From 7f156022b50ef8add8d55bb2983cbf105e6ba976 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Sat, 27 Apr 2019 00:21:39 +0100 Subject: [PATCH 1/8] sarg: Fix build with newer GCCs Signed-off-by: Michael Tremer --- lfs/sarg | 3 ++ src/patches/sarg/sarg-2.3.11-configure.patch | 38 ++++++++++++++ src/patches/sarg/sarg-2.3.11-format.patch | 52 +++++++++++--------- 3 files changed, 70 insertions(+), 23 deletions(-) create mode 100644 src/patches/sarg/sarg-2.3.11-configure.patch diff --git a/lfs/sarg b/lfs/sarg index c35ca8df0..622f719fd 100644 --- a/lfs/sarg +++ b/lfs/sarg @@ -80,6 +80,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) $(UPDATE_AUTOMAKE) cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/sarg/sarg-2.3.11-format.patch + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/sarg/sarg-2.3.11-configure.patch + + cd $(DIR_APP) && autoreconf -vfi # Update gettext Makefile cd $(DIR_APP) && cp -vf /usr/share/gettext/po/Makefile.in.in po/Makefile.in.in diff --git a/src/patches/sarg/sarg-2.3.11-configure.patch b/src/patches/sarg/sarg-2.3.11-configure.patch new file mode 100644 index 000000000..ca9695595 --- /dev/null +++ b/src/patches/sarg/sarg-2.3.11-configure.patch 
@@ -0,0 +1,38 @@ +--- sarg-2.3.11/configure.ac~ 2019-04-26 22:34:33.499022406 +0000 ++++ sarg-2.3.11/configure.ac 2019-04-26 22:35:11.886556020 +0000 +@@ -29,35 +29,6 @@ + # Report more warnings to improve code quality. + CFLAGS="${CFLAGS} -Wall -Wno-sign-compare" + +-dnl Check for supported compiler options +- +-AC_MSG_CHECKING([for extra warnings flag in $CC]) +-saved_CFLAGS="${CFLAGS}" +-CFLAGS="${CFLAGS} -Wextra -Wno-unused-parameter" +-AC_COMPILE_IFELSE([AC_LANG_SOURCE([])],[have_extra_warnings="yes"],[have_extra_warnings="no"]) +-AC_MSG_RESULT($have_extra_warnings) +-if test "$have_extra_warnings" = "no" ; then +- CFLAGS="${saved_CFLAGS}" +-fi +- +-AC_MSG_CHECKING([for implicit-function-declaration error flag in $CC]) +-saved_CFLAGS="${CFLAGS}" +-CFLAGS="${CFLAGS} -Werror=implicit-function-declaration" +-AC_COMPILE_IFELSE([AC_LANG_SOURCE([])],[have_implicit_function_declaration="yes"],[have_implicit_function_declaration="no"]) +-AC_MSG_RESULT($have_implicit_function_declaration) +-if test "$have_implicit_function_declaration" = "no" ; then +- CFLAGS="${saved_CFLAGS}" +-fi +- +-AC_MSG_CHECKING([for format error flag in $CC]) +-saved_CFLAGS="${CFLAGS}" +-CFLAGS="${CFLAGS} -Werror=format" +-AC_COMPILE_IFELSE([AC_LANG_SOURCE([])],[have_error_format="yes"],[have_error_format="no"]) +-AC_MSG_RESULT($have_error_format) +-if test "$have_error_format" = "no" ; then +- CFLAGS="${saved_CFLAGS}" +-fi +- + case "$host" in + *-solaris*) + LDFLAGS="${LDFLAGS} -lsocket -lnsl" diff --git a/src/patches/sarg/sarg-2.3.11-format.patch b/src/patches/sarg/sarg-2.3.11-format.patch index b03636d0c..d8ed22028 100644 --- a/src/patches/sarg/sarg-2.3.11-format.patch +++ b/src/patches/sarg/sarg-2.3.11-format.patch 
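Review bot: Deleting the `-Werror=implicit-function-declaration` and `-Werror=format` probes removes the two checks that turn real memory-safety bugs into build failures — a printf argument mismatch or an implicitly declared function (defaulting to `int`, truncating pointers on x86_64) now compiles silently, and the commit message does not say which of the three probes actually broke with newer GCC. The unconditional `CFLAGS=` line that survives already assumes a GCC-compatible compiler, so the error flags can simply live there instead of being probed: `CFLAGS="${CFLAGS} -Wall -Wno-sign-compare -Werror=implicit-function-declaration -Werror=format"`. If only the `-Wextra` probe was the problem, the other two blocks could be left in place unchanged.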
@@ -1,39 +1,45 @@ -diff -Naur sarg-2.3.11.org/index.c sarg-2.3.11/index.c ---- sarg-2.3.11.org/index.c 2018-01-14 19:00:22.000000000 +0100 -+++ sarg-2.3.11/index.c 2018-01-24 14:38:19.746338020 +0100 -@@ -89,9 +89,9 @@ - char monthdir[MAXLEN]; - char monthname1[9], monthname2[9]; - char nmonth[30]; -- char monthnum[10]; -+ char monthnum[15]; - char dayindex[MAXLEN]; -- char daynum[10]; -+ char daynum[15]; - char title[80]; - int yearsort[150]; - int nyears; -diff -Naur sarg-2.3.11.org/report.c sarg-2.3.11/report.c ---- sarg-2.3.11.org/report.c 2018-01-14 19:00:23.000000000 +0100 -+++ sarg-2.3.11/report.c 2018-01-24 14:38:19.742337939 +0100 +diff -wbBur sarg-2.3.11/index.c sarg-2.3.11.my/index.c +--- sarg-2.3.11/index.c 2018-01-14 21:00:22.000000000 +0300 ++++ sarg-2.3.11.my/index.c 2018-02-19 12:20:15.896203347 +0300 +@@ -208,7 +208,7 @@ + m1=month / 16; + if(month % 16 != 0) { + m2=month % 16; +- sprintf(monthnum,"%02d-%02d",m1,m2); ++ sprintf(monthnum,"%02u-%02u",(unsigned int)m1,(unsigned int)m2); + sprintf(monthname1,"%02d",m1); + sprintf(monthname2,"%02d",m2); + name_month(monthname1,sizeof(monthname1)); +@@ -269,7 +269,7 @@ + d1=day / 32; + if(day % 32 != 0) { + d2=day % 32; +- sprintf(daynum,"%02d-%02d",d1,d2); ++ sprintf(daynum,"%02u-%02u",(unsigned int)d1,(unsigned int)d2); + } else { + sprintf(daynum,"%02d",d1); + } +diff -wbBur sarg-2.3.11/report.c sarg-2.3.11.my/report.c +--- sarg-2.3.11/report.c 2018-01-14 21:00:23.000000000 +0300 ++++ sarg-2.3.11.my/report.c 2018-02-19 12:18:45.151207192 +0300 
@@ -54,7 +54,7 @@ char accsmart[MAXLEN]; char crc2[MAXLEN/2 -1]; char siteind[MAX_TRUNCATED_URL]; - char arqtt[256]; -+ char arqtt[MAX_USER_FNAME_LEN * 2 + MAXLEN + 10]; ++ char arqtt[267]; char *oldurltt=NULL; char oldaccdiatt[11],oldacchoratt[9]; char tmp3[MAXLEN]; -diff -Naur sarg-2.3.11.org/userinfo.c sarg-2.3.11/userinfo.c ---- sarg-2.3.11.org/userinfo.c 2013-06-01 20:02:04.000000000 +0200 -+++ sarg-2.3.11/userinfo.c 2018-01-24 14:38:19.746338020 +0100 +diff -wbBur sarg-2.3.11/userinfo.c sarg-2.3.11.my/userinfo.c +--- sarg-2.3.11/userinfo.c 2013-06-01 22:02:04.000000000 +0400 ++++ sarg-2.3.11.my/userinfo.c 2018-02-19 12:21:16.103200796 +0300 @@ -67,7 +67,7 @@ int skip; int flen; int count, clen; - char cstr[9]; -+ char cstr[10]; ++ char cstr[11]; last=NULL; for (group=first_user_group ; group ; group=group->next) { From bab38dad60b7385127a26a9beb8d3fd637e77e8c Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Sat, 27 Apr 2019 01:40:43 +0100 Subject: [PATCH 2/8] ipfire-netboot: Fix compiling and linking with new GCC & binutils Signed-off-by: Michael Tremer --- lfs/ipfire-netboot | 2 ++ ...ngop-truncation-warning-with-gcc-8-x.patch | 32 +++++++++++++++++++ src/patches/ipxe-handle-R_X86_64_PLT32.patch | 23 +++++++++++++ 3 files changed, 57 insertions(+) create mode 100644 src/patches/ipxe-fix-stringop-truncation-warning-with-gcc-8-x.patch create mode 100644 src/patches/ipxe-handle-R_X86_64_PLT32.patch diff --git a/lfs/ipfire-netboot b/lfs/ipfire-netboot index b316c9bbd..23f5d4375 100644 --- a/lfs/ipfire-netboot +++ b/lfs/ipfire-netboot 
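Review bot: In the new index.c hunks, casting `m1`/`m2` and `d1`/`d2` to `unsigned int` and printing with `%02u` silences the GCC format-overflow diagnostic without bounding the write: `sprintf` still targets the fixed-size `monthnum`/`daynum` arrays (declared outside the hunk, 10 bytes according to the lines the old patch removed), and since the range of `month`/`day` is not visible here, a stray value can expand to ten digits per field and overrun the buffer — which is what the previous version of this patch avoided by widening the arrays to 15. Use a bounded write instead, `snprintf(monthnum,sizeof(monthnum),"%02u-%02u",(unsigned int)m1,(unsigned int)m2);`, and the same for `daynum`. The report.c change `char arqtt[267];` replaces a size derived from the macros with a magic number; a comment saying how 267 was arrived at would help whoever next edits the format string that fills it. All three enclosing functions start and end outside the hunks.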
@@ -77,6 +77,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) # Extract iPXE source cd $(DIR_APP) && tar axf $(DIR_DL)/ipxe-$(PXE_VER).tar.gz + cd $(DIR_APP)/ipxe-$(PXE_VER) && patch -Np1 < $(DIR_SRC)/src/patches/ipxe-fix-stringop-truncation-warning-with-gcc-8-x.patch + cd $(DIR_APP)/ipxe-$(PXE_VER) && patch -Np1 < $(DIR_SRC)/src/patches/ipxe-handle-R_X86_64_PLT32.patch cd $(DIR_APP) && rm -rfv ipxe && ln -s ipxe-$(PXE_VER) ipxe cd $(DIR_APP) && make $(MAKETUNING) bin/ipxe.lkrn ifeq "$(BUILD_ARCH)" "x86_64" diff --git a/src/patches/ipxe-fix-stringop-truncation-warning-with-gcc-8-x.patch b/src/patches/ipxe-fix-stringop-truncation-warning-with-gcc-8-x.patch new file mode 100644 index 000000000..af4bd5926 --- /dev/null +++ b/src/patches/ipxe-fix-stringop-truncation-warning-with-gcc-8-x.patch 
@@ -0,0 +1,32 @@ +From ddfb60813c74e988ba7c16dbbe1b163593c9da4e Mon Sep 17 00:00:00 2001 +From: Christian Hesse +Date: Tue, 15 May 2018 23:25:01 +0200 +Subject: [PATCH] [build] fix stringop truncation warning with GCC 8.x +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +GCC 8.x gives a warning about stringop truncation: + +util/elf2efi.c:497:2: error: ‘strncpy’ specified bound 8 equals destination +size [-Werror=stringop-truncation] + +It assumes that strncpy() is intended to copy strings, which are NULL +terminated. We do copy fixed size memory regions, so use memcpy() instead. +--- + src/util/elf2efi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/util/elf2efi.c b/src/util/elf2efi.c +index 6718df777..de3c92463 100644 +--- a/src/util/elf2efi.c ++++ b/src/util/elf2efi.c +@@ -494,7 +494,7 @@ static struct pe_section * process_section ( struct elf_file *elf, + memset ( new, 0, sizeof ( *new ) + section_filesz ); + + /* Fill in section header details */ +- strncpy ( ( char * ) new->hdr.Name, name, sizeof ( new->hdr.Name ) ); ++ memcpy ( ( char * ) new->hdr.Name, name, sizeof ( new->hdr.Name ) ); + new->hdr.Misc.VirtualSize = section_memsz; + new->hdr.VirtualAddress = shdr->sh_addr; + new->hdr.SizeOfRawData = section_filesz; diff --git a/src/patches/ipxe-handle-R_X86_64_PLT32.patch b/src/patches/ipxe-handle-R_X86_64_PLT32.patch new file mode 100644 index 000000000..ef2d4343e --- /dev/null +++ b/src/patches/ipxe-handle-R_X86_64_PLT32.patch 
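Review bot: The `memcpy` on the new line reads `sizeof ( new->hdr.Name )` (8) bytes from `name` regardless of its length, whereas `strncpy` stopped at the terminator; for a section name shorter than the field (`.text`, `.bss`) this reads past the end of the string, and if `name` points into the ELF section-name table — not visible here — it can run past that table for the last entry. Since `new` is zeroed by the `memset` two lines above, the zero-padding semantics survive without the over-read: `memcpy ( new->hdr.Name, name, strnlen ( name, sizeof ( new->hdr.Name ) ) );`. process_section starts and ends outside the hunk.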
@@ -0,0 +1,23 @@ +From 5dce2d454b2829431e0484ac0f993b7a2759e0df Mon Sep 17 00:00:00 2001 +From: Christian Hesse +Date: Sat, 25 Aug 2018 13:53:08 +0200 +Subject: [PATCH] [build] handle R_X86_64_PLT32 from binutils 2.31 + +Starting from binutils 2.31.0 (commit bd7ab16b) x86-64 assembler +generates R_X86_64_PLT32 instead of R_X86_64_PC32. +--- + src/util/elf2efi.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/util/elf2efi.c b/src/util/elf2efi.c +index 6718df777..2c5b9df8a 100644 +--- a/src/util/elf2efi.c ++++ b/src/util/elf2efi.c +@@ -636,6 +636,7 @@ static void process_reloc ( struct elf_file *elf, const Elf_Shdr *shdr, + case ELF_MREL ( EM_ARM, R_ARM_THM_JUMP24 ) : + case ELF_MREL ( EM_ARM, R_ARM_V4BX ): + case ELF_MREL ( EM_X86_64, R_X86_64_PC32 ) : ++ case ELF_MREL ( EM_X86_64, R_X86_64_PLT32 ) : + case ELF_MREL ( EM_AARCH64, R_AARCH64_CALL26 ) : + case ELF_MREL ( EM_AARCH64, R_AARCH64_JUMP26 ) : + case ELF_MREL ( EM_AARCH64, R_AARCH64_ADR_PREL_LO21 ) : From 4987d0ed19a3e485a584899a6424f76813982f7a Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Sat, 27 Apr 2019 03:58:44 +0100 Subject: [PATCH 3/8] grub: Fix relocation type issue Signed-off-by: Michael Tremer --- lfs/grub | 1 + src/patches/grub-2.02-X86_64_PLT32.patch | 75 ++++++++++++++++++++++++ 2 files changed, 76 insertions(+) create mode 100644 src/patches/grub-2.02-X86_64_PLT32.patch diff --git a/lfs/grub b/lfs/grub index 56cc9b557..67a9e1002 100644 --- a/lfs/grub +++ b/lfs/grub 
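Review bot: The new `R_X86_64_PLT32` case is dropped into the `R_X86_64_PC32` group without a word on why that is safe; it relies on the image having no PLT, so the assembler's PLT32 is only ever a plain PC-relative branch. A one-line comment on the added case, `/* PLT32: binutils >= 2.31 emits this for PC-relative calls; no PLT exists here, so handle as PC32 */`, records the assumption for whoever later adds a relocation that really does need a PLT entry. process_reloc starts and ends outside the hunk.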
@@ -101,6 +101,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/grub-2.02_disable_vga_fallback.patch cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/grub-2.02-xfs-accept-filesystem-with-sparse-inodes.patch cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/grub-2.02-fix-packed-not-aligned-error-on-gcc-8.patch + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/grub-2.02-X86_64_PLT32.patch # Install unifont cp -v $(DIR_DL)/unifont-7.0.03.pcf.gz $(DIR_APP)/unifont.pcf.gz diff --git a/src/patches/grub-2.02-X86_64_PLT32.patch b/src/patches/grub-2.02-X86_64_PLT32.patch new file mode 100644 index 000000000..2c65cb78a --- /dev/null +++ b/src/patches/grub-2.02-X86_64_PLT32.patch 
@@ -0,0 +1,75 @@ +From 02702bdfe14d8a04643a45b03715f734ae34dbac Mon Sep 17 00:00:00 2001 +From: "H.J. Lu" +Date: Sat, 17 Feb 2018 06:47:28 -0800 +Subject: x86-64: Treat R_X86_64_PLT32 as R_X86_64_PC32 + +Starting from binutils commit bd7ab16b4537788ad53521c45469a1bdae84ad4a: + +https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=bd7ab16b4537788ad53521c45469a1bdae84ad4a + +x86-64 assembler generates R_X86_64_PLT32, instead of R_X86_64_PC32, for +32-bit PC-relative branches. Grub2 should treat R_X86_64_PLT32 as +R_X86_64_PC32. + +Signed-off-by: H.J. Lu +Reviewed-by: Daniel Kiper + +Origin: upstream, https://git.savannah.gnu.org/cgit/grub.git/commit/?id=842c390469e2c2e10b5aa36700324cd3bde25875 +Last-Update: 2018-07-30 + +Patch-Name: R_X86_64_PLT32.patch +--- + grub-core/efiemu/i386/loadcore64.c | 1 + + grub-core/kern/x86_64/dl.c | 1 + + util/grub-mkimagexx.c | 1 + + util/grub-module-verifier.c | 1 + + 4 files changed, 4 insertions(+) + +diff --git a/grub-core/efiemu/i386/loadcore64.c b/grub-core/efiemu/i386/loadcore64.c +index e49d0b6ff..18facf47f 100644 +--- a/grub-core/efiemu/i386/loadcore64.c ++++ b/grub-core/efiemu/i386/loadcore64.c +@@ -98,6 +98,7 @@ grub_arch_efiemu_relocate_symbols64 (grub_efiemu_segment_t segs, + break; + + case R_X86_64_PC32: ++ case R_X86_64_PLT32: + err = grub_efiemu_write_value (addr, + *addr32 + rel->r_addend + + sym.off +diff --git a/grub-core/kern/x86_64/dl.c b/grub-core/kern/x86_64/dl.c +index 440690673..3a73e6e6c 100644 +--- a/grub-core/kern/x86_64/dl.c ++++ b/grub-core/kern/x86_64/dl.c +@@ -70,6 +70,7 @@ grub_arch_dl_relocate_symbols (grub_dl_t mod, void *ehdr, + break; + + case R_X86_64_PC32: ++ case R_X86_64_PLT32: + { + grub_int64_t value; + value = ((grub_int32_t) *addr32) + rel->r_addend + sym->st_value - +diff --git a/util/grub-mkimagexx.c b/util/grub-mkimagexx.c +index e63f148e4..f20255a28 100644 +--- a/util/grub-mkimagexx.c ++++ b/util/grub-mkimagexx.c +@@ -832,6 +832,7 @@ SUFFIX (relocate_addresses) (Elf_Ehdr *e, 
Elf_Shdr *sections, + break; + + case R_X86_64_PC32: ++ case R_X86_64_PLT32: + { + grub_uint32_t *t32 = (grub_uint32_t *) target; + *t32 = grub_host_to_target64 (grub_target_to_host32 (*t32) +diff --git a/util/grub-module-verifier.c b/util/grub-module-verifier.c +index 9179285a5..a79271f66 100644 +--- a/util/grub-module-verifier.c ++++ b/util/grub-module-verifier.c +@@ -19,6 +19,7 @@ struct grub_module_verifier_arch archs[] = { + -1 + }, (int[]){ + R_X86_64_PC32, ++ R_X86_64_PLT32, + -1 + } + }, From a7e185c5904d3dfc0f53d42ee539991b5bf193d1 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Sun, 28 Apr 2019 09:41:50 +0100 Subject: [PATCH 4/8] grub: Fix rootfile Signed-off-by: Michael Tremer --- config/rootfiles/common/x86_64/grub | 2 ++ 1 file changed, 2 insertions(+) diff --git a/config/rootfiles/common/x86_64/grub b/config/rootfiles/common/x86_64/grub index c73e33986..c6fcfc78f 100644 --- a/config/rootfiles/common/x86_64/grub +++ b/config/rootfiles/common/x86_64/grub @@ -146,6 +146,8 @@ usr/lib/grub/i386-pc/drivemap.mod usr/lib/grub/i386-pc/drivemap.module usr/lib/grub/i386-pc/echo.mod usr/lib/grub/i386-pc/echo.module +usr/lib/grub/i386-pc/efiemu.mod +usr/lib/grub/i386-pc/efiemu.module usr/lib/grub/i386-pc/ehci.mod usr/lib/grub/i386-pc/ehci.module usr/lib/grub/i386-pc/elf.mod From 68e0cf6714b4b2db76793bb36f5ccf11b76e5c02 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Tue, 30 Apr 2019 10:45:02 +0100 Subject: [PATCH 5/8] grub: Update rootfile on i586 Signed-off-by: Michael Tremer --- config/rootfiles/common/i586/grub | 2 ++ 1 file changed, 2 insertions(+) diff --git a/config/rootfiles/common/i586/grub b/config/rootfiles/common/i586/grub index d8bd62113..bc28d4593 100644 --- a/config/rootfiles/common/i586/grub +++ b/config/rootfiles/common/i586/grub 
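Review bot: The `dl.c` change makes the runtime module loader relocate `R_X86_64_PLT32` exactly like `R_X86_64_PC32`, which is only correct because GRUB modules have no PLT and `sym->st_value` is the final address; write that on the added case, e.g. `/* PLT32: binutils >= 2.31 emits this for PC-relative calls; no PLT exists, treat as PC32 */`, especially now that `grub-module-verifier.c` whitelists the type. The 32-bit range check that presumably follows the `value =` computation lies outside the hunk, so it is worth confirming that PLT32 values pass through it the same way PC32 values do. All four enclosing functions start and end outside the hunks.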
@@ -146,6 +146,8 @@ usr/lib/grub/i386-pc #usr/lib/grub/i386-pc/drivemap.module #usr/lib/grub/i386-pc/echo.mod #usr/lib/grub/i386-pc/echo.module +#usr/lib/grub/i386-pc/efiemu.mod +#usr/lib/grub/i386-pc/efiemu.module #usr/lib/grub/i386-pc/ehci.mod #usr/lib/grub/i386-pc/ehci.module #usr/lib/grub/i386-pc/elf.mod From ae93dd3deb6524036943513e90d1fba84e3608bd Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Tue, 30 Apr 2019 10:45:34 +0100 Subject: [PATCH 6/8] firewall: Add more rules to input/output when adding rules to forward The special_input/output_targets array assumed that firewall access will always be denied. However, rules also need to be created when access is granted. Therefore the ACCEPT target needs to be included in this list and rules must be created in INPUTFW/OUTGOINGFW too when ACCEPT rules are created in FORWARDFW. Signed-off-by: Michael Tremer --- config/firewall/rules.pl | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl index 9817634c8..a87fc5274 100644 --- a/config/firewall/rules.pl +++ b/config/firewall/rules.pl @@ -175,9 +175,9 @@ sub buildrules { } if ($POLICY_INPUT_ACTION eq "DROP") { - push(@special_input_targets, "REJECT"); + push(@special_input_targets, ("ACCEPT", "REJECT")); } elsif ($POLICY_INPUT_ACTION eq "REJECT") { - push(@special_input_targets, "DROP"); + push(@special_input_targets, ("ACCEPT", "DROP")); } my @special_output_targets = (); @@ -187,9 +187,9 @@ sub buildrules { push(@special_output_targets, "ACCEPT"); if ($POLICY_OUTPUT_ACTION eq "DROP") { - push(@special_output_targets, "REJECT"); + push(@special_output_targets, ("ACCEPT", "REJECT")); } elsif ($POLICY_OUTPUT_ACTION eq "REJECT") { - push(@special_output_targets, "DROP"); + push(@special_output_targets, ("ACCEPT", "DROP")); } } From 249839b0ca06f81eaf3b75b03ac41ab2f7b6c352 Mon Sep 17 00:00:00 2001 
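Review bot: Pushing `"ACCEPT"` in both `@special_output_targets` branches duplicates what appears to be an unconditional `push(@special_output_targets, "ACCEPT");` two lines earlier in the same hunk, and the `~~` membership test elsewhere in the file does not care about duplicates, so the output lines can stay `push(@special_output_targets, "REJECT");` and `push(@special_output_targets, "DROP");`; for the input list, where no such push is visible, a single `push(@special_input_targets, "ACCEPT");` before the `if` is clearer than repeating it in each branch. More importantly, this widens what a FORWARD rule generates: an ACCEPT rule whose destination subnet contains the firewall now also yields an INPUTFW ACCEPT rule, so a rule written to reach hosts behind the firewall opens the same port on the firewall itself. That is the intended fix per the description, but it changes the effective policy of existing rulesets after the update and deserves a sentence in the release notes and in a comment above the `if`. buildrules starts and ends outside the hunks.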
From: Michael Tremer Date: Tue, 30 Apr 2019 10:56:05 +0100 Subject: [PATCH 7/8] firewall: Fix source/destination interface settings When a forwarding rule is being created, we sometimes create INPUT/OUTPUT rules, too. Those were slightly invalid because the source and destination interfaces where passed, too. This could render some rules in certain circumstances useless. This patch fixes this and only adds -i for INPUT and -o for OUTPUT rules. Signed-off-by: Michael Tremer --- config/firewall/rules.pl | 41 ++++++++++++++++++++-------------------- 1 file changed, 20 insertions(+), 21 deletions(-) diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl index a87fc5274..d2971566c 100644 --- a/config/firewall/rules.pl +++ b/config/firewall/rules.pl @@ -383,6 +383,19 @@ sub buildrules { push(@destination_options, ("-d", $destination)); } + # Add source and destination interface to the filter rules. + # These are supposed to help filtering forged packets that originate + # from BLUE with an IP address from GREEN for instance. + my @source_intf_options = (); + if ($source_intf) { + push(@source_intf_options, ("-i", $source_intf)); + } + + my @destination_intf_options = (); + if ($destination_intf) { + push(@destination_intf_options, ("-o", $destination_intf)); + } + # Add time constraint options. push(@options, @time_options); @@ -467,10 +480,7 @@ sub buildrules { } elsif ($NAT_MODE eq "SNAT") { my @nat_options = @options; - if ($destination_intf) { - push(@nat_options, ("-o", $destination_intf)); - } - + push(@nat_options, @destination_intf_options); push(@nat_options, @source_options); push(@nat_options, @destination_options); 
@@ -481,25 +491,14 @@ sub buildrules { } } - # Add source and destination interface to the filter rules. - # These are supposed to help filtering forged packets that originate - # from BLUE with an IP address from GREEN for instance. - if ($source_intf) { - push(@source_options, ("-i", $source_intf)); - } - - if ($destination_intf) { - push(@destination_options, ("-o", $destination_intf)); - } - push(@options, @source_options); push(@options, @destination_options); # Insert firewall rule. if ($LOG && !$NAT) { - run("$IPTABLES -A $chain @options @log_limit_options -j LOG --log-prefix '$chain '"); + run("$IPTABLES -A $chain @options @source_intf_options @destination_intf_options @log_limit_options -j LOG --log-prefix '$chain '"); } - run("$IPTABLES -A $chain @options -j $target"); + run("$IPTABLES -A $chain @options @source_intf_options @destination_intf_options -j $target"); # Handle forwarding rules and add corresponding rules for firewall access. if ($chain eq $CHAIN_FORWARD) { 
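Review bot: The two `run(...)` lines now spell out `@options @source_intf_options @destination_intf_options` twice, and the INPUT/OUTPUT variants further down repeat the pattern with one list each; building the filter argument list once keeps the LOG rule and the terminal rule from drifting apart, e.g. `my @filter_options = (@options, @source_intf_options, @destination_intf_options);` followed by `run("$IPTABLES -A $chain @filter_options @log_limit_options -j LOG --log-prefix '$chain '");` and `run("$IPTABLES -A $chain @filter_options -j $target");`. Behaviour is identical either way. buildrules starts and ends outside the hunk.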
@@ -508,17 +507,17 @@ sub buildrules { # for the firewall, too. if ($firewall_is_in_destination_subnet && ($target ~~ @special_input_targets)) { if ($LOG && !$NAT) { - run("$IPTABLES -A $CHAIN_INPUT @options @log_limit_options -j LOG --log-prefix '$CHAIN_INPUT '"); + run("$IPTABLES -A $CHAIN_INPUT @options @source_intf_options @log_limit_options -j LOG --log-prefix '$CHAIN_INPUT '"); } - run("$IPTABLES -A $CHAIN_INPUT @options -j $target"); + run("$IPTABLES -A $CHAIN_INPUT @options @source_intf_options -j $target"); } # Likewise. if ($firewall_is_in_source_subnet && ($target ~~ @special_output_targets)) { if ($LOG && !$NAT) { - run("$IPTABLES -A $CHAIN_OUTPUT @options @log_limit_options -j LOG --log-prefix '$CHAIN_OUTPUT '"); + run("$IPTABLES -A $CHAIN_OUTPUT @options @destination_intf_options @log_limit_options -j LOG --log-prefix '$CHAIN_OUTPUT '"); } - run("$IPTABLES -A $CHAIN_OUTPUT @options -j $target"); + run("$IPTABLES -A $CHAIN_OUTPUT @options @destination_intf_options -j $target"); } } } From 5a4617a8711d69ba6ce19ca05a4fd21033dc72d1 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Tue, 30 Apr 2019 10:58:31 +0100 Subject: [PATCH 8/8] core132: Ship updated firewall rules generator This patch also requires a reboot after installing this update so that the changed ruleset is being applied. Signed-off-by: Michael Tremer --- config/rootfiles/core/132/filelists/files | 1 + config/rootfiles/core/132/update.sh | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/config/rootfiles/core/132/filelists/files b/config/rootfiles/core/132/filelists/files index 346b79c91..875dd3048 100644 --- a/config/rootfiles/core/132/filelists/files +++ b/config/rootfiles/core/132/filelists/files @@ -5,6 +5,7 @@ etc/rc.d/init.d/suricata etc/suricata/suricata.yaml srv/web/ipfire/cgi-bin/credits.cgi srv/web/ipfire/cgi-bin/proxy.cgi +usr/lib/firewall/rules.pl usr/sbin/convert-snort var/ipfire/ids-functions.pl var/ipfire/langs 
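Review bot: The `# Likewise.` comment above the OUTPUT block no longer says anything useful now that the two blocks differ in which interface list they append; state the condition and the asymmetry instead, e.g. `# Same for traffic the firewall itself originates: when it sits in the source subnet, mirror the rule into OUTPUT, matching the outgoing interface only (INPUT above matches the incoming one).` It is also worth noting in that comment that `@options` still carries the `-d` for the whole destination subnet, so the INPUT rule is scoped by `-i` and the subnet rather than by the firewall's own address — unchanged from before, but these rules are now generated for ACCEPT targets too by the preceding commit in this series. buildrules starts before and ends after the hunk.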
diff --git a/config/rootfiles/core/132/update.sh b/config/rootfiles/core/132/update.sh index 53db5cb96..518c5b38c 100644 --- a/config/rootfiles/core/132/update.sh +++ b/config/rootfiles/core/132/update.sh @@ -46,7 +46,7 @@ ldconfig /etc/init.d/suricata restart # This update needs a reboot... -#touch /var/run/need_reboot +touch /var/run/need_reboot # Finish /etc/init.d/fireinfo start
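Review bot: Enabling `touch /var/run/need_reboot` means the firewall fix shipped in this update is not active until the administrator reboots, while the rest of the script (e.g. the `suricata restart` just above) takes effect immediately, so the running ruleset stays the one built by the old generator in the meantime. If the rule generator can be re-run from the update script — IPFire appears to have an init script for that, though none is visible here — invoking it before the `# Finish` section would apply the new INPUT/OUTPUT rules at once and leave the reboot flag as a belt-and-braces measure. Otherwise the release notes should say plainly that the firewall change is pending until reboot.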