* [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 61cc563558f0bd2fed68a60e83f68d595855e7d7
@ 2020-01-13 21:44 Arne Fitzenreiter
From: Arne Fitzenreiter @ 2020-01-13 21:44 UTC (permalink / raw)
  To: ipfire-scm


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated
       via  61cc563558f0bd2fed68a60e83f68d595855e7d7 (commit)
       via  7be4822f3d60eee6be75cb622b153ae2487bcdce (commit)
       via  04b7a78140356b6c3288364cb1451f012e842fe4 (commit)
       via  ebc14e8db2c43274770153b7561d8be0ac2f7139 (commit)
       via  24a694d425b3036a3334ded8a39b74833c7ab05d (commit)
       via  77c454b267f4a99809226b4a5f0d2c7ca31265b4 (commit)
       via  d37cdb1bf80a97ea55c18d566fb3154b75d228a0 (commit)
       via  6137797cb39b32e49d97eee572478a92099ded23 (commit)
       via  903247fef8bb482d81aeef98a88b8acf1a024482 (commit)
       via  f59bc0c55d807ca37ef39654cdfb60d53bdfa65e (commit)
       via  a25dcda295b45ca6e5789c01c7b78f639d188bb3 (commit)
       via  39a6219fff28fa4af0754683148f1fb781cef818 (commit)
       via  6e61f357fbba0bee4c01a66637e6fd44cdf85905 (commit)
       via  611587cf29033a8cdcd86b02a5ec40bd8a9b2a08 (commit)
       via  4caa0efc595594d167d24085f7a181a4baa7bdc0 (commit)
       via  0c1094770a727b2c269c5c7c88eabd4ee9d01dcd (commit)
       via  bdb1f38a07370c006f06ad31582abe8e0ff8c4a7 (commit)
       via  f03f34298bbd749211d7ee8c6c4252bb9cc1bda8 (commit)
       via  c73baee1f05ed75e66e5f2b894241cc38acb1072 (commit)
       via  8fbb12f168f770835cd3637996ca6fac974f1c0e (commit)
       via  dc7466ce9a007b1fe5554d6c873d40c724ccd1a5 (commit)
       via  12c49915d8ab35f3f7ae9ee404311efb6284c840 (commit)
       via  c8dcd46537bebe4f59cd7c22d09c45e98bfecb1f (commit)
       via  9f9b2b8ebc2751064503fed22602f7608d8c316e (commit)
       via  9702252470263975e972e9ea9be9a87bc5541de1 (commit)
       via  8f4bde6574d83ac197b071caaf4dd857b791ce64 (commit)
       via  46cc88ed22d2e4af848c5ada6319c9e2c9e790c7 (commit)
       via  719db1cdb80ce4a11f932c4bc0c92196f423e902 (commit)
       via  770ea81ee514c92038f1c28546d99e7872aae1ad (commit)
       via  43140993025fd6fb0b4da264fe478762c63f0bf8 (commit)
       via  a969acc7d76d91963cab41facc611a3f78c8af70 (commit)
       via  03e466de35d450853b5f7f8b82b24b64dd9f20fd (commit)
       via  038f962ea0555c132287db4c20f83800becf846f (commit)
       via  70187da6a665120f1af623899a10b0b1eff670e3 (commit)
       via  f36855fe73010235ffbcf409219cbb2dadded8a2 (commit)
       via  f10fb4bf4366f515f0ff523e5ae0469f55edcb70 (commit)
       via  25dda4a082b6b2927cbe16039bf1ef96b955a1ff (commit)
       via  beebf925c38004d0703f8777a16f32adb9e1d8fa (commit)
       via  a33489a7aa6cd8f42c48f23b193e75fa8156b71f (commit)
       via  a32fd634ceb2e2227fb5e4104b5c9f1cfa5263d0 (commit)
       via  4b26aac62535a79dff2882356a32a1594270f3b8 (commit)
       via  2654c6694571baf4efafee6deb0b0b4dd1f85b39 (commit)
       via  54898bc6c1951ec42f2cdced18235a31fcc7840e (commit)
       via  77c7a94cdd6d0cf6fa1a48cd1248205dea1d6069 (commit)
       via  984f14bdc4e1663200d286f98935158884366fa4 (commit)
       via  71471d9bded39dc2186a96b0eb7d5f18c103636f (commit)
       via  dab1258a789ab3c09b6766e603bbdbab57010909 (commit)
       via  1434fa0df5ab01c2e3a430f05db159a3a82bc3ba (commit)
       via  4e2d3325afaf413e707e5d4db7172c7f379b59ce (commit)
       via  ffc46751f29af7759e051cbb0114b79b4fba4433 (commit)
       via  ee90aa9858451db1e93e463db4b90332bbad7320 (commit)
       via  50005ad1d4da8a95dac1518d40e02344de58944f (commit)
       via  94a51c64bb7aead36ea0e6d40de06a8cc195cd5d (commit)
       via  15cf79e3b864bef46d32b08e3b381a654e00950e (commit)
       via  dea5f34914819b5f6c0801ff12eafa521c79188b (commit)
       via  372576e0ab699a188e9248d73afcc00a5a635d2b (commit)
       via  3bf804e83400c87398950526170b3d77bf38b8a6 (commit)
       via  0fa6bde78ab9d25a078cad1b233e67c14bfe1cc9 (commit)
       via  cdfc93cb7abd412987bbf098117fa86cb475de72 (commit)
       via  e8981e3c8faafbf042e29d3896b6c81b77e5fe2c (commit)
       via  ecbf66761f922f821940ec063d271acae89c78cb (commit)
       via  2946d562f1fa06840e576184d58a1e90a03934e7 (commit)
       via  24d7c5ef6bea7b6521d309757d2fa0461935f89d (commit)
       via  456f0b06f4691cd7e07b9e5ec5bb86d0117c3456 (commit)
       via  0bb159bbfc6dd48bf2b6aa4b4d7e1d87f61e1655 (commit)
       via  c5d20f9665a659ddd5fc46fa8cba1c3133a91180 (commit)
       via  1cb8ffe84d5d3ea1699fa566ce8fa03f50638f4a (commit)
       via  f8e7c1c9d07d348e8c3235c83fd889068269c823 (commit)
       via  93a985cc05e6b564ac1e3fc59fd37e94c77000ca (commit)
      from  23dc6e0b23dc519b41a26ff25ecf0e221863128f (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 61cc563558f0bd2fed68a60e83f68d595855e7d7
Merge: 23dc6e0b2 7be4822f3
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date:   Mon Jan 13 21:42:49 2020 +0000

    Merge remote-tracking branch 'ms/next-dns-ng' into next

commit 7be4822f3d60eee6be75cb622b153ae2487bcdce
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Mon Jan 13 21:43:27 2020 +0100

    unbound: Make dhcp-leases.conf readable for everyone
    
    unbound runs as nobody and cannot reload its configuration
    when this file is only readable by root.
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 04b7a78140356b6c3288364cb1451f012e842fe4
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Mon Jan 13 21:25:10 2020 +0100

    unbound: Do not reset safe search again
    
    This is now done in the reload stage and we do not need to
    take care about it again.
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit ebc14e8db2c43274770153b7561d8be0ac2f7139
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Mon Jan 13 21:20:32 2020 +0100

    unbound: Drop some unused variables
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 24a694d425b3036a3334ded8a39b74833c7ab05d
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Mon Jan 13 21:19:22 2020 +0100

    unbound: Drop function to reload forwarders on the fly
    
    This is now being done by updating and re-reading forward.conf.
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 77c454b267f4a99809226b4a5f0d2c7ca31265b4
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Mon Jan 13 21:13:03 2020 +0100

    dnsforward.cgi: Reloading unbound is enough to apply changes
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit d37cdb1bf80a97ea55c18d566fb3154b75d228a0
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Mon Jan 13 21:12:02 2020 +0100

    hosts.cgi: Hosts can now be imported when reloading unbound
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 6137797cb39b32e49d97eee572478a92099ded23
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Mon Jan 13 21:10:18 2020 +0100

    unbound: Write hosts to unbound configuration file
    
    This will allow us to read more hosts in a shorter time.
    
    Fixes: #11743
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 903247fef8bb482d81aeef98a88b8acf1a024482
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Mon Jan 13 20:55:59 2020 +0100

    unbound: There is no need to rewrite tuning.conf
    
    The number of CPU cores and memory normally does not change
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit f59bc0c55d807ca37ef39654cdfb60d53bdfa65e
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Mon Jan 13 20:55:32 2020 +0100

    unbound: Reload own hostname, too
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit a25dcda295b45ca6e5789c01c7b78f639d188bb3
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Mon Jan 13 20:44:55 2020 +0100

    dns.cgi: Fix check for undefined variable
    
    This was positive when zero was returned.
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 39a6219fff28fa4af0754683148f1fb781cef818
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date:   Mon Jan 13 17:40:29 2020 +0100

    dns.cgi: Show error when trying to use ISP nameservers and TLS at the same time.
    
    Because the ISP-assigned nameservers do not have any TLS-hostname
    information, they cannot be used when TLS is activated.
    
    They can only be used if they are added as "regular" DNS servers
    with a TLS-hostname.
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>

commit 6e61f357fbba0bee4c01a66637e6fd44cdf85905
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Mon Jan 13 16:05:27 2020 +0000

    setup: Remove DNS settings
    
    This is no longer required since we have a new CGI script
    that takes care of all DNS settings and stores things in
    another format.
    
    Fixes: #12235
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>

commit 611587cf29033a8cdcd86b02a5ec40bd8a9b2a08
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date:   Mon Jan 13 10:42:56 2020 +0100

    dns.cgi: Fix id compare when adding a new nameserver.
    
    I do not know why Perl, when using "le" (which means "less-or-equal"),
    treats "10" as "1".
    
    This commit fixes the issue that it was not possible to add more than 8
    nameservers.
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>

commit 4caa0efc595594d167d24085f7a181a4baa7bdc0
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date:   Sat Jan 11 19:37:50 2020 +0100

    ids.cgi: Do reload instead of restarting unbound
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>

commit 0c1094770a727b2c269c5c7c88eabd4ee9d01dcd
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date:   Sat Jan 11 19:36:29 2020 +0100

    initscripts/unbound: Add support for reload the service
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>

commit bdb1f38a07370c006f06ad31582abe8e0ff8c4a7
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date:   Sat Jan 11 19:35:24 2020 +0100

    unboundctrl: Add support for calling reload.
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>

commit f03f34298bbd749211d7ee8c6c4252bb9cc1bda8
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date:   Sat Jan 11 19:34:12 2020 +0100

    dns.cgi: Only perform reverse lookup if DNS is working.
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>

commit c73baee1f05ed75e66e5f2b894241cc38acb1072
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date:   Fri Jan 10 09:29:47 2020 +0100

    convert-dns-settings: Set correct ownership after convert is done.
    
    Otherwise it may happen that the created config files have the wrong
    permissions and the WUI will break.
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>

commit 8fbb12f168f770835cd3637996ca6fac974f1c0e
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date:   Thu Jan 9 16:36:39 2020 +0100

    dns.cgi: Restart suricata if neccessary.
    
    When the DNS configuration of the system is changed,
    we need to re-generate the file which contains the DNS Server
    details for suricata and to restart the service.
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>

commit dc7466ce9a007b1fe5554d6c873d40c724ccd1a5
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date:   Thu Jan 9 16:30:10 2020 +0100

    index.cgi: Do not longer display the DNS servers.
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>

commit 12c49915d8ab35f3f7ae9ee404311efb6284c840
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date:   Thu Jan 9 16:25:01 2020 +0100

    ids-functions.pl: Update generate_dns_servers_file() function.
    
    The function now uses the newly introduced get_nameservers() function
    while generating the DNS servers file.
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>

commit c8dcd46537bebe4f59cd7c22d09c45e98bfecb1f
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date:   Thu Jan 9 16:08:13 2020 +0100

    general-functions.pl: Add get_nameservers().
    
    This function simply returns an array of all used nameservers.
    
    It also takes care if the usage of ISP assigned nameservers
    is enabled or not and if user-added nameservers are enabled or not.
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>

commit 9f9b2b8ebc2751064503fed22602f7608d8c316e
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date:   Thu Jan 9 09:15:05 2020 +0100

    guardian: Remove code for DNS servers.
    
    In the past this code was used to add the DNS servers
    to the ignore list and prevent them from being blocked by
    guardian.
    
    Because of the switch to suricata as IPS, guardian now only protects
    against password brute-forcing on SSH and/or the webserver, so this
    code is no longer needed and can safely be removed.
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>

commit 9702252470263975e972e9ea9be9a87bc5541de1
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date:   Wed Jan 8 18:44:41 2020 +0100

    dns.cgi: Move grab_address_from_file function to general-functions.pl
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>

commit 8f4bde6574d83ac197b071caaf4dd857b791ce64
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date:   Wed Jan 8 18:19:58 2020 +0100

    dns.cgi: Also restart unbound if a server got enabled/disabled
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>

commit 46cc88ed22d2e4af848c5ada6319c9e2c9e790c7
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date:   Wed Jan 8 18:15:33 2020 +0100

    dns.cgi: Remove accidently commited debug code
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>

commit 719db1cdb80ce4a11f932c4bc0c92196f423e902
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date:   Wed Jan 8 18:10:23 2020 +0100

    dns.cgi: Restart unbound
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>

commit 770ea81ee514c92038f1c28546d99e7872aae1ad
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date:   Wed Jan 8 18:00:15 2020 +0100

    dns.cgi: Display DNS system status.
    
    For this, a test query is sent to the local unbound instance; if the
    DNS system works properly, it can be answered.
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>

commit 43140993025fd6fb0b4da264fe478762c63f0bf8
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date:   Wed Jan 8 15:24:59 2020 +0100

    dns.cgi: Perform server checks on user request
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>

commit a969acc7d76d91963cab41facc611a3f78c8af70
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date:   Wed Jan 8 15:22:56 2020 +0100

    dns.cgi: Remove hard-coded box title.
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>

commit 03e466de35d450853b5f7f8b82b24b64dd9f20fd
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date:   Wed Jan 8 12:58:50 2020 +0100

    dns.cgi: Do not perform kdig tests when adding a server
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>

commit 038f962ea0555c132287db4c20f83800becf846f
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date:   Wed Jan 8 12:12:29 2020 +0100

    dns.cgi: Check for empty server address.
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>

commit 70187da6a665120f1af623899a10b0b1eff670e3
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date:   Wed Jan 8 11:13:05 2020 +0100

    dns.cgi: Perform kdig tests only if the system is online.
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>

commit f36855fe73010235ffbcf409219cbb2dadded8a2
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date:   Wed Jan 8 11:12:42 2020 +0100

    dns.cgi: Introduce red_is_active()
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>

commit f10fb4bf4366f515f0ff523e5ae0469f55edcb70
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date:   Wed Jan 8 10:35:52 2020 +0100

    dns.cgi: Always display the input field for TLS_HOSTNAME
    
    * Mark it as required if the protocol is set to TLS.
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>

commit 25dda4a082b6b2927cbe16039bf1ef96b955a1ff
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date:   Wed Jan 8 10:35:24 2020 +0100

    dns.cgi: Only perform reverse lookups if the system is online
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>

commit beebf925c38004d0703f8777a16f32adb9e1d8fa
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Tue Jan 7 16:32:35 2020 +0000

    unbound: Implement setting qname minimisation into strict mode
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit a33489a7aa6cd8f42c48f23b193e75fa8156b71f
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Tue Jan 7 16:24:35 2020 +0000

    unbound: Try to set time when DNS is not working
    
    Since DNSSEC relies on time to validate its signatures,
    a common problem is that some systems (usually those without
    a working RTC) are not able to reach their time server.
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit a32fd634ceb2e2227fb5e4104b5c9f1cfa5263d0
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Tue Jan 7 16:02:14 2020 +0000

    unbound: Do not update the forwarders when we are running in TLS mode
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 4b26aac62535a79dff2882356a32a1594270f3b8
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Tue Jan 7 15:28:21 2020 +0000

    unbound: Read configuration globally
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 2654c6694571baf4efafee6deb0b0b4dd1f85b39
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Tue Jan 7 15:21:59 2020 +0000

    unbound: Update forwarders when system connects/disconnects
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 54898bc6c1951ec42f2cdced18235a31fcc7840e
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Tue Jan 7 14:57:12 2020 +0000

    unbound: Update setting Safe Search redirects
    
    When the system comes online, we must update entries
    in the unbound cache to point to the "safe" IP addresses.
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 77c7a94cdd6d0cf6fa1a48cd1248205dea1d6069
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Tue Jan 7 14:49:54 2020 +0000

    dns.cgi: Show ISP name servers as disabled
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 984f14bdc4e1663200d286f98935158884366fa4
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Tue Jan 7 14:41:13 2020 +0000

    dns.cgi: Fix handling of WARNINGs from kdig
    
    There might be multiple warnings which must all be shown
    to the user.
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 71471d9bded39dc2186a96b0eb7d5f18c103636f
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Tue Jan 7 13:46:11 2020 +0000

    dns.cgi: Remove smartmatch operator
    
    Perl likes to make things difficult
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit dab1258a789ab3c09b6766e603bbdbab57010909
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Tue Jan 7 13:45:21 2020 +0000

    dns.cgi: Timeout after 2 seconds for DNS server checks
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 1434fa0df5ab01c2e3a430f05db159a3a82bc3ba
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Tue Jan 7 13:35:45 2020 +0000

    DNS: Write name servers received from ISP to /var/run/dns{1,2}
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 4e2d3325afaf413e707e5d4db7172c7f379b59ce
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Tue Jan 7 13:06:09 2020 +0000

    unbound: Drop live checks
    
    Those checks have caused us a lot of trouble and are now being dropped.
    
    Users must make sure to choose servers that support DNSSEC or enable
    any of the tunneling mechanisms to be able to reach them.
    
    Fixes: #12239
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit ffc46751f29af7759e051cbb0114b79b4fba4433
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Tue Jan 7 12:59:24 2020 +0000

    unbound: Add path to TLS CA bundle
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit ee90aa9858451db1e93e463db4b90332bbad7320
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Tue Jan 7 12:58:28 2020 +0000

    unbound: No longer read old configuration file
    
    The old configuration file in /etc/sysconfig/unbound is no
    longer being used and all settings should be in
    /var/ipfire/dns/settings.
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 50005ad1d4da8a95dac1518d40e02344de58944f
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Tue Jan 7 12:55:35 2020 +0000

    unbound: Write upstream name servers to forward.conf
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 94a51c64bb7aead36ea0e6d40de06a8cc195cd5d
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Tue Jan 7 11:18:41 2020 +0000

    unbound: Remove test-name-server command
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 15cf79e3b864bef46d32b08e3b381a654e00950e
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Tue Nov 12 12:43:28 2019 +0000

    unbound: Convert forward zones to stub zones
    
    It was incorrect to use forward zones here, because that
    assumes that unbound is talking to a recursive resolver.
    
    The feature is however designed to be talking to an authoritative
    server.
    
    Fixes: #12230
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit dea5f34914819b5f6c0801ff12eafa521c79188b
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Mon Nov 4 12:04:48 2019 +0000

    unbound: Allow forcing to speak TLS to upstream servers only
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 372576e0ab699a188e9248d73afcc00a5a635d2b
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Tue Jan 7 11:12:33 2020 +0000

    unbound: Set EDNS buffer size to 1232 bytes
    
    Fixes: #12240
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 3bf804e83400c87398950526170b3d77bf38b8a6
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Tue Jan 7 11:06:10 2020 +0000

    dns.cgi: Set EDNS buffer size to 1232
    
    References: #12240
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 0fa6bde78ab9d25a078cad1b233e67c14bfe1cc9
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Tue Jan 7 10:53:34 2020 +0000

    Update English translation
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit cdfc93cb7abd412987bbf098117fa86cb475de72
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Tue Jan 7 10:48:01 2020 +0000

    webif: Show menu entry for DNS all the time
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit e8981e3c8faafbf042e29d3896b6c81b77e5fe2c
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Tue Jan 7 10:45:08 2020 +0000

    netexternal.cgi: Drop DNSSEC status
    
    This has now been moved to the new dns.cgi.
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit ecbf66761f922f821940ec063d271acae89c78cb
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Tue Jan 7 10:43:19 2020 +0000

    DNS: Add converter to migrate settings
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 2946d562f1fa06840e576184d58a1e90a03934e7
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date:   Tue Jan 7 10:32:43 2020 +0100

    langs/en.pl: Add new strings for modified dns.cgi.
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 24d7c5ef6bea7b6521d309757d2fa0461935f89d
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date:   Tue Jan 7 10:30:37 2020 +0100

    dns.cgi: Rework to allow central DNS configuration.
    
    Fixes #12237.
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>

commit 456f0b06f4691cd7e07b9e5ec5bb86d0117c3456
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date:   Sun Jan 5 12:37:57 2020 +0100

    pppsetup.cgi: Remove support for configure DNS settings.
    
    Fixes #12234.
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>

commit 0bb159bbfc6dd48bf2b6aa4b4d7e1d87f61e1655
Merge: c5d20f966 916859f5f
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date:   Sun Jan 5 12:15:00 2020 +0100

    Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next

commit c5d20f9665a659ddd5fc46fa8cba1c3133a91180
Merge: 1cb8ffe84 c846ed161
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date:   Fri Jan 3 11:06:47 2020 +0100

    Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next

commit 1cb8ffe84d5d3ea1699fa566ce8fa03f50638f4a
Merge: f8e7c1c9d 6a3acff93
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date:   Mon Dec 16 09:04:29 2019 +0100

    Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next

commit f8e7c1c9d07d348e8c3235c83fd889068269c823
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date:   Mon Dec 9 14:19:53 2019 +0100

    crontab: Adjust crontab to hourly launch the update-location-database
    script.
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>

commit 93a985cc05e6b564ac1e3fc59fd37e94c77000ca
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date:   Mon Dec 9 14:14:34 2019 +0100

    Introduce update-location-database script.
    
    This script obsoletes the old xt_geoip_update script.
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>

-----------------------------------------------------------------------

Summary of changes:
 config/backup/backup.pl                            |   3 +
 config/cfgroot/general-functions.pl                |  81 ++
 config/cfgroot/ids-functions.pl                    |  35 +-
 config/cron/crontab                                |   2 +-
 config/menu/30-network.menu                        |  12 +-
 config/rootfiles/common/aarch64/initscripts        |   1 -
 config/rootfiles/common/aarch64/stage2             |   1 +
 config/rootfiles/common/armv5tel/initscripts       |   1 -
 config/rootfiles/common/i586/initscripts           |   1 -
 config/rootfiles/common/stage2                     |   1 +
 config/rootfiles/common/x86_64/initscripts         |   1 -
 config/rootfiles/common/x86_64/stage2              |   1 +
 config/unbound/unbound-dhcp-leases-bridge          |   4 +
 config/unbound/unbound.conf                        |  10 +
 doc/language_issues.de                             |  32 +-
 doc/language_issues.en                             |  34 +-
 doc/language_issues.es                             |  32 +-
 doc/language_issues.fr                             |  32 +-
 doc/language_issues.it                             |  32 +
 doc/language_issues.nl                             |  32 +-
 doc/language_issues.pl                             |  32 +-
 doc/language_issues.ru                             |  32 +-
 doc/language_issues.tr                             |  32 +
 doc/language_missings                              | 112 +++
 html/cgi-bin/dns.cgi                               | 950 ++++++++++++++++++---
 html/cgi-bin/dnsforward.cgi                        |   6 +-
 html/cgi-bin/guardian.cgi                          |  44 +-
 html/cgi-bin/hosts.cgi                             |   2 +-
 html/cgi-bin/index.cgi                             |  19 -
 html/cgi-bin/netexternal.cgi                       | 131 ---
 html/cgi-bin/pppsetup.cgi                          |  29 -
 langs/en/cgi-bin/en.pl                             |  26 +-
 lfs/guardian                                       |   2 +-
 src/initscripts/networking/dhcpcd.exe              |  20 +-
 src/initscripts/networking/red                     |   2 -
 .../networking/red.up/05-update-dns-forwarders     |  13 +-
 src/initscripts/networking/red.up/06-safe-search   |   3 -
 src/initscripts/system/unbound                     | 553 +++---------
 src/misc-progs/unboundctrl.c                       |   6 +-
 src/ppp/ip-down                                    |   5 +-
 src/ppp/ip-up                                      |  29 +-
 src/scripts/convert-dns-settings                   |  95 +++
 .../scripts/update-location-database               |  41 +-
 src/scripts/xt_geoip_update                        | 138 ---
 src/setup/networking.c                             |  93 +-
 45 files changed, 1643 insertions(+), 1120 deletions(-)
 mode change 100644 => 100755 html/cgi-bin/dns.cgi
 delete mode 100644 src/initscripts/networking/red.up/06-safe-search
 create mode 100755 src/scripts/convert-dns-settings
 copy config/dma/dma-cleanup-spool => src/scripts/update-location-database (67%)
 delete mode 100644 src/scripts/xt_geoip_update

Difference in files:
diff --git a/config/backup/backup.pl b/config/backup/backup.pl
index b1dd1d297..aae31098a 100644
--- a/config/backup/backup.pl
+++ b/config/backup/backup.pl
@@ -143,6 +143,9 @@ restore_backup() {
 		rm -rf "/var/ipfire/snort"
 	fi
 
+	# Convert DNS settings
+	convert-dns-settings
+
 	return 0
 }
 
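Review bot: The exit status of the new `convert-dns-settings` call is discarded, so a failed or partial conversion still falls through to `return 0` and reports the restore as successful. The log entry for commit c73baee notes that config files left with the wrong ownership by this converter break the WUI, so a silent failure here is the exact case that should be surfaced; consider `convert-dns-settings || return 1`, or at minimum logging the failure before continuing. The command is also resolved through the caller's PATH, so an absolute path would make the restore less dependent on the invoking environment. Whether callers act on the return value of restore_backup() is not visible in this hunk, and the function begins before it.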
diff --git a/config/cfgroot/general-functions.pl b/config/cfgroot/general-functions.pl
index aefcfb687..448f4c635 100644
--- a/config/cfgroot/general-functions.pl
+++ b/config/cfgroot/general-functions.pl
@@ -1177,4 +1177,85 @@ sub number_cpu_cores() {
 	return $cores;
 }
 
+# Tiny function to grab a single IP-address from a given file.
+sub grab_address_from_file($) {
+	my ($file) = @_;
+
+	my $address;
+
+	# Check if the given file exists.
+	if(-f $file) {
+		# Open the file for reading.
+		open(FILE, $file) or die "Could not read from $file. $!\n";
+
+		# Read the address from the file.
+		$address = <FILE>;
+
+		# Close filehandle.
+		close(FILE);
+
+		# Remove newlines.
+		chomp($address);
+
+		# Check if the obtained address is valid.
+		if (&validip($address)) {
+			# Return the address.
+			return $address;
+		}
+	}
+
+	# Return nothing.
+	return;
+}
+
+# Function to get all configured and enabled nameservers.
+sub get_nameservers () {
+	my %settings;
+	my %servers;
+
+	my @nameservers;
+
+	# Read DNS configuration.
+	&readhash("$General::swroot/dns/settings", \%settings);
+
+	# Read configured DNS servers.
+	&readhasharray("$General::swroot/dns/servers", \%servers);
+
+	# Check if the ISP assigned server should be used.
+	if ($settings{'USE_ISP_NAMESERVERS'} eq "on") {
+		# Assign ISP nameserver files.
+		my @ISP_nameserver_files = ( "/var/run/dns1", "/var/run/dns2" );
+
+		# Loop through the array of ISP assigned DNS servers.
+		foreach my $file (@ISP_nameserver_files) {
+			# Grab the IP address.
+			my $address = &grab_address_from_file($file);
+
+			# Check if an address has been grabbed.
+			if ($address) {
+				# Add the address to the array of nameservers.
+				push(@nameservers, $address);
+			}
+		}
+	}
+
+	# Check if DNS servers are configured.
+	if (%servers) {
+		# Loop through the hash of configured DNS servers.
+		foreach my $id (keys %servers) {
+			my $address = $servers{$id}[0];
+			my $status = $servers{$id}[2];
+
+			# Check if the current processed server is enabled.
+			if ($status eq "enabled") {
+				# Add the address to the array of nameservers.
+				push(@nameservers, $address);
+			}
+		}
+	}
+
+	# Return the array.
+	return @nameservers;
+}
+
 1;
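Review bot: get_nameservers() iterates `keys %servers`, whose order is randomised per Perl process, so the returned list and anything generated from it changes order between runs; `foreach my $id (sort { $a <=> $b } keys %servers)` gives a stable order (assuming the numeric ids readhasharray produces). In grab_address_from_file(), the two-argument `open(FILE, $file)` with a bareword handle should be the three-argument lexical form `open(my $fh, "<", $file)`, which never interprets characters in the path as a mode or pipe; the callers pass fixed paths today, but the sub is generic. A `die` in a library helper aborts every caller, including CGI scripts, on an unreadable file; returning nothing, as the sub already does for a missing or invalid file, would be more consistent.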
diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl
index 89ad90c2e..3fa19fab7 100644
--- a/config/cfgroot/ids-functions.pl
+++ b/config/cfgroot/ids-functions.pl
@@ -702,40 +702,31 @@ sub generate_home_net_file() {
 # Function to generate and write the file which contains the configured and used DNS servers.
 #
 sub generate_dns_servers_file() {
-	# Open file which contains the current used DNS configuration.
-	open (FILE, "${General::swroot}/red/dns") or die "Could not read DNS configuration from ${General::swroot}/red/dns. $!\n";
-
-	# Read-in whole file content and store it in a temporary array.
-	my @file_content = split(' ', <FILE>);
-
-	# Close file handle.
-	close(FILE);
+	# Get the used DNS servers.
+	my @nameservers = &General::get_nameservers();
 
 	# Format dns servers declaration.
 	my $line = "\"\[";
 
-	# Check if the current DNS configuration is using the local recursor mode.
-	if ($file_content[0] eq "local" && $file_content[1] eq "recursor") {
-		# The responsible DNS servers on red are directly used, and because we are not able
-		# to specify each single DNS server address here, we currently have to thread each
-		# address which is not part of the HOME_NET as possible DNS server.
-		$line = "$line" . "!\$HOME_NET";
-
-	} else {
-		# Loop through the array which contains the file content.
-		foreach my $server (@file_content) {
-			# Remove newlines.
-			chomp($server);
-
+	# Check if the system has configured nameservers.
+	if (@nameservers) {
+		# Loop through the array of nameservers.
+		foreach my $server (@nameservers) {
 			# Add the DNS server to the line.
 			$line = "$line" . "$server";
 
 			# Check if the current DNS server was the last in the array.
-			if ($server ne $file_content[-1]) {
+			if ($server ne $nameservers[-1]) {
 				# Add "," for the next DNS server.
 				$line = "$line" . "\,";
 			}
 		}
+	} else {
+		# The responsible DNS servers on red are directly used, and because we are not able
+		# to specify each single DNS server address here, we currently have to thread each
+		# address which is not part of the HOME_NET as possible DNS server.
+		$line = "$line" . "!\$HOME_NET";
+
 	}
 
 	# Close the line...
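Review bot: The comma logic compares each server to the last element by value, so if the same address occurs twice in @nameservers (an ISP-assigned server that is also configured manually; get_nameservers() does not deduplicate) the earlier occurrence is concatenated to the next one without a comma and the generated variable becomes invalid. Building the list with `$line .= join(",", @nameservers);` removes the special case entirely. The sub continues past the end of the hunk.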
diff --git a/config/cron/crontab b/config/cron/crontab
index 56801394e..519554195 100644
--- a/config/cron/crontab
+++ b/config/cron/crontab
@@ -60,7 +60,7 @@ HOME=/
 00 2 * 10-11 0      /usr/local/bin/timezone-transition /usr/local/bin/firewallctrl
 
 # Update GeoIP database once a month.
-%monthly,random * * * [ -f "/var/ipfire/red/active" ] && /usr/local/bin/xt_geoip_update >/dev/null 2>&1
+%hourly,random * * * [ -f "/var/ipfire/red/active" ] && /usr/local/bin/update-location-database >/dev/null 2>&1
 
 # Retry sending spooled mails regularly
 %hourly * /usr/sbin/dma -q
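Review bot: The comment above the changed line still says the database is updated once a month while the schedule is now `%hourly,random`; update it to `# Check for location database updates every hour.` (or whatever cadence is intended). If update-location-database does not itself skip when nothing has changed, the hourly run against the upstream mirror is also worth a sentence in that comment.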
diff --git a/config/menu/30-network.menu b/config/menu/30-network.menu
index 629411786..19571a870 100644
--- a/config/menu/30-network.menu
+++ b/config/menu/30-network.menu
@@ -8,6 +8,12 @@
 			        'title' => "$Lang::tr{'zoneconf title'}",
 			        'enabled' => 1,
 			        };
+    $subnetwork->{'12.dns'} = {
+                                  'caption' => $Lang::tr{'dns title'},
+                                  'uri' => '/cgi-bin/dns.cgi',
+                                  'title' => "$Lang::tr{'dns title'}",
+                                  'enabled' => 1,
+                                  };
     $subnetwork->{'20.proxy'} = {'caption' => "$Lang::tr{'web proxy'}",
 			        'uri' => '/cgi-bin/proxy.cgi',
 			        'title' => "$Lang::tr{'web proxy'}",
@@ -45,12 +51,6 @@
 				 'title' => "$Lang::tr{'edit hosts'}",
 				 'enabled' => 1,
 				 };
-    $subnetwork->{'51.dnsmenu'} = {
-                                  'caption' => $Lang::tr{'dns menu'},
-                                  'uri' => '/cgi-bin/dns.cgi',
-                                  'title' => "$Lang::tr{'dns menu'}",
-                                  'enabled' => `grep "RED_TYPE=DHCP" /var/ipfire/ethernet/settings`,
-                                  };
     $subnetwork->{'52.dnsforward'} = {
                                   'caption' => $Lang::tr{'dnsforward'},
                                   'uri' => '/cgi-bin/dnsforward.cgi',
diff --git a/config/rootfiles/common/aarch64/initscripts b/config/rootfiles/common/aarch64/initscripts
index 6b08fcac6..202da7372 100644
--- a/config/rootfiles/common/aarch64/initscripts
+++ b/config/rootfiles/common/aarch64/initscripts
@@ -51,7 +51,6 @@ etc/rc.d/init.d/networking/red.down/99-beep
 #etc/rc.d/init.d/networking/red.up
 etc/rc.d/init.d/networking/red.up/01-conntrack-cleanup
 etc/rc.d/init.d/networking/red.up/05-update-dns-forwarders
-etc/rc.d/init.d/networking/red.up/06-safe-search
 etc/rc.d/init.d/networking/red.up/10-miniupnpd
 etc/rc.d/init.d/networking/red.up/10-multicast
 etc/rc.d/init.d/networking/red.up/10-static-routes
diff --git a/config/rootfiles/common/aarch64/stage2 b/config/rootfiles/common/aarch64/stage2
index 2d9a70f81..f4169a44e 100644
--- a/config/rootfiles/common/aarch64/stage2
+++ b/config/rootfiles/common/aarch64/stage2
@@ -91,6 +91,7 @@ usr/lib64
 usr/local/bin/backupiso
 usr/local/bin/connscheduler
 usr/local/bin/consort.sh
+usr/local/bin/convert-dns-settings
 usr/local/bin/convert-ovpn
 usr/local/bin/filesystem-cleanup
 usr/local/bin/hddshutdown
diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootfiles/common/armv5tel/initscripts
index 6b08fcac6..202da7372 100644
--- a/config/rootfiles/common/armv5tel/initscripts
+++ b/config/rootfiles/common/armv5tel/initscripts
@@ -51,7 +51,6 @@ etc/rc.d/init.d/networking/red.down/99-beep
 #etc/rc.d/init.d/networking/red.up
 etc/rc.d/init.d/networking/red.up/01-conntrack-cleanup
 etc/rc.d/init.d/networking/red.up/05-update-dns-forwarders
-etc/rc.d/init.d/networking/red.up/06-safe-search
 etc/rc.d/init.d/networking/red.up/10-miniupnpd
 etc/rc.d/init.d/networking/red.up/10-multicast
 etc/rc.d/init.d/networking/red.up/10-static-routes
diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts
index 23b1938f4..9d4f7e5f3 100644
--- a/config/rootfiles/common/i586/initscripts
+++ b/config/rootfiles/common/i586/initscripts
@@ -51,7 +51,6 @@ etc/rc.d/init.d/networking/red.down/99-beep
 #etc/rc.d/init.d/networking/red.up
 etc/rc.d/init.d/networking/red.up/01-conntrack-cleanup
 etc/rc.d/init.d/networking/red.up/05-update-dns-forwarders
-etc/rc.d/init.d/networking/red.up/06-safe-search
 etc/rc.d/init.d/networking/red.up/10-miniupnpd
 etc/rc.d/init.d/networking/red.up/10-multicast
 etc/rc.d/init.d/networking/red.up/10-static-routes
diff --git a/config/rootfiles/common/stage2 b/config/rootfiles/common/stage2
index b0680914e..fca540431 100644
--- a/config/rootfiles/common/stage2
+++ b/config/rootfiles/common/stage2
@@ -90,6 +90,7 @@ usr/lib/libstdc++.so.6
 usr/local/bin/backupiso
 usr/local/bin/connscheduler
 usr/local/bin/consort.sh
+usr/local/bin/convert-dns-settings
 usr/local/bin/convert-ovpn
 usr/local/bin/filesystem-cleanup
 usr/local/bin/hddshutdown
diff --git a/config/rootfiles/common/x86_64/initscripts b/config/rootfiles/common/x86_64/initscripts
index 23b1938f4..9d4f7e5f3 100644
--- a/config/rootfiles/common/x86_64/initscripts
+++ b/config/rootfiles/common/x86_64/initscripts
@@ -51,7 +51,6 @@ etc/rc.d/init.d/networking/red.down/99-beep
 #etc/rc.d/init.d/networking/red.up
 etc/rc.d/init.d/networking/red.up/01-conntrack-cleanup
 etc/rc.d/init.d/networking/red.up/05-update-dns-forwarders
-etc/rc.d/init.d/networking/red.up/06-safe-search
 etc/rc.d/init.d/networking/red.up/10-miniupnpd
 etc/rc.d/init.d/networking/red.up/10-multicast
 etc/rc.d/init.d/networking/red.up/10-static-routes
diff --git a/config/rootfiles/common/x86_64/stage2 b/config/rootfiles/common/x86_64/stage2
index 9d3334e69..cc67837e5 100644
--- a/config/rootfiles/common/x86_64/stage2
+++ b/config/rootfiles/common/x86_64/stage2
@@ -92,6 +92,7 @@ usr/lib64
 usr/local/bin/backupiso
 usr/local/bin/connscheduler
 usr/local/bin/consort.sh
+usr/local/bin/convert-dns-settings
 usr/local/bin/convert-ovpn
 usr/local/bin/filesystem-cleanup
 usr/local/bin/hddshutdown
diff --git a/config/unbound/unbound-dhcp-leases-bridge b/config/unbound/unbound-dhcp-leases-bridge
index 64306bc9b..e3da4860b 100644
--- a/config/unbound/unbound-dhcp-leases-bridge
+++ b/config/unbound/unbound-dhcp-leases-bridge
@@ -28,6 +28,7 @@ import logging.handlers
 import os
 import re
 import signal
+import stat
 import subprocess
 import tempfile
 
@@ -528,6 +529,9 @@ class UnboundConfigWriter(object):
 				for rr in l.rrset:
 					f.write("local-data: \"%s\"\n" % " ".join(rr))
 
+			# Make file readable for everyone
+			os.fchmod(f.fileno(), stat.S_IRUSR|stat.S_IWUSR|stat.S_IRGRP|stat.S_IROTH)
+
 		os.rename(filename, self.path)
 
 	def _control(self, *args):
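Review bot: os.fchmod() makes the generated leases file world-readable (0644); presumably this is needed because the temporary file is created with tempfile's default 0600 mode and unbound runs as a different user, and setting the mode before the rename means the published file never appears with the wrong permissions. A one-line comment stating that, e.g. `# the file is created 0600 by tempfile; unbound runs as its own user and must read it`, would make the intent explicit. If unbound is the only consumer, a group-readable mode with the file in unbound's group would expose lease hostnames and addresses to fewer local accounts. The enclosing method starts outside the hunk.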
diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
index e20c3330d..24822ee67 100644
--- a/config/unbound/unbound.conf
+++ b/config/unbound/unbound.conf
@@ -61,6 +61,13 @@ server:
 	harden-algo-downgrade: no
 	use-caps-for-id: yes
 	aggressive-nsec: yes
+	qname-minimisation: yes
+
+	# TLS
+	tls-cert-bundle: /etc/ssl/certs/ca-bundle.crt
+
+	# EDNS Buffer Size (#12240)
+	edns-buffer-size: 1232
 
 	# Harden against DNS cache poisoning
 	unwanted-reply-threshold: 1000000
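Review bot: The `# TLS` comment says nothing about what the bundle is for; `# CA bundle used to verify DNS-over-TLS upstreams (forward-addr with a #hostname)` would tell the reader that the setting only takes effect when TLS forwarders are configured and that hostname verification depends on it. In the second hunk, `include: "/etc/unbound/hosts.conf"` requires the file to exist before unbound starts, since unbound treats an unreadable include as a configuration error; as far as this diff shows, whichever script generates hosts.conf needs to run, or create an empty file, on the first start after the update.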
@@ -78,6 +85,9 @@ server:
 	# Include DHCP leases
 	include: "/etc/unbound/dhcp-leases.conf"
 
+	# Include hosts
+	include: "/etc/unbound/hosts.conf"
+
 	# Include any forward zones
 	include: "/etc/unbound/forward.conf"
 
diff --git a/doc/language_issues.de b/doc/language_issues.de
index 42d9c60b5..d3539dd98 100644
--- a/doc/language_issues.de
+++ b/doc/language_issues.de
@@ -203,7 +203,23 @@ WARNING: translation string unused: dmz pinhole configuration
 WARNING: translation string unused: dmz pinhole rule added
 WARNING: translation string unused: dmz pinhole rule removed
 WARNING: translation string unused: dmzpinholes for same net not necessary
+WARNING: translation string unused: dns address deleted
+WARNING: translation string unused: dns address deleted txt
+WARNING: translation string unused: dns address done
+WARNING: translation string unused: dns address recon
+WARNING: translation string unused: dns desc
+WARNING: translation string unused: dns error 0
+WARNING: translation string unused: dns error 01
+WARNING: translation string unused: dns error 1
+WARNING: translation string unused: dns header
+WARNING: translation string unused: dns list
+WARNING: translation string unused: dns menu
+WARNING: translation string unused: dns new 0
+WARNING: translation string unused: dns new 1
+WARNING: translation string unused: dns saved
+WARNING: translation string unused: dns saved txt
 WARNING: translation string unused: dns server
+WARNING: translation string unused: dnssec information
 WARNING: translation string unused: do not log this port list
 WARNING: translation string unused: domain not set
 WARNING: translation string unused: donation-link
@@ -240,7 +256,6 @@ WARNING: translation string unused: err rs 1
 WARNING: translation string unused: err rs 6 decrypt
 WARNING: translation string unused: err rs 7 untartst
 WARNING: translation string unused: err rs 8 untar
-WARNING: translation string unused: error
 WARNING: translation string unused: error config
 WARNING: translation string unused: error external access
 WARNING: translation string unused: esp encryption
@@ -408,6 +423,7 @@ WARNING: translation string unused: mac address error not 00
 WARNING: translation string unused: mailmethod
 WARNING: translation string unused: mailprogramm
 WARNING: translation string unused: manage ovpn
+WARNING: translation string unused: manual
 WARNING: translation string unused: manual control and status
 WARNING: translation string unused: marked
 WARNING: translation string unused: max incoming size
@@ -754,11 +770,22 @@ WARNING: translation string unused: zoneconf val vlan tag assignment error
 WARNING: translation string unused: zoneconf val zoneslave amount error
 WARNING: untranslated string: Scan for Songs = unknown string
 WARNING: untranslated string: addons = Addons
+WARNING: untranslated string: broken = Broken
 WARNING: untranslated string: bytes = unknown string
 WARNING: untranslated string: community rules = Snort/VRT GPLv2 Community Rules
 WARNING: untranslated string: dangerous = Dangerous
 WARNING: untranslated string: dead peer detection = Dead Peer Detection
 WARNING: untranslated string: default IP address = Default IP Address
+WARNING: untranslated string: dns = unknown string
+WARNING: untranslated string: dns configuration = DNS Configuration
+WARNING: untranslated string: dns could not add server = Could not add server - Reason:
+WARNING: untranslated string: dns enable safe-search = Enable Safe Search
+WARNING: untranslated string: dns isp assigned nameserver = ISP-assigned DNS server
+WARNING: untranslated string: dns mode for qname minimisation = QNAME Minimisation
+WARNING: untranslated string: dns no tls hostname given = No TLS hostname given.
+WARNING: untranslated string: dns tls hostname = TLS Hostname
+WARNING: untranslated string: dns use isp assigned nameservers = Use ISP-assigned DNS servers
+WARNING: untranslated string: dns use protocol for dns queries = Protocol for DNS queries
 WARNING: untranslated string: emerging pro rules = Emergingthreats.net Pro Rules
 WARNING: untranslated string: emerging rules = Emergingthreats.net Community Rules
 WARNING: untranslated string: enable smt = Enable Simultaneous Multi-Threading (SMT)
@@ -798,10 +825,13 @@ WARNING: untranslated string: guardian logtarget_syslog = unknown string
 WARNING: untranslated string: guardian no entries = unknown string
 WARNING: untranslated string: guardian service = unknown string
 WARNING: untranslated string: itlb multihit = iTLB MultiHit
+WARNING: untranslated string: not validating = Not validating
 WARNING: untranslated string: route config changed = unknown string
 WARNING: untranslated string: routing config added = unknown string
 WARNING: untranslated string: routing config changed = unknown string
 WARNING: untranslated string: routing table = unknown string
 WARNING: untranslated string: show tls-auth key = Show tls-auth key
+WARNING: untranslated string: standard = Standard
+WARNING: untranslated string: strict = Strict
 WARNING: untranslated string: taa zombieload2 = TSX Async Abort / ZombieLoad v2
 WARNING: untranslated string: vpn statistics n2n = unknown string
diff --git a/doc/language_issues.en b/doc/language_issues.en
index 885e85d75..eea6a9b7c 100644
--- a/doc/language_issues.en
+++ b/doc/language_issues.en
@@ -335,7 +335,7 @@ WARNING: untranslated string: august = August
 WARNING: untranslated string: authentication = Authentication:
 WARNING: untranslated string: automatic = Automatic
 WARNING: untranslated string: average = Average
-WARNING: untranslated string: back = BACK
+WARNING: untranslated string: back = Back
 WARNING: untranslated string: backup = Backup
 WARNING: untranslated string: backup from = Backup from
 WARNING: untranslated string: backupaddon = Addon Backup
@@ -358,6 +358,7 @@ WARNING: untranslated string: block = Block
 WARNING: untranslated string: blue = BLUE
 WARNING: untranslated string: blue access = Blue Access
 WARNING: untranslated string: broadcast = Broadcast
+WARNING: untranslated string: broken = Broken
 WARNING: untranslated string: broken pipe = Broken pipe
 WARNING: untranslated string: buffered memory = Buffered Memory
 WARNING: untranslated string: buffers = buffers
@@ -607,27 +608,22 @@ WARNING: untranslated string: dl client arch = Download Client Package (zip)
 WARNING: untranslated string: dl client arch insecure = Download insecure Client Package (zip)
 WARNING: untranslated string: dmz = DMZ
 WARNING: untranslated string: dnat address = Firewall Interface
-WARNING: untranslated string: dns address deleted = Successfully deleted!
-WARNING: untranslated string: dns address deleted txt = The DNS-Server addresses have been successfully deleted.<br />You have to reboot or reconnect that the changes have effect!
-WARNING: untranslated string: dns address done = The DNS-Server address settings are going to be saved.
-WARNING: untranslated string: dns address recon = Trying to reconnect!
+WARNING: untranslated string: dns = unknown string
 WARNING: untranslated string: dns check failed = DNS check failed
-WARNING: untranslated string: dns desc = If the red0 interface gets the IP address information via DHCP from the provider, the DNS server addresses will be set automatically. Now here you are able to change these DNS server IP addresses with your own ones.
-WARNING: untranslated string: dns error 0 = The IP address of the <strong>primary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>secondary</strong> DNS server address is valid.
-WARNING: untranslated string: dns error 01 = The entered IP address of the <strong>primary</strong> and <strong>secondary</strong> DNS server are not valid, please check your entries!
-WARNING: untranslated string: dns error 1 = The IP address of the <strong>secondary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>primary</strong> DNS server address is valid.
+WARNING: untranslated string: dns configuration = DNS Configuration
+WARNING: untranslated string: dns could not add server = Could not add server - Reason:
+WARNING: untranslated string: dns enable safe-search = Enable Safe Search
 WARNING: untranslated string: dns forward disable dnssec = Disable DNSSEC (dangerous)
 WARNING: untranslated string: dns forwarding dnssec disabled notice = (DNSSEC disabled)
-WARNING: untranslated string: dns header = Assign DNS server addresses only for DHCP on red0
-WARNING: untranslated string: dns list = List of free public DNS servers
-WARNING: untranslated string: dns menu = Assign DNS-Server
-WARNING: untranslated string: dns new 0 = New <strong>primary</strong> DNS server IP:
-WARNING: untranslated string: dns new 1 = New <strong>secondary</strong> DNS server IP:
+WARNING: untranslated string: dns isp assigned nameserver = ISP-assigned DNS server
+WARNING: untranslated string: dns mode for qname minimisation = QNAME Minimisation
+WARNING: untranslated string: dns no tls hostname given = No TLS hostname given.
 WARNING: untranslated string: dns proxy server = DNS Proxy Server
-WARNING: untranslated string: dns saved = Successfully saved!
-WARNING: untranslated string: dns saved txt = The two entered DNS server addresses have been saved successfully.<br />You have to reboot or reconnect that the changes have effect!
 WARNING: untranslated string: dns servers = DNS Servers
 WARNING: untranslated string: dns title = Domain Name System
+WARNING: untranslated string: dns tls hostname = TLS Hostname
+WARNING: untranslated string: dns use isp assigned nameservers = Use ISP-assigned DNS servers
+WARNING: untranslated string: dns use protocol for dns queries = Protocol for DNS queries
 WARNING: untranslated string: dnsforward = DNS Forwarding
 WARNING: untranslated string: dnsforward add a new entry = Add a new entry
 WARNING: untranslated string: dnsforward configuration = DNS forward configuration
@@ -638,7 +634,6 @@ WARNING: untranslated string: dnsforward forward_servers = Nameservers
 WARNING: untranslated string: dnsforward zone = Zone
 WARNING: untranslated string: dnssec aware = DNSSEC Aware
 WARNING: untranslated string: dnssec disabled warning = WARNING: DNSSEC has been disabled
-WARNING: untranslated string: dnssec information = DNSSEC Information
 WARNING: untranslated string: dnssec not supported = DNSSEC Not supported
 WARNING: untranslated string: dnssec validating = DNSSEC Validating
 WARNING: untranslated string: dod = Dial on Demand
@@ -727,6 +722,7 @@ WARNING: untranslated string: enter ack class = Enter the ACK- Class <br /> and
 WARNING: untranslated string: enter data = Enter your settings <br /> and then press <i>Save</i>.
 WARNING: untranslated string: entropy = Entropy
 WARNING: untranslated string: entropy graphs = Entropy Graphs
+WARNING: untranslated string: error = Error
 WARNING: untranslated string: error messages = Error messages
 WARNING: untranslated string: esp keylife should be between 1 and 24 hours = ESP keylife should be between 1 and 24 hours.
 WARNING: untranslated string: every = Every
@@ -1231,7 +1227,6 @@ WARNING: untranslated string: magic packet send to: = Magic packet send to:
 WARNING: untranslated string: main page = Main page
 WARNING: untranslated string: manage printers = manage printers
 WARNING: untranslated string: manage shares = Manage Shares
-WARNING: untranslated string: manual = Manual
 WARNING: untranslated string: manually = Manually
 WARNING: untranslated string: map to guest = Map to Guest
 WARNING: untranslated string: march = March
@@ -1347,6 +1342,7 @@ WARNING: untranslated string: not enough disk space = Not enough disk space
 WARNING: untranslated string: not present = <b>Not</b> present
 WARNING: untranslated string: not running = not running
 WARNING: untranslated string: not set = not set
+WARNING: untranslated string: not validating = Not validating
 WARNING: untranslated string: notice = Notice
 WARNING: untranslated string: november = November
 WARNING: untranslated string: ntp common settings = Common settings
@@ -1670,6 +1666,7 @@ WARNING: untranslated string: ssh tempstart15 = Stop SSH demon in 15 minutes
 WARNING: untranslated string: ssh tempstart30 = Stop SSH demon in 30 minutes
 WARNING: untranslated string: ssh username = Username
 WARNING: untranslated string: sstraffic = Net-Traffic
+WARNING: untranslated string: standard = Standard
 WARNING: untranslated string: standard login script = Standard login script
 WARNING: untranslated string: start = Start
 WARNING: untranslated string: start address = Start address:
@@ -1684,6 +1681,7 @@ WARNING: untranslated string: std classes = Standardclasses
 WARNING: untranslated string: stop = Stop
 WARNING: untranslated string: stop ovpn server = Stop OpenVPN Server
 WARNING: untranslated string: stopped = STOPPED
+WARNING: untranslated string: strict = Strict
 WARNING: untranslated string: subject = Subject
 WARNING: untranslated string: subnet mask = Subnet Mask
 WARNING: untranslated string: subscripted user rules = Talos VRT rules with subscription
diff --git a/doc/language_issues.es b/doc/language_issues.es
index 7ce921f91..0c9853d12 100644
--- a/doc/language_issues.es
+++ b/doc/language_issues.es
@@ -194,6 +194,21 @@ WARNING: translation string unused: dmz pinhole configuration
 WARNING: translation string unused: dmz pinhole rule added
 WARNING: translation string unused: dmz pinhole rule removed
 WARNING: translation string unused: dmzpinholes for same net not necessary
+WARNING: translation string unused: dns address deleted
+WARNING: translation string unused: dns address deleted txt
+WARNING: translation string unused: dns address done
+WARNING: translation string unused: dns address recon
+WARNING: translation string unused: dns desc
+WARNING: translation string unused: dns error 0
+WARNING: translation string unused: dns error 01
+WARNING: translation string unused: dns error 1
+WARNING: translation string unused: dns header
+WARNING: translation string unused: dns list
+WARNING: translation string unused: dns menu
+WARNING: translation string unused: dns new 0
+WARNING: translation string unused: dns new 1
+WARNING: translation string unused: dns saved
+WARNING: translation string unused: dns saved txt
 WARNING: translation string unused: dns server
 WARNING: translation string unused: do not log this port list
 WARNING: translation string unused: domain not set
@@ -359,6 +374,7 @@ WARNING: translation string unused: mac address error not 00
 WARNING: translation string unused: mailmethod
 WARNING: translation string unused: mailprogramm
 WARNING: translation string unused: manage ovpn
+WARNING: translation string unused: manual
 WARNING: translation string unused: manual control and status
 WARNING: translation string unused: marked
 WARNING: translation string unused: max incoming size
@@ -740,6 +756,7 @@ WARNING: untranslated string: atm device = Device:
 WARNING: untranslated string: attention = ATTENTION
 WARNING: untranslated string: bit = bit
 WARNING: untranslated string: block = Block
+WARNING: untranslated string: broken = Broken
 WARNING: untranslated string: bytes = unknown string
 WARNING: untranslated string: capabilities = Capabilities
 WARNING: untranslated string: ccd add = Add network
@@ -804,9 +821,19 @@ WARNING: untranslated string: dhcp dns update algo = Algorithm
 WARNING: untranslated string: dhcp dns update secret = Secret
 WARNING: untranslated string: dl client arch insecure = Download insecure Client Package (zip)
 WARNING: untranslated string: dnat address = Firewall Interface
+WARNING: untranslated string: dns = unknown string
+WARNING: untranslated string: dns configuration = DNS Configuration
+WARNING: untranslated string: dns could not add server = Could not add server - Reason:
+WARNING: untranslated string: dns enable safe-search = Enable Safe Search
 WARNING: untranslated string: dns forward disable dnssec = Disable DNSSEC (dangerous)
 WARNING: untranslated string: dns forwarding dnssec disabled notice = (DNSSEC disabled)
+WARNING: untranslated string: dns isp assigned nameserver = ISP-assigned DNS server
+WARNING: untranslated string: dns mode for qname minimisation = QNAME Minimisation
+WARNING: untranslated string: dns no tls hostname given = No TLS hostname given.
 WARNING: untranslated string: dns servers = DNS Servers
+WARNING: untranslated string: dns tls hostname = TLS Hostname
+WARNING: untranslated string: dns use isp assigned nameservers = Use ISP-assigned DNS servers
+WARNING: untranslated string: dns use protocol for dns queries = Protocol for DNS queries
 WARNING: untranslated string: dnsforward = DNS Forwarding
 WARNING: untranslated string: dnsforward add a new entry = Add a new entry
 WARNING: untranslated string: dnsforward configuration = DNS forward configuration
@@ -817,7 +844,6 @@ WARNING: untranslated string: dnsforward forward_servers = Nameservers
 WARNING: untranslated string: dnsforward zone = Zone
 WARNING: untranslated string: dnssec aware = DNSSEC Aware
 WARNING: untranslated string: dnssec disabled warning = WARNING: DNSSEC has been disabled
-WARNING: untranslated string: dnssec information = DNSSEC Information
 WARNING: untranslated string: dnssec not supported = DNSSEC Not supported
 WARNING: untranslated string: dnssec validating = DNSSEC Validating
 WARNING: untranslated string: downlink = Downlink
@@ -852,6 +878,7 @@ WARNING: untranslated string: enable smt = Enable Simultaneous Multi-Threading (
 WARNING: untranslated string: encryption = Encryption:
 WARNING: untranslated string: entropy = Entropy
 WARNING: untranslated string: entropy graphs = Entropy Graphs
+WARNING: untranslated string: error = Error
 WARNING: untranslated string: fallout zombieload ridl = Fallout/ZombieLoad/RIDL
 WARNING: untranslated string: fifteen minutes = 15 Minutes
 WARNING: untranslated string: fireinfo ipfire version = IPFire version
@@ -1161,6 +1188,7 @@ WARNING: untranslated string: no data = unknown string
 WARNING: untranslated string: none = none
 WARNING: untranslated string: not a valid dh key = Not a valid Diffie-Hellman parameters file. Please use a length of 2048, 3072 or 4096 bits and the PKCS#3 format.
 WARNING: untranslated string: not affected = Not Affected
+WARNING: untranslated string: not validating = Not validating
 WARNING: untranslated string: notice = Notice
 WARNING: untranslated string: one hour = One Hour
 WARNING: untranslated string: one month = One Month
@@ -1244,7 +1272,9 @@ WARNING: untranslated string: ssh agent forwarding = Allow SSH Agent Forwarding
 WARNING: untranslated string: ssh login time = Logged in since
 WARNING: untranslated string: ssh no active logins = No active logins
 WARNING: untranslated string: ssh username = Username
+WARNING: untranslated string: standard = Standard
 WARNING: untranslated string: static routes = Static Routes
+WARNING: untranslated string: strict = Strict
 WARNING: untranslated string: subnet mask = Subnet Mask
 WARNING: untranslated string: support donation = Support the IPFire project with your donation
 WARNING: untranslated string: system has rdrand = This system has support for Intel(R) RDRAND.
diff --git a/doc/language_issues.fr b/doc/language_issues.fr
index fdab9b4e1..c600be801 100644
--- a/doc/language_issues.fr
+++ b/doc/language_issues.fr
@@ -227,7 +227,23 @@ WARNING: translation string unused: dmz pinhole configuration
 WARNING: translation string unused: dmz pinhole rule added
 WARNING: translation string unused: dmz pinhole rule removed
 WARNING: translation string unused: dmzpinholes for same net not necessary
+WARNING: translation string unused: dns address deleted
+WARNING: translation string unused: dns address deleted txt
+WARNING: translation string unused: dns address done
+WARNING: translation string unused: dns address recon
+WARNING: translation string unused: dns desc
+WARNING: translation string unused: dns error 0
+WARNING: translation string unused: dns error 01
+WARNING: translation string unused: dns error 1
+WARNING: translation string unused: dns header
+WARNING: translation string unused: dns list
+WARNING: translation string unused: dns menu
+WARNING: translation string unused: dns new 0
+WARNING: translation string unused: dns new 1
+WARNING: translation string unused: dns saved
+WARNING: translation string unused: dns saved txt
 WARNING: translation string unused: dns server
+WARNING: translation string unused: dnssec information
 WARNING: translation string unused: do not log this port list
 WARNING: translation string unused: domain not set
 WARNING: translation string unused: donation-link
@@ -265,7 +281,6 @@ WARNING: translation string unused: err rs 1
 WARNING: translation string unused: err rs 6 decrypt
 WARNING: translation string unused: err rs 7 untartst
 WARNING: translation string unused: err rs 8 untar
-WARNING: translation string unused: error
 WARNING: translation string unused: error config
 WARNING: translation string unused: error external access
 WARNING: translation string unused: esp encryption
@@ -436,6 +451,7 @@ WARNING: translation string unused: mac address error not 00
 WARNING: translation string unused: mailmethod
 WARNING: translation string unused: mailprogramm
 WARNING: translation string unused: manage ovpn
+WARNING: translation string unused: manual
 WARNING: translation string unused: manual control and status
 WARNING: translation string unused: marked
 WARNING: translation string unused: max incoming size
@@ -793,7 +809,18 @@ WARNING: translation string unused: zoneconf val zoneslave amount error
 WARNING: untranslated string: Captive ACTIVATE = unknown string
 WARNING: untranslated string: Captive clients = unknown string
 WARNING: untranslated string: Scan for Songs = unknown string
+WARNING: untranslated string: broken = Broken
 WARNING: untranslated string: bytes = unknown string
+WARNING: untranslated string: dns = unknown string
+WARNING: untranslated string: dns configuration = DNS Configuration
+WARNING: untranslated string: dns could not add server = Could not add server - Reason:
+WARNING: untranslated string: dns enable safe-search = Enable Safe Search
+WARNING: untranslated string: dns isp assigned nameserver = ISP-assigned DNS server
+WARNING: untranslated string: dns mode for qname minimisation = QNAME Minimisation
+WARNING: untranslated string: dns no tls hostname given = No TLS hostname given.
+WARNING: untranslated string: dns tls hostname = TLS Hostname
+WARNING: untranslated string: dns use isp assigned nameservers = Use ISP-assigned DNS servers
+WARNING: untranslated string: dns use protocol for dns queries = Protocol for DNS queries
 WARNING: untranslated string: fwhost cust geoipgrp = unknown string
 WARNING: untranslated string: fwhost err hostip = unknown string
 WARNING: untranslated string: guardian block a host = unknown string
@@ -828,9 +855,12 @@ WARNING: untranslated string: guardian service = unknown string
 WARNING: untranslated string: ike lifetime should be between 1 and 8 hours = unknown string
 WARNING: untranslated string: info messages = unknown string
 WARNING: untranslated string: no data = unknown string
+WARNING: untranslated string: not validating = Not validating
 WARNING: untranslated string: pakfire ago = ago.
 WARNING: untranslated string: route config changed = unknown string
 WARNING: untranslated string: routing config added = unknown string
 WARNING: untranslated string: routing config changed = unknown string
 WARNING: untranslated string: routing table = unknown string
+WARNING: untranslated string: standard = Standard
+WARNING: untranslated string: strict = Strict
 WARNING: untranslated string: vpn statistics n2n = unknown string
diff --git a/doc/language_issues.it b/doc/language_issues.it
index b9089abfd..96feb3a3e 100644
--- a/doc/language_issues.it
+++ b/doc/language_issues.it
@@ -204,8 +204,24 @@ WARNING: translation string unused: dmz pinhole configuration
 WARNING: translation string unused: dmz pinhole rule added
 WARNING: translation string unused: dmz pinhole rule removed
 WARNING: translation string unused: dmzpinholes for same net not necessary
+WARNING: translation string unused: dns address deleted
+WARNING: translation string unused: dns address deleted txt
+WARNING: translation string unused: dns address done
+WARNING: translation string unused: dns address recon
+WARNING: translation string unused: dns desc
+WARNING: translation string unused: dns error 0
+WARNING: translation string unused: dns error 01
+WARNING: translation string unused: dns error 1
+WARNING: translation string unused: dns header
+WARNING: translation string unused: dns list
+WARNING: translation string unused: dns menu
+WARNING: translation string unused: dns new 0
+WARNING: translation string unused: dns new 1
+WARNING: translation string unused: dns saved
+WARNING: translation string unused: dns saved txt
 WARNING: translation string unused: dns server
 WARNING: translation string unused: dnsforward forward_server
+WARNING: translation string unused: dnssec information
 WARNING: translation string unused: do not log this port list
 WARNING: translation string unused: domain not set
 WARNING: translation string unused: donation-link
@@ -411,6 +427,7 @@ WARNING: translation string unused: mac address error not 00
 WARNING: translation string unused: mailmethod
 WARNING: translation string unused: mailprogramm
 WARNING: translation string unused: manage ovpn
+WARNING: translation string unused: manual
 WARNING: translation string unused: manual control and status
 WARNING: translation string unused: marked
 WARNING: translation string unused: max incoming size
@@ -813,6 +830,7 @@ WARNING: untranslated string: advproxy wpad title = Web Proxy Auto-Discovery Pro
 WARNING: untranslated string: advproxy wpad view pac = Open PAC File
 WARNING: untranslated string: application layer gateways = Application Layer Gateways
 WARNING: untranslated string: block = Block
+WARNING: untranslated string: broken = Broken
 WARNING: untranslated string: bytes = unknown string
 WARNING: untranslated string: check all = Check all
 WARNING: untranslated string: crypto error = Cryptographic error
@@ -825,8 +843,18 @@ WARNING: untranslated string: dhcp dns update = DNS Update
 WARNING: untranslated string: dhcp dns update algo = Algorithm
 WARNING: untranslated string: dhcp dns update secret = Secret
 WARNING: untranslated string: dl client arch insecure = Download insecure Client Package (zip)
+WARNING: untranslated string: dns = unknown string
+WARNING: untranslated string: dns configuration = DNS Configuration
+WARNING: untranslated string: dns could not add server = Could not add server - Reason:
+WARNING: untranslated string: dns enable safe-search = Enable Safe Search
 WARNING: untranslated string: dns forward disable dnssec = Disable DNSSEC (dangerous)
 WARNING: untranslated string: dns forwarding dnssec disabled notice = (DNSSEC disabled)
+WARNING: untranslated string: dns isp assigned nameserver = ISP-assigned DNS server
+WARNING: untranslated string: dns mode for qname minimisation = QNAME Minimisation
+WARNING: untranslated string: dns no tls hostname given = No TLS hostname given.
+WARNING: untranslated string: dns tls hostname = TLS Hostname
+WARNING: untranslated string: dns use isp assigned nameservers = Use ISP-assigned DNS servers
+WARNING: untranslated string: dns use protocol for dns queries = Protocol for DNS queries
 WARNING: untranslated string: dnsforward dnssec disabled = DNSSEC Validation is disabled
 WARNING: untranslated string: dnsforward forward_servers = Nameservers
 WARNING: untranslated string: dnssec disabled warning = WARNING: DNSSEC has been disabled
@@ -849,6 +877,7 @@ WARNING: untranslated string: email tls = Use TLS
 WARNING: untranslated string: email usemail = Activate Mail Service
 WARNING: untranslated string: emerging pro rules = Emergingthreats.net Pro Rules
 WARNING: untranslated string: enable smt = Enable Simultaneous Multi-Threading (SMT)
+WARNING: untranslated string: error = Error
 WARNING: untranslated string: fallout zombieload ridl = Fallout/ZombieLoad/RIDL
 WARNING: untranslated string: fifteen minutes = 15 Minutes
 WARNING: untranslated string: firewall graph country = Firewall-Diagram (Country)
@@ -968,6 +997,7 @@ WARNING: untranslated string: mtu = MTU
 WARNING: untranslated string: no data = unknown string
 WARNING: untranslated string: none = none
 WARNING: untranslated string: not affected = Not Affected
+WARNING: untranslated string: not validating = Not validating
 WARNING: untranslated string: one hour = One Hour
 WARNING: untranslated string: one month = One Month
 WARNING: untranslated string: one week = One Week
@@ -1005,6 +1035,8 @@ WARNING: untranslated string: ssh agent forwarding = Allow SSH Agent Forwarding
 WARNING: untranslated string: ssh login time = Logged in since
 WARNING: untranslated string: ssh no active logins = No active logins
 WARNING: untranslated string: ssh username = Username
+WARNING: untranslated string: standard = Standard
+WARNING: untranslated string: strict = Strict
 WARNING: untranslated string: subnet mask = Subnet Mask
 WARNING: untranslated string: system is offline = The system is offline.
 WARNING: untranslated string: taa zombieload2 = TSX Async Abort / ZombieLoad v2
diff --git a/doc/language_issues.nl b/doc/language_issues.nl
index f8c84b2da..ab7c2e81e 100644
--- a/doc/language_issues.nl
+++ b/doc/language_issues.nl
@@ -202,6 +202,21 @@ WARNING: translation string unused: dmz pinhole configuration
 WARNING: translation string unused: dmz pinhole rule added
 WARNING: translation string unused: dmz pinhole rule removed
 WARNING: translation string unused: dmzpinholes for same net not necessary
+WARNING: translation string unused: dns address deleted
+WARNING: translation string unused: dns address deleted txt
+WARNING: translation string unused: dns address done
+WARNING: translation string unused: dns address recon
+WARNING: translation string unused: dns desc
+WARNING: translation string unused: dns error 0
+WARNING: translation string unused: dns error 01
+WARNING: translation string unused: dns error 1
+WARNING: translation string unused: dns header
+WARNING: translation string unused: dns list
+WARNING: translation string unused: dns menu
+WARNING: translation string unused: dns new 0
+WARNING: translation string unused: dns new 1
+WARNING: translation string unused: dns saved
+WARNING: translation string unused: dns saved txt
 WARNING: translation string unused: dns server
 WARNING: translation string unused: dnsforward forward_server
 WARNING: translation string unused: do not log this port list
@@ -409,6 +424,7 @@ WARNING: translation string unused: mac address error not 00
 WARNING: translation string unused: mailmethod
 WARNING: translation string unused: mailprogramm
 WARNING: translation string unused: manage ovpn
+WARNING: translation string unused: manual
 WARNING: translation string unused: manual control and status
 WARNING: translation string unused: marked
 WARNING: translation string unused: max incoming size
@@ -808,6 +824,7 @@ WARNING: untranslated string: advproxy wpad view pac = Open PAC File
 WARNING: untranslated string: application layer gateways = Application Layer Gateways
 WARNING: untranslated string: atm device = Device:
 WARNING: untranslated string: block = Block
+WARNING: untranslated string: broken = Broken
 WARNING: untranslated string: bytes = unknown string
 WARNING: untranslated string: capabilities = Capabilities
 WARNING: untranslated string: check all = Check all
@@ -827,14 +844,23 @@ WARNING: untranslated string: dhcp dns update = DNS Update
 WARNING: untranslated string: dhcp dns update algo = Algorithm
 WARNING: untranslated string: dhcp dns update secret = Secret
 WARNING: untranslated string: dl client arch insecure = Download insecure Client Package (zip)
+WARNING: untranslated string: dns = unknown string
+WARNING: untranslated string: dns configuration = DNS Configuration
+WARNING: untranslated string: dns could not add server = Could not add server - Reason:
+WARNING: untranslated string: dns enable safe-search = Enable Safe Search
 WARNING: untranslated string: dns forward disable dnssec = Disable DNSSEC (dangerous)
 WARNING: untranslated string: dns forwarding dnssec disabled notice = (DNSSEC disabled)
+WARNING: untranslated string: dns isp assigned nameserver = ISP-assigned DNS server
+WARNING: untranslated string: dns mode for qname minimisation = QNAME Minimisation
+WARNING: untranslated string: dns no tls hostname given = No TLS hostname given.
 WARNING: untranslated string: dns servers = DNS Servers
+WARNING: untranslated string: dns tls hostname = TLS Hostname
+WARNING: untranslated string: dns use isp assigned nameservers = Use ISP-assigned DNS servers
+WARNING: untranslated string: dns use protocol for dns queries = Protocol for DNS queries
 WARNING: untranslated string: dnsforward dnssec disabled = DNSSEC Validation is disabled
 WARNING: untranslated string: dnsforward forward_servers = Nameservers
 WARNING: untranslated string: dnssec aware = DNSSEC Aware
 WARNING: untranslated string: dnssec disabled warning = WARNING: DNSSEC has been disabled
-WARNING: untranslated string: dnssec information = DNSSEC Information
 WARNING: untranslated string: dnssec not supported = DNSSEC Not supported
 WARNING: untranslated string: dnssec validating = DNSSEC Validating
 WARNING: untranslated string: download tls-auth key = Download tls-auth key
@@ -858,6 +884,7 @@ WARNING: untranslated string: email tls = Use TLS
 WARNING: untranslated string: email usemail = Activate Mail Service
 WARNING: untranslated string: emerging pro rules = Emergingthreats.net Pro Rules
 WARNING: untranslated string: enable smt = Enable Simultaneous Multi-Threading (SMT)
+WARNING: untranslated string: error = Error
 WARNING: untranslated string: fallout zombieload ridl = Fallout/ZombieLoad/RIDL
 WARNING: untranslated string: fifteen minutes = 15 Minutes
 WARNING: untranslated string: firewall graph country = Firewall-Diagram (Country)
@@ -997,6 +1024,7 @@ WARNING: untranslated string: no data = unknown string
 WARNING: untranslated string: none = none
 WARNING: untranslated string: not a valid dh key = Not a valid Diffie-Hellman parameters file. Please use a length of 2048, 3072 or 4096 bits and the PKCS#3 format.
 WARNING: untranslated string: not affected = Not Affected
+WARNING: untranslated string: not validating = Not validating
 WARNING: untranslated string: one hour = One Hour
 WARNING: untranslated string: one month = One Month
 WARNING: untranslated string: one week = One Week
@@ -1046,6 +1074,8 @@ WARNING: untranslated string: ssh agent forwarding = Allow SSH Agent Forwarding
 WARNING: untranslated string: ssh login time = Logged in since
 WARNING: untranslated string: ssh no active logins = No active logins
 WARNING: untranslated string: ssh username = Username
+WARNING: untranslated string: standard = Standard
+WARNING: untranslated string: strict = Strict
 WARNING: untranslated string: subnet mask = Subnet Mask
 WARNING: untranslated string: system is offline = The system is offline.
 WARNING: untranslated string: ta key = TLS-Authentification-Key
diff --git a/doc/language_issues.pl b/doc/language_issues.pl
index 7ce921f91..0c9853d12 100644
--- a/doc/language_issues.pl
+++ b/doc/language_issues.pl
@@ -194,6 +194,21 @@ WARNING: translation string unused: dmz pinhole configuration
 WARNING: translation string unused: dmz pinhole rule added
 WARNING: translation string unused: dmz pinhole rule removed
 WARNING: translation string unused: dmzpinholes for same net not necessary
+WARNING: translation string unused: dns address deleted
+WARNING: translation string unused: dns address deleted txt
+WARNING: translation string unused: dns address done
+WARNING: translation string unused: dns address recon
+WARNING: translation string unused: dns desc
+WARNING: translation string unused: dns error 0
+WARNING: translation string unused: dns error 01
+WARNING: translation string unused: dns error 1
+WARNING: translation string unused: dns header
+WARNING: translation string unused: dns list
+WARNING: translation string unused: dns menu
+WARNING: translation string unused: dns new 0
+WARNING: translation string unused: dns new 1
+WARNING: translation string unused: dns saved
+WARNING: translation string unused: dns saved txt
 WARNING: translation string unused: dns server
 WARNING: translation string unused: do not log this port list
 WARNING: translation string unused: domain not set
@@ -359,6 +374,7 @@ WARNING: translation string unused: mac address error not 00
 WARNING: translation string unused: mailmethod
 WARNING: translation string unused: mailprogramm
 WARNING: translation string unused: manage ovpn
+WARNING: translation string unused: manual
 WARNING: translation string unused: manual control and status
 WARNING: translation string unused: marked
 WARNING: translation string unused: max incoming size
@@ -740,6 +756,7 @@ WARNING: untranslated string: atm device = Device:
 WARNING: untranslated string: attention = ATTENTION
 WARNING: untranslated string: bit = bit
 WARNING: untranslated string: block = Block
+WARNING: untranslated string: broken = Broken
 WARNING: untranslated string: bytes = unknown string
 WARNING: untranslated string: capabilities = Capabilities
 WARNING: untranslated string: ccd add = Add network
@@ -804,9 +821,19 @@ WARNING: untranslated string: dhcp dns update algo = Algorithm
 WARNING: untranslated string: dhcp dns update secret = Secret
 WARNING: untranslated string: dl client arch insecure = Download insecure Client Package (zip)
 WARNING: untranslated string: dnat address = Firewall Interface
+WARNING: untranslated string: dns = unknown string
+WARNING: untranslated string: dns configuration = DNS Configuration
+WARNING: untranslated string: dns could not add server = Could not add server - Reason:
+WARNING: untranslated string: dns enable safe-search = Enable Safe Search
 WARNING: untranslated string: dns forward disable dnssec = Disable DNSSEC (dangerous)
 WARNING: untranslated string: dns forwarding dnssec disabled notice = (DNSSEC disabled)
+WARNING: untranslated string: dns isp assigned nameserver = ISP-assigned DNS server
+WARNING: untranslated string: dns mode for qname minimisation = QNAME Minimisation
+WARNING: untranslated string: dns no tls hostname given = No TLS hostname given.
 WARNING: untranslated string: dns servers = DNS Servers
+WARNING: untranslated string: dns tls hostname = TLS Hostname
+WARNING: untranslated string: dns use isp assigned nameservers = Use ISP-assigned DNS servers
+WARNING: untranslated string: dns use protocol for dns queries = Protocol for DNS queries
 WARNING: untranslated string: dnsforward = DNS Forwarding
 WARNING: untranslated string: dnsforward add a new entry = Add a new entry
 WARNING: untranslated string: dnsforward configuration = DNS forward configuration
@@ -817,7 +844,6 @@ WARNING: untranslated string: dnsforward forward_servers = Nameservers
 WARNING: untranslated string: dnsforward zone = Zone
 WARNING: untranslated string: dnssec aware = DNSSEC Aware
 WARNING: untranslated string: dnssec disabled warning = WARNING: DNSSEC has been disabled
-WARNING: untranslated string: dnssec information = DNSSEC Information
 WARNING: untranslated string: dnssec not supported = DNSSEC Not supported
 WARNING: untranslated string: dnssec validating = DNSSEC Validating
 WARNING: untranslated string: downlink = Downlink
@@ -852,6 +878,7 @@ WARNING: untranslated string: enable smt = Enable Simultaneous Multi-Threading (
 WARNING: untranslated string: encryption = Encryption:
 WARNING: untranslated string: entropy = Entropy
 WARNING: untranslated string: entropy graphs = Entropy Graphs
+WARNING: untranslated string: error = Error
 WARNING: untranslated string: fallout zombieload ridl = Fallout/ZombieLoad/RIDL
 WARNING: untranslated string: fifteen minutes = 15 Minutes
 WARNING: untranslated string: fireinfo ipfire version = IPFire version
@@ -1161,6 +1188,7 @@ WARNING: untranslated string: no data = unknown string
 WARNING: untranslated string: none = none
 WARNING: untranslated string: not a valid dh key = Not a valid Diffie-Hellman parameters file. Please use a length of 2048, 3072 or 4096 bits and the PKCS#3 format.
 WARNING: untranslated string: not affected = Not Affected
+WARNING: untranslated string: not validating = Not validating
 WARNING: untranslated string: notice = Notice
 WARNING: untranslated string: one hour = One Hour
 WARNING: untranslated string: one month = One Month
@@ -1244,7 +1272,9 @@ WARNING: untranslated string: ssh agent forwarding = Allow SSH Agent Forwarding
 WARNING: untranslated string: ssh login time = Logged in since
 WARNING: untranslated string: ssh no active logins = No active logins
 WARNING: untranslated string: ssh username = Username
+WARNING: untranslated string: standard = Standard
 WARNING: untranslated string: static routes = Static Routes
+WARNING: untranslated string: strict = Strict
 WARNING: untranslated string: subnet mask = Subnet Mask
 WARNING: untranslated string: support donation = Support the IPFire project with your donation
 WARNING: untranslated string: system has rdrand = This system has support for Intel(R) RDRAND.
diff --git a/doc/language_issues.ru b/doc/language_issues.ru
index 0cd31c5b4..dfea6d4cd 100644
--- a/doc/language_issues.ru
+++ b/doc/language_issues.ru
@@ -194,6 +194,21 @@ WARNING: translation string unused: dmz pinhole configuration
 WARNING: translation string unused: dmz pinhole rule added
 WARNING: translation string unused: dmz pinhole rule removed
 WARNING: translation string unused: dmzpinholes for same net not necessary
+WARNING: translation string unused: dns address deleted
+WARNING: translation string unused: dns address deleted txt
+WARNING: translation string unused: dns address done
+WARNING: translation string unused: dns address recon
+WARNING: translation string unused: dns desc
+WARNING: translation string unused: dns error 0
+WARNING: translation string unused: dns error 01
+WARNING: translation string unused: dns error 1
+WARNING: translation string unused: dns header
+WARNING: translation string unused: dns list
+WARNING: translation string unused: dns menu
+WARNING: translation string unused: dns new 0
+WARNING: translation string unused: dns new 1
+WARNING: translation string unused: dns saved
+WARNING: translation string unused: dns saved txt
 WARNING: translation string unused: dns server
 WARNING: translation string unused: do not log this port list
 WARNING: translation string unused: domain not set
@@ -352,6 +367,7 @@ WARNING: translation string unused: mac address error not 00
 WARNING: translation string unused: mailmethod
 WARNING: translation string unused: mailprogramm
 WARNING: translation string unused: manage ovpn
+WARNING: translation string unused: manual
 WARNING: translation string unused: manual control and status
 WARNING: translation string unused: marked
 WARNING: translation string unused: max incoming size
@@ -742,6 +758,7 @@ WARNING: untranslated string: atm device = Device:
 WARNING: untranslated string: attention = ATTENTION
 WARNING: untranslated string: bit = bit
 WARNING: untranslated string: block = Block
+WARNING: untranslated string: broken = Broken
 WARNING: untranslated string: bytes = unknown string
 WARNING: untranslated string: capabilities = Capabilities
 WARNING: untranslated string: ccd add = Add network
@@ -808,9 +825,19 @@ WARNING: untranslated string: dhcp dns update secret = Secret
 WARNING: untranslated string: disk access per = Disk Access per
 WARNING: untranslated string: dl client arch insecure = Download insecure Client Package (zip)
 WARNING: untranslated string: dnat address = Firewall Interface
+WARNING: untranslated string: dns = unknown string
+WARNING: untranslated string: dns configuration = DNS Configuration
+WARNING: untranslated string: dns could not add server = Could not add server - Reason:
+WARNING: untranslated string: dns enable safe-search = Enable Safe Search
 WARNING: untranslated string: dns forward disable dnssec = Disable DNSSEC (dangerous)
 WARNING: untranslated string: dns forwarding dnssec disabled notice = (DNSSEC disabled)
+WARNING: untranslated string: dns isp assigned nameserver = ISP-assigned DNS server
+WARNING: untranslated string: dns mode for qname minimisation = QNAME Minimisation
+WARNING: untranslated string: dns no tls hostname given = No TLS hostname given.
 WARNING: untranslated string: dns servers = DNS Servers
+WARNING: untranslated string: dns tls hostname = TLS Hostname
+WARNING: untranslated string: dns use isp assigned nameservers = Use ISP-assigned DNS servers
+WARNING: untranslated string: dns use protocol for dns queries = Protocol for DNS queries
 WARNING: untranslated string: dnsforward = DNS Forwarding
 WARNING: untranslated string: dnsforward add a new entry = Add a new entry
 WARNING: untranslated string: dnsforward configuration = DNS forward configuration
@@ -821,7 +848,6 @@ WARNING: untranslated string: dnsforward forward_servers = Nameservers
 WARNING: untranslated string: dnsforward zone = Zone
 WARNING: untranslated string: dnssec aware = DNSSEC Aware
 WARNING: untranslated string: dnssec disabled warning = WARNING: DNSSEC has been disabled
-WARNING: untranslated string: dnssec information = DNSSEC Information
 WARNING: untranslated string: dnssec not supported = DNSSEC Not supported
 WARNING: untranslated string: dnssec validating = DNSSEC Validating
 WARNING: untranslated string: downlink = Downlink
@@ -856,6 +882,7 @@ WARNING: untranslated string: enable smt = Enable Simultaneous Multi-Threading (
 WARNING: untranslated string: encryption = Encryption:
 WARNING: untranslated string: entropy = Entropy
 WARNING: untranslated string: entropy graphs = Entropy Graphs
+WARNING: untranslated string: error = Error
 WARNING: untranslated string: extrahd because there is already a device mounted = , because there is already a device mounted
 WARNING: untranslated string: extrahd cant umount = Can't umount
 WARNING: untranslated string: extrahd install or load driver = If your device isn't listed here, you need to install or load the driver.<br />If you can see your device but no partitions you have to create them first.
@@ -1163,6 +1190,7 @@ WARNING: untranslated string: no data = unknown string
 WARNING: untranslated string: none = none
 WARNING: untranslated string: not a valid dh key = Not a valid Diffie-Hellman parameters file. Please use a length of 2048, 3072 or 4096 bits and the PKCS#3 format.
 WARNING: untranslated string: not affected = Not Affected
+WARNING: untranslated string: not validating = Not validating
 WARNING: untranslated string: notice = Notice
 WARNING: untranslated string: one hour = One Hour
 WARNING: untranslated string: one month = One Month
@@ -1240,7 +1268,9 @@ WARNING: untranslated string: ssh agent forwarding = Allow SSH Agent Forwarding
 WARNING: untranslated string: ssh login time = Logged in since
 WARNING: untranslated string: ssh no active logins = No active logins
 WARNING: untranslated string: ssh username = Username
+WARNING: untranslated string: standard = Standard
 WARNING: untranslated string: static routes = Static Routes
+WARNING: untranslated string: strict = Strict
 WARNING: untranslated string: subnet mask = Subnet Mask
 WARNING: untranslated string: support donation = Support the IPFire project with your donation
 WARNING: untranslated string: system has rdrand = This system has support for Intel(R) RDRAND.
diff --git a/doc/language_issues.tr b/doc/language_issues.tr
index ff2550b8d..a65712e9f 100644
--- a/doc/language_issues.tr
+++ b/doc/language_issues.tr
@@ -226,8 +226,24 @@ WARNING: translation string unused: dmz pinhole configuration
 WARNING: translation string unused: dmz pinhole rule added
 WARNING: translation string unused: dmz pinhole rule removed
 WARNING: translation string unused: dmzpinholes for same net not necessary
+WARNING: translation string unused: dns address deleted
+WARNING: translation string unused: dns address deleted txt
+WARNING: translation string unused: dns address done
+WARNING: translation string unused: dns address recon
+WARNING: translation string unused: dns desc
+WARNING: translation string unused: dns error 0
+WARNING: translation string unused: dns error 01
+WARNING: translation string unused: dns error 1
+WARNING: translation string unused: dns header
+WARNING: translation string unused: dns list
+WARNING: translation string unused: dns menu
+WARNING: translation string unused: dns new 0
+WARNING: translation string unused: dns new 1
+WARNING: translation string unused: dns saved
+WARNING: translation string unused: dns saved txt
 WARNING: translation string unused: dns server
 WARNING: translation string unused: dnsforward forward_server
+WARNING: translation string unused: dnssec information
 WARNING: translation string unused: do not log this port list
 WARNING: translation string unused: domain not set
 WARNING: translation string unused: donation-link
@@ -439,6 +455,7 @@ WARNING: translation string unused: mac address error not 00
 WARNING: translation string unused: mailmethod
 WARNING: translation string unused: mailprogramm
 WARNING: translation string unused: manage ovpn
+WARNING: translation string unused: manual
 WARNING: translation string unused: manual control and status
 WARNING: translation string unused: marked
 WARNING: translation string unused: max incoming size
@@ -797,17 +814,29 @@ WARNING: untranslated string: advproxy wpad label dst_noproxy_url = Excluded URL
 WARNING: untranslated string: advproxy wpad notice = Notice: For WPAD/PAC to work properly, furtcher changes need to be made. Please see the <a href="https://wiki.ipfire.org/configuration/network/proxy/extend/wpad" target="_blank">Wiki</a>.
 WARNING: untranslated string: advproxy wpad title = Web Proxy Auto-Discovery Protocol (WPAD) / Proxy Auto-Config (PAC)
 WARNING: untranslated string: advproxy wpad view pac = Open PAC File
+WARNING: untranslated string: broken = Broken
 WARNING: untranslated string: bytes = unknown string
 WARNING: untranslated string: crypto error = Cryptographic error
 WARNING: untranslated string: crypto warning = Cryptographic warning
 WARNING: untranslated string: dangerous = Dangerous
 WARNING: untranslated string: default IP address = Default IP Address
+WARNING: untranslated string: dns = unknown string
+WARNING: untranslated string: dns configuration = DNS Configuration
+WARNING: untranslated string: dns could not add server = Could not add server - Reason:
+WARNING: untranslated string: dns enable safe-search = Enable Safe Search
 WARNING: untranslated string: dns forward disable dnssec = Disable DNSSEC (dangerous)
 WARNING: untranslated string: dns forwarding dnssec disabled notice = (DNSSEC disabled)
+WARNING: untranslated string: dns isp assigned nameserver = ISP-assigned DNS server
+WARNING: untranslated string: dns mode for qname minimisation = QNAME Minimisation
+WARNING: untranslated string: dns no tls hostname given = No TLS hostname given.
+WARNING: untranslated string: dns tls hostname = TLS Hostname
+WARNING: untranslated string: dns use isp assigned nameservers = Use ISP-assigned DNS servers
+WARNING: untranslated string: dns use protocol for dns queries = Protocol for DNS queries
 WARNING: untranslated string: dnsforward dnssec disabled = DNSSEC Validation is disabled
 WARNING: untranslated string: dnsforward forward_servers = Nameservers
 WARNING: untranslated string: emerging pro rules = Emergingthreats.net Pro Rules
 WARNING: untranslated string: enable smt = Enable Simultaneous Multi-Threading (SMT)
+WARNING: untranslated string: error = Error
 WARNING: untranslated string: fallout zombieload ridl = Fallout/ZombieLoad/RIDL
 WARNING: untranslated string: force enable = Forced
 WARNING: untranslated string: foreshadow = Foreshadow
@@ -885,6 +914,7 @@ WARNING: untranslated string: mitigated = Mitigated
 WARNING: untranslated string: mtu = MTU
 WARNING: untranslated string: no data = unknown string
 WARNING: untranslated string: not affected = Not Affected
+WARNING: untranslated string: not validating = Not validating
 WARNING: untranslated string: ovpn error dh = The Diffie-Hellman parameter needs to be in minimum 2048 bit! <br>Please generate or upload a new Diffie-Hellman parameter, this can be made below in the section "Diffie-Hellman parameters options".</br>
 WARNING: untranslated string: ovpn error md5 = You host certificate uses MD5 for the signature which is not accepted anymore. <br>Please update to the latest IPFire version and generate a new root and host certificate.</br><br>All OpenVPN clients needs then to be renewed!</br>
 WARNING: untranslated string: ovpn tls auth = TLS Channel Protection:
@@ -907,6 +937,8 @@ WARNING: untranslated string: ssh agent forwarding = Allow SSH Agent Forwarding
 WARNING: untranslated string: ssh login time = Logged in since
 WARNING: untranslated string: ssh no active logins = No active logins
 WARNING: untranslated string: ssh username = Username
+WARNING: untranslated string: standard = Standard
+WARNING: untranslated string: strict = Strict
 WARNING: untranslated string: subnet mask = Subnet Mask
 WARNING: untranslated string: system is offline = The system is offline.
 WARNING: untranslated string: taa zombieload2 = TSX Async Abort / ZombieLoad v2
diff --git a/doc/language_missings b/doc/language_missings
index 5c333f866..6283a5ed4 100644
--- a/doc/language_missings
+++ b/doc/language_missings
@@ -21,6 +21,7 @@
 < backup protect key password
 < bewan adsl pci st
 < bewan adsl usb
+< broken
 < Captive heading terms
 < Captive heading voucher
 < Captive invalid coupon
@@ -35,6 +36,15 @@
 < dhcp server disabled on blue interface
 < dhcp server enabled on blue interface
 < dh name is invalid
+< dns configuration
+< dns could not add server
+< dns enable safe-search
+< dns isp assigned nameserver
+< dns mode for qname minimisation
+< dns no tls hostname given
+< dns tls hostname
+< dns use isp assigned nameservers
+< dns use protocol for dns queries
 < done
 < emerging pro rules
 < emerging rules
@@ -48,11 +58,15 @@
 < insert removable device
 < itlb multihit
 < notes
+< not validating
+< okay
 < quick control
 < shaping add options
 < show areas
 < show lines
 < show tls-auth key
+< standard
+< strict
 < taa zombieload2
 < teovpn_fragment
 < tor bridge enabled
@@ -97,6 +111,7 @@
 < attention
 < bit
 < block
+< broken
 < capabilities
 < Captive
 < Captive 1day
@@ -225,6 +240,9 @@
 < Disabled
 < dl client arch insecure
 < dnat address
+< dns configuration
+< dns could not add server
+< dns enable safe-search
 < dnsforward
 < dnsforward add a new entry
 < dnsforward configuration
@@ -235,12 +253,18 @@
 < dnsforward forward_servers
 < dns forwarding dnssec disabled notice
 < dnsforward zone
+< dns isp assigned nameserver
+< dns mode for qname minimisation
+< dns no tls hostname given
 < dnssec aware
 < dnssec disabled warning
 < dnssec information
 < dnssec not supported
 < dnssec validating
 < dns servers
+< dns tls hostname
+< dns use isp assigned nameservers
+< dns use protocol for dns queries
 < downlink
 < download dh parameter
 < download tls-auth key
@@ -606,7 +630,9 @@
 < not affected
 < not a valid dh key
 < notice
+< not validating
 < Number of Countries for the pie chart
+< okay
 < one hour
 < one month
 < one week
@@ -710,7 +736,9 @@
 < ssh login time
 < ssh no active logins
 < ssh username
+< standard
 < static routes
+< strict
 < subnet mask
 < support donation
 < system has hwrng
@@ -888,6 +916,20 @@
 ############################################################################
 # Checking cgi-bin translations for language: fr                           #
 ############################################################################
+< broken
+< dns configuration
+< dns could not add server
+< dns enable safe-search
+< dns isp assigned nameserver
+< dns mode for qname minimisation
+< dns no tls hostname given
+< dns tls hostname
+< dns use isp assigned nameservers
+< dns use protocol for dns queries
+< not validating
+< okay
+< standard
+< strict
 ############################################################################
 # Checking cgi-bin translations for language: it                           #
 ############################################################################
@@ -909,6 +951,7 @@
 < advproxy wpad view pac
 < application layer gateways
 < block
+< broken
 < Captive
 < Captive 1day
 < Captive 1month
@@ -977,11 +1020,20 @@
 < dhcp dns update secret
 < Disabled
 < dl client arch insecure
+< dns configuration
+< dns could not add server
+< dns enable safe-search
 < dns forward disable dnssec
 < dnsforward dnssec disabled
 < dnsforward forward_servers
 < dns forwarding dnssec disabled notice
+< dns isp assigned nameserver
+< dns mode for qname minimisation
+< dns no tls hostname given
 < dnssec disabled warning
+< dns tls hostname
+< dns use isp assigned nameservers
+< dns use protocol for dns queries
 < eight hours
 < email config
 < email empty field
@@ -1097,7 +1149,9 @@
 < MTU settings
 < none
 < not affected
+< not validating
 < Number of Countries for the pie chart
+< okay
 < one hour
 < one month
 < one week
@@ -1132,6 +1186,8 @@
 < ssh login time
 < ssh no active logins
 < ssh username
+< standard
+< strict
 < subnet mask
 < system is offline
 < taa zombieload2
@@ -1225,6 +1281,7 @@
 < application layer gateways
 < atm device
 < block
+< broken
 < capabilities
 < Captive
 < Captive 1day
@@ -1301,16 +1358,25 @@
 < dh parameter
 < Disabled
 < dl client arch insecure
+< dns configuration
+< dns could not add server
+< dns enable safe-search
 < dns forward disable dnssec
 < dnsforward dnssec disabled
 < dnsforward forward_servers
 < dns forwarding dnssec disabled notice
+< dns isp assigned nameserver
+< dns mode for qname minimisation
+< dns no tls hostname given
 < dnssec aware
 < dnssec disabled warning
 < dnssec information
 < dnssec not supported
 < dnssec validating
 < dns servers
+< dns tls hostname
+< dns use isp assigned nameservers
+< dns use protocol for dns queries
 < download dh parameter
 < download tls-auth key
 < drop outgoing
@@ -1450,7 +1516,9 @@
 < none
 < not affected
 < not a valid dh key
+< not validating
 < Number of Countries for the pie chart
+< okay
 < one hour
 < one month
 < one week
@@ -1499,6 +1567,8 @@
 < ssh login time
 < ssh no active logins
 < ssh username
+< standard
+< strict
 < subnet mask
 < system is offline
 < taa zombieload2
@@ -1609,6 +1679,7 @@
 < attention
 < bit
 < block
+< broken
 < capabilities
 < Captive
 < Captive 1day
@@ -1738,6 +1809,9 @@
 < Disabled
 < dl client arch insecure
 < dnat address
+< dns configuration
+< dns could not add server
+< dns enable safe-search
 < dnsforward
 < dnsforward add a new entry
 < dnsforward configuration
@@ -1748,12 +1822,18 @@
 < dnsforward forward_servers
 < dns forwarding dnssec disabled notice
 < dnsforward zone
+< dns isp assigned nameserver
+< dns mode for qname minimisation
+< dns no tls hostname given
 < dnssec aware
 < dnssec disabled warning
 < dnssec information
 < dnssec not supported
 < dnssec validating
 < dns servers
+< dns tls hostname
+< dns use isp assigned nameservers
+< dns use protocol for dns queries
 < downlink
 < download dh parameter
 < download tls-auth key
@@ -2121,7 +2201,9 @@
 < not affected
 < not a valid dh key
 < notice
+< not validating
 < Number of Countries for the pie chart
+< okay
 < one hour
 < one month
 < one week
@@ -2210,7 +2292,9 @@
 < ssh login time
 < ssh no active logins
 < ssh username
+< standard
 < static routes
+< strict
 < subnet mask
 < support donation
 < system has hwrng
@@ -2421,6 +2505,7 @@
 < attention
 < bit
 < block
+< broken
 < capabilities
 < Captive
 < Captive 1day
@@ -2552,6 +2637,9 @@
 < disk access per
 < dl client arch insecure
 < dnat address
+< dns configuration
+< dns could not add server
+< dns enable safe-search
 < dnsforward
 < dnsforward add a new entry
 < dnsforward configuration
@@ -2562,12 +2650,18 @@
 < dnsforward forward_servers
 < dns forwarding dnssec disabled notice
 < dnsforward zone
+< dns isp assigned nameserver
+< dns mode for qname minimisation
+< dns no tls hostname given
 < dnssec aware
 < dnssec disabled warning
 < dnssec information
 < dnssec not supported
 < dnssec validating
 < dns servers
+< dns tls hostname
+< dns use isp assigned nameservers
+< dns use protocol for dns queries
 < downlink
 < download dh parameter
 < download tls-auth key
@@ -2940,7 +3034,9 @@
 < not affected
 < not a valid dh key
 < notice
+< not validating
 < Number of Countries for the pie chart
+< okay
 < one hour
 < one month
 < one week
@@ -3026,7 +3122,9 @@
 < ssh login time
 < ssh no active logins
 < ssh username
+< standard
 < static routes
+< strict
 < subnet mask
 < support donation
 < system has hwrng
@@ -3213,6 +3311,7 @@
 < advproxy wpad notice
 < advproxy wpad title
 < advproxy wpad view pac
+< broken
 < Captive delete logo
 < crypto error
 < cryptographic settings
@@ -3221,10 +3320,19 @@
 < dangerous
 < default IP address
 < Disabled
+< dns configuration
+< dns could not add server
+< dns enable safe-search
 < dns forward disable dnssec
 < dnsforward dnssec disabled
 < dnsforward forward_servers
 < dns forwarding dnssec disabled notice
+< dns isp assigned nameserver
+< dns mode for qname minimisation
+< dns no tls hostname given
+< dns tls hostname
+< dns use isp assigned nameservers
+< dns use protocol for dns queries
 < emerging pro rules
 < enable smt
 < error
@@ -3272,6 +3380,8 @@
 < mitigated
 < mtu
 < not affected
+< not validating
+< okay
 < ovpn error dh
 < ovpn error md5
 < ovpn tls auth
@@ -3291,6 +3401,8 @@
 < ssh login time
 < ssh no active logins
 < ssh username
+< standard
+< strict
 < subnet mask
 < system is offline
 < taa zombieload2
diff --git a/html/cgi-bin/dns.cgi b/html/cgi-bin/dns.cgi
old mode 100644
new mode 100755
index eee7a90b4..ff228422b
--- a/html/cgi-bin/dns.cgi
+++ b/html/cgi-bin/dns.cgi
@@ -2,7 +2,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2019  IPFire Team  <info(a)ipfire.org>                     #
+# Copyright (C) 2020  IPFire Development Team                                 #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -20,166 +20,896 @@
 ###############################################################################
 
 use strict;
+use IO::Socket;
 
 # enable only the following on debugging purpose
 #use warnings;
 #use CGI::Carp 'fatalsToBrowser';
 
 require '/var/ipfire/general-functions.pl';
+require "${General::swroot}/geoip-functions.pl";
+require "${General::swroot}/ids-functions.pl";
 require "${General::swroot}/lang.pl";
 require "${General::swroot}/header.pl";
 
-my %dnssettings=();
+#workaround to suppress a warning when a variable is used only once
+my @dummy = ( ${Header::colouryellow} );
+undef (@dummy);
+
+my %cgiparams=();
+my %checked=();
+my %selected=();
 my $errormessage = '';
 
+# Config file which stores the DNS settings.
+my $settings_file = "${General::swroot}/dns/settings";
+
+# File which stores the configured DNS-Servers.
+my $servers_file = "${General::swroot}/dns/servers";
+
+# Create files if the does not exist.
+unless (-f $settings_file) { system("touch $settings_file") };
+unless (-f $servers_file) { system("touch $servers_file") };
+
+# File which stores the ISP assigned DNS servers.
+my @ISP_nameserver_files = ( "/var/run/dns1", "/var/run/dns2" );
+
+# File which contains the ca-certificates.
+my $ca_certs_file = "/etc/ssl/certs/ca-bundle.crt";
+
+# Server which is used, to determine if the whole DNS system works properly.
+my $dns_test_server = "ping.ipfire.org";
+
+my $check_servers;
+
+my %color = ();
+my %mainsettings = ();
+&General::readhash("${General::swroot}/main/settings", \%mainsettings);
+&General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color);
+
 &Header::showhttpheaders();
+&Header::getcgihash(\%cgiparams);
 
-&General::readhash("${General::swroot}/dns/settings", \%dnssettings);
+##
+# Save general settings.
+#
+if ($cgiparams{'GENERAL'} eq $Lang::tr{'save'}) {
+	# Prevent form name from been stored in conf file.
+	delete $cgiparams{'GENERAL'};
 
-&Header::getcgihash(\%dnssettings);
+	# Add value for non-checked checkbox.
+	if ($cgiparams{'USE_ISP_NAMESERVERS'} ne "on") {
+		$cgiparams{'USE_ISP_NAMESERVERS'} = "off";
+	}
 
-&Header::openpage($Lang::tr{'dns title'}, 1, );
+	# Add value for non-checked checkbox.
+	if ($cgiparams{'ENABLE_SAFE_SEARCH'} ne "on") {
+		$cgiparams{'ENABLE_SAFE_SEARCH'} = "off";
+	}
 
-&Header::openbigbox('100%', 'left', '', $errormessage);
+	# Check if using ISP nameservers and TLS is enabled at the same time.
+	if (($cgiparams{'USE_ISP_NAMESERVERS'} eq "on") && ($cgiparams{'PROTO'} eq "TLS")) {
+		$errormessage = $Lang::tr{'dns isp nameservers and tls not allowed'}
+	}
+
+	# Check if there was an error.
+	if ( ! $errormessage) {
 
-if ($dnssettings{'ACTION'} eq $Lang::tr{'save'}) {
-	if ((&General::validip($dnssettings{"DNS0"}) == 1)&&(&General::validip($dnssettings{"DNS1"}) == 1)) {	
-		if ($errormessage eq "") {
-			&General::writehash("${General::swroot}/dns/settings", \%dnssettings);	
-			&Header::openbox('100%', 'left', $Lang::tr{'dns saved'});								
-			print "<font class='base'>$Lang::tr{'dns saved txt'}</font>\n";
-			&Header::closebox();		
+		# Store settings into settings file.
+		&General::writehash("$settings_file", \%cgiparams);
+
+		# Call function to handle unbound restart, etc.
+		&_handle_unbound_and_more()
+	}
+}
+
+###
+# Add / Edit entries.
+#
+if (($cgiparams{'SERVERS'} eq $Lang::tr{'save'}) || ($cgiparams{'SERVERS'} eq $Lang::tr{'update'})) {
+	# Hash to store the generic DNS settings.
+	my %settings = ();
+
+	# Read-in generic settings.
+	&General::readhash("$settings_file", \%settings);
+
+	# Check if an IP-address has been given.
+	if ($cgiparams{"NAMESERVER"} eq "") {
+		$errormessage = "$Lang::tr{'dns no address given'}";
+	}
+
+	# Check if the given DNS server is valid.
+	elsif(!&General::validip($cgiparams{"NAMESERVER"})) {
+		$errormessage = "$Lang::tr{'invalid ip'}: $cgiparams{'NAMESERVER'}";
+	}
+
+	# Check if a TLS is enabled and no TLS_HOSTNAME has benn specified.
+	elsif($settings{'PROTO'} eq "TLS") {
+		unless($cgiparams{"TLS_HOSTNAME"}) {
+			$errormessage = "$Lang::tr{'dns no tls hostname given'}";
+		} else {
+			# Check if the provided domain is valid.
+			unless(&General::validfqdn($cgiparams{"TLS_HOSTNAME"})) {
+				$errormessage = "$Lang::tr{'invalid ip or hostname'}: $cgiparams{'TLS_HOSTNAME'}";
+			}
 		}
-	} else {
-		if ((&General::validip($dnssettings{"DNS0"}) == 0)&&(&General::validip($dnssettings{"DNS1"}) == 1)){
-			$errormessage = $Lang::tr{'dns error 0'};
-		}		
-		if ((&General::validip($dnssettings{"DNS1"}) == 0)&&(&General::validip($dnssettings{"DNS0"}) == 1)){
-			$errormessage = $Lang::tr{'dns error 1'};
+	}
+
+	# Go further if there was no error.
+	if ( ! $errormessage) {
+		# Check if a remark has been entered.
+		$cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'});
+
+		my %dns_servers = ();
+		my $id;
+		my $status;
+
+		# Read-in configfile.
+		&General::readhasharray($servers_file, \%dns_servers);
+
+		# Check if we should edit an existing entry and got an ID.
+		if (($cgiparams{'SERVERS'} eq $Lang::tr{'update'}) && ($cgiparams{'ID'})) {
+			# Assin the provided id.
+			$id = $cgiparams{'ID'};
+
+			# Undef the given ID.
+			undef($cgiparams{'ID'});
+
+			# Grab the configured status of the corresponding entry.
+			$status = $dns_servers{$id}[2];
+		} else {
+			# Each newly added entry automatically should be enabled.
+			$status = "enabled";
+
+			# Generate the ID for the new entry.
+			#
+			# Sort the keys by their ID and store them in an array.
+			my @keys = sort { $a <=> $b } keys %dns_servers;
+
+			# Reverse the key array.
+			my @reversed = reverse(@keys);
+
+			# Obtain the last used id.
+			my $last_id = @reversed[0];
+
+			# Increase the last id by one and use it as id for the new entry.
+			$id = ++$last_id;
+
+			# The first allowed id is 3 to keep space for
+			# possible ISP assigned DNS servers.
+			if ($id <= "2") {
+				$id = "3";
+			}
 		}
-		if ((&General::validip($dnssettings{"DNS1"}) == 0)&&(&General::validip($dnssettings{"DNS0"}) == 0)){
-			$errormessage = $Lang::tr{'dns error 01'};
+
+		# Add/Modify the entry to/in the dns_servers hash.
+		$dns_servers{$id} = ["$cgiparams{'NAMESERVER'}", "$cgiparams{'TLS_HOSTNAME'}", "$status", "$cgiparams{'REMARK'}"];
+
+		# Write the changed hash to the config file.
+		&General::writehasharray($servers_file, \%dns_servers);
+
+		# Call function to handle unbound restart, etc.
+		&_handle_unbound_and_more();
+	} else {
+		# Switch back to previous mode.
+		$cgiparams{'SERVERS'} = $cgiparams{'MODE'};
+	}
+###
+# Toggle enable / disable.
+#
+} elsif ($cgiparams{'SERVERS'} eq $Lang::tr{'toggle enable disable'}) {
+	my %dns_servers = ();
+
+	# Only go further, if an ID has been passed.
+	if ($cgiparams{'ID'}) {
+		# Assign the given ID.
+		my $id = $cgiparams{'ID'};
+
+		# Undef the given ID.
+		undef($cgiparams{'ID'});
+
+		# Read-in configfile.
+		&General::readhasharray($servers_file, \%dns_servers);
+
+		# Grab the configured status of the corresponding entry.
+		my $status = $dns_servers{$id}[2];
+
+		# Switch the status.
+		if ($status eq "disabled") {
+			$status = "enabled";
+		} else {
+			$status = "disabled";
 		}
+
+		# Modify the status of the existing entry.
+		$dns_servers{$id} = ["$dns_servers{$id}[0]", "$dns_servers{$id}[1]", "$status", "$dns_servers{$id}[3]"];
+
+		# Write the changed hash back to the config file.
+		&General::writehasharray($servers_file, \%dns_servers);
+
+		# Call function to handle unbound restart, etc.
+		&_handle_unbound_and_more();
 	}
+
+## Remove entry from DNS servers list.
+#
+} elsif ($cgiparams{'SERVERS'} eq $Lang::tr{'remove'}) {
+	my %dns_servers = ();
+
+	# Read-in configfile.
+	&General::readhasharray($servers_file, \%dns_servers);
+
+	# Drop entry from the hash.
+	delete($dns_servers{$cgiparams{'ID'}});
+
+	# Undef the given ID.
+	undef($cgiparams{'ID'});
+
+	# Write the changed hash to the config file.
+	&General::writehasharray($servers_file, \%dns_servers);
+
+	# Call function to handle unbound restart, etc.
+	&_handle_unbound_and_more();
+
+## Handle request to check the servers.
+#
+} elsif ($cgiparams{'SERVERS'} eq $Lang::tr{'dns check servers'}) {
+	$check_servers = 1;
 }
 
-if ($dnssettings{'ACTION'} eq $Lang::tr{'reconnect'}) {
-	system("/usr/local/bin/redctrl restart >/dev/null 2>&1 &");
-	&Header::openbox('100%', 'left', $Lang::tr{'dns address recon'} );
-	print "<font class='base'>$Lang::tr{'dns address done'}</font>\n";
-	&Header::closebox();	
+# Hash to store the generic DNS settings.
+my %settings = ();
+
+# Read-in general DNS settings.
+&General::readhash("$settings_file", \%settings);
+
+# Hash which contains the configured DNS servers.
+my %dns_servers = ();
+
+# Read-in config file.
+&General::readhasharray("$servers_file", \%dns_servers);
+
+&Header::openpage($Lang::tr{'dns'}, 1, '');
+
+&Header::openbigbox('100%', 'left', '', $errormessage);
+
+###
+# Error messages layout.
+#
+if ($errormessage) {
+        &Header::openbox('100%', 'left', $Lang::tr{'error messages'});
+        print "<class name='base'>$errormessage\n";
+        print "&nbsp;</class>\n";
+        &Header::closebox();
 }
 
-if ($dnssettings{'ACTION'} eq $Lang::tr{'delete'}) {
-	system("cat /dev/null > ${General::swroot}/dns/settings &");
-	&Header::openbox('100%', 'left', $Lang::tr{'dns address deleted'} );
-	print "<font class='base'>$Lang::tr{'dns address deleted txt'}</font>\n";
-	&Header::closebox();	
+# Handle if a nameserver should be added or edited.
+if (($cgiparams{'SERVERS'} eq "$Lang::tr{'add'}") || ($cgiparams{'SERVERS'} eq "$Lang::tr{'edit'}")) {
+	# Display the sub page.
+	&show_add_edit_nameserver();
+
+	# Close webpage.
+	&Header::closebigbox();
+	&Header::closepage();
+
+	# Finished here for the moment.
+	exit(0);
 }
 
-# DPC move error message to top so it is seen!
-if ($errormessage) {
-	&Header::openbox('100%', 'left', $Lang::tr{'error messages'});
-	print "<font class='base'>$errormessage&nbsp;</font>\n";
+$cgiparams{'GENERAL'} = '';
+$cgiparams{'SERVERS'} = '';
+$cgiparams{'NAMESERVER'} = '';
+$cgiparams{'TLS_HOSTNAME'} = '';
+$cgiparams{'REMARK'} ='';
+
+$checked{'USE_ISP_NAMESERVERS'}{'off'} = '';
+$checked{'USE_ISP_NAMESERVERS'}{'on'} = '';
+$checked{'USE_ISP_NAMESERVERS'}{$settings{'USE_ISP_NAMESERVERS'}} = "checked='checked'";
+
+$checked{'ENABLE_SAFE_SEARCH'}{'off'} = '';
+$checked{'ENABLE_SAFE_SEARCH'}{'on'} = '';
+$checked{'ENABLE_SAFE_SEARCH'}{$settings{'ENABLE_SAFE_SEARCH'}} = "checked='checked'";
+
+$selected{'PROTO'}{'UDP'} = '';
+$selected{'PROTO'}{'TLS'} = '';
+$selected{'PROTO'}{'TCP'} = '';
+$selected{'PROTO'}{$settings{'PROTO'}} = "selected='selected'";
+
+$selected{'QNAME_MIN'}{'standard'} = '';
+$selected{'QNAME_MIN'}{'strict'} = '';
+$selected{'QNAME_MIN'}{$settings{'QNAME_MIN'}} = "selected='selected'";
+
+# Display nameserver and configuration sections.
+&show_nameservers();
+&show_general_dns_configuration();
+
+&Header::closebigbox();
+&Header::closepage();
+
+###
+# General DNS-Servers sektion.
+#
+sub show_general_dns_configuration () {
+	&Header::openbox('100%', 'center', "$Lang::tr{'dns configuration'}");
+
+	print <<END;
+	<form method='post' action='$ENV{'SCRIPT_NAME'}'>
+		<table width="100%">
+			<tr>
+				<td width="33%">
+					$Lang::tr{'dns use isp assigned nameservers'}
+				</td>
+
+				<td>
+					<input type="checkbox" name="USE_ISP_NAMESERVERS" $checked{'USE_ISP_NAMESERVERS'}{'on'}>
+				</td>
+			</tr>
+
+			<tr>
+				<td colspan="2">
+					<br>
+				</td>
+			</tr>
+
+			<tr>
+				<td width="33%">
+					$Lang::tr{'dns use protocol for dns queries'}
+				</td>
+
+				<td>
+					<select name="PROTO">
+						<option value="UDP" $selected{'PROTO'}{'UDP'}>UDP</option>
+						<option value="TLS" $selected{'PROTO'}{'TLS'}>TLS</option>
+						<option value="TCP" $selected{'PROTO'}{'TCP'}>TCP</option>
+					</select>
+				</td>
+			</tr>
+
+			<tr>
+				<td colspan="2">
+					<br>
+				</td>
+			</tr>
+
+			<tr>
+				<td width="33%">
+					$Lang::tr{'dns enable safe-search'}
+				</td>
+
+				<td>
+					<input type="checkbox" name="ENABLE_SAFE_SEARCH" $checked{'ENABLE_SAFE_SEARCH'}{'on'}>
+				</td>
+			</tr>
+
+			<tr>
+				<td colspan="2">
+					<br>
+				</td>
+			</tr>
+
+			<tr>
+				<td width="33%">
+					$Lang::tr{'dns mode for qname minimisation'}
+				</td>
+
+				<td>
+					<select name="QNAME_MIN">
+						<option value="standard" $selected{'QNAME_MIN'}{'standard'}>$Lang::tr{'standard'}</option>
+						<option value="strict" $selected{'QNAME_MIN'}{'strict'}>$Lang::tr{'strict'}</option>
+					</select>
+				</td>
+			</tr>
+
+			<tr>
+				<td colspan="2" align="right">
+					<input type="submit" name="GENERAL" value="$Lang::tr{'save'}">
+				</td>
+			</tr>
+		</table>
+	</form>
+END
+
 	&Header::closebox();
 }
 
-print "<form method='post' action='$ENV{'SCRIPT_NAME'}'>\n";
+###
+# Section to display the configured and used DNS servers.
+#
+sub show_nameservers () {
+	&Header::openbox('100%', 'center', "$Lang::tr{'dns title'}");
 
-&Header::openbox('100%', 'left', $Lang::tr{'dns header'});
-print <<END
+	my $dns_status_string;
+	my $dns_status_col;
+	my $dns_working;
 
-<table border="0"  width='100%'>
-  <tr>
-    <td colspan="2"><font class='base'>$Lang::tr{'dns desc'}<br /><img src="/images/dns_link.png" border="0" align="absmiddle"/><a href="https://wiki.ipfire.org/dns/public-servers" target="_blank">$Lang::tr{'dns list'}</a></font></td>
-  </tr>
-  <tr>
-    <td colspan="2">&nbsp;</td>
-  </tr>
-  <tr>
-    <td width="25%"><font class='base'>$Lang::tr{'dns new 0'}</font></td>
-END
-;     
-if ($dnssettings{'ACTION'} eq $Lang::tr{'delete'}) {
-print <<END    
-    <td width="75%"><input type="text" name="DNS0" maxlength="15" value=""/></td>
+	# Test if the DNS system is working.
+	#
+	# Simple send a request to unbound and check if it can resolve the
+	# DNS test server.
+	my $dns_status_ret = &check_nameserver("127.0.0.1", "$dns_test_server", "UDP");
+
+	if ($dns_status_ret eq "2") {
+		$dns_status_string = "$Lang::tr{'working'}";
+		$dns_status_col = "${Header::colourgreen}";
+		$dns_working = 1;
+	} else {
+		$dns_status_string = "$Lang::tr{'broken'}";
+		$dns_status_col = "${Header::colourred}";
+	}
+
+print <<END;
+		<table width='100%'>
+			<tr>
+				<td>
+					<strong>$Lang::tr{'status'}:&nbsp;</strong>
+					<strong><font color='$dns_status_col'>$dns_status_string</font></strong>
+				</td>
+			</tr>
+		</table>
+
+		<br>
+
+		<table class="tbl" width='100%'>
+			<tr>
+				<td align="center">
+					<strong>$Lang::tr{'nameserver'}</strong>
+				</td>
+
+				<td align="center">
+					<strong>$Lang::tr{'country'}</strong>
+				</td>
+
+				<td align="center">
+					<strong>$Lang::tr{'rdns'}</strong>
+				</td>
+
+				<td align="center">
+					<strong>$Lang::tr{'remark'}</strong>
+				</td>
 END
-; 
-} else {   
+	# Check if the status should be displayed.
+	if ($check_servers) {
 print <<END
-    <td width="75%"><input type="text" name="DNS0" maxlength="15" value="$dnssettings{"DNS0"}"/></td>
+				<td align="center">
+					<strong>$Lang::tr{'status'}</strong>
+				</td>
 END
-;  
-}
+;
+	}
+
 print <<END
-  </tr>
-  <tr>
-    <td><font class='base'>$Lang::tr{'dns new 1'}</font></td>
+
+				<td align="center" colspan="3">
+					<strong>$Lang::tr{'action'}</strong>
+				</td>
+			</tr>
 END
-;     
-if ($dnssettings{'ACTION'} eq $Lang::tr{'delete'}) {
-print <<END
-    <td><input type="text" name="DNS1" maxlength="15" value=""/></td>
+;
+
+		# Check the usage of ISP assigned nameservers is enabled.
+		my $id = 1;
+
+		# Loop through the array which stores the files.
+		foreach my $file (@ISP_nameserver_files) {
+			# Grab the address of the nameserver.
+			my $address = &General::grab_address_from_file($file);
+
+			# Check if we got an address.
+			if ($address) {
+				# Add the address to the hash of nameservers.
+				$dns_servers{$id} = [ "$address", "none",
+					($settings{'USE_ISP_NAMESERVERS'} eq "on") ? "enabled" : "disabled",
+					"$Lang::tr{'dns isp assigned nameserver'}" ];
+
+				# Increase id by one.
+				$id++;
+			}
+		}
+
+		# Check some DNS servers have been configured. In this case
+		# the hash contains at least one key.
+		my $server_amount;
+		if (keys %dns_servers) {
+			# Sort the keys by their ID and store them in an array.
+			my @keys = sort { $a <=> $b } keys %dns_servers;
+
+			# Loop through all entries of the array/hash.
+			foreach my $id (@keys) {
+				# Inrease server_amount.
+				$server_amount++;
+
+				# Assign data array positions to some nice variable names.
+				my $nameserver = $dns_servers{$id}[0];
+				my $tls_hostname = $dns_servers{$id}[1];
+				my $enabled = $dns_servers{$id}[2];
+				my $remark = $dns_servers{$id}[3];
+
+				my $col = '';
+				my $toggle = '';
+				my $gif = '';
+				my $gdesc = '';
+				my $notice = "";
+
+				# Colorize columns.
+				if ($server_amount % 2) {
+					$col="bgcolor='$color{'color22'}'"; }
+				else {
+					$col="bgcolor='$color{'color20'}'";
+				}
+
+				if ($enabled eq 'enabled') {
+					$gif='on.gif'; $toggle='off'; $gdesc=$Lang::tr{'click to disable'};
+				} else {
+					$gif='off.gif'; $toggle='on'; $gdesc=$Lang::tr{'click to enable'};
+				}
+
+				my $status;
+				my $status_short;
+				my $status_message;
+				my $status_colour;
+
+				# Only grab the status if the nameserver is enabled.
+				if (($check_servers) && ($enabled eq "enabled")) {
+					$status = &check_nameserver("$nameserver", "ping.ipfire.org", "$settings{'PROTO'}", "$tls_hostname");
+				}
+
+				if (!defined $status) {
+					$status_short = "$Lang::tr{'disabled'}";
+
+				# DNSSEC Not supported
+				} elsif ($status eq 0) {
+					$status_short = "$Lang::tr{'broken'}";
+					$status_message = $Lang::tr{'dnssec not supported'};
+					$status_colour = ${Header::colourred};
+
+				# DNSSEC Aware
+				} elsif ($status eq 1) {
+					$status_short = "$Lang::tr{'not validating'}";
+					$status_message = $Lang::tr{'dnssec aware'};
+					$status_colour = ${Header::colourblack};
+
+				# DNSSEC Validating
+				} elsif ($status eq 2) {
+					$status_short = "$Lang::tr{'ok'}";
+					$status_message = $Lang::tr{'dnssec validating'};
+					$status_colour = ${Header::colourgreen};
+
+				# Error
+				} else {
+					$status_short = "$Lang::tr{'error'}";
+					$status_message = $status;
+					$status_colour = ${Header::colourred};
+				}
+
+				# collect more information about name server (rDNS, GeoIP country code)
+				my $ccode = &GeoIP::lookup($nameserver);
+				my $flag_icon = &GeoIP::get_flag_icon($ccode);
+
+				my $rdns;
+
+				# Only do the reverse lookup if the system is online.
+				if ($dns_working) {
+					my $iaddr = inet_aton($nameserver);
+					$rdns = gethostbyaddr($iaddr, AF_INET);
+				}
+
+				if (!$rdns) { $rdns = $Lang::tr{'lookup failed'}; }
+
+				# Mark ISP name servers as disabled
+				if ($id <= 2 && $enabled eq "disabled") {
+					$nameserver = "<del>$nameserver</del>";
+				}
+
+print <<END;
+			<tr>
+				<td align="center" $col>
+					$nameserver
+				</td>
+
+				<td align="center" $col>
+					<a href='country.cgi#$ccode'><img src="$flag_icon" border="0" alt="$ccode" title="$ccode" /></a>
+				</td>
+
+				<td align="center" $col>
+					$rdns
+				</td>
+
+				<td align="center" $col>
+					$remark
+				</td>
 END
-; 
-} else {   
+;
+				# Display server status if requested.
+				if ($check_servers) {
 print <<END
-    <td><input type="text" name="DNS1" maxlength="15" value="$dnssettings{"DNS1"}"/></td>
+					<td align="center" $col>
+						<strong><font color="$status_colour"><abbr title="$status_message">$status_short</abbr></font></strong>
+					</td>
 END
-; 
-}
-print <<END 
-  </tr>
-  <tr>
-    <td colspan="2"><hr /></td>
-  </tr>
-  <tr>
-    <td colspan="2"><div align="center">
+;
+				}
+
+				# Check if the id is greater than "2".
+				#
+				# Nameservers with an ID's of one or two are ISP assigned,
+				# and we cannot perform any actions on them, so hide the tools for
+				# them.
+				if ($id gt "2") {
+
+print <<END;
+					<td align='center' width='5%' $col>
+						<form method='post' name='frma$id' action='$ENV{'SCRIPT_NAME'}'>
+							<input type='image' name='$Lang::tr{'toggle enable disable'}' src='/images/$gif' title='$gdesc' alt='$gdesc' />
+							<input type='hidden' name='ID' value='$id' />
+							<input type='hidden' name='ENABLE' value='$toggle' />
+							<input type='hidden' name='SERVERS' value='$Lang::tr{'toggle enable disable'}' />
+						</form>
+					</td>
+
+					<td align='center' width='5%' $col>
+						<form method='post' name='frmb$id' action='$ENV{'SCRIPT_NAME'}'>
+							<input type='image' name='$Lang::tr{'edit'}' src='/images/edit.gif' title='$Lang::tr{'edit'}' alt='$Lang::tr{'edit'}' />
+							<input type='hidden' name='ID' value='$id' />
+							<input type='hidden' name='SERVERS' value='$Lang::tr{'edit'}' />
+						</form>
+					</td>
+
+					<td align='center' width='5%' $col>
+						<form method='post' name='frmc$id' action='$ENV{'SCRIPT_NAME'}'>
+							<input type='image' name='$Lang::tr{'remove'}' src='/images/delete.gif' title='$Lang::tr{'remove'}' alt='$Lang::tr{'remove'}' />
+							<input type='hidden' name='ID' value='$id' />
+							<input type='hidden' name='SERVERS' value='$Lang::tr{'remove'}' />
+						</form>
+					</td>
 END
-;     
-if ($dnssettings{'ACTION'} eq $Lang::tr{'save'} && $errormessage eq "") {
-print <<END 	  
-        <input type='submit' name='ACTION' value='$Lang::tr{'save'}' />
-        &nbsp;&nbsp;&nbsp;&nbsp;
-        <input type='submit' name='ACTION' value='$Lang::tr{'delete'}' />
-        &nbsp;&nbsp;&nbsp;&nbsp;
-        <input type='submit' name='ACTION' value='$Lang::tr{'reconnect'}' />
+;
+			} else {
+					print "<td colspan='3' $col>&nbsp;</td>\n";
+			}
+
+
+			print"</tr>\n";
+
+		}
+
+		print"</table>\n";
+
+		print"<table width='100%'>\n";
+
+		# Check if the usage of the ISP nameservers is enabled and there are more than 2 servers.
+		if (($settings{'USE_ISP_NAMESERVERS'} eq "on") && ($server_amount gt "2")) {
+print <<END;
+			<tr>
+				<td class='boldbase'>&nbsp; <b>$Lang::tr{'legend'}:</b></td>
+				<td>&nbsp; <img src='/images/on.gif' alt='$Lang::tr{'click to disable'}' /></td>
+				<td class='base'>$Lang::tr{'click to disable'}</td>
+				<td>&nbsp; &nbsp; <img src='/images/off.gif' alt='$Lang::tr{'click to enable'}' /></td>
+				<td class='base'>$Lang::tr{'click to enable'}</td>
+				<td>&nbsp; &nbsp; <img src='/images/edit.gif' alt='$Lang::tr{'edit'}' /></td>
+				<td class='base'>$Lang::tr{'edit'}</td>
+				<td>&nbsp; &nbsp; <img src='/images/delete.gif' alt='$Lang::tr{'remove'}' /></td>
+				<td class='base'>$Lang::tr{'remove'}</td>
+			</tr>
 END
-; 
-} elsif ($dnssettings{'ACTION'} eq $Lang::tr{'delete'}) {
-print <<END 	  
-        <input type='submit' name='ACTION' value='$Lang::tr{'save'}' />
-        &nbsp;&nbsp;&nbsp;&nbsp;
-        <input type='submit' name='ACTION' value='$Lang::tr{'reconnect'}' />
+;
+		}
+print <<END;
+			<tr>
+				<form method="post" action="$ENV{'SCRIPT_NAME'}">
+					<td colspan="9" align="right">
+						<input type="submit" name="SERVERS" value="$Lang::tr{'add'}">
+						<input type="submit" name="SERVERS" value="$Lang::tr{'dns check servers'}">
+					</td>
+				</form>
+			</tr>
+		</table>
 END
 ;
-} elsif ($dnssettings{'ACTION'} eq $Lang::tr{'save'}) {
-print <<END 	  
-        <input type='submit' name='ACTION' value='$Lang::tr{'save'}' />
+
+		} else {
+print <<END;
+		<table width="100%">
+			<tr>
+				<td colspan="6" align="center">
+					<br>$Lang::tr{'guardian no entries'}<br>
+				</td>
+			</tr>
+
+			<tr>
+				<form method="post" action="$ENV{'SCRIPT_NAME'}">
+					<td colspan="6" align="right"><input type="submit" name="SERVERS" value="$Lang::tr{'add'}"></td>
+				</form>
+			</tr>
+		</table>
+
 END
-; 
-} else {   
+;
+		}
+
+	&Header::closebox();
+}
+
+###
+# Section to display the add or edit subpage.
+#
+sub show_add_edit_nameserver() {
+	print "<form method='post' action='$ENV{'SCRIPT_NAME'}'>\n";
+
+	my $buttontext = $Lang::tr{'save'};
+	my $dnssec_checked;
+	my $dot_checked;
+	if ($cgiparams{'SERVERS'} eq $Lang::tr{'edit'}) {
+		&Header::openbox('100%', 'left', $Lang::tr{'dnsforward edit an entry'});
+
+		# Update button text for upate the existing entry.
+		$buttontext = $Lang::tr{'update'};
+
+		# Add hidden input for sending ID.
+		print"<input type='hidden' name='ID' value='$cgiparams{'ID'}'>\n";
+
+		# Check if an ID has been given.
+		if ($cgiparams{'ID'}) {
+			# Assign cgiparams values.
+			$cgiparams{'NAMESERVER'} = $dns_servers{$cgiparams{'ID'}}[0];
+			$cgiparams{'TLS_HOSTNAME'} = $dns_servers{$cgiparams{'ID'}}[1];
+			$cgiparams{'REMARK'} = $dns_servers{$cgiparams{'ID'}}[3];
+		}
+	} else {
+		&Header::openbox('100%', 'left', $Lang::tr{'dnsforward add a new entry'});
+	}
+
+	my $tls_required_image;
+
+	# If the protocol is TLS, dispaly the required image.
+	if ($settings{'PROTO'} eq "TLS") {
+		$tls_required_image = "<img src='/blob.gif' alt='*'>";
+	}
+
+	# Add hidden input to store the mode.
+	print "<input type='hidden' name='MODE' value='$cgiparams{'SERVERS'}'>\n";
+
 print <<END
-        <input type='submit' name='ACTION' value='$Lang::tr{'save'}' />
-        &nbsp;&nbsp;&nbsp;&nbsp;
-        <input type='submit' name='ACTION' value='$Lang::tr{'delete'}' />
-END
-;  
-} 
-print <<END     
-        </div>
-      </td>
-  </tr>
-</table>
+	<table width='100%'>
+		<tr>
+			<td width='20%' class='base'>$Lang::tr{'ip address'}:&nbsp;<img src='/blob.gif' alt='*' /></td>
+			<td><input type='text' name='NAMESERVER' value='$cgiparams{"NAMESERVER"}' size='24' /></td>
+		</tr>
+
+
+		<tr>
+			<td width='20%' class='base'>$Lang::tr{'dns tls hostname'}:&nbsp;$tls_required_image</td>
+			<td><input type='text' name='TLS_HOSTNAME' value='$cgiparams{'TLS_HOSTNAME'}' size='24'></td>
+		</tr>
+
+
+		<tr>
+			<td width ='20%' class='base'>$Lang::tr{'remark'}:</td>
+			<td><input type='text' name='REMARK' value='$cgiparams{'REMARK'}' size='40' maxlength='50' /></td>
+		</tr>
+	</table>
 
+	<br>
+	<hr>
+
+	<table width='100%'>
+		<tr>
+			<td class='base' width='55%'><img src='/blob.gif' alt ='*' align='top' />&nbsp;$Lang::tr{'required field'}</td>
+			<td width='40%' align='right'>
+				<input type="submit" name="SERVERS" value="$buttontext">
+				<input type="submit" name="SERVERS" value="$Lang::tr{'back'}">
+			</td>
+		</tr>
+	</table>
 END
 ;
 
-&Header::closebox();
+	&Header::closebox();
+	print "</form>\n";
 
-print "</form>\n";
+	&Header::closebox();
+}
 
-&Header::closebigbox();
+# Private function to handle the restart of unbound and more.
+sub _handle_unbound_and_more () {
+	# Restart unbound
+	system('/usr/local/bin/unboundctrl reload >/dev/null');
 
-&Header::closepage();
+	# Check if the IDS is running.
+	if(&IDS::ids_is_running()) {
+		# Re-generate the file which contains the DNS Server
+		# details.
+		&IDS::generate_dns_servers_file();
+
+		# Call suricatactrl to perform a reload.
+		&IDS::call_suricatactrl("restart");
+	}
+}
+
+# Check if the system is online (RED is connected).
+sub red_is_active () {
+	# Check if the "active" file is present.
+	if ( -f "${General::swroot}/red/active") {
+		# Return "1" - True.
+		return 1;
+	} else {
+		# Return nothing - False.
+		return;
+	}
+}
 
+# Function to check a given nameserver against propper work.
+sub check_nameserver($$$$) {
+	my ($nameserver, $record, $proto, $tls_hostname) = @_;
+
+	# Check if the system is online.
+	unless (&red_is_active()) {
+		return "$Lang::tr{'system is offline'}";
+	}
+
+	# Default values.
+	my @command = ("kdig", "+timeout=2", "+retry=0", "+dnssec",
+		"+bufsize=1232");
+
+	# Handle different protols.
+	if ($proto eq "TCP") {
+		# Add TCP switch to the command.
+		push(@command, "+tcp");
+
+	} elsif($proto eq "TLS") {
+		# Add TLS switch to the command and provide the
+		# path to our file which contains the ca certs.
+		push(@command, "+tls-ca=$ca_certs_file");
+
+		# Check if a TLS hostname has been provided.
+		if ($tls_hostname) {
+			# Add TLS hostname to the command.
+			push(@command, "+tls-hostname=$tls_hostname");
+		} else {
+			return "$Lang::tr{'dns no tls hostname given'}";
+		}
+	}
+
+	# Add record to the command array.
+	push(@command, "$record");
+
+	# Add nameserver to the command array.
+	push(@command, "\@$nameserver");
+
+	# Connect to STDOUT and STDERR.
+	push(@command, "2>&1");
+
+        my @output = qx(@command);
+        my $output = join("", @output);
+
+	my $status = 0;
+
+	if ($output =~ m/status: (\w+)/) {
+		$status = ($1 eq "NOERROR");
+
+		if (!$status) {
+			return -1;
+		}
+	} else {
+		my $warning;
+
+		while ($output =~ m/WARNING: (.*)/g) {
+			# Add the current grabbed warning to the warning string.
+			$warning .= "$1\; ";
+		}
+
+		# Return the warning string, if we grabbed at least one.
+		if ($warning) {
+			return $warning;
+		}
+	}
+
+	my @flags = ();
+	if ($output =~ m/Flags: (.*);/) {
+		@flags = split(/ /, $1);
+	}
+
+	my $aware = ($output =~ m/RRSIG/);
+	my $validating = (grep(/ad;/, @flags));
+
+	return $aware + $validating;
+}
diff --git a/html/cgi-bin/dnsforward.cgi b/html/cgi-bin/dnsforward.cgi
index 626b664fd..ed373c09a 100644
--- a/html/cgi-bin/dnsforward.cgi
+++ b/html/cgi-bin/dnsforward.cgi
@@ -124,7 +124,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'add'})
 		}
 	}
 	# Restart unbound
-	system('/usr/local/bin/unboundctrl restart >/dev/null');
+	system('/usr/local/bin/unboundctrl reload >/dev/null');
 }
 
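Review bot: The exit status of `system()` on the new `unboundctrl reload` line is discarded, so a failed reload after adding a forwarder leaves the page silently reporting success while unbound keeps serving the old configuration; the same pattern is in the hunks at @@ -142 and @@ -169 below and in BuildConfiguration in hosts.cgi. Capturing it, e.g. `my $rc = system('/usr/local/bin/unboundctrl reload >/dev/null');` and logging or surfacing a non-zero `$rc`, would make a stale forwarder set visible. The hosts.cgi variant additionally relies on `&>/dev/null`, which only suppresses stderr when /bin/sh is bash; `>/dev/null 2>&1` is the portable form. The enclosing `if` block begins outside this hunk.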
 ###
@@ -142,7 +142,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'remove'})
 	}
 	close(FILE);
 	# Restart unbound.
-	system('/usr/local/bin/unboundctrl restart >/dev/null');
+	system('/usr/local/bin/unboundctrl reload >/dev/null');
 }
 
 ###
@@ -169,7 +169,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable disable'})
 	}
 	close(FILE);
 	# Restart unbound.
-	system('/usr/local/bin/unboundctrl restart >/dev/null');
+	system('/usr/local/bin/unboundctrl reload >/dev/null');
 }
 
 ###
diff --git a/html/cgi-bin/guardian.cgi b/html/cgi-bin/guardian.cgi
index 36d84bb5b..71316523f 100644
--- a/html/cgi-bin/guardian.cgi
+++ b/html/cgi-bin/guardian.cgi
@@ -280,15 +280,9 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
 
 	# File declarations.
 	my $gatewayfile = "${General::swroot}/red/remote-ipaddress";
-	my $dns1file = "${General::swroot}/red/dns1";
-	my $dns2file = "${General::swroot}/red/dns2";
 
 	# Get gateway address.
-	my $gateway = &_get_address_from_file($gatewayfile);
-
-	# Get addresses from the used dns servers.
-	my $dns1 = &_get_address_from_file($dns1file);
-	my $dns2 = &_get_address_from_file($dns2file);
+	my $gateway = &General::grab_address_from_file($gatewayfile);
 
 	# Check if any input has been performed.
 	if ($input eq '') {
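Review bot: Removing `$dns1`/`$dns2` from this block also removes the only protection against blocking the upstream resolvers: the `elsif` at @@ -306 no longer rejects a DNS server address, and the `Include_File` lines for dns1/dns2 are dropped from GenerateIgnoreFile at @@ -1012 with nothing added for the new server list. A guardian rule or a manual block against the configured upstream (which, per the unbound initscript in this push, now lives in /var/ipfire/dns/servers, with ISP-assigned ones in /var/run/dns1 and /var/run/dns2) would take down name resolution for the whole firewall. The enabled addresses from those files should be folded back into both the input check and the ignore file. Whether `General::grab_address_from_file` still validates with `General::validip` as the removed helper did is not visible here; worth confirming.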
@@ -306,7 +300,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
 	}
 
 	# Check if the given input is one of the interface addresses or our gateway.
-	elsif ($input eq "$green" || $input eq "$blue" || $input eq "$orange" || $input eq "$red" || $input eq "$gateway" || $input eq "$dns1" || $input eq "$dns2") {
+	elsif ($input eq "$green" || $input eq "$blue" || $input eq "$orange" || $input eq "$red" || $input eq "$gateway") {
 		$errormessage = "$Lang::tr{'guardian blocking of this address is not allowed'}";
 	}
 
@@ -989,8 +983,6 @@ sub GenerateIgnoreFile() {
 	# File declarations.
 	my $public_address_file = "${General::swroot}/red/local-ipaddress";
 	my $gatewayfile = "${General::swroot}/red/remote-ipaddress";
-	my $dns1file = "${General::swroot}/red/dns1";
-	my $dns2file = "${General::swroot}/red/dns2";
 
 	# Write the obtained addresses to the ignore file.
 	print FILE "# IPFire local interfaces.\n";
@@ -1012,8 +1004,6 @@ sub GenerateIgnoreFile() {
 	print FILE "# Include the corresponding files to obtain the addresses.\n";
 	print FILE "Include_File = $public_address_file\n";
 	print FILE "Include_File = $gatewayfile\n";
-	print FILE "Include_File = $dns1file\n";
-	print FILE "Include_File = $dns2file\n";
 
 	# Add all user defined hosts and networks to the ignore file.
 	#
@@ -1045,33 +1035,3 @@ sub GenerateIgnoreFile() {
 
 	close(FILE);
 }
-
-# Private subfunction to obtain IP-addresses from given file names.
-#
-sub _get_address_from_file ($) {
-	my $file = shift;
-
-	# Check if the file exists.
-	if (-e $file) {
-		# Open the given file.
-		open(FILE, "$file") or die "Could not open $file.";
-
-		# Obtain the address from the first line of the file.
-		my $address = <FILE>;
-
-		# Close filehandle
-		close(FILE);
-
-		# Remove newlines.
-		chomp $address;
-
-		# Check if the grabbed address is valid.
-		if (&General::validip($address)) {
-			# Return the address.
-			return $address;
-		}
-	}
-
-	# Return nothing.
-	return;
-}
diff --git a/html/cgi-bin/hosts.cgi b/html/cgi-bin/hosts.cgi
index 973c480b3..1c9df5a62 100644
--- a/html/cgi-bin/hosts.cgi
+++ b/html/cgi-bin/hosts.cgi
@@ -488,5 +488,5 @@ sub SortDataFile
 #
 sub BuildConfiguration {
     system '/usr/local/bin/rebuildhosts';
-    system '/usr/local/bin/unboundctrl restart &>/dev/null';
+    system '/usr/local/bin/unboundctrl reload &>/dev/null';
 }
diff --git a/html/cgi-bin/index.cgi b/html/cgi-bin/index.cgi
index c7bf9f323..bd6a02ef5 100644
--- a/html/cgi-bin/index.cgi
+++ b/html/cgi-bin/index.cgi
@@ -200,25 +200,6 @@ END
 END
 	}
 
-	my $dns_servers;
-	if ( -e "${General::swroot}/red/dns" ) {
-		open (TMP, "<${General::swroot}/red/dns");
-		$dns_servers = <TMP>;
-		chomp($dns_servers);
-		close TMP;
-	}
-	print <<END;
-		<tr>
-			<td>
-				<b><a href="netexternal.cgi">$Lang::tr{'dns servers'}</a>:</b>
-			</td>
-			<td style='text-align:center;'>
-				$dns_servers
-			</td>
-			<td></td>
-		</tr>
-END
-
 	if (&General::RedIsWireless()) {
 		my $iface = $netsettings{"RED_DEV"} || "red0";
 
diff --git a/html/cgi-bin/netexternal.cgi b/html/cgi-bin/netexternal.cgi
index 8f29eb8a2..98ac4fe12 100644
--- a/html/cgi-bin/netexternal.cgi
+++ b/html/cgi-bin/netexternal.cgi
@@ -80,108 +80,6 @@ if ( $querry[0] ne~ ""){
 		&Header::closebox();
 	}
 
-	## DNSSEC
-	my @nameservers = ();
-	foreach my $f ("${General::swroot}/red/dns1", "${General::swroot}/red/dns2") {
-		open(DNS, "<$f");
-		my $nameserver = <DNS>;
-		close(DNS);
-
-		chomp($nameserver);
-		if ($nameserver) {
-			push(@nameservers, $nameserver);
-		}
-	}
-
-	&Header::openbox('100%', 'center', $Lang::tr{'dnssec information'});
-
-	print <<END;
-		<table class="tbl" width='66%'>
-			<thead>
-				<tr>
-					<th align="center">
-						<strong>$Lang::tr{'nameserver'}</strong>
-					</th>
-					<th align="center">
-						<strong>$Lang::tr{'country'}</strong>
-					</th>
-					<th align="center">
-						<strong>$Lang::tr{'rdns'}</strong>
-					</th>
-					<th align="center">
-						<strong>$Lang::tr{'status'}</strong>
-					</th>
-				</tr>
-			</thead>
-			<tbody>
-END
-
-	my $id = 0;
-	for my $nameserver (@nameservers) {
-		my $status = &check_dnssec($nameserver, "ping.ipfire.org");
-
-		my $colour = "";
-		my $bgcolour = "";
-		my $message = "";
-
-		# DNSSEC Not supported
-		if ($status == 0) {
-			$message = $Lang::tr{'dnssec not supported'};
-			$colour = "white";
-			$bgcolour = ${Header::colourred};
-
-		# DNSSEC Aware
-		} elsif ($status == 1) {
-			$message = $Lang::tr{'dnssec aware'};
-			$colour = "black";
-			$bgcolour = ${Header::colouryellow};
-
-		# DNSSEC Validating
-		} elsif ($status == 2) {
-			$message = $Lang::tr{'dnssec validating'};
-			$colour = "white";
-			$bgcolour = ${Header::colourgreen};
-
-		# Error
-		} else {
-			$colour = ${Header::colourred};
-		}
-
-		my $table_colour = ($id++ % 2) ? $color{'color22'} : $color{'color20'};
-
-		# collect more information about name server (rDNS, GeoIP country code)
-		my $ccode = &GeoIP::lookup($nameserver);
-		my $flag_icon = &GeoIP::get_flag_icon($ccode);
-
-		my $iaddr = inet_aton($nameserver);
-		my $rdns = gethostbyaddr($iaddr, AF_INET);
-		if (!$rdns) { $rdns = $Lang::tr{'lookup failed'}; }
-
-		print <<END;
-			<tr bgcolor="$table_colour">
-				<td>
-					$nameserver
-				</td>
-				<td align="center">
-					<a href='country.cgi#$ccode'><img src="$flag_icon" border="0" alt="$ccode" title="$ccode" /></a>
-				</td>
-				<td align="center">
-					$rdns
-				</td>
-				<td bgcolor="$bgcolour" align="center">
-					<font color="$colour"><strong>$message</strong></font>
-				</td>
-			</tr>
-END
-	}
-
-	print <<END;
-			</tbody>
-		</table>
-END
-
-	&Header::closebox();
-
 	if ( $netsettings{'CONFIG_TYPE'} =~ /^(1|2|3|4)$/  && $netsettings{'RED_TYPE'} eq "DHCP"){
 
 		&Header::openbox('100%', 'left', "RED $Lang::tr{'dhcp configuration'}");
@@ -268,32 +166,3 @@ END
 	&Header::closebigbox();
 	&Header::closepage();
 }
-
-sub check_dnssec($$) {
-	my $nameserver = shift;
-	my $record = shift;
-
-	my @command = ("dig", "+dnssec", $record, "\@$nameserver");
-
-	my @output = qx(@command);
-	my $output = join("", @output);
-
-	my $status = 0;
-	if ($output =~ m/status: (\w+)/) {
-		$status = ($1 eq "NOERROR");
-
-		if (!$status) {
-			return -1;
-		}
-	}
-
-	my @flags = ();
-	if ($output =~ m/flags: (.*);/) {
-		@flags = split(/ /, $1);
-	}
-
-	my $aware = ($output =~ m/RRSIG/);
-	my $validating = ("ad" ~~ @flags);
-
-	return $aware + $validating;
-}
diff --git a/html/cgi-bin/pppsetup.cgi b/html/cgi-bin/pppsetup.cgi
index 4b45ee50c..bdcd41e24 100644
--- a/html/cgi-bin/pppsetup.cgi
+++ b/html/cgi-bin/pppsetup.cgi
@@ -116,19 +116,6 @@ elsif ($pppsettings{'ACTION'} eq $Lang::tr{'save'})
                 $errormessage = $Lang::tr{'bad characters in script field'};
                 goto ERROR; }
 
-        if ($pppsettings{'DNS1'})
-        {
-                if (!(&General::validip($pppsettings{'DNS1'}))) {
-                        $errormessage = $Lang::tr{'invalid primary dns'};
-                        goto ERROR;  }
-        }
-        if ($pppsettings{'DNS2'})
-        {
-                if (!(&General::validip($pppsettings{'DNS2'}))) {
-                        $errormessage = $Lang::tr{'invalid secondary dns'};
-                        goto ERROR; }
-        }
-
         if ($pppsettings{'MAXRETRIES'} eq '') {
                 $errormessage = $Lang::tr{'max retries not set'};
                 goto ERROR; }
@@ -948,22 +935,6 @@ print <<END
         <td width='25%'>$Lang::tr{'script name'}</td>
         <td width='25%'><input type='text' name='LOGINSCRIPT' value='$pppsettings{'LOGINSCRIPT'}' /></td>
 </tr>
-<tr><td colspan='4' width='100%'><br></br></td></tr>
-<tr>
-        <td bgcolor='$color{'color20'}' colspan='4' width='100%'><b>DNS:</b></td>
-</tr>
-<tr>
-        <td colspan='4' width='100%'><input type='radio' name='DNS' value='Automatic' $checked{'DNS'}{'Automatic'} />$Lang::tr{'automatic'}</td>
-</tr>
-<tr>
-        <td colspan='4' width='100%'><input type='radio' name='DNS' value='Manual' $checked{'DNS'}{'Manual'} />$Lang::tr{'manual'}</td>
-</tr>
-<tr>
-        <td width='25%'>$Lang::tr{'primary dns'}</td>
-        <td width='25%'><input type='text' name='DNS1' value='$pppsettings{'DNS1'}'></td>
-        <td width='25%'>$Lang::tr{'secondary dns'}</td>
-        <td width='25%'><input type='text' name='DNS2' value='$pppsettings{'DNS2'}'></td>
-</tr>
 <tr><td colspan='4' width='100%'><br></br><hr></hr><br></br></td></tr>
 <tr>
         <td width='25%'>$Lang::tr{'profile name'}&nbsp;<img src='/blob.gif' alt='*' /></td>
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 2dc325a3a..cec76c8db 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -452,7 +452,7 @@
 'available updates' => 'Available updates:',
 'average' => 'Average',
 'avoid dod' => 'Do not use this option with Dial on Demand! Mainly used if your IPFire is behind a router. Your RED IP must be inside one of the three reserved network numbers e.g. 10/8, 172.16/12, 192.168/16',
-'back' => 'BACK',
+'back' => 'Back',
 'backup' => 'Backup',
 'backup archive' => 'Backup File (.dat)',
 'backup clear archive' => 'Clear Backup File (.gz)',
@@ -508,6 +508,7 @@
 'blue access use hint' => 'You have to enter the MAC or the IP Address for a device. To enter both is also possible',
 'blue interface' => 'Blue Interface',
 'broadcast' => 'Broadcast',
+'broken' => 'Broken',
 'broken pipe' => 'Broken pipe',
 'buffered memory' => 'Buffered Memory',
 'buffers' => 'buffers',
@@ -836,27 +837,39 @@
 'dmzpinholes for same net not necessary' => 'DMZ Pinholes are not necessary for same net. Select different source or destination net.',
 'dnat address' => 'Firewall Interface',
 'dns address deleted' => 'Successfully deleted!',
-'dns address deleted txt' => 'The DNS-Server addresses have been successfully deleted.<br />You have to reboot or reconnect that the changes have effect!',
-'dns address done' => 'The DNS-Server address settings are going to be saved.',
+'dns address deleted txt' => 'The DNS server addresses have been successfully deleted.<br />You have to reboot or reconnect that the changes have effect!',
+'dns address done' => 'The DNS server address settings are going to be saved.',
 'dns address recon' => 'Trying to reconnect!',
 'dns check failed' => 'DNS check failed',
+'dns check servers' => 'Check DNS Servers',
+'dns configuration' => 'DNS Configuration',
+'dns could not add server' => 'Could not add server - Reason:',
 'dns desc' => 'If the red0 interface gets the IP address information via DHCP from the provider, the DNS server addresses will be set automatically. Now here you are able to change these DNS server IP addresses with your own ones.',
+'dns enable safe-search' => 'Enable Safe Search',
 'dns error 0' => 'The IP address of the <strong>primary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>secondary</strong> DNS server address is valid.',
 'dns error 01' => 'The entered IP address of the <strong>primary</strong> and <strong>secondary</strong> DNS server are not valid, please check your entries!',
 'dns error 1' => 'The IP address of the <strong>secondary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>primary</strong> DNS server address is valid.',
 'dns forward disable dnssec' => 'Disable DNSSEC (dangerous)',
 'dns forwarding dnssec disabled notice' => '(DNSSEC disabled)',
 'dns header' => 'Assign DNS server addresses only for DHCP on red0',
+'dns isp nameservers and tls not allowed' => 'ISP-assigned DNS servers and TLS cannot be used at the same time.',
+'dns isp assigned nameserver' => 'ISP-assigned DNS server',
 'dns list' => 'List of free public DNS servers',
-'dns menu' => 'Assign DNS-Server',
+'dns menu' => 'Assign DNS Server',
+'dns mode for qname minimisation' => 'QNAME Minimisation',
 'dns new 0' => 'New <strong>primary</strong> DNS server IP:',
 'dns new 1' => 'New <strong>secondary</strong> DNS server IP:',
+'dns no address given' => 'No IP Address given.',
+'dns no tls hostname given' => 'No TLS hostname given.',
 'dns proxy server' => 'DNS Proxy Server',
 'dns saved' => 'Successfully saved!',
 'dns saved txt' => 'The two entered DNS server addresses have been saved successfully.<br />You have to reboot or reconnect that the changes have effect!',
 'dns server' => 'DNS Server',
 'dns servers' => 'DNS Servers',
 'dns title' => 'Domain Name System',
+'dns tls hostname' => 'TLS Hostname',
+'dns use isp assigned nameservers' => 'Use ISP-assigned DNS servers',
+'dns use protocol for dns queries' => 'Protocol for DNS queries',
 'dnsforward' => 'DNS Forwarding',
 'dnsforward add a new entry' => 'Add a new entry',
 'dnsforward configuration' => 'DNS forward configuration',
@@ -1805,6 +1818,7 @@
 'not present' => '<b>Not</b> present',
 'not running' => 'not running',
 'not set' => 'not set',
+'not validating' => 'Not validating',
 'notes' => 'Notes',
 'notice' => 'Notice',
 'november' => 'November',
@@ -1822,6 +1836,7 @@
 'october' => 'October',
 'off' => 'off',
 'ok' => 'OK',
+'okay' => 'Okay',
 'older' => 'Older',
 'on' => 'on',
 'one hour' => 'One Hour',
@@ -2286,6 +2301,7 @@
 'sssystem status' => 'System Status',
 'sstraffic' => 'Net-Traffic',
 'sstraffic graphs' => 'Traffic Graphs',
+'standard' => 'Standard',
 'standard login script' => 'Standard login script',
 'start' => 'Start',
 'start address' => 'Start address:',
@@ -2300,6 +2316,7 @@
 'stop' => 'Stop',
 'stop ovpn server' => 'Stop OpenVPN Server',
 'stopped' => 'STOPPED',
+'strict' => 'Strict',
 'subject' => 'Subject',
 'subject test' => 'Teste-mail',
 'subject warn' => 'Warning - warnlevel reached',
@@ -2941,6 +2958,7 @@
 'wlanap wlan status' => 'WLan Status',
 'wol wakeup' => 'WakeUp',
 'workgroup' => 'Workgroup',
+'working' => 'Working',
 'written bytes' => 'Bytes Written',
 'xtaccess all error' => 'You cannot set an external access to ALL, that is done in the port forwarding record.',
 'xtaccess bad transfert' => 'If you specify a port destination range, the source range must be identical !',
diff --git a/lfs/guardian b/lfs/guardian
index 31d1dcb43..a40480c0c 100644
--- a/lfs/guardian
+++ b/lfs/guardian
@@ -33,7 +33,7 @@ DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 
 PROG       = guardian
-PAK_VER    = 17
+PAK_VER    = 18
 
 DEPS       = "perl-inotify2 perl-Net-IP"
 
diff --git a/src/initscripts/networking/dhcpcd.exe b/src/initscripts/networking/dhcpcd.exe
index 28d62a14e..7a9889b5b 100644
--- a/src/initscripts/networking/dhcpcd.exe
+++ b/src/initscripts/networking/dhcpcd.exe
@@ -14,9 +14,7 @@
 . /etc/sysconfig/rc
 . $rc_functions
 
-
 eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
-eval $(/usr/local/bin/readhash /var/ipfire/dns/settings)
 
 dhcpcd_up()
 {
@@ -30,8 +28,7 @@ dhcpcd_up()
 
 	# Only if RED_TYPE=DHCP update /var/ipfire/red
 	if [ "$RED_TYPE" == "DHCP" ]; then
-
-		#Check if we have to restart the services at update
+		# Check if we have to restart the services at update
 		[ ! -e "/var/ipfire/red/active" ] && update=1;
 		if [ "$old_domain_name_service" != "$new_domain_name_service" ]; then
 			update=1;
@@ -43,15 +40,9 @@ dhcpcd_up()
 			update=1;
 		fi
 
-		#Get DNS from dhcp
-		if [ -n "$DNS0" ] && [ -n "$DNS1" ]; then
-			logger -p local0.info -t dhcpcd.exe[$$] "Overwritting DNS-Server addresses with ${DNS0},${DNS1}"	
-			echo -n ${DNS0} > /var/ipfire/red/dns1
-			echo -n ${DNS1} > /var/ipfire/red/dns2
-		else
-			echo -n `/etc/rc.d/helper/getdnsfromdhcpc.pl 1` > /var/ipfire/red/dns1
-			echo -n `/etc/rc.d/helper/getdnsfromdhcpc.pl 2` > /var/ipfire/red/dns2
-		fi
+		# Get DNS from dhcp
+		/etc/rc.d/helper/getdnsfromdhcpc.pl 1 > /var/run/dns1
+		/etc/rc.d/helper/getdnsfromdhcpc.pl 2 > /var/run/dns2
 
 		#Get IP Address
 		echo -n "$new_ip_address"  > /var/ipfire/red/local-ipaddress
@@ -76,6 +67,9 @@ dhcpcd_down()
 	set | grep "^new_" | sed "s|^new_||g" | \
 	sort > /var/ipfire/dhcpc/dhcpcd-$interface.info
 
+	# Remove DNS servers
+	rm -f /var/run/dns1 /var/run/dns2
+
 	# Only if RED_TYPE=DHCP update /var/ipfire/red
 	if [ "$RED_TYPE" == "DHCP" ]; then
 		rm -f /var/ipfire/red/active
diff --git a/src/initscripts/networking/red b/src/initscripts/networking/red
index b8d463241..7ce0a6f47 100644
--- a/src/initscripts/networking/red
+++ b/src/initscripts/networking/red
@@ -120,8 +120,6 @@ case "${1}" in
 			grep -v -E "\<gateway\>" /etc/hosts > /tmp/hosts
 			echo "$GATEWAY	gateway"  >> /tmp/hosts
 			mv /tmp/hosts /etc/hosts
-			echo -n "${DNS1}" > /var/ipfire/red/dns1
-			echo -n "${DNS2}" > /var/ipfire/red/dns2
 			touch /var/ipfire/red/active
 			
 			# Create route to default gateway
diff --git a/src/initscripts/networking/red.up/05-update-dns-forwarders b/src/initscripts/networking/red.up/05-update-dns-forwarders
index 4ff2e58ef..cdae7781f 100644
--- a/src/initscripts/networking/red.up/05-update-dns-forwarders
+++ b/src/initscripts/networking/red.up/05-update-dns-forwarders
@@ -1,13 +1,4 @@
 #!/bin/bash
 
-# If network has not fully been brought up here, we start unbound
-# so that all following scripts can rely on DNS resolution
-
-pidof unbound > /dev/null
-if [ "${?}" = "0" ]; then
-	# unbound is run so update the forwarders
-	/etc/init.d/unbound update-forwarders
-else
-	# Start unbound if it is not running, yet
-	/etc/init.d/unbound start
-fi
+# Update DNS forwarders
+exec /etc/init.d/unbound update-forwarders
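Review bot: The rewritten script drops the start-if-not-running fallback, so if unbound is not up when RED comes online this now runs `update-forwarders` against a stopped daemon; the old comment noted that later red.up scripts rely on DNS resolution. Whether the `update-forwarders` target in /etc/init.d/unbound copes with that case is outside this hunk (the relevant part of the initscript is not visible on this page), so either confirm it does or keep a `pidof unbound >/dev/null || exec /etc/init.d/unbound start` line before the exec.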
diff --git a/src/initscripts/networking/red.up/06-safe-search b/src/initscripts/networking/red.up/06-safe-search
deleted file mode 100644
index 14ff93b45..000000000
--- a/src/initscripts/networking/red.up/06-safe-search
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/bash
-
-exec /etc/init.d/unbound update-safe-search
diff --git a/src/initscripts/system/unbound b/src/initscripts/system/unbound
index 61d62beb1..7df50e9d4 100644
--- a/src/initscripts/system/unbound
+++ b/src/initscripts/system/unbound
@@ -7,30 +7,12 @@
 . /etc/sysconfig/rc
 . ${rc_functions}
 
-TEST_DOMAIN="ipfire.org"
-
-# This domain will never validate
-TEST_DOMAIN_FAIL="dnssec-failed.org"
-
-INSECURE_ZONES=
-USE_FORWARDERS=1
-ENABLE_SAFE_SEARCH=off
-FORCE_TCP=off
-
 # Cache any local zones for 60 seconds
 LOCAL_TTL=60
 
-# EDNS buffer size
-EDNS_DEFAULT_BUFFER_SIZE=4096
-
-# Load optional configuration
-[ -e "/etc/sysconfig/unbound" ] && . /etc/sysconfig/unbound
-
-DIG_ARGS=()
-
-if [ "${FORCE_TCP}" = "on" ]; then
-	DIG_ARGS+=( "+tcp" )
-fi
+# Load configuration
+eval $(/usr/local/bin/readhash /var/ipfire/dns/settings)
+eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
 
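Review bot: The `eval` lines at the end of the hunk replace the explicit defaults (`USE_FORWARDERS`, `FORCE_TCP`, `INSECURE_ZONES`, `EDNS_DEFAULT_BUFFER_SIZE`) with whatever /var/ipfire/dns/settings contains, so when that file is missing or incomplete on an upgraded system `USE_ISP_NAMESERVERS`, `PROTO` and `QNAME_MIN` are simply empty. The comparisons further down tolerate that syntactically, but the resulting behaviour (no ISP servers, no TCP/TLS, non-strict QNAME minimisation) is implicit rather than chosen; assigning explicit defaults for those three variables on the lines before the first `eval` would make it deliberate. The hunk also drops the optional `/etc/sysconfig/unbound` override without a replacement, so local settings an administrator kept there are silently ignored after this update; if that is intended, a comment in the initscript saying so would help.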
 ip_address_revptr() {
 	local addr=${1}
@@ -42,26 +24,27 @@ ip_address_revptr() {
 }
 
 read_name_servers() {
-	local i
-	for i in 1 2; do
-		echo "$(</var/ipfire/red/dns${i})"
-	done 2>/dev/null | xargs echo
-}
-
-check_red_has_carrier_and_ip() {
-	# Interface configured ?
-	[ ! -e "/var/ipfire/red/iface" ] && return 0;
-
-	# Interface present ?
-	[ ! -e "/sys/class/net/$(</var/ipfire/red/iface)" ] && return 0;
-
-	# has carrier ?
-	[ ! "$(</sys/class/net/$(</var/ipfire/red/iface)/carrier)" = "1" ] && return 0;
+	# Read name servers from ISP
+	if [ "${USE_ISP_NAMESERVERS}" = "on" -a "${PROTO}" != "TLS" ]; then
+		local i
+		for i in 1 2; do
+			echo "$(</var/run/dns${i})"
+		done 2>/dev/null
+	fi
 
-	# has ip ?
-	[ "$(ip address show dev $(</var/ipfire/red/iface) | grep "inet")" = "" ] && return 0;
+	# Read configured name servers
+	local id address tls_hostname enabled remark
+	while IFS="," read -r id address tls_hostname enabled remark; do
+		[ "${enabled}" != "enabled" ] && continue
 
-	return 1;
+		if [ "${PROTO}" = "TLS" ]; then
+			if [ -n "${tls_hostname}" ]; then
+				echo "${address}@853#${tls_hostname}"
+			fi
+		else
+			echo "${address}"
+		fi
+	done < /var/ipfire/dns/servers
 }
 
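Review bot: `done < /var/ipfire/dns/servers` at the end of read_name_servers has no existence check, so on a system where the new settings file has not been created yet bash prints a redirect error and the function exits non-zero, leaving forward.conf without any `forward-addr` lines. Guarding the loop with `[ -r "/var/ipfire/dns/servers" ] || return 0` on the line before `local id address tls_hostname enabled remark` keeps the ISP servers already echoed above usable. Also, when `PROTO` is TLS a server without a tls_hostname is dropped silently; a `boot_mesg` or logger line in that branch would make the missing forwarder diagnosable.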
 config_header() {
@@ -70,151 +53,67 @@ config_header() {
 	echo
 }
 
-update_forwarders() {
-	check_red_has_carrier_and_ip
-	if [ "${USE_FORWARDERS}" = "1" -a "${?}" = "1" ]; then
-		local forwarders
-		local broken_forwarders
-
-		local ns
-		for ns in $(read_name_servers); do
-			test_name_server ${ns} &>/dev/null
-			case "$?" in
-				# Only use DNSSEC-validating or DNSSEC-aware name servers
-				0|2)
-					forwarders="${forwarders} ${ns}"
-					;;
-				*)
-					broken_forwarders="${broken_forwarders} ${ns}"
-					;;
-			esac
-		done
-
-		# Determine EDNS buffer size
-		local new_edns_buffer_size=${EDNS_DEFAULT_BUFFER_SIZE}
-
-		for ns in ${forwarders}; do
-			local edns_buffer_size=$(ns_determine_edns_buffer_size ${ns})
-			if [ -n "${edns_buffer_size}" ]; then
-				if [ ${edns_buffer_size} -lt ${new_edns_buffer_size} ]; then
-					new_edns_buffer_size=${edns_buffer_size}
-				fi
-			fi
-		done
-
-		if [ ${new_edns_buffer_size} -lt ${EDNS_DEFAULT_BUFFER_SIZE} ]; then
-			boot_mesg "EDNS buffer size reduced to ${new_edns_buffer_size}" ${WARNING}
-			echo_warning
-
-			unbound-control -q set_option edns-buffer-size: ${new_edns_buffer_size}
-		fi
-
-		# Show warning for any broken upstream name servers
-		if [ -n "${broken_forwarders}" ]; then
-			boot_mesg "Ignoring broken upstream name server(s): ${broken_forwarders:1}" ${WARNING}
-			echo_warning
-		fi
-
-		if [ -n "${forwarders}" ]; then
-			boot_mesg "Configuring upstream name server(s): ${forwarders:1}" ${INFO}
-			echo_ok
-
-			# Make sure DNSSEC is activated
-			enable_dnssec
-
-			echo "${forwarders}" > /var/ipfire/red/dns
-			unbound-control -q forward ${forwarders}
-			return 0
-
-		# In case we have found no working forwarders
-		else
-			# Test if the recursor mode is available
-			if can_resolve_root +bufsize=${new_edns_buffer_size}; then
-				# Make sure DNSSEC is activated
-				enable_dnssec
-
-				boot_mesg "Falling back to recursor mode" ${WARNING}
-				echo_warning
-
-			# If not, we set DNSSEC in permissive mode and allow using all recursors
-			elif [ -n "${broken_forwarders}" ]; then
-				disable_dnssec
-
-				boot_mesg "DNSSEC has been set to permissive mode" ${FAILURE}
-				echo_failure
+write_hosts_conf() {
+	(
+		config_header
 
-				echo "${broken_forwarders}" > /var/ipfire/red/dns
-				unbound-control -q forward ${broken_forwarders}
-				return 0
-			fi
+		# Make own hostname resolveable
+		# 1.1.1.1 is reserved for unused green, skip this
+		if [ -n "${GREEN_ADDRESS}" -a "${GREEN_ADDRESS}" != "1.1.1.1" ]; then
+			echo "local-data: \"${HOSTNAME} ${LOCAL_TTL} IN A ${GREEN_ADDRESS}\""
 		fi
-	fi
 
-	# If forwarders cannot be used we run in recursor mode
-	echo "local recursor" > /var/ipfire/red/dns
-	unbound-control -q forward off
-}
+		local address
+		for address in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
+			[ -n "${address}" ] || continue
+			[ "${address}" = "1.1.1.1" ] && continue
 
-remove_forwarders() {
-	enable_dnssec
-	echo "local recursor" > /var/ipfire/red/dns
-	unbound-control -q forward off
-
-}
-
-own_hostname() {
-	local hostname=$(hostname -f)
-	# 1.1.1.1 is reserved for unused green, skip this
-	if [ -n "${GREEN_ADDRESS}" -a "${GREEN_ADDRESS}" != "1.1.1.1" ]; then
-		unbound-control -q local_data "${hostname} ${LOCAL_TTL} IN A ${GREEN_ADDRESS}"
-	fi
-
-	local address
-	for address in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
-		[ -n "${address}" ] || continue
-		[ "${address}" = "1.1.1.1" ] && continue
-
-		address=$(ip_address_revptr ${address})
-		unbound-control -q local_data "${address} ${LOCAL_TTL} IN PTR ${hostname}"
-	done
-}
-
-update_hosts() {
-	local enabled address hostname domainname generateptr
-
-	while IFS="," read -r enabled address hostname domainname generateptr; do
-		[ "${enabled}" = "on" ] || continue
+			address=$(ip_address_revptr ${address})
+			echo "local-data: \"${address} ${LOCAL_TTL} IN PTR ${HOSTNAME}\""
+		done
 
-		# Build FQDN
-		local fqdn="${hostname}.${domainname}"
+		# Add all hosts
+		local enabled address hostname domainname generateptr
+		while IFS="," read -r enabled address hostname domainname generateptr; do
+			[ "${enabled}" = "on" ] || continue
 
-		unbound-control -q local_data "${fqdn} ${LOCAL_TTL} IN A ${address}"
+			# Build FQDN
+			local fqdn="${hostname}.${domainname}"
+			echo "local-data: \"${fqdn} ${LOCAL_TTL} IN A ${address}\""
 
-		# Skip reverse resolution if the address equals the GREEN address
-		[ "${address}" = "${GREEN_ADDRESS}" ] && continue
+			# Skip reverse resolution if the address equals the GREEN address
+			[ "${address}" = "${GREEN_ADDRESS}" ] && continue
 
-		# Skip reverse resolution if user requested not to do so
-		[ "${generateptr}" = "off" ] && continue
+			# Skip reverse resolution if user requested not to do so
+			[ "${generateptr}" = "off" ] && continue
 
-		# Add RDNS
-		address=$(ip_address_revptr ${address})
-		unbound-control -q local_data "${address} ${LOCAL_TTL} IN PTR ${fqdn}"
-	done < /var/ipfire/main/hosts
+			# Add RDNS
+			address=$(ip_address_revptr ${address})
+			echo "local-data: \"${address} ${LOCAL_TTL} IN PTR ${fqdn}\""
+		done < /var/ipfire/main/hosts
+	) > /etc/unbound/hosts.conf
 }
 
 write_forward_conf() {
 	(
 		config_header
 
+		# Enable strict QNAME minimisation
+		if [ "${QNAME_MIN}" = "strict" ]; then
+			echo "server:"
+			echo "	qname-minimisation-strict: yes"
+			echo
+		fi
+
 		# Force using TCP for upstream servers only
-		if [ "${FORCE_TCP}" = "on" ]; then
+		if [ "${PROTO}" = "TCP" ]; then
 			echo "# Force using TCP for upstream servers only"
 			echo "server:"
 			echo "	tcp-upstream: yes"
 			echo
 		fi
 
-		local insecure_zones="${INSECURE_ZONES}"
+		local insecure_zones=""
 
 		local enabled zone server servers remark disable_dnssec rest
 		while IFS="," read -r enabled zone servers remark disable_dnssec rest; do
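Review bot: `${HOSTNAME}` in write_hosts_conf is never assigned in this hunk; unless one of the two `readhash` evals at the top of the script provides it, it is bash's automatic short hostname, whereas the `own_hostname` function this replaces used `hostname -f`, so the A record and the PTR records for the interface addresses would lose their domain part. A `local hostname=$(hostname -f)` right after the opening `(` of the subshell, used in both `local-data` lines, restores the previous FQDN. The hunk also runs into write_forward_conf, whose body ends outside it.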
@@ -234,35 +133,24 @@ write_forward_conf() {
 					;;
 			esac
 
-			# Reverse-lookup zones must be stubs
+			echo "stub-zone:"
+			echo "	name: ${zone}"
+			for server in ${servers//|/ }; do
+				if [[ ${server} =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+					echo "	stub-addr: ${server}"
+				else
+					echo "	stub-host: ${server}"
+				fi
+			done
+			echo
+
+			# Make all reverse lookup zones transparent
 			case "${zone}" in
 				*.in-addr.arpa)
-					echo "stub-zone:"
-					echo "	name: ${zone}"
-					for server in ${servers//|/ }; do
-						if [[ ${server} =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
-							echo "	stub-addr: ${server}"
-						else
-							echo "	stub-host: ${server}"
-						fi
-					done
-					echo
 					echo "server:"
 					echo "	local-zone: \"${zone}\" transparent"
 					echo
 					;;
-				*)
-					echo "forward-zone:"
-					echo "	name: ${zone}"
-					for server in ${servers//|/ }; do
-						if [[ ${server} =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
-							echo "	forward-addr: ${server}"
-						else
-							echo "	forward-host: ${server}"
-						fi
-					done
-					echo
-					;;
 			esac
 		done < /var/ipfire/dnsforward/config
 
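Review bot: The dotted-quad regex that picks `stub-addr` over `stub-host` treats every non-IPv4 value as a hostname, so an IPv6 server address (if the dnsforward config can hold one) is emitted as `stub-host:` and unbound then tries to resolve the literal as a name. Testing for a colon before falling back, `elif [[ ${server} == *:* ]]; then echo "	stub-addr: ${server}"`, keeps the classification correct for both families. The enclosing `while` loop and the `case` whose tail opens this hunk begin before it.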
@@ -273,6 +161,20 @@ write_forward_conf() {
 				echo "	domain-insecure: ${zone}"
 			done
 		fi
+
+		echo "forward-zone:"
+		echo "	name: \".\""
+
+		# Force using TLS only
+		if [ "${PROTO}" = "TLS" ]; then
+			echo "	forward-tls-upstream: yes"
+		fi
+
+		# Add upstream name servers
+		local ns
+		for ns in $(read_name_servers); do
+			echo "	forward-addr: ${ns}"
+		done
 	) > /etc/unbound/forward.conf
 }
 
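Review bot: `forward-tls-upstream: yes` encrypts the hop to the forwarders, but each `forward-addr: ${ns}` carries only an address and no `tls-cert-bundle` is emitted in the server section, so unbound has no name to verify the upstream certificate against and the TLS connection is not authenticated. If `read_name_servers` (defined outside this hunk) can provide an authentication name, write it with the `forward-addr: ${ns}#<auth-name>` form and add `tls-cert-bundle` to the server section; otherwise the PROTO=TLS mode should be documented as encryption without server authentication. `write_forward_conf` begins before this hunk.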
@@ -361,190 +263,26 @@ get_memory_amount() {
 	done < /proc/meminfo
 }
 
-test_name_server() {
-	local ns=${1}
-	local args
-
-	# Return codes:
-	# 0	DNSSEC validating
-	# 1	Error: unreachable, etc.
-	# 2	DNSSEC aware
-	# 3	NOT DNSSEC-aware
-
-	# Exit when the server is not reachable
-	ns_is_online ${ns} || return 1
-
-	# Determine the maximum edns buffer size that works
-	local edns_buffer_size=$(ns_determine_edns_buffer_size ${ns})
-	if [ -n "${edns_buffer_size}" ]; then
-		args="${args} +bufsize=${edns_buffer_size}"
-	fi
-
-	local errors
-	for rr in DNSKEY DS RRSIG; do
-		if ! ns_forwards_${rr} ${ns} ${args}; then
-			errors="${errors} ${rr}"
-		fi
-	done
-
-	if [ -n "${errors}" ]; then
-		echo >&2 "Unable to retrieve the following resource records from ${ns}: ${errors:1}"
-		return 3
-	fi
-
-	if ns_is_validating ${ns} ${args}; then
-		# Return 0 if validating
+fix_time_if_dns_fails() {
+	# If DNS is working, everything is fine
+	if resolve "ping.ipfire.org" &>/dev/null; then
 		return 0
-	else
-		# Is DNSSEC-aware
-		return 2
 	fi
-}
 
-# Sends an A query to the nameserver w/o DNSSEC
-ns_is_online() {
-	local ns=${1}
-	shift
-
-	dig "${DIG_ARGS[@]}" @${ns} +nodnssec A ${TEST_DOMAIN} $@ >/dev/null
-}
-
-# Resolving ${TEST_DOMAIN_FAIL} will fail if the nameserver is validating
-ns_is_validating() {
-	local ns=${1}
-	shift
-
-	if ! dig "${DIG_ARGS[@]}" @${ns} A ${TEST_DOMAIN_FAIL} $@ | grep -q SERVFAIL; then
-		return 1
-	else
-		# Determine if NS replies with "ad" data flag if DNSSEC enabled
-		dig "${DIG_ARGS[@]}" @${ns} +dnssec SOA ${TEST_DOMAIN} $@ | awk -F: '/\;\;\ flags\:/ { s=1; if (/\ ad/) s=0; exit s }'
-	fi
-}
-
-# Checks if we can retrieve the DNSKEY for this domain.
-# dig will print the SOA if nothing was found
-ns_forwards_DNSKEY() {
-	local ns=${1}
-	shift
-
-	dig "${DIG_ARGS[@]}" @${ns} DNSKEY ${TEST_DOMAIN} $@ | grep -qv SOA
-}
-
-ns_forwards_DS() {
-	local ns=${1}
-	shift
-
-	dig "${DIG_ARGS[@]}" @${ns} DS ${TEST_DOMAIN} $@ | grep -qv SOA
-}
-
-ns_forwards_RRSIG() {
-	local ns=${1}
-	shift
-
-	dig "${DIG_ARGS[@]}" @${ns} +dnssec A ${TEST_DOMAIN} $@ | grep -q RRSIG
-}
-
-ns_supports_tcp() {
-	local ns=${1}
-	shift
-
-	# If TCP is forced we know by now if the server responds to it
-	if [ "${FORCE_TCP}" = "on" ]; then
-		return 0
-	fi
-
-	dig "${DIG_ARGS[@]}" @${ns} +tcp A ${TEST_DOMAIN} $@ >/dev/null || return 1
-}
-
-ns_determine_edns_buffer_size() {
-	local ns=${1}
-	shift
-
-	local b
-	for b in 4096 2048 1500 1480 1464 1400 1280 512; do
-		if dig "${DIG_ARGS[@]}" @${ns} +dnssec +bufsize=${b} A ${TEST_DOMAIN} $@ >/dev/null; then
-			echo "${b}"
-			return 0
-		fi
-	done
-
-	return 1
-}
-
-get_root_nameservers() {
-	while read -r hostname ttl record address; do
-		# Searching for A records
-		[ "${record}" = "A" ] || continue
-
-		echo "${address}"
-	done < /etc/unbound/root.hints
-}
-
-can_resolve_root() {
-	local ns
-	for ns in $(get_root_nameservers); do
-		if dig "${DIG_ARGS[@]}" @${ns} +dnssec SOA . $@ >/dev/null; then
-			return 0
-		fi
-	done
-
-	# none of the servers was reachable
-	return 1
-}
-
-enable_dnssec() {
-	local status=$(unbound-control get_option val-permissive-mode)
-
-	# Log DNSSEC status
-	echo "on" > /var/ipfire/red/dnssec-status
-
-	# Don't do anything if DNSSEC is already activated
-	[ "${status}" = "no" ] && return 0
-
-	# Activate DNSSEC and flush cache with any stale and unvalidated data
-	unbound-control -q set_option val-permissive-mode: no
-	unbound-control -q flush_zone .
-}
-
-disable_dnssec() {
-	# Log DNSSEC status
-	echo "off" > /var/ipfire/red/dnssec-status
-
-	unbound-control -q set_option val-permissive-mode: yes
-}
-
-fix_time_if_dns_fail() {
-	# If DNS still not work try to init ntp with
-	# hardcoded ntp.ipfire.org (81.3.27.46)
-	check_red_has_carrier_and_ip
-	if [ -e "/var/ipfire/red/iface" -a "${?}" = "1" ]; then
-		host 0.ipfire.pool.ntp.org > /dev/null 2>&1
-		if [ "${?}" != "0" ]; then
-			boot_mesg "DNS still not functioning... Trying to sync time with ntp.ipfire.org (81.3.27.46)..."
-			loadproc /usr/local/bin/settime 81.3.27.46
-		fi
-	fi
+	# Try to sync time with a known time server
+	boot_mesg "DNS not functioning... Trying to sync time with ntp.ipfire.org (81.3.27.46)..."
+	loadproc /usr/local/bin/settime 81.3.27.46
 }
 
 resolve() {
 	local hostname="${1}"
 
-	local found=0
-	local ns
-	for ns in $(read_name_servers); do
-		local answer
-		for answer in $(dig "${DIG_ARGS[@]}" +short "@${ns}" A "${hostname}"); do
-			found=1
-
-			# Filter out non-IP addresses
-			if [[ ! "${answer}" =~ \.$ ]]; then
-				echo "${answer}"
-			fi
-		done
-
-		# End loop when we have got something
-		[ ${found} -eq 1 ] && break
+	local answer
+	for answer in $(dig +short A "${hostname}"); do
+		# Filter out non-IP addresses
+		if [[ ! "${answer}" =~ \.$ ]]; then
+			echo "${answer}"
+		fi
 	done
 }
 
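Review bot: `fix_time_if_dns_fails` can never reach the time sync, because `resolve` exits 0 even when the lookup returned nothing: a `for` over an empty `$(dig +short …)` expansion exits 0, and an `if` whose branch is not taken exits 0 as well, so `if resolve "ping.ipfire.org" &>/dev/null` is always true. Test the output instead, `if [ -n "$(resolve "ping.ipfire.org" 2>/dev/null)" ]; then`, or have `resolve` track whether anything was printed and `return 1` otherwise, as the removed version did with `found`.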
@@ -809,30 +547,18 @@ case "$1" in
 			exit 0
 		fi
 
-		eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
-
 		# Update configuration files
 		write_tuning_conf
+		write_hosts_conf
 		write_forward_conf
 
 		boot_mesg "Starting Unbound DNS Proxy..."
 		loadproc /usr/sbin/unbound || exit $?
 
-		# Make own hostname resolveable
-		own_hostname
-
-		# Update any known forwarding name servers
-		update_forwarders
-
 		# Install Safe Search rules when the system is already online
 		if [ -e "/var/ipfire/red/active" ]; then
 			update_safe_search
 		fi
-
-		# Update hosts
-		update_hosts
-
-		fix_time_if_dns_fail
 		;;
 
 	stop)
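Review bot: The dropped `eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)` was, as far as this diff shows, what put `GREEN_ADDRESS` into scope, and `write_hosts_conf` (visible earlier in this diff) still compares every host address against it before deciding whether to emit a PTR record. If nothing else in the script reads ethernet/settings, that comparison is now against an empty string and the GREEN skip never matches. Please confirm where `GREEN_ADDRESS` is set, or keep the eval ahead of `write_hosts_conf`.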
@@ -845,84 +571,37 @@ case "$1" in
 		sleep 1
 		$0 start
 		;;
+	reload|remove-forwarders)
+		# Update configuration files
+		write_forward_conf
+		write_hosts_conf
 
-	status)
-		statusproc /usr/sbin/unbound
-		;;
-
-	update-forwarders)
-		# Do not try updating forwarders when unbound is not running
-		if ! pgrep unbound &>/dev/null; then
-			exit 0
+		# Update Safe Search rules if the system is online.
+		if [ -e "/var/ipfire/red/active" ]; then
+			update_safe_search
 		fi
 
-		update_forwarders
-
-		unbound-control flush_negative > /dev/null
-		unbound-control flush_bogus > /dev/null
-
-		fix_time_if_dns_fail
+		# Call unbound-control and perform the reload
+		/usr/sbin/unbound-control -q reload
 		;;
 
-	remove-forwarders)
-		# Do not try updating forwarders when unbound is not running
-		if ! pgrep unbound &>/dev/null; then
-			exit 0
-		fi
-
-		remove_forwarders
-
-		unbound-control flush_negative > /dev/null
-		unbound-control flush_bogus > /dev/null
+	status)
+		statusproc /usr/sbin/unbound
 		;;
 
+	update-forwarders)
+		$0 reload
 
-	test-name-server)
-		ns=${2}
-
-		test_name_server ${ns}
-		ret=${?}
-
-		case "${ret}" in
-			0)
-				echo "${ns} is validating"
-				;;
-			2)
-				echo "${ns} is DNSSEC-aware"
-				;;
-			3)
-				echo "${ns} is NOT DNSSEC-aware"
-				;;
-			*)
-				echo "Test failed for an unknown reason"
-				exit ${ret}
-				;;
-		esac
-
-		if ns_supports_tcp ${ns}; then
-			echo "${ns} supports TCP fallback"
-		else
-			echo "${ns} does not support TCP fallback"
-		fi
-
-		edns_buffer_size=$(ns_determine_edns_buffer_size ${ns})
-		if [ -n "${edns_buffer_size}" ]; then
-			echo "EDNS buffer size for ${ns}: ${edns_buffer_size}"
-		fi
-
-		exit ${ret}
+		# Make sure DNS works at this point
+		fix_time_if_dns_fails
 		;;
 
 	resolve)
 		resolve "${2}"
 		;;
 
-	update-safe-search)
-		update_safe_search
-		;;
-
 	*)
-		echo "Usage: $0 {start|stop|restart|status|update-forwarders|remove-forwarders|test-name-server|resolve|update-safe-search}"
+		echo "Usage: $0 {start|stop|restart|reload|status|resolve|update-forwarders|remove-forwarders}"
 		exit 1
 		;;
 esac
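Review bot: The `reload|remove-forwarders` branch runs `/usr/sbin/unbound-control -q reload` unconditionally, whereas the removed `update-forwarders`/`remove-forwarders` branches first checked `pgrep unbound` and exited quietly; `-q` hides the message but the script now returns an error for a daemon that is simply not running, and `update-forwarders` discards that status anyway via `$0 reload`. Writing the configuration files is fine either way, so guard only the control call: `if pgrep unbound &>/dev/null; then` / `	/usr/sbin/unbound-control -q reload` / `fi`. `remove-forwarders` is now identical to `reload`, presumably because the caller has already edited the servers file; a one-line comment saying so would save the next reader the question.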
diff --git a/src/misc-progs/unboundctrl.c b/src/misc-progs/unboundctrl.c
index fea81c671..86c6ac42b 100644
--- a/src/misc-progs/unboundctrl.c
+++ b/src/misc-progs/unboundctrl.c
@@ -19,14 +19,16 @@ int main(int argc, char *argv[]) {
 		exit(1);
 
 	if (argc < 2) {
-		fprintf(stderr, "\nNo argument given.\n\nunboundctrl (restart)\n\n");
+		fprintf(stderr, "\nNo argument given.\n\nunboundctrl restart|reload\n\n");
 		exit(1);
 	}
 
 	if (strcmp(argv[1], "restart") == 0) {
 		safe_system("/etc/rc.d/init.d/unbound restart");
+	} else if (strcmp(argv[1], "reload") == 0) {
+		safe_system("/etc/rc.d/init.d/unbound reload");
 	} else {
-		fprintf(stderr, "\nBad argument given.\n\nunboundctrl (restart)\n\n");
+		fprintf(stderr, "\nBad argument given.\n\nunboundctrl restart|reload\n\n");
 		exit(1);
 	}
 
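Review bot: The usage text `unboundctrl restart|reload` is now duplicated in the no-argument and bad-argument branches and the two copies will drift apart with the next subcommand; a single `static const char *const usage = "unboundctrl restart|reload";` printed via `fprintf(stderr, "\nNo argument given.\n\n%s\n\n", usage);` keeps them in sync. Dispatching on exact `strcmp` matches and handing only fixed command strings to `safe_system` is the right shape for this helper, since argv never reaches the shell.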
diff --git a/src/ppp/ip-down b/src/ppp/ip-down
index ea0dcbf94..f67a91ea2 100644
--- a/src/ppp/ip-down
+++ b/src/ppp/ip-down
@@ -22,9 +22,8 @@
 . /etc/sysconfig/rc
 . $rc_functions
 
-eval $(/usr/local/bin/readhash /var/ipfire/ppp/settings)
-
-rm -f /var/ipfire/red/active
+rm -f /var/ipfire/red/active \
+	/var/run/dns1 /var/run/dns2
 
 run_subdir ${rc_base}/init.d/networking/red.down/
 
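Review bot: Removing the `readhash /var/ipfire/ppp/settings` eval takes every variable of that file out of scope for the rest of ip-down, which continues past this hunk; if anything after `run_subdir` still reads one of them (`TYPE`, for instance, as ip-up does), it now sees an empty value. Confirm nothing below depends on them, otherwise keep the eval.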
diff --git a/src/ppp/ip-up b/src/ppp/ip-up
index c7357708a..ee1683fdd 100644
--- a/src/ppp/ip-up
+++ b/src/ppp/ip-up
@@ -22,32 +22,17 @@
 . /etc/sysconfig/rc
 . $rc_functions
 
-PRIMARY_DNS=$DNS1
-SECONDARY_DNS=$DNS2
-
 eval $(/usr/local/bin/readhash /var/ipfire/ppp/settings)
 
-if [ "$DNS" == "Automatic" ]; then
-	if [ "$TYPE" == "isdn" ]; then
-		echo -n "$MS_DNS1" > /var/ipfire/red/dns1
-		echo -n "$MS_DNS2" > /var/ipfire/red/dns2
-	else
-		if [ "$PRIMARY_DNS" == "10.11.12.13" ]; then
-			echo -n "$DNS1" > /var/ipfire/red/dns1
-		else
-			echo -n "$PRIMARY_DNS" > /var/ipfire/red/dns1
-		fi
-		if [ "$SECONDARY_DNS" == "10.11.12.14" ]; then
-			echo -n "$DNS2" > /var/ipfire/red/dns2
-		else
-			echo -n "$SECONDARY_DNS" > /var/ipfire/red/dns2
-		fi
-	fi
-else
-	echo -n "$DNS1" > /var/ipfire/red/dns1
-	echo -n "$DNS2" > /var/ipfire/red/dns2
+if [ "$TYPE" = "isdn" ]; then
+	DNS1="${MS_DNS1}"
+	DNS2="${MS_DNS2}"
 fi
 
+# Write DNS servers to configuration
+echo "${DNS1}" > /var/run/dns1
+echo "${DNS2}" > /var/run/dns2
+
 echo -n "$1" > /var/ipfire/red/iface
 echo -n "$4" > /var/ipfire/red/local-ipaddress
 echo -n "$5" > /var/ipfire/red/remote-ipaddress
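Review bot: `DNS1`/`DNS2` arrive from pppd's environment (or `MS_DNS1`/`MS_DNS2` for ISDN) and are written to `/var/run/dns1`/`dns2` without any check that they are addresses, and when pppd supplies none an empty line is written; both presumably end up as forwarders once `read_name_servers` picks the files up. A guard before each write, `[[ ${DNS1} =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]] && echo "${DNS1}" > /var/run/dns1`, keeps peer-supplied junk out of the resolver configuration. These files also end with a newline where the old `/var/ipfire/red/dns1` (written with `echo -n`) did not, which is fine if the consumer uses `read` but worth confirming.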
diff --git a/src/scripts/convert-dns-settings b/src/scripts/convert-dns-settings
new file mode 100755
index 000000000..04a5344f7
--- /dev/null
+++ b/src/scripts/convert-dns-settings
@@ -0,0 +1,95 @@
+#!/bin/bash
+###############################################################################
+#                                                                             #
+# IPFire.org - A Linux-based firewall                                         #
+# Copyright (C) 2020 IPFire Team <info(a)ipfire.org>                            #
+#                                                                             #
+# This program is free software: you can redistribute it and/or modify        #
+# it under the terms of the GNU General Public License as published by        #
+# the Free Software Foundation, either version 3 of the License, or           #
+# (at your option) any later version.                                         #
+#                                                                             #
+# This program is distributed in the hope that it will be useful,             #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
+# GNU General Public License for more details.                                #
+#                                                                             #
+# You should have received a copy of the GNU General Public License           #
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
+#                                                                             #
+###############################################################################
+
+main() {
+	# Do not convert anything if we already have some servers set
+	if [ ! -s "/var/ipfire/dns/servers" ]; then
+		local DNS0 DNS1 DNS2
+		eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
+
+		if [ -s "/var/ipfire/ppp/settings" ]; then
+			eval $(/usr/local/bin/readhash /var/ipfire/ppp/settings)
+
+			# Remove DNS, DNS1 and DNS2
+			sed -i "/^DNS[12]?=/d" /var/ipfire/ppp/settings
+		elif [ -s "/var/ipfire/dns/settings" ]; then
+			eval $(/usr/local/bin/readhash /var/ipfire/dns/settings)
+		fi
+
+		local var
+		local i=3
+		for var in DNS0 DNS1 DNS2; do
+			if [ -n "${!var}" ]; then
+				echo "${i},${!var},,enabled,"
+				(( i++ ))
+			fi
+		done > /var/ipfire/dns/servers
+
+		# Empty the old settings file
+		: > /var/ipfire/dns/settings
+
+		# Disable using ISP name servers when we already have some configured
+		if [ ${i} -gt 3 ]; then
+			echo "USE_ISP_NAMESERVERS=off" \
+				>> /var/ipfire/dns/settings
+		fi
+	fi
+
+	# Set correct ownership.
+	chown nobody:nobody /var/ipfire/dns/settings
+
+	# Convert old unbound settings file
+	if [ -e "/etc/sysconfig/unbound" ]; then
+		local USE_FORWARDERS
+		local ENABLE_SAFE_SEARCH
+		local FORCE_TCP
+
+		# Read settings
+		eval $(/usr/local/bin/readhash /etc/sysconfig/unbound)
+
+		# Safe Search
+		if [ "${ENABLE_SAFE_SEARCH}" = "on" ]; then
+			echo "ENABLE_SAFE_SEARCH=${ENABLE_SAFE_SEARCH}" \
+				>> /var/ipfire/dns/settings
+		fi
+
+		# Force TCP
+		if [ "${FORCE_TCP}" = "on" ]; then
+			echo "PROTO=TCP" >> /var/ipfire/dns/settings
+		fi
+	
+		# Run in recursor mode
+		if [ "${USE_FORWARDERS}" = "0" ]; then
+			# Remove all servers
+			: > /var/ipfire/dns/servers
+		fi
+
+		rm -f "/etc/sysconfig/unbound"
+	fi
+
+	# Set correct ownership.
+	chown nobody:nobody /var/ipfire/dns/servers
+
+	# Make DHCP leases readable for nobody
+	chown 644 /etc/unbound/dhcp-leases.conf
+}
+
+main "$@" || exit $?
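Review bot: `chown 644 /etc/unbound/dhcp-leases.conf` changes the owner to UID 644 rather than setting the mode the comment describes; it should be `chmod 644 /etc/unbound/dhcp-leases.conf`. The `sed -i "/^DNS[12]?=/d"` pattern is a basic regex in which `?` is literal, so it only matches lines beginning `DNS1?=` or `DNS2?=` and leaves `DNS=`, `DNS1=` and `DNS2=` in ppp/settings; `sed -i -E "/^DNS[12]?=/d"` does what the comment says. The `eval $(readhash …)` calls execute whatever the settings files contain, which follows the existing convention here, but the converted values `${!var}` are copied into `/var/ipfire/dns/servers` unvalidated, so a dotted-quad check before the `echo` would be prudent.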
diff --git a/src/scripts/update-location-database b/src/scripts/update-location-database
new file mode 100644
index 000000000..ebed5a095
--- /dev/null
+++ b/src/scripts/update-location-database
@@ -0,0 +1,45 @@
+#!/bin/bash
+###############################################################################
+#                                                                             #
+# IPFire.org - A linux based firewall                                         #
+# Copyright (C) 2019 IPFire Development Team <info(a)ipfire.org>                #
+#                                                                             #
+# This program is free software: you can redistribute it and/or modify        #
+# it under the terms of the GNU General Public License as published by        #
+# the Free Software Foundation, either version 3 of the License, or           #
+# (at your option) any later version.                                         #
+#                                                                             #
+# This program is distributed in the hope that it will be useful,             #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
+# GNU General Public License for more details.                                #
+#                                                                             #
+# You should have received a copy of the GNU General Public License           #
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
+#                                                                             #
+###############################################################################
+
+eval $(/usr/local/bin/readhash /var/ipfire/proxy/settings)
+
+# Proxy settings.
+# Check if a proxy should be used.
+if [[ $UPSTREAM_PROXY ]]; then
+	PROXYSETTINGS="https_proxy=http://"
+
+	# Check if authentication against the proxy is configured.
+	if [[ $UPSTREAM_USER && $UPSTREAM_PASSWORD ]]; then
+		PROXYSETTINGS="$PROXYSETTINGS$UPSTREAM_USER:$UPSTREAM_PASSWORD@"
+	fi
+
+	# Add proxy server.
+	PROXYSETTINGS="$PROXYSETTINGS$UPSTREAM_PROXY"
+
+	# Export proxy settings.
+	export HTTPS_PROXY="$PROXYSETTINGS"
+fi
+
+# Get the latest location database from server.
+/usr/bin/location-downloader update
+
+# Call initscript to reload the firewall.
+/etc/init.d/firewall reload
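Review bot: The exit status of `/usr/bin/location-downloader update` is ignored, so the firewall is reloaded even when the download failed and the script always exits 0; use `/usr/bin/location-downloader update || exit $?` ahead of the reload. The proxy credentials are interpolated raw into the URL, so a password containing `@`, `:` or `/` yields a malformed `HTTPS_PROXY` and a silent failure; percent-encoding them, or at least documenting the restriction in the comment above, would avoid that.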
diff --git a/src/scripts/xt_geoip_update b/src/scripts/xt_geoip_update
deleted file mode 100644
index ebd266533..000000000
--- a/src/scripts/xt_geoip_update
+++ /dev/null
@@ -1,138 +0,0 @@
-#!/bin/bash
-###############################################################################
-#                                                                             #
-# IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2019 IPFire Development Team <info(a)ipfire.org>                #
-#                                                                             #
-# This program is free software: you can redistribute it and/or modify        #
-# it under the terms of the GNU General Public License as published by        #
-# the Free Software Foundation, either version 3 of the License, or           #
-# (at your option) any later version.                                         #
-#                                                                             #
-# This program is distributed in the hope that it will be useful,             #
-# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
-# GNU General Public License for more details.                                #
-#                                                                             #
-# You should have received a copy of the GNU General Public License           #
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
-#                                                                             #
-###############################################################################
-
-TMP_PATH=$(mktemp -dp /var/tmp)
-TMP_FILE=$(mktemp -p $TMP_PATH)
-
-SCRIPT_PATH=/usr/local/bin
-DEST_PATH=/usr/share/xt_geoip
-DB_PATH=/var/lib/GeoIP
-DB1_PATH=/usr/share/GeoIP
-
-DL_URL=https://geolite.maxmind.com/download/geoip/database
-DL_FILE=GeoLite2-Country-CSV.zip
-
-eval $(/usr/local/bin/readhash /var/ipfire/proxy/settings)
-
-function download() {
-	echo "Downloading latest GeoIP ruleset..."
-
-	# Proxy settings.
-	# Check if a proxy should be used.
-	if [[ $UPSTREAM_PROXY ]]; then
-		PROXYSETTINGS="-e https_proxy=http://"
-
-		# Check if authentication against the proxy is configured.
-		if [[ $UPSTREAM_USER && $UPSTREAM_PASSWORD ]]; then
-			PROXYSETTINGS="$PROXYSETTINGS$UPSTREAM_USER:$UPSTREAM_PASSWORD@"
-		fi
-
-		# Add proxy server.
-		PROXYSETTINGS="$PROXYSETTINGS$UPSTREAM_PROXY"
-	fi
-
-	# Get the latest GeoIP database from server.
-	wget $DL_URL/$DL_FILE $PROXYSETTINGS -O $TMP_FILE
-
-	# Extract files to database path.
-	unzip $TMP_FILE -d $TMP_PATH
-
-	return 0
-}
-
-function install() {
-	echo "Install CSV database..."
-
-	# Check if the database dir exists.
-	if [ ! -e "$DB_PATH" ]; then
-		mkdir -p $DB_PATH &>/dev/null
-	fi
-
-	# Check if the directory for binary databases exists.
-        if [ ! -e "$DEST_PATH" ]; then
-                mkdir -p $DEST_PATH &>/dev/null
-        fi
-
-	# Install CSV databases.
-	if ! cp -af $TMP_PATH/*/* $DB_PATH &>/dev/null; then
-		echo "Could not copy files. Aborting." >&2
-		return 1
-	fi
-
-	return 0
-}
-
-function build_legacy() {
-	echo "Convert database to legacy GeoIP.dat ..."
-	cat $DB_PATH/GeoLite2-Country-Blocks-IPv4.csv | \
-	    $DB1_PATH/bin/geolite2-to-legacy-csv.sh $DB1_PATH/bin/countryInfo.txt > \
-	    $TMP_FILE
-	$DB1_PATH/bin/geoip-generator -v -4 --info="$(date -u +'GEO-106FREE %Y%m%d Build -IPFire-' \
-	    -r $DB_PATH/GeoLite2-Country-Blocks-IPv4.csv) $(<$DB_PATH/COPYRIGHT.txt)" -o \
-	    $DB1_PATH/GeoIP.dat $TMP_FILE
-
-	return 0
-}
-
-
-function build() {
-	echo "Convert database..."
-
-	# Run script to convert the CSV file into several xtables
-	# compatible binary files.
-	if ! $SCRIPT_PATH/xt_geoip_build -S $DB_PATH -D $DEST_PATH; then
-		echo "Could not convert ruleset. Aborting." >&2
-		return 1
-	fi
-
-	return 0
-}
-
-function cleanup() {
-	echo "Cleaning up temporary files..."
-	if ! rm -rf $TMP_PATH &>/dev/null; then
-		echo "Could not remove files. Aborting." >&2
-		return 1
-	fi
-
-	return 0
-}
-
-function main() {
-	local func
-	for func in download install build build_legacy; do
-		if ! ${func}; then
-			# Cleanup any temporary data
-			cleanup
-
-			return 1
-		fi
-	done
-
-	# Cleanup
-	cleanup || return $?
-
-	# All done
-	return 0
-}
-
-# Run the main function.
-main || exit $?
diff --git a/src/setup/networking.c b/src/setup/networking.c
index d6cd30cff..51dc7acb0 100644
--- a/src/setup/networking.c
+++ b/src/setup/networking.c
@@ -14,11 +14,6 @@
 
 #include "setup.h"
 
-#define DNS1 0
-#define DNS2 1
-#define DEFAULT_GATEWAY 2
-#define DNSGATEWAY_TOTAL 3
-
 extern FILE *flog;
 extern char *mylog;
 
@@ -56,7 +51,7 @@ int drivermenu(void);
 int changedrivers(void);
 int greenaddressmenu(void);
 int addressesmenu(void);
-int dnsgatewaymenu(void);
+int gatewaymenu(void);
 
 int handlenetworking(void)
 {
@@ -89,7 +84,7 @@ int handlenetworking(void)
 				break;
 			
 			case 4:
-				dnsgatewaymenu();
+				gatewaymenu();
 				break;
 				
 			case 0:
@@ -250,7 +245,7 @@ int firstmenu(void)
 		_("Network configuration type"),
 		_("Drivers and card assignments"),
 		_("Address settings"),
-		_("DNS and Gateway settings"),
+		_("Gateway settings"),
 		NULL
 	};
 	int rc;
@@ -708,14 +703,14 @@ int addressesmenu(void)
 	return 0;
 }
 
-/* DNS and default gateway.... */
-int dnsgatewaymenu(void)
+/* default gateway.... */
+int gatewaymenu(void)
 {
 	struct keyvalue *kv = initkeyvalues();
 	char message[1000];
 	char temp[STRING_SIZE] = "0";
-	struct newtWinEntry entries[DNSGATEWAY_TOTAL+1];
-	char *values[DNSGATEWAY_TOTAL];         /* pointers for the values. */
+	struct newtWinEntry entries[2];
+	char* values[1];         /* pointers for the values. */
 	int error;
 	int configtype;
 	int rc;
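Review bot: `char* values[1];` binds the star to the type, while the rest of this file (`char *argv[]`, `char *mylog`) binds it to the variable; write `char *values[1];` for consistency. The sizes `2` and `1` are now bare literals where the removed `DNSGATEWAY_TOTAL` gave them a name; a short comment such as `/* one entry plus the NULL terminator newtWinEntries expects */` would preserve that information.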
@@ -727,92 +722,50 @@ int dnsgatewaymenu(void)
 		return 0;
 	}
 
-	entries[DNS1].text = _("Primary DNS:");
-	strcpy(temp, ""); findkey(kv, "DNS1", temp);
-	values[DNS1] = strdup(temp);
-	entries[DNS1].value = &values[DNS1];
-	entries[DNS1].flags = 0;
-	
-	entries[DNS2].text = _("Secondary DNS:");
-	strcpy(temp, ""); findkey(kv, "DNS2", temp);
-	values[DNS2] = strdup(temp);
-	entries[DNS2].value = &values[DNS2];
-	entries[DNS2].flags = 0;
-	
-	entries[DEFAULT_GATEWAY].text = _("Default gateway:");
+	entries[0].text = _("Default gateway:");
 	strcpy(temp, ""); findkey(kv, "DEFAULT_GATEWAY", temp);
-	values[DEFAULT_GATEWAY] = strdup(temp);
-	entries[DEFAULT_GATEWAY].value = &values[DEFAULT_GATEWAY];
-	entries[DEFAULT_GATEWAY].flags = 0;
+	values[0] = strdup(temp);
+	entries[0].value = &values[0];
+	entries[0].flags = 0;
 	
-	entries[DNSGATEWAY_TOTAL].text = NULL;
-	entries[DNSGATEWAY_TOTAL].value = NULL;
-	entries[DNSGATEWAY_TOTAL].flags = 0;
+	entries[1].text = NULL;
+	entries[1].value = NULL;
+	entries[1].flags = 0;
 	
 	do
 	{
 		error = 0;
 		
-		rc = newtWinEntries(_("DNS and Gateway settings"),
-			_("Enter the DNS and gateway information. "
-			"These settings are used only with Static IP (and DHCP if DNS set) on the RED interface."),
+		rc = newtWinEntries(_("Gateway settings"),
+			_("Enter the gateway information. "
+			"These settings are used only with Static IP on the RED interface."),
 			50, 5, 5, 18, entries, _("OK"), _("Cancel"), NULL);
 		if (rc == 0 || rc == 1)
 		{
-			strcpy(message, _("The following fields are invalid:"));
-			strcpy(message, "\n\n");
-			if (strlen(values[DNS1]))
+			if (strlen(values[0]))
 			{
-				if (inet_addr(values[DNS1]) == INADDR_NONE)
-				{
-					strcat(message, _("Primary DNS"));
-					strcat(message, "\n");
-					error = 1;
-				}
-			}
-			if (strlen(values[DNS2]))
-			{
-				if (inet_addr(values[DNS2]) == INADDR_NONE)
-				{
-					strcat(message, _("Secondary DNS"));
-					strcat(message, "\n");
-					error = 1;
-				}
-			}
-			if (strlen(values[DEFAULT_GATEWAY]))
-			{
-				if (inet_addr(values[DEFAULT_GATEWAY]) == INADDR_NONE)
+				if (inet_addr(values[0]) == INADDR_NONE)
 				{
 					strcat(message, _("Default gateway"));
 					strcat(message, "\n");
 					error = 1;
 				}
 			}
-			if (!strlen(values[DNS1]) && strlen(values[DNS2]))
-			{
-				strcpy(message, _("Secondary DNS specified without a Primary DNS"));
-				strcat(message, "\n");
-				error = 1;
-			}
 
 			if (error)
 				errorbox(message);
 			else
 			{
-				replacekeyvalue(kv, "DNS1", values[DNS1]);
-				replacekeyvalue(kv, "DNS2", values[DNS2]);
-				replacekeyvalue(kv, "DEFAULT_GATEWAY", values[DEFAULT_GATEWAY]);
+				replacekeyvalue(kv, "DEFAULT_GATEWAY", values[0]);
 				netaddresschange = 1;
-				free(values[DNS1]);
-				free(values[DNS2]);
-				free(values[DEFAULT_GATEWAY]);
+				free(values[0]);
 				writekeyvalues(kv, CONFIG_ROOT "/ethernet/settings");
 			}
 		}
 	}
 	while (error);
-	
+
 	freekeyvalues(kv);
-	
+
 	return 1;
 }			
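Review bot: `message` is no longer initialised before the `strcat(message, _("Default gateway"))` on the invalid-gateway path: the two `strcpy` calls that seeded it were removed along with the DNS fields, and `message` is declared as a bare `char message[1000]` in the previous hunk, so `strcat` now appends to uninitialised stack contents (undefined behaviour, and the error box may show garbage before the field name). Reinstate a seed inside the `if (rc == 0 || rc == 1)` block, e.g. `snprintf(message, sizeof(message), "%s\n\n", _("The following fields are invalid:"));`, or initialise at the declaration with `char message[1000] = "";`. The removed code had its own defect here (the second `strcpy` overwrote the heading), so the seed should be written once as above rather than restored verbatim.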


hooks/post-receive
--
IPFire 2.x development tree
