* [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 80745fb58f832ce4cd7476ab9d7aaf96dd8c8203
From: Peter Müller @ 2022-06-13 15:50 UTC (permalink / raw)
To: ipfire-scm
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, next has been updated
via 80745fb58f832ce4cd7476ab9d7aaf96dd8c8203 (commit)
via 0360d235c8c4ab2d672b40d745c1b1dc14becadb (commit)
via 84d6e931508cf0c2b31a0b1b7923d6bda84414c2 (commit)
via d90b39982baff221ff52ac97cdc9acb1f29e3d82 (commit)
via cf7f5004ac116d90be07e4da36887efc8ef69552 (commit)
via b41631c1904690c3a6075dc5572a24f39aee2dd4 (commit)
via 17aaad5d968e8486dc83cd65cddb1cc1a7ff5211 (commit)
via 1fad035a1f20771740faf0dd5e0802d779370b94 (commit)
via 883e29630cb1f5b16c8508b585c32d7f54a86e1a (commit)
via 9b28e9d02be9c0e0c488434cfd731d47bb227838 (commit)
via db8639bbfa41f34fcc33345648d3100ac5da001d (commit)
from 0d84103c04f67d913ee5cd0187f49ab178fb33e1 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 80745fb58f832ce4cd7476ab9d7aaf96dd8c8203
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date: Tue Jun 7 20:22:30 2022 +0000
unbound.conf: Aggressive NSEC is enabled by default since Unbound 1.15.0
Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
commit 0360d235c8c4ab2d672b40d745c1b1dc14becadb
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date: Mon Jun 13 15:49:40 2022 +0000
Core Update 169: Ship and apply sysctl changes
Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
commit 84d6e931508cf0c2b31a0b1b7923d6bda84414c2
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date: Tue Jun 7 20:09:07 2022 +0000
sysctl: For the sake of completeness, do not accept IPv6 redirects
While IPFire 2.x' web interface does not support IPv6, users can
technically run it with IPv6 by conducting the necessary configuration
changes manually.
To provide these systems as well, we should disable acceptance of ICMPv6
redirect packets - which is apparently not default in Linux, yet. :-/
Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit d90b39982baff221ff52ac97cdc9acb1f29e3d82
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date: Mon Jun 13 15:48:13 2022 +0000
Core Update 169: Ship localnet initscript
Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
commit cf7f5004ac116d90be07e4da36887efc8ef69552
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date: Tue Jun 7 19:31:57 2022 +0000
localnet: Add "edns0" to /etc/resolv.conf options for RFC 2671 support
Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit b41631c1904690c3a6075dc5572a24f39aee2dd4
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date: Mon Jun 13 15:46:50 2022 +0000
Core Update 169: Ship and apply updated Linux kernel
Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
commit 17aaad5d968e8486dc83cd65cddb1cc1a7ff5211
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date: Sat Jun 11 06:47:49 2022 +0000
flash-images: Harden mount options of /boot
Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 1fad035a1f20771740faf0dd5e0802d779370b94
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date: Sat Jun 11 18:42:08 2022 +0000
Kernel: Mitigate Straight-Line-Speculation on x86_64
See https://lwn.net/Articles/877845/ for the rationale behind this. The
feature is currently only available on the x86_64 platform.
Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 883e29630cb1f5b16c8508b585c32d7f54a86e1a
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date: Sat Jun 11 18:47:31 2022 +0000
Kernel: Disable support for RPC dprintk debugging
This is solely needed for debugging of NFS issues. Due to the attack
surface it introduces, grsecurity recommends to disable it; as we do not
have a strict necessity for this feature, it is best to follow that
recommendation for security reasons.
Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 9b28e9d02be9c0e0c488434cfd731d47bb227838
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date: Sat Jun 11 18:53:10 2022 +0000
Kernel: Enable YAMA support
See https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html for
the upstream rationale. Enabling YAMA gives us the benefit of additional
hardening options available, without any obvious downsides.
Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit db8639bbfa41f34fcc33345648d3100ac5da001d
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date: Sat Jun 11 18:13:57 2022 +0000
linux: Update to 5.15.46
Please refer to https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.46
for the changelog of this version.
Due to operational constraints, ARM rootfile changes are simulated.
Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer(a)ipfire.org>
-----------------------------------------------------------------------
Summary of changes:
config/etc/sysctl.conf | 4 ++
config/kernel/kernel.config.aarch64-ipfire | 5 +-
config/kernel/kernel.config.armv6l-ipfire | 5 +-
config/kernel/kernel.config.riscv64-ipfire | 5 +-
config/kernel/kernel.config.x86_64-ipfire | 7 +-
config/rootfiles/common/aarch64/linux | 5 +-
config/rootfiles/common/armv6l/linux | 4 +-
config/rootfiles/common/x86_64/linux | 6 +-
.../124 => core/169}/filelists/aarch64/linux | 0
.../159 => core/169}/filelists/armv6l/linux | 0
config/rootfiles/core/169/filelists/files | 2 +
.../100 => core/169}/filelists/x86_64/linux | 0
config/rootfiles/core/169/update.sh | 67 ++++++++++++++++++
config/unbound/unbound.conf | 1 -
lfs/flash-images | 4 +-
lfs/linux | 6 +-
src/initscripts/system/localnet | 2 +-
....17-layer7.patch => linux-5.15.46-layer7.patch} | 82 +++++++++++-----------
18 files changed, 134 insertions(+), 71 deletions(-)
copy config/rootfiles/{oldcore/124 => core/169}/filelists/aarch64/linux (100%)
copy config/rootfiles/{oldcore/159 => core/169}/filelists/armv6l/linux (100%)
copy config/rootfiles/{oldcore/100 => core/169}/filelists/x86_64/linux (100%)
rename src/patches/linux/{linux-5.15.17-layer7.patch => linux-5.15.46-layer7.patch} (94%)
Difference in files:
diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf
index 7fe397bb7..6bf3bc887 100644
--- a/config/etc/sysctl.conf
+++ b/config/etc/sysctl.conf
@@ -31,6 +31,10 @@ vm.min_free_kbytes = 8192
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
+# However, enable some IPv6 hardening sysctl's in case this system is run customly _with_ IPv6.
+net.ipv6.conf.all.accept_redirects = 0
+net.ipv6.conf.default.accept_redirects = 0
+
# Enable netfilter accounting
net.netfilter.nf_conntrack_acct = 1
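Review bot: The added comment line in this hunk has wording problems ("sysctl's", "customly"); something like "# Apply IPv6 hardening sysctls in case this system is manually configured to run with IPv6." reads cleaner. It would also help to say in the comment that the two settings refuse ICMPv6 redirects, because the lines directly above disable IPv6 altogether and a reader may wonder why both are present.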
diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
index 6dfeae595..f2bdf2a3d 100644
--- a/config/kernel/kernel.config.aarch64-ipfire
+++ b/config/kernel/kernel.config.aarch64-ipfire
@@ -7433,7 +7433,6 @@ CONFIG_NFS_V4_SECURITY_LABEL=y
CONFIG_NFS_FSCACHE=y
# CONFIG_NFS_USE_LEGACY_DNS is not set
CONFIG_NFS_USE_KERNEL_DNS=y
-CONFIG_NFS_DEBUG=y
CONFIG_NFS_DISABLE_UDP_SUPPORT=y
# CONFIG_NFS_V4_2_READ_PLUS is not set
CONFIG_NFSD=m
@@ -7457,7 +7456,7 @@ CONFIG_SUNRPC_GSS=m
CONFIG_SUNRPC_BACKCHANNEL=y
CONFIG_RPCSEC_GSS_KRB5=m
# CONFIG_SUNRPC_DISABLE_INSECURE_ENCTYPES is not set
-CONFIG_SUNRPC_DEBUG=y
+# CONFIG_SUNRPC_DEBUG is not set
# CONFIG_CEPH_FS is not set
CONFIG_CIFS=m
# CONFIG_CIFS_STATS2 is not set
@@ -7555,7 +7554,7 @@ CONFIG_FORTIFY_SOURCE=y
# CONFIG_SECURITY_TOMOYO is not set
# CONFIG_SECURITY_APPARMOR is not set
# CONFIG_SECURITY_LOADPIN is not set
-# CONFIG_SECURITY_YAMA is not set
+CONFIG_SECURITY_YAMA=y
# CONFIG_SECURITY_SAFESETID is not set
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
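Review bot: CONFIG_SECURITY_YAMA=y in this hunk only builds Yama in; whether it is active also depends on "yama" appearing in the CONFIG_LSM= list (or in lsm= on the kernel command line), which is not among the visible lines, so please confirm it is listed. The sysctl.conf change in this push does not set kernel.yama.ptrace_scope, so the system runs with the kernel's default level; setting it explicitly would document the intended restriction. The same applies to the armv6l, riscv64 and x86_64 configs.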
diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
index 1bb745a87..3fb7b98a2 100644
--- a/config/kernel/kernel.config.armv6l-ipfire
+++ b/config/kernel/kernel.config.armv6l-ipfire
@@ -7439,7 +7439,6 @@ CONFIG_NFS_V4_SECURITY_LABEL=y
CONFIG_NFS_FSCACHE=y
# CONFIG_NFS_USE_LEGACY_DNS is not set
CONFIG_NFS_USE_KERNEL_DNS=y
-CONFIG_NFS_DEBUG=y
CONFIG_NFS_DISABLE_UDP_SUPPORT=y
# CONFIG_NFS_V4_2_READ_PLUS is not set
CONFIG_NFSD=m
@@ -7463,7 +7462,7 @@ CONFIG_SUNRPC_GSS=m
CONFIG_SUNRPC_BACKCHANNEL=y
CONFIG_RPCSEC_GSS_KRB5=m
# CONFIG_SUNRPC_DISABLE_INSECURE_ENCTYPES is not set
-CONFIG_SUNRPC_DEBUG=y
+# CONFIG_SUNRPC_DEBUG is not set
# CONFIG_CEPH_FS is not set
CONFIG_CIFS=m
# CONFIG_CIFS_STATS2 is not set
@@ -7561,7 +7560,7 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=y
# CONFIG_SECURITY_TOMOYO is not set
# CONFIG_SECURITY_APPARMOR is not set
# CONFIG_SECURITY_LOADPIN is not set
-# CONFIG_SECURITY_YAMA is not set
+CONFIG_SECURITY_YAMA=y
# CONFIG_SECURITY_SAFESETID is not set
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire
index 2d1fdbd28..f1364d143 100644
--- a/config/kernel/kernel.config.riscv64-ipfire
+++ b/config/kernel/kernel.config.riscv64-ipfire
@@ -6071,7 +6071,6 @@ CONFIG_NFS_V4_SECURITY_LABEL=y
CONFIG_NFS_FSCACHE=y
# CONFIG_NFS_USE_LEGACY_DNS is not set
CONFIG_NFS_USE_KERNEL_DNS=y
-CONFIG_NFS_DEBUG=y
CONFIG_NFS_DISABLE_UDP_SUPPORT=y
CONFIG_NFS_V4_2_READ_PLUS=y
CONFIG_NFSD=m
@@ -6095,7 +6094,7 @@ CONFIG_SUNRPC_GSS=m
CONFIG_SUNRPC_BACKCHANNEL=y
CONFIG_RPCSEC_GSS_KRB5=m
# CONFIG_SUNRPC_DISABLE_INSECURE_ENCTYPES is not set
-CONFIG_SUNRPC_DEBUG=y
+# CONFIG_SUNRPC_DEBUG is not set
# CONFIG_CEPH_FS is not set
CONFIG_CIFS=m
# CONFIG_CIFS_STATS2 is not set
@@ -6193,7 +6192,7 @@ CONFIG_FORTIFY_SOURCE=y
# CONFIG_SECURITY_TOMOYO is not set
# CONFIG_SECURITY_APPARMOR is not set
# CONFIG_SECURITY_LOADPIN is not set
-# CONFIG_SECURITY_YAMA is not set
+CONFIG_SECURITY_YAMA=y
# CONFIG_SECURITY_SAFESETID is not set
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
index b84698235..68c6e7b34 100644
--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -322,6 +322,8 @@ CONFIG_X86_X2APIC=y
CONFIG_X86_MPPARSE=y
# CONFIG_GOLDFISH is not set
CONFIG_RETPOLINE=y
+CONFIG_CC_HAS_SLS=y
+CONFIG_SLS=y
# CONFIG_X86_CPU_RESCTRL is not set
CONFIG_X86_EXTENDED_PLATFORM=y
# CONFIG_X86_VSMP is not set
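Review bot: CONFIG_CC_HAS_SLS=y in this hunk is not something the config file decides; Kconfig derives it from whether the compiler accepts -mharden-sls=all, and CONFIG_SLS depends on it. If the build toolchain lacks that option, CONFIG_SLS is dropped silently when the config is regenerated, so the build should check the resulting .config for CONFIG_SLS=y rather than rely on this file.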
@@ -6847,7 +6849,6 @@ CONFIG_NFS_V4_SECURITY_LABEL=y
CONFIG_NFS_FSCACHE=y
# CONFIG_NFS_USE_LEGACY_DNS is not set
CONFIG_NFS_USE_KERNEL_DNS=y
-CONFIG_NFS_DEBUG=y
CONFIG_NFS_DISABLE_UDP_SUPPORT=y
CONFIG_NFS_V4_2_READ_PLUS=y
CONFIG_NFSD=m
@@ -6871,7 +6872,7 @@ CONFIG_SUNRPC_GSS=m
CONFIG_SUNRPC_BACKCHANNEL=y
CONFIG_RPCSEC_GSS_KRB5=m
# CONFIG_SUNRPC_DISABLE_INSECURE_ENCTYPES is not set
-CONFIG_SUNRPC_DEBUG=y
+# CONFIG_SUNRPC_DEBUG is not set
# CONFIG_CEPH_FS is not set
CONFIG_CIFS=m
# CONFIG_CIFS_STATS2 is not set
@@ -6971,7 +6972,7 @@ CONFIG_FORTIFY_SOURCE=y
# CONFIG_SECURITY_TOMOYO is not set
# CONFIG_SECURITY_APPARMOR is not set
# CONFIG_SECURITY_LOADPIN is not set
-# CONFIG_SECURITY_YAMA is not set
+CONFIG_SECURITY_YAMA=y
# CONFIG_SECURITY_SAFESETID is not set
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
diff --git a/config/rootfiles/common/aarch64/linux b/config/rootfiles/common/aarch64/linux
index a88af0a37..73177bd71 100644
--- a/config/rootfiles/common/aarch64/linux
+++ b/config/rootfiles/common/aarch64/linux
@@ -6878,6 +6878,7 @@ etc/modprobe.d/ipv6.conf
#lib/modules/KVER-ipfire/build/include/config/CC_CAN_LINK
#lib/modules/KVER-ipfire/build/include/config/CC_CAN_LINK_STATIC
#lib/modules/KVER-ipfire/build/include/config/CC_HAS_ASM_GOTO
+#lib/modules/KVER-ipfire/build/include/config/CC_HAS_ASM_GOTO_TIED_OUTPUT
#lib/modules/KVER-ipfire/build/include/config/CC_HAS_ASM_GOTO_OUTPUT
#lib/modules/KVER-ipfire/build/include/config/CC_HAS_ASM_INLINE
#lib/modules/KVER-ipfire/build/include/config/CC_HAS_BRANCH_PROT_PAC_RET
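Review bot: The added CC_HAS_ASM_GOTO_TIED_OUTPUT entry in this hunk is placed before CC_HAS_ASM_GOTO_OUTPUT, while the x86_64 rootfile in this push lists it after that entry, which is also the sorted position. The armv6l rootfile has the same ordering. Since the commit message says the ARM rootfile changes are simulated, these lists should be regenerated from a real build before release so that ordering and contents match what is actually installed.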
@@ -7107,7 +7108,6 @@ etc/modprobe.d/ipv6.conf
#lib/modules/KVER-ipfire/build/include/config/CRYPTO_KPP2
#lib/modules/KVER-ipfire/build/include/config/CRYPTO_LIB_AES
#lib/modules/KVER-ipfire/build/include/config/CRYPTO_LIB_ARC4
-#lib/modules/KVER-ipfire/build/include/config/CRYPTO_LIB_BLAKE2S
#lib/modules/KVER-ipfire/build/include/config/CRYPTO_LIB_BLAKE2S_GENERIC
#lib/modules/KVER-ipfire/build/include/config/CRYPTO_LIB_CHACHA
#lib/modules/KVER-ipfire/build/include/config/CRYPTO_LIB_CHACHA20POLY1305
@@ -15293,7 +15293,6 @@ etc/modprobe.d/ipv6.conf
#lib/modules/KVER-ipfire/build/include/trace/events/qdisc.h
#lib/modules/KVER-ipfire/build/include/trace/events/qla.h
#lib/modules/KVER-ipfire/build/include/trace/events/qrtr.h
-#lib/modules/KVER-ipfire/build/include/trace/events/random.h
#lib/modules/KVER-ipfire/build/include/trace/events/rcu.h
#lib/modules/KVER-ipfire/build/include/trace/events/rdma.h
#lib/modules/KVER-ipfire/build/include/trace/events/rdma_core.h
@@ -20520,8 +20519,6 @@ lib/modules/KVER-ipfire/kernel
#lib/modules/KVER-ipfire/kernel/lib/crc8.ko.xz
#lib/modules/KVER-ipfire/kernel/lib/crypto
#lib/modules/KVER-ipfire/kernel/lib/crypto/libarc4.ko.xz
-#lib/modules/KVER-ipfire/kernel/lib/crypto/libblake2s-generic.ko.xz
-#lib/modules/KVER-ipfire/kernel/lib/crypto/libblake2s.ko.xz
#lib/modules/KVER-ipfire/kernel/lib/crypto/libchacha.ko.xz
#lib/modules/KVER-ipfire/kernel/lib/crypto/libchacha20poly1305.ko.xz
#lib/modules/KVER-ipfire/kernel/lib/crypto/libcurve25519-generic.ko.xz
diff --git a/config/rootfiles/common/armv6l/linux b/config/rootfiles/common/armv6l/linux
index 11da0fb3c..e8e10463c 100644
--- a/config/rootfiles/common/armv6l/linux
+++ b/config/rootfiles/common/armv6l/linux
@@ -7317,6 +7317,7 @@ etc/modprobe.d/ipv6.conf
#lib/modules/KVER-ipfire/build/include/config/CC_CAN_LINK
#lib/modules/KVER-ipfire/build/include/config/CC_CAN_LINK_STATIC
#lib/modules/KVER-ipfire/build/include/config/CC_HAS_ASM_GOTO
+#lib/modules/KVER-ipfire/build/include/config/CC_HAS_ASM_GOTO_TIED_OUTPUT
#lib/modules/KVER-ipfire/build/include/config/CC_HAS_ASM_GOTO_OUTPUT
#lib/modules/KVER-ipfire/build/include/config/CC_HAS_ASM_INLINE
#lib/modules/KVER-ipfire/build/include/config/CC_HAS_KASAN_GENERIC
@@ -7569,7 +7570,6 @@ etc/modprobe.d/ipv6.conf
#lib/modules/KVER-ipfire/build/include/config/CRYPTO_KPP2
#lib/modules/KVER-ipfire/build/include/config/CRYPTO_LIB_AES
#lib/modules/KVER-ipfire/build/include/config/CRYPTO_LIB_ARC4
-#lib/modules/KVER-ipfire/build/include/config/CRYPTO_LIB_BLAKE2S
#lib/modules/KVER-ipfire/build/include/config/CRYPTO_LIB_CHACHA
#lib/modules/KVER-ipfire/build/include/config/CRYPTO_LIB_CHACHA20POLY1305
#lib/modules/KVER-ipfire/build/include/config/CRYPTO_LIB_CHACHA_GENERIC
@@ -15743,7 +15743,6 @@ etc/modprobe.d/ipv6.conf
#lib/modules/KVER-ipfire/build/include/trace/events/qdisc.h
#lib/modules/KVER-ipfire/build/include/trace/events/qla.h
#lib/modules/KVER-ipfire/build/include/trace/events/qrtr.h
-#lib/modules/KVER-ipfire/build/include/trace/events/random.h
#lib/modules/KVER-ipfire/build/include/trace/events/rcu.h
#lib/modules/KVER-ipfire/build/include/trace/events/rdma.h
#lib/modules/KVER-ipfire/build/include/trace/events/rdma_core.h
@@ -20739,7 +20738,6 @@ lib/modules/KVER-ipfire/kernel
#lib/modules/KVER-ipfire/kernel/lib/crc8.ko.xz
#lib/modules/KVER-ipfire/kernel/lib/crypto
#lib/modules/KVER-ipfire/kernel/lib/crypto/libarc4.ko.xz
-#lib/modules/KVER-ipfire/kernel/lib/crypto/libblake2s.ko.xz
#lib/modules/KVER-ipfire/kernel/lib/crypto/libchacha.ko.xz
#lib/modules/KVER-ipfire/kernel/lib/crypto/libchacha20poly1305.ko.xz
#lib/modules/KVER-ipfire/kernel/lib/crypto/libcurve25519-generic.ko.xz
diff --git a/config/rootfiles/common/x86_64/linux b/config/rootfiles/common/x86_64/linux
index a578435d3..04e636046 100644
--- a/config/rootfiles/common/x86_64/linux
+++ b/config/rootfiles/common/x86_64/linux
@@ -6780,12 +6780,14 @@ etc/modprobe.d/ipv6.conf
#lib/modules/KVER-ipfire/build/include/config/CC_CAN_LINK_STATIC
#lib/modules/KVER-ipfire/build/include/config/CC_HAS_ASM_GOTO
#lib/modules/KVER-ipfire/build/include/config/CC_HAS_ASM_GOTO_OUTPUT
+#lib/modules/KVER-ipfire/build/include/config/CC_HAS_ASM_GOTO_TIED_OUTPUT
#lib/modules/KVER-ipfire/build/include/config/CC_HAS_ASM_INLINE
#lib/modules/KVER-ipfire/build/include/config/CC_HAS_INT128
#lib/modules/KVER-ipfire/build/include/config/CC_HAS_KASAN_GENERIC
#lib/modules/KVER-ipfire/build/include/config/CC_HAS_NO_PROFILE_FN_ATTR
#lib/modules/KVER-ipfire/build/include/config/CC_HAS_SANCOV_TRACE_PC
#lib/modules/KVER-ipfire/build/include/config/CC_HAS_SANE_STACKPROTECTOR
+#lib/modules/KVER-ipfire/build/include/config/CC_HAS_SLS
#lib/modules/KVER-ipfire/build/include/config/CC_HAS_WORKING_NOSANITIZE_ADDRESS
#lib/modules/KVER-ipfire/build/include/config/CC_HAS_ZERO_CALL_USED_REGS
#lib/modules/KVER-ipfire/build/include/config/CC_IS_GCC
@@ -6999,7 +7001,6 @@ etc/modprobe.d/ipv6.conf
#lib/modules/KVER-ipfire/build/include/config/CRYPTO_KPP2
#lib/modules/KVER-ipfire/build/include/config/CRYPTO_LIB_AES
#lib/modules/KVER-ipfire/build/include/config/CRYPTO_LIB_ARC4
-#lib/modules/KVER-ipfire/build/include/config/CRYPTO_LIB_BLAKE2S
#lib/modules/KVER-ipfire/build/include/config/CRYPTO_LIB_BLAKE2S_GENERIC
#lib/modules/KVER-ipfire/build/include/config/CRYPTO_LIB_CHACHA
#lib/modules/KVER-ipfire/build/include/config/CRYPTO_LIB_CHACHA20POLY1305
@@ -15730,7 +15731,6 @@ etc/modprobe.d/ipv6.conf
#lib/modules/KVER-ipfire/build/include/trace/events/qdisc.h
#lib/modules/KVER-ipfire/build/include/trace/events/qla.h
#lib/modules/KVER-ipfire/build/include/trace/events/qrtr.h
-#lib/modules/KVER-ipfire/build/include/trace/events/random.h
#lib/modules/KVER-ipfire/build/include/trace/events/rcu.h
#lib/modules/KVER-ipfire/build/include/trace/events/rdma.h
#lib/modules/KVER-ipfire/build/include/trace/events/rdma_core.h
@@ -21621,8 +21621,6 @@ lib/modules/KVER-ipfire/kernel
#lib/modules/KVER-ipfire/kernel/lib/crc8.ko.xz
#lib/modules/KVER-ipfire/kernel/lib/crypto
#lib/modules/KVER-ipfire/kernel/lib/crypto/libarc4.ko.xz
-#lib/modules/KVER-ipfire/kernel/lib/crypto/libblake2s-generic.ko.xz
-#lib/modules/KVER-ipfire/kernel/lib/crypto/libblake2s.ko.xz
#lib/modules/KVER-ipfire/kernel/lib/crypto/libchacha.ko.xz
#lib/modules/KVER-ipfire/kernel/lib/crypto/libchacha20poly1305.ko.xz
#lib/modules/KVER-ipfire/kernel/lib/crypto/libcurve25519-generic.ko.xz
diff --git a/config/rootfiles/core/169/filelists/aarch64/linux b/config/rootfiles/core/169/filelists/aarch64/linux
new file mode 120000
index 000000000..3a2532bc7
--- /dev/null
+++ b/config/rootfiles/core/169/filelists/aarch64/linux
@@ -0,0 +1 @@
+../../../../common/aarch64/linux
\ No newline at end of file
diff --git a/config/rootfiles/core/169/filelists/armv6l/linux b/config/rootfiles/core/169/filelists/armv6l/linux
new file mode 120000
index 000000000..aee1f4d73
--- /dev/null
+++ b/config/rootfiles/core/169/filelists/armv6l/linux
@@ -0,0 +1 @@
+../../../../common/armv6l/linux
\ No newline at end of file
diff --git a/config/rootfiles/core/169/filelists/files b/config/rootfiles/core/169/filelists/files
index 0eee92b92..5bc109be4 100644
--- a/config/rootfiles/core/169/filelists/files
+++ b/config/rootfiles/core/169/filelists/files
@@ -3,6 +3,8 @@ etc/rc.d/helper/azure-setup
etc/rc.d/helper/aws-setup
etc/rc.d/helper/exoscale-setup
etc/rc.d/helper/gcp-setup
+etc/rc.d/init.d/localnet
+etc/sysctl.conf
opt/pakfire/etc/pakfire.conf
srv/web/ipfire/cgi-bin/ovpnmain.cgi
srv/web/ipfire/html/themes/ipfire/include/functions.pl
diff --git a/config/rootfiles/core/169/filelists/x86_64/linux b/config/rootfiles/core/169/filelists/x86_64/linux
new file mode 120000
index 000000000..0615b5b9a
--- /dev/null
+++ b/config/rootfiles/core/169/filelists/x86_64/linux
@@ -0,0 +1 @@
+../../../../common/x86_64/linux
\ No newline at end of file
diff --git a/config/rootfiles/core/169/update.sh b/config/rootfiles/core/169/update.sh
index ca50723cb..ad118cdf9 100644
--- a/config/rootfiles/core/169/update.sh
+++ b/config/rootfiles/core/169/update.sh
@@ -26,6 +26,18 @@
core=169
+exit_with_error() {
+ # Set last succesfull installed core.
+ echo $(($core-1)) > /opt/pakfire/db/core/mine
+ # force fsck at next boot, this may fix free space on xfs
+ touch /forcefsck
+ # don't start pakfire again at error
+ killall -KILL pak_update
+ /usr/bin/logger -p syslog.emerg -t ipfire \
+ "core-update-${core}: $1"
+ exit $2
+}
+
# Remove old core updates from pakfire cache to save space...
for (( i=1; i<=$core; i++ )); do
rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire
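Review bot: exit_with_error ends with an unquoted "exit $2", so a call that omits the second argument exits with the status of the preceding logger command, which can be 0 and would report a failed update as success. Use a default such as exit "${2:-1}". Minor: the comment "Set last succesfull installed core." should read "successfully".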
@@ -36,6 +48,44 @@ done
/etc/init.d/squid stop
/etc/init.d/apache stop
+KVER="xxxKVERxxx"
+
+# Backup uEnv.txt if exist
+if [ -e /boot/uEnv.txt ]; then
+ cp -vf /boot/uEnv.txt /boot/uEnv.txt.org
+fi
+
+# Do some sanity checks prior to the kernel update
+case $(uname -r) in
+ *-ipfire*)
+ # Ok.
+ ;;
+ *)
+ exit_with_error "ERROR cannot update. No IPFire Kernel." 1
+ ;;
+esac
+
+# Check diskspace on root
+ROOTSPACE=`df / -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1`
+
+if [ $ROOTSPACE -lt 100000 ]; then
+ exit_with_error "ERROR cannot update because not enough free space on root." 2
+ exit 2
+fi
+
+# Remove the old kernel
+rm -rvf \
+ /boot/System.map-* \
+ /boot/config-* \
+ /boot/ipfirerd-* \
+ /boot/initramfs-* \
+ /boot/vmlinuz-* \
+ /boot/uImage-* \
+ /boot/zImage-* \
+ /boot/uInit-* \
+ /boot/dtb-* \
+ /lib/modules
+
# Remove files
rm -rvf \
/lib/libxtables.so.12.4.0 \
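Review bot: The free-space test "[ $ROOTSPACE -lt 100000 ]" uses an unquoted, unvalidated value: if the df/sed/cut pipeline produces an empty or non-numeric string, the test itself errors out, the if body is skipped, and the script goes on to the rm -rvf that deletes the installed kernel and /lib/modules. Quote the variable and treat a non-numeric result as a failure via exit_with_error. The "exit 2" after the exit_with_error call is unreachable, because the function already exits.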
@@ -61,6 +111,9 @@ ldconfig
# Filesytem cleanup
/usr/local/bin/filesystem-cleanup
+# Apply sysctl changes
+/etc/init.d/sysctl start
+
# Start services
telinit u
/etc/init.d/firewall restart
@@ -75,6 +128,20 @@ touch /var/run/need_reboot
/etc/init.d/fireinfo start
sendprofile
+# remove lm_sensor config after collectd was started
+# to reserch sensors at next boot with updated kernel
+rm -f /etc/sysconfig/lm_sensors
+
+# Upadate Kernel version in uEnv.txt
+if [ -e /boot/uEnv.txt ]; then
+ sed -i -e "s/KVER=.*/KVER=${KVER}/g" /boot/uEnv.txt
+fi
+
+# Call user update script (needed for some ARM boards)
+if [ -e /boot/pakfire-kernel-update ]; then
+ /boot/pakfire-kernel-update ${KVER}
+fi
+
# Update grub config to display new core version
if [ -e /boot/grub/grub.cfg ]; then
grub-mkconfig -o /boot/grub/grub.cfg
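Review bot: "/boot/pakfire-kernel-update ${KVER}" executes a file directly from /boot, while the lfs/flash-images change in this same push mounts /boot with noexec on new flash images; on such a system the call fails with a permission error and the user hook is silently skipped. Decide how the hook is meant to run on a noexec /boot and document it, test with -x instead of -e if direct execution stays, and quote "${KVER}". The comments also contain the typos "reserch" and "Upadate".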
diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
index 9d5e840dd..012beab54 100644
--- a/config/unbound/unbound.conf
+++ b/config/unbound/unbound.conf
@@ -39,7 +39,6 @@ server:
# Hardening Options
harden-large-queries: yes
harden-referral-path: yes
- aggressive-nsec: yes
# TLS
tls-cert-bundle: /etc/ssl/certs/ca-bundle.crt
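Review bot: Removing "aggressive-nsec: yes" from the Hardening Options block makes this behaviour depend on the upstream default, which according to the commit message only holds from Unbound 1.15.0 on. Nothing in this push shows which Unbound version is shipped; consider keeping the explicit line, or leaving a comment in the block stating the version requirement, so the setting stays visible to anyone auditing the configuration.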
diff --git a/lfs/flash-images b/lfs/flash-images
index 3cf81fb6d..8a033c310 100644
--- a/lfs/flash-images
+++ b/lfs/flash-images
@@ -1,7 +1,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2021 IPFire Team <info(a)ipfire.org> #
+# Copyright (C) 2007-2022 IPFire Team <info(a)ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -167,7 +167,7 @@ endif
# Create /etc/fstab
printf "$(FSTAB_FMT)" "$$(blkid -o value -s UUID $(PART_BOOT))" "/boot" \
- "auto" "defaults" 1 2 > $(MNThdd)/etc/fstab
+ "auto" "defaults,nodev,noexec,nosuid" 1 2 > $(MNThdd)/etc/fstab
ifeq "$(EFI)" "1"
printf "$(FSTAB_FMT)" "$$(blkid -o value -s UUID $(PART_EFI))" "/boot/efi" \
"auto" "defaults" 1 2 >> $(MNThdd)/etc/fstab
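Review bot: Only the /boot entry gets "defaults,nodev,noexec,nosuid"; the /boot/efi entry in the context lines just below still uses plain "defaults". If the hardening is intended for the whole boot area, apply the same options there, or add a comment saying why the EFI partition is left out. Note also that this only affects newly written flash images; nothing in this push changes /etc/fstab on systems that are already installed.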
diff --git a/lfs/linux b/lfs/linux
index d9637ef94..df3b348d4 100644
--- a/lfs/linux
+++ b/lfs/linux
@@ -24,7 +24,7 @@
include Config
-VER = 5.15.35
+VER = 5.15.46
ARM_PATCHES = 5.15-ipfire5
THISAPP = linux-$(VER)
@@ -78,7 +78,7 @@ objects =$(DL_FILE) \
$(DL_FILE) = $(URL_IPFIRE)/$(DL_FILE)
arm-multi-patches-$(ARM_PATCHES).patch.xz = $(URL_IPFIRE)/arm-multi-patches-$(ARM_PATCHES).patch.xz
-$(DL_FILE)_BLAKE2 = 15f1af609ae4a233dc6bdae84c1231c2335be6320ddbb9a5d76c7983498a9ca72c13b55cc1408dac477f707fb84df99435994c1a7eeb91396481c2f7b11ecc2e
+$(DL_FILE)_BLAKE2 = 26fdc4bbed153f7a5a511b7c1a804f794dd6e4b8b44d0317a4cad304b2c824183fd6054b7ca94f22b3e49e22a13ec9dbd24373b628b01bdcdb5392eafe6b3dbe
arm-multi-patches-$(ARM_PATCHES).patch.xz_BLAKE2 = 58a70e757a9121a0aac83604a37aa787ec7ac0ee4970c5a3ac3bcb2dbaca32b00089cae6c0da5cf2fe0a2e156427b5165c6a86e0371a3e896f4c7cdd699c34a0
install : $(TARGET)
@@ -116,7 +116,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
ln -svf linux-$(VER) $(DIR_SRC)/linux
# Layer7-patch
- cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-5.15.17-layer7.patch
+ cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-5.15.46-layer7.patch
# DVB Patches
cd $(DIR_APP) && patch -Np2 < $(DIR_SRC)/src/patches/v4l-dvb_fix_tua6034_pll.patch
diff --git a/src/initscripts/system/localnet b/src/initscripts/system/localnet
index f260a1f29..ffa05e397 100644
--- a/src/initscripts/system/localnet
+++ b/src/initscripts/system/localnet
@@ -26,7 +26,7 @@ write_resolv_conf() {
(
[ -n "${DOMAINNAME}" ] && echo "search ${DOMAINNAME}"
echo "nameserver 127.0.0.1"
- echo "options trust-ad"
+ echo "options edns0 trust-ad"
) > /etc/resolv.conf
}
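Review bot: The changed line adds "edns0" with no comment in write_resolv_conf() explaining why; a one-line comment would help, since the only nameserver written is 127.0.0.1 and the option therefore affects just the queries from the local stub resolver to the local resolver. The commit message cites RFC 2671, which has been obsoleted by RFC 6891; a comment should reference the current RFC.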
diff --git a/src/patches/linux/linux-5.15.17-layer7.patch b/src/patches/linux/linux-5.15.46-layer7.patch
similarity index 94%
rename from src/patches/linux/linux-5.15.17-layer7.patch
rename to src/patches/linux/linux-5.15.46-layer7.patch
index 0dafa16c7..d6b46142c 100644
--- a/src/patches/linux/linux-5.15.17-layer7.patch
+++ b/src/patches/linux/linux-5.15.46-layer7.patch
@@ -1,6 +1,6 @@
-diff -Naur a/include/linux/skbuff.h b/include/linux/skbuff.h
---- a/include/linux/skbuff.h 2022-01-27 10:05:44.000000000 +0000
-+++ b/include/linux/skbuff.h 2022-01-29 08:04:32.984637671 +0000
+diff -Naur linux-5.15.46.orig/include/linux/skbuff.h linux-5.15.46/include/linux/skbuff.h
+--- linux-5.15.46.orig/include/linux/skbuff.h 2022-06-11 14:51:47.639775333 +0000
++++ linux-5.15.46/include/linux/skbuff.h 2022-06-11 14:53:07.977494189 +0000
@@ -772,6 +772,9 @@
#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
unsigned long _nfct;
@@ -11,10 +11,10 @@ diff -Naur a/include/linux/skbuff.h b/include/linux/skbuff.h
unsigned int len,
data_len;
__u16 mac_len,
-diff -Naur a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
---- a/include/net/netfilter/nf_conntrack.h 2022-01-27 10:05:44.000000000 +0000
-+++ b/include/net/netfilter/nf_conntrack.h 2022-01-29 08:04:32.984637671 +0000
-@@ -117,6 +117,23 @@
+diff -Naur linux-5.15.46.orig/include/net/netfilter/nf_conntrack.h linux-5.15.46/include/net/netfilter/nf_conntrack.h
+--- linux-5.15.46.orig/include/net/netfilter/nf_conntrack.h 2022-06-11 14:51:48.471834543 +0000
++++ linux-5.15.46/include/net/netfilter/nf_conntrack.h 2022-06-11 14:53:07.977494189 +0000
+@@ -119,6 +119,23 @@
/* Extensions */
struct nf_ct_ext *ext;
@@ -38,9 +38,9 @@ diff -Naur a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_con
/* Storage reserved for other modules, must be the last member */
union nf_conntrack_proto proto;
};
-diff -Naur a/include/uapi/linux/netfilter/xt_layer7.h b/include/uapi/linux/netfilter/xt_layer7.h
---- a/include/uapi/linux/netfilter/xt_layer7.h 1970-01-01 00:00:00.000000000 +0000
-+++ b/include/uapi/linux/netfilter/xt_layer7.h 2022-01-29 08:04:32.984637671 +0000
+diff -Naur linux-5.15.46.orig/include/uapi/linux/netfilter/xt_layer7.h linux-5.15.46/include/uapi/linux/netfilter/xt_layer7.h
+--- linux-5.15.46.orig/include/uapi/linux/netfilter/xt_layer7.h 1970-01-01 00:00:00.000000000 +0000
++++ linux-5.15.46/include/uapi/linux/netfilter/xt_layer7.h 2022-06-11 14:53:07.977494189 +0000
@@ -0,0 +1,13 @@
+#ifndef _XT_LAYER7_H
+#define _XT_LAYER7_H
@@ -55,9 +55,9 @@ diff -Naur a/include/uapi/linux/netfilter/xt_layer7.h b/include/uapi/linux/netfi
+};
+
+#endif /* _XT_LAYER7_H */
-diff -Naur a/net/netfilter/Kconfig b/net/netfilter/Kconfig
---- a/net/netfilter/Kconfig 2022-01-27 10:05:44.000000000 +0000
-+++ b/net/netfilter/Kconfig 2022-01-29 08:04:32.988637605 +0000
+diff -Naur linux-5.15.46.orig/net/netfilter/Kconfig linux-5.15.46/net/netfilter/Kconfig
+--- linux-5.15.46.orig/net/netfilter/Kconfig 2022-06-11 14:51:48.599843652 +0000
++++ linux-5.15.46/net/netfilter/Kconfig 2022-06-11 14:53:07.977494189 +0000
@@ -1389,6 +1389,26 @@
To compile it as a module, choose M here. If unsure, say N.
@@ -85,9 +85,9 @@ diff -Naur a/net/netfilter/Kconfig b/net/netfilter/Kconfig
config NETFILTER_XT_MATCH_LENGTH
tristate '"length" match support'
depends on NETFILTER_ADVANCED
-diff -Naur a/net/netfilter/Makefile b/net/netfilter/Makefile
---- a/net/netfilter/Makefile 2022-01-27 10:05:44.000000000 +0000
-+++ b/net/netfilter/Makefile 2022-01-29 08:04:32.988637605 +0000
+diff -Naur linux-5.15.46.orig/net/netfilter/Makefile linux-5.15.46/net/netfilter/Makefile
+--- linux-5.15.46.orig/net/netfilter/Makefile 2022-06-11 14:51:48.599843652 +0000
++++ linux-5.15.46/net/netfilter/Makefile 2022-06-11 14:53:07.981494474 +0000
@@ -201,6 +201,7 @@
obj-$(CONFIG_NETFILTER_XT_MATCH_SCTP) += xt_sctp.o
obj-$(CONFIG_NETFILTER_XT_MATCH_SOCKET) += xt_socket.o
@@ -96,10 +96,10 @@ diff -Naur a/net/netfilter/Makefile b/net/netfilter/Makefile
obj-$(CONFIG_NETFILTER_XT_MATCH_STATISTIC) += xt_statistic.o
obj-$(CONFIG_NETFILTER_XT_MATCH_STRING) += xt_string.o
obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += xt_tcpmss.o
-diff -Naur a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
---- a/net/netfilter/nf_conntrack_core.c 2022-01-27 10:05:44.000000000 +0000
-+++ b/net/netfilter/nf_conntrack_core.c 2022-01-29 08:04:32.992637539 +0000
-@@ -636,6 +636,11 @@
+diff -Naur linux-5.15.46.orig/net/netfilter/nf_conntrack_core.c linux-5.15.46/net/netfilter/nf_conntrack_core.c
+--- linux-5.15.46.orig/net/netfilter/nf_conntrack_core.c 2022-06-11 14:51:48.599843652 +0000
++++ linux-5.15.46/net/netfilter/nf_conntrack_core.c 2022-06-11 14:53:07.981494474 +0000
+@@ -648,6 +648,11 @@
*/
nf_ct_remove_expectations(ct);
@@ -111,24 +111,24 @@ diff -Naur a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core
nf_ct_del_from_dying_or_unconfirmed_list(ct);
local_bh_enable();
-diff -Naur a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
---- a/net/netfilter/nf_conntrack_standalone.c 2022-01-27 10:05:44.000000000 +0000
-+++ b/net/netfilter/nf_conntrack_standalone.c 2022-01-29 08:04:32.992637539 +0000
+diff -Naur linux-5.15.46.orig/net/netfilter/nf_conntrack_standalone.c linux-5.15.46/net/netfilter/nf_conntrack_standalone.c
+--- linux-5.15.46.orig/net/netfilter/nf_conntrack_standalone.c 2022-06-11 14:51:48.603843938 +0000
++++ linux-5.15.46/net/netfilter/nf_conntrack_standalone.c 2022-06-11 14:54:23.322859367 +0000
@@ -370,6 +370,11 @@
ct_show_zone(s, ct, NF_CT_DEFAULT_ZONE_DIR);
ct_show_delta_time(s, ct);
-+#if defined(CONFIG_NETFILTER_XT_MATCH_LAYER7) || defined(CONFIG_NETFILTER_XT_MATCH_LAYER7_MODULE)
++ #if defined(CONFIG_NETFILTER_XT_MATCH_LAYER7) || defined(CONFIG_NETFILTER_XT_MATCH_LAYER7_MODULE)
+ if(ct->layer7.app_proto)
+ seq_printf(s, "l7proto=%s ", ct->layer7.app_proto);
-+#endif
++ #endif
+
- seq_printf(s, "use=%u\n", atomic_read(&ct->ct_general.use));
+ seq_printf(s, "use=%u\n", refcount_read(&ct->ct_general.use));
if (seq_has_overflowed(s))
-diff -Naur a/net/netfilter/regexp/regexp.c b/net/netfilter/regexp/regexp.c
---- a/net/netfilter/regexp/regexp.c 1970-01-01 00:00:00.000000000 +0000
-+++ b/net/netfilter/regexp/regexp.c 2022-01-29 08:04:32.992637539 +0000
+diff -Naur linux-5.15.46.orig/net/netfilter/regexp/regexp.c linux-5.15.46/net/netfilter/regexp/regexp.c
+--- linux-5.15.46.orig/net/netfilter/regexp/regexp.c 1970-01-01 00:00:00.000000000 +0000
++++ linux-5.15.46/net/netfilter/regexp/regexp.c 2022-06-11 14:53:07.985494758 +0000
@@ -0,0 +1,1197 @@
+/*
+ * regcomp and regexec -- regsub and regerror are elsewhere
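Review bot: In the nf_conntrack_standalone.c part of this hunk, the added "#if defined(CONFIG_NETFILTER_XT_MATCH_LAYER7) ..." and "#endif" lines are now indented, whereas the lines they replace started at column 0. This looks like an unintended whitespace change from regenerating the patch; keep the preprocessor directives unindented so the layer7 patch stays consistent with the surrounding kernel code and with earlier revisions of the patch.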
@@ -1327,9 +1327,9 @@ diff -Naur a/net/netfilter/regexp/regexp.c b/net/netfilter/regexp/regexp.c
+#endif
+
+
-diff -Naur a/net/netfilter/regexp/regexp.h b/net/netfilter/regexp/regexp.h
---- a/net/netfilter/regexp/regexp.h 1970-01-01 00:00:00.000000000 +0000
-+++ b/net/netfilter/regexp/regexp.h 2022-01-29 08:04:32.992637539 +0000
+diff -Naur linux-5.15.46.orig/net/netfilter/regexp/regexp.h linux-5.15.46/net/netfilter/regexp/regexp.h
+--- linux-5.15.46.orig/net/netfilter/regexp/regexp.h 1970-01-01 00:00:00.000000000 +0000
++++ linux-5.15.46/net/netfilter/regexp/regexp.h 2022-06-11 14:53:07.985494758 +0000
@@ -0,0 +1,41 @@
+/*
+ * Definitions etc. for regexp(3) routines.
@@ -1372,18 +1372,18 @@ diff -Naur a/net/netfilter/regexp/regexp.h b/net/netfilter/regexp/regexp.h
+void regerror(char *s);
+
+#endif
-diff -Naur a/net/netfilter/regexp/regmagic.h b/net/netfilter/regexp/regmagic.h
---- a/net/netfilter/regexp/regmagic.h 1970-01-01 00:00:00.000000000 +0000
-+++ b/net/netfilter/regexp/regmagic.h 2022-01-29 08:04:32.992637539 +0000
+diff -Naur linux-5.15.46.orig/net/netfilter/regexp/regmagic.h linux-5.15.46/net/netfilter/regexp/regmagic.h
+--- linux-5.15.46.orig/net/netfilter/regexp/regmagic.h 1970-01-01 00:00:00.000000000 +0000
++++ linux-5.15.46/net/netfilter/regexp/regmagic.h 2022-06-11 14:53:07.985494758 +0000
@@ -0,0 +1,5 @@
+/*
+ * The first byte of the regexp internal "program" is actually this magic
+ * number; the start node begins in the second byte.
+ */
+#define MAGIC 0234
-diff -Naur a/net/netfilter/regexp/regsub.c b/net/netfilter/regexp/regsub.c
---- a/net/netfilter/regexp/regsub.c 1970-01-01 00:00:00.000000000 +0000
-+++ b/net/netfilter/regexp/regsub.c 2022-01-29 08:04:32.992637539 +0000
+diff -Naur linux-5.15.46.orig/net/netfilter/regexp/regsub.c linux-5.15.46/net/netfilter/regexp/regsub.c
+--- linux-5.15.46.orig/net/netfilter/regexp/regsub.c 1970-01-01 00:00:00.000000000 +0000
++++ linux-5.15.46/net/netfilter/regexp/regsub.c 2022-06-11 14:53:07.985494758 +0000
@@ -0,0 +1,95 @@
+/*
+ * regsub
@@ -1480,9 +1480,9 @@ diff -Naur a/net/netfilter/regexp/regsub.c b/net/netfilter/regexp/regsub.c
+ }
+ *dst++ = '\0';
+}
-diff -Naur a/net/netfilter/xt_layer7.c b/net/netfilter/xt_layer7.c
---- a/net/netfilter/xt_layer7.c 1970-01-01 00:00:00.000000000 +0000
-+++ b/net/netfilter/xt_layer7.c 2022-01-29 08:04:32.992637539 +0000
+diff -Naur linux-5.15.46.orig/net/netfilter/xt_layer7.c linux-5.15.46/net/netfilter/xt_layer7.c
+--- linux-5.15.46.orig/net/netfilter/xt_layer7.c 1970-01-01 00:00:00.000000000 +0000
++++ linux-5.15.46/net/netfilter/xt_layer7.c 2022-06-11 14:53:07.985494758 +0000
@@ -0,0 +1,666 @@
+/*
+ Kernel module to match application layer (OSI layer 7) data in connections.
hooks/post-receive
--
IPFire 2.x development tree