use strict;
use Socket;
use IO::Socket;
+use Locale::Codes::Country;
use Net::SSLeay;
use Net::IPv4Addr qw(:all);
$|=1; # line buffering
--- /dev/null
+#!/usr/bin/perl -w
+############################################################################
+# #
+# This file is part of the IPFire Firewall. #
+# #
+# IPFire is free software; you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation; either version 2 of the License, or #
+# (at your option) any later version. #
+# #
+# IPFire is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with IPFire; if not, write to the Free Software #
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
+# #
+# Copyright (C) 2015 IPFire Team <info@ipfire.org>. #
+# #
+############################################################################
+
+package GeoIP;
+
+use Locale::Codes::Country;
+
+# Function to get the flag icon for a specified country code.
+sub get_flag_icon($) {
+ my ($input) = @_;
+
+ # Webserver's root dir. (Required for generating full path)
+ my $webroot = "/srv/web/ipfire/html";
+
+ # Directory which contains the flag icons.
+ my $flagdir = "/images/flags";
+
+ # File extension of the country flags.
+ my $ext = "png";
+
+ # Remove whitespaces.
+ chomp($input);
+
+ # Convert given country code to lower case.
+ my $ccode = lc($input);
+
+ # Generate filename, based on the contry code in lower case
+ # and the defined file extension.
+ my $file = join('.', $ccode,$ext);
+
+ # Generate path inside webroot to the previously generated file.
+ my $flag_icon = join('/', $flagdir,$file);
+
+ # Generate absolute path to the icon file.
+ my $absolute_path = join('', $webroot,$flag_icon);
+
+ # Check if the a icon file exists.
+ if (-e "$absolute_path") {
+ # Return content of flag_icon.
+ return $flag_icon;
+ }
+}
+
+# Function to get the county name by a given country code.
+sub get_full_country_name($) {
+ my ($input) = @_;
+ my $name;
+
+ # Remove whitespaces.
+ chomp($input);
+
+ # Convert input into lower case format.
+ my $code = lc($input);
+
+ # Handle country codes which are not in the list.
+ if ($code eq "a1") { $name = "Anonymous Proxy" }
+ elsif ($code eq "a2") { $name = "Satellite Provider" }
+ elsif ($code eq "o1") { $name = "Other Country" }
+ elsif ($code eq "ap") { $name = "Asia/Pacific Region" }
+ elsif ($code eq "eu") { $name = "Europe" }
+ elsif ($code eq "yu") { $name = "Yugoslavia" }
+ else {
+ # Use perl built-in module to get the country code.
+ $name = &Locale::Codes::Country::code2country($code);
+ }
+
+ return $name;
+}
+
+1;
return if ($ENV{'REQUEST_METHOD'} ne 'POST');
if (!$params->{'wantfile'}) {
$CGI::DISABLE_UPLOADS = 1;
- $CGI::POST_MAX = 512 * 1024;
+ $CGI::POST_MAX = 1024 * 1024;
} else {
$CGI::POST_MAX = 10 * 1024 * 1024;
}
# Re-read firewall rules every Sunday in March, October and November to take care of daylight saving time
00 3 * 3 0 /usr/local/bin/timezone-transition /usr/local/bin/firewallctrl
00 2 * 10-11 0 /usr/local/bin/timezone-transition /usr/local/bin/firewallctrl
+
+# Update GeoIP database once a month.
+%monthly,random * * * [ -f "/var/ipfire/red/active" ] && /usr/local/bin/xt_geoip_update >/dev/null 2>&1
my %customnetwork=();
my %customhost=();
my %customgrp=();
+my %customgeoipgrp=();
my %customservice=();
my %customservicegrp=();
my %ccdnet=();
my $confignet = "${General::swroot}/fwhosts/customnetworks";
my $confighost = "${General::swroot}/fwhosts/customhosts";
my $configgrp = "${General::swroot}/fwhosts/customgroups";
+my $configgeoipgrp = "${General::swroot}/fwhosts/customgeoipgrp";
my $configsrv = "${General::swroot}/fwhosts/customservices";
my $configsrvgrp = "${General::swroot}/fwhosts/customservicegrp";
my $configccdnet = "${General::swroot}/ovpn/ccd.conf";
&General::readhasharray("$confignet", \%customnetwork);
&General::readhasharray("$confighost", \%customhost);
&General::readhasharray("$configgrp", \%customgrp);
+&General::readhasharray("$configgeoipgrp", \%customgeoipgrp);
&General::readhasharray("$configccdnet", \%ccdnet);
&General::readhasharray("$configccdhost", \%ccdhost);
&General::readhasharray("$configipsec", \%ipsecconf);
if ($customgrp{$grp}[0] eq $value) {
my @address = &get_address($customgrp{$grp}[3], $customgrp{$grp}[2], $type);
+ if (@address) {
+ push(@addresses, @address);
+ }
+ }
+ }
+ }elsif ($addr_type ~~ ["cust_geoip_src", "cust_geoip_tgt"] && $value =~ "group:") {
+ $value=substr($value,6);
+ foreach my $grp (sort {$a <=> $b} keys %customgeoipgrp) {
+ if ($customgeoipgrp{$grp}[0] eq $value) {
+ my @address = &get_address($addr_type, $customgeoipgrp{$grp}[2], $type);
+
if (@address) {
push(@addresses, @address);
}
}
}
+ # Handle rule options with GeoIP as source.
+ } elsif ($key eq "cust_geoip_src") {
+ # Get external interface.
+ my $external_interface = &get_external_interface();
+
+ push(@ret, ["-m geoip --src-cc $value", "$external_interface"]);
+
+ # Handle rule options with GeoIP as target.
+ } elsif ($key eq "cust_geoip_tgt") {
+ # Get external interface.
+ my $external_interface = &get_external_interface();
+
+ push(@ret, ["-m geoip --dst-cc $value", "$external_interface"]);
+
# If nothing was selected, we assume "any".
} else {
push(@ret, ["0/0", ""]);
return 0;
}
+sub get_geoip_locations() {
+ # Path to the directory which contains the binary geoip
+ # databases.
+ my $directory="/usr/share/xt_geoip/LE";
+
+ # Array to store the final country list.
+ my @country_codes = ();
+
+ # Open location and do a directory listing.
+ opendir(DIR, "$directory");
+ my @locations = readdir(DIR);
+ closedir(DIR);
+
+ # Loop through the directory listing, and cut of the file extensions.
+ foreach my $location (sort @locations) {
+ # skip . and ..
+ next if($location =~ /^\.$/);
+ next if($location =~ /^\.\.$/);
+
+ # Remove whitespaces.
+ chomp($location);
+
+ # Cut-off file extension.
+ my ($country_code, $extension) = split(/\./, $location);
+
+ # Add country code to array.
+ push(@country_codes, $country_code);
+ }
+
+ # Return final array.
+ return @country_codes;
+}
+
return 1;
--- /dev/null
+GEOIPBLOCK_ENABLED=off
my $configinput = "${General::swroot}/firewall/input";
my $configoutgoing = "${General::swroot}/firewall/outgoing";
my $p2pfile = "${General::swroot}/firewall/p2protocols";
+my $geoipfile = "${General::swroot}/firewall/geoipblock";
my $configgrp = "${General::swroot}/fwhosts/customgroups";
my $netsettings = "${General::swroot}/ethernet/settings";
# Load P2P block rules.
&p2pblock();
+ # Load GeoIP block rules.
+ &geoipblock();
+
# Reload firewall policy.
run("/usr/sbin/firewall-policy");
my @source_options = ();
if ($source =~ /mac/) {
push(@source_options, $source);
- } elsif ($source) {
+ } elsif ($source =~ /-m geoip/) {
+ push(@source_options, $source);
+ } elsif($source) {
push(@source_options, ("-s", $source));
}
# Prepare destination options.
my @destination_options = ();
- if ($destination) {
+ if ($destination =~ /-m geoip/) {
+ push(@destination_options, $destination);
+ } elsif ($destination) {
push(@destination_options, ("-d", $destination));
}
}
}
+sub geoipblock {
+ my %geoipsettings = ();
+ $geoipsettings{'GEOIPBLOCK_ENABLED'} = "off";
+
+ # Flush iptables chain.
+ run("$IPTABLES -F GEOIPBLOCK");
+
+ # Check if the geoip settings file exists
+ if (-e "$geoipfile") {
+ # Read settings file
+ &General::readhash("$geoipfile", \%geoipsettings);
+ }
+
+ # If geoip blocking is not enabled, we are finished here.
+ if ($geoipsettings{'GEOIPBLOCK_ENABLED'} ne "on") {
+ # Exit submodule. Process remaining script.
+ return;
+ }
+
+ # Get supported locations.
+ my @locations = &fwlib::get_geoip_locations();
+
+ # Loop through all supported geoip locations and
+ # create iptables rules, if blocking this country
+ # is enabled.
+ foreach my $location (@locations) {
+ if($geoipsettings{$location} eq "on") {
+ run("$IPTABLES -A GEOIPBLOCK -m geoip --src-cc $location -j DROP");
+ }
+ }
+}
+
sub get_protocols {
my $hash = shift;
my $key = shift;
'title' => "P2P-Block",
'enabled' => 1,
};
+ $subfirewall->{'50.geoipblock'} = {
+ 'caption' => $Lang::tr{'geoipblock'},
+ 'uri' => '/cgi-bin/geoip-block.cgi',
+ 'title' => $Lang::tr{'geoipblock'},
+ 'enabled' => 1,
+ };
$subfirewall->{'60.wireless'} = {
'caption' => $Lang::tr{'blue access'},
'uri' => '/cgi-bin/wireless.cgi',
-#usr/lib/perl5/site_perl/5.12.3/Locale
-usr/lib/perl5/site_perl/5.12.3/Locale/Constants.pm
-usr/lib/perl5/site_perl/5.12.3/Locale/Constants.pod
-usr/lib/perl5/site_perl/5.12.3/Locale/Country.pm
-usr/lib/perl5/site_perl/5.12.3/Locale/Country.pod
-usr/lib/perl5/site_perl/5.12.3/Locale/Currency.pm
-usr/lib/perl5/site_perl/5.12.3/Locale/Currency.pod
-usr/lib/perl5/site_perl/5.12.3/Locale/Language.pm
-usr/lib/perl5/site_perl/5.12.3/Locale/Language.pod
-usr/lib/perl5/site_perl/5.12.3/Locale/Script.pm
-usr/lib/perl5/site_perl/5.12.3/Locale/Script.pod
-#usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/auto/Locale-Codes
-#usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/auto/Locale-Codes/.packlist
+#usr/lib/perl5/5.12.3/Locale/Codes
+usr/lib/perl5/5.12.3/Locale/Codes.pm
+usr/lib/perl5/5.12.3/Locale/Codes.pod
+usr/lib/perl5/5.12.3/Locale/Codes/API.pod
+usr/lib/perl5/5.12.3/Locale/Codes/Changes.pod
+usr/lib/perl5/5.12.3/Locale/Codes/Constants.pm
+usr/lib/perl5/5.12.3/Locale/Codes/Constants.pod
+usr/lib/perl5/5.12.3/Locale/Codes/Country.pm
+usr/lib/perl5/5.12.3/Locale/Codes/Country.pod
+usr/lib/perl5/5.12.3/Locale/Codes/Country_Codes.pm
+usr/lib/perl5/5.12.3/Locale/Codes/Country_Retired.pm
+usr/lib/perl5/5.12.3/Locale/Codes/Currency.pm
+usr/lib/perl5/5.12.3/Locale/Codes/Currency.pod
+usr/lib/perl5/5.12.3/Locale/Codes/Currency_Codes.pm
+usr/lib/perl5/5.12.3/Locale/Codes/Currency_Retired.pm
+usr/lib/perl5/5.12.3/Locale/Codes/LangExt.pm
+usr/lib/perl5/5.12.3/Locale/Codes/LangExt.pod
+usr/lib/perl5/5.12.3/Locale/Codes/LangExt_Codes.pm
+usr/lib/perl5/5.12.3/Locale/Codes/LangExt_Retired.pm
+usr/lib/perl5/5.12.3/Locale/Codes/LangFam.pm
+usr/lib/perl5/5.12.3/Locale/Codes/LangFam.pod
+usr/lib/perl5/5.12.3/Locale/Codes/LangFam_Codes.pm
+usr/lib/perl5/5.12.3/Locale/Codes/LangFam_Retired.pm
+usr/lib/perl5/5.12.3/Locale/Codes/LangVar.pm
+usr/lib/perl5/5.12.3/Locale/Codes/LangVar.pod
+usr/lib/perl5/5.12.3/Locale/Codes/LangVar_Codes.pm
+usr/lib/perl5/5.12.3/Locale/Codes/LangVar_Retired.pm
+usr/lib/perl5/5.12.3/Locale/Codes/Language.pm
+usr/lib/perl5/5.12.3/Locale/Codes/Language.pod
+usr/lib/perl5/5.12.3/Locale/Codes/Language_Codes.pm
+usr/lib/perl5/5.12.3/Locale/Codes/Language_Retired.pm
+usr/lib/perl5/5.12.3/Locale/Codes/Script.pm
+usr/lib/perl5/5.12.3/Locale/Codes/Script.pod
+usr/lib/perl5/5.12.3/Locale/Codes/Script_Codes.pm
+usr/lib/perl5/5.12.3/Locale/Codes/Script_Retired.pm
+#usr/lib/perl5/5.12.3/MACHINE-linux-thread-multi/auto/Locale
+#usr/lib/perl5/5.12.3/MACHINE-linux-thread-multi/auto/Locale/Codes
+#usr/lib/perl5/5.12.3/MACHINE-linux-thread-multi/auto/Locale/Codes/.packlist
+#usr/share/man/man3/Locale::Codes.3
+#usr/share/man/man3/Locale::Codes::API.3
+#usr/share/man/man3/Locale::Codes::Changes.3
+#usr/share/man/man3/Locale::Codes::Constants.3
+#usr/share/man/man3/Locale::Codes::Country.3
+#usr/share/man/man3/Locale::Codes::Currency.3
+#usr/share/man/man3/Locale::Codes::LangExt.3
+#usr/share/man/man3/Locale::Codes::LangFam.3
+#usr/share/man/man3/Locale::Codes::LangFam_Retired.3
+#usr/share/man/man3/Locale::Codes::LangVar.3
+#usr/share/man/man3/Locale::Codes::Language.3
+#usr/share/man/man3/Locale::Codes::Script.3
srv/web/ipfire/cgi-bin/fireinfo.cgi
srv/web/ipfire/cgi-bin/firewall.cgi
srv/web/ipfire/cgi-bin/fwhosts.cgi
+srv/web/ipfire/cgi-bin/geoip-block.cgi
srv/web/ipfire/cgi-bin/gpl.cgi
srv/web/ipfire/cgi-bin/gui.cgi
srv/web/ipfire/cgi-bin/hardwaregraphs.cgi
etc/rc.d/init.d/networking/red.up/50-ovpn
etc/rc.d/init.d/networking/red.up/98-leds
etc/rc.d/init.d/networking/red.up/99-fireinfo
+etc/rc.d/init.d/networking/red.up/99-geoip-database
etc/rc.d/init.d/networking/red.up/99-pakfire-update
etc/rc.d/init.d/networking/wpa_supplicant.exe
#etc/rc.d/init.d/nfs-server
#usr/lib/perl5/Collectd/Plugins
#usr/lib/perl5/Collectd/Plugins/OpenVZ.pm
#usr/lib/perl5/Collectd/Unixsock.pm
-#usr/lib/perl5/i586-linux-thread-multi
-#usr/lib/perl5/i586-linux-thread-multi/auto
-#usr/lib/perl5/i586-linux-thread-multi/auto/Collectd
-#usr/lib/perl5/i586-linux-thread-multi/auto/Collectd/.packlist
-#usr/lib/perl5/i586-linux-thread-multi/perllocal.pod
+#usr/lib/perl5/MACHINE-linux-thread-multi
+#usr/lib/perl5/MACHINE-linux-thread-multi/auto
+#usr/lib/perl5/MACHINE-linux-thread-multi/auto/Collectd
+#usr/lib/perl5/MACHINE-linux-thread-multi/auto/Collectd/.packlist
+#usr/lib/perl5/MACHINE-linux-thread-multi/perllocal.pod
#usr/lib/pkgconfig/libcollectdclient.pc
#usr/man/man3/Collectd::Unixsock.3
usr/sbin/collectd
var/ipfire/firewall
#var/ipfire/firewall/config
#var/ipfire/firewall/dmz
+#var/ipfire/firewall/geoipblock
#var/ipfire/firewall/input
#var/ipfire/firewall/nat
#var/ipfire/firewall/outgoing
#var/ipfire/firewall/settings
var/ipfire/fwhosts
#var/ipfire/fwhosts/customgroups
+#var/ipfire/fwhosts/customgeoipgrp
#var/ipfire/fwhosts/customhosts
#var/ipfire/fwhosts/customnetworks
#var/ipfire/fwhosts/customservicegrp
#var/ipfire/fwlogs/ipsettings
#var/ipfire/fwlogs/portsettings
var/ipfire/general-functions.pl
+var/ipfire/geoip-functions.pl
var/ipfire/graphs.pl
var/ipfire/header.pl
var/ipfire/isdn
etc/rc.d/init.d/networking/red.up/50-ovpn
etc/rc.d/init.d/networking/red.up/98-leds
etc/rc.d/init.d/networking/red.up/99-fireinfo
+etc/rc.d/init.d/networking/red.up/99-geoip-database
etc/rc.d/init.d/networking/red.up/99-pakfire-update
etc/rc.d/init.d/networking/wpa_supplicant.exe
#etc/rc.d/init.d/nfs-server
--- /dev/null
+usr/lib/sse2/libcrypto.so.10
+usr/lib/sse2/libssl.so.10
+++ /dev/null
-usr/lib/libcrypto.so.0.9.8
-usr/lib/libssl.so.0.9.8
--- /dev/null
+#usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/Text
+usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/Text/CSV_XS.pm
+#usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/auto/Text
+#usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/auto/Text/CSV_XS
+#usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/auto/Text/CSV_XS/.packlist
+#usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/auto/Text/CSV_XS/CSV_XS.bs
+usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/auto/Text/CSV_XS/CSV_XS.so
+#usr/share/man/man3/Text::CSV_XS.3
usr/local/bin/timezone-transition
usr/local/bin/update-bootloader
usr/local/bin/update-lang-cache
+usr/local/bin/xt_geoip_build
+usr/local/bin/xt_geoip_update
#usr/local/include
#usr/local/lib
#usr/local/lib/sse2
#usr/local/share/man/man8
#usr/local/share/misc
#usr/local/share/terminfo
+#usr/local/share/xt_geoip
#usr/local/share/zoneinfo
#usr/local/src
#usr/sbin
#usr/share/man/man8
#usr/share/misc
#usr/share/terminfo
+#usr/share/xt_geoip
#usr/share/zoneinfo
#var
#var/cache
--- /dev/null
+lib/xtables/libxt_ACCOUNT.so
+lib/xtables/libxt_CHAOS.so
+lib/xtables/libxt_DELUDE.so
+lib/xtables/libxt_DHCPMAC.so
+lib/xtables/libxt_DNETMAP.so
+lib/xtables/libxt_ECHO.so
+lib/xtables/libxt_IPMARK.so
+lib/xtables/libxt_LOGMARK.so
+lib/xtables/libxt_TARPIT.so
+lib/xtables/libxt_condition.so
+lib/xtables/libxt_dhcpmac.so
+lib/xtables/libxt_fuzzy.so
+lib/xtables/libxt_geoip.so
+lib/xtables/libxt_iface.so
+lib/xtables/libxt_ipp2p.so
+lib/xtables/libxt_ipv4options.so
+lib/xtables/libxt_length2.so
+lib/xtables/libxt_lscan.so
+lib/xtables/libxt_pknock.so
+lib/xtables/libxt_psd.so
+lib/xtables/libxt_quota2.so
+#usr/lib/libxt_ACCOUNT_cl.la
+#usr/lib/libxt_ACCOUNT_cl.so
+usr/lib/libxt_ACCOUNT_cl.so.0
+usr/lib/libxt_ACCOUNT_cl.so.0.0.0
+#usr/libexec/xtables-addons
+usr/libexec/xtables-addons/xt_geoip_build
+usr/libexec/xtables-addons/xt_geoip_dl
+usr/sbin/iptaccount
+#usr/share/man/man1/xt_geoip_build.1
+#usr/share/man/man1/xt_geoip_dl.1
+#usr/share/man/man8/iptaccount.8
+#usr/share/man/man8/xtables-addons.8
etc/sysconfig/rc.local
etc/udev/rules.d/30-persistent-network.rules
srv/web/ipfire/html/proxy.pac
-var/ipfire/time
+var/ipfire/firewall/geoipblock
+var/ipfire/fwhosts/custmgeoipgrp
var/ipfire/ovpn/ccd.conf
var/ipfire/ovpn/ccdroute
var/ipfire/ovpn/ccdroute2
+var/ipfire/time
var/log/cache
var/state/dhcp/dhcpd.leases
var/updatecache
--- /dev/null
+../../../common/dnsmasq
\ No newline at end of file
etc/system-release
etc/issue
+etc/rc.d/init.d/firewall
etc/rc.d/init.d/network-trigger
+etc/rc.d/init.d/networking/functions.network
+etc/rc.d/init.d/networking/red.up/99-geoip-database
etc/rc.d/rcsysinit.d/S90network-trigger
+srv/web/ipfire/cgi-bin/country.cgi
+srv/web/ipfire/cgi-bin/firewall.cgi
+srv/web/ipfire/cgi-bin/fwhosts.cgi
+srv/web/ipfire/cgi-bin/geoip-block.cgi
+srv/web/ipfire/cgi-bin/index.cgi
+srv/web/ipfire/cgi-bin/ovpnmain.cgi
+srv/web/ipfire/cgi-bin/vpnmain.cgi
+srv/web/ipfire/html/themes/darkdos/include/style.css
+srv/web/ipfire/html/themes/ipfire-legacy/include/style.css
+srv/web/ipfire/html/themes/ipfire/include/css/style.css
+srv/web/ipfire/html/themes/maniac/include/style.css
+usr/lib/firewall/firewall-lib.pl
usr/lib/firewall/rules.pl
+usr/local/bin/backupiso
+usr/local/bin/xt_geoip_build
+usr/local/bin/xt_geoip_update
+var/ipfire/general-functions.pl
+var/ipfire/geoip-functions.pl
+var/ipfire/header.pl
var/ipfire/backup/include
var/ipfire/langs
+var/ipfire/menu.d/50-firewall.menu
--- /dev/null
+../../../../common/i586/openssl-sse2
\ No newline at end of file
--- /dev/null
+../../../common/iptables
\ No newline at end of file
--- /dev/null
+lib/security/pam_mysql.so
+usr/lib/gnupg/gpgkeys_ldap
+usr/lib/gnupg/gpgkeys_hkp
+usr/lib/gnupg/gpgkeys_curl
+usr/lib/apache/libphp5.so
+usr/lib/squid/digest_ldap_auth
+usr/lib/squid/basic_ldap_auth
+usr/lib/squid/ext_kerberos_ldap_group_acl
+usr/lib/squid/ext_edirectory_userip_acl
+usr/lib/squid/ext_ldap_group_acl
+usr/lib/python2.7/lib-dynload/_ssl.so
+usr/lib/python2.7/lib-dynload/_hashlib.so
+usr/lib/collectd/write_http.so
+usr/lib/collectd/ascent.so
+usr/lib/collectd/curl_xml.so
+usr/lib/collectd/apache.so
+usr/lib/collectd/bind.so
+usr/lib/collectd/curl.so
+usr/bin/php
--- /dev/null
+../../../common/perl-Text-CSV_XS
\ No newline at end of file
--- /dev/null
+../../../common/xtables-addons
\ No newline at end of file
#Extract files
tar xavf /opt/pakfire/tmp/files* --no-overwrite-dir -p --numeric-owner -C /
+# Remove old openssl libraries
+rm -vf /usr/lib/libcrypto.so.0.9.8 /usr/lib/libssl.so.0.9.8
+
# Check diskspace on boot
BOOTSPACE=`df /boot -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1`
esac
fi
+# Create GeoIP related files if they do not exist yet.
+if [ ! -e "/var/ipfire/firewall/geoipblock" ]; then
+ touch /var/ipfire/firewall/geoipblock
+ chown nobody:nobody /var/ipfire/firewall/geoipblock
+
+ # Insert default value into file.
