bpfire

mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-12 12:15:52 +02:00

Author	SHA1	Message	Date
Michael Tremer	bc4d4da870	QoS: Drop support for subclasses This feature was never properly implemented and the UI was dead Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-10-14 18:04:39 +00:00
Michael Tremer	63f7d7475e	QoS: Drop tc filter rules to move marked packets into the correct class This is no longer necessary since we are now using CLASSIFY Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-10-14 18:03:59 +00:00
Michael Tremer	3e151d19f9	QoS: Use CLASSIFY iptables target instead of MARK We have been running into loads of conflicts by using MARK for various components on the OS (suricata, IPsec, QoS, ...) which was sometimes hard to resolve. iptables comes with a target which directly sorts packets into the correct class which results in less code and not using the mark. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-10-14 18:03:44 +00:00
Michael Tremer	424a332fd3	QoS: Move packet classification to FORWARD chain for ingress Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-10-14 18:03:32 +00:00
Michael Tremer	cebad6e2b9	QoS: Suppress an error message when cleaning up from previous runs Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-10-14 18:03:20 +00:00
Michael Tremer	59b9a6bd22	linux+iptables: Drop support for IMQ This is no longer needed since we are using IFB now Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-10-14 18:02:55 +00:00
Michael Tremer	6a9bcd6c1d	QoS: Start qosd immediately Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-10-14 18:02:28 +00:00
Michael Tremer	39ff91ecf8	QoS: Do not delete egress qdisc after classes have been created Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-10-14 18:02:07 +00:00
Michael Tremer	607365bccb	QoS: Silence RRD tool warnings Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-10-14 18:01:50 +00:00
Michael Tremer	e6341c5856	QoS: Process incoming packets in PREROUTING only Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-10-14 18:01:37 +00:00
Michael Tremer	eedf7b06c0	QoS: Tidy up qdiscs after QoS is being stopped Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-10-14 18:01:18 +00:00
Michael Tremer	ec01ebe246	Revert "Make IMQ Switchable between PREROUTING and POSTROUTING" This reverts commit `88b8ffac6b`. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-10-14 18:01:06 +00:00
Michael Tremer	3c33d9d854	QoS: Use Intermediate Functional Block This is an alternative implementation to the Intermediate Queuing Device (IMQ) which is an out-of-tree kernel patch and has been criticised for being slow, especially with mutliple processors. IFB is part of the mainline kernel and a lot less code. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-10-14 18:00:51 +00:00
Michael Tremer	cae6916d59	QoS: Do not manually load iptables modules This should not be necessary and causes the script to wait for two seconds. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-10-14 18:00:33 +00:00
Arne Fitzenreiter	ec5b30f39b	core137: add updated sysctl.conf Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-10-14 17:57:58 +00:00
Michael Tremer	58b3c9b58a	sysctl: Adopt more settings from the IBM HPC guidelines https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Welcome%20to%20High%20Performance%20Computing%20%28HPC%29%20Central/page/Linux%20System%20Tuning%20Recommendations Since we have already configured most of our IP/TCP stack for low latency and fast throughput, these settings complete those efforts. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-10-14 17:56:30 +00:00
Arne Fitzenreiter	d3ef457692	core137: add updated 99-geoip-database Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-10-14 17:49:32 +00:00
Arne Fitzenreiter	bb64cd092c	core137: add updated xt_geoip_update Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-10-14 17:46:27 +00:00
Arne Fitzenreiter	efa43d82b5	core137: add dns.cgi to update Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-10-14 17:42:35 +00:00
Arne Fitzenreiter	6f828b103e	core137: add updated ruleset-sources Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-10-14 17:36:36 +00:00
Stefan Schantl	6a56ee2a3e	ruleset-sources: Update snort dl urls. Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-10-14 17:34:03 +00:00
Arne Fitzenreiter	ff42e56224	core137: add updated backup.pl Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-10-14 17:30:37 +00:00
Tim FitzGeorge	28797d488e	Restart logging after restoring backup Send SIGHUP to syslogd and suricata after restoring backup. This ensures that if the restored backup includes log files that any new log messages get appended to the restored log files. Otherwise they will be written to the old log files which are pending deletion. httpd is told to restart using apachectl, which is the equivalent of sending a signal. 'graceful' (USR1) is used rather than 'restart' (HUP) because the latter immediately kills the process restoring the backup, preventing converters from running. Fixes: 12196 Signed-off-by: Tim FitzGeorge <ipfr@tfitzgeorge.me.uk> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-10-14 17:27:54 +00:00
Arne Fitzenreiter	57ff953341	core137: add ipset to update Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-10-14 17:22:44 +00:00
peter.mueller@ipfire.org	5c0345f5c1	ship updated bash and readline Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-10-14 17:12:53 +00:00
peter.mueller@ipfire.org	f41d936026	update rootfiles for bash and readline Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-10-14 17:12:06 +00:00
