]> git.ipfire.org Git - ipfire-2.x.git/log
ipfire-2.x.git
4 years agonano: Update to 4.6
Matthias Fischer [Sat, 30 Nov 2019 15:57:46 +0000 (16:57 +0100)] 
nano: Update to 4.6

For details see:
https://www.nano-editor.org/news.php

... and a long list of other changes in https://www.nano-editor.org/dist/latest/ChangeLog ...

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agospectre-meltdown-checker: update to 0.42
Peter Müller [Thu, 28 Nov 2019 21:43:00 +0000 (21:43 +0000)] 
spectre-meltdown-checker: update to 0.42

See https://github.com/speed47/spectre-meltdown-checker/releases/tag/v0.42
for release announcements.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agoPostfix: update to 3.4.8
Peter Müller [Thu, 28 Nov 2019 21:14:00 +0000 (21:14 +0000)] 
Postfix: update to 3.4.8

See http://www.postfix.org/announcements/postfix-3.4.8.html for release
announcements.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agoupdate ca-certificates CA bundle
Peter Müller [Thu, 28 Nov 2019 17:19:00 +0000 (17:19 +0000)] 
update ca-certificates CA bundle

Update the CA certificates list to what Mozilla NSS ships currently.

The original file can be retrieved from:
https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agocore139: add hwdata to updater
Arne Fitzenreiter [Mon, 2 Dec 2019 17:05:15 +0000 (17:05 +0000)] 
core139: add hwdata to updater

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agohwdata: update PCI/USB databases
Peter Müller [Thu, 28 Nov 2019 17:08:00 +0000 (17:08 +0000)] 
hwdata: update PCI/USB databases

PCI IDs: 2019-11-26 03:15:03
USB IDs: 2019-11-05 20:34:06

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agodhcpcd.exe: remove red.down run on "NOCARRIER"
Arne Fitzenreiter [Sun, 1 Dec 2019 17:33:19 +0000 (18:33 +0100)] 
dhcpcd.exe: remove red.down run on "NOCARRIER"

after "NOCARRIER" the dhcp client always run "EXPIRE" event.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agoMerge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next
Arne Fitzenreiter [Sun, 1 Dec 2019 15:36:43 +0000 (16:36 +0100)] 
Merge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next

4 years agoup/down beep: move from ppp ip-up/down to general red.up/down
Arne Fitzenreiter [Sun, 1 Dec 2019 14:29:59 +0000 (15:29 +0100)] 
up/down beep: move from ppp ip-up/down to general red.up/down

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years ago70-dhcpdd.exe: don't run red.down scripts at "PREINIT"
Arne Fitzenreiter [Sun, 1 Dec 2019 13:03:46 +0000 (14:03 +0100)] 
70-dhcpdd.exe: don't run red.down scripts at "PREINIT"

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agocore139: add dhcp and network changes to updater
Arne Fitzenreiter [Sat, 30 Nov 2019 23:45:02 +0000 (00:45 +0100)] 
core139: add dhcp and network changes to updater

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agonetworking red: add delay to wait for carrier
Arne Fitzenreiter [Sat, 30 Nov 2019 21:26:00 +0000 (22:26 +0100)] 
networking red: add delay to wait for carrier

some nic's need some time after link up to get a carrier

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agodhcpcd: 10-mtu break if carrier was lost
Arne Fitzenreiter [Sat, 30 Nov 2019 21:21:42 +0000 (22:21 +0100)] 
dhcpcd: 10-mtu break if carrier was lost

some nic's like Intel e1000e needs a reinit to change the
mtu. In this case the dhcp hook reinit the nic and terminate now
to let the dhcpcd reinit the card in backgrounnd without running the
rest of the hooks.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agoclamav: Allow downloads to take up to 10 minutes
Michael Tremer [Mon, 25 Nov 2019 11:09:58 +0000 (11:09 +0000)] 
clamav: Allow downloads to take up to 10 minutes

freshclam did not have a receive timeout set and a default of
60s was used. That causes that the large main database cannot
be downloaded over a line with a 16 MBit/s downlink.

