diff --git a/config/rootfiles/core/120/update.sh b/config/rootfiles/core/120/update.sh index 0744f3a7f..c465d315b 100644 --- a/config/rootfiles/core/120/update.sh +++ b/config/rootfiles/core/120/update.sh @@ -58,6 +58,9 @@ if [ -e /var/ipfire/ovpn/server.conf ]; then sed -i -e 's/script-security 3 system/script-security 3/' \ -e '/status .*/ a ncp-disable' /var/ipfire/ovpn/server.conf + # Disable Path MTU discovery settings + sed -e "/^mtu-disc/d" -i /var/ipfire/ovpn/server.conf + # Update the OpenVPN CRL openssl ca -gencrl -keyfile /var/ipfire/ovpn/ca/cakey.pem \ -cert /var/ipfire/ovpn/ca/cacert.pem \ @@ -67,19 +70,28 @@ if [ -e /var/ipfire/ovpn/server.conf ]; then /usr/local/bin/openvpnctrl -s fi +# Update OpenVPN N2N configurations +/usr/local/bin/openvpnctrl -kn2n + +for file in /var/ipfire/ovpn/n2nconf/*/*.conf; do + sed -e "/^mtu-disc/d" -i ${file} +done + +/usr/local/bin/openvpnctrl -sn2n + # Start services /etc/init.d/apache restart /etc/init.d/unbound restart +# Regenerate IPsec configuration +sudo -u nobody /srv/web/ipfire/cgi-bin/vpnmain.cgi +if grep -q "ENABLED=on" /var/ipfire/vpn/settings; then + /etc/init.d/ipsec restart +fi + # Remove deprecated SSH configuration option sed -e "/UsePrivilegeSeparation/d" -i /etc/ssh/sshd_config -# Remove any pakfire keys stored in / -rm -rfv /.gnupg - -# Move old pakfire keystore into new place -mv -v /root/.gnupg /opt/pakfire/etc/.gnupg - # Import new Pakfire key /etc/init.d/pakfire start diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index ff3d05509..94e723ba2 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -92,7 +92,6 @@ $cgiparams{'ROUTES_PUSH'} = ''; $cgiparams{'DCOMPLZO'} = 'off'; $cgiparams{'MSSFIX'} = ''; $cgiparams{'number'} = ''; -$cgiparams{'PMTU_DISCOVERY'} = ''; $cgiparams{'DCIPHER'} = ''; $cgiparams{'DAUTH'} = ''; $cgiparams{'TLSAUTH'} = ''; @@ -234,10 +233,6 @@ sub writeserverconf { { print CONF "tun-mtu 1500\n"; } elsif ($sovpnsettings{'FRAGMENT'} ne '' && $sovpnsettings{'DPROTOCOL'} ne 'tcp') { print CONF "tun-mtu 1500\n"; } - elsif (($sovpnsettings{'PMTU_DISCOVERY'} eq 'yes') || - ($sovpnsettings{'PMTU_DISCOVERY'} eq 'maybe') || - ($sovpnsettings{'PMTU_DISCOVERY'} eq 'no' )) - { print CONF "tun-mtu 1500\n"; } else { print CONF "tun-mtu $sovpnsettings{'DMTU'}\n"; } @@ -277,13 +272,6 @@ sub writeserverconf { print CONF "fragment $sovpnsettings{'FRAGMENT'}\n"; } - # Check if a valid operating mode has been choosen and use it. - if (($sovpnsettings{'PMTU_DISCOVERY'} eq 'yes') || - ($sovpnsettings{'PMTU_DISCOVERY'} eq 'maybe') || - ($sovpnsettings{'PMTU_DISCOVERY'} eq 'no' )) { - print CONF "mtu-disc $sovpnsettings{'PMTU_DISCOVERY'}\n"; - } - if ($sovpnsettings{KEEPALIVE_1} > 0 && $sovpnsettings{KEEPALIVE_2} > 0) { print CONF "keepalive $sovpnsettings{'KEEPALIVE_1'} $sovpnsettings{'KEEPALIVE_2'}\n"; } @@ -755,7 +743,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { $vpnsettings{'DHCP_DNS'} = $cgiparams{'DHCP_DNS'}; $vpnsettings{'DHCP_WINS'} = $cgiparams{'DHCP_WINS'}; $vpnsettings{'ROUTES_PUSH'} = $cgiparams{'ROUTES_PUSH'}; - $vpnsettings{'PMTU_DISCOVERY'} = $cgiparams{'PMTU_DISCOVERY'}; $vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'}; $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'}; my @temp=(); @@ -777,16 +764,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { $vpnsettings{'MSSFIX'} = $cgiparams{'MSSFIX'}; } - if (($cgiparams{'PMTU_DISCOVERY'} eq 'yes') || - ($cgiparams{'PMTU_DISCOVERY'} eq 'maybe') || - ($cgiparams{'PMTU_DISCOVERY'} eq 'no' )) { - - if (($cgiparams{'MSSFIX'} eq 'on') || ($cgiparams{'FRAGMENT'} ne '')) { - $errormessage = $Lang::tr{'ovpn mtu-disc with mssfix or fragment'}; - goto ADV_ERROR; - } - } - if ($cgiparams{'DHCP_DOMAIN'} ne ''){ unless (&General::validdomainname($cgiparams{'DHCP_DOMAIN'}) || &General::validip($cgiparams{'DHCP_DOMAIN'})) { $errormessage = $Lang::tr{'invalid input for dhcp domain'}; @@ -952,16 +929,6 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General if ($cgiparams{'MSSFIX'} eq 'on') {print SERVERCONF "mssfix\n"; }; } - # Check if a valid operating mode has been choosen and use it. - if (($cgiparams{'PMTU_DISCOVERY'} eq 'yes') || - ($cgiparams{'PMTU_DISCOVERY'} eq 'maybe') || - ($cgiparams{'PMTU_DISCOVERY'} eq 'no' )) { - if(($cgiparams{'MSSFIX'} ne 'on') || ($cgiparams{'FRAGMENT'} eq '')) { - if($cgiparams{'MTU'} eq '1500') { - print SERVERCONF "mtu-disc $cgiparams{'PMTU_DISCOVERY'}\n"; - } - } - } print SERVERCONF "# Auth. Server\n"; print SERVERCONF "tls-server\n"; print SERVERCONF "ca ${General::swroot}/ovpn/ca/cacert.pem\n"; @@ -1058,16 +1025,6 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General if ($cgiparams{'MSSFIX'} eq 'on') {print CLIENTCONF "mssfix\n"; }; } - # Check if a valid operating mode has been choosen and use it. - if (($cgiparams{'PMTU_DISCOVERY'} eq 'yes') || - ($cgiparams{'PMTU_DISCOVERY'} eq 'maybe') || - ($cgiparams{'PMTU_DISCOVERY'} eq 'no' )) { - if(($cgiparams{'MSSFIX'} ne 'on') || ($cgiparams{'FRAGMENT'} eq '')) { - if ($cgiparams{'MTU'} eq '1500') { - print CLIENTCONF "mtu-disc $cgiparams{'PMTU_DISCOVERY'}\n"; - } - } - } # Check host certificate if X509 is RFC3280 compliant. # If not, old --ns-cert-type directive will be used. # If appropriate key usage extension exists, new --remote-cert-tls directive will be used. @@ -2279,10 +2236,6 @@ else { print CLIENTCONF "tun-mtu 1500\r\n"; } elsif ($vpnsettings{MSSFIX} eq 'on') { print CLIENTCONF "tun-mtu 1500\r\n"; } - elsif (($vpnsettings{'PMTU_DISCOVERY'} eq 'yes') || - ($vpnsettings{'PMTU_DISCOVERY'} eq 'maybe') || - ($vpnsettings{'PMTU_DISCOVERY'} eq 'no' )) - { print CLIENTCONF "tun-mtu 1500\r\n"; } else { print CLIENTCONF "tun-mtu $vpnsettings{'DMTU'}\r\n"; } @@ -2382,15 +2335,6 @@ else print CLIENTCONF "fragment $vpnsettings{'FRAGMENT'}\r\n"; } - # Check if a valid operating mode has been choosen and use it. - if (($vpnsettings{'PMTU_DISCOVERY'} eq 'yes') || - ($vpnsettings{'PMTU_DISCOVERY'} eq 'maybe') || - ($vpnsettings{'PMTU_DISCOVERY'} eq 'no' )) { - if(($vpnsettings{MSSFIX} ne 'on') || ($vpnsettings{FRAGMENT} eq '')) { - print CLIENTCONF "mtu-disc $vpnsettings{'PMTU_DISCOVERY'}\r\n"; - } - } - if ($include_certs) { print CLIENTCONF "\r\n"; @@ -2668,9 +2612,6 @@ ADV_ERROR: if ($cgiparams{'LOG_VERB'} eq '') { $cgiparams{'LOG_VERB'} = '3'; } - if ($cgiparams{'PMTU_DISCOVERY'} eq '') { - $cgiparams{'PMTU_DISCOVERY'} = 'off'; - } if ($cgiparams{'DAUTH'} eq '') { $cgiparams{'DAUTH'} = 'SHA512'; } @@ -2689,7 +2630,6 @@ ADV_ERROR: $checked{'MSSFIX'}{'off'} = ''; $checked{'MSSFIX'}{'on'} = ''; $checked{'MSSFIX'}{$cgiparams{'MSSFIX'}} = 'CHECKED'; - $checked{'PMTU_DISCOVERY'}{$cgiparams{'PMTU_DISCOVERY'}} = 'checked=\'checked\''; $selected{'LOG_VERB'}{'0'} = ''; $selected{'LOG_VERB'}{'1'} = ''; $selected{'LOG_VERB'}{'2'} = ''; @@ -2812,14 +2752,6 @@ print < - - - $Lang::tr{'ovpn mtu-disc'} - $Lang::tr{'ovpn mtu-disc yes'} - $Lang::tr{'ovpn mtu-disc maybe'} - $Lang::tr{'ovpn mtu-disc no'} - $Lang::tr{'ovpn mtu-disc off'} -
@@ -3650,7 +3582,6 @@ if ($confighash{$cgiparams{'KEY'}}) { $cgiparams{'CCD_DNS1'} = $confighash{$cgiparams{'KEY'}}[35]; $cgiparams{'CCD_DNS2'} = $confighash{$cgiparams{'KEY'}}[36]; $cgiparams{'CCD_WINS'} = $confighash{$cgiparams{'KEY'}}[37]; - $cgiparams{'PMTU_DISCOVERY'} = $confighash{$cgiparams{'KEY'}}[38]; $cgiparams{'DAUTH'} = $confighash{$cgiparams{'KEY'}}[39]; $cgiparams{'DCIPHER'} = $confighash{$cgiparams{'KEY'}}[40]; $cgiparams{'TLSAUTH'} = $confighash{$cgiparams{'KEY'}}[41]; @@ -3919,22 +3850,6 @@ if ($cgiparams{'TYPE'} eq 'net') { goto VPNCONF_ERROR; } - if ($cgiparams{'PMTU_DISCOVERY'} ne 'off') { - if (($cgiparams{'FRAGMENT'} ne '') || ($cgiparams{'MSSFIX'} eq 'on')) { - $errormessage = $Lang::tr{'ovpn mtu-disc with mssfix or fragment'}; - unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!"; - rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!"; - goto VPNCONF_ERROR; - } - } - - if (($cgiparams{'PMTU_DISCOVERY'} ne 'off') && ($cgiparams{'MTU'} ne '1500')) { - $errormessage = $Lang::tr{'ovpn mtu-disc and mtu not 1500'}; - unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!"; - rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!"; - goto VPNCONF_ERROR; - } - if ( &validdotmask ($cgiparams{'LOCAL_SUBNET'})) { $errormessage = $Lang::tr{'openvpn prefix local subnet'}; unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!"; @@ -4378,7 +4293,6 @@ if ($cgiparams{'TYPE'} eq 'net') { $confighash{$key}[35] = $cgiparams{'CCD_DNS1'}; $confighash{$key}[36] = $cgiparams{'CCD_DNS2'}; $confighash{$key}[37] = $cgiparams{'CCD_WINS'}; - $confighash{$key}[38] = $cgiparams{'PMTU_DISCOVERY'}; $confighash{$key}[39] = $cgiparams{'DAUTH'}; $confighash{$key}[40] = $cgiparams{'DCIPHER'}; @@ -4494,7 +4408,6 @@ if ($cgiparams{'TYPE'} eq 'net') { ### $cgiparams{'MSSFIX'} = 'on'; $cgiparams{'FRAGMENT'} = '1300'; - $cgiparams{'PMTU_DISCOVERY'} = 'off'; $cgiparams{'DAUTH'} = 'SHA512'; ### # m.a.d n2n end @@ -4556,11 +4469,6 @@ if ($cgiparams{'TYPE'} eq 'net') { $checked{'MSSFIX'}{'on'} = ''; $checked{'MSSFIX'}{$cgiparams{'MSSFIX'}} = 'CHECKED'; - if ($cgiparams{'PMTU_DISCOVERY'} eq '') { - $cgiparams{'PMTU_DISCOVERY'} = 'off'; - } - $checked{'PMTU_DISCOVERY'}{$cgiparams{'PMTU_DISCOVERY'}} = 'checked=\'checked\''; - $selected{'DCIPHER'}{'AES-256-GCM'} = ''; $selected{'DCIPHER'}{'AES-192-GCM'} = ''; $selected{'DCIPHER'}{'AES-128-GCM'} = ''; @@ -4721,15 +4629,6 @@ if ($cgiparams{'TYPE'} eq 'net') { - $Lang::tr{'ovpn mtu-disc'} - - $Lang::tr{'ovpn mtu-disc yes'} - $Lang::tr{'ovpn mtu-disc maybe'} - $Lang::tr{'ovpn mtu-disc no'} - $Lang::tr{'ovpn mtu-disc off'} - - -