+ echo "GEOIPBLOCK_ENABLED=off" >> /var/ipfire/firewall/geoipblock
+fi
+if [ ! -e "/var/ipfire/fwhosts/customgeoipgrp" ]; then
+ touch /var/ipfire/fwhosts/customgeoipgrp
+ chown nobody:nobody /var/ipfire/fwhosts/customgeoipgrp
+fi
+
+#Fix BUG10812 (openvpn server.conf has wrong collectd logfile path)
+if grep -q "status /var/log/ovpnserver.log 30" /var/ipfire/ovpn/server.conf; then
+ sed -i "s/\/var\/log\/ovpnserver.log 30/\/var\/run\/ovpnserver.log 30/" /var/ipfire/ovpn/server.conf
+fi
+
+# Download/Update GeoIP databases.
+/usr/local/bin/xt_geoip_update
+
+# Update crontab
+grep -q /usr/local/bin/xt_geoip_update /var/spool/cron/root.orig || cat <<EOF >> /var/spool/cron/root.orig
+
+# Update GeoIP database once a month.
+%monthly,random * * * [ -f "/var/ipfire/red/active" ] && /usr/local/bin/xt_geoip_update >/dev/null 2>&1
+EOF
+
+fcrontab -z &>/dev/null
+
+
# Update Language cache
perl -e "require '/var/ipfire/lang.pl'; &Lang::BuildCacheLang"
--- /dev/null
+# -*- Makefile -*-
+#
+build_ACCOUNT=m
+build_CHAOS=m
+build_DELUDE=m
+build_DHCPMAC=m
+build_DNETMAP=m
+build_ECHO=m
+build_IPMARK=m
+build_LOGMARK=m
+build_SYSRQ=n
+build_TARPIT=m
+build_condition=m
+build_fuzzy=m
+build_geoip=m
+build_gradm=n
+build_iface=m
+build_ipp2p=m
+build_ipv4options=m
+build_length2=m
+build_lscan=m
+build_pknock=m
+build_psd=m
+build_quota2=m
WARNING: translation string unused: behind a proxy
WARNING: translation string unused: bitrate
WARNING: translation string unused: bleeding rules
+WARNING: translation string unused: block
WARNING: translation string unused: blue access use hint
WARNING: translation string unused: blue interface
WARNING: translation string unused: cache management
WARNING: translation string unused: fwhost attention
WARNING: translation string unused: fwhost blue
WARNING: translation string unused: fwhost changeremark
+WARNING: translation string unused: fwhost cust geoip
WARNING: translation string unused: fwhost err addrgrp
WARNING: translation string unused: fwhost err hostorip
WARNING: translation string unused: fwhost err mac
WARNING: translation string unused: gen static key
WARNING: translation string unused: generate
WARNING: translation string unused: genkey
+WARNING: translation string unused: geoipblock country code
+WARNING: translation string unused: geoipblock country name
+WARNING: translation string unused: geoipblock flag
WARNING: translation string unused: green interface
WARNING: translation string unused: gz with key
WARNING: translation string unused: hint
WARNING: translation string unused: transparent on
WARNING: translation string unused: umount
WARNING: translation string unused: umount removable media before to unplug
+WARNING: translation string unused: unblock
+WARNING: translation string unused: unblock all
WARNING: translation string unused: unencrypted
WARNING: translation string unused: update transcript
WARNING: translation string unused: updates
WARNING: untranslated string: community rules
WARNING: untranslated string: dead peer detection
WARNING: untranslated string: emerging rules
+WARNING: untranslated string: fwhost cust geoipgrp
WARNING: untranslated string: fwhost err hostip
WARNING: untranslated string: ike lifetime should be between 1 and 8 hours
WARNING: untranslated string: no data
WARNING: translation string unused: bewan adsl usb
WARNING: translation string unused: bitrate
WARNING: translation string unused: bleeding rules
+WARNING: translation string unused: block
WARNING: translation string unused: blue access use hint
WARNING: translation string unused: blue interface
WARNING: translation string unused: cache management
WARNING: translation string unused: fwhost attention
WARNING: translation string unused: fwhost blue
WARNING: translation string unused: fwhost changeremark
+WARNING: translation string unused: fwhost cust geoip
WARNING: translation string unused: fwhost err addrgrp
WARNING: translation string unused: fwhost err hostorip
WARNING: translation string unused: fwhost err mac
WARNING: translation string unused: gen static key
WARNING: translation string unused: generate
WARNING: translation string unused: genkey
+WARNING: translation string unused: geoipblock country code
+WARNING: translation string unused: geoipblock country name
+WARNING: translation string unused: geoipblock flag
WARNING: translation string unused: green interface
WARNING: translation string unused: gz with key
WARNING: translation string unused: hint
WARNING: translation string unused: transparent on
WARNING: translation string unused: umount
WARNING: translation string unused: umount removable media before to unplug
+WARNING: translation string unused: unblock
+WARNING: translation string unused: unblock all
WARNING: translation string unused: unencrypted
WARNING: translation string unused: update transcript
WARNING: translation string unused: updates
WARNING: translation string unused: yearly firewallhits
WARNING: untranslated string: Scan for Songs
WARNING: untranslated string: bytes
+WARNING: untranslated string: fwhost cust geoipgrp
WARNING: untranslated string: fwhost err hostip
WARNING: untranslated string: ike lifetime should be between 1 and 8 hours
WARNING: untranslated string: no data
WARNING: translation string unused: gen static key
WARNING: translation string unused: generate
WARNING: translation string unused: genkey
+WARNING: translation string unused: geoipblock country code
+WARNING: translation string unused: geoipblock country name
+WARNING: translation string unused: geoipblock flag
WARNING: translation string unused: green interface
WARNING: translation string unused: gz with key
WARNING: translation string unused: hint
WARNING: untranslated string: ccd routes
WARNING: untranslated string: ccd subnet
WARNING: untranslated string: ccd used
+WARNING: untranslated string: check all
WARNING: untranslated string: count
WARNING: untranslated string: countries
WARNING: untranslated string: country codes and flags
WARNING: untranslated string: fwdfw wd_tue
WARNING: untranslated string: fwdfw wd_wed
WARNING: untranslated string: fwhost OpenVPN N-2-N
+WARNING: untranslated string: fwhost addgeoipgrp
WARNING: untranslated string: fwhost addgrp
WARNING: untranslated string: fwhost addgrpname
WARNING: untranslated string: fwhost addhost
WARNING: untranslated string: fwhost ccdnet
WARNING: untranslated string: fwhost change
WARNING: untranslated string: fwhost cust addr
+WARNING: untranslated string: fwhost cust geoipgroup
+WARNING: untranslated string: fwhost cust geoipgrp
+WARNING: untranslated string: fwhost cust geoiplocation
WARNING: untranslated string: fwhost cust grp
WARNING: untranslated string: fwhost cust net
WARNING: untranslated string: fwhost cust service
WARNING: untranslated string: fwhost ipsec net
WARNING: untranslated string: fwhost menu
WARNING: untranslated string: fwhost netaddress
+WARNING: untranslated string: fwhost newgeoipgrp
WARNING: untranslated string: fwhost newgrp
WARNING: untranslated string: fwhost newhost
WARNING: untranslated string: fwhost newnet
WARNING: untranslated string: tor traffic limit soft
WARNING: untranslated string: tor traffic read written
WARNING: untranslated string: tor use exit nodes
+WARNING: untranslated string: uncheck all
WARNING: untranslated string: uplink
WARNING: untranslated string: upload dh key
WARNING: untranslated string: uptime load average
WARNING: untranslated string: ccd routes
WARNING: untranslated string: ccd subnet
WARNING: untranslated string: ccd used
+WARNING: untranslated string: check all
WARNING: untranslated string: count
WARNING: untranslated string: countries
WARNING: untranslated string: country codes and flags
WARNING: untranslated string: fwdfw wd_tue
WARNING: untranslated string: fwdfw wd_wed
WARNING: untranslated string: fwhost OpenVPN N-2-N
+WARNING: untranslated string: fwhost addgeoipgrp
WARNING: untranslated string: fwhost addgrp
WARNING: untranslated string: fwhost addgrpname
WARNING: untranslated string: fwhost addhost
WARNING: untranslated string: fwhost ccdnet
WARNING: untranslated string: fwhost change
WARNING: untranslated string: fwhost cust addr
+WARNING: untranslated string: fwhost cust geoipgroup
+WARNING: untranslated string: fwhost cust geoipgrp
+WARNING: untranslated string: fwhost cust geoiplocation
WARNING: untranslated string: fwhost cust grp
WARNING: untranslated string: fwhost cust net
WARNING: untranslated string: fwhost cust service
WARNING: untranslated string: fwhost ipsec net
WARNING: untranslated string: fwhost menu
WARNING: untranslated string: fwhost netaddress
+WARNING: untranslated string: fwhost newgeoipgrp
WARNING: untranslated string: fwhost newgrp
WARNING: untranslated string: fwhost newhost
WARNING: untranslated string: fwhost newnet
WARNING: untranslated string: fwhost welcome
WARNING: untranslated string: gen dh
WARNING: untranslated string: generate dh key
+WARNING: untranslated string: geoip
+WARNING: untranslated string: geoipblock
+WARNING: untranslated string: geoipblock block countries
+WARNING: untranslated string: geoipblock configuration
+WARNING: untranslated string: geoipblock country is allowed
+WARNING: untranslated string: geoipblock country is blocked
+WARNING: untranslated string: geoipblock enable feature
WARNING: untranslated string: grouptype
WARNING: untranslated string: hardware support
WARNING: untranslated string: ike lifetime should be between 1 and 8 hours
WARNING: untranslated string: tor traffic limit soft
WARNING: untranslated string: tor traffic read written
WARNING: untranslated string: tor use exit nodes
+WARNING: untranslated string: uncheck all
WARNING: untranslated string: uplink
WARNING: untranslated string: upload dh key
WARNING: untranslated string: upload new ruleset
WARNING: untranslated string: advproxy group access control
WARNING: untranslated string: advproxy group required
WARNING: untranslated string: bytes
+WARNING: untranslated string: check all
WARNING: untranslated string: fwdfw err concon
WARNING: untranslated string: fwdfw err ratecon
WARNING: untranslated string: fwdfw limitconcon
WARNING: untranslated string: fwdfw maxconcon
WARNING: untranslated string: fwdfw numcon
WARNING: untranslated string: fwdfw ratelimit
+WARNING: untranslated string: fwhost addgeoipgrp
+WARNING: untranslated string: fwhost cust geoipgroup
+WARNING: untranslated string: fwhost cust geoipgrp
+WARNING: untranslated string: fwhost cust geoiplocation
WARNING: untranslated string: fwhost err hostip
+WARNING: untranslated string: fwhost newgeoipgrp
+WARNING: untranslated string: geoip
+WARNING: untranslated string: geoipblock
+WARNING: untranslated string: geoipblock block countries
+WARNING: untranslated string: geoipblock configuration
+WARNING: untranslated string: geoipblock country is allowed
+WARNING: untranslated string: geoipblock country is blocked
+WARNING: untranslated string: geoipblock enable feature
WARNING: untranslated string: ike lifetime should be between 1 and 8 hours
WARNING: untranslated string: incoming compression in bytes per second
WARNING: untranslated string: incoming overhead in bytes per second
WARNING: untranslated string: routing table
WARNING: untranslated string: samba join a domain
WARNING: untranslated string: samba join domain
+WARNING: untranslated string: uncheck all
+WARNING: untranslated string: vpn statistic n2n
+WARNING: untranslated string: vpn statistic rw
+WARNING: untranslated string: vpn statistics n2n
WARNING: untranslated string: atm device
WARNING: untranslated string: bytes
WARNING: untranslated string: capabilities
+WARNING: untranslated string: check all
WARNING: untranslated string: default
WARNING: untranslated string: dh
WARNING: untranslated string: dh key move failed
WARNING: untranslated string: fwdfw maxconcon
WARNING: untranslated string: fwdfw numcon
WARNING: untranslated string: fwdfw ratelimit
+WARNING: untranslated string: fwhost addgeoipgrp
+WARNING: untranslated string: fwhost cust geoipgroup
+WARNING: untranslated string: fwhost cust geoipgrp
+WARNING: untranslated string: fwhost cust geoiplocation
WARNING: untranslated string: fwhost err hostip
+WARNING: untranslated string: fwhost newgeoipgrp
WARNING: untranslated string: gen dh
WARNING: untranslated string: generate dh key
+WARNING: untranslated string: geoip
+WARNING: untranslated string: geoipblock
+WARNING: untranslated string: geoipblock block countries
+WARNING: untranslated string: geoipblock configuration
+WARNING: untranslated string: geoipblock country is allowed
+WARNING: untranslated string: geoipblock country is blocked
+WARNING: untranslated string: geoipblock enable feature
WARNING: untranslated string: ike lifetime should be between 1 and 8 hours
WARNING: untranslated string: imei
WARNING: untranslated string: imsi
WARNING: untranslated string: software version
WARNING: untranslated string: source ip country
WARNING: untranslated string: ta key
+WARNING: untranslated string: uncheck all
WARNING: untranslated string: upload dh key
WARNING: untranslated string: vendor
WARNING: untranslated string: vpn statistic n2n
WARNING: translation string unused: gen static key
WARNING: translation string unused: generate
WARNING: translation string unused: genkey
+WARNING: translation string unused: geoipblock country code
+WARNING: translation string unused: geoipblock country name
+WARNING: translation string unused: geoipblock flag
WARNING: translation string unused: green interface
WARNING: translation string unused: gz with key
WARNING: translation string unused: hint
WARNING: untranslated string: ccd routes
WARNING: untranslated string: ccd subnet
WARNING: untranslated string: ccd used
+WARNING: untranslated string: check all
WARNING: untranslated string: count
WARNING: untranslated string: countries
WARNING: untranslated string: country codes and flags
WARNING: untranslated string: fwdfw wd_tue
WARNING: untranslated string: fwdfw wd_wed
WARNING: untranslated string: fwhost OpenVPN N-2-N
+WARNING: untranslated string: fwhost addgeoipgrp
WARNING: untranslated string: fwhost addgrp
WARNING: untranslated string: fwhost addgrpname
WARNING: untranslated string: fwhost addhost
WARNING: untranslated string: fwhost ccdnet
WARNING: untranslated string: fwhost change
WARNING: untranslated string: fwhost cust addr
+WARNING: untranslated string: fwhost cust geoipgroup
+WARNING: untranslated string: fwhost cust geoipgrp
+WARNING: untranslated string: fwhost cust geoiplocation
WARNING: untranslated string: fwhost cust grp
WARNING: untranslated string: fwhost cust net
WARNING: untranslated string: fwhost cust service
WARNING: untranslated string: fwhost ipsec net
WARNING: untranslated string: fwhost menu
WARNING: untranslated string: fwhost netaddress
+WARNING: untranslated string: fwhost newgeoipgrp
WARNING: untranslated string: fwhost newgrp
WARNING: untranslated string: fwhost newhost
WARNING: untranslated string: fwhost newnet
WARNING: untranslated string: tor traffic limit soft
WARNING: untranslated string: tor traffic read written
WARNING: untranslated string: tor use exit nodes
+WARNING: untranslated string: uncheck all
WARNING: untranslated string: uplink
WARNING: untranslated string: upload dh key
WARNING: untranslated string: uptime load average
WARNING: untranslated string: ccd routes
WARNING: untranslated string: ccd subnet
WARNING: untranslated string: ccd used
+WARNING: untranslated string: check all
WARNING: untranslated string: community rules
WARNING: untranslated string: count
WARNING: untranslated string: countries
WARNING: untranslated string: fwdfw wd_tue
WARNING: untranslated string: fwdfw wd_wed
WARNING: untranslated string: fwhost OpenVPN N-2-N
+WARNING: untranslated string: fwhost addgeoipgrp
WARNING: untranslated string: fwhost addgrp
WARNING: untranslated string: fwhost addgrpname
WARNING: untranslated string: fwhost addhost
WARNING: untranslated string: fwhost ccdnet
WARNING: untranslated string: fwhost change
WARNING: untranslated string: fwhost cust addr
+WARNING: untranslated string: fwhost cust geoipgroup
+WARNING: untranslated string: fwhost cust geoipgrp
+WARNING: untranslated string: fwhost cust geoiplocation
WARNING: untranslated string: fwhost cust grp
WARNING: untranslated string: fwhost cust net
WARNING: untranslated string: fwhost cust service
WARNING: untranslated string: fwhost ipsec net
WARNING: untranslated string: fwhost menu
WARNING: untranslated string: fwhost netaddress
+WARNING: untranslated string: fwhost newgeoipgrp
WARNING: untranslated string: fwhost newgrp
WARNING: untranslated string: fwhost newhost
WARNING: untranslated string: fwhost newnet
WARNING: untranslated string: fwhost welcome
WARNING: untranslated string: gen dh
WARNING: untranslated string: generate dh key
+WARNING: untranslated string: geoip
+WARNING: untranslated string: geoipblock
+WARNING: untranslated string: geoipblock block countries
+WARNING: untranslated string: geoipblock configuration
+WARNING: untranslated string: geoipblock country is allowed
+WARNING: untranslated string: geoipblock country is blocked
+WARNING: untranslated string: geoipblock enable feature
WARNING: untranslated string: grouptype
WARNING: untranslated string: hardware support
WARNING: untranslated string: ike lifetime should be between 1 and 8 hours
WARNING: untranslated string: tor traffic limit soft
WARNING: untranslated string: tor traffic read written
WARNING: untranslated string: tor use exit nodes
+WARNING: untranslated string: uncheck all
WARNING: untranslated string: uplink
WARNING: untranslated string: upload dh key
WARNING: untranslated string: uptime load average
WARNING: translation string unused: yearly firewallhits
WARNING: untranslated string: Scan for Songs
WARNING: untranslated string: bytes
+WARNING: untranslated string: check all
+WARNING: untranslated string: fwhost addgeoipgrp
+WARNING: untranslated string: fwhost cust geoipgroup
+WARNING: untranslated string: fwhost cust geoipgrp
+WARNING: untranslated string: fwhost cust geoiplocation
WARNING: untranslated string: fwhost err hostip
+WARNING: untranslated string: fwhost newgeoipgrp
+WARNING: untranslated string: geoip
+WARNING: untranslated string: geoipblock
+WARNING: untranslated string: geoipblock block countries
+WARNING: untranslated string: geoipblock configuration
+WARNING: untranslated string: geoipblock country is allowed
+WARNING: untranslated string: geoipblock country is blocked
+WARNING: untranslated string: geoipblock enable feature
WARNING: untranslated string: ike lifetime should be between 1 and 8 hours
WARNING: untranslated string: incoming compression in bytes per second
WARNING: untranslated string: incoming overhead in bytes per second
WARNING: untranslated string: routing config added
WARNING: untranslated string: routing config changed
WARNING: untranslated string: routing table
+WARNING: untranslated string: uncheck all
WARNING: untranslated string: vpn statistic n2n
WARNING: untranslated string: vpn statistic rw
WARNING: untranslated string: vpn statistics n2n
< atm device
< attention
< bit
+< block
< capabilities
< ccd add
< ccd choose net
< ccd routes
< ccd subnet
< ccd used
+< check all
< ConnSched dial
< ConnSched hangup
< ConnSched reboot
< fwdfw wd_tue
< fwdfw wd_wed
< fwdfw xt access
+< fwhost addgeoipgrp
< fwhost addgrp
< fwhost addgrpname
< fwhost addhost
< fwhost change
< fwhost changeremark
< fwhost cust addr
+< fwhost cust geoip
+< fwhost cust geoipgroup
+< fwhost cust geoiplocation
< fwhost cust grp
< fwhost cust net
< fwhost Custom Host
< fwhost IpSec Network
< fwhost menu
< fwhost netaddress
+< fwhost newgeoipgrp
< fwhost newgrp
< fwhost newhost
< fwhost newnet
< fw settings ruletable
< gen dh
< generate dh key
+< geoip
+< geoipblock
+< geoipblock block countries
+< geoipblock configuration
+< geoipblock country code
+< geoipblock country is allowed
+< geoipblock country is blocked
+< geoipblock country name
+< geoipblock enable feature
+< geoipblock flag
< grouptype
< hardware support
< imei
< tor traffic limit soft
< tor traffic read written
< tor use exit nodes
+< unblock
+< unblock all
+< uncheck all
< updxlrtr sources
< updxlrtr standard view
< uplink
< atm device
< attention
< bit
+< block
< capabilities
< ccd add
< ccd choose net
< ccd routes
< ccd subnet
< ccd used
+< check all
< ConnSched dial
< ConnSched hangup
< ConnSched reboot
< fwdfw wd_tue
< fwdfw wd_wed
< fwdfw xt access
+< fwhost addgeoipgrp
< fwhost addgrp
< fwhost addgrpname
< fwhost addhost
< fwhost change
< fwhost changeremark
< fwhost cust addr
+< fwhost cust geoip
+< fwhost cust geoipgroup
+< fwhost cust geoiplocation
< fwhost cust grp
< fwhost cust net
< fwhost Custom Host
< fwhost IpSec Network
< fwhost menu
< fwhost netaddress
+< fwhost newgeoipgrp
< fwhost newgrp
< fwhost newhost
< fwhost newnet
< tor traffic limit soft
< tor traffic read written
< tor use exit nodes
+< unblock
+< unblock all
+< uncheck all
< updxlrtr sources
< updxlrtr standard view
< uplink
< atm device
< attention
< bit
+< block
< capabilities
< ccd add
< ccd choose net
< ccd routes
< ccd subnet
< ccd used
+< check all
< ConnSched dial
< ConnSched hangup
< ConnSched reboot
< fwdfw wd_tue
< fwdfw wd_wed
< fwdfw xt access
+< fwhost addgeoipgrp
< fwhost addgrp
< fwhost addgrpname
< fwhost addhost
< fwhost change
< fwhost changeremark
< fwhost cust addr
+< fwhost cust geoip
+< fwhost cust geoipgroup
+< fwhost cust geoiplocation
< fwhost cust grp
< fwhost cust net
< fwhost Custom Host
< fwhost IpSec Network
< fwhost menu
< fwhost netaddress
+< fwhost newgeoipgrp
< fwhost newgrp
< fwhost newhost
< fwhost newnet
< fw settings ruletable
< gen dh
< generate dh key
+< geoip
+< geoipblock
+< geoipblock block countries
+< geoipblock configuration
+< geoipblock country code
+< geoipblock country is allowed
+< geoipblock country is blocked
+< geoipblock country name
+< geoipblock enable feature
+< geoipblock flag
< grouptype
< hardware support
< imei
< tor traffic limit soft
< tor traffic read written
< tor use exit nodes
+< unblock
+< unblock all
+< uncheck all
< updxlrtr sources
< updxlrtr standard view
< uplink
< atm device
< attention
< bit
+< block
< capabilities
< ccd add
< ccd choose net
< ccd routes
< ccd subnet
< ccd used
+< check all
< ConnSched dial
< ConnSched hangup
< ConnSched reboot
< fwdfw wd_tue
< fwdfw wd_wed
< fwdfw xt access
+< fwhost addgeoipgrp
< fwhost addgrp
< fwhost addgrpname
< fwhost addhost
< fwhost change
< fwhost changeremark
< fwhost cust addr
+< fwhost cust geoip
+< fwhost cust geoipgroup
+< fwhost cust geoiplocation
< fwhost cust grp
< fwhost cust net
< fwhost Custom Host
< fwhost IpSec Network
< fwhost menu
< fwhost netaddress
+< fwhost newgeoipgrp
< fwhost newgrp
< fwhost newhost
< fwhost newnet
< fw settings ruletable
< gen dh
< generate dh key
+< geoip
+< geoipblock
+< geoipblock block countries
+< geoipblock configuration
+< geoipblock country code
+< geoipblock country is allowed
+< geoipblock country is blocked
+< geoipblock country name
+< geoipblock enable feature
+< geoipblock flag
< grouptype
< hardware support
< hour-graph
< tor traffic limit soft
< tor traffic read written
< tor use exit nodes
+< unblock
+< unblock all
+< uncheck all
< updxlrtr sources
< updxlrtr standard view
< uplink
use strict;
-use Locale::Country;
+use Locale::Codes::Country;
my $flagdir = '/srv/web/ipfire/html/images/flags';
my $lines = '1';
require '/var/ipfire/general-functions.pl';
require "${General::swroot}/lang.pl";
require "${General::swroot}/header.pl";
+require "${General::swroot}/geoip-functions.pl";
require "/usr/lib/firewall/firewall-lib.pl";
unless (-d "${General::swroot}/firewall") { system("mkdir ${General::swroot}/firewall"); }
my %netsettings=();
my %customhost=();
my %customgrp=();
+my %customgeoipgrp=();
my %customnetworks=();
my %customservice=();
my %customservicegrp=();
my $confignet = "${General::swroot}/fwhosts/customnetworks";
my $confighost = "${General::swroot}/fwhosts/customhosts";
my $configgrp = "${General::swroot}/fwhosts/customgroups";
+my $configgeoipgrp = "${General::swroot}/fwhosts/customgeoipgrp";
my $configsrv = "${General::swroot}/fwhosts/customservices";
my $configsrvgrp = "${General::swroot}/fwhosts/customservicegrp";
my $configccdnet = "${General::swroot}/ovpn/ccd.conf";
\$("#actions").toggle();
});
+ // Hide SNAT items when DNAT is selected and vice versa.
