Merge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next

config/firewall/rules.pl

@@ -175,9 +175,9 @@ sub buildrules {
 	}
 
 	if ($POLICY_INPUT_ACTION eq "DROP") {
-		push(@special_input_targets, "REJECT");
+		push(@special_input_targets, ("ACCEPT", "REJECT"));
 	} elsif ($POLICY_INPUT_ACTION eq "REJECT") {
-		push(@special_input_targets, "DROP");
+		push(@special_input_targets, ("ACCEPT", "DROP"));
 	}
 
 	my @special_output_targets = ();
@@ -187,9 +187,9 @@ sub buildrules {
 		push(@special_output_targets, "ACCEPT");
 
 		if ($POLICY_OUTPUT_ACTION eq "DROP") {
-			push(@special_output_targets, "REJECT");
+			push(@special_output_targets, ("ACCEPT", "REJECT"));
 		} elsif ($POLICY_OUTPUT_ACTION eq "REJECT") {
-			push(@special_output_targets, "DROP");
+			push(@special_output_targets, ("ACCEPT", "DROP"));
 		}
 	}
 
@@ -383,6 +383,19 @@ sub buildrules {
 						push(@destination_options, ("-d", $destination));
 					}
 
+					# Add source and destination interface to the filter rules.
+					# These are supposed to help filtering forged packets that originate
+					# from BLUE with an IP address from GREEN for instance.
+					my @source_intf_options = ();
+					if ($source_intf) {
+						push(@source_intf_options, ("-i", $source_intf));
+					}
+
+					my @destination_intf_options = ();
+					if ($destination_intf) {
+						push(@destination_intf_options, ("-o", $destination_intf));
+					}
+
 					# Add time constraint options.
 					push(@options, @time_options);
 
@@ -467,10 +480,7 @@ sub buildrules {
 						} elsif ($NAT_MODE eq "SNAT") {
 							my @nat_options = @options;
 
-							if ($destination_intf) {
-								push(@nat_options, ("-o", $destination_intf));
-							}
-
+							push(@nat_options, @destination_intf_options);
 							push(@nat_options, @source_options);
 							push(@nat_options, @destination_options);
 
@@ -481,25 +491,14 @@ sub buildrules {
 						}
 					}
 
-					# Add source and destination interface to the filter rules.
-					# These are supposed to help filtering forged packets that originate
-					# from BLUE with an IP address from GREEN for instance.
-					if ($source_intf) {
-						push(@source_options, ("-i", $source_intf));
-					}
-
-					if ($destination_intf) {
-						push(@destination_options, ("-o", $destination_intf));
-					}
-
 					push(@options, @source_options);
 					push(@options, @destination_options);
 
 					# Insert firewall rule.
 					if ($LOG && !$NAT) {
-						run("$IPTABLES -A $chain @options @log_limit_options -j LOG --log-prefix '$chain '");
+						run("$IPTABLES -A $chain @options @source_intf_options @destination_intf_options @log_limit_options -j LOG --log-prefix '$chain '");
 					}
-					run("$IPTABLES -A $chain @options -j $target");
+					run("$IPTABLES -A $chain @options @source_intf_options @destination_intf_options -j $target");
 
 					# Handle forwarding rules and add corresponding rules for firewall access.
 					if ($chain eq $CHAIN_FORWARD) {
@@ -508,17 +507,17 @@ sub buildrules {
 						# for the firewall, too.
 						if ($firewall_is_in_destination_subnet && ($target ~~ @special_input_targets)) {
 							if ($LOG && !$NAT) {
-								run("$IPTABLES -A $CHAIN_INPUT @options @log_limit_options -j LOG --log-prefix '$CHAIN_INPUT '");
+								run("$IPTABLES -A $CHAIN_INPUT @options @source_intf_options @log_limit_options -j LOG --log-prefix '$CHAIN_INPUT '");
 							}
-							run("$IPTABLES -A $CHAIN_INPUT @options -j $target");
+							run("$IPTABLES -A $CHAIN_INPUT @options @source_intf_options -j $target");
 						}
 
