Merge branch 'master' of ssh://git.ipfire.org/pub/git/ipfire-2.x

config/cfgroot/manualpages

@@ -1,7 +1,82 @@
-# User manual base URL (without trailing slash)
-BASE_URL=https://wiki.ipfire.org
+# Assign manual page URL path to CGI file ([cgi basename]=[path/to/page]) 
 
-# Assign manual page URL path to CGI file ([cgi basename]=[path/to/page])
+# Base URL (without trailing slash)
+BASE_URL=https://wiki.ipfire.org
 index=configuration/system/startpage
-pppsetup=configuration/system/dial
+
+#	System menu
+index=configuration/system/startpage
+mail=configuration/system/mail_service
+remote=configuration/system/ssh
+backup=configuration/system/backup
+gui=configuration/system/userinterface
+fireinfo=fireinfo
+vulnerabilities=configuration/system/vulnerabilities
+shutdown=configuration/system/shutdown
+credits=configuration/system/credits
+
+#	Status menu
+system=configuration/status/system
+memory=configuration/status/memory
+services=configuration/status/services
+media=configuration/status/drives
+netexternal=configuration/status/network_ext
+netinternal=configuration/status/network_int
+netother=configuration/status/network_int
+netovpnrw=configuration/status/network_ovpnrw
+#netovpnsrv=
+hardwaregraphs=configuration/status/hardware_diagrams
+entropy=configuration/status/entropy
+connections=configuration/status/connections
+traffic=configuration/status/nettraffic
+#mdstat=
+
+#	Network menu
+zoneconf=configuration/network/zoneconf
+dns=dns
+proxy=configuration/network/proxy
+urlfilter=configuration/network/proxy/url-filter
+#updatexlrator=configuration/network/proxy/update_accelerator
+dhcp=configuration/network/dhcp
+captive=configuration/network/captive
+connscheduler=configuration/network/connectionscheduler
+hosts=configuration/network/hosts
+dnsforward=configuration/network/dnsforward
+routing=configuration/network/static
+mac=configuration/network/mac-address
+wakeonlan=configuration/network/wake-on-lan
+
+#	Services menu
+vpnmain=configuration/services/ipsec
+ovpnmain=configuration/services/openvpn
+ddns=configuration/services/dyndns
+time=configuration/services/ntp
 qos=configuration/services/qos
+extrahd=configuration/services/extrahd
+
+#	Firewall menu
+firewall=configuration/firewall
+fwhosts=configuration/firewall/fwgroups
+optionsfw=configuration/firewall/options
+ids=configuration/firewall/ips
+p2p-block=configuration/firewall/p2p-block
+location-block=configuration/firewall/geoip-block
+wireless=configuration/firewall/accesstoblue
+iptables=configuration/firewall/iptables
+
+#	IPfire menu
+pakfire=configuration/ipfire/pakfire
+
+#	Logs menu
+summary=configuration/logs/summary
+config=configuration/logs/logsettings
+proxylog=configuration/logs/proxy
+calamaris=configuration/logs/proxyreports
+firewalllog=configuration/logs/firewall
+firewalllogip=configuration/logs/firewall-ip
+firewalllogport=configuration/logs/firewall-port
+firewalllogcountry=configuration/logs/firewall-country
+ids=configuration/logs/ips
+#ovpnclients=
+urlfilter=configuration/logs/url-filter
+log=configuration/logs/system

config/rootfiles/common/suricata

@@ -37,6 +37,7 @@ usr/share/suricata
 #usr/share/suricata/rules/smtp-events.rules
 #usr/share/suricata/rules/stream-events.rules
 #usr/share/suricata/rules/tls-events.rules
+var/ipfire/suricata/suricata-default-rules.yaml
 var/lib/suricata
 var/lib/suricata/classification.config
 var/lib/suricata/reference.config