This patch increases that timeout and should allow a successful
download on slower connections, too.

Suggested-by: Tim Fitzgeorge <ipfb@tfitzgeorge.me.uk>
Fixes: #12246
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agobind: Update to 9.11.13
Matthias Fischer [Fri, 22 Nov 2019 18:26:59 +0000 (19:26 +0100)] 
bind: Update to 9.11.13

For details see:

https://downloads.isc.org/isc/bind9/9.11.13/RELEASE-NOTES-bind-9.11.13.html

"Security Fixes

    Set a limit on the number of concurrently served pipelined TCP queries.
    This flaw is disclosed in CVE-2019-6477. [GL #1264]"

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agoclamav: Update to 0.102.1
Matthias Fischer [Thu, 21 Nov 2019 16:57:48 +0000 (17:57 +0100)] 
clamav: Update to 0.102.1

For details see:
https://blog.clamav.net/2019/11/clamav-01021-and-01015-patches-have.html

"Fix for the following vulnerability affecting 0.102.0 and 0.101.4 and prior:

CVE-2019-15961:
A Denial-of-Service (DoS) vulnerability may occur when scanning
a specially crafted email file as a result of excessively long scan
times. The issue is resolved by implementing several maximums in parsing
MIME messages and by optimizing use of memory allocation.

Build system fixes to build clamav-milter, to correctly link with
libxml2 when detected, and to correctly detect fanotify for on-access
scanning feature support.

Signature load time is significantly reduced by changing to a more
efficient algorithm for loading signature patterns and allocating the AC
trie. Patch courtesy of Alberto Wu.

Introduced a new configure option to statically link libjson-c with
libclamav. Static linking with libjson is highly recommended to prevent
crashes in applications that use libclamav alongside another JSON
parsing library.

Null-dereference fix in email parser when using the --gen-json metadata
option.

Fixes for Authenticode parsing and certificate signature (.crb database)
bugs."

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agocore139: add unbound to updater
Arne Fitzenreiter [Sat, 30 Nov 2019 09:56:29 +0000 (09:56 +0000)] 
core139: add unbound to updater

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agounbound: Update to 1.9.5
Matthias Fischer [Wed, 20 Nov 2019 16:24:01 +0000 (17:24 +0100)] 
unbound: Update to 1.9.5

For details see:
https://nlnetlabs.nl/pipermail/unbound-users/2019-November/011897.html

"This release is a fix for vulnerability CVE-2019-18934, that can cause
shell execution in ipsecmod.

Bug Fixes:
- Fix for the reported vulnerability.

The CVE number for this vulnerability is CVE-2019-18934"

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agocore139: add captive.cgi to updater
Arne Fitzenreiter [Sat, 30 Nov 2019 09:54:14 +0000 (09:54 +0000)] 
core139: add captive.cgi to updater

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agoBUG12245: captive portal - clients are not automatically removed
Alexander Marx [Wed, 20 Nov 2019 10:45:18 +0000 (11:45 +0100)] 
BUG12245: captive portal - clients are not automatically removed

With this patch the clients are updated and those who are expired get deleted from the hash.
In addition the table of active clients is now sorted.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agobird: Fix path of configuration file in backup
Michael Tremer [Tue, 19 Nov 2019 15:28:22 +0000 (15:28 +0000)] 
bird: Fix path of configuration file in backup

The backup did not pack the configuration file
due to an incorrect path.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agocore139: add pcregrep to updater
Arne Fitzenreiter [Sat, 30 Nov 2019 09:49:58 +0000 (09:49 +0000)] 
core139: add pcregrep to updater

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agopcre: Add pcregrep to core system
Erik Kapfer [Tue, 19 Nov 2019 07:09:42 +0000 (08:09 +0100)] 
pcre: Add pcregrep to core system

Triggered by --> https://community.ipfire.org/t/pcregrep-on-ipfire/259 .