+ if (\$('input[name=nat]:checked').val() == 'dnat') {
+ \$('.snat').hide();
+ } else {
+ \$('.dnat').hide();
+ }
+
+ // Show/Hide elements when SNAT/DNAT get changed.
+ \$('input[name=nat]').change(function() {
+ \$('.snat').toggle();
+ \$('.dnat').toggle();
+ });
+
// Time constraints
if(!\$("#USE_TIME_CONSTRAINTS").attr("checked")) {
\$("#TIME_CONSTRAINTS").hide();
}
print"</select></td>";
}
+ # geoip locations / groups.
+ my @geoip_locations = &fwlib::get_geoip_locations();
+
+ print "<tr>\n";
+ print "<td valign='top'><input type='radio' name='$grp' id='cust_geoip_$srctgt' value='cust_geoip_$srctgt' $checked{$grp}{'cust_geoip_'.$srctgt}></td>\n";
+ print "<td>$Lang::tr{'geoip'}</td>\n";
+ print "<td align='right'><select name='cust_geoip_$srctgt' style='width:200px;'>\n";
+
+ # Add GeoIP groups to dropdown.
+ if (!-z $configgeoipgrp) {
+ print "<optgroup label='$Lang::tr{'fwhost cust geoipgroup'}'>\n";
+ foreach my $key (sort { ncmp($customgeoipgrp{$a}[0],$customgeoipgrp{$b}[0]) } keys %customgeoipgrp) {
+ my $selected;
+
+ # Generate stored value for select detection.
+ my $stored = join(':', "group",$customgeoipgrp{$key}[0]);
+
+ # Only show a group once and group with elements.
+ if($helper ne $customgeoipgrp{$key}[0] && $customgeoipgrp{$key}[2] ne 'none') {
+ # Mark current entry as selected.
+ if ($fwdfwsettings{$fwdfwsettings{$grp}} eq $stored) {
+ $selected = "selected='selected'";
+ }
+ print"<option $selected value='group:$customgeoipgrp{$key}[0]'>$customgeoipgrp{$key}[0]</option>\n";
+ }
+ $helper=$customgeoipgrp{$key}[0];
+ }
+ print "</optgroup>\n";
+ }
+
+ # Add locations.
+ print "<optgroup label='$Lang::tr{'fwhost cust geoiplocation'}'>\n";
+ foreach my $location (@geoip_locations) {
+ # Get country name.
+ my $country_name = &GeoIP::get_full_country_name($location);
+
+ # Mark current entry as selected.
+ my $selected;
+ if ($fwdfwsettings{$fwdfwsettings{$grp}} eq $location) {
+ $selected = "selected='selected'";
+ }
+ print "<option $selected value='$location'>$location - $country_name</option>\n";
+ }
+ print "</optgroup>\n";
+
+ # Close GeoIP dropdown.
+ print "</select></td>\n";
+
#End left table. start right table (vpn)
print"</tr></table></td><td valign='top'><table width='95%' border='0' align='right'><tr>";
# CCD networks
&General::readhasharray("$confighost", \%customhost);
&General::readhasharray("$configccdhost", \%ccdhost);
&General::readhasharray("$configgrp", \%customgrp);
+ &General::readhasharray("$configgeoipgrp", \%customgeoipgrp);
&General::readhasharray("$configipsec", \%ipsecconf);
&General::get_aliases(\%aliases);
my %checked=();
$Lang::tr{'fwdfw use nat'}
</label>
<div class="NAT">
- <table width='100%' border='0'>
+ <table class='fw-nat' width='100%' border='0'>
<tr>
<td width='5%'></td>
<td width='40%'>
END
print <<END;
- <td width='25%' align='right'>$Lang::tr{'dnat address'}:</td>
+ <td width='25%' align='right'><span class='dnat'>$Lang::tr{'dnat address'}:</span></td>
<td width='30%'>
- <select name='dnat' style='width: 100%;'>
+ <select name='dnat' class='dnat' style='width: 100%;'>
<option value='AUTO' $selected{'dnat'}{'AUTO'}>- $Lang::tr{'automatic'} -</option>
<option value='Default IP' $selected{'dnat'}{'Default IP'}>$Lang::tr{'red1'} ($redip)</option>
END
$Lang::tr{'fwdfw snat'}
</label>
</td>
- <td width='25%' align='right'>$Lang::tr{'snat new source ip address'}:</td>
+ <td width='25%' align='right'><span class='snat'>$Lang::tr{'snat new source ip address'}:</span></td>
<td width='30%'>
- <select name='snat' style='width: 100%;'>
+ <select name='snat' class='snat' style='width: 100%;'>
END
foreach my $alias (sort keys %aliases) {
}else{
print $$hash{$key}[4];
}
+ }elsif ($$hash{$key}[3] eq 'cust_geoip_src') {
+ my ($split1,$split2) = split(":", $$hash{$key}[4]);
+ if ($split2) {
+ print "$split2\n";
+ }else{
+ print "$Lang::tr{'geoip'}: $$hash{$key}[4]\n";
+ }
}elsif ($$hash{$key}[4] eq 'RED1'){
print "$ipfireiface $Lang::tr{'fwdfw red'}";
}elsif ($$hash{$key}[4] eq 'ALL'){
}else{
print $$hash{$key}[6];
}
+ }elsif ($$hash{$key}[5] eq 'cust_geoip_tgt') {
+ my ($split1,$split2) = split(":", $$hash{$key}[6]);
+ if ($split2) {
+ print "$split2\n";
+ }else{
+ print "$Lang::tr{'geoip'}: $$hash{$key}[6]\n";
+ }
}elsif ($$hash{$key}[5] eq 'tgt_addr'){
my ($split1,$split2) = split("/",$$hash{$key}[6]);
if ($split2 eq '32'){
#RULE ACTIVE
if($$hash{$key}[2] eq 'ON'){
$gif="/images/on.gif"
-
}else{
$gif="/images/off.gif"
}
use CGI::Carp 'fatalsToBrowser';
no warnings 'uninitialized';
require '/var/ipfire/general-functions.pl';
+require "/var/ipfire/geoip-functions.pl";
+require "/usr/lib/firewall/firewall-lib.pl";
require "${General::swroot}/lang.pl";
require "${General::swroot}/header.pl";
my %customgrp=();
my %customservice=();
my %customservicegrp=();
+my %customgeoipgrp=();
my %ccdnet=();
my %ccdhost=();
my %ipsecconf=();
my $configipsec = "${General::swroot}/vpn/config";
my $configsrv = "${General::swroot}/fwhosts/customservices";
my $configsrvgrp = "${General::swroot}/fwhosts/customservicegrp";
+my $configgeoipgrp = "${General::swroot}/fwhosts/customgeoipgrp";
my $fwconfigfwd = "${General::swroot}/firewall/config";
my $fwconfiginp = "${General::swroot}/firewall/input";
my $fwconfigout = "${General::swroot}/firewall/outgoing";
unless (-e $configgrp) { system("touch $configgrp"); }
unless (-e $configsrv) { system("touch $configsrv"); }
unless (-e $configsrvgrp) { system("touch $configsrvgrp"); }
+unless (-e $configgeoipgrp) { system("touch $configgeoipgrp"); }
&General::readhash("${General::swroot}/main/settings", \%mainsettings);
&General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color);
&addgrp;
&viewtablegrp;
}
+if ($fwhostsettings{'ACTION'} eq 'savegeoipgrp')
+{
+ my $grp=$fwhostsettings{'grp_name'};
+ my $rem=$fwhostsettings{'remark'};
+ my $count;
+ my $type;
+ my @target;
+ my @newgrp;
+ &General::readhasharray("$configgeoipgrp", \%customgeoipgrp);
+ &General::readhasharray("$fwconfigfwd", \%fwfwd);
+ &General::readhasharray("$fwconfiginp", \%fwinp);
+ &General::readhasharray("$fwconfigout", \%fwout);
+
+ # Check for existing group name.
+ if (!&checkgroup($grp) && $fwhostsettings{'update'} ne 'on'){
+ $errormessage = $Lang::tr{'fwhost err grpexist'};
+ }
+
+ # Check remark.
+ if ($rem ne '' && !&validremark($rem) && $fwhostsettings{'update'} ne 'on'){
+ $errormessage = $Lang::tr{'fwhost err remark'};
+ }
+
+ if ($fwhostsettings{'update'} eq 'on'){
+ @target=$fwhostsettings{'COUNTRY_CODE'};
+ $type='GeoIP Group';
+
+ #check if host/net exists in grp
+ my $test="$grp,$fwhostsettings{'oldremark'},@target";
+ foreach my $key (keys %customgeoipgrp) {
+ my $test1="$customgeoipgrp{$key}[0],$customgeoipgrp{$key}[1],$customgeoipgrp{$key}[2]";
+ if ($test1 eq $test){
+ $errormessage=$Lang::tr{'fwhost err isingrp'};
+ $fwhostsettings{'update'} = 'on';
+ }
+ }
+ }
+
+ if (!$errormessage){
+ #on first save, we have an empty @target, so fill it with nothing
+ my $targetvalues=@target;
+ if ($targetvalues == '0'){
+ @target="none";
+ }
+ #on update, we have to delete the dummy entry
+ foreach my $key (keys %customgeoipgrp){
+ if ($customgeoipgrp{$key}[0] eq $grp && $customgeoipgrp{$key}[2] eq "none"){
+ delete $customgeoipgrp{$key};
+ last;
+ }
+ }
+ &General::writehasharray("$configgeoipgrp", \%customgeoipgrp);
+ &General::readhasharray("$configgeoipgrp", \%customgeoipgrp);
+ #create array with new lines
+ foreach my $line (@target){
+ push (@newgrp,"$grp,$rem,$line");
+ }
+ #append new entries
+ my $key = &General::findhasharraykey (\%customgeoipgrp);
+ foreach my $line (@newgrp){
+ foreach my $i (0 .. 3) { $customgeoipgrp{$key}[$i] = "";}
+ my ($a,$b,$c,$d) = split (",",$line);
+ $customgeoipgrp{$key}[0] = $a;
+ $customgeoipgrp{$key}[1] = $b;
+ $customgeoipgrp{$key}[2] = $c;
+ $customgeoipgrp{$key}[3] = $type;
+ }
+ &General::writehasharray("$configgeoipgrp", \%customgeoipgrp);
+ #update counter in Host/Net
+ $fwhostsettings{'update'}='on';
+ }
+ #check if ruleupdate is needed
+ my $geoipgrpcount=0;
+ $geoipgrpcount=&getgeoipcount($grp);
+ if($geoipgrpcount > 0 )
+ {
+ &General::firewall_config_changed();
+ }
+ &addgeoipgrp;
+ &viewtablegeoipgrp;
+}
if ($fwhostsettings{'ACTION'} eq 'saveservice')
{
my $ICMP;
&addgrp;
&viewtablegrp;
}
+if ($fwhostsettings{'ACTION'} eq 'editgeoipgrp')
+{
+ $fwhostsettings{'update'}='on';
+ &addgeoipgrp;
+ &viewtablegeoipgrp;
+}
if ($fwhostsettings{'ACTION'} eq 'editservice')
{
$fwhostsettings{'updatesrv'}='on';
$fwhostsettings{'remark'} ="";
&showmenu;
}
+if ($fwhostsettings{'ACTION'} eq 'resetgeoipgrp')
+{
+ $fwhostsettings{'grp_name'} ="";
+ $fwhostsettings{'remark'} ="";
+ &showmenu;
+}
# delete
if ($fwhostsettings{'ACTION'} eq 'delnet')
{
&addgrp;
&viewtablegrp;
}
+if ($fwhostsettings{'ACTION'} eq 'deletegeoipgrpentry')
+{
+ my $grpremark;
+ my $grpname;
+ &General::readhasharray("$configgeoipgrp", \%customgeoipgrp);
+ foreach my $key (keys %customgeoipgrp){
+ if($customgeoipgrp{$key}[0].",".$customgeoipgrp{$key}[1].",".$customgeoipgrp{$key}[2].",".$customgeoipgrp{$key}[3] eq $fwhostsettings{'delentry'}){
+ $grpname=$customgeoipgrp{$key}[0];
+ $grpremark=$customgeoipgrp{$key}[1];
+ #check if we delete the last entry, then generate dummy
+ if ($fwhostsettings{'last'} eq 'on'){
+ $customgeoipgrp{$key}[1] = '';
+ $customgeoipgrp{$key}[2] = 'none';
+ $customgeoipgrp{$key}[3] = '';
+ $fwhostsettings{'last'}='';
+ last;
+ }else{
+ delete $customgeoipgrp{$key};
+ }
+ }
+ }
+ &General::writehasharray("$configgeoipgrp", \%customgeoipgrp);
+ &General::firewall_config_changed();
+ if ($fwhostsettings{'update'} eq 'on'){
+ $fwhostsettings{'remark'}= $grpremark;
+ $fwhostsettings{'grp_name'}=$grpname;
+ }
+ &addgeoipgrp;
+ &viewtablegeoipgrp;
+}
+
if ($fwhostsettings{'ACTION'} eq 'delgrp')
{
&General::readhasharray("$configgrp", \%customgrp);
&addgrp;
&viewtablegrp;
}
+if ($fwhostsettings{'ACTION'} eq 'delgeoipgrp')
+{
+ &General::readhasharray("$configgeoipgrp", \%customgeoipgrp);
+ &decrease($fwhostsettings{'grp_name'});
+ foreach my $key (sort keys %customgeoipgrp)
+ {
+ if($customgeoipgrp{$key}[0] eq $fwhostsettings{'grp_name'})
+ {
+ delete $customgeoipgrp{$key};
+ }
+ }
+ &General::writehasharray("$configgeoipgrp", \%customgeoipgrp);
+ $fwhostsettings{'grp_name'}='';
+ &addgeoipgrp;
+ &viewtablegeoipgrp;
+}
if ($fwhostsettings{'ACTION'} eq 'delservice')
{
&General::readhasharray("$configsrv", \%customservice);
&addgrp;
&viewtablegrp;
}
+if ($fwhostsettings{'ACTION'} eq $Lang::tr{'fwhost newgeoipgrp'})
+{
+ &addgeoipgrp;
+ &viewtablegeoipgrp;
+}
if ($fwhostsettings{'ACTION'} eq $Lang::tr{'fwhost newservice'})
{
&addservice;
&addgrp;
&viewtablegrp;
}
+if ($fwhostsettings{'ACTION'} eq 'changegeoipgrpremark')
+{
+ &General::readhasharray("$configgeoipgrp", \%customgeoipgrp);
+ if ($fwhostsettings{'oldrem'} ne $fwhostsettings{'newrem'} && (&validremark($fwhostsettings{'newrem'}) || $fwhostsettings{'newrem'} eq '')){
+ foreach my $key (sort keys %customgeoipgrp)
+ {
+ if($customgeoipgrp{$key}[0] eq $fwhostsettings{'grp'} && $customgeoipgrp{$key}[1] eq $fwhostsettings{'oldrem'})
+ {
+ $customgeoipgrp{$key}[1]='';
+ $customgeoipgrp{$key}[1]=$fwhostsettings{'newrem'};
+ }
+ }
+ &General::writehasharray("$configgeoipgrp", \%customgeoipgrp);
+ $fwhostsettings{'update'}='on';
+ $fwhostsettings{'remark'}=$fwhostsettings{'newrem'};
+ }else{
+ $errormessage=$Lang::tr{'fwhost err remark'};
+ $fwhostsettings{'remark'}=$fwhostsettings{'oldrem'};
+ $fwhostsettings{'grp_name'}=$fwhostsettings{'grp'};
+ $fwhostsettings{'update'} = 'on';
+ }
+ $fwhostsettings{'grp_name'}=$fwhostsettings{'grp'};
+ &addgeoipgrp;
+ &viewtablegeoipgrp;
+}
if ($fwhostsettings{'ACTION'} eq 'changesrvgrpremark')
{
&General::readhasharray("$configsrvgrp", \%customservicegrp );
&addgrp;
&viewtablegrp;
}
+if ($fwhostsettings{'ACTION'} eq 'changegeoipgrpname')
+{
+ &General::readhasharray("$configgeoipgrp", \%customgeoipgrp );
+ if ($fwhostsettings{'oldgrpname'} ne $fwhostsettings{'grp'}){
+ #Check new groupname
+ if (!&validhostname($fwhostsettings{'grp'})){
+ $errormessage.=$Lang::tr{'fwhost err name'}."<br>";
+ }
+ if (!$errormessage){
+ # Rename group.
+ foreach my $key (keys %customgeoipgrp) {
+ if($customgeoipgrp{$key}[0] eq $fwhostsettings{'oldgrpname'}){
+ $customgeoipgrp{$key}[0]=$fwhostsettings{'grp'};
+ }
+ }
+ &General::writehasharray("$configgeoipgrp", \%customgeoipgrp );
+ #change name in FW Rules
+ &changenameinfw($fwhostsettings{'oldgrpname'},$fwhostsettings{'grp'},6);
+ }
+ }
+ &addgeoipgrp;
+ &viewtablegeoipgrp;
+}
### VIEW ###
if($fwhostsettings{'ACTION'} eq '')
{
print "$Lang::tr{'fwhost welcome'}";
print<<END;
<br><br><table border='0' width='100%'>
- <tr><td><form method='post'><input type='submit' name='ACTION' value='$Lang::tr{'fwhost newnet'}' ><input type='submit' name='ACTION' value='$Lang::tr{'fwhost newhost'}' ><input type='submit' name='ACTION' value='$Lang::tr{'fwhost newgrp'}' ></form></td>
+ <tr><td><form method='post'><input type='submit' name='ACTION' value='$Lang::tr{'fwhost newnet'}' ><input type='submit' name='ACTION' value='$Lang::tr{'fwhost newhost'}' ><input type='submit' name='ACTION' value='$Lang::tr{'fwhost newgrp'}' ><input type='submit' name='ACTION' value='$Lang::tr{'fwhost newgeoipgrp'}' ></form></td>
<td align='right'><form method='post'><input type='submit' name='ACTION' value='$Lang::tr{'fwhost newservice'}' ><input type='submit' name='ACTION' value='$Lang::tr{'fwhost newservicegrp'}' ></form></td></tr>
<tr><td colspan='6'></td></tr></table>
END
print"<tr><td style='text-align:right;'><input type='submit' value='$Lang::tr{'add'}' style='min-width:100px;' /><input type='hidden' name='oldremark' value='$fwhostsettings{'oldremark'}'><input type='hidden' name='update' value=\"$fwhostsettings{'update'}\"><input type='hidden' name='ACTION' value='savegrp' ></form><form method='post' style='display:inline'><input type='submit' value='$Lang::tr{'fwhost back'}' style='min-width:100px;'><input type='hidden' name='ACTION' value='resetgrp'></form></td></table>";
&Header::closebox();
}
+sub addgeoipgrp
+{
+ &hint;
+ &error;
+ &showmenu;
+ &Header::openbox('100%', 'left', $Lang::tr{'fwhost addgeoipgrp'});
+
+ my %checked=();
+ my $show='';
+ $checked{'check1'}{'off'} = '';
+ $checked{'check1'}{'on'} = '';
+ $checked{'grp2'}{$fwhostsettings{'grp2'}} = 'CHECKED';
+ $fwhostsettings{'oldremark'}=$fwhostsettings{'remark'};
+ $fwhostsettings{'oldgrpname'}=$fwhostsettings{'grp_name'};
+ my $grp=$fwhostsettings{'grp_name'};
+ my $rem=$fwhostsettings{'remark'};
+ if ($fwhostsettings{'update'} eq ''){
+ print<<END;
+ <table width='100%' border='0'>
+ <tr>
+ <td style='width:15%;'>$Lang::tr{'fwhost addgrpname'}</td>
+ <td><form method='post'><input type='TEXT' name='grp_name' value='$fwhostsettings{'grp_name'}' size='30'></td>
+ </tr>
+ <tr>
+ <td>$Lang::tr{'remark'}:</td>
+ <td ><input type='TEXT' name='remark' value='$fwhostsettings{'remark'}' style='width: 99%;'></td>
+ </tr>
+ <tr>
+ <td colspan='2'><br></td>
+ </tr>
+ </table>
+END
+ } else {
+ print<<END;
+ <table width='100%' border='0'>
+ <form method='post'><tr>
+ <td style='width:15%;'>$Lang::tr{'fwhost addgrpname'}</td>
+ <td style='width:30%;'><input type='TEXT' name='grp' value='$fwhostsettings{'grp_name'}' size='30'></td>
+ <td>
+ <input type='submit' value='$Lang::tr{'fwhost change'}'>
+ <input type='hidden' name='oldgrpname' value='$fwhostsettings{'oldgrpname'}'>
+ <input type='hidden' name='ACTION' value='changegeoipgrpname'>
+ </td>
+ <td></td>
+ </tr></form>
+ <tr><form method='post' style='display:inline'>
+ <td>$Lang::tr{'remark'}:</td>
+ <td colspan='2' style='width:98%;'>
+ <input type='TEXT' name='newrem' value='$fwhostsettings{'remark'}' style='width:98%;'>
+ </td>
+ <td align='right'>
+ <input type='submit' value='$Lang::tr{'fwhost change'}'>
+ <input type='hidden' name='grp' value='$fwhostsettings{'grp_name'}'>
+ <input type='hidden' name='oldrem' value='$fwhostsettings{'oldremark'}'>
+ <input type='hidden' name='ACTION' value='changegeoipgrpremark'>
+ </td>
+ </tr></form>
+ </table>
+ <br><br>
+END
+ }
+ if ($fwhostsettings{'update'} eq 'on') {
+ my @geoip_locations = &fwlib::get_geoip_locations();
+
+ print<<END;
+ <form method='post'>
+ <input type='hidden' name='remark' value='$rem'>
+ <input type='hidden' name='grp_name' value='$grp'>
+
+ <table width='100%' border='0'>
+ <tr>
+ <td style='text-align:left;'>
+ <select name='COUNTRY_CODE' style='width:16em;'>";
+END
+ foreach my $location (@geoip_locations) {
+ # Get full country name.
+ my $fullname = &GeoIP::get_full_country_name($location);
+
+ print"<option value='$location'>$location - $fullname</option>\n";
+ }
+ print <<END;
+ </select>
+ </td>
+ </tr>
+ </table>
+ <br><br>
+END
+ }
+ print <<END;
+ <table width='100%'>
+ <tr><td style='text-align:right;'>
+ <input type='submit' value='$Lang::tr{'add'}' style='min-width:100px;' />
+ <input type='hidden' name='oldremark' value='$fwhostsettings{'oldremark'}'>
+ <input type='hidden' name='update' value=\"$fwhostsettings{'update'}\">
+ <input type='hidden' name='ACTION' value='savegeoipgrp' >
+ </form>
+
+ <form method='post' style='display:inline'>
+
+ <input type='submit' value='$Lang::tr{'fwhost back'}' style='min-width:100px;'>
+ <input type='hidden' name='ACTION' value='resetgeoipgrp'>
+
+ </form>
+ </td></tr></table>
+END
+ &Header::closebox();
+}
sub addservice
{
&error;
&Header::closebox();
}
+}
+sub viewtablegeoipgrp
+{
+ # If our filesize is "zero" there is nothing to read-in.
+ if (-z "$configgeoipgrp") {
+ return;
+ }
+
+ &Header::openbox('100%', 'left', $Lang::tr{'fwhost cust geoipgrp'});
+ &General::readhasharray("$configgeoipgrp", \%customgeoipgrp);
+ &General::readhasharray("$fwconfigfwd", \%fwfwd);
+ &General::readhasharray("$fwconfiginp", \%fwinp);
+ &General::readhasharray("$fwconfigout", \%fwout);
+ my @grp=();
+ my $helper='';
+ my $count=1;
+ my $country_code;
+ my $grpname;
+ my $remark;
+ my $number;
+ my $delflag;
+ my @counter;
+ my %hash;
+
+ # If there are no groups we are finished here.
+ if (!keys %customgeoipgrp) {
+ print "<center><b>$Lang::tr{'fwhost err emptytable'}</b>";
+ return;
+ }
+
+ # Put all groups in a hash.
+ foreach my $key (sort { ncmp($customgeoipgrp{$a}[0],$customgeoipgrp{$b}[0]) }
+ sort { ncmp($customgeoipgrp{$a}[2],$customgeoipgrp{$b}[2]) } keys %customgeoipgrp) {
+ push (@counter,$customgeoipgrp{$key}[0]);
+ }
+
+ # Increase current used key.
+ foreach my $key1 (@counter) {
+ $hash{$key1}++ ;
+ }
+
+ # Sort hash.
