git.ipfire.org Git - people/ms/ipfire-2.x.git/log
Michael Tremer [Sun, 19 Jan 2020 16:32:14 +0000 (16:32 +0000)]
cloud-init: Remove importing DNS settings
Those scripts used to import settings from the meta-data services
and wrote them to the local configuration files.
For the DNS settings and Amazon, this is no longer possible because
their DNS servers do not support DNSSEC at all. Therefore we default
to recursor mode.
To be consistent across cloud providers, we are doing the same for
Azure.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Sun, 19 Jan 2020 15:50:21 +0000 (15:50 +0000)]
modules: Cleanup file
This file has an unused line for the "fusion" module which
is no longer needed.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Sun, 19 Jan 2020 15:50:20 +0000 (15:50 +0000)]
modules: No longer load parallel port modules
These modules are loaded by default on all systems.
They are simply a waste of space since not many systems
have parallel ports any more.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Sun, 19 Jan 2020 15:03:34 +0000 (15:03 +0000)]
setup: Do not check DNS settings any more
It has been removed that DNS servers could be configured in
setup, but I forgot to remove a check which leads to new
installations not being able to complete the setup wizard.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Stefan Schantl [Sat, 18 Jan 2020 09:03:06 +0000 (10:03 +0100)]
convert-dns-settings: Import all possible PPP dialin profiles.
* Avoid adding the same imported DNS server multiple times.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Sun, 19 Jan 2020 12:23:54 +0000 (12:23 +0000)]
core140: fix typo
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Fri, 17 Jan 2020 10:21:43 +0000 (11:21 +0100)]
partresize: NanoPi R1: copy also a0 config of Ampac AP6212
There is a second hardware version of the AP6212 in some NanoPi R1
boards.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Thu, 16 Jan 2020 18:28:26 +0000 (18:28 +0000)]
core140: add lvm2 to core updater
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Wed, 15 Jan 2020 15:20:12 +0000 (15:20 +0000)]
lvm2: Add initscript for lvmetad
This daemon needs to be launched in order to use LVM
devices in IPFire.
It will run on all installations after this patch has been
merged but only consumes very little memory.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Wed, 15 Jan 2020 15:20:11 +0000 (15:20 +0000)]
lvm2: Create lock files in /run/lvm
The default is /var/lock which is not mounted at the time
when udev is initialising the volumes. Therefore after a
reboot, LVM devices won't show up unless pvscan is executed
manually.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Wed, 15 Jan 2020 15:20:10 +0000 (15:20 +0000)]
lvm2: Enable lvmetad
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Wed, 15 Jan 2020 15:20:09 +0000 (15:20 +0000)]
lvm2: Build with support for udev
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Wed, 15 Jan 2020 15:20:08 +0000 (15:20 +0000)]
lvm2: Ship with core system
This was requested by some users to mount devices
with LVM.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Wed, 15 Jan 2020 11:28:01 +0000 (11:28 +0000)]
Update list of contributors
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Stéphane Pautrel [Wed, 15 Jan 2020 11:26:47 +0000 (11:26 +0000)]
Many improvements for the French translation
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Stefan Schantl [Thu, 16 Jan 2020 16:18:13 +0000 (17:18 +0100)]
DNS: Defaults to use the ISP nameservers.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Stefan Schantl [Thu, 16 Jan 2020 16:18:12 +0000 (17:18 +0100)]
configroot: Create /var/ipfire/dns/servers file
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Thu, 16 Jan 2020 14:01:13 +0000 (15:01 +0100)]
core140: add dns changes to updater.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Wed, 15 Jan 2020 17:15:48 +0000 (17:15 +0000)]
Revert "stage2: update rootfile"
This reverts commit a877032915898b07dcacd165c0f89e427bc672a4.
Arne Fitzenreiter [Wed, 15 Jan 2020 17:15:25 +0000 (17:15 +0000)]
Revert "Introduce update-location-database script."
This reverts commit 93a985cc05e6b564ac1e3fc59fd37e94c77000ca.
Arne Fitzenreiter [Wed, 15 Jan 2020 17:14:57 +0000 (17:14 +0000)]
Revert "crontab: Adjust crontab to hourly launch the update-location-database"
This reverts commit f8e7c1c9d07d348e8c3235c83fd889068269c823.
