From 1a7db134068cc0ed6e599413090b18fa19743142 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Fri, 26 Oct 2018 11:23:55 +0000 Subject: [PATCH 01/21] json-c: New package Signed-off-by: Michael Tremer --- config/rootfiles/common/json-c | 21 +++++++++ lfs/json-c | 80 ++++++++++++++++++++++++++++++++++ make.sh | 2 + 3 files changed, 103 insertions(+) create mode 100644 config/rootfiles/common/json-c create mode 100644 lfs/json-c diff --git a/config/rootfiles/common/json-c b/config/rootfiles/common/json-c new file mode 100644 index 000000000..6be4bbe68 --- /dev/null +++ b/config/rootfiles/common/json-c @@ -0,0 +1,21 @@ +#usr/include/json-c +#usr/include/json-c/arraylist.h +#usr/include/json-c/bits.h +#usr/include/json-c/debug.h +#usr/include/json-c/json.h +#usr/include/json-c/json_c_version.h +#usr/include/json-c/json_config.h +#usr/include/json-c/json_inttypes.h +#usr/include/json-c/json_object.h +#usr/include/json-c/json_object_iterator.h +#usr/include/json-c/json_pointer.h +#usr/include/json-c/json_tokener.h +#usr/include/json-c/json_util.h +#usr/include/json-c/json_visit.h +#usr/include/json-c/linkhash.h +#usr/include/json-c/printbuf.h +#usr/lib/libjson-c.la +#usr/lib/libjson-c.so +usr/lib/libjson-c.so.4 +usr/lib/libjson-c.so.4.0.0 +#usr/lib/pkgconfig/json-c.pc diff --git a/lfs/json-c b/lfs/json-c new file mode 100644 index 000000000..51a20ccbf --- /dev/null +++ b/lfs/json-c 
@@ -0,0 +1,80 @@ +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2007-2018 IPFire Team # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see . # +# # +############################################################################### + +############################################################################### +# Definitions +############################################################################### + +include Config + +VER = 0.13.1 + +THISAPP = json-c-$(VER) +DL_FILE = $(THISAPP).tar.gz +DL_FROM = $(URL_IPFIRE) +DIR_APP = $(DIR_SRC)/$(THISAPP) +TARGET = $(DIR_INFO)/$(THISAPP) + +############################################################################### +# Top-level Rules +############################################################################### + +objects = $(DL_FILE) + +$(DL_FILE) = $(DL_FROM)/$(DL_FILE) + +$(DL_FILE)_MD5 = 04969ad59cc37bddd83741a08b98f350 + +install : $(TARGET) + +check : $(patsubst %,$(DIR_CHK)/%,$(objects)) + +download :$(patsubst %,$(DIR_DL)/%,$(objects)) + +md5 : $(subst %,%_MD5,$(objects)) + +dist: + @$(PAK) + +############################################################################### +# Downloading, checking, md5sum +############################################################################### + +$(patsubst %,$(DIR_CHK)/%,$(objects)) : + 
@$(CHECK) + +$(patsubst %,$(DIR_DL)/%,$(objects)) : + @$(LOAD) + +$(subst %,%_MD5,$(objects)) : + @$(MD5) + +############################################################################### +# Installation Details +############################################################################### + +$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) + @$(PREBUILD) + @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP) && ./configure --prefix=/usr --disable-static + cd $(DIR_APP) && make $(MAKETUNING) + cd $(DIR_APP) && make install + @rm -rf $(DIR_APP) + @$(POSTBUILD) diff --git a/make.sh b/make.sh index d8b7856cb..47e8f3fc1 100755 --- a/make.sh +++ b/make.sh @@ -1176,6 +1176,7 @@ buildipfire() { lfsmake2 libgcrypt lfsmake2 libassuan lfsmake2 nettle + lfsmake2 json-c lfsmake2 libevent lfsmake2 libevent2 lfsmake2 expat @@ -1555,6 +1556,7 @@ buildipfire() { lfsmake2 lua lfsmake2 dnsdist lfsmake2 bird + lfsmake2 frr lfsmake2 dmidecode lfsmake2 mcelog lfsmake2 rtpproxy From feaa3d91bdd88683a433287f8be9277691e09a4c Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Mon, 29 Oct 2018 11:43:04 +0000 Subject: [PATCH 02/21] frr: New package Signed-off-by: Michael Tremer --- config/rootfiles/packages/frr | 127 ++++++++++++++++++++++++++++++++++ lfs/frr | 106 ++++++++++++++++++++++++++++ 2 files changed, 233 insertions(+) create mode 100644 config/rootfiles/packages/frr create mode 100644 lfs/frr diff --git a/config/rootfiles/packages/frr b/config/rootfiles/packages/frr new file mode 100644 index 000000000..845fea3c4 --- /dev/null +++ b/config/rootfiles/packages/frr 
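Review bot: The `$(TARGET)` recipe builds and installs with a literal `make` (`cd $(DIR_APP) && make $(MAKETUNING)` and `cd $(DIR_APP) && make install`) rather than `$(MAKE)`, so `-n`, `-j` and the jobserver of the outer invocation are not passed down to the sub-build; the lfs/frr file in the following patch carries the same two lines. This appears to copy the existing lfs template in the tree, so a tree-wide change may be the better place, but new files could start with `cd $(DIR_APP) && $(MAKE) $(MAKETUNING)` and `cd $(DIR_APP) && $(MAKE) install`. The only integrity check on the downloaded tarball is `$(DL_FILE)_MD5`; MD5 is no longer collision resistant, which is a project-wide property of the `md5`/`$(MD5)` mechanism rather than something this file can fix on its own, but worth keeping in mind since the archive is fetched from `$(URL_IPFIRE)`.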
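Review bot: The second make.sh hunk (`@@ -1555,6 +1556,7 @@`) adds `lfsmake2 frr` in this commit, but `lfs/frr` is only introduced by the next patch of the series (frr: New package), so a build at this commit fails in `buildipfire()` once it reaches that line. Keeping only `lfsmake2 json-c` here and moving `lfsmake2 frr` into the frr patch keeps every commit of the series buildable and bisectable. `buildipfire()` starts and ends outside both hunks.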
@@ -0,0 +1,127 @@ +#etc/frr +etc/frr/bgpd.conf.sample +etc/frr/bgpd.conf.sample2 +etc/frr/bgpd.conf.vnc.sample +etc/frr/ospfd.conf.sample +etc/frr/ripngd.conf.sample +etc/frr/staticd.conf.sample +etc/frr/vtysh.conf.sample +etc/frr/zebra.conf.sample +usr/bin/bgp_btoa +usr/bin/vtysh +#usr/include/frr +#usr/include/frr/bfd.h +#usr/include/frr/bitfield.h +#usr/include/frr/buffer.h +#usr/include/frr/checksum.h +#usr/include/frr/command.h +#usr/include/frr/command_graph.h +#usr/include/frr/command_match.h +#usr/include/frr/compiler.h +#usr/include/frr/csv.h +#usr/include/frr/debug.h +#usr/include/frr/distribute.h +#usr/include/frr/eigrpd +#usr/include/frr/eigrpd/eigrp_dump.h +#usr/include/frr/eigrpd/eigrp_topology.h +#usr/include/frr/eigrpd/eigrpd.h +#usr/include/frr/event_counter.h +#usr/include/frr/ferr.h +#usr/include/frr/fifo.h +#usr/include/frr/filter.h +#usr/include/frr/freebsd-queue.h +#usr/include/frr/frr_pthread.h +#usr/include/frr/frratomic.h +#usr/include/frr/frrstr.h +#usr/include/frr/getopt.h +#usr/include/frr/graph.h +#usr/include/frr/hash.h +#usr/include/frr/hook.h +#usr/include/frr/if.h +#usr/include/frr/if_rmap.h +#usr/include/frr/imsg.h +#usr/include/frr/ipaddr.h +#usr/include/frr/jhash.h +#usr/include/frr/json.h +#usr/include/frr/keychain.h +#usr/include/frr/lib_errors.h +#usr/include/frr/libfrr.h +#usr/include/frr/libospf.h +#usr/include/frr/linklist.h +#usr/include/frr/log.h +#usr/include/frr/logicalrouter.h +#usr/include/frr/md5.h +#usr/include/frr/memory.h +#usr/include/frr/memory_vty.h +#usr/include/frr/module.h +#usr/include/frr/monotime.h +#usr/include/frr/mpls.h +#usr/include/frr/network.h +#usr/include/frr/nexthop.h +#usr/include/frr/nexthop_group.h +#usr/include/frr/ns.h +#usr/include/frr/openbsd-queue.h +#usr/include/frr/openbsd-tree.h +#usr/include/frr/ospfd +#usr/include/frr/ospfd/ospf_api.h +#usr/include/frr/ospfd/ospf_asbr.h +#usr/include/frr/ospfd/ospf_dump.h +#usr/include/frr/ospfd/ospf_dump_api.h +#usr/include/frr/ospfd/ospf_ism.h 
+#usr/include/frr/ospfd/ospf_lsa.h +#usr/include/frr/ospfd/ospf_lsdb.h +#usr/include/frr/ospfd/ospf_nsm.h +#usr/include/frr/ospfd/ospf_opaque.h +#usr/include/frr/ospfd/ospfd.h +#usr/include/frr/pbr.h +#usr/include/frr/plist.h +#usr/include/frr/pqueue.h +#usr/include/frr/prefix.h +#usr/include/frr/privs.h +#usr/include/frr/ptm_lib.h +#usr/include/frr/pw.h +#usr/include/frr/qobj.h +#usr/include/frr/queue.h +#usr/include/frr/ringbuf.h +#usr/include/frr/route_types.h +#usr/include/frr/routemap.h +#usr/include/frr/sbuf.h +#usr/include/frr/sha256.h +#usr/include/frr/sigevent.h +#usr/include/frr/skiplist.h +#usr/include/frr/sockopt.h +#usr/include/frr/sockunion.h +#usr/include/frr/spf_backoff.h +#usr/include/frr/srcdest_table.h +#usr/include/frr/stream.h +#usr/include/frr/systemd.h +#usr/include/frr/table.h +#usr/include/frr/termtable.h +#usr/include/frr/thread.h +#usr/include/frr/vector.h +#usr/include/frr/version.h +#usr/include/frr/vlan.h +#usr/include/frr/vrf.h +#usr/include/frr/vrf_int.h +#usr/include/frr/vty.h +#usr/include/frr/vxlan.h +#usr/include/frr/wheel.h +#usr/include/frr/workqueue.h +#usr/include/frr/zassert.h +#usr/include/frr/zclient.h +#usr/include/frr/zebra.h +#usr/lib/libfrr.a +#usr/lib/libfrr.la +#usr/lib/libfrr.so +usr/lib/libfrr.so.0 +usr/lib/libfrr.so.0.0.0 +usr/sbin/bgpd +usr/sbin/frr +usr/sbin/frr-reload +usr/sbin/frr-reload.py +usr/sbin/ospfd +usr/sbin/rfptest +usr/sbin/ssd +usr/sbin/staticd +usr/sbin/watchfrr +usr/sbin/zebra diff --git a/lfs/frr b/lfs/frr new file mode 100644 index 000000000..756b87729 --- /dev/null +++ b/lfs/frr 
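Review bot: The package ships `usr/sbin/rfptest` and `usr/sbin/ssd` next to the routing daemons; judging by their names these look like FRR's RFAPI/VNC test and example programs rather than anything the package's initscript would start, so they are candidates for a leading `#` unless they are needed. `usr/sbin/frr-reload.py` is a Python script (with `usr/sbin/frr-reload` presumably wrapping it), so shipping it adds a runtime dependency on the Python interpreter and its modules that the lfs file's `DEPS` should reflect if those are not part of the core system. Both points are inferred from the file names in this list only.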
@@ -0,0 +1,106 @@ +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2007-2018 IPFire Team # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see . # +# # +############################################################################### + +############################################################################### +# Definitions +############################################################################### + +include Config + +VER = 6.0 + +THISAPP = frr-$(VER) +DL_FILE = $(THISAPP).tar.xz +DL_FROM = $(URL_IPFIRE) +DIR_APP = $(DIR_SRC)/$(THISAPP) +TARGET = $(DIR_INFO)/$(THISAPP) +PROG = frr +PAK_VER = 1 + +DEPS = "" + +############################################################################### +# Top-level Rules +############################################################################### + +objects = $(DL_FILE) + +$(DL_FILE) = $(DL_FROM)/$(DL_FILE) + +$(DL_FILE)_MD5 = d725c08e0093f58e5fcac0969c781813 + +install : $(TARGET) + +check : $(patsubst %,$(DIR_CHK)/%,$(objects)) + +download :$(patsubst %,$(DIR_DL)/%,$(objects)) + +md5 : $(subst %,%_MD5,$(objects)) + +dist: + @$(PAK) + +############################################################################### +# Downloading, checking, md5sum +############################################################################### + +$(patsubst 
%,$(DIR_CHK)/%,$(objects)) : + @$(CHECK) + +$(patsubst %,$(DIR_DL)/%,$(objects)) : + @$(LOAD) + +$(subst %,%_MD5,$(objects)) : + @$(MD5) + +############################################################################### +# Installation Details +############################################################################### + +$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) + @$(PREBUILD) + @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP) && ./configure \ + --prefix=/usr \ + --sysconfdir=/etc/frr \ + --localstatedir=/var/run/frr \ + --enable-user="frr" \ + --enable-group="frr" \ + --enable-vty-group="frrvty" \ + --enable-multipath=64 \ + --disable-doc \ + --disable-babeld \ + --disable-bfdd \ + --disable-eigrpd \ + --disable-irdp \ + --disable-isisd \ + --disable-ldpd \ + --disable-nhrpd \ + --disable-ospf6d \ + --disable-ospfapi \ + --disable-pbrd \ + --disable-pimd \ + --disable-ripd \ + --disable-ripngd + cd $(DIR_APP) && make $(MAKETUNING) + cd $(DIR_APP) && make install + @rm -rf $(DIR_APP) + @$(POSTBUILD) + From 1b24eec502f9b97dfed2ea82489b3dc2a9681274 Mon Sep 17 00:00:00 2001 From: Arne Fitzenreiter Date: Tue, 30 Oct 2018 18:15:14 +0100 Subject: [PATCH 03/21] toolchain: bump version Signed-off-by: Arne Fitzenreiter --- make.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/make.sh b/make.sh index c5cfab151..d23d57535 100755 --- a/make.sh +++ b/make.sh @@ -37,7 +37,7 @@ KVER=`grep --max-count=1 VER lfs/linux | awk '{ print $3 }'` GIT_TAG=$(git tag | tail -1) # Git Tag GIT_LASTCOMMIT=$(git log | head -n1 | cut -d" " -f2 |head -c8) # Last commit -TOOLCHAINVER=20181024 +TOOLCHAINVER=20181030 ############################################################################### # From a90f7faf78e8d7a4220d4be51f6eb1b3f726e657 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Tue, 30 Oct 2018 17:20:37 +0000 Subject: [PATCH 04/21] frr: Install users and make backup when package is installed/uinstalled 
Signed-off-by: Michael Tremer --- src/paks/frr/install.sh | 45 +++++++++++++++++++++++++++++++++++++++ src/paks/frr/uninstall.sh | 35 ++++++++++++++++++++++++++++++ src/paks/frr/update.sh | 26 ++++++++++++++++++++++ 3 files changed, 106 insertions(+) create mode 100644 src/paks/frr/install.sh create mode 100644 src/paks/frr/uninstall.sh create mode 100644 src/paks/frr/update.sh diff --git a/src/paks/frr/install.sh b/src/paks/frr/install.sh new file mode 100644 index 000000000..60d77a015 --- /dev/null +++ b/src/paks/frr/install.sh @@ -0,0 +1,45 @@ +#!/bin/bash +############################################################################ +# # +# This file is part of the IPFire Firewall. # +# # +# IPFire is free software; you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation; either version 2 of the License, or # +# (at your option) any later version. # +# # +# IPFire is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with IPFire; if not, write to the Free Software # +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # +# # +# Copyright (C) 2007 IPFire-Team . # +# # +############################################################################ +# +. /opt/pakfire/lib/functions.sh + +if ! getent group frr &>/dev/null; then + groupadd -r frr +fi + +if ! getent group frrvty &>/dev/null; then + groupadd -r frrvty +fi + +if ! getent passwd frr &>/dev/null; then + useradd -r frr -g frr -s /bin/false -b /var/empty -G frrvty +fi + +# Extract files +extract_files + +# Restore any backups +restore_backup "${NAME}" + +# Start services +start_service "${NAME}" 
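Review bot: In `useradd -r frr -g frr -s /bin/false -b /var/empty -G frrvty`, `-b` sets the base directory for the home, so the account's recorded home becomes `/var/empty/frr`, a path nothing creates; if the intent is an empty or non-existent home, `-d /var/empty` states that directly. Without `-m` no directory is created either way, so this is a correctness-of-intent point rather than a runtime failure. The `getent` guards around `groupadd`/`useradd` make the script safe to re-run from update.sh, which is good.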
diff --git a/src/paks/frr/uninstall.sh b/src/paks/frr/uninstall.sh new file mode 100644 index 000000000..49e3fdd7d --- /dev/null +++ b/src/paks/frr/uninstall.sh @@ -0,0 +1,35 @@ +#!/bin/bash +############################################################################ +# # +# This file is part of the IPFire Firewall. # +# # +# IPFire is free software; you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation; either version 2 of the License, or # +# (at your option) any later version. # +# # +# IPFire is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with IPFire; if not, write to the Free Software # +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # +# # +# Copyright (C) 2007 IPFire-Team . # +# # +############################################################################ +# +. /opt/pakfire/lib/functions.sh + +# Stop services +stop_service "${NAME}" + +# Create backup +extract_backup_includes +make_backup "${NAME}" + +# Remove all files +rm -rfv /etc/rc.d/rc*.d/*frr +remove_files diff --git a/src/paks/frr/update.sh b/src/paks/frr/update.sh new file mode 100644 index 000000000..89c40d0d7 --- /dev/null +++ b/src/paks/frr/update.sh 
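Review bot: `rm -rfv /etc/rc.d/rc*.d/*frr` removes every runlevel symlink whose name merely ends in `frr`, and `-r` is not needed for symlinks; since the install side creates exactly `K40frr`/`S50frr` links later in the series, `rm -fv /etc/rc.d/rc*.d/[KS][0-9][0-9]frr` matches only those and documents what is expected. `make_backup "${NAME}"` runs before `remove_files`, but at this commit no backup include for frr exists yet (it arrives in a later patch), so the backup produced here would be empty if the patches were applied individually.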
@@ -0,0 +1,26 @@ +#!/bin/bash +############################################################################ +# # +# This file is part of the IPFire Firewall. # +# # +# IPFire is free software; you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation; either version 2 of the License, or # +# (at your option) any later version. # +# # +# IPFire is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with IPFire; if not, write to the Free Software # +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # +# # +# Copyright (C) 2007 IPFire-Team . # +# # +############################################################################ +# +. /opt/pakfire/lib/functions.sh +./uninstall.sh +./install.sh From ebd6fe2b50a4f51a93475fc33f385b5477480a43 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Tue, 30 Oct 2018 17:24:34 +0000 Subject: [PATCH 05/21] frr: Add initscript Signed-off-by: Michael Tremer --- config/rootfiles/packages/frr | 1 + lfs/frr | 4 +++ src/initscripts/packages/frr | 54 +++++++++++++++++++++++++++++++++++ src/paks/frr/install.sh | 7 +++++ 4 files changed, 66 insertions(+) create mode 100755 src/initscripts/packages/frr diff --git a/config/rootfiles/packages/frr b/config/rootfiles/packages/frr index 845fea3c4..5db055de6 100644 --- a/config/rootfiles/packages/frr +++ b/config/rootfiles/packages/frr @@ -7,6 +7,7 @@ etc/frr/ripngd.conf.sample etc/frr/staticd.conf.sample etc/frr/vtysh.conf.sample etc/frr/zebra.conf.sample +etc/rc.d/init.d/frr usr/bin/bgp_btoa usr/bin/vtysh #usr/include/frr diff --git a/lfs/frr b/lfs/frr index 756b87729..c90340fed 100644 --- a/lfs/frr +++ b/lfs/frr 
@@ -101,6 +101,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) --disable-ripngd cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install + + # Install initscript + $(call INSTALL_INITSCRIPT,frr) + @rm -rf $(DIR_APP) @$(POSTBUILD) diff --git a/src/initscripts/packages/frr b/src/initscripts/packages/frr new file mode 100755 index 000000000..9ebb5f85b --- /dev/null +++ b/src/initscripts/packages/frr @@ -0,0 +1,54 @@ +#!/bin/sh +######################################################################## +# Begin $rc_base/init.d/frr +# +# Description : FRRouting Suite +# +######################################################################## + +. /etc/sysconfig/rc +. ${rc_functions} + +DAEMONS="zebra bgpd ospfd staticd" + +case "${1}" in + start) + for daemon in ${DAEMONS}; do + if [ -f "/etc/frr/${daemon}.conf" ]; then + boot_mesg "Starting FRRouting ${daemon}..." + loadproc "/usr/sbin/${daemon}" --daemon + fi + done + ;; + + stop) + for daemon in ${DAEMONS}; do + boot_mesg "Stopping FRRouting ${daemon}..." + killproc "/usr/sbin/${daemon}" + done + ;; + + reload) + boot_mesg "Reloading FRRouting..." + reloadproc /usr/sbin/frr-reload + ;; + + restart) + ${0} stop + sleep 1 + ${0} start + ;; + + status) + for daemon in ${DAEMONS}; do + statusproc "/usr/sbin/${daemon}" + done + ;; + + *) + echo "Usage: ${0} {start|stop|reload|restart|status}" + exit 1 + ;; +esac + +# End $rc_base/init.d/frr diff --git a/src/paks/frr/install.sh b/src/paks/frr/install.sh index 60d77a015..7e0222246 100644 --- a/src/paks/frr/install.sh +++ b/src/paks/frr/install.sh @@ -43,3 +43,10 @@ restore_backup "${NAME}" # Start services start_service "${NAME}" + +# Enable autostart +ln -svf ../init.d/frr /etc/rc.d/rc0.d/K40frr +ln -svf ../init.d/frr /etc/rc.d/rc3.d/S50frr +ln -svf ../init.d/frr /etc/rc.d/rc6.d/K40frr + +exit 0 From e1def10e29c8fedcf9357c2a7919ff9e3b70611a Mon Sep 17 00:00:00 2001 
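Review bot: The `reload)` branch of the initscript calls `reloadproc /usr/sbin/frr-reload`; in the LFS-style boot functions `reloadproc` signals an already running process identified by its pathname, whereas `frr-reload` is a one-shot tool that is not running and, as far as I can tell, expects the configuration file to apply as an argument, so `reload` would most likely report the process as not running. Invoking `/usr/sbin/frr-reload --reload <config>` (placeholder for the configured file) directly, or dropping `reload` from the usage line until it works, would be more honest. The daemons are configured with `--localstatedir=/var/run/frr` and run as user `frr`, but nothing in `start)` creates that directory with the right owner; if `/var/run` does not persist across boots, a `mkdir -p /var/run/frr && chown frr:frr /var/run/frr` before the loop is needed, otherwise the daemons cannot write their pid and vty socket files.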
From: Michael Tremer Date: Tue, 30 Oct 2018 17:32:48 +0000 Subject: [PATCH 06/21] frr: Set configuration file permissions correctly Signed-off-by: Michael Tremer --- src/initscripts/packages/frr | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/src/initscripts/packages/frr b/src/initscripts/packages/frr index 9ebb5f85b..5fa4e9fa8 100755 --- a/src/initscripts/packages/frr +++ b/src/initscripts/packages/frr @@ -13,8 +13,17 @@ DAEMONS="zebra bgpd ospfd staticd" case "${1}" in start) + # Fix permissions of configuration directory + if [ -d "/etc/frr" ]; then + chown root.frr /etc/frr + chmod 775 /etc/frr + fi + for daemon in ${DAEMONS}; do if [ -f "/etc/frr/${daemon}.conf" ]; then + # Set permissions + chown frr.frr "/etc/frr/${daemon}.conf" + boot_mesg "Starting FRRouting ${daemon}..." loadproc "/usr/sbin/${daemon}" --daemon fi From 58e0aa18cca8e690e720376913fd71582689eb26 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Wed, 31 Oct 2018 09:30:20 +0000 Subject: [PATCH 07/21] frr: Add backup include file Signed-off-by: Michael Tremer --- config/backup/includes/frr | 1 + config/rootfiles/packages/frr | 1 + lfs/frr | 4 ++++ 3 files changed, 6 insertions(+) create mode 100644 config/backup/includes/frr diff --git a/config/backup/includes/frr b/config/backup/includes/frr new file mode 100644 index 000000000..ca74d4891 --- /dev/null +++ b/config/backup/includes/frr @@ -0,0 +1 @@ +/etc/frr diff --git a/config/rootfiles/packages/frr b/config/rootfiles/packages/frr index 5db055de6..8aafc7c6c 100644 --- a/config/rootfiles/packages/frr +++ b/config/rootfiles/packages/frr @@ -126,3 +126,4 @@ usr/sbin/ssd usr/sbin/staticd usr/sbin/watchfrr usr/sbin/zebra +var/ipfire/backup/addons/includes/frr diff --git a/lfs/frr b/lfs/frr index c90340fed..a14dc5981 100644 --- a/lfs/frr +++ b/lfs/frr 
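Review bot: `chown root.frr /etc/frr` and `chown frr.frr "/etc/frr/${daemon}.conf"` use the obsolete `user.group` separator; GNU coreutils still accepts it for compatibility but documents `:` as the form to use, and a user name containing a dot would be ambiguous, so `chown root:frr /etc/frr` and `chown frr:frr "/etc/frr/${daemon}.conf"` are preferable. `chmod 775` makes the configuration directory group-writable for `frr`, which the daemons and vtysh need to save configuration, but it also means any process running as that user can replace the configuration of every daemon; a comment stating that this is intended would help the next reader. Configuration files not named in `DAEMONS` (for example `vtysh.conf`) never get their ownership fixed by this loop.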
@@ -102,6 +102,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install + # Install backup include + install -v -m 644 $(DIR_SRC)/config/backup/includes/frr \ + /var/ipfire/backup/addons/includes/frr + # Install initscript $(call INSTALL_INITSCRIPT,frr) From 0faf9c7869cfca07dc51f297ba8f7b16623c3469 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Wed, 31 Oct 2018 09:32:01 +0000 Subject: [PATCH 08/21] core125: Ship JSON-C Signed-off-by: Michael Tremer --- config/rootfiles/core/125/filelists/json-c | 1 + 1 file changed, 1 insertion(+) create mode 120000 config/rootfiles/core/125/filelists/json-c diff --git a/config/rootfiles/core/125/filelists/json-c b/config/rootfiles/core/125/filelists/json-c new file mode 120000 index 000000000..2da263e3d --- /dev/null +++ b/config/rootfiles/core/125/filelists/json-c @@ -0,0 +1 @@ +../../../common/json-c \ No newline at end of file From b3cc1932e4afe74f450d3c05d630da16af5b3846 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Wed, 31 Oct 2018 10:56:24 +0000 Subject: [PATCH 09/21] Rootfile update Signed-off-by: Michael Tremer --- config/rootfiles/common/bison | 2 ++ config/rootfiles/common/kmod | 3 +++ config/rootfiles/packages/nfs | 19 +++++++++++++++++++ 3 files changed, 24 insertions(+) diff --git a/config/rootfiles/common/bison b/config/rootfiles/common/bison index 2ecfc75fb..d56db029e 100644 --- a/config/rootfiles/common/bison +++ b/config/rootfiles/common/bison @@ -51,6 +51,8 @@ #usr/share/locale/ast #usr/share/locale/ast/LC_MESSAGES #usr/share/locale/ast/LC_MESSAGES/bison-runtime.mo +#usr/share/locale/ca/LC_MESSAGES/bison-runtime.mo +#usr/share/locale/ca/LC_MESSAGES/bison.mo #usr/share/locale/da/LC_MESSAGES/bison-runtime.mo #usr/share/locale/da/LC_MESSAGES/bison.mo #usr/share/locale/de/LC_MESSAGES/bison-runtime.mo diff --git a/config/rootfiles/common/kmod b/config/rootfiles/common/kmod index b3d45e25d..4c9b448f7 100644 --- a/config/rootfiles/common/kmod 
+++ b/config/rootfiles/common/kmod @@ -5,7 +5,10 @@ sbin/lsmod sbin/modinfo sbin/modprobe sbin/rmmod +#usr/include/libkmod.h +#usr/lib/libkmod.la #usr/lib/libkmod.so usr/lib/libkmod.so.2 usr/lib/libkmod.so.2.3.3 +#usr/lib/pkgconfig/libkmod.pc #usr/share/bash-completion/completions/kmod diff --git a/config/rootfiles/packages/nfs b/config/rootfiles/packages/nfs index 048762650..f2637fec2 100644 --- a/config/rootfiles/packages/nfs +++ b/config/rootfiles/packages/nfs @@ -5,9 +5,26 @@ sbin/nfsdcltrack sbin/osd_login sbin/umount.nfs sbin/umount.nfs4 +#usr/include/nfsidmap.h #usr/include/nfsidmap_plugin.h +#usr/lib/libnfsidmap +#usr/lib/libnfsidmap.a +#usr/lib/libnfsidmap.la +#usr/lib/libnfsidmap.so +usr/lib/libnfsidmap.so.0 +usr/lib/libnfsidmap.so.0.3.0 usr/lib/libnfsidmap.so.1 usr/lib/libnfsidmap.so.1.0.0 +#usr/lib/libnfsidmap/nsswitch.a +#usr/lib/libnfsidmap/nsswitch.la +usr/lib/libnfsidmap/nsswitch.so +#usr/lib/libnfsidmap/static.a +#usr/lib/libnfsidmap/static.la +usr/lib/libnfsidmap/static.so +#usr/lib/libnfsidmap/umich_ldap.a +#usr/lib/libnfsidmap/umich_ldap.la +usr/lib/libnfsidmap/umich_ldap.so +#usr/lib/pkgconfig/libnfsidmap.pc usr/sbin/exportfs usr/sbin/mountstats usr/sbin/nfsconf @@ -22,7 +39,9 @@ usr/sbin/rpcdebug usr/sbin/showmount usr/sbin/sm-notify usr/sbin/start-statd +#usr/share/man/man3/nfs4_uid_to_name.3 #usr/share/man/man5/exports.5 +#usr/share/man/man5/idmapd.conf.5 #usr/share/man/man5/nfs.5 #usr/share/man/man5/nfs.conf.5 #usr/share/man/man5/nfsmount.conf.5 From 33d20027679cc4a51a9d4f39160fa972b2b08fac Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Wed, 31 Oct 2018 12:08:57 +0000 Subject: [PATCH 10/21] backup: Include custom include/exclude files Signed-off-by: Michael Tremer --- config/backup/include | 2 ++ 1 file changed, 2 insertions(+) diff --git a/config/backup/include b/config/backup/include index 6982b1c92..da8954b83 100644 --- a/config/backup/include +++ b/config/backup/include 
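Review bot: The first nfs hunk (`@@ -5,9 +5,26 @@`) now ships `usr/lib/libnfsidmap.so.0` and `usr/lib/libnfsidmap.so.0.3.0` next to the existing `usr/lib/libnfsidmap.so.1` and `usr/lib/libnfsidmap.so.1.0.0`, i.e. two major versions of the same library in one package. The `.so.0*` entries look like a leftover from an older libnfsidmap still present on the build host rather than something the current nfs-utils build produces; if so, they should be commented out here and the stale files removed from the build root, otherwise the package carries a library nothing links against. This is inferred from the version numbers only.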
@@ -23,6 +23,8 @@ /root/.gitconfig /root/.ssh /var/ipfire/auth/users +/var/ipfire/backup/exclude.user +/var/ipfire/backup/include.user /var/ipfire/captive/* /var/ipfire/*/*.conf /var/ipfire/*/config From ac1fc6ea5ea8dcfe30e5a47560ae4fb9210a2053 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Wed, 31 Oct 2018 12:10:18 +0000 Subject: [PATCH 11/21] backup: Include addon backups in main backup Signed-off-by: Michael Tremer --- config/backup/include | 1 + 1 file changed, 1 insertion(+) diff --git a/config/backup/include b/config/backup/include index da8954b83..75bd85807 100644 --- a/config/backup/include +++ b/config/backup/include @@ -23,6 +23,7 @@ /root/.gitconfig /root/.ssh /var/ipfire/auth/users +/var/ipfire/backup/addons/backup /var/ipfire/backup/exclude.user /var/ipfire/backup/include.user /var/ipfire/captive/* From c81dffc942d95005f40d2db4c99139e139cd41bb Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Wed, 31 Oct 2018 12:55:55 +0000 Subject: [PATCH 12/21] core125: Ship updated backup include Signed-off-by: Michael Tremer --- config/rootfiles/core/125/filelists/files | 1 + 1 file changed, 1 insertion(+) diff --git a/config/rootfiles/core/125/filelists/files b/config/rootfiles/core/125/filelists/files index f2afb62fb..d019c0c0a 100644 --- a/config/rootfiles/core/125/filelists/files +++ b/config/rootfiles/core/125/filelists/files @@ -7,4 +7,5 @@ srv/web/ipfire/cgi-bin/hardwaregraphs.cgi srv/web/ipfire/cgi-bin/media.cgi srv/web/ipfire/cgi-bin/pakfire.cgi usr/local/bin/makegraphs +var/ipfire/backup/include var/ipfire/langs From c7b7a70deba70d6952898f4183c96d8ef8a91373 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Wed, 31 Oct 2018 14:21:41 +0000 Subject: [PATCH 13/21] backup: Rewrite backup script The old script was quite messy and written in perl although it was only calling shell commands. This version is now written in shell although keeping the .pl file suffix and is a drop-in replacement. 
Signed-off-by: Michael Tremer --- config/backup/backup.pl | 331 +++++++++++++--------- config/rootfiles/core/125/filelists/files | 1 + 2 files changed, 192 insertions(+), 140 deletions(-) diff --git a/config/backup/backup.pl b/config/backup/backup.pl index ce8911635..ddf2bf2b1 100644 --- a/config/backup/backup.pl +++ b/config/backup/backup.pl @@ -1,4 +1,4 @@ -#!/usr/bin/perl +#!/bin/bash ############################################################################### # # # IPFire.org - A linux based firewall # 
@@ -19,148 +19,199 @@ # # ############################################################################### -require '/var/ipfire/general-functions.pl'; -require "${General::swroot}/lang.pl"; -require "${General::swroot}/header.pl"; -use File::Path; -my $debug = 1; -my @include = ""; -my ($Sekunden, $Minuten, $Stunden, $Monatstag, $Monat, $Jahr, $Wochentag, $Jahrestag, $Sommerzeit) = localtime(time); -$Jahr = $Jahr + 1900;$Monat = $Monat + 1; -$Monat = sprintf("%02d", $Monat); -$Monatstag = sprintf("%02d", $Monatstag); -$Stunden = sprintf("%02d", $Stunden); -$Minuten = sprintf("%02d", $Minuten); +NOW="$(date "+%Y-%m-%d-%H:%M")" -if (($ARGV[0] eq 'include') || ($ARGV[0] eq 'iso')) { - &createinclude; - my @files = `find / -name *.log* 2>/dev/null`; - foreach (@files){ - push(@include,$_); - } - my @files = `find /var/log/ -name *messages* 2>/dev/null`; - foreach (@files){ - push(@include,$_); - } - open(DATEI, ">/tmp/include") || die "Could not save temp include file"; - print DATEI @include; - print "/var/log/messages"; - close(DATEI); - system("tar -cvzf /var/ipfire/backup/$Jahr$Monat$Monatstag-$Stunden$Minuten.ipf --exclude-from='/var/ipfire/backup/exclude' --exclude-from='/var/ipfire/backup/exclude.user' --files-from='/tmp/include' --files-from='/var/ipfire/backup/include.user'"); - system("rm /tmp/include"); - if ($ARGV[0] eq 'iso') { - system("/usr/local/bin/backupiso $Jahr$Monat$Monatstag-$Stunden$Minuten &"); - } -} -elsif ($ARGV[0] eq 'exclude') { - &createinclude; - open(DATEI, ">/tmp/include") || die "Could not save temp include file"; - print DATEI @include; - close(DATEI); - system("tar -cvzf /var/ipfire/backup/$Jahr$Monat$Monatstag-$Stunden$Minuten.ipf --exclude-from='/var/ipfire/backup/exclude' --exclude-from='/var/ipfire/backup/exclude.user' --files-from='/tmp/include' --files-from='/var/ipfire/backup/include.user'"); - system("rm /tmp/include"); -} -elsif ($ARGV[0] eq 'restore') { - system("cd / && tar -xvz -p -f /tmp/restore.ipf"); - #Here some 
converter scripts to correct old Backups (before core 65) - system("/usr/sbin/ovpn-ccd-convert"); - #OUTGOINGFW CONVERTER - if( -d "${General::swroot}/outgoing"){ - if( -f "${General::swroot}/firewall/config" ){ - unlink("${General::swroot}/firewall/config"); - system("touch ${General::swroot}/firewall/config"); - chown 99,99,"${General::swroot}/firewall/config"; - } - if( -f "${General::swroot}/firewall/outgoing" ){ - unlink("${General::swroot}/firewall/outgoing"); - system("touch ${General::swroot}/firewall/outgoing"); - chown 99,99,"${General::swroot}/firewall/outgoing"; - } - unlink("${General::swroot}/fwhosts/customgroups"); - unlink("${General::swroot}/fwhosts/customhosts"); - unlink("${General::swroot}/fwhosts/customgroups"); - unlink("${General::swroot}/fwhosts/customnetworks"); - unlink("${General::swroot}/fwhosts/customservicegrp"); - unlink("${General::swroot}/fwhosts/customnetworks"); - system("touch ${General::swroot}/fwhosts/customgroups"); - system("touch ${General::swroot}/fwhosts/customhosts"); - system("touch ${General::swroot}/fwhosts/customnetworks"); - system("touch ${General::swroot}/fwhosts/customservicegrp"); - #START CONVERTER "OUTGOINGFW" - system("/usr/sbin/convert-outgoingfw"); - chown 99,99,"${General::swroot}/fwhosts/customgroups"; - chown 99,99,"${General::swroot}/fwhosts/customhosts"; - chown 99,99,"${General::swroot}/fwhosts/customnetworks"; - chown 99,99,"${General::swroot}/fwhosts/customservicegrp"; - #START CONVERTER "OUTGOINGFW" - rmtree("${General::swroot}/outgoing"); - } - #XTACCESS CONVERTER - if( -d "${General::swroot}/xtaccess"){ - if( -f "${General::swroot}/firewall/input" ){ - unlink("${General::swroot}/firewall/input"); - system("touch ${General::swroot}/firewall/input"); - } - #START CONVERTER "XTACCESS" - system("/usr/sbin/convert-xtaccess"); - chown 99,99,"${General::swroot}/firewall/input"; - rmtree("${General::swroot}/xtaccess"); - } - #DMZ-HOLES CONVERTER - if( -d "${General::swroot}/dmzholes" || -d 
"${General::swroot}/portfw"){ - if( -f "${General::swroot}/firewall/config" ){ - unlink("${General::swroot}/firewall/config"); - system("touch ${General::swroot}/firewall/config"); - } - #START CONVERTER "DMZ-HOLES" - system("/usr/sbin/convert-dmz"); - chown 99,99,"${General::swroot}/firewall/config"; - rmtree("${General::swroot}/dmzholes"); - } - #PORTFORWARD CONVERTER - if( -d "${General::swroot}/portfw"){ - #START CONVERTER "PORTFW" - system("/usr/sbin/convert-portfw"); - rmtree("${General::swroot}/portfw"); - } - system("/usr/local/bin/firewallctrl"); +list_addons() { + local file + for file in /var/ipfire/backup/addons/includes/*; do + if [ -f "${file}" ]; then + basename "${file}" + fi + done - # Convert old OpenVPN CCD files (CN change, core 75). - system("/usr/local/bin/convert-ovpn"); -} -elsif ($ARGV[0] eq 'restoreaddon') { - if ( -e "/tmp/$ARGV[1]" ){system("mv /tmp/$ARGV[1] /var/ipfire/backup/addons/backup/$ARGV[1]");} - system("cd / && tar -xvz -p -f /var/ipfire/backup/addons/backup/$ARGV[1]"); -} -elsif ($ARGV[0] eq 'cli') { - system("tar -cvzf /var/ipfire/backup/$Jahr$Monat$Monatstag-$Stunden$Minuten-$ARGV[1].ipf --files-from='$ARGV[2]' --exclude-from='$ARGV[3]'"); -} -elsif ($ARGV[0] eq 'addonbackup') { - system("tar -cvzf /var/ipfire/backup/addons/backup/$ARGV[1].ipf --files-from='/var/ipfire/backup/addons/includes/$ARGV[1]'"); -} -elsif ($ARGV[0] =~ /\.(iso|ipf)$/ ) { - unlink("$ARGV[0]"); -} -elsif ($ARGV[0] eq '') { - printf "No argument given, please use \n" -} -elsif ($ARGV[0] eq 'makedirs') { - system("mkdir -p /var/ipfire/backup/addons"); - system("mkdir -p /var/ipfire/backup/addons/backup"); - system("mkdir -p /var/ipfire/backup/addons/includes"); + return 0 } -sub createinclude(){ +process_includes() { + local include - open(DATEI, "<${General::swroot}/backup/include") || die "Can not open include file"; - my @Zeilen = ; - close(DATEI); - - foreach (@Zeilen){ - chomp($_); - my @files = `find $_ -maxdepth 0 2>/dev/null`; - foreach (@files){ 
- push(@include,$_); - } - } + for include in $@; do + local file + while read -r file; do + while read file; do + if [ -e "${file}" ]; then + echo "${file}" + fi + done <<< ${file} + done < "${include}" + done | sort -u } + +make_backup() { + local filename="${1}" + shift + + # Backup all addons first + local addon + for addon in $(list_addons); do + make_addon_backup "${addon}" + done + + tar cvzf "$(unknown)" \ + --exclude-from="/var/ipfire/backup/exclude" \ + --exclude-from="/var/ipfire/backup/exclude.user" \ + $(process_includes "/var/ipfire/backup/include" "/var/ipfire/backup/include.user") \ + "$@" + + return 0 +} + +restore_backup() { + local filename="${1}" + + tar xvzpf "$(unknown)" -C / + + # Run converters + + # Outgoing Firewall + if [ -d "/var/ipfire/outgoing" ]; then + # Reset files + local file + for file in /var/ipfire/firewall/{config,outgoing} \ + /var/ipfire/fwhosts/custom{hosts,groups,networks}; do + : > "${file}" + chown nobody:nobody "${file}" + done + + # Run converter + convert-outgoingfw + + # Remove old configuration + rm -rf "/var/ipfire/outgoing" + fi + + # External Access + if [ -d "/var/ipfire/xtaccess" ]; then + : > /var/ipfire/firewall/config + chown nobody:nobody "/var/ipfire/firewall/config" + + # Run converter + convert-xtaccess + + # Remove old configuration + rm -rf "/var/ipfire/xtaccess" + fi + + # DMZ Holes + if [ -d "/var/ipfire/dmzholes" ] || [ -d "/var/ipfire/portfw" ]; then + : > /var/ipfire/firewall/config + chown nobody:nobody "/var/ipfire/firewall/config" + + # Run converter + convert-dmz + + # Remove old configuration + rm -rf "/var/ipfire/dmzholes" + fi + + # Port Forwardings + if [ -d "/var/ipfire/portfw" ]; then + # Run converter + convert-portfw + + # Remove old configuration + rm -rf "/var/ipfire/portfw" + fi + + # Reload firewall + firewallctrl + + # Convert old OpenVPN CCD files (CN change, Core Update 75) + convert-ovpn + + return 0 +} + +find_logfiles() { + local filelist=( /var/log/messages* /var/log/*.log 
/var/log/**/*.log ) + + echo "${filelist[@]}" +} + +make_addon_backup() { + local name="${1}" + shift + + if [ ! -f "/var/ipfire/backup/addons/includes/${name}" ]; then + echo "${name} does not have any backup includes" >&2 + return 1 + fi + + local filename="/var/ipfire/backup/addons/backup/${name}.ipf" + + tar cvzf "$(unknown)" \ + $(process_includes "/var/ipfire/backup/addons/includes/${name}") +} + +restore_addon_backup() { + local name="${1}" + + if [ -d "/tmp/${name}.ipf" ]; then + mv "/tmp/${name}.ipf" "/var/ipfire/backup/addons/backup/${name}.ipf" + fi + + tar xvzpf "/var/ipfire/backup/addons/backup/${name}.ipf" -C / +} + +main() { + local command="${1}" + shift + + # Desired backup filename + local filename="/var/ipfire/backup/${NOW}.ipf" + + case "${command}" in + include) + make_backup "$(unknown)" $(find_logfiles) + ;; + + exclude) + make_backup "$(unknown)" + ;; + + restore) + restore_backup "/tmp/restore.ipf" + ;; + + addonbackup) + make_addon_backup "$@" + ;; + + restoreaddon) + restore_addon_backup "${1/.ipf/}" + ;; + + iso) + if make_backup "$(unknown)"; then + /usr/local/bin/backupiso "${NOW}" & + fi + ;; + + makedirs) + mkdir -p /var/ipfire/backup/addons/{backup,includes} + ;; + + /var/ipfire/backup/*.ipf|/var/ipfire/backup/addons/backup/*.ipf|/var/tmp/backupiso/*.iso) + unlink "${command}" + ;; + + *) + echo "${0}: [include|exclude|restore|addonbackup |restoreaddon |iso]" >&2 + return 2 + ;; + esac + + return $? +} + +main "$@" || exit $? diff --git a/config/rootfiles/core/125/filelists/files b/config/rootfiles/core/125/filelists/files index d019c0c0a..59de43460 100644 --- a/config/rootfiles/core/125/filelists/files +++ b/config/rootfiles/core/125/filelists/files @@ -7,5 +7,6 @@ srv/web/ipfire/cgi-bin/hardwaregraphs.cgi srv/web/ipfire/cgi-bin/media.cgi srv/web/ipfire/cgi-bin/pakfire.cgi usr/local/bin/makegraphs +var/ipfire/backup/bin/backup.pl var/ipfire/backup/include var/ipfire/langs 
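Review bot: `restore_addon_backup` tests `[ -d "/tmp/${name}.ipf" ]` before moving the uploaded archive into place, so a regular file in /tmp is never moved and the following `tar xvzpf` fails; the Perl version tested `-e`, and the intended test is `if [ -f "/tmp/${name}.ipf" ]; then`. `make_backup` and `restore_backup` both end in an unconditional `return 0`, which hides a failed `tar` from callers and makes the `if make_backup …` guard in the `iso` branch always true, so an ISO is built even when the archive is incomplete — dropping those two `return 0` lines lets tar's exit status propagate. The include list is expanded unquoted into tar's argument list via `$(process_includes …)`, so an entry from `include.user` containing whitespace is split into several paths and one beginning with `-` is parsed as a tar option; keeping the old `--files-from` approach, e.g. `--files-from=<(process_includes "/var/ipfire/backup/include" "/var/ipfire/backup/include.user")`, avoids both. `find_logfiles` relies on `/var/log/**/*.log`, which only descends one directory level unless `shopt -s globstar` is enabled, and the `iso` branch no longer adds `$(find_logfiles)` as `include` does, although the old script treated both commands alike. Several `tar` and `make_backup` calls read `"$(unknown)"` as the archive path in this rendering; presumably `"${filename}"` is meant, which is worth confirming against the committed file, since a command substitution of a nonexistent command expands to an empty argument.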
From 4f10c0b3a3a3441f352ff10d1a46c702a93f84f4 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Thu, 1 Nov 2018 10:27:09 +0000 Subject: [PATCH 14/21] backup: Fix expanding glogging Signed-off-by: Michael Tremer --- config/backup/backup.pl | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/config/backup/backup.pl b/config/backup/backup.pl index ddf2bf2b1..3accbcfff 100644 --- a/config/backup/backup.pl +++ b/config/backup/backup.pl @@ -38,11 +38,11 @@ process_includes() { for include in $@; do local file while read -r file; do - while read file; do + for file in ${file}; do if [ -e "${file}" ]; then echo "${file}" fi - done <<< ${file} + done done < "${include}" done | sort -u } @@ -201,6 +201,10 @@ main() { mkdir -p /var/ipfire/backup/addons/{backup,includes} ;; + list) + process_includes "/var/ipfire/backup/include" "/var/ipfire/backup/include.user" + ;; + /var/ipfire/backup/*.ipf|/var/ipfire/backup/addons/backup/*.ipf|/var/tmp/backupiso/*.iso) unlink "${command}" ;; From e2bd68dfad370340c343aa3d18b2fabf87c3f221 Mon Sep 17 00:00:00 2001 From: Matthias Fischer Date: Thu, 1 Nov 2018 09:24:24 +0100 Subject: [PATCH 15/21] squid 3.5.28: latest patches (01-02) For details see: http://www.squid-cache.org/Versions/v3/3.5/changesets/ Best, Matthias Signed-off-by: Matthias Fischer Signed-off-by: Michael Tremer --- lfs/squid | 2 + ...via_D_in_ERR_SECURE_CONNECT_FAIL_306.patch | 72 +++++++++++++++++++ ...ry_leak_when_parsing_SNMP_packet_313.patch | 22 ++++++ 3 files changed, 96 insertions(+) create mode 100644 src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECURE_CONNECT_FAIL_306.patch create mode 100644 src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.patch diff --git a/lfs/squid b/lfs/squid index cae56407c..11b84d719 100644 --- a/lfs/squid +++ b/lfs/squid 
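Review bot: In the rewritten inner loop of `process_includes`, `for file in ${file}` iterates over the expansion of the very variable it assigns, which works only because bash expands the word list before the first assignment; a second name, `while read -r pattern; do` / `for file in ${pattern}; do`, makes the intent (glob-expand each include entry) explicit. The unquoted expansion also word-splits, so an include entry containing whitespace becomes several paths, and the context line `for include in $@; do` above it should read `for include in "$@"; do` for the same reason. `process_includes` begins before the hunk.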
@@ -72,6 +72,8 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar xaf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECURE_CONNECT_FAIL_306.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.patch cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5.28-fix-max-file-descriptors.patch cd $(DIR_APP) && autoreconf -vfi diff --git a/src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECURE_CONNECT_FAIL_306.patch b/src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECURE_CONNECT_FAIL_306.patch new file mode 100644 index 000000000..fadb1d48c --- /dev/null +++ b/src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECURE_CONNECT_FAIL_306.patch 
@@ -0,0 +1,72 @@ +commit f1657a9decc820f748fa3aff68168d3145258031 +Author: Christos Tsantilas +Date: 2018-10-17 15:14:07 +0000 + + Certificate fields injection via %D in ERR_SECURE_CONNECT_FAIL (#306) + + %ssl_subject, %ssl_ca_name, and %ssl_cn values were not properly escaped when %D code was expanded in HTML context of the ERR_SECURE_CONNECT_FAIL template. This bug affects all + ERR_SECURE_CONNECT_FAIL page templates containing %D, including the default template. + + Other error pages are not vulnerable because Squid does not populate %D with certificate details in other contexts (yet). + + Thanks to Nikolas Lohmann [eBlocker] for identifying the problem. + + TODO: If those certificate details become needed for ACL checks or other non-HTML purposes, make their HTML-escaping conditional. + + This is a Measurement Factory project. + +diff --git a/src/ssl/ErrorDetail.cc b/src/ssl/ErrorDetail.cc +index b5030e3..314e998 100644 +--- a/src/ssl/ErrorDetail.cc ++++ b/src/ssl/ErrorDetail.cc +@@ -8,6 +8,8 @@ + + #include "squid.h" + #include "errorpage.h" ++#include "fatal.h" ++#include "html_quote.h" + #include "ssl/ErrorDetail.h" + + #include +@@ -432,8 +434,11 @@ const char *Ssl::ErrorDetail::subject() const + { + if (broken_cert.get()) { + static char tmpBuffer[256]; // A temporary buffer +- if (X509_NAME_oneline(X509_get_subject_name(broken_cert.get()), tmpBuffer, sizeof(tmpBuffer))) +- return tmpBuffer; ++ if (X509_NAME_oneline(X509_get_subject_name(broken_cert.get()), tmpBuffer, sizeof(tmpBuffer))) { ++ // quote to avoid possible html code injection through ++ // certificate subject ++ return html_quote(tmpBuffer); ++ } + } + return "[Not available]"; + } +@@ -461,8 +466,11 @@ const char *Ssl::ErrorDetail::cn() const + static String tmpStr; ///< A temporary string buffer + tmpStr.clean(); + Ssl::matchX509CommonNames(broken_cert.get(), &tmpStr, copy_cn); +- if (tmpStr.size()) +- return tmpStr.termedBuf(); ++ if (tmpStr.size()) { ++ // quote to avoid possible html code 
injection through ++ // certificate subject ++ return html_quote(tmpStr.termedBuf()); ++ } + } + return "[Not available]"; + } +@@ -474,8 +482,11 @@ const char *Ssl::ErrorDetail::ca_name() const + { + if (broken_cert.get()) { + static char tmpBuffer[256]; // A temporary buffer +- if (X509_NAME_oneline(X509_get_issuer_name(broken_cert.get()), tmpBuffer, sizeof(tmpBuffer))) +- return tmpBuffer; ++ if (X509_NAME_oneline(X509_get_issuer_name(broken_cert.get()), tmpBuffer, sizeof(tmpBuffer))) { ++ // quote to avoid possible html code injection through ++ // certificate issuer subject ++ return html_quote(tmpBuffer); ++ } + } + return "[Not available]"; + } diff --git a/src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.patch b/src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.patch new file mode 100644 index 000000000..2ae034c20 --- /dev/null +++ b/src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.patch @@ -0,0 +1,22 @@ +commit bc9786119f058a76ddf0625424bc33d36460b9a2 (refs/remotes/origin/v3.5) +Author: flozilla +Date: 2018-10-24 14:12:01 +0200 + + Fix memory leak when parsing SNMP packet (#313) + + SNMP queries denied by snmp_access rules and queries with certain + unsupported SNMPv2 commands were leaking a few hundred bytes each. Such + queries trigger "SNMP agent query DENIED from..." WARNINGs in cache.log. + +diff --git a/src/snmp_core.cc b/src/snmp_core.cc +index c4d21c1..16c2993 100644 +--- a/src/snmp_core.cc ++++ b/src/snmp_core.cc +@@ -409,6 +409,7 @@ snmpDecodePacket(SnmpRequest * rq) + snmpConstructReponse(rq); + } else { + debugs(49, DBG_IMPORTANT, "WARNING: SNMP agent query DENIED from : " << rq->from); ++ snmp_free_pdu(PDU); + } + xfree(Community); + From c3070d32e3f1223ff3a35f190978883b0804eb3f Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Thu, 1 Nov 2018 10:29:48 +0000 Subject: [PATCH 16/21] core125: Ship updated squid 
Signed-off-by: Michael Tremer --- config/rootfiles/core/125/filelists/squid | 1 + config/rootfiles/core/125/update.sh | 2 ++ 2 files changed, 3 insertions(+) create mode 120000 config/rootfiles/core/125/filelists/squid diff --git a/config/rootfiles/core/125/filelists/squid b/config/rootfiles/core/125/filelists/squid new file mode 120000 index 000000000..2dc8372a0 --- /dev/null +++ b/config/rootfiles/core/125/filelists/squid @@ -0,0 +1 @@ +../../../common/squid \ No newline at end of file diff --git a/config/rootfiles/core/125/update.sh b/config/rootfiles/core/125/update.sh index 9d056f921..a4ae0993c 100644 --- a/config/rootfiles/core/125/update.sh +++ b/config/rootfiles/core/125/update.sh @@ -32,6 +32,7 @@ for (( i=1; i<=$core; i++ )); do done # Stop services +/etc/init.d/squid stop # Extract files extract_files @@ -46,6 +47,7 @@ ldconfig /etc/init.d/unbound restart /etc/init.d/apache restart /etc/init.d/sshd restart +/etc/init.d/squid start # Reload sysctl.conf sysctl -p From 0c451a4a3262d564e298a13a252fd59e573da3a5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Peter=20M=C3=BCller?= Date: Mon, 29 Oct 2018 18:49:49 +0100 Subject: [PATCH 17/21] fix downloading Snort rules if behind upstream proxy MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Currently, the wget call only uses proxy information for HTTP. Since rulesets are downloaded via HTTPS now, the same information also needs to be applied for HTTPS. Signed-off-by: Peter Müller Signed-off-by: Michael Tremer --- html/cgi-bin/ids.cgi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index d9d697deb..eddfc387c 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi 
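Review bot: The `/etc/init.d/squid start` added after the service restarts is unconditional, while the matching `stop` before `extract_files` records nothing about whether the proxy was running; if the squid init script does not itself check the proxy's enabled state, this update starts squid on systems where the administrator had it disabled. Capturing the state first, e.g. `/etc/init.d/squid status >/dev/null 2>&1 && SQUID_WAS_RUNNING=1` before the stop and starting only `if [ -n "${SQUID_WAS_RUNNING}" ]`, preserves the pre-update state. Whether this init script supports a `status` action is not visible here.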
@@ -692,7 +692,7 @@ sub downloadrulesfile { } if ($peer) { - system("wget -r --proxy=on --proxy-user=$proxysettings{'UPSTREAM_USER'} --proxy-passwd=$proxysettings{'UPSTREAM_PASSWORD'} -e http_proxy=http://$peer:$peerport/ -o /var/tmp/log --output-document=/var/tmp/snortrules.tar.gz $url"); + system("wget -r --proxy=on --proxy-user=$proxysettings{'UPSTREAM_USER'} --proxy-passwd=$proxysettings{'UPSTREAM_PASSWORD'} -e http_proxy=http://$peer:$peerport/ -e https_proxy=http://$peer:$peerport/ -o /var/tmp/log --output-document=/var/tmp/snortrules.tar.gz $url"); } else { system("wget -r -o /var/tmp/log --output-document=/var/tmp/snortrules.tar.gz $url"); } From c22498887d13776a694d25f6aa465c4e0eb47cee Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Thu, 1 Nov 2018 10:30:49 +0000 Subject: [PATCH 18/21] core125: Ship updated ids.cgi Signed-off-by: Michael Tremer --- config/rootfiles/core/125/filelists/files | 1 + 1 file changed, 1 insertion(+) diff --git a/config/rootfiles/core/125/filelists/files b/config/rootfiles/core/125/filelists/files index 59de43460..ab7eeee47 100644 --- a/config/rootfiles/core/125/filelists/files +++ b/config/rootfiles/core/125/filelists/files @@ -4,6 +4,7 @@ etc/ssh/sshd_config etc/sysctl.conf srv/web/ipfire/cgi-bin/credits.cgi srv/web/ipfire/cgi-bin/hardwaregraphs.cgi +srv/web/ipfire/cgi-bin/ids.cgi srv/web/ipfire/cgi-bin/media.cgi srv/web/ipfire/cgi-bin/pakfire.cgi usr/local/bin/makegraphs From 2e0660f9ce59433831d619dad546e3d31bc22612 Mon Sep 17 00:00:00 2001 
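Review bot: The changed `system()` call still builds a single shell string, so `$proxysettings{'UPSTREAM_PASSWORD'}`, `UPSTREAM_USER` and `$url` are interpreted by the shell — a password containing a quote, `$` or `;` breaks the command — and the credentials appear on the wget command line, visible to any local user via `ps`. Passing the arguments as a list, `system("wget", "-r", "--proxy=on", "--proxy-user=$proxysettings{'UPSTREAM_USER'}", "--proxy-passwd=$proxysettings{'UPSTREAM_PASSWORD'}", "-e", "http_proxy=http://$peer:$peerport/", "-e", "https_proxy=http://$peer:$peerport/", ...)`, takes the shell out of the path; the `ps` exposure remains unless the credentials move into a wgetrc file. The unchanged `system("wget -r -o ... $url")` in the else branch has the same `$url` issue. `downloadrulesfile` begins before the hunk.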
From: =?UTF-8?q?Peter=20M=C3=BCller?= Date: Sat, 27 Oct 2018 15:44:02 +0200 Subject: [PATCH 19/21] Unbound: output statistics daily instead of just on shutdown MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Currently, Unbound only prints statistics if it is being shutdown (mostly because of a machine reboot). This makes detecting DNS anomalies hard as no intermediate statistic result is being logged. This patch changes Unbound's behaviour in order to log statistics every 86,400 seconds (i.e. 24 hours). Signed-off-by: Peter Müller Signed-off-by: Michael Tremer --- config/unbound/unbound.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf index cda591dab..2cc5bab8a 100644 --- a/config/unbound/unbound.conf +++ b/config/unbound/unbound.conf @@ -28,7 +28,7 @@ server: log-queries: no # Unbound Statistics - statistics-interval: 0 + statistics-interval: 86400 statistics-cumulative: yes extended-statistics: yes From 6eb221c2e5529945a6f31bf5be466795d917cf55 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Peter=20M=C3=BCller?= Date: Sat, 27 Oct 2018 15:37:45 +0200 Subject: [PATCH 20/21] update ca-certificates CA bundle MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Update the CA certificates list to what Mozilla NSS ships currently. The original file can be retrieved from: https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt The second version of this patch superseds the first one and bumps the LFS version of ca-certificate, too. Me stupid... Signed-off-by: Peter Müller Signed-off-by: Michael Tremer --- config/ca-certificates/certdata.txt | 140 ---------------------------- lfs/ca-certificates | 2 +- 2 files changed, 1 insertion(+), 141 deletions(-) diff --git a/config/ca-certificates/certdata.txt b/config/ca-certificates/certdata.txt index 193cef38f..61c37a8bd 100644 
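Review bot: With `statistics-cumulative: yes` left in place directly below the changed line, the counters logged every 86400 seconds are running totals since Unbound started rather than per-day figures, so the anomaly detection the commit message aims at needs to diff consecutive reports. If daily deltas are what is wanted, set `statistics-cumulative: no` so the counters reset after each report.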
--- a/config/ca-certificates/certdata.txt +++ b/config/ca-certificates/certdata.txt 
@@ -2144,146 +2144,6 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE -# -# Certificate "Visa eCommerce Root" -# -# Issuer: CN=Visa eCommerce Root,OU=Visa International Service Association,O=VISA,C=US -# Serial Number:13:86:35:4d:1d:3f:06:f2:c1:f9:65:05:d5:90:1c:62 -# Subject: CN=Visa eCommerce Root,OU=Visa International Service Association,O=VISA,C=US -# Not Valid Before: Wed Jun 26 02:18:36 2002 -# Not Valid After : Fri Jun 24 00:16:12 2022 -# Fingerprint (MD5): FC:11:B8:D8:08:93:30:00:6D:23:F9:7E:EB:52:1E:02 -# Fingerprint (SHA1): 70:17:9B:86:8C:00:A4:FA:60:91:52:22:3F:9F:3E:32:BD:E0:05:62 -CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Visa eCommerce Root" -CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 -CKA_SUBJECT MULTILINE_OCTAL -\060\153\061\013\060\011\006\003\125\004\006\023\002\125\123\061 -\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057 -\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156 -\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166 -\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061 -\034\060\032\006\003\125\004\003\023\023\126\151\163\141\040\145 -\103\157\155\155\145\162\143\145\040\122\157\157\164 -END -CKA_ID UTF8 "0" -CKA_ISSUER MULTILINE_OCTAL -\060\153\061\013\060\011\006\003\125\004\006\023\002\125\123\061 -\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057 -\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156 -\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166 -\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061 -\034\060\032\006\003\125\004\003\023\023\126\151\163\141\040\145 -\103\157\155\155\145\162\143\145\040\122\157\157\164 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL 
-\002\020\023\206\065\115\035\077\006\362\301\371\145\005\325\220 -\034\142 -END -CKA_VALUE MULTILINE_OCTAL -\060\202\003\242\060\202\002\212\240\003\002\001\002\002\020\023 -\206\065\115\035\077\006\362\301\371\145\005\325\220\034\142\060 -\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\153 -\061\013\060\011\006\003\125\004\006\023\002\125\123\061\015\060 -\013\006\003\125\004\012\023\004\126\111\123\101\061\057\060\055 -\006\003\125\004\013\023\046\126\151\163\141\040\111\156\164\145 -\162\156\141\164\151\157\156\141\154\040\123\145\162\166\151\143 -\145\040\101\163\163\157\143\151\141\164\151\157\156\061\034\060 -\032\006\003\125\004\003\023\023\126\151\163\141\040\145\103\157 -\155\155\145\162\143\145\040\122\157\157\164\060\036\027\015\060 -\062\060\066\062\066\060\062\061\070\063\066\132\027\015\062\062 -\060\066\062\064\060\060\061\066\061\062\132\060\153\061\013\060 -\011\006\003\125\004\006\023\002\125\123\061\015\060\013\006\003 -\125\004\012\023\004\126\111\123\101\061\057\060\055\006\003\125 -\004\013\023\046\126\151\163\141\040\111\156\164\145\162\156\141 -\164\151\157\156\141\154\040\123\145\162\166\151\143\145\040\101 -\163\163\157\143\151\141\164\151\157\156\061\034\060\032\006\003 -\125\004\003\023\023\126\151\163\141\040\145\103\157\155\155\145 -\162\143\145\040\122\157\157\164\060\202\001\042\060\015\006\011 -\052\206\110\206\367\015\001\001\001\005\000\003\202\001\017\000 -\060\202\001\012\002\202\001\001\000\257\127\336\126\036\156\241 -\332\140\261\224\047\313\027\333\007\077\200\205\117\310\234\266 -\320\364\157\117\317\231\330\341\333\302\110\134\072\254\071\063 -\307\037\152\213\046\075\053\065\365\110\261\221\301\002\116\004 -\226\221\173\260\063\360\261\024\116\021\157\265\100\257\033\105 -\245\112\357\176\266\254\362\240\037\130\077\022\106\140\074\215 -\241\340\175\317\127\076\063\036\373\107\361\252\025\227\007\125 -\146\245\265\055\056\330\200\131\262\247\015\267\106\354\041\143 
-\377\065\253\245\002\317\052\364\114\376\173\365\224\135\204\115 -\250\362\140\217\333\016\045\074\237\163\161\317\224\337\112\352 -\333\337\162\070\214\363\226\275\361\027\274\322\272\073\105\132 -\306\247\366\306\027\213\001\235\374\031\250\052\203\026\270\072 -\110\376\116\076\240\253\006\031\351\123\363\200\023\007\355\055 -\277\077\012\074\125\040\071\054\054\000\151\164\225\112\274\040 -\262\251\171\345\030\211\221\250\334\034\115\357\273\176\067\013 -\135\376\071\245\210\122\214\000\154\354\030\174\101\275\366\213 -\165\167\272\140\235\204\347\376\055\002\003\001\000\001\243\102 -\060\100\060\017\006\003\125\035\023\001\001\377\004\005\060\003 -\001\001\377\060\016\006\003\125\035\017\001\001\377\004\004\003 -\002\001\006\060\035\006\003\125\035\016\004\026\004\024\025\070 -\203\017\077\054\077\160\063\036\315\106\376\007\214\040\340\327 -\303\267\060\015\006\011\052\206\110\206\367\015\001\001\005\005 -\000\003\202\001\001\000\137\361\101\175\174\134\010\271\053\340 -\325\222\107\372\147\134\245\023\303\003\041\233\053\114\211\106 -\317\131\115\311\376\245\100\266\143\315\335\161\050\225\147\021 -\314\044\254\323\104\154\161\256\001\040\153\003\242\217\030\267 -\051\072\175\345\026\140\123\170\074\300\257\025\203\367\217\122 -\063\044\275\144\223\227\356\213\367\333\030\250\155\161\263\367 -\054\027\320\164\045\151\367\376\153\074\224\276\115\113\101\214 -\116\342\163\320\343\220\042\163\103\315\363\357\352\163\316\105 -\212\260\246\111\377\114\175\235\161\210\304\166\035\220\133\035 -\356\375\314\367\356\375\140\245\261\172\026\161\321\026\320\174 -\022\074\154\151\227\333\256\137\071\232\160\057\005\074\031\106 -\004\231\040\066\320\140\156\141\006\273\026\102\214\160\367\060 -\373\340\333\146\243\000\001\275\346\054\332\221\137\240\106\213 -\115\152\234\075\075\335\005\106\376\166\277\240\012\074\344\000 -\346\047\267\377\204\055\336\272\042\047\226\020\161\353\042\355 -\337\337\063\234\317\343\255\256\216\324\216\346\117\121\257\026 
-\222\340\134\366\007\017 -END -CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - -# Trust for Certificate "Visa eCommerce Root" -# Issuer: CN=Visa eCommerce Root,OU=Visa International Service Association,O=VISA,C=US -# Serial Number:13:86:35:4d:1d:3f:06:f2:c1:f9:65:05:d5:90:1c:62 -# Subject: CN=Visa eCommerce Root,OU=Visa International Service Association,O=VISA,C=US -# Not Valid Before: Wed Jun 26 02:18:36 2002 -# Not Valid After : Fri Jun 24 00:16:12 2022 -# Fingerprint (MD5): FC:11:B8:D8:08:93:30:00:6D:23:F9:7E:EB:52:1E:02 -# Fingerprint (SHA1): 70:17:9B:86:8C:00:A4:FA:60:91:52:22:3F:9F:3E:32:BD:E0:05:62 -CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Visa eCommerce Root" -CKA_CERT_SHA1_HASH MULTILINE_OCTAL -\160\027\233\206\214\000\244\372\140\221\122\042\077\237\076\062 -\275\340\005\142 -END -CKA_CERT_MD5_HASH MULTILINE_OCTAL -\374\021\270\330\010\223\060\000\155\043\371\176\353\122\036\002 -END -CKA_ISSUER MULTILINE_OCTAL -\060\153\061\013\060\011\006\003\125\004\006\023\002\125\123\061 -\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057 -\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156 -\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166 -\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061 -\034\060\032\006\003\125\004\003\023\023\126\151\163\141\040\145 -\103\157\155\155\145\162\143\145\040\122\157\157\164 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\020\023\206\065\115\035\077\006\362\301\371\145\005\325\220 -\034\142 -END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST -CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE - # # Certificate "Certum Root CA" # diff --git a/lfs/ca-certificates b/lfs/ca-certificates index e063b6439..6c684702a 100644 --- a/lfs/ca-certificates 
+++ b/lfs/ca-certificates @@ -24,7 +24,7 @@ include Config -VER = 20180910 +VER = 20181027 THISAPP = ca-certificates DIR_APP = $(DIR_SRC)/$(THISAPP) From 898b355abd27b86193dd6496a43e49e5bdf672a6 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Thu, 1 Nov 2018 10:31:45 +0000 Subject: [PATCH 21/21] core125: Ship updated ca-certificates Signed-off-by: Michael Tremer --- config/rootfiles/core/125/filelists/ca-certificates | 1 + 1 file changed, 1 insertion(+) create mode 120000 config/rootfiles/core/125/filelists/ca-certificates diff --git a/config/rootfiles/core/125/filelists/ca-certificates b/config/rootfiles/core/125/filelists/ca-certificates new file mode 120000 index 000000000..320fea8f4 --- /dev/null +++ b/config/rootfiles/core/125/filelists/ca-certificates @@ -0,0 +1 @@ +../../../common/ca-certificates \ No newline at end of file