the flashimage is build without journal to not destroy
usb thumbdrives or sd cards. On real ssd's and virtual
machines it should enabled for higher data security.
So this patch add the journal is drive support smart.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- the helper programs in misc-progs get the correct permissions and ownerships
automatically so adjustment not required in this script.
- permissions of menus in menu.d are provided automatically. Historically, these were
root:root but were changed a while back but did not get applied to wio as it was
modified by this script.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- The base version has not changed but patches to fix 4 bugs have been released.
- Update to rootfile not required.
- Bug fix changelog
1 A test of the thousands separator in tsprintf.c is based on the output from
the GNU C Library up to 2.36, which is incorrect. The output has changed in
2.37 (partly fixed), so that tsprintf fails with glibc 2.37. The
tsprintf-thousands patch modifies the test to conform to POSIX and also
avoid the buggy case in 2.36 and below. However, this new test, which was
expected to succeed, triggers a serious bug in 2.37
(bug 30068 / CVE-2023-25139). We did not modify the test again since this
bug affects MPFR's mpfr_sprintf function, with a possible buffer overflow
in particular cases. This bug has been fixed in the 2.37 branch. In short,
this patch is useful (and needed) for a fixed glibc 2.37 and some other
libraries, depending on the current locales.
Corresponding changesets in the 4.2 branch: 4f03d40b5, 78ff7526d, e66bb7121.
2 The mpfr_ui_pow_ui function has infinite loop in case of overflow. This can
affect mpfr_log10, which uses this function (this is how this bug was
found). This bug is fixed by the ui_pow_ui-overflow patch (with testcases).
Corresponding changeset in the 4.2 branch: 0216f40ed.
3 The tfprintf and tprintf tests may fail in locales where decimal_point has
several bytes, such as ps_AF. This is fixed by the multibyte-decimal_point
patch, which makes the tests aware of the length of decimal_point.
Corresponding changeset in the 4.2 branch: 0383bea85.
4 In particular cases that are very hard to round, mpfr_rec_sqrt may yield a
stack overflow due to many small allocations in the stack, based on alloca().
This is due to the fact that the working precision is increased each step
(Ziv loop) by 32 or 64 bits only, until the approximate result can be
rounded (thus we have an arithmetic progression here, while a geometric
progression is used for the other functions), and that at each iteration,
the previous allocations in the stack cannot be freed. Individual
allocations in the stack are limited to 16384 bytes, so that the issue can
occur only when there are many iterations in working precisions that are
not too large, which is possible with an arithmetic progression. This bug
is fixed by the rec_sqrt-zivloop patch, which changes the Ziv loop to use
the standard MPFR_ZIV_* macros; the patch also provides a testcase obtained
by a function that constructs a hard-to-round case involving large enough
precisions (this function is commonly used in the MPFR testsuite, but not
with so large precisions). This bug was originally reported by Fredrik
Johansson.
Corresponding changeset in the 4.2 branch: 934dd8842.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- With the last update of lvm2 lvmetad was removed from lvm2. I did not recognise that
lvmetad had been setup as an automatic initscript, so it no longer works as the
binary is no longer provided.
- This patch removes the lvmetad initscript, the reference to lvmetad in the initscript
lfs file and the lvmetad initscript entries in the rootfile for each architecture.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
- start_service added to install.sh and stop_service to uninstall.sh
This ensures that the modules are loaded after install
- The /etc/asound.state file was touched by the install.sh cript but the alsactl store and
restore commands have default location of /var/lib/alsa/ so the touch command created
an asound.state file that was then not used subsequently. It also meant that the first
start of alsa would fail as it would try and restore from /var/lib/alsa/asound.state
but the file did not exist.
- This patch corrects the path for the touch command for asound.state
- The install.sh script also checks if /etc/asound.state, that was never used, exists and
if it does removes it.
- Uninstalling alsa left the sound modules installed until a reboot was carried out.
Uninstallation should unload the alsa kernel modules.
This patch adds the modprobe -r commands to the uninstall.sh file to unload all the snd
modules when alsa is uninstalled.
- make_backup and restore_backup commands added to ther install.sh and uninstall.sh scripts
Fixes: Bug#13087
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Configure Zabbix Agent to log to syslog instead of its own logs.
- Remove old zabbix log-dir and logrotate settings from rootfile, lfs
and install-script.
- Update log.dat to view Zabbix Agent logging from syslog.
Signed-off-by: Robin Roevens <robin.roevens@disroot.org>
- The dbus install.sh script useradd command causes an error:
"failed adding user 'messagebus', exit code: 9"
- This patch adds a check to only do the useradd if the user does not exist.
- See the bump PAK_VER for dbus that Adolf publised. See this patch:
https://lists.ipfire.org/pipermail/development/2023-April/015816.html
Signed-off-by: Jon Murphy <jon.murphy@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- The uninstall.sh script had stop_service ${NAME} but the package name is dbus while the
initscript is named messagebus. Therefore the stop_service never stops the dbus daemon.
- This patch changes the line to stop_service messagebus
- The install.sh script already has start_service messagebus
- Bump PAK_VER for dbus
Fixes: Bug#13094
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- Version 2.4.2 had some bugs that caused the self signed certificates to not be read or
created properly. The two involved bug fix patches are applied in this submission.
- Corrected the configure options related to avahi and TLS. Using Openssl for the TLS.
- Built .ipfire package installed into vm testbed and tested. With existing 2.4.2
any https pages come up with an error for the secure connection. With this version
the https admin page opens up and config file was able to be successfully modified
via it.
Fixes: Bug#12924
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
this patch add nanopi r2c plus support.
if this u-boot is installed on the eMMC this is also
supported.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Is XFS is being selected as file system, the minimum size requirement is
300 MiB. In order to keep it to a round number, this patch increases the
size of /boot to 512 MiB.
To keep all systems consistent, we will also do this on systems that are
being formatted using different file systems.
Fixes: #13077 - xfs cannot installed anymore because boot is to small
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
These rules where created to permit any local traffic to the firewall
when using a PPP connection that utilised Ethernet as transport.
This is however nonsensical and a security issue for any other
connection methods that call the RED interface "red0" and use PPP (e.g.
QMI).
