Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next
authorMatthias Fischer <fischerm@ipfire.org>
Fri, 24 Apr 2015 22:32:20 +0000 (00:32 +0200)
committerMatthias Fischer <fischerm@ipfire.org>
Fri, 24 Apr 2015 22:32:20 +0000 (00:32 +0200)
155 files changed:
config/cfgroot/general-functions.pl
config/cfgroot/geoip-functions.pl [new file with mode: 0644]
config/cfgroot/header.pl
config/cron/crontab
config/firewall/firewall-lib.pl [changed mode: 0755->0644]
config/firewall/geoipblock [new file with mode: 0644]
config/firewall/rules.pl [changed mode: 0755->0644]
config/menu/50-firewall.menu
config/rootfiles/common/Locale-Country
config/rootfiles/common/apache2
config/rootfiles/common/armv5tel/initscripts
config/rootfiles/common/collectd
config/rootfiles/common/configroot
config/rootfiles/common/i586/initscripts
config/rootfiles/common/i586/openssl-sse2 [new file with mode: 0644]
config/rootfiles/common/openssl-compat [deleted file]
config/rootfiles/common/perl-Text-CSV_XS [new file with mode: 0644]
config/rootfiles/common/stage2
config/rootfiles/common/xtables-addons [new file with mode: 0644]
config/rootfiles/core/90/exclude
config/rootfiles/core/90/filelists/dnsmasq [new symlink]
config/rootfiles/core/90/filelists/files
config/rootfiles/core/90/filelists/i586/openssl-sse2 [new symlink]
config/rootfiles/core/90/filelists/iptables [new symlink]
config/rootfiles/core/90/filelists/openssl-0.9.8-files [new file with mode: 0644]
config/rootfiles/core/90/filelists/perl-Text-CSV_XS [new symlink]
config/rootfiles/core/90/filelists/xtables-addons [new symlink]
config/rootfiles/core/90/update.sh
config/xtables-addons/mconfig [new file with mode: 0644]
doc/language_issues.de
doc/language_issues.en
doc/language_issues.es
doc/language_issues.fr
doc/language_issues.it
doc/language_issues.nl
doc/language_issues.pl
doc/language_issues.ru
doc/language_issues.tr
doc/language_missings
html/cgi-bin/country.cgi
html/cgi-bin/firewall.cgi
html/cgi-bin/fwhosts.cgi
html/cgi-bin/geoip-block.cgi [new file with mode: 0644]
html/cgi-bin/index.cgi
html/cgi-bin/ovpnmain.cgi
html/cgi-bin/tor.cgi
html/cgi-bin/vpnmain.cgi
html/html/themes/darkdos/include/style.css
html/html/themes/ipfire-legacy/include/style.css
html/html/themes/ipfire/include/css/style.css
html/html/themes/maniac/include/style.css
langs/de/cgi-bin/de.pl
langs/en/cgi-bin/en.pl
langs/es/cgi-bin/es.pl
lfs/Locale-Country
lfs/asterisk
lfs/configroot
lfs/dnsmasq
lfs/iptables
lfs/libsrtp
lfs/linux
lfs/openssl
lfs/perl-Text-CSV_XS [moved from lfs/openssl-compat with 73% similarity]
lfs/squid-accounting
lfs/stage2
lfs/tor
lfs/xtables-addons [new file with mode: 0644]
make.sh
src/initscripts/init.d/firewall
src/initscripts/init.d/networking/functions.network
src/initscripts/init.d/networking/red.up/99-geoip-database [new file with mode: 0644]
src/patches/dnsmasq/0001-Add-newline-at-the-end-of-example-config-file.patch
src/patches/dnsmasq/0002-crash-at-startup-when-an-empty-suffix-is-supplied-to.patch
src/patches/dnsmasq/0003-Debian-build-fixes-for-kFreeBSD.patch
src/patches/dnsmasq/0004-Set-conntrack-mark-before-connect-call.patch
src/patches/dnsmasq/0005-Fix-typo-in-new-Dbus-code.patch
src/patches/dnsmasq/0006-Fit-example-conf-file-typo.patch
src/patches/dnsmasq/0007-Improve-RFC-compliance-when-unable-to-supply-address.patch
src/patches/dnsmasq/0008-Fix-conntrack-with-bind-interfaces.patch
src/patches/dnsmasq/0009-Use-inotify-instead-of-polling-on-Linux.patch
src/patches/dnsmasq/0010-Teach-the-new-inotify-code-about-symlinks.patch
src/patches/dnsmasq/0011-Remove-floor-on-EDNS0-packet-size-with-DNSSEC.patch
src/patches/dnsmasq/0012-CHANGELOG-re.-inotify.patch
src/patches/dnsmasq/0013-Fix-breakage-of-domain-domain-subnet-local.patch
src/patches/dnsmasq/0014-Remove-redundant-IN6_IS_ADDR_ULA-a-macro-defn.patch
src/patches/dnsmasq/0015-Eliminate-IPv6-privacy-addresses-from-interface-name.patch
src/patches/dnsmasq/0016-Tweak-field-width-in-cache-dump-to-avoid-truncating-.patch
src/patches/dnsmasq/0017-Fix-crash-in-DNSSEC-code-when-attempting-to-verify-l.patch
src/patches/dnsmasq/0018-Make-caching-work-for-CNAMEs-pointing-to-A-AAAA-reco.patch
src/patches/dnsmasq/0019-Fix-problems-validating-NSEC3-and-wildcards.patch
src/patches/dnsmasq/0020-Initialise-return-value.patch
src/patches/dnsmasq/0021-Add-ignore-address-option.patch
src/patches/dnsmasq/0022-Bad-packet-protection.patch
src/patches/dnsmasq/0023-Fix-build-failure-in-new-inotify-code-on-BSD.patch
src/patches/dnsmasq/0024-Implement-makefile-dependencies-on-COPTS-variable.patch
src/patches/dnsmasq/0025-Fix-race-condition-issue-in-makefile.patch
src/patches/dnsmasq/0026-DNSSEC-do-top-down-search-for-limit-of-secure-delega.patch
src/patches/dnsmasq/0027-Add-log-queries-extra-option-for-more-complete-loggi.patch
src/patches/dnsmasq/0028-Add-min-cache-ttl-option.patch
src/patches/dnsmasq/0029-Log-port-of-requestor-when-doing-extra-logging.patch
src/patches/dnsmasq/0030-Don-t-answer-from-cache-RRsets-from-wildcards-as-we-.patch
src/patches/dnsmasq/0031-Logs-for-DS-records-consistent.patch
src/patches/dnsmasq/0032-Cope-with-multiple-interfaces-with-the-same-LL-addre.patch
src/patches/dnsmasq/0033-Don-t-treat-SERVFAIL-as-a-recoverable-error.patch
src/patches/dnsmasq/0034-Add-dhcp-hostsdir-config-option.patch
src/patches/dnsmasq/0035-Update-German-translation.patch
src/patches/dnsmasq/0036-Don-t-reply-to-DHCPv6-SOLICIT-messages-when-not-conf.patch
src/patches/dnsmasq/0037-Allow-inotify-to-be-disabled-at-compile-time-on-Linu.patch
src/patches/dnsmasq/0038-Expand-inotify-code-to-dhcp-hostsdir-dhcp-optsdir-an.patch
src/patches/dnsmasq/0039-Update-copyrights-for-dawn-of-2015.patch
src/patches/dnsmasq/0040-inotify-documentation-updates.patch
src/patches/dnsmasq/0041-Fix-broken-ECDSA-DNSSEC-signatures.patch
src/patches/dnsmasq/0042-BSD-make-support.patch
src/patches/dnsmasq/0043-Fix-build-failure-on-openBSD.patch
src/patches/dnsmasq/0044-Manpage-typo-fix.patch
src/patches/dnsmasq/0045-Fixup-dhcp-configs-after-reading-extra-hostfiles-wit.patch
src/patches/dnsmasq/0046-Extra-logging-for-inotify-code.patch
src/patches/dnsmasq/0047-man-page-typo.patch
src/patches/dnsmasq/0048-Fix-get-version-script-which-returned-wrong-tag-in-s.patch
src/patches/dnsmasq/0049-Typos.patch
src/patches/dnsmasq/0050-Make-dynamic-hosts-files-work-when-no-hosts-set.patch
src/patches/dnsmasq/0051-Fix-trivial-memory-leaks-to-quieten-valgrind.patch
src/patches/dnsmasq/0052-Fix-uninitialized-value-used-in-get_client_mac.patch
src/patches/dnsmasq/0053-Log-parsing-utils-in-contrib-reverse-dns.patch
src/patches/dnsmasq/0054-Add-dnssec-timestamp-option-and-facility.patch
src/patches/dnsmasq/0055-Fix-last-commit-to-not-crash-if-uid-changing-not-con.patch
src/patches/dnsmasq/0056-New-version-of-contrib-reverse-dns.patch
src/patches/dnsmasq/0057-Tweak-DNSSEC-timestamp-code-to-create-file-later-rem.patch
src/patches/dnsmasq/0058-Fix-boilerplate-code-for-re-running-system-calls-on-.patch
src/patches/dnsmasq/0059-Make-address-example.com-equivalent-to-server-exampl.patch
src/patches/dnsmasq/0060-dhcp-set-outbound-interface-via-cmsg-in-unicast-repl.patch
src/patches/dnsmasq/0061-Don-t-fail-DNSSEC-when-a-signed-CNAME-dangles-into-a.patch
src/patches/dnsmasq/0062-Return-SERVFAIL-when-validation-abandoned.patch
src/patches/dnsmasq/0063-Protect-against-broken-DNSSEC-upstreams.patch
src/patches/dnsmasq/0064-DNSSEC-fix-for-non-ascii-characters-in-labels.patch
src/patches/dnsmasq/0065-Allow-control-characters-in-names-in-the-cache-handl.patch
src/patches/dnsmasq/0066-Fix-crash-in-last-commit.patch
src/patches/dnsmasq/0067-Merge-message-translations.patch
src/patches/dnsmasq/0068-add-tftp-no-fail-to-ignore-missing-tftp-root.patch
src/patches/dnsmasq/0069-Whitespace-fixes.patch
src/patches/dnsmasq/0070-Return-INSECURE-rather-than-BOGUS-when-DS-proved-not.patch
src/patches/dnsmasq/0071-Fix-compiler-warning-when-not-including-DNSSEC.patch
src/patches/dnsmasq/0072-Fix-crash-caused-by-looking-up-servers.bind-when-man.patch [new file with mode: 0644]
src/patches/dnsmasq/0073-Fix-crash-on-receipt-of-certain-malformed-DNS-reques.patch [new file with mode: 0644]
src/patches/dnsmasq/0074-Fix-crash-in-auth-code-with-odd-configuration.patch [new file with mode: 0644]
src/patches/dnsmasq/0075-Auth-correct-replies-to-NS-and-SOA-in-.arpa-zones.patch [new file with mode: 0644]
src/patches/dnsmasq/0076-Fix-srk-induced-crash-in-new-tftp_no_fail-code.patch [new file with mode: 0644]
src/patches/dnsmasq/0077-Note-CVE-2015-3294.patch [new file with mode: 0644]
src/patches/dnsmasq/0078-Log-domain-when-reporting-DNSSEC-validation-failure.patch [new file with mode: 0644]
src/patches/openssl-1.0.2a-rpmbuild.patch [moved from src/patches/openssl-1.0.1e-rpmbuild.patch with 60% similarity]
src/scripts/xt_geoip_build [new file with mode: 0644]
src/scripts/xt_geoip_update [new file with mode: 0644]
src/squid-accounting/accounting.cgi
src/squid-accounting/acct-lib.pl
src/squid-accounting/acct.pl

