Adolf Belka [Thu, 21 Jan 2021 20:17:06 +0000 (21:17 +0100)]
iptables: Update to version 1.8.7
- Update from 1.8.6 to 1.8.7
Florian Westphal (4):
xtables-monitor: fix rule printing
xtables-monitor: fix packet family protocol
xtables-monitor: print packet first
xtables-monitor:
Pablo Neira Ayuso (2):
tests: shell: update format of registers in bitwise payloads.
configure: bump version for 1.8.7 release
Phil Sutter (21):
nft: Optimize class-based IP prefix matches
ebtables: Optimize masked MAC address matches
tests/shell: Add test for bitwise avoidance fixes
ebtables: Fix for broken chain renaming
iptables-test.py: Accept multiple test files on commandline
iptables-test.py: Try to unshare netns by default
libxtables: Extend MAC address printing/parsing support
xtables-arp: Don't use ARPT_INV_*
xshared: Merge some command option-related code
tests/shell: Test for fixed extension registration
extensions: dccp: Fix for DCCP type 'INVALID'
nft: Fix selective chain compatibility checks
nft: cache: Introduce nft_cache_add_chain()
nft: Implement nft_chain_foreach()
nft: cache: Move nft_chain_find() over
nft: Introduce struct nft_chain
nft: Introduce a dedicated base chain array
nft: cache: Sort custom chains by name
tests: shell: Drop any dump sorting in place
nft: Avoid pointless table/chain creation
tests/shell: Fix nft-only/0009-needless-bitwise_0
- Rootfile updated
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Sat, 16 Jan 2021 15:57:56 +0000 (16:57 +0100)]
logrotate: Update to 3.18.0
Excerpt from 'ChangeLog.md':
"## [3.18.0] - 2021-01-08
- allow UIDs and GIDs to be specified numerically (#217)
- add support for Zstandard compressed files (#355)
- make `delaycompress` not to fail with `rotate 0` (#341)"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 14 Jan 2021 18:37:11 +0000 (19:37 +0100)]
sudo: Upgrade to 1.9.5p1
- Upgrade sudo from 1.8.10p3 to 1.9.5p1
- Move sudo from legacy release (1.8) branch to stable release (1.9) branch
- Update rootfile
- Changelog available at https://www.sudo.ws/changes.html
- Tested out on vm testbed and sudo is working correctly
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 13 Jan 2021 11:12:03 +0000 (11:12 +0000)]
ssh: Ignore any errors when stopping daemon
The SSH init script only kills the main daemon which leads to any child
processes (for remaining connections) being untouched.
killproc returns 4 (unknown error) when not all processes were killed
which is not intended here. Therefore we ignore the error and do not
pause the shut down process for a minute.
Fixes: #12544 Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Giovanni Aneloni [Mon, 27 Apr 2020 22:23:57 +0000 (00:23 +0200)]
unbound: make local zone transparent
Change local zone to "transparent" instead of "typetransparent" to avoid NXDOMAIN when querying local hosts
Fixes: #12391 Signed-off-by: Giovanni Aneloni <giovanni.aneloni@live.com> Reviewed-by: Peter Müller <peter.mueller@ipfire.org> Acked-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Wed, 6 Jan 2021 14:18:27 +0000 (15:18 +0100)]
ddns.cgi: Make dealing with auth tokens more user-friendly.
If a provider supports authentication with a token, now
the username and password fields will be swapped by some
JavaScript code in favour of an input field for the token.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Jonatan Schlag [Wed, 6 Jan 2021 10:16:49 +0000 (10:16 +0000)]
unbound: keep probing when servers are down
Till now when a server was in the "blocking regime" there was one probe
made every 15 min, to see if this server is up again. In situations
where all servers were down (e.g. because of a massive package loss)
it could take up to 15 min to have a working dns again.
This patch changes this behaviour in a way that a server marked down is
probed every 2 min.
