Merge branch 'next' into temp-c169-development

2026-04-14 13:02:58 +02:00 · 2022-05-30 19:09:46 +00:00
parent 690d420840 71d53192d3
commit 3f6238f7c1
7 changed files with 219 additions and 15 deletions
--- a/config/rootfiles/common/aarch64/stage2
+++ b/config/rootfiles/common/aarch64/stage2
@@ -99,6 +99,7 @@ usr/local/bin/ipsec-interfaces
 usr/local/bin/makegraphs
 usr/local/bin/qosd
 usr/local/bin/readhash
+usr/local/bin/repair-mdraid
 usr/local/bin/run-parts
 usr/local/bin/scanhd
 usr/local/bin/settime
--- a/config/rootfiles/common/armv6l/stage2
+++ b/config/rootfiles/common/armv6l/stage2
@@ -97,6 +97,7 @@ usr/local/bin/ipsec-interfaces
 usr/local/bin/makegraphs
 usr/local/bin/qosd
 usr/local/bin/readhash
+usr/local/bin/repair-mdraid
 usr/local/bin/run-parts
 usr/local/bin/scanhd
 usr/local/bin/settime
--- a/config/rootfiles/common/x86_64/stage2
+++ b/config/rootfiles/common/x86_64/stage2
@@ -99,6 +99,7 @@ usr/local/bin/ipsec-interfaces
 usr/local/bin/makegraphs
 usr/local/bin/qosd
 usr/local/bin/readhash
+usr/local/bin/repair-mdraid
 usr/local/bin/run-parts
 usr/local/bin/scanhd
 usr/local/bin/settime
--- a/config/rootfiles/oldcore/168/filelists/files
+++ b/config/rootfiles/oldcore/168/filelists/files
@@ -391,7 +391,6 @@ lib/firmware/rtw88/rtw8821c_fw.bin
 lib/firmware/rtw88/rtw8822c_fw.bin
 lib/firmware/rtw89/rtw8852a_fw.bin
 lib/firmware/wfx/wfm_wf200_C0.sec
-usr/bin/fcrontab
 usr/lib/firewall/rules.pl
 usr/local/bin/update-ids-ruleset
 usr/sbin/convert-ids-backend-files
--- a/config/rootfiles/oldcore/168/update.sh
+++ b/config/rootfiles/oldcore/168/update.sh
@@ -120,6 +120,13 @@ case "$(uname -m)" in
                ;;
 esac

+# Add rd.auto to kernel command line
+if ! grep -q rd.auto /etc/default/grub; then
+	sed -e "s/panic=10/& rd.auto/" -i /etc/default/grub
+fi
+
+# Repair any broken MDRAID arrays
+/usr/local/bin/repair-mdraid

 # Start services
 /etc/init.d/fcron restart
--- a/src/patches/strongswan-ipfire.patch
+++ b/src/patches/strongswan-ipfire.patch
@@ -1,13 +1,13 @@
-commit 654e2b7688c5fbd4e1fc46648bc1864301fb6027
-Author: Michael Tremer <michael.tremer@ipfire.org>
-Date:   Mon Mar 21 19:49:02 2022 +0000
+commit b439f74361d393bcb85109b6c41a905cf613a296
+Author: Peter Müller <peter.mueller@ipfire.org>
+Date:   Wed May 18 17:46:57 2022 +0000

    IPFire modifications to _updown script
    
-    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+    Signed-off-by: Peter Müller <peter.mueller@ipfire.org>