Since PPPoE packets do not flow through iptables, these rules can be
dropped safely. We do not know whether PPTP works at all these days.
Fixes: #13088 - firewall: INPUT accepts all packets when using QMI for dial-in
Tested-by: Stefan Schantl <stefan.schantl@ipfire.org>
Tested-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
In a future Core Update, the following remnants of OpenSSL 1.1.1 need to
be removed:
/usr/lib/engines-1.1/afalg.so
/usr/lib/engines-1.1/capi.so
/usr/lib/engines-1.1/padlock.so
/usr/lib/libcrypto.so.1.1
/usr/lib/libssl.so.1.1
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
- Update from version 1.7.6 to 1.7.8
- Update of rootfile not required
- patch to remove Werror no longer required as the build with this version of pmacct
had no problems with errors being flagged as warnings anymore unlike with the
previous version.
- Changelog
The keys used are:
!: fixed/modified feature, -: deleted feature, +: new feature
1.7.8 -- 31-12-2022
+ Introduced support for eBPF for all daemons: if SO_REUSEPORT is
supported by the OS and eBPF support is compiled in, this allows
to load a custom load-balancer. To load-share, daemons have to
be part of the same cluster_name and each be configured with a
distinct cluster_id.
+ Introduced support for listening on VRF interfaces on Linux for
all daemons. The feature can be enabled via nfacctd_interface,
bgp_daemon_interface and equivalent knobs. Many thanks to
Marcel Menzel ( @WRMSRwasTaken ) for this contribution.
+ pre_tag_map: introduced limited tagging / labelling support for
BGP (pmbgpd), BMP (pmbmpd), Streaming Telemetry (pmtelemetryd)
daemons. ip, set_tag, set_label keys being currently supported.
+ pre_tag_map: defined a new pre_tag_label_encode_as_map config
knob to encode the output 'label' value as a map for JSON and
Apache Avro encodings, ie. in JSON "label": { "key1": "value1",
"key2": "value2" }. For keys and values to be correctly mapped,
the '%' delimiter is used when composing a pre_tag_map, ie.
"set_label=key1%value1,key2%value2 ip=0.0.0.0/0". Thanks to
Salvatore Cuzzilla ( @scuzzilla ) for this contribution.
+ pre_tag_map: introduced support for IP prefixes for src_net
and dst_net keys for indexed maps (maps_index set to true).
Indexing being an hash map, this feature currently tests data
against all defined IP prefix lenghts in the map for a match
(first defined matching prefix wins).
+ pre_tag_map: introduced two new 'is_nsel', 'is_nel' keys to
check for the presence of firewallEvent field (233) and
natEvent field (230) in NetFlow/IPFIX respectively in order
to infer whether data is NSEL / NEL. If set to 'true' this
does match NSEL / NEL data, if set to 'false' it does match
non NSEL / NEL data respectively.
+ Introduced a new mpls_label_stack primitive, encoded as a
string and includes a comma-separated list of integers (label
values). Thanks to Salvatore Cuzzilla ( @scuzzilla ) for this
contribution.
+ Introduced a new fw_event primitive, to support NetFlow v9/
IPFIX firewallEvent 233 Information Element.
+ Introduced a new tunnel_tcp_flags primitive for pmacctd and
sfacctd to record TCP flags for the inner layer of a tunneled
technology (ie. VXLAN). Also tunnel_dst_port decoding was
fixed for sfacctd.
+ Introduced support for in/out VLAN support for sfacctd. To be
savy, 'in_vlan' and 'vlan' were muxed onto the same primitive
depending on the daemon being used. Thanks to Jim Westfall
( @jwestfall69 ) for this contribution.
+ Introduced a new mpls_label_stack_encode_as_array config knob
to encode the MPLS label stack as an array for JSON and Apache
Avro encodings, ie. in JSON "mpls_label_stack": [ "0-label0",
"1-label1", "2-label2", "3-label3", "4-label4", "5-label5" ]
and in Avro "name": "mpls_label_stack", "type": { "type":
"array", "items": { "type": "string" } }. Thanks to Salvatore
Cuzzilla ( @scuzzilla ) for this contribution.
+ Introduced a new tcpflags_encode_as_array config knob to encode
TCP flags as an array for JSON and Apache Avro, ie. in JSON
"tcp_flags": [ "URG", "ACK", "PSH", "RST", "SYN", "FIN" ] and
in Avro "name": "tcp_flags", "type": { "type": "array",
"items": { "type": "string" } }. Thanks to Salvatore Cuzzilla
( @scuzzilla ) for this contribution.
+ Introduced a new fwd_status_encode_as_string config knob to
encode the 'fwd_status' primitive in human-readable format
like described by RFC-7270 Section 4.12 when JSON or Avro
formats are selected for output. Thanks to Salvatore Cuzzilla
( @scuzzilla ) for this contribution.
+ Introduced a new protos_file to define a list of (known/
interesting/meaningful) IP protocols. Both protocol names, ie.
"tcp", and protocol numbers, ie. 1 (for icmp), are accepted.
IANA reserved protocol value 255 is used to bucket as 'others'
those IP protocols not matching the ones defined in the list.
+ Introduced a new tos_file to define a list of (meaningful) IP
ToS values; if tos_encode_as_dscp is set to true then DSCP
values are expected as part of the file. The directive uses
value 255 to bucket as 'others' those ToS/DSCP values not
matching the ones defined in the list.
+ A new tos_encode_as_dscp config knob makes pmacct to honour
only the 6 bits used by DSCP and report only on those.
+ BGP, BMP, Streaming Telemetry daemons: introduced a new
dump_time_slots config knob to spread the load deriving by
dumps over the configured refresh time interval. The interval
is divided into time slots and nodes are assigned to such
slots. The slot for each node is determined using its IP
address. Thanks to Raphael Barazzutti ( @rbarazzutti ) for
this contribution.
+ BGP, BMP daemons: End-of-RIB messages are now being exposed
in the output feed in order to facilitate tracking their
arrival (or not!).
+ pmtelemetryd: aligned daemon to the latest Unyte UDP-Notif API
(0.6.1) and related standardization draft-ietf-netconf-udp-notif
+ RPKI daemon: added case for input "asn" value being integer (ie.
