diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl index 9817634c8..d2971566c 100644 --- a/config/firewall/rules.pl +++ b/config/firewall/rules.pl @@ -175,9 +175,9 @@ sub buildrules { } if ($POLICY_INPUT_ACTION eq "DROP") { - push(@special_input_targets, "REJECT"); + push(@special_input_targets, ("ACCEPT", "REJECT")); } elsif ($POLICY_INPUT_ACTION eq "REJECT") { - push(@special_input_targets, "DROP"); + push(@special_input_targets, ("ACCEPT", "DROP")); } my @special_output_targets = (); @@ -187,9 +187,9 @@ sub buildrules { push(@special_output_targets, "ACCEPT"); if ($POLICY_OUTPUT_ACTION eq "DROP") { - push(@special_output_targets, "REJECT"); + push(@special_output_targets, ("ACCEPT", "REJECT")); } elsif ($POLICY_OUTPUT_ACTION eq "REJECT") { - push(@special_output_targets, "DROP"); + push(@special_output_targets, ("ACCEPT", "DROP")); } } @@ -383,6 +383,19 @@ sub buildrules { push(@destination_options, ("-d", $destination)); } + # Add source and destination interface to the filter rules. + # These are supposed to help filtering forged packets that originate + # from BLUE with an IP address from GREEN for instance. + my @source_intf_options = (); + if ($source_intf) { + push(@source_intf_options, ("-i", $source_intf)); + } + + my @destination_intf_options = (); + if ($destination_intf) { + push(@destination_intf_options, ("-o", $destination_intf)); + } + # Add time constraint options. push(@options, @time_options); @@ -467,10 +480,7 @@ sub buildrules { } elsif ($NAT_MODE eq "SNAT") { my @nat_options = @options; - if ($destination_intf) { - push(@nat_options, ("-o", $destination_intf)); - } - + push(@nat_options, @destination_intf_options); push(@nat_options, @source_options); push(@nat_options, @destination_options); 
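Review bot: The new `push(@special_output_targets, ("ACCEPT", "REJECT"))` and `("ACCEPT", "DROP")` in the -187 hunk duplicate the unconditional `push(@special_output_targets, "ACCEPT");` that is visible as context directly above the `if`, so ACCEPT now appears twice in a list that only feeds a `~~` membership test. The `@special_input_targets` hunk at -175 starts after its list is initialised, so I cannot see whether the same unconditional push exists there; if it does, those two lines are equally redundant, and if it does not, that hunk is what first mirrors ACCEPT forward rules into the INPUT chain for the firewall host, which deserves a sentence in the commit message. Either way the intent reads more clearly stated once: keep the single unconditional `push(@special_output_targets, "ACCEPT");` and let the branches add only the complementary `"REJECT"` or `"DROP"`, or drop the unconditional line and keep the pairs. `buildrules` starts and ends outside both hunks.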
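Review bot: The comment moved along with `@source_intf_options` and `@destination_intf_options` in the -383 hunk explains why the interface match exists, but not why the two arrays are now kept out of `@options`, which is the actual change of this commit. I would extend it with `# Kept separate from @options: the mirrored INPUT rule below appends only -i and the mirrored OUTPUT rule only -o, because iptables rejects -o in INPUT and -i in OUTPUT.` The lines that consume the arrays are in the later hunks at -481 and -508, and the enclosing `buildrules` body starts and ends outside this hunk.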
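Review bot: The SNAT branch in the -467 hunk now takes its `-o` from `@destination_intf_options`, but the DNAT branch that precedes it is outside the hunk; if it still builds `-i` inline from `$source_intf` the way the SNAT branch used to build `-o`, it should use `@source_intf_options` the same way so the NAT rules and the filter rules derive the interface match from one place. I cannot confirm from the visible lines whether DNAT adds an interface match at all. `buildrules` continues outside the hunk on both sides.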
@@ -481,25 +491,14 @@ sub buildrules { } } - # Add source and destination interface to the filter rules. - # These are supposed to help filtering forged packets that originate - # from BLUE with an IP address from GREEN for instance. - if ($source_intf) { - push(@source_options, ("-i", $source_intf)); - } - - if ($destination_intf) { - push(@destination_options, ("-o", $destination_intf)); - } - push(@options, @source_options); push(@options, @destination_options); # Insert firewall rule. if ($LOG && !$NAT) { - run("$IPTABLES -A $chain @options @log_limit_options -j LOG --log-prefix '$chain '"); + run("$IPTABLES -A $chain @options @source_intf_options @destination_intf_options @log_limit_options -j LOG --log-prefix '$chain '"); } - run("$IPTABLES -A $chain @options -j $target"); + run("$IPTABLES -A $chain @options @source_intf_options @destination_intf_options -j $target"); # Handle forwarding rules and add corresponding rules for firewall access. if ($chain eq $CHAIN_FORWARD) { 
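Review bot: Both `run()` calls now splice the same three lists, `@options @source_intf_options @destination_intf_options`, into the command string, and the -508 hunk repeats the pattern with one list each; building `my @filter_options = (@options, @source_intf_options, @destination_intf_options);` once above the `if ($LOG && !$NAT)` and using it in both calls would keep the LOG rule and the target rule from drifting apart. Note also that `-o` is appended here regardless of `$chain`, while the `if ($chain eq $CHAIN_FORWARD)` test below shows `$chain` is not always FORWARD; the removed lines show `-o` used to travel inside `@options`, so this is not a regression, but if `$destination_intf` can be set while `$chain` is INPUT the rule is rejected by iptables, which is worth confirming against the callers. `buildrules` continues outside the hunk on both sides.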
@@ -508,17 +507,17 @@ sub buildrules { # for the firewall, too. if ($firewall_is_in_destination_subnet && ($target ~~ @special_input_targets)) { if ($LOG && !$NAT) { - run("$IPTABLES -A $CHAIN_INPUT @options @log_limit_options -j LOG --log-prefix '$CHAIN_INPUT '"); + run("$IPTABLES -A $CHAIN_INPUT @options @source_intf_options @log_limit_options -j LOG --log-prefix '$CHAIN_INPUT '"); } - run("$IPTABLES -A $CHAIN_INPUT @options -j $target"); + run("$IPTABLES -A $CHAIN_INPUT @options @source_intf_options -j $target"); } # Likewise. if ($firewall_is_in_source_subnet && ($target ~~ @special_output_targets)) { if ($LOG && !$NAT) { - run("$IPTABLES -A $CHAIN_OUTPUT @options @log_limit_options -j LOG --log-prefix '$CHAIN_OUTPUT '"); + run("$IPTABLES -A $CHAIN_OUTPUT @options @destination_intf_options @log_limit_options -j LOG --log-prefix '$CHAIN_OUTPUT '"); } - run("$IPTABLES -A $CHAIN_OUTPUT @options -j $target"); + run("$IPTABLES -A $CHAIN_OUTPUT @options @destination_intf_options -j $target"); } } } diff --git a/config/rootfiles/common/i586/grub b/config/rootfiles/common/i586/grub index d8bd62113..bc28d4593 100644 --- a/config/rootfiles/common/i586/grub +++ b/config/rootfiles/common/i586/grub @@ -146,6 +146,8 @@ usr/lib/grub/i386-pc #usr/lib/grub/i386-pc/drivemap.module #usr/lib/grub/i386-pc/echo.mod #usr/lib/grub/i386-pc/echo.module +#usr/lib/grub/i386-pc/efiemu.mod +#usr/lib/grub/i386-pc/efiemu.module #usr/lib/grub/i386-pc/ehci.mod #usr/lib/grub/i386-pc/ehci.module #usr/lib/grub/i386-pc/elf.mod diff --git a/config/rootfiles/common/x86_64/grub b/config/rootfiles/common/x86_64/grub index c73e33986..c6fcfc78f 100644 --- a/config/rootfiles/common/x86_64/grub +++ b/config/rootfiles/common/x86_64/grub 
@@ -146,6 +146,8 @@ usr/lib/grub/i386-pc/drivemap.mod usr/lib/grub/i386-pc/drivemap.module usr/lib/grub/i386-pc/echo.mod usr/lib/grub/i386-pc/echo.module +usr/lib/grub/i386-pc/efiemu.mod +usr/lib/grub/i386-pc/efiemu.module usr/lib/grub/i386-pc/ehci.mod usr/lib/grub/i386-pc/ehci.module usr/lib/grub/i386-pc/elf.mod diff --git a/config/rootfiles/core/132/filelists/files b/config/rootfiles/core/132/filelists/files index 346b79c91..875dd3048 100644 --- a/config/rootfiles/core/132/filelists/files +++ b/config/rootfiles/core/132/filelists/files @@ -5,6 +5,7 @@ etc/rc.d/init.d/suricata etc/suricata/suricata.yaml srv/web/ipfire/cgi-bin/credits.cgi srv/web/ipfire/cgi-bin/proxy.cgi +usr/lib/firewall/rules.pl usr/sbin/convert-snort var/ipfire/ids-functions.pl var/ipfire/langs diff --git a/config/rootfiles/core/132/update.sh b/config/rootfiles/core/132/update.sh index 53db5cb96..518c5b38c 100644 --- a/config/rootfiles/core/132/update.sh +++ b/config/rootfiles/core/132/update.sh @@ -46,7 +46,7 @@ ldconfig /etc/init.d/suricata restart # This update needs a reboot... -#touch /var/run/need_reboot +touch /var/run/need_reboot # Finish /etc/init.d/fireinfo start diff --git a/lfs/grub b/lfs/grub index 56cc9b557..67a9e1002 100644 --- a/lfs/grub +++ b/lfs/grub @@ -101,6 +101,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/grub-2.02_disable_vga_fallback.patch cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/grub-2.02-xfs-accept-filesystem-with-sparse-inodes.patch cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/grub-2.02-fix-packed-not-aligned-error-on-gcc-8.patch + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/grub-2.02-X86_64_PLT32.patch # Install unifont cp -v $(DIR_DL)/unifont-7.0.03.pcf.gz $(DIR_APP)/unifont.pcf.gz diff --git a/lfs/ipfire-netboot b/lfs/ipfire-netboot index b316c9bbd..23f5d4375 100644 --- a/lfs/ipfire-netboot +++ b/lfs/ipfire-netboot 
@@ -77,6 +77,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) # Extract iPXE source cd $(DIR_APP) && tar axf $(DIR_DL)/ipxe-$(PXE_VER).tar.gz + cd $(DIR_APP)/ipxe-$(PXE_VER) && patch -Np1 < $(DIR_SRC)/src/patches/ipxe-fix-stringop-truncation-warning-with-gcc-8-x.patch + cd $(DIR_APP)/ipxe-$(PXE_VER) && patch -Np1 < $(DIR_SRC)/src/patches/ipxe-handle-R_X86_64_PLT32.patch cd $(DIR_APP) && rm -rfv ipxe && ln -s ipxe-$(PXE_VER) ipxe cd $(DIR_APP) && make $(MAKETUNING) bin/ipxe.lkrn ifeq "$(BUILD_ARCH)" "x86_64" diff --git a/lfs/sarg b/lfs/sarg index c35ca8df0..622f719fd 100644 --- a/lfs/sarg +++ b/lfs/sarg @@ -80,6 +80,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) $(UPDATE_AUTOMAKE) cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/sarg/sarg-2.3.11-format.patch + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/sarg/sarg-2.3.11-configure.patch + + cd $(DIR_APP) && autoreconf -vfi # Update gettext Makefile cd $(DIR_APP) && cp -vf /usr/share/gettext/po/Makefile.in.in po/Makefile.in.in diff --git a/src/patches/grub-2.02-X86_64_PLT32.patch b/src/patches/grub-2.02-X86_64_PLT32.patch new file mode 100644 index 000000000..2c65cb78a --- /dev/null +++ b/src/patches/grub-2.02-X86_64_PLT32.patch 
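Review bot: In the lfs/sarg hunk, `autoreconf -vfi` now runs after `$(UPDATE_AUTOMAKE)`, and with `-f -i` it regenerates the build system and reinstalls the auxiliary files; if `$(UPDATE_AUTOMAKE)` exists to drop in newer `config.guess`/`config.sub` (its definition is not in this diff), autoreconf may overwrite them again and the two steps should be ordered the other way round. Regenerating is required once `configure.ac` is patched, so placing the new `patch` line before it is right. A short comment such as `# configure.ac was patched above, regenerate configure` would explain why this package alone reruns autoreconf. The target's recipe continues outside the hunk.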
@@ -0,0 +1,75 @@ +From 02702bdfe14d8a04643a45b03715f734ae34dbac Mon Sep 17 00:00:00 2001 +From: "H.J. Lu" +Date: Sat, 17 Feb 2018 06:47:28 -0800 +Subject: x86-64: Treat R_X86_64_PLT32 as R_X86_64_PC32 + +Starting from binutils commit bd7ab16b4537788ad53521c45469a1bdae84ad4a: + +https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=bd7ab16b4537788ad53521c45469a1bdae84ad4a + +x86-64 assembler generates R_X86_64_PLT32, instead of R_X86_64_PC32, for +32-bit PC-relative branches. Grub2 should treat R_X86_64_PLT32 as +R_X86_64_PC32. + +Signed-off-by: H.J. Lu +Reviewed-by: Daniel Kiper + +Origin: upstream, https://git.savannah.gnu.org/cgit/grub.git/commit/?id=842c390469e2c2e10b5aa36700324cd3bde25875 +Last-Update: 2018-07-30 + +Patch-Name: R_X86_64_PLT32.patch +--- + grub-core/efiemu/i386/loadcore64.c | 1 + + grub-core/kern/x86_64/dl.c | 1 + + util/grub-mkimagexx.c | 1 + + util/grub-module-verifier.c | 1 + + 4 files changed, 4 insertions(+) + +diff --git a/grub-core/efiemu/i386/loadcore64.c b/grub-core/efiemu/i386/loadcore64.c +index e49d0b6ff..18facf47f 100644 +--- a/grub-core/efiemu/i386/loadcore64.c ++++ b/grub-core/efiemu/i386/loadcore64.c +@@ -98,6 +98,7 @@ grub_arch_efiemu_relocate_symbols64 (grub_efiemu_segment_t segs, + break; + + case R_X86_64_PC32: ++ case R_X86_64_PLT32: + err = grub_efiemu_write_value (addr, + *addr32 + rel->r_addend + + sym.off +diff --git a/grub-core/kern/x86_64/dl.c b/grub-core/kern/x86_64/dl.c +index 440690673..3a73e6e6c 100644 +--- a/grub-core/kern/x86_64/dl.c ++++ b/grub-core/kern/x86_64/dl.c +@@ -70,6 +70,7 @@ grub_arch_dl_relocate_symbols (grub_dl_t mod, void *ehdr, + break; + + case R_X86_64_PC32: ++ case R_X86_64_PLT32: + { + grub_int64_t value; + value = ((grub_int32_t) *addr32) + rel->r_addend + sym->st_value - +diff --git a/util/grub-mkimagexx.c b/util/grub-mkimagexx.c +index e63f148e4..f20255a28 100644 +--- a/util/grub-mkimagexx.c ++++ b/util/grub-mkimagexx.c +@@ -832,6 +832,7 @@ SUFFIX (relocate_addresses) (Elf_Ehdr *e, 
Elf_Shdr *sections, + break; + + case R_X86_64_PC32: ++ case R_X86_64_PLT32: + { + grub_uint32_t *t32 = (grub_uint32_t *) target; + *t32 = grub_host_to_target64 (grub_target_to_host32 (*t32) +diff --git a/util/grub-module-verifier.c b/util/grub-module-verifier.c +index 9179285a5..a79271f66 100644 +--- a/util/grub-module-verifier.c ++++ b/util/grub-module-verifier.c +@@ -19,6 +19,7 @@ struct grub_module_verifier_arch archs[] = { + -1 + }, (int[]){ + R_X86_64_PC32, ++ R_X86_64_PLT32, + -1 + } + }, diff --git a/src/patches/ipxe-fix-stringop-truncation-warning-with-gcc-8-x.patch b/src/patches/ipxe-fix-stringop-truncation-warning-with-gcc-8-x.patch new file mode 100644 index 000000000..af4bd5926 --- /dev/null +++ b/src/patches/ipxe-fix-stringop-truncation-warning-with-gcc-8-x.patch 
@@ -0,0 +1,32 @@ +From ddfb60813c74e988ba7c16dbbe1b163593c9da4e Mon Sep 17 00:00:00 2001 +From: Christian Hesse +Date: Tue, 15 May 2018 23:25:01 +0200 +Subject: [PATCH] [build] fix stringop truncation warning with GCC 8.x +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +GCC 8.x gives a warning about stringop truncation: + +util/elf2efi.c:497:2: error: ‘strncpy’ specified bound 8 equals destination +size [-Werror=stringop-truncation] + +It assumes that strncpy() is intended to copy strings, which are NULL +terminated. We do copy fixed size memory regions, so use memcpy() instead. +--- + src/util/elf2efi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/util/elf2efi.c b/src/util/elf2efi.c +index 6718df777..de3c92463 100644 +--- a/src/util/elf2efi.c ++++ b/src/util/elf2efi.c +@@ -494,7 +494,7 @@ static struct pe_section * process_section ( struct elf_file *elf, + memset ( new, 0, sizeof ( *new ) + section_filesz ); + + /* Fill in section header details */ +- strncpy ( ( char * ) new->hdr.Name, name, sizeof ( new->hdr.Name ) ); ++ memcpy ( ( char * ) new->hdr.Name, name, sizeof ( new->hdr.Name ) ); + new->hdr.Misc.VirtualSize = section_memsz; + new->hdr.VirtualAddress = shdr->sh_addr; + new->hdr.SizeOfRawData = section_filesz; diff --git a/src/patches/ipxe-handle-R_X86_64_PLT32.patch b/src/patches/ipxe-handle-R_X86_64_PLT32.patch new file mode 100644 index 000000000..ef2d4343e --- /dev/null +++ b/src/patches/ipxe-handle-R_X86_64_PLT32.patch 
@@ -0,0 +1,23 @@ +From 5dce2d454b2829431e0484ac0f993b7a2759e0df Mon Sep 17 00:00:00 2001 +From: Christian Hesse +Date: Sat, 25 Aug 2018 13:53:08 +0200 +Subject: [PATCH] [build] handle R_X86_64_PLT32 from binutils 2.31 + +Starting from binutils 2.31.0 (commit bd7ab16b) x86-64 assembler +generates R_X86_64_PLT32 instead of R_X86_64_PC32. +--- + src/util/elf2efi.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/util/elf2efi.c b/src/util/elf2efi.c +index 6718df777..2c5b9df8a 100644 +--- a/src/util/elf2efi.c ++++ b/src/util/elf2efi.c +@@ -636,6 +636,7 @@ static void process_reloc ( struct elf_file *elf, const Elf_Shdr *shdr, + case ELF_MREL ( EM_ARM, R_ARM_THM_JUMP24 ) : + case ELF_MREL ( EM_ARM, R_ARM_V4BX ): + case ELF_MREL ( EM_X86_64, R_X86_64_PC32 ) : ++ case ELF_MREL ( EM_X86_64, R_X86_64_PLT32 ) : + case ELF_MREL ( EM_AARCH64, R_AARCH64_CALL26 ) : + case ELF_MREL ( EM_AARCH64, R_AARCH64_JUMP26 ) : + case ELF_MREL ( EM_AARCH64, R_AARCH64_ADR_PREL_LO21 ) : diff --git a/src/patches/sarg/sarg-2.3.11-configure.patch b/src/patches/sarg/sarg-2.3.11-configure.patch new file mode 100644 index 000000000..ca9695595 --- /dev/null +++ b/src/patches/sarg/sarg-2.3.11-configure.patch 
@@ -0,0 +1,38 @@ +--- sarg-2.3.11/configure.ac~ 2019-04-26 22:34:33.499022406 +0000 ++++ sarg-2.3.11/configure.ac 2019-04-26 22:35:11.886556020 +0000 +@@ -29,35 +29,6 @@ + # Report more warnings to improve code quality. + CFLAGS="${CFLAGS} -Wall -Wno-sign-compare" + +-dnl Check for supported compiler options +- +-AC_MSG_CHECKING([for extra warnings flag in $CC]) +-saved_CFLAGS="${CFLAGS}" +-CFLAGS="${CFLAGS} -Wextra -Wno-unused-parameter" +-AC_COMPILE_IFELSE([AC_LANG_SOURCE([])],[have_extra_warnings="yes"],[have_extra_warnings="no"]) +-AC_MSG_RESULT($have_extra_warnings) +-if test "$have_extra_warnings" = "no" ; then +- CFLAGS="${saved_CFLAGS}" +-fi +- +-AC_MSG_CHECKING([for implicit-function-declaration error flag in $CC]) +-saved_CFLAGS="${CFLAGS}" +-CFLAGS="${CFLAGS} -Werror=implicit-function-declaration" +-AC_COMPILE_IFELSE([AC_LANG_SOURCE([])],[have_implicit_function_declaration="yes"],[have_implicit_function_declaration="no"]) +-AC_MSG_RESULT($have_implicit_function_declaration) +-if test "$have_implicit_function_declaration" = "no" ; then +- CFLAGS="${saved_CFLAGS}" +-fi +- +-AC_MSG_CHECKING([for format error flag in $CC]) +-saved_CFLAGS="${CFLAGS}" +-CFLAGS="${CFLAGS} -Werror=format" +-AC_COMPILE_IFELSE([AC_LANG_SOURCE([])],[have_error_format="yes"],[have_error_format="no"]) +-AC_MSG_RESULT($have_error_format) +-if test "$have_error_format" = "no" ; then +- CFLAGS="${saved_CFLAGS}" +-fi +- + case "$host" in + *-solaris*) + LDFLAGS="${LDFLAGS} -lsocket -lnsl" diff --git a/src/patches/sarg/sarg-2.3.11-format.patch b/src/patches/sarg/sarg-2.3.11-format.patch index b03636d0c..d8ed22028 100644 --- a/src/patches/sarg/sarg-2.3.11-format.patch +++ b/src/patches/sarg/sarg-2.3.11-format.patch 
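Review bot: The patch removes all three compiler-flag probes from `configure.ac`, including the one for `-Werror=implicit-function-declaration`; that flag catches calls to undeclared functions, which on 64-bit builds silently truncate returned pointers to `int`, so dropping it loses a cheap build-time check that has nothing to do with format diagnostics. If the motivation is that GCC 8 turns the format-truncation warnings in `index.c`/`report.c` into errors under `-Werror=format` (inferred from the sibling `sarg-2.3.11-format.patch`, not stated here), removing only the `-Werror=format` block, or keeping it and appending `-Wno-format-truncation`, would be the narrower fix. A one-line header in the patch file saying why each probe is removed would also help the next rebase.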
@@ -1,39 +1,45 @@ -diff -Naur sarg-2.3.11.org/index.c sarg-2.3.11/index.c ---- sarg-2.3.11.org/index.c 2018-01-14 19:00:22.000000000 +0100 -+++ sarg-2.3.11/index.c 2018-01-24 14:38:19.746338020 +0100 -@@ -89,9 +89,9 @@ - char monthdir[MAXLEN]; - char monthname1[9], monthname2[9]; - char nmonth[30]; -- char monthnum[10]; -+ char monthnum[15]; - char dayindex[MAXLEN]; -- char daynum[10]; -+ char daynum[15]; - char title[80]; - int yearsort[150]; - int nyears; -diff -Naur sarg-2.3.11.org/report.c sarg-2.3.11/report.c ---- sarg-2.3.11.org/report.c 2018-01-14 19:00:23.000000000 +0100 -+++ sarg-2.3.11/report.c 2018-01-24 14:38:19.742337939 +0100 +diff -wbBur sarg-2.3.11/index.c sarg-2.3.11.my/index.c +--- sarg-2.3.11/index.c 2018-01-14 21:00:22.000000000 +0300 ++++ sarg-2.3.11.my/index.c 2018-02-19 12:20:15.896203347 +0300 +@@ -208,7 +208,7 @@ + m1=month / 16; + if(month % 16 != 0) { + m2=month % 16; +- sprintf(monthnum,"%02d-%02d",m1,m2); ++ sprintf(monthnum,"%02u-%02u",(unsigned int)m1,(unsigned int)m2); + sprintf(monthname1,"%02d",m1); + sprintf(monthname2,"%02d",m2); + name_month(monthname1,sizeof(monthname1)); +@@ -269,7 +269,7 @@ + d1=day / 32; + if(day % 32 != 0) { + d2=day % 32; +- sprintf(daynum,"%02d-%02d",d1,d2); ++ sprintf(daynum,"%02u-%02u",(unsigned int)d1,(unsigned int)d2); + } else { + sprintf(daynum,"%02d",d1); + } +diff -wbBur sarg-2.3.11/report.c sarg-2.3.11.my/report.c +--- sarg-2.3.11/report.c 2018-01-14 21:00:23.000000000 +0300 ++++ sarg-2.3.11.my/report.c 2018-02-19 12:18:45.151207192 +0300 
@@ -54,7 +54,7 @@ char accsmart[MAXLEN]; char crc2[MAXLEN/2 -1]; char siteind[MAX_TRUNCATED_URL]; - char arqtt[256]; -+ char arqtt[MAX_USER_FNAME_LEN * 2 + MAXLEN + 10]; ++ char arqtt[267]; char *oldurltt=NULL; char oldaccdiatt[11],oldacchoratt[9]; char tmp3[MAXLEN]; -diff -Naur sarg-2.3.11.org/userinfo.c sarg-2.3.11/userinfo.c ---- sarg-2.3.11.org/userinfo.c 2013-06-01 20:02:04.000000000 +0200 -+++ sarg-2.3.11/userinfo.c 2018-01-24 14:38:19.746338020 +0100 +diff -wbBur sarg-2.3.11/userinfo.c sarg-2.3.11.my/userinfo.c +--- sarg-2.3.11/userinfo.c 2013-06-01 22:02:04.000000000 +0400 ++++ sarg-2.3.11.my/userinfo.c 2018-02-19 12:21:16.103200796 +0300 @@ -67,7 +67,7 @@ int skip; int flen; int count, clen; - char cstr[9]; -+ char cstr[10]; ++ char cstr[11]; last=NULL; for (group=first_user_group ; group ; group=group->next) {
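Review bot: `char arqtt[267];` replaces the previous `MAX_USER_FNAME_LEN * 2 + MAXLEN + 10`, so the buffer is now a bare number that no longer follows the macros it is derived from; if `MAXLEN` or `MAX_USER_FNAME_LEN` ever change, the `sprintf` that fills `arqtt` (not in this hunk) can overflow again without any diagnostic. Keep the macro expression, or at least add `/* sized for the sprintf below; see MAXLEN/MAX_USER_FNAME_LEN */` explaining where 267 comes from, and the same for `cstr[11]` in `userinfo.c`, where the sizing rule is not stated either. In the `index.c` hunks above, the `(unsigned int)` casts with `%02u` only change how a negative `month`/`day` would be rendered (as a ten-digit value) while `monthnum`/`daynum` stay at the original `[10]` that the dropped version of this patch widened to 15; if those values can be negative or large the overflow the compiler flagged is still there, so I would keep the wider buffers alongside the casts.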