From d1347595abe451baa2ad4b1a81c15e160135ecf0 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Wed, 3 Jul 2013 21:38:17 +0200 Subject: [PATCH 01/61] gperf: New package. --- config/rootfiles/common/gperf | 4 ++ lfs/gperf | 76 +++++++++++++++++++++++++++++++++++ make.sh | 1 + 3 files changed, 81 insertions(+) create mode 100644 config/rootfiles/common/gperf create mode 100644 lfs/gperf diff --git a/config/rootfiles/common/gperf b/config/rootfiles/common/gperf new file mode 100644 index 000000000..7c3a1cb61 --- /dev/null +++ b/config/rootfiles/common/gperf @@ -0,0 +1,4 @@ +#usr/bin/gperf +#usr/share/doc/gperf.html +#usr/share/info/gperf.info +#usr/share/man/man1/gperf.1 diff --git a/lfs/gperf b/lfs/gperf new file mode 100644 index 000000000..ac33857f1 --- /dev/null +++ b/lfs/gperf 
@@ -0,0 +1,76 @@ +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2013 IPFire Development Team # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see . # +# # +############################################################################### + +############################################################################### +# Definitions +############################################################################### + +include Config + +VER = 3.0.4 + +THISAPP = gperf-$(VER) +DL_FILE = $(THISAPP).tar.gz +DL_FROM = $(URL_IPFIRE) +DIR_APP = $(DIR_SRC)/$(THISAPP) +TARGET = $(DIR_INFO)/$(THISAPP) + +############################################################################### +# Top-level Rules +############################################################################### +objects = $(DL_FILE) + +$(DL_FILE) = $(DL_FROM)/$(DL_FILE) + +$(DL_FILE)_MD5 = c1f1db32fb6598d6a93e6e88796a8632 + +install : $(TARGET) + +check : $(patsubst %,$(DIR_CHK)/%,$(objects)) + +download :$(patsubst %,$(DIR_DL)/%,$(objects)) + +md5 : $(subst %,%_MD5,$(objects)) + +############################################################################### +# Downloading, checking, md5sum +############################################################################### + +$(patsubst %,$(DIR_CHK)/%,$(objects)) : + @$(CHECK) + +$(patsubst 
%,$(DIR_DL)/%,$(objects)) : + @$(LOAD) + +$(subst %,%_MD5,$(objects)) : + @$(MD5) + +############################################################################### +# Installation Details +############################################################################### + +$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) + @$(PREBUILD) + @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP) && ./configure --prefix=/usr --disable-nls + cd $(DIR_APP) && make $(MAKETUNING) + cd $(DIR_APP) && make install + @rm -rf $(DIR_APP) + @$(POSTBUILD) diff --git a/make.sh b/make.sh index 71df2c9b2..662f2c0de 100755 --- a/make.sh +++ b/make.sh @@ -333,6 +333,7 @@ buildbase() { lfsmake2 gettext lfsmake2 grep lfsmake2 groff + lfsmake2 gperf lfsmake2 gzip lfsmake2 inetutils lfsmake2 iproute2 From 3f7ae7b7158e6d15a273815c676e63794346fffe Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Thu, 4 Jul 2013 12:41:25 +0200 Subject: [PATCH 02/61] strongswan: Update to 5.1.0dr1. --- config/rootfiles/common/strongswan | 3 +++ lfs/strongswan | 8 +++++--- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/config/rootfiles/common/strongswan b/config/rootfiles/common/strongswan index 2d5d42b43..978802917 100644 --- a/config/rootfiles/common/strongswan +++ b/config/rootfiles/common/strongswan 
@@ -51,15 +51,18 @@ usr/lib/ipsec/plugins/libstrongswan-openssl.so usr/lib/ipsec/plugins/libstrongswan-pem.so usr/lib/ipsec/plugins/libstrongswan-pgp.so usr/lib/ipsec/plugins/libstrongswan-pkcs1.so +usr/lib/ipsec/plugins/libstrongswan-pkcs12.so usr/lib/ipsec/plugins/libstrongswan-pkcs7.so usr/lib/ipsec/plugins/libstrongswan-pkcs8.so usr/lib/ipsec/plugins/libstrongswan-pubkey.so usr/lib/ipsec/plugins/libstrongswan-random.so +usr/lib/ipsec/plugins/libstrongswan-rc2.so usr/lib/ipsec/plugins/libstrongswan-resolve.so usr/lib/ipsec/plugins/libstrongswan-revocation.so usr/lib/ipsec/plugins/libstrongswan-sha1.so usr/lib/ipsec/plugins/libstrongswan-sha2.so usr/lib/ipsec/plugins/libstrongswan-socket-default.so +usr/lib/ipsec/plugins/libstrongswan-sshkey.so usr/lib/ipsec/plugins/libstrongswan-stroke.so usr/lib/ipsec/plugins/libstrongswan-updown.so usr/lib/ipsec/plugins/libstrongswan-x509.so diff --git a/lfs/strongswan b/lfs/strongswan index b3ce846b7..c370181ff 100644 --- a/lfs/strongswan +++ b/lfs/strongswan @@ -24,12 +24,13 @@ include Config -VER = 5.0.4 +VER = 5.1.0dr1 +GIT_VER = 1d72875 THISAPP = strongswan-$(VER) DL_FILE = $(THISAPP).tar.gz DL_FROM = $(URL_IPFIRE) -DIR_APP = $(DIR_SRC)/$(THISAPP) +DIR_APP = $(DIR_SRC)/strongswan-$(GIT_VER) TARGET = $(DIR_INFO)/$(THISAPP) ifeq "$(MACHINE)" "i586" @@ -46,7 +47,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 7085ac1d28dcc250096553fa51c3a4ea +$(DL_FILE)_MD5 = c5698c2c56f3ce08e5515f375fc99cef install : $(TARGET) @@ -79,6 +80,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-4.5.3_ipfire.patch + cd $(DIR_APP) && [ -x "configure" ] || ./autogen.sh cd $(DIR_APP) && ./configure \ --prefix="/usr" \ --sysconfdir="/etc" \ From 82efdd4f22af3a3f37c99444c1ee65934920ea24 Mon Sep 17 00:00:00 2001 
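Review bot: The added recipe line `cd $(DIR_APP) && [ -x "configure" ] || ./autogen.sh` chains `&&` and `||` without grouping, so when the `cd` fails the `||` branch still runs `./autogen.sh`, in the build's current directory rather than in `$(DIR_APP)`, and the line's exit status then reflects autogen rather than the failed `cd`. Grouping the test keeps the intended meaning: `cd $(DIR_APP) && { [ -x configure ] || ./autogen.sh; }`. The `$(TARGET)` recipe this line belongs to starts and ends outside the hunk.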
From: Michael Tremer Date: Sun, 14 Jul 2013 12:58:38 +0200 Subject: [PATCH 03/61] strongswan: Update to 5.1.0dr2. --- lfs/strongswan | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/lfs/strongswan b/lfs/strongswan index c370181ff..372320705 100644 --- a/lfs/strongswan +++ b/lfs/strongswan @@ -24,13 +24,12 @@ include Config -VER = 5.1.0dr1 -GIT_VER = 1d72875 +VER = 5.1.0dr2 THISAPP = strongswan-$(VER) -DL_FILE = $(THISAPP).tar.gz +DL_FILE = $(THISAPP).tar.bz2 DL_FROM = $(URL_IPFIRE) -DIR_APP = $(DIR_SRC)/strongswan-$(GIT_VER) +DIR_APP = $(DIR_SRC)/strongswan-$(VER) TARGET = $(DIR_INFO)/$(THISAPP) ifeq "$(MACHINE)" "i586" @@ -47,7 +46,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = c5698c2c56f3ce08e5515f375fc99cef +$(DL_FILE)_MD5 = fce82d733d6aaaafdea652eb157ba45a install : $(TARGET) @@ -89,7 +88,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) --enable-eap-radius \ $(PADLOCK) - cd $(DIR_APP) && make $(MAKETUNING) + cd $(DIR_APP) && make $(MAKETUNING) LDFLAGS="-lrt" cd $(DIR_APP) && make install # Remove all library files we don't want or need. From 15be554282c3c424d5d9eab9de62f6fde4203585 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Tue, 16 Jul 2013 20:54:28 +0200 Subject: [PATCH 04/61] strongswan: Enable EAP authentication algorithms. --- config/rootfiles/common/strongswan | 10 ++++++++++ lfs/strongswan | 6 ++++++ 2 files changed, 16 insertions(+) diff --git a/config/rootfiles/common/strongswan b/config/rootfiles/common/strongswan index 2d5d42b43..c94ce6f3b 100644 --- a/config/rootfiles/common/strongswan +++ b/config/rootfiles/common/strongswan 
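Review bot: `make $(MAKETUNING) LDFLAGS="-lrt"` passes LDFLAGS as a command-line variable, which overrides rather than extends the LDFLAGS that `./configure` recorded in the generated Makefiles, so any linker flags configure or the environment set for this build are dropped from every link step. A library belongs in `LIBS`, and the natural place to add it is the `./configure` invocation earlier in the recipe, `LIBS="-lrt" ./configure ...`; if it must stay on the make line, `LDFLAGS="$(LDFLAGS) -lrt"` at least preserves what is already there. Whether configure currently emits hardening link flags that this clobbers is not visible in the hunk. The `$(TARGET)` recipe starts outside the hunk.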
@@ -31,6 +31,11 @@ usr/lib/ipsec/libradius.so.0.0.0 usr/lib/ipsec/libstrongswan.so usr/lib/ipsec/libstrongswan.so.0 usr/lib/ipsec/libstrongswan.so.0.0.0 +#usr/lib/ipsec/libtls.a +#usr/lib/ipsec/libtls.la +usr/lib/ipsec/libtls.so +usr/lib/ipsec/libtls.so.0 +usr/lib/ipsec/libtls.so.0.0.0 #usr/lib/ipsec/plugins usr/lib/ipsec/plugins/libstrongswan-aes.so usr/lib/ipsec/plugins/libstrongswan-attr.so @@ -39,7 +44,12 @@ usr/lib/ipsec/plugins/libstrongswan-constraints.so usr/lib/ipsec/plugins/libstrongswan-curl.so usr/lib/ipsec/plugins/libstrongswan-des.so usr/lib/ipsec/plugins/libstrongswan-dnskey.so +usr/lib/ipsec/plugins/libstrongswan-eap-identity.so +usr/lib/ipsec/plugins/libstrongswan-eap-mschapv2.so +usr/lib/ipsec/plugins/libstrongswan-eap-peap.so usr/lib/ipsec/plugins/libstrongswan-eap-radius.so +usr/lib/ipsec/plugins/libstrongswan-eap-tls.so +usr/lib/ipsec/plugins/libstrongswan-eap-ttls.so usr/lib/ipsec/plugins/libstrongswan-fips-prf.so usr/lib/ipsec/plugins/libstrongswan-gmp.so usr/lib/ipsec/plugins/libstrongswan-hmac.so diff --git a/lfs/strongswan b/lfs/strongswan index b3ce846b7..a6075a289 100644 --- a/lfs/strongswan +++ b/lfs/strongswan @@ -84,7 +84,13 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) --sysconfdir="/etc" \ --enable-curl \ --enable-openssl \ + --enable-xauth-eap \ --enable-eap-radius \ + --enable-eap-tls \ + --enable-eap-ttls \ + --enable-eap-peap \ + --enable-eap-mschapv2 \ + --enable-eap-identity \ $(PADLOCK) cd $(DIR_APP) && make $(MAKETUNING) From e0cdf670a3d79b6d607f7eade6d99743f5cd5769 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Tue, 16 Jul 2013 12:04:29 +0200 Subject: [PATCH 05/61] ipsecctrl: Re-read everything when configuration is reloaded. --- src/misc-progs/ipsecctrl.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/src/misc-progs/ipsecctrl.c b/src/misc-progs/ipsecctrl.c index 633004e23..365807c9e 100644 --- a/src/misc-progs/ipsecctrl.c +++ b/src/misc-progs/ipsecctrl.c 
@@ -144,8 +144,8 @@ void turn_connection_on(char *name, char *type) { "/usr/sbin/ipsec down %s >/dev/null", name); safe_system(command); - // Reload the configuration into the daemon. - safe_system("/usr/sbin/ipsec reload >/dev/null 2>&1"); + // Reload the configuration into the daemon (#10339). + ipsec_reload(); // Bring the connection up again. snprintf(command, STRING_SIZE - 1, @@ -169,7 +169,15 @@ void turn_connection_off (char *name) { safe_system(command); // Reload, so the connection is dropped. - safe_system("/usr/sbin/ipsec reload >/dev/null 2>&1"); + ipsec_reload(); +} + +void ipsec_reload() { + /* Re-read all configuration files and secrets and + * reload the daemon (#10339). + */ + safe_system("/usr/sbin/ipsec rereadall >/dev/null 2>&1"); + safe_system("/usr/sbin/ipsec reload >/dev/null 2>&1"); } int main(int argc, char *argv[]) { @@ -193,7 +201,7 @@ int main(int argc, char *argv[]) { } if (strcmp(argv[1], "R") == 0) { - safe_system("/usr/sbin/ipsec reload >/dev/null 2>&1"); + ipsec_reload(); exit(0); } From cdbe35044232c89db38f045c70b1ef1948f4d6e4 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Wed, 17 Jul 2013 18:53:13 +0200 Subject: [PATCH 06/61] openvpnctrl: Save the binary from crashing with wrong input. See #10390. --- src/misc-progs/openvpnctrl.c | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/src/misc-progs/openvpnctrl.c b/src/misc-progs/openvpnctrl.c index e366294b5..76916f147 100644 --- a/src/misc-progs/openvpnctrl.c +++ b/src/misc-progs/openvpnctrl.c @@ -362,6 +362,10 @@ char* calcTransferNetAddress(const connection* conn) { char *subnetmask = strdup(conn->transfer_subnet); char *address = strsep(&subnetmask, "/"); + if ((address == NULL) || (subnetmask == NULL)) { + goto ERROR; + } + in_addr_t _address = inet_addr(address); in_addr_t _subnetmask = inet_addr(subnetmask); _address &= _subnetmask; 
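Review bot: `ipsec_reload()` is called in `turn_connection_on` (first hunk) and `turn_connection_off` before its definition appears, and no prototype is added; unless one exists in a header outside this diff, both calls rely on an implicit declaration, which C99 removed and which compilers warn about (an error under `-Werror`). Declare it near the top of the file, `void ipsec_reload(void);`, and make the definition `void ipsec_reload(void) {` so the empty parameter list is explicit. Moving the definition above `turn_connection_on` would also work. The same code appears again as patch 20/61 later in this series, with the same diff index `633004e23..365807c9e` as patch 05/61, so it has the same issue.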
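Review bot: The new NULL check in `calcTransferNetAddress` handles a missing `/`, but the `inet_addr()` calls that follow are still unchecked: on a malformed address or mask `inet_addr()` returns `INADDR_NONE`, which is `0xFFFFFFFF` and indistinguishable from `255.255.255.255`, so garbage input yields a wrong transfer network instead of being rejected. `inet_aton()` reports failure separately: `struct in_addr a, m;` followed by `if (!inet_aton(address, &a) || !inet_aton(subnetmask, &m)) goto ERROR;`. The `ERROR` label and the release of the `strdup` buffer are outside the hunk, so I cannot tell whether the early exit frees `address`.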
@@ -496,12 +500,11 @@ void setFirewallRules(void) { local_subnet_address = getLocalSubnetAddress(conn); transfer_subnet_address = calcTransferNetAddress(conn); - if ((!local_subnet_address) || (!transfer_subnet_address)) - continue; - - snprintf(command, STRING_SIZE, "/sbin/iptables -t nat -A %s -s %s -j SNAT --to-source %s", - OVPNNAT, transfer_subnet_address, local_subnet_address); - executeCommand(command); + if ((local_subnet_address) && (transfer_subnet_address)) { + snprintf(command, STRING_SIZE, "/sbin/iptables -t nat -A %s -s %s -j SNAT --to-source %s", + OVPNNAT, transfer_subnet_address, local_subnet_address); + executeCommand(command); + } } conn = conn->next; From f48074bacbf1e3835ca8975d82e5dd2dc514bcb1 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Wed, 17 Jul 2013 19:58:20 +0200 Subject: [PATCH 07/61] ovpnmain.cgi: Add check for a valid N2N network. Fixes #10390. --- html/cgi-bin/ovpnmain.cgi | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index a4953ffe4..38dad1ded 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -3520,6 +3520,14 @@ if ($cgiparams{'TYPE'} eq 'net') { goto VPNCONF_ERROR; } + # Check if the input for the transfer net is valid. + if (!&General::validipandmask($cgiparams{'OVPN_SUBNET'})){ + $errormessage = $Lang::tr{'ccd err invalidnet'}; + unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!"; + rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!"; + goto VPNCONF_ERROR; + } + if ($cgiparams{'OVPN_SUBNET'} eq $vpnsettings{'DOVPN_SUBNET'}) { $errormessage = $Lang::tr{'openvpn subnet is used'}; unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!"; From 92b87e17f1497be27cc61038b4852b00e84f5d15 Mon Sep 17 00:00:00 2001 
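Review bot: Turning the `continue` into an `if` block does not change the NULL path itself: `local_subnet_address` and `transfer_subnet_address` come from helpers that, judging by `calcTransferNetAddress`'s `strdup`, presumably return heap strings, and when only one of them is NULL the other is never released before `conn = conn->next`. If the frees sit below the hunk they should run regardless of the condition; otherwise `free(local_subnet_address); free(transfer_subnet_address);` after the block (both are NULL-safe) keeps the loop leak-free. The enclosing `setFirewallRules` body starts and ends outside the hunk.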
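Review bot: The added `OVPN_SUBNET` check repeats the two-line temporary-config cleanup (`unlink ... or die`, `rmdir ... || die`) that the `DOVPN_SUBNET` check right below it already contains, and patch 14/61 in this series adds the same pair two more times; a small helper removes the copies and gives one place to fix the mixed `or`/`||` and the `die`, which turns a cleanup failure into a CGI 500 instead of an error message. The validator call itself is the right check for a dotted network/mask. Suggested helper and call site:
```perl
# Drop the N2N configuration that was written before validation finished.
sub remove_n2n_tempconf {
	my ($name) = @_;
	unlink("${General::swroot}/ovpn/n2nconf/$name/$name.conf") or die "Removing Configfile fail: $!";
	rmdir("${General::swroot}/ovpn/n2nconf/$name") or die "Removing Directory fail: $!";
}

# ... unchanged: earlier checks in the 'net' branch ...
	if (!&General::validipandmask($cgiparams{'OVPN_SUBNET'})){
		$errormessage = $Lang::tr{'ccd err invalidnet'};
		remove_n2n_tempconf($cgiparams{'NAME'});
		goto VPNCONF_ERROR;
	}
```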
From: Stefan Schantl Date: Wed, 17 Jul 2013 21:01:14 +0200 Subject: [PATCH 08/61] ovpnmain.cgi: Set mtu-disc to off if not configured. Fixes #10391. --- html/cgi-bin/ovpnmain.cgi | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 38dad1ded..8622f6d63 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -2339,6 +2339,9 @@ ADV_ERROR: if ($cgiparams{'LOG_VERB'} eq '') { $cgiparams{'LOG_VERB'} = '3'; } + if ($cgiparams{'PMTU_DISCOVERY'} eq '') { + $cgiparams{'PMTU_DISCOVERY'} = 'off'; + } $checked{'CLIENT2CLIENT'}{'off'} = ''; $checked{'CLIENT2CLIENT'}{'on'} = ''; $checked{'CLIENT2CLIENT'}{$cgiparams{'CLIENT2CLIENT'}} = 'CHECKED'; @@ -4155,6 +4158,9 @@ if ($cgiparams{'TYPE'} eq 'net') { $checked{'MSSFIX'}{'on'} = ''; $checked{'MSSFIX'}{$cgiparams{'MSSFIX'}} = 'CHECKED'; + if ($cgiparams{'PMTU_DISCOVERY'} eq '') { + $cgiparams{'PMTU_DISCOVERY'} = 'off'; + } $checked{'PMTU_DISCOVERY'}{$cgiparams{'PMTU_DISCOVERY'}} = 'checked=\'checked\''; From 3d454690b7e4a8b4b17b8db38a21a88c407de3e3 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Thu, 18 Jul 2013 13:06:42 +0200 Subject: [PATCH 09/61] vdr: Disable debugging logging. 3 is default and includes a lot of debugging output which leads to really heavy IO with installations with a lot of channels (satellite mainly). http://www.vdr-wiki.de/wiki/index.php/VDR_Optionen --- config/vdr/vdr.sysconfig | 2 +- lfs/vdr | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/config/vdr/vdr.sysconfig b/config/vdr/vdr.sysconfig index a1cebf10f..9c7906912 100644 --- a/config/vdr/vdr.sysconfig +++ b/config/vdr/vdr.sysconfig 
@@ -3,7 +3,7 @@ # The "master" options. Some examples of options you may want to set # here are -r, -t, and --rcu. See the vdr(1) man page for more info. # -VDR_OPTIONS=(--vfat) +VDR_OPTIONS=(--vfat --log=1) # VDR_PLUGIN_ORDER is a space separated list of plugins that should be # loaded in a specific order. This affects eg. the order the plugins' diff --git a/lfs/vdr b/lfs/vdr index 0dd2c0f46..b1feb0152 100644 --- a/lfs/vdr +++ b/lfs/vdr @@ -33,7 +33,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = vdr -PAK_VER = 6 +PAK_VER = 7 DEPS = "vdr_streamdev" From 1892a329f652188544a70ec0c614ef81c4f44acc Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Thu, 18 Jul 2013 13:10:22 +0200 Subject: [PATCH 10/61] vdr: Add /etc/sysconfig/vdr to backup. --- config/backup/includes/vdr | 1 + 1 file changed, 1 insertion(+) diff --git a/config/backup/includes/vdr b/config/backup/includes/vdr index 38bd82a44..a2b5d83f0 100644 --- a/config/backup/includes/vdr +++ b/config/backup/includes/vdr @@ -1 +1,2 @@ /etc/vdr +/etc/sysconfig/vdr From 0d33245b56127b333fd4cc63f9abbc09cab42116 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Thu, 18 Jul 2013 21:22:10 +0200 Subject: [PATCH 11/61] strongswan: Update rootfile. --- config/rootfiles/common/strongswan | 1 + 1 file changed, 1 insertion(+) diff --git a/config/rootfiles/common/strongswan b/config/rootfiles/common/strongswan index c94ce6f3b..627b8d2d0 100644 --- a/config/rootfiles/common/strongswan +++ b/config/rootfiles/common/strongswan @@ -73,6 +73,7 @@ usr/lib/ipsec/plugins/libstrongswan-socket-default.so usr/lib/ipsec/plugins/libstrongswan-stroke.so usr/lib/ipsec/plugins/libstrongswan-updown.so usr/lib/ipsec/plugins/libstrongswan-x509.so +usr/lib/ipsec/plugins/libstrongswan-xauth-eap.so usr/lib/ipsec/plugins/libstrongswan-xauth-generic.so usr/lib/ipsec/plugins/libstrongswan-xcbc.so #usr/libexec/ipsec From c92602f1615b9d1073de93e8653a743bc2d5bf81 Mon Sep 17 00:00:00 2001 
From: Arne Fitzenreiter Date: Fri, 19 Jul 2013 10:03:22 +0200 Subject: [PATCH 12/61] start core72. --- config/rootfiles/core/72/exclude | 17 +++++++ config/rootfiles/core/72/filelists/files | 3 ++ config/rootfiles/core/72/meta | 1 + config/rootfiles/core/72/update.sh | 62 ++++++++++++++++++++++++ make.sh | 2 +- 5 files changed, 84 insertions(+), 1 deletion(-) create mode 100644 config/rootfiles/core/72/exclude create mode 100644 config/rootfiles/core/72/filelists/files create mode 100644 config/rootfiles/core/72/meta create mode 100644 config/rootfiles/core/72/update.sh diff --git a/config/rootfiles/core/72/exclude b/config/rootfiles/core/72/exclude new file mode 100644 index 000000000..321a931ca --- /dev/null +++ b/config/rootfiles/core/72/exclude @@ -0,0 +1,17 @@ +srv/web/ipfire/html/proxy.pac +boot/config.txt +etc/udev/rules.d/30-persistent-network.rules +etc/collectd.custom +etc/shadow +etc/ipsec.conf +etc/ipsec.secrets +etc/ipsec.user.conf +etc/ipsec.user.secrets +var/log/cache +var/updatecache +etc/localtime +var/ipfire/ovpn +etc/ssh/ssh_config +etc/ssh/sshd_config +etc/ssl/openssl.cnf +var/state/dhcp/dhcpd.leases diff --git a/config/rootfiles/core/72/filelists/files b/config/rootfiles/core/72/filelists/files new file mode 100644 index 000000000..efa475945 --- /dev/null +++ b/config/rootfiles/core/72/filelists/files @@ -0,0 +1,3 @@ +etc/system-release +etc/issue +usr/local/bin/openvpnctrl diff --git a/config/rootfiles/core/72/meta b/config/rootfiles/core/72/meta new file mode 100644 index 000000000..d547fa86f --- /dev/null +++ b/config/rootfiles/core/72/meta @@ -0,0 +1 @@ +DEPS="" diff --git a/config/rootfiles/core/72/update.sh b/config/rootfiles/core/72/update.sh new file mode 100644 index 000000000..f365abb0e --- /dev/null +++ b/config/rootfiles/core/72/update.sh 
@@ -0,0 +1,62 @@ +#!/bin/bash +############################################################################ +# # +# This file is part of the IPFire Firewall. # +# # +# IPFire is free software; you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation; either version 3 of the License, or # +# (at your option) any later version. # +# # +# IPFire is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with IPFire; if not, write to the Free Software # +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # +# # +# Copyright (C) 2013 IPFire-Team . # +# # +############################################################################ +# +. /opt/pakfire/lib/functions.sh +/usr/local/bin/backupctrl exclude >/dev/null 2>&1 + +# +# Remove old core updates from pakfire cache to save space... +core=72 +for (( i=1; i<=$core; i++ )) +do + rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire +done + +# +#Stop services + + +# +#Extract files +extract_files + + +# +#Start services + +# +#Update Language cache +#perl -e "require '/var/ipfire/lang.pl'; &Lang::BuildCacheLang" + +sync + +# This update need a reboot... +#touch /var/run/need_reboot + +# +#Finish +/etc/init.d/fireinfo start +sendprofile +#Don't report the exitcode last command +exit 0 + diff --git a/make.sh b/make.sh index 88af89876..8ca36bf9c 100755 --- a/make.sh +++ b/make.sh 
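Review bot: The exit status of `extract_files` is discarded and the script ends with an unconditional `exit 0`, so a failed or partial extraction is still reported as a successfully applied core update, assuming pakfire inspects the status at all (the sourced `functions.sh` is not visible here). Checking the one step that actually installs files, `extract_files || exit 1`, would make a broken update visible without touching the deliberate `exit 0` after `sendprofile`. The cache-cleanup loop and the service hooks follow the existing update.sh template.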
@@ -25,7 +25,7 @@ NAME="IPFire" # Software name SNAME="ipfire" # Short name VERSION="2.13" # Version number -CORE="71" # Core Level (Filename) +CORE="72" # Core Level (Filename) PAKFIRE_CORE="71" # Core Level (PAKFIRE) GIT_BRANCH=`git status | head -n1 | cut -d" " -f4` # Git Branch SLOGAN="www.ipfire.org" # Software slogan From 6666897c5c4f6e328e56e66e53750a906ef04ee6 Mon Sep 17 00:00:00 2001 From: Arne Fitzenreiter Date: Fri, 19 Jul 2013 18:19:40 +0200 Subject: [PATCH 13/61] transmission: update to 2.81. --- lfs/transmission | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lfs/transmission b/lfs/transmission index b20ae8852..9d5dfa578 100644 --- a/lfs/transmission +++ b/lfs/transmission @@ -24,7 +24,7 @@ include Config -VER = 2.80 +VER = 2.81 THISAPP = transmission-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = transmission -PAK_VER = 7 +PAK_VER = 8 DEPS = "libevent2" @@ -44,7 +44,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 2bde600d4b0a75d0bd3784550d59a8af +$(DL_FILE)_MD5 = db1ad10ecff07150486dab2365ccb3a8 install : $(TARGET) From c125d8a2b4770e3cd63ef18ae720dd6e5fb8576c Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Wed, 17 Jul 2013 22:30:29 +0200 Subject: [PATCH 14/61] ovpnmain.cgi: Allow to keep the Remote field empty for N2N connections. * It's now possible to keep the Remote Host/IP field empty. * Cleaned up code. Fixes #10392. --- html/cgi-bin/ovpnmain.cgi | 55 +++++++++++++++++---------------------- 1 file changed, 24 insertions(+), 31 deletions(-) diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 8622f6d63..5e18d3cb5 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi 
@@ -127,21 +127,6 @@ sub sizeformat{ return("$newsize $units[$i]"); } -sub valid_dns_host { - my $hostname = $_[0]; - unless ($hostname) { return "No hostname"}; - my $res = new Net::DNS::Resolver; - my $query = $res->search("$hostname"); - if ($query) { - foreach my $rr ($query->answer) { - ## Potential bug - we are only looking at A records: - return 0 if $rr->type eq "A"; - } - } else { - return $res->errorstring; - } -} - sub cleanssldatabase { if (open(FILE, ">${General::swroot}/ovpn/certs/serial")) { @@ -982,7 +967,11 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General print SERVERCONF "persist-key\n"; print SERVERCONF "script-security 2\n"; print SERVERCONF "# IP/DNS for remote Server Gateway\n"; + + if ($cgiparams{'REMOTE'} ne '') { print SERVERCONF "remote $cgiparams{'REMOTE'}\n"; + } + print SERVERCONF "float\n"; print SERVERCONF "# IP adresses of the VPN Subnet\n"; print SERVERCONF "ifconfig $ovsubnet.1 $ovsubnet.2\n"; 
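Review bot: The `print SERVERCONF "remote $cgiparams{'REMOTE'}\n";` line that is now wrapped in `if ($cgiparams{'REMOTE'} ne '') { ... }` kept its old indentation, so it reads as a sibling of the `if` rather than its body; indent it one level to match the block. Nothing here re-validates the value, so this relies on the `REMOTE` checks in the form handler (changed further down in this commit) having run before the configuration is written; a short comment would help the next reader, e.g. `# REMOTE was validated as IP or FQDN by the form handler; it may be empty on the server side.`. The enclosing config-writing code starts and ends outside the hunk.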
@@ -3614,34 +3603,38 @@ if ($cgiparams{'TYPE'} eq 'net') { } } - if (($cgiparams{'TYPE'} eq 'net') && (! $cgiparams{'REMOTE'})) { + # Check if a remote host/IP has been set for the client. + if ($cgiparams{'REMOTE'} eq '' && $cgiparams{'SIDE'} ne 'server') { $errormessage = $Lang::tr{'invalid input for remote host/ip'}; + + # Check if this is a N2N connection and drop temporary config. if ($cgiparams{'TYPE'} eq 'net') { - unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!"; - rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!"; - } + unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!"; + rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!"; + } goto VPNCONF_ERROR; } - if ($cgiparams{'REMOTE'}) { + # Check if a remote host/IP has been configured - the field can be empty on the server side. + if ($cgiparams{'REMOTE'} ne '') { + + # Check if the given IP is valid - otherwise check if it is a valid domain. if (! &General::validip($cgiparams{'REMOTE'})) { + + # Check for a valid domain. if (! &General::validfqdn ($cgiparams{'REMOTE'})) { $errormessage = $Lang::tr{'invalid input for remote host/ip'}; - if ($cgiparams{'TYPE'} eq 'net') { - unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!"; - rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!"; - } - goto VPNCONF_ERROR; - } else { - if (&valid_dns_host($cgiparams{'REMOTE'})) { - $warnmessage = "$Lang::tr{'check vpn lr'} $cgiparams{'REMOTE'}. $Lang::tr{'dns check failed'}"; - if ($cgiparams{'TYPE'} eq 'net') { - } - } + # Check if this is a N2N connection and drop temporary config. 
+ if ($cgiparams{'TYPE'} eq 'net') { + unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!"; + rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!"; + } + goto VPNCONF_ERROR; } } } + if ($cgiparams{'TYPE'} ne 'host') { unless (&General::validipandmask($cgiparams{'LOCAL_SUBNET'})) { $errormessage = $Lang::tr{'local subnet is invalid'}; From 05f4061d10a1bacb9a3c60205d8d88b84f216d29 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Sat, 20 Jul 2013 12:49:46 +0200 Subject: [PATCH 15/61] ipsec: Add ECP cryptography. Allow selecting ECDH for IPsec VPN connections. --- html/cgi-bin/vpnmain.cgi | 28 +++++++++++++++++++++++----- 1 file changed, 23 insertions(+), 5 deletions(-) diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 26f179341..2e3ef9a57 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -316,9 +316,16 @@ sub writeipsecfiles { foreach my $j (@ints) { foreach my $k (@groups) { if ($comma != 0) { print CONF ","; } else { $comma = 1; } - print CONF "$i-$j-modp$k"; - } + + my @l = split("", $k); + if ($l[0] eq "e") { + shift @l; + print CONF "$i-$j-ecp".join("", @l); + } else { + print CONF "$i-$j-modp$k"; + } } + } } if ($lconfighash{$key}[24] eq 'on') { #only proposed algorythms? print CONF "!\n"; @@ -339,7 +346,12 @@ sub writeipsecfiles { foreach my $k (@groups) { if ($comma != 0) { print CONF ","; } else { $comma = 1; } if ($pfs eq "on") { - $modp = "-modp$k"; + my @l = split("", $k); + if ($l[0] eq "e") { + $modp = ""; + } else { + $modp = "-modp$k"; + } } else { $modp = ""; } @@ -411,7 +423,7 @@ sub writeipsecfiles { # Hook to regenerate the configuration files. if ($ENV{"REMOTE_ADDR"} eq "") { - writeipsecfiles; + writeipsecfiles(); exit(0); } 
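Review bot: The rewritten guard `if ($cgiparams{'REMOTE'} eq '' && $cgiparams{'SIDE'} ne 'server')` drops the old `$cgiparams{'TYPE'} eq 'net'` condition. If this validation block is also reached for host (roadwarrior) entries, which the `if ($cgiparams{'TYPE'} ne 'host')` check that follows suggests, a host entry with no `REMOTE` and no `SIDE` now fails with `'invalid input for remote host/ip'` where it previously passed. Keeping the type in the condition avoids that: `if ($cgiparams{'TYPE'} eq 'net' && $cgiparams{'REMOTE'} eq '' && $cgiparams{'SIDE'} ne 'server') {`. Removing `valid_dns_host` also means an unresolvable FQDN is now accepted silently; that looks intentional but deserves a line in the commit message.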
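Review bot: In the ESP proposal loop, the new branch sets `$modp = ""` whenever the group name starts with `e`, so with `$pfs eq "on"` and an ECP group selected the `esp=` proposal is written without any DH group (assuming `$modp` is appended as in the existing `-modp$k` case), which silently disables perfect forward secrecy for exactly the configurations that chose the stronger groups. strongSwan documents the same `ecp<bits>` group names for `esp=` as for `ike=`, so the IKE branch can be mirrored: `$modp = "-ecp" . substr($k, 1);` in place of the empty string. The IKE branch itself reads more simply as a regex, `if ($k =~ /^e(\d+)$/) { print CONF "$i-$j-ecp$1"; } else { print CONF "$i-$j-modp$k"; }`, instead of splitting into characters. `writeipsecfiles` continues outside the hunk.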
@@ -2111,7 +2123,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || goto ADVANCED_ERROR; } foreach my $val (@temp) { - if ($val !~ /^(1024|1536|2048|3072|4096|6144|8192)$/) { + if ($val !~ /^(e521|e384|e256|e224|e192|1024|1536|2048|3072|4096|6144|8192)$/) { $errormessage = $Lang::tr{'invalid input'}; goto ADVANCED_ERROR; } @@ -2147,6 +2159,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || } } if ($cgiparams{'ESP_GROUPTYPE'} ne '' && + $cgiparams{'ESP_GROUPTYPE'} !~ /^ecp(192|224|256|384|512)$/ && $cgiparams{'ESP_GROUPTYPE'} !~ /^modp(1024|1536|2048|3072|4096|6144|8192)$/) { $errormessage = $Lang::tr{'invalid input'}; goto ADVANCED_ERROR; @@ -2305,6 +2318,11 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || $Lang::tr{'ike grouptype'} + + + + + From 6ab7955c31ab01cf8fcac874fd5553bc9da89049 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Sat, 20 Jul 2013 18:47:51 +0200 Subject: [PATCH 18/61] Add IPsec ECP changes to core update 72. --- config/rootfiles/core/72/filelists/files | 1 + 1 file changed, 1 insertion(+) diff --git a/config/rootfiles/core/72/filelists/files b/config/rootfiles/core/72/filelists/files index efa475945..7ab00d485 100644 --- a/config/rootfiles/core/72/filelists/files +++ b/config/rootfiles/core/72/filelists/files @@ -1,3 +1,4 @@ etc/system-release etc/issue +srv/web/ipfire/cgi-bin/vpnmain.cgi usr/local/bin/openvpnctrl From 463f9edeb2034b0e0a360f372b9752cc1a0540cf Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Sun, 21 Jul 2013 20:33:36 +0200 Subject: [PATCH 19/61] network: red: Remove duplicate MRU option. --- src/initscripts/init.d/networking/red | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/initscripts/init.d/networking/red b/src/initscripts/init.d/networking/red index b33c03f13..28df55103 100644 --- a/src/initscripts/init.d/networking/red +++ b/src/initscripts/init.d/networking/red 
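Review bot: The new ESP check accepts `/^ecp(192|224|256|384|512)$/`, but the IKE list in the hunk above is `e521|e384|e256|e224|e192` and `writeipsecfiles` turns `e521` into `ecp521`; the NIST P-521 curve is `ecp521`, not `ecp512`, so a 521-bit ESP group is rejected as `invalid input` while a non-existent `ecp512` passes validation and only fails later in strongSwan. Change the alternation to `(192|224|256|384|521)`. The two regexes spell the same set differently; a single list constant used by both would keep them from drifting again.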
@@ -389,7 +389,7 @@ case "${1}" in # PPP_STD_OPTIONS="$PLUGOPTS $DNS defaultroute noipdefault noauth" PPP_STD_OPTIONS+=" default-asyncmap hide-password nodetach" - PPP_STD_OPTIONS+=" mru ${MRU} noaccomp nodeflate nopcomp novj novjccomp" + PPP_STD_OPTIONS+=" noaccomp nodeflate nopcomp novj novjccomp" PPP_STD_OPTIONS+=" nobsdcomp user ${USERNAME} lcp-echo-interval 20" PPP_STD_OPTIONS+=" lcp-echo-failure 5 ${AUTH}" From 8e2683f70da85bd099fdbdb70d47facac5246606 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Tue, 16 Jul 2013 12:04:29 +0200 Subject: [PATCH 20/61] ipsecctrl: Re-read everything when configuration is reloaded. --- src/misc-progs/ipsecctrl.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/src/misc-progs/ipsecctrl.c b/src/misc-progs/ipsecctrl.c index 633004e23..365807c9e 100644 --- a/src/misc-progs/ipsecctrl.c +++ b/src/misc-progs/ipsecctrl.c @@ -144,8 +144,8 @@ void turn_connection_on(char *name, char *type) { "/usr/sbin/ipsec down %s >/dev/null", name); safe_system(command); - // Reload the configuration into the daemon. - safe_system("/usr/sbin/ipsec reload >/dev/null 2>&1"); + // Reload the configuration into the daemon (#10339). + ipsec_reload(); // Bring the connection up again. snprintf(command, STRING_SIZE - 1, @@ -169,7 +169,15 @@ void turn_connection_off (char *name) { safe_system(command); // Reload, so the connection is dropped. - safe_system("/usr/sbin/ipsec reload >/dev/null 2>&1"); + ipsec_reload(); +} + +void ipsec_reload() { + /* Re-read all configuration files and secrets and + * reload the daemon (#10339). + */ + safe_system("/usr/sbin/ipsec rereadall >/dev/null 2>&1"); + safe_system("/usr/sbin/ipsec reload >/dev/null 2>&1"); } int main(int argc, char *argv[]) { @@ -193,7 +201,7 @@ int main(int argc, char *argv[]) { } if (strcmp(argv[1], "R") == 0) { - safe_system("/usr/sbin/ipsec reload >/dev/null 2>&1"); + ipsec_reload(); exit(0); } 
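Review bot: `ipsec_reload()` is defined in the `@@ -169` hunk, but its first call, in `turn_connection_on` in the `@@ -144` hunk, comes earlier in the file; unless a prototype exists outside these hunks that call relies on an implicit declaration, which C99 no longer allows and compilers at best warn about. Add `void ipsec_reload(void);` near the top of the file and make the definition `void ipsec_reload(void) {` so the empty parameter list is a real prototype rather than an unspecified one. The `rereadall` status is discarded before `reload` runs, matching the code it replaces; a short comment noting that the two steps are intentionally unconditional would help the next reader.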
From aea35c5aca126e10d6aeb803b5c929b136ca9f97 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Thu, 25 Jul 2013 16:46:54 +0200 Subject: [PATCH 21/61] vpnmain.cgi: Use MODP groups with smaller key lengths by default. https://bugzilla.ipfire.org/show_bug.cgi?id=10396 --- html/cgi-bin/vpnmain.cgi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 2e3ef9a57..58645c39c 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -1840,7 +1840,7 @@ END #use default advanced value $cgiparams{'IKE_ENCRYPTION'} = 'aes256|aes192|aes128|3des'; #[18]; $cgiparams{'IKE_INTEGRITY'} = 'sha2_256|sha|md5'; #[19]; - $cgiparams{'IKE_GROUPTYPE'} = '8192|6144|4096|3072|2048|1536|1024'; #[20]; + $cgiparams{'IKE_GROUPTYPE'} = '4096|3072|2048|1536|1024'; #[20]; $cgiparams{'IKE_LIFETIME'} = '3'; #[16]; $cgiparams{'ESP_ENCRYPTION'} = 'aes256|aes192|aes128|3des'; #[21]; $cgiparams{'ESP_INTEGRITY'} = 'sha2_256|sha1|md5'; #[22]; From b312967ce3f9d66dbc6b8521d70725eafd1b68e3 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Fri, 19 Jul 2013 11:40:14 +0200 Subject: [PATCH 22/61] tor: New package. --- config/backup/includes/tor | 1 + config/rootfiles/common/armv5tel/initscripts | 1 + config/rootfiles/common/i586/initscripts | 1 + config/rootfiles/packages/tor | 25 +++++ config/tor/defaults-torrc | 3 + config/tor/tor.logrotate | 13 +++ lfs/tor | 110 +++++++++++++++++++ make.sh | 1 + src/initscripts/init.d/tor | 48 ++++++++ 9 files changed, 203 insertions(+) create mode 100644 config/backup/includes/tor create mode 100644 config/rootfiles/packages/tor create mode 100644 config/tor/defaults-torrc create mode 100644 config/tor/tor.logrotate create mode 100644 lfs/tor create mode 100644 src/initscripts/init.d/tor diff --git a/config/backup/includes/tor b/config/backup/includes/tor new file mode 100644 index 000000000..02fc3edea --- /dev/null +++ b/config/backup/includes/tor @@ -0,0 +1 @@ +/etc/tor 
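Review bot: The new `IKE_GROUPTYPE` default still proposes `1536` and `1024` (MODP groups 5 and 2), which were already below the 2048-bit minimum recommended for new IKE deployments when this commit was written; trimming 8192 and 6144 from the top leaves that unchanged. If the motivation in the bug referenced by the commit message is the cost of the very large groups, `'4096|3072|2048'` removes them without keeping weak groups on by default; if peer interoperability is the reason for retaining them, a comment on the line such as `# 1024/1536 kept for compatibility with older peers` would record it. This assignment sits inside a block that starts before the hunk.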
diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootfiles/common/armv5tel/initscripts
index ff6d73188..25fca8db4 100644
--- a/config/rootfiles/common/armv5tel/initscripts
+++ b/config/rootfiles/common/armv5tel/initscripts
@@ -126,6 +126,7 @@ etc/rc.d/init.d/teamspeak
 etc/rc.d/init.d/template
 #etc/rc.d/init.d/tftpd
 etc/rc.d/init.d/tmpfs
+#etc/rc.d/init.d/tor
 etc/rc.d/init.d/udev
 etc/rc.d/init.d/udev_retry
 etc/rc.d/init.d/upnpd
diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts
index 55cee863d..3aca59ece 100644
--- a/config/rootfiles/common/i586/initscripts
+++ b/config/rootfiles/common/i586/initscripts
@@ -128,6 +128,7 @@ etc/rc.d/init.d/teamspeak
 etc/rc.d/init.d/template
 #etc/rc.d/init.d/tftpd
 etc/rc.d/init.d/tmpfs
+#etc/rc.d/init.d/tor
 #etc/rc.d/init.d/transmission
 etc/rc.d/init.d/udev
 etc/rc.d/init.d/udev_retry
diff --git a/config/rootfiles/packages/tor b/config/rootfiles/packages/tor
new file mode 100644
index 000000000..7f4502f30
--- /dev/null
+++ b/config/rootfiles/packages/tor
@@ -0,0 +1,25 @@
+#etc/logrotate.d
+etc/logrotate.d/tor
+etc/rc.d/init.d/tor
+#etc/tor
+etc/tor/tor-tsocks.conf
+etc/tor/torrc
+usr/bin/tor
+usr/bin/tor-gencert
+usr/bin/tor-resolve
+usr/bin/torify
+#usr/share/doc/tor
+#usr/share/doc/tor/tor-gencert.html
+#usr/share/doc/tor/tor-resolve.html
+#usr/share/doc/tor/tor.html
+#usr/share/doc/tor/torify.html
+#usr/share/man/man1/tor-gencert.1
+#usr/share/man/man1/tor-resolve.1
+#usr/share/man/man1/tor.1
+#usr/share/man/man1/torify.1
+usr/share/tor
+usr/share/tor/defaults-torrc
+usr/share/tor/geoip
+var/ipfire/backup/addons/includes/tor
+var/lib/tor
+var/log/tor
diff --git a/config/tor/defaults-torrc b/config/tor/defaults-torrc
new file mode 100644
index 000000000..703d821fe
--- /dev/null
+++ b/config/tor/defaults-torrc
@@ -0,0 +1,3 @@
+DataDirectory /var/lib/tor
+User nobody
+Log notice syslog
diff --git a/config/tor/tor.logrotate b/config/tor/tor.logrotate
new file mode 100644
index 000000000..49fe00294
--- /dev/null
+++ b/config/tor/tor.logrotate
@@ -0,0 +1,13 @@
+/var/log/tor/*.log {
+ daily
+ rotate 5
+ compress
+ delaycompress
+ missingok
+ notifempty
+ create 0640 nobody nobody
+ sharedscripts
+ postrotate
+ /etc/init.d/tor reload >/dev/null 2>&1 || :
+ endscript
+}
diff --git a/lfs/tor b/lfs/tor
new file mode 100644
index 000000000..559ca5b02
--- /dev/null
+++ b/lfs/tor
@@ -0,0 +1,110 @@
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2007 Michael Tremer & Christian Schmidt #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see . #
+# #
+###############################################################################
+
+###############################################################################
+# Definitions
+###############################################################################
+
+include Config
+
+VER = 0.2.3.25
+
+THISAPP = tor-$(VER)
+DL_FILE = $(THISAPP).tar.gz
+DL_FROM = $(URL_IPFIRE)
+DIR_APP = $(DIR_SRC)/$(THISAPP)
+TARGET = $(DIR_INFO)/$(THISAPP)
+PROG = tor
+PAK_VER = 1
+
+DEPS = "libevent2"
+
+###############################################################################
+# Top-level Rules
+###############################################################################
+
+objects = $(DL_FILE)
+
+$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
+
+$(DL_FILE)_MD5 = a1c364189a9a66ed9daa8e6436489daf
+
+install : $(TARGET)
+
+check : $(patsubst %,$(DIR_CHK)/%,$(objects))
+
+download :$(patsubst %,$(DIR_DL)/%,$(objects))
+
+md5 : $(subst %,%_MD5,$(objects))
+
+dist:
+ @$(PAK)
+
+###############################################################################
+# Downloading, checking, md5sum
+###############################################################################
+
+$(patsubst %,$(DIR_CHK)/%,$(objects)) :
+ @$(CHECK)
+
+$(patsubst %,$(DIR_DL)/%,$(objects)) :
+ @$(LOAD)
+
+$(subst %,%_MD5,$(objects)) :
+ @$(MD5)
+
+###############################################################################
+# Installation Details
+###############################################################################
+
+$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
+ @$(PREBUILD)
+ @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
+ cd $(DIR_APP) && \
+ ./configure \
+ --prefix=/usr \
+ --sysconfdir=/etc \
+ --localstatedir=/var \
+ --with-tor-user=nobody \
+ --with-tor-group=nobody
+
+ cd $(DIR_APP) && make $(MAKETUNING)
+ cd $(DIR_APP) && make install
+
+ # Install configuration file.
+ mv /etc/tor/torrc{.sample,}
+
+ mkdir -pv /var/lib/tor /var/log/tor
+ chown nobody:nobody /var/lib/tor
+
+ # Logrotate
+ mkdir -pv /etc/logrotate.d
+ install -v -m 644 $(DIR_SRC)/config/tor/tor.logrotate \
+ /etc/logrotate.d/tor
+
+ # Defaults
+ mkdir -pv /usr/share/tor
+ install -v -m 644 $(DIR_SRC)/config/tor/defaults-torrc \
+ /usr/share/tor/defaults-torrc
+
+ install -v -m 644 $(DIR_SRC)/config/backup/includes/tor \
+ /var/ipfire/backup/addons/includes/tor
+ @rm -rf $(DIR_APP)
+ @$(POSTBUILD)
diff --git a/make.sh b/make.sh
index 8ca36bf9c..e2dc1700d 100755
--- a/make.sh
+++ b/make.sh
@@ -779,6 +779,7 @@ buildipfire() {
 ipfiremake perl-File-Tail
 ipfiremake perl-TimeDate
 ipfiremake swatch
+ ipfiremake tor
 echo Build on $HOSTNAME > $BASEDIR/build/var/ipfire/firebuild
 cat /proc/version >> $BASEDIR/build/var/ipfire/firebuild
 echo >> $BASEDIR/build/var/ipfire/firebuild
diff --git a/src/initscripts/init.d/tor b/src/initscripts/init.d/tor
new file mode 100644
index 000000000..6ae03130e
--- /dev/null
+++ b/src/initscripts/init.d/tor
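Review bot: The daemon is built to run as `nobody` (`--with-tor-user=nobody`, `--with-tor-group=nobody`, `chown nobody:nobody /var/lib/tor`, and `User nobody` in config/tor/defaults-torrc), an account shared with other unprivileged services, so tor's long-term identity keys under `/var/lib/tor` are readable and replaceable by any other process running as `nobody`. A dedicated `tor` user and group, created in this recipe and used in the `chown` here, in the two `--with-tor-*` options and in the `create 0640 nobody nobody` line of the logrotate file, would confine the key material to the daemon that owns it. If the shared account is a deliberate choice for this platform, a comment at the `chown` line saying so would make the trade-off explicit.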
@@ -0,0 +1,48 @@
+#!/bin/sh
+########################################################################
+# Begin $rc_base/init.d/tor
+#
+# Description : Anonymizing overlay network for TCP
+#
+########################################################################
+
+. /etc/sysconfig/rc
+. ${rc_functions}
+
+case "${1}" in
+ start)
+ boot_mesg "Starting tor..."
+ loadproc /usr/bin/tor \
+ --runasdaemon 1 \
+ --defaults-torrc /usr/share/tor/defaults-torrc \
+ -f /etc/tor/torrc \
+ --quiet
+ ;;
+
+ stop)
+ boot_mesg "Stopping tor..."
+ killproc /usr/bin/tor
+ ;;
+
+ reload)
+ boot_mesg "Reloading tor..."
+ reloadproc /usr/bin/tor
+ ;;
+
+ restart)
+ ${0} stop
+ sleep 1
+ ${0} start
+ ;;
+
+ status)
+ statusproc /usr/bin/tor
+ ;;
+
+ *)
+ echo "Usage: ${0} {start|stop|reload|restart|status}"
+ exit 1
+ ;;
+esac
+
+# End $rc_base/init.d/tor
From ce33eb3e3b2422954081bdf7c8cfd3fc8af8ede0 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Fri, 19 Jul 2013 14:34:14 +0200
Subject: [PATCH 23/61] arm: New package. Resource monitor for tor.
---
 config/rootfiles/packages/arm | 166 ++++++++++++++++++++++++++++++++++
 lfs/arm | 82 +++++++++++++++++
 make.sh | 1 +
 3 files changed, 249 insertions(+)
 create mode 100644 config/rootfiles/packages/arm
 create mode 100644 lfs/arm
diff --git a/config/rootfiles/packages/arm b/config/rootfiles/packages/arm
new file mode 100644
index 000000000..eb9d128d4
--- /dev/null
+++ b/config/rootfiles/packages/arm
@@ -0,0 +1,166 @@
+usr/bin/arm
+#usr/share/arm
+#usr/share/arm-1.4.5.0-py2.7.egg-info
+usr/share/arm/TorCtl
+usr/share/arm/TorCtl/GeoIPSupport.py
+usr/share/arm/TorCtl/GeoIPSupport.pyc
+usr/share/arm/TorCtl/PathSupport.py
+usr/share/arm/TorCtl/PathSupport.pyc
+usr/share/arm/TorCtl/SQLSupport.py
+usr/share/arm/TorCtl/SQLSupport.pyc
+usr/share/arm/TorCtl/ScanSupport.py
+usr/share/arm/TorCtl/ScanSupport.pyc
+usr/share/arm/TorCtl/StatsSupport.py
+usr/share/arm/TorCtl/StatsSupport.pyc
+usr/share/arm/TorCtl/TorCtl.py
+usr/share/arm/TorCtl/TorCtl.pyc
+usr/share/arm/TorCtl/TorUtil.py
+usr/share/arm/TorCtl/TorUtil.pyc
+usr/share/arm/TorCtl/__init__.py
+usr/share/arm/TorCtl/__init__.pyc
+usr/share/arm/TorCtl/example.py
+usr/share/arm/TorCtl/example.pyc
+usr/share/arm/__init__.py
+usr/share/arm/__init__.pyc
+usr/share/arm/cli
+usr/share/arm/cli/__init__.py
+usr/share/arm/cli/__init__.pyc
+usr/share/arm/cli/configPanel.py
+usr/share/arm/cli/configPanel.pyc
+usr/share/arm/cli/connections
+usr/share/arm/cli/connections/__init__.py
+usr/share/arm/cli/connections/__init__.pyc
+usr/share/arm/cli/connections/circEntry.py
+usr/share/arm/cli/connections/circEntry.pyc
+usr/share/arm/cli/connections/connEntry.py
+usr/share/arm/cli/connections/connEntry.pyc
+usr/share/arm/cli/connections/connPanel.py
+usr/share/arm/cli/connections/connPanel.pyc
+usr/share/arm/cli/connections/countPopup.py
+usr/share/arm/cli/connections/countPopup.pyc
+usr/share/arm/cli/connections/descriptorPopup.py
+usr/share/arm/cli/connections/descriptorPopup.pyc
+usr/share/arm/cli/connections/entries.py
+usr/share/arm/cli/connections/entries.pyc
+usr/share/arm/cli/controller.py
+usr/share/arm/cli/controller.pyc
+usr/share/arm/cli/graphing
+usr/share/arm/cli/graphing/__init__.py
+usr/share/arm/cli/graphing/__init__.pyc
+usr/share/arm/cli/graphing/bandwidthStats.py
+usr/share/arm/cli/graphing/bandwidthStats.pyc
+usr/share/arm/cli/graphing/connStats.py
+usr/share/arm/cli/graphing/connStats.pyc
+usr/share/arm/cli/graphing/graphPanel.py
+usr/share/arm/cli/graphing/graphPanel.pyc
+usr/share/arm/cli/graphing/resourceStats.py
+usr/share/arm/cli/graphing/resourceStats.pyc
+usr/share/arm/cli/headerPanel.py
+usr/share/arm/cli/headerPanel.pyc
+usr/share/arm/cli/interpretorPanel.py
+usr/share/arm/cli/interpretorPanel.pyc
+usr/share/arm/cli/logPanel.py
+usr/share/arm/cli/logPanel.pyc
+usr/share/arm/cli/menu
+usr/share/arm/cli/menu/__init__.py
+usr/share/arm/cli/menu/__init__.pyc
+usr/share/arm/cli/menu/actions.py
+usr/share/arm/cli/menu/actions.pyc
+usr/share/arm/cli/menu/item.py
+usr/share/arm/cli/menu/item.pyc
+usr/share/arm/cli/menu/menu.py
+usr/share/arm/cli/menu/menu.pyc
+usr/share/arm/cli/popups.py
+usr/share/arm/cli/popups.pyc
+usr/share/arm/cli/torrcPanel.py
+usr/share/arm/cli/torrcPanel.pyc
+usr/share/arm/cli/wizard.py
+usr/share/arm/cli/wizard.pyc
+usr/share/arm/gui
+usr/share/arm/gui/__init__.py
+usr/share/arm/gui/__init__.pyc
+usr/share/arm/gui/arm.xml
+usr/share/arm/gui/configPanel.py
+usr/share/arm/gui/configPanel.pyc
+usr/share/arm/gui/connections
+usr/share/arm/gui/connections/__init__.py
+usr/share/arm/gui/connections/__init__.pyc
+usr/share/arm/gui/connections/circEntry.py
+usr/share/arm/gui/connections/circEntry.pyc
+usr/share/arm/gui/connections/connEntry.py
+usr/share/arm/gui/connections/connEntry.pyc
+usr/share/arm/gui/connections/connPanel.py
+usr/share/arm/gui/connections/connPanel.pyc
+usr/share/arm/gui/controller.py
+usr/share/arm/gui/controller.pyc
+usr/share/arm/gui/generalPanel.py
+usr/share/arm/gui/generalPanel.pyc
+usr/share/arm/gui/graphing
+usr/share/arm/gui/graphing/__init__.py
+usr/share/arm/gui/graphing/__init__.pyc
+usr/share/arm/gui/graphing/bandwidthStats.py
+usr/share/arm/gui/graphing/bandwidthStats.pyc
+usr/share/arm/gui/graphing/graphPanel.py
+usr/share/arm/gui/graphing/graphPanel.pyc
+usr/share/arm/gui/logPanel.py
+usr/share/arm/gui/logPanel.pyc
+usr/share/arm/prereq.py
+usr/share/arm/prereq.pyc
+#usr/share/arm/resources
+#usr/share/arm/resources/arm.1
+#usr/share/arm/resources/exitNotice
+#usr/share/arm/resources/exitNotice/how_tor_works_thumb.png
+#usr/share/arm/resources/exitNotice/index.html
+#usr/share/arm/resources/startTor
+#usr/share/arm/resources/tor-arm.desktop
+#usr/share/arm/resources/tor-arm.svg
+#usr/share/arm/resources/torConfigDesc.txt
+#usr/share/arm/resources/torrcOverride
+#usr/share/arm/resources/torrcOverride/override.c
+#usr/share/arm/resources/torrcOverride/override.h
+#usr/share/arm/resources/torrcOverride/override.py
+#usr/share/arm/resources/torrcTemplate.txt
+usr/share/arm/settings.cfg
+usr/share/arm/starter.py
+usr/share/arm/starter.pyc
+usr/share/arm/test.py
+usr/share/arm/test.pyc
+#usr/share/arm/uninstall
+usr/share/arm/util
+usr/share/arm/util/__init__.py
+usr/share/arm/util/__init__.pyc
+usr/share/arm/util/conf.py
+usr/share/arm/util/conf.pyc
+usr/share/arm/util/connections.py
+usr/share/arm/util/connections.pyc
+usr/share/arm/util/enum.py
+usr/share/arm/util/enum.pyc
+usr/share/arm/util/gtkTools.py
+usr/share/arm/util/gtkTools.pyc
+usr/share/arm/util/hostnames.py
+usr/share/arm/util/hostnames.pyc
+usr/share/arm/util/log.py
+usr/share/arm/util/log.pyc
+usr/share/arm/util/panel.py
+usr/share/arm/util/panel.pyc
+usr/share/arm/util/procName.py
+usr/share/arm/util/procName.pyc
+usr/share/arm/util/procTools.py
+usr/share/arm/util/procTools.pyc
+usr/share/arm/util/sysTools.py
+usr/share/arm/util/sysTools.pyc
+usr/share/arm/util/textInput.py
+usr/share/arm/util/textInput.pyc
+usr/share/arm/util/torConfig.py
+usr/share/arm/util/torConfig.pyc
+usr/share/arm/util/torInterpretor.py
+usr/share/arm/util/torInterpretor.pyc
+usr/share/arm/util/torTools.py
+usr/share/arm/util/torTools.pyc
+usr/share/arm/util/uiTools.py
+usr/share/arm/util/uiTools.pyc
+usr/share/arm/version.py
+usr/share/arm/version.pyc
+#usr/share/doc/arm
+#usr/share/doc/arm/armrc.sample
+#usr/share/man/man1/arm.1.gz
diff --git a/lfs/arm b/lfs/arm
new file mode 100644
index 000000000..3c042a42e
--- /dev/null
+++ b/lfs/arm
@@ -0,0 +1,82 @@
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2007 Michael Tremer & Christian Schmidt #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see . #
+# #
+###############################################################################
+
+###############################################################################
+# Definitions
+###############################################################################
+
+include Config
+
+VER = 1.4.5.0
+
+THISAPP = arm-$(VER)
+DL_FILE = $(THISAPP).tar.bz2
+DL_FROM = $(URL_IPFIRE)
+DIR_APP = $(DIR_SRC)/arm
+TARGET = $(DIR_INFO)/$(THISAPP)
+PROG = arm
+PAK_VER = 1
+
+DEPS = ""
+
+###############################################################################
+# Top-level Rules
+###############################################################################
+
+objects = $(DL_FILE)
+
+$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
+
+$(DL_FILE)_MD5 = f85f306e50b90796ab7097d948e8fcf2
+
+install : $(TARGET)
+
+check : $(patsubst %,$(DIR_CHK)/%,$(objects))
+
+download :$(patsubst %,$(DIR_DL)/%,$(objects))
+
+md5 : $(subst %,%_MD5,$(objects))
+
+dist:
+ @$(PAK)
+
+###############################################################################
+# Downloading, checking, md5sum
+###############################################################################
+
+$(patsubst %,$(DIR_CHK)/%,$(objects)) :
+ @$(CHECK)
+
+$(patsubst %,$(DIR_DL)/%,$(objects)) :
+ @$(LOAD)
+
+$(subst %,%_MD5,$(objects)) :
+ @$(MD5)
+
+###############################################################################
+# Installation Details
+###############################################################################
+
+$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
+ @$(PREBUILD)
+ @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
+ cd $(DIR_APP) && ./install
+ @rm -rf $(DIR_APP)
+ @$(POSTBUILD)
diff --git a/make.sh b/make.sh
index e2dc1700d..f74288d53 100755
--- a/make.sh
+++ b/make.sh
@@ -780,6 +780,7 @@ buildipfire() {
 ipfiremake perl-TimeDate
 ipfiremake swatch
 ipfiremake tor
+ ipfiremake arm
 echo Build on $HOSTNAME > $BASEDIR/build/var/ipfire/firebuild
 cat /proc/version >> $BASEDIR/build/var/ipfire/firebuild
 echo >> $BASEDIR/build/var/ipfire/firebuild
From 295649ff27854d6899dd72f4dd587dbee45d74ff Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Tue, 30 Jul 2013 21:39:50 +0200
Subject: [PATCH 24/61] tor: Configuration file updates.
---
 config/backup/includes/tor | 3 +++
 config/rootfiles/packages/tor | 3 +++
 lfs/tor | 11 +++++++----
 3 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/config/backup/includes/tor b/config/backup/includes/tor
index 02fc3edea..bff495611 100644
--- a/config/backup/includes/tor
+++ b/config/backup/includes/tor
@@ -1 +1,4 @@
 /etc/tor
+/var/ipfire/tor
+/var/lib/tor/fingerprint
+/var/lib/tor/keys
diff --git a/config/rootfiles/packages/tor b/config/rootfiles/packages/tor
index 7f4502f30..864db663c 100644
--- a/config/rootfiles/packages/tor
+++ b/config/rootfiles/packages/tor
@@ -21,5 +21,8 @@ usr/share/tor
 usr/share/tor/defaults-torrc
 usr/share/tor/geoip
 var/ipfire/backup/addons/includes/tor
+var/ipfire/tor
+var/ipfire/tor/settings
+var/ipfire/tor/torrc
 var/lib/tor
 var/log/tor
diff --git a/lfs/tor b/lfs/tor
index 559ca5b02..a61ac400f 100644
--- a/lfs/tor
+++ b/lfs/tor
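Review bot: `DEPS = ""` in lfs/arm declares no package dependency, although the commit describes arm as a resource monitor for tor and the tor package from the previous commit declares `DEPS = "libevent2"` through the same mechanism; unless arm is meant to be installable without a local tor, `DEPS = "tor"` lets the package manager pull it in. `DIR_APP = $(DIR_SRC)/arm` departs from the `$(DIR_SRC)/$(THISAPP)` convention used in lfs/tor and lfs/gperf, presumably because the tarball unpacks into `arm`; a comment saying so would explain why `rm -rf $(DIR_APP)` targets that path. `cd $(DIR_APP) && ./install` runs the upstream install script as root with no arguments or destination, so a one-line comment on what it installs (the rootfile lists `usr/bin/arm` and `usr/share/arm`) would document the step.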
@@ -88,11 +88,14 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 cd $(DIR_APP) && make $(MAKETUNING)
 cd $(DIR_APP) && make install

- # Install configuration file.
- mv /etc/tor/torrc{.sample,}
+ # Install configuration files.
+ mkdir -pv /var/ipfire/tor /var/lib/tor /var/log/tor
+ touch /var/ipfire/tor/settings
+ mv /etc/tor/torrc.sample /var/ipfire/tor/torrc
+ ln -svf /var/ipfire/tor/torrc /etc/tor/torrc

- mkdir -pv /var/lib/tor /var/log/tor
- chown nobody:nobody /var/lib/tor
+ # Adjust ownerships.
+ chown nobody:nobody /var/lib/tor /var/ipfire/tor

 # Logrotate
 mkdir -pv /etc/logrotate.d
From 13b5ce6e4068de1719ba69b67ea5b96291b7fe71 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Tue, 30 Jul 2013 21:53:16 +0200
Subject: [PATCH 25/61] tor: Import CGI script.
---
 config/rootfiles/packages/tor | 1 +
 doc/language_issues.de | 4 +
 doc/language_issues.en | 6 +
 doc/language_issues.es | 46 ++
 doc/language_issues.fr | 46 ++
 doc/language_issues.nl | 46 ++
 doc/language_issues.pl | 46 ++
 doc/language_issues.ru | 46 ++
 doc/language_issues.tr | 46 ++
 doc/language_missings | 200 ++++++++
 html/cgi-bin/tor.cgi | 895 ++++++++++++++++++++++++++++++++++
 langs/de/cgi-bin/de.pl | 43 ++
 langs/en/cgi-bin/en.pl | 45 ++
 13 files changed, 1470 insertions(+)
 create mode 100644 html/cgi-bin/tor.cgi
diff --git a/config/rootfiles/packages/tor b/config/rootfiles/packages/tor
index 864db663c..53ca8b0c4 100644
--- a/config/rootfiles/packages/tor
+++ b/config/rootfiles/packages/tor
@@ -21,6 +21,7 @@ usr/share/tor
 usr/share/tor/defaults-torrc
 usr/share/tor/geoip
 var/ipfire/backup/addons/includes/tor
+srv/web/ipfire/cgi-bin/tor.cgi
 var/ipfire/tor
 var/ipfire/tor/settings
 var/ipfire/tor/torrc
diff --git a/doc/language_issues.de b/doc/language_issues.de
index 3b6e117ec..bbe5e1de7 100644
--- a/doc/language_issues.de
+++ b/doc/language_issues.de
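Review bot: `chown nobody:nobody /var/lib/tor /var/ipfire/tor` is not recursive, so `/var/ipfire/tor/settings` (created by `touch`) and `/var/ipfire/tor/torrc` (moved from the `make install` output) remain owned by root; if the web interface runs as `nobody`, as the directory ownership suggests, it can create new files in that directory but cannot overwrite those two in place. Either list them explicitly, `chown nobody:nobody /var/lib/tor /var/ipfire/tor /var/ipfire/tor/settings /var/ipfire/tor/torrc`, or use `chown -R nobody:nobody /var/ipfire/tor`. The configuration read by the root-started daemon then becomes writable by the shared `nobody` account; a comment at `# Adjust ownerships.` stating that the CGI needs write access there would record that trade-off. The `$(TARGET)` recipe starts and ends outside the hunk.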
@@ -406,6 +406,10 @@ WARNING: translation string unused: to email adr WARNING: translation string unused: to install an update WARNING: translation string unused: to warn email bad WARNING: translation string unused: too long 80 char max +WARNING: translation string unused: tor accounting period daily +WARNING: translation string unused: tor accounting period monthly +WARNING: translation string unused: tor accounting period weekly +WARNING: translation string unused: tor exit country WARNING: translation string unused: traffic back WARNING: translation string unused: traffic calc time WARNING: translation string unused: traffic calc time bad diff --git a/doc/language_issues.en b/doc/language_issues.en index 8f530a3f3..12489577b 100644 --- a/doc/language_issues.en +++ b/doc/language_issues.en @@ -437,6 +437,12 @@ WARNING: translation string unused: to email adr WARNING: translation string unused: to install an update WARNING: translation string unused: to warn email bad WARNING: translation string unused: too long 80 char max +WARNING: translation string unused: tor accounting period daily +WARNING: translation string unused: tor accounting period monthly +WARNING: translation string unused: tor accounting period weekly +WARNING: translation string unused: tor bridge enabled +WARNING: translation string unused: tor errmsg invalid node id +WARNING: translation string unused: tor exit country WARNING: translation string unused: traffic back WARNING: translation string unused: traffic calc time WARNING: translation string unused: traffic calc time bad diff --git a/doc/language_issues.es b/doc/language_issues.es index 2258d1b55..7756f2644 100644 --- a/doc/language_issues.es +++ b/doc/language_issues.es 
@@ -549,6 +549,13 @@ WARNING: untranslated string: ccd routes WARNING: untranslated string: ccd subnet WARNING: untranslated string: ccd used WARNING: untranslated string: deprecated fs warn +WARNING: untranslated string: dnsforward +WARNING: untranslated string: dnsforward add a new entry +WARNING: untranslated string: dnsforward configuration +WARNING: untranslated string: dnsforward edit an entry +WARNING: untranslated string: dnsforward entries +WARNING: untranslated string: dnsforward forward_server +WARNING: untranslated string: dnsforward zone WARNING: untranslated string: emerging rules WARNING: untranslated string: fireinfo ipfire version WARNING: untranslated string: fireinfo is disabled 
@@ -618,6 +625,45 @@ WARNING: untranslated string: routing table WARNING: untranslated string: server restart WARNING: untranslated string: static routes WARNING: untranslated string: system information +WARNING: untranslated string: tor accounting +WARNING: untranslated string: tor accounting bytes +WARNING: untranslated string: tor accounting bytes left +WARNING: untranslated string: tor accounting interval +WARNING: untranslated string: tor accounting limit +WARNING: untranslated string: tor accounting period +WARNING: untranslated string: tor acls +WARNING: untranslated string: tor allowed subnets +WARNING: untranslated string: tor bandwidth burst +WARNING: untranslated string: tor bandwidth rate +WARNING: untranslated string: tor bandwidth settings +WARNING: untranslated string: tor bandwidth unlimited +WARNING: untranslated string: tor common settings +WARNING: untranslated string: tor configuration +WARNING: untranslated string: tor connected relays +WARNING: untranslated string: tor contact info +WARNING: untranslated string: tor do not advertise relay +WARNING: untranslated string: tor enabled +WARNING: untranslated string: tor errmsg invalid ip or mask +WARNING: untranslated string: tor exit country any +WARNING: untranslated string: tor exit nodes +WARNING: untranslated string: tor relay address +WARNING: untranslated string: tor relay configuration +WARNING: untranslated string: tor relay enabled +WARNING: untranslated string: tor relay external address +WARNING: untranslated string: tor relay fingerprint +WARNING: untranslated string: tor relay mode +WARNING: untranslated string: tor relay mode bridge +WARNING: untranslated string: tor relay mode exit +WARNING: untranslated string: tor relay mode private bridge +WARNING: untranslated string: tor relay mode relay +WARNING: untranslated string: tor relay nickname +WARNING: untranslated string: tor relay port +WARNING: untranslated string: tor socks port +WARNING: untranslated string: tor stats +WARNING: 
untranslated string: tor traffic limit hard +WARNING: untranslated string: tor traffic limit soft +WARNING: untranslated string: tor traffic read written +WARNING: untranslated string: tor use exit nodes WARNING: untranslated string: uptime load average WARNING: untranslated string: visit us at WARNING: untranslated string: vpn keyexchange diff --git a/doc/language_issues.fr b/doc/language_issues.fr index 58f44541a..21fa1ad17 100644 --- a/doc/language_issues.fr +++ b/doc/language_issues.fr @@ -549,6 +549,13 @@ WARNING: untranslated string: ccd subnet WARNING: untranslated string: ccd used WARNING: untranslated string: deprecated fs warn WARNING: untranslated string: dns address deleted txt +WARNING: untranslated string: dnsforward +WARNING: untranslated string: dnsforward add a new entry +WARNING: untranslated string: dnsforward configuration +WARNING: untranslated string: dnsforward edit an entry +WARNING: untranslated string: dnsforward entries +WARNING: untranslated string: dnsforward forward_server +WARNING: untranslated string: dnsforward zone WARNING: untranslated string: emerging rules WARNING: untranslated string: fireinfo ipfire version WARNING: untranslated string: fireinfo is disabled 
@@ -603,6 +610,45 @@ WARNING: untranslated string: server restart WARNING: untranslated string: snort working WARNING: untranslated string: static routes WARNING: untranslated string: system information +WARNING: untranslated string: tor accounting +WARNING: untranslated string: tor accounting bytes +WARNING: untranslated string: tor accounting bytes left +WARNING: untranslated string: tor accounting interval +WARNING: untranslated string: tor accounting limit +WARNING: untranslated string: tor accounting period +WARNING: untranslated string: tor acls +WARNING: untranslated string: tor allowed subnets +WARNING: untranslated string: tor bandwidth burst +WARNING: untranslated string: tor bandwidth rate +WARNING: untranslated string: tor bandwidth settings +WARNING: untranslated string: tor bandwidth unlimited +WARNING: untranslated string: tor common settings +WARNING: untranslated string: tor configuration +WARNING: untranslated string: tor connected relays +WARNING: untranslated string: tor contact info +WARNING: untranslated string: tor do not advertise relay +WARNING: untranslated string: tor enabled +WARNING: untranslated string: tor errmsg invalid ip or mask +WARNING: untranslated string: tor exit country any +WARNING: untranslated string: tor exit nodes +WARNING: untranslated string: tor relay address +WARNING: untranslated string: tor relay configuration +WARNING: untranslated string: tor relay enabled +WARNING: untranslated string: tor relay external address +WARNING: untranslated string: tor relay fingerprint +WARNING: untranslated string: tor relay mode +WARNING: untranslated string: tor relay mode bridge +WARNING: untranslated string: tor relay mode exit +WARNING: untranslated string: tor relay mode private bridge +WARNING: untranslated string: tor relay mode relay +WARNING: untranslated string: tor relay nickname +WARNING: untranslated string: tor relay port +WARNING: untranslated string: tor socks port +WARNING: untranslated string: tor stats +WARNING: 
untranslated string: tor traffic limit hard +WARNING: untranslated string: tor traffic limit soft +WARNING: untranslated string: tor traffic read written +WARNING: untranslated string: tor use exit nodes WARNING: untranslated string: upload new ruleset WARNING: untranslated string: uptime load average WARNING: untranslated string: urlfilter file ext block diff --git a/doc/language_issues.nl b/doc/language_issues.nl index d7a7ff760..3a8f682b5 100644 --- a/doc/language_issues.nl +++ b/doc/language_issues.nl @@ -513,6 +513,13 @@ WARNING: untranslated string: age sminute WARNING: untranslated string: age ssecond WARNING: untranslated string: bytes WARNING: untranslated string: ccd iroute2 +WARNING: untranslated string: dnsforward +WARNING: untranslated string: dnsforward add a new entry +WARNING: untranslated string: dnsforward configuration +WARNING: untranslated string: dnsforward edit an entry +WARNING: untranslated string: dnsforward entries +WARNING: untranslated string: dnsforward forward_server +WARNING: untranslated string: dnsforward zone WARNING: untranslated string: new WARNING: untranslated string: outgoing firewall reserved groupname WARNING: untranslated string: qos enter bandwidths 
@@ -520,6 +527,45 @@ WARNING: untranslated string: route config changed
 WARNING: untranslated string: routing config added
 WARNING: untranslated string: routing config changed
 WARNING: untranslated string: routing table
+WARNING: untranslated string: tor accounting
+WARNING: untranslated string: tor accounting bytes
+WARNING: untranslated string: tor accounting bytes left
+WARNING: untranslated string: tor accounting interval
+WARNING: untranslated string: tor accounting limit
+WARNING: untranslated string: tor accounting period
+WARNING: untranslated string: tor acls
+WARNING: untranslated string: tor allowed subnets
+WARNING: untranslated string: tor bandwidth burst
+WARNING: untranslated string: tor bandwidth rate
+WARNING: untranslated string: tor bandwidth settings
+WARNING: untranslated string: tor bandwidth unlimited
+WARNING: untranslated string: tor common settings
+WARNING: untranslated string: tor configuration
+WARNING: untranslated string: tor connected relays
+WARNING: untranslated string: tor contact info
+WARNING: untranslated string: tor do not advertise relay
+WARNING: untranslated string: tor enabled
+WARNING: untranslated string: tor errmsg invalid ip or mask
+WARNING: untranslated string: tor exit country any
+WARNING: untranslated string: tor exit nodes
+WARNING: untranslated string: tor relay address
+WARNING: untranslated string: tor relay configuration
+WARNING: untranslated string: tor relay enabled
+WARNING: untranslated string: tor relay external address
+WARNING: untranslated string: tor relay fingerprint
+WARNING: untranslated string: tor relay mode
+WARNING: untranslated string: tor relay mode bridge
+WARNING: untranslated string: tor relay mode exit
+WARNING: untranslated string: tor relay mode private bridge
+WARNING: untranslated string: tor relay mode relay
+WARNING: untranslated string: tor relay nickname
+WARNING: untranslated string: tor relay port
+WARNING: untranslated string: tor socks port
+WARNING: untranslated string: tor stats
+WARNING: untranslated string: tor traffic limit hard
+WARNING: untranslated string: tor traffic limit soft
+WARNING: untranslated string: tor traffic read written
+WARNING: untranslated string: tor use exit nodes
 WARNING: untranslated string: uptime load average
 WARNING: untranslated string: wlan client
 WARNING: untranslated string: wlan client advanced settings
diff --git a/doc/language_issues.pl b/doc/language_issues.pl
index 2258d1b55..7756f2644 100644
--- a/doc/language_issues.pl
+++ b/doc/language_issues.pl
@@ -549,6 +549,13 @@ WARNING: untranslated string: ccd routes
 WARNING: untranslated string: ccd subnet
 WARNING: untranslated string: ccd used
 WARNING: untranslated string: deprecated fs warn
+WARNING: untranslated string: dnsforward
+WARNING: untranslated string: dnsforward add a new entry
+WARNING: untranslated string: dnsforward configuration
+WARNING: untranslated string: dnsforward edit an entry
+WARNING: untranslated string: dnsforward entries
+WARNING: untranslated string: dnsforward forward_server
+WARNING: untranslated string: dnsforward zone
 WARNING: untranslated string: emerging rules
 WARNING: untranslated string: fireinfo ipfire version
 WARNING: untranslated string: fireinfo is disabled
@@ -618,6 +625,45 @@ WARNING: untranslated string: routing table
 WARNING: untranslated string: server restart
 WARNING: untranslated string: static routes
 WARNING: untranslated string: system information
+WARNING: untranslated string: tor accounting
+WARNING: untranslated string: tor accounting bytes
+WARNING: untranslated string: tor accounting bytes left
+WARNING: untranslated string: tor accounting interval
+WARNING: untranslated string: tor accounting limit
+WARNING: untranslated string: tor accounting period
+WARNING: untranslated string: tor acls
+WARNING: untranslated string: tor allowed subnets
+WARNING: untranslated string: tor bandwidth burst
+WARNING: untranslated string: tor bandwidth rate
+WARNING: untranslated string: tor bandwidth settings
+WARNING: untranslated string: tor bandwidth unlimited
+WARNING: untranslated string: tor common settings
+WARNING: untranslated string: tor configuration
+WARNING: untranslated string: tor connected relays
+WARNING: untranslated string: tor contact info
+WARNING: untranslated string: tor do not advertise relay
+WARNING: untranslated string: tor enabled
+WARNING: untranslated string: tor errmsg invalid ip or mask
+WARNING: untranslated string: tor exit country any
+WARNING: untranslated string: tor exit nodes
+WARNING: untranslated string: tor relay address
+WARNING: untranslated string: tor relay configuration
+WARNING: untranslated string: tor relay enabled
+WARNING: untranslated string: tor relay external address
+WARNING: untranslated string: tor relay fingerprint
+WARNING: untranslated string: tor relay mode
+WARNING: untranslated string: tor relay mode bridge
+WARNING: untranslated string: tor relay mode exit
+WARNING: untranslated string: tor relay mode private bridge
+WARNING: untranslated string: tor relay mode relay
+WARNING: untranslated string: tor relay nickname
+WARNING: untranslated string: tor relay port
+WARNING: untranslated string: tor socks port
+WARNING: untranslated string: tor stats
+WARNING: untranslated string: tor traffic limit hard
+WARNING: untranslated string: tor traffic limit soft
+WARNING: untranslated string: tor traffic read written
+WARNING: untranslated string: tor use exit nodes
 WARNING: untranslated string: uptime load average
 WARNING: untranslated string: visit us at
 WARNING: untranslated string: vpn keyexchange
diff --git a/doc/language_issues.ru b/doc/language_issues.ru
index 7b8329523..324c47720 100644
--- a/doc/language_issues.ru
+++ b/doc/language_issues.ru
@@ -542,6 +542,13 @@ WARNING: untranslated string: ccd used
 WARNING: untranslated string: community rules
 WARNING: untranslated string: deprecated fs warn
 WARNING: untranslated string: disk access per
+WARNING: untranslated string: dnsforward
+WARNING: untranslated string: dnsforward add a new entry
+WARNING: untranslated string: dnsforward configuration
+WARNING: untranslated string: dnsforward edit an entry
+WARNING: untranslated string: dnsforward entries
+WARNING: untranslated string: dnsforward forward_server
+WARNING: untranslated string: dnsforward zone
 WARNING: untranslated string: emerging rules
 WARNING: untranslated string: extrahd because there is already a device mounted
 WARNING: untranslated string: extrahd cant umount
@@ -583,6 +590,45 @@ WARNING: untranslated string: routing config changed
 WARNING: untranslated string: routing table
 WARNING: untranslated string: server restart
 WARNING: untranslated string: static routes
+WARNING: untranslated string: tor accounting
+WARNING: untranslated string: tor accounting bytes
+WARNING: untranslated string: tor accounting bytes left
+WARNING: untranslated string: tor accounting interval
+WARNING: untranslated string: tor accounting limit
+WARNING: untranslated string: tor accounting period
+WARNING: untranslated string: tor acls
+WARNING: untranslated string: tor allowed subnets
+WARNING: untranslated string: tor bandwidth burst
+WARNING: untranslated string: tor bandwidth rate
+WARNING: untranslated string: tor bandwidth settings
+WARNING: untranslated string: tor bandwidth unlimited
+WARNING: untranslated string: tor common settings
+WARNING: untranslated string: tor configuration
+WARNING: untranslated string: tor connected relays
+WARNING: untranslated string: tor contact info
+WARNING: untranslated string: tor do not advertise relay
+WARNING: untranslated string: tor enabled
+WARNING: untranslated string: tor errmsg invalid ip or mask
+WARNING: untranslated string: tor exit country any
+WARNING: untranslated string: tor exit nodes
+WARNING: untranslated string: tor relay address
+WARNING: untranslated string: tor relay configuration
+WARNING: untranslated string: tor relay enabled
+WARNING: untranslated string: tor relay external address
+WARNING: untranslated string: tor relay fingerprint
+WARNING: untranslated string: tor relay mode
+WARNING: untranslated string: tor relay mode bridge
+WARNING: untranslated string: tor relay mode exit
+WARNING: untranslated string: tor relay mode private bridge
+WARNING: untranslated string: tor relay mode relay
+WARNING: untranslated string: tor relay nickname
+WARNING: untranslated string: tor relay port
+WARNING: untranslated string: tor socks port
+WARNING: untranslated string: tor stats
+WARNING: untranslated string: tor traffic limit hard
+WARNING: untranslated string: tor traffic limit soft
+WARNING: untranslated string: tor traffic read written
+WARNING: untranslated string: tor use exit nodes
 WARNING: untranslated string: uptime load average
 WARNING: untranslated string: visit us at
 WARNING: untranslated string: vpn keyexchange
diff --git a/doc/language_issues.tr b/doc/language_issues.tr
index 17568408d..31a18c92a 100644
--- a/doc/language_issues.tr
+++ b/doc/language_issues.tr
@@ -510,12 +510,58 @@ WARNING: translation string unused: year-graph
 WARNING: translation string unused: yearly firewallhits
 WARNING: untranslated string: Scan for Songs
 WARNING: untranslated string: bytes
+WARNING: untranslated string: dnsforward
+WARNING: untranslated string: dnsforward add a new entry
+WARNING: untranslated string: dnsforward configuration
+WARNING: untranslated string: dnsforward edit an entry
+WARNING: untranslated string: dnsforward entries
+WARNING: untranslated string: dnsforward forward_server
+WARNING: untranslated string: dnsforward zone
 WARNING: untranslated string: new
 WARNING: untranslated string: outgoing firewall reserved groupname
 WARNING: untranslated string: route config changed
 WARNING: untranslated string: routing config added
 WARNING: untranslated string: routing config changed
 WARNING: untranslated string: routing table
+WARNING: untranslated string: tor accounting
+WARNING: untranslated string: tor accounting bytes
+WARNING: untranslated string: tor accounting bytes left
+WARNING: untranslated string: tor accounting interval
+WARNING: untranslated string: tor accounting limit
+WARNING: untranslated string: tor accounting period
+WARNING: untranslated string: tor acls
+WARNING: untranslated string: tor allowed subnets
+WARNING: untranslated string: tor bandwidth burst
+WARNING: untranslated string: tor bandwidth rate
+WARNING: untranslated string: tor bandwidth settings
+WARNING: untranslated string: tor bandwidth unlimited
+WARNING: untranslated string: tor common settings
+WARNING: untranslated string: tor configuration
+WARNING: untranslated string: tor connected relays
+WARNING: untranslated string: tor contact info
+WARNING: untranslated string: tor do not advertise relay
+WARNING: untranslated string: tor enabled
+WARNING: untranslated string: tor errmsg invalid ip or mask
+WARNING: untranslated string: tor exit country any
+WARNING: untranslated string: tor exit nodes
+WARNING: untranslated string: tor relay address
+WARNING: untranslated string: tor relay configuration
+WARNING: untranslated string: tor relay enabled
+WARNING: untranslated string: tor relay external address
+WARNING: untranslated string: tor relay fingerprint
+WARNING: untranslated string: tor relay mode
+WARNING: untranslated string: tor relay mode bridge
+WARNING: untranslated string: tor relay mode exit
+WARNING: untranslated string: tor relay mode private bridge
+WARNING: untranslated string: tor relay mode relay
+WARNING: untranslated string: tor relay nickname
+WARNING: untranslated string: tor relay port
+WARNING: untranslated string: tor socks port
+WARNING: untranslated string: tor stats
+WARNING: untranslated string: tor traffic limit hard
+WARNING: untranslated string: tor traffic limit soft
+WARNING: untranslated string: tor traffic read written
+WARNING: untranslated string: tor use exit nodes
 WARNING: untranslated string: wlan client
 WARNING: untranslated string: wlan client advanced settings
 WARNING: untranslated string: wlan client and
diff --git a/doc/language_missings b/doc/language_missings
index b78b367b0..e47da816f 100644
--- a/doc/language_missings
+++ b/doc/language_missings
@@ -60,6 +60,13 @@
 < ccd used
 < deprecated fs warn
 < dns address deleted txt
+< dnsforward
+< dnsforward add a new entry
+< dnsforward configuration
+< dnsforward edit an entry
+< dnsforward entries
+< dnsforward forward_server
+< dnsforward zone
 < fireinfo ipfire version
 < fireinfo is disabled
 < fireinfo is enabled
@@ -109,6 +116,49 @@
 < snort working
 < static routes
 < system information
+< tor accounting
+< tor accounting bytes
+< tor accounting bytes left
+< tor accounting interval
+< tor accounting limit
+< tor accounting period
+< tor accounting period daily
+< tor accounting period monthly
+< tor accounting period weekly
+< tor acls
+< tor allowed subnets
+< tor bandwidth burst
+< tor bandwidth rate
+< tor bandwidth settings
+< tor bandwidth unlimited
+< tor common settings
+< tor configuration
+< tor connected relays
+< tor contact info
+< tor do not advertise relay
+< tor enabled
+< tor errmsg invalid ip or mask
+< tor exit country
+< tor exit country any
+< tor exit nodes
+< tor relay address
+< tor relay configuration
+< tor relay enabled
+< tor relay external address
+< tor relay fingerprint
+< tor relay mode
+< tor relay mode bridge
+< tor relay mode exit
+< tor relay mode private bridge
+< tor relay mode relay
+< tor relay nickname
+< tor relay port
+< tor socks port
+< tor stats
+< tor traffic limit hard
+< tor traffic limit soft
+< tor traffic read written
+< tor use exit nodes
 < updxlrtr sources
 < updxlrtr standard view
 < upload new ruleset
@@ -224,6 +274,13 @@
 < ccd subnet
 < ccd used
 < deprecated fs warn
+< dnsforward
+< dnsforward add a new entry
+< dnsforward configuration
+< dnsforward edit an entry
+< dnsforward entries
+< dnsforward forward_server
+< dnsforward zone
 < fireinfo ipfire version
 < fireinfo is disabled
 < fireinfo is enabled
@@ -289,6 +346,49 @@
 < Set time on boot
 < static routes
 < system information
+< tor accounting
+< tor accounting bytes
+< tor accounting bytes left
+< tor accounting interval
+< tor accounting limit
+< tor accounting period
+< tor accounting period daily
+< tor accounting period monthly
+< tor accounting period weekly
+< tor acls
+< tor allowed subnets
+< tor bandwidth burst
+< tor bandwidth rate
+< tor bandwidth settings
+< tor bandwidth unlimited
+< tor common settings
+< tor configuration
+< tor connected relays
+< tor contact info
+< tor do not advertise relay
+< tor enabled
+< tor errmsg invalid ip or mask
+< tor exit country
+< tor exit country any
+< tor exit nodes
+< tor relay address
+< tor relay configuration
+< tor relay enabled
+< tor relay external address
+< tor relay fingerprint
+< tor relay mode
+< tor relay mode bridge
+< tor relay mode exit
+< tor relay mode private bridge
+< tor relay mode relay
+< tor relay nickname
+< tor relay port
+< tor socks port
+< tor stats
+< tor traffic limit hard
+< tor traffic limit soft
+< tor traffic read written
+< tor use exit nodes
 < updxlrtr sources
 < updxlrtr standard view
 < uptime
@@ -380,6 +480,13 @@
 < ccd subnet
 < ccd used
 < deprecated fs warn
+< dnsforward
+< dnsforward add a new entry
+< dnsforward configuration
+< dnsforward edit an entry
+< dnsforward entries
+< dnsforward forward_server
+< dnsforward zone
 < extrahd because there is already a device mounted
 < extrahd cant umount
 < extrahd install or load driver
@@ -421,6 +528,49 @@
 < qos enter bandwidths
 < server restart
 < static routes
+< tor accounting
+< tor accounting bytes
+< tor accounting bytes left
+< tor accounting interval
+< tor accounting limit
+< tor accounting period
+< tor accounting period daily
+< tor accounting period monthly
+< tor accounting period weekly
+< tor acls
+< tor allowed subnets
+< tor bandwidth burst
+< tor bandwidth rate
+< tor bandwidth settings
+< tor bandwidth unlimited
+< tor common settings
+< tor configuration
+< tor connected relays
+< tor contact info
+< tor do not advertise relay
+< tor enabled
+< tor errmsg invalid ip or mask
+< tor exit country
+< tor exit country any
+< tor exit nodes
+< tor relay address
+< tor relay configuration
+< tor relay enabled
+< tor relay external address
+< tor relay fingerprint
+< tor relay mode
+< tor relay mode bridge
+< tor relay mode exit
+< tor relay mode private bridge
+< tor relay mode relay
+< tor relay nickname
+< tor relay port
+< tor socks port
+< tor stats
+< tor traffic limit hard
+< tor traffic limit soft
+< tor traffic read written
+< tor use exit nodes
 < updxlrtr sources
 < updxlrtr standard view
 < uptime
@@ -515,6 +665,13 @@
 < day-graph
 < deprecated fs warn
 < disk access per
+< dnsforward
+< dnsforward add a new entry
+< dnsforward configuration
+< dnsforward edit an entry
+< dnsforward entries
+< dnsforward forward_server
+< dnsforward zone
 < Edit an existing route
 < extrahd because there is already a device mounted
 < extrahd cant umount
@@ -558,6 +715,49 @@
 < qos enter bandwidths
 < server restart
 < static routes
+< tor accounting
+< tor accounting bytes
+< tor accounting bytes left
+< tor accounting interval
+< tor accounting limit
+< tor accounting period
+< tor accounting period daily
+< tor accounting period monthly
+< tor accounting period weekly
+< tor acls
+< tor allowed subnets
+< tor bandwidth burst
+< tor bandwidth rate
+< tor bandwidth settings
+< tor bandwidth unlimited
+< tor common settings
+< tor configuration
+< tor connected relays
+< tor contact info
+< tor do not advertise relay
+< tor enabled
+< tor errmsg invalid ip or mask
+< tor exit country
+< tor exit country any
+< tor exit nodes
+< tor relay address
+< tor relay configuration
+< tor relay enabled
+< tor relay external address
+< tor relay fingerprint
+< tor relay mode
+< tor relay mode bridge
+< tor relay mode exit
+< tor relay mode private bridge
+< tor relay mode relay
+< tor relay nickname
+< tor relay port
+< tor socks port
+< tor stats
+< tor traffic limit hard
+< tor traffic limit soft
+< tor traffic read written
+< tor use exit nodes
 < updxlrtr sources
 < updxlrtr standard view
 < uptime
diff --git a/html/cgi-bin/tor.cgi b/html/cgi-bin/tor.cgi
new file mode 100644
index 000000000..6b4d9cc1b
--- /dev/null
+++ b/html/cgi-bin/tor.cgi
@@ -0,0 +1,895 @@ +#!/usr/bin/perl +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2013 IPFire Team # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see . # +# # +############################################################################### + +use strict; +use Locale::Country; + +# enable only the following on debugging purpose +use warnings; +use CGI::Carp 'fatalsToBrowser'; + +require '/var/ipfire/general-functions.pl'; +require "${General::swroot}/lang.pl"; +require "${General::swroot}/header.pl"; + +#workaround to suppress a warning when a variable is used only once +my @dummy = ( ${Header::colouryellow} ); +undef (@dummy); + +my @bandwidth_limits = ( + 1000 * 1024, # 1G + 500 * 1024, + 200 * 1024, + 100 * 1024, # 100M + 64 * 1024, + 50 * 1024, + 25 * 1024, + 20 * 1024, + 16 * 1024, + 10 * 1024, + 8 * 1024, + 4 * 1024, + 2 * 1024, + 1024, # 1M + 512, + 256, + 128, + 64 +); +my @accounting_periods = ('daily', 'weekly', 'monthly'); + +my $TOR_CONTROL_PORT = 9051; + +our %netsettings = (); +&General::readhash("${General::swroot}/ethernet/settings", \%netsettings); + +our %settings = (); + +$settings{'TOR_ENABLED'} = 'off'; +$settings{'TOR_SOCKS_PORT'} = 9050; +$settings{'TOR_EXIT_COUNTRY'} = ''; +$settings{'TOR_USE_EXIT_NODES'} = ''; +$settings{'TOR_ALLOWED_SUBNETS'} = 
"$netsettings{'GREEN_NETADDRESS'}\/$netsettings{'GREEN_NETMASK'}"; +if (&Header::blue_used()) { + $settings{'TOR_ALLOWED_SUBNETS'} .= ",$netsettings{'BLUE_NETADDRESS'}\/$netsettings{'BLUE_NETMASK'}"; +} + +$settings{'TOR_RELAY_ENABLED'} = 'off'; +$settings{'TOR_RELAY_MODE'} = 'exit'; +$settings{'TOR_RELAY_PORT'} = 9001; +$settings{'TOR_RELAY_NOADVERTISE'} = 'off'; +$settings{'TOR_RELAY_BANDWIDTH_RATE'} = 0; +$settings{'TOR_RELAY_BANDWIDTH_BURST'} = 0; +$settings{'TOR_RELAY_ACCOUNTING_LIMIT'} = 0; +$settings{'TOR_RELAY_ACCOUNTING_PERIOD'} = 'daily'; + +$settings{'ACTION'} = ''; + +my $errormessage = ''; +my $warnmessage = ''; + +&Header::showhttpheaders(); + +# Load settings from file. +&General::readhash("${General::swroot}/tor/settings", \%settings); + +# Get GUI values. +&Header::getcgihash(\%settings); + +# Create tor command connection. +our $torctrl = &TorConnect(); + +# Toggle enable/disable field. +if ($settings{'ACTION'} eq $Lang::tr{'save'}) { + my @temp = split(/[\n,]/,$settings{'TOR_ALLOWED_SUBNETS'}); + $settings{'TOR_ALLOWED_SUBNETS'} = ""; + foreach (@temp) { + s/^\s+//g; s/\s+$//g; + if ($_) { + unless (&General::validipandmask($_)) { + $errormessage = "$Lang::tr{'tor errmsg invalid ip or mask'}: $_"; + } + $settings{'TOR_ALLOWED_SUBNETS'} .= $_.","; + } + } + + @temp = split(/[\n,]/,$settings{'TOR_USE_EXIT_NODES'}); + $settings{'TOR_USE_EXIT_NODES'} = ""; + foreach (@temp) { + s/^\s+//g; s/\s+$//g; + if ($_) { + $settings{'TOR_USE_EXIT_NODES'} .= $_.","; + } + } + + if ($errormessage eq '') { + # Write configuration settings to file. + &General::writehash("${General::swroot}/tor/settings", \%settings); + + # Update configuration files. + &BuildConfiguration(); + } + + # Reset ACTION. + $settings{'ACTION'} = ''; +} + +&showMainBox(); + +# Close Tor control connection. 
+&TorClose($torctrl); + +# Functions + +sub showMainBox() { + my %checked = (); + my %selected = (); + + $checked{'TOR_ENABLED'}{'on'} = ''; + $checked{'TOR_ENABLED'}{'off'} = ''; + $checked{'TOR_ENABLED'}{$settings{'TOR_ENABLED'}} = 'checked'; + + $checked{'TOR_RELAY_ENABLED'}{'on'} = ''; + $checked{'TOR_RELAY_ENABLED'}{'off'} = ''; + $checked{'TOR_RELAY_ENABLED'}{$settings{'TOR_RELAY_ENABLED'}} = 'checked'; + + &Header::openpage($Lang::tr{'tor configuration'}, 1, ''); + &Header::openbigbox('100%', 'left', '', $errormessage); + + if ($errormessage) { + &Header::openbox('100%', 'left', $Lang::tr{'error messages'}); + print "$errormessage \n"; + &Header::closebox(); + } + + print "
\n"; + + &Header::openbox('100%', 'left', $Lang::tr{'tor configuration'}); + + print < + + $Lang::tr{'tor common settings'} + + + $Lang::tr{'tor enabled'}: + + + + + + $Lang::tr{'tor relay enabled'}: + + + + + +END + + &Header::closebox(); + + if ($settings{'TOR_ENABLED'} eq 'on') { + my @temp = split(",", $settings{'TOR_ALLOWED_SUBNETS'}); + $settings{'TOR_ALLOWED_SUBNETS'} = join("\n", @temp); + + @temp = split(",", $settings{'TOR_USE_EXIT_NODES'}); + $settings{'TOR_USE_EXIT_NODES'} = join("\n", @temp); + + &Header::openbox('100%', 'left', $Lang::tr{'tor configuration'}); + + print < + + $Lang::tr{'tor socks port'}: + + + + + +
+ + + + + + + + + + + + + +
$Lang::tr{'tor acls'}
+ $Lang::tr{'tor allowed subnets'}: +
+ +
+ +
+ + + + + + + + + + + + + +
$Lang::tr{'tor exit nodes'}
$Lang::tr{'tor use exit nodes'}:
+ + +
+END + + &Header::closebox(); + } + + if ($settings{'TOR_RELAY_ENABLED'} eq 'on') { + $checked{'TOR_RELAY_NOADVERTISE'}{'on'} = ''; + $checked{'TOR_RELAY_NOADVERTISE'}{'off'} = ''; + $checked{'TOR_RELAY_NOADVERTISE'}{$settings{'TOR_RELAY_NOADVERTISE'}} = 'checked'; + + $selected{'TOR_RELAY_MODE'}{'bridge'} = ''; + $selected{'TOR_RELAY_MODE'}{'exit'} = ''; + $selected{'TOR_RELAY_MODE'}{'private-bridge'} = ''; + $selected{'TOR_RELAY_MODE'}{'relay'} = ''; + $selected{'TOR_RELAY_MODE'}{$settings{'TOR_RELAY_MODE'}} = 'selected'; + + $selected{'TOR_RELAY_BANDWIDTH_RATE'}{'0'} = ''; + foreach (@bandwidth_limits) { + $selected{'TOR_RELAY_BANDWIDTH_RATE'}{$_} = ''; + } + $selected{'TOR_RELAY_BANDWIDTH_RATE'}{$settings{'TOR_RELAY_BANDWIDTH_RATE'}} = 'selected'; + + $selected{'TOR_RELAY_BANDWIDTH_BURST'}{'0'} = ''; + foreach (@bandwidth_limits) { + $selected{'TOR_RELAY_BANDWIDTH_BURST'}{$_} = ''; + } + $selected{'TOR_RELAY_BANDWIDTH_BURST'}{$settings{'TOR_RELAY_BANDWIDTH_BURST'}} = 'selected'; + + foreach (@accounting_periods) { + $selected{'TOR_RELAY_ACCOUNTING_PERIOD'}{$_} = ''; + } + $selected{'TOR_RELAY_ACCOUNTING_PERIOD'}{$settings{'TOR_RELAY_ACCOUNTING_PERIOD'}} = 'selected'; + + &Header::openbox('100%', 'left', $Lang::tr{'tor relay configuration'}); + + print < + + $Lang::tr{'tor relay mode'}: + + + + $Lang::tr{'tor relay port'}: + + + + + + $Lang::tr{'tor relay address'}: * + + + + $Lang::tr{'tor do not advertise relay'}: + + + + + + $Lang::tr{'tor relay nickname'}: * + + + + + + + $Lang::tr{'tor contact info'}: * + + + + + + +
+ + + + + + + + + + + + + + + + + +
$Lang::tr{'tor bandwidth settings'}
$Lang::tr{'tor bandwidth rate'}: + + $Lang::tr{'tor accounting limit'}: + +
$Lang::tr{'tor bandwidth burst'}: + + $Lang::tr{'tor accounting period'}: +
+END + + &Header::closebox(); + } + + print < + + + * $Lang::tr{'this field may be blank'} + +   + + + +
+ + + + + + + +
  
+END + + # If we have a control connection, show the stats. + if ($torctrl) { + &Header::openbox('100%', 'left', $Lang::tr{'tor stats'}); + + my @traffic = &TorTrafficStats($torctrl); + + if (@traffic) { + print < +END + + if ($settings{'TOR_RELAY_ENABLED'} eq 'on') { + my $fingerprint = &TorRelayFingerprint($torctrl); + if ($fingerprint) { + print < + $Lang::tr{'tor relay fingerprint'}: + + $fingerprint + + +END + } + } + + my $address = TorGetInfo($torctrl, "address"); + if ($address) { + print < + $Lang::tr{'tor relay external address'}: + $address + +END + } + + print < + $Lang::tr{'tor traffic read written'}: +END + print "" . &FormatBytes($traffic[0]) ."/". &FormatBytes($traffic[1]) . ""; + print < + +END + } + + my $accounting = &TorAccountingStats($torctrl); + if ($accounting) { + print < + + $Lang::tr{'tor accounting'} + +END + + if ($accounting->{'hibernating'} eq "hard") { + print < + + $Lang::tr{'tor traffic limit hard'} + + +END + } elsif ($accounting->{'hibernating'} eq "soft") { + print < + + $Lang::tr{'tor traffic limit soft'} + + +END + } + + print < + $Lang::tr{'tor accounting interval'} + + $accounting->{'interval-start'} - $accounting->{'interval-end'} + + + + $Lang::tr{'tor accounting bytes'} + +END + + print &FormatBytes($accounting->{'bytes_read'}) . "/" . &FormatBytes($accounting->{'bytes_written'}); + print " (" . &FormatBytes($accounting->{'bytes-left_read'}) . "/" . 
&FormatBytes($accounting->{'bytes-left_written'}); + print " $Lang::tr{'tor accounting bytes left'})"; + + print < + + +END + } + + my @nodes = &TorORConnStatus($torctrl); + if (@nodes) { + print < + + $Lang::tr{'tor connected relays'} + +END + + foreach my $node (@nodes) { + print < + + + $node->{'name'} + + + +END + + if (exists($node->{'country_code'})) { + print "$node->{"; + } + + print <$node->{'address'}:$node->{'port'} + + + ~$node->{'bandwidth_string'} + + +END + } + print ""; + } + + &Header::closebox(); + } + + print "\n"; + + &Header::closebigbox(); + &Header::closepage(); +} + +sub BuildConfiguration() { + my %settings = (); + &General::readhash("${General::swroot}/tor/settings", \%settings); + + my $torrc = "${General::swroot}/tor/torrc"; + + open(FILE, ">$torrc"); + + # Global settings. + print FILE "ControlPort $TOR_CONTROL_PORT\n"; + + if ($settings{'TOR_ENABLED'} eq 'on') { + my $strict_nodes = 0; + + print FILE "SocksPort 0.0.0.0:$settings{'TOR_SOCKS_PORT'}\n"; + + my @subnets = split(",", $settings{'TOR_ALLOWED_SUBNETS'}); + foreach (@subnets) { + print FILE "SocksPolicy accept $_\n" if (&General::validipandmask($_)); + } + print FILE "SocksPolicy reject *\n" if (@subnets); + + if ($settings{'TOR_EXIT_COUNTRY'} ne '') { + $strict_nodes = 1; + + print FILE "ExitNodes {$settings{'TOR_EXIT_COUNTRY'}}\n"; + } + + if ($settings{'TOR_USE_EXIT_NODES'} ne '') { + $strict_nodes = 1; + + my @nodes = split(",", $settings{'TOR_USE_EXIT_NODES'}); + foreach (@nodes) { + print FILE "ExitNode $_\n"; + } + } + + if ($strict_nodes > 0) { + print FILE "StrictNodes 1\n"; + } + } + + if ($settings{'TOR_RELAY_ENABLED'} eq 'on') { + # Reject access to private networks. 
+ print FILE "ExitPolicyRejectPrivate 1\n"; + + print FILE "ORPort $settings{'TOR_RELAY_PORT'}"; + if ($settings{'TOR_RELAY_NOADVERTISE'} eq 'on') { + print FILE " NoAdvertise"; + } + print FILE "\n"; + + if ($settings{'TOR_RELAY_ADDRESS'} ne '') { + print FILE "Address $settings{'TOR_RELAY_ADDRESS'}\n"; + } + + if ($settings{'TOR_RELAY_NICKNAME'} ne '') { + print FILE "Nickname $settings{'TOR_RELAY_NICKNAME'}\n"; + } + + if ($settings{'TOR_RELAY_CONTACT_INFO'} ne '') { + print FILE "ContactInfo $settings{'TOR_RELAY_CONTACT_INFO'}\n"; + } + + # Limit to bridge mode. + my $is_bridge = 0; + + if ($settings{'TOR_RELAY_MODE'} eq 'bridge') { + $is_bridge++; + + # Private bridge. + } elsif ($settings{'TOR_RELAY_MODE'} eq 'private-bridge') { + $is_bridge++; + + print FILE "PublishServerDescriptor 0\n"; + + # Exit node. + } elsif ($settings{'TOR_RELAY_MODE'} eq 'exit') { + print FILE "ExitPolicy accept *:*\n"; + + # Relay only. + } elsif ($settings{'TOR_RELAY_MODE'} eq 'relay') { + print FILE "ExitPolicy reject *:*\n"; + } + + if ($is_bridge > 0) { + print FILE "BridgeRelay 1\n"; + print FILE "Exitpolicy reject *:*\n"; + } + + if ($settings{'TOR_RELAY_BANDWIDTH_RATE'} > 0) { + print FILE "RelayBandwidthRate "; + print FILE $settings{'TOR_RELAY_BANDWIDTH_RATE'} / 8; + print FILE " KB\n"; + + if ($settings{'TOR_RELAY_BANDWIDTH_BURST'} > 0) { + print FILE "RelayBandwidthBurst "; + print FILE $settings{'TOR_RELAY_BANDWIDTH_BURST'} / 8; + print FILE " KB\n"; + } + } + + if ($settings{'TOR_RELAY_ACCOUNTING_LIMIT'} > 0) { + print FILE "AccountingMax ".$settings{'TOR_RELAY_ACCOUNTING_LIMIT'}." 
MB\n"; + + if ($settings{'TOR_RELAY_ACCOUNTING_PERIOD'} eq 'daily') { + print FILE "AccountingStart day 00:00\n"; + } elsif ($settings{'TOR_RELAY_ACCOUNTING_PERIOD'} eq 'weekly') { + print FILE "AccountingStart week 1 00:00\n"; + } elsif ($settings{'TOR_RELAY_ACCOUNTING_PERIOD'} eq 'monthly') { + print FILE "AccountingStart month 1 00:00\n"; + } + } + } + + close(FILE); + + # Restart the service. + if (($settings{'TOR_ENABLED'} eq 'on') || ($settings{'TOR_RELAY_ENABLED'} eq 'on')) { + system("/usr/local/bin/torctrl restart"); + } else { + system("/usr/local/bin/torctrl stop"); + } +} + +sub TorConnect() { + my $socket = new IO::Socket::INET( + Proto => 'tcp', PeerAddr => '127.0.0.1', PeerPort => $TOR_CONTROL_PORT, + ) or return; + + $socket->autoflush(1); + + # Authenticate. + &TorSendCommand($socket, "AUTHENTICATE"); + + return $socket; +} + +sub TorSendCommand() { + my ($socket, $cmd) = @_; + + # Replace line ending with \r\n. + chomp $cmd; + $cmd .= "\r\n"; + + $socket->send($cmd); + + my @output = (); + while (my $line = <$socket>) { + # Skip empty lines. + if ($line =~ /^.\r\n$/) { + next; + } + + # Command has been successfully executed. + if ($line =~ /250 OK/) { + last; + + # Error. + } elsif ($line =~ /^5\d+/) { + last; + + } else { + # Remove line endings. 
+ $line =~ s/\r\n$//; + + push(@output, $line); + } + } + + return @output; +} + +sub TorSendCommandOneLine() { + my ($tor, $cmd) = @_; + + my @output = &TorSendCommand($tor, $cmd); + return $output[0]; +} + +sub TorGetInfo() { + my ($tor, $cmd) = @_; + + my $output = &TorSendCommandOneLine($tor, "GETINFO ".$cmd); + + my ($key, $value) = split("=", $output); + return $value; +} + +sub TorClose() { + my $socket = shift; + + if ($socket) { + $socket->shutdown(2); + } +} + +sub TorTrafficStats() { + my $tor = shift; + + my $output_read = &TorGetInfo($tor, "traffic/read"); + my $output_written = &TorGetInfo($tor, "traffic/written"); + + return ($output_read, $output_written); +} + +sub TorRelayFingerprint() { + my $tor = shift; + + return &TorGetInfo($tor, "fingerprint"); +} + +sub TorORConnStatus() { + my $tor = shift; + my @nodes = (); + + my @output = &TorSendCommand($tor, "GETINFO orconn-status"); + foreach (@output) { + $_ =~ s/^250[\+-]orconn-status=//; + next if ($_ eq ""); + last if ($_ eq "."); + next unless ($_ =~ /^\$/); + + my @line = split(" ", $_); + my @node = split(/[=~]/, $line[0]); + + my $node = &TorNodeDescription($tor, $node[0]); + if ($node) { + push(@nodes, $node); + } + } + + # Sort by names. 
+ @nodes = sort { $a->{'name'} cmp $b->{'name'} } @nodes; + + return @nodes; +} + +sub TorNodeDescription() { + my ($tor, $fingerprint) = @_; + $fingerprint =~ s/\$//; + + my $node = { + fingerprint => $fingerprint, + exit_node => 0, + }; + + my @output = &TorSendCommand($tor, "GETINFO ns/id/$node->{'fingerprint'}"); + + foreach (@output) { + # Router + if ($_ =~ /^r (\w+) (.*) (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) (\d+)/) { + $node->{'name'} = $1; + $node->{'address'} = $3; + $node->{'port'} = $4; + + my $country_code = &TorGetInfo($tor, "ip-to-country/$node->{'address'}"); + $node->{'country_code'} = $country_code; + + # Flags + } elsif ($_ =~ /^s (.*)$/) { + $node->{'flags'} = split(" ", $1); + + foreach my $flag ($node->{'flags'}) { + if ($flag eq "Exit") { + $node->{'exit_node'}++; + } + } + + # Bandwidth + } elsif ($_ =~ /^w Bandwidth=(\d+)/) { + $node->{'bandwidth'} = $1 * 8; + $node->{'bandwidth_string'} = &FormatBitsPerSecond($node->{'bandwidth'}); + } + } + + if (exists($node->{'name'})) { + return $node; + } +} + +sub TorAccountingStats() { + my $tor = shift; + my $ret = {}; + + my $enabled = &TorGetInfo($tor, "accounting/enabled"); + if ($enabled ne '1') { + return; + } + + my @cmds = ("hibernating", "interval-start", "interval-end"); + foreach (@cmds) { + $ret->{$_} = &TorGetInfo($tor, "accounting/$_"); + } + + my @cmds = ("bytes", "bytes-left"); + foreach (@cmds) { + my $output = &TorGetInfo($tor, "accounting/$_"); + my @bytes = split(" ", $output); + + $ret->{$_."_read"} = $bytes[0]; + $ret->{$_."_written"} = $bytes[1]; + } + + return $ret; +} + +sub FormatBytes() { + my $bytes = shift; + + my @units = ("B", "KB", "MB", "GB", "TB"); + my $units_index = 0; + + while (($units_index <= $#units) && ($bytes >= 1024)) { + $units_index++; + $bytes /= 1024; + } + + return sprintf("%.2f %s", $bytes, $units[$units_index]); +} + +sub FormatBitsPerSecond() { + my $bits = shift; + + my @units = ("Bit/s", "KBit/s", "MBit/s", "GBit/s", "TBit/s"); + my $units_index = 
0; + + while (($units_index <= $#units) && ($bits >= 1024)) { + $units_index++; + $bits /= 1024; + } + + return sprintf("%.2f %s", $bits, $units[$units_index]); +} diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index d1ad7b0fc..848aaefa2 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl 
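Review bot: In BuildConfiguration the `SocksPolicy reject *` line is written only `if (@subnets)`, so saving an empty TOR_ALLOWED_SUBNETS leaves the proxy bound on `SocksPort 0.0.0.0:…` with Tor's default entrance policy, under which any address not matched by an entry is accepted — every client that can reach the port; write the reject unconditionally and consider binding to the GREEN/BLUE addresses rather than the wildcard. The same function emits `ControlPort $TOR_CONTROL_PORT` with neither `CookieAuthentication 1` nor `HashedControlPassword`, and TorConnect sends a bare `AUTHENTICATE` without looking at the reply, so any local process can reconfigure the daemon and an authentication failure is never noticed — enable cookie authentication in torrc, have TorConnect send the cookie, and return undef when the reply is not 250. `open(FILE, ">$torrc")` is unchecked, so a failed open still falls through to `torctrl restart` with the stale file; `open(FILE, ">$torrc") or die "$torrc: $!";`. TOR_SOCKS_PORT, TOR_RELAY_PORT, TOR_RELAY_ADDRESS, TOR_RELAY_NICKNAME, TOR_RELAY_CONTACT_INFO and TOR_EXIT_COUNTRY are copied from the CGI hash into torrc with no check in the save branch (only TOR_ALLOWED_SUBNETS goes through `&General::validipandmask`), so a value carrying a newline becomes an extra directive — validate the ports with `&General::validport`, reject the other values unless they match a single-line token pattern, and HTML-escape `$errormessage` and the echoed settings where they are printed into the page. Separately, TorNodeDescription assigns `$node->{'flags'} = split(" ", $1)` in scalar context, which stores the element count, so `foreach my $flag ($node->{'flags'})` loops over a number and `exit_node` is never incremented (fix below), and the per-entry `ExitNode $_` lines in the exit-node loop should presumably be one comma-joined `ExitNodes` directive, matching the `ExitNodes {…}` form already used for the country.
```perl
	# … unchanged: BuildConfiguration reads settings and builds $torrc …
	open(FILE, ">$torrc") or die "Cannot write $torrc: $!";

	# … unchanged: ControlPort, TOR_ENABLED check, SocksPort line …
		my @subnets = split(",", $settings{'TOR_ALLOWED_SUBNETS'});
		foreach (@subnets) {
			print FILE "SocksPolicy accept $_\n" if (&General::validipandmask($_));
		}
		# Always close the policy: with no reject entry Tor accepts every client.
		print FILE "SocksPolicy reject *\n";
	# … unchanged: remainder of BuildConfiguration …

	# … unchanged: TorNodeDescription up to the flags branch …
		} elsif ($_ =~ /^s (.*)$/) {
			# split() in scalar context yields a count; keep the list instead.
			my @flags = split(" ", $1);
			$node->{'flags'} = \@flags;

			foreach my $flag (@flags) {
				if ($flag eq "Exit") {
					$node->{'exit_node'}++;
				}
			}
```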
@@ -1797,6 +1797,49 @@ 'tone' => 'Ton', 'tone dial' => 'Tonwahl:', 'too long 80 char max' => ' ist zu lang, es sind maximal 80 Zeichen erlaubt', +'tor accounting' => 'Accounting', +'tor accounting bytes' => 'Traffic (empfangen/gesendet)', +'tor accounting bytes left' => 'übrig', +'tor accounting interval' => 'Intervall (UTC)', +'tor accounting limit' => 'Übertragungslimit (MB)', +'tor accounting period' => 'Accounting-Periode', +'tor accounting period daily' => 'täglich', +'tor accounting period monthly' => 'monatlich', +'tor accounting period weekly' => 'wöchentlich', +'tor acls' => 'Zugriffskontrolle', +'tor allowed subnets' => 'Erlaubte Subnetze (eins pro Zeile)', +'tor bandwidth burst' => 'Max. Spitzenwert (Burst)', +'tor bandwidth rate' => 'Max. Bandbreite', +'tor bandwidth settings' => 'Bandbreiteneinstellungen', +'tor bandwidth unlimited' => 'unlimitiert', +'tor common settings' => 'Einstellungen', +'tor configuration' => 'Tor-Konfiguration', +'tor connected relays' => 'Verbundene Relays', +'tor contact info' => 'Kontaktinformationen', +'tor do not advertise relay' => 'Relay nicht announcieren', +'tor enabled' => 'Tor einschalten', +'tor errmsg invalid ip or mask' => 'Ungültiges IP-Subnetz', +'tor exit country' => 'Exit-Land', +'tor exit country any' => 'Beliebig', +'tor exit nodes' => 'Exit-Nodes', +'tor relay address' => 'Relay-Adresse', +'tor relay configuration' => 'Tor-Relay-Konfiguration', +'tor relay enabled' => 'Tor-Relay einschalten', +'tor relay external address' => 'Externe Relay-Adresse', +'tor relay fingerprint' => 'Relay-Fingerabdruck', +'tor relay mode' => 'Relay-Modues', +'tor relay mode bridge' => 'Bridge', +'tor relay mode exit' => 'Exit-Node', +'tor relay mode private bridge' => 'private Bridge', +'tor relay mode relay' => 'Nur Relay', +'tor relay nickname' => 'Relay-Nickname', +'tor relay port' => 'Relay-Port', +'tor socks port' => 'SOCKS-Port', +'tor stats' => 'Statistiken', +'tor traffic limit hard' => 'Das Übertragungslimit wurde 
erreicht.', +'tor traffic limit soft' => 'Das Übertragungslimit wurde fast erreicht. Es werden keine neuen Verbindungen akzeptiert.', +'tor traffic read written' => 'Gesamter Traffic (empfangen/gesendet)', +'tor use exit nodes' => 'Nur diese Exit-Nodes benutzen (eins pro Zeile)', 'total connection time' => 'Verbindungszeit', 'total hits for log section' => 'Gesamte Treffer für Log Sektion', 'traffic back' => 'Zurück', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 30d07345d..150411a4a 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl 
@@ -1831,6 +1831,51 @@ 'tone' => 'Tone', 'tone dial' => 'Tone dial:', 'too long 80 char max' => ' is too long, maximum allowed is 80 characters', +'tor accounting' => 'Accounting', +'tor accounting bytes' => 'Traffic (read/written)', +'tor accounting bytes left' => 'left', +'tor accounting interval' => 'Interval (UTC)', +'tor accounting limit' => 'Accounting limit (MB)', +'tor accounting period' => 'Accounting period', +'tor accounting period daily' => 'daily', +'tor accounting period monthly' => 'monthly', +'tor accounting period weekly' => 'weekly', +'tor acls' => 'Access Control', +'tor allowed subnets' => 'Allowed subnets (one per line)', +'tor bandwidth burst' => 'Max. burst', +'tor bandwidth rate' => 'Max. rate', +'tor bandwidth settings' => 'Bandwidth Settings', +'tor bandwidth unlimited' => 'unlimited', +'tor bridge enabled' => 'Enable Tor bridge', +'tor common settings' => 'Common Settings', +'tor configuration' => 'Tor Configuration', +'tor connected relays' => 'Connected relays', +'tor contact info' => 'Contact Info', +'tor do not advertise relay' => 'Do not advertise the relay', +'tor enabled' => 'Enable Tor', +'tor errmsg invalid ip or mask' => 'Invalid IP subnet', +'tor errmsg invalid node id' => 'Invalid node ID', +'tor exit country' => 'Exit country', +'tor exit country any' => 'Any country', +'tor exit nodes' => 'Exit Nodes', +'tor relay address' => 'Relay address', +'tor relay configuration' => 'Tor Relay Configuration', +'tor relay enabled' => 'Enable Tor Relay', +'tor relay external address' => 'Relay external address', +'tor relay fingerprint' => 'Relay fingerprint', +'tor relay mode' => 'Relay mode', +'tor relay mode bridge' => 'Bridge', +'tor relay mode exit' => 'Exit-Node', +'tor relay mode private bridge' => 'Private bridge', +'tor relay mode relay' => 'Relay only', +'tor relay nickname' => 'Relay nickname', +'tor relay port' => 'Relay port', +'tor socks port' => 'SOCKS port', +'tor stats' => 'Statistics', +'tor traffic limit hard' => 
'Traffic limit has been reached.', +'tor traffic limit soft' => 'Traffic limit almost reached. Not accepting any new connections.', +'tor traffic read written' => 'Total traffic (read/written)', +'tor use exit nodes' => 'Use only these exit nodes (one per line)', 'total connection time' => 'Total connection time', 'total hits for log section' => 'Total hits for log section', 'traffic back' => 'Back', From 27cb780589dd7436f16f68b12694898a171b3829 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Wed, 31 Jul 2013 12:52:26 +0200 Subject: [PATCH 26/61] tor: Add torctrl binary. --- src/initscripts/init.d/tor | 11 ++++++++++- src/misc-progs/Makefile | 5 ++++- src/misc-progs/torctrl.c | 32 ++++++++++++++++++++++++++++++++ 3 files changed, 46 insertions(+), 2 deletions(-) create mode 100644 src/misc-progs/torctrl.c diff --git a/src/initscripts/init.d/tor b/src/initscripts/init.d/tor index 6ae03130e..82dab68bd 100644 --- a/src/initscripts/init.d/tor +++ b/src/initscripts/init.d/tor @@ -35,12 +35,21 @@ case "${1}" in ${0} start ;; + reload-or-restart) + # Reload the process if it is already running. Otherwise, restart. + if pidofproc -s /usr/bin/tor; then + $0 reload + else + $0 restart + fi + ;; + status) statusproc /usr/bin/tor ;; *) - echo "Usage: ${0} {start|stop|reload|restart|status}" + echo "Usage: ${0} {start|stop|reload|restart|reload-or-restart|status}" exit 1 ;; esac diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile index 2ec7878b5..df5a37038 100644 --- a/src/misc-progs/Makefile +++ b/src/misc-progs/Makefile @@ -33,7 +33,7 @@ SUID_PROGS = setdmzholes setportfw setxtaccess \ redctrl syslogdctrl extrahdctrl sambactrl upnpctrl tripwirectrl \ smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \ setaliases urlfilterctrl updxlratorctrl fireinfoctrl rebuildroutes \ - getconntracktable wirelessclient dnsmasqctrl + getconntracktable wirelessclient dnsmasqctrl torctrl SUID_UPDX = updxsetperms install : all 
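Review bot: The new `reload-or-restart` arm writes `$0 reload` and `$0 restart` while the neighbouring `${0} start` line and the usage message in the same `case` block use the braced form; for consistency make it `${0} reload` and `${0} restart`. This arm is what the setuid wrapper torctrl.c (added in the same commit) runs for its `restart` action, so the name mismatch between the two deserves a comment in the arm, e.g. `# Entry point for "torctrl restart": prefer a reload when tor is already up.` The `pidofproc -s` test only decides whether a process exists, not whether it is healthy; that is presumably acceptable for a config-reload path.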
@@ -164,3 +164,6 @@ wirelessclient: wirelessclient.c setuid.o ../install+setup/libsmooth/varval.o dnsmasqctrl: dnsmasqctrl.c setuid.o ../install+setup/libsmooth/varval.o $(COMPILE) -I../install+setup/libsmooth/ dnsmasqctrl.c setuid.o ../install+setup/libsmooth/varval.o -o $@ + +torctrl: toctrl.c setuid.o ../install+setup/libsmooth/varval.o + $(COMPILE) -I../install+setup/libsmooth/ torctrl.c setuid.o ../install+setup/libsmooth/varval.o -o $@ diff --git a/src/misc-progs/torctrl.c b/src/misc-progs/torctrl.c new file mode 100644 index 000000000..686a8da40 --- /dev/null +++ b/src/misc-progs/torctrl.c @@ -0,0 +1,32 @@ +/* This file is part of the IPFire Firewall. + * + * This program is distributed under the terms of the GNU General Public + * Licence. See the file COPYING for details. + * + */ + +#include +#include +#include +#include +#include +#include "setuid.h" + +int main(int argc, char *argv[]) { + if (!(initsetuid())) + exit(1); + + if (argc < 2) { + fprintf(stderr, "\nNo argument given.\n\ntorctrl (restart)\n\n"); + exit(1); + } + + if (strcmp(argv[1], "restart") == 0) { + safe_system("/etc/rc.d/init.d/tor reload-or-restart"); + } else { + fprintf(stderr, "\nBad argument given.\n\ntorctrl (restart)\n\n"); + exit(1); + } + + return 0; +} From c60301c06a340cdd7a1bc619a3fa081d4771fc76 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Wed, 31 Jul 2013 12:52:40 +0200 Subject: [PATCH 27/61] tor: Add necessary firewall rules. --- src/initscripts/init.d/firewall | 4 ++++ src/initscripts/init.d/tor | 25 +++++++++++++++++++++++++ 2 files changed, 29 insertions(+) diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index 844618a30..0237297e7 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall 
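Review bot: The prerequisite list of the new `torctrl` rule names `toctrl.c`, while the recipe compiles `torctrl.c`; no file named `toctrl.c` is added, so make will stop with "No rule to make target `toctrl.c`" on a fresh tree. The rule header should read `torctrl: torctrl.c setuid.o ../install+setup/libsmooth/varval.o`. Writing the recipe with `$^ -o $@` would make this class of typo impossible, but since the surrounding rules spell the names out, matching that style and fixing the header is fine.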
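Review bot: torctrl is added to `SUID_PROGS` in this commit, so it runs setuid root, but nothing in the file says so or why only fixed literal actions are passed to `safe_system`; add a header comment such as `/* Installed setuid root (see SUID_PROGS). Only the fixed actions below may be executed; argv is never interpolated into the command line. */` above `main`. The usage text is duplicated in the two `fprintf` calls and will drift as actions are added; hoist it into `static const char usage[] = "\ntorctrl (restart)\n\n";` and print it from both error paths. The `#include` header names did not survive rendering on this page, so they could not be checked here.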
@@ -188,6 +188,10 @@ case "$1" in /sbin/iptables -t nat -A POSTROUTING -j OVPNNAT /sbin/iptables -t nat -A POSTROUTING -j IPSECNAT + # TOR + /sbin/iptables -N TOR_INPUT + /sbin/iptables -A INPUT -j TOR_INPUT + # Outgoing Firewall /sbin/iptables -A FORWARD -j OUTGOINGFWMAC diff --git a/src/initscripts/init.d/tor b/src/initscripts/init.d/tor index 82dab68bd..d37617824 100644 --- a/src/initscripts/init.d/tor +++ b/src/initscripts/init.d/tor @@ -9,8 +9,27 @@ . /etc/sysconfig/rc . ${rc_functions} +function setup_firewall() { + eval $(readhash /var/ipfire/tor/settings) + + # Flush all rules. + flush_firewall + + if [ "${TOR_RELAY_ENABLED}" = "on" -a -n "${TOR_RELAY_PORT}" ]; then + iptables -A TOR_INPUT -p tcp --dport "${TOR_RELAY_PORT}" -j ACCEPT + fi +} + +function flush_firewall() { + # Flush all rules. + iptables -F TOR_INPUT +} + case "${1}" in start) + # Setup firewall. + setup_firewall + boot_mesg "Starting tor..." loadproc /usr/bin/tor \ --runasdaemon 1 \ @@ -20,11 +39,17 @@ case "${1}" in ;; stop) + # Flush firewall. + flush_firewall + boot_mesg "Stopping tor..." killproc /usr/bin/tor ;; reload) + # Setup firewall. + setup_firewall + boot_mesg "Reloading tor..." reloadproc /usr/bin/tor ;; From 9e7591e7256f69f80325cf851cbeb0730fa5d5b9 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Wed, 31 Jul 2013 12:55:08 +0200 Subject: [PATCH 28/61] torctrl: Add stop action. --- src/misc-progs/Makefile | 2 +- src/misc-progs/torctrl.c | 8 ++++++-- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile index df5a37038..4d09fbf65 100644 --- a/src/misc-progs/Makefile +++ b/src/misc-progs/Makefile 
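Review bot: The ACCEPT rule added in `setup_firewall`, `iptables -A TOR_INPUT -p tcp --dport "${TOR_RELAY_PORT}" -j ACCEPT`, is not bound to any interface, so the relay or bridge port is opened on every zone the firewall serves, not only the one the relay is meant to be reached from; if only external reachability is intended, limit the rule with `-i` to the external device (the variable source is outside this hunk, so verify it), otherwise document the all-interfaces choice in a comment. The `TOR_INPUT` chain is created only by the updated firewall script, so on a host still running the old one `iptables -F TOR_INPUT` in `flush_firewall` prints an error and the script carries on; a comment noting that the chain is provided by `init.d/firewall` would help the next reader. Because the settings file is pulled in with `eval $(readhash …)`, `TOR_RELAY_PORT` must be guaranteed numeric by whatever writes `/var/ipfire/tor/settings`; that validation is not visible here.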
@@ -165,5 +165,5 @@ wirelessclient: wirelessclient.c setuid.o ../install+setup/libsmooth/varval.o dnsmasqctrl: dnsmasqctrl.c setuid.o ../install+setup/libsmooth/varval.o $(COMPILE) -I../install+setup/libsmooth/ dnsmasqctrl.c setuid.o ../install+setup/libsmooth/varval.o -o $@ -torctrl: toctrl.c setuid.o ../install+setup/libsmooth/varval.o +torctrl: torctrl.c setuid.o ../install+setup/libsmooth/varval.o $(COMPILE) -I../install+setup/libsmooth/ torctrl.c setuid.o ../install+setup/libsmooth/varval.o -o $@ diff --git a/src/misc-progs/torctrl.c b/src/misc-progs/torctrl.c index 686a8da40..39d49561d 100644 --- a/src/misc-progs/torctrl.c +++ b/src/misc-progs/torctrl.c @@ -17,14 +17,18 @@ int main(int argc, char *argv[]) { exit(1); if (argc < 2) { - fprintf(stderr, "\nNo argument given.\n\ntorctrl (restart)\n\n"); + fprintf(stderr, "\nNo argument given.\n\ntorctrl (restart|stop)\n\n"); exit(1); } if (strcmp(argv[1], "restart") == 0) { safe_system("/etc/rc.d/init.d/tor reload-or-restart"); + + } else if (strcmp(argv[1], "stop") == 0) { + safe_system("/etc/rc.d/init.d/tor stop"); + } else { - fprintf(stderr, "\nBad argument given.\n\ntorctrl (restart)\n\n"); + fprintf(stderr, "\nBad argument given.\n\ntorctrl (restart|stop)\n\n"); exit(1); } From d3f2ac3f5d591aa7b78d198feeea75f693ba4910 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Wed, 31 Jul 2013 12:56:17 +0200 Subject: [PATCH 29/61] torctrl: Add new binary to rootfiles. --- config/rootfiles/common/misc-progs | 1 + config/rootfiles/packages/tor | 1 + 2 files changed, 2 insertions(+) diff --git a/config/rootfiles/common/misc-progs b/config/rootfiles/common/misc-progs index a8dac5972..8fd9b0bfc 100644 --- a/config/rootfiles/common/misc-progs +++ b/config/rootfiles/common/misc-progs @@ -32,6 +32,7 @@ usr/local/bin/squidctrl usr/local/bin/sshctrl usr/local/bin/syslogdctrl usr/local/bin/timectrl +#usr/local/bin/torctrl #usr/local/bin/tripwirectrl usr/local/bin/updxlratorctrl usr/local/bin/upnpctrl 
diff --git a/config/rootfiles/packages/tor b/config/rootfiles/packages/tor index 53ca8b0c4..e670be2d5 100644 --- a/config/rootfiles/packages/tor +++ b/config/rootfiles/packages/tor @@ -8,6 +8,7 @@ usr/bin/tor usr/bin/tor-gencert usr/bin/tor-resolve usr/bin/torify +usr/local/bin/torctrl #usr/share/doc/tor #usr/share/doc/tor/tor-gencert.html #usr/share/doc/tor/tor-resolve.html From ae4bf64b6af924b6cace4515daca3e1eeca8184c Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Wed, 31 Jul 2013 12:56:58 +0200 Subject: [PATCH 30/61] core72: Add updated firewall script. --- config/rootfiles/core/72/filelists/files | 1 + 1 file changed, 1 insertion(+) diff --git a/config/rootfiles/core/72/filelists/files b/config/rootfiles/core/72/filelists/files index 7ab00d485..3a1767ca1 100644 --- a/config/rootfiles/core/72/filelists/files +++ b/config/rootfiles/core/72/filelists/files @@ -1,4 +1,5 @@ etc/system-release etc/issue +etc/rc.d/init.d/firewall srv/web/ipfire/cgi-bin/vpnmain.cgi usr/local/bin/openvpnctrl From 6869929e9ac66287494e2da14b0634036d25e588 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Wed, 31 Jul 2013 18:06:05 +0200 Subject: [PATCH 31/61] arm: Don't require distutils. We don't have that module shipped and we don't really need it for arm either. --- lfs/arm | 1 + src/patches/arm-dont-require-distutils.patch | 20 ++++++++++++++++++++ 2 files changed, 21 insertions(+) create mode 100644 src/patches/arm-dont-require-distutils.patch diff --git a/lfs/arm b/lfs/arm index 3c042a42e..2fbf65eac 100644 --- a/lfs/arm +++ b/lfs/arm @@ -77,6 +77,7 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/arm-dont-require-distutils.patch cd $(DIR_APP) && ./install @rm -rf $(DIR_APP) @$(POSTBUILD) 
diff --git a/src/patches/arm-dont-require-distutils.patch b/src/patches/arm-dont-require-distutils.patch new file mode 100644 index 000000000..1fe2b8aff --- /dev/null +++ b/src/patches/arm-dont-require-distutils.patch @@ -0,0 +1,20 @@ +diff -Nur arm.vanilla/src/util/hostnames.py arm/src/util/hostnames.py +--- arm.vanilla/src/util/hostnames.py 2012-04-29 05:59:24.000000000 +0200 ++++ arm/src/util/hostnames.py 2013-07-31 17:59:19.245591564 +0200 +@@ -30,7 +30,6 @@ + import threading + import itertools + import Queue +-import distutils.sysconfig + + from util import log, sysTools + +@@ -264,7 +263,7 @@ + # 'socket.gethostbyaddr'. The following checks if the system has the + # gethostbyname_r function, which determines if python resolutions can be + # done in parallel or not. If so, this is preferable. +- isSocketResolutionParallel = distutils.sysconfig.get_config_var("HAVE_GETHOSTBYNAME_R") ++ isSocketResolutionParallel = True #distutils.sysconfig.get_config_var("HAVE_GETHOSTBYNAME_R") + self.useSocketResolution = CONFIG["queries.hostnames.useSocketModule"] and isSocketResolutionParallel + + for _ in range(CONFIG["queries.hostnames.poolSize"]): From 005db20668d04046ad4a9b256fa17dc961258977 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Wed, 31 Jul 2013 19:11:59 +0200 Subject: [PATCH 32/61] tor.cgi: Minor functionality fixes and layout improvements. --- html/cgi-bin/tor.cgi | 43 ++++++++++++++++++------------------------- 1 file changed, 18 insertions(+), 25 deletions(-) diff --git a/html/cgi-bin/tor.cgi b/html/cgi-bin/tor.cgi index 6b4d9cc1b..2ae9b6aeb 100644 --- a/html/cgi-bin/tor.cgi +++ b/html/cgi-bin/tor.cgi @@ -88,9 +88,6 @@ my $warnmessage = ''; &Header::showhttpheaders(); -# Load settings from file. -&General::readhash("${General::swroot}/tor/settings", \%settings); - # Get GUI values. &Header::getcgihash(\%settings); 
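Review bot: Replacing the `distutils.sysconfig.get_config_var("HAVE_GETHOSTBYNAME_R")` probe with a hard-coded `True` silently asserts that the shipped Python was built with the reentrant `gethostbyname_r`; the comment kept in the hunk says this flag decides whether socket-based resolution may run in parallel, so on a build without it the hostname pool would resolve concurrently through a non-reentrant libc call. If the IPFire Python build is known to have it, state that next to the override instead of leaving the old expression commented out, e.g. `isSocketResolutionParallel = True  # IPFire: distutils is not shipped; Python is built with HAVE_GETHOSTBYNAME_R`. Otherwise `sysconfig.get_config_var("HAVE_GETHOSTBYNAME_R")` from the standard `sysconfig` module (Python 2.7+) gives the original answer without needing distutils.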
@@ -132,6 +129,9 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) { $settings{'ACTION'} = ''; } +# Load settings from file. +&General::readhash("${General::swroot}/tor/settings", \%settings); + &showMainBox(); # Close Tor control connection. @@ -171,21 +171,19 @@ sub showMainBox() { $Lang::tr{'tor enabled'}: - - - + + $Lang::tr{'tor socks port'}: + $Lang::tr{'tor relay enabled'}: - + - + END - &Header::closebox(); - if ($settings{'TOR_ENABLED'} eq 'on') { my @temp = split(",", $settings{'TOR_ALLOWED_SUBNETS'}); $settings{'TOR_ALLOWED_SUBNETS'} = join("\n", @temp); @@ -193,18 +191,10 @@ END @temp = split(",", $settings{'TOR_USE_EXIT_NODES'}); $settings{'TOR_USE_EXIT_NODES'} = join("\n", @temp); - &Header::openbox('100%', 'left', $Lang::tr{'tor configuration'}); - print < - - $Lang::tr{'tor socks port'}: - - - - - +
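Review bot: Moving `&General::readhash` to after the save handling means the stored settings overwrite whatever the request submitted before `showMainBox` renders; when the save succeeded that is what a user expects, but if the save branch above sets `$errormessage` and returns without writing the file, the rejected input is replaced by the old values and has to be retyped — that branch is outside this hunk, so please confirm which case applies. A one-line comment stating the intent would help either way, e.g. `# Re-read the saved settings so the form shows what is on disk, not the submitted values.`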

+
@@ -224,7 +214,9 @@ END
+

+
@@ -250,16 +242,17 @@ END print < -
+
+

END - - &Header::closebox(); } + &Header::closebox(); + if ($settings{'TOR_RELAY_ENABLED'} eq 'on') { $checked{'TOR_RELAY_NOADVERTISE'}{'on'} = ''; $checked{'TOR_RELAY_NOADVERTISE'}{'off'} = ''; @@ -678,9 +671,9 @@ sub BuildConfiguration() { # Restart the service. if (($settings{'TOR_ENABLED'} eq 'on') || ($settings{'TOR_RELAY_ENABLED'} eq 'on')) { - system("/usr/local/bin/torctrl restart"); + system("/usr/local/bin/torctrl restart &>/dev/null"); } else { - system("/usr/local/bin/torctrl stop"); + system("/usr/local/bin/torctrl stop &>/dev/null"); } } From 0830129a3c5065be7d3af416de16481f2d5a612f Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Wed, 31 Jul 2013 19:20:42 +0200 Subject: [PATCH 33/61] WUI: Add Tor menu entry. --- config/menu/EX-tor.menu | 6 ++++++ config/rootfiles/common/configroot | 1 + config/rootfiles/packages/tor | 3 ++- doc/language_issues.es | 1 + doc/language_issues.fr | 1 + doc/language_issues.nl | 1 + doc/language_issues.pl | 1 + doc/language_issues.ru | 1 + doc/language_issues.tr | 1 + doc/language_missings | 4 ++++ langs/de/cgi-bin/de.pl | 1 + langs/en/cgi-bin/en.pl | 1 + 12 files changed, 21 insertions(+), 1 deletion(-) create mode 100644 config/menu/EX-tor.menu diff --git a/config/menu/EX-tor.menu b/config/menu/EX-tor.menu new file mode 100644 index 000000000..00ddffe8d --- /dev/null +++ b/config/menu/EX-tor.menu @@ -0,0 +1,6 @@ +$subipfire->{'50.tor'} = { + 'caption' => $Lang::tr{'tor'}, + 'uri' => '/cgi-bin/tor.cgi', + 'title' => $Lang::tr{'tor'}, + 'enabled' => 1, +}; diff --git a/config/rootfiles/common/configroot b/config/rootfiles/common/configroot index cd33ec496..8965ff70e 100644 --- a/config/rootfiles/common/configroot +++ b/config/rootfiles/common/configroot @@ -91,6 +91,7 @@ var/ipfire/menu.d/70-log.menu #var/ipfire/menu.d/EX-imspector.menu #var/ipfire/menu.d/EX-mpfire.menu #var/ipfire/menu.d/EX-samba.menu +#var/ipfire/menu.d/EX-tor.menu #var/ipfire/menu.d/EX-tripwire.menu #var/ipfire/menu.d/EX-wlanap.menu var/ipfire/modem 
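Review bot: `system("/usr/local/bin/torctrl restart &>/dev/null")` relies on the bash-only `&>` redirection; Perl hands a string containing shell metacharacters to `/bin/sh`, and a POSIX `sh` parses `cmd &>/dev/null` as `cmd &` followed by `>/dev/null`, which backgrounds torctrl and returns at once, so the page may render before tor has actually been restarted or stopped. If `/bin/sh` on IPFire is bash this happens to work, but it is fragile; use the portable form on both lines, `system("/usr/local/bin/torctrl restart >/dev/null 2>&1");` and `system("/usr/local/bin/torctrl stop >/dev/null 2>&1");`. The list form `system("/usr/local/bin/torctrl", "restart")` would avoid the shell altogether, at the cost of not silencing the output. The rest of `BuildConfiguration` is outside this hunk.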
diff --git a/config/rootfiles/packages/tor b/config/rootfiles/packages/tor index e670be2d5..1861f4f49 100644 --- a/config/rootfiles/packages/tor +++ b/config/rootfiles/packages/tor @@ -4,6 +4,7 @@ etc/rc.d/init.d/tor #etc/tor etc/tor/tor-tsocks.conf etc/tor/torrc +srv/web/ipfire/cgi-bin/tor.cgi usr/bin/tor usr/bin/tor-gencert usr/bin/tor-resolve @@ -22,7 +23,7 @@ usr/share/tor usr/share/tor/defaults-torrc usr/share/tor/geoip var/ipfire/backup/addons/includes/tor -srv/web/ipfire/cgi-bin/tor.cgi +var/ipfire/menu.d/EX-tor.menu var/ipfire/tor var/ipfire/tor/settings var/ipfire/tor/torrc diff --git a/doc/language_issues.es b/doc/language_issues.es index 7756f2644..8adc0f4ef 100644 --- a/doc/language_issues.es +++ b/doc/language_issues.es @@ -625,6 +625,7 @@ WARNING: untranslated string: routing table WARNING: untranslated string: server restart WARNING: untranslated string: static routes WARNING: untranslated string: system information +WARNING: untranslated string: tor WARNING: untranslated string: tor accounting WARNING: untranslated string: tor accounting bytes WARNING: untranslated string: tor accounting bytes left diff --git a/doc/language_issues.fr b/doc/language_issues.fr index 21fa1ad17..b5361a7b4 100644 --- a/doc/language_issues.fr +++ b/doc/language_issues.fr @@ -610,6 +610,7 @@ WARNING: untranslated string: server restart WARNING: untranslated string: snort working WARNING: untranslated string: static routes WARNING: untranslated string: system information +WARNING: untranslated string: tor WARNING: untranslated string: tor accounting WARNING: untranslated string: tor accounting bytes WARNING: untranslated string: tor accounting bytes left diff --git a/doc/language_issues.nl b/doc/language_issues.nl index 3a8f682b5..febebf9d1 100644 --- a/doc/language_issues.nl +++ b/doc/language_issues.nl 
@@ -527,6 +527,7 @@ WARNING: untranslated string: route config changed WARNING: untranslated string: routing config added WARNING: untranslated string: routing config changed WARNING: untranslated string: routing table +WARNING: untranslated string: tor WARNING: untranslated string: tor accounting WARNING: untranslated string: tor accounting bytes WARNING: untranslated string: tor accounting bytes left diff --git a/doc/language_issues.pl b/doc/language_issues.pl index 7756f2644..8adc0f4ef 100644 --- a/doc/language_issues.pl +++ b/doc/language_issues.pl @@ -625,6 +625,7 @@ WARNING: untranslated string: routing table WARNING: untranslated string: server restart WARNING: untranslated string: static routes WARNING: untranslated string: system information +WARNING: untranslated string: tor WARNING: untranslated string: tor accounting WARNING: untranslated string: tor accounting bytes WARNING: untranslated string: tor accounting bytes left diff --git a/doc/language_issues.ru b/doc/language_issues.ru index 324c47720..47c2da477 100644 --- a/doc/language_issues.ru +++ b/doc/language_issues.ru @@ -590,6 +590,7 @@ WARNING: untranslated string: routing config changed WARNING: untranslated string: routing table WARNING: untranslated string: server restart WARNING: untranslated string: static routes +WARNING: untranslated string: tor WARNING: untranslated string: tor accounting WARNING: untranslated string: tor accounting bytes WARNING: untranslated string: tor accounting bytes left diff --git a/doc/language_issues.tr b/doc/language_issues.tr index 31a18c92a..6679e73b3 100644 --- a/doc/language_issues.tr +++ b/doc/language_issues.tr 
@@ -523,6 +523,7 @@ WARNING: untranslated string: route config changed WARNING: untranslated string: routing config added WARNING: untranslated string: routing config changed WARNING: untranslated string: routing table +WARNING: untranslated string: tor WARNING: untranslated string: tor accounting WARNING: untranslated string: tor accounting bytes WARNING: untranslated string: tor accounting bytes left diff --git a/doc/language_missings b/doc/language_missings index e47da816f..a9fa8756e 100644 --- a/doc/language_missings +++ b/doc/language_missings @@ -116,6 +116,7 @@ < snort working < static routes < system information +< tor < tor accounting < tor accounting bytes < tor accounting bytes left @@ -346,6 +347,7 @@ < Set time on boot < static routes < system information +< tor < tor accounting < tor accounting bytes < tor accounting bytes left @@ -528,6 +530,7 @@ < qos enter bandwidths < server restart < static routes +< tor < tor accounting < tor accounting bytes < tor accounting bytes left @@ -715,6 +718,7 @@ < qos enter bandwidths < server restart < static routes +< tor < tor accounting < tor accounting bytes < tor accounting bytes left diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 848aaefa2..a21f75ab3 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1797,6 +1797,7 @@ 'tone' => 'Ton', 'tone dial' => 'Tonwahl:', 'too long 80 char max' => ' ist zu lang, es sind maximal 80 Zeichen erlaubt', +'tor' => 'Tor', 'tor accounting' => 'Accounting', 'tor accounting bytes' => 'Traffic (empfangen/gesendet)', 'tor accounting bytes left' => 'übrig', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 150411a4a..b16ecbf84 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl 
@@ -1831,6 +1831,7 @@ 'tone' => 'Tone', 'tone dial' => 'Tone dial:', 'too long 80 char max' => ' is too long, maximum allowed is 80 characters', +'tor' => 'Tor', 'tor accounting' => 'Accounting', 'tor accounting bytes' => 'Traffic (read/written)', 'tor accounting bytes left' => 'left', From cee75a0d96e33b04764d121f43bedeb64b8623f6 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Wed, 31 Jul 2013 19:22:00 +0200 Subject: [PATCH 34/61] tor: Don't ship torify. This will need tsocks, which is not present on IPFire. --- config/rootfiles/packages/tor | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/rootfiles/packages/tor b/config/rootfiles/packages/tor index 1861f4f49..8eb6dad17 100644 --- a/config/rootfiles/packages/tor +++ b/config/rootfiles/packages/tor @@ -8,7 +8,7 @@ srv/web/ipfire/cgi-bin/tor.cgi usr/bin/tor usr/bin/tor-gencert usr/bin/tor-resolve -usr/bin/torify +#usr/bin/torify usr/local/bin/torctrl #usr/share/doc/tor #usr/share/doc/tor/tor-gencert.html From f16bcc3e310ef5118dfbf3258306ab20d6b93916 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Wed, 31 Jul 2013 19:26:37 +0200 Subject: [PATCH 35/61] tor.cgi: Show number of connected relays. --- html/cgi-bin/tor.cgi | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/html/cgi-bin/tor.cgi b/html/cgi-bin/tor.cgi index 2ae9b6aeb..0c173e0cc 100644 --- a/html/cgi-bin/tor.cgi +++ b/html/cgi-bin/tor.cgi @@ -509,10 +509,12 @@ END my @nodes = &TorORConnStatus($torctrl); if (@nodes) { + my $nodes_length = scalar @nodes; print < - $Lang::tr{'tor connected relays'} + $Lang::tr{'tor connected relays'} + ($nodes_length) END From 80002fe433b0a983fbee13c1f4ad6760596531f9 Mon Sep 17 00:00:00 2001 
From: Michael Tremer Date: Thu, 1 Aug 2013 17:38:12 +0200 Subject: [PATCH 36/61] DDNS: Support for all-inkl.com. Requested by Daniel Kovacs . --- config/rootfiles/core/72/filelists/files | 2 ++ html/cgi-bin/ddns.cgi | 2 ++ src/scripts/setddns.pl | 21 +++++++++++++++++++++ 3 files changed, 25 insertions(+) diff --git a/config/rootfiles/core/72/filelists/files b/config/rootfiles/core/72/filelists/files index 7ab00d485..f20186d7b 100644 --- a/config/rootfiles/core/72/filelists/files +++ b/config/rootfiles/core/72/filelists/files @@ -1,4 +1,6 @@ etc/system-release etc/issue +srv/web/ipfire/cgi-bin/ddns.cgi srv/web/ipfire/cgi-bin/vpnmain.cgi usr/local/bin/openvpnctrl +usr/local/bin/setddns.pl diff --git a/html/cgi-bin/ddns.cgi b/html/cgi-bin/ddns.cgi index d840d3946..88847a050 100644 --- a/html/cgi-bin/ddns.cgi +++ b/html/cgi-bin/ddns.cgi @@ -232,6 +232,7 @@ if ($settings{'ACTION'} eq '') &Header::openbigbox('100%', 'left', '', $errormessage); my %checked =(); # Checkbox manipulations +$checked{'SERVICE'}{'all-inkl.com'} = ''; $checked{'SERVICE'}{'cjb.net'} = ''; $checked{'SERVICE'}{'dhs.org'} = ''; $checked{'SERVICE'}{'dnspark.com'} = ''; @@ -327,6 +328,7 @@ print < $Lang::tr{'service'}: - - - - + + + + + + + + + + + + +
$Lang::tr{'tor acls'}
+ $Lang::tr{'tor allowed subnets'}: +
+ +
-
-
-
+
+
+
- - - - - - - - - - + + +
$Lang::tr{'tor exit nodes'}
$Lang::tr{'tor use exit nodes'}:
- + + + + + + + + + - - -
$Lang::tr{'tor exit nodes'}
$Lang::tr{'tor use exit nodes'}:
+ - -
-

+ print < +
+ +
+

END - } &Header::closebox(); - if ($settings{'TOR_RELAY_ENABLED'} eq 'on') { - $checked{'TOR_RELAY_NOADVERTISE'}{'on'} = ''; - $checked{'TOR_RELAY_NOADVERTISE'}{'off'} = ''; - $checked{'TOR_RELAY_NOADVERTISE'}{$settings{'TOR_RELAY_NOADVERTISE'}} = 'checked'; + # Tor relay box + $checked{'TOR_RELAY_NOADVERTISE'}{'on'} = ''; + $checked{'TOR_RELAY_NOADVERTISE'}{'off'} = ''; + $checked{'TOR_RELAY_NOADVERTISE'}{$settings{'TOR_RELAY_NOADVERTISE'}} = 'checked'; - $selected{'TOR_RELAY_MODE'}{'bridge'} = ''; - $selected{'TOR_RELAY_MODE'}{'exit'} = ''; - $selected{'TOR_RELAY_MODE'}{'private-bridge'} = ''; - $selected{'TOR_RELAY_MODE'}{'relay'} = ''; - $selected{'TOR_RELAY_MODE'}{$settings{'TOR_RELAY_MODE'}} = 'selected'; + $selected{'TOR_RELAY_MODE'}{'bridge'} = ''; + $selected{'TOR_RELAY_MODE'}{'exit'} = ''; + $selected{'TOR_RELAY_MODE'}{'private-bridge'} = ''; + $selected{'TOR_RELAY_MODE'}{'relay'} = ''; + $selected{'TOR_RELAY_MODE'}{$settings{'TOR_RELAY_MODE'}} = 'selected'; - $selected{'TOR_RELAY_BANDWIDTH_RATE'}{'0'} = ''; - foreach (@bandwidth_limits) { - $selected{'TOR_RELAY_BANDWIDTH_RATE'}{$_} = ''; - } - $selected{'TOR_RELAY_BANDWIDTH_RATE'}{$settings{'TOR_RELAY_BANDWIDTH_RATE'}} = 'selected'; - - $selected{'TOR_RELAY_BANDWIDTH_BURST'}{'0'} = ''; - foreach (@bandwidth_limits) { - $selected{'TOR_RELAY_BANDWIDTH_BURST'}{$_} = ''; - } - $selected{'TOR_RELAY_BANDWIDTH_BURST'}{$settings{'TOR_RELAY_BANDWIDTH_BURST'}} = 'selected'; - - foreach (@accounting_periods) { - $selected{'TOR_RELAY_ACCOUNTING_PERIOD'}{$_} = ''; - } - $selected{'TOR_RELAY_ACCOUNTING_PERIOD'}{$settings{'TOR_RELAY_ACCOUNTING_PERIOD'}} = 'selected'; - - &Header::openbox('100%', 'left', $Lang::tr{'tor relay configuration'}); - - print < - - $Lang::tr{'tor relay mode'}: - - - - $Lang::tr{'tor relay port'}: - - - - - - $Lang::tr{'tor relay address'}: * - - - - $Lang::tr{'tor do not advertise relay'}: - - - - - - $Lang::tr{'tor relay nickname'}: * - - - - - - - $Lang::tr{'tor contact info'}: * - - - - - - 
-
- - - - - - - - - - - - - - - - - -
$Lang::tr{'tor bandwidth settings'}
$Lang::tr{'tor bandwidth rate'}: - - $Lang::tr{'tor accounting limit'}: - -
$Lang::tr{'tor bandwidth burst'}: - - $Lang::tr{'tor accounting period'}: -
-END - - &Header::closebox(); + $selected{'TOR_RELAY_BANDWIDTH_RATE'}{'0'} = ''; + foreach (@bandwidth_limits) { + $selected{'TOR_RELAY_BANDWIDTH_RATE'}{$_} = ''; } + $selected{'TOR_RELAY_BANDWIDTH_RATE'}{$settings{'TOR_RELAY_BANDWIDTH_RATE'}} = 'selected'; + + $selected{'TOR_RELAY_BANDWIDTH_BURST'}{'0'} = ''; + foreach (@bandwidth_limits) { + $selected{'TOR_RELAY_BANDWIDTH_BURST'}{$_} = ''; + } + $selected{'TOR_RELAY_BANDWIDTH_BURST'}{$settings{'TOR_RELAY_BANDWIDTH_BURST'}} = 'selected'; + + foreach (@accounting_periods) { + $selected{'TOR_RELAY_ACCOUNTING_PERIOD'}{$_} = ''; + } + $selected{'TOR_RELAY_ACCOUNTING_PERIOD'}{$settings{'TOR_RELAY_ACCOUNTING_PERIOD'}} = 'selected'; + + &Header::openbox('100%', 'left', $Lang::tr{'tor relay configuration'}); + + print < + + $Lang::tr{'tor relay mode'}: + + + + $Lang::tr{'tor relay port'}: + + + + + + $Lang::tr{'tor relay address'}: * + + + + $Lang::tr{'tor do not advertise relay'}: + + + + + + $Lang::tr{'tor relay nickname'}: * + + + + + + + $Lang::tr{'tor contact info'}: * + + + + + + +
+ + + + + + + + + + + + + + + + + +
$Lang::tr{'tor bandwidth settings'}
$Lang::tr{'tor bandwidth rate'}: + + $Lang::tr{'tor accounting limit'}: + +
$Lang::tr{'tor bandwidth burst'}: + + $Lang::tr{'tor accounting period'}: +
+END + + &Header::closebox(); print < From dfdda7588d53a32a007ad2be47fe9aa67141d962 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Sat, 3 Aug 2013 13:36:19 +0200 Subject: [PATCH 48/61] DDNS: Use HTTPS for all-inkl.com. --- src/scripts/setddns.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/scripts/setddns.pl b/src/scripts/setddns.pl index 0833b49c0..f943ac83e 100644 --- a/src/scripts/setddns.pl +++ b/src/scripts/setddns.pl @@ -158,7 +158,7 @@ if ($ip ne $ipcache) { Net::SSLeay::set_proxy($peer,$peerport,$proxysettings{'UPSTREAM_USER'},$proxysettings{'UPSTREAM_PASSWORD'} ); } - my ($out, $response) = Net::SSLeay::get_http("dyndns.kasserver.com", 80, "/", Net::SSLeay::make_headers( + my ($out, $response) = Net::SSLeay::get_https("dyndns.kasserver.com", 443, "/", Net::SSLeay::make_headers( 'User-Agent' => 'IPFire', 'Authorization' => 'Basic ' . encode_base64("$settings{'LOGIN'}:$settings{'PASSWORD'}") )); From 726a85b8c10d4b991c7944b19a1f4c54621c5079 Mon Sep 17 00:00:00 2001 From: Arne Fitzenreiter Date: Tue, 6 Aug 2013 15:01:26 +0200 Subject: [PATCH 49/61] samba: update to 3.6.17. --- lfs/samba | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lfs/samba b/lfs/samba index cf7b4b9df..b5980087f 100644 --- a/lfs/samba +++ b/lfs/samba @@ -24,7 +24,7 @@ include Config -VER = 3.6.16 +VER = 3.6.17 THISAPP = samba-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = samba -PAK_VER = 50 +PAK_VER = 51 DEPS = "cups" @@ -44,7 +44,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 12c6785802813c2c5bf66e5c4c4e1d93 +$(DL_FILE)_MD5 = c67c3330545c8f1f7ee26e017c28439b install : $(TARGET) From 7323724196db7b63d83bea9774e2b1356b1854aa Mon Sep 17 00:00:00 2001 
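Review bot: Switching to `Net::SSLeay::get_https(…, 443, …)` protects the Basic-auth credentials against passive sniffing, but as far as this hunk shows no certificate verification is configured, and `get_https` does not validate the peer certificate on its own, so an on-path attacker presenting any certificate for `dyndns.kasserver.com` still obtains the login and password. If the commit is meant as a security fix, that limitation should at least be documented next to the call: `# NOTE: get_https does not validate the server certificate; this defends against passive sniffing only.` Proper verification (a CA bundle plus a verify callback, or `IO::Socket::SSL`) is a larger change and presumably applies to the other providers in this script as well.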
From: Michael Tremer Date: Wed, 7 Aug 2013 22:15:31 +0200 Subject: [PATCH 50/61] squid: Fix two security issues. * CVE-2013-4115 * CVE-2013-4123 http://www.squid-cache.org/Versions/v3/3.1/changesets/ --- config/rootfiles/core/72/filelists/squid | 1 + lfs/squid | 3 + src/patches/squid-3.1-10486.patch | 54 ++++++++++++++++++ src/patches/squid-3.1-10487.patch | 73 ++++++++++++++++++++++++ 4 files changed, 131 insertions(+) create mode 120000 config/rootfiles/core/72/filelists/squid create mode 100644 src/patches/squid-3.1-10486.patch create mode 100644 src/patches/squid-3.1-10487.patch diff --git a/config/rootfiles/core/72/filelists/squid b/config/rootfiles/core/72/filelists/squid new file mode 120000 index 000000000..2dc8372a0 --- /dev/null +++ b/config/rootfiles/core/72/filelists/squid @@ -0,0 +1 @@ +../../../common/squid \ No newline at end of file diff --git a/lfs/squid b/lfs/squid index fde8606db..81118c2c3 100644 --- a/lfs/squid +++ b/lfs/squid @@ -71,6 +71,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar xjf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid-3.1-10486.patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid-3.1-10487.patch + cd $(DIR_APP) && ./configure --prefix=/usr --disable-nls \ --datadir=/usr/lib/squid \ --mandir=/usr/share/man --libexecdir=/usr/lib/squid \ diff --git a/src/patches/squid-3.1-10486.patch b/src/patches/squid-3.1-10486.patch new file mode 100644 index 000000000..6a0388e5b --- /dev/null +++ b/src/patches/squid-3.1-10486.patch 
@@ -0,0 +1,54 @@ +------------------------------------------------------------ +revno: 10486 +revision-id: squid3@treenet.co.nz-20130222111325-zizr296kq3te4g7h +parent: squid3@treenet.co.nz-20130109021503-hqg7ufldrudpzr9l +fixes bug(s): http://bugs.squid-cache.org/show_bug.cgi?id=3790 +author: Reinhard Sojka +committer: Amos Jeffries +branch nick: SQUID_3_1 +timestamp: Fri 2013-02-22 04:13:25 -0700 +message: + Bug 3790: cachemgr.cgi crash with authentication +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3@treenet.co.nz-20130222111325-zizr296kq3te4g7h +# target_branch: http://bzr.squid-cache.org/bzr/squid3/branches\ +# /SQUID_3_1 +# testament_sha1: 121adf68a9c3b2eca766cfb768256b6b57d9816b +# timestamp: 2013-02-22 11:17:18 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/branches\ +# /SQUID_3_1 +# base_revision_id: squid3@treenet.co.nz-20130109021503-\ +# hqg7ufldrudpzr9l +# +# Begin patch +=== modified file 'tools/cachemgr.cc' +--- tools/cachemgr.cc 2013-01-08 23:11:51 +0000 ++++ tools/cachemgr.cc 2013-02-22 11:13:25 +0000 +@@ -1162,7 +1162,6 @@ + { + static char buf[1024]; + size_t stringLength = 0; +- const char *str64; + + if (!req->passwd) + return ""; +@@ -1171,15 +1170,12 @@ + req->user_name ? req->user_name : "", + req->passwd); + +- str64 = base64_encode(buf); +- +- stringLength += snprintf(buf, sizeof(buf), "Authorization: Basic %s\r\n", str64); ++ stringLength += snprintf(buf, sizeof(buf), "Authorization: Basic %s\r\n", base64_encode(buf)); + + assert(stringLength < sizeof(buf)); + +- snprintf(&buf[stringLength], sizeof(buf) - stringLength, "Proxy-Authorization: Basic %s\r\n", str64); ++ snprintf(&buf[stringLength], sizeof(buf) - stringLength, "Proxy-Authorization: Basic %s\r\n", base64_encode(buf)); + +- xxfree(str64); + return buf; + } + + 
diff --git a/src/patches/squid-3.1-10487.patch b/src/patches/squid-3.1-10487.patch new file mode 100644 index 000000000..2ca4848c2 --- /dev/null +++ b/src/patches/squid-3.1-10487.patch 
@@ -0,0 +1,73 @@ +------------------------------------------------------------ +revno: 10487 +revision-id: squid3@treenet.co.nz-20130710124748-2n6111r04xsi71vx +parent: squid3@treenet.co.nz-20130222111325-zizr296kq3te4g7h +author: Nathan Hoad +committer: Amos Jeffries +branch nick: SQUID_3_1 +timestamp: Wed 2013-07-10 06:47:48 -0600 +message: + Protect against buffer overrun in DNS query generation + + see SQUID-2013:2. + + This bug has been present as long as the internal DNS component however + most code reaching this point is passing through URL validation first. + With Squid-3.2 Host header verification using DNS directly we may have + problems. +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3@treenet.co.nz-20130710124748-2n6111r04xsi71vx +# target_branch: http://bzr.squid-cache.org/bzr/squid3/branches\ +# /SQUID_3_1 +# testament_sha1: b5be85c8876ce15ec8fa173845e61755b6942fe0 +# timestamp: 2013-07-10 12:48:57 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/branches\ +# /SQUID_3_1 +# base_revision_id: squid3@treenet.co.nz-20130222111325-\ +# zizr296kq3te4g7h +# +# Begin patch +=== modified file 'src/dns_internal.cc' +--- src/dns_internal.cc 2011-10-11 02:12:56 +0000 ++++ src/dns_internal.cc 2013-07-10 12:47:48 +0000 +@@ -1532,22 +1532,26 @@ + void + idnsALookup(const char *name, IDNSCB * callback, void *data) + { +- unsigned int i; ++ size_t nameLength = strlen(name); ++ ++ // Prevent buffer overflow on q->name ++ if (nameLength > NS_MAXDNAME) { ++ debugs(23, DBG_IMPORTANT, "SECURITY ALERT: DNS name too long to perform lookup: '" << name << "'. 
see access.log for details."); ++ callback(data, NULL, 0, "Internal error"); ++ return; ++ } ++ ++ if (idnsCachedLookup(name, callback, data)) ++ return; ++ ++ idns_query *q = cbdataAlloc(idns_query); ++ q->id = idnsQueryID(); + int nd = 0; +- idns_query *q; +- +- if (idnsCachedLookup(name, callback, data)) +- return; +- +- q = cbdataAlloc(idns_query); +- +- q->id = idnsQueryID(); +- +- for (i = 0; i < strlen(name); i++) ++ for (unsigned int i = 0; i < nameLength; ++i) + if (name[i] == '.') + nd++; + +- if (Config.onoff.res_defnames && npc > 0 && name[strlen(name)-1] != '.') { ++ if (Config.onoff.res_defnames && npc > 0 && name[nameLength-1] != '.') { + q->do_searchpath = 1; + } else { + q->do_searchpath = 0; + From bfcb3212dc3f316368f4632b1adf4579b586200f Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Sat, 10 Aug 2013 11:08:25 +0200 Subject: [PATCH 51/61] OpenVPN verify: Fix login for RW clients with >= 2 spaces in name. http://forum.ipfire.org/index.php?topic=8702.0 --- config/ovpn/verify | 2 +- config/rootfiles/core/72/filelists/files | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/config/ovpn/verify b/config/ovpn/verify index 72334296c..44ed1105d 100644 --- a/config/ovpn/verify +++ b/config/ovpn/verify @@ -49,7 +49,7 @@ if (-f "${General::swroot}/ovpn/ovpnconfig"){ exit 0 if ($cn eq $CN); # Compatibility code for incorrectly saved CNs. - $cn =~ s/\ /_/; + $cn =~ s/\ /_/g; exit 0 if ($cn eq $CN); } } diff --git a/config/rootfiles/core/72/filelists/files b/config/rootfiles/core/72/filelists/files index f25463113..baa5d6cc4 100644 --- a/config/rootfiles/core/72/filelists/files +++ b/config/rootfiles/core/72/filelists/files @@ -5,3 +5,4 @@ srv/web/ipfire/cgi-bin/ddns.cgi srv/web/ipfire/cgi-bin/vpnmain.cgi usr/local/bin/openvpnctrl usr/local/bin/setddns.pl +var/ipfire/ovpn/verify From 919a50208bc63214cda9c0cab7845c8f9391b8c2 Mon Sep 17 00:00:00 2001 
From: Michael Tremer Date: Sat, 10 Aug 2013 12:14:29 +0200 Subject: [PATCH 52/61] tor.cgi: Remove NoAdvertise option. This does not make much sense with our setup. --- doc/language_issues.es | 1 - doc/language_issues.fr | 1 - doc/language_issues.nl | 1 - doc/language_issues.pl | 1 - doc/language_issues.ru | 1 - doc/language_issues.tr | 1 - doc/language_missings | 4 ---- html/cgi-bin/tor.cgi | 28 ++++++---------------------- langs/de/cgi-bin/de.pl | 1 - langs/en/cgi-bin/en.pl | 1 - 10 files changed, 6 insertions(+), 34 deletions(-) diff --git a/doc/language_issues.es b/doc/language_issues.es index 9d241abb9..790ce1acc 100644 --- a/doc/language_issues.es +++ b/doc/language_issues.es @@ -642,7 +642,6 @@ WARNING: untranslated string: tor common settings WARNING: untranslated string: tor configuration WARNING: untranslated string: tor connected relays WARNING: untranslated string: tor contact info -WARNING: untranslated string: tor do not advertise relay WARNING: untranslated string: tor enabled WARNING: untranslated string: tor errmsg invalid accounting limit WARNING: untranslated string: tor errmsg invalid ip or mask diff --git a/doc/language_issues.fr b/doc/language_issues.fr index dffd62024..41d8d9d78 100644 --- a/doc/language_issues.fr +++ b/doc/language_issues.fr @@ -627,7 +627,6 @@ WARNING: untranslated string: tor common settings WARNING: untranslated string: tor configuration WARNING: untranslated string: tor connected relays WARNING: untranslated string: tor contact info -WARNING: untranslated string: tor do not advertise relay WARNING: untranslated string: tor enabled WARNING: untranslated string: tor errmsg invalid accounting limit WARNING: untranslated string: tor errmsg invalid ip or mask diff --git a/doc/language_issues.nl b/doc/language_issues.nl index b57eaeabf..46838b024 100644 --- a/doc/language_issues.nl +++ b/doc/language_issues.nl 
@@ -544,7 +544,6 @@ WARNING: untranslated string: tor common settings WARNING: untranslated string: tor configuration WARNING: untranslated string: tor connected relays WARNING: untranslated string: tor contact info -WARNING: untranslated string: tor do not advertise relay WARNING: untranslated string: tor enabled WARNING: untranslated string: tor errmsg invalid accounting limit WARNING: untranslated string: tor errmsg invalid ip or mask diff --git a/doc/language_issues.pl b/doc/language_issues.pl index 9d241abb9..790ce1acc 100644 --- a/doc/language_issues.pl +++ b/doc/language_issues.pl @@ -642,7 +642,6 @@ WARNING: untranslated string: tor common settings WARNING: untranslated string: tor configuration WARNING: untranslated string: tor connected relays WARNING: untranslated string: tor contact info -WARNING: untranslated string: tor do not advertise relay WARNING: untranslated string: tor enabled WARNING: untranslated string: tor errmsg invalid accounting limit WARNING: untranslated string: tor errmsg invalid ip or mask diff --git a/doc/language_issues.ru b/doc/language_issues.ru index 0a468036c..670069683 100644 --- a/doc/language_issues.ru +++ b/doc/language_issues.ru @@ -607,7 +607,6 @@ WARNING: untranslated string: tor common settings WARNING: untranslated string: tor configuration WARNING: untranslated string: tor connected relays WARNING: untranslated string: tor contact info -WARNING: untranslated string: tor do not advertise relay WARNING: untranslated string: tor enabled WARNING: untranslated string: tor errmsg invalid accounting limit WARNING: untranslated string: tor errmsg invalid ip or mask diff --git a/doc/language_issues.tr b/doc/language_issues.tr index a9d565933..6c4502fd6 100644 --- a/doc/language_issues.tr +++ b/doc/language_issues.tr 
@@ -540,7 +540,6 @@ WARNING: untranslated string: tor common settings WARNING: untranslated string: tor configuration WARNING: untranslated string: tor connected relays WARNING: untranslated string: tor contact info -WARNING: untranslated string: tor do not advertise relay WARNING: untranslated string: tor enabled WARNING: untranslated string: tor errmsg invalid accounting limit WARNING: untranslated string: tor errmsg invalid ip or mask diff --git a/doc/language_missings b/doc/language_missings index 6aac6b857..3c611e617 100644 --- a/doc/language_missings +++ b/doc/language_missings @@ -136,7 +136,6 @@ < tor configuration < tor connected relays < tor contact info -< tor do not advertise relay < tor enabled < tor errmsg invalid accounting limit < tor errmsg invalid ip or mask @@ -372,7 +371,6 @@ < tor configuration < tor connected relays < tor contact info -< tor do not advertise relay < tor enabled < tor errmsg invalid accounting limit < tor errmsg invalid ip or mask @@ -560,7 +558,6 @@ < tor configuration < tor connected relays < tor contact info -< tor do not advertise relay < tor enabled < tor errmsg invalid accounting limit < tor errmsg invalid ip or mask @@ -753,7 +750,6 @@ < tor configuration < tor connected relays < tor contact info -< tor do not advertise relay < tor enabled < tor errmsg invalid accounting limit < tor errmsg invalid ip or mask diff --git a/html/cgi-bin/tor.cgi b/html/cgi-bin/tor.cgi index 2b578810d..2a31dd4bf 100644 --- a/html/cgi-bin/tor.cgi +++ b/html/cgi-bin/tor.cgi @@ -77,7 +77,6 @@ $settings{'TOR_RELAY_ADDRESS'} = ''; $settings{'TOR_RELAY_PORT'} = 9001; $settings{'TOR_RELAY_NICKNAME'} = ''; $settings{'TOR_RELAY_CONTACT_INFO'} = ''; -$settings{'TOR_RELAY_NOADVERTISE'} = 'off'; $settings{'TOR_RELAY_BANDWIDTH_RATE'} = 0; $settings{'TOR_RELAY_BANDWIDTH_BURST'} = 0; $settings{'TOR_RELAY_ACCOUNTING_LIMIT'} = 0; 
@@ -283,10 +282,6 @@ END &Header::closebox(); # Tor relay box - $checked{'TOR_RELAY_NOADVERTISE'}{'on'} = ''; - $checked{'TOR_RELAY_NOADVERTISE'}{'off'} = ''; - $checked{'TOR_RELAY_NOADVERTISE'}{$settings{'TOR_RELAY_NOADVERTISE'}} = 'checked'; - $selected{'TOR_RELAY_MODE'}{'bridge'} = ''; $selected{'TOR_RELAY_MODE'}{'exit'} = ''; $selected{'TOR_RELAY_MODE'}{'private-bridge'} = ''; @@ -324,9 +319,9 @@ END - $Lang::tr{'tor relay port'}: + $Lang::tr{'tor relay nickname'}: * - + @@ -334,22 +329,15 @@ END - $Lang::tr{'tor do not advertise relay'}: + $Lang::tr{'tor relay port'}: - + - - $Lang::tr{'tor relay nickname'}: * - - - - - $Lang::tr{'tor contact info'}: * - + @@ -628,11 +616,7 @@ sub BuildConfiguration() { # Reject access to private networks. print FILE "ExitPolicyRejectPrivate 1\n"; - print FILE "ORPort $settings{'TOR_RELAY_PORT'}"; - if ($settings{'TOR_RELAY_NOADVERTISE'} eq 'on') { - print FILE " NoAdvertise"; - } - print FILE "\n"; + print FILE "ORPort $settings{'TOR_RELAY_PORT'}\n"; if ($settings{'TOR_RELAY_ADDRESS'} ne '') { print FILE "Address $settings{'TOR_RELAY_ADDRESS'}\n"; diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 021682f70..a0c426f3f 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1817,7 +1817,6 @@ 'tor configuration' => 'Tor-Konfiguration', 'tor connected relays' => 'Verbundene Relays', 'tor contact info' => 'Kontaktinformationen', -'tor do not advertise relay' => 'Relay nicht announcieren', 'tor enabled' => 'Tor einschalten', 'tor errmsg invalid accounting limit' => 'Ungültiges Accounting-Limit', 'tor errmsg invalid ip or mask' => 'Ungültiges IP-Subnetz', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 2e04c468d..b12ae7d2e 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl 
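Review bot: In `BuildConfiguration`, `$settings{'TOR_RELAY_PORT'}` is now interpolated straight into the `ORPort` line of the generated torrc; if the value is only validated when the form is submitted (the `tor errmsg ...` language strings suggest it is), a hand-edited or corrupted settings file could still smuggle a newline and extra directives into torrc. Coercing it at the point of use, `print FILE "ORPort " . int($settings{'TOR_RELAY_PORT'}) . "\n";`, makes the generator robust on its own, at the cost of turning garbage into `ORPort 0`, which I believe tor treats as "no OR listener" rather than as injected configuration. The earlier hunks in this file section only move form rows around and their markup was stripped in this view, so I have not reviewed them; `sub BuildConfiguration()` starts and ends outside the hunk.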
@@ -1852,7 +1852,6 @@ 'tor configuration' => 'Tor Configuration', 'tor connected relays' => 'Connected relays', 'tor contact info' => 'Contact Info', -'tor do not advertise relay' => 'Do not advertise the relay', 'tor enabled' => 'Enable Tor', 'tor errmsg invalid accounting limit' => 'Invalid accounting limit', 'tor errmsg invalid ip or mask' => 'Invalid IP subnet', From ba47633494e56d63a23ee54377007772aa59cbfb Mon Sep 17 00:00:00 2001 From: Arne Fitzenreiter Date: Sat, 10 Aug 2013 18:48:16 +0200 Subject: [PATCH 53/61] snort: enable non-ether-decoder for ppp support. --- config/rootfiles/core/72/exclude | 1 + config/rootfiles/core/72/filelists/snort | 1 + config/rootfiles/core/72/update.sh | 3 ++- lfs/snort | 1 + 4 files changed, 5 insertions(+), 1 deletion(-) create mode 120000 config/rootfiles/core/72/filelists/snort diff --git a/config/rootfiles/core/72/exclude b/config/rootfiles/core/72/exclude index 321a931ca..a524207cb 100644 --- a/config/rootfiles/core/72/exclude +++ b/config/rootfiles/core/72/exclude @@ -15,3 +15,4 @@ etc/ssh/ssh_config etc/ssh/sshd_config etc/ssl/openssl.cnf var/state/dhcp/dhcpd.leases +etc/snort/snort.conf diff --git a/config/rootfiles/core/72/filelists/snort b/config/rootfiles/core/72/filelists/snort new file mode 120000 index 000000000..9406ce01c --- /dev/null +++ b/config/rootfiles/core/72/filelists/snort @@ -0,0 +1 @@ +../../../common/snort \ No newline at end of file diff --git a/config/rootfiles/core/72/update.sh b/config/rootfiles/core/72/update.sh index 4a5b943ad..6ed39c532 100644 --- a/config/rootfiles/core/72/update.sh +++ b/config/rootfiles/core/72/update.sh @@ -35,7 +35,7 @@ done # #Stop services ipsec stop - +/etc/init.d/snort stop # #Extract files @@ -44,6 +44,7 @@ extract_files # #Start services +/etc/init.d/snort start ipsec start # diff --git a/lfs/snort b/lfs/snort index daec62113..a15599c2b 100644 --- a/lfs/snort +++ b/lfs/snort 
@@ -75,6 +75,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) --enable-linux-smp-stats --enable-smb-alerts \ --enable-gre --enable-mpls --enable-targetbased \ --enable-decoder-preprocessor-rules --enable-ppm \ + --enable-non-ether-decoders \ --enable-perfprofiling --enable-zlib --enable-active-response \ --enable-normalizer --enable-reload --enable-react --enable-flexresp3 cd $(DIR_APP) && make From 7bcfd0dd83873ac476cb49caceb753abb64dfc7f Mon Sep 17 00:00:00 2001 From: Arne Fitzenreiter Date: Sat, 10 Aug 2013 20:09:03 +0200 Subject: [PATCH 54/61] daq: update to 2.0.1. --- config/rootfiles/common/daq | 2 +- config/rootfiles/core/72/filelists/daq | 1 + lfs/daq | 6 +++--- 3 files changed, 5 insertions(+), 4 deletions(-) create mode 120000 config/rootfiles/core/72/filelists/daq diff --git a/config/rootfiles/common/daq b/config/rootfiles/common/daq index 10ec777b2..4467545ae 100644 --- a/config/rootfiles/common/daq +++ b/config/rootfiles/common/daq @@ -21,7 +21,7 @@ usr/lib/daq #usr/lib/libdaq.la #usr/lib/libdaq.so usr/lib/libdaq.so.2 -usr/lib/libdaq.so.2.0.0 +usr/lib/libdaq.so.2.0.1 #usr/lib/libdaq_static.a #usr/lib/libdaq_static.la #usr/lib/libdaq_static_modules.a diff --git a/config/rootfiles/core/72/filelists/daq b/config/rootfiles/core/72/filelists/daq new file mode 120000 index 000000000..d0e0956f2 --- /dev/null +++ b/config/rootfiles/core/72/filelists/daq @@ -0,0 +1 @@ +../../../common/daq \ No newline at end of file diff --git a/lfs/daq b/lfs/daq index cac012bec..e6fd8fbdf 100644 --- a/lfs/daq +++ b/lfs/daq @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007 Michael Tremer & Christian Schmidt # +# Copyright (C) 2007-2013 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # 
@@ -24,7 +24,7 @@ include Config -VER = 2.0.0 +VER = 2.0.1 THISAPP = daq-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = a00855a153647df76d47f1ea454f74ae +$(DL_FILE)_MD5 = 044aa3663d44580d005293eeb8ccf175 install : $(TARGET) From f2665db1adb48ecbdfc59619c4693525be21974a Mon Sep 17 00:00:00 2001 From: Arne Fitzenreiter Date: Sat, 10 Aug 2013 20:10:00 +0200 Subject: [PATCH 55/61] snort: update to 2.9.5.3. --- config/rootfiles/core/72/filelists/files | 1 + html/cgi-bin/ids.cgi | 2 +- lfs/snort | 4 ++-- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/config/rootfiles/core/72/filelists/files b/config/rootfiles/core/72/filelists/files index baa5d6cc4..47eb3585d 100644 --- a/config/rootfiles/core/72/filelists/files +++ b/config/rootfiles/core/72/filelists/files @@ -2,6 +2,7 @@ etc/system-release etc/issue etc/rc.d/init.d/firewall srv/web/ipfire/cgi-bin/ddns.cgi +srv/web/ipfire/cgi-bin/ids.cgi srv/web/ipfire/cgi-bin/vpnmain.cgi usr/local/bin/openvpnctrl usr/local/bin/setddns.pl diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 62bb03a2b..4bd0128cb 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -263,7 +263,7 @@ if (-e "/etc/snort/snort.conf") { ####################### End added for snort rules control ################################# if ($snortsettings{'RULES'} eq 'subscripted') { - $url=" http://www.snort.org/sub-rules/snortrules-snapshot-2950.tar.gz/$snortsettings{'OINKCODE'}"; + $url=" http://www.snort.org/sub-rules/snortrules-snapshot-2953.tar.gz/$snortsettings{'OINKCODE'}"; } elsif ($snortsettings{'RULES'} eq 'registered') { $url=" http://www.snort.org/reg-rules/snortrules-snapshot-2950.tar.gz/$snortsettings{'OINKCODE'}"; } elsif ($snortsettings{'RULES'} eq 'community') { diff --git a/lfs/snort b/lfs/snort index a15599c2b..2d5d04a12 100644 --- a/lfs/snort +++ b/lfs/snort 
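Review bot: Only the `subscripted` URL is moved to the 2953 snapshot; the `registered` branch on the context line directly below still fetches `snortrules-snapshot-2950.tar.gz`, which looks like an oversight now that snort is 2.9.5.3, so `$url=" http://www.snort.org/reg-rules/snortrules-snapshot-2953.tar.gz/$snortsettings{'OINKCODE'}";` would keep the two in step (or a comment if the lag is deliberate). Separately, the oinkcode is the user's credential for snort.org and it travels in a plain-http URL, visible to anyone on the path; if snort.org serves these downloads over https, switching the scheme would protect both the credential and the integrity of the rule archive. The `if`/`elsif` chain starts and ends outside the hunk.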
@@ -24,7 +24,7 @@ include Config -VER = 2.9.5 +VER = 2.9.5.3 THISAPP = snort-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = f5fc0e176afca5989d47509478758fc7 +$(DL_FILE)_MD5 = f99465c0734a6173bfca899dcb72266b install : $(TARGET) From b9c6c0ecd3b2eb67025dcfcc7ae5a2920c7440c8 Mon Sep 17 00:00:00 2001 From: Arne Fitzenreiter Date: Sun, 11 Aug 2013 09:33:25 +0200 Subject: [PATCH 56/61] core72: add language files to update. --- config/rootfiles/core/72/filelists/files | 1 + config/rootfiles/core/72/update.sh | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/config/rootfiles/core/72/filelists/files b/config/rootfiles/core/72/filelists/files index 47eb3585d..fe7ddcc18 100644 --- a/config/rootfiles/core/72/filelists/files +++ b/config/rootfiles/core/72/filelists/files @@ -6,4 +6,5 @@ srv/web/ipfire/cgi-bin/ids.cgi srv/web/ipfire/cgi-bin/vpnmain.cgi usr/local/bin/openvpnctrl usr/local/bin/setddns.pl +var/ipfire/langs var/ipfire/ovpn/verify diff --git a/config/rootfiles/core/72/update.sh b/config/rootfiles/core/72/update.sh index 6ed39c532..11664f420 100644 --- a/config/rootfiles/core/72/update.sh +++ b/config/rootfiles/core/72/update.sh @@ -49,7 +49,7 @@ ipsec start # #Update Language cache -#perl -e "require '/var/ipfire/lang.pl'; &Lang::BuildCacheLang" +perl -e "require '/var/ipfire/lang.pl'; &Lang::BuildCacheLang" sync From 93443c472f1e7f8bf9df4f5daa3cbc16ac20e182 Mon Sep 17 00:00:00 2001 From: Arne Fitzenreiter Date: Sun, 11 Aug 2013 09:34:52 +0200 Subject: [PATCH 57/61] core72: stop/start squid while update. --- config/rootfiles/core/72/update.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/config/rootfiles/core/72/update.sh b/config/rootfiles/core/72/update.sh index 11664f420..15d1bf2f9 100644 --- a/config/rootfiles/core/72/update.sh +++ b/config/rootfiles/core/72/update.sh 
@@ -36,6 +36,7 @@ done #Stop services ipsec stop /etc/init.d/snort stop +/etc/init.d/squid stop # #Extract files @@ -44,6 +45,7 @@ extract_files # #Start services +/etc/init.d/squid start /etc/init.d/snort start ipsec start From 9d838dad03acbe38447df8db970bc472f3abe584 Mon Sep 17 00:00:00 2001 From: Arne Fitzenreiter Date: Sun, 11 Aug 2013 09:40:03 +0200 Subject: [PATCH 58/61] core72: add ovpnmain.cgi to update. --- config/rootfiles/core/72/filelists/files | 1 + html/cgi-bin/wirelessclient.cgi | 0 2 files changed, 1 insertion(+) mode change 100755 => 100644 html/cgi-bin/wirelessclient.cgi diff --git a/config/rootfiles/core/72/filelists/files b/config/rootfiles/core/72/filelists/files index fe7ddcc18..e8f90a120 100644 --- a/config/rootfiles/core/72/filelists/files +++ b/config/rootfiles/core/72/filelists/files @@ -4,6 +4,7 @@ etc/rc.d/init.d/firewall srv/web/ipfire/cgi-bin/ddns.cgi srv/web/ipfire/cgi-bin/ids.cgi srv/web/ipfire/cgi-bin/vpnmain.cgi +srv/web/ipfire/cgi-bin/ovpnmain.cgi usr/local/bin/openvpnctrl usr/local/bin/setddns.pl var/ipfire/langs diff --git a/html/cgi-bin/wirelessclient.cgi b/html/cgi-bin/wirelessclient.cgi old mode 100755 new mode 100644 From bdc9033f08bce0c76f7d134de4a21e2b11f3671e Mon Sep 17 00:00:00 2001 From: Arne Fitzenreiter Date: Sun, 11 Aug 2013 09:40:54 +0200 Subject: [PATCH 59/61] core72: allow to update "ovpn verify script". Don't forget to readd this exclude to next core updater to prevent overwrite the user ca at a openvpn update. --- config/rootfiles/core/72/exclude | 1 - 1 file changed, 1 deletion(-) diff --git a/config/rootfiles/core/72/exclude b/config/rootfiles/core/72/exclude index a524207cb..e8ae55d97 100644 --- a/config/rootfiles/core/72/exclude +++ b/config/rootfiles/core/72/exclude @@ -10,7 +10,6 @@ etc/ipsec.user.secrets var/log/cache var/updatecache etc/localtime -var/ipfire/ovpn etc/ssh/ssh_config etc/ssh/sshd_config etc/ssl/openssl.cnf From 0251dca9e865ca677aedc613e90c2a1ef96d2b0b Mon Sep 17 00:00:00 2001 
From: Arne Fitzenreiter Date: Sun, 11 Aug 2013 09:46:16 +0200 Subject: [PATCH 60/61] core72: start ipsec only if enabled after update. --- config/rootfiles/core/72/update.sh | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/config/rootfiles/core/72/update.sh b/config/rootfiles/core/72/update.sh index 15d1bf2f9..c3dc20a81 100644 --- a/config/rootfiles/core/72/update.sh +++ b/config/rootfiles/core/72/update.sh @@ -34,7 +34,7 @@ done # #Stop services -ipsec stop +/etc/init.d/ipsec stop /etc/init.d/snort stop /etc/init.d/squid stop @@ -47,7 +47,10 @@ extract_files #Start services /etc/init.d/squid start /etc/init.d/snort start -ipsec start +if [ `grep "ENABLED=on" /var/ipfire/vpn/settings` ]; then + /etc/init.d/ipsec start +fi + # #Update Language cache @@ -64,4 +67,3 @@ sync sendprofile #Don't report the exitcode last command exit 0 - From 028c88f46f5db2c466e77122914b5aa134286859 Mon Sep 17 00:00:00 2001 From: Arne Fitzenreiter Date: Sun, 11 Aug 2013 11:50:50 +0200 Subject: [PATCH 61/61] close core72. --- make.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/make.sh b/make.sh index 7fcb69f93..eb9421ca5 100755 --- a/make.sh +++ b/make.sh @@ -26,7 +26,7 @@ NAME="IPFire" # Software name SNAME="ipfire" # Short name VERSION="2.13" # Version number CORE="72" # Core Level (Filename) -PAKFIRE_CORE="71" # Core Level (PAKFIRE) +PAKFIRE_CORE="72" # Core Level (PAKFIRE) GIT_BRANCH=`git status | head -n1 | cut -d" " -f4` # Git Branch SLOGAN="www.ipfire.org" # Software slogan CONFIG_ROOT=/var/ipfire # Configuration rootdir
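Review bot: The new start condition relies on word-splitting unquoted command output inside `[ ]`: it works when grep prints exactly one word, but the unanchored pattern also matches any other key ending in `ENABLED=on`, and a match containing whitespace would turn into a `[: too many arguments` error that silently skips the ipsec start. Testing grep's exit status directly and anchoring the key avoids both, `if grep -q "^ENABLED=on$" /var/ipfire/vpn/settings; then`, with the rest of the block unchanged.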