Arne Fitzenreiter [Tue, 14 Jan 2020 21:10:15 +0000 (21:10 +0000)]
set version in backupiso and also pakfire core to 140
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Stefan Schantl [Tue, 14 Jan 2020 12:53:59 +0000 (13:53 +0100)]
dns.cgi: Fix ID and greater than checks.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Stefan Schantl [Tue, 14 Jan 2020 11:14:02 +0000 (12:14 +0100)]
dns.cgi: Set kdig params for timeout and retry back to default.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Tue, 14 Jan 2020 06:54:45 +0000 (06:54 +0000)]
stage2: update rootfile
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Mon, 13 Jan 2020 21:42:49 +0000 (21:42 +0000)]
Merge remote-tracking branch 'ms/next-dns-ng' into next
Arne Fitzenreiter [Mon, 13 Jan 2020 21:38:16 +0000 (21:38 +0000)]
Merge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next
Daniel Weismüller [Fri, 10 Jan 2020 15:06:00 +0000 (16:06 +0100)]
filesystem-cleanup: Add parameter to show changes
Use --dry-run to only show files that would be deleted, but do
not actually delete them.
Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Fri, 10 Jan 2020 11:12:36 +0000 (11:12 +0000)]
filesystem-cleanup: Automatically remove old libraries
This script runs through /usr/lib and /lib and tries to find
all libraries which are no longer being used any more and
deletes them.
This will help us to free space on root partitions that
are limited to 2GB.
However, the script does not cover 100% of the cases, so that
some files still need to be deleted manually (e.g. boost with
their weird versioning schema).
This script should be executed after a Core Update has been
installed.
Fixes: #12270
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Mon, 13 Jan 2020 21:06:38 +0000 (21:06 +0000)]
amazon-ssm-agent: Move source to GOPATH
Go won't build when this is only symlinked any more.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Mon, 13 Jan 2020 20:43:27 +0000 (21:43 +0100)]
unbound: Make dhcp-leases.conf readable for everyone
unbound runs as nobody and cannot reload its configuration
when this file is only readable for root.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 13 Jan 2020 20:25:10 +0000 (21:25 +0100)]
unbound: Do not reset safe search again
This is now done in the reload stage and we do not need to
take care about it again.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 13 Jan 2020 20:20:32 +0000 (21:20 +0100)]
unbound: Drop some unused variables
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 13 Jan 2020 20:19:22 +0000 (21:19 +0100)]
unbound: Drop function to reload forwarders on the fly
This is now being done by updating and re-reading forward.conf.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 13 Jan 2020 20:13:03 +0000 (21:13 +0100)]
dnsforward.cgi: Reloading unbound is enough to apply changes
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 13 Jan 2020 20:12:02 +0000 (21:12 +0100)]
hosts.cgi: Hosts can now be imported when reloading unbound
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 13 Jan 2020 20:10:18 +0000 (21:10 +0100)]
unbound: Write hosts to unbound configuration file
This will allow us to read more hosts in a shorter time.
Fixes: #11743
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 13 Jan 2020 19:55:59 +0000 (20:55 +0100)]
unbound: There is no need to rewrite tuning.conf
The number of CPU cores and memory normally does not change
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 13 Jan 2020 19:55:32 +0000 (20:55 +0100)]
unbound: Reload own hostname, too
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 13 Jan 2020 19:44:55 +0000 (20:44 +0100)]
dns.cgi: Fix check for undefined variable
This was positive when zero was returned.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Mon, 13 Jan 2020 16:40:29 +0000 (17:40 +0100)]
dns.cgi: Show error when trying to use ISP nameservers and TLS at the same time.
Because the ISP-assigned nameservers do not have any TLS-hostname
information, they cannot be used when TLS is activated.
They can only be used if they are added as "regular" DNS servers
with a TLS-hostname.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Michael Tremer [Mon, 13 Jan 2020 16:05:27 +0000 (16:05 +0000)]
setup: Remove DNS settings
This is no longer required since we have a new CGI script
that takes care of all DNS settings and stores things in
another format.
Fixes: #12235
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Mon, 13 Jan 2020 09:42:56 +0000 (10:42 +0100)]
dns.cgi: Fix id compare when adding a new nameserver.
I do not know why perl when using "le" which means "less-or-equal"
defines a "10" as "1".
