From a554acea163fa51e0a9e5081003e4148ffdfc24b Mon Sep 17 00:00:00 2001
From: Arne Fitzenreiter
Date: Wed, 4 Apr 2018 21:38:24 +0200
Subject: [PATCH 1/7] core120: don't (re)move old packfire/gpg databases

Signed-off-by: Arne Fitzenreiter
---
 config/rootfiles/core/120/update.sh | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/config/rootfiles/core/120/update.sh b/config/rootfiles/core/120/update.sh
index 0744f3a7f..459262c86 100644
--- a/config/rootfiles/core/120/update.sh
+++ b/config/rootfiles/core/120/update.sh
@@ -74,12 +74,6 @@ fi
 # Remove deprecated SSH configuration option
 sed -e "/UsePrivilegeSeparation/d" -i /etc/ssh/sshd_config
 
-# Remove any pakfire keys stored in /
-rm -rfv /.gnupg
-
-# Move old pakfire keystore into new place
-mv -v /root/.gnupg /opt/pakfire/etc/.gnupg
-
 # Import new Pakfire key
 /etc/init.d/pakfire start
 
From f5b2d0a14a5e109948bc0d024ffcba63cffcab48 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Mon, 9 Apr 2018 11:32:07 +0100
Subject: [PATCH 2/7] OpenVPN: Drop Path MTU discovery settings

These have to be dropped since the entire system does not support Path MTU discovery any more. This should not have any disadvantage on any tunnels since PMTU didn't really work in the first place.

Signed-off-by: Michael Tremer
---
 html/cgi-bin/ovpnmain.cgi | 101 --------------------------------------
 1 file changed, 101 deletions(-)

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index ff3d05509..94e723ba2 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -92,7 +92,6 @@ $cgiparams{'ROUTES_PUSH'} = '';
 $cgiparams{'DCOMPLZO'} = 'off';
 $cgiparams{'MSSFIX'} = '';
 $cgiparams{'number'} = '';
-$cgiparams{'PMTU_DISCOVERY'} = '';
 $cgiparams{'DCIPHER'} = '';
 $cgiparams{'DAUTH'} = '';
 $cgiparams{'TLSAUTH'} = '';
@@ -234,10 +233,6 @@ sub writeserverconf {
 	{ print CONF "tun-mtu 1500\n"; }
 	elsif ($sovpnsettings{'FRAGMENT'} ne '' && $sovpnsettings{'DPROTOCOL'} ne 'tcp')
 	{ print CONF "tun-mtu 1500\n"; }
-	elsif (($sovpnsettings{'PMTU_DISCOVERY'} eq 'yes') ||
-		($sovpnsettings{'PMTU_DISCOVERY'} eq 'maybe') ||
-		($sovpnsettings{'PMTU_DISCOVERY'} eq 'no' ))
-	{ print CONF "tun-mtu 1500\n"; }
 	else
 	{ print CONF "tun-mtu $sovpnsettings{'DMTU'}\n"; }
 
@@ -277,13 +272,6 @@ sub writeserverconf {
 		print CONF "fragment $sovpnsettings{'FRAGMENT'}\n";
 	}
 
-	# Check if a valid operating mode has been choosen and use it.
-	if (($sovpnsettings{'PMTU_DISCOVERY'} eq 'yes') ||
-		($sovpnsettings{'PMTU_DISCOVERY'} eq 'maybe') ||
-		($sovpnsettings{'PMTU_DISCOVERY'} eq 'no' )) {
-		print CONF "mtu-disc $sovpnsettings{'PMTU_DISCOVERY'}\n";
-	}
-
 	if ($sovpnsettings{KEEPALIVE_1} > 0 && $sovpnsettings{KEEPALIVE_2} > 0) {
 		print CONF "keepalive $sovpnsettings{'KEEPALIVE_1'} $sovpnsettings{'KEEPALIVE_2'}\n";
 	}
@@ -755,7 +743,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) {
 	$vpnsettings{'DHCP_DNS'} = $cgiparams{'DHCP_DNS'};
 	$vpnsettings{'DHCP_WINS'} = $cgiparams{'DHCP_WINS'};
 	$vpnsettings{'ROUTES_PUSH'} = $cgiparams{'ROUTES_PUSH'};
-	$vpnsettings{'PMTU_DISCOVERY'} = $cgiparams{'PMTU_DISCOVERY'};
 	$vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'};
 	$vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'};
 	my @temp=();
@@ -777,16 +764,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) {
 		$vpnsettings{'MSSFIX'} = $cgiparams{'MSSFIX'};
 	}
 
-	if (($cgiparams{'PMTU_DISCOVERY'} eq 'yes') ||
-		($cgiparams{'PMTU_DISCOVERY'} eq 'maybe') ||
-		($cgiparams{'PMTU_DISCOVERY'} eq 'no' )) {
-
-		if (($cgiparams{'MSSFIX'} eq 'on') || ($cgiparams{'FRAGMENT'} ne '')) {
-			$errormessage = $Lang::tr{'ovpn mtu-disc with mssfix or fragment'};
-			goto ADV_ERROR;
-		}
-	}
-
 	if ($cgiparams{'DHCP_DOMAIN'} ne ''){
 		unless (&General::validdomainname($cgiparams{'DHCP_DOMAIN'}) || &General::validip($cgiparams{'DHCP_DOMAIN'})) {
 			$errormessage = $Lang::tr{'invalid input for dhcp domain'};
@@ -952,16 +929,6 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General
 		if ($cgiparams{'MSSFIX'} eq 'on') {print SERVERCONF "mssfix\n"; };
 	}
 
-	# Check if a valid operating mode has been choosen and use it.
-	if (($cgiparams{'PMTU_DISCOVERY'} eq 'yes') ||
-		($cgiparams{'PMTU_DISCOVERY'} eq 'maybe') ||
-		($cgiparams{'PMTU_DISCOVERY'} eq 'no' )) {
-		if(($cgiparams{'MSSFIX'} ne 'on') || ($cgiparams{'FRAGMENT'} eq '')) {
-			if($cgiparams{'MTU'} eq '1500') {
-				print SERVERCONF "mtu-disc $cgiparams{'PMTU_DISCOVERY'}\n";
-			}
-		}
-	}
 	print SERVERCONF "# Auth. Server\n";
 	print SERVERCONF "tls-server\n";
 	print SERVERCONF "ca ${General::swroot}/ovpn/ca/cacert.pem\n";
@@ -1058,16 +1025,6 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General
 		if ($cgiparams{'MSSFIX'} eq 'on') {print CLIENTCONF "mssfix\n"; };
 	}
 
-	# Check if a valid operating mode has been choosen and use it.
-	if (($cgiparams{'PMTU_DISCOVERY'} eq 'yes') ||
-		($cgiparams{'PMTU_DISCOVERY'} eq 'maybe') ||
-		($cgiparams{'PMTU_DISCOVERY'} eq 'no' )) {
-		if(($cgiparams{'MSSFIX'} ne 'on') || ($cgiparams{'FRAGMENT'} eq '')) {
-			if ($cgiparams{'MTU'} eq '1500') {
-				print CLIENTCONF "mtu-disc $cgiparams{'PMTU_DISCOVERY'}\n";
-			}
-		}
-	}
 	# Check host certificate if X509 is RFC3280 compliant.
 	# If not, old --ns-cert-type directive will be used.
 	# If appropriate key usage extension exists, new --remote-cert-tls directive will be used.
@@ -2279,10 +2236,6 @@ else
 	{ print CLIENTCONF "tun-mtu 1500\r\n"; }
 	elsif ($vpnsettings{MSSFIX} eq 'on')
 	{ print CLIENTCONF "tun-mtu 1500\r\n"; }
-	elsif (($vpnsettings{'PMTU_DISCOVERY'} eq 'yes') ||
-		($vpnsettings{'PMTU_DISCOVERY'} eq 'maybe') ||
-		($vpnsettings{'PMTU_DISCOVERY'} eq 'no' ))
-	{ print CLIENTCONF "tun-mtu 1500\r\n"; }
 	else
 	{ print CLIENTCONF "tun-mtu $vpnsettings{'DMTU'}\r\n"; }
 
@@ -2382,15 +2335,6 @@ else
 		print CLIENTCONF "fragment $vpnsettings{'FRAGMENT'}\r\n";
 	}
 
-	# Check if a valid operating mode has been choosen and use it.
-	if (($vpnsettings{'PMTU_DISCOVERY'} eq 'yes') ||
-		($vpnsettings{'PMTU_DISCOVERY'} eq 'maybe') ||
-		($vpnsettings{'PMTU_DISCOVERY'} eq 'no' )) {
-		if(($vpnsettings{MSSFIX} ne 'on') || ($vpnsettings{FRAGMENT} eq '')) {
-			print CLIENTCONF "mtu-disc $vpnsettings{'PMTU_DISCOVERY'}\r\n";
-		}
-	}
-
 	if ($include_certs) {
 		print CLIENTCONF "\r\n";
 
@@ -2668,9 +2612,6 @@ ADV_ERROR:
 	if ($cgiparams{'LOG_VERB'} eq '') {
 		$cgiparams{'LOG_VERB'} = '3';
 	}
-	if ($cgiparams{'PMTU_DISCOVERY'} eq '') {
-		$cgiparams{'PMTU_DISCOVERY'} = 'off';
-	}
 	if ($cgiparams{'DAUTH'} eq '') {
 		$cgiparams{'DAUTH'} = 'SHA512';
 	}
@@ -2689,7 +2630,6 @@ ADV_ERROR: $checked{'MSSFIX'}{'off'} = ''; $checked{'MSSFIX'}{'on'} = ''; $checked{'MSSFIX'}{$cgiparams{'MSSFIX'}} = 'CHECKED'; - $checked{'PMTU_DISCOVERY'}{$cgiparams{'PMTU_DISCOVERY'}} = 'checked=\'checked\''; $selected{'LOG_VERB'}{'0'} = ''; $selected{'LOG_VERB'}{'1'} = ''; $selected{'LOG_VERB'}{'2'} = ''; @@ -2812,14 +2752,6 @@ print < - - - $Lang::tr{'ovpn mtu-disc'} - $Lang::tr{'ovpn mtu-disc yes'} - $Lang::tr{'ovpn mtu-disc maybe'} - $Lang::tr{'ovpn mtu-disc no'} - $Lang::tr{'ovpn mtu-disc off'} -
@@ -3650,7 +3582,6 @@ if ($confighash{$cgiparams{'KEY'}}) {
 	$cgiparams{'CCD_DNS1'} = $confighash{$cgiparams{'KEY'}}[35];
 	$cgiparams{'CCD_DNS2'} = $confighash{$cgiparams{'KEY'}}[36];
 	$cgiparams{'CCD_WINS'} = $confighash{$cgiparams{'KEY'}}[37];
-	$cgiparams{'PMTU_DISCOVERY'} = $confighash{$cgiparams{'KEY'}}[38];
 	$cgiparams{'DAUTH'} = $confighash{$cgiparams{'KEY'}}[39];
 	$cgiparams{'DCIPHER'} = $confighash{$cgiparams{'KEY'}}[40];
 	$cgiparams{'TLSAUTH'} = $confighash{$cgiparams{'KEY'}}[41];
@@ -3919,22 +3850,6 @@ if ($cgiparams{'TYPE'} eq 'net') {
 		goto VPNCONF_ERROR;
 	}
 
-	if ($cgiparams{'PMTU_DISCOVERY'} ne 'off') {
-		if (($cgiparams{'FRAGMENT'} ne '') || ($cgiparams{'MSSFIX'} eq 'on')) {
-			$errormessage = $Lang::tr{'ovpn mtu-disc with mssfix or fragment'};
-			unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
-			rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
-			goto VPNCONF_ERROR;
-		}
-	}
-
-	if (($cgiparams{'PMTU_DISCOVERY'} ne 'off') && ($cgiparams{'MTU'} ne '1500')) {
-		$errormessage = $Lang::tr{'ovpn mtu-disc and mtu not 1500'};
-		unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
-		rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
-		goto VPNCONF_ERROR;
-	}
-
 	if ( &validdotmask ($cgiparams{'LOCAL_SUBNET'})) {
 		$errormessage = $Lang::tr{'openvpn prefix local subnet'};
 		unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
@@ -4378,7 +4293,6 @@ if ($cgiparams{'TYPE'} eq 'net') { $confighash{$key}[35] = $cgiparams{'CCD_DNS1'}; $confighash{$key}[36] = $cgiparams{'CCD_DNS2'}; $confighash{$key}[37] = $cgiparams{'CCD_WINS'}; - $confighash{$key}[38] = $cgiparams{'PMTU_DISCOVERY'}; $confighash{$key}[39] = $cgiparams{'DAUTH'}; $confighash{$key}[40] = $cgiparams{'DCIPHER'}; @@ -4494,7 +4408,6 @@ if ($cgiparams{'TYPE'} eq 'net') { ### $cgiparams{'MSSFIX'} = 'on'; $cgiparams{'FRAGMENT'} = '1300'; - $cgiparams{'PMTU_DISCOVERY'} = 'off'; $cgiparams{'DAUTH'} = 'SHA512'; ### # m.a.d n2n end @@ -4556,11 +4469,6 @@ if ($cgiparams{'TYPE'} eq 'net') { $checked{'MSSFIX'}{'on'} = ''; $checked{'MSSFIX'}{$cgiparams{'MSSFIX'}} = 'CHECKED'; - if ($cgiparams{'PMTU_DISCOVERY'} eq '') { - $cgiparams{'PMTU_DISCOVERY'} = 'off'; - } - $checked{'PMTU_DISCOVERY'}{$cgiparams{'PMTU_DISCOVERY'}} = 'checked=\'checked\''; - $selected{'DCIPHER'}{'AES-256-GCM'} = ''; $selected{'DCIPHER'}{'AES-192-GCM'} = ''; $selected{'DCIPHER'}{'AES-128-GCM'} = ''; @@ -4721,15 +4629,6 @@ if ($cgiparams{'TYPE'} eq 'net') { - $Lang::tr{'ovpn mtu-disc'} - - $Lang::tr{'ovpn mtu-disc yes'} - $Lang::tr{'ovpn mtu-disc maybe'} - $Lang::tr{'ovpn mtu-disc no'} - $Lang::tr{'ovpn mtu-disc off'} - - -
 $Lang::tr{'ovpn crypt options'}:
From c79cbc15941fb4f950fbb7aad6c98fd1344bf348 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Mon, 9 Apr 2018 11:36:46 +0100
Subject: [PATCH 3/7] core120: Update OepnVPN configurations for PMTU changes

Signed-off-by: Michael Tremer
---
 config/rootfiles/core/120/update.sh | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/config/rootfiles/core/120/update.sh b/config/rootfiles/core/120/update.sh
index 0744f3a7f..e4ee15b52 100644
--- a/config/rootfiles/core/120/update.sh
+++ b/config/rootfiles/core/120/update.sh
@@ -58,6 +58,9 @@ if [ -e /var/ipfire/ovpn/server.conf ]; then
 	sed -i -e 's/script-security 3 system/script-security 3/' \
 		-e '/status .*/ a ncp-disable' /var/ipfire/ovpn/server.conf
 
+	# Disable Path MTU discovery settings
+	sed -e "/^mtu-disc/d" -i /var/ipfire/ovpn/server.conf
+
 	# Update the OpenVPN CRL
 	openssl ca -gencrl -keyfile /var/ipfire/ovpn/ca/cakey.pem \
 		-cert /var/ipfire/ovpn/ca/cacert.pem \
@@ -67,6 +70,15 @@ if [ -e /var/ipfire/ovpn/server.conf ]; then
 	/usr/local/bin/openvpnctrl -s
 fi
 
+# Update OpenVPN N2N configurations
+/usr/local/bin/openvpnctrl -kn2n
+
+for file in /var/ipfire/ovpn/n2nconf/*/*.conf; do
+	sed -e "/^mtu-disc/d" -i ${file}
+done
+
+/usr/local/bin/openvpnctrl -sn2n
+
 # Start services
 /etc/init.d/apache restart
 /etc/init.d/unbound restart
From 3509cd985fd5a92de5eb3e3b1bc153fcea2d3d31 Mon Sep 17 00:00:00 2001
From: Arne Fitzenreiter
Date: Sat, 14 Apr 2018 16:14:31 +0200
Subject: [PATCH 4/7] bump packages

the old packages are linked against removed libs

fixes: 11685

Signed-off-by: Arne Fitzenreiter
---
 lfs/htop | 2 +-
 lfs/iptraf-ng | 2 +-
 lfs/lcd4linux | 2 +-
 lfs/nano | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/lfs/htop b/lfs/htop
index 6fba6c0bb..fa5d862d7 100644
--- a/lfs/htop
+++ b/lfs/htop
@@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE)
 DIR_APP = $(DIR_SRC)/$(THISAPP)
 TARGET = $(DIR_INFO)/$(THISAPP)
 PROG = htop
-PAK_VER = 10
+PAK_VER = 11
 
 DEPS = ""
 
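Review bot: The `for file in /var/ipfire/ovpn/n2nconf/*/*.conf` loop in the second hunk has no guard for an unmatched glob, so on a system with no N2N connections the body runs once with the literal pattern and `sed -i` fails on a non-existent file; `${file}` is also unquoted. Suggest `[ -e "${file}" ] || continue` as the first statement of the body and `sed -e "/^mtu-disc/d" -i "${file}"`. The loop is fully inside the hunk; the rest of the update script lies outside it.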
diff --git a/lfs/iptraf-ng b/lfs/iptraf-ng
index e962b2c5e..f76ff9f33 100644
--- a/lfs/iptraf-ng
+++ b/lfs/iptraf-ng
@@ -17,7 +17,7 @@ DL_FROM = $(URL_IPFIRE)
 DIR_APP = $(DIR_SRC)/$(THISAPP)
 TARGET = $(DIR_INFO)/$(THISAPP)
 PROG = iptraf-ng
-PAK_VER = 2
+PAK_VER = 3
 
 DEPS = ""
 
diff --git a/lfs/lcd4linux b/lfs/lcd4linux
index 31bcf12e6..79e9d5a2e 100644
--- a/lfs/lcd4linux
+++ b/lfs/lcd4linux
@@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE)
 DIR_APP = $(DIR_SRC)/lcd4linux
 TARGET = $(DIR_INFO)/$(THISAPP)
 PROG = lcd4linux
-PAK_VER = 5
+PAK_VER = 6
 
 DEPS = "dpfhack libmpdclient"
 
diff --git a/lfs/nano b/lfs/nano
index 936b4778b..6269ea208 100644
--- a/lfs/nano
+++ b/lfs/nano
@@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE)
 DIR_APP = $(DIR_SRC)/$(THISAPP)
 TARGET = $(DIR_INFO)/$(THISAPP)
 PROG = nano
-PAK_VER = 19
+PAK_VER = 20
 
 DEPS = ""
 
From 196b9090f96064d5772e01b875106397a9c898da Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Tue, 24 Apr 2018 12:34:53 +0100
Subject: [PATCH 5/7] dma: Apply compile fix

dma segfaulted when built without string.h.

Fixes: #11701
Submitted upstream: https://github.com/corecode/dma/pull/58

Signed-off-by: Michael Tremer
---
 lfs/dma | 1 +
 src/patches/dma-0.11-compile-fixes.patch | 29 ++++++++++++++++++++++++
 2 files changed, 30 insertions(+)
 create mode 100644 src/patches/dma-0.11-compile-fixes.patch

diff --git a/lfs/dma b/lfs/dma
index 507967158..085c9c2ee 100644
--- a/lfs/dma
+++ b/lfs/dma
@@ -75,6 +75,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	touch /var/ipfire/dma/mail.conf
 	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/dma-0.10-better-authentication.patch
 	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/dma-0.10-better-tls.patch
+	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/dma-0.11-compile-fixes.patch
 	cd $(DIR_APP) && sed -i '/PREFIX/s/usr\/local/usr/g' Makefile
 	cd $(DIR_APP) && sed -i '/CONFDIR/s/etc\/dma/var\/ipfire\/dma/g' Makefile
 	cd $(DIR_APP) && make
diff --git a/src/patches/dma-0.11-compile-fixes.patch b/src/patches/dma-0.11-compile-fixes.patch new file mode 100644 index 000000000..a6e5165c9 --- /dev/null +++ b/src/patches/dma-0.11-compile-fixes.patch @@ -0,0 +1,29 @@ +From 60cf6f03a4b13ec0e491a282ab5233a1619a7a66 Mon Sep 17 00:00:00 2001 +From: Michael Tremer +Date: Tue, 24 Apr 2018 12:30:13 +0100 +Subject: [PATCH] net.c: Include string.h + +Various functions that have been used come from string.h. GCC compiled +dma without this header, but unfortunately the binary segfaulted at random +times. + +Signed-off-by: Michael Tremer +--- + net.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net.c b/net.c +index a1cc3e3bfd79..221dda131a23 100644 +--- a/net.c ++++ b/net.c +@@ -53,6 +53,7 @@ + #include + #include + #include ++#include + #include + #include + +-- +2.14.3 + From ef623d3e68fdf97d2f96a5b9d1c22de771e05d49 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Thu, 19 Apr 2018 15:36:37 +0100 Subject: [PATCH 6/7] Revert "IPsec: Try to restart always-on tunnels immediately" This reverts commit a261cb06c6cdd3ba14ad0163c8c9e714ae94fc5b. Signed-off-by: Michael Tremer --- html/cgi-bin/vpnmain.cgi | 6 ------ 1 file changed, 6 deletions(-) diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index a52b4d64d..378acb326 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -436,12 +436,6 @@ sub writeipsecfiles { if ($start_action eq 'route' && $inactivity_timeout > 0) { print CONF "\tinactivity=$inactivity_timeout\n"; } - - # Restart the connection immediately when it has gone down - # unexpectedly - if ($start_action eq 'start') { - print CONF "\tcloseaction=restart\n"; - } } # Fragmentation From 39f4488a62cc97a1a60573e57eb8a14a7743f5e3 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Tue, 24 Apr 2018 14:25:55 +0100 Subject: [PATCH 7/7] core120: Regenerate IPsec configuration 
Signed-off-by: Michael Tremer
---
 config/rootfiles/core/120/update.sh | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/config/rootfiles/core/120/update.sh b/config/rootfiles/core/120/update.sh
index 1ba9df96f..c465d315b 100644
--- a/config/rootfiles/core/120/update.sh
+++ b/config/rootfiles/core/120/update.sh
@@ -83,6 +83,12 @@ done
 /etc/init.d/apache restart
 /etc/init.d/unbound restart
 
+# Regenerate IPsec configuration
+sudo -u nobody /srv/web/ipfire/cgi-bin/vpnmain.cgi
+if grep -q "ENABLED=on" /var/ipfire/vpn/settings; then
+	/etc/init.d/ipsec restart
+fi
+
 # Remove deprecated SSH configuration option
 sed -e "/UsePrivilegeSeparation/d" -i /etc/ssh/sshd_config
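Review bot: `grep -q "ENABLED=on" /var/ipfire/vpn/settings` is unanchored, so it also matches when that string occurs inside another key's value in the settings file; `if grep -q "^ENABLED=on$" /var/ipfire/vpn/settings; then` pins it to the intended line. The exit status of `sudo -u nobody /srv/web/ipfire/cgi-bin/vpnmain.cgi` on the line above is not examined either, so a failed regeneration is silently followed by an `ipsec restart` of whatever configuration was left on disk; appending `|| echo "vpnmain.cgi: IPsec configuration not regenerated" >&2` would at least make that visible in the update output. Both statements are at the top level of the update script, not inside a function.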