This patch adds pcregrep only from the actual package not from pcre-compat.

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agocore139: add updated calamaris mkreport
Arne Fitzenreiter [Sat, 30 Nov 2019 09:48:00 +0000 (09:48 +0000)] 
core139: add updated calamaris mkreport

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agocalamaris: Bug fix for proxy reports staying empty after Core 136 upgrade
Matthias Fischer [Thu, 14 Nov 2019 18:03:46 +0000 (19:03 +0100)] 
calamaris: Bug fix for proxy reports staying empty after Core 136 upgrade

After upgrading to Core 136, 'calamaris' "Proxy reports" stayed empty.
GUI always show "No reports available".

Tested manually on console stops and throws an error:

...
root@ipfire: ~ # /usr/bin/perl /var/ipfire/proxy/calamaris/bin/mkreport
1 0 2019 8 10 2019 -d 10 -P 30 -t 10 -D 2 -u -r -1 -R 100 -s
Can't use 'defined(%hash)' (Maybe you should just omit the defined()?)
at /var/ipfire/proxy/calamaris/bin/calamaris line 2609.
...

Line 2609 was changed and reports are built again.

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agopython: update to 2.7.17
Arne Fitzenreiter [Thu, 28 Nov 2019 17:41:18 +0000 (18:41 +0100)] 
python: update to 2.7.17

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agokernel: fix x86_64 rootfile
Arne Fitzenreiter [Fri, 15 Nov 2019 15:29:42 +0000 (16:29 +0100)] 
kernel: fix x86_64 rootfile

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agoset core to 139 and pakfire to 138
Arne Fitzenreiter [Fri, 15 Nov 2019 15:28:02 +0000 (16:28 +0100)] 
set core to 139 and pakfire to 138

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agoMerge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next
Arne Fitzenreiter [Thu, 14 Nov 2019 21:13:23 +0000 (22:13 +0100)] 
Merge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next

4 years agokernel: update to 4.14.154
Arne Fitzenreiter [Thu, 14 Nov 2019 21:12:12 +0000 (22:12 +0100)] 
kernel: update to 4.14.154

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agovulnearabilities.cgi: add tsx async abort and itlb_multihit
Arne Fitzenreiter [Thu, 14 Nov 2019 21:10:04 +0000 (22:10 +0100)] 
vulnearabilities.cgi: add tsx async abort and itlb_multihit

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agorename core138 -> core139 to insert a emergency core update
Arne Fitzenreiter [Thu, 14 Nov 2019 17:28:38 +0000 (17:28 +0000)] 
rename core138 -> core139 to insert a emergency core update

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agocore138: fix rootfile
Arne Fitzenreiter [Thu, 14 Nov 2019 02:42:54 +0000 (02:42 +0000)] 
core138: fix rootfile

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agointel-microcode: fix rootfile
Arne Fitzenreiter [Thu, 14 Nov 2019 01:55:46 +0000 (01:55 +0000)] 
intel-microcode: fix rootfile

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agobash: fix rootfile
Arne Fitzenreiter [Thu, 14 Nov 2019 01:55:09 +0000 (01:55 +0000)] 
bash: fix rootfile

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agocore138: fix intel-microcode rootfile link
Arne Fitzenreiter [Wed, 13 Nov 2019 20:08:41 +0000 (20:08 +0000)] 
core138: fix intel-microcode rootfile link

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agointel-microcode: update to 20191112
Peter Müller [Wed, 13 Nov 2019 19:18:00 +0000 (19:18 +0000)] 
intel-microcode: update to 20191112

For release notes, refer to:
- https://blogs.intel.com/technology/2019/11/ipas-november-2019-intel-platform-update-ipu/
- https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20191112

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agoqemu: remove sdl from dependency list
Arne Fitzenreiter [Wed, 13 Nov 2019 19:56:11 +0000 (19:56 +0000)] 
qemu: remove sdl from dependency list