This commit fixes the issue that it was not possible to add more than 8
nameservers.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Arne Fitzenreiter [Sun, 12 Jan 2020 11:39:25 +0000 (12:39 +0100)]
geoip: ship database
20191217
Maxmind has disabled the download so we ship the last free (creative commons)
database with the iso and core until we build an alternative.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Sun, 12 Jan 2020 09:48:14 +0000 (10:48 +0100)]
core140: fix build on armv5tel and i586
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Tue, 24 Dec 2019 12:58:54 +0000 (12:58 +0000)]
Go: Move the cache to the ccache directory
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Tue, 24 Dec 2019 12:58:53 +0000 (12:58 +0000)]
Go: Cleanup Go Path after build
Go leaves temporary build files in the directory
which we do not need and we should clean up after
every build.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Tue, 24 Dec 2019 12:58:52 +0000 (12:58 +0000)]
amazon-ssm-agent: New package
AWS Systems Manager Agent (SSM Agent) is Amazon software that can be
installed and configured on an Amazon EC2 instance, an on-premises
server, or a virtual machine (VM). SSM Agent makes it possible for
Systems Manager to update, manage, and configure these resources. The
agent processes requests from the Systems Manager service in the AWS
Cloud, and then runs them as specified in the request. SSM Agent then
sends status and execution information back to the Systems Manager
service by using the Amazon Message Delivery Service.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Sat, 11 Jan 2020 20:22:07 +0000 (21:22 +0100)]
python3: exclude __pycache__ from iso, core and packages
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Stefan Schantl [Sat, 11 Jan 2020 18:37:50 +0000 (19:37 +0100)]
ids.cgi: Do reload instead of restarting unbound
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Sat, 11 Jan 2020 18:36:29 +0000 (19:36 +0100)]
initscripts/unbound: Add support for reloading the service
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Sat, 11 Jan 2020 18:35:24 +0000 (19:35 +0100)]
unboundctrl: Add support for calling reload.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Sat, 11 Jan 2020 18:34:12 +0000 (19:34 +0100)]
dns.cgi: Only perform reverse lookup if DNS is working.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Michael Tremer [Fri, 10 Jan 2020 10:57:49 +0000 (10:57 +0000)]
unbound: No longer try to include safe-search.conf
This file is no longer generated and therefore cannot
be imported any more.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Sat, 11 Jan 2020 14:17:50 +0000 (14:17 +0000)]
core140: ship updated vpnmain.cgi
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Tue, 7 Jan 2020 21:47:00 +0000 (21:47 +0000)]
update translation files for vpnmain.cgi changes
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Tue, 7 Jan 2020 21:47:00 +0000 (21:47 +0000)]
vpnmain.cgi: set SubjectAlternativeName default during root certificate generation
Some IPsec implementations such as OpenIKED require SubjectAlternativeName
data on certificates and refuse to establish connections otherwise.
The StrongSwan project also recommends it (see:
https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA) although
it is currently not enforced by their IPsec software.
For convenience purposes and to raise awareness, this patch adds a default
SubjectAlternativeName based on the machine's hostname or IP address. Existing
certificates remain unchanged for obvious reasons.
The third version of this patch fixes a duplicate DNS query reported by Michael.
Fixes #11594
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Sat, 11 Jan 2020 14:11:06 +0000 (14:11 +0000)]
Merge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next
Arne Fitzenreiter [Sat, 11 Jan 2020 14:10:23 +0000 (14:10 +0000)]
suricata: update rootfile
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Sat, 11 Jan 2020 14:04:48 +0000 (15:04 +0100)]
elinks: move to core system.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Sat, 11 Jan 2020 13:35:11 +0000 (14:35 +0100)]
python: update to 3.8 and move python to core
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Sat, 11 Jan 2020 13:15:45 +0000 (14:15 +0100)]
make.sh: update IPFire and Toolchain version
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Sat, 11 Jan 2020 13:11:12 +0000 (14:11 +0100)]
gcc: update armv5tel rootfile
Stefan Schantl [Fri, 10 Jan 2020 08:29:47 +0000 (09:29 +0100)]
convert-dns-settings: Set correct ownership after convert is done.
Otherwise it may happen that the created config files have wrong
permissions and the WUI will break.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Thu, 9 Jan 2020 15:36:39 +0000 (16:36 +0100)]
dns.cgi: Restart suricata if necessary.
When the DNS configuration of the system is changed,
we need to re-generate the file which contains the DNS Server
details for suricata and to restart the service.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Thu, 9 Jan 2020 15:30:10 +0000 (16:30 +0100)]
index.cgi: No longer display the DNS servers.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Thu, 9 Jan 2020 15:25:01 +0000 (16:25 +0100)]
ids-functions.pl: Update generate_dns_servers_file() function.
The function now uses the newly introduced get_nameservers() function
while generating the DNS servers file.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Thu, 9 Jan 2020 15:08:13 +0000 (16:08 +0100)]
general-functions.pl: Add get_nameservers().
This function simply returns an array of all used nameservers.
It also takes care if the usage of ISP assigned nameservers
is enabled or not and if user-added nameservers are enabled or not.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Thu, 9 Jan 2020 08:15:05 +0000 (09:15 +0100)]
guardian: Remove code for DNS servers.
In the past this code was used to add the DNS servers
to the ignore list and prevent them from being blocked by
guardian.
Because of the switch to suricata as IPS, guardian now prevents
password brute-forcing on SSH and/or the webserver, so this
code is no longer needed and can safely be removed.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Wed, 8 Jan 2020 17:44:41 +0000 (18:44 +0100)]
dns.cgi: Move grab_address_from_file function to general-functions.pl
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Wed, 8 Jan 2020 17:19:58 +0000 (18:19 +0100)]
dns.cgi: Also restart unbound if a server got enabled/disabled
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Wed, 8 Jan 2020 17:15:33 +0000 (18:15 +0100)]
dns.cgi: Remove accidentally committed debug code
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Wed, 8 Jan 2020 17:10:23 +0000 (18:10 +0100)]
dns.cgi: Restart unbound
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Wed, 8 Jan 2020 17:00:15 +0000 (18:00 +0100)]
dns.cgi: Display DNS system status.
