Merge branch 'master' into ppp-update

config/etc/ipsec.user.conf

@@ -0,0 +1,2 @@
+# user connections that should not overwritten by the webif
+#

config/etc/ipsec.user.secrets

@@ -0,0 +1,2 @@
+# user secrets that should not overwritten by the webif
+#

config/rootfiles/common/stage2

@@ -15,6 +15,8 @@ etc/hddtemp.db
 etc/host.conf
 etc/inittab
 etc/inputrc
+#etc/ipsec.user.conf
+#etc/ipsec.user.secrets
 etc/issue
 etc/ld.so.conf
 etc/logrotate.conf

config/rootfiles/common/strongswan

@@ -1,4 +1,5 @@
 etc/ipsec.conf
+etc/ipsec.user.conf
 #etc/ipsec.d
 etc/ipsec.d/aacerts
 etc/ipsec.d/acerts
@@ -9,6 +10,7 @@ etc/ipsec.d/ocspcerts
 etc/ipsec.d/private
 etc/ipsec.d/reqs
 etc/ipsec.secrets
+etc/ipsec.user.secrets
 etc/strongswan.conf
 #usr/lib/libcharon.a
 #usr/lib/libcharon.la

config/rootfiles/core/38/filelists/files

@@ -55,6 +55,7 @@ etc/rc.d/init.d/network
 etc/rc.d/init.d/ntp
 etc/rc.d/init.d/modules
 usr/local/bin/ipsecctrl
+usr/local/bin/rebuildhosts
 usr/local/bin/syslogdctrl
 usr/local/bin/wirelessctrl
 usr/local/sbin/setup

config/rootfiles/core/38/update.sh

@@ -61,6 +61,9 @@ echo boot >> /opt/pakfire/tmp/ROOTFILES
 echo etc/sysconfig/lm_sensors >> /opt/pakfire/tmp/ROOTFILES
 echo usr/lib/ipsec >> /opt/pakfire/tmp/ROOTFILES
 echo usr/libexec/ipsec >> /opt/pakfire/tmp/ROOTFILES
+# exclude squid cache from backup
+sed -i -e "s|^var/log/cache|#var/log/cache|g" /opt/pakfire/tmp/ROOTFILES
+# Backup the files
 tar cjvf /var/ipfire/backup/core-upgrade_$KVER.tar.bz2 \
     -C / -T /opt/pakfire/tmp/ROOTFILES --exclude='#*' > /dev/null 2>&1
 

config/rootfiles/core/39/filelists/files

@@ -0,0 +1 @@
+etc/system-release

config/rootfiles/core/39/meta

@@ -0,0 +1 @@
+DEPS=""

config/rootfiles/core/39/update.sh

@@ -0,0 +1,42 @@
+#!/bin/bash
+############################################################################
+#                                                                          #
+# This file is part of the IPFire Firewall.                                #
+#                                                                          #
+# IPFire is free software; you can redistribute it and/or modify           #
+# it under the terms of the GNU General Public License as published by     #
+# the Free Software Foundation; either version 3 of the License, or        #
+# (at your option) any later version.                                      #
+#                                                                          #
+# IPFire is distributed in the hope that it will be useful,                #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of           #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the            #
+# GNU General Public License for more details.                             #
+#                                                                          #
+# You should have received a copy of the GNU General Public License        #
+# along with IPFire; if not, write to the Free Software                    #
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307 USA #
+#                                                                          #
+# Copyright (C) 2010 IPFire-Team <info@ipfire.org>.                        #
+#                                                                          #
+############################################################################
+#
+. /opt/pakfire/lib/functions.sh
+/usr/local/bin/backupctrl exclude >/dev/null 2>&1
+#
+#Stop services
+
+#
+#Extract files
+extract_files
+#
+#Start services
+
+#
+#Update Language cache
+perl -e "require '/var/ipfire/lang.pl'; &Lang::BuildCacheLang"
+
+#
+#Finish
+#Don't report the exitcode last command
+exit 0

html/cgi-bin/ids.cgi

@@ -143,7 +143,7 @@ if (-e "/etc/snort/snort.conf") {
 					# If see more than one dashed line, (start to) create rule file description
 					if ($dashlinecnt > 1) {
 						# Check for a line starting with a #
-						if ($ruleline =~ /^\#/) {
+						if ($ruleline =~ /^\#/ and $ruleline !~ /^\#alert/) {
 							# Create tempruleline
 							my $tempruleline = $ruleline;
 

html/cgi-bin/vpnmain.cgi

@@ -289,6 +289,12 @@ sub writeipsecfiles {
     #print CONF "\tdisablearrivalcheck=no\n";
     print CONF "\n";
 
