2 ############################################################################
4 # This file is part of the IPFire Firewall. #
6 # IPFire is free software; you can redistribute it and/or modify #
7 # it under the terms of the GNU General Public License as published by #
8 # the Free Software Foundation; either version 3 of the License, or #
9 # (at your option) any later version. #
11 # IPFire is distributed in the hope that it will be useful, #
12 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
13 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
14 # GNU General Public License for more details. #
16 # You should have received a copy of the GNU General Public License #
17 # along with IPFire; if not, write to the Free Software #
18 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
20 # Copyright (C) 2014 IPFire-Team <info@ipfire.org>. #
22 ############################################################################
24 .
/opt
/pakfire
/lib
/functions.sh
25 /usr
/local
/bin
/backupctrl exclude
>/dev
/null
2>&1
27 function add_to_backup
()
29 # Add path to ROOTFILES but remove old entries to prevent double
31 grep -v "^$1" /opt
/pakfire
/tmp
/ROOTFILES
> /opt
/pakfire
/tmp
/ROOTFILES.tmp
32 mv /opt
/pakfire
/tmp
/ROOTFILES.tmp
/opt
/pakfire
/tmp
/ROOTFILES
33 echo $1 >> /opt
/pakfire
/tmp
/ROOTFILES
37 # Remove old core updates from pakfire cache to save space...
39 for (( i
=1; i
<=${core}; i
++ ))
41 rm -f /var
/cache
/pakfire
/core-upgrade-
*-$i.ipfire
45 # Do some sanity checks.
48 /usr
/bin
/logger
-p syslog.emerg
-t ipfire \
49 "core-update-${core}: ERROR cannot update. versatile support is dropped."
50 # Report no error to pakfire. So it does not try to install it again.
54 BOOTSIZE
=`df /boot -Pk | sed "s| * | |g" | cut -d" " -f2 | tail -n 1`
55 if [ $BOOTSIZE -lt 28000 ]; then
56 /usr
/bin
/logger
-p syslog.emerg
-t ipfire \
57 "core-update-${core}: ERROR cannot update because not enough space on boot."
65 /usr
/bin
/logger
-p syslog.emerg
-t ipfire \
66 "core-update-${core}: ERROR cannot update. No IPFire Kernel."
75 MOUNT
=`grep "kernel" /boot/grub/grub.conf 2>/dev/null | tail -n 1 `
76 # Nur den letzten Parameter verwenden
77 echo $MOUNT > /dev
/null
79 if [ ! $MOUNT == "rw" ]; then
84 # check if we the backup file already exist
85 if [ -e /var
/ipfire
/backup
/core-upgrade
${core}_
${KVER}.
tar.xz
]; then
86 echo Moving backup to backup-old ...
87 mv -f /var
/ipfire
/backup
/core-upgrade
${core}_
${KVER}.
tar.xz \
88 /var
/ipfire
/backup
/core-upgrade
${core}_
${KVER}-old.
tar.xz
90 echo First we made a backup of all files that was inside of the
91 echo update archive. This may take a
while ...
92 # Add some files that are not in the package to backup
93 add_to_backup lib
/modules
94 add_to_backup etc
/udev
95 add_to_backup lib
/udev
97 add_to_backup etc
/sysconfig
/lm_sensors
98 add_to_backup etc
/sysconfig
/rc.
local
99 add_to_backup srv
/web
/ipfire
/html
/themes
/ipfire
100 add_to_backup usr
/lib
/engines
101 add_to_backup etc
/rc.d
/init.d
/networking
/red.up
/22-outgoingfwctrl
102 add_to_backup etc
/rc.d
/init.d
/networking
/red.up
/25-portfw
103 add_to_backup etc
/rc.d
/init.d
/networking
/red.up
/26-xtaccess
104 add_to_backup usr
/local
/bin
/setportfw
105 add_to_backup usr
/local
/bin
/setdmzholes
106 add_to_backup usr
/local
/bin
/setxtaccess
107 add_to_backup usr
/local
/bin
/outgoingfwctrl
108 add_to_backup srv
/web
/ipfire
/cgi-bin
/{dmzholes
,outgoingfw
,portfw
,xtaccess
}.cgi
109 add_to_backup var
/ipfire
/{dmzholes
,portfw
,outgoing
,xtaccess
}
110 add_to_backup etc
/inittab
111 add_to_backup etc
/fstab
112 add_to_backup usr
/share
/usb_modeswitch
113 add_to_backup etc
/rc.d
/init.d
/networking
/red.down
/99-D-dialctrl.pl
114 add_to_backup etc
/rc.d
/init.d
/networking
/red.up
/99-U-dialctrl.pl
115 add_to_backup usr
/local
/bin
/dialctrl.pl
118 tar cJvf
/var
/ipfire
/backup
/core-upgrade
${core}_
${KVER}.
