Rene Zingel <linuxadmin@ea5c0bd1-69bd-2848-81d8-4f18e57aeed8>
Ronald Wiesinger <rowie@ipfire.org>
Stéphane Pautrel <steph78630@gmail.com>
+Erik Kapfer <ummeegge@ipfire.org>
--- /dev/null
+/etc/sudoers.d/zabbix.user
+/etc/zabbix_agentd/*
nut:x:115:
cdrom:x:116:
usb:x:117:
+zabbix:x:118:
samba:x:1000:
cyrus:x:111:12:Cyrus user:/usr/cyrus:
filter:x:112:12:Spam user:/home/filter:/bin/false
asterisk:x:114:114:Asterisk user:/var/empty:/bin/false
+zabbix:x:118:118:Zabbix Monitoring:/var/empty:/bin/false
samba:x:1000:1000:Samba User:/var/empty:/bin/false
net.ipv4.tcp_wmem = 4096 16384 16777216
net.ipv4.udp_mem = 3145728 4194304 16777216
-# Approximate time in us to busy loop waiting for packets on the device queue
-net.core.busy_read=50
-net.core.busy_poll=50
-
# Enable TCP fast-open
net.ipv4.tcp_fastopen = 3
}
}
}
+sub get_ipsec_id {
+ my $val = shift;
+
+ foreach my $key (keys %ipsecconf) {
+ if ($ipsecconf{$key}[1] eq $val) {
+ return $key;
+ }
+ }
+}
sub get_ovpn_n2n_ip
{
my $val=shift;
my @parts = split(/\|/, $value);
push(@ret, [$parts[1], ""]);
}else{
- my $network_address = &get_ipsec_net_ip($value, 11);
- my @nets = split(/\|/, $network_address);
- foreach my $net (@nets) {
- push(@ret, [$net, ""]);
+ my $interface_mode = &get_ipsec_net_ip($value, 36);
+ if ($interface_mode ~~ ["gre", "vti"]) {
+ my $id = &get_ipsec_id($value);
+ push(@ret, ["0.0.0.0/0", "${interface_mode}${id}"]);
+ } else {
+ my $network_address = &get_ipsec_net_ip($value, 11);
+ my @nets = split(/\|/, $network_address);
+ foreach my $net (@nets) {
+ push(@ret, [$net, ""]);
+ }
}
}
VPN_CONFIG="/var/ipfire/vpn/config"
+eval $(/usr/local/bin/readhash /var/ipfire/vpn/settings)
+
+VARS=(
+ id status name lefthost type ctype psk local local_id leftsubnets
+ remote_id remote rightsubnets x3 x4 x5 x6 x7 x8 x9 x10 x11 x12
+ x13 x14 x15 x16 x17 x18 x19 proto x20 x21 x22
+ route x23 mode interface_mode interface_address interface_mtu rest
+)
+
block_subnet() {
local subnet="${1}"
local action="${2}"
return 0
}
-block_ipsec() {
- # Flush all exists rules
+install_policy() {
+ # Flush existing rules
+ iptables -F IPSECINPUT
+ iptables -F IPSECOUTPUT
iptables -F IPSECBLOCK
- local action
+ # We are done when IPsec is not enabled
+ [ "${ENABLED}" = "on" ] || exit 0
- local vars="id status name lefthost type ctype x1 x2 x3 leftsubnets"
- vars="${vars} x4 righthost rightsubnets x5 x6 x7 x8 x9 x10 x11 x12"
- vars="${vars} x13 x14 x15 x16 x17 x18 x19 x20 x21 proto x22 x23 x24"
- vars="${vars} route rest"
+ # IKE
+ iptables -A IPSECINPUT -p udp --dport 500 -j ACCEPT
+ iptables -A IPSECOUTPUT -p udp --dport 500 -j ACCEPT
+
+ # IKE NAT
+ iptables -A IPSECINPUT -p udp --dport 4500 -j ACCEPT
+ iptables -A IPSECOUTPUT -p udp --dport 4500 -j ACCEPT
# Register local variables
- local ${vars}
+ local "${VARS[@]}"
+ local action
- while IFS="," read -r ${vars}; do
+ while IFS="," read -r "${VARS[@]}"; do
# Check if the connection is enabled
[ "${status}" = "on" ] || continue
# Check if this a net-to-net connection
[ "${type}" = "net" ] || continue
+ # Default local to 0.0.0.0/0
+ if [ "${local}" = "" -o "${local}" = "off" ]; then
+ local="0.0.0.0/0"
+ fi
+
+ # Install permissions for GRE traffic
+ case "${interface_mode}" in
+ gre)
+ if [ -n "${remote}" ]; then
+ iptables -A IPSECINPUT -p gre \
+ -s "${remote}" -d "${local}" -j ACCEPT
+
+ iptables -A IPSECOUTPUT -p gre \
+ -s "${local}" -d "${remote}" -j ACCEPT
+ fi
+ ;;
+ esac
+
+ # Install firewall rules only for interfaces without interface
+ [ -n "${interface_mode}" ] && continue
+
# Split multiple subnets
rightsubnets="${rightsubnets//\|/ }"
done < "${VPN_CONFIG}"
}
-block_ipsec || exit $?
+install_policy || exit $?
#usr/bin/objcopy
#usr/bin/objdump
#usr/bin/ranlib
-#usr/bin/readelf
+usr/bin/readelf
#usr/bin/size
-#usr/bin/strings
+usr/bin/strings
#usr/bin/strip
#usr/include/ansidecl.h
#usr/include/bfd.h
#usr/lib
usr/lib/firewall
usr/lib/firewall/firewall-lib.pl
-usr/lib/firewall/ipsec-block
+usr/lib/firewall/ipsec-policy
usr/lib/firewall/rules.pl
#usr/lib/libgcc_s.so
usr/lib/libgcc_s.so.1
usr/local/bin/consort.sh
usr/local/bin/convert-ovpn
usr/local/bin/hddshutdown
+usr/local/bin/ipsec-interfaces
usr/local/bin/makegraphs
usr/local/bin/qosd
usr/local/bin/readhash
#usr/bin/objcopy
#usr/bin/objdump
#usr/bin/ranlib
-#usr/bin/readelf
+usr/bin/readelf
#usr/bin/size
-#usr/bin/strings
+usr/bin/strings
#usr/bin/strip
#usr/include/ansidecl.h
#usr/include/bfd.h
#usr/lib/libbind9.la
#usr/lib/libbind9.so
usr/lib/libbind9.so.161
-usr/lib/libbind9.so.161.0.0
+usr/lib/libbind9.so.161.0.1
#usr/lib/libdns.la
#usr/lib/libdns.so
-usr/lib/libdns.so.1104
-usr/lib/libdns.so.1104.0.1
+usr/lib/libdns.so.1105
+usr/lib/libdns.so.1105.0.0
#usr/lib/libisc.la
#usr/lib/libisc.so
usr/lib/libisc.so.1100
-usr/lib/libisc.so.1100.0.0
+usr/lib/libisc.so.1100.0.1
#usr/lib/libisccc.la
#usr/lib/libisccc.so
usr/lib/libisccc.so.161
-usr/lib/libisccc.so.161.0.0
+usr/lib/libisccc.so.161.0.1
#usr/lib/libisccfg.la
#usr/lib/libisccfg.so
usr/lib/libisccfg.so.163
-usr/lib/libisccfg.so.163.0.0
+usr/lib/libisccfg.so.163.0.1
#usr/lib/liblwres.la
#usr/lib/liblwres.so
usr/lib/liblwres.so.161
-usr/lib/liblwres.so.161.0.0
+usr/lib/liblwres.so.161.0.1
#usr/share/man/man1/dig.1
#usr/share/man/man1/host.1
#usr/share/man/man1/nslookup.1
#usr/bin/objcopy
#usr/bin/objdump
#usr/bin/ranlib
-#usr/bin/readelf
+usr/bin/readelf
#usr/bin/size
-#usr/bin/strings
+usr/bin/strings
#usr/bin/strip
#usr/include/ansidecl.h
#usr/include/bfd.h
#usr/include/libipset/args.h
#usr/include/libipset/data.h
#usr/include/libipset/errcode.h
+#usr/include/libipset/ipset.h
#usr/include/libipset/linux_ip_set.h
#usr/include/libipset/linux_ip_set_bitmap.h
#usr/include/libipset/linux_ip_set_hash.h
#usr/include/libipset/session.h
#usr/include/libipset/transport.h
#usr/include/libipset/types.h
-#usr/include/libipset/ui.h
#usr/include/libipset/utils.h
#usr/lib/libipset.la
#usr/lib/libipset.so
-usr/lib/libipset.so.11
-usr/lib/libipset.so.11.1.0
+usr/lib/libipset.so.13
+usr/lib/libipset.so.13.1.0
#usr/lib/pkgconfig/libipset.pc
usr/sbin/ipset
+#usr/share/man/man3/libipset.3
#usr/share/man/man8/ipset.8
#lib/libxtables.la
lib/libxtables.so
lib/libxtables.so.12
-lib/libxtables.so.12.0.0
+lib/libxtables.so.12.2.0
#lib/xtables
-lib/xtables/libebt_802_3.so
-lib/xtables/libebt_ip.so
-lib/xtables/libebt_log.so
-lib/xtables/libebt_mark_m.so
lib/xtables/libip6t_DNAT.so
lib/xtables/libip6t_DNPT.so
lib/xtables/libip6t_HL.so
lib/xtables/libxt_length.so
lib/xtables/libxt_limit.so
lib/xtables/libxt_mac.so
-lib/xtables/libxt_mangle.so
lib/xtables/libxt_mark.so
lib/xtables/libxt_multiport.so
lib/xtables/libxt_nfacct.so
lib/xtables/libxt_u32.so
lib/xtables/libxt_udp.so
sbin/ip6tables
+#sbin/ip6tables-legacy
+#sbin/ip6tables-legacy-restore
+#sbin/ip6tables-legacy-save
sbin/ip6tables-restore
sbin/ip6tables-save
sbin/iptables
+#sbin/iptables-legacy
+#sbin/iptables-legacy-restore
+#sbin/iptables-legacy-save
sbin/iptables-restore
sbin/iptables-save
sbin/iptables-xml
#sbin/nfnl_osf
-sbin/xtables-multi
+sbin/xtables-legacy-multi
#usr/include/libipq.h
#usr/include/libiptc
#usr/include/libiptc/ipt_kernel_headers.h
#usr/share/man/man8/iptables-save.8
#usr/share/man/man8/iptables.8
#usr/share/man/man8/nfnl_osf.8
+#usr/share/man/man8/xtables-legacy.8
+#usr/share/man/man8/xtables-monitor.8
+#usr/share/man/man8/xtables-nft.8
+#usr/share/man/man8/xtables-translate.8
#usr/share/xtables
usr/share/xtables/pf.os
#usr/lib/libgcrypt.la
#usr/lib/libgcrypt.so
usr/lib/libgcrypt.so.20
-usr/lib/libgcrypt.so.20.2.3
+usr/lib/libgcrypt.so.20.2.4
#usr/share/aclocal/libgcrypt.m4
#usr/share/info/gcrypt.info
#usr/share/info/gcrypt.info-1
#usr/share/doc/openssl/html/man3/OPENSSL_INIT_free.html
#usr/share/doc/openssl/html/man3/OPENSSL_INIT_new.html
#usr/share/doc/openssl/html/man3/OPENSSL_INIT_set_config_appname.html
+#usr/share/doc/openssl/html/man3/OPENSSL_INIT_set_config_file_flags.html
+#usr/share/doc/openssl/html/man3/OPENSSL_INIT_set_config_filename.html
#usr/share/doc/openssl/html/man3/OPENSSL_LH_COMPFUNC.html
#usr/share/doc/openssl/html/man3/OPENSSL_LH_DOALL_FUNC.html
#usr/share/doc/openssl/html/man3/OPENSSL_LH_HASHFUNC.html
#usr/share/man/man3/OPENSSL_INIT_free.3
#usr/share/man/man3/OPENSSL_INIT_new.3
#usr/share/man/man3/OPENSSL_INIT_set_config_appname.3
+#usr/share/man/man3/OPENSSL_INIT_set_config_file_flags.3
+#usr/share/man/man3/OPENSSL_INIT_set_config_filename.3
#usr/share/man/man3/OPENSSL_LH_COMPFUNC.3
#usr/share/man/man3/OPENSSL_LH_DOALL_FUNC.3
#usr/share/man/man3/OPENSSL_LH_HASHFUNC.3
#usr/share/man/man7/passphrase-encoding.7
#usr/share/man/man7/scrypt.7
#usr/share/man/man7/ssl.7
-#usr/share/man/man7/x509.7
\ No newline at end of file
+#usr/share/man/man7/x509.7
#usr/lib
usr/lib/firewall
usr/lib/firewall/firewall-lib.pl
-usr/lib/firewall/ipsec-block
+usr/lib/firewall/ipsec-policy
usr/lib/firewall/rules.pl
#usr/lib/libgcc_s.so
usr/lib/libgcc_s.so.1
usr/local/bin/consort.sh
usr/local/bin/convert-ovpn
usr/local/bin/hddshutdown
+usr/local/bin/ipsec-interfaces
usr/local/bin/makegraphs
usr/local/bin/qosd
usr/local/bin/readhash
#usr/lib/libunbound.la
#usr/lib/libunbound.so
usr/lib/libunbound.so.8
-usr/lib/libunbound.so.8.0.3
+usr/lib/libunbound.so.8.1.0
#usr/lib/pkgconfig/libunbound.pc
usr/sbin/unbound
usr/sbin/unbound-anchor
#usr/bin/objcopy
#usr/bin/objdump
#usr/bin/ranlib
-#usr/bin/readelf
+usr/bin/readelf
#usr/bin/size
-#usr/bin/strings
+usr/bin/strings
#usr/bin/strip
#usr/include/ansidecl.h
#usr/include/bfd.h
#usr/lib
usr/lib/firewall
usr/lib/firewall/firewall-lib.pl
-usr/lib/firewall/ipsec-block
+usr/lib/firewall/ipsec-policy
usr/lib/firewall/rules.pl
#usr/lib/libgcc_s.so
usr/lib/libgcc_s.so.1
usr/local/bin/consort.sh
usr/local/bin/convert-ovpn
usr/local/bin/hddshutdown
+usr/local/bin/ipsec-interfaces
usr/local/bin/makegraphs
usr/local/bin/qosd
usr/local/bin/readhash
--- /dev/null
+boot/config.txt
+boot/grub/grub.cfg
+boot/grub/grubenv
+etc/alternatives
+etc/collectd.custom
+etc/default/grub
+etc/ipsec.conf
+etc/ipsec.secrets
+etc/ipsec.user.conf
+etc/ipsec.user.secrets
+etc/localtime
+etc/shadow
+etc/snort/snort.conf
+etc/ssl/openssl.cnf
+etc/sudoers
+etc/sysconfig/firewall.local
+etc/sysconfig/rc.local
+etc/udev/rules.d/30-persistent-network.rules
+srv/web/ipfire/html/proxy.pac
+var/ipfire/dma
+var/ipfire/time
+var/ipfire/ovpn
+var/lib/alternatives
+var/log/cache
+var/log/dhcpcd.log
+var/log/messages
+var/state/dhcp/dhcpd.leases
+var/updatecache
--- /dev/null
+../../../common/bind
\ No newline at end of file
--- /dev/null
+etc/system-release
+etc/issue
+var/ipfire/langs
+etc/rc.d/init.d/firewall
+etc/rc.d/init.d/network
+etc/rc.d/init.d/networking/red.up/50-ipsec
+srv/web/ipfire/cgi-bin/credits.cgi
+srv/web/ipfire/cgi-bin/index.cgi
+srv/web/ipfire/cgi-bin/netovpnsrv.cgi
+srv/web/ipfire/cgi-bin/proxy.cgi
+srv/web/ipfire/cgi-bin/vpnmain.cgi
+usr/bin/readelf
+usr/bin/strings
+usr/lib/firewall/firewall-lib.pl
+usr/lib/firewall/ipsec-policy
+usr/local/bin/ipsec-interfaces
+usr/local/bin/ipsecctrl
--- /dev/null
+../../../common/ipset
\ No newline at end of file
--- /dev/null
+../../../common/less
\ No newline at end of file
--- /dev/null
+../../../common/libgcrypt
\ No newline at end of file
--- /dev/null
+../../../common/openvpn
\ No newline at end of file
--- /dev/null
+../../../common/squid
\ No newline at end of file
--- /dev/null
+../../../common/tar
\ No newline at end of file
--- /dev/null
+../../../common/unbound
\ No newline at end of file
--- /dev/null
+../../../common/wpa_supplicant
\ No newline at end of file
--- /dev/null
+#!/bin/bash
+############################################################################
+# #
+# This file is part of the IPFire Firewall. #
+# #
+# IPFire is free software; you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation; either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# IPFire is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with IPFire; if not, write to the Free Software #
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
+# #
+# Copyright (C) 2019 IPFire-Team <info@ipfire.org>. #
+# #
+############################################################################
+#
+. /opt/pakfire/lib/functions.sh
+/usr/local/bin/backupctrl exclude >/dev/null 2>&1
+
+core=129
+
+# Remove old core updates from pakfire cache to save space...
+for (( i=1; i<=$core; i++ )); do
+ rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire
+done
+
+# Stop services
+/etc/init.d/squid stop
+/usr/local/bin/openvpnctrl -k
+/usr/local/bin/openvpnctrl -kn2n
+/usr/local/bin/ipsecctrl D
+/etc/init.d/unbound stop
+
+# Remove files
+rm -vf \
+ /usr/lib/firewall/ipsec-block
+
+# Extract files
+extract_files
+
+# update linker config
+ldconfig
+
+# Update Language cache
+/usr/local/bin/update-lang-cache
+
+# Start services
+/etc/init.d/firewall restart
+/etc/init.d/unbound start
+/usr/local/bin/ipsecctrl S
+/usr/local/bin/openvpnctrl -s
+/usr/local/bin/openvpnctrl -sn2n
+/etc/init.d/squid start
+
+# This update needs a reboot...
+#touch /var/run/need_reboot
+
+# Finish
+/etc/init.d/fireinfo start
+sendprofile
+
+# Update grub config to display new core version
+if [ -e /boot/grub/grub.cfg ]; then
+ grub-mkconfig -o /boot/grub/grub.cfg
+fi
+
+sync
+
+# Don't report the exitcode last command
+exit 0
--- /dev/null
+../../../../common/i586/openssl-sse2
\ No newline at end of file
--- /dev/null
+../../../common/openssl
\ No newline at end of file
--- /dev/null
+../../../common/strongswan
\ No newline at end of file
+etc/rc.d/init.d/netsnmpd
etc/rc.d/rc0.d/K02netsnmpd
etc/rc.d/rc3.d/S65netsnmpd
etc/rc.d/rc6.d/K02netsnmpd
etc/snmpd.conf
usr/bin/agentxtrap
+usr/bin/checkbandwidth
usr/bin/encode_keychange
usr/bin/fixproc
usr/bin/ipf-mod.pl
usr/bin/snmpgetnext
usr/bin/snmpinform
usr/bin/snmpnetstat
+usr/bin/snmppcap
+usr/bin/snmpping
+usr/bin/snmpps
usr/bin/snmpset
usr/bin/snmpstatus
usr/bin/snmptable
usr/bin/snmptest
+usr/bin/snmptop
usr/bin/snmptranslate
usr/bin/snmptrap
usr/bin/snmpusm
#usr/include/net-snmp/agent/mode_end_call.h
#usr/include/net-snmp/agent/multiplexer.h
#usr/include/net-snmp/agent/net-snmp-agent-includes.h
+#usr/include/net-snmp/agent/netsnmp_close_fds.h
#usr/include/net-snmp/agent/null.h
#usr/include/net-snmp/agent/old_api.h
#usr/include/net-snmp/agent/read_only.h
#usr/include/net-snmp/library/md5.h
#usr/include/net-snmp/library/mib.h
#usr/include/net-snmp/library/mt_support.h
+#usr/include/net-snmp/library/netsnmp-attribute-format.h
#usr/include/net-snmp/library/oid.h
#usr/include/net-snmp/library/oid_stash.h
#usr/include/net-snmp/library/parse.h
#usr/include/net-snmp/library/snmpAliasDomain.h
#usr/include/net-snmp/library/snmpCallbackDomain.h
#usr/include/net-snmp/library/snmpIPv4BaseDomain.h
+#usr/include/net-snmp/library/snmpIPv6BaseDomain.h
#usr/include/net-snmp/library/snmpSocketBaseDomain.h
#usr/include/net-snmp/library/snmpTCPBaseDomain.h
#usr/include/net-snmp/library/snmpTCPDomain.h
+#usr/include/net-snmp/library/snmpTCPIPv6Domain.h
#usr/include/net-snmp/library/snmpUDPBaseDomain.h
#usr/include/net-snmp/library/snmpUDPDomain.h
#usr/include/net-snmp/library/snmpUDPIPv4BaseDomain.h
+#usr/include/net-snmp/library/snmpUDPIPv6Domain.h
#usr/include/net-snmp/library/snmpUnixDomain.h
#usr/include/net-snmp/library/snmp_alarm.h
#usr/include/net-snmp/library/snmp_api.h
#usr/include/net-snmp/system/cygwin.h
#usr/include/net-snmp/system/darwin.h
#usr/include/net-snmp/system/darwin10.h
+#usr/include/net-snmp/system/darwin11.h
+#usr/include/net-snmp/system/darwin12.h
+#usr/include/net-snmp/system/darwin13.h
+#usr/include/net-snmp/system/darwin14.h
+#usr/include/net-snmp/system/darwin15.h
+#usr/include/net-snmp/system/darwin16.h
+#usr/include/net-snmp/system/darwin17.h
#usr/include/net-snmp/system/darwin7.h
#usr/include/net-snmp/system/darwin8.h
#usr/include/net-snmp/system/darwin9.h
#usr/include/net-snmp/system/generic.h
#usr/include/net-snmp/system/hpux.h
#usr/include/net-snmp/system/irix.h
+#usr/include/net-snmp/system/kfreebsd.h
#usr/include/net-snmp/system/linux.h
#usr/include/net-snmp/system/mingw32.h
+#usr/include/net-snmp/system/mingw32msvc.h
#usr/include/net-snmp/system/mips.h
#usr/include/net-snmp/system/netbsd.h
+#usr/include/net-snmp/system/nto-qnx6.h
#usr/include/net-snmp/system/openbsd.h
#usr/include/net-snmp/system/openbsd4.h
#usr/include/net-snmp/system/openbsd5.h
+#usr/include/net-snmp/system/openbsd6.h
#usr/include/net-snmp/system/osf5.h
#usr/include/net-snmp/system/solaris.h
#usr/include/net-snmp/system/solaris2.3.h
#usr/include/net-snmp/version.h
#usr/lib/libnetsnmp.a
#usr/lib/libnetsnmp.la
-usr/lib/libnetsnmp.so
-usr/lib/libnetsnmp.so.30
-usr/lib/libnetsnmp.so.30.0.3
+#usr/lib/libnetsnmp.so
+usr/lib/libnetsnmp.so.35
+usr/lib/libnetsnmp.so.35.0.0
#usr/lib/libnetsnmpagent.a
#usr/lib/libnetsnmpagent.la
-usr/lib/libnetsnmpagent.so
-usr/lib/libnetsnmpagent.so.30
-usr/lib/libnetsnmpagent.so.30.0.3
+#usr/lib/libnetsnmpagent.so
+usr/lib/libnetsnmpagent.so.35
+usr/lib/libnetsnmpagent.so.35.0.0
#usr/lib/libnetsnmphelpers.a
#usr/lib/libnetsnmphelpers.la
-usr/lib/libnetsnmphelpers.so
-usr/lib/libnetsnmphelpers.so.30
-usr/lib/libnetsnmphelpers.so.30.0.3
+#usr/lib/libnetsnmphelpers.so
+usr/lib/libnetsnmphelpers.so.35
+usr/lib/libnetsnmphelpers.so.35.0.0
#usr/lib/libnetsnmpmibs.a
#usr/lib/libnetsnmpmibs.la
-usr/lib/libnetsnmpmibs.so
-usr/lib/libnetsnmpmibs.so.30
-usr/lib/libnetsnmpmibs.so.30.0.3
+#usr/lib/libnetsnmpmibs.so
+usr/lib/libnetsnmpmibs.so.35
+usr/lib/libnetsnmpmibs.so.35.0.0
#usr/lib/libnetsnmptrapd.a
#usr/lib/libnetsnmptrapd.la
-usr/lib/libnetsnmptrapd.so
-usr/lib/libnetsnmptrapd.so.30
-usr/lib/libnetsnmptrapd.so.30.0.3
+#usr/lib/libnetsnmptrapd.so
+usr/lib/libnetsnmptrapd.so.35
+usr/lib/libnetsnmptrapd.so.35.0.0
#usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/Bundle
-#usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/Bundle/Makefile.subs.pl
+usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/Bundle/MakefileSubs.pm
#usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/NetSNMP
usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/NetSNMP/ASN.pm
usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/NetSNMP/OID.pm
#usr/share/man/man1/snmpgetnext.1
#usr/share/man/man1/snmpinform.1
#usr/share/man/man1/snmpnetstat.1
+#usr/share/man/man1/snmpps.1
#usr/share/man/man1/snmpset.1
#usr/share/man/man1/snmpstatus.1
#usr/share/man/man1/snmptable.1
#usr/share/man/man1/snmptest.1
+#usr/share/man/man1/snmptop.1
#usr/share/man/man1/snmptranslate.1
#usr/share/man/man1/snmptrap.1
#usr/share/man/man1/snmpusm.1
#usr/share/man/man5/variables.5
#usr/share/man/man8/snmpd.8
#usr/share/man/man8/snmptrapd.8
-usr/share/snmp
-usr/share/snmp/mib2c-data
+#usr/share/snmp
+#usr/share/snmp/mib2c-data
usr/share/snmp/mib2c-data/default-mfd-top.m2c
usr/share/snmp/mib2c-data/details-enums.m2i
usr/share/snmp/mib2c-data/details-node.m2i
usr/share/snmp/mib2c.mfd.conf
usr/share/snmp/mib2c.notify.conf
usr/share/snmp/mib2c.old-api.conf
+usr/share/snmp/mib2c.org-mode.conf
usr/share/snmp/mib2c.perl.conf
usr/share/snmp/mib2c.raw-table.conf
usr/share/snmp/mib2c.scalar.conf
usr/share/snmp/mib2c.table_data.conf
-usr/share/snmp/mibs
+#usr/share/snmp/mibs
usr/share/snmp/mibs/AGENTX-MIB.txt
usr/share/snmp/mibs/BRIDGE-MIB.txt
usr/share/snmp/mibs/DISMAN-EVENT-MIB.txt
usr/share/snmp/mibs/SNMP-USER-BASED-SM-MIB.txt
usr/share/snmp/mibs/SNMP-USM-AES-MIB.txt
usr/share/snmp/mibs/SNMP-USM-DH-OBJECTS-MIB.txt
+usr/share/snmp/mibs/SNMP-USM-HMAC-SHA2-MIB.txt
usr/share/snmp/mibs/SNMP-VIEW-BASED-ACM-MIB.txt
usr/share/snmp/mibs/SNMPv2-CONF.txt
usr/share/snmp/mibs/SNMPv2-MIB.txt
usr/share/snmp/mibs/UDP-MIB.txt
usr/share/snmp/snmp_perl.pl
usr/share/snmp/snmp_perl_trapd.pl
-usr/share/snmp/snmpconf-data
-usr/share/snmp/snmpconf-data/snmp-data
+#usr/share/snmp/snmpconf-data
+#usr/share/snmp/snmpconf-data/snmp-data
usr/share/snmp/snmpconf-data/snmp-data/authopts
usr/share/snmp/snmpconf-data/snmp-data/debugging
usr/share/snmp/snmpconf-data/snmp-data/mibs
usr/share/snmp/snmpconf-data/snmp-data/output
usr/share/snmp/snmpconf-data/snmp-data/snmpconf-config
-usr/share/snmp/snmpconf-data/snmpd-data
+#usr/share/snmp/snmpconf-data/snmpd-data
usr/share/snmp/snmpconf-data/snmpd-data/acl
usr/share/snmp/snmpconf-data/snmpd-data/basic_setup
usr/share/snmp/snmpconf-data/snmpd-data/extending
usr/share/snmp/snmpconf-data/snmpd-data/snmpconf-config
usr/share/snmp/snmpconf-data/snmpd-data/system
usr/share/snmp/snmpconf-data/snmpd-data/trapsinks
-usr/share/snmp/snmpconf-data/snmptrapd-data
+#usr/share/snmp/snmpconf-data/snmptrapd-data
usr/share/snmp/snmpconf-data/snmptrapd-data/authentication
usr/share/snmp/snmpconf-data/snmptrapd-data/formatting
usr/share/snmp/snmpconf-data/snmptrapd-data/logging
usr/share/snmp/snmpconf-data/snmptrapd-data/runtime
usr/share/snmp/snmpconf-data/snmptrapd-data/snmpconf-config
usr/share/snmp/snmpconf-data/snmptrapd-data/traphandle
-var/ipfire/backup/addons/includes/netsnmpd
-etc/rc.d/init.d/netsnmpd
+var/ipfire/backup/addons/includes/netsnmpd
\ No newline at end of file
usr/lib/postfix/postfix-script
usr/lib/postfix/postfix-tls-script
usr/lib/postfix/postfix-wrapper
+usr/lib/postfix/postlogd
usr/lib/postfix/postmulti-script
usr/lib/postfix/postscreen
usr/lib/postfix/proxymap
#usr/share/man/man8/oqmgr.8
#usr/share/man/man8/pickup.8
#usr/share/man/man8/pipe.8
+#usr/share/man/man8/postlogd.8
#usr/share/man/man8/postscreen.8
#usr/share/man/man8/proxymap.8
#usr/share/man/man8/qmgr.8
--- /dev/null
+usr/sbin/spectre-meltdown-checker
--- /dev/null
+etc/logrotate.d/zabbix_agentd
+etc/rc.d/init.d/zabbix_agentd
+etc/sudoers.d/zabbix.user
+etc/zabbix_agentd
+etc/zabbix_agentd/scripts
+etc/zabbix_agentd/zabbix_agentd.conf
+etc/zabbix_agentd/zabbix_agentd.d
+usr/bin/zabbix_get
+usr/bin/zabbix_sender
+usr/lib/modules
+usr/lib/zabbix
+usr/sbin/zabbix_agentd
+#usr/share/man/man1/zabbix_get.1
+#usr/share/man/man1/zabbix_sender.1
+#usr/share/man/man8/zabbix_agentd.8
+var/ipfire/backup/addons/includes/zabbix_agentd
+#var/log/zabbix
# Install routes into a separate routing table for established IPsec
# tunnels.
- # install_routes = yes
+ install_routes = no
# Install virtual IP addresses.
# install_virtual_ip = yes
--- /dev/null
+/var/log/zabbix/zabbix_agentd.log {
+ monthly
+ rotate 12
+ compress
+ delaycompress
+ missingok
+ notifempty
+ create 0640 zabbix zabbix
+}
--- /dev/null
+# Include file for sudoers file
+#
+# This is needed for some userparameters to be able to execute commands that only run as root (using sudo)
+# e.g. /usr/bin/openssl or /usr/sbin/smartctl
+#
+# USE AT YOU'RE OWN RISK. USING THIS WRONG CAN RESULT IN A SECURITY BREACH!
+#
+# Some hints:
+# - It is strongly recommended to edit this file only using the visudo -f <filename> command. If you mess up this file,
+# you might end up locking yourself out of your system!
+# - Append the full path to each command, using "," as separator.
+# - Only add commands you really need. Zabbix should not have more rights than it has to.
+#
+# Uncomment the following two lines and edit the example of commands to fit your needs:
+#
+#Defaults:zabbix !requiretty
+#zabbix ALL=(ALL) NOPASSWD: <path to command1>, <path to command2>
--- /dev/null
+# This is a configuration file for Zabbix agent daemon (Unix)
+# To get more information about Zabbix, visit http://www.zabbix.com
+
+############ GENERAL PARAMETERS #################
+
+### Option: PidFile
+# Name of PID file.
+#
+# Mandatory: no
+# Default:
+# PidFile=/tmp/zabbix_agentd.pid
+
+PidFile=/var/run/zabbix/zabbix_agentd.pid
+
+### Option: LogType
+# Specifies where log messages are written to:
+# system - syslog
+# file - file specified with LogFile parameter
+# console - standard output
+#
+# Mandatory: no
+# Default:
+# LogType=file
+
+### Option: LogFile
+# Log file name for LogType 'file' parameter.
+#
+# Mandatory: yes, if LogType is set to file, otherwise no
+# Default:
+# LogFile=
+
+LogFile=/var/log/zabbix/zabbix_agentd.log
+
+### Option: LogFileSize
+# Maximum size of log file in MB.
+# 0 - disable automatic log rotation.
+#
+# Mandatory: no
+# Range: 0-1024
+# Default:
+# LogFileSize=1
+
+LogFileSize=0
+
+### Option: DebugLevel
+# Specifies debug level:
+# 0 - basic information about starting and stopping of Zabbix processes
+# 1 - critical information
+# 2 - error information
+# 3 - warnings
+# 4 - for debugging (produces lots of information)
+# 5 - extended debugging (produces even more information)
+#
+# Mandatory: no
+# Range: 0-5
+# Default:
+# DebugLevel=3
+
+### Option: SourceIP
+# Source IP address for outgoing connections.
+#
+# Mandatory: no
+# Default:
+# SourceIP=
+
+### Option: EnableRemoteCommands
+# Whether remote commands from Zabbix server are allowed.
+# 0 - not allowed
+# 1 - allowed
+#
+# Mandatory: no
+# Default:
+# EnableRemoteCommands=0
+
+### Option: LogRemoteCommands
+# Enable logging of executed shell commands as warnings.
+# 0 - disabled
+# 1 - enabled
+#
+# Mandatory: no
+# Default:
+# LogRemoteCommands=0
+
+##### Passive checks related
+
+### Option: Server
+# List of comma delimited IP addresses, optionally in CIDR notation, or DNS names of Zabbix servers and Zabbix proxies.
+# Incoming connections will be accepted only from the hosts listed here.
+# If IPv6 support is enabled then '127.0.0.1', '::127.0.0.1', '::ffff:127.0.0.1' are treated equally
+# and '::/0' will allow any IPv4 or IPv6 address.
+# '0.0.0.0/0' can be used to allow any IPv4 address.
+# Example: Server=127.0.0.1,192.168.1.0/24,::1,2001:db8::/32,zabbix.example.com
+#
+# Mandatory: yes, if StartAgents is not explicitly set to 0
+# Default:
+# Server=
+
+Server=127.0.0.1
+
+### Option: ListenPort
+# Agent will listen on this port for connections from the server.
+#
+# Mandatory: no
+# Range: 1024-32767
+# Default:
+# ListenPort=10050
+
+### Option: ListenIP
+# List of comma delimited IP addresses that the agent should listen on.
+# First IP address is sent to Zabbix server if connecting to it to retrieve list of active checks.
+#
+# Mandatory: no
+# Default:
+# ListenIP=0.0.0.0
+
+### Option: StartAgents
+# Number of pre-forked instances of zabbix_agentd that process passive checks.
+# If set to 0, disables passive checks and the agent will not listen on any TCP port.
+#
+# Mandatory: no
+# Range: 0-100
+# Default:
+# StartAgents=3
+
+##### Active checks related
+
+### Option: ServerActive
+# List of comma delimited IP:port (or DNS name:port) pairs of Zabbix servers and Zabbix proxies for active checks.
+# If port is not specified, default port is used.
+# IPv6 addresses must be enclosed in square brackets if port for that host is specified.
+# If port is not specified, square brackets for IPv6 addresses are optional.
+# If this parameter is not specified, active checks are disabled.
+# Example: ServerActive=127.0.0.1:20051,zabbix.domain,[::1]:30051,::1,[12fc::1]
+#
+# Mandatory: no
+# Default:
+# ServerActive=
+
+ServerActive=127.0.0.1
+
+### Option: Hostname
+# Unique, case sensitive hostname.
+# Required for active checks and must match hostname as configured on the server.
+# Value is acquired from HostnameItem if undefined.
+#
+# Mandatory: no
+# Default:
+# Hostname=
+
+### Option: HostnameItem
+# Item used for generating Hostname if it is undefined. Ignored if Hostname is defined.
+# Does not support UserParameters or aliases.
+#
+# Mandatory: no
+# Default:
+# HostnameItem=system.hostname
+
+### Option: HostMetadata
+# Optional parameter that defines host metadata.
+# Host metadata is used at host auto-registration process.
+# An agent will issue an error and not start if the value is over limit of 255 characters.
+# If not defined, value will be acquired from HostMetadataItem.
+#
+# Mandatory: no
+# Range: 0-255 characters
+# Default:
+# HostMetadata=
+
+### Option: HostMetadataItem
+# Optional parameter that defines an item used for getting host metadata.
+# Host metadata is used at host auto-registration process.
+# During an auto-registration request an agent will log a warning message if
+# the value returned by specified item is over limit of 255 characters.
+# This option is only used when HostMetadata is not defined.
+#
+# Mandatory: no
+# Default:
+# HostMetadataItem=
+
+### Option: RefreshActiveChecks
+# How often list of active checks is refreshed, in seconds.
+#
+# Mandatory: no
+# Range: 60-3600
+# Default:
+# RefreshActiveChecks=120
+
+### Option: BufferSend
+# Do not keep data longer than N seconds in buffer.
+#
+# Mandatory: no
+# Range: 1-3600
+# Default:
+# BufferSend=5
+
+### Option: BufferSize
+# Maximum number of values in a memory buffer. The agent will send
+# all collected data to Zabbix Server or Proxy if the buffer is full.
+#
+# Mandatory: no
+# Range: 2-65535
+# Default:
+# BufferSize=100
+
+### Option: MaxLinesPerSecond
+# Maximum number of new lines the agent will send per second to Zabbix Server
+# or Proxy processing 'log' and 'logrt' active checks.
+# The provided value will be overridden by the parameter 'maxlines',
+# provided in 'log' or 'logrt' item keys.