+    # Add user includes to config file
+    print CONF "include /etc/ipsec.user.conf\n";
+    print CONF "\n";
+
+    print SECRETS "include /etc/ipsec.user/secrets\n";
+
     if (-f "${General::swroot}/certs/hostkey.pem") {
         print SECRETS ": RSA ${General::swroot}/certs/hostkey.pem\n"
     }

make.sh

@@ -25,7 +25,7 @@
 NAME="IPFire"							# Software name
 SNAME="ipfire"							# Short name
 VERSION="2.7"							# Version number
-CORE="38"							# Core Level (Filename)
+CORE="39"							# Core Level (Filename)
 PAKFIRE_CORE="38"						# Core Level (PAKFIRE)
 GIT_BRANCH=`git status | head -n1 | cut -d" " -f4`		# Git Branch
 SLOGAN="www.ipfire.org"						# Software slogan

src/misc-progs/ipsecctrl.c

@@ -141,16 +141,11 @@ int decode_line (char *s,
     issue ipsec commmands to turn on connection 'name'
 */
 void turn_connection_on (char *name, char *type) {
-        char command[STRING_SIZE];
+/*
-	FILE *file = NULL;
+    if you find a way to start a single connection without changing all add it
-
+    here. Change also vpn-watch.
-	if (file = fopen("/var/run/vpn-watch.pid", "r")) {
+*/
-	    safe_system("kill -9 $(cat /var/run/vpn-watch.pid)");
-	    safe_system("unlink /var/run/vpn-watch.pid");
-	    close(file);
-	}
         safe_system("/etc/rc.d/init.d/ipsec restart >/dev/null");
-        safe_system("/usr/local/bin/vpn-watch &");
 }
 /*
     issue ipsec commmands to turn off connection 'name'
@@ -193,6 +188,12 @@ int main(int argc, char *argv[]) {
 
  /* Get vpnwatch pid */
 
+
+	if ((argc == 2) && (file = fopen("/var/run/vpn-watch.pid", "r"))) {
+	    safe_system("kill -9 $(cat /var/run/vpn-watch.pid)");
+	    safe_system("unlink /var/run/vpn-watch.pid");
+	    close(file);
+	}
  
         /* FIXME: workaround for pclose() issue - still no real idea why
          * this is happening */
@@ -338,6 +339,8 @@ int main(int argc, char *argv[]) {
 
         // start the system
         if ((argc == 2) && strcmp(argv[1], "S") == 0) {
+		safe_system("/etc/rc.d/init.d/ipsec restart >/dev/null");
+		safe_system("/usr/local/bin/vpn-watch &");
                 exit(0);
         }
 