tar.xz \
119 -C / -T /opt
/pakfire
/tmp
/ROOTFILES
--exclude='#*' --exclude='/var/cache' > /dev
/null
2>&1
121 # Check diskspace on root
122 ROOTSPACE
=`df / -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1`
124 if [ $ROOTSPACE -lt 100000 ]; then
125 /usr
/bin
/logger
-p syslog.emerg
-t ipfire \
126 "core-update-${core}: ERROR cannot update because not enough free space on root."
132 echo Update Kernel to
$KVER ...
134 # Remove old kernel, configs, initrd, modules ...
136 rm -rf /boot
/System.map-
*
137 rm -rf /boot
/config-
*
138 rm -rf /boot
/ipfirerd-
*
139 rm -rf /boot
/vmlinuz-
*
140 rm -rf /boot
/uImage-ipfire-
*
141 rm -rf /boot
/uInit-ipfire-
*
144 # Remove old usb_modeswitch_data
145 rm -rf /usr
/share
/usb_modeswitch
147 rm -rf /usr
/share
/zoneinfo
149 # Remove dialctrl.pl script
151 /etc
/rc.d
/init.d
/networking
/red.down
/99-D-dialctrl.pl \
152 /etc
/rc.d
/init.d
/networking
/red.up
/99-U-dialctrl.pl \
153 /usr
/local
/bin
/dialctrl.pl
156 # Remove old udev rules.
158 if [ -e /etc
/udev
/rules.d
/29-ct-server-network.rules
]; then
159 cp /etc
/udev
/rules.d
/29-ct-server-network.rules
/tmp
/
161 cp /etc
/udev
/rules.d
/30-persistent-network.rules
/tmp
/
164 mkdir
-p /etc
/udev
/rules.d
165 if [ -e /tmp
/rules.d
/29-ct-server-network.rules
]; then
166 mv /tmp
/29-ct-server-network.rules
/etc
/udev
/rules.d
/
168 mv /tmp
/30-persistent-network.rules
/etc
/udev
/rules.d
/
175 cp -vf /boot
/grub
/grub.conf
/boot
/grub
/grub.conf.org
180 /etc
/init.d
/snort stop
181 /etc
/init.d
/squid stop
182 /etc
/init.d
/ipsec stop
183 /etc
/init.d
/apache stop
185 # Remove the old default theme
186 rm -rf /srv
/web
/ipfire
/html
/themes
/ipfire
188 # rename /etc/modprobe.d files
189 for i
in $
(find /etc
/modprobe.d
/* |
grep -v ".conf"); do
193 # Move /var/run to /run.
194 if [ -L "/run" ]; then
199 if mountpoint
/var
/run
; then
200 mount
--move /var
/run
/run
204 ln -svf ..
/run
/var
/run
206 # Creating directories for new firewall.
207 mkdir
-p /var
/ipfire
/firewall
208 mkdir
-p /var
/ipfire
/fwhosts
210 # Remove old ntp binaries
211 rm -f /usr
/sbin
/ntp-keygen
212 rm -f /usr
/sbin
/ntp-wait
214 rm -f /usr
/sbin
/ntptime
215 rm -f /usr
/sbin
/ntptrace
216 rm -f /usr
/sbin
/tickadj
218 # Remove old firewall helper link
219 rm -f /etc
/rc.d
/init.d
/networking
/red.up
/22-forwardfwctrl
223 tar xavf
/opt
/pakfire
/tmp
/files
* --no-overwrite-dir -p --numeric-owner -C /
225 # Check diskspace on boot
226 BOOTSPACE
=`df /boot -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1`
228 if [ $BOOTSPACE -lt 1000 ]; then
231 # Special handling for old kirkwood images.
232 # (install only kirkwood kernel)
234 tar xavf
/opt
/pakfire
/tmp
/files
* --no-overwrite-dir -p \
235 --numeric-owner -C / --wildcards 'boot/*-kirkwood*'
238 /usr
/bin
/logger
-p syslog.emerg
-t ipfire \
239 "core-update-${core}: FATAL-ERROR space run out on boot. System is not bootable..."
