Michael Tremer [Sat, 23 Mar 2024 14:03:36 +0000 (15:03 +0100)]
openvpnctrl: Rewrite the entire thing
This binary because a major headache as it has been changed so many
times by so many people neglegting the code quality. Therefore, the
logic has now been moved into initscripts and the binary changed so that
it only serves as a SUID wrapper to call the initscripts.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sat, 23 Mar 2024 13:57:19 +0000 (14:57 +0100)]
initscripts: No longer restart OpenVPN when RED comes up/goes down
This is probably a relic from when dial-up connections where on trend
and systems were offline for long times of the day. Now, we should
always be on and there is no need to restart all those services on a
reconnect.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 20 Mar 2024 19:38:52 +0000 (20:38 +0100)]
ovpnmain.cgi: Migrate to subnet topology
For dynamic pools, this change is easy and does not require any extra
steps. For CCD clients however, we need to update the configuration to
replace the server IP address with the subnet mask.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 20 Mar 2024 13:56:20 +0000 (14:56 +0100)]
ovpnmain.cgi: Drop validdotmask()
This is a totally braindead function that prevented some basic usability
by using the more modern prefix notation. It simply checks if there is a
freaking dot. Great!
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 19 Mar 2024 19:44:18 +0000 (20:44 +0100)]
ovpnmain.cgi: Force NCP on clients
This change requires that all clients support NCP if they are set up
with a new connection. Existing clients remain supported using the
fallback cipher option.
This will result that connections with OpenVPN <= 2.3 cannot be set up
any more which is totally fine since that version is EOL.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 19 Mar 2024 19:11:31 +0000 (20:11 +0100)]
ovpnmain.cgi: Completely remove compression for RW clients
We will use the "compress migrate" option which disables compression by
default. If a client has been found that wants to use compression, the
server will push "stub-v2" to disable it. If that does not work, the
server might fall back to compression.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 19 Mar 2024 15:32:33 +0000 (16:32 +0100)]
ovpnmain.cgi: Drop newcleanssldatabase()
I have no idea why this was added when there is a function that does the
same already. The remove function also had typos in the path which
probably resulted in it not working very well.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 2 Jun 2025 18:41:58 +0000 (18:41 +0000)]
core196: Ship OpenSSL
This is being shipped because it has been rebuilt with GCC 15. There has
been reports on some systems that OpenSSL triggers some compiler bug and
therefore the openssl command tends to segfault a lot.
This is now being resolved with GCC 15.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sun, 1 Jun 2025 14:58:28 +0000 (14:58 +0000)]
linux: Backport support for BIG TCP GSO on WireGuard
Advertise GSO_MAX_SIZE as TSO max size in order support BIG TCP for wireguard.
This helps to improve wireguard performance a bit when enabled as it allows
wireguard to aggregate larger skbs in wg_packet_consume_data_done() via
napi_gro_receive(), but also allows the stack to build larger skbs on xmit
where the driver then segments them before encryption inside wg_xmit().
We've seen a 15% improvement in TCP stream performance.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 30 May 2025 12:38:17 +0000 (14:38 +0200)]
ruby: Update to version 3.4.4
- This v2 version keeps the CFLAGS line in place
- Update from version 3.4.1 to 3.4.4
- Update of rootfile
- Changelog
3.4.4
YJIT: Split the block on optimized getlocal/setlocal by k0kubun · Pull
Request #13331
Bug #21257: YJIT can generate infinite loop when OOM - Ruby - Ruby Issue
Tracking System
Bug #21286: Windows - MSYS2 just updated to GCC 15.1.0, builds failing -
Ruby - Ruby Issue Tracking System
Bug #21327: Windows builds seem broken after clock_gettime changes? -
Ruby - Ruby Issue Tracking System
Bug #21331: heap-use-after-free caused by rehash during
transform_values! - Ruby - Ruby Issue Tracking System
Bug #21289: Fix C level backtraces for USE_ELF - Ruby - Ruby Issue
Tracking System
3.4.3
Bug #21145: Prism accepts newlines in-between curly unicode escape -
Ruby - Ruby Issue Tracking System
Bug #21153: ::Foo ||= p 1 should parse - Ruby - Ruby Issue Tracking System
Bug #21030: Bug: #step with Range<ActiveSupport::Duration> behavior
broken on Ruby 3.4.1 - Ruby - Ruby Issue Tracking System