Fixes: #12557 Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 5 Jan 2021 14:20:57 +0000 (15:20 +0100)]
sshfs: Update to 3.7.1
- Update sshfs from 2.2 to 3.7.1
- Changelog is available at https://github.com/libfuse/sshfs/releases
- Build had to be changed from autotools to meson/ninja
- Change in rootfiles
Signed-off-by: Adolf Belka <ahb.ipfire@gmail.com> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 5 Jan 2021 14:21:19 +0000 (15:21 +0100)]
fuse: Update to 3.10.1
- Update fuse from 2.9.7 to 3.10.1
- Update also required by sshfs update
- Changelog is available at https://github.com/libfuse/libfuse/releases
- Build had to be changed from autotools to meson/ninja
- Rootfiles changed
- namespace conflict fix patch no longer required. Fix now built into kernel.h
Signed-off-by: Adolf Belka <ahb.ipfire@gmail.com> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 6 Jan 2021 13:43:27 +0000 (14:43 +0100)]
iptables: Update to 1.8.6
- Update from 1.8.5 to 1.8.6
- Changelog info
Arturo Borrero Gonzalez (1):
xtables-translate: don't fail if help was requested
Giuseppe Scrivano (1):
iptables: accept lock file name at runtime
Jan Engelhardt (2):
doc: document danger of applying REJECT to INVALID CTs
build: resolve iptables-apply not getting installed
Maciej Żenczykowski (1):
libxtables: compiler warning fixes for NO_SHARED_LIBS
Pablo Neira Ayuso (4):
extensions: libxt_conntrack: provide translation for DNAT and SNAT --ctstate
iptables: replace libnftnl table list by linux list
iptables-nft: fix basechain policy configuration
configure: bump version for 1.8.6 release
Phil Sutter (31):
xtables-restore: Fix verbose mode table flushing
build: Fix for failing 'make uninstall'
xtables-translate: Use proper clear_cs function
tests: shell: Add help output to run-tests.sh
nft: Make table creation purely implicit
nft: Be lazy when flushing
nft: cache: Drop duplicate chain check
nft: Drop pointless nft_xt_builtin_init() call
nft: Turn nft_chain_save() into a foreach-callback
nft: Use nft_chain_find() in two more places
nft: Reorder enum nft_table_type
nft: Eliminate table list from cache
nft: Fix command name in ip6tables error message
tests: shell: Merge and extend return codes test
xtables-monitor: Fix ip6tables rule printing
nft: Fix for ruleset flush while restoring
Makefile: Add missing man pages to CLEANFILES
nft: cache: Check consistency with NFT_CL_FAKE, too
nft: Extend use of nftnl_chain_list_foreach()
nft: Fold nftnl_rule_list_chain_save() into caller
nft: Use nft_chain_find() in nft_chain_builtin_init()
nft: Fix for broken address mask match detection
extensions: libipt_icmp: Fix translation of type 'any'
libxtables: Make sure extensions register in revision order
libxtables: Simplify pending extension registration
libxtables: Register multiple extensions in ascending order
nft: Make batch_add_chain() return the added batch object
nft: Fix error reporting for refreshed transactions
libiptc: Avoid gcc-10 zero-length array warning
nft: Fix for concurrent noflush restore calls
tests: shell: Improve concurrent noflush restore test a bit
- Rootfiles updated
Signed-off-by: Adolf Belka <ahb.ipfire@gmail.com> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 5 Jan 2021 17:35:16 +0000 (18:35 +0100)]
stunnel: Update to 5.57
- Update of stunnel from 5.56 to 5.57
- Changelog Version 5.57, 2020.10.11, urgency: HIGH
Security bugfixes
The "redirect" option was fixed to properly handle "verifyChain = yes" (thx to Rob Hoes).
OpenSSL DLLs updated to version 1.1.1h.
New features
New securityLevel configuration file option.
FIPS support for RHEL-based distributions.
Support for modern PostgreSQL clients (thx to Bram Geron).
Windows tooltip texts updated to mention "stunnel".
TLS 1.3 configuration updated for better compatibility.
Bugfixes
Fixed a transfer() loop bug.
Fixed memory leaks on configuration reloading errors.
DH/ECDH initialization restored for client sections.
Delay startup with systemd until network is online.
bin\libssp-0.dll removed when uninstalling.
A number of testing framework fixes and improvements.
- No change to rootfiles
Signed-off-by: Adolf Belka <ahb.ipfire@gmail.com> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 2 Jan 2021 12:54:45 +0000 (13:54 +0100)]
general-functions.pl: Update to fix bug #12428
- Patch of general-functions.pl for implementation of fix provided
by Bernhard Bitsch in bug #12428.
Had to be modified as that fix gave a failure for single character hostnames.
Updated version prevents spaces being put into hostnames and works for single
character hostnames
- Updated subroutine validfqdn to apply consistent rules for hostname & domain name
portions of fqdn
- Minor updates for consistency across validhostname, validdomainname & validfqdn
- Patch implemented into testbed system and confirmed working for hostnames, domain names
and FQDN's.
