Adolf Belka [Fri, 18 Feb 2022 14:32:39 +0000 (15:32 +0100)]
acct.en.pl: Update to use proxy accounting - Bug#12772
-Replace the variable names used for the accounting page with proxy accounting in a
consistent manner
- Tested on a vm system and confirmed to have a consistent naming approach now
Fixes: Bug#12772 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Fri, 18 Feb 2022 14:33:52 +0000 (15:33 +0100)]
accounting.cgi: Change some variables to alphanumeric - Bug#12777
- The Postcode in the address only allowed numeric postcodes. The Netherlands and Great
Britain are at lease two countries that use alphanumeric postcodes with spaces. Changed
the postcode check from numeric to alphanumeric.
- The Bank Code in the Providers details only allowed numeric Bank Codes. In Great Britain
the Bank Code, also known as the Sort Code is made up of three groups of digits separated
by a - .
- Adjusted the regex for the alphanumeric check to include a space and a - . The original
comment indicated that a - was allowed but it was not included in the regex.
- Tested on a vm system and confirmed that a postcode from The Netherlands and Great Britain
and a Sort Code from Breat Britain are now accepted.
Fixes: Bug#12777 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Matthias Fischer [Fri, 18 Feb 2022 17:13:35 +0000 (18:13 +0100)]
wpa_supplicant: Update to 2.10
For details see:
https://w1.fi/cgit/hostap/plain/wpa_supplicant/ChangeLog
"2022-01-16 - v2.10
* SAE changes
- improved protection against side channel attacks
[https://w1.fi/security/2022-1/]
- added support for the hash-to-element mechanism (sae_pwe=1 or
sae_pwe=2); this is currently disabled by default, but will likely
get enabled by default in the future
- fixed PMKSA caching with OKC
- added support for SAE-PK
* EAP-pwd changes
- improved protection against side channel attacks
[https://w1.fi/security/2022-1/]
* fixed P2P provision discovery processing of a specially constructed
invalid frame
[https://w1.fi/security/2021-1/]
* fixed P2P group information processing of a specially constructed
invalid frame
[https://w1.fi/security/2020-2/]
* fixed PMF disconnection protection bypass in AP mode
[https://w1.fi/security/2019-7/]
* added support for using OpenSSL 3.0
* increased the maximum number of EAP message exchanges (mainly to
support cases with very large certificates)
* fixed various issues in experimental support for EAP-TEAP peer
* added support for DPP release 2 (Wi-Fi Device Provisioning Protocol)
* a number of MKA/MACsec fixes and extensions
* added support for SAE (WPA3-Personal) AP mode configuration
* added P2P support for EDMG (IEEE 802.11ay) channels
* fixed EAP-FAST peer with TLS GCM/CCM ciphers
* improved throughput estimation and BSS selection
* dropped support for libnl 1.1
* added support for nl80211 control port for EAPOL frame TX/RX
* fixed OWE key derivation with groups 20 and 21; this breaks backwards
compatibility for these groups while the default group 19 remains
backwards compatible
* added support for Beacon protection
* added support for Extended Key ID for pairwise keys
* removed WEP support from the default build (CONFIG_WEP=y can be used
to enable it, if really needed)
* added a build option to remove TKIP support (CONFIG_NO_TKIP=y)
* added support for Transition Disable mechanism to allow the AP to
automatically disable transition mode to improve security
* extended D-Bus interface
* added support for PASN
* added a file-based backend for external password storage to allow
secret information to be moved away from the main configuration file
without requiring external tools
* added EAP-TLS peer support for TLS 1.3 (disabled by default for now)
* added support for SCS, MSCS, DSCP policy
* changed driver interface selection to default to automatic fallback
to other compiled in options
* a large number of other fixes, cleanup, and extensions"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Matthias Fischer [Fri, 18 Feb 2022 17:13:34 +0000 (18:13 +0100)]
hostapd: Update to 2.10
For details see:
https://w1.fi/cgit/hostap/plain/hostapd/ChangeLog
"2022-01-16 - v2.10
* SAE changes
- improved protection against side channel attacks
[https://w1.fi/security/2022-1/]
- added option send SAE Confirm immediately (sae_config_immediate=1)
after SAE Commit
- added support for the hash-to-element mechanism (sae_pwe=1 or
sae_pwe=2)
- fixed PMKSA caching with OKC