+#
+# Mandatory: no
+# Range: 1-1000
+# Default:
+# MaxLinesPerSecond=20
+
+############ ADVANCED PARAMETERS #################
+
+### Option: Alias
+# Sets an alias for an item key. It can be used to substitute long and complex item key with a smaller and simpler one.
+# Multiple Alias parameters may be present. Multiple parameters with the same Alias key are not allowed.
+# Different Alias keys may reference the same item key.
+# For example, to retrieve the ID of user 'zabbix':
+# Alias=zabbix.userid:vfs.file.regexp[/etc/passwd,^zabbix:.:([0-9]+),,,,\1]
+# Now shorthand key zabbix.userid may be used to retrieve data.
+# Aliases can be used in HostMetadataItem but not in HostnameItem parameters.
+#
+# Mandatory: no
+# Range:
+# Default:
+
+### Option: Timeout
+# Spend no more than Timeout seconds on processing
+#
+# Mandatory: no
+# Range: 1-30
+# Default:
+# Timeout=3
+
+### Option: AllowRoot
+# Allow the agent to run as 'root'. If disabled and the agent is started by 'root', the agent
+# will try to switch to the user specified by the User configuration option instead.
+# Has no effect if started under a regular user.
+# 0 - do not allow
+# 1 - allow
+#
+# Mandatory: no
+# Default:
+# AllowRoot=0
+
+### Option: User
+# Drop privileges to a specific, existing user on the system.
+# Only has effect if run as 'root' and AllowRoot is disabled.
+#
+# Mandatory: no
+# Default:
+# User=zabbix
+
+### Option: Include
+# You may include individual files or all files in a directory in the configuration file.
+# Installing Zabbix will create include directory in /usr/local/etc, unless modified during the compile time.
+#
+# Mandatory: no
+# Default:
+# Include=
+
+Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf
+
+
+####### USER-DEFINED MONITORED PARAMETERS #######
+
+### Option: UnsafeUserParameters
+# Allow all characters to be passed in arguments to user-defined parameters.
+# The following characters are not allowed:
+# \ ' " ` * ? [ ] { } ~ $ ! & ; ( ) < > | # @
+# Additionally, newline characters are not allowed.
+# 0 - do not allow
+# 1 - allow
+#
+# Mandatory: no
+# Range: 0-1
+# Default:
+# UnsafeUserParameters=0
+
+### Option: UserParameter
+# User-defined parameter to monitor. There can be several user-defined parameters.
+# Format: UserParameter=<key>,<shell command>
+# See 'zabbix_agentd' directory for examples.
+#
+# Mandatory: no
+# Default:
+# UserParameter=
+
+####### LOADABLE MODULES #######
+
+### Option: LoadModulePath
+# Full path to location of agent modules.
+# Default depends on compilation options.
+# To see the default path run command "zabbix_agentd --help".
+#
+# Mandatory: no
+# Default:
+# LoadModulePath=/usr/lib/modules
+
+LoadModulePath=/usr/lib/zabbix
+
+### Option: LoadModule
+# Module to load at agent startup. Modules are used to extend functionality of the agent.
+# Format: LoadModule=<module.so>
+# The modules must be located in directory specified by LoadModulePath.
+# It is allowed to include multiple LoadModule parameters.
+#
+# Mandatory: no
+# Default:
+# LoadModule=
+
+####### TLS-RELATED PARAMETERS #######
+
+### Option: TLSConnect
+# How the agent should connect to server or proxy. Used for active checks.
+# Only one value can be specified:
+# unencrypted - connect without encryption
+# psk - connect using TLS and a pre-shared key
+# cert - connect using TLS and a certificate
+#
+# Mandatory: yes, if TLS certificate or PSK parameters are defined (even for 'unencrypted' connection)
+# Default:
+# TLSConnect=unencrypted
+
+### Option: TLSAccept
+# What incoming connections to accept.
+# Multiple values can be specified, separated by comma:
+# unencrypted - accept connections without encryption
+# psk - accept connections secured with TLS and a pre-shared key
+# cert - accept connections secured with TLS and a certificate
+#
+# Mandatory: yes, if TLS certificate or PSK parameters are defined (even for 'unencrypted' connection)
+# Default:
+# TLSAccept=unencrypted
+
+### Option: TLSCAFile
+# Full pathname of a file containing the top-level CA(s) certificates for
+# peer certificate verification.
+#
+# Mandatory: no
+# Default:
+# TLSCAFile=
+
+### Option: TLSCRLFile
+# Full pathname of a file containing revoked certificates.
+#
+# Mandatory: no
+# Default:
+# TLSCRLFile=
+
+### Option: TLSServerCertIssuer
+# Allowed server certificate issuer.
+#
+# Mandatory: no
+# Default:
+# TLSServerCertIssuer=
+
+### Option: TLSServerCertSubject
+# Allowed server certificate subject.
+#
+# Mandatory: no
+# Default:
+# TLSServerCertSubject=
+
+### Option: TLSCertFile
+# Full pathname of a file containing the agent certificate or certificate chain.
+#
+# Mandatory: no
+# Default:
+# TLSCertFile=
+
+### Option: TLSKeyFile
+# Full pathname of a file containing the agent private key.
+#
+# Mandatory: no
+# Default:
+# TLSKeyFile=
+
+### Option: TLSPSKIdentity
+# Unique, case sensitive string used to identify the pre-shared key.
+#
+# Mandatory: no
+# Default:
+# TLSPSKIdentity=
+
+### Option: TLSPSKFile
+# Full pathname of a file containing the pre-shared key.
+#
+# Mandatory: no
+# Default:
+# TLSPSKFile=
WARNING: translation string unused: min size
WARNING: translation string unused: missing dat
WARNING: translation string unused: missing gz
-WARNING: translation string unused: mode
WARNING: translation string unused: modem on com1
WARNING: translation string unused: modem on com2
WARNING: translation string unused: modem on com3
WARNING: translation string unused: use ibod
WARNING: translation string unused: view log
WARNING: translation string unused: vpn aggrmode
+WARNING: translation string unused: vpn delayed start
+WARNING: translation string unused: vpn delayed start help
WARNING: translation string unused: vpn incompatible use of defaultroute
WARNING: translation string unused: vpn mtu invalid
WARNING: translation string unused: vpn on blue
WARNING: translation string unused: vpn on green
WARNING: translation string unused: vpn on orange
+WARNING: translation string unused: vpn red name
WARNING: translation string unused: vpn watch
WARNING: translation string unused: warn when traffic reaches
WARNING: translation string unused: web proxy configuration
WARNING: untranslated string: bytes = unknown string
WARNING: untranslated string: community rules = Snort/VRT GPLv2 Community Rules
WARNING: untranslated string: dead peer detection = Dead Peer Detection
+WARNING: untranslated string: default IP address = Default IP Address
WARNING: untranslated string: emerging rules = Emergingthreats.net Community Rules
WARNING: untranslated string: fwhost cust geoipgrp = unknown string
WARNING: untranslated string: fwhost err hostip = unknown string
WARNING: untranslated string: guardian watch snort alertfile = unknown string
WARNING: untranslated string: ike lifetime should be between 1 and 8 hours = unknown string
WARNING: untranslated string: info messages = unknown string
+WARNING: untranslated string: interface mode = Interface
WARNING: untranslated string: no data = unknown string
-WARNING: untranslated string: none = none
-WARNING: untranslated string: qos add subclass = Add subclass
WARNING: untranslated string: route config changed = unknown string
WARNING: untranslated string: routing config added = unknown string
WARNING: untranslated string: routing config changed = unknown string
WARNING: untranslated string: routing table = unknown string
WARNING: untranslated string: show tls-auth key = Show tls-auth key
-WARNING: untranslated string: vpn force mobike = Force using MOBIKE (only IKEv2)
WARNING: untranslated string: vpn statistics n2n = unknown string
WARNING: untranslated string: december = December
WARNING: untranslated string: def lease time = Default Lease Time
WARNING: untranslated string: default = Default
+WARNING: untranslated string: default IP address = Default IP Address
WARNING: untranslated string: default lease time = Default lease time (mins):
WARNING: untranslated string: default renewal time = Default Renewal Time
WARNING: untranslated string: delete = Delete
WARNING: untranslated string: instant update = Instant Update
WARNING: untranslated string: integrity = Integrity:
WARNING: untranslated string: interface = Interface
+WARNING: untranslated string: interface mode = Interface
WARNING: untranslated string: interfaces = Interfaces
WARNING: untranslated string: internet = INTERNET
WARNING: untranslated string: intrusion detection = Intrusion Detection
WARNING: untranslated string: invalid input for hostname = Invalid input for hostname.
WARNING: untranslated string: invalid input for ike lifetime = Invalid input for IKE lifetime
WARNING: untranslated string: invalid input for inactivity timeout = Invalid input for Inactivity Timeout
+WARNING: untranslated string: invalid input for interface address = Invalid input for interface address
+WARNING: untranslated string: invalid input for interface mode = Invalid input for interface mode
+WARNING: untranslated string: invalid input for interface mtu = Invalid input to interface MTU
WARNING: untranslated string: invalid input for keepalive 1 = Invalid input for Keepalive ping
WARNING: untranslated string: invalid input for keepalive 1:2 = Invalid input for Keepalive use at least a ratio of 1:2
WARNING: untranslated string: invalid input for keepalive 2 = Invalid input for Keepalive ping-restart
+WARNING: untranslated string: invalid input for local ip address = Invalid input for local IP address
WARNING: untranslated string: invalid input for max clients = Invalid input for Max Clients
+WARNING: untranslated string: invalid input for mode = Invalid input for mode
WARNING: untranslated string: invalid input for name = Invalid input for user's full name or system hostname
WARNING: untranslated string: invalid input for oink code = Invalid input for Oink code
WARNING: untranslated string: invalid input for organization = Invalid input for organization
WARNING: untranslated string: ipfires hostname = IPFire's Hostname
WARNING: untranslated string: ipinfo = IP info
WARNING: untranslated string: ipsec = IPsec
+WARNING: untranslated string: ipsec connection = IPsec Connection
+WARNING: untranslated string: ipsec interface mode gre = GRE
+WARNING: untranslated string: ipsec interface mode none = - None (Default) -
+WARNING: untranslated string: ipsec interface mode vti = VTI
+WARNING: untranslated string: ipsec mode transport = Transport
+WARNING: untranslated string: ipsec mode tunnel = Tunnel
WARNING: untranslated string: ipsec network = IPsec network
+WARNING: untranslated string: ipsec settings = IPsec Settings
WARNING: untranslated string: iptmangles = IPTable Mangles
WARNING: untranslated string: iptnats = IPTable Network Address Translation
WARNING: untranslated string: ipts = iptables
WARNING: untranslated string: lifetime = Lifetime:
WARNING: untranslated string: linkq = Link Quality
WARNING: untranslated string: load printer = Load Printer
+WARNING: untranslated string: local ip address = Local IP Address
WARNING: untranslated string: local master = Local Master
WARNING: untranslated string: local ntp server specified but not enabled = Local NTP server specified but not enabled
WARNING: untranslated string: local subnet = Local subnet:
WARNING: untranslated string: minute = Minute
WARNING: untranslated string: minutes = Minutes
WARNING: untranslated string: misc-options = Miscellaneous options
+WARNING: untranslated string: mode = Mode
WARNING: untranslated string: model = Model
WARNING: untranslated string: modem = Modem
WARNING: untranslated string: modem configuration = Modem configuration
WARNING: untranslated string: mpfire search = MPFire Search
WARNING: untranslated string: mpfire songs = MPFire songlist
WARNING: untranslated string: mpfire webradio = MPFire Webradio
+WARNING: untranslated string: mtu = MTU
WARNING: untranslated string: my new share = My new share
WARNING: untranslated string: name = Name
WARNING: untranslated string: name is invalid = Name is invalid
WARNING: untranslated string: stop ovpn server = Stop OpenVPN Server
WARNING: untranslated string: stopped = STOPPED
WARNING: untranslated string: subject = Subject
+WARNING: untranslated string: subnet mask = Subnet Mask
WARNING: untranslated string: subscripted user rules = Sourcefire VRT rules with subscription
WARNING: untranslated string: summaries kept = Keep summaries for
WARNING: untranslated string: sunday = Sunday
WARNING: untranslated string: total hits for log section = Total hits for log section
WARNING: untranslated string: traffic on = Traffic on
WARNING: untranslated string: traffics = Utilization-overview
+WARNING: untranslated string: transport mode does not support vti = VTI is not support in transport mode
WARNING: untranslated string: tuesday = Tuesday
WARNING: untranslated string: twelve hours = 12 Hours
WARNING: untranslated string: two weeks = Two Weeks
WARNING: untranslated string: vpn auth-dn = Peer is identified by either IPV4_ADDR, FQDN, USER_FQDN or DER_ASN1_DN string in remote ID field
WARNING: untranslated string: vpn broken = Broken
WARNING: untranslated string: vpn connecting = CONNECTING
-WARNING: untranslated string: vpn delayed start = Delay before launching VPN (seconds)
-WARNING: untranslated string: vpn delayed start help = If required, this delay can be used to allow dynamic DNS updates to propagate properly. 60 is a common value when RED is a dynamic IP.
WARNING: untranslated string: vpn force mobike = Force using MOBIKE (only IKEv2)
WARNING: untranslated string: vpn inactivity timeout = Inactivity Timeout
WARNING: untranslated string: vpn keyexchange = Keyexchange
WARNING: untranslated string: vpn no full pki = missing private key to generate cert
WARNING: untranslated string: vpn on-demand = ON-DEMAND
WARNING: untranslated string: vpn payload compression = Negotiate payload compression
-WARNING: untranslated string: vpn red name = Public IP or FQDN for RED interface or <%defaultroute>
WARNING: untranslated string: vpn remote id = Remote ID
WARNING: untranslated string: vpn start action = Start Action
WARNING: untranslated string: vpn start action add = Wait for connection initiation
WARNING: untranslated string: vpn start action route = On Demand
WARNING: untranslated string: vpn start action start = Always On
-WARNING: untranslated string: vpn statistic n2n = OpenVPN Net-to-Net Statistics
-WARNING: untranslated string: vpn statistic rw = OpenVPN Roadwarrior Statistics
+WARNING: untranslated string: vpn statistic n2n = VPN: Net-to-Net Statistics
+WARNING: untranslated string: vpn statistic rw = VPN: Roadwarrior Statistics
WARNING: untranslated string: vpn statistics n2n = unknown string
WARNING: untranslated string: vpn subjectaltname = Subject Alt Name
WARNING: untranslated string: vpn wait = WAITING
WARNING: translation string unused: min size
WARNING: translation string unused: missing dat
WARNING: translation string unused: missing gz
-WARNING: translation string unused: mode
WARNING: translation string unused: modem on com1
WARNING: translation string unused: modem on com2
WARNING: translation string unused: modem on com3
WARNING: translation string unused: view log
WARNING: translation string unused: vpn aggrmode
WARNING: translation string unused: vpn configuration main
+WARNING: translation string unused: vpn delayed start
+WARNING: translation string unused: vpn delayed start help
WARNING: translation string unused: vpn incompatible use of defaultroute
WARNING: translation string unused: vpn mtu invalid
WARNING: translation string unused: vpn on blue
WARNING: translation string unused: vpn on green
WARNING: translation string unused: vpn on orange
+WARNING: translation string unused: vpn red name
WARNING: translation string unused: vpn watch
WARNING: translation string unused: warn when traffic reaches
WARNING: translation string unused: web proxy configuration
WARNING: untranslated string: crypto warning = Cryptographic warning
WARNING: untranslated string: dead peer detection = Dead Peer Detection
WARNING: untranslated string: default = Default
+WARNING: untranslated string: default IP address = Default IP Address
WARNING: untranslated string: deprecated fs warn = Deprecated filesystem! Newer kernel drop the support. Backup and reformat!
WARNING: untranslated string: details = Details
WARNING: untranslated string: dh = Diffie-Hellman parameters
WARNING: untranslated string: incoming overhead in bytes per second = Incoming Overhead
WARNING: untranslated string: info messages = unknown string
WARNING: untranslated string: integrity = Integrity:
+WARNING: untranslated string: interface mode = Interface
WARNING: untranslated string: invalid input for dpd delay = Invalid input for DPD delay
WARNING: untranslated string: invalid input for dpd timeout = Invalid input for DPD timeout
WARNING: untranslated string: invalid input for inactivity timeout = Invalid input for Inactivity Timeout
+WARNING: untranslated string: invalid input for interface address = Invalid input for interface address
+WARNING: untranslated string: invalid input for interface mode = Invalid input for interface mode
+WARNING: untranslated string: invalid input for interface mtu = Invalid input to interface MTU
+WARNING: untranslated string: invalid input for local ip address = Invalid input for local IP address
+WARNING: untranslated string: invalid input for mode = Invalid input for mode
WARNING: untranslated string: invalid input for valid till days = Invalid input for Valid till (days).
WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hostname
WARNING: untranslated string: invalid logserver protocol = Invalid syslogd server protocol
WARNING: untranslated string: ipsec = IPsec
+WARNING: untranslated string: ipsec connection = IPsec Connection
+WARNING: untranslated string: ipsec interface mode gre = GRE
+WARNING: untranslated string: ipsec interface mode none = - None (Default) -
+WARNING: untranslated string: ipsec interface mode vti = VTI
+WARNING: untranslated string: ipsec mode transport = Transport
+WARNING: untranslated string: ipsec mode tunnel = Tunnel
WARNING: untranslated string: ipsec network = IPsec network
+WARNING: untranslated string: ipsec settings = IPsec Settings
WARNING: untranslated string: last = Last
WARNING: untranslated string: least preferred = least preferred
WARNING: untranslated string: lifetime = Lifetime:
+WARNING: untranslated string: local ip address = Local IP Address
WARNING: untranslated string: log server protocol = protocol:
WARNING: untranslated string: mac filter = MAC filter
WARNING: untranslated string: masquerade blue = Masquerade BLUE
WARNING: untranslated string: modem status = Modem Status
WARNING: untranslated string: monitor interface = Monitor Interface
WARNING: untranslated string: most preferred = most preferred
+WARNING: untranslated string: mtu = MTU
WARNING: untranslated string: nameserver = Nameserver
WARNING: untranslated string: no data = unknown string
WARNING: untranslated string: none = none
WARNING: untranslated string: ssh no active logins = No active logins
WARNING: untranslated string: ssh username = Username
WARNING: untranslated string: static routes = Static Routes
+WARNING: untranslated string: subnet mask = Subnet Mask
WARNING: untranslated string: support donation = Support the IPFire project with your donation
WARNING: untranslated string: system has rdrand = This system has support for Intel(R) RDRAND.
WARNING: untranslated string: system information = System Information
WARNING: untranslated string: tor traffic limit soft = Traffic limit almost reached. Not accepting any new connections.
WARNING: untranslated string: tor traffic read written = Total traffic (read/written)
WARNING: untranslated string: tor use exit nodes = Use only these exit nodes (one per line)
+WARNING: untranslated string: transport mode does not support vti = VTI is not support in transport mode
WARNING: untranslated string: twelve hours = 12 Hours
WARNING: untranslated string: two weeks = Two Weeks
WARNING: untranslated string: udp less overhead = UDP (less overhead)
WARNING: untranslated string: vpn start action add = Wait for connection initiation
WARNING: untranslated string: vpn start action route = On Demand
WARNING: untranslated string: vpn start action start = Always On
-WARNING: untranslated string: vpn statistic n2n = OpenVPN Net-to-Net Statistics
-WARNING: untranslated string: vpn statistic rw = OpenVPN Roadwarrior Statistics
+WARNING: untranslated string: vpn statistic n2n = VPN: Net-to-Net Statistics
+WARNING: untranslated string: vpn statistic rw = VPN: Roadwarrior Statistics
WARNING: untranslated string: vpn statistics n2n = unknown string
WARNING: untranslated string: vpn wait = WAITING
WARNING: untranslated string: vpn weak = Weak
WARNING: translation string unused: dmz pinhole rule removed
WARNING: translation string unused: dmzpinholes for same net not necessary
WARNING: translation string unused: dns server
-WARNING: translation string unused: dnsforward forward_server
WARNING: translation string unused: do not log this port list
WARNING: translation string unused: domain not set
WARNING: translation string unused: donation-link
WARNING: translation string unused: min size
WARNING: translation string unused: missing dat
WARNING: translation string unused: missing gz
-WARNING: translation string unused: mode
WARNING: translation string unused: modem on com1
WARNING: translation string unused: modem on com2
WARNING: translation string unused: modem on com3
WARNING: translation string unused: view log
WARNING: translation string unused: vpn aggrmode
WARNING: translation string unused: vpn configuration main
+WARNING: translation string unused: vpn delayed start
+WARNING: translation string unused: vpn delayed start help
WARNING: translation string unused: vpn incompatible use of defaultroute
WARNING: translation string unused: vpn mtu invalid
WARNING: translation string unused: vpn on blue
WARNING: translation string unused: vpn on green
WARNING: translation string unused: vpn on orange
+WARNING: translation string unused: vpn red name
WARNING: translation string unused: vpn watch
WARNING: translation string unused: warn when traffic reaches
WARNING: translation string unused: web proxy configuration
WARNING: untranslated string: Captive clients = unknown string
WARNING: untranslated string: Scan for Songs = unknown string
WARNING: untranslated string: bytes = unknown string
-WARNING: untranslated string: dnsforward forward_servers = Nameservers
+WARNING: untranslated string: default IP address = Default IP Address
WARNING: untranslated string: fwhost cust geoipgrp = unknown string
WARNING: untranslated string: fwhost err hostip = unknown string
WARNING: untranslated string: guardian block a host = unknown string
WARNING: untranslated string: guardian watch snort alertfile = unknown string
WARNING: untranslated string: ike lifetime should be between 1 and 8 hours = unknown string
WARNING: untranslated string: info messages = unknown string
-WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hostname
+WARNING: untranslated string: interface mode = Interface
+WARNING: untranslated string: invalid input for interface address = Invalid input for interface address
+WARNING: untranslated string: invalid input for interface mode = Invalid input for interface mode
+WARNING: untranslated string: invalid input for interface mtu = Invalid input to interface MTU
+WARNING: untranslated string: invalid input for local ip address = Invalid input for local IP address
+WARNING: untranslated string: invalid input for mode = Invalid input for mode
+WARNING: untranslated string: ipsec connection = IPsec Connection
+WARNING: untranslated string: ipsec interface mode gre = GRE
+WARNING: untranslated string: ipsec interface mode none = - None (Default) -
+WARNING: untranslated string: ipsec interface mode vti = VTI
+WARNING: untranslated string: ipsec mode transport = Transport
+WARNING: untranslated string: ipsec mode tunnel = Tunnel
+WARNING: untranslated string: ipsec settings = IPsec Settings
+WARNING: untranslated string: local ip address = Local IP Address
+WARNING: untranslated string: mtu = MTU
WARNING: untranslated string: no data = unknown string
WARNING: untranslated string: pakfire ago = ago.
WARNING: untranslated string: route config changed = unknown string
WARNING: untranslated string: routing config added = unknown string
WARNING: untranslated string: routing config changed = unknown string
WARNING: untranslated string: routing table = unknown string
+WARNING: untranslated string: subnet mask = Subnet Mask
+WARNING: untranslated string: transport mode does not support vti = VTI is not support in transport mode
WARNING: untranslated string: vpn statistics n2n = unknown string
WARNING: translation string unused: min size
WARNING: translation string unused: missing dat
WARNING: translation string unused: missing gz
-WARNING: translation string unused: mode
WARNING: translation string unused: modem on com1
WARNING: translation string unused: modem on com2
WARNING: translation string unused: modem on com3
WARNING: translation string unused: view log
WARNING: translation string unused: vpn aggrmode
WARNING: translation string unused: vpn configuration main
+WARNING: translation string unused: vpn delayed start
+WARNING: translation string unused: vpn delayed start help
WARNING: translation string unused: vpn incompatible use of defaultroute
WARNING: translation string unused: vpn mtu invalid
WARNING: translation string unused: vpn on blue
WARNING: translation string unused: vpn on green
WARNING: translation string unused: vpn on orange
+WARNING: translation string unused: vpn red name
WARNING: translation string unused: vpn watch
WARNING: translation string unused: warn when traffic reaches
WARNING: translation string unused: web proxy configuration
WARNING: untranslated string: check all = Check all
WARNING: untranslated string: crypto error = Cryptographic error
WARNING: untranslated string: crypto warning = Cryptographic warning
+WARNING: untranslated string: default IP address = Default IP Address
WARNING: untranslated string: dhcp dns enable update = Enable DNS Update (RFC2136):
WARNING: untranslated string: dhcp dns key name = Key Name:
WARNING: untranslated string: dhcp dns update = DNS Update
WARNING: untranslated string: incoming compression in bytes per second = Incoming Compression
WARNING: untranslated string: incoming overhead in bytes per second = Incoming Overhead
WARNING: untranslated string: info messages = unknown string
+WARNING: untranslated string: interface mode = Interface
WARNING: untranslated string: invalid input for inactivity timeout = Invalid input for Inactivity Timeout
+WARNING: untranslated string: invalid input for interface address = Invalid input for interface address
+WARNING: untranslated string: invalid input for interface mode = Invalid input for interface mode
+WARNING: untranslated string: invalid input for interface mtu = Invalid input to interface MTU
+WARNING: untranslated string: invalid input for local ip address = Invalid input for local IP address
+WARNING: untranslated string: invalid input for mode = Invalid input for mode
WARNING: untranslated string: invalid input for valid till days = Invalid input for Valid till (days).
WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hostname
WARNING: untranslated string: invalid logserver protocol = Invalid syslogd server protocol
+WARNING: untranslated string: ipsec connection = IPsec Connection
+WARNING: untranslated string: ipsec interface mode gre = GRE
+WARNING: untranslated string: ipsec interface mode none = - None (Default) -
+WARNING: untranslated string: ipsec interface mode vti = VTI
+WARNING: untranslated string: ipsec mode transport = Transport
+WARNING: untranslated string: ipsec mode tunnel = Tunnel
+WARNING: untranslated string: ipsec settings = IPsec Settings
+WARNING: untranslated string: local ip address = Local IP Address
WARNING: untranslated string: log server protocol = protocol:
WARNING: untranslated string: masquerade blue = Masquerade BLUE
WARNING: untranslated string: masquerade green = Masquerade GREEN
WARNING: untranslated string: masquerading disabled = Masquerading disabled
WARNING: untranslated string: masquerading enabled = Masquerading enabled
WARNING: untranslated string: messages = Messages
+WARNING: untranslated string: mtu = MTU
WARNING: untranslated string: no data = unknown string
WARNING: untranslated string: none = none
WARNING: untranslated string: one hour = One Hour
WARNING: untranslated string: ssh login time = Logged in since
WARNING: untranslated string: ssh no active logins = No active logins
WARNING: untranslated string: ssh username = Username
+WARNING: untranslated string: subnet mask = Subnet Mask
WARNING: untranslated string: tcp more reliable = TCP (more reliable)
WARNING: untranslated string: ten minutes = 10 Minutes
WARNING: untranslated string: thirty minutes = 30 Minutes
+WARNING: untranslated string: transport mode does not support vti = VTI is not support in transport mode
WARNING: untranslated string: twelve hours = 12 Hours
WARNING: untranslated string: two weeks = Two Weeks
WARNING: untranslated string: udp less overhead = UDP (less overhead)
WARNING: untranslated string: vpn start action add = Wait for connection initiation
WARNING: untranslated string: vpn start action route = On Demand
WARNING: untranslated string: vpn start action start = Always On
-WARNING: untranslated string: vpn statistic n2n = OpenVPN Net-to-Net Statistics
-WARNING: untranslated string: vpn statistic rw = OpenVPN Roadwarrior Statistics
+WARNING: untranslated string: vpn statistic n2n = VPN: Net-to-Net Statistics
+WARNING: untranslated string: vpn statistic rw = VPN: Roadwarrior Statistics
WARNING: untranslated string: vpn statistics n2n = unknown string
WARNING: untranslated string: vpn wait = WAITING
WARNING: untranslated string: vpn weak = Weak
WARNING: translation string unused: min size
WARNING: translation string unused: missing dat
WARNING: translation string unused: missing gz
-WARNING: translation string unused: mode
WARNING: translation string unused: modem on com1
WARNING: translation string unused: modem on com2
WARNING: translation string unused: modem on com3
WARNING: translation string unused: view log
WARNING: translation string unused: vpn aggrmode
WARNING: translation string unused: vpn configuration main
+WARNING: translation string unused: vpn delayed start
+WARNING: translation string unused: vpn delayed start help
WARNING: translation string unused: vpn incompatible use of defaultroute
WARNING: translation string unused: vpn mtu invalid
WARNING: translation string unused: vpn on blue
WARNING: translation string unused: vpn on green
WARNING: translation string unused: vpn on orange
+WARNING: translation string unused: vpn red name
WARNING: translation string unused: vpn watch
WARNING: translation string unused: warn when traffic reaches
WARNING: translation string unused: web proxy configuration
WARNING: untranslated string: crypto error = Cryptographic error
WARNING: untranslated string: crypto warning = Cryptographic warning
WARNING: untranslated string: default = Default
+WARNING: untranslated string: default IP address = Default IP Address
WARNING: untranslated string: dh = Diffie-Hellman parameters
WARNING: untranslated string: dh key move failed = Diffie-Hellman parameters move failed.
WARNING: untranslated string: dh key warn = Creating DH-parameters with a length of 2048 bits takes up to several minutes. Lengths of 3072 or 4096 bits might needs several hours. Please be patient.
WARNING: untranslated string: incoming compression in bytes per second = Incoming Compression
WARNING: untranslated string: incoming overhead in bytes per second = Incoming Overhead
WARNING: untranslated string: info messages = unknown string
+WARNING: untranslated string: interface mode = Interface
WARNING: untranslated string: invalid input for inactivity timeout = Invalid input for Inactivity Timeout
+WARNING: untranslated string: invalid input for interface address = Invalid input for interface address
+WARNING: untranslated string: invalid input for interface mode = Invalid input for interface mode
+WARNING: untranslated string: invalid input for interface mtu = Invalid input to interface MTU
+WARNING: untranslated string: invalid input for local ip address = Invalid input for local IP address
+WARNING: untranslated string: invalid input for mode = Invalid input for mode
WARNING: untranslated string: invalid input for valid till days = Invalid input for Valid till (days).
WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hostname
WARNING: untranslated string: invalid logserver protocol = Invalid syslogd server protocol
+WARNING: untranslated string: ipsec connection = IPsec Connection
+WARNING: untranslated string: ipsec interface mode gre = GRE
+WARNING: untranslated string: ipsec interface mode none = - None (Default) -
+WARNING: untranslated string: ipsec interface mode vti = VTI
+WARNING: untranslated string: ipsec mode transport = Transport
+WARNING: untranslated string: ipsec mode tunnel = Tunnel
+WARNING: untranslated string: ipsec settings = IPsec Settings
+WARNING: untranslated string: local ip address = Local IP Address
WARNING: untranslated string: log server protocol = protocol:
WARNING: untranslated string: masquerade blue = Masquerade BLUE
WARNING: untranslated string: masquerade green = Masquerade GREEN
WARNING: untranslated string: modem sim information = SIM Information
WARNING: untranslated string: modem status = Modem Status
WARNING: untranslated string: monitor interface = Monitor Interface
+WARNING: untranslated string: mtu = MTU
WARNING: untranslated string: nameserver = Nameserver
WARNING: untranslated string: no data = unknown string
WARNING: untranslated string: none = none
WARNING: untranslated string: ssh login time = Logged in since
WARNING: untranslated string: ssh no active logins = No active logins
WARNING: untranslated string: ssh username = Username
+WARNING: untranslated string: subnet mask = Subnet Mask
WARNING: untranslated string: ta key = TLS-Authentification-Key
WARNING: untranslated string: tcp more reliable = TCP (more reliable)
WARNING: untranslated string: ten minutes = 10 Minutes
WARNING: untranslated string: thirty minutes = 30 Minutes
+WARNING: untranslated string: transport mode does not support vti = VTI is not support in transport mode
WARNING: untranslated string: twelve hours = 12 Hours
WARNING: untranslated string: two weeks = Two Weeks
WARNING: untranslated string: udp less overhead = UDP (less overhead)
WARNING: untranslated string: vpn start action add = Wait for connection initiation
WARNING: untranslated string: vpn start action route = On Demand
WARNING: untranslated string: vpn start action start = Always On
-WARNING: untranslated string: vpn statistic n2n = OpenVPN Net-to-Net Statistics
-WARNING: untranslated string: vpn statistic rw = OpenVPN Roadwarrior Statistics
+WARNING: untranslated string: vpn statistic n2n = VPN: Net-to-Net Statistics
+WARNING: untranslated string: vpn statistic rw = VPN: Roadwarrior Statistics
WARNING: untranslated string: vpn statistics n2n = unknown string
WARNING: untranslated string: vpn wait = WAITING
WARNING: untranslated string: vpn weak = Weak
WARNING: translation string unused: min size
WARNING: translation string unused: missing dat
WARNING: translation string unused: missing gz
-WARNING: translation string unused: mode
WARNING: translation string unused: modem on com1
WARNING: translation string unused: modem on com2
WARNING: translation string unused: modem on com3
WARNING: translation string unused: view log
WARNING: translation string unused: vpn aggrmode
WARNING: translation string unused: vpn configuration main
+WARNING: translation string unused: vpn delayed start
+WARNING: translation string unused: vpn delayed start help
WARNING: translation string unused: vpn incompatible use of defaultroute
WARNING: translation string unused: vpn mtu invalid
WARNING: translation string unused: vpn on blue
WARNING: translation string unused: vpn on green
WARNING: translation string unused: vpn on orange
+WARNING: translation string unused: vpn red name
WARNING: translation string unused: vpn watch
WARNING: translation string unused: warn when traffic reaches
WARNING: translation string unused: web proxy configuration
WARNING: untranslated string: crypto warning = Cryptographic warning
WARNING: untranslated string: dead peer detection = Dead Peer Detection
WARNING: untranslated string: default = Default
+WARNING: untranslated string: default IP address = Default IP Address
WARNING: untranslated string: deprecated fs warn = Deprecated filesystem! Newer kernel drop the support. Backup and reformat!
WARNING: untranslated string: details = Details
WARNING: untranslated string: dh = Diffie-Hellman parameters
WARNING: untranslated string: incoming overhead in bytes per second = Incoming Overhead
WARNING: untranslated string: info messages = unknown string
WARNING: untranslated string: integrity = Integrity:
+WARNING: untranslated string: interface mode = Interface
WARNING: untranslated string: invalid input for dpd delay = Invalid input for DPD delay
WARNING: untranslated string: invalid input for dpd timeout = Invalid input for DPD timeout
WARNING: untranslated string: invalid input for inactivity timeout = Invalid input for Inactivity Timeout
+WARNING: untranslated string: invalid input for interface address = Invalid input for interface address
+WARNING: untranslated string: invalid input for interface mode = Invalid input for interface mode
+WARNING: untranslated string: invalid input for interface mtu = Invalid input to interface MTU
+WARNING: untranslated string: invalid input for local ip address = Invalid input for local IP address
+WARNING: untranslated string: invalid input for mode = Invalid input for mode
WARNING: untranslated string: invalid input for valid till days = Invalid input for Valid till (days).
WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hostname
WARNING: untranslated string: invalid logserver protocol = Invalid syslogd server protocol
WARNING: untranslated string: ipsec = IPsec
+WARNING: untranslated string: ipsec connection = IPsec Connection
+WARNING: untranslated string: ipsec interface mode gre = GRE
+WARNING: untranslated string: ipsec interface mode none = - None (Default) -
+WARNING: untranslated string: ipsec interface mode vti = VTI
+WARNING: untranslated string: ipsec mode transport = Transport
+WARNING: untranslated string: ipsec mode tunnel = Tunnel
WARNING: untranslated string: ipsec network = IPsec network
+WARNING: untranslated string: ipsec settings = IPsec Settings
WARNING: untranslated string: last = Last
WARNING: untranslated string: least preferred = least preferred
WARNING: untranslated string: lifetime = Lifetime:
+WARNING: untranslated string: local ip address = Local IP Address
WARNING: untranslated string: log server protocol = protocol:
WARNING: untranslated string: mac filter = MAC filter
WARNING: untranslated string: masquerade blue = Masquerade BLUE
WARNING: untranslated string: modem status = Modem Status
WARNING: untranslated string: monitor interface = Monitor Interface
WARNING: untranslated string: most preferred = most preferred
+WARNING: untranslated string: mtu = MTU
WARNING: untranslated string: nameserver = Nameserver
WARNING: untranslated string: no data = unknown string
WARNING: untranslated string: none = none
WARNING: untranslated string: ssh no active logins = No active logins
WARNING: untranslated string: ssh username = Username
WARNING: untranslated string: static routes = Static Routes
+WARNING: untranslated string: subnet mask = Subnet Mask
WARNING: untranslated string: support donation = Support the IPFire project with your donation
WARNING: untranslated string: system has rdrand = This system has support for Intel(R) RDRAND.
WARNING: untranslated string: system information = System Information
WARNING: untranslated string: tor traffic limit soft = Traffic limit almost reached. Not accepting any new connections.