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agoqemu: switch to xz compressed source
Arne Fitzenreiter [Wed, 13 Nov 2019 19:55:17 +0000 (19:55 +0000)] 
qemu: switch to xz compressed source

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agocore138: add bash, readline and readline-compat
Arne Fitzenreiter [Wed, 13 Nov 2019 19:45:14 +0000 (19:45 +0000)] 
core138: add bash, readline and readline-compat

4 years agobash: update to 5.0 (patchlevel 11)
Peter Müller [Tue, 12 Nov 2019 17:15:00 +0000 (17:15 +0000)] 
bash: update to 5.0 (patchlevel 11)

The third version of this patch also includes patches 1-11
for version 5.0, drops orphaned 4.3 patches, and fixes rootfile
mistakes reported by Arne.

Please refer to https://tiswww.case.edu/php/chet/bash/bashtop.html
for release notes.

Cc: Michael Tremer <michael.tremer@ipfire.org>
Cc: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agoreadline: update to 8.0 (patchlevel 1)
Peter Müller [Tue, 12 Nov 2019 17:14:00 +0000 (17:14 +0000)] 
readline: update to 8.0 (patchlevel 1)

The third version of this patch fixes missing rootfile changes, drops
orphaned readline 5.2 patches (as they became obsolete due to
readline-compat changes), includes readline 8.0 upstream patch, and
keeps the for-loop in LFS file (as commented by Michael).

Cc: Michael Tremer <michael.tremer@ipfire.org>
Cc: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agoreadline-compat: update to 6.3
peter.mueller@ipfire.org [Tue, 12 Nov 2019 15:59:00 +0000 (15:59 +0000)] 
readline-compat: update to 6.3

This is necessary as many add-ons still need readline-compat as they
cannot link against readline 8.0, yet.

Reported-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agowio-1.3.2-7: fixed bug with arp client import
Stephan Feddersen [Tue, 12 Nov 2019 20:34:00 +0000 (21:34 +0100)] 
wio-1.3.2-7: fixed bug with arp client import

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agoddns: Import rename NoIP.com handle back to no-ip.com patch
Stefan Schantl [Tue, 12 Nov 2019 08:09:01 +0000 (09:09 +0100)] 
ddns: Import rename NoIP.com handle back to no-ip.com patch

This patch is required for compatiblity reasons for any existing
configurations.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agoUpdate qemu to version 4.1.0
Jonatan Schlag [Sun, 10 Nov 2019 13:03:02 +0000 (13:03 +0000)] 
Update qemu to version 4.1.0

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agoqemu: disable sdl and documentation
Jonatan Schlag [Sun, 10 Nov 2019 13:03:01 +0000 (13:03 +0000)] 
qemu: disable sdl and documentation

A newer version of qemu does not build anymore with our version of sdl. I
tried around a little bit and as I have not got a clue why we are using
sdl (spice and remote access still works)  I think we should disable it.

I disabled the generation of the documentation as well but this switch
does not seem to have any effect.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agoLibvirt: enable lvm
Jonatan Schlag [Sun, 10 Nov 2019 13:03:00 +0000 (13:03 +0000)] 
Libvirt: enable lvm

This was requested in the forum:

https://forum.ipfire.org/viewtopic.php?f=17&t=21872&p=120243&hilit=lvm#p120243

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agoLibvirt: update to version 5.6.0
Jonatan Schlag [Sun, 10 Nov 2019 13:02:59 +0000 (13:02 +0000)] 
Libvirt: update to version 5.6.0

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agolibvirt: use a custom config file
Jonatan Schlag [Sun, 10 Nov 2019 13:02:58 +0000 (13:02 +0000)] 
libvirt: use a custom config file

The patch which adjusts the options for IPFire in the libvirtd.conf does
not apply in a newer version of libvirt. Creating this patch is harder
than to use a separate config file.

