Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next

2026-04-11 11:35:54 +02:00 · 2018-07-08 08:34:37 +02:00
parent b56b67330c 9aefd1ed07
commit fb22c9ffd9
131 changed files with 11740 additions and 323 deletions
--- a/config/cfgroot/aws-functions.pl
+++ b/config/cfgroot/aws-functions.pl
@@ -0,0 +1,34 @@
+#!/usr/bin/perl -w
+############################################################################
+#                                                                          #
+# This file is part of the IPFire Firewall.                                #
+#                                                                          #
+# IPFire is free software; you can redistribute it and/or modify           #
+# it under the terms of the GNU General Public License as published by     #
+# the Free Software Foundation; either version 2 of the License, or        #
+# (at your option) any later version.                                      #
+#                                                                          #
+# IPFire is distributed in the hope that it will be useful,                #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of           #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the            #
+# GNU General Public License for more details.                             #
+#                                                                          #
+# You should have received a copy of the GNU General Public License        #
+# along with IPFire; if not, write to the Free Software                    #
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307 USA #
+#                                                                          #
+# Copyright (C) 2018 IPFire Team <info@ipfire.org>.                        #
+#                                                                          #
+############################################################################
+
+package AWS;
+
+sub running_on_ec2() {
+	if (-e "/var/run/aws-instance-id") {
+		return 1;
+	}
+
+	return 0;
+}
+
+1;
--- a/config/cfgroot/header.pl
+++ b/config/cfgroot/header.pl
@@ -19,6 +19,8 @@ use Time::Local;

 $|=1; # line buffering

+require "/var/ipfire/aws-functions.pl";
+
 $Header::revision = 'final';
 $Header::swroot = '/var/ipfire';
 $Header::graphdir='/srv/web/ipfire/html/graphs';
@@ -97,6 +99,14 @@ require "${swroot}/langs/en.pl";
 require "${swroot}/langs/${language}.pl";
 eval `/bin/cat /srv/web/ipfire/html/themes/$THEME_NAME/include/functions.pl`;

+sub green_used() {
+    if ($ethsettings{'GREEN_DEV'} && $ethsettings{'GREEN_DEV'} ne "") {
+        return 1;
+    }
+
+    return 0;
+}
+
 sub orange_used () {
    if ($ethsettings{'CONFIG_TYPE'} =~ /^[24]$/) {
 	return 1;
@@ -161,6 +171,20 @@ sub genmenu {
    if ( $ethsettings{'RED_TYPE'} eq "PPPOE" && $pppsettings{'MONPORT'} ne "" ) {
        $menu->{'02.status'}{'subMenu'}->{'74.modem-status'}{'enabled'} = 1;
    }
+
+    # Disbale unusable things on EC2
+    if (&AWS::running_on_ec2()) {
+        $menu->{'03.network'}{'subMenu'}->{'30.dhcp'}{'enabled'} = 0;
+        $menu->{'03.network'}{'subMenu'}->{'80.macadressmenu'}{'enabled'} = 0;
+        $menu->{'03.network'}{'subMenu'}->{'90.wakeonlan'}{'enabled'} = 0;
+    }
+
+    # Disable proxy when no GREEN is available
+    if (!&green_used()) {
+        $menu->{'03.network'}{'subMenu'}->{'20.proxy'}{'enabled'} = 0;
+        $menu->{'03.network'}{'subMenu'}->{'21.urlfilter'}{'enabled'} = 0;
+        $menu->{'03.network'}{'subMenu'}->{'22.updxlrator'}{'enabled'} = 0;
+    }
  }
 }

--- a/config/cfgroot/main-settings
+++ b/config/cfgroot/main-settings
@@ -0,0 +1,5 @@
+THEME=ipfire
+LANGUAGE=en
+RRDLOG=/var/log/rrd
+KEYMAP=/lib/kbd/keymaps/i386/qwerty/us.map.gz
+TIMEZONE=/usr/share/zoneinfo/posix/UTC
--- a/config/cfgroot/ssh-settings
+++ b/config/cfgroot/ssh-settings
@@ -1,6 +1,5 @@
 ENABLE_SSH_KEYS=off
-ENABLE_SSH_PROTOCOL1=off
 ENABLE_SSH_PASSWORDS=on
 ENABLE_SSH_PORTFW=off
 ENABLE_SSH=off
-__CGI__=CGI=HASH(0x840b7a0)
+SSH_PORT=on
--- a/config/etc/nsswitch.conf
+++ b/config/etc/nsswitch.conf
@@ -4,7 +4,7 @@ passwd: files
 group: files
 shadow: files

-hosts: files dns
+hosts: files dns myhostname
 networks: files

 protocols: files
--- a/config/etc/sysctl.conf
+++ b/config/etc/sysctl.conf
@@ -42,3 +42,9 @@ net.netfilter.nf_conntrack_acct=1
 net.bridge.bridge-nf-call-ip6tables = 0
 net.bridge.bridge-nf-call-iptables = 0
 net.bridge.bridge-nf-call-arptables = 0
+
+# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
+kernel.kptr_restrict = 1
+
+# Avoid kernel memory address exposures via dmesg.
+kernel.dmesg_restrict = 1
--- a/config/firewall/firewall-policy
+++ b/config/firewall/firewall-policy
@@ -58,7 +58,9 @@ HAVE_OPENVPN="true"
 # INPUT

 # Allow access from GREEN
-iptables -A POLICYIN -i "${GREEN_DEV}" -j ACCEPT
+if [ -n "${GREEN_DEV}" ]; then
+	iptables -A POLICYIN -i "${GREEN_DEV}" -j ACCEPT
+fi

 # Allow access from BLUE
 if [ "${HAVE_BLUE}" = "true" ] && [ -n "${BLUE_DEV}" ]; then
@@ -119,12 +121,14 @@ case "${POLICY}" in

 	*)
 		# Access from GREEN is granted to everywhere
-		if [ "${IFACE}" = "${GREEN_DEV}" ]; then
-			# internet via green
-			# don't check source IP/NET if IFACE is GREEN
-			iptables -A POLICYFWD -i "${GREEN_DEV}" -j ACCEPT
-		else
-			iptables -A POLICYFWD -i "${GREEN_DEV}" -s "${GREEN_NETADDRESS}/${GREEN_NETMASK}" -j ACCEPT
+		if [ -n "${GREEN_DEV}" ]; then
+			if [ "${IFACE}" = "${GREEN_DEV}" ]; then
+				# internet via green
+				# don't check source IP/NET if IFACE is GREEN
+				iptables -A POLICYFWD -i "${GREEN_DEV}" -j ACCEPT
+			else
+				iptables -A POLICYFWD -i "${GREEN_DEV}" -s "${GREEN_NETADDRESS}/${GREEN_NETMASK}" -j ACCEPT
+			fi
 		fi