+ foreach my $key (sort { ncmp($customgeoipgrp{$a}[0],$customgeoipgrp{$b}[0]) }
+ sort { ncmp($customgeoipgrp{$a}[2],$customgeoipgrp{$b}[2]) } keys %customgeoipgrp) {
+ $count++;
+ if ($helper ne $customgeoipgrp{$key}[0]) {
+ $delflag='0';
+
+ foreach my $key1 (sort { ncmp($customgeoipgrp{$a}[0],$customgeoipgrp{$b}[0]) }
+ sort { ncmp($customgeoipgrp{$a}[2],$customgeoipgrp{$b}[2]) } keys %customgeoipgrp) {
+
+ if ($customgeoipgrp{$key}[0] eq $customgeoipgrp{$key1}[0])
+ {
+ $delflag++;
+ }
+ if($delflag > 1){
+ last;
+ }
+ }
+
+ $number=1;
+
+ # Groupname.
+ $grpname=$customgeoipgrp{$key}[0];
+
+ # Group remark.
+ $remark="$customgeoipgrp{$key}[1]";
+
+ # Country code.
+ $country_code="$customgeoipgrp{$key}[2]";
+
+ if ($count gt 1){
+ print"</table>";
+ $count=1;
+ }
+
+ # Display groups header.
+ print "<br><b><u>$grpname</u></b> \n";
+ print "<b>$Lang::tr{'remark'}:</b>  $remark  \n" if ($remark ne '');
+
+ # Get group count.
+ my $geoipgrpcount=&getgeoipcount($grpname);
+ print "<b>$Lang::tr{'used'}:</b> $geoipgrpcount x";
+
+ # Only display delete icon, if the group is not used by a firewall rule.
+ if($geoipgrpcount == '0') {
+ print"<form method='post' style='display:inline'>\n";
+ print"<input type='image' src='/images/delete.gif' alt='$Lang::tr{'delete'}' title='$Lang::tr{'delete'}' align='right' />\n";
+ print"<input type='hidden' name='grp_name' value='$grpname' >\n";
+ print"<input type='hidden' name='ACTION' value='delgeoipgrp'>\n";
+ print"</form>";
+ }
+
+ # Icon for group editing.
+print <<END;
+ <form method='post' style='display:inline'>
+ <input type='image' src='/images/edit.gif' alt='$Lang::tr{'edit'}' title='$Lang::tr{'edit'}' align='right'/>
+ <input type='hidden' name='grp_name' value='$grpname' >
+ <input type='hidden' name='remark' value='$remark' >
+ <input type='hidden' name='ACTION' value='editgeoipgrp'>
+ </form>
+
+ <table width='100%' cellspacing='0' class='tbl'>
+END
+ # Display headlines if the group contains any entries.
+ if ($country_code ne "none") {
+print <<END;
+ <tr>
+ <td width='10%' align='center'>
+ <b>$Lang::tr{'flag'}</b>
+ </td>
+
+ <td width='10%'align='center'>
+ <b>$Lang::tr{'countrycode'}</b>
+ </td>
+
+ <td width='70%'align='left'>
+ <b>$Lang::tr{'country'}</b>
+ </td>
+
+ <td width='10%' align='right'></td>
+ </tr>
+END
+ }
+ }
+
+ # Check if our group contains any entries.
+ if ($country_code eq "none") {
+ print "<tr><td>$Lang::tr{'fwhost err emptytable'}</td></tr>\n";
+ } else {
+ # Check if we are currently editing a group and assign column backgound colors.
+ my $col='';
+ if ( ($fwhostsettings{'ACTION'} eq 'editgeoipgrp' || $fwhostsettings{'update'} ne '')
+ && $fwhostsettings{'grp_name'} eq $customgeoipgrp{$key}[0]) {
+ $col="bgcolor='${Header::colouryellow}'";
+ } elsif ($count %2 == 0){
+ $col="bgcolor='$color{'color20'}'";
+ } else {
+ $col="bgcolor='$color{'color22'}'";
+ }
+
+ # Get country flag.
+ my $icon = &GeoIP::get_flag_icon($customgeoipgrp{$key}[2]);
+
+ # Print column with flag icon.
+ my $col_content;
+ if ($icon) {
+ $col_content = "<img src='$icon' alt='$customgeoipgrp{$key}[2]' title='$customgeoipgrp{$key}[2]'>";
+ } else {
+ $col_content = "<b>N/A</b>";
+ }
+
+ print "<td align='center' $col>$col_content</td>\n";
+
+ # Print column with country code.
+ print "<td align='center' $col>$customgeoipgrp{$key}[2]</td>\n";
+
+ # Print column with full country name.
+ my $country_name = &GeoIP::get_full_country_name($customgeoipgrp{$key}[2]);
+ print "<td align='left' $col>$country_name</td>\n";
+
+ # Generate from for removing entries from a group.
+ print "<td align='right' width='1%' $col><form method='post'>\n";
+
+ if ($delflag > 0){
+ print"<input type='image' src='/images/delete.gif' align='middle' alt='$Lang::tr{'delete'}' title='$Lang::tr{'delete'}'/>\n";
+
+ # Check if this group only has a single entry.
+ foreach my $key2 (keys %hash) {
+ if ($hash{$key2}<2 && $key2 eq $customgeoipgrp{$key}[0]){
+ print "<input type='hidden' name='last' value='on'>" ;
+ }
+ }
+ }
+
+ print "<input type='hidden' name='ACTION' value='deletegeoipgrpentry'>\n";
+ print "<input type='hidden' name='update' value='$fwhostsettings{'update'}'>\n";
+ print "<input type='hidden' name='delentry' value='$grpname,$remark,$customgeoipgrp{$key}[2],$customgeoipgrp{$key}[3]'>\n";
+ print "</form>\n";
+ print "</td>\n";
+ print "</tr>\n";
+ }
+
+ $helper=$customgeoipgrp{$key}[0];
+ $number++;
+ }
+
+ print"</table>\n";
+ &Header::closebox();
}
sub viewtableservice
{
}
return $srvcounter;
}
+sub getgeoipcount
+{
+ my $groupname=shift;
+ my $counter=0;
+
+ # GeoIP groups are stored as "group:groupname" in the
+ # firewall settings files.
+ my $searchstring = join(':', "group",$groupname);
+
+ # Count services used in firewall - forward
+ foreach my $key1 (keys %fwfwd) {
+ if($fwfwd{$key1}[4] eq $searchstring){
+ $counter++;
+ }
+ if($fwfwd{$key1}[6] eq $searchstring){
+ $counter++;
+ }
+ }
+ #Count services used in firewall - input
+ foreach my $key2 (keys %fwinp) {
+ if($fwinp{$key2}[4] eq $searchstring){
+ $counter++;
+ }
+ if($fwinp{$key2}[6] eq $searchstring){
+ $counter++;
+ }
+ }
+ #Count services used in firewall - outgoing
+ foreach my $key3 (keys %fwout) {
+ if($fwout{$key3}[4] eq $searchstring){
+ $counter++;
+ }
+ if($fwout{$key3}[6] eq $searchstring){
+ $counter++;
+ }
+ }
+ return $counter;
+}
sub getnetcount
{
my $searchstring=shift;
--- /dev/null
+#!/usr/bin/perl
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2014 IPFire Developemnt Team <info@ipfire.org> #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see <http://www.gnu.org/licenses/>. #
+# #
+###############################################################################
+
+use strict;
+# enable only the following on debugging purpose
+#use warnings;
+#use CGI::Carp 'fatalsToBrowser';
+
+require '/var/ipfire/general-functions.pl';
+require "${General::swroot}/geoip-functions.pl";
+require "${General::swroot}/lang.pl";
+require "${General::swroot}/header.pl";
+require "/usr/lib/firewall/firewall-lib.pl";
+
+my $notice;
+my $settingsfile = "${General::swroot}/firewall/geoipblock";
+
+my %color = ();
+my %mainsettings = ();
+my %settings = ();
+my %cgiparams = ();
+
+# Read configuration file.
+&General::readhash("$settingsfile", \%settings);
+
+&General::readhash("${General::swroot}/main/settings", \%mainsettings);
+&General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color);
+
+&Header::showhttpheaders();
+
+#Get GUI values
+&Header::getcgihash(\%cgiparams);
+
+# Call subfunction to get all available locations.
+my @locations = &fwlib::get_geoip_locations();
+
+if ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) {
+ # Check if we want to disable geoipblock.
+ if (exists $cgiparams{'GEOIPBLOCK_ENABLED'}) {
+ $settings{'GEOIPBLOCK_ENABLED'} = "on";
+ } else {
+ $settings{'GEOIPBLOCK_ENABLED'} = "off";
+ }
+
+ # Loop through our locations array to prevent from
+ # non existing countries or code.
+ foreach my $cn (@locations) {
+ # Check if blocking for this country should be enabled/disabled.
+ if (exists $cgiparams{$cn}) {
+ $settings{$cn} = "on";
+ } else {
+ $settings{$cn} = "off";
+ }
+ }
+
+ &General::writehash("$settingsfile", \%settings);
+
+ # Mark the firewall config as changed.
+ &General::firewall_config_changed();
+
+ # Assign reload notice. We directly can use
+ # the notice from p2p block.
+ $notice = $Lang::tr{'p2p block save notice'};
+}
+
+&Header::openpage($Lang::tr{'geoipblock configuration'}, 1, '');
+
+# Print notice that a firewall reload is required.
+if ($notice) {
+ &Header::openbox('100%', 'left', $Lang::tr{'notice'});
+ print "<font class='base'>$notice</font>";
+ &Header::closebox();
+}
+
+# Checkbox pre-selection.
+my $checked;
+if ($settings{'GEOIPBLOCK_ENABLED'} eq "on") {
+ $checked = "checked='checked'";
+}
+
+# Print box to enable/disable geoipblock.
+print"<form method='POST' action='$ENV{'SCRIPT_NAME'}'>\n";
+
+&Header::openbox('100%', 'center', $Lang::tr{'geoipblock'});
+print <<END;
+ <table width='95%'>
+ <tr>
+ <td width='25%' class='base'>$Lang::tr{'geoipblock enable feature'}
+ <td><input type='checkbox' name='GEOIPBLOCK_ENABLED' $checked></td>
+ </tr>
+ <tr>
+ <td colspan='2'><br></td>
+ </tr>
+ </table>
+
+ <hr>
+
+ <table width='95%'>
+ <tr>
+ <td align='center'><input type='submit' name='ACTION' value='$Lang::tr{'save'}'></td>
+ </tr>
+ </table>
+END
+
+&Header::closebox();
+
+&Header::openbox('100%', 'center', $Lang::tr{'geoipblock block countries'});
+### JAVA SCRIPT ###
+print <<END;
+<script>
+ // Function to allow checking all checkboxes at once.
+ function check_all() {
+ \$("#countries").find(":checkbox").prop("checked", true);
+ }
+
+ function uncheck_all() {
+ \$("#countries").find(":checkbox").prop("checked", false);
+ }
+</script>
+
+<table width='95%' class='tbl' id="countries">
+ <tr>
+ <td width='5%' align='center' bgcolor='$color{'color20'}'></td>
+ <td width='5%' align='center' bgcolor='$color{'color20'}'>
+ <b>$Lang::tr{'flag'}</b>
+ </td>
+ <td width='5%' align='center' bgcolor='$color{'color20'}'>
+ <b>$Lang::tr{'countrycode'}</b>
+ </td>
+ <td with='35%' align='left' bgcolor='$color{'color20'}'>
+ <b>$Lang::tr{'country'}</b>
+ </td>
+
+ <td width='5%' bgcolor='$color{'color20'}'> </td>
+
+ <td width='5%' align='center' bgcolor='$color{'color20'}'></td>
+ <td width='5%' align='center' bgcolor='$color{'color20'}'>
+ <b>$Lang::tr{'flag'}</b>
+ </td>
+ <td width='5%' align='center' bgcolor='$color{'color20'}'>
+ <b>$Lang::tr{'countrycode'}</b>
+ </td>
+ <td with='35%' align='left' bgcolor='$color{'color20'}'>
+ <b>$Lang::tr{'country'}</b>
+ </td>
+ </tr>
+END
+
+my $lines;
+my $lines2;
+my $col;
+foreach my $location (@locations) {
+ # Country code in upper case. (DE)
+ my $ccode_uc = $location;
+
+ # County code in lower case. (de)
+ my $ccode_lc = lc($location);
+
+ # Full name of the country based on the country code.
+ my $cname = &GeoIP::get_full_country_name($ccode_lc);
+
+ # Get flag icon for of the country.
+ my $flag_icon = &GeoIP::get_flag_icon($ccode_uc);
+
+ my $flag;
+ # Check if a flag for the country is available.
+ if ($flag_icon) {
+ $flag="<img src='$flag_icon' alt='$ccode_uc' title='$ccode_uc'>";
+ } else {
+ $flag="<b>N/A</b>";
+ }
+
+ # Checkbox pre-selection.
+ my $checked;
+ if ($settings{$ccode_uc} eq "on") {
+ $checked = "checked='checked'";
+ }
+
+ # Colour lines.
+ if ($lines % 2) {
+ $col="bgcolor='$color{'color20'}'";
+ } else {
+ $col="bgcolor='$color{'color22'}'";
+ }
+
+ # Grouping elements.
+ my $line_start;
+ my $line_end;
+ if ($lines2 % 2) {
+ # Increase lines (background color by once.
+ $lines++;
+
+ # Add empty column in front.
+ $line_start="<td $col> </td>";
+
+ # When the line number can be diveded by "2",
+ # we are going to close the line.
+ $line_end="</tr>";
+ } else {
+ # When the line number is not divideable by "2",
+ # we are starting a new line.
+ $line_start="<tr>";
+ $line_end;
+ }
+
+ print "$line_start<td align='center' $col><input type='checkbox' name='$ccode_uc' $checked></td>\n";
+ print "<td align='center' $col>$flag</td>\n";
+ print "<td align='center' $col>$ccode_uc</td>\n";
+ print "<td align='left' $col>$cname</td>$line_end\n";
+
+$lines2++;
+}
+
+print <<END;
+</table>
+
+<table width='95%'>
+ <tr>
+ <td align='right'>
+ <a href="javascript:check_all()">$Lang::tr{'check all'}</a> /
+ <a href="javascript:uncheck_all()">$Lang::tr{'uncheck all'}</a>
+ </td>
+ </tr>
+ <tr>
+ <td align='center'><input type='submit' name='ACTION' value='$Lang::tr{'save'}'></td>
+ </tr>
+</table>
+
+<hr>
+
+<table width='70%'>
+ <tr>
+ <td width='5%'><img src='/images/on.gif'></td>
+ <td>$Lang::tr{'geoipblock country is blocked'}</td>
+ <td width='5%'><img src='/images/off.gif'></td>
+ <td>$Lang::tr{'geoipblock country is allowed'}</td>
+ </tr>
+</table>
+END
+
+&Header::closebox();
+print"</form>\n";
+
+&Header::closebigbox();
+&Header::closepage();
print '</td>';
print '</tr>';
}
-if ( $netsettings{'BLUE_DEV'} ) {
+if (&Header::blue_used()) {
my $sub=&General::iporsubtocidr($netsettings{'BLUE_NETMASK'});
print <<END;
<tr>
print '</td>';
print '</tr>';
}
-if ( $netsettings{'ORANGE_DEV'} ) {
+if (&Header::orange_used()) {
my $sub=&General::iporsubtocidr($netsettings{'ORANGE_NETMASK'});
print <<END;
<tr>
&General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
if ($confighash{$cgiparams{'KEY'}}) {
+ # Revoke certificate if certificate was deleted and rewrite the CRL
my $temp = `/usr/bin/openssl ca -revoke ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem -config ${General::swroot}/ovpn/openssl/ovpn.cnf`;
+ my $tempA = `/usr/bin/openssl ca -gencrl -out ${General::swroot}/ovpn/crls/cacrl.pem -config ${General::swroot}/ovpn/openssl/ovpn.cnf`;
###
# m.a.d net2net
###############################################################################
use strict;
-use Locale::Country;
+use Locale::Codes::Country;
# enable only the following on debugging purpose
use warnings;
<option value=''>- $Lang::tr{'tor exit country any'} -</option>
END
- my @country_names = Locale::Country::all_country_names();
+ my @country_names = Locale::Codes::Country::all_country_names();
foreach my $country_name (sort @country_names) {
- my $country_code = Locale::Country::country2code($country_name);
+ my $country_code = Locale::Codes::Country::country2code($country_name);
$country_code = uc($country_code);
print "<option value='$country_code'";
# Algorithms
if ($lconfighash{$key}[18] && $lconfighash{$key}[19] && $lconfighash{$key}[20]) {
- print CONF "\tike=";
- my @encs = split('\|', $lconfighash{$key}[18]);
- my @ints = split('\|', $lconfighash{$key}[19]);
- my @groups = split('\|', $lconfighash{$key}[20]);
- my $comma = 0;
- foreach my $i (@encs) {
- foreach my $j (@ints) {
- foreach my $k (@groups) {
- if ($comma != 0) { print CONF ","; } else { $comma = 1; }
-
- my @l = split("", $k);
- if ($l[0] eq "e") {
- shift @l;
- print CONF "$i-$j-ecp".join("", @l);
- } else {
- print CONF "$i-$j-modp$k";
- }
- }
- }
- }
- if ($lconfighash{$key}[24] eq 'on') { #only proposed algorythms?
- print CONF "!\n";
- } else {
- print CONF "\n";
- }
+ my @encs = split('\|', $lconfighash{$key}[18]);
+ my @ints = split('\|', $lconfighash{$key}[19]);
+ my @groups = split('\|', $lconfighash{$key}[20]);
+
+ my @algos = &make_algos("ike", \@encs, \@ints, \@groups, 1);
+ print CONF "\tike=" . join(",", @algos);
+
+ if ($lconfighash{$key}[24] eq 'on') { #only proposed algorythms?
+ print CONF "!\n";
+ } else {
+ print CONF "\n";
+ }
}
+
if ($lconfighash{$key}[21] && $lconfighash{$key}[22]) {
- print CONF "\tesp=";
- my @encs = split('\|', $lconfighash{$key}[21]);
- my @ints = split('\|', $lconfighash{$key}[22]);
- my @groups = split('\|', $lconfighash{$key}[20]);
- my $comma = 0;
- foreach my $i (@encs) {
- foreach my $j (@ints) {
- my $modp = "";
- if ($pfs eq "on") {
- foreach my $k (@groups) {
- if ($comma != 0) { print CONF ","; } else { $comma = 1; }
- if ($pfs eq "on") {
- my @l = split("", $k);
- if ($l[0] eq "e") {
- $modp = "";
- } else {
- $modp = "-modp$k";
- }
- } else {
- $modp = "";
- }
- print CONF "$i-$j$modp";
- }
- } else {
- if ($comma != 0) { print CONF ","; } else { $comma = 1; }
- print CONF "$i-$j";
- }
+ my @encs = split('\|', $lconfighash{$key}[21]);
+ my @ints = split('\|', $lconfighash{$key}[22]);
+ my @groups = split('\|', $lconfighash{$key}[20]);
+
+ my @algos = &make_algos("esp", \@encs, \@ints, \@groups, ($pfs eq "on"));
+ print CONF "\tesp=" . join(",", @algos);
+
+ if ($lconfighash{$key}[24] eq 'on') { #only proposed algorythms?
+ print CONF "!\n";
+ } else {
+ print CONF "\n";
}
- }
- if ($lconfighash{$key}[24] eq 'on') { #only proposed algorythms?
- print CONF "!\n";
- } else {
- print CONF "\n";
- }
}
# IKE V1 or V2
} else {
print CONF "\tauto=start\n";
}
+
+ # Fragmentation
+ print CONF "\tfragmentation=yes\n";
+
print CONF "\n";
}#foreach key
print SECRETS $last_secrets if ($last_secrets);
(my $city = $cgiparams{'CERT_CITY'}) =~ s/^\s*$/\./;
(my $state = $cgiparams{'CERT_STATE'}) =~ s/^\s*$/\./;
- # Create the Host certificate request
+ # Create the Client certificate request
&General::log("ipsec", "Creating a cert...");
if (open(STDIN, "-|")) {
exit (0);
}
- # Sign the host certificate request
+ # Sign the client certificate request
&General::log("ipsec", "Signing the cert $cgiparams{'NAME'}...");
#No easy way for specifying the contain of subjectAltName without writing a config file...