240 /etc
/init.d
/apache start
247 #Reload init to close old linker/glibc
250 # Regenerate ipsec configuration files.
251 /srv
/web
/ipfire
/cgi-bin
/vpnmain.cgi
253 # Update Language cache
254 perl
-e "require '/var/ipfire/lang.pl'; &Lang::BuildCacheLang"
256 # Remove old openssl engines
257 rm -rf /usr
/lib
/engines
259 # Remove old initscripts
260 rm -f /etc
/rc.d
/init.d
/networking
/red.up
/22-outgoingfwctrl
261 rm -f /etc
/rc.d
/init.d
/networking
/red.up
/25-portfw
262 rm -f /etc
/rc.d
/init.d
/networking
/red.up
/26-xtaccess
263 rm -f /etc
/rc.d
/rcsysinit.d
/S90sysctl
265 # Remove old firewallscripts
266 rm -f /usr
/local
/bin
/setportfw
267 rm -f /usr
/local
/bin
/setdmzholes
268 rm -f /usr
/local
/bin
/setxtaccess
269 rm -f /usr
/local
/bin
/outgoingfwctrl
271 # Remove old CGI files
272 rm -f /srv
/web
/ipfire
/cgi-bin
/{dmzholes
,outgoingfw
,portfw
,xtaccess
}.cgi
274 # Generate chains for new firewall
275 /sbin
/iptables
-N INPUTFW
2>/dev
/null
276 /sbin
/iptables
-N FORWARDFW
2>/dev
/null
277 /sbin
/iptables
-N POLICYFWD
2>/dev
/null
278 /sbin
/iptables
-N POLICYIN
2>/dev
/null
279 /sbin
/iptables
-N POLICYOUT
2>/dev
/null
280 /sbin
/iptables
-t nat
-N NAT_SOURCE
2>/dev
/null
281 /sbin
/iptables
-t nat
-N NAT_DESTINATION
2>/dev
/null
282 /sbin
/iptables
-t mangle
-N NAT_DESTINATION
2>/dev
/null
284 # Create config files for firewall and fix permissions.
285 touch /var
/ipfire
/firewall
/config
286 touch /var
/ipfire
/firewall
/input
287 touch /var
/ipfire
/firewall
/outgoing
288 touch /var
/ipfire
/firewall
/settings
289 touch /var
/ipfire
/fwhosts
/customhosts
290 touch /var
/ipfire
/fwhosts
/customnetworks
291 touch /var
/ipfire
/fwhosts
/customgroups
292 touch /var
/ipfire
/fwhosts
/customservices
293 touch /var
/ipfire
/fwhosts
/customservicegrp
295 if [ ! -s "/var/ipfire/fwhosts/customservices" ];then
296 cp /var
/ipfire
/fwhosts
/customservices.default
/var
/ipfire
/fwhosts
/customservices
300 chown
-R nobody
:nobody
/var
/ipfire
/firewall
301 chown
-R nobody
:nobody
/var
/ipfire
/fwhosts
303 # Convert firewall configuration
304 /usr
/sbin
/convert-xtaccess
305 /usr
/sbin
/convert-outgoingfw
306 /usr
/sbin
/convert-portfw
307 /usr
/sbin
/convert-dmz
309 # Remove old firewall configuration files
310 rm -rf /var
/ipfire
/{dmzholes
,portfw
,outgoing
,xtaccess
}
312 # In previously released IPFire versions the DROPOUTPUT and DROPINPUT
313 # option have two identical lines in the optionsfw/settings file as long as
314 # the user hasn't done any changes on the WUI.
316 # To prevent from any kind of side effects we are going to solve this issue now.
318 # Fix doubble enties of DROPOUTPUT when the default settings are still in use
319 # (the save button on the WUI page never has been clicked) or convert to the
320 # new option name required by the firewall of IPFire 2.15.
322 optionsfw_file
="/var/ipfire/optionsfw/settings"
324 if [ $
(grep -c "DROPOUTPUT" ${optionsfw_file}) -gt 1 ] ; then
326 # Drop all DROPUTPUT entries.
327 sed -e "/DROPOUTPUT/d" -i ${optionsfw_file}
329 # Add default line for new option.
330 echo "DROPOUTGOING=on" >> ${optionsfw_file}
333 # Convert option name to new format.