src/misc-progs/rebuildhosts.c

@@ -1,154 +1,176 @@
-/* IPCop helper program - rebuildhosts
+/* IPCop helper program - rebuildhosts
- *
+ *
- * This program is distributed under the terms of the GNU General Public
+ * This program is distributed under the terms of the GNU General Public
- * Licence.  See the file COPYING for details.
+ * Licence.  See the file COPYING for details.
- *
+ *
- * (c) Alan Hourihane, 2003
+ * (c) Alan Hourihane, 2003
- * 
+ * 
- *
+ *
- * $Id: rebuildhosts.c,v 1.3.2.6 2005/07/11 10:56:47 franck78 Exp $
+ * $Id: rebuildhosts.c,v 1.3.2.6 2005/07/11 10:56:47 franck78 Exp $
- *
+ *
- */
+ */
-
+
-#include "libsmooth.h"
+#include "libsmooth.h"
-#include <stdio.h>
+#include <stdio.h>
-#include <stdlib.h>
+#include <stdlib.h>
-#include <unistd.h>
+#include <unistd.h>
-#include <fcntl.h>
+#include <fcntl.h>
-#include <string.h>
+#include <string.h>
-#include <sys/types.h>
+#include <sys/types.h>
-#include <sys/stat.h>
+#include <sys/stat.h>
-#include <signal.h>
+#include <signal.h>
-#include "setuid.h"
+#include "setuid.h"
-
+
-FILE *fd = NULL;
+FILE *fd = NULL;
-FILE *hosts = NULL;
+FILE *hosts = NULL;
-struct keyvalue *kv = NULL;
+FILE *gw = NULL;
-
+struct keyvalue *kv = NULL;
-void exithandler(void)
+
-{
+void exithandler(void)
-	if (kv)
+{
-		freekeyvalues(kv);
+	if (kv)
-	if (fd)
+		freekeyvalues(kv);
-		fclose(fd);
+	if (fd)
-	if (hosts)
+		fclose(fd);
-		fclose(hosts);
+	if (hosts)
-}
+		fclose(hosts);
-
+	if (gw)
-int main(int argc, char *argv[])
+		fclose(gw);
-{
+}
-	int fdpid; 
+
-	char hostname[STRING_SIZE];
+int main(int argc, char *argv[])
-	char domainname[STRING_SIZE] = "";
+{
-	char buffer[STRING_SIZE];
+	int fdpid; 
-	char address[STRING_SIZE];
+	char hostname[STRING_SIZE];
-	char *active, *ip, *host, *domain;
+	char domainname[STRING_SIZE] = "";
-	int pid;
+	char gateway[STRING_SIZE] = "";
-
+	char buffer[STRING_SIZE];
-	if (!(initsetuid()))
+	char address[STRING_SIZE];
-		exit(1);
+	char *active, *ip, *host, *domain;
-
+	int pid;
-	atexit(exithandler);
+
-
+	if (!(initsetuid()))
-	memset(buffer, 0, STRING_SIZE);
+		exit(1);
-
+
-	kv = initkeyvalues();
+	atexit(exithandler);
-	if (!(readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings")))
+
-	{
+	memset(buffer, 0, STRING_SIZE);
-		fprintf(stderr, "Couldn't read ethernet settings\n");
+
-		exit(1);
+	kv = initkeyvalues();
-	}
+	if (!(readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings")))
-	findkey(kv, "GREEN_ADDRESS", address);
+	{
-	freekeyvalues(kv);
+		fprintf(stderr, "Couldn't read ethernet settings\n");
-
+		exit(1);
-	kv = initkeyvalues();
+	}
-	if (!(readkeyvalues(kv, CONFIG_ROOT "/main/settings")))
+	findkey(kv, "GREEN_ADDRESS", address);
-	{
+	freekeyvalues(kv);
-		fprintf(stderr, "Couldn't read main settings\n");
+
-		exit(1);
+	kv = initkeyvalues();
-	}
+	if (!(readkeyvalues(kv, CONFIG_ROOT "/main/settings")))
-	strcpy(hostname, SNAME ); 
+	{
-	findkey(kv, "HOSTNAME", hostname);
+		fprintf(stderr, "Couldn't read main settings\n");
-	findkey(kv, "DOMAINNAME", domainname);
+		exit(1);
-	freekeyvalues(kv);
+	}
-	kv = NULL;
+	strcpy(hostname, SNAME ); 
-
+	findkey(kv, "HOSTNAME", hostname);
-	if (!(fd = fopen(CONFIG_ROOT "/main/hosts", "r")))
+	findkey(kv, "DOMAINNAME", domainname);
-	{
+	freekeyvalues(kv);
-		fprintf(stderr, "Couldn't open main hosts file\n");
+	kv = NULL;
-		exit(1);
+
-	}
+	if (!(gw = fopen(CONFIG_ROOT "/red/remote-ipaddress", "r")))
-	if (!(hosts = fopen("/etc/hosts", "w")))
+	{
-	{
+		fprintf(stderr, "Couldn't open remote-ipaddress file\n");
-		fprintf(stderr, "Couldn't open /etc/hosts file\n");
+		fclose(gw);