basicConstraints=CA:FALSE
nsComment="OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
+ extendedKeyUsage=clientAuth
authorityKeyIdentifier=keyid,issuer:always
END
;
$cgiparams{'REMOTE_ID'} = '';
#use default advanced value
- $cgiparams{'IKE_ENCRYPTION'} = 'aes256|aes192|aes128|aes256gcm128|aes192gcm128|aes128gcm128|aes256gcm96|aes192gcm96|aes128gcm96|aes256gcm64|aes192gcm64|aes128gcm64'; #[18];
+ $cgiparams{'IKE_ENCRYPTION'} = 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[18];
$cgiparams{'IKE_INTEGRITY'} = 'sha2_512|sha2_256|sha'; #[19];
$cgiparams{'IKE_GROUPTYPE'} = '4096|3072|2048|1536|1024'; #[20];
$cgiparams{'IKE_LIFETIME'} = '3'; #[16];
- $cgiparams{'ESP_ENCRYPTION'} = 'aes256|aes192|aes128|aes256gcm128|aes192gcm128|aes128gcm128|aes256gcm96|aes192gcm96|aes128gcm96|aes256gcm64|aes192gcm64|aes128gcm64'; #[21];
+ $cgiparams{'ESP_ENCRYPTION'} = 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[21];
$cgiparams{'ESP_INTEGRITY'} = 'sha2_512|sha2_256|sha1'; #[22];
$cgiparams{'ESP_GROUPTYPE'} = ''; #[23];
$cgiparams{'ESP_KEYLIFE'} = '1'; #[17];
<td class='boldbase' width="15%">$Lang::tr{'encryption'}</td>
<td class='boldbase'>
<select name='IKE_ENCRYPTION' multiple='multiple' size='6' style='width: 100%'>
- <option value='aes256' $checked{'IKE_ENCRYPTION'}{'aes256'}>256 bit AES-CBC</option>
- <option value='aes192' $checked{'IKE_ENCRYPTION'}{'aes192'}>192 bit AES-CBC</option>
- <option value='aes128' $checked{'IKE_ENCRYPTION'}{'aes128'}>128 bit AES-CBC</option>
<option value='aes256gcm128' $checked{'IKE_ENCRYPTION'}{'aes256gcm128'}>256 bit AES-GCM/128 bit ICV</option>
- <option value='aes192gcm128' $checked{'IKE_ENCRYPTION'}{'aes192gcm128'}>192 bit AES-GCM/128 bit ICV</option>
- <option value='aes128gcm128' $checked{'IKE_ENCRYPTION'}{'aes128gcm128'}>128 bit AES-GCM/128 bit ICV</option>
<option value='aes256gcm96' $checked{'IKE_ENCRYPTION'}{'aes256gcm96'}>256 bit AES-GCM/96 bit ICV</option>
- <option value='aes192gcm96' $checked{'IKE_ENCRYPTION'}{'aes192gcm96'}>192 bit AES-GCM/96 bit ICV</option>
- <option value='aes128gcm96' $checked{'IKE_ENCRYPTION'}{'aes128gcm96'}>128 bit AES-GCM/96 bit ICV</option>
<option value='aes256gcm64' $checked{'IKE_ENCRYPTION'}{'aes256gcm64'}>256 bit AES-GCM/64 bit ICV</option>
- <option value='aes192gcm64' $checked{'IKE_ENCRYPTION'}{'aes192gcm64'}>192 bit AES-GCM/64 bit ICV</option>
- <option value='aes128gcm64' $checked{'IKE_ENCRYPTION'}{'aes128gcm64'}>128 bit AES-GCM/64 bit ICV</option>
- <option value='3des' $checked{'IKE_ENCRYPTION'}{'3des'}>168 bit 3DES-EDE-CBC</option>
+ <option value='aes256' $checked{'IKE_ENCRYPTION'}{'aes256'}>256 bit AES-CBC</option>
<option value='camellia256' $checked{'IKE_ENCRYPTION'}{'camellia256'}>256 bit Camellia-CBC</option>
+ <option value='aes192gcm128' $checked{'IKE_ENCRYPTION'}{'aes192gcm128'}>192 bit AES-GCM/128 bit ICV</option>
+ <option value='aes192gcm96' $checked{'IKE_ENCRYPTION'}{'aes192gcm96'}>192 bit AES-GCM/96 bit ICV</option>
+ <option value='aes192gcm64' $checked{'IKE_ENCRYPTION'}{'aes192gcm64'}>192 bit AES-GCM/64 bit ICV</option>
+ <option value='aes192' $checked{'IKE_ENCRYPTION'}{'aes192'}>192 bit AES-CBC</option>
<option value='camellia192' $checked{'IKE_ENCRYPTION'}{'camellia192'}>192 bit Camellia-CBC</option>
+ <option value='aes128gcm128' $checked{'IKE_ENCRYPTION'}{'aes128gcm128'}>128 bit AES-GCM/128 bit ICV</option>
+ <option value='aes128gcm96' $checked{'IKE_ENCRYPTION'}{'aes128gcm96'}>128 bit AES-GCM/96 bit ICV</option>
+ <option value='aes128gcm64' $checked{'IKE_ENCRYPTION'}{'aes128gcm64'}>128 bit AES-GCM/64 bit ICV</option>
+ <option value='aes128' $checked{'IKE_ENCRYPTION'}{'aes128'}>128 bit AES-CBC</option>
<option value='camellia128' $checked{'IKE_ENCRYPTION'}{'camellia128'}>128 bit Camellia-CBC</option>
+ <option value='3des' $checked{'IKE_ENCRYPTION'}{'3des'}>168 bit 3DES-EDE-CBC</option>
</select>
</td>
<td class='boldbase'>
<select name='ESP_ENCRYPTION' multiple='multiple' size='6' style='width: 100%'>
- <option value='aes256' $checked{'ESP_ENCRYPTION'}{'aes256'}>256 bit AES-CBC</option>
- <option value='aes192' $checked{'ESP_ENCRYPTION'}{'aes192'}>192 bit AES-CBC</option>
- <option value='aes128' $checked{'ESP_ENCRYPTION'}{'aes128'}>128 bit AES-CBC</option>
<option value='aes256gcm128' $checked{'ESP_ENCRYPTION'}{'aes256gcm128'}>256 bit AES-GCM/128 bit ICV</option>
- <option value='aes192gcm128' $checked{'ESP_ENCRYPTION'}{'aes192gcm128'}>192 bit AES-GCM/128 bit ICV</option>
- <option value='aes128gcm128' $checked{'ESP_ENCRYPTION'}{'aes128gcm128'}>128 bit AES-GCM/128 bit ICV</option>
<option value='aes256gcm96' $checked{'ESP_ENCRYPTION'}{'aes256gcm96'}>256 bit AES-GCM/96 bit ICV</option>
- <option value='aes192gcm96' $checked{'ESP_ENCRYPTION'}{'aes192gcm96'}>192 bit AES-GCM/96 bit ICV</option>
- <option value='aes128gcm96' $checked{'ESP_ENCRYPTION'}{'aes128gcm96'}>128 bit AES-GCM/96 bit ICV</option>
<option value='aes256gcm64' $checked{'ESP_ENCRYPTION'}{'aes256gcm64'}>256 bit AES-GCM/64 bit ICV</option>
- <option value='aes192gcm64' $checked{'ESP_ENCRYPTION'}{'aes192gcm64'}>192 bit AES-GCM/64 bit ICV</option>
- <option value='aes128gcm64' $checked{'ESP_ENCRYPTION'}{'aes128gcm64'}>128 bit AES-GCM/64 bit ICV</option>
- <option value='3des' $checked{'ESP_ENCRYPTION'}{'3des'}>168 bit 3DES-EDE-CBC</option>
+ <option value='aes256' $checked{'ESP_ENCRYPTION'}{'aes256'}>256 bit AES-CBC</option>
<option value='camellia256' $checked{'ESP_ENCRYPTION'}{'camellia256'}>256 bit Camellia-CBC</option>
+ <option value='aes192gcm128' $checked{'ESP_ENCRYPTION'}{'aes192gcm128'}>192 bit AES-GCM/128 bit ICV</option>
+ <option value='aes192gcm96' $checked{'ESP_ENCRYPTION'}{'aes192gcm96'}>192 bit AES-GCM/96 bit ICV</option>
+ <option value='aes192gcm64' $checked{'ESP_ENCRYPTION'}{'aes192gcm64'}>192 bit AES-GCM/64 bit ICV</option>
+ <option value='aes192' $checked{'ESP_ENCRYPTION'}{'aes192'}>192 bit AES-CBC</option>
<option value='camellia192' $checked{'ESP_ENCRYPTION'}{'camellia192'}>192 bit Camellia-CBC</option>
+ <option value='aes128gcm128' $checked{'ESP_ENCRYPTION'}{'aes128gcm128'}>128 bit AES-GCM/128 bit ICV</option>
+ <option value='aes128gcm96' $checked{'ESP_ENCRYPTION'}{'aes128gcm96'}>128 bit AES-GCM/96 bit ICV</option>
+ <option value='aes128gcm64' $checked{'ESP_ENCRYPTION'}{'aes128gcm64'}>128 bit AES-GCM/64 bit ICV</option>
+ <option value='aes128' $checked{'ESP_ENCRYPTION'}{'aes128'}>128 bit AES-CBC</option>
<option value='camellia128' $checked{'ESP_ENCRYPTION'}{'camellia128'}>128 bit Camellia-CBC</option>
+ <option value='3des' $checked{'ESP_ENCRYPTION'}{'3des'}>168 bit 3DES-EDE-CBC</option>
</select>
</td>
</tr>
<option value='sha2_512' $checked{'IKE_INTEGRITY'}{'sha2_512'}>SHA2 512 bit</option>
<option value='sha2_384' $checked{'IKE_INTEGRITY'}{'sha2_384'}>SHA2 384 bit</option>
<option value='sha2_256' $checked{'IKE_INTEGRITY'}{'sha2_256'}>SHA2 256 bit</option>
+ <option value='aesxcbc' $checked{'IKE_INTEGRITY'}{'aesxcbc'}>AES XCBC</option>
<option value='sha' $checked{'IKE_INTEGRITY'}{'sha'}>SHA1</option>
<option value='md5' $checked{'IKE_INTEGRITY'}{'md5'}>MD5</option>
- <option value='aesxcbc' $checked{'IKE_INTEGRITY'}{'aesxcbc'}>AES XCBC</option>
</select>
</td>
<td class='boldbase'>
<option value='sha2_512' $checked{'ESP_INTEGRITY'}{'sha2_512'}>SHA2 512 bit</option>
<option value='sha2_384' $checked{'ESP_INTEGRITY'}{'sha2_384'}>SHA2 384 bit</option>
<option value='sha2_256' $checked{'ESP_INTEGRITY'}{'sha2_256'}>SHA2 256 bit</option>
+ <option value='aesxcbc' $checked{'ESP_INTEGRITY'}{'aesxcbc'}>AES XCBC</option>
<option value='sha1' $checked{'ESP_INTEGRITY'}{'sha1'}>SHA1</option>
<option value='md5' $checked{'ESP_INTEGRITY'}{'md5'}>MD5</option>
- <option value='aesxcbc' $checked{'ESP_INTEGRITY'}{'aesxcbc'}>AES XCBC</option>
</select>
</td>
</tr>
<td class='boldbase'>
<select name='IKE_GROUPTYPE' multiple='multiple' size='6' style='width: 100%'>
<option value='e521' $checked{'IKE_GROUPTYPE'}{'e521'}>ECP-521 (NIST)</option>
- <option value='e384' $checked{'IKE_GROUPTYPE'}{'e384'}>ECP-384 (NIST)</option>
- <option value='e256' $checked{'IKE_GROUPTYPE'}{'e256'}>ECP-256 (NIST)</option>
- <option value='e224' $checked{'IKE_GROUPTYPE'}{'e224'}>ECP-224 (NIST)</option>
- <option value='e192' $checked{'IKE_GROUPTYPE'}{'e192'}>ECP-192 (NIST)</option>
<option value='e512bp' $checked{'IKE_GROUPTYPE'}{'e512bp'}>ECP-512 (Brainpool)</option>
+ <option value='e384' $checked{'IKE_GROUPTYPE'}{'e384'}>ECP-384 (NIST)</option>
<option value='e384bp' $checked{'IKE_GROUPTYPE'}{'e384bp'}>ECP-384 (Brainpool)</option>
+ <option value='e256' $checked{'IKE_GROUPTYPE'}{'e256'}>ECP-256 (NIST)</option>
<option value='e256bp' $checked{'IKE_GROUPTYPE'}{'e256bp'}>ECP-256 (Brainpool)</option>
+ <option value='e224' $checked{'IKE_GROUPTYPE'}{'e224'}>ECP-224 (NIST)</option>
<option value='e224bp' $checked{'IKE_GROUPTYPE'}{'e224bp'}>ECP-224 (Brainpool)</option>
+ <option value='e192' $checked{'IKE_GROUPTYPE'}{'e192'}>ECP-192 (NIST)</option>
<option value='8192' $checked{'IKE_GROUPTYPE'}{'8192'}>MODP-8192</option>
<option value='6144' $checked{'IKE_GROUPTYPE'}{'6144'}>MODP-6144</option>
<option value='4096' $checked{'IKE_GROUPTYPE'}{'4096'}>MODP-4096</option>
&Header::closebox();
&Header::closebigbox();
&Header::closepage();
+
+sub array_unique($) {
+ my $array = shift;
+ my @unique = ();
+
+ my %seen = ();
+ foreach my $e (@$array) {
+ next if $seen{$e}++;
+ push(@unique, $e);
+ }
+
+ return @unique;
+}
+
+sub make_algos($$$$$) {
+ my ($mode, $encs, $ints, $grps, $pfs) = @_;
+ my @algos = ();
+
+ foreach my $enc (@$encs) {
+ foreach my $int (@$ints) {
+ foreach my $grp (@$grps) {
+ my @algo = ($enc);
+
+ if ($mode eq "ike") {
+ push(@algo, $int);
+
+ if ($grp =~ m/^e(\d+)/) {
+ push(@algo, "ecp$1");
+ } else {
+ push(@algo, "modp$grp");
+ }
+
+ } elsif ($mode eq "esp" && $pfs) {
+ my $is_aead = ($enc =~ m/[cg]cm/);
+
+ if (!$is_aead) {
+ push(@algo, $int);
+ }
+
+ if ($grp =~ m/^e\d+/) {
+ push(@algo, $grp);
+ } else {
+ push(@algo, "modp$grp");
+ }
+ }
+
+ push(@algos, join("-", @algo));
+ }
+ }
+ }
+
+ return &array_unique(\@algos);
+}
max-width: 2.5em;
}
+table.fw-nat tbody tr td {
+ height: 2.25em;
+}
+
/* LAYOUT - 3 COLUMNS */
/* Primary content */
max-width: 2.5em;
}
+table.fw-nat tbody tr td {
+ height: 2.25em;
+}
+
/* LAYOUT - 3 COLUMNS */
/* Primary content */
.tbl tr:last-child td {
border-bottom: 1px solid lightgrey;
}
+
+table.fw-nat tbody tr td {
+ height: 2.25em;
+}
max-width: 2.5em;
}
+table.fw-nat tbody tr td {
+ height: 2.25em;
+}
+
/* LAYOUT - 3 COLUMNS */
/* Primary content */
'bit' => 'Bit',
'bitrate' => 'Bitrate',
'bleeding rules' => 'Bleeding Edge Snort Rules',
+'block' => 'Blocken',
'blue' => 'BLAU',
'blue access' => 'Zugriff auf Blau',
'blue access use hint' => 'Sie müssen mindestens die MAC- oder die IP-Adresse für ein Gerät angeben. Optional können Sie sowohl MAC- als auch IP-Adresse angeben.',
'chain' => 'Verknüpfung',
'change passwords' => 'Passwörter ändern',
'change share' => 'Freigabeeinstellungen ändern',
+'check all' => 'Alle auswählen',
'check for net traffic update' => 'Prüfe auf Net-Traffic-Updates',
'check vpn lr' => 'Überprüfen',
'choose config' => 'Konfiguration auswählen',
'fwhost OpenVPN static host' => 'OpenVPN statischer Host',
'fwhost OpenVPN static network' => 'OpenVPN statisches Netzwerk',
'fwhost Standard Network' => 'Standard-Netzwerk',
+'fwhost addgeoipgrp' => 'Neue GeoIP-Gruppe hinzufügen',
'fwhost addgrp' => 'Neue Gruppe hinzufügen',
'fwhost addgrpname' => 'Gruppenname:',
'fwhost addhost' => 'Neuen Host hinzufügen',
'fwhost change' => 'Ändern',
'fwhost changeremark' => 'Es wurde nur die Bemerkung angepasst.',
'fwhost cust addr' => 'Hosts',
+'fwhost cust geoip' => 'GeoIP-Gruppen',
+'fwhost cust geoipgroup' => 'GeoIP-Gruppen',
+'fwhost cust geoiplocation' => 'GeoIP Ländercodes',
'fwhost cust grp' => 'Gruppen',
'fwhost cust net' => 'Netzwerke',
'fwhost cust service' => 'Dienste',
'fwhost ipsec net' => 'IPsec-Netzwerke:',
'fwhost menu' => 'Firewallgruppen',
'fwhost netaddress' => 'Netzwerkadresse',
+'fwhost newgeoipgrp' => 'GeoIP-Gruppen',
'fwhost newgrp' => 'Netzwerk-/Hostgruppen',
'fwhost newhost' => 'Hosts',
'fwhost newnet' => 'Netzwerke',
'generating the root and host certificates may take a long time. it can take up to several minutes on older hardware. please be patient' => 'Die Erzeugung der Root- und Host-Zertifikate kann lange Zeit dauern. Auf älterer Hardware kann es mehrere Minuten lang dauern. Bitte haben Sie etwas Geduld.',
'genkey' => 'PSK erzeugen',
'genre' => 'Genre',
+'geoip' => 'GeoIP',
+'geoipblock' => 'GeoIP Block',
+'geoipblock block countries' => 'Länderfilter',
+'geoipblock configuration' => 'GeoIP Konfiguration',
+'geoipblock country code' => 'Ländercode',
+'geoipblock country is allowed' => 'Eingehende Verbindungen aus diesem Land sind erlaubt.',
+'geoipblock country is blocked' => 'Eingehende Verbindungen aus diesem Land werden blockiert.',
+'geoipblock country name' => 'Ländername',
+'geoipblock enable feature' => 'GeoIP basierte Filterung aktivieren:',
+'geoipblock flag' => 'Flagge',
'global settings' => 'Globale Einstellungen',
'gpl i accept these terms and conditions' => 'Ich akzeptiere diese Bedingungen und Konditionen',
'gpl license agreement' => 'Lizenz-Vereinbarung',
'umount removable media before to unplug' => 'Wechselmedien vor dem Entfernen unbedingt abmelden',
'unable to alter profiles while red is active' => 'Profile können nicht geändert werden, solange ROT aktiv ist.',
'unable to contact' => 'Kann nicht erreicht werden',
+'unblock' => 'Entblocken',
+'unblock all' => 'Alle entblocken',
+'uncheck all' => 'Alle abwählen',
'unencrypted' => 'Nicht verschlüsselt',
'uninstall' => 'Deinstallieren',
'unix charset' => 'UNIX-Charset',
'bit' => 'bit',
'bitrate' => 'Bitrate',
'bleeding rules' => 'Bleeding Edge Snort Rules',
+'block' => 'Block',
'blue' => 'BLUE',
'blue access' => 'Blue Access',
'blue access use hint' => 'You have to enter the MAC or the IP Address for a device. To enter both is also possible',
'chain' => 'Chain',
'change passwords' => 'Change passwords',
'change share' => 'edit share options',
+'check all' => 'Check all',
'check for net traffic update' => 'Check for Net-Traffic updates',
'check vpn lr' => 'Check',
'choose config' => 'Choose config',
'fwhost OpenVPN static host' => 'OpenVPN static host',
'fwhost OpenVPN static network' => 'OpenVPN static network',
'fwhost Standard Network' => 'Standard network',
+'fwhost addgeoipgrp' => 'Add new GeoIP group',
'fwhost addgrp' => 'Add new network/host group',
'fwhost addgrpname' => 'Group name:',
'fwhost addhost' => 'Add new host',
'fwhost change' => 'Modify',
'fwhost changeremark' => 'You modified just the remark',
'fwhost cust addr' => 'Hosts',
+'fwhost cust geoip' => 'GeoIP Groups',
+'fwhost cust geoipgroup' => 'GeoIP Groups',
+'fwhost cust geoiplocation' => 'GeoIP Locations',
'fwhost cust grp' => 'Network/Host Groups',
'fwhost cust net' => 'Networks',
'fwhost cust service' => 'Services',
'fwhost ipsec net' => 'IPsec networks:',
'fwhost menu' => 'Firewall Groups',
'fwhost netaddress' => 'Network address',
+'fwhost newgeoipgrp' => 'GeoIP Groups',
'fwhost newgrp' => 'Network/Host Groups',
'fwhost newhost' => 'Hosts',
'fwhost newnet' => 'Networks',
'generating the root and host certificates may take a long time. it can take up to several minutes on older hardware. please be patient' => 'Generating the root and host certificates may take a long time. It can take up to several minutes on older hardware. Please be patient.',
'genkey' => 'Generate PSK',
'genre' => 'Genre',
+'geoip' => 'GeoIP',
+'geoipblock' => 'GeoIP Block',
+'geoipblock block countries' => 'Block countries',
+'geoipblock configuration' => 'GeoIP Configuration',
+'geoipblock country code' => 'Country Code',
+'geoipblock country is allowed' => 'Incoming traffic from this country is allowed',
+'geoipblock country is blocked' => 'Incoming traffic from this country will be blocked',
+'geoipblock country name' => 'Country Name',
+'geoipblock enable feature' => 'Enable GeoIP based blocking:',
+'geoipblock flag' => 'Flag',
'global settings' => 'Global Settings',
'gpl i accept these terms and conditions' => 'I accept these terms and conditions',
'gpl license agreement' => 'License Agreement',
'umount removable media before to unplug' => 'Umount removable media before unplugging the device',
'unable to alter profiles while red is active' => 'Unable to alter profiles while RED is active.',
'unable to contact' => 'Unable to contact',
+'unblock' => 'Unblock',
+'unblock all' => 'Unblock all',
+'uncheck all' => 'Uncheck all',
'unencrypted' => 'Unencrypted',
'uninstall' => 'Uninstall',
'unix charset' => 'UNIX Charset',
'generating the root and host certificates may take a long time. it can take up to several minutes on older hardware. please be patient' => 'Generar los certificador root y host puede tomar mucho tiempo. Puede durar varios minutos en equipos antiguos. Por favor sea paciente.',
'genkey' => 'Generar PSK',
'genre' => 'Género',
+'geoip' => 'GeoIP',
+'geoipblock' => 'GeoIP Block',
+'geoipblock block countries' => 'Países bloqueados',
+'geoipblock configuration' => 'Configuración GeoIP',
+'geoipblock country code' => 'Código del País',
+'geoipblock country is allowed' => 'Se permite el tráfico procedente de este País',
+'geoipblock country is blocked' => 'Se deniega el tráfico procedente de este País',
+'geoipblock country name' => 'Nombre del País',
+'geoipblock enable feature' => 'Habilitar bloqueo basado GeoIP:',
+'geoipblock flag' => 'Bandera',
'global settings' => 'Configuraciones globales',
'gpl i accept these terms and conditions' => 'I accept these terms and conditions',
'gpl license agreement' => 'License Agreement',
include Config
-VER = 2.07
+VER = 3.33
THISAPP = Locale-Codes-$(VER)
DL_FILE = $(THISAPP).tar.gz
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = af0537cc4a882096d0320612c440df6d
+$(DL_FILE)_MD5 = bc7496f97889de8504e80addaa0ee40c
install : $(TARGET)
include Config
-VER = 11.16.0
+VER = 11.17.1
THISAPP = asterisk-$(VER)
DL_FILE = $(THISAPP).tar.gz
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
PROG = asterisk
-PAK_VER = 15
+PAK_VER = 16
DEPS = "libsrtp"
asterisk-moh-opsound-gsm-2.03.tar.gz = $(URL_IPFIRE)/asterisk-moh-opsound-gsm-2.03.tar.gz
asterisk-1.4-de-prompts.tar.gz = $(URL_IPFIRE)/asterisk-1.4-de-prompts.tar.gz
-$(DL_FILE)_MD5 = de06d4ac0d1ba531c4c18805a9d5a18d
+$(DL_FILE)_MD5 = 2c6cd0f499152d0d5ff32f36e274fc2e
asterisk-extra-sounds-en-gsm-1.4.15.tar.gz_MD5 = 5099fc65f49008e33ba7fb043a4ec995
asterisk-moh-opsound-gsm-2.03.tar.gz_MD5 = 09066f55f1358f298bc1a6e4678a3ddf
asterisk-1.4-de-prompts.tar.gz_MD5 = 626a2b95071a5505851e43874dfbfd5c
for i in auth/users backup/include.user backup/exclude.user \
certs/index.txt ddns/config ddns/noipsettings ddns/settings ddns/ipcache dhcp/settings \
dhcp/fixleases dhcp/advoptions dhcp/dhcpd.conf.local dns/settings dnsforward/config ethernet/aliases ethernet/settings ethernet/known_nics ethernet/scanned_nics \
- ethernet/wireless extrahd/scan extrahd/devices extrahd/partitions extrahd/settings firewall/settings firewall/config firewall/input firewall/outgoing \
- fwhosts/customnetworks fwhosts/customhosts fwhosts/customgroups fwhosts/customservicegrp fwlogs/ipsettings fwlogs/portsettings \
+ ethernet/wireless extrahd/scan extrahd/devices extrahd/partitions extrahd/settings firewall/settings firewall/config firewall/geoipblock firewall/input firewall/outgoing \
+ fwhosts/customnetworks fwhosts/customhosts fwhosts/customgroups fwhosts/customservicegrp fwhosts/customgeoipgrp fwlogs/ipsettings fwlogs/portsettings \
isdn/settings mac/settings main/disable_nf_sip main/hosts main/routing main/settings net-traffic/settings optionsfw/settings \
ovpn/ccd.conf ovpn/ccdroute ovpn/ccdroute2 pakfire/settings portfw/config ppp/settings-1 ppp/settings-2 ppp/settings-3 ppp/settings-4 \
ppp/settings-5 ppp/settings proxy/settings proxy/squid.conf proxy/advanced/settings proxy/advanced/cre/enable remote/settings qos/settings qos/classes qos/subclasses qos/level7config qos/portconfig \
cp $(DIR_SRC)/config/cfgroot/header.pl $(CONFIG_ROOT)/
cp $(DIR_SRC)/config/cfgroot/general-functions.pl $(CONFIG_ROOT)/
cp $(DIR_SRC)/config/cfgroot/network-functions.pl $(CONFIG_ROOT)/
+ cp $(DIR_SRC)/config/cfgroot/geoip-functions.pl $(CONFIG_ROOT)/
cp $(DIR_SRC)/config/cfgroot/lang.pl $(CONFIG_ROOT)/
cp $(DIR_SRC)/config/cfgroot/countries.pl $(CONFIG_ROOT)/
cp $(DIR_SRC)/config/cfgroot/graphs.pl $(CONFIG_ROOT)/
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0069-Whitespace-fixes.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0070-Return-INSECURE-rather-than-BOGUS-when-DS-proved-not.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0071-Fix-compiler-warning-when-not-including-DNSSEC.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0072-Fix-crash-caused-by-looking-up-servers.bind-when-man.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0073-Fix-crash-on-receipt-of-certain-malformed-DNS-reques.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0074-Fix-crash-in-auth-code-with-odd-configuration.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0075-Auth-correct-replies-to-NS-and-SOA-in-.arpa-zones.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0076-Fix-srk-induced-crash-in-new-tftp_no_fail-code.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0077-Note-CVE-2015-3294.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0078-Log-domain-when-reporting-DNSSEC-validation-failure.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch
cd $(DIR_APP) && sed -i src/config.h \
-e 's|/\* #define HAVE_IDN \*/|#define HAVE_IDN|g' \
cd $(DIR_APP) && cp -vf $(DIR_SRC)/netfilter-layer7-v2.22/iptables-1.4.3forward-for-kernel-2.6.20forward/* \
./extensions/
- # ipp2p 0.8.2-pomng
- cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/iptables-1.4.14-ipp2p-0.8.2-ipfire.patch
-
# imq
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/iptables-1.4.12-IMQ-test4.diff
include Config
-VER = 1.5.0
+VER = 1.5.2
THISAPP = libsrtp-$(VER)
DL_FILE = $(THISAPP).tar.gz
DL_FROM = $(URL_IPFIRE)
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
PROG = libsrtp
-PAK_VER = 1
+PAK_VER = 2
DEPS = ""
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = ec49ba558b4fd056114df2c76935aa8e
+$(DL_FILE)_MD5 = 2309aa6027992810a4285b042c71e644
install : $(TARGET)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
cd $(DIR_APP) && ./configure --prefix=/usr
- cd $(DIR_APP) && make uninstall && make $(MAKETUNING) libsrtp.so
+ cd $(DIR_APP) && make uninstall && make $(MAKETUNING) shared_library
cd $(DIR_APP) && make install
@rm -rf $(DIR_APP)
@$(POSTBUILD)
include Config
-VER = 3.14.38
+VER = 3.14.39
-RPI_PATCHES = 3.14.38-grsec-ipfire1
-A7M_PATCHES = 3.14.38-grsec-ipfire1
-GRS_PATCHES = grsecurity-3.1-3.14.38-201504142259.patch.xz
+RPI_PATCHES = 3.14.39-grsec-ipfire1
+A7M_PATCHES = 3.14.39-grsec-ipfire1
+GRS_PATCHES = grsecurity-3.1-3.14.39-201504190814.patch.xz
THISAPP = linux-$(VER)
DL_FILE = linux-$(VER).tar.xz
arm7-multi-patches-$(A7M_PATCHES).patch.xz = $(URL_IPFIRE)/arm7-multi-patches-$(A7M_PATCHES).patch.xz
$(GRS_PATCHES) = $(URL_IPFIRE)/$(GRS_PATCHES)
-$(DL_FILE)_MD5 = c4d0154627e02dc43c67fa616ff1e569
-rpi-patches-$(RPI_PATCHES).patch.xz_MD5 = e423c8b3a408f23b9a26f8f0f4384c50
+$(DL_FILE)_MD5 = 3581855d0dbfcbe1140dfcd1406d0a91
+rpi-patches-$(RPI_PATCHES).patch.xz_MD5 = 5056304af0a199194abd0bcb00015f28
arm7-multi-patches-$(A7M_PATCHES).patch.xz_MD5 = a4a4103255e93bfcb02652212b0ae3fc
-$(GRS_PATCHES)_MD5 = 6d6ed13c08ae96f6470c30c00e08b130
+$(GRS_PATCHES)_MD5 = 2121d0bf825da9ff6321e2940f247c5e
install : $(TARGET)
# Linux Intermediate Queueing Device
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux-3.14.22-imq.patch
- # ipp2p 0.8.2-ipfire
- cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux-3.10-ipp2p-0.8.2-ipfire.patch
-
# Layer7-patch
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux-3.14-layer7-filter.patch
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2014 IPFire Team <info@ipfire.org> #
+# Copyright (C) 2007-2015 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
include Config
-VER = 1.0.1m
+VER = 1.0.2a
THISAPP = openssl-$(VER)
DL_FILE = $(THISAPP).tar.gz
DL_FROM = $(URL_IPFIRE)
DIR_APP = $(DIR_SRC)/$(THISAPP)
-TARGET = $(DIR_INFO)/$(THISAPP)
+
+TARGET = $(DIR_INFO)/$(THISAPP)$(KCFG)
+
+CFLAGS += -DPURIFY
+export RPM_OPT_FLAGS = $(CFLAGS)
+
+CONFIGURE_OPTIONS = \
+ --prefix=/usr \
+ --openssldir=/etc/ssl \
+ --enginesdir=/usr/lib/openssl/engines \
+ shared \
+ zlib-dynamic \
+ enable-camellia \
+ enable-md2 \
+ enable-seed \
+ enable-tlsext \
+ enable-rfc3779 \
+ no-idea \
+ no-mdc2 \
+ no-rc5 \
+ no-srp \
+ -DSSL_FORBID_ENULL
ifeq "$(MACHINE)" "i586"
- CONFIGURE_ARGS = linux-elf no-asm 386
+ CONFIGURE_OPTIONS += linux-elf
+
+ifneq "$(KCFG)" "-sse2"
+ CONFIGURE_OPTIONS += no-sse2
+endif
endif
ifeq "$(MACHINE)" "armv5tel"
- CONFIGURE_ARGS = linux-generic32
+ CONFIGURE_OPTIONS += linux-generic32
endif
-CFLAGS += -DPURIFY
-export RPM_OPT_FLAGS = $(CFLAGS)
-
###############################################################################
# Top-level Rules
###############################################################################
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = d143d1555d842a069cb7cc34ba745a06
+$(DL_FILE)_MD5 = a06c547dac9044161a477211049f60ef
install : $(TARGET)
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.0-beta5-enginesdir.patch
- cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.1e-rpmbuild.patch
+ cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.2a-rpmbuild.patch
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.1m-weak-ciphers.patch
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-disable-sslv2-sslv3.patch
cd $(DIR_APP) && find crypto/ -name Makefile -exec \
sed 's/^ASFLAGS=/&-Wa,--noexecstack /' -i {} \;
- cd $(DIR_APP) && ./Configure \
- --prefix=/usr \
- --openssldir=/etc/ssl \
- --enginesdir=/usr/lib/openssl/engines \
- shared \
- zlib-dynamic \
- enable-camellia \
- enable-md2 \
- enable-seed \
- enable-tlsext \
- enable-rfc3779 \
- no-idea \
- no-mdc2 \
- no-rc5 \
- no-srp \
- $(CONFIGURE_ARGS) \
- -DSSL_FORBID_ENULL
+ cd $(DIR_APP) && ./Configure $(CONFIGURE_OPTIONS)
cd $(DIR_APP) && make depend
cd $(DIR_APP) && make
+ifeq "$(KCFG)" "-sse2"
