For details see:
https://mmonit.com/monit/changes/
New: Issue #715: The PostgreSQL protocol test has been improved and
now supports authentication with username, password and database
when testing connection. Example:
if failed port 5432
protocol pgsql username "username" password "12345" database "test"
then alert
Previous Monit versions used hardcoded credentials when testing
connection to postgresql (user=root and database=root). This could
trigger thousands of messages like this in the postgresql log:
root@root FATAL: password authentication failed for user "root"
root@root DETAIL: Role "root" does not exist.
Note: Monit will continue to use the hardcoded credentials (for
backward compatibility) unless username and password are set.
New: Issue #973: You can now test program output using a regular
expression. Syntax:
IF CONTENT [!]= <regex> THEN action
Example:
check program disk0_smart with path "/usr/sbin/nvme smart-log /dev/nvme0"
if content != "critical_warning[ ]+: 0" then alert
New: Issue #974: Monit CLI: Added support for the -g (group) option
to the report command. Example:
monit -g database report
Fixed: Issue #991 (Monit 5.28.1 regression): MacOS: Monit didn't
compile on MacOS 10.13 or older. Thanks to Lutz Mader.
Fixed: Issue #994 (Monit 5.28.1 regression): The check program
statement with every did not work properly.
Fixed: Issue #995: Monit start delay was vulnerable to time jumps
when Monit is waiting for the delay to pass. Thanks to Daniel Crowe.
Fixed: Issue #975: Monit CLI: Monit did not report a warning if -s,
-p, -l, -g or -c command-line options were specified multiple times
and silently used the last value only. Monit will generate a warning
now.
Fixed: Issue #972: Monit GUI: The log view had no size limit when
reading the Monit log file and could block the browser if the log
file was large.
Fixed: Issue #955: If more than one every statement is used in
a check-service context only the last value is (silently) used.
We now report a warning in this case.
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Tue, 28 Sep 2021 21:21:16 +0000 (23:21 +0200)]
shairport-sync: Update to version 3.3.8
- Update from 3.3.7 to 3.3.8
- Update of rootfile not required
- Changelog
Version 3.3.8
**Enhancements**
* Documentation for the MQTT interface. Many thanks to [minix1234](https://github.com/minix1234)!
**Bug Fixes**
* Fix a bug in the `alsa` back end. In the interval between checking that the alsa
device handle was non-`NULL` and actually using it, the handle could be set to
`NULL`. The interval between check and usage is now protected.
* Fix a bug in the `alsa` precision timing code. Thanks to
[durwin99](https://github.com/durwin99),
[Nicolas Da Mutten](https://github.com/cleverer),
[mistakenideas](https://github.com/mistakenideas),
[Ben Willmore](https://github.com/ben-willmore) and
[giggywithit](https://github.com/giggywithit) for the
[report](https://github.com/mikebrady/shairport-sync/issues/1158).
* Fix a bug that caused Shairport Sync to hang, but not actually crash, if an
`on-...` script failed.
* Fix a crash that occurred if metadata support is enabled during compilation but
turned off in the configuration file. Thanks to
[Tim Curtis](https://github.com/moodeaudio) for the report.
* Fix a crash that occurred playing from AirPower on Android. Thanks to
[Ircama](https://github.com/Ircama) for the report.
* Fix the configure.ac file so that `--without-<feature>` configuration options
are not interpreted as `--with-<feature>` options instead! Thanks to
[David Racine](https://github.com/bassdr) for the report.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Wed, 6 Oct 2021 13:48:35 +0000 (15:48 +0200)]
logwatch: mdadm status missing - Fix for Bug 12080
- Addition of mdadm module to logwatch
- Addition of logwatch to sudoers list to run mdadm commands
- patch to change logwatch mdadm.conf to allow scan for raid drives, change mdadm script
to run mdadm scan commands with sudo, allow clean but degraded drives to be listed
in the output.
Fixes: 12080 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Wed, 20 Oct 2021 20:28:43 +0000 (22:28 +0200)]
ghostscript: Update to version 9.55.0
- Update from 9.54 to 9.55.0
- Update rootfile
- Changelog
Version 9.55.0 (2021-09-27)
Highlights in this release include:
This release includes the fix for the %pipe% security issue (CVE-2021-3781).
