git.ipfire.org Git - people/mfischer/ipfire-2.x.git/log
Michael Tremer [Sat, 2 Mar 2019 13:24:44 +0000 (13:24 +0000)]
spectre-meltdown-checker: New package
This makes it easy to install the script and check the vulnerability status
of a system IPFire is running on.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sat, 2 Mar 2019 13:01:42 +0000 (13:01 +0000)]
binutils: Ship strings & readelf
This is needed by the spectre meltdown checker script
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sat, 2 Mar 2019 12:01:06 +0000 (12:01 +0000)]
Update German translation
Mainly adds translation for new IPsec features
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stéphane Pautrel [Sat, 2 Mar 2019 11:48:05 +0000 (11:48 +0000)]
Update of French translation
- Several syntax / vocabulary improvements
- A 2 text missing in the French version
- Improvement of text offering a donation for the users
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 27 Feb 2019 03:52:26 +0000 (03:52 +0000)]
Update openssl rootfile
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 26 Feb 2019 17:25:11 +0000 (17:25 +0000)]
core129: Ship updated OpenSSL
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 26 Feb 2019 16:42:49 +0000 (16:42 +0000)]
openssl: Update to 1.1.1b
This is a bug fix only release
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 25 Feb 2019 02:31:23 +0000 (02:31 +0000)]
core129: Ship updated credits.cgi
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 25 Feb 2019 02:30:56 +0000 (02:30 +0000)]
Update list of contributors
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 25 Feb 2019 02:29:29 +0000 (02:29 +0000)]
core129: Ship updated OpenVPN
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Erik Kapfer [Tue, 26 Feb 2019 10:56:47 +0000 (11:56 +0100)]
OpenVPN: Update to version 2.4.7
Changelog can be found here: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Sat, 23 Feb 2019 16:54:00 +0000 (16:54 +0000)]
update Tor to 0.3.5.8
See https://blog.torproject.org/new-releases-tor-0402-alpha-0358-03411-and-03312
for release notes.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Sat, 23 Feb 2019 16:54:00 +0000 (16:54 +0000)]
update metrics links in Tor WebUI
https://atlas.torproject.org/ is deprecated in favour of
https://metrics.torproject.org/ by now.
Fixes #11781.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 25 Feb 2019 00:58:04 +0000 (00:58 +0000)]
core129: Ship updated libgcrypt
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Sat, 23 Feb 2019 16:58:00 +0000 (16:58 +0000)]
libgcrypt: update to 1.8.4
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 25 Feb 2019 00:56:49 +0000 (00:56 +0000)]
core129: Ship updated unbound
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Sat, 9 Feb 2019 09:40:36 +0000 (10:40 +0100)]
unbound: Update to 1.9.0
For details see:
https://nlnetlabs.nl/svn/unbound/tags/release-1.9.0/doc/Changelog
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 25 Feb 2019 00:55:31 +0000 (00:55 +0000)]
core129: Ship changes from ipsec branch
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 25 Feb 2019 00:48:08 +0000 (00:48 +0000)]
Merge branch 'ipsec' into next
Michael Tremer [Mon, 25 Feb 2019 00:47:28 +0000 (00:47 +0000)]
Start Core Update 129
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sun, 24 Feb 2019 11:45:55 +0000 (11:45 +0000)]
Add script to search for missing libraries
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sun, 24 Feb 2019 04:06:52 +0000 (04:06 +0000)]
core128: Drop old openssl engines
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sun, 24 Feb 2019 04:04:51 +0000 (04:04 +0000)]
cups: Depends on bluetooth library
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Arne Fitzenreiter [Sun, 24 Feb 2019 19:50:16 +0000 (20:50 +0100)]
core128: add openldap to update
openldap was linked against old openssl lib
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Sun, 24 Feb 2019 16:04:44 +0000 (17:04 +0100)]
core128: add sse2 openssl libs
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Sun, 24 Feb 2019 09:55:49 +0000 (10:55 +0100)]
core128: apply local sshd config
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Sat, 23 Feb 2019 14:56:21 +0000 (15:56 +0100)]
kernel: update to 4.14.103
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Fri, 22 Feb 2019 20:33:45 +0000 (21:33 +0100)]
core128: finish core128
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Fri, 22 Feb 2019 20:20:57 +0000 (21:20 +0100)]
kernel: import cve-2019-8912 patch
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Fri, 22 Feb 2019 18:26:08 +0000 (19:26 +0100)]
core128: stop apache before replacing files
apache will not restart without being stopped before
the files were replaced.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Fri, 22 Feb 2019 17:02:45 +0000 (18:02 +0100)]
kernel: apu leds: add more id's
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Fri, 22 Feb 2019 17:01:18 +0000 (18:01 +0100)]
partresize: add "apu1" for apus with new bios.