This separate config file also enables us to adjust options much faster.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agoLibvirt: disable Wireshark
Jonatan Schlag [Sun, 10 Nov 2019 13:02:57 +0000 (13:02 +0000)] 
Libvirt: disable Wireshark

When I try to build libvirt a second-time without ./make.sh clean
between the two builds, libvirt tries to link against Wireshark and
fails.
This configure option solves the problem.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agocore138: add squid
Arne Fitzenreiter [Wed, 13 Nov 2019 19:37:47 +0000 (19:37 +0000)] 
core138: add squid

4 years agosquid: Update to 4.9
Matthias Fischer [Fri, 8 Nov 2019 16:47:06 +0000 (17:47 +0100)] 
squid: Update to 4.9

For details see:
http://www.squid-cache.org/Versions/v4/changesets/

Fixes CVE-2019-12526, CVE-2019-12523, CVE-2019-18676, CVE-2019-18677, CVE-2019-18678 and
CVE-2019-18679

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agoddns: Import upstream patch for NoIP.com
Stefan Schantl [Tue, 5 Nov 2019 18:23:41 +0000 (19:23 +0100)] 
ddns: Import upstream patch for NoIP.com

Reference: #11561.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agocore138: add ddns
Arne Fitzenreiter [Wed, 13 Nov 2019 19:33:53 +0000 (19:33 +0000)] 
core138: add ddns

4 years agocore138: add logwatch
Arne Fitzenreiter [Wed, 13 Nov 2019 19:33:31 +0000 (19:33 +0000)] 
core138: add logwatch

4 years agoddns: Update to 012
Stefan Schantl [Tue, 5 Nov 2019 09:37:44 +0000 (10:37 +0100)] 
ddns: Update to 012

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agocore138: add suricata changes
Arne Fitzenreiter [Wed, 13 Nov 2019 19:20:17 +0000 (19:20 +0000)] 
core138: add suricata changes

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agosuricata: Use DNS_SERVERS declaration from external file.
Stefan Schantl [Tue, 5 Nov 2019 09:32:02 +0000 (10:32 +0100)] 
suricata: Use DNS_SERVERS declaration from external file.

These settings now will be read from
/var/ipfire/suricata/suricata-dns-servers.yaml, which will be
generated by the generate_dns_servers_file() function, located in
ids-functions.pl and called by various scripts.

Fixes #12166.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agored.up: Generate Suricata DNS servers file on reconnect.
Stefan Schantl [Tue, 5 Nov 2019 09:32:01 +0000 (10:32 +0100)] 
red.up: Generate Suricata DNS servers file on reconnect.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agoconvert-snort: Generate DNS servers file.
Stefan Schantl [Tue, 5 Nov 2019 09:32:00 +0000 (10:32 +0100)] 
convert-snort: Generate DNS servers file.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agoids.cgi: Generate and store the DNS server configuration.
Stefan Schantl [Tue, 5 Nov 2019 09:31:59 +0000 (10:31 +0100)] 
ids.cgi: Generate and store the DNS server configuration.

This will be done by the recently added generate_dns_servers_file()
function from ids-functions.pl.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agoids-functions.pl: Introduce generate_dns_servers_file()
Stefan Schantl [Tue, 5 Nov 2019 09:31:58 +0000 (10:31 +0100)] 
ids-functions.pl: Introduce generate_dns_servers_file()

This function is used to generate a yaml file which take care of the
current used DNS configuration and should be included in the main
suricata config file.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agologwatch: Update to 7.5.2
Matthias Fischer [Tue, 5 Nov 2019 08:07:46 +0000 (09:07 +0100)] 
logwatch: Update to 7.5.2

For details see:
https://build.opensuse.org/package/view_file/server:monitoring/logwatch/ChangeLog?expand=1

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agoApache: deny framing of WebUI from different origins
peter.mueller@ipfire.org [Mon, 4 Nov 2019 18:53:00 +0000 (18:53 +0000)] 
Apache: deny framing of WebUI from different origins