config/rootfiles/packages/pcengines-apu-firmware

@@ -1,8 +1,8 @@
 #lib/firmware/pcengines
 #lib/firmware/pcengines/apu
-lib/firmware/pcengines/apu/apu1_v4.14.0.4.rom
-lib/firmware/pcengines/apu/apu2_v4.14.0.4.rom
-lib/firmware/pcengines/apu/apu3_v4.14.0.4.rom
-lib/firmware/pcengines/apu/apu4_v4.14.0.4.rom
-lib/firmware/pcengines/apu/apu5_v4.14.0.4.rom
-lib/firmware/pcengines/apu/apu6_v4.14.0.4.rom
+lib/firmware/pcengines/apu/apu1_v4.15.0.1.rom
+lib/firmware/pcengines/apu/apu2_v4.15.0.1.rom
+lib/firmware/pcengines/apu/apu3_v4.15.0.1.rom
+lib/firmware/pcengines/apu/apu4_v4.15.0.1.rom
+lib/firmware/pcengines/apu/apu5_v4.15.0.1.rom
+lib/firmware/pcengines/apu/apu6_v4.15.0.1.rom

config/suricata/suricata-default-rules.yaml

@@ -0,0 +1,20 @@
+%YAML 1.1
+---
+
+# Default rules which helps
+ - /usr/share/suricata/rules/app-layer-events.rules
+ - /usr/share/suricata/rules/decoder-events.rules
+ - /usr/share/suricata/rules/dhcp-events.rules
+ - /usr/share/suricata/rules/dnp3-events.rules
+ - /usr/share/suricata/rules/dns-events.rules
+ - /usr/share/suricata/rules/files.rules
+ - /usr/share/suricata/rules/http-events.rules
+ - /usr/share/suricata/rules/ipsec-events.rules
+ - /usr/share/suricata/rules/kerberos-events.rules
+ - /usr/share/suricata/rules/modbus-events.rules
+ - /usr/share/suricata/rules/nfs-events.rules
+ - /usr/share/suricata/rules/ntp-events.rules
+ - /usr/share/suricata/rules/smb-events.rules
+ - /usr/share/suricata/rules/smtp-events.rules
+ - /usr/share/suricata/rules/stream-events.rules
+ - /usr/share/suricata/rules/tls-events.rules

config/suricata/suricata.yaml

@@ -46,28 +46,11 @@ vars:
 ##
 default-rule-path: /var/lib/suricata
 rule-files:
-    # Default rules
-    - /usr/share/suricata/rules/app-layer-events.rules
-    - /usr/share/suricata/rules/decoder-events.rules
-    - /usr/share/suricata/rules/dhcp-events.rules
-    - /usr/share/suricata/rules/dnp3-events.rules
-    - /usr/share/suricata/rules/dns-events.rules
-    - /usr/share/suricata/rules/files.rules
-    - /usr/share/suricata/rules/http2-events.rules
-    - /usr/share/suricata/rules/http-events.rules
-    - /usr/share/suricata/rules/ipsec-events.rules
-    - /usr/share/suricata/rules/kerberos-events.rules
-    - /usr/share/suricata/rules/modbus-events.rules
-    - /usr/share/suricata/rules/mqtt-events.rules
-    - /usr/share/suricata/rules/nfs-events.rules
-    - /usr/share/suricata/rules/ntp-events.rules
-    - /usr/share/suricata/rules/smb-events.rules
-    - /usr/share/suricata/rules/smtp-events.rules
-    - /usr/share/suricata/rules/stream-events.rules
-    - /usr/share/suricata/rules/tls-events.rules
-
     # Include enabled ruleset files from external file
-    - !include: /var/ipfire/suricata/suricata-used-rulefiles.yaml
+    include: /var/ipfire/suricata/suricata-used-rulefiles.yaml
+
+    # Include default rules.
+    include: /var/ipfire/suricata/suricata-default-rules.yaml
 
 classification-file: /var/lib/suricata/classification.config
 reference-config-file: /var/lib/suricata/reference.config

lfs/pcengines-apu-firmware

@@ -24,14 +24,14 @@
 
 include Config
 
-VER        = 4.14.0.4
+VER        = 4.15.0.1
 
 THISAPP    = pcengines-apu-firmware-$(VER)
 DL_FROM    = $(URL_IPFIRE)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 PROG       = pcengines-apu-firmware
-PAK_VER    = 9
+PAK_VER    = 10
 SUP_ARCH   = i586 x86_64
 