- added support for SAE-PK
* EAP-pwd changes
- improved protection against side channel attacks
[https://w1.fi/security/2022-1/]
* fixed WPS UPnP SUBSCRIBE handling of invalid operations
[https://w1.fi/security/2020-1/]
* fixed PMF disconnection protection bypass
[https://w1.fi/security/2019-7/]
* added support for using OpenSSL 3.0
* fixed various issues in experimental support for EAP-TEAP server
* added configuration (max_auth_rounds, max_auth_rounds_short) to
increase the maximum number of EAP message exchanges (mainly to
support cases with very large certificates) for the EAP server
* added support for DPP release 2 (Wi-Fi Device Provisioning Protocol)
* extended HE (IEEE 802.11ax) support, including 6 GHz support
* removed obsolete IAPP functionality
* fixed EAP-FAST server with TLS GCM/CCM ciphers
* dropped support for libnl 1.1
* added support for nl80211 control port for EAPOL frame TX/RX
* fixed OWE key derivation with groups 20 and 21; this breaks backwards
compatibility for these groups while the default group 19 remains
backwards compatible; owe_ptk_workaround=1 can be used to enabled a
a workaround for the group 20/21 backwards compatibility
* added support for Beacon protection
* added support for Extended Key ID for pairwise keys
* removed WEP support from the default build (CONFIG_WEP=y can be used
to enable it, if really needed)
* added a build option to remove TKIP support (CONFIG_NO_TKIP=y)
* added support for Transition Disable mechanism to allow the AP to
automatically disable transition mode to improve security
* added support for PASN
* added EAP-TLS server support for TLS 1.3 (disabled by default for now)
* a large number of other fixes, cleanup, and extensions"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Matthias Fischer [Thu, 17 Feb 2022 16:46:26 +0000 (17:46 +0100)]
bind: Update to 9.16.26
For details see:
https://downloads.isc.org/isc/bind9/9.16.26/doc/arm/html/notes.html#notes-for-bind-9-16-26
"Notes for BIND 9.16.26
Feature Changes
The DLZ API has been updated: EDNS Client-Subnet (ECS) options sent
by a client are now included in the client information sent to DLZ
modules when processing queries. [GL #3082]
Bug Fixes
Previously, recvmmsg support was enabled in libuv 1.35.0 and 1.36.0,
but not in libuv versions 1.37.0 or greater, reducing the maximum
query-response performance. This has been fixed. [GL #3095]
A failed view configuration during a named reconfiguration procedure
could cause inconsistencies in BIND internal structures, causing
a crash or other unexpected errors. This has been fixed. [GL #3060]
Previously, named logged a “quota reached” message when it hit its
hard quota on the number of connections. That message was
accidentally removed but has now been restored. [GL #3125]
Build errors were introduced in some DLZ modules due to an
incomplete change in the previous release. This has been fixed. [GL
#3111]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Adolf Belka [Sun, 6 Feb 2022 21:46:08 +0000 (22:46 +0100)]
make.sh: name all perl packages to start with perl
- Currently some perl packages start with perl, others don't have perl in the name
at all and one has perl at the end of the IPFire name.
- This patch series places perl at the start of all lfs and rootfile files for perl
packages in a similar way as is done for python3.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
I have a new add-on here which I use e.g. to bring partitions from mbr to gpt without data loss.
It is also well suited for rescuing broken partitions.
GPT fdisk (consisting of the gdisk, cgdisk, sgdisk, and fixparts programs) is a set of text-mode partitioning tools for Linux,
FreeBSD, Mac OS X, and Windows.
The gdisk, cgdisk, and sgdisk programs work on Globally Unique Identifier (GUID) Partition Table (GPT) disks,
rather than on the older (and once more common) Master Boot Record (MBR) partition tables.
The fixparts program repairs certain types of damage to MBR disks and enables changing partition types from
primary to logical and vice-versa.
Signed-off-by: Marcel Follert (Smooky) <smooky@v16.de> Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
Matthias Fischer [Sat, 12 Feb 2022 17:16:20 +0000 (18:16 +0100)]
squid: Update from 5.2 => 5.4.1
For details see:
http://www.squid-cache.org/Versions/v5/changesets/SQUID_5_4_1.html
This is 'squid 5.4.1', containing the previous patch for Bug #5055.