index 35ae7c0..2b5cd19 100644 (file)
@@ -17,6 +17,7 @@ package General;
 use strict;
 use Socket;
 use IO::Socket;
+use Locale::Codes::Country;
 use Net::SSLeay;
 use Net::IPv4Addr qw(:all);
 $|=1; # line buffering
diff --git a/config/cfgroot/geoip-functions.pl b/config/cfgroot/geoip-functions.pl
new file mode 100644 (file)
index 0000000..85a8dc8
--- /dev/null
@@ -0,0 +1,90 @@
+#!/usr/bin/perl -w
+############################################################################
+#                                                                          #
+# This file is part of the IPFire Firewall.                                #
+#                                                                          #
+# IPFire is free software; you can redistribute it and/or modify           #
+# it under the terms of the GNU General Public License as published by     #
+# the Free Software Foundation; either version 2 of the License, or        #
+# (at your option) any later version.                                      #
+#                                                                          #
+# IPFire is distributed in the hope that it will be useful,                #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of           #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the            #
+# GNU General Public License for more details.                             #
+#                                                                          #
+# You should have received a copy of the GNU General Public License        #
+# along with IPFire; if not, write to the Free Software                    #
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307 USA #
+#                                                                          #
+# Copyright (C) 2015 IPFire Team <info@ipfire.org>.                        #
+#                                                                          #
+############################################################################
+
+package GeoIP;
+
+use Locale::Codes::Country;
+
+# Function to get the flag icon for a specified country code.
+sub get_flag_icon($) {
+       my ($input) = @_;
+
+       # Webserver's root dir. (Required for generating full path)
+       my $webroot = "/srv/web/ipfire/html";
+
+       # Directory which contains the flag icons.
+       my $flagdir = "/images/flags";
+
+       # File extension of the country flags.
+       my $ext = "png";
+
+       # Remove whitespaces.
+       chomp($input);
+
+       # Convert given country code to lower case.
+       my $ccode = lc($input);
+
+       # Generate filename, based on the contry code in lower case
+       # and the defined file extension.
+       my $file = join('.', $ccode,$ext);
+
+       # Generate path inside webroot to the previously generated file.
+       my $flag_icon = join('/', $flagdir,$file);
+
+       # Generate absolute path to the icon file.
+       my $absolute_path = join('', $webroot,$flag_icon);
+       # Check if the a icon file exists.
+       if (-e "$absolute_path") {
+               # Return content of flag_icon.
+               return $flag_icon;
+       }
+}
+
+# Function to get the county name by a given country code.
+sub get_full_country_name($) {
+       my ($input) = @_;
+       my $name;
+
+       # Remove whitespaces.
+       chomp($input);
+
+       # Convert input into lower case format.
+       my $code = lc($input);
+
+       # Handle country codes which are not in the list.
+       if ($code eq "a1") { $name = "Anonymous Proxy" }
+       elsif ($code eq "a2") { $name = "Satellite Provider" }
+       elsif ($code eq "o1") { $name = "Other Country" }
+       elsif ($code eq "ap") { $name = "Asia/Pacific Region" }
+       elsif ($code eq "eu") { $name = "Europe" }
+       elsif ($code eq "yu") { $name = "Yugoslavia" }
+       else {
+               # Use perl built-in module to get the country code.
+               $name = &Locale::Codes::Country::code2country($code);
+       }
+
+       return $name;
+}
+
+1;
index cf895bf..974c4d8 100644 (file)
@@ -263,7 +263,7 @@ sub getcgihash {
        return if ($ENV{'REQUEST_METHOD'} ne 'POST');
        if (!$params->{'wantfile'}) {
                $CGI::DISABLE_UPLOADS = 1;
-               $CGI::POST_MAX        = 512 * 1024;
+               $CGI::POST_MAX        = 1024 * 1024;
        } else {
                $CGI::POST_MAX = 10 * 1024 * 1024;
        }
index d78d08f..d5e5d7e 100644 (file)
@@ -57,3 +57,6 @@ HOME=/
 # Re-read firewall rules every Sunday in March, October and November to take care of daylight saving time
 00 3 * 3 0          /usr/local/bin/timezone-transition /usr/local/bin/firewallctrl
 00 2 * 10-11 0      /usr/local/bin/timezone-transition /usr/local/bin/firewallctrl
+
+# Update GeoIP database once a month.
+%monthly,random * * * [ -f "/var/ipfire/red/active" ] && /usr/local/bin/xt_geoip_update >/dev/null 2>&1
old mode 100755 (executable)
new mode 100644 (file)
index f3cd67f..b389fac
@@ -27,6 +27,7 @@ package fwlib;
 my %customnetwork=();
 my %customhost=();
 my %customgrp=();
+my %customgeoipgrp=();
 my %customservice=();
 my %customservicegrp=();
 my %ccdnet=();
@@ -42,6 +43,7 @@ require '/var/ipfire/general-functions.pl';
 my $confignet          = "${General::swroot}/fwhosts/customnetworks";
 my $confighost         = "${General::swroot}/fwhosts/customhosts";
 my $configgrp          = "${General::swroot}/fwhosts/customgroups";
+my $configgeoipgrp     = "${General::swroot}/fwhosts/customgeoipgrp";
 my $configsrv          = "${General::swroot}/fwhosts/customservices";
 my $configsrvgrp       = "${General::swroot}/fwhosts/customservicegrp";
 my $configccdnet       = "${General::swroot}/ovpn/ccd.conf";
@@ -59,6 +61,7 @@ my $netsettings               = "${General::swroot}/ethernet/settings";
 &General::readhasharray("$confignet", \%customnetwork);
 &General::readhasharray("$confighost", \%customhost);
 &General::readhasharray("$configgrp", \%customgrp);
+&General::readhasharray("$configgeoipgrp", \%customgeoipgrp);
 &General::readhasharray("$configccdnet", \%ccdnet);
 &General::readhasharray("$configccdhost", \%ccdhost);
 &General::readhasharray("$configipsec", \%ipsecconf);
@@ -295,6 +298,17 @@ sub get_addresses
                        if ($customgrp{$grp}[0] eq $value) {
                                my @address = &get_address($customgrp{$grp}[3], $customgrp{$grp}[2], $type);
 
+                               if (@address) {
+                                       push(@addresses, @address);
+                               }
+                       }
+               }
+       }elsif ($addr_type ~~ ["cust_geoip_src", "cust_geoip_tgt"] && $value =~ "group:") {
+               $value=substr($value,6);
+               foreach my $grp (sort {$a <=> $b} keys %customgeoipgrp) {
+                       if ($customgeoipgrp{$grp}[0] eq $value) {
+                               my @address = &get_address($addr_type, $customgeoipgrp{$grp}[2], $type);
+
                                if (@address) {
                                        push(@addresses, @address);
                                }
@@ -414,6 +428,20 @@ sub get_address
                        }
                }
 
+       # Handle rule options with GeoIP as source.
+       } elsif ($key eq "cust_geoip_src") {
+               # Get external interface.
+               my $external_interface = &get_external_interface();
+
+               push(@ret, ["-m geoip --src-cc $value", "$external_interface"]);
+
+       # Handle rule options with GeoIP as target.
+       } elsif ($key eq "cust_geoip_tgt") {
+               # Get external interface.
+               my $external_interface = &get_external_interface();
+
+               push(@ret, ["-m geoip --dst-cc $value", "$external_interface"]);
+
        # If nothing was selected, we assume "any".
        } else {
                push(@ret, ["0/0", ""]);
@@ -552,4 +580,37 @@ sub get_internal_firewall_ip_address
        return 0;
 }
 
+sub get_geoip_locations() {
+       # Path to the directory which contains the binary geoip
+       # databases.
+       my $directory="/usr/share/xt_geoip/LE";
+
+       # Array to store the final country list.
+       my @country_codes = ();
+
+       # Open location and do a directory listing.
+       opendir(DIR, "$directory");
+       my @locations = readdir(DIR);
+       closedir(DIR);
+
+       # Loop through the directory listing, and cut of the file extensions.
+       foreach my $location (sort @locations) {
+               # skip . and ..
+               next if($location =~ /^\.$/);
+               next if($location =~ /^\.\.$/);
+
+               # Remove whitespaces.
+               chomp($location);
+
+               # Cut-off file extension.
+               my ($country_code, $extension) = split(/\./, $location);
+
+               # Add country code to array.
+               push(@country_codes, $country_code);
+       }
+
+       # Return final array.
+       return @country_codes;
+}
+
 return 1;
diff --git a/config/firewall/geoipblock b/config/firewall/geoipblock
new file mode 100644 (file)
index 0000000..4d483d3
--- /dev/null
@@ -0,0 +1 @@
+GEOIPBLOCK_ENABLED=off
old mode 100755 (executable)
new mode 100644 (file)
index 8abc675..daa9565
@@ -60,6 +60,7 @@ my $configfwdfw               = "${General::swroot}/firewall/config";
 my $configinput            = "${General::swroot}/firewall/input";
 my $configoutgoing  = "${General::swroot}/firewall/outgoing";
 my $p2pfile                    = "${General::swroot}/firewall/p2protocols";
+my $geoipfile          = "${General::swroot}/firewall/geoipblock";
 my $configgrp          = "${General::swroot}/fwhosts/customgroups";
 my $netsettings                = "${General::swroot}/ethernet/settings";
 
@@ -102,6 +103,9 @@ sub main {
        # Load P2P block rules.
        &p2pblock();
 
+       # Load GeoIP block rules.
+       &geoipblock();
+
        # Reload firewall policy.
        run("/usr/sbin/firewall-policy");
 
@@ -365,13 +369,17 @@ sub buildrules {
                                        my @source_options = ();
                                        if ($source =~ /mac/) {
                                                push(@source_options, $source);
-                                       } elsif ($source) {
+                                       } elsif ($source =~ /-m geoip/) {
+                                               push(@source_options, $source);
+                                       } elsif($source) {
                                                push(@source_options, ("-s", $source));
                                        }
 
                                        # Prepare destination options.
                                        my @destination_options = ();
-                                       if ($destination) {
+                                       if ($destination =~ /-m geoip/) {
+                                               push(@destination_options,  $destination);
+                                       } elsif ($destination) {
                                                push(@destination_options, ("-d", $destination));
                                        }
 