 						# Likewise.
 						if ($firewall_is_in_source_subnet && ($target ~~ @special_output_targets)) {
 							if ($LOG && !$NAT) {
-								run("$IPTABLES -A $CHAIN_OUTPUT @options @log_limit_options -j LOG --log-prefix '$CHAIN_OUTPUT '");
+								run("$IPTABLES -A $CHAIN_OUTPUT @options @destination_intf_options @log_limit_options -j LOG --log-prefix '$CHAIN_OUTPUT '");
 							}
-							run("$IPTABLES -A $CHAIN_OUTPUT @options -j $target");
+							run("$IPTABLES -A $CHAIN_OUTPUT @options @destination_intf_options -j $target");
 						}
 					}
 				}

config/rootfiles/common/i586/grub

@@ -146,6 +146,8 @@ usr/lib/grub/i386-pc
 #usr/lib/grub/i386-pc/drivemap.module
 #usr/lib/grub/i386-pc/echo.mod
 #usr/lib/grub/i386-pc/echo.module
+#usr/lib/grub/i386-pc/efiemu.mod
+#usr/lib/grub/i386-pc/efiemu.module
 #usr/lib/grub/i386-pc/ehci.mod
 #usr/lib/grub/i386-pc/ehci.module
 #usr/lib/grub/i386-pc/elf.mod

config/rootfiles/common/x86_64/grub

@@ -146,6 +146,8 @@ usr/lib/grub/i386-pc/drivemap.mod
 usr/lib/grub/i386-pc/drivemap.module
 usr/lib/grub/i386-pc/echo.mod
 usr/lib/grub/i386-pc/echo.module
+usr/lib/grub/i386-pc/efiemu.mod
+usr/lib/grub/i386-pc/efiemu.module
 usr/lib/grub/i386-pc/ehci.mod
 usr/lib/grub/i386-pc/ehci.module
 usr/lib/grub/i386-pc/elf.mod

config/rootfiles/core/132/filelists/files

@@ -5,6 +5,7 @@ etc/rc.d/init.d/suricata
 etc/suricata/suricata.yaml
 srv/web/ipfire/cgi-bin/credits.cgi
 srv/web/ipfire/cgi-bin/proxy.cgi
+usr/lib/firewall/rules.pl
 usr/sbin/convert-snort
 var/ipfire/ids-functions.pl
 var/ipfire/langs

config/rootfiles/core/132/update.sh

@@ -46,7 +46,7 @@ ldconfig
 /etc/init.d/suricata restart
 
 # This update needs a reboot...
-#touch /var/run/need_reboot
+touch /var/run/need_reboot
 
 # Finish
 /etc/init.d/fireinfo start

lfs/grub

@@ -101,6 +101,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/grub-2.02_disable_vga_fallback.patch
 	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/grub-2.02-xfs-accept-filesystem-with-sparse-inodes.patch
 	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/grub-2.02-fix-packed-not-aligned-error-on-gcc-8.patch
+	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/grub-2.02-X86_64_PLT32.patch
 
 	# Install unifont
 	cp -v $(DIR_DL)/unifont-7.0.03.pcf.gz $(DIR_APP)/unifont.pcf.gz

lfs/ipfire-netboot

@@ -77,6 +77,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 
 	# Extract iPXE source
 	cd $(DIR_APP) && tar axf $(DIR_DL)/ipxe-$(PXE_VER).tar.gz
+	cd $(DIR_APP)/ipxe-$(PXE_VER) && patch -Np1 < $(DIR_SRC)/src/patches/ipxe-fix-stringop-truncation-warning-with-gcc-8-x.patch
+	cd $(DIR_APP)/ipxe-$(PXE_VER) && patch -Np1 < $(DIR_SRC)/src/patches/ipxe-handle-R_X86_64_PLT32.patch
 	cd $(DIR_APP) && rm -rfv ipxe && ln -s ipxe-$(PXE_VER) ipxe
 	cd $(DIR_APP) && make $(MAKETUNING) bin/ipxe.lkrn
 ifeq "$(BUILD_ARCH)" "x86_64"

lfs/sarg

@@ -80,6 +80,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	$(UPDATE_AUTOMAKE)
 
 	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/sarg/sarg-2.3.11-format.patch
+	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/sarg/sarg-2.3.11-configure.patch
+
+	cd $(DIR_APP) && autoreconf -vfi
 
