From 3090c39efd011f4da22fb076cf9fde846619c688 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Wed, 4 Jul 2012 15:53:19 +0200 Subject: [PATCH 01/13] strongswan: Update to 5.0.0. This update removes pluto which is replaced by charon. --- config/rootfiles/common/stage2 | 4 +- config/rootfiles/common/strongswan | 90 +++--------------------------- lfs/strongswan | 27 +++++---- 3 files changed, 27 insertions(+), 94 deletions(-) diff --git a/config/rootfiles/common/stage2 b/config/rootfiles/common/stage2 index 796e0f323..989614275 100644 --- a/config/rootfiles/common/stage2 +++ b/config/rootfiles/common/stage2 @@ -13,8 +13,8 @@ etc/hddtemp.db etc/host.conf etc/inittab etc/inputrc -#etc/ipsec.user.conf -#etc/ipsec.user.secrets +etc/ipsec.user.conf +etc/ipsec.user.secrets etc/issue etc/ld.so.conf etc/localtime diff --git a/config/rootfiles/common/strongswan b/config/rootfiles/common/strongswan index 4c7d558b1..ac368d682 100644 --- a/config/rootfiles/common/strongswan +++ b/config/rootfiles/common/strongswan 
@@ -13,133 +13,62 @@ etc/strongswan.conf #usr/lib/ipsec #usr/lib/ipsec/libcharon.a #usr/lib/ipsec/libcharon.la -usr/lib/ipsec/libcharon.so +#usr/lib/ipsec/libcharon.so usr/lib/ipsec/libcharon.so.0 usr/lib/ipsec/libcharon.so.0.0.0 #usr/lib/ipsec/libhydra.a #usr/lib/ipsec/libhydra.la -usr/lib/ipsec/libhydra.so +#usr/lib/ipsec/libhydra.so usr/lib/ipsec/libhydra.so.0 usr/lib/ipsec/libhydra.so.0.0.0 #usr/lib/ipsec/libstrongswan.a #usr/lib/ipsec/libstrongswan.la -usr/lib/ipsec/libstrongswan.so +#usr/lib/ipsec/libstrongswan.so usr/lib/ipsec/libstrongswan.so.0 usr/lib/ipsec/libstrongswan.so.0.0.0 #usr/lib/ipsec/plugins -#usr/lib/ipsec/plugins/libstrongswan-aes.a -#usr/lib/ipsec/plugins/libstrongswan-aes.la usr/lib/ipsec/plugins/libstrongswan-aes.so -#usr/lib/ipsec/plugins/libstrongswan-attr.a -#usr/lib/ipsec/plugins/libstrongswan-attr.la usr/lib/ipsec/plugins/libstrongswan-attr.so -#usr/lib/ipsec/plugins/libstrongswan-cmac.a -#usr/lib/ipsec/plugins/libstrongswan-cmac.la usr/lib/ipsec/plugins/libstrongswan-cmac.so -#usr/lib/ipsec/plugins/libstrongswan-constraints.a -#usr/lib/ipsec/plugins/libstrongswan-constraints.la usr/lib/ipsec/plugins/libstrongswan-constraints.so -#usr/lib/ipsec/plugins/libstrongswan-curl.a -#usr/lib/ipsec/plugins/libstrongswan-curl.la usr/lib/ipsec/plugins/libstrongswan-curl.so -#usr/lib/ipsec/plugins/libstrongswan-des.a -#usr/lib/ipsec/plugins/libstrongswan-des.la usr/lib/ipsec/plugins/libstrongswan-des.so -#usr/lib/ipsec/plugins/libstrongswan-dnskey.a -#usr/lib/ipsec/plugins/libstrongswan-dnskey.la usr/lib/ipsec/plugins/libstrongswan-dnskey.so -#usr/lib/ipsec/plugins/libstrongswan-fips-prf.a -#usr/lib/ipsec/plugins/libstrongswan-fips-prf.la usr/lib/ipsec/plugins/libstrongswan-fips-prf.so -#usr/lib/ipsec/plugins/libstrongswan-gmp.a -#usr/lib/ipsec/plugins/libstrongswan-gmp.la usr/lib/ipsec/plugins/libstrongswan-gmp.so -#usr/lib/ipsec/plugins/libstrongswan-hmac.a -#usr/lib/ipsec/plugins/libstrongswan-hmac.la usr/lib/ipsec/plugins/libstrongswan-hmac.so 
-#usr/lib/ipsec/plugins/libstrongswan-kernel-netlink.a -#usr/lib/ipsec/plugins/libstrongswan-kernel-netlink.la usr/lib/ipsec/plugins/libstrongswan-kernel-netlink.so -#usr/lib/ipsec/plugins/libstrongswan-md5.a -#usr/lib/ipsec/plugins/libstrongswan-md5.la usr/lib/ipsec/plugins/libstrongswan-md5.so -#usr/lib/ipsec/plugins/libstrongswan-pem.a -#usr/lib/ipsec/plugins/libstrongswan-pem.la +usr/lib/ipsec/plugins/libstrongswan-nonce.so +usr/lib/ipsec/plugins/libstrongswan-openssl.so +usr/lib/ipsec/plugins/libstrongswan-padlock.so usr/lib/ipsec/plugins/libstrongswan-pem.so -#usr/lib/ipsec/plugins/libstrongswan-pgp.a -#usr/lib/ipsec/plugins/libstrongswan-pgp.la usr/lib/ipsec/plugins/libstrongswan-pgp.so -#usr/lib/ipsec/plugins/libstrongswan-pkcs1.a -#usr/lib/ipsec/plugins/libstrongswan-pkcs1.la usr/lib/ipsec/plugins/libstrongswan-pkcs1.so -#usr/lib/ipsec/plugins/libstrongswan-pkcs8.a -#usr/lib/ipsec/plugins/libstrongswan-pkcs8.la usr/lib/ipsec/plugins/libstrongswan-pkcs8.so -#usr/lib/ipsec/plugins/libstrongswan-pubkey.a -#usr/lib/ipsec/plugins/libstrongswan-pubkey.la usr/lib/ipsec/plugins/libstrongswan-pubkey.so -#usr/lib/ipsec/plugins/libstrongswan-random.a -#usr/lib/ipsec/plugins/libstrongswan-random.la usr/lib/ipsec/plugins/libstrongswan-random.so -#usr/lib/ipsec/plugins/libstrongswan-resolve.a -#usr/lib/ipsec/plugins/libstrongswan-resolve.la usr/lib/ipsec/plugins/libstrongswan-resolve.so -#usr/lib/ipsec/plugins/libstrongswan-revocation.a -#usr/lib/ipsec/plugins/libstrongswan-revocation.la usr/lib/ipsec/plugins/libstrongswan-revocation.so -#usr/lib/ipsec/plugins/libstrongswan-sha1.a -#usr/lib/ipsec/plugins/libstrongswan-sha1.la usr/lib/ipsec/plugins/libstrongswan-sha1.so -#usr/lib/ipsec/plugins/libstrongswan-sha2.a -#usr/lib/ipsec/plugins/libstrongswan-sha2.la usr/lib/ipsec/plugins/libstrongswan-sha2.so -#usr/lib/ipsec/plugins/libstrongswan-socket-raw.a -#usr/lib/ipsec/plugins/libstrongswan-socket-raw.la -usr/lib/ipsec/plugins/libstrongswan-socket-raw.so 
-#usr/lib/ipsec/plugins/libstrongswan-stroke.a -#usr/lib/ipsec/plugins/libstrongswan-stroke.la +usr/lib/ipsec/plugins/libstrongswan-socket-default.so usr/lib/ipsec/plugins/libstrongswan-stroke.so -#usr/lib/ipsec/plugins/libstrongswan-updown.a -#usr/lib/ipsec/plugins/libstrongswan-updown.la usr/lib/ipsec/plugins/libstrongswan-updown.so -#usr/lib/ipsec/plugins/libstrongswan-x509.a -#usr/lib/ipsec/plugins/libstrongswan-x509.la usr/lib/ipsec/plugins/libstrongswan-x509.so -#usr/lib/ipsec/plugins/libstrongswan-xauth.a -#usr/lib/ipsec/plugins/libstrongswan-xauth.la -usr/lib/ipsec/plugins/libstrongswan-xauth.so -#usr/lib/ipsec/plugins/libstrongswan-xcbc.a -#usr/lib/ipsec/plugins/libstrongswan-xcbc.la +usr/lib/ipsec/plugins/libstrongswan-xauth-generic.so usr/lib/ipsec/plugins/libstrongswan-xcbc.so #usr/libexec/ipsec usr/libexec/ipsec/_copyright -usr/libexec/ipsec/_pluto_adns usr/libexec/ipsec/_updown usr/libexec/ipsec/_updown_espmark usr/libexec/ipsec/charon usr/libexec/ipsec/openac usr/libexec/ipsec/pki -usr/libexec/ipsec/pluto usr/libexec/ipsec/scepclient usr/libexec/ipsec/starter usr/libexec/ipsec/stroke -usr/libexec/ipsec/whack usr/sbin/ipsec -#usr/share/man/man3/anyaddr.3 -#usr/share/man/man3/atoaddr.3 -#usr/share/man/man3/atoasr.3 -#usr/share/man/man3/atoul.3 -#usr/share/man/man3/goodmask.3 -#usr/share/man/man3/initaddr.3 -#usr/share/man/man3/initsubnet.3 -#usr/share/man/man3/portof.3 -#usr/share/man/man3/rangetosubnet.3 -#usr/share/man/man3/sameaddr.3 -#usr/share/man/man3/subnetof.3 -#usr/share/man/man3/ttoaddr.3 -#usr/share/man/man3/ttodata.3 -#usr/share/man/man3/ttosa.3 -#usr/share/man/man3/ttoul.3 #usr/share/man/man5/ipsec.conf.5 #usr/share/man/man5/ipsec.secrets.5 #usr/share/man/man5/strongswan.conf.5 @@ -147,7 +76,4 @@ usr/sbin/ipsec #usr/share/man/man8/_updown_espmark.8 #usr/share/man/man8/ipsec.8 #usr/share/man/man8/openac.8 -#usr/share/man/man8/pluto.8 #usr/share/man/man8/scepclient.8 -etc/ipsec.user.conf -etc/ipsec.user.secrets 
diff --git a/lfs/strongswan b/lfs/strongswan index d0d533d11..3d220862d 100644 --- a/lfs/strongswan +++ b/lfs/strongswan @@ -24,7 +24,7 @@ include Config -VER = 4.6.4 +VER = 5.0.0 THISAPP = strongswan-$(VER) DL_FILE = $(THISAPP).tar.bz2 @@ -32,6 +32,12 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) +ifeq "$(MACHINE)" "i586" + PADLOCK = --enable-padlock +else + PADLOCK = --disable-padlock +endif + ############################################################################### # Top-level Rules ############################################################################### @@ -40,7 +46,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 4c0999c42faa0860ae0afc4f8efd9d04 +$(DL_FILE)_MD5 = c8b861305def7c0abae04f7bbefec212 install : $(TARGET) @@ -73,18 +79,19 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-4.5.3_ipfire.patch - # Customize the welcome banner. - sed -i $(DIR_APP)/src/pluto/modecfg.c \ - -e 's/^#define.*DEFAULT_UNITY_BANNER.*/#define DEFAULT_UNITY_BANNER "Welcome to IPFire - An Open Source Firewall Solution.\\n"/' - - cd $(DIR_APP) && ./configure --prefix="/usr" --sysconfdir="/etc" \ - --enable-cisco-quirks \ - --enable-curl \ - --enable-nat-transport + cd $(DIR_APP) && ./configure \ + --prefix="/usr" \ + --sysconfdir="/etc" \ + --enable-curl \ + --enable-openssl \ + $(PADLOCK) cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install + # Remove all library files we don't want or need. + rm -vf /usr/lib/ipsec/plugins/*.{,l}a + -rm -rfv /etc/rc*.d/*ipsec cd $(DIR_SRC) && cp src/initscripts/init.d/ipsec /etc/rc.d/init.d/ipsec rm -f /etc/ipsec.conf /etc/ipsec.secrets From ae2782ba1ffa3365719070c031ad59317c451f2f Mon Sep 17 00:00:00 2001 
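Review bot: The new cleanup step `rm -vf /usr/lib/ipsec/plugins/*.{,l}a` depends on brace expansion, which is a bash feature rather than POSIX sh; unless the included Config sets SHELL to bash (not visible here), make's default /bin/sh passes the literal pattern to rm and the `.a`/`.la` files stay installed, contradicting the rootfile in this same commit, which now lists only the `.so` plugins. Spelling out both globs is shell-agnostic: `rm -vf /usr/lib/ipsec/plugins/*.a /usr/lib/ipsec/plugins/*.la`. The unchanged context line still applies `strongswan-4.5.3_ipfire.patch` to the 5.0.0 tree; if that patch is still required, a one-line comment naming what it changes would save the next version bump from guessing, otherwise it should be dropped or renamed to match.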
From: Michael Tremer Date: Sun, 15 Jul 2012 15:34:59 +0200 Subject: [PATCH 02/13] Update VPN CGI scripts to work with strongswan 5.0.0. Pluto is not supported anymore, the following defaults have been changed: * AES 256 is enabled by default for IKE and ESP. * DH MODP group has been set to 2048. * Compression is enabled. * IKEv2 is default. Lots of code cleanup has been done as well. --- html/cgi-bin/vpnmain.cgi | 172 +++++++++++---------------------------- 1 file changed, 47 insertions(+), 125 deletions(-) diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 0fb7c930a..e8aab43b0 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -73,17 +73,9 @@ $cgiparams{'ENABLED'} = 'off'; $cgiparams{'EDIT_ADVANCED'} = 'off'; $cgiparams{'ACTION'} = ''; $cgiparams{'CA_NAME'} = ''; -$cgiparams{'DBG_CRYPT'} = ''; -$cgiparams{'DBG_PARSING'} = ''; -$cgiparams{'DBG_EMITTING'} = ''; -$cgiparams{'DBG_CONTROL'} = ''; -$cgiparams{'DBG_KLIPS'} = ''; -$cgiparams{'DBG_DNS'} = ''; -$cgiparams{'DBG_NAT_T'} = ''; $cgiparams{'KEY'} = ''; $cgiparams{'TYPE'} = ''; $cgiparams{'ADVANCED'} = ''; -$cgiparams{'INTERFACE'} = ''; $cgiparams{'NAME'} = ''; $cgiparams{'LOCAL_SUBNET'} = ''; $cgiparams{'REMOTE_SUBNET'} = ''; 
@@ -253,50 +245,8 @@ sub writeipsecfiles { flock CONF, 2; flock SECRETS, 2; print CONF "version 2\n\n"; - print CONF "config setup\n"; - #create an ipsec Interface for each 'enabled' ones - #loop trought configuration and add physical interfaces to the list - my $interfaces = "\tinterfaces=\""; - foreach my $key (keys %lconfighash) { - next if ($lconfighash{$key}[0] ne 'on'); - $interfaces .= "%defaultroute " if ($interfaces !~ /defaultroute/ && $lconfighash{$key}[26] eq 'RED'); - $interfaces .= "$netsettings{'GREEN_DEV'} " if ($interfaces !~ /ipsec1/ && $lconfighash{$key}[26] eq 'GREEN'); - $interfaces .= "$netsettings{'BLUE_DEV'} " if ($interfaces !~ /ipsec2/ && $lconfighash{$key}[26] eq 'BLUE'); - $interfaces .= "$netsettings{'ORANGE_DEV'} " if ($interfaces !~ /ipsec3/ && $lconfighash{$key}[26] eq 'ORANGE'); - } - print CONF $interfaces . "\"\n"; - - my $plutodebug = ''; # build debug list - map ($plutodebug .= $lvpnsettings{$_} eq 'on' ? lc (substr($_,4)).' ' : '', - ('DBG_CRYPT','DBG_PARSING','DBG_EMITTING','DBG_CONTROL', - 'DBG_DNS')); - $plutodebug = 'none' if $plutodebug eq ''; # if nothing selected, use 'none'. 
- #print CONF "\tklipsdebug=\"none\"\n"; - print CONF "\tplutodebug=\"$plutodebug\"\n"; - # deprecated in ipsec.conf version 2 - #print CONF "\tplutoload=%search\n"; - #print CONF "\tplutostart=%search\n"; - print CONF "\tuniqueids=yes\n"; - print CONF "\tnat_traversal=yes\n"; - print CONF "\toverridemtu=$lvpnsettings{'VPN_OVERRIDE_MTU'}\n" if ($lvpnsettings{'VPN_OVERRIDE_MTU'} ne ''); - print CONF "\tvirtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16"; - print CONF ",%v4:!$green_cidr"; - if (length($netsettings{'ORANGE_DEV'}) > 2) { - print CONF ",%v4:!$orange_cidr"; - } - if (length($netsettings{'BLUE_DEV'}) > 2) { - print CONF ",%v4:!$blue_cidr"; - } - foreach my $key (keys %lconfighash) { - if ($lconfighash{$key}[3] eq 'net') { - print CONF ",%v4:!$lconfighash{$key}[11]"; - } - } - print CONF "\n\n"; print CONF "conn %default\n"; print CONF "\tkeyingtries=0\n"; - #strongswan doesn't know this - #print CONF "\tdisablearrivalcheck=no\n"; print CONF "\n"; # Add user includes to config file @@ -329,7 +279,6 @@ sub writeipsecfiles { print CONF "conn $lconfighash{$key}[1]\n"; print CONF "\tleft=$localside\n"; - print CONF "\tleftnexthop=%defaultroute\n" if ($lconfighash{$key}[26] eq 'RED' && $lvpnsettings{'VPN_IP'} ne '%defaultroute'); my $cidr_net=&General::ipcidr($lconfighash{$key}[8]); print CONF "\tleftsubnet=$cidr_net\n"; print CONF "\tleftfirewall=yes\n"; @@ -339,7 +288,6 @@ sub writeipsecfiles { if ($lconfighash{$key}[3] eq 'net') { my $cidr_net=&General::ipcidr($lconfighash{$key}[11]); print CONF "\trightsubnet=$cidr_net\n"; - print CONF "\trightnexthop=%defaultroute\n"; } elsif ($lconfighash{$key}[10] eq '%any' && $lconfighash{$key}[14] eq 'on') { #vhost allowed for roadwarriors? print CONF "\trightsubnet=vhost:%no,%priv\n"; } 
@@ -354,6 +302,9 @@ sub writeipsecfiles { print CONF "\tleftid=\"$lconfighash{$key}[7]\"\n" if ($lconfighash{$key}[7]); print CONF "\trightid=\"$lconfighash{$key}[9]\"\n" if ($lconfighash{$key}[9]); + # Is PFS enabled? + my $pfs = $lconfighash{$key}[28] eq 'on' ? 'on' : 'off'; + # Algorithms if ($lconfighash{$key}[18] && $lconfighash{$key}[19] && $lconfighash{$key}[20]) { print CONF "\tike="; @@ -379,11 +330,20 @@ sub writeipsecfiles { print CONF "\tesp="; my @encs = split('\|', $lconfighash{$key}[21]); my @ints = split('\|', $lconfighash{$key}[22]); + my @groups = split('\|', $lconfighash{$key}[20]); my $comma = 0; foreach my $i (@encs) { foreach my $j (@ints) { - if ($comma != 0) { print CONF ","; } else { $comma = 1; } - print CONF "$i-$j"; + my $modp = ""; + foreach my $k (@groups) { + if ($comma != 0) { print CONF ","; } else { $comma = 1; } + if ($pfs eq "on") { + $modp = "-modp$k"; + } else { + $modp = ""; + } + print CONF "$i-$j$modp"; + } } } if ($lconfighash{$key}[24] eq 'on') { #only proposed algorythms? @@ -392,9 +352,6 @@ sub writeipsecfiles { print CONF "\n"; } } - if ($lconfighash{$key}[23]) { - print CONF "\tpfsgroup=$lconfighash{$key}[23]\n"; - } # IKE V1 or V2 if (! $lconfighash{$key}[29]) { @@ -414,9 +371,6 @@ sub writeipsecfiles { print CONF "\tdpdtimeout=120\n"; print CONF "\tdpdaction=$lconfighash{$key}[27]\n"; - # Disable pfs ? - print CONF "\tpfs=". ($lconfighash{$key}[28] eq 'on' ? "yes\n" : "no\n"); - # Build Authentication details: LEFTid RIGHTid : PSK psk my $psk_line; if ($lconfighash{$key}[4] eq 'psk') { @@ -450,6 +404,12 @@ sub writeipsecfiles { close(SECRETS); } +# Hook to regenerate the configuration files. +if ($ENV{"REMOTE_ADDR"} eq "") { + writeipsecfiles; + exit(0); +} + ### ### Save main settings ### 
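Review bot: With PFS off the new inner loop still iterates over `@groups`, so `"$i-$j"` is printed once per configured IKE group and the line comes out as e.g. `esp=aes256-sha1,aes256-sha1`, while an empty `$lconfighash{$key}[20]` yields a bare `esp=` in either mode. The group loop belongs inside the `$pfs eq "on"` branch, with a single `$i-$j` proposal otherwise (rewrite below); an empty group list should probably fall back to the no-group form as well. The groups now come from the IKE field [20] rather than [23], which the removed `pfsgroup` line used; if that is intended, the `ESP_GROUPTYPE` default further down is now unused and could say so.
```perl
foreach my $i (@encs) {
	foreach my $j (@ints) {
		if ($pfs eq "on" && @groups) {
			# PFS: one proposal per configured DH group.
			foreach my $k (@groups) {
				if ($comma != 0) { print CONF ","; } else { $comma = 1; }
				print CONF "$i-$j-modp$k";
			}
		} else {
			# No PFS (or no group configured): a single proposal without a group suffix.
			if ($comma != 0) { print CONF ","; } else { $comma = 1; }
			print CONF "$i-$j";
		}
	}
}
# … unchanged: ONLY_PROPOSED handling …
```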
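Review bot: The command-line hook `if ($ENV{"REMOTE_ADDR"} eq "")` decides whether to rewrite the IPsec configuration from one environment variable that is compared against undef (noisy under warnings) and that any caller can set or leave unset, so an invocation outside the web server that happens to inherit REMOTE_ADDR, or a server setup that does not export it, takes the wrong branch. Testing for the CGI environment itself is more explicit: `unless (defined $ENV{'GATEWAY_INTERFACE'}) { writeipsecfiles; exit(0); }`. The update script later in this series relies on this hook, so the chosen condition should be documented in the comment above it rather than left implicit.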
@@ -466,11 +426,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg goto SAVE_ERROR; } - unless ($cgiparams{'VPN_OVERRIDE_MTU'} =~ /^(|[0-9]{1,5})$/ ) { #allow 0-99999 - $errormessage = $Lang::tr{'vpn mtu invalid'}; - goto SAVE_ERROR; - } - unless ($cgiparams{'VPN_WATCH'} =~ /^(|off|on)$/ ) { $errormessage = $Lang::tr{'invalid input'}; goto SAVE_ERROR; @@ -481,13 +436,8 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg goto SAVE_ERROR; } - map ($vpnsettings{$_} = $cgiparams{$_}, - ('ENABLED','DBG_CRYPT','DBG_PARSING','DBG_EMITTING','DBG_CONTROL', - 'DBG_DNS')); - $vpnsettings{'VPN_IP'} = $cgiparams{'VPN_IP'}; $vpnsettings{'VPN_DELAYED_START'} = $cgiparams{'VPN_DELAYED_START'}; - $vpnsettings{'VPN_OVERRIDE_MTU'} = $cgiparams{'VPN_OVERRIDE_MTU'}; $vpnsettings{'VPN_WATCH'} = $cgiparams{'VPN_WATCH'}; $vpnsettings{'RW_NET'} = $cgiparams{'RW_NET'}; &General::writehash("${General::swroot}/vpn/settings", \%vpnsettings); @@ -1298,7 +1248,6 @@ END $cgiparams{'REMOTE'} = $confighash{$cgiparams{'KEY'}}[10]; $cgiparams{'REMOTE_SUBNET'} = $confighash{$cgiparams{'KEY'}}[11]; $cgiparams{'REMARK'} = $confighash{$cgiparams{'KEY'}}[25]; - $cgiparams{'INTERFACE'} = $confighash{$cgiparams{'KEY'}}[26]; $cgiparams{'DPD_ACTION'} = $confighash{$cgiparams{'KEY'}}[27]; $cgiparams{'IKE_VERSION'} = $confighash{$cgiparams{'KEY'}}[29]; $cgiparams{'IKE_ENCRYPTION'} = $confighash{$cgiparams{'KEY'}}[18]; @@ -1801,7 +1750,7 @@ END $confighash{$key}[9] = $cgiparams{'REMOTE_ID'}; $confighash{$key}[10] = $cgiparams{'REMOTE'}; $confighash{$key}[25] = $cgiparams{'REMARK'}; - $confighash{$key}[26] = $cgiparams{'INTERFACE'}; + $confighash{$key}[26] = ""; # Formerly INTERFACE $confighash{$key}[27] = $cgiparams{'DPD_ACTION'}; $confighash{$key}[29] = $cgiparams{'IKE_VERSION'}; 
@@ -1859,28 +1808,25 @@ END $cgiparams{'DPD_ACTION'} = 'restart'; } - # Default IKE Version to V1 - if (! $cgiparams{'IKE_VERSION'}) { - $cgiparams{'IKE_VERSION'} = 'ikev1'; + # Default IKE Version to v2 + if (!$cgiparams{'IKE_VERSION'}) { + $cgiparams{'IKE_VERSION'} = 'ikev2'; } - # Default is yes for 'pfs' - $cgiparams{'PFS'} = 'on'; - # ID are empty $cgiparams{'LOCAL_ID'} = ''; $cgiparams{'REMOTE_ID'} = ''; #use default advanced value - $cgiparams{'IKE_ENCRYPTION'} = 'aes128|3des'; #[18]; + $cgiparams{'IKE_ENCRYPTION'} = 'aes256|aes128|3des'; #[18]; $cgiparams{'IKE_INTEGRITY'} = 'sha|md5'; #[19]; - $cgiparams{'IKE_GROUPTYPE'} = '1536|1024'; #[20]; + $cgiparams{'IKE_GROUPTYPE'} = '2048'; #[20]; $cgiparams{'IKE_LIFETIME'} = '1'; #[16]; - $cgiparams{'ESP_ENCRYPTION'} = 'aes128|3des'; #[21]; + $cgiparams{'ESP_ENCRYPTION'} = 'aes256|aes128|3des'; #[21]; $cgiparams{'ESP_INTEGRITY'} = 'sha1|md5'; #[22]; $cgiparams{'ESP_GROUPTYPE'} = ''; #[23]; $cgiparams{'ESP_KEYLIFE'} = '8'; #[17]; - $cgiparams{'COMPRESSION'} = 'off'; #[13]; + $cgiparams{'COMPRESSION'} = 'on'; #[13]; $cgiparams{'ONLY_PROPOSED'} = 'off'; #[24]; $cgiparams{'PFS'} = 'on'; #[28]; $cgiparams{'VHOST'} = 'on'; #[14]; @@ -1903,12 +1849,6 @@ END $checked{'AUTH'}{'auth-dn'} = ''; $checked{'AUTH'}{$cgiparams{'AUTH'}} = "checked='checked'"; - $selected{'INTERFACE'}{'RED'} = ''; - $selected{'INTERFACE'}{'ORANGE'} = ''; - $selected{'INTERFACE'}{'GREEN'} = ''; - $selected{'INTERFACE'}{'BLUE'} = ''; - $selected{'INTERFACE'}{$cgiparams{'INTERFACE'}} = "selected='selected'"; - $selected{'DPD_ACTION'}{'clear'} = ''; $selected{'DPD_ACTION'}{'hold'} = ''; $selected{'DPD_ACTION'}{'restart'} = ''; @@ -1975,22 +1915,24 @@ END $blob = "*"; }; - print "$Lang::tr{'host ip'}:"; - print ""; print < $Lang::tr{'remote host/ip'}: $blob - - - $Lang::tr{'local subnet'} - + + + $Lang::tr{'remote subnet'} - - + + + + + + $Lang::tr{'local subnet'} + + + + + $Lang::tr{'vpn local id'}:
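Review bot: The revised defaults still carry `md5` in both `IKE_INTEGRITY` and `ESP_INTEGRITY` and `3des` in both encryption lists, so a freshly created connection proposes them next to aes256 and modp2048 and a peer may pick them; since this hunk is already moving the defaults toward stronger algorithms, dropping the legacy entries from the defaults while leaving them selectable in the form would be consistent, e.g. `$cgiparams{'IKE_INTEGRITY'} = 'sha'; #[19];` and `$cgiparams{'ESP_INTEGRITY'} = 'sha1'; #[22];`. `COMPRESSION` now defaults to `on` without a stated reason; a short comment on why compression is proposed by default (and that a peer may decline it) would help whoever revisits these values.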
($Lang::tr{'eg'} @xy.example.com) $Lang::tr{'vpn remote id'}: @@ -1999,22 +1941,18 @@ END
$Lang::tr{'vpn keyexchange'}: + + $Lang::tr{'dpd action'}:   ? + - $Lang::tr{'remark title'} * @@ -2448,10 +2386,7 @@ EOF $cgiparams{'VPN_DELAYED_START'} = 0 if (! defined ($cgiparams{'VPN_DELAYED_START'})); $checked{'VPN_WATCH'} = $cgiparams{'VPN_WATCH'} eq 'on' ? "checked='checked'" : '' ; - map ($checked{$_} = $cgiparams{$_} eq 'on' ? "checked='checked'" : '', - ('ENABLED','DBG_CRYPT','DBG_PARSING','DBG_EMITTING','DBG_CONTROL', - 'DBG_DNS')); - + $checked{'ENABLED'} = $cgiparams{'ENABLED'} eq 'on' ? "checked='checked'" : ''; &Header::showhttpheaders(); &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); @@ -2473,13 +2408,6 @@ EOF $Lang::tr{'enabled'} -END - ; - print < - $Lang::tr{'override mtu'}: * - - END ; print <

$Lang::tr{'vpn watch'}:

-

PLUTO DEBUG = -crypt:,  -parsing:,  -emitting:,  -control:,  -dns: 


From 3b24acd0f33b4f803088929e5accc716e663c46f Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Sun, 15 Jul 2012 15:43:25 +0200 Subject: [PATCH 03/13] Create an strongswan update for preview. --- config/rootfiles/core/strongswan/exclude | 12 +++ .../rootfiles/core/strongswan/filelists/files | 2 + .../core/strongswan/filelists/strongswan | 1 + config/rootfiles/core/strongswan/meta | 1 + config/rootfiles/core/strongswan/update.sh | 88 +++++++++++++++++++ 5 files changed, 104 insertions(+) create mode 100644 config/rootfiles/core/strongswan/exclude create mode 100644 config/rootfiles/core/strongswan/filelists/files create mode 120000 config/rootfiles/core/strongswan/filelists/strongswan create mode 100644 config/rootfiles/core/strongswan/meta create mode 100644 config/rootfiles/core/strongswan/update.sh diff --git a/config/rootfiles/core/strongswan/exclude b/config/rootfiles/core/strongswan/exclude new file mode 100644 index 000000000..7360266bd --- /dev/null +++ b/config/rootfiles/core/strongswan/exclude @@ -0,0 +1,12 @@ +srv/web/ipfire/html/proxy.pac +etc/udev/rules.d/30-persistent-network.rules +etc/ipsec.conf +etc/ipsec.secrets +etc/ipsec.user.conf +etc/ipsec.user.secrets +var/updatecache +etc/localtime +var/ipfire/ovpn +etc/ssh/ssh_config +etc/ssh/sshd_config +etc/ssl/openssl.cnf diff --git a/config/rootfiles/core/strongswan/filelists/files b/config/rootfiles/core/strongswan/filelists/files new file mode 100644 index 000000000..409e5fe8a --- /dev/null +++ b/config/rootfiles/core/strongswan/filelists/files @@ -0,0 +1,2 @@ +etc/system-release +etc/issue diff --git a/config/rootfiles/core/strongswan/filelists/strongswan b/config/rootfiles/core/strongswan/filelists/strongswan new file mode 120000 index 000000000..90c727e26 --- /dev/null +++ b/config/rootfiles/core/strongswan/filelists/strongswan @@ -0,0 +1 @@ +../../../common/strongswan \ No newline at end of file 
diff --git a/config/rootfiles/core/strongswan/meta b/config/rootfiles/core/strongswan/meta new file mode 100644 index 000000000..d547fa86f --- /dev/null +++ b/config/rootfiles/core/strongswan/meta @@ -0,0 +1 @@ +DEPS="" diff --git a/config/rootfiles/core/strongswan/update.sh b/config/rootfiles/core/strongswan/update.sh new file mode 100644 index 000000000..3a020d019 --- /dev/null +++ b/config/rootfiles/core/strongswan/update.sh 
@@ -0,0 +1,88 @@ +#!/bin/bash +############################################################################ +# # +# This file is part of the IPFire Firewall. # +# # +# IPFire is free software; you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation; either version 3 of the License, or # +# (at your option) any later version. # +# # +# IPFire is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with IPFire; if not, write to the Free Software # +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # +# # +# Copyright (C) 2012 IPFire-Team . # +# # +############################################################################ +# +. /opt/pakfire/lib/functions.sh +/usr/local/bin/backupctrl exclude >/dev/null 2>&1 + +# +# Remove old core updates from pakfire cache to save space... +core=61 +for (( i=1; i<=$core; i++ )) +do + rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire +done + +# +#Stop services +ipsec stop + +# +#Extract files +extract_files + +# Remove old pluto binaries. +rm -f /usr/libexec/ipsec/{pluto,_pluto_adns,whack} + +# +#Start services + +# Call the CGI script to regenerate the configuration files. 
+/srv/web/ipfire/cgi-bin/vpnmain.cgi +ipsec start + +# +#Update Language cache +perl -e "require '/var/ipfire/lang.pl'; &Lang::BuildCacheLang" + +#Rebuild module dep's +#arch=`uname -m` +#if [ ${arch::3} == "arm" ]; then +# depmod -a 2.6.32.45-ipfire-versatile >/dev/null 2>&1 +# depmod -a 2.6.32.45-ipfire-kirkwood >/dev/null 2>&1 +#else +# depmod -a 2.6.32.45-ipfire >/dev/null 2>&1 +# depmod -a 2.6.32.45-ipfire-pae >/dev/null 2>&1 +# depmod -a 2.6.32.45-ipfire-xen >/dev/null 2>&1 +#fi + + +#Rebuild initrd's because some compat-wireless modules are inside +#/sbin/dracut --force --verbose /boot/ipfirerd-2.6.32.45.img 2.6.32.45-ipfire +#if [ -e /boot/ipfirerd-2.6.32.45-pae.img ]; then +#/sbin/dracut --force --verbose /boot/ipfirerd-2.6.32.45-pae.img 2.6.32.45-ipfire-pae +#fi +#if [ -e /boot/ipfirerd-2.6.32.45-xen.img ]; then +#/sbin/dracut --force --verbose /boot/ipfirerd-2.6.32.45-xen.img 2.6.32.45-ipfire-xen +#fi + +sync + +# This update need a reboot... +#touch /var/run/need_reboot + +# +#Finish +/etc/init.d/fireinfo start +sendprofile +#Don't report the exitcode last command +exit 0 From b871af81ed08222d92d98a8e7576b3f7386d5e92 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Sun, 15 Jul 2012 15:44:17 +0200 Subject: [PATCH 04/13] Disable vpn-watch. --- config/rootfiles/core/strongswan/filelists/files | 1 + src/scripts/vpn-watch | 5 +++++ 2 files changed, 6 insertions(+) diff --git a/config/rootfiles/core/strongswan/filelists/files b/config/rootfiles/core/strongswan/filelists/files index 409e5fe8a..8df0b5d0b 100644 --- a/config/rootfiles/core/strongswan/filelists/files +++ b/config/rootfiles/core/strongswan/filelists/files @@ -1,2 +1,3 @@ etc/system-release etc/issue +usr/local/bin/vpn-watch diff --git a/src/scripts/vpn-watch b/src/scripts/vpn-watch index 7eae873ce..c32dc3c06 100755 --- a/src/scripts/vpn-watch +++ b/src/scripts/vpn-watch 
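Review bot: The regeneration call `/srv/web/ipfire/cgi-bin/vpnmain.cgi` only takes the non-interactive path when REMOTE_ADDR is empty in its environment (that is how the CGI tells the two modes apart in this series), so the script should make that explicit instead of inheriting whatever pakfire's environment holds: `env -u REMOTE_ADDR /srv/web/ipfire/cgi-bin/vpnmain.cgi`. Neither that call nor `ipsec stop`/`ipsec start` is checked, and `exit 0` is forced at the end, so a failed regeneration leaves the host on 5.0.0 with a stale or missing ipsec.conf and nothing in the update output; at least `|| echo "vpnmain.cgi failed to regenerate ipsec config" >&2` on the CGI line is worth having. The commented-out depmod/dracut blocks and the `core=61` cache sweep appear to be carried over from an earlier core update and could be dropped from a standalone package update.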
@@ -7,6 +7,11 @@ # # ################################################## +# XXX The vpn-watch daemon is disabled, because +# apparently, it is not needed anymore after +# strongswan has abandoned pluto. +exit(0); + use strict; require '/var/ipfire/general-functions.pl'; From 70e8a248c7d446655965f8e12868ed0c1e3c167c Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Sun, 15 Jul 2012 21:04:05 +0200 Subject: [PATCH 05/13] strongswan: Fix running check in services.cgi. Pluto does not exist anymore. Check for charon. --- html/cgi-bin/services.cgi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/html/cgi-bin/services.cgi b/html/cgi-bin/services.cgi index 55740cf26..58d0a1dbc 100644 --- a/html/cgi-bin/services.cgi +++ b/html/cgi-bin/services.cgi @@ -54,7 +54,7 @@ my %servicenames =( $Lang::tr{'kernel logging server'} => 'klogd', $Lang::tr{'ntp server'} => 'ntpd', $Lang::tr{'secure shell server'} => 'sshd', - $Lang::tr{'vpn'} => 'pluto', + $Lang::tr{'vpn'} => 'charon', $Lang::tr{'web proxy'} => 'squid', 'OpenVPN' => 'openvpn' ); From 9d60c9fd3d750da3c762811b30f7c23eb51a32da Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Sun, 15 Jul 2012 21:04:38 +0200 Subject: [PATCH 06/13] initscripts: Don't create tmp dirs for pluto anymore. --- src/initscripts/init.d/tmpfs | 4 ---- 1 file changed, 4 deletions(-) diff --git a/src/initscripts/init.d/tmpfs b/src/initscripts/init.d/tmpfs index 0e5a1e1e4..848dec6ad 100644 --- a/src/initscripts/init.d/tmpfs +++ b/src/initscripts/init.d/tmpfs @@ -43,10 +43,6 @@ case "$1" in mkdir -p /var/run/mysql chown mysql:mysql /var/run/mysql fi - if [ ! -e /var/run/pluto ]; then - mkdir -p /var/run/pluto - chmod 700 /var/run/pluto - fi if [ ! -e /var/run/saslauthd ]; then mkdir -p /var/run/saslauthd fi From 9f0b5c9f4dc586433c8664074fcc46cefda0f666 Mon Sep 17 00:00:00 2001 
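Review bot: The early `exit(0);` makes vpn-watch a no-op, but the script keeps shipping (it is added to filelists/files in this same series) and vpnmain.cgi still validates and stores a `VPN_WATCH` setting, so an administrator can enable a watchdog that silently does nothing. Either hide the option in vpnmain.cgi alongside this change, or have the script say so when it is started, `print STDERR "vpn-watch is disabled\n";` before the `exit(0);`, so the state is visible in the logs.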
From: Michael Tremer Date: Thu, 19 Jul 2012 16:46:00 +0200 Subject: [PATCH 07/13] ipsec: Improve connection reloading. As pluto is no longer present, there is a lot to clean up. The connection rename hack is no longer needed and the whole ipsec stack can be controlled with the "ipsec" command. --- .../rootfiles/core/strongswan/filelists/files | 1 + src/misc-progs/ipsecctrl.c | 221 ++++++------------ 2 files changed, 70 insertions(+), 152 deletions(-) diff --git a/config/rootfiles/core/strongswan/filelists/files b/config/rootfiles/core/strongswan/filelists/files index 8df0b5d0b..bf3185e83 100644 --- a/config/rootfiles/core/strongswan/filelists/files +++ b/config/rootfiles/core/strongswan/filelists/files @@ -1,3 +1,4 @@ etc/system-release etc/issue +usr/local/bin/ipsecctrl usr/local/bin/vpn-watch diff --git a/src/misc-progs/ipsecctrl.c b/src/misc-progs/ipsecctrl.c index 0b0517713..65a96e01c 100644 --- a/src/misc-progs/ipsecctrl.c +++ b/src/misc-progs/ipsecctrl.c @@ -78,7 +78,6 @@ void ipsec_norules() { safe_system("/sbin/iptables -F IPSECINPUT"); safe_system("/sbin/iptables -F IPSECFORWARD"); safe_system("/sbin/iptables -F IPSECOUTPUT"); - } /* @@ -87,8 +86,7 @@ void ipsec_norules() { int decode_line (char *s, char **key, char **name, - char **type, - char **interface + char **type ) { int count = 0; *key = NULL; @@ -108,8 +106,6 @@ int decode_line (char *s, *name = result; if (count == 4) *type = result; - if (count == 27) - *interface = result; count++; result = strsep(&s, ","); } @@ -128,11 +124,6 @@ int decode_line (char *s, return 0; } - if (! (strcmp(*interface, "RED") == 0 || strcmp(*interface, "GREEN") == 0 || - strcmp(*interface, "ORANGE") == 0 || strcmp(*interface, "BLUE") == 0)) { - fprintf(stderr, "Bad interface name: %s\n", *interface); - return 0; - } //it's a valid & active line return 1; } 
@@ -140,69 +131,48 @@ int decode_line (char *s, /* issue ipsec commmands to turn on connection 'name' */ -void turn_connection_on (char *name, char *type) { -/* - Rename the connection and run ipsec update and rename it back to readd - a deleted connection. Because ipsec update ignores connection that have - not changed since last load. -*/ +void turn_connection_on(char *name, char *type) { + /* + * To bring up a connection, we need to reload the configuration + * and issue ipsec up afterwards. To make sure the connection + * is not established from the start, we bring it down in advance. + */ char command[STRING_SIZE]; - memset(command, 0, STRING_SIZE); + + // Bring down the connection (if established). snprintf(command, STRING_SIZE - 1, - "sed -i -e 's|^conn %s$|conn %s-renamed|g' /var/ipfire/vpn/ipsec.conf >/dev/null", name, name); + "/usr/sbin/ipsec down %s >/dev/null", name); safe_system(command); - // Down and delete IKEv2 Tunnel before ipsec update - snprintf(command, STRING_SIZE - 1, - "/usr/sbin/ipsec stroke down %s >/dev/null", name); - safe_system(command); - snprintf(command, STRING_SIZE - 1, - "/usr/sbin/ipsec stroke delete %s >/dev/null", name); - safe_system(command); + // Reload the configuration into the daemon. + safe_system("/usr/sbin/ipsec reload >/dev/null 2>&1"); - safe_system("/etc/rc.d/init.d/ipsec update >/dev/null"); - - sleep(1); - - // Back to original name - snprintf(command, STRING_SIZE - 1, - "sed -i -e 's|^conn %s-renamed$|conn %s|g' /var/ipfire/vpn/ipsec.conf >/dev/null", name, name); - safe_system(command); - - // Down and delete IKEv2 Tunnel before ipsec update - snprintf(command, STRING_SIZE - 1, - "/usr/sbin/ipsec stroke down %s-renamed >/dev/null", name); - safe_system(command); - snprintf(command, STRING_SIZE - 1, - "/usr/sbin/ipsec stroke delete %s-renamed >/dev/null", name); - safe_system(command); - - safe_system("/etc/rc.d/init.d/ipsec update >/dev/null"); + // Bring the connection up again. 
+ snprintf(command, STRING_SIZE - 1, + "/usr/sbin/ipsec up %s >/dev/null", name); + safe_system(command); } + /* issue ipsec commmands to turn off connection 'name' */ void turn_connection_off (char *name) { + /* + * To turn off a connection, all SAs must be turned down. + * After that, the configuration must be reloaded. + */ char command[STRING_SIZE]; - memset(command, 0, STRING_SIZE); + + // Bring down the connection. snprintf(command, STRING_SIZE - 1, - "/usr/sbin/ipsec whack --delete --name %s >/dev/null", name); - safe_system(command); - snprintf(command, STRING_SIZE - 1, - "/usr/sbin/ipsec stroke down %s >/dev/null", name); - safe_system(command); - snprintf(command, STRING_SIZE - 1, - "/usr/sbin/ipsec stroke delete %s >/dev/null", name); + "/usr/sbin/ipsec down %s >/dev/null", name); safe_system(command); - safe_system("/usr/sbin/ipsec whack --rereadall >/dev/null"); - safe_system("/usr/sbin/ipsec stroke rereadall >/dev/null"); - + // Reload, so the connection is dropped. + safe_system("/usr/sbin/ipsec reload >/dev/null 2>&1"); } - int main(int argc, char *argv[]) { - char configtype[STRING_SIZE]; char redtype[STRING_SIZE] = ""; struct keyvalue *kv = NULL; @@ -218,26 +188,15 @@ int main(int argc, char *argv[]) { if (strcmp(argv[1], "I") == 0) { - safe_system("/usr/sbin/ipsec whack --status"); - safe_system("/usr/sbin/ipsec stroke status"); + safe_system("/usr/sbin/ipsec status"); exit(0); } if (strcmp(argv[1], "R") == 0) { - safe_system("/usr/sbin/ipsec whack --rereadall >/dev/null"); - safe_system("/usr/sbin/ipsec stroke rereadall >/dev/null"); + safe_system("/usr/sbin/ipsec reload >/dev/null 2>&1"); exit(0); } - /* Get vpnwatch pid */ - - - if ((argc == 2) && (file = fopen("/var/run/vpn-watch.pid", "r"))) { - safe_system("kill -9 $(cat /var/run/vpn-watch.pid)"); - safe_system("unlink /var/run/vpn-watch.pid"); - close(file); - } - /* FIXME: workaround for pclose() issue - still no real idea why * this is happening */ signal(SIGCHLD, SIG_DFL); 
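Review bot: `name` is still interpolated into a shell command line (`/usr/sbin/ipsec down %s`, `/usr/sbin/ipsec up %s`) and handed to safe_system() in both turn_connection_on() and turn_connection_off(), so any shell metacharacter in a connection name read from the vpn config file becomes part of the command; the old sed-based code had the same exposure, but this rewrite is the natural place to close it, and a privileged helper (whether ipsecctrl is installed setuid is not visible here) is the worst place to leave it. Either decode_line() should reject names outside a conservative character set (its existing checks before `return 1;` are outside the hunk and may already do so), or the three call sites should fork/exec `/usr/sbin/ipsec` with an argv instead of a command string. Smaller points: `snprintf(command, STRING_SIZE - 1, ...)` can pass `sizeof command`, since snprintf always NUL-terminates, and the `ipsec down` lines redirect only stdout while `ipsec reload` uses `>/dev/null 2>&1`, so stderr from `down` on a not-yet-established connection may surface in the caller's output.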
@@ -245,16 +204,10 @@ int main(int argc, char *argv[]) {
 /* handle operations that doesn't need start the ipsec system */
 if (argc == 2) {
 if (strcmp(argv[1], "D") == 0) {
- /* Only shutdown pluto if it really is running */
- /* Get pluto pid */
- if (file = fopen("/var/run/pluto.pid", "r")) {
- safe_system("/etc/rc.d/init.d/ipsec stop 2> /dev/null >/dev/null");
- close(file);
- }
+ safe_system("/usr/sbin/ipsec stop >/dev/null 2>&1");
 ipsec_norules();
 exit(0);
 }
- }
 /* read vpn config */
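Review bot: The removed `- }` just before `/* read vpn config */` appears to be the brace closing `if (argc == 2) {`, whose opening line stays as context; unless that brace was a stray one, the new side leaves the block open, so please confirm this compiles as shown. The now-unconditional `ipsec stop` is fine, but `ipsec_norules()` runs even if the stop failed; a comment such as `// Stop the daemon (harmless if it is not running) and drop the firewall rules.` would record that this is intended. `main` starts before this hunk and continues after it.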
@@ -300,97 +253,69 @@ int main(int argc, char *argv[]) { char if_blue[STRING_SIZE] = ""; char s[STRING_SIZE]; - if (!(file = fopen(CONFIG_ROOT "/vpn/config", "r"))) { - fprintf(stderr, "Couldn't open vpn settings file"); - exit(1); + // when RED is up, find interface name in special file + FILE *ifacefile = NULL; + if ((ifacefile = fopen(CONFIG_ROOT "/red/iface", "r"))) { + if (fgets(if_red, STRING_SIZE, ifacefile)) { + if (if_red[strlen(if_red) - 1] == '\n') + if_red[strlen(if_red) - 1] = '\0'; + } + fclose (ifacefile); + + if (VALID_DEVICE(if_red)) + enable_red++; } - while (fgets(s, STRING_SIZE, file) != NULL) { - char *key; - char *name; - char *type; - char *interface; - if (!decode_line(s,&key,&name,&type,&interface)) - continue; - /* search interface */ - if (!enable_red && strcmp (interface, "RED") == 0) { - // when RED is up, find interface name in special file - FILE *ifacefile = NULL; - if ((ifacefile = fopen(CONFIG_ROOT "/red/iface", "r"))) { - if (fgets(if_red, STRING_SIZE, ifacefile)) { - if (if_red[strlen(if_red) - 1] == '\n') - if_red[strlen(if_red) - 1] = '\0'; - } - fclose (ifacefile); - if (VALID_DEVICE(if_red)) - enable_red+=2; // present and running - } - } + // Check if GREEN is enabled. + findkey(kv, "GREEN_DEV", if_green); + if (VALID_DEVICE(if_green)) + enable_green++; + else + fprintf(stderr, "IPSec enabled on green but green interface is invalid or not found\n"); - if (!enable_green && strcmp (interface, "GREEN") == 0) { - enable_green = 1; - findkey(kv, "GREEN_DEV", if_green); - if (VALID_DEVICE(if_green)) - enable_green++; - else - fprintf(stderr, "IPSec enabled on green but green interface is invalid or not found\n"); - } + // Check if ORANGE is enabled. 
+ findkey(kv, "ORANGE_DEV", if_orange); + if (VALID_DEVICE(if_orange)) + enable_orange++; + else + fprintf(stderr, "IPSec enabled on orange but orange interface is invalid or not found\n"); - if (!enable_orange && strcmp (interface, "ORANGE") == 0) { - enable_orange = 1; - findkey(kv, "ORANGE_DEV", if_orange); - if (VALID_DEVICE(if_orange)) - enable_orange++; - else - fprintf(stderr, "IPSec enabled on orange but orange interface is invalid or not found\n"); - } + // Check if BLUE is enabled. + findkey(kv, "BLUE_DEV", if_blue); + if (VALID_DEVICE(if_blue)) + enable_blue++; + else + fprintf(stderr, "IPSec enabled on blue but blue interface is invalid or not found\n"); - if (!enable_blue && strcmp (interface, "BLUE") == 0) { - enable_blue++; - findkey(kv, "BLUE_DEV", if_blue); - if (VALID_DEVICE(if_blue)) - enable_blue++; - else - fprintf(stderr, "IPSec enabled on blue but blue interface is invalid or not found\n"); - - } - } - fclose(file); freekeyvalues(kv); - // do nothing if something is in error condition - if ((enable_red==1) || (enable_green==1) || (enable_orange==1) || (enable_blue==1) ) - exit(1); - // exit if nothing to do - if ( (enable_red+enable_green+enable_orange+enable_blue) == 0 ) + if ((enable_red+enable_green+enable_orange+enable_blue) == 0) exit(0); // open needed ports - // todo: read a nat_t indicator to allow or not openning UDP/4500 - if (enable_red==2) + if (enable_red > 0) open_physical(if_red, 4500); - if (enable_green==2) + if (enable_green > 0) open_physical(if_green, 4500); - if (enable_orange==2) + if (enable_orange > 0) open_physical(if_orange, 4500); - if (enable_blue==2) + if (enable_blue > 0) open_physical(if_blue, 4500); // start the system if ((argc == 2) && strcmp(argv[1], "S") == 0) { - safe_system("/etc/rc.d/init.d/ipsec restart >/dev/null"); - safe_system("/usr/local/bin/vpn-watch &"); + safe_system("/usr/sbin/ipsec restart >/dev/null"); exit(0); } // it is a selective start or stop // second param is only a number 'key' if 
((argc == 2) || strspn(argv[2], NUMBERS) != strlen(argv[2])) { - fprintf(stderr, "Bad arg\n"); + fprintf(stderr, "Bad arg: %s\n", argv[2]); usage(); exit(1); } @@ -404,26 +329,17 @@ int main(int argc, char *argv[]) { char *key; char *name; char *type; - char *interface; - if (!decode_line(s,&key,&name,&type,&interface)) + if (!decode_line(s,&key,&name,&type)) continue; - // start/stop a vpn if belonging to specified interface - if (strcmp(argv[1], interface) == 0 ) { - if (strcmp(argv[2], "0")==0) - turn_connection_off (name); - else - turn_connection_on (name, type); - continue; - } // is it the 'key' requested ? if (strcmp(argv[2], key) != 0) continue; + // Start or Delete this Connection if (strcmp(argv[1], "S") == 0) turn_connection_on (name, type); - else - if (strcmp(argv[1], "D") == 0) + else if (strcmp(argv[1], "D") == 0) turn_connection_off (name); else { fprintf(stderr, "Bad command\n"); @@ -431,5 +347,6 @@ int main(int argc, char *argv[]) { } } fclose(file); + return 0; } From e6a97a0ca27877bb6396c120a7ab6ec4187dac85 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Thu, 19 Jul 2012 16:51:50 +0200 Subject: [PATCH 08/13] Remove vpn-watch. --- config/rootfiles/common/stage2 | 1 - .../rootfiles/core/strongswan/filelists/files | 1 - config/rootfiles/core/strongswan/update.sh | 5 +- src/scripts/vpn-watch | 88 ------------------- 4 files changed, 3 insertions(+), 92 deletions(-) delete mode 100755 src/scripts/vpn-watch diff --git a/config/rootfiles/common/stage2 b/config/rootfiles/common/stage2 index 989614275..e59763fd4 100644 --- a/config/rootfiles/common/stage2 +++ b/config/rootfiles/common/stage2 @@ -75,7 +75,6 @@ usr/local/bin/setddns.pl usr/local/bin/settime usr/local/bin/timecheck #usr/local/bin/uname -usr/local/bin/vpn-watch #usr/local/include #usr/local/lib #usr/local/sbin diff --git a/config/rootfiles/core/strongswan/filelists/files b/config/rootfiles/core/strongswan/filelists/files index bf3185e83..b2d3df765 100644 
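Review bot: The new `fprintf(stderr, "Bad arg: %s\n", argv[2]);` is reached when `argc == 2`, in which case `argv[2]` is the NULL that terminates argv, and passing NULL to `%s` is undefined behaviour; e.g. `fprintf(stderr, "Bad arg: %s\n", argc > 2 ? argv[2] : "(missing)");`. Separately, the GREEN/ORANGE/BLUE checks now run unconditionally, so a system without an ORANGE or BLUE device prints `IPSec enabled on orange but orange interface is invalid or not found` on every start although nothing is enabled on that interface, because the per-connection interface check that made the wording true was removed; either guard the message on a non-empty `*_DEV` value or reword it to say the interface is simply absent. `main` starts before this hunk and continues after it.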
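Review bot: The `Bad command` check on `argv[1]` sits inside the per-line loop, so an unknown command is reported only after a line whose key matches `argv[2]` has been read, and not at all when no key matches; validating `argv[1]` against `S`/`D` once before the config file is opened would report it consistently and reduce the loop body to the S/D dispatch. The loop and `main` start before this hunk and continue after it.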
--- a/config/rootfiles/core/strongswan/filelists/files +++ b/config/rootfiles/core/strongswan/filelists/files @@ -1,4 +1,3 @@ etc/system-release etc/issue usr/local/bin/ipsecctrl -usr/local/bin/vpn-watch diff --git a/config/rootfiles/core/strongswan/update.sh b/config/rootfiles/core/strongswan/update.sh index 3a020d019..7ef3f2fe7 100644 --- a/config/rootfiles/core/strongswan/update.sh +++ b/config/rootfiles/core/strongswan/update.sh @@ -34,7 +34,7 @@ done # #Stop services -ipsec stop +ipsecctrl D # #Extract files @@ -42,13 +42,14 @@ extract_files # Remove old pluto binaries. rm -f /usr/libexec/ipsec/{pluto,_pluto_adns,whack} +rm -f /usr/local/bin/vpn-watch # #Start services # Call the CGI script to regenerate the configuration files. /srv/web/ipfire/cgi-bin/vpnmain.cgi -ipsec start +ipsecctrl S # #Update Language cache diff --git a/src/scripts/vpn-watch b/src/scripts/vpn-watch deleted file mode 100755 index c32dc3c06..000000000 --- a/src/scripts/vpn-watch +++ /dev/null 
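Review bot: `rm -f /usr/local/bin/vpn-watch` removes the script but neither terminates an instance that may still be running from before the update nor removes its pid file, and the kill-on-start logic in `ipsecctrl` that used to take care of that is dropped in the first patch of this series; terminating any running instance and adding `rm -f /var/run/vpn-watch.pid` (the file the deleted script writes) next to the `rm -f` would leave a clean state. The surrounding script continues outside this hunk.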
@@ -1,88 +0,0 @@ -#!/usr/bin/perl -################################################## -##### VPN-Watch.pl Version 0.7 ##### -################################################## -# # -# VPN-Watch is part of the IPFire Firewall # -# # -################################################## - -# XXX The vpn-watch daemon is disabled, because -# apparently, it is not needed anymore after -# strongswan has abandoned pluto. -exit(0); - -use strict; - -require '/var/ipfire/general-functions.pl'; -my @vpnsettings; -my $i = 0; -my $file = "/var/run/vpn-watch.pid"; -my $debug = 0; - -if ( -e $file ){ - logger("There my be another vpn-watch runnning because $file exists, vpn-watch will try kill the process."); - open(FILE, "<$file"); - my $PID = ; - close(FILE); - system("kill -9 $PID"); - } - -system("echo $$ > $file"); -my $round=0; -while ( $i == 0){ - if ($debug){logger("We will wait 60 seconds before next action.");} - sleep(60); - - $round++; - - # Reset roundcounter after 10 min. To do established check. 
- if ($round > 9) { $round=0; } - - if (open(FILE, "<${General::swroot}/vpn/config")) { @vpnsettings = ; - close(FILE); - unless(@vpnsettings) {exit 1;} - } - -my $status = `ipsec status`; -foreach (@vpnsettings){ - my @settings = split(/,/,$_); - - chomp($settings[30]); - if ($settings[27] ne 'RED'){next;} - if ($settings[4] ne 'net'){next;} - if ($settings[1] ne 'on'){next;}chomp($settings[29]); - if ($settings[29] ne 'on'){next;} - - my $remotehostname = $settings[11]; - - if ($debug){logger("Checking connection to $remotehostname.");} - - my $remoteip = `/usr/bin/ping -c 1 $remotehostname 2>/dev/null | head -n1 | awk '{print \$3}' | tr -d '()' | tr -d ':'`;chomp($remoteip); - if ($remoteip eq ""){next;if ($debug){logger("Unable to resolve $remotehostname.");}} - my $ipmatch= `echo "$status" | grep '$remoteip' | grep '$settings[2]'`; - my $established= `echo "$status" | grep '$settings[2]' | grep -e 'erouted;' -e 'INSTALLED'`; - my $known= `echo "$status" | grep '$settings[2]'`; - - if ( $ipmatch eq '' && $known ne '' ){ - logger("Remote IP for host $remotehostname($remoteip) has changed, restarting ipsec."); - system("/usr/local/bin/ipsecctrl S $settings[0]"); - $round=0; - } - - if ($debug){logger("Round=".$round." and established=".$established);} - - if ( ($round == 0) && ($established eq '')) { - logger("Connection to $remotehostname($remoteip) not erouted, restarting ipsec."); - system("/usr/local/bin/ipsecctrl S $settings[0]"); - $round=0; - - } - } - if ($debug){logger("All connections may be fine nothing was done.");} -} - -sub logger { - my $log = shift; - system("logger -t vpnwatch \"$log\""); -} From 7916a3bef82e2bb2ff4601c3f851e19bd762f70d Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Thu, 19 Jul 2012 16:54:05 +0200 Subject: [PATCH 09/13] vpnmain.cgi: Reflect recent changes: vpn-watch removed. --- html/cgi-bin/vpnmain.cgi | 31 ++++++++++++++----------------- 1 file changed, 14 insertions(+), 17 deletions(-) 
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index e8aab43b0..831ef93bf 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -246,7 +246,7 @@ sub writeipsecfiles { flock SECRETS, 2; print CONF "version 2\n\n"; print CONF "conn %default\n"; - print CONF "\tkeyingtries=0\n"; + print CONF "\tkeyingtries=%forever\n"; print CONF "\n"; # Add user includes to config file @@ -335,14 +335,19 @@ sub writeipsecfiles { foreach my $i (@encs) { foreach my $j (@ints) { my $modp = ""; - foreach my $k (@groups) { - if ($comma != 0) { print CONF ","; } else { $comma = 1; } - if ($pfs eq "on") { - $modp = "-modp$k"; - } else { - $modp = ""; - } - print CONF "$i-$j$modp"; + if ($pfs eq "on") { + foreach my $k (@groups) { + if ($comma != 0) { print CONF ","; } else { $comma = 1; } + if ($pfs eq "on") { + $modp = "-modp$k"; + } else { + $modp = ""; + } + print CONF "$i-$j$modp"; + } + } else { + if ($comma != 0) { print CONF ","; } else { $comma = 1; } + print CONF "$i-$j"; } } } @@ -426,11 +431,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg goto SAVE_ERROR; } - unless ($cgiparams{'VPN_WATCH'} =~ /^(|off|on)$/ ) { - $errormessage = $Lang::tr{'invalid input'}; - goto SAVE_ERROR; - } - if ( $cgiparams{'RW_NET'} ne '' and !&General::validipandmask($cgiparams{'RW_NET'}) ) { $errormessage = $Lang::tr{'urlfilter invalid ip or mask error'}; goto SAVE_ERROR; @@ -438,7 +438,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg $vpnsettings{'VPN_IP'} = $cgiparams{'VPN_IP'}; $vpnsettings{'VPN_DELAYED_START'} = $cgiparams{'VPN_DELAYED_START'}; - $vpnsettings{'VPN_WATCH'} = $cgiparams{'VPN_WATCH'}; $vpnsettings{'RW_NET'} = $cgiparams{'RW_NET'}; &General::writehash("${General::swroot}/vpn/settings", \%vpnsettings); &writeipsecfiles(); 
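Review bot: Inside the new `if ($pfs eq "on")` branch the inner `if ($pfs eq "on") { $modp = "-modp$k"; } else { $modp = ""; }` is always true, so its else arm is dead; the loop body can become `if ($comma != 0) { print CONF ","; } else { $comma = 1; }` followed by `print CONF "$i-$j-modp$k";`, and `$modp` can go. `writeipsecfiles` starts before this hunk and continues after it.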
@@ -2385,7 +2384,6 @@ EOF $cgiparams{'VPN_IP'} ='%defaultroute' if ($cgiparams{'VPN_IP'} eq ''); $cgiparams{'VPN_DELAYED_START'} = 0 if (! defined ($cgiparams{'VPN_DELAYED_START'})); - $checked{'VPN_WATCH'} = $cgiparams{'VPN_WATCH'} eq 'on' ? "checked='checked'" : '' ; $checked{'ENABLED'} = $cgiparams{'ENABLED'} eq 'on' ? "checked='checked'" : ''; &Header::showhttpheaders(); @@ -2420,7 +2418,6 @@ print <
-

$Lang::tr{'vpn watch'}:


From 2ade4613c7fe43298ea40947de6c54b07f48dfd0 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Thu, 19 Jul 2012 17:20:05 +0200 Subject: [PATCH 10/13] Add all changed files to the updater. --- config/rootfiles/core/strongswan/filelists/files | 3 +++ 1 file changed, 3 insertions(+) diff --git a/config/rootfiles/core/strongswan/filelists/files b/config/rootfiles/core/strongswan/filelists/files index b2d3df765..4aa544066 100644 --- a/config/rootfiles/core/strongswan/filelists/files +++ b/config/rootfiles/core/strongswan/filelists/files @@ -1,3 +1,6 @@ etc/system-release etc/issue +etc/rc.d/init.d/tmpfs +srv/web/ipfire/cgi-bin/services.cgi +srv/web/ipfire/cgi-bin/vpnmain.cgi usr/local/bin/ipsecctrl From acb59f3a997cd39fbcc7b13df3a662533cec08c0 Mon Sep 17 00:00:00 2001 From: Arne Fitzenreiter Date: Mon, 13 Aug 2012 14:15:04 +0200 Subject: [PATCH 11/13] installer: add findutils to initrd. --- config/rootfiles/installer/findutils | 1 + 1 file changed, 1 insertion(+) create mode 120000 config/rootfiles/installer/findutils diff --git a/config/rootfiles/installer/findutils b/config/rootfiles/installer/findutils new file mode 120000 index 000000000..1114c4c47 --- /dev/null +++ b/config/rootfiles/installer/findutils @@ -0,0 +1 @@ +../common/findutils \ No newline at end of file From 337726bf3a0a21101ade7488264f386d54bbe20f Mon Sep 17 00:00:00 2001 From: Arne Fitzenreiter Date: Mon, 13 Aug 2012 14:24:27 +0200 Subject: [PATCH 12/13] installer: remove kudzu from scriots. --- src/install+setup/install/main.c | 8 +-- src/install+setup/install/mountdest.sh | 78 +++--------------------- src/install+setup/install/mountsource.sh | 29 +++++---- 3 files changed, 31 insertions(+), 84 deletions(-) diff --git a/src/install+setup/install/main.c b/src/install+setup/install/main.c index daa1c3f26..c181e4a8e 100644 --- a/src/install+setup/install/main.c +++ b/src/install+setup/install/main.c 
@@ -132,7 +132,7 @@ int main(int argc, char *argv[]) // Load common modules mysystem("/sbin/modprobe iso9660"); // CDROM - mysystem("/sbin/modprobe ext2"); // Boot patition +// mysystem("/sbin/modprobe ext2"); // Boot patition mysystem("/sbin/modprobe vfat"); // USB key /* German is the default */ @@ -375,16 +375,16 @@ int main(int argc, char *argv[]) } if (fstype == EXT2) { - mysystem("/sbin/modprobe ext2"); +// mysystem("/sbin/modprobe ext2"); sprintf(mkfscommand, "/sbin/mke2fs -T ext2"); } else if (fstype == REISERFS) { mysystem("/sbin/modprobe reiserfs"); sprintf(mkfscommand, "/sbin/mkreiserfs -f"); } else if (fstype == EXT3) { - mysystem("/sbin/modprobe ext3"); +// mysystem("/sbin/modprobe ext3"); sprintf(mkfscommand, "/sbin/mke2fs -T ext3"); } else if (fstype == EXT4) { - mysystem("/sbin/modprobe ext4"); +// mysystem("/sbin/modprobe ext4"); sprintf(mkfscommand, "/sbin/mke2fs -T ext4"); } diff --git a/src/install+setup/install/mountdest.sh b/src/install+setup/install/mountdest.sh index 00243a99b..700b8389f 100644 --- a/src/install+setup/install/mountdest.sh +++ b/src/install+setup/install/mountdest.sh @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007 Michael Tremer & Christian Schmidt # +# Copyright (C) 2007-2012 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # 
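Review bot: The modprobe calls for ext2/ext3/ext4 are commented out rather than deleted, in both hunks, which leaves dead code behind and gives no hint why loading is no longer needed; remove the lines and state the reason once, e.g. `// No modprobe for ext2/3/4 here: the installer kernel provides them without loadable modules` (adjust to the actual reason). `main` starts before these hunks and continues after them.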
@@ -21,30 +21,10 @@ echo "Scanning for possible destination drives" -# scan IDE devices -echo "--> IDE" -for DEVICE in $(kudzu -qps -t 30 -c HD -b IDE | grep device: | cut -d ' ' -f 2 | sort | uniq); do - if [ "$(grep ${DEVICE} /proc/partitions)" = "" ]; then - umount /harddisk 2> /dev/null - echo "${DEVICE} is empty - SKIP" - continue - fi - mount /dev/${DEVICE}1 /harddisk 2> /dev/null - if [ -n "$(ls /harddisk/ipfire-*.tlz 2>/dev/null)" ]; then - umount /harddisk 2> /dev/null - echo "${DEVICE}1 is source drive - SKIP" - continue - else - umount /harddisk 2> /dev/null - echo -n "$DEVICE" > /tmp/dest_device - echo "${DEVICE} - yes, it is our destination" - exit 0 # IDE / use DEVICE for grub - fi -done - -# scan USB/SCSI devices -echo "--> USB/SCSI" -for DEVICE in $(kudzu -qps -t 30 -c HD -b SCSI | grep device: | cut -d ' ' -f 2 | sort | uniq); do +# scan sd? +echo "--> sd?" +for DEVICE in `find /sys/block/* -maxdepth 0 -name sd* -exec basename {} \; | sort | uniq` +do if [ "$(grep ${DEVICE} /proc/partitions)" = "" ]; then umount /harddisk 2> /dev/null echo "${DEVICE} is empty - SKIP" 
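Review bot: The pattern in `find /sys/block/* -maxdepth 0 -name sd*` is unquoted, so if the working directory contains an entry matching `sd*` the shell expands it before `find` sees it and the scan silently changes; quote it as `-name 'sd*'`. The same applies to each `! -name sd*`/`sr*`/`fd*`/`loop*`/`ram*` pattern in the next hunk and to both `find` loops in `mountsource.sh`. The `sort | uniq` after `find` is harmless but redundant, as `find` lists each entry once.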
@@ -66,19 +46,15 @@ for DEVICE in $(kudzu -qps -t 30 -c HD -b SCSI | grep device: | cut -d ' ' -f 2 umount /harddisk 2> /dev/null echo -n "$DEVICE" > /tmp/dest_device echo "${DEVICE} - yes, it is our destination" - exit 1 # SCSI/USB (always use /dev/sda as bootdevicename) + exit 1 # (always use /dev/sda as bootdevicename) fi fi done -# scan RAID devices -echo "--> RAID" -for DEVICE in $(kudzu -qps -t 30 -c HD -b RAID | grep device: | cut -d ' ' -f 2 | sort | uniq); do - if [ "$(grep ${DEVICE}p1 /proc/partitions)" = "" ]; then - umount /harddisk 2> /dev/null - echo "${DEVICE}p1 is empty - SKIP" - continue - fi +# scan other +echo "--> other" +for DEVICE in `find /sys/block/* -maxdepth 0 ! -name sd* ! -name sr* ! -name fd* ! -name loop* ! -name ram* -exec basename {} \; | sort | uniq` +do mount /dev/${DEVICE}p1 /harddisk 2> /dev/null if [ -n "$(ls /harddisk/ipfire-*.tlz 2>/dev/null)" ]; then umount /harddisk 2> /dev/null @@ -112,38 +88,4 @@ for DEVICE in $(kudzu -qps -t 30 -c HD -b RAID | grep device: | cut -d ' ' -f 2 fi done -# Virtio devices -echo "--> Virtio" -for DEVICE in vda vdb vdc vdd; do - if [ ! -e /dev/${DEVICE} ]; then - continue - else - if [ "$(grep ${DEVICE} /proc/partitions)" = "" ]; then - umount /harddisk 2> /dev/null - echo "${DEVICE} is empty - SKIP" - continue - fi - mount /dev/${DEVICE} /harddisk 2> /dev/null - if [ -n "$(ls /harddisk/ipfire-*.tlz 2>/dev/null)" ]; then - umount /harddisk 2> /dev/null - echo "${DEVICE} is source drive - SKIP" - continue - else - umount /harddisk 2> /dev/null - mount /dev/${DEVICE}1 /harddisk 2> /dev/null - if [ -n "$(ls /harddisk/ipfire-*.tlz 2>/dev/null)" ]; then - umount /harddisk 2> /dev/null - echo "${DEVICE}1 is source drive - SKIP" - continue - else - umount /harddisk 2> /dev/null - echo -n "$DEVICE" > /tmp/dest_device - echo "${DEVICE} - yes, it is our destination" - exit 0 # like ide / use device for grub - fi - fi - fi -done - - exit 10 # Nothing found 
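Review bot: The `other` loop no longer checks `/proc/partitions` for `${DEVICE}p1` before `mount /dev/${DEVICE}p1 /harddisk`, while the `sd?` loop above still skips devices that have no partition; if the rest of this loop body (outside the hunk) mirrors the `sd?` loop, a device without a `p1` partition now fails the mount silently, finds no tarball and is taken as the destination. If that is the intended way to accept an unpartitioned target, a comment saying so would help; otherwise the check should be restored. The loop body continues past the end of this hunk.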
diff --git a/src/install+setup/install/mountsource.sh b/src/install+setup/install/mountsource.sh index 681375877..fbaec7e6e 100644 --- a/src/install+setup/install/mountsource.sh +++ b/src/install+setup/install/mountsource.sh @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007 Michael Tremer & Christian Schmidt # +# Copyright (C) 2007-2012 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -21,8 +21,9 @@ echo "Scanning source media" -# scan CDROM devices -for DEVICE in $(kudzu -qps -t 30 -c CDROM | grep device: | cut -d ' ' -f 2 | sort | uniq); do +# scan all Block devices +for DEVICE in `find /sys/block/* -maxdepth 0 ! -name fd* ! -name loop* ! -name ram* -exec basename {} \;` +do mount /dev/${DEVICE} /cdrom 2> /dev/null if [ -n "$(ls /cdrom/ipfire-*.tlz 2>/dev/null)" ]; then echo -n ${DEVICE} > /tmp/source_device @@ -34,9 +35,10 @@ for DEVICE in $(kudzu -qps -t 30 -c CDROM | grep device: | cut -d ' ' -f 2 | sor umount /cdrom 2> /dev/null done -# scan HD device part1 (usb sticks, etc.) -for DEVICE in $(kudzu -qps -t 30 -c HD | grep device: | cut -d ' ' -f 2 | sort | uniq); do - for DEVICEP in $(ls /dev/${DEVICE}? | sed "s/\/dev\///");do +# scan all Partitions on block devices +for DEVICE in `find /sys/block/* -maxdepth 0 ! -name fd* ! -name loop* ! -name ram* -exec basename {} \;` +do + for DEVICEP in $(ls /dev/${DEVICE}? | sed "s/\/dev\///" 2> /dev/null);do mount /dev/${DEVICEP} /cdrom 2> /dev/null if [ -n "$(ls /cdrom/ipfire-*.tlz 2>/dev/null)" ]; then echo -n ${DEVICEP} > /tmp/source_device 
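Review bot: In `$(ls /dev/${DEVICE}? | sed "s/\/dev\///" 2> /dev/null)` the redirection applies to `sed`, not to `ls`, so every device without partitions still prints an error from `ls` on the console during the scan; move it to `$(ls /dev/${DEVICE}? 2> /dev/null | sed "s/\/dev\///")`. The `p?` loop in the next hunk has no redirection at all and wants the same treatment.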
@@ -49,17 +51,20 @@ for DEVICE in $(kudzu -qps -t 30 -c HD | grep device: | cut -d ' ' -f 2 | sort | done done -# scan HD device unpart (usb sticks, etc.) -for DEVICE in $(kudzu -qps -t 30 -c HD | grep device: | cut -d ' ' -f 2 | sort | uniq); do - mount /dev/${DEVICE} /cdrom 2> /dev/null +# scan all Partitions on raid/mmc devices +for DEVICE in `find /sys/block/* -maxdepth 0 ! -name fd* ! -name loop* ! -name ram* -exec basename {} \;` +do + for DEVICEP in $(ls /dev/${DEVICE}p? | sed "s/\/dev\///");do + mount /dev/${DEVICEP} /cdrom 2> /dev/null if [ -n "$(ls /cdrom/ipfire-*.tlz 2>/dev/null)" ]; then - echo -n ${DEVICE} > /tmp/source_device - echo "Found tarball on ${DEVICE}" + echo -n ${DEVICEP} > /tmp/source_device + echo "Found tarball on ${DEVICEP}" exit 0 else - echo "Found no tarballs on ${DEVICE} - SKIP" + echo "Found no tarballs on ${DEVICEP} - SKIP" fi umount /cdrom 2> /dev/null + done done exit 10 From 21df33072c3592bc445760b7c72e0e81e0b74d78 Mon Sep 17 00:00:00 2001 From: Arne Fitzenreiter Date: Mon, 13 Aug 2012 13:39:34 -0400 Subject: [PATCH 13/13] compat-wireless: update to 3.5-3-snpc. --- lfs/compat-wireless | 15 +++++--- make.sh | 4 +- ...reless-3.2.5-1-fix_atomic64_t_on_arm.patch | 37 ------------------- ...reless-3.5-build_ath5k_only_with_pci.patch | 16 ++++++++ 4 files changed, 27 insertions(+), 45 deletions(-) delete mode 100644 src/patches/compat-wireless-3.2.5-1-fix_atomic64_t_on_arm.patch create mode 100644 src/patches/compat-wireless-3.5-build_ath5k_only_with_pci.patch diff --git a/lfs/compat-wireless b/lfs/compat-wireless index 436d3c3d0..24ad75bbf 100644 --- a/lfs/compat-wireless +++ b/lfs/compat-wireless @@ -26,7 +26,7 @@ include Config VERSUFIX=ipfire$(KCFG) -VER = 3.5-1-snpc +VER = 3.5-3-snpc ifeq "$(KCFG)" "-xen" KVER = 2.6.32.59 
@@ -47,7 +47,7 @@ objects = $(DL_FILE) asix-4.4.0.tar.xz $(DL_FILE) = $(DL_FROM)/$(DL_FILE) asix-4.4.0.tar.xz = $(DL_FROM)/asix-4.4.0.tar.xz -$(DL_FILE)_MD5 = 7099f748a9d2c05fffea7e5ea4f41a0b +$(DL_FILE)_MD5 = 66f27eed39aacd567f67025305273cd7 asix-4.4.0.tar.xz_MD5=633609e889de41554826e0e2cd7bffde install : $(TARGET) @@ -82,6 +82,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) # kfifo has no license info and taints kernel cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/compat-wireless-2.6.39_kfifo_module_info.patch + # Build ath5k only if target has pci + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/compat-wireless-3.5-build_ath5k_only_with_pci.patch + # Copy USB-Net drivers from Kernel... mkdir $(DIR_APP)/drivers/net/usb/new cp $(DIR_APP)/drivers/net/usb/*.c $(DIR_APP)/drivers/net/usb/new @@ -101,12 +104,12 @@ ifneq "$(KCFG)" "-xen" cd $(DIR_APP) && echo export CONFIG_LIBERTAS_UAP=m >> config.mk endif -#ifeq "$(MACHINE_TYPE)" "arm" -# # fix atomic64 functions -# cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/compat-wireless-3.2.5-1-fix_atomic64_t_on_arm.patch -#endif + # Erase some modules that are obsolete or moved to other path + rm -rf /lib/modules/$(KVER)-$(VERSUFIX)/kernel/net/bluetooth + rm -rf /lib/modules/$(KVER)-$(VERSUFIX)/kernel/drivers/net/wireless/wl12* cd $(DIR_APP) && make KLIB=/lib/modules/$(KVER)-$(VERSUFIX) \ + KLIB_BUILD=/lib/modules/$(KVER)-$(VERSUFIX)/build \ KMODPATH_ARG='INSTALL_MOD_PATH=' KMODDIR=kernel install-modules # Install firmware udev files... diff --git a/make.sh b/make.sh index 2bf61bac2..58f2dfaee 100755 --- a/make.sh +++ b/make.sh @@ -441,7 +441,7 @@ buildipfire() { # ipfiremake mISDN KCFG="-rpi" # ipfiremake dahdi KCFG="-rpi" KMOD=1 ipfiremake cryptodev KCFG="-rpi" -# ipfiremake compat-wireless KCFG="-rpi" + ipfiremake compat-wireless KCFG="-rpi" # ipfiremake r8169 KCFG="-rpi" # ipfiremake r8168 KCFG="-rpi" # ipfiremake r8101 KCFG="-rpi" 
@@ -455,7 +455,7 @@ buildipfire() { # ipfiremake mISDN KCFG="-omap" # ipfiremake dahdi KCFG="-omap" KMOD=1 ipfiremake cryptodev KCFG="-omap" -# ipfiremake compat-wireless KCFG="-omap" + ipfiremake compat-wireless KCFG="-omap" # ipfiremake r8169 KCFG="-omap" # ipfiremake r8168 KCFG="-omap" # ipfiremake r8101 KCFG="-omap" diff --git a/src/patches/compat-wireless-3.2.5-1-fix_atomic64_t_on_arm.patch b/src/patches/compat-wireless-3.2.5-1-fix_atomic64_t_on_arm.patch deleted file mode 100644 index adffdfd9c..000000000 --- a/src/patches/compat-wireless-3.2.5-1-fix_atomic64_t_on_arm.patch +++ /dev/null 
@@ -1,37 +0,0 @@ -diff -Naur compat-wireless-3.2.5-1.org/compat/compat_atomic.c compat-wireless-3.2.5-1/compat/compat_atomic.c ---- compat-wireless-3.2.5-1.org/compat/compat_atomic.c 2012-02-07 04:45:51.000000000 +0100 -+++ compat-wireless-3.2.5-1/compat/compat_atomic.c 2012-02-18 15:39:42.000000000 +0100 -@@ -3,6 +3,8 @@ - - #if !((LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,31)) && (defined(CONFIG_UML) || defined(CONFIG_X86))) && !((LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,33)) && defined(CONFIG_ARM) && !defined(CONFIG_GENERIC_ATOMIC64)) - -+#include -+ - static DEFINE_SPINLOCK(lock); - - long long atomic64_read(const atomic64_t *v) -diff -Naur compat-wireless-3.2.5-1.org/compat/Makefile compat-wireless-3.2.5-1/compat/Makefile ---- compat-wireless-3.2.5-1.org/compat/Makefile 2012-02-07 05:25:54.000000000 +0100 -+++ compat-wireless-3.2.5-1/compat/Makefile 2012-02-18 13:35:18.000000000 +0100 -@@ -38,3 +38,9 @@ - cordic.o \ - crc8.o - -+ -+ifndef CONFIG_64BIT -+ifndef CONFIG_GENERIC_ATOMIC64 -+ compat-y += compat_atomic.o -+endif -+endif -diff -Naur compat-wireless-3.2.5-1.org/net/mac80211/key.h compat-wireless-3.2.5-1/net/mac80211/key.h ---- compat-wireless-3.2.5-1.org/net/mac80211/key.h 2012-02-07 05:25:53.000000000 +0100 -+++ compat-wireless-3.2.5-1/net/mac80211/key.h 2012-02-18 15:40:44.000000000 +0100 -@@ -32,6 +32,8 @@ - - #define NUM_RX_DATA_QUEUES 16 - -+#include -+ - struct ieee80211_local; - struct ieee80211_sub_if_data; - struct sta_info; diff --git a/src/patches/compat-wireless-3.5-build_ath5k_only_with_pci.patch b/src/patches/compat-wireless-3.5-build_ath5k_only_with_pci.patch new file mode 100644 index 000000000..2e82157aa --- /dev/null +++ b/src/patches/compat-wireless-3.5-build_ath5k_only_with_pci.patch 
@@ -0,0 +1,16 @@ +diff -Naur compat-wireless-3.5-1-snpc.org/config.mk compat-wireless-3.5/config.mk +--- compat-wireless-3.5-1-snpc.org/config.mk 2012-07-31 17:22:29.000000000 -0400 ++++ compat-wireless-3.5/config.mk 2012-08-13 13:09:55.913234600 -0400 +@@ -246,10 +246,12 @@ + # mac80211 test driver + export CONFIG_MAC80211_HWSIM=m + ++ifdef CONFIG_PCI + export CONFIG_ATH5K=m + # export CONFIG_ATH5K_DEBUG=y + # export CONFIG_ATH5K_TRACER=y + # export CONFIG_ATH5K_AHB=y ++endif #CONFIG_PCI + + export CONFIG_ATH9K=m + export CONFIG_ATH9K_HW=m