when mouse select, vim automatically turns into
visual mode, this is not convienent when copy
and paste in vim with mouse select. create this
setting for root user.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
when loxilb is enabled and started, enable the
firewall SNAT for green network so green network
could have initiate outgoing traffic like internet
access.
we can achieve this by restoring firewall SNAT setting
from default /var/ipfire/loxilb/FWconfig.txt when loxilb
start up with --config-path=/var/ipfire/loxilb thanks
to the enhancement addressed in issue:
https://github.com/loxilb-io/loxilb/issues/706
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
LoxiLB 0.9.4 lack of SNAT feature for egress traffic
initiated from BPFire green network, when loxilb is
enabled, it breaks BPFire green network client Internet
access, this issue is fixed in the loxilb development
branch, temporarily I make loxilb development branch
as 0.9.5 in BPFire so I could test the SNAT feature and
it works.
see detail in https://github.com/loxilb-io/loxilb/issues/718
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
When loxilb and keepalived are enabled, after BPFire
rebooted, loxilb and keepalived failed to start and
shows as "STOPPED" from UI, this is not expected since
we want to loxilb and keepalived to continue to be enabled
after reboot based on the enabled state of loxilb and
keepalived before reboot.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
BPFire red0 does not support multicast, need to
have unicast peer configured, then the virtual
ipaddress can be added to red0 interface.
the UI requires /var/ipfire/keepalived/runsettings
/var/ipfire/keepalived/settings to be created, so
add them lfs/configroot
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
change keepalived default config to
/var/ipfire/keepalived/keepalived.conf so keepalived WebUI
could read/write the configuration file. also add
/var/ipfire/keepalived directory
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
keepalived: create /var/ipfire/keepalived
upgrade procedure:
git clone https://github.com/loxilb-io/loxicmd.git
cd loxicmd
git checkout -b v0.9.4 v0.9.4
go mod vendor
cd ..
mv loxicmd loxicmd-0.9.4
tar cvf loxicmd-0.9.4.tar loxicmd-0.9.4
gzip loxicmd-0.9.4.tar
cp loxicmd-0.9.4.tar.gz <BPFire source>/cache/
b2sum <BPFire source>/cache/loxicmd-0.9.4.tar.gz
modify lfs/loxicmd to change the version and b2sum checksum
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
upgrade procedure:
git clone --recurse-submodules https://github.com/loxilb-io/loxilb.git
cd loxilb
git checkout -b v0.9.4 v0.9.4
go mod vendor
cd ..
mv loxilb loxilb-0.9.4
tar cvf loxilb-0.9.4.tar loxilb-0.9.4
gzip loxilb-0.9.4.tar
cp loxilb-0.9.4.tar.gz <BPFire source>/cache/
b2sum <BPFire source>/cache/loxilb-0.9.4.tar.gz
modify lfs/loxilb to change the version and b2sum checksum
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
Avoid downloading golang dependency packages
during build time due to issue [0], run
go mod vendor so loxicmd source include vendor
directory to include golang dependency packages
[0]: https://github.com/vincentmli/BPFire/issues/18
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
XDP dns rate limit program has static tail call
which requires revert xdp-tool commit:
(039bdea "xdp-loader: Only load the BPF program we need from object files")
XDP dns rate limit program also uses bpf_printk helper which is not
supported on FireBeeOS since kernel CONFIG_BPF_EVENTS which allows user
to do kprobe, uprobe, tracepoint is not enabled, so bpf_printk helper is
not available, so removed bpf_printk
see discussion in [0] xdp-loader load xdp program with bpf tail call result in Bad file descriptor(-9)
[0] https://github.com/xdp-project/xdp-tools/issues/377
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
This reverts commit 0864b3a5ba.
User might be concerned firewall admin user capture SSL clear
text, so remove ecapture.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
when mouse select, vim automatically turns into
visual mode, this is not convienent when copy
and paste in vim with mouse select.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
bpftool comes with Linux kernel source and
it is handy to have bpftool on ipfire kernel
with BPF/BTF enabled to diagnosis BPF related
issue.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
We disable cores if the are affected by some cpu vulnerabilities
this cores report errors if you try to change the settings.
So only print the output for core0 and hide it for all cores.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
the initskript loads a test-modul for amd-pstate (which traces on intel)
and off course reports errors if firmware settings are missing.
this also fix the error at start because also amd-pstate doesn't support
ondemand mode.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- OpenSSL was updated to 3.1.4 in CU181 and to 3.2.1 in CU183 but in both cases freeradius
was not incremented to cause it to be shipped.
- This patch increments the freeradius PAK_VER to ensure it will be shipped.
Fixes: Bug#13590
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 2.5.0 to 2.6.0
- Update of rootfile
- This update fixes two CVE's. Not sure if IPFire would be vulnerable or not but safer
to update anyway.
- Changelog
2.6.0
Security fixes:
#789#814 CVE-2023-52425 -- Fix quadratic runtime issues with big tokens
that can cause denial of service, in partial where
dealing with compressed XML input. Applications
that parsed a document in one go -- a single call to
functions XML_Parse or XML_ParseBuffer -- were not affected.