Prior to this patch I reverted my previous patches 'squid: Update 5.2 => 5.4" and
'squid 5.4: Latest patch - Bug #5055 - from upstream' and marked them as
'superseded' in patchwork.
For a better overview the 'squid-gcc11'-patch has been renamed again and moved
to an own squid-patch-directory.
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Stefan Schantl [Mon, 14 Feb 2022 19:08:53 +0000 (20:08 +0100)]
xtables-addons: Drop package.
None of the provided modules are in use, so this package
safely can be dropped.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org> Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Mon, 14 Feb 2022 19:03:07 +0000 (20:03 +0100)]
firewall.menu: Drop entry for P2P-Block.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org> Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Mon, 14 Feb 2022 19:03:06 +0000 (20:03 +0100)]
p2p-block.cgi: Drop CGI.
The support for creating P2P based rules has been removed from the
firewall. So this CGI file is not longer needed.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org> Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Mon, 14 Feb 2022 19:03:05 +0000 (20:03 +0100)]
configroot: Drop config file for p2protocols.
The support for creating P2P based rules has been removed from the
firewall. So this file is not longer needed.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org> Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Mon, 14 Feb 2022 19:03:04 +0000 (20:03 +0100)]
firewall: Drop support for blocking P2P protocols.
The main P2P (peer-to-peer) aera has passed for several year now, so
this kind of feature is realy out-dated.
The feature only supports a handfull of P2P protocols (mostly unencrypted)
for applications, which have been superseeded by various other
applications and protocols.
So, this fairly is not longer required and safely can be dropped.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Acked-by: Peter Müller <peter.mueller@ipfire.org> Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Mon, 14 Feb 2022 18:42:56 +0000 (19:42 +0100)]
libloc: Export DB in ipset compatible format.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Mon, 14 Feb 2022 18:42:54 +0000 (19:42 +0100)]
rules.pl: Check if an ipset db file exists before call to restore it.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Mon, 14 Feb 2022 18:42:53 +0000 (19:42 +0100)]
rules.pl: Do not try to restore the same ipset multiple times.
When an ipset list get restored, this now will be documented in a hash
and this hash also will be checked before restoring a list if this has
not be done previously.
This will prevent from restoring the same list multiple times.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Stefan Schantl [Mon, 14 Feb 2022 18:42:52 +0000 (19:42 +0100)]
update-location-database: Export database to ipset compatible format now.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Mon, 14 Feb 2022 18:42:51 +0000 (19:42 +0100)]
rules.pl: Move to ipset based data for location based firewall rules.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Mon, 14 Feb 2022 18:42:50 +0000 (19:42 +0100)]
rules.pl: Move to ipset based data for LOCATIONBLOCK feature.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Mon, 14 Feb 2022 18:42:49 +0000 (19:42 +0100)]
rules.pl: Add tiny ipset_restore function.
This helper function is used to load a previously exported list of
networks for a given country code into the ipset module, so it can be
used for any kind of firewall rules.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Mon, 14 Feb 2022 18:42:47 +0000 (19:42 +0100)]
rules.pl: Move flush of LOCATIONBLOCK into main flush() function.
It is required to get rid of all ipset based rules before all of
the loaded ipset lists can be destroyed.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 15 Feb 2022 09:36:18 +0000 (10:36 +0100)]
gdbm: Update to version 1.23
- Update from 1.20 to 1.23
- Update of rootfile not required
- Changelog
Version 1.23, 2022-02-04
* Bucket cache switched from balanced tree to hash table
Change suggested by Terence Kelly.
* Speed up flushing the changed buckets on disk
* New option codes for gdbm_setopt
** GDBM_GETDBFORMAT
Return the database format.
** GDBM_GETDIRDEPTH
Return the directory depth, i.e. the number of initial (most significant)
bits in hash value that are interpreted as index to the directory.
** GDBM_GETBUCKETSIZE
Return maximum number of keys per bucket.
** GDBM_GETCACHEAUTO
Return the status of the automatic cache adjustment.
** GDBM_SETCACHEAUTO
Enable or disable automatic cache adjustment.
