Merge remote-tracking branch 'origin/master' into kernel-test

config/firewall/firewall-lib.pl

@@ -217,7 +217,7 @@ sub get_std_net_ip
 	}elsif($val eq 'BLUE'){
 		return "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}";
 	}elsif($val eq 'RED'){
-		return "0.0.0.0/0 -o $con";
+		return "0.0.0.0/0";
 	}elsif($val =~ /OpenVPN/i){
 		return "$ovpnsettings{'DOVPN_SUBNET'}";
 	}elsif($val =~ /IPsec/i){
@@ -226,6 +226,23 @@ sub get_std_net_ip
 		return ;
 	}
 }
+sub get_interface
+{
+	my $net=shift;
+	if($net eq "$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}"){
+		return "$netsettings{'GREEN_DEV'}";
+	}
+	if($net eq "$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}"){
+		return "$netsettings{'ORANGE_DEV'}";
+	}
+	if($net eq "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}"){
+		return "$netsettings{'BLUE_DEV'}";
+	}
+	if($net eq "0.0.0.0/0"){
+		return "$netsettings{'RED_DEV'}";
+	}
+	return "";
+}
 sub get_net_ip
 {
 	my $val=shift;
@@ -305,9 +322,9 @@ sub get_address
 	# address. Otherwise, we assume that it is an IP address.
 	if ($key ~~ ["src_addr", "tgt_addr"]) {
 		if (&General::validmac($value)) {
-			push(@ret, "-m mac --mac-source $value");
+			push(@ret, ["-m mac --mac-source $value", ""]);
 		} else {
-			push(@ret, $value);
+			push(@ret, [$value, ""]);
 		}
 
 	# If a default network interface (GREEN, BLUE, etc.) is selected, we
@@ -316,88 +333,90 @@ sub get_address
 		my $external_interface = &get_external_interface();
 
 		my $network_address = &get_std_net_ip($value, $external_interface);
+
 		if ($network_address) {
-			push(@ret, $network_address);
+			my $interface = &get_interface($network_address);
+			push(@ret, [$network_address, $interface]);
 		}
 
 	# Custom networks.
 	} elsif ($key ~~ ["cust_net_src", "cust_net_tgt", "Custom Network"]) {
 		my $network_address = &get_net_ip($value);
 		if ($network_address) {
-			push(@ret, $network_address);
+			push(@ret, [$network_address, ""]);
 		}
 
 	# Custom hosts.
 	} elsif ($key ~~ ["cust_host_src", "cust_host_tgt", "Custom Host"]) {
 		my $host_address = &get_host_ip($value, $type);
 		if ($host_address) {
-			push(@ret, $host_address);
+			push(@ret, [$host_address, ""]);
 		}
 
 	# OpenVPN networks.
 	} elsif ($key ~~ ["ovpn_net_src", "ovpn_net_tgt", "OpenVPN static network"]) {
 		my $network_address = &get_ovpn_net_ip($value, 1);
 		if ($network_address) {
-			push(@ret, $network_address);
+			push(@ret, [$network_address, ""]);
 		}
 
 	# OpenVPN hosts.
 	} elsif ($key ~~ ["ovpn_host_src", "ovpn_host_tgt", "OpenVPN static host"]) {
 		my $host_address = &get_ovpn_host_ip($value, 33);
 		if ($host_address) {
-			push(@ret, $host_address);
+			push(@ret, [$host_address, ""]);
 		}
 
 	# OpenVPN N2N.
 	} elsif ($key ~~ ["ovpn_n2n_src", "ovpn_n2n_tgt", "OpenVPN N-2-N"]) {
 		my $network_address = &get_ovpn_n2n_ip($value, 11);
 		if ($network_address) {
-			push(@ret, $network_address);
+			push(@ret, [$network_address, ""]);
 		}
 
 	# IPsec networks.
 	} elsif ($key ~~ ["ipsec_net_src", "ipsec_net_tgt", "IpSec Network"]) {
 		my $network_address = &get_ipsec_net_ip($value, 11);
 		if ($network_address) {
-			push(@ret, $network_address);
+			push(@ret, [$network_address, ""]);
 		}
 
