Merge remote-tracking branch 'origin/kernel-update' into glibc-update2

Michael Tremer
2012-08-13 16:34:23 -04:00
21 changed files with 318 additions and 598 deletions


@@ -13,8 +13,8 @@ etc/hddtemp.db
etc/host.conf
etc/inittab
etc/inputrc
#etc/ipsec.user.conf
#etc/ipsec.user.secrets
etc/ipsec.user.conf
etc/ipsec.user.secrets
etc/issue
etc/ld.so.conf
etc/localtime
@@ -75,7 +75,6 @@ usr/local/bin/setddns.pl
usr/local/bin/settime
usr/local/bin/timecheck
#usr/local/bin/uname
usr/local/bin/vpn-watch
#usr/local/include
#usr/local/lib
#usr/local/sbin


@@ -13,133 +13,62 @@ etc/strongswan.conf
#usr/lib/ipsec
#usr/lib/ipsec/libcharon.a
#usr/lib/ipsec/libcharon.la
usr/lib/ipsec/libcharon.so
#usr/lib/ipsec/libcharon.so
usr/lib/ipsec/libcharon.so.0
usr/lib/ipsec/libcharon.so.0.0.0
#usr/lib/ipsec/libhydra.a
#usr/lib/ipsec/libhydra.la
usr/lib/ipsec/libhydra.so
#usr/lib/ipsec/libhydra.so
usr/lib/ipsec/libhydra.so.0
usr/lib/ipsec/libhydra.so.0.0.0
#usr/lib/ipsec/libstrongswan.a
#usr/lib/ipsec/libstrongswan.la
usr/lib/ipsec/libstrongswan.so
#usr/lib/ipsec/libstrongswan.so
usr/lib/ipsec/libstrongswan.so.0
usr/lib/ipsec/libstrongswan.so.0.0.0
#usr/lib/ipsec/plugins
#usr/lib/ipsec/plugins/libstrongswan-aes.a
#usr/lib/ipsec/plugins/libstrongswan-aes.la
usr/lib/ipsec/plugins/libstrongswan-aes.so
#usr/lib/ipsec/plugins/libstrongswan-attr.a
#usr/lib/ipsec/plugins/libstrongswan-attr.la
usr/lib/ipsec/plugins/libstrongswan-attr.so
#usr/lib/ipsec/plugins/libstrongswan-cmac.a
#usr/lib/ipsec/plugins/libstrongswan-cmac.la
usr/lib/ipsec/plugins/libstrongswan-cmac.so
#usr/lib/ipsec/plugins/libstrongswan-constraints.a
#usr/lib/ipsec/plugins/libstrongswan-constraints.la
usr/lib/ipsec/plugins/libstrongswan-constraints.so
#usr/lib/ipsec/plugins/libstrongswan-curl.a
#usr/lib/ipsec/plugins/libstrongswan-curl.la
usr/lib/ipsec/plugins/libstrongswan-curl.so
#usr/lib/ipsec/plugins/libstrongswan-des.a
#usr/lib/ipsec/plugins/libstrongswan-des.la
usr/lib/ipsec/plugins/libstrongswan-des.so
#usr/lib/ipsec/plugins/libstrongswan-dnskey.a
#usr/lib/ipsec/plugins/libstrongswan-dnskey.la
usr/lib/ipsec/plugins/libstrongswan-dnskey.so
#usr/lib/ipsec/plugins/libstrongswan-fips-prf.a
#usr/lib/ipsec/plugins/libstrongswan-fips-prf.la
usr/lib/ipsec/plugins/libstrongswan-fips-prf.so
#usr/lib/ipsec/plugins/libstrongswan-gmp.a
#usr/lib/ipsec/plugins/libstrongswan-gmp.la
usr/lib/ipsec/plugins/libstrongswan-gmp.so
#usr/lib/ipsec/plugins/libstrongswan-hmac.a
#usr/lib/ipsec/plugins/libstrongswan-hmac.la
usr/lib/ipsec/plugins/libstrongswan-hmac.so
#usr/lib/ipsec/plugins/libstrongswan-kernel-netlink.a
#usr/lib/ipsec/plugins/libstrongswan-kernel-netlink.la
usr/lib/ipsec/plugins/libstrongswan-kernel-netlink.so
#usr/lib/ipsec/plugins/libstrongswan-md5.a
#usr/lib/ipsec/plugins/libstrongswan-md5.la
usr/lib/ipsec/plugins/libstrongswan-md5.so
#usr/lib/ipsec/plugins/libstrongswan-pem.a
#usr/lib/ipsec/plugins/libstrongswan-pem.la
usr/lib/ipsec/plugins/libstrongswan-nonce.so
usr/lib/ipsec/plugins/libstrongswan-openssl.so
usr/lib/ipsec/plugins/libstrongswan-padlock.so
usr/lib/ipsec/plugins/libstrongswan-pem.so
#usr/lib/ipsec/plugins/libstrongswan-pgp.a
#usr/lib/ipsec/plugins/libstrongswan-pgp.la
usr/lib/ipsec/plugins/libstrongswan-pgp.so
#usr/lib/ipsec/plugins/libstrongswan-pkcs1.a
#usr/lib/ipsec/plugins/libstrongswan-pkcs1.la
usr/lib/ipsec/plugins/libstrongswan-pkcs1.so
#usr/lib/ipsec/plugins/libstrongswan-pkcs8.a
#usr/lib/ipsec/plugins/libstrongswan-pkcs8.la
usr/lib/ipsec/plugins/libstrongswan-pkcs8.so
#usr/lib/ipsec/plugins/libstrongswan-pubkey.a
#usr/lib/ipsec/plugins/libstrongswan-pubkey.la
usr/lib/ipsec/plugins/libstrongswan-pubkey.so
#usr/lib/ipsec/plugins/libstrongswan-random.a
#usr/lib/ipsec/plugins/libstrongswan-random.la
usr/lib/ipsec/plugins/libstrongswan-random.so
#usr/lib/ipsec/plugins/libstrongswan-resolve.a
#usr/lib/ipsec/plugins/libstrongswan-resolve.la
usr/lib/ipsec/plugins/libstrongswan-resolve.so
#usr/lib/ipsec/plugins/libstrongswan-revocation.a
#usr/lib/ipsec/plugins/libstrongswan-revocation.la
usr/lib/ipsec/plugins/libstrongswan-revocation.so
#usr/lib/ipsec/plugins/libstrongswan-sha1.a
#usr/lib/ipsec/plugins/libstrongswan-sha1.la
usr/lib/ipsec/plugins/libstrongswan-sha1.so
#usr/lib/ipsec/plugins/libstrongswan-sha2.a
#usr/lib/ipsec/plugins/libstrongswan-sha2.la
usr/lib/ipsec/plugins/libstrongswan-sha2.so
#usr/lib/ipsec/plugins/libstrongswan-socket-raw.a
#usr/lib/ipsec/plugins/libstrongswan-socket-raw.la
usr/lib/ipsec/plugins/libstrongswan-socket-raw.so
#usr/lib/ipsec/plugins/libstrongswan-stroke.a
#usr/lib/ipsec/plugins/libstrongswan-stroke.la
usr/lib/ipsec/plugins/libstrongswan-socket-default.so
usr/lib/ipsec/plugins/libstrongswan-stroke.so
#usr/lib/ipsec/plugins/libstrongswan-updown.a
#usr/lib/ipsec/plugins/libstrongswan-updown.la
usr/lib/ipsec/plugins/libstrongswan-updown.so
#usr/lib/ipsec/plugins/libstrongswan-x509.a
#usr/lib/ipsec/plugins/libstrongswan-x509.la
usr/lib/ipsec/plugins/libstrongswan-x509.so
#usr/lib/ipsec/plugins/libstrongswan-xauth.a
#usr/lib/ipsec/plugins/libstrongswan-xauth.la
usr/lib/ipsec/plugins/libstrongswan-xauth.so
#usr/lib/ipsec/plugins/libstrongswan-xcbc.a
#usr/lib/ipsec/plugins/libstrongswan-xcbc.la
usr/lib/ipsec/plugins/libstrongswan-xauth-generic.so
usr/lib/ipsec/plugins/libstrongswan-xcbc.so
#usr/libexec/ipsec
usr/libexec/ipsec/_copyright
usr/libexec/ipsec/_pluto_adns
usr/libexec/ipsec/_updown
usr/libexec/ipsec/_updown_espmark
usr/libexec/ipsec/charon
usr/libexec/ipsec/openac
usr/libexec/ipsec/pki
usr/libexec/ipsec/pluto
usr/libexec/ipsec/scepclient
usr/libexec/ipsec/starter
usr/libexec/ipsec/stroke
usr/libexec/ipsec/whack
usr/sbin/ipsec
#usr/share/man/man3/anyaddr.3
#usr/share/man/man3/atoaddr.3
#usr/share/man/man3/atoasr.3
#usr/share/man/man3/atoul.3
#usr/share/man/man3/goodmask.3
#usr/share/man/man3/initaddr.3
#usr/share/man/man3/initsubnet.3
#usr/share/man/man3/portof.3
#usr/share/man/man3/rangetosubnet.3
#usr/share/man/man3/sameaddr.3
#usr/share/man/man3/subnetof.3
#usr/share/man/man3/ttoaddr.3
#usr/share/man/man3/ttodata.3
#usr/share/man/man3/ttosa.3
#usr/share/man/man3/ttoul.3
#usr/share/man/man5/ipsec.conf.5
#usr/share/man/man5/ipsec.secrets.5
#usr/share/man/man5/strongswan.conf.5
@@ -147,7 +76,4 @@ usr/sbin/ipsec
#usr/share/man/man8/_updown_espmark.8
#usr/share/man/man8/ipsec.8
#usr/share/man/man8/openac.8
#usr/share/man/man8/pluto.8
#usr/share/man/man8/scepclient.8
etc/ipsec.user.conf
etc/ipsec.user.secrets


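--- /dev/null
+++ b/[path-not-shown-on-page]
@@ -0,0 +1,12 @@
+srv/web/ipfire/html/proxy.pac
+etc/udev/rules.d/30-persistent-network.rules
+etc/ipsec.conf
+etc/ipsec.secrets
+etc/ipsec.user.conf
+etc/ipsec.user.secrets
+var/updatecache
+etc/localtime
+var/ipfire/ovpn
+etc/ssh/ssh_config
+etc/ssh/sshd_config
+etc/ssl/openssl.cnf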


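--- /dev/null
+++ b/[path-not-shown-on-page]
@@ -0,0 +1,6 @@
+etc/system-release
+etc/issue
+etc/rc.d/init.d/tmpfs
+srv/web/ipfire/cgi-bin/services.cgi
+srv/web/ipfire/cgi-bin/vpnmain.cgi
+usr/local/bin/ipsecctrl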


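--- /dev/null
+++ b/[path-not-shown-on-page]
@@ -0,0 +1 @@
+../../../common/strongswan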


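--- /dev/null
+++ b/[path-not-shown-on-page]
@@ -0,0 +1 @@
+DEPS=""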


@@ -0,0 +1,89 @@
#!/bin/bash
############################################################################
# #
# This file is part of the IPFire Firewall. #
# #
# IPFire is free software; you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation; either version 3 of the License, or #
# (at your option) any later version. #
# #
# IPFire is distributed in the hope that it will be useful, #
# but WITHOUT ANY WARRANTY; without even the implied warranty of #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
# GNU General Public License for more details. #
# #
# You should have received a copy of the GNU General Public License #
# along with IPFire; if not, write to the Free Software #
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
# #
# Copyright (C) 2012 IPFire-Team <info@ipfire.org>. #
# #
############################################################################
#
. /opt/pakfire/lib/functions.sh
/usr/local/bin/backupctrl exclude >/dev/null 2>&1
#
# Remove old core updates from pakfire cache to save space...
core=61
for (( i=1; i<=$core; i++ ))
do
rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire
done
#
#Stop services
ipsecctrl D
#
#Extract files
extract_files
# Remove old pluto binaries.
rm -f /usr/libexec/ipsec/{pluto,_pluto_adns,whack}
rm -f /usr/local/bin/vpn-watch
#
#Start services
# Call the CGI script to regenerate the configuration files.
/srv/web/ipfire/cgi-bin/vpnmain.cgi
ipsecctrl S
#
#Update Language cache
perl -e "require '/var/ipfire/lang.pl'; &Lang::BuildCacheLang"
#Rebuild module dep's
#arch=`uname -m`
#if [ ${arch::3} == "arm" ]; then
# depmod -a 2.6.32.45-ipfire-versatile >/dev/null 2>&1
# depmod -a 2.6.32.45-ipfire-kirkwood >/dev/null 2>&1
#else
# depmod -a 2.6.32.45-ipfire >/dev/null 2>&1
# depmod -a 2.6.32.45-ipfire-pae >/dev/null 2>&1
# depmod -a 2.6.32.45-ipfire-xen >/dev/null 2>&1
#fi
#Rebuild initrd's because some compat-wireless modules are inside
#/sbin/dracut --force --verbose /boot/ipfirerd-2.6.32.45.img 2.6.32.45-ipfire
#if [ -e /boot/ipfirerd-2.6.32.45-pae.img ]; then
#/sbin/dracut --force --verbose /boot/ipfirerd-2.6.32.45-pae.img 2.6.32.45-ipfire-pae
#fi
#if [ -e /boot/ipfirerd-2.6.32.45-xen.img ]; then
#/sbin/dracut --force --verbose /boot/ipfirerd-2.6.32.45-xen.img 2.6.32.45-ipfire-xen
#fi
sync
# This update need a reboot...
#touch /var/run/need_reboot
#
#Finish
/etc/init.d/fireinfo start
sendprofile
#Don't report the exitcode last command
exit 0
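Review bot: The regeneration call `/srv/web/ipfire/cgi-bin/vpnmain.cgi` runs with its exit status ignored, so if it fails (it relies on the REMOTE_ADDR-based hook this commit adds to vpnmain.cgi) `ipsecctrl S` still brings charon up, possibly against an absent or stale /etc/ipsec.conf and /etc/ipsec.secrets. Make the restart conditional on success, e.g. `/srv/web/ipfire/cgi-bin/vpnmain.cgi || echo "vpnmain.cgi failed to regenerate the IPsec configuration" >&2`, or at least test for /etc/ipsec.conf before `ipsecctrl S`. The comment `# This update need a reboot...` sits above a commented-out `#touch /var/run/need_reboot`, so the two contradict each other; either restore the touch or drop the comment. `extract_files`, `ipsecctrl` and `sendprofile` come from the sourced functions.sh and are not visible here.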


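--- /dev/null
+++ b/[path-not-shown-on-page]
@@ -0,0 +1 @@
+../common/findutils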


@@ -54,7 +54,7 @@ my %servicenames =(
$Lang::tr{'kernel logging server'} => 'klogd',
$Lang::tr{'ntp server'} => 'ntpd',
$Lang::tr{'secure shell server'} => 'sshd',
$Lang::tr{'vpn'} => 'pluto',
$Lang::tr{'vpn'} => 'charon',
$Lang::tr{'web proxy'} => 'squid',
'OpenVPN' => 'openvpn'
);


@@ -73,17 +73,9 @@ $cgiparams{'ENABLED'} = 'off';
$cgiparams{'EDIT_ADVANCED'} = 'off';
$cgiparams{'ACTION'} = '';
$cgiparams{'CA_NAME'} = '';
$cgiparams{'DBG_CRYPT'} = '';
$cgiparams{'DBG_PARSING'} = '';
$cgiparams{'DBG_EMITTING'} = '';
$cgiparams{'DBG_CONTROL'} = '';
$cgiparams{'DBG_KLIPS'} = '';
$cgiparams{'DBG_DNS'} = '';
$cgiparams{'DBG_NAT_T'} = '';
$cgiparams{'KEY'} = '';
$cgiparams{'TYPE'} = '';
$cgiparams{'ADVANCED'} = '';
$cgiparams{'INTERFACE'} = '';
$cgiparams{'NAME'} = '';
$cgiparams{'LOCAL_SUBNET'} = '';
$cgiparams{'REMOTE_SUBNET'} = '';
@@ -253,50 +245,8 @@ sub writeipsecfiles {
flock CONF, 2;
flock SECRETS, 2;
print CONF "version 2\n\n";
print CONF "config setup\n";
#create an ipsec Interface for each 'enabled' ones
#loop trought configuration and add physical interfaces to the list
my $interfaces = "\tinterfaces=\"";
foreach my $key (keys %lconfighash) {
next if ($lconfighash{$key}[0] ne 'on');
$interfaces .= "%defaultroute " if ($interfaces !~ /defaultroute/ && $lconfighash{$key}[26] eq 'RED');
$interfaces .= "$netsettings{'GREEN_DEV'} " if ($interfaces !~ /ipsec1/ && $lconfighash{$key}[26] eq 'GREEN');
$interfaces .= "$netsettings{'BLUE_DEV'} " if ($interfaces !~ /ipsec2/ && $lconfighash{$key}[26] eq 'BLUE');
$interfaces .= "$netsettings{'ORANGE_DEV'} " if ($interfaces !~ /ipsec3/ && $lconfighash{$key}[26] eq 'ORANGE');
}
print CONF $interfaces . "\"\n";
my $plutodebug = ''; # build debug list
map ($plutodebug .= $lvpnsettings{$_} eq 'on' ? lc (substr($_,4)).' ' : '',
('DBG_CRYPT','DBG_PARSING','DBG_EMITTING','DBG_CONTROL',
'DBG_DNS'));
$plutodebug = 'none' if $plutodebug eq ''; # if nothing selected, use 'none'.
#print CONF "\tklipsdebug=\"none\"\n";
print CONF "\tplutodebug=\"$plutodebug\"\n";
# deprecated in ipsec.conf version 2
#print CONF "\tplutoload=%search\n";
#print CONF "\tplutostart=%search\n";
print CONF "\tuniqueids=yes\n";
print CONF "\tnat_traversal=yes\n";
print CONF "\toverridemtu=$lvpnsettings{'VPN_OVERRIDE_MTU'}\n" if ($lvpnsettings{'VPN_OVERRIDE_MTU'} ne '');
print CONF "\tvirtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16";
print CONF ",%v4:!$green_cidr";
if (length($netsettings{'ORANGE_DEV'}) > 2) {
print CONF ",%v4:!$orange_cidr";
}
if (length($netsettings{'BLUE_DEV'}) > 2) {
print CONF ",%v4:!$blue_cidr";
}
foreach my $key (keys %lconfighash) {
if ($lconfighash{$key}[3] eq 'net') {
print CONF ",%v4:!$lconfighash{$key}[11]";
}
}
print CONF "\n\n";
print CONF "conn %default\n";
print CONF "\tkeyingtries=0\n";
#strongswan doesn't know this
#print CONF "\tdisablearrivalcheck=no\n";
print CONF "\tkeyingtries=%forever\n";
print CONF "\n";
# Add user includes to config file
@@ -329,7 +279,6 @@ sub writeipsecfiles {
print CONF "conn $lconfighash{$key}[1]\n";
print CONF "\tleft=$localside\n";
print CONF "\tleftnexthop=%defaultroute\n" if ($lconfighash{$key}[26] eq 'RED' && $lvpnsettings{'VPN_IP'} ne '%defaultroute');
my $cidr_net=&General::ipcidr($lconfighash{$key}[8]);
print CONF "\tleftsubnet=$cidr_net\n";
print CONF "\tleftfirewall=yes\n";
@@ -339,7 +288,6 @@ sub writeipsecfiles {
if ($lconfighash{$key}[3] eq 'net') {
my $cidr_net=&General::ipcidr($lconfighash{$key}[11]);
print CONF "\trightsubnet=$cidr_net\n";
print CONF "\trightnexthop=%defaultroute\n";
} elsif ($lconfighash{$key}[10] eq '%any' && $lconfighash{$key}[14] eq 'on') { #vhost allowed for roadwarriors?
print CONF "\trightsubnet=vhost:%no,%priv\n";
}
@@ -354,6 +302,9 @@ sub writeipsecfiles {
print CONF "\tleftid=\"$lconfighash{$key}[7]\"\n" if ($lconfighash{$key}[7]);
print CONF "\trightid=\"$lconfighash{$key}[9]\"\n" if ($lconfighash{$key}[9]);
# Is PFS enabled?
my $pfs = $lconfighash{$key}[28] eq 'on' ? 'on' : 'off';
# Algorithms
if ($lconfighash{$key}[18] && $lconfighash{$key}[19] && $lconfighash{$key}[20]) {
print CONF "\tike=";
@@ -379,11 +330,25 @@ sub writeipsecfiles {
print CONF "\tesp=";
my @encs = split('\|', $lconfighash{$key}[21]);
my @ints = split('\|', $lconfighash{$key}[22]);
my @groups = split('\|', $lconfighash{$key}[20]);
my $comma = 0;
foreach my $i (@encs) {
foreach my $j (@ints) {
if ($comma != 0) { print CONF ","; } else { $comma = 1; }
print CONF "$i-$j";
my $modp = "";
if ($pfs eq "on") {
foreach my $k (@groups) {
if ($comma != 0) { print CONF ","; } else { $comma = 1; }
if ($pfs eq "on") {
$modp = "-modp$k";
} else {
$modp = "";
}
print CONF "$i-$j$modp";
}
} else {
if ($comma != 0) { print CONF ","; } else { $comma = 1; }
print CONF "$i-$j";
}
}
}
if ($lconfighash{$key}[24] eq 'on') { #only proposed algorythms?
@@ -392,9 +357,6 @@ sub writeipsecfiles {
print CONF "\n";
}
}
if ($lconfighash{$key}[23]) {
print CONF "\tpfsgroup=$lconfighash{$key}[23]\n";
}
# IKE V1 or V2
if (! $lconfighash{$key}[29]) {
@@ -414,9 +376,6 @@ sub writeipsecfiles {
print CONF "\tdpdtimeout=120\n";
print CONF "\tdpdaction=$lconfighash{$key}[27]\n";
# Disable pfs ?
print CONF "\tpfs=". ($lconfighash{$key}[28] eq 'on' ? "yes\n" : "no\n");
# Build Authentication details: LEFTid RIGHTid : PSK psk
my $psk_line;
if ($lconfighash{$key}[4] eq 'psk') {
@@ -450,6 +409,12 @@ sub writeipsecfiles {
close(SECRETS);
}
# Hook to regenerate the configuration files.
if ($ENV{"REMOTE_ADDR"} eq "") {
writeipsecfiles;
exit(0);
}
###
### Save main settings
###
@@ -466,29 +431,13 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg
goto SAVE_ERROR;
}
unless ($cgiparams{'VPN_OVERRIDE_MTU'} =~ /^(|[0-9]{1,5})$/ ) { #allow 0-99999
$errormessage = $Lang::tr{'vpn mtu invalid'};
goto SAVE_ERROR;
}
unless ($cgiparams{'VPN_WATCH'} =~ /^(|off|on)$/ ) {
$errormessage = $Lang::tr{'invalid input'};
goto SAVE_ERROR;
}
if ( $cgiparams{'RW_NET'} ne '' and !&General::validipandmask($cgiparams{'RW_NET'}) ) {
$errormessage = $Lang::tr{'urlfilter invalid ip or mask error'};
goto SAVE_ERROR;
}
map ($vpnsettings{$_} = $cgiparams{$_},
('ENABLED','DBG_CRYPT','DBG_PARSING','DBG_EMITTING','DBG_CONTROL',
'DBG_DNS'));
$vpnsettings{'VPN_IP'} = $cgiparams{'VPN_IP'};
$vpnsettings{'VPN_DELAYED_START'} = $cgiparams{'VPN_DELAYED_START'};
$vpnsettings{'VPN_OVERRIDE_MTU'} = $cgiparams{'VPN_OVERRIDE_MTU'};
$vpnsettings{'VPN_WATCH'} = $cgiparams{'VPN_WATCH'};
$vpnsettings{'RW_NET'} = $cgiparams{'RW_NET'};
&General::writehash("${General::swroot}/vpn/settings", \%vpnsettings);
&writeipsecfiles();
@@ -1298,7 +1247,6 @@ END
$cgiparams{'REMOTE'} = $confighash{$cgiparams{'KEY'}}[10];
$cgiparams{'REMOTE_SUBNET'} = $confighash{$cgiparams{'KEY'}}[11];
$cgiparams{'REMARK'} = $confighash{$cgiparams{'KEY'}}[25];
$cgiparams{'INTERFACE'} = $confighash{$cgiparams{'KEY'}}[26];
$cgiparams{'DPD_ACTION'} = $confighash{$cgiparams{'KEY'}}[27];
$cgiparams{'IKE_VERSION'} = $confighash{$cgiparams{'KEY'}}[29];
$cgiparams{'IKE_ENCRYPTION'} = $confighash{$cgiparams{'KEY'}}[18];
@@ -1801,7 +1749,7 @@ END
$confighash{$key}[9] = $cgiparams{'REMOTE_ID'};
$confighash{$key}[10] = $cgiparams{'REMOTE'};
$confighash{$key}[25] = $cgiparams{'REMARK'};
$confighash{$key}[26] = $cgiparams{'INTERFACE'};
$confighash{$key}[26] = ""; # Formerly INTERFACE
$confighash{$key}[27] = $cgiparams{'DPD_ACTION'};
$confighash{$key}[29] = $cgiparams{'IKE_VERSION'};
@@ -1859,28 +1807,25 @@ END
$cgiparams{'DPD_ACTION'} = 'restart';
}
# Default IKE Version to V1
if (! $cgiparams{'IKE_VERSION'}) {
$cgiparams{'IKE_VERSION'} = 'ikev1';
# Default IKE Version to v2
if (!$cgiparams{'IKE_VERSION'}) {
$cgiparams{'IKE_VERSION'} = 'ikev2';
}
# Default is yes for 'pfs'
$cgiparams{'PFS'} = 'on';
# ID are empty
$cgiparams{'LOCAL_ID'} = '';
$cgiparams{'REMOTE_ID'} = '';
#use default advanced value
$cgiparams{'IKE_ENCRYPTION'} = 'aes128|3des'; #[18];
$cgiparams{'IKE_ENCRYPTION'} = 'aes256|aes128|3des'; #[18];
$cgiparams{'IKE_INTEGRITY'} = 'sha|md5'; #[19];
$cgiparams{'IKE_GROUPTYPE'} = '1536|1024'; #[20];
$cgiparams{'IKE_GROUPTYPE'} = '2048'; #[20];
$cgiparams{'IKE_LIFETIME'} = '1'; #[16];
$cgiparams{'ESP_ENCRYPTION'} = 'aes128|3des'; #[21];
$cgiparams{'ESP_ENCRYPTION'} = 'aes256|aes128|3des'; #[21];
$cgiparams{'ESP_INTEGRITY'} = 'sha1|md5'; #[22];
$cgiparams{'ESP_GROUPTYPE'} = ''; #[23];
$cgiparams{'ESP_KEYLIFE'} = '8'; #[17];
$cgiparams{'COMPRESSION'} = 'off'; #[13];
$cgiparams{'COMPRESSION'} = 'on'; #[13];
$cgiparams{'ONLY_PROPOSED'} = 'off'; #[24];
$cgiparams{'PFS'} = 'on'; #[28];
$cgiparams{'VHOST'} = 'on'; #[14];
@@ -1903,12 +1848,6 @@ END
$checked{'AUTH'}{'auth-dn'} = '';
$checked{'AUTH'}{$cgiparams{'AUTH'}} = "checked='checked'";
$selected{'INTERFACE'}{'RED'} = '';
$selected{'INTERFACE'}{'ORANGE'} = '';
$selected{'INTERFACE'}{'GREEN'} = '';
$selected{'INTERFACE'}{'BLUE'} = '';
$selected{'INTERFACE'}{$cgiparams{'INTERFACE'}} = "selected='selected'";
$selected{'DPD_ACTION'}{'clear'} = '';
$selected{'DPD_ACTION'}{'hold'} = '';
$selected{'DPD_ACTION'}{'restart'} = '';
@@ -1975,22 +1914,24 @@ END
$blob = "<img src='/blob.gif' alt='*' />";
};
print "<tr><td>$Lang::tr{'host ip'}:</td>";
print "<td><select name='INTERFACE'>";
print "<option value='RED' $selected{'INTERFACE'}{'RED'}>RED ($vpnsettings{'VPN_IP'})</option>";
print "<option value='GREEN' $selected{'INTERFACE'}{'GREEN'}>GREEN ($netsettings{'GREEN_ADDRESS'})</option>";
print "<option value='BLUE' $selected{'INTERFACE'}{'BLUE'}>BLUE ($netsettings{'BLUE_ADDRESS'})</option>" if ($netsettings{'BLUE_DEV'} ne '');
print "<option value='ORANGE' $selected{'INTERFACE'}{'ORANGE'}>ORANGE ($netsettings{'ORANGE_ADDRESS'})</option>" if ($netsettings{'ORANGE_DEV'} ne '');
print "</select></td>";
print <<END
<tr>
<td class='boldbase'>$Lang::tr{'remote host/ip'}:&nbsp;$blob</td>
<td><input type='text' name='REMOTE' value='$cgiparams{'REMOTE'}' size='30' /></td>
</tr><tr>
<td class='boldbase' nowrap='nowrap'>$Lang::tr{'local subnet'}</td>
<td><input type='text' name='LOCAL_SUBNET' value='$cgiparams{'LOCAL_SUBNET'}' size='30' /></td>
<td>
<input type='text' name='REMOTE' value='$cgiparams{'REMOTE'}' size='30' />
</td>
<td class='boldbase' nowrap='nowrap'>$Lang::tr{'remote subnet'}</td>
<td><input $disabled type='text' name='REMOTE_SUBNET' value='$cgiparams{'REMOTE_SUBNET'}' size='30' /></td>
</tr><tr>
<td>
<input $disabled type='text' name='REMOTE_SUBNET' value='$cgiparams{'REMOTE_SUBNET'}' size='30' />
</td>
</tr>
<tr>
<td class='boldbase' nowrap='nowrap'>$Lang::tr{'local subnet'}</td>
<td colspan='3'>
<input type='text' name='LOCAL_SUBNET' value='$cgiparams{'LOCAL_SUBNET'}' size='30' />
</td>
</tr>
<tr>
<td class='boldbase'>$Lang::tr{'vpn local id'}:<br />($Lang::tr{'eg'} <tt>&#64;xy.example.com</tt>)</td>
<td><input type='text' name='LOCAL_ID' value='$cgiparams{'LOCAL_ID'}' /></td>
<td class='boldbase'>$Lang::tr{'vpn remote id'}:</td>
@@ -1999,22 +1940,18 @@ END
</tr><td><br /></td><tr>
<td>$Lang::tr{'vpn keyexchange'}:</td>
<td><select name='IKE_VERSION'>
<option value='ikev1' $selected{'IKE_VERSION'}{'ikev1'}>IKEv1</option>
<option value='ikev2' $selected{'IKE_VERSION'}{'ikev2'}>IKEv2</option>
</select></a>
<option value='ikev1' $selected{'IKE_VERSION'}{'ikev1'}>IKEv1</option>
</select>
</td>
<td>$Lang::tr{'dpd action'}:</td>
<td><select name='DPD_ACTION'>
<option value='clear' $selected{'DPD_ACTION'}{'clear'}>clear</option>
<option value='hold' $selected{'DPD_ACTION'}{'hold'}>hold</option>
<option value='restart' $selected{'DPD_ACTION'}{'restart'}>restart</option>
</select>&nbsp; <a href='http://www.openswan.com/docs/local/README.DPD'>?</a>
</select>
</td>
</tr><tr>
<!--http://www.openswan.com/docs/local/README.DPD
http://bugs.xelerance.com/view.php?id=156
restart = clear + reinitiate connection
-->
<td class='boldbase'>$Lang::tr{'remark title'}&nbsp;<img src='/blob.gif' alt='*' /></td>
<td colspan='3'><input type='text' name='REMARK' value='$cgiparams{'REMARK'}' size='55' maxlength='50' /></td>
</tr>
@@ -2447,11 +2384,7 @@ EOF
$cgiparams{'VPN_IP'} ='%defaultroute' if ($cgiparams{'VPN_IP'} eq '');
$cgiparams{'VPN_DELAYED_START'} = 0 if (! defined ($cgiparams{'VPN_DELAYED_START'}));
$checked{'VPN_WATCH'} = $cgiparams{'VPN_WATCH'} eq 'on' ? "checked='checked'" : '' ;
map ($checked{$_} = $cgiparams{$_} eq 'on' ? "checked='checked'" : '',
('ENABLED','DBG_CRYPT','DBG_PARSING','DBG_EMITTING','DBG_CONTROL',
'DBG_DNS'));
$checked{'ENABLED'} = $cgiparams{'ENABLED'} eq 'on' ? "checked='checked'" : '';
&Header::showhttpheaders();
&Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
@@ -2473,13 +2406,6 @@ EOF
<td width='20%'><input type='text' name='VPN_IP' value='$cgiparams{'VPN_IP'}' /></td>
<td width='20%' class='base'>$Lang::tr{'enabled'}<input type='checkbox' name='ENABLED' $checked{'ENABLED'} /></td>
</tr>
END
;
print <<END
<tr>
<td class='base' nowrap='nowrap'>$Lang::tr{'override mtu'}:&nbsp;<img src='/blob.gif' alt='*' /></td>
<td ><input type='text' name='VPN_OVERRIDE_MTU' value='$cgiparams{'VPN_OVERRIDE_MTU'}' /></td>
</tr>
END
;
print <<END
@@ -2492,13 +2418,6 @@ print <<END
<td ><input type='text' name='RW_NET' value='$cgiparams{'RW_NET'}' /></td>
</tr>
</table>
<p>$Lang::tr{'vpn watch'}:<input type='checkbox' name='VPN_WATCH' $checked{'VPN_WATCH'} /></p>
<p>PLUTO DEBUG&nbsp;=
crypt:<input type='checkbox' name='DBG_CRYPT' $checked{'DBG_CRYPT'} />,&nbsp;
parsing:<input type='checkbox' name='DBG_PARSING' $checked{'DBG_PARSING'} />,&nbsp;
emitting:<input type='checkbox' name='DBG_EMITTING' $checked{'DBG_EMITTING'} />,&nbsp;
control:<input type='checkbox' name='DBG_CONTROL' $checked{'DBG_CONTROL'} />,&nbsp;
dns:<input type='checkbox' name='DBG_DNS' $checked{'DBG_DNS'} />&nbsp;
<hr />
<table width='100%'>
<tr>
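Review bot: The new command-line hook `if ($ENV{"REMOTE_ADDR"} eq "")` decides whether to rewrite /etc/ipsec.conf and /etc/ipsec.secrets and exit based on one CGI variable being absent, which compares undef with `eq` (a warning under `use warnings`) and is a weak signal for "not running under the web server"; test it explicitly and keep the call style the file uses at `&writeipsecfiles();`, e.g. `if (!defined $ENV{'REMOTE_ADDR'} || $ENV{'REMOTE_ADDR'} eq '') { &writeipsecfiles(); exit(0); }`, or key on `GATEWAY_INTERFACE`, which CGI servers set. In the rewritten `esp=` loop the inner `if ($pfs eq "on")` is always true inside the `foreach my $k (@groups)` branch, so `$modp` can simply be `"-modp$k"`, and if `@groups` is empty while PFS is on nothing is printed for that encryption/integrity pair at all. The settings-save hunk removes the `map` that copied `ENABLED` into `%vpnsettings` with no replacement visible on this page — if none was added, the enabled flag is no longer persisted; confirm against the full file. The new defaults still propose `3des` and `md5` for fresh connections (`aes256|aes128|3des`, `sha|md5`, `sha1|md5`); since the proposal set is being revised here, consider trimming them or adding a comment on why they are kept. `$cgiparams{'PFS'} = 'on'` is now assigned twice in the same default block.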


@@ -26,7 +26,7 @@ include Config
VERSUFIX=ipfire$(KCFG)
VER = 3.5-1-snpc
VER = 3.5-3-snpc
ifeq "$(KCFG)" "-xen"
KVER = 2.6.32.59
@@ -47,7 +47,7 @@ objects = $(DL_FILE) asix-4.4.0.tar.xz
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
asix-4.4.0.tar.xz = $(DL_FROM)/asix-4.4.0.tar.xz
$(DL_FILE)_MD5 = 7099f748a9d2c05fffea7e5ea4f41a0b
$(DL_FILE)_MD5 = 66f27eed39aacd567f67025305273cd7
asix-4.4.0.tar.xz_MD5=633609e889de41554826e0e2cd7bffde
install : $(TARGET)
@@ -82,6 +82,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
# kfifo has no license info and taints kernel
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/compat-wireless-2.6.39_kfifo_module_info.patch
# Build ath5k only if target has pci
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/compat-wireless-3.5-build_ath5k_only_with_pci.patch
# Copy USB-Net drivers from Kernel...
mkdir $(DIR_APP)/drivers/net/usb/new
cp $(DIR_APP)/drivers/net/usb/*.c $(DIR_APP)/drivers/net/usb/new
@@ -101,12 +104,12 @@ ifneq "$(KCFG)" "-xen"
cd $(DIR_APP) && echo export CONFIG_LIBERTAS_UAP=m >> config.mk
endif
#ifeq "$(MACHINE_TYPE)" "arm"
# # fix atomic64 functions
# cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/compat-wireless-3.2.5-1-fix_atomic64_t_on_arm.patch
#endif
# Erase some modules that are obsolete or moved to other path
rm -rf /lib/modules/$(KVER)-$(VERSUFIX)/kernel/net/bluetooth
rm -rf /lib/modules/$(KVER)-$(VERSUFIX)/kernel/drivers/net/wireless/wl12*
cd $(DIR_APP) && make KLIB=/lib/modules/$(KVER)-$(VERSUFIX) \
KLIB_BUILD=/lib/modules/$(KVER)-$(VERSUFIX)/build \
KMODPATH_ARG='INSTALL_MOD_PATH=' KMODDIR=kernel install-modules
# Install firmware udev files...


@@ -24,7 +24,7 @@
include Config
VER = 4.6.4
VER = 5.0.0
THISAPP = strongswan-$(VER)
DL_FILE = $(THISAPP).tar.bz2
@@ -32,6 +32,12 @@ DL_FROM = $(URL_IPFIRE)
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
ifeq "$(MACHINE)" "i586"
PADLOCK = --enable-padlock
else
PADLOCK = --disable-padlock
endif
###############################################################################
# Top-level Rules
###############################################################################
@@ -40,7 +46,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
$(DL_FILE)_MD5 = 4c0999c42faa0860ae0afc4f8efd9d04
$(DL_FILE)_MD5 = c8b861305def7c0abae04f7bbefec212
install : $(TARGET)
@@ -73,18 +79,19 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-4.5.3_ipfire.patch
# Customize the welcome banner.
sed -i $(DIR_APP)/src/pluto/modecfg.c \
-e 's/^#define.*DEFAULT_UNITY_BANNER.*/#define DEFAULT_UNITY_BANNER "Welcome to IPFire - An Open Source Firewall Solution.\\n"/'
cd $(DIR_APP) && ./configure --prefix="/usr" --sysconfdir="/etc" \
--enable-cisco-quirks \
--enable-curl \
--enable-nat-transport
cd $(DIR_APP) && ./configure \
--prefix="/usr" \
--sysconfdir="/etc" \
--enable-curl \
--enable-openssl \
$(PADLOCK)
cd $(DIR_APP) && make $(MAKETUNING)
cd $(DIR_APP) && make install
# Remove all library files we don't want or need.
rm -vf /usr/lib/ipsec/plugins/*.{,l}a
-rm -rfv /etc/rc*.d/*ipsec
cd $(DIR_SRC) && cp src/initscripts/init.d/ipsec /etc/rc.d/init.d/ipsec
rm -f /etc/ipsec.conf /etc/ipsec.secrets
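Review bot: The build still applies `strongswan-4.5.3_ipfire.patch` and, unless those lines are on the removed side (the +/- markers are lost on this page), runs `sed -i` on `src/pluto/modecfg.c` — both target the pluto-era source tree, and this same commit removes the pluto binaries and rootfile entries, so a 5.0.0 tarball is unlikely to contain that file, which would make `sed -i` fail and abort the build. Confirm the patch still applies to 5.0.0 and either drop the banner edit or point it at the file that now carries the Unity banner. The new configure block drops `--enable-cisco-quirks` and `--enable-nat-transport` without a note; a one-line comment stating why they are no longer needed would save the next reader a search.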


@@ -441,7 +441,7 @@ buildipfire() {
# ipfiremake mISDN KCFG="-rpi"
# ipfiremake dahdi KCFG="-rpi" KMOD=1
ipfiremake cryptodev KCFG="-rpi"
# ipfiremake compat-wireless KCFG="-rpi"
ipfiremake compat-wireless KCFG="-rpi"
# ipfiremake r8169 KCFG="-rpi"
# ipfiremake r8168 KCFG="-rpi"
# ipfiremake r8101 KCFG="-rpi"
@@ -455,7 +455,7 @@ buildipfire() {
# ipfiremake mISDN KCFG="-omap"
# ipfiremake dahdi KCFG="-omap" KMOD=1
ipfiremake cryptodev KCFG="-omap"
# ipfiremake compat-wireless KCFG="-omap"
ipfiremake compat-wireless KCFG="-omap"
# ipfiremake r8169 KCFG="-omap"
# ipfiremake r8168 KCFG="-omap"
# ipfiremake r8101 KCFG="-omap"


@@ -43,10 +43,6 @@ case "$1" in
mkdir -p /var/run/mysql
chown mysql:mysql /var/run/mysql
fi
if [ ! -e /var/run/pluto ]; then
mkdir -p /var/run/pluto
chmod 700 /var/run/pluto
fi
if [ ! -e /var/run/saslauthd ]; then
mkdir -p /var/run/saslauthd
fi


@@ -132,7 +132,7 @@ int main(int argc, char *argv[])
// Load common modules
mysystem("/sbin/modprobe iso9660"); // CDROM
mysystem("/sbin/modprobe ext2"); // Boot patition
// mysystem("/sbin/modprobe ext2"); // Boot patition
mysystem("/sbin/modprobe vfat"); // USB key
/* German is the default */
@@ -375,16 +375,16 @@ int main(int argc, char *argv[])
}
if (fstype == EXT2) {
mysystem("/sbin/modprobe ext2");
// mysystem("/sbin/modprobe ext2");
sprintf(mkfscommand, "/sbin/mke2fs -T ext2");
} else if (fstype == REISERFS) {
mysystem("/sbin/modprobe reiserfs");
sprintf(mkfscommand, "/sbin/mkreiserfs -f");
} else if (fstype == EXT3) {
mysystem("/sbin/modprobe ext3");
// mysystem("/sbin/modprobe ext3");
sprintf(mkfscommand, "/sbin/mke2fs -T ext3");
} else if (fstype == EXT4) {
mysystem("/sbin/modprobe ext4");
// mysystem("/sbin/modprobe ext4");
sprintf(mkfscommand, "/sbin/mke2fs -T ext4");
}
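Review bot: The ext2/ext3/ext4 `modprobe` calls are commented out rather than removed, in both hunks, leaving no record of why they are no longer needed. Either delete the four lines or replace them with a single comment giving the reason (presumably the filesystems are now compiled into the kernel, but nothing on this page establishes that), so the next reader does not wonder whether re-enabling them is intended. `main` starts and ends outside these hunks.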


@@ -2,7 +2,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
# Copyright (C) 2007 Michael Tremer & Christian Schmidt #
# Copyright (C) 2007-2012 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -21,30 +21,10 @@
echo "Scanning for possible destination drives"
# scan IDE devices
echo "--> IDE"
for DEVICE in $(kudzu -qps -t 30 -c HD -b IDE | grep device: | cut -d ' ' -f 2 | sort | uniq); do
if [ "$(grep ${DEVICE} /proc/partitions)" = "" ]; then
umount /harddisk 2> /dev/null
echo "${DEVICE} is empty - SKIP"
continue
fi
mount /dev/${DEVICE}1 /harddisk 2> /dev/null
if [ -n "$(ls /harddisk/ipfire-*.tlz 2>/dev/null)" ]; then
umount /harddisk 2> /dev/null
echo "${DEVICE}1 is source drive - SKIP"
continue
else
umount /harddisk 2> /dev/null
echo -n "$DEVICE" > /tmp/dest_device
echo "${DEVICE} - yes, it is our destination"
exit 0 # IDE / use DEVICE for grub
fi
done
# scan USB/SCSI devices
echo "--> USB/SCSI"
for DEVICE in $(kudzu -qps -t 30 -c HD -b SCSI | grep device: | cut -d ' ' -f 2 | sort | uniq); do
# scan sd?
echo "--> sd?"
for DEVICE in `find /sys/block/* -maxdepth 0 -name sd* -exec basename {} \; | sort | uniq`
do
if [ "$(grep ${DEVICE} /proc/partitions)" = "" ]; then
umount /harddisk 2> /dev/null
echo "${DEVICE} is empty - SKIP"
@@ -66,19 +46,15 @@ for DEVICE in $(kudzu -qps -t 30 -c HD -b SCSI | grep device: | cut -d ' ' -f 2
umount /harddisk 2> /dev/null
echo -n "$DEVICE" > /tmp/dest_device
echo "${DEVICE} - yes, it is our destination"
exit 1 # SCSI/USB (always use /dev/sda as bootdevicename)
exit 1 # (always use /dev/sda as bootdevicename)
fi
fi
done
# scan RAID devices
echo "--> RAID"
for DEVICE in $(kudzu -qps -t 30 -c HD -b RAID | grep device: | cut -d ' ' -f 2 | sort | uniq); do
if [ "$(grep ${DEVICE}p1 /proc/partitions)" = "" ]; then
umount /harddisk 2> /dev/null
echo "${DEVICE}p1 is empty - SKIP"
continue
fi
# scan other
echo "--> other"
for DEVICE in `find /sys/block/* -maxdepth 0 ! -name sd* ! -name sr* ! -name fd* ! -name loop* ! -name ram* -exec basename {} \; | sort | uniq`
do
mount /dev/${DEVICE}p1 /harddisk 2> /dev/null
if [ -n "$(ls /harddisk/ipfire-*.tlz 2>/dev/null)" ]; then
umount /harddisk 2> /dev/null
@@ -112,38 +88,4 @@ for DEVICE in $(kudzu -qps -t 30 -c HD -b RAID | grep device: | cut -d ' ' -f 2
fi
done
# Virtio devices
echo "--> Virtio"
for DEVICE in vda vdb vdc vdd; do
if [ ! -e /dev/${DEVICE} ]; then
continue
else
if [ "$(grep ${DEVICE} /proc/partitions)" = "" ]; then
umount /harddisk 2> /dev/null
echo "${DEVICE} is empty - SKIP"
continue
fi
mount /dev/${DEVICE} /harddisk 2> /dev/null
if [ -n "$(ls /harddisk/ipfire-*.tlz 2>/dev/null)" ]; then
umount /harddisk 2> /dev/null
echo "${DEVICE} is source drive - SKIP"
continue
else
umount /harddisk 2> /dev/null
mount /dev/${DEVICE}1 /harddisk 2> /dev/null
if [ -n "$(ls /harddisk/ipfire-*.tlz 2>/dev/null)" ]; then
umount /harddisk 2> /dev/null
echo "${DEVICE}1 is source drive - SKIP"
continue
else
umount /harddisk 2> /dev/null
echo -n "$DEVICE" > /tmp/dest_device
echo "${DEVICE} - yes, it is our destination"
exit 0 # like ide / use device for grub
fi
fi
fi
done
exit 10 # Nothing found
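Review bot: The `find` expressions in the two new loops pass `-name sd*`, `! -name sd*`, `! -name sr*`, `! -name fd*`, `! -name loop*` and `! -name ram*` unquoted, so the shell expands them as globs against the current directory before find sees them; quote every pattern, e.g. `-name 'sd*'` and `! -name 'sr*'`. The "other" loop keeps the `mount /dev/${DEVICE}p1` body from the old RAID loop, and since the deleted Virtio section no longer handles vda…vdd, those devices now fall through to "other" and would be probed as `/dev/vdap1` rather than `/dev/vda1` — confirm whether virtio installs are still expected to work. The `sort | uniq` after `find` is redundant, since each entry under /sys/block appears once. The same unquoted-glob issue is present in the source-media scanner changed in this commit.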


@@ -2,7 +2,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
# Copyright (C) 2007 Michael Tremer & Christian Schmidt #
# Copyright (C) 2007-2012 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -21,8 +21,9 @@
echo "Scanning source media"
# scan CDROM devices
for DEVICE in $(kudzu -qps -t 30 -c CDROM | grep device: | cut -d ' ' -f 2 | sort | uniq); do
# scan all Block devices
for DEVICE in `find /sys/block/* -maxdepth 0 ! -name fd* ! -name loop* ! -name ram* -exec basename {} \;`
do
mount /dev/${DEVICE} /cdrom 2> /dev/null
if [ -n "$(ls /cdrom/ipfire-*.tlz 2>/dev/null)" ]; then
echo -n ${DEVICE} > /tmp/source_device
@@ -34,9 +35,10 @@ for DEVICE in $(kudzu -qps -t 30 -c CDROM | grep device: | cut -d ' ' -f 2 | sor
umount /cdrom 2> /dev/null
done
# scan HD device part1 (usb sticks, etc.)
for DEVICE in $(kudzu -qps -t 30 -c HD | grep device: | cut -d ' ' -f 2 | sort | uniq); do
for DEVICEP in $(ls /dev/${DEVICE}? | sed "s/\/dev\///");do
# scan all Partitions on block devices
for DEVICE in `find /sys/block/* -maxdepth 0 ! -name fd* ! -name loop* ! -name ram* -exec basename {} \;`
do
for DEVICEP in $(ls /dev/${DEVICE}? | sed "s/\/dev\///" 2> /dev/null);do
mount /dev/${DEVICEP} /cdrom 2> /dev/null
if [ -n "$(ls /cdrom/ipfire-*.tlz 2>/dev/null)" ]; then
echo -n ${DEVICEP} > /tmp/source_device
@@ -49,17 +51,20 @@ for DEVICE in $(kudzu -qps -t 30 -c HD | grep device: | cut -d ' ' -f 2 | sort |
done
done
# scan HD device unpart (usb sticks, etc.)
for DEVICE in $(kudzu -qps -t 30 -c HD | grep device: | cut -d ' ' -f 2 | sort | uniq); do
mount /dev/${DEVICE} /cdrom 2> /dev/null
# scan all Partitions on raid/mmc devices
for DEVICE in `find /sys/block/* -maxdepth 0 ! -name fd* ! -name loop* ! -name ram* -exec basename {} \;`
do
for DEVICEP in $(ls /dev/${DEVICE}p? | sed "s/\/dev\///");do
mount /dev/${DEVICEP} /cdrom 2> /dev/null
if [ -n "$(ls /cdrom/ipfire-*.tlz 2>/dev/null)" ]; then
echo -n ${DEVICE} > /tmp/source_device
echo "Found tarball on ${DEVICE}"
echo -n ${DEVICEP} > /tmp/source_device
echo "Found tarball on ${DEVICEP}"
exit 0
else
echo "Found no tarballs on ${DEVICE} - SKIP"
echo "Found no tarballs on ${DEVICEP} - SKIP"
fi
umount /cdrom 2> /dev/null
done
done
exit 10
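Review bot: The `2> /dev/null` on the partition loop (`$(ls /dev/${DEVICE}? | sed "s/\/dev\///" 2> /dev/null)`) redirects sed's stderr rather than ls's, so a device without partitions still prints `ls: cannot access /dev/sdX?` to the console, and the parallel `p?` loop in the raid/mmc block has no redirection at all; move it inside the substitution, `for DEVICEP in $(ls /dev/${DEVICE}? 2> /dev/null | sed "s/\/dev\///"); do`, and likewise for the `p?` form. The `find` exclusions `! -name fd* ! -name loop* ! -name ram*` are unquoted, so a file in the current working directory whose name begins with `fd`, `loop` or `ram` would be glob-expanded by the shell before find sees the pattern; quoting them (`! -name 'fd*' ! -name 'loop*' ! -name 'ram*'`) removes that dependence on the cwd. Every block device is also mounted read-write just to look for a tarball; `mount -o ro /dev/${DEVICEP} /cdrom` would keep the probe from writing to the source media. The single-character `?` glob only sees partitions 1-9, which is a pre-existing limitation rather than something this change introduces.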


@@ -78,7 +78,6 @@ void ipsec_norules() {
safe_system("/sbin/iptables -F IPSECINPUT");
safe_system("/sbin/iptables -F IPSECFORWARD");
safe_system("/sbin/iptables -F IPSECOUTPUT");
}
/*
@@ -87,8 +86,7 @@ void ipsec_norules() {
int decode_line (char *s,
char **key,
char **name,
char **type,
char **interface
char **type
) {
int count = 0;
*key = NULL;
@@ -108,8 +106,6 @@ int decode_line (char *s,
*name = result;
if (count == 4)
*type = result;
if (count == 27)
*interface = result;
count++;
result = strsep(&s, ",");
}
@@ -128,11 +124,6 @@ int decode_line (char *s,
return 0;
}
if (! (strcmp(*interface, "RED") == 0 || strcmp(*interface, "GREEN") == 0 ||
strcmp(*interface, "ORANGE") == 0 || strcmp(*interface, "BLUE") == 0)) {
fprintf(stderr, "Bad interface name: %s\n", *interface);
return 0;
}
//it's a valid & active line
return 1;
}
@@ -140,69 +131,48 @@ int decode_line (char *s,
/*
issue ipsec commmands to turn on connection 'name'
*/
void turn_connection_on (char *name, char *type) {
/*
Rename the connection and run ipsec update and rename it back to readd
a deleted connection. Because ipsec update ignores connection that have
not changed since last load.
*/
void turn_connection_on(char *name, char *type) {
/*
* To bring up a connection, we need to reload the configuration
* and issue ipsec up afterwards. To make sure the connection
* is not established from the start, we bring it down in advance.
*/
char command[STRING_SIZE];
memset(command, 0, STRING_SIZE);
// Bring down the connection (if established).
snprintf(command, STRING_SIZE - 1,
"sed -i -e 's|^conn %s$|conn %s-renamed|g' /var/ipfire/vpn/ipsec.conf >/dev/null", name, name);
"/usr/sbin/ipsec down %s >/dev/null", name);
safe_system(command);
// Down and delete IKEv2 Tunnel before ipsec update
snprintf(command, STRING_SIZE - 1,
"/usr/sbin/ipsec stroke down %s >/dev/null", name);
safe_system(command);
snprintf(command, STRING_SIZE - 1,
"/usr/sbin/ipsec stroke delete %s >/dev/null", name);
safe_system(command);
// Reload the configuration into the daemon.
safe_system("/usr/sbin/ipsec reload >/dev/null 2>&1");
safe_system("/etc/rc.d/init.d/ipsec update >/dev/null");
sleep(1);
// Back to original name
snprintf(command, STRING_SIZE - 1,
"sed -i -e 's|^conn %s-renamed$|conn %s|g' /var/ipfire/vpn/ipsec.conf >/dev/null", name, name);
safe_system(command);
// Down and delete IKEv2 Tunnel before ipsec update
snprintf(command, STRING_SIZE - 1,
"/usr/sbin/ipsec stroke down %s-renamed >/dev/null", name);
safe_system(command);
snprintf(command, STRING_SIZE - 1,
"/usr/sbin/ipsec stroke delete %s-renamed >/dev/null", name);
safe_system(command);
safe_system("/etc/rc.d/init.d/ipsec update >/dev/null");
// Bring the connection up again.
snprintf(command, STRING_SIZE - 1,
"/usr/sbin/ipsec up %s >/dev/null", name);
safe_system(command);
}
/*
issue ipsec commmands to turn off connection 'name'
*/
void turn_connection_off (char *name) {
/*
* To turn off a connection, all SAs must be turned down.
* After that, the configuration must be reloaded.
*/
char command[STRING_SIZE];
memset(command, 0, STRING_SIZE);
// Bring down the connection.
snprintf(command, STRING_SIZE - 1,
"/usr/sbin/ipsec whack --delete --name %s >/dev/null", name);
safe_system(command);
snprintf(command, STRING_SIZE - 1,
"/usr/sbin/ipsec stroke down %s >/dev/null", name);
safe_system(command);
snprintf(command, STRING_SIZE - 1,
"/usr/sbin/ipsec stroke delete %s >/dev/null", name);
"/usr/sbin/ipsec down %s >/dev/null", name);
safe_system(command);
safe_system("/usr/sbin/ipsec whack --rereadall >/dev/null");
safe_system("/usr/sbin/ipsec stroke rereadall >/dev/null");
// Reload, so the connection is dropped.
safe_system("/usr/sbin/ipsec reload >/dev/null 2>&1");
}
int main(int argc, char *argv[]) {
char configtype[STRING_SIZE];
char redtype[STRING_SIZE] = "";
struct keyvalue *kv = NULL;
@@ -218,26 +188,15 @@ int main(int argc, char *argv[]) {
if (strcmp(argv[1], "I") == 0) {
safe_system("/usr/sbin/ipsec whack --status");
safe_system("/usr/sbin/ipsec stroke status");
safe_system("/usr/sbin/ipsec status");
exit(0);
}
if (strcmp(argv[1], "R") == 0) {
safe_system("/usr/sbin/ipsec whack --rereadall >/dev/null");
safe_system("/usr/sbin/ipsec stroke rereadall >/dev/null");
safe_system("/usr/sbin/ipsec reload >/dev/null 2>&1");
exit(0);
}
/* Get vpnwatch pid */
if ((argc == 2) && (file = fopen("/var/run/vpn-watch.pid", "r"))) {
safe_system("kill -9 $(cat /var/run/vpn-watch.pid)");
safe_system("unlink /var/run/vpn-watch.pid");
close(file);
}
/* FIXME: workaround for pclose() issue - still no real idea why
* this is happening */
signal(SIGCHLD, SIG_DFL);
@@ -245,16 +204,10 @@ int main(int argc, char *argv[]) {
/* handle operations that doesn't need start the ipsec system */
if (argc == 2) {
if (strcmp(argv[1], "D") == 0) {
/* Only shutdown pluto if it really is running */
/* Get pluto pid */
if (file = fopen("/var/run/pluto.pid", "r")) {
safe_system("/etc/rc.d/init.d/ipsec stop 2> /dev/null >/dev/null");
close(file);
}
safe_system("/usr/sbin/ipsec stop >/dev/null 2>&1");
ipsec_norules();
exit(0);
}
}
/* read vpn config */
@@ -300,97 +253,69 @@ int main(int argc, char *argv[]) {
char if_blue[STRING_SIZE] = "";
char s[STRING_SIZE];
if (!(file = fopen(CONFIG_ROOT "/vpn/config", "r"))) {
fprintf(stderr, "Couldn't open vpn settings file");
exit(1);
// when RED is up, find interface name in special file
FILE *ifacefile = NULL;
if ((ifacefile = fopen(CONFIG_ROOT "/red/iface", "r"))) {
if (fgets(if_red, STRING_SIZE, ifacefile)) {
if (if_red[strlen(if_red) - 1] == '\n')
if_red[strlen(if_red) - 1] = '\0';
}
fclose (ifacefile);
if (VALID_DEVICE(if_red))
enable_red++;
}
while (fgets(s, STRING_SIZE, file) != NULL) {
char *key;
char *name;
char *type;
char *interface;
if (!decode_line(s,&key,&name,&type,&interface))
continue;
/* search interface */
if (!enable_red && strcmp (interface, "RED") == 0) {
// when RED is up, find interface name in special file
FILE *ifacefile = NULL;
if ((ifacefile = fopen(CONFIG_ROOT "/red/iface", "r"))) {
if (fgets(if_red, STRING_SIZE, ifacefile)) {
if (if_red[strlen(if_red) - 1] == '\n')
if_red[strlen(if_red) - 1] = '\0';
}
fclose (ifacefile);
if (VALID_DEVICE(if_red))
enable_red+=2; // present and running
}
}
// Check if GREEN is enabled.
findkey(kv, "GREEN_DEV", if_green);
if (VALID_DEVICE(if_green))
enable_green++;
else
fprintf(stderr, "IPSec enabled on green but green interface is invalid or not found\n");
if (!enable_green && strcmp (interface, "GREEN") == 0) {
enable_green = 1;
findkey(kv, "GREEN_DEV", if_green);
if (VALID_DEVICE(if_green))
enable_green++;
else
fprintf(stderr, "IPSec enabled on green but green interface is invalid or not found\n");
}
// Check if ORANGE is enabled.
findkey(kv, "ORANGE_DEV", if_orange);
if (VALID_DEVICE(if_orange))
enable_orange++;
else
fprintf(stderr, "IPSec enabled on orange but orange interface is invalid or not found\n");
if (!enable_orange && strcmp (interface, "ORANGE") == 0) {
enable_orange = 1;
findkey(kv, "ORANGE_DEV", if_orange);
if (VALID_DEVICE(if_orange))
enable_orange++;
else
fprintf(stderr, "IPSec enabled on orange but orange interface is invalid or not found\n");
}
// Check if BLUE is enabled.
findkey(kv, "BLUE_DEV", if_blue);
if (VALID_DEVICE(if_blue))
enable_blue++;
else
fprintf(stderr, "IPSec enabled on blue but blue interface is invalid or not found\n");
if (!enable_blue && strcmp (interface, "BLUE") == 0) {
enable_blue++;
findkey(kv, "BLUE_DEV", if_blue);
if (VALID_DEVICE(if_blue))
enable_blue++;
else
fprintf(stderr, "IPSec enabled on blue but blue interface is invalid or not found\n");
}
}
fclose(file);
freekeyvalues(kv);
// do nothing if something is in error condition
if ((enable_red==1) || (enable_green==1) || (enable_orange==1) || (enable_blue==1) )
exit(1);
// exit if nothing to do
if ( (enable_red+enable_green+enable_orange+enable_blue) == 0 )
if ((enable_red+enable_green+enable_orange+enable_blue) == 0)
exit(0);
// open needed ports
// todo: read a nat_t indicator to allow or not openning UDP/4500
if (enable_red==2)
if (enable_red > 0)
open_physical(if_red, 4500);
if (enable_green==2)
if (enable_green > 0)
open_physical(if_green, 4500);
if (enable_orange==2)
if (enable_orange > 0)
open_physical(if_orange, 4500);
if (enable_blue==2)
if (enable_blue > 0)
open_physical(if_blue, 4500);
// start the system
if ((argc == 2) && strcmp(argv[1], "S") == 0) {
safe_system("/etc/rc.d/init.d/ipsec restart >/dev/null");
safe_system("/usr/local/bin/vpn-watch &");
safe_system("/usr/sbin/ipsec restart >/dev/null");
exit(0);
}
// it is a selective start or stop
// second param is only a number 'key'
if ((argc == 2) || strspn(argv[2], NUMBERS) != strlen(argv[2])) {
fprintf(stderr, "Bad arg\n");
fprintf(stderr, "Bad arg: %s\n", argv[2]);
usage();
exit(1);
}
@@ -404,26 +329,17 @@ int main(int argc, char *argv[]) {
char *key;
char *name;
char *type;
char *interface;
if (!decode_line(s,&key,&name,&type,&interface))
if (!decode_line(s,&key,&name,&type))
continue;
// start/stop a vpn if belonging to specified interface
if (strcmp(argv[1], interface) == 0 ) {
if (strcmp(argv[2], "0")==0)
turn_connection_off (name);
else
turn_connection_on (name, type);
continue;
}
// is it the 'key' requested ?
if (strcmp(argv[2], key) != 0)
continue;
// Start or Delete this Connection
if (strcmp(argv[1], "S") == 0)
turn_connection_on (name, type);
else
if (strcmp(argv[1], "D") == 0)
else if (strcmp(argv[1], "D") == 0)
turn_connection_off (name);
else {
fprintf(stderr, "Bad command\n");
@@ -431,5 +347,6 @@ int main(int argc, char *argv[]) {
}
}
fclose(file);
return 0;
}
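Review bot: Now that the per-connection interface field is gone, the `findkey(kv, "ORANGE_DEV", if_orange)` and `findkey(kv, "BLUE_DEV", if_blue)` checks run unconditionally, so a box with no ORANGE or BLUE network writes "IPSec enabled on orange but orange interface is invalid or not found" to stderr on every ipsecctrl call even though nothing is enabled there, where the old code only warned when a connection actually referenced that interface. Either drop those `else fprintf(stderr, ...)` branches or reword them to a neutral message such as `"ORANGE interface not configured, not opening UDP/4500 on it\n"` so log readers are not chasing a phantom error. The connection name is still formatted straight into shell command lines in turn_connection_on()/turn_connection_off() (`"/usr/sbin/ipsec down %s >/dev/null"`), which is only safe if decode_line() rejects names containing shell metacharacters; that validation, if present, sits before the `@@ -108,8 +106,6 @@` hunk and is not visible here, so a comment at the snprintf calls stating the assumption (`/* name is validated by decode_line(): no shell metacharacters */`) would help the next reader. The body of main() is cut by the gaps between the last three hunks, so the flow between the interface checks and the argument validation is only partly visible.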


@@ -1,37 +0,0 @@
diff -Naur compat-wireless-3.2.5-1.org/compat/compat_atomic.c compat-wireless-3.2.5-1/compat/compat_atomic.c
--- compat-wireless-3.2.5-1.org/compat/compat_atomic.c 2012-02-07 04:45:51.000000000 +0100
+++ compat-wireless-3.2.5-1/compat/compat_atomic.c 2012-02-18 15:39:42.000000000 +0100
@@ -3,6 +3,8 @@
#if !((LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,31)) && (defined(CONFIG_UML) || defined(CONFIG_X86))) && !((LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,33)) && defined(CONFIG_ARM) && !defined(CONFIG_GENERIC_ATOMIC64))
+#include <asm-generic/atomic64.h>
+
static DEFINE_SPINLOCK(lock);
long long atomic64_read(const atomic64_t *v)
diff -Naur compat-wireless-3.2.5-1.org/compat/Makefile compat-wireless-3.2.5-1/compat/Makefile
--- compat-wireless-3.2.5-1.org/compat/Makefile 2012-02-07 05:25:54.000000000 +0100
+++ compat-wireless-3.2.5-1/compat/Makefile 2012-02-18 13:35:18.000000000 +0100
@@ -38,3 +38,9 @@
cordic.o \
crc8.o
+
+ifndef CONFIG_64BIT
+ifndef CONFIG_GENERIC_ATOMIC64
+ compat-y += compat_atomic.o
+endif
+endif
diff -Naur compat-wireless-3.2.5-1.org/net/mac80211/key.h compat-wireless-3.2.5-1/net/mac80211/key.h
--- compat-wireless-3.2.5-1.org/net/mac80211/key.h 2012-02-07 05:25:53.000000000 +0100
+++ compat-wireless-3.2.5-1/net/mac80211/key.h 2012-02-18 15:40:44.000000000 +0100
@@ -32,6 +32,8 @@
#define NUM_RX_DATA_QUEUES 16
+#include <asm-generic/atomic64.h>
+
struct ieee80211_local;
struct ieee80211_sub_if_data;
struct sta_info;


@@ -0,0 +1,16 @@
diff -Naur compat-wireless-3.5-1-snpc.org/config.mk compat-wireless-3.5/config.mk
--- compat-wireless-3.5-1-snpc.org/config.mk 2012-07-31 17:22:29.000000000 -0400
+++ compat-wireless-3.5/config.mk 2012-08-13 13:09:55.913234600 -0400
@@ -246,10 +246,12 @@
# mac80211 test driver
export CONFIG_MAC80211_HWSIM=m
+ifdef CONFIG_PCI
export CONFIG_ATH5K=m
# export CONFIG_ATH5K_DEBUG=y
# export CONFIG_ATH5K_TRACER=y
# export CONFIG_ATH5K_AHB=y
+endif #CONFIG_PCI
export CONFIG_ATH9K=m
export CONFIG_ATH9K_HW=m


@@ -1,83 +0,0 @@
#!/usr/bin/perl
##################################################
##### VPN-Watch.pl Version 0.7 #####
##################################################
# #
# VPN-Watch is part of the IPFire Firewall #
# #
##################################################
use strict;
require '/var/ipfire/general-functions.pl';
my @vpnsettings;
my $i = 0;
my $file = "/var/run/vpn-watch.pid";
my $debug = 0;
if ( -e $file ){
logger("There my be another vpn-watch runnning because $file exists, vpn-watch will try kill the process.");
open(FILE, "<$file");
my $PID = <FILE>;
close(FILE);
system("kill -9 $PID");
}
system("echo $$ > $file");
my $round=0;
while ( $i == 0){
if ($debug){logger("We will wait 60 seconds before next action.");}
sleep(60);
$round++;
# Reset roundcounter after 10 min. To do established check.
if ($round > 9) { $round=0; }
if (open(FILE, "<${General::swroot}/vpn/config")) { @vpnsettings = <FILE>;
close(FILE);
unless(@vpnsettings) {exit 1;}
}
my $status = `ipsec status`;
foreach (@vpnsettings){
my @settings = split(/,/,$_);
chomp($settings[30]);
if ($settings[27] ne 'RED'){next;}
if ($settings[4] ne 'net'){next;}
if ($settings[1] ne 'on'){next;}chomp($settings[29]);
if ($settings[29] ne 'on'){next;}
my $remotehostname = $settings[11];
if ($debug){logger("Checking connection to $remotehostname.");}
my $remoteip = `/usr/bin/ping -c 1 $remotehostname 2>/dev/null | head -n1 | awk '{print \$3}' | tr -d '()' | tr -d ':'`;chomp($remoteip);
if ($remoteip eq ""){next;if ($debug){logger("Unable to resolve $remotehostname.");}}
my $ipmatch= `echo "$status" | grep '$remoteip' | grep '$settings[2]'`;
my $established= `echo "$status" | grep '$settings[2]' | grep -e 'erouted;' -e 'INSTALLED'`;
my $known= `echo "$status" | grep '$settings[2]'`;
if ( $ipmatch eq '' && $known ne '' ){
logger("Remote IP for host $remotehostname($remoteip) has changed, restarting ipsec.");
system("/usr/local/bin/ipsecctrl S $settings[0]");
$round=0;
}
if ($debug){logger("Round=".$round." and established=".$established);}
if ( ($round == 0) && ($established eq '')) {
logger("Connection to $remotehostname($remoteip) not erouted, restarting ipsec.");
system("/usr/local/bin/ipsecctrl S $settings[0]");
$round=0;
}
}
if ($debug){logger("All connections may be fine nothing was done.");}
}
sub logger {
my $log = shift;
system("logger -t vpnwatch \"$log\"");
}