diff --git a/config/cfgroot/general-functions.pl b/config/cfgroot/general-functions.pl
index c14f9903f..f94cdbf16 100644
--- a/config/cfgroot/general-functions.pl
+++ b/config/cfgroot/general-functions.pl
@@ -401,7 +401,6 @@ sub validipandmask
sub checksubnets
{
-
my %ccdconfhash=();
my @ccdconf=();
my $ccdname=$_[0];
@@ -409,20 +408,16 @@ sub checksubnets
my $errormessage;
my ($ip,$cidr)=split(/\//,$ccdnet);
$cidr=&iporsubtocidr($cidr);
-
-
#get OVPN-Subnet (dynamic range)
my %ovpnconf=();
&readhash("${General::swroot}/ovpn/settings", \%ovpnconf);
my ($ovpnip,$ovpncidr)= split (/\//,$ovpnconf{'DOVPN_SUBNET'});
$ovpncidr=&iporsubtocidr($ovpncidr);
-
#check if we try to use same network as ovpn server
if ("$ip/$cidr" eq "$ovpnip/$ovpncidr") {
$errormessage=$errormessage.$Lang::tr{'ccd err isovpnnet'}."
";
return $errormessage;
}
-
#check if we use a network-name/subnet that already exists
&readhasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash);
foreach my $key (keys %ccdconfhash) {
@@ -438,33 +433,22 @@ sub checksubnets
$errormessage=$errormessage.$Lang::tr{'ccd err issubnet'}."
";
return $errormessage;
}
-
}
- #check if we use a name which is already used by ovpn
-
-
-
-
-
#check if we use a ipsec right network which is already defined
my %ipsecconf=();
&General::readhasharray("${General::swroot}/vpn/config", \%ipsecconf);
foreach my $key (keys %ipsecconf){
if ($ipsecconf{$key}[11] ne ''){
- #$errormessage="DRIN!";
- #return $errormessage;
-
my ($ipsecip,$ipsecsub) = split (/\//, $ipsecconf{$key}[11]);
$ipsecsub=&iporsubtodec($ipsecsub);
-
- if ( &IpInSubnet ($ip,$ipsecip,$ipsecsub) ){
- $errormessage=$Lang::tr{'ccd err isipsecnet'}." Name: $ipsecconf{$key}[2]";
- return $errormessage;
+ if($ipsecconf{$key}[1] ne $ccdname){
+ if ( &IpInSubnet ($ip,$ipsecip,$ipsecsub) ){
+ $errormessage=$Lang::tr{'ccd err isipsecnet'}." Name: $ipsecconf{$key}[1]";
+ return $errormessage;
+ }
}
}
}
-
-
#check if we use one of ipfire's networks (green,orange,blue)
my %ownnet=();
&readhash("${General::swroot}/ethernet/settings", \%ownnet);
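Review bot: The rewritten IPsec test on the `+` lines still checks overlap in one direction only: `&IpInSubnet ($ip,$ipsecip,$ipsecsub)` asks whether the CCD network address lies inside the IPsec right subnet, so a CCD subnet that is wider than and contains the IPsec subnet (a /16 CCD net against a /24 IPsec net) is not rejected, whereas the green/orange/blue checks further down test the opposite direction with `IpInSubnet($ownnet{...},$ip,&iporsubtodec($cidr))`. Extend the condition to `if ( &IpInSubnet ($ip,$ipsecip,$ipsecsub) || &IpInSubnet ($ipsecip,$ip,&iporsubtodec($cidr)) ){`. The new `if($ipsecconf{$key}[1] ne $ccdname)` exemption also skips the check entirely whenever an IPsec connection carries the same name as the CCD entry (field [1] is presumably the connection name, given the error text); if that is meant to let an existing entry be re-saved under its own name, a one-line comment saying so would help, because as written, unless something elsewhere forbids it, a user can also sidestep the check by picking the name of an existing IPsec connection. The enclosing sub checksubnets continues past this hunk.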
@@ -472,9 +456,6 @@ sub checksubnets
if (($ownnet{'ORANGE_NETADDRESS'} ne '' && $ownnet{'ORANGE_NETADDRESS'} ne '0.0.0.0') && &IpInSubnet($ownnet{'ORANGE_NETADDRESS'},$ip,&iporsubtodec($cidr))){ $errormessage=$Lang::tr{'ccd err orange'};return $errormessage;}
if (($ownnet{'BLUE_NETADDRESS'} ne '' && $ownnet{'BLUE_NETADDRESS'} ne '0.0.0.0') && &IpInSubnet($ownnet{'BLUE_NETADDRESS'},$ip,&iporsubtodec($cidr))){ $errormessage=$Lang::tr{'ccd err blue'};return $errormessage;}
if (($ownnet{'RED_NETADDRESS'} ne '' && $ownnet{'RED_NETADDRESS'} ne '0.0.0.0') && &IpInSubnet($ownnet{'RED_NETADDRESS'},$ip,&iporsubtodec($cidr))){ $errormessage=$Lang::tr{'ccd err red'};return $errormessage;}
-
-
-
}
diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootfiles/common/armv5tel/initscripts
index 90f9be161..1a613ac34 100644
--- a/config/rootfiles/common/armv5tel/initscripts
+++ b/config/rootfiles/common/armv5tel/initscripts
@@ -73,6 +73,7 @@ etc/rc.d/init.d/networking/red.down/10-ovpn
etc/rc.d/init.d/networking/red.down/20-RL-firewall
etc/rc.d/init.d/networking/red.down/99-D-dialctrl.pl
#etc/rc.d/init.d/networking/red.up
+etc/rc.d/init.d/networking/red.up/01-conntrack-cleanup
etc/rc.d/init.d/networking/red.up/05-RS-dnsmasq
etc/rc.d/init.d/networking/red.up/10-miniupnpd
etc/rc.d/init.d/networking/red.up/10-multicast
diff --git a/config/rootfiles/common/conntrack-tools b/config/rootfiles/common/conntrack-tools
new file mode 100644
index 000000000..5ce29aa4a
--- /dev/null
+++ b/config/rootfiles/common/conntrack-tools
@@ -0,0 +1,6 @@
+usr/sbin/conntrack
+#usr/sbin/conntrackd
+#usr/sbin/nfct
+#usr/share/man/man8/conntrack.8
+#usr/share/man/man8/conntrackd.8
+#usr/share/man/man8/nfct.8
diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts
index 737e87847..f26e2446d 100644
--- a/config/rootfiles/common/i586/initscripts
+++ b/config/rootfiles/common/i586/initscripts
@@ -75,6 +75,7 @@ etc/rc.d/init.d/networking/red.down/10-ovpn
etc/rc.d/init.d/networking/red.down/20-RL-firewall
etc/rc.d/init.d/networking/red.down/99-D-dialctrl.pl
#etc/rc.d/init.d/networking/red.up
+etc/rc.d/init.d/networking/red.up/01-conntrack-cleanup
etc/rc.d/init.d/networking/red.up/05-RS-dnsmasq
etc/rc.d/init.d/networking/red.up/10-miniupnpd
etc/rc.d/init.d/networking/red.up/10-multicast
diff --git a/config/rootfiles/common/iptables b/config/rootfiles/common/iptables
index d30cbf569..39225a43b 100644
--- a/config/rootfiles/common/iptables
+++ b/config/rootfiles/common/iptables
@@ -140,6 +140,18 @@ sbin/xtables-multi
#usr/include/libiptc/xtcshared.h
#usr/include/libipulog
#usr/include/libipulog/libipulog.h
+#usr/include/libnetfilter_conntrack
+#usr/include/libnetfilter_conntrack/libnetfilter_conntrack.h
+#usr/include/libnetfilter_conntrack/libnetfilter_conntrack_dccp.h
+#usr/include/libnetfilter_conntrack/libnetfilter_conntrack_icmp.h
+#usr/include/libnetfilter_conntrack/libnetfilter_conntrack_ipv4.h
+#usr/include/libnetfilter_conntrack/libnetfilter_conntrack_ipv6.h
+#usr/include/libnetfilter_conntrack/libnetfilter_conntrack_sctp.h
+#usr/include/libnetfilter_conntrack/libnetfilter_conntrack_tcp.h
+#usr/include/libnetfilter_conntrack/libnetfilter_conntrack_udp.h
+#usr/include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h
+#usr/include/libnetfilter_cttimeout
+#usr/include/libnetfilter_cttimeout/libnetfilter_cttimeout.h
#usr/include/libnetfilter_queue
#usr/include/libnetfilter_queue/libipq.h
#usr/include/libnetfilter_queue/libnetfilter_queue.h
@@ -149,14 +161,9 @@ sbin/xtables-multi
#usr/include/libnfnetlink/linux_nfnetlink.h
#usr/include/libnfnetlink/linux_nfnetlink_compat.h
#usr/include/linux/netfilter/Kbuild
-#usr/include/linux/netfilter/ipset
#usr/include/linux/netfilter/ipset/Kbuild
-#usr/include/linux/netfilter/ipset/ip_set.h
#usr/include/linux/netfilter/ipset/ip_set_ahash.h
-#usr/include/linux/netfilter/ipset/ip_set_bitmap.h
#usr/include/linux/netfilter/ipset/ip_set_getport.h
-#usr/include/linux/netfilter/ipset/ip_set_hash.h
-#usr/include/linux/netfilter/ipset/ip_set_list.h
#usr/include/linux/netfilter/ipset/ip_set_timeout.h
#usr/include/linux/netfilter/ipset/pfxlen.h
#usr/include/linux/netfilter/nf_conntrack_amanda.h
@@ -171,23 +178,20 @@ sbin/xtables-multi
#usr/include/linux/netfilter/nf_conntrack_sip.h
#usr/include/linux/netfilter/nf_conntrack_snmp.h
#usr/include/linux/netfilter/nf_conntrack_tftp.h
-#usr/include/linux/netfilter/xt_AUDIT.h
-#usr/include/linux/netfilter/xt_CHECKSUM.h
-#usr/include/linux/netfilter/xt_CT.h
-#usr/include/linux/netfilter/xt_IDLETIMER.h
#usr/include/linux/netfilter/xt_IMQ.h
-#usr/include/linux/netfilter/xt_TEE.h
-#usr/include/linux/netfilter/xt_addrtype.h
-#usr/include/linux/netfilter/xt_cpu.h
-#usr/include/linux/netfilter/xt_devgroup.h
-#usr/include/linux/netfilter/xt_ipvs.h
#usr/include/linux/netfilter/xt_layer7.h
-#usr/include/linux/netfilter/xt_set.h
-#usr/include/linux/netfilter/xt_socket.h
#usr/include/net/netfilter
#usr/include/net/netfilter/nf_conntrack_tuple.h
#usr/include/net/netfilter/nf_nat.h
#usr/include/xtables.h
+#usr/lib/libnetfilter_conntrack.la
+usr/lib/libnetfilter_conntrack.so
+usr/lib/libnetfilter_conntrack.so.3
+usr/lib/libnetfilter_conntrack.so.3.4.0
+#usr/lib/libnetfilter_cttimeout.la
+usr/lib/libnetfilter_cttimeout.so
+usr/lib/libnetfilter_cttimeout.so.1
+usr/lib/libnetfilter_cttimeout.so.1.0.0
#usr/lib/libnetfilter_queue.a
#usr/lib/libnetfilter_queue.la
usr/lib/libnetfilter_queue.so
@@ -207,6 +211,8 @@ usr/lib/libnfnetlink.so.0.2.0
#usr/lib/pkgconfig/libip6tc.pc
#usr/lib/pkgconfig/libipq.pc
#usr/lib/pkgconfig/libiptc.pc
+#usr/lib/pkgconfig/libnetfilter_conntrack.pc
+#usr/lib/pkgconfig/libnetfilter_cttimeout.pc
#usr/lib/pkgconfig/libnetfilter_queue.pc
#usr/lib/pkgconfig/libnfnetlink.pc
#usr/lib/pkgconfig/xtables.pc
diff --git a/config/rootfiles/common/libmnl b/config/rootfiles/common/libmnl
new file mode 100644
index 000000000..36732c442
--- /dev/null
+++ b/config/rootfiles/common/libmnl
@@ -0,0 +1,7 @@
+#usr/include/libmnl
+#usr/include/libmnl/libmnl.h
+#usr/lib/libmnl.la
+usr/lib/libmnl.so
+usr/lib/libmnl.so.0
+usr/lib/libmnl.so.0.1.0
+#usr/lib/pkgconfig/libmnl.pc
diff --git a/config/rootfiles/core/66/filelists/conntrack-tools b/config/rootfiles/core/66/filelists/conntrack-tools
new file mode 120000
index 000000000..88fbe061e
--- /dev/null
+++ b/config/rootfiles/core/66/filelists/conntrack-tools
@@ -0,0 +1 @@
+../../../common/conntrack-tools
\ No newline at end of file
diff --git a/config/rootfiles/core/66/filelists/files b/config/rootfiles/core/66/filelists/files
index bf51301d7..91142e0c4 100644
--- a/config/rootfiles/core/66/filelists/files
+++ b/config/rootfiles/core/66/filelists/files
@@ -7,6 +7,7 @@ etc/rc.d/init.d/halt
etc/rc.d/init.d/leds
etc/rc.d/init.d/mountfs
etc/rc.d/init.d/network
+etc/rc.d/init.d/networking/red.up/01-conntrack-cleanup
etc/rc.d/init.d/networking/red.up/98-leds
etc/rc.d/init.d/partresize
etc/rc.d/init.d/reboot
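Review bot: The update filelist gains the red.up script and, via the new symlinks, `usr/sbin/conntrack` and libmnl, but nothing in this commit pulls in the iptables rootfile, which is where `usr/lib/libnetfilter_conntrack.so.3` and `usr/lib/libnetfilter_cttimeout.so.1` are added. Unless `core/66/filelists` already links `../../../common/iptables`, an updated system would receive the conntrack binary without the libraries it links against and `01-conntrack-cleanup` would fail on every red.up; please confirm the iptables filelist is part of core 66 or add the symlink alongside the conntrack-tools and libmnl ones.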
diff --git a/config/rootfiles/core/66/filelists/libmnl b/config/rootfiles/core/66/filelists/libmnl
new file mode 120000
index 000000000..f671c4175
--- /dev/null
+++ b/config/rootfiles/core/66/filelists/libmnl
@@ -0,0 +1 @@
+../../../common/libmnl
\ No newline at end of file
diff --git a/lfs/conntrack-tools b/lfs/conntrack-tools
new file mode 100644
index 000000000..f5ea3157b
--- /dev/null
+++ b/lfs/conntrack-tools
@@ -0,0 +1,77 @@
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2007-2013 IPFire Team #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see . #
+# #
+###############################################################################
+
+###############################################################################
+# Definitions
+###############################################################################
+
+include Config
+
+VER = 1.2.2
+
+THISAPP = conntrack-tools-$(VER)
+DL_FILE = $(THISAPP).tar.bz2
+DL_FROM = $(URL_IPFIRE)
+DIR_APP = $(DIR_SRC)/$(THISAPP)
+TARGET = $(DIR_INFO)/$(THISAPP)
+
+###############################################################################
+# Top-level Rules
+###############################################################################
+
+objects = $(DL_FILE)
+
+$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
+
+$(DL_FILE)_MD5 = a8afc813e16265655f83991fc0df35b6
+
+install : $(TARGET)
+
+check : $(patsubst %,$(DIR_CHK)/%,$(objects))
+
+download :$(patsubst %,$(DIR_DL)/%,$(objects))
+
+md5 : $(subst %,%_MD5,$(objects))
+
+###############################################################################
+# Downloading, checking, md5sum
+###############################################################################
+
+$(patsubst %,$(DIR_CHK)/%,$(objects)) :
+ @$(CHECK)
+
+$(patsubst %,$(DIR_DL)/%,$(objects)) :
+ @$(LOAD)
+
+$(subst %,%_MD5,$(objects)) :
+ @$(MD5)
+
+###############################################################################
+# Installation Details
+###############################################################################
+
+$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
+ @$(PREBUILD)
+ @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
+ cd $(DIR_APP) && ./configure --prefix=/usr
+ cd $(DIR_APP) && make $(MAKETUNING)
+ cd $(DIR_APP) && make install
+ @rm -rf $(DIR_APP)
+ @$(POSTBUILD)
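Review bot: The only integrity check on the download is the `$(DL_FILE)_MD5` line, which follows the rest of the tree, but MD5 is not collision-resistant and the archive is fetched from the project mirror (`DL_FROM = $(URL_IPFIRE)`) rather than from upstream, so that single line is the whole chain of trust back to the upstream release. It would help reviewers and future bumps to record, in a comment next to it, that the mirrored tarball was verified against upstream's published checksum or signature before upload, e.g. `# checksum confirmed against upstream release signature` — and the same applies to the new libmnl file.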
diff --git a/lfs/iptables b/lfs/iptables
index ceb560d95..a247ba7b3 100644
--- a/lfs/iptables
+++ b/lfs/iptables
@@ -1,7 +1,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007 Michael Tremer & Christian Schmidt #
+# Copyright (C) 2007-2013 IPFire Team #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -38,17 +38,23 @@ TARGET = $(DIR_INFO)/$(THISAPP)
objects = $(DL_FILE) \
netfilter-layer7-v2.22.tar.gz \
libnfnetlink-1.0.0.tar.bz2 \
- libnetfilter_queue-0.0.17.tar.bz2
+ libnetfilter_queue-0.0.17.tar.bz2 \
+ libnetfilter_conntrack-1.0.2.tar.bz2 \
+ libnetfilter_cttimeout-1.0.0.tar.bz2
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
netfilter-layer7-v2.22.tar.gz = $(URL_IPFIRE)/netfilter-layer7-v2.22.tar.gz
libnfnetlink-1.0.0.tar.bz2 = $(URL_IPFIRE)/libnfnetlink-1.0.0.tar.bz2
libnetfilter_queue-0.0.17.tar.bz2 = $(URL_IPFIRE)/libnetfilter_queue-0.0.17.tar.bz2
+libnetfilter_conntrack-1.0.2.tar.bz2 = $(URL_IPFIRE)/libnetfilter_conntrack-1.0.2.tar.bz2
+libnetfilter_cttimeout-1.0.0.tar.bz2 = $(URL_IPFIRE)/libnetfilter_cttimeout-1.0.0.tar.bz2
$(DL_FILE)_MD5 = 5ab24ad683f76689cfe7e0c73f44855d
netfilter-layer7-v2.22.tar.gz_MD5 = 98dff8a3d5a31885b73341633f69501f
libnfnetlink-1.0.0.tar.bz2_MD5 = 016fdec8389242615024c529acc1adb8
libnetfilter_queue-0.0.17.tar.bz2_MD5 = 2cde35e678ead3a8f9eb896bf807a159
+libnetfilter_conntrack-1.0.2.tar.bz2_MD5 = 447114b5d61bb9a9617ead3217c3d3ff
+libnetfilter_cttimeout-1.0.0.tar.bz2_MD5 = 7697437fc9ebb6f6b83df56a633db7f9
install : $(TARGET)
@@ -124,5 +130,15 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
cd $(DIR_SRC)/libnetfilter_queue-0.0.17 && make $(MAKETUNING) $(EXTRA_MAKE)
cd $(DIR_SRC)/libnetfilter_queue-0.0.17 && make install
+ cd $(DIR_SRC) && tar xfj $(DIR_DL)/libnetfilter_conntrack-1.0.2.tar.bz2
+ cd $(DIR_SRC)/libnetfilter_conntrack-1.0.2 && ./configure --prefix=/usr
+ cd $(DIR_SRC)/libnetfilter_conntrack-1.0.2 && make $(MAKETUNING) $(EXTRA_MAKE)
+ cd $(DIR_SRC)/libnetfilter_conntrack-1.0.2 && make install
+
+ cd $(DIR_SRC) && tar xfj $(DIR_DL)/libnetfilter_cttimeout-1.0.0.tar.bz2
+ cd $(DIR_SRC)/libnetfilter_cttimeout-1.0.0 && ./configure --prefix=/usr
+ cd $(DIR_SRC)/libnetfilter_cttimeout-1.0.0 && make $(MAKETUNING) $(EXTRA_MAKE)
+ cd $(DIR_SRC)/libnetfilter_cttimeout-1.0.0 && make install
+
@rm -rf $(DIR_APP) $(DIR_SRC)/libnfnetlink-1.0.0 $(DIR_SRC)/netfilter-layer7* $(DIR_SRC)/libnetfilter_queue-0.0.17
@$(POSTBUILD)
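Review bot: The cleanup line `@rm -rf $(DIR_APP) $(DIR_SRC)/libnfnetlink-1.0.0 $(DIR_SRC)/netfilter-layer7* $(DIR_SRC)/libnetfilter_queue-0.0.17` was not extended for the two source trees the new lines unpack, so `libnetfilter_conntrack-1.0.2` and `libnetfilter_cttimeout-1.0.0` are left behind in `$(DIR_SRC)` after the build; append `$(DIR_SRC)/libnetfilter_conntrack-1.0.2 $(DIR_SRC)/libnetfilter_cttimeout-1.0.0` to that line. The new `tar xfj` steps also extract over any leftover directory from a previous run instead of removing it first, which matches the existing libnetfilter_queue steps but means a stale tree is reused silently.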
diff --git a/lfs/libmnl b/lfs/libmnl
new file mode 100644
index 000000000..5341e4b7c
--- /dev/null
+++ b/lfs/libmnl
@@ -0,0 +1,77 @@
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2007-2013 IPFire Team #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see . #
+# #
+###############################################################################
+
+###############################################################################
+# Definitions
+###############################################################################
+
+include Config
+
+VER = 1.0.3
+
+THISAPP = libmnl-$(VER)
+DL_FILE = $(THISAPP).tar.bz2
+DL_FROM = $(URL_IPFIRE)
+DIR_APP = $(DIR_SRC)/$(THISAPP)
+TARGET = $(DIR_INFO)/$(THISAPP)
+
+###############################################################################
+# Top-level Rules
+###############################################################################
+
+objects = $(DL_FILE)
+
+$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
+
+$(DL_FILE)_MD5 = 7d95fc3bea3365bc03c48e484224f65f
+
+install : $(TARGET)
+
+check : $(patsubst %,$(DIR_CHK)/%,$(objects))
+
+download :$(patsubst %,$(DIR_DL)/%,$(objects))
+
+md5 : $(subst %,%_MD5,$(objects))
+
+###############################################################################
+# Downloading, checking, md5sum
+###############################################################################
+
+$(patsubst %,$(DIR_CHK)/%,$(objects)) :
+ @$(CHECK)
+
+$(patsubst %,$(DIR_DL)/%,$(objects)) :
+ @$(LOAD)
+
+$(subst %,%_MD5,$(objects)) :
+ @$(MD5)
+
+###############################################################################
+# Installation Details
+###############################################################################
+
+$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
+ @$(PREBUILD)
+ @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
+ cd $(DIR_APP) && ./configure --prefix=/usr
+ cd $(DIR_APP) && make $(MAKETUNING)
+ cd $(DIR_APP) && make install
+ @rm -rf $(DIR_APP)
+ @$(POSTBUILD)
diff --git a/make.sh b/make.sh
index 21808c968..b1d7cf6a9 100755
--- a/make.sh
+++ b/make.sh
@@ -509,7 +509,9 @@ buildipfire() {
ipfiremake mtools
ipfiremake initscripts
ipfiremake whatmask
+ ipfiremake libmnl
ipfiremake iptables
+ ipfiremake conntrack-tools
ipfiremake libupnp
ipfiremake ipaddr
ipfiremake iputils
diff --git a/src/initscripts/init.d/networking/red.up/01-conntrack-cleanup b/src/initscripts/init.d/networking/red.up/01-conntrack-cleanup
new file mode 100644
index 000000000..4bb43b9ed
--- /dev/null
+++ b/src/initscripts/init.d/networking/red.up/01-conntrack-cleanup
@@ -0,0 +1,25 @@
+#!/bin/bash
+############################################################################
+# conntrack-cleanup - remove conntrack entries with the last red ipaddress #
+############################################################################
+#
+
+curr_ip=`cat /var/ipfire/red/local-ipaddress 2>/dev/null`
+last_ip=`cat /var/lock/last-ipaddress 2>/dev/null`
+
+if [ "$curr_ip" == "$last_ip" ]; then
+ exit 0
+fi
+
+if [ -z "$curr_ip" ]; then
+ echo ERROR: cannot read current IP.
+ exit 1
+fi
+
+if [ ! -z "$last_ip" ]; then
+ conntrack -D -s $last_ip 2>&1 > /dev/null
+ conntrack -D -d $last_ip 2>&1 > /dev/null
+ conntrack -D -r $last_ip 2>&1 > /dev/null
+ conntrack -D -q $last_ip 2>&1 > /dev/null
+fi
+echo $curr_ip > /var/lock/last-ipaddress
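Review bot: `$last_ip` is read from `/var/lock/last-ipaddress` and passed unquoted and unvalidated to four `conntrack -D` invocations; the file is state this script writes itself, but anything other than a single dotted-quad in it (a stale or garbled file) is word-split straight into the conntrack command line, so check its shape once and quote it. The redirection `2>&1 > /dev/null` discards only stdout and sends stderr to the original stdout; if the aim is to silence conntrack entirely it should read `> /dev/null 2>&1`, and if stderr is meant to stay visible a short comment saying so would stop the next reader from "fixing" it — the fence below assumes full silence was intended. Separately, when both files are empty the first comparison exits 0 before the unreadable-current-IP error is reported; moving the `-z "$curr_ip"` test ahead of the equality check makes that failure visible.
```shell
# … unchanged: read curr_ip / last_ip, early exits …
if [ -n "$last_ip" ]; then
	# state we wrote ourselves, but refuse anything that is not a plain dotted-quad
	case "$last_ip" in
		*[!0-9.]*) echo "ERROR: unexpected last IP '$last_ip'"; exit 1 ;;
	esac
	for sel in -s -d -r -q; do
		conntrack -D "$sel" "$last_ip" > /dev/null 2>&1
	done
fi
# … unchanged: record curr_ip …
```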