The smaller the chunks/buffers you use for parsing
previously, the bigger the problem prior to the fix.
Backporters should be careful to no omit parts of
pull request #789 and to include earlier pull request #771,
in order to not break the fix.
#777 CVE-2023-52426 -- Fix billion laughs attacks for users
compiling *without* XML_DTD defined (which is not common).
Users with XML_DTD defined have been protected since
Expat >=2.4.0 (and that was CVE-2013-0340 back then).
Bug fixes:
#753 Fix parse-size-dependent "invalid token" error for
external entities that start with a byte order mark
#780 Fix NULL pointer dereference in setContext via
XML_ExternalEntityParserCreate for compilation with
XML_DTD undefined
#812#813 Protect against closing entities out of order
Other changes:
#723 Improve support for arc4random/arc4random_buf
#771#788 Improve buffer growth in XML_GetBuffer and XML_Parse
#761#770 xmlwf: Support --help and --version
#759#770 xmlwf: Support custom buffer size for XML_GetBuffer and read
#744 xmlwf: Improve language and URL clickability in help output
#673 examples: Add new example "element_declarations.c"
#764 Be stricter about macro XML_CONTEXT_BYTES at build time
#765 Make inclusion to expat_config.h consistent
#726#727 Autotools: configure.ac: Support --disable-maintainer-mode
#678#705 ..
#706#733#792 Autotools: Sync CMake templates with CMake 3.26
#795 Autotools: Make installation of shipped man page doc/xmlwf.1
independent of docbook2man availability
#815 Autotools|CMake: Add missing -DXML_STATIC to pkg-config file
section "Cflags.private" in order to fix compilation
against static libexpat using pkg-config on Windows
#724#751 Autotools|CMake: Require a C99 compiler
(a de-facto requirement already since Expat 2.2.2 of 2017)
#793 Autotools|CMake: Fix PACKAGE_BUGREPORT variable
#750#786 Autotools|CMake: Make test suite require a C++11 compiler
#749 CMake: Require CMake >=3.5.0
#672 CMake: Lowercase off_t and size_t to help a bug in Meson
#746 CMake: Sort xmlwf sources alphabetically
#785 CMake|Windows: Fix generation of DLL file version info
#790 CMake: Build tests/benchmark/benchmark.c as well for
a build with -DEXPAT_BUILD_TESTS=ON
#745#757 docs: Document the importance of isFinal + adjust tests
accordingly
#736 docs: Improve use of "NULL" and "null"
#713 docs: Be specific about version of XML (XML 1.0r4)
and version of C (C99); (XML 1.0r5 will need a sponsor.)
#762 docs: reference.html: Promote function XML_ParseBuffer more
#779 docs: reference.html: Add HTML anchors to XML_* macros
#760 docs: reference.html: Upgrade to OK.css 1.2.0
#763#739 docs: Fix typos
#696 docs|CI: Use HTTPS URLs instead of HTTP at various places
#669#670 ..
#692#703 ..
#733#772 Address compiler warnings
#798#800 Address clang-tidy warnings
#775#776 Version info bumped from 9:10:8 (libexpat*.so.1.8.10)
to 10:0:9 (libexpat*.so.1.9.0); see https://verbump.de/
for what these numbers do
Infrastructure:
#700#701 docs: Document security policy in file SECURITY.md
#766 docs: Improve parse buffer variables in-code documentation
#674#738 ..
#740#747 ..
#748#781#782 Refactor coverage and conformance tests
#714#716 Refactor debug level variables to unsigned long
#671 Improve handling of empty environment variable value
in function getDebugLevel (without visible user effect)
#755#774 ..
#758#783 ..
#784#787 tests: Improve test coverage with regard to parse chunk size
#660#797#801 Fuzzing: Improve fuzzing coverage
#367#799 Fuzzing|CI: Start running OSS-Fuzz fuzzing regression tests
#698#721 CI: Resolve some Travis CI leftovers
#669 CI: Be robust towards absence of Git tags
#693#694 CI: Set permissions to "contents: read" for security
#709 CI: Pin all GitHub Actions to specific commits for security
#739 CI: Reject spelling errors using codespell
#798 CI: Enforce clang-tidy clean code
#773#808 ..
#809#810 CI: Upgrade Clang from 15 to 18
#796 CI: Start using Clang's Control Flow Integrity sanitizer
#675#720#722 CI: Adapt to breaking changes in GitHub Actions Ubuntu images
#689 CI: Adapt to breaking changes in Clang/LLVM Debian packaging
#763 CI: Adapt to breaking changes in codespell
#803 CI: Adapt to breaking changes in Cppcheck
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
There seems to be some problem that this package does not build from
source, but as we don't currently have any hardware that supports thise,
there is no point in debugging it.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Updated lfs file to core program type
- Moved rootfile from packages to common
- Older suricata versions required elfutils only for building but suricata-7.0.2 fails to
start if elfutils is not present due to libelf.so.1 being missing.
- The requirement for elfutils is not mentioned at all in the changelog.
Fixes: Bug#13516
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