"asn" : 2914) on top of the string case (ie. "asn" : "AS2914").
+ Kafka, amqp plugins: introduced a new writer_id_string config
knob to allow to customize the the "writer_id" field value. A
few variables are supported along with static text definitions.
+ Added a new aggregate_unknown_etype config knob to account also
frames with EtherTypes for which there is no decoding support
and allow to aggregate them by the available Ethernet L2 fields
(ie. 'src_mac', 'dst_mac', 'vlan', 'cos', 'etype'). Thanks to
@singularsyntax for this contribution.
+ Added a new bgp_daemon_add_path_ignore config knob to ignore
(do not advertise back) the ADD-PATH capability advertised by
remote BGP peers.
+ nfacctd, sfacctd: extended the possibility to run daemons from
a user with non root privileges to these daemons.
+ nfacctd: if Information Element 90 (MPLS VPN RD) is present in
NetFlow v9/IPFIX, make it available for BGP/BMP correlation.
+ pmacctd, sfacctd: introduced basic support for QinQ, 802.1AD.
+ [print|kafka|amqp]_preprocess: added suppport for 'maxp',
'maxb' and 'maxf' keys when preprocessing aggregates of non-
SQL plugins. Thanks to Andrew R. Lake ( @arlake228 ) for this
contribution.
+ nDPI: newer versions of the library (ie. >= 4.0) bring changes
to the API. pmacct is now aligned to compile against these. At
the same time support for nDPI 3.x was dropped.
! fix, plugin_common.[ch]: when stitching feature was enabled,
ie. nfacctd_stitching, timestamp_min was never reset. Also both
timestamp_min and timestamp_max were clamped to sec granularity.
! fix, BGP, BMP daemons: added a tmp_bgp_daemon_origin_type_int to
print out BGP "origin" field as int (legacy behaviour) instead
of string (current behaviour). In a future major release the
legacy behaviour will be dropped.
! fix, BGP, BMP daemons: MPLS labels are now encoded in both JSON
and Apache Avro as 'mpls_label' instead of 'label'. This is to
align behaviour with pre_tag_map where 'label' has a different
semantic.
! fix, BGP, BMP daemons: resolved memory leak when encoding log
messaging (logmsg) in Avro format with Schema Registry support.
! fix, BGP daemon: improved handling of ADD-PATH capability,
making it per-AF (as it is supposed to be) and not global.
! fix, BMP daemon: now checking that ADD-PATH capability is
enabled at both ends of the monitored session (check both BGP
OPEN in a Peer Up message) in order to infer that the capability
exchange was successful. Also some heuristics were added to
conciliate BGP Open vs BGP Update 4-bytes ASN reality.
! fix, nfacctd: improved parsing of NetFlow v9 Options data
particularly when multiple IEs are packed as part of a flowset.
! fix, nfacctd: corrected parsing of Information Element 351
(layer2SegmentId).
! fix, pmacctd: improved processing of pcap_interfaces_map for
cases where the same interface is present multiple times (maybe
with different directions). Also, if the map is empty then bail
out at startup.
! fix, pmacctd: SEGV when ICMP/ICMPv6 traffic was processed and
'flows' primitive was enabled.
! fix, pmacctd: sampling_rate primitive value was not reported
correctly when 'sampling_rate' config directive was specified.
! fix, pmbgpd, pmpmbd, pmtelemtryd: changed SIGCHLD handler to
prevent zombification of last spawned data dump writer.
! fix, Kafka plugin: moved the schema registration from the dump
writer to the plugin process in order to register the schemas
only once at plugin startup and not on every start of a writer
process. Thanks to Uwe Storbeck ( @ustorbeck ) for this
contribution.
! fix, Kafka plugin: a check for kafka_partition was missing,
leading the plugin to always use the default partitioner
instead of sending data to the configured fixed partition.
Thanks to Martin Pels ( @rodecker ) for this contribution.
! fix, nfprobe plugin: BGP data enrichment was not working due to
a mistakenly moved pointer.
! fix, sfprobe plugin: AS-PATH was being populated even when null;
added a check to see if the destination AS is not zero in order
to put the destination AS into the AS-PATH for sFlow packets.
Thanks to Marcel Menzel ( @WRMSRwasTaken ) for this contribution.
! fix, networks_file: remove_dupes() was making partial commits
of valid rows hence creating data inconsistencies.
! fix, pre_tag_map: resolved a potential string overflow that was
being triggered in pretag_append_label() when data would be
assigned more than one single label. Also now allow ',' chars
in set_label.
! fix, maps_index: uninitialized var could cause SEGV in case no
results are found in the map index. Also introduced support for
catch-all rules, ie. "set_label=unknown".
! fix, maps_index: optimized the case of no 'ip' key specified
(for nfacctd and sfacctd): when indexing is enabled, prevent
recirculation from happening, ie. test v4 first then v6, since
the 'ip' key is not going to be part of the hash serializer.
! fix, pretag.c: allow to allocate maps greater than 2GB in size.
Also several optimizations were carried out yelding to a better
memory utilization for allocated maps along with improved times
to resolve JEQs.
! fix, pre_tag_label_filter: optimized and improved runtime
evaluation part of this feature, avoiding a costly strdup() and
returning immediately on certain basic mismatch conditions.
! fix, kafka_common.[ch]: a new p_kafka_produce_data_and_free()
is invoked to optimize memory allocations and releases.
! fix, plugin_cmn_avro.c: when a schema registry is being defined,
ie. kafka_avro_schema_registry, the logic to generate the schema
name has been changed: use topic plus record name as the schema
name, use underscore as separator within the record name, stop
adding a "-value" suffix. Thanks to Uwe Storbeck ( @ustorbeck )
for this contribution.
! fix, util.c: roundoff_time() to reason always with the locally
configured time, like for the rest of functional (as in non-data)
timestamps, ie. refresh time, deadline, etc.
! fix, log.c: when log messages are longer than message buffer,
the message gets cut off. As the trailing newline also gets cut
off the message will be concatenated with the following message
which makes the log hard to read. Thanks to Uwe Storbeck
( @ustorbeck ) for this contribution.