$Lang::tr{'ovpn crypt options'}: diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index a52b4d64d..378acb326 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -436,12 +436,6 @@ sub writeipsecfiles { if ($start_action eq 'route' && $inactivity_timeout > 0) { print CONF "\tinactivity=$inactivity_timeout\n"; } - - # Restart the connection immediately when it has gone down - # unexpectedly - if ($start_action eq 'start') { - print CONF "\tcloseaction=restart\n"; - } } # Fragmentation diff --git a/lfs/dma b/lfs/dma index 507967158..085c9c2ee 100644 --- a/lfs/dma +++ b/lfs/dma @@ -75,6 +75,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) touch /var/ipfire/dma/mail.conf cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/dma-0.10-better-authentication.patch cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/dma-0.10-better-tls.patch + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/dma-0.11-compile-fixes.patch cd $(DIR_APP) && sed -i '/PREFIX/s/usr\/local/usr/g' Makefile cd $(DIR_APP) && sed -i '/CONFDIR/s/etc\/dma/var\/ipfire\/dma/g' Makefile cd $(DIR_APP) && make diff --git a/lfs/htop b/lfs/htop index 6fba6c0bb..fa5d862d7 100644 --- a/lfs/htop +++ b/lfs/htop @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = htop -PAK_VER = 10 +PAK_VER = 11 DEPS = "" diff --git a/lfs/iptraf-ng b/lfs/iptraf-ng index e962b2c5e..f76ff9f33 100644 --- a/lfs/iptraf-ng +++ b/lfs/iptraf-ng @@ -17,7 +17,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = iptraf-ng -PAK_VER = 2 +PAK_VER = 3 DEPS = "" diff --git a/lfs/lcd4linux b/lfs/lcd4linux index 31bcf12e6..79e9d5a2e 100644 --- a/lfs/lcd4linux +++ b/lfs/lcd4linux @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/lcd4linux TARGET = $(DIR_INFO)/$(THISAPP) PROG = lcd4linux -PAK_VER = 5 +PAK_VER = 6 DEPS = "dpfhack libmpdclient" diff --git a/lfs/nano b/lfs/nano index 936b4778b..6269ea208 100644 --- a/lfs/nano +++ b/lfs/nano @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = nano -PAK_VER = 19 +PAK_VER = 20 DEPS = "" diff --git a/src/patches/dma-0.11-compile-fixes.patch b/src/patches/dma-0.11-compile-fixes.patch new file mode 100644 index 000000000..a6e5165c9 --- /dev/null +++ b/src/patches/dma-0.11-compile-fixes.patch @@ -0,0 +1,29 @@ +From 60cf6f03a4b13ec0e491a282ab5233a1619a7a66 Mon Sep 17 00:00:00 2001 +From: Michael Tremer +Date: Tue, 24 Apr 2018 12:30:13 +0100 +Subject: [PATCH] net.c: Include string.h + +Various functions that have been used come from string.h. GCC compiled +dma without this header, but unfortunately the binary segfaulted at random +times. + +Signed-off-by: Michael Tremer +--- + net.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net.c b/net.c +index a1cc3e3bfd79..221dda131a23 100644 +--- a/net.c ++++ b/net.c +@@ -53,6 +53,7 @@ + #include + #include + #include ++#include + #include + #include + +-- +2.14.3 +