Merge branch 'next'

config/rootfiles/core/90/exclude

@@ -0,0 +1,28 @@
+boot/config.txt
+etc/collectd.custom
+etc/ipsec.conf
+etc/ipsec.secrets
+etc/ipsec.user.conf
+etc/ipsec.user.secrets
+etc/localtime
+etc/rc.d/rcsysinit.d/S19checkfstab
+etc/rc.d/rcsysinit.d/S70console
+etc/shadow
+etc/ssh/ssh_config
+etc/ssh/sshd_config
+etc/ssl/openssl.cnf
+etc/sudoers
+etc/sysconfig/firewall.local
+etc/sysconfig/modules
+etc/sysconfig/rc.local
+etc/udev/rules.d/30-persistent-network.rules
+srv/web/ipfire/html/proxy.pac
+var/ipfire/firewall/geoipblock
+var/ipfire/fwhosts/custmgeoipgrp
+var/ipfire/ovpn/ccd.conf
+var/ipfire/ovpn/ccdroute
+var/ipfire/ovpn/ccdroute2
+var/ipfire/time
+var/log/cache
+var/state/dhcp/dhcpd.leases
+var/updatecache

config/rootfiles/core/90/filelists/Locale-Country

@@ -0,0 +1 @@
+../../../common/Locale-Country

config/rootfiles/core/90/filelists/apache2

@@ -0,0 +1 @@
+../../../common/apache2

config/rootfiles/core/90/filelists/armv5tel/glibc

@@ -0,0 +1 @@
+../../../../common/armv5tel/glibc

config/rootfiles/core/90/filelists/armv5tel/linux-kirkwood

@@ -0,0 +1 @@
+../../../../common/armv5tel/linux-kirkwood

config/rootfiles/core/90/filelists/armv5tel/linux-multi

@@ -0,0 +1 @@
+../../../../common/armv5tel/linux-multi

config/rootfiles/core/90/filelists/armv5tel/linux-rpi

@@ -0,0 +1 @@
+../../../../common/armv5tel/linux-rpi

config/rootfiles/core/90/filelists/curl

@@ -0,0 +1 @@
+../../../common/curl

config/rootfiles/core/90/filelists/cyrus-sasl

@@ -0,0 +1 @@
+../../../common/cyrus-sasl

config/rootfiles/core/90/filelists/ddns

@@ -0,0 +1 @@
+../../../common/ddns

config/rootfiles/core/90/filelists/dhcp

@@ -0,0 +1 @@
+../../../common/dhcp

config/rootfiles/core/90/filelists/dhcpcd

@@ -0,0 +1 @@
+../../../common/dhcpcd

config/rootfiles/core/90/filelists/dnsmasq

@@ -0,0 +1 @@
+../../../common/dnsmasq

config/rootfiles/core/90/filelists/dracut

@@ -0,0 +1 @@
+../../../common/dracut

config/rootfiles/core/90/filelists/expat

@@ -0,0 +1 @@
+../../../common/expat

config/rootfiles/core/90/filelists/files

@@ -0,0 +1,36 @@
+etc/system-release
+etc/issue
+etc/rc.d/init.d/firewall
+etc/rc.d/init.d/network-trigger
+etc/rc.d/init.d/networking/functions.network
+etc/rc.d/init.d/networking/red.up/99-geoip-database
+etc/rc.d/rcsysinit.d/S90network-trigger
+srv/web/ipfire/cgi-bin/country.cgi
+srv/web/ipfire/cgi-bin/ddns.cgi
+srv/web/ipfire/cgi-bin/firewall.cgi
+srv/web/ipfire/cgi-bin/fwhosts.cgi
+srv/web/ipfire/cgi-bin/geoip-block.cgi
+srv/web/ipfire/cgi-bin/index.cgi
+srv/web/ipfire/cgi-bin/logs.cgi/firewalllog.dat
+srv/web/ipfire/cgi-bin/logs.cgi/firewalllogcountry.dat
+srv/web/ipfire/cgi-bin/logs.cgi/firewalllogip.dat
+srv/web/ipfire/cgi-bin/netovpnsrv.cgi
+srv/web/ipfire/cgi-bin/ovpnmain.cgi
+srv/web/ipfire/cgi-bin/vpnmain.cgi
+srv/web/ipfire/html/themes/darkdos/include/style.css
+srv/web/ipfire/html/themes/ipfire-legacy/include/style.css
+srv/web/ipfire/html/themes/ipfire/include/css/style.css
+srv/web/ipfire/html/themes/maniac/include/style.css
+usr/lib/firewall/firewall-lib.pl
+usr/lib/firewall/rules.pl
+usr/local/bin/backupiso
+usr/local/bin/ddnsctrl
+usr/local/bin/ipsecctrl
+usr/local/bin/xt_geoip_build
+usr/local/bin/xt_geoip_update
+var/ipfire/general-functions.pl
+var/ipfire/geoip-functions.pl
+var/ipfire/header.pl
+var/ipfire/backup/include
+var/ipfire/langs
+var/ipfire/menu.d/50-firewall.menu

