From 4b94860d07b5124e90711c802e87cce8547c3043 Mon Sep 17 00:00:00 2001 
From: Arne Fitzenreiter
Date: Mon, 14 Feb 2022 17:32:27 +0100
Subject: [PATCH 1/3] firewall: Revert strict martian check on loopback interface
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If the firewall is talking to itself using one of its private IP addresses (e.g. the primary green interface IP address), it will use the loopback interface. This is due to the local routing table which will be looked up first: [root@ipfire ~]# ip rule 0: from all lookup local 128: from all lookup 220 220: from all lookup 220 32765: from all lookup static 32766: from all lookup main 32767: from all lookup default It contains: [root@ipfire ~]# ip route show table local local 8x.1x.1x.1x dev ppp0 proto kernel scope host src 8x.1x.1x.1x local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1 local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1 broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1 local 192.168.x.1 dev green0 proto kernel scope host src 192.168.x.1 broadcast 192.168.x.255 dev green0 proto kernel scope link src 192.168.x.1 Any lookup for the green IP address will show this: local 192.168.x.1 dev lo table local src 192.168.x.1 uid 0 cache A test ping shows this in tcpdump: [root@ipfire ~]# tcpdump -i any icmp -nn tcpdump: data link type LINUX_SLL2 tcpdump: verbose output suppressed, use -v[v]...
for full protocol decode listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes 17:24:22.864293 lo In IP 127.0.0.1 > 127.0.0.1: ICMP echo request, id 10420, seq 1, length 64 17:24:22.864422 lo In IP 127.0.0.1 > 127.0.0.1: ICMP echo reply, id 10420, seq 1, length 64 17:24:29.162021 lo In IP 192.168.x.1 > 192.168.x.1: ICMP echo request, id 1555, seq 1, length 64 17:24:29.162201 lo In IP 192.168.x.1 > 192.168.x.1: ICMP echo reply, id 1555, seq 1, length 64 For this reason, we will have to accept any source and destination IP address on the loopback interface, which is what this patch does. We can however, continue to check whether we received any packets with the loopback address on any other interface. This regression was introduced in commit a36cd34e.

Fixes: #12776 - New spoofed or martian filter block
Signed-off-by: Arne Fitzenreiter
Signed-off-by: Michael Tremer
Reviewed-by: Peter Müller
Signed-off-by: Arne Fitzenreiter
---
 src/initscripts/system/firewall | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 48653ff57..fc355cd5d 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -200,14 +200,10 @@ iptables_init() {
 iptables -A INPUT -j ICMPINPUT
 iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT
- # Accept everything on loopback if source/destination is loopback space...
+ # Accept everything on loopback
 iptables -N LOOPBACK
- iptables -A LOOPBACK -i lo -s 127.0.0.0/8 -j ACCEPT
- iptables -A LOOPBACK -o lo -d 127.0.0.0/8 -j ACCEPT
-
- # ... and drop everything else on the loopback interface, since no other traffic should appear there
- iptables -A LOOPBACK -i lo -j SPOOFED_MARTIAN
- iptables -A LOOPBACK -o lo -j SPOOFED_MARTIAN
+ iptables -A LOOPBACK -i lo -j ACCEPT
+ iptables -A LOOPBACK -o lo -j ACCEPT
 # Filter all packets with loopback addresses on non-loopback interfaces (spoofed)
 iptables -A LOOPBACK -s 127.0.0.0/8 -j SPOOFED_MARTIAN
From 1217807d09933ed3760132498360d13d17b98155 Mon Sep 17 00:00:00 2001
From: Matthias Fischer
Date: Sat, 12 Feb 2022 18:16:20 +0100
Subject: [PATCH 2/3] squid: Update from 5.2 => 5.4.1
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

For details see: http://www.squid-cache.org/Versions/v5/changesets/SQUID_5_4_1.html This is 'squid 5.4.1', containing the previous patch for Bug #5055. Prior to this patch I reverted my previous patches 'squid: Update 5.2 => 5.4" and 'squid 5.4: Latest patch - Bug #5055 - from upstream' and marked them as 'superseded' in patchwork. For a better overview the 'squid-gcc11'-patch has been renamed again and moved to an own squid-patch-directory.

Signed-off-by: Matthias Fischer
Reviewed-by: Peter Müller
---
 lfs/squid | 7 ++++---
 .../{squid-gcc11.patch => squid/01_squid-gcc11.patch} | 0
 2 files changed, 4 insertions(+), 3 deletions(-)
 rename src/patches/{squid-gcc11.patch => squid/01_squid-gcc11.patch} (100%)

diff --git a/lfs/squid b/lfs/squid
index b25f594a9..4b723a8e1 100644
--- a/lfs/squid
+++ b/lfs/squid
@@ -24,7 +24,7 @@ include Config
-VER = 5.2
+VER = 5.4.1
 THISAPP = squid-$(VER)
 DL_FILE = $(THISAPP).tar.xz
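Review bot: In the src/initscripts/system/firewall hunk, the new comment `# Accept everything on loopback` no longer records why the 127.0.0.0/8 restriction had to go, so the rationale lives only in the commit message and a later cleanup could re-tighten the rules; suggest `# Accept everything on loopback: traffic to the firewall's own non-loopback addresses is routed via lo by the local table, so source/destination are not limited to 127.0.0.0/8`. The check for loopback addresses arriving on other interfaces is kept (`-s 127.0.0.0/8 -j SPOOFED_MARTIAN` is the last visible line); whether a matching `-d 127.0.0.0/8` rule follows it is outside the hunk, as is the rest of iptables_init().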
@@ -46,7 +46,7 @@ objects = $(DL_FILE)
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 102984f3ea382a1fa5bd917c2ee155ec
+$(DL_FILE)_MD5 = a6d55b34ee8d32052026db1db98f4d0d
 install : $(TARGET)
@@ -77,7 +77,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 @$(PREBUILD)
 @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar xaf $(DIR_DL)/$(DL_FILE)
- cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/squid-gcc11.patch
+ cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/squid/01_squid-gcc11.patch
+ cd $(DIR_APP) && autoreconf -vfi
 cd $(DIR_APP)/libltdl && autoreconf -vfi
diff --git a/src/patches/squid-gcc11.patch b/src/patches/squid/01_squid-gcc11.patch
similarity index 100%
rename from src/patches/squid-gcc11.patch
rename to src/patches/squid/01_squid-gcc11.patch
From 10148970eb431e8a1a99aaca67c531dc3b6f1492 Mon Sep 17 00:00:00 2001
From: Arne Fitzenreiter
Date: Thu, 17 Feb 2022 17:07:28 +0000
Subject: [PATCH 3/3] core164: fix adding additional optionfw settings

the old code erase the settings and cannot reinstalled.

Signed-off-by: Arne Fitzenreiter
---
 config/rootfiles/core/164/update.sh | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/config/rootfiles/core/164/update.sh b/config/rootfiles/core/164/update.sh
index a0650dbda..e6847359c 100644
--- a/config/rootfiles/core/164/update.sh
+++ b/config/rootfiles/core/164/update.sh
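Review bot: In the lfs/squid @@ -77 hunk, the added `cd $(DIR_APP) && autoreconf -vfi` is a new top-level build step that neither the commit message nor a comment explains, unlike the existing libltdl line it sits next to, so the next updater cannot tell whether it can be dropped; a one-line comment such as `# Regenerate the top-level build system after patching` would help, but the actual reason is not visible here and should be confirmed before writing it. As an aside, the `$(DL_FILE)_MD5` pin in the @@ -46 hunk follows the existing convention and only guards against accidental corruption of the tarball; if upstream publishes signatures or SHA-256 sums, a later change could verify those instead. The recipe continues outside the hunk.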
@@ -100,9 +100,13 @@ ldconfig
 # Run convert script for IDS multiple providers
 /usr/sbin/convert-ids-multiple-providers
-# Add missing configuration settings to optionsfw configuration
-echo "DROPHOSTILE=off" > /var/ipfire/optionsfw/settings
-echo "DROPSPOOFEDMARTIAN=on" > /var/ipfire/optionsfw/settings
+# Add configuration settings to optionsfw if they are missing
+if [ "$(grep "^DROPHOSTILE" /var/ipfire/optionsfw/settings)" == "" ]; then
+ echo "DROPHOSTILE=off" >> /var/ipfire/optionsfw/settings
+fi
+if [ "$(grep "^DROPSPOOFEDMARTIAN" /var/ipfire/optionsfw/settings)" == "" ]; then
+ echo "DROPSPOOFEDMARTIAN=on" >> /var/ipfire/optionsfw/settings
+fi
 # Apply sysctl changes
 /etc/init.d/sysctl start
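Review bot: In the config/rootfiles/core/164/update.sh hunk, the guard `if [ "$(grep "^DROPHOSTILE" /var/ipfire/optionsfw/settings)" == "" ]; then` captures grep's output only to compare it with the empty string, where grep's exit status already answers the question; `if ! grep -q "^DROPHOSTILE=" /var/ipfire/optionsfw/settings; then` (and `"^DROPSPOOFEDMARTIAN="` in the second block) is simpler and, by anchoring on the `=`, stops treating any other key that merely starts with that name as already present. `==` inside `[ ]` is a bash extension, so this relies on update.sh running under bash; the shebang is outside the hunk. If the settings file can exist without a trailing newline, `>>` would fuse the new key onto its last line — how that file is written is not visible here.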