- Completed the retirement of legacy packet classification based
on home-grown code (Shared Objects) and the L7 layer project.
- Removed the mpls_stck_depth primitive due to the introduction
of the mpls_label_stack primitive.
1.7.7 -- 07-11-2021
+ BGP, BMP, Streaming Telemetry daemons: introduced parallelization
of dump events via a configurable amount of workers where the unit
of parallelization is the exporter (BGP, BMP, telemetry exporter),
ie. in a scenario where there are 4 workers and 4 exporters each
worker is assigned one exporter data to dump.
+ pmtelemetryd: added support for draft-ietf-netconf-udp-notif:
a UDP-based notification mechanism to collect data from networking
devices. A shim header is proposed to facilitate the data streaming
directly from the publishing process on network processor of line
cards to receivers. The objective is a lightweight approach to
enable higher frequency and less performance impact on publisher
and receiver process compared to already established notification
mechanisms. Many thanks to Alex Huang Feng ( @ahuangfeng ) and the
whole Unyte team.
+ BGP, BMP, Streaming Telemetry daemons: now correctly honouring the
supplied Kafka partition key for BGP, BMP and Telemetry msg logs
and dump events.
+ BGP, BMP daemons: a new "rd_origin" field is added to output log/
dump to specify the source of Route Distinguisher information (ie.
flow vs BGP vs BMP).
+ pre_tag_map: added ability to tag new NetFlow/IPFIX and sFlow
sample_type types: "flow-ipv4", "flow-ipv6", "flow-mpls-ipv4" and
"flow-mpls-ipv6". Also added a new "is_bi_flow" true/false key to
tag (or exclude) NSEL bidirectional flows. Added as well a new
"is_multicast" true/false config key to tag (or exclude) IPv4/IPv6
multicast destinations.
+ maps_index: enables indexing of maps to increase lookup speeds on
large maps and/or sustained lookup rates. The feature has been
remplemented using stream-lined structures from libcdada. This is
a major work that helps preventing the unpredictable behaviours
caused by the homegrown map indexing mechanism. Many thanks to
Marc Sune ( @msune ).
+ maps_index: support for indexing src_net and dst_net keywords has
been added.
+ Added <daemon_name>_ipv6_only config directives to optionally
enable the IPV6_V6ONLY socket option. Also changed the wrong
setsockopt() IPV6_BINDV6ONLY id to IPV6_V6ONLY.
+ Added log function to libserdes to debug transactions with the
Schema Registry when kafka_avro_schema_registry is set.
+ nDPI: newer versions of the library (ie. >= 3.5) bring changes
to the API. pmacct is now aligned to compile against these.
+ pmacctd: added pcap_arista_trailer_offset config directive since
Arista has changed the structure of the trailer format in recent
releases of EOS. Thanks to Jeremiah Millay ( @floatingstatic )
for his patch.
+ More improvements carried out on the Continuous Integration
(CI) side by migrating from Travis CI to GitHub Actions. Huge
thanks to Marc Sune ( @msune ) to make all of this possible.
+ More improvements also carried out in the space of the Docker
images being created: optimized image size and a better layered
pipeline. Thanks to Marc Sune ( @msune ) and Daniel Caballero
( @dcaba ) to make all of this possible.
+ libcdada shipped with pmacct was upgraded to version 0.3.5. Many
thanks Marc Sune ( @msune ) for his work with libcdada.
! build system: several improvements carried out in this area,
ie. improved MySQL checks, introduced pcap-config tool for
libpcap, compiling on BSD/old compilers, etc. Monumental thanks
to Marc Sune ( @msune ) for his continued help.
! fix, nfacctd: improved euristics to support the case of flows
with both IPv4 and IPv6 source / destination addresses (either
or populated). Also improved euristics to distinguish event data
vs traffic data in NetFlow v9/IPFIX from Cisco 9300/9500, ASA
firewalls and Cisco 4500X.
! fix, nfacctd: improved support for initiatorOctets (IE #231) and
responderOctets (IE #232). Thanks to Esben Laursen ( @hyberdk )
for reporting the issue.
! fix, nfacctd: in NF_mpls_vpn_id_handler() double ntohl() calls
were applied for the case of 'vrfid'-encoded mpls_vpn_rd field.
! fix, sfacctd: wrong ethertype set for VLAN-tagged, MPLS-labelled
IPv6 traffic. Impacting BGP resolution among others. Thanks to
Jeremiah Millay ( @floatingstatic ) for his help resolving the
problem.
! fix, BGP, BMP daemons: parsing improvements: added a check for
BGP Open message and BGP Open Options lengths. Strengthened
parsing of Peer Up, Route Monitoring and Peer Down v4 messages.
! fix, BGP, BMP daemon: when using Avro encoding and Avro Schema
Registry, attempt to reconnect if serdes schemas are voided.
Also now checking for serdes schema definitions before doing a
serdes_schema_serialize_avro() to avoid triggering a SEGV.
Finally improved serdes logging.
! fix, BGP, Streaming Telemetry daemons: in daemon logs, summary
counters for amount of tables / entries dumped were wrong.
! fix, BGP daemon: distinguish among null and zero value AIGP
and Prefix SID attributes. Same applies for Local Preference
and MED attributes.
! fix, BMP daemon: resolved a memory leak in bgp_peers_free().
Thanks to Pether Pothier ( @pothier-peter ) for his patch. Also
resolved a leak caused by an invalid BGP message contained in a
BMP Route Message v4.
! fix, BMP daemon: correctly setting peer_ip and peer_tcp_port
JSON fields for Term messages. Also the correct bmp_router
value when bmp_daemon_parse_proxy_header feature is enabled.
! fix, BMP daemon: several encoding issues when using Apache Avro
ie. u_int64_t now correctly encoded with avro_value_set_long(),
certain u_int32_t fields switched to avro_value_set_long() due
to lack of unsignedness in Avro encoding, improved various
aspectes of Avro-JSON format output, etc.
! fix, pmtelemetryd: wrong parsing of pm_tfind() output was
leading to mistaken data attribution of UDP-based peers (always
first peer to connect was being picked).
! fix, pmtelemetryd: when set, the pidfile config directive was
not being correctly honoured.
