diff --git a/config/rootfiles/common/aarch64/stage2 b/config/rootfiles/common/aarch64/stage2
index 352c704d4..e328a4526 100644
--- a/config/rootfiles/common/aarch64/stage2
+++ b/config/rootfiles/common/aarch64/stage2
@@ -99,6 +99,7 @@ usr/local/bin/ipsec-interfaces
 usr/local/bin/makegraphs
 usr/local/bin/qosd
 usr/local/bin/readhash
+usr/local/bin/repair-mdraid
 usr/local/bin/run-parts
 usr/local/bin/scanhd
 usr/local/bin/settime
diff --git a/config/rootfiles/common/armv6l/stage2 b/config/rootfiles/common/armv6l/stage2
index 198461a01..2bd00d968 100644
--- a/config/rootfiles/common/armv6l/stage2
+++ b/config/rootfiles/common/armv6l/stage2
@@ -97,6 +97,7 @@ usr/local/bin/ipsec-interfaces
 usr/local/bin/makegraphs
 usr/local/bin/qosd
 usr/local/bin/readhash
+usr/local/bin/repair-mdraid
 usr/local/bin/run-parts
 usr/local/bin/scanhd
 usr/local/bin/settime
diff --git a/config/rootfiles/common/x86_64/stage2 b/config/rootfiles/common/x86_64/stage2
index b03a7fecf..586b88e3d 100644
--- a/config/rootfiles/common/x86_64/stage2
+++ b/config/rootfiles/common/x86_64/stage2
@@ -99,6 +99,7 @@ usr/local/bin/ipsec-interfaces
 usr/local/bin/makegraphs
 usr/local/bin/qosd
 usr/local/bin/readhash
+usr/local/bin/repair-mdraid
 usr/local/bin/run-parts
 usr/local/bin/scanhd
 usr/local/bin/settime
diff --git a/config/rootfiles/oldcore/168/filelists/files b/config/rootfiles/oldcore/168/filelists/files
index 159d43d86..5f5e172df 100644
--- a/config/rootfiles/oldcore/168/filelists/files
+++ b/config/rootfiles/oldcore/168/filelists/files
@@ -391,7 +391,6 @@ lib/firmware/rtw88/rtw8821c_fw.bin
 lib/firmware/rtw88/rtw8822c_fw.bin
 lib/firmware/rtw89/rtw8852a_fw.bin
 lib/firmware/wfx/wfm_wf200_C0.sec
-usr/bin/fcrontab
 usr/lib/firewall/rules.pl
 usr/local/bin/update-ids-ruleset
 usr/sbin/convert-ids-backend-files
diff --git a/config/rootfiles/oldcore/168/update.sh b/config/rootfiles/oldcore/168/update.sh
index e11e08b7f..84dec941c 100644
--- a/config/rootfiles/oldcore/168/update.sh 
+++ b/config/rootfiles/oldcore/168/update.sh @@ -120,6 +120,13 @@ case "$(uname -m)" in ;; esac +# Add rd.auto to kernel command line +if ! grep -q rd.auto /etc/default/grub; then + sed -e "s/panic=10/& rd.auto/" -i /etc/default/grub +fi + +# Repair any broken MDRAID arrays +/usr/local/bin/repair-mdraid # Start services /etc/init.d/fcron restart diff --git a/src/patches/strongswan-ipfire.patch b/src/patches/strongswan-ipfire.patch index 0f2be7483..d8e35cd52 100644 --- a/src/patches/strongswan-ipfire.patch +++ b/src/patches/strongswan-ipfire.patch @@ -1,13 +1,13 @@ -commit 654e2b7688c5fbd4e1fc46648bc1864301fb6027 -Author: Michael Tremer -Date: Mon Mar 21 19:49:02 2022 +0000 +commit b439f74361d393bcb85109b6c41a905cf613a296 +Author: Peter Müller +Date: Wed May 18 17:46:57 2022 +0000 IPFire modifications to _updown script - Signed-off-by: Michael Tremer + Signed-off-by: Peter Müller diff --git a/src/_updown/_updown.in b/src/_updown/_updown.in -index 34eaf68c7..514ecb578 100644 +index 34eaf68c7..9ed387a0a 100644 --- a/src/_updown/_updown.in +++ b/src/_updown/_updown.in @@ -242,10 +242,10 @@ up-host:iptables) @@ -98,7 +98,7 @@ index 34eaf68c7..514ecb578 100644 -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT fi # -@@ -342,10 +324,10 @@ up-client:iptables) +@@ -342,47 +324,37 @@ up-client:iptables) if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] then logger -t $TAG -p $FAC_PRIO \ 
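Review bot: The kernel-command-line edit is silent when `/etc/default/grub` has no `panic=10` token to anchor on: `sed -e "s/panic=10/& rd.auto/"` then changes nothing and nothing is logged, so a host whose line was customised never receives `rd.auto` even though the `grep -q rd.auto` guard makes the step look handled. Verifying the outcome, `grep -q 'rd\.auto' /etc/default/grub || echo "WARNING: could not add rd.auto to /etc/default/grub" >&2`, surfaces the miss (escaping the dot also stops the guard matching unrelated text). Whether grub.cfg is regenerated after this edit is not visible in the hunk; if that happens elsewhere in update.sh it is fine, otherwise the edit has no effect until it is. The `/usr/local/bin/repair-mdraid` call is likewise unchecked; given that script's own description (it zeroes RAID superblocks and partition tables before a reboot), a failure there deserves at least `|| echo "repair-mdraid failed" >&2` so it can be found afterwards.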
@@ -110,8 +110,20 @@ index 34eaf68c7..514ecb578 100644 + "client+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" fi fi ++ ++ # Open Firewall for IPinIP + AH + ESP Traffic ++ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p IPIP \ ++ -s $PLUTO_PEER $S_PEER_PORT \ ++ -d $PLUTO_ME $D_MY_PORT -j ACCEPT ++ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p AH \ ++ -s $PLUTO_PEER $S_PEER_PORT \ ++ -d $PLUTO_ME $D_MY_PORT -j ACCEPT ++ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \ ++ -s $PLUTO_PEER $S_PEER_PORT \ ++ -d $PLUTO_ME $D_MY_PORT -j ACCEPT ++ ;; -@@ -353,36 +335,14 @@ down-client:iptables) + down-client:iptables) # connection to client subnet, with (left/right)firewall=yes, going down # This is used only by the default updown script, not by your custom # ones, so do not mess with it; see CAUTION comment up at top. @@ -149,7 +161,7 @@ index 34eaf68c7..514ecb578 100644 -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT fi # -@@ -392,10 +352,10 @@ down-client:iptables) +@@ -392,12 +364,24 @@ down-client:iptables) if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] then logger -t $TAG -p $FAC_PRIO -- \ 
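Review bot: The three rules added to `up-client:iptables` for `-p IPIP`, `-p AH` and `-p ESP` carry `$S_PEER_PORT` and `$D_MY_PORT`; those variables are defined outside this hunk, but in the upstream _updown script they expand to `--sport`/`--dport` arguments whenever a port selector is configured, and iptables rejects port matches for protocols that have no port match, so on such connections the insert fails (and the mirrored `-D` rules in the `down-client:iptables` hunk at `@@ -161,8 +173,22 @@` would then have nothing to delete). Dropping the two port variables from these six rules, e.g. `iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP -s $PLUTO_PEER -d $PLUTO_ME -j ACCEPT`, avoids that. It is also worth confirming which protocol number `IPIP` resolves to on the target: iptables looks non-builtin names up in /etc/protocols, where the alias `IPIP` conventionally belongs to protocol 94 (ipip) while IP-in-IP encapsulation as used by IPsec tunnel mode is protocol 4 (`ipencap`); `iptables -S IPSECINPUT` after a connection comes up shows the number actually installed. The v6 cases further down receive no equivalent rules, which may be intentional but is undocumented in the patch.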
@@ -161,8 +173,22 @@ index 34eaf68c7..514ecb578 100644 + "client- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" fi fi ++ ++ # Close Firewall for IPinIP + AH + ESP Traffic ++ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p IPIP \ ++ -s $PLUTO_PEER $S_PEER_PORT \ ++ -d $PLUTO_ME $D_MY_PORT -j ACCEPT ++ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p AH \ ++ -s $PLUTO_PEER $S_PEER_PORT \ ++ -d $PLUTO_ME $D_MY_PORT -j ACCEPT ++ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \ ++ -s $PLUTO_PEER $S_PEER_PORT \ ++ -d $PLUTO_ME $D_MY_PORT -j ACCEPT ++ ;; -@@ -422,10 +382,10 @@ up-host-v6:iptables) + # + # IPv6 +@@ -422,10 +406,10 @@ up-host-v6:iptables) # connection to me, with (left/right)firewall=yes, coming up # This is used only by the default updown script, not by your custom # ones, so do not mess with it; see CAUTION comment up at top. @@ -175,7 +201,7 @@ index 34eaf68c7..514ecb578 100644 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # -@@ -454,10 +414,10 @@ down-host-v6:iptables) +@@ -454,10 +438,10 @@ down-host-v6:iptables) # connection to me, with (left/right)firewall=yes, going down # This is used only by the default updown script, not by your custom # ones, so do not mess with it; see CAUTION comment up at top. @@ -188,7 +214,7 @@ index 34eaf68c7..514ecb578 100644 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # -@@ -487,10 +447,10 @@ up-client-v6:iptables) +@@ -487,10 +471,10 @@ up-client-v6:iptables) # ones, so do not mess with it; see CAUTION comment up at top. if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] then 
@@ -201,7 +227,7 @@ index 34eaf68c7..514ecb578 100644 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT fi -@@ -499,10 +459,10 @@ up-client-v6:iptables) +@@ -499,10 +483,10 @@ up-client-v6:iptables) # or sometimes host access via the internal IP is needed if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] then @@ -214,7 +240,7 @@ index 34eaf68c7..514ecb578 100644 -s $PLUTO_MY_CLIENT $S_MY_PORT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT fi -@@ -535,11 +495,11 @@ down-client-v6:iptables) +@@ -535,11 +519,11 @@ down-client-v6:iptables) # ones, so do not mess with it; see CAUTION comment up at top. if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] then @@ -228,7 +254,7 @@ index 34eaf68c7..514ecb578 100644 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ -d $PLUTO_MY_CLIENT $D_MY_PORT \ $IPSEC_POLICY_IN -j ACCEPT -@@ -549,11 +509,11 @@ down-client-v6:iptables) +@@ -549,11 +533,11 @@ down-client-v6:iptables) # or sometimes host access via the internal IP is needed if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] then diff --git a/src/scripts/repair-mdraid b/src/scripts/repair-mdraid new file mode 100644 index 000000000..a622ff71d --- /dev/null +++ b/src/scripts/repair-mdraid 
@@ -0,0 +1,169 @@ +#!/bin/bash +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2022 IPFire Team # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see . # +# # +############################################################################### +# +# This script is supposed to repair any broken RAID installations +# where the system has been booted from only one of the RAID devices +# without the software RAID being activated first. +# +# This script does as follows: +# +# * It tries to find an inactive RAID called "ipfire:0" +# * It will then destroy any devices that are still part of this RAID. +# This is required because if the RAID is being assembled correctly, +# data from the disk that has NOT been mounted will be replicated +# back to the device that has been changed. That causes that any +# data that has been written to the mounted disk will be lost. +# To avoid this, we will partially destroy the RAID. +# * We will then erase any partition tables and destroy any filesystems +# on the devices so that they do not get accidentially mounted again. +# * The system will then need to be rebooted where the RAID will be +# mounted again in a degraded state which might take some extra +# time at boot (the system stands still for about a minute). 
+# * After the system has been booted up correctly, we will re-add +# the devices back to the RAID which will resync and the system +# will be back to its intended configuration. + +find_inactive_raid() { + local status + local device + local arg + local args + + while read -r status device args; do + if [ "${status}" = "INACTIVE-ARRAY" ]; then + for arg in ${args}; do + case "${arg}" in + name=ipfire:0) + echo "${device}" + return 0 + ;; + esac + done + fi + done <<< "$(mdadm --detail --scan)" + + return 1 +} + +find_root() { + local device + local mp + local fs + local args + + while read -r device mp fs args; do + if [ "${mp}" = "/" ]; then + echo "${device:0:-1}" + return 0 + fi + done < /proc/mounts + + return 1 +} + +find_raid_devices() { + local raid="${1}" + + local IFS=, + + local device + for device in $(mdadm -v --detail --scan "${raid}" | awk -F= '/^[ ]+devices/ { print $2 }'); do + echo "${device}" + done + + return 0 +} + +destroy_everything() { + local device="${1}" + local part + + # Destroy the RAID superblock + mdadm --zero-superblock "${device}" + + # Wipe the partition table + wipefs -a "${device}" + + # Wipe any partition signatures + for part in ${device}*; do + wipefs -a "${part}" + done +} + +raid_rebuild() { + local devices=( "$@" ) + + cat > /etc/rc.d/rcsysinit.d/S99fix-raid </dev/null + + # Destroy any useful data on all remaining RAID devices + local device + for device in ${devices[@]}; do + # Skip root + [ "${device}" = "${root}" ] && continue + + destroy_everything "${device}" + done &>/dev/null + + # Re-add devices to the RAID + raid_rebuild "${device}" + + return 0 +} + +main "$@" || return $?
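Review bot: `destroy_everything` wipes partitions through the unquoted glob `for part in ${device}*`, which for `/dev/sda` also matches `/dev/sdaa`, `/dev/sdab`, … on hosts with many drives, and when nothing matches the literal `${device}*` string is handed to `wipefs` (the `&>/dev/null` in `main` hides that error); restricting the pattern and checking each hit, `for part in "${device}"[0-9]* "${device}"p[0-9]*; do` followed by `[ -b "${part}" ] || continue`, keeps the wipe on the disk that was actually named. The root guard is also fragile: `find_root` derives the parent disk with `${device:0:-1}`, which only strips a single-character partition suffix, so for `/dev/nvme0n1p1` or `/dev/sda10` the value never equals a device returned by `find_raid_devices` and the `[ "${device}" = "${root}" ] && continue` check in `main` would not skip the mounted disk — lsblk's `PKNAME` column gives the parent name regardless of naming scheme. After the loop, `raid_rebuild "${device}"` passes only the loop variable's last value (which can be `${root}` itself, since `continue` runs after the assignment) instead of the set of wiped devices, and the closing `main "$@" || return $?` uses `return` at script level, which bash reports as an error outside a function; `exit $?` is what is intended. The middle of `raid_rebuild` and the beginning of `main` are not legible in this rendering, so the last two points are inferred from the visible lines.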