Arne Fitzenreiter [Thu, 21 Feb 2019 18:23:05 +0000 (19:23 +0100)]
core128: add kernel to updater
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Thu, 21 Feb 2019 18:13:27 +0000 (19:13 +0100)]
kernel: cleanup unused rpi patch
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Thu, 21 Feb 2019 09:50:15 +0000 (10:50 +0100)]
kernel: update to 4.14.102
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Tue, 19 Feb 2019 12:48:12 +0000 (13:48 +0100)]
partresize: enable serial console on PC Engines APU
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Tue, 19 Feb 2019 00:04:19 +0000 (01:04 +0100)]
kernel: update apu led patch for apu3 and 4
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Sun, 17 Feb 2019 13:46:51 +0000 (13:46 +0000)]
unbound: Drop certificates for local control connection
These are a cause of worry because they are sometimes generated with
an invalid timestamp and therefore render unbound unusable.
There is no strong reason to use self-signed certificates for extra
security here.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Sun, 10 Feb 2019 19:21:22 +0000 (20:21 +0100)]
Added 'CONFIG_X86_MSR=y' for 'powertop' to i586 and x86_64 builds for fixing #11997
Triggered by:
https://forum.ipfire.org/viewtopic.php?f=69&t=22274
This - probably - fixes Bug #11997.
Needs testing on 64bit installations!
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Rob Brewer [Wed, 13 Feb 2019 22:49:11 +0000 (22:49 +0000)]
Fix ownership of sendEmail script
The script used to be owned by a non-privileged user and it should
just be owned by root.root like any other binary.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Arne Fitzenreiter [Sat, 16 Feb 2019 21:49:47 +0000 (22:49 +0100)]
borgbackup: fix build on armv5tel
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Sat, 16 Feb 2019 20:40:50 +0000 (21:40 +0100)]
kernel: enable PCA953X GPIO extender for ClearFog boards
fixes: #12000
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Fri, 15 Feb 2019 16:46:54 +0000 (17:46 +0100)]
kernel: update to 4.14.101
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Wed, 13 Feb 2019 11:32:00 +0000 (11:32 +0000)]
core128: Ship kdig
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Erik Kapfer [Sat, 9 Feb 2019 07:41:15 +0000 (08:41 +0100)]
knot: Reduced version of knot with kdig only
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 13 Feb 2019 11:31:24 +0000 (11:31 +0000)]
core128: Ship libedit
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Erik Kapfer [Sat, 9 Feb 2019 07:41:14 +0000 (08:41 +0100)]
libedit: A command line editor library
Dependency for knot (kdig).
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Sun, 10 Feb 2019 19:13:17 +0000 (20:13 +0100)]
powertop: Update to 2.10
Hi,
Triggered by:
https://forum.ipfire.org/viewtopic.php?f=69&t=22274
For details see:
https://01.org/powertop/downloads/powertop-v2.10
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Sat, 9 Feb 2019 09:59:08 +0000 (10:59 +0100)]
dhcpcd: Update to 7.1.1
For details see:
https://roy.marples.name/blog/dhcpcd-7-1-1-released
"A minor update, highlights include:
IPv4LL: Fixed build with this disabled
IPv4LL: Remember last address between carrier resets
BSD: Fixed initial link infos reported as LINK_STATE_UNKNOWN
FreeBSD: Avoid panicking kernel when RTA_IFP is set for IPv6 prefix routes"
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Sat, 9 Feb 2019 09:37:22 +0000 (10:37 +0100)]
curl: Update to 7.64.0
Hi,
For details see:
https://curl.haxx.se/changes.html
This came rather unexpectedly - if I'd known, I'd have waited with 7.63.0.