 		# Grant access for IPsec VPN connections
--- a/config/kernel/kernel.config.aarch64-ipfire-multi
+++ b/config/kernel/kernel.config.aarch64-ipfire-multi
--- a/config/rootfiles/common/aarch64/initscripts
+++ b/config/rootfiles/common/aarch64/initscripts
@@ -1,10 +1,12 @@
 etc/init.d
 #etc/rc.d
 #etc/rc.d/helper
+etc/rc.d/helper/aws-setup
 etc/rc.d/helper/getdnsfromdhcpc.pl
 #etc/rc.d/init.d
 etc/rc.d/init.d/acpid
 etc/rc.d/init.d/apache
+etc/rc.d/init.d/aws
 etc/rc.d/init.d/beep
 etc/rc.d/init.d/checkfs
 etc/rc.d/init.d/cleanfs
@@ -117,6 +119,7 @@ etc/rc.d/rc0.d/S80mountfs
 etc/rc.d/rc0.d/S90swap
 etc/rc.d/rc0.d/S99halt
 #etc/rc.d/rc3.d
+etc/rc.d/rc3.d/S00random
 etc/rc.d/rc3.d/S01vnstat
 etc/rc.d/rc3.d/S10sysklogd
 etc/rc.d/rc3.d/S11unbound
@@ -130,7 +133,6 @@ etc/rc.d/rc3.d/S19wlanclient
 etc/rc.d/rc3.d/S20network
 etc/rc.d/rc3.d/S21leds
 etc/rc.d/rc3.d/S24cyrus-sasl
-etc/rc.d/rc3.d/S25random
 etc/rc.d/rc3.d/S30sshd
 etc/rc.d/rc3.d/S32apache
 etc/rc.d/rc3.d/S40fcron
@@ -184,6 +186,7 @@ etc/rc.d/rcsysinit.d/S50cleanfs
 etc/rc.d/rcsysinit.d/S60setclock
 etc/rc.d/rcsysinit.d/S70console
 etc/rc.d/rcsysinit.d/S73swconfig
+etc/rc.d/rcsysinit.d/S74aws
 etc/rc.d/rcsysinit.d/S75firstsetup
 etc/rc.d/rcsysinit.d/S80localnet
 etc/rc.d/rcsysinit.d/S81pakfire
--- a/config/rootfiles/common/aarch64/linux-initrd-multi
+++ b/config/rootfiles/common/aarch64/linux-initrd-multi
@@ -0,0 +1,2 @@
+#boot/uInit-KVER-ipfire-multi
+boot/initramfs-KVER-ipfire-multi.img
--- a/config/rootfiles/common/aarch64/linux-multi
+++ b/config/rootfiles/common/aarch64/linux-multi
--- a/config/rootfiles/common/aarch64/rpi-firmware
+++ b/config/rootfiles/common/aarch64/rpi-firmware
@@ -0,0 +1,18 @@
+#boot/LICENCE.broadcom
+boot/bootcode.bin
+boot/cmdline.txt
+boot/config.txt
+boot/fixup.dat
+boot/fixup_cd.dat
+boot/fixup_db.dat
+boot/fixup_x.dat
+boot/start.elf
+boot/start_cd.elf
+boot/start_db.elf
+boot/start_x.elf
+lib/firmware/brcm/brcmfmac43430-sdio.bin
+lib/firmware/brcm/brcmfmac43430-sdio.txt
+lib/firmware/brcm/brcmfmac43430a0-sdio.bin
+lib/firmware/brcm/brcmfmac43455-sdio.bin
+lib/firmware/brcm/brcmfmac43455-sdio.clm_blob
+lib/firmware/brcm/brcmfmac43455-sdio.txt
--- a/config/rootfiles/common/aarch64/u-boot
+++ b/config/rootfiles/common/aarch64/u-boot
@@ -0,0 +1,9 @@
+boot/boot.cmd
+boot/boot.mk
+boot/boot.scr
+boot/kernel8.img
+boot/uEnv.txt
+boot/uboot.env
+#usr/share/u-boot
+#usr/share/u-boot/rpi3
+usr/share/u-boot/rpi3/kernel8.img
--- a/config/rootfiles/common/aarch64/u-boot-mkimage
+++ b/config/rootfiles/common/aarch64/u-boot-mkimage
@@ -0,0 +1 @@
+usr/bin/mkimage
--- a/config/rootfiles/common/armv5tel/initscripts
+++ b/config/rootfiles/common/armv5tel/initscripts
@@ -1,10 +1,12 @@
 etc/init.d
 #etc/rc.d
 #etc/rc.d/helper
+etc/rc.d/helper/aws-setup
 etc/rc.d/helper/getdnsfromdhcpc.pl
 #etc/rc.d/init.d
 etc/rc.d/init.d/acpid
 etc/rc.d/init.d/apache
+etc/rc.d/init.d/aws
 etc/rc.d/init.d/beep
 etc/rc.d/init.d/checkfs
 etc/rc.d/init.d/cleanfs
@@ -117,6 +119,7 @@ etc/rc.d/rc0.d/S80mountfs
 etc/rc.d/rc0.d/S90swap
 etc/rc.d/rc0.d/S99halt
 #etc/rc.d/rc3.d
+etc/rc.d/rc3.d/S00random
 etc/rc.d/rc3.d/S01vnstat
 etc/rc.d/rc3.d/S10sysklogd
 etc/rc.d/rc3.d/S11unbound
@@ -130,7 +133,6 @@ etc/rc.d/rc3.d/S19wlanclient
 etc/rc.d/rc3.d/S20network
 etc/rc.d/rc3.d/S21leds
 etc/rc.d/rc3.d/S24cyrus-sasl
-etc/rc.d/rc3.d/S25random
 etc/rc.d/rc3.d/S30sshd
 etc/rc.d/rc3.d/S32apache
 etc/rc.d/rc3.d/S40fcron
@@ -184,6 +186,7 @@ etc/rc.d/rcsysinit.d/S50cleanfs
 etc/rc.d/rcsysinit.d/S60setclock
 etc/rc.d/rcsysinit.d/S70console
 etc/rc.d/rcsysinit.d/S73swconfig
+etc/rc.d/rcsysinit.d/S74aws
 etc/rc.d/rcsysinit.d/S75firstsetup
 etc/rc.d/rcsysinit.d/S80localnet
 etc/rc.d/rcsysinit.d/S81pakfire
--- a/config/rootfiles/common/configroot
+++ b/config/rootfiles/common/configroot
@@ -7,6 +7,7 @@ usr/sbin/firewall-policy
 var/ipfire/addon-lang
 var/ipfire/auth
 #var/ipfire/auth/users
+var/ipfire/aws-functions.pl
 #var/ipfire/backup
 var/ipfire/backup/exclude.user
 var/ipfire/backup/include.user
--- a/config/rootfiles/common/conntrack-tools
+++ b/config/rootfiles/common/conntrack-tools
@@ -1,13 +1,26 @@
 #usr/lib/conntrack-tools
+#usr/lib/conntrack-tools/ct_helper_amanda.la
+usr/lib/conntrack-tools/ct_helper_amanda.so
+#usr/lib/conntrack-tools/ct_helper_dhcpv6.la
+#usr/lib/conntrack-tools/ct_helper_dhcpv6.so
 #usr/lib/conntrack-tools/ct_helper_ftp.la
 usr/lib/conntrack-tools/ct_helper_ftp.so
+#usr/lib/conntrack-tools/ct_helper_mdns.la
+usr/lib/conntrack-tools/ct_helper_mdns.so
 #usr/lib/conntrack-tools/ct_helper_rpc.la
 usr/lib/conntrack-tools/ct_helper_rpc.so
+#usr/lib/conntrack-tools/ct_helper_sane.la
+usr/lib/conntrack-tools/ct_helper_sane.so
+#usr/lib/conntrack-tools/ct_helper_ssdp.la
+usr/lib/conntrack-tools/ct_helper_ssdp.so
+#usr/lib/conntrack-tools/ct_helper_tftp.la
+usr/lib/conntrack-tools/ct_helper_tftp.so
 #usr/lib/conntrack-tools/ct_helper_tns.la
 usr/lib/conntrack-tools/ct_helper_tns.so
 usr/sbin/conntrack
 usr/sbin/conntrackd
 usr/sbin/nfct
+#usr/share/man/man5/conntrackd.conf.5
 #usr/share/man/man8/conntrack.8
 #usr/share/man/man8/conntrackd.8
 #usr/share/man/man8/nfct.8
--- a/config/rootfiles/common/dhcp
+++ b/config/rootfiles/common/dhcp
@@ -18,7 +18,7 @@ etc/dhcp/dhcpd.conf
 #usr/lib/libdhcp.a
 #usr/lib/libdhcpctl.a
 #usr/lib/libomapi.a
-#usr/sbin/dhclient
+usr/sbin/dhclient
 usr/sbin/dhcpd
 usr/sbin/dhcrelay
 #usr/share/man/man1/omshell.1
--- a/config/rootfiles/common/i586/initscripts
+++ b/config/rootfiles/common/i586/initscripts
@@ -1,10 +1,12 @@
 etc/init.d
 #etc/rc.d
 #etc/rc.d/helper
+etc/rc.d/helper/aws-setup
 etc/rc.d/helper/getdnsfromdhcpc.pl
 #etc/rc.d/init.d
 etc/rc.d/init.d/acpid
 etc/rc.d/init.d/apache
+etc/rc.d/init.d/aws
 etc/rc.d/init.d/beep
 etc/rc.d/init.d/checkfs
 etc/rc.d/init.d/cleanfs
@@ -116,6 +118,7 @@ etc/rc.d/rc0.d/S80mountfs
 etc/rc.d/rc0.d/S90swap
 etc/rc.d/rc0.d/S99halt
 #etc/rc.d/rc3.d
+etc/rc.d/rc3.d/S00random
 etc/rc.d/rc3.d/S01vnstat
 etc/rc.d/rc3.d/S10sysklogd
 etc/rc.d/rc3.d/S12acpid
@@ -129,7 +132,6 @@ etc/rc.d/rc3.d/S20network
 etc/rc.d/rc3.d/S11unbound
 etc/rc.d/rc3.d/S21leds
 etc/rc.d/rc3.d/S24cyrus-sasl
-etc/rc.d/rc3.d/S25random
 etc/rc.d/rc3.d/S30sshd
 etc/rc.d/rc3.d/S32apache
 etc/rc.d/rc3.d/S40fcron
@@ -182,6 +184,7 @@ etc/rc.d/rcsysinit.d/S45udev_retry
 etc/rc.d/rcsysinit.d/S50cleanfs
 etc/rc.d/rcsysinit.d/S60setclock
 etc/rc.d/rcsysinit.d/S70console
+etc/rc.d/rcsysinit.d/S74aws
 etc/rc.d/rcsysinit.d/S75firstsetup
 etc/rc.d/rcsysinit.d/S80localnet
 etc/rc.d/rcsysinit.d/S81pakfire
--- a/config/rootfiles/common/iptables
+++ b/config/rootfiles/common/iptables
@@ -16,9 +16,13 @@ lib/libiptc.so.0
 lib/libiptc.so.0.0.0
 #lib/libxtables.la
 lib/libxtables.so
-lib/libxtables.so.10
-lib/libxtables.so.10.0.0
-lib/xtables
+lib/libxtables.so.12
+lib/libxtables.so.12.0.0
+#lib/xtables
+#lib/xtables/libebt_802_3.so
+#lib/xtables/libebt_ip.so
+#lib/xtables/libebt_log.so
+#lib/xtables/libebt_mark_m.so
 #lib/xtables/libip6t_DNAT.so
 #lib/xtables/libip6t_DNPT.so
 #lib/xtables/libip6t_HL.so
@@ -39,16 +43,15 @@ lib/xtables
 #lib/xtables/libip6t_ipv6header.so
 #lib/xtables/libip6t_mh.so
 #lib/xtables/libip6t_rt.so
+#lib/xtables/libip6t_srh.so
 #lib/xtables/libipt_CLUSTERIP.so
 #lib/xtables/libipt_DNAT.so
 #lib/xtables/libipt_ECN.so
 #lib/xtables/libipt_LOG.so
 #lib/xtables/libipt_MASQUERADE.so
-#lib/xtables/libipt_MIRROR.so
 #lib/xtables/libipt_NETMAP.so
 #lib/xtables/libipt_REDIRECT.so
 #lib/xtables/libipt_REJECT.so
-#lib/xtables/libipt_SAME.so
 #lib/xtables/libipt_SNAT.so
 #lib/xtables/libipt_TTL.so
 #lib/xtables/libipt_ULOG.so
@@ -56,7 +59,6 @@ lib/xtables
 #lib/xtables/libipt_icmp.so
 #lib/xtables/libipt_realm.so
 #lib/xtables/libipt_ttl.so
-#lib/xtables/libipt_unclean.so
 #lib/xtables/libxt_AUDIT.so
 #lib/xtables/libxt_CHECKSUM.so
 #lib/xtables/libxt_CLASSIFY.so
@@ -84,6 +86,7 @@ lib/xtables
 #lib/xtables/libxt_TRACE.so
 #lib/xtables/libxt_addrtype.so
 #lib/xtables/libxt_bpf.so
+#lib/xtables/libxt_cgroup.so
 #lib/xtables/libxt_cluster.so
 #lib/xtables/libxt_comment.so
 #lib/xtables/libxt_connbytes.so
@@ -99,12 +102,14 @@ lib/xtables
 #lib/xtables/libxt_esp.so