 	# Update gettext Makefile
 	cd $(DIR_APP) && cp -vf /usr/share/gettext/po/Makefile.in.in po/Makefile.in.in

src/patches/grub-2.02-X86_64_PLT32.patch

@@ -0,0 +1,75 @@
+From 02702bdfe14d8a04643a45b03715f734ae34dbac Mon Sep 17 00:00:00 2001
+From: "H.J. Lu" <hjl.tools@gmail.com>
+Date: Sat, 17 Feb 2018 06:47:28 -0800
+Subject: x86-64: Treat R_X86_64_PLT32 as R_X86_64_PC32
+
+Starting from binutils commit bd7ab16b4537788ad53521c45469a1bdae84ad4a:
+
+https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=bd7ab16b4537788ad53521c45469a1bdae84ad4a
+
+x86-64 assembler generates R_X86_64_PLT32, instead of R_X86_64_PC32, for
+32-bit PC-relative branches.  Grub2 should treat R_X86_64_PLT32 as
+R_X86_64_PC32.
+
+Signed-off-by: H.J. Lu <hjl.tools@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Origin: upstream, https://git.savannah.gnu.org/cgit/grub.git/commit/?id=842c390469e2c2e10b5aa36700324cd3bde25875
+Last-Update: 2018-07-30
+
+Patch-Name: R_X86_64_PLT32.patch
+---
+ grub-core/efiemu/i386/loadcore64.c | 1 +
+ grub-core/kern/x86_64/dl.c         | 1 +
+ util/grub-mkimagexx.c              | 1 +
+ util/grub-module-verifier.c        | 1 +
+ 4 files changed, 4 insertions(+)
+
+diff --git a/grub-core/efiemu/i386/loadcore64.c b/grub-core/efiemu/i386/loadcore64.c
+index e49d0b6ff..18facf47f 100644
+--- a/grub-core/efiemu/i386/loadcore64.c
++++ b/grub-core/efiemu/i386/loadcore64.c
+@@ -98,6 +98,7 @@ grub_arch_efiemu_relocate_symbols64 (grub_efiemu_segment_t segs,
+ 		    break;
+ 
+ 		  case R_X86_64_PC32:
++		  case R_X86_64_PLT32:
+ 		    err = grub_efiemu_write_value (addr,
+ 						   *addr32 + rel->r_addend
+ 						   + sym.off
+diff --git a/grub-core/kern/x86_64/dl.c b/grub-core/kern/x86_64/dl.c
+index 440690673..3a73e6e6c 100644
+--- a/grub-core/kern/x86_64/dl.c
++++ b/grub-core/kern/x86_64/dl.c
+@@ -70,6 +70,7 @@ grub_arch_dl_relocate_symbols (grub_dl_t mod, void *ehdr,
+ 	  break;
+ 
+ 	case R_X86_64_PC32:
++	case R_X86_64_PLT32:
+ 	  {
+ 	    grub_int64_t value;
+ 	    value = ((grub_int32_t) *addr32) + rel->r_addend + sym->st_value -
+diff --git a/util/grub-mkimagexx.c b/util/grub-mkimagexx.c
+index e63f148e4..f20255a28 100644
+--- a/util/grub-mkimagexx.c
++++ b/util/grub-mkimagexx.c
+@@ -832,6 +832,7 @@ SUFFIX (relocate_addresses) (Elf_Ehdr *e, Elf_Shdr *sections,
+ 		  break;
+ 
+ 		case R_X86_64_PC32:
++		case R_X86_64_PLT32:
+ 		  {
+ 		    grub_uint32_t *t32 = (grub_uint32_t *) target;
+ 		    *t32 = grub_host_to_target64 (grub_target_to_host32 (*t32)
+diff --git a/util/grub-module-verifier.c b/util/grub-module-verifier.c
+index 9179285a5..a79271f66 100644
+--- a/util/grub-module-verifier.c
++++ b/util/grub-module-verifier.c
+@@ -19,6 +19,7 @@ struct grub_module_verifier_arch archs[] = {
+       -1
+     }, (int[]){
+       R_X86_64_PC32,
++      R_X86_64_PLT32,
+       -1
+     }
+   },