New PDF Interpreter: This is an entirely new implementation written in C (rather
than PostScript, as before). For a full discussion of this change and reasons for
it see: Changes Coming to the PDF Interpreter.
In this (9.55.0) release, the new PDF interpreter is disabled by default in
Ghostscript, but can be used by specifying -dNEWPDF. We hope to make it the
default in 9.56.0, and fully deprecate the PostScript implementation shortly
after that (depending on the feedback we get).
This also allows us to offer a new executable (gpdf, or gpdfwin??.exe on Windows)
which is purely for PDF input. For this release, those new binaries are not
included in the "install" make targets, nor in the Windows installers (they will
be from 9.56.0 onwards).
We would ask that as many users as possible take the opportunity to test with the
new PDF implementation (i.e. using -dNEWPDF on your gs command line), and discuss
any problems with us, before the new implementation becomes the default.
The pdfwrite device now supports "passthrough" for JPX/JPG2000 data images (as
well as the already supported JPEG/DCT Encoded). That means that if no rescaling
or color conversion of the image data is required, the encoded/compressed image
data from the input file will be written unchanged to the output, preventing
potential image degradation caused by decompressing and recompressing.
The Ghostscript/GhostPDL demo apps for C, C#, Java and Python have all had
improvements and the C#/Java/Python language bindings have now been documented,
see Ghostscript Language Bindings
The Zugferd compliant PDF generating definitions (lib/zugferd.ps) have been
updated and expanded to support the current version (2.1.1) of the Zugferd spec,
and optionally different versions of the specification.
The PCL/m output devices now support Duplex/Tumble.
The internal support for "n-up" style simple imposition (introduced in 9.54.0) has
been extended and improved for better support across all input formats.
Ghostscript now supports object specific halftone - for example, different
halftones can be specified for text and images, reflecting the differing needs of
rendering those two types of object.
Our efforts in code hygiene and maintainability continue.
The usual round of bug fixes, compatibility changes, and incremental improvements.
(9.53.0) We have added the capability to build with the Tesseract OCR engine. In
such a build, new devices are available (pdfocr8/pdfocr24/pdfocr32) which render
the output file to an image, OCR that image, and output the image "wrapped" up as
a PDF file, with the OCR generated text information included as "invisible" text
(in PDF terms, text rendering mode 3).
Mainly due to time constraints, we only support including Tesseract from source
included in our release packages, and not linking to Tesseract/Leptonica shared
libraries. Whether we add this capability will be largely dependent on community
demand for the feature.
See Enabling OCR for more details.
For a list of open issues, or to report problems, please visit bugs.ghostscript.com.
Incompatible changes
(9.55.0) Changes to the device API. This will affect developers and maintainers of
Ghostscript devices. Firstly, and most importantly, the way device-specific
"procs" are specified has been rewritten to make it (we think!) clearer and less
confusing. See The Interface between Ghostscript and Device Drivers and The Great
Device Rework Of 2021 for more details.
(9.55.0) The command line options -sGraphicsICCProfile=___, -dGraphicsIntent=#,
-dGraphicsBlackPt=#, -dGraphicsKPreserve=# have been changed to
-sVectorICCProfile=___, -dVectorIntent=#, -dVectorBlackPt=#,
-dVectorKPreserve=#.
From 9.55.0 onwards, in recognition of how unwieldy very large HTML files can become
(History9.html had reached 8.1Mb!), we intend to only include the summary
highlights (above).
For anyone wanting the full details of the changes in a release, we ask them to look
at the history in our public git repository: ghostpdl-9.55.0 log.
If this change does not draw negative feedback, History?.htm file(s) will be removed
from the release archives.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Fri, 8 Oct 2021 13:43:49 +0000 (15:43 +0200)]
pcengines-apu-firmware: Update to version 4.14.0.4
- Update from 4.14.0.2 to 4.14.0.4
- Update of rootfile
- Changelog
v4.14.0.4 Release date: 2021-09-17
Changed:
Rebased with official coreboot repository commit d9f5d90
Enabled EHCI controller by default on apu3-apu6 platforms
Updated sortbootorder to v4.6.22
Added:
Safeguard against setting watchdog timeout too low
Known issues:
apuled driver doesn't work in FreeBSD. Check the GPIOs document for workaround.
