Michael Tremer [Mon, 21 Oct 2019 18:45:37 +0000 (20:45 +0200)]
QoS: Drop support for setting TOS bits per class
This is useless since no ISP will evaluate those settings
any more and it has a rather large impact on throughput.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
QoS: Use CONNMARK to mark connections in connection tracking
This patch modifies the connection tracking in such a way that
it sets a connection mark which will be retrieved when a packet
is being redirected to the IFB interface.
This way, we can use classification without having the packet
being sent through iptables first.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Mon, 21 Oct 2019 18:45:32 +0000 (20:45 +0200)]
QoS: Drop support for subclasses
This feature was never properly implemented and the UI was dead
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Mon, 21 Oct 2019 18:45:31 +0000 (20:45 +0200)]
QoS: Suppress an error message when cleaning up from previous runs
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Mon, 21 Oct 2019 18:45:30 +0000 (20:45 +0200)]
linux+iptables: Drop support for IMQ
This is no longer needed since we are using IFB now
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Mon, 21 Oct 2019 18:45:29 +0000 (20:45 +0200)]
QoS: Do not delete egress qdisc after classes have been created
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Mon, 21 Oct 2019 18:45:28 +0000 (20:45 +0200)]
QoS: Start qosd immediately
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Mon, 21 Oct 2019 18:45:27 +0000 (20:45 +0200)]
QoS: Tidy up qdiscs after QoS has been stopped
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Mon, 21 Oct 2019 18:45:26 +0000 (20:45 +0200)]
QoS: Use Intermediate Functional Block
This is an alternative implementation to the Intermediate Queuing
Device (IMQ) which is an out-of-tree kernel patch and has been
criticised for being slow, especially with multiple processors.
IFB is part of the mainline kernel and a lot less code.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Mon, 21 Oct 2019 18:45:25 +0000 (20:45 +0200)]
QoS: Do not manually load iptables modules
This should not be necessary and causes the script to
wait for two seconds.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Mon, 14 Oct 2019 17:11:37 +0000 (19:11 +0200)]
vpnmain.cgi+ovpnmain.cgi: Fix file upload with new versions of Perl
File uploads did not work since Perl was upgraded. This patch
fixes that problem by only checking if an object was returned
instead of performing a string comparison.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Mon, 14 Oct 2019 16:46:27 +0000 (16:46 +0000)]
QoS: Increase queue size and quantum for fq_codel
This optimises the QoS to process more bandwidth.
The limit variable sets the maximum number of packets in the
queue which was regularly exceeded on fast connections with
the old setting. This now allows up to 10G of data transfer
and is set to the default of fq_codel.
Quantum sets how many bytes can be read from the queue per
iteration. This is now set to the default again, which is
the size of an Ethernet frame including its header.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Mon, 14 Oct 2019 16:46:22 +0000 (16:46 +0000)]
QoS: Use CLASSIFY iptables target instead of MARK
We have been running into loads of conflicts by using MARK for
various components on the OS (suricata, IPsec, QoS, ...) which
was sometimes hard to resolve.
iptables comes with a target which directly sorts packets into
the correct class which results in less code and not using the
mark.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Mon, 14 Oct 2019 16:46:12 +0000 (16:46 +0000)]
QoS: Use Intermediate Functional Block
This is an alternative implementation to the Intermediate Queuing
Device (IMQ) which is an out-of-tree kernel patch and has been
criticised for being slow, especially with multiple processors.
IFB is part of the mainline kernel and a lot less code.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Fixes: #11851
Reported-by: Dani W <assgex@gmail.com>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Fixes: #11237
Reported-by: Tom Rymes <tomvend@rymes.com>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Cc: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Stefan Schantl [Fri, 11 Oct 2019 18:44:00 +0000 (20:44 +0200)]
ruleset-sources: Update snort dl urls.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Tim FitzGeorge [Fri, 11 Oct 2019 18:42:05 +0000 (19:42 +0100)]
Restart logging after restoring backup
Send SIGHUP to syslogd and suricata after restoring a backup. This ensures that,
if the restored backup includes log files, any new log messages get
appended to the restored log files. Otherwise they would be written to the
old log files, which are pending deletion.
httpd is told to restart using apachectl, which is the equivalent of sending
a signal. 'graceful' (USR1) is used rather than 'restart' (HUP) because the
latter immediately kills the process restoring the backup, preventing
converters from running.
Fixes: 12196
Signed-off-by: Tim FitzGeorge <ipfr@tfitzgeorge.me.uk>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Matthias Fischer [Sat, 12 Oct 2019 23:05:57 +0000 (01:05 +0200)]
dhcpcd: Update to 8.1.0
For details see:
https://roy.marples.name/blog/dhcpcd-8-1-0-released
"DragonFlyBSD: Improved rc.d handling
Fix carrier status after a route socket overflow
Allow domain spaced options
DHCP: Allow not sending Force Renew Nonce or Reconf Accept
IPv4LL: Now passes Apple Bonjour test versions 1.4 and 1.5
ARP: Fix a typo and remove pragma (thus working with old gcc)
DHCP6: Fix a cosmetic issue with infinite leases
DHCP6: SLA 0 and Prefix Len 0 will now add a delegated /64 address
Ignore some virtual interfaces such as Tap and Bridge by default
BPF: Move validation logic out of BPF and back into dhcpcd"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>