 	# The firewall's own IP addresses.
 	} elsif ($key ~~ ["ipfire", "ipfire_src"]) {
 		# ALL
 		if ($value eq "ALL") {
-			push(@ret, "0/0");
+			push(@ret, ["0/0", ""]);
 
 		# GREEN
 		} elsif ($value eq "GREEN") {
-			push(@ret, $netsettings{"GREEN_ADDRESS"});
+			push(@ret, [$netsettings{"GREEN_ADDRESS"}, ""]);
 
 		# BLUE
 		} elsif ($value eq "BLUE") {
-			push(@ret, $netsettings{"BLUE_ADDRESS"});
+			push(@ret, [$netsettings{"BLUE_ADDRESS"}, ""]);
 
 		# ORANGE
 		} elsif ($value eq "ORANGE") {
-			push(@ret, $netsettings{"ORANGE_ADDRESS"});
+			push(@ret, [$netsettings{"ORANGE_ADDRESS"}, ""]);
 
 		# RED
 		} elsif ($value ~~ ["RED", "RED1"]) {
 			my $address = &get_external_address();
 			if ($address) {
-				push(@ret, $address);
+				push(@ret, [$address, ""]);
 			}
 
 		# Aliases
 		} else {
 			my $alias = &get_alias($value);
 			if ($alias) {
-				push(@ret, $alias);
+				push(@ret, [$alias, ""]);
 			}
 		}
 
 	# If nothing was selected, we assume "any".
 	} else {
-		push(@ret, "0/0");
+		push(@ret, ["0/0", ""]);
 	}
 
 	return @ret;

config/firewall/rules.pl

@@ -131,6 +131,12 @@ sub print_rule {
 	print "\n";
 }
 
+sub count_elements {
+	my $hash = shift;
+
+	return scalar @$hash;
+}
+
 sub flush {
 	run("$IPTABLES -F $CHAIN_INPUT");
 	run("$IPTABLES -F $CHAIN_FORWARD");
@@ -186,6 +192,9 @@ sub buildrules {
 		# Skip disabled rules.
 		next unless ($$hash{$key}[2] eq 'ON');
 
+		# Count number of elements in this line
+		my $elements = &count_elements($$hash{$key});
+
 		if ($DEBUG) {
 			print_rule($$hash{$key});
 		}
@@ -268,6 +277,34 @@ sub buildrules {
 			}
 		}
 
+		# Concurrent connection limit
+		my @ratelimit_options = ();
+
+		if (($elements gt 34) && ($$hash{$key}[32] eq 'ON')) {
+			my $conn_limit = $$hash{$key}[33];
+
+			if ($conn_limit ge 1) {
+				push(@ratelimit_options, ("-m", "connlimit"));
+
+				# Use the the entire source IP address
+				push(@ratelimit_options, "--connlimit-saddr");
+				push(@ratelimit_options, ("--connlimit-mask", "32"));
+
+				# Apply the limit
+				push(@ratelimit_options, ("--connlimit-upto", $conn_limit));
+			}
+		}
+
+		# Ratelimit
+		if (($elements gt 37) && ($$hash{$key}[34] eq 'ON')) {
+			my $rate_limit = "$$hash{$key}[35]/$$hash{$key}[36]";
+
+				if ($rate_limit) {
+					push(@ratelimit_options, ("-m", "limit"));
+					push(@ratelimit_options, ("--limit", $rate_limit));
+				}
+		}
+
 		# Check which protocols are used in this rule and so that we can
 		# later group rules by protocols.
 		my @protocols = &get_protocols($hash, $key);
@@ -295,22 +332,26 @@ sub buildrules {
 				next unless ($src);
 
 				# Sanitize source.
-				my $source = $src;
+				my $source = @$src[0];
 				if ($source ~~ @ANY_ADDRESSES) {
 					$source = "";
 				}
 
+				my $source_intf = @$src[1];
+
 				foreach my $dst (@destinations) {
 					# Skip invalid rules.
 					next unless (defined $dst);
 					next if (!$dst || ($dst eq "none"));
 
 					# Sanitize destination.
-					my $destination = $dst;
+					my $destination = @$dst[0];
 					if ($destination ~~ @ANY_ADDRESSES) {
 						$destination = "";
 					}
 
