Michael Tremer
94a51c64bb
unbound: Remove test-name-server command
...
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2020-01-07 11:18:41 +00:00
Michael Tremer
15cf79e3b8
unbound: Convert forward zones to stub zones
...
It was incorrect to use forward zones here, because that
assumes that unbound is talking to a recursive resolver here.
The feature is however designed to be talking to an authoritative
server.
Fixes: #12230
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2020-01-07 11:14:30 +00:00
Michael Tremer
dea5f34914
unbound: Allow forcing to speak TLS to upstream servers only
...
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2020-01-07 11:14:05 +00:00
Michael Tremer
372576e0ab
unbound: Set EDNS buffer size to 1232 bytes
...
Fixes: #12240
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2020-01-07 11:12:33 +00:00
Michael Tremer
ecbf66761f
DNS: Add converter to migrate settings
...
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2020-01-07 10:43:19 +00:00
Stefan Schantl
0bb159bbfc
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next
2020-01-05 12:15:00 +01:00
Michael Tremer
321c211528
glib: Fix compiling with GCC 9
...
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2020-01-04 18:24:15 +00:00
Michael Tremer
d04fb4ee34
efivar: Update to 37
...
This also fixes some build issues with GCC 9.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2020-01-04 18:23:54 +00:00
Michael Tremer
3e8dd2d3ed
mdadm: Update to 4.1
...
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2020-01-04 18:23:52 +00:00
Stefan Schantl
c5d20f9665
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next
2020-01-03 11:06:47 +01:00
Arne Fitzenreiter
c846ed1616
pakfire: use HTTPS if no protocol is specified
...
also use HTTPS on fallback to mainserver if no mirror was left
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2020-01-02 16:17:54 +00:00
Michael Tremer
25d5058974
stripper: Strip all unneeded relocation information
...
Libraries were treated differently and therefore it could
happen that they were not stripped from any unnecessary
relocation information at all.
This patch changes that and strips everything from
libraries that we do not need.
The ISO was 3MB smaller.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-12-29 19:20:44 +00:00
Stefan Schantl
0db643ce38
rfkill: New package.
...
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-12-29 19:14:30 +00:00
Stefan Schantl
51b63b4186
IDS: Allow to inspect traffic from or to OpenVPN
...
This commit allows to configure suricata to monitor traffic from or to
OpenVPN tunnels. This includes the RW server and all established N2N
connections.
Because the RW server and/or each N2N connection uses its own tun?
device, it is only possible to enable monitoring all of them or to disable
monitoring entirely.
Fixes #12111.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-12-29 19:12:06 +00:00
Michael Tremer
d7190078ce
unbound: Configure Safe Search dynamically
...
The safe search code relied on working DNS resolution, but
was executed before unbound was even started and no network
was brought up.
That resulted in no records being created and nothing being
filtered.
This will now set/reset safe search when the system connects
to the Internet.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-12-29 08:51:21 +00:00
Stéphane Pautrel
1ec1e499d0
Update of French translations
...
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-12-29 08:50:52 +00:00
Stefan Schantl
1cb8ffe84d
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next
2019-12-16 09:04:29 +01:00
Arne Fitzenreiter
dd12d8c54c
leds: use new APUx ACPI Bios leds if exist.
...
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-12-09 14:50:44 +01:00
Stefan Schantl
93a985cc05
Introduce update-location-database script.
...
This script obsoletes the old xt_geoip_update script.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
2019-12-09 14:14:34 +01:00
Peter Müller
bf9fa6d864
hwdata: update PCI/USB databases
...
PCI IDs: 2019-11-26 03:15:03
USB IDs: 2019-11-05 20:34:06
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-12-02 17:02:20 +00:00
Arne Fitzenreiter
bedfda83c9
dhcpcd.exe: remove red.down run on "NOCARRIER"
...
after "NOCARRIER" the dhcp client always runs the "EXPIRE" event.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-12-01 18:33:19 +01:00
Arne Fitzenreiter
941520c69c
Merge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next
2019-12-01 16:36:43 +01:00
Arne Fitzenreiter
d346d47467
up/down beep: move from ppp ip-up/down to general red.up/down
...