 #lib/xtables/libxt_hashlimit.so
 #lib/xtables/libxt_helper.so
+#lib/xtables/libxt_ipcomp.so
 #lib/xtables/libxt_iprange.so
 #lib/xtables/libxt_ipvs.so
 #lib/xtables/libxt_layer7.so
 #lib/xtables/libxt_length.so
 #lib/xtables/libxt_limit.so
 #lib/xtables/libxt_mac.so
+#lib/xtables/libxt_mangle.so
 #lib/xtables/libxt_mark.so
 #lib/xtables/libxt_multiport.so
 #lib/xtables/libxt_nfacct.so
@@ -172,5 +177,6 @@ sbin/xtables-multi
 #usr/share/man/man8/iptables-restore.8
 #usr/share/man/man8/iptables-save.8
 #usr/share/man/man8/iptables.8
+#usr/share/man/man8/nfnl_osf.8
 #usr/share/xtables
 usr/share/xtables/pf.os
--- a/config/rootfiles/common/libgcrypt
+++ b/config/rootfiles/common/libgcrypt
@@ -6,7 +6,9 @@
 #usr/lib/libgcrypt.la
 #usr/lib/libgcrypt.so
 usr/lib/libgcrypt.so.20
-usr/lib/libgcrypt.so.20.2.2
+usr/lib/libgcrypt.so.20.2.3
 #usr/share/aclocal/libgcrypt.m4
 #usr/share/info/gcrypt.info
+#usr/share/info/gcrypt.info-1
+#usr/share/info/gcrypt.info-2
 #usr/share/man/man1/hmac256.1
--- a/config/rootfiles/common/libnetfilter_conntrack
+++ b/config/rootfiles/common/libnetfilter_conntrack
@@ -7,9 +7,10 @@
 #usr/include/libnetfilter_conntrack/libnetfilter_conntrack_sctp.h
 #usr/include/libnetfilter_conntrack/libnetfilter_conntrack_tcp.h
 #usr/include/libnetfilter_conntrack/libnetfilter_conntrack_udp.h
+#usr/include/libnetfilter_conntrack/linux_nf_conntrack_common.h
 #usr/include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h
 #usr/lib/libnetfilter_conntrack.la
 #usr/lib/libnetfilter_conntrack.so
 usr/lib/libnetfilter_conntrack.so.3
-usr/lib/libnetfilter_conntrack.so.3.6.0
+usr/lib/libnetfilter_conntrack.so.3.7.0
 #usr/lib/pkgconfig/libnetfilter_conntrack.pc
--- a/config/rootfiles/common/multipath-tools
+++ b/config/rootfiles/common/multipath-tools
@@ -1,4 +1,4 @@
-#etc/udev/rules.d/kpartx.rules
-#lib/udev/kpartx_id
 #sbin/kpartx
+#usr/lib/udev/rules.d/11-dm-parts.rules
+#usr/lib/udev/rules.d/68-del-part-nodes.rules
 #usr/share/man/man8/kpartx.8.gz
--- a/config/rootfiles/common/nss-myhostname
+++ b/config/rootfiles/common/nss-myhostname
@@ -0,0 +1,4 @@
+lib/libnss_myhostname.so.2
+#usr/share/doc/nss-myhostname
+#usr/share/doc/nss-myhostname/README.html
+#usr/share/doc/nss-myhostname/style.css
--- a/config/rootfiles/common/spice-protocol
+++ b/config/rootfiles/common/spice-protocol
@@ -16,4 +16,5 @@
 #usr/include/spice-1/spice/types.h
 #usr/include/spice-1/spice/vd_agent.h
 #usr/include/spice-1/spice/vdi_dev.h
+#usr/share/pkgconfig
 #usr/share/pkgconfig/spice-protocol.pc
--- a/config/rootfiles/common/strongswan
+++ b/config/rootfiles/common/strongswan
@@ -17,6 +17,7 @@ etc/strongswan.d/charon.conf
 etc/strongswan.d/charon/aes.conf
 etc/strongswan.d/charon/attr.conf
 etc/strongswan.d/charon/ccm.conf
+etc/strongswan.d/charon/chapoly.conf
 etc/strongswan.d/charon/cmac.conf
 etc/strongswan.d/charon/constraints.conf
 etc/strongswan.d/charon/counters.conf
@@ -51,7 +52,6 @@ etc/strongswan.d/charon/pkcs7.conf
 etc/strongswan.d/charon/pkcs8.conf
 etc/strongswan.d/charon/pubkey.conf
 etc/strongswan.d/charon/random.conf
-etc/strongswan.d/charon/rc2.conf
 etc/strongswan.d/charon/resolve.conf
 etc/strongswan.d/charon/revocation.conf
 etc/strongswan.d/charon/sha1.conf
@@ -112,6 +112,7 @@ usr/lib/ipsec/libvici.so.0.0.0
 usr/lib/ipsec/plugins/libstrongswan-aes.so
 usr/lib/ipsec/plugins/libstrongswan-attr.so
 usr/lib/ipsec/plugins/libstrongswan-ccm.so
+usr/lib/ipsec/plugins/libstrongswan-chapoly.so
 usr/lib/ipsec/plugins/libstrongswan-cmac.so
 usr/lib/ipsec/plugins/libstrongswan-constraints.so
 usr/lib/ipsec/plugins/libstrongswan-counters.so
@@ -146,7 +147,6 @@ usr/lib/ipsec/plugins/libstrongswan-pkcs7.so
 usr/lib/ipsec/plugins/libstrongswan-pkcs8.so
 usr/lib/ipsec/plugins/libstrongswan-pubkey.so
 usr/lib/ipsec/plugins/libstrongswan-random.so
-usr/lib/ipsec/plugins/libstrongswan-rc2.so
 usr/lib/ipsec/plugins/libstrongswan-resolve.so
 usr/lib/ipsec/plugins/libstrongswan-revocation.so
 usr/lib/ipsec/plugins/libstrongswan-sha1.so
@@ -197,6 +197,7 @@ usr/sbin/swanctl
 #usr/share/strongswan/templates/config/plugins/aes.conf
 #usr/share/strongswan/templates/config/plugins/attr.conf
 #usr/share/strongswan/templates/config/plugins/ccm.conf
+#usr/share/strongswan/templates/config/plugins/chapoly.conf
 #usr/share/strongswan/templates/config/plugins/cmac.conf
 #usr/share/strongswan/templates/config/plugins/constraints.conf
 #usr/share/strongswan/templates/config/plugins/counters.conf
@@ -231,7 +232,6 @@ usr/sbin/swanctl
 #usr/share/strongswan/templates/config/plugins/pkcs8.conf
 #usr/share/strongswan/templates/config/plugins/pubkey.conf
 #usr/share/strongswan/templates/config/plugins/random.conf
-#usr/share/strongswan/templates/config/plugins/rc2.conf
 #usr/share/strongswan/templates/config/plugins/resolve.conf
 #usr/share/strongswan/templates/config/plugins/revocation.conf
 #usr/share/strongswan/templates/config/plugins/sha1.conf
--- a/config/rootfiles/common/unbound
+++ b/config/rootfiles/common/unbound
@@ -11,7 +11,7 @@ etc/unbound/unbound.conf
 #usr/lib/libunbound.la
 #usr/lib/libunbound.so
 usr/lib/libunbound.so.2
-usr/lib/libunbound.so.2.5.10
+usr/lib/libunbound.so.2.5.11
 #usr/lib/pkgconfig/libunbound.pc
 usr/sbin/unbound
 usr/sbin/unbound-anchor
--- a/config/rootfiles/common/usbutils
+++ b/config/rootfiles/common/usbutils
@@ -2,7 +2,6 @@ usr/bin/lsusb
 usr/bin/lsusb.py
 usr/bin/usb-devices
 usr/bin/usbhid-dump
-usr/sbin/update-usbids.sh
 #usr/share/hwdata
 #usr/share/hwdata/usb.ids
 #usr/share/man/man1/usb-devices.1
--- a/config/rootfiles/common/x86_64/initscripts
+++ b/config/rootfiles/common/x86_64/initscripts
@@ -1,10 +1,12 @@
 etc/init.d
 #etc/rc.d
 #etc/rc.d/helper
+etc/rc.d/helper/aws-setup
 etc/rc.d/helper/getdnsfromdhcpc.pl
 #etc/rc.d/init.d
 etc/rc.d/init.d/acpid
 etc/rc.d/init.d/apache
+etc/rc.d/init.d/aws
 etc/rc.d/init.d/beep
 etc/rc.d/init.d/checkfs
 etc/rc.d/init.d/cleanfs
@@ -116,6 +118,7 @@ etc/rc.d/rc0.d/S80mountfs
 etc/rc.d/rc0.d/S90swap
 etc/rc.d/rc0.d/S99halt
 #etc/rc.d/rc3.d
+etc/rc.d/rc3.d/S00random
 etc/rc.d/rc3.d/S01vnstat
 etc/rc.d/rc3.d/S10sysklogd
 etc/rc.d/rc3.d/S12acpid
@@ -129,7 +132,6 @@ etc/rc.d/rc3.d/S20network
 etc/rc.d/rc3.d/S11unbound
 etc/rc.d/rc3.d/S21leds
 etc/rc.d/rc3.d/S24cyrus-sasl
-etc/rc.d/rc3.d/S25random
 etc/rc.d/rc3.d/S30sshd
 etc/rc.d/rc3.d/S32apache
 etc/rc.d/rc3.d/S40fcron
@@ -182,6 +184,7 @@ etc/rc.d/rcsysinit.d/S45udev_retry
 etc/rc.d/rcsysinit.d/S50cleanfs
 etc/rc.d/rcsysinit.d/S60setclock
 etc/rc.d/rcsysinit.d/S70console
+etc/rc.d/rcsysinit.d/S74aws
 etc/rc.d/rcsysinit.d/S75firstsetup
 etc/rc.d/rcsysinit.d/S80localnet
 etc/rc.d/rcsysinit.d/S81pakfire
--- a/config/rootfiles/core/123/filelists/conntrack-tools
+++ b/config/rootfiles/core/123/filelists/conntrack-tools
@@ -0,0 +1 @@
+../../../common/conntrack-tools
--- a/config/rootfiles/core/123/filelists/files
+++ b/config/rootfiles/core/123/filelists/files
@@ -1,7 +1,19 @@
 etc/system-release
 etc/issue
+etc/rc.d/helper/aws-setup
+etc/rc.d/init.d/aws
+etc/rc.d/init.d/collectd
+etc/rc.d/rcsysinit.d/S74aws
+etc/sysctl.conf
 srv/web/ipfire/cgi-bin/ids.cgi
 srv/web/ipfire/cgi-bin/index.cgi
 srv/web/ipfire/cgi-bin/ovpnmain.cgi
+srv/web/ipfire/cgi-bin/proxy.cgi
+srv/web/ipfire/cgi-bin/vpnmain.cgi
+usr/sbin/dhclient
+usr/share/GeoIP/GeoIP.dat
 var/ipfire/backup/exclude
 var/ipfire/langs
+var/ipfire/aws-functions.pl
+var/ipfire/header.pl
+var/ipfire/general-functions.pl
--- a/config/rootfiles/core/123/filelists/iptables
+++ b/config/rootfiles/core/123/filelists/iptables
@@ -0,0 +1 @@
+../../../common/iptables
--- a/config/rootfiles/core/123/filelists/nss-myhostname
+++ b/config/rootfiles/core/123/filelists/nss-myhostname
@@ -0,0 +1 @@
+../../../common/nss-myhostname
--- a/config/rootfiles/core/123/filelists/strongswan
+++ b/config/rootfiles/core/123/filelists/strongswan
@@ -0,0 +1 @@
+../../../common/strongswan
--- a/config/rootfiles/core/123/filelists/usbutils
+++ b/config/rootfiles/core/123/filelists/usbutils
@@ -0,0 +1 @@
+../../../common/usbutils
--- a/config/rootfiles/core/123/update.sh
+++ b/config/rootfiles/core/123/update.sh
@@ -36,6 +36,9 @@ done
 # Extract files
 extract_files