@@ -570,6 +578,38 @@ sub p2pblock {
        }
 }
 
+sub geoipblock {
+       my %geoipsettings = ();
+       $geoipsettings{'GEOIPBLOCK_ENABLED'} = "off";
+
+       # Flush iptables chain.
+       run("$IPTABLES -F GEOIPBLOCK");
+
+       # Check if the geoip settings file exists
+       if (-e "$geoipfile") {
+               # Read settings file
+               &General::readhash("$geoipfile", \%geoipsettings);
+       }
+
+       # If geoip blocking is not enabled, we are finished here.
+       if ($geoipsettings{'GEOIPBLOCK_ENABLED'} ne "on") {
+               # Exit submodule. Process remaining script.
+               return;
+       }
+
+       # Get supported locations.
+       my @locations = &fwlib::get_geoip_locations();
+
+       # Loop through all supported geoip locations and
+       # create iptables rules, if blocking this country
+       # is enabled.
+       foreach my $location (@locations) {
+               if($geoipsettings{$location} eq "on") {
+                       run("$IPTABLES -A GEOIPBLOCK -m geoip --src-cc $location -j DROP");
+               }
+       }
+}
+
 sub get_protocols {
        my $hash = shift;
        my $key = shift;
index e872e64..7271b32 100644 (file)
                                'title' => "P2P-Block",
                                'enabled' => 1,
                                };
+    $subfirewall->{'50.geoipblock'} = {
+                               'caption' => $Lang::tr{'geoipblock'},
+                               'uri' => '/cgi-bin/geoip-block.cgi',
+                               'title' => $Lang::tr{'geoipblock'},
+                               'enabled' => 1,
+                               };
     $subfirewall->{'60.wireless'} = {
                                'caption' => $Lang::tr{'blue access'},
                                'uri' => '/cgi-bin/wireless.cgi',
index bbe51ee..58c2406 100644 (file)
@@ -1,13 +1,50 @@
-#usr/lib/perl5/site_perl/5.12.3/Locale
-usr/lib/perl5/site_perl/5.12.3/Locale/Constants.pm
-usr/lib/perl5/site_perl/5.12.3/Locale/Constants.pod
-usr/lib/perl5/site_perl/5.12.3/Locale/Country.pm
-usr/lib/perl5/site_perl/5.12.3/Locale/Country.pod
-usr/lib/perl5/site_perl/5.12.3/Locale/Currency.pm
-usr/lib/perl5/site_perl/5.12.3/Locale/Currency.pod
-usr/lib/perl5/site_perl/5.12.3/Locale/Language.pm
-usr/lib/perl5/site_perl/5.12.3/Locale/Language.pod
-usr/lib/perl5/site_perl/5.12.3/Locale/Script.pm
-usr/lib/perl5/site_perl/5.12.3/Locale/Script.pod
-#usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/auto/Locale-Codes
-#usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/auto/Locale-Codes/.packlist
+#usr/lib/perl5/5.12.3/Locale/Codes
+usr/lib/perl5/5.12.3/Locale/Codes.pm
+usr/lib/perl5/5.12.3/Locale/Codes.pod
+usr/lib/perl5/5.12.3/Locale/Codes/API.pod
+usr/lib/perl5/5.12.3/Locale/Codes/Changes.pod
+usr/lib/perl5/5.12.3/Locale/Codes/Constants.pm
+usr/lib/perl5/5.12.3/Locale/Codes/Constants.pod
+usr/lib/perl5/5.12.3/Locale/Codes/Country.pm
+usr/lib/perl5/5.12.3/Locale/Codes/Country.pod
+usr/lib/perl5/5.12.3/Locale/Codes/Country_Codes.pm
+usr/lib/perl5/5.12.3/Locale/Codes/Country_Retired.pm
+usr/lib/perl5/5.12.3/Locale/Codes/Currency.pm
+usr/lib/perl5/5.12.3/Locale/Codes/Currency.pod
+usr/lib/perl5/5.12.3/Locale/Codes/Currency_Codes.pm
+usr/lib/perl5/5.12.3/Locale/Codes/Currency_Retired.pm
+usr/lib/perl5/5.12.3/Locale/Codes/LangExt.pm
+usr/lib/perl5/5.12.3/Locale/Codes/LangExt.pod
+usr/lib/perl5/5.12.3/Locale/Codes/LangExt_Codes.pm
+usr/lib/perl5/5.12.3/Locale/Codes/LangExt_Retired.pm
+usr/lib/perl5/5.12.3/Locale/Codes/LangFam.pm
+usr/lib/perl5/5.12.3/Locale/Codes/LangFam.pod
+usr/lib/perl5/5.12.3/Locale/Codes/LangFam_Codes.pm
+usr/lib/perl5/5.12.3/Locale/Codes/LangFam_Retired.pm
+usr/lib/perl5/5.12.3/Locale/Codes/LangVar.pm
+usr/lib/perl5/5.12.3/Locale/Codes/LangVar.pod
+usr/lib/perl5/5.12.3/Locale/Codes/LangVar_Codes.pm
+usr/lib/perl5/5.12.3/Locale/Codes/LangVar_Retired.pm
+usr/lib/perl5/5.12.3/Locale/Codes/Language.pm
+usr/lib/perl5/5.12.3/Locale/Codes/Language.pod
+usr/lib/perl5/5.12.3/Locale/Codes/Language_Codes.pm
+usr/lib/perl5/5.12.3/Locale/Codes/Language_Retired.pm
+usr/lib/perl5/5.12.3/Locale/Codes/Script.pm
+usr/lib/perl5/5.12.3/Locale/Codes/Script.pod
+usr/lib/perl5/5.12.3/Locale/Codes/Script_Codes.pm
+usr/lib/perl5/5.12.3/Locale/Codes/Script_Retired.pm
+#usr/lib/perl5/5.12.3/MACHINE-linux-thread-multi/auto/Locale
+#usr/lib/perl5/5.12.3/MACHINE-linux-thread-multi/auto/Locale/Codes
+#usr/lib/perl5/5.12.3/MACHINE-linux-thread-multi/auto/Locale/Codes/.packlist
+#usr/share/man/man3/Locale::Codes.3
+#usr/share/man/man3/Locale::Codes::API.3
+#usr/share/man/man3/Locale::Codes::Changes.3
+#usr/share/man/man3/Locale::Codes::Constants.3
+#usr/share/man/man3/Locale::Codes::Country.3
+#usr/share/man/man3/Locale::Codes::Currency.3
+#usr/share/man/man3/Locale::Codes::LangExt.3
+#usr/share/man/man3/Locale::Codes::LangFam.3
+#usr/share/man/man3/Locale::Codes::LangFam_Retired.3
+#usr/share/man/man3/Locale::Codes::LangVar.3
+#usr/share/man/man3/Locale::Codes::Language.3
+#usr/share/man/man3/Locale::Codes::Script.3
index 55dd04e..8033a87 100644 (file)
@@ -1402,6 +1402,7 @@ srv/web/ipfire/cgi-bin/extrahd.cgi
 srv/web/ipfire/cgi-bin/fireinfo.cgi
 srv/web/ipfire/cgi-bin/firewall.cgi
 srv/web/ipfire/cgi-bin/fwhosts.cgi
+srv/web/ipfire/cgi-bin/geoip-block.cgi
 srv/web/ipfire/cgi-bin/gpl.cgi
 srv/web/ipfire/cgi-bin/gui.cgi
 srv/web/ipfire/cgi-bin/hardwaregraphs.cgi
index 8ddf34a..b4cd8f8 100644 (file)
@@ -92,6 +92,7 @@ etc/rc.d/init.d/networking/red.up/50-ipsec
 etc/rc.d/init.d/networking/red.up/50-ovpn
 etc/rc.d/init.d/networking/red.up/98-leds
 etc/rc.d/init.d/networking/red.up/99-fireinfo
+etc/rc.d/init.d/networking/red.up/99-geoip-database
 etc/rc.d/init.d/networking/red.up/99-pakfire-update
 etc/rc.d/init.d/networking/wpa_supplicant.exe
 #etc/rc.d/init.d/nfs-server
index 2732494..cac4c3d 100644 (file)
@@ -218,11 +218,11 @@ usr/lib/libcollectdclient.so.0.0.0
 #usr/lib/perl5/Collectd/Plugins
 #usr/lib/perl5/Collectd/Plugins/OpenVZ.pm
 #usr/lib/perl5/Collectd/Unixsock.pm
-#usr/lib/perl5/i586-linux-thread-multi
-#usr/lib/perl5/i586-linux-thread-multi/auto
-#usr/lib/perl5/i586-linux-thread-multi/auto/Collectd
-#usr/lib/perl5/i586-linux-thread-multi/auto/Collectd/.packlist
-#usr/lib/perl5/i586-linux-thread-multi/perllocal.pod
+#usr/lib/perl5/MACHINE-linux-thread-multi
+#usr/lib/perl5/MACHINE-linux-thread-multi/auto
+#usr/lib/perl5/MACHINE-linux-thread-multi/auto/Collectd
+#usr/lib/perl5/MACHINE-linux-thread-multi/auto/Collectd/.packlist
+#usr/lib/perl5/MACHINE-linux-thread-multi/perllocal.pod
 #usr/lib/pkgconfig/libcollectdclient.pc
 #usr/man/man3/Collectd::Unixsock.3
 usr/sbin/collectd
index eaf1af6..f6cbb61 100644 (file)
@@ -52,6 +52,7 @@ var/ipfire/extrahd
 var/ipfire/firewall
 #var/ipfire/firewall/config
 #var/ipfire/firewall/dmz
+#var/ipfire/firewall/geoipblock
 #var/ipfire/firewall/input
 #var/ipfire/firewall/nat
 #var/ipfire/firewall/outgoing
@@ -59,6 +60,7 @@ var/ipfire/firewall
 #var/ipfire/firewall/settings
 var/ipfire/fwhosts
 #var/ipfire/fwhosts/customgroups
+#var/ipfire/fwhosts/customgeoipgrp
 #var/ipfire/fwhosts/customhosts
 #var/ipfire/fwhosts/customnetworks
 #var/ipfire/fwhosts/customservicegrp
@@ -69,6 +71,7 @@ var/ipfire/fwlogs
 #var/ipfire/fwlogs/ipsettings
 #var/ipfire/fwlogs/portsettings
 var/ipfire/general-functions.pl
+var/ipfire/geoip-functions.pl
 var/ipfire/graphs.pl
 var/ipfire/header.pl
 var/ipfire/isdn
index 3d4dd62..878ba66 100644 (file)
@@ -94,6 +94,7 @@ etc/rc.d/init.d/networking/red.up/50-ipsec
 etc/rc.d/init.d/networking/red.up/50-ovpn
 etc/rc.d/init.d/networking/red.up/98-leds
 etc/rc.d/init.d/networking/red.up/99-fireinfo
+etc/rc.d/init.d/networking/red.up/99-geoip-database
 etc/rc.d/init.d/networking/red.up/99-pakfire-update
 etc/rc.d/init.d/networking/wpa_supplicant.exe
 #etc/rc.d/init.d/nfs-server
diff --git a/config/rootfiles/common/i586/openssl-sse2 b/config/rootfiles/common/i586/openssl-sse2
new file mode 100644 (file)
index 0000000..59bfce3
--- /dev/null
@@ -0,0 +1,2 @@
+usr/lib/sse2/libcrypto.so.10
+usr/lib/sse2/libssl.so.10
diff --git a/config/rootfiles/common/openssl-compat b/config/rootfiles/common/openssl-compat
deleted file mode 100644 (file)
index ccf89d0..0000000
+++ /dev/null
@@ -1,2 +0,0 @@
-usr/lib/libcrypto.so.0.9.8
-usr/lib/libssl.so.0.9.8
diff --git a/config/rootfiles/common/perl-Text-CSV_XS b/config/rootfiles/common/perl-Text-CSV_XS
new file mode 100644 (file)
index 0000000..bbc7d9b
--- /dev/null
@@ -0,0 +1,8 @@
+#usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/Text
+usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/Text/CSV_XS.pm
+#usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/auto/Text
+#usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/auto/Text/CSV_XS
+#usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/auto/Text/CSV_XS/.packlist
+#usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/auto/Text/CSV_XS/CSV_XS.bs
+usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/auto/Text/CSV_XS/CSV_XS.so
+#usr/share/man/man3/Text::CSV_XS.3
index f506daf..90e28d9 100644 (file)
@@ -101,6 +101,8 @@ usr/local/bin/timecheck
 usr/local/bin/timezone-transition
 usr/local/bin/update-bootloader
 usr/local/bin/update-lang-cache
+usr/local/bin/xt_geoip_build
+usr/local/bin/xt_geoip_update
 #usr/local/include
 #usr/local/lib
 #usr/local/lib/sse2
@@ -120,6 +122,7 @@ usr/local/bin/update-lang-cache
 #usr/local/share/man/man8
 #usr/local/share/misc
 #usr/local/share/terminfo
+#usr/local/share/xt_geoip
 #usr/local/share/zoneinfo
 #usr/local/src
 #usr/sbin
@@ -142,6 +145,7 @@ usr/share/doc/licenses/GPLv3
 #usr/share/man/man8
 #usr/share/misc
 #usr/share/terminfo
+#usr/share/xt_geoip
 #usr/share/zoneinfo
 #var
 #var/cache
diff --git a/config/rootfiles/common/xtables-addons b/config/rootfiles/common/xtables-addons
new file mode 100644 (file)
index 0000000..f6e85ae
--- /dev/null
@@ -0,0 +1,33 @@
+lib/xtables/libxt_ACCOUNT.so
+lib/xtables/libxt_CHAOS.so
+lib/xtables/libxt_DELUDE.so
+lib/xtables/libxt_DHCPMAC.so
+lib/xtables/libxt_DNETMAP.so
+lib/xtables/libxt_ECHO.so
+lib/xtables/libxt_IPMARK.so
+lib/xtables/libxt_LOGMARK.so
+lib/xtables/libxt_TARPIT.so
+lib/xtables/libxt_condition.so
+lib/xtables/libxt_dhcpmac.so
+lib/xtables/libxt_fuzzy.so
+lib/xtables/libxt_geoip.so
+lib/xtables/libxt_iface.so
+lib/xtables/libxt_ipp2p.so
+lib/xtables/libxt_ipv4options.so
+lib/xtables/libxt_length2.so
+lib/xtables/libxt_lscan.so
+lib/xtables/libxt_pknock.so
+lib/xtables/libxt_psd.so
+lib/xtables/libxt_quota2.so
+#usr/lib/libxt_ACCOUNT_cl.la
+#usr/lib/libxt_ACCOUNT_cl.so
+usr/lib/libxt_ACCOUNT_cl.so.0
+usr/lib/libxt_ACCOUNT_cl.so.0.0.0
+#usr/libexec/xtables-addons
+usr/libexec/xtables-addons/xt_geoip_build
+usr/libexec/xtables-addons/xt_geoip_dl
+usr/sbin/iptaccount
+#usr/share/man/man1/xt_geoip_build.1
+#usr/share/man/man1/xt_geoip_dl.1
+#usr/share/man/man8/iptaccount.8
+#usr/share/man/man8/xtables-addons.8
index 5be5371..56e840d 100644 (file)
@@ -17,10 +17,12 @@ etc/sysconfig/modules
 etc/sysconfig/rc.local
 etc/udev/rules.d/30-persistent-network.rules
 srv/web/ipfire/html/proxy.pac
-var/ipfire/time
+var/ipfire/firewall/geoipblock
+var/ipfire/fwhosts/custmgeoipgrp
 var/ipfire/ovpn/ccd.conf
 var/ipfire/ovpn/ccdroute
 var/ipfire/ovpn/ccdroute2
+var/ipfire/time
 var/log/cache
 var/state/dhcp/dhcpd.leases
 var/updatecache
diff --git a/config/rootfiles/core/90/filelists/dnsmasq b/config/rootfiles/core/90/filelists/dnsmasq
new file mode 120000 (symlink)
index 0000000..d469c74
--- /dev/null
@@ -0,0 +1 @@
+../../../common/dnsmasq
\ No newline at end of file
index 2ef5ded..69d7421 100644 (file)
@@ -1,7 +1,29 @@
 etc/system-release
 etc/issue
+etc/rc.d/init.d/firewall
 etc/rc.d/init.d/network-trigger
+etc/rc.d/init.d/networking/functions.network
+etc/rc.d/init.d/networking/red.up/99-geoip-database
 etc/rc.d/rcsysinit.d/S90network-trigger
+srv/web/ipfire/cgi-bin/country.cgi
+srv/web/ipfire/cgi-bin/firewall.cgi
+srv/web/ipfire/cgi-bin/fwhosts.cgi
+srv/web/ipfire/cgi-bin/geoip-block.cgi
+srv/web/ipfire/cgi-bin/index.cgi
+srv/web/ipfire/cgi-bin/ovpnmain.cgi
+srv/web/ipfire/cgi-bin/vpnmain.cgi
+srv/web/ipfire/html/themes/darkdos/include/style.css
+srv/web/ipfire/html/themes/ipfire-legacy/include/style.css
+srv/web/ipfire/html/themes/ipfire/include/css/style.css
+srv/web/ipfire/html/themes/maniac/include/style.css
+usr/lib/firewall/firewall-lib.pl
 usr/lib/firewall/rules.pl
+usr/local/bin/backupiso
+usr/local/bin/xt_geoip_build
+usr/local/bin/xt_geoip_update
+var/ipfire/general-functions.pl
+var/ipfire/geoip-functions.pl
+var/ipfire/header.pl
 var/ipfire/backup/include
 var/ipfire/langs
+var/ipfire/menu.d/50-firewall.menu
diff --git a/config/rootfiles/core/90/filelists/i586/openssl-sse2 b/config/rootfiles/core/90/filelists/i586/openssl-sse2
new file mode 120000 (symlink)
index 0000000..f424713
--- /dev/null
@@ -0,0 +1 @@
+../../../../common/i586/openssl-sse2
\ No newline at end of file
diff --git a/config/rootfiles/core/90/filelists/iptables b/config/rootfiles/core/90/filelists/iptables
new file mode 120000 (symlink)
index 0000000..8caf12b
--- /dev/null
@@ -0,0 +1 @@
+../../../common/iptables
\ No newline at end of file
diff --git a/config/rootfiles/core/90/filelists/openssl-0.9.8-files b/config/rootfiles/core/90/filelists/openssl-0.9.8-files
new file mode 100644 (file)
index 0000000..e80a57d
--- /dev/null
@@ -0,0 +1,19 @@
+lib/security/pam_mysql.so
+usr/lib/gnupg/gpgkeys_ldap
+usr/lib/gnupg/gpgkeys_hkp
+usr/lib/gnupg/gpgkeys_curl
+usr/lib/apache/libphp5.so
+usr/lib/squid/digest_ldap_auth
+usr/lib/squid/basic_ldap_auth
+usr/lib/squid/ext_kerberos_ldap_group_acl
+usr/lib/squid/ext_edirectory_userip_acl
+usr/lib/squid/ext_ldap_group_acl
+usr/lib/python2.7/lib-dynload/_ssl.so
+usr/lib/python2.7/lib-dynload/_hashlib.so
+usr/lib/collectd/write_http.so
+usr/lib/collectd/ascent.so
+usr/lib/collectd/curl_xml.so
+usr/lib/collectd/apache.so
+usr/lib/collectd/bind.so
+usr/lib/collectd/curl.so
+usr/bin/php
diff --git a/config/rootfiles/core/90/filelists/perl-Text-CSV_XS b/config/rootfiles/core/90/filelists/perl-Text-CSV_XS
new file mode 120000 (symlink)
index 0000000..ec1202f
--- /dev/null
@@ -0,0 +1 @@
+../../../common/perl-Text-CSV_XS
\ No newline at end of file
diff --git a/config/rootfiles/core/90/filelists/xtables-addons b/config/rootfiles/core/90/filelists/xtables-addons
new file mode 120000 (symlink)
index 0000000..2e24c42
--- /dev/null
@@ -0,0 +1 @@
+../../../common/xtables-addons
\ No newline at end of file
index 6af052c..573d5a7 100644 (file)
@@ -136,6 +136,9 @@ esac
 #Extract files
 tar xavf /opt/pakfire/tmp/files* --no-overwrite-dir -p --numeric-owner -C /
 