! fix, RPKI: the RTR PDU element for maxLength is uint8, therefore
it might have been possible to transmit incorrect RTR data.
Thanks to Job Snijders ( @job ) for his patch.
! fix, SQL plugins: amended the text composition of SQL queries
that are involving latitude and longitude keys.
! fix, MySQL plugin: check for 'unix:' prefix string only when a
sql_host configuration directive is specified.
! fix, nfprobe: modernized Application Information export. Until
the previous release pmacct was adhering to aging NBAR model
whereas now NBAR2 has been implemented. Thanks to Rob Cowart
( @robcowart ) for helping out resolving this issue.
! fix, tee plugin: restored usefulness of tee_source_ip which was
broken in 1.7.6. Thanks to Jeremiah Millay ( @floatingstatic )
for reporting the issue.
! fix, maps_index: indexing of mpls_pw_id was broken. Also now,
when the feature is enabled, actual data is being referenced in
the index structure instead of creating a copy of it; thanks to
Sander van Delden ( @SanderDelden ) for reporting the memory
leak that was resulting from the copy.
! fix, kafka_common.c: solved memory leak in p_kafka_set_topic()
when Kafka session was getting in down state. Many thanks to
Peter Pothier ( @pothier-peter ) for nailing the issue.
! fix, net_aggr.[ch]: when a networks_file is specified in the
config, gracefully handle max memory structure depth; added
also de-duplication of entries.
! fix, pmacct-defines.h: if PCAP_NETMASK_UNKNOWN is not defined,
ie. in libpcap < 1.1.0, let's define it.
! fix, SO_REUSEPORT feature was being restricted to Linux only in
previous releases: now it has been unlocked to all other OS that
do support the feature.
! fix, split SO_REUSEPORT and SO_REUSEADDR setsockopt() calls.
Thanks to @eduarrrd for reporting and resolving the issue.
! fix, several code warnings catched gcc9 and clang.
- Obsoleted sql_history_since_epoch, pre_tag_map_entries and
refresh_maps configuration directives.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from version 5.2 patches 1-9 to 5.2 patches 1-15
- Update of rootfile not required
- Changelog
bash52-015
There are several cases where bash is too aggressive when optimizing out forks
in subshells. For example, `eval' and traps should never be optimized.
bash52-014
Bash defers processing additional terminating signals when running the
EXIT trap while exiting due to a terminating signal. This patch allows the
new terminating signal to kill the shell immediately.
bash52-013
Bash can leak memory when referencing a non-existent associative array
element.
bash52-012
When running in bash compatibility mode, nested command substitutions can
leave the `extglob' option enabled.
bash52-011
Using timeouts and readline editing with the `read' builtin (read -e -t) can
leave the readline timeout enabled, potentially resulting in an erroneous
timeout on the next call.
bash52-010
Bash-5.2 checks the first 128 characters of an executable file that execve()
refuses to execute to see whether it's a binary file before trying to
execute it as a shell script. This defeats some previously-supported use
cases like "self-executing" jar files or "self-uncompressing" scripts.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from version 9.2p1 to 9.3p1
- Update of rootfile not required
- Removal of patch as this was only required for i586 builds which are no longer done in
IPFire
- Changelog
9.3p1 (2023-03-15)
This release fixes a number of security bugs.
Security
This release contains fixes for a security problem and a memory
safety problem. The memory safety problem is not believed to be
exploitable, but we report most network-reachable memory faults as
security bugs.
* ssh-add(1): when adding smartcard keys to ssh-agent(1) with the
per-hop destination constraints (ssh-add -h ...) added in OpenSSH
8.9, a logic error prevented the constraints from being
communicated to the agent. This resulted in the keys being added
without constraints. The common cases of non-smartcard keys and
keys without destination constraints are unaffected. This problem
was reported by Luci Stanescu.
* ssh(1): Portable OpenSSH provides an implementation of the
getrrsetbyname(3) function if the standard library does not
provide it, for use by the VerifyHostKeyDNS feature. A
specifically crafted DNS response could cause this function to
perform an out-of-bounds read of adjacent stack data, but this
condition does not appear to be exploitable beyond denial-of-
service to the ssh(1) client.
The getrrsetbyname(3) replacement is only included if the system's
standard library lacks this function and portable OpenSSH was not
compiled with the ldns library (--with-ldns). getrrsetbyname(3) is
only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This
problem was found by the Coverity static analyzer.
New features
* ssh-keygen(1), ssh-keyscan(1): accept -Ohashalg=sha1|sha256 when
outputting SSHFP fingerprints to allow algorithm selection. bz3493
* sshd(8): add a `sshd -G` option that parses and prints the
effective configuration without attempting to load private keys
and perform other checks. This allows usage of the option before
keys have been generated and for configuration evaluation and
verification by unprivileged users.
Bugfixes
* scp(1), sftp(1): fix progressmeter corruption on wide displays;
bz3534
* ssh-add(1), ssh-keygen(1): use RSA/SHA256 when testing usability
of private keys as some systems are starting to disable RSA/SHA1
in libcrypto.
* sftp-server(8): fix a memory leak. GHPR363
* ssh(1), sshd(8), ssh-keyscan(1): remove vestigal protocol
compatibility code and simplify what's left.
* Fix a number of low-impact Coverity static analysis findings.
These include several reported via bz2687
* ssh_config(5), sshd_config(5): mention that some options are not
first-match-wins.
* Rework logging for the regression tests. Regression tests will now
capture separate logs for each ssh and sshd invocation in a test.
* ssh(1): make `ssh -Q CASignatureAlgorithms` work as the manpage
says it should; bz3532.
* ssh(1): ensure that there is a terminating newline when adding a
new entry to known_hosts; bz3529
Portability
* sshd(8): harden Linux seccomp sandbox. Move to an allowlist of
mmap(2), madvise(2) and futex(2) flags, removing some concerning
kernel attack surface.
* sshd(8): improve Linux seccomp-bpf sandbox for older systems;
bz3537
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
* The script needs to run with root permissions in order to
do the ipset operations. So remove code to drop the permissions
on startup.
* Adjust execute calls to use the proper functions from
general functions.
* Add some code to set the correct ownership (nobody:nobody) for
changed files during script runtime.