+# move exec random initskript earlier
+mv /etc/rc.d/rc3.d/S??random /etc/rc.d/rc3.d/S00random
+
 # update linker config
 ldconfig

@@ -61,3 +64,4 @@ sync

 # Don't report the exitcode last command
 exit 0
+
--- a/config/rootfiles/oldcore/121/filelists/files
+++ b/config/rootfiles/oldcore/121/filelists/files
@@ -1,20 +1,6 @@
 etc/system-release
 etc/issue
-etc/rc.d/init.d/acpid
-etc/rc.d/init.d/collectd
-etc/rc.d/init.d/firstsetup
-etc/rc.d/init.d/leds
-etc/rc.d/init.d/partresize
 etc/rc.d/init.d/rngd
-etc/rc.d/rc0.d/K87acpid
-etc/rc.d/rc3.d/S12acpid
-etc/rc.d/rc6.d/K87acpid
 etc/ssl/certs/ca-bundle.crt
-srv/web/ipfire/cgi-bin/entropy.cgi
-srv/web/ipfire/cgi-bin/firewall.cgi
-srv/web/ipfire/cgi-bin/fwhosts.cgi
-srv/web/ipfire/cgi-bin/ovpnmain.cgi
-srv/web/ipfire/cgi-bin/remote.cgi
-usr/lib/firewall/firewall-lib.pl
-var/ipfire/langs
-var/ipfire/qos/bin/makeqosscripts.pl
+opt/pakfire/etc/pakfire.conf
+usr/sbin/setup
--- a/config/rootfiles/oldcore/121/update.sh
+++ b/config/rootfiles/oldcore/121/update.sh
@@ -29,6 +29,8 @@ core=121
 exit_with_error() {
 	# Set last succesfull installed core.
 	echo $(($core-1)) > /opt/pakfire/db/core/mine
+	# don't start pakfire again at error
+	killall -KILL pak_update
 	/usr/bin/logger -p syslog.emerg -t ipfire \
 		"core-update-${core}: $1"
 	exit $2
@@ -39,13 +41,6 @@ for (( i=1; i<=$core; i++ )); do
 	rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire
 done

-# This update cannot be applied on ARM
-case "$(uname -a)" in
-	arm*)
-		exit_with_error "ERROR: Cannot update on ARM. Please re-install." 1
-		;;
-esac
-
 # Do some sanity checks.
 case $(uname -r) in
 	*-ipfire*)
@@ -59,23 +54,11 @@ esac
 # Check diskspace on root
 ROOTSPACE=`df / -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1`

-if [ $ROOTSPACE -lt 100000 ]; then
+if [ $ROOTSPACE -lt 220000 ]; then
 	exit_with_error "ERROR cannot update because not enough free space on root." 2
 	exit 2
 fi

-# Remove the old kernel
-rm -rf /boot/System.map-*
-rm -rf /boot/config-*
-rm -rf /boot/ipfirerd-*
-rm -rf /boot/initramfs-*
-rm -rf /boot/vmlinuz-*
-rm -rf /boot/uImage-ipfire-*
-rm -rf /boot/zImage-ipfire-*
-rm -rf /boot/uInit-ipfire-*
-rm -rf /boot/dtb-*-ipfire-*
-rm -rf /lib/modules
-
 # Stop services

 # Extract files
@@ -85,27 +68,12 @@ extract_files
 ldconfig

 # Update Language cache
-/usr/local/bin/update-lang-cache
-
-# Remove Nagios files, if any...
-rm -rvf \
-	/etc/rc.d/init.d/nagios \
-	/usr/bin/nagios \
-	/etc/rc.d/rc6.d/K33nagios \
-	/etc/rc.d/rc3.d/off/S67nagios \
-	/etc/rc.d/rc0.d/K33nagios \
-	/etc/httpd/conf/conf.d/nagios.conf \
-	/etc/nagios/nagios.cfg \
-	/usr/bin/p1.pl \
-	/usr/bin/nagiostats \
-	/usr/share/nagios/ \
-	/var/nagios/

 # Start services
 /etc/init.d/apache restart

 # This update needs a reboot...
-touch /var/run/need_reboot
+#touch /var/run/need_reboot

 # Finish
 /etc/init.d/fireinfo start
@@ -116,7 +84,32 @@ if [ -e /boot/grub/grub.cfg ]; then
 	grub-mkconfig -o /boot/grub/grub.cfg
 fi

+
+#
+# After pakfire has ended run it again and update the lists and do upgrade
+#
+echo '#!/bin/bash'                                        >  /tmp/pak_update
+echo 'while [ "$(ps -A | grep " update.sh")" != "" ]; do' >> /tmp/pak_update
+echo '    sleep 1'                                        >> /tmp/pak_update
+echo 'done'                                               >> /tmp/pak_update
+echo 'while [ "$(ps -A | grep " pakfire")" != "" ]; do'   >> /tmp/pak_update
+echo '    sleep 1'                                        >> /tmp/pak_update
+echo 'done'                                               >> /tmp/pak_update
+echo '/opt/pakfire/pakfire update -y --force'             >> /tmp/pak_update
+echo '/opt/pakfire/pakfire upgrade -y'                    >> /tmp/pak_update
+echo '/opt/pakfire/pakfire upgrade -y'                    >> /tmp/pak_update
+echo '/opt/pakfire/pakfire upgrade -y'                    >> /tmp/pak_update
+echo '/usr/bin/logger -p syslog.emerg -t ipfire "Core-upgrade finished. If you use a customized grub/uboot config"' >> /tmp/pak_update
+echo '/usr/bin/logger -p syslog.emerg -t ipfire "Check it before reboot !!!"' >> /tmp/pak_update
+echo '/usr/bin/logger -p syslog.emerg -t ipfire " *** Please reboot... *** "' >> /tmp/pak_update
+echo 'touch /var/run/need_reboot ' >> /tmp/pak_update
+#
+killall -KILL pak_update
+chmod +x /tmp/pak_update
+/tmp/pak_update &
+
 sync