+# Remove old openssl libraries
+rm -vf /usr/lib/libcrypto.so.0.9.8 /usr/lib/libssl.so.0.9.8
+
 # Check diskspace on boot
 BOOTSPACE=`df /boot -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1`
 
@@ -159,6 +162,37 @@ if [ $BOOTSPACE -lt 1000 ]; then
        esac
 fi
 
+# Create GeoIP related files if they do not exist yet.
+if [ ! -e "/var/ipfire/firewall/geoipblock" ]; then
+       touch /var/ipfire/firewall/geoipblock
+       chown nobody:nobody /var/ipfire/firewall/geoipblock
+
+       # Insert default value into file.
+       echo "GEOIPBLOCK_ENABLED=off" >> /var/ipfire/firewall/geoipblock
+fi
+if [ ! -e "/var/ipfire/fwhosts/customgeoipgrp" ]; then
+       touch /var/ipfire/fwhosts/customgeoipgrp
+       chown nobody:nobody /var/ipfire/fwhosts/customgeoipgrp
+fi
+
+#Fix BUG10812 (openvpn server.conf has wrong collectd logfile path)
+if grep -q "status /var/log/ovpnserver.log 30" /var/ipfire/ovpn/server.conf; then
+       sed -i "s/\/var\/log\/ovpnserver.log 30/\/var\/run\/ovpnserver.log 30/" /var/ipfire/ovpn/server.conf
+fi
+
+# Download/Update GeoIP databases.
+/usr/local/bin/xt_geoip_update
+
+# Update crontab
+grep -q /usr/local/bin/xt_geoip_update /var/spool/cron/root.orig || cat <<EOF >> /var/spool/cron/root.orig
+
+# Update GeoIP database once a month.
+%monthly,random * * * [ -f "/var/ipfire/red/active" ] && /usr/local/bin/xt_geoip_update >/dev/null 2>&1
+EOF
+
+fcrontab -z &>/dev/null
+
+
 # Update Language cache
 perl -e "require '/var/ipfire/lang.pl'; &Lang::BuildCacheLang"
 
