From: Michael Tremer <git@ipfire.org>
To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, next, updated. a0bfe960372b4343b42cfe405fe9140ce18c0326
Date: Tue, 30 Sep 2025 09:00:24 +0000 (UTC) [thread overview]
Message-ID: <4cbX890RJrz2xqQ@people01.haj.ipfire.org> (raw)
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, next has been updated
via a0bfe960372b4343b42cfe405fe9140ce18c0326 (commit)
via df09a64b08d101f7036b37c27da7bb9b06d307cc (commit)
via 345edfb9b4d2ba3eb76f2ac06647ebd7b774d09a (commit)
via 98f14a3863aa34b492c8f2d984895f5d837260cd (commit)
via 64e39a2b970010d454dfb2069954b89cd498a05a (commit)
via 3d20bc708dd24804d4da6ed311d5c04d91254a25 (commit)
via 726d4078bb3798abd6bf793c553ab4598c0037fe (commit)
via 3575c5935e9d672ad8325792f52853fceff17da9 (commit)
via cf374c870b426f87419ba14237093df1acab5975 (commit)
via 88f040b563225c164244ec1aa08b2e921b90eaa7 (commit)
from 04ea3b953a933d9b7d7b08918a8f9866c4b5f2bb (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit a0bfe960372b4343b42cfe405fe9140ce18c0326
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Tue Sep 30 08:57:04 2025 +0000
core199: Ship SSH configuration and restart the service
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit df09a64b08d101f7036b37c27da7bb9b06d307cc
Author: Peter Müller <peter.mueller@ipfire.org>
Date: Sun Sep 28 21:06:00 2025 +0000
ssh_config: Fix indentation mangled by Vim
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 345edfb9b4d2ba3eb76f2ac06647ebd7b774d09a
Author: Peter Müller <peter.mueller@ipfire.org>
Date: Sun Sep 28 21:06:00 2025 +0000
OpenSSH: Amend upstream default cipher changes
This patch implements the following change made to OpenSSH server
upstream in version 10.0:
* sshd(8): this release disables finite field (a.k.a modp)
Diffie-Hellman key exchange in sshd by default. Specifically,
this removes the "diffie-hellman-group*" and
"diffie-hellman-group-exchange-*" methods from the default
KEXAlgorithms list. The client is unchanged and continues to
support these methods by default. Finite field Diffie Hellman
is slow and computationally expensive for the same security
level as Elliptic Curve DH or PQ key agreement while offering
no redeeming advantages. ECDH has been specified for the SSH
protocol for 15 years and some form of ECDH has been the default
key exchange in OpenSSH for the last 14 years.
In addition, for both OpenSSH server and client, the following upstream
change made in version 9.9 is implemented:
* ssh(1): the hybrid post-quantum algorithm mlkem768x25519-sha256
is now used by default for key agreement. This algorithm is
considered to be safe against attack by quantum computers,
is guaranteed to be no less strong than the popular
curve25519-sha256 algorithm, has been standardised by NIST
and is considerably faster than the previous default.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
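An added pre-restart check for the KexAlgorithms/Ciphers/MACs change described above (example code written for this page, not part of this push or of IPFire): it parses an OpenSSH config and compares every configured name against what the installed binary reports via `ssh -Q kex|cipher|mac`, so a name the local build does not know is caught before sshd is restarted. SAMPLE_CONFIG is a constructed excerpt and the default path is an assumption.

```python
"""Verify that every KEX, cipher and MAC named in an OpenSSH config is one the
installed binaries support.  sshd refuses to start on an unknown algorithm
name, so this is worth running before the restart that ships a new config."""
import shutil
import subprocess

# Config keyword -> the "ssh -Q" query that lists what the binary supports.
# ssh and sshd from the same build share one algorithm table.
QUERIES = {"KexAlgorithms": "kex", "Ciphers": "cipher", "MACs": "mac"}

# Constructed sample mirroring the sshd_config change in this push.
SAMPLE_CONFIG = """\
# Only allow safe crypto algorithms
KexAlgorithms mlkem768x25519-sha256,sntrup761x25519-sha512,curve25519-sha256
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com
MACs hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
"""


def parse_algorithm_lists(config_text):
    """Return {keyword: [algorithm, ...]} for the crypto keywords found.
    Leading whitespace is tolerated so indented Host-block entries (as in
    ssh_config) parse too; comments and unrelated keywords are skipped; a
    leading '+', '-' or '^' (append/remove/prepend to the default) is dropped."""
    lists = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2 or parts[0] not in QUERIES:
            continue
        value = parts[1].strip().lstrip("+-^")
        lists[parts[0]] = [a for a in value.split(",") if a]
    return lists


def query_supported(query):
    """Ask the installed ssh binary what it supports; None if ssh is absent."""
    if shutil.which("ssh") is None:
        return None
    out = subprocess.run(["ssh", "-Q", query], capture_output=True, text=True)
    return set(out.stdout.split())


def find_unsupported(lists, supported_by_keyword):
    """Return {keyword: [algorithm, ...]} for configured names the binary
    lacks; an empty dict means the config is safe to load."""
    return {
        kw: [a for a in algs if a not in supported_by_keyword.get(kw, set())]
        for kw, algs in lists.items()
        if any(a not in supported_by_keyword.get(kw, set()) for a in algs)
    }


def check_file(path):
    """Parse a config file and check it against the installed ssh binary."""
    with open(path) as fh:
        lists = parse_algorithm_lists(fh.read())
    supported = {kw: query_supported(q) for kw, q in QUERIES.items()}
    if any(v is None for v in supported.values()):
        raise SystemExit("ssh binary not found; cannot query supported algorithms")
    return find_unsupported(lists, supported)


if __name__ == "__main__":
    import sys
    # Assumed default path; pass another file as the first argument.
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/ssh/sshd_config"
    bad = check_file(path)
    for kw, algs in bad.items():
        print(f"{kw}: not supported by installed ssh: {', '.join(algs)}")
    sys.exit(1 if bad else 0)
```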
commit 98f14a3863aa34b492c8f2d984895f5d837260cd
Author: Peter Müller <peter.mueller@ipfire.org>
Date: Sun Sep 28 21:05:00 2025 +0000
OpenSSH: Prefer AES-GCM ciphers over AES-CTR
This reflects the following change made upstream in OpenSSH 9.9:
* ssh(1): prefer AES-GCM to AES-CTR mode when selecting a cipher
for the connection. The default cipher preference list is now
Chacha20/Poly1305, AES-GCM (128/256) followed by AES-CTR
(128/192/256).
However, we keep preferring AES-GCM over Chacha/Poly, as hardware
acceleration often grants the former a better performance, while there
is no security advance of Chacha/Poly usage over 256 bit AES-GCM.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 64e39a2b970010d454dfb2069954b89cd498a05a
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Tue Sep 30 08:53:58 2025 +0000
core199: Ship updated initscripts
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 3d20bc708dd24804d4da6ed311d5c04d91254a25
Author: Peter Müller <peter.mueller@ipfire.org>
Date: Sun Sep 28 19:51:00 2025 +0000
initscripts: Always wait for xtables lock when running iptables commands
If not explicitly instructed to do so, iptables by default aborts with
an error message such as
> Can't lock /run/xtables.lock: Resource temporarily unavailable
> Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
if the Xtables lock is still set, i.e., another iptables operation is
currently in progress. This causes iptables commands not to be executed
at all if there are delays during the boot procedure, e.g. due to slow
PPPoE dial-up procedure or similar.
To ensure deterministic behavior, this patch modifies initscripts to
always execute iptables to wait for the Xtables lock to be removed, to
make sure iptables rules are installed properly (the "firewall"
initscript is doing so already).
Fixes: #13896 - OpenVPN RW port not opened in firewall after reboot
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Tested-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 726d4078bb3798abd6bf793c553ab4598c0037fe
Author: Peter Müller <peter.mueller@ipfire.org>
Date: Sun Sep 28 22:29:00 2025 +0000
Tor: Update to 0.4.8.18
Changes in version 0.4.8.18 - 2025-09-16
This is a minor release with a major onion service directory cache (HSDir)
bug fix. A series of minor bugfixes as well. As always, we strongly recommend
to upgrade as soon as possible.
o Major bugfixes (onion service directory cache):
- Preserve the download counter of an onion service descriptor
across descriptor uploads, so that recently updated descriptors
don't get pruned if there is memory pressure soon after update.
Additionally, create a separate torrc option MaxHSDirCacheBytes
that defaults to the former 20% of MaxMemInQueues threshold, but
can be controlled by relay operators under DoS. Also enforce this
threshold during HSDir uploads. Fixes bug 41006; bugfix
on 0.4.8.14.
o Minor feature (padding, logging):
- Reduce the amount of messages being logged related to channel
padding timeout when log level is "notice".
o Minor features (fallbackdir):
- Regenerate fallback directories generated on September 16, 2025.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2025/09/16.
o Minor bugfix (conflux):
- Remove the pending nonce if we realize that the nonce of the
unlinked circuit is not tracked anymore. Should avoid the non
fatal assert triggered with a control port circuit event. Fixes
bug 41037; bugfix on 0.4.8.15.
o Minor bugfixes (circuit handling):
- Prevent circuit_mark_for_close() from being called twice on the
same circuit. Second fix attempt. Fixes bug 41106; bugfix
on 0.4.8.17.
o Minor bugfixes (threads):
- Make thread control POSIX compliant. Fixes bug 41109; bugfix
on 0.4.8.17-dev.
Changes in version 0.4.8.17 - 2025-06-30
This is a minor release providing a series of minor features especially in the realm
of TLS. It also brings a new set of recommended and required sub protocols.
And finally, few minor bugfixes, nothing major. As always, we strongly
recommend you upgrade as soon as possible.
o Minor features (security, TLS):
- When we are running with OpenSSL 3.5.0 or later, support using the
ML-KEM768 for post-quantum key agreement. Closes ticket 41041.
o Minor feature (client, TLS):
- Set the TLS 1.3 cipher list instead of falling back on the
default value.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on June 30, 2025.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2025/06/30.
o Minor features (hsdesc POW):
- Tolerate multiple PoW schemes in onion service descriptors, for
future extensibility. Implements torspec ticket 272.
o Minor features (performance TLS):
- When running with OpenSSL 3.0.0 or later, support using
X25519 for TLS key agreement. (This should slightly improve
performance for TLS session establishment.)
o Minor features (portability):
- Fix warnings when compiling with GCC 15. Closes ticket 41079.
o Minor features (recommended protocols):
- Directory authorities now vote to recommend that clients support
certain protocols beyond those that are required. These include
improved support for connecting to relays on IPv6, NtorV3, and
congestion control. Part of ticket 40836.
o Minor features (required protocols):
- Directory authorities now vote to require clients to support the
authenticated SENDME feature, which was introduced in
0.4.1.1-alpha. Part of ticket 40836.
- Directory authorities now vote to require relays to support
certain protocols, all of which have been implemented since
0.4.7.4-alpha or earlier. These include improved support for
connecting to relays on IPv6, NtorV3, running as a rate-limited
introduction point, authenticated SENDMEs, and congestion control.
Part of ticket 40836.
o Minor bugfix (conflux):
- Avoid a non fatal assert when describing a conflux circuit on the
control port after being prepped to be freed. Fixes bug 41037;
bugfix on 0.4.8.15.
o Minor bugfixes (circuit handling):
- Prevent circuit_mark_for_close() from being called twice on the
same circuit. Fixes bug 40951; bugfix on 0.4.8.16-dev.
o Minor bugfixes (compiler warnings):
- Make sure the two bitfields in the half-closed edge struct are
unsigned, as we're using them for boolean values and assign 1 to
them. Fixes bug 40911; bugfix on 0.4.7.2-alpha.
o Minor bugfixes (threads, memory):
- Improvements in cleanup of resources used by threads. Fixes bug
40991; bugfix on 0.4.8.13-dev.
- Rework start and exit of worker threads.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 3575c5935e9d672ad8325792f52853fceff17da9
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Tue Sep 30 08:51:37 2025 +0000
arpwatch: Bump release
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit cf374c870b426f87419ba14237093df1acab5975
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Tue Sep 30 08:50:38 2025 +0000
arpwatch: Add "status" command to the help text
Reported-by: Jon Murphy <jon.murphy@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 88f040b563225c164244ec1aa08b2e921b90eaa7
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Tue Sep 30 08:49:53 2025 +0000
arpwatch: Zero-pad MAC addresses
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-----------------------------------------------------------------------
Summary of changes:
config/rootfiles/core/199/filelists/files | 7 +++++++
config/rootfiles/core/199/update.sh | 1 +
config/ssh/ssh_config | 30 +++++++++++++++---------------
config/ssh/sshd_config | 4 ++--
lfs/arpwatch | 6 ++++--
lfs/tor | 6 +++---
src/initscripts/networking/red | 4 ++--
src/initscripts/packages/arpwatch | 2 +-
src/initscripts/packages/tor | 10 +++++-----
src/initscripts/system/dhcp | 16 ++++++++--------
src/initscripts/system/openvpn-n2n | 10 +++++-----
src/initscripts/system/openvpn-rw | 6 +++---
src/initscripts/system/wireguard | 20 ++++++++++----------
13 files changed, 66 insertions(+), 56 deletions(-)
Difference in files:
diff --git a/config/rootfiles/core/199/filelists/files b/config/rootfiles/core/199/filelists/files
index 9c54b971bb..10acc3fd41 100644
--- a/config/rootfiles/core/199/filelists/files
+++ b/config/rootfiles/core/199/filelists/files
@@ -1,2 +1,9 @@
+etc/rc.d/init.d/dhcp
+etc/rc.d/init.d/networking/red
+etc/rc.d/init.d/openvpn-n2n
+etc/rc.d/init.d/openvpn-rw
+etc/rc.d/init.d/wireguard
+etc/ssh/ssh_config
+etc/ssh/sshd_config
srv/web/ipfire/cgi-bin/vulnerabilities.cgi
usr/sbin/openvpn-authenticator
diff --git a/config/rootfiles/core/199/update.sh b/config/rootfiles/core/199/update.sh
index 7c34af7255..d0a4f23c05 100644
--- a/config/rootfiles/core/199/update.sh
+++ b/config/rootfiles/core/199/update.sh
@@ -52,6 +52,7 @@ ldconfig
# Start services
/etc/init.d/unbound restart
+/etc/init.d/sshd restart
# Build initial ramdisks (for dracut-ng update)
dracut --regenerate-all --force
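Review bot: the `/etc/init.d/sshd restart` is unconditional and runs right after the new sshd_config has been installed, so a config sshd cannot load (for instance an algorithm name this build does not know) would take remote access down together with the update; running `sshd -t` first and skipping the restart when it fails would keep the box reachable. It is also worth confirming that "restart" does not start sshd on installations where the administrator has it switched off.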
diff --git a/config/ssh/ssh_config b/config/ssh/ssh_config
index d5f63f315c..66cb0c2ccd 100644
--- a/config/ssh/ssh_config
+++ b/config/ssh/ssh_config
@@ -5,30 +5,30 @@
# Set some basic hardening options for all connections
Host *
- # Disable undocumented roaming feature as it is known to be vulnerable
- UseRoaming no
+ # Disable undocumented roaming feature as it is known to be vulnerable
+ UseRoaming no
- # Only use secure crypto algorithms
- KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
- Ciphers aes256-gcm@openssh.com,aes256-ctr,chacha20-poly1305@openssh.com,aes192-ctr,aes128-gcm@openssh.com,aes128-ctr
- MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+ # Only use secure crypto algorithms
+ KexAlgorithms mlkem768x25519-sha256,sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+ Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+ MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
- # Always visualise server host keys (helps to identify key based MITM attacks)
- VisualHostKey yes
+ # Always visualise server host keys (helps to identify key based MITM attacks)
+ VisualHostKey yes
- # Use SSHFP (might work on some up-to-date networks) to look up host keys
- VerifyHostKeyDNS yes
+ # Use SSHFP (might work on some up-to-date networks) to look up host keys
+ VerifyHostKeyDNS yes
- # Send SSH-based keep alive messages to connected server to avoid broken connections
- ServerAliveInterval 10
- ServerAliveCountMax 30
+ # Send SSH-based keep alive messages to connected server to avoid broken connections
+ ServerAliveInterval 10
+ ServerAliveCountMax 30
# Disable TCP keep alive messages since they can be spoofed and we have SSH-based
# keep alive messages enabled; there is no need to do things twice here
TCPKeepAlive no
- # Ensure only allowed authentication methods are used
- PreferredAuthentications publickey,keyboard-interactive,password
+ # Ensure only allowed authentication methods are used
+ PreferredAuthentications publickey,keyboard-interactive,password
# Prevent information leak by hashing ~/.ssh/known_hosts
HashKnownHosts yes
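Review bot: almost every line in this hunk is a whitespace-only change from the indentation fix, and the substantive edits are the reordered KexAlgorithms and Ciphers lines; reviewing with `git diff -w` isolates them. The client list deliberately keeps diffie-hellman-group-exchange-sha256 as the last KEX entry, consistent with the commit message that upstream left the client defaults unchanged.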
diff --git a/config/ssh/sshd_config b/config/ssh/sshd_config
index 7b687457c8..3e25e74e8c 100644
--- a/config/ssh/sshd_config
+++ b/config/ssh/sshd_config
@@ -20,8 +20,8 @@ LoginGraceTime 30s
MaxStartups 5
# Only allow safe crypto algorithms
-KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
-Ciphers aes256-gcm@openssh.com,aes256-ctr,chacha20-poly1305@openssh.com,aes192-ctr,aes128-gcm@openssh.com,aes128-ctr
+KexAlgorithms mlkem768x25519-sha256,sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org
+Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
# Only allow cryptographically safe SSH host keys (adjust paths if needed)
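Review bot: removing diffie-hellman-group-exchange-sha256 from the server KexAlgorithms means a client that offers neither curve25519-sha256 nor one of the PQ hybrids can no longer connect once update.sh restarts sshd. That matches the OpenSSH 10.0 default described in the commit message, but it is a user-visible compatibility change and belongs in the Core Update release notes. The Ciphers line only changes preference order; all six ciphers remain enabled.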
diff --git a/lfs/arpwatch b/lfs/arpwatch
index 1b701cd4f2..46eac65026 100644
--- a/lfs/arpwatch
+++ b/lfs/arpwatch
@@ -37,7 +37,7 @@ DL_FROM = $(URL_IPFIRE)
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
PROG = arpwatch
-PAK_VER = 2
+PAK_VER = 3
DEPS =
@@ -101,7 +101,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/arpwatch/fix-envelope-sender.patch
# Build!
- cd $(DIR_APP) && ./configure --prefix=/usr
+ cd $(DIR_APP) && ./configure \
+ --prefix=/usr \
+ --enable-zeropad
cd $(DIR_APP) && make $(MAKETUNING)
cd $(DIR_APP) && make install
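Review bot: `--enable-zeropad` changes how MAC addresses are written to arp.dat and to reports; please confirm that an arp.dat produced by the previous package (unpadded form) is still parsed correctly after the upgrade, otherwise every known station would be reported as new at the first restart. The PAK_VER bump in the hunk above is what makes the rebuilt binary reach existing installations.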
diff --git a/lfs/tor b/lfs/tor
index 0d57f5fed9..af16cc9824 100644
--- a/lfs/tor
+++ b/lfs/tor
@@ -26,7 +26,7 @@ include Config
SUMMARY = Anonymizing overlay network for TCP (The onion router)
-VER = 0.4.8.16
+VER = 0.4.8.18
THISAPP = tor-$(VER)
DL_FILE = $(THISAPP).tar.gz
@@ -34,7 +34,7 @@ DL_FROM = $(URL_IPFIRE)
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
PROG = tor
-PAK_VER = 89
+PAK_VER = 90
DEPS = libseccomp
@@ -48,7 +48,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = fdaf3d124d3e1b11589a5219033c8d37d3e6c8986ff60e930d2bf80532dd6be4c7ee1634bd0806bd283a9954e4478f3be7b9b61abd13e3274fef3b8373df1b00
+$(DL_FILE)_BLAKE2 = 8a2ff369d3b29557a4bb3018dcc5c17b04e459626d23a44bed2968c938a4073ff85c88f734b8f732273197cbb173b70906b4f553db7a432cfbefad73329f6349
install : $(TARGET)
diff --git a/src/initscripts/networking/red b/src/initscripts/networking/red
index 6d779b3652..536fc972c9 100644
--- a/src/initscripts/networking/red
+++ b/src/initscripts/networking/red
@@ -162,8 +162,8 @@ case "${1}" in
elif [ "${TYPE}" == "DHCP" ]; then
# Add firewall rules to allow comunication with the dhcp server on red.
- iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i ${DEVICE} -j ACCEPT
- iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i ${DEVICE} -j ACCEPT
+ iptables --wait -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i ${DEVICE} -j ACCEPT
+ iptables --wait -A REDINPUT -p udp --source-port 67 --destination-port 68 -i ${DEVICE} -j ACCEPT
echo -n "${DEVICE}" > /var/ipfire/red/iface
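Review bot: `--wait` without an argument blocks indefinitely if another process never releases /run/xtables.lock, so a stuck iptables invocation would stall red bringup instead of failing loudly; iptables accepts an optional timeout (`--wait 30`) that would bound this. This applies to every `--wait` added in this series and is raised once here. Separately, the tcp rule for ports 67/68 predates this change (DHCP runs over UDP only) and could be dropped in a follow-up.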
diff --git a/src/initscripts/packages/arpwatch b/src/initscripts/packages/arpwatch
index 316cf3e71c..8c0ff6c521 100644
--- a/src/initscripts/packages/arpwatch
+++ b/src/initscripts/packages/arpwatch
@@ -86,7 +86,7 @@ case "${1}" in
;;
*)
- echo "Usage: ${0} {start|stop|restart}"
+ echo "Usage: ${0} {start|stop|restart|status}"
exit 1
;;
esac
diff --git a/src/initscripts/packages/tor b/src/initscripts/packages/tor
index 47797265cf..eef9682f33 100644
--- a/src/initscripts/packages/tor
+++ b/src/initscripts/packages/tor
@@ -37,19 +37,19 @@ function setup_firewall() {
# Allow incoming traffic to Tor relay (and directory) port and
# all outgoing TCP connections from Tor user.
if [ "${TOR_RELAY_ENABLED}" = "on" -a -n "${TOR_RELAY_PORT}" ]; then
- iptables -A TOR_INPUT -p tcp --dport "${TOR_RELAY_PORT}" -j ACCEPT
- iptables -A TOR_OUTPUT -p tcp -m owner --uid-owner tor -j ACCEPT
+ iptables --wait -A TOR_INPUT -p tcp --dport "${TOR_RELAY_PORT}" -j ACCEPT
+ iptables --wait -A TOR_OUTPUT -p tcp -m owner --uid-owner tor -j ACCEPT
fi
if [ "${TOR_RELAY_ENABLED}" = "on" -a -n "${TOR_RELAY_DIRPORT}" ] && [ "${TOR_RELAY_DIRPORT}" -ne 0 ]; then
- iptables -A TOR_INPUT -p tcp --dport "${TOR_RELAY_DIRPORT}" -j ACCEPT
+ iptables --wait -A TOR_INPUT -p tcp --dport "${TOR_RELAY_DIRPORT}" -j ACCEPT
fi
}
function flush_firewall() {
# Flush all rules.
- iptables -F TOR_INPUT
- iptables -F TOR_OUTPUT
+ iptables --wait -F TOR_INPUT
+ iptables --wait -F TOR_OUTPUT
}
case "${1}" in
diff --git a/src/initscripts/system/dhcp b/src/initscripts/system/dhcp
index 61b9516588..826cd2dfe7 100644
--- a/src/initscripts/system/dhcp
+++ b/src/initscripts/system/dhcp
@@ -28,10 +28,10 @@ eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
eval $(/usr/local/bin/readhash /var/ipfire/dhcp/settings)
function flush_chains() {
- iptables -F DHCPGREENINPUT
- iptables -F DHCPGREENOUTPUT
- iptables -F DHCPBLUEINPUT
- iptables -F DHCPBLUEOUTPUT
+ iptables --wait -F DHCPGREENINPUT
+ iptables --wait -F DHCPGREENOUTPUT
+ iptables --wait -F DHCPBLUEINPUT
+ iptables --wait -F DHCPBLUEOUTPUT
}
case "$1" in
@@ -41,14 +41,14 @@ case "$1" in
if [ -n "${GREEN_DEV}" -a -e "/var/ipfire/dhcp/enable_green" ]; then
LISTEN_INTERFACES+=" ${GREEN_DEV}"
- iptables -A DHCPGREENINPUT -i "${GREEN_DEV}" -j DHCPINPUT
- iptables -A DHCPGREENOUTPUT -o "${GREEN_DEV}" -j DHCPOUTPUT
+ iptables --wait -A DHCPGREENINPUT -i "${GREEN_DEV}" -j DHCPINPUT
+ iptables --wait -A DHCPGREENOUTPUT -o "${GREEN_DEV}" -j DHCPOUTPUT
fi
if [ -n "${BLUE_DEV}" -a -e "/var/ipfire/dhcp/enable_blue" ]; then
LISTEN_INTERFACES+=" ${BLUE_DEV}"
- iptables -A DHCPBLUEINPUT -i "${BLUE_DEV}" -j DHCPINPUT
- iptables -A DHCPBLUEOUTPUT -o "${BLUE_DEV}" -j DHCPOUTPUT
+ iptables --wait -A DHCPBLUEINPUT -i "${BLUE_DEV}" -j DHCPINPUT
+ iptables --wait -A DHCPBLUEOUTPUT -o "${BLUE_DEV}" -j DHCPOUTPUT
fi
boot_mesg "Starting DHCP Server..."
diff --git a/src/initscripts/system/openvpn-n2n b/src/initscripts/system/openvpn-n2n
index 9853983795..f6d554eaf1 100644
--- a/src/initscripts/system/openvpn-n2n
+++ b/src/initscripts/system/openvpn-n2n
@@ -63,10 +63,10 @@ update_firewall_rules() {
local local_address
# Flush the block chain
- iptables -F OVPNBLOCK
+ iptables --wait -F OVPNBLOCK
# Flush the NAT chain
- iptables -t nat -F OVPNNAT
+ iptables --wait -t nat -F OVPNNAT
local IFS=','
@@ -85,10 +85,10 @@ update_firewall_rules() {
fi
# Open port
- iptables -A OVPNINPUTN2N -p "${proto}" --dport "${port}" -j ACCEPT
+ iptables --wait -A OVPNINPUTN2N -p "${proto}" --dport "${port}" -j ACCEPT
# Block all communication from transfer networks
- iptables -A OVPNBLOCK -s "${transfer_subnet}" -j DROP
+ iptables --wait -A OVPNBLOCK -s "${transfer_subnet}" -j DROP
# Calculate NAT addresses
transfer_address="$(calculate_transfer_address "${transfer_subnet}" "${role}")"
@@ -96,7 +96,7 @@ update_firewall_rules() {
# NAT all outgoing connections away from the transfer net
if [ -n "${transfer_address}" -a -n "${local_address}" ]; then
- iptables -t nat -A OVPNNAT -s "${transfer_address}" \
+ iptables --wait -t nat -A OVPNNAT -s "${transfer_address}" \
-j SNAT --to-source "${local_address}"
fi
done < /var/ipfire/ovpn/ovpnconfig
diff --git a/src/initscripts/system/openvpn-rw b/src/initscripts/system/openvpn-rw
index 6359d0d08c..d506c8ebd8 100644
--- a/src/initscripts/system/openvpn-rw
+++ b/src/initscripts/system/openvpn-rw
@@ -38,10 +38,10 @@ case "${1}" in
modprobe tun &>/dev/null
# Flush all firewall rules
- iptables -F OVPNINPUTRW
+ iptables --wait -F OVPNINPUTRW
# Open the port
- iptables -A OVPNINPUTRW \
+ iptables --wait -A OVPNINPUTRW \
-p "${DPROTOCOL}" --dport "${DDEST_PORT}" -j ACCEPT
boot_mesg "Starting OpenVPN Roadwarrior Server..."
@@ -60,7 +60,7 @@ case "${1}" in
killproc /usr/sbin/openvpn
# Flush all firewall rules
- iptables -F OVPNINPUTRW
+ iptables --wait -F OVPNINPUTRW
;;
restart)
diff --git a/src/initscripts/system/wireguard b/src/initscripts/system/wireguard
index caaa69cb96..ead1cdce88 100644
--- a/src/initscripts/system/wireguard
+++ b/src/initscripts/system/wireguard
@@ -216,7 +216,7 @@ generate_config() {
ip addr add "${local_address}" dev "${intf}"
# Apply MASQUERADE
- iptables -t nat -A WGNAT -o "${intf}" -j MASQUERADE
+ iptables --wait -t nat -A WGNAT -o "${intf}" -j MASQUERADE
fi
echo "[Interface]"
@@ -230,7 +230,7 @@ generate_config() {
echo "ListenPort = ${port}"
# Open the port
- iptables -A WGINPUT -p udp --dport "${port}" -j ACCEPT
+ iptables --wait -A WGINPUT -p udp --dport "${port}" -j ACCEPT
fi
echo "[Peer]"
@@ -285,7 +285,7 @@ generate_config() {
# Set blocking rules
for local_subnet in ${local_subnets//|/ }; do
for remote_subnet in ${remote_subnets//|/ }; do
- iptables -I WGBLOCK \
+ iptables --wait -I WGBLOCK \
-s "${remote_subnet}" -d "${local_subnet}" -j RETURN
done
done
@@ -297,23 +297,23 @@ generate_config() {
reload_firewall() {
# Flush all previous rules
- iptables -F WGINPUT
- iptables -t nat -F WGNAT
+ iptables --wait -F WGINPUT
+ iptables --wait -t nat -F WGNAT
if [ "${ENABLED}" = "on" ]; then
- iptables -A WGINPUT -p udp --dport "${PORT}" -j ACCEPT
+ iptables --wait -A WGINPUT -p udp --dport "${PORT}" -j ACCEPT
fi
- iptables -F WGBLOCK
+ iptables --wait -F WGBLOCK
# Don't block any traffic from Roadwarrior peers
if [ -n "${CLIENT_POOL}" ]; then
- iptables -A WGBLOCK -s "${CLIENT_POOL}" -i wg0 -j RETURN
- iptables -A WGBLOCK -d "${CLIENT_POOL}" -o wg0 -j RETURN
+ iptables --wait -A WGBLOCK -s "${CLIENT_POOL}" -i wg0 -j RETURN
+ iptables --wait -A WGBLOCK -d "${CLIENT_POOL}" -o wg0 -j RETURN
fi
# Block all other traffic
- iptables -A WGBLOCK -j REJECT --reject-with icmp-admin-prohibited
+ iptables --wait -A WGBLOCK -j REJECT --reject-with icmp-admin-prohibited
# Flush any custom routes
ip route flush table wg 2>/dev/null
hooks/post-receive
--
IPFire 2.x development tree