public inbox for ipfire-scm@lists.ipfire.org
From: git@ipfire.org
To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 06988eaf4961be6c74a9aefb8203eb7b53157bd6
Date: Wed, 18 Nov 2015 18:31:56 +0100
Message-ID: <20151118173156.4F15921575@argus.ipfire.org>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated
       via  06988eaf4961be6c74a9aefb8203eb7b53157bd6 (commit)
       via  c77e962d565b1ae07c9b44e3c864c9bacc9f6b78 (commit)
      from  e9fbc1cecf856ccc7f5f2b2c504aa4318e879a7d (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 06988eaf4961be6c74a9aefb8203eb7b53157bd6
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Wed Nov 18 17:31:32 2015 +0000

    core96: Ship updated core initscript
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit c77e962d565b1ae07c9b44e3c864c9bacc9f6b78
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date:   Fri Oct 16 18:49:15 2015 +0200

    snort: Also monitor assigned alias addresses on red.
    
    These changes will allow snort to also inspect the traffic for
    one or more configured alias addresses, which has not been done in the past.
    
    The current situation is, that snort if enabled on red, only inspects
    the traffic which is desired to the statically configured red address.
    
    If some alias addresses have been assigned to the red interface the
    traffic to these addresses will not be checked by snort and
    completely bypasses the IDS.
    
    There is no user interaction required, nor visible-effects or any
    backward-compatibility required, only a restart of snort after the
    update process to protect all red addresses.
    
    To do this we will now check if the RED interface has been set to STATIC (which
    is required to use the aliases function) and any aliases have been configured. In
    case of this, the modified code will add all enabled alias addresses to the HOMENET
    variable in which snort is storing all the monitored addresses.
    
    Fixes #10619.
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

-----------------------------------------------------------------------

Summary of changes:
 config/rootfiles/core/96/filelists/files |  1 +
 src/initscripts/init.d/snort             | 15 +++++++++++++++
 2 files changed, 16 insertions(+)

Difference in files:
diff --git a/config/rootfiles/core/96/filelists/files b/config/rootfiles/core/96/filelists/files
index c9f5f4e..9e120af 100644
--- a/config/rootfiles/core/96/filelists/files
+++ b/config/rootfiles/core/96/filelists/files
@@ -1,3 +1,4 @@
 etc/system-release
 etc/issue
+etc/rc.d/init.d/snort
 opt/pakfire/lib/functions.pl
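Review bot: Adding `etc/rc.d/init.d/snort` to the core 96 file list ships the new initscript, but nothing in the two changed files restarts snort, and the commit message says a restart after the update is needed before the alias addresses are covered. Please confirm that the core 96 update script restarts snort when it is enabled, or add that step; otherwise HOME_NET in /etc/snort/vars keeps its old contents until the next manual restart or reboot.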
diff --git a/src/initscripts/init.d/snort b/src/initscripts/init.d/snort
index e03c80f..58edf1e 100644
--- a/src/initscripts/init.d/snort
+++ b/src/initscripts/init.d/snort
@@ -20,6 +20,8 @@ PATH=/usr/local/sbin:/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin; export PATH
 eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
 eval $(/usr/local/bin/readhash /var/ipfire/snort/settings)
 
+ALIASFILE="/var/ipfire/ethernet/aliases"
+
 case "$1" in
         start)
 		if [ "$BLUE_NETADDRESS" ]; then
@@ -59,6 +61,19 @@ case "$1" in
 			if [ "$LOCAL_IP" ]; then
 				HOMENET+="$LOCAL_IP,"
 			fi
+
+			# Check if the red device is set to static and
+			# any aliases have been configured.
+			if [ "${RED_TYPE}" == "STATIC" ] && [ -s "${ALIASFILE}" ]; then
+				# Read in aliases file.
+				while IFS="," read -r address mode remark; do
+					# Check if the alias is enabled.
+					[ "${mode}" = "on" ] || continue
+
+					# Add alias to the list of HOMENET addresses.
+					HOMENET+="${address},"
+				done < "${ALIASFILE}"
+			fi
 		fi
 		HOMENET+="127.0.0.1"
 		echo "ipvar HOME_NET [$HOMENET]" > /etc/snort/vars
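Review bot: The `address` field read in the `while IFS="," read -r address mode remark` loop is appended to HOMENET without any check, so an enabled line with an empty or malformed first field ends up verbatim in the `ipvar HOME_NET [...]` line written to /etc/snort/vars. Consider skipping entries where `${address}` is empty or does not look like an IPv4 address before the `HOMENET+="${address},"` line. Two smaller points in the same block: `while ... read` drops a final line that has no trailing newline, so an alias on such a line would stay unmonitored (`|| [ -n "${address}" ]` on the loop condition covers that), and the new condition uses `==` inside `[ ]` while the mode test two lines below uses `=`; picking one form keeps the script consistent.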


hooks/post-receive
--
IPFire 2.x development tree