diff --git a/config/xtables-addons/mconfig b/config/xtables-addons/mconfig
new file mode 100644 (file)
index 0000000..933d717
--- /dev/null
@@ -0,0 +1,24 @@
+# -*- Makefile -*-
+#
+build_ACCOUNT=m
+build_CHAOS=m
+build_DELUDE=m
+build_DHCPMAC=m
+build_DNETMAP=m
+build_ECHO=m
+build_IPMARK=m
+build_LOGMARK=m
+build_SYSRQ=n
+build_TARPIT=m
+build_condition=m
+build_fuzzy=m
+build_geoip=m
+build_gradm=n
+build_iface=m
+build_ipp2p=m
+build_ipv4options=m
+build_length2=m
+build_lscan=m
+build_pknock=m
+build_psd=m
+build_quota2=m
index 3a31661..1ccc654 100644 (file)
@@ -75,6 +75,7 @@ WARNING: translation string unused: bad characters in
 WARNING: translation string unused: behind a proxy
 WARNING: translation string unused: bitrate
 WARNING: translation string unused: bleeding rules
+WARNING: translation string unused: block
 WARNING: translation string unused: blue access use hint
 WARNING: translation string unused: blue interface
 WARNING: translation string unused: cache management
@@ -243,6 +244,7 @@ WARNING: translation string unused: fwhost Standard Network
 WARNING: translation string unused: fwhost attention
 WARNING: translation string unused: fwhost blue
 WARNING: translation string unused: fwhost changeremark
+WARNING: translation string unused: fwhost cust geoip
 WARNING: translation string unused: fwhost err addrgrp
 WARNING: translation string unused: fwhost err hostorip
 WARNING: translation string unused: fwhost err mac
@@ -258,6 +260,9 @@ WARNING: translation string unused: fwhost wo subnet
 WARNING: translation string unused: gen static key
 WARNING: translation string unused: generate
 WARNING: translation string unused: genkey
+WARNING: translation string unused: geoipblock country code
+WARNING: translation string unused: geoipblock country name
+WARNING: translation string unused: geoipblock flag
 WARNING: translation string unused: green interface
 WARNING: translation string unused: gz with key
 WARNING: translation string unused: hint
@@ -576,6 +581,8 @@ WARNING: translation string unused: transfer limits
 WARNING: translation string unused: transparent on
 WARNING: translation string unused: umount
 WARNING: translation string unused: umount removable media before to unplug
+WARNING: translation string unused: unblock
+WARNING: translation string unused: unblock all
 WARNING: translation string unused: unencrypted
 WARNING: translation string unused: update transcript
 WARNING: translation string unused: updates
@@ -632,6 +639,7 @@ WARNING: untranslated string: bytes
 WARNING: untranslated string: community rules
 WARNING: untranslated string: dead peer detection
 WARNING: untranslated string: emerging rules
+WARNING: untranslated string: fwhost cust geoipgrp
 WARNING: untranslated string: fwhost err hostip
 WARNING: untranslated string: ike lifetime should be between 1 and 8 hours
 WARNING: untranslated string: no data
index da14d97..b7be862 100644 (file)
@@ -93,6 +93,7 @@ WARNING: translation string unused: bewan adsl pci st
 WARNING: translation string unused: bewan adsl usb
 WARNING: translation string unused: bitrate
 WARNING: translation string unused: bleeding rules
+WARNING: translation string unused: block
 WARNING: translation string unused: blue access use hint
 WARNING: translation string unused: blue interface
 WARNING: translation string unused: cache management
@@ -266,6 +267,7 @@ WARNING: translation string unused: fwhost Standard Network
 WARNING: translation string unused: fwhost attention
 WARNING: translation string unused: fwhost blue
 WARNING: translation string unused: fwhost changeremark
+WARNING: translation string unused: fwhost cust geoip
 WARNING: translation string unused: fwhost err addrgrp
 WARNING: translation string unused: fwhost err hostorip
 WARNING: translation string unused: fwhost err mac
@@ -283,6 +285,9 @@ WARNING: translation string unused: g.lite
 WARNING: translation string unused: gen static key
 WARNING: translation string unused: generate
 WARNING: translation string unused: genkey
+WARNING: translation string unused: geoipblock country code
+WARNING: translation string unused: geoipblock country name
+WARNING: translation string unused: geoipblock flag
 WARNING: translation string unused: green interface
 WARNING: translation string unused: gz with key
 WARNING: translation string unused: hint
@@ -609,6 +614,8 @@ WARNING: translation string unused: transfer limits
 WARNING: translation string unused: transparent on
 WARNING: translation string unused: umount
 WARNING: translation string unused: umount removable media before to unplug
+WARNING: translation string unused: unblock
+WARNING: translation string unused: unblock all
 WARNING: translation string unused: unencrypted
 WARNING: translation string unused: update transcript
 WARNING: translation string unused: updates
@@ -664,6 +671,7 @@ WARNING: translation string unused: year-graph
 WARNING: translation string unused: yearly firewallhits
 WARNING: untranslated string: Scan for Songs
 WARNING: untranslated string: bytes
+WARNING: untranslated string: fwhost cust geoipgrp
 WARNING: untranslated string: fwhost err hostip
 WARNING: untranslated string: ike lifetime should be between 1 and 8 hours
 WARNING: untranslated string: no data
index f76cd5e..086dfbd 100644 (file)
@@ -233,6 +233,9 @@ WARNING: translation string unused: g.lite
 WARNING: translation string unused: gen static key
 WARNING: translation string unused: generate
 WARNING: translation string unused: genkey
+WARNING: translation string unused: geoipblock country code
+WARNING: translation string unused: geoipblock country name
+WARNING: translation string unused: geoipblock flag
 WARNING: translation string unused: green interface
 WARNING: translation string unused: gz with key
 WARNING: translation string unused: hint
@@ -650,6 +653,7 @@ WARNING: untranslated string: ccd none
 WARNING: untranslated string: ccd routes
 WARNING: untranslated string: ccd subnet
 WARNING: untranslated string: ccd used
+WARNING: untranslated string: check all
 WARNING: untranslated string: count
 WARNING: untranslated string: countries
 WARNING: untranslated string: country codes and flags
@@ -794,6 +798,7 @@ WARNING: untranslated string: fwdfw wd_thu
 WARNING: untranslated string: fwdfw wd_tue
 WARNING: untranslated string: fwdfw wd_wed
 WARNING: untranslated string: fwhost OpenVPN N-2-N
+WARNING: untranslated string: fwhost addgeoipgrp
 WARNING: untranslated string: fwhost addgrp
 WARNING: untranslated string: fwhost addgrpname
 WARNING: untranslated string: fwhost addhost
@@ -806,6 +811,9 @@ WARNING: untranslated string: fwhost ccdhost
 WARNING: untranslated string: fwhost ccdnet
 WARNING: untranslated string: fwhost change
 WARNING: untranslated string: fwhost cust addr
+WARNING: untranslated string: fwhost cust geoipgroup
+WARNING: untranslated string: fwhost cust geoipgrp
+WARNING: untranslated string: fwhost cust geoiplocation
 WARNING: untranslated string: fwhost cust grp
 WARNING: untranslated string: fwhost cust net
 WARNING: untranslated string: fwhost cust service
@@ -845,6 +853,7 @@ WARNING: untranslated string: fwhost ip_mac
 WARNING: untranslated string: fwhost ipsec net
 WARNING: untranslated string: fwhost menu
 WARNING: untranslated string: fwhost netaddress
+WARNING: untranslated string: fwhost newgeoipgrp
 WARNING: untranslated string: fwhost newgrp
 WARNING: untranslated string: fwhost newhost
 WARNING: untranslated string: fwhost newnet
@@ -1025,6 +1034,7 @@ WARNING: untranslated string: tor traffic limit hard
 WARNING: untranslated string: tor traffic limit soft
 WARNING: untranslated string: tor traffic read written
 WARNING: untranslated string: tor use exit nodes
+WARNING: untranslated string: uncheck all
 WARNING: untranslated string: uplink
 WARNING: untranslated string: upload dh key
 WARNING: untranslated string: uptime load average
index 178ddff..47ee3fb 100644 (file)
@@ -660,6 +660,7 @@ WARNING: untranslated string: ccd none
 WARNING: untranslated string: ccd routes
 WARNING: untranslated string: ccd subnet
 WARNING: untranslated string: ccd used
+WARNING: untranslated string: check all
 WARNING: untranslated string: count
 WARNING: untranslated string: countries
 WARNING: untranslated string: country codes and flags
@@ -805,6 +806,7 @@ WARNING: untranslated string: fwdfw wd_thu
 WARNING: untranslated string: fwdfw wd_tue
 WARNING: untranslated string: fwdfw wd_wed
 WARNING: untranslated string: fwhost OpenVPN N-2-N
+WARNING: untranslated string: fwhost addgeoipgrp
 WARNING: untranslated string: fwhost addgrp
 WARNING: untranslated string: fwhost addgrpname
 WARNING: untranslated string: fwhost addhost
@@ -817,6 +819,9 @@ WARNING: untranslated string: fwhost ccdhost
 WARNING: untranslated string: fwhost ccdnet
 WARNING: untranslated string: fwhost change
 WARNING: untranslated string: fwhost cust addr
+WARNING: untranslated string: fwhost cust geoipgroup
+WARNING: untranslated string: fwhost cust geoipgrp
+WARNING: untranslated string: fwhost cust geoiplocation
 WARNING: untranslated string: fwhost cust grp
 WARNING: untranslated string: fwhost cust net
 WARNING: untranslated string: fwhost cust service
@@ -856,6 +861,7 @@ WARNING: untranslated string: fwhost ip_mac
 WARNING: untranslated string: fwhost ipsec net
 WARNING: untranslated string: fwhost menu
 WARNING: untranslated string: fwhost netaddress
+WARNING: untranslated string: fwhost newgeoipgrp
 WARNING: untranslated string: fwhost newgrp
 WARNING: untranslated string: fwhost newhost
 WARNING: untranslated string: fwhost newnet
@@ -872,6 +878,13 @@ WARNING: untranslated string: fwhost used
 WARNING: untranslated string: fwhost welcome
 WARNING: untranslated string: gen dh
 WARNING: untranslated string: generate dh key
+WARNING: untranslated string: geoip
+WARNING: untranslated string: geoipblock
+WARNING: untranslated string: geoipblock block countries
+WARNING: untranslated string: geoipblock configuration
+WARNING: untranslated string: geoipblock country is allowed
+WARNING: untranslated string: geoipblock country is blocked
+WARNING: untranslated string: geoipblock enable feature
 WARNING: untranslated string: grouptype
 WARNING: untranslated string: hardware support
 WARNING: untranslated string: ike lifetime should be between 1 and 8 hours
@@ -1033,6 +1046,7 @@ WARNING: untranslated string: tor traffic limit hard
 WARNING: untranslated string: tor traffic limit soft
 WARNING: untranslated string: tor traffic read written
 WARNING: untranslated string: tor use exit nodes
+WARNING: untranslated string: uncheck all
 WARNING: untranslated string: uplink
 WARNING: untranslated string: upload dh key
 WARNING: untranslated string: upload new ruleset
index 0f69ce8..098f440 100644 (file)
@@ -672,13 +672,26 @@ WARNING: untranslated string: advproxy basic authentication
 WARNING: untranslated string: advproxy group access control
 WARNING: untranslated string: advproxy group required
 WARNING: untranslated string: bytes
+WARNING: untranslated string: check all
 WARNING: untranslated string: fwdfw err concon
 WARNING: untranslated string: fwdfw err ratecon
 WARNING: untranslated string: fwdfw limitconcon
 WARNING: untranslated string: fwdfw maxconcon
 WARNING: untranslated string: fwdfw numcon
 WARNING: untranslated string: fwdfw ratelimit
+WARNING: untranslated string: fwhost addgeoipgrp
+WARNING: untranslated string: fwhost cust geoipgroup
+WARNING: untranslated string: fwhost cust geoipgrp
+WARNING: untranslated string: fwhost cust geoiplocation
 WARNING: untranslated string: fwhost err hostip
+WARNING: untranslated string: fwhost newgeoipgrp
+WARNING: untranslated string: geoip
+WARNING: untranslated string: geoipblock
+WARNING: untranslated string: geoipblock block countries
+WARNING: untranslated string: geoipblock configuration
+WARNING: untranslated string: geoipblock country is allowed
+WARNING: untranslated string: geoipblock country is blocked
+WARNING: untranslated string: geoipblock enable feature
 WARNING: untranslated string: ike lifetime should be between 1 and 8 hours
 WARNING: untranslated string: incoming compression in bytes per second
 WARNING: untranslated string: incoming overhead in bytes per second
@@ -700,3 +713,7 @@ WARNING: untranslated string: routing config changed
 WARNING: untranslated string: routing table
 WARNING: untranslated string: samba join a domain
 WARNING: untranslated string: samba join domain
+WARNING: untranslated string: uncheck all
+WARNING: untranslated string: vpn statistic n2n
+WARNING: untranslated string: vpn statistic rw
+WARNING: untranslated string: vpn statistics n2n
index 1053474..602441d 100644 (file)
@@ -671,6 +671,7 @@ WARNING: untranslated string: advproxy group required
 WARNING: untranslated string: atm device
 WARNING: untranslated string: bytes
 WARNING: untranslated string: capabilities
+WARNING: untranslated string: check all
 WARNING: untranslated string: default
 WARNING: untranslated string: dh
 WARNING: untranslated string: dh key move failed
@@ -691,9 +692,21 @@ WARNING: untranslated string: fwdfw limitconcon
 WARNING: untranslated string: fwdfw maxconcon
 WARNING: untranslated string: fwdfw numcon
 WARNING: untranslated string: fwdfw ratelimit
+WARNING: untranslated string: fwhost addgeoipgrp
+WARNING: untranslated string: fwhost cust geoipgroup
+WARNING: untranslated string: fwhost cust geoipgrp
+WARNING: untranslated string: fwhost cust geoiplocation
 WARNING: untranslated string: fwhost err hostip
+WARNING: untranslated string: fwhost newgeoipgrp
 WARNING: untranslated string: gen dh
 WARNING: untranslated string: generate dh key
+WARNING: untranslated string: geoip
+WARNING: untranslated string: geoipblock
+WARNING: untranslated string: geoipblock block countries
+WARNING: untranslated string: geoipblock configuration
+WARNING: untranslated string: geoipblock country is allowed
+WARNING: untranslated string: geoipblock country is blocked
+WARNING: untranslated string: geoipblock enable feature
 WARNING: untranslated string: ike lifetime should be between 1 and 8 hours
 WARNING: untranslated string: imei
 WARNING: untranslated string: imsi
@@ -747,6 +760,7 @@ WARNING: untranslated string: show tls-auth key
 WARNING: untranslated string: software version
 WARNING: untranslated string: source ip country
 WARNING: untranslated string: ta key
+WARNING: untranslated string: uncheck all
 WARNING: untranslated string: upload dh key
 WARNING: untranslated string: vendor
 WARNING: untranslated string: vpn statistic n2n
index f76cd5e..086dfbd 100644 (file)
@@ -233,6 +233,9 @@ WARNING: translation string unused: g.lite
 WARNING: translation string unused: gen static key
 WARNING: translation string unused: generate
 WARNING: translation string unused: genkey
+WARNING: translation string unused: geoipblock country code
+WARNING: translation string unused: geoipblock country name
+WARNING: translation string unused: geoipblock flag
 WARNING: translation string unused: green interface
 WARNING: translation string unused: gz with key
 WARNING: translation string unused: hint
@@ -650,6 +653,7 @@ WARNING: untranslated string: ccd none
 WARNING: untranslated string: ccd routes
 WARNING: untranslated string: ccd subnet
 WARNING: untranslated string: ccd used
+WARNING: untranslated string: check all
 WARNING: untranslated string: count
 WARNING: untranslated string: countries
 WARNING: untranslated string: country codes and flags
@@ -794,6 +798,7 @@ WARNING: untranslated string: fwdfw wd_thu
 WARNING: untranslated string: fwdfw wd_tue
 WARNING: untranslated string: fwdfw wd_wed
 WARNING: untranslated string: fwhost OpenVPN N-2-N
+WARNING: untranslated string: fwhost addgeoipgrp
 WARNING: untranslated string: fwhost addgrp
 WARNING: untranslated string: fwhost addgrpname
 WARNING: untranslated string: fwhost addhost
@@ -806,6 +811,9 @@ WARNING: untranslated string: fwhost ccdhost
 WARNING: untranslated string: fwhost ccdnet
 WARNING: untranslated string: fwhost change
 WARNING: untranslated string: fwhost cust addr
+WARNING: untranslated string: fwhost cust geoipgroup
+WARNING: untranslated string: fwhost cust geoipgrp
+WARNING: untranslated string: fwhost cust geoiplocation
 WARNING: untranslated string: fwhost cust grp
 WARNING: untranslated string: fwhost cust net
 WARNING: untranslated string: fwhost cust service
@@ -845,6 +853,7 @@ WARNING: untranslated string: fwhost ip_mac
 WARNING: untranslated string: fwhost ipsec net
 WARNING: untranslated string: fwhost menu
 WARNING: untranslated string: fwhost netaddress
+WARNING: untranslated string: fwhost newgeoipgrp
 WARNING: untranslated string: fwhost newgrp
 WARNING: untranslated string: fwhost newhost
 WARNING: untranslated string: fwhost newnet
@@ -1025,6 +1034,7 @@ WARNING: untranslated string: tor traffic limit hard
 WARNING: untranslated string: tor traffic limit soft
 WARNING: untranslated string: tor traffic read written
 WARNING: untranslated string: tor use exit nodes
+WARNING: untranslated string: uncheck all
 WARNING: untranslated string: uplink
 WARNING: untranslated string: upload dh key
 WARNING: untranslated string: uptime load average
index f524498..94724d4 100644 (file)
@@ -653,6 +653,7 @@ WARNING: untranslated string: ccd none
 WARNING: untranslated string: ccd routes
 WARNING: untranslated string: ccd subnet
 WARNING: untranslated string: ccd used
+WARNING: untranslated string: check all
 WARNING: untranslated string: community rules
 WARNING: untranslated string: count
 WARNING: untranslated string: countries
@@ -789,6 +790,7 @@ WARNING: untranslated string: fwdfw wd_thu
 WARNING: untranslated string: fwdfw wd_tue
 WARNING: untranslated string: fwdfw wd_wed
 WARNING: untranslated string: fwhost OpenVPN N-2-N
+WARNING: untranslated string: fwhost addgeoipgrp
 WARNING: untranslated string: fwhost addgrp
 WARNING: untranslated string: fwhost addgrpname
 WARNING: untranslated string: fwhost addhost
@@ -801,6 +803,9 @@ WARNING: untranslated string: fwhost ccdhost
 WARNING: untranslated string: fwhost ccdnet
 WARNING: untranslated string: fwhost change
 WARNING: untranslated string: fwhost cust addr
+WARNING: untranslated string: fwhost cust geoipgroup
+WARNING: untranslated string: fwhost cust geoipgrp
+WARNING: untranslated string: fwhost cust geoiplocation
 WARNING: untranslated string: fwhost cust grp
 WARNING: untranslated string: fwhost cust net
 WARNING: untranslated string: fwhost cust service
@@ -840,6 +845,7 @@ WARNING: untranslated string: fwhost ip_mac
 WARNING: untranslated string: fwhost ipsec net
 WARNING: untranslated string: fwhost menu
 WARNING: untranslated string: fwhost netaddress
+WARNING: untranslated string: fwhost newgeoipgrp
 WARNING: untranslated string: fwhost newgrp
 WARNING: untranslated string: fwhost newhost
 WARNING: untranslated string: fwhost newnet
@@ -856,6 +862,13 @@ WARNING: untranslated string: fwhost used
 WARNING: untranslated string: fwhost welcome
 WARNING: untranslated string: gen dh
 WARNING: untranslated string: generate dh key
+WARNING: untranslated string: geoip
+WARNING: untranslated string: geoipblock
+WARNING: untranslated string: geoipblock block countries
+WARNING: untranslated string: geoipblock configuration
+WARNING: untranslated string: geoipblock country is allowed
+WARNING: untranslated string: geoipblock country is blocked
+WARNING: untranslated string: geoipblock enable feature
 WARNING: untranslated string: grouptype
 WARNING: untranslated string: hardware support
 WARNING: untranslated string: ike lifetime should be between 1 and 8 hours
@@ -1014,6 +1027,7 @@ WARNING: untranslated string: tor traffic limit hard
 WARNING: untranslated string: tor traffic limit soft
 WARNING: untranslated string: tor traffic read written
 WARNING: untranslated string: tor use exit nodes
+WARNING: untranslated string: uncheck all
 WARNING: untranslated string: uplink
 WARNING: untranslated string: upload dh key
 WARNING: untranslated string: uptime load average
index 310b636..6f846c7 100644 (file)
@@ -664,7 +664,20 @@ WARNING: translation string unused: year-graph
 WARNING: translation string unused: yearly firewallhits
 WARNING: untranslated string: Scan for Songs
 WARNING: untranslated string: bytes
+WARNING: untranslated string: check all
+WARNING: untranslated string: fwhost addgeoipgrp
+WARNING: untranslated string: fwhost cust geoipgroup
+WARNING: untranslated string: fwhost cust geoipgrp
+WARNING: untranslated string: fwhost cust geoiplocation
 WARNING: untranslated string: fwhost err hostip
+WARNING: untranslated string: fwhost newgeoipgrp
+WARNING: untranslated string: geoip
+WARNING: untranslated string: geoipblock
+WARNING: untranslated string: geoipblock block countries
+WARNING: untranslated string: geoipblock configuration
+WARNING: untranslated string: geoipblock country is allowed
+WARNING: untranslated string: geoipblock country is blocked
+WARNING: untranslated string: geoipblock enable feature
 WARNING: untranslated string: ike lifetime should be between 1 and 8 hours
 WARNING: untranslated string: incoming compression in bytes per second
 WARNING: untranslated string: incoming overhead in bytes per second
@@ -677,6 +690,7 @@ WARNING: untranslated string: route config changed
 WARNING: untranslated string: routing config added
 WARNING: untranslated string: routing config changed
 WARNING: untranslated string: routing table
+WARNING: untranslated string: uncheck all
 WARNING: untranslated string: vpn statistic n2n
 WARNING: untranslated string: vpn statistic rw
 WARNING: untranslated string: vpn statistics n2n
index 0d73d2a..9fdc0d2 100644 (file)
@@ -29,6 +29,7 @@
 < atm device
 < attention
 < bit
+< block
 < capabilities
 < ccd add
 < ccd choose net
@@ -70,6 +71,7 @@
 < ccd routes
 < ccd subnet
 < ccd used
+< check all
 < ConnSched dial
 < ConnSched hangup
 < ConnSched reboot
 < fwdfw wd_tue
 < fwdfw wd_wed
 < fwdfw xt access
+< fwhost addgeoipgrp
 < fwhost addgrp
 < fwhost addgrpname
 < fwhost addhost
 < fwhost change
 < fwhost changeremark
 < fwhost cust addr
+< fwhost cust geoip
+< fwhost cust geoipgroup
+< fwhost cust geoiplocation
 < fwhost cust grp
 < fwhost cust net
 < fwhost Custom Host
 < fwhost IpSec Network
 < fwhost menu
 < fwhost netaddress
+< fwhost newgeoipgrp
 < fwhost newgrp
 < fwhost newhost
 < fwhost newnet
 < fw settings ruletable
 < gen dh
 < generate dh key
+< geoip
+< geoipblock
+< geoipblock block countries
+< geoipblock configuration
+< geoipblock country code
+< geoipblock country is allowed
+< geoipblock country is blocked
+< geoipblock country name
+< geoipblock enable feature
+< geoipblock flag
 < grouptype
 < hardware support
 < imei
 < tor traffic limit soft
 < tor traffic read written
 < tor use exit nodes
+< unblock
+< unblock all
+< uncheck all
 < updxlrtr sources
 < updxlrtr standard view
 < uplink
 < atm device
 < attention
 < bit
+< block
 < capabilities
 < ccd add
 < ccd choose net
 < ccd routes
 < ccd subnet
 < ccd used
+< check all
 < ConnSched dial
 < ConnSched hangup
 < ConnSched reboot
 < fwdfw wd_tue
 < fwdfw wd_wed
 < fwdfw xt access
+< fwhost addgeoipgrp
 < fwhost addgrp
 < fwhost addgrpname
 < fwhost addhost
 < fwhost change
 < fwhost changeremark
 < fwhost cust addr
+< fwhost cust geoip
+< fwhost cust geoipgroup
+< fwhost cust geoiplocation
 < fwhost cust grp
 < fwhost cust net
 < fwhost Custom Host
 < fwhost IpSec Network
 < fwhost menu
 < fwhost netaddress
+< fwhost newgeoipgrp
 < fwhost newgrp
 < fwhost newhost
 < fwhost newnet
 < tor traffic limit soft
 < tor traffic read written
 < tor use exit nodes
+< unblock
+< unblock all
+< uncheck all
 < updxlrtr sources
 < updxlrtr standard view
 < uplink
 < atm device
 < attention
 < bit
+< block
 < capabilities
 < ccd add
 < ccd choose net
 < ccd routes
 < ccd subnet
 < ccd used
+< check all
 < ConnSched dial
 < ConnSched hangup
 < ConnSched reboot
 < fwdfw wd_tue
 < fwdfw wd_wed
 < fwdfw xt access
+< fwhost addgeoipgrp
 < fwhost addgrp
 < fwhost addgrpname
 < fwhost addhost
 < fwhost change
 < fwhost changeremark
 < fwhost cust addr
+< fwhost cust geoip
+< fwhost cust geoipgroup
+< fwhost cust geoiplocation
 < fwhost cust grp
 < fwhost cust net
 < fwhost Custom Host
 < fwhost IpSec Network
 < fwhost menu
 < fwhost netaddress
+< fwhost newgeoipgrp
 < fwhost newgrp
 < fwhost newhost
 < fwhost newnet
 < fw settings ruletable
 < gen dh
 < generate dh key
+< geoip
+< geoipblock
+< geoipblock block countries
+< geoipblock configuration
+< geoipblock country code
+< geoipblock country is allowed
+< geoipblock country is blocked
+< geoipblock country name
+< geoipblock enable feature
+< geoipblock flag
 < grouptype
 < hardware support
 < imei
 < tor traffic limit soft
 < tor traffic read written
 < tor use exit nodes
+< unblock
+< unblock all
+< uncheck all
 < updxlrtr sources
 < updxlrtr standard view
 < uplink
 < atm device
 < attention
 < bit
+< block
 < capabilities
 < ccd add
 < ccd choose net
 < ccd routes
 < ccd subnet
 < ccd used
+< check all
 < ConnSched dial
 < ConnSched hangup
 < ConnSched reboot
 < fwdfw wd_tue
 < fwdfw wd_wed
 < fwdfw xt access
+< fwhost addgeoipgrp
 < fwhost addgrp
 < fwhost addgrpname
 < fwhost addhost
 < fwhost change
 < fwhost changeremark
 < fwhost cust addr
+< fwhost cust geoip
+< fwhost cust geoipgroup
+< fwhost cust geoiplocation
 < fwhost cust grp
 < fwhost cust net
 < fwhost Custom Host
 < fwhost IpSec Network
 < fwhost menu
 < fwhost netaddress
+< fwhost newgeoipgrp
 < fwhost newgrp
 < fwhost newhost
 < fwhost newnet
 < fw settings ruletable
 < gen dh
 < generate dh key
+< geoip
+< geoipblock
+< geoipblock block countries
+< geoipblock configuration
+< geoipblock country code
+< geoipblock country is allowed
+< geoipblock country is blocked
+< geoipblock country name
+< geoipblock enable feature
+< geoipblock flag
 < grouptype
 < hardware support
 < hour-graph
 < tor traffic limit soft
 < tor traffic read written
 < tor use exit nodes
+< unblock
+< unblock all
+< uncheck all
 < updxlrtr sources
 < updxlrtr standard view
 < uplink
index 76035fb..65ce154 100644 (file)
@@ -21,7 +21,7 @@
 
