if interface does not support native mode
re-run xdp-loader with skb mode, got error
Attaching XDP program in native mode not supported - try SKB mode.
TCP Native mode not supported, try SKB
Replacing allowed ports
Added port 80
Added port 8090
libxdp: Retried more than 11 times, giving up
Couldn't attach XDP program on iface 'lo': Device or resource busy(-16)
UDP Native mode not supported, try SKB
Replacing allowed udp ports
Added port 10408
but it looks loaded ok
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
xdp-loader will only load the XDP program without
xdp dispatcher if bpffs is not mounted, flash image
has bpffs mounted already, add bpffs mount for ISO image
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
XDP SYNPROXY rules needs to be first in filter table
INPUT user defined chain and raw table PREROUTING
user defined chain.
To list the custom chain evaluation order for example:
iptables -L INPUT --line-numbers
Chain INPUT (policy DROP)
num target prot opt source destination
1 INSYNPROXY all -- anywhere anywhere
2 IPSBYPASS all -- anywhere anywhere mark match 0xc0000000/0xc0000000
3 BADTCP tcp -- anywhere anywhere
4 CUSTOMINPUT all -- anywhere anywhere
5 HOSTILE all -- anywhere anywhere
6 BLOCKLISTIN !icmp -- anywhere anywhere
7 GUARDIAN all -- anywhere anywhere
8 OVPNBLOCK all -- anywhere anywhere
9 IPS_INPUT all -- anywhere anywhere mark match 0x0/0xc0000000
10 IPTVINPUT all -- anywhere anywhere
11 ICMPINPUT all -- anywhere anywhere
12 LOOPBACK all -- anywhere anywhere
13 CAPTIVE_PORTAL all -- anywhere anywhere
14 CONNTRACK all -- anywhere anywhere
15 DHCPGREENINPUT all -- anywhere anywhere
16 TOR_INPUT all -- anywhere anywhere
17 LOCATIONBLOCK all -- anywhere anywhere
18 IPSECINPUT all -- anywhere anywhere
19 GUIINPUT all -- anywhere anywhere
20 WIRELESSINPUT all -- anywhere anywhere ctstate NEW
21 OVPNINPUT all -- anywhere anywhere
22 INPUTFW all -- anywhere anywhere
23 REDINPUT all -- anywhere anywhere
24 POLICYIN all -- anywhere anywhere
iptables -t raw -L PREROUTING --line-numbers
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 RAWSYNPROXY all -- anywhere anywhere
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
We disable cores if the are affected by some cpu vulnerabilities
this cores report errors if you try to change the settings.
So only print the output for core0 and hide it for all cores.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
the initskript loads a test-modul for amd-pstate (which traces on intel)
and off course reports errors if firmware settings are missing.
this also fix the error at start because also amd-pstate doesn't support
ondemand mode.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- This v3 version now has two if loops allowing logging of incoming drop hostile or
outgoing drop hostile or both or neither.
- Dependent on the choice in optionsfw.cgi this loop will either log or not log the
dropped hostile traffic.
Fixes: bug12981
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Calling a global sync operation manually is generally a bad idea as it
can block for forever. If people have storage that does not retain
anything that is being written to it, they need to fix their hardware.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
myMPD is written in C and has a nice WebGUI to play
local music and also a WebRadio browser.
This is to replace the removec client175.
After install it can reached via
https://IP_OF_THE_IPFIRE:8800
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This updated version of this script avoids any errors if collectd is not
running (yet) which might happen during the boot process.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
The "ping" plugin does not re-resolve the gateway IP address after
pinging it for the first time. For most people this won't be a big
problem, but if the default gateway changes, the latency graph won't
work any more.
In order to do re-resolve "gateway", the only way is to restart
collectd.
Fixes: #13522
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Acked-by: Peter Müller <peter.mueller@ipfire.org>
Previously, we sent Apache a signal to relaunch itself which caused
Apache to kill all child processes, and re-execute them.
However, when updating glibc, any newly compiled modules could not be
loaded as Apache was running with the previous version of glibc until
the next reboot.
