Merge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next
authorArne Fitzenreiter <arne_f@ipfire.org>
Mon, 8 Apr 2019 19:47:12 +0000 (21:47 +0200)
committerArne Fitzenreiter <arne_f@ipfire.org>
Mon, 8 Apr 2019 19:47:12 +0000 (21:47 +0200)
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
config/rootfiles/core/130/filelists/Net_SSLeay [new symlink]
config/rootfiles/core/130/update.sh
lfs/strongswan
src/patches/strongswan-ipfire-revert.patch [new file with mode: 0644]
src/scripts/ipsec-interfaces

diff --git a/config/rootfiles/core/130/filelists/Net_SSLeay b/config/rootfiles/core/130/filelists/Net_SSLeay
new file mode 120000 (symlink)
index 0000000..13fe056
--- /dev/null
@@ -0,0 +1 @@
+../../../common/Net_SSLeay
\ No newline at end of file
index c039f30..71c63a3 100644 (file)
@@ -133,6 +133,9 @@ rm -rfv \
 # Update pakfire database
 /usr/local/bin/pakfire update --force
 
+# Search sensors again after reboot into the new kernel
+rm -f  /etc/sysconfig/lm_sensors
+
 # Upadate Kernel version uEnv.txt
 if [ -e /boot/uEnv.txt ]; then
        sed -i -e "s/KVER=.*/KVER=${KVER}/g" /boot/uEnv.txt
index 4174f78..714537e 100644 (file)
@@ -73,6 +73,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
        cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-disable-ipv6.patch
        cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-ipfire.patch
        cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-ipfire-interfaces.patch
+       cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-ipfire-revert.patch
 
        cd $(DIR_APP) && ./configure \
                --prefix="/usr" \
diff --git a/src/patches/strongswan-ipfire-revert.patch b/src/patches/strongswan-ipfire-revert.patch
new file mode 100644 (file)
index 0000000..91c7621
--- /dev/null
@@ -0,0 +1,113 @@
+--- strongswan-5.7.2/src/_updown/_updown.in.bak        2019-04-08 16:27:08.549214441 +0100
++++ strongswan-5.7.2/src/_updown/_updown.in    2019-04-08 16:30:30.195868788 +0100
+@@ -130,36 +130,6 @@
+ #              address family.
+ #
+-VARS=(
+-      id status name lefthost type ctype psk local local_id leftsubnets
+-      remote_id remote rightsubnets x3 x4 x5 x6 x7 x8 x9 x10 x11 x12
+-      x13 x14 x15 x16 x17 x18 x19 proto x20 x21 x22
+-      route x23 mode interface_mode interface_address interface_mtu rest
+-)
+-
+-function ip_encode() {
+-      local IFS=.
+-
+-      local int=0
+-      for field in $1; do
+-              int=$(( $(( $int << 8 )) | $field ))
+-      done
+-
+-      echo $int
+-}
+-
+-function ip_in_subnet() {
+-      local netmask
+-      netmask=$(_netmask $2)
+-      [ $(( $(ip_encode $1) & $netmask)) = $(( $(ip_encode ${2%/*}) & $netmask )) ]
+-}
+-
+-function _netmask() {
+-      local vlsm
+-      vlsm=${1#*/}
+-      [ $vlsm -eq 0 ] && echo 0 || echo $(( -1 << $(( 32 - $vlsm )) ))
+-}
+-
+ # define a minimum PATH environment in case it is not set
+ PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
+ export PATH
+@@ -326,13 +296,6 @@
+       fi
+       ;;
+ up-client:iptables)
+-      # Read IPsec configuration
+-      while IFS="," read -r "${VARS[@]}"; do
+-              if [ "${PLUTO_CONNECTION}" = "${name}" ]; then
+-                      break
+-              fi
+-      done < /var/ipfire/vpn/config
+-
+       # connection to client subnet, with (left/right)firewall=yes, coming up
+       # This is used only by the default updown script, not by your custom
+       # ones, so do not mess with it; see CAUTION comment up at top.
+@@ -396,30 +359,6 @@
+           logger -t $TAG -p $FAC_PRIO \
+             "tunnel+ $PLUTO_PEER -- $PLUTO_ME"
+       fi
+-
+-      if [ -z "${interface_mode}" ]; then
+-              # Add source nat so also the gateway can access the other nets
+-              eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
+-              for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
+-                      ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
+-                      if [ $? -eq 0 ]; then
+-                              src=${_src}
+-                              break
+-                      fi
+-              done
+-
+-              if [ -n "${src}" ]; then
+-                      iptables --wait -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
+-                      logger -t $TAG -p $FAC_PRIO \
+-                              "snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
+-              else
+-                      logger -t $TAG -p $FAC_PRIO \
+-                              "Cannot create NAT rule because no IP of the IPFire does match the subnet. $PLUTO_MY_CLIENT"
+-              fi
+-      fi
+-
+-      # Flush routing cache
+-      ip route flush cache
+       ;;
+ down-client:iptables)
+       # connection to client subnet, with (left/right)firewall=yes, going down
+@@ -487,28 +426,6 @@
+           logger -t $TAG -p $FAC_PRIO \
+             "tunnel- $PLUTO_PEER -- $PLUTO_ME"
+       fi
+-
+-      # remove source nat
+-      eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
+-      for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
+-              ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
+-              if [ $? -eq 0 ]; then
+-                      src=${_src}
+-                      break
+-              fi
+-      done
+-
+-      if [ -n "${src}" ]; then
+-              iptables --wait -t nat -D IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
+-              logger -t $TAG -p $FAC_PRIO \
+-                      "snat- $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
+-      else
+-              logger -t $TAG -p $FAC_PRIO \
+-                      "Cannot remove NAT rule because no IP of the IPFire does match the subnet."
+-      fi
+-
+-      # Flush routing cache
+-      ip route flush cache
+       ;;
+ #
+ # IPv6
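Review bot: The new patch file has no description of what it reverts or why, so a reader of lfs/strongswan sees only the name `strongswan-ipfire-revert.patch`. Its hunks remove the IPFire-specific SNAT handling from _updown (the `iptables --wait -t nat -A/-D IPSECNAT ... -j SNAT` rules together with the `/var/ipfire/vpn/config` lookup and the `ip route flush cache` calls); the only replacement visible in this commit is the route installation with `src` in src/scripts/ipsec-interfaces, which appears to select a source address for the gateway's own traffic but is not a NAT, so the behavioural difference for anything that relied on the SNAT rule should be stated. I would add free text above the first `---` line, which patch(1) skips, e.g. `Drop the IPFire SNAT handling from _updown; source address selection for IPsec traffic is now done by src/scripts/ipsec-interfaces via a dedicated routing table.`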
index cb55fdf..2546f89 100644 (file)
@@ -23,9 +23,19 @@ shopt -s nullglob
 
 VPN_CONFIG="/var/ipfire/vpn/config"
 
+ROUTE_TABLE="220"
+ROUTE_TABLE_PRIO="128"
+
 eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
 eval $(/usr/local/bin/readhash /var/ipfire/vpn/settings)
 
+# Get RED interface name
+if [ -r "/var/ipfire/red/iface" ]; then
+       RED_INTF="$(</var/ipfire/red/iface)"
+else
+       RED_INTF="red0"
+fi
+
 VARS=(
        id status name lefthost type ctype psk local local_id leftsubnets
        remote_id remote rightsubnets x3 x4 x5 x6 x7 x8 x9 x10 x11 x12
@@ -43,6 +53,52 @@ resolve_hostname() {
        dig +short A "${hostname}" | tail -n1
 }
 
+ip_encode() {
+       local address="${1}"
+
+       local int=0
+       for field in ${address//./ }; do
+               int=$(( $(( ${int} << 8 )) | ${field} ))
+       done
+
+       echo ${int}
+}
+
+function ip_in_subnet() {
+       local address="${1}"
+       local subnet="${2}"
+
+       local netmask="${subnet#*/}"
+
+       # Convert netmask to prefix if necessary
+       case "${netmask}" in
+               [0-9]+)
+                       ;;
+               *)
+                       netmask="$(netmask2prefix "${netmask}")"
+                       ;;
+       esac
+
+       local vlsm=$(( -1 << $(( 32 - ${netmask} )) ))
+
+       [ "$(( $(ip_encode "${address}") & ${vlsm} ))" -eq "$(( $(ip_encode "${subnet%/*}") & ${vlsm} ))" ]
+}
+
+netmask2prefix() {
+       local netmask="${1}"
+       local mask="$(ip_encode "${netmask}")"
+
+       local cidr=0
+       local x="$(( 128 << 24 ))" # 0x80000000
+
+       while [ $(( ${x} & ${mask} )) -ne 0 ]; do
+               [ ${mask} -eq ${x} ] && mask=0 || mask=$(( ${mask} << 1 ))
+               cidr=$(( ${cidr} + 1 ))
+       done
+
+       echo "${cidr}"
+}
+
 main() {
        # Register local variables
        local "${VARS[@]}"
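Review bot: The case pattern `[0-9]+)` in ip_in_subnet is a shell glob, not a regex: it matches exactly one digit followed by a literal `+`, so a plain prefix such as `24` falls through to the `*)` branch and is handed to netmask2prefix, which treats it as a dotted quad (ip_encode returns 24, no high bit set) and yields 0; `-1 << 32` then has no bits in the low 32 under bash's 64-bit arithmetic and both sides of the comparison are 0, so every address matches any prefix-notation subnet. Whether the stored leftsubnets use prefix or dotted-mask notation is not visible here, but the helper should be correct for both: change the pattern to `[0-9]|[0-9][0-9])` (or test with `[[ "${netmask}" =~ ^[0-9]+$ ]]` before calling netmask2prefix). As a point of style, `function ip_in_subnet()` mixes the `function` keyword with the bare `name()` form used by the neighbouring ip_encode and netmask2prefix; one form throughout reads better.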
@@ -50,8 +106,17 @@ main() {
 
        local interfaces=()
 
+       # Flush IPsec routes
+       ip route flush table "${ROUTE_TABLE}"
+
+       # Remove lookups
+       ip rule del lookup "${ROUTE_TABLE}"
+
        # We are done when IPsec is not enabled
        if [ "${ENABLED}" = "on" ]; then
+               # Enable route table lookup
+               ip rule add lookup "${ROUTE_TABLE}" prio "${ROUTE_TABLE_PRIO}"
+
                while IFS="," read -r "${VARS[@]}"; do
                        # Check if the connection is enabled
                        [ "${status}" = "on" ] || continue
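Review bot: `ip route flush table "${ROUTE_TABLE}"` with ROUTE_TABLE=220 operates on the routing table that strongSwan's charon manages by default (charon.routing_table defaults to 220, with its own rule at priority 220), so unless route installation is disabled in strongswan.conf this flush also drops routes charon installed for live tunnels; that setting should be confirmed, or a table number reserved for this script used. `ip rule del lookup "${ROUTE_TABLE}"` removes only one matching rule and prints an RTNETLINK error when none exists, while the add in the `ENABLED` branch is unconditional, so an interrupted earlier run leaves a duplicate rule behind; `while ip rule del lookup "${ROUTE_TABLE}" 2>/dev/null; do :; done` clears all of them quietly. main() begins outside this hunk.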
@@ -65,6 +130,38 @@ main() {
                                        local intf="${interface_mode}${id}"
                                        ;;
                                *)
+                                       # Install routes
+                                       local address
+
+                                       local _address
+                                       for _address in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
+                                               local leftsubnet
+                                               for leftsubnet in ${leftsubnets//\|/ }; do
+                                                       if ip_in_subnet "${_address}" "${leftsubnet}"; then
+                                                               address="${_address}"
+                                                               break
+                                                       fi
+                                               done
+
+                                               # End loop when address is set
+                                               [ -n "${address}" ] && break
+                                       done
+
+                                       local rightsubnet
+                                       for rightsubnet in ${rightsubnets//\|/ }; do
+                                               # Ignore default
+                                               case "${rightsubnet}" in
+                                                       0.0.0.0/*)
+                                                               continue
+                                                               ;;
+                                               esac
+
+                                               log "Creating route to ${rightsubnet} (via ${address} and ${RED_INTF})"
+                                               ip route add table "${ROUTE_TABLE}" "${rightsubnet}" proto static \
+                                                       dev "${RED_INTF}" src "${address}"
+                                       done
+
+                                       # No interface processing required
                                        continue
                                        ;;
                        esac
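Review bot: `local address` in the `*)` branch is declared without an assignment inside the per-connection loop; bash's `local` does not clear a variable that is already local to main(), so an `address` found for one connection appears to carry over into the next connection whose leftsubnets match no local interface, and its routes would be installed with the wrong source address. Conversely, when no connection matched at all, `ip route add ... src ""` fails and the log line reports `via  and red0`. I would use `local address=""` and, before the rightsubnet loop, `[ -n "${address}" ] || { log "No local address matches leftsubnets of ${name}, not installing routes"; continue; }`. If two connections share a rightsubnet the second `ip route add` fails with "File exists"; `ip route replace` avoids that if the last writer winning is acceptable. main() begins outside this hunk.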