src/patches/ipxe-fix-stringop-truncation-warning-with-gcc-8-x.patch

@@ -0,0 +1,32 @@
+From ddfb60813c74e988ba7c16dbbe1b163593c9da4e Mon Sep 17 00:00:00 2001
+From: Christian Hesse <mail@eworm.de>
+Date: Tue, 15 May 2018 23:25:01 +0200
+Subject: [PATCH] [build] fix stringop truncation warning with GCC 8.x
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+GCC 8.x gives a warning about stringop truncation:
+
+util/elf2efi.c:497:2: error: ‘strncpy’ specified bound 8 equals destination
+size [-Werror=stringop-truncation]
+
+It assumes that strncpy() is intended to copy strings, which are NULL
+terminated. We do copy fixed size memory regions, so use memcpy() instead.
+---
+ src/util/elf2efi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/util/elf2efi.c b/src/util/elf2efi.c
+index 6718df777..de3c92463 100644
+--- a/src/util/elf2efi.c
++++ b/src/util/elf2efi.c
+@@ -494,7 +494,7 @@ static struct pe_section * process_section ( struct elf_file *elf,
+ 	memset ( new, 0, sizeof ( *new ) + section_filesz );
+ 
+ 	/* Fill in section header details */
+-	strncpy ( ( char * ) new->hdr.Name, name, sizeof ( new->hdr.Name ) );
++	memcpy ( ( char * ) new->hdr.Name, name, sizeof ( new->hdr.Name ) );
+ 	new->hdr.Misc.VirtualSize = section_memsz;
+ 	new->hdr.VirtualAddress = shdr->sh_addr;
+ 	new->hdr.SizeOfRawData = section_filesz;

src/patches/ipxe-handle-R_X86_64_PLT32.patch

@@ -0,0 +1,23 @@
+From 5dce2d454b2829431e0484ac0f993b7a2759e0df Mon Sep 17 00:00:00 2001
+From: Christian Hesse <mail@eworm.de>
+Date: Sat, 25 Aug 2018 13:53:08 +0200
+Subject: [PATCH] [build] handle R_X86_64_PLT32 from binutils 2.31
+
+Starting from binutils 2.31.0 (commit bd7ab16b) x86-64 assembler
+generates R_X86_64_PLT32 instead of R_X86_64_PC32.
+---
+ src/util/elf2efi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/util/elf2efi.c b/src/util/elf2efi.c
+index 6718df777..2c5b9df8a 100644
+--- a/src/util/elf2efi.c
++++ b/src/util/elf2efi.c
+@@ -636,6 +636,7 @@ static void process_reloc ( struct elf_file *elf, const Elf_Shdr *shdr,
+ 		case ELF_MREL ( EM_ARM, R_ARM_THM_JUMP24 ) :
+ 		case ELF_MREL ( EM_ARM, R_ARM_V4BX ):
+ 		case ELF_MREL ( EM_X86_64, R_X86_64_PC32 ) :
++		case ELF_MREL ( EM_X86_64, R_X86_64_PLT32 ) :
+ 		case ELF_MREL ( EM_AARCH64, R_AARCH64_CALL26 ) :
+ 		case ELF_MREL ( EM_AARCH64, R_AARCH64_JUMP26 ) :
+ 		case ELF_MREL ( EM_AARCH64, R_AARCH64_ADR_PREL_LO21 ) :

src/patches/sarg/sarg-2.3.11-configure.patch

@@ -0,0 +1,38 @@
+--- sarg-2.3.11/configure.ac~	2019-04-26 22:34:33.499022406 +0000
++++ sarg-2.3.11/configure.ac	2019-04-26 22:35:11.886556020 +0000
+@@ -29,35 +29,6 @@
+ # Report more warnings to improve code quality.
+ CFLAGS="${CFLAGS} -Wall -Wno-sign-compare"
+ 
+-dnl Check for supported compiler options
+-
+-AC_MSG_CHECKING([for extra warnings flag in $CC])
+-saved_CFLAGS="${CFLAGS}"
+-CFLAGS="${CFLAGS} -Wextra -Wno-unused-parameter"
+-AC_COMPILE_IFELSE([AC_LANG_SOURCE([])],[have_extra_warnings="yes"],[have_extra_warnings="no"])
+-AC_MSG_RESULT($have_extra_warnings)
+-if test "$have_extra_warnings" = "no" ; then
+-    CFLAGS="${saved_CFLAGS}"
+-fi
+-
+-AC_MSG_CHECKING([for implicit-function-declaration error flag in $CC])
+-saved_CFLAGS="${CFLAGS}"
+-CFLAGS="${CFLAGS} -Werror=implicit-function-declaration"
+-AC_COMPILE_IFELSE([AC_LANG_SOURCE([])],[have_implicit_function_declaration="yes"],[have_implicit_function_declaration="no"])
+-AC_MSG_RESULT($have_implicit_function_declaration)
+-if test "$have_implicit_function_declaration" = "no" ; then
+-    CFLAGS="${saved_CFLAGS}"
+-fi
+-
+-AC_MSG_CHECKING([for format error flag in $CC])
+-saved_CFLAGS="${CFLAGS}"
+-CFLAGS="${CFLAGS} -Werror=format"
+-AC_COMPILE_IFELSE([AC_LANG_SOURCE([])],[have_error_format="yes"],[have_error_format="no"])
+-AC_MSG_RESULT($have_error_format)
+-if test "$have_error_format" = "no" ; then
+-    CFLAGS="${saved_CFLAGS}"
+-fi
+-
+ case "$host" in
+    *-solaris*)
+    LDFLAGS="${LDFLAGS} -lsocket -lnsl"