There is no legitimate reason to do this. Setting header X-Frame-Options
to "sameorigin" is necessary for displaying some collectd graphs on the
WebUI.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agocore138: add ipfire-interface.conf
Arne Fitzenreiter [Wed, 13 Nov 2019 19:10:03 +0000 (19:10 +0000)] 
core138: add ipfire-interface.conf

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agoApache: prevent Referrer leaks via WebUI
peter.mueller@ipfire.org [Mon, 4 Nov 2019 18:52:00 +0000 (18:52 +0000)] 
Apache: prevent Referrer leaks via WebUI

By default, even modern browsers sent the URL of ther originating
site to another one when accessing hyperlinks. This is an information
leak and may expose internal details (such as FQDN or IP address)
of an IPFire installation to a third party.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agocore138: add ipfire-interface-ssl.conf
Arne Fitzenreiter [Wed, 13 Nov 2019 19:08:02 +0000 (19:08 +0000)] 
core138: add ipfire-interface-ssl.conf

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agoApache: drop CBC ciphers for WebUI
peter.mueller@ipfire.org [Mon, 4 Nov 2019 18:35:00 +0000 (18:35 +0000)] 
Apache: drop CBC ciphers for WebUI

CBC ciphers contain some known vulnerabilities and should not be used
anymore. While dropping them for OpenSSL clients or public web servers
still causes interoperability problems with legacy setups, they can
be safely removed from IPFire's administrative UI.

This patch changes the used cipersuite to:

TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD

Since TLS 1.3 ciphers will be added automatically by OpenSSL, mentioning
them in "SSLCipherSuite" is unnecessary. ECDSA is preferred over RSA for
performance reasons.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agocore138: add openssl
Arne Fitzenreiter [Wed, 13 Nov 2019 19:04:48 +0000 (19:04 +0000)] 
core138: add openssl

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agoOpenSSL: drop preferring of Chacha20/Poly1305 over AES-GCM
peter.mueller@ipfire.org [Mon, 4 Nov 2019 18:24:00 +0000 (18:24 +0000)] 
OpenSSL: drop preferring of Chacha20/Poly1305 over AES-GCM

As hardware acceleration for AES is emerging (Fireinfo indicates
30.98% of reporting installations support this, compared to
28.22% in summer), there is no more reason to manually prefer
Chacha20/Poly1305 over it.

Further, overall performance is expected to increase as server
CPUs usually come with AES-NI today, where Chacha/Poly would
be an unnecessary bottleneck. Small systems without AES-NI,
however, compute Chacha/Poly measurable, but not significantly faster,
so there only was a small advantage of this.

This patch changes the OpenSSL default ciphersuite to:

TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=Camellia(256) Mac=SHA384
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-RSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=Camellia(256) Mac=SHA384
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=Camellia(128) Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=Camellia(128) Mac=SHA256
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH       Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
DHE-RSA-CAMELLIA256-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA256
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA256
ECDHE-ECDSA-AES256-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES128-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
ECDHE-RSA-AES256-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES128-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA1
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
CAMELLIA256-SHA256      TLSv1.2 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA256
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
CAMELLIA128-SHA256      TLSv1.2 Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA256
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
CAMELLIA256-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
CAMELLIA128-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA1

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agocore138: add ovpnmain.cgi
Arne Fitzenreiter [Wed, 13 Nov 2019 18:55:53 +0000 (18:55 +0000)] 
core138: add ovpnmain.cgi

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agoOpenVPN: Fix max-clients option
Erik Kapfer [Mon, 4 Nov 2019 14:52:26 +0000 (15:52 +0100)] 
OpenVPN: Fix max-clients option

Fix: Triggered by https://forum.ipfire.org/viewtopic.php?f=16&t=23551

Since the 'DHCP_WINS' cgiparam has been set for the max-client directive, changes in the WUI has not been adapted to server.conf.