"Changes:
cookies: leave secure cookies alone
hostip: support wildcard hosts
http: Implement trailing headers for chunked transfers
http: added options for allowing HTTP/0.9 responses
timeval: Use high resolution timestamps on Windows
Bugfixes:
CVE-2018-16890: NTLM type-2 out-of-bounds buffer read
CVE-2019-3822: NTLMv2 type-3 header stack buffer overflow
CVE-2019-3823: SMTP end-of-response out-of-bounds read
FAQ: remove mention of sourceforge for github
OS400: handle memory error in list conversion
OS400: upgrade ILE/RPG binding.
README: add codacy code quality badge
Revert http_negotiate: do not close connection
THANKS: added several missing names from year <= 2000
build: make 'tidy' target work for metalink builds
cmake: added checks for variadic macros
cmake: updated check for HAVE_POLL_FINE to match autotools
cmake: use lowercase for function name like the rest of the code
configure: detect xlclang separately from clang
configure: fix recv/send/select detection on Android
configure: rewrite --enable-code-coverage
conncache_unlock: avoid indirection by changing input argument type
cookie: fix comment typo
cookies: allow secure override when done over HTTPS
cookies: extend domain checks to non psl builds
cookies: skip custom cookies when redirecting cross-site
curl --xattr: strip credentials from any URL that is stored
curl -J: refuse to append to the destination file
curl/urlapi.h: include "curl.h" first
curl_multi_remove_handle() don't block terminating c-ares requests
darwinssl: accept setting max-tls with default min-tls
disconnect: separate connections and easy handles better
disconnect: set conn->data for protocol disconnect
docs/version.d: mention MultiSSL
docs: fix the --tls-max description
docs: use $(INSTALL_DATA) to install man page
docs: use meaningless port number in CURLOPT_LOCALPORT example
gopher: always include the entire gopher-path in request
http2: clear pause stream id if it gets closed
if2ip: remove unused function Curl_if_is_interface_name
libssh: do not let libssh create socket
libssh: enable CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION for libssh
libssh: free sftp_canonicalize_path() data correctly
libtest/stub_gssapi: use "real" snprintf
mbedtls: use VERIFYHOST
multi: multiplexing improvements
multi: set the EXPIRE_*TIMEOUT timers at TIMER_STARTSINGLE time
ntlm: fix NTLMv2 compliance
ntlm_sspi: add support for channel binding
openssl: adapt to 3.0.0, OpenSSL_version_num() is deprecated
openssl: fix the SSL_get_tlsext_status_ocsp_resp call
openvms: fix OpenSSL discovery on VAX
openvms: fix typos in documentation
os400: add a missing closing bracket
os400: fix extra parameter syntax error
pingpong: change default response timeout to 120 seconds
pingpong: ignore regular timeout in disconnect phase
printf: fix format specifiers
runtests.pl: Fix perl call to include srcdir
schannel: fix compiler warning
schannel: preserve original certificate path parameter
schannel: stop calling it "winssl"
sigpipe: if mbedTLS is used, ignore SIGPIPE
smb: fix incorrect path in request if connection reused
ssh: log the libssh2 error message when ssh session startup fails
test1558: verify CURLINFO_PROTOCOL on file:// transfer
test1561: improve test name
test1653: make it survive torture tests
tests: allow tests to pass by 2037-02-12
tests: move objnames-* from lib into tests
timediff: fix math for unsigned time_t
timeval: Disable MSVC Analyzer GetTickCount warning
tool_cb_prg: avoid integer overflow
travis: added cmake build for osx
urlapi: Fix port parsing of eol colon
urlapi: distinguish possibly empty query
urlapi: fix parsing ipv6 with zone index
urldata: rename easy_conn to just conn
winbuild: conditionally use /DZLIB_WINAPI
wolfssl: fix memory-leak in threaded use
spnego_sspi: add support for channel binding"
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Arne Fitzenreiter [Fri, 8 Feb 2019 19:50:37 +0000 (20:50 +0100)]
kernel: update to 4.14.98
todo: check if RPi dwc dma patch still needs to be reverted before release
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Matthias Fischer [Fri, 8 Feb 2019 11:01:42 +0000 (12:01 +0100)]
borgbackup: Fix build on i586
Fixes
...