+					my $destination_intf = @$dst[1];
+
 					# Array with iptables arguments.
 					my @options = ();
 
@@ -327,15 +368,26 @@ sub buildrules {
 						push(@source_options, ("-s", $source));
 					}
 
+					if ($source_intf) {
+						push(@source_options, ("-i", $source_intf));
+					}
+
 					# Prepare destination options.
 					my @destination_options = ();
 					if ($destination) {
 						push(@destination_options, ("-d", $destination));
 					}
 
+					if ($destination_intf) {
+						push(@destination_options, ("-o", $destination_intf));
+					}
+
 					# Add time constraint options.
 					push(@options, @time_options);
 
+					# Add ratelimiting option
+					push(@options, @ratelimit_options);
+
 					my $firewall_is_in_source_subnet = 1;
 					if ($source) {
 						$firewall_is_in_source_subnet = &firewall_is_in_subnet($source);
@@ -366,7 +418,7 @@ sub buildrules {
 							# Make port-forwardings useable from the internal networks.
 							my @internal_addresses = &fwlib::get_internal_firewall_ip_addresses(1);
 							unless ($nat_address ~~ @internal_addresses) {
-								&add_dnat_mangle_rules($nat_address, @nat_options);
+								&add_dnat_mangle_rules($nat_address, $source_intf, @nat_options);
 							}
 
 							push(@nat_options, @source_options);
@@ -457,6 +509,10 @@ sub buildrules {
 			}
 		}
 	}
+	#Reload firewall.local if present
+	if ( -f '/etc/sysconfig/firewall.local'){
+		run("/etc/sysconfig/firewall.local reload");
+	}
 }
 
 # Formats the given timestamp into the iptables format which is "hh:mm" UTC.
@@ -683,6 +739,7 @@ sub get_dnat_target_port {
 
 sub add_dnat_mangle_rules {
 	my $nat_address = shift;
+	my $interface = shift;
 	my @options = @_;
 
 	my $mark = 0;
@@ -693,6 +750,8 @@ sub add_dnat_mangle_rules {
 		next unless (exists $defaultNetworks{$zone . "_NETADDRESS"});
 		next unless (exists $defaultNetworks{$zone . "_NETMASK"});
 
+		next if ($interface && $interface ne $defaultNetworks{$zone . "_DEV"});
+
 		my @mangle_options = @options;
 
 		my $netaddress = $defaultNetworks{$zone . "_NETADDRESS"};