WARNING: untranslated string: tor traffic read written = Total traffic (read/written)
WARNING: untranslated string: tor use exit nodes = Use only these exit nodes (one per line)
+WARNING: untranslated string: transport mode does not support vti = VTI is not support in transport mode
WARNING: untranslated string: twelve hours = 12 Hours
WARNING: untranslated string: two weeks = Two Weeks
WARNING: untranslated string: udp less overhead = UDP (less overhead)
WARNING: untranslated string: vpn start action add = Wait for connection initiation
WARNING: untranslated string: vpn start action route = On Demand
WARNING: untranslated string: vpn start action start = Always On
-WARNING: untranslated string: vpn statistic n2n = OpenVPN Net-to-Net Statistics
-WARNING: untranslated string: vpn statistic rw = OpenVPN Roadwarrior Statistics
+WARNING: untranslated string: vpn statistic n2n = VPN: Net-to-Net Statistics
+WARNING: untranslated string: vpn statistic rw = VPN: Roadwarrior Statistics
WARNING: untranslated string: vpn statistics n2n = unknown string
WARNING: untranslated string: vpn wait = WAITING
WARNING: untranslated string: vpn weak = Weak
WARNING: translation string unused: min size
WARNING: translation string unused: missing dat
WARNING: translation string unused: missing gz
-WARNING: translation string unused: mode
WARNING: translation string unused: modem on com1
WARNING: translation string unused: modem on com2
WARNING: translation string unused: modem on com3
WARNING: translation string unused: view log
WARNING: translation string unused: vpn aggrmode
WARNING: translation string unused: vpn configuration main
+WARNING: translation string unused: vpn delayed start
+WARNING: translation string unused: vpn delayed start help
WARNING: translation string unused: vpn incompatible use of defaultroute
WARNING: translation string unused: vpn mtu invalid
WARNING: translation string unused: vpn on blue
WARNING: translation string unused: vpn on green
WARNING: translation string unused: vpn on orange
+WARNING: translation string unused: vpn red name
WARNING: translation string unused: vpn watch
WARNING: translation string unused: warn when traffic reaches
WARNING: translation string unused: web proxy configuration
WARNING: untranslated string: crypto warning = Cryptographic warning
WARNING: untranslated string: dead peer detection = Dead Peer Detection
WARNING: untranslated string: default = Default
+WARNING: untranslated string: default IP address = Default IP Address
WARNING: untranslated string: deprecated fs warn = Deprecated filesystem! Newer kernel drop the support. Backup and reformat!
WARNING: untranslated string: details = Details
WARNING: untranslated string: dh = Diffie-Hellman parameters
WARNING: untranslated string: incoming traffic in bytes per second = Incoming Traffic
WARNING: untranslated string: info messages = unknown string
WARNING: untranslated string: integrity = Integrity:
+WARNING: untranslated string: interface mode = Interface
WARNING: untranslated string: invalid input for dpd delay = Invalid input for DPD delay
WARNING: untranslated string: invalid input for dpd timeout = Invalid input for DPD timeout
WARNING: untranslated string: invalid input for inactivity timeout = Invalid input for Inactivity Timeout
+WARNING: untranslated string: invalid input for interface address = Invalid input for interface address
+WARNING: untranslated string: invalid input for interface mode = Invalid input for interface mode
+WARNING: untranslated string: invalid input for interface mtu = Invalid input to interface MTU
+WARNING: untranslated string: invalid input for local ip address = Invalid input for local IP address
+WARNING: untranslated string: invalid input for mode = Invalid input for mode
WARNING: untranslated string: invalid input for valid till days = Invalid input for Valid till (days).
WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hostname
WARNING: untranslated string: invalid logserver protocol = Invalid syslogd server protocol
WARNING: untranslated string: ipsec = IPsec
+WARNING: untranslated string: ipsec connection = IPsec Connection
+WARNING: untranslated string: ipsec interface mode gre = GRE
+WARNING: untranslated string: ipsec interface mode none = - None (Default) -
+WARNING: untranslated string: ipsec interface mode vti = VTI
+WARNING: untranslated string: ipsec mode transport = Transport
+WARNING: untranslated string: ipsec mode tunnel = Tunnel
WARNING: untranslated string: ipsec network = IPsec network
+WARNING: untranslated string: ipsec settings = IPsec Settings
WARNING: untranslated string: last = Last
WARNING: untranslated string: least preferred = least preferred
WARNING: untranslated string: lifetime = Lifetime:
+WARNING: untranslated string: local ip address = Local IP Address
WARNING: untranslated string: log server protocol = protocol:
WARNING: untranslated string: mac filter = MAC filter
WARNING: untranslated string: masquerade blue = Masquerade BLUE
WARNING: untranslated string: modem status = Modem Status
WARNING: untranslated string: monitor interface = Monitor Interface
WARNING: untranslated string: most preferred = most preferred
+WARNING: untranslated string: mtu = MTU
WARNING: untranslated string: nameserver = Nameserver
WARNING: untranslated string: no data = unknown string
WARNING: untranslated string: none = none
WARNING: untranslated string: ssh no active logins = No active logins
WARNING: untranslated string: ssh username = Username
WARNING: untranslated string: static routes = Static Routes
+WARNING: untranslated string: subnet mask = Subnet Mask
WARNING: untranslated string: support donation = Support the IPFire project with your donation
WARNING: untranslated string: system has rdrand = This system has support for Intel(R) RDRAND.
WARNING: untranslated string: ta key = TLS-Authentification-Key
WARNING: untranslated string: tor traffic limit soft = Traffic limit almost reached. Not accepting any new connections.
WARNING: untranslated string: tor traffic read written = Total traffic (read/written)
WARNING: untranslated string: tor use exit nodes = Use only these exit nodes (one per line)
+WARNING: untranslated string: transport mode does not support vti = VTI is not support in transport mode
WARNING: untranslated string: twelve hours = 12 Hours
WARNING: untranslated string: two weeks = Two Weeks
WARNING: untranslated string: udp less overhead = UDP (less overhead)
WARNING: untranslated string: vpn start action add = Wait for connection initiation
WARNING: untranslated string: vpn start action route = On Demand
WARNING: untranslated string: vpn start action start = Always On
-WARNING: untranslated string: vpn statistic n2n = OpenVPN Net-to-Net Statistics
-WARNING: untranslated string: vpn statistic rw = OpenVPN Roadwarrior Statistics
+WARNING: untranslated string: vpn statistic n2n = VPN: Net-to-Net Statistics
+WARNING: untranslated string: vpn statistic rw = VPN: Roadwarrior Statistics
WARNING: untranslated string: vpn statistics n2n = unknown string
WARNING: untranslated string: vpn wait = WAITING
WARNING: untranslated string: vpn weak = Weak
WARNING: translation string unused: min size
WARNING: translation string unused: missing dat
WARNING: translation string unused: missing gz
-WARNING: translation string unused: mode
WARNING: translation string unused: modem on com1
WARNING: translation string unused: modem on com2
WARNING: translation string unused: modem on com3
WARNING: translation string unused: view log
WARNING: translation string unused: vpn aggrmode
WARNING: translation string unused: vpn configuration main
+WARNING: translation string unused: vpn delayed start
+WARNING: translation string unused: vpn delayed start help
WARNING: translation string unused: vpn incompatible use of defaultroute
WARNING: translation string unused: vpn mtu invalid
WARNING: translation string unused: vpn on blue
WARNING: translation string unused: vpn on green
WARNING: translation string unused: vpn on orange
+WARNING: translation string unused: vpn red name
WARNING: translation string unused: vpn watch
WARNING: translation string unused: warn when traffic reaches
WARNING: translation string unused: web proxy configuration
WARNING: untranslated string: bytes = unknown string
WARNING: untranslated string: crypto error = Cryptographic error
WARNING: untranslated string: crypto warning = Cryptographic warning
+WARNING: untranslated string: default IP address = Default IP Address
WARNING: untranslated string: dnsforward forward_servers = Nameservers
WARNING: untranslated string: fwdfw all subnets = All subnets
WARNING: untranslated string: fwhost cust geoipgrp = unknown string
WARNING: untranslated string: guardian watch snort alertfile = unknown string
WARNING: untranslated string: ike lifetime should be between 1 and 8 hours = unknown string
WARNING: untranslated string: info messages = unknown string
+WARNING: untranslated string: interface mode = Interface
+WARNING: untranslated string: invalid input for interface address = Invalid input for interface address
+WARNING: untranslated string: invalid input for interface mode = Invalid input for interface mode
+WARNING: untranslated string: invalid input for interface mtu = Invalid input to interface MTU
+WARNING: untranslated string: invalid input for local ip address = Invalid input for local IP address
+WARNING: untranslated string: invalid input for mode = Invalid input for mode
WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hostname
+WARNING: untranslated string: ipsec connection = IPsec Connection
+WARNING: untranslated string: ipsec interface mode gre = GRE
+WARNING: untranslated string: ipsec interface mode none = - None (Default) -
+WARNING: untranslated string: ipsec interface mode vti = VTI
+WARNING: untranslated string: ipsec mode transport = Transport
+WARNING: untranslated string: ipsec mode tunnel = Tunnel
+WARNING: untranslated string: ipsec settings = IPsec Settings
+WARNING: untranslated string: local ip address = Local IP Address
+WARNING: untranslated string: mtu = MTU
WARNING: untranslated string: no data = unknown string
WARNING: untranslated string: ovpn error dh = The Diffie-Hellman parameter needs to be in minimum 2048 bit! <br>Please generate or upload a new Diffie-Hellman parameter, this can be made below in the section "Diffie-Hellman parameters options".</br>
WARNING: untranslated string: ovpn error md5 = You host certificate uses MD5 for the signature which is not accepted anymore. <br>Please update to the latest IPFire version and generate a new root and host certificate.</br><br>All OpenVPN clients needs then to be renewed!</br>
WARNING: untranslated string: ssh login time = Logged in since
WARNING: untranslated string: ssh no active logins = No active logins
WARNING: untranslated string: ssh username = Username
+WARNING: untranslated string: subnet mask = Subnet Mask
+WARNING: untranslated string: transport mode does not support vti = VTI is not support in transport mode
WARNING: untranslated string: vpn start action add = Wait for connection initiation
WARNING: untranslated string: vpn statistics n2n = unknown string
WARNING: untranslated string: vpn wait = WAITING
< choose media
< community rules
< could not connect to www ipfire org
+< cryptographic settings
< dead peer detection
+< default IP address
< dhcp server disabled on blue interface
< dhcp server enabled on blue interface
< dh name is invalid
< g.lite
< guardian
< insert removable device
-< none
+< interface mode
< notes
-< qos add subclass
< quick control
< shaping add options
< show areas
< updxlrtr used by
< upload fcdsl.o
< vpn configuration main
-< vpn force mobike
############################################################################
# Checking cgi-bin translations for language: es #
############################################################################
< countrycode
< country codes and flags
< crypto error
+< cryptographic settings
< crypto warning
< dead peer detection
< default
< default ip
+< default IP address
< deprecated fs warn
< details
< dh
< incoming firewall access
< incoming overhead in bytes per second
< integrity
+< interface mode
< invalid input for dpd delay
< invalid input for dpd timeout
< invalid input for inactivity timeout
+< invalid input for interface address
+< invalid input for interface mode
+< invalid input for interface mtu
+< invalid input for local ip address
+< invalid input for mode
< invalid input for valid till days
< invalid ip or hostname
< invalid logserver protocol
< ipsec
+< ipsec connection
+< ipsec interface mode gre
+< ipsec interface mode none
+< ipsec interface mode vti
+< ipsec mode transport
+< ipsec mode tunnel
< ipsec network
< ipsec no connections
+< ipsec settings
< last
< least preferred
< lifetime
+< local ip address
< log server protocol
< mac filter
< masquerade blue
< modem status
< monitor interface
< most preferred
+< mtu
< MTU settings
< nameserver
< never
< ssh no active logins
< ssh username
< static routes
+< subnet mask
< support donation
< system has hwrng
< system has rdrand
< tor traffic limit soft
< tor traffic read written
< tor use exit nodes
+< transport mode does not support vti
< twelve hours
< two weeks
< udp less overhead
############################################################################
# Checking cgi-bin translations for language: fr #
############################################################################
-< dnsforward forward_servers
-< invalid ip or hostname
+< cryptographic settings
+< default IP address
+< interface mode
+< invalid input for interface address
+< invalid input for interface mode
+< invalid input for interface mtu
+< invalid input for local ip address
+< invalid input for mode
+< ipsec connection
+< ipsec interface mode gre
+< ipsec interface mode none
+< ipsec interface mode vti
+< ipsec mode transport
+< ipsec mode tunnel
+< ipsec settings
+< local ip address
+< mtu
+< subnet mask
+< transport mode does not support vti
############################################################################
# Checking cgi-bin translations for language: it #
############################################################################
< Captive wrong ext
< check all
< crypto error
+< cryptographic settings
< crypto warning
+< default IP address
< dhcp dns enable update
< dhcp dns key name
< dhcp dns update
< guardian
< incoming compression in bytes per second
< incoming overhead in bytes per second
+< interface mode
< invalid input for inactivity timeout
+< invalid input for interface address
+< invalid input for interface mode
+< invalid input for interface mtu
+< invalid input for local ip address
+< invalid input for mode
< invalid input for valid till days
< invalid ip or hostname
< invalid logserver protocol
+< ipsec connection
+< ipsec interface mode gre
+< ipsec interface mode none
+< ipsec interface mode vti
+< ipsec mode transport
+< ipsec mode tunnel
+< ipsec settings
+< local ip address
< log server protocol
< masquerade blue
< masquerade green
< masquerading disabled
< masquerading enabled
< messages
+< mtu
< MTU settings
< none
< Number of Countries for the pie chart
< ssh login time
< ssh no active logins
< ssh username
+< subnet mask
< tcp more reliable
< ten minutes
< thirty minutes
+< transport mode does not support vti
< twelve hours
< two weeks
< udp less overhead
< Captive wrong ext
< check all
< crypto error
+< cryptographic settings
< crypto warning
< default
+< default IP address
< dh
< dhcp dns enable update
< dhcp dns key name
< imsi
< incoming compression in bytes per second
< incoming overhead in bytes per second
+< interface mode
< invalid input for inactivity timeout
+< invalid input for interface address
+< invalid input for interface mode
+< invalid input for interface mtu
+< invalid input for local ip address
+< invalid input for mode
< invalid input for valid till days
< invalid ip or hostname
< invalid logserver protocol
+< ipsec connection
+< ipsec interface mode gre
+< ipsec interface mode none
+< ipsec interface mode vti
+< ipsec mode transport
+< ipsec mode tunnel
+< ipsec settings
+< local ip address
< log server protocol
< masquerade blue
< masquerade green
< modem sim information
< modem status
< monitor interface
+< mtu
< MTU settings
< nameserver
< never
< ssh login time
< ssh no active logins
< ssh username
+< subnet mask
< ta key
< tcp more reliable
< ten minutes
< teovpn_fragment
< thirty minutes
+< transport mode does not support vti
< twelve hours
< two weeks
< udp less overhead
< countrycode
< country codes and flags
< crypto error
+< cryptographic settings
< crypto warning
< dead peer detection
< default
< default ip
+< default IP address
< deprecated fs warn
< details
< dh
< incoming firewall access
< incoming overhead in bytes per second
< integrity
+< interface mode
< invalid input for dpd delay
< invalid input for dpd timeout
< invalid input for inactivity timeout
+< invalid input for interface address
+< invalid input for interface mode
+< invalid input for interface mtu
+< invalid input for local ip address
+< invalid input for mode
< invalid input for valid till days
< invalid ip or hostname
< invalid logserver protocol
< ipsec
+< ipsec connection
+< ipsec interface mode gre
+< ipsec interface mode none
+< ipsec interface mode vti
+< ipsec mode transport
+< ipsec mode tunnel
< ipsec network
< ipsec no connections
+< ipsec settings
< last
< least preferred
< lifetime
+< local ip address
< log server protocol
< mac filter
< masquerade blue
< modem status
< monitor interface
< most preferred
+< mtu
< MTU settings
< nameserver
< never
< ssh no active logins
< ssh username
< static routes
+< subnet mask
< support donation
< system has hwrng
< system has rdrand
< tor traffic limit soft
< tor traffic read written
< tor use exit nodes
+< transport mode does not support vti
< twelve hours
< two weeks
< udp less overhead
< countrycode
< country codes and flags
< crypto error
+< cryptographic settings
< crypto warning
< day-graph
< dead peer detection
< default
< default ip
+< default IP address
< deprecated fs warn
< details
< dh
< incoming overhead in bytes per second
< incoming traffic in bytes per second
< integrity
+< interface mode
< invalid input for dpd delay
< invalid input for dpd timeout
< invalid input for inactivity timeout
+< invalid input for interface address
+< invalid input for interface mode
+< invalid input for interface mtu
+< invalid input for local ip address
+< invalid input for mode
< invalid input for valid till days
< invalid ip or hostname
< invalid logserver protocol
< ipsec
+< ipsec connection
+< ipsec interface mode gre
+< ipsec interface mode none
+< ipsec interface mode vti
+< ipsec mode transport
+< ipsec mode tunnel
< ipsec network
< ipsec no connections
+< ipsec settings
< last
< least preferred
< lifetime
+< local ip address
< log server protocol
< mac filter
< masquerade blue
< monitor interface
< month-graph
< most preferred
+< mtu
< MTU settings
< nameserver
< never
< ssh no active logins
< ssh username
< static routes
+< subnet mask
< support donation
< system has hwrng
< system has rdrand
< tor traffic limit soft
< tor traffic read written
< tor use exit nodes
+< transport mode does not support vti
< twelve hours
< two weeks
< udp less overhead
# Checking cgi-bin translations for language: tr #
############################################################################
< crypto error
+< cryptographic settings
< crypto warning
+< default IP address
< dnsforward forward_servers
< fwdfw all subnets
+< interface mode
+< invalid input for interface address
+< invalid input for interface mode
+< invalid input for interface mtu
+< invalid input for local ip address
+< invalid input for mode
< invalid ip or hostname
+< ipsec connection
+< ipsec interface mode gre
+< ipsec interface mode none
+< ipsec interface mode vti
+< ipsec mode transport
+< ipsec mode tunnel
+< ipsec settings
+< local ip address
+< mtu
< ovpn error dh
< ovpn error md5
< ovpn warning rfc3280
< ssh login time
< ssh no active logins
< ssh username
+< subnet mask
+< transport mode does not support vti
< vpn start action add
< vpn wait
< wlanap neighbor scan
Marcus Scholz,
Ersan Yildirim,
Joern-Ingo Weigert,
-Alfred Haas,
Wolfgang Apolinarski,
+Alfred Haas,
Lars Schuhmacher,
Rene Zingel,
Sascha Kilian,
Bernhard Bitsch,
Dominik Hassler,
Larsen,
-Gabriel Rolland,
Stéphane Pautrel,
+Gabriel Rolland,
Anton D. Seliverstov,
Bernhard Bittner,
David Kleuker,
Nico Prenzel,
Osmar Gonzalez,
Paul T. Simmons,
+Rob Brewer,
Robert Möker,
Stefan Ernst,
Stefan Ferstl,
}
#check if IPSEC is running
if ( $vpnsettings{'ENABLED'} eq 'on' || $vpnsettings{'ENABLED_BLUE'} eq 'on' ) {
- my $ipsecip = $vpnsettings{'VPN_IP'};
print<<END;
<tr>
<td style='width:25%; text-align:center; background-color:$Header::colourvpn;'>
<a href='/cgi-bin/vpnmain.cgi' style='color:white'><b>$Lang::tr{'ipsec'}</b></a>
</td>
- <td style='width:30%; text-align:center;'>$ipsecip</td>
+ <td style='width:30%; text-align:center;'></td>
<td style='width:45%; text-align:center; color:$Header::colourgreen;'>Online</td>
</tr>
END
&General::readhash("${General::swroot}/main/settings", \%mainsettings);
&General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color);
+my %vpnsettings = ();
+&General::readhasharray("${General::swroot}/vpn/config", \%vpnsettings);
+
my @vpns=();
+# Make list of all IPsec graphs
+my %ipsecgraphs = ();
+foreach my $key (sort {$vpnsettings{$a}[1] <=> $vpnsettings{$b}[1]} keys %vpnsettings) {
+ my $interface_mode = $vpnsettings{$key}[36];
+ next unless ($interface_mode);
+
+ $ipsecgraphs{$vpnsettings{$key}[1]} = "${interface_mode}${key}";
+}
+
my @querry = split(/\?/,$ENV{'QUERY_STRING'});
$querry[0] = '' unless defined $querry[0];
$querry[1] = 'week' unless defined $querry[1];
if ( $querry[0] ne ""){
print "Content-type: image/png\n\n";
binmode(STDOUT);
- &Graphs::updatevpnn2ngraph($querry[0],$querry[1]);
+ if (grep { $_ eq $querry[0] } values %ipsecgraphs) {
+ &Graphs::updateifgraph($querry[0],$querry[1]);
+ } else {
+ &Graphs::updatevpnn2ngraph($querry[0],$querry[1]);
+ }
}else{
&Header::showhttpheaders();
&Header::openpage($Lang::tr{'vpn statistic n2n'}, 1, '');
push(@vpns,$2);
}
}
- if (@vpns){
+ if (@vpns || %ipsecgraphs) {
+ foreach my $name (sort keys %ipsecgraphs) {
+ &Header::openbox('100%', 'center', "$Lang::tr{'ipsec connection'}: $name");
+ &Graphs::makegraphbox("netovpnsrv.cgi", $ipsecgraphs{$name}, "day");
+ &Header::closebox();
+ }
+
foreach (@vpns) {
&Header::openbox('100%', 'center', "$_ $Lang::tr{'graph'}");
&Graphs::makegraphbox("netovpnsrv.cgi",$_, "day");
my $identhosts = "$identdir/hosts";
-my $authdir = "/usr/lib/squid/";
+my $authdir = "/usr/lib/squid";
my $errordir = "/usr/lib/squid/errors";
my $acl_src_subnets = "$acldir/src_subnets.acl";
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2013 IPFire Team <info@ipfire.org> #
+# Copyright (C) 2013-2019 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
undef (@dummy);
my @bandwidth_limits = (
- 1000 * 1024, # 1G
+ 1000 * 1024, # 1 GBit/s
500 * 1024,
200 * 1024,
- 100 * 1024, # 100M
+ 100 * 1024, # 100 MBit/s
64 * 1024,
50 * 1024,
25 * 1024,
8 * 1024,
4 * 1024,
2 * 1024,
- 1024, # 1M
- 512,
- 256,
- 160
+ 1024 # 1 MBit/s
);
my @accounting_periods = ('daily', 'weekly', 'monthly');
<tr>
<td width='40%' class='base'>$Lang::tr{'tor relay fingerprint'}:</td>
<td width='60%'>
- <a href='https://atlas.torproject.org/#details/$fingerprint' target='_blank'>$fingerprint</a>
+ <a href='https://metrics.torproject.org/rs.html#details/$fingerprint' target='_blank'>$fingerprint</a>
</td>
</tr>
END
print <<END;
<tr>
<td width='40%'>
- <a href='https://atlas.torproject.org/#details/$node->{'fingerprint'}' target='_blank'>
+ <a href='https://metrics.torproject.org/rs.html#details/$node->{'fingerprint'}' target='_blank'>
$node->{'name'}
</a>
</td>
0 => "- $Lang::tr{'unlimited'} -",
);
+# Load aliases
+my %aliases;
+&General::get_aliases(\%aliases);
+
my $col="";
$cgiparams{'ENABLED'} = 'off';
$cgiparams{'NAME'} = '';
$cgiparams{'LOCAL_SUBNET'} = '';
$cgiparams{'REMOTE_SUBNET'} = '';
+$cgiparams{'LOCAL'} = '';
$cgiparams{'REMOTE'} = '';
$cgiparams{'LOCAL_ID'} = '';
$cgiparams{'REMOTE_ID'} = '';
$cgiparams{'DPD_DELAY'} = '30';
$cgiparams{'DPD_TIMEOUT'} = '120';
$cgiparams{'FORCE_MOBIKE'} = 'off';
-$cgiparams{'START_ACTION'} = 'start';
-$cgiparams{'INACTIVITY_TIMEOUT'} = 900;
+$cgiparams{'START_ACTION'} = 'route';
+$cgiparams{'INACTIVITY_TIMEOUT'} = 1800;
+$cgiparams{'MODE'} = "tunnel";
+$cgiparams{'INTERFACE_MODE'} = "";
+$cgiparams{'INTERFACE_ADDRESS'} = "";
+$cgiparams{'INTERFACE_MTU'} = 1500;
&Header::getcgihash(\%cgiparams, {'wantfile' => 1, 'filevar' => 'FH'});
###
#remote peer is not set? => use '%any'
$lconfighash{$key}[10] = '%any' if ($lconfighash{$key}[10] eq '');
+ # Field 6 might be "off" on old installations
+ if ($lconfighash{$key}[6] eq "off") {
+ $lconfighash{$key}[6] = $lvpnsettings{"VPN_IP"};
+ }
+
my $localside;
- if ($lconfighash{$key}[26] eq 'BLUE') {
- $localside = $netsettings{'BLUE_ADDRESS'};
- } elsif ($lconfighash{$key}[26] eq 'GREEN') {
- $localside = $netsettings{'GREEN_ADDRESS'};
- } elsif ($lconfighash{$key}[26] eq 'ORANGE') {
- $localside = $netsettings{'ORANGE_ADDRESS'};
- } else { # it is RED
- $localside = $lvpnsettings{'VPN_IP'};
+ if ($lconfighash{$key}[6]) {
+ $localside = $lconfighash{$key}[6];
+ } else {
+ $localside = "%defaultroute";
}
+ my $interface_mode = $lconfighash{$key}[36];
+
print CONF "conn $lconfighash{$key}[1]\n";
print CONF "\tleft=$localside\n";
- print CONF "\tleftsubnet=" . &make_subnets($lconfighash{$key}[8]) . "\n";
+
+ if ($interface_mode eq "gre") {
+ print CONF "\tleftprotoport=gre\n";
+ } elsif ($interface_mode eq "vti") {
+ print CONF "\tleftsubnet=0.0.0.0/0\n";
+ } else {
+ print CONF "\tleftsubnet=" . &make_subnets("left", $lconfighash{$key}[8]) . "\n";
+ }
+
print CONF "\tleftfirewall=yes\n";
print CONF "\tlefthostaccess=yes\n";
print CONF "\tright=$lconfighash{$key}[10]\n";
if ($lconfighash{$key}[3] eq 'net') {
- print CONF "\trightsubnet=" . &make_subnets($lconfighash{$key}[11]) . "\n";
+ if ($interface_mode eq "gre") {
+ print CONF "\trightprotoport=gre\n";
+ } elsif ($interface_mode eq "vti") {
+ print CONF "\trightsubnet=0.0.0.0/0\n";
+ } else {
+ print CONF "\trightsubnet=" . &make_subnets("right", $lconfighash{$key}[11]) . "\n";
+ }
}
# Local Cert and Remote Cert (unless auth is DN dn-auth)
print CONF "\tleftid=\"$lconfighash{$key}[7]\"\n" if ($lconfighash{$key}[7]);
print CONF "\trightid=\"$lconfighash{$key}[9]\"\n" if ($lconfighash{$key}[9]);
+ # Set mode
+ if ($lconfighash{$key}[35] eq "transport") {
+ print CONF "\ttype=transport\n";
+ } else {
+ print CONF "\ttype=tunnel\n";
+ }
+
+ # Add mark for VTI
+ if ($interface_mode eq "vti") {
+ print CONF "\tmark=$key\n";
+ }
+
# Is PFS enabled?
my $pfs = $lconfighash{$key}[28] eq 'on' ? 'on' : 'off';
if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cgiparams{'KEY'} eq '') {
&General::readhash("${General::swroot}/vpn/settings", \%vpnsettings);
- unless (&General::validfqdn($cgiparams{'VPN_IP'}) || &General::validip($cgiparams{'VPN_IP'})
- || $cgiparams{'VPN_IP'} eq '%defaultroute' ) {
- $errormessage = $Lang::tr{'invalid input for hostname'};
- goto SAVE_ERROR;
- }
-
- unless ($cgiparams{'VPN_DELAYED_START'} =~ /^[0-9]{1,3}$/ ) { #allow 0-999 seconds !
- $errormessage = $Lang::tr{'invalid time period'};
- goto SAVE_ERROR;
- }
-
if ( $cgiparams{'RW_NET'} ne '' and !&General::validipandmask($cgiparams{'RW_NET'}) ) {
$errormessage = $Lang::tr{'urlfilter invalid ip or mask error'};
goto SAVE_ERROR;
}
$vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'};
- $vpnsettings{'VPN_IP'} = $cgiparams{'VPN_IP'};
- $vpnsettings{'VPN_DELAYED_START'} = $cgiparams{'VPN_DELAYED_START'};
$vpnsettings{'RW_NET'} = $cgiparams{'RW_NET'};
&General::writehash("${General::swroot}/vpn/settings", \%vpnsettings);
&writeipsecfiles();
$cgiparams{'TYPE'} = $confighash{$cgiparams{'KEY'}}[3];
$cgiparams{'AUTH'} = $confighash{$cgiparams{'KEY'}}[4];
$cgiparams{'PSK'} = $confighash{$cgiparams{'KEY'}}[5];
- #$cgiparams{'free'} = $confighash{$cgiparams{'KEY'}}[6];
+ $cgiparams{'LOCAL'} = $confighash{$cgiparams{'KEY'}}[6];
$cgiparams{'LOCAL_ID'} = $confighash{$cgiparams{'KEY'}}[7];
my @local_subnets = split(",", $confighash{$cgiparams{'KEY'}}[8]);
$cgiparams{'LOCAL_SUBNET'} = join(/\|/, @local_subnets);
$cgiparams{'DPD_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[30];
$cgiparams{'DPD_DELAY'} = $confighash{$cgiparams{'KEY'}}[31];
$cgiparams{'FORCE_MOBIKE'} = $confighash{$cgiparams{'KEY'}}[32];
+ $cgiparams{'START_ACTION'} = $confighash{$cgiparams{'KEY'}}[33];
$cgiparams{'INACTIVITY_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[34];
+ $cgiparams{'MODE'} = $confighash{$cgiparams{'KEY'}}[35];
+ $cgiparams{'INTERFACE_MODE'} = $confighash{$cgiparams{'KEY'}}[36];
+ $cgiparams{'INTERFACE_ADDRESS'} = $confighash{$cgiparams{'KEY'}}[37];
+ $cgiparams{'INTERFACE_MTU'} = $confighash{$cgiparams{'KEY'}}[38];
if (!$cgiparams{'DPD_DELAY'}) {
$cgiparams{'DPD_DELAY'} = 30;
$cgiparams{'INACTIVITY_TIMEOUT'} = 900;
}
+ if ($cgiparams{'MODE'} eq "") {
+ $cgiparams{'MODE'} = "tunnel";
+ }
+
} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) {
$cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'});
if ($cgiparams{'TYPE'} !~ /^(host|net)$/) {
goto VPNCONF_ERROR;
}
+ if ($cgiparams{'LOCAL'}) {
+ if (($cgiparams{'LOCAL'} ne "") && (!&General::validip($cgiparams{'LOCAL'}))) {
+ $errormessage = $Lang::tr{'invalid input for local ip address'};
+ goto VPNCONF_ERROR;
+ }
+ }
+
if ($cgiparams{'REMOTE'}) {
if (($cgiparams{'REMOTE'} ne '%any') && (! &General::validip($cgiparams{'REMOTE'}))) {
if (! &General::validfqdn ($cgiparams{'REMOTE'})) {
goto VPNCONF_ERROR;
}
}
+
+ if ($cgiparams{'MODE'} !~ /^(tunnel|transport)$/) {
+ $errormessage = $Lang::tr{'invalid input for mode'};
+ goto VPNCONF_ERROR;
+ }
+
+ if ($cgiparams{'INTERFACE_MODE'} !~ /^(|gre|vti)$/) {
+ $errormessage = $Lang::tr{'invalid input for interface mode'};
+ goto VPNCONF_ERROR;
+ }
+
+ if (($cgiparams{'INTERFACE_MODE'} eq "vti") && ($cgiparams{'MODE'} eq "transport")) {
+ $errormessage = $Lang::tr{'transport mode does not support vti'};
+ goto VPNCONF_ERROR;
+ }
+
+ if (($cgiparams{'INTERFACE_MODE'} ne "") && !&Network::check_subnet($cgiparams{'INTERFACE_ADDRESS'})) {
+ $errormessage = $Lang::tr{'invalid input for interface address'};
+ goto VPNCONF_ERROR;
+ }
+
+ if ($cgiparams{'INTERFACE_MTU'} !~ /^\d+$/) {
+ $errormessage = $Lang::tr{'invalid input for interface mtu'};
+ goto VPNCONF_ERROR;
+ }
}
if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) {
my $key = $cgiparams{'KEY'};
if (! $key) {
$key = &General::findhasharraykey (\%confighash);
- foreach my $i (0 .. 34) { $confighash{$key}[$i] = "";}
+ foreach my $i (0 .. 38) { $confighash{$key}[$i] = "";}
}
$confighash{$key}[0] = $cgiparams{'ENABLED'};
$confighash{$key}[1] = $cgiparams{'NAME'};
my @remote_subnets = split(",", $cgiparams{'REMOTE_SUBNET'});
$confighash{$key}[11] = join('|', @remote_subnets);
}
+ $confighash{$key}[6] = $cgiparams{'LOCAL'};
$confighash{$key}[7] = $cgiparams{'LOCAL_ID'};
my @local_subnets = split(",", $cgiparams{'LOCAL_SUBNET'});
$confighash{$key}[8] = join('|', @local_subnets);
$confighash{$key}[30] = $cgiparams{'DPD_TIMEOUT'};
$confighash{$key}[31] = $cgiparams{'DPD_DELAY'};
$confighash{$key}[32] = $cgiparams{'FORCE_MOBIKE'};
+ $confighash{$key}[33] = $cgiparams{'START_ACTION'};
$confighash{$key}[34] = $cgiparams{'INACTIVITY_TIMEOUT'};
+ $confighash{$key}[35] = $cgiparams{'MODE'};
+ $confighash{$key}[36] = $cgiparams{'INTERFACE_MODE'};
+ $confighash{$key}[37] = $cgiparams{'INTERFACE_ADDRESS'};
+ $confighash{$key}[38] = $cgiparams{'INTERFACE_MTU'};