'/usr/src/config/rootfiles/packages//borgbackup' -> '/install/packages/package/ROOTFILES'
tar: usr/lib/python3.6/site-packages/borg/chunker.cpython-36m-i586-linux-gnu.so: Cannot stat: No such file or directory
tar: usr/lib/python3.6/site-packages/borg/compress.cpython-36m-i586-linux-gnu.so: Cannot stat: No such file or directory
tar: usr/lib/python3.6/site-packages/borg/crypto.cpython-36m-i586-linux-gnu.so: Cannot stat: No such file or directory
tar: usr/lib/python3.6/site-packages/borg/hashindex.cpython-36m-i586-linux-gnu.so: Cannot stat: No such file or directory
tar: usr/lib/python3.6/site-packages/borg/platform_linux.cpython-36m-i586-linux-gnu.so: Cannot stat: No such file or directory
tar: Exiting with failure status due to previous errors
make: *** [borgbackup:58: dist] Error 2
...
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Fri, 8 Feb 2019 10:57:47 +0000 (11:57 +0100)]
python3-llfuse: Fix build on i586
Fixes
"tar: usr/lib/python3.6/site-packages/llfuse.cpython-36m-i586-linux-gnu.so:
Cannot stat: No such file or directory"
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Thu, 7 Feb 2019 15:13:50 +0000 (15:13 +0000)]
core128: Ship updated firewall initscript
Require reboot after the update
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Wed, 6 Feb 2019 21:00:00 +0000 (21:00 +0000)]
apply default firewall policy for ORANGE, too
If firewall default policy is set to DROP, this setting was not
applied to outgoing ORANGE traffic as well, which was misleading.
Fixes #11973
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Cc: Michael Tremer <michael.tremer@ipfire.org>
Cc: Oliver Fuhrer <oliver.fuhrer@bluewin.ch>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Wed, 6 Feb 2019 19:21:00 +0000 (19:21 +0000)]
Tor: update to 0.3.5.7
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 4 Feb 2019 18:38:24 +0000 (18:38 +0000)]
strongswan: Do not create any NAT rules when using VTI/GRE
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 22 Jan 2019 13:19:00 +0000 (13:19 +0000)]
Drop "OpenVPN" part from VPN N2N stats page
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 22 Jan 2019 13:15:48 +0000 (13:15 +0000)]
Add routed IPsec connections to traffic graphs section
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 22 Jan 2019 12:46:53 +0000 (12:46 +0000)]
firewall: Write correct rules bound to interface for routed IPsec tunnels
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 22 Jan 2019 11:34:49 +0000 (11:34 +0000)]
ipsec-interfaces: Resolve any remote hostnames
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 22 Jan 2019 11:26:32 +0000 (11:26 +0000)]
ipsec-interfaces: Move conditional block into the loop
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 21 Jan 2019 17:40:12 +0000 (17:40 +0000)]
ipsec: Drop delayed restart setting
This is a very bad race-condition situation and is not solved by
an unintuitive setting.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 21 Jan 2019 17:08:57 +0000 (17:08 +0000)]
ipsec: Drop VPN_IP setting
This is now a per-connection setting
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 21 Jan 2019 16:52:39 +0000 (16:52 +0000)]
ipsec: Add translation strings for recent changes
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 21 Jan 2019 16:44:03 +0000 (16:44 +0000)]
ipsec-*: Name some more configuration variables
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 21 Jan 2019 16:41:16 +0000 (16:41 +0000)]
ipsec-interfaces: Uses local IP address from connection first, then default
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 21 Jan 2019 16:33:53 +0000 (16:33 +0000)]
ipsec-policy: Correct open ports for connections on aliases
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 21 Jan 2019 16:20:13 +0000 (16:20 +0000)]
ipsec: Allow to select local IP address used for peer on UI
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 21 Jan 2019 15:36:16 +0000 (15:36 +0000)]
ipsec: Re-arrange inputs for peer addresses, subnets, etc.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 21 Jan 2019 15:32:08 +0000 (15:32 +0000)]
ipsec: Don't allow to select VTI in transport mode
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 21 Jan 2019 14:34:19 +0000 (14:34 +0000)]
vpnmain.cgi: Don't populate GREEN subnet when green doesn't exist
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 16 Jan 2019 19:29:25 +0000 (20:29 +0100)]
ipsec-interfaces: Fix typo in variable name
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 9 Jan 2019 19:23:42 +0000 (20:23 +0100)]