 diff --git a/src/_updown/_updown.in b/src/_updown/_updown.in
-index 34eaf68c7..514ecb578 100644
+index 34eaf68c7..9ed387a0a 100644
 --- a/src/_updown/_updown.in
 +++ b/src/_updown/_updown.in
@@ -242,10 +242,10 @@ up-host:iptables)
@@ -98,7 +98,7 @@ index 34eaf68c7..514ecb578 100644
 	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
 	fi
 	#
-@@ -342,10 +324,10 @@ up-client:iptables)
+@@ -342,47 +324,37 @@ up-client:iptables)
 	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 	  then
 	    logger -t $TAG -p $FAC_PRIO \
@@ -110,8 +110,20 @@ index 34eaf68c7..514ecb578 100644
 +	      "client+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 	  fi
 	fi
+
+	# Open Firewall for IPinIP + AH + ESP Traffic
+	iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p IPIP \
+		-s $PLUTO_PEER $S_PEER_PORT \
+		-d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p AH \
+		-s $PLUTO_PEER $S_PEER_PORT \
+		-d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \
+		-s $PLUTO_PEER $S_PEER_PORT \
+		-d $PLUTO_ME $D_MY_PORT -j ACCEPT
+
 	;;
-@@ -353,36 +335,14 @@ down-client:iptables)
+ down-client:iptables)
 	# connection to client subnet, with (left/right)firewall=yes, going down
 	# This is used only by the default updown script, not by your custom
 	# ones, so do not mess with it; see CAUTION comment up at top.
@@ -149,7 +161,7 @@ index 34eaf68c7..514ecb578 100644
 	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
 	fi
 	#
-@@ -392,10 +352,10 @@ down-client:iptables)
+@@ -392,12 +364,24 @@ down-client:iptables)
 	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 	  then
 	    logger -t $TAG -p $FAC_PRIO -- \
@@ -161,8 +173,22 @@ index 34eaf68c7..514ecb578 100644
 +	      "client- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 	  fi
 	fi
+
+	# Close Firewall for IPinIP + AH + ESP Traffic
+	iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p IPIP \
+		-s $PLUTO_PEER $S_PEER_PORT \
+		-d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p AH \
+		-s $PLUTO_PEER $S_PEER_PORT \
+		-d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \
+		-s $PLUTO_PEER $S_PEER_PORT \
+		-d $PLUTO_ME $D_MY_PORT -j ACCEPT
+
 	;;
-@@ -422,10 +382,10 @@ up-host-v6:iptables)
+ #
+ # IPv6
+@@ -422,10 +406,10 @@ up-host-v6:iptables)
 	# connection to me, with (left/right)firewall=yes, coming up
 	# This is used only by the default updown script, not by your custom
 	# ones, so do not mess with it; see CAUTION comment up at top.
@@ -175,7 +201,7 @@ index 34eaf68c7..514ecb578 100644
 	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 	#
-@@ -454,10 +414,10 @@ down-host-v6:iptables)
+@@ -454,10 +438,10 @@ down-host-v6:iptables)
 	# connection to me, with (left/right)firewall=yes, going down
 	# This is used only by the default updown script, not by your custom
 	# ones, so do not mess with it; see CAUTION comment up at top.
@@ -188,7 +214,7 @@ index 34eaf68c7..514ecb578 100644
 	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 	#
-@@ -487,10 +447,10 @@ up-client-v6:iptables)
+@@ -487,10 +471,10 @@ up-client-v6:iptables)
 	# ones, so do not mess with it; see CAUTION comment up at top.
 	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
 	then
@@ -201,7 +227,7 @@ index 34eaf68c7..514ecb578 100644
 	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
 	fi
-@@ -499,10 +459,10 @@ up-client-v6:iptables)
+@@ -499,10 +483,10 @@ up-client-v6:iptables)
 	# or sometimes host access via the internal IP is needed
 	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
 	then
@@ -214,7 +240,7 @@ index 34eaf68c7..514ecb578 100644
 	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
 	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
 	fi
-@@ -535,11 +495,11 @@ down-client-v6:iptables)
+@@ -535,11 +519,11 @@ down-client-v6:iptables)
 	# ones, so do not mess with it; see CAUTION comment up at top.
 	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
 	then
@@ -228,7 +254,7 @@ index 34eaf68c7..514ecb578 100644
 	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
 	         $IPSEC_POLICY_IN -j ACCEPT
-@@ -549,11 +509,11 @@ down-client-v6:iptables)
+@@ -549,11 +533,11 @@ down-client-v6:iptables)
 	# or sometimes host access via the internal IP is needed
 	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
 	then
--- a/src/scripts/repair-mdraid
+++ b/src/scripts/repair-mdraid
@@ -0,0 +1,169 @@
+#!/bin/bash
+###############################################################################
+#                                                                             #