# free unused fields!
- $confighash{$key}[6] = 'off';
$confighash{$key}[15] = 'off';
&General::writehasharray("${General::swroot}/vpn/config", \%confighash);
} else {
$cgiparams{'AUTH'} = 'certgen';
}
- $cgiparams{'LOCAL_SUBNET'} = "$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}";
+
+ if ($netsettings{"GREEN_NETADDRESS"} && $netsettings{"GREEN_NETMASK"}) {
+ $cgiparams{"LOCAL_SUBNET"} = $netsettings{'GREEN_NETADDRESS'} . "/" . $netsettings{'GREEN_NETMASK'};
+ } else {
+ $cgiparams{"LOCAL_SUBNET"} = "";
+ }
$cgiparams{'CERT_EMAIL'} = $vpnsettings{'ROOTCERT_EMAIL'};
$cgiparams{'CERT_OU'} = $vpnsettings{'ROOTCERT_OU'};
$cgiparams{'CERT_ORGANIZATION'} = $vpnsettings{'ROOTCERT_ORGANIZATION'};
$cgiparams{'ONLY_PROPOSED'} = 'on'; #[24];
$cgiparams{'PFS'} = 'on'; #[28];
$cgiparams{'INACTIVITY_TIMEOUT'} = 900;
+ $cgiparams{'MODE'} = "tunnel";
+ $cgiparams{'INTERFACE_MODE'} = "";
+ $cgiparams{'INTERFACE_ADDRESS'} = "";
+ $cgiparams{'INTERFACE_MTU'} = 1500;
}
VPNCONF_ERROR:
$checked{'AUTH'}{'auth-dn'} = '';
$checked{'AUTH'}{$cgiparams{'AUTH'}} = "checked='checked'";
+ $selected{'MODE'}{'tunnel'} = '';
+ $selected{'MODE'}{'transport'} = '';
+ $selected{'MODE'}{$cgiparams{'MODE'}} = "selected='selected'";
+
+ $selected{'INTERFACE_MODE'}{''} = '';
+ $selected{'INTERFACE_MODE'}{'gre'} = '';
+ $selected{'INTERFACE_MODE'}{'vti'} = '';
+ $selected{'INTERFACE_MODE'}{$cgiparams{'INTERFACE_MODE'}} = "selected='selected'";
+
+ $selected{'LOCAL'}{''} = '';
+ foreach my $alias (sort keys %aliases) {
+ my $address = $aliases{$alias}{'IPT'};
+
+ $selected{'LOCAL'}{$address} = '';
+ }
+ $selected{'LOCAL'}{$cgiparams{'LOCAL'}} = "selected='selected'";
+
&Header::showhttpheaders();
&Header::openpage($Lang::tr{'ipsec'}, 1, '');
&Header::openbigbox('100%', 'left', '', $errormessage);
<input type='hidden' name='DPD_DELAY' value='$cgiparams{'DPD_DELAY'}' />
<input type='hidden' name='DPD_TIMEOUT' value='$cgiparams{'DPD_TIMEOUT'}' />
<input type='hidden' name='FORCE_MOBIKE' value='$cgiparams{'FORCE_MOBIKE'}' />
+ <input type='hidden' name='START_ACTION' value='$cgiparams{'START_ACTION'}' />
+ <input type='hidden' name='INACTIVITY_TIMEOUT' value='$cgiparams{'INACTIVITY_TIMEOUT'}' />
END
;
if ($cgiparams{'KEY'}) {
my @remote_subnets = split(/\|/, $cgiparams{'REMOTE_SUBNET'});
my $remote_subnets = join(",", @remote_subnets);
- print <<END
+ print <<END;
<tr>
<td width='20%'>$Lang::tr{'enabled'}</td>
<td width='30%'>
<input type='checkbox' name='ENABLED' $checked{'ENABLED'}{'on'} />
</td>
- <td class='boldbase' nowrap='nowrap' width='20%'>$Lang::tr{'local subnet'} <img src='/blob.gif' alt='*' /></td>
- <td width='30%'>
- <input type='text' name='LOCAL_SUBNET' value='$local_subnets' />
- </td>
+ <td colspan="2"></td>
</tr>
<tr>
+ <td class='boldbase' width='20%'>$Lang::tr{'local ip address'}:</td>
+ <td width='30%'>
+ <select name="LOCAL">
+ <option value="" $selected{'LOCAL'}{''}>- $Lang::tr{'default IP address'} -</option>
+END
+
+ foreach my $alias (sort keys %aliases) {
+ my $address = $aliases{$alias}{'IPT'};
+ print <<END;
+ <option value="$address" $selected{'LOCAL'}{$address}>$alias ($address)</option>
+END
+ }
+
+ print <<END;
+ </select>
+ </td>
<td class='boldbase' width='20%'>$Lang::tr{'remote host/ip'}: $blob</td>
<td width='30%'>
<input type='text' name='REMOTE' value='$cgiparams{'REMOTE'}' size="25" />
</td>
+ </tr>
+ <tr>
+ <td class='boldbase' nowrap='nowrap' width='20%'>$Lang::tr{'local subnet'} <img src='/blob.gif' alt='*' /></td>
+ <td width='30%'>
+ <input type='text' name='LOCAL_SUBNET' value='$local_subnets' size="25" />
+ </td>
<td class='boldbase' nowrap='nowrap' width='20%'>$Lang::tr{'remote subnet'} $blob</td>
<td width='30%'>
- <input $disabled type='text' name='REMOTE_SUBNET' value='$remote_subnets' />
+ <input $disabled type='text' name='REMOTE_SUBNET' value='$remote_subnets' size="25" />
</td>
</tr>
<tr>
print "</table>";
&Header::closebox();
+ if ($cgiparams{'TYPE'} eq 'net') {
+ &Header::openbox('100%', 'left', $Lang::tr{'ipsec settings'});
+ print <<EOF;
+ <table width='100%'>
+ <tbody>
+ <tr>
+ <td class='boldbase' width='20%'>$Lang::tr{'mode'}:</td>
+ <td width='30%'>
+ <select name='MODE'>
+ <option value='tunnel' $selected{'MODE'}{'tunnel'}>$Lang::tr{'ipsec mode tunnel'}</option>
+ <option value='transport' $selected{'MODE'}{'transport'}>$Lang::tr{'ipsec mode transport'}</option>
+ </select>
+ </td>
+ <td colspan='2'></td>
+ </tr>
+
+ <tr>
+ <td class='boldbase' width='20%'>$Lang::tr{'interface mode'}:</td>
+ <td width='30%'>
+ <select name='INTERFACE_MODE'>
+ <option value='' $selected{'INTERFACE_MODE'}{''}>$Lang::tr{'ipsec interface mode none'}</option>
+ <option value='gre' $selected{'INTERFACE_MODE'}{'gre'}>$Lang::tr{'ipsec interface mode gre'}</option>
+ <option value='vti' $selected{'INTERFACE_MODE'}{'vti'}>$Lang::tr{'ipsec interface mode vti'}</option>
+ </select>
+ </td>
+
+ <td class='boldbase' width='20%'>$Lang::tr{'ip address'}/$Lang::tr{'subnet mask'}:</td>
+ <td width='30%'>
+ <input type="text" name="INTERFACE_ADDRESS" value="$cgiparams{'INTERFACE_ADDRESS'}">
+ </td>
+ </tr>
+
+ <tr>
+ <td class='boldbase' width='20%'>$Lang::tr{'mtu'}:</td>
+ <td width='30%'>
+ <input type="number" name="INTERFACE_MTU" value="$cgiparams{'INTERFACE_MTU'}" min="576" max="9000">
+ </td>
+ <td colspan='2'></td>
+ </tr>
+ </tbody>
+ </table>
+EOF
+ &Header::closebox();
+ }
+
if ($cgiparams{'KEY'} && $cgiparams{'AUTH'} eq 'psk') {
&Header::openbox('100%', 'left', $Lang::tr{'authentication'});
print <<END
$cgiparams{'FORCE_MOBIKE'} = $confighash{$cgiparams{'KEY'}}[32];
$cgiparams{'START_ACTION'} = $confighash{$cgiparams{'KEY'}}[33];
$cgiparams{'INACTIVITY_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[34];
+ $cgiparams{'MODE'} = $confighash{$cgiparams{'KEY'}}[35];
+ $cgiparams{'INTERFACE_MODE'} = $confighash{$cgiparams{'KEY'}}[36];
+ $cgiparams{'INTERFACE_ADDRESS'} = $confighash{$cgiparams{'KEY'}}[37];
+ $cgiparams{'INTERFACE_MTU'} = $confighash{$cgiparams{'KEY'}}[38];
if (!$cgiparams{'DPD_DELAY'}) {
$cgiparams{'DPD_DELAY'} = 30;
if ($cgiparams{'INACTIVITY_TIMEOUT'} eq "") {
$cgiparams{'INACTIVITY_TIMEOUT'} = 900; # 15 min
}
+
+ if ($cgiparams{'MODE'} eq "") {
+ $cgiparams{'MODE'} = "tunnel";
+ }
}
ADVANCED_ERROR:
my @status = `/usr/local/bin/ipsecctrl I 2>/dev/null`;
- # suggest a default name for this side
- if ($cgiparams{'VPN_IP'} eq '' && -e "${General::swroot}/red/active") {
- if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) {
- my $ipaddr = <IPADDR>;
- close IPADDR;
- chomp ($ipaddr);
- $cgiparams{'VPN_IP'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0];
- if ($cgiparams{'VPN_IP'} eq '') {
- $cgiparams{'VPN_IP'} = $ipaddr;
- }
- }
- }
- # no IP found, use %defaultroute
- $cgiparams{'VPN_IP'} ='%defaultroute' if ($cgiparams{'VPN_IP'} eq '');
-
- $cgiparams{'VPN_DELAYED_START'} = 0 if (! defined ($cgiparams{'VPN_DELAYED_START'}));
$checked{'ENABLED'} = $cgiparams{'ENABLED'} eq 'on' ? "checked='checked'" : '';
&Header::showhttpheaders();
print <<END
<form method='post' action='$ENV{'SCRIPT_NAME'}'>
<table width='100%'>
- <tr>
- <td width='20%' class='base' nowrap='nowrap'>$Lang::tr{'vpn red name'}: <img src='/blob.gif' alt='*' /></td>
- <td width='20%'><input type='text' name='VPN_IP' value='$cgiparams{'VPN_IP'}' /></td>
- <td width='20%' class='base'>$Lang::tr{'enabled'}<input type='checkbox' name='ENABLED' $checked{'ENABLED'} /></td>
- </tr>
-END
-;
-print <<END
- <tr>
- <td class='base' nowrap='nowrap'>$Lang::tr{'vpn delayed start'}: <img src='/blob.gif' alt='*' /><img src='/blob.gif' alt='*' /></td>
- <td ><input type='text' name='VPN_DELAYED_START' value='$cgiparams{'VPN_DELAYED_START'}' /></td>
- </tr>
- <tr>
- <td class='base' nowrap='nowrap'>$Lang::tr{'host to net vpn'}:</td>
- <td ><input type='text' name='RW_NET' value='$cgiparams{'RW_NET'}' /></td>
- </tr>
-</table>
-<br>
-<hr />
-<table width='100%'>
-<tr>
- <td class='base' valign='top'><img src='/blob.gif' alt='*' /></td>
- <td width='70%' class='base' valign='top'>$Lang::tr{'required field'}</td><td width='30%' align='right' class='base'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' /></td>
-</tr>
-<tr>
- <td class='base' valign='top' nowrap='nowrap'><img src='/blob.gif' alt='*' /><img src='/blob.gif' alt='*' /> </td>
- <td class='base'> <font class='base'>$Lang::tr{'vpn delayed start help'}</font></td>
- <td></td>
-</tr>
+ <tr>
+ <td width='60%' class='base'>
+ $Lang::tr{'enabled'}
+ </td>
+ <td width="40%">
+ <input type='checkbox' name='ENABLED' $checked{'ENABLED'} />
+ </td>
+ </tr>
+ <tr>
+ <td class='base' nowrap='nowrap' width="60%">$Lang::tr{'host to net vpn'}:</td>
+ <td width="40%"><input type='text' name='RW_NET' value='$cgiparams{'RW_NET'}' /></td>
+ </tr>
+ <tr>
+ <td width='100%' colspan="2" align='right' class='base'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' /></td>
+ </tr>
</table>
END
;
return &array_unique(\@algos);
}
-sub make_subnets($) {
+sub make_subnets($$) {
+ my $direction = shift;
my $subnets = shift;
my @nets = split(/\|/, $subnets);
my @cidr_nets = ();
foreach my $net (@nets) {
my $cidr_net = &General::ipcidr($net);
+
+ # Skip 0.0.0.0/0 for remote because this renders the
+ # while system inaccessible
+ next if (($direction eq "right") && ($cidr_net eq "0.0.0.0/0"));
+
push(@cidr_nets, $cidr_net);
}
'invalid input for hostname' => 'Ungültige Eingabe für Hostname',
'invalid input for ike lifetime' => 'Ungültige Eingabe für IKE Lebensdauer',
'invalid input for inactivity timeout' => 'Ungültige Eingabe für Inaktivitätstimeout',
+'invalid input for interface address' => 'Ungültige Eingabe für die Interface-Adresse',
+'invalid input for interface mode' => 'Ungültige Eingabe des Interface-Modus',
+'invalid input for interface mtu' => 'Ungültige Eingabe für die Interface-MTU',
'invalid input for keepalive 1' => 'Ungültige Eingabe für Keepalive ping',
'invalid input for keepalive 1:2' => 'Ungültige Eingabe für Keepalive (mindestens ein Verhältnis von 1:2)',
'invalid input for keepalive 2' => 'Ungültige Eingabe für Keepalive ping-restart',
+'invalid input for local ip address' => 'Ungültige Eingabe für die lokale IP-Adresse',
'invalid input for max clients' => 'Ungültige Eingabe für Max Clients',
+'invalid input for mode' => 'Ungültige Eingabe des Modus',
'invalid input for name' => 'Ungültige Eingabe für vollen Namen des Benutzers oder des System Hostnamens',
'invalid input for oink code' => 'Ungültige Eingabe für Oink Code',
'invalid input for organization' => 'Ungültige Eingabe für Organisation',
'ipfires hostname' => 'IPFire\'s Hostname',
'ipinfo' => 'IP-Info',
'ipsec' => 'IPsec',
+'ipsec connection' => 'IPsec-Verbindung',
+'ipsec interface mode gre' => 'GRE',
+'ipsec interface mode none' => '- Kein Interface (Standard) -',
+'ipsec interface mode vti' => 'VTI',
+'ipsec mode transport' => 'Transport',
+'ipsec mode tunnel' => 'Tunnel',
'ipsec network' => 'IPsec-Netzwerk',
'ipsec no connections' => 'Keine aktiven IPsec-Verbindungen',
+'ipsec settings' => 'IPsec-Einstellungen',
'iptable rules' => 'IPTable-Regeln',
'iptmangles' => 'IPTable Mangles',
'iptnats' => 'IPTable Network Address Translation',
'load printer' => 'Lade Drucker',
'loaded modules' => 'Geladene Module:',
'local hard disk' => 'Festplatte',
+'local ip address' => 'Lokale IP-Adresse',
'local master' => 'Local Master',
'local ntp server specified but not enabled' => 'Lokaler NTP Server angegeben aber nicht aktiviert',
'local subnet' => 'Lokales Subnetz:',
'mpfire search' => 'MPFire Suche',
'mpfire songs' => 'MPFire Songliste',
'mpfire webradio' => 'MPFire Webradio',
+'mtu' => 'MTU',
'mtu QoS' => 'Diese Einstellung ändert die MTU nicht global sondern nur für das QoS.',
'my new share' => 'Meine neue Freigabe',
'name' => 'Name',
'no modem selected' => 'Kein Modem ausgewählt',
'no set selected' => 'Es wurde kein Satz ausgewählt',
'no time limit' => 'unbregenzte Zeit',
+'none' => 'keiner',
'none found' => 'nichts gefunden',
'nonetworkname' => 'Kein Netzwerkname wurde eingegeben',
'noservicename' => 'Kein Dienstname wurde eingegeben',
'psk' => 'PSK',
'pulse' => 'Puls',
'pulse dial' => 'Pulswahl:',
+'qos add subclass' => 'Unterklasse hinzufügen',
'qos enter bandwidths' => 'Bitte geben Sie ihre Downstream- und Upstream-Bandbreite an!',
'qos graphs' => 'Qos Diagramme',
'qos warning' => 'Die Regel <strong>muss</strong> wieder gespeichert werden, ansonsten wird sie verworfen!',
'subject warn' => 'Warnung - Warnlevel erreicht',
'subnet' => 'Subnet',
'subnet is invalid' => 'Netzmaske ist ungültig',
+'subnet mask' => 'Subnetzmaske',
'subscripted user rules' => 'Sourcefire VRT Regeln mit Abonnement',
'successfully refreshed updates list' => 'Update-Liste erfolgreich aktualisiert.',
'summaries kept' => 'Zusammenfassungen aufheben für',
'trafficto' => 'Nach',
'transfer limits' => 'Transferbeschränkungen',
'transparent on' => 'Transparent auf',
+'transport mode does not support vti' => 'VTI wird im Transport-Modus nicht unterstützt',
'tripwire' => 'Tripwire',
'tripwire cronjob' => 'Tripwire Cronjob',
'tripwire functions' => 'Tripwire Funktionen',
'vpn connecting' => 'VERBINDUNGSAUFBAU',
'vpn delayed start' => 'Verzögerung, bevor VPN gestartet wird (Sek.)',
'vpn delayed start help' => 'Falls notwendig, kann diese Verzögerung dazu verwendet werden, um Dynamic-DNS-Updates ordnungsgemäß anzuwenden. 60 ist ein gängiger Wert, wenn ROT (RED) eine dynamische IP Adresse ist.',
+'vpn force mobike' => 'MOBIKE erzwingen (nur IKEv2)',
'vpn inactivity timeout' => 'Inaktivitätstimeout',
'vpn incompatible use of defaultroute' => 'Hostname=%defaultroute nicht zulässig',
'vpn keyexchange' => 'Schlüsseltausch',
'vpn start action add' => 'Auf Verbindungseingang warten',
'vpn start action route' => 'Bei Bedarf',
'vpn start action start' => 'Immer An',
-'vpn statistic n2n' => 'OpenVPN-Netz-zu-Netz-Statistik',
-'vpn statistic rw' => 'OpenVPN-Roadwarrior-Statistik',
+'vpn statistic n2n' => 'VPN: Netz-zu-Netz-Statistik',
+'vpn statistic rw' => 'VPN: Roadwarrior-Statistik',
'vpn subjectaltname' => 'Subjekt Alternativer Name',
'vpn wait' => 'WARTE',
'vpn watch' => 'Netz-zu-Netz VPN neu starten, wenn sich Remote-IP ändert (DynDNS).',
'cron server' => 'CRON Server',
'crypto error' => 'Cryptographic error',
'crypto warning' => 'Cryptographic warning',
+'cryptographic settings' => 'Cryptographic Settings',
'current' => 'Current',
'current aliases' => 'Current aliases',
'current class' => 'Current class',
'deep scan directories' => 'Scan recursive',
'def lease time' => 'Default Lease Time',
'default' => 'Default',
+'default IP address' => 'Default IP Address',
'default ip' => 'Default IP address',
'default lease time' => 'Default lease time (mins):',
'default networks' => 'Default networks',
'instant update' => 'Instant Update',
'integrity' => 'Integrity:',
'interface' => 'Interface',
+'interface mode' => 'Interface',
'interfaces' => 'Interfaces',
'internet' => 'INTERNET',
'intrusion detection' => 'Intrusion Detection',
'invalid input for hostname' => 'Invalid input for hostname.',
'invalid input for ike lifetime' => 'Invalid input for IKE lifetime',
'invalid input for inactivity timeout' => 'Invalid input for Inactivity Timeout',
+'invalid input for interface address' => 'Invalid input for interface address',
+'invalid input for interface mode' => 'Invalid input for interface mode',
+'invalid input for interface mtu' => 'Invalid input to interface MTU',
'invalid input for keepalive 1' => 'Invalid input for Keepalive ping',
'invalid input for keepalive 1:2' => 'Invalid input for Keepalive use at least a ratio of 1:2',
'invalid input for keepalive 2' => 'Invalid input for Keepalive ping-restart',
+'invalid input for local ip address' => 'Invalid input for local IP address',
'invalid input for max clients' => 'Invalid input for Max Clients',
+'invalid input for mode' => 'Invalid input for mode',
'invalid input for name' => 'Invalid input for user\'s full name or system hostname',
'invalid input for oink code' => 'Invalid input for Oink code',
'invalid input for organization' => 'Invalid input for organization',
'ipfires hostname' => 'IPFire\'s Hostname',
'ipinfo' => 'IP info',
'ipsec' => 'IPsec',
+'ipsec connection' => 'IPsec Connection',
+'ipsec interface mode gre' => 'GRE',
+'ipsec interface mode none' => '- None (Default) -',
+'ipsec interface mode vti' => 'VTI',
+'ipsec mode transport' => 'Transport',
+'ipsec mode tunnel' => 'Tunnel',
'ipsec network' => 'IPsec network',
'ipsec no connections' => 'No active IPsec connections',
+'ipsec settings' => 'IPsec Settings',
'iptable rules' => 'IPTable rules',
'iptmangles' => 'IPTable Mangles',
'iptnats' => 'IPTable Network Address Translation',
'load printer' => 'Load Printer',
'loaded modules' => 'Loaded modules:',
'local hard disk' => 'Hard disk',
+'local ip address' => 'Local IP Address',
'local master' => 'Local Master',
'local ntp server specified but not enabled' => 'Local NTP server specified but not enabled',
'local subnet' => 'Local subnet:',
'mpfire search' => 'MPFire Search',
'mpfire songs' => 'MPFire songlist',
'mpfire webradio' => 'MPFire Webradio',
+'mtu' => 'MTU',
'mtu QoS' => 'This does not change the global MTU, it only sets MTU for QoS.',
'my new share' => 'My new share',
'name' => 'Name',
'subject warn' => 'Warning - warnlevel reached',
'subnet' => 'Subnet',
'subnet is invalid' => 'Netmask is invalid',
+'subnet mask' => 'Subnet Mask',
'subscripted user rules' => 'Sourcefire VRT rules with subscription',
'successfully refreshed updates list' => 'Successfully refreshed updates list.',
'summaries kept' => 'Keep summaries for',
'trafficto' => 'To',
'transfer limits' => 'Transfer limits',
'transparent on' => 'Transparent on',
+'transport mode does not support vti' => 'VTI is not support in transport mode',
'tripwire' => 'Tripwire',
'tripwire cronjob' => 'tripwire cronjob',
'tripwire functions' => 'tripwire functions',
'vpn start action add' => 'Wait for connection initiation',
'vpn start action route' => 'On Demand',
'vpn start action start' => 'Always On',
-'vpn statistic n2n' => 'OpenVPN Net-to-Net Statistics',
-'vpn statistic rw' => 'OpenVPN Roadwarrior Statistics',
+'vpn statistic n2n' => 'VPN: Net-to-Net Statistics',
+'vpn statistic rw' => 'VPN: Roadwarrior Statistics',
'vpn subjectaltname' => 'Subject Alt Name',
'vpn wait' => 'WAITING',
'vpn watch' => 'Restart net-to-net vpn when remote peer IP changes (dyndns).',
'Captive 1day' => '1 jour',
'Captive 1month' => '1 mois',
'Captive 1week' => '1 semaine',
-'Captive ACTIVATE' => 'ACTIVATION',
-'Captive GAIN ACCESS' => 'GAIN ACCESS',
+'Captive ACTIVATE' => 'ACTIVER',
+'Captive GAIN ACCESS' => 'ACCEDER',
'Captive WiFi coupon' => 'Coupon wifi',
'Captive activate' => 'Activation',
'Captive activated' => 'Activé',
'Captive auth_lic' => 'Licence',
'Captive auth_vou' => 'Reçu',
'Captive authentication' => 'Type d\'accès',
-'Captive brand color' => 'Couleur de la marque',
+'Captive brand color' => 'Couleur de fond personnalisée',
'Captive branding' => 'Personnalisation',
'Captive client session expiry time' => 'Délai d\'expiration de la session',
'Captive config' => 'Paramètres',
'Captive noexpiretime' => 'Aucune plage de temps de connexion valide donnée',
'Captive nolimit' => 'illimité',
'Captive nr' => 'Number',
-'Captive please accept the terms and conditions' => 'Veuillez accepter les termes & conditions',
+'Captive please accept the terms and conditions' => 'Veuillez accepter les termes et conditions',
'Captive please enter a coupon code' => 'Veuillez saisir un code de coupon',
'Captive portal' => 'Portail captif IPFire',
'Captive portal coupons' => 'Coupons portail captif',
'connections' => 'Connexions',
'connections are associated with this ca. deleting the ca will delete these connections as well.' => 'Les connexions sont associées avec ce CA. La suppression de ce CA entraînera la suppression des connexions associées.',
'connscheduler' => 'Planificateur de connexion',
-'core notice 1' => '<strong>Remarque :</strong> Il y a une mise à jour de',
-'core notice 2' => 'pour',
-'core notice 3' => 'disponible.',
+'core notice 1' => '<strong>Remarque :</strong> Il y a une mise à jour disponible de',
+'core notice 2' => 'vers',
+'core notice 3' => '.',
'could not be opened' => 'ne peut pas être ouvert',
'could not connect to' => 'Impossible de se connecter à ',
'could not connect to www ipcop org' => 'Impossible de se connecter à www.ipcop.org',
'dnsforward configuration' => 'Configuration de transfert DNS',
'dnsforward edit an entry' => 'Modifier une entrée existante',
'dnsforward entries' => 'Entrées actuelles',
-'dnsforward forward_server' => 'Nom du serveur ',
+'dnsforward forward_servers' => 'Nom des serveurs ',
'dnsforward zone' => 'Zone ',
'dnssec aware' => 'DNSSEC Aware',
'dnssec disabled warning' => 'AVERTISSEMENT : DNSSEC a été désactivé',
'domain not set' => 'Domaine non établi.',
'donation' => 'Faire un don',
'donation-link' => 'https://www.paypal.com/en_US/GB/i/btn/btn_donateCC_LG.gif',
-'donation-text' => '<strong>IPFire</strong> est développé et maintenu par des volontaires durant leur temps libre.<br>Afin d\'assurer les coûts du projet et si vous souhaitez nous encourager, vous pouvez effectuer un don.',
+'donation-text' => '<strong>IPFire</strong> est développé et maintenu par des volontaires durant leur temps libre.<br>Afin d\'assurer les coûts du projet et nous encourager, vous pouvez effectuer un don.',
'done' => 'Faites le',
'dos charset' => 'DOS Charset',
'down and up speed' => 'Entrez votre débit descendant et montant <br /> et cliquez sur <i>Sauvegarder</i>.',
'download tls-auth key' => 'Télécharger la clé tls-auth',
'dpd action' => 'Détection du peer mort',
'dpd delay' => 'Retard',
-'dpd timeout' => 'Timeout',
+'dpd timeout' => 'Délai dépassé',
'driver' => 'Pilote',
'drop action' => 'Comportement par défaut du pare-feu (avancé) en mode "Bloqué"',
'drop action1' => 'Comportement par défaut du pare-feu (sortant) en mode "Bloqué"',
'editor' => 'Editeur',
'eg' => 'ex. :',
'eight hours' => '8 heures',
-'email config' => 'Configuration',
-'email empty field' => 'Champs vide',
+'email config' => 'Configuration du courrier',
+'email empty field' => 'Champ vide',
'email error' => 'ERREUR : Le message de test n\'a pas pu être envoyé',
'email invalid' => 'Champ invalide',
'email invalid mailfqdn' => 'Serveur de mail fqdn invalide',
'email invalid mailip' => 'Adresse IP serveur de mail invalide',
'email invalid mailport' => 'Port serveur de mail invalide',
-'email mailaddr' => 'Adresse serveur email (smtp)',
+'email mailaddr' => 'Adresse du serveur (SMTP)',
'email mailpass' => 'Mot de passe',
-'email mailport' => 'Port serveur email',
-'email mailrcpt' => 'Destinataire email',
-'email mailsender' => 'Expéditeur email',
+'email mailport' => 'Port du serveur (SMTP)',
+'email mailrcpt' => 'Email du destinataire',
+'email mailsender' => 'Email de l\'expéditeur',
'email mailuser' => 'Nom d\'utilisateur',
'email server can not be empty' => 'Le serveur mail ne peut pas être vide',
-'email settings' => 'Service email',
+'email settings' => 'Service de messagerie',
'email subject' => 'Test email IPFire',
'email success' => 'Email de test envoyé avec succès',
-'email testmail' => 'Envoyer email de test',
+'email testmail' => 'Envoyer un message de test',
'email text' => 'Email de test depuis le service de mail IPFire',
'email tls' => 'Utiliser une connexion chiffrée TLS',
-'email usemail' => 'Activation service email',
+'email usemail' => 'Activation du service',
'emailreportlevel' => 'Niveau de rapport des mails',
'emerging rules' => 'Règles de la communauté Emergingthreats.net',
'empty' => 'Ce champ peut être laissé vide',
'fwdfw dnat nochoice' => 'Veuillez choisir un NAT source ou un NAT de destination dans la section NAT.',
'fwdfw dnat porterr' => 'Vous devez choisir un seul port ou plage de ports (tcp / udp) pour NAT',
'fwdfw dnat porterr2' => 'Impossible d\'utiliser un port externe (NAT) si aucun port de destination n\'est défini.',
-'fwdfw edit' => 'Edit',
+'fwdfw edit' => 'Edition',
'fwdfw err concon' => 'Nombre invalide pour les connexions concurrentes',
'fwdfw err nosrc' => 'Aucune source sélectionnée.',
'fwdfw err nosrcip' => 'Veuillez fournir une adresse IP source.',
'fwdfw wd_thu' => 'Jeu',
'fwdfw wd_tue' => 'Mar',
'fwdfw wd_wed' => 'Mer',
-'fwdfw xt access' => 'Input',
+'fwdfw xt access' => 'Entrée',
'fwhost Custom Host' => 'Hôte',
'fwhost Custom Network' => 'Réseau',
'fwhost IpSec Host' => 'Hôte IPsec',
'graph per' => 'par',
'green' => 'VERT',
'green interface' => 'Interface VERTE',
-'grouptype' => 'Grouptype :',
+'grouptype' => 'Type de groupe :',
'guaranteed bandwith' => 'Bande passante garantie',
'guardian' => 'Gardien',
'guest ok' => 'autoriser l\'accès aux invités',
'invalid input for state or province' => 'Région ou département non valide.',
'invalid input for valid till days' => 'Entrée invalide pour Valide jusqu\à (jours).',
'invalid ip' => 'IP Adresse non valide',
+'invalid ip or hostname' => 'Adresse IP ou nom d\'hôte invalide',
'invalid keep time' => 'Le temps restant doit être un nombre valide',
'invalid key' => 'Clef non valide.',
'invalid loaded file' => 'Fichier chargé non valide',
'pakfire ago' => '',
'pakfire available addons' => 'Modules disponibles :',
'pakfire configuration' => 'Configuration Pakfire',
-'pakfire core update auto' => 'Installer les mises à jour du noyau et des modules automatiquement :',
+'pakfire core update auto' => 'Installer automatiquement les mises à jour du noyau et des modules :',
'pakfire core update level' => 'Niveau de mise à jour du noyau ',
'pakfire health check' => 'Vérifier si le miroir est accessible (ping) :',
'pakfire install description' => 'Veuillez choisir un ou plusieurs modules dans la liste ci-dessous<br>et cliquez sur le signe PLUS pour les installer.',
-'pakfire install package' => 'Vous voulez installer les paquets suivants : ',
+'pakfire install package' => 'Vous souhaitez installer les paquets suivants : ',
'pakfire installed addons' => 'Modules installés :',
'pakfire last core list update' => 'Dernière mise à jour de la liste du noyau : ',
'pakfire last package update' => 'Dernière mise à jour de la liste des paquets : ',
'reconnect' => 'Reconnecter',
'reconnection' => 'Reconnexion',
'red' => 'Internet',
-'red1' => 'RED',
+'red1' => 'ROUGE',
'references' => 'Références',
'refresh' => 'Rafraîchir',
'refresh index page while connected' => 'Rafraîchir la page index.cgi tout en restant connecté',
'tor 0 = disabled' => '0 = désactivé',
'tor accounting' => 'Accounting',
'tor accounting bytes' => 'Trafic (lu / écrit)',
-'tor accounting bytes left' => 'left',
+'tor accounting bytes left' => 'restant',
'tor accounting interval' => 'Interval (UTC)',
'tor accounting limit' => 'Accounting limit (Mo)',
'tor accounting period' => 'Accounting period',
'unlimited' => 'illimité',
'unnamed' => 'Sans nom',
'update' => 'Mettre à jour',
-'update accelerator' => 'Paramètres accélérateur',
+'update accelerator' => 'Accélérateur (cache)',
'update time' => 'Mettre à jour l\'heure :',
'update transcript' => 'Mettre à jour transcript',
'updatedatabase' => 'Mettre à jour la base de données avec le dernier rapport',
'updxlrtr condition outdated' => 'Périmé',
'updxlrtr condition suspended' => 'Suspendu',
'updxlrtr condition unknown' => 'Inconnu',
-'updxlrtr configuration' => 'Mise à jour de l\'accélérateur',
+'updxlrtr configuration' => 'Paramètres de l\'accélérateur',
'updxlrtr current downloads' => 'Les fichiers suivants sont en cours de téléchargement dans le cache local :',
-'updxlrtr current files' => 'Les fichiers courants sont dans le cache local',
+'updxlrtr current files' => 'Les fichiers suivants sont dans le cache local',
'updxlrtr daily' => 'Quotidienne',
'updxlrtr data from cache' => 'Données du cache (octets)',
'updxlrtr disk usage' => 'Utilisation du disque',
'used swap' => 'Swap utilisée',
'user' => 'Utilisateur',
'user log' => 'log utilisateur',
-'user proxy logs' => 'user proxy log',
+'user proxy logs' => 'log utilisateur proxy',
'username' => 'Nom utilisateur :',
'username not set' => 'Nom d\'utilisateur non défini.',
'users department' => 'Département de l\'utilisateur',
'vpn connecting' => 'CONNEXION',
'vpn delayed start' => 'Délai avant le lancement du VPN (secondes) ',
'vpn delayed start help' => 'Si requis, ce délai peut être utilisé pour autoriser les mises à jour de DNS dynamique à la propagation appropriée. 60 est une valeur souvent utilisée lorsque l\'interface ROUGE est une IP dynamique.',
-'vpn force mobike' => 'Force using MOBIKE (only IKEv2)',
+'vpn force mobike' => 'Force utilisation MOBIKE (seulement IKEv2)',
'vpn inactivity timeout' => 'Délai dépassé inactivité',
'vpn incompatible use of defaultroute' => 'hostname=%defaultroute non admis',
'vpn keyexchange' => 'Keyexchange',
'vpn start action' => 'Hareketi BaÅŸlat',
'vpn start action route' => 'Ä°stek Ãœzerine',
'vpn start action start' => 'Her Zaman',
-'vpn statistic n2n' => 'AÄŸdan AÄŸa OpenVPN Ä°statistiÄŸi',
-'vpn statistic rw' => 'Roadwarrior OpenVPN Ä°statistiÄŸi',
+'vpn statistic n2n' => 'AÄŸdan AÄŸa VPN Ä°statistiÄŸi',
+'vpn statistic rw' => 'Roadwarrior VPN Ä°statistiÄŸi',
'vpn subjectaltname' => 'Alternatif konu adı',
'vpn watch' => 'Karşı eş IP değiştirdiğinde (dyndns) ağdan-ağa VPN bağlantısını yeniden başlat. Bu DPD ye yardımcı olur.',
'vpn weak' => 'Hafta',
# Cleanup environment from any variables
unexport BUILD_ARCH BUILD_PLATFORM BUILDTARGET CROSSTARGET TOOLCHAIN TOOLS_DIR
+PARALLELISM = $(shell echo $$( \
+ if [ -n "$(MAX_PARALLELISM)" ] && [ $(MAX_PARALLELISM) -lt $(DEFAULT_PARALLELISM) ]; then \
+ echo $(MAX_PARALLELISM); \
+ else \
+ echo $(DEFAULT_PARALLELISM); \
+ fi) \
+)
+
+MAKETUNING = -j$(PARALLELISM)
+
ifeq "$(BUILD_ARCH)" "aarch64"
IS_64BIT = 1
endif
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2018 IPFire Team <info@ipfire.org> #
+# Copyright (C) 2007-2019 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
include Config
-VER = 9.11.5-P1
+VER = 9.11.6
THISAPP = bind-$(VER)
DL_FILE = $(THISAPP).tar.gz
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 2825d818db51008f88a0030507edfa8a
+$(DL_FILE)_MD5 = 4882bd3eeef779e05b515b32354cc081
install : $(TARGET)
--prefix=/usr \
--enable-threads \
--with-libtool \
+ --without-python \
--disable-static
cd $(DIR_APP) && make -C lib/isc install
cd $(DIR_APP) && make -C lib/dns install
CFLAGS += -O3 -fno-strict-aliasing
CXXFLAGS += -O3 -fno-strict-aliasing
+# The compiler uses a lot of memory to compile boost, hence we reduce
+# the total number of processes a little bit to be able to build on
+# smaller machines
+MAX_PARALLELISM = $(shell echo $$(( $(SYSTEM_MEMORY) / 512)))
+
CONFIGURE_OPTIONS = \
--prefix=/usr \
--layout=tagged \
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
cd $(DIR_APP) && ./bootstrap.sh --with-toolset=gcc
- cd $(DIR_APP) && ./b2 -d+2 -q $(CONFIGURE_OPTIONS) stage
+ cd $(DIR_APP) && ./b2 -d+2 -q $(MAKETUNING) $(CONFIGURE_OPTIONS) stage
cd $(DIR_APP) && ./b2 $(CONFIGURE_OPTIONS) install
@rm -rf $(DIR_APP)
--enable-{network,nfs,ntpd,ping,processes,rrdtool,sensors,swap,syslog} \
--enable-{tcpconns,unixsock,users,wireless} \
--with-librrd=/usr/share/rrdtool-1.2.30
- cd $(DIR_APP) && make install
+ cd $(DIR_APP) && make install #collectd-4 does not support parallel build
cp -vf $(DIR_SRC)/config/collectd/collectd.* /etc/
mv /etc/collectd.vpn /var/ipfire/ovpn/collectd.vpn
chown nobody.nobody /var/ipfire/ovpn/collectd.vpn
cp $(DIR_SRC)/config/fwhosts/customservices $(CONFIG_ROOT)/fwhosts/customservices.default
# Oneliner configfiles
echo "ENABLED=off" > $(CONFIG_ROOT)/vpn/settings
- echo "VPN_DELAYED_START=0" >>$(CONFIG_ROOT)/vpn/settings
echo "01" > $(CONFIG_ROOT)/certs/serial
echo "nameserver 1.2.3.4" > $(CONFIG_ROOT)/ppp/fake-resolv.conf
echo "DROPNEWNOTSYN=on" >> $(CONFIG_ROOT)/optionsfw/settings
--enable-autocreate \
--enable-idled
- cd $(DIR_APP) && make $(EXTRA_MAKE)
+ cd $(DIR_APP) && make $(MAKETUNING) $(EXTRA_MAKE)
cd $(DIR_APP) && make install
-mkdir /var/imap
chown cyrus:mail /var/imap
--enable-early-chroot \
--disable-dhcpv6
- cd $(DIR_APP) && make
+ cd $(DIR_APP) && make #This package does not support parallel build
cd $(DIR_APP) && make install
mkdir -pv /var/state/dhcp
DEPS = ""
+MAX_PARALLELISM = $(shell echo $$(( $(SYSTEM_MEMORY) / 512)))
+
###############################################################################
# Top-level Rules
###############################################################################
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
cd $(DIR_APP) && ./configure --prefix=/usr --sysconfdir=/etc
- cd $(DIR_APP) && make
+ cd $(DIR_APP) && make $(MAKETUNING)
cd $(DIR_APP) && make install
#install initscripts
$(EXTRA_ENV) \
$(DIR_APP)/libstdc++-v3/configure \
$(EXTRA_CONFIG)
- cd $(DIR_SRC)/gcc-build && make $(EXTRA_MAKE)
+ cd $(DIR_SRC)/gcc-build && make $(MAKETUNING) $(EXTRA_MAKE)
cd $(DIR_SRC)/gcc-build && make $(EXTRA_INSTALL) install
else
$(EXTRA_ENV) \
$(DIR_APP)/configure \
$(EXTRA_CONFIG)
- cd $(DIR_SRC)/gcc-build && make $(EXTRA_MAKE)