Some PCIe cards are not detected on certain OSes and/or in certain mPCIe slots.
Check the mPCIe modules document for solution/workaround.
Booting with 2 USB 3.x sticks plugged in apu4 sometimes results in detecting
only 1 stick
Certain USB 3.x sticks happen to not appear in boot menu
Booting Xen is unstable
v4.14.0.3 Release date: 2021-08-06
Changed:
Rebased with official coreboot repository commit c049c80
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Sat, 25 Sep 2021 09:41:29 +0000 (11:41 +0200)]
update ca-certificates CA bundle
Update the CA certificates list to what Mozilla NSS ships currently.
The original file can be retrieved from:
https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Sat, 25 Sep 2021 07:07:58 +0000 (09:07 +0200)]
Tor: Enable syscall sandbox
This makes post-exploitation activities harder, in case the local Tor
instance has been compromised. It is worth noticing that Tor won't
respond to a "GETINFO address" command on the control port if sandboxed,
but our CGI does not make use of it, and neither is any legitimate
service on IPFire doing so.
Tested on a small middle relay running on an IPFire machine.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Sat, 11 Sep 2021 10:57:09 +0000 (12:57 +0200)]
krb5: Update to version 1.19.2
- Update from 1.19.1 to 1.19.2
- Update of rootfile not required
- Changelog
Major changes in 1.19.2 (2021-07-22)
This is a bug fix release.
* Fix a denial of service attack against the KDC encrypted challenge
code [CVE-2021-36222].
* Fix a memory leak when gss_inquire_cred() is called without a
credential handle.
krb5-1.19.2 changes by ticket ID
8989 Fix typo in enctypes.rst
8992 Avoid rand() in aes-gen test program
9005 Fix argument type errors on Windows
9006 doc build fails with Sphinx 4.0.2
9007 Fix KDC null deref on bad encrypted challenge
9014 Using locking in MEMORY krb5_cc_get_principal()
9015 Fix use-after-free during krad remote_shutdown()
9016 Memory leak in krb5_gss_inquire_cred
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Thu, 9 Sep 2021 11:53:30 +0000 (13:53 +0200)]
exfatprogs: Provide package to work with exfat formats
- Create lfs and rootfile
- Add exfatprogs to make.sh
- exfat is supported as a native kernel module since kernel 5.7
- This package requires CONFIG_EXFAT_FS=m to be set for the kernel module for each
architecture that will be supported. Currently that is only i586
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Wed, 8 Sep 2021 21:21:14 +0000 (23:21 +0200)]
dosfstools: Update to version 4.2
- Update from 3.0.9 (2013) to 4.2 (2021)
- Update rootfile
- Program names changed in version 2.0.18
dosfslabel became fatlabel
dosfsck became fsck.fat
and mkdosfs became mkfs.fat
- Added --enable-compat-symlinks to ./configure command to maintain original names as
symlinks
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Stefan Schantl [Mon, 18 Oct 2021 19:09:58 +0000 (21:09 +0200)]
pakfire.cgi: Implement logic to lock the page until pakfire has been fully launched.
When performing any action which requires pakfire, the page gets locked
with an message informing the user that pakfire is working. The page
will be reloaded when pakfire has been launched and is doing the
requested operation - showing the well known log output. This also
happens when pakfire has been launched via any kind of terminal or SSH
session and the CGI gets accessed.
Internally before pakfire gets started a variable called page_lock will
be set to lock the page. An while loop will keep the page locked until
pakfire is launched fully and has written it's lock_file.
This approach will prevent us from any kind of required time intervall
or race conditions.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Mon, 18 Oct 2021 20:36:02 +0000 (22:36 +0200)]
squid-asnbl: update to 0.2.3
Upstream commit 500b9137d0a9dd31e40f0d1effdba0aafeb94ca4 changes the
behaviour of this script in case of invalid or unresolvable FQDNs,
preventing Squid from eventually shutting down due to too many BH's per
time.