Version 1.22, 2021-10-19
* Fix file header validation
* Fix key verification in sequential access
* Fix testing with DejaGNU 1.6.3
* Fix stack overflow in print_usage
* Fix a leak of avail entry on pushing a new avail block
The leak would occur if the original avail table had odd number of entries.
* New gdbmtool variables: errorexit, errormask, trace, timing
"Errorexit" and "errormask" control which GDBM errors would cause the
program termination and emitting a diagnostic message,
correspondingly. Both variables are comma-delimited lists of error
codes.
The "trace" variable enables tracing of the gdbmtool commands.
The "timing" variable, when set, instructs gdbmtool to print time
spent in each command it runs.
* New gdbmtool options: -t (--trace), and -T (--timing)
Version 1.21, 2021-09-02
* Crash tolerance
By default it is possible for an abrupt crash (e.g., power failure,
OS kernel panic, or application process crash) to corrupt the gdbm
database file. A new Linux-only mechanism enables applications to
recover the database state corresponding to the most recent
successful gdbm_sync() call before the crash. See the chapter 17
"Crash Tolerance" in the GDBM manual.
* New database file format: numsync
The new "numsync" database format is designed to better support
crash tolerance. To create a database in numsync format, the gdbm_open
(or gdbm_fd_open) function must be given the GDBM_NEWDB|GDBM_NUMSYNC
flags. The GDBM_NUMSYNC flag also takes effect when used together
with GDBM_WRCREAT, provided that the new file is created.
New function gdbm_convert() is provided for converting the databases
from standard GDBM format to numsync and vice versa.
The gdbmtool tool can also be used for converting databases between
these two formats.
* Changes in gdbmtool
** Fix string output in non-ASCII encodings
Printable multi-byte sequences are correctly represented on output.
This also fixes octal representation of unprintable characters.
** The filename variable
This variable supplies the name of database file for use in "open"
command, if the latter is called without arguments. If "open" is
called with the file name argument, the "filename" variable is
initialized to this value.
** The fd variable
If set, its value must be an open file descriptor referring to a
GDBM database file. The "open" command will use gdbm_fd_open
function to use this file. Upon closing the database, this
descriptor will be closed and the variable will be unset.
The file descriptor to use can also be supplied using the
-d (--db-descriptor) command line option.
** The format variable
Defines the format in which new databases will be created. Allowed
values are: "standard" (default) and "numsync".
** New commands: upgrade and downgrade
The "upgrade" command converts current database to the numsync
(extended) format. The "downgrade" command converts current database
to the standard format.
** New command: snapshot
The "snapshot" command is part of the new crash tolerance support.
Given the names of two snapshot files, it analyzes them and selects
the one to be used for database recovery. See the GDBM manual,
section 17.5 "Manual crash recovery" for a detailed discussion of its
use.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Michael Tremer [Tue, 15 Feb 2022 13:40:27 +0000 (13:40 +0000)]
ovpnclients.dat: Fix adjusting input dates
This patch changes that we no longer interpret any dates put in by the
user as UTC. They used to be converted into localtime because, although
they have already been in local time.
This went unnoticed since in Europe we are close (enough) to UTC that
there is no significant discrepancy on the report. However, being in
North America is enough to generate confusing reports.
Reported-by: Paul <kairis@gmail.com> Fixes: #12768 Tested-by: Jon Murphy <jon.murphy@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 15 Feb 2022 09:36:56 +0000 (10:36 +0100)]
libarchive: Update to version 3.6.0
- Update from 3.5.2 to 3.6.0
- Update of rootfile
- Changelog
Libarchive 3.6.0 is a feature and bugfix release.
New features:
tar: new option "--no-read-sparse" (#1614)
tar: threads support for zstd (#1567)
RAR reader: filter support (#1503)
RAR5 reader: self-extracting archive support (#1585)
ZIP reader: zstd decompression support (#1518)
Other notable bugfixes and improvements:
tar: respect "--ignore-zeros" in c, r and u modes (#1620)
reduced size of application binaries (#1625)
internal code optimizations
Libarchive 3.5.3 is a security release
Security Fixes:
extended fix for following symlinks when processing the fixup list
(#1566, #1617, CVE-2021-31566)
fix invalid memory access and out of bounds read in RAR5 reader
(#1491, #1492, #1493, CVE-2021-36976)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Adolf Belka [Tue, 15 Feb 2022 09:37:13 +0000 (10:37 +0100)]
stunnel: Update to version 5.62
- Update from 5.58 to 5.62
- Update of rootfile
- Changelog
### Version 5.62, 2022.01.17, urgency: MEDIUM
* New features
- Added a bash completion script.
