From mboxrd@z Thu Jan 1 00:00:00 1970
From: Peter Müller
To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 80745fb58f832ce4cd7476ab9d7aaf96dd8c8203
Date: Mon, 13 Jun 2022 15:50:41 +0000
Message-ID: <4LMGHk1XFBz2xf4@people01.haj.ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============1756995330409321470=="
List-Id:

--===============1756995330409321470==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated
       via  80745fb58f832ce4cd7476ab9d7aaf96dd8c8203 (commit)
       via  0360d235c8c4ab2d672b40d745c1b1dc14becadb (commit)
       via  84d6e931508cf0c2b31a0b1b7923d6bda84414c2 (commit)
       via  d90b39982baff221ff52ac97cdc9acb1f29e3d82 (commit)
       via  cf7f5004ac116d90be07e4da36887efc8ef69552 (commit)
       via  b41631c1904690c3a6075dc5572a24f39aee2dd4 (commit)
       via  17aaad5d968e8486dc83cd65cddb1cc1a7ff5211 (commit)
       via  1fad035a1f20771740faf0dd5e0802d779370b94 (commit)
       via  883e29630cb1f5b16c8508b585c32d7f54a86e1a (commit)
       via  9b28e9d02be9c0e0c488434cfd731d47bb227838 (commit)
       via  db8639bbfa41f34fcc33345648d3100ac5da001d (commit)
      from  0d84103c04f67d913ee5cd0187f49ab178fb33e1 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 80745fb58f832ce4cd7476ab9d7aaf96dd8c8203
Author: Peter Müller
Date:   Tue Jun 7 20:22:30 2022 +0000

    unbound.conf: Aggressive NSEC is enabled by default since Unbound 1.15.0

    Signed-off-by: Peter Müller

commit 0360d235c8c4ab2d672b40d745c1b1dc14becadb
Author: Peter Müller
Date:   Mon Jun 13 15:49:40 2022 +0000

    Core Update 169: Ship and apply sysctl changes

    Signed-off-by: Peter Müller

commit 84d6e931508cf0c2b31a0b1b7923d6bda84414c2
Author: Peter Müller
Date:   Tue Jun 7 20:09:07 2022 +0000

    sysctl: For the sake of completeness, do not accept IPv6 redirects

    While IPFire 2.x' web interface does not support IPv6, users can
    technically run it with IPv6 by conducting the necessary configuration
    changes manually.

    To provide these systems as well, we should disable acceptance of ICMPv6
    redirect packets - which is apparently not default in Linux, yet. :-/

    Signed-off-by: Peter Müller
    Reviewed-by: Michael Tremer

commit d90b39982baff221ff52ac97cdc9acb1f29e3d82
Author: Peter Müller
Date:   Mon Jun 13 15:48:13 2022 +0000

    Core Update 169: Ship localnet initscript

    Signed-off-by: Peter Müller

commit cf7f5004ac116d90be07e4da36887efc8ef69552
Author: Peter Müller
Date:   Tue Jun 7 19:31:57 2022 +0000

    localnet: Add "edns0" to /etc/resolv.conf options for RFC 2671 support

    Signed-off-by: Peter Müller
    Reviewed-by: Michael Tremer

commit b41631c1904690c3a6075dc5572a24f39aee2dd4
Author: Peter Müller
Date:   Mon Jun 13 15:46:50 2022 +0000

    Core Update 169: Ship and apply updated Linux kernel

    Signed-off-by: Peter Müller

commit 17aaad5d968e8486dc83cd65cddb1cc1a7ff5211
Author: Peter Müller
Date:   Sat Jun 11 06:47:49 2022 +0000

    flash-images: Harden mount options of /boot

    Signed-off-by: Peter Müller
    Reviewed-by: Michael Tremer

commit 1fad035a1f20771740faf0dd5e0802d779370b94
Author: Peter Müller
Date:   Sat Jun 11 18:42:08 2022 +0000

    Kernel: Mitigate Straight-Line-Speculation on x86_64

    See https://lwn.net/Articles/877845/ for the rationale behind this. The
    feature is currently only available on the x86_64 platform.

    Signed-off-by: Peter Müller
    Reviewed-by: Michael Tremer

commit 883e29630cb1f5b16c8508b585c32d7f54a86e1a
Author: Peter Müller
Date:   Sat Jun 11 18:47:31 2022 +0000

    Kernel: Disable support for RPC dprintk debugging

    This is solely needed for debugging of NFS issues. Due to the attack
    surface it introduces, grsecurity recommends disabling it; as we do not
    have a strict necessity for this feature, it is best to follow that
    recommendation for security reasons.

    Signed-off-by: Peter Müller
    Reviewed-by: Michael Tremer

commit 9b28e9d02be9c0e0c488434cfd731d47bb227838
Author: Peter Müller
Date:   Sat Jun 11 18:53:10 2022 +0000

    Kernel: Enable YAMA support

    See https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html for
    the upstream rationale. Enabling YAMA gives us the benefit of additional
    hardening options available, without any obvious downsides.

    Signed-off-by: Peter Müller
    Reviewed-by: Michael Tremer

commit db8639bbfa41f34fcc33345648d3100ac5da001d
Author: Peter Müller
Date:   Sat Jun 11 18:13:57 2022 +0000

    linux: Update to 5.15.46

    Please refer to https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.46
    for the changelog of this version.

    Due to operational constraints, ARM rootfile changes are simulated.

    Signed-off-by: Peter Müller
    Reviewed-by: Michael Tremer

-----------------------------------------------------------------------

Summary of changes:
 config/etc/sysctl.conf                              |  4 ++
 config/kernel/kernel.config.aarch64-ipfire          |  5 +-
 config/kernel/kernel.config.armv6l-ipfire           |  5 +-
 config/kernel/kernel.config.riscv64-ipfire          |  5 +-
 config/kernel/kernel.config.x86_64-ipfire           |  7 +-
 config/rootfiles/common/aarch64/linux               |  5 +-
 config/rootfiles/common/armv6l/linux                |  4 +-
 config/rootfiles/common/x86_64/linux                |  6 +-
 .../124 => core/169}/filelists/aarch64/linux        |  0
 .../159 => core/169}/filelists/armv6l/linux         |  0
 config/rootfiles/core/169/filelists/files           |  2 +
 .../100 => core/169}/filelists/x86_64/linux         |  0
 config/rootfiles/core/169/update.sh                 | 67 ++++++++++++++++++
 config/unbound/unbound.conf                         |  1 -
 lfs/flash-images                                    |  4 +-
 lfs/linux                                           |  6 +-
 src/initscripts/system/localnet                     |  2 +-
 ....17-layer7.patch => linux-5.15.46-layer7.patch}  | 82 +++++++++++----------
 18 files changed, 134 insertions(+), 71 deletions(-)
 copy config/rootfiles/{oldcore/124 => core/169}/filelists/aarch64/linux (100%)
 copy config/rootfiles/{oldcore/159 => core/169}/filelists/armv6l/linux (100%)
 copy config/rootfiles/{oldcore/100 => core/169}/filelists/x86_64/linux (100%)
 rename src/patches/linux/{linux-5.15.17-layer7.patch => linux-5.15.46-layer7.patch} (94%)

Difference in files:
diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf index 7fe397bb7..6bf3bc887 100644 --- a/config/etc/sysctl.conf +++ b/config/etc/sysctl.conf @@ -31,6 +31,10 @@ vm.min_free_kbytes =3D 8192 net.ipv6.conf.all.disable_ipv6 =3D 1 net.ipv6.conf.default.disable_ipv6 =3D 1 =20 +# However, enable some IPv6 hardening sysctl's in case this system is run cu= stomly _with_ IPv6. +net.ipv6.conf.all.accept_redirects =3D 0 +net.ipv6.conf.default.accept_redirects =3D 0 + # Enable netfilter accounting net.netfilter.nf_conntrack_acct =3D 1 =20 
diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kerne= l.config.aarch64-ipfire index 6dfeae595..f2bdf2a3d 100644 --- a/config/kernel/kernel.config.aarch64-ipfire +++ b/config/kernel/kernel.config.aarch64-ipfire @@ -7433,7 +7433,6 @@ CONFIG_NFS_V4_SECURITY_LABEL=3Dy CONFIG_NFS_FSCACHE=3Dy # CONFIG_NFS_USE_LEGACY_DNS is not set CONFIG_NFS_USE_KERNEL_DNS=3Dy -CONFIG_NFS_DEBUG=3Dy CONFIG_NFS_DISABLE_UDP_SUPPORT=3Dy # CONFIG_NFS_V4_2_READ_PLUS is not set CONFIG_NFSD=3Dm @@ -7457,7 +7456,7 @@ CONFIG_SUNRPC_GSS=3Dm CONFIG_SUNRPC_BACKCHANNEL=3Dy CONFIG_RPCSEC_GSS_KRB5=3Dm # CONFIG_SUNRPC_DISABLE_INSECURE_ENCTYPES is not set -CONFIG_SUNRPC_DEBUG=3Dy +# CONFIG_SUNRPC_DEBUG is not set # CONFIG_CEPH_FS is not set CONFIG_CIFS=3Dm # CONFIG_CIFS_STATS2 is not set @@ -7555,7 +7554,7 @@ CONFIG_FORTIFY_SOURCE=3Dy # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set # CONFIG_SECURITY_LOADPIN is not set -# CONFIG_SECURITY_YAMA is not set +CONFIG_SECURITY_YAMA=3Dy # CONFIG_SECURITY_SAFESETID is not set CONFIG_SECURITY_LOCKDOWN_LSM=3Dy CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=3Dy diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel= .config.armv6l-ipfire index 1bb745a87..3fb7b98a2 100644 --- a/config/kernel/kernel.config.armv6l-ipfire +++ b/config/kernel/kernel.config.armv6l-ipfire @@ -7439,7 +7439,6 @@ CONFIG_NFS_V4_SECURITY_LABEL=3Dy CONFIG_NFS_FSCACHE=3Dy # CONFIG_NFS_USE_LEGACY_DNS is not set CONFIG_NFS_USE_KERNEL_DNS=3Dy -CONFIG_NFS_DEBUG=3Dy CONFIG_NFS_DISABLE_UDP_SUPPORT=3Dy # CONFIG_NFS_V4_2_READ_PLUS is not set CONFIG_NFSD=3Dm @@ -7463,7 +7462,7 @@ CONFIG_SUNRPC_GSS=3Dm CONFIG_SUNRPC_BACKCHANNEL=3Dy CONFIG_RPCSEC_GSS_KRB5=3Dm # CONFIG_SUNRPC_DISABLE_INSECURE_ENCTYPES is not set -CONFIG_SUNRPC_DEBUG=3Dy +# CONFIG_SUNRPC_DEBUG is not set # CONFIG_CEPH_FS is not set CONFIG_CIFS=3Dm # CONFIG_CIFS_STATS2 is not set 
@@ -7561,7 +7560,7 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=3Dy # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set # CONFIG_SECURITY_LOADPIN is not set -# CONFIG_SECURITY_YAMA is not set +CONFIG_SECURITY_YAMA=3Dy # CONFIG_SECURITY_SAFESETID is not set CONFIG_SECURITY_LOCKDOWN_LSM=3Dy CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=3Dy diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kerne= l.config.riscv64-ipfire index 2d1fdbd28..f1364d143 100644 --- a/config/kernel/kernel.config.riscv64-ipfire +++ b/config/kernel/kernel.config.riscv64-ipfire @@ -6071,7 +6071,6 @@ CONFIG_NFS_V4_SECURITY_LABEL=3Dy CONFIG_NFS_FSCACHE=3Dy # CONFIG_NFS_USE_LEGACY_DNS is not set CONFIG_NFS_USE_KERNEL_DNS=3Dy -CONFIG_NFS_DEBUG=3Dy CONFIG_NFS_DISABLE_UDP_SUPPORT=3Dy CONFIG_NFS_V4_2_READ_PLUS=3Dy CONFIG_NFSD=3Dm @@ -6095,7 +6094,7 @@ CONFIG_SUNRPC_GSS=3Dm CONFIG_SUNRPC_BACKCHANNEL=3Dy CONFIG_RPCSEC_GSS_KRB5=3Dm # CONFIG_SUNRPC_DISABLE_INSECURE_ENCTYPES is not set -CONFIG_SUNRPC_DEBUG=3Dy +# CONFIG_SUNRPC_DEBUG is not set # CONFIG_CEPH_FS is not set CONFIG_CIFS=3Dm # CONFIG_CIFS_STATS2 is not set @@ -6193,7 +6192,7 @@ CONFIG_FORTIFY_SOURCE=3Dy # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set # CONFIG_SECURITY_LOADPIN is not set -# CONFIG_SECURITY_YAMA is not set +CONFIG_SECURITY_YAMA=3Dy # CONFIG_SECURITY_SAFESETID is not set CONFIG_SECURITY_LOCKDOWN_LSM=3Dy CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=3Dy diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel= .config.x86_64-ipfire index b84698235..68c6e7b34 100644 --- a/config/kernel/kernel.config.x86_64-ipfire +++ b/config/kernel/kernel.config.x86_64-ipfire @@ -322,6 +322,8 @@ CONFIG_X86_X2APIC=3Dy CONFIG_X86_MPPARSE=3Dy # CONFIG_GOLDFISH is not set CONFIG_RETPOLINE=3Dy +CONFIG_CC_HAS_SLS=3Dy +CONFIG_SLS=3Dy # CONFIG_X86_CPU_RESCTRL is not set CONFIG_X86_EXTENDED_PLATFORM=3Dy # CONFIG_X86_VSMP is not set 
@@ -6847,7 +6849,6 @@ CONFIG_NFS_V4_SECURITY_LABEL=3Dy CONFIG_NFS_FSCACHE=3Dy # CONFIG_NFS_USE_LEGACY_DNS is not set CONFIG_NFS_USE_KERNEL_DNS=3Dy -CONFIG_NFS_DEBUG=3Dy CONFIG_NFS_DISABLE_UDP_SUPPORT=3Dy CONFIG_NFS_V4_2_READ_PLUS=3Dy CONFIG_NFSD=3Dm @@ -6871,7 +6872,7 @@ CONFIG_SUNRPC_GSS=3Dm CONFIG_SUNRPC_BACKCHANNEL=3Dy CONFIG_RPCSEC_GSS_KRB5=3Dm # CONFIG_SUNRPC_DISABLE_INSECURE_ENCTYPES is not set -CONFIG_SUNRPC_DEBUG=3Dy +# CONFIG_SUNRPC_DEBUG is not set # CONFIG_CEPH_FS is not set CONFIG_CIFS=3Dm # CONFIG_CIFS_STATS2 is not set @@ -6971,7 +6972,7 @@ CONFIG_FORTIFY_SOURCE=3Dy # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set # CONFIG_SECURITY_LOADPIN is not set -# CONFIG_SECURITY_YAMA is not set +CONFIG_SECURITY_YAMA=3Dy # CONFIG_SECURITY_SAFESETID is not set CONFIG_SECURITY_LOCKDOWN_LSM=3Dy CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=3Dy diff --git a/config/rootfiles/common/aarch64/linux b/config/rootfiles/common/= aarch64/linux index a88af0a37..73177bd71 100644 --- a/config/rootfiles/common/aarch64/linux +++ b/config/rootfiles/common/aarch64/linux @@ -6878,6 +6878,7 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/CC_CAN_LINK #lib/modules/KVER-ipfire/build/include/config/CC_CAN_LINK_STATIC #lib/modules/KVER-ipfire/build/include/config/CC_HAS_ASM_GOTO +#lib/modules/KVER-ipfire/build/include/config/CC_HAS_ASM_GOTO_TIED_OUTPUT #lib/modules/KVER-ipfire/build/include/config/CC_HAS_ASM_GOTO_OUTPUT #lib/modules/KVER-ipfire/build/include/config/CC_HAS_ASM_INLINE #lib/modules/KVER-ipfire/build/include/config/CC_HAS_BRANCH_PROT_PAC_RET 
@@ -7107,7 +7108,6 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/CRYPTO_KPP2 #lib/modules/KVER-ipfire/build/include/config/CRYPTO_LIB_AES #lib/modules/KVER-ipfire/build/include/config/CRYPTO_LIB_ARC4 -#lib/modules/KVER-ipfire/build/include/config/CRYPTO_LIB_BLAKE2S #lib/modules/KVER-ipfire/build/include/config/CRYPTO_LIB_BLAKE2S_GENERIC #lib/modules/KVER-ipfire/build/include/config/CRYPTO_LIB_CHACHA #lib/modules/KVER-ipfire/build/include/config/CRYPTO_LIB_CHACHA20POLY1305 @@ -15293,7 +15293,6 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/trace/events/qdisc.h #lib/modules/KVER-ipfire/build/include/trace/events/qla.h #lib/modules/KVER-ipfire/build/include/trace/events/qrtr.h -#lib/modules/KVER-ipfire/build/include/trace/events/random.h #lib/modules/KVER-ipfire/build/include/trace/events/rcu.h #lib/modules/KVER-ipfire/build/include/trace/events/rdma.h #lib/modules/KVER-ipfire/build/include/trace/events/rdma_core.h @@ -20520,8 +20519,6 @@ lib/modules/KVER-ipfire/kernel #lib/modules/KVER-ipfire/kernel/lib/crc8.ko.xz #lib/modules/KVER-ipfire/kernel/lib/crypto #lib/modules/KVER-ipfire/kernel/lib/crypto/libarc4.ko.xz -#lib/modules/KVER-ipfire/kernel/lib/crypto/libblake2s-generic.ko.xz -#lib/modules/KVER-ipfire/kernel/lib/crypto/libblake2s.ko.xz #lib/modules/KVER-ipfire/kernel/lib/crypto/libchacha.ko.xz #lib/modules/KVER-ipfire/kernel/lib/crypto/libchacha20poly1305.ko.xz #lib/modules/KVER-ipfire/kernel/lib/crypto/libcurve25519-generic.ko.xz diff --git a/config/rootfiles/common/armv6l/linux b/config/rootfiles/common/a= rmv6l/linux index 11da0fb3c..e8e10463c 100644 --- a/config/rootfiles/common/armv6l/linux +++ b/config/rootfiles/common/armv6l/linux 
@@ -7317,6 +7317,7 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/CC_CAN_LINK #lib/modules/KVER-ipfire/build/include/config/CC_CAN_LINK_STATIC #lib/modules/KVER-ipfire/build/include/config/CC_HAS_ASM_GOTO +#lib/modules/KVER-ipfire/build/include/config/CC_HAS_ASM_GOTO_TIED_OUTPUT #lib/modules/KVER-ipfire/build/include/config/CC_HAS_ASM_GOTO_OUTPUT #lib/modules/KVER-ipfire/build/include/config/CC_HAS_ASM_INLINE #lib/modules/KVER-ipfire/build/include/config/CC_HAS_KASAN_GENERIC @@ -7569,7 +7570,6 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/CRYPTO_KPP2 #lib/modules/KVER-ipfire/build/include/config/CRYPTO_LIB_AES #lib/modules/KVER-ipfire/build/include/config/CRYPTO_LIB_ARC4 -#lib/modules/KVER-ipfire/build/include/config/CRYPTO_LIB_BLAKE2S #lib/modules/KVER-ipfire/build/include/config/CRYPTO_LIB_CHACHA #lib/modules/KVER-ipfire/build/include/config/CRYPTO_LIB_CHACHA20POLY1305 #lib/modules/KVER-ipfire/build/include/config/CRYPTO_LIB_CHACHA_GENERIC @@ -15743,7 +15743,6 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/trace/events/qdisc.h #lib/modules/KVER-ipfire/build/include/trace/events/qla.h #lib/modules/KVER-ipfire/build/include/trace/events/qrtr.h -#lib/modules/KVER-ipfire/build/include/trace/events/random.h #lib/modules/KVER-ipfire/build/include/trace/events/rcu.h #lib/modules/KVER-ipfire/build/include/trace/events/rdma.h #lib/modules/KVER-ipfire/build/include/trace/events/rdma_core.h @@ -20739,7 +20738,6 @@ lib/modules/KVER-ipfire/kernel #lib/modules/KVER-ipfire/kernel/lib/crc8.ko.xz #lib/modules/KVER-ipfire/kernel/lib/crypto #lib/modules/KVER-ipfire/kernel/lib/crypto/libarc4.ko.xz -#lib/modules/KVER-ipfire/kernel/lib/crypto/libblake2s.ko.xz #lib/modules/KVER-ipfire/kernel/lib/crypto/libchacha.ko.xz #lib/modules/KVER-ipfire/kernel/lib/crypto/libchacha20poly1305.ko.xz #lib/modules/KVER-ipfire/kernel/lib/crypto/libcurve25519-generic.ko.xz 
diff --git a/config/rootfiles/common/x86_64/linux b/config/rootfiles/common/x= 86_64/linux index a578435d3..04e636046 100644 --- a/config/rootfiles/common/x86_64/linux +++ b/config/rootfiles/common/x86_64/linux @@ -6780,12 +6780,14 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/CC_CAN_LINK_STATIC #lib/modules/KVER-ipfire/build/include/config/CC_HAS_ASM_GOTO #lib/modules/KVER-ipfire/build/include/config/CC_HAS_ASM_GOTO_OUTPUT +#lib/modules/KVER-ipfire/build/include/config/CC_HAS_ASM_GOTO_TIED_OUTPUT #lib/modules/KVER-ipfire/build/include/config/CC_HAS_ASM_INLINE #lib/modules/KVER-ipfire/build/include/config/CC_HAS_INT128 #lib/modules/KVER-ipfire/build/include/config/CC_HAS_KASAN_GENERIC #lib/modules/KVER-ipfire/build/include/config/CC_HAS_NO_PROFILE_FN_ATTR #lib/modules/KVER-ipfire/build/include/config/CC_HAS_SANCOV_TRACE_PC #lib/modules/KVER-ipfire/build/include/config/CC_HAS_SANE_STACKPROTECTOR +#lib/modules/KVER-ipfire/build/include/config/CC_HAS_SLS #lib/modules/KVER-ipfire/build/include/config/CC_HAS_WORKING_NOSANITIZE_ADDR= ESS #lib/modules/KVER-ipfire/build/include/config/CC_HAS_ZERO_CALL_USED_REGS #lib/modules/KVER-ipfire/build/include/config/CC_IS_GCC @@ -6999,7 +7001,6 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/CRYPTO_KPP2 #lib/modules/KVER-ipfire/build/include/config/CRYPTO_LIB_AES #lib/modules/KVER-ipfire/build/include/config/CRYPTO_LIB_ARC4 -#lib/modules/KVER-ipfire/build/include/config/CRYPTO_LIB_BLAKE2S #lib/modules/KVER-ipfire/build/include/config/CRYPTO_LIB_BLAKE2S_GENERIC #lib/modules/KVER-ipfire/build/include/config/CRYPTO_LIB_CHACHA #lib/modules/KVER-ipfire/build/include/config/CRYPTO_LIB_CHACHA20POLY1305 
@@ -15730,7 +15731,6 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/trace/events/qdisc.h #lib/modules/KVER-ipfire/build/include/trace/events/qla.h #lib/modules/KVER-ipfire/build/include/trace/events/qrtr.h -#lib/modules/KVER-ipfire/build/include/trace/events/random.h #lib/modules/KVER-ipfire/build/include/trace/events/rcu.h #lib/modules/KVER-ipfire/build/include/trace/events/rdma.h #lib/modules/KVER-ipfire/build/include/trace/events/rdma_core.h @@ -21621,8 +21621,6 @@ lib/modules/KVER-ipfire/kernel #lib/modules/KVER-ipfire/kernel/lib/crc8.ko.xz #lib/modules/KVER-ipfire/kernel/lib/crypto #lib/modules/KVER-ipfire/kernel/lib/crypto/libarc4.ko.xz -#lib/modules/KVER-ipfire/kernel/lib/crypto/libblake2s-generic.ko.xz -#lib/modules/KVER-ipfire/kernel/lib/crypto/libblake2s.ko.xz #lib/modules/KVER-ipfire/kernel/lib/crypto/libchacha.ko.xz #lib/modules/KVER-ipfire/kernel/lib/crypto/libchacha20poly1305.ko.xz #lib/modules/KVER-ipfire/kernel/lib/crypto/libcurve25519-generic.ko.xz diff --git a/config/rootfiles/core/169/filelists/aarch64/linux b/config/rootf= iles/core/169/filelists/aarch64/linux new file mode 120000 index 000000000..3a2532bc7 --- /dev/null +++ b/config/rootfiles/core/169/filelists/aarch64/linux @@ -0,0 +1 @@ +../../../../common/aarch64/linux \ No newline at end of file diff --git a/config/rootfiles/core/169/filelists/armv6l/linux b/config/rootfi= les/core/169/filelists/armv6l/linux new file mode 120000 index 000000000..aee1f4d73 --- /dev/null +++ b/config/rootfiles/core/169/filelists/armv6l/linux @@ -0,0 +1 @@ +../../../../common/armv6l/linux \ No newline at end of file diff --git a/config/rootfiles/core/169/filelists/files b/config/rootfiles/cor= e/169/filelists/files index 0eee92b92..5bc109be4 100644 --- a/config/rootfiles/core/169/filelists/files +++ b/config/rootfiles/core/169/filelists/files 
@@ -3,6 +3,8 @@ etc/rc.d/helper/azure-setup etc/rc.d/helper/aws-setup etc/rc.d/helper/exoscale-setup etc/rc.d/helper/gcp-setup +etc/rc.d/init.d/localnet +etc/sysctl.conf opt/pakfire/etc/pakfire.conf srv/web/ipfire/cgi-bin/ovpnmain.cgi srv/web/ipfire/html/themes/ipfire/include/functions.pl diff --git a/config/rootfiles/core/169/filelists/x86_64/linux b/config/rootfi= les/core/169/filelists/x86_64/linux new file mode 120000 index 000000000..0615b5b9a --- /dev/null +++ b/config/rootfiles/core/169/filelists/x86_64/linux @@ -0,0 +1 @@ +../../../../common/x86_64/linux \ No newline at end of file diff --git a/config/rootfiles/core/169/update.sh b/config/rootfiles/core/169/= update.sh index ca50723cb..ad118cdf9 100644 --- a/config/rootfiles/core/169/update.sh +++ b/config/rootfiles/core/169/update.sh @@ -26,6 +26,18 @@ =20 core=3D169 =20 +exit_with_error() { + # Set last succesfull installed core. + echo $(($core-1)) > /opt/pakfire/db/core/mine + # force fsck at next boot, this may fix free space on xfs + touch /forcefsck + # don't start pakfire again at error + killall -KILL pak_update + /usr/bin/logger -p syslog.emerg -t ipfire \ + "core-update-${core}: $1" + exit $2 +} + # Remove old core updates from pakfire cache to save space... for (( i=3D1; i<=3D$core; i++ )); do rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire 
@@ -36,6 +48,44 @@ done /etc/init.d/squid stop /etc/init.d/apache stop =20 +KVER=3D"xxxKVERxxx" + +# Backup uEnv.txt if exist +if [ -e /boot/uEnv.txt ]; then + cp -vf /boot/uEnv.txt /boot/uEnv.txt.org +fi + +# Do some sanity checks prior to the kernel update +case $(uname -r) in + *-ipfire*) + # Ok. + ;; + *) + exit_with_error "ERROR cannot update. No IPFire Kernel." 1 + ;; +esac + +# Check diskspace on root +ROOTSPACE=3D`df / -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1` + +if [ $ROOTSPACE -lt 100000 ]; then + exit_with_error "ERROR cannot update because not enough free space on ro= ot." 2 + exit 2 +fi + +# Remove the old kernel +rm -rvf \ + /boot/System.map-* \ + /boot/config-* \ + /boot/ipfirerd-* \ + /boot/initramfs-* \ + /boot/vmlinuz-* \ + /boot/uImage-* \ + /boot/zImage-* \ + /boot/uInit-* \ + /boot/dtb-* \ + /lib/modules + # Remove files rm -rvf \ /lib/libxtables.so.12.4.0 \ @@ -61,6 +111,9 @@ ldconfig # Filesytem cleanup /usr/local/bin/filesystem-cleanup =20 +# Apply sysctl changes +/etc/init.d/sysctl start + # Start services telinit u /etc/init.d/firewall restart @@ -75,6 +128,20 @@ touch /var/run/need_reboot /etc/init.d/fireinfo start sendprofile =20 +# remove lm_sensor config after collectd was started +# to reserch sensors at next boot with updated kernel +rm -f /etc/sysconfig/lm_sensors + +# Upadate Kernel version in uEnv.txt +if [ -e /boot/uEnv.txt ]; then + sed -i -e "s/KVER=3D.*/KVER=3D${KVER}/g" /boot/uEnv.txt +fi + +# Call user update script (needed for some ARM boards) +if [ -e /boot/pakfire-kernel-update ]; then + /boot/pakfire-kernel-update ${KVER} +fi + # Update grub config to display new core version if [ -e /boot/grub/grub.cfg ]; then grub-mkconfig -o /boot/grub/grub.cfg diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf index 9d5e840dd..012beab54 100644 --- a/config/unbound/unbound.conf +++ b/config/unbound/unbound.conf 
@@ -39,7 +39,6 @@ server: # Hardening Options harden-large-queries: yes harden-referral-path: yes - aggressive-nsec: yes =20 # TLS tls-cert-bundle: /etc/ssl/certs/ca-bundle.crt diff --git a/lfs/flash-images b/lfs/flash-images index 3cf81fb6d..8a033c310 100644 --- a/lfs/flash-images +++ b/lfs/flash-images @@ -1,7 +1,7 @@ ############################################################################= ### # = # # IPFire.org - A linux based firewall = # -# Copyright (C) 2007-2021 IPFire Team = # +# Copyright (C) 2007-2022 IPFire Team = # # = # # This program is free software: you can redistribute it and/or modify = # # it under the terms of the GNU General Public License as published by = # @@ -167,7 +167,7 @@ endif =20 # Create /etc/fstab printf "$(FSTAB_FMT)" "$$(blkid -o value -s UUID $(PART_BOOT))" "/boot" \ - "auto" "defaults" 1 2 > $(MNThdd)/etc/fstab + "auto" "defaults,nodev,noexec,nosuid" 1 2 > $(MNThdd)/etc/fstab ifeq "$(EFI)" "1" printf "$(FSTAB_FMT)" "$$(blkid -o value -s UUID $(PART_EFI))" "/boot/efi" \ "auto" "defaults" 1 2 >> $(MNThdd)/etc/fstab diff --git a/lfs/linux b/lfs/linux index d9637ef94..df3b348d4 100644 --- a/lfs/linux +++ b/lfs/linux @@ -24,7 +24,7 @@ =20 include Config =20 -VER =3D 5.15.35 +VER =3D 5.15.46 ARM_PATCHES =3D 5.15-ipfire5 =20 THISAPP =3D linux-$(VER) 
@@ -78,7 +78,7 @@ objects =3D$(DL_FILE) \ $(DL_FILE) =3D $(URL_IPFIRE)/$(DL_FILE) arm-multi-patches-$(ARM_PATCHES).patch.xz =3D $(URL_IPFIRE)/arm-multi-patche= s-$(ARM_PATCHES).patch.xz =20 -$(DL_FILE)_BLAKE2 =3D 15f1af609ae4a233dc6bdae84c1231c2335be6320ddbb9a5d76c79= 83498a9ca72c13b55cc1408dac477f707fb84df99435994c1a7eeb91396481c2f7b11ecc2e +$(DL_FILE)_BLAKE2 =3D 26fdc4bbed153f7a5a511b7c1a804f794dd6e4b8b44d0317a4cad3= 04b2c824183fd6054b7ca94f22b3e49e22a13ec9dbd24373b628b01bdcdb5392eafe6b3dbe arm-multi-patches-$(ARM_PATCHES).patch.xz_BLAKE2 =3D 58a70e757a9121a0aac8360= 4a37aa787ec7ac0ee4970c5a3ac3bcb2dbaca32b00089cae6c0da5cf2fe0a2e156427b5165c6a= 86e0371a3e896f4c7cdd699c34a0 =20 install : $(TARGET) @@ -116,7 +116,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) ln -svf linux-$(VER) $(DIR_SRC)/linux =20 # Layer7-patch - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-5.15.17-la= yer7.patch + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-5.15.46-la= yer7.patch =20 # DVB Patches cd $(DIR_APP) && patch -Np2 < $(DIR_SRC)/src/patches/v4l-dvb_fix_tua6034_pl= l.patch diff --git a/src/initscripts/system/localnet b/src/initscripts/system/localnet index f260a1f29..ffa05e397 100644 --- a/src/initscripts/system/localnet +++ b/src/initscripts/system/localnet @@ -26,7 +26,7 @@ write_resolv_conf() { ( [ -n "${DOMAINNAME}" ] && echo "search ${DOMAINNAME}" echo "nameserver 127.0.0.1" - echo "options trust-ad" + echo "options edns0 trust-ad" ) > /etc/resolv.conf } =20 diff --git a/src/patches/linux/linux-5.15.17-layer7.patch b/src/patches/linux= /linux-5.15.46-layer7.patch similarity index 94% rename from src/patches/linux/linux-5.15.17-layer7.patch rename to src/patches/linux/linux-5.15.46-layer7.patch index 0dafa16c7..d6b46142c 100644 --- a/src/patches/linux/linux-5.15.17-layer7.patch +++ b/src/patches/linux/linux-5.15.46-layer7.patch 
@@ -1,6 +1,6 @@ -diff -Naur a/include/linux/skbuff.h b/include/linux/skbuff.h ---- a/include/linux/skbuff.h 2022-01-27 10:05:44.000000000 +0000 -+++ b/include/linux/skbuff.h 2022-01-29 08:04:32.984637671 +0000 +diff -Naur linux-5.15.46.orig/include/linux/skbuff.h linux-5.15.46/include/l= inux/skbuff.h +--- linux-5.15.46.orig/include/linux/skbuff.h 2022-06-11 14:51:47.639775333 = +0000 ++++ linux-5.15.46/include/linux/skbuff.h 2022-06-11 14:53:07.977494189 +0000 @@ -772,6 +772,9 @@ #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE) unsigned long _nfct; @@ -11,10 +11,10 @@ diff -Naur a/include/linux/skbuff.h b/include/linux/skbuf= f.h unsigned int len, data_len; __u16 mac_len, -diff -Naur a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf= _conntrack.h ---- a/include/net/netfilter/nf_conntrack.h 2022-01-27 10:05:44.000000000 +00= 00 -+++ b/include/net/netfilter/nf_conntrack.h 2022-01-29 08:04:32.984637671 +00= 00 -@@ -117,6 +117,23 @@ +diff -Naur linux-5.15.46.orig/include/net/netfilter/nf_conntrack.h linux-5.1= 5.46/include/net/netfilter/nf_conntrack.h +--- linux-5.15.46.orig/include/net/netfilter/nf_conntrack.h 2022-06-11 14:51= :48.471834543 +0000 ++++ linux-5.15.46/include/net/netfilter/nf_conntrack.h 2022-06-11 14:53:07.9= 77494189 +0000 +@@ -119,6 +119,23 @@ /* Extensions */ struct nf_ct_ext *ext; =20 
@@ -38,9 +38,9 @@ diff -Naur a/include/net/netfilter/nf_conntrack.h b/include= /net/netfilter/nf_con /* Storage reserved for other modules, must be the last member */ union nf_conntrack_proto proto; }; -diff -Naur a/include/uapi/linux/netfilter/xt_layer7.h b/include/uapi/linux/n= etfilter/xt_layer7.h ---- a/include/uapi/linux/netfilter/xt_layer7.h 1970-01-01 00:00:00.000000000= +0000 -+++ b/include/uapi/linux/netfilter/xt_layer7.h 2022-01-29 08:04:32.984637671= +0000 +diff -Naur linux-5.15.46.orig/include/uapi/linux/netfilter/xt_layer7.h linux= -5.15.46/include/uapi/linux/netfilter/xt_layer7.h +--- linux-5.15.46.orig/include/uapi/linux/netfilter/xt_layer7.h 1970-01-01 0= 0:00:00.000000000 +0000 ++++ linux-5.15.46/include/uapi/linux/netfilter/xt_layer7.h 2022-06-11 14:53:= 07.977494189 +0000 @@ -0,0 +1,13 @@ +#ifndef _XT_LAYER7_H +#define _XT_LAYER7_H @@ -55,9 +55,9 @@ diff -Naur a/include/uapi/linux/netfilter/xt_layer7.h b/inc= lude/uapi/linux/netfi +}; + +#endif /* _XT_LAYER7_H */ -diff -Naur a/net/netfilter/Kconfig b/net/netfilter/Kconfig ---- a/net/netfilter/Kconfig 2022-01-27 10:05:44.000000000 +0000 -+++ b/net/netfilter/Kconfig 2022-01-29 08:04:32.988637605 +0000 +diff -Naur linux-5.15.46.orig/net/netfilter/Kconfig linux-5.15.46/net/netfil= ter/Kconfig +--- linux-5.15.46.orig/net/netfilter/Kconfig 2022-06-11 14:51:48.599843652 += 0000 ++++ linux-5.15.46/net/netfilter/Kconfig 2022-06-11 14:53:07.977494189 +0000 @@ -1389,6 +1389,26 @@ =20 To compile it as a module, choose M here. If unsure, say N. 
@@ -85,9 +85,9 @@ diff -Naur a/net/netfilter/Kconfig b/net/netfilter/Kconfig config NETFILTER_XT_MATCH_LENGTH tristate '"length" match support' depends on NETFILTER_ADVANCED -diff -Naur a/net/netfilter/Makefile b/net/netfilter/Makefile ---- a/net/netfilter/Makefile 2022-01-27 10:05:44.000000000 +0000 -+++ b/net/netfilter/Makefile 2022-01-29 08:04:32.988637605 +0000 +diff -Naur linux-5.15.46.orig/net/netfilter/Makefile linux-5.15.46/net/netfi= lter/Makefile +--- linux-5.15.46.orig/net/netfilter/Makefile 2022-06-11 14:51:48.599843652 = +0000 ++++ linux-5.15.46/net/netfilter/Makefile 2022-06-11 14:53:07.981494474 +0000 @@ -201,6 +201,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_SCTP) +=3D xt_sctp.o obj-$(CONFIG_NETFILTER_XT_MATCH_SOCKET) +=3D xt_socket.o @@ -96,10 +96,10 @@ diff -Naur a/net/netfilter/Makefile b/net/netfilter/Makef= ile obj-$(CONFIG_NETFILTER_XT_MATCH_STATISTIC) +=3D xt_statistic.o obj-$(CONFIG_NETFILTER_XT_MATCH_STRING) +=3D xt_string.o obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) +=3D xt_tcpmss.o -diff -Naur a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_= core.c ---- a/net/netfilter/nf_conntrack_core.c 2022-01-27 10:05:44.000000000 +0000 -+++ b/net/netfilter/nf_conntrack_core.c 2022-01-29 08:04:32.992637539 +0000 -@@ -636,6 +636,11 @@ +diff -Naur linux-5.15.46.orig/net/netfilter/nf_conntrack_core.c linux-5.15.4= 6/net/netfilter/nf_conntrack_core.c +--- linux-5.15.46.orig/net/netfilter/nf_conntrack_core.c 2022-06-11 14:51:48= .599843652 +0000 ++++ linux-5.15.46/net/netfilter/nf_conntrack_core.c 2022-06-11 14:53:07.9814= 94474 +0000 +@@ -648,6 +648,11 @@ */ nf_ct_remove_expectations(ct); =20 
@@ -111,24 +111,24 @@ diff -Naur a/net/netfilter/nf_conntrack_core.c b/net/ne= tfilter/nf_conntrack_core nf_ct_del_from_dying_or_unconfirmed_list(ct); =20 local_bh_enable(); -diff -Naur a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conn= track_standalone.c ---- a/net/netfilter/nf_conntrack_standalone.c 2022-01-27 10:05:44.000000000 = +0000 -+++ b/net/netfilter/nf_conntrack_standalone.c 2022-01-29 08:04:32.992637539 = +0000 +diff -Naur linux-5.15.46.orig/net/netfilter/nf_conntrack_standalone.c linux-= 5.15.46/net/netfilter/nf_conntrack_standalone.c +--- linux-5.15.46.orig/net/netfilter/nf_conntrack_standalone.c 2022-06-11 14= :51:48.603843938 +0000 ++++ linux-5.15.46/net/netfilter/nf_conntrack_standalone.c 2022-06-11 14:54:2= 3.322859367 +0000 @@ -370,6 +370,11 @@ ct_show_zone(s, ct, NF_CT_DEFAULT_ZONE_DIR); ct_show_delta_time(s, ct); =20 -+#if defined(CONFIG_NETFILTER_XT_MATCH_LAYER7) || defined(CONFIG_NETFILTER_X= T_MATCH_LAYER7_MODULE) ++ #if defined(CONFIG_NETFILTER_XT_MATCH_LAYER7) || defined(CONFIG_NETFILTER_= XT_MATCH_LAYER7_MODULE) + if(ct->layer7.app_proto) + seq_printf(s, "l7proto=3D%s ", ct->layer7.app_proto); -+#endif ++ #endif + - seq_printf(s, "use=3D%u\n", atomic_read(&ct->ct_general.use)); + seq_printf(s, "use=3D%u\n", refcount_read(&ct->ct_general.use)); =20 if (seq_has_overflowed(s)) -diff -Naur a/net/netfilter/regexp/regexp.c b/net/netfilter/regexp/regexp.c ---- a/net/netfilter/regexp/regexp.c 1970-01-01 00:00:00.000000000 +0000 -+++ b/net/netfilter/regexp/regexp.c 2022-01-29 08:04:32.992637539 +0000 +diff -Naur linux-5.15.46.orig/net/netfilter/regexp/regexp.c linux-5.15.46/ne= t/netfilter/regexp/regexp.c +--- linux-5.15.46.orig/net/netfilter/regexp/regexp.c 1970-01-01 00:00:00.000= 000000 +0000 ++++ linux-5.15.46/net/netfilter/regexp/regexp.c 2022-06-11 14:53:07.98549475= 8 +0000 @@ -0,0 +1,1197 @@ +/* + * regcomp and regexec -- regsub and regerror are elsewhere 
@@ -1327,9 +1327,9 @@ diff -Naur a/net/netfilter/regexp/regexp.c b/net/netfil= ter/regexp/regexp.c +#endif + + -diff -Naur a/net/netfilter/regexp/regexp.h b/net/netfilter/regexp/regexp.h ---- a/net/netfilter/regexp/regexp.h 1970-01-01 00:00:00.000000000 +0000 -+++ b/net/netfilter/regexp/regexp.h 2022-01-29 08:04:32.992637539 +0000 +diff -Naur linux-5.15.46.orig/net/netfilter/regexp/regexp.h linux-5.15.46/ne= t/netfilter/regexp/regexp.h +--- linux-5.15.46.orig/net/netfilter/regexp/regexp.h 1970-01-01 00:00:00.000= 000000 +0000 ++++ linux-5.15.46/net/netfilter/regexp/regexp.h 2022-06-11 14:53:07.98549475= 8 +0000 @@ -0,0 +1,41 @@ +/* + * Definitions etc. for regexp(3) routines. @@ -1372,18 +1372,18 @@ diff -Naur a/net/netfilter/regexp/regexp.h b/net/netf= ilter/regexp/regexp.h +void regerror(char *s); + +#endif -diff -Naur a/net/netfilter/regexp/regmagic.h b/net/netfilter/regexp/regmagic= .h ---- a/net/netfilter/regexp/regmagic.h 1970-01-01 00:00:00.000000000 +0000 -+++ b/net/netfilter/regexp/regmagic.h 2022-01-29 08:04:32.992637539 +0000 +diff -Naur linux-5.15.46.orig/net/netfilter/regexp/regmagic.h linux-5.15.46/= net/netfilter/regexp/regmagic.h +--- linux-5.15.46.orig/net/netfilter/regexp/regmagic.h 1970-01-01 00:00:00.0= 00000000 +0000 ++++ linux-5.15.46/net/netfilter/regexp/regmagic.h 2022-06-11 14:53:07.985494= 758 +0000 
@@ -0,0 +1,5 @@ +/* + * The first byte of the regexp internal "program" is actually this magic + * number; the start node begins in the second byte. + */ +#define MAGIC 0234 -diff -Naur a/net/netfilter/regexp/regsub.c b/net/netfilter/regexp/regsub.c ---- a/net/netfilter/regexp/regsub.c 1970-01-01 00:00:00.000000000 +0000 -+++ b/net/netfilter/regexp/regsub.c 2022-01-29 08:04:32.992637539 +0000 +diff -Naur linux-5.15.46.orig/net/netfilter/regexp/regsub.c linux-5.15.46/ne= t/netfilter/regexp/regsub.c +--- linux-5.15.46.orig/net/netfilter/regexp/regsub.c 1970-01-01 00:00:00.000= 000000 +0000 ++++ linux-5.15.46/net/netfilter/regexp/regsub.c 2022-06-11 14:53:07.98549475= 8 +0000 @@ -0,0 +1,95 @@ +/* + * regsub @@ -1480,9 +1480,9 @@ diff -Naur a/net/netfilter/regexp/regsub.c b/net/netfil= ter/regexp/regsub.c + } + *dst++ =3D '\0'; +} -diff -Naur a/net/netfilter/xt_layer7.c b/net/netfilter/xt_layer7.c ---- a/net/netfilter/xt_layer7.c 1970-01-01 00:00:00.000000000 +0000 -+++ b/net/netfilter/xt_layer7.c 2022-01-29 08:04:32.992637539 +0000 +diff -Naur linux-5.15.46.orig/net/netfilter/xt_layer7.c linux-5.15.46/net/ne= tfilter/xt_layer7.c +--- linux-5.15.46.orig/net/netfilter/xt_layer7.c 1970-01-01 00:00:00.0000000= 00 +0000 ++++ linux-5.15.46/net/netfilter/xt_layer7.c 2022-06-11 14:53:07.985494758 +0= 000 @@ -0,0 +1,666 @@ +/* + Kernel module to match application layer (OSI layer 7) data in connection= s. hooks/post-receive -- IPFire 2.x development tree --===============1756995330409321470==--
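Review bot: in the config/etc/sysctl.conf hunk, the two added keys cover only `all` and `default`, and `default` is the template for interfaces created later. Since update.sh applies the file on a running system via `/etc/init.d/sysctl start`, please confirm that interfaces which already exist end up with accept_redirects = 0, or set the key per interface. The added comment would also read better as "sysctls" and "in case this system is manually configured to run with IPv6".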
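Review bot: the `CONFIG_SECURITY_YAMA=y` change (the same line in all four kernel.config.*-ipfire files) only builds Yama in; no visible hunk touches CONFIG_LSM, and the sysctl.conf hunk adds no kernel.yama.ptrace_scope entry. Please confirm that yama is part of the configured LSM list so it is actually initialised at boot, and state the intended ptrace_scope value in sysctl.conf instead of relying on the kernel default.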
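Review bot: in exit_with_error() in config/rootfiles/core/169/update.sh, `exit $2` is unquoted and has no fallback, so a call that passes only a message ends in a bare `exit`, which returns the status of the preceding logger command and can report a failed update as success. Use `exit "${2:-1}"` and quote `$1` handling consistently. The comment typo "succesfull" could be fixed in the same pass.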
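Review bot: in the free-space check added to update.sh, `[ $ROOTSPACE -lt 100000 ]` is unquoted and the value is never validated. If the df/sed/cut pipeline yields an empty or non-numeric string, the test errors out, the `if` is treated as false, and the script carries on to the `rm -rvf` of /boot/vmlinuz-* and /lib/modules. Quote the variable and abort when it is not a number. The `exit 2` after the exit_with_error call is unreachable, and both abort paths run after squid and apache were stopped, so a failed check leaves those services down.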
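Review bot: in the uEnv.txt update at the end of update.sh, the sed expression `s/KVER=3D.*/KVER=3D${KVER}/g` is not anchored, so any line that merely contains KVER= loses everything after that point, not just a line that defines the variable. Anchor it at the start of the line if the key sits on its own line. `${KVER}` passed to /boot/pakfire-kernel-update should be quoted as well.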
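Review bot: in config/unbound/unbound.conf, removing `aggressive-nsec: yes` from the "Hardening Options" block makes that setting depend on the default of whichever Unbound version is shipped. A one-line comment saying aggressive NSEC is on by default since Unbound 1.15.0 would keep the intent visible to anyone auditing the file. The visible core/169 filelists/files hunk adds localnet and sysctl.conf but not unbound.conf; please confirm whether this file is meant to ship with the update.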
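Review bot: in lfs/flash-images, adding `noexec` to the /boot fstab entry conflicts with update.sh in this same push, which runs `/boot/pakfire-kernel-update ${KVER}` directly; on images built with the new fstab that call will fail with a permission error. Either invoke the hook through its interpreter or move it out of /boot. The /boot/efi entry two lines below still uses plain "defaults"; please say whether leaving it unhardened is intentional.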
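Review bot: in the nf_conntrack_standalone.c part of linux-5.15.46-layer7.patch, the refreshed `#if defined(...)` and `#endif` lines now carry a leading space ("+ #if", "+ #endif") where the 5.15.17 version had them at column 0; please restore column 0 for the preprocessor directives. The switch from atomic_read to refcount_read on the ct_general.use line shows the patch was rebased and not just renamed, which is worth saying in the commit message.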