+ cd $(DIR_SRC)/gcc-build && make $(MAKETUNING) $(EXTRA_MAKE)
cd $(DIR_SRC)/gcc-build && make $(EXTRA_INSTALL) install
endif
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
ifeq "$(ROOT)" ""
cd $(DIR_APP) && ./configure $(EXTRA_CONFIG)
- cd $(DIR_APP) && make
+ cd $(DIR_APP) && make $(MAKETUNING)
cd $(DIR_APP) && make install
else
cd $(DIR_APP)/gettext-tools && ./configure $(EXTRA_CONFIG)
- cd $(DIR_APP)/gettext-tools && make -C gnulib-lib
- cd $(DIR_APP)/gettext-tools && make -C intl pluralx.c
- cd $(DIR_APP)/gettext-tools && make -C src msgfmt
+ cd $(DIR_APP)/gettext-tools && make $(MAKETUNING) -C gnulib-lib
+ cd $(DIR_APP)/gettext-tools && make $(MAKETUNING) -C intl pluralx.c
+ cd $(DIR_APP)/gettext-tools && make $(MAKETUNING) -C src msgfmt
cd $(DIR_APP)/gettext-tools && cp -v src/msgfmt $(TOOLS_DIR)/bin
endif
@rm -rf $(DIR_APP)
cd $(DIR_APP) && PAGE=A4 ./configure \
--prefix=/usr
- cd $(DIR_APP) && make
+ cd $(DIR_APP) && make #This package does not support parallel build
cd $(DIR_APP) && make install
ln -svf eqn /usr/bin/geqn
ln -svf tbl /usr/bin/gtbl
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar jxf $(DIR_DL)/$(DL_FILE)
$(UPDATE_AUTOMAKE)
cd $(DIR_APP) && ./configure --prefix=/usr --sysconfdir=/etc
- cd $(DIR_APP) && make
+ cd $(DIR_APP) && make $(MAKETUNING)
cd $(DIR_APP) && make install
@rm -rf $(DIR_APP)
@$(POSTBUILD)
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2018 IPFire Team <info@ipfire.org> #
+# Copyright (C) 2007-2019 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
include Config
-VER = 2.6
+VER = 2.7
THISAPP = hostapd-$(VER)
DL_FILE = $(THISAPP).tar.gz
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
PROG = hostapd
-PAK_VER = 43
+PAK_VER = 44
DEPS = ""
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = eaa56dce9bd8f1d195eb62596eab34c7
+$(DL_FILE)_MD5 = 8d3799f3a3c247cff47d41503698721b
install : $(TARGET)
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
- # Security Patches https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt
- cd $(DIR_APP) && patch -p1 < $(DIR_SRC)/src/patches/wpa_supplicant/rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch
- cd $(DIR_APP) && patch -p1 < $(DIR_SRC)/src/patches/wpa_supplicant/rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch
- cd $(DIR_APP) && patch -p1 < $(DIR_SRC)/src/patches/wpa_supplicant/rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch
- cd $(DIR_APP) && patch -p1 < $(DIR_SRC)/src/patches/wpa_supplicant/rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch
- cd $(DIR_APP) && patch -p1 < $(DIR_SRC)/src/patches/wpa_supplicant/rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch
- cd $(DIR_APP) && patch -p1 < $(DIR_SRC)/src/patches/wpa_supplicant/rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch
- cd $(DIR_APP) && patch -p1 < $(DIR_SRC)/src/patches/wpa_supplicant/rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch
-
- cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd-2.3_increase_EAPOL-timeouts.patch
- cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.6-noscan.patch
+ cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.7-increase_EAPOL-timeouts.patch
+ cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.7-noscan.patch
cd $(DIR_APP)/hostapd && cp $(DIR_SRC)/config/hostapd/config ./.config
cd $(DIR_APP)/hostapd && sed -e "s@/usr/local@/usr@g" -i Makefile
TARGET = $(DIR_INFO)/$(THISAPP)
SLOGAN = An Open Source Firewall Solution
-DOWNLOAD_URL = http://downloads.ipfire.org/releases/ipfire-2.x/$(VERSION)-core$(CORE)/$(SNAME)-$(VERSION).$(BUILD_ARCH)-full-core$(CORE).iso
+DOWNLOAD_URL = https://downloads.ipfire.org/releases/ipfire-2.x/$(VERSION)-core$(CORE)/$(SNAME)-$(VERSION).$(BUILD_ARCH)-full-core$(CORE).iso
###############################################################################
# Top-level Rules
# Extract iPXE source
cd $(DIR_APP) && tar axf $(DIR_DL)/ipxe-$(PXE_VER).tar.gz
cd $(DIR_APP) && rm -rfv ipxe && ln -s ipxe-$(PXE_VER) ipxe
- cd $(DIR_APP) && make bin/ipxe.lkrn
+ cd $(DIR_APP) && make $(MAKETUNING) bin/ipxe.lkrn
ifeq "$(BUILD_ARCH)" "x86_64"
- cd $(DIR_APP) && make bin-x86_64-efi/ipxe.efi
+ cd $(DIR_APP) && make $(MAKETUNING) bin-x86_64-efi/ipxe.efi
endif
# Installation
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2018 IPFire Team <info@ipfire.org> #
+# Copyright (C) 2007-2019 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
include Config
-VER = 6.38
+VER = 7.1
THISAPP = ipset-$(VER)
DL_FILE = $(THISAPP).tar.bz2
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 0e5d9c85f6b78e7dff0c996e2900574b
+$(DL_FILE)_MD5 = 72b477d1ce076d681b0799f88280f2f3
install : $(TARGET)
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2018 IPFire Team <info@ipfire.org> #
+# Copyright (C) 2007-2019 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
include Config
-VER = 1.6.2
+VER = 1.8.2
THISAPP = iptables-$(VER)
DL_FILE = $(THISAPP).tar.bz2
# Top-level Rules
###############################################################################
objects = $(DL_FILE) \
- netfilter-layer7-v2.22.tar.gz
+ netfilter-layer7-v2.23.tar.gz
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-netfilter-layer7-v2.22.tar.gz = $(URL_IPFIRE)/netfilter-layer7-v2.22.tar.gz
+netfilter-layer7-v2.23.tar.gz = $(URL_IPFIRE)/netfilter-layer7-v2.23.tar.gz
-$(DL_FILE)_MD5 = 7d2b7847e4aa8832a18437b8a4c1873d
-netfilter-layer7-v2.22.tar.gz_MD5 = 98dff8a3d5a31885b73341633f69501f
+$(DL_FILE)_MD5 = 944558e88ddcc3b9b0d9550070fa3599
+netfilter-layer7-v2.23.tar.gz_MD5 = 10910b6173d18e426cb56ae7e1300eeb
install : $(TARGET)
@cd $(DIR_SRC) && tar jxf $(DIR_DL)/$(DL_FILE)
# Layer7
- cd $(DIR_SRC) && tar zxf $(DIR_DL)/netfilter-layer7-v2.22.tar.gz
- cd $(DIR_APP) && cp -vf $(DIR_SRC)/netfilter-layer7-v2.22/iptables-1.4.3forward-for-kernel-2.6.20forward/* \
+ cd $(DIR_SRC) && tar zxf $(DIR_DL)/netfilter-layer7-v2.23.tar.gz
+ cd $(DIR_APP) && cp -vf $(DIR_SRC)/netfilter-layer7-v2.23/iptables-1.4.3forward-for-kernel-2.6.20forward/* \
./extensions/
# imq
--libdir=/lib \
--includedir=/usr/include \
--enable-libipq \
+ --with-xtlibdir=/lib/xtables \
--libexecdir=/lib \
--bindir=/sbin \
--sbindir=/sbin \
--enable-dns-for-realm \
CPPFLAGS="-I/usr/include/et"
- cd $(DIR_APP) && make #$(MAKETUNING)
+ cd $(DIR_APP) && make $(MAKETUNING)
cd $(DIR_APP) && make install
for LIB in gssapi_krb5 gssrpc k5crypto kadm5clnt kadm5srv \
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
$(UPDATE_AUTOMAKE)
cd $(DIR_APP) && ./configure --with-plugins=all,!qnaplog,!dbus --prefix=/usr
- cd $(DIR_APP) && make
+ cd $(DIR_APP) && make $(MAKETUNING)
cd $(DIR_APP) && make install
#install initscripts
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2018 IPFire Team <info@ipfire.org> #
+# Copyright (C) 2007-2019 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
include Config
-VER = 481
+VER = 530
THISAPP = less-$(VER)
DL_FILE = $(THISAPP).tar.gz
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 50ef46065c65257141a7340123527767
+$(DL_FILE)_MD5 = 6a39bccf420c946b0fd7ffc64961315b
install : $(TARGET)
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2018 IPFire Team <info@ipfire.org> #
+# Copyright (C) 2007-2019 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
include Config
-VER = 1.8.3
+VER = 1.8.4
THISAPP = libgcrypt-$(VER)
DL_FILE = $(THISAPP).tar.bz2
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 3139c2402e844985a67fb288a930534d
+$(DL_FILE)_MD5 = fbfdaebbbc6d7e5fbbf6ffdb3e139573
install : $(TARGET)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
rm -rf /usr/netpbm
cp $(DIR_SRC)/config/netpbm/config.mk $(DIR_APP)
- cd $(DIR_APP) && make CFLAGS="$(CFLAGS)"
+ cd $(DIR_APP) && make CFLAGS="$(CFLAGS)" #The build of this version cannot be parallelized
cd $(DIR_APP) && make package PKGDIR=/usr/netpbm
mkdir -pv /usr/include/netpbm
mkdir -pv /usr/share/netpbm
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2018 IPFire Team <info@ipfire.org> #
+# Copyright (C) 2007-2019 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
include Config
-VER = 5.7.3
+VER = 5.8
THISAPP = net-snmp-$(VER)
DL_FILE = $(THISAPP).tar.gz
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
PROG = netsnmpd
-PAK_VER = 7
+PAK_VER = 8
DEPS = ""
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = d4a3459e1577d0efa8d96ca70a885e53
+$(DL_FILE)_MD5 = 63bfc65fbb86cdb616598df1aff6458a
install : $(TARGET)
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
- cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/net-snmp-5.7.3-openssl.patch
+
$(UPDATE_AUTOMAKE)
cd $(DIR_APP) && ./configure \
--prefix=/usr \
sctp-mib rmon-mib etherlike-mib ucd-snmp/lmsensorsMib"
--libdir=/usr/lib \
--sysconfdir="/etc"
- cd $(DIR_APP) && make
+
+ cd $(DIR_APP) && make $(MAKETUNING)
cd $(DIR_APP) && make install
install -v -m 644 $(DIR_SRC)/config/netsnmpd/snmpd.conf /etc/snmpd.conf
install -v -m 644 $(DIR_SRC)/config/backup/includes/netsnmpd \
cd $(DIR_APP) && ./configure --prefix=/usr --sysconfdir=/etc/nut \
--with-usb --with-user=root --with-group=nut \
--with-wrap=no --with-udev-dir=/etc/udev
- cd $(DIR_APP) && make
+ cd $(DIR_APP) && make $(MAKETUNING)
cd $(DIR_APP) && make install
# sed -i -e "s|ATTR{|SYSFS{|g" /etc/udev/rules.d/52-nut-usbups.rules
mkdir -p /var/state/ups
include Config
-VER = 1.1.1a
+VER = 1.1.1b
THISAPP = openssl-$(VER)
DL_FILE = $(THISAPP).tar.gz
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 963deb2272d6be7d4c2458afd2517b73
+$(DL_FILE)_MD5 = 4532712e7bcc9414f5bce995e4e13930
install : $(TARGET)
$(CFLAGS) $(LDFLAGS)
cd $(DIR_APP) && make depend
- cd $(DIR_APP) && make
+ cd $(DIR_APP) && make $(MAKETUNING)
ifeq "$(KCFG)" "-sse2"
-mkdir -pv /usr/lib/sse2
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2018 IPFire Team <info@ipfire.org> #
+# Copyright (C) 2007-2019 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
include Config
-VER = 2.4.6
+VER = 2.4.7
THISAPP = openvpn-$(VER)
DL_FILE = $(THISAPP).tar.xz
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 3a1f3f63bdaede443b4df49957df9405
+$(DL_FILE)_MD5 = 4ad8a008e1e7f261b3aa0024e79e7fb7
install : $(TARGET)
TARGET = $(DIR_INFO)/$(THISAPP)-tools
endif
+# Perl does not build with -j larger than 23
+MAX_PARALLELISM = 23
+
###############################################################################
# Top-level Rules
###############################################################################
include Config
-VER = 3.3.2
+VER = 3.4.1
THISAPP = postfix-$(VER)
DL_FILE = $(THISAPP).tar.gz
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
PROG = postfix
-PAK_VER = 17
+PAK_VER = 18
DEPS = ""
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 4e6ed7056576e0c54cfce6040a0bb0ad
+$(DL_FILE)_MD5 = d292bb49a1c79ff6d2eb9c5e88c51425
install : $(TARGET)
--disable-tcl \
--disable-ruby \
--disable-python
- cd $(DIR_APP) && make
+ cd $(DIR_APP) && make $(MAKETUNING)
cd $(DIR_APP) && make install
-mkdir -p /srv/web/ipfire/html/graphs/
chmod 777 /srv/web/ipfire/html/graphs/
--enable-cups \
--disable-avahi \
--with-syslog
- cd $(DIR_APP)/source3 && make idl_full
- cd $(DIR_APP)/source3 && make proto && make all $(MAKETUNING) $(EXTRA_MAKE)
+ cd $(DIR_APP)/source3 && make $(MAKETUNING) idl_full
+ cd $(DIR_APP)/source3 && make $(MAKETUNING) proto && make all $(MAKETUNING) $(EXTRA_MAKE)
cd $(DIR_APP)/source3 && make install
cd $(DIR_APP)/source3 && chmod -v 644 /usr/include/libsmbclient.h
#cd $(DIR_APP)/source3 && install -v -m755 nsswitch/libnss_wins.so /lib
--enable-react \
--enable-flexresp3
- cd $(DIR_APP) && make
+ cd $(DIR_APP) && make $(MAKETUNING)
cd $(DIR_APP) && make install
mv /usr/bin/snort /usr/sbin/
-mkdir -p /etc/snort/rules
--- /dev/null
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2007-2018 IPFire Team <info@ipfire.org> #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see <http://www.gnu.org/licenses/>. #
+# #
+###############################################################################
+
+###############################################################################
+# Definitions
+###############################################################################
+
+include Config
+
+VER = 0.40
+
+THISAPP = spectre-meltdown-checker-$(VER)
+DL_FILE = $(THISAPP).tar.gz
+DL_FROM = $(URL_IPFIRE)
+DIR_APP = $(DIR_SRC)/$(THISAPP)
+TARGET = $(DIR_INFO)/$(THISAPP)
+PROG = spectre-meltdown-checker
+PAK_VER = 1
+
+DEPS = ""
+
+###############################################################################
+# Top-level Rules
+###############################################################################
+
+objects = $(DL_FILE)
+
+$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
+
+$(DL_FILE)_MD5 = cc1ed68faf3fde13b1ff3bd15a22d46d
+
+install : $(TARGET)
+
+check : $(patsubst %,$(DIR_CHK)/%,$(objects))
+
+download :$(patsubst %,$(DIR_DL)/%,$(objects))
+
+md5 : $(subst %,%_MD5,$(objects))
+
+dist:
+ @$(PAK)
+
+###############################################################################
+# Downloading, checking, md5sum
+###############################################################################
+
+$(patsubst %,$(DIR_CHK)/%,$(objects)) :
+ @$(CHECK)
+
+$(patsubst %,$(DIR_DL)/%,$(objects)) :
+ @$(LOAD)
+
+$(subst %,%_MD5,$(objects)) :
+ @$(MD5)
+
+###############################################################################
+# Installation Details
+###############################################################################
+
+$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
+ @$(PREBUILD)
+ @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
+ cd $(DIR_APP) && install -v -m 754 spectre-meltdown-checker.sh \
+ /usr/sbin/spectre-meltdown-checker
+ @rm -rf $(DIR_APP)
+ @$(POSTBUILD)
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2018 IPFire Team <info@ipfire.org> #
+# Copyright (C) 2007-2019 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
include Config
-VER = 4.5
+VER = 4.6
THISAPP = squid-$(VER)
DL_FILE = $(THISAPP).tar.xz
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 8275da5846f9f2243ad2625e5aef2ee0
+$(DL_FILE)_MD5 = e25e7cc37754ad14d8aa368c0c210e54
install : $(TARGET)
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar xaf $(DIR_DL)/$(DL_FILE)
- cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-4.5-fix-max-file-descriptors.patch
+ cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-4.6-fix-max-file-descriptors.patch
cd $(DIR_APP) && autoreconf -vfi
cd $(DIR_APP)/libltdl && autoreconf -vfi
--disable-kqueue \
--disable-esi \
--disable-arch-native \
- --enable-ipv6 \
--enable-poll \
--enable-ident-lookups \
--enable-storeio=aufs,diskd,ufs \
/usr/lib/firewall/rules.pl
install -m 644 $(DIR_SRC)/config/firewall/firewall-lib.pl \
/usr/lib/firewall/firewall-lib.pl
- install -m 755 $(DIR_SRC)/config/firewall/ipsec-block \
- /usr/lib/firewall/ipsec-block
+ install -m 755 $(DIR_SRC)/config/firewall/ipsec-policy \
+ /usr/lib/firewall/ipsec-policy
# Nobody user
-mkdir -p /home/nobody
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-disable-ipv6.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-ipfire.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-ipfire-interfaces.patch
cd $(DIR_APP) && ./configure \
--prefix="/usr" \
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2018 IPFire Team <info@ipfire.org> #
+# Copyright (C) 2007-2019 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
include Config
-VER = 1.31
+VER = 1.32
THISAPP = tar-$(VER)
DL_FILE = $(THISAPP).tar.bz2
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 77afa35b696c8d760331fa0e12c2fac9
+$(DL_FILE)_MD5 = 17917356fff5cb4bd3cd5a6c3e727b05
install : $(TARGET)
include Config
-VER = 0.3.5.7
+VER = 0.3.5.8
THISAPP = tor-$(VER)
DL_FILE = $(THISAPP).tar.gz
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
PROG = tor
-PAK_VER = 32
+PAK_VER = 34
DEPS = ""
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 8076f11045b5a94fd4ef0a0114b845f6
+$(DL_FILE)_MD5 = e4b0feca80cc221ab235c9544851b146
install : $(TARGET)
include Config
-VER = 1.8.3
+VER = 1.9.0
THISAPP = unbound-$(VER)
DL_FILE = $(THISAPP).tar.gz
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 4646203343d3b8f5aeb1b57753c27ead
+$(DL_FILE)_MD5 = 1026159991a3883518525bc18e25582f
install : $(TARGET)
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2018 IPFire Team <info@ipfire.org> #
+# Copyright (C) 2007-2019 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
include Config
-VER = 2.6
+VER = 2.7
THISAPP = wpa_supplicant-$(VER)
DL_FILE = $(THISAPP).tar.gz
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 091569eb4440b7d7f2b4276dbfc03c3c
+$(DL_FILE)_MD5 = a68538fb62766f40f890125026c42c10
install : $(TARGET)
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
- # Security Patches https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt
- cd $(DIR_APP) && patch -p1 < $(DIR_SRC)/src/patches/wpa_supplicant/rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch
- cd $(DIR_APP) && patch -p1 < $(DIR_SRC)/src/patches/wpa_supplicant/rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch
- cd $(DIR_APP) && patch -p1 < $(DIR_SRC)/src/patches/wpa_supplicant/rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch
- cd $(DIR_APP) && patch -p1 < $(DIR_SRC)/src/patches/wpa_supplicant/rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch
- cd $(DIR_APP) && patch -p1 < $(DIR_SRC)/src/patches/wpa_supplicant/rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch
- cd $(DIR_APP) && patch -p1 < $(DIR_SRC)/src/patches/wpa_supplicant/rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch
- cd $(DIR_APP) && patch -p1 < $(DIR_SRC)/src/patches/wpa_supplicant/rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch
- cd $(DIR_APP) && patch -p1 < $(DIR_SRC)/src/patches/wpa_supplicant/rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch
-
cd $(DIR_APP)/wpa_supplicant && cp $(DIR_SRC)/config/wpa_supplicant/config ./.config
cd $(DIR_APP)/wpa_supplicant && sed -e "s/wpa_cli\ dynamic_eap_methods/wpa_cli\ #dynamic_eap_methods/" -i Makefile
cd $(DIR_APP)/wpa_supplicant && sed -e "s@/usr/local@/usr@g" -i Makefile
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
- cd $(DIR_APP) && make DEBUG=-DNDEBUG INSTALL_USER=root INSTALL_GROUP=root \
+ cd $(DIR_APP) && make $(MAKETUNING) DEBUG=-DNDEBUG INSTALL_USER=root INSTALL_GROUP=root \
LOCAL_CONFIGURE_OPTIONS="--enable-readline=yes"
cd $(DIR_APP) && make install install-dev
cd $(DIR_APP) && install -v -m755 -D libhandle/libhandle.la /usr/lib/libhandle.la
--- /dev/null
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2007-2019 IPFire Team <info@ipfire.org> #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see <http://www.gnu.org/licenses/>. #
+# #
+###############################################################################
+
+###############################################################################
+# Definitions
+###############################################################################
+
+include Config
+
+VER = 4.0.4
+
+THISAPP = zabbix-$(VER)
+DL_FILE = $(THISAPP).tar.gz
+DL_FROM = $(URL_IPFIRE)
+DIR_APP = $(DIR_SRC)/$(THISAPP)
+TARGET = $(DIR_INFO)/$(THISAPP)
+PROG = zabbix_agentd
+PAK_VER = 1
+DEPS = ""
+
+###############################################################################
+# Top-level Rules
+###############################################################################
+
+objects = $(DL_FILE)
+
+$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
+
+$(DL_FILE)_MD5 = 46fdb83d4b24e13127a20a3e874b1d8f
+
+install : $(TARGET)
+
+check : $(patsubst %,$(DIR_CHK)/%,$(objects))
+
+download :$(patsubst %,$(DIR_DL)/%,$(objects))
+
+md5 : $(subst %,%_MD5,$(objects))
+
+dist:
+ @$(PAK)
+
+###############################################################################
+# Downloading, checking, md5sum
+###############################################################################
+
+$(patsubst %,$(DIR_CHK)/%,$(objects)) :
+ @$(CHECK)
+
+$(patsubst %,$(DIR_DL)/%,$(objects)) :
+ @$(LOAD)
+
+$(subst %,%_MD5,$(objects)) :
+ @$(MD5)
+
+###############################################################################
+# Installation Details
+###############################################################################
+
+$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
+ @$(PREBUILD)
+ @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axvf $(DIR_DL)/$(DL_FILE)
+ cd $(DIR_APP) && ./configure \
+ --prefix=/usr \
+ --enable-agent \
+ --sysconfdir=/etc/zabbix_agentd \
+ --with-openssl
+
+ cd $(DIR_APP) && make
+ cd $(DIR_APP) && make install
+
+ # Create config directory and create files
+ -rmdir /etc/zabbix_agentd/zabbix_agentd.conf.d
+ -mkdir -pv /etc/zabbix_agentd/zabbix_agentd.d
+ -mkdir -pv /etc/zabbix_agentd/scripts
+ install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/zabbix_agentd.conf \
+ /etc/zabbix_agentd/zabbix_agentd.conf
+
+ # Create directory for additional agent modules
+ -mkdir -pv /usr/lib/zabbix
+
+ # Create directory for logging
+ -mkdir -pv /var/log/zabbix
+ chown zabbix.zabbix /var/log/zabbix
+
+ # Create directory for pid.
+ -mkdir -pv /var/run/zabbix
+ chown zabbix.zabbix /var/run/zabbix
+
+ # Install initscripts
+ $(call INSTALL_INITSCRIPT,zabbix_agentd)
+
+ # Install sudoers include file
+ install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/sudoers \
+ /etc/sudoers.d/zabbix.user
+
+ # Install include file for backup
+ install -v -m 644 $(DIR_SRC)/config/backup/includes/zabbix_agentd \
+ /var/ipfire/backup/addons/includes/zabbix_agentd
+
+ # Install include file for Logrotate
+ -mkdir -pv /etc/logrotate.d
+ install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/logrotate \
+ /etc/logrotate.d/zabbix_agentd
+
+ @rm -rf $(DIR_APP)
+ @$(POSTBUILD)
NAME="IPFire" # Software name
SNAME="ipfire" # Short name
VERSION="2.21" # Version number
-CORE="128" # Core Level (Filename)
+CORE="129" # Core Level (Filename)
PAKFIRE_CORE="128" # Core Level (PAKFIRE)
GIT_BRANCH=`git rev-parse --abbrev-ref HEAD` # Git Branch
SLOGAN="www.ipfire.org" # Software slogan
CXXFLAGS="${CFLAGS}"
# Determine parallelism
- if [ -z "${MAKETUNING}" ]; then
- # We assume that each process consumes about
- # 192MB of memory. Therefore we find out how
- # many processes fit into memory.
- local mem_max=$(( ${HOST_MEM} / 192 ))
-
- local processors="$(system_processors)"
- local cpu_max=$(( ${processors} + 1 ))
-
- local parallelism
- if [ ${mem_max} -lt ${cpu_max} ]; then
- parallelism=${mem_max}
- else
- parallelism=${cpu_max}
- fi
-
- # limit to -j23 because perl will not build
- # more
- if [ ${parallelism} -gt 23 ]; then
- parallelism=23
- fi
-
- MAKETUNING="-j${parallelism}"
+ # We assume that each process consumes about
+ # 128MB of memory. Therefore we find out how
+ # many processes fit into memory.
+ local mem_max=$(( ${SYSTEM_MEMORY} / 128 ))
+ local cpu_max=$(( ${SYSTEM_PROCESSORS} + 1 ))
+
+ local parallelism
+ if [ ${mem_max} -lt ${cpu_max} ]; then
+ parallelism=${mem_max}
+ else
+ parallelism=${cpu_max}
fi
+ # Use this as default PARALLELISM
+ DEFAULT_PARALLELISM="${parallelism}"
+
# Compression parameters
# We use mode 8 for reasonable memory usage when decompressing
# but with overall good compression
# We need to limit memory because XZ uses too much when running
# in parallel and it isn't very smart in limiting itself.
# We allow XZ to use up to 70% of all system memory.
- local xz_memory=$(( HOST_MEM * 7 / 10 ))
+ local xz_memory=$(( SYSTEM_MEMORY * 7 / 10 ))
# XZ memory cannot be larger than 2GB on 32 bit systems
case "${build_arch}" in
# Setup environment
set +h
LC_ALL=POSIX
- export LFS LC_ALL CFLAGS CXXFLAGS MAKETUNING
+ export LFS LC_ALL CFLAGS CXXFLAGS DEFAULT_PARALLELISM
unset CC CXX CPP LD_LIBRARY_PATH LD_PRELOAD
# Make some extra directories
CCACHE_COMPILERCHECK="${CCACHE_COMPILERCHECK}" \
KVER="${KVER}" \
XZ_OPT="${XZ_OPT}" \
+ DEFAULT_PARALLELISM="${DEFAULT_PARALLELISM}" \
+ SYSTEM_PROCESSORS="${SYSTEM_PROCESSORS}" \
+ SYSTEM_MEMORY="${SYSTEM_MEMORY}" \
$(fake_environ) \
$(qemu_environ) \
"$@"
CCACHE_COMPILERCHECK="${CCACHE_COMPILERCHECK}" \
CFLAGS="${CFLAGS}" \
CXXFLAGS="${CXXFLAGS}" \
- MAKETUNING="${MAKETUNING}" \
+ DEFAULT_PARALLELISM="${DEFAULT_PARALLELISM}" \
+ SYSTEM_PROCESSORS="${SYSTEM_PROCESSORS}" \
+ SYSTEM_MEMORY="${SYSTEM_MEMORY}" \
make -f $* \
TOOLCHAIN=1 \
TOOLS_DIR="${TOOLS_DIR}" \
enterchroot \
${EXTRA_PATH}bash -x -c "cd /usr/src/lfs && \
- MAKETUNING=${MAKETUNING} \
make -f $* \
LFS_BASEDIR=/usr/src install" \
>> ${LOGFILE} 2>&1 &
unset TARGET_ARCH
fi
-# Get the amount of memory in this build system
-HOST_MEM=$(system_memory)
+# Get some information about the host system
+SYSTEM_PROCESSORS="$(system_processors)"
+SYSTEM_MEMORY="$(system_memory)"
if [ -n "${BUILD_ARCH}" ]; then
configure_build "${BUILD_ARCH}"
lfsmake2 xr819-firmware
lfsmake2 zd1211-firmware
lfsmake2 rpi-firmware
+ lfsmake2 intel-microcode
lfsmake2 bc
lfsmake2 u-boot MKIMAGE=1
lfsmake2 cpio
lfsmake2 linux-initrd KCFG="-multi"
;;
esac
- lfsmake2 intel-microcode
lfsmake2 xtables-addons USPACE="1"
lfsmake2 libgpg-error
lfsmake2 libgcrypt
lfsmake2 borgbackup
lfsmake2 libedit
lfsmake2 knot
+ lfsmake2 spectre-meltdown-checker
+ lfsmake2 zabbix_agentd
}
buildinstaller() {
#!/bin/bash
-eval $(/usr/local/bin/readhash /var/ipfire/vpn/settings)
-
-sleep $VPN_DELAYED_START && /usr/local/bin/ipsecctrl S &
-
-exit 0
+exec /usr/local/bin/ipsecctrl S
--- /dev/null
+#!/bin/sh
+########################################################################
+# Begin $rc_base/init.d/zabbix_agentd
+#
+# Description : This script starts the Zabbix Agent as a daemon (zabbix_agentd)
+#
+# Authors : Alexander Koch (ipfire@starkstromkonsument.de)
+#
+# Version : 01.00
+#
+# Notes :
+#
+########################################################################
+
+. /etc/sysconfig/rc
+. ${rc_functions}
+
+case "${1}" in
+ start)
+ if [ ! -d "/var/run/zabbix" ]; then
+ mkdir -p /var/run/zabbix
+ chown zabbix.zabbix /var/run/zabbix
+ fi
+
+ boot_mesg "Starting Zabbix Agent..."
+ loadproc /usr/sbin/zabbix_agentd -c /etc/zabbix_agentd/zabbix_agentd.conf
+ ;;
+
+ stop)
+ boot_mesg "Stopping Zabbix Agent..."
+ killproc /usr/sbin/zabbix_agentd
+ ;;
+
+ restart)
+ ${0} stop
+ sleep 1
+ ${0} start
+ ;;
+
+ status)
+ statusproc /usr/sbin/zabbix_agentd
+ ;;
+
+ *)
+ echo "Usage: ${0} {start|stop|restart|status}"
+ exit 1
+ ;;
+esac
+
+# End $rc_base/init.d/zabbix_agentd
iptables -t nat -N REDNAT
iptables -t nat -A POSTROUTING -j REDNAT
- # Populate IPsec block chain
- /usr/lib/firewall/ipsec-block
+ # Populate IPsec chains
+ /usr/lib/firewall/ipsec-policy
# Apply OpenVPN firewall rules
/usr/local/bin/openvpnctrl --firewall-rules
fi
fi
+ # Create IPsec interfaces
+ /usr/local/bin/ipsec-interfaces
+
/etc/rc.d/init.d/static-routes start
;;
safe_system("/usr/sbin/ipsec reload >/dev/null 2>&1");
}
-/*
- ACCEPT the ipsec protocol ah, esp & udp (for nat traversal) on the specified interface
-*/
-void open_physical (char *interface, int nat_traversal_port) {
- char str[STRING_SIZE];
-
- // IKE
- sprintf(str, "/sbin/iptables --wait -D IPSECINPUT -p udp -i %s --dport 500 -j ACCEPT >/dev/null 2>&1", interface);
- safe_system(str);
- sprintf(str, "/sbin/iptables --wait -A IPSECINPUT -p udp -i %s --dport 500 -j ACCEPT", interface);
- safe_system(str);
- sprintf(str, "/sbin/iptables --wait -D IPSECOUTPUT -p udp -o %s --dport 500 -j ACCEPT >/dev/null 2>&1", interface);
- safe_system(str);
- sprintf(str, "/sbin/iptables --wait -A IPSECOUTPUT -p udp -o %s --dport 500 -j ACCEPT", interface);
- safe_system(str);
-
- if (! nat_traversal_port)
- return;
-
- sprintf(str, "/sbin/iptables --wait -D IPSECINPUT -p udp -i %s --dport %i -j ACCEPT >/dev/null 2>&1", interface, nat_traversal_port);
- safe_system(str);
- sprintf(str, "/sbin/iptables --wait -A IPSECINPUT -p udp -i %s --dport %i -j ACCEPT", interface, nat_traversal_port);
- safe_system(str);
- sprintf(str, "/sbin/iptables --wait -D IPSECOUTPUT -p udp -o %s --dport %i -j ACCEPT >/dev/null 2>&1", interface, nat_traversal_port);
- safe_system(str);
- sprintf(str, "/sbin/iptables --wait -A IPSECOUTPUT -p udp -o %s --dport %i -j ACCEPT", interface, nat_traversal_port);
- safe_system(str);
-}
-
-void ipsec_norules() {
- /* clear input rules */
- safe_system("/sbin/iptables --wait -F IPSECINPUT");
- safe_system("/sbin/iptables --wait -F IPSECFORWARD");
- safe_system("/sbin/iptables --wait -F IPSECOUTPUT");
-}
-
/*
return values from the vpn config file or false if not 'on'
*/
"/usr/sbin/ipsec down %s >/dev/null", name);
safe_system(command);
- // Reload the IPsec block chain
- safe_system("/usr/lib/firewall/ipsec-block >/dev/null");
+ // Reload the IPsec firewall policy
+ safe_system("/usr/lib/firewall/ipsec-policy >/dev/null");
+
+ // Create or destroy interfaces
+ safe_system("/usr/local/bin/ipsec-interfaces >/dev/null");
// Reload the configuration into the daemon (#10339).
ipsec_reload();
// Bring the connection up again.
snprintf(command, STRING_SIZE - 1,
- "/usr/sbin/ipsec up %s >/dev/null", name);
+ "/usr/sbin/ipsec stroke up-nb %s >/dev/null", name);
safe_system(command);
}
// Reload, so the connection is dropped.
ipsec_reload();
- // Reload the IPsec block chain
- safe_system("/usr/lib/firewall/ipsec-block >/dev/null");
+ // Reload the IPsec firewall policy
+ safe_system("/usr/lib/firewall/ipsec-policy >/dev/null");
+
+ // Create or destroy interfaces
+ safe_system("/usr/local/bin/ipsec-interfaces >/dev/null");
}
int main(int argc, char *argv[]) {
- char configtype[STRING_SIZE];
- char redtype[STRING_SIZE] = "";
struct keyvalue *kv = NULL;
if (argc < 2) {
}
if (!(initsetuid()))
exit(1);
-
- FILE *file = NULL;
-
+
+ FILE *file = NULL;
if (strcmp(argv[1], "I") == 0) {
safe_system("/usr/sbin/ipsec status");
if (argc == 2) {
if (strcmp(argv[1], "D") == 0) {
safe_system("/usr/sbin/ipsec stop >/dev/null 2>&1");
- ipsec_norules();
+ safe_system("/usr/lib/firewall/ipsec-policy >/dev/null");
+ safe_system("/usr/local/bin/ipsec-interfaces >/dev/null");
exit(0);
}
}
exit(0);
}
- /* read interface settings */
- kv=initkeyvalues();
- if (!readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings"))
- {
- fprintf(stderr, "Cannot read ethernet settings\n");
- exit(1);
- }
- if (!findkey(kv, "CONFIG_TYPE", configtype))
- {
- fprintf(stderr, "Cannot read CONFIG_TYPE\n");
- exit(1);
- }
- findkey(kv, "RED_TYPE", redtype);
-
-
- /* Loop through the config file to find physical interface that will accept IPSEC */
- int enable_red=0; // states 0: not used
- int enable_green=0; // 1: error condition
- int enable_orange=0; // 2: good
- int enable_blue=0;
- char if_red[STRING_SIZE] = "";
- char if_green[STRING_SIZE] = "";
- char if_orange[STRING_SIZE] = "";
- char if_blue[STRING_SIZE] = "";
char s[STRING_SIZE];
- // when RED is up, find interface name in special file
- FILE *ifacefile = NULL;
- if ((ifacefile = fopen(CONFIG_ROOT "/red/iface", "r"))) {
- if (fgets(if_red, STRING_SIZE, ifacefile)) {
- if (if_red[strlen(if_red) - 1] == '\n')
- if_red[strlen(if_red) - 1] = '\0';
- }
- fclose (ifacefile);
-
- if (VALID_DEVICE(if_red))
- enable_red++;
- }
-
- // Check if GREEN is enabled.
- findkey(kv, "GREEN_DEV", if_green);
- if (VALID_DEVICE(if_green))
- enable_green++;
-
- // Check if ORANGE is enabled.
- findkey(kv, "ORANGE_DEV", if_orange);
- if (VALID_DEVICE(if_orange))
- enable_orange++;
-
- // Check if BLUE is enabled.
- findkey(kv, "BLUE_DEV", if_blue);
- if (VALID_DEVICE(if_blue))
- enable_blue++;
-
- freekeyvalues(kv);
-
- // exit if nothing to do
- if ((enable_red+enable_green+enable_orange+enable_blue) == 0)
- exit(0);
-
- // open needed ports
- if (enable_red > 0)
- open_physical(if_red, 4500);
-
- if (enable_green > 0)
- open_physical(if_green, 4500);
-
- if (enable_orange > 0)
- open_physical(if_orange, 4500);
-
- if (enable_blue > 0)
- open_physical(if_blue, 4500);
-
- // start the system
+ // start the system
if ((argc == 2) && strcmp(argv[1], "S") == 0) {
- safe_system("/usr/lib/firewall/ipsec-block >/dev/null");
+ safe_system("/usr/lib/firewall/ipsec-policy >/dev/null");
+ safe_system("/usr/local/bin/ipsec-interfaces >/dev/null");
safe_system("/usr/sbin/ipsec restart >/dev/null");
exit(0);
}
--- /dev/null
+#!/bin/bash
+############################################################################
+# #
+# This file is part of the IPFire Firewall. #
+# #
+# IPFire is free software; you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation; either version 2 of the License, or #
+# (at your option) any later version. #
+# #
+# IPFire is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with IPFire; if not, write to the Free Software #
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
+# #
+# Copyright (C) 2007 IPFire-Team <info@ipfire.org>. #
+# #
+############################################################################
+#
+. /opt/pakfire/lib/functions.sh
+
+if ! getent group zabbix &>/dev/null; then
+ groupadd -g 118 zabbix
+fi
+
+if ! getent passwd zabbix; then
+ useradd -u 118 -g zabbix -d /var/empty -s /bin/false zabbix
+fi
+
+extract_files
+
+# Create symlinks for runlevel interaction.
