From 3d1fbbb02842bdc386bccd163e81b72956fa13c0 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Wed, 29 May 2013 17:16:37 +0200
Subject: [PATCH 1/8] openvpnctrl: SNAT transfer networks.

---
 src/misc-progs/openvpnctrl.c | 105 ++++++++++++++++++++++++++++++++++-
 1 file changed, 104 insertions(+), 1 deletion(-)

diff --git a/src/misc-progs/openvpnctrl.c b/src/misc-progs/openvpnctrl.c
index e7b128a3f..e0a9ed2c8 100644
--- a/src/misc-progs/openvpnctrl.c
+++ b/src/misc-progs/openvpnctrl.c
@@ -4,6 +4,8 @@
 #include
 #include
 #include
+#include
+#include
 #include
 #include "setuid.h"
 #include "libsmooth.h"
@@ -25,13 +27,17 @@ char enableorange[STRING_SIZE] = "off";
 char OVPNRED[STRING_SIZE] = "OVPN";
 char OVPNBLUE[STRING_SIZE] = "OVPN_BLUE_";
 char OVPNORANGE[STRING_SIZE] = "OVPN_ORANGE_";
-char WRAPPERVERSION[STRING_SIZE] = "ipfire-2.2.2";
+char OVPNNAT[STRING_SIZE] = "OVPNNAT";
+char WRAPPERVERSION[STRING_SIZE] = "ipfire-2.2.3";

 struct connection_struct {
 char name[STRING_SIZE];
 char type[STRING_SIZE];
 char proto[STRING_SIZE];
 char status[STRING_SIZE];
+ char local_subnet[STRING_SIZE];
+ char transfer_subnet[STRING_SIZE];
+ char role[STRING_SIZE];
 int port;
 struct connection_struct *next;
 };
@@ -132,6 +138,12 @@ connection *getConnections() {
 strcpy(conn_curr->name, result);
 } else if (count == 4) {
 strcpy(conn_curr->type, result);
+ } else if (count == 7) {
+ strcpy(conn_curr->role, result);
+ } else if (count == 9) {
+ strcpy(conn_curr->local_subnet, result);
+ } else if (count == 28) {
+ strcpy(conn_curr->transfer_subnet, result);
 } else if (count == 29) {
 strcpy(conn_curr->proto, result);
 } else if (count == 30) {
@@ -257,6 +269,13 @@ void flushChain(char *chain) {
 safe_system(str);
 }

+void flushChainNAT(char *chain) {
+ char str[STRING_SIZE];
+
+ sprintf(str, "/sbin/iptables -t nat -F %s", chain);
+ executeCommand(str);
+}
+
 void deleteChainReference(char *chain) {
 char str[STRING_SIZE];

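Review bot: The new `strcpy(conn_curr->role, result)`, `strcpy(conn_curr->local_subnet, result)` and `strcpy(conn_curr->transfer_subnet, result)` lines in the getConnections hunk copy a token of the connection configuration into a STRING_SIZE field with no length bound, so an over-long token overflows the connection struct; the neighbouring name/type/proto copies have the same shape, but the added lines should not repeat it. Use a bounded copy for each, e.g. `snprintf(conn_curr->role, STRING_SIZE, "%s", result);`. The flushChainNAT hunk further down has the same unbounded write with `sprintf(str, "/sbin/iptables -t nat -F %s", chain);`, which should be `snprintf(str, STRING_SIZE, "/sbin/iptables -t nat -F %s", chain);`; that function also runs the result through executeCommand while its sibling flushChain uses safe_system, which deserves a comment if the difference is intentional. getConnections starts and ends outside the hunk.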
@@ -339,6 +358,80 @@ void createAllChains(void) {
 }
 }

+char* calcTransferNetAddress(const connection* conn) {
+ char *address = strdup(conn->transfer_subnet);
+ address = strsep(&address, "/");
+
+ struct in_addr address_info;
+ if (!inet_aton(address, &address_info)) {
+ goto ERROR;
+ }
+
+ if (strcmp(conn->role, "server")) {
+ address_info.s_addr += 1 << 24;
+ } else if (strcmp(conn->role, "client")) {
+ address_info.s_addr += 2 << 24;
+ } else {
+ goto ERROR;
+ }
+
+ address = inet_ntoa(address_info);
+ return address;
+
+ERROR:
+ free(address);
+ return NULL;
+}
+
+char* getLocalSubnetAddress(const connection* conn) {
+ kv = initkeyvalues();
+ if (!readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings")) {
+ fprintf(stderr, "Cannot read ethernet settings\n");
+ exit(1);
+ }
+
+ const char *zones[] = {"GREEN", "BLUE", "ORANGE", NULL};
+ char *zone = NULL;
+
+ // Get net address of the local openvpn subnet.
+ char *subnetmask = strdup(conn->local_subnet);
+ char *address = strsep(&subnetmask, "/");
+
+ if ((address == NULL) || (subnetmask == NULL)) {
+ goto ERROR;
+ }
+
+ in_addr_t _address = inet_addr(address);
+ in_addr_t _subnetmask = inet_addr(subnetmask);
+
+ in_addr_t _netaddr = (_address & _subnetmask);
+ in_addr_t _broadcast = (_address | ~_subnetmask);
+
+ char zone_address_key[STRING_SIZE];
+ char zone_address[STRING_SIZE];
+ in_addr_t zone_addr;
+
+ int i = 0;
+ while (zones[i]) {
+ zone = zones[i++];
+ snprintf(zone_address_key, STRING_SIZE, "%s_ADDRESS", zone);
+
+ if (!findkey(kv, zone_address_key, zone_address))
+ continue;
+
+ zone_addr = inet_addr(zone_address);
+ if ((zone_addr > _netaddr) && (zone_addr < _broadcast)) {
+ freekeyvalues(kv);
+
+ return strdup(zone_address);
+ }
+ }
+
+ERROR:
+ freekeyvalues(kv);
+ return NULL;
+}
+
 void setFirewallRules(void) {
 char protocol[STRING_SIZE] = "";
 char dport[STRING_SIZE] = "";
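Review bot: The zone test `if ((zone_addr > _netaddr) && (zone_addr < _broadcast))` in getLocalSubnetAddress compares values that `inet_addr` returns in network byte order as plain host integers, so on a little-endian host the ordering does not correspond to address ranges and an unrelated zone (or none) can be chosen as the SNAT source; the byte-order-neutral membership test is `if ((zone_addr & _subnetmask) == _netaddr)`. `_address`, `_subnetmask` and `zone_addr` are all taken from `inet_addr` without an INADDR_NONE check, so a malformed setting is silently treated as 255.255.255.255. The two helpers also return memory with different ownership: getLocalSubnetAddress returns `strdup(zone_address)`, while calcTransferNetAddress returns inet_ntoa's static buffer and leaks its own `strdup` copy on the success path — it should read `free(address); address = inet_ntoa(address_info); return address;`, and the contract should be stated in a comment above each function. Minor: `strcmp(conn->role, "server")` without `== 0` selects the branch when the role is *not* "server" (PATCH 2 of this series corrects this), `zone = zones[i++]` stores a `const char *` in a `char *`, and `kv` appears to be a file-level global rather than a local, which is worth noting since the function exits while holding it.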
@@ -372,6 +465,7 @@ void setFirewallRules(void) {
 flushChain(OVPNRED);
 flushChain(OVPNBLUE);
 flushChain(OVPNORANGE);
+ flushChainNAT(OVPNNAT);

 // set firewall rules
 if (!strcmp(enablered, "on") && strlen(redif))
@@ -386,11 +480,20 @@ void setFirewallRules(void) {
 // set firewall rules for n2n connections
 char command[STRING_SIZE];
+ char *local_subnet_address = NULL;
+ char *transfer_subnet_address = NULL;

 while (conn != NULL) {
 if (strcmp(conn->type, "net") == 0) {
 sprintf(command, "/sbin/iptables -A %sINPUT -i %s -p %s --dport %d -j ACCEPT",
 OVPNRED, redif, conn->proto, conn->port);
 executeCommand(command);
+
+ local_subnet_address = getLocalSubnetAddress(conn);
+ transfer_subnet_address = calcTransferNetAddress(conn);
+
+ snprintf(command, STRING_SIZE, "/sbin/iptables -t nat -A %s -s %s -j SNAT --to-source %s",
+ OVPNNAT, transfer_subnet_address, local_subnet_address);
+ executeCommand(command);
 }

 conn = conn->next;
From a19ff965bb6b586d56907cb77bdc0f70b2b3c459 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Thu, 30 May 2013 21:49:32 +0200
Subject: [PATCH 2/8] openvpnctrl: Fixes and improvements.

Handle invalid data and make the code more robust.
---
 src/misc-progs/openvpnctrl.c | 32 ++++++++++++++++++++------------
 1 file changed, 20 insertions(+), 12 deletions(-)

diff --git a/src/misc-progs/openvpnctrl.c b/src/misc-progs/openvpnctrl.c
index e0a9ed2c8..e366294b5 100644
--- a/src/misc-progs/openvpnctrl.c
+++ b/src/misc-progs/openvpnctrl.c
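Review bot: `local_subnet_address` is never released in the n2n loop: getLocalSubnetAddress returns a `strdup` copy (see the hunk that adds it), and the loop only overwrites the pointer on the next connection, so one string leaks per net-to-net connection every time the rules are set; add `free(local_subnet_address);` after the second `executeCommand(command);`, and do not free `transfer_subnet_address`, which points at inet_ntoa's static buffer. A NULL from either helper is formatted straight into the rule (`%s` with a NULL argument is undefined behaviour) — PATCH 2 of this series adds a guard for that. The return value of `snprintf(command, STRING_SIZE, ...)` is not checked, so a rule that does not fit in STRING_SIZE would be executed truncated instead of being rejected. setFirewallRules starts and ends outside the hunk.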
@@ -359,26 +359,29 @@ void createAllChains(void) {
 }

 char* calcTransferNetAddress(const connection* conn) {
- char *address = strdup(conn->transfer_subnet);
- address = strsep(&address, "/");
+ char *subnetmask = strdup(conn->transfer_subnet);
+ char *address = strsep(&subnetmask, "/");

- struct in_addr address_info;
- if (!inet_aton(address, &address_info)) {
- goto ERROR;
- }
+ in_addr_t _address = inet_addr(address);
+ in_addr_t _subnetmask = inet_addr(subnetmask);
+ _address &= _subnetmask;

- if (strcmp(conn->role, "server")) {
- address_info.s_addr += 1 << 24;
- } else if (strcmp(conn->role, "client")) {
- address_info.s_addr += 2 << 24;
+ if (strcmp(conn->role, "server") == 0) {
+ _address += 1 << 24;
+ } else if (strcmp(conn->role, "client") == 0) {
+ _address += 2 << 24;
 } else {
 goto ERROR;
 }

- address = inet_ntoa(address_info);
- return address;
+ struct in_addr address_info;
+ address_info.s_addr = _address;
+
+ return inet_ntoa(address_info);

 ERROR:
+ fprintf(stderr, "Could not determine transfer net address: %s\n", conn->name);
+
 free(address);
 return NULL;
 }
@@ -428,6 +431,8 @@ char* getLocalSubnetAddress(const connection* conn) {
 }

 ERROR:
+ fprintf(stderr, "Could not determine local subnet address: %s\n", conn->name);
+
 freekeyvalues(kv);
 return NULL;
 }
@@ -491,6 +496,9 @@ void setFirewallRules(void) {
 local_subnet_address = getLocalSubnetAddress(conn);
 transfer_subnet_address = calcTransferNetAddress(conn);

+ if ((!local_subnet_address) || (!transfer_subnet_address))
+ continue;
+
 snprintf(command, STRING_SIZE, "/sbin/iptables -t nat -A %s -s %s -j SNAT --to-source %s",
 OVPNNAT, transfer_subnet_address, local_subnet_address);
 executeCommand(command);
From b2e333d4cf47bb0f88b6f2a128050fab89a95eca Mon Sep 17 00:00:00 2001
From: Alexander Marx
Date: Mon, 3 Jun 2013 15:22:50 +0200
Subject: [PATCH 3/8] Pre-Firewall: added OVPNNAT to POSTROUTING Chain

---
 src/initscripts/init.d/firewall | 2 ++
 1 file changed, 2 insertions(+)

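Review bot: The rewritten calcTransferNetAddress drops the only input validation it had: when `transfer_subnet` contains no "/", `strsep` leaves `subnetmask` NULL and `inet_addr(subnetmask)` dereferences it, and both `inet_addr` results are used unchecked, whereas the removed `inet_aton` call at least rejected a malformed address. Guard before the masking, e.g. `if (!subnetmask || _address == INADDR_NONE || _subnetmask == INADDR_NONE) goto ERROR;`. The `strdup` copy held in `address` is still leaked on the success path; `free(address);` should precede `return inet_ntoa(address_info);` (inet_ntoa's static buffer does not depend on it). `_address += 1 << 24` operates on the network-byte-order value and only increments the last octet on a little-endian host; `htonl(ntohl(_address) + 1)` expresses the intent portably and deserves a comment either way.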
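Review bot: The added `continue` in setFirewallRules skips the connection but not the cleanup: when only `transfer_subnet_address` is NULL, the `strdup` string in `local_subnet_address` returned by getLocalSubnetAddress is abandoned, and the success path below the hunk never frees it either. Release it on both paths — `free(local_subnet_address);` before `continue;` and again after `executeCommand(command);` — and leave `transfer_subnet_address` alone, since calcTransferNetAddress returns inet_ntoa's static buffer. `free(NULL)` is a no-op, so the guard does not need to distinguish which pointer was NULL. setFirewallRules starts and ends outside the hunk.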
diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index b6dd7d5bd..d8d7712ee 100644
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -178,12 +178,14 @@ case "$1" in
 /sbin/iptables -N IPSECFORWARD
 /sbin/iptables -N IPSECOUTPUT
 /sbin/iptables -N OPENSSLVIRTUAL
+ /sbin/iptables -N OVPNNAT
 /sbin/iptables -A INPUT -j IPSECINPUT
 /sbin/iptables -A INPUT -j OPENSSLVIRTUAL -m comment --comment "OPENSSLVIRTUAL INPUT"
 /sbin/iptables -A FORWARD -j IPSECFORWARD
 /sbin/iptables -A FORWARD -j OPENSSLVIRTUAL -m comment --comment "OPENSSLVIRTUAL FORWARD"
 /sbin/iptables -A OUTPUT -j IPSECOUTPUT
 /sbin/iptables -t nat -N IPSECNAT
+ /sbin/iptables -t nat -A POSTROUTING -j OVPNNAT
 /sbin/iptables -t nat -A POSTROUTING -j IPSECNAT

 # Outgoing Firewall
From fcbf5eef0b6e557608340f5fd5a7ec1fc99943f3 Mon Sep 17 00:00:00 2001
From: Alexander Marx
Date: Wed, 5 Jun 2013 22:16:19 +0200
Subject: [PATCH 4/8] pre-firewall: added ovpnnat to firewallscript

---
 src/initscripts/init.d/firewall | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index d8d7712ee..844618a30 100644
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -178,12 +178,12 @@ case "$1" in
 /sbin/iptables -N IPSECFORWARD
 /sbin/iptables -N IPSECOUTPUT
 /sbin/iptables -N OPENSSLVIRTUAL
- /sbin/iptables -N OVPNNAT
 /sbin/iptables -A INPUT -j IPSECINPUT
 /sbin/iptables -A INPUT -j OPENSSLVIRTUAL -m comment --comment "OPENSSLVIRTUAL INPUT"
 /sbin/iptables -A FORWARD -j IPSECFORWARD
 /sbin/iptables -A FORWARD -j OPENSSLVIRTUAL -m comment --comment "OPENSSLVIRTUAL FORWARD"
 /sbin/iptables -A OUTPUT -j IPSECOUTPUT
+ /sbin/iptables -t nat -N OVPNNAT
 /sbin/iptables -t nat -N IPSECNAT
 /sbin/iptables -t nat -A POSTROUTING -j OVPNNAT
 /sbin/iptables -t nat -A POSTROUTING -j IPSECNAT
From 79518a2f26e822a2f3c23bf6dc2983bd0a850e0c Mon Sep 17 00:00:00 2001
From: Alexander Marx
Date: Mon, 3 Jun 2013 13:06:05 +0200
Subject: [PATCH 5/8] Replace libjpeg with libjpeg-turbo-1.3.0

---
 config/rootfiles/common/libjpeg | 18 ++++++++++++++++--
 lfs/libjpeg | 8 ++++----
 make.sh | 2 +-
 3 files changed, 21 insertions(+), 7 deletions(-)

diff --git a/config/rootfiles/common/libjpeg b/config/rootfiles/common/libjpeg
index 770185f2a..7ceb697d9 100644
--- a/config/rootfiles/common/libjpeg
+++ b/config/rootfiles/common/libjpeg
@@ -2,18 +2,32 @@
 #usr/bin/djpeg
 #usr/bin/jpegtran
 #usr/bin/rdjpgcom
+#usr/bin/tjbench
 #usr/bin/wrjpgcom
 #usr/include/jconfig.h
 #usr/include/jerror.h
 #usr/include/jmorecfg.h
 #usr/include/jpeglib.h
+#usr/include/turbojpeg.h
 #usr/lib/libjpeg.a
 #usr/lib/libjpeg.la
-usr/lib/libjpeg.so
+#usr/lib/libjpeg.so
 usr/lib/libjpeg.so.62
-usr/lib/libjpeg.so.62.0.0
+usr/lib/libjpeg.so.62.1.0
+#usr/lib/libturbojpeg.a
+#usr/lib/libturbojpeg.la
+#usr/lib/libturbojpeg.so
+usr/lib/libturbojpeg.so.0
+usr/lib/libturbojpeg.so.0.0.0
 #usr/man/man1/cjpeg.1
 #usr/man/man1/djpeg.1
 #usr/man/man1/jpegtran.1
 #usr/man/man1/rdjpgcom.1
 #usr/man/man1/wrjpgcom.1
+#usr/share/doc/README
+#usr/share/doc/README-turbo.txt
+#usr/share/doc/example.c
+#usr/share/doc/libjpeg.txt
+#usr/share/doc/structure.txt
+#usr/share/doc/usage.txt
+#usr/share/doc/wizard.txt
diff --git a/lfs/libjpeg b/lfs/libjpeg
index 24d4b89e5..5e0785926 100644
--- a/lfs/libjpeg
+++ b/lfs/libjpeg
@@ -24,12 +24,12 @@ include Config
-VER = v6b
+VER = 1.3.0
-THISAPP = jpegsrc.$(VER)
+THISAPP = libjpeg-turbo-$(VER)
 DL_FILE = $(THISAPP).tar.gz
 DL_FROM = $(URL_IPFIRE)
-DIR_APP = $(DIR_SRC)/jpeg-6b
+DIR_APP = $(DIR_SRC)/$(THISAPP)
 TARGET = $(DIR_INFO)/$(THISAPP)
 PROG = libjpeg
 PAK_VER = ipfire-beta1
@@ -42,7 +42,7 @@ objects = $(DL_FILE)
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = dbd5f3b47ed13132f04c685d608a7547
+$(DL_FILE)_MD5 = e1e65cc711a1ade1322c06ad4a647741
 install : $(TARGET)
diff --git a/make.sh b/make.sh
index d09d24cba..3d9e3c3bc 100755
--- a/make.sh
+++ b/make.sh
@@ -462,6 +462,7 @@ buildipfire() {
 ipfiremake libnet
 ipfiremake libnl
 ipfiremake libidn
+ ipfiremake nasm
 ipfiremake libjpeg
 ipfiremake libexif
 ipfiremake libpng
@@ -523,7 +524,6 @@ buildipfire() {
 ipfiremake logwatch
 ipfiremake misc-progs
 ipfiremake nano
- ipfiremake nasm
 ipfiremake URI
 ipfiremake HTML-Tagset
 ipfiremake HTML-Parser
From cfbc9ca7e93ee79650fc29651b3909cf3de13243 Mon Sep 17 00:00:00 2001
From: Alexander Marx
Date: Tue, 4 Jun 2013 14:19:36 +0200
Subject: [PATCH 6/8] Update motion to 3.2.12

---
 lfs/motion | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lfs/motion b/lfs/motion
index fa99ea0b1..39c6b7352 100644
--- a/lfs/motion
+++ b/lfs/motion
@@ -24,7 +24,7 @@ include Config
-VER = 3.2.11
+VER = 3.2.12
 THISAPP = motion-$(VER)
 DL_FILE = $(THISAPP).tar.gz
@@ -44,7 +44,7 @@ objects = $(DL_FILE)
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 3a26c00f3250eacf6fa93c7a7e0249d9
+$(DL_FILE)_MD5 = 1ba0065ed50509aaffb171594c689f46
 install : $(TARGET)
From d9ebb7009b6bad768ca0a478a2bd8f3fa4fdf6a0 Mon Sep 17 00:00:00 2001
From: Alexander Marx
Date: Mon, 3 Jun 2013 13:06:05 +0200
Subject: [PATCH 7/8] lcd4linux: updated lcd4linux to new SVN-1200 Version with samsungSPF display driver

---
 lfs/lcd4linux | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/lfs/lcd4linux b/lfs/lcd4linux
index b31b961b2..37f0eb5a7 100644
--- a/lfs/lcd4linux
+++ b/lfs/lcd4linux
@@ -24,15 +24,15 @@ include Config
-VER = 0.11.0-svn1158-dpf
+VER = 0.11.0-svn1200-dpf
 THISAPP = lcd4linux-$(VER)
-DL_FILE = $(THISAPP).tar.xz
+DL_FILE = $(THISAPP).tar.gz
 DL_FROM = $(URL_IPFIRE)
-DIR_APP = $(DIR_SRC)/$(THISAPP)
+DIR_APP = $(DIR_SRC)/lcd4linux
 TARGET = $(DIR_INFO)/$(THISAPP)
 PROG = lcd4linux
-PAK_VER = 4
+PAK_VER = 5
 DEPS = "dpfhack libmpdclient"
@@ -44,7 +44,7 @@ objects = $(DL_FILE)
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 0b7eba14a92ae5d51a3ab99948192b8d
+$(DL_FILE)_MD5 = 8a7ad5bbfb24db0cce68a217c2b0bfb0
 install : $(TARGET)
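Review bot: `ipfiremake nasm` is moved from the misc-progs group to directly before `ipfiremake libjpeg` without any comment, so the next reordering of buildipfire can silently break the libjpeg build. Presumably libjpeg-turbo needs nasm at build time (the commit message only says the library is replaced); a one-line comment on the moved line, `ipfiremake nasm  # must precede libjpeg: libjpeg-turbo needs it at build time`, records the dependency for the next editor. buildipfire starts and ends outside the hunk.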
@@ -76,8 +76,7 @@ $(subst %,%_MD5,$(objects)) :
 $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 @$(PREBUILD)
- @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar Jxf $(DIR_DL)/$(DL_FILE)
- cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/lcd4linux-scaletext-dpf.patch
+ @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
 cd $(DIR_APP) && ./configure --with-plugins=all,!qnaplog,!dbus --prefix=/usr
 cd $(DIR_APP) && make
 cd $(DIR_APP) && make install
From 7362887f518fa367057edb9f9747907b3aa107c1 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Mon, 10 Jun 2013 12:31:30 +0200
Subject: [PATCH 8/8] lcd4linux: Fix md5 checksum.

---
 lfs/lcd4linux | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lfs/lcd4linux b/lfs/lcd4linux
index 37f0eb5a7..a736381fe 100644
--- a/lfs/lcd4linux
+++ b/lfs/lcd4linux
@@ -44,7 +44,7 @@ objects = $(DL_FILE)
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 8a7ad5bbfb24db0cce68a217c2b0bfb0
+$(DL_FILE)_MD5 = 5b76a26879849dbd52a5bcfda4107ea4
 install : $(TARGET)
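Review bot: The `patch -Np1 < $(DIR_SRC)/src/patches/lcd4linux-scaletext-dpf.patch` step is removed without the commit message saying whether that change is now part of the svn1200-dpf snapshot or is being dropped, and the patch file itself presumably stays in src/patches unused. State this in the message and remove the orphaned file if it is no longer applied. The earlier hunk of the same commit also pins `DIR_APP = $(DIR_SRC)/lcd4linux`, i.e. the archive no longer unpacks into a versioned directory, and PATCH 8 of this series has to correct this commit's `$(DL_FILE)_MD5` a few days later, which suggests the tarball at URL_IPFIRE was repacked after the checksum was taken; since that MD5 is the only integrity check on the download, the message should record how the snapshot was produced so the archive can be reproduced and re-verified.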