* Bugfixes
- Fixed a transfer() loop bug.
### Version 5.61, 2021.12.22, urgency: LOW
* New features sponsored by the University of Maryland
- Added new "protocol = capwin" and "protocol = capwinctrl"
configuration file options.
* New features for the Windows platform
- Added client mode allowing authenticated users to view
logs, reconfigure and terminate running stunnel services.
- Added support for multiple GUI and service instances
distinguised by the location of stunnel.conf.
- Improved log window scrolling.
- Added a new 'Pause auto-scroll' GUI checkbox.
- Double click on the icon tray replaced with single click.
- OpenSSL DLLs updated to version 3.0.1.
* Other new features
- Rewritten the testing framework in python (thx to
Peter Pentchev for inspiration and initial framework).
- Added support for missing SSL_set_options() values.
- Updated stunnel.spec to support RHEL8.
* Bugfixes
- Fixed OpenSSL 3.0 build.
- Fixed reloading configuration with
"systemctl reload stunnel.service".
- Fixed incorrect messages logged for OpenSSL errors.
- Fixed printing IPv6 socket option defaults on FreeBSD.
### Version 5.60, 2021.08.16, urgency: LOW
* New features
- New 'sessionResume' service-level option to allow
or disallow session resumption
- Added support for the new SSL_set_options() values.
- Download fresh ca-certs.pem for each new release.
* Bugfixes
- Fixed 'redirect' with 'protocol'. This combination is
not supported by 'smtp', 'pop3' and 'imap' protocols.
- Enforced minimum WIN32 log window size.
- Fixed support for password-protected private keys with
OpenSSL 3.0 (thx to Dmitry Belyavskiy).
### Version 5.59, 2021.04.05, urgency: HIGH
* Security bugfixes
- OpenSSL DLLs updated to version 1.1.1k.
* New features
- Client-side "protocol = ldap" support (thx to Bart
Dopheide and Seth Grover).
* Bugfixes
- The test suite fixed not to require external connectivity.
- Fixed paths in generated manuals (thx to Tatsuki Makino).
- Fixed configuration reload when compression is used.
- Fixed compilation with early releases of OpenSSL 1.1.1.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Adolf Belka [Wed, 9 Feb 2022 21:29:01 +0000 (22:29 +0100)]
lcms2: Update to version 2.13.1
- Update from 2.12 to 2.13.1
- Update of rootfile
- Changelog
2.13.1 Hot fix
Fix for pure white going gray in grayscale transforms.
2.13 Featured release
Added support for premultiplied alpha
tifficc can now handle alpha channels, both unassociated and premultiplied
Better documentation
CGATS parser can now deal with very long strings
Added Projects for Visual Studio 2020
Travis CI discontinued, GitHub actions used instead
Added a very preliminar meson build script (thanks to xclaesse)
Added ARM64 target to visual studio 2019 (thanks to gaborkertesz-linaro)
Added thread safe code to get time
Added automatic linear space detection
Added cmsGetStageContextID function
Added cmsDetectRGBProfileGamma function
configure now accepts --without-fastfloat to turn plugin off
autogen.sh has now a --distclean toggle to get rid of all autotools generated files
Checked to work on STM32 Cortex-A, Cortex-M families
Bug & typos fixing (thanks to many reporters and contributors)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- Update from 2.30 (2011) to 20220207
- Update of rootfile not required
- After version 2.30 the files from iana are no longer versioned. A git repository is
available (also used by LFS) which creates the required files by an automated script.
So the lfs just needs to copy across the services and protocols files to /etc
- There is no Changelog
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Sat, 12 Feb 2022 17:16:20 +0000 (18:16 +0100)]
squid: Update from 5.2 => 5.4.1
For details see:
http://www.squid-cache.org/Versions/v5/changesets/SQUID_5_4_1.html
This is 'squid 5.4.1', containing the previous patch for Bug #5055.
Prior to this patch I reverted my previous patches 'squid: Update 5.2 => 5.4" and
'squid 5.4: Latest patch - Bug #5055 - from upstream' and marked them as
'superseded' in patchwork.