config/rootfiles/core/90/filelists/fireinfo

@@ -0,0 +1 @@
+../../../common/fireinfo

config/rootfiles/core/90/filelists/flag-icons

@@ -0,0 +1 @@
+../../../common/flag-icons

config/rootfiles/core/90/filelists/groff

@@ -0,0 +1 @@
+../../../common/groff

config/rootfiles/core/90/filelists/i586/acpid

@@ -0,0 +1 @@
+../../../../common/i586/acpid

config/rootfiles/core/90/filelists/i586/glibc

@@ -0,0 +1 @@
+../../../../common/i586/glibc

config/rootfiles/core/90/filelists/i586/linux

@@ -0,0 +1 @@
+../../../../common/i586/linux

config/rootfiles/core/90/filelists/i586/linux-initrd

@@ -0,0 +1 @@
+../../../../common/i586/linux-initrd

config/rootfiles/core/90/filelists/i586/openssl-sse2

@@ -0,0 +1 @@
+../../../../common/i586/openssl-sse2

config/rootfiles/core/90/filelists/iptables

@@ -0,0 +1 @@
+../../../common/iptables

config/rootfiles/core/90/filelists/iputils

@@ -0,0 +1 @@
+../../../common/iputils

config/rootfiles/core/90/filelists/libjpeg

@@ -0,0 +1 @@
+../../../common/libjpeg

config/rootfiles/core/90/filelists/logrotate

@@ -0,0 +1 @@
+../../../common/logrotate

config/rootfiles/core/90/filelists/logwatch

@@ -0,0 +1 @@
+../../../common/logwatch

config/rootfiles/core/90/filelists/openssl

@@ -0,0 +1 @@
+../../../common/openssl

config/rootfiles/core/90/filelists/openssl-0.9.8-files

@@ -0,0 +1,19 @@
+lib/security/pam_mysql.so
+usr/lib/gnupg/gpgkeys_ldap
+usr/lib/gnupg/gpgkeys_hkp
+usr/lib/gnupg/gpgkeys_curl
+usr/lib/apache/libphp5.so
+usr/lib/squid/digest_ldap_auth
+usr/lib/squid/basic_ldap_auth
+usr/lib/squid/ext_kerberos_ldap_group_acl
+usr/lib/squid/ext_edirectory_userip_acl
+usr/lib/squid/ext_ldap_group_acl
+usr/lib/python2.7/lib-dynload/_ssl.so
+usr/lib/python2.7/lib-dynload/_hashlib.so
+usr/lib/collectd/write_http.so
+usr/lib/collectd/ascent.so
+usr/lib/collectd/curl_xml.so
+usr/lib/collectd/apache.so
+usr/lib/collectd/bind.so
+usr/lib/collectd/curl.so
+usr/bin/php