-    		fclose(fd);
+		gw = NULL;
-		fd = NULL;
+		exit(1);
-		exit(1);
+	}
-	}
+
-	fprintf(hosts, "127.0.0.1\tlocalhost\n");
+	if (fgets(gateway, STRING_SIZE, gw) == NULL)
-	if (strlen(domainname))
+	{
-		fprintf(hosts, "%s\t%s.%s\t%s\n",address,hostname,domainname,hostname);
+		fprintf(stderr, "Couldn't read remote-ipaddress\n");
-	else
+		exit(1);
-		fprintf(hosts, "%s\t%s\n",address,hostname);
+	}
-	while (fgets(buffer, STRING_SIZE, fd))
+
-	{
+	if (!(fd = fopen(CONFIG_ROOT "/main/hosts", "r")))
-		buffer[strlen(buffer) - 1] = 0;
+	{
-		if (buffer[0]==',') continue;		/* disabled if empty field	*/
+		fprintf(stderr, "Couldn't open main hosts file\n");
-		active = strtok(buffer, ",");
+		exit(1);
-		if (strcmp(active, "off")==0) continue; /* or 'off'			*/
+	}
-		
+
-		ip = strtok(NULL, ",");
+	if (!(hosts = fopen("/etc/hosts", "w")))
-		host = strtok(NULL, ",");
+	{
-		domain = strtok(NULL, ",");
+		fprintf(stderr, "Couldn't open /etc/hosts file\n");
-
+    		fclose(fd);
-		if (!(ip && host))
+		fd = NULL;
-			continue;	// bad line ? skip
+		exit(1);
-
+	}
-		if (!VALID_IP(ip))
+	fprintf(hosts, "127.0.0.1\tlocalhost\n");
-		{
+	if (strlen(domainname))
-			fprintf(stderr, "Bad IP: %s\n", ip);
+		fprintf(hosts, "%s\t%s.%s\t%s\n",address,hostname,domainname,hostname);
-			continue;       /*  bad ip, skip */
+	else
-		}
+		fprintf(hosts, "%s\t%s\n",address,hostname);
-
+
-		if (strspn(host, LETTERS_NUMBERS "-") != strlen(host))
+	fprintf(hosts, "%s\tgateway\n",gateway);
-		{
+
-			fprintf(stderr, "Bad Host: %s\n", host);
+	while (fgets(buffer, STRING_SIZE, fd))
-			continue;       /*  bad name, skip */
+	{
-		}
+		buffer[strlen(buffer) - 1] = 0;
-
+		if (buffer[0]==',') continue;		/* disabled if empty field	*/
-		if (domain)
+		active = strtok(buffer, ",");
-			fprintf(hosts, "%s\t%s.%s\t%s\n",ip,host,domain,host);
+		if (strcmp(active, "off")==0) continue; /* or 'off'			*/
-		else
+		
-			fprintf(hosts, "%s\t%s\n",ip,host);
+		ip = strtok(NULL, ",");
-	}
+		host = strtok(NULL, ",");
-	fclose(fd);
+		domain = strtok(NULL, ",");
-	fd = NULL;
+
-	fclose(hosts);
+		if (!(ip && host))
-	hosts = NULL;
+			continue;	// bad line ? skip
-
+
-	if ((fdpid = open("/var/run/dnsmasq.pid", O_RDONLY)) == -1)
+		if (!VALID_IP(ip))
-	{
+		{
-		fprintf(stderr, "Couldn't open pid file\n");
+			fprintf(stderr, "Bad IP: %s\n", ip);
-		exit(1);
+			continue;       /*  bad ip, skip */
-	}
+		}
-	if (read(fdpid, buffer, STRING_SIZE - 1) == -1)
+
-	{
+		if (strspn(host, LETTERS_NUMBERS "-") != strlen(host))
-		fprintf(stderr, "Couldn't read from pid file\n");
+		{
-		close(fdpid);
+			fprintf(stderr, "Bad Host: %s\n", host);
-		exit(1);
+			continue;       /*  bad name, skip */
-	}
+		}
-	close(fdpid);
+
-	pid = atoi(buffer);
+		if (domain)
-	if (pid <= 1)
+			fprintf(hosts, "%s\t%s.%s\t%s\n",ip,host,domain,host);
-	{
+		else
-		fprintf(stderr, "Bad pid value\n");
+			fprintf(hosts, "%s\t%s\n",ip,host);
-		exit(1);
+	}
-	}
+	fclose(fd);
-	if (kill(pid, SIGHUP) == -1)
+	fd = NULL;
-	{
+	fclose(hosts);
-		fprintf(stderr, "Unable to send SIGHUP\n");
+	hosts = NULL;
-		exit(1);
+
-	}
+	if ((fdpid = open("/var/run/dnsmasq.pid", O_RDONLY)) == -1)
-
+	{
-	return 0;
+		fprintf(stderr, "Couldn't open pid file\n");
-}
+		exit(1);
+	}
+	if (read(fdpid, buffer, STRING_SIZE - 1) == -1)
+	{
+		fprintf(stderr, "Couldn't read from pid file\n");
+		close(fdpid);
+		exit(1);
+	}
+	close(fdpid);
+	pid = atoi(buffer);
+	if (pid <= 1)
+	{
+		fprintf(stderr, "Bad pid value\n");
+		exit(1);
+	}
+	if (kill(pid, SIGHUP) == -1)
+	{
+		fprintf(stderr, "Unable to send SIGHUP\n");
+		exit(1);
+	}
+
+	return 0;
+}