For this, a test query to the local unbound instance will be
sent, and if the DNS system works properly it can be answered.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Wed, 8 Jan 2020 14:24:59 +0000 (15:24 +0100)]
dns.cgi: Perform server checks on user request
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Wed, 8 Jan 2020 14:22:56 +0000 (15:22 +0100)]
dns.cgi: Remove hard-coded box title.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Wed, 8 Jan 2020 11:58:50 +0000 (12:58 +0100)]
dns.cgi: Do not perform kdig tests when adding a server
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Wed, 8 Jan 2020 11:12:29 +0000 (12:12 +0100)]
dns.cgi: Check for empty server address.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Wed, 8 Jan 2020 10:13:05 +0000 (11:13 +0100)]
dns.cgi: Perform kdig tests only if the system is online.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Wed, 8 Jan 2020 10:12:42 +0000 (11:12 +0100)]
dns.cgi: Introduce red_is_active()
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Wed, 8 Jan 2020 09:35:52 +0000 (10:35 +0100)]
dns.cgi: Always display the input field for TLS_HOSTNAME
* Mark it as required if the protocol is set to TLS.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Wed, 8 Jan 2020 09:35:24 +0000 (10:35 +0100)]
dns.cgi: Only perform reverse lookups if the system is online
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Michael Tremer [Tue, 7 Jan 2020 16:32:35 +0000 (16:32 +0000)]
unbound: Implement setting qname minimisation into strict mode
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 7 Jan 2020 16:24:35 +0000 (16:24 +0000)]
unbound: Try to set time when DNS is not working
Since DNSSEC relies on time to validate its signatures,
a common problem is that some systems (usually those without
a working RTC) are not able to reach their time server.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 7 Jan 2020 16:02:14 +0000 (16:02 +0000)]
unbound: Do not update the forwarders when we are running in TLS mode
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 7 Jan 2020 15:28:21 +0000 (15:28 +0000)]
unbound: Read configuration globally
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 7 Jan 2020 15:21:59 +0000 (15:21 +0000)]
unbound: Update forwarders when system connects/disconnects
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 7 Jan 2020 14:57:12 +0000 (14:57 +0000)]
unbound: Update setting Safe Search redirects
When the system comes online, we must update entries
in the unbound cache to point to the "safe" IP addresses.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 7 Jan 2020 14:49:54 +0000 (14:49 +0000)]
dns.cgi: Show ISP name servers as disabled
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 7 Jan 2020 14:41:13 +0000 (14:41 +0000)]
dns.cgi: Fix handling of WARNINGs from kdig
There might be multiple warnings which must all be shown
to the user.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 7 Jan 2020 13:46:11 +0000 (13:46 +0000)]
dns.cgi: Remove smartmatch operator
Perl likes to make things difficult
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 7 Jan 2020 13:45:21 +0000 (13:45 +0000)]
dns.cgi: Timeout after 2 seconds for DNS server checks
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 7 Jan 2020 13:35:45 +0000 (13:35 +0000)]
DNS: Write name servers received from ISP to /var/run/dns{1,2}
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 7 Jan 2020 13:06:09 +0000 (13:06 +0000)]
unbound: Drop live checks
Those checks have caused us a lot of trouble and are now being dropped.
Users must make sure to choose servers that support DNSSEC or enable
any of the tunneling mechanisms to be able to reach them.
Fixes: #12239
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 7 Jan 2020 12:59:24 +0000 (12:59 +0000)]
unbound: Add path to TLS CA bundle
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 7 Jan 2020 12:58:28 +0000 (12:58 +0000)]
unbound: No longer read old configuration file
The old configuration file in /etc/sysconfig/unbound is no
longer being used and all settings should be in
/var/ipfire/dns/settings.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 7 Jan 2020 12:55:35 +0000 (12:55 +0000)]
unbound: Write upstream name servers to forward.conf
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 7 Jan 2020 11:18:41 +0000 (11:18 +0000)]
unbound: Remove test-name-server command
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 12 Nov 2019 12:43:28 +0000 (12:43 +0000)]
unbound: Convert forward zones to stub zones
It was incorrect to use forward zones here, because that
assumes that unbound is talking to a recursive resolver here.
The feature is however designed to be talking to an authoritative
server.
Fixes: #12230
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 4 Nov 2019 12:04:48 +0000 (12:04 +0000)]
unbound: Allow forcing to speak TLS to upstream servers only
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>