Fixes#13072.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
This is necessary since the certdata2pem.py script does not take
meta information such as "distrust after date" into account, hence
Mozilla's changes to TrustCor's root CAs are not sufficient to have them
removed from or distrusted on IPFire installations.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
- Update from version 6.8 to 7.0.2
- Update of rootfile
- Removal of patch which was needed due to inability to build texinfo-6.8 with glibc-2.34
Problem was fixed for building with glibc-2.34 and onwards with texinfo-7.0
- Changelog
7.0.2 (22 January 2023)
This is a bug-fix release with minimal changes.
* texi2any
. do not distribute architecture-dependent files
. build fixed on OpenIndiana 11
* info
. further fix of recoding of UTF-8 files to ASCII
. fix check for presence of man pages on Solaris
* install-info
. fix build by avoiding function name clash on some platforms
. compiler warning re strncat silenced
7.0.1 (30 November 2022)
This is a bug-fix release with minimal changes.
* texi2any
. avoid crashes on empty @image argument and other potential crashes
(with "Can't use an undefined value as an ARRAY reference" message)
. avoid hang on @ref command inside section command
* info
. fix recoding of UTF-8 files to ASCII when run in C locale
* js
. index search fixed for new HTML output
. some obsolete files removed from distribution
7.0 (7 November 2022)
* texi2any
. LaTeX added as an output format, selected with --latex
. EPUB 3 added as an output format, selected with --epub3
. reform throughout the code in general
. thorough review of character encoding issues
. new customization variables involved with character encoding:
INPUT_FILE_NAME_ENCODING, OUTPUT_FILE_NAME_ENCODING,
DOC_ENCODING_FOR_INPUT_FILE_NAME, DOC_ENCODING_FOR_OUTPUT_FILE_NAME,
MESSAGE_ENCODING and COMMAND_LINE_ENCODING
. warn if full-text commands (@ref, @footnote, @anchor) appear in @w
. new variable NO_TOP_NODE_OUTPUT
. IGNORE_BEFORE_SETFILENAME variable removed. former effect
is now always on.
. HTML output:
. use manual_name_html as output directory for split HTML instead of
manual_name or manual_name.html
. default DOCTYPE declaration changed to plain HTML5 style rather than
HTML4 DTD reference
. output only the CSS rules that are needed in an output file
. remove CSS_LINES variable and add SHOW_BUILTIN_CSS_RULES
(custom CSS can still be output using EXTRA_HEAD)
. use <code> tag for the output of @t and @verb instead of <tt>
. use <abbr> for @acronym instead of <acronym>
. link to table of contents from short table of contents only if a
table of contents is actually output
. prefix classes from @example arguments with `user-'
. percent encode URL in @url/@uref, @email, @image and external
manual file
. new USE_XML_SYNTAX, HTML_ROOT_ELEMENT_ATTRIBUTES and
NO_CUSTOM_HTML_ATTRIBUTE variables can be used to output
valid XHTML
. systematic addition of classes attribute in HTML elements based on the
Texinfo @-command names. renaming of class attributes to avoid
confusion with @-commands formatting and describe the role in the
document rather than the formatting style.
. COPIABLE_ANCHORS renamed to COPIABLE_LINKS
. do not add a title by default; SHOW_TITLE or NO_TOP_NODE_OUTPUT has
to be set
. USE_TITLEPAGE_FOR_TITLE is now true by default
. L2H variable removed, replaced by HTML_MATH set to `l2h'
. rename OVERVIEW_LINK_TO_TOC to SHORT_TOC_LINK_TO_TOC
. rename BEFORE_OVERVIEW to BEFORE_SHORT_TOC_LINE
. rename AFTER_OVERVIEW to AFTER_SHORT_TOC_LINES
. remove PRE_ABOUT, AFTER_ABOUT, and add PROGRAM_NAME_IN_ABOUT
. remove KEEP_TOP_EXTERNAL_REF
. new variables IGNORE_REF_TO_TOP_NODE_UP, CONVERT_TO_LATEX_IN_MATH,
HTMLXREF_MODE and HTMLXREF_FILE
. DocBook output:
. do not output Top node or text before the first @node or sectioning
@-command. NO_TOP_NODE_OUTPUT can be set to false to output Top node
for now.
. replace @definfocenlose defined @-commands by the argument as-is
to be more consistent with printed output
. HTML/DocBook output:
. USE_NUMERIC_ENTITY changed to mean to use numeric entities instead
of named entities. former effect is now always on.
. ENABLE_ENCODING_USE_ENTITY variable removed. former effect is now
always off.
. Info output
. quote problematic node names (with :, comma...) by default
. new customization variable ASCII_PUNCTUATION to use plain ASCII
characters for quotation marks and a few other symbols
* texinfo.tex
. `@microtype on' uses microtypography in formatting for pdfTeX and LuaTeX
. do not ignore @part page immediately following Top node
. do `@set txicodevaristt' to get slanted typewriter for @var in code,
`@clear txicodevaristt' to use slanted, variable-width roman font for
@var everywhere. flag is @set by default, but we may turn this off
in the future.
. new file doc/texinfo-zh.tex for Texinfo documents in Chinese.
new support file doc/txi-zh.tex for Chinese. doc/short-sample-zh.texi is
a sample document.
