Remove custom functions and use network-functions.pl instead to detect
the available zones correctly. This also removes the requirement that
a device must be assigned for a zone to become visible/configurable.
Fixes: #12568
Signed-off-by: Leo-Andres Hofmann <hofmann@leo-andres.de>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Changes & new features:
- Add CSS for STP options, add texts to language files
- Read STP settings from ethernet configuration and display inputs
- Validate and save STP settings
Signed-off-by: Leo-Andres Hofmann <hofmann@leo-andres.de>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- When patch 3724 was created for bug #10743 a curly bracket was placed in the wrong place
This results in the overlap of two if loops meaning that there will be no validity
check carried out on Default Lease Time if Deny Known Clients is not checked.
- This patch moves the { bracket to the right location.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
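
The effect of the misplaced bracket described in the commit message above, as an added example that is not code from dhcp.cgi. The function names, the settings keys and the form values are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical validators; key names and messages are assumptions, not dhcp.cgi code.

# Before: the block opened for "deny known clients" is closed too late, so the
# lease time check only runs when that checkbox is ticked.
sub validate_buggy {
    my (%s) = @_;
    my @errors;
    if ($s{DENY_KNOWN_CLIENTS} eq 'on') {
        push @errors, 'deny known clients needs a range'
            unless $s{START_ADDR} && $s{END_ADDR};
        if ($s{DEFAULT_LEASE_TIME} !~ /\A\d+\z/) {
            push @errors, 'invalid default lease time';
        }
    }    # <- bracket in the wrong place
    return @errors;
}

# After: the first block is closed before the lease time check starts, so the
# check runs for every submitted form.
sub validate_fixed {
    my (%s) = @_;
    my @errors;
    if ($s{DENY_KNOWN_CLIENTS} eq 'on') {
        push @errors, 'deny known clients needs a range'
            unless $s{START_ADDR} && $s{END_ADDR};
    }
    if ($s{DEFAULT_LEASE_TIME} !~ /\A\d+\z/) {
        push @errors, 'invalid default lease time';
    }
    return @errors;
}

# Constructed form input: checkbox not ticked, lease time is not a number.
my %form = (
    DENY_KNOWN_CLIENTS => 'off',
    START_ADDR         => '192.168.1.100',
    END_ADDR           => '192.168.1.200',
    DEFAULT_LEASE_TIME => '60 minutes',
);

for my $check ([buggy => \&validate_buggy], [fixed => \&validate_fixed]) {
    my ($name, $code) = @$check;
    my @errors = $code->(%form);
    printf "%-5s: %s\n", $name, @errors ? join('; ', @errors) : 'accepted';
}
```
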
- Wirelessclient shows priority 0 to be most preferred and priority 4 as
least preferred. Based on forum posters' experience and the wpa_supplicant
man page it is the other way round.
- This patch moves the least preferred title to priority 0 and vice versa
- Will ask bug reporter to test out the patch and confirm it works. The page
is only shown if you have a wifi connection on red.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
There is no need for this being implemented and it is dangerous to allow
the user to create any shell accounts or users that belong to groups
with higher privileges.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
The helper binary is being dropped and etherwake is enabled
for CAP_NET_RAW. This allows execution by unprivileged users
as needed by the web user interface (nobody).
Reported-by: Albert Schwarzkopf <ipfire@quitesimple.org>
Fixes: #12562
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This function nicely translates the ethernet/settings "CONFIG_TYPE"
into a list of available zones. Therefore it should be more accessible!
Signed-off-by: Leo-Andres Hofmann <hofmann@leo-andres.de>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
If a provider supports authentication with a token, now
the username and password fields will be swapped by some
JavaScript code in favour of an input field for the token.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
While preparing the Core153 update, I found by chance that a language string had been added from
Core152 to Core153 which I couldn't find in any CGI-file.
The translation suggested that this string ('Available Updates') could belong to 'pakfire.cgi'.
And I thought that on the pakfire GUI something was actually missing: the heading above the
box listing the 'Available Updates'. Don't know why I didn't see this before.
So I tried to add this missing heading. I hope I made it right...
Some cosmetic fixes:
I also added some space around the text for 'Available Addons' and 'Installed Addons'
because the text lines weren't separated. There is no seen wordwrapping. This required deleting
some unwanted '<br />' in the affected translation strings.
I tried this about 4 years ago, but somehow this patch got lost.
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
While testing Peter's patch for Bug #12560 I noticed that the standard 'back'-button
at the end of the page - like in 'ipinfo.cgi' - was implemented as a text string.
I just took the code segment with the 'back'-*image* from 'ipinfo.cgi' to make this
link look similar to the other pages.
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Swap colour generation to improve readability in case of no active SSH logins
- Unify table layout
- Improve German "SSH host key" translation to avoid Deppenleerzeichen
This patch does not introduce functional changes.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This adds in the option to have "deny known clients" in dhcpd.conf
This is applied to the range command so applies to the dynamic addresses
given.
If you have just a range statement say in blue then if you are not using
vlans you could have the situation where a known host in green might end
up getting a lease from the blue range. Here a deny known-clients makes
sense. Your range in this case would be limited to only unknown clients if
deny known-clients was selected.
dhcp WUI has been modified to add in this command. Error message has been
added to check that a range has been specified if the deny unknown clients
checkbox has been selected.
Language files updated with additional items (English, German & Dutch).
For more information on the history of this please see the bugzilla entry
Signed-off-by: Adolf Belka <ahb.ipfire@gmail.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
The installer recognises cups and cups-filters both as cups and puts
two instances of cups in the add-on services table.
Based on input from Michael Tremer this patch replaces the command
returning the second element between hyphens with one that takes
what comes after "meta-" using Perl code rather than a shell command.
The second find command was changed as per Michael's suggestion.
Tested in my ipfire test bed system and only results in one cups
entry.
Signed-off-by: Adolf Belka <ahb.ipfire@gmail.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This is really hard to maintain when adding new or altering existing
providers.
Reference #12415.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
This line was accidentally messed up while merging two patchsets
together, causing tor.cgi to crash with an HTTP error 500 in testing.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This improves the usability of the zone configuration by marking assigned
NICs in the zone color. The highlighting is initially applied to the static
HTML output, and JavaScript is used to follow changes made by the user.
Signed-off-by: Leo-Andres Hofmann <hofmann@leo-andres.de>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Add an element id so that the styling only affects the zone table
- Alternating row colors are now generated by CSS, remove unneeded Perl code
Signed-off-by: Leo-Andres Hofmann <hofmann@leo-andres.de>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This fixes two minor violations of the HTML standard:
- <a> elements may not contain nested <button> elements:
Replace the button with a simple hyperlink, because it was only used as a link anyway.
- "id" attributes may not contain whitespace:
Remove unneeded attribute, use hyphens instead of spaces.
Signed-off-by: Leo-Andres Hofmann <hofmann@leo-andres.de>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
OpenVPN is an absolute mess. The behaviour of configuration
parameters has been changed over time; default values have been
changed over time; and it looks like nobody is actually testing
anything any more.
I have been spending hours today on figuring out why OpenVPN
is so damn slow. On a Lightning Wire Labs IPFire Mini Appliance
it achieves about 100 MBit/s in the default configuration when
"openssl speed -evp aes-256-gcm" achieves over 3.5 GBit/s.
Changing any of the cryptography parameters does not change
anything. Throughput remains around 100 MBit/s.
I finally set "cipher none" and "auth none" which disables
encryption and authentication altogether but does not increase
throughput. From here on it was absolutely clear that it was
not a crypto issue.
OpenVPN tries to be smart here and does its own fragmentation.
This is the worst idea I have heard of all day, because that job
is normally done best by the OS.
Various settings which allow the user to "tune" this are grossly
ineffective - let alone it isn't even clear what I am supposed
to configure anywhere. Setting "fragment 1500" weirdly still
does not convince openvpn to generate a packet that is longer
than 1400 bytes. Who'd a thunk?
There is a number of other parameters to set the MTU or which
are related to it (tun-mtu, link-mtu, fragment, mssfix).
On top of all of this we have two "bugs" in ovpnmain.cgi which
are being fixed in this patch:
1) mssfix can be configured by the user. However, we always
enable it in openvpn. The default is on, we only add "mssfix"
which simply turns it on.
It is now being disabled when the user has chosen so in the
web UI. I do not know if this is backwards-compatible.
2) We cap the MTU (tun-mtu) at 1500 bytes when fragment is being
used. So it becomes pointless that the user can this and the
user is not being made aware of this when they hit the save
button.
This was added when we added path MTU discovery. Since that
did not work and was removed, we can remove this now, too.
I achieved a solid 500-600 MBit/s of goodput with these settings:
* Disable mssfix
* Set "fragment" to 0
* Set MTU to 9000
I am sure the MTU could be further increased to have bigger packets,
but I did not test how badly this will affect latency of the tunnel.
OpenVPN seems to only be able to handle a certain amount of packets
a second - no matter what. With larger packets, the throughput of
the tunnel increases, but latency might as well.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Cc: Erik Kapfer <erik.kapfer@ipfire.org>
Cc: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
In order to make deanonymisation harder, especially high-risk Tor users
might want to use certain Guard relays only (for example operated by
people they trust), enforce Tor to use Guard relays in certain countries
only (for example countries with very strict data protection laws or
poor diplomatic relations), or avoid Guard relays in certain countries
entirely.
Since Tor sticks to sampled Guards for a long time (usually within the
range of months), restricting those is believed to cause less harm to a
user's anonymity than restricting Exit relays, since their diversity of
a generic Tor user is significantly higher.
This patch extends the Tor CGI for restricting Guard nodes to certain
countries or relays matching certain fingerprints.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This extends the functionality of the Tor CGI in order to be able to
select multiple countries for possible Exit relays, which is - in terms
of anonymity - less bad than limiting all Tor circuits to a single
country.
For example, a user might want to avoid Exit relays in more than one
country, and permit Tor to use Exit relays elsewhere, and vice versa.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
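
One way a web UI can turn the Guard and Exit selections described in the two Tor commit messages above into torrc lines, as an added example that is not code from tor.cgi. The helper node_list and all input values are hypothetical; EntryNodes and ExcludeExitNodes are standard torrc options, and the page does not say which options the CGI actually writes.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper, not code from tor.cgi. Builds one torrc node list from
# user-supplied values and refuses anything that is not a two-letter country
# code or a 40-digit hex relay fingerprint, so form input cannot add lines or
# options to the generated file.
sub node_list {
    my ($option, @items) = @_;
    my @nodes;
    for my $item (@items) {
        # \A and \z anchor the whole string; '$' would also match before a
        # trailing newline and let a line break through.
        if ($item =~ /\A[A-Za-z]{2}\z/) {
            push @nodes, '{' . lc($item) . '}';    # country code, e.g. {ch}
        } elsif ($item =~ /\A\$?([0-9A-Fa-f]{40})\z/) {
            push @nodes, '$' . uc($1);             # relay fingerprint
        } else {
            die "rejected value for $option\n";
        }
    }
    return @nodes ? "$option " . join(',', @nodes) . "\n" : '';
}

# Constructed selections: two Guard countries plus one Guard fingerprint,
# and two placeholder country codes to avoid for Exit relays.
my $torrc = '';
$torrc .= node_list('EntryNodes', 'CH', 'is',
                    '0123456789abcdef0123456789abcdef01234567');
$torrc .= node_list('ExcludeExitNodes', 'xx', 'yy');
print $torrc;

# Constructed bad input: a value that carries a newline and a second option.
my $ok = eval { node_list('EntryNodes', "de\nSomeOption 1"); 1 };
print "refused: $@" unless $ok;
```
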
Fixes: #12529
- If a client N2N configuration will be imported into IPFire systems,
a line will be added which calls the --up script to restart the
static route initscript. Since this is IPFire specific, it will only be
added via import on IPFire systems.
- Deleted unneeded line in CLIENTCONF section.
- Added description to SERVERCONF section.
Signed-off-by: ummeegge <erik.kapfer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
When safe search is enabled, it is being enabled on YouTube, too.
This creates problems in some scenarios like schools where politics
is being taught as well as other subjects that might be censored by
YouTube (i.e. election TV spots).
Therefore it is now possible to exclude YouTube from Safe Search
but keep it enabled for the search engines.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>