+ln -sf ../init.d/zabbix_agentd /etc/rc.d/rc3.d/S65zabbix_agentd
+ln -sf ../init.d/zabbix_agentd /etc/rc.d/rc0.d/K02zabbix_agentd
+ln -sf ../init.d/zabbix_agentd /etc/rc.d/rc6.d/K02zabbix_agentd
+
+# Create additonal directories and set permissions
+mkdir -pv /var/log/zabbix
+chown zabbix.zabbix /var/log/zabbix
+
+restore_backup ${NAME}
+start_service --background ${NAME}
--- /dev/null
+#!/bin/bash
+############################################################################
+# #
+# This file is part of the IPFire Firewall. #
+# #
+# IPFire is free software; you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation; either version 2 of the License, or #
+# (at your option) any later version. #
+# #
+# IPFire is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with IPFire; if not, write to the Free Software #
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
+# #
+# Copyright (C) 2007 IPFire-Team <info@ipfire.org>. #
+# #
+############################################################################
+#
+. /opt/pakfire/lib/functions.sh
+stop_service ${NAME}
+make_backup ${NAME}
+remove_files
+
+# Remove init-scripts and symlinks
+rm -rfv /etc/rc.d/rc*.d/*zabbix_agentd
--- /dev/null
+#!/bin/bash
+############################################################################
+# #
+# This file is part of the IPFire Firewall. #
+# #
+# IPFire is free software; you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation; either version 2 of the License, or #
+# (at your option) any later version. #
+# #
+# IPFire is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with IPFire; if not, write to the Free Software #
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
+# #
+# Copyright (C) 2007 IPFire-Team <info@ipfire.org>. #
+# #
+############################################################################
+#
+. /opt/pakfire/lib/functions.sh
+./uninstall.sh
+./install.sh
+++ /dev/null
-diff -Naur hostapd-2.6.org/hostapd/config_file.c hostapd-2.6/hostapd/config_file.c
---- hostapd-2.6.org/hostapd/config_file.c 2016-10-02 20:51:11.000000000 +0200
-+++ hostapd-2.6/hostapd/config_file.c 2018-10-26 09:16:34.393456086 +0200
-@@ -2863,6 +2863,10 @@
- }
- #endif /* CONFIG_IEEE80211W */
- #ifdef CONFIG_IEEE80211N
-+ } else if (os_strcmp(buf, "noscan") == 0) {
-+ conf->noscan = atoi(pos);
-+ } else if (os_strcmp(buf, "ht_coex") == 0) {
-+ conf->no_ht_coex = !atoi(pos);
- } else if (os_strcmp(buf, "ieee80211n") == 0) {
- conf->ieee80211n = atoi(pos);
- } else if (os_strcmp(buf, "ht_capab") == 0) {
-diff -Naur hostapd-2.6.org/src/ap/ap_config.h hostapd-2.6/src/ap/ap_config.h
---- hostapd-2.6.org/src/ap/ap_config.h 2016-10-02 20:51:11.000000000 +0200
-+++ hostapd-2.6/src/ap/ap_config.h 2018-10-26 09:16:34.393456086 +0200
-@@ -664,6 +664,8 @@
-
- int ht_op_mode_fixed;
- u16 ht_capab;
-+ int noscan;
-+ int no_ht_coex;
- int ieee80211n;
- int secondary_channel;
- int no_pri_sec_switch;
-diff -Naur hostapd-2.6.org/src/ap/hw_features.c hostapd-2.6/src/ap/hw_features.c
---- hostapd-2.6.org/src/ap/hw_features.c 2016-10-02 20:51:11.000000000 +0200
-+++ hostapd-2.6/src/ap/hw_features.c 2018-10-26 09:16:34.393456086 +0200
-@@ -474,7 +474,8 @@
- int ret;
-
- /* Check that HT40 is used and PRI / SEC switch is allowed */
-- if (!iface->conf->secondary_channel || iface->conf->no_pri_sec_switch)
-+ if (!iface->conf->secondary_channel || iface->conf->no_pri_sec_switch ||
-+ iface->conf->noscan)
- return 0;
-
- hostapd_set_state(iface, HAPD_IFACE_HT_SCAN);
-diff -Naur hostapd-2.6.org/src/ap/ieee802_11_ht.c hostapd-2.6/src/ap/ieee802_11_ht.c
---- hostapd-2.6.org/src/ap/ieee802_11_ht.c 2016-10-02 20:51:11.000000000 +0200
-+++ hostapd-2.6/src/ap/ieee802_11_ht.c 2018-10-26 09:17:42.976793198 +0200
-@@ -244,6 +244,9 @@
- if (!(iface->conf->ht_capab & HT_CAP_INFO_SUPP_CHANNEL_WIDTH_SET))
- return;
-
-+ if (iface->conf->noscan || iface->conf->no_ht_coex)
-+ return;
-+
- if (len < IEEE80211_HDRLEN + 2 + sizeof(*bc_ie))
- return;
-
-@@ -368,6 +371,9 @@
- if (iface->current_mode->mode != HOSTAPD_MODE_IEEE80211G)
- return;
-
-+ if (iface->conf->noscan || iface->conf->no_ht_coex)
-+ return;
-+
- wpa_printf(MSG_INFO, "HT: Forty MHz Intolerant is set by STA " MACSTR
- " in Association Request", MAC2STR(sta->addr));
-
-diff -Naur hostapd-2.3.org/src/ap/wpa_auth.c hostapd-2.3/src/ap/wpa_auth.c
---- hostapd-2.3.org/src/ap/wpa_auth.c 2014-10-09 16:41:31.000000000 +0200
-+++ hostapd-2.3/src/ap/wpa_auth.c 2015-04-07 16:32:10.671422975 +0200
-@@ -45,9 +45,9 @@
+diff U3 a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
+--- a/src/ap/wpa_auth.c Sun Dec 2 20:34:59 2018
++++ b/src/ap/wpa_auth.c Mon Mar 4 15:47:26 2019
+@@ -63,9 +63,9 @@
+ struct wpa_group *group);
+ static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos);
- static const u32 dot11RSNAConfigGroupUpdateCount = 4;
- static const u32 dot11RSNAConfigPairwiseUpdateCount = 4;
-static const u32 eapol_key_timeout_first = 100; /* ms */
-static const u32 eapol_key_timeout_subseq = 1000; /* ms */
-static const u32 eapol_key_timeout_first_group = 500; /* ms */
+static const u32 eapol_key_timeout_first = 300; /* ms */
+static const u32 eapol_key_timeout_subseq = 3000; /* ms */
+static const u32 eapol_key_timeout_first_group = 1500; /* ms */
+ static const u32 eapol_key_timeout_no_retrans = 4000; /* ms */
/* TODO: make these configurable */
- static const int dot11RSNAConfigPMKLifetime = 43200;
--- /dev/null
+diff U3 a/src/ap/ap_config.h b/src/ap/ap_config.h
+--- a/src/ap/ap_config.h Sun Dec 2 20:34:59 2018
++++ b/src/ap/ap_config.h Mon Mar 4 15:58:05 2019
+@@ -779,6 +779,8 @@
+
+ int ht_op_mode_fixed;
+ u16 ht_capab;
++ int noscan;
++ int no_ht_coex;
+ int ieee80211n;
+ int secondary_channel;
+ int no_pri_sec_switch;
+diff U3 a/hostapd/config_file.c b/hostapd/config_file.c
+--- a/hostapd/config_file.c Sun Dec 2 20:34:59 2018
++++ b/hostapd/config_file.c Mon Mar 4 15:56:51 2019
+@@ -3317,6 +3317,10 @@
+ }
+ #endif /* CONFIG_IEEE80211W */
+ #ifdef CONFIG_IEEE80211N
++ } else if (os_strcmp(buf, "noscan") == 0) {
++ conf->noscan = atoi(pos);
++ } else if (os_strcmp(buf, "ht_coex") == 0) {
++ conf->no_ht_coex = !atoi(pos);
+ } else if (os_strcmp(buf, "ieee80211n") == 0) {
+ conf->ieee80211n = atoi(pos);
+ } else if (os_strcmp(buf, "ht_capab") == 0) {
+diff U3 a/src/ap/hw_features.c b/src/ap/hw_features.c
+--- a/src/ap/hw_features.c Sun Dec 2 20:34:59 2018
++++ b/src/ap/hw_features.c Mon Mar 4 15:59:08 2019
+@@ -480,7 +480,8 @@
+ int ret;
+
+ /* Check that HT40 is used and PRI / SEC switch is allowed */
+- if (!iface->conf->secondary_channel || iface->conf->no_pri_sec_switch)
++ if (!iface->conf->secondary_channel || iface->conf->no_pri_sec_switch ||
++ iface->conf->noscan)
+ return 0;
+
+ hostapd_set_state(iface, HAPD_IFACE_HT_SCAN);
+diff U3 a/src/ap/ieee802_11_ht.c b/src/ap/ieee802_11_ht.c
+--- a/src/ap/ieee802_11_ht.c Sun Dec 2 20:34:59 2018
++++ b/src/ap/ieee802_11_ht.c Mon Mar 4 16:02:13 2019
+@@ -252,6 +252,9 @@
+ return;
+ }
+
++ if (iface->conf->noscan || iface->conf->no_ht_coex)
++ return;
++
+ if (len < IEEE80211_HDRLEN + 2 + sizeof(*bc_ie)) {
+ wpa_printf(MSG_DEBUG,
+ "Ignore too short 20/40 BSS Coexistence Management frame");
+@@ -410,6 +413,9 @@
+ void ht40_intolerant_add(struct hostapd_iface *iface, struct sta_info *sta)
+ {
+ if (iface->current_mode->mode != HOSTAPD_MODE_IEEE80211G)
++ return;
++
++ if (iface->conf->noscan || iface->conf->no_ht_coex)
+ return;
+
+ wpa_printf(MSG_INFO, "HT: Forty MHz Intolerant is set by STA " MACSTR
+++ /dev/null
-diff -urNp old/apps/snmpusm.c new/apps/snmpusm.c
---- old/apps/snmpusm.c 2014-12-08 21:23:22.000000000 +0100
-+++ new/apps/snmpusm.c 2017-02-20 15:20:36.994022905 +0100
-@@ -190,7 +190,7 @@ get_USM_DH_key(netsnmp_variable_list *va
- oid *keyoid, size_t keyoid_len) {
- u_char *dhkeychange;
- DH *dh;
-- BIGNUM *other_pub;
-+ BIGNUM *p, *g, *pub_key, *other_pub;
- u_char *key;
- size_t key_len;
-
-@@ -205,25 +205,29 @@ get_USM_DH_key(netsnmp_variable_list *va
- dh = d2i_DHparams(NULL, &cp, dhvar->val_len);
- }
-
-- if (!dh || !dh->g || !dh->p) {
-+ if (dh)
-+ DH_get0_pqg(dh, &p, NULL, &g);
-+
-+ if (!dh || !g || !p) {
- SNMP_FREE(dhkeychange);
- return SNMPERR_GENERR;
- }
-
-- DH_generate_key(dh);
-- if (!dh->pub_key) {
-+ if (!DH_generate_key(dh)) {
- SNMP_FREE(dhkeychange);
- return SNMPERR_GENERR;
- }
-
-- if (vars->val_len != (unsigned int)BN_num_bytes(dh->pub_key)) {
-+ DH_get0_key(dh, &pub_key, NULL);
-+
-+ if (vars->val_len != (unsigned int)BN_num_bytes(pub_key)) {
- SNMP_FREE(dhkeychange);
- fprintf(stderr,"incorrect diffie-helman lengths (%lu != %d)\n",
-- (unsigned long)vars->val_len, BN_num_bytes(dh->pub_key));
-+ (unsigned long)vars->val_len, BN_num_bytes(pub_key));
- return SNMPERR_GENERR;
- }
-
-- BN_bn2bin(dh->pub_key, dhkeychange + vars->val_len);
-+ BN_bn2bin(pub_key, dhkeychange + vars->val_len);
-
- key_len = DH_size(dh);
- if (!key_len) {
-diff -urNp old/configure new/configure
---- old/configure 2017-02-20 10:08:16.440396223 +0100
-+++ new/configure 2017-02-20 10:57:15.749734281 +0100
-@@ -23176,9 +23176,9 @@ $as_echo "#define HAVE_AES_CFB128_ENCRYP
- fi
-
-
-- as_ac_Lib=`$as_echo "ac_cv_lib_${CRYPTO}''_EVP_MD_CTX_create" | $as_tr_sh`
--{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for EVP_MD_CTX_create in -l${CRYPTO}" >&5
--$as_echo_n "checking for EVP_MD_CTX_create in -l${CRYPTO}... " >&6; }
-+ as_ac_Lib=`$as_echo "ac_cv_lib_${CRYPTO}''_EVP_MD_CTX_new" | $as_tr_sh`
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for EVP_MD_CTX_new in -l${CRYPTO}" >&5
-+$as_echo_n "checking for EVP_MD_CTX_new in -l${CRYPTO}... " >&6; }
- if eval \${$as_ac_Lib+:} false; then :
- $as_echo_n "(cached) " >&6
- else
-@@ -23193,11 +23193,11 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_
- #ifdef __cplusplus
- extern "C"
- #endif
--char EVP_MD_CTX_create ();
-+char EVP_MD_CTX_new ();
- int
- main ()
- {
--return EVP_MD_CTX_create ();
-+return EVP_MD_CTX_new ();
- ;
- return 0;
- }
-@@ -23216,10 +23216,10 @@ eval ac_res=\$$as_ac_Lib
- $as_echo "$ac_res" >&6; }
- if eval test \"x\$"$as_ac_Lib"\" = x"yes"; then :
-
--$as_echo "#define HAVE_EVP_MD_CTX_CREATE /**/" >>confdefs.h
-+$as_echo "#define HAVE_EVP_MD_CTX_NEW /**/" >>confdefs.h
-
-
--$as_echo "#define HAVE_EVP_MD_CTX_DESTROY /**/" >>confdefs.h
-+$as_echo "#define HAVE_EVP_MD_CTX_FREE /**/" >>confdefs.h
-
- fi
-
-@@ -23293,7 +23293,7 @@ char SSL_library_init ();
- int
- main ()
- {
--return SSL_library_init ();
-+return OPENSSL_init_ssl(0, NULL);
- ;
- return 0;
- }
-diff -urNp old/configure.d/config_os_libs2 new/configure.d/config_os_libs2
---- old/configure.d/config_os_libs2 2014-12-08 21:23:22.000000000 +0100
-+++ new/configure.d/config_os_libs2 2017-02-20 10:56:21.041616611 +0100
-@@ -292,11 +292,11 @@ if test "x$tryopenssl" != "xno" -a "x$tr
- AC_DEFINE(HAVE_AES_CFB128_ENCRYPT, 1,
- [Define to 1 if you have the `AES_cfb128_encrypt' function.]))
-
-- AC_CHECK_LIB(${CRYPTO}, EVP_MD_CTX_create,
-- AC_DEFINE([HAVE_EVP_MD_CTX_CREATE], [],
-- [Define to 1 if you have the `EVP_MD_CTX_create' function.])
-- AC_DEFINE([HAVE_EVP_MD_CTX_DESTROY], [],
-- [Define to 1 if you have the `EVP_MD_CTX_destroy' function.]))
-+ AC_CHECK_LIB(${CRYPTO}, EVP_MD_CTX_new,
-+ AC_DEFINE([HAVE_EVP_MD_CTX_NEW], [],
-+ [Define to 1 if you have the `EVP_MD_CTX_new' function.])
-+ AC_DEFINE([HAVE_EVP_MD_CTX_FREE], [],
-+ [Define to 1 if you have the `EVP_MD_CTX_free' function.]))
- fi
- if echo " $transport_result_list " | $GREP "DTLS" > /dev/null; then
- AC_CHECK_LIB(ssl, DTLSv1_method,
-@@ -307,7 +307,7 @@ if test "x$tryopenssl" != "xno" -a "x$tr
- TLSPROG=yes
- fi
- if echo " $transport_result_list " | $GREP "TLS" > /dev/null; then
-- AC_CHECK_LIB(ssl, SSL_library_init,
-+ AC_CHECK_LIB(ssl, OPENSSL_init_ssl,
- AC_DEFINE(HAVE_LIBSSL, 1,
- [Define to 1 if you have the `ssl' library (-lssl).])
- LIBCRYPTO=" -lssl $LIBCRYPTO",
-diff -urNp old/include/net-snmp/net-snmp-config.h.in new/include/net-snmp/net-snmp-config.h.in
---- old/include/net-snmp/net-snmp-config.h.in 2017-02-20 10:08:16.443522417 +0100
-+++ new/include/net-snmp/net-snmp-config.h.in 2017-02-20 10:24:05.790584283 +0100
-@@ -149,11 +149,11 @@
- /* Define to 1 if you have the `eval_pv' function. */
- #undef HAVE_EVAL_PV
-
--/* Define to 1 if you have the `EVP_MD_CTX_create' function. */
--#undef HAVE_EVP_MD_CTX_CREATE
-+/* Define to 1 if you have the `EVP_MD_CTX_new' function. */
-+#undef HAVE_EVP_MD_CTX_NEW
-
--/* Define to 1 if you have the `EVP_MD_CTX_destroy' function. */
--#undef HAVE_EVP_MD_CTX_DESTROY
-+/* Define to 1 if you have the `EVP_MD_CTX_free' function. */
-+#undef HAVE_EVP_MD_CTX_FREE
-
- /* Define if you have EVP_sha224/256 in openssl */
- #undef HAVE_EVP_SHA224
-diff -urNp old/snmplib/keytools.c new/snmplib/keytools.c
---- old/snmplib/keytools.c 2014-12-08 21:23:22.000000000 +0100
-+++ new/snmplib/keytools.c 2017-02-20 10:30:27.412068264 +0100
-@@ -149,8 +149,8 @@ generate_Ku(const oid * hashtype, u_int
- */
- #ifdef NETSNMP_USE_OPENSSL
-
--#ifdef HAVE_EVP_MD_CTX_CREATE
-- ctx = EVP_MD_CTX_create();
-+#ifdef HAVE_EVP_MD_CTX_NEW
-+ ctx = EVP_MD_CTX_new();
- #else
- ctx = malloc(sizeof(*ctx));
- if (!EVP_MD_CTX_init(ctx))
-@@ -259,8 +259,8 @@ generate_Ku(const oid * hashtype, u_int
- memset(buf, 0, sizeof(buf));
- #ifdef NETSNMP_USE_OPENSSL
- if (ctx) {
--#ifdef HAVE_EVP_MD_CTX_DESTROY
-- EVP_MD_CTX_destroy(ctx);
-+#ifdef HAVE_EVP_MD_CTX_FREE
-+ EVP_MD_CTX_free(ctx);
- #else
- EVP_MD_CTX_cleanup(ctx);
- free(ctx);
-diff -urNp old/snmplib/scapi.c new/snmplib/scapi.c
---- old/snmplib/scapi.c 2014-12-08 21:23:22.000000000 +0100
-+++ new/snmplib/scapi.c 2017-02-20 10:27:34.152379515 +0100
-@@ -486,14 +486,14 @@ sc_hash(const oid * hashtype, size_t has
- }
-
- /** initialize the pointer */
--#ifdef HAVE_EVP_MD_CTX_CREATE
-- cptr = EVP_MD_CTX_create();
-+#ifdef HAVE_EVP_MD_CTX_NEW
-+ cptr = EVP_MD_CTX_new();
- #else
- cptr = malloc(sizeof(*cptr));
- #if defined(OLD_DES)
- memset(cptr, 0, sizeof(*cptr));
- #else
-- EVP_MD_CTX_init(cptr);
-+ EVP_MD_CTX_init(&cptr);
- #endif
- #endif
- if (!EVP_DigestInit(cptr, hashfn)) {
-@@ -507,11 +507,11 @@ sc_hash(const oid * hashtype, size_t has
- /** do the final pass */
- EVP_DigestFinal(cptr, MAC, &tmp_len);
- *MAC_len = tmp_len;
--#ifdef HAVE_EVP_MD_CTX_DESTROY
-- EVP_MD_CTX_destroy(cptr);
-+#ifdef HAVE_EVP_MD_CTX_FREE
-+ EVP_MD_CTX_free(cptr);
- #else
- #if !defined(OLD_DES)
-- EVP_MD_CTX_cleanup(cptr);
-+ EVP_MD_CTX_cleanup(&cptr);
- #endif
- free(cptr);
- #endif
-diff -urNp old/snmplib/snmp_openssl.c new/snmplib/snmp_openssl.c
---- old/snmplib/snmp_openssl.c 2014-12-08 21:23:22.000000000 +0100
-+++ new/snmplib/snmp_openssl.c 2017-02-20 12:46:00.059727928 +0100
-@@ -47,7 +47,7 @@ void netsnmp_init_openssl(void) {
- DEBUGMSGTL(("snmp_openssl", "initializing\n"));
-
- /* Initializing OpenSSL */
-- SSL_library_init();
-+ OPENSSL_init_ssl(0, NULL);
- SSL_load_error_strings();
- ERR_load_BIO_strings();
- OpenSSL_add_all_algorithms();
-@@ -164,11 +164,11 @@ netsnmp_openssl_cert_dump_names(X509 *oc
- oname_entry = X509_NAME_get_entry(osubj_name, i);
- netsnmp_assert(NULL != oname_entry);
-
-- if (oname_entry->value->type != V_ASN1_PRINTABLESTRING)
-+ if (X509_NAME_ENTRY_get_data(oname_entry)->type != V_ASN1_PRINTABLESTRING)
- continue;
-
- /** get NID */
-- onid = OBJ_obj2nid(oname_entry->object);
-+ onid = OBJ_obj2nid(X509_NAME_ENTRY_get_object(oname_entry));
- if (onid == NID_undef) {
- prefix_long = prefix_short = "UNKNOWN";
- }
-@@ -179,9 +179,9 @@ netsnmp_openssl_cert_dump_names(X509 *oc
-
- DEBUGMSGT(("9:cert:dump:names",
- "[%02d] NID type %d, ASN type %d\n", i, onid,
-- oname_entry->value->type));
-+ X509_NAME_ENTRY_get_data(oname_entry)->type));
- DEBUGMSGT(("9:cert:dump:names", "%s/%s: '%s'\n", prefix_long,
-- prefix_short, ASN1_STRING_data(oname_entry->value)));
-+ prefix_short, ASN1_STRING_data(X509_NAME_ENTRY_get_data(oname_entry))));
- }
- }
- #endif /* NETSNMP_FEATURE_REMOVE_CERT_DUMP_NAMES */
-@@ -470,7 +470,7 @@ netsnmp_openssl_cert_get_hash_type(X509
- if (NULL == ocert)
- return 0;
-
-- return _nid2ht(OBJ_obj2nid(ocert->sig_alg->algorithm));
-+ return _nid2ht(X509_get_signature_nid(ocert));
- }
-
- /**
-@@ -487,7 +487,7 @@ netsnmp_openssl_cert_get_fingerprint(X50
- if (NULL == ocert)
- return NULL;
-
-- nid = OBJ_obj2nid(ocert->sig_alg->algorithm);
-+ nid = X509_get_signature_nid(ocert);
- DEBUGMSGT(("9:openssl:fingerprint", "alg %d, cert nid %d (%d)\n", alg, nid,
- _nid2ht(nid)));
-
-diff -urNp old/win32/net-snmp/net-snmp-config.h new/win32/net-snmp/net-snmp-config.h
---- old/win32/net-snmp/net-snmp-config.h 2014-12-08 21:23:22.000000000 +0100
-+++ new/win32/net-snmp/net-snmp-config.h 2017-02-20 10:23:20.796778512 +0100
-@@ -1366,11 +1366,11 @@
- /* Define to 1 if you have the <openssl/aes.h> header file. */
- #define HAVE_OPENSSL_AES_H 1
-
--/* Define to 1 if you have the `EVP_MD_CTX_create' function. */
--#define HAVE_EVP_MD_CTX_CREATE 1
-+/* Define to 1 if you have the `EVP_MD_CTX_new' function. */
-+#define HAVE_EVP_MD_CTX_NEW 1
-
--/* Define to 1 if you have the `EVP_MD_CTX_destroy' function. */
--#define HAVE_EVP_MD_CTX_DESTROY 1
-+/* Define to 1 if you have the `EVP_MD_CTX_free' function. */
-+#define HAVE_EVP_MD_CTX_FREE 1
-
- /* Define to 1 if you have the `AES_cfb128_encrypt' function. */
- #define HAVE_AES_CFB128_ENCRYPT 1
-diff -urNp old/win32/net-snmp/net-snmp-config.h.in new/win32/net-snmp/net-snmp-config.h.in
---- old/win32/net-snmp/net-snmp-config.h.in 2014-12-08 21:23:22.000000000 +0100
-+++ new/win32/net-snmp/net-snmp-config.h.in 2017-02-20 10:22:51.348367754 +0100
-@@ -1366,11 +1366,11 @@
- /* Define to 1 if you have the <openssl/aes.h> header file. */
- #define HAVE_OPENSSL_AES_H 1
-
--/* Define to 1 if you have the `EVP_MD_CTX_create' function. */
--#define HAVE_EVP_MD_CTX_CREATE 1
-+/* Define to 1 if you have the `EVP_MD_CTX_new' function. */
-+#define HAVE_EVP_MD_CTX_NEW 1
-
--/* Define to 1 if you have the `EVP_MD_CTX_destroy' function. */
--#define HAVE_EVP_MD_CTX_DESTROY 1
-+/* Define to 1 if you have the `EVP_MD_CTX_free' function. */
-+#define HAVE_EVP_MD_CTX_FREE 1
-
- /* Define to 1 if you have the `AES_cfb128_encrypt' function. */
- #define HAVE_AES_CFB128_ENCRYPT 1
--- /dev/null
+--- strongswan-5.7.0/src/_updown/_updown.in.bak 2019-02-06 18:19:25.723893992 +0000
++++ strongswan-5.7.0/src/_updown/_updown.in 2019-02-06 18:28:21.520560665 +0000
+@@ -130,6 +130,13 @@
+ # address family.
+ #
+
++VARS=(
++ id status name lefthost type ctype psk local local_id leftsubnets
++ remote_id remote rightsubnets x3 x4 x5 x6 x7 x8 x9 x10 x11 x12
++ x13 x14 x15 x16 x17 x18 x19 proto x20 x21 x22
++ route x23 mode interface_mode interface_address interface_mtu rest
++)
++
+ function ip_encode() {
+ local IFS=.
+
+@@ -319,6 +326,13 @@
+ fi
+ ;;
+ up-client:iptables)
++ # Read IPsec configuration
++ while IFS="," read -r "${VARS[@]}"; do
++ if [ "${PLUTO_CONNECTION}" = "${name}" ]; then
++ break
++ fi
++ done < /var/ipfire/vpn/config
++
+ # connection to client subnet, with (left/right)firewall=yes, coming up
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+@@ -383,23 +397,25 @@
+ "tunnel+ $PLUTO_PEER -- $PLUTO_ME"
+ fi
+
+- # Add source nat so also the gateway can access the other nets
+- eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
+- for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
+- ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
+- if [ $? -eq 0 ]; then
+- src=${_src}
+- break
++ if [ -z "${interface_mode}" ]; then
++ # Add source nat so also the gateway can access the other nets
++ eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
++ for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
++ ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
++ if [ $? -eq 0 ]; then
++ src=${_src}
++ break
++ fi
++ done
++
++ if [ -n "${src}" ]; then
++ iptables --wait -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
++ logger -t $TAG -p $FAC_PRIO \
++ "snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
++ else
++ logger -t $TAG -p $FAC_PRIO \
++ "Cannot create NAT rule because no IP of the IPFire does match the subnet. $PLUTO_MY_CLIENT"
+ fi
+- done
+-
+- if [ -n "${src}" ]; then
+- iptables --wait -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
+- logger -t $TAG -p $FAC_PRIO \
+- "snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
+- else
+- logger -t $TAG -p $FAC_PRIO \
+- "Cannot create NAT rule because no IP of the IPFire does match the subnet. $PLUTO_MY_CLIENT"
+ fi
+
+ # Flush routing cache
+++ /dev/null
-From 3692833a62280a0270e4e1ba30f9acf5a8c8f808 Mon Sep 17 00:00:00 2001
-From: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
-Date: Fri, 14 Jul 2017 15:15:35 +0200
-Subject: [PATCH 1/8] hostapd: Avoid key reinstallation in FT handshake
-
-Do not reinstall TK to the driver during Reassociation Response frame
-processing if the first attempt of setting the TK succeeded. This avoids
-issues related to clearing the TX/RX PN that could result in reusing
-same PN values for transmitted frames (e.g., due to CCM nonce reuse and
-also hitting replay protection on the receiver) and accepting replayed
-frames on RX side.
-
-This issue was introduced by the commit
-0e84c25434e6a1f283c7b4e62e483729085b78d2 ('FT: Fix PTK configuration in
-authenticator') which allowed wpa_ft_install_ptk() to be called multiple
-times with the same PTK. While the second configuration attempt is
-needed with some drivers, it must be done only if the first attempt
-failed.
-
-Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
----
- src/ap/ieee802_11.c | 16 +++++++++++++---
- src/ap/wpa_auth.c | 11 +++++++++++
- src/ap/wpa_auth.h | 3 ++-
- src/ap/wpa_auth_ft.c | 10 ++++++++++
- src/ap/wpa_auth_i.h | 1 +
- 5 files changed, 37 insertions(+), 4 deletions(-)
-
-diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
-index 5163139..174af8b 100644
---- a/src/ap/ieee802_11.c
-+++ b/src/ap/ieee802_11.c
-@@ -2552,6 +2552,7 @@ static int add_associated_sta(struct hostapd_data *hapd,
- {
- struct ieee80211_ht_capabilities ht_cap;
- struct ieee80211_vht_capabilities vht_cap;
-+ int set = 1;
-
- /*
- * Remove the STA entry to ensure the STA PS state gets cleared and
-@@ -2559,9 +2560,18 @@ static int add_associated_sta(struct hostapd_data *hapd,
- * FT-over-the-DS, where a station re-associates back to the same AP but
- * skips the authentication flow, or if working with a driver that
- * does not support full AP client state.
-+ *
-+ * Skip this if the STA has already completed FT reassociation and the
-+ * TK has been configured since the TX/RX PN must not be reset to 0 for
-+ * the same key.
- */
-- if (!sta->added_unassoc)
-+ if (!sta->added_unassoc &&
-+ (!(sta->flags & WLAN_STA_AUTHORIZED) ||
-+ !wpa_auth_sta_ft_tk_already_set(sta->wpa_sm))) {
- hostapd_drv_sta_remove(hapd, sta->addr);
-+ wpa_auth_sm_event(sta->wpa_sm, WPA_DRV_STA_REMOVED);
-+ set = 0;
-+ }
-
- #ifdef CONFIG_IEEE80211N
- if (sta->flags & WLAN_STA_HT)
-@@ -2584,11 +2594,11 @@ static int add_associated_sta(struct hostapd_data *hapd,
- sta->flags & WLAN_STA_VHT ? &vht_cap : NULL,
- sta->flags | WLAN_STA_ASSOC, sta->qosinfo,
- sta->vht_opmode, sta->p2p_ie ? 1 : 0,
-- sta->added_unassoc)) {
-+ set)) {
- hostapd_logger(hapd, sta->addr,
- HOSTAPD_MODULE_IEEE80211, HOSTAPD_LEVEL_NOTICE,
- "Could not %s STA to kernel driver",
-- sta->added_unassoc ? "set" : "add");
-+ set ? "set" : "add");
-
- if (sta->added_unassoc) {
- hostapd_drv_sta_remove(hapd, sta->addr);
-diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
-index aca687c..42ef0bf 100644
---- a/src/ap/wpa_auth.c
-+++ b/src/ap/wpa_auth.c
-@@ -1785,6 +1785,9 @@ int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event)
- #else /* CONFIG_FILS */
- break;
- #endif /* CONFIG_FILS */
-+ case WPA_DRV_STA_REMOVED:
-+ sm->tk_already_set = FALSE;
-+ return 0;
- }
-
- #ifdef CONFIG_IEEE80211R_AP
-@@ -3939,6 +3942,14 @@ int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm)
- }
-
-
-+int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm)
-+{
-+ if (!sm || !wpa_key_mgmt_ft(sm->wpa_key_mgmt))
-+ return 0;
-+ return sm->tk_already_set;
-+}
-+
-+
- int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm,
- struct rsn_pmksa_cache_entry *entry)
- {
-diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h
-index 5e8a4cc..f92f8b6 100644
---- a/src/ap/wpa_auth.h
-+++ b/src/ap/wpa_auth.h
-@@ -300,7 +300,7 @@ void wpa_receive(struct wpa_authenticator *wpa_auth,
- u8 *data, size_t data_len);
- enum wpa_event {
- WPA_AUTH, WPA_ASSOC, WPA_DISASSOC, WPA_DEAUTH, WPA_REAUTH,
-- WPA_REAUTH_EAPOL, WPA_ASSOC_FT, WPA_ASSOC_FILS
-+ WPA_REAUTH_EAPOL, WPA_ASSOC_FT, WPA_ASSOC_FILS, WPA_DRV_STA_REMOVED
- };
- void wpa_remove_ptk(struct wpa_state_machine *sm);
- int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event);
-@@ -313,6 +313,7 @@ int wpa_auth_pairwise_set(struct wpa_state_machine *sm);
- int wpa_auth_get_pairwise(struct wpa_state_machine *sm);
- int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm);
- int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm);
-+int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm);
- int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm,
- struct rsn_pmksa_cache_entry *entry);
- struct rsn_pmksa_cache_entry *
-diff --git a/src/ap/wpa_auth_ft.c b/src/ap/wpa_auth_ft.c
-index dd99db7..2120cfd 100644
---- a/src/ap/wpa_auth_ft.c
-+++ b/src/ap/wpa_auth_ft.c
-@@ -1937,6 +1937,14 @@ void wpa_ft_install_ptk(struct wpa_state_machine *sm)
- return;
- }
-
-+ if (sm->tk_already_set) {
-+ /* Must avoid TK reconfiguration to prevent clearing of TX/RX
-+ * PN in the driver */
-+ wpa_printf(MSG_DEBUG,
-+ "FT: Do not re-install same PTK to the driver");
-+ return;
-+ }
-+
- /* FIX: add STA entry to kernel/driver here? The set_key will fail
- * most likely without this.. At the moment, STA entry is added only
- * after association has been completed. This function will be called
-@@ -1949,6 +1957,7 @@ void wpa_ft_install_ptk(struct wpa_state_machine *sm)
-
- /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */
- sm->pairwise_set = TRUE;
-+ sm->tk_already_set = TRUE;
- }
-
-
-@@ -2152,6 +2161,7 @@ static int wpa_ft_process_auth_req(struct wpa_state_machine *sm,
-
- sm->pairwise = pairwise;
- sm->PTK_valid = TRUE;
-+ sm->tk_already_set = FALSE;
- wpa_ft_install_ptk(sm);
-
- buflen = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) +
-diff --git a/src/ap/wpa_auth_i.h b/src/ap/wpa_auth_i.h
-index 23d2af3..b779af7 100644
---- a/src/ap/wpa_auth_i.h
-+++ b/src/ap/wpa_auth_i.h
-@@ -61,6 +61,7 @@ struct wpa_state_machine {
- struct wpa_ptk PTK;
- Boolean PTK_valid;
- Boolean pairwise_set;
-+ Boolean tk_already_set;
- int keycount;
- Boolean Pair;
- struct wpa_key_replay_counter {
---
-2.7.4
-
+++ /dev/null
-From cf62cadcadc68377d72e2238a0f06b21c0777f90 Mon Sep 17 00:00:00 2001
-From: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
-Date: Wed, 12 Jul 2017 16:03:24 +0200
-Subject: [PATCH 2/8] Prevent reinstallation of an already in-use group key
-
-Track the current GTK and IGTK that is in use and when receiving a
-(possibly retransmitted) Group Message 1 or WNM-Sleep Mode Response, do
-not install the given key if it is already in use. This prevents an
-attacker from trying to trick the client into resetting or lowering the
-sequence counter associated to the group key.
-
-Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
----
- src/common/wpa_common.h | 11 +++++
- src/rsn_supp/wpa.c | 118 ++++++++++++++++++++++++++++++------------------
- src/rsn_supp/wpa_i.h | 4 ++
- 3 files changed, 88 insertions(+), 45 deletions(-)
-
-diff --git a/src/common/wpa_common.h b/src/common/wpa_common.h
-index cc8edf8..0872b12 100644
---- a/src/common/wpa_common.h
-+++ b/src/common/wpa_common.h
-@@ -221,6 +221,17 @@ struct wpa_ptk {
- size_t tk_len;
- };
-
-+struct wpa_gtk {
-+ u8 gtk[WPA_GTK_MAX_LEN];
-+ size_t gtk_len;
-+};
-+
-+#ifdef CONFIG_IEEE80211W
-+struct wpa_igtk {
-+ u8 igtk[WPA_IGTK_MAX_LEN];
-+ size_t igtk_len;
-+};
-+#endif /* CONFIG_IEEE80211W */
-
- /* WPA IE version 1
- * 00-50-f2:1 (OUI:OUI type)
-diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
-index 739689d..5e5fb2a 100644
---- a/src/rsn_supp/wpa.c
-+++ b/src/rsn_supp/wpa.c
-@@ -800,6 +800,15 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
- const u8 *_gtk = gd->gtk;
- u8 gtk_buf[32];
-
-+ /* Detect possible key reinstallation */
-+ if (sm->gtk.gtk_len == (size_t) gd->gtk_len &&
-+ os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) {
-+ wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
-+ "WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)",
-+ gd->keyidx, gd->tx, gd->gtk_len);
-+ return 0;
-+ }
-+
- wpa_hexdump_key(MSG_DEBUG, "WPA: Group Key", gd->gtk, gd->gtk_len);
- wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
- "WPA: Installing GTK to the driver (keyidx=%d tx=%d len=%d)",
-@@ -834,6 +843,9 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
- }
- os_memset(gtk_buf, 0, sizeof(gtk_buf));
-
-+ sm->gtk.gtk_len = gd->gtk_len;
-+ os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len);
-+
- return 0;
- }
-
-@@ -940,6 +952,48 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm,
- }
-
-
-+#ifdef CONFIG_IEEE80211W
-+static int wpa_supplicant_install_igtk(struct wpa_sm *sm,
-+ const struct wpa_igtk_kde *igtk)
-+{
-+ size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
-+ u16 keyidx = WPA_GET_LE16(igtk->keyid);
-+
-+ /* Detect possible key reinstallation */
-+ if (sm->igtk.igtk_len == len &&
-+ os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) {
-+ wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
-+ "WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)",
-+ keyidx);
-+ return 0;
-+ }
-+
-+ wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
-+ "WPA: IGTK keyid %d pn %02x%02x%02x%02x%02x%02x",
-+ keyidx, MAC2STR(igtk->pn));
-+ wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK", igtk->igtk, len);
-+ if (keyidx > 4095) {
-+ wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
-+ "WPA: Invalid IGTK KeyID %d", keyidx);
-+ return -1;
-+ }
-+ if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher),
-+ broadcast_ether_addr,
-+ keyidx, 0, igtk->pn, sizeof(igtk->pn),
-+ igtk->igtk, len) < 0) {
-+ wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
-+ "WPA: Failed to configure IGTK to the driver");
-+ return -1;
-+ }
-+
-+ sm->igtk.igtk_len = len;
-+ os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len);
-+
-+ return 0;
-+}
-+#endif /* CONFIG_IEEE80211W */
-+
-+
- static int ieee80211w_set_keys(struct wpa_sm *sm,
- struct wpa_eapol_ie_parse *ie)
- {
-@@ -950,30 +1004,14 @@ static int ieee80211w_set_keys(struct wpa_sm *sm,
- if (ie->igtk) {
- size_t len;
- const struct wpa_igtk_kde *igtk;
-- u16 keyidx;
-+
- len = wpa_cipher_key_len(sm->mgmt_group_cipher);
- if (ie->igtk_len != WPA_IGTK_KDE_PREFIX_LEN + len)
- return -1;
-+
- igtk = (const struct wpa_igtk_kde *) ie->igtk;
-- keyidx = WPA_GET_LE16(igtk->keyid);
-- wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: IGTK keyid %d "
-- "pn %02x%02x%02x%02x%02x%02x",
-- keyidx, MAC2STR(igtk->pn));
-- wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK",
-- igtk->igtk, len);
-- if (keyidx > 4095) {
-- wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
-- "WPA: Invalid IGTK KeyID %d", keyidx);
-- return -1;
-- }
-- if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher),
-- broadcast_ether_addr,
-- keyidx, 0, igtk->pn, sizeof(igtk->pn),
-- igtk->igtk, len) < 0) {
-- wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
-- "WPA: Failed to configure IGTK to the driver");
-+ if (wpa_supplicant_install_igtk(sm, igtk) < 0)
- return -1;
-- }
- }
-
- return 0;
-@@ -2491,7 +2529,7 @@ void wpa_sm_deinit(struct wpa_sm *sm)
- */
- void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
- {
-- int clear_ptk = 1;
-+ int clear_keys = 1;
-
- if (sm == NULL)
- return;
-@@ -2517,7 +2555,7 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
- /* Prepare for the next transition */
- wpa_ft_prepare_auth_request(sm, NULL);
-
-- clear_ptk = 0;
-+ clear_keys = 0;
- }
- #endif /* CONFIG_IEEE80211R */
- #ifdef CONFIG_FILS
-@@ -2527,11 +2565,11 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
- * AUTHENTICATED state to get the EAPOL port Authorized.