* info
. better support for index entries containing parentheses
. better support for getting bold text etc. when displaying manpages
. bug fixed where the first index entry in a file could be ignored
. M-C-f closes as well as opens footnotes window
. do not crash if run in Brazilian Portuguese locale
* Language
. @deftype* commands use typewriter font in argument list
. new commands @latex, @iflatex, @ifnotlatex for new LaTeX output format
. do `@set txidefnamenospace' to omit space after a definition name
* Other
. build fixed for glibc 2.34
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from version 7.87.0 to 7.88.1
- Update of rootfile not required
- Patch removed as fix now built into source tarball
- Changelog
Fixed in 7.88.1 - February 20 2023
Bugfixes:
build-openssl.bat: keep OpenSSL 3 engine binaries
cmake: fix Windows check for CryptAcquireContext
connnect: fix timeout handling to use full duration
curl: make --silent work stand-alone
curl_setup: Suppress OpenSSL 3 deprecation warnings
CURLOPT_WS_OPTIONS.3: fix the availability version
GHA: update rustls dependency to 0.9.2
http2: buffer/pausedata and output flush fix.
http2: set drain on stream end
http: include stdint.h more readily
krb5: silence cast-align warning
lib1560: add IPv6 canonicalization tests
os400: correct Curl_os400_sendto()
remote-header-name.d: mention that filename* is not supported
runtests: fix "uninitialized value $port"
setopt: allow HTTP3 when HTTP2 is not defined
socketpair: allow EWOULDBLOCK when reading the pair check bytes
socks: allow using DoH to resolve host names
tests-httpd: add proxy tests
tests: make sure gnuserv-tls has SRP support before using it
tests: make the telnet server shut down a socket gracefully
tool_getparam: make --get a true boolean
tool_operate: allow debug builds to set buffersize
urlapi: do the port number extraction without using sscanf()
urldata: remove `now` from struct SingleRequest - not needed
Fixed in 7.88.0 - February 15 2023
Changes:
curl.h: add CURL_HTTP_VERSION_3ONLY
share: add sharing of HSTS cache among handles
src: add --http3-only
tool_operate: share HSTS between handles
urlapi: add CURLU_PUNYCODE
writeout: add %{certs} and %{num_certs}
Bugfixes:
cf-socket: fix build when not HAVE_GETPEERNAME
cf-socket: keep sockaddr local in the socket filters
cfilters:Curl_conn_get_select_socks: use the first non-connected filter
CI: add a workflow to automatically label pull requests
CI: add pytest GHA to CI test/tests-httpd on a HTTP/3 setup
CI: Retry failed downloads to reduce spurious failures
CI: update wolfssl / wolfssh to 5.5.4 / 1.4.12
cmake: bump requirement to 3.7
cmake: check for sendmsg
cmake: delete redundant macro definition `SECURITY_WIN32`
cmake: fix dev warning due to mismatched arg
cmake: fix the snprintf detection
cmake: remove deprecated symbols check
cmake: set SOVERSION also for macOS
cmake: use list APPEND syntax for CMAKE_REQUIRED_DEFINITIONS
cmdline-opts/Makefile: on error, do not leave a partial
CODEOWNERS: remove the peeps mentioned as CI owners
connect: fix access of pointer before NULL check
connect: fix build when not ENABLE_IPV6
connect: fix strategy testing for attempts, timeouts and happy-eyeball
connections: introduce http/3 happy eyeballs
content_encoding: do not reset stage counter for each header
CONTRIBUTE: More formally specify the commit description
cookies: fp is always not NULL
copyright.pl: cease doing year verifications
copyright: update all copyright lines and remove year ranges
curl.1: make help, version and manual sections "custom"
curl.h: allow up to 10M buffer size
curl.h: mark CURLSSLBACKEND_MESALINK as deprecated
curl/websockets.h: extend the websocket frame struct
curl: output warning at --verbose output for debug-enabled version
curl_free.3: fix return type of `curl_free`
curl_global_sslset.3: clarify the openssl situation
curl_log: for failf/infof and debug logging implementations
curl_setup: Disable by default recv-before-send in Windows
curl_version_info.3: fix typo
curl_ws_send.3: clarify how to send multi-frame messages
CURLOPT_HEADERDATA.3: warn DLL users must set write function
CURLOPT_READFUNCTION.3: the callback 'size' arg is always 1
CURLOPT_WRITEFUNCTION.3: fix memory leak in example
dict: URL decode the entire path always
docs/DEPRECATE.md: deprecate gskit
docs: add link to GitHub Discussions
docs: mention indirect effects of --insecure
docs: POSTFIELDSIZE must be set to -1 with read function
doh: ifdef IPv6 code
easyoptions: fix header printing in generation script
escape: hex decode with a lookup-table
escape: use table lookup when adding %-codes to output
examples: remove the curlgtk.c example
fopen: remove unnecessary assignment
ftpserver: lower the DATA connect timeout to speed up torture tests
GHA/macos.yml: bump to gcc-12
GHA/macos: use Xcode_14.0.1 for cmake builds
GHA: add job on Slackware 15.0
GHA: bump ngtcp2 workflow dependencies
GHA: enable websockets in the torture job
GHA: move the quiche job here from zuul
GHA: use designated ngtcp2 and its dependencies versions
haxproxy: send before TLS handhshake
header.d: add a header file example
hsts.d: explain hsts more
hsts: handle adding the same host name again
HTTP/[23]: continue upload when state.drain is set
http2: aggregate small SETTINGS/PRIO/WIN_UPDATE frames
http2: fix compiler warning due to uninitialized variable
http2: minor buffer and error path fixes
http2: when using printf %.*s, the length arg must be 'int'
HTTP3: mention what needs to be in place to remove EXPERIMENTAL label
http: add additional condition for including stdint.h
http: decode transfer encoding first
http: fix "part of conditional expression is always false"
http: remove the trace message "Mark bundle... multiuse"
http_aws_sigv4: remove typecasts from HMAC_SHA256 macro
http_proxy: do not assign data->req.p.http use local copy
INSTALL: document how to use multiple TLS backends
lib670: make test.h the first include
lib: connect/h2/h3 refactor
lib: fix typos
lib: fix typos in comments which repeat a word
libssh2: try sha2 algos for hostkey methods
libtest: add a sleep macro for Windows
Linux CI: update some dependecies to latest tag
Makefile.mk: fix wolfssl and mbedtls default paths
man pages: call the custom user pointer 'clientp' consistently
md4: fix build with GnuTLS + OpenSSL v1
misc: fix grammar and spelling
misc: fix spelling
misc: reduce struct and struct field sizes
msh3: add support for request payload
msh3: update to v0.5 Release
msh3: update to v0.6
multi: stop sending empty HTTP/3 UDP datagrams on Windows
multihandle: turn bool struct fields into bits
ngtcp2: add CURLOPT_SSL_CTX_FUNCTION support for openssl+wolfssl
ngtcp2: fix the build without 'sendmsg'
ngtcp2: replace removed define and stop using removed function
no-clobber.d: only use long form options in man page text
noproxy: support for space-separated names is deprecated