Since this allows (authenticated) users to run a DoS against the Squid
instance, it is considered to be security relevant.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Mon, 18 Oct 2021 10:10:22 +0000 (10:10 +0000)]
firewall: Keep REPEAT bit when saving rest to CONNMARK
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Tested-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Mon, 18 Oct 2021 10:10:21 +0000 (10:10 +0000)]
suricata: Introduce IPSBYPASS chain
NFQUEUE does not let the packet continue where it was processed, but
inserts it back into iptables at the start. That is why we need an
extra IPSBYPASS chain which has the following tasks:
* Make the BYPASS bit permanent for the entire connection
* Clear the REPEAT bit
The latter is more of cosmetic nature so that we can identify packets
that have come from suricata again and those which have bypassed the IPS
straight away.
The IPS_* chain will now only be sent traffic to, when none of the two
relevant bits has been set. Otherwise the packet has already been
processed by suricata in the first pass or suricata has decided to
bypass the connection.
This massively reduces load on the IPS which allows many common
connections (TLS connections with downloads) to bypass the IPS bringing
us back to line speed.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Tested-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Mon, 18 Oct 2021 10:10:20 +0000 (10:10 +0000)]
suricata: Store bypass flag in connmark and restore
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Tested-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Mon, 18 Oct 2021 10:10:19 +0000 (10:10 +0000)]
suricata: Add rule to skip IPS if a packet has the bypass bit set
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Tested-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Mon, 18 Oct 2021 10:10:18 +0000 (10:10 +0000)]
suricata: Always append rules instead of inserting them
This allows us to add rules in a consistent order like they are in the
script.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Tested-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Mon, 18 Oct 2021 10:10:17 +0000 (10:10 +0000)]
suricata: Enable bypassing unhandled streams
If a stream cannot be identified or if suricata has decided that it
cannot do anything useful any more (e.g. TLS sessions after the
handshake), we will allow suricata to bypass any following packets in
that flow
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Tested-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Mon, 18 Oct 2021 10:10:16 +0000 (10:10 +0000)]
suricata: Define bypass mark
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org> Tested-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Mon, 18 Oct 2021 10:10:15 +0000 (10:10 +0000)]
suricata: Rename MARK/MASK to REPEAT_MARK/REPEAT_MASK
This should avoid confusion when we add more marks
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org> Tested-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Mon, 18 Oct 2021 10:10:14 +0000 (10:10 +0000)]
suricata: Set most significant bit as repeat marker
I have no idea why some odd value was chosen here, but one bit should be
enough.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org> Tested-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Thu, 14 Oct 2021 13:26:30 +0000 (13:26 +0000)]
index.cgi: Remove left-over DNSSEC status warning
An error message is still shown although there is no option to disable
DNSSEC at the moment. The old marker file could still be present on
older machines.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Tue, 24 Aug 2021 10:34:53 +0000 (12:34 +0200)]
python: removal of python2 from IPFire
- Final patch for removal of python2 from IPFire. This can be implemented in an
appropriate Core Update after all other python2 related patches have been implemented
and confirmed working.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Acked-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Sun, 10 Oct 2021 19:43:14 +0000 (21:43 +0200)]
proxy.cgi: Remove option to show Squid's version entirely
There is no sense to display this to anybody, and we do not reveal
version information anywhere else on purpose. The IT staff knows which
version of IPFire they are running (hopefully the latest), and it's
none of the rest of the world's business.
Fixes: #12665 (in some way) Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Acked-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Sun, 10 Oct 2021 17:44:06 +0000 (19:44 +0200)]
langs: Add English and German translations for newly added web proxy features
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Sun, 10 Oct 2021 17:43:41 +0000 (19:43 +0200)]
proxy.cgi: Implement proactive Fast Flux detection and detection for selectively announced destinations
This patch adds two new features to IPFire's web proxy:
(a) Proactive Fast Flux detection
FQDNs are resolved to their IP addresses, which are then resolved to
corresponding Autonomous System Numbers using IPFire's location
database. Most destinations will scatter across a very low number of
ASNs (not to be confused with IP addresses!). FQDNs hosted on Fast
Flux setups have a significantly higher ASN diversity (5 is usually
a good threshold), so they can be proactively detected.