This change will now properly stop Apache and restart it which solves
this problem.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
There is no sense in doing this only in /etc/init.d/network
and not in /etc/init.d/networking/red
This files should be always deleted before a startup
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This setting is also old (2007) and cannot be set via the webinterface
anymore. So why checking for something, which can only be true.
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
A long time ago (2007) there were more config types possible then 1, 2, 3
and 4. As our installer currently only accepts config type out of the set
1, 2, 3 and 4 we do not need to check if our CONFIG_TYPE is in this set.
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
/bin/sh is a symlink to /bin/bash on ipfire systems. Using /bin/sh in
the scripts as shebang hurts in two ways:
1. We use features which do not work with sh as shell. This is not
really a problem but if we rely on features of a real bash we can
state this clearly.
2. The syntay highlighting in vim does not work without a correct
shebang. As I want and need correct syntax highlighting I propose to
change the shebang.
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
The system should perform all write operations when sync is called and
only return when the write queues are empty.
There is no additional benefit for calling sync again as the buffers
should be empty. If data is still being lost, then that is a bug in
either the storage device or driver.
As the (re-)boot process is already so slow, I would like to get rid of
any unnecessary delays.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- This patch goes together with the patch for the ppp update to 2.5.0
- The rp-pppoe.so option is no longer available. There is only the pppoe.so available now
Fixes: Bug#13164
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This is another fragment of rngd - the gift that keeps giving.
The udev rules file contains a lot of stuff for a prototype which never
went into production. So, that can be dropped.
It would have been left with one rule that starts rngd whenever a HWRNG
is being found. That is however no longer needed as rngd is being
started in the init process. We no longer need to initialize it as early
as possible to seed the kernel's PRNG.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
mount -f does nothing and also the sync calls should do nothing
on a already ro mounted filesystem.
fixes: #13195
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
the flashimage is build without journal to not destroy
usb thumbdrives or sd cards. On real ssd's and virtual
machines it should enabled for higher data security.
So this patch add the journal is drive support smart.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- With the last update of lvm2 lvmetad was removed from lvm2. I did not recognise that
lvmetad had been setup as an automatic initscript, so it no longer works as the
binary is no longer provided.
- This patch removes the lvmetad initscript, the reference to lvmetad in the initscript
lfs file and the lvmetad initscript entries in the rootfile for each architecture.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
These rules where created to permit any local traffic to the firewall
when using a PPP connection that utilised Ethernet as transport.
This is however nonsensical and a security issue for any other
connection methods that call the RED interface "red0" and use PPP (e.g.
QMI).
Since PPPoE packets do not flow through iptables, these rules can be
dropped safely. We do not know whether PPTP works at all these days.
Fixes: #13088 - firewall: INPUT accepts all packets when using QMI for dial-in
Tested-by: Stefan Schantl <stefan.schantl@ipfire.org>
Tested-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- This patch is to move the rng-tools package from a core package to an addon. With the
kernel changes from 5.6 rngd is no longer needed to create the required kernel entropy.
- The results from HRNG's via rngd are used with an XOR after the entropy is
collected by the kernel. So the HWRNG output is used to dilute the kernel random number
data, which is already merged from several sources.
- Based on the above and @Paul's request in the bug report to have rng-tools kept as an
addon this patch set is submitted for consideration to keep rng-tools but as an addon.
- move rng-tools rootfile from common to packages
- Modify rng-tools lfs from core package to addon package
- Create rng-tools pak to install and uninstall - creating rc.d links for start & stop.
- Move rngd initscript from system to packages directory.
- Installed into my vm testbed and confirmed that it works. No rngd daemon installed
from iso install. After addon install rngd is present and running. Added various files
to be able to test the services wui page. rngd shows up and can be turned off and on
Fixes: Bug#12900
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
This removes support for building IPFire for 32 bit ARM architectures.
This has been decided in August 2022 with six months notice as there are
not very many users and hardware is generally not available any more.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This is really badly hacky, but I do not know a better way to solve this
with our existing "setup" program which would be a nightmare to extend.
So we are using the device number to generate a static MAC address which
can then be used as usual. I doubt many people will have more than one
device.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