config/rootfiles/core/90/filelists/perl-Text-CSV_XS

@@ -0,0 +1 @@
+../../../common/perl-Text-CSV_XS

config/rootfiles/core/90/filelists/squid

@@ -0,0 +1 @@
+../../../common/squid

config/rootfiles/core/90/filelists/strongswan

@@ -0,0 +1 @@
+../../../common/strongswan

config/rootfiles/core/90/filelists/tzdata

@@ -0,0 +1 @@
+../../../common/tzdata

config/rootfiles/core/90/filelists/udev

@@ -0,0 +1 @@
+../../../common/udev

config/rootfiles/core/90/filelists/wpa_supplicant

@@ -0,0 +1 @@
+../../../common/wpa_supplicant

config/rootfiles/core/90/filelists/xtables-addons

@@ -0,0 +1 @@
+../../../common/xtables-addons

config/rootfiles/core/90/filelists/xz

@@ -0,0 +1 @@
+../../../common/xz

config/rootfiles/core/90/meta

@@ -0,0 +1 @@
+DEPS=""

config/rootfiles/core/90/update.sh

@@ -0,0 +1,305 @@
+#!/bin/bash
+############################################################################
+#                                                                          #
+# This file is part of the IPFire Firewall.                                #
+#                                                                          #
+# IPFire is free software; you can redistribute it and/or modify           #
+# it under the terms of the GNU General Public License as published by     #
+# the Free Software Foundation; either version 3 of the License, or        #
+# (at your option) any later version.                                      #
+#                                                                          #
+# IPFire is distributed in the hope that it will be useful,                #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of           #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the            #
+# GNU General Public License for more details.                             #
+#                                                                          #
+# You should have received a copy of the GNU General Public License        #
+# along with IPFire; if not, write to the Free Software                    #
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307 USA #
+#                                                                          #
+# Copyright (C) 2014 IPFire-Team <info@ipfire.org>.                        #
+#                                                                          #
+############################################################################
+#
+. /opt/pakfire/lib/functions.sh
+/usr/local/bin/backupctrl exclude >/dev/null 2>&1
+
+
+function find_device() {
+	local mountpoint="${1}"
+
+	local root
+	local dev mp fs flags rest
+	while read -r dev mp fs flags rest; do
+		# Skip unwanted entries
+		[ "${dev}" = "rootfs" ] && continue
+
+		if [ "${mp}" = "${mountpoint}" ] && [ -b "${dev}" ]; then
+			root="$(basename "${dev}")"
+			break
+		fi
+	done < /proc/mounts
+
+	# Get the actual device from the partition that holds /
+	while [ -n "${root}" ]; do
+		if [ -e "/sys/block/${root}" ]; then
+			echo "${root}"
+			return 0
+		fi
+
+		# Remove last character
+		root="${root::-1}"
+	done
+
+	return 1
+}
+
+
+#
+# Remove old core updates from pakfire cache to save space...
+core=90
+for (( i=1; i<=${core}; i++ ))
+do
+	rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire
+done
+
+#
+# Do some sanity checks.
+case $(uname -r) in
+	*-ipfire-versatile )
+		/usr/bin/logger -p syslog.emerg -t ipfire \
+			"core-update-${core}: ERROR cannot update. versatile support is dropped."
+		# Report no error to pakfire. So it does not try to install it again.
