Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next

This commit is contained in:
Arne Fitzenreiter
2015-09-16 20:28:53 +02:00
12 changed files with 247 additions and 5 deletions


@@ -1,5 +1,6 @@
etc/system-release
etc/issue
etc/rc.d/init.d/snort
etc/rc.d/init.d/sshd
srv/web/ipfire/cgi-bin/logs.cgi/log.dat
srv/web/ipfire/cgi-bin/mail.cgi


@@ -93,9 +93,7 @@ ifneq "$(MACHINE_TYPE)" "arm"
cp /boot/vmlinuz-$(KVER)-ipfire /install/cdrom/boot/isolinux/vmlinuz
dracut --force -a "installer" --strip --xz /install/cdrom/boot/isolinux/instroot $(KVER)-ipfire
cp $(DIR_SRC)/config/syslinux/boot.png /install/cdrom/boot/isolinux/boot.png
ifeq "$(MACHINE)" "i586"
cp /usr/lib/memtest86+/memtest.bin /install/cdrom/boot/isolinux/memtest
endif
cp /usr/share/ipfire-netboot/ipxe.lkrn /install/cdrom/boot/isolinux/netboot
cp /usr/share/syslinux/isolinux.bin /install/cdrom/boot/isolinux/isolinux.bin
cp /usr/share/hwdata/pci.ids /install/cdrom/boot/isolinux/pci.ids


@@ -76,6 +76,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/001-include_0_0_0_0_8_in_DNS_rebind_checks.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/002-enhance_add_subnet_to_allow_arbitary_subnet_addresses.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/003-dont_answer_non_auth_queries_for_auth_zones_locally_when_localise_queries_set.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/004-fix_behaviour_of_empty_dhcp-option.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/005-suggest_solution_to_ENOMEM_error_with_IPv6_multicast.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/006-clarify_man_page_on_RDNSS_set_in_router_advertisement.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/007-handle_signed_dangling_CNAME_replies_to_DS_queries.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/008-DHCPv6_option_56_does_not_hold_an_address_list.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/009-Respect_the_--no_resolv_flag_in_inotify_code.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch
cd $(DIR_APP) && sed -i src/config.h \
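Review bot: The vendored 009 patch applied by the new `009-Respect_the_--no_resolv_flag_in_inotify_code.patch` line carries a diffstat naming three files (CHANGELOG, debian/changelog, src/inotify.c) while its body holds only the CHANGELOG and src/inotify.c diffs, so the debian/changelog hunk was trimmed without trimming the stat; `patch -Np1` does not read the diffstat, so it still applies, but header and body should agree so a later reader does not hunt for a missing hunk. The other new lines (004–008) apply whole upstream commits, and 007 changes DNSSEC DS validation in src/dnssec.c, which is a behaviour change for installations with DNSSEC enabled that nothing in this rule records; a one-line comment above the block, `# 004-009: upstream post-2.75 fixes; 007 alters DS validation on signed dangling CNAMEs`, would tell the next maintainer why the list grew. The `$(TARGET)` rule starts above this hunk and continues past the trailing `sed -i src/config.h \`.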


@@ -31,7 +31,7 @@ DL_FILE = $(THISAPP).tar.gz
DL_FROM = $(URL_IPFIRE)
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
SUP_ARCH = i586
SUP_ARCH = i586 x86_64
###############################################################################
# Top-level Rules
@@ -71,11 +71,19 @@ $(subst %,%_MD5,$(objects)) :
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
-mkdir -p /usr/lib/memtest86+
ifeq "$(MACHINE)" "i586"
# Enable SMP as default
cd $(DIR_APP) && sed -i -e "s|CONSERVATIVE_SMP 1|CONSERVATIVE_SMP 0|g" config.h
cd $(DIR_APP) && sed -i -e "s|scp |echo |g" Makefile
cd $(DIR_APP) && make $(EXTRA_MAKE)
-mkdir -p /usr/lib/memtest86+
cd $(DIR_APP) && cp -f memtest.bin /usr/lib/memtest86+
else
# 64bit only systems cannot link mentest without 32bit gcc libs
# so we use the precompiled binary from memtest author
cd $(DIR_APP) && cp -f precomp.bin /usr/lib/memtest86+/memtest.bin
endif
@rm -rf $(DIR_APP)
@$(POSTBUILD)
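Review bot: The new x86_64 branch installs `precomp.bin` straight out of the unpacked tarball as the boot-time memtest image, so nothing in this rule builds or inspects it — its integrity rests entirely on the download checksum enforced by the `$(subst %,%_MD5,$(objects))` rule above the hunk. That is a reasonable trade-off for a binary the build cannot link itself, but the comment should say so, e.g. `# precomp.bin is upstream's prebuilt image; it is trusted only via the tarball checksum`, and the comment on the line above it has a typo, `mentest` for `memtest`. Moving `-mkdir -p /usr/lib/memtest86+` above the `ifeq` is right since both branches need the directory; the leading `-` is make's ignore-error prefix, and a failure there would surface at the following `cp` anyway. The else branch is reachable only because `SUP_ARCH = i586 x86_64` in the first hunk admits x86_64; any further widening of SUP_ARCH would fall into this branch too, since the ifeq tests only for i586.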


@@ -906,6 +906,10 @@ buildpackages() {
mv $LFS/install/images/*.bz2 $BASEDIR >> $LOGFILE 2>&1
cd $BASEDIR
# remove not useable iso on armv5tel (needed to build flash images)
[ "${TARGET_ARCH}" = "armv5tel" ] && rm -rf *.iso
for i in `ls *.bz2 *.img.gz *.iso`; do
md5sum $i > $i.md5
done
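Review bot: The new `rm -rf *.iso` is a glob delete whose target directory is fixed by the unchecked `cd $BASEDIR` on the line before it; if that cd ever fails, the delete (and the md5sum loop after it) runs in whatever the current directory happened to be. Anchoring the path removes the dependency, `[ "${TARGET_ARCH}" = "armv5tel" ] && rm -rf "$BASEDIR"/*.iso`, or the cd itself can be checked with `cd $BASEDIR || return 1`. The `[ … ] && …` form leaves a non-zero status when the architecture does not match; that is harmless here because the for loop follows, but it would become the function's return value if the line were ever last. buildpackages() starts and ends outside this hunk.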


@@ -74,7 +74,7 @@ case "$1" in
for DEVICE in $DEVICES; do
boot_mesg "Starting Intrusion Detection System on $DEVICE..."
/usr/sbin/snort -c /etc/snort/snort.conf -i $DEVICE -D -l /var/log/snort --create-pidfile --nolock-pidfile --pid-path /var/run/
/usr/sbin/snort -c /etc/snort/snort.conf -i $DEVICE -D -l /var/log/snort --create-pidfile --nolock-pidfile --pid-path /var/run
evaluate_retval
sleep 1
chmod 644 /var/run/snort_$DEVICE.pid


@@ -0,0 +1,38 @@
From 5e3e464ac4022ee0b3794513abe510817e2cf3ca Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Tue, 25 Aug 2015 23:08:39 +0100
Subject: [PATCH] Fix behaviour of empty dhcp-option=option6:dns-server, which
should inhibit sending option.
---
src/rfc3315.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/src/rfc3315.c b/src/rfc3315.c
index 2665d0d..3f1f9ee 100644
--- a/src/rfc3315.c
+++ b/src/rfc3315.c
@@ -1320,15 +1320,16 @@ static struct dhcp_netid *add_options(struct state *state, int do_refresh)
if (opt_cfg->opt == OPTION6_REFRESH_TIME)
done_refresh = 1;
+
+ if (opt_cfg->opt == OPTION6_DNS_SERVER)
+ done_dns = 1;
- if (opt_cfg->flags & DHOPT_ADDR6)
+ /* Empty DNS_SERVER option will not set DHOPT_ADDR6 */
+ if ((opt_cfg->flags & DHOPT_ADDR6) || opt_cfg->opt == OPTION6_DNS_SERVER)
{
int len, j;
struct in6_addr *a;
- if (opt_cfg->opt == OPTION6_DNS_SERVER)
- done_dns = 1;
-
for (a = (struct in6_addr *)opt_cfg->val, len = opt_cfg->len, j = 0;
j < opt_cfg->len; j += IN6ADDRSZ, a++)
if ((IN6_IS_ADDR_ULA_ZERO(a) && IN6_IS_ADDR_UNSPECIFIED(state->ula_addr)) ||
--
1.7.10.4


@@ -0,0 +1,50 @@
From 9cdcfe9f19ffd45bac4e5b459879bf7c50a287ed Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Wed, 26 Aug 2015 22:38:08 +0100
Subject: [PATCH] Suggest solution to ENOMEM error with IPv6 multicast.
---
src/network.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/src/network.c b/src/network.c
index a1d90c8..819302f 100644
--- a/src/network.c
+++ b/src/network.c
@@ -1076,23 +1076,30 @@ void join_multicast(int dienow)
if ((daemon->doing_dhcp6 || daemon->relay6) &&
setsockopt(daemon->dhcp6fd, IPPROTO_IPV6, IPV6_JOIN_GROUP, &mreq, sizeof(mreq)) == -1)
- err = 1;
+ err = errno;
inet_pton(AF_INET6, ALL_SERVERS, &mreq.ipv6mr_multiaddr);
if (daemon->doing_dhcp6 &&
setsockopt(daemon->dhcp6fd, IPPROTO_IPV6, IPV6_JOIN_GROUP, &mreq, sizeof(mreq)) == -1)
- err = 1;
+ err = errno;
inet_pton(AF_INET6, ALL_ROUTERS, &mreq.ipv6mr_multiaddr);
if (daemon->doing_ra &&
setsockopt(daemon->icmp6fd, IPPROTO_IPV6, IPV6_JOIN_GROUP, &mreq, sizeof(mreq)) == -1)
- err = 1;
+ err = errno;
if (err)
{
char *s = _("interface %s failed to join DHCPv6 multicast group: %s");
+ errno = err;
+
+#ifdef HAVE_LINUX_NETWORK
+ if (errno == ENOMEM)
+ my_syslog(LOG_ERR, _("try increasing /proc/sys/net/core/optmem_max"));
+#endif
+
if (dienow)
die(s, iface->name, EC_BADNET);
else
--
1.7.10.4


@@ -0,0 +1,35 @@
From 20fd11e11a9d09edcea94de135396ae1541fbbab Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Wed, 26 Aug 2015 22:48:13 +0100
Subject: [PATCH] Clarify man page on RDNSS set in router advertisement.
---
man/dnsmasq.8 | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
index a23c898..d51b10f 100644
--- a/man/dnsmasq.8
+++ b/man/dnsmasq.8
@@ -1687,15 +1687,15 @@ creation are handled by a different protocol. When DHCP is in use,
only a subset of this is needed, and dnsmasq can handle it, using
existing DHCP configuration to provide most data. When RA is enabled,
dnsmasq will advertise a prefix for each dhcp-range, with default
-router and recursive DNS server as the relevant link-local address on
-the machine running dnsmasq. By default, he "managed address" bits are set, and
+router as the relevant link-local address on
+the machine running dnsmasq. By default, the "managed address" bits are set, and
the "use SLAAC" bit is reset. This can be changed for individual
subnets with the mode keywords described in
.B --dhcp-range.
RFC6106 DNS parameters are included in the advertisements. By default,
the relevant link-local address of the machine running dnsmasq is sent
as recursive DNS server. If provided, the DHCPv6 options dns-server and
-domain-search are used for RDNSS and DNSSL.
+domain-search are used for the DNS server (RDNSS) and the domain serach list (DNSSL).
.TP
.B --ra-param=<interface>,[high|low],[[<ra-interval>],<router lifetime>]
Set non-default values for router advertisements sent via an
--
1.7.10.4


@@ -0,0 +1,30 @@
From 6de81f1250fd323c9155de065d5a9dc200a6f20b Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Wed, 9 Sep 2015 22:51:13 +0100
Subject: [PATCH] Handle signed dangling CNAME replies to DS queries.
---
src/dnssec.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/src/dnssec.c b/src/dnssec.c
index 4deda24..67ce486 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -1232,11 +1232,8 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char
/* If we return STAT_NO_SIG, name contains the name of the DS query */
if (val == STAT_NO_SIG)
- {
- *keyname = 0;
- return val;
- }
-
+ return val;
+
/* If the key needed to validate the DS is on the same domain as the DS, we'll
loop getting nowhere. Stop that now. This can happen of the DS answer comes
from the DS's zone, and not the parent zone. */
--
1.7.10.4


@@ -0,0 +1,25 @@
From 102208df695e886a3086754d32bf7f8c541fbe46 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Thu, 10 Sep 2015 21:50:00 +0100
Subject: [PATCH] DHCPv6 option 56 does not hold an address list. (RFC 5908).
---
src/dhcp-common.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/dhcp-common.c b/src/dhcp-common.c
index bc48f41..8fc171a 100644
--- a/src/dhcp-common.c
+++ b/src/dhcp-common.c
@@ -599,7 +599,7 @@ static const struct opttab_t opttab6[] = {
{ "sntp-server", 31, OT_ADDR_LIST },
{ "information-refresh-time", 32, OT_TIME },
{ "FQDN", 39, OT_INTERNAL | OT_RFC1035_NAME },
- { "ntp-server", 56, OT_ADDR_LIST },
+ { "ntp-server", 56, 0 },
{ "bootfile-url", 59, OT_NAME },
{ "bootfile-param", 60, OT_CSTRING },
{ NULL, 0, 0 }
--
1.7.10.4


@@ -0,0 +1,47 @@
From 77607cbea0ad0f876dfb79c8b2c121ee400d57d0 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Thu, 10 Sep 2015 23:08:43 +0100
Subject: [PATCH] Respect the --no-resolv flag in inotify code.
---
CHANGELOG | 7 ++++++-
debian/changelog | 6 ++++++
src/inotify.c | 3 +++
3 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG b/CHANGELOG
index bbc2834..d6e309f 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -7,8 +7,13 @@ version 2.76
Enhance --add-subnet to allow arbitrary subnet addresses.
Thanks to Ed Barsley for the patch.
+
+ Respect the --no-resolv flag in inotify code. Fixes bug
+ which caused dnsmasq to fail to start if a resolv-file
+ was a dangling symbolic link, even of --no-resolv set.
+ Thanks to Alexander Kurtz for spotting the problem.
+
-
version 2.75
Fix reversion on 2.74 which caused 100% CPU use when a
dhcp-script is configured. Thanks to Adrian Davey for
diff --git a/src/inotify.c b/src/inotify.c
index 52d412f..ef05c58 100644
--- a/src/inotify.c
+++ b/src/inotify.c
@@ -90,6 +90,9 @@ void inotify_dnsmasq_init()
if (daemon->inotifyfd == -1)
die(_("failed to create inotify: %s"), NULL, EC_MISC);
+
+ if (option_bool(OPT_NO_RESOLV))
+ return;
for (res = daemon->resolv_files; res; res = res->next)
{
--
1.7.10.4