diff --git a/config/rootfiles/core/94/filelists/files b/config/rootfiles/core/94/filelists/files
index 9b0811406..8ea85826a 100644
--- a/config/rootfiles/core/94/filelists/files
+++ b/config/rootfiles/core/94/filelists/files
@@ -1,5 +1,6 @@
 etc/system-release
 etc/issue
+etc/rc.d/init.d/snort
 etc/rc.d/init.d/sshd
 srv/web/ipfire/cgi-bin/logs.cgi/log.dat
 srv/web/ipfire/cgi-bin/mail.cgi
diff --git a/lfs/cdrom b/lfs/cdrom
index 3a9591113..79920b8dd 100644
--- a/lfs/cdrom
+++ b/lfs/cdrom
@@ -93,9 +93,7 @@ ifneq "$(MACHINE_TYPE)" "arm"
 cp /boot/vmlinuz-$(KVER)-ipfire /install/cdrom/boot/isolinux/vmlinuz
 dracut --force -a "installer" --strip --xz /install/cdrom/boot/isolinux/instroot $(KVER)-ipfire
 cp $(DIR_SRC)/config/syslinux/boot.png /install/cdrom/boot/isolinux/boot.png
-ifeq "$(MACHINE)" "i586"
 cp /usr/lib/memtest86+/memtest.bin /install/cdrom/boot/isolinux/memtest
-endif
 cp /usr/share/ipfire-netboot/ipxe.lkrn /install/cdrom/boot/isolinux/netboot
 cp /usr/share/syslinux/isolinux.bin /install/cdrom/boot/isolinux/isolinux.bin
 cp /usr/share/hwdata/pci.ids /install/cdrom/boot/isolinux/pci.ids
diff --git a/lfs/dnsmasq b/lfs/dnsmasq
index f16c7618a..db5609102 100644
--- a/lfs/dnsmasq
+++ b/lfs/dnsmasq
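Review bot: With the `ifeq "$(MACHINE)" "i586"` guard gone, the memtest.bin copy now runs for every MACHINE inside the enclosing `ifneq "$(MACHINE_TYPE)" "arm"` block, so the cdrom build silently depends on lfs/memtest having installed /usr/lib/memtest86+/memtest.bin for each non-arm architecture — a coupling only visible by reading SUP_ARCH in the other file. Suggest a comment above the cp line, `# memtest.bin exists for every non-arm MACHINE (see SUP_ARCH in lfs/memtest)`, so a future architecture that is not in SUP_ARCH fails for a stated reason rather than a missing file. The enclosing ifneq block starts before the hunk and continues after it.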
@@ -76,6 +76,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/001-include_0_0_0_0_8_in_DNS_rebind_checks.patch cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/002-enhance_add_subnet_to_allow_arbitary_subnet_addresses.patch cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/003-dont_answer_non_auth_queries_for_auth_zones_locally_when_localise_queries_set.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/004-fix_behaviour_of_empty_dhcp-option.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/005-suggest_solution_to_ENOMEM_error_with_IPv6_multicast.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/006-clarify_man_page_on_RDNSS_set_in_router_advertisement.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/007-handle_signed_dangling_CNAME_replies_to_DS_queries.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/008-DHCPv6_option_56_does_not_hold_an_address_list.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/009-Respect_the_--no_resolv_flag_in_inotify_code.patch cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch cd $(DIR_APP) && sed -i src/config.h \ diff --git a/lfs/memtest b/lfs/memtest index d98ea872b..cef29d69e 100644 --- a/lfs/memtest +++ b/lfs/memtest @@ -31,7 +31,7 @@ DL_FILE = $(THISAPP).tar.gz DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) -SUP_ARCH = i586 +SUP_ARCH = i586 x86_64 ############################################################################### # Top-level Rules 
@@ -71,11 +71,19 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) + -mkdir -p /usr/lib/memtest86+ + +ifeq "$(MACHINE)" "i586" # Enable SMP as default cd $(DIR_APP) && sed -i -e "s|CONSERVATIVE_SMP 1|CONSERVATIVE_SMP 0|g" config.h cd $(DIR_APP) && sed -i -e "s|scp |echo |g" Makefile cd $(DIR_APP) && make $(EXTRA_MAKE) - -mkdir -p /usr/lib/memtest86+ cd $(DIR_APP) && cp -f memtest.bin /usr/lib/memtest86+ +else + # 64bit only systems cannot link mentest without 32bit gcc libs + # so we use the precompiled binary from memtest author + cd $(DIR_APP) && cp -f precomp.bin /usr/lib/memtest86+/memtest.bin +endif + @rm -rf $(DIR_APP) @$(POSTBUILD) diff --git a/make.sh b/make.sh index fb417d57e..4a8c50bdf 100755 --- a/make.sh +++ b/make.sh @@ -906,6 +906,10 @@ buildpackages() { mv $LFS/install/images/*.bz2 $BASEDIR >> $LOGFILE 2>&1 cd $BASEDIR + + # remove not useable iso on armv5tel (needed to build flash images) + [ "${TARGET_ARCH}" = "armv5tel" ] && rm -rf *.iso + for i in `ls *.bz2 *.img.gz *.iso`; do md5sum $i > $i.md5 done diff --git a/src/initscripts/init.d/snort b/src/initscripts/init.d/snort index 42968d8da..e03c80fea 100644 --- a/src/initscripts/init.d/snort +++ b/src/initscripts/init.d/snort @@ -74,7 +74,7 @@ case "$1" in for DEVICE in $DEVICES; do boot_mesg "Starting Intrusion Detection System on $DEVICE..." - /usr/sbin/snort -c /etc/snort/snort.conf -i $DEVICE -D -l /var/log/snort --create-pidfile --nolock-pidfile --pid-path /var/run/ + /usr/sbin/snort -c /etc/snort/snort.conf -i $DEVICE -D -l /var/log/snort --create-pidfile --nolock-pidfile --pid-path /var/run evaluate_retval sleep 1 chmod 644 /var/run/snort_$DEVICE.pid diff --git a/src/patches/dnsmasq/004-fix_behaviour_of_empty_dhcp-option.patch b/src/patches/dnsmasq/004-fix_behaviour_of_empty_dhcp-option.patch new file mode 100644 index 000000000..492ada9c8 --- /dev/null 
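Review bot: The new else branch ships `precomp.bin` straight out of the source tarball, so on x86_64 the installed memtest is a binary this recipe never built; its only provenance is the tarball itself, which per the `%_MD5` rule named in the hunk header is checked by MD5 only. The comment should record where precomp.bin comes from and fix its typos: `# 64bit-only systems cannot link memtest without 32bit gcc libs,` / `# so install the precompiled binary the memtest author ships in the tarball`. Moving `-mkdir -p /usr/lib/memtest86+` ahead of the ifeq is correct since both branches copy into that directory.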
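Review bot: After `rm -rf *.iso` on armv5tel, the loop that follows still runs `ls *.bz2 *.img.gz *.iso`; with no .iso present the shell passes the literal `*.iso` to ls, which prints `cannot access *.iso` into the build output while still listing the other files, so the md5 step works but logs a spurious error on every armv5tel build. `rm -rf` is also more than a glob of regular files needs. Suggest `rm -f *.iso` and a loop that skips non-matches, `for i in *.bz2 *.img.gz *.iso; do [ -e "$i" ] || continue; md5sum "$i" > "$i.md5"; done`. buildpackages() starts before the hunk and continues after it.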
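Review bot: The only change is dropping the trailing slash from `--pid-path /var/run/`, and nothing in the script records why; a reader will take the two spellings as equivalent and may put the slash back. Presumably snort joins the path with `snort_$DEVICE.pid` itself and the doubled slash mattered for the `chmod 644 /var/run/snort_$DEVICE.pid` below — confirm, and keep the reason on the line above: `# no trailing slash: snort appends /snort_<iface>.pid to --pid-path itself`. The fixed `sleep 1` before that chmod is a delay rather than a wait for the pid file, so the chmod can still miss a slow start after evaluate_retval has already reported success; that is pre-existing. The case branch starts before the hunk and continues after it.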
+++ b/src/patches/dnsmasq/004-fix_behaviour_of_empty_dhcp-option.patch @@ -0,0 +1,38 @@ +From 5e3e464ac4022ee0b3794513abe510817e2cf3ca Mon Sep 17 00:00:00 2001 +From: Simon Kelley +Date: Tue, 25 Aug 2015 23:08:39 +0100 +Subject: [PATCH] Fix behaviour of empty dhcp-option=option6:dns-server, which + should inhibit sending option. + +--- + src/rfc3315.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/src/rfc3315.c b/src/rfc3315.c +index 2665d0d..3f1f9ee 100644 +--- a/src/rfc3315.c ++++ b/src/rfc3315.c +@@ -1320,15 +1320,16 @@ static struct dhcp_netid *add_options(struct state *state, int do_refresh) + + if (opt_cfg->opt == OPTION6_REFRESH_TIME) + done_refresh = 1; ++ ++ if (opt_cfg->opt == OPTION6_DNS_SERVER) ++ done_dns = 1; + +- if (opt_cfg->flags & DHOPT_ADDR6) ++ /* Empty DNS_SERVER option will not set DHOPT_ADDR6 */ ++ if ((opt_cfg->flags & DHOPT_ADDR6) || opt_cfg->opt == OPTION6_DNS_SERVER) + { + int len, j; + struct in6_addr *a; + +- if (opt_cfg->opt == OPTION6_DNS_SERVER) +- done_dns = 1; +- + for (a = (struct in6_addr *)opt_cfg->val, len = opt_cfg->len, j = 0; + j < opt_cfg->len; j += IN6ADDRSZ, a++) + if ((IN6_IS_ADDR_ULA_ZERO(a) && IN6_IS_ADDR_UNSPECIFIED(state->ula_addr)) || +-- +1.7.10.4 + diff --git a/src/patches/dnsmasq/005-suggest_solution_to_ENOMEM_error_with_IPv6_multicast.patch b/src/patches/dnsmasq/005-suggest_solution_to_ENOMEM_error_with_IPv6_multicast.patch new file mode 100644 index 000000000..c7cee6042 --- /dev/null +++ b/src/patches/dnsmasq/005-suggest_solution_to_ENOMEM_error_with_IPv6_multicast.patch 
@@ -0,0 +1,50 @@ +From 9cdcfe9f19ffd45bac4e5b459879bf7c50a287ed Mon Sep 17 00:00:00 2001 +From: Simon Kelley +Date: Wed, 26 Aug 2015 22:38:08 +0100 +Subject: [PATCH] Suggest solution to ENOMEM error with IPv6 multicast. + +--- + src/network.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/src/network.c b/src/network.c +index a1d90c8..819302f 100644 +--- a/src/network.c ++++ b/src/network.c +@@ -1076,23 +1076,30 @@ void join_multicast(int dienow) + + if ((daemon->doing_dhcp6 || daemon->relay6) && + setsockopt(daemon->dhcp6fd, IPPROTO_IPV6, IPV6_JOIN_GROUP, &mreq, sizeof(mreq)) == -1) +- err = 1; ++ err = errno; + + inet_pton(AF_INET6, ALL_SERVERS, &mreq.ipv6mr_multiaddr); + + if (daemon->doing_dhcp6 && + setsockopt(daemon->dhcp6fd, IPPROTO_IPV6, IPV6_JOIN_GROUP, &mreq, sizeof(mreq)) == -1) +- err = 1; ++ err = errno; + + inet_pton(AF_INET6, ALL_ROUTERS, &mreq.ipv6mr_multiaddr); + + if (daemon->doing_ra && + setsockopt(daemon->icmp6fd, IPPROTO_IPV6, IPV6_JOIN_GROUP, &mreq, sizeof(mreq)) == -1) +- err = 1; ++ err = errno; + + if (err) + { + char *s = _("interface %s failed to join DHCPv6 multicast group: %s"); ++ errno = err; ++ ++#ifdef HAVE_LINUX_NETWORK ++ if (errno == ENOMEM) ++ my_syslog(LOG_ERR, _("try increasing /proc/sys/net/core/optmem_max")); ++#endif ++ + if (dienow) + die(s, iface->name, EC_BADNET); + else +-- +1.7.10.4 + diff --git a/src/patches/dnsmasq/006-clarify_man_page_on_RDNSS_set_in_router_advertisement.patch b/src/patches/dnsmasq/006-clarify_man_page_on_RDNSS_set_in_router_advertisement.patch new file mode 100644 index 000000000..19c76e630 --- /dev/null +++ b/src/patches/dnsmasq/006-clarify_man_page_on_RDNSS_set_in_router_advertisement.patch 
@@ -0,0 +1,35 @@ +From 20fd11e11a9d09edcea94de135396ae1541fbbab Mon Sep 17 00:00:00 2001 +From: Simon Kelley +Date: Wed, 26 Aug 2015 22:48:13 +0100 +Subject: [PATCH] Clarify man page on RDNSS set in router advertisement. + +--- + man/dnsmasq.8 | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/man/dnsmasq.8 b/man/dnsmasq.8 +index a23c898..d51b10f 100644 +--- a/man/dnsmasq.8 ++++ b/man/dnsmasq.8 +@@ -1687,15 +1687,15 @@ creation are handled by a different protocol. When DHCP is in use, + only a subset of this is needed, and dnsmasq can handle it, using + existing DHCP configuration to provide most data. When RA is enabled, + dnsmasq will advertise a prefix for each dhcp-range, with default +-router and recursive DNS server as the relevant link-local address on +-the machine running dnsmasq. By default, he "managed address" bits are set, and ++router as the relevant link-local address on ++the machine running dnsmasq. By default, the "managed address" bits are set, and + the "use SLAAC" bit is reset. This can be changed for individual + subnets with the mode keywords described in + .B --dhcp-range. + RFC6106 DNS parameters are included in the advertisements. By default, + the relevant link-local address of the machine running dnsmasq is sent + as recursive DNS server. If provided, the DHCPv6 options dns-server and +-domain-search are used for RDNSS and DNSSL. ++domain-search are used for the DNS server (RDNSS) and the domain serach list (DNSSL). + .TP + .B --ra-param=,[high|low],[[],] + Set non-default values for router advertisements sent via an +-- +1.7.10.4 + diff --git a/src/patches/dnsmasq/007-handle_signed_dangling_CNAME_replies_to_DS_queries.patch b/src/patches/dnsmasq/007-handle_signed_dangling_CNAME_replies_to_DS_queries.patch new file mode 100644 index 000000000..832a22e02 --- /dev/null +++ b/src/patches/dnsmasq/007-handle_signed_dangling_CNAME_replies_to_DS_queries.patch 
@@ -0,0 +1,30 @@ +From 6de81f1250fd323c9155de065d5a9dc200a6f20b Mon Sep 17 00:00:00 2001 +From: Simon Kelley +Date: Wed, 9 Sep 2015 22:51:13 +0100 +Subject: [PATCH] Handle signed dangling CNAME replies to DS queries. + +--- + src/dnssec.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/src/dnssec.c b/src/dnssec.c +index 4deda24..67ce486 100644 +--- a/src/dnssec.c ++++ b/src/dnssec.c +@@ -1232,11 +1232,8 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char + + /* If we return STAT_NO_SIG, name contains the name of the DS query */ + if (val == STAT_NO_SIG) +- { +- *keyname = 0; +- return val; +- } +- ++ return val; ++ + /* If the key needed to validate the DS is on the same domain as the DS, we'll + loop getting nowhere. Stop that now. This can happen of the DS answer comes + from the DS's zone, and not the parent zone. */ +-- +1.7.10.4 + diff --git a/src/patches/dnsmasq/008-DHCPv6_option_56_does_not_hold_an_address_list.patch b/src/patches/dnsmasq/008-DHCPv6_option_56_does_not_hold_an_address_list.patch new file mode 100644 index 000000000..fdccd0ebc --- /dev/null +++ b/src/patches/dnsmasq/008-DHCPv6_option_56_does_not_hold_an_address_list.patch 
@@ -0,0 +1,25 @@ +From 102208df695e886a3086754d32bf7f8c541fbe46 Mon Sep 17 00:00:00 2001 +From: Simon Kelley +Date: Thu, 10 Sep 2015 21:50:00 +0100 +Subject: [PATCH] DHCPv6 option 56 does not hold an address list. (RFC 5908). + +--- + src/dhcp-common.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/dhcp-common.c b/src/dhcp-common.c +index bc48f41..8fc171a 100644 +--- a/src/dhcp-common.c ++++ b/src/dhcp-common.c +@@ -599,7 +599,7 @@ static const struct opttab_t opttab6[] = { + { "sntp-server", 31, OT_ADDR_LIST }, + { "information-refresh-time", 32, OT_TIME }, + { "FQDN", 39, OT_INTERNAL | OT_RFC1035_NAME }, +- { "ntp-server", 56, OT_ADDR_LIST }, ++ { "ntp-server", 56, 0 }, + { "bootfile-url", 59, OT_NAME }, + { "bootfile-param", 60, OT_CSTRING }, + { NULL, 0, 0 } +-- +1.7.10.4 + diff --git a/src/patches/dnsmasq/009-Respect_the_--no_resolv_flag_in_inotify_code.patch b/src/patches/dnsmasq/009-Respect_the_--no_resolv_flag_in_inotify_code.patch new file mode 100644 index 000000000..2014fdb21 --- /dev/null +++ b/src/patches/dnsmasq/009-Respect_the_--no_resolv_flag_in_inotify_code.patch 
@@ -0,0 +1,47 @@ +From 77607cbea0ad0f876dfb79c8b2c121ee400d57d0 Mon Sep 17 00:00:00 2001 +From: Simon Kelley +Date: Thu, 10 Sep 2015 23:08:43 +0100 +Subject: [PATCH] Respect the --no-resolv flag in inotify code. + +--- + CHANGELOG | 7 ++++++- + debian/changelog | 6 ++++++ + src/inotify.c | 3 +++ + 3 files changed, 15 insertions(+), 1 deletion(-) + +diff --git a/CHANGELOG b/CHANGELOG +index bbc2834..d6e309f 100644 +--- a/CHANGELOG ++++ b/CHANGELOG +@@ -7,8 +7,13 @@ version 2.76 + + Enhance --add-subnet to allow arbitrary subnet addresses. + Thanks to Ed Barsley for the patch. ++ ++ Respect the --no-resolv flag in inotify code. Fixes bug ++ which caused dnsmasq to fail to start if a resolv-file ++ was a dangling symbolic link, even of --no-resolv set. ++ Thanks to Alexander Kurtz for spotting the problem. ++ + +- + version 2.75 + Fix reversion on 2.74 which caused 100% CPU use when a + dhcp-script is configured. Thanks to Adrian Davey for +diff --git a/src/inotify.c b/src/inotify.c +index 52d412f..ef05c58 100644 +--- a/src/inotify.c ++++ b/src/inotify.c +@@ -90,6 +90,9 @@ void inotify_dnsmasq_init() + + if (daemon->inotifyfd == -1) + die(_("failed to create inotify: %s"), NULL, EC_MISC); ++ ++ if (option_bool(OPT_NO_RESOLV)) ++ return; + + for (res = daemon->resolv_files; res; res = res->next) + { +-- +1.7.10.4 +