+		exit 0
+		;;
+	*-ipfire* )
+		# Ok.
+		;;
+	* )
+		/usr/bin/logger -p syslog.emerg -t ipfire \
+			"core-update-${core}: ERROR cannot update. No IPFire Kernel."
+		exit 1
+	;;
+esac
+
+
+#
+#
+KVER="xxxKVERxxx"
+
+# Check diskspace on root
+ROOTSPACE=`df / -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1`
+
+if [ $ROOTSPACE -lt 100000 ]; then
+	/usr/bin/logger -p syslog.emerg -t ipfire \
+		"core-update-${core}: ERROR cannot update because not enough free space on root."
+	exit 2
+fi
+
+
+echo
+echo Update Kernel to $KVER ...
+#
+# Remove old kernel, configs, initrd, modules, dtb's ...
+#
+rm -rf /boot/System.map-*
+rm -rf /boot/config-*
+rm -rf /boot/ipfirerd-*
+rm -rf /boot/initramfs-*
+rm -rf /boot/vmlinuz-*
+rm -rf /boot/uImage-ipfire-*
+rm -rf /boot/uInit-ipfire-*
+rm -rf /boot/dtb-*-ipfire-*
+rm -rf /lib/modules
+
+case "$(uname -m)" in
+	armv*)
+		# Backup uEnv.txt if exist
+		if [ -e /boot/uEnv.txt ]; then
+			cp -vf /boot/uEnv.txt /boot/uEnv.txt.org
+		fi
+
+		# work around the u-boot folder detection bug
+		mkdir -pv /boot/dtb-$KVER-ipfire-kirkwood
+		mkdir -pv /boot/dtb-$KVER-ipfire-multi
+		;;
+esac
+
+#
+#Stop services
+/etc/init.d/snort stop
+/etc/init.d/squid stop
+/etc/init.d/ipsec stop
+/etc/init.d/apache stop
+
+# Drop old flag icons, before extracting the new ones.
+rm /srv/web/ipfire/html/images/flags/*
+
+#
+#Extract files
+tar xavf /opt/pakfire/tmp/files* --no-overwrite-dir -p --numeric-owner -C /
+
+#
+# restart init because glibc was updated.
+telinit u
+
+# Remove old openssl libraries
+rm -vf /usr/lib/libcrypto.so.0.9.8 /usr/lib/libssl.so.0.9.8
+
+# Check diskspace on boot
+BOOTSPACE=`df /boot -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1`
+
+if [ $BOOTSPACE -lt 1000 ]; then
+	case $(uname -r) in
+		*-ipfire-kirkwood )
+			# Special handling for old kirkwood images.
+			# (install only kirkwood kernel)
+			rm -rf /boot/*
+			# work around the u-boot folder detection bug
+			mkdir -pv /boot/dtb-$KVER-ipfire-kirkwood
+			tar xavf /opt/pakfire/tmp/files* --no-overwrite-dir -p \
+				--numeric-owner -C / --wildcards 'boot/*-kirkwood*'
+			;;
+		* )
+			/usr/bin/logger -p syslog.emerg -t ipfire \
+				"core-update-${core}: FATAL-ERROR space run out on boot. System is not bootable..."
+			/etc/init.d/apache start
+			exit 4
+			;;
+	esac
+fi
+
+# Create GeoIP related files if they do not exist yet.
+if [ ! -e "/var/ipfire/firewall/geoipblock" ]; then
+	touch /var/ipfire/firewall/geoipblock
+	chown nobody:nobody /var/ipfire/firewall/geoipblock
+
+	# Insert default value into file.
+	echo "GEOIPBLOCK_ENABLED=off" >> /var/ipfire/firewall/geoipblock
+fi
+if [ ! -e "/var/ipfire/fwhosts/customgeoipgrp" ]; then
+	touch /var/ipfire/fwhosts/customgeoipgrp
+	chown nobody:nobody /var/ipfire/fwhosts/customgeoipgrp
+fi
+
+#Fix BUG10812 (openvpn server.conf has wrong collectd logfile path)
+if grep -q "status /var/log/ovpnserver.log 30" /var/ipfire/ovpn/server.conf; then
+	sed -i "s/\/var\/log\/ovpnserver.log 30/\/var\/run\/ovpnserver.log 30/" /var/ipfire/ovpn/server.conf
+fi
+
+# Download/Update GeoIP databases.
+/usr/local/bin/xt_geoip_update
+
+# Update crontab
+grep -q /usr/local/bin/xt_geoip_update /var/spool/cron/root.orig || cat <<EOF >> /var/spool/cron/root.orig
+
+# Update GeoIP database once a month.
+%monthly,random * * * [ -f "/var/ipfire/red/active" ] && /usr/local/bin/xt_geoip_update >/dev/null 2>&1
+EOF
+
+fcrontab -z &>/dev/null
+
+# Generate ddns configuration file
