If the system time is incorrect, DNSSEC validation fails, but it sometimes already fails for pool.ntp.org but not for ping.ipfire.org.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
This patch makes this package available for aarch64. There are no
reasons why it shouldn't be.
Compiling has become more resource-hungry which is why the memory
consumption per process has been upped to 3GiB.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
These are no longer necessary, since ddns 0.14 comes with both of them
applied.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
After removing the mark rules, these rules are useless because they should skip expensive policy matches
that are now removed.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- Backup definition missing - created ro backup config file
- Update of rootfile
- Addition of backup definition install into lfs file
- Addition of restore and backup statements into install.sh and uninstall.sh pak scripts
Fixes: 12710
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
pppd 2.4.9 supports IPv6 and asks for an IPv6 configuration by default.
Setting the received prefix in the kernel will never work, however, as
the rest of IPFire 2.x does not support IPv6.
pppd notifies the ISP about this, and at least Otenet (GR) and British
Telecom (several countries) decide to close a dial-up connection then.
German DTAG seems to ignore such errors silently.
This patch adds an option to the pppd call to prevent asking for an
IPv6 configuration, hence avoiding these errors.
To apply this patch, it is necessary to ship ppp 2.4.9 again. Since I
have no access to a testing machine behind an ISP supporting IPv6, this
patch unfortunately is untested.
Fixes: #12651
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- Addition of mdadm module to logwatch
- Addition of logwatch to sudoers list to run mdadm commands
- patch to change logwatch mdadm.conf to allow scan for raid drives, change mdadm script
to run mdadm scan commands with sudo, allow clean but degraded drives to be listed
in the output.
Fixes: 12080
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
NFQUEUE does not let the packet continue where it was processed, but
inserts it back into iptables at the start. That is why we need an
extra IPSBYPASS chain which has the following tasks:
* Make the BYPASS bit permanent for the entire connection
* Clear the REPEAT bit
The latter is more of cosmetic nature so that we can identify packets
that have come from suricata again and those which have bypassed the IPS
straight away.
The IPS_* chain will now only be sent traffic when neither of the two
relevant bits has been set. Otherwise the packet has already been
processed by suricata in the first pass or suricata has decided to
bypass the connection.
This massively reduces load on the IPS which allows many common
connections (TLS connections with downloads) to bypass the IPS bringing
us back to line speed.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Tested-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
This patch adds a new $mirror option to the configuration file which
will cause Pakfire to only use this one to download any files.
This feature is disabled by default but useful for development.
Fixes: #12706
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- Modification of iostat line as per input in Bug#12702
Fixes: 12702
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
This change is necessary because we are using the right-hand two bytes
for storing the QoS classes.
All IPsec traffic will now be skipped and never classified by the QoS.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
In order to use the highest two bits for suricata bypass, we will need
to make sure that whenever we compare any other marks, we do not care
about anything else.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
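Added example, not part of the commit messages above and not IPFire's own rules: a small Python model of the mark handling described in the IPS bypass, QoS and mark-masking commits. The exact bit positions, the restore of the BYPASS bit from the connection mark and the single-function chain walk are assumptions made for illustration.

```python
# Assumed layout, not taken from the page: the two highest bits carry the
# IPS state, the low two bytes carry the QoS class.
REPEAT = 0x80000000      # packet has already been through suricata
BYPASS = 0x40000000      # suricata decided to bypass this connection
IPS_MASK = REPEAT | BYPASS
QOS_MASK = 0x0000FFFF


def mark_matches(mark, value, mask=0xFFFFFFFF):
    """Same comparison as iptables `-m mark --mark value/mask`."""
    return (mark & mask) == value


def traverse(mark, connmark, verdict_bits):
    """Walk one packet through the modelled chains.

    verdict_bits: bits a stand-in suricata sets before the packet is
    re-inserted at the start of the ruleset (REPEAT, optionally | BYPASS).
    Returns (final mark, new connmark, number of IPS passes).
    """
    mark |= connmark & BYPASS            # BYPASS restored from the connection
    ips_passes = 0
    if mark_matches(mark, 0, IPS_MASK):  # neither bit set: send to IPS_*
        ips_passes += 1
        mark |= verdict_bits             # NFQUEUE puts the packet back at the start
    # Second pass (or already bypassed connection): IPSBYPASS chain
    connmark |= mark & BYPASS            # make BYPASS permanent for the connection
    mark &= ~REPEAT & 0xFFFFFFFF         # clear REPEAT
    return mark, connmark, ips_passes


def demo():
    """Constructed connection: QoS class 0x0102, bypassed on the second packet."""
    connmark, passes, marks = 0, [], []
    for verdict in (REPEAT, REPEAT | BYPASS, REPEAT, REPEAT):
        mark, connmark, n = traverse(0x0102, connmark, verdict)
        passes.append(n)
        marks.append(mark)
    return passes, marks
```

Once the BYPASS bit is set, an unmasked comparison against the QoS class no longer matches, which is why every other mark comparison has to be restricted to its own bits.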
u-boot for nanopi r2s (rockchip rk3328) needs dtc to build the image,
so this adds dtc as a build dependency for u-boot.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- Added --without-rlm_python to ./configure to allow running without python2
- Updated rootfile
- Updated patch for preventing cert generation during buildtime to work with new
version of source code
- Update from 3.0.21 to 3.0.23
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
The mq_notify function has a potential use-after-free issue when using a
notification type of SIGEV_THREAD and a thread attribute with a non-default
affinity mask.
The fix for this introduced a NULL pointer dereference.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- Patch created to convert all python modules to python3 compatibility that need it.
2to3 converter used for this.
- Start initscript changed to use python3
- No change required in rootfile
- Execution of patch added to lfs file
- Tested in vm machine. WUI page showed the same as with the python version.
scan of directory for mp3 (.flac) files was successful. Could not test actual audio
playing capability as my vm testbed does not have any audio setup at this time.
I believe that the purpose of client175 is to provide the WUI page and for that my
testing seemed to show everything working as expected.
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- Update from 7.80 to 7.91
- Update of rootfile
- Changelog is too long to include here
Full details can be found in the CHANGELOG file in the source tarball
- Added patch to fix segfault - https://github.com/nmap/nmap/issues/2154
- Ran with unpatched 7.91 version
$ touch /tmp/foo
$ nc -U /tmp/foo
Segmentation fault - flagged problem in #12647
- Ran with patched 7.91 version
$ touch /tmp/foo
$ nc -U /tmp/foo
Ncat: Connection refused. - Expected behaviour
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Since systemd, many programs no longer behave like a well-behaved
daemon. To avoid any extra solutions, this patch adds a -b switch which
will start a program in the background and throw away any output.
The behaviour remains unchanged for any other programs.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- Update from 6.0.2 (2005) to 12.5.4 (2021)
- sysstat-6.0.2-sysconf.patch no longer required. Built into source as standard now.
- Update rootfile
rootfile made the same as previous version. New options are available, such as
pidstat and tapestat but they have been commented out in the rootfile. If required
in the future they can be uncommented.
- iso that was built with this sysstat was installed into vm testbed and confirmed
that all graphs working, especially those related to disk stats.
- Changelog is too large to show here. Full details for all previous versions can be
found in the CHANGES file in the source tarball.
- At least 25 bugs fixed between the two versions.
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
This is a major update to the latest available version of ddns.
Remove patches which are part of the upstream release.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- Update from 2.0.18 (2011) to 2.1.0 (2016 - latest version)
- Update of rootfile not required
- Changelog
2016-03-08 Dmitry Butskoy <Dmitry@Butskoy.name> - 2.1.0
* Improve the main loop for better interactivity.
Instead of waiting silently for maximum expiration time of probes
in progress, use timeout of the first probe (which will be printed
first from now) only.
* Speedup wait mechanism.
Traditional traceroute implementation always waited the whole timeout
for any probe. But if we already have some replies from the same hop,
or even from some next hop, we can use the round trip time
of such a reply as a hint to determine the actual reasonable
amount of time to wait.
Now the `-w' option has a form of three (in general) float values
separated by a comma (or a slash): `-w MAX_SECS,HERE,NEAR' .
(last two are optional). MAX_SECS specifies the maximum time
(in seconds) to wait, in any case.
The optional HERE specifies a factor to multiply the round trip time
of an already received response from the same hop.
The resulting value is used as a timeout for the probe, instead of
(but no more than) MAX_SECS. The optional NEAR specifies a similar
factor for a response from some next hop.
The time of the first found result is used in both cases.
First, we look for the same hop (of the probe which will be printed
first from now). If nothing found, then look for some next hop.
If nothing found, use MAX_SECS. If HERE and/or NEAR have zero values,
the corresponding computation is skipped.
HERE and NEAR are always set to zero if only MAX_SECS is specified
(which provides compatibility with previous versions). Thus, if your
scripts use `-w SECS', then nothing changed for you, since
the lonely SECS implies `-w SECS,0,0' .
Defaults are 5.0 seconds for MAX_SECS, 3.0 times for HERE and
10.0 times for NEAR.
Certainly, the new algorithm can lead to premature expiry
(especially when response times differ at times) and printing "*"
instead of a time. Anyway, you can always switch this algorithm off,
just by specifying `-w' with the desired timeout only (fe. `-w 5').
We continue to wait whole MAX_SECS when one probe per time
must be sent (`--sport', `-P proto'), because it seems more harmful
rather than helpful to try to wait less in such cases.
To provide compatibility with 2.0.x versions, use:
traceroute -w 5
(or any other desired `-w' value).
* Hint people to use the system traceroute(8) instead of
tcptraceroute wrapper (by providing a stderr header).
The using of this wrapper is a little bit harmful, since it has
less possibilities and a little different set of options.
For those who are used to use tcptraceroute in cmdline,
just create a link with that name to the system traceroute.
When invoked as "tcp*", it then behaves as `traceroute -T'.
(The simple manual page added for this case in the wrapper subdir).
The original tcptraceroute had some options that differ ("lpNSAE"),
but they were rarely used. The most common "dnFifmqwst" were just the same.
Therefore it should be painless to use the system binary directly,
instead of the limited wrapper (which is still provided indeed).
2016-02-15 Dmitry Butskoy <Dmitry@Butskoy.name> - 2.0.22
* Some portability fixing and improvements (Felix Janda)
* Require clear numbers for options and arguments (Sergey Salnikov)
* Drop compilation date from the version string (Debian #774365)
* New tcp module option `reuse', which utilize SO_REUSEADDR
to reuse local port numbers for the huge workloads (Richard Sheehan)
* Avoid poll(2) call with spurious zero timeout in some rare cases
by rounding the value properly using ceil(3)
2014-11-12 Dmitry Butskoy <Dmitry@Butskoy.name> - 2.0.21
* Fix `--mtu' and `-F' working on kernels >= 3.13
* Some manual page improving (Christopher Mann)
2014-06-14 Dmitry Butskoy <Dmitry@Butskoy.name> - 2.0.20
* Describe all complementary long options in the man page (Jan Synacek)
* Use correct service name for AS lookups (Frederic Mangano)
* Avoid some rare case null dereference (geogriffin@jsgriff.com)
* Improve expiration check for simultaneous probes
2012-11-19 Dmitry Butskoy <Dmitry@Butskoy.name> - 2.0.19
* DCCP protocol support (rfc4340), by Samuel Jero
Use "-D" option for it (the protocol-specific options
are available too).
* Update COPYING and COPYING.LIB license files to the latest
published ones (due to FSF address changes etc.) (Jan Synacek)
* Add mention of "-l" option to manual (Filip Holec)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
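Added example, not part of the commit message or of traceroute's source: a Python sketch of the `-w MAX_SECS,HERE,NEAR` wait logic as the 2.1.0 changelog entry describes it, including the premature "*" it warns about. The function names are hypothetical, and treating an omitted HERE or NEAR as zero is an assumption beyond the `-w SECS` case the changelog states.

```python
import re

DEFAULTS = (5.0, 3.0, 10.0)   # MAX_SECS, HERE, NEAR when -w is not given


def parse_wait(arg=None):
    """Parse a `-w` argument: up to three floats split by ',' or '/'."""
    if arg is None:
        return DEFAULTS
    parts = re.split(r"[,/]", arg)
    if len(parts) > 3:
        raise ValueError("expected MAX_SECS[,HERE[,NEAR]]")
    vals = [float(p) for p in parts]          # float('') raises ValueError
    if any(v < 0 for v in vals):
        raise ValueError("negative value in -w")
    vals += [0.0] * (3 - len(vals))           # assumption: omitted factors are 0
    return tuple(vals)


def probe_timeout(spec, same_hop_rtts, next_hop_rtts):
    """Seconds to wait for a probe, given replies already received.

    same_hop_rtts / next_hop_rtts: round trip times in seconds, in the
    order found; only the first one is used, as the changelog states.
    """
    max_secs, here, near = spec
    if here and same_hop_rtts:                # zero factor: skip this step
        return min(max_secs, here * same_hop_rtts[0])
    if near and next_hop_rtts:
        return min(max_secs, near * next_hop_rtts[0])
    return max_secs


def printed(spec, same_hop_rtts, next_hop_rtts, actual_rtt):
    """What is shown for a probe whose reply needs actual_rtt seconds."""
    if actual_rtt > probe_timeout(spec, same_hop_rtts, next_hop_rtts):
        return "*"
    return f"{actual_rtt * 1000:.3f} ms"
```

With the defaults, a first reply of 250 ms from the same hop shortens the wait to 750 ms, so a sibling probe answered after 1 s prints "*"; with `-w 5` the same probe is printed normally.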