strongswan: No longer create any routes automatically
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 9 Jan 2019 19:10:02 +0000 (20:10 +0100)]
ipsec: Filter better for GRE/VTI interfaces
This tried to delete the GREEN interface before
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 9 Jan 2019 18:56:01 +0000 (19:56 +0100)]
ipsec: TTL only applies for GRE interfaces and not VTI
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 9 Jan 2019 18:52:46 +0000 (19:52 +0100)]
ipsec: Find correct RED IP address when using %defaultroute
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 9 Jan 2019 18:52:24 +0000 (19:52 +0100)]
ipsec: Log a message when an interface could not be created
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 10 Dec 2018 16:57:12 +0000 (16:57 +0000)]
ipsec-interfaces: Don't add any interfaces when IPsec is disabled
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 10 Dec 2018 16:55:53 +0000 (16:55 +0000)]
Revert "ipsec-interfaces: Run when IPsec is disabled"
This reverts commit 3c3a1cfdb9b473fae9b792e8c211c9940fafc658.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 10 Dec 2018 16:44:06 +0000 (16:44 +0000)]
vpnmain.cgi: Move advanced IPsec settings to connection page
This is required to make the initial setup easier for GRE/VTI connections
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 10 Dec 2018 16:08:58 +0000 (16:08 +0000)]
ipsec-interfaces: Run when IPsec is disabled
This needs to run even when IPsec is disabled to remove
and interfaces
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 10 Dec 2018 16:01:00 +0000 (16:01 +0000)]
ipsec-interfaces: Use correct righthost variable
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 5 Dec 2018 17:10:16 +0000 (17:10 +0000)]
IPsec: Do not allow 0.0.0.0/0 as remote subnet
This renders the whole machine inaccessible
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 5 Dec 2018 16:24:52 +0000 (16:24 +0000)]
network: Create IPsec interfaces when network is brought up
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 5 Dec 2018 16:23:06 +0000 (16:23 +0000)]
ipsecctrl: Call ipsec-interfaces script when turning up/shutting down connections
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 5 Dec 2018 16:12:48 +0000 (16:12 +0000)]
IPsec: Add (experimental) script that creates GRE/VTI interfaces
Signed-off-by: root <root@interim-edge-a.ec2.internal>
Michael Tremer [Mon, 3 Dec 2018 11:21:29 +0000 (11:21 +0000)]
IPsec: Use left/rightprotoport in GRE mode
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Thu, 29 Nov 2018 16:12:45 +0000 (16:12 +0000)]
ipsecctrl: Don't wait when a connection is to be started
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Thu, 29 Nov 2018 16:00:52 +0000 (16:00 +0000)]
ipsec-policy: Don't install any block rules for connections with an interface
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Thu, 29 Nov 2018 15:58:55 +0000 (15:58 +0000)]
ipsec-policy: Permit GRE traffic for GRE connections
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Thu, 29 Nov 2018 15:58:39 +0000 (15:58 +0000)]
ipsec-policy: Variables don't match those from the CGI
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Thu, 29 Nov 2018 15:45:52 +0000 (15:45 +0000)]
ipsec-policy: Parse all configuration settings
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Thu, 29 Nov 2018 15:43:39 +0000 (15:43 +0000)]
IPsec: Move opening ports from ipsecctrl into ipsec-policy script
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Thu, 29 Nov 2018 15:04:28 +0000 (15:04 +0000)]
IPsec: Rename ipsec-block script to ipsec-policy
This is a more general name for a script that will be extended
soon to do more than just add blocking rules.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 28 Nov 2018 20:37:32 +0000 (20:37 +0000)]
IPsec: Update ipsec.conf for GRE/VTI changes
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 28 Nov 2018 14:46:15 +0000 (14:46 +0000)]
IPsec: Add UI for setting interface MTU
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 28 Nov 2018 14:38:11 +0000 (14:38 +0000)]
IPsec: Add option to configure IP address for tunnel interface
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 28 Nov 2018 14:24:03 +0000 (14:24 +0000)]
IPsec: Set default inactivity timeout to half an hour
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 28 Nov 2018 14:23:26 +0000 (14:23 +0000)]
IPsec: New connections should default to on-demand mode
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>