commit 0b946b848c72511922fa211b6a4db0da092d204c
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Thu Sep 25 16:37:27 2025 +0200
ddns.cgi: Escape the variables when they are being sent back to the browser
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 67db35c8a536b54d169336269853aaa6eae85ab5
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Thu Sep 25 13:12:44 2025 +0200
ddns.cgi: Fixes bug 13884
Fixes: bug 13884 - ddns.cgi LOGIN PASSWORD SERVICE Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
sync IPFire fwhosts.cgi
commit 2398cc431a3fb2cd4141b6a846f0cd0742f6a97c
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Thu Sep 25 17:05:32 2025 +0200
fwhosts.cgi: Escape PROT in the right place
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit ad995081302f6b28ea11c74e56306d94a7bee076
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Thu Sep 25 17:02:18 2025 +0200
fwhosts.cgi: Check country code before proceeding
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit a2c624b99dbcecb469e6001505731049ef5cbbd3
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Thu Sep 25 13:12:37 2025 +0200
fwhosts.cgi Fix for bug 13876 & bug 13877
Fixes: Bug 13876 savelocationgrp COUNTRY_CODE Stored Cross-Site Scripting
Fixes: Bug 13877 saveservice PROT Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 798556ec29207d5131a7600d5489f1ee92a7b87a
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Mon Jun 23 17:16:57 2025 +0000
fwhosts.cgi: Move the tooltip into the usage counter
This will clutter the page less as we don't have any good icon sets.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 61b277aa9c578a9a69e552f593a8bde421b811bc
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Mon Jun 23 17:16:56 2025 +0000
fwhosts.cgi: Don't show anything if a host/group is unused
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit ca811a746a79f0e02cfb780cbd4543a057131e3a
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Mon Jun 23 17:16:55 2025 +0000
fwhosts.cgi: Remove whitespace issues
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 5511d94ed0d8ea6fd372d52cba515b4d6726abed
Author: Peer Dietzmann <dietzmann@brecht-schule.hamburg>
Date: Mon Jun 23 17:16:54 2025 +0000
fwhosts.cgi: Show in which firewall rule objects are being used
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 341eb00a821c4254ddd04968beed2e98e5a33aff
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Sat May 3 15:10:16 2025 +0200
fwhosts.cgi: Correctly show IP addresses for WireGuard RW peers
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit 61f447ff341d2f7720fb6c5b483cc9fb063e869c
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Thu Sep 25 17:07:36 2025 +0200
ids.cgi: Escape the remark before sending it back to the browser
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit f0015fefe6d2523c5bb9818fa6aeeb064f6e45db
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Thu Sep 25 13:12:38 2025 +0200
ids.cgi: Fixes bug 13878
Fixes: bug 13878 - IGNORE_ENTRY_REMARK Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit a461fd70445aec9dfa34bf9c5a29a85e0ad0e2fe
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Sat May 10 12:30:56 2025 +0200
chpasswd.cgi: Fixes bug12755 - v3 with password verification correction
- v3 version based on feedback from @Michael to use the status value returned from
using the htpasswd command.
- Also simplified the whole section to carry out the change if the status is 0, ie all
went well, otherwise give an error but without identifying if the error is in the
username or the password. This makes it more secure as any attacker only knows it
failed and doesn't know if any part of the authentication was correct or not.
- Changed the error messages in line with this so the language file changes are in the
other part of this patch set submission.
- Tested out on my vm test bed and worked fine. If the username was incorrect or the
password was incorrect or both were incorrect the same error message is given. If
both are correct then the update is carried out.
Fixes: bug12755
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 9c0dab3d3ca807e836823253aced80a14bc1970a
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Wed May 7 09:06:12 2025 +0000
chpasswd.cgi: Add missing $
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 4c39e38f90fea60ef62e07267fd84f1b89de0297
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Tue May 6 16:10:11 2025 +0200
chpasswd.cgi: Make swroot refs the same as for other cgi files
- This uses the swroot definition from general-functions.pl and makes the definition
the same as used in the majority of other IPFire cgi files.
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 6c1549ff7a9c8e3f9f17a29a6b169fce175fea42
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Tue May 6 16:10:09 2025 +0200
chpasswd.cgi: Fixes bug12755 - proxy auth password problem longer than 8 chars
- The existing version of the perl module Apache::Htpasswd was using the crypt hash for
the password hashing, which is very insecure. The only alternative with this module
is the md5 and sha1 hashes which are also considered weak now.
- The module was last updated in Nov 2012 and there is no alternative module available.
- This patch replaces that perl module with using the apache htpasswd program. This can
be set to use the bcrypt hash which is considered secure. This is used for the
generation of the root and admin passwords during the IPFire install.
- Tested out on my vm testbed system and the password for a specific user name was
changed successfully without any restriction to the length of the password.
- Existing passwords with the existing md5 or crypt options will still work as htpasswd
can manage different encoding hashes in the one file.
Fixes: bug12755
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit f7c4f7d2968be6c9b786b7f7e46fdb8ac96c8104
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Thu Sep 25 17:32:51 2025 +0200
proxy.cgi: Escape parameters in the right place
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit e22ecef885c34462565ae20020a32a27d0585dc3
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Thu Sep 25 13:12:52 2025 +0200
proxy.cgi: Further fix for bug 13893
- Previous patch for proxy.cgi was related to the mitigation provided by the bug reporter
for the parameter VISIBLE_HOSTNAME. This parameter however was not mentioned in the
description for that bug.
- bug 13893 description mentions TLS_HOSTNAME, UPSTREAM_USER, UPSTREAM_PASSWORD,
ADMIN_MAIL_ADDRESS, and ADMIN_PASSWORD but it mentions them as being from dns.cgi
which is incorrect except for TLS_HOSTNAME.
- The other parameters are from proxy.cgi but no mitigation was shown for those in the
bug report.
- This patch adds fixes for the parameters UPSTREAM_USER, UPSTREAM_PASSWORD,
ADMIN_MAIL_ADDRESS, and ADMIN_PASSWORD
Fixes: bug 13893 - proxy.cgi Multiple Parameters Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 4cf0694e55305e368c4ca28da2db7481c8f08c5a
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Thu Sep 25 13:12:51 2025 +0200
proxy.cgi: Fixes bug 13893
Fixes: bug 13893 - proxy.cgi Multiple Parameters Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit a63c51da8ea03896c3340960821fbacece58f861
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Tue May 6 16:10:10 2025 +0200
proxy.cgi: Fixes bug12755 - proxy auth problem with password longer than 8 chars
- This makes the proxy local password management the same between chpasswd.cgi and
proxy.cgi
- Tested out on my vm testbed and was able to create and modify users and their passwords
in the proxy.cgi page or modify a password for a specified user on the chpasswd.cgi
page. This all happened successfully and was confirmed by testing out the local
authentication.
Fixes: bug12755
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit f34349dd754c6cdb29058b603028a7155ebfa830
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Thu Oct 2 13:10:14 2025 +0200
dns.cgi: Fix for XSS potential
- Related to CVE-2025-50976
- Fixes NAMESERVER & REMARK
- TLS_HOSTNAME was already fixed in a previous patch
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit db042629c0cae5b78eeddb8a9db8783c557138b0
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Thu Sep 25 17:29:35 2025 +0200
dns.cgi: Validate the TLS hostname irregardless of TLS being used
That way, we won't have to perform escaping later on and can rely on
having a valid value.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 98616a36c00b7fc845995c5cc4d8e301e58a20a7
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Thu Sep 25 13:12:50 2025 +0200
dns.cgi: Fixes bug 13892
Fixes: bug 13892 - dns.cgi TLS_HOSTNAME Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit 21539d63dfcb15f186309b3107f63d455e4008ea
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Thu Oct 2 13:10:15 2025 +0200
firewall.cgi: Fixes XSS potential
- Related to CVE-2025-50975
- Fixes PROT
- ruleremark was already escaped when firewall.cgi was initially merged back in Core
Update 77.
- SRC_PORT, TGT_PORT, dnaport, src_addr & tgt_addr are already validated in the code as
ports or port ranges.
- std_net_tgt is a string defined in the code and not a variable
- The variable key ignores any input that is not a digit and subsequently uses the next
free rulenumber digit
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit c2eba600d753df95a81707f7da0ab172ed864ab0
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Sat Sep 20 14:02:01 2025 +0000
arpwatch: Fix the envelope sender
arpwatch invokes sendmail without passing the envelope sender
explicitly. This causes that mails can get rejected if the From: header
does not match the envelope sender.
This patch passes the correct address as the envelope sender.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
This is the initial kdump and kdump scripts. It looks like when kdump-config
load is run the first time, the kdump kernel can be loaded, and testing a crash
dump with echo c > /proc/sysrq-trigger results in the system hanging forever,
then had to power reset. After the power reset, kdump-config load could no
longer load the kdump kernel and errors out with:
[root@bpfire-3 crash]# kdump-config load
cp: cannot stat '/etc/kdump/sysctl.conf': No such file or directory
Creating symlink /var/lib/kdump/vmlinuz.
ln: failed to create symbolic link '/var/lib/kdump/vmlinuz': No such file or directory
Unable to locate kernel hook ... failed!
Can't find kernel text map area from kcore
Cannot load /boot/vmlinuz-6.15.6-ipfire
failed to load kdump kernel ... failed!
So kdump is not working properly, but add the kdump scripts anyway; the
issue can be investigated later.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
The makedumpfile build in BPFire uses static libdw.a and libelf.a by default, but
libdw.a and libelf.a are not built with zstd, which the makedumpfile static
build requires, so build makedumpfile dynamically, see [0].
[0]: https://github.com/vincentmli/bpfire/issues/109
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit 68a3334413efb1a963b7cc6c6dca1ec0126e1cc1
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Fri Jul 18 08:42:12 2025 +0000
wireguard-functions.pl: Automatically skip IPv6 subnets
Since we do not support this and some VPN providers generate
configuration files that send any data over to them, we simply ignore
any IPv6 subnets.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit f7565a885b55384a64edd8bd73079143a04da519
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Fri Jul 18 09:57:34 2025 +0000
wireguard-functions.pl: Remove any carriage returns on import
Some files might include carriage returns which won't be removed by
chomp() on Linux. To be extra safe, we remove them manually.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
Choose one IP from client pool and add it to road warrior interface
wg0 so road warrior VPN client could reach firewall through the VPN
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
6.15.6 include:
From 06a34f7db773e01efa8a90c5b4d912207a80dd60 Mon Sep 17 00:00:00 2001
From: Daniel Borkmann <daniel@iogearbox.net>
Date: Sun, 17 Nov 2024 22:20:30 +0100
Subject: [PATCH] wireguard: device: support big tcp GSO
Advertise GSO_MAX_SIZE as TSO max size in order to support BIG TCP for wireguard.
This helps to improve wireguard performance a bit when enabled as it allows
wireguard to aggregate larger skbs in wg_packet_consume_data_done() via
napi_gro_receive(), but also allows the stack to build larger skbs on xmit
where the driver then segments them before encryption inside wg_xmit().
We've seen a 15% improvement in TCP stream performance.
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Link: https://patch.msgid.link/20241117212030.629159-5-Jason@zx2c4.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
---
drivers/net/wireguard/device.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/wireguard/device.c b/drivers/net/wireguard/device.c
index a2ba71fbbed46..6cf173a008e78 100644
--- a/drivers/net/wireguard/device.c
+++ b/drivers/net/wireguard/device.c
@@ -302,6 +302,8 @@ static void wg_setup(struct net_device *dev)
/* We need to keep the dst around in case of icmp replies. */
netif_keep_dst(dev);
+ netif_set_tso_max_size(dev, GSO_MAX_SIZE);
+
wg->dev = dev;
}
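Review bot: in wg_setup(), the added netif_set_tso_max_size(dev, GSO_MAX_SIZE) line carries no comment, unlike the netif_keep_dst(dev) call directly above it; a one-line comment saying that it advertises the TSO maximum so BIG TCP can be used over the device would keep the rationale next to the code. The commit message quotes a 15% TCP stream improvement without the test conditions, so stating them there, along with the fact that the gain applies only when BIG TCP is enabled, would make the figure reproducible.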
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit 0ee4f61deaf50b5c091d94afbedd5615c002cfae
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Wed Jun 25 15:22:32 2025 +0100
firewall.cgi: Remove some left-over debugging code
This code prevented that any firewall rules could have been created due
to the WUI always assuming that there would be some error.
Fixes: #13860 - Error message when creating a firewall rule with a subnet for src
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
ipfire has changed the theme css style and wireguard.cgi relies
on the new css style. Replacing the bpfire css style with the ipfire style
breaks other cgi styles, so keep the change minimal, limited to what is
relevant to the wireguard.cgi VPN peers status.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
wireguard.cgi calls errorbox and opensection/closesection,
but they are missing from header.pl. ipfire had functions.pl
removed, moved its subroutines to header.pl and added errorbox
in header.pl. To keep the change minimal so it does not affect other
features, add errorbox and opensection/closesection in functions.pl
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
missing set_defaults sub results in an error when generating the
flash image during build after adding the wireguard UI
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit c29a07b2ee505811a6cd78ca643bf816beb77375
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Mon May 26 11:38:57 2025 +0200
index.cgi: Show WireGuard status using the function library
The settings file is also loaded all the time and we don't need to load
it again.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit d6868ae94c63d0f708985e6bb6604a4bd40cf1a8
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Fri Sep 6 18:20:46 2024 +0200
firewall: Allow WG traffic when the firewall is in permissive mode
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit 50b4c402226cda390832d3124a2a46187cc635c3
Author: Stephen Cuka <stephen@firemypi.org>
Date: Thu Feb 27 16:34:16 2025 -0700
fwhosts.cgi: Add button spacing on 'Firewall/Firewall Groups' page.
Add spacing between showmenu() buttons on Firewall/Firewall Groups page to improve the look of the page.
No changes to the functions of the page.
Signed-off-by: Stephen Cuka <stephen@firemypi.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit 1de96a83d6d6cec5d4d3eda1792aa80bfbd8fafe
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Wed Apr 23 12:35:52 2025 +0200
firewall: Add support for WireGuard peers to groups
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit 468e9831d5c7b99a2dc20b66d881f43ecb0a424b
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Tue Apr 22 17:41:12 2025 +0200
firewall.cgi: Add dropdown to add WireGuard peers to a firewall rule
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit 37174e29de670a33f9be4b90c88b0a96c695dad1
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Fri Sep 27 17:55:46 2024 +0200
wireguard.cgi: Normalize filenames
This is because Windows clients won't import any configurations that
have spaces in the filename. Therefore we replace it and remove anything
else unwanted on the way.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit 06dbc836a47160d51ab10f8b9d4ca356beaa7cdb
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Tue Apr 16 18:06:47 2024 +0200
wireguard.cgi: Add a basic CGI to configure the global settings
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit 8fa1831bff7e1d76eb83b145976211aa703062e1
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Mon Mar 31 16:31:43 2025 +0200
firewall: Collect all networks that should not be NATed in an array
No functional changes.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
firewall: Explicitly don't NAT any aliases
It seems that there is a problem with local connections that have
preselected an outgoing interface. That will work just fine, but
ultimately the packet will be NATed back to the primary RED IP address.
To prevent this, we are adding some extra rules that skip the MASQUERADE
target.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
readhash is added in functions, but it appears not used
in initscripts except for testing, assume no impact to
bpfire initscripts.
commit 1c1ff05cdc37fe9ccabda9413c270935c3a45478
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Mon Mar 31 16:35:26 2025 +0200
firewall: Explicitly don't NAT any aliases
It seems that there is a problem with local connections that have
preselected an outgoing interface. That will work just fine, but
ultimately the packet will be NATed back to the primary RED IP address.
To prevent this, we are adding some extra rules that skip the MASQUERADE
target.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit ff4ff2cfe0c8565a431bf499708dcb6e5c2fb3dc
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Fri Dec 6 16:42:17 2024 +0000
initscripts: readhash: Fix handling = signs
The function expected that a line only contains exactly one equals sign
(=) which is not fit for purpose. In the WireGuard code we hold key
material that is encoded in base64 and therefore contains padding that
uses =.
This patch fixes that we expect exactly one equals sign immediately
after the key and we will then accept more = in the value - which was
already permitted.
Furthermore, this patch fixes the splitting of the key and value at the
first =.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
commit 73661e5ee1acc30e40e41493c8dfca10aa1097d0
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Fri Dec 6 16:42:16 2024 +0000
initscripts: readhash: Only strip quotes if they exist
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
commit 80c1cb5a0a
Author: Jonatan Schlag <jonatan.schlag@ipfire.org>
Date: Sun Jun 16 18:02:44 2024 +0200
initscripts fkt: Fix shebang
We use features only available in bash. So we should state correctly
that the script should be executed in bash. As sh is a symlink to bash
this makes no difference on an ipfire system. But my linter is less
chatty with this change.
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 14ecdd86f1
Author: Jonatan Schlag <jonatan.schlag@ipfire.org>
Date: Sun Jun 16 18:02:43 2024 +0200
initscripts fkt: keep readhash compatible with older implementation
With the use of eval BLUE_DEV='blue0 net0' stored "blue0 net0" in the
variable BLUE_DEV not "'blue0 net0'"
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit f1d94e7457
Author: Jonatan Schlag <jonatan.schlag@ipfire.org>
Date: Sun Jun 16 18:02:42 2024 +0200
initscripts fkt: readhash should only parse lines with a =
A line without a = is clearly invalid.
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 9f72b7bc5f
Author: Jonatan Schlag <jonatan.schlag@ipfire.org>
Date: Sun Jun 16 18:02:41 2024 +0200
initscripts fkt: Check for invalid values in readhash
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 02254f5543
Author: Jonatan Schlag <jonatan.schlag@ipfire.org>
Date: Sun Jun 16 18:02:40 2024 +0200
initscripts fkt: ignore invalid keys in readhash
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit d289bc28be
Author: Jonatan Schlag <jonatan.schlag@ipfire.org>
Date: Sun Jun 16 18:02:39 2024 +0200
initscripts fkt: Ignore comments in readhash
As '#Another Comment' is a valid key we test this change by checking if
the comments do not end up as keys in our array.
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 59e3c2a217
Author: Jonatan Schlag <jonatan.schlag@ipfire.org>
Date: Sun Jun 16 18:02:38 2024 +0200
initscript fkt: ignore blank lines in readhash
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 96bb3ba8b8
Author: Jonatan Schlag <jonatan.schlag@ipfire.org>
Date: Sun Jun 16 18:02:37 2024 +0200
initscript functions: add readhash
To avoid the usage of eval and to store the config in a key value
array, we introduce a new function. The tests only check if we
read the correct value to the correct variable.
One comment on the implementation as this has created some headache:
From https://www.gnu.org/software/bash/manual/bash.html#Bourne-Shell-Builtins
"When used in a function, declare makes each name local, as with the local command, unless the -g option is used."
So we need to use -g here
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit db09ea9e5c
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Sat Mar 23 14:35:39 2024 +0100
initscripts: Don't overwrite the PID file
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 5900a95059
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Sat Mar 23 14:31:49 2024 +0100
initscripts: Fix reading PIDs
An incorrect variable has been used.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 6e47a143c9
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Sat Mar 23 14:30:33 2024 +0100
initscripts: Handle command arguments as array
For some reason, the function is refusing to launch a command that has
extra arguments.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit ed91103e22
Author: Stefan Schantl <stefan.schantl@ipfire.org>
Date: Wed Mar 27 20:39:17 2024 +0100
initscripts: Add generic function to get the filesystem type of a volume
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
commit c3019331df
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Thu Jan 11 15:59:34 2024 +0100
initscripts: Implement storing PIDs in loadproc
Some programs do not write their own PID files any more, but since our
initscripts heavily rely on those, this extension allows to store it
easily.
Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
commit dd8ef8cc10
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Thu Jan 11 15:57:50 2024 +0100
initscripts: Fix wrong variable check for $PIDFILE in getpids
getpids() checked whether it needed to pass a pid file to pidofproc, but
the check was inverted.
Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
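The readhash behaviour described in the initscripts commits above (skip blank lines, comments and lines without =, ignore invalid keys, split at the first = so base64 padding survives, strip quotes only if they exist, never use eval), as an added example that is not IPFire's own function. The names settings_get and write_sample_settings, the key pattern and the sample file are assumptions of this example, and it prints one value rather than filling a declare -g array.

```bash
#!/bin/bash
# Added example: eval-free lookup in a KEY=VALUE settings file.
# settings_get and write_sample_settings are hypothetical names, and the
# key rule ([A-Za-z_][A-Za-z0-9_]*) is an assumption of this example.

# settings_get FILE KEY: print the value stored for KEY; return 1 if absent.
settings_get() {
	local file="$1" want="$2" line key val result="" found=1

	while IFS= read -r line || [ -n "$line" ]; do
		case "$line" in
			''|'#'*) continue ;;   # blank line or comment
			*=*) ;;                # has at least one "=": go on
			*) continue ;;         # no "=" at all: not a setting
		esac

		key=${line%%=*}    # everything before the FIRST "="
		val=${line#*=}     # everything after it, further "=" included

		case "$key" in
			''|[!A-Za-z_]*|*[!A-Za-z0-9_]*) continue ;;   # invalid key
		esac

		# Strip one pair of surrounding quotes, only if both are present.
		case "$val" in
			\'*\') val=${val#\'}; val=${val%\'} ;;
			\"*\") val=${val#\"}; val=${val%\"} ;;
		esac

		# The last assignment wins, as it would when filling an array.
		if [ "$key" = "$want" ]; then
			result=$val
			found=0
		fi
	done < "$file"

	if [ "$found" -eq 0 ]; then
		printf '%s\n' "$result"
	fi
	return "$found"
}

# Write a constructed sample file (all values are made up for this example).
write_sample_settings() {
	cat > "$1" <<'EOF'
# constructed sample settings

BLUE_DEV='blue0 net0'
PRIVATE_KEY=c2FtcGxlLWtleS1ub3QtcmVhbA==
NAME="road warrior"
HOSTCMD=$(hostname)
QUOTE='
#COMMENTED=1
this line has no equals sign
BAD KEY=ignored
EOF
}

# Demo: values are returned as literal text, nothing is ever executed.
tmp=$(mktemp)
write_sample_settings "$tmp"
for k in BLUE_DEV PRIVATE_KEY HOSTCMD COMMENTED; do
	printf '%s -> %s\n' "$k" "$(settings_get "$tmp" "$k" || echo '<not set>')"
done
rm -f "$tmp"
```

Because the value is only ever assigned and compared, a line such as `HOSTCMD=$(hostname)` comes back as that literal string, which is the property the move away from eval buys.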
commit fc32e7b9147d2eeeb6e2bc1497859fb050001eb5
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Tue Apr 16 16:20:55 2024 +0200
firewall: Automatically open ports for WireGuard
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit 459bb750298c09990c0c8d4677f0f442887304d0
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Sat Apr 26 14:30:44 2025 +0200
wireguard: Automatically apply MASQUERADE for peers with local address
In this case we are the client and we cannot leak any local subnets.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>