Bug #21131: IO.copy_stream: yielded string changes value when duped -
Ruby - Ruby Issue Tracking System
Feature #19521: Support for Module#name= and Class#name=. - Ruby - Ruby
Issue Tracking System
Bug #21159: Module#set_temporary_name should freeze given name - Ruby -
Ruby Issue Tracking System
Bug #21161: Crash when locale is set to Turkish tr_TR.UTF-8 - Ruby - Ruby
Issue Tracking System
Bug #21144: Win32: Use Windows time zone ID as the time zone name if TZ
is not set - Ruby - Ruby Issue Tracking System
Bug #21170: Corrupted Hash (bad VALUE and missing entry) when -1 returned
from .hash - Ruby - Ruby Issue Tracking System
Bug #21172: Race condition in register_fstring - Ruby - Ruby Issue
Tracking System
Bug #21163: Inconsistencies in Kernel.Float compared to other number
parsing methods - Ruby - Ruby Issue Tracking System
Bug #21173: RUBY_FREE_AT_EXIT does not work when error in -r - Ruby -
Ruby Issue Tracking System
Bug #21179: Introduction Happy Eyeballs Version 2 broke Socket.tcp from
secondary Ractors - Ruby - Ruby Issue Tracking System
Bug #19841: Marshal.dump stack overflow with recursive Time - Ruby - Ruby
Issue Tracking System
Bug #21180: SEGV while marking imemo_env->iseq - Ruby - Ruby Issue
Tracking System
Bug #21186: Inconsistent parsing of ?あand 0 - Ruby - Ruby Issue Tracking
System
Bug #21094: Module#set_temporary_name does not affect a name of a nested
module - Ruby - Ruby Issue Tracking System
Bug #21195: Crash when using IO#timeout - Ruby - Ruby Issue Tracking System
Bug #21196: Ruby 3.4 ignores visibility when passing arguments using ... -
Ruby - Ruby Issue Tracking System
Bug #21141: Time#utc? does not work with a timezone object - Ruby - Ruby
Issue Tracking System
Bug #21211: Incomplete Backtrace for Socket Errors in Ruby 3.4+ - Ruby -
Ruby Issue Tracking System
Bug #21197: Prism does not accept newline after defined? keyword - Ruby -
Ruby Issue Tracking System
Bug #21183: Ractor error with Prism::VERSION - Ruby - Ruby Issue Tracking
System
Bug #21217: Integer.sqrt produces wrong results even on input <= 1e18 -
Ruby - Ruby Issue Tracking System
Bug #21220: Memory corruption in update_line_coverage()
[write at index -1] - Ruby - Ruby Issue Tracking System
3.4.2
Bug #21024: Ruby including generates compilation warning with GCC 15,
header is deprecated in C++17,
Bug #21021: "try to mark T_NONE object" with 3.4.1
Bug #20997: YJIT panic assertion left == right failed: leave instruction
expects stack size 1, but was: 2
Bug #20981: rb_undefine_finalizer is missing
Bug #20989: Segmentation fault in Ripper when lexing /#{"\xcd"}/
Bug #21003: unexpected warning about ignored block
Bug #21002: Please include license information of turbo_tests
Bug #21001: unexpected nil result from proc with ensure and next
Bug #21010: Endless method definition of []= is SyntaxError in parse.y but
allowed in Prism
Bug #20992: eval(ascii_encoded_code) raises EncodingError when multibyte
local variable exists
Bug #21017: --with-parser=parse.y configure option does not work
Bug #21014: Prism doesn't set node_id on iseqs correctly
Bug #21027: not() receiver should be nil
Bug #20995: exception escapes block given to IO.popen("-") in child process
Bug #21008: Array#sum, Enumerator#sum, Numeric subclass
Bug #21044: Prism maximum recursion depth is 1_000, parse.y is 10_000
Bug #21031: Incompatibility with prism and parse.y when eval'ing unnamed
forwarding variables
Bug #21085: [BUG] Stack consistency error with -ne
Bug #21048: [Prism] rescue in modifier form with condition behaves
differently
Bug #21046: Backport: TLS fix for ARM64
Bug #21012: Compiling a['a','b'],=1 with parse.y fails
Bug #21038: Preserve errno in rb_fiber_scheduler_unblock
Bug #21032: Module#autoload? is slow when $LOAD_PATH contains a relative path
Bug #21092: error building ruby 3.4.1 on cygwin/msys2
Bug #21095: Prefer uname -n over hostname in tests.
Bug #21103: Binding problem with delegate methods
Bug #21088: TCPSocket.new raises Socket::ResolutionError instead of
Errno::ECONNREFUSED for hosts defined in /etc/hosts
Bug #21112: Typo in error message when an incorrect key is used with
WeakKeyMap
Bug #21117: Inconsistent behaviour between "_1" and "it" variables
Bug #21114: Prism hangs up while parsing deeply nested def
Bug #20984: ENV.inspect is not encoding aware
Bug #20982: Inconsistency between Hash#inspect and ENV.inspect in Ruby 3.4
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stephen Cuka [Thu, 29 May 2025 01:31:38 +0000 (19:31 -0600)]
manualpages: Fixbug13858 - Add doc link for Network/Aliases
- Add missing documentation link for 'Network/Aliases'.