+sudo -u nobody /srv/web/ipfire/cgi-bin/ddns.cgi
+
+# Regenerate IPsec configuration
+sudo -u nobody /srv/web/ipfire/cgi-bin/vpnmain.cgi
+
+# Update Language cache
+perl -e "require '/var/ipfire/lang.pl'; &Lang::BuildCacheLang"
+
+#
+# Start services
+#
+/etc/init.d/apache start
+/etc/init.d/squid start
+/etc/init.d/snort start
+if [ `grep "ENABLED=on" /var/ipfire/vpn/settings` ]; then
+	/etc/init.d/ipsec start
+fi
+
+case "$(uname -m)" in
+	i?86)
+	case "$(find_device "/")" in
+		xvd* )
+			echo Skip remove grub2 files, because pygrub fail.
+			rm -f /boot/grub/*
+			echo config will recreated by linux-pae install.
+			;;
+		* )
+			#
+			# Update to GRUB2 config
+			#
+			grub-mkconfig > /boot/grub/grub.cfg
+			;;
+	esac
+esac
+
+# Upadate Kernel version uEnv.txt
+if [ -e /boot/uEnv.txt ]; then
+	sed -i -e "s/KVER=.*/KVER=${KVER}/g" /boot/uEnv.txt
+fi
+
+# call user update script (needed for some arm boards)
+if [ -e /boot/pakfire-kernel-update ]; then
+	/boot/pakfire-kernel-update ${KVER}
+fi
+
+
+# Force (re)install pae kernel if pae is supported
+rm -rf /opt/pakfire/db/*/meta-linux-pae
+if [ ! "$(grep "^flags.* pae " /proc/cpuinfo)" == "" ]; then
+	ROOTSPACE=`df / -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1`
+	BOOTSPACE=`df /boot -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1`
+	if [ $BOOTSPACE -lt 12000 -o $ROOTSPACE -lt 90000 ]; then
+		/usr/bin/logger -p syslog.emerg -t ipfire \
+			"core-update-${core}: WARNING not enough space for pae kernel."
+	else
+		echo "Name: linux-pae" > /opt/pakfire/db/installed/meta-linux-pae
+		echo "ProgVersion: 0" >> /opt/pakfire/db/installed/meta-linux-pae
+		echo "Release: 0"     >> /opt/pakfire/db/installed/meta-linux-pae
+		echo "Name: linux-pae" > /opt/pakfire/db/meta/meta-linux-pae
+		echo "ProgVersion: 0" >> /opt/pakfire/db/meta/meta-linux-pae
+		echo "Release: 0"     >> /opt/pakfire/db/meta/meta-linux-pae
+	fi
+fi
+
+#
+# After pakfire has ended run it again and update the lists and do upgrade
+#
+echo '#!/bin/bash'                                        >  /tmp/pak_update
+echo 'while [ "$(ps -A | grep " update.sh")" != "" ]; do' >> /tmp/pak_update
+echo '    sleep 1'                                        >> /tmp/pak_update
+echo 'done'                                               >> /tmp/pak_update
+echo 'while [ "$(ps -A | grep " pakfire")" != "" ]; do'   >> /tmp/pak_update
+echo '    sleep 1'                                        >> /tmp/pak_update
+echo 'done'                                               >> /tmp/pak_update
+echo '/opt/pakfire/pakfire update -y --force'             >> /tmp/pak_update
+echo '/opt/pakfire/pakfire upgrade -y'                    >> /tmp/pak_update
+echo '/opt/pakfire/pakfire upgrade -y'                    >> /tmp/pak_update
+echo '/opt/pakfire/pakfire upgrade -y'                    >> /tmp/pak_update
+echo '/usr/bin/logger -p syslog.emerg -t ipfire "Core-upgrade finished. If you use a customized grub/uboot config"' >> /tmp/pak_update
+echo '/usr/bin/logger -p syslog.emerg -t ipfire "Check it before reboot !!!"' >> /tmp/pak_update
+echo '/usr/bin/logger -p syslog.emerg -t ipfire " *** Please reboot... *** "' >> /tmp/pak_update
+echo 'touch /var/run/need_reboot ' >> /tmp/pak_update
+#
+killall -KILL pak_update
+chmod +x /tmp/pak_update
+/tmp/pak_update &
+
+sync
+
+#
+#Finish
+(
+	/etc/init.d/fireinfo start
+	sendprofile
+) >/dev/null 2>&1 &
+
+echo
+echo Please wait until pakfire has ended...
+echo
+
+# Don't report the exitcode last command
+exit 0
+