334 sed -e "s/DROPOUTPUT/DROPOUTGOING/g" -i ${optionsfw_file}
337 # Fix doubble enties of DROPINPUT when the default settings are still in use
338 # (the save button on the WUI page never has been clicked).
339 if [ $
(grep -c "DROPINPUT" ${optionsfw_file}) -gt 1 ] ; then
341 # We only can remove all entries with an defined string.
342 sed -e "/DROPINPUT/d" -i ${optionsfw_file}
344 # Afterwards we have to add the required string with the default
346 echo "DROPINPUT=on" >> ${optionsfw_file}
349 # Add strings and default values for new options of the firewall.
350 echo "DROPFORWARD=on" >> ${optionsfw_file}
351 echo "FWPOLICY=DROP" >> ${optionsfw_file}
352 echo "FWPOLICY1=DROP" >> ${optionsfw_file}
353 echo "FWPOLICY2=DROP" >> ${optionsfw_file}
354 echo "DROPSAMBA=off" >> ${optionsfw_file}
355 echo "DROPPROXY=off" >> ${optionsfw_file}
356 echo "SHOWREMARK=on" >> ${optionsfw_file}
357 echo "SHOWCOLORS=on" >> ${optionsfw_file}
358 echo "SHOWTABLES=off" >> ${optionsfw_file}
359 echo "SHOWDROPDOWN=off" >> ${optionsfw_file}
360 echo "DROPWIRELESSINPUT=on" >> ${optionsfw_file}
361 echo "DROPWIRELESSFORWARD=on" >> ${optionsfw_file}
365 # Convert inittab and fstab
366 sed -i -e "s/tty1 9600$/tty1 9600 --noclear/g" /etc
/inittab
367 sed -i -e "s/xvc0 9600$/xvc0 9600 --noclear/g" /etc
/inittab
368 sed -i -e "s/^proc/#proc/g" /etc
/fstab
369 sed -i -e "s/^sysfs/#sysfs/g" /etc
/fstab
370 sed -i -e "s/^devpts/#devpts/g" /etc
/fstab
371 sed -i -e "s|^none\s/var/run|#none /var/run|g" /etc
/fstab
373 # Convert udev persistent network rules
374 sed -i -e "s/SYSFS{/ATTR{/g" /etc
/udev
/rules.d
/30-persistent-network.rules
376 # Firstsetup was already run
377 touch /var
/ipfire
/main
/firstsetup_ok
382 /etc
/init.d
/apache start
383 /etc
/init.d
/squid start
384 /etc
/init.d
/snort start
385 if [ `grep "ENABLED=on" /var/ipfire/vpn/settings` ]; then
386 /etc
/init.d
/ipsec start
390 # Rebuild qosscript if enabled
392 if [ -e /var
/ipfire
/qos
/enable ]; then
393 /usr
/local
/bin
/qosctrl stop
394 /usr
/local
/bin
/qosctrl generate
395 /usr
/local
/bin
/qosctrl start
399 cat <<EOF >> /var/spool/cron/root.orig
401 # Re-read firewall rules every Sunday in March, October and November to take care of daylight saving time
402 00 3 * 3 0 /usr/local/bin/timezone-transition /usr/local/bin/firewallctrl
403 00 2 * 10-11 0 /usr/local/bin/timezone-transition /usr/local/bin/firewallctrl
405 fcrontab
-z &>/dev
/null
414 echo Update grub configuration ...
415 ROOT
=`mount | grep " / " | cut -d" " -f1`
417 if [ ! -z $ROOT ]; then
418 ROOTUUID
=`blkid -c /dev/null -sUUID $ROOT | cut -d'"' -f2`
421 if [ ! -z $ROOTUUID ]; then
422 sed -i "s|ROOT|UUID=$ROOTUUID|g" /boot
/grub
/grub.conf
424 sed -i "s|ROOT|$ROOT|g" /boot
/grub
/grub.conf
426 sed -i "s|KVER|$KVER|g" /boot
/grub
/grub.conf
427 sed -i "s|MOUNT|$MOUNT|g" /boot
/grub
/grub.conf
429 if [ "$(grep "^serial
" /boot/grub/grub.conf.org)" == "" ]; then
430 echo "grub use default console ..."
432 echo "grub use serial console ..."