+# IPFire.org - A linux based firewall                                         #
+# Copyright (C) 2022 IPFire Team  <info@ipfire.org>                           #
+#                                                                             #
+# This program is free software: you can redistribute it and/or modify        #
+# it under the terms of the GNU General Public License as published by        #
+# the Free Software Foundation, either version 3 of the License, or           #
+# (at your option) any later version.                                         #
+#                                                                             #
+# This program is distributed in the hope that it will be useful,             #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
+# GNU General Public License for more details.                                #
+#                                                                             #
+# You should have received a copy of the GNU General Public License           #
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
+#                                                                             #
+###############################################################################
+#
+# This script is supposed to repair any broken RAID installations
+# where the system has been booted from only one of the RAID devices
+# without the software RAID being activated first.
+#
+# This script does as follows:
+#
+# * It tries to find an inactive RAID called "ipfire:0"
+# * It will then destroy any devices that are still part of this RAID.
+#   This is required because if the RAID is being assembled correctly,
+#   data from the disk that has NOT been mounted will be replicated
+#   back to the device that has been changed. That causes that any
+#   data that has been written to the mounted disk will be lost.
+#   To avoid this, we will partially destroy the RAID.
+# * We will then erase any partition tables and destroy any filesystems
+#   on the devices so that they do not get accidentially mounted again.
+# * The system will then need to be rebooted where the RAID will be
+#   mounted again in a degraded state which might take some extra
+#   time at boot (the system stands still for about a minute).
+# * After the system has been booted up correctly, we will re-add
+#   the devices back to the RAID which will resync and the system
+#   will be back to its intended configuration.
+
+find_inactive_raid() {
+	local status
+	local device
+	local arg
+	local args
+
+	while read -r status device args; do
+		if [ "${status}" = "INACTIVE-ARRAY" ]; then
+			for arg in ${args}; do
+				case "${arg}" in
+					name=ipfire:0)
+						echo "${device}"
+						return 0
+						;;
+				esac
+			done
+		fi
+	done <<< "$(mdadm --detail --scan)"
+
+	return 1
+}
+
+find_root() {
+	local device
+	local mp
+	local fs
+	local args
+
+	while read -r device mp fs args; do
+		if [ "${mp}" = "/" ]; then
+			echo "${device:0:-1}"
+			return 0
+		fi
+	done < /proc/mounts
+
+	return 1
+}
+
+find_raid_devices() {
+	local raid="${1}"
+
+	local IFS=,
+
+	local device
+	for device in $(mdadm -v --detail --scan "${raid}" | awk -F= '/^[ ]+devices/ { print $2 }'); do
+		echo "${device}"
+	done
+
+	return 0
+}
+
+destroy_everything() {
+	local device="${1}"
+	local part
+
+	# Destroy the RAID superblock
+	mdadm --zero-superblock "${device}"
+
+	# Wipe the partition table
+	wipefs -a "${device}"
+
+	# Wipe any partition signatures
+	for part in ${device}*; do
+		wipefs -a "${part}"
+	done
+}
+
+raid_rebuild() {
+	local devices=( "$@" )
+
+	cat > /etc/rc.d/rcsysinit.d/S99fix-raid <<EOF
+#!/bin/bash
+
+case "\${1}" in
+	start)
+		if [ -e "/dev/md/ipfire:0" ]; then
+			for device in ${devices[@]}; do
+				mdadm --add "/dev/md/ipfire:0" "\${device}"
+			done
+
+			# Delete this script
+			rm "\${0}"
+		fi
+		;;
+esac
+EOF
+
+	chmod a+x /etc/rc.d/rcsysinit.d/S99fix-raid
+}
+
+main() {
+	local raid="$(find_inactive_raid)"
+
+	# Nothing to do if no RAID device found
+	if [ -z "${raid}" ]; then
+		return 0
+	fi
+
+	echo "Fixing RAID ${raid}..."
+
+	local root="$(find_root)"
+
+	# Finding any devices in this RAID
+	local devices=(
+		$(find_raid_devices "${raid}")
+	)
+
+	# Stop the RAID
+	mdadm --stop "${raid}" &>/dev/null
+
+	# Destroy any useful data on all remaining RAID devices
+	local device
+	for device in ${devices[@]}; do
+		# Skip root
+		[ "${device}" = "${root}" ] && continue
+
+		destroy_everything "${device}"
+	done &>/dev/null
+
+	# Re-add devices to the RAID
+	raid_rebuild "${device}"
+
+	return 0
+}
+
+main "$@" || return $?