- */
- wpa_supplicant_key_neg_complete(sm, sm->bssid, 1);
-- clear_ptk = 0;
-+ clear_keys = 0;
- }
- #endif /* CONFIG_FILS */
-
-- if (clear_ptk) {
-+ if (clear_keys) {
- /*
- * IEEE 802.11, 8.4.10: Delete PTK SA on (re)association if
- * this is not part of a Fast BSS Transition.
-@@ -2541,6 +2579,10 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
- os_memset(&sm->ptk, 0, sizeof(sm->ptk));
- sm->tptk_set = 0;
- os_memset(&sm->tptk, 0, sizeof(sm->tptk));
-+ os_memset(&sm->gtk, 0, sizeof(sm->gtk));
-+#ifdef CONFIG_IEEE80211W
-+ os_memset(&sm->igtk, 0, sizeof(sm->igtk));
-+#endif /* CONFIG_IEEE80211W */
- }
-
- #ifdef CONFIG_TDLS
-@@ -3117,6 +3159,10 @@ void wpa_sm_drop_sa(struct wpa_sm *sm)
- os_memset(sm->pmk, 0, sizeof(sm->pmk));
- os_memset(&sm->ptk, 0, sizeof(sm->ptk));
- os_memset(&sm->tptk, 0, sizeof(sm->tptk));
-+ os_memset(&sm->gtk, 0, sizeof(sm->gtk));
-+#ifdef CONFIG_IEEE80211W
-+ os_memset(&sm->igtk, 0, sizeof(sm->igtk));
-+#endif /* CONFIG_IEEE80211W */
- #ifdef CONFIG_IEEE80211R
- os_memset(sm->xxkey, 0, sizeof(sm->xxkey));
- os_memset(sm->pmk_r0, 0, sizeof(sm->pmk_r0));
-@@ -3189,29 +3235,11 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf)
- os_memset(&gd, 0, sizeof(gd));
- #ifdef CONFIG_IEEE80211W
- } else if (subelem_id == WNM_SLEEP_SUBELEM_IGTK) {
-- struct wpa_igtk_kde igd;
-- u16 keyidx;
--
-- os_memset(&igd, 0, sizeof(igd));
-- keylen = wpa_cipher_key_len(sm->mgmt_group_cipher);
-- os_memcpy(igd.keyid, buf + 2, 2);
-- os_memcpy(igd.pn, buf + 4, 6);
--
-- keyidx = WPA_GET_LE16(igd.keyid);
-- os_memcpy(igd.igtk, buf + 10, keylen);
--
-- wpa_hexdump_key(MSG_DEBUG, "Install IGTK (WNM SLEEP)",
-- igd.igtk, keylen);
-- if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher),
-- broadcast_ether_addr,
-- keyidx, 0, igd.pn, sizeof(igd.pn),
-- igd.igtk, keylen) < 0) {
-- wpa_printf(MSG_DEBUG, "Failed to install the IGTK in "
-- "WNM mode");
-- os_memset(&igd, 0, sizeof(igd));
-+ const struct wpa_igtk_kde *igtk;
-+
-+ igtk = (const struct wpa_igtk_kde *) (buf + 2);
-+ if (wpa_supplicant_install_igtk(sm, igtk) < 0)
- return -1;
-- }
-- os_memset(&igd, 0, sizeof(igd));
- #endif /* CONFIG_IEEE80211W */
- } else {
- wpa_printf(MSG_DEBUG, "Unknown element id");
-diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h
-index 82e1941..2827ed6 100644
---- a/src/rsn_supp/wpa_i.h
-+++ b/src/rsn_supp/wpa_i.h
-@@ -31,6 +31,10 @@ struct wpa_sm {
- u8 rx_replay_counter[WPA_REPLAY_COUNTER_LEN];
- int rx_replay_counter_set;
- u8 request_counter[WPA_REPLAY_COUNTER_LEN];
-+ struct wpa_gtk gtk;
-+#ifdef CONFIG_IEEE80211W
-+ struct wpa_igtk igtk;
-+#endif /* CONFIG_IEEE80211W */
-
- struct eapol_sm *eapol; /* EAPOL state machine from upper level code */
-
---
-2.7.4
-
+++ /dev/null
-From a0d426a662997b87095c87edc1d2bdc6e1c8fd11 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Sun, 1 Oct 2017 12:12:24 +0300
-Subject: [PATCH 3/8] Extend protection of GTK/IGTK reinstallation of WNM-Sleep
- Mode cases
-
-This extends the protection to track last configured GTK/IGTK value
-separately from EAPOL-Key frames and WNM-Sleep Mode frames to cover a
-corner case where these two different mechanisms may get used when the
-GTK/IGTK has changed and tracking a single value is not sufficient to
-detect a possible key reconfiguration.
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- src/rsn_supp/wpa.c | 55 +++++++++++++++++++++++++++++++++++++---------------
- src/rsn_supp/wpa_i.h | 2 ++
- 2 files changed, 41 insertions(+), 16 deletions(-)
-
-diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
-index 5e5fb2a..3c8871d 100644
---- a/src/rsn_supp/wpa.c
-+++ b/src/rsn_supp/wpa.c
-@@ -795,14 +795,17 @@ struct wpa_gtk_data {
-
- static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
- const struct wpa_gtk_data *gd,
-- const u8 *key_rsc)
-+ const u8 *key_rsc, int wnm_sleep)
- {
- const u8 *_gtk = gd->gtk;
- u8 gtk_buf[32];
-
- /* Detect possible key reinstallation */
-- if (sm->gtk.gtk_len == (size_t) gd->gtk_len &&
-- os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) {
-+ if ((sm->gtk.gtk_len == (size_t) gd->gtk_len &&
-+ os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) ||
-+ (sm->gtk_wnm_sleep.gtk_len == (size_t) gd->gtk_len &&
-+ os_memcmp(sm->gtk_wnm_sleep.gtk, gd->gtk,
-+ sm->gtk_wnm_sleep.gtk_len) == 0)) {
- wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
- "WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)",
- gd->keyidx, gd->tx, gd->gtk_len);
-@@ -843,8 +846,14 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
- }
- os_memset(gtk_buf, 0, sizeof(gtk_buf));
-
-- sm->gtk.gtk_len = gd->gtk_len;
-- os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len);
-+ if (wnm_sleep) {
-+ sm->gtk_wnm_sleep.gtk_len = gd->gtk_len;
-+ os_memcpy(sm->gtk_wnm_sleep.gtk, gd->gtk,
-+ sm->gtk_wnm_sleep.gtk_len);
-+ } else {
-+ sm->gtk.gtk_len = gd->gtk_len;
-+ os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len);
-+ }
-
- return 0;
- }
-@@ -938,7 +947,7 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm,
- (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
- gtk_len, gtk_len,
- &gd.key_rsc_len, &gd.alg) ||
-- wpa_supplicant_install_gtk(sm, &gd, key_rsc))) {
-+ wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0))) {
- wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
- "RSN: Failed to install GTK");
- os_memset(&gd, 0, sizeof(gd));
-@@ -954,14 +963,18 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm,
-
- #ifdef CONFIG_IEEE80211W
- static int wpa_supplicant_install_igtk(struct wpa_sm *sm,
-- const struct wpa_igtk_kde *igtk)
-+ const struct wpa_igtk_kde *igtk,
-+ int wnm_sleep)
- {
- size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
- u16 keyidx = WPA_GET_LE16(igtk->keyid);
-
- /* Detect possible key reinstallation */
-- if (sm->igtk.igtk_len == len &&
-- os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) {
-+ if ((sm->igtk.igtk_len == len &&
-+ os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) ||
-+ (sm->igtk_wnm_sleep.igtk_len == len &&
-+ os_memcmp(sm->igtk_wnm_sleep.igtk, igtk->igtk,
-+ sm->igtk_wnm_sleep.igtk_len) == 0)) {
- wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
- "WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)",
- keyidx);
-@@ -986,8 +999,14 @@ static int wpa_supplicant_install_igtk(struct wpa_sm *sm,
- return -1;
- }
-
-- sm->igtk.igtk_len = len;
-- os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len);
-+ if (wnm_sleep) {
-+ sm->igtk_wnm_sleep.igtk_len = len;
-+ os_memcpy(sm->igtk_wnm_sleep.igtk, igtk->igtk,
-+ sm->igtk_wnm_sleep.igtk_len);
-+ } else {
-+ sm->igtk.igtk_len = len;
-+ os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len);
-+ }
-
- return 0;
- }
-@@ -1010,7 +1029,7 @@ static int ieee80211w_set_keys(struct wpa_sm *sm,
- return -1;
-
- igtk = (const struct wpa_igtk_kde *) ie->igtk;
-- if (wpa_supplicant_install_igtk(sm, igtk) < 0)
-+ if (wpa_supplicant_install_igtk(sm, igtk, 0) < 0)
- return -1;
- }
-
-@@ -1659,7 +1678,7 @@ static void wpa_supplicant_process_1_of_2(struct wpa_sm *sm,
- if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc))
- key_rsc = null_rsc;
-
-- if (wpa_supplicant_install_gtk(sm, &gd, key_rsc) ||
-+ if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0) ||
- wpa_supplicant_send_2_of_2(sm, key, ver, key_info) < 0)
- goto failed;
- os_memset(&gd, 0, sizeof(gd));
-@@ -2580,8 +2599,10 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
- sm->tptk_set = 0;
- os_memset(&sm->tptk, 0, sizeof(sm->tptk));
- os_memset(&sm->gtk, 0, sizeof(sm->gtk));
-+ os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep));
- #ifdef CONFIG_IEEE80211W
- os_memset(&sm->igtk, 0, sizeof(sm->igtk));
-+ os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep));
- #endif /* CONFIG_IEEE80211W */
- }
-
-@@ -3160,8 +3181,10 @@ void wpa_sm_drop_sa(struct wpa_sm *sm)
- os_memset(&sm->ptk, 0, sizeof(sm->ptk));
- os_memset(&sm->tptk, 0, sizeof(sm->tptk));
- os_memset(&sm->gtk, 0, sizeof(sm->gtk));
-+ os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep));
- #ifdef CONFIG_IEEE80211W
- os_memset(&sm->igtk, 0, sizeof(sm->igtk));
-+ os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep));
- #endif /* CONFIG_IEEE80211W */
- #ifdef CONFIG_IEEE80211R
- os_memset(sm->xxkey, 0, sizeof(sm->xxkey));
-@@ -3226,7 +3249,7 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf)
-
- wpa_hexdump_key(MSG_DEBUG, "Install GTK (WNM SLEEP)",
- gd.gtk, gd.gtk_len);
-- if (wpa_supplicant_install_gtk(sm, &gd, key_rsc)) {
-+ if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 1)) {
- os_memset(&gd, 0, sizeof(gd));
- wpa_printf(MSG_DEBUG, "Failed to install the GTK in "
- "WNM mode");
-@@ -3238,7 +3261,7 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf)
- const struct wpa_igtk_kde *igtk;
-
- igtk = (const struct wpa_igtk_kde *) (buf + 2);
-- if (wpa_supplicant_install_igtk(sm, igtk) < 0)
-+ if (wpa_supplicant_install_igtk(sm, igtk, 1) < 0)
- return -1;
- #endif /* CONFIG_IEEE80211W */
- } else {
-@@ -4132,7 +4155,7 @@ int fils_process_assoc_resp(struct wpa_sm *sm, const u8 *resp, size_t len)
- os_memcpy(gd.gtk, kde.gtk + 2, kde.gtk_len - 2);
-
- wpa_printf(MSG_DEBUG, "FILS: Set GTK to driver");
-- if (wpa_supplicant_install_gtk(sm, &gd, elems.key_delivery) < 0) {
-+ if (wpa_supplicant_install_gtk(sm, &gd, elems.key_delivery, 0) < 0) {
- wpa_printf(MSG_DEBUG, "FILS: Failed to set GTK");
- goto fail;
- }
-diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h
-index 2827ed6..156e6cb 100644
---- a/src/rsn_supp/wpa_i.h
-+++ b/src/rsn_supp/wpa_i.h
-@@ -32,8 +32,10 @@ struct wpa_sm {
- int rx_replay_counter_set;
- u8 request_counter[WPA_REPLAY_COUNTER_LEN];
- struct wpa_gtk gtk;
-+ struct wpa_gtk gtk_wnm_sleep;
- #ifdef CONFIG_IEEE80211W
- struct wpa_igtk igtk;
-+ struct wpa_igtk igtk_wnm_sleep;
- #endif /* CONFIG_IEEE80211W */
-
- struct eapol_sm *eapol; /* EAPOL state machine from upper level code */
---
-2.7.4
-
+++ /dev/null
-From 327b6d780f2667e99e9b74d4c064531c0208b22b Mon Sep 17 00:00:00 2001
-From: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
-Date: Fri, 29 Sep 2017 04:22:51 +0200
-Subject: [PATCH 4/8] Prevent installation of an all-zero TK
-
-Properly track whether a PTK has already been installed to the driver
-and the TK part cleared from memory. This prevents an attacker from
-trying to trick the client into installing an all-zero TK.
-
-This fixes the earlier fix in commit
-ad00d64e7d8827b3cebd665a0ceb08adabf15e1e ('Fix TK configuration to the
-driver in EAPOL-Key 3/4 retry case') which did not take into account
-possibility of an extra message 1/4 showing up between retries of
-message 3/4.
-
-Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
----
- src/common/wpa_common.h | 1 +
- src/rsn_supp/wpa.c | 6 +++---
- src/rsn_supp/wpa_i.h | 1 -
- 3 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/src/common/wpa_common.h b/src/common/wpa_common.h
-index 0872b12..8411686 100644
---- a/src/common/wpa_common.h
-+++ b/src/common/wpa_common.h
-@@ -219,6 +219,7 @@ struct wpa_ptk {
- size_t kck_len;
- size_t kek_len;
- size_t tk_len;
-+ int installed; /* 1 if key has already been installed to driver */
- };
-
- struct wpa_gtk {
-diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
-index 3c8871d..cf9bf1c 100644
---- a/src/rsn_supp/wpa.c
-+++ b/src/rsn_supp/wpa.c
-@@ -594,7 +594,6 @@ static void wpa_supplicant_process_1_of_4(struct wpa_sm *sm,
- os_memset(buf, 0, sizeof(buf));
- }
- sm->tptk_set = 1;
-- sm->tk_to_set = 1;
-
- kde = sm->assoc_wpa_ie;
- kde_len = sm->assoc_wpa_ie_len;
-@@ -701,7 +700,7 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm,
- enum wpa_alg alg;
- const u8 *key_rsc;
-
-- if (!sm->tk_to_set) {
-+ if (sm->ptk.installed) {
- wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
- "WPA: Do not re-install same PTK to the driver");
- return 0;
-@@ -745,7 +744,7 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm,
-
- /* TK is not needed anymore in supplicant */
- os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN);
-- sm->tk_to_set = 0;
-+ sm->ptk.installed = 1;
-
- if (sm->wpa_ptk_rekey) {
- eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
-@@ -4183,6 +4182,7 @@ int fils_process_assoc_resp(struct wpa_sm *sm, const u8 *resp, size_t len)
- * takes care of association frame encryption/decryption. */
- /* TK is not needed anymore in supplicant */
- os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN);
-+ sm->ptk.installed = 1;
-
- /* FILS HLP Container */
- fils_process_hlp_container(sm, ie_start, end - ie_start);
-diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h
-index 156e6cb..3b42245 100644
---- a/src/rsn_supp/wpa_i.h
-+++ b/src/rsn_supp/wpa_i.h
-@@ -24,7 +24,6 @@ struct wpa_sm {
- struct wpa_ptk ptk, tptk;
- int ptk_set, tptk_set;
- unsigned int msg_3_of_4_ok:1;
-- unsigned int tk_to_set:1;
- u8 snonce[WPA_NONCE_LEN];
- u8 anonce[WPA_NONCE_LEN]; /* ANonce from the last 1/4 msg */
- int renew_snonce;
---
-2.7.4
-
+++ /dev/null
-From f1800cce24e8f81e909a68fe8ef1f13abfdec9e3 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Sun, 1 Oct 2017 12:32:57 +0300
-Subject: [PATCH 5/8] Fix PTK rekeying to generate a new ANonce
-
-The Authenticator state machine path for PTK rekeying ended up bypassing
-the AUTHENTICATION2 state where a new ANonce is generated when going
-directly to the PTKSTART state since there is no need to try to
-determine the PMK again in such a case. This is far from ideal since the
-new PTK would depend on a new nonce only from the supplicant.
-
-Fix this by generating a new ANonce when moving to the PTKSTART state
-for the purpose of starting new 4-way handshake to rekey PTK.
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- src/ap/wpa_auth.c | 24 +++++++++++++++++++++---
- 1 file changed, 21 insertions(+), 3 deletions(-)
-
-diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
-index 42ef0bf..3b2f97c 100644
---- a/src/ap/wpa_auth.c
-+++ b/src/ap/wpa_auth.c
-@@ -1953,6 +1953,21 @@ SM_STATE(WPA_PTK, AUTHENTICATION2)
- }
-
-
-+static int wpa_auth_sm_ptk_update(struct wpa_state_machine *sm)
-+{
-+ if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) {
-+ wpa_printf(MSG_ERROR,
-+ "WPA: Failed to get random data for ANonce");
-+ sm->Disconnect = TRUE;
-+ return -1;
-+ }
-+ wpa_hexdump(MSG_DEBUG, "WPA: Assign new ANonce", sm->ANonce,
-+ WPA_NONCE_LEN);
-+ sm->TimeoutCtr = 0;
-+ return 0;
-+}
-+
-+
- SM_STATE(WPA_PTK, INITPMK)
- {
- u8 msk[2 * PMK_LEN];
-@@ -3129,9 +3144,12 @@ SM_STEP(WPA_PTK)
- SM_ENTER(WPA_PTK, AUTHENTICATION);
- else if (sm->ReAuthenticationRequest)
- SM_ENTER(WPA_PTK, AUTHENTICATION2);
-- else if (sm->PTKRequest)
-- SM_ENTER(WPA_PTK, PTKSTART);
-- else switch (sm->wpa_ptk_state) {
-+ else if (sm->PTKRequest) {
-+ if (wpa_auth_sm_ptk_update(sm) < 0)
-+ SM_ENTER(WPA_PTK, DISCONNECTED);
-+ else
-+ SM_ENTER(WPA_PTK, PTKSTART);
-+ } else switch (sm->wpa_ptk_state) {
- case WPA_PTK_INITIALIZE:
- break;
- case WPA_PTK_DISCONNECT:
---
-2.7.4
-
+++ /dev/null
-From 1b198fae80a4c97ecf358fe825c0488d6ac0e65e Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Fri, 22 Sep 2017 11:03:15 +0300
-Subject: [PATCH 6/8] TDLS: Reject TPK-TK reconfiguration
-
-Do not try to reconfigure the same TPK-TK to the driver after it has
-been successfully configured. This is an explicit check to avoid issues
-related to resetting the TX/RX packet number. There was already a check
-for this for TPK M2 (retries of that message are ignored completely), so
-that behavior does not get modified.
-
-For TPK M3, the TPK-TK could have been reconfigured, but that was
-followed by immediate teardown of the link due to an issue in updating
-the STA entry. Furthermore, for TDLS with any real security (i.e.,
-ignoring open/WEP), the TPK message exchange is protected on the AP path
-and simple replay attacks are not feasible.
-
-As an additional corner case, make sure the local nonce gets updated if
-the peer uses a very unlikely "random nonce" of all zeros.
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- src/rsn_supp/tdls.c | 38 ++++++++++++++++++++++++++++++++++++--
- 1 file changed, 36 insertions(+), 2 deletions(-)
-
-diff --git a/src/rsn_supp/tdls.c b/src/rsn_supp/tdls.c
-index 7c95bed..5e350ed 100644
---- a/src/rsn_supp/tdls.c
-+++ b/src/rsn_supp/tdls.c
-@@ -112,6 +112,7 @@ struct wpa_tdls_peer {
- u8 tk[16]; /* TPK-TK; assuming only CCMP will be used */
- } tpk;
- int tpk_set;
-+ int tk_set; /* TPK-TK configured to the driver */
- int tpk_success;
- int tpk_in_progress;
-
-@@ -192,6 +193,20 @@ static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
- u8 rsc[6];
- enum wpa_alg alg;
-
-+ if (peer->tk_set) {
-+ /*
-+ * This same TPK-TK has already been configured to the driver
-+ * and this new configuration attempt (likely due to an
-+ * unexpected retransmitted frame) would result in clearing
-+ * the TX/RX sequence number which can break security, so must
-+ * not allow that to happen.
-+ */
-+ wpa_printf(MSG_INFO, "TDLS: TPK-TK for the peer " MACSTR
-+ " has already been configured to the driver - do not reconfigure",
-+ MAC2STR(peer->addr));
-+ return -1;
-+ }
-+
- os_memset(rsc, 0, 6);
-
- switch (peer->cipher) {
-@@ -209,12 +224,15 @@ static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
- return -1;
- }
-
-+ wpa_printf(MSG_DEBUG, "TDLS: Configure pairwise key for peer " MACSTR,
-+ MAC2STR(peer->addr));
- if (wpa_sm_set_key(sm, alg, peer->addr, -1, 1,
- rsc, sizeof(rsc), peer->tpk.tk, key_len) < 0) {
- wpa_printf(MSG_WARNING, "TDLS: Failed to set TPK to the "
- "driver");
- return -1;
- }
-+ peer->tk_set = 1;
- return 0;
- }
-
-@@ -693,7 +711,7 @@ static void wpa_tdls_peer_clear(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
- peer->cipher = 0;
- peer->qos_info = 0;
- peer->wmm_capable = 0;
-- peer->tpk_set = peer->tpk_success = 0;
-+ peer->tk_set = peer->tpk_set = peer->tpk_success = 0;
- peer->chan_switch_enabled = 0;
- os_memset(&peer->tpk, 0, sizeof(peer->tpk));
- os_memset(peer->inonce, 0, WPA_NONCE_LEN);
-@@ -1156,6 +1174,7 @@ skip_rsnie:
- wpa_tdls_peer_free(sm, peer);
- return -1;
- }
-+ peer->tk_set = 0; /* A new nonce results in a new TK */
- wpa_hexdump(MSG_DEBUG, "TDLS: Initiator Nonce for TPK handshake",
- peer->inonce, WPA_NONCE_LEN);
- os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN);
-@@ -1749,6 +1768,19 @@ static int wpa_tdls_addset_peer(struct wpa_sm *sm, struct wpa_tdls_peer *peer,
- }
-
-
-+static int tdls_nonce_set(const u8 *nonce)
-+{
-+ int i;
-+
-+ for (i = 0; i < WPA_NONCE_LEN; i++) {
-+ if (nonce[i])
-+ return 1;
-+ }
-+
-+ return 0;
-+}
-+
-+
- static int wpa_tdls_process_tpk_m1(struct wpa_sm *sm, const u8 *src_addr,
- const u8 *buf, size_t len)
- {
-@@ -2002,7 +2034,8 @@ skip_rsn:
- peer->rsnie_i_len = kde.rsn_ie_len;
- peer->cipher = cipher;
-
-- if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) {
-+ if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0 ||
-+ !tdls_nonce_set(peer->inonce)) {
- /*
- * There is no point in updating the RNonce for every obtained
- * TPK M1 frame (e.g., retransmission due to timeout) with the
-@@ -2018,6 +2051,7 @@ skip_rsn:
- "TDLS: Failed to get random data for responder nonce");
- goto error;
- }
-+ peer->tk_set = 0; /* A new nonce results in a new TK */
- }
-
- #if 0
---
-2.7.4
-
+++ /dev/null
-From b839814391abb4f95486ef2e24eb5498267eccf5 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Fri, 22 Sep 2017 11:25:02 +0300
-Subject: [PATCH 7/8] WNM: Ignore WNM-Sleep Mode Response without pending
- request
-
-Commit 03ed0a52393710be6bdae657d1b36efa146520e5 ('WNM: Ignore WNM-Sleep
-Mode Response if WNM-Sleep Mode has not been used') started ignoring the
-response when no WNM-Sleep Mode Request had been used during the
-association. This can be made tighter by clearing the used flag when
-successfully processing a response. This adds an additional layer of
-protection against unexpected retransmissions of the response frame.
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- wpa_supplicant/wnm_sta.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/wpa_supplicant/wnm_sta.c b/wpa_supplicant/wnm_sta.c
-index 7339ed2..28346ea 100644
---- a/wpa_supplicant/wnm_sta.c
-+++ b/wpa_supplicant/wnm_sta.c
-@@ -260,7 +260,7 @@ static void ieee802_11_rx_wnmsleep_resp(struct wpa_supplicant *wpa_s,
-
- if (!wpa_s->wnmsleep_used) {
- wpa_printf(MSG_DEBUG,
-- "WNM: Ignore WNM-Sleep Mode Response frame since WNM-Sleep Mode has not been used in this association");
-+ "WNM: Ignore WNM-Sleep Mode Response frame since WNM-Sleep Mode operation has not been requested");
- return;
- }
-
-@@ -299,6 +299,8 @@ static void ieee802_11_rx_wnmsleep_resp(struct wpa_supplicant *wpa_s,
- return;
- }
-
-+ wpa_s->wnmsleep_used = 0;
-+
- if (wnmsleep_ie->status == WNM_STATUS_SLEEP_ACCEPT ||
- wnmsleep_ie->status == WNM_STATUS_SLEEP_EXIT_ACCEPT_GTK_UPDATE) {
- wpa_printf(MSG_DEBUG, "Successfully recv WNM-Sleep Response "
---
-2.7.4
-
+++ /dev/null
-From dc55ea1e483125145459ae1e55be3b95e6263302 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Fri, 22 Sep 2017 12:06:37 +0300
-Subject: [PATCH 8/8] FT: Do not allow multiple Reassociation Response frames
-
-The driver is expected to not report a second association event without
-the station having explicitly request a new association. As such, this
-case should not be reachable. However, since reconfiguring the same
-pairwise or group keys to the driver could result in nonce reuse issues,
-be extra careful here and do an additional state check to avoid this
-even if the local driver ends up somehow accepting an unexpected
-Reassociation Response frame.
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- src/rsn_supp/wpa.c | 3 +++
- src/rsn_supp/wpa_ft.c | 8 ++++++++
- src/rsn_supp/wpa_i.h | 1 +
- 3 files changed, 12 insertions(+)
-
-diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
-index cf9bf1c..ed467e6 100644
---- a/src/rsn_supp/wpa.c
-+++ b/src/rsn_supp/wpa.c
-@@ -2637,6 +2637,9 @@ void wpa_sm_notify_disassoc(struct wpa_sm *sm)
- #ifdef CONFIG_FILS
- sm->fils_completed = 0;
- #endif /* CONFIG_FILS */
-+#ifdef CONFIG_IEEE80211R
-+ sm->ft_reassoc_completed = 0;
-+#endif /* CONFIG_IEEE80211R */
-
- /* Keys are not needed in the WPA state machine anymore */
- wpa_sm_drop_sa(sm);
-diff --git a/src/rsn_supp/wpa_ft.c b/src/rsn_supp/wpa_ft.c
-index aeb7aff..1ff7afe 100644
---- a/src/rsn_supp/wpa_ft.c
-+++ b/src/rsn_supp/wpa_ft.c
-@@ -153,6 +153,7 @@ static u8 * wpa_ft_gen_req_ies(struct wpa_sm *sm, size_t *len,
- u16 capab;
-
- sm->ft_completed = 0;
-+ sm->ft_reassoc_completed = 0;
-
- buf_len = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) +
- 2 + sm->r0kh_id_len + ric_ies_len + 100;
-@@ -687,6 +688,11 @@ int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies,
- return -1;
- }
-
-+ if (sm->ft_reassoc_completed) {
-+ wpa_printf(MSG_DEBUG, "FT: Reassociation has already been completed for this FT protocol instance - ignore unexpected retransmission");
-+ return 0;
-+ }
-+
- if (wpa_ft_parse_ies(ies, ies_len, &parse) < 0) {
- wpa_printf(MSG_DEBUG, "FT: Failed to parse IEs");
- return -1;
-@@ -787,6 +793,8 @@ int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies,
- return -1;
- }
-
-+ sm->ft_reassoc_completed = 1;
-+
- if (wpa_ft_process_gtk_subelem(sm, parse.gtk, parse.gtk_len) < 0)
- return -1;
-
-diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h
-index 3b42245..148c654 100644
---- a/src/rsn_supp/wpa_i.h
-+++ b/src/rsn_supp/wpa_i.h
-@@ -128,6 +128,7 @@ struct wpa_sm {
- size_t r0kh_id_len;
- u8 r1kh_id[FT_R1KH_ID_LEN];
- int ft_completed;
-+ int ft_reassoc_completed;
- int over_the_ds_in_progress;
- u8 target_ap[ETH_ALEN]; /* over-the-DS target AP */
- int set_ptk_after_assoc;
---
-2.7.4
-
+++ /dev/null
-From cf4cab804c7afd5c45505528a8d16e46163243a2 Mon Sep 17 00:00:00 2001
-From: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
-Date: Fri, 14 Jul 2017 15:15:35 +0200
-Subject: [PATCH 1/8] hostapd: Avoid key reinstallation in FT handshake
-
-Do not reinstall TK to the driver during Reassociation Response frame
-processing if the first attempt of setting the TK succeeded. This avoids
-issues related to clearing the TX/RX PN that could result in reusing
-same PN values for transmitted frames (e.g., due to CCM nonce reuse and
-also hitting replay protection on the receiver) and accepting replayed
-frames on RX side.
-
-This issue was introduced by the commit
-0e84c25434e6a1f283c7b4e62e483729085b78d2 ('FT: Fix PTK configuration in
-authenticator') which allowed wpa_ft_install_ptk() to be called multiple
-times with the same PTK. While the second configuration attempt is
-needed with some drivers, it must be done only if the first attempt
-failed.
-
-Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
----
- src/ap/ieee802_11.c | 16 +++++++++++++---
- src/ap/wpa_auth.c | 11 +++++++++++
- src/ap/wpa_auth.h | 3 ++-
- src/ap/wpa_auth_ft.c | 10 ++++++++++
- src/ap/wpa_auth_i.h | 1 +
- 5 files changed, 37 insertions(+), 4 deletions(-)
-
-diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
-index 4e04169..333035f 100644
---- a/src/ap/ieee802_11.c
-+++ b/src/ap/ieee802_11.c
-@@ -1841,6 +1841,7 @@ static int add_associated_sta(struct hostapd_data *hapd,
- {
- struct ieee80211_ht_capabilities ht_cap;
- struct ieee80211_vht_capabilities vht_cap;
-+ int set = 1;
-
- /*
- * Remove the STA entry to ensure the STA PS state gets cleared and
-@@ -1848,9 +1849,18 @@ static int add_associated_sta(struct hostapd_data *hapd,
- * FT-over-the-DS, where a station re-associates back to the same AP but
- * skips the authentication flow, or if working with a driver that
- * does not support full AP client state.
-+ *
-+ * Skip this if the STA has already completed FT reassociation and the
-+ * TK has been configured since the TX/RX PN must not be reset to 0 for
-+ * the same key.
- */
-- if (!sta->added_unassoc)
-+ if (!sta->added_unassoc &&
-+ (!(sta->flags & WLAN_STA_AUTHORIZED) ||
-+ !wpa_auth_sta_ft_tk_already_set(sta->wpa_sm))) {
- hostapd_drv_sta_remove(hapd, sta->addr);
-+ wpa_auth_sm_event(sta->wpa_sm, WPA_DRV_STA_REMOVED);
-+ set = 0;
-+ }
-
- #ifdef CONFIG_IEEE80211N
- if (sta->flags & WLAN_STA_HT)
-@@ -1873,11 +1883,11 @@ static int add_associated_sta(struct hostapd_data *hapd,
- sta->flags & WLAN_STA_VHT ? &vht_cap : NULL,
- sta->flags | WLAN_STA_ASSOC, sta->qosinfo,
- sta->vht_opmode, sta->p2p_ie ? 1 : 0,
-- sta->added_unassoc)) {
-+ set)) {
- hostapd_logger(hapd, sta->addr,
- HOSTAPD_MODULE_IEEE80211, HOSTAPD_LEVEL_NOTICE,
- "Could not %s STA to kernel driver",
-- sta->added_unassoc ? "set" : "add");
-+ set ? "set" : "add");
-
- if (sta->added_unassoc) {
- hostapd_drv_sta_remove(hapd, sta->addr);
-diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
-index 3587086..707971d 100644
---- a/src/ap/wpa_auth.c
-+++ b/src/ap/wpa_auth.c
-@@ -1745,6 +1745,9 @@ int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event)
- #else /* CONFIG_IEEE80211R */
- break;
- #endif /* CONFIG_IEEE80211R */
-+ case WPA_DRV_STA_REMOVED:
-+ sm->tk_already_set = FALSE;
-+ return 0;
- }
-
- #ifdef CONFIG_IEEE80211R
-@@ -3250,6 +3253,14 @@ int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm)
- }
-
-
-+int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm)
-+{
-+ if (!sm || !wpa_key_mgmt_ft(sm->wpa_key_mgmt))
-+ return 0;
-+ return sm->tk_already_set;
-+}
-+
-+
- int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm,
- struct rsn_pmksa_cache_entry *entry)
- {
-diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h
-index 0de8d97..97461b0 100644
---- a/src/ap/wpa_auth.h
-+++ b/src/ap/wpa_auth.h
-@@ -267,7 +267,7 @@ void wpa_receive(struct wpa_authenticator *wpa_auth,
- u8 *data, size_t data_len);
- enum wpa_event {
- WPA_AUTH, WPA_ASSOC, WPA_DISASSOC, WPA_DEAUTH, WPA_REAUTH,
-- WPA_REAUTH_EAPOL, WPA_ASSOC_FT
-+ WPA_REAUTH_EAPOL, WPA_ASSOC_FT, WPA_DRV_STA_REMOVED
- };
- void wpa_remove_ptk(struct wpa_state_machine *sm);
- int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event);
-@@ -280,6 +280,7 @@ int wpa_auth_pairwise_set(struct wpa_state_machine *sm);
- int wpa_auth_get_pairwise(struct wpa_state_machine *sm);
- int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm);
- int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm);
-+int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm);
- int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm,
- struct rsn_pmksa_cache_entry *entry);
- struct rsn_pmksa_cache_entry *
-diff --git a/src/ap/wpa_auth_ft.c b/src/ap/wpa_auth_ft.c
-index 42242a5..e63b99a 100644
---- a/src/ap/wpa_auth_ft.c
-+++ b/src/ap/wpa_auth_ft.c
-@@ -780,6 +780,14 @@ void wpa_ft_install_ptk(struct wpa_state_machine *sm)
- return;
- }
-
-+ if (sm->tk_already_set) {
-+ /* Must avoid TK reconfiguration to prevent clearing of TX/RX
-+ * PN in the driver */
-+ wpa_printf(MSG_DEBUG,
-+ "FT: Do not re-install same PTK to the driver");
-+ return;
-+ }
-+
- /* FIX: add STA entry to kernel/driver here? The set_key will fail
- * most likely without this.. At the moment, STA entry is added only
- * after association has been completed. This function will be called
-@@ -792,6 +800,7 @@ void wpa_ft_install_ptk(struct wpa_state_machine *sm)
-
- /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */
- sm->pairwise_set = TRUE;
-+ sm->tk_already_set = TRUE;
- }
-
-
-@@ -898,6 +907,7 @@ static int wpa_ft_process_auth_req(struct wpa_state_machine *sm,
-
- sm->pairwise = pairwise;
- sm->PTK_valid = TRUE;
-+ sm->tk_already_set = FALSE;
- wpa_ft_install_ptk(sm);
-
- buflen = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) +
-diff --git a/src/ap/wpa_auth_i.h b/src/ap/wpa_auth_i.h
-index 72b7eb3..7fd8f05 100644
---- a/src/ap/wpa_auth_i.h
-+++ b/src/ap/wpa_auth_i.h
-@@ -65,6 +65,7 @@ struct wpa_state_machine {
- struct wpa_ptk PTK;
- Boolean PTK_valid;
- Boolean pairwise_set;
-+ Boolean tk_already_set;
- int keycount;
- Boolean Pair;
- struct wpa_key_replay_counter {
---
-2.7.4
-
+++ /dev/null
-From 927f891007c402fefd1ff384645b3f07597c3ede Mon Sep 17 00:00:00 2001
-From: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
-Date: Wed, 12 Jul 2017 16:03:24 +0200
-Subject: [PATCH 2/8] Prevent reinstallation of an already in-use group key
-
-Track the current GTK and IGTK that is in use and when receiving a
-(possibly retransmitted) Group Message 1 or WNM-Sleep Mode Response, do
-not install the given key if it is already in use. This prevents an
-attacker from trying to trick the client into resetting or lowering the
-sequence counter associated to the group key.
