This is a very tiring and repetitive process which is now automated in
this script which will find the latest version and create an LFS file for
it.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This does not seem to work very reliably, so we need to manually disable
this for some packages.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Cargo will always require all dependencies, even if the package is not
being built against them. In order to avoid that, we will need the
nightly build of the Rust compiler which supports skipping those
dependencies.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This is a small set of commands that will be needed to build Rust
packages.
The idea is to have a couple of macros which do not have to be rewritten,
but can be customised across the lfs files.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-update arm-trusted firmware to 2.6
-fix mac address generation on R2S because the CPUID fuses are not unique
-add support for NanoPi R4S
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
For details (v9.16.22-v9.16.25) see:
https://downloads.isc.org/isc/bind9/9.16.25/doc/arm/html/notes.html#notes-for-bind-9-16-25

"Notes for BIND 9.16.25

Feature Changes

    Overall memory use by named has been optimized and reduced,
    especially on systems with many CPU cores. The default memory
    allocator has been switched from internal to external. A new
    command-line option -M internal allows named to be started with the
    old internal memory allocator. [GL #2398]

Bug Fixes

    On FreeBSD, TCP connections leaked a small amount of heap memory,
    leading to an eventual out-of-memory problem. This has been fixed.
    [GL #3051]

    If signatures created by the ZSK were expired and the ZSK private
    key was offline, the signatures were not replaced. This behavior has
    been amended to replace the expired signatures with new signatures
    created using the KSK. [GL #3049]

    Under certain circumstances, the signed version of an inline-signed
    zone could be dumped to disk without the serial number of the
    unsigned version of the zone. This prevented resynchronization
    of the zone contents after named restarted, if the unsigned zone
    file was modified while named was not running. This has been fixed.
    [GL #3071]
...
"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
For historical reasons, we were always reluctant to reverse path
filtering, since configuration changes were tricky to evaluate for a
larger userbase, IPFire permits a number of complex scenarios, and due
to limited resources.

As a compromise, this patch suggests to enable Loose Reverse Path
Filtering, as specified in RFC 3704 (section 2.4), to gain at least some
security achievement on this end.

To quote from that:

    Loose Reverse Path Forwarding (Loose RPF) is algorithmically similar
    to strict RPF, but differs in that it checks only for the existence
    of a route (even a default route, if applicable), not where the route
    points to. Practically, this could be considered as a "route
    presence check" ("loose RPF is a misnomer in a sense because there is
    no "reverse path" check in the first place).

    The questionable benefit of Loose RPF is found in asymmetric routing
    situations: a packet is dropped if there is no route at all, such as
    to "Martian addresses" or addresses that are not currently routed,
    but is not dropped if a route exists.

There is no legitimate reason why we cannot enable this: If IPFire
receives a packet on some interface it cannot route on _any_ interface
at all, there is no sense in processing it.

While testing this change, I was unable to produce a situation where it
actually causes any harm. In theory, it shouldn't do so anyways.

In the future, we will hopefully be able to set these sysctls to "1",
using Strict Reverse Path Filtering, as specified in RFC 3704 (section
2.2). Doing so was found to work fine in my testing environment as well,
but there is no asymmetric routing in place there.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
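
The difference between the two RFC 3704 modes named in the commit message above, as an added Python sketch that is not part of the commit or of IPFire's code. The routing table, addresses and interface names are constructed, and the model only covers route lookup, not kernel specifics.

```python
import ipaddress

# Constructed routing table: (prefix, outgoing interface). No default route.
ROUTES = [
    ("192.168.1.0/24", "green0"),
    ("10.8.0.0/16", "tun0"),
    ("203.0.113.0/24", "red0"),
]

def best_route(src, routes):
    """Longest-prefix match for src; returns the interface name or None."""
    addr = ipaddress.ip_address(src)
    nets = [(ipaddress.ip_network(prefix), iface) for prefix, iface in routes]
    matches = [(net, iface) for net, iface in nets if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def rpf_accepts(src, in_iface, mode, routes=ROUTES):
    """mode is 'strict' (RFC 3704 section 2.2) or 'loose' (section 2.4)."""
    iface = best_route(src, routes)
    if iface is None:
        return False              # no route at all: both modes drop
    if mode == "loose":
        return True               # route presence check only
    if mode == "strict":
        return iface == in_iface  # route must point back out the ingress interface
    raise ValueError("unknown mode: " + mode)

if __name__ == "__main__":
    with_default = ROUTES + [("0.0.0.0/0", "red0")]
    cases = [
        ("symmetric", "192.168.1.20", "green0", ROUTES),
        ("asymmetric", "10.8.3.4", "green0", ROUTES),
        ("unrouted source", "198.51.100.7", "green0", ROUTES),
        ("unrouted, default route present", "198.51.100.7", "green0", with_default),
    ]
    for label, src, iface, routes in cases:
        strict = rpf_accepts(src, iface, "strict", routes)
        loose = rpf_accepts(src, iface, "loose", routes)
        print(f"{label:32} strict={strict!s:5} loose={loose}")
```

The last case shows the "even a default route" clause from the quoted RFC text: once a default route exists, the loose check passes any source that route covers.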