+ -mkdir -pv /usr/lib/sse2
+ cd $(DIR_APP) && install -m 755 \
+ libcrypto.so.10 libssl.so.10 /usr/lib/sse2
+else
# Install everything.
cd $(DIR_APP) && make install
install -m 0644 $(DIR_SRC)/config/ssl/openssl.cnf /etc/ssl
-mkdir -pv /usr/lib/openssl
rm -vfr /usr/lib/openssl/engines
mv -v /usr/lib/engines /usr/lib/openssl
+endif
@rm -rf $(DIR_APP)
@$(POSTBUILD)
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2015 IPFire Team <info@ipfire.org> #
+# Copyright (C) 2014 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# #
###############################################################################
+
###############################################################################
# Definitions
###############################################################################
include Config
+VER = 1.12
-VER = 0.9.8zf
-
-THISAPP = openssl-$(VER)
-DL_FILE = $(THISAPP).tar.gz
+THISAPP = Text-CSV_XS-$(VER)
+DL_FILE = ${THISAPP}.tgz
DL_FROM = $(URL_IPFIRE)
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = c69a4a679233f7df189e1ad6659511ec
+$(DL_FILE)_MD5 = b91f2d806054b68c2a29d3da5821fe87
install : $(TARGET)
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
-
- cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-disable-sslv2-sslv3.patch
-
- # Apply our CFLAGS
- cd $(DIR_APP) && sed -i Configure \
- -e "s/-O3 -fomit-frame-pointer/$(CFLAGS)/g"
-
- cd $(DIR_APP) && sed -i -e 's/mcpu/march/' config
- cd $(DIR_APP) && sed -i -e 's/-O3/-O2/' -e 's/-march=i486/-march=i586/' Configure
-
- # Support for engines is disabled, because the shared objects from the
- # new version of openssl cannot be loaded by the old one.
-
- cd $(DIR_APP) && ./Configure \
- --prefix=/usr \
- --openssldir=/etc/ssl \
- shared linux-elf \
- zlib-dynamic \
- no-engines \
- no-asm 386 \
- -DSSL_FORBID_ENULL
-
- cd $(DIR_APP) && make depend
- cd $(DIR_APP) && make
-
- cd $(DIR_APP) && install -v -m 755 libcrypto.so.0.9.8 /usr/lib
- cd $(DIR_APP) && install -v -m 755 libssl.so.0.9.8 /usr/lib
-
+ cd $(DIR_APP) && perl Makefile.PL
+ cd $(DIR_APP) && make $(MAKETUNING) $(EXTRA_MAKE)
+ cd $(DIR_APP) && make install
@rm -rf $(DIR_APP)
@$(POSTBUILD)
include Config
-VER = 1.0.2
+VER = 1.0.3
THISAPP = squid-accounting-$(VER)
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
PROG = squid-accounting
-PAK_VER = 4
+PAK_VER = 5
DEPS = "perl-DBI perl-DBD-SQLite perl-File-ReadBackwards perl-PDF-API2 sendEmail"
-install -dv -m 1777 /tmp /var/tmp
-mkdir -pv /usr/{,local/}{bin,include,lib{,/sse2},sbin,src}
-mkdir -pv /usr/{,local/}share/{doc,info,locale,man}
- -mkdir -v /usr/{,local/}share/{misc,terminfo,zoneinfo}
+ -mkdir -v /usr/{,local/}share/{misc,terminfo,xt_geoip,zoneinfo}
-mkdir -pv /usr/{,local/}share/man/man{1..8}
#-for dir in /usr /usr/local; do \
# ln -sv share/{man,doc,info} $$dir; \
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
PROG = tor
-PAK_VER = 10
+PAK_VER = 11
DEPS = "libevent2"
--- /dev/null
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2007-2014 IPFire Team <info@ipfire.org> #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see <http://www.gnu.org/licenses/>. #
+# #
+###############################################################################
+
+###############################################################################
+# Definitions
+###############################################################################
+
+include Config
+
+VERSUFIX = ipfire$(KCFG)
+MODPATH = /lib/modules/$(KVER)-$(VERSUFIX)/extra/
+
+VER = 2.6
+
+THISAPP = xtables-addons-$(VER)
+DL_FILE = $(THISAPP).tar.xz
+DL_FROM = $(URL_IPFIRE)
+DIR_APP = $(DIR_SRC)/$(THISAPP)
+
+ifeq "$(USPACE)" "1"
+ TARGET = $(DIR_INFO)/$(THISAPP)
+else
+ TARGET = $(DIR_INFO)/$(THISAPP)-kmod-$(KVER)-$(VERSUFIX)
+endif
+
+###############################################################################
+# Top-level Rules
+###############################################################################
+
+objects = $(DL_FILE)
+
+$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
+
+$(DL_FILE)_MD5 = 087835ba7e564481b6fd398692268340
+
+install : $(TARGET)
+
+check : $(patsubst %,$(DIR_CHK)/%,$(objects))
+
+download :$(patsubst %,$(DIR_DL)/%,$(objects))
+
+md5 : $(subst %,%_MD5,$(objects))
+
+dist:
+ $(PAK)
+
+###############################################################################
+# Downloading, checking, md5sum
+###############################################################################
+
+$(patsubst %,$(DIR_CHK)/%,$(objects)) :
+ @$(CHECK)
+
+$(patsubst %,$(DIR_DL)/%,$(objects)) :
+ @$(LOAD)
+
+$(subst %,%_MD5,$(objects)) :
+ @$(MD5)
+
+###############################################################################
+# Installation Details
+###############################################################################
+
+$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
+ @$(PREBUILD)
+ @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
+
+ # Only build the specified modules.
+ cp -avf $(DIR_SRC)/config/xtables-addons/mconfig \
+ $(DIR_APP)/mconfig
+
+# Check if we build the modules for a kernel or the userspace parts.
+ifeq "$(USPACE)" "1"
+ cd $(DIR_APP) && ./configure \
+ --prefix=/usr \
+ --without-kbuild
+
+ cd $(DIR_APP) && make $(MAKETUNING)
+ cd $(DIR_APP) && make install
+else
+ cd $(DIR_APP) && ./configure \
+ --with-kbuild=/usr/src/linux-$(KVER)/
+
+ cd $(DIR_APP) && make $(MAKETUNING)
+
+ # Install the built kernel modules.
+ cd $(DIR_APP) && for f in $$(ls extensions/*.ko); do \
+ install -m 644 $$f $(MODPATH); \
+ done
+endif
+
+ @rm -rf $(DIR_APP)
+ @$(POSTBUILD)
export LOGFILE
ipfiremake configroot
ipfiremake backup
+ ipfiremake pkg-config
ipfiremake libusb
ipfiremake libusbx
ipfiremake libpcap
ipfiremake multipath-tools
ipfiremake freetype
ipfiremake grub
+ ipfiremake libmnl
+ ipfiremake iptables
case "${TARGET_ARCH}" in
i586)
ipfiremake e1000e KCFG="-pae"
# ipfiremake igb KCFG="-pae"
ipfiremake ixgbe KCFG="-pae"
+ ipfiremake xtables-addons KCFG="-pae"
ipfiremake linux-initrd KCFG="-pae"
# x86 kernel build
ipfiremake e1000e KCFG=""
# ipfiremake igb KCFG=""
ipfiremake ixgbe KCFG=""
+ ipfiremake xtables-addons KCFG=""
ipfiremake linux-initrd KCFG=""
;;
ipfiremake linux KCFG="-rpi"
ipfiremake backports KCFG="-rpi"
ipfiremake cryptodev KCFG="-rpi"
+ ipfiremake xtables-addons KCFG="-rpi"
ipfiremake linux-initrd KCFG="-rpi"
# arm multi platform (Panda, Wandboard ...) kernel build
ipfiremake e1000e KCFG="-multi"
# ipfiremake igb KCFG="-multi"
ipfiremake ixgbe KCFG="-multi"
+ ipfiremake xtables-addons KCFG="-multi"
ipfiremake linux-initrd KCFG="-multi"
# arm-kirkwood (Dreamplug, ICY-Box ...) kernel build
ipfiremake e1000e KCFG="-kirkwood"
# ipfiremake igb KCFG="-kirkwood"
ipfiremake ixgbe KCFG="-kirkwood"
+ ipfiremake xtables-addons KCFG="-kirkwood"
ipfiremake linux-initrd KCFG="-kirkwood"
;;
esac
- ipfiremake pkg-config
+ ipfiremake xtables-addons USPACE="1"
ipfiremake openssl
- ipfiremake openssl-compat
+ [ "${TARGET_ARCH}" = "i586" ] && ipfiremake openssl KCFG='-sse2'
ipfiremake libgpg-error
ipfiremake libgcrypt
ipfiremake libassuan
ipfiremake mtools
ipfiremake initscripts
ipfiremake whatmask
- ipfiremake libmnl
- ipfiremake iptables
ipfiremake conntrack-tools
ipfiremake libupnp
ipfiremake ipaddr
ipfiremake squid-accounting
ipfiremake pigz
ipfiremake tmux
+ ipfiremake perl-Text-CSV_XS
ipfiremake swconfig
ipfiremake haproxy
}
iptables -A OUTPUT -o "${BLUE_DEV}" -j DHCPBLUEOUTPUT
fi
+ # GeoIP block
+ iptables -N GEOIPBLOCK
+ iptables -A INPUT -j GEOIPBLOCK
+ iptables -A FORWARD -j GEOIPBLOCK
+
# trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
iptables -N IPSECINPUT
iptables -N IPSECFORWARD
fi
# Start dhcpcd.
- /sbin/dhcpcd "${device}" "${dhcp_start}" >/dev/null 2>&1
+ /sbin/dhcpcd ${dhcp_start} ${device} >/dev/null 2>&1
ret="$?"
if [ "${ret}" -eq 0 ]; then
fi
# Stop dhcpcd.
- /sbin/dhcpcd "${device}" "${dhcp_stop}" &> /dev/null
+ /sbin/dhcpcd ${dhcp_stop} ${device} &> /dev/null
ret="$?"
# Wait until dhcpd has stopped.
--- /dev/null
+#!/bin/bash
+
+# Get the GeoIP database if no one exists yet.
+
+DIR="/usr/share/xt_geoip/*"
+
+found=false
+
+# Check if the directory contains any data.
+for i in $DIR; do
+ # Ignore "." and ".."
+ if [ -d "$i" ]; then
+ found=true
+ break
+ fi
+done
+
+# Download ruleset if none has been found.
+if ! ${found}; then
+ /usr/local/bin/xt_geoip_update >/dev/null 2>&1
+fi
+
+exit 0
From f2658275b25ebfe691cdcb9fede85a3088cca168 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Thu, 25 Sep 2014 21:51:25 +0100
-Subject: [PATCH 01/71] Add newline at the end of example config file.
+Subject: [PATCH 01/78] Add newline at the end of example config file.
---
dnsmasq.conf.example | 2 +-
From 00cd9d551998307225312fd21f761cfa8868bd2c Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Thu, 2 Oct 2014 21:44:21 +0100
-Subject: [PATCH 02/71] crash at startup when an empty suffix is supplied to
+Subject: [PATCH 02/78] crash at startup when an empty suffix is supplied to
--conf-dir
---
From 6ac3bc0452a74e16e3d620a0757b0f8caab182ec Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Fri, 3 Oct 2014 08:48:11 +0100
-Subject: [PATCH 03/71] Debian build fixes for kFreeBSD
+Subject: [PATCH 03/78] Debian build fixes for kFreeBSD
---
src/tables.c | 6 +++++-
From e9828b6f66b22ce8873f8d30a773137d1aef1b92 Mon Sep 17 00:00:00 2001
From: Karl Vogel <karl.vogel@gmail.com>
Date: Fri, 3 Oct 2014 21:45:15 +0100
-Subject: [PATCH 04/71] Set conntrack mark before connect() call.
+Subject: [PATCH 04/78] Set conntrack mark before connect() call.
SO_MARK has to be done before issuing the connect() call on the
TCP socket.
From 17b475912f6a4e72797a543dad59d4d5dde6bb1b Mon Sep 17 00:00:00 2001
From: Daniel Collins <daniel.collins@smoothwall.net>
Date: Fri, 3 Oct 2014 21:58:43 +0100
-Subject: [PATCH 05/71] Fix typo in new Dbus code.
+Subject: [PATCH 05/78] Fix typo in new Dbus code.
Simon's fault.
---
From 3d9d2dd0018603a2ae4b9cd65ac6ff959f4fd8c7 Mon Sep 17 00:00:00 2001
From: Tomas Hozza <thozza@redhat.com>
Date: Mon, 6 Oct 2014 10:46:48 +0100
-Subject: [PATCH 06/71] Fit example conf file typo.
+Subject: [PATCH 06/78] Fit example conf file typo.
---
dnsmasq.conf.example | 2 +-
From b9ff5c8f435173cfa616e3c398bdc089ef690a07 Mon Sep 17 00:00:00 2001
From: Vladislav Grishenko <themiron@mail.ru>
Date: Mon, 6 Oct 2014 14:34:24 +0100
-Subject: [PATCH 07/71] Improve RFC-compliance when unable to supply addresses
+Subject: [PATCH 07/78] Improve RFC-compliance when unable to supply addresses
in DHCPv6
While testing https://github.com/sbyx/odhcp6c client I have noticed it
From 98906275a02ae260fe3f82133bd79054f8315f06 Mon Sep 17 00:00:00 2001
From: Hans Dedecker <dedeckeh@gmail.com>
Date: Tue, 9 Dec 2014 22:22:53 +0000
-Subject: [PATCH 08/71] Fix conntrack with --bind-interfaces
+Subject: [PATCH 08/78] Fix conntrack with --bind-interfaces
Make sure dst_addr is assigned the correct address in receive_query when OPTNOWILD is
enabled so the assigned mark can be correctly retrieved and set in forward_query when
From 193de4abf59e49c6b70d54cfe9720fcb95ca2f71 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Wed, 10 Dec 2014 17:32:16 +0000
-Subject: [PATCH 09/71] Use inotify instead of polling on Linux.
+Subject: [PATCH 09/78] Use inotify instead of polling on Linux.
This should solve problems people are seeing when a file changes
twice within a second and thus is missed for polling.
From 857973e6f7e0a3d03535a9df7f9373fd7a0b65cc Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Mon, 15 Dec 2014 15:58:13 +0000
-Subject: [PATCH 10/71] Teach the new inotify code about symlinks.
+Subject: [PATCH 10/78] Teach the new inotify code about symlinks.
---
src/inotify.c | 43 +++++++++++++++++++++++++++----------------
From 800c5cc1e7438818fd80f08c2d472df249a6942d Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Mon, 15 Dec 2014 17:50:15 +0000
-Subject: [PATCH 11/71] Remove floor on EDNS0 packet size with DNSSEC.
+Subject: [PATCH 11/78] Remove floor on EDNS0 packet size with DNSSEC.
---
CHANGELOG | 6 +++++-
From ad946d555dce44eb690c7699933b6ff40ab85bb6 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Mon, 15 Dec 2014 17:52:22 +0000
-Subject: [PATCH 12/71] CHANGELOG re. inotify.
+Subject: [PATCH 12/78] CHANGELOG re. inotify.
---
CHANGELOG | 4 ++++
From 3ad3f3bbd4ee716a7d2fb1e115cf89bd1b1a5de9 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Tue, 16 Dec 2014 18:25:17 +0000
-Subject: [PATCH 13/71] Fix breakage of --domain=<domain>,<subnet>,local
+Subject: [PATCH 13/78] Fix breakage of --domain=<domain>,<subnet>,local
---
CHANGELOG | 4 ++++
From bd9520b7ade7098ee423acc38965376aa57feb07 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Tue, 16 Dec 2014 20:41:29 +0000
-Subject: [PATCH 14/71] Remove redundant IN6_IS_ADDR_ULA(a) macro defn.
+Subject: [PATCH 14/78] Remove redundant IN6_IS_ADDR_ULA(a) macro defn.
---
src/network.c | 4 ----
From 476693678e778886b64d0b56e27eb7695cbcca99 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Wed, 17 Dec 2014 12:41:56 +0000
-Subject: [PATCH 15/71] Eliminate IPv6 privacy addresses from --interface-name
+Subject: [PATCH 15/78] Eliminate IPv6 privacy addresses from --interface-name
answers.
---
From 3267804598047bd1781cab91508d1bc516e5ddbb Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Wed, 17 Dec 2014 20:38:20 +0000
-Subject: [PATCH 16/71] Tweak field width in cache dump to avoid truncating
+Subject: [PATCH 16/78] Tweak field width in cache dump to avoid truncating
IPv6 addresses.
---
From 094b5c3d904bae9aeb3206d9f3b8348926b84975 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Sun, 21 Dec 2014 16:11:52 +0000
-Subject: [PATCH 17/71] Fix crash in DNSSEC code when attempting to verify
+Subject: [PATCH 17/78] Fix crash in DNSSEC code when attempting to verify
large RRs.
---
From cbc652423403e3cef00e00240f6beef713142246 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Sun, 21 Dec 2014 21:21:53 +0000
-Subject: [PATCH 18/71] Make caching work for CNAMEs pointing to A/AAAA records
+Subject: [PATCH 18/78] Make caching work for CNAMEs pointing to A/AAAA records
shadowed in /etc/hosts
If the answer to an upstream query is a CNAME which points to an
From fbc5205702c7f6f431d9f1043c553d7fb62ddfdb Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Tue, 23 Dec 2014 15:46:08 +0000
-Subject: [PATCH 19/71] Fix problems validating NSEC3 and wildcards.
+Subject: [PATCH 19/78] Fix problems validating NSEC3 and wildcards.
---
src/dnssec.c | 253 ++++++++++++++++++++++++++++++-----------------------------
From 83d2ed09fc0216b567d7fb2197e4ff3eae150b0d Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Tue, 23 Dec 2014 18:42:38 +0000
-Subject: [PATCH 20/71] Initialise return value.
+Subject: [PATCH 20/78] Initialise return value.
---
src/dnssec.c | 7 +++++--
From 32fc6dbe03569d70dd394420ceb73532cf303c33 Mon Sep 17 00:00:00 2001
From: Glen Huang <curvedmark@gmail.com>
Date: Sat, 27 Dec 2014 15:28:12 +0000
-Subject: [PATCH 21/71] Add --ignore-address option.
+Subject: [PATCH 21/78] Add --ignore-address option.
---
CHANGELOG | 8 ++++++++
From 0b1008d367d44e77352134a4c5178f896f0db3e7 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Sat, 27 Dec 2014 15:33:32 +0000
-Subject: [PATCH 22/71] Bad packet protection.
+Subject: [PATCH 22/78] Bad packet protection.
---
src/dnssec.c | 2 +-
From d310ab7ecbffce79d3d90debba621e0222f9bced Mon Sep 17 00:00:00 2001
From: Matthias Andree <matthias.andree@gmx.de>
Date: Sat, 27 Dec 2014 15:36:38 +0000
-Subject: [PATCH 23/71] Fix build failure in new inotify code on BSD.
+Subject: [PATCH 23/78] Fix build failure in new inotify code on BSD.
---
src/inotify.c | 4 ++--
From 81c538efcebfce2ce4a1d3a420b6c885b8f08df9 Mon Sep 17 00:00:00 2001
From: Yousong Zhou <yszhou4tech@gmail.com>
Date: Sat, 3 Jan 2015 16:36:14 +0000
-Subject: [PATCH 24/71] Implement makefile dependencies on COPTS variable.
+Subject: [PATCH 24/78] Implement makefile dependencies on COPTS variable.
---
.gitignore | 2 +-
From d8dbd903d024f84a149dac2f8a674a68dfed47a3 Mon Sep 17 00:00:00 2001
From: Yousong Zhou <yszhou4tech@gmail.com>
Date: Mon, 5 Jan 2015 17:03:35 +0000
-Subject: [PATCH 25/71] Fix race condition issue in makefile.
+Subject: [PATCH 25/78] Fix race condition issue in makefile.
