From: git@ipfire.org
To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, next, updated. f0728c790ffce0acc5373bc340596a5e9974c8c1
Date: Tue, 29 Jul 2014 22:01:57 +0200 [thread overview]
Message-ID: <20140729200157.5AE0D21264@argus.ipfire.org> (raw)
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, next has been updated
via f0728c790ffce0acc5373bc340596a5e9974c8c1 (commit)
via dccbf1bf4e38401bc8be2d74c9bbc41e4f55e3ad (commit)
via cea4fc3aaf3fb9b776a2209ccdaff6452e099f8e (commit)
via 8df091d9680ca0230723fc62b56c9e1d29acb481 (commit)
via bc70c8273792c3cbe41edca1a90f62b4ff0666a1 (commit)
via 5b861b054576b43e5564289ca08875ee28859cbf (commit)
via cb8a29b10bcbfa25a135a180ca8cc2c74f54cd52 (commit)
via fffc646e743adb4aebdf75972bb2c9fb12e0675e (commit)
via 7535861c50af78230d509e0440e00abacf3057cb (commit)
from 4e9a2b57320fc17a2eaee06b60ee508ec79e59b0 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit f0728c790ffce0acc5373bc340596a5e9974c8c1
Merge: dccbf1b cea4fc3
Author: Arne Fitzenreiter <arne_f(a)git.ipfire.org>
Date: Tue Jul 29 22:01:19 2014 +0200
Merge remote-tracking branch 'origin/master' into next
Conflicts:
config/cfgroot/general-functions.pl
commit dccbf1bf4e38401bc8be2d74c9bbc41e4f55e3ad
Author: Arne Fitzenreiter <arne_f(a)git.ipfire.org>
Date: Tue Jul 29 21:57:07 2014 +0200
firewall: add more pscan matches and filter INVALID conntrack packets.
-----------------------------------------------------------------------
Summary of changes:
config/rootfiles/common/stage2 | 1 +
config/rootfiles/core/80/filelists/files | 3 +++
config/rootfiles/core/80/update.sh | 6 ++---
html/cgi-bin/logs.cgi/log.dat | 2 ++
lfs/ddns | 2 ++
src/initscripts/init.d/firewall | 29 ++++++++--------------
src/initscripts/init.d/rngd | 10 ++++++--
...3-Add-a-program-prefix-to-syslog-messages.patch | 25 +++++++++++++++++++
8 files changed, 54 insertions(+), 24 deletions(-)
create mode 100644 src/patches/ddns-003-Add-a-program-prefix-to-syslog-messages.patch
Difference in files:
diff --git a/config/rootfiles/common/stage2 b/config/rootfiles/common/stage2
index 39bf555..eb97040 100644
--- a/config/rootfiles/common/stage2
+++ b/config/rootfiles/common/stage2
@@ -98,6 +98,7 @@ usr/local/bin/timezone-transition
usr/local/bin/update-lang-cache
#usr/local/include
#usr/local/lib
+#usr/local/lib/sse2
#usr/local/sbin
#usr/local/share
#usr/local/share/doc
diff --git a/config/rootfiles/core/80/filelists/files b/config/rootfiles/core/80/filelists/files
index 822baa2..a12048d 100644
--- a/config/rootfiles/core/80/filelists/files
+++ b/config/rootfiles/core/80/filelists/files
@@ -4,9 +4,12 @@ etc/logrotate.conf
etc/rc.d/init.d/cleanfs
etc/rc.d/init.d/dhcrelay
etc/rc.d/init.d/dnsmasq
+etc/rc.d/init.d/firewall
etc/rc.d/init.d/networking/red.up/30-ddns
+etc/rc.d/init.d/rngd
srv/web/ipfire/cgi-bin/ddns.cgi
srv/web/ipfire/cgi-bin/logs.cgi/firewalllogcountry.dat
+srv/web/ipfire/cgi-bin/logs.cgi/log.dat
srv/web/ipfire/cgi-bin/netexternal.cgi
srv/web/ipfire/cgi-bin/ovpnmain.cgi
srv/web/ipfire/cgi-bin/proxy.cgi
diff --git a/config/rootfiles/core/80/update.sh b/config/rootfiles/core/80/update.sh
index b8b5b58..67244c6 100644
--- a/config/rootfiles/core/80/update.sh
+++ b/config/rootfiles/core/80/update.sh
@@ -60,9 +60,6 @@ rm -f \
/opt/pakfire/db/installed/meta-libgpg-error \
/opt/pakfire/db/rootfiles/libgpg-error
-# Regenerate squid configuration file
-sudo -u nobody /srv/web/ipfire/cgi-bin/proxy.cgi
-
# Fix broken proxy configuration permissions
chown -R nobody.nobody \
/var/ipfire/proxy/advanced \
@@ -72,6 +69,9 @@ chown -R nobody.nobody \
/var/ipfire/proxy/squid.conf \
/var/ipfire/proxy/transparent
+# Regenerate squid configuration file
+sudo -u nobody /srv/web/ipfire/cgi-bin/proxy.cgi
+
# Generate ddns configuration file
sudo -u nobody /srv/web/ipfire/cgi-bin/ddns.cgi
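Review bot: The relocated `sudo -u nobody /srv/web/ipfire/cgi-bin/proxy.cgi` call now depends on running after the `chown -R nobody.nobody` block, but the comment above it does not say so. Presumably the move exists so that the CGI, running as nobody, can write the files whose ownership was just repaired. I would extend the comment to `# Regenerate squid configuration file (must run after the permission fix above, proxy.cgi runs as nobody)` so a later reorder does not silently undo this. The exit status of the call is also not checked, so a failed regeneration would pass unnoticed during the update.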
diff --git a/html/cgi-bin/logs.cgi/log.dat b/html/cgi-bin/logs.cgi/log.dat
index dacd518..1813862 100644
--- a/html/cgi-bin/logs.cgi/log.dat
+++ b/html/cgi-bin/logs.cgi/log.dat
@@ -51,6 +51,7 @@ $cgiparams{'SECTION'} = 'ipfire';
my %sections = (
'ipfire' => '(ipfire: )',
'red' => '(red:|pppd\[.*\]: |chat\[.*\]|pppoe\[.*\]|pptp\[.*\]|pppoa\[.*\]|pppoa3\[.*\]|pppoeci\[.*\]|ipppd|ipppd\[.*\]|kernel: ippp\d|kernel: isdn.*|ibod\[.*\]|dhcpcd\[.*\]|modem_run\[.*\])',
+ 'ddns' => '(ddns\[\d+\]:)',
'dns' => '(dnsmasq\[.*\]: )',
'dhcp' => '(dhcpd: )',
'clamav' => '(clamd\[.*\]: |freshclam\[.*\]: )',
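Review bot: The new `'ddns' => '(ddns\[\d+\]:)'` entry is tied to the exact prefix that the ddns-003 patch in this same push puts into the syslog formatter (`"ddns[%(process)d]: %(message)s"`), and nothing at the entry records that coupling. A comment such as `# must match the "ddns[<pid>]: " prefix set by ddns' syslog formatter` would keep the two in step. The neighbouring patterns end in `: ` with a trailing space while this one stops at the colon; `'(ddns\[\d+\]: )'` would be consistent and slightly tighter. How `%sections` is applied to a log line is outside this hunk, so whether the match is anchored to the program field or can hit the same text inside another daemon's message cannot be judged from here. In the second hunk of this file the value is written bare (`$Lang::tr{'dynamic dns'}`) next to the quoted `"$Lang::tr{'dhcp server'}"`; one form should be used for both.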
@@ -70,6 +71,7 @@ my %sections = (
my %trsections = (
'ipfire' => 'IPFire',
'red' => 'RED',
+ 'ddns' => $Lang::tr{'dynamic dns'},
'dns' => 'DNS',
'dhcp' => "$Lang::tr{'dhcp server'}",
'cron' => 'Cron',
diff --git a/lfs/ddns b/lfs/ddns
index c8348ce..975c8c3 100644
--- a/lfs/ddns
+++ b/lfs/ddns
@@ -71,6 +71,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
+ cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/ddns-003-Add-a-program-prefix-to-syslog-messages.patch
+
cd $(DIR_APP) && [ -x "configure" ] || sh ./autogen.sh
cd $(DIR_APP) && ./configure --prefix=/usr --sysconfdir=/var/ipfire
cd $(DIR_APP) && make $(MAKETUNING)
diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index 7a18502..23d0c23 100644
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -64,16 +64,20 @@ iptables_init() {
iptables -A BADTCP -i lo -j RETURN
# Disallow packets frequently used by port-scanners
- # nmap xmas
- iptables -A BADTCP -p tcp --tcp-flags ALL FIN,URG,PSH -j PSCAN
- # Null
- iptables -A BADTCP -p tcp --tcp-flags ALL NONE -j PSCAN
- # FIN
+ # NMAP FIN/URG/PSH (XMAS scan)
+ iptables -A BADTCP -p tcp --tcp-flags ALL FIN,URG,PSH -j PSCAN
+ # SYN/RST/ACK/FIN/URG
+ iptables -A BADTCP -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j PSCAN
+ # ALL/ALL
+ iptables -A BADTCP -p tcp --tcp-flags ALL ALL -j PSCAN
+ # FIN Stealth
iptables -A BADTCP -p tcp --tcp-flags ALL FIN -j PSCAN
# SYN/RST (also catches xmas variants that set SYN+RST+...)
iptables -A BADTCP -p tcp --tcp-flags SYN,RST SYN,RST -j PSCAN
# SYN/FIN (QueSO or nmap OS probe)
iptables -A BADTCP -p tcp --tcp-flags SYN,FIN SYN,FIN -j PSCAN
+ # Null
+ iptables -A BADTCP -p tcp --tcp-flags ALL NONE -j PSCAN
# NEW TCP without SYN
iptables -A BADTCP -p tcp ! --syn -m conntrack --ctstate NEW -j NEWNOTSYN
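Review bot: The two added matches, `--tcp-flags ALL SYN,RST,ACK,FIN,URG` and `--tcp-flags ALL ALL`, do not send any additional packets to PSCAN. Both flag sets contain SYN and RST, so the existing `--tcp-flags SYN,RST SYN,RST -j PSCAN` rule further down already catches them, as its own comment about xmas variants notes. Because the new rules sit earlier in the chain, their only effect is a separate packet counter per pattern. If that is the intent, the comments should say so, for example `# ALL/ALL (already covered by SYN/RST below; kept for a separate counter)`; otherwise the two rules can be dropped. iptables_init() starts and ends outside this hunk.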
@@ -83,6 +87,7 @@ iptables_init() {
# Connection tracking chain
iptables -N CONNTRACK
iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+ iptables -A CONNTRACK -m conntrack --ctstate INVALID -j DROP
# Fix for braindead ISP's
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
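Review bot: The new `--ctstate INVALID -j DROP` rule discards packets silently, so a burst of INVALID traffic (a scan, asymmetric routing, or an overflowing conntrack table) leaves no trace in the firewall log. The BADTCP matches above are sent to dedicated chains (PSCAN, NEWNOTSYN) that presumably log before dropping; the same treatment would help here, e.g. a rate-limited `iptables -A CONNTRACK -m conntrack --ctstate INVALID -m limit --limit 10/minute -j LOG --log-prefix "DROP_CTINVALID "` ahead of the DROP. The rule also deserves a short comment on why INVALID is dropped in this chain. Where CONNTRACK is hooked relative to BADTCP is outside the hunk, so whether the `! --syn ... --ctstate NEW` rule still sees the packets it used to cannot be confirmed here.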
@@ -254,20 +259,6 @@ iptables_init() {
iptables -t nat -N REDNAT
iptables -t nat -A POSTROUTING -j REDNAT
- # Filter logging of incoming broadcasts.
- iptables -N BROADCAST_FILTER
- iptables -A INPUT -j BROADCAST_FILTER
-
- iptables -A BROADCAST_FILTER -i "${GREEN_DEV}" -d "${GREEN_BROADCAST}" -j DROP
-
- if [ -n "${BLUE_DEV}" -a -n "${BLUE_BROADCAST}" ]; then
- iptables -A BROADCAST_FILTER -i "${BLUE_DEV}" -d "${BLUE_BROADCAST}" -j DROP
- fi
-
- if [ -n "${ORANGE_DEV}" -a -n "${ORANGE_BROADCAST}" ]; then
- iptables -A BROADCAST_FILTER -i "${ORANGE_DEV}" -d "${ORANGE_BROADCAST}" -j DROP
- fi
-
# Apply OpenVPN firewall rules
/usr/local/bin/openvpnctrl --firewall-rules
diff --git a/src/initscripts/init.d/rngd b/src/initscripts/init.d/rngd
index 22437fd..df4aa7d 100644
--- a/src/initscripts/init.d/rngd
+++ b/src/initscripts/init.d/rngd
@@ -28,12 +28,18 @@ case "${1}" in
fi
boot_mesg "Starting Random Number Generator Daemon..."
- loadproc /usr/sbin/rngd --no-tpm=1
+
+ if pidofproc /usr/sbin/rngd &>/dev/null; then
+ # Is already running.
+ echo_ok
+ else
+ loadproc /usr/sbin/rngd --no-tpm=1
+ fi
;;
stop)
boot_mesg "Stopping Random Number Generator Daemon..."
- killproc /usr/sbin/rngd
+ killproc -p /var/run/rngd.pid /usr/sbin/rngd
;;
restart)
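Review bot: The start branch looks the daemon up by name (`pidofproc /usr/sbin/rngd`) while the stop branch now uses the pidfile (`killproc -p /var/run/rngd.pid /usr/sbin/rngd`), so the two can disagree when the pidfile is stale or missing. If the init functions' pidofproc accepts `-p` as killproc does, using `if pidofproc -p /var/run/rngd.pid /usr/sbin/rngd &>/dev/null; then` keeps both branches on the same source of truth. The `&>` redirect is a bashism; it is fine only if this script is always run by bash, which the hunk does not show. The `case` statement continues outside the hunk.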
diff --git a/src/patches/ddns-003-Add-a-program-prefix-to-syslog-messages.patch b/src/patches/ddns-003-Add-a-program-prefix-to-syslog-messages.patch
new file mode 100644
index 0000000..978db85
--- /dev/null
+++ b/src/patches/ddns-003-Add-a-program-prefix-to-syslog-messages.patch
@@ -0,0 +1,25 @@
+From 21fd4b8d26d01d622185ab8de971a9ee934220a3 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer(a)ipfire.org>
+Date: Thu, 24 Jul 2014 13:23:36 +0200
+Subject: [PATCH] Add a program prefix to syslog messages.
+
+---
+ src/ddns/__init__.py | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/ddns/__init__.py b/src/ddns/__init__.py
+index 22764e6..6fe3a33 100644
+--- a/src/ddns/__init__.py
++++ b/src/ddns/__init__.py
+@@ -42,6 +42,8 @@ def setup_logging():
+ handler = logging.handlers.SysLogHandler(address="/dev/log",
+ facility=logging.handlers.SysLogHandler.LOG_DAEMON
+ )
++ formatter = logging.Formatter("ddns[%(process)d]: %(message)s")
++ handler.setFormatter(formatter)
+ handler.setLevel(logging.INFO)
+ rootlogger.addHandler(handler)
+
+--
+1.9.3
+
hooks/post-receive
--
IPFire 2.x development tree