Signed-off-by: Adolf Belka <ahb.ipfire@gmail.com> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 27 Dec 2020 11:06:27 +0000 (12:06 +0100)]
bacula: Update to 9.6.7
- Update bacula from 9.6.6 to 9.6.7
This is a minor bug release
See https://sourceforge.net/projects/bacula/files/bacula/9.6.7/ReleaseNotes/
- This is the last of the version 9 series. The next update will be the version 11 series.
- Update of lfs and rootfiles
Signed-off-by: Adolf Belka <ahb.ipfire@gmail.com> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 27 Dec 2020 18:59:29 +0000 (19:59 +0100)]
iperf3: Update to version 3.9
- Update iperf3 from 3.7 to 3.9
- No changes to rootfiles
- Update patch file to remove pg flag
- Release notes from version 3.8 onwards:-
iperf 3.9 2020-08-17
--------------------
* Notable user-visible changes
* A --timestamps flag has been added, which prepends a timestamp to
each output line. An optional argument to this flag, which is a
format specification to strftime(3), allows for custom timestamp
formats (#909, #1028).
* A --server-bitrate-limit flag has been added as a server-side
command-line argument. It allows a server to enforce a maximum
throughput rate; client connections that specify a higher bitrate
or exceed this bitrate during a test will be terminated. The
bitrate is expressed in bits per second, with an optional trailing
slash and integer count that specifies an averaging interval over
which to enforce the limit (#999).
* A bug that caused increased CPU usage with the --bidir option has
been fixed (#1011).
* Notable developer-visible changes
* Fixed various minor memory leaks (#1023).
iperf 3.8.1 2020-06-10
----------------------
* Notable user-visible changes
* A regression with "make install", where the libiperf shared
library files were not getting installed, has been fixed (#1013 /
#1014).
iperf 3.8 2020-06-08
--------------------
* Notable user-visible changes
* Profiled libraries and binaries are no longer built by default
(#950).
* A minimal Dockerfile has been added (#824).
* A bug with burst mode and unlimited rate has been fixed (#898).
* Configuring with the --enable-static-bin flag will now cause
a statically-linked iperf3 binary to be built (#989).
* Configuring with the --without-sctp flag will now prevent SCTP
from being auto-detected (#1008). This flag allows building a
static binary (see above item) on a CentOS system with SCTP
installed, because no static SCTP libraries are available.
* Clock skew between the iperf3 client and server will no longer
skew the computation of jitter during UDP tests (#842 / #990).
* A possible buffer overflow in the authentication feature has been
fixed. This was only relevant when configuring authentication
using the libiperf3 API, and did not affect command-line usage.
Various other improvements and fixes in this area were also made
(#996).
* Notable developer-visible changes
* The embedded version of cJSON has been updated to 1.7.13 (#978).
* Some server authentication functions have been added to the API
(#911).
* API access has been added to the connection timeout parameter
(#1001).
* Tests for some authentication functions have been added.
* Various compiler errors and warnings have been fixed.
Signed-off-by: Adolf Belka <ahb.ipfire@gmail.com> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 27 Dec 2020 18:51:45 +0000 (19:51 +0100)]
iperf: Update to 2.0.14a
- Update from version 2.0.13 to 2.0.14a
- No change in rootfiles
- Release notes for change:-
o scaling improvements for -P, i.e. improved support for large numbers of traffic threads
o major code refactoring (see doc/DESIGN_NOTES) for maintainability, extensibility, performance, scaling, memory usage
o support for full duplex traffic using --full-duplex
o support for reverse traffic using --reverse
o support for role-reversal character of asterisk in the transfer id
o transfer id now an incrementing integer and no longer the socket id
o support for TCP connect only tests with --connect-only
o isochronous support compiled in by default, must use config to disable
o support --isochronous for both UDP or TCP traffic to simulate video streams
o use of clock_nanosleep when supported to schedule isochronous burst starts, otherwise use nanosleep delay
o support for --trip-times indicating the client and server clocks are synchronized to an accuracy sufficient, note: consider the use of precision time protocol as well as ask your data center to provide access to a GPS disciplined reference time source
o support for --trip-times with -d and -r bidirectional tests
o output TCP connect times (3WHS) in connect reports
o support for application level tcp connect retries via --connect-retries n
o rate-limited options of -b and --fq-rate supported for unidirectional, full duplex and reverse traffic
o reporter thread designed to automatically cause packet reports to aggregate - mitigating and hopefully removing thread thrashing
o support for frame or burst based reporting or sampling vs time based via -i [f|F] (experimental)
o support for UDP traffic only from client to server with --no-udp-fin
o support for write to read latencies (UDP and TCP) with --trip-times
o support for sum only outputs with --sum-only
