webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-13 04:22:58 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
3110d7a98fa4e41edb8eec3c052d8bcc728e677e
bpfire/config/rootfiles/oldcore/164/update.sh
Peter Müller 8269c8319c firewall: Make logging of conntrack INVALIDs configureable 
In theory, logging of dropped packets classified by conntrack as being
INVALID should never be disabled, since one wants to have a paper trail
of what his/her firewall is doing.

However, conntrack seems to drop a lot of (at the first glance
legitimate) packets, hence bloating the logs, making spotting the
important firewall hits more difficult.

This patch therefore adds the option to disable logging of packets being
dropped by conntrack due to INVALID state.

Please note:
- This patch does not add this category to the firewall hits graph.
- The variables in this patch ("LOGDROPCTINVALID") should make it clear
  that it is about toggling _logging_, not the actual _dropping_. Other
  variables are still in need of being renamed to clarify this, which
  will be done in a dedicated patch.
- Also, the changes made to update.sh need to take place in
  config/rootfiles/core/164/update.sh for "master", since this patch has
  been developed against "next". Kindly cherry-pick the necessary
  changes.

Partially fixes: #12778

Reported-by: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
2022-02-18 22:40:55 +00:00

154 lines
4.6 KiB
Bash
Raw Blame History

#!/bin/bash
############################################################################
# #
# This file is part of the IPFire Firewall. #
# #
# IPFire is free software; you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation; either version 3 of the License, or #
# (at your option) any later version. #
# #
# IPFire is distributed in the hope that it will be useful, #
# but WITHOUT ANY WARRANTY; without even the implied warranty of #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
# GNU General Public License for more details. #
# #
# You should have received a copy of the GNU General Public License #
# along with IPFire; if not, write to the Free Software #
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
# #
# Copyright (C) 2022 IPFire-Team <info@ipfire.org>. #
# #
############################################################################
#
. /opt/pakfire/lib/functions.sh
/usr/local/bin/backupctrl exclude >/dev/null 2>&1
core=164
exit_with_error() {
# Set last succesfull installed core.
echo $(($core-1)) > /opt/pakfire/db/core/mine
# force fsck at next boot, this may fix free space on xfs
touch /forcefsck
# don't start pakfire again at error
killall -KILL pak_update
/usr/bin/logger -p syslog.emerg -t ipfire \
"core-update-${core}: $1"
exit $2
}
# Remove old core updates from pakfire cache to save space...
for (( i=1; i<=$core; i++ )); do
rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire
done
KVER="xxxKVERxxx"
# Backup uEnv.txt if exist
if [ -e /boot/uEnv.txt ]; then
cp -vf /boot/uEnv.txt /boot/uEnv.txt.org
fi
# Do some sanity checks.
case $(uname -r) in
*-ipfire*)
# Ok.
;;
*)
exit_with_error "ERROR cannot update. No IPFire Kernel." 1
;;
esac
# Check diskspace on root
ROOTSPACE=`df / -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1`
if [ $ROOTSPACE -lt 100000 ]; then
exit_with_error "ERROR cannot update because not enough free space on root." 2
exit 2
fi
# Remove files
# Remove the old kernel
rm -rf /boot/System.map-*
rm -rf /boot/config-*
rm -rf /boot/ipfirerd-*
rm -rf /boot/initramfs-*
rm -rf /boot/vmlinuz-*
rm -rf /boot/uImage-*
rm -rf /boot/zImage-*
rm -rf /boot/uInit-*
rm -rf /boot/dtb-*
rm -rf /lib/modules
# Stop services
/etc/init.d/collectd stop
/etc/init.d/suricata stop
# Extract files
extract_files
# update linker config
ldconfig
# Update Language cache
/usr/local/bin/update-lang-cache
# Filesytem cleanup
/usr/local/bin/filesystem-cleanup
# Run convert script for IDS multiple providers
/usr/sbin/convert-ids-multiple-providers
# Add configuration settings to optionsfw if they are missing
if [ "$(grep "^DROPHOSTILE" /var/ipfire/optionsfw/settings)" == "" ]; then
echo "DROPHOSTILE=off" >> /var/ipfire/optionsfw/settings
fi
if [ "$(grep "^DROPSPOOFEDMARTIAN" /var/ipfire/optionsfw/settings)" == "" ]; then
echo "DROPSPOOFEDMARTIAN=on" >> /var/ipfire/optionsfw/settings
fi
if [ "$(grep "^LOGDROPCTINVALID" /var/ipfire/optionsfw/settings)" == "" ]; then
echo "LOGDROPCTINVALID=on" >> /var/ipfire/optionsfw/settings
fi
# Apply sysctl changes
/etc/init.d/sysctl start
# Start services
/etc/init.d/firewall restart
/etc/init.d/collectd start
/etc/init.d/squid restart
/etc/init.d/suricata start
# remove lm_sensor config after collectd was started
# to reserch sensors at next boot with updated kernel
rm -f /etc/sysconfig/lm_sensors
# Upadate Kernel version uEnv.txt
if [ -e /boot/uEnv.txt ]; then
sed -i -e "s/KVER=.*/KVER=${KVER}/g" /boot/uEnv.txt
fi
# call user update script (needed for some arm boards)
if [ -e /boot/pakfire-kernel-update ]; then
/boot/pakfire-kernel-update ${KVER}
fi
# This update needs a reboot...
touch /var/run/need_reboot
# Finish
/etc/init.d/fireinfo start
sendprofile
# Update grub config to display new core version
if [ -e /boot/grub/grub.cfg ]; then
grub-mkconfig -o /boot/grub/grub.cfg
fi
sync
# Don't report the exitcode last command
exit 0
Reference in New Issue View Git Blame Copy Permalink