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agocore138: add unbound initscript
Arne Fitzenreiter [Wed, 13 Nov 2019 18:54:28 +0000 (18:54 +0000)] 
core138: add unbound initscript

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agounbound: Fix whitespace error in initscript
Michael Tremer [Mon, 4 Nov 2019 12:02:46 +0000 (12:02 +0000)] 
unbound: Fix whitespace error in initscript

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agocore138: add openvpn
Arne Fitzenreiter [Wed, 13 Nov 2019 18:52:15 +0000 (18:52 +0000)] 
core138: add openvpn

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agoOpenVPN: Update to version 2.4.8
Erik Kapfer [Fri, 1 Nov 2019 13:33:06 +0000 (14:33 +0100)] 
OpenVPN: Update to version 2.4.8

This is primarily a maintenance release with bugfixes and improvements. All changes can be overviewed in here -->
https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24 .

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agocore138: add init.d/functions
Arne Fitzenreiter [Wed, 13 Nov 2019 18:50:07 +0000 (18:50 +0000)] 
core138: add init.d/functions

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agoinitscripts: Tell users to report bugs on Bugzilla
Michael Tremer [Thu, 31 Oct 2019 18:09:05 +0000 (18:09 +0000)] 
initscripts: Tell users to report bugs on Bugzilla

I have been receiving a couple of emails recently directed
at info@ipfire.org with bug reports when a system did not
boot up or shut down properly.

This is obviously not the right way to report bugs, but
we are telling our users to do so.

This patch changes this to report bugs to Bugzilla like
it should be.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agolibarchiv: Update to version 3.4.0
Erik Kapfer [Thu, 31 Oct 2019 07:58:30 +0000 (08:58 +0100)] 
libarchiv: Update to version 3.4.0

Version 3.4.0 is a feature and security release. The changelog can be found in here --> https://github.com/libarchive/libarchive/releases .

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agocore138: add lz4
Arne Fitzenreiter [Wed, 13 Nov 2019 18:44:36 +0000 (18:44 +0000)] 
core138: add lz4

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agolz4: Update to version 1.9.2
Erik Kapfer [Thu, 31 Oct 2019 07:49:55 +0000 (08:49 +0100)] 
lz4: Update to version 1.9.2

Several fixes and improvements has been integrated. The changes list through the different versions since
the current version 1.8.1.2 can be found in here --> https://github.com/lz4/lz4/releases

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agocore138: add mail.cgi
Arne Fitzenreiter [Wed, 13 Nov 2019 18:42:17 +0000 (18:42 +0000)] 
core138: add mail.cgi

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agomail.cgi: Do not print content of input fields
Michael Tremer [Wed, 30 Oct 2019 10:59:00 +0000 (10:59 +0000)] 
mail.cgi: Do not print content of input fields

This was printed unescaped and could therefore be used
for a stored XSS attack.

Fixes: #12226
Reported-by: Pisher Honda <pisher24@gmail.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agomail.cgi: Always check content of fields
Michael Tremer [Wed, 30 Oct 2019 10:58:59 +0000 (10:58 +0000)] 
mail.cgi: Always check content of fields

These checks did not do anything but clear all fields
when mailing was disabled.

It makes a lot more sense to retain people's settings,
even when they have been disabled.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agoCore Update 138: ship ca-certificates
peter.mueller@ipfire.org [Tue, 29 Oct 2019 18:17:00 +0000 (18:17 +0000)] 
Core Update 138: ship ca-certificates

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 years agoupdate ca-certificates CA bundle
peter.mueller@ipfire.org [Tue, 29 Oct 2019 18:16:00 +0000 (18:16 +0000)] 
update ca-certificates CA bundle

Update the CA certificates list to what Mozilla NSS ships currently.