 # Don't report the exitcode last command
 exit 0
+
--- a/config/rootfiles/oldcore/122/exclude
+++ b/config/rootfiles/oldcore/122/exclude
@@ -0,0 +1,30 @@
+boot/config.txt
+boot/grub/grub.cfg
+boot/grub/grubenv
+etc/alternatives
+etc/collectd.custom
+etc/default/grub
+etc/ipsec.conf
+etc/ipsec.secrets
+etc/ipsec.user.conf
+etc/ipsec.user.secrets
+etc/localtime
+etc/shadow
+etc/snort/snort.conf
+etc/ssh/ssh_config
+etc/ssh/sshd_config
+etc/ssl/openssl.cnf
+etc/sudoers
+etc/sysconfig/firewall.local
+etc/sysconfig/rc.local
+etc/udev/rules.d/30-persistent-network.rules
+srv/web/ipfire/html/proxy.pac
+var/ipfire/dma
+var/ipfire/time
+var/ipfire/ovpn
+var/lib/alternatives
+var/log/cache
+var/log/dhcpcd.log
+var/log/messages
+var/state/dhcp/dhcpd.leases
+var/updatecache
--- a/config/rootfiles/oldcore/122/filelists/acpid
+++ b/config/rootfiles/oldcore/122/filelists/acpid
@@ -0,0 +1 @@
+../../../common/acpid
--- a/config/rootfiles/oldcore/122/filelists/apache2
+++ b/config/rootfiles/oldcore/122/filelists/apache2
@@ -0,0 +1 @@
+../../../common/apache2
--- a/config/rootfiles/oldcore/122/filelists/apr
+++ b/config/rootfiles/oldcore/122/filelists/apr
@@ -0,0 +1 @@
+../../../common/apr
--- a/config/rootfiles/oldcore/122/filelists/aprutil
+++ b/config/rootfiles/oldcore/122/filelists/aprutil
@@ -0,0 +1 @@
+../../../common/aprutil
--- a/config/rootfiles/oldcore/122/filelists/armv5tel/files
+++ b/config/rootfiles/oldcore/122/filelists/armv5tel/files
@@ -0,0 +1 @@
+etc/rc.d/init.d/swconfig
--- a/config/rootfiles/oldcore/122/filelists/armv5tel/linux-initrd-kirkwood
+++ b/config/rootfiles/oldcore/122/filelists/armv5tel/linux-initrd-kirkwood
@@ -0,0 +1 @@
+../../../../common/armv5tel/linux-initrd-kirkwood
--- a/config/rootfiles/oldcore/122/filelists/armv5tel/linux-initrd-multi
+++ b/config/rootfiles/oldcore/122/filelists/armv5tel/linux-initrd-multi
@@ -0,0 +1 @@
+../../../../common/armv5tel/linux-initrd-multi
--- a/config/rootfiles/oldcore/122/filelists/armv5tel/linux-kirkwood
+++ b/config/rootfiles/oldcore/122/filelists/armv5tel/linux-kirkwood
@@ -0,0 +1 @@
+../../../../common/armv5tel/linux-kirkwood
--- a/config/rootfiles/oldcore/122/filelists/armv5tel/linux-multi
+++ b/config/rootfiles/oldcore/122/filelists/armv5tel/linux-multi
@@ -0,0 +1 @@
+../../../../common/armv5tel/linux-multi
--- a/config/rootfiles/oldcore/122/filelists/armv5tel/rpi-firmware
+++ b/config/rootfiles/oldcore/122/filelists/armv5tel/rpi-firmware
@@ -0,0 +1 @@
+../../../../common/armv5tel/rpi-firmware
--- a/config/rootfiles/oldcore/122/filelists/armv5tel/u-boot
+++ b/config/rootfiles/oldcore/122/filelists/armv5tel/u-boot
@@ -0,0 +1 @@
+../../../../common/armv5tel/u-boot
--- a/config/rootfiles/oldcore/122/filelists/armv5tel/u-boot-kirkwood
+++ b/config/rootfiles/oldcore/122/filelists/armv5tel/u-boot-kirkwood
@@ -0,0 +1 @@
+../../../../common/armv5tel/u-boot-kirkwood
--- a/config/rootfiles/oldcore/122/filelists/armv5tel/u-boot-mkimage
+++ b/config/rootfiles/oldcore/122/filelists/armv5tel/u-boot-mkimage
@@ -0,0 +1 @@
+../../../../common/armv5tel/u-boot-mkimage
--- a/config/rootfiles/oldcore/122/filelists/beep
+++ b/config/rootfiles/oldcore/122/filelists/beep
@@ -0,0 +1 @@
+../../../common/beep
--- a/config/rootfiles/oldcore/122/filelists/cmake
+++ b/config/rootfiles/oldcore/122/filelists/cmake
@@ -0,0 +1 @@
+../../../common/cmake
--- a/config/rootfiles/oldcore/122/filelists/crda
+++ b/config/rootfiles/oldcore/122/filelists/crda
@@ -0,0 +1 @@
+../../../common/crda
--- a/config/rootfiles/oldcore/122/filelists/dhcp
+++ b/config/rootfiles/oldcore/122/filelists/dhcp
@@ -0,0 +1 @@
+../../../common/dhcp
--- a/config/rootfiles/oldcore/122/filelists/files
+++ b/config/rootfiles/oldcore/122/filelists/files
@@ -0,0 +1,19 @@
+etc/system-release
+etc/issue
+etc/rc.d/init.d/acpid
+etc/rc.d/init.d/collectd
+etc/rc.d/init.d/firstsetup
+etc/rc.d/init.d/leds
+etc/rc.d/init.d/partresize
+etc/rc.d/init.d/random
+etc/rc.d/rc0.d/K87acpid
+etc/rc.d/rc3.d/S12acpid
+etc/rc.d/rc6.d/K87acpid
+srv/web/ipfire/cgi-bin/entropy.cgi
+srv/web/ipfire/cgi-bin/firewall.cgi
+srv/web/ipfire/cgi-bin/fwhosts.cgi
+srv/web/ipfire/cgi-bin/ovpnmain.cgi
+srv/web/ipfire/cgi-bin/remote.cgi
+usr/lib/firewall/firewall-lib.pl
+var/ipfire/langs
+var/ipfire/qos/bin/makeqosscripts.pl
--- a/config/rootfiles/oldcore/122/filelists/flex
+++ b/config/rootfiles/oldcore/122/filelists/flex
@@ -0,0 +1 @@
+../../../common/flex
--- a/config/rootfiles/oldcore/122/filelists/i586/grub
+++ b/config/rootfiles/oldcore/122/filelists/i586/grub
@@ -0,0 +1 @@
+../../../../common/i586/grub
--- a/config/rootfiles/oldcore/122/filelists/i586/intel-microcode
+++ b/config/rootfiles/oldcore/122/filelists/i586/intel-microcode
@@ -0,0 +1 @@
+../../../../common/i586/intel-microcode
--- a/config/rootfiles/oldcore/122/filelists/i586/linux
+++ b/config/rootfiles/oldcore/122/filelists/i586/linux
@@ -0,0 +1 @@
+../../../../common/i586/linux
--- a/config/rootfiles/oldcore/122/filelists/i586/linux-initrd
+++ b/config/rootfiles/oldcore/122/filelists/i586/linux-initrd
@@ -0,0 +1 @@
+../../../../common/i586/linux-initrd
--- a/config/rootfiles/oldcore/122/filelists/iw
+++ b/config/rootfiles/oldcore/122/filelists/iw
@@ -0,0 +1 @@
+../../../common/iw
--- a/config/rootfiles/oldcore/122/filelists/jwhois
+++ b/config/rootfiles/oldcore/122/filelists/jwhois
@@ -0,0 +1 @@
+../../../common/jwhois
--- a/config/rootfiles/oldcore/122/filelists/libidn
+++ b/config/rootfiles/oldcore/122/filelists/libidn
@@ -0,0 +1 @@
+../../../common/libidn
--- a/config/rootfiles/oldcore/122/filelists/multipath-tools
+++ b/config/rootfiles/oldcore/122/filelists/multipath-tools
@@ -0,0 +1 @@
+../../../common/multipath-tools
--- a/config/rootfiles/oldcore/122/filelists/pcre
+++ b/config/rootfiles/oldcore/122/filelists/pcre
@@ -0,0 +1 @@
+../../../common/pcre
--- a/config/rootfiles/oldcore/122/filelists/tar
+++ b/config/rootfiles/oldcore/122/filelists/tar
@@ -0,0 +1 @@
+../../../common/tar
--- a/config/rootfiles/oldcore/122/filelists/unbound
+++ b/config/rootfiles/oldcore/122/filelists/unbound
@@ -0,0 +1 @@
+../../../common/unbound
--- a/config/rootfiles/oldcore/122/filelists/wget
+++ b/config/rootfiles/oldcore/122/filelists/wget
@@ -0,0 +1 @@
+../../../common/wget
--- a/config/rootfiles/oldcore/122/filelists/x86_64/grub
+++ b/config/rootfiles/oldcore/122/filelists/x86_64/grub
@@ -0,0 +1 @@
+../../../../common/x86_64/grub
--- a/config/rootfiles/oldcore/122/filelists/x86_64/intel-microcode
+++ b/config/rootfiles/oldcore/122/filelists/x86_64/intel-microcode
@@ -0,0 +1 @@
+../../../../common/x86_64/intel-microcode
--- a/config/rootfiles/oldcore/122/filelists/x86_64/linux
+++ b/config/rootfiles/oldcore/122/filelists/x86_64/linux
@@ -0,0 +1 @@
+../../../../common/x86_64/linux
--- a/config/rootfiles/oldcore/122/filelists/x86_64/linux-initrd
+++ b/config/rootfiles/oldcore/122/filelists/x86_64/linux-initrd
@@ -0,0 +1 @@
+../../../../common/x86_64/linux-initrd
--- a/config/rootfiles/oldcore/122/filelists/xtables-addons
+++ b/config/rootfiles/oldcore/122/filelists/xtables-addons
@@ -0,0 +1 @@
+../../../common/xtables-addons
--- a/config/rootfiles/oldcore/122/meta
+++ b/config/rootfiles/oldcore/122/meta
@@ -0,0 +1 @@
+DEPS=""
--- a/config/rootfiles/oldcore/122/update.sh
+++ b/config/rootfiles/oldcore/122/update.sh
@@ -0,0 +1,162 @@
+#!/bin/bash
+############################################################################
+#                                                                          #
+# This file is part of the IPFire Firewall.                                #
+#                                                                          #
+# IPFire is free software; you can redistribute it and/or modify           #
+# it under the terms of the GNU General Public License as published by     #
+# the Free Software Foundation; either version 3 of the License, or        #
+# (at your option) any later version.                                      #
+#                                                                          #
+# IPFire is distributed in the hope that it will be useful,                #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of           #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the            #
+# GNU General Public License for more details.                             #
+#                                                                          #
+# You should have received a copy of the GNU General Public License        #
+# along with IPFire; if not, write to the Free Software                    #
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307 USA #
+#                                                                          #
+# Copyright (C) 2018 IPFire-Team <info@ipfire.org>.                        #
+#                                                                          #
+############################################################################
+#
+. /opt/pakfire/lib/functions.sh
+/usr/local/bin/backupctrl exclude >/dev/null 2>&1
+
+core=122
+
+exit_with_error() {
+	# Set last succesfull installed core.
+	echo $(($core-1)) > /opt/pakfire/db/core/mine
+	# don't start pakfire again at error
+	killall -KILL pak_update
+	/usr/bin/logger -p syslog.emerg -t ipfire \
+		"core-update-${core}: $1"
+	exit $2
+}
+
+# Remove old core updates from pakfire cache to save space...
+for (( i=1; i<=$core; i++ )); do
+	rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire
+done
+
+KVER="xxxKVERxxx"
+
+# Backup uEnv.txt if exist
+if [ -e /boot/uEnv.txt ]; then
+	cp -vf /boot/uEnv.txt /boot/uEnv.txt.org
+fi
+
+# Do some sanity checks.
+case $(uname -r) in
+	*-ipfire*)
+		# Ok.
+		;;
+	*)
+		exit_with_error "ERROR cannot update. No IPFire Kernel." 1
+		;;
+esac
+
+# Check diskspace on root
+ROOTSPACE=`df / -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1`
+
+if [ $ROOTSPACE -lt 80000 ]; then
+	exit_with_error "ERROR cannot update because not enough free space on root." 2
+	exit 2
+fi
+
+# Remove the old kernel
+rm -rf /boot/System.map-*
+rm -rf /boot/config-*
+rm -rf /boot/ipfirerd-*
+rm -rf /boot/initramfs-*
+rm -rf /boot/vmlinuz-*
+rm -rf /boot/uImage-ipfire-*
+rm -rf /boot/zImage-ipfire-*
+rm -rf /boot/uInit-ipfire-*
+rm -rf /boot/dtb-*-ipfire-*
+rm -rf /lib/modules
+rm -f  /etc/sysconfig/lm_sensors
+
+# Stop services
+
+# Extract files
+extract_files
+
+# update linker config
+ldconfig
+
+# Update Language cache
+/usr/local/bin/update-lang-cache
+
+# Remove Nagios files, if any...
+rm -rvf \
+	/etc/rc.d/init.d/nagios \
+	/usr/bin/nagios \
+	/etc/rc.d/rc6.d/K33nagios \
+	/etc/rc.d/rc3.d/off/S67nagios \
+	/etc/rc.d/rc0.d/K33nagios \
+	/etc/httpd/conf/conf.d/nagios.conf \
+	/etc/nagios/nagios.cfg \
+	/usr/bin/p1.pl \
+	/usr/bin/nagiostats \
+	/usr/share/nagios/ \
+	/var/nagios/
+
+# Start services
+/etc/init.d/apache restart
+
+# Upadate Kernel version uEnv.txt
+if [ -e /boot/uEnv.txt ]; then
+	sed -i -e "s/KVER=.*/KVER=${KVER}/g" /boot/uEnv.txt
+fi
+
+# call user update script (needed for some arm boards)
+if [ -e /boot/pakfire-kernel-update ]; then
+	/boot/pakfire-kernel-update ${KVER}
+fi
+
+mv /etc/rc.d/rc3.d/S??random /etc/rc.d/rc3.d/S00random
+
+case "$(uname -m)" in
+	i?86)
+		# Force (re)install pae kernel if pae is supported
+		rm -rf /opt/pakfire/db/installed/meta-linux-pae
+		if [ ! "$(grep "^flags.* pae " /proc/cpuinfo)" == "" ]; then
+			ROOTSPACE=`df / -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1`
+			BOOTSPACE=`df /boot -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1`
+			if [ $BOOTSPACE -lt 22000 -o $ROOTSPACE -lt 120000 ]; then
+				/usr/bin/logger -p syslog.emerg -t ipfire \
+				"core-update-${core}: WARNING not enough space for pae kernel."
+			else
+				echo "Name: linux-pae" > /opt/pakfire/db/installed/meta-linux-pae
+				echo "ProgVersion: 0" >> /opt/pakfire/db/installed/meta-linux-pae
+				echo "Release: 0"     >> /opt/pakfire/db/installed/meta-linux-pae
+			fi
+		fi
+		;;
+esac
+
+# This update needs a reboot...
+#touch /var/run/need_reboot
+
+# Finish
+/etc/init.d/fireinfo start
+sendprofile
+
+# Install new grub and update config
+if [ -e /boot/grub/grub.cfg ]; then
+	/usr/local/bin/update-bootloader
+fi
+
+sync
+
+# Reload microcode
+modprobe microcode
+if [ -w "/sys/devices/system/cpu/microcode/reload" ]; then
+	echo 1 > /sys/devices/system/cpu/microcode/reload
+fi
+
+# Don't report the exitcode last command
+exit 0
--- a/config/rootfiles/packages/hplip
+++ b/config/rootfiles/packages/hplip
--- a/config/rootfiles/packages/lynis
+++ b/config/rootfiles/packages/lynis
@@ -1,15 +1,43 @@
 var/ipfire/lynis
-#var/ipfire/lynis/CONTRIBUTORS
+#var/ipfire/lynis/CHANGELOG.md
+#var/ipfire/lynis/CODE_OF_CONDUCT.md
+#var/ipfire/lynis/CONTRIBUTING.md
+#var/ipfire/lynis/CONTRIBUTORS.md
 #var/ipfire/lynis/db
 var/ipfire/lynis/db/fileperms.db
 var/ipfire/lynis/db/hints.db
 var/ipfire/lynis/db/integrity.db
+var/ipfire/lynis/db/languages
+var/ipfire/lynis/db/languages/br
+var/ipfire/lynis/db/languages/cn
+var/ipfire/lynis/db/languages/de
+var/ipfire/lynis/db/languages/en
+var/ipfire/lynis/db/languages/en-GB
+var/ipfire/lynis/db/languages/en-US
+var/ipfire/lynis/db/languages/es
+var/ipfire/lynis/db/languages/fi
+var/ipfire/lynis/db/languages/fr
+var/ipfire/lynis/db/languages/gr
+var/ipfire/lynis/db/languages/he
+var/ipfire/lynis/db/languages/hu
+var/ipfire/lynis/db/languages/it
+var/ipfire/lynis/db/languages/ja
+var/ipfire/lynis/db/languages/nb-NO
+var/ipfire/lynis/db/languages/nl
+var/ipfire/lynis/db/languages/nl-BE
+var/ipfire/lynis/db/languages/nl-NL
+var/ipfire/lynis/db/languages/pl
+var/ipfire/lynis/db/languages/pt
+var/ipfire/lynis/db/languages/ru
+var/ipfire/lynis/db/languages/se
+var/ipfire/lynis/db/languages/tr
 var/ipfire/lynis/db/malware-susp.db
 var/ipfire/lynis/db/malware.db
 var/ipfire/lynis/db/sbl.db
+var/ipfire/lynis/db/tests.db
 var/ipfire/lynis/default.prf
+var/ipfire/lynis/developer.prf
 #var/ipfire/lynis/extras
-var/ipfire/lynis/extras/.bzrignore
 #var/ipfire/lynis/extras/README
 #var/ipfire/lynis/extras/bash_completion.d
 var/ipfire/lynis/extras/bash_completion.d/lynis
@@ -22,11 +50,18 @@ var/ipfire/lynis/extras/lynis.spec
 #var/ipfire/lynis/extras/systemd
 #var/ipfire/lynis/extras/systemd/lynis.service
 #var/ipfire/lynis/extras/systemd/lynis.timer
+#var/ipfire/lynis/extras/travis-ci
+#var/ipfire/lynis/extras/travis-ci/before_script.sh
 #var/ipfire/lynis/include
 var/ipfire/lynis/include/binaries
 var/ipfire/lynis/include/consts
 var/ipfire/lynis/include/data_upload
 var/ipfire/lynis/include/functions
+var/ipfire/lynis/include/helper_audit_dockerfile
+var/ipfire/lynis/include/helper_configure
+var/ipfire/lynis/include/helper_show
+var/ipfire/lynis/include/helper_system_remote_scan
+var/ipfire/lynis/include/helper_update
 var/ipfire/lynis/include/osdetection
 var/ipfire/lynis/include/parameters
 var/ipfire/lynis/include/profiles
@@ -35,15 +70,16 @@ var/ipfire/lynis/include/tests_accounting
 var/ipfire/lynis/include/tests_authentication
 var/ipfire/lynis/include/tests_banners
 var/ipfire/lynis/include/tests_boot_services
+var/ipfire/lynis/include/tests_containers
 var/ipfire/lynis/include/tests_crypto
 var/ipfire/lynis/include/tests_custom.template
 var/ipfire/lynis/include/tests_databases
+var/ipfire/lynis/include/tests_dns
 var/ipfire/lynis/include/tests_file_integrity
 var/ipfire/lynis/include/tests_file_permissions
 var/ipfire/lynis/include/tests_filesystems
 var/ipfire/lynis/include/tests_firewalls
 var/ipfire/lynis/include/tests_hardening
-var/ipfire/lynis/include/tests_hardening_tools
 var/ipfire/lynis/include/tests_homedirs
 var/ipfire/lynis/include/tests_insecure_services
 var/ipfire/lynis/include/tests_kernel
@@ -62,16 +98,17 @@ var/ipfire/lynis/include/tests_printers_spools
 var/ipfire/lynis/include/tests_scheduling
 var/ipfire/lynis/include/tests_shells
 var/ipfire/lynis/include/tests_snmp
-#var/ipfire/lynis/include/tests_solaris
 var/ipfire/lynis/include/tests_squid
 var/ipfire/lynis/include/tests_ssh
 var/ipfire/lynis/include/tests_storage
 var/ipfire/lynis/include/tests_storage_nfs
-var/ipfire/lynis/include/tests_tcpwrappers
+var/ipfire/lynis/include/tests_system_integrity
 var/ipfire/lynis/include/tests_time
 var/ipfire/lynis/include/tests_tooling
+var/ipfire/lynis/include/tests_usb
 var/ipfire/lynis/include/tests_virtualization
 var/ipfire/lynis/include/tests_webservers
+var/ipfire/lynis/include/tool_tips
 var/ipfire/lynis/lynis
 var/ipfire/lynis/lynis.8
 #var/ipfire/lynis/plugins
--- a/config/u-boot/boot.cmd
+++ b/config/u-boot/boot.cmd
@@ -65,6 +65,7 @@ else
 	setenv ramdisk_addr -;
 fi ;
 bootz ${kernel_addr_r} ${ramdisk_addr} ${fdt_addr_r};
+booti ${kernel_addr_r} ${ramdisk_addr} ${fdt_addr_r};

