webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-10 19:15:54 +02:00
Code Issues Packages Projects Releases Wiki Activity
13,917 Commits 2 Branches 1 Tag
856cdf15df30e3cab170581b2cd3e4c19fbb9170
Commit Graph

13917 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Arne Fitzenreiter
856cdf15df core138: add openssl 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 19:04:48 +00:00
peter.mueller@ipfire.org
e153efaf11 OpenSSL: drop preferring of Chacha20/Poly1305 over AES-GCM 
As hardware acceleration for AES is emerging (Fireinfo indicates
30.98% of reporting installations support this, compared to
28.22% in summer), there is no more reason to manually prefer
Chacha20/Poly1305 over it.

Further, overall performance is expected to increase as server
CPUs usually come with AES-NI today, where Chacha/Poly would
be an unnecessary bottleneck. Small systems without AES-NI,
however, compute Chacha/Poly measurable, but not significantly faster,
so there only was a small advantage of this.

This patch changes the OpenSSL default ciphersuite to:

TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=Camellia(256) Mac=SHA384
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-RSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=Camellia(256) Mac=SHA384
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=Camellia(128) Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=Camellia(128) Mac=SHA256
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH       Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
DHE-RSA-CAMELLIA256-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA256
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA256
ECDHE-ECDSA-AES256-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES128-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
ECDHE-RSA-AES256-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES128-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA1
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
CAMELLIA256-SHA256      TLSv1.2 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA256
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
CAMELLIA128-SHA256      TLSv1.2 Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA256
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
CAMELLIA256-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
CAMELLIA128-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA1

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 19:01:19 +00:00
Arne Fitzenreiter
1826c42b9e core138: add ovpnmain.cgi 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 18:55:53 +00:00
Erik Kapfer
fa5274763c OpenVPN: Fix max-clients option 
Fix: Triggered by https://forum.ipfire.org/viewtopic.php?f=16&t=23551

Since the 'DHCP_WINS' cgiparam has been set for the max-client directive, changes in the WUI has not been adapted to server.conf.

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 18:55:15 +00:00
Arne Fitzenreiter
c86bf0bf24 core138: add unbound initscript 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 18:54:28 +00:00
Michael Tremer
cdf373c8fc unbound: Fix whitespace error in initscript 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 18:53:50 +00:00
Arne Fitzenreiter
d93b76a00e core138: add openvpn 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 18:52:15 +00:00
Erik Kapfer
a0926f75e0 OpenVPN: Update to version 2.4.8 
This is primarily a maintenance release with bugfixes and improvements. All changes can be overviewed in here -->
https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24 .

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 18:51:21 +00:00
Arne Fitzenreiter
64e0b8a5af core138: add init.d/functions 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 18:50:07 +00:00
Michael Tremer
31a36bb951 initscripts: Tell users to report bugs on Bugzilla 
I have been receiving a couple of emails recently directed
at info@ipfire.org with bug reports when a system did not
boot up or shut down properly.

This is obviously not the right way to report bugs, but
we are telling our users to do so.

This patch changes this to report bugs to Bugzilla like
it should be.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 18:47:38 +00:00
Erik Kapfer
cb41e4a9a9 libarchiv: Update to version 3.4.0 
Version 3.4.0 is a feature and security release. The changelog can be found in here --> https://github.com/libarchive/libarchive/releases .

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 18:45:32 +00:00
Arne Fitzenreiter
eeb1a2a219 core138: add lz4 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 18:44:36 +00:00
Erik Kapfer
bc456dd750 lz4: Update to version 1.9.2 
Several fixes and improvements has been integrated. The changes list through the different versions since
the current version 1.8.1.2 can be found in here --> https://github.com/lz4/lz4/releases

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 18:43:04 +00:00
Arne Fitzenreiter
39bf8c6341 core138: add mail.cgi 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 18:42:17 +00:00
Michael Tremer
095bf49407 mail.cgi: Do not print content of input fields 
This was printed unescaped and could therefore be used
for a stored XSS attack.

Fixes: #12226
Reported-by: Pisher Honda <pisher24@gmail.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 18:41:02 +00:00
Michael Tremer
0a340fbe1e mail.cgi: Always check content of fields 
These checks did not do anything but clear all fields
when mailing was disabled.

It makes a lot more sense to retain people's settings,
even when they have been disabled.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 18:41:01 +00:00
peter.mueller@ipfire.org
8f9c4081b4 Core Update 138: ship ca-certificates 
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 18:40:04 +00:00
peter.mueller@ipfire.org
d5ccd924e0 update ca-certificates CA bundle 
Update the CA certificates list to what Mozilla NSS ships currently.

The original file can be retrieved from:
https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 18:39:50 +00:00
peter.mueller@ipfire.org
c772b7550c Tor: fix permissions of /var/ipfire/tor/torrc after installation 
Fixes #12220

Reported-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-29 19:50:32 +00:00
Arne Fitzenreiter
94c09bd9c4 core138: add firewall-lib.pl to update 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-29 13:25:55 +00:00
Stefan Schantl
dba780a784 firewall-lib.pl: Populate GeoIP rules only if location is available. 
In case a GeoIP related firewall rule should be created, the script
now will check if the given location is still available.