---
Makefile | 4 +++-
From 97e618a0e3f29465acc689d87288596b006f197e Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Wed, 7 Jan 2015 21:55:43 +0000
-Subject: [PATCH 26/71] DNSSEC: do top-down search for limit of secure
+Subject: [PATCH 26/78] DNSSEC: do top-down search for limit of secure
delegation.
---
From 25cf5e373eb41c088d4ee5e625209c4cf6a5659e Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Fri, 9 Jan 2015 15:53:03 +0000
-Subject: [PATCH 27/71] Add --log-queries=extra option for more complete
+Subject: [PATCH 27/78] Add --log-queries=extra option for more complete
logging.
---
From 28de38768e2c7d763b9aa5b7a4d251d5e56bab0b Mon Sep 17 00:00:00 2001
From: RinSatsuki <aa65535@live.com>
Date: Sat, 10 Jan 2015 15:22:21 +0000
-Subject: [PATCH 28/71] Add --min-cache-ttl option.
+Subject: [PATCH 28/78] Add --min-cache-ttl option.
---
CHANGELOG | 7 +++++++
From 9f79ee4ae34886c0319f06d8f162b81ef79d62fb Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Mon, 12 Jan 2015 20:18:18 +0000
-Subject: [PATCH 29/71] Log port of requestor when doing extra logging.
+Subject: [PATCH 29/78] Log port of requestor when doing extra logging.
---
src/cache.c | 6 +++---
From 5e321739db381a1d7b5964d76e9c81471d2564c9 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Mon, 12 Jan 2015 23:16:56 +0000
-Subject: [PATCH 30/71] Don't answer from cache RRsets from wildcards, as we
+Subject: [PATCH 30/78] Don't answer from cache RRsets from wildcards, as we
don't have NSECs.
---
From ae4624bf46b5e37ff1a9a2ba3c927e0dede95adb Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Mon, 12 Jan 2015 23:22:08 +0000
-Subject: [PATCH 31/71] Logs for DS records consistent.
+Subject: [PATCH 31/78] Logs for DS records consistent.
---
src/rfc1035.c | 2 +-
From 393415597c8b5b09558b789ab9ac238dbe3db65d Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Sun, 18 Jan 2015 22:11:10 +0000
-Subject: [PATCH 32/71] Cope with multiple interfaces with the same LL address.
+Subject: [PATCH 32/78] Cope with multiple interfaces with the same LL address.
---
CHANGELOG | 4 ++++
From 2ae195f5a71f7c5a75717845de1bd72fc7dd67f3 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Sun, 18 Jan 2015 22:20:48 +0000
-Subject: [PATCH 33/71] Don't treat SERVFAIL as a recoverable error.....
+Subject: [PATCH 33/78] Don't treat SERVFAIL as a recoverable error.....
---
src/forward.c | 2 +-
From 5f4dc5c6ca50655ab14f572c7e30815ed74cd51a Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Tue, 20 Jan 2015 20:51:02 +0000
-Subject: [PATCH 34/71] Add --dhcp-hostsdir config option.
+Subject: [PATCH 34/78] Add --dhcp-hostsdir config option.
---
CHANGELOG | 5 +++
From fbf01f7046e75f9aa73fd4aab2a94e43386d9052 Mon Sep 17 00:00:00 2001
From: Conrad Kostecki <ck@conrad-kostecki.de>
Date: Tue, 20 Jan 2015 21:07:56 +0000
-Subject: [PATCH 35/71] Update German translation.
+Subject: [PATCH 35/78] Update German translation.
---
po/de.po | 101 +++++++++++++++++++++++++++++----------------------------------
From 61b838dd574c51d96fef100285a0d225824534f9 Mon Sep 17 00:00:00 2001
From: Win King Wan <pinwing+dnsmasq@gmail.com>
Date: Wed, 21 Jan 2015 20:41:48 +0000
-Subject: [PATCH 36/71] Don't reply to DHCPv6 SOLICIT messages when not
+Subject: [PATCH 36/78] Don't reply to DHCPv6 SOLICIT messages when not
configured for statefull DHCPv6.
---
From 0491805d2ff6e7727f0272c94fd97d9897d1e22c Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Mon, 26 Jan 2015 11:23:43 +0000
-Subject: [PATCH 37/71] Allow inotify to be disabled at compile time on Linux.
+Subject: [PATCH 37/78] Allow inotify to be disabled at compile time on Linux.
---
CHANGELOG | 4 +++-
From 70d1873dd9e70041ed4bb88c69d5b886b7cc634c Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Sat, 31 Jan 2015 19:59:29 +0000
-Subject: [PATCH 38/71] Expand inotify code to dhcp-hostsdir, dhcp-optsdir and
+Subject: [PATCH 38/78] Expand inotify code to dhcp-hostsdir, dhcp-optsdir and
hostsdir.
---
From aff3396280e944833f0e23d834aa6acd5fe2605a Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Sat, 31 Jan 2015 20:13:40 +0000
-Subject: [PATCH 39/71] Update copyrights for dawn of 2015.
+Subject: [PATCH 39/78] Update copyrights for dawn of 2015.
---
Makefile | 2 +-
From 3d04f46334d0e345f589eda1372e638b946fe637 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Sat, 31 Jan 2015 21:59:13 +0000
-Subject: [PATCH 40/71] inotify documentation updates.
+Subject: [PATCH 40/78] inotify documentation updates.
---
man/dnsmasq.8 | 11 +++++++++--
From 6ef15b34ca83c62a939f69356d5c3f7a6bfef3d0 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Sat, 31 Jan 2015 22:44:26 +0000
-Subject: [PATCH 41/71] Fix broken ECDSA DNSSEC signatures.
+Subject: [PATCH 41/78] Fix broken ECDSA DNSSEC signatures.
---
CHANGELOG | 2 ++
From 106266761828a0acb006346ae47bf031dee46a5d Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Sun, 1 Feb 2015 00:15:16 +0000
-Subject: [PATCH 42/71] BSD make support
+Subject: [PATCH 42/78] BSD make support
---
Makefile | 6 ++++--
From 8d8a54ec79d9f96979fabbd97b1dd2ddebc7d78f Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Sun, 1 Feb 2015 21:48:46 +0000
-Subject: [PATCH 43/71] Fix build failure on openBSD.
+Subject: [PATCH 43/78] Fix build failure on openBSD.
---
src/tables.c | 2 +-
From d36b732c4cfa91ea09af64b5dc0f3a85a075e5bc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thi=C3=A9baud=20Weksteen?= <thiebaud@weksteen.fr>
Date: Mon, 2 Feb 2015 21:37:27 +0000
-Subject: [PATCH 44/71] Manpage typo fix.
+Subject: [PATCH 44/78] Manpage typo fix.
---
man/dnsmasq.8 | 2 +-
From 2941d3ac898cf84b544e47c9735c5e4111711db1 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Mon, 2 Feb 2015 22:36:42 +0000
-Subject: [PATCH 45/71] Fixup dhcp-configs after reading extra hostfiles with
+Subject: [PATCH 45/78] Fixup dhcp-configs after reading extra hostfiles with
inotify.
---
From f9c863708c6b0aea31ff7a466647685dc739de50 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Tue, 3 Feb 2015 21:52:48 +0000
-Subject: [PATCH 46/71] Extra logging for inotify code.
+Subject: [PATCH 46/78] Extra logging for inotify code.
---
src/cache.c | 9 ++++-----
From efb8b5566aafc1f3ce18514a2df93af5a2e4998c Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Sat, 7 Feb 2015 22:36:34 +0000
-Subject: [PATCH 47/71] man page typo.
+Subject: [PATCH 47/78] man page typo.
---
man/dnsmasq.8 | 1 +
From f4f400776b3c1aa303d1a0fcd500f0ab5bc970f2 Mon Sep 17 00:00:00 2001
From: Shantanu Gadgil <shantanugadgil@yahoo.com>
Date: Wed, 11 Feb 2015 20:16:59 +0000
-Subject: [PATCH 48/71] Fix get-version script which returned wrong tag in some
+Subject: [PATCH 48/78] Fix get-version script which returned wrong tag in some
situations.
---
From 8ff70de618eb7de9147dbfbd4deca4a2dd62f0cb Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Sat, 14 Feb 2015 20:02:37 +0000
-Subject: [PATCH 49/71] Typos.
+Subject: [PATCH 49/78] Typos.
---
src/inotify.c | 3 ++-
From caeea190f12efd20139f694aac4942d1ac00019f Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Sat, 14 Feb 2015 20:08:56 +0000
-Subject: [PATCH 50/71] Make dynamic hosts files work when --no-hosts set.
+Subject: [PATCH 50/78] Make dynamic hosts files work when --no-hosts set.
---
src/cache.c | 21 +++++++++++----------
From 28b879ac47b872af6e8c5e86d76806c69338434d Mon Sep 17 00:00:00 2001
From: Chen Wei <weichen302@icloud.com>
Date: Tue, 17 Feb 2015 22:07:35 +0000
-Subject: [PATCH 51/71] Fix trivial memory leaks to quieten valgrind.
+Subject: [PATCH 51/78] Fix trivial memory leaks to quieten valgrind.
---
src/dnsmasq.c | 2 ++
From 0705a7e2d57654b27c7e14f35ca77241c1821f4d Mon Sep 17 00:00:00 2001
From: Tomas Hozza <thozza@redhat.com>
Date: Mon, 23 Feb 2015 21:26:26 +0000
-Subject: [PATCH 52/71] Fix uninitialized value used in get_client_mac()
+Subject: [PATCH 52/78] Fix uninitialized value used in get_client_mac()
---
src/dhcp6.c | 4 +++-
From 47b9ac59c715827252ae6e6732903c3dabb697fb Mon Sep 17 00:00:00 2001
From: Joachim Zobel <jz-2014@heute-morgen.de>
Date: Mon, 23 Feb 2015 21:38:11 +0000
-Subject: [PATCH 53/71] Log parsing utils in contrib/reverse-dns
+Subject: [PATCH 53/78] Log parsing utils in contrib/reverse-dns
---
contrib/reverse-dns/README | 18 ++++++++++++++++++
From f6e62e2af96f5fa0d1e3d93167a93a8f09bf6e61 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Sun, 1 Mar 2015 18:17:54 +0000
-Subject: [PATCH 54/71] Add --dnssec-timestamp option and facility.
+Subject: [PATCH 54/78] Add --dnssec-timestamp option and facility.
---
CHANGELOG | 6 +++++
From 9003b50b13da624ca45f3e0cf99abb623b8d026b Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Mon, 2 Mar 2015 22:47:23 +0000
-Subject: [PATCH 55/71] Fix last commit to not crash if uid changing not
+Subject: [PATCH 55/78] Fix last commit to not crash if uid changing not
configured.
---
From 4c960fa90a975d20f75a1ecabd217247f1922c8f Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Wed, 4 Mar 2015 20:32:26 +0000
-Subject: [PATCH 56/71] New version of contrib/reverse-dns
+Subject: [PATCH 56/78] New version of contrib/reverse-dns
---
contrib/reverse-dns/README | 22 +++---
From 360f2513ab12a9bf1e262d388dd2ea8a566590a3 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Sat, 7 Mar 2015 18:28:06 +0000
-Subject: [PATCH 57/71] Tweak DNSSEC timestamp code to create file later,
+Subject: [PATCH 57/78] Tweak DNSSEC timestamp code to create file later,
removing need to chown it.
---
From ff841ebf5a5d6864ff48571f607c32ce80dbb75a Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Wed, 11 Mar 2015 21:36:30 +0000
-Subject: [PATCH 58/71] Fix boilerplate code for re-running system calls on
+Subject: [PATCH 58/78] Fix boilerplate code for re-running system calls on
EINTR and EAGAIN etc.
The nasty code with static variable in retry_send() which
From 979fe86bc8693f660eddea232ae39cbbb50b294c Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Thu, 19 Mar 2015 22:50:22 +0000
-Subject: [PATCH 59/71] Make --address=/example.com/ equivalent to
+Subject: [PATCH 59/78] Make --address=/example.com/ equivalent to
--server=/example.com/
---
From 65c721200023ef0023114459a8d12f8b0a24cfd8 Mon Sep 17 00:00:00 2001
From: Lung-Pin Chang <changlp@cs.nctu.edu.tw>
Date: Thu, 19 Mar 2015 23:22:21 +0000
-Subject: [PATCH 60/71] dhcp: set outbound interface via cmsg in unicast reply
+Subject: [PATCH 60/78] dhcp: set outbound interface via cmsg in unicast reply
If multiple routes to the same network exist, Linux blindly picks
the first interface (route) based on destination address, which might not be
From 8805283088d670baecb92569252c01cf754cda51 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Thu, 26 Mar 2015 21:15:43 +0000
-Subject: [PATCH 61/71] Don't fail DNSSEC when a signed CNAME dangles into an
+Subject: [PATCH 61/78] Don't fail DNSSEC when a signed CNAME dangles into an
unsigned zone.
---
From 150162bc37170a6edae9d488435e836b1e4e3a4e Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Fri, 27 Mar 2015 09:58:26 +0000
-Subject: [PATCH 62/71] Return SERVFAIL when validation abandoned.
+Subject: [PATCH 62/78] Return SERVFAIL when validation abandoned.
---
src/forward.c | 11 +++++++++--
From 0b8a5a30a77331974ba24a04e43e720585dfbc61 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Fri, 27 Mar 2015 11:44:55 +0000
-Subject: [PATCH 63/71] Protect against broken DNSSEC upstreams.
+Subject: [PATCH 63/78] Protect against broken DNSSEC upstreams.
---
src/dnssec.c | 7 +++++--
From 1e153945def3c50d1e59ceea6a768db0ac770f98 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Sat, 28 Mar 2015 21:34:07 +0000
-Subject: [PATCH 64/71] DNSSEC fix for non-ascii characters in labels.
+Subject: [PATCH 64/78] DNSSEC fix for non-ascii characters in labels.
---
src/dnssec.c | 34 +++++++++++++++++-----------------
From 394ff492da6af5da7e7d356be9586683bc5fc011 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Sun, 29 Mar 2015 22:17:14 +0100
-Subject: [PATCH 65/71] Allow control characters in names in the cache, handle
+Subject: [PATCH 65/78] Allow control characters in names in the cache, handle
when logging.
---
From 794fccca7ffebfba4468bfffc6276b68bbf6afd9 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Sun, 29 Mar 2015 22:35:44 +0100
-Subject: [PATCH 66/71] Fix crash in last commit.
+Subject: [PATCH 66/78] Fix crash in last commit.
---
src/cache.c | 7 ++++---
From fd6ad9e481ab7c812a6b1515244908818cbb0442 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Mon, 30 Mar 2015 07:52:21 +0100
-Subject: [PATCH 67/71] Merge message translations.
+Subject: [PATCH 67/78] Merge message translations.
---
po/de.po | 803 +++++++++++++++++++++++++++++++++--------------------------
From 30d0879ed55cb67b1b735beab3d93f3bb3ef1dd2 Mon Sep 17 00:00:00 2001
From: Stefan Tomanek <stefan.tomanek+dnsmasq@wertarbyte.de>
Date: Tue, 31 Mar 2015 22:32:11 +0100
-Subject: [PATCH 68/71] add --tftp-no-fail to ignore missing tftp root
+Subject: [PATCH 68/78] add --tftp-no-fail to ignore missing tftp root
---
CHANGELOG | 3 +++
From 7aa970e2c7043201663d86a4b5d8cd5c592cef39 Mon Sep 17 00:00:00 2001
From: Stefan Tomanek <stefan.tomanek+dnsmasq@wertarbyte.de>
Date: Wed, 1 Apr 2015 17:55:07 +0100
-Subject: [PATCH 69/71] Whitespace fixes.
+Subject: [PATCH 69/78] Whitespace fixes.
---
src/dnsmasq.c | 14 +++++++-------
From fe3992f9fa69fa975ea31919c53933b5f6a63527 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Fri, 3 Apr 2015 21:25:05 +0100
-Subject: [PATCH 70/71] Return INSECURE, rather than BOGUS when DS proved not
+Subject: [PATCH 70/78] Return INSECURE, rather than BOGUS when DS proved not
to exist.
Return INSECURE when validating DNS replies which have RRSIGs, but
From 982faf402487e265ed11ac03524531d42b03c966 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Fri, 3 Apr 2015 21:42:30 +0100
-Subject: [PATCH 71/71] Fix compiler warning when not including DNSSEC.
+Subject: [PATCH 71/78] Fix compiler warning when not including DNSSEC.
---
src/forward.c | 3 ++-
--- /dev/null
+From 04b0ac05377936d121a36873bb63d492cde292c9 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Mon, 6 Apr 2015 17:19:13 +0100
+Subject: [PATCH 72/78] Fix crash caused by looking up servers.bind when many
+ servers defined.
+
+---
+ CHANGELOG | 7 ++++++-
+ src/cache.c | 4 ++--
+ 2 files changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index 34432ae4807f..6aa3d851a297 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -75,7 +75,12 @@ version 2.73
+
+ Add --tftp-no-fail option. Thanks to Stefan Tomanek for
+ the patch.
+-
++
++ Fix crash caused by looking up servers.bind, CHAOS text record,
++ when more than about five --servers= lines are in the dnsmasq
++ config. This causes memory corruption which causes a crash later.
++ Thanks to Matt Coddington for sterling work chasing this down.
++
+
+ version 2.72
+ Add ra-advrouter mode, for RFC-3775 mobile IPv6 support.
+diff --git a/src/cache.c b/src/cache.c
+index d7bea574c0d8..178d654ca92e 100644
+--- a/src/cache.c
++++ b/src/cache.c
+@@ -1367,7 +1367,7 @@ int cache_make_stat(struct txt_record *t)
+ }
+ port = prettyprint_addr(&serv->addr, daemon->addrbuff);
+ lenp = p++; /* length */
+- bytes_avail = (p - buff) + bufflen;
++ bytes_avail = bufflen - (p - buff );
+ bytes_needed = snprintf(p, bytes_avail, "%s#%d %u %u", daemon->addrbuff, port, queries, failed_queries);
+ if (bytes_needed >= bytes_avail)
+ {
+@@ -1381,7 +1381,7 @@ int cache_make_stat(struct txt_record *t)
+ lenp = p - 1;
+ buff = new;
+ bufflen = newlen;
+- bytes_avail = (p - buff) + bufflen;
++ bytes_avail = bufflen - (p - buff );
+ bytes_needed = snprintf(p, bytes_avail, "%s#%d %u %u", daemon->addrbuff, port, queries, failed_queries);
+ }
+ *lenp = bytes_needed;
+--
+2.1.0
+
--- /dev/null
+From ad4a8ff7d9097008d7623df8543df435bfddeac8 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Thu, 9 Apr 2015 21:48:00 +0100
+Subject: [PATCH 73/78] Fix crash on receipt of certain malformed DNS requests.
+
+---
+ CHANGELOG | 3 +++
+ src/rfc1035.c | 9 ++++++---
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index 6aa3d851a297..9af617056f1f 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -125,6 +125,9 @@ version 2.72
+ Fix problem with --local-service option on big-endian platforms
+ Thanks to Richard Genoud for the patch.
+
++ Fix crash on receipt of certain malformed DNS requests. Thanks
++ to Nick Sampanis for spotting the problem.
++
+
+ version 2.71
+ Subtle change to error handling to help DNSSEC validation
+diff --git a/src/rfc1035.c b/src/rfc1035.c
+index 7a07b0cee906..a995ab50d74a 100644
+--- a/src/rfc1035.c
++++ b/src/rfc1035.c
+@@ -1198,7 +1198,10 @@ unsigned int extract_request(struct dns_header *header, size_t qlen, char *name,
+ size_t setup_reply(struct dns_header *header, size_t qlen,
+ struct all_addr *addrp, unsigned int flags, unsigned long ttl)
+ {
+- unsigned char *p = skip_questions(header, qlen);
++ unsigned char *p;
++
++ if (!(p = skip_questions(header, qlen)))
++ return 0;
+
+ /* clear authoritative and truncated flags, set QR flag */
+ header->hb3 = (header->hb3 & ~(HB3_AA | HB3_TC)) | HB3_QR;
+@@ -1214,7 +1217,7 @@ size_t setup_reply(struct dns_header *header, size_t qlen,
+ SET_RCODE(header, NOERROR); /* empty domain */
+ else if (flags == F_NXDOMAIN)
+ SET_RCODE(header, NXDOMAIN);
+- else if (p && flags == F_IPV4)
++ else if (flags == F_IPV4)
+ { /* we know the address */
+ SET_RCODE(header, NOERROR);
+ header->ancount = htons(1);
+@@ -1222,7 +1225,7 @@ size_t setup_reply(struct dns_header *header, size_t qlen,
+ add_resource_record(header, NULL, NULL, sizeof(struct dns_header), &p, ttl, NULL, T_A, C_IN, "4", addrp);
+ }
+ #ifdef HAVE_IPV6
+- else if (p && flags == F_IPV6)
++ else if (flags == F_IPV6)
+ {
+ SET_RCODE(header, NOERROR);
+ header->ancount = htons(1);
+--
+2.1.0
+
--- /dev/null
+From 38440b204db65f9be16c4c3daa7e991e4356f6ed Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Sun, 12 Apr 2015 21:52:47 +0100
+Subject: [PATCH 74/78] Fix crash in auth code with odd configuration.
+
+---
+ CHANGELOG | 32 +++++++++++++++++++++-----------
+ src/auth.c | 13 ++++++++-----
+ 2 files changed, 29 insertions(+), 16 deletions(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index 9af617056f1f..f2142c71cbdc 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -68,18 +68,31 @@ version 2.73
+ Fix broken DNSSEC validation of ECDSA signatures.
+
+ Add --dnssec-timestamp option, which provides an automatic
+- way to detect when the system time becomes valid after boot
+- on systems without an RTC, whilst allowing DNS queries before the
+- clock is valid so that NTP can run. Thanks to
+- Kevin Darbyshire-Bryant for developing this idea.
++ way to detect when the system time becomes valid after
++ boot on systems without an RTC, whilst allowing DNS
++ queries before the clock is valid so that NTP can run.
++ Thanks to Kevin Darbyshire-Bryant for developing this idea.
+
+ Add --tftp-no-fail option. Thanks to Stefan Tomanek for
+ the patch.
+
+- Fix crash caused by looking up servers.bind, CHAOS text record,
+- when more than about five --servers= lines are in the dnsmasq
+- config. This causes memory corruption which causes a crash later.
+- Thanks to Matt Coddington for sterling work chasing this down.
++ Fix crash caused by looking up servers.bind, CHAOS text
++ record, when more than about five --servers= lines are
++ in the dnsmasq config. This causes memory corruption
++ which causes a crash later. Thanks to Matt Coddington for
++ sterling work chasing this down.
++
++ Fix crash on receipt of certain malformed DNS requests.
++ Thanks to Nick Sampanis for spotting the problem.
++
++ Fix crash in authoritative DNS code, if a .arpa zone
++ is declared as authoritative, and then a PTR query which
++ is not to be treated as authoritative arrived. Normally,
++ directly declaring .arpa zone as authoritative is not
++ done, so this crash wouldn't be seen. Instead the
++ relevant .arpa zone should be specified as a subnet
++ in the auth-zone declaration. Thanks to Johnny S. Lee
++ for the bugreport and initial patch.
+
+
+ version 2.72
+@@ -125,10 +138,7 @@ version 2.72
+ Fix problem with --local-service option on big-endian platforms
+ Thanks to Richard Genoud for the patch.
+
+- Fix crash on receipt of certain malformed DNS requests. Thanks
+- to Nick Sampanis for spotting the problem.
+
+-
+ version 2.71
+ Subtle change to error handling to help DNSSEC validation
+ when servers fail to provide NODATA answers for
+diff --git a/src/auth.c b/src/auth.c
+index 15721e52793f..4a5c39fc5c07 100644
+--- a/src/auth.c
++++ b/src/auth.c
+@@ -141,7 +141,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
+ for (zone = daemon->auth_zones; zone; zone = zone->next)
+ if ((subnet = find_subnet(zone, flag, &addr)))
+ break;
+-
++
+ if (!zone)
+ {
+ auth = 0;
+@@ -186,7 +186,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
+
+ if (intr)
+ {
+- if (in_zone(zone, intr->name, NULL))
++ if (local_query || in_zone(zone, intr->name, NULL))
+ {
+ found = 1;
+ log_query(flag | F_REVERSE | F_CONFIG, intr->name, &addr, NULL);
+@@ -208,8 +208,11 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
+ *p = 0; /* must be bare name */
+
+ /* add external domain */
+- strcat(name, ".");
+- strcat(name, zone->domain);
++ if (zone)
++ {
++ strcat(name, ".");
++ strcat(name, zone->domain);
++ }
+ log_query(flag | F_DHCP | F_REVERSE, name, &addr, record_source(crecp->uid));
+ found = 1;
+ if (add_resource_record(header, limit, &trunc, nameoffset, &ansp,
+@@ -217,7 +220,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
+ T_PTR, C_IN, "d", name))
+ anscount++;
+ }
+- else if (crecp->flags & (F_DHCP | F_HOSTS) && in_zone(zone, name, NULL))
++ else if (crecp->flags & (F_DHCP | F_HOSTS) && (local_query || in_zone(zone, name, NULL)))
+ {
+ log_query(crecp->flags & ~F_FORWARD, name, &addr, record_source(crecp->uid));
+ found = 1;
+--
+2.1.0
+
--- /dev/null
+From 78c6184752dce27849e36cce4360abc27b8d76d2 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Thu, 16 Apr 2015 15:05:30 +0100
+Subject: [PATCH 75/78] Auth: correct replies to NS and SOA in .arpa zones.