Arne Fitzenreiter	fcb0e92dec	core137: restart updated services Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-10-12 15:56:40 +00:00
Arne Fitzenreiter	2fabddb44d	rust: update armv5tel rootfile Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-10-09 20:23:05 +02:00
Arne Fitzenreiter	194c7b16e4	rust: add i586 and aarch64 rootfile todo: armv5tel is still missing... Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-10-09 18:11:32 +02:00
Arne Fitzenreiter	f947ce9af1	sane: add special aarch64 rootfile libsane-qcam is not available for aarch64 so we need an extra rootfile Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-10-09 18:10:23 +02:00
Arne Fitzenreiter	c67519ac7c	sane: rootfile update Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-10-09 18:06:54 +02:00
Arne Fitzenreiter	3791a79239	tshark: rootfile update Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-10-09 18:05:50 +02:00
Arne Fitzenreiter	e29eb3a6c1	speedtest-cli: add rootfile Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-10-09 18:04:30 +02:00
Stefan Schantl	5b87687cb1	suricata: Enable rust support Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-10-08 19:08:37 +00:00
Stefan Schantl	59fe973584	rust: New package. Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-10-08 19:08:23 +00:00
Erik Kapfer	692d6e012b	nmap: Update to version 7.80 Several improvements, NSE scripts and libraries has been added. The complete changelog can be found in here --> https://seclists.org/nmap-announce/2019/0 . Signed-off-by: Erik Kapfer <ummeegge@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-10-08 19:06:34 +00:00
Arne Fitzenreiter	2513c3bba9	core137: ship libpcap Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-10-08 19:05:50 +00:00
Matthias Fischer	64243e995b	libpcap: Update to 1.9.1 For details see: https://www.tcpdump.org/libpcap-changes.txt Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-10-08 19:04:36 +00:00
Arne Fitzenreiter	a647499b10	core137: ship unbound Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-10-08 19:03:50 +00:00
Matthias Fischer	146c8a58ab	unbound: Update to 1.9.4 For details see: https://nlnetlabs.nl/pipermail/unbound-users/2019-October/011832.html "This release is a fix for vulnerability CVE-2019-16866 that causes a failure when a specially crafted query is received." Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-10-08 19:01:41 +00:00
Matthias Fischer	a92ede2487	clamav: Update to 0.102.0 For details see: https://blog.clamav.net/2019/10/clamav-01020-has-been-released.html Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-10-08 19:01:02 +00:00
Erik Kapfer	1da6583980	tshark: Update to version 3.0.5 The jump from 3.0.2 to 3.0.5 includes several bugfixes, updated protocols and new and updated capture support. The complete release notes can be found in here --> https://www.wireshark.org/docs/relnotes/ . Signed-off-by: Erik Kapfer <ummeegge@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-10-08 18:57:43 +00:00
Arne Fitzenreiter	5fe5334daa	core137: ship strongwan and vpnmain.cgi Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-10-08 18:56:47 +00:00
Stephan Feddersen	b64b3c110e	WIO: Add french translation file Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-10-08 18:52:05 +00:00
Arne Fitzenreiter	f1e1e9072d	core137: ship updated unbound initskript Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-10-08 18:50:04 +00:00
peter.mueller@ipfire.org	70cd5c42f0	firewall: always allow outgoing DNS traffic to root servers Allowing outgoing DNS traffic (destination port 53, both TCP and UDP) to the root servers is BCP for some reasons. First, RFC 5011 assumes resolvers are able to fetch new trust ancors from the root servers for a certain time period in order to do key rollovers. Second, Unbound shows some side effects if it cannot do trust anchor signaling (see RFC 8145) or fetch the current trust anchor, resulting in SERVFAILs for arbitrary requests a few minutes. There is little security implication of allowing DNS traffic to the root servers: An attacker might abuse this for exfiltrating data via DNS queries, but is unable to infiltrate data unless he gains control over at least one root server instance. If there is no firewall ruleset in place which prohibits any other DNS traffic than to chosen DNS servers, this patch will not have security implications at all. The second version of this patch does not use unnecessary xargs- call nor changes anything else not related to this issue. Fixes #12183 Cc: Michael Tremer <michael.tremer@ipfire.org> Suggested-by: Horace Michael <horace.michael@gmx.com> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Acked-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-10-08 18:48:40 +00:00
Michael Tremer	1ad45a5a09	sane: Update to 1.0.28 This patch updates the package and removes the sanedloop script which was needed to launch saned, but that program can now run in standalone mode. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-10-08 18:39:47 +00:00
Arne Fitzenreiter	c132fed64d	core137: ship suricata Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-10-08 18:38:52 +00:00
Matthias Fischer	80d5bb76dd	iproute2: Update to 5.3.0 For details see: https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/log/?h=v5.3.0 Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-10-08 18:37:03 +00:00
Arne Fitzenreiter	563ac9b13e	core137: ship knot Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-10-08 18:36:24 +00:00

1 2 3 4 5 ...

6912 Commits