 use strict;
 
-use Locale::Country;
+use Locale::Codes::Country;
 
 my $flagdir = '/srv/web/ipfire/html/images/flags';
 my $lines = '1';
index 39b732c..c207ec7 100644 (file)
@@ -33,6 +33,7 @@ no warnings 'uninitialized';
 require '/var/ipfire/general-functions.pl';
 require "${General::swroot}/lang.pl";
 require "${General::swroot}/header.pl";
+require "${General::swroot}/geoip-functions.pl";
 require "/usr/lib/firewall/firewall-lib.pl";
 
 unless (-d "${General::swroot}/firewall")                      { system("mkdir ${General::swroot}/firewall"); }
@@ -47,6 +48,7 @@ my %defaultNetworks=();
 my %netsettings=();
 my %customhost=();
 my %customgrp=();
+my %customgeoipgrp=();
 my %customnetworks=();
 my %customservice=();
 my %customservicegrp=();
@@ -74,6 +76,7 @@ my $color;
 my $confignet          = "${General::swroot}/fwhosts/customnetworks";
 my $confighost         = "${General::swroot}/fwhosts/customhosts";
 my $configgrp          = "${General::swroot}/fwhosts/customgroups";
+my $configgeoipgrp     = "${General::swroot}/fwhosts/customgeoipgrp";
 my $configsrv          = "${General::swroot}/fwhosts/customservices";
 my $configsrvgrp       = "${General::swroot}/fwhosts/customservicegrp";
 my $configccdnet       = "${General::swroot}/ovpn/ccd.conf";
@@ -154,6 +157,19 @@ print<<END;
                        \$("#actions").toggle();
                });
 
+               // Hide SNAT items when DNAT is selected and vice versa.
+               if (\$('input[name=nat]:checked').val() == 'dnat') {
+                       \$('.snat').hide();
+               } else {
+                       \$('.dnat').hide();
+               }
+
+               // Show/Hide elements when SNAT/DNAT get changed.
+               \$('input[name=nat]').change(function() {
+                       \$('.snat').toggle();
+                       \$('.dnat').toggle();
+               });
+
                // Time constraints
                if(!\$("#USE_TIME_CONSTRAINTS").attr("checked")) {
                        \$("#TIME_CONSTRAINTS").hide();
@@ -1060,6 +1076,54 @@ END
                }
                print"</select></td>";
        }
+       # geoip locations / groups.
+       my @geoip_locations = &fwlib::get_geoip_locations();
+
+       print "<tr>\n";
+       print "<td valign='top'><input type='radio' name='$grp' id='cust_geoip_$srctgt' value='cust_geoip_$srctgt' $checked{$grp}{'cust_geoip_'.$srctgt}></td>\n";
+       print "<td>$Lang::tr{'geoip'}</td>\n";
+       print "<td align='right'><select name='cust_geoip_$srctgt' style='width:200px;'>\n";
+
+       # Add GeoIP groups to dropdown.
+       if (!-z $configgeoipgrp) {
+               print "<optgroup label='$Lang::tr{'fwhost cust geoipgroup'}'>\n";
+               foreach my $key (sort { ncmp($customgeoipgrp{$a}[0],$customgeoipgrp{$b}[0]) } keys %customgeoipgrp) {
+                       my $selected;
+
+                       # Generate stored value for select detection.
+                       my $stored = join(':', "group",$customgeoipgrp{$key}[0]);
+
+                       # Only show a group once and group with elements.
+                       if($helper ne $customgeoipgrp{$key}[0] && $customgeoipgrp{$key}[2] ne 'none') {
+                               # Mark current entry as selected.
+                               if ($fwdfwsettings{$fwdfwsettings{$grp}} eq $stored) {
+                                       $selected = "selected='selected'";
+                               }
+                                print"<option $selected value='group:$customgeoipgrp{$key}[0]'>$customgeoipgrp{$key}[0]</option>\n";
+                        }
+                        $helper=$customgeoipgrp{$key}[0];
+                }
+               print "</optgroup>\n";
+       }
+
+       # Add locations.
+       print "<optgroup label='$Lang::tr{'fwhost cust geoiplocation'}'>\n";
+       foreach my $location (@geoip_locations) {
+               # Get country name.
+               my $country_name = &GeoIP::get_full_country_name($location);
+
+               # Mark current entry as selected.
+               my $selected;
+               if ($fwdfwsettings{$fwdfwsettings{$grp}} eq $location) {
+                       $selected = "selected='selected'";
+               }
+               print "<option $selected value='$location'>$location - $country_name</option>\n";
+       }
+       print "</optgroup>\n";
+
+       # Close GeoIP dropdown.
+       print "</select></td>\n";
+
        #End left table. start right table (vpn)
        print"</tr></table></td><td valign='top'><table width='95%' border='0' align='right'><tr>";
        # CCD networks
@@ -1397,6 +1461,7 @@ sub newrule
        &General::readhasharray("$confighost", \%customhost);
        &General::readhasharray("$configccdhost", \%ccdhost);
        &General::readhasharray("$configgrp", \%customgrp);
+       &General::readhasharray("$configgeoipgrp", \%customgeoipgrp);
        &General::readhasharray("$configipsec", \%ipsecconf);
        &General::get_aliases(\%aliases);
        my %checked=();
@@ -1591,7 +1656,7 @@ END
                                $Lang::tr{'fwdfw use nat'}
                        </label>
                        <div class="NAT">
-                               <table width='100%' border='0'>
+                               <table class='fw-nat' width='100%' border='0'>
                                        <tr>
                                                <td width='5%'></td>
                                                <td width='40%'>
@@ -1603,9 +1668,9 @@ END
 END
 
        print <<END;
-                                               <td width='25%' align='right'>$Lang::tr{'dnat address'}:</td>
+                                               <td width='25%' align='right'><span class='dnat'>$Lang::tr{'dnat address'}:</span></td>
                                                <td width='30%'>
-                                                       <select name='dnat' style='width: 100%;'>
+                                                       <select name='dnat' class='dnat' style='width: 100%;'>
                                                                <option value='AUTO' $selected{'dnat'}{'AUTO'}>- $Lang::tr{'automatic'} -</option>
                                                                <option value='Default IP' $selected{'dnat'}{'Default IP'}>$Lang::tr{'red1'} ($redip)</option>
 END
@@ -1636,9 +1701,9 @@ END
                                                                $Lang::tr{'fwdfw snat'}
                                                        </label>
                                                </td>
-                                               <td width='25%' align='right'>$Lang::tr{'snat new source ip address'}:</td>
+                                               <td width='25%' align='right'><span class='snat'>$Lang::tr{'snat new source ip address'}:</span></td>
                                                <td width='30%'>
-                                                       <select name='snat' style='width: 100%;'>
+                                                       <select name='snat' class='snat' style='width: 100%;'>
 END
 
                foreach my $alias (sort keys %aliases) {
@@ -2525,6 +2590,13 @@ END
                                }else{
                                        print $$hash{$key}[4];
                                }
+                       }elsif ($$hash{$key}[3] eq 'cust_geoip_src') {
+                               my ($split1,$split2) = split(":", $$hash{$key}[4]);
+                               if ($split2) {
+                                       print "$split2\n";
+                               }else{
+                                       print "$Lang::tr{'geoip'}: $$hash{$key}[4]\n";
+                               }
                        }elsif ($$hash{$key}[4] eq 'RED1'){
                                print "$ipfireiface $Lang::tr{'fwdfw red'}";
                        }elsif ($$hash{$key}[4] eq 'ALL'){
@@ -2601,6 +2673,13 @@ END
                                }else{
                                        print $$hash{$key}[6];
                                }
+                       }elsif ($$hash{$key}[5] eq 'cust_geoip_tgt') {
+                               my ($split1,$split2) = split(":", $$hash{$key}[6]);
+                               if ($split2) {
+                                       print "$split2\n";
+                               }else{
+                                       print "$Lang::tr{'geoip'}: $$hash{$key}[6]\n";
+                               }
                        }elsif ($$hash{$key}[5] eq 'tgt_addr'){
                                my ($split1,$split2) = split("/",$$hash{$key}[6]);
                                if ($split2 eq '32'){
@@ -2618,7 +2697,6 @@ END
                        #RULE ACTIVE
                        if($$hash{$key}[2] eq 'ON'){
                                $gif="/images/on.gif"
-                               
                        }else{
                                $gif="/images/off.gif"
                        }
index f42947e..994a50a 100644 (file)
@@ -27,6 +27,8 @@ use Sort::Naturally;
 use CGI::Carp 'fatalsToBrowser';
 no warnings 'uninitialized';
 require '/var/ipfire/general-functions.pl';
+require "/var/ipfire/geoip-functions.pl";
+require "/usr/lib/firewall/firewall-lib.pl";
 require "${General::swroot}/lang.pl";
 require "${General::swroot}/header.pl";
 
@@ -36,6 +38,7 @@ my %customhost=();
 my %customgrp=();
 my %customservice=();
 my %customservicegrp=();
+my %customgeoipgrp=();
 my %ccdnet=();
 my %ccdhost=();
 my %ipsecconf=();
@@ -62,6 +65,7 @@ my $configccdhost     = "${General::swroot}/ovpn/ovpnconfig";
 my $configipsec                = "${General::swroot}/vpn/config";
 my $configsrv          = "${General::swroot}/fwhosts/customservices";
 my $configsrvgrp       = "${General::swroot}/fwhosts/customservicegrp";
+my $configgeoipgrp     = "${General::swroot}/fwhosts/customgeoipgrp";
 my $fwconfigfwd                = "${General::swroot}/firewall/config";
 my $fwconfiginp                = "${General::swroot}/firewall/input";
 my $fwconfigout                = "${General::swroot}/firewall/outgoing";
@@ -73,6 +77,7 @@ unless (-e $confighost)   { system("touch $confighost"); }
 unless (-e $configgrp)    { system("touch $configgrp"); }
 unless (-e $configsrv)    { system("touch $configsrv"); }
 unless (-e $configsrvgrp) { system("touch $configsrvgrp"); }
+unless (-e $configgeoipgrp) { system("touch $configgeoipgrp"); }
 