Signed-off-by: Stephen Cuka <stephen@firemypi.org> Reviewed-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 24 May 2025 14:36:54 +0000 (16:36 +0200)]
vim: Update to version 9.1.1406
- Update from version 9.1.1153 to 9.1.1406
- Update of rootfile
- Changelog is not available. Generally each patch version number update is related to
a commit entry in the git repository. The details for all the commit changes can be
found at https://github.com/vim/vim/commits/master/
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Mon, 26 May 2025 18:28:00 +0000 (18:28 +0000)]
Core Update 196: Adjust existing IPsec connections using ML-KEM
This causes existing IPsec connections using ML-KEM to always use it in
conjunction with Curve 25519, in line with the changes dfa7cd2bbac3c746569368d70fefaf1ff4e1fed2
implements for newly configured IPsec connections.
Again, we can reasonably assume an IPsec peer supporting ML-KEM also
supports Curve 25519. In case such a peer does not support RFC 9370, and
the IPsec connection was created using our default ciphers, it will fall
back to Curve 448, Curve 25519, or any other traditional algorithm.
This patch will break existing IPsec connections only if they are
exclusively using ML-KEM (which means the IPFire user reconfigured them
manually using the "advanced connection settings" section in the WebUI),
and the IPsec peer is configured in the same manner, and/or is an IPFire
machine not yet updated to Core Update 196. Any other IPFire-to-IPFire
IPsec connection will continue working, potentially falling back to
Curve 448 or 25519 until both peers are updated to Core Update 196,
after which ML-KEM in conjunction with Curve 25519 will be used again.
The second version of this patch modifies IPFire's own configuration
file for IPsec connections, rather than applying these changes directly
to /etc/ipsec.conf, where they would have been overwritten by the next
WebUI change.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Mon, 26 May 2025 18:27:00 +0000 (18:27 +0000)]
vpnmain.cgi: Use ML-KEM only as a hybrid with Curve 25519
In commit 887778e0888d51eb9942ae310a43f6d2813efad3, the post-quantum
key exchange algorithm ML-KEM was introduced, due to its support being
added in strongSwan 6.0. However, using PQC key exchanges is commonly
recommended only in conjunction with a traditional one, to avoid
encrypted traffic becoming subject to trivial decryption in case a PQC
algorithm proves weak, broken, or backdoored. OpenSSH, for instance,
combines ML-KEM 768 with Curve 25519 (mlkem768x25519-sha256), rather
than using ML-KEM alone.
This patch changes the cipher suites offered for IPsec connections to
always use ML-KEM as a hybrid with Curve 25519. This is possible due to
strongSwan 6.0 having added support for IKE intermediary key exchanges
(RFC 9370); see https://docs.strongswan.org/docs/latest/config/proposals.html#_key_exchange_methods
for additional information.
We can reasonably assume an IPsec peer supporting ML-KEM will also
support Curve 25519, as this has been around for much longer, and is
used quite commonly. Even if this is not the case, or if the IPsec peer
does not implement RFC 9370, any IPsec connection using our default
cipher selection will fall back to Curve 448, Curve 25519, or other,
hence continue working.
IPsec connections already created will need their ciphers to be changed
once during the Core Update routine where this patch will be
incorporated.
Tested-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 23 May 2025 15:23:25 +0000 (15:23 +0000)]
dnsdist: Update to 1.9.10
We released PowerDNS DNSdist 1.9.10 today, fixing several bugs including a security issue tracked as CVE-2025-30193 where a remote, unauthenticated attacker can cause a denial of service via a crafted TCP connection. The issue was reported to us via our public IRC channel so once it was clear that the issue had a security impact we prepared to release a new version as soon as possible.
While we advise upgrading to a fixed version, a work-around is to temporarily restrict the number of queries that DNSdist is willing to accept over a single incoming TCP connection, via the setMaxTCPQueriesPerConnection directive. Setting it to 50 is a safe choice that does not impact performance in our tests.
Adolf Belka [Tue, 27 May 2025 14:25:10 +0000 (16:25 +0200)]
boost: Update to version 1.88.0
- Update from version 1.83.0 to 1.88.0
- Update of rootfiles for all architectures
- Changelogs are very large so urls provided for each release changelog
1.88.0
https://www.boost.org/releases/1.88.0/
1.87.0
https://www.boost.org/releases/1.87.0/
1.86.0
https://www.boost.org/releases/1.86.0/
1.85.0
https://www.boost.org/releases/1.85.0/
1.84.0
https://www.boost.org/releases/1.84.0/
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 25 May 2025 11:35:01 +0000 (13:35 +0200)]
index.cgi: Add wireguard status to home screen
- This fix adds a wireguard line to show when it is enabled.
- This fix does not show a table for any net2net connections that are enabled. I have
started working on that but as I only have an OpenVPN n2n connection in place, I can't
test out the copy of the ipsec n2n code section that I have made. I need to get ipsec
and wireguard n2n connections working first.
- If someone else wants to provide a patch for the wireguard n2n connections tables I have
no problems with that. If not then I will submit one when I have been able to test it.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
projects / people / ms / ipfire-2.x.git / log
