/core/96/filelists/files new file mode 100644 index 0000000..85fb05a --- /dev/null +++ b/config/rootfiles/core/96/filelists/files @@ -0,0 +1,17 @@ +etc/system-release +etc/issue +etc/rc.d/init.d/snort +etc/vnstat.conf +etc/rc.d/init.d/cleanfs +etc/rc.d/init.d/collectd +etc/rc.d/init.d/functions +etc/rc.d/init.d/vnstat +etc/rc.d/rc0.d/K51vnstat +etc/rc.d/rc3.d/S01vnstat +etc/rc.d/rc6.d/K51vnstat +opt/pakfire/lib/functions.pl +srv/web/ipfire/cgi-bin/connections.cgi +srv/web/ipfire/cgi-bin/routing.cgi +usr/lib/firewall/rules.pl +usr/sbin/convert-portfw +var/ipfire/general-functions.pl 
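Review bot: core/96/filelists/files ships `usr/lib/firewall/rules.pl` and `etc/rc.d/init.d/snort`, but core/96/update.sh further down neither re-runs the firewall init script nor restarts snort, and its `touch /var/run/need_reboot` is commented out, so the new rules.pl is not executed until the next firewall reload or reboot. Either reload the firewall in update.sh after `extract_files` (the `etc/rc.d/init.d/firewall` script is already part of the initscripts rootfile) or re-enable the need_reboot marker; also note `usr/sbin/convert-portfw` is shipped but never invoked by update.sh, which is fine if it is only a library update, but deserves a line in the commit message.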
diff --git a/config/rootfiles/core/96/filelists/i586/grub b/config/rootfiles/core/96/filelists/i586/grub new file mode 120000 index 0000000..feb236a --- /dev/null +++ b/config/rootfiles/core/96/filelists/i586/grub @@ -0,0 +1 @@ +../../../../common/i586/grub \ No newline at end of file diff --git a/config/rootfiles/core/96/filelists/i586/openssl-sse2 b/config/rootfiles/core/96/filelists/i586/openssl-sse2 new file mode 120000 index 0000000..f424713 --- /dev/null +++ b/config/rootfiles/core/96/filelists/i586/openssl-sse2 @@ -0,0 +1 @@ +../../../../common/i586/openssl-sse2 \ No newline at end of file diff --git a/config/rootfiles/core/96/filelists/i586/strongswan-padlock b/config/rootfiles/core/96/filelists/i586/strongswan-padlock new file mode 120000 index 0000000..2412824 --- /dev/null +++ b/config/rootfiles/core/96/filelists/i586/strongswan-padlock @@ -0,0 +1 @@ +../../../../common/i586/strongswan-padlock \ No newline at end of file diff --git a/config/rootfiles/core/96/filelists/libnet b/config/rootfiles/core/96/filelists/libnet new file mode 120000 index 0000000..26e5f79 --- /dev/null +++ b/config/rootfiles/core/96/filelists/libnet @@ -0,0 +1 @@ +../../../common/libnet \ No newline at end of file diff --git a/config/rootfiles/core/96/filelists/mdadm b/config/rootfiles/core/96/filelists/mdadm new file mode 120000 index 0000000..465808b --- /dev/null +++ b/config/rootfiles/core/96/filelists/mdadm @@ -0,0 +1 @@ +../../../common/mdadm \ No newline at end of file diff --git a/config/rootfiles/core/96/filelists/ntp b/config/rootfiles/core/96/filelists/ntp new file mode 120000 index 0000000..7542d86 --- /dev/null +++ b/config/rootfiles/core/96/filelists/ntp @@ -0,0 +1 @@ +../../../common/ntp \ No newline at end of file diff --git a/config/rootfiles/core/96/filelists/openssl b/config/rootfiles/core/96/filelists/openssl new file mode 120000 index 0000000..e011a92 --- /dev/null +++ b/config/rootfiles/core/96/filelists/openssl 
@@ -0,0 +1 @@ +../../../common/openssl \ No newline at end of file diff --git a/config/rootfiles/core/96/filelists/rrdtool b/config/rootfiles/core/96/filelists/rrdtool new file mode 120000 index 0000000..7a82e41 --- /dev/null +++ b/config/rootfiles/core/96/filelists/rrdtool @@ -0,0 +1 @@ +../../../common/rrdtool \ No newline at end of file diff --git a/config/rootfiles/core/96/filelists/strongswan b/config/rootfiles/core/96/filelists/strongswan new file mode 120000 index 0000000..90c727e --- /dev/null +++ b/config/rootfiles/core/96/filelists/strongswan @@ -0,0 +1 @@ +../../../common/strongswan \ No newline at end of file diff --git a/config/rootfiles/core/96/filelists/x86_64/grub b/config/rootfiles/core/96/filelists/x86_64/grub new file mode 120000 index 0000000..78d3bd7 --- /dev/null +++ b/config/rootfiles/core/96/filelists/x86_64/grub @@ -0,0 +1 @@ +../../../../common/x86_64/grub \ No newline at end of file diff --git a/config/rootfiles/core/96/meta b/config/rootfiles/core/96/meta new file mode 100644 index 0000000..d547fa8 --- /dev/null +++ b/config/rootfiles/core/96/meta @@ -0,0 +1 @@ +DEPS="" diff --git a/config/rootfiles/core/96/update.sh b/config/rootfiles/core/96/update.sh new file mode 100644 index 0000000..a3cf5cf --- /dev/null +++ b/config/rootfiles/core/96/update.sh 
@@ -0,0 +1,104 @@ +#!/bin/bash +############################################################################ +# # +# This file is part of the IPFire Firewall. # +# # +# IPFire is free software; you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation; either version 3 of the License, or # +# (at your option) any later version. # +# # +# IPFire is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with IPFire; if not, write to the Free Software # +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # +# # +# Copyright (C) 2015 IPFire-Team info@ipfire.org. # +# # +############################################################################ +# +. /opt/pakfire/lib/functions.sh +/usr/local/bin/backupctrl exclude >/dev/null 2>&1 + +# Remove old core updates from pakfire cache to save space... +core=96 +for (( i=1; i<=$core; i++ )) +do + rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire +done + +# Stop services +/etc/init.d/fcron stop +/etc/init.d/collectd stop +qosctrl stop + +# Backup RRDs +if [ -d "/var/log/rrd.bak" ]; then + # Umount ramdisk + umount -l "/var/log/rrd" + rm -f "/var/log/rrd" + + mv "/var/log/rrd.bak/vnstat" "/var/log/vnstat" + mv "/var/log/rrd.bak" "/var/log/rrd" +fi + +# Remove old scripts +rm -f /etc/rc.d/init.d/tmpfs \ + /etc/rc.d/rc0.d/K85tmpfs \ + /etc/rc.d/rc3.d/S01tmpfs \ + /etc/rc.d/rc6.d/K85tmpfs + +# Extract files +extract_files + +# Update Language cache +# /usr/local/bin/update-lang-cache + +# Keep (almost) old ramdisk behaviour +if [ ! 
-e "/etc/sysconfig/ramdisk" ]; then + echo "RAMDISK_MODE=2" > /etc/sysconfig/ramdisk +fi + +if [ -L "/var/spool/cron" ]; then + rm -f /var/spool/cron + mv /var/log/rrd/cron /var/spool/cron + chown cron:cron /var/spool/cron + + # Add new crontab entries + sed -i /var/spool/cron/root.orig -e "/tmpfs backup/d" + grep -q "collectd backup" /var/spool/cron/root.orig || cat <<EOF >> /var/spool/cron/root.orig +# Backup ramdisks if necessary +%nightly,random * 23-4 /etc/init.d/collectd backup &>/dev/null +%nightly,random * 23-4 /etc/init.d/vnstat backup &>/dev/null +EOF + fcrontab -z +fi + +# Start services +/etc/init.d/collectd start +/etc/init.d/vnstat start +/etc/init.d/fcron start +/etc/init.d/dnsmasq restart +qosctrl start + +# Disable loading of cryptodev +sed -e "s/^cryptodev/# &/g" -i /etc/sysconfig/modules + +# This update need a reboot... +#touch /var/run/need_reboot + +# Finish +/etc/init.d/fireinfo start +sendprofile +# Update grub config to display new core version +if [ -e /boot/grub/grub.cfg ]; then + grub-mkconfig -o /boot/grub/grub.cfg +fi +sync + +# Don't report the exitcode last command +exit 0 diff --git a/config/rootfiles/oldcore/95/exclude b/config/rootfiles/oldcore/95/exclude new file mode 100644 index 0000000..fe5e6a5 --- /dev/null +++ b/config/rootfiles/oldcore/95/exclude @@ -0,0 +1,24 @@ +boot/config.txt +etc/alternatives +etc/collectd.custom +etc/ipsec.conf +etc/ipsec.secrets +etc/ipsec.user.conf +etc/ipsec.user.secrets +etc/localtime +etc/shadow +etc/ssh/ssh_config +etc/ssh/sshd_config +etc/ssl/openssl.cnf +etc/sudoers +etc/sysconfig/firewall.local +etc/sysconfig/rc.local +etc/udev/rules.d/30-persistent-network.rules +srv/web/ipfire/html/proxy.pac +var/ipfire/dma +var/ipfire/time +var/ipfire/ovpn +var/lib/alternatives +var/log/cache +var/state/dhcp/dhcpd.leases +var/updatecache 
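Review bot: the core/96 filelists pull in openssl, openssl-sse2, strongswan, strongswan-padlock, ntp, curl and dnsmasq, but update.sh only restarts collectd, vnstat, fcron, dnsmasq and qosctrl, and the `touch /var/run/need_reboot` line is commented out directly under the comment "This update need a reboot...". Every daemon that already has the old libssl/libcrypto mapped keeps running the old code, and running ipsec and ntp daemons keep the old binaries. The deleted core/95 update.sh stopped snort, squid, ipsec, ntp and apache around extraction and started them again; core 96 should do the equivalent for the services it ships, or at least restore the need_reboot marker. Two smaller points in the same hunk: `rm -f "/var/log/rrd"` cannot remove a directory, so if /var/log/rrd is the old tmpfs mount point rather than a symlink, the following `mv "/var/log/rrd.bak" "/var/log/rrd"` nests the backup inside it instead of replacing it (use rmdir after the umount, or test with -d first; note also that `umount -l` returns before the mount is actually gone); and the commented-out `/usr/local/bin/update-lang-cache` call should either be dropped or carry a comment saying why this update skips it.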
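Review bot: config/rootfiles/oldcore/95/exclude is not a verbatim copy of the deleted config/rootfiles/core/95/exclude: the removed file (blob d87f175, 25 lines) contains `etc/snort/snort.conf`, the re-added one (blob fe5e6a5, 24 lines) does not, while core/96/exclude keeps the 25-line version. Every other file under oldcore/95 is re-added with the same blob id as its deleted core/95 counterpart (update.sh 538a074, meta d547fa8, all filelist symlinks), so this is the one place where the archive diverges from what shipped. If oldcore/ is meant to record the released core 95, move the exclude list unchanged; if dropping snort.conf there is intentional, say so in the commit message.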
diff --git a/config/rootfiles/oldcore/95/filelists/armv5tel/linux-kirkwood b/config/rootfiles/oldcore/95/filelists/armv5tel/linux-kirkwood new file mode 120000 index 0000000..7217107 --- /dev/null +++ b/config/rootfiles/oldcore/95/filelists/armv5tel/linux-kirkwood @@ -0,0 +1 @@ +../../../../common/armv5tel/linux-kirkwood \ No newline at end of file diff --git a/config/rootfiles/oldcore/95/filelists/armv5tel/linux-multi b/config/rootfiles/oldcore/95/filelists/armv5tel/linux-multi new file mode 120000 index 0000000..204eb4c --- /dev/null +++ b/config/rootfiles/oldcore/95/filelists/armv5tel/linux-multi @@ -0,0 +1 @@ +../../../../common/armv5tel/linux-multi \ No newline at end of file diff --git a/config/rootfiles/oldcore/95/filelists/armv5tel/linux-rpi b/config/rootfiles/oldcore/95/filelists/armv5tel/linux-rpi new file mode 120000 index 0000000..a651a49 --- /dev/null +++ b/config/rootfiles/oldcore/95/filelists/armv5tel/linux-rpi @@ -0,0 +1 @@ +../../../../common/armv5tel/linux-rpi \ No newline at end of file diff --git a/config/rootfiles/oldcore/95/filelists/ddns b/config/rootfiles/oldcore/95/filelists/ddns new file mode 120000 index 0000000..7395164 --- /dev/null +++ b/config/rootfiles/oldcore/95/filelists/ddns @@ -0,0 +1 @@ +../../../common/ddns \ No newline at end of file diff --git a/config/rootfiles/oldcore/95/filelists/dma b/config/rootfiles/oldcore/95/filelists/dma new file mode 120000 index 0000000..60f4682 --- /dev/null +++ b/config/rootfiles/oldcore/95/filelists/dma @@ -0,0 +1 @@ +../../../common/dma \ No newline at end of file diff --git a/config/rootfiles/oldcore/95/filelists/files b/config/rootfiles/oldcore/95/filelists/files new file mode 100644 index 0000000..2c458a1 --- /dev/null +++ b/config/rootfiles/oldcore/95/filelists/files 
@@ -0,0 +1,27 @@ +etc/system-release +etc/issue +etc/rc.d/init.d/dnsmasq +etc/rc.d/init.d/firewall +etc/rc.d/init.d/networking/red.up/99-geoip-database +lib/udev/network-hotplug-vlan +lib/udev/rules.d/60-net.rules +srv/web/ipfire/cgi-bin/connections.cgi +srv/web/ipfire/cgi-bin/credits.cgi +srv/web/ipfire/cgi-bin/dhcp.cgi +srv/web/ipfire/cgi-bin/firewall.cgi +srv/web/ipfire/cgi-bin/ids.cgi +srv/web/ipfire/cgi-bin/logs.cgi/firewalllogcountry.dat +srv/web/ipfire/cgi-bin/mail.cgi +srv/web/ipfire/cgi-bin/ovpnmain.cgi +srv/web/ipfire/cgi-bin/pppsetup.cgi +srv/web/ipfire/cgi-bin/routing.cgi +srv/web/ipfire/cgi-bin/vpnmain.cgi +usr/lib/firewall/firewall-lib.pl +usr/lib/firewall/ipsec-block +usr/local/bin/ipsecctrl +usr/local/bin/settime +usr/local/bin/timecheck +var/ipfire/backup/exclude +var/ipfire/dhcpc/dhcpcd.conf +var/ipfire/langs +var/ipfire/network-functions.pl diff --git a/config/rootfiles/oldcore/95/filelists/i586/linux b/config/rootfiles/oldcore/95/filelists/i586/linux new file mode 120000 index 0000000..693ec4b --- /dev/null +++ b/config/rootfiles/oldcore/95/filelists/i586/linux @@ -0,0 +1 @@ +../../../../common/i586/linux \ No newline at end of file diff --git a/config/rootfiles/oldcore/95/filelists/i586/linux-initrd b/config/rootfiles/oldcore/95/filelists/i586/linux-initrd new file mode 120000 index 0000000..32a03e6 --- /dev/null +++ b/config/rootfiles/oldcore/95/filelists/i586/linux-initrd @@ -0,0 +1 @@ +../../../../common/i586/linux-initrd \ No newline at end of file diff --git a/config/rootfiles/oldcore/95/filelists/i586/strongswan-padlock b/config/rootfiles/oldcore/95/filelists/i586/strongswan-padlock new file mode 120000 index 0000000..2412824 --- /dev/null +++ b/config/rootfiles/oldcore/95/filelists/i586/strongswan-padlock @@ -0,0 +1 @@ +../../../../common/i586/strongswan-padlock \ No newline at end of file diff --git a/config/rootfiles/oldcore/95/filelists/ipset b/config/rootfiles/oldcore/95/filelists/ipset new file mode 120000 index 0000000..2b43691 
--- /dev/null +++ b/config/rootfiles/oldcore/95/filelists/ipset @@ -0,0 +1 @@ +../../../common/ipset \ No newline at end of file diff --git a/config/rootfiles/oldcore/95/filelists/lzo b/config/rootfiles/oldcore/95/filelists/lzo new file mode 120000 index 0000000..8e11e78 --- /dev/null +++ b/config/rootfiles/oldcore/95/filelists/lzo @@ -0,0 +1 @@ +../../../common/lzo \ No newline at end of file diff --git a/config/rootfiles/oldcore/95/filelists/ntp b/config/rootfiles/oldcore/95/filelists/ntp new file mode 120000 index 0000000..7542d86 --- /dev/null +++ b/config/rootfiles/oldcore/95/filelists/ntp @@ -0,0 +1 @@ +../../../common/ntp \ No newline at end of file diff --git a/config/rootfiles/oldcore/95/filelists/snort b/config/rootfiles/oldcore/95/filelists/snort new file mode 120000 index 0000000..9406ce0 --- /dev/null +++ b/config/rootfiles/oldcore/95/filelists/snort @@ -0,0 +1 @@ +../../../common/snort \ No newline at end of file diff --git a/config/rootfiles/oldcore/95/filelists/strongswan b/config/rootfiles/oldcore/95/filelists/strongswan new file mode 120000 index 0000000..90c727e --- /dev/null +++ b/config/rootfiles/oldcore/95/filelists/strongswan @@ -0,0 +1 @@ +../../../common/strongswan \ No newline at end of file diff --git a/config/rootfiles/oldcore/95/filelists/x86_64/linux b/config/rootfiles/oldcore/95/filelists/x86_64/linux new file mode 120000 index 0000000..0615b5b --- /dev/null +++ b/config/rootfiles/oldcore/95/filelists/x86_64/linux @@ -0,0 +1 @@ +../../../../common/x86_64/linux \ No newline at end of file diff --git a/config/rootfiles/oldcore/95/filelists/x86_64/linux-initrd b/config/rootfiles/oldcore/95/filelists/x86_64/linux-initrd new file mode 120000 index 0000000..1b9fff7 --- /dev/null +++ b/config/rootfiles/oldcore/95/filelists/x86_64/linux-initrd @@ -0,0 +1 @@ +../../../../common/x86_64/linux-initrd \ No newline at end of file 
diff --git a/config/rootfiles/oldcore/95/meta b/config/rootfiles/oldcore/95/meta new file mode 100644 index 0000000..d547fa8 --- /dev/null +++ b/config/rootfiles/oldcore/95/meta @@ -0,0 +1 @@ +DEPS="" diff --git a/config/rootfiles/oldcore/95/update.sh b/config/rootfiles/oldcore/95/update.sh new file mode 100644 index 0000000..538a074 --- /dev/null +++ b/config/rootfiles/oldcore/95/update.sh 
@@ -0,0 +1,256 @@ +#!/bin/bash +############################################################################ +# # +# This file is part of the IPFire Firewall. # +# # +# IPFire is free software; you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation; either version 3 of the License, or # +# (at your option) any later version. # +# # +# IPFire is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with IPFire; if not, write to the Free Software # +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # +# # +# Copyright (C) 2015 IPFire-Team info@ipfire.org. # +# # +############################################################################ +# +. /opt/pakfire/lib/functions.sh +/usr/local/bin/backupctrl exclude >/dev/null 2>&1 + + +function find_device() { + local mountpoint="${1}" + + local root + local dev mp fs flags rest + while read -r dev mp fs flags rest; do + # Skip unwanted entries + [ "${dev}" = "rootfs" ] && continue + + if [ "${mp}" = "${mountpoint}" ] && [ -b "${dev}" ]; then + root="$(basename "${dev}")" + break + fi + done < /proc/mounts + + # Get the actual device from the partition that holds / + while [ -n "${root}" ]; do + if [ -e "/sys/block/${root}" ]; then + echo "${root}" + return 0 + fi + + # Remove last character + root="${root::-1}" + done + + return 1 +} + + +# +# Remove old core updates from pakfire cache to save space... +core=95 +for (( i=1; i<=$core; i++ )) +do + rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire +done + +# +# Do some sanity checks. 
+case $(uname -r) in + *-ipfire-versatile ) + /usr/bin/logger -p syslog.emerg -t ipfire \ + "core-update-${core}: ERROR cannot update. versatile support is dropped." + # Report no error to pakfire. So it does not try to install it again. + exit 0 + ;; + *-ipfire* ) + # Ok. + ;; + * ) + /usr/bin/logger -p syslog.emerg -t ipfire \ + "core-update-${core}: ERROR cannot update. No IPFire Kernel." + exit 1 + ;; +esac + + +# +# +KVER="xxxKVERxxx" + +# Check diskspace on root +ROOTSPACE=`df / -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1` + +if [ $ROOTSPACE -lt 100000 ]; then + /usr/bin/logger -p syslog.emerg -t ipfire \ + "core-update-${core}: ERROR cannot update because not enough free space on root." + exit 2 +fi + + +echo +echo Update Kernel to $KVER ... +# +# Remove old kernel, configs, initrd, modules, dtb's ... +# +rm -rf /boot/System.map-* +rm -rf /boot/config-* +rm -rf /boot/ipfirerd-* +rm -rf /boot/initramfs-* +rm -rf /boot/vmlinuz-* +rm -rf /boot/uImage-ipfire-* +rm -rf /boot/uInit-ipfire-* +rm -rf /boot/dtb-*-ipfire-* +rm -rf /lib/modules + +case "$(uname -m)" in + armv*) + # Backup uEnv.txt if exist + if [ -e /boot/uEnv.txt ]; then + cp -vf /boot/uEnv.txt /boot/uEnv.txt.org + fi + + # work around the u-boot folder detection bug + mkdir -pv /boot/dtb-$KVER-ipfire-kirkwood + mkdir -pv /boot/dtb-$KVER-ipfire-multi + ;; +esac + +# Remove files +rm -f /etc/rc.d/init.d/network-vlans +rm -f /etc/rc.d/rcsysinit.d/S91network-vlans + +# +#Stop services +/etc/init.d/snort stop +/etc/init.d/squid stop +/etc/init.d/ipsec stop +/etc/init.d/ntp stop +/etc/init.d/apache stop + +# +#Extract files +tar xavf /opt/pakfire/tmp/files* --no-overwrite-dir -p --numeric-owner -C / + +# Check diskspace on boot +BOOTSPACE=`df /boot -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1` + +if [ $BOOTSPACE -lt 1000 ]; then + case $(uname -r) in + *-ipfire-kirkwood ) + # Special handling for old kirkwood images. 
+ # (install only kirkwood kernel) + rm -rf /boot/* + # work around the u-boot folder detection bug + mkdir -pv /boot/dtb-$KVER-ipfire-kirkwood + tar xavf /opt/pakfire/tmp/files* --no-overwrite-dir -p \ + --numeric-owner -C / --wildcards 'boot/*-kirkwood*' + ;; + * ) + /usr/bin/logger -p syslog.emerg -t ipfire \ + "core-update-${core}: FATAL-ERROR space run out on boot. System is not bootable..." + /etc/init.d/apache start + exit 4 + ;; + esac +fi + +# Regenerate IPsec configuration +sudo -u nobody /srv/web/ipfire/cgi-bin/vpnmain.cgi + +# Update Language cache +/usr/local/bin/update-lang-cache + +# +# Start services +# +/etc/init.d/apache start +/etc/init.d/ntp start +/etc/init.d/squid start +/etc/init.d/snort start +if [ `grep "ENABLED=on" /var/ipfire/vpn/settings` ]; then + /etc/init.d/ipsec start +fi + +if [ -e /boot/grub/grub.cfg ]; then + grub-mkconfig > /boot/grub/grub.cfg +fi + +# Upadate Kernel version uEnv.txt +if [ -e /boot/uEnv.txt ]; then + sed -i -e "s/KVER=.*/KVER=${KVER}/g" /boot/uEnv.txt +fi + +# call user update script (needed for some arm boards) +if [ -e /boot/pakfire-kernel-update ]; then + /boot/pakfire-kernel-update ${KVER} +fi + +case "$(uname -m)" in + i?86) + # Force (re)install pae kernel if pae is supported + rm -rf /opt/pakfire/db/installed/meta-linux-pae + if [ ! "$(grep "^flags.* pae " /proc/cpuinfo)" == "" ]; then + ROOTSPACE=`df / -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1` + BOOTSPACE=`df /boot -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1` + if [ $BOOTSPACE -lt 12000 -o $ROOTSPACE -lt 90000 ]; then + /usr/bin/logger -p syslog.emerg -t ipfire \ + "core-update-${core}: WARNING not enough space for pae kernel." 
+ else + echo "Name: linux-pae" > /opt/pakfire/db/installed/meta-linux-pae + echo "ProgVersion: 0" >> /opt/pakfire/db/installed/meta-linux-pae + echo "Release: 0" >> /opt/pakfire/db/installed/meta-linux-pae + fi + fi + ;; +esac +# +# After pakfire has ended run it again and update the lists and do upgrade +# +echo '#!/bin/bash' > /tmp/pak_update +echo 'while [ "$(ps -A | grep " update.sh")" != "" ]; do' >> /tmp/pak_update +echo ' sleep 1' >> /tmp/pak_update +echo 'done' >> /tmp/pak_update +echo 'while [ "$(ps -A | grep " pakfire")" != "" ]; do' >> /tmp/pak_update +echo ' sleep 1' >> /tmp/pak_update +echo 'done' >> /tmp/pak_update +echo '/opt/pakfire/pakfire update -y --force' >> /tmp/pak_update +echo '/opt/pakfire/pakfire upgrade -y' >> /tmp/pak_update +echo '/opt/pakfire/pakfire upgrade -y' >> /tmp/pak_update +echo '/opt/pakfire/pakfire upgrade -y' >> /tmp/pak_update +echo '/usr/bin/logger -p syslog.emerg -t ipfire "Core-upgrade finished. If you use a customized grub/uboot config"' >> /tmp/pak_update +echo '/usr/bin/logger -p syslog.emerg -t ipfire "Check it before reboot !!!"' >> /tmp/pak_update +echo '/usr/bin/logger -p syslog.emerg -t ipfire " *** Please reboot... *** "' >> /tmp/pak_update +echo 'touch /var/run/need_reboot ' >> /tmp/pak_update +# +killall -KILL pak_update +chmod +x /tmp/pak_update +/tmp/pak_update & + +sync + +# +#Finish +/etc/init.d/fireinfo start +sendprofile +# Update grub config to display new core version +if [ -e /boot/grub/grub.cfg ]; then + grub-mkconfig -o /boot/grub/grub.cfg +fi +sync + +echo +echo Please wait until pakfire has ended... +echo + +# Don't report the exitcode last command +exit 0 diff --git a/config/rootfiles/packages/clamav b/config/rootfiles/packages/clamav index d79f6e6..d7636e9 100644 --- a/config/rootfiles/packages/clamav +++ b/config/rootfiles/packages/clamav 
@@ -10,16 +10,16 @@ usr/bin/sigtool #usr/include/clamav.h #usr/lib/libclamav.la usr/lib/libclamav.so -usr/lib/libclamav.so.6 -usr/lib/libclamav.so.6.1.26 +usr/lib/libclamav.so.7 +usr/lib/libclamav.so.7.1.1 #usr/lib/libclamunrar.la usr/lib/libclamunrar.so -usr/lib/libclamunrar.so.6 -usr/lib/libclamunrar.so.6.1.26 +usr/lib/libclamunrar.so.7 +usr/lib/libclamunrar.so.7.1.1 #usr/lib/libclamunrar_iface.la usr/lib/libclamunrar_iface.so -usr/lib/libclamunrar_iface.so.6 -usr/lib/libclamunrar_iface.so.6.1.26 +usr/lib/libclamunrar_iface.so.7 +usr/lib/libclamunrar_iface.so.7.1.1 #usr/lib/pkgconfig/libclamav.pc usr/sbin/clamd usr/share/clamav diff --git a/config/rootfiles/packages/mc b/config/rootfiles/packages/mc index c612edf..d09a21b 100644 --- a/config/rootfiles/packages/mc +++ b/config/rootfiles/packages/mc @@ -181,6 +181,7 @@ usr/share/mc/syntax/po.syntax usr/share/mc/syntax/povray.syntax usr/share/mc/syntax/procmail.syntax usr/share/mc/syntax/properties.syntax +usr/share/mc/syntax/puppet.syntax usr/share/mc/syntax/python.syntax usr/share/mc/syntax/ruby.syntax usr/share/mc/syntax/sh.syntax diff --git a/config/rootfiles/packages/openvmtools b/config/rootfiles/packages/openvmtools index 29f1177..caeb568 100644 --- a/config/rootfiles/packages/openvmtools +++ b/config/rootfiles/packages/openvmtools 
@@ -3,37 +3,71 @@ etc/rc.d/rc0.d/K01openvmtools etc/rc.d/rc3.d/S60openvmtools etc/rc.d/rc6.d/K01openvmtools etc/vmware-tools -etc/vmware-tools/plugins +etc/vmware-tools/guestproxy-ssl.conf etc/vmware-tools/poweroff-vm-default etc/vmware-tools/poweron-vm-default etc/vmware-tools/resume-vm-default +etc/vmware-tools/scripts +etc/vmware-tools/scripts/vmware +etc/vmware-tools/scripts/vmware/network +etc/vmware-tools/statechange.subr etc/vmware-tools/suspend-vm-default etc/vmware-tools/vm-support sbin/mount.vmhgfs +usr/bin/vmhgfs-fuse usr/bin/vmtoolsd usr/bin/vmware-checkvm +usr/bin/vmware-guestproxycerttool usr/bin/vmware-hgfsclient usr/bin/vmware-rpctool usr/bin/vmware-toolbox-cmd usr/bin/vmware-vmblock-fuse usr/bin/vmware-xferlogs -usr/lib/libguestlib.a -usr/lib/libguestlib.la -usr/lib/libguestlib.so +#usr/include/vmGuestLib +#usr/include/vmGuestLib/includeCheck.h +#usr/include/vmGuestLib/vmGuestLib.h +#usr/include/vmGuestLib/vmSessionId.h +#usr/include/vmGuestLib/vm_basic_types.h +#usr/lib/libguestlib.a +#usr/lib/libguestlib.la +#usr/lib/libguestlib.so usr/lib/libguestlib.so.0 usr/lib/libguestlib.so.0.0.0 -usr/lib/libvmtools.a -usr/lib/libvmtools.la -usr/lib/libvmtools.so +#usr/lib/libhgfs.a +#usr/lib/libhgfs.la +#usr/lib/libhgfs.so +usr/lib/libhgfs.so.0 +usr/lib/libhgfs.so.0.0.0 +#usr/lib/libvmtools.a +#usr/lib/libvmtools.la +#usr/lib/libvmtools.so usr/lib/libvmtools.so.0 usr/lib/libvmtools.so.0.0.0 usr/lib/open-vm-tools usr/lib/open-vm-tools/plugins +#usr/lib/open-vm-tools/plugins/common +#usr/lib/open-vm-tools/plugins/common/libhgfsServer.la +usr/lib/open-vm-tools/plugins/common/libhgfsServer.so +#usr/lib/open-vm-tools/plugins/common/libvix.la +usr/lib/open-vm-tools/plugins/common/libvix.so usr/lib/open-vm-tools/plugins/vmsvc +usr/lib/open-vm-tools/plugins/vmsvc/libgrabbitmqProxy.so usr/lib/open-vm-tools/plugins/vmsvc/libguestInfo.so -usr/lib/open-vm-tools/plugins/vmsvc/libhgfsServer.so usr/lib/open-vm-tools/plugins/vmsvc/libpowerOps.so 
usr/lib/open-vm-tools/plugins/vmsvc/libtimeSync.so -usr/lib/open-vm-tools/plugins/vmsvc/libvix.so usr/lib/open-vm-tools/plugins/vmsvc/libvmbackup.so +#usr/lib/pkgconfig/vmguestlib.pc usr/sbin/mount.vmhgfs +#usr/share/open-vm-tools +#usr/share/open-vm-tools/messages +#usr/share/open-vm-tools/messages/de +#usr/share/open-vm-tools/messages/de/toolboxcmd.vmsg +#usr/share/open-vm-tools/messages/de/vmtoolsd.vmsg +#usr/share/open-vm-tools/messages/ja +#usr/share/open-vm-tools/messages/ja/toolboxcmd.vmsg +#usr/share/open-vm-tools/messages/ja/vmtoolsd.vmsg +#usr/share/open-vm-tools/messages/ko +#usr/share/open-vm-tools/messages/ko/toolboxcmd.vmsg +#usr/share/open-vm-tools/messages/ko/vmtoolsd.vmsg +#usr/share/open-vm-tools/messages/zh_CN +#usr/share/open-vm-tools/messages/zh_CN/toolboxcmd.vmsg diff --git a/config/rootfiles/packages/tripwire b/config/rootfiles/packages/tripwire deleted file mode 100644 index b30e843..0000000 --- a/config/rootfiles/packages/tripwire +++ /dev/null @@ -1,13 +0,0 @@ -#etc/rc.d/init.d/tripwire -usr/local/bin/tripwirectrl -usr/sbin/siggen -usr/sbin/tripwire -usr/sbin/twadmin -usr/sbin/twprint -var/ipfire/tripwire -#var/ipfire/tripwire/twcfg.default -#var/ipfire/tripwire/twcfg.txt -#var/ipfire/tripwire/twpol.default -#var/ipfire/tripwire/twpol.txt -srv/web/ipfire/cgi-bin/tripwire.cgi -var/ipfire/menu.d/EX-tripwire.menu diff --git a/config/tripwire/settings b/config/tripwire/settings deleted file mode 100755 index e69de29..0000000 diff --git a/config/tripwire/twcfg.txt b/config/tripwire/twcfg.txt deleted file mode 100644 index 195819c..0000000 --- a/config/tripwire/twcfg.txt +++ /dev/null 
@@ -1,18 +0,0 @@ -ROOT =/usr/sbin -POLFILE =/var/ipfire/tripwire/tw.pol -DBFILE =/var/ipfire/tripwire/$(HOSTNAME).twd -REPORTFILE =/var/ipfire/tripwire/report/$(DATE).twr -SITEKEYFILE =/var/ipfire/tripwire/site.key -LOCALKEYFILE =/var/ipfire/tripwire/local.key -EDITOR =/usr/bin/vi -LATEPROMPTING =false -LOOSEDIRECTORYCHECKING =false -MAILNOVIOLATIONS =false -EMAILREPORTLEVEL =3 -REPORTLEVEL =3 -#MAILMETHOD =SENDMAIL -#MAILMETHOD =SMTP -#SMTPHOST =phoenix.e-vector.com -#SMTPPORT =25 -SYSLOGREPORTING =false -#MAILPROGRAM =/usr/sbin/sendmail -oi -t diff --git a/config/tripwire/twpol.txt b/config/tripwire/twpol.txt deleted file mode 100644 index 9cdcce8..0000000 --- a/config/tripwire/twpol.txt +++ /dev/null 
@@ -1,75 +0,0 @@ -@@section GLOBAL -TWROOT=/usr/sbin; -TWBIN=/usr/sbin; -TWPOL="/var/ipfire/tripwire"; -TWDB="/var/ipfire/tripwire"; -TWSKEY="/var/ipfire/tripwire"; -TWLKEY="/var/ipfire/tripwire"; -TWREPORT="/var/ipfire/tripwire/report"; -HOSTNAME=ipfire; - -@@section FS -SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change -SEC_CONFIG = $(Dynamic) ; # Config files that are changed infrequently but accessed often -SEC_LOG = $(Growing) ; # Files that grow, but that should never change ownership -SEC_INVARIANT = +tpug ; # Directories that should never change permission or ownership -SIG_LOW = 33 ; # Non-critical files that are of minimal security impact -SIG_MED = 66 ; # Non-critical files that are of significant security impact -SIG_HI = 100 ; # Critical files that are significant points of vulnerability - -# System Files - -( - rulename = "System Files", - severity = $(SIG_HI) -) -{ - $(TWDB) -> $(SEC_CRIT) ; - $(TWPOL)/tw.pol -> $(SEC_CRIT) -i ; - $(TWPOL)/tw.cfg -> $(SEC_CRIT) -i ; - $(TWLKEY)/local.key -> $(SEC_CRIT) ; - $(TWSKEY)/site.key -> $(SEC_CRIT) ; - - /bin -> $(SEC_CRIT) ; - /boot -> $(SEC_CRIT) ; - /etc -> $(SEC_CRIT) ; - /etc/snort/rules/ -> $(Dynamic) ; - /lib -> $(SEC_CRIT) ; - /root -> $(SEC_CRIT) ; - /root/.bash_history -> $(Dynamic) ; - /sbin -> $(SEC_CRIT) ; - /usr -> $(SEC_CRIT) ; - /usr/share/clamav -> $(Dynamic) ; - /etc/mtab -> $(SEC_CONFIG) -i ; # Inode number changes on any mount/unmount - - #don't scan the individual reports - $(TWREPORT) -> $(SEC_CONFIG) (recurse=0) ; -} - -# Commonly accessed directories that should remain static with regards to owner and group -( - rulename = "Invariant Directories", - severity = $(SIG_MED) -) -{ - / -> $(SEC_INVARIANT) (recurse = 0) ; - /home -> $(SEC_INVARIANT) (recurse = 0) ; - /tmp -> $(SEC_INVARIANT) ; -} - -# Critical Devices - -( - rulename = "Critical devices", - severity = $(SIG_HI), - recurse = false -) -{ - /dev/console -> $(SEC_CONFIG) -u ; # User ID may change on console 
login/logout. - /dev/initctl -> $(SEC_CONFIG) ; /dev/log -> $(SEC_CONFIG) ; - /proc/modules -> $(Device) ; - /proc/mounts -> $(Device) ; - /proc/filesystems -> $(Device) ; - /proc/misc -> $(Device) ; - /var/log -> $(SEC_LOG) ; -} diff --git a/doc/language_issues.de b/doc/language_issues.de index 6c47184..3660356 100644 --- a/doc/language_issues.de +++ b/doc/language_issues.de @@ -13,6 +13,7 @@ WARNING: translation string unused: Verbose WARNING: translation string unused: access allowed WARNING: translation string unused: access refused with this oinkcode WARNING: translation string unused: add a new rule +WARNING: translation string unused: add cron WARNING: translation string unused: add network WARNING: translation string unused: add new ovpn WARNING: translation string unused: add service @@ -128,6 +129,8 @@ WARNING: translation string unused: deep scan directories WARNING: translation string unused: default ip WARNING: translation string unused: default networks WARNING: translation string unused: default services +WARNING: translation string unused: defaultwarning +WARNING: translation string unused: delete cron WARNING: translation string unused: description WARNING: translation string unused: destination ip bad WARNING: translation string unused: destination ip or net @@ -170,6 +173,7 @@ WARNING: translation string unused: email server can not be empty WARNING: translation string unused: email subject WARNING: translation string unused: email success WARNING: translation string unused: email text +WARNING: translation string unused: emailreportlevel WARNING: translation string unused: enable javascript WARNING: translation string unused: enable wildcards WARNING: translation string unused: enabled on 
@@ -264,6 +268,10 @@ WARNING: translation string unused: fwhost reset WARNING: translation string unused: fwhost wo subnet WARNING: translation string unused: gen static key WARNING: translation string unused: generate +WARNING: translation string unused: generate tripwire keys and init +WARNING: translation string unused: generatekeys +WARNING: translation string unused: generatepolicy +WARNING: translation string unused: generatereport WARNING: translation string unused: genkey WARNING: translation string unused: geoipblock country code WARNING: translation string unused: geoipblock country name @@ -318,11 +326,14 @@ WARNING: translation string unused: javascript menu error1 WARNING: translation string unused: javascript menu error2 WARNING: translation string unused: kernel version WARNING: translation string unused: key stuff +WARNING: translation string unused: keyreset +WARNING: translation string unused: keys WARNING: translation string unused: lateprompting WARNING: translation string unused: length WARNING: translation string unused: line WARNING: translation string unused: loaded modules WARNING: translation string unused: local hard disk +WARNING: translation string unused: localkey WARNING: translation string unused: localkeyfile WARNING: translation string unused: log enabled WARNING: translation string unused: log viewer @@ -339,6 +350,8 @@ WARNING: translation string unused: ls_pam_unix WARNING: translation string unused: ls_sshd WARNING: translation string unused: ls_syslogd WARNING: translation string unused: mac address error not 00 +WARNING: translation string unused: mailmethod +WARNING: translation string unused: mailprogramm WARNING: translation string unused: manage ovpn WARNING: translation string unused: manual control and status WARNING: translation string unused: marked 
@@ -479,9 +492,11 @@ WARNING: translation string unused: refresh update list WARNING: translation string unused: released WARNING: translation string unused: removable device advice WARNING: translation string unused: reportfile +WARNING: translation string unused: reportlevel WARNING: translation string unused: requested data WARNING: translation string unused: reserved dst port WARNING: translation string unused: reserved src port +WARNING: translation string unused: resetpolicy WARNING: translation string unused: restore hardware settings WARNING: translation string unused: root WARNING: translation string unused: root path @@ -509,8 +524,11 @@ WARNING: translation string unused: shaping list options WARNING: translation string unused: shutdown ask WARNING: translation string unused: shutdown sure WARNING: translation string unused: shutdown2 +WARNING: translation string unused: sitekey WARNING: translation string unused: sitekeyfile WARNING: translation string unused: smbreload +WARNING: translation string unused: smtphost +WARNING: translation string unused: smtpport WARNING: translation string unused: source ip bad WARNING: translation string unused: source ip in use WARNING: translation string unused: source ip or net 
@@ -585,12 +603,21 @@ WARNING: translation string unused: trafficsum WARNING: translation string unused: trafficto WARNING: translation string unused: transfer limits WARNING: translation string unused: transparent on +WARNING: translation string unused: tripwire +WARNING: translation string unused: tripwire cronjob +WARNING: translation string unused: tripwire functions +WARNING: translation string unused: tripwire reports +WARNING: translation string unused: tripwireoperating +WARNING: translation string unused: tripwirewarningdatabase +WARNING: translation string unused: tripwirewarningkeys +WARNING: translation string unused: tripwirewarningpolicy WARNING: translation string unused: umount WARNING: translation string unused: umount removable media before to unplug WARNING: translation string unused: unblock WARNING: translation string unused: unblock all WARNING: translation string unused: unencrypted WARNING: translation string unused: update transcript +WARNING: translation string unused: updatedatabase WARNING: translation string unused: updates WARNING: translation string unused: updates is old1 WARNING: translation string unused: updates is old2 diff --git a/doc/language_issues.en b/doc/language_issues.en index 68e351c..a419afa 100644 --- a/doc/language_issues.en +++ b/doc/language_issues.en @@ -13,6 +13,7 @@ WARNING: translation string unused: Verbose WARNING: translation string unused: access allowed WARNING: translation string unused: access refused with this oinkcode WARNING: translation string unused: add a new rule +WARNING: translation string unused: add cron WARNING: translation string unused: add network WARNING: translation string unused: add new ovpn WARNING: translation string unused: add service 
@@ -147,6 +148,8 @@ WARNING: translation string unused: deep scan directories WARNING: translation string unused: default ip WARNING: translation string unused: default networks WARNING: translation string unused: default services +WARNING: translation string unused: defaultwarning +WARNING: translation string unused: delete cron WARNING: translation string unused: description WARNING: translation string unused: destination ip bad WARNING: translation string unused: destination ip or net @@ -193,6 +196,7 @@ WARNING: translation string unused: email server can not be empty WARNING: translation string unused: email subject WARNING: translation string unused: email success WARNING: translation string unused: email text +WARNING: translation string unused: emailreportlevel WARNING: translation string unused: enable javascript WARNING: translation string unused: enable wildcards WARNING: translation string unused: enabled on @@ -289,6 +293,10 @@ WARNING: translation string unused: g.dtm WARNING: translation string unused: g.lite WARNING: translation string unused: gen static key WARNING: translation string unused: generate +WARNING: translation string unused: generate tripwire keys and init +WARNING: translation string unused: generatekeys +WARNING: translation string unused: generatepolicy +WARNING: translation string unused: generatereport WARNING: translation string unused: genkey WARNING: translation string unused: geoipblock country code WARNING: translation string unused: geoipblock country name 
@@ -344,11 +352,14 @@ WARNING: translation string unused: javascript menu error1 WARNING: translation string unused: javascript menu error2 WARNING: translation string unused: kernel version WARNING: translation string unused: key stuff +WARNING: translation string unused: keyreset +WARNING: translation string unused: keys WARNING: translation string unused: lateprompting WARNING: translation string unused: length WARNING: translation string unused: line WARNING: translation string unused: loaded modules WARNING: translation string unused: local hard disk +WARNING: translation string unused: localkey WARNING: translation string unused: localkeyfile WARNING: translation string unused: log enabled WARNING: translation string unused: log viewer @@ -365,6 +376,8 @@ WARNING: translation string unused: ls_pam_unix WARNING: translation string unused: ls_sshd WARNING: translation string unused: ls_syslogd WARNING: translation string unused: mac address error not 00 +WARNING: translation string unused: mailmethod +WARNING: translation string unused: mailprogramm WARNING: translation string unused: manage ovpn WARNING: translation string unused: manual control and status WARNING: translation string unused: marked @@ -506,9 +519,11 @@ WARNING: translation string unused: refresh update list WARNING: translation string unused: released WARNING: translation string unused: removable device advice WARNING: translation string unused: reportfile +WARNING: translation string unused: reportlevel WARNING: translation string unused: requested data WARNING: translation string unused: reserved dst port WARNING: translation string unused: reserved src port +WARNING: translation string unused: resetpolicy WARNING: translation string unused: restore hardware settings WARNING: translation string unused: root WARNING: translation string unused: root path 
@@ -539,8 +554,11 @@ WARNING: translation string unused: show lines WARNING: translation string unused: shutdown ask WARNING: translation string unused: shutdown sure WARNING: translation string unused: shutdown2 +WARNING: translation string unused: sitekey WARNING: translation string unused: sitekeyfile WARNING: translation string unused: smbreload +WARNING: translation string unused: smtphost +WARNING: translation string unused: smtpport WARNING: translation string unused: source ip bad WARNING: translation string unused: source ip in use WARNING: translation string unused: source ip or net @@ -618,12 +636,21 @@ WARNING: translation string unused: trafficsum WARNING: translation string unused: trafficto WARNING: translation string unused: transfer limits WARNING: translation string unused: transparent on +WARNING: translation string unused: tripwire +WARNING: translation string unused: tripwire cronjob +WARNING: translation string unused: tripwire functions +WARNING: translation string unused: tripwire reports +WARNING: translation string unused: tripwireoperating +WARNING: translation string unused: tripwirewarningdatabase +WARNING: translation string unused: tripwirewarningkeys +WARNING: translation string unused: tripwirewarningpolicy WARNING: translation string unused: umount WARNING: translation string unused: umount removable media before to unplug WARNING: translation string unused: unblock WARNING: translation string unused: unblock all WARNING: translation string unused: unencrypted WARNING: translation string unused: update transcript +WARNING: translation string unused: updatedatabase WARNING: translation string unused: updates WARNING: translation string unused: updates is old1 WARNING: translation string unused: updates is old2 diff --git a/doc/language_issues.es b/doc/language_issues.es index 84298f4..d375f69 100644 --- a/doc/language_issues.es +++ b/doc/language_issues.es 
@@ -14,6 +14,7 @@ WARNING: translation string unused: Verbose WARNING: translation string unused: access allowed WARNING: translation string unused: access refused with this oinkcode WARNING: translation string unused: add a new rule +WARNING: translation string unused: add cron WARNING: translation string unused: add network WARNING: translation string unused: add new ovpn WARNING: translation string unused: add service @@ -139,6 +140,8 @@ WARNING: translation string unused: debugme WARNING: translation string unused: deep scan directories WARNING: translation string unused: default networks WARNING: translation string unused: default services +WARNING: translation string unused: defaultwarning +WARNING: translation string unused: delete cron WARNING: translation string unused: description WARNING: translation string unused: destination ip bad WARNING: translation string unused: destination ip or net @@ -180,6 +183,7 @@ WARNING: translation string unused: edit service WARNING: translation string unused: editor WARNING: translation string unused: eg WARNING: translation string unused: email server can not be empty +WARNING: translation string unused: emailreportlevel WARNING: translation string unused: enable javascript WARNING: translation string unused: enable wildcards WARNING: translation string unused: enabled on @@ -233,6 +237,10 @@ WARNING: translation string unused: g.dtm WARNING: translation string unused: g.lite WARNING: translation string unused: gen static key WARNING: translation string unused: generate +WARNING: translation string unused: generate tripwire keys and init +WARNING: translation string unused: generatekeys +WARNING: translation string unused: generatepolicy +WARNING: translation string unused: generatereport WARNING: translation string unused: genkey WARNING: translation string unused: geoipblock country code WARNING: translation string unused: geoipblock country name 
@@ -287,11 +295,14 @@ WARNING: translation string unused: javascript menu error1 WARNING: translation string unused: javascript menu error2 WARNING: translation string unused: kernel version WARNING: translation string unused: key stuff +WARNING: translation string unused: keyreset +WARNING: translation string unused: keys WARNING: translation string unused: lateprompting WARNING: translation string unused: length WARNING: translation string unused: line WARNING: translation string unused: loaded modules WARNING: translation string unused: local hard disk +WARNING: translation string unused: localkey WARNING: translation string unused: localkeyfile WARNING: translation string unused: log enabled WARNING: translation string unused: log viewer @@ -308,6 +319,8 @@ WARNING: translation string unused: ls_pam_unix WARNING: translation string unused: ls_sshd WARNING: translation string unused: ls_syslogd WARNING: translation string unused: mac address error not 00 +WARNING: translation string unused: mailmethod +WARNING: translation string unused: mailprogramm WARNING: translation string unused: manage ovpn WARNING: translation string unused: manual control and status WARNING: translation string unused: marked @@ -433,9 +446,11 @@ WARNING: translation string unused: refresh update list WARNING: translation string unused: released WARNING: translation string unused: removable device advice WARNING: translation string unused: reportfile +WARNING: translation string unused: reportlevel WARNING: translation string unused: requested data WARNING: translation string unused: reserved dst port WARNING: translation string unused: reserved src port +WARNING: translation string unused: resetpolicy WARNING: translation string unused: restore hardware settings WARNING: translation string unused: root WARNING: translation string unused: root path 
@@ -466,8 +481,11 @@ WARNING: translation string unused: show lines WARNING: translation string unused: shutdown ask WARNING: translation string unused: shutdown sure WARNING: translation string unused: shutdown2 +WARNING: translation string unused: sitekey WARNING: translation string unused: sitekeyfile WARNING: translation string unused: smbreload +WARNING: translation string unused: smtphost +WARNING: translation string unused: smtpport WARNING: translation string unused: source ip bad WARNING: translation string unused: source ip in use WARNING: translation string unused: source ip or net @@ -537,10 +555,19 @@ WARNING: translation string unused: trafficsum WARNING: translation string unused: trafficto WARNING: translation string unused: transfer limits WARNING: translation string unused: transparent on +WARNING: translation string unused: tripwire +WARNING: translation string unused: tripwire cronjob +WARNING: translation string unused: tripwire functions +WARNING: translation string unused: tripwire reports +WARNING: translation string unused: tripwireoperating +WARNING: translation string unused: tripwirewarningdatabase +WARNING: translation string unused: tripwirewarningkeys +WARNING: translation string unused: tripwirewarningpolicy WARNING: translation string unused: umount WARNING: translation string unused: umount removable media before to unplug WARNING: translation string unused: unencrypted WARNING: translation string unused: update transcript +WARNING: translation string unused: updatedatabase WARNING: translation string unused: updates WARNING: translation string unused: updates is old1 WARNING: translation string unused: updates is old2 
@@ -674,6 +701,7 @@ WARNING: untranslated string: dhcp dns key name WARNING: untranslated string: dhcp dns update WARNING: untranslated string: dhcp dns update algo WARNING: untranslated string: dhcp dns update secret +WARNING: untranslated string: dl client arch insecure WARNING: untranslated string: dnat address WARNING: untranslated string: dns servers WARNING: untranslated string: dnsforward diff --git a/doc/language_issues.fr b/doc/language_issues.fr index e9915c8..f0f5ec4 100644 --- a/doc/language_issues.fr +++ b/doc/language_issues.fr @@ -14,6 +14,7 @@ WARNING: translation string unused: Verbose WARNING: translation string unused: access allowed WARNING: translation string unused: access refused with this oinkcode WARNING: translation string unused: add a new rule +WARNING: translation string unused: add cron WARNING: translation string unused: add network WARNING: translation string unused: add new ovpn WARNING: translation string unused: add service @@ -139,6 +140,8 @@ WARNING: translation string unused: debugme WARNING: translation string unused: deep scan directories WARNING: translation string unused: default networks WARNING: translation string unused: default services +WARNING: translation string unused: defaultwarning +WARNING: translation string unused: delete cron WARNING: translation string unused: description WARNING: translation string unused: destination ip bad WARNING: translation string unused: destination ip or net @@ -180,6 +183,7 @@ WARNING: translation string unused: edit service WARNING: translation string unused: editor WARNING: translation string unused: eg WARNING: translation string unused: email server can not be empty +WARNING: translation string unused: emailreportlevel WARNING: translation string unused: enable javascript WARNING: translation string unused: enable wildcards WARNING: translation string unused: enabled on 
@@ -233,6 +237,10 @@ WARNING: translation string unused: g.dtm WARNING: translation string unused: g.lite WARNING: translation string unused: gen static key WARNING: translation string unused: generate +WARNING: translation string unused: generate tripwire keys and init +WARNING: translation string unused: generatekeys +WARNING: translation string unused: generatepolicy +WARNING: translation string unused: generatereport WARNING: translation string unused: genkey WARNING: translation string unused: green interface WARNING: translation string unused: gz with key @@ -284,11 +292,14 @@ WARNING: translation string unused: javascript menu error1 WARNING: translation string unused: javascript menu error2 WARNING: translation string unused: kernel version WARNING: translation string unused: key stuff +WARNING: translation string unused: keyreset +WARNING: translation string unused: keys WARNING: translation string unused: lateprompting WARNING: translation string unused: length WARNING: translation string unused: line WARNING: translation string unused: loaded modules WARNING: translation string unused: local hard disk +WARNING: translation string unused: localkey WARNING: translation string unused: localkeyfile WARNING: translation string unused: log enabled WARNING: translation string unused: log viewer @@ -305,6 +316,8 @@ WARNING: translation string unused: ls_pam_unix WARNING: translation string unused: ls_sshd WARNING: translation string unused: ls_syslogd WARNING: translation string unused: mac address error not 00 +WARNING: translation string unused: mailmethod +WARNING: translation string unused: mailprogramm WARNING: translation string unused: manage ovpn WARNING: translation string unused: manual control and status WARNING: translation string unused: marked 
@@ -441,9 +454,11 @@ WARNING: translation string unused: refresh update list WARNING: translation string unused: released WARNING: translation string unused: removable device advice WARNING: translation string unused: reportfile +WARNING: translation string unused: reportlevel WARNING: translation string unused: requested data WARNING: translation string unused: reserved dst port WARNING: translation string unused: reserved src port +WARNING: translation string unused: resetpolicy WARNING: translation string unused: restore hardware settings WARNING: translation string unused: root WARNING: translation string unused: root path @@ -474,8 +489,11 @@ WARNING: translation string unused: show lines WARNING: translation string unused: shutdown ask WARNING: translation string unused: shutdown sure WARNING: translation string unused: shutdown2 +WARNING: translation string unused: sitekey WARNING: translation string unused: sitekeyfile WARNING: translation string unused: smbreload +WARNING: translation string unused: smtphost +WARNING: translation string unused: smtpport WARNING: translation string unused: source ip bad WARNING: translation string unused: source ip in use WARNING: translation string unused: source ip or net 
@@ -545,10 +563,19 @@ WARNING: translation string unused: trafficsum WARNING: translation string unused: trafficto WARNING: translation string unused: transfer limits WARNING: translation string unused: transparent on +WARNING: translation string unused: tripwire +WARNING: translation string unused: tripwire cronjob +WARNING: translation string unused: tripwire functions +WARNING: translation string unused: tripwire reports +WARNING: translation string unused: tripwireoperating +WARNING: translation string unused: tripwirewarningdatabase +WARNING: translation string unused: tripwirewarningkeys +WARNING: translation string unused: tripwirewarningpolicy WARNING: translation string unused: umount WARNING: translation string unused: umount removable media before to unplug WARNING: translation string unused: unencrypted WARNING: translation string unused: update transcript +WARNING: translation string unused: updatedatabase WARNING: translation string unused: updates WARNING: translation string unused: updates is old1 WARNING: translation string unused: updates is old2 @@ -681,6 +708,7 @@ WARNING: untranslated string: dhcp dns key name WARNING: untranslated string: dhcp dns update WARNING: untranslated string: dhcp dns update algo WARNING: untranslated string: dhcp dns update secret +WARNING: untranslated string: dl client arch insecure WARNING: untranslated string: dnat address WARNING: untranslated string: dns address deleted txt WARNING: untranslated string: dns servers diff --git a/doc/language_issues.it b/doc/language_issues.it index 420a46c..65643e8 100644 --- a/doc/language_issues.it +++ b/doc/language_issues.it 
@@ -14,6 +14,7 @@ WARNING: translation string unused: Verbose WARNING: translation string unused: access allowed WARNING: translation string unused: access refused with this oinkcode WARNING: translation string unused: add a new rule +WARNING: translation string unused: add cron WARNING: translation string unused: add network WARNING: translation string unused: add new ovpn WARNING: translation string unused: add service @@ -146,6 +147,8 @@ WARNING: translation string unused: deep scan directories WARNING: translation string unused: default ip WARNING: translation string unused: default networks WARNING: translation string unused: default services +WARNING: translation string unused: defaultwarning +WARNING: translation string unused: delete cron WARNING: translation string unused: description WARNING: translation string unused: destination ip bad WARNING: translation string unused: destination ip or net @@ -188,6 +191,7 @@ WARNING: translation string unused: edit service WARNING: translation string unused: editor WARNING: translation string unused: eg WARNING: translation string unused: email server can not be empty +WARNING: translation string unused: emailreportlevel WARNING: translation string unused: enable javascript WARNING: translation string unused: enable wildcards WARNING: translation string unused: enabled on @@ -283,6 +287,10 @@ WARNING: translation string unused: g.dtm WARNING: translation string unused: g.lite WARNING: translation string unused: gen static key WARNING: translation string unused: generate +WARNING: translation string unused: generate tripwire keys and init +WARNING: translation string unused: generatekeys +WARNING: translation string unused: generatepolicy +WARNING: translation string unused: generatereport WARNING: translation string unused: genkey WARNING: translation string unused: green interface WARNING: translation string unused: gz with key 
@@ -335,11 +343,14 @@ WARNING: translation string unused: javascript menu error1 WARNING: translation string unused: javascript menu error2 WARNING: translation string unused: kernel version WARNING: translation string unused: key stuff +WARNING: translation string unused: keyreset +WARNING: translation string unused: keys WARNING: translation string unused: lateprompting WARNING: translation string unused: length WARNING: translation string unused: line WARNING: translation string unused: loaded modules WARNING: translation string unused: local hard disk +WARNING: translation string unused: localkey WARNING: translation string unused: localkeyfile WARNING: translation string unused: log enabled WARNING: translation string unused: log viewer @@ -356,6 +367,8 @@ WARNING: translation string unused: ls_pam_unix WARNING: translation string unused: ls_sshd WARNING: translation string unused: ls_syslogd WARNING: translation string unused: mac address error not 00 +WARNING: translation string unused: mailmethod +WARNING: translation string unused: mailprogramm WARNING: translation string unused: manage ovpn WARNING: translation string unused: manual control and status WARNING: translation string unused: marked @@ -497,9 +510,11 @@ WARNING: translation string unused: refresh update list WARNING: translation string unused: released WARNING: translation string unused: removable device advice WARNING: translation string unused: reportfile +WARNING: translation string unused: reportlevel WARNING: translation string unused: requested data WARNING: translation string unused: reserved dst port WARNING: translation string unused: reserved src port +WARNING: translation string unused: resetpolicy WARNING: translation string unused: restore hardware settings WARNING: translation string unused: root WARNING: translation string unused: root path 
@@ -530,8 +545,11 @@ WARNING: translation string unused: show lines WARNING: translation string unused: shutdown ask WARNING: translation string unused: shutdown sure WARNING: translation string unused: shutdown2 +WARNING: translation string unused: sitekey WARNING: translation string unused: sitekeyfile WARNING: translation string unused: smbreload +WARNING: translation string unused: smtphost +WARNING: translation string unused: smtpport WARNING: translation string unused: source ip bad WARNING: translation string unused: source ip in use WARNING: translation string unused: source ip or net @@ -609,10 +627,19 @@ WARNING: translation string unused: trafficsum WARNING: translation string unused: trafficto WARNING: translation string unused: transfer limits WARNING: translation string unused: transparent on +WARNING: translation string unused: tripwire +WARNING: translation string unused: tripwire cronjob +WARNING: translation string unused: tripwire functions +WARNING: translation string unused: tripwire reports +WARNING: translation string unused: tripwireoperating +WARNING: translation string unused: tripwirewarningdatabase +WARNING: translation string unused: tripwirewarningkeys +WARNING: translation string unused: tripwirewarningpolicy WARNING: translation string unused: umount WARNING: translation string unused: umount removable media before to unplug WARNING: translation string unused: unencrypted WARNING: translation string unused: update transcript +WARNING: translation string unused: updatedatabase WARNING: translation string unused: updates WARNING: translation string unused: updates is old1 WARNING: translation string unused: updates is old2 
@@ -680,6 +707,7 @@ WARNING: untranslated string: dhcp dns key name WARNING: untranslated string: dhcp dns update WARNING: untranslated string: dhcp dns update algo WARNING: untranslated string: dhcp dns update secret +WARNING: untranslated string: dl client arch insecure WARNING: untranslated string: email config WARNING: untranslated string: email empty field WARNING: untranslated string: email invalid diff --git a/doc/language_issues.nl b/doc/language_issues.nl index c876987..3b57bdf 100644 --- a/doc/language_issues.nl +++ b/doc/language_issues.nl @@ -14,6 +14,7 @@ WARNING: translation string unused: Verbose WARNING: translation string unused: access allowed WARNING: translation string unused: access refused with this oinkcode WARNING: translation string unused: add a new rule +WARNING: translation string unused: add cron WARNING: translation string unused: add network WARNING: translation string unused: add new ovpn WARNING: translation string unused: add service @@ -146,6 +147,8 @@ WARNING: translation string unused: deep scan directories WARNING: translation string unused: default ip WARNING: translation string unused: default networks WARNING: translation string unused: default services +WARNING: translation string unused: defaultwarning +WARNING: translation string unused: delete cron WARNING: translation string unused: description WARNING: translation string unused: destination ip bad WARNING: translation string unused: destination ip or net @@ -187,6 +190,7 @@ WARNING: translation string unused: edit service WARNING: translation string unused: editor WARNING: translation string unused: eg WARNING: translation string unused: email server can not be empty +WARNING: translation string unused: emailreportlevel WARNING: translation string unused: enable javascript WARNING: translation string unused: enable wildcards WARNING: translation string unused: enabled on 
@@ -282,6 +286,10 @@ WARNING: translation string unused: g.dtm WARNING: translation string unused: g.lite WARNING: translation string unused: gen static key WARNING: translation string unused: generate +WARNING: translation string unused: generate tripwire keys and init +WARNING: translation string unused: generatekeys +WARNING: translation string unused: generatepolicy +WARNING: translation string unused: generatereport WARNING: translation string unused: genkey WARNING: translation string unused: green interface WARNING: translation string unused: gz with key @@ -334,11 +342,14 @@ WARNING: translation string unused: javascript menu error1 WARNING: translation string unused: javascript menu error2 WARNING: translation string unused: kernel version WARNING: translation string unused: key stuff +WARNING: translation string unused: keyreset +WARNING: translation string unused: keys WARNING: translation string unused: lateprompting WARNING: translation string unused: length WARNING: translation string unused: line WARNING: translation string unused: loaded modules WARNING: translation string unused: local hard disk +WARNING: translation string unused: localkey WARNING: translation string unused: localkeyfile WARNING: translation string unused: log enabled WARNING: translation string unused: log viewer @@ -355,6 +366,8 @@ WARNING: translation string unused: ls_pam_unix WARNING: translation string unused: ls_sshd WARNING: translation string unused: ls_syslogd WARNING: translation string unused: mac address error not 00 +WARNING: translation string unused: mailmethod +WARNING: translation string unused: mailprogramm WARNING: translation string unused: manage ovpn WARNING: translation string unused: manual control and status WARNING: translation string unused: marked 
@@ -494,9 +507,11 @@ WARNING: translation string unused: refresh update list WARNING: translation string unused: released WARNING: translation string unused: removable device advice WARNING: translation string unused: reportfile +WARNING: translation string unused: reportlevel WARNING: translation string unused: requested data WARNING: translation string unused: reserved dst port WARNING: translation string unused: reserved src port +WARNING: translation string unused: resetpolicy WARNING: translation string unused: restore hardware settings WARNING: translation string unused: root WARNING: translation string unused: root path @@ -527,8 +542,11 @@ WARNING: translation string unused: show lines WARNING: translation string unused: shutdown ask WARNING: translation string unused: shutdown sure WARNING: translation string unused: shutdown2 +WARNING: translation string unused: sitekey WARNING: translation string unused: sitekeyfile WARNING: translation string unused: smbreload +WARNING: translation string unused: smtphost +WARNING: translation string unused: smtpport WARNING: translation string unused: source ip bad WARNING: translation string unused: source ip in use WARNING: translation string unused: source ip or net 
@@ -605,10 +623,19 @@ WARNING: translation string unused: trafficsum WARNING: translation string unused: trafficto WARNING: translation string unused: transfer limits WARNING: translation string unused: transparent on +WARNING: translation string unused: tripwire +WARNING: translation string unused: tripwire cronjob +WARNING: translation string unused: tripwire functions +WARNING: translation string unused: tripwire reports +WARNING: translation string unused: tripwireoperating +WARNING: translation string unused: tripwirewarningdatabase +WARNING: translation string unused: tripwirewarningkeys +WARNING: translation string unused: tripwirewarningpolicy WARNING: translation string unused: umount WARNING: translation string unused: umount removable media before to unplug WARNING: translation string unused: unencrypted WARNING: translation string unused: update transcript +WARNING: translation string unused: updatedatabase WARNING: translation string unused: updates WARNING: translation string unused: updates is old1 WARNING: translation string unused: updates is old2 @@ -685,6 +712,7 @@ WARNING: untranslated string: dhcp dns key name WARNING: untranslated string: dhcp dns update WARNING: untranslated string: dhcp dns update algo WARNING: untranslated string: dhcp dns update secret +WARNING: untranslated string: dl client arch insecure WARNING: untranslated string: dns servers WARNING: untranslated string: dnssec aware WARNING: untranslated string: dnssec information diff --git a/doc/language_issues.pl b/doc/language_issues.pl index 84298f4..d375f69 100644 --- a/doc/language_issues.pl +++ b/doc/language_issues.pl 
@@ -14,6 +14,7 @@ WARNING: translation string unused: Verbose WARNING: translation string unused: access allowed WARNING: translation string unused: access refused with this oinkcode WARNING: translation string unused: add a new rule +WARNING: translation string unused: add cron WARNING: translation string unused: add network WARNING: translation string unused: add new ovpn WARNING: translation string unused: add service @@ -139,6 +140,8 @@ WARNING: translation string unused: debugme WARNING: translation string unused: deep scan directories WARNING: translation string unused: default networks WARNING: translation string unused: default services +WARNING: translation string unused: defaultwarning +WARNING: translation string unused: delete cron WARNING: translation string unused: description WARNING: translation string unused: destination ip bad WARNING: translation string unused: destination ip or net @@ -180,6 +183,7 @@ WARNING: translation string unused: edit service WARNING: translation string unused: editor WARNING: translation string unused: eg WARNING: translation string unused: email server can not be empty +WARNING: translation string unused: emailreportlevel WARNING: translation string unused: enable javascript WARNING: translation string unused: enable wildcards WARNING: translation string unused: enabled on @@ -233,6 +237,10 @@ WARNING: translation string unused: g.dtm WARNING: translation string unused: g.lite WARNING: translation string unused: gen static key WARNING: translation string unused: generate +WARNING: translation string unused: generate tripwire keys and init +WARNING: translation string unused: generatekeys +WARNING: translation string unused: generatepolicy +WARNING: translation string unused: generatereport WARNING: translation string unused: genkey WARNING: translation string unused: geoipblock country code WARNING: translation string unused: geoipblock country name 
@@ -287,11 +295,14 @@ WARNING: translation string unused: javascript menu error1 WARNING: translation string unused: javascript menu error2 WARNING: translation string unused: kernel version WARNING: translation string unused: key stuff +WARNING: translation string unused: keyreset +WARNING: translation string unused: keys WARNING: translation string unused: lateprompting WARNING: translation string unused: length WARNING: translation string unused: line WARNING: translation string unused: loaded modules WARNING: translation string unused: local hard disk +WARNING: translation string unused: localkey WARNING: translation string unused: localkeyfile WARNING: translation string unused: log enabled WARNING: translation string unused: log viewer @@ -308,6 +319,8 @@ WARNING: translation string unused: ls_pam_unix WARNING: translation string unused: ls_sshd WARNING: translation string unused: ls_syslogd WARNING: translation string unused: mac address error not 00 +WARNING: translation string unused: mailmethod +WARNING: translation string unused: mailprogramm WARNING: translation string unused: manage ovpn WARNING: translation string unused: manual control and status WARNING: translation string unused: marked @@ -433,9 +446,11 @@ WARNING: translation string unused: refresh update list WARNING: translation string unused: released WARNING: translation string unused: removable device advice WARNING: translation string unused: reportfile +WARNING: translation string unused: reportlevel WARNING: translation string unused: requested data WARNING: translation string unused: reserved dst port WARNING: translation string unused: reserved src port +WARNING: translation string unused: resetpolicy WARNING: translation string unused: restore hardware settings WARNING: translation string unused: root WARNING: translation string unused: root path 
@@ -466,8 +481,11 @@ WARNING: translation string unused: show lines WARNING: translation string unused: shutdown ask WARNING: translation string unused: shutdown sure WARNING: translation string unused: shutdown2 +WARNING: translation string unused: sitekey WARNING: translation string unused: sitekeyfile WARNING: translation string unused: smbreload +WARNING: translation string unused: smtphost +WARNING: translation string unused: smtpport WARNING: translation string unused: source ip bad WARNING: translation string unused: source ip in use WARNING: translation string unused: source ip or net @@ -537,10 +555,19 @@ WARNING: translation string unused: trafficsum WARNING: translation string unused: trafficto WARNING: translation string unused: transfer limits WARNING: translation string unused: transparent on +WARNING: translation string unused: tripwire +WARNING: translation string unused: tripwire cronjob +WARNING: translation string unused: tripwire functions +WARNING: translation string unused: tripwire reports +WARNING: translation string unused: tripwireoperating +WARNING: translation string unused: tripwirewarningdatabase +WARNING: translation string unused: tripwirewarningkeys +WARNING: translation string unused: tripwirewarningpolicy WARNING: translation string unused: umount WARNING: translation string unused: umount removable media before to unplug WARNING: translation string unused: unencrypted WARNING: translation string unused: update transcript +WARNING: translation string unused: updatedatabase WARNING: translation string unused: updates WARNING: translation string unused: updates is old1 WARNING: translation string unused: updates is old2 
@@ -674,6 +701,7 @@ WARNING: untranslated string: dhcp dns key name WARNING: untranslated string: dhcp dns update WARNING: untranslated string: dhcp dns update algo WARNING: untranslated string: dhcp dns update secret +WARNING: untranslated string: dl client arch insecure WARNING: untranslated string: dnat address WARNING: untranslated string: dns servers WARNING: untranslated string: dnsforward diff --git a/doc/language_issues.ru b/doc/language_issues.ru index a03f300..05d9e91 100644 --- a/doc/language_issues.ru +++ b/doc/language_issues.ru @@ -14,6 +14,7 @@ WARNING: translation string unused: Verbose WARNING: translation string unused: access allowed WARNING: translation string unused: access refused with this oinkcode WARNING: translation string unused: add a new rule +WARNING: translation string unused: add cron WARNING: translation string unused: add network WARNING: translation string unused: add new ovpn WARNING: translation string unused: add service @@ -138,6 +139,8 @@ WARNING: translation string unused: debugme WARNING: translation string unused: deep scan directories WARNING: translation string unused: default networks WARNING: translation string unused: default services +WARNING: translation string unused: defaultwarning +WARNING: translation string unused: delete cron WARNING: translation string unused: description WARNING: translation string unused: destination ip bad WARNING: translation string unused: destination ip or net @@ -179,6 +182,7 @@ WARNING: translation string unused: edit service WARNING: translation string unused: editor WARNING: translation string unused: eg WARNING: translation string unused: email server can not be empty +WARNING: translation string unused: emailreportlevel WARNING: translation string unused: enable javascript WARNING: translation string unused: enable wildcards WARNING: translation string unused: enabled on 
@@ -229,6 +233,10 @@ WARNING: translation string unused: g.dtm WARNING: translation string unused: g.lite WARNING: translation string unused: gen static key WARNING: translation string unused: generate +WARNING: translation string unused: generate tripwire keys and init +WARNING: translation string unused: generatekeys +WARNING: translation string unused: generatepolicy +WARNING: translation string unused: generatereport WARNING: translation string unused: genkey WARNING: translation string unused: green interface WARNING: translation string unused: gz with key @@ -279,11 +287,14 @@ WARNING: translation string unused: javascript menu error1 WARNING: translation string unused: javascript menu error2 WARNING: translation string unused: kernel version WARNING: translation string unused: key stuff +WARNING: translation string unused: keyreset +WARNING: translation string unused: keys WARNING: translation string unused: lateprompting WARNING: translation string unused: length WARNING: translation string unused: line WARNING: translation string unused: loaded modules WARNING: translation string unused: local hard disk +WARNING: translation string unused: localkey WARNING: translation string unused: localkeyfile WARNING: translation string unused: log enabled WARNING: translation string unused: log viewer @@ -300,6 +311,8 @@ WARNING: translation string unused: ls_pam_unix WARNING: translation string unused: ls_sshd WARNING: translation string unused: ls_syslogd WARNING: translation string unused: mac address error not 00 +WARNING: translation string unused: mailmethod +WARNING: translation string unused: mailprogramm WARNING: translation string unused: manage ovpn WARNING: translation string unused: manual control and status WARNING: translation string unused: marked 
@@ -435,9 +448,11 @@ WARNING: translation string unused: refresh update list WARNING: translation string unused: released WARNING: translation string unused: removable device advice WARNING: translation string unused: reportfile +WARNING: translation string unused: reportlevel WARNING: translation string unused: requested data WARNING: translation string unused: reserved dst port WARNING: translation string unused: reserved src port +WARNING: translation string unused: resetpolicy WARNING: translation string unused: restore hardware settings WARNING: translation string unused: root WARNING: translation string unused: root path @@ -468,8 +483,11 @@ WARNING: translation string unused: show lines WARNING: translation string unused: shutdown ask WARNING: translation string unused: shutdown sure WARNING: translation string unused: shutdown2 +WARNING: translation string unused: sitekey WARNING: translation string unused: sitekeyfile WARNING: translation string unused: smbreload +WARNING: translation string unused: smtphost +WARNING: translation string unused: smtpport WARNING: translation string unused: source ip bad WARNING: translation string unused: source ip in use WARNING: translation string unused: source ip or net 
@@ -539,10 +557,19 @@ WARNING: translation string unused: trafficsum WARNING: translation string unused: trafficto WARNING: translation string unused: transfer limits WARNING: translation string unused: transparent on +WARNING: translation string unused: tripwire +WARNING: translation string unused: tripwire cronjob +WARNING: translation string unused: tripwire functions +WARNING: translation string unused: tripwire reports +WARNING: translation string unused: tripwireoperating +WARNING: translation string unused: tripwirewarningdatabase +WARNING: translation string unused: tripwirewarningkeys +WARNING: translation string unused: tripwirewarningpolicy WARNING: translation string unused: umount WARNING: translation string unused: umount removable media before to unplug WARNING: translation string unused: unencrypted WARNING: translation string unused: update transcript +WARNING: translation string unused: updatedatabase WARNING: translation string unused: updates WARNING: translation string unused: updates is old1 WARNING: translation string unused: updates is old2 @@ -676,6 +703,7 @@ WARNING: untranslated string: dhcp dns update WARNING: untranslated string: dhcp dns update algo WARNING: untranslated string: dhcp dns update secret WARNING: untranslated string: disk access per +WARNING: untranslated string: dl client arch insecure WARNING: untranslated string: dnat address WARNING: untranslated string: dns servers WARNING: untranslated string: dnsforward diff --git a/doc/language_issues.tr b/doc/language_issues.tr index 5d1ceb7..a419afa 100644 --- a/doc/language_issues.tr +++ b/doc/language_issues.tr 
@@ -13,6 +13,7 @@ WARNING: translation string unused: Verbose WARNING: translation string unused: access allowed WARNING: translation string unused: access refused with this oinkcode WARNING: translation string unused: add a new rule +WARNING: translation string unused: add cron WARNING: translation string unused: add network WARNING: translation string unused: add new ovpn WARNING: translation string unused: add service @@ -93,6 +94,7 @@ WARNING: translation string unused: bewan adsl pci st WARNING: translation string unused: bewan adsl usb WARNING: translation string unused: bitrate WARNING: translation string unused: bleeding rules +WARNING: translation string unused: block WARNING: translation string unused: blue access use hint WARNING: translation string unused: blue interface WARNING: translation string unused: cache management @@ -146,6 +148,8 @@ WARNING: translation string unused: deep scan directories WARNING: translation string unused: default ip WARNING: translation string unused: default networks WARNING: translation string unused: default services +WARNING: translation string unused: defaultwarning +WARNING: translation string unused: delete cron WARNING: translation string unused: description WARNING: translation string unused: destination ip bad WARNING: translation string unused: destination ip or net 
@@ -187,7 +191,12 @@ WARNING: translation string unused: edit network WARNING: translation string unused: edit service WARNING: translation string unused: editor WARNING: translation string unused: eg +WARNING: translation string unused: email error WARNING: translation string unused: email server can not be empty +WARNING: translation string unused: email subject +WARNING: translation string unused: email success +WARNING: translation string unused: email text +WARNING: translation string unused: emailreportlevel WARNING: translation string unused: enable javascript WARNING: translation string unused: enable wildcards WARNING: translation string unused: enabled on @@ -267,6 +276,7 @@ WARNING: translation string unused: fwhost Standard Network WARNING: translation string unused: fwhost attention WARNING: translation string unused: fwhost blue WARNING: translation string unused: fwhost changeremark +WARNING: translation string unused: fwhost cust geoip WARNING: translation string unused: fwhost err addrgrp WARNING: translation string unused: fwhost err hostorip WARNING: translation string unused: fwhost err mac @@ -283,7 +293,14 @@ WARNING: translation string unused: g.dtm WARNING: translation string unused: g.lite WARNING: translation string unused: gen static key WARNING: translation string unused: generate +WARNING: translation string unused: generate tripwire keys and init +WARNING: translation string unused: generatekeys +WARNING: translation string unused: generatepolicy +WARNING: translation string unused: generatereport WARNING: translation string unused: genkey +WARNING: translation string unused: geoipblock country code +WARNING: translation string unused: geoipblock country name +WARNING: translation string unused: geoipblock flag WARNING: translation string unused: green interface WARNING: translation string unused: gz with key WARNING: translation string unused: hint 
@@ -335,11 +352,14 @@ WARNING: translation string unused: javascript menu error1 WARNING: translation string unused: javascript menu error2 WARNING: translation string unused: kernel version WARNING: translation string unused: key stuff +WARNING: translation string unused: keyreset +WARNING: translation string unused: keys WARNING: translation string unused: lateprompting WARNING: translation string unused: length WARNING: translation string unused: line WARNING: translation string unused: loaded modules WARNING: translation string unused: local hard disk +WARNING: translation string unused: localkey WARNING: translation string unused: localkeyfile WARNING: translation string unused: log enabled WARNING: translation string unused: log viewer @@ -356,6 +376,8 @@ WARNING: translation string unused: ls_pam_unix WARNING: translation string unused: ls_sshd WARNING: translation string unused: ls_syslogd WARNING: translation string unused: mac address error not 00 +WARNING: translation string unused: mailmethod +WARNING: translation string unused: mailprogramm WARNING: translation string unused: manage ovpn WARNING: translation string unused: manual control and status WARNING: translation string unused: marked @@ -497,9 +519,11 @@ WARNING: translation string unused: refresh update list WARNING: translation string unused: released WARNING: translation string unused: removable device advice WARNING: translation string unused: reportfile +WARNING: translation string unused: reportlevel WARNING: translation string unused: requested data WARNING: translation string unused: reserved dst port WARNING: translation string unused: reserved src port +WARNING: translation string unused: resetpolicy WARNING: translation string unused: restore hardware settings WARNING: translation string unused: root WARNING: translation string unused: root path 
@@ -530,8 +554,11 @@ WARNING: translation string unused: show lines WARNING: translation string unused: shutdown ask WARNING: translation string unused: shutdown sure WARNING: translation string unused: shutdown2 +WARNING: translation string unused: sitekey WARNING: translation string unused: sitekeyfile WARNING: translation string unused: smbreload +WARNING: translation string unused: smtphost +WARNING: translation string unused: smtpport WARNING: translation string unused: source ip bad WARNING: translation string unused: source ip in use WARNING: translation string unused: source ip or net @@ -609,10 +636,21 @@ WARNING: translation string unused: trafficsum WARNING: translation string unused: trafficto WARNING: translation string unused: transfer limits WARNING: translation string unused: transparent on +WARNING: translation string unused: tripwire +WARNING: translation string unused: tripwire cronjob +WARNING: translation string unused: tripwire functions +WARNING: translation string unused: tripwire reports +WARNING: translation string unused: tripwireoperating +WARNING: translation string unused: tripwirewarningdatabase +WARNING: translation string unused: tripwirewarningkeys +WARNING: translation string unused: tripwirewarningpolicy WARNING: translation string unused: umount WARNING: translation string unused: umount removable media before to unplug +WARNING: translation string unused: unblock +WARNING: translation string unused: unblock all WARNING: translation string unused: unencrypted WARNING: translation string unused: update transcript +WARNING: translation string unused: updatedatabase WARNING: translation string unused: updates WARNING: translation string unused: updates is old1 WARNING: translation string unused: updates is old2 
@@ -666,62 +704,13 @@ WARNING: translation string unused: year-graph WARNING: translation string unused: yearly firewallhits WARNING: untranslated string: Scan for Songs WARNING: untranslated string: bytes -WARNING: untranslated string: check all -WARNING: untranslated string: dhcp dns enable update -WARNING: untranslated string: dhcp dns key name -WARNING: untranslated string: dhcp dns update -WARNING: untranslated string: dhcp dns update algo -WARNING: untranslated string: dhcp dns update secret -WARNING: untranslated string: email config -WARNING: untranslated string: email empty field -WARNING: untranslated string: email invalid -WARNING: untranslated string: email invalid mailfqdn -WARNING: untranslated string: email invalid mailip -WARNING: untranslated string: email invalid mailport -WARNING: untranslated string: email mailaddr -WARNING: untranslated string: email mailpass -WARNING: untranslated string: email mailport -WARNING: untranslated string: email mailrcpt -WARNING: untranslated string: email mailsender -WARNING: untranslated string: email mailuser -WARNING: untranslated string: email settings -WARNING: untranslated string: email testmail -WARNING: untranslated string: email tls -WARNING: untranslated string: email usemail -WARNING: untranslated string: fwhost addgeoipgrp -WARNING: untranslated string: fwhost cust geoipgroup WARNING: untranslated string: fwhost cust geoipgrp -WARNING: untranslated string: fwhost cust geoiplocation WARNING: untranslated string: fwhost err hostip -WARNING: untranslated string: fwhost newgeoipgrp -WARNING: untranslated string: geoip -WARNING: untranslated string: geoipblock -WARNING: untranslated string: geoipblock block countries -WARNING: untranslated string: geoipblock configuration -WARNING: untranslated string: geoipblock country is allowed -WARNING: untranslated string: geoipblock country is blocked -WARNING: untranslated string: geoipblock enable feature WARNING: untranslated string: ike lifetime should be between 
1 and 8 hours -WARNING: untranslated string: incoming compression in bytes per second -WARNING: untranslated string: incoming overhead in bytes per second WARNING: untranslated string: info messages -WARNING: untranslated string: invalid input for valid till days WARNING: untranslated string: no data -WARNING: untranslated string: none -WARNING: untranslated string: outgoing compression in bytes per second -WARNING: untranslated string: outgoing overhead in bytes per second -WARNING: untranslated string: ovpn add conf -WARNING: untranslated string: pptp netconfig -WARNING: untranslated string: pptp peer -WARNING: untranslated string: pptp route -WARNING: untranslated string: required field WARNING: untranslated string: route config changed WARNING: untranslated string: routing config added WARNING: untranslated string: routing config changed WARNING: untranslated string: routing table -WARNING: untranslated string: search -WARNING: untranslated string: uncheck all -WARNING: untranslated string: vpn force mobike -WARNING: untranslated string: vpn statistic n2n -WARNING: untranslated string: vpn statistic rw WARNING: untranslated string: vpn statistics n2n diff --git a/doc/language_missings b/doc/language_missings index 9da0122..c490f2d 100644 --- a/doc/language_missings +++ b/doc/language_missings @@ -94,6 +94,7 @@ < dh key warn < dh key warn1 < dh parameter +< dl client arch insecure < dnat address < dns address deleted txt < dnsforward @@ -704,6 +705,7 @@ < dh key warn < dh key warn1 < dh parameter +< dl client arch insecure < dnat address < dnsforward < dnsforward add a new entry @@ -1295,6 +1297,7 @@ < dh key warn < dh key warn1 < dh parameter +< dl client arch insecure < dnat address < dnsforward < dnsforward add a new entry @@ -1875,6 +1878,7 @@ < dh key warn1 < dh parameter < disk access per +< dl client arch insecure < dnat address < dnsforward < dnsforward add a new entry 
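Review bot: the new string 'dl client arch insecure' is added to every language_missings section (all four hunks in this file) and shows up in language_issues as untranslated, so the message it carries will not be localised; add the translation to the per-language files in the same series instead of leaving the generated report to flag it. The same report now also lists the 'tripwire ...', 'sitekey', 'localkey', 'smtphost' and 'smtpport' strings as unused, which is expected once tripwire.cgi is removed, but those entries should then be dropped from the language files so language_issues does not keep growing.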
diff --git a/html/cgi-bin/connections.cgi b/html/cgi-bin/connections.cgi index 85a9cd7..96f0901 100644 --- a/html/cgi-bin/connections.cgi +++ b/html/cgi-bin/connections.cgi @@ -262,7 +262,7 @@ close(IPSEC); foreach my $line (@ipsec) { my @vpn = split(',', $line);
- my @subnets = split('|', $vpn[12]); + my @subnets = split(/|/, $vpn[12]); for my $subnet (@subnets) { my ($network, $mask) = split("/", $subnet);
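Review bot: the replacement still does not split on the pipe character. In Perl, split's first argument is a pattern whether written as '|' or /|/, and an unescaped | is an alternation of two empty patterns that matches at every position, so both the old and the new form split $vpn[12] into single characters and the following split("/", $subnet) never sees a whole "network/mask" entry. Escape the metacharacter: `my @subnets = split(/\|/, $vpn[12]);`. A quick check is `perl -e 'print join(",", split(/|/, "10.0.0.0/8|10.1.0.0/16")), "\n"'`, which prints every character comma-separated, whereas the escaped pattern yields the two subnets.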
diff --git a/html/cgi-bin/routing.cgi b/html/cgi-bin/routing.cgi index 7636d1e..15989bd 100644 --- a/html/cgi-bin/routing.cgi +++ b/html/cgi-bin/routing.cgi @@ -149,7 +149,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'add'}) { $temp[2] ='' unless defined $temp[2]; # not always populated $temp[3] ='' unless defined $temp[2]; # not always populated #Same ip already used? - if($temp[1] eq $settings{'IP'}){ + if($temp[1] eq $settings{'IP'} && $settings{'KEY1'} eq ''){ $errormessage = $Lang::tr{'ccd err irouteexist'}; last; } diff --git a/html/cgi-bin/tripwire.cgi b/html/cgi-bin/tripwire.cgi deleted file mode 100644 index fb48a27..0000000 --- a/html/cgi-bin/tripwire.cgi +++ /dev/null 
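Review bot: the added `&& $settings{'KEY1'} eq ''` switches the duplicate-IP check off for every edit rather than only for the entry being edited (assuming KEY1 carries that entry's index, as the condition implies), so editing route A to the IP of route B now passes and two entries with the same IP end up in the table. Keep the comparison and skip only the entry whose position matches $settings{'KEY1'}, e.g. by tracking the loop index and placing `next if $settings{'KEY1'} ne '' && $idx == $settings{'KEY1'};` ahead of the `if($temp[1] eq $settings{'IP'})` test. The unchanged line `$temp[3] ='' unless defined $temp[2];` just above also tests the wrong element (it should be `defined $temp[3]`) and is worth fixing while this block is touched.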
@@ -1,540 +0,0 @@ -#!/usr/bin/perl -############################################################################### -# # -# IPFire.org - A linux based firewall # -# Copyright (C) 2007 Michael Tremer & Christian Schmidt # -# # -# This program is free software: you can redistribute it and/or modify # -# it under the terms of the GNU General Public License as published by # -# the Free Software Foundation, either version 3 of the License, or # -# (at your option) any later version. # -# # -# This program is distributed in the hope that it will be useful, # -# but WITHOUT ANY WARRANTY; without even the implied warranty of # -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # -# GNU General Public License for more details. # -# # -# You should have received a copy of the GNU General Public License # -# along with this program. If not, see http://www.gnu.org/licenses/. # -# # -############################################################################### - -use strict; -# enable only the following on debugging purpose -#use warnings; -#use CGI::Carp 'fatalsToBrowser'; - -require '/var/ipfire/general-functions.pl'; -require "${General::swroot}/lang.pl"; -require "${General::swroot}/header.pl"; - -my %tripwiresettings = (); -my %checked = (); -my %netsettings = (); -my $message = ""; -my $errormessage = ""; -my @Logs = `ls -r /var/ipfire/tripwire/report/ 2>/dev/null`; -my $file = `ls -tr /var/ipfire/tripwire/report/ | tail -1 2>/dev/null`; -my @cronjobs = `ls /etc/fcron.daily/tripwire* 2>/dev/null`; -my $Log =$Lang::tr{'no log selected'}; - -my %color = (); -my %mainsettings = (); -&General::readhash("${General::swroot}/main/settings", %mainsettings); -&General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", %color); - -############################################################################################################################ -################################################# Tripwire Default Variablen 
################################################ - -$tripwiresettings{'ROOT'} = '/usr/sbin'; -$tripwiresettings{'POLFILE'} = '/var/ipfire/tripwire/tw.pol'; -$tripwiresettings{'DBFILE'} = '/var/ipfire/tripwire/$(HOSTNAME).twd'; -$tripwiresettings{'REPORTFILE'} = '/var/ipfire/tripwire/report/$(DATE).twr'; -$tripwiresettings{'SITEKEYFILE'} = '/var/ipfire/tripwire/site.key'; -$tripwiresettings{'LOCALKEYFILE'} = '/var/ipfire/tripwire/local.key'; -$tripwiresettings{'EDITOR'} = '/usr/bin/vi'; -$tripwiresettings{'LATEPROMPTING'} = 'false'; -$tripwiresettings{'LOOSEDIRECTORYCHECKING'} = 'false'; -$tripwiresettings{'MAILNOVIOLATIONS'} = 'false'; -$tripwiresettings{'EMAILREPORTLEVEL'} = '3'; -$tripwiresettings{'REPORTLEVEL'} = '3'; -$tripwiresettings{'MAILMETHOD'} = 'SENDMAIL'; -$tripwiresettings{'SMTPHOST'} = 'ipfire.myipfire.de'; -$tripwiresettings{'SMTPPORT'} = '25'; -$tripwiresettings{'SYSLOGREPORTING'} = 'false'; -$tripwiresettings{'MAILPROGRAM'} = '/usr/sbin/sendmail -oi -t'; -$tripwiresettings{'SITEKEY'} = 'ipfire'; -$tripwiresettings{'LOCALKEY'} = 'ipfire'; -$tripwiresettings{'ACTION'} = ''; - -&General::readhash("${General::swroot}/tripwire/settings", %tripwiresettings); - -############################################################################################################################ -######################################################### Tripwire HTML Part ############################################### - -&Header::showhttpheaders(); - -&Header::getcgihash(%tripwiresettings); -&Header::openpage('Tripwire', 1,); -&Header::openbigbox('100%', 'left', '', $errormessage); - -############################################################################################################################ -############################################### Tripwire Config Datei erstellen ############################################ - -if ($tripwiresettings{'ACTION'} eq $Lang::tr{'save'}) -{ -system("/usr/local/bin/tripwirectrl readconfig >/dev/null 2>&1"); -open 
(FILE, ">${General::swroot}/tripwire/twcfg.txt") or die "Can't save tripwire config: $!"; -flock (FILE, 2); - -print FILE <<END - -ROOT =$tripwiresettings{'ROOT'} -POLFILE =$tripwiresettings{'POLFILE'} -DBFILE =$tripwiresettings{'DBFILE'} -REPORTFILE =$tripwiresettings{'REPORTFILE'} -SITEKEYFILE =$tripwiresettings{'SITEKEYFILE'} -LOCALKEYFILE =$tripwiresettings{'LOCALKEYFILE'} -EDITOR =$tripwiresettings{'EDITOR'} -LATEPROMPTING =$tripwiresettings{'LATEPROMPTING'} -LOOSEDIRECTORYCHECKING =$tripwiresettings{'LOOSEDIRECTORYCHECKING'} -MAILNOVIOLATIONS =$tripwiresettings{'MAILNOVIOLATIONS'} -EMAILREPORTLEVEL =$tripwiresettings{'EMAILREPORTLEVEL'} -REPORTLEVEL =$tripwiresettings{'REPORTLEVEL'} -MAILMETHOD =$tripwiresettings{'MAILMETHOD'} -SMTPHOST =$tripwiresettings{'SMTPHOST'} -SMTPPORT =$tripwiresettings{'SMTPPORT'} -SYSLOGREPORTING =$tripwiresettings{'SYSLOGREPORTING'} -MAILPROGRAM =$tripwiresettings{'MAILPROGRAM'} - -END -; -close FILE; - -&General::writehash("${General::swroot}/tripwire/settings", %tripwiresettings); -system("/usr/local/bin/tripwirectrl lockconfig >/dev/null 2>&1"); -} - -############################################################################################################################ -################################################## Sicherheitsabfrage für CGI ############################################## - -if ($tripwiresettings{'ACTION'} eq 'addcron') - { - print <<END - <br /> - <table width='95%' cellspacing='0'> - <tr><td bgcolor='$color{'color20'}' colspan='2' align='center'><b>$Lang::tr{'add cron'}</b> - <form method='post' action='$ENV{'SCRIPT_NAME'}'> - <tr><td align='center' colspan='2'>HH<input type='text' size='2' name='HOUR' value='08'/>MM<input type='text' size='2' name='MINUTE' value='00'/><br /><br /></td></tr> - <tr><td align='right' width='50%'> - $Lang::tr{'ok'} <input type='image' alt='$Lang::tr{'ok'}' title='$Lang::tr{'ok'}' src='/images/edit-redo.png' /> - <input type='hidden' name='ACTION' value='addcronyes' 
/></form></td> - <td align='left' width='50%'><form method='post' action='$ENV{'SCRIPT_NAME'}'> - <input type='image' alt='$Lang::tr{'cancel'}' title='$Lang::tr{'cancel'}' src='/images/dialog-error.png' /> $Lang::tr{'cancel'} - <input type='hidden' name='ACTION' value='cancel' /></form></td> - </tr> - </table> -END -; -} - -if ($tripwiresettings{'ACTION'} eq 'globalreset') - { - print <<END - <br /> - <table width='95%' cellspacing='0'> - <tr><td bgcolor='$color{'color20'}' colspan='2' align='center'><b>$Lang::tr{'resetglobals'}</b> - <tr><td colspan='2' align='center'><font color=red>$Lang::tr{'defaultwarning'}<br /><br /></font></td></tr> - <tr><td align='right' width='50%'><form method='post' action='$ENV{'SCRIPT_NAME'}'> - $Lang::tr{'ok'} <input type='image' alt='$Lang::tr{'ok'}' title='$Lang::tr{'ok'}' src='/images/edit-redo.png' /> - <input type='hidden' name='ACTION' value='globalresetyes' /></form></td> - <td align='left' width='50%'><form method='post' action='$ENV{'SCRIPT_NAME'}'> - <input type='image' alt='$Lang::tr{'cancel'}' title='$Lang::tr{'cancel'}' src='/images/dialog-error.png' /> $Lang::tr{'cancel'} - <input type='hidden' name='ACTION' value='cancel' /></form></td> - </tr> - </table> -END -; -} - -if ($tripwiresettings{'ACTION'} eq 'generatepolicypw') - { - print <<END - <br /> - <table width='95%' cellspacing='0'> - <tr><td bgcolor='$color{'color20'}' colspan='2' align='center'><b>$Lang::tr{'generatepolicy'}</b> - <tr><td colspan='2' align='center'><font color=red>$Lang::tr{'tripwirewarningpolicy'}<br /><br /></font></td></tr> - <tr><td align='left' width='40%'><form method='post' action='$ENV{'SCRIPT_NAME'}'>$Lang::tr{'sitekey'}</td><td align='left'><input type='password' name='SITEKEY' value='$tripwiresettings{'SITEKEY'}' size="30" /></td></tr> - <tr><td align='left' width='40%'><form method='post' action='$ENV{'SCRIPT_NAME'}'>$Lang::tr{'localkey'}</td><td align='left'><input type='password' name='LOCALKEY' 
value='$tripwiresettings{'LOCALKEY'}' size="30" /><br /><br /></td></tr> - <tr><td align='right' width='50%'> - $Lang::tr{'ok'} <input type='image' alt='$Lang::tr{'ok'}' title='$Lang::tr{'ok'}' src='/images/edit-redo.png' /> - <input type='hidden' name='ACTION' value='generatepolicyyes' /></form></td> - <td align='left' width='50%'><form method='post' action='$ENV{'SCRIPT_NAME'}'> - <input type='image' alt='$Lang::tr{'cancel'}' title='$Lang::tr{'cancel'}' src='/images/dialog-error.png' /> $Lang::tr{'cancel'} - <input type='hidden' name='ACTION' value='cancel' /></form></td> - </tr> - </table> -END -; -} - -if ($tripwiresettings{'ACTION'} eq 'policyresetpw') - { - print <<END - <br /> - <table width='95%' cellspacing='0'> - <tr><td bgcolor='$color{'color20'}' colspan='2' align='center'><b>$Lang::tr{'resetpolicy'}</b> - <tr><td colspan='2' align='center'><font color=red>$Lang::tr{'tripwirewarningpolicy'}<br /><br /></font></td></tr> - <tr><td align='left' width='40%'><form method='post' action='$ENV{'SCRIPT_NAME'}'>$Lang::tr{'sitekey'}</td><td align='left'><input type='password' name='SITEKEY' value='$tripwiresettings{'SITEKEY'}' size="30" /></td></tr> - <tr><td align='left' width='40%'><form method='post' action='$ENV{'SCRIPT_NAME'}'>$Lang::tr{'localkey'}</td><td align='left'><input type='password' name='LOCALKEY' value='$tripwiresettings{'LOCALKEY'}' size="30" /><br /><br /></td></tr> - <tr><td align='right' width='50%'> - $Lang::tr{'ok'} <input type='image' alt='$Lang::tr{'ok'}' title='$Lang::tr{'ok'}' src='/images/edit-redo.png' /> - <input type='hidden' name='ACTION' value='resetpolicyyes' /></form></td> - <td align='left' width='50%'><form method='post' action='$ENV{'SCRIPT_NAME'}'> - <input type='image' alt='$Lang::tr{'cancel'}' title='$Lang::tr{'cancel'}' src='/images/dialog-error.png' /> $Lang::tr{'cancel'} - <input type='hidden' name='ACTION' value='cancel' /></form></td> - </tr> - </table> -END -; -} - -if ($tripwiresettings{'ACTION'} eq 
'updatedatabasepw') - { - print <<END - <br /> - <table width='95%' cellspacing='0'> - <tr><td bgcolor='$color{'color20'}' colspan='2' align='center'><b>$Lang::tr{'updatedatabase'}</b> - <tr><td colspan='2' align='center'><font color=red>$Lang::tr{'tripwirewarningdatabase'}<br /><br /></font></td></tr> - <tr><td align='left' width='40%'><form method='post' action='$ENV{'SCRIPT_NAME'}'>$Lang::tr{'localkey'}</td><td align='left'><input type='password' name='LOCALKEY' value='$tripwiresettings{'LOCALKEY'}' size="30" /><br /><br /></td></tr> - <tr><td align='right' width='50%'><form method='post' action='$ENV{'SCRIPT_NAME'}'> - $Lang::tr{'ok'} <input type='image' alt='$Lang::tr{'ok'}' title='$Lang::tr{'ok'}' src='/images/edit-redo.png' /> - <input type='hidden' name='ACTION' value='updatedatabaseyes' /></form></td> - <td align='left' width='50%'><form method='post' action='$ENV{'SCRIPT_NAME'}'> - <input type='image' alt='$Lang::tr{'cancel'}' title='$Lang::tr{'cancel'}' src='/images/dialog-error.png' /> $Lang::tr{'cancel'} - <input type='hidden' name='ACTION' value='cancel' /></form></td> - </tr> - </table> -END -; -} -if ($tripwiresettings{'ACTION'} eq 'keyreset') - { - print <<END - <br /> - <table width='95%' cellspacing='0'> - <tr><td bgcolor='$color{'color20'}' colspan='2' align='center'><b>$Lang::tr{'keyreset'}</b> - <tr><td colspan='2' align='center'><font color=red>$Lang::tr{'tripwirewarningkeys'}<br /><br /></font></td></tr> - <tr><td align='right' width='50%'><form method='post' action='$ENV{'SCRIPT_NAME'}'> - $Lang::tr{'ok'} <input type='image' alt='$Lang::tr{'ok'}' title='$Lang::tr{'ok'}' src='/images/edit-redo.png' /> - <input type='hidden' name='ACTION' value='keyresetyes' /></form></td> - <td align='left' width='50%'><form method='post' action='$ENV{'SCRIPT_NAME'}'> - <input type='image' alt='$Lang::tr{'cancel'}' title='$Lang::tr{'cancel'}' src='/images/dialog-error.png' /> $Lang::tr{'cancel'} - <input type='hidden' name='ACTION' value='cancel' 
/></form></td> - </tr> - </table> -END -; -} - -if ($tripwiresettings{'ACTION'} eq 'generatekeys') - { - print <<END - <br /> - <table width='95%' cellspacing='0'> - <tr><td bgcolor='$color{'color20'}' colspan='2' align='center'><b>$Lang::tr{'generatekeys'}</b> - <tr><td colspan='2' align='center'><font color=red>$Lang::tr{'tripwirewarningkeys'}<br /><br /></font></td></tr> - <tr><td align='right' width='50%'><form method='post' action='$ENV{'SCRIPT_NAME'}'> - $Lang::tr{'ok'} <input type='image' alt='$Lang::tr{'ok'}' title='$Lang::tr{'ok'}' src='/images/edit-redo.png' /> - <input type='hidden' name='ACTION' value='generatekeysyes' /></form></td> - <td align='left' width='50%'><form method='post' action='$ENV{'SCRIPT_NAME'}'> - <input type='image' alt='$Lang::tr{'cancel'}' title='$Lang::tr{'cancel'}' src='/images/dialog-error.png' /> $Lang::tr{'cancel'} - <input type='hidden' name='ACTION' value='cancel' /></form></td> - </tr> - </table> -END -; -} - -############################################################################################################################ -######################################################## Tripwire Funktionen ############################################### - -if ($tripwiresettings{'ACTION'} eq 'globalresetyes') -{ -&Header::openbox( 'Waiting', 1, "<meta http-equiv='refresh' content='1;'>" );print "<center><img src='/images/clock.gif' alt='' /><br/><font color='red'>$Lang::tr{'tripwireoperating'}</font></center>";&Header::closebox(); -$tripwiresettings{'ROOT'} = '/usr/sbin'; -$tripwiresettings{'POLFILE'} = '/var/ipfire/tripwire/tw.pol'; -$tripwiresettings{'DBFILE'} = '/var/ipfire/tripwire/$(HOSTNAME).twd'; -$tripwiresettings{'REPORTFILE'} = '/var/ipfire/tripwire/report/$(DATE).twr'; -$tripwiresettings{'SITEKEYFILE'} = '/var/ipfire/tripwire/site.key'; -$tripwiresettings{'LOCALKEYFILE'} = '/var/ipfire/tripwire/local.key'; -$tripwiresettings{'EDITOR'} = '/usr/bin/vi'; -$tripwiresettings{'LATEPROMPTING'} = 'false'; 
-$tripwiresettings{'LOOSEDIRECTORYCHECKING'} = 'false'; -$tripwiresettings{'MAILNOVIOLATIONS'} = 'false'; -$tripwiresettings{'EMAILREPORTLEVEL'} = '3'; -$tripwiresettings{'REPORTLEVEL'} = '3'; -$tripwiresettings{'MAILMETHOD'} = 'SENDMAIL'; -$tripwiresettings{'SMTPHOST'} = 'ipfire.myipfire.de'; -$tripwiresettings{'SMTPPORT'} = '25'; -$tripwiresettings{'SYSLOGREPORTING'} = 'false'; -$tripwiresettings{'MAILPROGRAM'} = '/usr/sbin/sendmail -oi -t'; -$tripwiresettings{'SITEKEY'} = 'ipfire'; -$tripwiresettings{'LOCALKEY'} = 'ipfire'; -$tripwiresettings{'ACTION'} = ''; -system("/usr/local/bin/tripwirectrl readconfig >/dev/null 2>&1"); -open (FILE, ">${General::swroot}/tripwire/twcfg.txt") or die "Can't save tripwire config: $!"; -flock (FILE, 2); -print FILE <<END - -ROOT =$tripwiresettings{'ROOT'} -POLFILE =$tripwiresettings{'POLFILE'} -DBFILE =$tripwiresettings{'DBFILE'} -REPORTFILE =$tripwiresettings{'REPORTFILE'} -SITEKEYFILE =$tripwiresettings{'SITEKEYFILE'} -LOCALKEYFILE =$tripwiresettings{'LOCALKEYFILE'} -EDITOR =$tripwiresettings{'EDITOR'} -LATEPROMPTING =$tripwiresettings{'LATEPROMPTING'} -LOOSEDIRECTORYCHECKING =$tripwiresettings{'LOOSEDIRECTORYCHECKING'} -MAILNOVIOLATIONS =$tripwiresettings{'MAILNOVIOLATIONS'} -EMAILREPORTLEVEL =$tripwiresettings{'EMAILREPORTLEVEL'} -REPORTLEVEL =$tripwiresettings{'REPORTLEVEL'} -MAILMETHOD =$tripwiresettings{'MAILMETHOD'} -SMTPHOST =$tripwiresettings{'SMTPHOST'} -SMTPPORT =$tripwiresettings{'SMTPPORT'} -SYSLOGREPORTING =$tripwiresettings{'SYSLOGREPORTING'} -MAILPROGRAM =$tripwiresettings{'MAILPROGRAM'} - -END -; -close FILE; -&General::writehash("${General::swroot}/tripwire/settings", %tripwiresettings); -system("/usr/local/bin/tripwirectrl lockconfig >/dev/null 2>&1l"); -system("/usr/local/bin/tripwirectrl keys ipfire ipfire >/dev/null 2>&1");$tripwiresettings{'SITEKEY'} = 'ipfire';$tripwiresettings{'LOCALKEY'} = 'ipfire'; -} -if ($tripwiresettings{'ACTION'} eq 'generatekeysyes'){&Header::openbox( 'Waiting', 1, "<meta 
http-equiv='refresh' content='1;'>" );print "<center><img src='/images/clock.gif' alt='' /><br/><font color='red'>$Lang::tr{'tripwireoperating'}</font></center>";system("/usr/local/bin/tripwirectrl keys $tripwiresettings{'SITEKEY'} $tripwiresettings{'LOCALKEY'} >/dev/null 2>&1");$tripwiresettings{'SITEKEY'} = 'ipfire';$tripwiresettings{'LOCALKEY'} = 'ipfire';} -if ($tripwiresettings{'ACTION'} eq 'keyresetyes'){&Header::openbox( 'Waiting', 1, "<meta http-equiv='refresh' content='1;'>" );print "<center><img src='/images/clock.gif' alt='' /><br/><font color='red'>$Lang::tr{'tripwireoperating'}</font></center>";system("/usr/local/bin/tripwirectrl keys ipfire ipfire >/dev/null 2>&1");$tripwiresettings{'SITEKEY'} = 'ipfire';$tripwiresettings{'LOCALKEY'} = 'ipfire';} -if ($tripwiresettings{'ACTION'} eq 'resetpolicyyes'){&Header::openbox( 'Waiting', 1, "<meta http-equiv='refresh' content='1;'>" );print "<center><img src='/images/clock.gif' alt='' /><br/><font color='red'>$Lang::tr{'tripwireoperating'}</font></center>";system("/usr/local/bin/tripwirectrl resetpolicy tripwiresettings{'SITEKEY'} $tripwiresettings{'LOCALKEY'} >/dev/null 2>&1");$tripwiresettings{'SITEKEY'} = 'ipfire';$tripwiresettings{'LOCALKEY'} = 'ipfire';} -if ($tripwiresettings{'ACTION'} eq 'generatepolicyyes'){&Header::openbox( 'Waiting', 1, "<meta http-equiv='refresh' content='1;'>" );print "<center><img src='/images/clock.gif' alt='' /><br/><font color='red'>$Lang::tr{'tripwireoperating'}</font></center>";system("/usr/local/bin/tripwirectrl generatepolicy $tripwiresettings{'SITEKEY'} $tripwiresettings{'LOCALKEY'} >/dev/null 2>&1");$tripwiresettings{'SITEKEY'} = 'ipfire';$tripwiresettings{'LOCALKEY'} = 'ipfire';} -if ($tripwiresettings{'ACTION'} eq 'updatedatabaseyes'){&Header::openbox( 'Waiting', 1, "<meta http-equiv='refresh' content='1;'>" );print "<center><img src='/images/clock.gif' alt='' /><br/><font color='red'>$Lang::tr{'tripwireoperating'}</font></center>";system("/usr/local/bin/tripwirectrl 
updatedatabase $tripwiresettings{'LOCALKEY'} /var/ipfire/tripwire/report/$file >/dev/null 2>&1");$tripwiresettings{'LOCALKEY'} = 'ipfire';} -if ($tripwiresettings{'ACTION'} eq 'generatereport'){&Header::openbox( 'Waiting', 1, "<meta http-equiv='refresh' content='1;'>" );print "<center><img src='/images/clock.gif' alt='' /><br/><font color='red'>$Lang::tr{'tripwireoperating'}</font></center>";system("/usr/local/bin/tripwirectrl generatereport >/dev/null 2>&1");} -if ($tripwiresettings{'ACTION'} eq 'addcronyes'){system("/usr/local/bin/tripwirectrl addcron $tripwiresettings{'HOUR'} $tripwiresettings{'MINUTE'} >/dev/null 2>&1");} -if ($tripwiresettings{'ACTION'} eq 'deletecron'){system("/usr/local/bin/tripwirectrl disablecron $tripwiresettings{'CRON'} >/dev/null 2>&1");@cronjobs = `ls /etc/fcron.daily/tripwire* 2>/dev/null`;} - -############################################################################################################################ -##################################################### Tripwire globale Optionen ############################################ - -&Header::openbox('100%', 'center', 'Tripwire'); -print <<END -<br /> - -<form method='post' action='$ENV{'SCRIPT_NAME'}'> -<table width='95%' cellspacing='0'> -<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'basic options'}</b></td></tr> -<tr><td align='left' width='40%'>$Lang::tr{'emailreportlevel'}</td><td align='left'><input type='text' name='EMAILREPORTLEVEL' value='$tripwiresettings{'EMAILREPORTLEVEL'}' size="30" /></td></tr> -<tr><td align='left' width='40%'>$Lang::tr{'reportlevel'}</td><td align='left'><input type='text' name='REPORTLEVEL' value='$tripwiresettings{'REPORTLEVEL'}' size="30" /></td></tr> -<tr><td align='left' width='40%'>$Lang::tr{'mailmethod'}</td><td align='left'><input type='text' name='MAILMETHOD' value='$tripwiresettings{'MAILMETHOD'}' size="30" /></td></tr> -<tr><td align='left' width='40%'>$Lang::tr{'smtphost'}</td><td align='left'><input 
type='text' name='SMTPHOST' value='$tripwiresettings{'SMTPHOST'}' size="30" /></td></tr> -<tr><td align='left' width='40%'>$Lang::tr{'smtpport'}</td><td align='left'><input type='text' name='SMTPPORT' value='$tripwiresettings{'SMTPPORT'}' size="30" /></td></tr> -<tr><td align='left' width='40%'>$Lang::tr{'mailprogramm'}</td><td align='left'><input type='text' name='MAILPROGRAM' value='$tripwiresettings{'MAILPROGRAM'}' size="30" /></td></tr> -</table> -<br /> -<table width='10%' cellspacing='0'> -<tr><td align='center'><form method='post' action='$ENV{'SCRIPT_NAME'}'> - <input type='hidden' name='ACTION' value=$Lang::tr{'save'} /> - <input type='image' alt='$Lang::tr{'save'}' title='$Lang::tr{'save'}' src='/images/media-floppy.png' /></form></td> -<td align='center'><form method='post' action='$ENV{'SCRIPT_NAME'}'> - <input type='hidden' name='ACTION' value='globalreset' /> - <input type='image' alt='$Lang::tr{'reset'}' title='$Lang::tr{'reset'}' src='/images/reload.gif' /></form></td> -<td align='center'><form method='post' action='$ENV{'SCRIPT_NAME'}'> - <input type='hidden' name='ACTION' value='globalcaption' /> - <input type='image' alt='$Lang::tr{'caption'}' title='$Lang::tr{'caption'}' src='/images/help-browser.png' /></form></td></tr> -</table> -</from> -END -; -if ($tripwiresettings{'ACTION'} eq 'globalcaption') -{ -print <<END -<br /> -<table width='95%' cellspacing='0'> -<tr><td align='center' colspan='2'><b>$Lang::tr{'caption'}</b></td></tr> -<tr><td align='right' width='33%'><img src='/images/media-floppy.png' alt='$Lang::tr{'save settings'}' /></td><td align='left'>$Lang::tr{'save settings'}</td></tr> -<tr><td align='right' width='33%'><img src='/images/reload.gif' alt='$Lang::tr{'restore settings'}' /></td><td align='left'>$Lang::tr{'restore settings'}</td></tr> -</table> -END -; - -} - -&Header::closebox(); - -############################################################################################################################ 
-################################################### Tripwire Init Policy and keygen ######################################## - -&Header::openbox('100%', 'center', $Lang::tr{'generate tripwire keys and init'}); -print <<END -<br /> - -<form method='post' action='$ENV{'SCRIPT_NAME'}'> -<table width='95%' cellspacing='0'> -<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'keys'}</b></td></tr> -<tr><td align='left' width='40%'>$Lang::tr{'sitekey'}</td><td align='left'><input type='password' name='SITEKEY' value='$tripwiresettings{'SITEKEY'}' size="30" /></td></tr> -<tr><td align='left' width='40%'>$Lang::tr{'localkey'}</td><td align='left'><input type='password' name='LOCALKEY' value='$tripwiresettings{'LOCALKEY'}' size="30" /></td></tr> -</table> -<br /> -<table width='10%' cellspacing='0'> -<tr><td align='center'><form method='post' action='$ENV{'SCRIPT_NAME'}'> - <input type='hidden' name='ACTION' value='generatekeys'/> - <input type='image' alt='$Lang::tr{'generatekeys'}' title='$Lang::tr{'generatekeys'}' src='/images/system-lock-screen.png' /></form></td> -<td align='center'><form method='post' action='$ENV{'SCRIPT_NAME'}'> - <input type='hidden' name='ACTION' value='keyreset' /> - <input type='image' alt='$Lang::tr{'reset'}' title='$Lang::tr{'reset'}' src='/images/reload.gif' /></form></td> -<td align='center'><form method='post' action='$ENV{'SCRIPT_NAME'}'> - <input type='hidden' name='ACTION' value='keycaption' /> - <input type='image' alt='$Lang::tr{'caption'}' title='$Lang::tr{'caption'}' src='/images/help-browser.png' /></form></td></tr> -</table> -</from> -END -; -if ($tripwiresettings{'ACTION'} eq 'keycaption') -{ -print <<END -<br /> -<table width='95%' cellspacing='0'> -<tr><td align='center' colspan='2'><b>$Lang::tr{'caption'}</b></td></tr> -<tr><td align='right' width='33%'><img src='/images/system-lock-screen.png' alt='$Lang::tr{'generatekeys'}' /></td><td align='left'>$Lang::tr{'generatekeys'}</td></tr> -<tr><td 
align='right' width='33%'><img src='/images/reload.gif' alt='$Lang::tr{'keyreset'}' /></td><td align='left'>$Lang::tr{'keyreset'}</td></tr> -</table> -END -; - -} - -&Header::closebox(); - -############################################################################################################################ -################################################# Tripwire general functions ############################################### - -&Header::openbox('100%', 'center', $Lang::tr{'tripwire functions'}); -print <<END -<br /> - -<table width='95%' cellspacing='0'> -<tr><td align='center'><form method='post' action='$ENV{'SCRIPT_NAME'}'> - <input type='hidden' name='ACTION' value='generatepolicypw'/> - <input type='image' alt='$Lang::tr{'generatepolicy'}' title='$Lang::tr{'generatepolicy'}' src='/images/document-new.png' /></form></td> -<td align='center'><form method='post' action='$ENV{'SCRIPT_NAME'}'> - <input type='hidden' name='ACTION' value='policyresetpw' /> - <input type='image' alt='$Lang::tr{'resetpolicy'}' title='$Lang::tr{'resetpolicy'}' src='/images/reload.gif' /></form></td> -<td align='center'><form method='post' action='$ENV{'SCRIPT_NAME'}'> - <input type='hidden' name='ACTION' value='generatereport' /> - <input type='image' alt='$Lang::tr{'generatereport'}' title='$Lang::tr{'generatereport'}' src='/images/document-properties.png' /></form></td> -<td align='center'><form method='post' action='$ENV{'SCRIPT_NAME'}'> - <input type='hidden' name='ACTION' value='updatedatabasepw' /> - <input type='image' alt='$Lang::tr{'updatedatabase'}' title='$Lang::tr{'updatedatabase'}' src='/images/network-server.png' /></form></td> -<td align='center'><form method='post' action='$ENV{'SCRIPT_NAME'}'> - <input type='hidden' name='ACTION' value='policycaption' /> - <input type='image' alt='$Lang::tr{'caption'}' title='$Lang::tr{'caption'}' src='/images/help-browser.png' /></form></td></tr> -</table> -END -; -if ($tripwiresettings{'ACTION'} eq 'policycaption') -{ 
-print <<END -<br /> -<table width='95%' cellspacing='0'> -<tr><td align='center' colspan='2'><b>$Lang::tr{'caption'}</b></td></tr> -<tr><td align='right' width='33%'><img src='/images/document-new.png' alt='$Lang::tr{'generatepolicy'}' /></td><td align='left'>$Lang::tr{'generatepolicy'}</td></tr> -<tr><td align='right' width='33%'><img src='/images/reload.gif' alt='$Lang::tr{'resetpolicy'}' /></td><td align='left'>$Lang::tr{'resetpolicy'}</td></tr> -<tr><td align='right' width='33%'><img src='/images/document-properties.png' alt='$Lang::tr{'generatereport'}' /></td><td align='left'>$Lang::tr{'generatereport'}</td></tr> -<tr><td align='right' width='33%'><img src='/images/network-server.png' alt='$Lang::tr{'updatedatabase'}' /></td><td align='left'>$Lang::tr{'updatedatabase'}</td></tr> -</table> -END -; - -} -&Header::closebox(); - -############################################################################################################################ -####################################################### Tripwire Log View ################################################## - -&Header::openbox('100%', 'center', $Lang::tr{'tripwire reports'}); -print <<END -<a name="$Lang::tr{'log view'}"</a> -<br /> -<form method='post' action='$ENV{'SCRIPT_NAME'}#$Lang::tr{'log view'}'> -<table width='95%' cellspacing='0'> -<tr><td bgcolor='$color{'color20'}' colspan='3' align='left'><b>$Lang::tr{'log view'}</b></td></tr> -<tr><td colspan='3' align='left'><br /></td></tr> -<tr><td align='left'><select name='LOG' style="width: 500px"> -END -; -foreach my $log (@Logs) {chomp $log;print"<option value='$log'>$log</option>";} -print <<END - -</select></td><td align='left'><input type='hidden' name='ACTION' value='showlog' /><input type='image' alt='view Log' title='view log' src='/images/format-justify-fill.png' /></td></tr> -</table> -</form> -END -; -if ($tripwiresettings{'ACTION'} eq 'showlog') -{ -$Log = qx(/usr/local/bin/tripwirectrl tripwirelog $tripwiresettings{'LOG'}); 
-$Log=~s/--cfgfile /var/ipfire/tripwire/tw.cfg --polfile /var/ipfire/tripwire/tw.pol//g; -print <<END -<table width='95%' cellspacing='0'> -<tr><td><br /></td></tr> -<tr><td><pre>$Log</pre></td></tr> -<tr><td><br /></td></tr> -<tr><td align='center'>$tripwiresettings{'LOG'}</td></tr> -</table> -END -; - -} - -&Header::closebox(); - -############################################################################################################################ -####################################################### Tripwire Cronjob ################################################## -# -#&Header::openbox('100%', 'center', $Lang::tr{'tripwire cronjob'}); -#print <<END -#<br /> -#<table width='95%' cellspacing='0'> -#<tr><td colspan='3' align='left'><br /></td></tr> -#END -#; -#foreach my $cronjob (@cronjobs) {chomp $cronjob;my $time=$cronjob; $time=~s//etc/fcron.daily/tripwire//g;print"<form method='post' action='$ENV{'SCRIPT_NAME'}'><tr><td align='left' colspan='2'>$cronjob at $time daily</td><td><input type='hidden' name='ACTION' value='deletecron' /><input type='hidden' name='CRON' value='$time' /><input type='image' alt='delete cron' title='delete cron' src='/images/user-trash.png' /></td></tr></form>";} -#print <<END -#</table> -#<br /> -#<table width='10%' cellspacing='0'> -#<tr><td align='center'><form method='post' action='$ENV{'SCRIPT_NAME'}'> -# <input type='hidden' name='ACTION' value='addcron'/> -# <input type='image' alt='$Lang::tr{'add cron'}' title='$Lang::tr{'add cron'}' src='/images/appointment-new.png' /></form></td> -#<td align='center'><form method='post' action='$ENV{'SCRIPT_NAME'}'> -# <input type='hidden' name='ACTION' value='croncaption' /> -# <input type='image' alt='$Lang::tr{'caption'}' title='$Lang::tr{'caption'}' src='/images/help-browser.png' /></form></td></tr> -#</table> -#END -#; - -#if ($tripwiresettings{'ACTION'} eq 'croncaption') -#{ -#print <<END -#<br /> -#<table width='95%' cellspacing='0'> -#<tr><td align='center' 
colspan='2'><b>$Lang::tr{'caption'}</b></td></tr> -#<tr><td align='right' width='33%'><img src='/images/appointment-new.png' /></td><td align='left'>$Lang::tr{'add cron'}</td></tr> -#<tr><td align='right' width='33%'><img src='/images/user-trash.png' /></td><td align='left'>$Lang::tr{'delete cron'}</td></tr> -#</table> -#END -#; -#} -# -#&Header::closebox(); - -&Header::closebigbox(); -&Header::closepage(); diff --git a/langs/tr/cgi-bin/tr.pl b/langs/tr/cgi-bin/tr.pl index 782bc00..3af2339 100644 --- a/langs/tr/cgi-bin/tr.pl +++ b/langs/tr/cgi-bin/tr.pl @@ -9,7 +9,7 @@ 'Async logging enabled' => 'Syslog dosyanın eÅzamansız yazmasını aktifleÅtirin', 'Choose Rule' => 'AÅaÄıdaki kurallardan <u>birini</u> seçin.', 'Class' => 'Sınıf', -'Class was deleted' => 'with potential subclasses was deleted', +'Class was deleted' => 'Potansiyel alt sınıfları ile silindi', 'ConnSched action' => 'Eylem:', 'ConnSched add action' => 'Eylem ekle', 'ConnSched change profile title' => 'Profili deÄitirin:', @@ -435,6 +435,7 @@ 'bit' => 'Bit', 'bitrate' => 'Bit hızı', 'bleeding rules' => 'Bleeding Edge Snort Rules', +'block' => 'Engelle', 'blue' => 'MAVÄ°', 'blue access' => 'Mavi EriÅim', 'blue access use hint' => 'Bu MAC ya da cihaz için bir IP adresi girmeniz gerekir. Ayrıca her ikiside girilebilir.', @@ -550,6 +551,7 @@ 'chain' => 'Zincir', 'change passwords' => 'Parola deÄiÅtir', 'change share' => 'paylaÅım seçeneklerini dÃŒzenle', +'check all' => 'TÃŒmÃŒnÃŒ seç', 'check for net traffic update' => 'AÄ-Trafik gÃŒncelleÅtirmeleri denetle', 'check vpn lr' => 'Kontrol', 'choose config' => 'Yapılandırmayı seçin', 
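Review bot: the deleted tripwire.cgi still calls a helper, /usr/local/bin/tripwirectrl, on every action (generatekeys, generatereport, updatedatabase, addcron, disablecron); nothing in this hunk removes that helper or the /var/ipfire/tripwire directory it wrote reports to, so upgraded systems keep an orphaned, web-callable helper around. Add the removal to the corresponding update script or say where it happens. Two smaller points in the removed code are worth knowing if anyone resurrects it: the forms close with `</from>` instead of `</form>`, and the `s/--cfgfile /var/ipfire/tripwire/tw.cfg ... //g` substitution uses unescaped slashes inside the pattern, so it does not do what was intended.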
@@ -720,6 +722,11 @@ 'dhcp bootp pxe data' => 'Sabit kira için isteÄe baÄlı bootp pxe verileri girin', 'dhcp configuration' => 'DHCP yapılandırması', 'dhcp create fixed leases' => 'Sabit kiralama oluÅtur', +'dhcp dns enable update' => 'DNS gÃŒncelleÅtirmesini aktifleÅtir (RFC2136):', +'dhcp dns key name' => 'Anahtar adı:', +'dhcp dns update' => 'DNS gÃŒncelleme', +'dhcp dns update algo' => 'Algoritma:', +'dhcp dns update secret' => 'Gizli:', 'dhcp fixed lease err1' => 'Bu dÃŒzeltme için MAC adresini, ana bilgisayar adını veya her ikisinide girmeniz gerekir', 'dhcp fixed lease help1' => 'IP adresleri tam tanımlanmıŠalan adları (FQDN) Åeklinde girilmelidir.', 'dhcp mode' => 'DHCP', @@ -749,6 +756,7 @@ 'display traffic at home' => 'BaÅlangıç sayfasının ÃŒzerinde hesaplanan trafiÄi göster', 'display webinterface effects' => 'Efektleri aktifleÅtir', 'dl client arch' => 'Ä°stemci paketlerini indir (zip)', +'dl client arch insecure' => 'GÃŒvenli olamayan istemci paketini indir (zip)', 'dmz' => 'AÃIK BÃLGE', 'dmz pinhole configuration' => 'Açık bölge yapılandırma', 'dmz pinhole rule added' => 'Açık bölge kuralı eklendi; Açık bölge yeniden baÅlatılıyor', 
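Review bot: in the @@ -749 hunk the new 'dl client arch insecure' string reads "Güvenli olamayan" ("which cannot be secure"); "Güvenli olmayan" ("not secure") is the intended wording for an insecure client package download. Please fix before this ships in a release.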
@@ -857,7 +865,27 @@ 'edit share' => 'PaylaÅımı dÃŒzenle', 'editor' => 'DÃŒzenleyici', 'eg' => 'e.g.:', +'email config' => 'Ayarlar', +'email empty field' => 'BoÅ alan', +'email error' => 'HATA: Test e-posta gönderilemedi', +'email invalid' => 'Geçersiz alan', +'email invalid mailfqdn' => 'Geçersiz e-posta sunucu fqdn si', +'email invalid mailip' => 'Geçersiz posta sunucusu IP adresi', +'email invalid mailport' => 'Geçersiz posta sunucusu baÄlantı noktası', +'email mailaddr' => 'Posta sunucu adresi', +'email mailpass' => 'Parola', +'email mailport' => 'Posta sunucu baÄlantı noktası', +'email mailrcpt' => 'Posta alıcısı', +'email mailsender' => 'Posta göndericisi', +'email mailuser' => 'Kullanıcı adı', 'email server can not be empty' => 'E-posta sunucusu boÅ olamaz', +'email settings' => 'E-posta Hizmeti', +'email subject' => 'IPFire Test E-posta', +'email success' => 'Test e-posta baÅarıyla gönderildi', +'email testmail' => 'Test e-posta gönder', +'email text' => 'IpFire e-posta servisinden test e-posta.', +'email tls' => 'TLS kullan', +'email usemail' => 'Posta hizmetini aktifleÅtir', 'emailreportlevel' => 'E-posta rapor seviyesi', 'emerging rules' => 'Emergingthreats.net Topluluk Kuralları', 'empty' => 'Bu alan boÅ bırakılabilir', @@ -1094,6 +1122,7 @@ 'fwhost OpenVPN static host' => 'OpenVPN statik ana bilgisayar', 'fwhost OpenVPN static network' => 'OpenVPN statik aÄ', 'fwhost Standard Network' => 'Standart aÄ', +'fwhost addgeoipgrp' => 'Yeni GeoIP grubu ekle', 'fwhost addgrp' => 'Yeni aÄ/ana bilgisayar grubu ekle:', 'fwhost addgrpname' => 'Grup adı:', 'fwhost addhost' => 'Yeni bir ana bilgisayar ekle:', 
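Review bot: the new 'email text' string spells the product "IpFire" while 'email subject' two lines above uses "IPFire"; make them consistent ("IPFire"). Otherwise the email block reads fine.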
@@ -1109,6 +1138,9 @@ 'fwhost change' => 'DeÄiÅtir', 'fwhost changeremark' => 'Sadece açıklamalar deÄiÅtirilmiÅ', 'fwhost cust addr' => 'Ana bilgisayarlar', +'fwhost cust geoip' => 'GeoIP Grupları', +'fwhost cust geoipgroup' => 'GeoIP Grupları', +'fwhost cust geoiplocation' => 'GeoIP Konumları', 'fwhost cust grp' => 'AÄ/Ana Bilgisayar Grupları:', 'fwhost cust net' => 'AÄlar', 'fwhost cust service' => 'Hizmetler:', @@ -1155,6 +1187,7 @@ 'fwhost ipsec net' => 'IPsec aÄları:', 'fwhost menu' => 'GÃŒvenlik Duvarı Grupları', 'fwhost netaddress' => 'AÄ adresi', +'fwhost newgeoipgrp' => 'GeoIP Grupları', 'fwhost newgrp' => 'AÄ/Ana Bilgisayar Grupları', 'fwhost newhost' => 'Ana Bilgisayarlar', 'fwhost newnet' => 'AÄlar', @@ -1191,6 +1224,16 @@ 'generating the root and host certificates may take a long time. it can take up to several minutes on older hardware. please be patient' => 'Yönetici ve sunucu sertifikalarının oluÅturulması biraz zaman alır. Eski donanımlarda bu sÃŒre birkaç dakikayı bulabilir. LÃŒtfen bekleyin.', 'genkey' => 'PSK oluÅtur', 'genre' => 'TÃŒr', +'geoip' => 'GeoIP', +'geoipblock' => 'GeoIP Engelleme', +'geoipblock block countries' => 'Engellenen ÃŒlkeler', +'geoipblock configuration' => 'GeoIP Yapılandırması', +'geoipblock country code' => 'Ãlke Kodu', +'geoipblock country is allowed' => 'Bu ÃŒlkeden gelen trafiÄe izin ver', +'geoipblock country is blocked' => 'Bu ÃŒlkeden gelen trafiÄi engelle', +'geoipblock country name' => 'Ãlke Adı', +'geoipblock enable feature' => 'GeoIP tabanlı engellemeyi aktifleÅtir:', +'geoipblock flag' => 'Bayrak', 'global settings' => 'Genel ayarlar', 'gpl i accept these terms and conditions' => 'Bu Åartları kabul ediyorum', 'gpl license agreement' => 'Lisans SözleÅmesi', 
@@ -1270,7 +1313,9 @@ 'inactive' => 'Pasif', 'include logfiles' => 'GÃŒnlÃŒk dosyaları dahil', 'incoming' => 'gelen', +'incoming compression in bytes per second' => 'Gelen SıkıÅtırma', 'incoming firewall access' => 'Gelen gÃŒvenlik duvarı baÄlantısı', +'incoming overhead in bytes per second' => 'gelen ek yÃŒk', 'incoming traffic in bytes per second' => 'gelen trafik', 'incorrect password' => 'YanlıŠparola', 'info' => 'Bilgi', @@ -1325,6 +1370,7 @@ 'invalid input for organization' => 'KuruluÅ için geçersiz giriÅ.', 'invalid input for remote host/ip' => 'Ana bilgisayar/ip uzak giriÅ için geçersiz giriÅ.', 'invalid input for state or province' => 'Devlet veya il için geçersiz giriÅ.', +'invalid input for valid till days' => 'Geçerli kadar (gÃŒn) geçersiz girdi.', 'invalid ip' => 'Geçersiz IP adresi', 'invalid keep time' => 'Tutma zamanı geçerli bir sayı olmalıdır.', 'invalid key' => 'Geçersiz anahtar.', @@ -1625,6 +1671,7 @@ 'no modem selected' => 'Modem seçilmedi', 'no set selected' => 'Hiçbir ayar seçilmedi', 'no time limit' => 'sınırsız zaman', +'none' => 'hiçbiri', 'none found' => 'hiçbiri bulunamadı', 'nonetworkname' => 'AÄ adı girilmedi', 'noservicename' => 'Hizmet adı girilmedi', @@ -1695,6 +1742,7 @@ 'our donors' => 'Destekçimiz', 'out' => 'DıÅarı', 'outgoing' => 'giden', +'outgoing compression in bytes per second' => 'Giden sıkıÅtırma', 'outgoing firewall' => 'Giden gÃŒvenlik duvarı', 'outgoing firewall access' => 'Giden gÃŒvenlik duvarı baÄlantısı', 'outgoing firewall add ip group' => 'IP Adres Grubu Ekle', 
@@ -1717,9 +1765,11 @@ 'outgoing firewall reset' => 'TÃŒmÃŒnÃŒ sıfırla', 'outgoing firewall view group' => 'Grup bilgileri', 'outgoing firewall warning' => 'Kaynak IP veya MAC seçildiÄinde bunlar yok sayılır', +'outgoing overhead in bytes per second' => 'giden ek yÃŒk', 'outgoing traffic in bytes per second' => 'giden trafik', 'override mtu' => 'Varsayılan MTU seçeneÄini geçersiz kıl', 'ovpn' => 'OpenVPN', +'ovpn add conf' => 'Ek yapılandırma', 'ovpn con stat' => 'OpenVPN BaÄlantı Ä°statistiÄi', 'ovpn config' => 'OVPN-Yapılandırması', 'ovpn crypt options' => 'Åifreleme seçenekleri', @@ -1772,7 +1822,7 @@ 'ovpnstatus log' => 'OVPN-Durum-GÃŒnlÃŒk', 'ovpnsys log' => 'OVPN-Durum-GÃŒnlÃŒk', 'p2p block' => 'P2P AÄları', -'p2p block save notice' => 'YaptıÄınız deÄiÅiklikleri uygulamak için gÃŒvenlik duvarı kural ayarlarını lÃŒtfen yeniden yÃŒkleyin.', +'p2p block save notice' => 'YaptıÄınız deÄiÅiklikleri uygulamak için gÃŒvenlik duvarı kuralı ayarlarını lÃŒtfen yeniden yÃŒkleyin.', 'package failed to install' => 'Paket yÃŒklenemedi.', 'pagerefresh' => 'Sayfa yenileniyor. LÃŒtfen bekleyin.', 'pakfire accept all' => 'TÃŒm paketleri yÃŒklemek istiyor musunuz?', @@ -1829,6 +1879,9 @@ 'ppp setup' => 'PPP kurulumu', 'pppoe' => 'PPPoE', 'pppoe settings' => 'Ek PPPoE ayarları:', +'pptp netconfig' => 'AÄ yapılandırma', +'pptp peer' => 'Denk', +'pptp route' => 'PPTP Yolu', 'pptp settings' => 'Ek PPTP ayarları:', 'pre-shared key is too short' => 'Ãn paylaÅımlı anahtar çok kısa.', 'prefered master' => 'Tercih edilen yönetici', @@ -1921,6 +1974,7 @@ 'reportlevel' => 'Seviye raporu', 'request' => 'Talep', 'requested data' => '1. BaÄlantı Ayarları:', +'required field' => 'Gerekli alan', 'reserved dst port' => 'IPFire için ayrılmıŠhedef baÄlantı noktası numarası:', 'reserved src port' => 'IPFire için ayrılmıŠkaynak baÄlantı noktası numarası:', 'reset' => 'Sıfırla', 
@@ -1959,6 +2013,7 @@ 'save settings' => 'Ayarları kaydet', 'save-adv-options' => 'GeliÅmiÅ Seçenekleri Kaydet', 'script name' => 'Komut adı:', +'search' => 'Ara', 'secondary dns' => 'Ä°kincil DNS:', 'secondary ntp server' => 'Ä°kincil NTP sunucusu', 'secondary wins server address' => 'Ä°kincil WINS sunucu adresi', @@ -2248,6 +2303,9 @@ 'umount removable media before to unplug' => 'TaÅınabilir aygıtı çıkartmadan önce <b>Ayır</b> dÃŒÄmesi ile sistemden ayırın', 'unable to alter profiles while red is active' => 'KIRMIZI aktifken profil deÄiÅtirilemez.', 'unable to contact' => 'BaÄlantı Kurulamadı', +'unblock' => 'Engeli kaldır', +'unblock all' => 'TÃŒm engeli kaldır', +'uncheck all' => 'TÃŒmÃŒnÃŒ bırak', 'unencrypted' => 'Åifresiz', 'uninstall' => 'Kaldır', 'unix charset' => 'UNIX karakterleri', @@ -2596,6 +2654,7 @@ 'vpn configuration main' => 'VPN yapılandırma - Ana', 'vpn delayed start' => 'VPN baÅlamadan önce bekle (saniye)', 'vpn delayed start help' => 'EÄer gerekirse, bu gecikme Dinamik DNS gÃŒncelleÅtirmelerini dÃŒzgÃŒn yayılmasına olanak saÄlamak için kullanılabilir. 60, KIRMIZI dinamik IP için ortak bir deÄerdir.', +'vpn force mobike' => 'MOBIKE kullanmaya zorla (sadece IKEv2)', 'vpn incompatible use of defaultroute' => 'hostname=%defaultroute izin verilmiyor', 'vpn keyexchange' => 'Anahtar deÄiÅimi', 'vpn local id' => 'Yerel kimlik', @@ -2608,6 +2667,8 @@ 'vpn payload compression' => 'YÃŒk sıkıÅtırma anlaÅması', 'vpn red name' => 'KIRMIZI arabirim veya <%defaultroute> için gerçek IP veya FQDN', 'vpn remote id' => 'Uzak kimlik (ID)', +'vpn statistic n2n' => 'AÄdan AÄa OpenVPN Ä°statistiÄi', +'vpn statistic rw' => 'Roadwarrior OpenVPN Ä°statistiÄi', 'vpn subjectaltname' => 'Alternatif konu adı', 'vpn watch' => 'KarÅı eÅ IP deÄiÅtirdiÄinde (dyndns) aÄdan-aÄa VPN baÄlantısını yeniden baÅlat. Bu DPD ye yardımcı olur.', 'waiting to synchronize clock' => 'Saat eÅleÅtirmesi bekleniyor', diff --git a/lfs/Config b/lfs/Config index 415766d..a65b0cf 100644 
--- a/lfs/Config +++ b/lfs/Config @@ -66,8 +66,9 @@ DIR_TMP = /tmp # define FIND_FILES cd $(ROOT)/ && find -mount \ - -not -path './tools*' -not -path './tmp*' -not -path './usr/src*' -not -path './run/*' \ - -not -path './dev*' -not -path './proc*' -not -path './install*' | sort + ( -path './tools' -or -path './tmp' -or -path './usr/src' \ + -or -path './run' -or -path './dev' -or -path './proc' \ + -or -path './install' ) -prune -or -print | sort endef
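Review bot: the grouping parentheses in the new FIND_FILES definition are shown unescaped (`( -path './tools' ...` and `) -prune`); in the shell that is a subshell, not a find expression, so unless the backslashes were lost in transit these need to be `\(` and `\)`. Two behaviour changes are also worth stating in the commit message: the old `-not -path './run/*'` kept the `./run` entry itself in the list while the new `-path './run' ... -prune` drops it, and the old prefix patterns (`'./tmp*'`, `'./dev*'`) also excluded siblings such as `./tmpfoo`, which are now listed. If the file list feeds the packaging, the missing `./run` entry is the one to check.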
# This is common starting logic for builds. diff --git a/lfs/arping b/lfs/arping index 13eb05e..86f7279 100644 --- a/lfs/arping +++ b/lfs/arping @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007 Michael Tremer & Christian Schmidt # +# Copyright (C) 2015 Michael Tremer & Christian Schmidt # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@
include Config
-VER = 2.05 +VER = 2.15
THISAPP = arping-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 96e7c2ce8ae09046e264a314eeaac4dd +$(DL_FILE)_MD5 = 676584f6eb4ccc8c70fc6b2c702df75d
install : $(TARGET)
@@ -70,7 +70,11 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP) && ./bootstrap.sh + cd $(DIR_APP) && ./configure --prefix=/usr + cd $(DIR_APP) && make $(MAKETUNING) - cd $(DIR_APP) && install -m 0755 arping /usr/sbin + cd $(DIR_APP) && make install + @rm -rf $(DIR_APP) @$(POSTBUILD) diff --git a/lfs/boost b/lfs/boost index b9b5015..12c0a5b 100644 --- a/lfs/boost +++ b/lfs/boost @@ -48,9 +48,7 @@ CONFIGURE_OPTIONS = \ debug-symbols=off \ pch=off
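Review bot: in the arping @@ -70 hunk the recipe changes from copying the built `arping` into /usr/sbin to `./bootstrap.sh && ./configure --prefix=/usr && make install`; confirm that the new install still puts the binary in /usr/sbin (not /usr/bin), since callers and the rootfile list depend on the old location, and note that `bootstrap.sh` now makes autoconf/automake a build-time dependency of this package. Given that the version jumps from 2.05 to 2.15 in the same commit, a one-line changelog pointer in the commit message would help.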
-ifeq "$(MACHINE)" "armv5tel" - MAKETUNING = -j2 -endif +MAKETUNING = -j2
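Review bot: the boost hunk makes `MAKETUNING = -j2` unconditional where it previously applied only to armv5tel, so every other architecture now builds boost with two jobs regardless of the global MAKETUNING. If the motive is memory pressure during the boost build, say so in a comment; if it is only the ARM builders, keep the `ifeq` and add the other affected machines to it.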
############################################################################### # Top-level Rules diff --git a/lfs/clamav b/lfs/clamav index 5fd8426..ea6efc3 100644 --- a/lfs/clamav +++ b/lfs/clamav @@ -24,7 +24,7 @@
include Config
-VER = 0.98.7 +VER = 0.99
THISAPP = clamav-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = clamav -PAK_VER = 29 +PAK_VER = 30
DEPS = ""
@@ -48,7 +48,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 157c601161da1c2d5a0e48ea1b49e067 +$(DL_FILE)_MD5 = ae79c3982761ba1815dbce17f846bab6
install : $(TARGET)
@@ -58,7 +58,7 @@ download :$(patsubst %,$(DIR_DL)/%,$(objects))
md5 : $(subst %,%_MD5,$(objects))
-dist: +dist: $(PAK)
############################################################################### diff --git a/lfs/configroot b/lfs/configroot index 601cdf6..cb74996 100644 --- a/lfs/configroot +++ b/lfs/configroot @@ -54,7 +54,7 @@ $(TARGET) : ethernet extrahd/bin fwlogs fwhosts firewall isdn key langs logging mac main \ menu.d modem net-traffic net-traffic/templates nfs optionsfw \ ovpn patches pakfire portfw ppp private proxy/advanced/cre \ - proxy/calamaris/bin qos/bin red remote sensors snort time tripwire/report \ + proxy/calamaris/bin qos/bin red remote sensors snort time \ updatexlrator/bin updatexlrator/autocheck urlfilter/autoupdate urlfilter/bin upnp vpn \ wakeonlan wireless ; do \ mkdir -p $(CONFIG_ROOT)/$$i; \ @@ -69,7 +69,7 @@ $(TARGET) : isdn/settings mac/settings main/disable_nf_sip main/hosts main/routing main/settings net-traffic/settings optionsfw/settings \ ovpn/ccd.conf ovpn/ccdroute ovpn/ccdroute2 pakfire/settings portfw/config ppp/settings-1 ppp/settings-2 ppp/settings-3 ppp/settings-4 \ ppp/settings-5 ppp/settings proxy/settings proxy/squid.conf proxy/advanced/settings proxy/advanced/cre/enable remote/settings qos/settings qos/classes qos/subclasses qos/level7config qos/portconfig \ - qos/tosconfig snort/settings tripwire/settings upnp/settings vpn/config vpn/settings vpn/ipsec.conf \ + qos/tosconfig snort/settings upnp/settings vpn/config vpn/settings vpn/ipsec.conf \ vpn/ipsec.secrets vpn/caconfig wakeonlan/clients.conf wireless/config wireless/settings; do \ touch $(CONFIG_ROOT)/$$i; \ done diff --git a/lfs/cryptodev b/lfs/cryptodev deleted file mode 100644 index 00e83e7..0000000 --- a/lfs/cryptodev +++ /dev/null 
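Review bot: both configroot hunks only stop creating `tripwire/report` and `tripwire/settings` under $(CONFIG_ROOT); existing installs will keep those directories and the old settings file (which held site and local key passphrases in clear text, as the deleted CGI shows) until something removes them. Pair this with a cleanup in the update script.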
@@ -1,89 +0,0 @@ -############################################################################### -# # -# IPFire.org - A linux based firewall # -# Copyright (C) 2007-2011 IPFire Team info@ipfire.org # -# # -# This program is free software: you can redistribute it and/or modify # -# it under the terms of the GNU General Public License as published by # -# the Free Software Foundation, either version 3 of the License, or # -# (at your option) any later version. # -# # -# This program is distributed in the hope that it will be useful, # -# but WITHOUT ANY WARRANTY; without even the implied warranty of # -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # -# GNU General Public License for more details. # -# # -# You should have received a copy of the GNU General Public License # -# along with this program. If not, see http://www.gnu.org/licenses/. # -# # -############################################################################### - -############################################################################### -# Definitions -############################################################################### - -include Config - -ifeq "$(KCFG)" "-xen" - KVER = 2.6.32.61 -endif - -VERSUFIX=ipfire$(KCFG) - -VER = 6aa62a2c320b04f55fdfe0ed015c3d9b48997239 - -THISAPP = cryptodev-linux-$(VER) -DL_FILE = $(THISAPP).tar.gz -DL_FROM = $(URL_IPFIRE) -DIR_APP = $(DIR_SRC)/$(THISAPP) -TARGET = $(DIR_INFO)/$(THISAPP)-kmod-$(KVER)-$(VERSUFIX) - -############################################################################### -# Top-level Rules -############################################################################### - -objects = $(DL_FILE) - -$(DL_FILE) = $(DL_FROM)/$(DL_FILE) - -$(DL_FILE)_MD5 = ddf7876487c876f6676ef0e050e9d204 - -install : $(TARGET) - -check : $(patsubst %,$(DIR_CHK)/%,$(objects)) - -download :$(patsubst %,$(DIR_DL)/%,$(objects)) - -md5 : $(subst %,%_MD5,$(objects)) - -dist: - $(PAK) - 
-############################################################################### -# Downloading, checking, md5sum -############################################################################### - -$(patsubst %,$(DIR_CHK)/%,$(objects)) : - @$(CHECK) - -$(patsubst %,$(DIR_DL)/%,$(objects)) : - @$(LOAD) - -$(subst %,%_MD5,$(objects)) : - @$(MD5) - -############################################################################### -# Installation Details -############################################################################### - -$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) - @$(PREBUILD) - @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP) && make build \ - KERNEL_DIR=/lib/modules/$(KVER)-$(VERSUFIX)/build - - -mkdir -pv /usr/include/crypto - cd $(DIR_APP) && make install \ - KERNEL_DIR=/lib/modules/$(KVER)-$(VERSUFIX)/build - @rm -rf $(DIR_APP) - @$(POSTBUILD) diff --git a/lfs/curl b/lfs/curl index 7de9aa3..29de280 100644 --- a/lfs/curl +++ b/lfs/curl @@ -70,7 +70,10 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar xvf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP) && ./configure --prefix=/usr --disable-ipv6 + cd $(DIR_APP) && ./configure \ + --prefix=/usr \ + --disable-ipv6 \ + --with-ca-bundle=/etc/ssl/certs/ca-bundle.crt cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install # Create symlink to new curl lib for old binaries diff --git a/lfs/dma b/lfs/dma index cf264ea..64ed944 100644 --- a/lfs/dma +++ b/lfs/dma 
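Review bot: the curl hunk adds `--with-ca-bundle=/etc/ssl/certs/ca-bundle.crt`, which means every certificate-verified HTTPS fetch through this curl now depends on that file existing and being current at runtime. Please confirm which lfs file installs and refreshes ca-bundle.crt and that it is in the rootfile, otherwise verified requests fail outright after this change.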
@@ -73,6 +73,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) mkdir -pv /var/ipfire/dma touch /var/ipfire/dma/mail.conf + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/dma-0.10-better-authentication.patch cd $(DIR_APP) && sed -i '/PREFIX/s/usr/local/usr/g' Makefile cd $(DIR_APP) && sed -i '/CONFDIR/s/etc/dma/var/ipfire/dma/g' Makefile cd $(DIR_APP) && make diff --git a/lfs/dnsmasq b/lfs/dnsmasq index db56091..c8fd7db 100644 --- a/lfs/dnsmasq +++ b/lfs/dnsmasq 
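Review bot: the dma hunk applies `dma-0.10-better-authentication.patch`, but the patch itself is not in this diff and the commit does not say what it changes in the SMTP authentication path. Since this is the mail agent that sends the new e-mail service test messages, document the patch's origin (upstream commit or local) and what it fixes, ideally in the patch header.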
@@ -82,6 +82,21 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/007-handle_signed_dangling_CNAME_replies_to_DS_queries.patch cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/008-DHCPv6_option_56_does_not_hold_an_address_list.patch cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/009-Respect_the_--no_resolv_flag_in_inotify_code.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/010-Rationalise_5e3e464ac4022ee0b3794513abe510817e2cf3ca.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/011-Catch_errors_from_sendmsg_in_DHCP_code.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/012-Update_list_of_subnet_for_--bogus-priv.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/013-Fix_crash_when_empty_address_from_DNS_overlays_A_record_from.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/014-Handle_unknown_DS_hash_algos_correctly.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/015-Fix_crash_at_start_up_with_conf-dir.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/016-Major_rationalisation_of_DNSSEC_validation.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/017-Abandon_caching_RRSIGs_and_returning_them_from_cache.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/018-Move_code_which_caches_DS_records_to_a_more_logical_place.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/019-Generalise_RR-filtering_code_for_use_with_EDNS0.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/020-DNSSEC_validation_tweak.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/021-Tweaks_to_EDNS0_handling_in_DNS_replies.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/022-Tidy_up_DNSSEC_non-existence_code_Check_zone_status_is_NSEC_proof_bad.patch + cd 
$(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/023-Fix_brace_botch_in_dnssec_validate_ds.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/024-Do_a_better_job_of_determining_which_DNSSEC_sig_algos_are_supported.patch cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch
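Review bot: the dnsmasq hunk adds fifteen upstream patches (010 to 024) in one go, several of which rework DNSSEC validation (014, 016, 017, 020, 022, 023, 024) and one of which fixes a crash (013). Please make sure the commit message calls out the crash fix, and that DNSSEC resolution is regression-tested on the built image (a known-good signed domain, a known-bad one, and an unsigned one) before the release, since a validation regression here silently breaks name resolution for everyone behind the firewall.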
cd $(DIR_APP) && sed -i src/config.h \ diff --git a/lfs/ebtables b/lfs/ebtables index a7da349..0c55a21 100644 --- a/lfs/ebtables +++ b/lfs/ebtables @@ -77,7 +77,7 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP) && make $(MAKETUNING) + cd $(DIR_APP) && make $(MAKETUNING) CFLAGS="$(CFLAGS)" cd $(DIR_APP) && make install @rm -rf $(DIR_APP) @$(POSTBUILD) diff --git a/lfs/grub b/lfs/grub index bcbcbd0..3e613a8 100644 --- a/lfs/grub +++ b/lfs/grub @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2014 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2015 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -78,6 +78,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/grub-2.00_disable_vga_fallback.patch + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/0001-Fix-CVE-2015-8370-Grub2-user-pass-vulnerability.patch cd $(DIR_APP) && \ ./configure \ --prefix=/usr \ diff --git a/lfs/initscripts b/lfs/initscripts index 141fd66..538ea4d 100755 --- a/lfs/initscripts +++ b/lfs/initscripts @@ -61,6 +61,9 @@ $(TARGET) : -rm -rf /etc/init.d ln -svf rc.d/init.d /etc/init.d
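Review bot: the grub hunk applies `0001-Fix-CVE-2015-8370-Grub2-user-pass-vulnerability.patch` on top of the existing grub-2.00 fallback patch; since CVE-2015-8370 was fixed upstream after 2.00, the patch is a backport, so its header should reference the upstream commit it was taken from and the commit message should name the CVE. Also worth a sentence in the message: in the ebtables hunk on this line, passing `CFLAGS="$(CFLAGS)"` changes the compiler flags the package was previously built with.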
+ # Create default ramdisk configuration + echo "RAMDISK_MODE=0" > /etc/sysconfig/ramdisk + for i in $(DIR_SRC)/src/initscripts/init.d/*; do \ install -v -m 754 $$i /etc/rc.d/init.d/; \ done @@ -128,9 +131,6 @@ $(TARGET) : ln -sf ../init.d/random /etc/rc.d/rc3.d/S25random ln -sf ../init.d/random /etc/rc.d/rc6.d/K45random ln -sf ../../sysconfig/rc.local /etc/rc.d/rc3.d/S98rc.local - ln -sf ../init.d/tmpfs /etc/rc.d/rc0.d/K85tmpfs - ln -sf ../init.d/tmpfs /etc/rc.d/rc3.d/S01tmpfs - ln -sf ../init.d/tmpfs /etc/rc.d/rc6.d/K85tmpfs ln -sf ../init.d/mediatomb /etc/rc.d/rc3.d/S98mediatomb ln -sf ../init.d/mediatomb /etc/rc.d/rc0.d/K02mediatomb ln -sf ../init.d/mediatomb /etc/rc.d/rc6.d/K02mediatomb @@ -178,6 +178,9 @@ $(TARGET) : ln -sf ../init.d/firewall /etc/rc.d/rcsysinit.d/S85firewall ln -sf ../init.d/network-trigger /etc/rc.d/rcsysinit.d/S90network-trigger ln -sf ../init.d/rngd /etc/rc.d/rcsysinit.d/S92rngd + ln -sf ../init.d/vnstat /etc/rc.d/rc3.d/S01vnstat + ln -sf ../init.d/vnstat /etc/rc.d/rc0.d/K51vnstat + ln -sf ../init.d/vnstat /etc/rc.d/rc6.d/K51vnstat ln -sf ../init.d/wlanclient /etc/rc.d/rc0.d/K82wlanclient ln -sf ../init.d/wlanclient /etc/rc.d/rc3.d/S19wlanclient ln -sf ../init.d/wlanclient /etc/rc.d/rc6.d/K82wlanclient diff --git a/lfs/liboping b/lfs/liboping index cfe985c..2437959 100644 --- a/lfs/liboping +++ b/lfs/liboping @@ -70,6 +70,7 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar jxf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP) && sed -e "s/-Werror//g" -i src/Makefile.* cd $(DIR_APP) && ./configure --prefix=/usr cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install diff --git a/lfs/libpri b/lfs/libpri index 4e1f2e5..60c9498 100644 --- a/lfs/libpri +++ b/lfs/libpri 
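Review bot: the initscripts hunks remove the three tmpfs rc links (K85/S01/K85) and write a default `RAMDISK_MODE=0` into /etc/sysconfig/ramdisk, but add no rc link for whatever service reads that setting; either add the ramdisk links here or state where they are wired. Separately, since the file is written unconditionally at build time, make sure the updater does not overwrite a user's existing /etc/sysconfig/ramdisk with the default.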
@@ -77,7 +77,8 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP) && make $(MAKETUNING) clean all KVERS=$(KVER) + cd $(DIR_APP) && make $(MAKETUNING) clean all KVERS=$(KVER) \ + CFLAGS="$(CFLAGS)" cd $(DIR_APP) && make install KVERS=$(KVER) @rm -rf $(DIR_APP) @$(POSTBUILD) diff --git a/lfs/mISDNuser b/lfs/mISDNuser index c471c76..923696a 100644 --- a/lfs/mISDNuser +++ b/lfs/mISDNuser @@ -70,6 +70,7 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_SRC)/mISDNuser && cd $(DIR_SRC) && tar Jxf $(DIR_DL)/$(DL_FILE) + cd $(DIR_SRC)/mISDNuser && sed -e "s/-Werror//g" -i */Makefile.* cd $(DIR_SRC)/mISDNuser && make cd $(DIR_SRC)/mISDNuser && ./configure --prefix=/usr --with-AF_ISDN=34 cd $(DIR_SRC)/mISDNuser && make MISDNDIR=/usr/src/linux diff --git a/lfs/mc b/lfs/mc index 4dc937c..091b58a 100644 --- a/lfs/mc +++ b/lfs/mc @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2014 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2015 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@
include Config
-VER = 4.8.13 +VER = 4.8.15
THISAPP = mc-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = mc -PAK_VER = 10 +PAK_VER = 11
DEPS = ""
@@ -44,7 +44,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = d967caa12765eb86e52a6a63ca202500 +$(DL_FILE)_MD5 = 7c1935433866fdf59a3c2d9b7dae81ad
install : $(TARGET)
@@ -54,7 +54,7 @@ download :$(patsubst %,$(DIR_DL)/%,$(objects))
md5 : $(subst %,%_MD5,$(objects))
-dist: +dist: @$(PAK)
############################################################################### @@ -80,7 +80,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) cd $(DIR_APP) && ./configure --prefix=/usr \ --sysconfdir=/etc \ --without-x --disable-nls \ - --with-samba \ --with-screen=ncurses cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install diff --git a/lfs/mdadm b/lfs/mdadm index 29d495d..de97034 100644 --- a/lfs/mdadm +++ b/lfs/mdadm @@ -24,7 +24,7 @@
include Config
-VER = 3.3.2 +VER = 3.3.4
THISAPP = mdadm-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 44698d351501cac6a89072dc877eb220 +$(DL_FILE)_MD5 = 7ca8b114710f98f53f20c5787b674a09
install : $(TARGET)
diff --git a/lfs/nano b/lfs/nano index bf80810..c08ec88 100644 --- a/lfs/nano +++ b/lfs/nano @@ -24,7 +24,7 @@
include Config
-VER = 2.4.2 +VER = 2.5.0
THISAPP = nano-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = nano -PAK_VER = 6 +PAK_VER = 7
DEPS = ""
@@ -44,7 +44,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = ce6968992fec4283c17984b53554168b +$(DL_FILE)_MD5 = 751ed96457017572bab15be18cb873ba
install : $(TARGET)
diff --git a/lfs/ntp b/lfs/ntp index c03624e..2d04b17 100644 --- a/lfs/ntp +++ b/lfs/ntp @@ -70,6 +70,7 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/ntp-fix-sycing-with-local-clock.patch cd $(DIR_APP) && \ ./configure \ --prefix=/usr \ @@ -85,7 +86,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) chown -R ntp:ntp /etc/ntp echo "disable monitor" > /etc/ntp.conf echo "restrict default nomodify noquery" >> /etc/ntp.conf - echo "server 127.127.1.0" >> /etc/ntp.conf + echo "server 127.127.1.0 prefer" >> /etc/ntp.conf echo "fudge 127.127.1.0 stratum 10" >> /etc/ntp.conf echo "driftfile /etc/ntp/drift" >> /etc/ntp.conf
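Review bot: the patch file name `ntp-fix-sycing-with-local-clock.patch` has a typo ("sycing"); rename it to `ntp-fix-syncing-with-local-clock.patch` in src/patches and in this recipe before merging. The change from `server 127.127.1.0` to `server 127.127.1.0 prefer` also deserves a comment in the recipe: `prefer` on the local clock driver changes which source wins ntpd's selection, and the reason (falling back to the local clock when no network server is usable, as the patch name suggests) is not recorded anywhere in the diff.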
diff --git a/lfs/openssl b/lfs/openssl index 153a6b9..1dc24ac 100644 --- a/lfs/openssl +++ b/lfs/openssl @@ -24,7 +24,7 @@
include Config
-VER = 1.0.2d +VER = 1.0.2e
THISAPP = openssl-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -86,7 +86,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 38dd619b2e77cbac69b99f52a053d25a +$(DL_FILE)_MD5 = 2218c1a6f807f7206c11eb3ee3a5ec80
install : $(TARGET)
@@ -127,6 +127,10 @@ ifeq "$(MACHINE)" "i586" cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.2a_disable_ssse3_for_amd.patch endif
+ # With openssl 1.0.2e, pod2mantest is missing + echo -e "#!/bin/bash\necho $$(which pod2man)" > $(DIR_APP)/util/pod2mantest + chmod a+x $(DIR_APP)/util/pod2mantest + # Apply our CFLAGS cd $(DIR_APP) && sed -i Configure \ -e "s/-O3 -fomit-frame-pointer/$(CFLAGS)/g" diff --git a/lfs/openvmtools b/lfs/openvmtools index d12a63c..72101d5 100644 --- a/lfs/openvmtools +++ b/lfs/openvmtools @@ -24,7 +24,7 @@
include Config
-VER = 8.4.2-261024 +VER = 10.0.5-3227872
THISAPP = open-vm-tools-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -33,11 +33,11 @@ DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) SUP_ARCH = x86_64 i586 PROG = openvmtools -PAK_VER = 1 +PAK_VER = 2
DEPS = ""
-CFLAGS += -fno-PIC +#CFLAGS += -fno-PIC
############################################################################### # Top-level Rules @@ -47,7 +47,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 4d9ddc865b42fc6982c3078031500486 +$(DL_FILE)_MD5 = 734eccf6e9e007cb37dc4eb3ed6707b5
install : $(TARGET)
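Review bot: `+#CFLAGS += -fno-PIC` in the openvmtools hunk leaves a commented-out line in place of the removed flag; either drop the line entirely (git history keeps the old value) or add a comment stating why 10.0.5-3227872 no longer needs `-fno-PIC`, so the next reader does not have to guess whether it was disabled deliberately or by accident.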
@@ -79,12 +79,15 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP) && sed -e "s/-Werror//g" -i configure.ac + cd $(DIR_APP) && autoreconf -vfi cd $(DIR_APP) && ./configure --prefix=/usr \ --with-kernel-release=$(KVER)-ipfire --without-pam \ --disable-unity --without-gtk2 --without-gtkmm \ - --without-procps --without-dnet --without-icu \ + --without-procps --without-icu \ --without-x --with-linuxdir=/usr/src/linux \ - --without-kernel-modules + --without-kernel-modules --disable-deploypkg \ + --without-xerces-c --without-xerces cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install ln -sf ../init.d/openvmtools /etc/rc.d/rc3.d/S60openvmtools diff --git a/lfs/rrdtool b/lfs/rrdtool index f156400..b85c797 100644 --- a/lfs/rrdtool +++ b/lfs/rrdtool @@ -24,7 +24,7 @@
include Config
-VER = 1.5.4 +VER = 1.5.5
THISAPP = rrdtool-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 4daea1e628e1c70d91800d6a06427dc1 +$(DL_FILE)_MD5 = d8b3dcb3d193c2d6ad0a282bde69ee11
install : $(TARGET)
diff --git a/lfs/squid-accounting b/lfs/squid-accounting index 2e45c24..ff78d36 100644 --- a/lfs/squid-accounting +++ b/lfs/squid-accounting @@ -15,7 +15,7 @@ THISAPP = squid-accounting-$(VER) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = squid-accounting -PAK_VER = 8 +PAK_VER = 9
DEPS = "perl-DBI perl-DBD-SQLite perl-File-ReadBackwards perl-PDF-API2"
diff --git a/lfs/strongswan b/lfs/strongswan index 2a181a3..c6d655b 100644 --- a/lfs/strongswan +++ b/lfs/strongswan @@ -24,7 +24,7 @@
include Config
-VER = 5.3.3 +VER = 5.3.5
THISAPP = strongswan-$(VER) DL_FILE = $(THISAPP).tar.bz2 @@ -48,7 +48,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 5a25f3d1c31a77ef44d14a2e7b3eaad0 +$(DL_FILE)_MD5 = a2f9ea185f27e7f8413d4cd2ee61efe4
install : $(TARGET)
@@ -79,6 +79,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-ipfire.patch + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/strongswan-child-rekey-Suppress-updown-event-when-deleting-redundant-CHILD_SAs.patch
cd $(DIR_APP) && ./configure \ --prefix="/usr" \ diff --git a/lfs/tripwire b/lfs/tripwire deleted file mode 100644 index 9942441..0000000 --- a/lfs/tripwire +++ /dev/null 
@@ -1,98 +0,0 @@ -############################################################################### -# # -# IPFire.org - A linux based firewall # -# Copyright (C) 2007 Michael Tremer & Christian Schmidt # -# # -# This program is free software: you can redistribute it and/or modify # -# it under the terms of the GNU General Public License as published by # -# the Free Software Foundation, either version 3 of the License, or # -# (at your option) any later version. # -# # -# This program is distributed in the hope that it will be useful, # -# but WITHOUT ANY WARRANTY; without even the implied warranty of # -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # -# GNU General Public License for more details. # -# # -# You should have received a copy of the GNU General Public License # -# along with this program. If not, see http://www.gnu.org/licenses/. # -# # -############################################################################### - -############################################################################### -# Definitions -############################################################################### - -include Config - -VER = 2.4.1.2 - -THISAPP = tripwire-$(VER) -DL_FILE = $(THISAPP)-src.tar.bz2 -DL_FROM = $(URL_IPFIRE) -DIR_APP = $(DIR_SRC)/$(THISAPP) -TARGET = $(DIR_INFO)/$(THISAPP) -PROG = tripwire -PAK_VER = 1 -CFLAGS = -CXXFLAGS = - -DEPS = "" - -############################################################################### -# Top-level Rules -############################################################################### - -objects = $(DL_FILE) - -$(DL_FILE) = $(DL_FROM)/$(DL_FILE) - -$(DL_FILE)_MD5 = 8a1147c278b528ed593023912c4b649a - -install : $(TARGET) - -check : $(patsubst %,$(DIR_CHK)/%,$(objects)) - -download :$(patsubst %,$(DIR_DL)/%,$(objects)) - -md5 : $(subst %,%_MD5,$(objects)) - -dist: - $(PAK) - -############################################################################### -# Downloading, checking, md5sum 
-############################################################################### - -$(patsubst %,$(DIR_CHK)/%,$(objects)) : - @$(CHECK) - -$(patsubst %,$(DIR_DL)/%,$(objects)) : - @$(LOAD) - -$(subst %,%_MD5,$(objects)) : - @$(MD5) - -############################################################################### -# Installation Details -############################################################################### - -$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) - @$(PREBUILD) - @rm -rf $(DIR_APP)* && cd $(DIR_SRC) && tar jxf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP)-src && ln -fs contrib install - cd $(DIR_APP)-src && sed -i -e 's@TWDB="$${prefix}@TWDB="/var@' \ - -e 's@^CLOBBER="false"@CLOBBER="true"@' install/install.cfg - cd $(DIR_APP)-src && sed -i -e 's@^PROMPT="true"@PROMPT="false"@' \ - -e 's@^TW_SITE_PASS=""@TW_SITE_PASS="ipfire"@' \ - -e 's@^TW_LOCAL_PASS=""@TW_LOCAL_PASS="ipfire"@' \ - install/install.sh - cd $(DIR_APP)-src && ./configure --prefix=/usr --sysconfdir=/var/ipfire/tripwire - cd $(DIR_APP)-src && make $(MAKETUNING) $(EXTRA_MAKE) - cd $(DIR_APP)-src && for i in siggen tripwire twadmin twprint; do \ - cp -vf $(DIR_APP)-src/bin/$$i /usr/sbin; \ - done - cp -vrf $(DIR_SRC)/config/tripwire/* /var/ipfire/tripwire/ - cp -vfp /var/ipfire/tripwire/twcfg.txt /var/ipfire/tripwire/twcfg.default - cp -vfp /var/ipfire/tripwire/twpol.txt /var/ipfire/tripwire/twpol.default - @rm -rf $(DIR_APP)* - @$(POSTBUILD) diff --git a/lfs/vnstat b/lfs/vnstat index b8c8b27..1c1333b 100644 --- a/lfs/vnstat +++ b/lfs/vnstat @@ -76,6 +76,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) cd $(DIR_APP) && make all $(MAKETUNING) LOCAL_CONFIGURE_OPTIONS="--enable-readline=yes" cd $(DIR_APP) && make install sed -i 's|eth0|green0|g' /etc/vnstat.conf - sed -i 's|/var/lib/vnstat|/var/log/rrd/vnstat|g' /etc/vnstat.conf + sed -i 's|/var/lib/vnstat|/var/log/vnstat|g' /etc/vnstat.conf @rm -rf $(DIR_APP) @$(POSTBUILD) 
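Review bot: deleting lfs/tripwire removes the host file-integrity checker from the tree (the make.sh hunk drops `ipfiremake tripwire` as well), and the commit message should state why and how installations that have the tripwire package installed are handled on update. Worth recording there too: the deleted recipe baked fixed passphrases into the installer via `-e 's@^TW_SITE_PASS=""@TW_SITE_PASS="ipfire"@'` and `-e 's@^TW_LOCAL_PASS=""@TW_LOCAL_PASS="ipfire"@'`, so every shipped integrity database was signed with a publicly known key and gave little assurance; that is a sound reason not to keep the package in this form.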
diff --git a/lfs/xtables-addons b/lfs/xtables-addons index 1848dc9..e2d9c6f 100644 --- a/lfs/xtables-addons +++ b/lfs/xtables-addons @@ -102,6 +102,7 @@ else
# Install the built kernel modules. cd $(DIR_APP) && for f in $$(ls extensions/*.ko); do \ + mkdir -p $(MODPATH); \ install -m 644 $$f $(MODPATH); \ done endif diff --git a/make.sh b/make.sh index ff67537..39089cd 100755 --- a/make.sh +++ b/make.sh @@ -25,8 +25,8 @@ NAME="IPFire" # Software name SNAME="ipfire" # Short name VERSION="2.17" # Version number -CORE="95" # Core Level (Filename) -PAKFIRE_CORE="95" # Core Level (PAKFIRE) +CORE="96" # Core Level (Filename) +PAKFIRE_CORE="96" # Core Level (PAKFIRE) GIT_BRANCH=`git rev-parse --abbrev-ref HEAD` # Git Branch SLOGAN="www.ipfire.org" # Software slogan CONFIG_ROOT=/var/ipfire # Configuration rootdir @@ -422,7 +422,6 @@ buildipfire() { x86_64) ipfiremake linux KCFG="" ipfiremake backports KCFG="" - ipfiremake cryptodev KCFG="" ipfiremake e1000e KCFG="" ipfiremake igb KCFG="" ipfiremake ixgbe KCFG="" @@ -433,7 +432,6 @@ buildipfire() { # x86-pae (Native and new XEN) kernel build ipfiremake linux KCFG="-pae" ipfiremake backports KCFG="-pae" - ipfiremake cryptodev KCFG="-pae" ipfiremake e1000e KCFG="-pae" ipfiremake igb KCFG="-pae" ipfiremake ixgbe KCFG="-pae" @@ -443,7 +441,6 @@ buildipfire() { # x86 kernel build ipfiremake linux KCFG="" ipfiremake backports KCFG="" - ipfiremake cryptodev KCFG="" ipfiremake e1000e KCFG="" ipfiremake igb KCFG="" ipfiremake ixgbe KCFG="" @@ -455,14 +452,12 @@ buildipfire() { # arm-rpi (Raspberry Pi) kernel build ipfiremake linux KCFG="-rpi" ipfiremake backports KCFG="-rpi" - ipfiremake cryptodev KCFG="-rpi" ipfiremake xtables-addons KCFG="-rpi" ipfiremake linux-initrd KCFG="-rpi"
# arm multi platform (Panda, Wandboard ...) kernel build ipfiremake linux KCFG="-multi" ipfiremake backports KCFG="-multi" - ipfiremake cryptodev KCFG="-multi" ipfiremake e1000e KCFG="-multi" ipfiremake igb KCFG="-multi" ipfiremake ixgbe KCFG="-multi" @@ -472,7 +467,6 @@ buildipfire() { # arm-kirkwood (Dreamplug, ICY-Box ...) kernel build ipfiremake linux KCFG="-kirkwood" ipfiremake backports KCFG="-kirkwood" - ipfiremake cryptodev KCFG="-kirkwood" ipfiremake e1000e KCFG="-kirkwood" ipfiremake igb KCFG="-kirkwood" ipfiremake ixgbe KCFG="-kirkwood" @@ -685,7 +679,6 @@ buildipfire() { ipfiremake ncftp ipfiremake etherwake ipfiremake bwm-ng - ipfiremake tripwire ipfiremake sysstat ipfiremake vsftpd ipfiremake strongswan diff --git a/src/initscripts/init.d/cleanfs b/src/initscripts/init.d/cleanfs index e8c8c8b..2d5778d 100644 --- a/src/initscripts/init.d/cleanfs +++ b/src/initscripts/init.d/cleanfs @@ -77,7 +77,36 @@ case "${1}" in rm -rf /var/run ln -s ../run /var/run fi - + # + # create some folders + # + if [ ! -e /var/lock/subsys ]; then + mkdir -p /var/lock/subsys + fi + if [ ! -e /var/lock/time ]; then + mkdir -p /var/lock/time + chown nobody.root /var/lock/time + fi + if [ ! -e /var/run/clamav ]; then + mkdir -p /var/run/clamav + chown clamav:clamav /var/run/clamav + fi + if [ ! -e /var/run/cups ]; then + mkdir -p /var/run/cups + fi + if [ ! -e /var/run/dbus ]; then + mkdir -p /var/run/dbus + fi + if [ ! -e /var/run/mysql ]; then + mkdir -p /var/run/mysql + chown mysql:mysql /var/run/mysql + fi + if [ ! -e /var/run/saslauthd ]; then + mkdir -p /var/run/saslauthd + fi + if [ ! -e /var/log/vnstat ]; then + mkdir -p /var/log/vnstat + fi boot_mesg -n "Cleaning file systems:" ${INFO}
boot_mesg -n " /tmp" ${NORMAL} diff --git a/src/initscripts/init.d/collectd b/src/initscripts/init.d/collectd index 96bd126..761e9c3 100644 --- a/src/initscripts/init.d/collectd +++ b/src/initscripts/init.d/collectd @@ -1,7 +1,6 @@ #!/bin/sh # Begin $rc_base/init.d/collecd
- . /etc/sysconfig/rc . $rc_functions
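Review bot: `chown nobody.root /var/lock/time` in the cleanfs hunk uses the deprecated dot owner:group separator while the neighbouring lines use `clamav:clamav` and `mysql:mysql`; change it to `chown nobody:root /var/lock/time`. The `if [ ! -e ... ]; then mkdir -p ...; fi` wrappers are also redundant, since `mkdir -p` already succeeds on an existing directory; the guard only matters for the blocks that also chown, where it keeps ownership from being reset on every boot.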
@@ -13,6 +12,12 @@ fi
case "$1" in start) + if use_ramdisk; then + boot_mesg "Mounting RRD ramdisk..." + mount_ramdisk "${RRDLOG}" + evaluate_retval + fi + # If run from init and collectd alrady started then exit silent if [ "$(basename $0)" != "collectd" ]; then if [ "$(ps -A | grep " collectd$")" != "" ]; then @@ -106,12 +111,9 @@ case "$1" in boot_mesg "Stopping Collection daemon..." killproc /usr/sbin/collectd evaluate_retval - # Save the ramdisk at manual stop but not at shutdown - if [ "$(basename $0)" == "collectd" ]; then - /etc/init.d/tmpfs backup - fi - # sync after backup... - sync + + # Umount the ramdisk (if any) + umount_ramdisk "${RRDLOG}" ;; restart) ${0} stop @@ -122,8 +124,15 @@ case "$1" in statusproc /usr/sbin/collectd ;;
+ backup) + # Backup all data if ramdisk is used + if mountpoint "${RRDLOG}" &>/dev/null; then + ${0} restart + fi + ;; + *) - echo "Usage: $0 {start|stop|restart|status}" + echo "Usage: $0 {start|stop|restart|status|backup}" exit 1 ;; esac diff --git a/src/initscripts/init.d/fcron b/src/initscripts/init.d/fcron index 0260d4a..00a70bd 100644 --- a/src/initscripts/init.d/fcron +++ b/src/initscripts/init.d/fcron @@ -13,7 +13,6 @@ case "$1" in start) boot_mesg "Starting fcron..." - chown cron:cron /var/spool/cron loadproc /usr/sbin/fcron -y # remove -y to reenable fcron logging ;; diff --git a/src/initscripts/init.d/functions b/src/initscripts/init.d/functions index e2e058d..0d9b013 100644 --- a/src/initscripts/init.d/functions +++ b/src/initscripts/init.d/functions @@ -702,4 +702,86 @@ run_subdir() { done }
+mem_amount() { + local pagesize="$(getconf PAGESIZE)" + local pages="$(getconf _PHYS_PAGES)" + + echo "$(( ${pagesize} * ${pages} / 1024 / 1024 ))" +} + +use_ramdisk() { + eval $(/usr/local/bin/readhash /etc/sysconfig/ramdisk) + + case "${RAMDISK_MODE}" in + # Don't use ramdisk + 0) + return 1 + ;; + + # Always use ramdisk + 1) + return 0 + ;; + + # Automatic mode - use ramdisk if sufficient + # memory is available + 2) + local mem_avail="$(mem_amount)" + + if [ ${mem_avail} -ge 490 ]; then + return 0 + else + return 1 + fi + ;; + + # Fail for everything else + *) + return 2 + ;; + esac +} + +mount_ramdisk() { + local path="${1}" + local path_tmpfs="${path}.tmpfs" + + # Check if the ramdisk is already mounted + if mountpoint "${path}" &>/dev/null; then + return 0 + fi + + # Create ramdisk + mkdir -p "${path_tmpfs}" + mount -t tmpfs none "${path_tmpfs}" + + # Restore ramdisk content + cp -pR ${path}/* "${path_tmpfs}" + + # Move ramdisk to final destination + mount --move "${path_tmpfs}" "${path}" + rm -rf "${path_tmpfs}" +} + +umount_ramdisk() { + local path="${1}" + local path_tmpfs="${path}.tmpfs" + + # Check if a ramdisk is actually mounted + if ! mountpoint "${path}" &>/dev/null; then + return 0 + fi + + # Move the ramdisk + mkdir -p "${path_tmpfs}" + mount --move "${path}" "${path_tmpfs}" + + # Backup ramdisk content + cp -pR ${path_tmpfs}/* "${path}" + + # Destroy the ramdisk + umount "${path_tmpfs}" + rm -rf "${path_tmpfs}" +} + # End $rc_base/init.d/functions diff --git a/src/initscripts/init.d/snort b/src/initscripts/init.d/snort index e03c80f..58edf1e 100644 --- a/src/initscripts/init.d/snort +++ b/src/initscripts/init.d/snort @@ -20,6 +20,8 @@ PATH=/usr/local/sbin:/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin; export PATH eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) eval $(/usr/local/bin/readhash /var/ipfire/snort/settings)
+ALIASFILE="/var/ipfire/ethernet/aliases" + case "$1" in start) if [ "$BLUE_NETADDRESS" ]; then @@ -59,6 +61,19 @@ case "$1" in if [ "$LOCAL_IP" ]; then HOMENET+="$LOCAL_IP," fi + + # Check if the red device is set to static and + # any aliases have been configured. + if [ "${RED_TYPE}" == "STATIC" ] && [ -s "${ALIASFILE}" ]; then + # Read in aliases file. + while IFS="," read -r address mode remark; do + # Check if the alias is enabled. + [ "${mode}" = "on" ] || continue + + # Add alias to the list of HOMENET addresses. + HOMENET+="${address}," + done < "${ALIASFILE}" + fi fi HOMENET+="127.0.0.1" echo "ipvar HOME_NET [$HOMENET]" > /etc/snort/vars diff --git a/src/initscripts/init.d/tmpfs b/src/initscripts/init.d/tmpfs deleted file mode 100644 index 2ee2ffb..0000000 --- a/src/initscripts/init.d/tmpfs +++ /dev/null 
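Review bot: `mount -t tmpfs none "${path_tmpfs}"` in the functions hunk creates the ramdisk with no size limit, whereas the tmpfs script deleted below mounted it with `-o size=64M`; an unbounded tmpfs filled by growing RRD or vnstat data competes with the rest of the system for memory, so keep a size option sized for the data being restored. Two smaller points in the same hunk: `cp -pR ${path}/* "${path_tmpfs}"` is unquoted, fails when `${path}` is empty (the unmatched `*` stays literal) and skips dotfiles, so `cp -a "${path}/." "${path_tmpfs}/"` is safer; and in umount_ramdisk the copy back is followed by `umount` regardless of its result, so a failed copy (a full disk, for example) discards the only copy of the data, which a `|| return 1` on the cp before the umount would prevent. The `490` threshold in use_ramdisk also wants a comment saying where the number comes from.

Review bot: `[ "${RED_TYPE}" == "STATIC" ]` in the snort hunk uses bash's `==` in a `#!/bin/sh` script, while the `[ "${mode}" = "on" ]` test a few lines later uses the POSIX form; use `=` in both. The `while IFS="," read -r address mode remark` loop is otherwise fine, but since each `${address}` is appended straight into the HOME_NET list written to /etc/snort/vars, add a check that it is non-empty before `HOMENET+="${address},"`, so a blank or malformed line in the aliases file does not produce an empty entry.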
@@ -1,93 +0,0 @@ -#!/bin/sh -# Begin $rc_base/init.d/tmpfs - -. /etc/sysconfig/rc -. $rc_functions - -eval $(/usr/local/bin/readhash /var/ipfire/main/settings) - -if [ "$RRDLOG" = '' ]; then - RRDLOG=/var/log/rrd -fi - -case "$1" in - start) - $0 restore - if [ ! -e $RRDLOG.bak/vnstat ]; then - mkdir -p $RRDLOG.bak/vnstat - fi - if [ ! -e $RRDLOG/vnstat ]; then - mkdir -p $RRDLOG/vnstat - fi - # - # create some folders - # - if [ ! -e /var/lock/subsys ]; then - mkdir -p /var/lock/subsys - fi - if [ ! -e /var/lock/time ]; then - mkdir -p /var/lock/time - chown nobody.root /var/lock/time - fi - if [ ! -e /var/run/clamav ]; then - mkdir -p /var/run/clamav - chown clamav:clamav /var/run/clamav - fi - if [ ! -e /var/run/cups ]; then - mkdir -p /var/run/cups - fi - if [ ! -e /var/run/dbus ]; then - mkdir -p /var/run/dbus - fi - if [ ! -e /var/run/mysql ]; then - mkdir -p /var/run/mysql - chown mysql:mysql /var/run/mysql - fi - if [ ! -e /var/run/saslauthd ]; then - mkdir -p /var/run/saslauthd - fi - - # - # Move /var/spool/cron to ramdisk and make a symlink - # - if [ ! -L /var/spool/cron ]; then - cp -pR /var/spool/cron /var/log/rrd.bak/cron - mv /var/spool/cron /var/log/rrd/cron - ln -s /var/log/rrd/cron /var/spool/cron - fi - - echo_ok - ;; - stop) - $0 backup - ;; - - backup) - boot_mesg "Save ramdisk..." - cp -pR $RRDLOG/* $RRDLOG.bak/ - evaluate_retval - ;; - restore) - if ! mountpoint $RRDLOG &>/dev/null; then - mount -t tmpfs -o size=64M none "$RRDLOG" - fi - - if [ -e $RRDLOG.bak/cron/new.root ]; then - if [ -e $RRDLOG.bak/cron/root ]; then - rm -f $RRDLOG.bak/cron/new.root - fi - fi - if [ -e $RRDLOG.bak ];then - boot_mesg "Restore ramdisk..." - cp -pR $RRDLOG.bak/* $RRDLOG/ - fi - ;; - - - *) - echo "Usage: $0 {start|stop|backup}" - exit 1 - ;; -esac - -# End $rc_base/init.d/tmpfs diff --git a/src/initscripts/init.d/vnstat b/src/initscripts/init.d/vnstat new file mode 100755 index 0000000..518b2d7 --- /dev/null +++ b/src/initscripts/init.d/vnstat 
@@ -0,0 +1,38 @@ +#!/bin/sh +# Begin $rc_base/init.d/vnstat + +. /etc/sysconfig/rc +. $rc_functions + +eval $(/usr/local/bin/readhash /var/ipfire/main/settings) + +if [ "$VNSTATLOG" = '' ]; then + VNSTATLOG=/var/log/vnstat +fi + +case "$1" in + start) + if use_ramdisk; then + boot_mesg "Mounting vnstat ramdisk..." + mount_ramdisk "${VNSTATLOG}" + evaluate_retval + fi + ;; + stop) + umount_ramdisk "${VNSTATLOG}" + ;; + + backup) + # Backup all data if ramdisk is used + if mountpoint "${RRDLOG}" &>/dev/null; then + ${0} restart + fi + ;; + + *) + echo "Usage: $0 {start|stop|backup}" + exit 1 + ;; +esac + +# End $rc_base/init.d/vnstat diff --git a/src/initscripts/sysconfig/modules b/src/initscripts/sysconfig/modules index cdbcca4..5f8a77d 100644 --- a/src/initscripts/sysconfig/modules +++ b/src/initscripts/sysconfig/modules @@ -33,8 +33,4 @@ lp ### fusion # fusion
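Review bot: the `backup)` case in the new vnstat init script tests `mountpoint "${RRDLOG}"`, but this script mounts and unmounts `${VNSTATLOG}`; `RRDLOG` is collectd's variable (the block was copied from the collectd hunk), so the check should read `if mountpoint "${VNSTATLOG}" &>/dev/null; then`. The same case then calls `${0} restart`, but unlike collectd this script has no `restart)` case, so the call falls through to `*)`, prints the usage line and exits 1 without flushing anything. Add a `restart)` case (`${0} stop` followed by `${0} start`) or call stop and start directly, and list it in the usage string.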
-### cryptodev -# -cryptodev - # End /etc/sysconfig/modules diff --git a/src/installer/po/LINGUAS b/src/installer/po/LINGUAS index 8678850..6cba810 100644 --- a/src/installer/po/LINGUAS +++ b/src/installer/po/LINGUAS @@ -16,8 +16,10 @@ jv km_KH nl pl +pt pt_BR pt_PT +ro ro_RO ru rw diff --git a/src/installer/po/de.po b/src/installer/po/de.po index 93893d9..eab3da5 100644 --- a/src/installer/po/de.po +++ b/src/installer/po/de.po @@ -6,14 +6,15 @@ # Michael Tremer michael.tremer@ipfire.org, 2014 # Peter Cloudstone rmg-mainz@web.de, 2014 # Stefan Schantl stefan.schantl@ipfire.org, 2014 +# Sun Tiger, 2015 msgid "" msgstr "" "Project-Id-Version: IPFire Project\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2014-11-05 01:29+0000\n" -"PO-Revision-Date: 2014-11-07 15:02+0000\n" -"Last-Translator: Peter Cloudstone rmg-mainz@web.de\n" -"Language-Team: German (http://www.transifex.com/projects/p/ipfire/language/de/)%5Cn" +"PO-Revision-Date: 2015-05-07 16:56+0000\n" +"Last-Translator: Sun Tiger\n" +"Language-Team: German (http://www.transifex.com/mstremer/ipfire/language/de/)%5Cn" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" @@ -47,7 +48,7 @@ msgstr "WÀhlen Sie die gewÌnschte Sprache fÌr den Installationsprozess aus."
#: main.c:418 msgid "Unattended mode" -msgstr "Automatikmodus" +msgstr "Automatischer Modus"
#: main.c:420 msgid "<Tab>/<Alt-Tab> between elements | <Space> selects | <F12> next screen" @@ -134,7 +135,7 @@ msgstr "Lizenzvereinbarung"
#: main.c:544 msgid "License not accepted!" -msgstr "Lizenz nicht akzeptiert!" +msgstr "Lizenz wurde nicht akzeptiert!"
#: main.c:566 msgid "No hard disk found." @@ -170,7 +171,7 @@ msgstr "Das Installationsprogramm wird die folgende Festplatte nun vorbereiten:
#: main.c:619 msgid "Disk Setup" -msgstr "Disk-Setup" +msgstr "Festplatten-Setup"
#: main.c:620 main.c:630 msgid "Delete all data" @@ -254,7 +255,7 @@ msgstr "Die Dateisysteme konnten nicht erstellt werden."
#: main.c:749 msgid "Unable to mount filesystems." -msgstr "Die Dateisysteme konnten nicht eingehangen werden." +msgstr "Die Dateisysteme konnten nicht eingehÀngt werden."
#: main.c:760 msgid "Installing the system..." @@ -266,11 +267,11 @@ msgstr "Das System konnte nicht installiert werden."
#: main.c:777 msgid "Installing the language cache..." -msgstr "Installiere den Sprachdateicache..." +msgstr "Installiere den Sprachdateizwischenspeicher..."
#: main.c:778 msgid "Unable to install the language cache." -msgstr "Der Sprachdateicache konnte nicht erstellt werden." +msgstr "Der Sprachdateizwischenspeicher konnte nicht erstellt werden."
#: main.c:783 msgid "Installing the bootloader..." diff --git a/src/installer/po/pt.po b/src/installer/po/pt.po new file mode 100644 index 0000000..8a93730 --- /dev/null +++ b/src/installer/po/pt.po 
@@ -0,0 +1,329 @@ +# SOME DESCRIPTIVE TITLE. +# Copyright (C) YEAR The IPFire Project (www.ipfire.org) +# This file is distributed under the same license as the PACKAGE package. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: IPFire Project\n" +"Report-Msgid-Bugs-To: \n" +"POT-Creation-Date: 2014-11-05 01:29+0000\n" +"PO-Revision-Date: 2014-07-31 09:39+0000\n" +"Last-Translator: FULL NAME EMAIL@ADDRESS\n" +"Language-Team: Portuguese (http://www.transifex.com/mstremer/ipfire/language/pt/)%5Cn" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#: main.c:78 main.c:179 main.c:404 main.c:670 main.c:702 main.c:893 +msgid "OK" +msgstr "" + +#: main.c:79 main.c:460 main.c:487 main.c:516 main.c:620 main.c:630 main.c:670 +#: main.c:702 +msgid "Cancel" +msgstr "" + +#: main.c:176 +msgid "I accept this license" +msgstr "" + +#: main.c:384 +msgid "Warning: Unattended installation will start in 10 seconds..." +msgstr "" + +#: main.c:403 +msgid "Language selection" +msgstr "" + +#: main.c:403 +msgid "Select the language you wish to use for the installation." +msgstr "" + +#: main.c:418 +msgid "Unattended mode" +msgstr "" + +#: main.c:420 +msgid "<Tab>/<Alt-Tab> between elements | <Space> selects | <F12> next screen" +msgstr "" + +#: main.c:426 +#, c-format +msgid "" +"Welcome to the %s installation program.\n" +"\n" +"Selecting Cancel on any of the following screens will reboot the computer." +msgstr "" + +#: main.c:428 +msgid "Start installation" +msgstr "" + +#: main.c:449 +#, c-format +msgid "The installer will now try downloading the installation image." +msgstr "" + +#: main.c:452 +#, c-format +msgid "" +"No source drive could be found.\n" +"\n" +"You can try downloading the required installation image." 
+msgstr "" + +#: main.c:456 +msgid "" +"Please make sure to connect your machine to a network and the installer will" +" try connect to acquire an IP address." +msgstr "" + +#: main.c:460 +msgid "Download installation image" +msgstr "" + +#: main.c:473 +msgid "Trying to start networking (DHCP)..." +msgstr "" + +#: main.c:484 +msgid "" +"Networking could not be started but is required to go on with the installation.\n" +"\n" +"Please connect your machine to a network with a DHCP server and retry." +msgstr "" + +#: main.c:487 main.c:516 +msgid "Retry" +msgstr "" + +#: main.c:501 +msgid "Downloading installation image..." +msgstr "" + +#: main.c:510 +#, c-format +msgid "MD5 checksum mismatch" +msgstr "" + +#: main.c:513 +#, c-format +msgid "" +"The installation image could not be downloaded.\n" +" Reason: %s\n" +"\n" +"%s" +msgstr "" + +#: main.c:528 +#, c-format +msgid "" +"Could not mount %s to %s:\n" +" %s\n" +msgstr "" + +#: main.c:543 +msgid "License Agreement" +msgstr "" + +#: main.c:544 +msgid "License not accepted!" +msgstr "" + +#: main.c:566 +msgid "No hard disk found." +msgstr "" + +#: main.c:587 +msgid "Disk Selection" +msgstr "" + +#: main.c:588 +msgid "" +"Select the disk(s) you want to install IPFire on. First those will be partitioned, and then the partitions will have a filesystem put on them.\n" +"\n" +"ALL DATA ON THE DISK WILL BE DESTROYED." +msgstr "" + +#: main.c:599 +msgid "" +"No disk has been selected.\n" +"\n" +"Please select one or more disks you want to install IPFire on." +msgstr "" + +#: main.c:617 +#, c-format +msgid "" +"The installation program will now prepare the chosen harddisk:\n" +"\n" +" %s\n" +"\n" +"Do you agree to continue?" 
+msgstr "" + +#: main.c:619 +msgid "Disk Setup" +msgstr "" + +#: main.c:620 main.c:630 +msgid "Delete all data" +msgstr "" + +#: main.c:627 +#, c-format +msgid "" +"The installation program will now set up a RAID configuration on the selected harddisks:\n" +"\n" +" %s\n" +" %s\n" +"\n" +"Do you agree to continue?" +msgstr "" + +#: main.c:629 +msgid "RAID Setup" +msgstr "" + +#: main.c:640 +msgid "Your disk configuration is currently not supported." +msgstr "" + +#: main.c:655 +msgid "Your harddisk is too small." +msgstr "" + +#: main.c:671 +msgid "" +"Your harddisk is very small, but you can continue without a swap partition." +msgstr "" + +#: main.c:684 +msgid "ext4 Filesystem" +msgstr "" + +#: main.c:685 +msgid "ext4 Filesystem without journal" +msgstr "" + +#: main.c:686 +msgid "XFS Filesystem" +msgstr "" + +#: main.c:687 +msgid "ReiserFS Filesystem" +msgstr "" + +#: main.c:701 +msgid "Filesystem Selection" +msgstr "" + +#: main.c:701 +msgid "Please choose your filesystem:" +msgstr "" + +#: main.c:712 +msgid "Building RAID..." +msgstr "" + +#: main.c:716 +msgid "Unable to build the RAID." +msgstr "" + +#: main.c:728 +msgid "Partitioning disk..." +msgstr "" + +#: main.c:732 +msgid "Unable to partition the disk." +msgstr "" + +#: main.c:739 +msgid "Creating filesystems..." +msgstr "" + +#: main.c:743 +msgid "Unable to create filesystems." +msgstr "" + +#: main.c:749 +msgid "Unable to mount filesystems." +msgstr "" + +#: main.c:760 +msgid "Installing the system..." +msgstr "" + +#: main.c:761 +msgid "Unable to install the system." +msgstr "" + +#: main.c:777 +msgid "Installing the language cache..." +msgstr "" + +#: main.c:778 +msgid "Unable to install the language cache." +msgstr "" + +#: main.c:783 +msgid "Installing the bootloader..." +msgstr "" + +#: main.c:790 +msgid "Unable to open /etc/default/grub for writing." +msgstr "" + +#: main.c:812 +msgid "Unable to install the bootloader." 
+msgstr "" + +#: main.c:826 +msgid "" +"A backup file has been found on the installation image.\n" +"\n" +"Do you want to restore the backup?" +msgstr "" + +#: main.c:827 +msgid "Yes" +msgstr "" + +#: main.c:827 +msgid "No" +msgstr "" + +#: main.c:834 +msgid "An error occured when the backup file was restored." +msgstr "" + +#: main.c:869 +msgid "Running post-install script..." +msgstr "" + +#: main.c:870 +msgid "Post-install script failed." +msgstr "" + +#: main.c:877 +#, c-format +msgid "" +"%s was successfully installed!\n" +"\n" +"Please remove any installation mediums from this system and hit the reboot button. Once the system has restarted you will be asked to setup networking and system passwords. After that, you should point your web browser at https://%s:444 (or what ever you name your %s) for the web configuration console." +msgstr "" + +#: main.c:882 +msgid "Congratulations!" +msgstr "" + +#: main.c:882 +msgid "Reboot" +msgstr "" + +#: main.c:893 +msgid "Setup has failed. Press Ok to reboot." +msgstr "" diff --git a/src/installer/po/ro.po b/src/installer/po/ro.po new file mode 100644 index 0000000..738650f --- /dev/null +++ b/src/installer/po/ro.po 
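Review bot: the new src/installer/po/pt.po contains only empty `msgstr ""` entries and a placeholder header (`Last-Translator: FULL NAME EMAIL@ADDRESS`, `PO-Revision-Date: 2014-07-31`), yet the LINGUAS hunk enables `pt` next to the existing `pt_BR` and `pt_PT`; with no translated strings the catalog adds a selectable language that shows English everywhere. The ro.po added right after it starts the same way alongside the existing `ro_RO`. Either drop both files and their LINGUAS entries until Transifex has actual translations, or explain in the commit message why the empty catalogs are wanted now.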
@@ -0,0 +1,329 @@ +# SOME DESCRIPTIVE TITLE. +# Copyright (C) YEAR The IPFire Project (www.ipfire.org) +# This file is distributed under the same license as the PACKAGE package. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: IPFire Project\n" +"Report-Msgid-Bugs-To: \n" +"POT-Creation-Date: 2014-11-05 01:29+0000\n" +"PO-Revision-Date: 2014-07-31 09:39+0000\n" +"Last-Translator: FULL NAME EMAIL@ADDRESS\n" +"Language-Team: Romanian (http://www.transifex.com/mstremer/ipfire/language/ro/)%5Cn" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ro\n" +"Plural-Forms: nplurals=3; plural=(n==1?0:(((n%100>19)||((n%100==0)&&(n!=0)))?2:1));\n" + +#: main.c:78 main.c:179 main.c:404 main.c:670 main.c:702 main.c:893 +msgid "OK" +msgstr "" + +#: main.c:79 main.c:460 main.c:487 main.c:516 main.c:620 main.c:630 main.c:670 +#: main.c:702 +msgid "Cancel" +msgstr "" + +#: main.c:176 +msgid "I accept this license" +msgstr "" + +#: main.c:384 +msgid "Warning: Unattended installation will start in 10 seconds..." +msgstr "" + +#: main.c:403 +msgid "Language selection" +msgstr "" + +#: main.c:403 +msgid "Select the language you wish to use for the installation." +msgstr "" + +#: main.c:418 +msgid "Unattended mode" +msgstr "" + +#: main.c:420 +msgid "<Tab>/<Alt-Tab> between elements | <Space> selects | <F12> next screen" +msgstr "" + +#: main.c:426 +#, c-format +msgid "" +"Welcome to the %s installation program.\n" +"\n" +"Selecting Cancel on any of the following screens will reboot the computer." +msgstr "" + +#: main.c:428 +msgid "Start installation" +msgstr "" + +#: main.c:449 +#, c-format +msgid "The installer will now try downloading the installation image." +msgstr "" + +#: main.c:452 +#, c-format +msgid "" +"No source drive could be found.\n" +"\n" +"You can try downloading the required installation image." 
+msgstr "" + +#: main.c:456 +msgid "" +"Please make sure to connect your machine to a network and the installer will" +" try connect to acquire an IP address." +msgstr "" + +#: main.c:460 +msgid "Download installation image" +msgstr "" + +#: main.c:473 +msgid "Trying to start networking (DHCP)..." +msgstr "" + +#: main.c:484 +msgid "" +"Networking could not be started but is required to go on with the installation.\n" +"\n" +"Please connect your machine to a network with a DHCP server and retry." +msgstr "" + +#: main.c:487 main.c:516 +msgid "Retry" +msgstr "" + +#: main.c:501 +msgid "Downloading installation image..." +msgstr "" + +#: main.c:510 +#, c-format +msgid "MD5 checksum mismatch" +msgstr "" + +#: main.c:513 +#, c-format +msgid "" +"The installation image could not be downloaded.\n" +" Reason: %s\n" +"\n" +"%s" +msgstr "" + +#: main.c:528 +#, c-format +msgid "" +"Could not mount %s to %s:\n" +" %s\n" +msgstr "" + +#: main.c:543 +msgid "License Agreement" +msgstr "" + +#: main.c:544 +msgid "License not accepted!" +msgstr "" + +#: main.c:566 +msgid "No hard disk found." +msgstr "" + +#: main.c:587 +msgid "Disk Selection" +msgstr "" + +#: main.c:588 +msgid "" +"Select the disk(s) you want to install IPFire on. First those will be partitioned, and then the partitions will have a filesystem put on them.\n" +"\n" +"ALL DATA ON THE DISK WILL BE DESTROYED." +msgstr "" + +#: main.c:599 +msgid "" +"No disk has been selected.\n" +"\n" +"Please select one or more disks you want to install IPFire on." +msgstr "" + +#: main.c:617 +#, c-format +msgid "" +"The installation program will now prepare the chosen harddisk:\n" +"\n" +" %s\n" +"\n" +"Do you agree to continue?" 
+msgstr "" + +#: main.c:619 +msgid "Disk Setup" +msgstr "" + +#: main.c:620 main.c:630 +msgid "Delete all data" +msgstr "" + +#: main.c:627 +#, c-format +msgid "" +"The installation program will now set up a RAID configuration on the selected harddisks:\n" +"\n" +" %s\n" +" %s\n" +"\n" +"Do you agree to continue?" +msgstr "" + +#: main.c:629 +msgid "RAID Setup" +msgstr "" + +#: main.c:640 +msgid "Your disk configuration is currently not supported." +msgstr "" + +#: main.c:655 +msgid "Your harddisk is too small." +msgstr "" + +#: main.c:671 +msgid "" +"Your harddisk is very small, but you can continue without a swap partition." +msgstr "" + +#: main.c:684 +msgid "ext4 Filesystem" +msgstr "" + +#: main.c:685 +msgid "ext4 Filesystem without journal" +msgstr "" + +#: main.c:686 +msgid "XFS Filesystem" +msgstr "" + +#: main.c:687 +msgid "ReiserFS Filesystem" +msgstr "" + +#: main.c:701 +msgid "Filesystem Selection" +msgstr "" + +#: main.c:701 +msgid "Please choose your filesystem:" +msgstr "" + +#: main.c:712 +msgid "Building RAID..." +msgstr "" + +#: main.c:716 +msgid "Unable to build the RAID." +msgstr "" + +#: main.c:728 +msgid "Partitioning disk..." +msgstr "" + +#: main.c:732 +msgid "Unable to partition the disk." +msgstr "" + +#: main.c:739 +msgid "Creating filesystems..." +msgstr "" + +#: main.c:743 +msgid "Unable to create filesystems." +msgstr "" + +#: main.c:749 +msgid "Unable to mount filesystems." +msgstr "" + +#: main.c:760 +msgid "Installing the system..." +msgstr "" + +#: main.c:761 +msgid "Unable to install the system." +msgstr "" + +#: main.c:777 +msgid "Installing the language cache..." +msgstr "" + +#: main.c:778 +msgid "Unable to install the language cache." +msgstr "" + +#: main.c:783 +msgid "Installing the bootloader..." +msgstr "" + +#: main.c:790 +msgid "Unable to open /etc/default/grub for writing." +msgstr "" + +#: main.c:812 +msgid "Unable to install the bootloader." 
+msgstr "" + +#: main.c:826 +msgid "" +"A backup file has been found on the installation image.\n" +"\n" +"Do you want to restore the backup?" +msgstr "" + +#: main.c:827 +msgid "Yes" +msgstr "" + +#: main.c:827 +msgid "No" +msgstr "" + +#: main.c:834 +msgid "An error occured when the backup file was restored." +msgstr "" + +#: main.c:869 +msgid "Running post-install script..." +msgstr "" + +#: main.c:870 +msgid "Post-install script failed." +msgstr "" + +#: main.c:877 +#, c-format +msgid "" +"%s was successfully installed!\n" +"\n" +"Please remove any installation mediums from this system and hit the reboot button. Once the system has restarted you will be asked to setup networking and system passwords. After that, you should point your web browser at https://%s:444 (or what ever you name your %s) for the web configuration console." +msgstr "" + +#: main.c:882 +msgid "Congratulations!" +msgstr "" + +#: main.c:882 +msgid "Reboot" +msgstr "" + +#: main.c:893 +msgid "Setup has failed. Press Ok to reboot." +msgstr "" diff --git a/src/installer/po/tr.po b/src/installer/po/tr.po index e990bc3..ad65543 100644 --- a/src/installer/po/tr.po +++ b/src/installer/po/tr.po @@ -11,9 +11,9 @@ msgstr "" "Project-Id-Version: IPFire Project\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2014-11-05 01:29+0000\n" -"PO-Revision-Date: 2015-02-28 22:11+0000\n" +"PO-Revision-Date: 2015-04-23 16:07+0000\n" "Last-Translator: Ersan YILDIRIM ersan73@gmail.com\n" -"Language-Team: Turkish (http://www.transifex.com/projects/p/ipfire/language/tr/)%5Cn" +"Language-Team: Turkish (http://www.transifex.com/mstremer/ipfire/language/tr/)%5Cn" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" 
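Review bot: Every msgstr in the new src/installer/po/ro.po is empty and the header still carries the Transifex template placeholders ("Copyright (C) YEAR", "Last-Translator: FULL NAME EMAIL@ADDRESS"), so the file adds no Romanian strings and gettext will fall back to the English msgid for every entry anyway; either leave the empty catalogue out until it has content or say in the commit message that it is a placeholder so nobody goes looking for missing translations. While here: the msgid "An error occured when the backup file was restored." (occurred) is a typo in the source string and can only be fixed at main.c:834, after which all the .po files regenerate.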
@@ -59,7 +59,7 @@ msgid "" "Welcome to the %s installation program.\n" "\n" "Selecting Cancel on any of the following screens will reboot the computer." -msgstr "%s kurulum programına hoÅ geldiniz.\n\nSonraki ekranların herhangi birinde Ä°ptal seçeneÄini seçtiÄinizde bilgisayar yeniden baÅlatılac." +msgstr "%s kurulum programına hoÅ geldiniz.\n\nSonraki ekranların herhangi birinde Ä°ptal seçeneÄini seçtiÄinizde bilgisayar yeniden baÅlatılacak."
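Review bot: The msgstr in this tr.po hunk shows UTF-8 text decoded as Latin-1 ("hoÅ" where "hoş" would be expected, "Ä°ptal" for "İptal"), while the header hunk above declares "Content-Type: text/plain; charset=UTF-8". That may only be how the diff was rendered in this mail, but before merging please confirm the committed file is valid, single-encoded UTF-8 (for example with `iconv -f UTF-8 -t UTF-8 src/installer/po/tr.po >/dev/null`) so double-encoded bytes do not reach the installer UI. The change itself, completing the truncated "baÅlatılac." to "baÅlatılacak.", is otherwise correct.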
#: main.c:428 msgid "Start installation" diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile index e4bf049..ff775da 100644 --- a/src/misc-progs/Makefile +++ b/src/misc-progs/Makefile @@ -28,7 +28,7 @@ SUID_PROGS = squidctrl sshctrl ipfirereboot \ applejuicectrl rebuildhosts backupctrl collectdctrl \ logwatch openvpnctrl firewallctrl \ wirelessctrl getipstat qosctrl launch-ether-wake \ - redctrl syslogdctrl extrahdctrl sambactrl upnpctrl tripwirectrl \ + redctrl syslogdctrl extrahdctrl sambactrl upnpctrl \ smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \ setaliases urlfilterctrl updxlratorctrl fireinfoctrl rebuildroutes \ getconntracktable wirelessclient dnsmasqctrl torctrl ddnsctrl diff --git a/src/misc-progs/tripwirectrl.c b/src/misc-progs/tripwirectrl.c deleted file mode 100644 index 8f02d0d..0000000 --- a/src/misc-progs/tripwirectrl.c +++ /dev/null 
@@ -1,142 +0,0 @@ -#include <stdio.h> -#include <string.h> -#include <stdlib.h> -#include <unistd.h> -#include <sys/types.h> -#include <fcntl.h> -#include "setuid.h" - -#define BUFFER_SIZE 1024 - -char command[BUFFER_SIZE]; - -int main(int argc, char *argv[]) -{ - -if (!(initsetuid())) - exit(1); - -// Check what command is asked -if (argc==1) -{ -fprintf (stderr, "Missing tripwirectrl command!\n"); -return 1; -} - -if (strcmp(argv[1], "tripwirelog")==0) -{ -snprintf(command, BUFFER_SIZE-1, "/usr/sbin/twprint -m r --cfgfile /var/ipfire/tripwire/tw.cfg --twrfile /var/ipfire/tripwire/report/%s", argv[2]); -safe_system(command); -return 0; -} - -if (strcmp(argv[1], "generatereport")==0) -{ -safe_system("/usr/sbin/tripwire --check --cfgfile /var/ipfire/tripwire/tw.cfg --polfile /var/ipfire/tripwire/tw.pol"); -return 0; -} - -if (strcmp(argv[1], "deletereport")==0) -{ -sprintf(command, "rm -f /var/ipfire/tripwire/report/%s", argv[2]); -safe_system(command); -return 0; -} - -if (strcmp(argv[1], "updatedatabase")==0) -{ -snprintf(command, BUFFER_SIZE-1, "/usr/sbin/tripwire --update --accept-all --cfgfile /var/ipfire/tripwire/tw.cfg --polfile /var/ipfire/tripwire/tw.pol --local-passphrase %s --twrfile %s", argv[2], argv[3]); -safe_system(command); -return 0; -} - -if (strcmp(argv[1], "keys")==0) -{ -snprintf(command, BUFFER_SIZE-1, "rm -rf /var/ipfire/tripwire/site.key && /usr/sbin/twadmin --generate-keys --site-keyfile /var/ipfire/tripwire/site.key --site-passphrase %s && chmod 640 /var/ipfire/tripwire/site.key", argv[2]); -safe_system(command); -snprintf(command, BUFFER_SIZE-1, "rm -rf /var/ipfire/tripwire/local.key && /usr/sbin/twadmin --generate-keys --local-keyfile /var/ipfire/tripwire/local.key --local-passphrase %s && chmod 640 /var/ipfire/tripwire/local.key", argv[3]); -safe_system(command); -snprintf(command, BUFFER_SIZE-1, "rm -rf /var/ipfire/tripwire/tw.cfg && /usr/sbin/twadmin --create-cfgfile --cfgfile /var/ipfire/tripwire/tw.cfg --site-keyfile 
/var/ipfire/tripwire/site.key --site-passphrase %s /var/ipfire/tripwire/twcfg.txt && chmod 640 /var/ipfire/tripwire/tw.cfg", argv[2]); -safe_system(command); -snprintf(command, BUFFER_SIZE-1, "rm -rf /var/ipfire/tripwire/tw.pol && /usr/sbin/twadmin --create-polfile --cfgfile /var/ipfire/tripwire/tw.cfg --site-keyfile /var/ipfire/tripwire/site.key --site-passphrase %s /var/ipfire/tripwire/twpol.txt && chmod 640 /var/ipfire/tripwire/tw.pol", argv[2]); -safe_system(command); -snprintf(command, BUFFER_SIZE-1, "/usr/sbin/tripwire --init --cfgfile /var/ipfire/tripwire/tw.cfg --polfile /var/ipfire/tripwire/tw.pol --local-passphrase %s", argv[3]); -safe_system(command); -return 0; -} - -if (strcmp(argv[1], "generatepolicy")==0) -{ -snprintf(command, BUFFER_SIZE-1, "/usr/sbin/twadmin --create-polfile --site-keyfile /var/ipfire/tripwire/site.key --site-passphrase %s --polfile /var/ipfire/tripwire/tw.pol --cfgfile /var/ipfire/tripwire/tw.cfg /var/ipfire/tripwire/twpol.txt", argv[2]); -safe_system(command); -snprintf(command, BUFFER_SIZE-1, "/usr/sbin/tripwire --init --cfgfile /var/ipfire/tripwire/tw.cfg --polfile /var/ipfire/tripwire/tw.pol --local-passphrase %s", argv[3]); -safe_system(command); -return 0; -} - -if (strcmp(argv[1], "resetpolicy")==0) -{ -snprintf(command, BUFFER_SIZE-1, "/usr/sbin/twadmin --create-polfile --site-keyfile /var/ipfire/tripwire/site.key --site-passphrase %s --polfile /var/ipfire/tripwire/tw.pol --cfgfile /var/ipfire/tripwire/tw.cfg /var/ipfire/tripwire/twpol.default", argv[2]); -safe_system(command); -snprintf(command, BUFFER_SIZE-1, "/usr/sbin/tripwire --init --cfgfile /var/ipfire/tripwire/tw.cfg --polfile /var/ipfire/tripwire/tw.pol --local-passphrase %s", argv[3]); -safe_system(command); -return 0; -} - -if (strcmp(argv[1], "readconfig")==0) -{ -safe_system("/bin/chown nobody:nobody /var/ipfire/tripwire/twcfg.txt"); -return 0; -} - -if (strcmp(argv[1], "lockconfig")==0) -{ -safe_system("/bin/chown root:root /var/ipfire/tripwire/twcfg.txt"); 
-return 0; -} - -if (strcmp(argv[1], "enable")==0) -{ -safe_system("touch /var/ipfire/tripwire/enable"); -safe_system("rm -rf /var/ipfire/tripwire/site.key && /usr/sbin/twadmin --generate-keys --site-keyfile /var/ipfire/tripwire/site.key --site-passphrase ipfire && chmod 640 /var/ipfire/tripwire/site.key"); -safe_system("rm -rf /var/ipfire/tripwire/local.key && /usr/sbin/twadmin --generate-keys --local-keyfile /var/ipfire/tripwire/local.key --local-passphrase ipfire && chmod 640 /var/ipfire/tripwire/local.key"); -safe_system("rm -rf /var/ipfire/tripwire/tw.cfg && /usr/sbin/twadmin --create-cfgfile --cfgfile /var/ipfire/tripwire/tw.cfg --site-keyfile /var/ipfire/tripwire/site.key --site-passphrase ipfire /var/ipfire/tripwire/twcfg.txt && chmod 640 /var/ipfire/tripwire/tw.cfg"); -safe_system("rm -rf /var/ipfire/tripwire/tw.pol && /usr/sbin/twadmin --create-polfile --cfgfile /var/ipfire/tripwire/tw.cfg --site-keyfile /var/ipfire/tripwire/site.key --site-passphrase ipfire /var/ipfire/tripwire/twpol.txt && chmod 640 /var/ipfire/tripwire/tw.pol"); -safe_system("/usr/sbin/tripwire --init --cfgfile /var/ipfire/tripwire/tw.cfg --polfile /var/ipfire/tripwire/tw.pol --local-passphrase ipfire"); -safe_system("cat /usr/sbin/tripwire --check --cfgfile /var/ipfire/tripwire/tw.cfg --polfile /var/ipfire/tripwire/tw.pol > /etc/fcron.daily/tripwire0600"); -safe_system("chmod 755 /etc/fcron.daily/tripwire0600"); -safe_system("touch -t 01010600 /etc/fcron.daily/tripwire0600"); -return 0; -} - -if (strcmp(argv[1], "disable")==0) -{ -safe_system("unlink /var/ipfire/tripwire/enable"); -safe_system("unlink /etc/fcron.daily/tripwire*"); -safe_system("rm -rf /var/ipfire/tripwire/site.key"); -safe_system("rm -rf /var/ipfire/tripwire/local.key"); -safe_system("rm -rf /var/ipfire/tripwire/tw.cfg*"); -safe_system("rm -rf /var/ipfire/tripwire/tw.pol*"); -safe_system("rm -rf /var/ipfire/tripwire/*.twd*"); -safe_system("rm -rf /var/ipfire/tripwire/report/*"); -return 0; -} - -if (strcmp(argv[1], 
"addcron")==0) -{ -snprintf(command, BUFFER_SIZE-1, "echo "/usr/sbin/tripwire --check --cfgfile /var/ipfire/tripwire/tw.cfg --polfile /var/ipfire/tripwire/tw.pol" > /etc/fcron.daily/tripwire%s%s", argv[2], argv[3]); -safe_system(command); -snprintf(command, BUFFER_SIZE-1, "chmod 755 /etc/fcron.daily/tripwire%s%s", argv[2], argv[3]); -safe_system(command); -snprintf(command, BUFFER_SIZE-1, "touch -t 0101%s%s /etc/fcron.daily/tripwire%s%s", argv[2], argv[3], argv[2], argv[3]); -safe_system(command); -return 0; -} -if (strcmp(argv[1], "disablecron")==0) -{ -snprintf(command, BUFFER_SIZE-1, "unlink /etc/fcron.daily/tripwire%s", argv[2]); -safe_system(command); -return 0; -} -return 0; -} diff --git a/src/pakfire/lib/functions.pl b/src/pakfire/lib/functions.pl index 96f8d14..11b1e37 100644 --- a/src/pakfire/lib/functions.pl +++ b/src/pakfire/lib/functions.pl @@ -519,8 +519,13 @@ sub dblist { } elsif ("$filter" eq "installed") { next unless ( -e "$Conf::dbdir/installed/meta-$templine[0]" ); } - if ("$forweb" eq "forweb") { - print "<option value="$templine[0]">$templine[0]-$templine[1]-$templine[2]</option>\n"; + if ("$forweb" eq "forweb") + { + if ("$filter" eq "notinstalled") { + print "<option value="$templine[0]">$templine[0]-$templine[1]-$templine[2]</option>\n"; + } else { + print "<option value="$templine[0]">$templine[0]</option>\n"; + } } else { if ("$Pakfire::enable_colors" eq "1") { if (&isinstalled("$templine[0]")) { diff --git a/src/patches/0001-Fix-CVE-2015-8370-Grub2-user-pass-vulnerability.patch b/src/patches/0001-Fix-CVE-2015-8370-Grub2-user-pass-vulnerability.patch new file mode 100644 index 0000000..2eef1ae --- /dev/null +++ b/src/patches/0001-Fix-CVE-2015-8370-Grub2-user-pass-vulnerability.patch 
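Review bot: Deleting src/misc-progs/tripwirectrl.c outright instead of patching it is the right call, and the Makefile hunk just above drops it from SUID_PROGS, so no setuid binary is left behind. The removed lines show why it had to go: every subcommand formatted argv[2]/argv[3] straight into a shell command string for safe_system() without validating them or even checking that they exist (argc is only tested against 1, so a missing argument is a NULL passed to %s), `deletereport` used an unbounded sprintf() into the 1024-byte `command` buffer, site and local passphrases were placed on the twadmin/tripwire command line where any local user can read them from the process list, `enable` hard-coded the passphrase "ipfire" for both keys, and `enable` also ran `cat /usr/sbin/tripwire --check ... > /etc/fcron.daily/tripwire0600`, which copies the binary into the cron directory instead of writing the command line. Please confirm the tripwire CGI page and its language strings are removed in the same series so the web UI does not keep invoking a helper that no longer exists.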
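Review bot: Style point on the src/pakfire/lib/functions.pl hunk: the new `if ("$forweb" eq "forweb")` puts its opening brace on its own line, unlike every surrounding block in dblist (`} elsif ("$filter" eq "installed") {`); keep the brace on the `if` line. On the logic, both branches print the same `<option value="$templine[0]">` and only differ in the label (name-version-release for the `notinstalled` filter, bare name otherwise), so a single print with the label chosen beforehand would avoid the duplicated HTML string. Since `$templine[0]` is interpolated into HTML without escaping, a short comment stating that it comes from the pakfire package database, not from request parameters, would help the next reader.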
@@ -0,0 +1,45 @@ +From 88c9657960a6c5d3673a25c266781e876c181add Mon Sep 17 00:00:00 2001 +From: Hector Marco-Gisbert hecmargi@upv.es +Date: Fri, 13 Nov 2015 16:21:09 +0100 +Subject: [PATCH] Fix security issue when reading username and password + + This patch fixes two integer underflows at: + * grub-core/lib/crypto.c + * grub-core/normal/auth.c + +Signed-off-by: Hector Marco-Gisbert hecmargi@upv.es +Signed-off-by: Ismael Ripoll-Ripoll iripoll@disca.upv.es +--- + grub-core/lib/crypto.c | 2 +- + grub-core/normal/auth.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/grub-core/lib/crypto.c b/grub-core/lib/crypto.c +index 010e550..524a3d8 100644 +--- a/grub-core/lib/crypto.c ++++ b/grub-core/lib/crypto.c +@@ -456,7 +456,7 @@ grub_password_get (char buf[], unsigned buf_size) + break; + } + +- if (key == '\b') ++ if (key == '\b' && cur_len) + { + cur_len--; + continue; +diff --git a/grub-core/normal/auth.c b/grub-core/normal/auth.c +index c6bd96e..5782ec5 100644 +--- a/grub-core/normal/auth.c ++++ b/grub-core/normal/auth.c +@@ -172,7 +172,7 @@ grub_username_get (char buf[], unsigned buf_size) + break; + } + +- if (key == '\b') ++ if (key == '\b' && cur_len) + { + cur_len--; + grub_printf ("\b"); +-- +1.9.1 + diff --git a/src/patches/dma-0.10-better-authentication.patch b/src/patches/dma-0.10-better-authentication.patch new file mode 100644 index 0000000..596168d --- /dev/null +++ b/src/patches/dma-0.10-better-authentication.patch 
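Review bot: The two one-line hunks in 0001-Fix-CVE-2015-8370-Grub2-user-pass-vulnerability.patch are the upstream GRUB fix (commit 88c9657 per the patch header): guarding the backspace case with `&& cur_len` prevents `cur_len--` from running when nothing has been typed, which is exactly the integer underflow the description names for grub_password_get() and grub_username_get(). Two things are missing: the patch only lands under src/patches, and nothing in this part of the diff shows the grub LFS recipe applying it, so please confirm the corresponding `patch` line is added in the same series; and the header does not say which GRUB release the hunk offsets (crypto.c:456, auth.c:172) were taken from, which would make the next rebase easier.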
@@ -0,0 +1,373 @@ +From 1fa7a882dd22d5f619b3645c6597a419034e9b4e Mon Sep 17 00:00:00 2001 +From: Michael Tremer michael.tremer@ipfire.org +Date: Mon, 9 Nov 2015 21:52:08 +0000 +Subject: [PATCH] Implement better authentication + +DMA tries to authenticate by simply trying various authentication +mechanisms. This is obviously not conforming to RFC and some mail +providers detect this is spam and reject all emails. + +This patch parses the EHLO response and reads various keywords +from it that can then later in the program be used to jump into +certain code paths. + +Currently this is used to only authenticate with CRAM-MD5 and/or +LOGIN if the server supports one or both of these. The +implementation can be easily be extended though. + +Signed-off-by: Michael Tremer michael.tremer@ipfire.org +--- + crypto.c | 6 +- + dma.h | 13 +++- + net.c | 219 +++++++++++++++++++++++++++++++++++++++++++++++---------------- + 3 files changed, 181 insertions(+), 57 deletions(-) + +diff --git a/crypto.c b/crypto.c +index 897b55b..8048f20 100644 +--- a/crypto.c ++++ b/crypto.c +@@ -77,7 +77,7 @@ init_cert_file(SSL_CTX *ctx, const char *path) + } + + int +-smtp_init_crypto(int fd, int feature) ++smtp_init_crypto(int fd, int feature, struct smtp_features* features) + { + SSL_CTX *ctx = NULL; + #if (OPENSSL_VERSION_NUMBER >= 0x00909000L) +@@ -118,8 +118,7 @@ smtp_init_crypto(int fd, int feature) + /* TLS init phase, disable SSL_write */ + config.features |= NOSSL; + +- send_remote_command(fd, "EHLO %s", hostname()); +- if (read_remote(fd, 0, NULL) == 2) { ++ if (perform_server_greeting(fd, features) == 0) { + send_remote_command(fd, "STARTTLS"); + if (read_remote(fd, 0, NULL) != 2) { + if ((feature & TLS_OPP) == 0) { +@@ -131,6 +130,7 @@ smtp_init_crypto(int fd, int feature) + } + } + } ++ + /* End of TLS init phase, enable SSL_write/read */ + config.features &= ~NOSSL; + } +diff --git a/dma.h b/dma.h +index acf5e44..ee749d8 100644 +--- a/dma.h ++++ b/dma.h +@@ -51,6 +51,7 @@ + #define 
BUF_SIZE 2048 + #define ERRMSG_SIZE 200 + #define USERNAME_SIZE 50 ++#define EHLO_RESPONSE_SIZE BUF_SIZE + #define MIN_RETRY 300 /* 5 minutes */ + #define MAX_RETRY (3*60*60) /* retry at least every 3 hours */ + #define MAX_TIMEOUT (5*24*60*60) /* give up after 5 days */ +@@ -160,6 +161,15 @@ struct mx_hostentry { + struct sockaddr_storage sa; + }; + ++struct smtp_auth_mechanisms { ++ int cram_md5; ++ int login; ++}; ++ ++struct smtp_features { ++ struct smtp_auth_mechanisms auth; ++ int starttls; ++}; + + /* global variables */ + extern struct aliases aliases; +@@ -187,7 +197,7 @@ void parse_authfile(const char *); + /* crypto.c */ + void hmac_md5(unsigned char *, int, unsigned char *, int, unsigned char *); + int smtp_auth_md5(int, char *, char *); +-int smtp_init_crypto(int, int); ++int smtp_init_crypto(int, int, struct smtp_features*); + + /* dns.c */ + int dns_get_mx_list(const char *, int, struct mx_hostentry **, int); +@@ -196,6 +206,7 @@ int dns_get_mx_list(const char *, int, struct mx_hostentry **, int); + char *ssl_errstr(void); + int read_remote(int, int, char *); + ssize_t send_remote_command(int, const char*, ...) 
__attribute__((__nonnull__(2), __format__ (__printf__, 2, 3))); ++int perform_server_greeting(int, struct smtp_features*); + int deliver_remote(struct qitem *); + + /* base64.c */ +diff --git a/net.c b/net.c +index 26935a8..33ff8f5 100644 +--- a/net.c ++++ b/net.c +@@ -247,64 +247,70 @@ read_remote(int fd, int extbufsize, char *extbuf) + * Handle SMTP authentication + */ + static int +-smtp_login(int fd, char *login, char* password) ++smtp_login(int fd, char *login, char* password, const struct smtp_features* features) + { + char *temp; + int len, res = 0; + +- res = smtp_auth_md5(fd, login, password); +- if (res == 0) { +- return (0); +- } else if (res == -2) { +- /* +- * If the return code is -2, then then the login attempt failed, +- * do not try other login mechanisms +- */ +- return (1); +- } +- +- if ((config.features & INSECURE) != 0 || +- (config.features & SECURETRANS) != 0) { +- /* Send AUTH command according to RFC 2554 */ +- send_remote_command(fd, "AUTH LOGIN"); +- if (read_remote(fd, 0, NULL) != 3) { +- syslog(LOG_NOTICE, "remote delivery deferred:" +- " AUTH login not available: %s", +- neterr); ++ // CRAM-MD5 ++ if (features->auth.cram_md5) { ++ res = smtp_auth_md5(fd, login, password); ++ if (res == 0) { ++ return (0); ++ } else if (res == -2) { ++ /* ++ * If the return code is -2, then then the login attempt failed, ++ * do not try other login mechanisms ++ */ + return (1); + } ++ } + +- len = base64_encode(login, strlen(login), &temp); +- if (len < 0) { ++ // LOGIN ++ if (features->auth.login) { ++ if ((config.features & INSECURE) != 0 || ++ (config.features & SECURETRANS) != 0) { ++ /* Send AUTH command according to RFC 2554 */ ++ send_remote_command(fd, "AUTH LOGIN"); ++ if (read_remote(fd, 0, NULL) != 3) { ++ syslog(LOG_NOTICE, "remote delivery deferred:" ++ " AUTH login not available: %s", ++ neterr); ++ return (1); ++ } ++ ++ len = base64_encode(login, strlen(login), &temp); ++ if (len < 0) { + encerr: +- syslog(LOG_ERR, "can not encode auth 
reply: %m"); +- return (1); +- } ++ syslog(LOG_ERR, "can not encode auth reply: %m"); ++ return (1); ++ } + +- send_remote_command(fd, "%s", temp); +- free(temp); +- res = read_remote(fd, 0, NULL); +- if (res != 3) { +- syslog(LOG_NOTICE, "remote delivery %s: AUTH login failed: %s", +- res == 5 ? "failed" : "deferred", neterr); +- return (res == 5 ? -1 : 1); +- } ++ send_remote_command(fd, "%s", temp); ++ free(temp); ++ res = read_remote(fd, 0, NULL); ++ if (res != 3) { ++ syslog(LOG_NOTICE, "remote delivery %s: AUTH login failed: %s", ++ res == 5 ? "failed" : "deferred", neterr); ++ return (res == 5 ? -1 : 1); ++ } + +- len = base64_encode(password, strlen(password), &temp); +- if (len < 0) +- goto encerr; +- +- send_remote_command(fd, "%s", temp); +- free(temp); +- res = read_remote(fd, 0, NULL); +- if (res != 2) { +- syslog(LOG_NOTICE, "remote delivery %s: Authentication failed: %s", +- res == 5 ? "failed" : "deferred", neterr); +- return (res == 5 ? -1 : 1); ++ len = base64_encode(password, strlen(password), &temp); ++ if (len < 0) ++ goto encerr; ++ ++ send_remote_command(fd, "%s", temp); ++ free(temp); ++ res = read_remote(fd, 0, NULL); ++ if (res != 2) { ++ syslog(LOG_NOTICE, "remote delivery %s: Authentication failed: %s", ++ res == 5 ? "failed" : "deferred", neterr); ++ return (res == 5 ? -1 : 1); ++ } ++ } else { ++ syslog(LOG_WARNING, "non-encrypted SMTP login is disabled in config, so skipping it. "); ++ return (1); + } +- } else { +- syslog(LOG_WARNING, "non-encrypted SMTP login is disabled in config, so skipping it. 
"); +- return (1); + } + + return (0); +@@ -348,10 +354,115 @@ close_connection(int fd) + close(fd); + } + ++static void parse_auth_line(char* line, struct smtp_auth_mechanisms* auth) { ++ // Skip the auth prefix ++ line += strlen("AUTH "); ++ ++ char* method = strtok(line, " "); ++ while (method) { ++ if (strcmp(method, "CRAM-MD5") == 0) ++ auth->cram_md5 = 1; ++ ++ else if (strcmp(method, "LOGIN") == 0) ++ auth->login = 1; ++ ++ method = strtok(NULL, " "); ++ } ++} ++ ++int perform_server_greeting(int fd, struct smtp_features* features) { ++ /* ++ Send EHLO ++ XXX allow HELO fallback ++ */ ++ send_remote_command(fd, "EHLO %s", hostname()); ++ ++ char buffer[EHLO_RESPONSE_SIZE]; ++ memset(buffer, 0, sizeof(buffer)); ++ ++ int res = read_remote(fd, sizeof(buffer) - 1, buffer); ++ ++ // Got an unexpected response ++ if (res != 2) ++ return -1; ++ ++ // Reset all features ++ memset(features, 0, sizeof(*features)); ++ ++ // Run through the buffer line by line ++ char linebuffer[EHLO_RESPONSE_SIZE]; ++ char* p = buffer; ++ ++ while (*p) { ++ char* line = linebuffer; ++ while (*p && *p != '\n') { ++ *line++ = *p++; ++ } ++ ++ // p should never point to NULL after the loop ++ // above unless we reached the end of the buffer. ++ // In that case we will raise an error. ++ if (!*p) { ++ return -1; ++ } ++ ++ // Otherwise p points to the newline character which ++ // we will skip. ++ p++; ++ ++ // Terminte the string (and remove the carriage-return character) ++ *--line = '\0'; ++ line = linebuffer; ++ ++ // End main loop for empty lines ++ if (*line == '\0') ++ break; ++ ++ // Process the line ++ // - Must start with 250, followed by dash or space ++ // - We won't check for the correct usage of space and dash because ++ // that is already done in read_remote(). 
++ if ((strncmp(line, "250-", 4) != 0) && (strncmp(line, "250 ", 4) != 0)) { ++ syslog(LOG_ERR, "Invalid line: %s\n", line); ++ return -1; ++ } ++ ++ // Skip the prefix ++ line += 4; ++ ++ // Check for STARTTLS ++ if (strcmp(line, "STARTTLS") == 0) ++ features->starttls = 1; ++ ++ // Parse authentication mechanisms ++ else if (strncmp(line, "AUTH ", 5) == 0) ++ parse_auth_line(line, &features->auth); ++ } ++ ++ syslog(LOG_DEBUG, "Server greeting successfully completed"); ++ ++ // STARTTLS ++ if (features->starttls) ++ syslog(LOG_DEBUG, " Server supports STARTTLS"); ++ else ++ syslog(LOG_DEBUG, " Server does not support STARTTLS"); ++ ++ // Authentication ++ if (features->auth.cram_md5) { ++ syslog(LOG_DEBUG, " Server supports CRAM-MD5 authentication"); ++ } ++ if (features->auth.login) { ++ syslog(LOG_DEBUG, " Server supports LOGIN authentication"); ++ } ++ ++ return 0; ++} ++ + static int + deliver_to_host(struct qitem *it, struct mx_hostentry *host) + { + struct authuser *a; ++ struct smtp_features features; + char line[1000]; + size_t linelen; + int fd, error = 0, do_auth = 0, res = 0; +@@ -389,7 +500,7 @@ deliver_to_host(struct qitem *it, struct mx_hostentry *host) + } + + if ((config.features & SECURETRANS) != 0) { +- error = smtp_init_crypto(fd, config.features); ++ error = smtp_init_crypto(fd, config.features, &features); + if (error == 0) + syslog(LOG_DEBUG, "SSL initialization successful"); + else +@@ -399,10 +510,12 @@ deliver_to_host(struct qitem *it, struct mx_hostentry *host) + READ_REMOTE_CHECK("connect", 2); + } + +- /* XXX allow HELO fallback */ +- /* XXX record ESMTP keywords */ +- send_remote_command(fd, "EHLO %s", hostname()); +- READ_REMOTE_CHECK("EHLO", 2); ++ // Say EHLO ++ if (perform_server_greeting(fd, &features) != 0) { ++ syslog(LOG_ERR, "Could not perform server greeting at %s [%s]: %s", ++ host->host, host->addr, neterr); ++ return -1; ++ } + + /* + * Use SMTP authentication if the user defined an entry for the remote +@@ -421,7 +534,7 
@@ deliver_to_host(struct qitem *it, struct mx_hostentry *host) + * encryption. + */ + syslog(LOG_INFO, "using SMTP authentication for user %s", a->login); +- error = smtp_login(fd, a->login, a->password); ++ error = smtp_login(fd, a->login, a->password, &features); + if (error < 0) { + syslog(LOG_ERR, "remote delivery failed:" + " SMTP login failed: %m"); diff --git a/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch b/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch index 0482c4b..f55ebe8 100644 --- a/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch +++ b/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch @@ -1,21 +1,5 @@ -diff --git a/Makefile b/Makefile -index 4c87ea9..4e0ea10 100644 ---- a/Makefile -+++ b/Makefile -@@ -73,7 +73,8 @@ objs = cache.o rfc1035.o util.o option.o forward.o network.o \ - dnsmasq.o dhcp.o lease.o rfc2131.o netlink.o dbus.o bpf.o \ - helper.o tftp.o log.o conntrack.o dhcp6.o rfc3315.o \ - dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o \ -- domain.o dnssec.o blockdata.o tables.o loop.o inotify.o poll.o -+ domain.o dnssec.o blockdata.o tables.o loop.o inotify.o poll.o \ -+ isc.o - - hdrs = dnsmasq.h config.h dhcp-protocol.h dhcp6-protocol.h \ - dns-protocol.h radv-protocol.h ip6addr.h -diff --git a/src/cache.c b/src/cache.c -index 178d654..6d0b131 100644 ---- a/src/cache.c -+++ b/src/cache.c +--- a/src/cache.c Wed Dec 16 19:24:12 2015 ++++ b/src/cache.c Wed Dec 16 19:37:37 2015 @@ -17,7 +17,7 @@ #include "dnsmasq.h"
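Review bot: In the rewritten smtp_login() (net.c hunk @@ -247,64 +247,70 @@) the fall-through case is wrong: when the EHLO response advertised neither CRAM-MD5 nor LOGIN, both `if (features->auth...)` blocks are skipped and the function reaches the final `return (0);`, reporting a successful login to deliver_to_host() although no AUTH command was ever sent; the old code always attempted a mechanism and returned 1 on failure. Add an explicit branch after the LOGIN block, e.g. `syslog(LOG_ERR, "remote delivery deferred: server offers no supported AUTH mechanism");` followed by `return (1);`. Smaller point: the `len < 0` path still jumps to `encerr:` from inside the LOGIN block; with the extra nesting, returning at both sites reads more clearly than the label.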
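Review bot: perform_server_greeting() (net.c hunk @@ -348,10 +354,115 @@) strips the carriage return with `*--line = '\0';` unconditionally. That assumes every line ends in "\r\n": a server that terminates lines with a bare "\n" loses the last character of every keyword (so "250 STARTTLS" is compared as "STARTTL" and the feature is missed), and for an empty line, where `line` still equals `linebuffer`, the decrement writes one byte before the array. Check for the '\r' first, e.g. `if (line > linebuffer && line[-1] == '\r') line--;` then `*line = '\0';`. Two follow-ups: `read_remote(fd, sizeof(buffer) - 1, buffer)` silently truncates an EHLO response longer than EHLO_RESPONSE_SIZE (2048 bytes), after which the missing final newline makes the function return -1 and delivery fails, so a syslog line at that `return -1` would save a long investigation; and `features->starttls` is parsed and logged but smtp_init_crypto() in the crypto.c hunk still sends STARTTLS without consulting it, so the flag could drive the TLS_OPP decision instead of relying on the reply code alone.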
@@ -25,7 +9,7 @@ index 178d654..6d0b131 100644 static struct crec *dhcp_spare = NULL; #endif static struct crec *new_chain = NULL; -@@ -222,6 +222,9 @@ static void cache_free(struct crec *crecp) +@@ -217,6 +217,9 @@ crecp->flags &= ~F_BIGNAME; }
@@ -35,7 +19,7 @@ index 178d654..6d0b131 100644 #ifdef HAVE_DNSSEC cache_blockdata_free(crecp); #endif -@@ -1151,7 +1154,7 @@ void cache_reload(void) +@@ -1131,7 +1134,7 @@
}
@@ -44,16 +28,7 @@ index 178d654..6d0b131 100644 struct in_addr a_record_from_hosts(char *name, time_t now) { struct crec *crecp = NULL; -@@ -1229,7 +1232,7 @@ void cache_add_dhcp_entry(char *host_name, int prot, - addrlen = sizeof(struct in6_addr); - } - #endif -- -+ - inet_ntop(prot, host_address, daemon->addrbuff, ADDRSTRLEN); - - while ((crec = cache_find_by_name(crec, host_name, 0, flags | F_CNAME))) -@@ -1294,7 +1297,11 @@ void cache_add_dhcp_entry(char *host_name, int prot, +@@ -1274,7 +1277,11 @@ else crec->ttd = ttd; crec->addr.addr = *host_address; @@ -65,11 +40,9 @@ index 178d654..6d0b131 100644 crec->uid = next_uid(); cache_hash(crec);
-diff --git a/src/dnsmasq.c b/src/dnsmasq.c -index 81254f6..ce2d1a7 100644 ---- a/src/dnsmasq.c -+++ b/src/dnsmasq.c -@@ -982,6 +982,11 @@ int main (int argc, char **argv) +--- a/src/dnsmasq.c Thu Jul 30 20:59:06 2015 ++++ b/src/dnsmasq.c Wed Dec 16 19:38:32 2015 +@@ -982,6 +982,11 @@
poll_resolv(0, daemon->last_resolv != 0, now); daemon->last_resolv = now; @@ -81,11 +54,9 @@ index 81254f6..ce2d1a7 100644 } #endif
-diff --git a/src/dnsmasq.h b/src/dnsmasq.h -index cf1a782..30437aa 100644 ---- a/src/dnsmasq.h -+++ b/src/dnsmasq.h -@@ -1519,3 +1519,7 @@ int poll_check(int fd, short event); +--- a/src/dnsmasq.h Wed Dec 16 19:24:12 2015 ++++ b/src/dnsmasq.h Wed Dec 16 19:40:11 2015 +@@ -1513,8 +1513,12 @@ void poll_listen(int fd, short event); int do_poll(int timeout);
@@ -93,11 +64,14 @@ index cf1a782..30437aa 100644 +#ifdef HAVE_ISC_READER +void load_dhcp(time_t now); +#endif -diff --git a/src/isc.c b/src/isc.c -new file mode 100644 -index 0000000..5106442 ---- /dev/null -+++ b/src/isc.c ++ + /* rrfilter.c */ + size_t rrfilter(struct dns_header *header, size_t plen, int mode); + u16 *rrfilter_desc(int type); + int expand_workspace(unsigned char ***wkspc, int *szp, int new); +- +--- /dev/null Wed Dec 16 19:48:08 2015 ++++ b/src/isc.c Wed Dec 16 19:41:35 2015 @@ -0,0 +1,251 @@ +/* dnsmasq is Copyright (c) 2014 John Volpe, Simon Kelley and + Michael Tremer @@ -350,11 +324,9 @@ index 0000000..5106442 +} + +#endif -diff --git a/src/option.c b/src/option.c -index ecc2619..527c5aa 100644 ---- a/src/option.c -+++ b/src/option.c -@@ -1699,7 +1699,7 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma +--- a/src/option.c Wed Dec 16 19:24:12 2015 ++++ b/src/option.c Wed Dec 16 19:42:48 2015 +@@ -1754,7 +1754,7 @@ ret_err(_("bad MX target")); break;
@@ -363,3 +335,14 @@ index ecc2619..527c5aa 100644 case 'l': /* --dhcp-leasefile */ daemon->lease_file = opt_string_alloc(arg); break; +--- a/Makefile Wed Dec 16 19:24:12 2015 ++++ b/Makefile Wed Dec 16 19:28:45 2015 +@@ -74,7 +74,7 @@ + helper.o tftp.o log.o conntrack.o dhcp6.o rfc3315.o \ + dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o \ + domain.o dnssec.o blockdata.o tables.o loop.o inotify.o \ +- poll.o rrfilter.o ++ poll.o rrfilter.o isc.o + + hdrs = dnsmasq.h config.h dhcp-protocol.h dhcp6-protocol.h \ + dns-protocol.h radv-protocol.h ip6addr.h diff --git a/src/patches/dnsmasq/010-Rationalise_5e3e464ac4022ee0b3794513abe510817e2cf3ca.patch b/src/patches/dnsmasq/010-Rationalise_5e3e464ac4022ee0b3794513abe510817e2cf3ca.patch new file mode 100644 index 0000000..281697f --- /dev/null +++ b/src/patches/dnsmasq/010-Rationalise_5e3e464ac4022ee0b3794513abe510817e2cf3ca.patch @@ -0,0 +1,26 @@ +From 27b78d990b7cd901866ad6f1a17b9d633a95fdce Mon Sep 17 00:00:00 2001 +From: Simon Kelley simon@thekelleys.org.uk +Date: Sat, 26 Sep 2015 21:40:45 +0100 +Subject: [PATCH] Rationalise 5e3e464ac4022ee0b3794513abe510817e2cf3ca + +--- + src/rfc3315.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/src/rfc3315.c b/src/rfc3315.c +index 3f1f9ee..3ed8623 100644 +--- a/src/rfc3315.c ++++ b/src/rfc3315.c +@@ -1324,8 +1324,7 @@ static struct dhcp_netid *add_options(struct state *state, int do_refresh) + if (opt_cfg->opt == OPTION6_DNS_SERVER) + done_dns = 1; + +- /* Empty DNS_SERVER option will not set DHOPT_ADDR6 */ +- if ((opt_cfg->flags & DHOPT_ADDR6) || opt_cfg->opt == OPTION6_DNS_SERVER) ++ if (opt_cfg->flags & DHOPT_ADDR6) + { + int len, j; + struct in6_addr *a; +-- +1.7.10.4 + diff --git a/src/patches/dnsmasq/011-Catch_errors_from_sendmsg_in_DHCP_code.patch b/src/patches/dnsmasq/011-Catch_errors_from_sendmsg_in_DHCP_code.patch new file mode 100644 index 0000000..631495f --- /dev/null 
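Review bot: the dnsmasq.h hunk guards the new `+void load_dhcp(time_t now);` prototype with `+#ifdef HAVE_ISC_READER`, while the Makefile hunk adds `isc.o` to the object list unconditionally (`+  poll.o rrfilter.o isc.o`); this only links when HAVE_ISC_READER is unset because the new src/isc.c closes with `+#endif`, i.e. the whole file compiles to nothing in that configuration. State that dependency in the patch description, or guard the object in the Makefile as well, so the next refresh of this patch does not silently break the non-ISC build.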
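Review bot: the rewritten patch swaps the `diff --git a/src/dnsmasq.c b/src/dnsmasq.c` / `index 81254f6..ce2d1a7 100644` headers for timestamped `--- a/src/dnsmasq.c Thu Jul 30 20:59:06 2015` lines, which throws away the blob ids that identify the upstream revision the patch was generated against; keep the git-style headers (regenerate the patch with git diff or git format-patch) so the base revision stays traceable when the patch has to be rebased onto the next dnsmasq release.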
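Review bot: the message "Rationalise 5e3e464ac4022ee0b3794513abe510817e2cf3ca" does not say what the removed clause `|| opt_cfg->opt == OPTION6_DNS_SERVER` was for or why dropping it is safe. After this hunk an empty dns-server option without DHOPT_ADDR6 still sets `done_dns = 1` two lines above but no longer enters the address-emitting branch; spell out in the commit message that the empty-option case is now carried by the done_dns flag alone, otherwise a reader has to dig up the referenced commit to understand the change.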
+++ b/src/patches/dnsmasq/011-Catch_errors_from_sendmsg_in_DHCP_code.patch @@ -0,0 +1,32 @@ +From 98079ea89851da1df4966dfdfa1852a98da02912 Mon Sep 17 00:00:00 2001 +From: Simon Kelley simon@thekelleys.org.uk +Date: Tue, 13 Oct 2015 20:30:32 +0100 +Subject: [PATCH] Catch errors from sendmsg in DHCP code. Logs, eg, iptables + DROPS of dest 255.255.255.255 + +--- + src/dhcp.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/dhcp.c b/src/dhcp.c +index e6fceb1..1c85e42 100644 +--- a/src/dhcp.c ++++ b/src/dhcp.c +@@ -452,8 +452,13 @@ void dhcp_packet(time_t now, int pxe_fd) + #endif + + while(retry_send(sendmsg(fd, &msg, 0))); ++ ++ /* This can fail when, eg, iptables DROPS destination 255.255.255.255 */ ++ if (errno != 0) ++ my_syslog(MS_DHCP | LOG_WARNING, _("Error sending DHCP packet to %s: %s"), ++ inet_ntoa(dest.sin_addr), strerror(errno)); + } +- ++ + /* check against secondary interface addresses */ + static int check_listen_addrs(struct in_addr local, int if_index, char *label, + struct in_addr netmask, struct in_addr broadcast, void *vparam) +-- +1.7.10.4 + diff --git a/src/patches/dnsmasq/012-Update_list_of_subnet_for_--bogus-priv.patch b/src/patches/dnsmasq/012-Update_list_of_subnet_for_--bogus-priv.patch new file mode 100644 index 0000000..3ba98fc --- /dev/null +++ b/src/patches/dnsmasq/012-Update_list_of_subnet_for_--bogus-priv.patch 
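Review bot: the new `if (errno != 0)` test after `while(retry_send(sendmsg(fd, &msg, 0)));` reads errno following a successful call, and sendmsg() does not clear errno on success, so the warning is only correct if retry_send() resets errno to 0 when it returns success. Either add an explicit `errno = 0;` before the loop or a comment stating that retry_send() guarantees it; otherwise a stale errno from an earlier syscall logs a spurious "Error sending DHCP packet to %s" for a packet that went out fine.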
@@ -0,0 +1,48 @@ +From 90477fb79420a34124b66ebd808c578817a30e4c Mon Sep 17 00:00:00 2001 +From: Simon Kelley simon@thekelleys.org.uk +Date: Tue, 20 Oct 2015 21:21:32 +0100 +Subject: [PATCH] Update list of subnet for --bogus-priv + +RFC6303 specifies & recommends following zones not be forwarded +to globally facing servers. ++------------------------------+-----------------------+ +| Zone | Description | ++------------------------------+-----------------------+ +| 0.IN-ADDR.ARPA | IPv4 "THIS" NETWORK | +| 127.IN-ADDR.ARPA | IPv4 Loopback NETWORK | +| 254.169.IN-ADDR.ARPA | IPv4 LINK LOCAL | +| 2.0.192.IN-ADDR.ARPA | IPv4 TEST-NET-1 | +| 100.51.198.IN-ADDR.ARPA | IPv4 TEST-NET-2 | +| 113.0.203.IN-ADDR.ARPA | IPv4 TEST-NET-3 | +| 255.255.255.255.IN-ADDR.ARPA | IPv4 BROADCAST | ++------------------------------+-----------------------+ + +Signed-off-by: Kevin Darbyshire-Bryant kevin@darbyshire-bryant.me.uk +--- + src/rfc1035.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/src/rfc1035.c b/src/rfc1035.c +index 6a51b30..4eb1772 100644 +--- a/src/rfc1035.c ++++ b/src/rfc1035.c +@@ -756,10 +756,14 @@ int private_net(struct in_addr addr, int ban_localhost) + return + (((ip_addr & 0xFF000000) == 0x7F000000) && ban_localhost) /* 127.0.0.0/8 (loopback) */ || + ((ip_addr & 0xFF000000) == 0x00000000) /* RFC 5735 section 3. 
"here" network */ || +- ((ip_addr & 0xFFFF0000) == 0xC0A80000) /* 192.168.0.0/16 (private) */ || + ((ip_addr & 0xFF000000) == 0x0A000000) /* 10.0.0.0/8 (private) */ || + ((ip_addr & 0xFFF00000) == 0xAC100000) /* 172.16.0.0/12 (private) */ || +- ((ip_addr & 0xFFFF0000) == 0xA9FE0000) /* 169.254.0.0/16 (zeroconf) */ ; ++ ((ip_addr & 0xFFFF0000) == 0xC0A80000) /* 192.168.0.0/16 (private) */ || ++ ((ip_addr & 0xFFFF0000) == 0xA9FE0000) /* 169.254.0.0/16 (zeroconf) */ || ++ ((ip_addr & 0xFFFFFF00) == 0xC0000200) /* 192.0.2.0/24 (test-net) */ || ++ ((ip_addr & 0xFFFFFF00) == 0xC6336400) /* 198.51.100.0/24(test-net) */ || ++ ((ip_addr & 0xFFFFFF00) == 0xCB007100) /* 203.0.113.0/24 (test-net) */ || ++ ((ip_addr & 0xFFFFFFFF) == 0xFFFFFFFF) /* 255.255.255.255/32 (broadcast)*/ ; + } + + static unsigned char *do_doctor(unsigned char *p, int count, struct dns_header *header, size_t qlen, char *name, int *doctored) +-- +1.7.10.4 + diff --git a/src/patches/dnsmasq/013-Fix_crash_when_empty_address_from_DNS_overlays_A_record_from.patch b/src/patches/dnsmasq/013-Fix_crash_when_empty_address_from_DNS_overlays_A_record_from.patch new file mode 100644 index 0000000..736cf38 --- /dev/null +++ b/src/patches/dnsmasq/013-Fix_crash_when_empty_address_from_DNS_overlays_A_record_from.patch 
@@ -0,0 +1,43 @@ +From 41a8d9e99be9f2cc8b02051dd322cb45e0faac87 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Edwin=20T=C3=B6r=C3=B6k?= edwin+ml-cerowrt@etorok.net +Date: Sat, 14 Nov 2015 17:45:48 +0000 +Subject: [PATCH] Fix crash when empty address from DNS overlays A record from + hosts. + +--- + CHANGELOG | 5 +++++ + src/cache.c | 2 +- + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/CHANGELOG b/CHANGELOG +index d6e309f..93c73d0 100644 +--- a/CHANGELOG ++++ b/CHANGELOG +@@ -13,6 +13,11 @@ version 2.76 + was a dangling symbolic link, even of --no-resolv set. + Thanks to Alexander Kurtz for spotting the problem. + ++ Fix crash when an A or AAAA record is defined locally, ++ in a hosts file, and an upstream server sends a reply ++ that the same name is empty. Thanks to Edwin Török for ++ the patch. ++ + + version 2.75 + Fix reversion on 2.74 which caused 100% CPU use when a +diff --git a/src/cache.c b/src/cache.c +index 178d654..1b76b67 100644 +--- a/src/cache.c ++++ b/src/cache.c +@@ -481,7 +481,7 @@ struct crec *cache_insert(char *name, struct all_addr *addr, + existing record is for an A or AAAA and + the record we're trying to insert is the same, + just drop the insert, but don't error the whole process. */ +- if ((flags & (F_IPV4 | F_IPV6)) && (flags & F_FORWARD)) ++ if ((flags & (F_IPV4 | F_IPV6)) && (flags & F_FORWARD) && addr) + { + if ((flags & F_IPV4) && (new->flags & F_IPV4) && + new->addr.addr.addr.addr4.s_addr == addr->addr.addr4.s_addr) +-- +1.7.10.4 + diff --git a/src/patches/dnsmasq/014-Handle_unknown_DS_hash_algos_correctly.patch b/src/patches/dnsmasq/014-Handle_unknown_DS_hash_algos_correctly.patch new file mode 100644 index 0000000..8b17431 --- /dev/null +++ b/src/patches/dnsmasq/014-Handle_unknown_DS_hash_algos_correctly.patch 
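Review bot: appending `&& addr` to `if ((flags & (F_IPV4 | F_IPV6)) && (flags & F_FORWARD))` stops the NULL dereference at `addr->addr.addr4.s_addr`, but it does so by skipping the whole duplicate-record branch, so an F_IPV4/F_IPV6 insert with no address now falls through to the code after this block; confirm that path copes with `addr == NULL` (anything that later copies `*addr` into the new record hits the same crash one step on). The CHANGELOG entry should also say plainly that the trigger is an upstream reply carrying the name with no address data, which is what "that the same name is empty" is trying to express.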
@@ -0,0 +1,39 @@ +From 67ab3285b5d9a1b1e20e034cf272867fdab8a0f9 Mon Sep 17 00:00:00 2001 +From: Simon Kelley simon@thekelleys.org.uk +Date: Fri, 20 Nov 2015 23:20:47 +0000 +Subject: [PATCH] Handle unknown DS hash algos correctly. + +When we can validate a DS RRset, but don't speak the hash algo it +contains, treat that the same as an NSEC/3 proving that the DS +doesn't exist. 4025 5.2 +--- + src/dnssec.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/src/dnssec.c b/src/dnssec.c +index 67ce486..b4dc14e 100644 +--- a/src/dnssec.c ++++ b/src/dnssec.c +@@ -1005,6 +1005,19 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch + if (crecp->flags & F_NEG) + return STAT_INSECURE_DS; + ++ /* 4035 5.2 ++ If the validator does not support any of the algorithms listed in an ++ authenticated DS RRset, then the resolver has no supported ++ authentication path leading from the parent to the child. The ++ resolver should treat this case as it would the case of an ++ authenticated NSEC RRset proving that no DS RRset exists, */ ++ for (recp1 = crecp; recp1; recp1 = cache_find_by_name(recp1, name, now, F_DS)) ++ if (hash_find(ds_digest_name(recp1->addr.ds.digest))) ++ break; ++ ++ if (!recp1) ++ return STAT_INSECURE_DS; ++ + /* NOTE, we need to find ONE DNSKEY which matches the DS */ + for (valid = 0, j = ntohs(header->ancount); j != 0 && !valid; j--) + { +-- +1.7.10.4 + diff --git a/src/patches/dnsmasq/015-Fix_crash_at_start_up_with_conf-dir.patch b/src/patches/dnsmasq/015-Fix_crash_at_start_up_with_conf-dir.patch new file mode 100644 index 0000000..a9102c1 --- /dev/null +++ b/src/patches/dnsmasq/015-Fix_crash_at_start_up_with_conf-dir.patch 
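Review bot: the commit message cites "4025 5.2" while the added code comment cites "4035 5.2"; RFC 4035 section 5.2 is the text being quoted, so fix the message. In the added loop, `if (hash_find(ds_digest_name(recp1->addr.ds.digest)))` passes whatever ds_digest_name() returns for an unknown digest type straight into hash_find(); since the unknown-algorithm case is exactly what this patch is about, make sure hash_find() accepts a NULL name (or test the ds_digest_name() result first). Returning STAT_INSECURE_DS when `!recp1` before the DNSKEY matching loop is the right downgrade, but a log line naming the unsupported algorithm would make the resulting insecure answers explainable from the logs.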
@@ -0,0 +1,38 @@ +From 0007ee90646a5a78a96ee729932e89d31c69513a Mon Sep 17 00:00:00 2001 +From: Simon Kelley simon@thekelleys.org.uk +Date: Sat, 21 Nov 2015 21:47:41 +0000 +Subject: [PATCH] Fix crash at start up with conf-dir=/path,* + +Thanks to Brian Carpenter and American Fuzzy Lop for finding the bug. +--- + src/option.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/src/option.c b/src/option.c +index 746cd11..71beb98 100644 +--- a/src/option.c ++++ b/src/option.c +@@ -1515,10 +1515,16 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma + li = opt_malloc(sizeof(struct list)); + if (*arg == '*') + { +- li->next = match_suffix; +- match_suffix = li; +- /* Have to copy: buffer is overwritten */ +- li->suffix = opt_string_alloc(arg+1); ++ /* "*" with no suffix is a no-op */ ++ if (arg[1] == 0) ++ free(li); ++ else ++ { ++ li->next = match_suffix; ++ match_suffix = li; ++ /* Have to copy: buffer is overwritten */ ++ li->suffix = opt_string_alloc(arg+1); ++ } + } + else + { +-- +1.7.10.4 + diff --git a/src/patches/dnsmasq/016-Major_rationalisation_of_DNSSEC_validation.patch b/src/patches/dnsmasq/016-Major_rationalisation_of_DNSSEC_validation.patch new file mode 100644 index 0000000..7f25066 --- /dev/null +++ b/src/patches/dnsmasq/016-Major_rationalisation_of_DNSSEC_validation.patch 
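Review bot: `li = opt_malloc(sizeof(struct list));` is still executed before the new `if (arg[1] == 0) free(li);` test, so the bare-`*` case allocates and immediately frees; move the allocation below the test (or into the `else` branch) and the free() disappears. Also, a bare `*` in `conf-dir=/path,*` is now silently accepted as a no-op per the new comment; since the fuzzer-found crash came from exactly this input, consider reporting a configuration error instead so the user learns that the filter matched nothing.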
@@ -0,0 +1,2209 @@ +From 9a31b68b59adcac01016d4026d906b69c4216c01 Mon Sep 17 00:00:00 2001 +From: Simon Kelley simon@thekelleys.org.uk +Date: Tue, 15 Dec 2015 10:20:39 +0000 +Subject: [PATCH] Major rationalisation of DNSSEC validation. + +Much gnarly special-case code removed and replaced with correct +general implementaion. Checking of zone-status moved to DNSSEC code, +where it should be, vastly simplifying query-forwarding code. +--- + src/dnsmasq.h | 19 +- + src/dnssec.c | 926 ++++++++++++++++++++++++++++++--------------------------- + src/forward.c | 741 ++++++++++----------------------------------- + 3 files changed, 653 insertions(+), 1033 deletions(-) + +diff --git a/src/dnsmasq.h b/src/dnsmasq.h +index f42acdb..023a1cf 100644 +--- a/src/dnsmasq.h ++++ b/src/dnsmasq.h +@@ -586,12 +586,8 @@ struct hostsfile { + #define STAT_NEED_KEY 5 + #define STAT_TRUNCATED 6 + #define STAT_SECURE_WILDCARD 7 +-#define STAT_NO_SIG 8 +-#define STAT_NO_DS 9 +-#define STAT_NO_NS 10 +-#define STAT_NEED_DS_NEG 11 +-#define STAT_CHASE_CNAME 12 +-#define STAT_INSECURE_DS 13 ++#define STAT_OK 8 ++#define STAT_ABANDONED 9 + + #define FREC_NOREBIND 1 + #define FREC_CHECKING_DISABLED 2 +@@ -601,8 +597,7 @@ struct hostsfile { + #define FREC_AD_QUESTION 32 + #define FREC_DO_QUESTION 64 + #define FREC_ADDED_PHEADER 128 +-#define FREC_CHECK_NOSIGN 256 +-#define FREC_TEST_PKTSZ 512 ++#define FREC_TEST_PKTSZ 256 + + #ifdef HAVE_DNSSEC + #define HASH_SIZE 20 /* SHA-1 digest size */ +@@ -626,9 +621,7 @@ struct frec { + #ifdef HAVE_DNSSEC + int class, work_counter; + struct blockdata *stash; /* Saved reply, whilst we validate */ +- struct blockdata *orig_domain; /* domain of original query, whilst +- we're seeing is if in unsigned domain */ +- size_t stash_len, name_start, name_len; ++ size_t stash_len; + struct frec *dependent; /* Query awaiting internally-generated DNSKEY or DS query */ + struct frec *blocking_query; /* Query which is blocking us. 
*/ + #endif +@@ -1162,8 +1155,8 @@ int in_zone(struct auth_zone *zone, char *name, char **cut); + size_t dnssec_generate_query(struct dns_header *header, char *end, char *name, int class, int type, union mysockaddr *addr, int edns_pktsz); + int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t n, char *name, char *keyname, int class); + int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int class); +-int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int *class, int *neganswer, int *nons); +-int dnssec_chase_cname(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname); ++int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int *class, ++ int check_unsigned, int *neganswer, int *nons); + int dnskey_keytag(int alg, int flags, unsigned char *rdata, int rdlen); + size_t filter_rrsigs(struct dns_header *header, size_t plen); + unsigned char* hash_questions(struct dns_header *header, size_t plen, char *name); +diff --git a/src/dnssec.c b/src/dnssec.c +index b4dc14e..de7b335 100644 +--- a/src/dnssec.c ++++ b/src/dnssec.c +@@ -65,8 +65,10 @@ static char *algo_digest_name(int algo) + case 8: return "sha256"; + case 10: return "sha512"; + case 12: return "gosthash94"; ++#ifndef NO_NETTLE_ECC + case 13: return "sha256"; + case 14: return "sha384"; ++#endif + default: return NULL; + } + } +@@ -592,30 +594,30 @@ static int get_rdata(struct dns_header *header, size_t plen, unsigned char *end, + } + } + +-static int expand_workspace(unsigned char ***wkspc, int *sz, int new) ++static int expand_workspace(unsigned char ***wkspc, int *szp, int new) + { + unsigned char **p; +- int new_sz = *sz; +- +- if (new_sz > new) ++ int old = *szp; ++ ++ if (old >= new+1) + return 1; + + if (new >= 100) + return 0; + +- new_sz += 5; ++ new += 5; + +- if (!(p = whine_malloc((new_sz) * sizeof(unsigned 
char **)))) ++ if (!(p = whine_malloc(new * sizeof(unsigned char **)))) + return 0; + +- if (*wkspc) ++ if (old != 0 && *wkspc) + { +- memcpy(p, *wkspc, *sz * sizeof(unsigned char **)); ++ memcpy(p, *wkspc, old * sizeof(unsigned char **)); + free(*wkspc); + } + + *wkspc = p; +- *sz = new_sz; ++ *szp = new; + + return 1; + } +@@ -706,47 +708,28 @@ static void sort_rrset(struct dns_header *header, size_t plen, u16 *rr_desc, int + } while (swap); + } + +-/* Validate a single RRset (class, type, name) in the supplied DNS reply +- Return code: +- STAT_SECURE if it validates. +- STAT_SECURE_WILDCARD if it validates and is the result of wildcard expansion. +- (In this case *wildcard_out points to the "body" of the wildcard within name.) +- STAT_NO_SIG no RRsigs found. +- STAT_INSECURE RRset empty. +- STAT_BOGUS signature is wrong, bad packet. +- STAT_NEED_KEY need DNSKEY to complete validation (name is returned in keyname) +- +- if key is non-NULL, use that key, which has the algo and tag given in the params of those names, +- otherwise find the key in the cache. ++static unsigned char **rrset = NULL, **sigs = NULL; + +- name is unchanged on exit. keyname is used as workspace and trashed. +-*/ +-static int validate_rrset(time_t now, struct dns_header *header, size_t plen, int class, int type, +- char *name, char *keyname, char **wildcard_out, struct blockdata *key, int keylen, int algo_in, int keytag_in) ++/* Get pointers to RRset menbers and signature(s) for same. ++ Check signatures, and return keyname associated in keyname. 
*/ ++static int explore_rrset(struct dns_header *header, size_t plen, int class, int type, ++ char *name, char *keyname, int *sigcnt, int *rrcnt) + { +- static unsigned char **rrset = NULL, **sigs = NULL; +- static int rrset_sz = 0, sig_sz = 0; +- ++ static int rrset_sz = 0, sig_sz = 0; + unsigned char *p; +- int rrsetidx, sigidx, res, rdlen, j, name_labels; +- struct crec *crecp = NULL; +- int type_covered, algo, labels, orig_ttl, sig_expiration, sig_inception, key_tag; +- u16 *rr_desc = get_desc(type); +- +- if (wildcard_out) +- *wildcard_out = NULL; +- ++ int rrsetidx, sigidx, j, rdlen, res; ++ int name_labels = count_labels(name); /* For 4035 5.3.2 check */ ++ int gotkey = 0; ++ + if (!(p = skip_questions(header, plen))) + return STAT_BOGUS; +- +- name_labels = count_labels(name); /* For 4035 5.3.2 check */ + +- /* look for RRSIGs for this RRset and get pointers to each RR in the set. */ ++ /* look for RRSIGs for this RRset and get pointers to each RR in the set. */ + for (rrsetidx = 0, sigidx = 0, j = ntohs(header->ancount) + ntohs(header->nscount); + j != 0; j--) + { + unsigned char *pstart, *pdata; +- int stype, sclass; ++ int stype, sclass, algo, type_covered, labels, sig_expiration, sig_inception; + + pstart = p; + +@@ -762,14 +745,14 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in + GETSHORT(rdlen, p); + + if (!CHECK_LEN(header, p, plen, rdlen)) +- return STAT_BOGUS; ++ return 0; + + if (res == 1 && sclass == class) + { + if (stype == type) + { + if (!expand_workspace(&rrset, &rrset_sz, rrsetidx)) +- return STAT_BOGUS; ++ return 0; + + rrset[rrsetidx++] = pstart; + } +@@ -777,14 +760,54 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in + if (stype == T_RRSIG) + { + if (rdlen < 18) +- return STAT_BOGUS; /* bad packet */ ++ return 0; /* bad packet */ + + GETSHORT(type_covered, p); ++ algo = *p++; ++ labels = *p++; ++ p += 4; /* orig_ttl */ ++ GETLONG(sig_expiration, p); ++ 
GETLONG(sig_inception, p); ++ p += 2; /* key_tag */ + +- if (type_covered == type) ++ if (gotkey) ++ { ++ /* If there's more than one SIG, ensure they all have same keyname */ ++ if (extract_name(header, plen, &p, keyname, 0, 0) != 1) ++ return 0; ++ } ++ else ++ { ++ gotkey = 1; ++ ++ if (!extract_name(header, plen, &p, keyname, 1, 0)) ++ return 0; ++ ++ /* RFC 4035 5.3.1 says that the Signer's Name field MUST equal ++ the name of the zone containing the RRset. We can't tell that ++ for certain, but we can check that the RRset name is equal to ++ or encloses the signers name, which should be enough to stop ++ an attacker using signatures made with the key of an unrelated ++ zone he controls. Note that the root key is always allowed. */ ++ if (*keyname != 0) ++ { ++ char *name_start; ++ for (name_start = name; !hostname_isequal(name_start, keyname); ) ++ if ((name_start = strchr(name_start, '.'))) ++ name_start++; /* chop a label off and try again */ ++ else ++ return 0; ++ } ++ } ++ ++ /* Don't count signatures for algos we don't support */ ++ if (check_date_range(sig_inception, sig_expiration) && ++ labels <= name_labels && ++ type_covered == type && ++ algo_digest_name(algo)) + { + if (!expand_workspace(&sigs, &sig_sz, sigidx)) +- return STAT_BOGUS; ++ return 0; + + sigs[sigidx++] = pdata; + } +@@ -794,17 +817,45 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in + } + + if (!ADD_RDLEN(header, p, plen, rdlen)) +- return STAT_BOGUS; ++ return 0; + } + +- /* RRset empty */ +- if (rrsetidx == 0) +- return STAT_INSECURE; ++ *sigcnt = sigidx; ++ *rrcnt = rrsetidx; ++ ++ return 1; ++} ++ ++/* Validate a single RRset (class, type, name) in the supplied DNS reply ++ Return code: ++ STAT_SECURE if it validates. ++ STAT_SECURE_WILDCARD if it validates and is the result of wildcard expansion. ++ (In this case *wildcard_out points to the "body" of the wildcard within name.) ++ STAT_BOGUS signature is wrong, bad packet. 
++ STAT_NEED_KEY need DNSKEY to complete validation (name is returned in keyname) ++ STAT_NEED_DS need DS to complete validation (name is returned in keyname) ++ ++ if key is non-NULL, use that key, which has the algo and tag given in the params of those names, ++ otherwise find the key in the cache. + +- /* no RRSIGs */ +- if (sigidx == 0) +- return STAT_NO_SIG; ++ name is unchanged on exit. keyname is used as workspace and trashed. ++ ++ Call explore_rrset first to find and count RRs and sigs. ++*/ ++static int validate_rrset(time_t now, struct dns_header *header, size_t plen, int class, int type, int sigidx, int rrsetidx, ++ char *name, char *keyname, char **wildcard_out, struct blockdata *key, int keylen, int algo_in, int keytag_in) ++{ ++ unsigned char *p; ++ int rdlen, j, name_labels; ++ struct crec *crecp = NULL; ++ int algo, labels, orig_ttl, key_tag; ++ u16 *rr_desc = get_desc(type); ++ ++ if (wildcard_out) ++ *wildcard_out = NULL; + ++ name_labels = count_labels(name); /* For 4035 5.3.2 check */ ++ + /* Sort RRset records into canonical order. + Note that at this point keyname and daemon->workspacename buffs are + unused, and used as workspace by the sort. */ +@@ -828,44 +879,16 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in + algo = *p++; + labels = *p++; + GETLONG(orig_ttl, p); +- GETLONG(sig_expiration, p); +- GETLONG(sig_inception, p); ++ p += 8; /* sig_expiration, sig_inception already checked */ + GETSHORT(key_tag, p); + + if (!extract_name(header, plen, &p, keyname, 1, 0)) + return STAT_BOGUS; + +- /* RFC 4035 5.3.1 says that the Signer's Name field MUST equal +- the name of the zone containing the RRset. We can't tell that +- for certain, but we can check that the RRset name is equal to +- or encloses the signers name, which should be enough to stop +- an attacker using signatures made with the key of an unrelated +- zone he controls. Note that the root key is always allowed. 
*/ +- if (*keyname != 0) +- { +- int failed = 0; +- +- for (name_start = name; !hostname_isequal(name_start, keyname); ) +- if ((name_start = strchr(name_start, '.'))) +- name_start++; /* chop a label off and try again */ +- else +- { +- failed = 1; +- break; +- } +- +- /* Bad sig, try another */ +- if (failed) +- continue; +- } +- +- /* Other 5.3.1 checks */ +- if (!check_date_range(sig_inception, sig_expiration) || +- labels > name_labels || +- !(hash = hash_find(algo_digest_name(algo))) || ++ if (!(hash = hash_find(algo_digest_name(algo))) || + !hash_init(hash, &ctx, &digest)) + continue; +- ++ + /* OK, we have the signature record, see if the relevant DNSKEY is in the cache. */ + if (!key && !(crecp = cache_find_by_name(NULL, keyname, now, F_DNSKEY))) + return STAT_NEED_KEY; +@@ -971,10 +994,11 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in + /* The DNS packet is expected to contain the answer to a DNSKEY query. + Put all DNSKEYs in the answer which are valid into the cache. + return codes: +- STAT_SECURE At least one valid DNSKEY found and in cache. +- STAT_BOGUS No DNSKEYs found, which can be validated with DS, +- or self-sign for DNSKEY RRset is not valid, bad packet. +- STAT_NEED_DS DS records to validate a key not found, name in keyname ++ STAT_OK Done, key(s) in cache. ++ STAT_BOGUS No DNSKEYs found, which can be validated with DS, ++ or self-sign for DNSKEY RRset is not valid, bad packet. 
++ STAT_NEED_DS DS records to validate a key not found, name in keyname ++ STAT_NEED_DNSKEY DNSKEY records to validate a key not found, name in keyname + */ + int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int class) + { +@@ -1001,23 +1025,6 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch + return STAT_NEED_DS; + } + +- /* If we've cached that DS provably doesn't exist, result must be INSECURE */ +- if (crecp->flags & F_NEG) +- return STAT_INSECURE_DS; +- +- /* 4035 5.2 +- If the validator does not support any of the algorithms listed in an +- authenticated DS RRset, then the resolver has no supported +- authentication path leading from the parent to the child. The +- resolver should treat this case as it would the case of an +- authenticated NSEC RRset proving that no DS RRset exists, */ +- for (recp1 = crecp; recp1; recp1 = cache_find_by_name(recp1, name, now, F_DS)) +- if (hash_find(ds_digest_name(recp1->addr.ds.digest))) +- break; +- +- if (!recp1) +- return STAT_INSECURE_DS; +- + /* NOTE, we need to find ONE DNSKEY which matches the DS */ + for (valid = 0, j = ntohs(header->ancount); j != 0 && !valid; j--) + { +@@ -1070,7 +1077,8 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch + void *ctx; + unsigned char *digest, *ds_digest; + const struct nettle_hash *hash; +- ++ int sigcnt, rrcnt; ++ + if (recp1->addr.ds.algo == algo && + recp1->addr.ds.keytag == keytag && + recp1->uid == (unsigned int)class && +@@ -1088,10 +1096,14 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch + + from_wire(name); + +- if (recp1->addr.ds.keylen == (int)hash->digest_size && ++ if (!(recp1->flags & F_NEG) && ++ recp1->addr.ds.keylen == (int)hash->digest_size && + (ds_digest = blockdata_retrieve(recp1->addr.key.keydata, recp1->addr.ds.keylen, NULL)) && + memcmp(ds_digest, digest, recp1->addr.ds.keylen) == 0 && +- 
validate_rrset(now, header, plen, class, T_DNSKEY, name, keyname, NULL, key, rdlen - 4, algo, keytag) == STAT_SECURE) ++ explore_rrset(header, plen, class, T_DNSKEY, name, keyname, &sigcnt, &rrcnt) && ++ sigcnt != 0 && rrcnt != 0 && ++ validate_rrset(now, header, plen, class, T_DNSKEY, sigcnt, rrcnt, name, keyname, ++ NULL, key, rdlen - 4, algo, keytag) == STAT_SECURE) + { + valid = 1; + break; +@@ -1112,7 +1124,7 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch + { + /* Ensure we have type, class TTL and length */ + if (!(rc = extract_name(header, plen, &p, name, 0, 10))) +- return STAT_INSECURE; /* bad packet */ ++ return STAT_BOGUS; /* bad packet */ + + GETSHORT(qtype, p); + GETSHORT(qclass, p); +@@ -1198,7 +1210,7 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch + + /* commit cache insert. */ + cache_end_insert(); +- return STAT_SECURE; ++ return STAT_OK; + } + + log_query(F_NOEXTRA | F_UPSTREAM, name, NULL, "BOGUS DNSKEY"); +@@ -1207,12 +1219,14 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch + + /* The DNS packet is expected to contain the answer to a DS query + Put all DSs in the answer which are valid into the cache. ++ Also handles replies which prove that there's no DS at this location, ++ either because the zone is unsigned or this isn't a zone cut. These are ++ cached too. + return codes: +- STAT_SECURE At least one valid DS found and in cache. +- STAT_NO_DS It's proved there's no DS here. +- STAT_NO_NS It's proved there's no DS _or_ NS here. ++ STAT_OK At least one valid DS found and in cache. + STAT_BOGUS no DS in reply or not signed, fails validation, bad packet. + STAT_NEED_KEY DNSKEY records to validate a DS not found, name in keyname ++ STAT_NEED_DS DS record needed. 
+ */ + + int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int class) +@@ -1230,7 +1244,7 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char + if (qtype != T_DS || qclass != class) + val = STAT_BOGUS; + else +- val = dnssec_validate_reply(now, header, plen, name, keyname, NULL, &neganswer, &nons); ++ val = dnssec_validate_reply(now, header, plen, name, keyname, NULL, 0, &neganswer, &nons); + /* Note dnssec_validate_reply() will have cached positive answers */ + + if (val == STAT_INSECURE) +@@ -1242,22 +1256,21 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char + + if (!(p = skip_section(p, ntohs(header->ancount), header, plen))) + val = STAT_BOGUS; +- +- /* If we return STAT_NO_SIG, name contains the name of the DS query */ +- if (val == STAT_NO_SIG) +- return val; + + /* If the key needed to validate the DS is on the same domain as the DS, we'll + loop getting nowhere. Stop that now. This can happen of the DS answer comes + from the DS's zone, and not the parent zone. */ +- if (val == STAT_BOGUS || (val == STAT_NEED_KEY && hostname_isequal(name, keyname))) ++ if (val == STAT_BOGUS || (val == STAT_NEED_KEY && hostname_isequal(name, keyname))) + { + log_query(F_NOEXTRA | F_UPSTREAM, name, NULL, "BOGUS DS"); + return STAT_BOGUS; + } ++ ++ if (val != STAT_SECURE) ++ return val; + + /* By here, the answer is proved secure, and a positive answer has been cached. */ +- if (val == STAT_SECURE && neganswer) ++ if (neganswer) + { + int rdlen, flags = F_FORWARD | F_DS | F_NEG | F_DNSSECOK; + unsigned long ttl, minttl = ULONG_MAX; +@@ -1317,15 +1330,14 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char + + cache_end_insert(); + +- log_query(F_NOEXTRA | F_UPSTREAM, name, NULL, nons ? "no delegation" : "no DS"); ++ log_query(F_NOEXTRA | F_UPSTREAM, name, NULL, "no DS"); + } +- +- return nons ? 
STAT_NO_NS : STAT_NO_DS; + } + +- return val; ++ return STAT_OK; + } + ++ + /* 4034 6.1 */ + static int hostname_cmp(const char *a, const char *b) + { +@@ -1452,7 +1464,7 @@ static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsi + int mask = 0x80 >> (type & 0x07); + + if (nons) +- *nons = 0; ++ *nons = 1; + + /* Find NSEC record that proves name doesn't exist */ + for (i = 0; i < nsec_count; i++) +@@ -1480,9 +1492,22 @@ static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsi + /* rdlen is now length of type map, and p points to it */ + + /* If we can prove that there's no NS record, return that information. */ +- if (nons && rdlen >= 2 && p[0] == 0 && (p[2] & (0x80 >> T_NS)) == 0) +- *nons = 1; ++ if (nons && rdlen >= 2 && p[0] == 0 && (p[2] & (0x80 >> T_NS)) != 0) ++ *nons = 0; + ++ if (rdlen >= 2 && p[0] == 0) ++ { ++ /* A CNAME answer would also be valid, so if there's a CNAME is should ++ have been returned. */ ++ if ((p[2] & (0x80 >> T_CNAME)) != 0) ++ return STAT_BOGUS; ++ ++ /* If the SOA bit is set for a DS record, then we have the ++ DS from the wrong side of the delegation. 
*/ ++ if (type == T_DS && (p[2] & (0x80 >> T_SOA)) != 0) ++ return STAT_BOGUS; ++ } ++ + while (rdlen >= 2) + { + if (!CHECK_LEN(header, p, plen, rdlen)) +@@ -1586,7 +1611,7 @@ static int base32_decode(char *in, unsigned char *out) + static int check_nsec3_coverage(struct dns_header *header, size_t plen, int digest_len, unsigned char *digest, int type, + char *workspace1, char *workspace2, unsigned char **nsecs, int nsec_count, int *nons) + { +- int i, hash_len, salt_len, base32_len, rdlen; ++ int i, hash_len, salt_len, base32_len, rdlen, flags; + unsigned char *p, *psave; + + for (i = 0; i < nsec_count; i++) +@@ -1599,7 +1624,9 @@ static int check_nsec3_coverage(struct dns_header *header, size_t plen, int dige + p += 8; /* class, type, TTL */ + GETSHORT(rdlen, p); + psave = p; +- p += 4; /* algo, flags, iterations */ ++ p++; /* algo */ ++ flags = *p++; /* flags */ ++ p += 2; /* iterations */ + salt_len = *p++; /* salt_len */ + p += salt_len; /* salt */ + hash_len = *p++; /* p now points to next hashed name */ +@@ -1626,16 +1653,29 @@ static int check_nsec3_coverage(struct dns_header *header, size_t plen, int dige + return 0; + + /* If we can prove that there's no NS record, return that information. */ +- if (nons && rdlen >= 2 && p[0] == 0 && (p[2] & (0x80 >> T_NS)) == 0) +- *nons = 1; ++ if (nons && rdlen >= 2 && p[0] == 0 && (p[2] & (0x80 >> T_NS)) != 0) ++ *nons = 0; + ++ if (rdlen >= 2 && p[0] == 0) ++ { ++ /* A CNAME answer would also be valid, so if there's a CNAME is should ++ have been returned. */ ++ if ((p[2] & (0x80 >> T_CNAME)) != 0) ++ return 0; ++ ++ /* If the SOA bit is set for a DS record, then we have the ++ DS from the wrong side of the delegation. */ ++ if (type == T_DS && (p[2] & (0x80 >> T_SOA)) != 0) ++ return 0; ++ } ++ + while (rdlen >= 2) + { + if (p[0] == type >> 8) + { + /* Does the NSEC3 say our type exists? 
*/ + if (offset < p[1] && (p[offset+2] & mask) != 0) +- return STAT_BOGUS; ++ return 0; + + break; /* finshed checking */ + } +@@ -1643,7 +1683,7 @@ static int check_nsec3_coverage(struct dns_header *header, size_t plen, int dige + rdlen -= p[1]; + p += p[1]; + } +- ++ + return 1; + } + else if (rc < 0) +@@ -1651,16 +1691,27 @@ static int check_nsec3_coverage(struct dns_header *header, size_t plen, int dige + /* Normal case, hash falls between NSEC3 name-hash and next domain name-hash, + wrap around case, name-hash falls between NSEC3 name-hash and end */ + if (memcmp(p, digest, digest_len) >= 0 || memcmp(workspace2, p, digest_len) >= 0) +- return 1; ++ { ++ if ((flags & 0x01) && nons) /* opt out */ ++ *nons = 0; ++ ++ return 1; ++ } + } + else + { + /* wrap around case, name falls between start and next domain name */ + if (memcmp(workspace2, p, digest_len) >= 0 && memcmp(p, digest, digest_len) >= 0) +- return 1; ++ { ++ if ((flags & 0x01) && nons) /* opt out */ ++ *nons = 0; ++ ++ return 1; ++ } + } + } + } ++ + return 0; + } + +@@ -1673,7 +1724,7 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns + char *closest_encloser, *next_closest, *wildcard; + + if (nons) +- *nons = 0; ++ *nons = 1; + + /* Look though the NSEC3 records to find the first one with + an algorithm we support (currently only algo == 1). +@@ -1813,16 +1864,81 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns + + return STAT_SECURE; + } +- +-/* Validate all the RRsets in the answer and authority sections of the reply (4035:3.2.3) */ +-/* Returns are the same as validate_rrset, plus the class if the missing key is in *class */ ++ ++/* Check signing status of name. ++ returns: ++ STAT_SECURE zone is signed. ++ STAT_INSECURE zone proved unsigned. ++ STAT_NEED_DS require DS record of name returned in keyname. ++ ++ name returned unaltered. 
++*/ ++static int zone_status(char *name, int class, char *keyname, time_t now) ++{ ++ int name_start = strlen(name); ++ struct crec *crecp; ++ char *p; ++ ++ while (1) ++ { ++ strcpy(keyname, &name[name_start]); ++ ++ if (!(crecp = cache_find_by_name(NULL, keyname, now, F_DS))) ++ return STAT_NEED_DS; ++ else ++ do ++ { ++ if (crecp->uid == (unsigned int)class) ++ { ++ /* F_DNSSECOK misused in DS cache records to non-existance of NS record. ++ F_NEG && !F_DNSSECOK implies that we've proved there's no DS record here, ++ but that's because there's no NS record either, ie this isn't the start ++ of a zone. We only prove that the DNS tree below a node is unsigned when ++ we prove that we're at a zone cut AND there's no DS record. ++ */ ++ if (crecp->flags & F_NEG) ++ { ++ if (crecp->flags & F_DNSSECOK) ++ return STAT_INSECURE; /* proved no DS here */ ++ } ++ else if (!ds_digest_name(crecp->addr.ds.digest) || !algo_digest_name(crecp->addr.ds.algo)) ++ return STAT_INSECURE; /* algo we can't use - insecure */ ++ } ++ } ++ while ((crecp = cache_find_by_name(crecp, keyname, now, F_DS))); ++ ++ if (name_start == 0) ++ break; ++ ++ for (p = &name[name_start-2]; (*p != '.') && (p != name); p--); ++ ++ if (p != name) ++ p++; ++ ++ name_start = p - name; ++ } ++ ++ return STAT_SECURE; ++} ++ ++/* Validate all the RRsets in the answer and authority sections of the reply (4035:3.2.3) ++ Return code: ++ STAT_SECURE if it validates. ++ STAT_INSECURE at least one RRset not validated, because in unsigned zone. ++ STAT_BOGUS signature is wrong, bad packet, no validation where there should be. 
++ STAT_NEED_KEY need DNSKEY to complete validation (name is returned in keyname, class in *class) ++ STAT_NEED_DS need DS to complete validation (name is returned in keyname) ++*/ + int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, +- int *class, int *neganswer, int *nons) ++ int *class, int check_unsigned, int *neganswer, int *nons) + { +- unsigned char *ans_start, *qname, *p1, *p2, **nsecs; +- int type1, class1, rdlen1, type2, class2, rdlen2, qclass, qtype; +- int i, j, rc, nsec_count, cname_count = CNAME_CHAIN; +- int nsec_type = 0, have_answer = 0; ++ static unsigned char **targets = NULL; ++ static int target_sz = 0; ++ ++ unsigned char *ans_start, *p1, *p2, **nsecs; ++ int type1, class1, rdlen1, type2, class2, rdlen2, qclass, qtype, targetidx; ++ int i, j, rc, nsec_count; ++ int nsec_type; + + if (neganswer) + *neganswer = 0; +@@ -1833,70 +1949,51 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch + if (RCODE(header) != NXDOMAIN && RCODE(header) != NOERROR) + return STAT_INSECURE; + +- qname = p1 = (unsigned char *)(header+1); ++ p1 = (unsigned char *)(header+1); + ++ /* Find all the targets we're looking for answers to. ++ The zeroth array element is for the query, subsequent ones ++ for CNAME targets, unless the query is for a CNAME. 
*/ ++ ++ if (!expand_workspace(&targets, &target_sz, 0)) ++ return STAT_BOGUS; ++ ++ targets[0] = p1; ++ targetidx = 1; ++ + if (!extract_name(header, plen, &p1, name, 1, 4)) + return STAT_BOGUS; +- ++ + GETSHORT(qtype, p1); + GETSHORT(qclass, p1); + ans_start = p1; +- +- if (qtype == T_ANY) +- have_answer = 1; + +- /* Can't validate an RRISG query */ ++ /* Can't validate an RRSIG query */ + if (qtype == T_RRSIG) + return STAT_INSECURE; +- +- cname_loop: +- for (j = ntohs(header->ancount); j != 0; j--) +- { +- /* leave pointer to missing name in qname */ +- +- if (!(rc = extract_name(header, plen, &p1, name, 0, 10))) +- return STAT_BOGUS; /* bad packet */ +- +- GETSHORT(type2, p1); +- GETSHORT(class2, p1); +- p1 += 4; /* TTL */ +- GETSHORT(rdlen2, p1); +- +- if (rc == 1 && qclass == class2) +- { +- /* Do we have an answer for the question? */ +- if (type2 == qtype) +- { +- have_answer = 1; +- break; +- } +- else if (type2 == T_CNAME) +- { +- qname = p1; +- +- /* looped CNAMES */ +- if (!cname_count-- || !extract_name(header, plen, &p1, name, 1, 0)) +- return STAT_BOGUS; +- +- p1 = ans_start; +- goto cname_loop; +- } +- } +- +- if (!ADD_RDLEN(header, p1, plen, rdlen2)) +- return STAT_BOGUS; +- } +- +- if (neganswer && !have_answer) +- *neganswer = 1; + +- /* No data, therefore no sigs */ +- if (ntohs(header->ancount) + ntohs(header->nscount) == 0) +- { +- *keyname = 0; +- return STAT_NO_SIG; +- } +- ++ if (qtype != T_CNAME) ++ for (j = ntohs(header->ancount); j != 0; j--) ++ { ++ if (!(p1 = skip_name(p1, header, plen, 10))) ++ return STAT_BOGUS; /* bad packet */ ++ ++ GETSHORT(type2, p1); ++ p1 += 6; /* class, TTL */ ++ GETSHORT(rdlen2, p1); ++ ++ if (type2 == T_CNAME) ++ { ++ if (!expand_workspace(&targets, &target_sz, targetidx)) ++ return STAT_BOGUS; ++ ++ targets[targetidx++] = p1; /* pointer to target name */ ++ } ++ ++ if (!ADD_RDLEN(header, p1, plen, rdlen2)) ++ return STAT_BOGUS; ++ } ++ + for (p1 = ans_start, i = 0; i < ntohs(header->ancount) + 
ntohs(header->nscount); i++) + { + if (!extract_name(header, plen, &p1, name, 1, 10)) +@@ -1931,7 +2028,7 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch + /* Not done, validate now */ + if (j == i) + { +- int ttl, keytag, algo, digest, type_covered; ++ int ttl, keytag, algo, digest, type_covered, sigcnt, rrcnt; + unsigned char *psave; + struct all_addr a; + struct blockdata *key; +@@ -1939,143 +2036,186 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch + char *wildname; + int have_wildcard = 0; + +- rc = validate_rrset(now, header, plen, class1, type1, name, keyname, &wildname, NULL, 0, 0, 0); +- +- if (rc == STAT_SECURE_WILDCARD) +- { +- have_wildcard = 1; +- +- /* An attacker replay a wildcard answer with a different +- answer and overlay a genuine RR. To prove this +- hasn't happened, the answer must prove that +- the gennuine record doesn't exist. Check that here. */ +- if (!nsec_type && !(nsec_type = find_nsec_records(header, plen, &nsecs, &nsec_count, class1))) +- return STAT_BOGUS; /* No NSECs or bad packet */ +- +- if (nsec_type == T_NSEC) +- rc = prove_non_existence_nsec(header, plen, nsecs, nsec_count, daemon->workspacename, keyname, name, type1, NULL); +- else +- rc = prove_non_existence_nsec3(header, plen, nsecs, nsec_count, daemon->workspacename, +- keyname, name, type1, wildname, NULL); +- +- if (rc != STAT_SECURE) +- return rc; +- } +- else if (rc != STAT_SECURE) +- { +- if (class) +- *class = class1; /* Class for DS or DNSKEY */ ++ if (!explore_rrset(header, plen, class1, type1, name, keyname, &sigcnt, &rrcnt)) ++ return STAT_BOGUS; + +- if (rc == STAT_NO_SIG) ++ /* No signatures for RRset. We can be configured to assume this is OK and return a INSECURE result. */ ++ if (sigcnt == 0) ++ { ++ if (check_unsigned) + { +- /* If we dropped off the end of a CNAME chain, return +- STAT_NO_SIG and the last name is keyname. 
This is used for proving non-existence +- if DS records in CNAME chains. */ +- if (cname_count == CNAME_CHAIN || i < ntohs(header->ancount)) +- /* No CNAME chain, or no sig in answer section, return empty name. */ +- *keyname = 0; +- else if (!extract_name(header, plen, &qname, keyname, 1, 0)) +- return STAT_BOGUS; ++ rc = zone_status(name, class1, keyname, now); ++ if (rc == STAT_SECURE) ++ rc = STAT_BOGUS; ++ if (class) ++ *class = class1; /* Class for NEED_DS or NEED_DNSKEY */ + } +- ++ else ++ rc = STAT_INSECURE; ++ + return rc; + } + +- /* Cache RRsigs in answer section, and if we just validated a DS RRset, cache it */ +- cache_start_insert(); ++ /* explore_rrset() gives us key name from sigs in keyname. ++ Can't overwrite name here. */ ++ strcpy(daemon->workspacename, keyname); ++ rc = zone_status(daemon->workspacename, class1, keyname, now); ++ if (rc != STAT_SECURE) ++ { ++ /* Zone is insecure, don't need to validate RRset */ ++ if (class) ++ *class = class1; /* Class for NEED_DS or NEED_DNSKEY */ ++ return rc; ++ } ++ ++ rc = validate_rrset(now, header, plen, class1, type1, sigcnt, rrcnt, name, keyname, &wildname, NULL, 0, 0, 0); + +- for (p2 = ans_start, j = 0; j < ntohs(header->ancount); j++) ++ if (rc == STAT_BOGUS || rc == STAT_NEED_KEY || rc == STAT_NEED_DS) + { +- if (!(rc = extract_name(header, plen, &p2, name, 0, 10))) +- return STAT_BOGUS; /* bad packet */ ++ if (class) ++ *class = class1; /* Class for DS or DNSKEY */ ++ return rc; ++ } ++ else ++ { ++ /* rc is now STAT_SECURE or STAT_SECURE_WILDCARD */ ++ ++ /* Note if we've validated either the answer to the question ++ or the target of a CNAME. Any not noted will need NSEC or ++ to be in unsigned space. 
*/ ++ ++ for (j = 0; j <targetidx; j++) ++ if ((p2 = targets[j])) ++ { ++ if (!(rc = extract_name(header, plen, &p2, name, 0, 10))) ++ return STAT_BOGUS; /* bad packet */ ++ ++ if (class1 == qclass && rc == 1 && (type1 == T_CNAME || type1 == qtype || qtype == T_ANY )) ++ targets[j] = NULL; ++ } ++ ++ if (rc == STAT_SECURE_WILDCARD) ++ { ++ have_wildcard = 1; + +- GETSHORT(type2, p2); +- GETSHORT(class2, p2); +- GETLONG(ttl, p2); +- GETSHORT(rdlen2, p2); +- +- if (!CHECK_LEN(header, p2, plen, rdlen2)) +- return STAT_BOGUS; /* bad packet */ +- +- if (class2 == class1 && rc == 1) +- { +- psave = p2; ++ /* An attacker replay a wildcard answer with a different ++ answer and overlay a genuine RR. To prove this ++ hasn't happened, the answer must prove that ++ the gennuine record doesn't exist. Check that here. */ ++ if (!(nsec_type = find_nsec_records(header, plen, &nsecs, &nsec_count, class1))) ++ return STAT_BOGUS; /* No NSECs or bad packet */ ++ ++ /* Note that we may not yet have validated the NSEC/NSEC3 RRsets. Since the check ++ below returns either SECURE or BOGUS, that's not a problem. If the RRsets later fail ++ we'll return BOGUS then. 
*/ + +- if (type1 == T_DS && type2 == T_DS) +- { +- if (rdlen2 < 4) +- return STAT_BOGUS; /* bad packet */ +- +- GETSHORT(keytag, p2); +- algo = *p2++; +- digest = *p2++; +- +- /* Cache needs to known class for DNSSEC stuff */ +- a.addr.dnssec.class = class2; +- +- if ((key = blockdata_alloc((char*)p2, rdlen2 - 4))) +- { +- if (!(crecp = cache_insert(name, &a, now, ttl, F_FORWARD | F_DS | F_DNSSECOK))) +- blockdata_free(key); +- else +- { +- a.addr.keytag = keytag; +- log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DS keytag %u"); +- crecp->addr.ds.digest = digest; +- crecp->addr.ds.keydata = key; +- crecp->addr.ds.algo = algo; +- crecp->addr.ds.keytag = keytag; +- crecp->addr.ds.keylen = rdlen2 - 4; +- } +- } +- } +- else if (type2 == T_RRSIG) +- { +- if (rdlen2 < 18) +- return STAT_BOGUS; /* bad packet */ ++ if (nsec_type == T_NSEC) ++ rc = prove_non_existence_nsec(header, plen, nsecs, nsec_count, daemon->workspacename, keyname, name, type1, NULL); ++ else ++ rc = prove_non_existence_nsec3(header, plen, nsecs, nsec_count, daemon->workspacename, ++ keyname, name, type1, wildname, NULL); ++ ++ if (rc == STAT_BOGUS) ++ return rc; ++ } ++ ++ /* Cache RRsigs in answer section, and if we just validated a DS RRset, cache it */ ++ /* Also note if the RRset is the answer to the question, or the target of a CNAME */ ++ cache_start_insert(); ++ ++ for (p2 = ans_start, j = 0; j < ntohs(header->ancount); j++) ++ { ++ if (!(rc = extract_name(header, plen, &p2, name, 0, 10))) ++ return STAT_BOGUS; /* bad packet */ ++ ++ GETSHORT(type2, p2); ++ GETSHORT(class2, p2); ++ GETLONG(ttl, p2); ++ GETSHORT(rdlen2, p2); ++ ++ if (!CHECK_LEN(header, p2, plen, rdlen2)) ++ return STAT_BOGUS; /* bad packet */ ++ ++ if (class2 == class1 && rc == 1) ++ { ++ psave = p2; + +- GETSHORT(type_covered, p2); +- +- if (type_covered == type1 && +- (type_covered == T_A || type_covered == T_AAAA || +- type_covered == T_CNAME || type_covered == T_DS || +- type_covered == T_DNSKEY || type_covered 
== T_PTR)) ++ if (type1 == T_DS && type2 == T_DS) + { +- a.addr.dnssec.type = type_covered; +- a.addr.dnssec.class = class1; ++ if (rdlen2 < 4) ++ return STAT_BOGUS; /* bad packet */ + +- algo = *p2++; +- p2 += 13; /* labels, orig_ttl, expiration, inception */ + GETSHORT(keytag, p2); ++ algo = *p2++; ++ digest = *p2++; ++ ++ /* Cache needs to known class for DNSSEC stuff */ ++ a.addr.dnssec.class = class2; + +- /* We don't cache sigs for wildcard answers, because to reproduce the +- answer from the cache will require one or more NSEC/NSEC3 records +- which we don't cache. The lack of the RRSIG ensures that a query for +- this RRset asking for a secure answer will always be forwarded. */ +- if (!have_wildcard && (key = blockdata_alloc((char*)psave, rdlen2))) ++ if ((key = blockdata_alloc((char*)p2, rdlen2 - 4))) + { +- if (!(crecp = cache_insert(name, &a, now, ttl, F_FORWARD | F_DNSKEY | F_DS))) ++ if (!(crecp = cache_insert(name, &a, now, ttl, F_FORWARD | F_DS | F_DNSSECOK))) + blockdata_free(key); + else + { +- crecp->addr.sig.keydata = key; +- crecp->addr.sig.keylen = rdlen2; +- crecp->addr.sig.keytag = keytag; +- crecp->addr.sig.type_covered = type_covered; +- crecp->addr.sig.algo = algo; ++ a.addr.keytag = keytag; ++ log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DS keytag %u"); ++ crecp->addr.ds.digest = digest; ++ crecp->addr.ds.keydata = key; ++ crecp->addr.ds.algo = algo; ++ crecp->addr.ds.keytag = keytag; ++ crecp->addr.ds.keylen = rdlen2 - 4; ++ } ++ } ++ } ++ else if (type2 == T_RRSIG) ++ { ++ if (rdlen2 < 18) ++ return STAT_BOGUS; /* bad packet */ ++ ++ GETSHORT(type_covered, p2); ++ ++ if (type_covered == type1 && ++ (type_covered == T_A || type_covered == T_AAAA || ++ type_covered == T_CNAME || type_covered == T_DS || ++ type_covered == T_DNSKEY || type_covered == T_PTR)) ++ { ++ a.addr.dnssec.type = type_covered; ++ a.addr.dnssec.class = class1; ++ ++ algo = *p2++; ++ p2 += 13; /* labels, orig_ttl, expiration, inception */ ++ 
GETSHORT(keytag, p2); ++ ++ /* We don't cache sigs for wildcard answers, because to reproduce the ++ answer from the cache will require one or more NSEC/NSEC3 records ++ which we don't cache. The lack of the RRSIG ensures that a query for ++ this RRset asking for a secure answer will always be forwarded. */ ++ if (!have_wildcard && (key = blockdata_alloc((char*)psave, rdlen2))) ++ { ++ if (!(crecp = cache_insert(name, &a, now, ttl, F_FORWARD | F_DNSKEY | F_DS))) ++ blockdata_free(key); ++ else ++ { ++ crecp->addr.sig.keydata = key; ++ crecp->addr.sig.keylen = rdlen2; ++ crecp->addr.sig.keytag = keytag; ++ crecp->addr.sig.type_covered = type_covered; ++ crecp->addr.sig.algo = algo; ++ } + } + } + } ++ ++ p2 = psave; + } + +- p2 = psave; ++ if (!ADD_RDLEN(header, p2, plen, rdlen2)) ++ return STAT_BOGUS; /* bad packet */ + } + +- if (!ADD_RDLEN(header, p2, plen, rdlen2)) +- return STAT_BOGUS; /* bad packet */ ++ cache_end_insert(); + } +- +- cache_end_insert(); + } + } + +@@ -2083,143 +2223,49 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch + return STAT_BOGUS; + } + +- /* OK, all the RRsets validate, now see if we have a NODATA or NXDOMAIN reply */ +- if (have_answer) +- return STAT_SECURE; +- +- /* NXDOMAIN or NODATA reply, prove that (name, class1, type1) can't exist */ +- /* First marshall the NSEC records, if we've not done it previously */ +- if (!nsec_type && !(nsec_type = find_nsec_records(header, plen, &nsecs, &nsec_count, qclass))) +- { +- /* No NSEC records. If we dropped off the end of a CNAME chain, return +- STAT_NO_SIG and the last name is keyname. This is used for proving non-existence +- if DS records in CNAME chains. */ +- if (cname_count == CNAME_CHAIN) /* No CNAME chain, return empty name. */ +- *keyname = 0; +- else if (!extract_name(header, plen, &qname, keyname, 1, 0)) +- return STAT_BOGUS; +- return STAT_NO_SIG; /* No NSECs, this is probably a dangling CNAME pointing into +- an unsigned zone. 
Return STAT_NO_SIG to cause this to be proved. */ +- } +- +- /* Get name of missing answer */ +- if (!extract_name(header, plen, &qname, name, 1, 0)) +- return STAT_BOGUS; +- +- if (nsec_type == T_NSEC) +- return prove_non_existence_nsec(header, plen, nsecs, nsec_count, daemon->workspacename, keyname, name, qtype, nons); +- else +- return prove_non_existence_nsec3(header, plen, nsecs, nsec_count, daemon->workspacename, keyname, name, qtype, NULL, nons); +-} +- +-/* Chase the CNAME chain in the packet until the first record which _doesn't validate. +- Needed for proving answer in unsigned space. +- Return STAT_NEED_* +- STAT_BOGUS - error +- STAT_INSECURE - name of first non-secure record in name +-*/ +-int dnssec_chase_cname(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname) +-{ +- unsigned char *p = (unsigned char *)(header+1); +- int type, class, qclass, rdlen, j, rc; +- int cname_count = CNAME_CHAIN; +- char *wildname; +- +- /* Get question */ +- if (!extract_name(header, plen, &p, name, 1, 4)) +- return STAT_BOGUS; +- +- p +=2; /* type */ +- GETSHORT(qclass, p); +- +- while (1) +- { +- for (j = ntohs(header->ancount); j != 0; j--) +- { +- if (!(rc = extract_name(header, plen, &p, name, 0, 10))) +- return STAT_BOGUS; /* bad packet */ +- +- GETSHORT(type, p); +- GETSHORT(class, p); +- p += 4; /* TTL */ +- GETSHORT(rdlen, p); +- +- /* Not target, loop */ +- if (rc == 2 || qclass != class) +- { +- if (!ADD_RDLEN(header, p, plen, rdlen)) +- return STAT_BOGUS; +- continue; +- } +- +- /* Got to end of CNAME chain. */ +- if (type != T_CNAME) +- return STAT_INSECURE; +- +- /* validate CNAME chain, return if insecure or need more data */ +- rc = validate_rrset(now, header, plen, class, type, name, keyname, &wildname, NULL, 0, 0, 0); +- +- if (rc == STAT_SECURE_WILDCARD) +- { +- int nsec_type, nsec_count, i; +- unsigned char **nsecs; +- +- /* An attacker can replay a wildcard answer with a different +- answer and overlay a genuine RR. 
To prove this +- hasn't happened, the answer must prove that +- the genuine record doesn't exist. Check that here. */ +- if (!(nsec_type = find_nsec_records(header, plen, &nsecs, &nsec_count, class))) +- return STAT_BOGUS; /* No NSECs or bad packet */ +- +- /* Note that we're called here because something didn't validate in validate_reply, +- so we can't assume that any NSEC records have been validated. We do them by steam here */ +- +- for (i = 0; i < nsec_count; i++) +- { +- unsigned char *p1 = nsecs[i]; +- +- if (!extract_name(header, plen, &p1, daemon->workspacename, 1, 0)) +- return STAT_BOGUS; +- +- rc = validate_rrset(now, header, plen, class, nsec_type, daemon->workspacename, keyname, NULL, NULL, 0, 0, 0); ++ /* OK, all the RRsets validate, now see if we have a missing answer or CNAME target. */ ++ for (j = 0; j <targetidx; j++) ++ if ((p2 = targets[j])) ++ { ++ if (neganswer) ++ *neganswer = 1; + +- /* NSECs can't be wildcards. */ +- if (rc == STAT_SECURE_WILDCARD) +- rc = STAT_BOGUS; ++ if (!extract_name(header, plen, &p2, name, 1, 10)) ++ return STAT_BOGUS; /* bad packet */ ++ ++ /* NXDOMAIN or NODATA reply, unanswered question is (name, qclass, qtype) */ + +- if (rc != STAT_SECURE) ++ /* For anything other than a DS record, this situation is OK if either ++ the answer is in an unsigned zone, or there's a NSEC records. 
*/ ++ if (!(nsec_type = find_nsec_records(header, plen, &nsecs, &nsec_count, qclass))) ++ { ++ /* Empty DS without NSECS */ ++ if (qtype == T_DS) ++ return STAT_BOGUS; ++ else ++ { ++ rc = zone_status(name, qclass, keyname, now); ++ if (rc != STAT_SECURE) ++ { ++ if (class) ++ *class = qclass; /* Class for NEED_DS or NEED_DNSKEY */ + return rc; +- } +- +- if (nsec_type == T_NSEC) +- rc = prove_non_existence_nsec(header, plen, nsecs, nsec_count, daemon->workspacename, keyname, name, type, NULL); +- else +- rc = prove_non_existence_nsec3(header, plen, nsecs, nsec_count, daemon->workspacename, +- keyname, name, type, wildname, NULL); +- +- if (rc != STAT_SECURE) +- return rc; +- } +- +- if (rc != STAT_SECURE) +- { +- if (rc == STAT_NO_SIG) +- rc = STAT_INSECURE; +- return rc; +- } ++ } ++ ++ return STAT_BOGUS; /* signed zone, no NSECs */ ++ } ++ } + +- /* Loop down CNAME chain/ */ +- if (!cname_count-- || +- !extract_name(header, plen, &p, name, 1, 0) || +- !(p = skip_questions(header, plen))) +- return STAT_BOGUS; +- +- break; +- } ++ if (nsec_type == T_NSEC) ++ rc = prove_non_existence_nsec(header, plen, nsecs, nsec_count, daemon->workspacename, keyname, name, qtype, nons); ++ else ++ rc = prove_non_existence_nsec3(header, plen, nsecs, nsec_count, daemon->workspacename, keyname, name, qtype, NULL, nons); + +- /* End of CNAME chain */ +- return STAT_INSECURE; +- } ++ if (rc != STAT_SECURE) ++ return rc; ++ } ++ ++ return STAT_SECURE; + } + + +diff --git a/src/forward.c b/src/forward.c +index b76a974..dd22a62 100644 +--- a/src/forward.c ++++ b/src/forward.c +@@ -23,15 +23,6 @@ static struct frec *lookup_frec_by_sender(unsigned short id, + static unsigned short get_id(void); + static void free_frec(struct frec *f); + +-#ifdef HAVE_DNSSEC +-static int tcp_key_recurse(time_t now, int status, struct dns_header *header, size_t n, +- int class, char *name, char *keyname, struct server *server, int *keycount); +-static int do_check_sign(struct frec *forward, int status, 
time_t now, char *name, char *keyname); +-static int send_check_sign(struct frec *forward, time_t now, struct dns_header *header, size_t plen, +- char *name, char *keyname); +-#endif +- +- + /* Send a UDP packet with its source address set as "source" + unless nowild is true, when we just send it with the kernel default */ + int send_from(int fd, int nowild, char *packet, size_t len, +@@ -825,236 +816,142 @@ void reply_query(int fd, int family, time_t now) + #ifdef HAVE_DNSSEC + if (server && option_bool(OPT_DNSSEC_VALID) && !(forward->flags & FREC_CHECKING_DISABLED)) + { +- int status; ++ int status = 0; + + /* We've had a reply already, which we're validating. Ignore this duplicate */ + if (forward->blocking_query) + return; +- +- if (header->hb3 & HB3_TC) +- { +- /* Truncated answer can't be validated. ++ ++ /* Truncated answer can't be validated. + If this is an answer to a DNSSEC-generated query, we still + need to get the client to retry over TCP, so return + an answer with the TC bit set, even if the actual answer fits. + */ +- status = STAT_TRUNCATED; +- } +- else if (forward->flags & FREC_DNSKEY_QUERY) +- status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class); +- else if (forward->flags & FREC_DS_QUERY) +- { +- status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class); +- /* Provably no DS, everything below is insecure, even if signatures are offered */ +- if (status == STAT_NO_DS) +- /* We only cache sigs when we've validated a reply. +- Avoid caching a reply with sigs if there's a vaildated break in the +- DS chain, so we don't return replies from cache missing sigs. 
*/ +- status = STAT_INSECURE_DS; +- else if (status == STAT_NO_SIG) +- { +- if (option_bool(OPT_DNSSEC_NO_SIGN)) +- { +- status = send_check_sign(forward, now, header, n, daemon->namebuff, daemon->keyname); +- if (status == STAT_INSECURE) +- status = STAT_INSECURE_DS; +- } +- else +- status = STAT_INSECURE_DS; +- } +- else if (status == STAT_NO_NS) +- status = STAT_BOGUS; +- } +- else if (forward->flags & FREC_CHECK_NOSIGN) +- { +- status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class); +- if (status != STAT_NEED_KEY) +- status = do_check_sign(forward, status, now, daemon->namebuff, daemon->keyname); +- } +- else ++ if (header->hb3 & HB3_TC) ++ status = STAT_TRUNCATED; ++ ++ while (1) + { +- status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class, NULL, NULL); +- if (status == STAT_NO_SIG) ++ /* As soon as anything returns BOGUS, we stop and unwind, to do otherwise ++ would invite infinite loops, since the answers to DNSKEY and DS queries ++ will not be cached, so they'll be repeated. */ ++ if (status != STAT_BOGUS && status != STAT_TRUNCATED && status != STAT_ABANDONED) + { +- if (option_bool(OPT_DNSSEC_NO_SIGN)) +- status = send_check_sign(forward, now, header, n, daemon->namebuff, daemon->keyname); ++ if (forward->flags & FREC_DNSKEY_QUERY) ++ status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class); ++ else if (forward->flags & FREC_DS_QUERY) ++ status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class); + else +- status = STAT_INSECURE; ++ status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class, ++ option_bool(OPT_DNSSEC_NO_SIGN), NULL, NULL); + } +- } +- /* Can't validate, as we're missing key data. Put this +- answer aside, whilst we get that. 
*/ +- if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG || status == STAT_NEED_KEY) +- { +- struct frec *new, *orig; +- +- /* Free any saved query */ +- if (forward->stash) +- blockdata_free(forward->stash); +- +- /* Now save reply pending receipt of key data */ +- if (!(forward->stash = blockdata_alloc((char *)header, n))) +- return; +- forward->stash_len = n; + +- anotherkey: +- /* Find the original query that started it all.... */ +- for (orig = forward; orig->dependent; orig = orig->dependent); +- +- if (--orig->work_counter == 0 || !(new = get_new_frec(now, NULL, 1))) +- status = STAT_INSECURE; +- else ++ /* Can't validate, as we're missing key data. Put this ++ answer aside, whilst we get that. */ ++ if (status == STAT_NEED_DS || status == STAT_NEED_KEY) + { +- int fd; +- struct frec *next = new->next; +- *new = *forward; /* copy everything, then overwrite */ +- new->next = next; +- new->blocking_query = NULL; +- new->sentto = server; +- new->rfd4 = NULL; +- new->orig_domain = NULL; +-#ifdef HAVE_IPV6 +- new->rfd6 = NULL; +-#endif +- new->flags &= ~(FREC_DNSKEY_QUERY | FREC_DS_QUERY | FREC_CHECK_NOSIGN); ++ struct frec *new, *orig; + +- new->dependent = forward; /* to find query awaiting new one. 
*/ +- forward->blocking_query = new; /* for garbage cleaning */ +- /* validate routines leave name of required record in daemon->keyname */ +- if (status == STAT_NEED_KEY) +- { +- new->flags |= FREC_DNSKEY_QUERY; +- nn = dnssec_generate_query(header, ((char *) header) + daemon->packet_buff_sz, +- daemon->keyname, forward->class, T_DNSKEY, &server->addr, server->edns_pktsz); +- } +- else +- { +- if (status == STAT_NEED_DS_NEG) +- new->flags |= FREC_CHECK_NOSIGN; +- else +- new->flags |= FREC_DS_QUERY; +- nn = dnssec_generate_query(header,((char *) header) + daemon->packet_buff_sz, +- daemon->keyname, forward->class, T_DS, &server->addr, server->edns_pktsz); +- } +- if ((hash = hash_questions(header, nn, daemon->namebuff))) +- memcpy(new->hash, hash, HASH_SIZE); +- new->new_id = get_id(); +- header->id = htons(new->new_id); +- /* Save query for retransmission */ +- if (!(new->stash = blockdata_alloc((char *)header, nn))) ++ /* Free any saved query */ ++ if (forward->stash) ++ blockdata_free(forward->stash); ++ ++ /* Now save reply pending receipt of key data */ ++ if (!(forward->stash = blockdata_alloc((char *)header, n))) + return; +- +- new->stash_len = nn; ++ forward->stash_len = n; + +- /* Don't resend this. */ +- daemon->srv_save = NULL; ++ /* Find the original query that started it all.... */ ++ for (orig = forward; orig->dependent; orig = orig->dependent); + +- if (server->sfd) +- fd = server->sfd->fd; ++ if (--orig->work_counter == 0 || !(new = get_new_frec(now, NULL, 1))) ++ status = STAT_ABANDONED; + else + { +- fd = -1; ++ int fd; ++ struct frec *next = new->next; ++ *new = *forward; /* copy everything, then overwrite */ ++ new->next = next; ++ new->blocking_query = NULL; ++ new->sentto = server; ++ new->rfd4 = NULL; + #ifdef HAVE_IPV6 +- if (server->addr.sa.sa_family == AF_INET6) ++ new->rfd6 = NULL; ++#endif ++ new->flags &= ~(FREC_DNSKEY_QUERY | FREC_DS_QUERY); ++ ++ new->dependent = forward; /* to find query awaiting new one. 
*/ ++ forward->blocking_query = new; /* for garbage cleaning */ ++ /* validate routines leave name of required record in daemon->keyname */ ++ if (status == STAT_NEED_KEY) ++ { ++ new->flags |= FREC_DNSKEY_QUERY; ++ nn = dnssec_generate_query(header, ((char *) header) + daemon->packet_buff_sz, ++ daemon->keyname, forward->class, T_DNSKEY, &server->addr, server->edns_pktsz); ++ } ++ else + { +- if (new->rfd6 || (new->rfd6 = allocate_rfd(AF_INET6))) +- fd = new->rfd6->fd; ++ new->flags |= FREC_DS_QUERY; ++ nn = dnssec_generate_query(header,((char *) header) + daemon->packet_buff_sz, ++ daemon->keyname, forward->class, T_DS, &server->addr, server->edns_pktsz); + } ++ if ((hash = hash_questions(header, nn, daemon->namebuff))) ++ memcpy(new->hash, hash, HASH_SIZE); ++ new->new_id = get_id(); ++ header->id = htons(new->new_id); ++ /* Save query for retransmission */ ++ new->stash = blockdata_alloc((char *)header, nn); ++ new->stash_len = nn; ++ ++ /* Don't resend this. */ ++ daemon->srv_save = NULL; ++ ++ if (server->sfd) ++ fd = server->sfd->fd; + else ++ { ++ fd = -1; ++#ifdef HAVE_IPV6 ++ if (server->addr.sa.sa_family == AF_INET6) ++ { ++ if (new->rfd6 || (new->rfd6 = allocate_rfd(AF_INET6))) ++ fd = new->rfd6->fd; ++ } ++ else + #endif ++ { ++ if (new->rfd4 || (new->rfd4 = allocate_rfd(AF_INET))) ++ fd = new->rfd4->fd; ++ } ++ } ++ ++ if (fd != -1) + { +- if (new->rfd4 || (new->rfd4 = allocate_rfd(AF_INET))) +- fd = new->rfd4->fd; ++ while (retry_send(sendto(fd, (char *)header, nn, 0, ++ &server->addr.sa, ++ sa_len(&server->addr)))); ++ server->queries++; + } +- } +- +- if (fd != -1) +- { +- while (retry_send(sendto(fd, (char *)header, nn, 0, +- &server->addr.sa, +- sa_len(&server->addr)))); +- server->queries++; +- } +- ++ } + return; + } +- } + +- /* Ok, we reached far enough up the chain-of-trust that we can validate something. +- Now wind back down, pulling back answers which wouldn't previously validate +- and validate them with the new data. 
Note that if an answer needs multiple +- keys to validate, we may find another key is needed, in which case we set off +- down another branch of the tree. Once we get to the original answer +- (FREC_DNSSEC_QUERY not set) and it validates, return it to the original requestor. */ +- while (forward->dependent) +- { ++ /* Validated original answer, all done. */ ++ if (!forward->dependent) ++ break; ++ ++ /* validated subsdiary query, (and cached result) ++ pop that and return to the previous query we were working on. */ + struct frec *prev = forward->dependent; + free_frec(forward); + forward = prev; + forward->blocking_query = NULL; /* already gone */ + blockdata_retrieve(forward->stash, forward->stash_len, (void *)header); + n = forward->stash_len; +- +- if (status == STAT_SECURE) +- { +- if (forward->flags & FREC_DNSKEY_QUERY) +- status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class); +- else if (forward->flags & FREC_DS_QUERY) +- { +- status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class); +- /* Provably no DS, everything below is insecure, even if signatures are offered */ +- if (status == STAT_NO_DS) +- /* We only cache sigs when we've validated a reply. +- Avoid caching a reply with sigs if there's a vaildated break in the +- DS chain, so we don't return replies from cache missing sigs. 
*/ +- status = STAT_INSECURE_DS; +- else if (status == STAT_NO_SIG) +- { +- if (option_bool(OPT_DNSSEC_NO_SIGN)) +- { +- status = send_check_sign(forward, now, header, n, daemon->namebuff, daemon->keyname); +- if (status == STAT_INSECURE) +- status = STAT_INSECURE_DS; +- } +- else +- status = STAT_INSECURE_DS; +- } +- else if (status == STAT_NO_NS) +- status = STAT_BOGUS; +- } +- else if (forward->flags & FREC_CHECK_NOSIGN) +- { +- status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class); +- if (status != STAT_NEED_KEY) +- status = do_check_sign(forward, status, now, daemon->namebuff, daemon->keyname); +- } +- else +- { +- status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class, NULL, NULL); +- if (status == STAT_NO_SIG) +- { +- if (option_bool(OPT_DNSSEC_NO_SIGN)) +- status = send_check_sign(forward, now, header, n, daemon->namebuff, daemon->keyname); +- else +- status = STAT_INSECURE; +- } +- } +- +- if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG || status == STAT_NEED_KEY) +- goto anotherkey; +- } + } ++ + + no_cache_dnssec = 0; +- +- if (status == STAT_INSECURE_DS) +- { +- /* We only cache sigs when we've validated a reply. +- Avoid caching a reply with sigs if there's a vaildated break in the +- DS chain, so we don't return replies from cache missing sigs. 
*/ +- status = STAT_INSECURE; +- no_cache_dnssec = 1; +- } + + if (status == STAT_TRUNCATED) + header->hb3 |= HB3_TC; +@@ -1062,7 +959,7 @@ void reply_query(int fd, int family, time_t now) + { + char *result, *domain = "result"; + +- if (forward->work_counter == 0) ++ if (status == STAT_ABANDONED) + { + result = "ABANDONED"; + status = STAT_BOGUS; +@@ -1072,7 +969,7 @@ void reply_query(int fd, int family, time_t now) + + if (status == STAT_BOGUS && extract_request(header, n, daemon->namebuff, NULL)) + domain = daemon->namebuff; +- ++ + log_query(F_KEYTAG | F_SECSTAT, domain, NULL, result); + } + +@@ -1415,315 +1312,49 @@ void receive_query(struct listener *listen, time_t now) + } + + #ifdef HAVE_DNSSEC +- +-/* UDP: we've got an unsigned answer, return STAT_INSECURE if we can prove there's no DS +- and therefore the answer shouldn't be signed, or STAT_BOGUS if it should be, or +- STAT_NEED_DS_NEG and keyname if we need to do the query. */ +-static int send_check_sign(struct frec *forward, time_t now, struct dns_header *header, size_t plen, +- char *name, char *keyname) +-{ +- int status = dnssec_chase_cname(now, header, plen, name, keyname); +- +- if (status != STAT_INSECURE) +- return status; +- +- /* Store the domain we're trying to check. */ +- forward->name_start = strlen(name); +- forward->name_len = forward->name_start + 1; +- if (!(forward->orig_domain = blockdata_alloc(name, forward->name_len))) +- return STAT_BOGUS; +- +- return do_check_sign(forward, 0, now, name, keyname); +-} +- +-/* We either have a a reply (header non-NULL, or we need to start by looking in the cache */ +-static int do_check_sign(struct frec *forward, int status, time_t now, char *name, char *keyname) +-{ +- /* get domain we're checking back from blockdata store, it's stored on the original query. 
*/ +- while (forward->dependent && !forward->orig_domain) +- forward = forward->dependent; +- +- blockdata_retrieve(forward->orig_domain, forward->name_len, name); +- +- while (1) +- { +- char *p; +- +- if (status == 0) +- { +- struct crec *crecp; +- +- /* Haven't received answer, see if in cache */ +- if (!(crecp = cache_find_by_name(NULL, &name[forward->name_start], now, F_DS))) +- { +- /* put name of DS record we're missing into keyname */ +- strcpy(keyname, &name[forward->name_start]); +- /* and wait for reply to arrive */ +- return STAT_NEED_DS_NEG; +- } +- +- /* F_DNSSECOK misused in DS cache records to non-existance of NS record */ +- if (!(crecp->flags & F_NEG)) +- status = STAT_SECURE; +- else if (crecp->flags & F_DNSSECOK) +- status = STAT_NO_DS; +- else +- status = STAT_NO_NS; +- } +- +- /* Have entered non-signed part of DNS tree. */ +- if (status == STAT_NO_DS) +- return forward->dependent ? STAT_INSECURE_DS : STAT_INSECURE; +- +- if (status == STAT_BOGUS) +- return STAT_BOGUS; +- +- if (status == STAT_NO_SIG && *keyname != 0) +- { +- /* There is a validated CNAME chain that doesn't end in a DS record. Start +- the search again in that domain. */ +- blockdata_free(forward->orig_domain); +- forward->name_start = strlen(keyname); +- forward->name_len = forward->name_start + 1; +- if (!(forward->orig_domain = blockdata_alloc(keyname, forward->name_len))) +- return STAT_BOGUS; +- +- strcpy(name, keyname); +- status = 0; /* force to cache when we iterate. */ +- continue; +- } +- +- /* There's a proven DS record, or we're within a zone, where there doesn't need +- to be a DS record. Add a name and try again. +- If we've already tried the whole name, then fail */ +- +- if (forward->name_start == 0) +- return STAT_BOGUS; +- +- for (p = &name[forward->name_start-2]; (*p != '.') && (p != name); p--); +- +- if (p != name) +- p++; +- +- forward->name_start = p - name; +- status = 0; /* force to cache when we iterate. 
*/ +- } +-} +- +-/* Move down from the root, until we find a signed non-existance of a DS, in which case +- an unsigned answer is OK, or we find a signed DS, in which case there should be +- a signature, and the answer is BOGUS */ +-static int tcp_check_for_unsigned_zone(time_t now, struct dns_header *header, size_t plen, int class, char *name, +- char *keyname, struct server *server, int *keycount) +-{ +- size_t m; +- unsigned char *packet, *payload; +- u16 *length; +- int status, name_len; +- struct blockdata *block; +- +- char *name_start; +- +- /* Get first insecure entry in CNAME chain */ +- status = tcp_key_recurse(now, STAT_CHASE_CNAME, header, plen, class, name, keyname, server, keycount); +- if (status == STAT_BOGUS) +- return STAT_BOGUS; +- +- if (!(packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16)))) +- return STAT_BOGUS; +- +- payload = &packet[2]; +- header = (struct dns_header *)payload; +- length = (u16 *)packet; +- +- /* Stash the name away, since the buffer will be trashed when we recurse */ +- name_len = strlen(name) + 1; +- name_start = name + name_len - 1; +- +- if (!(block = blockdata_alloc(name, name_len))) +- { +- free(packet); +- return STAT_BOGUS; +- } +- +- while (1) +- { +- unsigned char c1, c2; +- struct crec *crecp; +- +- if (--(*keycount) == 0) +- { +- free(packet); +- blockdata_free(block); +- return STAT_BOGUS; +- } +- +- while ((crecp = cache_find_by_name(NULL, name_start, now, F_DS))) +- { +- if ((crecp->flags & F_NEG) && (crecp->flags & F_DNSSECOK)) +- { +- /* Found a secure denial of DS - delegation is indeed insecure */ +- free(packet); +- blockdata_free(block); +- return STAT_INSECURE; +- } +- +- /* Here, either there's a secure DS, or no NS and no DS, and therefore no delegation. +- Add another label and continue. */ +- +- if (name_start == name) +- { +- free(packet); +- blockdata_free(block); +- return STAT_BOGUS; /* run out of labels */ +- } +- +- name_start -= 2; +- while (*name_start != '.' 
&& name_start != name) +- name_start--; +- if (name_start != name) +- name_start++; +- } +- +- /* Can't find it in the cache, have to send a query */ +- +- m = dnssec_generate_query(header, ((char *) header) + 65536, name_start, class, T_DS, &server->addr, server->edns_pktsz); +- +- *length = htons(m); +- +- if (read_write(server->tcpfd, packet, m + sizeof(u16), 0) && +- read_write(server->tcpfd, &c1, 1, 1) && +- read_write(server->tcpfd, &c2, 1, 1) && +- read_write(server->tcpfd, payload, (c1 << 8) | c2, 1)) +- { +- m = (c1 << 8) | c2; +- +- /* Note this trashes all three name workspaces */ +- status = tcp_key_recurse(now, STAT_NEED_DS_NEG, header, m, class, name, keyname, server, keycount); +- +- if (status == STAT_NO_DS) +- { +- /* Found a secure denial of DS - delegation is indeed insecure */ +- free(packet); +- blockdata_free(block); +- return STAT_INSECURE; +- } +- +- if (status == STAT_NO_SIG && *keyname != 0) +- { +- /* There is a validated CNAME chain that doesn't end in a DS record. Start +- the search again in that domain. */ +- blockdata_free(block); +- name_len = strlen(keyname) + 1; +- name_start = name + name_len - 1; +- +- if (!(block = blockdata_alloc(keyname, name_len))) +- return STAT_BOGUS; +- +- strcpy(name, keyname); +- continue; +- } +- +- if (status == STAT_BOGUS) +- { +- free(packet); +- blockdata_free(block); +- return STAT_BOGUS; +- } +- +- /* Here, either there's a secure DS, or no NS and no DS, and therefore no delegation. +- Add another label and continue. */ +- +- /* Get name we're checking back. */ +- blockdata_retrieve(block, name_len, name); +- +- if (name_start == name) +- { +- free(packet); +- blockdata_free(block); +- return STAT_BOGUS; /* run out of labels */ +- } +- +- name_start -= 2; +- while (*name_start != '.' 
&& name_start != name) +- name_start--; +- if (name_start != name) +- name_start++; +- } +- else +- { +- /* IO failure */ +- free(packet); +- blockdata_free(block); +- return STAT_BOGUS; /* run out of labels */ +- } +- } +-} +- + static int tcp_key_recurse(time_t now, int status, struct dns_header *header, size_t n, + int class, char *name, char *keyname, struct server *server, int *keycount) + { + /* Recurse up the key heirarchy */ + int new_status; ++ unsigned char *packet = NULL; ++ size_t m; ++ unsigned char *payload = NULL; ++ struct dns_header *new_header = NULL; ++ u16 *length = NULL; ++ unsigned char c1, c2; + +- /* limit the amount of work we do, to avoid cycling forever on loops in the DNS */ +- if (--(*keycount) == 0) +- return STAT_INSECURE; +- +- if (status == STAT_NEED_KEY) +- new_status = dnssec_validate_by_ds(now, header, n, name, keyname, class); +- else if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG) ++ while (1) + { +- new_status = dnssec_validate_ds(now, header, n, name, keyname, class); +- if (status == STAT_NEED_DS) ++ /* limit the amount of work we do, to avoid cycling forever on loops in the DNS */ ++ if (--(*keycount) == 0) ++ new_status = STAT_ABANDONED; ++ else if (status == STAT_NEED_KEY) ++ new_status = dnssec_validate_by_ds(now, header, n, name, keyname, class); ++ else if (status == STAT_NEED_DS) ++ new_status = dnssec_validate_ds(now, header, n, name, keyname, class); ++ else ++ new_status = dnssec_validate_reply(now, header, n, name, keyname, &class, option_bool(OPT_DNSSEC_NO_SIGN), NULL, NULL); ++ ++ if (new_status != STAT_NEED_DS && new_status != STAT_NEED_KEY) ++ break; ++ ++ /* Can't validate because we need a key/DS whose name now in keyname. 
++ Make query for same, and recurse to validate */ ++ if (!packet) + { +- if (new_status == STAT_NO_DS) +- new_status = STAT_INSECURE_DS; +- if (new_status == STAT_NO_SIG) +- { +- if (option_bool(OPT_DNSSEC_NO_SIGN)) +- { +- new_status = tcp_check_for_unsigned_zone(now, header, n, class, name, keyname, server, keycount); +- if (new_status == STAT_INSECURE) +- new_status = STAT_INSECURE_DS; +- } +- else +- new_status = STAT_INSECURE_DS; +- } +- else if (new_status == STAT_NO_NS) +- new_status = STAT_BOGUS; ++ packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16)); ++ payload = &packet[2]; ++ new_header = (struct dns_header *)payload; ++ length = (u16 *)packet; + } +- } +- else if (status == STAT_CHASE_CNAME) +- new_status = dnssec_chase_cname(now, header, n, name, keyname); +- else +- { +- new_status = dnssec_validate_reply(now, header, n, name, keyname, &class, NULL, NULL); + +- if (new_status == STAT_NO_SIG) ++ if (!packet) + { +- if (option_bool(OPT_DNSSEC_NO_SIGN)) +- new_status = tcp_check_for_unsigned_zone(now, header, n, class, name, keyname, server, keycount); +- else +- new_status = STAT_INSECURE; ++ new_status = STAT_ABANDONED; ++ break; + } +- } +- +- /* Can't validate because we need a key/DS whose name now in keyname. +- Make query for same, and recurse to validate */ +- if (new_status == STAT_NEED_DS || new_status == STAT_NEED_KEY) +- { +- size_t m; +- unsigned char *packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16)); +- unsigned char *payload = &packet[2]; +- struct dns_header *new_header = (struct dns_header *)payload; +- u16 *length = (u16 *)packet; +- unsigned char c1, c2; +- +- if (!packet) +- return STAT_INSECURE; +- +- another_tcp_key: ++ + m = dnssec_generate_query(new_header, ((char *) new_header) + 65536, keyname, class, + new_status == STAT_NEED_KEY ? 
T_DNSKEY : T_DS, &server->addr, server->edns_pktsz); + +@@ -1733,65 +1364,22 @@ static int tcp_key_recurse(time_t now, int status, struct dns_header *header, si + !read_write(server->tcpfd, &c1, 1, 1) || + !read_write(server->tcpfd, &c2, 1, 1) || + !read_write(server->tcpfd, payload, (c1 << 8) | c2, 1)) +- new_status = STAT_INSECURE; +- else + { +- m = (c1 << 8) | c2; +- +- new_status = tcp_key_recurse(now, new_status, new_header, m, class, name, keyname, server, keycount); +- +- if (new_status == STAT_SECURE) +- { +- /* Reached a validated record, now try again at this level. +- Note that we may get ANOTHER NEED_* if an answer needs more than one key. +- If so, go round again. */ +- +- if (status == STAT_NEED_KEY) +- new_status = dnssec_validate_by_ds(now, header, n, name, keyname, class); +- else if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG) +- { +- new_status = dnssec_validate_ds(now, header, n, name, keyname, class); +- if (status == STAT_NEED_DS) +- { +- if (new_status == STAT_NO_DS) +- new_status = STAT_INSECURE_DS; +- else if (new_status == STAT_NO_SIG) +- { +- if (option_bool(OPT_DNSSEC_NO_SIGN)) +- { +- new_status = tcp_check_for_unsigned_zone(now, header, n, class, name, keyname, server, keycount); +- if (new_status == STAT_INSECURE) +- new_status = STAT_INSECURE_DS; +- } +- else +- new_status = STAT_INSECURE_DS; +- } +- else if (new_status == STAT_NO_NS) +- new_status = STAT_BOGUS; +- } +- } +- else if (status == STAT_CHASE_CNAME) +- new_status = dnssec_chase_cname(now, header, n, name, keyname); +- else +- { +- new_status = dnssec_validate_reply(now, header, n, name, keyname, &class, NULL, NULL); +- +- if (new_status == STAT_NO_SIG) +- { +- if (option_bool(OPT_DNSSEC_NO_SIGN)) +- new_status = tcp_check_for_unsigned_zone(now, header, n, class, name, keyname, server, keycount); +- else +- new_status = STAT_INSECURE; +- } +- } +- +- if (new_status == STAT_NEED_DS || new_status == STAT_NEED_KEY) +- goto another_tcp_key; +- } ++ new_status = 
STAT_ABANDONED; ++ break; + } ++ ++ m = (c1 << 8) | c2; + +- free(packet); ++ new_status = tcp_key_recurse(now, new_status, new_header, m, class, name, keyname, server, keycount); ++ ++ if (new_status != STAT_OK) ++ break; + } ++ ++ if (packet) ++ free(packet); ++ + return new_status; + } + #endif +@@ -2075,19 +1663,10 @@ unsigned char *tcp_request(int confd, time_t now, + if (option_bool(OPT_DNSSEC_VALID) && !checking_disabled) + { + int keycount = DNSSEC_WORK; /* Limit to number of DNSSEC questions, to catch loops and avoid filling cache. */ +- int status = tcp_key_recurse(now, STAT_TRUNCATED, header, m, 0, daemon->namebuff, daemon->keyname, last_server, &keycount); ++ int status = tcp_key_recurse(now, STAT_OK, header, m, 0, daemon->namebuff, daemon->keyname, last_server, &keycount); + char *result, *domain = "result"; +- +- if (status == STAT_INSECURE_DS) +- { +- /* We only cache sigs when we've validated a reply. +- Avoid caching a reply with sigs if there's a vaildated break in the +- DS chain, so we don't return replies from cache missing sigs. 
*/ +- status = STAT_INSECURE; +- no_cache_dnssec = 1; +- } + +- if (keycount == 0) ++ if (status == STAT_ABANDONED) + { + result = "ABANDONED"; + status = STAT_BOGUS; +@@ -2179,7 +1758,6 @@ static struct frec *allocate_frec(time_t now) + f->dependent = NULL; + f->blocking_query = NULL; + f->stash = NULL; +- f->orig_domain = NULL; + #endif + daemon->frec_list = f; + } +@@ -2248,12 +1826,6 @@ static void free_frec(struct frec *f) + f->stash = NULL; + } + +- if (f->orig_domain) +- { +- blockdata_free(f->orig_domain); +- f->orig_domain = NULL; +- } +- + /* Anything we're waiting on is pointless now, too */ + if (f->blocking_query) + free_frec(f->blocking_query); +@@ -2281,14 +1853,23 @@ struct frec *get_new_frec(time_t now, int *wait, int force) + target = f; + else + { +- if (difftime(now, f->time) >= 4*TIMEOUT) +- { +- free_frec(f); +- target = f; +- } +- +- if (!oldest || difftime(f->time, oldest->time) <= 0) +- oldest = f; ++#ifdef HAVE_DNSSEC ++ /* Don't free DNSSEC sub-queries here, as we may end up with ++ dangling references to them. They'll go when their "real" query ++ is freed. */ ++ if (!f->dependent) ++#endif ++ { ++ if (difftime(now, f->time) >= 4*TIMEOUT) ++ { ++ free_frec(f); ++ target = f; ++ } ++ ++ ++ if (!oldest || difftime(f->time, oldest->time) <= 0) ++ oldest = f; ++ } + } + + if (target) +-- +1.7.10.4 + diff --git a/src/patches/dnsmasq/017-Abandon_caching_RRSIGs_and_returning_them_from_cache.patch b/src/patches/dnsmasq/017-Abandon_caching_RRSIGs_and_returning_them_from_cache.patch new file mode 100644 index 0000000..5ffaf97 --- /dev/null +++ b/src/patches/dnsmasq/017-Abandon_caching_RRSIGs_and_returning_them_from_cache.patch 
@@ -0,0 +1,612 @@ +From 93be5b1e023b0c661e1ec2cd6d811a8ec9055c49 Mon Sep 17 00:00:00 2001 +From: Simon Kelley simon@thekelleys.org.uk +Date: Tue, 15 Dec 2015 12:04:40 +0000 +Subject: [PATCH] Abandon caching RRSIGs and returning them from cache. + +The list of exceptions to being able to locally answer +cached data for validated records when DNSSEC data is requested +was getting too long, so don't ever do that. This means +that the cache no longer has to hold RRSIGS and allows +us to lose lots of code. Note that cached validated +answers are still returned as long as do=0 +--- + src/cache.c | 38 ++--------- + src/dnsmasq.h | 10 +-- + src/dnssec.c | 94 ++++----------------------- + src/rfc1035.c | 197 ++++++--------------------------------------------------- + 4 files changed, 42 insertions(+), 297 deletions(-) + +diff --git a/src/cache.c b/src/cache.c +index 1b76b67..51ba7cc 100644 +--- a/src/cache.c ++++ b/src/cache.c +@@ -189,12 +189,7 @@ static void cache_hash(struct crec *crecp) + static void cache_blockdata_free(struct crec *crecp) + { + if (crecp->flags & F_DNSKEY) +- { +- if (crecp->flags & F_DS) +- blockdata_free(crecp->addr.sig.keydata); +- else +- blockdata_free(crecp->addr.key.keydata); +- } ++ blockdata_free(crecp->addr.key.keydata); + else if ((crecp->flags & F_DS) && !(crecp->flags & F_NEG)) + blockdata_free(crecp->addr.ds.keydata); + } +@@ -369,13 +364,8 @@ static struct crec *cache_scan_free(char *name, struct all_addr *addr, time_t no + } + + #ifdef HAVE_DNSSEC +- /* Deletion has to be class-sensitive for DS, DNSKEY, RRSIG, also +- type-covered sensitive for RRSIG */ +- if ((flags & (F_DNSKEY | F_DS)) && +- (flags & (F_DNSKEY | F_DS)) == (crecp->flags & (F_DNSKEY | F_DS)) && +- crecp->uid == addr->addr.dnssec.class && +- (!((flags & (F_DS | F_DNSKEY)) == (F_DS | F_DNSKEY)) || +- crecp->addr.sig.type_covered == addr->addr.dnssec.type)) ++ /* Deletion has to be class-sensitive for DS and DNSKEY */ ++ if ((flags & crecp->flags & (F_DNSKEY | F_DS)) && 
crecp->uid == addr->addr.dnssec.class) + { + if (crecp->flags & F_CONFIG) + return crecp; +@@ -532,13 +522,9 @@ struct crec *cache_insert(char *name, struct all_addr *addr, + struct all_addr free_addr = new->addr.addr;; + + #ifdef HAVE_DNSSEC +- /* For DNSSEC records, addr holds class and type_covered for RRSIG */ ++ /* For DNSSEC records, addr holds class. */ + if (new->flags & (F_DS | F_DNSKEY)) +- { +- free_addr.addr.dnssec.class = new->uid; +- if ((new->flags & (F_DS | F_DNSKEY)) == (F_DS | F_DNSKEY)) +- free_addr.addr.dnssec.type = new->addr.sig.type_covered; +- } ++ free_addr.addr.dnssec.class = new->uid; + #endif + + free_avail = 1; /* Must be free space now. */ +@@ -653,9 +639,6 @@ struct crec *cache_find_by_name(struct crec *crecp, char *name, time_t now, unsi + if (!is_expired(now, crecp) && !is_outdated_cname_pointer(crecp)) + { + if ((crecp->flags & F_FORWARD) && +-#ifdef HAVE_DNSSEC +- (((crecp->flags & (F_DNSKEY | F_DS)) == (prot & (F_DNSKEY | F_DS))) || (prot & F_NSIGMATCH)) && +-#endif + (crecp->flags & prot) && + hostname_isequal(cache_get_name(crecp), name)) + { +@@ -713,9 +696,6 @@ struct crec *cache_find_by_name(struct crec *crecp, char *name, time_t now, unsi + + if (ans && + (ans->flags & F_FORWARD) && +-#ifdef HAVE_DNSSEC +- (((ans->flags & (F_DNSKEY | F_DS)) == (prot & (F_DNSKEY | F_DS))) || (prot & F_NSIGMATCH)) && +-#endif + (ans->flags & prot) && + hostname_isequal(cache_get_name(ans), name)) + return ans; +@@ -1472,11 +1452,7 @@ void dump_cache(time_t now) + #ifdef HAVE_DNSSEC + else if (cache->flags & F_DS) + { +- if (cache->flags & F_DNSKEY) +- /* RRSIG */ +- sprintf(a, "%5u %3u %s", cache->addr.sig.keytag, +- cache->addr.sig.algo, querystr("", cache->addr.sig.type_covered)); +- else if (!(cache->flags & F_NEG)) ++ if (!(cache->flags & F_NEG)) + sprintf(a, "%5u %3u %3u", cache->addr.ds.keytag, + cache->addr.ds.algo, cache->addr.ds.digest); + } +@@ -1502,8 +1478,6 @@ void dump_cache(time_t now) + else if (cache->flags & F_CNAME) + t = 
"C"; + #ifdef HAVE_DNSSEC +- else if ((cache->flags & (F_DS | F_DNSKEY)) == (F_DS | F_DNSKEY)) +- t = "G"; /* DNSKEY and DS set -> RRISG */ + else if (cache->flags & F_DS) + t = "S"; + else if (cache->flags & F_DNSKEY) +diff --git a/src/dnsmasq.h b/src/dnsmasq.h +index 023a1cf..4344cae 100644 +--- a/src/dnsmasq.h ++++ b/src/dnsmasq.h +@@ -398,14 +398,9 @@ struct crec { + unsigned char algo; + unsigned char digest; + } ds; +- struct { +- struct blockdata *keydata; +- unsigned short keylen, type_covered, keytag; +- char algo; +- } sig; + } addr; + time_t ttd; /* time to die */ +- /* used as class if DNSKEY/DS/RRSIG, index to source for F_HOSTS */ ++ /* used as class if DNSKEY/DS, index to source for F_HOSTS */ + unsigned int uid; + unsigned short flags; + union { +@@ -445,8 +440,7 @@ struct crec { + #define F_SECSTAT (1u<<24) + #define F_NO_RR (1u<<25) + #define F_IPSET (1u<<26) +-#define F_NSIGMATCH (1u<<27) +-#define F_NOEXTRA (1u<<28) ++#define F_NOEXTRA (1u<<27) + + /* Values of uid in crecs with F_CONFIG bit set. */ + #define SRC_INTERFACE 0 +diff --git a/src/dnssec.c b/src/dnssec.c +index de7b335..1ae03a6 100644 +--- a/src/dnssec.c ++++ b/src/dnssec.c +@@ -1004,7 +1004,7 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch + { + unsigned char *psave, *p = (unsigned char *)(header+1); + struct crec *crecp, *recp1; +- int rc, j, qtype, qclass, ttl, rdlen, flags, algo, valid, keytag, type_covered; ++ int rc, j, qtype, qclass, ttl, rdlen, flags, algo, valid, keytag; + struct blockdata *key; + struct all_addr a; + +@@ -1115,7 +1115,7 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch + + if (valid) + { +- /* DNSKEY RRset determined to be OK, now cache it and the RRsigs that sign it. */ ++ /* DNSKEY RRset determined to be OK, now cache it. 
*/ + cache_start_insert(); + + p = skip_questions(header, plen); +@@ -1155,7 +1155,10 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch + if ((key = blockdata_alloc((char*)p, rdlen - 4))) + { + if (!(recp1 = cache_insert(name, &a, now, ttl, F_FORWARD | F_DNSKEY | F_DNSSECOK))) +- blockdata_free(key); ++ { ++ blockdata_free(key); ++ return STAT_BOGUS; ++ } + else + { + a.addr.keytag = keytag; +@@ -1169,38 +1172,7 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch + } + } + } +- else if (qtype == T_RRSIG) +- { +- /* RRSIG, cache if covers DNSKEY RRset */ +- if (rdlen < 18) +- return STAT_BOGUS; /* bad packet */ +- +- GETSHORT(type_covered, p); +- +- if (type_covered == T_DNSKEY) +- { +- a.addr.dnssec.class = class; +- a.addr.dnssec.type = type_covered; +- +- algo = *p++; +- p += 13; /* labels, orig_ttl, expiration, inception */ +- GETSHORT(keytag, p); +- if ((key = blockdata_alloc((char*)psave, rdlen))) +- { +- if (!(crecp = cache_insert(name, &a, now, ttl, F_FORWARD | F_DNSKEY | F_DS))) +- blockdata_free(key); +- else +- { +- crecp->addr.sig.keydata = key; +- crecp->addr.sig.keylen = rdlen; +- crecp->addr.sig.keytag = keytag; +- crecp->addr.sig.type_covered = type_covered; +- crecp->addr.sig.algo = algo; +- } +- } +- } +- } +- ++ + p = psave; + } + +@@ -1326,7 +1298,8 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char + cache_start_insert(); + + a.addr.dnssec.class = class; +- cache_insert(name, &a, now, ttl, flags); ++ if (!cache_insert(name, &a, now, ttl, flags)) ++ return STAT_BOGUS; + + cache_end_insert(); + +@@ -2028,14 +2001,13 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch + /* Not done, validate now */ + if (j == i) + { +- int ttl, keytag, algo, digest, type_covered, sigcnt, rrcnt; ++ int ttl, keytag, algo, digest, sigcnt, rrcnt; + unsigned char *psave; + struct all_addr a; + struct blockdata *key; + struct crec *crecp; + 
char *wildname; +- int have_wildcard = 0; +- ++ + if (!explore_rrset(header, plen, class1, type1, name, keyname, &sigcnt, &rrcnt)) + return STAT_BOGUS; + +@@ -2096,8 +2068,6 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch + + if (rc == STAT_SECURE_WILDCARD) + { +- have_wildcard = 1; +- + /* An attacker replay a wildcard answer with a different + answer and overlay a genuine RR. To prove this + hasn't happened, the answer must prove that +@@ -2119,7 +2089,7 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch + return rc; + } + +- /* Cache RRsigs in answer section, and if we just validated a DS RRset, cache it */ ++ /* If we just validated a DS RRset, cache it */ + /* Also note if the RRset is the answer to the question, or the target of a CNAME */ + cache_start_insert(); + +@@ -2168,45 +2138,7 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch + } + } + } +- else if (type2 == T_RRSIG) +- { +- if (rdlen2 < 18) +- return STAT_BOGUS; /* bad packet */ +- +- GETSHORT(type_covered, p2); +- +- if (type_covered == type1 && +- (type_covered == T_A || type_covered == T_AAAA || +- type_covered == T_CNAME || type_covered == T_DS || +- type_covered == T_DNSKEY || type_covered == T_PTR)) +- { +- a.addr.dnssec.type = type_covered; +- a.addr.dnssec.class = class1; +- +- algo = *p2++; +- p2 += 13; /* labels, orig_ttl, expiration, inception */ +- GETSHORT(keytag, p2); +- +- /* We don't cache sigs for wildcard answers, because to reproduce the +- answer from the cache will require one or more NSEC/NSEC3 records +- which we don't cache. The lack of the RRSIG ensures that a query for +- this RRset asking for a secure answer will always be forwarded. 
*/ +- if (!have_wildcard && (key = blockdata_alloc((char*)psave, rdlen2))) +- { +- if (!(crecp = cache_insert(name, &a, now, ttl, F_FORWARD | F_DNSKEY | F_DS))) +- blockdata_free(key); +- else +- { +- crecp->addr.sig.keydata = key; +- crecp->addr.sig.keylen = rdlen2; +- crecp->addr.sig.keytag = keytag; +- crecp->addr.sig.type_covered = type_covered; +- crecp->addr.sig.algo = algo; +- } +- } +- } +- } +- ++ + p2 = psave; + } + +diff --git a/src/rfc1035.c b/src/rfc1035.c +index 4eb1772..def8fa0 100644 +--- a/src/rfc1035.c ++++ b/src/rfc1035.c +@@ -1275,11 +1275,9 @@ int check_for_local_domain(char *name, time_t now) + struct naptr *naptr; + + /* Note: the call to cache_find_by_name is intended to find any record which matches +- ie A, AAAA, CNAME, DS. Because RRSIG records are marked by setting both F_DS and F_DNSKEY, +- cache_find_by name ordinarily only returns records with an exact match on those bits (ie +- for the call below, only DS records). The F_NSIGMATCH bit changes this behaviour */ ++ ie A, AAAA, CNAME. */ + +- if ((crecp = cache_find_by_name(NULL, name, now, F_IPV4 | F_IPV6 | F_CNAME | F_DS | F_NO_RR | F_NSIGMATCH)) && ++ if ((crecp = cache_find_by_name(NULL, name, now, F_IPV4 | F_IPV6 | F_CNAME |F_NO_RR)) && + (crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG))) + return 1; + +@@ -1566,9 +1564,11 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen, + GETSHORT(flags, pheader); + + if ((sec_reqd = flags & 0x8000)) +- *do_bit = 1;/* do bit */ ++ { ++ *do_bit = 1;/* do bit */ ++ *ad_reqd = 1; ++ } + +- *ad_reqd = 1; + dryrun = 1; + } + +@@ -1636,98 +1636,6 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen, + } + } + +-#ifdef HAVE_DNSSEC +- if (option_bool(OPT_DNSSEC_VALID) && (qtype == T_DNSKEY || qtype == T_DS)) +- { +- int gotone = 0; +- struct blockdata *keydata; +- +- /* Do we have RRSIG? Can't do DS or DNSKEY otherwise. 
*/ +- if (sec_reqd) +- { +- crecp = NULL; +- while ((crecp = cache_find_by_name(crecp, name, now, F_DNSKEY | F_DS))) +- if (crecp->uid == qclass && crecp->addr.sig.type_covered == qtype) +- break; +- } +- +- if (!sec_reqd || crecp) +- { +- if (qtype == T_DS) +- { +- crecp = NULL; +- while ((crecp = cache_find_by_name(crecp, name, now, F_DS))) +- if (crecp->uid == qclass) +- { +- gotone = 1; +- if (!dryrun) +- { +- if (crecp->flags & F_NEG) +- { +- if (crecp->flags & F_NXDOMAIN) +- nxdomain = 1; +- log_query(F_UPSTREAM, name, NULL, "no DS"); +- } +- else if ((keydata = blockdata_retrieve(crecp->addr.ds.keydata, crecp->addr.ds.keylen, NULL))) +- { +- struct all_addr a; +- a.addr.keytag = crecp->addr.ds.keytag; +- log_query(F_KEYTAG | (crecp->flags & F_CONFIG), name, &a, "DS keytag %u"); +- if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, +- crec_ttl(crecp, now), &nameoffset, +- T_DS, qclass, "sbbt", +- crecp->addr.ds.keytag, crecp->addr.ds.algo, +- crecp->addr.ds.digest, crecp->addr.ds.keylen, keydata)) +- anscount++; +- +- } +- } +- } +- } +- else /* DNSKEY */ +- { +- crecp = NULL; +- while ((crecp = cache_find_by_name(crecp, name, now, F_DNSKEY))) +- if (crecp->uid == qclass) +- { +- gotone = 1; +- if (!dryrun && (keydata = blockdata_retrieve(crecp->addr.key.keydata, crecp->addr.key.keylen, NULL))) +- { +- struct all_addr a; +- a.addr.keytag = crecp->addr.key.keytag; +- log_query(F_KEYTAG | (crecp->flags & F_CONFIG), name, &a, "DNSKEY keytag %u"); +- if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, +- crec_ttl(crecp, now), &nameoffset, +- T_DNSKEY, qclass, "sbbt", +- crecp->addr.key.flags, 3, crecp->addr.key.algo, crecp->addr.key.keylen, keydata)) +- anscount++; +- } +- } +- } +- } +- +- /* Now do RRSIGs */ +- if (gotone) +- { +- ans = 1; +- auth = 0; +- if (!dryrun && sec_reqd) +- { +- crecp = NULL; +- while ((crecp = cache_find_by_name(crecp, name, now, F_DNSKEY | F_DS))) +- if (crecp->uid == qclass && 
crecp->addr.sig.type_covered == qtype && +- (keydata = blockdata_retrieve(crecp->addr.sig.keydata, crecp->addr.sig.keylen, NULL))) +- { +- add_resource_record(header, limit, &trunc, nameoffset, &ansp, +- crec_ttl(crecp, now), &nameoffset, +- T_RRSIG, qclass, "t", crecp->addr.sig.keylen, keydata); +- anscount++; +- } +- } +- } +- } +-#endif +- + if (qclass == C_IN) + { + struct txt_record *t; +@@ -1736,6 +1644,7 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen, + if ((t->class == qtype || qtype == T_ANY) && hostname_isequal(name, t->name)) + { + ans = 1; ++ sec_data = 0; + if (!dryrun) + { + log_query(F_CONFIG | F_RRNAME, name, NULL, "<RR>"); +@@ -1792,6 +1701,7 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen, + + if (intr) + { ++ sec_data = 0; + ans = 1; + if (!dryrun) + { +@@ -1805,6 +1715,7 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen, + else if (ptr) + { + ans = 1; ++ sec_data = 0; + if (!dryrun) + { + log_query(F_CONFIG | F_RRNAME, name, NULL, "<PTR>"); +@@ -1819,38 +1730,8 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen, + } + else if ((crecp = cache_find_by_addr(NULL, &addr, now, is_arpa))) + { +- if (!(crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) && sec_reqd) +- { +- if (!option_bool(OPT_DNSSEC_VALID) || ((crecp->flags & F_NEG) && (crecp->flags & F_DNSSECOK))) +- crecp = NULL; +-#ifdef HAVE_DNSSEC +- else if (crecp->flags & F_DNSSECOK) +- { +- int gotsig = 0; +- struct crec *rr_crec = NULL; +- +- while ((rr_crec = cache_find_by_name(rr_crec, name, now, F_DS | F_DNSKEY))) +- { +- if (rr_crec->addr.sig.type_covered == T_PTR && rr_crec->uid == C_IN) +- { +- char *sigdata = blockdata_retrieve(rr_crec->addr.sig.keydata, rr_crec->addr.sig.keylen, NULL); +- gotsig = 1; +- +- if (!dryrun && +- add_resource_record(header, limit, &trunc, nameoffset, &ansp, +- rr_crec->ttd - now, &nameoffset, +- T_RRSIG, C_IN, "t", crecp->addr.sig.keylen, sigdata)) +- 
anscount++; +- } +- } +- +- if (!gotsig) +- crecp = NULL; +- } +-#endif +- } +- +- if (crecp) ++ /* Don't use cache when DNSSEC data required. */ ++ if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) || !sec_reqd || !(crecp->flags & F_DNSSECOK)) + { + do + { +@@ -1860,19 +1741,19 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen, + + if (!(crecp->flags & F_DNSSECOK)) + sec_data = 0; +- ++ ++ ans = 1; ++ + if (crecp->flags & F_NEG) + { +- ans = 1; + auth = 0; + if (crecp->flags & F_NXDOMAIN) + nxdomain = 1; + if (!dryrun) + log_query(crecp->flags & ~F_FORWARD, name, &addr, NULL); + } +- else if ((crecp->flags & (F_HOSTS | F_DHCP)) || !sec_reqd || option_bool(OPT_DNSSEC_VALID)) ++ else + { +- ans = 1; + if (!(crecp->flags & (F_HOSTS | F_DHCP))) + auth = 0; + if (!dryrun) +@@ -1892,6 +1773,7 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen, + else if (is_rev_synth(is_arpa, &addr, name)) + { + ans = 1; ++ sec_data = 0; + if (!dryrun) + { + log_query(F_CONFIG | F_REVERSE | is_arpa, name, &addr, NULL); +@@ -1908,6 +1790,7 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen, + { + /* if not in cache, enabled and private IPV4 address, return NXDOMAIN */ + ans = 1; ++ sec_data = 0; + nxdomain = 1; + if (!dryrun) + log_query(F_CONFIG | F_REVERSE | F_IPV4 | F_NEG | F_NXDOMAIN, +@@ -1955,6 +1838,7 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen, + if (i == 4) + { + ans = 1; ++ sec_data = 0; + if (!dryrun) + { + addr.addr.addr4.s_addr = htonl(a); +@@ -1993,6 +1877,7 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen, + continue; + #endif + ans = 1; ++ sec_data = 0; + if (!dryrun) + { + gotit = 1; +@@ -2032,48 +1917,8 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen, + crecp = save; + } + +- /* If the client asked for DNSSEC and we can't provide RRSIGs, either +- because we've not doing DNSSEC or the cached answer is 
signed by negative, +- don't answer from the cache, forward instead. */ +- if (!(crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) && sec_reqd) +- { +- if (!option_bool(OPT_DNSSEC_VALID) || ((crecp->flags & F_NEG) && (crecp->flags & F_DNSSECOK))) +- crecp = NULL; +-#ifdef HAVE_DNSSEC +- else if (crecp->flags & F_DNSSECOK) +- { +- /* We're returning validated data, need to return the RRSIG too. */ +- struct crec *rr_crec = NULL; +- int sigtype = type; +- /* The signature may have expired even though the data is still in cache, +- forward instead of answering from cache if so. */ +- int gotsig = 0; +- +- if (crecp->flags & F_CNAME) +- sigtype = T_CNAME; +- +- while ((rr_crec = cache_find_by_name(rr_crec, name, now, F_DS | F_DNSKEY))) +- { +- if (rr_crec->addr.sig.type_covered == sigtype && rr_crec->uid == C_IN) +- { +- char *sigdata = blockdata_retrieve(rr_crec->addr.sig.keydata, rr_crec->addr.sig.keylen, NULL); +- gotsig = 1; +- +- if (!dryrun && +- add_resource_record(header, limit, &trunc, nameoffset, &ansp, +- rr_crec->ttd - now, &nameoffset, +- T_RRSIG, C_IN, "t", rr_crec->addr.sig.keylen, sigdata)) +- anscount++; +- } +- } +- +- if (!gotsig) +- crecp = NULL; +- } +-#endif +- } +- +- if (crecp) ++ /* If the client asked for DNSSEC don't use cached data. */ ++ if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) || !sec_reqd || !(crecp->flags & F_DNSSECOK)) + do + { + /* don't answer wildcard queries with data not from /etc/hosts +-- +1.7.10.4 + diff --git a/src/patches/dnsmasq/018-Move_code_which_caches_DS_records_to_a_more_logical_place.patch b/src/patches/dnsmasq/018-Move_code_which_caches_DS_records_to_a_more_logical_place.patch new file mode 100644 index 0000000..ff055f7 --- /dev/null +++ b/src/patches/dnsmasq/018-Move_code_which_caches_DS_records_to_a_more_logical_place.patch 
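Review bot: the comments introduced in the two cache-hit hunks of answer_request() above (`/* Don't use cache when DNSSEC data required. */` and `/* If the client asked for DNSSEC don't use cached data. */`) do not describe the condition they sit on. `if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) || !sec_reqd || !(crecp->flags & F_DNSSECOK))` still answers from cache when the client asked for DNSSEC (sec_reqd) and the cached record is unvalidated, relying on the `if (!(crecp->flags & F_DNSSECOK)) sec_data = 0;` inside the loop to mark the reply unauthenticated; only validated records are bypassed, so that the answer and its RRSIGs come from upstream. Suggest a comment along the lines of "Validated data must be served with its RRSIGs, which this path no longer supplies, so forward DNSSEC queries for it; unvalidated cache entries may still be used, with sec_data cleared." This is also a behaviour change from the deleted block, which forwarded whenever `sec_reqd && !option_bool(OPT_DNSSEC_VALID)`; now that OPT_DNSSEC_VALID is no longer consulted here, a DNSSEC query against a non-validating instance is answered from cache with sec_data cleared, which is defensible but worth stating in the commit message.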
@@ -0,0 +1,269 @@ +From d64c81fff7faf4392b688223ef3a617c5c07e7dc Mon Sep 17 00:00:00 2001 +From: Simon Kelley simon@thekelleys.org.uk +Date: Tue, 15 Dec 2015 16:11:06 +0000 +Subject: [PATCH] Move code which caches DS records to a more logical place. + +--- + src/dnssec.c | 179 +++++++++++++++++++++++++++++----------------------------- + 1 file changed, 90 insertions(+), 89 deletions(-) + +diff --git a/src/dnssec.c b/src/dnssec.c +index 1ae03a6..359231f 100644 +--- a/src/dnssec.c ++++ b/src/dnssec.c +@@ -1204,7 +1204,10 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch + int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int class) + { + unsigned char *p = (unsigned char *)(header+1); +- int qtype, qclass, val, i, neganswer, nons; ++ int qtype, qclass, rc, i, neganswer, nons; ++ int aclass, atype, rdlen; ++ unsigned long ttl; ++ struct all_addr a; + + if (ntohs(header->qdcount) != 1 || + !(p = skip_name(p, header, plen, 4))) +@@ -1214,40 +1217,100 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char + GETSHORT(qclass, p); + + if (qtype != T_DS || qclass != class) +- val = STAT_BOGUS; ++ rc = STAT_BOGUS; + else +- val = dnssec_validate_reply(now, header, plen, name, keyname, NULL, 0, &neganswer, &nons); ++ rc = dnssec_validate_reply(now, header, plen, name, keyname, NULL, 0, &neganswer, &nons); + /* Note dnssec_validate_reply() will have cached positive answers */ + +- if (val == STAT_INSECURE) +- val = STAT_BOGUS; +- ++ if (rc == STAT_INSECURE) ++ rc = STAT_BOGUS; ++ + p = (unsigned char *)(header+1); + extract_name(header, plen, &p, name, 1, 4); + p += 4; /* qtype, qclass */ + +- if (!(p = skip_section(p, ntohs(header->ancount), header, plen))) +- val = STAT_BOGUS; +- + /* If the key needed to validate the DS is on the same domain as the DS, we'll + loop getting nowhere. Stop that now. 
This can happen of the DS answer comes + from the DS's zone, and not the parent zone. */ +- if (val == STAT_BOGUS || (val == STAT_NEED_KEY && hostname_isequal(name, keyname))) ++ if (rc == STAT_BOGUS || (rc == STAT_NEED_KEY && hostname_isequal(name, keyname))) + { + log_query(F_NOEXTRA | F_UPSTREAM, name, NULL, "BOGUS DS"); + return STAT_BOGUS; + } + +- if (val != STAT_SECURE) +- return val; +- +- /* By here, the answer is proved secure, and a positive answer has been cached. */ +- if (neganswer) ++ if (rc != STAT_SECURE) ++ return rc; ++ ++ if (!neganswer) + { +- int rdlen, flags = F_FORWARD | F_DS | F_NEG | F_DNSSECOK; +- unsigned long ttl, minttl = ULONG_MAX; +- struct all_addr a; ++ cache_start_insert(); ++ ++ for (i = 0; i < ntohs(header->ancount); i++) ++ { ++ if (!(rc = extract_name(header, plen, &p, name, 0, 10))) ++ return STAT_BOGUS; /* bad packet */ ++ ++ GETSHORT(atype, p); ++ GETSHORT(aclass, p); ++ GETLONG(ttl, p); ++ GETSHORT(rdlen, p); ++ ++ if (!CHECK_LEN(header, p, plen, rdlen)) ++ return STAT_BOGUS; /* bad packet */ ++ ++ if (aclass == class && atype == T_DS && rc == 1) ++ { ++ int algo, digest, keytag; ++ unsigned char *psave = p; ++ struct blockdata *key; ++ struct crec *crecp; + ++ if (rdlen < 4) ++ return STAT_BOGUS; /* bad packet */ ++ ++ GETSHORT(keytag, p); ++ algo = *p++; ++ digest = *p++; ++ ++ /* Cache needs to known class for DNSSEC stuff */ ++ a.addr.dnssec.class = class; ++ ++ if ((key = blockdata_alloc((char*)p, rdlen - 4))) ++ { ++ if (!(crecp = cache_insert(name, &a, now, ttl, F_FORWARD | F_DS | F_DNSSECOK))) ++ { ++ blockdata_free(key); ++ return STAT_BOGUS; ++ } ++ else ++ { ++ a.addr.keytag = keytag; ++ log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DS keytag %u"); ++ crecp->addr.ds.digest = digest; ++ crecp->addr.ds.keydata = key; ++ crecp->addr.ds.algo = algo; ++ crecp->addr.ds.keytag = keytag; ++ crecp->addr.ds.keylen = rdlen - 4; ++ } ++ } ++ ++ p = psave; ++ ++ if (!ADD_RDLEN(header, p, plen, rdlen)) ++ return 
STAT_BOGUS; /* bad packet */ ++ } ++ ++ cache_end_insert(); ++ } ++ } ++ else ++ { ++ int flags = F_FORWARD | F_DS | F_NEG | F_DNSSECOK; ++ unsigned long minttl = ULONG_MAX; ++ ++ if (!(p = skip_section(p, ntohs(header->ancount), header, plen))) ++ return STAT_BOGUS; ++ + if (RCODE(header) == NXDOMAIN) + flags |= F_NXDOMAIN; + +@@ -1261,20 +1324,20 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char + if (!(p = skip_name(p, header, plen, 0))) + return STAT_BOGUS; + +- GETSHORT(qtype, p); +- GETSHORT(qclass, p); ++ GETSHORT(atype, p); ++ GETSHORT(aclass, p); + GETLONG(ttl, p); + GETSHORT(rdlen, p); +- ++ + if (!CHECK_LEN(header, p, plen, rdlen)) + return STAT_BOGUS; /* bad packet */ +- +- if (qclass != class || qtype != T_SOA) ++ ++ if (aclass != class || atype != T_SOA) + { + p += rdlen; + continue; + } +- ++ + if (ttl < minttl) + minttl = ttl; + +@@ -1306,7 +1369,7 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char + log_query(F_NOEXTRA | F_UPSTREAM, name, NULL, "no DS"); + } + } +- ++ + return STAT_OK; + } + +@@ -2001,11 +2064,7 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch + /* Not done, validate now */ + if (j == i) + { +- int ttl, keytag, algo, digest, sigcnt, rrcnt; +- unsigned char *psave; +- struct all_addr a; +- struct blockdata *key; +- struct crec *crecp; ++ int sigcnt, rrcnt; + char *wildname; + + if (!explore_rrset(header, plen, class1, type1, name, keyname, &sigcnt, &rrcnt)) +@@ -2032,6 +2091,7 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch + Can't overwrite name here. 
*/ + strcpy(daemon->workspacename, keyname); + rc = zone_status(daemon->workspacename, class1, keyname, now); ++ + if (rc != STAT_SECURE) + { + /* Zone is insecure, don't need to validate RRset */ +@@ -2088,65 +2148,6 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch + if (rc == STAT_BOGUS) + return rc; + } +- +- /* If we just validated a DS RRset, cache it */ +- /* Also note if the RRset is the answer to the question, or the target of a CNAME */ +- cache_start_insert(); +- +- for (p2 = ans_start, j = 0; j < ntohs(header->ancount); j++) +- { +- if (!(rc = extract_name(header, plen, &p2, name, 0, 10))) +- return STAT_BOGUS; /* bad packet */ +- +- GETSHORT(type2, p2); +- GETSHORT(class2, p2); +- GETLONG(ttl, p2); +- GETSHORT(rdlen2, p2); +- +- if (!CHECK_LEN(header, p2, plen, rdlen2)) +- return STAT_BOGUS; /* bad packet */ +- +- if (class2 == class1 && rc == 1) +- { +- psave = p2; +- +- if (type1 == T_DS && type2 == T_DS) +- { +- if (rdlen2 < 4) +- return STAT_BOGUS; /* bad packet */ +- +- GETSHORT(keytag, p2); +- algo = *p2++; +- digest = *p2++; +- +- /* Cache needs to known class for DNSSEC stuff */ +- a.addr.dnssec.class = class2; +- +- if ((key = blockdata_alloc((char*)p2, rdlen2 - 4))) +- { +- if (!(crecp = cache_insert(name, &a, now, ttl, F_FORWARD | F_DS | F_DNSSECOK))) +- blockdata_free(key); +- else +- { +- a.addr.keytag = keytag; +- log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DS keytag %u"); +- crecp->addr.ds.digest = digest; +- crecp->addr.ds.keydata = key; +- crecp->addr.ds.algo = algo; +- crecp->addr.ds.keytag = keytag; +- crecp->addr.ds.keylen = rdlen2 - 4; +- } +- } +- } +- +- p2 = psave; +- } +- +- if (!ADD_RDLEN(header, p2, plen, rdlen2)) +- return STAT_BOGUS; /* bad packet */ +- } +- +- cache_end_insert(); + } + } + } +-- +1.7.10.4 + 
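Review bot: in the @@ -1214,40 +1217,100 @@ hunk of dnssec_validate_ds(), the brace placement in the new positive-answer loop looks wrong as the hunk reads: `p = psave; if (!ADD_RDLEN(header, p, plen, rdlen)) return STAT_BOGUS;` sits inside the `if (aclass == class && atype == T_DS && rc == 1)` block, and `cache_end_insert();` sits inside the `for (i = 0; i < ntohs(header->ancount); i++)` loop. For any answer RR that is not a matching DS (the RRSIGs that accompany every validated DS RRset, for one) `p` is left pointing at the rdata, so the next iteration parses rdata bytes as an owner name, and cache_end_insert() runs once per record instead of once after the loop. Keep `p = psave;` inside the if block but move the ADD_RDLEN step after it and cache_end_insert() after the loop, which is how the removed dnssec_validate_reply() code was arranged. Second point in the same hunk: the new `if (!(crecp = cache_insert(...))) { blockdata_free(key); return STAT_BOGUS; }` and the bad-packet returns all leave cache_start_insert() without its matching cache_end_insert(); if the cache code tolerates that (the removed code had the same pattern for bad packets) a one-line comment saying so would save the next reader the check.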
diff --git a/src/patches/dnsmasq/019-Generalise_RR-filtering_code_for_use_with_EDNS0.patch b/src/patches/dnsmasq/019-Generalise_RR-filtering_code_for_use_with_EDNS0.patch new file mode 100644 index 0000000..0a4942a --- /dev/null +++ b/src/patches/dnsmasq/019-Generalise_RR-filtering_code_for_use_with_EDNS0.patch 
@@ -0,0 +1,755 @@ +From c2bcd1e183bcc5fdd63811c045355fc57e36ecfd Mon Sep 17 00:00:00 2001 +From: Simon Kelley simon@thekelleys.org.uk +Date: Tue, 15 Dec 2015 17:25:21 +0000 +Subject: [PATCH] Generalise RR-filtering code, for use with EDNS0. + +--- + Makefile | 3 +- + bld/Android.mk | 2 +- + src/dnsmasq.h | 5 + + src/dnssec.c | 307 +------------------------------------------------- + src/forward.c | 2 +- + src/rrfilter.c | 339 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + 6 files changed, 349 insertions(+), 309 deletions(-) + create mode 100644 src/rrfilter.c + +diff --git a/Makefile b/Makefile +index 4c87ea9..b664160 100644 +--- a/Makefile ++++ b/Makefile +@@ -73,7 +73,8 @@ objs = cache.o rfc1035.o util.o option.o forward.o network.o \ + dnsmasq.o dhcp.o lease.o rfc2131.o netlink.o dbus.o bpf.o \ + helper.o tftp.o log.o conntrack.o dhcp6.o rfc3315.o \ + dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o \ +- domain.o dnssec.o blockdata.o tables.o loop.o inotify.o poll.o ++ domain.o dnssec.o blockdata.o tables.o loop.o inotify.o \ ++ poll.o rrfilter.o + + hdrs = dnsmasq.h config.h dhcp-protocol.h dhcp6-protocol.h \ + dns-protocol.h radv-protocol.h ip6addr.h +diff --git a/bld/Android.mk b/bld/Android.mk +index 5364ee7..67b9c4b 100644 +--- a/bld/Android.mk ++++ b/bld/Android.mk +@@ -10,7 +10,7 @@ LOCAL_SRC_FILES := bpf.c cache.c dbus.c dhcp.c dnsmasq.c \ + dhcp6.c rfc3315.c dhcp-common.c outpacket.c \ + radv.c slaac.c auth.c ipset.c domain.c \ + dnssec.c dnssec-openssl.c blockdata.c tables.c \ +- loop.c inotify.c poll.c ++ loop.c inotify.c poll.c rrfilter.c + + LOCAL_MODULE := dnsmasq + +diff --git a/src/dnsmasq.h b/src/dnsmasq.h +index 4344cae..39a930c 100644 +--- a/src/dnsmasq.h ++++ b/src/dnsmasq.h +@@ -1513,3 +1513,8 @@ int poll_check(int fd, short event); + void poll_listen(int fd, short event); + int do_poll(int timeout); + ++/* rrfilter.c */ ++size_t rrfilter(struct dns_header *header, size_t plen, int mode); ++u16 *rrfilter_desc(int type); 
++int expand_workspace(unsigned char ***wkspc, int *szp, int new); ++ +diff --git a/src/dnssec.c b/src/dnssec.c +index 359231f..fa3eb81 100644 +--- a/src/dnssec.c ++++ b/src/dnssec.c +@@ -507,50 +507,6 @@ static int check_date_range(unsigned long date_start, unsigned long date_end) + && serial_compare_32(curtime, date_end) == SERIAL_LT; + } + +-static u16 *get_desc(int type) +-{ +- /* List of RRtypes which include domains in the data. +- 0 -> domain +- integer -> no of plain bytes +- -1 -> end +- +- zero is not a valid RRtype, so the final entry is returned for +- anything which needs no mangling. +- */ +- +- static u16 rr_desc[] = +- { +- T_NS, 0, -1, +- T_MD, 0, -1, +- T_MF, 0, -1, +- T_CNAME, 0, -1, +- T_SOA, 0, 0, -1, +- T_MB, 0, -1, +- T_MG, 0, -1, +- T_MR, 0, -1, +- T_PTR, 0, -1, +- T_MINFO, 0, 0, -1, +- T_MX, 2, 0, -1, +- T_RP, 0, 0, -1, +- T_AFSDB, 2, 0, -1, +- T_RT, 2, 0, -1, +- T_SIG, 18, 0, -1, +- T_PX, 2, 0, 0, -1, +- T_NXT, 0, -1, +- T_KX, 2, 0, -1, +- T_SRV, 6, 0, -1, +- T_DNAME, 0, -1, +- 0, -1 /* wildcard/catchall */ +- }; +- +- u16 *p = rr_desc; +- +- while (*p != type && *p != 0) +- while (*p++ != (u16)-1); +- +- return p+1; +-} +- + /* Return bytes of canonicalised rdata, when the return value is zero, the remaining + data, pointed to by *p, should be used raw. 
*/ + static int get_rdata(struct dns_header *header, size_t plen, unsigned char *end, char *buff, int bufflen, +@@ -594,34 +550,6 @@ static int get_rdata(struct dns_header *header, size_t plen, unsigned char *end, + } + } + +-static int expand_workspace(unsigned char ***wkspc, int *szp, int new) +-{ +- unsigned char **p; +- int old = *szp; +- +- if (old >= new+1) +- return 1; +- +- if (new >= 100) +- return 0; +- +- new += 5; +- +- if (!(p = whine_malloc(new * sizeof(unsigned char **)))) +- return 0; +- +- if (old != 0 && *wkspc) +- { +- memcpy(p, *wkspc, old * sizeof(unsigned char **)); +- free(*wkspc); +- } +- +- *wkspc = p; +- *szp = new; +- +- return 1; +-} +- + /* Bubble sort the RRset into the canonical order. + Note that the byte-streams from two RRs may get unsynced: consider + RRs which have two domain-names at the start and then other data. +@@ -849,7 +777,7 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in + int rdlen, j, name_labels; + struct crec *crecp = NULL; + int algo, labels, orig_ttl, key_tag; +- u16 *rr_desc = get_desc(type); ++ u16 *rr_desc = rrfilter_desc(type); + + if (wildcard_out) + *wildcard_out = NULL; +@@ -2266,239 +2194,6 @@ size_t dnssec_generate_query(struct dns_header *header, char *end, char *name, i + return ret; + } + +-/* Go through a domain name, find "pointers" and fix them up based on how many bytes +- we've chopped out of the packet, or check they don't point into an elided part. */ +-static int check_name(unsigned char **namep, struct dns_header *header, size_t plen, int fixup, unsigned char **rrs, int rr_count) +-{ +- unsigned char *ansp = *namep; +- +- while(1) +- { +- unsigned int label_type; +- +- if (!CHECK_LEN(header, ansp, plen, 1)) +- return 0; +- +- label_type = (*ansp) & 0xc0; +- +- if (label_type == 0xc0) +- { +- /* pointer for compression. 
*/ +- unsigned int offset; +- int i; +- unsigned char *p; +- +- if (!CHECK_LEN(header, ansp, plen, 2)) +- return 0; +- +- offset = ((*ansp++) & 0x3f) << 8; +- offset |= *ansp++; +- +- p = offset + (unsigned char *)header; +- +- for (i = 0; i < rr_count; i++) +- if (p < rrs[i]) +- break; +- else +- if (i & 1) +- offset -= rrs[i] - rrs[i-1]; +- +- /* does the pointer end up in an elided RR? */ +- if (i & 1) +- return 0; +- +- /* No, scale the pointer */ +- if (fixup) +- { +- ansp -= 2; +- *ansp++ = (offset >> 8) | 0xc0; +- *ansp++ = offset & 0xff; +- } +- break; +- } +- else if (label_type == 0x80) +- return 0; /* reserved */ +- else if (label_type == 0x40) +- { +- /* Extended label type */ +- unsigned int count; +- +- if (!CHECK_LEN(header, ansp, plen, 2)) +- return 0; +- +- if (((*ansp++) & 0x3f) != 1) +- return 0; /* we only understand bitstrings */ +- +- count = *(ansp++); /* Bits in bitstring */ +- +- if (count == 0) /* count == 0 means 256 bits */ +- ansp += 32; +- else +- ansp += ((count-1)>>3)+1; +- } +- else +- { /* label type == 0 Bottom six bits is length */ +- unsigned int len = (*ansp++) & 0x3f; +- +- if (!ADD_RDLEN(header, ansp, plen, len)) +- return 0; +- +- if (len == 0) +- break; /* zero length label marks the end. 
*/ +- } +- } +- +- *namep = ansp; +- +- return 1; +-} +- +-/* Go through RRs and check or fixup the domain names contained within */ +-static int check_rrs(unsigned char *p, struct dns_header *header, size_t plen, int fixup, unsigned char **rrs, int rr_count) +-{ +- int i, type, class, rdlen; +- unsigned char *pp; +- +- for (i = 0; i < ntohs(header->ancount) + ntohs(header->nscount) + ntohs(header->arcount); i++) +- { +- pp = p; +- +- if (!(p = skip_name(p, header, plen, 10))) +- return 0; +- +- GETSHORT(type, p); +- GETSHORT(class, p); +- p += 4; /* TTL */ +- GETSHORT(rdlen, p); +- +- if (type != T_NSEC && type != T_NSEC3 && type != T_RRSIG) +- { +- /* fixup name of RR */ +- if (!check_name(&pp, header, plen, fixup, rrs, rr_count)) +- return 0; +- +- if (class == C_IN) +- { +- u16 *d; +- +- for (pp = p, d = get_desc(type); *d != (u16)-1; d++) +- { +- if (*d != 0) +- pp += *d; +- else if (!check_name(&pp, header, plen, fixup, rrs, rr_count)) +- return 0; +- } +- } +- } +- +- if (!ADD_RDLEN(header, p, plen, rdlen)) +- return 0; +- } +- +- return 1; +-} +- +- +-size_t filter_rrsigs(struct dns_header *header, size_t plen) +-{ +- static unsigned char **rrs; +- static int rr_sz = 0; +- +- unsigned char *p = (unsigned char *)(header+1); +- int i, rdlen, qtype, qclass, rr_found, chop_an, chop_ns, chop_ar; +- +- if (ntohs(header->qdcount) != 1 || +- !(p = skip_name(p, header, plen, 4))) +- return plen; +- +- GETSHORT(qtype, p); +- GETSHORT(qclass, p); +- +- /* First pass, find pointers to start and end of all the records we wish to elide: +- records added for DNSSEC, unless explicity queried for */ +- for (rr_found = 0, chop_ns = 0, chop_an = 0, chop_ar = 0, i = 0; +- i < ntohs(header->ancount) + ntohs(header->nscount) + ntohs(header->arcount); +- i++) +- { +- unsigned char *pstart = p; +- int type, class; +- +- if (!(p = skip_name(p, header, plen, 10))) +- return plen; +- +- GETSHORT(type, p); +- GETSHORT(class, p); +- p += 4; /* TTL */ +- GETSHORT(rdlen, p); +- +- if 
((type == T_NSEC || type == T_NSEC3 || type == T_RRSIG) && +- (type != qtype || class != qclass)) +- { +- if (!expand_workspace(&rrs, &rr_sz, rr_found + 1)) +- return plen; +- +- rrs[rr_found++] = pstart; +- +- if (!ADD_RDLEN(header, p, plen, rdlen)) +- return plen; +- +- rrs[rr_found++] = p; +- +- if (i < ntohs(header->ancount)) +- chop_an++; +- else if (i < (ntohs(header->nscount) + ntohs(header->ancount))) +- chop_ns++; +- else +- chop_ar++; +- } +- else if (!ADD_RDLEN(header, p, plen, rdlen)) +- return plen; +- } +- +- /* Nothing to do. */ +- if (rr_found == 0) +- return plen; +- +- /* Second pass, look for pointers in names in the records we're keeping and make sure they don't +- point to records we're going to elide. This is theoretically possible, but unlikely. If +- it happens, we give up and leave the answer unchanged. */ +- p = (unsigned char *)(header+1); +- +- /* question first */ +- if (!check_name(&p, header, plen, 0, rrs, rr_found)) +- return plen; +- p += 4; /* qclass, qtype */ +- +- /* Now answers and NS */ +- if (!check_rrs(p, header, plen, 0, rrs, rr_found)) +- return plen; +- +- /* Third pass, elide records */ +- for (p = rrs[0], i = 1; i < rr_found; i += 2) +- { +- unsigned char *start = rrs[i]; +- unsigned char *end = (i != rr_found - 1) ? 
rrs[i+1] : ((unsigned char *)(header+1)) + plen; +- +- memmove(p, start, end-start); +- p += end-start; +- } +- +- plen = p - (unsigned char *)header; +- header->ancount = htons(ntohs(header->ancount) - chop_an); +- header->nscount = htons(ntohs(header->nscount) - chop_ns); +- header->arcount = htons(ntohs(header->arcount) - chop_ar); +- +- /* Fourth pass, fix up pointers in the remaining records */ +- p = (unsigned char *)(header+1); +- +- check_name(&p, header, plen, 1, rrs, rr_found); +- p += 4; /* qclass, qtype */ +- +- check_rrs(p, header, plen, 1, rrs, rr_found); +- +- return plen; +-} +- + unsigned char* hash_questions(struct dns_header *header, size_t plen, char *name) + { + int q; +diff --git a/src/forward.c b/src/forward.c +index dd22a62..3e801c8 100644 +--- a/src/forward.c ++++ b/src/forward.c +@@ -662,7 +662,7 @@ static size_t process_reply(struct dns_header *header, time_t now, struct server + + /* If the requestor didn't set the DO bit, don't return DNSSEC info. */ + if (!do_bit) +- n = filter_rrsigs(header, n); ++ n = rrfilter(header, n, 1); + #endif + + /* do this after extract_addresses. Ensure NODATA reply and remove +diff --git a/src/rrfilter.c b/src/rrfilter.c +new file mode 100644 +index 0000000..ae12261 +--- /dev/null ++++ b/src/rrfilter.c +@@ -0,0 +1,339 @@ ++/* dnsmasq is Copyright (c) 2000-2015 Simon Kelley ++ ++ This program is free software; you can redistribute it and/or modify ++ it under the terms of the GNU General Public License as published by ++ the Free Software Foundation; version 2 dated June, 1991, or ++ (at your option) version 3 dated 29 June, 2007. ++ ++ This program is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ GNU General Public License for more details. ++ ++ You should have received a copy of the GNU General Public License ++ along with this program. 
If not, see http://www.gnu.org/licenses/. ++*/ ++ ++/* Code to safely remove RRs from an DNS answer */ ++ ++#include "dnsmasq.h" ++ ++/* Go through a domain name, find "pointers" and fix them up based on how many bytes ++ we've chopped out of the packet, or check they don't point into an elided part. */ ++static int check_name(unsigned char **namep, struct dns_header *header, size_t plen, int fixup, unsigned char **rrs, int rr_count) ++{ ++ unsigned char *ansp = *namep; ++ ++ while(1) ++ { ++ unsigned int label_type; ++ ++ if (!CHECK_LEN(header, ansp, plen, 1)) ++ return 0; ++ ++ label_type = (*ansp) & 0xc0; ++ ++ if (label_type == 0xc0) ++ { ++ /* pointer for compression. */ ++ unsigned int offset; ++ int i; ++ unsigned char *p; ++ ++ if (!CHECK_LEN(header, ansp, plen, 2)) ++ return 0; ++ ++ offset = ((*ansp++) & 0x3f) << 8; ++ offset |= *ansp++; ++ ++ p = offset + (unsigned char *)header; ++ ++ for (i = 0; i < rr_count; i++) ++ if (p < rrs[i]) ++ break; ++ else ++ if (i & 1) ++ offset -= rrs[i] - rrs[i-1]; ++ ++ /* does the pointer end up in an elided RR? */ ++ if (i & 1) ++ return 0; ++ ++ /* No, scale the pointer */ ++ if (fixup) ++ { ++ ansp -= 2; ++ *ansp++ = (offset >> 8) | 0xc0; ++ *ansp++ = offset & 0xff; ++ } ++ break; ++ } ++ else if (label_type == 0x80) ++ return 0; /* reserved */ ++ else if (label_type == 0x40) ++ { ++ /* Extended label type */ ++ unsigned int count; ++ ++ if (!CHECK_LEN(header, ansp, plen, 2)) ++ return 0; ++ ++ if (((*ansp++) & 0x3f) != 1) ++ return 0; /* we only understand bitstrings */ ++ ++ count = *(ansp++); /* Bits in bitstring */ ++ ++ if (count == 0) /* count == 0 means 256 bits */ ++ ansp += 32; ++ else ++ ansp += ((count-1)>>3)+1; ++ } ++ else ++ { /* label type == 0 Bottom six bits is length */ ++ unsigned int len = (*ansp++) & 0x3f; ++ ++ if (!ADD_RDLEN(header, ansp, plen, len)) ++ return 0; ++ ++ if (len == 0) ++ break; /* zero length label marks the end. 
*/ ++ } ++ } ++ ++ *namep = ansp; ++ ++ return 1; ++} ++ ++/* Go through RRs and check or fixup the domain names contained within */ ++static int check_rrs(unsigned char *p, struct dns_header *header, size_t plen, int fixup, unsigned char **rrs, int rr_count) ++{ ++ int i, j, type, class, rdlen; ++ unsigned char *pp; ++ ++ for (i = 0; i < ntohs(header->ancount) + ntohs(header->nscount) + ntohs(header->arcount); i++) ++ { ++ pp = p; ++ ++ if (!(p = skip_name(p, header, plen, 10))) ++ return 0; ++ ++ GETSHORT(type, p); ++ GETSHORT(class, p); ++ p += 4; /* TTL */ ++ GETSHORT(rdlen, p); ++ ++ /* If this RR is to be elided, don't fix up its contents */ ++ for (j = 0; j < rr_count; j += 2) ++ if (rrs[j] == pp) ++ break; ++ ++ if (j >= rr_count) ++ { ++ /* fixup name of RR */ ++ if (!check_name(&pp, header, plen, fixup, rrs, rr_count)) ++ return 0; ++ ++ if (class == C_IN) ++ { ++ u16 *d; ++ ++ for (pp = p, d = rrfilter_desc(type); *d != (u16)-1; d++) ++ { ++ if (*d != 0) ++ pp += *d; ++ else if (!check_name(&pp, header, plen, fixup, rrs, rr_count)) ++ return 0; ++ } ++ } ++ } ++ ++ if (!ADD_RDLEN(header, p, plen, rdlen)) ++ return 0; ++ } ++ ++ return 1; ++} ++ ++ ++/* mode is 0 to remove EDNS0, 1 to filter DNSSEC RRs */ ++size_t rrfilter(struct dns_header *header, size_t plen, int mode) ++{ ++ static unsigned char **rrs; ++ static int rr_sz = 0; ++ ++ unsigned char *p = (unsigned char *)(header+1); ++ int i, rdlen, qtype, qclass, rr_found, chop_an, chop_ns, chop_ar; ++ ++ if (ntohs(header->qdcount) != 1 || ++ !(p = skip_name(p, header, plen, 4))) ++ return plen; ++ ++ GETSHORT(qtype, p); ++ GETSHORT(qclass, p); ++ ++ /* First pass, find pointers to start and end of all the records we wish to elide: ++ records added for DNSSEC, unless explicity queried for */ ++ for (rr_found = 0, chop_ns = 0, chop_an = 0, chop_ar = 0, i = 0; ++ i < ntohs(header->ancount) + ntohs(header->nscount) + ntohs(header->arcount); ++ i++) ++ { ++ unsigned char *pstart = p; ++ int type, class; ++ 
++ if (!(p = skip_name(p, header, plen, 10))) ++ return plen; ++ ++ GETSHORT(type, p); ++ GETSHORT(class, p); ++ p += 4; /* TTL */ ++ GETSHORT(rdlen, p); ++ ++ if (!ADD_RDLEN(header, p, plen, rdlen)) ++ return plen; ++ ++ /* Don't remove the answer. */ ++ if (i < ntohs(header->ancount) && type == qtype && class == qclass) ++ continue; ++ ++ if (mode == 0) /* EDNS */ ++ { ++ /* EDNS mode, remove T_OPT from additional section only */ ++ if (i < (ntohs(header->nscount) + ntohs(header->ancount)) || type != T_OPT) ++ continue; ++ } ++ else if (type != T_NSEC && type != T_NSEC3 && type != T_RRSIG) ++ /* DNSSEC mode, remove SIGs and NSECs from all three sections. */ ++ continue; ++ ++ ++ if (!expand_workspace(&rrs, &rr_sz, rr_found + 1)) ++ return plen; ++ ++ rrs[rr_found++] = pstart; ++ rrs[rr_found++] = p; ++ ++ if (i < ntohs(header->ancount)) ++ chop_an++; ++ else if (i < (ntohs(header->nscount) + ntohs(header->ancount))) ++ chop_ns++; ++ else ++ chop_ar++; ++ } ++ ++ /* Nothing to do. */ ++ if (rr_found == 0) ++ return plen; ++ ++ /* Second pass, look for pointers in names in the records we're keeping and make sure they don't ++ point to records we're going to elide. This is theoretically possible, but unlikely. If ++ it happens, we give up and leave the answer unchanged. */ ++ p = (unsigned char *)(header+1); ++ ++ /* question first */ ++ if (!check_name(&p, header, plen, 0, rrs, rr_found)) ++ return plen; ++ p += 4; /* qclass, qtype */ ++ ++ /* Now answers and NS */ ++ if (!check_rrs(p, header, plen, 0, rrs, rr_found)) ++ return plen; ++ ++ /* Third pass, elide records */ ++ for (p = rrs[0], i = 1; i < rr_found; i += 2) ++ { ++ unsigned char *start = rrs[i]; ++ unsigned char *end = (i != rr_found - 1) ? 
rrs[i+1] : ((unsigned char *)(header+1)) + plen; ++ ++ memmove(p, start, end-start); ++ p += end-start; ++ } ++ ++ plen = p - (unsigned char *)header; ++ header->ancount = htons(ntohs(header->ancount) - chop_an); ++ header->nscount = htons(ntohs(header->nscount) - chop_ns); ++ header->arcount = htons(ntohs(header->arcount) - chop_ar); ++ ++ /* Fourth pass, fix up pointers in the remaining records */ ++ p = (unsigned char *)(header+1); ++ ++ check_name(&p, header, plen, 1, rrs, rr_found); ++ p += 4; /* qclass, qtype */ ++ ++ check_rrs(p, header, plen, 1, rrs, rr_found); ++ ++ return plen; ++} ++ ++/* This is used in the DNSSEC code too, hence it's exported */ ++u16 *rrfilter_desc(int type) ++{ ++ /* List of RRtypes which include domains in the data. ++ 0 -> domain ++ integer -> no of plain bytes ++ -1 -> end ++ ++ zero is not a valid RRtype, so the final entry is returned for ++ anything which needs no mangling. ++ */ ++ ++ static u16 rr_desc[] = ++ { ++ T_NS, 0, -1, ++ T_MD, 0, -1, ++ T_MF, 0, -1, ++ T_CNAME, 0, -1, ++ T_SOA, 0, 0, -1, ++ T_MB, 0, -1, ++ T_MG, 0, -1, ++ T_MR, 0, -1, ++ T_PTR, 0, -1, ++ T_MINFO, 0, 0, -1, ++ T_MX, 2, 0, -1, ++ T_RP, 0, 0, -1, ++ T_AFSDB, 2, 0, -1, ++ T_RT, 2, 0, -1, ++ T_SIG, 18, 0, -1, ++ T_PX, 2, 0, 0, -1, ++ T_NXT, 0, -1, ++ T_KX, 2, 0, -1, ++ T_SRV, 6, 0, -1, ++ T_DNAME, 0, -1, ++ 0, -1 /* wildcard/catchall */ ++ }; ++ ++ u16 *p = rr_desc; ++ ++ while (*p != type && *p != 0) ++ while (*p++ != (u16)-1); ++ ++ return p+1; ++} ++ ++int expand_workspace(unsigned char ***wkspc, int *szp, int new) ++{ ++ unsigned char **p; ++ int old = *szp; ++ ++ if (old >= new+1) ++ return 1; ++ ++ if (new >= 100) ++ return 0; ++ ++ new += 5; ++ ++ if (!(p = whine_malloc(new * sizeof(unsigned char **)))) ++ return 0; ++ ++ if (old != 0 && *wkspc) ++ { ++ memcpy(p, *wkspc, old * sizeof(unsigned char **)); ++ free(*wkspc); ++ } ++ ++ *wkspc = p; ++ *szp = new; ++ ++ return 1; ++} +-- +1.7.10.4 + 
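Review bot: the dnsmasq.h hunk adds prototypes for rrfilter(), rrfilter_desc() and expand_workspace() but nothing in this patch removes the declaration of filter_rrsigs(), whose definition is deleted from dnssec.c and whose only caller in forward.c now calls `rrfilter(header, n, 1)`; if a `size_t filter_rrsigs(...)` prototype remains in dnsmasq.h it is now stale with no definition behind it, so drop it in the same hunk.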
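Review bot: in the new src/rrfilter.c, the `mode` parameter is an undocumented magic number at the call site (`rrfilter(header, n, 1)` in forward.c) and is only explained by the one-line comment `/* mode is 0 to remove EDNS0, 1 to filter DNSSEC RRs */`; named constants (for example a hypothetical RRFILTER_EDNS0 / RRFILTER_DNSSEC pair) would make the forward.c call self-describing. Several comments carried over from filter_rrsigs() are now inaccurate for the generalised function: the first-pass comment still says "records added for DNSSEC, unless explicity queried for" (also a typo) although mode 0 removes T_OPT from the additional section, "Now answers and NS" precedes a check_rrs() call that walks answer, authority and additional sections alike, and the file header reads "an DNS answer". Worth noting in the commit message that the mode 0 path has no caller in this patch, so the EDNS0 behaviour is untested until the follow-up lands. The new per-pointer skip in check_rrs() (`if (rrs[j] == pp) break;`) is a good change: it no longer depends on the RR type to decide which records are being elided.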
diff --git a/src/patches/dnsmasq/020-DNSSEC_validation_tweak.patch b/src/patches/dnsmasq/020-DNSSEC_validation_tweak.patch new file mode 100644 index 0000000..ffb412b --- /dev/null +++ b/src/patches/dnsmasq/020-DNSSEC_validation_tweak.patch 
@@ -0,0 +1,134 @@ +From 2dbba34b2c1289a108f876c78b84889f2a93115d Mon Sep 17 00:00:00 2001 +From: Simon Kelley simon@thekelleys.org.uk +Date: Wed, 16 Dec 2015 13:41:58 +0000 +Subject: [PATCH] DNSSEC validation tweak. + +A zone which has at least one key with an algorithm we don't +support should be considered as insecure. +--- + src/dnssec.c | 82 ++++++++++++++++++++++++++++++++++++++-------------------- + 1 file changed, 54 insertions(+), 28 deletions(-) + +diff --git a/src/dnssec.c b/src/dnssec.c +index fa3eb81..dc563e0 100644 +--- a/src/dnssec.c ++++ b/src/dnssec.c +@@ -763,10 +763,10 @@ static int explore_rrset(struct dns_header *header, size_t plen, int class, int + STAT_NEED_KEY need DNSKEY to complete validation (name is returned in keyname) + STAT_NEED_DS need DS to complete validation (name is returned in keyname) + +- if key is non-NULL, use that key, which has the algo and tag given in the params of those names, ++ If key is non-NULL, use that key, which has the algo and tag given in the params of those names, + otherwise find the key in the cache. + +- name is unchanged on exit. keyname is used as workspace and trashed. ++ Name is unchanged on exit. keyname is used as workspace and trashed. + + Call explore_rrset first to find and count RRs and sigs. + */ +@@ -919,6 +919,7 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in + return STAT_BOGUS; + } + ++ + /* The DNS packet is expected to contain the answer to a DNSKEY query. + Put all DNSKEYs in the answer which are valid into the cache. + return codes: +@@ -1831,15 +1832,15 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns + + /* Check signing status of name. + returns: +- STAT_SECURE zone is signed. +- STAT_INSECURE zone proved unsigned. +- STAT_NEED_DS require DS record of name returned in keyname. +- ++ STAT_SECURE zone is signed. ++ STAT_INSECURE zone proved unsigned. ++ STAT_NEED_DS require DS record of name returned in keyname. 
++ STAT_NEED_DNSKEY require DNSKEY record of name returned in keyname. + name returned unaltered. + */ + static int zone_status(char *name, int class, char *keyname, time_t now) + { +- int name_start = strlen(name); ++ int secure_ds, name_start = strlen(name); + struct crec *crecp; + char *p; + +@@ -1850,27 +1851,52 @@ static int zone_status(char *name, int class, char *keyname, time_t now) + if (!(crecp = cache_find_by_name(NULL, keyname, now, F_DS))) + return STAT_NEED_DS; + else +- do +- { +- if (crecp->uid == (unsigned int)class) +- { +- /* F_DNSSECOK misused in DS cache records to non-existance of NS record. +- F_NEG && !F_DNSSECOK implies that we've proved there's no DS record here, +- but that's because there's no NS record either, ie this isn't the start +- of a zone. We only prove that the DNS tree below a node is unsigned when +- we prove that we're at a zone cut AND there's no DS record. +- */ +- if (crecp->flags & F_NEG) +- { +- if (crecp->flags & F_DNSSECOK) +- return STAT_INSECURE; /* proved no DS here */ +- } +- else if (!ds_digest_name(crecp->addr.ds.digest) || !algo_digest_name(crecp->addr.ds.algo)) +- return STAT_INSECURE; /* algo we can't use - insecure */ +- } +- } +- while ((crecp = cache_find_by_name(crecp, keyname, now, F_DS))); +- ++ { ++ secure_ds = 0; ++ ++ do ++ { ++ if (crecp->uid == (unsigned int)class) ++ { ++ /* F_DNSSECOK misused in DS cache records to non-existance of NS record. ++ F_NEG && !F_DNSSECOK implies that we've proved there's no DS record here, ++ but that's because there's no NS record either, ie this isn't the start ++ of a zone. We only prove that the DNS tree below a node is unsigned when ++ we prove that we're at a zone cut AND there's no DS record. 
++ */ ++ if (crecp->flags & F_NEG) ++ { ++ if (crecp->flags & F_DNSSECOK) ++ return STAT_INSECURE; /* proved no DS here */ ++ } ++ else if (!ds_digest_name(crecp->addr.ds.digest) || !algo_digest_name(crecp->addr.ds.algo)) ++ return STAT_INSECURE; /* algo we can't use - insecure */ ++ else ++ secure_ds = 1; ++ } ++ } ++ while ((crecp = cache_find_by_name(crecp, keyname, now, F_DS))); ++ } ++ ++ if (secure_ds) ++ { ++ /* We've found only DS records that attest to the DNSKEY RRset in the zone, so we believe ++ that RRset is good. Furthermore the DNSKEY whose hash is proved by the DS record is ++ one we can use. However the DNSKEY RRset may contain more than one key and ++ one of the other keys may use an algorithm we don't support. If that's ++ the case the zone is insecure for us. */ ++ ++ if (!(crecp = cache_find_by_name(NULL, keyname, now, F_DNSKEY))) ++ return STAT_NEED_KEY; ++ ++ do ++ { ++ if (crecp->uid == (unsigned int)class && !algo_digest_name(crecp->addr.key.algo)) ++ return STAT_INSECURE; ++ } ++ while ((crecp = cache_find_by_name(crecp, keyname, now, F_DNSKEY))); ++ } ++ + if (name_start == 0) + break; + +-- +1.7.10.4 + diff --git a/src/patches/dnsmasq/021-Tweaks_to_EDNS0_handling_in_DNS_replies.patch b/src/patches/dnsmasq/021-Tweaks_to_EDNS0_handling_in_DNS_replies.patch new file mode 100644 index 0000000..c3c74cc --- /dev/null +++ b/src/patches/dnsmasq/021-Tweaks_to_EDNS0_handling_in_DNS_replies.patch 
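Review bot: in the zone_status() hunk of 020-DNSSEC_validation_tweak.patch, secure_ds is declared without an initialiser ("int secure_ds, name_start = strlen(name);") and is only assigned inside the else branch, so the later "if (secure_ds)" is correct only because the if branch returns STAT_NEED_DS first; initialise it at the declaration ("int secure_ds = 0, name_start = strlen(name);") so the invariant does not hinge on control flow and compilers stop flagging it. The new DNSKEY loop is sound only because cached DNSKEY records come from an RRset that was validated against the DS (the comment asserts this); stating that dependency beside the loop would help, since a cached but unvalidated key carrying an unknown algorithm number would otherwise silently downgrade the zone to STAT_INSECURE. The return-code comment also names STAT_NEED_DNSKEY while the code returns STAT_NEED_KEY.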
@@ -0,0 +1,133 @@ +From dd4ad9ac7ea6d51dcc34a1f2cd2da14efbb87714 Mon Sep 17 00:00:00 2001 +From: Simon Kelley simon@thekelleys.org.uk +Date: Thu, 17 Dec 2015 10:44:58 +0000 +Subject: [PATCH] Tweaks to EDNS0 handling in DNS replies. + +--- + src/dnssec.c | 20 +++++++++----------- + src/rfc1035.c | 57 +++++++++++++++++++++++++++++++++------------------------ + 2 files changed, 42 insertions(+), 35 deletions(-) + +diff --git a/src/dnssec.c b/src/dnssec.c +index dc563e0..012b2a6 100644 +--- a/src/dnssec.c ++++ b/src/dnssec.c +@@ -2129,18 +2129,16 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch + /* Empty DS without NSECS */ + if (qtype == T_DS) + return STAT_BOGUS; +- else ++ ++ rc = zone_status(name, qclass, keyname, now); ++ if (rc != STAT_SECURE) + { +- rc = zone_status(name, qclass, keyname, now); +- if (rc != STAT_SECURE) +- { +- if (class) +- *class = qclass; /* Class for NEED_DS or NEED_DNSKEY */ +- return rc; +- } +- +- return STAT_BOGUS; /* signed zone, no NSECs */ +- } ++ if (class) ++ *class = qclass; /* Class for NEED_DS or NEED_DNSKEY */ ++ return rc; ++ } ++ ++ return STAT_BOGUS; /* signed zone, no NSECs */ + } + + if (nsec_type == T_NSEC) +diff --git a/src/rfc1035.c b/src/rfc1035.c +index def8fa0..188d05f 100644 +--- a/src/rfc1035.c ++++ b/src/rfc1035.c +@@ -1539,7 +1539,13 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen, + int nxdomain = 0, auth = 1, trunc = 0, sec_data = 1; + struct mx_srv_record *rec; + size_t len; +- ++ ++ if (ntohs(header->ancount) != 0 || ++ ntohs(header->nscount) != 0 || ++ ntohs(header->qdcount) == 0 || ++ OPCODE(header) != QUERY ) ++ return 0; ++ + /* Don't return AD set if checking disabled. 
*/ + if (header->hb4 & HB4_CD) + sec_data = 0; +@@ -1548,33 +1554,32 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen, + *ad_reqd = header->hb4 & HB4_AD; + *do_bit = 0; + +- /* If there is an RFC2671 pseudoheader then it will be overwritten by ++ /* If there is an additional data section then it will be overwritten by + partial replies, so we have to do a dry run to see if we can answer +- the query. We check to see if the do bit is set, if so we always +- forward rather than answering from the cache, which doesn't include +- security information, unless we're in DNSSEC validation mode. */ ++ the query. */ + +- if (find_pseudoheader(header, qlen, NULL, &pheader, NULL)) +- { +- unsigned short flags; +- +- have_pseudoheader = 1; ++ if (ntohs(header->arcount) != 0) ++ { ++ dryrun = 1; + +- pheader += 4; /* udp size, ext_rcode */ +- GETSHORT(flags, pheader); +- +- if ((sec_reqd = flags & 0x8000)) +- { +- *do_bit = 1;/* do bit */ +- *ad_reqd = 1; ++ /* If there's an additional section, there might be an EDNS(0) pseudoheader */ ++ if (find_pseudoheader(header, qlen, NULL, &pheader, NULL)) ++ { ++ unsigned short flags; ++ ++ have_pseudoheader = 1; ++ ++ pheader += 4; /* udp size, ext_rcode */ ++ GETSHORT(flags, pheader); ++ ++ if ((sec_reqd = flags & 0x8000)) ++ { ++ *do_bit = 1;/* do bit */ ++ *ad_reqd = 1; ++ } + } +- +- dryrun = 1; + } + +- if (ntohs(header->qdcount) == 0 || OPCODE(header) != QUERY ) +- return 0; +- + for (rec = daemon->mxnames; rec; rec = rec->next) + rec->offset = 0; + +@@ -1730,8 +1735,12 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen, + } + else if ((crecp = cache_find_by_addr(NULL, &addr, now, is_arpa))) + { +- /* Don't use cache when DNSSEC data required. 
*/ +- if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) || !sec_reqd || !(crecp->flags & F_DNSSECOK)) ++ /* Don't use cache when DNSSEC data required, unless we know that ++ the zone is unsigned, which implies that we're doing ++ validation. */ ++ if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) || ++ !sec_reqd || ++ (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK))) + { + do + { +-- +1.7.10.4 + diff --git a/src/patches/dnsmasq/022-Tidy_up_DNSSEC_non-existence_code_Check_zone_status_is_NSEC_proof_bad.patch b/src/patches/dnsmasq/022-Tidy_up_DNSSEC_non-existence_code_Check_zone_status_is_NSEC_proof_bad.patch new file mode 100644 index 0000000..60503e9 --- /dev/null +++ b/src/patches/dnsmasq/022-Tidy_up_DNSSEC_non-existence_code_Check_zone_status_is_NSEC_proof_bad.patch 
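Review bot: in the first rfc1035.c hunk of 021-Tweaks_to_EDNS0_handling_in_DNS_replies.patch, the new early "return 0" for queries with a non-empty answer or authority section takes the same exit as the pre-existing qdcount/OPCODE check that was moved up beside it; if that exit hands the packet to the forwarding path, a query that carries answer or authority RRs is relayed upstream unchanged rather than refused. Add a comment saying why a non-zero ancount or nscount disqualifies a query from local answering, and consider whether a FORMERR or a drop is the intended treatment for something that does not look like a query.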
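Review bot: in the second rfc1035.c hunk of patch 021, dryrun = 1 is now set whenever arcount is non-zero rather than only when find_pseudoheader() succeeds, which is what the rewritten comment describes. What the hunk drops is the old explanation of why DO-bit queries are not answered from the cache unless validation is on; the only remaining statement of that rule is the comment in the cache_find_by_addr hunk further down, so a one-line pointer here to the F_DNSSECOK test would keep the rationale discoverable from the place where sec_reqd is set.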
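Review bot: in the cache_find_by_addr hunk of patch 021, the third operand changes meaning: "!(crecp->flags & F_DNSSECOK)" used to allow a cached answer to any DO-bit query whose record lacked the flag, and now does so only when OPT_DNSSEC_VALID is set, where the comment says the missing flag means the zone was proved unsigned. That reading depends on every validated insertion setting F_DNSSECOK; a comment at the cache-insert side stating that invariant would make this condition auditable. This hunk also touches only the reverse-lookup branch; if the forward-lookup branches of answer_request() carry the same three-way test, they need the same change or DO-bit queries for names and for addresses will be handled inconsistently.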
@@ -0,0 +1,409 @@ +From b40f26c0199235073abc37e1e1d6ed93bed372f5 Mon Sep 17 00:00:00 2001 +From: Simon Kelley simon@thekelleys.org.uk +Date: Thu, 17 Dec 2015 11:57:26 +0000 +Subject: [PATCH] Tidy up DNSSEC non-existence code. Check zone status is NSEC + proof bad. + +--- + src/dnssec.c | 207 +++++++++++++++++++++++++--------------------------------- + 1 file changed, 90 insertions(+), 117 deletions(-) + +diff --git a/src/dnssec.c b/src/dnssec.c +index 012b2a6..ddae497 100644 +--- a/src/dnssec.c ++++ b/src/dnssec.c +@@ -1367,59 +1367,6 @@ static int hostname_cmp(const char *a, const char *b) + } + } + +-/* Find all the NSEC or NSEC3 records in a reply. +- return an array of pointers to them. */ +-static int find_nsec_records(struct dns_header *header, size_t plen, unsigned char ***nsecsetp, int *nsecsetl, int class_reqd) +-{ +- static unsigned char **nsecset = NULL; +- static int nsecset_sz = 0; +- +- int type_found = 0; +- unsigned char *p = skip_questions(header, plen); +- int type, class, rdlen, i, nsecs_found; +- +- /* Move to NS section */ +- if (!p || !(p = skip_section(p, ntohs(header->ancount), header, plen))) +- return 0; +- +- for (nsecs_found = 0, i = ntohs(header->nscount); i != 0; i--) +- { +- unsigned char *pstart = p; +- +- if (!(p = skip_name(p, header, plen, 10))) +- return 0; +- +- GETSHORT(type, p); +- GETSHORT(class, p); +- p += 4; /* TTL */ +- GETSHORT(rdlen, p); +- +- if (class == class_reqd && (type == T_NSEC || type == T_NSEC3)) +- { +- /* No mixed NSECing 'round here, thankyouverymuch */ +- if (type_found == T_NSEC && type == T_NSEC3) +- return 0; +- if (type_found == T_NSEC3 && type == T_NSEC) +- return 0; +- +- type_found = type; +- +- if (!expand_workspace(&nsecset, &nsecset_sz, nsecs_found)) +- return 0; +- +- nsecset[nsecs_found++] = pstart; +- } +- +- if (!ADD_RDLEN(header, p, plen, rdlen)) +- return 0; +- } +- +- *nsecsetp = nsecset; +- *nsecsetl = nsecs_found; +- +- return type_found; +-} +- + static int 
prove_non_existence_nsec(struct dns_header *header, size_t plen, unsigned char **nsecs, int nsec_count, + char *workspace1, char *workspace2, char *name, int type, int *nons) + { +@@ -1436,12 +1383,12 @@ static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsi + { + p = nsecs[i]; + if (!extract_name(header, plen, &p, workspace1, 1, 10)) +- return STAT_BOGUS; ++ return 0; + p += 8; /* class, type, TTL */ + GETSHORT(rdlen, p); + psave = p; + if (!extract_name(header, plen, &p, workspace2, 1, 10)) +- return STAT_BOGUS; ++ return 0; + + rc = hostname_cmp(workspace1, name); + +@@ -1449,7 +1396,7 @@ static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsi + { + /* 4035 para 5.4. Last sentence */ + if (type == T_NSEC || type == T_RRSIG) +- return STAT_SECURE; ++ return 1; + + /* NSEC with the same name as the RR we're testing, check + that the type in question doesn't appear in the type map */ +@@ -1465,24 +1412,24 @@ static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsi + /* A CNAME answer would also be valid, so if there's a CNAME is should + have been returned. */ + if ((p[2] & (0x80 >> T_CNAME)) != 0) +- return STAT_BOGUS; ++ return 0; + + /* If the SOA bit is set for a DS record, then we have the + DS from the wrong side of the delegation. */ + if (type == T_DS && (p[2] & (0x80 >> T_SOA)) != 0) +- return STAT_BOGUS; ++ return 0; + } + + while (rdlen >= 2) + { + if (!CHECK_LEN(header, p, plen, rdlen)) +- return STAT_BOGUS; ++ return 0; + + if (p[0] == type >> 8) + { + /* Does the NSEC say our type exists? 
*/ + if (offset < p[1] && (p[offset+2] & mask) != 0) +- return STAT_BOGUS; ++ return 0; + + break; /* finshed checking */ + } +@@ -1491,24 +1438,24 @@ static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsi + p += p[1]; + } + +- return STAT_SECURE; ++ return 1; + } + else if (rc == -1) + { + /* Normal case, name falls between NSEC name and next domain name, + wrap around case, name falls between NSEC name (rc == -1) and end */ + if (hostname_cmp(workspace2, name) >= 0 || hostname_cmp(workspace1, workspace2) >= 0) +- return STAT_SECURE; ++ return 1; + } + else + { + /* wrap around case, name falls between start and next domain name */ + if (hostname_cmp(workspace1, workspace2) >= 0 && hostname_cmp(workspace2, name) >=0 ) +- return STAT_SECURE; ++ return 1; + } + } + +- return STAT_BOGUS; ++ return 0; + } + + /* return digest length, or zero on error */ +@@ -1701,7 +1648,7 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns + for (i = 0; i < nsec_count; i++) + { + if (!(p = skip_name(nsecs[i], header, plen, 15))) +- return STAT_BOGUS; /* bad packet */ ++ return 0; /* bad packet */ + + p += 10; /* type, class, TTL, rdlen */ + algo = *p++; +@@ -1712,14 +1659,14 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns + + /* No usable NSEC3s */ + if (i == nsec_count) +- return STAT_BOGUS; ++ return 0; + + p++; /* flags */ + GETSHORT (iterations, p); + salt_len = *p++; + salt = p; + if (!CHECK_LEN(header, salt, plen, salt_len)) +- return STAT_BOGUS; /* bad packet */ ++ return 0; /* bad packet */ + + /* Now prune so we only have NSEC3 records with same iterations, salt and algo */ + for (i = 0; i < nsec_count; i++) +@@ -1730,7 +1677,7 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns + nsecs[i] = NULL; /* Speculative, will be restored if OK. 
*/ + + if (!(p = skip_name(nsec3p, header, plen, 15))) +- return STAT_BOGUS; /* bad packet */ ++ return 0; /* bad packet */ + + p += 10; /* type, class, TTL, rdlen */ + +@@ -1747,7 +1694,7 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns + continue; + + if (!CHECK_LEN(header, p, plen, salt_len)) +- return STAT_BOGUS; /* bad packet */ ++ return 0; /* bad packet */ + + if (memcmp(p, salt, salt_len) != 0) + continue; +@@ -1758,13 +1705,13 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns + + /* Algo is checked as 1 above */ + if (!(hash = hash_find("sha1"))) +- return STAT_BOGUS; ++ return 0; + + if ((digest_len = hash_name(name, &digest, hash, salt, salt_len, iterations)) == 0) +- return STAT_BOGUS; ++ return 0; + + if (check_nsec3_coverage(header, plen, digest_len, digest, type, workspace1, workspace2, nsecs, nsec_count, nons)) +- return STAT_SECURE; ++ return 1; + + /* Can't find an NSEC3 which covers the name directly, we need the "closest encloser NSEC3" + or an answer inferred from a wildcard record. 
*/ +@@ -1780,14 +1727,14 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns + break; + + if ((digest_len = hash_name(closest_encloser, &digest, hash, salt, salt_len, iterations)) == 0) +- return STAT_BOGUS; ++ return 0; + + for (i = 0; i < nsec_count; i++) + if ((p = nsecs[i])) + { + if (!extract_name(header, plen, &p, workspace1, 1, 0) || + !(base32_len = base32_decode(workspace1, (unsigned char *)workspace2))) +- return STAT_BOGUS; ++ return 0; + + if (digest_len == base32_len && + memcmp(digest, workspace2, digest_len) == 0) +@@ -1802,32 +1749,81 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns + while ((closest_encloser = strchr(closest_encloser, '.'))); + + if (!closest_encloser) +- return STAT_BOGUS; ++ return 0; + + /* Look for NSEC3 that proves the non-existence of the next-closest encloser */ + if ((digest_len = hash_name(next_closest, &digest, hash, salt, salt_len, iterations)) == 0) +- return STAT_BOGUS; ++ return 0; + + if (!check_nsec3_coverage(header, plen, digest_len, digest, type, workspace1, workspace2, nsecs, nsec_count, NULL)) +- return STAT_BOGUS; ++ return 0; + + /* Finally, check that there's no seat of wildcard synthesis */ + if (!wildname) + { + if (!(wildcard = strchr(next_closest, '.')) || wildcard == next_closest) +- return STAT_BOGUS; ++ return 0; + + wildcard--; + *wildcard = '*'; + + if ((digest_len = hash_name(wildcard, &digest, hash, salt, salt_len, iterations)) == 0) +- return STAT_BOGUS; ++ return 0; + + if (!check_nsec3_coverage(header, plen, digest_len, digest, type, workspace1, workspace2, nsecs, nsec_count, NULL)) +- return STAT_BOGUS; ++ return 0; + } + +- return STAT_SECURE; ++ return 1; ++} ++ ++static int prove_non_existence(struct dns_header *header, size_t plen, char *keyname, char *name, int qtype, int qclass, char *wildname, int *nons) ++{ ++ static unsigned char **nsecset = NULL; ++ static int nsecset_sz = 0; ++ ++ int type_found = 0; ++ unsigned char 
*p = skip_questions(header, plen); ++ int type, class, rdlen, i, nsecs_found; ++ ++ /* Move to NS section */ ++ if (!p || !(p = skip_section(p, ntohs(header->ancount), header, plen))) ++ return 0; ++ ++ for (nsecs_found = 0, i = ntohs(header->nscount); i != 0; i--) ++ { ++ unsigned char *pstart = p; ++ ++ if (!(p = skip_name(p, header, plen, 10))) ++ return 0; ++ ++ GETSHORT(type, p); ++ GETSHORT(class, p); ++ p += 4; /* TTL */ ++ GETSHORT(rdlen, p); ++ ++ if (class == qclass && (type == T_NSEC || type == T_NSEC3)) ++ { ++ /* No mixed NSECing 'round here, thankyouverymuch */ ++ if (type_found != 0 && type_found != type) ++ return 0; ++ ++ type_found = type; ++ ++ if (!expand_workspace(&nsecset, &nsecset_sz, nsecs_found)) ++ return 0; ++ ++ nsecset[nsecs_found++] = pstart; ++ } ++ ++ if (!ADD_RDLEN(header, p, plen, rdlen)) ++ return 0; ++ } ++ ++ if (type_found == T_NSEC) ++ return prove_non_existence_nsec(header, plen, nsecset, nsecs_found, daemon->workspacename, keyname, name, qtype, nons); ++ else ++ return prove_non_existence_nsec3(header, plen, nsecset, nsecs_found, daemon->workspacename, keyname, name, qtype, wildname, nons); + } + + /* Check signing status of name. +@@ -1925,10 +1921,9 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch + static unsigned char **targets = NULL; + static int target_sz = 0; + +- unsigned char *ans_start, *p1, *p2, **nsecs; ++ unsigned char *ans_start, *p1, *p2; + int type1, class1, rdlen1, type2, class2, rdlen2, qclass, qtype, targetidx; +- int i, j, rc, nsec_count; +- int nsec_type; ++ int i, j, rc; + + if (neganswer) + *neganswer = 0; +@@ -2080,28 +2075,15 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch + targets[j] = NULL; + } + +- if (rc == STAT_SECURE_WILDCARD) +- { +- /* An attacker replay a wildcard answer with a different +- answer and overlay a genuine RR. To prove this +- hasn't happened, the answer must prove that +- the gennuine record doesn't exist. 
Check that here. */ +- if (!(nsec_type = find_nsec_records(header, plen, &nsecs, &nsec_count, class1))) +- return STAT_BOGUS; /* No NSECs or bad packet */ +- +- /* Note that we may not yet have validated the NSEC/NSEC3 RRsets. Since the check +- below returns either SECURE or BOGUS, that's not a problem. If the RRsets later fail +- we'll return BOGUS then. */ +- +- if (nsec_type == T_NSEC) +- rc = prove_non_existence_nsec(header, plen, nsecs, nsec_count, daemon->workspacename, keyname, name, type1, NULL); +- else +- rc = prove_non_existence_nsec3(header, plen, nsecs, nsec_count, daemon->workspacename, +- keyname, name, type1, wildname, NULL); +- +- if (rc == STAT_BOGUS) +- return rc; +- } ++ /* An attacker replay a wildcard answer with a different ++ answer and overlay a genuine RR. To prove this ++ hasn't happened, the answer must prove that ++ the gennuine record doesn't exist. Check that here. ++ Note that we may not yet have validated the NSEC/NSEC3 RRsets. ++ That's not a problem since if the RRsets later fail ++ we'll return BOGUS then. */ ++ if (rc == STAT_SECURE_WILDCARD && !prove_non_existence(header, plen, keyname, name, type1, class1, wildname, NULL)) ++ return STAT_BOGUS; + } + } + } +@@ -2124,14 +2106,13 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch + + /* For anything other than a DS record, this situation is OK if either + the answer is in an unsigned zone, or there's a NSEC records. 
*/ +- if (!(nsec_type = find_nsec_records(header, plen, &nsecs, &nsec_count, qclass))) ++ if (!prove_non_existence(header, plen, keyname, name, qtype, qclass, NULL, nons)) + { + /* Empty DS without NSECS */ + if (qtype == T_DS) + return STAT_BOGUS; + +- rc = zone_status(name, qclass, keyname, now); +- if (rc != STAT_SECURE) ++ if ((rc = zone_status(name, qclass, keyname, now)) != STAT_SECURE) + { + if (class) + *class = qclass; /* Class for NEED_DS or NEED_DNSKEY */ +@@ -2140,14 +2121,6 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch + + return STAT_BOGUS; /* signed zone, no NSECs */ + } +- +- if (nsec_type == T_NSEC) +- rc = prove_non_existence_nsec(header, plen, nsecs, nsec_count, daemon->workspacename, keyname, name, qtype, nons); +- else +- rc = prove_non_existence_nsec3(header, plen, nsecs, nsec_count, daemon->workspacename, keyname, name, qtype, NULL, nons); +- +- if (rc != STAT_SECURE) +- return rc; + } + + return STAT_SECURE; +-- +1.7.10.4 + diff --git a/src/patches/dnsmasq/023-Fix_brace_botch_in_dnssec_validate_ds.patch b/src/patches/dnsmasq/023-Fix_brace_botch_in_dnssec_validate_ds.patch new file mode 100644 index 0000000..eda6fbd --- /dev/null +++ b/src/patches/dnsmasq/023-Fix_brace_botch_in_dnssec_validate_ds.patch 
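Review bot: in the new prove_non_existence() of 022-Tidy_up_DNSSEC_non-existence_code_Check_zone_status_is_NSEC_proof_bad.patch, the case of no NSEC or NSEC3 records at all (type_found == 0) is not handled explicitly: the else branch calls prove_non_existence_nsec3() with nsecs_found == 0 and relies on its "if (i == nsec_count) return 0; /* No usable NSEC3s */" to report failure. Add "if (type_found == 0) return 0;" before the dispatch so that "no records" can never become a proof through a later change to the NSEC3 helper, and so a reader does not have to chase that invariant across two functions.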
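Review bot: in the @@ -2080 hunk of patch 022, the comment is moved and reflowed but keeps its typos ("An attacker replay a wildcard answer" should read "An attacker may replay a wildcard answer", and "gennuine" should be "genuine"); since the block is being rewritten anyway, fix them in this patch.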
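Review bot: in the @@ -2124 hunk of patch 022, the "/* Empty DS without NSECS */" comment and the "if (qtype == T_DS) return STAT_BOGUS;" under it now sit in a branch that is also reached when NSEC/NSEC3 records were present but malformed or did not cover the name, because prove_non_existence() collapses all of those outcomes into 0. That is what the commit subject intends (consult zone_status() when the NSEC proof is bad, and return BOGUS only if the zone turns out to be signed), but the comment should be widened to say so, otherwise the DS special case reads as if it only handled the no-NSEC case.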
@@ -0,0 +1,98 @@ +From 3b799c826db05fc2da1c6d15cbe372e394209d27 Mon Sep 17 00:00:00 2001 +From: Simon Kelley simon@thekelleys.org.uk +Date: Thu, 17 Dec 2015 16:58:04 +0000 +Subject: [PATCH] Fix brace botch in dnssec_validate_ds() +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Thanks to Michaà  KÃÂpieà  for spotting this. +--- + src/dnssec.c | 34 +++++++++++++++++----------------- + 1 file changed, 17 insertions(+), 17 deletions(-) + +diff --git a/src/dnssec.c b/src/dnssec.c +index ddae497..1f8c954 100644 +--- a/src/dnssec.c ++++ b/src/dnssec.c +@@ -923,11 +923,11 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in + /* The DNS packet is expected to contain the answer to a DNSKEY query. + Put all DNSKEYs in the answer which are valid into the cache. + return codes: +- STAT_OK Done, key(s) in cache. +- STAT_BOGUS No DNSKEYs found, which can be validated with DS, +- or self-sign for DNSKEY RRset is not valid, bad packet. +- STAT_NEED_DS DS records to validate a key not found, name in keyname +- STAT_NEED_DNSKEY DNSKEY records to validate a key not found, name in keyname ++ STAT_OK Done, key(s) in cache. ++ STAT_BOGUS No DNSKEYs found, which can be validated with DS, ++ or self-sign for DNSKEY RRset is not valid, bad packet. 
++ STAT_NEED_DS DS records to validate a key not found, name in keyname ++ STAT_NEED_KEY DNSKEY records to validate a key not found, name in keyname + */ + int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int class) + { +@@ -1224,13 +1224,13 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char + } + + p = psave; +- +- if (!ADD_RDLEN(header, p, plen, rdlen)) +- return STAT_BOGUS; /* bad packet */ + } +- +- cache_end_insert(); ++ if (!ADD_RDLEN(header, p, plen, rdlen)) ++ return STAT_BOGUS; /* bad packet */ + } ++ ++ cache_end_insert(); ++ + } + else + { +@@ -1828,10 +1828,10 @@ static int prove_non_existence(struct dns_header *header, size_t plen, char *key + + /* Check signing status of name. + returns: +- STAT_SECURE zone is signed. +- STAT_INSECURE zone proved unsigned. +- STAT_NEED_DS require DS record of name returned in keyname. +- STAT_NEED_DNSKEY require DNSKEY record of name returned in keyname. ++ STAT_SECURE zone is signed. ++ STAT_INSECURE zone proved unsigned. ++ STAT_NEED_DS require DS record of name returned in keyname. ++ STAT_NEED_KEY require DNSKEY record of name returned in keyname. + name returned unaltered. 
+ */ + static int zone_status(char *name, int class, char *keyname, time_t now) +@@ -2028,7 +2028,7 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch + if (rc == STAT_SECURE) + rc = STAT_BOGUS; + if (class) +- *class = class1; /* Class for NEED_DS or NEED_DNSKEY */ ++ *class = class1; /* Class for NEED_DS or NEED_KEY */ + } + else + rc = STAT_INSECURE; +@@ -2045,7 +2045,7 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch + { + /* Zone is insecure, don't need to validate RRset */ + if (class) +- *class = class1; /* Class for NEED_DS or NEED_DNSKEY */ ++ *class = class1; /* Class for NEED_DS or NEED_KEY */ + return rc; + } + +@@ -2115,7 +2115,7 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch + if ((rc = zone_status(name, qclass, keyname, now)) != STAT_SECURE) + { + if (class) +- *class = qclass; /* Class for NEED_DS or NEED_DNSKEY */ ++ *class = qclass; /* Class for NEED_DS or NEED_KEY */ + return rc; + } + +-- +1.7.10.4 + diff --git a/src/patches/dnsmasq/024-Do_a_better_job_of_determining_which_DNSSEC_sig_algos_are_supported.patch b/src/patches/dnsmasq/024-Do_a_better_job_of_determining_which_DNSSEC_sig_algos_are_supported.patch new file mode 100644 index 0000000..abcae5c --- /dev/null +++ b/src/patches/dnsmasq/024-Do_a_better_job_of_determining_which_DNSSEC_sig_algos_are_supported.patch 
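Review bot: in the dnssec_validate_ds() hunk of 023-Fix_brace_botch_in_dnssec_validate_ds.patch, the relocated "if (!ADD_RDLEN(header, p, plen, rdlen)) return STAT_BOGUS;" is the substantive fix: before, the rdata skip lived in the innermost block, so any record for which that block was not entered left p unadvanced and every following RR was parsed from the wrong offset, and cache_end_insert() ran on each loop iteration rather than once after the loop. Since this is a parser over upstream-supplied DS responses, a regression test feeding a DS RRset that mixes records taking and skipping the inner path belongs next to the fix.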
@@ -0,0 +1,145 @@ +From 14a4ae883d51130d33da7133287e8867c64bab65 Mon Sep 17 00:00:00 2001 +From: Simon Kelley simon@thekelleys.org.uk +Date: Thu, 17 Dec 2015 17:23:03 +0000 +Subject: [PATCH] Do a better job of determining which DNSSEC sig algos are + supported. + +--- + src/dnssec.c | 52 +++++++++++++++++++++++++++++++++++++--------------- + 1 file changed, 37 insertions(+), 15 deletions(-) + +diff --git a/src/dnssec.c b/src/dnssec.c +index 1f8c954..82394ee 100644 +--- a/src/dnssec.c ++++ b/src/dnssec.c +@@ -65,10 +65,9 @@ static char *algo_digest_name(int algo) + case 8: return "sha256"; + case 10: return "sha512"; + case 12: return "gosthash94"; +-#ifndef NO_NETTLE_ECC + case 13: return "sha256"; + case 14: return "sha384"; +-#endif ++ + default: return NULL; + } + } +@@ -129,13 +128,15 @@ static int hash_init(const struct nettle_hash *hash, void **ctxp, unsigned char + } + + static int dnsmasq_rsa_verify(struct blockdata *key_data, unsigned int key_len, unsigned char *sig, size_t sig_len, +- unsigned char *digest, int algo) ++ unsigned char *digest, size_t digest_len, int algo) + { + unsigned char *p; + size_t exp_len; + + static struct rsa_public_key *key = NULL; + static mpz_t sig_mpz; ++ ++ (void)digest_len; + + if (key == NULL) + { +@@ -181,7 +182,7 @@ static int dnsmasq_rsa_verify(struct blockdata *key_data, unsigned int key_len, + } + + static int dnsmasq_dsa_verify(struct blockdata *key_data, unsigned int key_len, unsigned char *sig, size_t sig_len, +- unsigned char *digest, int algo) ++ unsigned char *digest, size_t digest_len, int algo) + { + unsigned char *p; + unsigned int t; +@@ -189,6 +190,8 @@ static int dnsmasq_dsa_verify(struct blockdata *key_data, unsigned int key_len, + static struct dsa_public_key *key = NULL; + static struct dsa_signature *sig_struct; + ++ (void)digest_len; ++ + if (key == NULL) + { + if (!(sig_struct = whine_malloc(sizeof(struct dsa_signature))) || +@@ -292,26 +295,45 @@ static int dnsmasq_ecdsa_verify(struct blockdata 
*key_data, unsigned int key_len + } + #endif + +-static int verify(struct blockdata *key_data, unsigned int key_len, unsigned char *sig, size_t sig_len, +- unsigned char *digest, size_t digest_len, int algo) ++static int (*verify_func(int algo))(struct blockdata *key_data, unsigned int key_len, unsigned char *sig, size_t sig_len, ++ unsigned char *digest, size_t digest_len, int algo) + { +- (void)digest_len; +- ++ ++ /* Enure at runtime that we have support for this digest */ ++ if (!hash_find(algo_digest_name(algo))) ++ return NULL; ++ ++ /* This switch defines which sig algorithms we support, can't introspect Nettle for that. */ + switch (algo) + { + case 1: case 5: case 7: case 8: case 10: +- return dnsmasq_rsa_verify(key_data, key_len, sig, sig_len, digest, algo); ++ return dnsmasq_rsa_verify; + + case 3: case 6: +- return dnsmasq_dsa_verify(key_data, key_len, sig, sig_len, digest, algo); ++ return dnsmasq_dsa_verify; + + #ifndef NO_NETTLE_ECC + case 13: case 14: +- return dnsmasq_ecdsa_verify(key_data, key_len, sig, sig_len, digest, digest_len, algo); ++ return dnsmasq_ecdsa_verify; + #endif + } + +- return 0; ++ return NULL; ++} ++ ++static int verify(struct blockdata *key_data, unsigned int key_len, unsigned char *sig, size_t sig_len, ++ unsigned char *digest, size_t digest_len, int algo) ++{ ++ ++ int (*func)(struct blockdata *key_data, unsigned int key_len, unsigned char *sig, size_t sig_len, ++ unsigned char *digest, size_t digest_len, int algo); ++ ++ func = verify_func(algo); ++ ++ if (!func) ++ return 0; ++ ++ return (*func)(key_data, key_len, sig, sig_len, digest, digest_len, algo); + } + + /* Convert from presentation format to wire format, in place. 
+@@ -732,7 +754,7 @@ static int explore_rrset(struct dns_header *header, size_t plen, int class, int + if (check_date_range(sig_inception, sig_expiration) && + labels <= name_labels && + type_covered == type && +- algo_digest_name(algo)) ++ verify_func(algo)) + { + if (!expand_workspace(&sigs, &sig_sz, sigidx)) + return 0; +@@ -1865,7 +1887,7 @@ static int zone_status(char *name, int class, char *keyname, time_t now) + if (crecp->flags & F_DNSSECOK) + return STAT_INSECURE; /* proved no DS here */ + } +- else if (!ds_digest_name(crecp->addr.ds.digest) || !algo_digest_name(crecp->addr.ds.algo)) ++ else if (!hash_find(ds_digest_name(crecp->addr.ds.digest)) || !verify_func(crecp->addr.ds.algo)) + return STAT_INSECURE; /* algo we can't use - insecure */ + else + secure_ds = 1; +@@ -1887,7 +1909,7 @@ static int zone_status(char *name, int class, char *keyname, time_t now) + + do + { +- if (crecp->uid == (unsigned int)class && !algo_digest_name(crecp->addr.key.algo)) ++ if (crecp->uid == (unsigned int)class && !verify_func(crecp->addr.key.algo)) + return STAT_INSECURE; + } + while ((crecp = cache_find_by_name(crecp, keyname, now, F_DNSKEY))); +-- +1.7.10.4 + diff --git a/src/patches/ntp-fix-sycing-with-local-clock.patch b/src/patches/ntp-fix-sycing-with-local-clock.patch new file mode 100644 index 0000000..bdca2e7 --- /dev/null +++ b/src/patches/ntp-fix-sycing-with-local-clock.patch 
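Review bot: in the verify_func() hunk of 024-Do_a_better_job_of_determining_which_DNSSEC_sig_algos_are_supported.patch, hash_find(algo_digest_name(algo)) is evaluated before the switch, and algo_digest_name() returns NULL for any algorithm number not in its table, so hash_find() must tolerate a NULL name or an RRSIG or DNSKEY carrying an unassigned algorithm number reaches a string compare on NULL; the same applies to hash_find(ds_digest_name(crecp->addr.ds.digest)) in the zone_status() hunk. Either guard here ("char *name = algo_digest_name(algo); if (!name || !hash_find(name)) return NULL;") or confirm the NULL check inside hash_find() and say so in the comment. "Enure" in that comment should be "Ensure".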
@@ -0,0 +1,23 @@ +# http://bugs.ntp.org/show_bug.cgi?id=2965 + +From 6f68f1f0fd764f0006506e3957a5b8116726d443 Mon Sep 17 00:00:00 2001 +From: <burnicki/martin@pc-martin4.> +Date: Mon, 16 Nov 2015 11:59:55 +0100 +Subject: [PATCH] [Bug 2965] Local clock didn't work since 4.2.8p4 + +--- + ntpd/refclock_local.c | 1 + + 1 files changed, 1 insertions(+) + +diff --git a/ntpd/refclock_local.c b/ntpd/refclock_local.c +index d816c55..8c0f74f 100644 +--- a/ntpd/refclock_local.c ++++ b/ntpd/refclock_local.c +@@ -205,6 +205,7 @@ local_poll( + pp->disp = 0; + pp->jitter = 0; + #else /* KERNEL_PLL LOCKCLOCK */ ++ pp->leap = LEAP_NOWARNING; + pp->disp = DISPERSION; + pp->jitter = 0; + #endif /* KERNEL_PLL LOCKCLOCK */ diff --git a/src/patches/strongswan-child-rekey-Suppress-updown-event-when-deleting-redundant-CHILD_SAs.patch b/src/patches/strongswan-child-rekey-Suppress-updown-event-when-deleting-redundant-CHILD_SAs.patch new file mode 100644 index 0000000..27b6f06 --- /dev/null +++ b/src/patches/strongswan-child-rekey-Suppress-updown-event-when-deleting-redundant-CHILD_SAs.patch 
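Review bot: in the local_poll() hunk of ntp-fix-sycing-with-local-clock.patch, "pp->leap = LEAP_NOWARNING;" is added only to the #else branch of the KERNEL_PLL/LOCKCLOCK conditional; the visible #ifdef branch sets disp and jitter but not leap, so check that builds taking that branch set pp->leap elsewhere or they keep the symptom from bug 2965. The embedded header's "From: <burnicki/martin/pc-martin4.>" is not a usable author line, so the bugs.ntp.org URL at the top is the only provenance and should stay; the file name also misspells "syncing".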
@@ -0,0 +1,56 @@ +From 0e32cbc0bc8fce3319491db360fb23b16561ec58 Mon Sep 17 00:00:00 2001 +From: Tobias Brunner tobias@strongswan.org +Date: Tue, 15 Dec 2015 17:15:32 +0100 +Subject: [PATCH] child-rekey: Suppress updown event when deleting redundant + CHILD_SAs + +When handling a rekey collision we might have to delete an already +installed redundant CHILD_SA (or expect the other peer to do so). We don't +want to trigger updown events for these as we don't during rekeying. + +Instead of setting the state to CHILD_REKEYING we could maybe use +CHILD_REKEYED, which we currently only use for IKEv1, and set it for +all CHILD_SAs we delete or expect the other peer to delete. Would need +a small change in child-delete too. Or we could introduce a new state. + + #853. +--- + src/libcharon/sa/ikev2/tasks/child_rekey.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/src/libcharon/sa/ikev2/tasks/child_rekey.c b/src/libcharon/sa/ikev2/tasks/child_rekey.c +index c7a8a13..6f0c2b2 100644 +--- a/src/libcharon/sa/ikev2/tasks/child_rekey.c ++++ b/src/libcharon/sa/ikev2/tasks/child_rekey.c +@@ -279,11 +279,15 @@ static child_sa_t *handle_collision(private_child_rekey_t *this) + /* don't touch child other created, it has already been deleted */ + if (!this->other_child_destroyed) + { +- /* disable close action for the redundand child */ ++ /* disable close action and updown event for redundant child */ + child_sa = other->child_create->get_child(other->child_create); + if (child_sa) + { + child_sa->set_close_action(child_sa, ACTION_NONE); ++ if (child_sa->get_state(child_sa) != CHILD_REKEYING) ++ { ++ child_sa->set_state(child_sa, CHILD_REKEYING); ++ } + } + } + } +@@ -372,6 +376,11 @@ METHOD(task_t, process_i, status_t, + { + return SUCCESS; + } ++ /* disable updown event for redundant CHILD_SA */ ++ if (to_delete->get_state(to_delete) != CHILD_REKEYING) ++ { ++ to_delete->set_state(to_delete, CHILD_REKEYING); ++ } + spi = 
to_delete->get_spi(to_delete, TRUE); + protocol = to_delete->get_protocol(to_delete); + +-- +1.7.9.5 + diff --git a/src/setup/po/LINGUAS b/src/setup/po/LINGUAS index 8678850..6cba810 100644 --- a/src/setup/po/LINGUAS +++ b/src/setup/po/LINGUAS @@ -16,8 +16,10 @@ jv km_KH nl pl +pt pt_BR pt_PT +ro ro_RO ru rw diff --git a/src/setup/po/de.po b/src/setup/po/de.po index 12333a6..021aecb 100644 --- a/src/setup/po/de.po +++ b/src/setup/po/de.po @@ -5,14 +5,15 @@ # Translators: # Michael Tremer michael.tremer@ipfire.org, 2014 # Stefan Schantl stefan.schantl@ipfire.org, 2014 +# Sun Tiger, 2015 msgid "" msgstr "" "Project-Id-Version: IPFire Project\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2014-08-21 15:12+0000\n" -"PO-Revision-Date: 2014-08-24 19:39+0000\n" -"Last-Translator: Stefan Schantl stefan.schantl@ipfire.org\n" -"Language-Team: German (http://www.transifex.com/projects/p/ipfire/language/de/)%5Cn" +"PO-Revision-Date: 2015-05-07 16:52+0000\n" +"Last-Translator: Sun Tiger\n" +"Language-Team: German (http://www.transifex.com/mstremer/ipfire/language/de/)%5Cn" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" @@ -53,7 +54,7 @@ msgstr "DomÀnenname:" #: networking.c:442 networking.c:552 networking.c:603 networking.c:610 #: networking.c:713 timezone.c:63 msgid "Unable to open settings file" -msgstr "Settings-Datei konnte nicht geöffnet werden" +msgstr "Einstellungs-Datei konnte nicht geöffnet werden"
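Review bot: in the handle_collision hunk the new transition is guarded by `get_state(child_sa) != CHILD_REKEYING`, which only matters if set_state has side effects on a same-state call (the state-change path is what fires the updown hook); add a one-line comment saying that is why the guard exists so a later cleanup does not drop it. The identical guarded block appears again in the process_i hunk, so a small static helper would keep the two in step, and since the commit message itself leaves open whether CHILD_REKEYED or a new state is the right tool, the IPFire patch file should record the upstream commit id (0e32cbc0) so the patch can be dropped when the next strongSwan release carries the final form.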
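Review bot: in the process_i hunk the state of to_delete is forced to CHILD_REKEYING just before its SPI and protocol are read for the delete; confirm to_delete cannot already be beyond that state here (for instance CHILD_DELETING), because the guard only skips the exact REKEYING value and would otherwise move the SA backwards in its state machine. A comment noting that CHILD_REKEYING is what the delete handler keys on to suppress the updown "down" event would also help, since that linkage is not visible from the state name.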
#: dhcp.c:111 msgid "DHCP server configuration" @@ -320,7 +321,7 @@ msgstr "Identifizieren"
#: netstuff.c:678 msgid "Device Identification" -msgstr "Device-Identifizierung" +msgstr "GerÀteidentifizierung"
#: netstuff.c:678 msgid "The lights on the selected port should flash now for 10 seconds..." diff --git a/src/setup/po/pt.po b/src/setup/po/pt.po new file mode 100644 index 0000000..bb9d285 --- /dev/null +++ b/src/setup/po/pt.po 
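Review bot: the German strings in the de.po hunks above render here as mojibake (DomÀnenname, GerÀteidentifizierung) even though the header declares charset=UTF-8; this is probably the mail transport, but before the catalog ships run `msgfmt -c src/setup/po/de.po` and check the file is clean UTF-8 (`iconv -f UTF-8 -t UTF-8 src/setup/po/de.po >/dev/null`) so the umlauts are not double-encoded in the installed .mo file.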
@@ -0,0 +1,584 @@ +# SOME DESCRIPTIVE TITLE. +# Copyright (C) YEAR The IPFire Project (www.ipfire.org) +# This file is distributed under the same license as the PACKAGE package. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: IPFire Project\n" +"Report-Msgid-Bugs-To: \n" +"POT-Creation-Date: 2014-08-21 15:12+0000\n" +"PO-Revision-Date: 2014-08-12 10:08+0000\n" +"Last-Translator: FULL NAME EMAIL@ADDRESS\n" +"Language-Team: Portuguese (http://www.transifex.com/mstremer/ipfire/language/pt/)%5Cn" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#: dhcp.c:50 +msgid "Start address:" +msgstr "" + +#: dhcp.c:51 +msgid "End address:" +msgstr "" + +#: dhcp.c:52 networking.c:717 +msgid "Primary DNS:" +msgstr "" + +#: dhcp.c:53 networking.c:723 +msgid "Secondary DNS:" +msgstr "" + +#: dhcp.c:54 +msgid "Default lease (mins):" +msgstr "" + +#: dhcp.c:55 +msgid "Max lease (mins):" +msgstr "" + +#: dhcp.c:56 +msgid "Domain name suffix:" +msgstr "" + +#: dhcp.c:86 dhcp.c:93 dhcp.c:101 domainname.c:34 hostname.c:37 keymap.c:70 +#: misc.c:40 misc.c:52 netstuff.c:377 netstuff.c:566 netstuff.c:704 +#: networking.c:134 networking.c:255 networking.c:291 networking.c:346 +#: networking.c:442 networking.c:552 networking.c:603 networking.c:610 +#: networking.c:713 timezone.c:63 +msgid "Unable to open settings file" +msgstr "" + +#: dhcp.c:111 +msgid "DHCP server configuration" +msgstr "" + +#: dhcp.c:116 +msgid "Configure the DHCP server by entering the settings information." 
+msgstr "" + +#: dhcp.c:125 +msgid "Enabled" +msgstr "" + +#: dhcp.c:142 domainname.c:43 hostname.c:47 keymap.c:86 main.c:99 main.c:172 +#: main.c:174 netstuff.c:157 netstuff.c:733 netstuff.c:756 networking.c:163 +#: networking.c:269 networking.c:305 networking.c:409 networking.c:560 +#: networking.c:642 networking.c:653 networking.c:746 passwords.c:89 +#: timezone.c:78 +msgid "OK" +msgstr "" + +#: dhcp.c:143 domainname.c:43 hostname.c:47 keymap.c:86 netstuff.c:158 +#: netstuff.c:673 netstuff.c:733 netstuff.c:756 networking.c:305 +#: networking.c:410 networking.c:560 networking.c:653 networking.c:746 +#: passwords.c:89 timezone.c:78 +msgid "Cancel" +msgstr "" + +#: dhcp.c:156 +msgid "" +"The following fields are invalid:\n" +"\n" +msgstr "" + +#: dhcp.c:159 +msgid "Start address" +msgstr "" + +#: dhcp.c:165 +msgid "End address" +msgstr "" + +#: dhcp.c:173 networking.c:755 +msgid "Primary DNS" +msgstr "" + +#: dhcp.c:182 networking.c:764 +msgid "Secondary DNS" +msgstr "" + +#: dhcp.c:189 +msgid "Default lease time" +msgstr "" + +#: dhcp.c:195 +msgid "Max. lease time" +msgstr "" + +#: domainname.c:42 main.c:70 +msgid "Domain name" +msgstr "" + +#: domainname.c:42 +msgid "Enter Domain name" +msgstr "" + +#: domainname.c:48 +msgid "Domain name cannot be empty." +msgstr "" + +#: domainname.c:50 +msgid "Domain name cannot contain spaces." +msgstr "" + +#: domainname.c:53 +msgid "Domain name may only contain letters, numbers, hyphens and periods." +msgstr "" + +#: hostname.c:46 main.c:69 +msgid "Hostname" +msgstr "" + +#: hostname.c:46 +msgid "Enter the machine's hostname." +msgstr "" + +#: hostname.c:53 +msgid "Hostname cannot be empty." +msgstr "" + +#: hostname.c:55 +msgid "Hostname cannot contain spaces." +msgstr "" + +#: hostname.c:58 +msgid "Hostname may only contain letters, numbers and hyphens." +msgstr "" + +#: keymap.c:84 main.c:67 +msgid "Keyboard mapping" +msgstr "" + +#: keymap.c:85 +msgid "Choose the type of keyboard you are using from the list below." 
+msgstr "" + +#: main.c:68 timezone.c:77 +msgid "Timezone" +msgstr "" + +#: main.c:71 networking.c:110 networking.c:115 networking.c:447 +msgid "Networking" +msgstr "" + +#: main.c:72 misc.c:147 +msgid "ISDN" +msgstr "" + +#: main.c:73 +msgid "'root' password" +msgstr "" + +#: main.c:74 +msgid "'admin' password" +msgstr "" + +#: main.c:90 +msgid " <Tab>/<Alt-Tab> between elements | <Space> selects" +msgstr "" + +#: main.c:97 +msgid "Section menu" +msgstr "" + +#: main.c:98 +msgid "Select the item you wish to configure." +msgstr "" + +#: main.c:99 +msgid "Quit" +msgstr "" + +#: main.c:172 +msgid "Setup is complete." +msgstr "" + +#: main.c:174 netstuff.c:733 networking.c:560 networking.c:653 +msgid "Warning" +msgstr "" + +#: main.c:175 +msgid "" +"Initial setup was not entirely complete. You must ensure that Setup is " +"properly finished by running setup again at the shell." +msgstr "" + +#: misc.c:62 +#, c-format +msgid "Unable to write %s/main/hostname.conf" +msgstr "" + +#: misc.c:71 +msgid "Unable to open main hosts file." +msgstr "" + +#: misc.c:76 +msgid "Unable to write /etc/hosts." +msgstr "" + +#: misc.c:117 +msgid "Unable to write /etc/hosts.deny." +msgstr "" + +#: misc.c:125 +msgid "Unable to write /etc/hosts.allow." +msgstr "" + +#: misc.c:136 +msgid "Unable to set hostname." +msgstr "" + +#: misc.c:147 +msgid "Scanning and configuring ISDN devices." +msgstr "" + +#: misc.c:148 +msgid "Unable to scan for ISDN devices." +msgstr "" + +#: netstuff.c:86 +#, c-format +msgid "Interface - %s" +msgstr "" + +#: netstuff.c:91 +#, c-format +msgid "Enter the IP address information for the %s interface." 
+msgstr "" + +#: netstuff.c:103 +msgid "Static" +msgstr "" + +#: netstuff.c:104 +msgid "DHCP" +msgstr "" + +#: netstuff.c:105 +msgid "PPP DIALUP (PPPoE, modem, ATM ...)" +msgstr "" + +#: netstuff.c:113 +msgid "DHCP Hostname:" +msgstr "" + +#: netstuff.c:115 +msgid "Force DHCP MTU:" +msgstr "" + +#: netstuff.c:134 +msgid "IP address:" +msgstr "" + +#: netstuff.c:146 +msgid "Network mask:" +msgstr "" + +#: netstuff.c:173 networking.c:749 +msgid "The following fields are invalid:" +msgstr "" + +#: netstuff.c:183 +msgid "IP address" +msgstr "" + +#: netstuff.c:189 +msgid "Network mask" +msgstr "" + +#: netstuff.c:198 +msgid "DHCP hostname" +msgstr "" + +#: netstuff.c:396 netstuff.c:709 +msgid "Unset" +msgstr "" + +#: netstuff.c:669 +#, c-format +msgid "Please choose a networkcard for the following interface - %s." +msgstr "" + +#: netstuff.c:672 +msgid "Extended Network Menu" +msgstr "" + +#: netstuff.c:673 networking.c:520 +msgid "Select" +msgstr "" + +#: netstuff.c:673 +msgid "Identify" +msgstr "" + +#: netstuff.c:678 +msgid "Device Identification" +msgstr "" + +#: netstuff.c:678 +msgid "The lights on the selected port should flash now for 10 seconds..." +msgstr "" + +#: netstuff.c:679 +msgid "Identification is not supported by this interface." +msgstr "" + +#: netstuff.c:691 +msgid "There are no unassigned interfaces on your system." +msgstr "" + +#: netstuff.c:732 +#, c-format +msgid "Do you really want to remove the assigned %s interface?" +msgstr "" + +#: netstuff.c:755 +msgid "Select network driver" +msgstr "" + +#: netstuff.c:755 +msgid "Set additional module parameters" +msgstr "" + +#: netstuff.c:762 +msgid "Loading module..." +msgstr "" + +#: netstuff.c:777 +msgid "Unable to load driver module." +msgstr "" + +#: netstuff.c:780 +msgid "Module name cannot be blank." +msgstr "" + +#: networking.c:110 +msgid "Stopping network..." +msgstr "" + +#: networking.c:115 +msgid "Restarting network..." 
+msgstr "" + +#: networking.c:146 +msgid "No GREEN interface assigned." +msgstr "" + +#: networking.c:152 +msgid "Missing an IP address on GREEN." +msgstr "" + +#: networking.c:163 +msgid "Error" +msgstr "" + +#: networking.c:163 +msgid "Ignore" +msgstr "" + +#: networking.c:164 +msgid "No RED interface assigned." +msgstr "" + +#: networking.c:173 +msgid "Missing an IP address on RED." +msgstr "" + +#: networking.c:183 +msgid "No ORANGE interface assigned." +msgstr "" + +#: networking.c:189 +msgid "Missing an IP address on ORANGE." +msgstr "" + +#: networking.c:199 +msgid "No BLUE interface assigned." +msgstr "" + +#: networking.c:205 +msgid "Missing an IP address on BLUE." +msgstr "" + +#: networking.c:217 +msgid "Misssing DNS." +msgstr "" + +#: networking.c:224 +msgid "Missing Default Gateway." +msgstr "" + +#: networking.c:237 networking.c:304 +msgid "Network configuration type" +msgstr "" + +#: networking.c:238 networking.c:409 +msgid "Drivers and card assignments" +msgstr "" + +#: networking.c:239 networking.c:640 +msgid "Address settings" +msgstr "" + +#: networking.c:240 networking.c:743 +msgid "DNS and Gateway settings" +msgstr "" + +#: networking.c:260 +msgid "When configuration is complete, a network restart will be required." +msgstr "" + +#: networking.c:267 +#, c-format +msgid "" +"Current config: %s\n" +"\n" +"%s" +msgstr "" + +#: networking.c:268 +msgid "Network configuration menu" +msgstr "" + +#: networking.c:269 networking.c:520 networking.c:642 +msgid "Done" +msgstr "" + +#: networking.c:300 +#, c-format +msgid "" +"Select the network configuration for %s. The following configuration types " +"list those interfaces which have ethernet attached. If you change this " +"setting, a network restart will be required, and you will have to " +"reconfigure the network driver assignments." 
+msgstr "" + +#: networking.c:307 +#, c-format +msgid "" +"Not enough netcards for your choice.\n" +"\n" +"Needed: %d - Available: %d\n" +msgstr "" + +#: networking.c:359 +msgid "" +"Configure network drivers, and which interface each card is assigned to. The current configuration is as follows:\n" +"\n" +msgstr "" + +#: networking.c:408 +msgid "Do you wish to change these settings?" +msgstr "" + +#: networking.c:447 +msgid "Restarting non-local network..." +msgstr "" + +#: networking.c:464 +msgid "" +"Please choose the interface you wish to change.\n" +"\n" +msgstr "" + +#: networking.c:519 +msgid "Assigned Cards" +msgstr "" + +#: networking.c:520 +msgid "Remove" +msgstr "" + +#: networking.c:556 networking.c:649 +#, c-format +msgid "" +"If you change this IP address, and you are logged in remotely, your " +"connection to the %s machine will be broken, and you will have to reconnect " +"on the new IP. This is a risky operation, and should only be attempted if " +"you have physical access to the machine, should something go wrong." +msgstr "" + +#: networking.c:641 +msgid "Select the interface you wish to reconfigure." +msgstr "" + +#: networking.c:729 +msgid "Default gateway:" +msgstr "" + +#: networking.c:744 +msgid "" +"Enter the DNS and gateway information. These settings are used only with " +"Static IP (and DHCP if DNS set) on the RED interface." +msgstr "" + +#: networking.c:773 +msgid "Default gateway" +msgstr "" + +#: networking.c:780 +msgid "Secondary DNS specified without a Primary DNS" +msgstr "" + +#: passwords.c:33 +msgid "" +"Enter the 'root' user password. Login as this user for commandline access." +msgstr "" + +#: passwords.c:38 passwords.c:61 +msgid "Setting password" +msgstr "" + +#: passwords.c:38 +msgid "Setting 'root' password...." +msgstr "" + +#: passwords.c:39 +msgid "Problem setting 'root' password." +msgstr "" + +#: passwords.c:53 +#, c-format +msgid "" +"Enter %s 'admin' user password. 
This is the user to use for logging into the" +" %s web administration pages." +msgstr "" + +#: passwords.c:60 +#, c-format +msgid "Setting %s 'admin' user password..." +msgstr "" + +#: passwords.c:62 +#, c-format +msgid "Problem setting %s 'admin' user password." +msgstr "" + +#: passwords.c:76 +msgid "Password:" +msgstr "" + +#: passwords.c:77 +msgid "Again:" +msgstr "" + +#: passwords.c:95 +msgid "Password cannot be blank." +msgstr "" + +#: passwords.c:102 +msgid "Passwords do not match." +msgstr "" + +#: passwords.c:109 +msgid "Password cannot contain spaces." +msgstr "" + +#: timezone.c:77 +msgid "Choose the timezone you are in from the list below." +msgstr "" diff --git a/src/setup/po/ro.po b/src/setup/po/ro.po new file mode 100644 index 0000000..1c11ba2 --- /dev/null +++ b/src/setup/po/ro.po 
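Review bot: every msgstr in the new pt.po is empty and the header still carries the template placeholders (SOME DESCRIPTIVE TITLE, FULL NAME EMAIL@ADDRESS), so together with the `+pt` entry in LINGUAS this builds an empty catalog that cannot change a single displayed string; pt_BR and pt_PT already cover Portuguese users, so either keep `pt` out of LINGUAS until Transifex delivers translations or leave the file out of the tree. The same applies to the ro.po added further down next to the existing ro_RO.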
@@ -0,0 +1,584 @@ +# SOME DESCRIPTIVE TITLE. +# Copyright (C) YEAR The IPFire Project (www.ipfire.org) +# This file is distributed under the same license as the PACKAGE package. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: IPFire Project\n" +"Report-Msgid-Bugs-To: \n" +"POT-Creation-Date: 2014-08-21 15:12+0000\n" +"PO-Revision-Date: 2014-08-12 10:08+0000\n" +"Last-Translator: FULL NAME EMAIL@ADDRESS\n" +"Language-Team: Romanian (http://www.transifex.com/mstremer/ipfire/language/ro/)%5Cn" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ro\n" +"Plural-Forms: nplurals=3; plural=(n==1?0:(((n%100>19)||((n%100==0)&&(n!=0)))?2:1));\n" + +#: dhcp.c:50 +msgid "Start address:" +msgstr "" + +#: dhcp.c:51 +msgid "End address:" +msgstr "" + +#: dhcp.c:52 networking.c:717 +msgid "Primary DNS:" +msgstr "" + +#: dhcp.c:53 networking.c:723 +msgid "Secondary DNS:" +msgstr "" + +#: dhcp.c:54 +msgid "Default lease (mins):" +msgstr "" + +#: dhcp.c:55 +msgid "Max lease (mins):" +msgstr "" + +#: dhcp.c:56 +msgid "Domain name suffix:" +msgstr "" + +#: dhcp.c:86 dhcp.c:93 dhcp.c:101 domainname.c:34 hostname.c:37 keymap.c:70 +#: misc.c:40 misc.c:52 netstuff.c:377 netstuff.c:566 netstuff.c:704 +#: networking.c:134 networking.c:255 networking.c:291 networking.c:346 +#: networking.c:442 networking.c:552 networking.c:603 networking.c:610 +#: networking.c:713 timezone.c:63 +msgid "Unable to open settings file" +msgstr "" + +#: dhcp.c:111 +msgid "DHCP server configuration" +msgstr "" + +#: dhcp.c:116 +msgid "Configure the DHCP server by entering the settings information." 
+msgstr "" + +#: dhcp.c:125 +msgid "Enabled" +msgstr "" + +#: dhcp.c:142 domainname.c:43 hostname.c:47 keymap.c:86 main.c:99 main.c:172 +#: main.c:174 netstuff.c:157 netstuff.c:733 netstuff.c:756 networking.c:163 +#: networking.c:269 networking.c:305 networking.c:409 networking.c:560 +#: networking.c:642 networking.c:653 networking.c:746 passwords.c:89 +#: timezone.c:78 +msgid "OK" +msgstr "" + +#: dhcp.c:143 domainname.c:43 hostname.c:47 keymap.c:86 netstuff.c:158 +#: netstuff.c:673 netstuff.c:733 netstuff.c:756 networking.c:305 +#: networking.c:410 networking.c:560 networking.c:653 networking.c:746 +#: passwords.c:89 timezone.c:78 +msgid "Cancel" +msgstr "" + +#: dhcp.c:156 +msgid "" +"The following fields are invalid:\n" +"\n" +msgstr "" + +#: dhcp.c:159 +msgid "Start address" +msgstr "" + +#: dhcp.c:165 +msgid "End address" +msgstr "" + +#: dhcp.c:173 networking.c:755 +msgid "Primary DNS" +msgstr "" + +#: dhcp.c:182 networking.c:764 +msgid "Secondary DNS" +msgstr "" + +#: dhcp.c:189 +msgid "Default lease time" +msgstr "" + +#: dhcp.c:195 +msgid "Max. lease time" +msgstr "" + +#: domainname.c:42 main.c:70 +msgid "Domain name" +msgstr "" + +#: domainname.c:42 +msgid "Enter Domain name" +msgstr "" + +#: domainname.c:48 +msgid "Domain name cannot be empty." +msgstr "" + +#: domainname.c:50 +msgid "Domain name cannot contain spaces." +msgstr "" + +#: domainname.c:53 +msgid "Domain name may only contain letters, numbers, hyphens and periods." +msgstr "" + +#: hostname.c:46 main.c:69 +msgid "Hostname" +msgstr "" + +#: hostname.c:46 +msgid "Enter the machine's hostname." +msgstr "" + +#: hostname.c:53 +msgid "Hostname cannot be empty." +msgstr "" + +#: hostname.c:55 +msgid "Hostname cannot contain spaces." +msgstr "" + +#: hostname.c:58 +msgid "Hostname may only contain letters, numbers and hyphens." +msgstr "" + +#: keymap.c:84 main.c:67 +msgid "Keyboard mapping" +msgstr "" + +#: keymap.c:85 +msgid "Choose the type of keyboard you are using from the list below." 
+msgstr "" + +#: main.c:68 timezone.c:77 +msgid "Timezone" +msgstr "" + +#: main.c:71 networking.c:110 networking.c:115 networking.c:447 +msgid "Networking" +msgstr "" + +#: main.c:72 misc.c:147 +msgid "ISDN" +msgstr "" + +#: main.c:73 +msgid "'root' password" +msgstr "" + +#: main.c:74 +msgid "'admin' password" +msgstr "" + +#: main.c:90 +msgid " <Tab>/<Alt-Tab> between elements | <Space> selects" +msgstr "" + +#: main.c:97 +msgid "Section menu" +msgstr "" + +#: main.c:98 +msgid "Select the item you wish to configure." +msgstr "" + +#: main.c:99 +msgid "Quit" +msgstr "" + +#: main.c:172 +msgid "Setup is complete." +msgstr "" + +#: main.c:174 netstuff.c:733 networking.c:560 networking.c:653 +msgid "Warning" +msgstr "" + +#: main.c:175 +msgid "" +"Initial setup was not entirely complete. You must ensure that Setup is " +"properly finished by running setup again at the shell." +msgstr "" + +#: misc.c:62 +#, c-format +msgid "Unable to write %s/main/hostname.conf" +msgstr "" + +#: misc.c:71 +msgid "Unable to open main hosts file." +msgstr "" + +#: misc.c:76 +msgid "Unable to write /etc/hosts." +msgstr "" + +#: misc.c:117 +msgid "Unable to write /etc/hosts.deny." +msgstr "" + +#: misc.c:125 +msgid "Unable to write /etc/hosts.allow." +msgstr "" + +#: misc.c:136 +msgid "Unable to set hostname." +msgstr "" + +#: misc.c:147 +msgid "Scanning and configuring ISDN devices." +msgstr "" + +#: misc.c:148 +msgid "Unable to scan for ISDN devices." +msgstr "" + +#: netstuff.c:86 +#, c-format +msgid "Interface - %s" +msgstr "" + +#: netstuff.c:91 +#, c-format +msgid "Enter the IP address information for the %s interface." 
+msgstr "" + +#: netstuff.c:103 +msgid "Static" +msgstr "" + +#: netstuff.c:104 +msgid "DHCP" +msgstr "" + +#: netstuff.c:105 +msgid "PPP DIALUP (PPPoE, modem, ATM ...)" +msgstr "" + +#: netstuff.c:113 +msgid "DHCP Hostname:" +msgstr "" + +#: netstuff.c:115 +msgid "Force DHCP MTU:" +msgstr "" + +#: netstuff.c:134 +msgid "IP address:" +msgstr "" + +#: netstuff.c:146 +msgid "Network mask:" +msgstr "" + +#: netstuff.c:173 networking.c:749 +msgid "The following fields are invalid:" +msgstr "" + +#: netstuff.c:183 +msgid "IP address" +msgstr "" + +#: netstuff.c:189 +msgid "Network mask" +msgstr "" + +#: netstuff.c:198 +msgid "DHCP hostname" +msgstr "" + +#: netstuff.c:396 netstuff.c:709 +msgid "Unset" +msgstr "" + +#: netstuff.c:669 +#, c-format +msgid "Please choose a networkcard for the following interface - %s." +msgstr "" + +#: netstuff.c:672 +msgid "Extended Network Menu" +msgstr "" + +#: netstuff.c:673 networking.c:520 +msgid "Select" +msgstr "" + +#: netstuff.c:673 +msgid "Identify" +msgstr "" + +#: netstuff.c:678 +msgid "Device Identification" +msgstr "" + +#: netstuff.c:678 +msgid "The lights on the selected port should flash now for 10 seconds..." +msgstr "" + +#: netstuff.c:679 +msgid "Identification is not supported by this interface." +msgstr "" + +#: netstuff.c:691 +msgid "There are no unassigned interfaces on your system." +msgstr "" + +#: netstuff.c:732 +#, c-format +msgid "Do you really want to remove the assigned %s interface?" +msgstr "" + +#: netstuff.c:755 +msgid "Select network driver" +msgstr "" + +#: netstuff.c:755 +msgid "Set additional module parameters" +msgstr "" + +#: netstuff.c:762 +msgid "Loading module..." +msgstr "" + +#: netstuff.c:777 +msgid "Unable to load driver module." +msgstr "" + +#: netstuff.c:780 +msgid "Module name cannot be blank." +msgstr "" + +#: networking.c:110 +msgid "Stopping network..." +msgstr "" + +#: networking.c:115 +msgid "Restarting network..." 
+msgstr "" + +#: networking.c:146 +msgid "No GREEN interface assigned." +msgstr "" + +#: networking.c:152 +msgid "Missing an IP address on GREEN." +msgstr "" + +#: networking.c:163 +msgid "Error" +msgstr "" + +#: networking.c:163 +msgid "Ignore" +msgstr "" + +#: networking.c:164 +msgid "No RED interface assigned." +msgstr "" + +#: networking.c:173 +msgid "Missing an IP address on RED." +msgstr "" + +#: networking.c:183 +msgid "No ORANGE interface assigned." +msgstr "" + +#: networking.c:189 +msgid "Missing an IP address on ORANGE." +msgstr "" + +#: networking.c:199 +msgid "No BLUE interface assigned." +msgstr "" + +#: networking.c:205 +msgid "Missing an IP address on BLUE." +msgstr "" + +#: networking.c:217 +msgid "Misssing DNS." +msgstr "" + +#: networking.c:224 +msgid "Missing Default Gateway." +msgstr "" + +#: networking.c:237 networking.c:304 +msgid "Network configuration type" +msgstr "" + +#: networking.c:238 networking.c:409 +msgid "Drivers and card assignments" +msgstr "" + +#: networking.c:239 networking.c:640 +msgid "Address settings" +msgstr "" + +#: networking.c:240 networking.c:743 +msgid "DNS and Gateway settings" +msgstr "" + +#: networking.c:260 +msgid "When configuration is complete, a network restart will be required." +msgstr "" + +#: networking.c:267 +#, c-format +msgid "" +"Current config: %s\n" +"\n" +"%s" +msgstr "" + +#: networking.c:268 +msgid "Network configuration menu" +msgstr "" + +#: networking.c:269 networking.c:520 networking.c:642 +msgid "Done" +msgstr "" + +#: networking.c:300 +#, c-format +msgid "" +"Select the network configuration for %s. The following configuration types " +"list those interfaces which have ethernet attached. If you change this " +"setting, a network restart will be required, and you will have to " +"reconfigure the network driver assignments." 
+msgstr "" + +#: networking.c:307 +#, c-format +msgid "" +"Not enough netcards for your choice.\n" +"\n" +"Needed: %d - Available: %d\n" +msgstr "" + +#: networking.c:359 +msgid "" +"Configure network drivers, and which interface each card is assigned to. The current configuration is as follows:\n" +"\n" +msgstr "" + +#: networking.c:408 +msgid "Do you wish to change these settings?" +msgstr "" + +#: networking.c:447 +msgid "Restarting non-local network..." +msgstr "" + +#: networking.c:464 +msgid "" +"Please choose the interface you wish to change.\n" +"\n" +msgstr "" + +#: networking.c:519 +msgid "Assigned Cards" +msgstr "" + +#: networking.c:520 +msgid "Remove" +msgstr "" + +#: networking.c:556 networking.c:649 +#, c-format +msgid "" +"If you change this IP address, and you are logged in remotely, your " +"connection to the %s machine will be broken, and you will have to reconnect " +"on the new IP. This is a risky operation, and should only be attempted if " +"you have physical access to the machine, should something go wrong." +msgstr "" + +#: networking.c:641 +msgid "Select the interface you wish to reconfigure." +msgstr "" + +#: networking.c:729 +msgid "Default gateway:" +msgstr "" + +#: networking.c:744 +msgid "" +"Enter the DNS and gateway information. These settings are used only with " +"Static IP (and DHCP if DNS set) on the RED interface." +msgstr "" + +#: networking.c:773 +msgid "Default gateway" +msgstr "" + +#: networking.c:780 +msgid "Secondary DNS specified without a Primary DNS" +msgstr "" + +#: passwords.c:33 +msgid "" +"Enter the 'root' user password. Login as this user for commandline access." +msgstr "" + +#: passwords.c:38 passwords.c:61 +msgid "Setting password" +msgstr "" + +#: passwords.c:38 +msgid "Setting 'root' password...." +msgstr "" + +#: passwords.c:39 +msgid "Problem setting 'root' password." +msgstr "" + +#: passwords.c:53 +#, c-format +msgid "" +"Enter %s 'admin' user password. 
This is the user to use for logging into the" +" %s web administration pages." +msgstr "" + +#: passwords.c:60 +#, c-format +msgid "Setting %s 'admin' user password..." +msgstr "" + +#: passwords.c:62 +#, c-format +msgid "Problem setting %s 'admin' user password." +msgstr "" + +#: passwords.c:76 +msgid "Password:" +msgstr "" + +#: passwords.c:77 +msgid "Again:" +msgstr "" + +#: passwords.c:95 +msgid "Password cannot be blank." +msgstr "" + +#: passwords.c:102 +msgid "Passwords do not match." +msgstr "" + +#: passwords.c:109 +msgid "Password cannot contain spaces." +msgstr "" + +#: timezone.c:77 +msgid "Choose the timezone you are in from the list below." +msgstr "" diff --git a/src/setup/po/ru.po b/src/setup/po/ru.po index 4869ecf..fc20907 100644 --- a/src/setup/po/ru.po +++ b/src/setup/po/ru.po @@ -6,19 +6,20 @@ # Andrei Skipin skian2007@yandex.ru, 2014 # ellviss kpe1501@gmail.com, 2015 # bubnov_pi ipfire@bubnov.su, 2014 +# Tim evargrin@gmail.com, 2015 msgid "" msgstr "" "Project-Id-Version: IPFire Project\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2014-08-21 15:12+0000\n" -"PO-Revision-Date: 2015-02-17 19:30+0000\n" -"Last-Translator: ellviss kpe1501@gmail.com\n" -"Language-Team: Russian (http://www.transifex.com/projects/p/ipfire/language/ru/)%5Cn" +"PO-Revision-Date: 2015-04-25 04:53+0000\n" +"Last-Translator: Tim evargrin@gmail.com\n" +"Language-Team: Russian (http://www.transifex.com/mstremer/ipfire/language/ru/)%5Cn" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "Language: ru\n" -"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n" +"Plural-Forms: nplurals=4; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n%10<=4 && (n%100<12 || n%100>14) ? 1 : n%10==0 || (n%10>=5 && n%10<=9) || (n%100>=11 && n%100<=14)? 2 : 3);\n"
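Review bot: the ru.po header hunk changes Plural-Forms from nplurals=3 to nplurals=4 (the newer four-form Russian rule) alongside the Language-Team URL; the setup template in this same push (see the full pt.po and ro.po) contains no msgid_plural entry, so the change is inert for this catalog today, but any plural string added later must carry msgstr[0] through msgstr[3] or `msgfmt -c` will refuse the file. Worth a note in the commit message so the next header refresh from Transifex is not mistaken for a regression.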
#: dhcp.c:50 msgid "Start address:" @@ -214,11 +215,11 @@ msgstr "" #: misc.c:62 #, c-format msgid "Unable to write %s/main/hostname.conf" -msgstr "" +msgstr "ÐеЎПÑÑÑпМа запОÑÑ Ð² %s/main/hostname.conf"
#: misc.c:71 msgid "Unable to open main hosts file." -msgstr "" +msgstr "Ðе ÑЎаÑÑÑÑ ÐŸÑкÑÑÑÑ ÐŸÑМПвМПй hosts Ñайл."
#: misc.c:76 msgid "Unable to write /etc/hosts." @@ -234,7 +235,7 @@ msgstr "ÐеЎПÑÑÑпМа запОÑÑ Ð² /etc/hosts.allow."
#: misc.c:136 msgid "Unable to set hostname." -msgstr "" +msgstr "Ðе ÑЎаеÑÑÑ ÑказаÑÑ ÐžÐŒÑ Ñ ÐŸÑÑа."
#: misc.c:147 msgid "Scanning and configuring ISDN devices." @@ -242,7 +243,7 @@ msgstr "СкаМОÑПваМОе О кПМÑОгÑÑОÑПваМОе ISDN ÑÑÑ
#: misc.c:148 msgid "Unable to scan for ISDN devices." -msgstr "" +msgstr "Ðе ÑЎаÑÑÑÑ Ð¿ÑПÑкаМОÑПваÑÑ ISDN ÑÑÑÑПйÑÑва."
#: netstuff.c:86 #, c-format @@ -252,7 +253,7 @@ msgstr "ÐÐœÑеÑÑÐµÐ¹Ñ - %s" #: netstuff.c:91 #, c-format msgid "Enter the IP address information for the %s interface." -msgstr "" +msgstr "УкажОÑе IP аЎÑÐµÑ ÐŽÐ»Ñ %s ОМÑеÑÑейÑа."
#: netstuff.c:103 msgid "Static" @@ -264,7 +265,7 @@ msgstr "DHCP-ÑеÑвеÑ"
#: netstuff.c:105 msgid "PPP DIALUP (PPPoE, modem, ATM ...)" -msgstr "" +msgstr "PPP DIALUP (PPPoE, ЌПЎеЌ, ATM ...)"
#: netstuff.c:113 msgid "DHCP Hostname:" @@ -272,7 +273,7 @@ msgstr "ÐÐŒÑ Ñ ÐŸÑÑа DHCP:"
#: netstuff.c:115 msgid "Force DHCP MTU:" -msgstr "" +msgstr "ЀПÑÑОÑПваÑÑ DHCP MTU:"
#: netstuff.c:134 msgid "IP address:" @@ -284,7 +285,7 @@ msgstr "СеÑÐµÐ²Ð°Ñ ÐŒÐ°Ñка:"
#: netstuff.c:173 networking.c:749 msgid "The following fields are invalid:" -msgstr "" +msgstr "СлеЎÑÑÑОе Ð¿ÐŸÐ»Ñ ÐœÐµÐ²ÐµÑÐœÑ:"
#: netstuff.c:183 msgid "IP address" @@ -300,7 +301,7 @@ msgstr "ÐÐŒÑ Ñ ÐŸÑÑа DHCP"
#: netstuff.c:396 netstuff.c:709 msgid "Unset" -msgstr "" +msgstr "Ðе ÑÑÑаМПвлеМП"
#: netstuff.c:669 #, c-format @@ -317,11 +318,11 @@ msgstr "ÐÑбеÑОÑе"
#: netstuff.c:673 msgid "Identify" -msgstr "" +msgstr "ÐЎеМÑОÑОÑОÑПваÑÑ"
#: netstuff.c:678 msgid "Device Identification" -msgstr "" +msgstr "ÐпÑеЎелеМОе ÑÑÑÑПйÑÑва"
#: netstuff.c:678 msgid "The lights on the selected port should flash now for 10 seconds..." @@ -338,7 +339,7 @@ msgstr "" #: netstuff.c:732 #, c-format msgid "Do you really want to remove the assigned %s interface?" -msgstr "" +msgstr "ÐÑ ÐŽÐµÐ¹ÑÑвОÑелÑМП Ñ ÐŸÑОÑе ÑЎалОÑÑ ÐœÐ°Ð·ÐœÐ°ÑеММÑй %s ОМÑеÑÑейÑ?"
#: netstuff.c:755 msgid "Select network driver" @@ -346,7 +347,7 @@ msgstr "ÐÑбеÑОÑе ÑеÑевПй ÐŽÑайвеÑ"
#: netstuff.c:755 msgid "Set additional module parameters" -msgstr "" +msgstr "УказаÑÑ ÐŽÐŸÐ¿ÐŸÐ»ÐœÐžÑелÑÐœÑе паÑаЌеÑÑÑ ÐŒÐŸÐŽÑлÑ."
#: netstuff.c:762 msgid "Loading module..." @@ -358,7 +359,7 @@ msgstr "ÐевПзЌПжМП загÑÑзОÑÑ ÐŽÑÐ°Ð¹Ð²ÐµÑ ÐŒÐŸÐŽÑлÑ."
#: netstuff.c:780 msgid "Module name cannot be blank." -msgstr "" +msgstr "ÐÐŒÑ ÐŒÐŸÐŽÑÐ»Ñ ÐœÐµ ÐŒÐŸÐ¶ÐµÑ Ð±ÑÑÑ Ð¿ÑÑÑÑÐŒ."
#: networking.c:110 msgid "Stopping network..." @@ -370,7 +371,7 @@ msgstr "ÐеÑезапÑÑк ÑеÑО..."
#: networking.c:146 msgid "No GREEN interface assigned." -msgstr "" +msgstr "Ðе МазМаÑеМ ÐÐÐÐÐЫРОМÑеÑÑейÑ."
#: networking.c:152 msgid "Missing an IP address on GREEN." @@ -386,7 +387,7 @@ msgstr "ÐгМПÑОÑПваÑÑ"
#: networking.c:164 msgid "No RED interface assigned." -msgstr "" +msgstr "Ðе ÑказаМ ÐÐ ÐСÐЫРОМÑеÑÑейÑ."
#: networking.c:173 msgid "Missing an IP address on RED." @@ -394,7 +395,7 @@ msgstr ""
#: networking.c:183 msgid "No ORANGE interface assigned." -msgstr "" +msgstr "Ðе ÑказаМ ÐÐ ÐÐÐÐÐЫРОМÑеÑÑейÑ."
#: networking.c:189 msgid "Missing an IP address on ORANGE." @@ -402,7 +403,7 @@ msgstr ""
#: networking.c:199 msgid "No BLUE interface assigned." -msgstr "" +msgstr "Ðе ÑказаМ СÐÐÐРОМÑеÑÑейÑ."
#: networking.c:205 msgid "Missing an IP address on BLUE." @@ -418,11 +419,11 @@ msgstr "ÐÑÑÑÑÑÑвÑÐµÑ ÑлÑз пП ÑЌПлÑаМОÑ."
#: networking.c:237 networking.c:304 msgid "Network configuration type" -msgstr "" +msgstr "ТОп кПМÑОгÑÑаÑОО ÑеÑО"
#: networking.c:238 networking.c:409 msgid "Drivers and card assignments" -msgstr "" +msgstr "ÐазМаÑеМОе каÑÑ Ðž ÐŽÑайвеÑПв"
#: networking.c:239 networking.c:640 msgid "Address settings" @@ -434,7 +435,7 @@ msgstr "ÐаÑÑÑПйка DNS О КлÑза"
#: networking.c:260 msgid "When configuration is complete, a network restart will be required." -msgstr "" +msgstr "ÐПгЎа кПМÑОгÑÑаÑÐžÑ Ð·Ð°Ð²ÐµÑÑОÑÑÑÑ, ÐœÐµÐŸÐ±Ñ ÐŸÐŽÐžÐŒÐŸ бÑÐŽÐµÑ Ð¿ÐµÑезагÑÑзОÑÑ ÑеÑÑ."
#: networking.c:267 #, c-format @@ -491,7 +492,7 @@ msgstr ""
#: networking.c:519 msgid "Assigned Cards" -msgstr "" +msgstr "ÐазМаÑеМОе ÑеÑевÑÑ ÐºÐ°ÑÑ"
#: networking.c:520 msgid "Remove" @@ -555,12 +556,12 @@ msgstr "" #: passwords.c:60 #, c-format msgid "Setting %s 'admin' user password..." -msgstr "" +msgstr "УкажОÑе паÑÐŸÐ»Ñ %s ÐŽÐ»Ñ Ð¿ÐŸÐ»ÑзПваÑÐµÐ»Ñ 'admin'..."
#: passwords.c:62 #, c-format msgid "Problem setting %s 'admin' user password." -msgstr "" +msgstr "ÐÑПблеЌа Ñ ÑказаМОеЌ паÑÐŸÐ»Ñ %s ÐŽÐ»Ñ Ð¿ÐŸÐ»ÑзПваÑÐµÐ»Ñ 'admin'."
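Review bot: all new Russian msgstr lines in these hunks show as mojibake, the signature of UTF-8 bytes decoded as a single-byte charset; most likely the mail rather than the file, but verify the catalog is valid UTF-8 and passes `msgfmt -c` before release, since a double-encoded catalog ships garbled UI text. Two wording points once decoded: the msgstr for "Setting %s 'admin' user password..." reads as an imperative ("Укажите пароль ...", i.e. "specify the password") although the msgid is a progress message, so mirror the wording used for the 'root' variant; and the msgstr for "Set additional module parameters" ends with a period the msgid does not have, which matters for a button label.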
#: passwords.c:76 msgid "Password:" diff --git a/src/setup/po/sq.po b/src/setup/po/sq.po index 339dea1..9983002 100644 --- a/src/setup/po/sq.po +++ b/src/setup/po/sq.po @@ -9,9 +9,9 @@ msgstr "" "Project-Id-Version: IPFire Project\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2014-08-21 15:12+0000\n" -"PO-Revision-Date: 2015-02-02 22:35+0000\n" +"PO-Revision-Date: 2015-06-22 10:58+0000\n" "Last-Translator: Ardit Dani ardit.dani@gmail.com\n" -"Language-Team: Albanian (http://www.transifex.com/projects/p/ipfire/language/sq/)%5Cn" +"Language-Team: Albanian (http://www.transifex.com/mstremer/ipfire/language/sq/)%5Cn" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" @@ -64,7 +64,7 @@ msgstr ""
#: dhcp.c:125 msgid "Enabled" -msgstr "" +msgstr "Mundëso"
#: dhcp.c:142 domainname.c:43 hostname.c:47 keymap.c:86 main.c:99 main.c:172 #: main.c:174 netstuff.c:157 netstuff.c:733 netstuff.c:756 networking.c:163 @@ -101,7 +101,7 @@ msgstr ""
#: dhcp.c:182 networking.c:764 msgid "Secondary DNS" -msgstr "" +msgstr "DNS Dytësorë"
#: dhcp.c:189 msgid "Default lease time" diff --git a/src/squid-accounting/acct.pl b/src/squid-accounting/acct.pl index 68eb63c..e90d06e 100755 --- a/src/squid-accounting/acct.pl +++ b/src/squid-accounting/acct.pl @@ -100,7 +100,7 @@ if (-f $proxyenabled && $proxylog eq $Lang::tr{'running'}){ $dbh=&ACCT::connectdb; my $m=sprintf("%d",(localtime((time-3600)))[4]+1); &ACCT::logger($settings{'LOG'},"month before one hour $m, now is ".($mon+1)."\n"); - if ($m = ($mon+1) || $m == '12' && ($mon+1) == '1'){ + if ($m < ($mon+1) || $m == '12' && ($mon+1) == '1'){ #Logrotate my $year1=$year+1900; system ("tar", "cfz", "/var/log/accounting-$m-$year1.tar.gz", "/var/log/accounting.log"); @@ -217,6 +217,7 @@ sub fill_db{ my $tim=time(); #Fill ACCT table with accounting information foreach my $name (sort keys %counter){ + next if (substr($name,-1,1) eq '$'); foreach my $bytes (keys %{ $counter{$name} }) { $dbh->do("insert into ACCT (TIME_RUN,NAME,BYTES) values ('$tim','$name','$counter{$name}{$bytes}');"); }
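Review bot: in the first acct.pl hunk the fix replaces an assignment (`$m = ($mon+1)`, which made the branch unconditional) with `<`, which is right, but the condition still leans on `&&` binding tighter than `||` and compares numbers to the string literals '12' and '1'; write it as `if (($m < $mon+1) || ($m == 12 && $mon+1 == 1))` so the month-rollover intent is explicit. `$m` is derived from `localtime(time-3600)` while `$mon` is set outside the hunk; take both from one timestamp so the two cannot straddle midnight on the first of the month.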
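Review bot: the new `next if (substr($name,-1,1) eq '$');` in fill_db skips names ending in `$` (machine accounts), but the insert right below it still interpolates `$name` straight into the SQL text (`values ('$tim','$name',...)`); these names come from accounting data, not from code, so a name containing a single quote breaks the statement and can change its meaning, and the new skip does nothing for that case. Use bind parameters: `$dbh->do("insert into ACCT (TIME_RUN,NAME,BYTES) values (?,?,?)", undef, $tim, $name, $counter{$name}{$bytes});`, which also removes the quoting of numeric columns as strings.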
hooks/post-receive -- IPFire 2.x development tree