 &General::readhash("${General::swroot}/main/settings", \%mainsettings);
 &General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color);
@@ -671,6 +676,87 @@ if ($fwhostsettings{'ACTION'} eq 'savegrp')
                &addgrp;
                &viewtablegrp;
 }
+if ($fwhostsettings{'ACTION'} eq 'savegeoipgrp')
+{
+       my $grp=$fwhostsettings{'grp_name'};
+       my $rem=$fwhostsettings{'remark'};
+       my $count;
+       my $type;
+       my @target;
+       my @newgrp;
+       &General::readhasharray("$configgeoipgrp", \%customgeoipgrp);
+       &General::readhasharray("$fwconfigfwd", \%fwfwd);
+       &General::readhasharray("$fwconfiginp", \%fwinp);
+       &General::readhasharray("$fwconfigout", \%fwout);
+
+       # Check for existing group name.
+       if (!&checkgroup($grp) && $fwhostsettings{'update'} ne 'on'){
+               $errormessage = $Lang::tr{'fwhost err grpexist'};
+       }
+
+       # Check remark.
+       if ($rem ne '' && !&validremark($rem) && $fwhostsettings{'update'} ne 'on'){
+               $errormessage = $Lang::tr{'fwhost err remark'};
+       }
+
+       if ($fwhostsettings{'update'} eq 'on'){
+               @target=$fwhostsettings{'COUNTRY_CODE'};
+               $type='GeoIP Group';
+
+               #check if host/net exists in grp
+               my $test="$grp,$fwhostsettings{'oldremark'},@target";
+               foreach my $key (keys %customgeoipgrp) {
+                       my $test1="$customgeoipgrp{$key}[0],$customgeoipgrp{$key}[1],$customgeoipgrp{$key}[2]";
+                       if ($test1 eq $test){
+                               $errormessage=$Lang::tr{'fwhost err isingrp'};
+                               $fwhostsettings{'update'} = 'on';
+                       }
+               }
+       }
+
+       if (!$errormessage){
+               #on first save, we have an empty @target, so fill it with nothing
+               my $targetvalues=@target;
+               if ($targetvalues == '0'){
+                       @target="none";
+               }
+               #on update, we have to delete the dummy entry
+               foreach my $key (keys %customgeoipgrp){
+                       if ($customgeoipgrp{$key}[0] eq $grp && $customgeoipgrp{$key}[2] eq "none"){
+                               delete $customgeoipgrp{$key};
+                               last;
+                       }
+               }
+               &General::writehasharray("$configgeoipgrp", \%customgeoipgrp);
+               &General::readhasharray("$configgeoipgrp", \%customgeoipgrp);
+               #create array with new lines
+               foreach my $line (@target){
+                       push (@newgrp,"$grp,$rem,$line");
+               }
+               #append new entries
+               my $key = &General::findhasharraykey (\%customgeoipgrp);
+               foreach my $line (@newgrp){
+                       foreach my $i (0 .. 3) { $customgeoipgrp{$key}[$i] = "";}
+                       my ($a,$b,$c,$d) = split (",",$line);
+                       $customgeoipgrp{$key}[0] = $a;
+                       $customgeoipgrp{$key}[1] = $b;
+                       $customgeoipgrp{$key}[2] = $c;
+                       $customgeoipgrp{$key}[3] = $type;
+               }
+               &General::writehasharray("$configgeoipgrp", \%customgeoipgrp);
+               #update counter in Host/Net
+               $fwhostsettings{'update'}='on';
+       }
+               #check if ruleupdate is needed
+               my $geoipgrpcount=0;
+               $geoipgrpcount=&getgeoipcount($grp);
+               if($geoipgrpcount > 0 )
+               {
+                       &General::firewall_config_changed();
+               }
+               &addgeoipgrp;
+               &viewtablegeoipgrp;
+}
 if ($fwhostsettings{'ACTION'} eq 'saveservice')
 {
        my $ICMP;
@@ -798,6 +884,12 @@ if ($fwhostsettings{'ACTION'} eq 'editgrp')
        &addgrp;
        &viewtablegrp;
 }
+if ($fwhostsettings{'ACTION'} eq 'editgeoipgrp')
+{
+       $fwhostsettings{'update'}='on';
+       &addgeoipgrp;
+       &viewtablegeoipgrp;
+}
 if ($fwhostsettings{'ACTION'} eq 'editservice')
 {
        $fwhostsettings{'updatesrv'}='on';
@@ -830,6 +922,12 @@ if ($fwhostsettings{'ACTION'} eq 'resetgrp')
        $fwhostsettings{'remark'}       ="";
        &showmenu;
 }
+if ($fwhostsettings{'ACTION'} eq 'resetgeoipgrp')
+{
+       $fwhostsettings{'grp_name'} ="";
+       $fwhostsettings{'remark'}       ="";
+       &showmenu;
+}
 # delete
 if ($fwhostsettings{'ACTION'} eq 'delnet')
 {
@@ -887,6 +985,37 @@ if ($fwhostsettings{'ACTION'} eq 'deletegrphost')
        &addgrp;
        &viewtablegrp;
 }
+if ($fwhostsettings{'ACTION'} eq 'deletegeoipgrpentry')
+{
+        my $grpremark;
+        my $grpname;
+        &General::readhasharray("$configgeoipgrp", \%customgeoipgrp);
+        foreach my $key (keys %customgeoipgrp){
+                if($customgeoipgrp{$key}[0].",".$customgeoipgrp{$key}[1].",".$customgeoipgrp{$key}[2].",".$customgeoipgrp{$key}[3] eq $fwhostsettings{'delentry'}){
+                        $grpname=$customgeoipgrp{$key}[0];
+                        $grpremark=$customgeoipgrp{$key}[1];
+                        #check if we delete the last entry, then generate dummy
+                        if ($fwhostsettings{'last'} eq 'on'){
+                                $customgeoipgrp{$key}[1] = '';
+                                $customgeoipgrp{$key}[2] = 'none';
+                                $customgeoipgrp{$key}[3] = '';
+                                $fwhostsettings{'last'}='';
+                                last;
+                        }else{
+                                delete $customgeoipgrp{$key};
+                        }
+                }
+        }
+        &General::writehasharray("$configgeoipgrp", \%customgeoipgrp);
+        &General::firewall_config_changed();
+        if ($fwhostsettings{'update'} eq 'on'){
+                $fwhostsettings{'remark'}= $grpremark;
+                $fwhostsettings{'grp_name'}=$grpname;
+        }
+        &addgeoipgrp;
+        &viewtablegeoipgrp;
+}
+
 if ($fwhostsettings{'ACTION'} eq 'delgrp')
 {
        &General::readhasharray("$configgrp", \%customgrp);
@@ -903,6 +1032,22 @@ if ($fwhostsettings{'ACTION'} eq 'delgrp')
        &addgrp;
        &viewtablegrp;
 }
+if ($fwhostsettings{'ACTION'} eq 'delgeoipgrp')
+{
+       &General::readhasharray("$configgeoipgrp", \%customgeoipgrp);
+       &decrease($fwhostsettings{'grp_name'});
+       foreach my $key (sort keys %customgeoipgrp)
+       {
+               if($customgeoipgrp{$key}[0] eq $fwhostsettings{'grp_name'})
+               {
+                       delete $customgeoipgrp{$key};
+               }
+       }
+       &General::writehasharray("$configgeoipgrp", \%customgeoipgrp);
+       $fwhostsettings{'grp_name'}='';
+       &addgeoipgrp;
+       &viewtablegeoipgrp;
+}
 if ($fwhostsettings{'ACTION'} eq 'delservice')
 {
        &General::readhasharray("$configsrv", \%customservice);
@@ -977,6 +1122,11 @@ if ($fwhostsettings{'ACTION'} eq $Lang::tr{'fwhost newgrp'})
        &addgrp;
        &viewtablegrp;
 }
+if ($fwhostsettings{'ACTION'} eq $Lang::tr{'fwhost newgeoipgrp'})
+{
+       &addgeoipgrp;
+       &viewtablegeoipgrp;
+}
 if ($fwhostsettings{'ACTION'} eq $Lang::tr{'fwhost newservice'})
 {
        &addservice;
@@ -1011,6 +1161,31 @@ if ($fwhostsettings{'ACTION'} eq 'changegrpremark')
        &addgrp;
        &viewtablegrp;
 }
+if ($fwhostsettings{'ACTION'} eq 'changegeoipgrpremark')
+{
+       &General::readhasharray("$configgeoipgrp", \%customgeoipgrp);
+       if ($fwhostsettings{'oldrem'} ne $fwhostsettings{'newrem'} && (&validremark($fwhostsettings{'newrem'}) || $fwhostsettings{'newrem'} eq '')){
+               foreach my $key (sort keys %customgeoipgrp)
+                       {
+                               if($customgeoipgrp{$key}[0] eq $fwhostsettings{'grp'} && $customgeoipgrp{$key}[1] eq $fwhostsettings{'oldrem'})
+                               {
+                                       $customgeoipgrp{$key}[1]='';
+                                       $customgeoipgrp{$key}[1]=$fwhostsettings{'newrem'};
+                               }
+                       }
+                       &General::writehasharray("$configgeoipgrp", \%customgeoipgrp);
+                       $fwhostsettings{'update'}='on';
+                       $fwhostsettings{'remark'}=$fwhostsettings{'newrem'};
+       }else{
+               $errormessage=$Lang::tr{'fwhost err remark'};
+               $fwhostsettings{'remark'}=$fwhostsettings{'oldrem'};
+               $fwhostsettings{'grp_name'}=$fwhostsettings{'grp'};
+               $fwhostsettings{'update'} = 'on';
+       }
+       $fwhostsettings{'grp_name'}=$fwhostsettings{'grp'};
+       &addgeoipgrp;
+       &viewtablegeoipgrp;
+}
 if ($fwhostsettings{'ACTION'} eq 'changesrvgrpremark')
 {
        &General::readhasharray("$configsrvgrp", \%customservicegrp );
@@ -1085,6 +1260,29 @@ if ($fwhostsettings{'ACTION'} eq 'changegrpname')
        &addgrp;
        &viewtablegrp;
 }
+if ($fwhostsettings{'ACTION'} eq 'changegeoipgrpname')
+{
+       &General::readhasharray("$configgeoipgrp", \%customgeoipgrp );
+       if ($fwhostsettings{'oldgrpname'} ne $fwhostsettings{'grp'}){
+               #Check new groupname
+               if (!&validhostname($fwhostsettings{'grp'})){
+                       $errormessage.=$Lang::tr{'fwhost err name'}."<br>";
+               }
+               if (!$errormessage){
+                       # Rename group.
+                       foreach my $key (keys %customgeoipgrp) {
+                               if($customgeoipgrp{$key}[0] eq $fwhostsettings{'oldgrpname'}){
+                                       $customgeoipgrp{$key}[0]=$fwhostsettings{'grp'};
+                               }
+                       }
+                       &General::writehasharray("$configgeoipgrp", \%customgeoipgrp );
+                       #change name in FW Rules
+                       &changenameinfw($fwhostsettings{'oldgrpname'},$fwhostsettings{'grp'},6);
+               }
+       }
+       &addgeoipgrp;
+       &viewtablegeoipgrp;
+}
 ###  VIEW  ###
 if($fwhostsettings{'ACTION'} eq '')
 {
@@ -1096,7 +1294,7 @@ sub showmenu {
        print "$Lang::tr{'fwhost welcome'}";
        print<<END;
        <br><br><table border='0' width='100%'>
-       <tr><td><form method='post'><input type='submit' name='ACTION' value='$Lang::tr{'fwhost newnet'}' ><input type='submit' name='ACTION' value='$Lang::tr{'fwhost newhost'}' ><input type='submit' name='ACTION' value='$Lang::tr{'fwhost newgrp'}' ></form></td>
+       <tr><td><form method='post'><input type='submit' name='ACTION' value='$Lang::tr{'fwhost newnet'}' ><input type='submit' name='ACTION' value='$Lang::tr{'fwhost newhost'}' ><input type='submit' name='ACTION' value='$Lang::tr{'fwhost newgrp'}' ><input type='submit' name='ACTION' value='$Lang::tr{'fwhost newgeoipgrp'}' ></form></td>
        <td align='right'><form method='post'><input type='submit' name='ACTION' value='$Lang::tr{'fwhost newservice'}' ><input type='submit' name='ACTION' value='$Lang::tr{'fwhost newservicegrp'}' ></form></td></tr>
        <tr><td colspan='6'></td></tr></table>
 END
@@ -1381,6 +1579,113 @@ END
                print"<tr><td style='text-align:right;'><input type='submit' value='$Lang::tr{'add'}' style='min-width:100px;' /><input type='hidden' name='oldremark' value='$fwhostsettings{'oldremark'}'><input type='hidden' name='update' value=\"$fwhostsettings{'update'}\"><input type='hidden' name='ACTION' value='savegrp' ></form><form method='post' style='display:inline'><input type='submit' value='$Lang::tr{'fwhost back'}' style='min-width:100px;'><input type='hidden' name='ACTION' value='resetgrp'></form></td></table>";
        &Header::closebox();
 }
+sub addgeoipgrp
+{
+       &hint;
+       &error;
+       &showmenu;
+       &Header::openbox('100%', 'left', $Lang::tr{'fwhost addgeoipgrp'});
+
+       my %checked=();
+       my $show='';
+       $checked{'check1'}{'off'} = '';
+       $checked{'check1'}{'on'} = '';
+       $checked{'grp2'}{$fwhostsettings{'grp2'}} = 'CHECKED';
+       $fwhostsettings{'oldremark'}=$fwhostsettings{'remark'};
+       $fwhostsettings{'oldgrpname'}=$fwhostsettings{'grp_name'};
+       my $grp=$fwhostsettings{'grp_name'};
+       my $rem=$fwhostsettings{'remark'};
+               if ($fwhostsettings{'update'} eq ''){
+                       print<<END;
+               <table width='100%' border='0'>
+                       <tr>
+                               <td style='width:15%;'>$Lang::tr{'fwhost addgrpname'}</td>
+                               <td><form method='post'><input type='TEXT' name='grp_name' value='$fwhostsettings{'grp_name'}' size='30'></td>
+                       </tr>
+                       <tr>
+                               <td>$Lang::tr{'remark'}:</td>
+                               <td ><input type='TEXT' name='remark' value='$fwhostsettings{'remark'}' style='width: 99%;'></td>
+                       </tr>
+                       <tr>
+                               <td colspan='2'><br></td>
+                       </tr>
+               </table>
+END
+               } else {
+                       print<<END;
+                       <table width='100%' border='0'>
+                               <form method='post'><tr>
+                                       <td style='width:15%;'>$Lang::tr{'fwhost addgrpname'}</td>
+                                       <td style='width:30%;'><input type='TEXT' name='grp'  value='$fwhostsettings{'grp_name'}' size='30'></td>
+                                       <td>
+                                               <input type='submit' value='$Lang::tr{'fwhost change'}'>
+                                               <input type='hidden' name='oldgrpname' value='$fwhostsettings{'oldgrpname'}'>
+                                               <input type='hidden' name='ACTION' value='changegeoipgrpname'>
+                                       </td>
+                                       <td></td>
+                               </tr></form>
+                               <tr><form method='post' style='display:inline'>
+                                       <td>$Lang::tr{'remark'}:</td>
+                                       <td colspan='2' style='width:98%;'>
+                                               <input type='TEXT' name='newrem' value='$fwhostsettings{'remark'}' style='width:98%;'>
+                                       </td>
+                                       <td align='right'>
+                                               <input type='submit' value='$Lang::tr{'fwhost change'}'>
+                                               <input type='hidden' name='grp' value='$fwhostsettings{'grp_name'}'>
+                                               <input type='hidden' name='oldrem' value='$fwhostsettings{'oldremark'}'>
+                                               <input type='hidden' name='ACTION' value='changegeoipgrpremark'>
+                                       </td>
+                               </tr></form>
+                       </table>
+                       <br><br>
+END
+               }
+               if ($fwhostsettings{'update'} eq 'on') {
+                       my @geoip_locations = &fwlib::get_geoip_locations();
+
+                       print<<END;
+                       <form method='post'>
+                       <input type='hidden' name='remark' value='$rem'>
+                       <input type='hidden' name='grp_name' value='$grp'>
+
+                       <table width='100%' border='0'>
+                               <tr>
+                                       <td style='text-align:left;'>
+                                               <select name='COUNTRY_CODE' style='width:16em;'>";
+END
+                               foreach my $location (@geoip_locations) {
+                                       # Get full country name.
+                                       my $fullname = &GeoIP::get_full_country_name($location);
+
+                                       print"<option value='$location'>$location - $fullname</option>\n";
+                               }
+       print <<END;
+                                               </select>
+                                       </td>
+                               </tr>
+                       </table>
+                       <br><br>
+END
+               }
+       print <<END;
+               <table width='100%'>
+                       <tr><td style='text-align:right;'>
+                               <input type='submit' value='$Lang::tr{'add'}' style='min-width:100px;' />
+                               <input type='hidden' name='oldremark' value='$fwhostsettings{'oldremark'}'>
+                               <input type='hidden' name='update' value=\"$fwhostsettings{'update'}\">
+                               <input type='hidden' name='ACTION' value='savegeoipgrp' >
+                       </form>
+
+                       <form method='post' style='display:inline'>
+
+                       <input type='submit' value='$Lang::tr{'fwhost back'}' style='min-width:100px;'>
+                       <input type='hidden' name='ACTION' value='resetgeoipgrp'>
+
+                       </form>
+                       </td></tr></table>
+END
+       &Header::closebox();
+}
 sub addservice
 {
        &error;
@@ -1838,6 +2143,195 @@ sub viewtablegrp
        &Header::closebox();
 }
 
