* [git.ipfire.org] IPFire 2.x development tree branch, master, updated. b7c958992df0b2e9275c4df42133e2ebd50e1b8b
@ 2023-04-09 16:27 Michael Tremer
From: Michael Tremer @ 2023-04-09 16:27 UTC (permalink / raw)
To: ipfire-scm
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, master has been updated
via b7c958992df0b2e9275c4df42133e2ebd50e1b8b (commit)
via ca06e817b84b8bb737b2811bdc5ad43d034e2c48 (commit)
via 65df34a6f60714706cc48386c3ed60ee6e100cf3 (commit)
via a201764e756895ed5fc23028863ba3b0e8bb406d (commit)
via d3a520fa68d2d0198ddca827a96a4e2cbb595d8a (commit)
via 7970d3937287171035336bd63ee28d0cd1c82d62 (commit)
via 41d3d33dde1312d6e1556d3279d9c09d925b7452 (commit)
via a84b9ed2feb926681ad94273d8c2efc5d7b71b4f (commit)
from 11f4726b0d72b6a4a0799bb4548e9ce93bf16911 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit b7c958992df0b2e9275c4df42133e2ebd50e1b8b
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date: Fri Apr 7 14:37:05 2023 +0000
Core Update 174: Ship parse-func.pl
Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
commit ca06e817b84b8bb737b2811bdc5ad43d034e2c48
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date: Fri Apr 7 14:35:11 2023 +0000
parse-func.pl: Adjust regular expression to changed 'tc' output
It is not clear at all why they choose to change the tool's output this
way in upstream commit 010a8388aea11e767ba3a2506728b9ad9760df0e, but
we'll have to make do with this.
Fixes: #13075
Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
commit 65df34a6f60714706cc48386c3ed60ee6e100cf3
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date: Tue Apr 4 21:12:39 2023 +0000
Do not mark migrate.pl as executable in Git
Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
commit a201764e756895ed5fc23028863ba3b0e8bb406d
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date: Tue Apr 4 20:25:55 2023 +0000
ovpnmain.cgi: Do not determine certificate expiry status for N2N connections
https://wiki.ipfire.org/devel/telco/2023-04-03
Fixes: #13066
Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
commit d3a520fa68d2d0198ddca827a96a4e2cbb595d8a
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date: Tue Apr 4 20:04:11 2023 +0000
Revert "e2fsprogs: Update to version 1.47.0"
This reverts commit 1f3f26702144ef600eb7937c4ab78e4833e6636f.
Symlink will remain in place to ensure the reverted version is always
shipped to our users, including those that have installed Core Update
174 (testing).
Fixes: #13073
Reported-by: Arne Fitzenreiter <arne.fitzenreiter(a)ipfire.org>
Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
commit 7970d3937287171035336bd63ee28d0cd1c82d62
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date: Tue Apr 4 20:02:58 2023 +0000
Core Update 174: Ship ipblocklist-related changes
https://wiki.ipfire.org/devel/telco/2023-04-03
Cc: Stefan Schantl <stefan.schantl(a)ipfire.org>
Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
commit 41d3d33dde1312d6e1556d3279d9c09d925b7452
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Tue Mar 28 18:05:42 2023 +0200
update-ipblocklists: Fix loading new blocklists after update
* The script needs to run with root permissions in order to
do the ipset operations. So remove code to drop the permissions
on startup.
* Adjust execute calls to use the proper functions from
general functions.
* Add some code to set the correct ownership (nobody:nobody) for
changed files during script runtime.
Fixes #13072.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit a84b9ed2feb926681ad94273d8c2efc5d7b71b4f
Author: Adolf Belka <adolf.belka(a)ipfire.org>
Date: Thu Mar 16 11:34:03 2023 +0100
header.pl: Add reference to colors.txt into header.pl
- With change of common css entries into header.pl with commit
https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=b52a84ddc77f9db7e4ad7b129f21fbf528c6f990
I had missed that color20 and color22 etc, that come from colors.txt, are not known in
header.pl so that the alternate colours in tables were missing. Even though I tested the
previous commit I obviously did not look well enough because I missed that the tables
had no alternate colours. I just found it now when looking at Core Update 174 Testing.
- Confirmed by copying this version of header.pl into my CU174 Testing system and the
alternate colour rows came back again as they should be. I am sure now that they are
correct.
Tested-by: Adolf Belka <adolf.belka(a)ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch(a)ipfire.org>
Tested-by: Bernhard Bitsch <bbitsch(a)ipfire.org>
-----------------------------------------------------------------------
Summary of changes:
config/cfgroot/header.pl | 3 +++
config/cfgroot/ipblocklist-functions.pl | 27 +++++++++++++++++++
config/qos/migrate.pl | 0
config/qos/parse-func.pl | 10 +++----
config/rootfiles/core/174/filelists/files | 3 +++
config/rootfiles/core/174/update.sh | 3 +++
html/cgi-bin/ovpnmain.cgi | 43 +++++++++++++++++++------------
lfs/e2fsprogs | 4 +--
src/scripts/update-ipblocklists | 28 +++++++++-----------
9 files changed, 82 insertions(+), 39 deletions(-)
mode change 100755 => 100644 config/qos/migrate.pl
Difference in files:
diff --git a/config/cfgroot/header.pl b/config/cfgroot/header.pl
index 955ed2646..3f80ce9b4 100644
--- a/config/cfgroot/header.pl
+++ b/config/cfgroot/header.pl
@@ -17,6 +17,9 @@ use HTML::Entities();
use Socket;
use Time::Local;
+our %color = ();
+&General::readhash("/srv/web/ipfire/html/themes/ipfire/include/colors.txt", \%color);
+
$|=1; # line buffering
$Header::revision = 'final';
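Review bot: the `&General::readhash(...)` call added above `$|=1;` runs at load time for every script that pulls in header.pl, and it hard-codes the path to the `ipfire` theme's colors.txt. The hunk does not show what happens when that file is missing or unreadable, so I would guard the call with a `-r` test on the path and fall back to an empty `%color`, and take the theme directory from a single variable rather than a literal string.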
diff --git a/config/cfgroot/ipblocklist-functions.pl b/config/cfgroot/ipblocklist-functions.pl
index ecabf42e8..bd026a01d 100644
--- a/config/cfgroot/ipblocklist-functions.pl
+++ b/config/cfgroot/ipblocklist-functions.pl
@@ -383,4 +383,31 @@ sub get_holdoff_rate($) {
return $value;
}
+#
+## sub set_ownership(file)
+##
+## Function to set the correct ownership (nobody:nobody) to a given file.
+##
+#
+sub set_ownership($) {
+ my ($file) = @_;
+
+ # User and group of the WUI.
+ my $uname = "nobody";
+ my $grname = "nobody";
+
+ # The chown function implemented in perl requies the user and group as nummeric id's.
+ my $uid = getpwnam($uname);
+ my $gid = getgrnam($grname);
+
+ # Check if the given file exists.
+ unless ($file) {
+ # Stop the script and print error message.
+ die "The given $file does not exist. Cannot change the ownership!\n";
+ }
+
+ # Change ownership of the file.
+ chown($uid, $gid, "$file");
+}
+
1;
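Review bot: the existence check in `set_ownership` does not test for existence. `unless ($file)` only tests that the argument is a non-empty, true string, so a path that does not exist passes and the error message is never reached for the case it describes. Use `unless (-e $file)` instead. The results of `getpwnam`, `getgrnam` and `chown` are also unchecked, so a failed lookup or a failed chown goes unnoticed; check that `$uid` and `$gid` are defined and that `chown` returns 1. Because the calling script now runs as root and `chown` follows symbolic links, consider refusing the file when `-l $file` is true. The comment typos "requies" and "nummeric" can be fixed in the same pass.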
diff --git a/config/qos/migrate.pl b/config/qos/migrate.pl
old mode 100755
new mode 100644
diff --git a/config/qos/parse-func.pl b/config/qos/parse-func.pl
index 991757f92..04ca85b7f 100644
--- a/config/qos/parse-func.pl
+++ b/config/qos/parse-func.pl
@@ -46,24 +46,24 @@ class htb 1:10 parent 1:1 prio 0 rate 80Kbit ceil 320Kbit burst 1701b cburst 200
lended: 230876 borrowed: 17112 giants: 0
tokens: 127200 ctokens: 37940
-class htb 1:20 parent 1:1 leaf 4220: prio 1 rate 100Kbit ceil 200Kbit burst 1727b cburst 1855b
+class htb 1:20 parent 1:1 leaf 4220prio 1 rate 100Kbit ceil 200Kbit burst 1727b cburst 1855b
Sent 2495181573 bytes 44034303 pkts (dropped 5837, overlimits 0)
lended: 43825585 borrowed: 208718 giants: 0
tokens: 103424 ctokens: 55808
-class htb 1:30 parent 1:1 leaf 4230: prio 3 rate 80Kbit ceil 400Kbit burst 1701b cburst 2111b
+class htb 1:30 parent 1:1 leaf 4230prio 3 rate 80Kbit ceil 400Kbit burst 1701b cburst 2111b
Sent 2060213567 bytes 5465574 pkts (dropped 121, overlimits 0)
rate 16851bps 35pps
lended: 4556992 borrowed: 908582 giants: 0
tokens: -25364 ctokens: 32897
-class htb 1:50 parent 1:1 leaf 4250: prio 5 rate 40Kbit ceil 120Kbit burst 1650b cburst 1752b
+class htb 1:50 parent 1:1 leaf 4250prio 5 rate 40Kbit ceil 120Kbit burst 1650b cburst 1752b
Sent 6071486687 bytes 24448436 pkts (dropped 8086739, overlimits 0)
rate 15801bps 85pps backlog 126p
lended: 8324530 borrowed: 16123780 giants: 0
tokens: -202717 ctokens: -172499
-class htb 1:666 parent 1:1 leaf 666: prio 7 rate 4Kbit ceil 40Kbit burst 1604b cburst 1650b
+class htb 1:666 parent 1:1 leaf 666prio 7 rate 4Kbit ceil 40Kbit burst 1604b cburst 1650b
Sent 2148626078 bytes 6771069 pkts (dropped 2078536, overlimits 0)
rate 5221bps 17pps backlog 125p
lended: 675330 borrowed: 6095613 giants: 0
@@ -94,7 +94,7 @@ sub parse_class($) {
my $line=$tc_output[$i];
# Parsing HTB:
# ------------
- if ( $line =~ m/class htb (\d+):(\d+)( root| parent )?(\d+:\d+)?( leaf )?(\d+)?:?( prio )?(\d+)? rate (.*) ceil (.*) burst (.*) cburst (.*)/ ) {
+ if ( $line =~ m/class htb (\d+):(\d+)( root| parent )?(\d+:\d+)?( leaf )?(\d+)?(prio )?(\d+)? rate (.*) ceil (.*) burst (.*) cburst (.*)/ ) {
my $type = "htb";
my $major = $1;
my $minor = $2;
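Review bot: the new pattern in `parse_class` drops both `:?` and the leading space of `( prio )?`, so as the lines read here it only matches when `prio` follows the leaf id with nothing in between. A class without a leaf, such as the `class htb 1:10 parent 1:1 prio 0 rate 80Kbit ...` line in the sample block above, still has a space before `prio` and would no longer match, and neither would output from an older `tc` that prints `leaf 4220: prio 1`. Making the separator optional keeps all three forms working without changing the capture group numbering, for example `( leaf )?(\d+)?:?\s*(prio )?(\d+)? rate`. A short comment naming the upstream change that altered the output would also help the next reader.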
diff --git a/config/rootfiles/core/174/filelists/files b/config/rootfiles/core/174/filelists/files
index 8b7058f81..53b01dca6 100644
--- a/config/rootfiles/core/174/filelists/files
+++ b/config/rootfiles/core/174/filelists/files
@@ -92,7 +92,10 @@ srv/web/ipfire/cgi-bin/proxy.cgi
srv/web/ipfire/cgi-bin/traffic.cgi
srv/web/ipfire/cgi-bin/updatexlrator.cgi
usr/lib/firewall/rules.pl
+usr/local/bin/update-ipblocklists
var/ipfire/graphs.pl
var/ipfire/header.pl
var/ipfire/ids-functions.pl
+var/ipfire/ipblocklist-functions.pl
var/ipfire/network-functions.pl
+var/ipfire/qos/bin/parse-func.pl
diff --git a/config/rootfiles/core/174/update.sh b/config/rootfiles/core/174/update.sh
index 7acaad64e..25474a7b2 100644
--- a/config/rootfiles/core/174/update.sh
+++ b/config/rootfiles/core/174/update.sh
@@ -184,6 +184,9 @@ if [ -e "/opt/pakfire/db/installed/meta-perl-TimeDate" ] && [ -e "/opt/pakfire/d
/opt/pakfire/db/rootfiles/perl-TimeDate
fi
+# Update IP blocklists to resolve fallout of #13072 as quickly as possible
+/usr/local/bin/update-location-database
+
# This update needs a reboot...
touch /var/run/need_reboot
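Review bot: the comment and the command in the added lines disagree. The comment says the IP blocklists are updated to resolve the fallout of #13072, but the line below it runs `/usr/local/bin/update-location-database`, while the script this update ships in the filelist is `usr/local/bin/update-ipblocklists`. If the blocklist update is what is intended, call that script; otherwise correct the comment.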
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 87bda4f1e..51d6e8431 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -2,7 +2,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2022 IPFire Team <info(a)ipfire.org> #
+# Copyright (C) 2007-2023 IPFire Team <info(a)ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -5354,26 +5354,37 @@ END
}
if ($confighash{$key}[0] eq 'on') { $gif = 'on.gif'; } else { $gif = 'off.gif'; }
- # Fetch information about the certificate
- my @cavalid = &General::system_output("/usr/bin/openssl", "x509", "-text",
- "-in", "${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem");
+ # Create some simple booleans to check the status
+ my $hasExpired;
+ my $expiresSoon;
- my $expiryDate = 0;
+ # Fetch information about the certificate for non-N2N connections only
+ if ($confighash{$key}[3] ne 'net') {
+ my @cavalid = &General::system_output("/usr/bin/openssl", "x509", "-text",
+ "-in", "${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem");
- # Parse the certificate information
- foreach my $line (@cavalid) {
- if ($line =~ /Not After : (.*)[\n]/) {
- $expiryDate = &Date::Parse::str2time($1);
- last;
+ my $expiryDate = 0;
+
+ # Parse the certificate information
+ foreach my $line (@cavalid) {
+ if ($line =~ /Not After : (.*)[\n]/) {
+ $expiryDate = &Date::Parse::str2time($1);
+ last;
+ }
}
- }
- # Calculate the remaining time
- my $remainingTime = $expiryDate - time();
+ # Calculate the remaining time
+ my $remainingTime = $expiryDate - time();
- # Create some simple booleans to check the status
- my $hasExpired = ($remainingTime <= 0);
- my $expiresSoon = ($remainingTime <= 30 * 24 * 3600);
+ # Determine whether the certificate has already expired, or will so soon
+ $hasExpired = ($remainingTime <= 0);
+ $expiresSoon = ($remainingTime <= 30 * 24 * 3600);
+
+ } else {
+ # Populate booleans with dummy values for N2N connections (#13066)
+ $hasExpired = 0;
+ $expiresSoon = 0;
+ }
print "<tr>";
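Review bot: in the non-N2N branch `$expiryDate` still starts at 0 and stays 0 when no "Not After" line is parsed, for example when the certificate file is missing or `openssl` prints nothing. `$remainingTime` is then negative and the connection is shown as expired, which is indistinguishable from a certificate that really has expired. Consider setting the booleans only when a date was actually parsed and treating the other case as unknown. The `else` branch can be dropped by initialising at declaration: `my $hasExpired = 0;` and `my $expiresSoon = 0;`.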
diff --git a/lfs/e2fsprogs b/lfs/e2fsprogs
index 8db1c215c..4758b5401 100644
--- a/lfs/e2fsprogs
+++ b/lfs/e2fsprogs
@@ -24,7 +24,7 @@
include Config
-VER = 1.47.0
+VER = 1.46.5
THISAPP = e2fsprogs-$(VER)
DL_FILE = $(THISAPP).tar.xz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = 84f58b05a9f0e14e1a66c6e5171ff23b022f51c4e9a02d4d6d1d26c91909f3c7ec9c9f0462663a4457b4479043774502b8891f691e58a61f4ef6bf9ba33f33aa
+$(DL_FILE)_BLAKE2 = 8d8c02e891c464782a7cff518c41d793fc73366b57e17d80ffc5afd96e6144e354290e667e9710509a9dde4e5dab7e7185c5bf084c5bfd26219f05e5e92e0830
install : $(TARGET)
diff --git a/src/scripts/update-ipblocklists b/src/scripts/update-ipblocklists
index 9918cac41..a17b47999 100644
--- a/src/scripts/update-ipblocklists
+++ b/src/scripts/update-ipblocklists
@@ -32,19 +32,6 @@ require "${General::swroot}/lang.pl";
# Hash to store the settings.
my %settings = ();
-# The user and group name as which this script should be run.
-my $run_as = 'nobody';
-
-# Get user and group id of the user.
-my ( $uid, $gid ) = ( getpwnam $run_as )[ 2, 3 ];
-
-# Check if the script currently runs as root.
-if ( $> == 0 ) {
- # Drop privileges and switch to the specified user and group.
- POSIX::setgid( $gid );
- POSIX::setuid( $uid );
-}
-
# Establish the connection to the syslog service.
openlog('ipblocklist', 'cons', 'user');
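Review bot: removing the `POSIX::setgid` / `POSIX::setuid` block means the whole script, not only the `ipset` calls, now runs as root, including the code that fetches and processes the remote blocklists. The commit message gives the `ipset` operations as the reason for needing root, so I would keep the unprivileged context for the download and parsing step (for example in a forked child that drops to `nobody`) and perform only the `ipset restore`, `swap` and `destroy` steps as root. That would also make most of the later `set_ownership` calls unnecessary.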
@@ -122,6 +109,12 @@ foreach my $blocklist (@blocklists) {
&_log_to_syslog("<ERROR> Could not update $blocklist blocklist - Unexpected error\!");
}
} else {
+ # Get the filename of the blocklist.
+ my $ipset_db_file = &IPblocklist::get_ipset_db_file($blocklist);
+
+ # Set the correct ownership.
+ &IPblocklist::set_ownership($ipset_db_file);
+
# Log successfull update.
&_log_to_syslog("<INFO> Successfully updated $blocklist blocklist.");
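Review bot: the value returned by `get_ipset_db_file` is passed straight to `set_ownership` in the added lines, and that function calls `die` on a bad argument. A `die` here ends the run in the middle of the `foreach` loop, so the remaining blocklists are not processed and nothing is written to syslog. I would have `set_ownership` return a status and log a failure through `_log_to_syslog` like the other error paths in this loop, then continue with the next blocklist.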
@@ -132,22 +125,25 @@ foreach my $blocklist (@blocklists) {
# Check if a blocklist has been updated and therefore needs to be reloaded.
if (@updated_blocklists) {
+ # Set correct ownership to the modified file.
+ &IPblocklist::set_ownership($IPblocklist::modified_file);
+
# Loop through the array.
foreach my $updated_blocklist (@updated_blocklists) {
# Get the blocklist file.
my $ipset_db_file = &IPblocklist::get_ipset_db_file($updated_blocklist);
# Call safe system function to reload/update the blocklist.
- &General::system("ipset", "restore", "-f", "$ipset_db_file");
+ &General::safe_system("ipset", "restore", "-f", "$ipset_db_file");
# The set name contains a "v4" as suffix.
my $set_name = "$updated_blocklist" . "v4";
# Swap the sets to use the new one.
- &General::system("ipset", "swap", "$set_name", "$updated_blocklist");
+ &General::safe_system("ipset", "swap", "$set_name", "$updated_blocklist");
# Destroy the old blocklist.
- &General::system("ipset", "destroy", "$set_name");
+ &General::safe_system("ipset", "destroy", "$set_name");
}
}
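Review bot: the result of each `&General::safe_system(...)` call in the reload loop is discarded, so when `ipset restore` fails the `swap` and `destroy` calls still run against a set that may be missing or incomplete. Check the result of the restore before swapping, log the failure through `_log_to_syslog`, and skip to the next blocklist in that case. The `set_ownership($IPblocklist::modified_file)` call at the top of the block has the same `die` behaviour as inside the update loop and would prevent any reload if it fails.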
hooks/post-receive
--
IPFire 2.x development tree