src/patches/sarg/sarg-2.3.11-format.patch

@@ -1,39 +1,45 @@
-diff -Naur sarg-2.3.11.org/index.c sarg-2.3.11/index.c
---- sarg-2.3.11.org/index.c	2018-01-14 19:00:22.000000000 +0100
-+++ sarg-2.3.11/index.c	2018-01-24 14:38:19.746338020 +0100
-@@ -89,9 +89,9 @@
- 	char monthdir[MAXLEN];
- 	char monthname1[9], monthname2[9];
- 	char nmonth[30];
--	char monthnum[10];
-+	char monthnum[15];
- 	char dayindex[MAXLEN];
--	char daynum[10];
-+	char daynum[15];
- 	char title[80];
- 	int yearsort[150];
- 	int nyears;
-diff -Naur sarg-2.3.11.org/report.c sarg-2.3.11/report.c
---- sarg-2.3.11.org/report.c	2018-01-14 19:00:23.000000000 +0100
-+++ sarg-2.3.11/report.c	2018-01-24 14:38:19.742337939 +0100
+diff -wbBur sarg-2.3.11/index.c sarg-2.3.11.my/index.c
+--- sarg-2.3.11/index.c	2018-01-14 21:00:22.000000000 +0300
++++ sarg-2.3.11.my/index.c	2018-02-19 12:20:15.896203347 +0300
+@@ -208,7 +208,7 @@
+ 			m1=month / 16;
+ 			if(month % 16 != 0) {
+ 				m2=month % 16;
+-				sprintf(monthnum,"%02d-%02d",m1,m2);
++				sprintf(monthnum,"%02u-%02u",(unsigned int)m1,(unsigned int)m2);
+ 				sprintf(monthname1,"%02d",m1);
+ 				sprintf(monthname2,"%02d",m2);
+ 				name_month(monthname1,sizeof(monthname1));
+@@ -269,7 +269,7 @@
+ 				d1=day / 32;
+ 				if(day % 32 != 0) {
+ 					d2=day % 32;
+-					sprintf(daynum,"%02d-%02d",d1,d2);
++					sprintf(daynum,"%02u-%02u",(unsigned int)d1,(unsigned int)d2);
+ 				} else {
+ 					sprintf(daynum,"%02d",d1);
+ 				}
+diff -wbBur sarg-2.3.11/report.c sarg-2.3.11.my/report.c
+--- sarg-2.3.11/report.c	2018-01-14 21:00:23.000000000 +0300
++++ sarg-2.3.11.my/report.c	2018-02-19 12:18:45.151207192 +0300
 @@ -54,7 +54,7 @@
  	char accsmart[MAXLEN];
  	char crc2[MAXLEN/2 -1];
  	char siteind[MAX_TRUNCATED_URL];
 -	char arqtt[256];
-+	char arqtt[MAX_USER_FNAME_LEN * 2 + MAXLEN + 10];
++	char arqtt[267];
  	char *oldurltt=NULL;
  	char oldaccdiatt[11],oldacchoratt[9];
  	char tmp3[MAXLEN];
-diff -Naur sarg-2.3.11.org/userinfo.c sarg-2.3.11/userinfo.c
---- sarg-2.3.11.org/userinfo.c	2013-06-01 20:02:04.000000000 +0200
-+++ sarg-2.3.11/userinfo.c	2018-01-24 14:38:19.746338020 +0100
+diff -wbBur sarg-2.3.11/userinfo.c sarg-2.3.11.my/userinfo.c
+--- sarg-2.3.11/userinfo.c	2013-06-01 22:02:04.000000000 +0400
++++ sarg-2.3.11.my/userinfo.c	2018-02-19 12:21:16.103200796 +0300
 @@ -67,7 +67,7 @@
  	int skip;
  	int flen;
  	int count, clen;
 -	char cstr[9];
-+	char cstr[10];
++	char cstr[11];
  
  	last=NULL;
  	for (group=first_user_group ; group ; group=group->next) {