public inbox for ipfire-scm@lists.ipfire.org
From: Arne Fitzenreiter <git@ipfire.org>
To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, master, updated. 6fc3f2e685d42d9c6261ca281740ce067ab6e00d
Date: Tue, 09 Apr 2019 06:35:26 +0100	[thread overview]
Message-ID: <20190409053527.66D7B84FDB0@people01.i.ipfire.org> (raw)


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, master has been updated
       via  6fc3f2e685d42d9c6261ca281740ce067ab6e00d (commit)
       via  e7dafc3e3eb7be7e685fe0e7b3999fd6f264c80b (commit)
       via  f0ce8b2c8853041cd708a0cef88b1bd22cbf88df (commit)
       via  d66433fca6323940ac217d7a0834a0b178d509eb (commit)
       via  49ce16f9bea9f1812be5cb41ef7b390556fc2364 (commit)
       via  8d76eb20852a695b15e6fd32076128a25fad01d1 (commit)
       via  bfd5cfa9c6949eca6319a774b871007c9da8fd0e (commit)
       via  a485606c27781a5439d38fcde662a786cb5671d9 (commit)
      from  4fc1a0045b48b1a459256d146030279c9905a13e (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 6fc3f2e685d42d9c6261ca281740ce067ab6e00d
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date:   Tue Apr 9 07:31:23 2019 +0200

    core130: insert a core update for urgent fixes.
    
    The bigger changes for suricata and the kernel need a longer time for testing,
    so we insert a core with smaller but important fixes.
    
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

commit e7dafc3e3eb7be7e685fe0e7b3999fd6f264c80b
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date:   Tue Apr 9 07:30:26 2019 +0200

    core130: ship strongswan
    
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

commit f0ce8b2c8853041cd708a0cef88b1bd22cbf88df
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Mon Apr 8 11:56:58 2019 +0100

    core130: Ship perl-Net-SSLeay
    
    This was still using the old version of OpenSSL.
    
    Instead of linking the module (which we should have found earlier)
    the module uses dlopen :(
    
    Fixes: #12044
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit d66433fca6323940ac217d7a0834a0b178d509eb
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Mon Apr 8 16:41:24 2019 +0100

    strongswan: Manually install all routes for non-routed VPNs
    
    This is a regression from disabling charon.install_routes.
    
    VPNs are routing fine as long as traffic is passing through
    the firewall. Traps are not properly used as long as these
    routes are not present and therefore we won't trigger any
    tunnels when traffic originates from the firewall.
    
    Fixes: #12045
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 49ce16f9bea9f1812be5cb41ef7b390556fc2364
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Thu Apr 4 02:07:16 2019 +0100

    core130: Ship updated wget
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 8d76eb20852a695b15e6fd32076128a25fad01d1
Author: Matthias Fischer <matthias.fischer(a)ipfire.org>
Date:   Thu Apr 4 09:43:50 2019 +0200

    wget: Update to 1.20.2
    
    For details see:
    https://fossies.org/linux/wget/ChangeLog
    
    Excerpt from "NEWS":
    
    * Changes in Wget 1.20.2
    ** NTLM authentication will retry under certain cases
    ** Fixed a buffer overflow vulnerability
    
    Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit bfd5cfa9c6949eca6319a774b871007c9da8fd0e
Author: Matthias Fischer <matthias.fischer(a)ipfire.org>
Date:   Wed Mar 27 20:54:10 2019 +0100

    clamav: Update to 0.101.2
    
    For details see:
    https://blog.clamav.net/2019/03/clamav-01012-and-01003-patches-have.html
    
    "ClamAV 0.101.2 is a patch release to address a handful of security related bugs."
    
    Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit a485606c27781a5439d38fcde662a786cb5671d9
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Mon Mar 18 15:24:56 2019 +0000

    ipsec-interfaces: Apply static routes (again) after creating IPsec interfaces
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

-----------------------------------------------------------------------

Summary of changes:
 config/rootfiles/core/{129 => 130}/exclude         |   0
 .../{oldcore/120 => core/130}/filelists/Net_SSLeay |   0
 config/rootfiles/core/130/filelists/files          |   3 +
 .../core/{129 => 130}/filelists/strongswan         |   0
 .../{oldcore/104 => core/130}/filelists/wget       |   0
 config/rootfiles/core/{129 => 130}/update.sh       |   2 +-
 config/rootfiles/packages/clamav                   |   6 +-
 lfs/clamav                                         |   8 +-
 lfs/strongswan                                     |   1 +
 lfs/wget                                           |   6 +-
 make.sh                                            |   4 +-
 src/patches/strongswan-ipfire-revert.patch         | 113 +++++++++++++++++++++
 src/scripts/ipsec-interfaces                       | 100 ++++++++++++++++++
 13 files changed, 230 insertions(+), 13 deletions(-)
 copy config/rootfiles/core/{129 => 130}/exclude (100%)
 copy config/rootfiles/{oldcore/120 => core/130}/filelists/Net_SSLeay (100%)
 create mode 100644 config/rootfiles/core/130/filelists/files
 copy config/rootfiles/core/{129 => 130}/filelists/strongswan (100%)
 copy config/rootfiles/{oldcore/104 => core/130}/filelists/wget (100%)
 copy config/rootfiles/core/{129 => 130}/update.sh (99%)
 create mode 100644 src/patches/strongswan-ipfire-revert.patch

Difference in files:
diff --git a/config/rootfiles/core/130/exclude b/config/rootfiles/core/130/exclude
new file mode 100644
index 000000000..b22159878
--- /dev/null
+++ b/config/rootfiles/core/130/exclude
@@ -0,0 +1,28 @@
+boot/config.txt
+boot/grub/grub.cfg
+boot/grub/grubenv
+etc/alternatives
+etc/collectd.custom
+etc/default/grub
+etc/ipsec.conf
+etc/ipsec.secrets
+etc/ipsec.user.conf
+etc/ipsec.user.secrets
+etc/localtime
+etc/shadow
+etc/snort/snort.conf
+etc/ssl/openssl.cnf
+etc/sudoers
+etc/sysconfig/firewall.local
+etc/sysconfig/rc.local
+etc/udev/rules.d/30-persistent-network.rules
+srv/web/ipfire/html/proxy.pac
+var/ipfire/dma
+var/ipfire/time
+var/ipfire/ovpn
+var/lib/alternatives
+var/log/cache
+var/log/dhcpcd.log
+var/log/messages
+var/state/dhcp/dhcpd.leases
+var/updatecache
diff --git a/config/rootfiles/core/130/filelists/Net_SSLeay b/config/rootfiles/core/130/filelists/Net_SSLeay
new file mode 120000
index 000000000..13fe0560c
--- /dev/null
+++ b/config/rootfiles/core/130/filelists/Net_SSLeay
@@ -0,0 +1 @@
+../../../common/Net_SSLeay
\ No newline at end of file
diff --git a/config/rootfiles/core/130/filelists/files b/config/rootfiles/core/130/filelists/files
new file mode 100644
index 000000000..98b8fec39
--- /dev/null
+++ b/config/rootfiles/core/130/filelists/files
@@ -0,0 +1,3 @@
+etc/system-release
+etc/issue
+usr/local/bin/ipsec-interfaces
diff --git a/config/rootfiles/core/130/filelists/strongswan b/config/rootfiles/core/130/filelists/strongswan
new file mode 120000
index 000000000..90c727e26
--- /dev/null
+++ b/config/rootfiles/core/130/filelists/strongswan
@@ -0,0 +1 @@
+../../../common/strongswan
\ No newline at end of file
diff --git a/config/rootfiles/core/130/filelists/wget b/config/rootfiles/core/130/filelists/wget
new file mode 120000
index 000000000..fcb57dfec
--- /dev/null
+++ b/config/rootfiles/core/130/filelists/wget
@@ -0,0 +1 @@
+../../../common/wget
\ No newline at end of file
diff --git a/config/rootfiles/core/130/update.sh b/config/rootfiles/core/130/update.sh
new file mode 100644
index 000000000..f072e8052
--- /dev/null
+++ b/config/rootfiles/core/130/update.sh
@@ -0,0 +1,77 @@
+#!/bin/bash
+############################################################################
+#                                                                          #
+# This file is part of the IPFire Firewall.                                #
+#                                                                          #
+# IPFire is free software; you can redistribute it and/or modify           #
+# it under the terms of the GNU General Public License as published by     #
+# the Free Software Foundation; either version 3 of the License, or        #
+# (at your option) any later version.                                      #
+#                                                                          #
+# IPFire is distributed in the hope that it will be useful,                #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of           #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the            #
+# GNU General Public License for more details.                             #
+#                                                                          #
+# You should have received a copy of the GNU General Public License        #
+# along with IPFire; if not, write to the Free Software                    #
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307 USA #
+#                                                                          #
+# Copyright (C) 2019 IPFire-Team <info(a)ipfire.org>.                        #
+#                                                                          #
+############################################################################
+#
+. /opt/pakfire/lib/functions.sh
+/usr/local/bin/backupctrl exclude >/dev/null 2>&1
+
+core=130
+
+# Remove old core updates from pakfire cache to save space...
+for (( i=1; i<=$core; i++ )); do
+	rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire
+done
+
+# Stop services
+/etc/init.d/squid stop
+/usr/local/bin/openvpnctrl -k
+/usr/local/bin/openvpnctrl -kn2n
+/usr/local/bin/ipsecctrl D
+/etc/init.d/unbound stop
+
+# Remove files
+rm -vf \
+	/usr/lib/firewall/ipsec-block
+
+# Extract files
+extract_files
+
+# update linker config
+ldconfig
+
+# Update Language cache
+/usr/local/bin/update-lang-cache
+
+# Start services
+/etc/init.d/firewall restart
+/etc/init.d/unbound start
+/usr/local/bin/ipsecctrl S
+/usr/local/bin/openvpnctrl -s
+/usr/local/bin/openvpnctrl -sn2n
+/etc/init.d/squid start
+
+# This update needs a reboot...
+#touch /var/run/need_reboot
+
+# Finish
+/etc/init.d/fireinfo start
+sendprofile
+
+# Update grub config to display new core version
+if [ -e /boot/grub/grub.cfg ]; then
+	grub-mkconfig -o /boot/grub/grub.cfg
+fi
+
+sync
+
+# Don't report the exitcode last command
+exit 0
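Review bot: the comment `# This update needs a reboot...` contradicts the `#touch /var/run/need_reboot` directly below it, which is commented out. Nothing shipped in this core (strongswan, Net_SSLeay, wget, the ipsec-interfaces script) requires a reboot, so either drop the comment or reword it to say that no reboot is needed; as written, someone copying this template for core 131 will not know which of the two lines is the intended state. A second point: the unconditional `exit 0` at the end also swallows a failure of `extract_files`, so a partially extracted update is reported to pakfire as a success and services are restarted against a half-updated tree. Checking the return code of `extract_files` before the service restarts would make that failure visible.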
diff --git a/config/rootfiles/packages/clamav b/config/rootfiles/packages/clamav
index e95d4dc6e..9d6d68647 100644
--- a/config/rootfiles/packages/clamav
+++ b/config/rootfiles/packages/clamav
@@ -13,7 +13,7 @@ usr/bin/sigtool
 #usr/lib/libclamav.la
 usr/lib/libclamav.so
 usr/lib/libclamav.so.9
-usr/lib/libclamav.so.9.0.1
+usr/lib/libclamav.so.9.0.2
 #usr/lib/libclammspack.la
 usr/lib/libclammspack.so
 usr/lib/libclammspack.so.0
@@ -21,11 +21,11 @@ usr/lib/libclammspack.so.0.1.0
 #usr/lib/libclamunrar.la
 usr/lib/libclamunrar.so
 usr/lib/libclamunrar.so.9
-usr/lib/libclamunrar.so.9.0.1
+usr/lib/libclamunrar.so.9.0.2
 #usr/lib/libclamunrar_iface.la
 usr/lib/libclamunrar_iface.so
 usr/lib/libclamunrar_iface.so.9
-usr/lib/libclamunrar_iface.so.9.0.1
+usr/lib/libclamunrar_iface.so.9.0.2
 #usr/lib/pkgconfig/libclamav.pc
 usr/sbin/clamd
 #usr/share/man/man1/clambc.1
diff --git a/lfs/clamav b/lfs/clamav
index a6e44ebf2..640691408 100644
--- a/lfs/clamav
+++ b/lfs/clamav
@@ -1,7 +1,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2018  IPFire Team  <info(a)ipfire.org>                     #
+# Copyright (C) 2007-2019  IPFire Team  <info(a)ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 0.101.1
+VER        = 0.101.2
 
 THISAPP    = clamav-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -32,7 +32,7 @@ DL_FROM    = $(URL_IPFIRE)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 PROG       = clamav
-PAK_VER    = 43
+PAK_VER    = 44
 
 DEPS       = ""
 
@@ -50,7 +50,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_MD5 = 9c137d6172f6e132e08e61fe25b636f8
+$(DL_FILE)_MD5 = faeb0e286e76c2a26e2e10845e4b68db
 
 install : $(TARGET)
 
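Review bot: the new tarball is pinned only by `$(DL_FILE)_MD5 = faeb0e286e76c2a26e2e10845e4b68db`. An MD5 catches a corrupted download but not a substituted archive, since MD5 collisions are cheap to produce, and this is a security update for a component that parses untrusted input. Recording a SHA-256 alongside (or instead of) the MD5, and noting in the commit message that the digest was checked against ClamAV's published release signature, would make the supply-chain check meaningful. The same applies to the wget version bump in lfs/wget further down.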
diff --git a/lfs/strongswan b/lfs/strongswan
index 4174f78fe..714537e36 100644
--- a/lfs/strongswan
+++ b/lfs/strongswan
@@ -73,6 +73,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-disable-ipv6.patch
 	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-ipfire.patch
 	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-ipfire-interfaces.patch
+	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-ipfire-revert.patch
 
 	cd $(DIR_APP) && ./configure \
 		--prefix="/usr" \
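Review bot: the added `patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-ipfire-revert.patch` line gives no hint of what is being reverted, and the file name does not either. The block it removes from `_updown.in` (the VARS array, `ip_in_subnet`, the IPSECNAT SNAT rules) was introduced by one of the preceding IPFire patches in this same series, so editing that patch would keep the series shorter and easier to audit than stacking a revert on top of it. If the separate file is kept, at least add a comment here naming the patch it undoes.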
diff --git a/lfs/wget b/lfs/wget
index b8c83d10d..ac2fa826c 100644
--- a/lfs/wget
+++ b/lfs/wget
@@ -1,7 +1,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2018  IPFire Team  <info(a)ipfire.org>                     #
+# Copyright (C) 2007-2019  IPFire Team  <info(a)ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 1.20.1
+VER        = 1.20.2
 
 THISAPP    = wget-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_MD5 = f6ebe9c7b375fc9832fb1b2028271fb7
+$(DL_FILE)_MD5 = 2692f6678e93601441306b5c1fc6a77a
 
 install : $(TARGET)
 
diff --git a/make.sh b/make.sh
index 3453c6719..08cf31901 100755
--- a/make.sh
+++ b/make.sh
@@ -25,8 +25,8 @@
 NAME="IPFire"							# Software name
 SNAME="ipfire"							# Short name
 VERSION="2.21"							# Version number
-CORE="129"							# Core Level (Filename)
-PAKFIRE_CORE="129"						# Core Level (PAKFIRE)
+CORE="130"							# Core Level (Filename)
+PAKFIRE_CORE="130"						# Core Level (PAKFIRE)
 GIT_BRANCH=`git rev-parse --abbrev-ref HEAD`			# Git Branch
 SLOGAN="www.ipfire.org"						# Software slogan
 CONFIG_ROOT=/var/ipfire						# Configuration rootdir
diff --git a/src/patches/strongswan-ipfire-revert.patch b/src/patches/strongswan-ipfire-revert.patch
new file mode 100644
index 000000000..91c76212e
--- /dev/null
+++ b/src/patches/strongswan-ipfire-revert.patch
@@ -0,0 +1,113 @@
+--- strongswan-5.7.2/src/_updown/_updown.in.bak	2019-04-08 16:27:08.549214441 +0100
++++ strongswan-5.7.2/src/_updown/_updown.in	2019-04-08 16:30:30.195868788 +0100
+@@ -130,36 +130,6 @@
+ #              address family.
+ #
+ 
+-VARS=(
+-	id status name lefthost type ctype psk local local_id leftsubnets
+-	remote_id remote rightsubnets x3 x4 x5 x6 x7 x8 x9 x10 x11 x12
+-	x13 x14 x15 x16 x17 x18 x19 proto x20 x21 x22
+-	route x23 mode interface_mode interface_address interface_mtu rest
+-)
+-
+-function ip_encode() {
+-	local IFS=.
+-
+-	local int=0
+-	for field in $1; do
+-		int=$(( $(( $int << 8 )) | $field ))
+-	done
+-
+-	echo $int
+-}
+-
+-function ip_in_subnet() {
+-	local netmask
+-	netmask=$(_netmask $2)
+-	[ $(( $(ip_encode $1) & $netmask)) = $(( $(ip_encode ${2%/*}) & $netmask )) ]
+-}
+-
+-function _netmask() {
+-	local vlsm
+-	vlsm=${1#*/}
+-	[ $vlsm -eq 0 ] && echo 0 || echo $(( -1 << $(( 32 - $vlsm )) ))
+-}
+-
+ # define a minimum PATH environment in case it is not set
+ PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
+ export PATH
+@@ -326,13 +296,6 @@
+ 	fi
+ 	;;
+ up-client:iptables)
+-	# Read IPsec configuration
+-	while IFS="," read -r "${VARS[@]}"; do
+-		if [ "${PLUTO_CONNECTION}" = "${name}" ]; then
+-			break
+-		fi
+-	done < /var/ipfire/vpn/config
+-
+ 	# connection to client subnet, with (left/right)firewall=yes, coming up
+ 	# This is used only by the default updown script, not by your custom
+ 	# ones, so do not mess with it; see CAUTION comment up at top.
+@@ -396,30 +359,6 @@
+ 	    logger -t $TAG -p $FAC_PRIO \
+ 	      "tunnel+ $PLUTO_PEER -- $PLUTO_ME"
+ 	fi
+-
+-	if [ -z "${interface_mode}" ]; then
+-		# Add source nat so also the gateway can access the other nets
+-		eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
+-		for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
+-			ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
+-			if [ $? -eq 0 ]; then
+-				src=${_src}
+-				break
+-			fi
+-		done
+-
+-		if [ -n "${src}" ]; then
+-			iptables --wait -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
+-			logger -t $TAG -p $FAC_PRIO \
+-				"snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
+-		else
+-			logger -t $TAG -p $FAC_PRIO \
+-				"Cannot create NAT rule because no IP of the IPFire does match the subnet. $PLUTO_MY_CLIENT"
+-		fi
+-	fi
+-
+-	# Flush routing cache
+-	ip route flush cache
+ 	;;
+ down-client:iptables)
+ 	# connection to client subnet, with (left/right)firewall=yes, going down
+@@ -487,28 +426,6 @@
+ 	    logger -t $TAG -p $FAC_PRIO \
+ 	      "tunnel- $PLUTO_PEER -- $PLUTO_ME"
+ 	fi
+-
+-	# remove source nat
+-	eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
+-	for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
+-		ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
+-		if [ $? -eq 0 ]; then
+-			src=${_src}
+-			break
+-		fi
+-	done
+-
+-	if [ -n "${src}" ]; then
+-		iptables --wait -t nat -D IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
+-		logger -t $TAG -p $FAC_PRIO \
+-			"snat- $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
+-	else
+-		logger -t $TAG -p $FAC_PRIO \
+-			"Cannot remove NAT rule because no IP of the IPFire does match the subnet."
+-	fi
+-
+-	# Flush routing cache
+-	ip route flush cache
+ 	;;
+ #
+ # IPv6
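Review bot: the patch carries no description of what it undoes or why. Besides the SNAT logic, the `up-client:iptables` and `down-client:iptables` hunks also drop the `ip route flush cache` calls at the end of both branches; that is harmless (Linux has had no IPv4 routing cache since 3.6) but should be stated in a patch header so a later reader does not mistake it for a behavioural change. Note for the upgrade path: with the `down-client:iptables` hunk applied, the new `_updown` no longer deletes IPSECNAT rules, so rules inserted by the old script must already be gone when the new one takes over. update.sh runs `ipsecctrl D` before `extract_files`, while the old script is still installed, which is what covers that; worth a sentence in the commit message.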
diff --git a/src/scripts/ipsec-interfaces b/src/scripts/ipsec-interfaces
index 0e43fccbc..2546f8927 100644
--- a/src/scripts/ipsec-interfaces
+++ b/src/scripts/ipsec-interfaces
@@ -23,9 +23,19 @@ shopt -s nullglob
 
 VPN_CONFIG="/var/ipfire/vpn/config"
 
+ROUTE_TABLE="220"
+ROUTE_TABLE_PRIO="128"
+
 eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
 eval $(/usr/local/bin/readhash /var/ipfire/vpn/settings)
 
+# Get RED interface name
+if [ -r "/var/ipfire/red/iface" ]; then
+	RED_INTF="$(</var/ipfire/red/iface)"
+else
+	RED_INTF="red0"
+fi
+
 VARS=(
 	id status name lefthost type ctype psk local local_id leftsubnets
 	remote_id remote rightsubnets x3 x4 x5 x6 x7 x8 x9 x10 x11 x12
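Review bot: `ROUTE_TABLE="220"` is the table charon itself populates when `charon.install_routes` is enabled, and `main()` flushes that table unconditionally. Add a comment next to the constant that this reuse relies on `install_routes` staying disabled (the commit message says it was), because re-enabling it later would make every run of this script wipe charon's own routes. Minor: the fallback `RED_INTF="red0"` when `/var/ipfire/red/iface` is missing silently picks a device; if RED is not up yet, routes end up bound to a device that may not be the real one, so logging that the fallback was taken would help when debugging "no tunnel from the firewall" reports.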
@@ -43,6 +53,52 @@ resolve_hostname() {
 	dig +short A "${hostname}" | tail -n1
 }
 
+ip_encode() {
+	local address="${1}"
+
+	local int=0
+	for field in ${address//./ }; do
+		int=$(( $(( ${int} << 8 )) | ${field} ))
+	done
+
+	echo ${int}
+}
+
+function ip_in_subnet() {
+	local address="${1}"
+	local subnet="${2}"
+
+	local netmask="${subnet#*/}"
+
+	# Convert netmask to prefix if necessary
+	case "${netmask}" in
+		[0-9]+)
+			;;
+		*)
+			netmask="$(netmask2prefix "${netmask}")"
+			;;
+	esac
+
+	local vlsm=$(( -1 << $(( 32 - ${netmask} )) ))
+
+	[ "$(( $(ip_encode "${address}") & ${vlsm} ))" -eq "$(( $(ip_encode "${subnet%/*}") & ${vlsm} ))" ]
+}
+
+netmask2prefix() {
+	local netmask="${1}"
+	local mask="$(ip_encode "${netmask}")"
+
+	local cidr=0
+	local x="$(( 128 << 24 ))" # 0x80000000
+
+	while [ $(( ${x} & ${mask} )) -ne 0 ]; do
+		[ ${mask} -eq ${x} ] && mask=0 || mask=$(( ${mask} << 1 ))
+		cidr=$(( ${cidr} + 1 ))
+	done
+
+	echo "${cidr}"
+}
+
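Review bot: the pattern `[0-9]+)` in `ip_in_subnet` is a glob, not a regex, so it matches exactly one digit followed by a literal `+`. Any prefix-length subnet such as `192.168.1.0/24` therefore falls through to `*)` and `netmask2prefix "24"` is called, which encodes 24 as an integer, finds bit 31 clear and returns prefix 0; `vlsm=$(( -1 << 32 ))` is then 0xFFFFFFFF00000000 in bash's 64-bit arithmetic, which ANDs every 32-bit address to 0 on both sides, so the test succeeds for every address and the first GREEN/BLUE/ORANGE address is always chosen. Use `[[ "${netmask}" =~ ^[0-9]+$ ]]` (or `+([0-9])` with `shopt -s extglob`) for the numeric case and mask the result, e.g. `local vlsm=$(( (-1 << (32 - netmask)) & 0xffffffff ))`. `netmask2prefix` also returns a prefix for non-contiguous masks without complaint; checking that `mask` is zero after the loop would reject those. Style: `function ip_in_subnet()` mixes the `function` keyword with the `name()` form used by `ip_encode` and `netmask2prefix` directly above and below it.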
 main() {
 	# Register local variables
 	local "${VARS[@]}"
@@ -50,8 +106,17 @@ main() {
 
 	local interfaces=()
 
+	# Flush IPsec routes
+	ip route flush table "${ROUTE_TABLE}"
+
+	# Remove lookups
+	ip rule del lookup "${ROUTE_TABLE}"
+
 	# We are done when IPsec is not enabled
 	if [ "${ENABLED}" = "on" ]; then
+		# Enable route table lookup
+		ip rule add lookup "${ROUTE_TABLE}" prio "${ROUTE_TABLE_PRIO}"
+
 		while IFS="," read -r "${VARS[@]}"; do
 			# Check if the connection is enabled
 			[ "${status}" = "on" ] || continue
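Review bot: `ip rule del lookup "${ROUTE_TABLE}"` fails with "RTNETLINK answers: No such file or directory" on the first run and on every run while IPsec is disabled, and that error goes to whoever invoked the script (or the log). Either redirect stderr, or only delete when `ip rule show` lists the rule. A loop of the form `while ip rule del lookup "${ROUTE_TABLE}" 2>/dev/null; do :; done` is the usual idiom: it is silent when nothing is there and also removes any duplicates that might have accumulated.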
@@ -65,6 +130,38 @@ main() {
 					local intf="${interface_mode}${id}"
 					;;
 				*)
+					# Install routes
+					local address
+
+					local _address
+					for _address in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
+						local leftsubnet
+						for leftsubnet in ${leftsubnets//\|/ }; do
+							if ip_in_subnet "${_address}" "${leftsubnet}"; then
+								address="${_address}"
+								break
+							fi
+						done
+
+						# End loop when address is set
+						[ -n "${address}" ] && break
+					done
+
+					local rightsubnet
+					for rightsubnet in ${rightsubnets//\|/ }; do
+						# Ignore default
+						case "${rightsubnet}" in
+							0.0.0.0/*)
+								continue
+								;;
+						esac
+
+						log "Creating route to ${rightsubnet} (via ${address} and ${RED_INTF})"
+						ip route add table "${ROUTE_TABLE}" "${rightsubnet}" proto static \
+							dev "${RED_INTF}" src "${address}"
+					done
+
+					# No interface processing required
 					continue
 					;;
 			esac
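Review bot: `local address` inside the `*)` branch does not reset the variable between connections; bash keeps the value of an existing local on a bare re-declaration, so if the second connection's `leftsubnets` match no local address, `address` still holds the first connection's value, the `[ -n "${address}" ] && break` fires on the first iteration, and routes for the second connection are installed with the wrong `src`. Write `local address=""` instead. When no local address matches at all, `ip route add ... src ""` is rejected by `ip`, so nothing is installed, while the preceding `log "Creating route to ..."` line claims success; skip the `src` argument (or the whole route) and log a warning in that case. Finally, two enabled connections that share a `rightsubnet` make the second `ip route add` fail with "File exists"; `ip route replace` would make the loop idempotent.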
@@ -167,6 +264,9 @@ main() {
 		log "Deleting interface ${intf}"
 		ip link del "${intf}" &>/dev/null
 	done
+
+	# (Re-)Apply all static routes
+	/etc/init.d/static-routes start
 }
 
 main || exit $?


hooks/post-receive
--
IPFire 2.x development tree
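The subnet-membership helper in the ipsec-interfaces change is the piece of this core most likely to misbehave on real configuration data, so here is a stand-alone version of that check in POSIX sh. This is an added example written for this review, not IPFire's code; it reuses the helper names `ip_encode`, `netmask2prefix` and `ip_in_subnet` from the script but re-implements them, and `prefix2mask` and `subnet_prefix` are my own additions. It accepts both forms a subnet may be written in (prefix length or dotted netmask), rejects malformed input and non-contiguous masks, keeps every intermediate value inside 32 bits, and ends with a demonstration run over constructed addresses.

```shell
# Added example, not IPFire code: a POSIX-sh "is ADDRESS inside SUBNET" check
# that accepts both "192.168.1.0/24" and "192.168.1.0/255.255.255.0", rejects
# malformed input, and keeps every intermediate value inside 32 bits.

# Dotted quad -> unsigned 32-bit integer; fails unless it is four octets in 0-255
ip_encode() {
	local int=0 n=0 field
	local IFS=.
	for field in $1; do
		case "$field" in ''|*[!0-9]*) return 1 ;; esac
		[ "$field" -le 255 ] || return 1
		int=$(( (int << 8) | field ))
		n=$(( n + 1 ))
	done
	[ "$n" -eq 4 ] || return 1
	echo "$int"
}

# Dotted netmask -> prefix length (255.255.255.0 -> 24); fails on non-contiguous masks
netmask2prefix() {
	local mask prefix=0
	mask=$(ip_encode "$1") || return 1
	while [ $(( mask & 2147483648 )) -ne 0 ]; do   # while bit 31 (0x80000000) is set
		prefix=$(( prefix + 1 ))
		mask=$(( (mask << 1) & 4294967295 ))        # shift left, stay inside 32 bits
	done
	[ "$mask" -eq 0 ] || return 1                   # leftover bits: mask not contiguous
	echo "$prefix"
}

# Prefix length -> 32-bit mask. The trailing & is what stops a prefix of 0 from
# producing a 64-bit -1<<32 that would AND every address to zero.
prefix2mask() {
	echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# "a.b.c.d/N", "a.b.c.d/M.M.M.M" or bare "a.b.c.d" -> prefix length
subnet_prefix() {
	local suffix="${1#*/}"
	case "$suffix" in
		"$1")      echo 32 ;;                  # no slash at all: host route
		'')        return 1 ;;                 # "10.0.0.0/" is malformed
		*[!0-9]*)  netmask2prefix "$suffix" ;; # dotted netmask
		*)         [ "$suffix" -le 32 ] || return 1
		           echo "$suffix" ;;           # plain prefix length
	esac
}

# ip_in_subnet ADDRESS SUBNET -> 0 if inside, 1 if outside, 2 on invalid input
ip_in_subnet() {
	local addr net prefix mask
	addr=$(ip_encode "$1") || return 2
	net=$(ip_encode "${2%/*}") || return 2
	prefix=$(subnet_prefix "$2") || return 2
	mask=$(prefix2mask "$prefix")
	[ $(( addr & mask )) -eq $(( net & mask )) ]
}

# Demonstration run on constructed inputs
for pair in "192.168.1.20 192.168.1.0/24" \
            "192.168.1.20 192.168.1.0/255.255.255.0" \
            "192.168.2.7 192.168.1.0/24" \
            "10.0.0.5 0.0.0.0/0" \
            "10.0.0.5 10.0.0.0/255.0.255.0"; do
	set -- $pair
	ip_in_subnet "$1" "$2" && rc=0 || rc=$?
	case $rc in
		0) echo "$1 is inside $2" ;;
		1) echo "$1 is outside $2" ;;
		*) echo "$2 is not a valid subnet" ;;
	esac
done
```

The two details that matter for the script in this core are the `*[!0-9]*` branch, which is how a POSIX `case` distinguishes a dotted mask from a plain number (a `[0-9]+` glob cannot), and the `& 4294967295` in `prefix2mask`, without which a prefix of 0 makes every address match.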
