From 4a0e9b63184ad7dc280299d6619fd91e91d0f895 Mon Sep 17 00:00:00 2001 From: Arne Fitzenreiter Date: Sat, 7 Mar 2015 10:17:17 +0100 Subject: [PATCH 01/17] initskripts: rootfile update. --- config/rootfiles/common/armv5tel/initscripts | 1 + config/rootfiles/common/i586/initscripts | 1 + 2 files changed, 2 insertions(+) mode change 100755 => 100644 config/rootfiles/common/armv5tel/initscripts mode change 100755 => 100644 config/rootfiles/common/i586/initscripts diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootfiles/common/armv5tel/initscripts old mode 100755 new mode 100644 index 53bc64f9a..52487669a --- a/config/rootfiles/common/armv5tel/initscripts +++ b/config/rootfiles/common/armv5tel/initscripts @@ -34,6 +34,7 @@ etc/rc.d/init.d/firstsetup etc/rc.d/init.d/functions #etc/rc.d/init.d/gnump3d etc/rc.d/init.d/halt +#etc/rc.d/init.d/haproxy #etc/rc.d/init.d/hostapd #etc/rc.d/init.d/imspector etc/rc.d/init.d/ipsec diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts old mode 100755 new mode 100644 index 7bab7c4f9..845ae504b --- a/config/rootfiles/common/i586/initscripts +++ b/config/rootfiles/common/i586/initscripts @@ -36,6 +36,7 @@ etc/rc.d/init.d/firstsetup etc/rc.d/init.d/functions #etc/rc.d/init.d/gnump3d etc/rc.d/init.d/halt +#etc/rc.d/init.d/haproxy #etc/rc.d/init.d/hostapd #etc/rc.d/init.d/imspector etc/rc.d/init.d/ipsec From 42c545b1f5848767251cffc9ffb6d29b3cd7a4c3 Mon Sep 17 00:00:00 2001 From: Arne Fitzenreiter Date: Sat, 7 Mar 2015 10:18:50 +0100 Subject: [PATCH 02/17] set version to 2.17-core88. --- make.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/make.sh b/make.sh index 7d41b591c..d04988815 100755 --- a/make.sh +++ b/make.sh 
@@ -25,8 +25,8 @@ NAME="IPFire" # Software name SNAME="ipfire" # Short name VERSION="2.17" # Version number -CORE="87" # Core Level (Filename) -PAKFIRE_CORE="87" # Core Level (PAKFIRE) +CORE="88" # Core Level (Filename) +PAKFIRE_CORE="88" # Core Level (PAKFIRE) GIT_BRANCH=`git rev-parse --abbrev-ref HEAD` # Git Branch SLOGAN="www.ipfire.org" # Software slogan CONFIG_ROOT=/var/ipfire # Configuration rootdir From a71beeb2342c5dcc3c99c5523e74c3914b9cbee9 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Tue, 10 Mar 2015 00:04:55 +0100 Subject: [PATCH 03/17] lang.pl: Always fall back to English Fixes #10769 --- config/cfgroot/lang.pl | 3 +++ config/rootfiles/core/88/filelists/files | 1 + 2 files changed, 4 insertions(+) diff --git a/config/cfgroot/lang.pl b/config/cfgroot/lang.pl index 3b001ad9d..c77e0a066 100644 --- a/config/cfgroot/lang.pl +++ b/config/cfgroot/lang.pl @@ -169,6 +169,9 @@ sub FindWebLanguage() { my ($language, $country) = split(/_/, $shortlang); push(@options, $language); + # Add English as fallback + push(@options, "en"); + foreach my $option (@options) { return $option if (-e "${General::swroot}/langs/$option.pl"); } diff --git a/config/rootfiles/core/88/filelists/files b/config/rootfiles/core/88/filelists/files index 0251b5d6b..fb7073ee4 100644 --- a/config/rootfiles/core/88/filelists/files +++ b/config/rootfiles/core/88/filelists/files @@ -4,3 +4,4 @@ srv/web/ipfire/cgi-bin/fwhosts.cgi srv/web/ipfire/cgi-bin/ovpnmain.cgi var/ipfire/backup/bin/backup.pl var/ipfire/langs +var/ipfire/lang.pl From 33bfe91f5b3a332f8a711d00de8f967243daf6c5 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Thu, 12 Mar 2015 12:55:05 +0100 Subject: [PATCH 04/17] Revert "openssl: Disable SSLv2 and SSLv3." This reverts commit 98a5192ef2f3cde9b9c6867f69f3a400f3c62ec5. --- lfs/crda | 1 - lfs/openssl | 2 -- .../crda-3.13-crypto_use_optional.patch | 22 ------------------- 3 files changed, 25 deletions(-) delete mode 100644 src/patches/crda-3.13-crypto_use_optional.patch 
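Review bot: In the lang.pl hunk, every entry of `@options` is interpolated into `"${General::swroot}/langs/$option.pl"` with no check on its shape, and the new `push(@options, "en");` does not change that for the earlier candidates. Where `$shortlang` comes from is outside the hunk; if it can be influenced by a request header or an editable settings file, constrain each candidate before the `-e` test with a pattern such as `next unless $option =~ /\A[a-z]{2,3}(?:_[A-Za-z]{2})?\z/;`. A short comment should also say what FindWebLanguage returns when not even `en.pl` exists, since the code after the loop is not visible here.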
diff --git a/lfs/crda b/lfs/crda index 2b1aff816..8bee2584b 100644 --- a/lfs/crda +++ b/lfs/crda @@ -71,7 +71,6 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/crda-3.13-crypto_use_optional.patch cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install @rm -rf $(DIR_APP) diff --git a/lfs/openssl b/lfs/openssl index 82f26bd25..eae2c6e53 100644 --- a/lfs/openssl +++ b/lfs/openssl @@ -105,8 +105,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) no-mdc2 \ no-rc5 \ no-srp \ - no-ssl2 \ - no-ssl3 \ $(CONFIGURE_ARGS) \ -DSSL_FORBID_ENULL \ -DHAVE_CRYPTODEV \ diff --git a/src/patches/crda-3.13-crypto_use_optional.patch b/src/patches/crda-3.13-crypto_use_optional.patch deleted file mode 100644 index 56ad6b768..000000000 --- a/src/patches/crda-3.13-crypto_use_optional.patch +++ /dev/null @@ -1,22 +0,0 @@ -Submitted By: hauke from OpenWRT -Date: 2009-04-17 -Initial Package Version: 1.0.2 -Origin: https://dev.openwrt.org/changeset/15405/trunk/package/crda/patches/101-make_crypto_use_optional.patch -Description: The patch was modified for version crda-3.13 by Erik Kapfer .. -This patch provides the following improvements: - * Crypto usage is optional. - -diff -Nur crda-3.13.orig/Makefile crda-3.13/Makefile ---- crda-3.13.orig/Makefile 2015-01-12 07:55:08.791183765 +0100 -+++ crda-3.13/Makefile 2015-01-12 07:56:35.437381029 +0100 -@@ -43,7 +43,9 @@ - - $(LIBREG): keys-ssl.c - --else -+endif -+ -+ifeq ($(USE_GCRYPT),1) - CFLAGS += -DUSE_GCRYPT - LDLIBS += -lgcrypt - From d0bd5afe1b27020b41d0e7e043578e313a0ebf39 Mon Sep 17 00:00:00 2001 
From: Michael Tremer Date: Thu, 12 Mar 2015 12:55:40 +0100 Subject: [PATCH 05/17] openssl: Disable SSLv3 and SSLv2 by default This patch will disable SSLv3 and SSLv2 by default but leaves the protocol compiled in into the library so that applications can use it when they still need it (e.g. sslscan). --- lfs/openssl | 1 + src/patches/openssl-disable-sslv2-sslv3.patch | 13 +++++++++++++ 2 files changed, 14 insertions(+) create mode 100644 src/patches/openssl-disable-sslv2-sslv3.patch diff --git a/lfs/openssl b/lfs/openssl index eae2c6e53..df068f3a7 100644 --- a/lfs/openssl +++ b/lfs/openssl @@ -86,6 +86,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.1e-cryptodev.patch cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.1e-fix_parallel_build-1.patch cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.1e-weak-ciphers.patch + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-disable-sslv2-sslv3.patch cd $(DIR_APP) && find crypto/ -name Makefile -exec \ sed 's/^ASFLAGS=/&-Wa,--noexecstack /' -i {} \; diff --git a/src/patches/openssl-disable-sslv2-sslv3.patch b/src/patches/openssl-disable-sslv2-sslv3.patch new file mode 100644 index 000000000..ebf542907 --- /dev/null +++ b/src/patches/openssl-disable-sslv2-sslv3.patch @@ -0,0 +1,13 @@ +diff -up openssl-1.0.1h/ssl/ssl_lib.c.v2v3 openssl-1.0.1h/ssl/ssl_lib.c +--- openssl-1.0.1h/ssl/ssl_lib.c.v2v3 2014-06-11 16:02:52.000000000 +0200 ++++ openssl-1.0.1h/ssl/ssl_lib.c 2014-06-30 14:18:04.290248080 +0200 +@@ -1875,6 +1875,9 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m + */ + ret->options |= SSL_OP_LEGACY_SERVER_CONNECT; + ++ /* Disable SSLv2 and SSLv3 by default (affects the SSLv23_method() only) */ ++ ret->options |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3; ++ + return(ret); + err: + SSLerr(SSL_F_SSL_CTX_NEW,ERR_R_MALLOC_FAILURE); From 6409aa7e549d236eedaeae35c84d5e9c1a10ff18 Mon Sep 17 00:00:00 2001 
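Review bot: The added `ret->options |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;` in SSL_CTX_new() sets only a default, and the patch's own comment says it affects SSLv23_method() only. Now that the preceding revert compiles both protocols back in, a service that selects a version-specific method or clears these options on its context can still negotiate SSLv2/SSLv3. The in-code comment could state this, e.g. `/* Default only: an application can re-enable these via SSL_CTX_clear_options() or a version-specific method */`, and the commit message should name which shipped services were checked. The same patch, generated against openssl-1.0.1h, is applied in lfs/openssl-compat later in this series to what appears to be a 0.9.8u tree, so confirm the hunk lands in SSL_CTX_new() there rather than applying with fuzz.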
From: Stefan Schantl Date: Sun, 7 Sep 2014 15:44:19 +0200 Subject: [PATCH 06/17] ddns.cgi: Add token handling for zzzz.io. --- html/cgi-bin/ddns.cgi | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/html/cgi-bin/ddns.cgi b/html/cgi-bin/ddns.cgi index ea3031936..044aa9718 100644 --- a/html/cgi-bin/ddns.cgi +++ b/html/cgi-bin/ddns.cgi @@ -667,7 +667,8 @@ sub GenerateDDNSConfigFile { my $use_token = 0; # Handle token based auth for various providers. - if ($provider ~~ ["dns.lightningwirelabs.com", "entrydns.net", "regfish.com", "spdns.de"] && $username eq "token") { + if ($provider ~~ ["dns.lightningwirelabs.com", "entrydns.net", "regfish.com", + "spdns.de", "zzzz.io"] && $username eq "token") { $use_token = 1; # Handle token auth for freedns.afraid.org and regfish.com. From 6f67121767baf299bb118da35dfe35732f98a9f7 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Thu, 12 Mar 2015 12:58:04 +0100 Subject: [PATCH 07/17] core88: Add ddns.cgi to updater --- config/rootfiles/core/88/filelists/files | 1 + 1 file changed, 1 insertion(+) diff --git a/config/rootfiles/core/88/filelists/files b/config/rootfiles/core/88/filelists/files index fb7073ee4..bc2efb327 100644 --- a/config/rootfiles/core/88/filelists/files +++ b/config/rootfiles/core/88/filelists/files @@ -1,5 +1,6 @@ etc/system-release etc/issue +srv/web/ipfire/cgi-bin/ddns.cgi srv/web/ipfire/cgi-bin/fwhosts.cgi srv/web/ipfire/cgi-bin/ovpnmain.cgi var/ipfire/backup/bin/backup.pl From de7abd2cd52e3751ac94d5d56ae9ff510311fc67 Mon Sep 17 00:00:00 2001 
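Review bot: The extended condition still uses the smartmatch operator, `$provider ~~ [...]`, which has been marked experimental since Perl 5.18 and deprecated in later releases; adding a provider is a good moment to replace it. A plain membership test behaves the same for these strings: `my %token_providers = map { $_ => 1 } ("dns.lightningwirelabs.com", "entrydns.net", "regfish.com", "spdns.de", "zzzz.io");` followed by `if ($token_providers{$provider} && $username eq "token") {`. This branch presumably decides how the stored credential is written to the generated config, so one named list is also easier to audit than an inline literal. GenerateDDNSConfigFile starts and ends outside the hunk.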
From: Michael Tremer Date: Tue, 10 Mar 2015 16:22:09 +0100 Subject: [PATCH 08/17] dnsmasq: Enable DNSSEC timestamp feature This disables DNSSEC until the system clock has been set correctly. There is a circular dependency on working DNS and being able to resolve DNS records in order to reach a time server. Systems without a RTC or empty RTC battery will start up with time way in the past in which all DNSSEC signatures are invalid. --- src/initscripts/init.d/dnsmasq | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/initscripts/init.d/dnsmasq b/src/initscripts/init.d/dnsmasq index 48b9d19d0..4e3792517 100644 --- a/src/initscripts/init.d/dnsmasq +++ b/src/initscripts/init.d/dnsmasq @@ -26,7 +26,7 @@ SHOW_SRV=1 TRUST_ANCHOR=".,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5" function dnssec_args() { - local cmdline="--dnssec" + local cmdline="--dnssec --dnssec-timestamp" if [ -n "${TRUST_ANCHOR}" ]; then cmdline="${cmdline} --trust-anchor=${TRUST_ANCHOR}" From e5f58910c522420511f793e84282343b2e6506a6 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Tue, 10 Mar 2015 16:21:58 +0100 Subject: [PATCH 09/17] dnsmasq: Import more patches from upstream --- lfs/dnsmasq | 2 + ...6-New-version-of-contrib-reverse-dns.patch | 194 +++++++++++++++++ ...estamp-code-to-create-file-later-rem.patch | 202 ++++++++++++++++++ 3 files changed, 398 insertions(+) create mode 100644 src/patches/dnsmasq/0056-New-version-of-contrib-reverse-dns.patch create mode 100644 src/patches/dnsmasq/0057-Tweak-DNSSEC-timestamp-code-to-create-file-later-rem.patch diff --git a/lfs/dnsmasq b/lfs/dnsmasq index c256f75b4..4bb7f9f0d 100644 --- a/lfs/dnsmasq +++ b/lfs/dnsmasq 
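Review bot: `--dnssec-timestamp` is added without a file path, while the man page text imported later in this series (man/dnsmasq.8 in patch 0057) speaks of the timestamp on "the specified file". If the option requires an argument, the `--trust-anchor=...` string appended a few lines below would be consumed as that path and the trust anchor would not be configured; check this by starting dnsmasq with the resulting command line. Consider `local cmdline="--dnssec --dnssec-timestamp=<TIMESTAMP_FILE>"`, replacing the placeholder with a path on persistent storage that only the dnsmasq user can write, because the file's mtime decides when signature time checks begin. dnssec_args continues outside the hunk.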
@@ -128,6 +128,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0053-Log-parsing-utils-in-contrib-reverse-dns.patch cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0054-Add-dnssec-timestamp-option-and-facility.patch cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0055-Fix-last-commit-to-not-crash-if-uid-changing-not-con.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0056-New-version-of-contrib-reverse-dns.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0057-Tweak-DNSSEC-timestamp-code-to-create-file-later-rem.patch cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch cd $(DIR_APP) && sed -i src/config.h \ -e 's|/\* #define HAVE_IDN \*/|#define HAVE_IDN|g' \ diff --git a/src/patches/dnsmasq/0056-New-version-of-contrib-reverse-dns.patch b/src/patches/dnsmasq/0056-New-version-of-contrib-reverse-dns.patch new file mode 100644 index 000000000..9a052152c --- /dev/null +++ b/src/patches/dnsmasq/0056-New-version-of-contrib-reverse-dns.patch 
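Review bot: Patch 0056 changes only contrib/reverse-dns, which the build lines visible here never reference, so applying it adds nothing unless contrib/ is installed; this is inferred, because the install step is outside the hunk. The new reverse_replace.sh builds shell commands from dnsmasq log lines and runs them through `eval $CMD` and `eval "$KEY"=$2`, so names from the query log reach the shell unquoted. Either drop 0056 from the series or add a comment above its line such as `# 0056 touches contrib/ only; contrib/reverse-dns must not be shipped (it evals log content)`. Patch 0057 creates the timestamp file with mode 0666 subject to the umask, so also confirm the init script's umask keeps that file from being writable by other users.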
@@ -0,0 +1,194 @@ +From 4c960fa90a975d20f75a1ecabd217247f1922c8f Mon Sep 17 00:00:00 2001 +From: Simon Kelley +Date: Wed, 4 Mar 2015 20:32:26 +0000 +Subject: [PATCH 56/57] New version of contrib/reverse-dns + +--- + contrib/reverse-dns/README | 22 +++--- + contrib/reverse-dns/reverse_replace.sh | 131 ++++++++++++++++++++++++++++----- + 2 files changed, 125 insertions(+), 28 deletions(-) + +diff --git a/contrib/reverse-dns/README b/contrib/reverse-dns/README +index f87eb77c4c22..2ec4df1f957e 100644 +--- a/contrib/reverse-dns/README ++++ b/contrib/reverse-dns/README +@@ -1,18 +1,18 @@ +-Hi. ++The script reads stdin and replaces all IP addresses with names before ++outputting it again. IPs from private networks are reverse looked up ++via dns. Other IP adresses are searched for in the dnsmasq query log. ++This gives names (CNAMEs if I understand DNS correctly) that are closer ++to the name the client originally asked for then the names obtained by ++reverse lookup. Just run + +-To translate my routers netstat-nat output into names that actually talk +-to me I have started writing to simple shell scripts. They require ++netstat -n -4 | ./reverse_replace.sh ++ ++to see what it does. It needs + + log-queries + log-facility=/var/log/dnsmasq.log + +-to be set. With +- +-netstat-nat -n -4 | reverse_replace.sh +- +-I get retranslated output. +- +-Sincerely, +-Joachim ++in the dnsmasq configuration. + ++The script runs on debian (with ash installed) and on busybox. 
+ +diff --git a/contrib/reverse-dns/reverse_replace.sh b/contrib/reverse-dns/reverse_replace.sh +index a11c164b7f19..5b4aebd71456 100644 +--- a/contrib/reverse-dns/reverse_replace.sh ++++ b/contrib/reverse-dns/reverse_replace.sh +@@ -1,28 +1,125 @@ +-#!/bin/bash +-# $Id: reverse_replace.sh 4 2015-02-17 20:14:59Z jo $ ++#!/bin/ash ++# $Id: reverse_replace.sh 18 2015-03-01 16:12:35Z jo $ + # + # Usage e.g.: netstat -n -4 | reverse_replace.sh + # Parses stdin for IP4 addresses and replaces them +-# with names retrieved by reverse_dns.sh ++# with names retrieved by parsing the dnsmasq log. ++# This currently only gives CNAMEs. But these ++# usually tell ou more than the mones from reverse ++# lookups. ++# ++# This has been tested on debian and asuswrt. Plese ++# report successful tests on other platforms. ++# ++# Author: Joachim Zobel ++# License: Consider this MIT style licensed. You can ++# do as you ike, but you must not remove my name. + # + +-DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) +-DNS=$DIR/reverse_dns.sh ++LOG=/var/log/dnsmasq.log ++MAX_LINES=15000 + +-# sed regex ++# sed regex do match IPs + IP_regex='[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' ++# private IP ranges ++IP_private='\(^127\.\)\|\(^192\.168\.\)\|\(^10\.\)\|\(^172\.1[6-9]\.\)\|\(^172\.2[0-9]\.\)\|\(^172\.3[0-1]\.\)' + +-while read LINE; do +- if grep --quiet $IP_regex <<< "$LINE"; then +- IPs=`sed "s#.*\b\($IP_regex\)\b.*#\1 #g" <<< "$LINE"` +- IPs=($IPs) +- for IP in "${IPs[@]}" +- do +- NAME=`$DNS $IP` +- # echo "$NAME is $IP"; +- LINE="${LINE/$IP/$NAME}" +- done ++####################################################################### ++# Find Commands ++ ++HOST=nslookup ++if type host > /dev/null 2>&1; then ++ # echo "No need for nslookup, host is there" ++ HOST=host ++fi ++ ++####################################################################### ++# Functions ++ ++# Use shell variables for an (IP) lookup table ++create_lookup_table() ++{ ++ # Parse log into lookup 
table ++ local CMDS="$( tail -"$MAX_LINES" "$LOG" | \ ++ grep " is $IP_regex" | \ ++ sed "s#.* \([^ ]*\) is \($IP_regex\).*#set_val \2 \1;#" )" ++ ++ local IFS=' ++' ++ for CMD in $CMDS ++ do ++ eval $CMD ++ done ++} ++ ++set_val() ++{ ++ local _IP=$(echo $1 | tr . _) ++ local KEY="__IP__$_IP" ++ eval "$KEY"=$2 ++} ++ ++get_val() ++{ ++ local _IP=$(echo $1 | tr . _) ++ local KEY="__IP__$_IP" ++ eval echo -n '${'"$KEY"'}' ++} ++ ++dns_lookup() ++{ ++ local IP=$1 ++ ++ local RTN="$($HOST $IP | \ ++ sed 's#\s\+#\n#g' | \ ++ grep -v '^$' | \ ++ tail -1 | tr -d '\n' | \ ++ sed 's#\.$##')" ++ if echo $RTN | grep -q NXDOMAIN; then ++ echo -n $IP ++ else ++ echo -n "$RTN" ++ fi ++} ++ ++reverse_dns() ++{ ++ local IP=$1 ++ ++ # Skip if it is not an IP ++ if ! echo $IP | grep -q "^$IP_regex$"; then ++ echo -n $IP ++ return ++ fi ++ ++ # Do a dns lookup, if it is a local IP ++ if echo $IP | grep -q $IP_private; then ++ dns_lookup $IP ++ return + fi ++ ++ local NAME="$(get_val $IP)" ++ ++ if [ -z "$NAME" ]; then ++ echo -n $IP ++ else ++ echo -n $NAME ++ fi ++} ++ ++####################################################################### ++# Main ++create_lookup_table ++ ++while read LINE; do ++ for IP in $(echo "$LINE" | \ ++ sed "s#\b\($IP_regex\)\b#\n\1\n#g" | \ ++ grep $IP_regex) ++ do ++ NAME=`reverse_dns $IP ` ++ # echo "$NAME $IP" ++ LINE=`echo "$LINE" | sed "s#$IP#$NAME#" ` ++ done + echo $LINE +-done < /dev/stdin ++done + +-- +2.1.0 + diff --git a/src/patches/dnsmasq/0057-Tweak-DNSSEC-timestamp-code-to-create-file-later-rem.patch b/src/patches/dnsmasq/0057-Tweak-DNSSEC-timestamp-code-to-create-file-later-rem.patch new file mode 100644 index 000000000..df47cd0e3 --- /dev/null +++ b/src/patches/dnsmasq/0057-Tweak-DNSSEC-timestamp-code-to-create-file-later-rem.patch 
@@ -0,0 +1,202 @@ +From 360f2513ab12a9bf1e262d388dd2ea8a566590a3 Mon Sep 17 00:00:00 2001 +From: Simon Kelley +Date: Sat, 7 Mar 2015 18:28:06 +0000 +Subject: [PATCH 57/57] Tweak DNSSEC timestamp code to create file later, + removing need to chown it. + +--- + man/dnsmasq.8 | 3 ++- + src/dnsmasq.c | 35 ++++++++++++++++++++++------------- + src/dnsmasq.h | 3 ++- + src/dnssec.c | 18 ++++++++++-------- + 4 files changed, 36 insertions(+), 23 deletions(-) + +diff --git a/man/dnsmasq.8 b/man/dnsmasq.8 +index 097e7d75145c..2db780d90987 100644 +--- a/man/dnsmasq.8 ++++ b/man/dnsmasq.8 +@@ -678,7 +678,8 @@ which have not been throughly checked. + Enables an alternative way of checking the validity of the system time for DNSSEC (see --dnssec-no-timecheck). In this case, the + system time is considered to be valid once it becomes later than the timestamp on the specified file. The file is created and + its timestamp set automatically by dnsmasq. The file must be stored on a persistent filesystem, so that it and its mtime are carried +-over system restarts. ++over system restarts. The timestamp file is created after dnsmasq has dropped root, so it must be in a location writable by the ++unprivileged user that dnsmasq runs as. + .TP + .B --proxy-dnssec + Copy the DNSSEC Authenticated Data bit from upstream servers to downstream clients and cache it. 
This is an +diff --git a/src/dnsmasq.c b/src/dnsmasq.c +index 9e05c0e31569..f3e5bcffec4f 100644 +--- a/src/dnsmasq.c ++++ b/src/dnsmasq.c +@@ -58,9 +58,6 @@ int main (int argc, char **argv) + struct dhcp_context *context; + struct dhcp_relay *relay; + #endif +-#ifdef HAVE_DNSSEC +- int badtime; +-#endif + + #ifdef LOCALEDIR + setlocale(LC_ALL, ""); +@@ -156,10 +153,10 @@ int main (int argc, char **argv) + { + #ifdef HAVE_DNSSEC + if (!daemon->ds) +- die(_("No trust anchors provided for DNSSEC"), NULL, EC_BADCONF); ++ die(_("no trust anchors provided for DNSSEC"), NULL, EC_BADCONF); + + if (daemon->cachesize < CACHESIZ) +- die(_("Cannot reduce cache size from default when DNSSEC enabled"), NULL, EC_BADCONF); ++ die(_("cannot reduce cache size from default when DNSSEC enabled"), NULL, EC_BADCONF); + #else + die(_("DNSSEC not available: set HAVE_DNSSEC in src/config.h"), NULL, EC_BADCONF); + #endif +@@ -172,10 +169,10 @@ int main (int argc, char **argv) + + #ifdef HAVE_CONNTRACK + if (option_bool(OPT_CONNTRACK) && (daemon->query_port != 0 || daemon->osport)) +- die (_("Cannot use --conntrack AND --query-port"), NULL, EC_BADCONF); ++ die (_("cannot use --conntrack AND --query-port"), NULL, EC_BADCONF); + #else + if (option_bool(OPT_CONNTRACK)) +- die(_("Conntrack support not available: set HAVE_CONNTRACK in src/config.h"), NULL, EC_BADCONF); ++ die(_("conntrack support not available: set HAVE_CONNTRACK in src/config.h"), NULL, EC_BADCONF); + #endif + + #ifdef HAVE_SOLARIS_NETWORK +@@ -195,7 +192,7 @@ int main (int argc, char **argv) + + #ifndef HAVE_LOOP + if (option_bool(OPT_LOOP_DETECT)) +- die(_("Loop detection not available: set HAVE_LOOP in src/config.h"), NULL, EC_BADCONF); ++ die(_("loop detection not available: set HAVE_LOOP in src/config.h"), NULL, EC_BADCONF); + #endif + + now = dnsmasq_time(); +@@ -373,10 +370,6 @@ int main (int argc, char **argv) + if (baduser) + die(_("unknown user or group: %s"), baduser, EC_BADCONF); + +-#ifdef HAVE_DNSSEC +- badtime = 
setup_timestamp(ent_pw); +-#endif +- + /* implement group defaults, "dip" if available, or group associated with uid */ + if (!daemon->group_set && !gp) + { +@@ -693,10 +686,23 @@ int main (int argc, char **argv) + #ifdef HAVE_DNSSEC + if (option_bool(OPT_DNSSEC_VALID)) + { ++ int rc; ++ ++ /* Delay creating the timestamp file until here, after we've changed user, so that ++ it has the correct owner to allow updating the mtime later. ++ This means we have to report fatal errors via the pipe. */ ++ if ((rc = setup_timestamp()) == -1) ++ { ++ send_event(err_pipe[1], EVENT_TIME_ERR, errno, daemon->timestamp_file); ++ _exit(0); ++ } ++ + my_syslog(LOG_INFO, _("DNSSEC validation enabled")); ++ + if (option_bool(OPT_DNSSEC_TIME)) + my_syslog(LOG_INFO, _("DNSSEC signature timestamps not checked until first cache reload")); +- if (badtime) ++ ++ if (rc == 1) + my_syslog(LOG_INFO, _("DNSSEC signature timestamps not checked until system time valid")); + } + #endif +@@ -1170,6 +1176,9 @@ static void fatal_event(struct event_desc *ev, char *msg) + + case EVENT_TFTP_ERR: + die(_("TFTP directory %s inaccessible: %s"), msg, EC_FILE); ++ ++ case EVENT_TIME_ERR: ++ die(_("cannot create timestamp file %s: %s" ), msg, EC_BADCONF); + } + } + +diff --git a/src/dnsmasq.h b/src/dnsmasq.h +index a451cb4dd03c..fc7259881358 100644 +--- a/src/dnsmasq.h ++++ b/src/dnsmasq.h +@@ -167,6 +167,7 @@ struct event_desc { + #define EVENT_INIT 21 + #define EVENT_NEWADDR 22 + #define EVENT_NEWROUTE 23 ++#define EVENT_TIME_ERR 24 + + /* Exit codes. 
*/ + #define EC_GOOD 0 +@@ -1152,7 +1153,7 @@ int dnssec_chase_cname(time_t now, struct dns_header *header, size_t plen, char + int dnskey_keytag(int alg, int flags, unsigned char *rdata, int rdlen); + size_t filter_rrsigs(struct dns_header *header, size_t plen); + unsigned char* hash_questions(struct dns_header *header, size_t plen, char *name); +-int setup_timestamp(struct passwd *ent_pw); ++int setup_timestamp(void); + + /* util.c */ + void rand_init(void); +diff --git a/src/dnssec.c b/src/dnssec.c +index c60eacf73c6b..ad0d6f072ba2 100644 +--- a/src/dnssec.c ++++ b/src/dnssec.c +@@ -397,18 +397,21 @@ static int serial_compare_32(unsigned long s1, unsigned long s2) + + /* Called at startup. If the timestamp file is configured and exists, put its mtime on + timestamp_time. If it doesn't exist, create it, and set the mtime to 1-1-2015. +- Change the ownership to the user we'll be running as, so that we can update the mtime. ++ return -1 -> Cannot create file. ++ 0 -> not using timestamp, or timestamp exists and is in past. ++ 1 -> timestamp exists and is in future. + */ ++ + static time_t timestamp_time; + static int back_to_the_future; + +-int setup_timestamp(struct passwd *ent_pw) ++int setup_timestamp(void) + { + struct stat statbuf; + + back_to_the_future = 0; + +- if (!option_bool(OPT_DNSSEC_VALID) || !daemon->timestamp_file) ++ if (!daemon->timestamp_file) + return 0; + + if (stat(daemon->timestamp_file, &statbuf) != -1) +@@ -428,7 +431,8 @@ int setup_timestamp(struct passwd *ent_pw) + + if (errno == ENOENT) + { +- int fd = open(daemon->timestamp_file, O_WRONLY | O_CREAT | O_NONBLOCK, 0666); ++ /* NB. 
for explanation of O_EXCL flag, see comment on pidfile in dnsmasq.c */ ++ int fd = open(daemon->timestamp_file, O_WRONLY | O_CREAT | O_NONBLOCK | O_EXCL, 0666); + if (fd != -1) + { + struct utimbuf timbuf; +@@ -436,14 +440,12 @@ int setup_timestamp(struct passwd *ent_pw) + close(fd); + + timestamp_time = timbuf.actime = timbuf.modtime = 1420070400; /* 1-1-2015 */ +- if (utime(daemon->timestamp_file, &timbuf) == 0 && +- (!ent_pw || getuid() != 0 || chown(daemon->timestamp_file, ent_pw->pw_uid, -1) == 0)) ++ if (utime(daemon->timestamp_file, &timbuf) == 0) + goto check_and_exit; + } + } + +- die(_("Cannot create timestamp file %s: %s" ), daemon->timestamp_file, EC_BADCONF); +- return 0; ++ return -1; + } + + /* Check whether today/now is between date_start and date_end */ +-- +2.1.0 + From 9029c9d056e2251b6c1130b2b3a8f0e5a77bff40 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Thu, 12 Mar 2015 13:07:44 +0100 Subject: [PATCH 10/17] Add more missing files of Core Update 88 --- config/rootfiles/core/88/filelists/files | 10 ++++++++++ config/rootfiles/core/88/filelists/strongswan | 1 + config/rootfiles/core/88/filelists/tzdata | 1 + 3 files changed, 12 insertions(+) create mode 120000 config/rootfiles/core/88/filelists/strongswan create mode 120000 config/rootfiles/core/88/filelists/tzdata diff --git a/config/rootfiles/core/88/filelists/files b/config/rootfiles/core/88/filelists/files index bc2efb327..5ed719449 100644 --- a/config/rootfiles/core/88/filelists/files +++ b/config/rootfiles/core/88/filelists/files 
@@ -1,8 +1,18 @@ etc/system-release etc/issue +etc/collectd.conf +etc/collectd.vpn +etc/rc.d/init.d/dnsmasq srv/web/ipfire/cgi-bin/ddns.cgi +srv/web/ipfire/cgi-bin/firewall.cgi srv/web/ipfire/cgi-bin/fwhosts.cgi +srv/web/ipfire/cgi-bin/ids.cgi +srv/web/ipfire/cgi-bin/netovpnrw.cgi +srv/web/ipfire/cgi-bin/netovpnsrv.cgi srv/web/ipfire/cgi-bin/ovpnmain.cgi +srv/web/ipfire/cgi-bin/vpnmain.cgi var/ipfire/backup/bin/backup.pl +var/ipfire/graphs.pl var/ipfire/langs var/ipfire/lang.pl +var/ipfire/menu.d/20-status.menu diff --git a/config/rootfiles/core/88/filelists/strongswan b/config/rootfiles/core/88/filelists/strongswan new file mode 120000 index 000000000..90c727e26 --- /dev/null +++ b/config/rootfiles/core/88/filelists/strongswan @@ -0,0 +1 @@ +../../../common/strongswan \ No newline at end of file diff --git a/config/rootfiles/core/88/filelists/tzdata b/config/rootfiles/core/88/filelists/tzdata new file mode 120000 index 000000000..5a6e3252f --- /dev/null +++ b/config/rootfiles/core/88/filelists/tzdata @@ -0,0 +1 @@ +../../../common/tzdata \ No newline at end of file From 3b90253598c5ceea9f4c92e1b363a72d9424c7b8 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Thu, 12 Mar 2015 13:14:26 +0100 Subject: [PATCH 11/17] openssl-compat: Disable SSLv3 and SSLv2 as well --- config/rootfiles/core/88/filelists/openssh | 1 + config/rootfiles/core/88/filelists/openssl | 1 + config/rootfiles/core/88/filelists/openssl-compat | 1 + lfs/openssl-compat | 1 + 4 files changed, 4 insertions(+) create mode 120000 config/rootfiles/core/88/filelists/openssh create mode 120000 config/rootfiles/core/88/filelists/openssl create mode 120000 config/rootfiles/core/88/filelists/openssl-compat diff --git a/config/rootfiles/core/88/filelists/openssh b/config/rootfiles/core/88/filelists/openssh new file mode 120000 index 000000000..d8c77fd8e --- /dev/null +++ b/config/rootfiles/core/88/filelists/openssh @@ -0,0 +1 @@ +../../../common/openssh \ No newline at end of file 
diff --git a/config/rootfiles/core/88/filelists/openssl b/config/rootfiles/core/88/filelists/openssl new file mode 120000 index 000000000..e011a9266 --- /dev/null +++ b/config/rootfiles/core/88/filelists/openssl @@ -0,0 +1 @@ +../../../common/openssl \ No newline at end of file diff --git a/config/rootfiles/core/88/filelists/openssl-compat b/config/rootfiles/core/88/filelists/openssl-compat new file mode 120000 index 000000000..c9fa42132 --- /dev/null +++ b/config/rootfiles/core/88/filelists/openssl-compat @@ -0,0 +1 @@ +../../../common/openssl-compat \ No newline at end of file diff --git a/lfs/openssl-compat b/lfs/openssl-compat index 52a8e9113..8e22a348a 100644 --- a/lfs/openssl-compat +++ b/lfs/openssl-compat @@ -72,6 +72,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-0.9.8u-cryptodev.patch + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-disable-sslv2-sslv3.patch cd $(DIR_APP) && sed -i -e 's/mcpu/march/' config cd $(DIR_APP) && sed -i -e 's/-O3/-O2/' -e 's/-march=i486/-march=i586/' Configure From 3d53eb68afe9b9a1feffdd7e68af21767461ee48 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Thu, 12 Mar 2015 13:25:29 +0100 Subject: [PATCH 12/17] core88: Add collectd to updater --- config/rootfiles/core/88/filelists/collectd | 1 + 1 file changed, 1 insertion(+) create mode 120000 config/rootfiles/core/88/filelists/collectd diff --git a/config/rootfiles/core/88/filelists/collectd b/config/rootfiles/core/88/filelists/collectd new file mode 120000 index 000000000..871b32f14 --- /dev/null +++ b/config/rootfiles/core/88/filelists/collectd @@ -0,0 +1 @@ +../../../common/collectd \ No newline at end of file From 20aa2ca56261c2a39c995af2cb824fc9bdc76fb1 Mon Sep 17 00:00:00 2001 
From: Arne Fitzenreiter Date: Tue, 17 Mar 2015 13:50:38 +0100 Subject: [PATCH 13/17] move core88 to 89. --- config/rootfiles/core/{88 => 89}/exclude | 0 config/rootfiles/core/{88 => 89}/filelists/collectd | 0 config/rootfiles/core/{88 => 89}/filelists/daq | 0 config/rootfiles/core/{88 => 89}/filelists/ddns | 0 config/rootfiles/core/{88 => 89}/filelists/dnsmasq | 0 config/rootfiles/core/{88 => 89}/filelists/ethtool | 0 config/rootfiles/core/{88 => 89}/filelists/fcron | 0 config/rootfiles/core/{88 => 89}/filelists/file | 0 config/rootfiles/core/{88 => 89}/filelists/files | 0 config/rootfiles/core/{88 => 89}/filelists/gnupg | 0 config/rootfiles/core/{88 => 89}/filelists/grep | 0 config/rootfiles/core/{88 => 89}/filelists/hdparm | 0 config/rootfiles/core/{88 => 89}/filelists/libart | 0 config/rootfiles/core/{88 => 89}/filelists/libcap | 0 config/rootfiles/core/{88 => 89}/filelists/libffi | 0 config/rootfiles/core/{88 => 89}/filelists/libpcap | 0 config/rootfiles/core/{88 => 89}/filelists/openssh | 0 config/rootfiles/core/{88 => 89}/filelists/openssl | 0 config/rootfiles/core/{88 => 89}/filelists/openssl-compat | 0 config/rootfiles/core/{88 => 89}/filelists/pcre | 0 config/rootfiles/core/{88 => 89}/filelists/screen | 0 config/rootfiles/core/{88 => 89}/filelists/smartmontools | 0 config/rootfiles/core/{88 => 89}/filelists/snort | 0 config/rootfiles/core/{88 => 89}/filelists/sqlite | 0 config/rootfiles/core/{88 => 89}/filelists/squid | 0 config/rootfiles/core/{88 => 89}/filelists/strongswan | 0 config/rootfiles/core/{88 => 89}/filelists/tar | 0 config/rootfiles/core/{88 => 89}/filelists/tzdata | 0 config/rootfiles/core/{88 => 89}/filelists/wget | 0 config/rootfiles/core/{88 => 89}/filelists/zlib | 0 config/rootfiles/core/{88 => 89}/meta | 0 config/rootfiles/core/{88 => 89}/update.sh | 2 +- 32 files changed, 1 insertion(+), 1 deletion(-) rename config/rootfiles/core/{88 => 89}/exclude (100%) rename config/rootfiles/core/{88 => 89}/filelists/collectd (100%) rename 
config/rootfiles/core/{88 => 89}/filelists/daq (100%) rename config/rootfiles/core/{88 => 89}/filelists/ddns (100%) rename config/rootfiles/core/{88 => 89}/filelists/dnsmasq (100%) rename config/rootfiles/core/{88 => 89}/filelists/ethtool (100%) rename config/rootfiles/core/{88 => 89}/filelists/fcron (100%) rename config/rootfiles/core/{88 => 89}/filelists/file (100%) rename config/rootfiles/core/{88 => 89}/filelists/files (100%) rename config/rootfiles/core/{88 => 89}/filelists/gnupg (100%) rename config/rootfiles/core/{88 => 89}/filelists/grep (100%) rename config/rootfiles/core/{88 => 89}/filelists/hdparm (100%) rename config/rootfiles/core/{88 => 89}/filelists/libart (100%) rename config/rootfiles/core/{88 => 89}/filelists/libcap (100%) rename config/rootfiles/core/{88 => 89}/filelists/libffi (100%) rename config/rootfiles/core/{88 => 89}/filelists/libpcap (100%) rename config/rootfiles/core/{88 => 89}/filelists/openssh (100%) rename config/rootfiles/core/{88 => 89}/filelists/openssl (100%) rename config/rootfiles/core/{88 => 89}/filelists/openssl-compat (100%) rename config/rootfiles/core/{88 => 89}/filelists/pcre (100%) rename config/rootfiles/core/{88 => 89}/filelists/screen (100%) rename config/rootfiles/core/{88 => 89}/filelists/smartmontools (100%) rename config/rootfiles/core/{88 => 89}/filelists/snort (100%) rename config/rootfiles/core/{88 => 89}/filelists/sqlite (100%) rename config/rootfiles/core/{88 => 89}/filelists/squid (100%) rename config/rootfiles/core/{88 => 89}/filelists/strongswan (100%) rename config/rootfiles/core/{88 => 89}/filelists/tar (100%) rename config/rootfiles/core/{88 => 89}/filelists/tzdata (100%) rename config/rootfiles/core/{88 => 89}/filelists/wget (100%) rename config/rootfiles/core/{88 => 89}/filelists/zlib (100%) rename config/rootfiles/core/{88 => 89}/meta (100%) rename config/rootfiles/core/{88 => 89}/update.sh (99%) 
diff --git a/config/rootfiles/core/88/exclude b/config/rootfiles/core/89/exclude similarity index 100% rename from config/rootfiles/core/88/exclude rename to config/rootfiles/core/89/exclude diff --git a/config/rootfiles/core/88/filelists/collectd b/config/rootfiles/core/89/filelists/collectd similarity index 100% rename from config/rootfiles/core/88/filelists/collectd rename to config/rootfiles/core/89/filelists/collectd diff --git a/config/rootfiles/core/88/filelists/daq b/config/rootfiles/core/89/filelists/daq similarity index 100% rename from config/rootfiles/core/88/filelists/daq rename to config/rootfiles/core/89/filelists/daq diff --git a/config/rootfiles/core/88/filelists/ddns b/config/rootfiles/core/89/filelists/ddns similarity index 100% rename from config/rootfiles/core/88/filelists/ddns rename to config/rootfiles/core/89/filelists/ddns diff --git a/config/rootfiles/core/88/filelists/dnsmasq b/config/rootfiles/core/89/filelists/dnsmasq similarity index 100% rename from config/rootfiles/core/88/filelists/dnsmasq rename to config/rootfiles/core/89/filelists/dnsmasq diff --git a/config/rootfiles/core/88/filelists/ethtool b/config/rootfiles/core/89/filelists/ethtool similarity index 100% rename from config/rootfiles/core/88/filelists/ethtool rename to config/rootfiles/core/89/filelists/ethtool diff --git a/config/rootfiles/core/88/filelists/fcron b/config/rootfiles/core/89/filelists/fcron similarity index 100% rename from config/rootfiles/core/88/filelists/fcron rename to config/rootfiles/core/89/filelists/fcron diff --git a/config/rootfiles/core/88/filelists/file b/config/rootfiles/core/89/filelists/file similarity index 100% rename from config/rootfiles/core/88/filelists/file rename to config/rootfiles/core/89/filelists/file diff --git a/config/rootfiles/core/88/filelists/files b/config/rootfiles/core/89/filelists/files similarity index 100% rename from config/rootfiles/core/88/filelists/files rename to config/rootfiles/core/89/filelists/files 
diff --git a/config/rootfiles/core/88/filelists/gnupg b/config/rootfiles/core/89/filelists/gnupg similarity index 100% rename from config/rootfiles/core/88/filelists/gnupg rename to config/rootfiles/core/89/filelists/gnupg diff --git a/config/rootfiles/core/88/filelists/grep b/config/rootfiles/core/89/filelists/grep similarity index 100% rename from config/rootfiles/core/88/filelists/grep rename to config/rootfiles/core/89/filelists/grep diff --git a/config/rootfiles/core/88/filelists/hdparm b/config/rootfiles/core/89/filelists/hdparm similarity index 100% rename from config/rootfiles/core/88/filelists/hdparm rename to config/rootfiles/core/89/filelists/hdparm diff --git a/config/rootfiles/core/88/filelists/libart b/config/rootfiles/core/89/filelists/libart similarity index 100% rename from config/rootfiles/core/88/filelists/libart rename to config/rootfiles/core/89/filelists/libart diff --git a/config/rootfiles/core/88/filelists/libcap b/config/rootfiles/core/89/filelists/libcap similarity index 100% rename from config/rootfiles/core/88/filelists/libcap rename to config/rootfiles/core/89/filelists/libcap diff --git a/config/rootfiles/core/88/filelists/libffi b/config/rootfiles/core/89/filelists/libffi similarity index 100% rename from config/rootfiles/core/88/filelists/libffi rename to config/rootfiles/core/89/filelists/libffi diff --git a/config/rootfiles/core/88/filelists/libpcap b/config/rootfiles/core/89/filelists/libpcap similarity index 100% rename from config/rootfiles/core/88/filelists/libpcap rename to config/rootfiles/core/89/filelists/libpcap diff --git a/config/rootfiles/core/88/filelists/openssh b/config/rootfiles/core/89/filelists/openssh similarity index 100% rename from config/rootfiles/core/88/filelists/openssh rename to config/rootfiles/core/89/filelists/openssh 
diff --git a/config/rootfiles/core/88/filelists/openssl b/config/rootfiles/core/89/filelists/openssl similarity index 100% rename from config/rootfiles/core/88/filelists/openssl rename to config/rootfiles/core/89/filelists/openssl diff --git a/config/rootfiles/core/88/filelists/openssl-compat b/config/rootfiles/core/89/filelists/openssl-compat similarity index 100% rename from config/rootfiles/core/88/filelists/openssl-compat rename to config/rootfiles/core/89/filelists/openssl-compat diff --git a/config/rootfiles/core/88/filelists/pcre b/config/rootfiles/core/89/filelists/pcre similarity index 100% rename from config/rootfiles/core/88/filelists/pcre rename to config/rootfiles/core/89/filelists/pcre diff --git a/config/rootfiles/core/88/filelists/screen b/config/rootfiles/core/89/filelists/screen similarity index 100% rename from config/rootfiles/core/88/filelists/screen rename to config/rootfiles/core/89/filelists/screen diff --git a/config/rootfiles/core/88/filelists/smartmontools b/config/rootfiles/core/89/filelists/smartmontools similarity index 100% rename from config/rootfiles/core/88/filelists/smartmontools rename to config/rootfiles/core/89/filelists/smartmontools diff --git a/config/rootfiles/core/88/filelists/snort b/config/rootfiles/core/89/filelists/snort similarity index 100% rename from config/rootfiles/core/88/filelists/snort rename to config/rootfiles/core/89/filelists/snort diff --git a/config/rootfiles/core/88/filelists/sqlite b/config/rootfiles/core/89/filelists/sqlite similarity index 100% rename from config/rootfiles/core/88/filelists/sqlite rename to config/rootfiles/core/89/filelists/sqlite diff --git a/config/rootfiles/core/88/filelists/squid b/config/rootfiles/core/89/filelists/squid similarity index 100% rename from config/rootfiles/core/88/filelists/squid rename to config/rootfiles/core/89/filelists/squid 
diff --git a/config/rootfiles/core/88/filelists/strongswan b/config/rootfiles/core/89/filelists/strongswan similarity index 100% rename from config/rootfiles/core/88/filelists/strongswan rename to config/rootfiles/core/89/filelists/strongswan diff --git a/config/rootfiles/core/88/filelists/tar b/config/rootfiles/core/89/filelists/tar similarity index 100% rename from config/rootfiles/core/88/filelists/tar rename to config/rootfiles/core/89/filelists/tar diff --git a/config/rootfiles/core/88/filelists/tzdata b/config/rootfiles/core/89/filelists/tzdata similarity index 100% rename from config/rootfiles/core/88/filelists/tzdata rename to config/rootfiles/core/89/filelists/tzdata diff --git a/config/rootfiles/core/88/filelists/wget b/config/rootfiles/core/89/filelists/wget similarity index 100% rename from config/rootfiles/core/88/filelists/wget rename to config/rootfiles/core/89/filelists/wget diff --git a/config/rootfiles/core/88/filelists/zlib b/config/rootfiles/core/89/filelists/zlib similarity index 100% rename from config/rootfiles/core/88/filelists/zlib rename to config/rootfiles/core/89/filelists/zlib diff --git a/config/rootfiles/core/88/meta b/config/rootfiles/core/89/meta similarity index 100% rename from config/rootfiles/core/88/meta rename to config/rootfiles/core/89/meta diff --git a/config/rootfiles/core/88/update.sh b/config/rootfiles/core/89/update.sh similarity index 99% rename from config/rootfiles/core/88/update.sh rename to config/rootfiles/core/89/update.sh index 18dd9af52..dc115bbb9 100644 --- a/config/rootfiles/core/88/update.sh +++ b/config/rootfiles/core/89/update.sh @@ -25,7 +25,7 @@ /usr/local/bin/backupctrl exclude >/dev/null 2>&1 # Remove old core updates from pakfire cache to save space... -core=88 +core=89 for (( i=1; i<=$core; i++ )) do rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire From 3e0982277a6a69048ab2e1eaf029a4b610c0c31d Mon Sep 17 00:00:00 2001 
From: Arne Fitzenreiter Date: Tue, 17 Mar 2015 13:54:19 +0100 Subject: [PATCH 14/17] core89: remove all sqlite meta-data files. --- config/rootfiles/core/89/update.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/rootfiles/core/89/update.sh b/config/rootfiles/core/89/update.sh index dc115bbb9..5c18401aa 100644 --- a/config/rootfiles/core/89/update.sh +++ b/config/rootfiles/core/89/update.sh @@ -43,9 +43,9 @@ extract_files # Update Language cache perl -e "require '/var/ipfire/lang.pl'; &Lang::BuildCacheLang" -# Uninstall the sqlite package. +# Prevent uninstall sqlite (now common package). rm -f \ - /opt/pakfire/db/installed/meta-sqlite \ + /opt/pakfire/db/*/meta-sqlite \ /opt/pakfire/db/rootfiles/sqlite # Fix #10625 From 22ecf3100a1cefd3e07f34ba400c7b2e254866fe Mon Sep 17 00:00:00 2001 From: Arne Fitzenreiter Date: Tue, 17 Mar 2015 13:56:51 +0100 Subject: [PATCH 15/17] core89: add changed packages to updater. --- config/rootfiles/core/89/filelists/fuse | 1 + config/rootfiles/core/89/filelists/ntfs-3g | 1 + config/rootfiles/core/89/filelists/setup | 1 + 3 files changed, 3 insertions(+) create mode 120000 config/rootfiles/core/89/filelists/fuse create mode 120000 config/rootfiles/core/89/filelists/ntfs-3g create mode 120000 config/rootfiles/core/89/filelists/setup diff --git a/config/rootfiles/core/89/filelists/fuse b/config/rootfiles/core/89/filelists/fuse new file mode 120000 index 000000000..570edaade --- /dev/null +++ b/config/rootfiles/core/89/filelists/fuse @@ -0,0 +1 @@ +../../../common/fuse \ No newline at end of file diff --git a/config/rootfiles/core/89/filelists/ntfs-3g b/config/rootfiles/core/89/filelists/ntfs-3g new file mode 120000 index 000000000..d93adc2a1 --- /dev/null +++ b/config/rootfiles/core/89/filelists/ntfs-3g @@ -0,0 +1 @@ +../../../common/ntfs-3g \ No newline at end of file 
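Review bot: The replacement comment `# Prevent uninstall sqlite (now common package).` in the update.sh hunk does not describe what the widened glob does. `/opt/pakfire/db/*/meta-sqlite` now deletes the sqlite metadata file from every directory under /opt/pakfire/db, not only from `installed/`. A comment such as `# sqlite is now part of the core system: drop all pakfire metadata for it so pakfire no longer manages (or removes) the package.` would make the intent reviewable. If only particular db directories are meant, naming them instead of `*` would keep the deletion scoped to what the update intends to touch.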
diff --git a/config/rootfiles/core/89/filelists/setup b/config/rootfiles/core/89/filelists/setup new file mode 120000 index 000000000..209374bbc --- /dev/null +++ b/config/rootfiles/core/89/filelists/setup @@ -0,0 +1 @@ +../../../common/setup \ No newline at end of file From a810e7665e3e039981d2caec9d1dda3c20a08b56 Mon Sep 17 00:00:00 2001 From: Arne Fitzenreiter Date: Tue, 17 Mar 2015 14:03:31 +0100 Subject: [PATCH 16/17] core89: stop/start ipsec, rewrite ddns config with new cgi. --- config/rootfiles/core/89/update.sh | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/config/rootfiles/core/89/update.sh b/config/rootfiles/core/89/update.sh index 5c18401aa..f3de863ec 100644 --- a/config/rootfiles/core/89/update.sh +++ b/config/rootfiles/core/89/update.sh @@ -32,13 +32,21 @@ do done # Stop services +/etc/init.d/ipsec stop # Remove old files # Extract files extract_files +# Generate ddns configuration file +sudo -u nobody /srv/web/ipfire/cgi-bin/ddns.cgi + # Start services +/etc/init.d/dnsmasq restart +if [ `grep "ENABLED=on" /var/ipfire/vpn/settings` ]; then + /etc/init.d/ipsec start +fi # Update Language cache perl -e "require '/var/ipfire/lang.pl'; &Lang::BuildCacheLang" From 0fbf41404c75702d73b5234c6dde210c346ae0e6 Mon Sep 17 00:00:00 2001 
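Review bot: The `[ ... ]` test around the backquoted `grep "ENABLED=on" /var/ipfire/vpn/settings` in the "Start services" block is fragile, because the substitution is unquoted and the pattern is unanchored. If more than one line of the settings file contains `ENABLED=on`, `[` receives several words and fails, and ipsec stays down after the update, since `/etc/init.d/ipsec stop` ran unconditionally earlier in the hunk. Testing grep's exit status avoids this: `if grep -q '^ENABLED=on' /var/ipfire/vpn/settings; then`. Which other keys that file can hold is not visible here, but the anchored form is correct either way. Separately, the output of `sudo -u nobody /srv/web/ipfire/cgi-bin/ddns.cgi` is not redirected, so whatever the CGI prints ends up in the updater's output.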
From: Arne Fitzenreiter
Date: Tue, 17 Mar 2015 14:08:13 +0100
Subject: [PATCH 17/17] prepare core88.
---
config/rootfiles/core/88/exclude | 20 +++++++
config/rootfiles/core/88/filelists/files | 2 +
config/rootfiles/core/88/filelists/openssh | 1 +
config/rootfiles/core/88/filelists/openssl | 1 +
.../core/88/filelists/openssl-compat | 1 +
config/rootfiles/core/88/meta | 1 +
config/rootfiles/core/88/update.sh | 57 +++++++++++++++++++
7 files changed, 83 insertions(+)
create mode 100644 config/rootfiles/core/88/exclude
create mode 100644 config/rootfiles/core/88/filelists/files
create mode 120000 config/rootfiles/core/88/filelists/openssh
create mode 120000 config/rootfiles/core/88/filelists/openssl
create mode 120000 config/rootfiles/core/88/filelists/openssl-compat
create mode 100644 config/rootfiles/core/88/meta
create mode 100644 config/rootfiles/core/88/update.sh
diff --git a/config/rootfiles/core/88/exclude b/config/rootfiles/core/88/exclude
new file mode 100644
index 000000000..18e9b4d24
--- /dev/null
+++ b/config/rootfiles/core/88/exclude
@@ -0,0 +1,20 @@
+boot/config.txt
+etc/collectd.custom
+etc/ipsec.conf
+etc/ipsec.secrets
+etc/ipsec.user.conf
+etc/ipsec.user.secrets
+etc/localtime
+etc/shadow
+etc/ssh/ssh_config
+etc/ssh/sshd_config
+etc/ssl/openssl.cnf
+etc/sudoers
+etc/sysconfig/firewall.local
+etc/sysconfig/rc.local
+etc/udev/rules.d/30-persistent-network.rules
+srv/web/ipfire/html/proxy.pac
+var/ipfire/ovpn
+var/log/cache
+var/state/dhcp/dhcpd.leases
+var/updatecache
diff --git a/config/rootfiles/core/88/filelists/files b/config/rootfiles/core/88/filelists/files
new file mode 100644
index 000000000..409e5fe8a
--- /dev/null
+++ b/config/rootfiles/core/88/filelists/files
@@ -0,0 +1,2 @@
+etc/system-release
+etc/issue
diff --git a/config/rootfiles/core/88/filelists/openssh b/config/rootfiles/core/88/filelists/openssh
new file mode 120000
index 000000000..d8c77fd8e
--- /dev/null
+++ b/config/rootfiles/core/88/filelists/openssh
@@ -0,0 +1 @@
+../../../common/openssh
\ No newline at end of file
diff --git a/config/rootfiles/core/88/filelists/openssl b/config/rootfiles/core/88/filelists/openssl
new file mode 120000
index 000000000..e011a9266
--- /dev/null
+++ b/config/rootfiles/core/88/filelists/openssl
@@ -0,0 +1 @@
+../../../common/openssl
\ No newline at end of file
diff --git a/config/rootfiles/core/88/filelists/openssl-compat b/config/rootfiles/core/88/filelists/openssl-compat
new file mode 120000
index 000000000..c9fa42132
--- /dev/null
+++ b/config/rootfiles/core/88/filelists/openssl-compat
@@ -0,0 +1 @@
+../../../common/openssl-compat
\ No newline at end of file
diff --git a/config/rootfiles/core/88/meta b/config/rootfiles/core/88/meta
new file mode 100644
index 000000000..d547fa86f
--- /dev/null
+++ b/config/rootfiles/core/88/meta
@@ -0,0 +1 @@
+DEPS=""
diff --git a/config/rootfiles/core/88/update.sh b/config/rootfiles/core/88/update.sh
new file mode 100644
index 000000000..6ef1f483e
--- /dev/null
+++ b/config/rootfiles/core/88/update.sh
@@ -0,0 +1,57 @@
+#!/bin/bash
+############################################################################
+# #
+# This file is part of the IPFire Firewall. #
+# #
+# IPFire is free software; you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation; either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# IPFire is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with IPFire; if not, write to the Free Software #
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
+# #
+# Copyright (C) 2014 IPFire-Team . #
+# #
+############################################################################
+#
+. /opt/pakfire/lib/functions.sh
+/usr/local/bin/backupctrl exclude >/dev/null 2>&1
+
+# Remove old core updates from pakfire cache to save space...
+core=88
+for (( i=1; i<=$core; i++ ))
+do
+ rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire
+done
+
+# Stop services
+
+# Remove old files
+
+# Extract files
+extract_files
+
+# Start services
+
+# Update Language cache
+#perl -e "require '/var/ipfire/lang.pl'; &Lang::BuildCacheLang"
+
+
+sync
+
+# This update need a reboot...
+#touch /var/run/need_reboot
+
+# Finish
+/etc/init.d/fireinfo start
+sendprofile
+
+# Don't report the exitcode last command
+exit 0
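Review bot: The new update.sh never checks the result of `extract_files` and ends with an unconditional `exit 0`, so a failed extraction is reported to the caller as a successful core update. The closing comment suggests the intent is only to hide the status of the last command (`sendprofile`), which can be kept while still failing early on extraction, for example `extract_files || exit 1`. How pakfire reacts to a non-zero exit from this script is not visible here, so confirm that before changing it. If aborting is not acceptable, the failure should at least be written to the log so a partially applied update can be detected.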