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-12-01 15:29:59 +01:00
Arne Fitzenreiter
455291f90e
70-dhcpdd.exe: don't run red.down scripts at "PREINIT"
...
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-12-01 14:43:49 +01:00
Arne Fitzenreiter
fff96e3945
networking red: add delay to wait for carrier
...
some NICs need some time after link up to get a carrier
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-11-30 22:26:00 +01:00
Arne Fitzenreiter
f938083fb5
dhcpcd: 10-mtu break if carrier was lost
...
some NICs like Intel e1000e need a reinit to change the
mtu. In this case the dhcp hook reinits the NIC and terminates now
to let the dhcpcd reinit the card in background without running the
rest of the hooks.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-11-30 22:21:42 +01:00
Matthias Fischer
ee506d5027
calamaris: Bug fix for proxy reports staying empty after Core 136 upgrade
...
After upgrading to Core 136, 'calamaris' "Proxy reports" stayed empty.
GUI always shows "No reports available".
Tested manually on console stops and throws an error:
...
root@ipfire: ~ # /usr/bin/perl /var/ipfire/proxy/calamaris/bin/mkreport
1 0 2019 8 10 2019 -d 10 -P 30 -t 10 -D 2 -u -r -1 -R 100 -s
Can't use 'defined(%hash)' (Maybe you should just omit the defined()?)
at /var/ipfire/proxy/calamaris/bin/calamaris line 2609.
...
Line 2609 was changed and reports are built again.
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-11-30 09:46:19 +00:00
Peter Müller
415fb8b5bd
bash: update to 5.0 (patchlevel 11)
...
The third version of this patch also includes patches 1-11
for version 5.0, drops orphaned 4.3 patches, and fixes rootfile
mistakes reported by Arne.
Please refer to https://tiswww.case.edu/php/chet/bash/bashtop.html
for release notes.
Cc: Michael Tremer <michael.tremer@ipfire.org>
Cc: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-11-13 19:42:59 +00:00
Peter Müller
c82aa03e2c
readline: update to 8.0 (patchlevel 1)
...
The third version of this patch fixes missing rootfile changes, drops
orphaned readline 5.2 patches (as they became obsolete due to
readline-compat changes), includes readline 8.0 upstream patch, and
keeps the for-loop in LFS file (as commented by Michael).
Cc: Michael Tremer <michael.tremer@ipfire.org>
Cc: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-11-13 19:42:43 +00:00
Stephan Feddersen
83596e7059
wio-1.3.2-7: fixed bug with arp client import
...
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-11-13 19:41:37 +00:00
Stefan Schantl
4ae9d47ba3
ddns: Import rename NoIP.com handle back to no-ip.com patch
...
This patch is required for compatibility reasons for any existing
configurations.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-11-13 19:40:52 +00:00
Jonatan Schlag
9cc131cc5a
Update qemu to version 4.1.0
...
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-11-13 19:40:39 +00:00
Jonatan Schlag
3e5d4e6f83
libvirt: use a custom config file
...
The patch which adjusts the options for IPFire in the libvirtd.conf does
not apply in a newer version of libvirt. Creating this patch is harder
than to use a separate config file.
This separate config file also enables us to adjust options much faster.
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-11-13 19:38:59 +00:00
Stefan Schantl
527c3f39b8
ddns: Import upstream patch for NoIP.com
...
Reference: #11561.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-11-13 19:36:11 +00:00
Stefan Schantl
c8b068a2b5
red.up: Generate Suricata DNS servers file on reconnect.
...
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-11-13 19:14:20 +00:00
peter.mueller@ipfire.org
e153efaf11
OpenSSL: drop preferring of Chacha20/Poly1305 over AES-GCM
...