 DEPS       = firmware-update
@@ -55,12 +55,12 @@ apu4_v$(VER).rom = $(DL_FROM)/apu4_v$(VER).rom
 apu5_v$(VER).rom = $(DL_FROM)/apu5_v$(VER).rom
 apu6_v$(VER).rom = $(DL_FROM)/apu6_v$(VER).rom
 
-apu1_v$(VER).rom_MD5 = e60ce8d903cb1e301aae1160aa8413cd
-apu2_v$(VER).rom_MD5 = 00da67aecd00e7479f0194ccc4ee5739
-apu3_v$(VER).rom_MD5 = 4f935c61fc4274c0b427d16d6aa0049a
-apu4_v$(VER).rom_MD5 = 3aed8f5e1e543a3912c808fe68067dde
-apu5_v$(VER).rom_MD5 = c39dbf45aa630c273fcace35fbc6324e
-apu6_v$(VER).rom_MD5 = b81f9da0f39b355344b602868b2ddcff
+apu1_v$(VER).rom_MD5 = 6b53385232624d48ec7c8fc7f0390413
+apu2_v$(VER).rom_MD5 = 062b6fe09e22077b7155f3eb3bf8ec34
+apu3_v$(VER).rom_MD5 = caa7a5b8d4977de9e4135ab1bc1d15dd
+apu4_v$(VER).rom_MD5 = ffc0f94f2d9c6c25e1d53e0386fbd20b
+apu5_v$(VER).rom_MD5 = e63e1f3392a414942ca65cfa46868665
+apu6_v$(VER).rom_MD5 = 9264657ad3fca49101b28901cf65f4bf
 
 install : $(TARGET)
 

lfs/suricata

@@ -71,6 +71,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@$(PREBUILD)
 	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
 	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch
+	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/suricata-disable-sid-2210059.patch
 	cd $(DIR_APP) && LDFLAGS="$(LDFLAGS)" ./configure \
 		--prefix=/usr \
 		--sysconfdir=/etc \
@@ -96,6 +97,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	# Install IPFire related config file.
 	install -m 0644 $(DIR_SRC)/config/suricata/suricata.yaml /etc/suricata
 
+	# Install yaml file for loading default rules.
+	install -m 0664 $(DIR_SRC)/config/suricata/suricata-default-rules.yaml /var/ipfire/suricata
+
 	# Create emtpy rules directory.
 	-mkdir -p /var/lib/suricata
 

src/patches/suricata-disable-sid-2210059.patch

@@ -0,0 +1,12 @@
+diff -Nur a/rules/stream-events.rules b/rules/stream-events.rules
+--- a/rules/stream-events.rules	2021-11-17 16:55:12.000000000 +0100
++++ b/rules/stream-events.rules	2021-12-08 18:12:39.850189502 +0100
+@@ -89,7 +89,7 @@
+ # rule to alert if a stream has excessive retransmissions
+ alert tcp any any -> any any (msg:"SURICATA STREAM excessive retransmissions"; flowbits:isnotset,tcp.retransmission.alerted; flowint:tcp.retransmission.count,>=,10; flowbits:set,tcp.retransmission.alerted; classtype:protocol-command-decode; sid:2210054; rev:1;)
+ # Packet on wrong thread. Fires at most once per flow.
+-alert tcp any any -> any any (msg:"SURICATA STREAM pkt seen on wrong thread"; stream-event:wrong_thread; sid:2210059; rev:1;)
++#alert tcp any any -> any any (msg:"SURICATA STREAM pkt seen on wrong thread"; stream-event:wrong_thread; sid:2210059; rev:1;)
+ 
+ # Packet with FIN+SYN set
+ alert tcp any any -> any any (msg:"SURICATA STREAM FIN SYN reuse"; stream-event:fin_syn; classtype:protocol-command-decode; sid:2210060; rev:1;)