-
-Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
----
- src/common/wpa_common.h | 11 +++++
- src/rsn_supp/wpa.c | 116 ++++++++++++++++++++++++++++++------------------
- src/rsn_supp/wpa_i.h | 4 ++
- 3 files changed, 87 insertions(+), 44 deletions(-)
-
-diff --git a/src/common/wpa_common.h b/src/common/wpa_common.h
-index af1d0f0..d200285 100644
---- a/src/common/wpa_common.h
-+++ b/src/common/wpa_common.h
-@@ -217,6 +217,17 @@ struct wpa_ptk {
- size_t tk_len;
- };
-
-+struct wpa_gtk {
-+ u8 gtk[WPA_GTK_MAX_LEN];
-+ size_t gtk_len;
-+};
-+
-+#ifdef CONFIG_IEEE80211W
-+struct wpa_igtk {
-+ u8 igtk[WPA_IGTK_MAX_LEN];
-+ size_t igtk_len;
-+};
-+#endif /* CONFIG_IEEE80211W */
-
- /* WPA IE version 1
- * 00-50-f2:1 (OUI:OUI type)
-diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
-index 3c47879..95bd7be 100644
---- a/src/rsn_supp/wpa.c
-+++ b/src/rsn_supp/wpa.c
-@@ -714,6 +714,15 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
- const u8 *_gtk = gd->gtk;
- u8 gtk_buf[32];
-
-+ /* Detect possible key reinstallation */
-+ if (sm->gtk.gtk_len == (size_t) gd->gtk_len &&
-+ os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) {
-+ wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
-+ "WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)",
-+ gd->keyidx, gd->tx, gd->gtk_len);
-+ return 0;
-+ }
-+
- wpa_hexdump_key(MSG_DEBUG, "WPA: Group Key", gd->gtk, gd->gtk_len);
- wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
- "WPA: Installing GTK to the driver (keyidx=%d tx=%d len=%d)",
-@@ -748,6 +757,9 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
- }
- os_memset(gtk_buf, 0, sizeof(gtk_buf));
-
-+ sm->gtk.gtk_len = gd->gtk_len;
-+ os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len);
-+
- return 0;
- }
-
-@@ -854,6 +866,48 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm,
- }
-
-
-+#ifdef CONFIG_IEEE80211W
-+static int wpa_supplicant_install_igtk(struct wpa_sm *sm,
-+ const struct wpa_igtk_kde *igtk)
-+{
-+ size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
-+ u16 keyidx = WPA_GET_LE16(igtk->keyid);
-+
-+ /* Detect possible key reinstallation */
-+ if (sm->igtk.igtk_len == len &&
-+ os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) {
-+ wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
-+ "WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)",
-+ keyidx);
-+ return 0;
-+ }
-+
-+ wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
-+ "WPA: IGTK keyid %d pn %02x%02x%02x%02x%02x%02x",
-+ keyidx, MAC2STR(igtk->pn));
-+ wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK", igtk->igtk, len);
-+ if (keyidx > 4095) {
-+ wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
-+ "WPA: Invalid IGTK KeyID %d", keyidx);
-+ return -1;
-+ }
-+ if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher),
-+ broadcast_ether_addr,
-+ keyidx, 0, igtk->pn, sizeof(igtk->pn),
-+ igtk->igtk, len) < 0) {
-+ wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
-+ "WPA: Failed to configure IGTK to the driver");
-+ return -1;
-+ }
-+
-+ sm->igtk.igtk_len = len;
-+ os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len);
-+
-+ return 0;
-+}
-+#endif /* CONFIG_IEEE80211W */
-+
-+
- static int ieee80211w_set_keys(struct wpa_sm *sm,
- struct wpa_eapol_ie_parse *ie)
- {
-@@ -864,30 +918,14 @@ static int ieee80211w_set_keys(struct wpa_sm *sm,
- if (ie->igtk) {
- size_t len;
- const struct wpa_igtk_kde *igtk;
-- u16 keyidx;
-+
- len = wpa_cipher_key_len(sm->mgmt_group_cipher);
- if (ie->igtk_len != WPA_IGTK_KDE_PREFIX_LEN + len)
- return -1;
-+
- igtk = (const struct wpa_igtk_kde *) ie->igtk;
-- keyidx = WPA_GET_LE16(igtk->keyid);
-- wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: IGTK keyid %d "
-- "pn %02x%02x%02x%02x%02x%02x",
-- keyidx, MAC2STR(igtk->pn));
-- wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK",
-- igtk->igtk, len);
-- if (keyidx > 4095) {
-- wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
-- "WPA: Invalid IGTK KeyID %d", keyidx);
-- return -1;
-- }
-- if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher),
-- broadcast_ether_addr,
-- keyidx, 0, igtk->pn, sizeof(igtk->pn),
-- igtk->igtk, len) < 0) {
-- wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
-- "WPA: Failed to configure IGTK to the driver");
-+ if (wpa_supplicant_install_igtk(sm, igtk) < 0)
- return -1;
-- }
- }
-
- return 0;
-@@ -2307,7 +2345,7 @@ void wpa_sm_deinit(struct wpa_sm *sm)
- */
- void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
- {
-- int clear_ptk = 1;
-+ int clear_keys = 1;
-
- if (sm == NULL)
- return;
-@@ -2333,11 +2371,11 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
- /* Prepare for the next transition */
- wpa_ft_prepare_auth_request(sm, NULL);
-
-- clear_ptk = 0;
-+ clear_keys = 0;
- }
- #endif /* CONFIG_IEEE80211R */
-
-- if (clear_ptk) {
-+ if (clear_keys) {
- /*
- * IEEE 802.11, 8.4.10: Delete PTK SA on (re)association if
- * this is not part of a Fast BSS Transition.
-@@ -2347,6 +2385,10 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
- os_memset(&sm->ptk, 0, sizeof(sm->ptk));
- sm->tptk_set = 0;
- os_memset(&sm->tptk, 0, sizeof(sm->tptk));
-+ os_memset(&sm->gtk, 0, sizeof(sm->gtk));
-+#ifdef CONFIG_IEEE80211W
-+ os_memset(&sm->igtk, 0, sizeof(sm->igtk));
-+#endif /* CONFIG_IEEE80211W */
- }
-
- #ifdef CONFIG_TDLS
-@@ -2877,6 +2919,10 @@ void wpa_sm_drop_sa(struct wpa_sm *sm)
- os_memset(sm->pmk, 0, sizeof(sm->pmk));
- os_memset(&sm->ptk, 0, sizeof(sm->ptk));
- os_memset(&sm->tptk, 0, sizeof(sm->tptk));
-+ os_memset(&sm->gtk, 0, sizeof(sm->gtk));
-+#ifdef CONFIG_IEEE80211W
-+ os_memset(&sm->igtk, 0, sizeof(sm->igtk));
-+#endif /* CONFIG_IEEE80211W */
- #ifdef CONFIG_IEEE80211R
- os_memset(sm->xxkey, 0, sizeof(sm->xxkey));
- os_memset(sm->pmk_r0, 0, sizeof(sm->pmk_r0));
-@@ -2949,29 +2995,11 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf)
- os_memset(&gd, 0, sizeof(gd));
- #ifdef CONFIG_IEEE80211W
- } else if (subelem_id == WNM_SLEEP_SUBELEM_IGTK) {
-- struct wpa_igtk_kde igd;
-- u16 keyidx;
--
-- os_memset(&igd, 0, sizeof(igd));
-- keylen = wpa_cipher_key_len(sm->mgmt_group_cipher);
-- os_memcpy(igd.keyid, buf + 2, 2);
-- os_memcpy(igd.pn, buf + 4, 6);
--
-- keyidx = WPA_GET_LE16(igd.keyid);
-- os_memcpy(igd.igtk, buf + 10, keylen);
--
-- wpa_hexdump_key(MSG_DEBUG, "Install IGTK (WNM SLEEP)",
-- igd.igtk, keylen);
-- if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher),
-- broadcast_ether_addr,
-- keyidx, 0, igd.pn, sizeof(igd.pn),
-- igd.igtk, keylen) < 0) {
-- wpa_printf(MSG_DEBUG, "Failed to install the IGTK in "
-- "WNM mode");
-- os_memset(&igd, 0, sizeof(igd));
-+ const struct wpa_igtk_kde *igtk;
-+
-+ igtk = (const struct wpa_igtk_kde *) (buf + 2);
-+ if (wpa_supplicant_install_igtk(sm, igtk) < 0)
- return -1;
-- }
-- os_memset(&igd, 0, sizeof(igd));
- #endif /* CONFIG_IEEE80211W */
- } else {
- wpa_printf(MSG_DEBUG, "Unknown element id");
-diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h
-index f653ba6..afc9e37 100644
---- a/src/rsn_supp/wpa_i.h
-+++ b/src/rsn_supp/wpa_i.h
-@@ -31,6 +31,10 @@ struct wpa_sm {
- u8 rx_replay_counter[WPA_REPLAY_COUNTER_LEN];
- int rx_replay_counter_set;
- u8 request_counter[WPA_REPLAY_COUNTER_LEN];
-+ struct wpa_gtk gtk;
-+#ifdef CONFIG_IEEE80211W
-+ struct wpa_igtk igtk;
-+#endif /* CONFIG_IEEE80211W */
-
- struct eapol_sm *eapol; /* EAPOL state machine from upper level code */
-
---
-2.7.4
-
+++ /dev/null
-From 8280294e74846ea342389a0cd17215050fa5afe8 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Sun, 1 Oct 2017 12:12:24 +0300
-Subject: [PATCH 3/8] Extend protection of GTK/IGTK reinstallation of WNM-Sleep
- Mode cases
-
-This extends the protection to track last configured GTK/IGTK value
-separately from EAPOL-Key frames and WNM-Sleep Mode frames to cover a
-corner case where these two different mechanisms may get used when the
-GTK/IGTK has changed and tracking a single value is not sufficient to
-detect a possible key reconfiguration.
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- src/rsn_supp/wpa.c | 53 +++++++++++++++++++++++++++++++++++++---------------
- src/rsn_supp/wpa_i.h | 2 ++
- 2 files changed, 40 insertions(+), 15 deletions(-)
-
-diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
-index 95bd7be..7a2c68d 100644
---- a/src/rsn_supp/wpa.c
-+++ b/src/rsn_supp/wpa.c
-@@ -709,14 +709,17 @@ struct wpa_gtk_data {
-
- static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
- const struct wpa_gtk_data *gd,
-- const u8 *key_rsc)
-+ const u8 *key_rsc, int wnm_sleep)
- {
- const u8 *_gtk = gd->gtk;
- u8 gtk_buf[32];
-
- /* Detect possible key reinstallation */
-- if (sm->gtk.gtk_len == (size_t) gd->gtk_len &&
-- os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) {
-+ if ((sm->gtk.gtk_len == (size_t) gd->gtk_len &&
-+ os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) ||
-+ (sm->gtk_wnm_sleep.gtk_len == (size_t) gd->gtk_len &&
-+ os_memcmp(sm->gtk_wnm_sleep.gtk, gd->gtk,
-+ sm->gtk_wnm_sleep.gtk_len) == 0)) {
- wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
- "WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)",
- gd->keyidx, gd->tx, gd->gtk_len);
-@@ -757,8 +760,14 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
- }
- os_memset(gtk_buf, 0, sizeof(gtk_buf));
-
-- sm->gtk.gtk_len = gd->gtk_len;
-- os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len);
-+ if (wnm_sleep) {
-+ sm->gtk_wnm_sleep.gtk_len = gd->gtk_len;
-+ os_memcpy(sm->gtk_wnm_sleep.gtk, gd->gtk,
-+ sm->gtk_wnm_sleep.gtk_len);
-+ } else {
-+ sm->gtk.gtk_len = gd->gtk_len;
-+ os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len);
-+ }
-
- return 0;
- }
-@@ -852,7 +861,7 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm,
- (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
- gtk_len, gtk_len,
- &gd.key_rsc_len, &gd.alg) ||
-- wpa_supplicant_install_gtk(sm, &gd, key_rsc))) {
-+ wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0))) {
- wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
- "RSN: Failed to install GTK");
- os_memset(&gd, 0, sizeof(gd));
-@@ -868,14 +877,18 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm,
-
- #ifdef CONFIG_IEEE80211W
- static int wpa_supplicant_install_igtk(struct wpa_sm *sm,
-- const struct wpa_igtk_kde *igtk)
-+ const struct wpa_igtk_kde *igtk,
-+ int wnm_sleep)
- {
- size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
- u16 keyidx = WPA_GET_LE16(igtk->keyid);
-
- /* Detect possible key reinstallation */
-- if (sm->igtk.igtk_len == len &&
-- os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) {
-+ if ((sm->igtk.igtk_len == len &&
-+ os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) ||
-+ (sm->igtk_wnm_sleep.igtk_len == len &&
-+ os_memcmp(sm->igtk_wnm_sleep.igtk, igtk->igtk,
-+ sm->igtk_wnm_sleep.igtk_len) == 0)) {
- wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
- "WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)",
- keyidx);
-@@ -900,8 +913,14 @@ static int wpa_supplicant_install_igtk(struct wpa_sm *sm,
- return -1;
- }
-
-- sm->igtk.igtk_len = len;
-- os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len);
-+ if (wnm_sleep) {
-+ sm->igtk_wnm_sleep.igtk_len = len;
-+ os_memcpy(sm->igtk_wnm_sleep.igtk, igtk->igtk,
-+ sm->igtk_wnm_sleep.igtk_len);
-+ } else {
-+ sm->igtk.igtk_len = len;
-+ os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len);
-+ }
-
- return 0;
- }
-@@ -924,7 +943,7 @@ static int ieee80211w_set_keys(struct wpa_sm *sm,
- return -1;
-
- igtk = (const struct wpa_igtk_kde *) ie->igtk;
-- if (wpa_supplicant_install_igtk(sm, igtk) < 0)
-+ if (wpa_supplicant_install_igtk(sm, igtk, 0) < 0)
- return -1;
- }
-
-@@ -1574,7 +1593,7 @@ static void wpa_supplicant_process_1_of_2(struct wpa_sm *sm,
- if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc))
- key_rsc = null_rsc;
-
-- if (wpa_supplicant_install_gtk(sm, &gd, key_rsc) ||
-+ if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0) ||
- wpa_supplicant_send_2_of_2(sm, key, ver, key_info) < 0)
- goto failed;
- os_memset(&gd, 0, sizeof(gd));
-@@ -2386,8 +2405,10 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
- sm->tptk_set = 0;
- os_memset(&sm->tptk, 0, sizeof(sm->tptk));
- os_memset(&sm->gtk, 0, sizeof(sm->gtk));
-+ os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep));
- #ifdef CONFIG_IEEE80211W
- os_memset(&sm->igtk, 0, sizeof(sm->igtk));
-+ os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep));
- #endif /* CONFIG_IEEE80211W */
- }
-
-@@ -2920,8 +2941,10 @@ void wpa_sm_drop_sa(struct wpa_sm *sm)
- os_memset(&sm->ptk, 0, sizeof(sm->ptk));
- os_memset(&sm->tptk, 0, sizeof(sm->tptk));
- os_memset(&sm->gtk, 0, sizeof(sm->gtk));
-+ os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep));
- #ifdef CONFIG_IEEE80211W
- os_memset(&sm->igtk, 0, sizeof(sm->igtk));
-+ os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep));
- #endif /* CONFIG_IEEE80211W */
- #ifdef CONFIG_IEEE80211R
- os_memset(sm->xxkey, 0, sizeof(sm->xxkey));
-@@ -2986,7 +3009,7 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf)
-
- wpa_hexdump_key(MSG_DEBUG, "Install GTK (WNM SLEEP)",
- gd.gtk, gd.gtk_len);
-- if (wpa_supplicant_install_gtk(sm, &gd, key_rsc)) {
-+ if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 1)) {
- os_memset(&gd, 0, sizeof(gd));
- wpa_printf(MSG_DEBUG, "Failed to install the GTK in "
- "WNM mode");
-@@ -2998,7 +3021,7 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf)
- const struct wpa_igtk_kde *igtk;
-
- igtk = (const struct wpa_igtk_kde *) (buf + 2);
-- if (wpa_supplicant_install_igtk(sm, igtk) < 0)
-+ if (wpa_supplicant_install_igtk(sm, igtk, 1) < 0)
- return -1;
- #endif /* CONFIG_IEEE80211W */
- } else {
-diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h
-index afc9e37..9a54631 100644
---- a/src/rsn_supp/wpa_i.h
-+++ b/src/rsn_supp/wpa_i.h
-@@ -32,8 +32,10 @@ struct wpa_sm {
- int rx_replay_counter_set;
- u8 request_counter[WPA_REPLAY_COUNTER_LEN];
- struct wpa_gtk gtk;
-+ struct wpa_gtk gtk_wnm_sleep;
- #ifdef CONFIG_IEEE80211W
- struct wpa_igtk igtk;
-+ struct wpa_igtk igtk_wnm_sleep;
- #endif /* CONFIG_IEEE80211W */
-
- struct eapol_sm *eapol; /* EAPOL state machine from upper level code */
---
-2.7.4
-
+++ /dev/null
-From 8f82bc94e8697a9d47fa8774dfdaaede1084912c Mon Sep 17 00:00:00 2001
-From: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
-Date: Fri, 29 Sep 2017 04:22:51 +0200
-Subject: [PATCH 4/8] Prevent installation of an all-zero TK
-
-Properly track whether a PTK has already been installed to the driver
-and the TK part cleared from memory. This prevents an attacker from
-trying to trick the client into installing an all-zero TK.
-
-This fixes the earlier fix in commit
-ad00d64e7d8827b3cebd665a0ceb08adabf15e1e ('Fix TK configuration to the
-driver in EAPOL-Key 3/4 retry case') which did not take into account
-possibility of an extra message 1/4 showing up between retries of
-message 3/4.
-
-Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
----
- src/common/wpa_common.h | 1 +
- src/rsn_supp/wpa.c | 5 ++---
- src/rsn_supp/wpa_i.h | 1 -
- 3 files changed, 3 insertions(+), 4 deletions(-)
-
-diff --git a/src/common/wpa_common.h b/src/common/wpa_common.h
-index d200285..1021ccb 100644
---- a/src/common/wpa_common.h
-+++ b/src/common/wpa_common.h
-@@ -215,6 +215,7 @@ struct wpa_ptk {
- size_t kck_len;
- size_t kek_len;
- size_t tk_len;
-+ int installed; /* 1 if key has already been installed to driver */
- };
-
- struct wpa_gtk {
-diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
-index 7a2c68d..0550a41 100644
---- a/src/rsn_supp/wpa.c
-+++ b/src/rsn_supp/wpa.c
-@@ -510,7 +510,6 @@ static void wpa_supplicant_process_1_of_4(struct wpa_sm *sm,
- os_memset(buf, 0, sizeof(buf));
- }
- sm->tptk_set = 1;
-- sm->tk_to_set = 1;
-
- kde = sm->assoc_wpa_ie;
- kde_len = sm->assoc_wpa_ie_len;
-@@ -615,7 +614,7 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm,
- enum wpa_alg alg;
- const u8 *key_rsc;
-
-- if (!sm->tk_to_set) {
-+ if (sm->ptk.installed) {
- wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
- "WPA: Do not re-install same PTK to the driver");
- return 0;
-@@ -659,7 +658,7 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm,
-
- /* TK is not needed anymore in supplicant */
- os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN);
-- sm->tk_to_set = 0;
-+ sm->ptk.installed = 1;
-
- if (sm->wpa_ptk_rekey) {
- eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
-diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h
-index 9a54631..41f371f 100644
---- a/src/rsn_supp/wpa_i.h
-+++ b/src/rsn_supp/wpa_i.h
-@@ -24,7 +24,6 @@ struct wpa_sm {
- struct wpa_ptk ptk, tptk;
- int ptk_set, tptk_set;
- unsigned int msg_3_of_4_ok:1;
-- unsigned int tk_to_set:1;
- u8 snonce[WPA_NONCE_LEN];
- u8 anonce[WPA_NONCE_LEN]; /* ANonce from the last 1/4 msg */
- int renew_snonce;
---
-2.7.4
-
+++ /dev/null
-From 12fac09b437a1dc8a0f253e265934a8aaf4d2f8b Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Sun, 1 Oct 2017 12:32:57 +0300
-Subject: [PATCH 5/8] Fix PTK rekeying to generate a new ANonce
-
-The Authenticator state machine path for PTK rekeying ended up bypassing
-the AUTHENTICATION2 state where a new ANonce is generated when going
-directly to the PTKSTART state since there is no need to try to
-determine the PMK again in such a case. This is far from ideal since the
-new PTK would depend on a new nonce only from the supplicant.
-
-Fix this by generating a new ANonce when moving to the PTKSTART state
-for the purpose of starting new 4-way handshake to rekey PTK.
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- src/ap/wpa_auth.c | 24 +++++++++++++++++++++---
- 1 file changed, 21 insertions(+), 3 deletions(-)
-
-diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
-index 707971d..bf10cc1 100644
---- a/src/ap/wpa_auth.c
-+++ b/src/ap/wpa_auth.c
-@@ -1901,6 +1901,21 @@ SM_STATE(WPA_PTK, AUTHENTICATION2)
- }
-
-
-+static int wpa_auth_sm_ptk_update(struct wpa_state_machine *sm)
-+{
-+ if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) {
-+ wpa_printf(MSG_ERROR,
-+ "WPA: Failed to get random data for ANonce");
-+ sm->Disconnect = TRUE;
-+ return -1;
-+ }
-+ wpa_hexdump(MSG_DEBUG, "WPA: Assign new ANonce", sm->ANonce,
-+ WPA_NONCE_LEN);
-+ sm->TimeoutCtr = 0;
-+ return 0;
-+}
-+
-+
- SM_STATE(WPA_PTK, INITPMK)
- {
- u8 msk[2 * PMK_LEN];
-@@ -2458,9 +2473,12 @@ SM_STEP(WPA_PTK)
- SM_ENTER(WPA_PTK, AUTHENTICATION);
- else if (sm->ReAuthenticationRequest)
- SM_ENTER(WPA_PTK, AUTHENTICATION2);
-- else if (sm->PTKRequest)
-- SM_ENTER(WPA_PTK, PTKSTART);
-- else switch (sm->wpa_ptk_state) {
-+ else if (sm->PTKRequest) {
-+ if (wpa_auth_sm_ptk_update(sm) < 0)
-+ SM_ENTER(WPA_PTK, DISCONNECTED);
-+ else
-+ SM_ENTER(WPA_PTK, PTKSTART);
-+ } else switch (sm->wpa_ptk_state) {
- case WPA_PTK_INITIALIZE:
- break;
- case WPA_PTK_DISCONNECT:
---
-2.7.4
-
+++ /dev/null
-From 6c4bed4f47d1960ec04981a9d50e5076aea5223d Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Fri, 22 Sep 2017 11:03:15 +0300
-Subject: [PATCH 6/8] TDLS: Reject TPK-TK reconfiguration
-
-Do not try to reconfigure the same TPK-TK to the driver after it has
-been successfully configured. This is an explicit check to avoid issues
-related to resetting the TX/RX packet number. There was already a check
-for this for TPK M2 (retries of that message are ignored completely), so
-that behavior does not get modified.
-
-For TPK M3, the TPK-TK could have been reconfigured, but that was
-followed by immediate teardown of the link due to an issue in updating
-the STA entry. Furthermore, for TDLS with any real security (i.e.,
-ignoring open/WEP), the TPK message exchange is protected on the AP path
-and simple replay attacks are not feasible.
-
-As an additional corner case, make sure the local nonce gets updated if
-the peer uses a very unlikely "random nonce" of all zeros.
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- src/rsn_supp/tdls.c | 38 ++++++++++++++++++++++++++++++++++++--
- 1 file changed, 36 insertions(+), 2 deletions(-)
-
-diff --git a/src/rsn_supp/tdls.c b/src/rsn_supp/tdls.c
-index e424168..9eb9738 100644
---- a/src/rsn_supp/tdls.c
-+++ b/src/rsn_supp/tdls.c
-@@ -112,6 +112,7 @@ struct wpa_tdls_peer {
- u8 tk[16]; /* TPK-TK; assuming only CCMP will be used */
- } tpk;
- int tpk_set;
-+ int tk_set; /* TPK-TK configured to the driver */
- int tpk_success;
- int tpk_in_progress;
-
-@@ -192,6 +193,20 @@ static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
- u8 rsc[6];
- enum wpa_alg alg;
-
-+ if (peer->tk_set) {
-+ /*
-+ * This same TPK-TK has already been configured to the driver
-+ * and this new configuration attempt (likely due to an
-+ * unexpected retransmitted frame) would result in clearing
-+ * the TX/RX sequence number which can break security, so must
-+ * not allow that to happen.
-+ */
-+ wpa_printf(MSG_INFO, "TDLS: TPK-TK for the peer " MACSTR
-+ " has already been configured to the driver - do not reconfigure",
-+ MAC2STR(peer->addr));
-+ return -1;
-+ }
-+
- os_memset(rsc, 0, 6);
-
- switch (peer->cipher) {
-@@ -209,12 +224,15 @@ static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
- return -1;
- }
-
-+ wpa_printf(MSG_DEBUG, "TDLS: Configure pairwise key for peer " MACSTR,
-+ MAC2STR(peer->addr));
- if (wpa_sm_set_key(sm, alg, peer->addr, -1, 1,
- rsc, sizeof(rsc), peer->tpk.tk, key_len) < 0) {
- wpa_printf(MSG_WARNING, "TDLS: Failed to set TPK to the "
- "driver");
- return -1;
- }
-+ peer->tk_set = 1;
- return 0;
- }
-
-@@ -696,7 +714,7 @@ static void wpa_tdls_peer_clear(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
- peer->cipher = 0;
- peer->qos_info = 0;
- peer->wmm_capable = 0;
-- peer->tpk_set = peer->tpk_success = 0;
-+ peer->tk_set = peer->tpk_set = peer->tpk_success = 0;
- peer->chan_switch_enabled = 0;
- os_memset(&peer->tpk, 0, sizeof(peer->tpk));
- os_memset(peer->inonce, 0, WPA_NONCE_LEN);
-@@ -1159,6 +1177,7 @@ skip_rsnie:
- wpa_tdls_peer_free(sm, peer);
- return -1;
- }
-+ peer->tk_set = 0; /* A new nonce results in a new TK */
- wpa_hexdump(MSG_DEBUG, "TDLS: Initiator Nonce for TPK handshake",
- peer->inonce, WPA_NONCE_LEN);
- os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN);
-@@ -1751,6 +1770,19 @@ static int wpa_tdls_addset_peer(struct wpa_sm *sm, struct wpa_tdls_peer *peer,
- }
-
-
-+static int tdls_nonce_set(const u8 *nonce)
-+{
-+ int i;
-+
-+ for (i = 0; i < WPA_NONCE_LEN; i++) {
-+ if (nonce[i])
-+ return 1;
-+ }
-+
-+ return 0;
-+}
-+
-+
- static int wpa_tdls_process_tpk_m1(struct wpa_sm *sm, const u8 *src_addr,
- const u8 *buf, size_t len)
- {
-@@ -2004,7 +2036,8 @@ skip_rsn:
- peer->rsnie_i_len = kde.rsn_ie_len;
- peer->cipher = cipher;
-
-- if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) {
-+ if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0 ||
-+ !tdls_nonce_set(peer->inonce)) {
- /*
- * There is no point in updating the RNonce for every obtained
- * TPK M1 frame (e.g., retransmission due to timeout) with the
-@@ -2020,6 +2053,7 @@ skip_rsn:
- "TDLS: Failed to get random data for responder nonce");
- goto error;
- }
-+ peer->tk_set = 0; /* A new nonce results in a new TK */
- }
-
- #if 0
---
-2.7.4
-
+++ /dev/null
-From 53c5eb58e95004f86e65ee9fbfccbc291b139057 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Fri, 22 Sep 2017 11:25:02 +0300
-Subject: [PATCH 7/8] WNM: Ignore WNM-Sleep Mode Response without pending
- request
-
-Commit 03ed0a52393710be6bdae657d1b36efa146520e5 ('WNM: Ignore WNM-Sleep
-Mode Response if WNM-Sleep Mode has not been used') started ignoring the
-response when no WNM-Sleep Mode Request had been used during the
-association. This can be made tighter by clearing the used flag when
-successfully processing a response. This adds an additional layer of
-protection against unexpected retransmissions of the response frame.
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- wpa_supplicant/wnm_sta.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/wpa_supplicant/wnm_sta.c b/wpa_supplicant/wnm_sta.c
-index 1b3409c..67a07ff 100644
---- a/wpa_supplicant/wnm_sta.c
-+++ b/wpa_supplicant/wnm_sta.c
-@@ -260,7 +260,7 @@ static void ieee802_11_rx_wnmsleep_resp(struct wpa_supplicant *wpa_s,
-
- if (!wpa_s->wnmsleep_used) {
- wpa_printf(MSG_DEBUG,
-- "WNM: Ignore WNM-Sleep Mode Response frame since WNM-Sleep Mode has not been used in this association");
-+ "WNM: Ignore WNM-Sleep Mode Response frame since WNM-Sleep Mode operation has not been requested");
- return;
- }
-
-@@ -299,6 +299,8 @@ static void ieee802_11_rx_wnmsleep_resp(struct wpa_supplicant *wpa_s,
- return;
- }
-
-+ wpa_s->wnmsleep_used = 0;
-+
- if (wnmsleep_ie->status == WNM_STATUS_SLEEP_ACCEPT ||
- wnmsleep_ie->status == WNM_STATUS_SLEEP_EXIT_ACCEPT_GTK_UPDATE) {
- wpa_printf(MSG_DEBUG, "Successfully recv WNM-Sleep Response "
---
-2.7.4
-
+++ /dev/null
-From b372ab0b7daea719749194dc554b26e6367603f2 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Fri, 22 Sep 2017 12:06:37 +0300
-Subject: [PATCH 8/8] FT: Do not allow multiple Reassociation Response frames
-
-The driver is expected to not report a second association event without
-the station having explicitly request a new association. As such, this
-case should not be reachable. However, since reconfiguring the same
-pairwise or group keys to the driver could result in nonce reuse issues,
-be extra careful here and do an additional state check to avoid this
-even if the local driver ends up somehow accepting an unexpected
-Reassociation Response frame.
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- src/rsn_supp/wpa.c | 3 +++
- src/rsn_supp/wpa_ft.c | 8 ++++++++
- src/rsn_supp/wpa_i.h | 1 +
- 3 files changed, 12 insertions(+)
-
-diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
-index 0550a41..2a53c6f 100644
---- a/src/rsn_supp/wpa.c
-+++ b/src/rsn_supp/wpa.c
-@@ -2440,6 +2440,9 @@ void wpa_sm_notify_disassoc(struct wpa_sm *sm)
- #ifdef CONFIG_TDLS
- wpa_tdls_disassoc(sm);
- #endif /* CONFIG_TDLS */
-+#ifdef CONFIG_IEEE80211R
-+ sm->ft_reassoc_completed = 0;
-+#endif /* CONFIG_IEEE80211R */
-
- /* Keys are not needed in the WPA state machine anymore */
- wpa_sm_drop_sa(sm);
-diff --git a/src/rsn_supp/wpa_ft.c b/src/rsn_supp/wpa_ft.c
-index 205793e..d45bb45 100644
---- a/src/rsn_supp/wpa_ft.c
-+++ b/src/rsn_supp/wpa_ft.c
-@@ -153,6 +153,7 @@ static u8 * wpa_ft_gen_req_ies(struct wpa_sm *sm, size_t *len,
- u16 capab;
-
- sm->ft_completed = 0;
-+ sm->ft_reassoc_completed = 0;
-
- buf_len = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) +
- 2 + sm->r0kh_id_len + ric_ies_len + 100;
-@@ -681,6 +682,11 @@ int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies,
- return -1;
- }
-
-+ if (sm->ft_reassoc_completed) {
-+ wpa_printf(MSG_DEBUG, "FT: Reassociation has already been completed for this FT protocol instance - ignore unexpected retransmission");
-+ return 0;
-+ }
-+
- if (wpa_ft_parse_ies(ies, ies_len, &parse) < 0) {
- wpa_printf(MSG_DEBUG, "FT: Failed to parse IEs");
- return -1;
-@@ -781,6 +787,8 @@ int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies,
- return -1;
- }
-
-+ sm->ft_reassoc_completed = 1;
-+
- if (wpa_ft_process_gtk_subelem(sm, parse.gtk, parse.gtk_len) < 0)
- return -1;
-
-diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h
-index 41f371f..56f88dc 100644
---- a/src/rsn_supp/wpa_i.h
-+++ b/src/rsn_supp/wpa_i.h
-@@ -128,6 +128,7 @@ struct wpa_sm {
- size_t r0kh_id_len;
- u8 r1kh_id[FT_R1KH_ID_LEN];
- int ft_completed;
-+ int ft_reassoc_completed;
- int over_the_ds_in_progress;
- u8 target_ap[ETH_ALEN]; /* over-the-DS target AP */
- int set_ptk_after_assoc;
---
-2.7.4
-
--- /dev/null
+#!/bin/bash
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2015 IPFire Team #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see <http://www.gnu.org/licenses/>. #
+# #
+###############################################################################
+
+shopt -s nullglob
+
+VPN_CONFIG="/var/ipfire/vpn/config"
+
+eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
+eval $(/usr/local/bin/readhash /var/ipfire/vpn/settings)
+
+VARS=(
+ id status name lefthost type ctype psk local local_id leftsubnets
+ remote_id remote rightsubnets x3 x4 x5 x6 x7 x8 x9 x10 x11 x12
+ x13 x14 x15 x16 x17 x18 x19 proto x20 x21 x22
+ route x23 mode interface_mode interface_address interface_mtu rest
+)
+
+log() {
+ logger -t ipsec "$@"
+}
+
+resolve_hostname() {
+ local hostname="${1}"
+
+ dig +short A "${hostname}" | tail -n1
+}
+
+main() {
+ # Register local variables
+ local "${VARS[@]}"
+ local action
+
+ local interfaces=()
+
+ # We are done when IPsec is not enabled
+ if [ "${ENABLED}" = "on" ]; then
+ while IFS="," read -r "${VARS[@]}"; do
+ # Check if the connection is enabled
+ [ "${status}" = "on" ] || continue
+
+ # Check if this a net-to-net connection
+ [ "${type}" = "net" ] || continue
+
+ # Determine the interface name
+ case "${interface_mode}" in
+ gre|vti)
+ local intf="${interface_mode}${id}"
+ ;;
+ *)
+ continue
+ ;;
+ esac
+
+ # Add the interface to the list of all interfaces
+ interfaces+=( "${intf}" )
+
+ # Compat for older connections
+ if [ "${local}" = "off" ]; then
+ if [ "${VPN_IP}" = "%defaultroute" ]; then
+ local=""
+ else
+ local="${VPN_IP}"
+ fi
+ fi
+
+ # Handle %defaultroute
+ if [ -z "${local}" ]; then
+ if [ -r "/var/ipfire/red/local-ipaddress" ]; then
+ local="$(</var/ipfire/red/local-ipaddress)"
+
+ elif [ "${RED_TYPE}" = "STATIC" -a -n "${RED_ADDRESS}" ]; then
+ local="${RED_ADDRESS}"
+ fi
+ fi
+
+ # Resolve any hostnames
+ if [[ ! ${remote} =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+ remote="$(resolve_hostname "${remote}")"
+ fi
+
+ local args=(
+ "local" "${local}"
+ "remote" "${remote}"
+ )
+
+ case "${interface_mode}" in
+ gre)
+ # Add TTL
+ args+=( "ttl" "255" )
+ ;;
+
+ vti)
+ # Add key for VTI
+ args+=( "key" "${id}" )
+ ;;
+ esac
+
+ # Update the settings when the interface already exists
+ if [ -d "/sys/class/net/${intf}" ]; then
+ ip link change dev "${intf}" \
+ type "${interface_mode}" "${args[@]}" &>/dev/null
+
+ # Create a new interface and bring it up
+ else
+ log "Creating interface ${intf}"
+ if ! ip link add name "${intf}" type "${interface_mode}" "${args[@]}"; then
+ log "Could not create interface ${intf}"
+ continue
+ fi
+ fi
+
+ # Add an IP address
+ ip addr flush dev "${intf}"
+ ip addr add "${interface_address}" dev "${intf}"
+
+ # Set MTU
+ ip link set dev "${intf}" mtu "${interface_mtu}"
+
+ # Bring up the interface
+ ip link set dev "${intf}" up
+ done < "${VPN_CONFIG}"
+ fi
+
+ # Delete all other interfaces
+ local intf
+ for intf in /sys/class/net/gre[0-9]* /sys/class/net/vti[0-9]*; do
+ intf="$(basename "${intf}")"
+
+ # Ignore a couple of interfaces that cannot be deleted
+ case "${intf}" in
+ gre0|gretap0)
+ continue
+ ;;
+ esac
+
+ # Check if interface is on the list
+ local i found="false"
+ for i in ${interfaces[@]}; do
+ if [ "${intf}" = "${i}" ]; then
+ found="true"
+ break
+ fi
+ done
+
+ # Nothing to do if interface was found
+ ${found} && continue
+
+ # Delete the interface
+ log "Deleting interface ${intf}"
+ ip link del "${intf}" &>/dev/null
+ done
+}
+
+main || exit $?