As hardware acceleration for AES is emerging (Fireinfo indicates
30.98% of reporting installations support this, compared to
28.22% in summer), there is no more reason to manually prefer
Chacha20/Poly1305 over it.
Further, overall performance is expected to increase as server
CPUs usually come with AES-NI today, where Chacha/Poly would
be an unnecessary bottleneck. Small systems without AES-NI,
however, compute Chacha/Poly measurably, but not significantly faster,
so there only was a small advantage of this.
This patch changes the OpenSSL default ciphersuite to:
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
ECDHE-ECDSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=Camellia(256) Mac=SHA384
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=Camellia(256) Mac=SHA384
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
ECDHE-ECDSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=Camellia(128) Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=Camellia(128) Mac=SHA256
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
DHE-RSA-CAMELLIA256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA256
DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
DHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA256
ECDHE-ECDSA-AES256-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
ECDHE-ECDSA-AES128-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1
ECDHE-RSA-AES256-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-RSA-AES128-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
CAMELLIA256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA256
AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
CAMELLIA128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA256
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
CAMELLIA256-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
CAMELLIA128-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA1
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-11-13 19:01:19 +00:00
Michael Tremer
cdf373c8fc
unbound: Fix whitespace error in initscript
...
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-11-13 18:53:50 +00:00
Michael Tremer
31a36bb951
initscripts: Tell users to report bugs on Bugzilla
...
I have been receiving a couple of emails recently directed
at info@ipfire.org with bug reports when a system did not
boot up or shut down properly.
This is obviously not the right way to report bugs, but
we are telling our users to do so.
This patch changes this to report bugs to Bugzilla like
it should be.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-11-13 18:47:38 +00:00
Erik Kapfer
bc456dd750
lz4: Update to version 1.9.2
...
Several fixes and improvements have been integrated. The list of changes through the different versions since
the current version 1.8.1.2 can be found here --> https://github.com/lz4/lz4/releases
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-11-13 18:43:04 +00:00
peter.mueller@ipfire.org
c772b7550c
Tor: fix permissions of /var/ipfire/tor/torrc after installation
...
Fixes #12220
Reported-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-10-29 19:50:32 +00:00
Michael Tremer
951a9f9ba0
linux+iptables: Drop support for IMQ
...
This is no longer needed since we are using IFB now
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-10-21 18:58:08 +00:00
Arne Fitzenreiter
c27fdd8697
Revert "linux+iptables: Drop support for IMQ"
...
This reverts commit 59b9a6bd22.
2019-10-20 20:20:26 +00:00
Arne Fitzenreiter
be967dc920
Revert "firewall: always allow outgoing DNS traffic to root servers"
...
This reverts commit 70cd5c42f0.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-10-18 16:13:49 +02:00
Arne Fitzenreiter
ea16154f5c
Revert "bash: add patches 001 - 011 for 5.0 version"
...
This reverts commit 2c0ee2b962.
2019-10-15 07:36:47 +00:00
Arne Fitzenreiter
918a57cfeb
Revert "readline: add patch 001 for version 8.0"
...
This reverts commit c5f0c44451.
2019-10-15 07:36:00 +00:00
Arne Fitzenreiter
d19c82678b
Revert "bash/readline: drop orphaned patches"
...
This reverts commit 95f1c332d8.
2019-10-15 07:35:22 +00:00
Michael Tremer
59b9a6bd22
linux+iptables: Drop support for IMQ
...
This is no longer needed since we are using IFB now
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-10-14 18:02:55 +00:00
Michael Tremer
a3f4b8c6f7
99-geoip-database: Fix download
...
This script started a fresh download every time it was called,
which is unnecessary.
The check to skip the download did not work because it was
looking for the old data format.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-10-14 17:47:31 +00:00
Daniel Weismüller
a18addb946
xt_geoip_update: Always call the cleanup function when some step fails
...
Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-10-14 17:45:29 +00:00
Daniel Weismüller
7b2d933055
xt_geoip_update: Do not create temporary directories again
...
These already exist
Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-10-14 17:45:27 +00:00