add tcpddosctrl to start/stop/status XDP
TCP DDoS program from tcp-ddos.cgi safely.
permission of tcpddosctrl
chown root.nobody /usr/local/bin/tcpddosctrl
chmod u+s /usr/local/bin/tcpddosctrl
result:
-rwsr-x--- 1 root nobody 14672 Mar 19 09:58 /usr/local/bin/ddosctrl
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
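An added check (not part of the commit or of IPFire) for the ownership and mode the commit sets on the setuid wrapper: owned by root, group-owned by the web server's group, setuid, not group-writable, and with no permissions for others. The expected owner and group are parameters (assumed interface), so the same function can be exercised by an unprivileged user against a scratch file.

```shell
#!/bin/sh
# Added example, not IPFire code: verify that a setuid wrapper such as
# tcpddosctrl carries exactly the ownership and mode the commit describes
# (-rwsr-x--- root:nobody). Owner and group are passed in so the check
# also works on a test file owned by the current user.

# check_suid_wrapper PATH OWNER GROUP
# Returns 0 when PATH is a regular file, setuid, not group-writable, not
# accessible by others and owned by OWNER:GROUP; otherwise prints the
# reason on stderr and returns 1.
check_suid_wrapper() {
    path=$1; owner=$2; group=$3
    if [ ! -f "$path" ]; then
        echo "$path: not a regular file" >&2
        return 1
    fi
    # The first ten characters of `ls -l` are the type and mode string
    # (e.g. -rwsr-x---); fields 3 and 4 are the owner and group.
    line=$(ls -ld "$path")
    mode=$(printf '%s\n' "$line" | cut -c1-10)
    f_owner=$(printf '%s\n' "$line" | awk '{print $3}')
    f_group=$(printf '%s\n' "$line" | awk '{print $4}')

    case "$mode" in
        -rws*) ;;   # setuid bit together with owner execute
        *) echo "$path: not setuid ($mode)" >&2; return 1 ;;
    esac
    case "$mode" in
        ?????w????) echo "$path: group-writable ($mode)" >&2; return 1 ;;
    esac
    case "$mode" in
        ???????---) ;;   # no read, write or execute for others
        *) echo "$path: accessible by others ($mode)" >&2; return 1 ;;
    esac
    if [ "$f_owner" != "$owner" ] || [ "$f_group" != "$group" ]; then
        echo "$path: owned by $f_owner:$f_group, expected $owner:$group" >&2
        return 1
    fi
    return 0
}
```

For the wrapper from the commit the call is `check_suid_wrapper /usr/local/bin/tcpddosctrl root nobody`; the point of the two negative checks is that a setuid root binary reachable from a CGI must not be writable by its group or reachable by anyone outside it.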
add ddos init to load/attach XDP DDoS main
program with empty tail call table as place
holder for tcp, udp, icmp...etc XDP DDoS program
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
We recently started to have problems when a new installation was
launched from the flash image: creating the journal corrupted the
filesystem on the next mount operation.
Since we would like all IPFire installations to have a journal, we
create this now when we create the image and won't try to add it later.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
It was possible to install a new system without a journal. I think this
is a very outdated concept now and should be avoided in favour of
filesystem integrity.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This option needs to be configurable since some (braindead) ISPs have
started running broken DHCP servers to be bug-compatible with cheap
broken plastic routers.
By default we keep this option enabled, but it can now be turned off
whenever needed.
Suggested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
I don't like this messy bootup screen that we have with all sorts of
warnings that actually don't cause any problems, but make the boot
messy and send the wrong message to users.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- removal of lfs, rootfile and config files
- backup includes file is also removed, although it was an empty file, so not backing
anything up.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- removal of lfs, rootfile, backup, paks, misc-progs, mpfire perl, language file
content, mpfire.cgi, mpfire menu references and files, mpfire specific image,
web-user-interface references and references in manualpages.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version commit e1266c7 to 2.5.1
- Version 2.5.1 has around 34 additional commits from e1266c7. To me all look minor
changes, some related to other system types such as Solaris that we don't use.
- Update of rootfile
- They have added example to the configuration files to prevent accidental overwriting
of configuration systems.
- Changelog - There is no longer any changelog provided. Even the one that used to
exist for version 2.5.0 has been removed. The only option now is to look through the
commits - https://github.com/ppp-project/ppp/commits/master/?before=d5aeec65752d4a9b3bb46771d0b221c4a4a6539e+35
- Some of the patches had to be updated as the changes were enough that some hunks did
not get found for patching. Patch file number 6 has been removed as the sed lines are
no longer to be found in the configure file. The other files that patched successfully
were renamed to 2.5.1
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This removes a warning at boot that user and group should be
separated by ":" and not by "."
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 4.0.5 to 4.0.6
- Update of rootfile not required
- Bundled miniupnpc not working with build of 4.0.6. As we prefer not to use bundled
packages where possible, this patch set builds miniupnpc prior to transmission. As
miniupnpc is only required for the build of transmission, nothing is installed from
miniupnpc.
- miniupnpc-2.2.8 has a problem with transmission and needs a patch to fix it. Added
into the transmission lfs file
- Changelog
4.0.6
All Platforms
Improved parsing HTTP tracker announce response. (#6223)
Fixed 4.0.0 bug that caused some user scripts to have an invalid TR_TORRENT_TRACKERS environment variable. (#6434)
Fixed 4.0.0 bug where alt-speed-enabled had no effect in settings.json. (#6483)
Fixed 4.0.0 bug where the GTK client's "Use authentication" option was not saved between sessions. (#6514)
Fixed 4.0.0 bug where the filename for single-file torrents aren't sanitized. (#6846)
macOS Client
Fix: Sparkle support for handling beta version updates. (#5263)
Fixed app unable to start when having many torrents and TimeMachine enabled. (#6523)
Fix: Sparkle Version Comparator. (#6623)
Qt Client
Fixed 4.0.0 bug where piece size description text and slider state in torrent creation dialog are not always up-to-date. (#6516)
GTK Client
Fixed build when compiling with GTKMM 4. (#6393)
Added developer name to metainfo files. (#6598)
Added the launchable desktop-id to metainfo files. (#6779)
Fixed build when compiling on BSD. (#6812)
Web Client
Fixed a 4.0.0 bug where the infinite ratio symbol was displayed incorrectly in the WebUI. (#6491, #6500)
Fixed layout issue in speed display. (#6570)
General UI improvement related to filterbar and fixes download/upload speed info wrap. (#6761)
Daemon
Fixed a couple of logging issues. (#6463)
Everything Else
Updated flatpak release metainfo. (#6357)
Fixed libtransmission build on very old cmake versions. (#6418)
UTP peer connections follow user-defined speed limits better now. (#6551)
Only use a single concurrent queue for timeMachineExclude instead of one queue per torrent (#6523). (#6558)
Fixed 4.0.5 bug where svg and png icons in the WebUI might not be displayed. (#6563)
Fixed 4.0.0 bug where alt-speed-enabled had no effect in settings.json. (#6564)
Fixed 4.0.0 bugs where some RPC methods don't put torrents in recently-active anymore. (#6565)
Improved parsing HTTP tracker announce response. (#6567)
Fixed compatibility with clang-format 18. (#6690)
Fixed build when compiling with mbedtls 3.x . (#6823)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Even if there are no rules, if this does not exist, collectd will be
unhappy and we cannot generate the graph.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
We cannot use the PREROUTING/POSTROUTING chains here because Suricata
will fail to track NAT-ed connections.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
The PID file does not get written when Suricata is not being started in
daemon mode and therefore we need to pass it as a command line
parameter.
The initscript should not deal with the PID file when starting but needs
it to terminate the process and to check the process status.
The web UI can use the PID file again.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This is because we might still land in the scenario where Suricata
crashes and NFQUEUE will simply ACCEPT all packets which will terminate
the processing of the mangle table.
Therefore the NFQUEUE rule should be the last one so that we never skip
any of the other processing.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This patch adds a watcher process that will restart suricata when it is
being killed by SIGKILL (e.g. by the OOM killer) or after a SEGV.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
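An added illustration of the watcher described above; this is not the IPFire initscript's code. It is a POSIX sh supervision loop that relaunches a foreground daemon only when its exit status says it was killed by SIGKILL or died from SIGSEGV, leaves a clean exit or a SIGTERM from "stop" alone, and caps the number of restarts so a daemon that crashes immediately on startup cannot turn the watcher into a busy loop. The cap value and the `supervise`/`should_restart` names are assumptions.

```shell
#!/bin/sh
# Added example, not the IPFire initscript: a minimal watcher that
# re-launches a daemon only after it was killed by SIGKILL (e.g. the OOM
# killer) or died from SIGSEGV, and leaves every other exit alone.

# A POSIX shell reports a child killed by signal N as exit status 128+N.
SIGKILL_STATUS=137   # 128 + 9
SIGSEGV_STATUS=139   # 128 + 11

# Upper bound on restarts so a daemon that crashes at startup does not
# make the watcher spin (assumed default, override via the environment).
MAX_RESTARTS=${MAX_RESTARTS:-5}

# should_restart STATUS: true (0) for SIGKILL/SIGSEGV deaths, false (1)
# for anything else, including a clean exit and SIGTERM from "stop".
should_restart() {
    case "$1" in
        "$SIGKILL_STATUS"|"$SIGSEGV_STATUS") return 0 ;;
        *) return 1 ;;
    esac
}

# supervise CMD [ARGS...]: run CMD in the foreground and relaunch it
# after each crash, at most MAX_RESTARTS times. Sets LAST_RESTARTS to the
# number of restarts performed and returns CMD's final exit status.
supervise() {
    LAST_RESTARTS=0
    while :; do
        "$@"
        status=$?
        if should_restart "$status" && [ "$LAST_RESTARTS" -lt "$MAX_RESTARTS" ]; then
            LAST_RESTARTS=$((LAST_RESTARTS + 1))
            echo "watcher: child died with status $status, restart #$LAST_RESTARTS" >&2
            continue
        fi
        return "$status"
    done
}
```

This only works when the supervised process stays in the foreground (as the earlier commit on Suricata's non-daemon mode arranges), because a forking daemon returns to the watcher immediately and its real exit status is never seen; a practical watcher would additionally log each restart so a recurring OOM kill or crash is noticed rather than silently papered over.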
This patch introduces a new mark which allows us to identify any newly
bypassed connections and permanently store the bypass flag.
We also only restore marks from the connection tracking when a packet
has no marks, yet.
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This allows us to work around any problems in Suricata better, because
we never send any whitelisted packets to the IPS in the first place.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This should make the IPS more efficient: we should have fewer rules, and
the IPS will now sit at the edge of the networking stack as it will see
packets immediately when they come in and just before they leave.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This patch will also ensure the maximum supported key length
is used for ECDSA. Existing installations will remain unaffected.
Note that the key size for ED25519 is fixed, and explicitly
setting it to 521 bytes will not have any impact.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- As requested in bug 13074, create a collectd.d directory to enable any addon definitions
to be created.
- Added include statement in conf file to load everything that is stored in the collectd.d
directory.
- collectd.precache and collectd.thermal have been left in their original locations
- Removed the arm section in the initscript as only aarch64 is now used.
- Modified the lfs to create the collectd.d directory
- Removal of collectd.custom file as this was the previous way to define custom collectd
profiles but would have been overwritten by any update of collectd.
- Update of rootfile to take account of new path and removal of collectd.custom
- Tested out in vm testbed with Core Update 188 and all existing graphs were still created
and updated. From my evaluation the changes have not affected anything.
- The creation of the collectd.d directory now allows users to add their own desired
profiles but also if it is decided that an addon should be included in the processes
graph, or if a new graph for addons is created then profiles for that addon can be
placed in the collectd.d directory and will be automatically included by collectd.
Fixes: Bug13074
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Due to the update of openssh to version 9.8 in CU187, logwatch no longer found the sshd
login data from the messages log as the daemon was changed to sshd-session.
- Therefore the daily logwatch files were missing the sshd information in them.
- A patch to add support for openssh-9.8 sshd-session and port info has been merged into
the logwatch git system and will be included into the next released version of logwatch
- Update logwatch from version 7.8 to 7.11 and add patch for openssh-9.8 support.
- Update the previous three logwatch patches for version 7.11
- Tested on my vm testbed. Confirmed that logwatch now includes the sshd information
in the Log Summary page again.
- When logwatch is updated to version 7.12 then the openssh-9.8 support patch will be able
to be removed.
Fixes: bug13762
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Addition of patch to enable protobuf-c to be built with protobuf version > 26
- When protobuf-c is upgraded to version 1.5.1 it will include this patch
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 10.0.8 to 10.0.10
- Update of rootfile not required
- Patch for free selection of MTU has been removed as in version 10.0.9 the MTU code
was changed to not apply limits to it.
- Changelog
10.0.10
Reversion of commit "linux: make if_getnetworknamespace static"
10.0.9
Option 2: Fix stdin parsing by @holmanb in #289
IPv4LL: Restart ARP probing on address conflict by @LeoRuan in #340
DHCP: Handle option 108 correctly when receiving 0.0.0.0 OFFER by @taoyl-g in #342
DHCP: No longer set interface mtu by @rsmarples in #346
Update privsep-linux.c to allow statx by @Jabrwock in #349
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>