Fixes #12054.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-29 13:23:43 +00:00
Arne Fitzenreiter
75612f0644 start core138 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-29 13:22:31 +00:00
Michael Tremer
a42dfb216d speedtest-cli: Use Python 3 instead of Python 2 
This seems to be required although the documentation says
that Python 2 is supported.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-29 13:17:11 +00:00
Michael Tremer
45a3168ef1 python3: Bump release version to redistribute package 
Python 3 was linked against an old version of OpenSSL on my
system and to avoid this, we need to ship it again being built
against the current version of it.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-29 13:17:07 +00:00
Michael Tremer
d704e75d75 QoS: Do no classify as default when L7 filter isn't done 
We need to allow some more packets to pass through the
mangle chains so that the layer 7 filter can determine
what protocol it finds.

If L7 filter decides that a connection is of type "unknown",
we mark it as default, or it is marked with the correct class.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-22 15:57:01 +00:00
Arne Fitzenreiter
41c242bff8 Revert "Revert "Revert "core137: Remove imq0 and unload imq module after QoS has been stopped""" 
This reverts commit e4d242da4a.

this fails because we let QoS running and it doesn't like if the imq0
device was removed. (why imq0 can removed when it is up?)
 2019-10-22 15:54:37 +00:00
Matthias Fischer
4ba4645d12 bind: Update to 9.11.12 
For details see:
https://downloads.isc.org/isc/bind9/9.11.12/RELEASE-NOTES-bind-9.11.12.html

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-21 19:01:32 +00:00
Michael Tremer
b3ce3510ad grub: Build after Python is available 
The build sometimes aborted because python was not found
when Grub was being built for EFI.

Fixes: #12209
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-21 19:01:03 +00:00
Arne Fitzenreiter
e4d242da4a Revert "Revert "core137: Remove imq0 and unload imq module after QoS has been stopped"" 
This reverts commit 39c4ed4427.
 2019-10-21 19:00:19 +00:00
Michael Tremer
615bf6e0f0 QoS: Delete more unused iptables commands 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-21 18:58:36 +00:00
Michael Tremer
76bf53db8b QoS: Drop support for setting TOS bits per class 
This is useless since no ISP will evaluate those settings
any more and it has a rather large impact on throughput.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-21 18:58:31 +00:00
Michael Tremer
6f07564242 QoS: No longer set TOS bits for ACK packets 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-21 18:58:29 +00:00
Michael Tremer
1e35eeac59 QoS: Remove some IPsec rules which never worked 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-21 18:58:25 +00:00
Michael Tremer
fc09b98296 QoS: Classify incoming traffic in PREROUTING 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-21 18:58:23 +00:00
Daniel Weismüller
4b5aa97393 QoS: Use CONNMARK to mark connections in connection tracking 
This patch modifies the connection tracking in that ways that
it sets a connection mark which will be retrieved when a packet
is being redirected to the IFB interface.

This way, we can use classification without having the packet
being sent through iptables first.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-21 18:58:20 +00:00
Michael Tremer
7d770777e0 Revert "Make IMQ Switchable between PREROUTING and POSTROUTING" 
This reverts commit 88b8ffac6b.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-21 18:58:14 +00:00
Michael Tremer
afe23fbb52 QoS: Drop support for subclasses 
This feature was never properly implemented and the UI was dead

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-21 18:58:12 +00:00
Michael Tremer
8d6b654369 QoS: Suppress an error message when cleaning up from previous runs 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-21 18:58:10 +00:00
Michael Tremer
951a9f9ba0 linux+iptables: Drop support for IMQ 
This is no longer needed since we are using IFB now

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-21 18:58:08 +00:00
Michael Tremer
50ed363e89 QoS: Do not delete egress qdisc after classes have been created 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-21 18:58:06 +00:00
Michael Tremer
677c1f47d7 QoS: Start qosd immediately 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-21 18:57:59 +00:00
Michael Tremer
96f16b8501 QoS: Tidy up qdiscs after QoS is being stopped 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-21 18:57:53 +00:00
Michael Tremer
0dfb3984d0 QoS: Use Intermediate Functional Block 
This is an alternative implementation to the Intermediate Queuing
Device (IMQ) which is an out-of-tree kernel patch and has been
criticised for being slow, especially with mutliple processors.

IFB is part of the mainline kernel and a lot less code.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-21 18:57:41 +00:00
Michael Tremer
c37af2f004 QoS: Do not manually load iptables modules 
This should not be necessary and causes the script to
wait for two seconds.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-21 18:57:14 +00:00
Arne Fitzenreiter
3670ac5622 core137: remove QoS stop at update 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-20 20:29:50 +00:00
Arne Fitzenreiter
39c4ed4427 Revert "core137: Remove imq0 and unload imq module after QoS has been stopped" 
This reverts commit f48920d84f.
 2019-10-20 20:28:10 +00:00
Arne Fitzenreiter
fb41342122 Revert "QoS: Do not manually load iptables modules" 
This reverts commit cae6916d59.
 2019-10-20 20:25:24 +00:00
Arne Fitzenreiter
bd122644e4 Revert "QoS: Use Intermediate Functional Block" 
This reverts commit 3c33d9d854.
 2019-10-20 20:24:43 +00:00
Arne Fitzenreiter
707e0471ce Revert "Revert "Make IMQ Switchable between PREROUTING and POSTROUTING"" 
This reverts commit ec01ebe246.
 2019-10-20 20:24:16 +00:00
Arne Fitzenreiter
5e661eb533 Revert "QoS: Tidy up qdiscs after QoS is being stopped" 
This reverts commit eedf7b06c0.
 2019-10-20 20:23:54 +00:00