config/rootfiles/common/bash

@@ -1,6 +1,73 @@
-bin/sh
-bin/bash
 #bin/bashbug
+#usr/share/doc/bash
+#usr/share/doc/bash/CHANGES
+#usr/share/doc/bash/COMPAT
+#usr/share/doc/bash/FAQ
+#usr/share/doc/bash/INTRO
+#usr/share/doc/bash/NEWS
+#usr/share/doc/bash/POSIX
+#usr/share/doc/bash/RBASH
+#usr/share/doc/bash/README
+#usr/share/doc/bash/bash.html
+#usr/share/doc/bash/bashref.html
 #usr/share/info/bash.info
+#usr/share/locale/af
+#usr/share/locale/af/LC_MESSAGES
+#usr/share/locale/af/LC_MESSAGES/bash.mo
+#usr/share/locale/bg/LC_MESSAGES/bash.mo
+#usr/share/locale/ca/LC_MESSAGES/bash.mo
+#usr/share/locale/cs/LC_MESSAGES/bash.mo
+#usr/share/locale/da/LC_MESSAGES/bash.mo
+#usr/share/locale/de/LC_MESSAGES/bash.mo
+#usr/share/locale/el/LC_MESSAGES/bash.mo
+#usr/share/locale/en@boldquot
+#usr/share/locale/en@boldquot/LC_MESSAGES
+#usr/share/locale/en@boldquot/LC_MESSAGES/bash.mo
+#usr/share/locale/en@quot
+#usr/share/locale/en@quot/LC_MESSAGES
+#usr/share/locale/en@quot/LC_MESSAGES/bash.mo
+#usr/share/locale/eo
+#usr/share/locale/eo/LC_MESSAGES
+#usr/share/locale/eo/LC_MESSAGES/bash.mo
+#usr/share/locale/es/LC_MESSAGES/bash.mo
+#usr/share/locale/et
+#usr/share/locale/et/LC_MESSAGES
+#usr/share/locale/et/LC_MESSAGES/bash.mo
+#usr/share/locale/fi/LC_MESSAGES/bash.mo
+#usr/share/locale/fr/LC_MESSAGES/bash.mo
+#usr/share/locale/ga
+#usr/share/locale/ga/LC_MESSAGES
+#usr/share/locale/ga/LC_MESSAGES/bash.mo
+#usr/share/locale/gl/LC_MESSAGES/bash.mo
+#usr/share/locale/hr/LC_MESSAGES/bash.mo
+#usr/share/locale/hu/LC_MESSAGES/bash.mo
+#usr/share/locale/id/LC_MESSAGES/bash.mo
+#usr/share/locale/it/LC_MESSAGES/bash.mo
+#usr/share/locale/ja/LC_MESSAGES/bash.mo
+#usr/share/locale/lt/LC_MESSAGES/bash.mo
+#usr/share/locale/nl/LC_MESSAGES/bash.mo
+#usr/share/locale/pl/LC_MESSAGES/bash.mo
+#usr/share/locale/pt_BR/LC_MESSAGES/bash.mo
+#usr/share/locale/ro
+#usr/share/locale/ro/LC_MESSAGES
+#usr/share/locale/ro/LC_MESSAGES/bash.mo
+#usr/share/locale/ru/LC_MESSAGES/bash.mo
+#usr/share/locale/sk/LC_MESSAGES/bash.mo
+#usr/share/locale/sl
+#usr/share/locale/sl/LC_MESSAGES
+#usr/share/locale/sl/LC_MESSAGES/bash.mo
+#usr/share/locale/sr
+#usr/share/locale/sr/LC_MESSAGES
+#usr/share/locale/sr/LC_MESSAGES/bash.mo
+#usr/share/locale/sv/LC_MESSAGES/bash.mo
+#usr/share/locale/tr/LC_MESSAGES/bash.mo
+#usr/share/locale/uk
+#usr/share/locale/uk/LC_MESSAGES
+#usr/share/locale/uk/LC_MESSAGES/bash.mo
+#usr/share/locale/vi/LC_MESSAGES/bash.mo
+#usr/share/locale/zh_CN/LC_MESSAGES/bash.mo
+#usr/share/locale/zh_TW/LC_MESSAGES/bash.mo
 #usr/share/man/man1/bash.1
 #usr/share/man/man1/bashbug.1
+bin/sh
+bin/bash

config/rootfiles/common/readline

@@ -9,10 +9,14 @@
 #usr/include/readline/tilde.h
 #usr/lib/libhistory.so
 usr/lib/libhistory.so.6
-usr/lib/libhistory.so.6.2
+usr/lib/libhistory.so.6.3
 #usr/lib/libreadline.so
 usr/lib/libreadline.so.6
-usr/lib/libreadline.so.6.2
+usr/lib/libreadline.so.6.3
+#usr/share/doc/readline
+#usr/share/doc/readline/CHANGES
+#usr/share/doc/readline/INSTALL
+#usr/share/doc/readline/README
 #usr/share/info/history.info
 #usr/share/info/readline.info
 #usr/share/info/rluserman.info

config/rootfiles/core/84/filelists/dnsmasq

@@ -0,0 +1 @@
+../../../common/dnsmasq

config/rootfiles/core/84/filelists/files

@@ -0,0 +1,10 @@
+etc/system-release
+etc/issue
+etc/rc.d/init.d/firewall
+etc/rc.d/init.d/network
+srv/web/ipfire/cgi-bin/firewall.cgi
+srv/web/ipfire/cgi-bin/fwhosts.cgi
+srv/web/ipfire/cgi-bin/urlfilter.cgi
+usr/lib/firewall/firewall-lib.pl
+usr/lib/firewall/rules.pl
+var/ipfire/langs