o support for little's law calculations in --trip-time outputs
o support for --txstart-time <epoch-time> to schedule client traffic start, timestamp support microseconds, e.g. unix $(expr $(date +%s) + 1).$(date +%N)
o support for --txdelay-time to insert delay between TCP three way handshake (3WHS) and data transfer
o support for --no-connect-sync which disables transmit traffic start synchronization when -P is used, defaults to synchronized
o option of --full-duplex implementation uses a barrier on the client side to synchronize full duplex traffic
o no limits to group sum reports, i.e. all clients will get its own sum report per a server
o improved report timestamps, e.g. end to end or client and server based timestamps with --trip-times
o improved settings messaging
o improved messaging for --tcp-congestion or -Z
o re-implemented -U for single UDP server with minimal threading interactions
o re-implemented -1 or --singleclient where server will serialize traffic runs
o warning message if the test were likely CPU bound instead of network i/o bound
o fix the case when -P <value> is set on the server such that summing output is displayed
o multicast listener will autoset -U (single server), e.g -P > 1 not supported for multicast
o multicast listener no longer busy drops multicast packets during traffic test, i.e. only server thread receives them
o immediate bail out on mutually exclusive command line options
o fix -o or --output using freopen to redirect stdout and stderr to a file
o man page updates with examples
o tested with 1000's of traffic streams, WiFi, 10G and 100G
Signed-off-by: Adolf Belka <ahb.ipfire@gmail.com> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 26 Dec 2020 16:40:32 +0000 (17:40 +0100)]
procps: Update to 3.3.16
- update from 3.2.8 to 3.3.16
This is also an update from procps to procps-ng
The previous version was no longer being maintained.
- Added autogen.sh into lfs as it is needed to create the config script.
- Added libdir=/lib line into configure command as default is /usr/lib
- Added mv commands for kill, ps & sysctl to place them into the same locations
as the previous version of procps
- Moved lfsmake2 procps line to after pkg-config in make.sh
The autogen line requires autoconf, libtool, gettext and pkg-config
to be available so procps moved to after them.
- procps-3.2.8-fix_unknown_HZ_value.patch no longer required with new
version so removed.
- rootfile updated.
- libprocps library being maintained by the same people now maintaining this
version of procps.
- information on the releases from 3.3.13 to 3.3.16 available on
https://gitlab.com/procps-ng/procps/-/releases
Signed-off-by: Adolf Belka <ahb.ipfire@gmail.com> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Sat, 26 Dec 2020 17:09:23 +0000 (18:09 +0100)]
ninja: Allow to limit the parallel build processes.
When run, ninja normally runs a maximum number of processes in parallel.
By default this is the number of cores on the system plus two. In some cases this can
overheat a CPU or run a system out of memory. If run from the command line, passing a
-jN parameter will limit the number of parallel processes, but some packages embed the
execution of ninja and do not pass a -j parameter.
Using this optional procedure allows us to limit the number of parallel processes
via an environment variable, NINJAJOBS.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Thu, 24 Dec 2020 00:09:04 +0000 (01:09 +0100)]
Update (and cosmetic fixes) for 'pakfire.cgi': Added GUI entry for existing, but unused translation string
While preparing the Core153 update, I found by chance that a language string had been added from
Core152 to Core153 which I couldn't find in any CGI-file.
The translation suggested that this string ('Available Updates') could belong to 'pakfire.cgi'.
And I thought that on the pakfire GUI something was actually missing: the heading above the
box listing the 'Available Updates'. Don't know why I didn't see this before.
So tried to add this missing heading. I hope I made it right...
Some cosmetic fixes:
I also added some space around the text for 'Available Addons' and 'Installed Addons'
because the text lines weren't separated. There is no seen wordwrapping. This required deleting
some unwanted '<br />' in the affected translation strings.
I tried this about 4 years ago, but somehow this patch got lost.
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Thu, 24 Dec 2020 10:56:13 +0000 (11:56 +0100)]
country.cgi: Cosmetic fix for 'Back'-button
While testing Peter's patch for Bug #12560 I noticed that the standard 'back'-button
at the end of the page - like in 'ipinfo.cgi' - was implemented as a text string.
I just took the code segment with the 'back'-*image* from 'ipinfo.cgi' to make this
link look similar to the other pages.
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Wed, 23 Dec 2020 14:03:32 +0000 (15:03 +0100)]
libloc: update to 0.9.5 and backport fix for #12554
This patch updates libloc to 0.9.5, deletes the upstream patchset from
version 0.9.4, and includes a latest upstream patch to backport a fix
for #12554.
Cc: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>