nss: implement data_pending method
openldap: fix missing sasl symbols at build in specific configs
openssl: adapt to boringssl's error code type
openssl: don't ignore CA paths when using Windows CA store (redux)
openssl: don't log raw record headers
openssl: make the BIO_METHOD a local variable in the connection filter
openssl: only use CA_BLOB if verifying peer
openssl: remove attached easy handles from SSL instances
openssl: store the CA after first send (ClientHello)
os400: fixes to make-lib.sh and initscript.sh
packages: remove Android, update README
release-notes.pl: check fixes/closes lines better
Revert "x509asn1: avoid freeing unallocated pointers"
runtest.pl: add expected fourth return value
runtests: tear down http2/http3 servers when https server is stopped
runtests: consider warnings fatal and error on them
runtests: fix detection of TLS backends
runtests: make 'mbedtls' a testable feature
rustls: improve error messages
scripts/delta: show percent of number of files changed since last tag
scripts: fix Appveyor job detection in cijobs.pl
scripts: set file mode +x on all perl and shell scripts
sectransp: fix for incomplete read/writes
SECURITY-PROCESS.md: document severity levels
setopt: Address undefined behaviour by checking for null
setopt: move the SHA256 opt within #ifdef libssh2
setopt: use >, not >=, when checking if uarg is larger than uint-max
smb: return error on upload without size
socketpair: allow localhost MITM sniffers
strdup: name it Curl_strdup
system.h: assume OS400 is always built with ILEC compiler
test1560: use a UTF8-using locale when run
test2304: remove stdout verification
tests-httpd: basic infra to run curl against an apache httpd
tests: add 3 new HTTP/2 test cases, plus https: support for nghttpx
tests: add tests for HTTP/2 and HTTP/3 to verify the header API
tests: avoid use of sha1 in certificates
tls: fixes for wolfssl + openssl combo builds
tool_getparam: fix hiding of command line secrets
tool_operate: fix `CURLOPT_SOCKS5_GSSAPI_NEC` type
tool_operate: fix error codes during DOS filename sanitize
tool_operate: fix error codes on bad URL & OOM
tool_operate: fix headerfile writing
tool_operate: repair --rate
transfer: break the read loop when RECV is cleared
typecheck: accept expressions for option/info parameters
url: fix part of conditional expression is always true
urlapi: avoid Curl_dyn_addf() for hex outputs
urlapi: fix part of conditional expression is always true: qlen
urlapi: skip path checks if path is just "/"
urlapi: skip the extra dedotdot alloc if no dot in path
urldata: cease storing TLS auth type
urldata: make 'ftp_create_missing_dirs' depend on FTP || SFTP
urldata: make set.http200aliases conditional on HTTP being present
urldata: move the cookefilelist to the 'set' struct
urldata: remove unused struct fields, made more conditional
vquic: stabilization and improvements
vtls: fix hostname handling in filters
vtls: manage current easy handle in nested cfilter calls
vtls: use ALPN HTTP/1.0 when HTTP/1.0 is used
winbuild: document that arm64 is supported
windows: always use curl's basename() implementation
wolfssl: remove deprecated post-quantum algorithms
workflows/linux.yml: merge 3 common packages
write-out.d: add 'since version' to %{header_json} documentation
write-out.d: clarify Windows % symbol escaping
ws: fix autoping handling
ws: fix multiframe send handling
ws: fix recv of larger frames
ws: remove bad assert
ws: unstick connect-only shutdown
ws: use %Ou for outputting curl_off_t with info()
x509asn1: fix compile errors and warnings
zuul: stop using this CI service
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from version 0.13.0.6 to 0.14.7
- Update of rootfile
- patch from colm commit fc61ecb required to fix bug of make looking for static and
dynamic libs even if one of them was disabled
- Changelog is not available in source tarball or on website etc. Changes have to be
reviewed by the commits https://github.com/adrian-thurston/colm/commits/0.14.7
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Thunderbird and Roundcube mail clients presume that any mail with Content Type of
multipart/mixed has an attachment included rather than actually checking for
disposition attachment. This means that any mail with multipart/mixed gets the
attachment icon marked up even though there is no attachment.
- Although this is a problem of the clients involved, in this case the simplest solution
is to change multipart/mixed to multipart/alternative as WIO Mail only sends text
without any attachment or other part to indicate that a client is active or inactive.
- Confirmed on my vm testbed
Fixes: Bug#13040
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Original poster found this effect with using Vivaldi at 100% zoom.
- I tested it with Vivaldi and Firefox on Arch Linux and was not able to show the effect but
running SeaMonkey and changing the zoom from 100% to lower or higher caused the input
boxes to go outside of the WUI boundary as described by the bug reporter.
- It looks like the effect is dependent on the browser, the zoom setting and the OS
Distribution.
- In all cases the similar three input boxes in a row in the dhcp.cgi code for entering a
fixed lease stayed fixed in ratrio to the WUI page whatever zoom or browser was used.
- This patch changes the wio code for those three input boxes to use the approach from the
dhcp.cgi code.
- Tested on my vm testbed and change confirmed to fix the size of the input boxes
irrespective of the browser or zoom setting.
Fixes: Bug#13039
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- This patch is to move the rng-tools package from a core package to an addon. With the
kernel changes from 5.6 rngd is no longer needed to create the required kernel entropy.
- The results from HRNG's via rngd are used with an XOR after the entropy is
collected by the kernel. So the HWRNG output is used to dilute the kernel random number
data, which is already merged from several sources.
- Based on the above and @Paul's request in the bug report to have rng-tools kept as an
addon this patch set is submitted for consideration to keep rng-tools but as an addon.
- move rng-tools rootfile from common to packages
- Modify rng-tools lfs from core package to addon package
- Create rng-tools pak to install and uninstall - creating rc.d links for start & stop.
- Move rngd initscript from system to packages directory.
- Installed into my vm testbed and confirmed that it works. No rngd daemon installed
from iso install. After addon install rngd is present and running. Added various files
to be able to test the services wui page. rngd shows up and can be turned off and on
Fixes: Bug#12900
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
There used to be a time where the authenticator crashed when the OpenVPN
daemon went away which is causing issues.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
