#!/bin/bash
############################################################################
#                                                                          #
# This file is part of the IPFire Firewall.                                #
#                                                                          #
# IPFire is free software; you can redistribute it and/or modify           #
# it under the terms of the GNU General Public License as published by     #
# the Free Software Foundation; either version 3 of the License, or        #
# (at your option) any later version.                                      #
#                                                                          #
# IPFire is distributed in the hope that it will be useful,                #
# but WITHOUT ANY WARRANTY; without even the implied warranty of           #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the            #
# GNU General Public License for more details.                             #
#                                                                          #
# You should have received a copy of the GNU General Public License        #
# along with IPFire; if not, write to the Free Software                    #
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307 USA #
#                                                                          #
# Copyright (C) 2024 IPFire-Team <info@ipfire.org>.                        #
#                                                                          #
############################################################################
#
. /opt/pakfire/lib/functions.sh
/usr/local/bin/backupctrl exclude >/dev/null 2>&1

core=185

# Remove old core updates from pakfire cache to save space...
for (( i=1; i<=$core; i++ )); do
	rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire
done

# Stop services
/etc/init.d/ntp stop
/etc/init.d/squid stop

# Extract files
extract_files

# Remove files
rm -rvf \
	/etc/pango \
	/lib/firmware/ath10k/WCN3990/hw1.0/notice.txt_wlanmdsp \
	/lib/firmware/ath11k/IPQ6018/hw1.0/Notice.txt \
	/lib/firmware/ath11k/IPQ8074/hw2.0/Notice.txt \
	/lib/firmware/ath11k/QCA6390/hw2.0/Notice.txt \
	/lib/firmware/ath11k/QCN9074/hw1.0/Notice.txt \
	/lib/firmware/ath11k/WCN6855/hw2.0/Notice.txt \
	/lib/firmware/intel-ucode/06-86-04 \
	/lib/firmware/intel-ucode/06-86-05 \
	/lib/firmware/intel-ucode/06-8f-04 \
	/sbin/xtables-multi \
	/srv/web/ipfire/html/themes/ipfire-rounded \
	/usr/lib/crda/pubkeys/linville.key.pub.pem \
	/usr/lib/grub/i386-pc/efiemu{32,64}.o \
	/usr/lib/grub/i386-pc/verifiers.* \
	/usr/lib/grub/i386-pc/verify.* \
	/usr/lib/grub/x86_64-efi/shim_lock.* \
	/usr/lib/grub/x86_64-efi/verifiers.* \
	/usr/lib/grub/x86_64-efi/verify.* \
	/usr/lib/pppd/2.5.0 \
	/usr/lib/snort_dynamic* \
	/usr/local/bin/snortctrl \
	/usr/share/usb_modeswitch/1033:0035 \
	/usr/share/vim/vim7* \
	/var/ipfire/geoip-functions.pl \
	/var/ipfire/dhcpc/dhcpcd-hooks/00-linux \
	/var/ipfire/dhcpc/dhcpcd-hooks/02-dump \
	/var/lib/location/tmp* \
	/usr/lib/liblzma.so.5.6.*

# update linker config
ldconfig

# Update Language cache
/usr/local/bin/update-lang-cache

# Filesytem cleanup
/usr/local/bin/filesystem-cleanup

# Apply local configuration to sshd_config
/usr/local/bin/sshctrl

# Fix permissions of /etc/sudoers.d/
chmod -v 750 /etc/sudoers.d
chmod -v 640 /etc/sudoers.d/*

# Start services
telinit u
/etc/init.d/sshd restart
/etc/init.d/apache restart
/etc/init.d/suricata restart
/etc/init.d/unbound restart
/etc/init.d/ntp start
if [ -f /var/ipfire/proxy/enable ]; then
	/etc/init.d/squid start
fi
/etc/init.d/collectd restart

## Modify ovpnconfig according to bug 13548 for no-pass entry for N2N client connections
# Check if ovpnconfig exists and is not empty
if [ -s /var/ipfire/ovpn/ovpnconfig ]; then
       # Add blank line at top of ovpnconfig otherwise the first roadwarrior entry is treated like a blank line and missed out from update
       awk 'NR==1{print ""}1' /var/ipfire/ovpn/ovpnconfig > /var/ipfire/ovpn/tmp_file && mv /var/ipfire/ovpn/tmp_file /var/ipfire/ovpn/ovpnconfig

       # Make all N2N connections 'no-pass' since they do not use encryption
       awk '{FS=OFS=","} {if($5=="net") {$43="no-pass"; print $0}}' /var/ipfire/ovpn/ovpnconfig >> /var/ipfire/ovpn/ovpnconfig.new

       # Copy all RW connections unchanged to the new ovpnconfig file
       for y in $(awk -F',' '/host/ { print $3 }' /var/ipfire/ovpn/ovpnconfig); do
           awk -v var="$y" '{FS=OFS=","} {if($3==var) {print $0}}' /var/ipfire/ovpn/ovpnconfig >> /var/ipfire/ovpn/ovpnconfig.new

       done
fi

# Replace existing ovpnconfig with updated index
mv /var/ipfire/ovpn/ovpnconfig.new /var/ipfire/ovpn/ovpnconfig
# Set correct ownership
chown nobody:nobody /var/ipfire/ovpn/ovpnconfig

# Check if the drop hostile in and out logging options need to be added
# into the optionsfw settings file and apply to firewall
if ! grep -q "^LOGDROPHOSTILEIN=" /var/ipfire/optionsfw/settings; then
	echo "LOGDROPHOSTILEIN=on" >> /var/ipfire/optionsfw/settings
fi

if ! grep -q "^LOGDROPHOSTILEOUT=" /var/ipfire/optionsfw/settings; then
	echo "LOGDROPHOSTILEOUT=on" >> /var/ipfire/optionsfw/settings
fi

# Reload all firewall rules
/usr/local/bin/firewallctrl

# Rebuild initial ramdisks
dracut --regenerate-all --force
KVER="xxxKVERxxx"
case "$(uname -m)" in
	aarch64)
		mkimage -A arm64 -T ramdisk -C lzma -d /boot/initramfs-${KVER}-ipfire.img /boot/uInit-${KVER}-ipfire
		# dont remove initramfs because grub need this to boot.
		;;
esac

# This update needs a reboot...
touch /var/run/need_reboot

# Finish
/etc/init.d/fireinfo start
sendprofile

# Update grub config to display new core version
if [ -e /boot/grub/grub.cfg ]; then
	grub-mkconfig -o /boot/grub/grub.cfg
fi

sync

# Don't report the exitcode last command
exit 0