(b) Detection for selectively announced destinations
Especially in targeted operations, miscreants host FQDNs for
exfiltrating data or malware distributions on ASNs not announced
globally, but only to the intended victim or it's upstream ISPs.
That way, security researchers located in other parts of the
internet have no insights into these attacks, hence not being able
to publish listings or send take down notices for the domains used.
While RPKI made this attack harder, it can still be observed every
now and then.
This feature also protects against accessing FQDNs resolving to IP
addresses not being globally routeable, hence providing a trivial
mitigation for so-called "rebound attacks" - which we cannot filter
at DNS level currently.
The second version of this patch consumes the user-defined whitelist for
the URL filter (if present and populated) for the ASNBL helper as well,
to make exceptions for funny destinations such as fedoraproject.org
possible. In addition, the ASNBL helper's sanity tests no longer include
publicly routable IP addresses, so failures on location01 cannot brick
IPFire installations in the field.
Thanks to Michael Tremer and Adolf Belka for these suggestions.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Sun, 10 Oct 2021 17:43:18 +0000 (19:43 +0200)]
squid-asnbl: New package
This package adds an ASNBL helper for detecting Fast Flux setups and
selectively announced networks (i. e. FQDNs resolving to IP addresses
not being announced by an Autonomous System) to the distribution.
Afterwards, the helper script is located at /usr/bin/asnbl-helper.py .
The second version of this patch updates squid-asnbl to upstream version
0.2.2, improving logging in case of detected Fast Flux setups.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Sat, 9 Oct 2021 21:07:43 +0000 (23:07 +0200)]
client175: Removal of this package as it currently only works with python2
- Removal of the lfs, rootfile and initscript
- Removal of client175 entry in the make.sh file
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
For details see (2.49):
https://dlcdn.apache.org//httpd/CHANGES_2.4.49
For 2.51:
https://dlcdn.apache.org//httpd/CHANGES_2.4.51
"SECURITY: CVE-2021-42013: Path Traversal and Remote Code
Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete
fix of CVE-2021-41773) (cve.mitre.org)
It was found that the fix for CVE-2021-41773 in Apache HTTP
Server 2.4.50 was insufficient..."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Reviewed-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Mon, 4 Oct 2021 17:52:21 +0000 (18:52 +0100)]
QoS: Make outgoing packet processing use CONNMARK
This will significantly reduce the load when classifying outgoing
traffic as there won't be any overhead as soon as the connection has
been classified. The classficiation is being stored in the iptables MARK
which will be copied to CONNMARK if changed.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Mon, 4 Oct 2021 17:52:20 +0000 (18:52 +0100)]
QoS: Drop support for hardcoded ACK rules
This feature has to go in order to take advantage of CONNMARK which will
drastically decrease CPU load when passing packets.
We no longer will see every packet in the QOS-INC chain in order to
change classification of that packet. It is also party counter-intuitive
to have parts of one connection in one class and the corresponding ACK
packets in another.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Mon, 4 Oct 2021 17:52:18 +0000 (18:52 +0100)]
QoS: Use the two right hand bytes to mark packets
In order to not deal with any marks from NAT and the IPS, this patch
adds masks to all places where packets are being marked for individual
QoS classes.
Instead of being able to use the "fw" match in tc, we have to use the
u32 to apply the mask.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Mon, 4 Oct 2021 17:52:17 +0000 (18:52 +0100)]
firewall: Only check relevant bits for NAT fix rules
In order to use the highest two bits for surciata bypass, we will need
to make sure that whenever we compare any other marks, we do not care
about anything else.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Fri, 24 Sep 2021 09:14:50 +0000 (10:14 +0100)]
media.cgi: Fix parsing output of iostat
Since the last update of sysstat, the output of iostat has changed and
the web user interface showed wrong values.
This is now being fixed in this patch.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Acked-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Fri, 17 Sep 2021 11:42:29 +0000 (11:42 +0000)]
kernel: Enable all cgroups on all architectures
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Acked-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Fri, 17 Sep 2021 11:42:28 +0000 (11:42 +0000)]
kernel: Zero-init all stack variables by default
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Acked-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>