config/rootfiles/core/84/filelists/readline

@@ -0,0 +1 @@
+../../../common/readline

config/rootfiles/core/84/update.sh

@@ -0,0 +1,60 @@
+#!/bin/bash
+############################################################################
+#                                                                          #
+# This file is part of the IPFire Firewall.                                #
+#                                                                          #
+# IPFire is free software; you can redistribute it and/or modify           #
+# it under the terms of the GNU General Public License as published by     #
+# the Free Software Foundation; either version 3 of the License, or        #
+# (at your option) any later version.                                      #
+#                                                                          #
+# IPFire is distributed in the hope that it will be useful,                #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of           #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the            #
+# GNU General Public License for more details.                             #
+#                                                                          #
+# You should have received a copy of the GNU General Public License        #
+# along with IPFire; if not, write to the Free Software                    #
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307 USA #
+#                                                                          #
+# Copyright (C) 2014 IPFire-Team <info@ipfire.org>.                        #
+#                                                                          #
+############################################################################
+#
+. /opt/pakfire/lib/functions.sh
+/usr/local/bin/backupctrl exclude >/dev/null 2>&1
+
+# Remove old core updates from pakfire cache to save space...
+core=84
+for (( i=1; i<=$core; i++ ))
+do
+	rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire
+done
+
+# Stop services
+/etc/init.d/squid stop
+/etc/init.d/dnsmasq stop
+
+# Remove old files
+
+# Extract files
+extract_files
+
+# Start services
+/etc/init.d/dnsmasq start
+/etc/init.d/squid start
+
+# Update Language cache
+perl -e "require '/var/ipfire/lang.pl'; &Lang::BuildCacheLang"
+
+sync
+
+# This update need a reboot...
+touch /var/run/need_reboot
+
+# Finish
+/etc/init.d/fireinfo start
+sendprofile
+
+# Don't report the exitcode last command
+exit 0

config/rootfiles/oldcore/83/exclude

@@ -0,0 +1,20 @@
+boot/config.txt
+etc/collectd.custom
+etc/ipsec.conf
+etc/ipsec.secrets
+etc/ipsec.user.conf
+etc/ipsec.user.secrets
+etc/localtime
+etc/shadow
+etc/ssh/ssh_config
+etc/ssh/sshd_config
+etc/ssl/openssl.cnf
+etc/sudoers
+etc/sysconfig/firewall.local
+etc/sysconfig/rc.local
+etc/udev/rules.d/30-persistent-network.rules
+srv/web/ipfire/html/proxy.pac
+var/ipfire/ovpn
+var/log/cache
+var/state/dhcp/dhcpd.leases
+var/updatecache

config/rootfiles/oldcore/83/filelists/bash

@@ -0,0 +1 @@
+../../../common/bash

config/rootfiles/oldcore/83/filelists/squid

@@ -0,0 +1 @@
+../../../common/squid

config/rootfiles/oldcore/83/meta

@@ -0,0 +1 @@
+DEPS=""

config/rootfiles/packages/parted

@@ -10,11 +10,16 @@
 #usr/include/parted/parted.h
 #usr/include/parted/timer.h
 #usr/include/parted/unit.h
+#usr/lib/libparted-fs-resize.a
+#usr/lib/libparted-fs-resize.la
+#usr/lib/libparted-fs-resize.so
+usr/lib/libparted-fs-resize.so.0
+usr/lib/libparted-fs-resize.so.0.0.0
 #usr/lib/libparted.a
 #usr/lib/libparted.la
 #usr/lib/libparted.so
-usr/lib/libparted.so.0
-usr/lib/libparted.so.0.0.1
+usr/lib/libparted.so.2
+usr/lib/libparted.so.2.0.0
 #usr/lib/pkgconfig/libparted.pc
 usr/sbin/parted
 usr/sbin/partprobe
@@ -38,6 +43,8 @@ usr/sbin/partprobe
 #usr/share/locale/ru/LC_MESSAGES/parted.mo
 #usr/share/locale/rw/LC_MESSAGES/parted.mo
 #usr/share/locale/sk/LC_MESSAGES/parted.mo
+#usr/share/locale/sl/LC_MESSAGES/parted.mo
+#usr/share/locale/sr/LC_MESSAGES/parted.mo
 #usr/share/locale/sv/LC_MESSAGES/parted.mo
 #usr/share/locale/tr/LC_MESSAGES/parted.mo
 #usr/share/locale/uk/LC_MESSAGES/parted.mo