To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 306516d99a8333ca7d91adba835c206ebbaf9b9b
X-Git-Refname: refs/heads/next
X-Git-Reftype: branch
X-Git-Oldrev: 0105e8685da8dac43690d7e47ed8531550ce5863
X-Git-Newrev: 306516d99a8333ca7d91adba835c206ebbaf9b9b
Message-Id: <4bwgph5xFMz2xN7@people01.haj.ipfire.org>
Date: Mon, 04 Aug 2025 15:44:28 +0000 (UTC)
From: Michael Tremer
Precedence: list

This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".

The branch, next has been updated
       via  306516d99a8333ca7d91adba835c206ebbaf9b9b (commit)
       via  52d53e52737f05ff8cba02c3245bcb74d1b8cfbe (commit)
       via  993d5838f31ceeef8bc103b177e6a95f371f36c3 (commit)
       via  a5a1b2c2c16473990b9eee81cf9502af369bcdf6 (commit)
       via  dd67715a493e372936d815cd9d46904fa4681073 (commit)
       via  5152d450ff943eeea0be1c0aa1bcc87e1c89755a (commit)
       via  991e99a4fbfca7f1992c4d57b2686a58bde05ef7 (commit)
       via  5c903c529978dff6c100819dff785ffc9b507a0b (commit)
       via  f5f70cb85c1537de6f760869f20cb29abc0a95f4 (commit)
       via  8aa06d9fc3f7024611b00f00ca02ce14392d1e33 (commit)
       via  c8540f81307e1027e05dc5e8953f0b722ad44233 (commit)
      from  0105e8685da8dac43690d7e47ed8531550ce5863 (commit)

Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.

- Log -----------------------------------------------------------------
commit 306516d99a8333ca7d91adba835c206ebbaf9b9b
Author: Michael Tremer
Date:   Mon Aug 4 16:24:29 2025 +0200

    ovpnmain.cgi: Fix layout issues when editing N2N

    No functional changes.
    Signed-off-by: Michael Tremer

commit 52d53e52737f05ff8cba02c3245bcb74d1b8cfbe
Author: Michael Tremer
Date:   Tue Jul 29 14:50:17 2025 +0000

    core197: Ship bonding changes

    Signed-off-by: Michael Tremer

commit 993d5838f31ceeef8bc103b177e6a95f371f36c3
Author: Michael Tremer
Date:   Tue Jul 29 14:42:20 2025 +0000

    network: Ensure that we only run once at a time

    Signed-off-by: Michael Tremer

commit a5a1b2c2c16473990b9eee81cf9502af369bcdf6
Author: Michael Tremer
Date:   Tue Jul 29 14:42:19 2025 +0000

    network: Add support for some more auxiliary zones

    Signed-off-by: Michael Tremer

commit dd67715a493e372936d815cd9d46904fa4681073
Author: Michael Tremer
Date:   Tue Jul 29 14:42:18 2025 +0000

    network: Fail if no master device has been configured for slave zones

    Signed-off-by: Michael Tremer

commit 5152d450ff943eeea0be1c0aa1bcc87e1c89755a
Author: Michael Tremer
Date:   Tue Jul 29 14:42:17 2025 +0000

    network: Rename the bridge hotplug script

    Since it is now creating more than just bridges, this had to have a new name.

    Signed-off-by: Michael Tremer

commit 991e99a4fbfca7f1992c4d57b2686a58bde05ef7
Author: Michael Tremer
Date:   Tue Jul 29 14:42:16 2025 +0000

    network: Add support for bonds

    This is a bare-minimum implementation to realise this. It changes the bridge script because the two of them have quite a bit in common, so we should avoid further code duplication.

    Signed-off-by: Michael Tremer

commit 5c903c529978dff6c100819dff785ffc9b507a0b
Author: Michael Tremer
Date:   Tue Jul 29 14:42:15 2025 +0000

    linux: Don't create bond0 when bonding is being loaded

    Signed-off-by: Michael Tremer

commit f5f70cb85c1537de6f760869f20cb29abc0a95f4
Author: Michael Tremer
Date:   Tue Jul 29 14:38:20 2025 +0000

    firewall: Completely throw away any output when restarting Tor
    Signed-off-by: Michael Tremer

commit 8aa06d9fc3f7024611b00f00ca02ce14392d1e33
Author: Michael Tremer
Date:   Tue Jul 29 14:36:54 2025 +0000

    initscripts: Fix process check for processes with PID file

    This check tests whether a process is still alive, but it fails for those processes when we are using a PID file.

    Signed-off-by: Michael Tremer

commit c8540f81307e1027e05dc5e8953f0b722ad44233
Author: Michael Tremer
Date:   Tue Jul 29 14:34:28 2025 +0000

    arpwatch: New package

    This allows receiving an email notification if a new host is detected on a network.
    Signed-off-by: Michael Tremer

-----------------------------------------------------------------------

Summary of changes:
 config/backup/includes/arpwatch                    |   2 +
 config/rootfiles/common/aarch64/linux              |   1 +
 config/rootfiles/common/riscv64/linux              |   1 +
 config/rootfiles/common/udev                       |   2 +-
 config/rootfiles/common/x86_64/linux               |   1 +
 config/rootfiles/core/197/filelists/files          |   4 +
 config/rootfiles/core/197/update.sh                |   1 +
 config/rootfiles/packages/arpwatch                 |   5 +
 config/udev/60-net.rules                           |   4 +-
 ...work-hotplug-bridges => network-hotplug-master} | 111 +++++---
 config/udev/network-hotplug-rename                 |   4 +-
 html/cgi-bin/ovpnmain.cgi                          | 280 +++++++++++----------
 lfs/{frr => arpwatch}                              |  73 +++--
 lfs/linux                                          |   3 +
 lfs/udev                                           |   4 +-
 make.sh                                            |   1 +
 src/initscripts/packages/{openvmtools => arpwatch} |  68 ++--
 src/initscripts/system/firewall                    |   2 +-
 src/initscripts/system/functions                   |   6 +-
 src/paks/{haproxy => arpwatch}/install.sh          |   8 +-
 src/paks/{default => arpwatch}/uninstall.sh        |   1 +
 src/paks/{amazon-ssm-agent => arpwatch}/update.sh  |   0
 src/patches/arpwatch/53_stop-using-_getshort.patch |  25 ++
 23 files changed, 373 insertions(+), 234 deletions(-)
 create mode 100644 config/backup/includes/arpwatch
 create mode 100644 config/rootfiles/packages/arpwatch
 rename config/udev/{network-hotplug-bridges => network-hotplug-master} (61%)
 copy lfs/{frr => arpwatch} (71%)
 copy src/initscripts/packages/{openvmtools => arpwatch} (66%)
 copy src/paks/{haproxy => arpwatch}/install.sh (90%)
 copy src/paks/{default => arpwatch}/uninstall.sh (98%)
 copy src/paks/{amazon-ssm-agent => arpwatch}/update.sh (100%)
 create mode 100644 src/patches/arpwatch/53_stop-using-_getshort.patch

Difference in files:
diff --git a/config/backup/includes/arpwatch b/config/backup/includes/arpwatch new file mode 100644 index 0000000000..3316475307 --- /dev/null +++ b/config/backup/includes/arpwatch @@ -0,0 +1,2 @@ +/etc/sysconfig/arpwatch +/var/lib/arpwatch 
diff --git a/config/rootfiles/common/aarch64/linux b/config/rootfiles/common/aarch64/linux index 9b848d2117..7d3124685a 100644 --- a/config/rootfiles/common/aarch64/linux +++ b/config/rootfiles/common/aarch64/linux @@ -573,6 +573,7 @@ boot/dtb-KVER #boot/dtb-KVER/synaptics/berlin4ct-stb.dtb boot/vmlinuz-KVER #etc/cpufreq-bench.conf +etc/modprobe.d/bonding.conf etc/modprobe.d/ipv6.conf #lib/modules #lib/modules/KVER diff --git a/config/rootfiles/common/riscv64/linux b/config/rootfiles/common/riscv64/linux index bf0deb05ff..4cb6a0dda9 100644 --- a/config/rootfiles/common/riscv64/linux +++ b/config/rootfiles/common/riscv64/linux @@ -13,6 +13,7 @@ boot/dtb-KVER #boot/dtb-KVER/starfive/jh7110-starfive-visionfive-2-v1.3b.dtb boot/vmlinuz-KVER #etc/cpufreq-bench.conf +etc/modprobe.d/bonding.conf etc/modprobe.d/ipv6.conf #lib/modules #lib/modules/KVER diff --git a/config/rootfiles/common/udev b/config/rootfiles/common/udev index 3eea437188..94da6f7722 100644 --- a/config/rootfiles/common/udev +++ b/config/rootfiles/common/udev @@ -49,7 +49,7 @@ lib/udev/hwdb.d lib/udev/iocost lib/udev/mtd_probe lib/udev/network-aqm -lib/udev/network-hotplug-bridges +lib/udev/network-hotplug-master lib/udev/network-hotplug-rename lib/udev/network-hotplug-vlan lib/udev/network-offloading diff --git a/config/rootfiles/common/x86_64/linux b/config/rootfiles/common/x86_64/linux index c58d0a4bb6..66484034d8 100644 --- a/config/rootfiles/common/x86_64/linux +++ b/config/rootfiles/common/x86_64/linux @@ -2,6 +2,7 @@ boot/System.map-KVER boot/config-KVER boot/vmlinuz-KVER #etc/cpufreq-bench.conf +etc/modprobe.d/bonding.conf etc/modprobe.d/ipv6.conf #lib/modules #lib/modules/KVER diff --git a/config/rootfiles/core/197/filelists/files b/config/rootfiles/core/197/filelists/files index a38e3118f8..b49f7d984a 100644 --- a/config/rootfiles/core/197/filelists/files +++ b/config/rootfiles/core/197/filelists/files 
@@ -1,4 +1,5 @@ etc/httpd/conf/vhosts.d/ipfire-interface-ssl.conf +etc/modprobe.d/bonding.conf etc/rc.d/init.d/cpupower etc/rc.d/init.d/firewall etc/rc.d/init.d/functions @@ -11,6 +12,9 @@ etc/rc.d/rc3.d/S51openvpn-n2n etc/rc.d/rc6.d/K10openvpn-rw etc/rc.d/rc6.d/K11openvpn-n2n etc/rc.d/rcsysinit.d/S46cpupower +lib/udev/network-hotplug-master +lib/udev/network-hotplug-rename +lib/udev/rules.d/60-net.rules srv/web/ipfire/cgi-bin/ovpnmain.cgi srv/web/ipfire/cgi-bin/services.cgi srv/web/ipfire/cgi-bin/vpnmain.cgi diff --git a/config/rootfiles/core/197/update.sh b/config/rootfiles/core/197/update.sh index 8e109d140d..dc91494993 100644 --- a/config/rootfiles/core/197/update.sh +++ b/config/rootfiles/core/197/update.sh @@ -93,6 +93,7 @@ rm -rvf \ rm -vf \ /etc/rc.d/init.d/networking/red.down/10-ovpn \ /etc/rc.d/init.d/networking/red.up/50-ovpn \ + /lib/udev/network-hotplug-bridge \ /usr/lib/libbtrfs.so.0.? \ /usr/lib/libbtrfsutil.so.1.? diff --git a/config/rootfiles/packages/arpwatch b/config/rootfiles/packages/arpwatch new file mode 100644 index 0000000000..d173da2698 --- /dev/null +++ b/config/rootfiles/packages/arpwatch @@ -0,0 +1,5 @@ +etc/rc.d/init.d/arpwatch +usr/sbin/arpsnmp +usr/sbin/arpwatch +#var/lib/arpwatch +var/lib/arpwatch/ethercodes.dat diff --git a/config/udev/60-net.rules b/config/udev/60-net.rules index fff7513bc1..f4850b9dd5 100644 --- a/config/udev/60-net.rules +++ b/config/udev/60-net.rules @@ -6,5 +6,5 @@ ACTION=="add", SUBSYSTEM=="net", PROGRAM="/lib/udev/network-hotplug-rename", RES # that has just come up. ACTION=="add", SUBSYSTEM=="net", RUN+="/lib/udev/network-hotplug-vlan" -# Call a script that will set up zones as bridges -ACTION=="add", SUBSYSTEM=="net", RUN+="/lib/udev/network-hotplug-bridges" +# Call a script that will set up interfaces that have a master interface (bridges, bonding, ..) +ACTION=="add", SUBSYSTEM=="net", RUN+="/lib/udev/network-hotplug-master" 
diff --git a/config/udev/network-hotplug-bridges b/config/udev/network-hotplug-master similarity index 61% rename from config/udev/network-hotplug-bridges rename to config/udev/network-hotplug-master index 39faeb5a9e..ed9cd58c3f 100644 --- a/config/udev/network-hotplug-bridges +++ b/config/udev/network-hotplug-master @@ -25,13 +25,19 @@ eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) +# Only run this script once at a time +if [ -z "${LOCKED}" ]; then + export LOCKED=1 + exec flock "${0}" "${0}" "$@" +fi + detect_zone() { local intf="${INTERFACE%?}" intf="${intf%phys}" intf="${intf^^}" local zone - for zone in GREEN BLUE ORANGE RED; do + for zone in GREEN BLUE ORANGE RED INTF0 INTF1 INTF2 INTF3; do # Try to find if INTERFACE is the *phys version of a zone if [ "${intf}" = "${zone}" ]; then echo "${zone}" 
@@ -71,57 +77,92 @@ ZONE=$(detect_zone) # Cannot proceed if we could not find a zone if [ -z "${ZONE}" ]; then - logger "Could not find a bridged zone for ${INTERFACE}" + logger "Could not find a master zone for ${INTERFACE}" exit 0 fi # Determine the mode of this zone MODE="$(get_value "${ZONE}_MODE")" -# The name of the virtual bridge -BRIDGE="$(get_value "${ZONE}_DEV")" +# Exit if there is no MODE +if [ -z "${MODE}" ]; then + exit 0 +fi + +# The name of the virtual master interface +MASTER="$(get_value "${ZONE}_DEV")" + +# Fail if no master device has been configured +if [ -z "${MASTER}" ]; then + logger "No ${ZONE}_DEV configured" + exit 1 +fi + +# Fetch the MTU MTU="$(get_value "${ZONE}_MTU")" -STP="$(get_value "${ZONE}_STP")" -STP_PRIORITY="$(get_value "${ZONE}_STP_PRIORITY")" + +# Set default MTU if nothing is set +if [ -z "${MTU}" ]; then + MTU=1500 +fi + +# Fetch the MAC address of the master interface +ADDRESS="$(get_value "${ZONE}_MACADDR")" + +# If no address has been configured, generate a random one +if [ -z "${ADDRESS}" ]; then + ADDRESS="$(random_mac_address)" +fi case "${MODE}" in - bridge) - # Set default MTU if nothing is set - if [ -z "${MTU}" ]; then - MTU=1500 + # Bond + bond) + BOND_MODE="$(get_value "${ZONE}_BOND_MODE")" + if [ -z "${BOND_MODE}" ]; then + BOND_MODE="802.3ad" + fi + + # Check for some valid BOND_MODE + case "${BOND_MODE}" in + balance-rr|active-backup|balance-xor|broadcast|802.3ad|balance-tlb|balance-alb) + ;; + *) + logger "Invalid bond mode ${BOND_MODE} for ${MASTER}. Falling back to 802.3ad" + BOND_MODE="802.3ad" + ;; + esac + + # Create the master interface if it does not exist + if [ ! -d "/sys/class/net/${MASTER}" ]; then + if ! 
ip link add "${MASTER}" address "${ADDRESS}" mtu "${MTU}" \ + type bond mode "${BOND_MODE}"; then + logger "Failed to create bonding interface ${MASTER}" + exit 1 + fi fi + ;; + + # Bridge + bridge) + # Fetch spanning tree settings + STP="$(get_value "${ZONE}_STP")" + STP_PRIORITY="$(get_value "${ZONE}_STP_PRIORITY")" # We need to check if $STP_PRIORITY has a valid value if not set it if [ -z "${STP_PRIORITY}" ]; then STP_PRIORITY=16384 fi - ADDRESS="$(get_value "${ZONE}_MACADDR")" - [ -n "${ADDRESS}" ] || ADDRESS="$(random_mac_address)" - # We need to create the bridge if it doesn't exist, yet - if [ ! -d "/sys/class/net/${BRIDGE}" ]; then - ip link add "${BRIDGE}" address "${ADDRESS}" mtu "${MTU}" type bridge \ + if [ ! -d "/sys/class/net/${MASTER}" ]; then + ip link add "${MASTER}" address "${ADDRESS}" mtu "${MTU}" type bridge \ $([ "${STP}" = "on" ] && echo "stp_state 1 priority ${STP_PRIORITY}" ) - #ip link set "${BRIDGE}" up fi # Try setting wireless interfaces into master mode if [ -d "/sys/class/net/${INTERFACE}/phy80211" ]; then iw dev "${INTERFACE}" set type __ap fi - - # Attempt to set the MTU - ip link set dev "${INTERFACE}" mtu "${MTU}" - - # Attach the physical device - logger "Attach ${INTERFACE} to ${BRIDGE}" - ip link set dev "${INTERFACE}" master "${BRIDGE}" - ip link set dev "${INTERFACE}" up - ;; - - "") - exit 0 ;; *) @@ -129,3 +170,17 @@ case "${MODE}" in exit 1 ;; esac + +# Attempt to set the MTU +ip link set dev "${INTERFACE}" mtu "${MTU}" + +# Ensure the physical interface is down +ip link set dev "${INTERFACE}" down + +# Attach the physical device +logger "Attach ${INTERFACE} to ${MASTER}" +ip link set dev "${INTERFACE}" master "${MASTER}" +ip link set dev "${INTERFACE}" up + +# Done! +exit 0 diff --git a/config/udev/network-hotplug-rename b/config/udev/network-hotplug-rename index 7c81bdb781..b4e694ed34 100644 --- a/config/udev/network-hotplug-rename +++ b/config/udev/network-hotplug-rename 
@@ -57,7 +57,7 @@ fi eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) # Standard zones -ZONES="RED GREEN ORANGE BLUE" +ZONES="RED GREEN ORANGE BLUE INTF0 INTF1 INTF2 INTF3" # Determine the address of INTERFACE ADDRESS="$( + + + + $Lang::tr{'remark title'} + + + + + +END + + if ($cgiparams{'TYPE'} eq 'host') { + print < + + $Lang::tr{'enabled'} + + + + + + + + + $Lang::tr{'enable otp'} + + + + + END + } if ($cgiparams{'TYPE'} eq 'net') { # If GCM ciphers are in usage, HMAC menu is disabled @@ -4572,105 +4603,144 @@ END }; print <  -   - $Lang::tr{'Act as'} - - - - $Lang::tr{'remote host/ip'}: - - + + $Lang::tr{'Act as'} + + + + - $Lang::tr{'local subnet'} * - + + $Lang::tr{'remote host/ip'}: + + + + - $Lang::tr{'remote subnet'} * - - + + $Lang::tr{'local subnet'} * + + + + - $Lang::tr{'ovpn subnet'} * - + + $Lang::tr{'remote subnet'} * + + + + - $Lang::tr{'protocol'} - - + + $Lang::tr{'ovpn subnet'} * + + + + - - $Lang::tr{'destination port'}: * - + + $Lang::tr{'protocol'} + + + + - Management Port ($Lang::tr{'openvpn default'}: $Lang::tr{'destination port'}): - - + + $Lang::tr{'destination port'}: * + + + + -
+ + Management Port ($Lang::tr{'openvpn default'}: $Lang::tr{'destination port'}): + + + + + - - $Lang::tr{'MTU settings'} - +
+ $Lang::tr{'MTU settings'} +
- $Lang::tr{'MTU'} - - $Lang::tr{'openvpn default'}: udp/tcp 1500/1400 - + + + + + - - - - + + + + - - - - + + + + - - - + + + + +
$Lang::tr{'MTU'} + +
fragment:$Lang::tr{'openvpn default'}: 1300
fragment: + +
mssfix:$Lang::tr{'openvpn default'}: on
mssfix: + +
$Lang::tr{'comp-lzo'}
$Lang::tr{'comp-lzo'} + +
-
- - $Lang::tr{'ovpn crypto settings'}: - +
+ $Lang::tr{'ovpn crypto settings'}: +
- $Lang::tr{'cipher'} - - - - $Lang::tr{'ovpn ha'}: - - - -
+ + + + + + + + + +
$Lang::tr{'cipher'} + +
$Lang::tr{'ovpn ha'}: + +
END ; @@ -4690,48 +4760,6 @@ print< - - $Lang::tr{'remark title'} - - - - - -END - - # Enabled? - if ($cgiparams{'TYPE'} eq 'host') { - print < - - $Lang::tr{'enabled'} - - - - - -END - } - - # OTP? - if ($cgiparams{'TYPE'} eq 'host') { - print < - - $Lang::tr{'enable otp'} - - - - - -END - } - - print ""; - if ($cgiparams{'TYPE'} eq 'host') { print ""; my %vpnnet=(); diff --git a/lfs/arpwatch b/lfs/arpwatch new file mode 100644 index 0000000000..0ccfa66a25 --- /dev/null +++ b/lfs/arpwatch @@ -0,0 +1,116 @@ +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2007-2025 IPFire Team # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see . # +# # +############################################################################### + +############################################################################### +# Definitions +############################################################################### + +include Config + +SUMMARY = Monitoring tool for ARP traffic on a network + +VER = 3.8 +ETHERCODES_DATE = 20200628 + +# 
From: https://ee.lbl.gov/downloads/arpwatch/ + +THISAPP = arpwatch-$(VER) +DL_FILE = $(THISAPP).tar.gz +DL_FROM = $(URL_IPFIRE) +DIR_APP = $(DIR_SRC)/$(THISAPP) +TARGET = $(DIR_INFO)/$(THISAPP) +PROG = arpwatch +PAK_VER = 1 + +DEPS = + +SERVICES = arpwatch + +# Enable debugging code +CFLAGS += -DDEBUG=1 + +############################################################################### +# Top-level Rules +############################################################################### + +objects = $(DL_FILE) ethercodes.dat-$(ETHERCODES_DATE).xz + +$(DL_FILE) = $(DL_FROM)/$(DL_FILE) + +$(DL_FILE)_BLAKE2 = 2ec0360ed12722e09cfccd06a1ab48ed77ea017d9ebf182cf2792dac53b61b1f0d6b5895fe30ec4d6b9e05d78aa75762775e548573f7bd5b2918ce8ca775eed3 +ethercodes.dat-$(ETHERCODES_DATE).xz_BLAKE2 = e702b9109ef3ccce73e2637f96126bf19e7dfa533774c0bd623042b3609f147981263b84397ec155a65ae12fa57247c32644e1e7e57c2c749ef768156d853027 + +install : $(TARGET) + +check : $(patsubst %,$(DIR_CHK)/%,$(objects)) + +download :$(patsubst %,$(DIR_DL)/%,$(objects)) + +b2 : $(subst %,%_BLAKE2,$(objects)) + +dist: + @$(PAK) + +############################################################################### +# Downloading, checking, b2sum +############################################################################### + +$(patsubst %,$(DIR_CHK)/%,$(objects)) : + @$(CHECK) + +$(patsubst %,$(DIR_DL)/%,$(objects)) : + @$(LOAD) + +$(subst %,%_BLAKE2,$(objects)) : + @$(B2SUM) + +############################################################################### +# Installation Details +############################################################################### + +$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) + @$(PREBUILD) + @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) + + # Fix compilation issues + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/arpwatch/53_stop-using-_getshort.patch + cd $(DIR_APP) && sed -i '1i#include ' report.c + + # Don't install the initscript + cd $(DIR_APP) && 
sed -i '/@HAVE_FREEBSD_TRUE@/d' Makefile.in + + # Build! + cd $(DIR_APP) && ./configure --prefix=/usr + cd $(DIR_APP) && make $(MAKETUNING) + cd $(DIR_APP) && make install + + # Install initscripts + $(call INSTALL_INITSCRIPTS,$(SERVICES)) + + # Install the data directory + -mkdir -pv /var/lib/arpwatch + + # Install ethercodes.dat + xz -dvv \ + < $(DIR_DL)/ethercodes.dat-$(ETHERCODES_DATE).xz \ + > /var/lib/arpwatch/ethercodes.dat + + @rm -rf $(DIR_APP) + @$(POSTBUILD) diff --git a/lfs/linux b/lfs/linux index 52f8cb4279..118a0fcf22 100644 --- a/lfs/linux +++ b/lfs/linux @@ -232,6 +232,9 @@ endif # Disable ipv6 at runtime echo "options ipv6 disable_ipv6=1" > /etc/modprobe.d/ipv6.conf + # Do not automatically create bond0 when bonding is being loaded + echo "options bonding max_bonds=0" > /etc/modprobe.d/bonding.conf + # build cpupower utility cd $(DIR_APP)/tools/power/cpupower && make $(MAKETUNING) cd $(DIR_APP)/tools/power/cpupower && make install diff --git a/lfs/udev b/lfs/udev index 19e0557a30..2b1be02cd5 100644 --- a/lfs/udev +++ b/lfs/udev @@ -148,8 +148,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) /lib/udev/network-hotplug-rename install -v -m 755 $(DIR_SRC)/config/udev/network-hotplug-vlan \ /lib/udev/network-hotplug-vlan - install -v -m 755 $(DIR_SRC)/config/udev/network-hotplug-bridges \ - /lib/udev/network-hotplug-bridges + install -v -m 755 $(DIR_SRC)/config/udev/network-hotplug-master \ + /lib/udev/network-hotplug-master install -v -m 644 $(DIR_SRC)/config/udev/60-net.rules \ /lib/udev/rules.d diff --git a/make.sh b/make.sh index 56fd9be22b..c3de610b9b 100755 --- a/make.sh +++ b/make.sh @@ -2089,6 +2089,7 @@ build_system() { lfsmake2 inotify-tools lfsmake2 grub-btrfs lfsmake2 fort-validator + lfsmake2 arpwatch lfsmake2 linux lfsmake2 rtl8812au diff --git a/src/initscripts/packages/arpwatch b/src/initscripts/packages/arpwatch new file mode 100644 index 0000000000..09dcdf1ba7 --- /dev/null +++ b/src/initscripts/packages/arpwatch 
@@ -0,0 +1,81 @@ +#!/bin/sh +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2007-2022 IPFire Team # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see . # +# # +############################################################################### + +. /etc/sysconfig/rc +. ${rc_functions} + +# Optionally load the configuration file +if [ -r "/etc/sysconfig/arpwatch" ]; then + . /etc/sysconfig/arpwatch +fi + +case "${1}" in + start) + args=( + -D /var/lib/arpwatch + ) + + # Add the watcher + if [ -n "${WATCHER}" ]; then + args+=( "-w" "${WATCHER}" ) + fi + + # Add the watchee + if [ -n "${WATCHEE}" ]; then + args+=( "-W" "${WATCHEE}" ) + fi + + for intf in ${INTERFACES}; do + boot_mesg "Starting ARP Watch on ${intf}..." + + # Create the data file for this interface + if [ ! -e "/var/lib/arpwatch/${intf}.dat" ]; then + : > "/var/lib/arpwatch/${intf}.dat" + fi + + PIDFILE="/var/run/arpwatch-${intf}.pid" \ + loadproc -f \ + /usr/sbin/arpwatch "${args[@]}" \ + -P "/var/run/arpwatch-${intf}.pid" \ + -f "/var/lib/arpwatch/${intf}.dat" \ + -i "${intf}" + done + ;; + + stop) + for intf in ${INTERFACES}; do + boot_mesg "Stopping ARP Watch on ${intf}..." 
+ PIDFILE="/var/run/arpwatch-${intf}.pid" \ + killproc /usr/sbin/arpwatch + done + ;; + + restart) + ${0} stop + sleep 1 + ${0} start + ;; + + *) + echo "Usage: ${0} {start|stop|restart}" + exit 1 + ;; +esac diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index 304c7c3cc9..45b4bd56af 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -434,7 +434,7 @@ iptables_init() { # If a Tor relay is enabled apply firewall rules if [ "${TOR_RELAY_ENABLED}" = "on" -a -n "${TOR_RELAY_PORT}" ]; then - /usr/local/bin/torctrl restart 1> /dev/null + /usr/local/bin/torctrl restart &>/dev/null fi # POLICY CHAIN diff --git a/src/initscripts/system/functions b/src/initscripts/system/functions index 85eb3e975b..c4b7cb39e6 100644 --- a/src/initscripts/system/functions +++ b/src/initscripts/system/functions @@ -620,7 +620,11 @@ killproc() done if [ -z "${killsig}" ]; then - pidofproc -s "${1}" + if [ -z "${pidfile}" ]; then + pidofproc -s "${1}" + else + pidofproc -s -p "${pidfile}" "${1}" + fi # Program was terminated if [ "$?" != "0" ]; then diff --git a/src/paks/arpwatch/install.sh b/src/paks/arpwatch/install.sh new file mode 100644 index 0000000000..12ff2ab360 --- /dev/null +++ b/src/paks/arpwatch/install.sh 
@@ -0,0 +1,33 @@ +#!/bin/bash +############################################################################ +# # +# This file is part of the IPFire Firewall. # +# # +# IPFire is free software; you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation; either version 2 of the License, or # +# (at your option) any later version. # +# # +# IPFire is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with IPFire; if not, write to the Free Software # +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # +# # +# Copyright (C) 2007 IPFire-Team . # +# # +############################################################################ +# +. /opt/pakfire/lib/functions.sh +extract_files +restore_backup ${NAME} + +start_service ${NAME} + +# Enable autostart +ln -vsf ../init.d/arpwatch /etc/rc.d/rc0.d/K12arpwatch +ln -vsf ../init.d/arpwatch /etc/rc.d/rc3.d/S64arpwatch +ln -vsf ../init.d/arpwatch /etc/rc.d/rc6.d/K12arpwatch diff --git a/src/paks/arpwatch/uninstall.sh b/src/paks/arpwatch/uninstall.sh new file mode 100644 index 0000000000..e27cc13451 --- /dev/null +++ b/src/paks/arpwatch/uninstall.sh 
@@ -0,0 +1,28 @@ +#!/bin/bash +############################################################################ +# # +# This file is part of the IPFire Firewall. # +# # +# IPFire is free software; you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation; either version 2 of the License, or # +# (at your option) any later version. # +# # +# IPFire is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with IPFire; if not, write to the Free Software # +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # +# # +# Copyright (C) 2007 IPFire-Team . # +# # +############################################################################ +# +. /opt/pakfire/lib/functions.sh +stop_service ${NAME} +make_backup ${NAME} +remove_files +rm -rfv /etc/rc.d/rc*.d/*arpwatch diff --git a/src/paks/arpwatch/update.sh b/src/paks/arpwatch/update.sh new file mode 100644 index 0000000000..99776659c3 --- /dev/null +++ b/src/paks/arpwatch/update.sh 
@@ -0,0 +1,27 @@ +#!/bin/bash +############################################################################ +# # +# This file is part of the IPFire Firewall. # +# # +# IPFire is free software; you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation; either version 2 of the License, or # +# (at your option) any later version. # +# # +# IPFire is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with IPFire; if not, write to the Free Software # +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # +# # +# Copyright (C) 2007-2020 IPFire-Team . # +# # +############################################################################ +# +. /opt/pakfire/lib/functions.sh +extract_backup_includes +./uninstall.sh +./install.sh diff --git a/src/patches/arpwatch/53_stop-using-_getshort.patch b/src/patches/arpwatch/53_stop-using-_getshort.patch new file mode 100644 index 0000000000..da83f4b438 --- /dev/null +++ b/src/patches/arpwatch/53_stop-using-_getshort.patch 
@@ -0,0 +1,25 @@ +Description: replace private function _getshort with ns_get16 + _getshort is a private function, triggers a build log warning because it's + not present in any header file. We switch to the functionally equivalent + ns_get16. +Author: Lukas Schwaighofer + +--- + dns.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/dns.c ++++ b/dns.c +@@ -115,10 +115,10 @@ + (u_char *)cp, (char *)bp, buflen)) < 0) + break; + cp += n; +- type = _getshort(cp); ++ type = ns_get16(cp); + cp += sizeof(u_short); /* class */ + cp += sizeof(u_short) + sizeof(u_int32_t); +- n = _getshort(cp); ++ n = ns_get16(cp); + cp += sizeof(u_short); + if (type == T_HINFO) { + /* Unpack */ hooks/post-receive -- IPFire 2.x development tree
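Review bot: in the config/rootfiles/core/197/update.sh hunk the path being removed, `/lib/udev/network-hotplug-bridge`, does not match the file that is actually being replaced: the rename hunk (`rename from config/udev/network-hotplug-bridges`) and the lfs/udev hunk (`-lib/udev/network-hotplug-bridges`) both spell it with a trailing "s". As written the old script is left behind on every upgraded system, so the line should read `/lib/udev/network-hotplug-bridges \`.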
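Review bot: the locking hunk in config/udev/network-hotplug-master (`if [ -z "${LOCKED}" ]; then export LOCKED=1; exec flock "${0}" "${0}" "$@"; fi`) silently skips the lock whenever a variable named LOCKED is already present in the environment udev hands to the script, and it blocks without a bound: udev kills RUN+= programs that exceed its event timeout, so a burst of interface add events all queued on the same lock can push the later ones past that limit. A dedicated lock file under /run, a less generic guard name, and `flock -w` with a logger message when the lock cannot be taken in time would make the behaviour predictable.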
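Review bot: in the `case "${MODE}" in` hunk of network-hotplug-master the bond branch checks the result of `ip link add ... type bond` and logs and exits on failure, but the bridge branch still runs `ip link add "${MASTER}" address "${ADDRESS}" mtu "${MTU}" type bridge \` unchecked and then falls through to the shared `ip link set dev "${INTERFACE}" master "${MASTER}"` at the end of the script. Wrapping the bridge creation in the same `if ! ip link add ...; then logger ...; exit 1; fi` keeps both paths consistent and avoids a misleading secondary error from the enslave step.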
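Review bot: the zone list is now maintained in two places: `for zone in GREEN BLUE ORANGE RED INTF0 INTF1 INTF2 INTF3` in detect_zone (network-hotplug-master) and `ZONES="RED GREEN ORANGE BLUE INTF0 INTF1 INTF2 INTF3"` in network-hotplug-rename. A future INTF4 will be added to one and forgotten in the other; reading the list from one shared definition would avoid that.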
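Review bot: config/backup/includes/arpwatch backs up all of /var/lib/arpwatch, which also contains ethercodes.dat, a file the package itself installs (it is listed in config/rootfiles/packages/arpwatch and regenerated from the download in lfs/arpwatch). Excluding it keeps backups small and stops a restore from overwriting a newer vendor database with an older copy; the per-interface *.dat files created by the initscript are what needs preserving.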
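Review bot: `CFLAGS += -DDEBUG=1` ("Enable debugging code") in lfs/arpwatch compiles the debugging paths into the package that ships to users; if that is only meant for development it should be dropped, and if it is intended the comment should say why. Separately, the `sed -i '1i#include ' report.c` line has lost the header name in this notification, so the intent of that fix cannot be checked here.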
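Review bot: src/initscripts/packages/arpwatch starts with `#!/bin/sh` but uses bash arrays (`args=(`, `args+=(`); that only works while /bin/sh is bash, so `#!/bin/bash` states the real requirement. When /etc/sysconfig/arpwatch is missing or INTERFACES is empty, `for intf in ${INTERFACES}` loops zero times and `start` exits 0 having started nothing; a boot_mesg such as "No interfaces configured for arpwatch" would make that visible. Note also that the `stop` path (`PIDFILE="/var/run/arpwatch-${intf}.pid" killproc /usr/sbin/arpwatch`) relies on the killproc change in src/initscripts/system/functions from this same series.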
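Review bot: the killproc hunk in src/initscripts/system/functions branches on `${pidfile}`, but the visible context does not show where `pidfile` is derived from the `PIDFILE` variable the arpwatch initscript exports; please confirm that assignment exists earlier in killproc. With `pidofproc -s -p "${pidfile}" "${1}"`, a stale PID file whose PID has been reused by an unrelated process can make the daemon look alive, so either verify that pidofproc checks the process name or remove the PID file on a clean stop.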
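Review bot: `/usr/local/bin/torctrl restart &>/dev/null` in src/initscripts/system/firewall uses the bash-only `&>` redirection; `>/dev/null 2>&1` does the same and keeps working if the script is ever run by a POSIX sh.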
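Review bot: 53_stop-using-_getshort.patch replaces `_getshort` with `ns_get16`, which is declared in <arpa/nameser.h>, but adds no include to dns.c; please confirm dns.c already pulls that header in (directly or via <resolv.h>), otherwise the build swaps one implicit-declaration warning for another.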