For a better overview the 'squid-gcc11'-patch has been renamed again and moved
to an own squid-patch-directory.
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
firewall: Revert strict martian check on loopback interface
If the firewall is talking to itself using one of its private IP
addresses (e.g. the primary green interface IP address), it will use the
loopback interface.
This is due to the local routing table which will be looked up first:
[root@ipfire ~]# ip rule
0: from all lookup local
128: from all lookup 220
220: from all lookup 220
32765: from all lookup static
32766: from all lookup main
32767: from all lookup default
It contains:
[root@ipfire ~]# ip route show table local
local 8x.1x.1x.1x dev ppp0 proto kernel scope host src 8x.1x.1x.1x
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
local 192.168.x.1 dev green0 proto kernel scope host src 192.168.x.1
broadcast 192.168.x.255 dev green0 proto kernel scope link src 192.168.x.1
Any lookup for the green IP address will show this:
local 192.168.x.1 dev lo table local src 192.168.x.1 uid 0
cache <local>
A test ping shows this in tcpdump:
[root@ipfire ~]# tcpdump -i any icmp -nn
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
17:24:22.864293 lo In IP 127.0.0.1 > 127.0.0.1: ICMP echo request, id 10420, seq 1, length 64
17:24:22.864422 lo In IP 127.0.0.1 > 127.0.0.1: ICMP echo reply, id 10420, seq 1, length 64
17:24:29.162021 lo In IP 192.168.x.1 > 192.168.x.1: ICMP echo request, id 1555, seq 1, length 64
17:24:29.162201 lo In IP 192.168.x.1 > 192.168.x.1: ICMP echo reply, id 1555, seq 1, length 64
For this reason, we will have to accept any source and destination IP
address on the loopback interface, which is what this patch does.
We can however, continue to check whether we received any packets with
the loopback address on any other interface.
This regression was introduced in commit a36cd34e.
Fixes: #12776 - New spoofed or martian filter block Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
firewall: Revert strict martian check on loopback interface
If the firewall is talking to itself using one of its private IP
addresses (e.g. the primary green interface IP address), it will use the
loopback interface.
This is due to the local routing table which will be looked up first:
[root@ipfire ~]# ip rule
0: from all lookup local
128: from all lookup 220
220: from all lookup 220
32765: from all lookup static
32766: from all lookup main
32767: from all lookup default
It contains:
[root@ipfire ~]# ip route show table local
local 8x.1x.1x.1x dev ppp0 proto kernel scope host src 8x.1x.1x.1x
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
local 192.168.x.1 dev green0 proto kernel scope host src 192.168.x.1
broadcast 192.168.x.255 dev green0 proto kernel scope link src 192.168.x.1
Any lookup for the green IP address will show this:
local 192.168.x.1 dev lo table local src 192.168.x.1 uid 0
cache <local>
A test ping shows this in tcpdump:
[root@ipfire ~]# tcpdump -i any icmp -nn
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
17:24:22.864293 lo In IP 127.0.0.1 > 127.0.0.1: ICMP echo request, id 10420, seq 1, length 64
17:24:22.864422 lo In IP 127.0.0.1 > 127.0.0.1: ICMP echo reply, id 10420, seq 1, length 64
17:24:29.162021 lo In IP 192.168.x.1 > 192.168.x.1: ICMP echo request, id 1555, seq 1, length 64
17:24:29.162201 lo In IP 192.168.x.1 > 192.168.x.1: ICMP echo reply, id 1555, seq 1, length 64
For this reason, we will have to accept any source and destination IP
address on the loopback interface, which is what this patch does.
We can however, continue to check whether we received any packets with
the loopback address on any other interface.
This regression was introduced in commit a36cd34e.
Fixes: #12776 - New spoofed or martian filter block Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Matthias Fischer [Sat, 12 Feb 2022 13:21:13 +0000 (14:21 +0100)]
nano: Update to 6.1
For details see:
https://www.nano-editor.org/news.php
"The behavior of ^K at a prompt has been enhanced: when there
is text after the cursor, just this text is erased. (In the usual
situation, however, when the cursor is at the end of the answer,
the behavior is as before: the whole answer is erased.)
At a prompt, M-6 copies the current answer into the cutbuffer.
Large external pastes into nano are handled more quickly."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>