}
if ($POLICY_INPUT_ACTION eq "DROP") {
- push(@special_input_targets, "REJECT");
+ push(@special_input_targets, ("ACCEPT", "REJECT"));
} elsif ($POLICY_INPUT_ACTION eq "REJECT") {
- push(@special_input_targets, "DROP");
+ push(@special_input_targets, ("ACCEPT", "DROP"));
}
my @special_output_targets = ();
push(@special_output_targets, "ACCEPT");
if ($POLICY_OUTPUT_ACTION eq "DROP") {
- push(@special_output_targets, "REJECT");
+ push(@special_output_targets, ("ACCEPT", "REJECT"));
} elsif ($POLICY_OUTPUT_ACTION eq "REJECT") {
- push(@special_output_targets, "DROP");
+ push(@special_output_targets, ("ACCEPT", "DROP"));
}
}
push(@destination_options, ("-d", $destination));
}
+ # Add source and destination interface to the filter rules.
+ # These are supposed to help filtering forged packets that originate
+ # from BLUE with an IP address from GREEN for instance.
+ my @source_intf_options = ();
+ if ($source_intf) {
+ push(@source_intf_options, ("-i", $source_intf));
+ }
+
+ my @destination_intf_options = ();
+ if ($destination_intf) {
+ push(@destination_intf_options, ("-o", $destination_intf));
+ }
+
# Add time constraint options.
push(@options, @time_options);
} elsif ($NAT_MODE eq "SNAT") {
my @nat_options = @options;
- if ($destination_intf) {
- push(@nat_options, ("-o", $destination_intf));
- }
-
+ push(@nat_options, @destination_intf_options);
push(@nat_options, @source_options);
push(@nat_options, @destination_options);
}
}
- # Add source and destination interface to the filter rules.
- # These are supposed to help filtering forged packets that originate
- # from BLUE with an IP address from GREEN for instance.
- if ($source_intf) {
- push(@source_options, ("-i", $source_intf));
- }
-
- if ($destination_intf) {
- push(@destination_options, ("-o", $destination_intf));
- }
-
push(@options, @source_options);
push(@options, @destination_options);
# Insert firewall rule.
if ($LOG && !$NAT) {
- run("$IPTABLES -A $chain @options @log_limit_options -j LOG --log-prefix '$chain '");
+ run("$IPTABLES -A $chain @options @source_intf_options @destination_intf_options @log_limit_options -j LOG --log-prefix '$chain '");
}
- run("$IPTABLES -A $chain @options -j $target");
+ run("$IPTABLES -A $chain @options @source_intf_options @destination_intf_options -j $target");
# Handle forwarding rules and add corresponding rules for firewall access.
if ($chain eq $CHAIN_FORWARD) {
# for the firewall, too.
if ($firewall_is_in_destination_subnet && ($target ~~ @special_input_targets)) {
if ($LOG && !$NAT) {
- run("$IPTABLES -A $CHAIN_INPUT @options @log_limit_options -j LOG --log-prefix '$CHAIN_INPUT '");
+ run("$IPTABLES -A $CHAIN_INPUT @options @source_intf_options @log_limit_options -j LOG --log-prefix '$CHAIN_INPUT '");
}
- run("$IPTABLES -A $CHAIN_INPUT @options -j $target");
+ run("$IPTABLES -A $CHAIN_INPUT @options @source_intf_options -j $target");
}
# Likewise.
if ($firewall_is_in_source_subnet && ($target ~~ @special_output_targets)) {
if ($LOG && !$NAT) {
- run("$IPTABLES -A $CHAIN_OUTPUT @options @log_limit_options -j LOG --log-prefix '$CHAIN_OUTPUT '");
+ run("$IPTABLES -A $CHAIN_OUTPUT @options @destination_intf_options @log_limit_options -j LOG --log-prefix '$CHAIN_OUTPUT '");
}
- run("$IPTABLES -A $CHAIN_OUTPUT @options -j $target");
+ run("$IPTABLES -A $CHAIN_OUTPUT @options @destination_intf_options -j $target");
}
}
}
#usr/lib/grub/i386-pc/drivemap.module
#usr/lib/grub/i386-pc/echo.mod
#usr/lib/grub/i386-pc/echo.module
+#usr/lib/grub/i386-pc/efiemu.mod
+#usr/lib/grub/i386-pc/efiemu.module
#usr/lib/grub/i386-pc/ehci.mod
#usr/lib/grub/i386-pc/ehci.module
#usr/lib/grub/i386-pc/elf.mod
usr/lib/grub/i386-pc/drivemap.module
usr/lib/grub/i386-pc/echo.mod
usr/lib/grub/i386-pc/echo.module
+usr/lib/grub/i386-pc/efiemu.mod
+usr/lib/grub/i386-pc/efiemu.module
usr/lib/grub/i386-pc/ehci.mod
usr/lib/grub/i386-pc/ehci.module
usr/lib/grub/i386-pc/elf.mod
etc/suricata/suricata.yaml
srv/web/ipfire/cgi-bin/credits.cgi
srv/web/ipfire/cgi-bin/proxy.cgi
+usr/lib/firewall/rules.pl
usr/sbin/convert-snort
var/ipfire/ids-functions.pl
var/ipfire/langs
/etc/init.d/suricata restart
# This update needs a reboot...
-#touch /var/run/need_reboot
+touch /var/run/need_reboot
# Finish
/etc/init.d/fireinfo start
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/grub-2.02_disable_vga_fallback.patch
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/grub-2.02-xfs-accept-filesystem-with-sparse-inodes.patch
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/grub-2.02-fix-packed-not-aligned-error-on-gcc-8.patch
+ cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/grub-2.02-X86_64_PLT32.patch
# Install unifont
cp -v $(DIR_DL)/unifont-7.0.03.pcf.gz $(DIR_APP)/unifont.pcf.gz
# Extract iPXE source
cd $(DIR_APP) && tar axf $(DIR_DL)/ipxe-$(PXE_VER).tar.gz
+ cd $(DIR_APP)/ipxe-$(PXE_VER) && patch -Np1 < $(DIR_SRC)/src/patches/ipxe-fix-stringop-truncation-warning-with-gcc-8-x.patch
+ cd $(DIR_APP)/ipxe-$(PXE_VER) && patch -Np1 < $(DIR_SRC)/src/patches/ipxe-handle-R_X86_64_PLT32.patch
cd $(DIR_APP) && rm -rfv ipxe && ln -s ipxe-$(PXE_VER) ipxe
cd $(DIR_APP) && make $(MAKETUNING) bin/ipxe.lkrn
ifeq "$(BUILD_ARCH)" "x86_64"
$(UPDATE_AUTOMAKE)
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/sarg/sarg-2.3.11-format.patch
+ cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/sarg/sarg-2.3.11-configure.patch
+
+ cd $(DIR_APP) && autoreconf -vfi
# Update gettext Makefile
cd $(DIR_APP) && cp -vf /usr/share/gettext/po/Makefile.in.in po/Makefile.in.in
--- /dev/null
+From 02702bdfe14d8a04643a45b03715f734ae34dbac Mon Sep 17 00:00:00 2001
+From: "H.J. Lu" <hjl.tools@gmail.com>
+Date: Sat, 17 Feb 2018 06:47:28 -0800
+Subject: x86-64: Treat R_X86_64_PLT32 as R_X86_64_PC32
+
+Starting from binutils commit bd7ab16b4537788ad53521c45469a1bdae84ad4a:
+
+https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=bd7ab16b4537788ad53521c45469a1bdae84ad4a
+
+x86-64 assembler generates R_X86_64_PLT32, instead of R_X86_64_PC32, for
+32-bit PC-relative branches. Grub2 should treat R_X86_64_PLT32 as
+R_X86_64_PC32.
+
+Signed-off-by: H.J. Lu <hjl.tools@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Origin: upstream, https://git.savannah.gnu.org/cgit/grub.git/commit/?id=842c390469e2c2e10b5aa36700324cd3bde25875
+Last-Update: 2018-07-30
+
+Patch-Name: R_X86_64_PLT32.patch
+---
+ grub-core/efiemu/i386/loadcore64.c | 1 +
+ grub-core/kern/x86_64/dl.c | 1 +
+ util/grub-mkimagexx.c | 1 +
+ util/grub-module-verifier.c | 1 +
+ 4 files changed, 4 insertions(+)
+
+diff --git a/grub-core/efiemu/i386/loadcore64.c b/grub-core/efiemu/i386/loadcore64.c
+index e49d0b6ff..18facf47f 100644
+--- a/grub-core/efiemu/i386/loadcore64.c
++++ b/grub-core/efiemu/i386/loadcore64.c
+@@ -98,6 +98,7 @@ grub_arch_efiemu_relocate_symbols64 (grub_efiemu_segment_t segs,
+ break;
+
+ case R_X86_64_PC32:
++ case R_X86_64_PLT32:
+ err = grub_efiemu_write_value (addr,
+ *addr32 + rel->r_addend
+ + sym.off
+diff --git a/grub-core/kern/x86_64/dl.c b/grub-core/kern/x86_64/dl.c
+index 440690673..3a73e6e6c 100644
+--- a/grub-core/kern/x86_64/dl.c
++++ b/grub-core/kern/x86_64/dl.c
+@@ -70,6 +70,7 @@ grub_arch_dl_relocate_symbols (grub_dl_t mod, void *ehdr,
+ break;
+
+ case R_X86_64_PC32:
++ case R_X86_64_PLT32:
+ {
+ grub_int64_t value;
+ value = ((grub_int32_t) *addr32) + rel->r_addend + sym->st_value -
+diff --git a/util/grub-mkimagexx.c b/util/grub-mkimagexx.c
+index e63f148e4..f20255a28 100644
+--- a/util/grub-mkimagexx.c
++++ b/util/grub-mkimagexx.c
+@@ -832,6 +832,7 @@ SUFFIX (relocate_addresses) (Elf_Ehdr *e, Elf_Shdr *sections,
+ break;
+
+ case R_X86_64_PC32:
++ case R_X86_64_PLT32:
+ {
+ grub_uint32_t *t32 = (grub_uint32_t *) target;
+ *t32 = grub_host_to_target64 (grub_target_to_host32 (*t32)
+diff --git a/util/grub-module-verifier.c b/util/grub-module-verifier.c
+index 9179285a5..a79271f66 100644
+--- a/util/grub-module-verifier.c
++++ b/util/grub-module-verifier.c
+@@ -19,6 +19,7 @@ struct grub_module_verifier_arch archs[] = {
+ -1
+ }, (int[]){
+ R_X86_64_PC32,
++ R_X86_64_PLT32,
+ -1
+ }
+ },
--- /dev/null
+From ddfb60813c74e988ba7c16dbbe1b163593c9da4e Mon Sep 17 00:00:00 2001
+From: Christian Hesse <mail@eworm.de>
+Date: Tue, 15 May 2018 23:25:01 +0200
+Subject: [PATCH] [build] fix stringop truncation warning with GCC 8.x
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+GCC 8.x gives a warning about stringop truncation:
+
+util/elf2efi.c:497:2: error: ‘strncpy’ specified bound 8 equals destination
+size [-Werror=stringop-truncation]
+
+It assumes that strncpy() is intended to copy strings, which are NULL
+terminated. We do copy fixed size memory regions, so use memcpy() instead.
+---
+ src/util/elf2efi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/util/elf2efi.c b/src/util/elf2efi.c
+index 6718df777..de3c92463 100644
+--- a/src/util/elf2efi.c
++++ b/src/util/elf2efi.c
+@@ -494,7 +494,7 @@ static struct pe_section * process_section ( struct elf_file *elf,
+ memset ( new, 0, sizeof ( *new ) + section_filesz );
+
+ /* Fill in section header details */
+- strncpy ( ( char * ) new->hdr.Name, name, sizeof ( new->hdr.Name ) );
++ memcpy ( ( char * ) new->hdr.Name, name, sizeof ( new->hdr.Name ) );
+ new->hdr.Misc.VirtualSize = section_memsz;
+ new->hdr.VirtualAddress = shdr->sh_addr;
+ new->hdr.SizeOfRawData = section_filesz;
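Review bot: The memcpy on the new side of the elf2efi.c hunk reads a fixed sizeof ( new->hdr.Name ) bytes from `name`, so whenever the section name is shorter than the Name field it reads past the name's terminating NUL and copies whatever follows into the PE section header, where the original strncpy stopped at the NUL and zero-padded. That is both an over-read of the source string and a change in header contents; how far the read can reach depends on where process_section obtains `name`, which is outside the hunk, as are the function's start and end. The memset on the first line of the hunk already zeroes the whole struct, so a length-bounded copy keeps the zero padding while still avoiding the GCC 8 truncation warning: `memcpy ( ( char * ) new->hdr.Name, name, strnlen ( name, sizeof ( new->hdr.Name ) ) );`. The patch appears to be an upstream commit carried verbatim, so the correction belongs in this patch file or a follow-up patch rather than in the .lfs file.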
--- /dev/null
+From 5dce2d454b2829431e0484ac0f993b7a2759e0df Mon Sep 17 00:00:00 2001
+From: Christian Hesse <mail@eworm.de>
+Date: Sat, 25 Aug 2018 13:53:08 +0200
+Subject: [PATCH] [build] handle R_X86_64_PLT32 from binutils 2.31
+
+Starting from binutils 2.31.0 (commit bd7ab16b) x86-64 assembler
+generates R_X86_64_PLT32 instead of R_X86_64_PC32.
+---
+ src/util/elf2efi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/util/elf2efi.c b/src/util/elf2efi.c
+index 6718df777..2c5b9df8a 100644
+--- a/src/util/elf2efi.c
++++ b/src/util/elf2efi.c
+@@ -636,6 +636,7 @@ static void process_reloc ( struct elf_file *elf, const Elf_Shdr *shdr,
+ case ELF_MREL ( EM_ARM, R_ARM_THM_JUMP24 ) :
+ case ELF_MREL ( EM_ARM, R_ARM_V4BX ):
+ case ELF_MREL ( EM_X86_64, R_X86_64_PC32 ) :
++ case ELF_MREL ( EM_X86_64, R_X86_64_PLT32 ) :
+ case ELF_MREL ( EM_AARCH64, R_AARCH64_CALL26 ) :
+ case ELF_MREL ( EM_AARCH64, R_AARCH64_JUMP26 ) :
+ case ELF_MREL ( EM_AARCH64, R_AARCH64_ADR_PREL_LO21 ) :
--- /dev/null
+--- sarg-2.3.11/configure.ac~ 2019-04-26 22:34:33.499022406 +0000
++++ sarg-2.3.11/configure.ac 2019-04-26 22:35:11.886556020 +0000
+@@ -29,35 +29,6 @@
+ # Report more warnings to improve code quality.
+ CFLAGS="${CFLAGS} -Wall -Wno-sign-compare"
+
+-dnl Check for supported compiler options
+-
+-AC_MSG_CHECKING([for extra warnings flag in $CC])
+-saved_CFLAGS="${CFLAGS}"
+-CFLAGS="${CFLAGS} -Wextra -Wno-unused-parameter"
+-AC_COMPILE_IFELSE([AC_LANG_SOURCE([])],[have_extra_warnings="yes"],[have_extra_warnings="no"])
+-AC_MSG_RESULT($have_extra_warnings)
+-if test "$have_extra_warnings" = "no" ; then
+- CFLAGS="${saved_CFLAGS}"
+-fi
+-
+-AC_MSG_CHECKING([for implicit-function-declaration error flag in $CC])
+-saved_CFLAGS="${CFLAGS}"
+-CFLAGS="${CFLAGS} -Werror=implicit-function-declaration"
+-AC_COMPILE_IFELSE([AC_LANG_SOURCE([])],[have_implicit_function_declaration="yes"],[have_implicit_function_declaration="no"])
+-AC_MSG_RESULT($have_implicit_function_declaration)
+-if test "$have_implicit_function_declaration" = "no" ; then
+- CFLAGS="${saved_CFLAGS}"
+-fi
+-
+-AC_MSG_CHECKING([for format error flag in $CC])
+-saved_CFLAGS="${CFLAGS}"
+-CFLAGS="${CFLAGS} -Werror=format"
+-AC_COMPILE_IFELSE([AC_LANG_SOURCE([])],[have_error_format="yes"],[have_error_format="no"])
+-AC_MSG_RESULT($have_error_format)
+-if test "$have_error_format" = "no" ; then
+- CFLAGS="${saved_CFLAGS}"
+-fi
+-
+ case "$host" in
+ *-solaris*)
+ LDFLAGS="${LDFLAGS} -lsocket -lnsl"
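Review bot: The new configure.ac patch removes not only the three probes but the flags they added, so `-Werror=implicit-function-declaration` and `-Werror=format` are no longer in CFLAGS at all; for a program that builds strings with sprintf into fixed-size char arrays (see the index.c hunks of the accompanying format patch), losing the format-error check makes a format/argument mismatch much easier to ship unnoticed, and implicit declarations on 64-bit hosts can silently truncate returned pointers. The patch file carries no description, so the reason the probes have to go is not recorded; presumably the empty AC_LANG_SOURCE probe misbehaves with the toolchain used here, but that is inferred, not visible. If the probes rather than the flags are the problem, replace the three blocks with an unconditional `CFLAGS="${CFLAGS} -Werror=implicit-function-declaration -Werror=format"` (the -Wextra probe can simply go) and add a one-line header above the `---` line of the patch stating why the probes were dropped.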
-diff -Naur sarg-2.3.11.org/index.c sarg-2.3.11/index.c
---- sarg-2.3.11.org/index.c 2018-01-14 19:00:22.000000000 +0100
-+++ sarg-2.3.11/index.c 2018-01-24 14:38:19.746338020 +0100
-@@ -89,9 +89,9 @@
- char monthdir[MAXLEN];
- char monthname1[9], monthname2[9];
- char nmonth[30];
-- char monthnum[10];
-+ char monthnum[15];
- char dayindex[MAXLEN];
-- char daynum[10];
-+ char daynum[15];
- char title[80];
- int yearsort[150];
- int nyears;
-diff -Naur sarg-2.3.11.org/report.c sarg-2.3.11/report.c
---- sarg-2.3.11.org/report.c 2018-01-14 19:00:23.000000000 +0100
-+++ sarg-2.3.11/report.c 2018-01-24 14:38:19.742337939 +0100
+diff -wbBur sarg-2.3.11/index.c sarg-2.3.11.my/index.c
+--- sarg-2.3.11/index.c 2018-01-14 21:00:22.000000000 +0300
++++ sarg-2.3.11.my/index.c 2018-02-19 12:20:15.896203347 +0300
+@@ -208,7 +208,7 @@
+ m1=month / 16;
+ if(month % 16 != 0) {
+ m2=month % 16;
+- sprintf(monthnum,"%02d-%02d",m1,m2);
++ sprintf(monthnum,"%02u-%02u",(unsigned int)m1,(unsigned int)m2);
+ sprintf(monthname1,"%02d",m1);
+ sprintf(monthname2,"%02d",m2);
+ name_month(monthname1,sizeof(monthname1));
+@@ -269,7 +269,7 @@
+ d1=day / 32;
+ if(day % 32 != 0) {
+ d2=day % 32;
+- sprintf(daynum,"%02d-%02d",d1,d2);
++ sprintf(daynum,"%02u-%02u",(unsigned int)d1,(unsigned int)d2);
+ } else {
+ sprintf(daynum,"%02d",d1);
+ }
+diff -wbBur sarg-2.3.11/report.c sarg-2.3.11.my/report.c
+--- sarg-2.3.11/report.c 2018-01-14 21:00:23.000000000 +0300
++++ sarg-2.3.11.my/report.c 2018-02-19 12:18:45.151207192 +0300
@@ -54,7 +54,7 @@
char accsmart[MAXLEN];
char crc2[MAXLEN/2 -1];
char siteind[MAX_TRUNCATED_URL];
- char arqtt[256];
-+ char arqtt[MAX_USER_FNAME_LEN * 2 + MAXLEN + 10];
++ char arqtt[267];
char *oldurltt=NULL;
char oldaccdiatt[11],oldacchoratt[9];
char tmp3[MAXLEN];
-diff -Naur sarg-2.3.11.org/userinfo.c sarg-2.3.11/userinfo.c
---- sarg-2.3.11.org/userinfo.c 2013-06-01 20:02:04.000000000 +0200
-+++ sarg-2.3.11/userinfo.c 2018-01-24 14:38:19.746338020 +0100
+diff -wbBur sarg-2.3.11/userinfo.c sarg-2.3.11.my/userinfo.c
+--- sarg-2.3.11/userinfo.c 2013-06-01 22:02:04.000000000 +0400
++++ sarg-2.3.11.my/userinfo.c 2018-02-19 12:21:16.103200796 +0300
@@ -67,7 +67,7 @@
int skip;
int flen;
int count, clen;
- char cstr[9];
-+ char cstr[10];
++ char cstr[11];
last=NULL;
for (group=first_user_group ; group ; group=group->next) {