Processors in virtual machines are *virtual*. Therefore this
only degrades the performance of the guest, but does not increase
it's security.
This patch always leaves SMT enabled in all virtual environments.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
If this module is not being loaded, the kernel will mark any
GRE connection as INVALID in connection tracking, which will
be then silently dropped by a firewall rule.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
AWS supports jumbo-frames which IPFire can take advantage of
to increase network throughput internally.
The MTU for RED was left as 1500 to avoid packet fragmentation
in the cloud network and have IPFire do that job.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Since more processes depend on good randomness, we need to
make sure that the kernel's PRNG is initialized as early as
possible.
For systems without a HWRNG, we will need to fall back to our
noisy loop and wait until we have enough randomness.
This patch also removes saving and restoring the seed. This
is no longer useful because the kernel's PRNG only takes any
input after it has successfully been seeded from other sources.
Hence adding this seed does not increase its randomness.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
the mame of main.cvd has changed to main.cld on my system.
Add both types and also ad bytecode.c?d
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Added the new 'vnstatd' daemon to 'start' and 'stop' section.
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
dhcpcd 9.x adds privelege seperation by creating a chroot
and running parts of the client not as root.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Records which are from the same domain than the IPFire hostname
might not be returned by unbound. This change explicitely instructs
unbound to check local data before checking the global DNS.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Due to strange NFQUEUE behaviour, traffic to remote VPN (IPsec or
OpenVPN) destinations was emitted to the internet (ppp0 or red0
interface) directly if the IPS was enabled but crashed during operation.
This patch places the IPSECBLOCK and OVPNBLOCK chains before the
ones responsible for forwarding traffic into the IPS.
Thanks to Michael for his debugging effort.
Partially fixes#12257
Cc: Michael Tremer <michael.tremer@ipfire.org>
Cc: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Since we are running unbound locally which always runs DNSSEC
validation, we can simply trust it and pass the ad flag on to
applications which make use of it.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
on some machines the i2c sensor search take very long time
which cause hang at first boot.
Now the search is started in background and waited for max one
minute before continue load of collectd.
On such machines collectd will not get all sensors at first startup.
fixes#12329
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
When unbound is running multiple threads, we have observed
that queries where sent for each thread.
Since no user should have so much DNS traffic that more than
one processor core is being saturated, this is a safe change.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
this functions has only reloaded unbound config
which is useless at shutting down the red interface.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
This package is outdated and unmaintained for many many years.
I am not sure if this even works and if there are any users.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
This is mostly aesthetic because there are no ISP nameservers
anyways that we could use here.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