The original file can be retrieved from:
https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
5 years agoTor: fix permissions of /var/ipfire/tor/torrc after installation
peter.mueller@ipfire.org [Tue, 29 Oct 2019 18:37:00 +0000 (18:37 +0000)] 
Tor: fix permissions of /var/ipfire/tor/torrc after installation

Fixes #12220

Reported-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
5 years agocore138: add firewall-lib.pl to update
Arne Fitzenreiter [Tue, 29 Oct 2019 13:25:55 +0000 (13:25 +0000)] 
core138: add firewall-lib.pl to update

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
5 years agofirewall-lib.pl: Populate GeoIP rules only if location is available.
Stefan Schantl [Tue, 16 Apr 2019 19:08:05 +0000 (21:08 +0200)] 
firewall-lib.pl: Populate GeoIP rules only if location is available.

In case a GeoIP related firewall rule should be created, the script
now will check if the given location is still available.

Fixes #12054.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
5 years agostart core138
Arne Fitzenreiter [Tue, 29 Oct 2019 13:22:31 +0000 (13:22 +0000)] 
start core138

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
5 years agospeedtest-cli: Use Python 3 instead of Python 2
Michael Tremer [Mon, 28 Oct 2019 16:51:29 +0000 (16:51 +0000)] 
speedtest-cli: Use Python 3 instead of Python 2

This seems to be required although the documentation says
that Python 2 is supported.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
5 years agopython3: Bump release version to redistribute package
Michael Tremer [Mon, 28 Oct 2019 16:49:54 +0000 (16:49 +0000)] 
python3: Bump release version to redistribute package

Python 3 was linked against an old version of OpenSSL on my
system and to avoid this, we need to ship it again being built
against the current version of it.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
5 years agoQoS: Do no classify as default when L7 filter isn't done core137 v2.23-core137
Michael Tremer [Tue, 22 Oct 2019 15:48:14 +0000 (17:48 +0200)] 
QoS: Do no classify as default when L7 filter isn't done

We need to allow some more packets to pass through the
mangle chains so that the layer 7 filter can determine
what protocol it finds.

If L7 filter decides that a connection is of type "unknown",
we mark it as default, or it is marked with the correct class.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
5 years agoRevert "Revert "Revert "core137: Remove imq0 and unload imq module after QoS has...
Arne Fitzenreiter [Tue, 22 Oct 2019 15:54:37 +0000 (15:54 +0000)] 
Revert "Revert "Revert "core137: Remove imq0 and unload imq module after QoS has been stopped"""

This reverts commit e4d242da4ae1074b75d5d45eeb16061ba178f6c4.

this fails because we let QoS running and it doesn't like if the imq0
device was removed. (why imq0 can removed when it is up?)

5 years agobind: Update to 9.11.12
Matthias Fischer [Thu, 17 Oct 2019 11:29:57 +0000 (13:29 +0200)] 
bind: Update to 9.11.12

For details see:
https://downloads.isc.org/isc/bind9/9.11.12/RELEASE-NOTES-bind-9.11.12.html

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
5 years agogrub: Build after Python is available
Michael Tremer [Thu, 17 Oct 2019 16:01:10 +0000 (16:01 +0000)] 
grub: Build after Python is available

The build sometimes aborted because python was not found
when Grub was being built for EFI.

Fixes: #12209
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
5 years agoRevert "Revert "core137: Remove imq0 and unload imq module after QoS has been stopped""
Arne Fitzenreiter [Mon, 21 Oct 2019 19:00:19 +0000 (19:00 +0000)] 
Revert "Revert "core137: Remove imq0 and unload imq module after QoS has been stopped""

This reverts commit 39c4ed442714451e380d45c9837547a081a80f6f.

5 years agoQoS: Delete more unused iptables commands
Michael Tremer [Mon, 21 Oct 2019 18:45:39 +0000 (20:45 +0200)] 
QoS: Delete more unused iptables commands

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
5 years agoQoS: Drop support for setting TOS bits per class
Michael Tremer [Mon, 21 Oct 2019 18:45:37 +0000 (20:45 +0200)] 
QoS: Drop support for setting TOS bits per class

This is useless since no ISP will evaluate those settings
any more and it has a rather large impact on throughput.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>