* [git.ipfire.org] IPFire 2.x development tree branch, next, updated. e850a61429b03cb77a9dc798e9f093500db09a87
@ 2021-10-19 18:30 Arne Fitzenreiter
From: Arne Fitzenreiter @ 2021-10-19 18:30 UTC (permalink / raw)
  To: ipfire-scm


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated
       via  e850a61429b03cb77a9dc798e9f093500db09a87 (commit)
       via  ef7d9d7657a3062dbba694728c4c8c6b05caa4c7 (commit)
       via  d4ff0694c5fa0ec1798cbf849b896b3212a262f6 (commit)
       via  19357bc55e63cbde3bfae3f46bfaf5e655871763 (commit)
       via  3fa8300e706227db9f72b4b1349dde3e66399298 (commit)
       via  2469ca9fbab0a02502fc8086bc94517d7dcdcfaf (commit)
       via  49dd3e2946435b0f4dc77ca1a9d7b14d22edca8d (commit)
       via  855475580b153f05df8417d408193142a76950cf (commit)
       via  9deccd1cbab7e446a362b6410fb88b36b655a7cd (commit)
       via  11f7218f9cd16b32b2cb4477355e0e5057df6399 (commit)
       via  4f07c279a01d076d7f788ac8635194a8bb7c51cd (commit)
       via  761fadbdde805c8863a1f2a736408367a38f94da (commit)
       via  aaf266ac2b1c230eeb1ba897c9674aaf28cbcf53 (commit)
       via  ec18a1ecae60c6c3b6418e300aebd6a823844c8d (commit)
       via  56702858529ae1bf75e21da3ef00f136bacedfcd (commit)
       via  637eb94684cb0029ca76bb67dda8a8d2c15560ab (commit)
       via  0165dd40256fb1fe8474140cf54eb30cfb9fb7f3 (commit)
       via  a09578f4eb954ea982926daab53c34492df05b43 (commit)
      from  80909fb6da64a911c900df50805fd5866685faf0 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit e850a61429b03cb77a9dc798e9f093500db09a87
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date:   Tue Oct 19 18:27:49 2021 +0000

    firewall: replace mark with --pol ipsec to exclude ipsec traffic from masquerade
    
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

commit ef7d9d7657a3062dbba694728c4c8c6b05caa4c7
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date:   Tue Oct 19 18:25:11 2021 +0000

    core161: add suricata changes
    
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

commit d4ff0694c5fa0ec1798cbf849b896b3212a262f6
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date:   Mon Oct 18 22:36:02 2021 +0200

    squid-asnbl: update to 0.2.3
    
    Upstream commit 500b9137d0a9dd31e40f0d1effdba0aafeb94ca4 changes the
    behaviour of this script in case of invalid or unresolvable FQDNs,
    preventing Squid from eventually shutting down due to too many BH's per
    time.
    
    Since this allows (authenticated) users to run a DoS against the Squid
    instance, it is considered to be security relevant.
    
    Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

commit 19357bc55e63cbde3bfae3f46bfaf5e655871763
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Mon Oct 18 10:10:22 2021 +0000

    firewall: Keep REPEAT bit when saving rest to CONNMARK
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
    Tested-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

commit 3fa8300e706227db9f72b4b1349dde3e66399298
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Mon Oct 18 10:10:21 2021 +0000

    suricata: Introduce IPSBYPASS chain
    
    NFQUEUE does not let the packet continue where it was processed, but
    inserts it back into iptables at the start. That is why we need an
    extra IPSBYPASS chain which has the following tasks:
    
    * Make the BYPASS bit permanent for the entire connection
    * Clear the REPEAT bit
    
    The latter is more of cosmetic nature so that we can identify packets
    that have come from suricata again and those which have bypassed the IPS
    straight away.
    
    Traffic will now only be sent to the IPS_* chains when neither of the two
    relevant bits has been set. Otherwise the packet has already been
    processed by suricata in the first pass, or suricata has decided to
    bypass the connection.
    
    This massively reduces load on the IPS which allows many common
    connections (TLS connections with downloads) to bypass the IPS bringing
    us back to line speed.
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
    Tested-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

commit 2469ca9fbab0a02502fc8086bc94517d7dcdcfaf
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Mon Oct 18 10:10:20 2021 +0000

    suricata: Store bypass flag in connmark and restore
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
    Tested-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

commit 49dd3e2946435b0f4dc77ca1a9d7b14d22edca8d
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Mon Oct 18 10:10:19 2021 +0000

    suricata: Add rule to skip IPS if a packet has the bypass bit set
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
    Tested-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

commit 855475580b153f05df8417d408193142a76950cf
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Mon Oct 18 10:10:18 2021 +0000

    suricata: Always append rules instead of inserting them
    
    This allows us to add rules in a consistent order like they are in the
    script.
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
    Tested-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

commit 9deccd1cbab7e446a362b6410fb88b36b655a7cd
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Mon Oct 18 10:10:17 2021 +0000

    suricata: Enable bypassing unhandled streams
    
    If a stream cannot be identified or if suricata has decided that it
    cannot do anything useful any more (e.g. TLS sessions after the
    handshake), we will allow suricata to bypass any following packets in
    that flow.
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
    Tested-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

commit 11f7218f9cd16b32b2cb4477355e0e5057df6399
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Mon Oct 18 10:10:16 2021 +0000

    suricata: Define bypass mark
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
    Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>
    Tested-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

commit 4f07c279a01d076d7f788ac8635194a8bb7c51cd
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Mon Oct 18 10:10:15 2021 +0000

    suricata: Rename MARK/MASK to REPEAT_MARK/REPEAT_MASK
    
    This should avoid confusion when we add more marks.
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
    Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>
    Tested-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

commit 761fadbdde805c8863a1f2a736408367a38f94da
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Mon Oct 18 10:10:14 2021 +0000

    suricata: Set most significant bit as repeat marker
    
    I have no idea why some odd value was chosen here, but one bit should be
    enough.
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
    Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>
    Tested-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

commit aaf266ac2b1c230eeb1ba897c9674aaf28cbcf53
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date:   Tue Oct 19 11:32:00 2021 +0000

    core161: add pakfire.conf and pakfire/lib/functions.pl
    
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

commit ec18a1ecae60c6c3b6418e300aebd6a823844c8d
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Thu Oct 14 19:01:49 2021 +0000

    pakfire: Allow pinning Pakfire to one mirror server
    
    This patch adds a new $mirror option to the configuration file which
    will cause Pakfire to only use this one to download any files.
    
    This feature is disabled by default but useful for development.
    
    Fixes: #12706
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

commit 56702858529ae1bf75e21da3ef00f136bacedfcd
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date:   Tue Oct 19 11:27:58 2021 +0000

    core161: add index.cgi and general-functions.pl
    
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

commit 637eb94684cb0029ca76bb67dda8a8d2c15560ab
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Thu Oct 14 13:26:30 2021 +0000

    index.cgi: Remove left-over DNSSEC status warning
    
    An error message is still shown although there is no option to disable
    DNSSEC at the moment. The old marker file could still be present on
    older machines.
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

commit 0165dd40256fb1fe8474140cf54eb30cfb9fb7f3
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date:   Tue Oct 19 11:23:12 2021 +0000

    core161: add partresize
    
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

commit a09578f4eb954ea982926daab53c34492df05b43
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Thu Oct 14 12:00:31 2021 +0000

    OCI: Enable serial console by default
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

-----------------------------------------------------------------------

Summary of changes:
 config/cfgroot/general-functions.pl       | 11 -----------
 config/grub2/00_cloud                     |  8 ++++++++
 config/rootfiles/core/161/filelists/files |  7 +++++++
 config/suricata/suricata.yaml             | 27 ++++++++++++++++++---------
 html/cgi-bin/index.cgi                    |  5 -----
 lfs/squid-asnbl                           |  4 ++--
 src/initscripts/system/firewall           | 25 +++++++++++++++++++------
 src/initscripts/system/partresize         |  6 +++---
 src/initscripts/system/suricata           | 15 +++------------
 src/pakfire/lib/functions.pl              | 12 ++++++++++++
 src/pakfire/pakfire.conf                  |  3 +++
 11 files changed, 75 insertions(+), 48 deletions(-)

Difference in files:
diff --git a/config/cfgroot/general-functions.pl b/config/cfgroot/general-functions.pl
index de608e38b..f72d6588c 100644
--- a/config/cfgroot/general-functions.pl
+++ b/config/cfgroot/general-functions.pl
@@ -1238,17 +1238,6 @@ sub get_red_interface() {
 	return $interface;
 }
 
-sub dnssec_status() {
-	my $path = "${General::swroot}/red/dnssec-status";
-
-	open(STATUS, $path) or return 0;
-	my $status = <STATUS>;
-	close(STATUS);
-
-	chomp($status);
-
-	return $status;
-}
 sub number_cpu_cores() {
 	open my $cpuinfo, "/proc/cpuinfo" or die "Can't open cpuinfo: $!\n";
 	my $cores = scalar (map /^processor/, <$cpuinfo>);
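Review bot: dnssec_status() is removed from a library every CGI loads, so any remaining caller outside index.cgi would now die with an undefined-subroutine error at request time; grep the cgi-bin tree for `General::dnssec_status` before merging. The marker file `${General::swroot}/red/dnssec-status` that this routine read is left behind on upgraded systems (the index.cgi commit message acknowledges the stale file); removing it in the core update would avoid carrying dead state forward.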
diff --git a/config/grub2/00_cloud b/config/grub2/00_cloud
index 121cb2fbd..1ef5053e5 100644
--- a/config/grub2/00_cloud
+++ b/config/grub2/00_cloud
@@ -23,8 +23,16 @@ cat <<EOF
 # Read the system manufacturer string from the BIOS
 smbios --type 1 --get-string 4 --set system_manufacturer
 
+# Read the chassis asset tag
+smbios --type 3 --get-string 8 --set chassis_asset_tag
+
 # Are we on Amazon EC2?
 if [ "\$system_manufacturer" = "Amazon EC2" ]; then
 	next_entry=gnulinux-${KERNEL_RELEASE}-serial-${boot_device_id}
 fi
+
+# Are we on Oracle Cloud?
+if [ "\$chassis_asset_tag" = "OracleCloud.com" ]; then
+	next_entry=gnulinux-${KERNEL_RELEASE}-serial-${boot_device_id}
+fi
 EOF
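Review bot: both branches assign the identical serial-console entry, so the Oracle check can be folded into the existing condition (`if [ "\$system_manufacturer" = "Amazon EC2" ] || [ "\$chassis_asset_tag" = "OracleCloud.com" ]; then`) instead of repeating the assignment. `smbios --type 3 --get-string 8` reads the SMBIOS Type 3 (System Enclosure) asset-tag string, consistent with the Type 1 manufacturer lookup above, and the `\$` escaping is correct for the surrounding `cat <<EOF` heredoc; on hardware without that string the variable is empty and the comparison simply fails, which is the desired behaviour.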
diff --git a/config/rootfiles/core/161/filelists/files b/config/rootfiles/core/161/filelists/files
index adab4730d..b6a7fff92 100644
--- a/config/rootfiles/core/161/filelists/files
+++ b/config/rootfiles/core/161/filelists/files
@@ -1,4 +1,10 @@
 etc/rc.d/init.d/firewall
+etc/rc.d/init.d/partresize
+etc/rc.d/init.d/suricata
+etc/suricata/suricata.yaml
+opt/pakfire/etc/pakfire.conf
+opt/pakfire/lib/functions.pl
+srv/web/ipfire/cgi-bin/index.cgi
 srv/web/ipfire/cgi-bin/proxy.cgi
 srv/web/ipfire/cgi-bin/qos.cgi
 usr/bin/2to3
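Review bot: this list ships suricata.yaml, the suricata initscript and the firewall initscript together, which is required: the decimal mark values in the yaml and the hex constants in the firewall script encode the same bits, and a partial update would leave a firewall that jumps on marks suricata no longer sets. Confirm that the core update script restarts both the firewall and suricata after installing these files, otherwise the old rules stay loaded until the next reboot; that script is not part of this diff.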
@@ -7,4 +13,5 @@ usr/lib/firewall/rules.pl
 usr/libexec/ipsec/_updown
 usr/local/bin/hddshutdown
 usr/local/bin/makegraphs
+var/ipfire/general-functions.pl
 var/ipfire/qos/bin/makeqosscripts.pl
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
index 4e9e39967..6f37671c8 100644
--- a/config/suricata/suricata.yaml
+++ b/config/suricata/suricata.yaml
@@ -346,10 +346,10 @@ logging:
 
 nfq:
    mode: repeat
-   repeat-mark: 1879048192
-   repeat-mask: 1879048192
-#   bypass-mark: 1
-#   bypass-mask: 1
+   repeat-mark: 2147483648
+   repeat-mask: 2147483648
+   bypass-mark: 1073741824
+   bypass-mask: 1073741824
 #  route-queue: 2
 #  batchcount: 20
    fail-open: yes
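Review bot: the decimal values hide the bit layout; add the hex equivalents as trailing comments (`repeat-mark: 2147483648  # 0x80000000`, `bypass-mark: 1073741824  # 0x40000000`) so they can be checked against IPS_REPEAT_MARK and IPS_BYPASS_MARK in src/initscripts/system/firewall at a glance. As written they do match (2147483648 is 0x80000000, 1073741824 is 0x40000000) and neither bit overlaps NAT_MASK 0x0f000000; the replaced 1879048192 was 0x70000000, i.e. the old MARK/MASK that the suricata initscript hunk removes.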
@@ -389,11 +389,19 @@ app-layer:
       # will be disabled by default, but enabled if rules require it.
       ja3-fingerprints: auto
 
-      # Completely stop processing TLS/SSL session after the handshake
-      # completed. If bypass is enabled this will also trigger flow
-      # bypass. If disabled (the default), TLS/SSL session is still
-      # tracked for Heartbleed and other anomalies.
-      #no-reassemble: yes
+      # What to do when the encrypted communications start:
+      # - default: keep tracking TLS session, check for protocol anomalies,
+      #            inspect tls_* keywords. Disables inspection of unmodified
+      #            'content' signatures.
+      # - bypass:  stop processing this flow as much as possible. No further
+      #            TLS parsing and inspection. Offload flow bypass to kernel
+      #            or hardware if possible.
+      # - full:    keep tracking and inspection as normal. Unmodified content
+      #            keyword signatures are inspected as well.
+      #
+      # For best performance, select 'bypass'.
+      #
+      encryption-handling: bypass
     dcerpc:
       enabled: yes
     ftp:
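Review bot: `encryption-handling: bypass` is a security trade-off that deserves a line in the changelog: once the TLS handshake completes, suricata stops inspecting the flow, so rules that look at TLS records after the handshake (the removed comment mentions Heartbleed-style anomaly tracking) no longer fire, and with kernel bypass the packets do not reach suricata at all. JA3 and certificate rules still work because they match during the handshake. Users who want the previous behaviour need `default` or `full`; consider exposing that choice in the IPS settings rather than hard-coding it in the shipped yaml.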
@@ -810,6 +818,7 @@ stream:
   prealloc-sessions: 4096
   checksum-validation: yes      # reject wrong csums
   inline: auto                  # auto will use inline mode in IPS mode, yes or no set it statically
+  bypass: yes                   # Bypass packets when stream.reassembly.depth is reached.
   reassembly:
     memcap: 256mb
     depth: 1mb                  # reassemble 1mb into a stream
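Review bot: with `stream.bypass: yes` and `reassembly.depth: 1mb`, every flow that carries more than 1 MB of reassembled data is bypassed for the remainder of its lifetime in both directions, so content past the first megabyte of a large download is not inspected. That is the intended performance gain, but the consequence should be documented next to the IPS settings in the web UI; the comment on the new line describes the mechanism but not what it gives up.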
diff --git a/html/cgi-bin/index.cgi b/html/cgi-bin/index.cgi
index fafbe0aa1..948fdde55 100644
--- a/html/cgi-bin/index.cgi
+++ b/html/cgi-bin/index.cgi
@@ -536,11 +536,6 @@ END
 &Header::closebox();
 }
 
-my $dnssec_status = &General::dnssec_status();
-if ($dnssec_status eq "off") {
-	$warnmessage .= "<li>$Lang::tr{'dnssec disabled warning'}</li>";
-}
-
 # Fireinfo
 if ( ! -e "/var/ipfire/main/send_profile") {
 	$warnmessage .= "<li><a style='color: white;' href='fireinfo.cgi'>$Lang::tr{'fireinfo please enable'}</a></li>";
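Review bot: with the DNSSEC check gone, the translation string `'dnssec disabled warning'` referenced in the removed lines is no longer used by index.cgi; drop it from the language files unless another page still uses it, so it does not linger as dead text. The removal itself is consistent with dropping `General::dnssec_status()` from config/cfgroot/general-functions.pl in the same push.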
diff --git a/lfs/squid-asnbl b/lfs/squid-asnbl
index 3fc001768..9bb7ef198 100644
--- a/lfs/squid-asnbl
+++ b/lfs/squid-asnbl
@@ -25,7 +25,7 @@
 
 include Config
 
-VER        = 0.2.2
+VER        = 0.2.3
 
 THISAPP    = squid-asnbl-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -45,7 +45,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_MD5 = d62be77baa30b16d1c2362460123d6c0
+$(DL_FILE)_MD5 = cf0a269215f06f487d1ed488ea463d6b
 
 install : $(TARGET)
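Review bot: the tarball is pinned only by MD5 here, which confirms the download is the file the packager saw but cannot rule out a crafted collision; since the commit message calls this update security relevant, record that `cf0a269215f06f487d1ed488ea463d6b` was taken from a tarball whose content matches the referenced upstream commit, or add a stronger digest alongside it if the build system supports one. The bump to 0.2.3 is consistent between this hunk and the commit message.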
 
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index ce428393d..776e70d6e 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -14,8 +14,10 @@ fi
 
 NAT_MASK="0x0f000000"
 
-IPSEC_MARK="0x00800000"
-IPSEC_MASK="${IPSEC_MARK}"
+IPS_REPEAT_MARK="0x80000000"
+IPS_REPEAT_MASK="0x80000000"
+IPS_BYPASS_MARK="0x40000000"
+IPS_BYPASS_MASK="0x40000000"
 
 function iptables() {
 	/sbin/iptables --wait "$@"
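Review bot: IPSEC_MARK (0x00800000) is dropped from this script, but nothing in this diff removes whoever sets it; if the IPsec updown script or the QoS scripts still set or test that bit, they keep running but no longer have any effect in the firewall. Grep the tree for IPSEC_MARK and 0x00800000 and retire it in one go. The four new constants are clearer than the old generic MARK/MASK, and keeping MARK and MASK separate leaves room for multi-bit fields later.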
@@ -41,6 +43,16 @@ iptables_init() {
 	modprobe nf_log_ipv4
 	sysctl -q -w net.netfilter.nf_log.2=nf_log_ipv4
 
+	# IPS Bypass Chain which stores the BYPASS bit in connection tracking
+	iptables -N IPSBYPASS
+	iptables -A IPSBYPASS -j CONNMARK --save-mark --mask "$(( ~IPS_REPEAT_MASK & 0xffffffff ))"
+
+	# Jump into bypass chain when the BYPASS bit is set
+	for chain in INPUT FORWARD OUTPUT; do
+		iptables -A "${chain}" -m mark \
+			--mark "$(( IPS_REPEAT_MARK | IPS_BYPASS_MARK ))/$(( IPS_REPEAT_MASK | IPS_BYPASS_MASK ))" -j IPSBYPASS
+	done
+
 	# Empty LOG_DROP and LOG_REJECT chains
 	iptables -N LOG_DROP
 	iptables -A LOG_DROP   -m limit --limit 10/second -j LOG
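Review bot: the jump into IPSBYPASS matches only packets that carry both the REPEAT and the BYPASS bit, i.e. packets re-injected by suricata after a bypass decision, and IPSBYPASS then copies the packet mark minus the REPEAT bit into the conntrack mark. Two things to confirm: the `CONNMARK --restore-mark` that re-applies the saved BYPASS bit to later packets of the flow is not in this diff, and it has to run before the IPS_* jump in each chain or the bypass only covers the packet that triggered it; and, unlike the 'Introduce IPSBYPASS chain' message, this version does not clear the REPEAT bit on the packet mark (matching the later 'Keep REPEAT bit' commit), so the mark still carries 0x80000000 downstream. `$(( ~IPS_REPEAT_MASK & 0xffffffff ))` is bash arithmetic on a hex string, which is fine since the script already relies on bash, but worth a comment because the value iptables sees is decimal.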
@@ -147,9 +159,10 @@ iptables_init() {
 	iptables -N IPS_INPUT
 	iptables -N IPS_FORWARD
 	iptables -N IPS_OUTPUT
-	iptables -A INPUT -j IPS_INPUT
-	iptables -A FORWARD -j IPS_FORWARD
-	iptables -A OUTPUT -j IPS_OUTPUT
+
+	for chain in INPUT FORWARD OUTPUT; do
+		iptables -A "${chain}" -m mark --mark "0x0/$(( IPS_REPEAT_MASK | IPS_BYPASS_MASK ))" -j "IPS_${chain}"
+	done
 
 	# OpenVPN transfer network translation
 	iptables -t nat -N OVPNNAT
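Review bot: the single `--mark 0x0/(REPEAT|BYPASS)` guard is now the only thing preventing a packet from being queued to suricata twice, because the per-rule `! --mark` checks are dropped from the suricata initscript in this push; a short comment here explaining the two bits (REPEAT: already passed through suricata in this traversal, BYPASS: suricata gave up on the flow) would help the next reader. The loop also applies the rule to INPUT, FORWARD and OUTPUT in the same order as the IPSBYPASS jumps above, which is good.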
@@ -380,7 +393,7 @@ iptables_red_up() {
 		fi
 
 		# Outgoing masquerading (don't masqerade IPsec)
-		iptables -t nat -A REDNAT -m mark --mark "${IPSEC_MARK}/${IPSEC_MASK}" -o "${IFACE}" -j RETURN
+		iptables -t nat -A REDNAT -m policy --pol ipsec --dir=out -o "${IFACE}" -j RETURN
 
 		if [ "${IFACE}" = "${GREEN_DEV}" ]; then
 			iptables -t nat -A REDNAT -i "${GREEN_DEV}" -o "${IFACE}" -j RETURN
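Review bot: `-m policy --pol ipsec --dir=out` is the right tool: it matches on the packet's actual xfrm policy instead of a mark that a separate script had to set, so the masquerade exclusion can no longer drift out of sync with tunnel state. Two nits: the rest of this script passes option values as separate words (`--dir out`), and `--dir=out` only works because the policy extension parses with getopt_long; and the comment on the line above still reads 'masqerade'.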
diff --git a/src/initscripts/system/partresize b/src/initscripts/system/partresize
index 4fa1906d0..2206ca451 100644
--- a/src/initscripts/system/partresize
+++ b/src/initscripts/system/partresize
@@ -45,9 +45,9 @@ case "${1}" in
 				esac
 			fi
 
-			# Enable the serial console on all systems on AWS EC2, Azure
-			# and Google Compute Platform
-			if running_on_ec2 || running_on_azure || running_on_gcp; then
+			# Enable the serial console on all systems on AWS EC2, Oracle Cloud,
+			# Azure and Google Compute Platform
+			if running_on_ec2 || running_on_oci || running_on_azure || running_on_gcp; then
 				scon="on"
 			fi
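Review bot: `running_on_oci` is not defined anywhere in this diff; if it is missing from the helper file this script sources, bash prints 'command not found', the call returns 127 (false) and the serial console is silently not enabled on Oracle Cloud while the other platforms keep working. Confirm the helper exists in the shipped functions file and is included in the core update.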
 
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index 33633ddf9..13fcc7f34 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -34,10 +34,6 @@ network_zones=( red green blue orange ovpn )
 # Array to store the network zones weather the IPS is enabled for.
 enabled_ips_zones=()
 
-# Mark and Mask options.
-MARK="0x70000000"
-MASK="0x70000000"
-
 # PID file of suricata.
 PID_FILE="/var/run/suricata.pid"
 
@@ -137,19 +133,14 @@ function generate_fw_rules {
 		# Loop through the array and create firewall rules.
 		for enabled_ips_zone in "${enabled_ips_zones[@]}"; do
 			# Create rules queue input and output related traffic and pass it to the IPS.
-			iptables -w -I "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
-			iptables -w -I "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
+			iptables -w -A "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -j NFQUEUE $NFQ_OPTIONS
+			iptables -w -A "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -j NFQUEUE $NFQ_OPTIONS
 
 			# Create rules which are required to handle forwarded traffic.
 			for enabled_ips_zone_forward in "${enabled_ips_zones[@]}"; do
-				iptables -w -I "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
+				iptables -w -A "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -j NFQUEUE $NFQ_OPTIONS
 			done
 		done
-
-		# Clear repeat bit, so that it does not confuse IPsec or QoS
-		iptables -w -A "${IPS_INPUT_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
-		iptables -w -A "${IPS_FORWARD_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
-		iptables -w -A "${IPS_OUTPUT_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
 	fi
 }
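Review bot: the removed 'Clear repeat bit' rules mean the REPEAT bit (now 0x80000000) stays set on the packet mark for the rest of its traversal, so any later consumer of the fwmark (QoS tc filters, mark-based routing) must mask it out or classification breaks for traffic that came back from suricata; the old comment named IPsec and QoS for exactly this reason. Switching `-I` to `-A` makes rule order match the script, as the commit message says, and dropping the `! --mark` guard is only safe together with the new jump rule in src/initscripts/system/firewall, which is why both files must ship in the same core update.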
 
diff --git a/src/pakfire/lib/functions.pl b/src/pakfire/lib/functions.pl
index f46c9acc1..4d9854a6f 100644
--- a/src/pakfire/lib/functions.pl
+++ b/src/pakfire/lib/functions.pl
@@ -30,6 +30,7 @@ use HTTP::Headers;
 use HTTP::Message;
 use HTTP::Request;
 use Net::Ping;
+use URI;
 
 use Switch;
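Review bot: `use URI;` adds a hard dependency on the URI Perl module for the updater itself; if it is not present on a stock system, pakfire fails at compile time and cannot even fetch the package that would fix it. Verify the module is in the base rootfile before this ships.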
 
@@ -297,6 +298,17 @@ sub valid_signature($) {
 }
 
 sub selectmirror {
+	if (defined ${Conf::mirror}) {
+		my $uri = URI->new("${Conf::mirror}");
+
+		# Only accept HTTPS mirrors
+		if ($uri->scheme eq "https") {
+			return ("HTTPS", $uri->host, $uri->path . "/" . ${Conf::version});
+		} else {
+			message("MIRROR ERROR: Unsupported mirror: " . ${Conf::mirror});
+		}
+	}
+
 	### Check if there is a current server list and read it.
 	#   If there is no list try to get one.
 	my $count = 0;
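Review bot: on an unsupported scheme the code prints an error and falls through to the regular mirror selection, so a typo in `$mirror` (an `http://` URL, say) silently ignores the pin; for a development option a hard failure after the message is more useful. Minor: `$uri->path . "/" . ${Conf::version}` produces a double slash when the configured mirror ends in `/`; trimming a trailing slash from the path avoids that. The HTTPS-only restriction is the right call and should stay.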
diff --git a/src/pakfire/pakfire.conf b/src/pakfire/pakfire.conf
index 9930f3771..bc54dcff4 100644
--- a/src/pakfire/pakfire.conf
+++ b/src/pakfire/pakfire.conf
@@ -23,6 +23,9 @@ package Conf;
 
 $mainserver = "pakfire.ipfire.org";
 
+# Only use this mirror
+#$mirror = "https://mirror1.ipfire.org/pakfire2";
+
 $cachedir = "/opt/pakfire/cache";
 $dbdir = "/opt/pakfire/db";
 $coredir = "/opt/pakfire/db/core";
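Review bot: document next to the example that only `https://` mirrors are accepted and that the path should not end in a slash, since selectmirror appends `/$version` to it; leaving the setting commented out keeps the feature disabled by default, as the commit message says.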


hooks/post-receive
--
IPFire 2.x development tree