 # Recompile with:
 # mkimage -C none -A arm -T script -d /boot/boot.cmd /boot/boot.scr 
--- a/config/u-boot/boot.scr
+++ b/config/u-boot/boot.scr
--- a/doc/language_issues.de
+++ b/doc/language_issues.de
@@ -707,7 +707,6 @@ WARNING: untranslated string: fwhost err hostip
 WARNING: untranslated string: guardian
 WARNING: untranslated string: guardian block a host
 WARNING: untranslated string: guardian block httpd brute-force
-WARNING: untranslated string: guardian block owncloud brute-force
 WARNING: untranslated string: guardian block ssh brute-force
 WARNING: untranslated string: guardian blockcount
 WARNING: untranslated string: guardian blocked hosts
--- a/doc/language_issues.en
+++ b/doc/language_issues.en
@@ -740,7 +740,6 @@ WARNING: untranslated string: fwhost cust geoipgrp
 WARNING: untranslated string: fwhost err hostip
 WARNING: untranslated string: guardian block a host
 WARNING: untranslated string: guardian block httpd brute-force
-WARNING: untranslated string: guardian block owncloud brute-force
 WARNING: untranslated string: guardian block ssh brute-force
 WARNING: untranslated string: guardian blockcount
 WARNING: untranslated string: guardian blocked hosts
--- a/doc/language_issues.es
+++ b/doc/language_issues.es
@@ -728,6 +728,8 @@ WARNING: untranslated string: count
 WARNING: untranslated string: countries
 WARNING: untranslated string: country codes and flags
 WARNING: untranslated string: countrycode
+WARNING: untranslated string: crypto error
+WARNING: untranslated string: crypto warning
 WARNING: untranslated string: dead peer detection
 WARNING: untranslated string: default
 WARNING: untranslated string: deprecated fs warn
@@ -978,7 +980,6 @@ WARNING: untranslated string: grouptype
 WARNING: untranslated string: guardian
 WARNING: untranslated string: guardian block a host
 WARNING: untranslated string: guardian block httpd brute-force
-WARNING: untranslated string: guardian block owncloud brute-force
 WARNING: untranslated string: guardian block ssh brute-force
 WARNING: untranslated string: guardian blockcount
 WARNING: untranslated string: guardian blocked hosts
@@ -1090,6 +1091,8 @@ WARNING: untranslated string: ovpn dh parameters
 WARNING: untranslated string: ovpn dh upload
 WARNING: untranslated string: ovpn errmsg green already pushed
 WARNING: untranslated string: ovpn errmsg invalid ip or mask
+WARNING: untranslated string: ovpn error dh
+WARNING: untranslated string: ovpn error md5
 WARNING: untranslated string: ovpn generating the root and host certificates
 WARNING: untranslated string: ovpn ha
 WARNING: untranslated string: ovpn hmac
@@ -1099,6 +1102,7 @@ WARNING: untranslated string: ovpn no connections
 WARNING: untranslated string: ovpn port in root range
 WARNING: untranslated string: ovpn routes push
 WARNING: untranslated string: ovpn routes push options
+WARNING: untranslated string: ovpn warning rfc3280
 WARNING: untranslated string: p2p block
 WARNING: untranslated string: p2p block save notice
 WARNING: untranslated string: pakfire ago
--- a/doc/language_issues.fr
+++ b/doc/language_issues.fr
@@ -736,6 +736,8 @@ WARNING: untranslated string: count
 WARNING: untranslated string: countries
 WARNING: untranslated string: country codes and flags
 WARNING: untranslated string: countrycode
+WARNING: untranslated string: crypto error
+WARNING: untranslated string: crypto warning
 WARNING: untranslated string: dead peer detection
 WARNING: untranslated string: default
 WARNING: untranslated string: deprecated fs warn
@@ -994,7 +996,6 @@ WARNING: untranslated string: grouptype
 WARNING: untranslated string: guardian
 WARNING: untranslated string: guardian block a host
 WARNING: untranslated string: guardian block httpd brute-force
-WARNING: untranslated string: guardian block owncloud brute-force
 WARNING: untranslated string: guardian block ssh brute-force
 WARNING: untranslated string: guardian blockcount
 WARNING: untranslated string: guardian blocked hosts
@@ -1104,6 +1105,8 @@ WARNING: untranslated string: ovpn dh
 WARNING: untranslated string: ovpn dh new key
 WARNING: untranslated string: ovpn dh parameters
 WARNING: untranslated string: ovpn dh upload
+WARNING: untranslated string: ovpn error dh
+WARNING: untranslated string: ovpn error md5
 WARNING: untranslated string: ovpn generating the root and host certificates
 WARNING: untranslated string: ovpn ha
 WARNING: untranslated string: ovpn hmac
@@ -1111,6 +1114,7 @@ WARNING: untranslated string: ovpn mgmt in root range
 WARNING: untranslated string: ovpn mtu-disc
 WARNING: untranslated string: ovpn no connections
 WARNING: untranslated string: ovpn port in root range
+WARNING: untranslated string: ovpn warning rfc3280
 WARNING: untranslated string: p2p block
 WARNING: untranslated string: p2p block save notice
 WARNING: untranslated string: pakfire ago
--- a/doc/language_issues.it
+++ b/doc/language_issues.it
@@ -753,6 +753,8 @@ WARNING: untranslated string: block
 WARNING: untranslated string: bytes
 WARNING: untranslated string: captive
 WARNING: untranslated string: check all
+WARNING: untranslated string: crypto error
+WARNING: untranslated string: crypto warning
 WARNING: untranslated string: dhcp dns enable update
 WARNING: untranslated string: dhcp dns key name
 WARNING: untranslated string: dhcp dns update
@@ -810,7 +812,6 @@ WARNING: untranslated string: guaranteed bandwith
 WARNING: untranslated string: guardian
 WARNING: untranslated string: guardian block a host
 WARNING: untranslated string: guardian block httpd brute-force
-WARNING: untranslated string: guardian block owncloud brute-force
 WARNING: untranslated string: guardian block ssh brute-force
 WARNING: untranslated string: guardian blockcount
 WARNING: untranslated string: guardian blocked hosts
@@ -868,6 +869,9 @@ WARNING: untranslated string: one year
 WARNING: untranslated string: outgoing compression in bytes per second
 WARNING: untranslated string: outgoing overhead in bytes per second
 WARNING: untranslated string: ovpn add conf
+WARNING: untranslated string: ovpn error dh
+WARNING: untranslated string: ovpn error md5
+WARNING: untranslated string: ovpn warning rfc3280
 WARNING: untranslated string: pptp netconfig
 WARNING: untranslated string: pptp peer
 WARNING: untranslated string: pptp route
--- a/doc/language_issues.nl
+++ b/doc/language_issues.nl
@@ -752,6 +752,8 @@ WARNING: untranslated string: bytes
 WARNING: untranslated string: capabilities
 WARNING: untranslated string: captive
 WARNING: untranslated string: check all
+WARNING: untranslated string: crypto error
+WARNING: untranslated string: crypto warning
 WARNING: untranslated string: default
 WARNING: untranslated string: dh
 WARNING: untranslated string: dh key move failed
@@ -824,7 +826,6 @@ WARNING: untranslated string: geoipblock enable feature
 WARNING: untranslated string: guardian
 WARNING: untranslated string: guardian block a host
 WARNING: untranslated string: guardian block httpd brute-force
-WARNING: untranslated string: guardian block owncloud brute-force
 WARNING: untranslated string: guardian block ssh brute-force
 WARNING: untranslated string: guardian blockcount
 WARNING: untranslated string: guardian blocked hosts
@@ -905,9 +906,12 @@ WARNING: untranslated string: ovpn dh
 WARNING: untranslated string: ovpn dh new key
 WARNING: untranslated string: ovpn dh parameters
 WARNING: untranslated string: ovpn dh upload
+WARNING: untranslated string: ovpn error dh
+WARNING: untranslated string: ovpn error md5
 WARNING: untranslated string: ovpn generating the root and host certificates
 WARNING: untranslated string: ovpn ha
 WARNING: untranslated string: ovpn hmac
+WARNING: untranslated string: ovpn warning rfc3280
 WARNING: untranslated string: pptp netconfig
 WARNING: untranslated string: pptp peer
 WARNING: untranslated string: pptp route
--- a/doc/language_issues.pl
+++ b/doc/language_issues.pl
@@ -728,6 +728,8 @@ WARNING: untranslated string: count
 WARNING: untranslated string: countries
 WARNING: untranslated string: country codes and flags
 WARNING: untranslated string: countrycode
+WARNING: untranslated string: crypto error
+WARNING: untranslated string: crypto warning
 WARNING: untranslated string: dead peer detection
 WARNING: untranslated string: default
 WARNING: untranslated string: deprecated fs warn
@@ -978,7 +980,6 @@ WARNING: untranslated string: grouptype
 WARNING: untranslated string: guardian
 WARNING: untranslated string: guardian block a host
 WARNING: untranslated string: guardian block httpd brute-force
-WARNING: untranslated string: guardian block owncloud brute-force
 WARNING: untranslated string: guardian block ssh brute-force
 WARNING: untranslated string: guardian blockcount
 WARNING: untranslated string: guardian blocked hosts
@@ -1090,6 +1091,8 @@ WARNING: untranslated string: ovpn dh parameters
 WARNING: untranslated string: ovpn dh upload
 WARNING: untranslated string: ovpn errmsg green already pushed
 WARNING: untranslated string: ovpn errmsg invalid ip or mask
+WARNING: untranslated string: ovpn error dh
+WARNING: untranslated string: ovpn error md5
 WARNING: untranslated string: ovpn generating the root and host certificates
 WARNING: untranslated string: ovpn ha
 WARNING: untranslated string: ovpn hmac
@@ -1099,6 +1102,7 @@ WARNING: untranslated string: ovpn no connections
 WARNING: untranslated string: ovpn port in root range
 WARNING: untranslated string: ovpn routes push
 WARNING: untranslated string: ovpn routes push options
+WARNING: untranslated string: ovpn warning rfc3280
 WARNING: untranslated string: p2p block
 WARNING: untranslated string: p2p block save notice
 WARNING: untranslated string: pakfire ago
--- a/doc/language_issues.ru
+++ b/doc/language_issues.ru
@@ -731,6 +731,8 @@ WARNING: untranslated string: count
 WARNING: untranslated string: countries
 WARNING: untranslated string: country codes and flags
 WARNING: untranslated string: countrycode
+WARNING: untranslated string: crypto error
+WARNING: untranslated string: crypto warning
 WARNING: untranslated string: dead peer detection
 WARNING: untranslated string: default
 WARNING: untranslated string: deprecated fs warn
@@ -979,7 +981,6 @@ WARNING: untranslated string: grouptype
 WARNING: untranslated string: guardian
 WARNING: untranslated string: guardian block a host
 WARNING: untranslated string: guardian block httpd brute-force
-WARNING: untranslated string: guardian block owncloud brute-force
 WARNING: untranslated string: guardian block ssh brute-force
 WARNING: untranslated string: guardian blockcount
 WARNING: untranslated string: guardian blocked hosts
@@ -1089,6 +1090,8 @@ WARNING: untranslated string: ovpn dh
 WARNING: untranslated string: ovpn dh new key
 WARNING: untranslated string: ovpn dh parameters
 WARNING: untranslated string: ovpn dh upload
+WARNING: untranslated string: ovpn error dh
+WARNING: untranslated string: ovpn error md5
 WARNING: untranslated string: ovpn generating the root and host certificates
 WARNING: untranslated string: ovpn ha
 WARNING: untranslated string: ovpn hmac
@@ -1096,6 +1099,7 @@ WARNING: untranslated string: ovpn mgmt in root range
 WARNING: untranslated string: ovpn mtu-disc
 WARNING: untranslated string: ovpn no connections
 WARNING: untranslated string: ovpn port in root range
+WARNING: untranslated string: ovpn warning rfc3280
 WARNING: untranslated string: p2p block
 WARNING: untranslated string: p2p block save notice
 WARNING: untranslated string: pptp netconfig
--- a/doc/language_issues.tr
+++ b/doc/language_issues.tr
@@ -736,12 +736,13 @@ WARNING: untranslated string: Captive clients
 WARNING: untranslated string: Scan for Songs
 WARNING: untranslated string: bytes
 WARNING: untranslated string: captive
+WARNING: untranslated string: crypto error
+WARNING: untranslated string: crypto warning
 WARNING: untranslated string: fwdfw all subnets
 WARNING: untranslated string: fwhost cust geoipgrp
 WARNING: untranslated string: fwhost err hostip
 WARNING: untranslated string: guardian block a host
 WARNING: untranslated string: guardian block httpd brute-force
-WARNING: untranslated string: guardian block owncloud brute-force
 WARNING: untranslated string: guardian block ssh brute-force
 WARNING: untranslated string: guardian blockcount
 WARNING: untranslated string: guardian blocked hosts
@@ -778,6 +779,9 @@ WARNING: untranslated string: guardian watch snort alertfile
 WARNING: untranslated string: ike lifetime should be between 1 and 8 hours
 WARNING: untranslated string: info messages
 WARNING: untranslated string: no data
+WARNING: untranslated string: ovpn error dh
+WARNING: untranslated string: ovpn error md5
+WARNING: untranslated string: ovpn warning rfc3280
 WARNING: untranslated string: route config changed
 WARNING: untranslated string: routing config added
 WARNING: untranslated string: routing config changed
--- a/doc/language_missings
+++ b/doc/language_missings
@@ -185,6 +185,8 @@
 < countries
 < countrycode
 < country codes and flags
+< crypto error
+< crypto warning
 < dead peer detection
 < default
 < default ip
@@ -579,6 +581,8 @@
 < ovpn engines
 < ovpn errmsg green already pushed
 < ovpn errmsg invalid ip or mask
+< ovpn error dh
+< ovpn error md5
 < ovpn generating the root and host certificates
 < ovpn ha
 < ovpn hmac
@@ -595,6 +599,7 @@
 < ovpn reneg sec
 < ovpn routes push
 < ovpn routes push options
+< ovpn warning rfc3280
 < p2p block
 < p2p block save notice
 < pptp netconfig
@@ -902,6 +907,8 @@
 < countries
 < countrycode
 < country codes and flags
+< crypto error
+< crypto warning
 < dead peer detection
 < default
 < default ip
@@ -1293,6 +1300,8 @@
 < ovpn dh parameters
 < ovpn dh upload
 < ovpn engines
+< ovpn error dh
+< ovpn error md5
 < ovpn generating the root and host certificates
 < ovpn ha
 < ovpn hmac
@@ -1307,6 +1316,7 @@
 < ovpn no connections
 < ovpn port in root range
 < ovpn reneg sec
+< ovpn warning rfc3280
 < p2p block
 < p2p block save notice
 < pptp netconfig
@@ -1573,6 +1583,8 @@
 < Captive WiFi coupon
 < Captive wrong ext
 < check all
+< crypto error
+< crypto warning
 < dhcp dns enable update
 < dhcp dns key name
 < dhcp dns update
@@ -1657,6 +1669,9 @@
 < outgoing compression in bytes per second
 < outgoing overhead in bytes per second
 < ovpn add conf
+< ovpn error dh
+< ovpn error md5
+< ovpn warning rfc3280
 < pptp netconfig
 < pptp peer
 < pptp route
@@ -1781,6 +1796,8 @@
 < Captive WiFi coupon
 < Captive wrong ext
 < check all
+< crypto error
+< crypto warning
 < default
 < dh
 < dhcp dns enable update
@@ -1907,10 +1924,13 @@
 < ovpn dh parameters
 < ovpn dh upload
 < ovpn engines
+< ovpn error dh
+< ovpn error md5
 < ovpn generating the root and host certificates
 < ovpn ha
 < ovpn hmac
 < ovpn reneg sec
+< ovpn warning rfc3280
 < pptp netconfig
 < pptp peer
 < pptp route
@@ -2105,6 +2125,8 @@
 < countries
 < countrycode
 < country codes and flags
+< crypto error
+< crypto warning
 < dead peer detection
 < default
 < default ip
@@ -2487,6 +2509,8 @@
 < ovpn engines
 < ovpn errmsg green already pushed
 < ovpn errmsg invalid ip or mask
+< ovpn error dh
+< ovpn error md5
 < ovpn generating the root and host certificates
 < ovpn ha
 < ovpn hmac
@@ -2503,6 +2527,7 @@
 < ovpn reneg sec
 < ovpn routes push
 < ovpn routes push options
+< ovpn warning rfc3280
 < p2p block
 < p2p block save notice
 < pptp netconfig
@@ -2810,6 +2835,8 @@
 < countries
 < countrycode
 < country codes and flags
+< crypto error
+< crypto warning
 < day-graph
 < dead peer detection
 < default
@@ -3198,6 +3225,8 @@
 < ovpn dh parameters
 < ovpn dh upload
 < ovpn engines
+< ovpn error dh
+< ovpn error md5
 < ovpn generating the root and host certificates
 < ovpn ha
 < ovpn hmac
@@ -3212,6 +3241,7 @@
 < ovpn no connections
 < ovpn port in root range
 < ovpn reneg sec
+< ovpn warning rfc3280
 < p2p block
 < p2p block save notice
 < pptp netconfig
@@ -3391,7 +3421,12 @@
 ############################################################################
 # Checking cgi-bin translations for language: tr                           #
 ############################################################################
+< crypto error
+< crypto warning
 < fwdfw all subnets
+< ovpn error dh
+< ovpn error md5
+< ovpn warning rfc3280
 < ssh active sessions
 < ssh login time
 < ssh no active logins
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -64,6 +64,8 @@ my %cahash=();
 my %selected=();
 my $warnmessage = '';
 my $errormessage = '';
+my $cryptoerror = '';
+my $cryptowarning = '';
 my %settings=();
 my $routes_push_file = '';
 my $confighost="${General::swroot}/fwhosts/customhosts";
@@ -97,6 +99,8 @@ $cgiparams{'DCIPHER'} = '';
 $cgiparams{'DAUTH'} = '';
 $cgiparams{'TLSAUTH'} = '';
 $routes_push_file = "${General::swroot}/ovpn/routes_push";
+# Perform crypto and configration test
+&pkiconfigcheck;