433 sed -i -e "s|splashimage|#splashimage|g" /boot
/grub
/grub.conf
434 sed -i -e "s|#serial|serial|g" /boot
/grub
/grub.conf
435 sed -i -e "s|#terminal|terminal|g" /boot
/grub
/grub.conf
436 sed -i -e "s| panic=10 | console=ttyS0,115200n8 panic=10 |g" /boot
/grub
/grub.conf
442 echo "(hd0) ${ROOT::`expr length $ROOT`-1}" > /boot
/grub
/device.map
443 grub-install
--no-floppy ${ROOT::`expr length $ROOT`-1}
447 # Delete old lm-sensor modullist to force search at next boot
449 rm -rf /etc
/sysconfig
/lm_sensors
452 # Force (re)install pae kernel if pae is supported
453 rm -rf /opt
/pakfire
/db
/*/meta-linux-pae
454 if [ ! "$(grep "^flags.
* pae
" /proc/cpuinfo)" == "" ]; then
455 ROOTSPACE
=`df / -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1`
456 BOOTSPACE
=`df /boot -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1`
457 if [ $BOOTSPACE -lt 12000 -o $ROOTSPACE -lt 90000 ]; then
458 /usr
/bin
/logger
-p syslog.emerg
-t ipfire \
459 "core-update-${core}: WARNING not enough space for pae kernel."
461 echo "Name: linux-pae" > /opt
/pakfire
/db
/installed
/meta-linux-pae
462 echo "ProgVersion: 0" >> /opt
/pakfire
/db
/installed
/meta-linux-pae
463 echo "Release: 0" >> /opt
/pakfire
/db
/installed
/meta-linux-pae
464 echo "Name: linux-pae" > /opt
/pakfire
/db
/meta
/meta-linux-pae
465 echo "ProgVersion: 0" >> /opt
/pakfire
/db
/meta
/meta-linux-pae
466 echo "Release: 0" >> /opt
/pakfire
/db
/meta
/meta-linux-pae
470 # Force reinstall xen kernel if it was installed
471 if [ -e "/opt/pakfire/db/installed/meta-linux-xen" ]; then
472 echo "Name: linux-xen" > /opt
/pakfire
/db
/installed
/meta-linux-xen
473 echo "ProgVersion: 0" >> /opt
/pakfire
/db
/installed
/meta-linux-xen
474 echo "Release: 0" >> /opt
/pakfire
/db
/installed
/meta-linux-xen
475 echo "Name: linux-xen" > /opt
/pakfire
/db
/meta
/meta-linux-xen
476 echo "ProgVersion: 0" >> /opt
/pakfire
/db
/meta
/meta-linux-xen
477 echo "Release: 0" >> /opt
/pakfire
/db
/meta
/meta-linux-xen
478 # Add xvc0 to /etc/securetty
479 echo "xvc0" >> /etc
/securetty
483 # After pakfire has ended run it again and update the lists and do upgrade
485 echo '#!/bin/bash' > /tmp
/pak_update
486 echo 'while [ "$(ps -A | grep " update.sh")" != "" ]; do' >> /tmp
/pak_update
487 echo ' sleep 1' >> /tmp
/pak_update
488 echo 'done' >> /tmp
/pak_update
489 echo 'while [ "$(ps -A | grep " pakfire")" != "" ]; do' >> /tmp
/pak_update
490 echo ' sleep 1' >> /tmp
/pak_update
491 echo 'done' >> /tmp
/pak_update
492 echo '/opt/pakfire/pakfire update -y --force' >> /tmp
/pak_update
493 echo '/opt/pakfire/pakfire upgrade -y' >> /tmp
/pak_update
494 echo '/opt/pakfire/pakfire upgrade -y' >> /tmp
/pak_update
495 echo '/opt/pakfire/pakfire upgrade -y' >> /tmp
/pak_update
496 echo '/usr/bin/logger -p syslog.emerg -t ipfire "Core-upgrade finished. If you use a customized grub.cfg"' >> /tmp
/pak_update
497 echo '/usr/bin/logger -p syslog.emerg -t ipfire "Check it before reboot !!!"' >> /tmp
/pak_update
498 echo '/usr/bin/logger -p syslog.emerg -t ipfire " *** Please reboot... *** "' >> /tmp
/pak_update
499 echo 'touch /var/run/need_reboot ' >> /tmp
/pak_update
501 killall
-KILL pak_update
502 chmod +x
/tmp
/pak_update
510 /etc
/init.d
/fireinfo start
514 # Update Package list for addon installation
515 /opt
/pakfire
/pakfire update
-y --force
518 echo Please
wait until pakfire has ended...
520 #Don't report the exitcode last command