These include rootfiles, firewall menue entries that have been
unmaintained for a long time, and firewall chains which were never used
in recent time.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Since more processes depend on good randomness, we need to
make sure that the kernel's PRNG is initialized as early as
possible.
For systems without a HWRNG, we will need to fall back to our
noisy loop and wait until we have enough randomness.
This patch also removes saving and restoring the seed. This
is no longer useful because the kernel's PRNG only takes any
input after it has successfully been seeded from other sources.
Hence adding this seed does not increase its randomness.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
We should initialise the kernel's PRNG as early as we can.
Starting rngd very early will seed the random number generator
when RDRAND or other hardware random number generators are available.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
When using a swap file, it is not being activated correctly
when the filesystem it is residing on is not mounted, yet.
The root file system is mounted read-only here before
S40mountfs is being executed.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
this functions has only reloaded unbound config
which is useless at shutting down the red interface.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
This daemon needs to be launched in order to use LVM
devices in IPFire.
It will run on all installations after this patch has been
merged but only consumes very little memory.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
The safe search code relied on working DNS resolution, but
was executed before unbound was even started and no network
was brought up.
That resulted in no records being created and nothing being
filtered.
This will now set/reset safe search when the system connects
to the Internet.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
this remove a bunch of unbound errors at shutdown because
network down try to reconfigure unbond. (e.g. disable forwarders)
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
add check if red interface has an IPv4 address before test the servers at
red up and simply remove forwarders at down process.
This also fix the hung at dhcpd shutdown.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
SMT can be forced on.
By default, all systems that are vulnerable to RIDL/Fallout
will have SMT disabled by default.
Systems that are not vulnerable to that will keep SMT enabled.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
The helper script will be automatically called when the red interface gets up
and will re-generate the HOME_NET file, to take care if the IP-address of this
interface has changed.
Fixes#11989
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
This is useful when the user-data script is installing
packages. For that it will need valid keys for course.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This is done at boot time and doesn't normally need to be done again.
On AWS or in the setup, renaming any network interfaces is being
handled automatically.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Add a very basic initscript, which currently allows to start/stop/restart suricata and
check if the daemon is running.
The script will detect when starting suricata how many CPU cores are present on the system and
will launch suricata in inline mode (NFQUEUE) and listen to as much queues as CPU cores are
detected.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
the script wait until crng is correct initialized before restore the
random seed and make some disc io to work around low entropy at boot
on some machines. Not really a fix but it should be better than reverting
CVE-2018-1108 fixes from kernel.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
This didn't build and run in ages and has been removed from
the repositories quite a while ago.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Till now all init scripts going into src/initscripts/init.d so they are
installed by the lfs file initscripts. Because of that they also appear
in the rootfile of the "package" initscripts.
This has some disadvantages:
- the initscripts of the packages appear in the 3 rootfiles (one for
each arch) which are annoying because for every package with an
initscript 4 rootfiles (the 3 of the initscript package + the rootfile
of the package) are important.
- The rootfiles for a package are installed by lfs/initscripts but this
should happen only in the build of the package
To solve this issues all rootfiles for the core system are moved into
src/initscripts/init.d/common. Only the initscript in this directory are
installed by lfs/initscripts. So all initscripts for packages are
located in src/initscripts/init.d and are not installed by
lfs/initscripts.
So only the initscripts of the system appear in the 3 rootfiles of the
initscripts package. The initscript of a package appear only in the
rootfile of the package. This makes the maintaining of initscript
easier.
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