 # Add CCD files if not already presant
 unless (-e $routes_push_file) {
@@ -199,6 +203,45 @@ sub deletebackupcert
 	}
 }

+###
+### Check for PKI and configure problems
+###
+
+sub pkiconfigcheck
+{
+	# Warning if DH parameter is 1024 bit
+	if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") {
+		my $dhparameter = `/usr/bin/openssl dhparam -text -in ${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}`;
+		my @dhbit = ($dhparameter =~ /(\d+)/);
+		if ($1 < 2048) {
+			$cryptoerror = "$Lang::tr{'ovpn error dh'}";
+			goto CRYPTO_ERROR;
+		}
+	}
+
+	# Warning if md5 is in usage
+	if (-f "${General::swroot}/ovpn/certs/servercert.pem") {
+		my $signature = `/usr/bin/openssl x509 -noout -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
+		if ($signature =~ /md5WithRSAEncryption/) {
+			$cryptoerror = "$Lang::tr{'ovpn error md5'}";
+			goto CRYPTO_ERROR;
+		}
+	}
+
+	CRYPTO_ERROR:
+
+	# Warning if certificate is not compliant to RFC3280 TLS rules
+	if (-f "${General::swroot}/ovpn/certs/servercert.pem") {
+		my $extendkeyusage = `/usr/bin/openssl x509 -noout -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
+		if ($extendkeyusage !~ /TLS Web Server Authentication/) {
+			$cryptowarning = "$Lang::tr{'ovpn warning rfc3280'}";
+			goto CRYPTO_WARNING;
+		}
+	}
+
+	CRYPTO_WARNING:
+}
+
 sub writeserverconf {
    my %sovpnsettings = ();  
    my @temp = ();  
@@ -1069,7 +1112,7 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General
  close(CLIENTCONF);

 }
-  
+
 ###
 ### Save main settings
 ###
@@ -1181,7 +1224,7 @@ SETTINGS_ERROR:
 	    delete $confighash{$cgiparams{'$key'}};
 	}

-	system ("/usr/local/bin/openvpnctrl -drrd $name");
+	system ("/usr/local/bin/openvpnctrl -drrd $name &>/dev/null");
    }
    while ($file = glob("${General::swroot}/ovpn/ca/*")) {
 	unlink $file;
@@ -1336,7 +1379,7 @@ END
 	goto UPLOADCA_ERROR;
    }
    my $temp = `/usr/bin/openssl dhparam -text -in $filename`;
-    if ($temp !~ /DH Parameters: \((1024|2048|3072|4096) bit\)/) {
+    if ($temp !~ /DH Parameters: \((2048|3072|4096) bit\)/) {
        $errormessage = $Lang::tr{'not a valid dh key'};
        unlink ($filename);
        goto UPLOADCA_ERROR;
@@ -5135,6 +5178,20 @@ END
 	&Header::closebox();
    }

+	if ($cryptoerror) {
+		&Header::openbox('100%', 'LEFT', $Lang::tr{'crypto error'});
+		print "<class name='base'>$cryptoerror";
+		print "&nbsp;</class>";
+		&Header::closebox();
+	}
+
+	if ($cryptowarning) {
+		&Header::openbox('100%', 'LEFT', $Lang::tr{'crypto warning'});
+		print "<class name='base'>$cryptowarning";
+		print "&nbsp;</class>";
+		&Header::closebox();
+	}
+
 	if ($warnmessage) {
 		&Header::openbox('100%', 'LEFT', $Lang::tr{'warning messages'});
 		print "$warnmessage<br>";
--- a/html/cgi-bin/proxy.cgi
+++ b/html/cgi-bin/proxy.cgi
@@ -3428,7 +3428,7 @@ END
 				my $ntlm_auth_group = $proxysettings{'NTLM_AUTH_GROUP'};
 				$ntlm_auth_group =~ s/\\/\+/;

-				print FILE " --require-membership-of=\"$ntlm_auth_group\"";
+				print FILE " --require-membership-of=$ntlm_auth_group";
 			}
 			print FILE "\n";

@@ -3441,7 +3441,7 @@ END
 					my $ntlm_auth_group = $proxysettings{'NTLM_AUTH_GROUP'};
 					$ntlm_auth_group =~ s/\\/\+/;

-					print FILE " --require-membership-of=\"$ntlm_auth_group\"";
+					print FILE " --require-membership-of=$ntlm_auth_group";
 				}
 				print FILE "\n";
 				print FILE "auth_param basic children 10\n";
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -58,16 +58,6 @@ my %mainsettings = ();

 &General::readhash("${General::swroot}/ethernet/settings", \%netsettings);

-my $green_cidr = &General::ipcidr("$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}");
-my $blue_cidr = "# Blue not defined";
-if (&Header::blue_used() && $netsettings{'BLUE_DEV'}) {
-	$blue_cidr = &General::ipcidr("$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}");
-}
-my $orange_cidr = "# Orange not defined";
-if (&Header::orange_used() && $netsettings{'ORANGE_DEV'}) {
-	$orange_cidr = &General::ipcidr("$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}");
-}
-
 my %INACTIVITY_TIMEOUTS = (
 	300		=> $Lang::tr{'five minutes'},
 	600		=> $Lang::tr{'ten minutes'},
@@ -1919,11 +1909,11 @@ END
 	$cgiparams{'REMOTE_ID'} = '';

 	#use default advanced value
-	$cgiparams{'IKE_ENCRYPTION'}	= 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[18];
+	$cgiparams{'IKE_ENCRYPTION'}	= 'chacha20poly1305|aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[18];
 	$cgiparams{'IKE_INTEGRITY'}		= 'sha2_512|sha2_256'; #[19];
 	$cgiparams{'IKE_GROUPTYPE'}		= 'curve25519|4096|3072|2048'; #[20];
 	$cgiparams{'IKE_LIFETIME'}		= '3'; #[16];
-	$cgiparams{'ESP_ENCRYPTION'}	= 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[21];
+	$cgiparams{'ESP_ENCRYPTION'}	= 'chacha20poly1305|aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[21];
 	$cgiparams{'ESP_INTEGRITY'}		= 'sha2_512|sha2_256'; #[22];
 	$cgiparams{'ESP_GROUPTYPE'}		= 'curve25519|4096|3072|2048'; #[23];
 	$cgiparams{'ESP_KEYLIFE'}		= '1'; #[17];
@@ -2180,7 +2170,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 			goto ADVANCED_ERROR;
 		}
 		foreach my $val (@temp) {
-			if ($val !~ /^(aes(256|192|128)(gcm(128|96|64))?|3des|camellia(256|192|128))$/) {
+			if ($val !~ /^(aes(256|192|128)(gcm(128|96|64))?|3des|chacha20poly1305|camellia(256|192|128))$/) {
 				$errormessage = $Lang::tr{'invalid input'};
 				goto ADVANCED_ERROR;
 			}
@@ -2221,7 +2211,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 			goto ADVANCED_ERROR;
 		}
 		foreach my $val (@temp) {
-			if ($val !~ /^(aes(256|192|128)(gcm(128|96|64))?|3des|camellia(256|192|128))$/) {
+			if ($val !~ /^(aes(256|192|128)(gcm(128|96|64))?|3des|chacha20poly1305|camellia(256|192|128))$/) {
 				$errormessage = $Lang::tr{'invalid input'};
 				goto ADVANCED_ERROR;
 			}
@@ -2347,6 +2337,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 	}

 	ADVANCED_ERROR:
+	$checked{'IKE_ENCRYPTION'}{'chacha20poly1305'} = '';
 	$checked{'IKE_ENCRYPTION'}{'aes256'} = '';
 	$checked{'IKE_ENCRYPTION'}{'aes192'} = '';
 	$checked{'IKE_ENCRYPTION'}{'aes128'} = '';
@@ -2385,6 +2376,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 	@temp = split('\|', $cgiparams{'IKE_GROUPTYPE'});
 	foreach my $key (@temp) {$checked{'IKE_GROUPTYPE'}{$key} = "selected='selected'"; }

