This change is necessary because we are using the right-hand two bytes
for storing the QoS classes.
All IPsec traffic will now be skipped and never classified by the QoS.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
In order to use the highest two bits for surciata bypass, we will need
to make sure that whenever we compare any other marks, we do not care
about anything else.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Since systemd, many programs no longer behave like a well-behaved
daemon. To avoid any extra solutions, this patch adds a -b switch which
will start a program in the background and throw away any output.
The behaviour remains unchanged for any other programs.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
AWS for some time now has a serial console feature which is enabled by
default on all systems. The VGA console is not enabled for any new
non-x86 instance types and not interactive.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
we have no supported armv5tel board left so we can switch to the higher
arch. This now can use the vpu (still in softfp calling convention to
not break existing installations.)
this fix many compile problems, also boost is now working again.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
These include rootfiles, firewall menue entries that have been
unmaintained for a long time, and firewall chains which were never used
in recent time.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
"wireless extensions" is the old interface to speak to the kernel.
All newer drivers support nl80211 now.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
The SSH init script only kills the main daemon which leads to any child
processes (for remaining connections) being untouched.
killproc returns 4 (unknown error) when not all processes were killed
which is not intended here. Therefore we ignore the error and do not
pause the shut down process for a minute.
Fixes: #12544
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Newer kernels seem to return this in lowercase format which makes the
comparison to "EC2" fail.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
When safe search is enabled, it is being enabled on YouTube, too.
This creates problems in some scenarios like schools where politics
is being tought as well as other subjects that might be censored by
YouTube (i.e. election TV spots).
Therefore it is now possible to exclude YouTube from Safe Search
but keep it enabled for the search engines.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
The SSH daemon was not terminated properly because killproc
tried to terminate all processes with that name. That caused
that the master daemon respawned some processed which were
therefore not killed because killproc determined a list of
PIDs only once before starting sending signals.
This patch only kills the master process which is being
determined by using sshd's pid file.
That results in all established connections not being
interrupted any more.
Furthermore, the loadproc function checks if any processes
with the given name are already running which could be true
if there are any connections still open.
That check is being disabled with the -f switch and sshd
will always be launched.
"/etc/init.d/sshd stop" might now print FAIL if only the
master process, but no connection processes were terminated.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Processors in virtual machines are *virtual*. Therefore this
only degrades the performance of the guest, but does not increase
it's security.
This patch always leaves SMT enabled in all virtual environments.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
If this module is not being loaded, the kernel will mark any
GRE connection as INVALID in connection tracking, which will
be then silently dropped by a firewall rule.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Since more processes depend on good randomness, we need to
make sure that the kernel's PRNG is initialized as early as
possible.
For systems without a HWRNG, we will need to fall back to our
noisy loop and wait until we have enough randomness.
This patch also removes saving and restoring the seed. This
is no longer useful because the kernel's PRNG only takes any
input after it has successfully been seeded from other sources.
Hence adding this seed does not increase its randomness.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Added the new 'vnstatd' daemon to 'start' and 'stop' section.
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
dhcpcd 9.x adds privelege seperation by creating a chroot
and running parts of the client not as root.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