src/scripts/vpn-watch

@@ -1,6 +1,6 @@
 #!/usr/bin/perl 
 ##################################################
-#####     VPN-Watch.pl     Version 0.4c      #####
+#####     VPN-Watch.pl     Version 0.5       #####
 ##################################################
 #                                                #
 #   VPN-Watch is part of the IPFire Firewall     #
@@ -24,13 +24,17 @@ if ( -e $file ){
   }
 
 system("echo $$ > $file");
-    
+my $round=0;
 while ( $i == 0){
   if ($debug){logger("We will wait 60 seconds before next action.");}
     sleep(60);
-  
+
-  if (open(FILE, "<${General::swroot}/vpn/config")) {
+  $round++;
-    @vpnsettings = <FILE>;
+
+   # Reset roundcounter after 10 min. To do established check.
+  if ($round > 9) { $round=0 }
+
+  if (open(FILE, "<${General::swroot}/vpn/config")) {    @vpnsettings = <FILE>;
     close(FILE);
     unless(@vpnsettings) {exit 1;}
   }
@@ -50,12 +54,21 @@ foreach (@vpnsettings){
   
   my $remoteip = `/usr/bin/ping -c 1 $remotehostname 2>/dev/null | head -n1 | awk '{print \$3}' | tr -d '()' | tr -d ':'`;chomp($remoteip);
   if ($remoteip eq ""){next;if ($debug){logger("Unable to resolve $remotehostname.");}}
-  my $ipmatch= `echo "$status" | grep $remoteip | grep $settings[2]`;
+  my $ipmatch= `echo "$status" | grep '$remoteip' | grep '$settings[2]'`;
+  my $established= `echo "$status" | grep '$settings[2]' | grep 'erouted;'`; 
   
   if ( $ipmatch eq '' ){
-    logger("Remote IP for host $remotehostname-$remoteip has changed, restarting ipsec.");
+    logger("Remote IP for host $remotehostname($remoteip) has changed, restarting ipsec.");
-    system("/usr/local/bin/ipsecctrl S");
+    system("/usr/local/bin/ipsecctrl S $settings[0]");
     last; #all connections will reloaded
+          #remove this if ipsecctrl can restart single con again
+  }
+  if ( ($round = 0) && ($established eq '')) {
+    logger("Connection to $remotehostname($remoteip) not erouted, restarting ipsec.");
+    system("/usr/local/bin/ipsecctrl S $settings[0]");
+    last; #all connections will reloaded
+          #remove this if ipsecctrl can restart single con again
+
   }
  }
  if ($debug){logger("All connections may be fine nothing was done.");}
@@ -65,4 +78,3 @@ sub logger {
         my $log = shift;
         system("logger -t vpnwatch \"$log\"");
 }
-