+	$checked{'ESP_ENCRYPTION'}{'chacha20poly1305'} = '';
 	$checked{'ESP_ENCRYPTION'}{'aes256'} = '';
 	$checked{'ESP_ENCRYPTION'}{'aes192'} = '';
 	$checked{'ESP_ENCRYPTION'}{'aes128'} = '';
@@ -2497,6 +2489,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 			<td class='boldbase' width="15%">$Lang::tr{'encryption'}</td>
 			<td class='boldbase'>
 				<select name='IKE_ENCRYPTION' multiple='multiple' size='6' style='width: 100%'>
+					<option value='chacha20poly1305' $checked{'IKE_ENCRYPTION'}{'chacha20poly1305'}>256 bit ChaCha20-Poly1305/128 bit ICV</option>
 					<option value='aes256gcm128' $checked{'IKE_ENCRYPTION'}{'aes256gcm128'}>256 bit AES-GCM/128 bit ICV</option>
 					<option value='aes256gcm96' $checked{'IKE_ENCRYPTION'}{'aes256gcm96'}>256 bit AES-GCM/96 bit ICV</option>
 					<option value='aes256gcm64' $checked{'IKE_ENCRYPTION'}{'aes256gcm64'}>256 bit AES-GCM/64 bit ICV</option>
@@ -2517,6 +2510,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 			</td>
 			<td class='boldbase'>
 				<select name='ESP_ENCRYPTION' multiple='multiple' size='6' style='width: 100%'>
+					<option value='chacha20poly1305' $checked{'ESP_ENCRYPTION'}{'chacha20poly1305'}>256 bit ChaCha20-Poly1305/128 bit ICV</option>
 					<option value='aes256gcm128' $checked{'ESP_ENCRYPTION'}{'aes256gcm128'}>256 bit AES-GCM/128 bit ICV</option>
 					<option value='aes256gcm96' $checked{'ESP_ENCRYPTION'}{'aes256gcm96'}>256 bit AES-GCM/96 bit ICV</option>
 					<option value='aes256gcm64' $checked{'ESP_ENCRYPTION'}{'aes256gcm64'}>256 bit AES-GCM/64 bit ICV</option>
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -661,6 +661,8 @@
 'credits' => 'Credits',
 'crl' => 'Certificate Revocation List',
 'cron server' => 'Cron-Server',
+'crypto error' => 'Kryptografiefehler',
+'crypto warning' => 'Kryptografiewarnungen',
 'current' => 'Aktuell',
 'current aliases' => 'Aktuelle Alias-Adresse',
 'current class' => 'Aktuelle Klasse',
@@ -730,7 +732,7 @@
 'devices on blue' => 'Geräte auf BLAU',
 'dh' => 'Diffie-Hellman-Parameter',
 'dh key move failed' => 'Verschieben der Diffie-Hellman-Parameter fehlgeschlagen.',
-'dh key warn' => 'Das Generieren der DH-Parameter mit 1024 oder 2048 Bit dauert üblicherweise mehrere Minuten. Schlüssellängen von 3072 oder 4096 Bit beanspruchen mehrere Stunden. Bitte haben Sie etwas Geduld.',
+'dh key warn' => 'Das Generieren eines DH-Parameter mit 2048 Bit dauert üblicherweise mehrere Minuten. Schlüssellängen von 3072 oder 4096 Bit beanspruchen mehrere Stunden. Bitte haben Sie etwas Geduld.',
 'dh key warn1' => 'Bei schwachen Systemen oder Systeme mit wenig Entropie wird empfohlen lange Diffie-Hellman-Parameter über die Upload-Funktion hochzuladen.',
 'dh parameter' => 'Diffie-Hellman-Parameter',
 'dhcp advopt add' => 'DHCP Option hinzufügen',
@@ -1708,7 +1710,7 @@
 'nonetworkname' => 'Kein Netzwerkname wurde eingegeben',
 'noservicename' => 'Kein Dienstname wurde eingegeben',
 'not a valid ca certificate' => 'Kein gültiges CA Zertifikat.',
-'not a valid dh key' => 'Kein gültiger Diffie-Hellman-Parameter. Es sind nur Parameter mit einer Länge von 1024, 2048, 3072 oder 4096 Bit im PKCS#3-Format erlaubt.',
+'not a valid dh key' => 'Kein gültiger Diffie-Hellman-Parameter. Es sind nur Parameter mit einer Länge von 2048, 3072 oder 4096 Bit im PKCS#3-Format erlaubt.',
 'not enough disk space' => 'Nicht genügend Plattenplatz vorhanden',
 'not present' => '<B>Nicht</B> vorhanden',
 'not running' => 'nicht gestartet',
@@ -1817,6 +1819,8 @@
 'ovpn engines' => 'Krypto Engine',
 'ovpn errmsg green already pushed' => 'Route für grünes Netzwerk wird immer gesetzt',
 'ovpn errmsg invalid ip or mask' => 'Ungültige Netzwerk-Adresse oder Subnetzmaske',
+'ovpn error dh' => 'Der Diffie-Hellman Parameter muss mindestens 2048 bit lang sein! <br>Bitte einen neuen Diffie-Hellman Parameter erzeugen oder hochladen, dies kann unten über den Bereich "Diffie-Hellman-Parameter Optionen" gemacht werden.</br>',
+'ovpn error md5' => 'Das Host Zertifikat nutzt einen MD5 Algorithmus welcher nicht mehr akzeptiert wird. <br>Bitte IPFire auf die neueste Version updaten und generieren sie ein neues Root und Host Zertifikate.</br><br>Es müssen dann alle OpenVPN clients erneuert werden!</br>',
 'ovpn generating the root and host certificates' => 'Die Erzeugung der Root- und Host-Zertifikate kann lange Zeit dauern.',
 'ovpn ha' => 'Hash-Algorithmus',
 'ovpn hmac' => 'HMAC-Optionen',
@@ -1841,6 +1845,7 @@
 'ovpn subnet' => 'OpenVPN-Subnetz:',
 'ovpn subnet is invalid' => 'Das OpenVPN-Subnetz ist ungültig.',
 'ovpn subnet overlap' => 'OpenVPNSubnetz überschneidet sich mit  ',
+'ovpn warning rfc3280' => 'Das Host Zertifikat ist nicht RFC3280 Regelkonform. <br>Bitte IPFire auf die letzte Version updaten und generieren sie ein neues Root und Host Zertifikat so bald wie möglich.</br><br>Es müssen dann alle OpenVPN clients erneuert werden!</br>',
 'ovpn_fastio' => 'Fast-IO',
 'ovpn_fragment' => 'Fragmentgrösse',
 'ovpn_mssfix' => 'MSSFIX-Grösse',
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -682,6 +682,8 @@
 'credits' => 'Credits',
 'crl' => 'Certificate Revocation List',
 'cron server' => 'CRON Server',
+'crypto error' => 'Cryptographic error',
+'crypto warning' => 'Cryptographic warning',
 'current' => 'Current',
 'current aliases' => 'Current aliases',
 'current class' => 'Current class',
@@ -752,7 +754,7 @@
 'devices on blue' => 'Devices on BLUE',
 'dh' => 'Diffie-Hellman parameters',
 'dh key move failed' => 'Diffie-Hellman parameters move failed.',
-'dh key warn' => 'Creating DH-parameters with lengths of 1024 or 2048 bits takes up to several minutes. Lengths of 3072 or 4096 bits might needs several hours. Please be patient.',
+'dh key warn' => 'Creating DH-parameters with a length of 2048 bits takes up to several minutes. Lengths of 3072 or 4096 bits might needs several hours. Please be patient.',
 'dh key warn1' => 'For weak systems or systems with little entropy, it is recommended to upload long Diffie-Hellman parameters by usage of the upload function.',
 'dh name is invalid' => 'Name is invalid, please use "dh1024.pem".',
 'dh parameter' => 'Diffie-Hellman parameters',
@@ -1740,7 +1742,7 @@
 'nonetworkname' => 'No Network Name entered',
 'noservicename' => 'No Service Name entered',
 'not a valid ca certificate' => 'Not a valid CA certificate.',
-'not a valid dh key' => 'Not a valid Diffie-Hellman parameters file. Please use a length of 1024, 2048, 3072 or 4096 bits and the PKCS#3 format.',
+'not a valid dh key' => 'Not a valid Diffie-Hellman parameters file. Please use a length of 2048, 3072 or 4096 bits and the PKCS#3 format.',
 'not enough disk space' => 'Not enough disk space',
 'not present' => '<b>Not</b> present',
 'not running' => 'not running',
@@ -1850,7 +1852,9 @@
 'ovpn engines' => 'Crypto engine',
 'ovpn errmsg green already pushed' => 'Route for green network is always set',
 'ovpn errmsg invalid ip or mask' => 'Invalid network-address or subnetmask',
-'ovpn generating the root and host certificates' => 'Generating the root and host certifictae can take a long time.',
+'ovpn error dh' => 'The Diffie-Hellman parameter needs to be in minimum 2048 bit! <br>Please generate or upload a new Diffie-Hellman parameter, this can be made below in the section "Diffie-Hellman parameters options".</br>',
+'ovpn error md5' => 'You host certificate uses MD5 for the signature which is not accepted anymore. <br>Please update to the latest IPFire version and generate a new root and host certificate.</br><br>All OpenVPN clients needs then to be renewed!</br>',
+'ovpn generating the root and host certificates' => 'Generating the root and host certificate can take a long time.',
 'ovpn ha' => 'Hash algorithm',
 'ovpn hmac' => 'HMAC options',
 'ovpn log' => 'OVPN-Log',
@@ -1874,6 +1878,7 @@
 'ovpn subnet' => 'OpenVPN subnet:',
 'ovpn subnet is invalid' => 'OpenVPN subnet is invalid.',
 'ovpn subnet overlap' => 'OpenVPN Subnet overlaps with : ',
+'ovpn warning rfc3280' => 'Your host certificate is not RFC3280 compliant. <br>Please update to the latest IPFire version and generate as soon as possible a new root and host certificate.</br><br>All OpenVPN clients needs then to be renewed!</br>',
 'ovpn_fastio' => 'Fast-IO',
 'ovpn_mssfix' => 'MSSFIX Size',
 'ovpn_mtudisc' => 'MTU-Discovery',
--- a/lfs/GeoIP
+++ b/lfs/GeoIP
@@ -25,7 +25,7 @@
 include Config

 VER        = 1.25
-DATVER     = 07012017
+DATVER     = 30062018

 THISAPP    = Geo-IP-PurePerl-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -43,7 +43,7 @@ $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 GeoIP.dat-$(DATVER).gz = $(DL_FROM)/GeoIP.dat-$(DATVER).gz

 $(DL_FILE)_MD5 = a47a1b71f7cd7c46cca9efcc448e0726
-GeoIP.dat-$(DATVER).gz_MD5 = fac676d18785585568312f30b7851657
+GeoIP.dat-$(DATVER).gz_MD5 = d538e57ad9268fdc7955c6cf9a37c4a9

 install : $(TARGET)

--- a/lfs/apache2
+++ b/lfs/apache2
@@ -113,7 +113,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))

 	# Install apache config
 	cp -rf $(DIR_CONF)/httpd/* /etc/httpd/conf
-	ln -sf $(CONFIG_ROOT)/main/hostname.conf /etc/httpd/conf/
+	touch /etc/httpd/conf/hostname.conf

 	# Create captive logging directory
 	-mkdir -pv /var/log/httpd/captive
--- a/lfs/configroot
+++ b/lfs/configroot
@@ -79,6 +79,7 @@ $(TARGET) :
 	cp $(DIR_SRC)/config/cfgroot/general-functions.pl	$(CONFIG_ROOT)/
 	cp $(DIR_SRC)/config/cfgroot/network-functions.pl	$(CONFIG_ROOT)/
 	cp $(DIR_SRC)/config/cfgroot/geoip-functions.pl		$(CONFIG_ROOT)/
+	cp $(DIR_SRC)/config/cfgroot/aws-functions.pl		$(CONFIG_ROOT)/
 	cp $(DIR_SRC)/config/cfgroot/lang.pl			$(CONFIG_ROOT)/
 	cp $(DIR_SRC)/config/cfgroot/countries.pl		$(CONFIG_ROOT)/
 	cp $(DIR_SRC)/config/cfgroot/graphs.pl			$(CONFIG_ROOT)/
@@ -94,6 +95,7 @@ $(TARGET) :
 	cp $(DIR_SRC)/config/cfgroot/nfs-server			$(CONFIG_ROOT)/nfs/nfs-server
 	cp $(DIR_SRC)/config/cfgroot/proxy-acl			$(CONFIG_ROOT)/proxy/acl-1.4
 	cp $(DIR_SRC)/config/qos/*						$(CONFIG_ROOT)/qos/bin/
+	cp $(DIR_SRC)/config/cfgroot/main-settings		$(CONFIG_ROOT)/main/settings
 	cp $(DIR_SRC)/config/cfgroot/ssh-settings		$(CONFIG_ROOT)/remote/settings
 	cp $(DIR_SRC)/config/cfgroot/time-settings		$(CONFIG_ROOT)/time/settings
 	cp $(DIR_SRC)/config/cfgroot/logging-settings	$(CONFIG_ROOT)/logging/settings
--- a/lfs/conntrack-tools
+++ b/lfs/conntrack-tools
@@ -24,7 +24,7 @@

 include Config

-VER        = 1.4.4
+VER        = 1.4.5

 THISAPP    = conntrack-tools-$(VER)
 DL_FILE    = $(THISAPP).tar.bz2
@@ -40,7 +40,7 @@ objects = $(DL_FILE)

 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)

-$(DL_FILE)_MD5 = acd9e0b27cf16ae3092ba900e4d7560e
+$(DL_FILE)_MD5 = 9356a0cd4df81a597ac26d87ccfebac4

 install : $(TARGET)

--- a/Show More
+++ b/Show More
				`@@ -0,0 +1 @@`
				`../../../../common/armv5tel/linux-initrd-kirkwood`
				`@@ -0,0 +1 @@`
				`../../../../common/armv5tel/u-boot-kirkwood`