To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 13b7e3803cfd803d42d4ef082fba37859aa1e2f7
X-Git-Refname: refs/heads/next
X-Git-Reftype: branch
X-Git-Oldrev: d32ce68c3e2cc0bde4407d97e1f09d8a1efba0e7
X-Git-Newrev: 13b7e3803cfd803d42d4ef082fba37859aa1e2f7
Message-Id: <4bk5gZ3hydz2xYs@people01.haj.ipfire.org>
Date: Fri, 18 Jul 2025 10:31:38 +0000 (UTC)
From: Michael Tremer

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated
       via  13b7e3803cfd803d42d4ef082fba37859aa1e2f7 (commit)
       via  6349caf6fa009ea02f93c1b6d1a589859ce3031e (commit)
       via  ff90bed77c5fec5d9f29c6f1422cf36440b09e94 (commit)
       via  a2cc5c320c3bd894c0cff2f9185f13f0d527e456 (commit)
       via  928f98326d7c82584754a9c4631b94e64ca15ae1 (commit)
       via  c297c347d96460bcab651b4f58038d5e857fd2ff (commit)
       via  3f3c688181304b4676a7fbb3291270b967f09395 (commit)
       via  2772a5990067679bde106883f39a30aa2fe196e6 (commit)
       via  23fb1dfd86d1efc85a0f80228bd644287bfff682 (commit)
      from  d32ce68c3e2cc0bde4407d97e1f09d8a1efba0e7 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 13b7e3803cfd803d42d4ef082fba37859aa1e2f7
Author: Michael Tremer
Date:   Fri Jul 18 10:30:29 2025 +0000

    core197: Migrate OpenVPN configuration changes
    Signed-off-by: Michael Tremer

commit 6349caf6fa009ea02f93c1b6d1a589859ce3031e
Author: Michael Tremer
Date:   Fri Jul 18 10:11:34 2025 +0000

    core197: Ship BIND

    Signed-off-by: Michael Tremer

commit ff90bed77c5fec5d9f29c6f1422cf36440b09e94
Author: Matthias Fischer
Date:   Fri Jul 18 00:35:56 2025 +0200

    bind: Update to 9.20.11

    For details see:
    https://downloads.isc.org/isc/bind9/9.20.11/doc/arm/html/notes.html#notes-for-bind-9-20-11

    "Notes for BIND 9.20.11

    Security Fixes

        Fix a possible assertion failure when stale-answer-client-timeout
        is set to 0.

        In specific circumstances the named resolver process could exit
        with an assertion failure when stale answers were enabled and the
        stale-answer-client-timeout configuration option was set to 0.
        This has been fixed. (CVE-2025-40777) [GL #5372]

    New Features

        Add support for the CO flag to dig.

        Add support for Compact Denial of Existence to dig. This includes
        showing the CO (Compact Answers OK) flag when displaying messages
        and adding an option to set the CO flag when making queries
        (dig +coflag). [GL #5319]

    Bug Fixes

        Correct the default interface-interval from 60s to 60m.

        When the interface-interval parser was changed from a uint32
        parser to a duration parser, the default value stayed at plain
        number 60 which now means 60 seconds instead of 60 minutes. The
        documentation also incorrectly states that the value is in
        minutes. That has been fixed. [GL #5246]

        Fix a purge-keys bug when using multiple views of a zone.

        Previously, when a DNSSEC key was purged by one zone view, other
        zone views would return an error about missing key files. This
        has been fixed. [GL #5315]

        Use IPv6 queries in delv +ns.

        delv +ns invokes the same code to perform name resolution as
        named, but it neglected to set up an IPv6 dispatch object first.
        Consequently, it was behaving more like named -4. It now sets up
        dispatch objects for both address families, and performs resolver
        queries to both IPv4 and IPv6 addresses, except when one of the
        address families has been suppressed by using delv -4 or
        delv -6. [GL #5352]"

    Signed-off-by: Matthias Fischer
    Signed-off-by: Michael Tremer

commit a2cc5c320c3bd894c0cff2f9185f13f0d527e456
Author: Robin Roevens
Date:   Thu Jul 17 19:52:05 2025 +0200

    zabbix_agentd: Openvpn-2.6: use the helper binary to read the status log

    Signed-off-by: Robin Roevens
    Signed-off-by: Michael Tremer

commit 928f98326d7c82584754a9c4631b94e64ca15ae1
Author: Robin Roevens
Date:   Thu Jul 17 19:52:04 2025 +0200

    zabbix_agentd: Openvpn-2.6: fix pid name for services stats

    Signed-off-by: Robin Roevens
    Signed-off-by: Michael Tremer

commit c297c347d96460bcab651b4f58038d5e857fd2ff
Author: Robin Roevens
Date:   Thu Jul 17 19:52:03 2025 +0200

    zabbix_agentd: Add LocationDB functionality

    Adds new IPFire specific monitoring capabilities to Zabbix Agent:
    - ipfire.locationdb.lookup[,,...]: Perform IPFire LocationDB lookups
      from within Zabbix. Returns a JSON dict.
    - ipfire.locationdb.version: Get LocationDB version timestamp in
      unixtime.

    Signed-off-by: Robin Roevens
    Signed-off-by: Michael Tremer

commit 3f3c688181304b4676a7fbb3291270b967f09395
Author: Robin Roevens
Date:   Thu Jul 17 19:52:02 2025 +0200

    zabbix_agentd: Add WireGuard specific monitoring items

    Adds new IPFire specific monitoring capabilities to Zabbix Agent:
    - ipfire.wireguard.peers.discovery: Discovery of configured WireGuard
      clients. Returns a JSON array.
    - ipfire.wireguard.statusreport.get: Parses and returns output of
      `wireguardctrl dump` as a JSON array.

    Signed-off-by: Robin Roevens
    Signed-off-by: Michael Tremer

commit 2772a5990067679bde106883f39a30aa2fe196e6
Author: Robin Roevens
Date:   Thu Jul 17 19:52:01 2025 +0200

    zabbix_agentd: Add ARPing method for checking Internet Gateway

    Since some ISPs block ICMP ping to their gateway, ARPing can be an
    alternative.
    This change adds arping alternatives for the regular (icmp) ping checks:
    - ipfire.net.gateway.arping: Check if the Internet Gateway is
      reachable via ARPing
    - ipfire.net.gateway.arpingtime: Measure the time it takes to ARPing
      the Internet Gateway

    Signed-off-by: Robin Roevens
    Signed-off-by: Michael Tremer

commit 23fb1dfd86d1efc85a0f80228bd644287bfff682
Author: Robin Roevens
Date:   Thu Jul 17 19:52:00 2025 +0200

    zabbix_agentd: Update to 7.0.16 (LTS)

    - Update from version 7.0.11 to 7.0.16
    - Update of rootfile not required

    Bugs fixed:
    ZBX-26080 Fixed old file descriptors being held when external log rotation is used
    ZBX-26121 Added default flags to net.dns.get arguments when none are specified
    ZBX-26055 Fixed failure to refresh active checks when next refresh was faster than 60 seconds

    Full changelogs since 7.0.11:
    - https://www.zabbix.com/rn/rn7.0.12
    - https://www.zabbix.com/rn/rn7.0.13
    - https://www.zabbix.com/rn/rn7.0.14
    - https://www.zabbix.com/rn/rn7.0.15
    - https://www.zabbix.com/rn/rn7.0.16

    Signed-off-by: Robin Roevens
    Signed-off-by: Michael Tremer

-----------------------------------------------------------------------

Summary of changes:
 config/backup/backup.pl                            | 26 +++++++++++++++++++++
 config/rootfiles/common/bind                       | 10 ++++----
 .../{oldcore/100 => core/197}/filelists/bind       |  0
 config/rootfiles/core/197/filelists/files          |  1 +
 config/rootfiles/core/197/update.sh                | 27 ++++++++++++++++++++++
 config/rootfiles/packages/zabbix_agentd            |  3 +++
 config/zabbix_agentd/ipfire_services.pl            |  2 +-
 config/zabbix_agentd/sudoers                       |  3 ++-
 config/zabbix_agentd/userparameter_gateway.conf    | 12 ++++++++++
 config/zabbix_agentd/userparameter_ipfire.conf     |  4 ----
 config/zabbix_agentd/userparameter_locationdb.conf |  6 +++++
 config/zabbix_agentd/userparameter_ovpn.conf       |  2 +-
 config/zabbix_agentd/userparameter_wireguard.conf  |  6 +++++
 lfs/bind                                           |  4 ++--
 lfs/zabbix_agentd                                  | 12 +++++++---
 15 files changed, 101 insertions(+), 17 deletions(-)
 copy config/rootfiles/{oldcore/100 => core/197}/filelists/bind (100%)
 create mode 100644 config/zabbix_agentd/userparameter_gateway.conf
 create mode 100644 config/zabbix_agentd/userparameter_locationdb.conf
 create mode 100644 config/zabbix_agentd/userparameter_wireguard.conf

Difference in files:
diff --git a/config/backup/backup.pl b/config/backup/backup.pl index fe62213e8..f49073b1e 100644 --- a/config/backup/backup.pl +++ b/config/backup/backup.pl @@ -349,6 +349,32 @@ restore_backup() { rm /var/log/pakfire.log fi + # Update the OpenVPN configuration + sed -r \ + -e "s/^writepid .*/writepid \/var\/run\/openvpn-rw.pid/" \ + -e "/ncp-disable/d" \ + -e "s/^cipher (.*)/data-ciphers-fallback \1/" \ + -i /var/ipfire/ovpn/server.conf + + # Change to the subnet topology + if ! grep -q "topology subnet" /var/ipfire/ovpn/server.conf; then + echo "topology subnet" >> /var/ipfire/ovpn/server.conf + fi + + # Migrate away from compression + if ! grep -q "compress migrate" /var/ipfire/ovpn/server.conf; then + echo "compress migrate" >> /var/ipfire/ovpn/server.conf + fi + + # Enable the legacy provider (just in case) + if ! grep -q "providers legacy default" /var/ipfire/ovpn/server.conf; then + echo "providers legacy default" >> /var/ipfire/ovpn/server.conf + fi + + # Enable explicit exit notification + if ! grep -q "explicit-exit-notify" /var/ipfire/ovpn/server.conf; then + echo "explicit-exit-notify" >> /var/ipfire/ovpn/server.conf + fi return 0 } diff --git a/config/rootfiles/common/bind b/config/rootfiles/common/bind index f387a31a7..fb6220c47 100644 --- a/config/rootfiles/common/bind +++ b/config/rootfiles/common/bind @@ -240,18 +240,18 @@ usr/bin/nsupdate #usr/include/ns/types.h #usr/include/ns/update.h #usr/include/ns/xfrout.h -usr/lib/libdns-9.20.10.so +usr/lib/libdns-9.20.11.so #usr/lib/libdns.la #usr/lib/libdns.so -usr/lib/libisc-9.20.10.so +usr/lib/libisc-9.20.11.so #usr/lib/libisc.la #usr/lib/libisc.so -usr/lib/libisccc-9.20.10.so +usr/lib/libisccc-9.20.11.so #usr/lib/libisccc.la #usr/lib/libisccc.so -usr/lib/libisccfg-9.20.10.so +usr/lib/libisccfg-9.20.11.so #usr/lib/libisccfg.la #usr/lib/libisccfg.so -usr/lib/libns-9.20.10.so +usr/lib/libns-9.20.11.so #usr/lib/libns.la #usr/lib/libns.so 
diff --git a/config/rootfiles/core/197/filelists/bind b/config/rootfiles/core/197/filelists/bind new file mode 120000 index 000000000..48a0ebaef --- /dev/null +++ b/config/rootfiles/core/197/filelists/bind @@ -0,0 +1 @@ +../../../common/bind \ No newline at end of file diff --git a/config/rootfiles/core/197/filelists/files b/config/rootfiles/core/197/filelists/files index b197f3f2a..3d3aaa46a 100644 --- a/config/rootfiles/core/197/filelists/files +++ b/config/rootfiles/core/197/filelists/files @@ -14,6 +14,7 @@ srv/web/ipfire/cgi-bin/services.cgi srv/web/ipfire/cgi-bin/vulnerabilities.cgi srv/web/ipfire/html/themes/ipfire/include/css/style.css usr/local/bin/openvpnctrl +var/ipfire/backup/bin/backup.pl var/ipfire/general-functions.pl var/ipfire/header.pl var/ipfire/langs/list diff --git a/config/rootfiles/core/197/update.sh b/config/rootfiles/core/197/update.sh index b72797e24..5ed9385cc 100644 --- a/config/rootfiles/core/197/update.sh +++ b/config/rootfiles/core/197/update.sh 
@@ -54,6 +54,33 @@ ldconfig # Filesytem cleanup /usr/local/bin/filesystem-cleanup +# Update the OpenVPN configuration +sed -r \ + -e "s/^writepid .*/writepid \/var\/run\/openvpn-rw.pid/" \ + -e "/ncp-disable/d" \ + -e "s/^cipher (.*)/data-ciphers-fallback \1/" \ + -i /var/ipfire/ovpn/server.conf + +# Change to the subnet topology +if ! grep -q "topology subnet" /var/ipfire/ovpn/server.conf; then + echo "topology subnet" >> /var/ipfire/ovpn/server.conf +fi + +# Migrate away from compression +if ! grep -q "compress migrate" /var/ipfire/ovpn/server.conf; then + echo "compress migrate" >> /var/ipfire/ovpn/server.conf +fi + +# Enable the legacy provider (just in case) +if ! grep -q "providers legacy default" /var/ipfire/ovpn/server.conf; then + echo "providers legacy default" >> /var/ipfire/ovpn/server.conf +fi + +# Enable explicit exit notification +if ! grep -q "explicit-exit-notify" /var/ipfire/ovpn/server.conf; then + echo "explicit-exit-notify" >> /var/ipfire/ovpn/server.conf +fi + # Apply SSH configuration /usr/local/bin/sshctrl diff --git a/config/rootfiles/packages/zabbix_agentd b/config/rootfiles/packages/zabbix_agentd index ffa66f307..7f1f39b64 100644 --- a/config/rootfiles/packages/zabbix_agentd +++ b/config/rootfiles/packages/zabbix_agentd @@ -21,6 +21,9 @@ var/ipfire/zabbix_agentd/userparameters var/ipfire/zabbix_agentd/userparameters/userparameter_pakfire.conf var/ipfire/zabbix_agentd/userparameters/userparameter_ipfire.conf var/ipfire/zabbix_agentd/userparameters/userparameter_ovpn.conf +var/ipfire/zabbix_agentd/userparameters/userparameter_gateway.conf +var/ipfire/zabbix_agentd/userparameters/userparameter_wireguard.conf +var/ipfire/zabbix_agentd/userparameters/userparameter_locationdb.conf var/ipfire/zabbix_agentd/scripts var/ipfire/zabbix_agentd/scripts/ipfire_certificate_detail.sh var/ipfire/zabbix_agentd/scripts/ipfire_services.pl 
diff --git a/config/zabbix_agentd/ipfire_services.pl b/config/zabbix_agentd/ipfire_services.pl index 653b606ee..d3f9855ba 100755 --- a/config/zabbix_agentd/ipfire_services.pl +++ b/config/zabbix_agentd/ipfire_services.pl @@ -100,7 +100,7 @@ my %services = ( # OpenVPN Roadwarrior 'OpenVPN Roadwarrior Server' => { "process" => "openvpn", - "pidfile" => "/var/run/openvpn.pid", + "pidfile" => "/var/run/openvpn-rw.pid", } ); diff --git a/config/zabbix_agentd/sudoers b/config/zabbix_agentd/sudoers index 78e175980..50a9e69de 100644 --- a/config/zabbix_agentd/sudoers +++ b/config/zabbix_agentd/sudoers @@ -8,6 +8,7 @@ # To add more sudo rights to zabbix agent, you should modify the sudoers file zabbix_agentd_user # Defaults:zabbix !requiretty -zabbix ALL=(ALL) NOPASSWD: /opt/pakfire/pakfire status, /usr/sbin/fping, /usr/local/bin/getipstat, /bin/cat /var/run/ovpnserver.log +zabbix ALL=(ALL) NOPASSWD: /opt/pakfire/pakfire status, /usr/sbin/fping, /usr/sbin/arping, /usr/local/bin/getipstat +zabbix ALL=(ALL) NOPASSWD: /usr/local/bin/openvpnctrl rw log, /usr/local/bin/wireguardctrl dump zabbix ALL=(ALL) NOPASSWD: /var/ipfire/zabbix_agentd/scripts/ipfire_certificate_detail.sh zabbix ALL=(ALL) NOPASSWD: /var/ipfire/zabbix_agentd/scripts/ipfire_services.pl diff --git a/config/zabbix_agentd/userparameter_gateway.conf b/config/zabbix_agentd/userparameter_gateway.conf new file mode 100644 index 000000000..cfae001ae --- /dev/null +++ b/config/zabbix_agentd/userparameter_gateway.conf 
@@ -0,0 +1,12 @@ +# Parameters to monitor Internet gateway connectivity +# +# ICMP Ping +# Internet Gateway ping timings, can be used to measure "Internet Line Quality" +UserParameter=ipfire.net.gateway.pingtime,sudo /usr/sbin/fping -c 3 gateway 2>&1 | tail -n 1 | awk '{print $NF}' | cut -d '/' -f2 +# Internet Gateway availability, can be used to check Internet connection +UserParameter=ipfire.net.gateway.ping,sudo /usr/sbin/fping -q -r 3 gateway; [ ! $? == 0 ]; echo $? +# ARP Ping +# Internet Gateway ping timings, can be used to measure "Internet Line Quality" when ICMP ping is not available +UserParameter=ipfire.net.gateway.arpingtime,sudo /usr/sbin/arping -i red0 -c 3 gateway | awk 'match($0, /time=([0-9\.]+) (\w+)$/, arr) { n++; if (arr[2] == "usec") { arr[1]/=1000; }; sum+=arr[1] } END { print sum / n }' +# Internet Gateway availability, can be used to check Internet connection when ICMP ping is not available +UserParameter=ipfire.net.gateway.arping,sudo /usr/sbin/arping -q -c 3 gateway; [ ! $? == 0 ]; echo $? diff --git a/config/zabbix_agentd/userparameter_ipfire.conf b/config/zabbix_agentd/userparameter_ipfire.conf index c8ead1608..e88c20298 100644 --- a/config/zabbix_agentd/userparameter_ipfire.conf +++ b/config/zabbix_agentd/userparameter_ipfire.conf 
@@ -1,9 +1,5 @@ # Parameters for monitoring IPFire specific metrics # -# Internet Gateway ping timings, can be used to measure "Internet Line Quality" -UserParameter=ipfire.net.gateway.pingtime,sudo /usr/sbin/fping -c 3 gateway 2>&1 | tail -n 1 | awk '{print $NF}' | cut -d '/' -f2 -# Internet Gateway availability, can be used to check Internet connection -UserParameter=ipfire.net.gateway.ping,sudo /usr/sbin/fping -q -r 3 gateway; [ ! $? == 0 ]; echo $? # Firewall Filter Forward chain drops in bytes/chain (JSON), can be used for discovery of firewall chains and monitoring of firewall hits on each chain UserParameter=ipfire.net.fw.hits.raw,sudo /usr/local/bin/getipstat -xf | grep "/\* DROP_.* \*/$" | awk 'BEGIN { ORS = ""; print "["} { printf "%s{\"chain\": \"%s\", \"bytes\": \"%s\"}", separator, substr($11, 6), $2; separator = ", "; } END { print"]" }' # Number of currently Active DHCP leases diff --git a/config/zabbix_agentd/userparameter_locationdb.conf b/config/zabbix_agentd/userparameter_locationdb.conf new file mode 100644 index 000000000..4aa540762 --- /dev/null +++ b/config/zabbix_agentd/userparameter_locationdb.conf @@ -0,0 +1,6 @@ +# Parameters for querying IPFire Location DB +# +# Returns Location DB lookup for one or more IP addresses +UserParameter=ipfire.locationdb.lookup[*],/usr/bin/location lookup $1 $2 $3 $4 $5 $6 $7 $8 $9 2>&1 | awk -F"[[:space:]]*:[[:space:]]*" 'BEGIN { printf "{" } /[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+:/ { printf "%s\"%s\":{",separator,$$1; separator = "," } /^[[:space:]]*Network/ { printf "\"network\":\"" $$2 "\"" } /^[[:space:]]*Country/ { printf ",\"country\":\"" $$2 "\"" } /^[[:space:]]*Autonomous System/ { printf ",\"as\":\"" $$2 "\"}" } /Errno [[:digit:]]+/ { printf "\"error\":\"%s\"",$$0 } END { printf "}" }' +# Returns the Unix timestamp of the IPFire Location DB version +UserParameter=ipfire.locationdb.version,date -d"$(/usr/bin/location version)" +%s 
diff --git a/config/zabbix_agentd/userparameter_ovpn.conf b/config/zabbix_agentd/userparameter_ovpn.conf index a7a6d8535..d2ce10bb3 100644 --- a/config/zabbix_agentd/userparameter_ovpn.conf +++ b/config/zabbix_agentd/userparameter_ovpn.conf 
@@ -3,7 +3,7 @@ # Discovery of configured ovpn clients UserParameter=ipfire.ovpn.clients.discovery,cat /var/ipfire/ovpn/ovpnconfig 2>/dev/null | awk -F',' 'BEGIN { ORS = ""; print "[" } { printf "%s{\"{#NAME}\":\"%s\",\"{#COMMONNAME}\":\"%s\",\"{#STATE}\":\"%s\",\"{#REMARK}\":\"%s\",\"{#TYPE}\":\"%s\"}", separator, $3, $4, $2, $27, $5; separator = ","; } END { print "]" }' # Get OpenVPN status report -UserParameter=ipfire.ovpn.statusreport.get,sudo cat /var/run/ovpnserver.log 2>/dev/null | awk -F"," 'function unixtime(t) { gsub(/[-:]/," ",t); return mktime(t) } BEGIN { ORS = ""; print "{" } /^Updated,.+/ { printf "\"timestamp\":%s,\"clients\":[",unixtime($2) } /^.+,[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+,[0-9]+,[0-9]+,.+/ { if ($1 != "Common Name") { printf "%s{\"common_name\":\"%s\",\"real_address\":\"%s\",\"bytes_in\":\"%s\",\"bytes_out\":\"%s\",\"connected_since\":\"%s\"}", separator, $1, $2, $3, $4, unixtime($5); separator = ","; } } /^ROUTING TABLE/ { print "],\"routing_table\":["; separator = "" } /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+,.+,[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+,.+/ { if ($1 != "Virtual Address") { printf "%s{\"common_name\":\"%s\",\"virtual_address\":\"%s\",\"real_address\":\"%s\",\"last_ref\":\"%s\"}", separator, $2, $1, $3, unixtime($4); separator = "," } } END { print "]}" }' +UserParameter=ipfire.ovpn.statusreport.get,sudo /usr/local/bin/openvpnctrl rw log 2>/dev/null | awk -F"," 'function unixtime(t) { gsub(/[-:]/," ",t); return mktime(t) } BEGIN { ORS = ""; print "{" } /^Updated,.+/ { printf "\"timestamp\":%s,\"clients\":[",unixtime($2) } /^.+,[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+,[0-9]+,[0-9]+,.+/ { if ($1 != "Common Name") { printf "%s{\"common_name\":\"%s\",\"real_address\":\"%s\",\"bytes_in\":\"%s\",\"bytes_out\":\"%s\",\"connected_since\":\"%s\"}", separator, $1, $2, $3, $4, unixtime($5); separator = ","; } } /^ROUTING TABLE/ { print "],\"routing_table\":["; separator = "" } 
/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+,.+,[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+,.+/ { if ($1 != "Virtual Address") { printf "%s{\"common_name\":\"%s\",\"virtual_address\":\"%s\",\"real_address\":\"%s\",\"last_ref\":\"%s\"}", separator, $2, $1, $3, unixtime($4); separator = "," } } END { print "]}" }' # Get OpenVPN client certificate details UserParameter=ipfire.ovpn.clientcert[*],sudo /var/ipfire/zabbix_agentd/scripts/ipfire_certificate_detail.sh /var/ipfire/ovpn/ca/cacert.pem /var/ipfire/ovpn/certs/$1cert.pem UserParameter=ipfire.ovpn.cacert,sudo /var/ipfire/zabbix_agentd/scripts/ipfire_certificate_detail.sh /var/ipfire/ovpn/ca/cacert.pem /var/ipfire/ovpn/ca/cacert.pem diff --git a/config/zabbix_agentd/userparameter_wireguard.conf b/config/zabbix_agentd/userparameter_wireguard.conf new file mode 100644 index 000000000..b7925288a --- /dev/null +++ b/config/zabbix_agentd/userparameter_wireguard.conf @@ -0,0 +1,6 @@ +# Parameters for monitoring IPFire WireGuard specific metrics +# +# Discovery of configured WireGuard peers +UserParameter=ipfire.wireguard.peers.discovery,cat /var/ipfire/wireguard/peers 2>/dev/null | awk -F',' 'BEGIN { ORS = ""; print "[" } { printf "%s{\"{#NAME}\":\"%s\",\"{#ID}\":\"%s\",\"{#STATE}\":\"%s\",\"{#REMARK_B64}\":\"%s\",\"{#TYPE}\":\"%s\"}", separator, $4, $5, $2, $11, $3; separator = ","; } END { print "]" }' +# Get Wireguard status report +UserParameter=ipfire.wireguard.statusreport.get,sudo /usr/local/bin/wireguardctrl dump | awk 'BEGIN { ORS = ""; print "[" } NR>1 { printf "%s{\"id\":\"%s\",\"endpoint\":\"%s\",\"allowed_ip\":\"%s\",\"handshake_timestamp\":%s,\"bytes_in\":%s,\"bytes_out\":%s}", separator, $1, $3, $4, $5, $6, $7; separator = ","; } END { print "]" }' diff --git a/lfs/bind b/lfs/bind index cdba7c307..fa4d73d04 100644 --- a/lfs/bind +++ b/lfs/bind @@ -25,7 +25,7 @@ include Config -VER = 9.20.10 +VER = 9.20.11 THISAPP = bind-$(VER) DL_FILE = $(THISAPP).tar.xz 
@@ -43,7 +43,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = e5a7824ff5b901be447a2f4f067aa8b3345eb8187ed86f3bf6bc623e2b6c812722667eefd1f915026dab078846011e222336a30c4da640c4e54aa828398b180d +$(DL_FILE)_BLAKE2 = 582e6de2699713e870dfc853f461c78b2d2b505bed0b571f853c94a731be9006783f45a4f897692289c1a9411725eac0b4de3818f1641221e62754316f410081 install : $(TARGET) diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd index dbe2088fb..db43bd611 100644 --- a/lfs/zabbix_agentd +++ b/lfs/zabbix_agentd @@ -26,7 +26,7 @@ include Config SUMMARY = Zabbix Agent -VER = 7.0.11 +VER = 7.0.16 THISAPP = zabbix-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -34,7 +34,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = zabbix_agentd -PAK_VER = 17 +PAK_VER = 18 DEPS = fping @@ -48,7 +48,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 0c6544c64febc51e6fc153863b46e333d9d5564c83f40b71362a15c0533d48e50e5c340b35b2ca0dd1d776d0452f4aae42dc44d4e0e4b2c5949df02efbc7fc06 +$(DL_FILE)_BLAKE2 = 5b5ae98fd9ff819b0a202ad566fc4e9523991f67a13a0967986299cafe962e54c7769dffe821b59c55bd2b6e437ea913a6f7074bf9275cdb1bf433eeeb193117 install : $(TARGET) 
@@ -112,6 +112,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) /var/ipfire/zabbix_agentd/userparameters/userparameter_ipfire.conf install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/userparameter_ovpn.conf \ /var/ipfire/zabbix_agentd/userparameters/userparameter_ovpn.conf + install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/userparameter_gateway.conf \ + /var/ipfire/zabbix_agentd/userparameters/userparameter_gateway.conf + install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/userparameter_wireguard.conf \ + /var/ipfire/zabbix_agentd/userparameters/userparameter_wireguard.conf + install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/userparameter_locationdb.conf \ + /var/ipfire/zabbix_agentd/userparameters/userparameter_locationdb.conf # Install IPFire-specific Zabbix Agent scripts -mkdir -pv /var/ipfire/zabbix_agentd/scripts hooks/post-receive -- IPFire 2.x development tree
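
Review bot: in the restore_backup() hunk of config/backup/backup.pl, the OpenVPN migration never checks that /var/ipfire/ovpn/server.conf exists. When a restored backup carries no OpenVPN server configuration, sed fails on the missing file, every `if ! grep -q ...` test then succeeds, and the first `echo ... >> /var/ipfire/ovpn/server.conf` creates a server.conf that ends up holding only the four appended directives. Wrap the whole block in `if [ -f /var/ipfire/ovpn/server.conf ]; then ... fi` so a system without an OpenVPN server is left untouched.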
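
Review bot: the grep guards in the config/rootfiles/core/197/update.sh hunk are unanchored, so any line that merely contains the text, such as a commented-out `#topology subnet`, counts as the directive being present and suppresses the append. Anchor them, for example `grep -q "^topology subnet"` and `grep -q "^explicit-exit-notify"`. The block is also a verbatim copy of the one added to backup.pl; moving it into one shared function that both scripts call would keep the two migrations from drifting apart.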
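
Review bot: the new `/usr/sbin/arping` entry in config/zabbix_agentd/sudoers carries no argument list, so sudo lets the zabbix user run arping with arbitrary options, interfaces and targets, while the UserParameters only ever call `arping -i red0 -c 3 gateway` and `arping -q -c 3 gateway`. List those two command lines explicitly, the way the following line pins `openvpnctrl rw log` and `wireguardctrl dump`, and consider narrowing the run-as spec from `(ALL)` to `(root)`. Dropping `/bin/cat /var/run/ovpnserver.log` in favour of the fixed-argument helper is a good tightening.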
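
Review bot: in config/zabbix_agentd/userparameter_gateway.conf, the ipfire.net.gateway.arpingtime awk program ends with `END { print sum / n }`, and n is never set when no reply line matches, so an unreachable gateway makes awk abort on a division by zero instead of returning a value the item can store. Guard it, for example `END { if (n) print sum / n }`. The timing item also passes `-i red0` while ipfire.net.gateway.arping passes no interface, so the two checks may probe different interfaces, and the three-argument match() is a gawk extension that deserves a comment.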
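
Review bot: ipfire.locationdb.lookup[*] in config/zabbix_agentd/userparameter_locationdb.conf substitutes $1 to $9 unquoted into a shell pipeline, so its safety rests entirely on the agent rejecting shell metacharacters in item parameters (UnsafeUserParameters left at its default of 0). State that requirement in the file's comment, or move the lookup into a script that validates each argument as an IP address before calling /usr/bin/location. Separately, the closing `}` of each address object is printed only by the `Autonomous System` rule, so a result without that line, or the `Errno` branch following an address header, leaves the JSON unbalanced.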
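
Review bot: in config/zabbix_agentd/userparameter_wireguard.conf, ipfire.wireguard.statusreport.get prints handshake_timestamp, bytes_in and bytes_out with `%s` and no quotes, so any dump line where $5, $6 or $7 is empty or non-numeric yields invalid JSON; the OpenVPN status item quotes the equivalent fields. Use `%d` or quote the values. In ipfire.wireguard.peers.discovery the name field $4 is likewise inserted without escaping `"` or `\`, so a peer name containing either character breaks the discovery array.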
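
Review bot: `DEPS = fping` in lfs/zabbix_agentd is unchanged although this update installs userparameter_gateway.conf and a sudoers entry that both call /usr/sbin/arping. If arping is not shipped with the core system, add its package to DEPS alongside the PAK_VER bump so the new items do not fail on a fresh install.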