+
+---
+ CHANGELOG | 8 ++++++++
+ src/auth.c | 51 ++++++++++++++++++++++++++++++---------------------
+ 2 files changed, 38 insertions(+), 21 deletions(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index f2142c71cbdc..0619788e9cef 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -94,6 +94,14 @@ version 2.73
+ in the auth-zone declaration. Thanks to Johnny S. Lee
+ for the bugreport and initial patch.
+
++ Fix authoritative DNS code to correctly reply to NS
++ and SOA queries for .arpa zones for which we are
++ declared authoritative by means of a subnet in auth-zone.
++ Previously we provided correct answers to PTR queries
++ in such zones (including NS and SOA) but not direct
++ NS and SOA queries. Thanks to Johnny S. Lee for
++ pointing out the problem.
++
+
+ version 2.72
+ Add ra-advrouter mode, for RFC-3775 mobile IPv6 support.
+diff --git a/src/auth.c b/src/auth.c
+index 4a5c39fc5c07..2b0b7d6b052d 100644
+--- a/src/auth.c
++++ b/src/auth.c
+@@ -131,24 +131,27 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
+ continue;
+ }
+
+- if (qtype == T_PTR)
++ if ((qtype == T_PTR || qtype == T_SOA || qtype == T_NS) &&
++ (flag = in_arpa_name_2_addr(name, &addr)) &&
++ !local_query)
+ {
+- if (!(flag = in_arpa_name_2_addr(name, &addr)))
+- continue;
+-
+- if (!local_query)
++ for (zone = daemon->auth_zones; zone; zone = zone->next)
++ if ((subnet = find_subnet(zone, flag, &addr)))
++ break;
++
++ if (!zone)
+ {
+- for (zone = daemon->auth_zones; zone; zone = zone->next)
+- if ((subnet = find_subnet(zone, flag, &addr)))
+- break;
+-
+- if (!zone)
+- {
+- auth = 0;
+- continue;
+- }
++ auth = 0;
++ continue;
+ }
++ else if (qtype == T_SOA)
++ soa = 1, found = 1;
++ else if (qtype == T_NS)
++ ns = 1, found = 1;
++ }
+
++ if (qtype == T_PTR && flag)
++ {
+ intr = NULL;
+
+ if (flag == F_IPV4)
+@@ -243,14 +246,20 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
+ }
+
+ cname_restart:
+- for (zone = daemon->auth_zones; zone; zone = zone->next)
+- if (in_zone(zone, name, &cut))
+- break;
+-
+- if (!zone)
++ if (found)
++ /* NS and SOA .arpa requests have set found above. */
++ cut = NULL;
++ else
+ {
+- auth = 0;
+- continue;
++ for (zone = daemon->auth_zones; zone; zone = zone->next)
++ if (in_zone(zone, name, &cut))
++ break;
++
++ if (!zone)
++ {
++ auth = 0;
++ continue;
++ }
+ }
+
+ for (rec = daemon->mxnames; rec; rec = rec->next)
+--
+2.1.0
+
--- /dev/null
+From b4c0f092d8ce63ea4763c0ac17aa8d24318ad301 Mon Sep 17 00:00:00 2001
+From: Stefan Tomanek <stefan.tomanek+dnsmasq@wertarbyte.de>
+Date: Thu, 16 Apr 2015 15:20:59 +0100
+Subject: [PATCH 76/78] Fix (srk induced) crash in new tftp_no_fail code.
+
+---
+ src/dnsmasq.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/dnsmasq.c b/src/dnsmasq.c
+index a7c5da8fbd01..20b15c05103a 100644
+--- a/src/dnsmasq.c
++++ b/src/dnsmasq.c
+@@ -655,7 +655,8 @@ int main (int argc, char **argv)
+ _exit(0);
+ }
+ }
+- closedir(dir);
++ else
++ closedir(dir);
+ }
+
+ for (p = daemon->if_prefix; p; p = p->next)
+@@ -670,7 +671,8 @@ int main (int argc, char **argv)
+ _exit(0);
+ }
+ }
+- closedir(dir);
++ else
++ closedir(dir);
+ }
+ }
+ #endif
+--
+2.1.0
+
--- /dev/null
+From 0df29f5e23fd2f16181847db1fcf3a8b392d869a Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Thu, 16 Apr 2015 15:24:52 +0100
+Subject: [PATCH 77/78] Note CVE-2015-3294
+
+---
+ CHANGELOG | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index 0619788e9cef..7f2b1e002e9e 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -84,6 +84,9 @@ version 2.73
+
+ Fix crash on receipt of certain malformed DNS requests.
+ Thanks to Nick Sampanis for spotting the problem.
++ Note that this is could allow the dnsmasq process's
++ memory to be read by an attacker under certain
++ circumstances, so it has a CVE, CVE-2015-3294
+
+ Fix crash in authoritative DNS code, if a .arpa zone
+ is declared as authoritative, and then a PTR query which
+--
+2.1.0
+
--- /dev/null
+From 554b580e970275d5a869cb4fbfb2716f92b2f664 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Fri, 17 Apr 2015 22:50:20 +0100
+Subject: [PATCH 78/78] Log domain when reporting DNSSEC validation failure.
+
+---
+ src/forward.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/src/forward.c b/src/forward.c
+index 3f6b9a23b6ab..1c7da3f5655c 100644
+--- a/src/forward.c
++++ b/src/forward.c
+@@ -1014,7 +1014,7 @@ void reply_query(int fd, int family, time_t now)
+ header->hb3 |= HB3_TC;
+ else
+ {
+- char *result;
++ char *result, *domain = "result";
+
+ if (forward->work_counter == 0)
+ {
+@@ -1024,7 +1024,10 @@ void reply_query(int fd, int family, time_t now)
+ else
+ result = (status == STAT_SECURE ? "SECURE" : (status == STAT_INSECURE ? "INSECURE" : "BOGUS"));
+
+- log_query(F_KEYTAG | F_SECSTAT, "result", NULL, result);
++ if (status == STAT_BOGUS && extract_request(header, n, daemon->namebuff, NULL))
++ domain = daemon->namebuff;
++
++ log_query(F_KEYTAG | F_SECSTAT, domain, NULL, result);
+ }
+
+ if (status == STAT_SECURE)
+@@ -1975,7 +1978,7 @@ unsigned char *tcp_request(int confd, time_t now,
+ {
+ int keycount = DNSSEC_WORK; /* Limit to number of DNSSEC questions, to catch loops and avoid filling cache. */
+ int status = tcp_key_recurse(now, STAT_TRUNCATED, header, m, 0, daemon->namebuff, daemon->keyname, last_server, &keycount);
+- char *result;
++ char *result, *domain = "result";
+
+ if (status == STAT_INSECURE_DS)
+ {
+@@ -1993,8 +1996,10 @@ unsigned char *tcp_request(int confd, time_t now,
+ }
+ else
+ result = (status == STAT_SECURE ? "SECURE" : (status == STAT_INSECURE ? "INSECURE" : "BOGUS"));
+-
+- log_query(F_KEYTAG | F_SECSTAT, "result", NULL, result);
++ if (status == STAT_BOGUS && extract_request(header, m, daemon->namebuff, NULL))
++ domain = daemon->namebuff;
++
++ log_query(F_KEYTAG | F_SECSTAT, domain, NULL, result);
+
+ if (status == STAT_BOGUS)
+ {
+--
+2.1.0
+
-diff -up openssl-1.0.1e/Configure.rpmbuild openssl-1.0.1e/Configure
---- openssl-1.0.1e/Configure.rpmbuild 2014-08-13 19:19:53.211005598 +0200
-+++ openssl-1.0.1e/Configure 2014-08-13 19:29:21.704099285 +0200
-@@ -1675,7 +1676,7 @@ while (<IN>)
+diff -Nur openssl-1.0.2a-vanilla/Configure openssl-1.0.2a/Configure
+--- openssl-1.0.2a-vanilla/Configure 2015-03-19 13:30:36.000000000 +0000
++++ openssl-1.0.2a/Configure 2015-04-23 10:31:41.336569854 +0000
+@@ -348,7 +348,7 @@
+ ####
+ # *-generic* is endian-neutral target, but ./config is free to
+ # throw in -D[BL]_ENDIAN, whichever appropriate...
+-"linux-generic32","gcc:-O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-generic32","gcc:\$(CFLAGS) -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(CFLAGS):.so.\$(SHLIB_SONAMEVER)",
+ "linux-ppc", "gcc:-DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+
+ #######################################################################
+@@ -389,7 +389,7 @@
+ "linux64-mips64", "gcc:-mabi=64 -O3 -Wall -DBN_DIV3W::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:64:dlfcn:linux-shared:-fPIC:-mabi=64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+ #### IA-32 targets...
+ "linux-ia32-icc", "icc:-DL_ENDIAN -O2::-D_REENTRANT::-ldl -no_cpprt:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"linux-elf", "gcc:-DL_ENDIAN -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-elf", "gcc:-DL_ENDIAN \$(CFLAGS) -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_SONAMEVER)",
+ "linux-aout", "gcc:-DL_ENDIAN -O3 -fomit-frame-pointer -march=i486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_asm}:a.out",
+ ####
+ "linux-generic64","gcc:-O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+@@ -1737,7 +1737,7 @@
elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/)
{
my $sotmp = $1;
}
elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.[^\.]*\.dylib$/)
{
-diff -up openssl-1.0.1e/Makefile.org.rpmbuild openssl-1.0.1e/Makefile.org
---- openssl-1.0.1e/Makefile.org.rpmbuild 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/Makefile.org 2014-08-13 19:19:53.218005759 +0200
-@@ -10,6 +10,7 @@ SHLIB_VERSION_HISTORY=
+diff -Nur openssl-1.0.2a-vanilla/Makefile.org openssl-1.0.2a/Makefile.org
+--- openssl-1.0.2a-vanilla/Makefile.org 2015-03-19 13:30:36.000000000 +0000
++++ openssl-1.0.2a/Makefile.org 2015-04-23 10:30:03.184371933 +0000
+@@ -10,6 +10,7 @@
SHLIB_MAJOR=
SHLIB_MINOR=
SHLIB_EXT=
PLATFORM=dist
OPTIONS=
CONFIGURE_ARGS=
-@@ -333,10 +334,9 @@ clean-shared:
+@@ -335,10 +336,9 @@
link-shared:
@ set -e; for i in $(SHLIBDIRS); do \
$(MAKE) -f $(HERE)/Makefile.shared -e $(BUILDENV) \
done
build-shared: do_$(SHLIB_TARGET) link-shared
-@@ -347,7 +347,7 @@ do_$(SHLIB_TARGET):
+@@ -349,7 +349,7 @@
libs="$(LIBKRB5) $$libs"; \
fi; \
$(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \
LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \
LIBDEPS="$$libs $(EX_LIBS)" \
link_a.$(SHLIB_TARGET); \
---- a/Configure.old 2015-03-19 18:10:45.101201021 +0000
-+++ b/Configure 2015-03-19 18:11:19.324547495 +0000
-@@ -345,14 +345,14 @@
- ####
- # *-generic* is endian-neutral target, but ./config is free to
- # throw in -D[BL]_ENDIAN, whichever appropriate...
--"linux-generic32","gcc:-O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-generic32","gcc:-O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_SONAMEVER)",
- "linux-ppc", "gcc:-DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- # It's believed that majority of ARM toolchains predefine appropriate -march.
- # If you compiler does not, do complement config command line with one!
- "linux-armv4", "gcc:-O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- #### IA-32 targets...
- "linux-ia32-icc", "icc:-DL_ENDIAN -O2 -no_cpprt::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
--"linux-elf", "gcc:-DL_ENDIAN -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-elf", "gcc:-DL_ENDIAN -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_SONAMEVER)",
- "linux-aout", "gcc:-DL_ENDIAN -O3 -fomit-frame-pointer -march=i486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_asm}:a.out",
- ####
- "linux-generic64","gcc:-O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
--- /dev/null
+#!/usr/bin/perl
+#
+# Converter for MaxMind CSV database to binary, for xt_geoip
+# Copyright © Jan Engelhardt, 2008-2011
+#
+use Getopt::Long;
+use IO::Handle;
+use Text::CSV_XS; # or trade for Text::CSV
+use strict;
+
+my $csv = Text::CSV_XS->new({
+ allow_whitespace => 1,
+ binary => 1,
+ eol => $/,
+}); # or Text::CSV
+my $target_dir = ".";
+
+&Getopt::Long::Configure(qw(bundling));
+&GetOptions(
+ "D=s" => \$target_dir,
+);
+
+if (!-d $target_dir) {
+ print STDERR "Target directory $target_dir does not exist.\n";
+ exit 1;
+}
+
+my $dir = "$target_dir/LE";
+if (!-e $dir && !mkdir($dir)) {
+ print STDERR "Could not mkdir $dir: $!\n";
+ exit 1;
+}
+
+&dump(&collect());
+
+sub collect
+{
+ my %country;
+
+ while (my $row = $csv->getline(*ARGV)) {
+ if (!defined($country{$row->[4]})) {
+ $country{$row->[4]} = {
+ name => $row->[5],
+ pool_v4 => [],
+ pool_v6 => [],
+ };
+ }
+ my $c = $country{$row->[4]};
+
+ push(@{$c->{pool_v4}}, [$row->[2], $row->[3]]);
+
+ if ($. % 4096 == 0) {
+ print STDERR "\r\e[2K$. entries";
+ }
+ }
+
+ print STDERR "\r\e[2K$. entries total\n";
+ return \%country;
+}
+
+sub dump
+{
+ my $country = shift @_;
+
+ foreach my $iso_code (sort keys %$country) {
+ &dump_one($iso_code, $country->{$iso_code});
+ }
+}
+
+sub dump_one
+{
+ my($iso_code, $country) = @_;
+ my($file, $fh_le, $fh_be);
+
+ printf "%5u IPv4 ranges for %s %s\n",
+ scalar(@{$country->{pool_v4}}),
+ $iso_code, $country->{name};
+
+ $file = "$target_dir/LE/".uc($iso_code).".iv4";
+ if (!open($fh_le, "> $file")) {
+ print STDERR "Error opening $file: $!\n";
+ exit 1;
+ }
+ foreach my $range (@{$country->{pool_v4}}) {
+ print $fh_le pack("VV", $range->[0], $range->[1]);
+ #print $fh_be pack("NN", $range->[0], $range->[1]);
+ }
+ close $fh_le;
+}
--- /dev/null
+#!/bin/bash
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2014 IPFire Development Team <info@ipfire.org> #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see <http://www.gnu.org/licenses/>. #
+# #
+###############################################################################
+
+TMP_PATH=$(mktemp -d)
+TMP_FILE=$(mktemp -p $TMP_PATH)
+
+SCRIPT_PATH=/usr/local/bin
+DEST_PATH=/usr/share/xt_geoip
+
+DL_URL=http://geolite.maxmind.com/download/geoip/database
+DL_FILE=GeoIPCountryCSV.zip
+
+CSV_FILE=GeoIPCountryWhois.csv
+
+ARCH=LE
+
+eval $(/usr/local/bin/readhash /var/ipfire/proxy/settings)
+
+function download() {
+ echo "Downloading latest GeoIP ruleset..."
+
+ # Create temporary directory.
+ mkdir -pv $TMP_PATH
+
+ # Proxy settings.
+ # Check if a proxy should be used.
+ if [[ $UPSTREAM_PROXY ]]; then
+ PROXYSETTINGS="-e http_proxy=http://"
+
+ # Check if authentication against the proxy is configured.
+ if [[ $UPSTREAM_USER && $UPSTREAM_PASSWORD ]]; then
+ PROXYSETTINGS="$PROXYSETTINGS$UPSTREAM_USER:$UPSTREAM_PASSWORD@"
+ fi
+
+ # Add proxy server.
+ PROXYSETTINGS="$PROXYSETTINGS$UPSTREAM_PROXY"
+ fi
+
+ # Get the latest GeoIP database from server.
+ wget $DL_URL/$DL_FILE $PROXYSETTINGS -O $TMP_FILE
+
+ # Extract files.
+ unzip $TMP_FILE -d $TMP_PATH
+
+ return 0
+}
+
+function build() {
+ echo "Convert database..."
+
+ # Check if the csv file exists.
+ if [ ! -e $TMP_PATH/$CSV_FILE ]; then
+ echo "$TMP_PATH/$CSV_FILE not found. Exiting."
+ return 1
+ fi
+
+ # Run script to convert the CSV file into several xtables
+ # compatible binary files.
+ if ! $SCRIPT_PATH/xt_geoip_build $TMP_PATH/$CSV_FILE -D $TMP_PATH; then
+ echo "Could not convert ruleset. Aborting." >&2
+ return 1
+ fi
+
+ return 0
+}
+
+function install() {
+ echo "Install databases..."
+
+ # Check if our destination exist.
+ if [ ! -e "$DEST_PATH" ]; then
+ mkdir -p $DEST_PATH &>/dev/null
+ fi
+
+ # Install databases.
+ if ! cp -af $TMP_PATH/$ARCH $DEST_PATH &>/dev/null; then
+ echo "Could not copy files. Aborting." >&2
+ return 1
+ fi
+
+ return 0
+}
+
+function cleanup() {
+ echo "Cleaning up temporary files..."
+ if ! rm -rf $TMP_PATH &>/dev/null; then
+ echo "Could not remove files. Aborting." >&2
+ return 1
+ fi
+
+ return 0
+}
+
+function main() {
+ # Download ruleset.
+ download || exit $?
+
+ # Convert the ruleset.
+ if ! build; then
+ # Do cleanup.
+ cleanup || exit $?
+ exit 1
+ fi
+
+ # Install the converted ruleset.
+ if ! install; then
+ # Do cleanup.
+ cleanup || exit $?
+ exit 1
+ fi
+
+ # Finaly remove temporary files.
+ cleanup || exit $?
+
+ return 0
+}
+
+# Run the main function.
+main
my $sth;
my $cnt=0;
#If we want to show Data from within last 2 months, get DATA from ACCT
- if ( ! $grmon < ($mon+1) && $gryear == ($year+1900)){
+ if ( $grmon == ($mon)+1 && $gryear == ($year+1900)){
$sth=&ACCT::getmonthgraphdata("ACCT",$from,$till,$grhost);
}else{
#If we want to show data from a date older than last two months, use ACCT_HIST
sub viewtablehosts{
$dbh=&ACCT::connectdb;
&Header::openbox('100%', 'left', $Lang::tr{'acct hosts'});
- my $mon=$_[0];
- my $year=$_[1];
- my ($from,$till)=&ACCT::getmonth($mon,$year);
+ my $mon1=$_[0];
+ my $year1=$_[1];
+ my ($from,$till)=&ACCT::getmonth($mon1,$year1);
$count=0;
#Menu to display another month
print<<END;
</select></td>
<td style='text-align: center;'><select name='year'>
END
- for (my $j=2014;$j<=($year);$j++){
+ for (my $j=2014;$j<=($year1);$j++){
if(($_[1]) eq $j){
print"<option selected>$j</option>";
}else{
<th></th>
</tr>
END
- my $res = $dbh->selectall_arrayref("SELECT SUM(BYTES),min(TIME_RUN),max(TIME_RUN),NAME from ACCT where TIME_RUN between ".$from." and ".$till." group by NAME;");
+ my $res;
+ if (($mon)+1 == $mon1 && ($year)+1900 == $year1){
+ $res = $dbh->selectall_arrayref("SELECT SUM(BYTES),min(TIME_RUN),max(TIME_RUN),NAME from ACCT where TIME_RUN between ".$from." and ".$till." group by NAME;");
+ }else{
+ $res = $dbh->selectall_arrayref("SELECT SUM(BYTES),min(strftime('%s',TIME_RUN)),max(strftime('%s',TIME_RUN)),NAME from ACCT_HIST where date(TIME_RUN) > date($from,'unixepoch') and date(TIME_RUN) < date($till,'unixepoch') group by NAME;");
+ }
my $sumbytes;
my $type;
my $lineval;
<input type='image' src='/images/utilities-system-monitor.png' alt="$Lang::tr{'status'}" title="$Lang::tr{'status'}" />
<input type='hidden' name='ACTION' value='viewgraph'>
<input type='hidden' name='host' value='$name'>
- <input type='hidden' name='month' value='$mon'>
- <input type='hidden' name='year' value='$year'>
+ <input type='hidden' name='month' value='$mon1'>
+ <input type='hidden' name='year' value='$year1'>
<input type='hidden' name='traffic' value="$Lang::tr{'acct sum'} $Lang::tr{'acct traffic'} $lineval $type">
</form>
}
sub movedbdata {
- $dbh->do("insert into ACCT_HIST select datetime(TIME_RUN,'unixepoch'),NAME,SUM(BYTES) from ACCT where date(TIME_RUN,'unixepoch') < date('now','-2 months') group by NAME,date(TIME_RUN,'unixepoch');");
- $dbh->do("DELETE FROM ACCT WHERE datetime(TIME_RUN,'unixepoch') < date('now','-2 months');");
+ $dbh->do("insert into ACCT_HIST select datetime(TIME_RUN,'unixepoch'),NAME,SUM(BYTES) from ACCT where datetime(TIME_RUN,'unixepoch') < datetime('now','start of month') group by NAME,datetime(TIME_RUN,'unixepoch');");
+ $dbh->do("DELETE FROM ACCT WHERE datetime(TIME_RUN,'unixepoch') < date('now','start of month');");
}
sub gethourgraphdata {
my $name=$_[3];
my $res;
$dbh=connectdb;
- if ($table eq 'ACCT'){
- $res = $dbh->selectall_arrayref( "SELECT strftime('%d.%m.%Y',xx.tag),(SELECT SUM(BYTES)/1024/1024 FROM ACCT WHERE date(TIME_RUN,'unixepoch') <= xx.tag and NAME = '".$name."') kum_bytes FROM (SELECT date(TIME_RUN,'unixepoch') tag,SUM(BYTES)/1024/1024 sbytes FROM ACCT WHERE NAME='".$name."' and TIME_RUN between ".$from." and ".$till." GROUP by date(TIME_RUN,'unixepoch')) xx;");
+ if ($table eq 'ACCT_HIST'){
+ $res = $dbh->selectall_arrayref( "SELECT strftime('%d.%m.%Y',TIME_RUN),(SELECT SUM(BYTES)/1024/1024 FROM ACCT_HIST WHERE TIME_RUN <= ah.TIME_RUN and TIME_RUN > date($from,'unixepoch') and NAME = '".$name."') kum_bytes FROM ACCT_HIST ah WHERE date(TIME_RUN) > date(".$from.",'unixepoch') AND date(TIME_RUN) < date(".$till.",'unixepoch') AND NAME = '".$name."' group by date(TIME_RUN);");
}else{
- $res = $dbh->selectall_arrayref( "SELECT TIME_RUN, (SELECT SUM(BYTES)/1024/1024 FROM ACCT_HIST WHERE TIME_RUN <= ah.TIME_RUN and NAME = '".$name."') kum_bytes FROM ACCT_HIST ah WHERE TIME_RUN BETWEEN date(".$from.",'unixepoch') AND date(".$till.",'unixepoch') AND NAME = '".$name."' group by TIME_RUN;");
+ $res = $dbh->selectall_arrayref( "SELECT strftime('%d.%m.%Y',xx.tag),(SELECT SUM(BYTES)/1024/1024 FROM ACCT WHERE date(TIME_RUN,'unixepoch') <= xx.tag and TIME_RUN > ".$from." and NAME = '".$name."') kum_bytes FROM (SELECT NAME,date(TIME_RUN,'unixepoch') tag,SUM(BYTES)/1024/1024 sbytes FROM ACCT WHERE NAME='".$name."' and TIME_RUN between ".$from." and ".$till." GROUP by NAME,date(TIME_RUN,'unixepoch')) xx;");
}
$dbh=closedb;
return $res;
open (FH,">/var/log/accounting.log");
close (FH);
chmod 0755, "/var/log/accounting.log";
- #move all db entries older than 2 months to second table and cumulate them hourly
+ #move all db entries older than this month to second table and cumulate them daily
&ACCT::movedbdata;
&ACCT::logger($settings{'LOG'},"New Month. Old trafficvalues moved to ACCT_HIST Table\n");
if ($settings{'USEMAIL'} eq 'on'){