+}
+sub viewtablegeoipgrp
+{
+       # If our filesize is "zero" there is nothing to read-in.
+       if (-z "$configgeoipgrp") {
+               return;
+       }
+
+       &Header::openbox('100%', 'left', $Lang::tr{'fwhost cust geoipgrp'});
+       &General::readhasharray("$configgeoipgrp", \%customgeoipgrp);
+       &General::readhasharray("$fwconfigfwd", \%fwfwd);
+       &General::readhasharray("$fwconfiginp", \%fwinp);
+       &General::readhasharray("$fwconfigout", \%fwout);
+       my @grp=();
+       my $helper='';
+       my $count=1;
+       my $country_code;
+       my $grpname;
+       my $remark;
+       my $number;
+       my $delflag;
+       my @counter;
+       my %hash;
+
+       # If there are no groups we are finished here.
+       if (!keys %customgeoipgrp) {
+               print "<center><b>$Lang::tr{'fwhost err emptytable'}</b>";
+               return;
+       }
+
+       # Put all groups in a hash.
+       foreach my $key (sort { ncmp($customgeoipgrp{$a}[0],$customgeoipgrp{$b}[0]) }
+                        sort { ncmp($customgeoipgrp{$a}[2],$customgeoipgrp{$b}[2]) } keys %customgeoipgrp) {
+                               push (@counter,$customgeoipgrp{$key}[0]);
+       }
+
+       # Increase current used key.
+       foreach my $key1 (@counter) {
+               $hash{$key1}++ ;
+       }
+
+       # Sort hash.
+       foreach my $key (sort { ncmp($customgeoipgrp{$a}[0],$customgeoipgrp{$b}[0]) }
+                        sort { ncmp($customgeoipgrp{$a}[2],$customgeoipgrp{$b}[2]) } keys %customgeoipgrp) {
+               $count++;
+               if ($helper ne $customgeoipgrp{$key}[0]) {
+                       $delflag='0';
+
+                       foreach my $key1 (sort { ncmp($customgeoipgrp{$a}[0],$customgeoipgrp{$b}[0]) }
+                                         sort { ncmp($customgeoipgrp{$a}[2],$customgeoipgrp{$b}[2]) } keys %customgeoipgrp) {
+
+                               if ($customgeoipgrp{$key}[0] eq $customgeoipgrp{$key1}[0])
+                               {
+                                       $delflag++;
+                               }
+                               if($delflag > 1){
+                                       last;
+                               }
+                       }
+
+                       $number=1;
+
+                       # Groupname.
+                       $grpname=$customgeoipgrp{$key}[0];
+
+                       # Group remark.
+                       $remark="$customgeoipgrp{$key}[1]";
+
+                       # Country code.
+                       $country_code="$customgeoipgrp{$key}[2]";
+
+                       if ($count gt 1){
+                               print"</table>";
+                               $count=1;
+                       }
+
+                       # Display groups header.
+                       print "<br><b><u>$grpname</u></b>&nbsp; &nbsp;\n";
+                       print "<b>$Lang::tr{'remark'}:</b>&nbsp $remark &nbsp\n" if ($remark ne '');
+
+                       # Get group count.
+                       my $geoipgrpcount=&getgeoipcount($grpname);
+                       print "<b>$Lang::tr{'used'}:</b> $geoipgrpcount x";
+
+                       # Only display delete icon, if the group is not used by a firewall rule.
+                       if($geoipgrpcount == '0') {
+                               print"<form method='post' style='display:inline'>\n";
+                               print"<input type='image' src='/images/delete.gif' alt='$Lang::tr{'delete'}' title='$Lang::tr{'delete'}' align='right' />\n";
+                               print"<input type='hidden' name='grp_name' value='$grpname' >\n";
+                               print"<input type='hidden' name='ACTION' value='delgeoipgrp'>\n";
+                               print"</form>";
+                       }
+
+                       # Icon for group editing.
+print <<END;
+                       <form method='post' style='display:inline'>
+                               <input type='image' src='/images/edit.gif' alt='$Lang::tr{'edit'}' title='$Lang::tr{'edit'}' align='right'/>
+                               <input type='hidden' name='grp_name' value='$grpname' >
+                               <input type='hidden' name='remark' value='$remark' >
+                               <input type='hidden' name='ACTION' value='editgeoipgrp'>
+                       </form>
+
+                       <table width='100%' cellspacing='0' class='tbl'>
+END
+                       # Display headlines if the group contains any entries.
+                       if ($country_code ne "none") {
+print <<END;
+                               <tr>
+                                       <td width='10%' align='center'>
+                                               <b>$Lang::tr{'flag'}</b>
+                                       </td>
+
+                                       <td width='10%'align='center'>
+                                               <b>$Lang::tr{'countrycode'}</b>
+                                       </td>
+
+                                       <td width='70%'align='left'>
+                                               <b>$Lang::tr{'country'}</b>
+                                       </td>
+
+                                       <td width='10%' align='right'></td>
+                               </tr>
+END
+                       }
+               }
+
+               # Check if our group contains any entries.
+               if ($country_code eq "none") {
+                       print "<tr><td>$Lang::tr{'fwhost err emptytable'}</td></tr>\n";
+               } else {
+                       # Check if we are currently editing a group and assign column backgound colors.
+                       my $col='';
+                       if ( ($fwhostsettings{'ACTION'} eq 'editgeoipgrp' || $fwhostsettings{'update'} ne '')
+                               && $fwhostsettings{'grp_name'} eq $customgeoipgrp{$key}[0]) {
+                               $col="bgcolor='${Header::colouryellow}'";
+                       } elsif ($count %2 == 0){
+                               $col="bgcolor='$color{'color20'}'";
+                       } else {
+                               $col="bgcolor='$color{'color22'}'";
+                       }
+
+                       # Get country flag.
+                       my $icon = &GeoIP::get_flag_icon($customgeoipgrp{$key}[2]);
+
+                       # Print column with flag icon.
+                       my $col_content;
+                       if ($icon) {
+                               $col_content = "<img src='$icon' alt='$customgeoipgrp{$key}[2]' title='$customgeoipgrp{$key}[2]'>";
+                       } else {
+                               $col_content = "<b>N/A</b>";
+                       }
+
+                       print "<td align='center' $col>$col_content</td>\n";
+
+                       # Print column with country code.
+                       print "<td align='center' $col>$customgeoipgrp{$key}[2]</td>\n";
+
+                       # Print column with full country name.
+                       my $country_name = &GeoIP::get_full_country_name($customgeoipgrp{$key}[2]);
+                       print "<td align='left' $col>$country_name</td>\n";
+
+                       # Generate from for removing entries from a group.
+                       print "<td align='right' width='1%' $col><form method='post'>\n";
+
+                       if ($delflag > 0){
+                               print"<input type='image' src='/images/delete.gif' align='middle' alt='$Lang::tr{'delete'}' title='$Lang::tr{'delete'}'/>\n";
+
+                               # Check if this group only has a single entry.
+                               foreach my $key2 (keys %hash) {
+                                       if ($hash{$key2}<2 && $key2 eq $customgeoipgrp{$key}[0]){
+                                               print "<input type='hidden' name='last' value='on'>"  ;
+                                       }
+                               }
+                       }
+
+                       print "<input type='hidden' name='ACTION' value='deletegeoipgrpentry'>\n";
+                       print "<input type='hidden' name='update' value='$fwhostsettings{'update'}'>\n";
+                       print "<input type='hidden' name='delentry' value='$grpname,$remark,$customgeoipgrp{$key}[2],$customgeoipgrp{$key}[3]'>\n";
+                       print "</form>\n";
+                       print "</td>\n";
+                       print "</tr>\n";
+               }
+
+               $helper=$customgeoipgrp{$key}[0];
+               $number++;
+       }
+
+       print"</table>\n";
+       &Header::closebox();
 }
 sub viewtableservice
 {
@@ -2196,6 +2690,44 @@ sub gethostcount
        }
        return $srvcounter;
 }
+sub getgeoipcount
+{
+       my $groupname=shift;
+       my $counter=0;
+
+       # GeoIP groups are stored as "group:groupname" in the
+       # firewall settings files.
+       my $searchstring = join(':', "group",$groupname);
+
+       # Count services used in firewall - forward
+       foreach my $key1 (keys %fwfwd) {
+               if($fwfwd{$key1}[4] eq $searchstring){
+                       $counter++;
+               }
+               if($fwfwd{$key1}[6] eq $searchstring){
+                       $counter++;
+               }
+       }
+       #Count services used in firewall - input
+       foreach my $key2 (keys %fwinp) {
+               if($fwinp{$key2}[4] eq $searchstring){
+                       $counter++;
+               }
+               if($fwinp{$key2}[6] eq $searchstring){
+                       $counter++;
+               }
+       }
+       #Count services used in firewall - outgoing
+       foreach my $key3 (keys %fwout) {
+               if($fwout{$key3}[4] eq $searchstring){
+                       $counter++;
+               }
+               if($fwout{$key3}[6] eq $searchstring){
+                       $counter++;
+               }
+       }
+       return $counter;
+}
 sub getnetcount
 {
        my $searchstring=shift;
diff --git a/html/cgi-bin/geoip-block.cgi b/html/cgi-bin/geoip-block.cgi
new file mode 100644 (file)
index 0000000..ccbfa92
--- /dev/null
@@ -0,0 +1,263 @@
+#!/usr/bin/perl
+###############################################################################
+#                                                                             #
+# IPFire.org - A linux based firewall                                         #
+# Copyright (C) 2014 IPFire Developemnt Team <info@ipfire.org>                #
+#                                                                             #
+# This program is free software: you can redistribute it and/or modify        #
+# it under the terms of the GNU General Public License as published by        #
+# the Free Software Foundation, either version 3 of the License, or           #
+# (at your option) any later version.                                         #
+#                                                                             #
+# This program is distributed in the hope that it will be useful,             #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
+# GNU General Public License for more details.                                #
+#                                                                             #
+# You should have received a copy of the GNU General Public License           #
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
+#                                                                             #
+###############################################################################
+
+use strict;
+# enable only the following on debugging purpose
+#use warnings;
+#use CGI::Carp 'fatalsToBrowser';
+
+require '/var/ipfire/general-functions.pl';
+require "${General::swroot}/geoip-functions.pl";
+require "${General::swroot}/lang.pl";
+require "${General::swroot}/header.pl";
+require "/usr/lib/firewall/firewall-lib.pl";
+
+my $notice;
+my $settingsfile = "${General::swroot}/firewall/geoipblock";
+
+my %color = ();
+my %mainsettings = ();
+my %settings = ();
+my %cgiparams = ();
+
+# Read configuration file.
+&General::readhash("$settingsfile", \%settings);
+
+&General::readhash("${General::swroot}/main/settings", \%mainsettings);
+&General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color);
+
+&Header::showhttpheaders();
+
+#Get GUI values
+&Header::getcgihash(\%cgiparams);
+
+# Call subfunction to get all available locations.
+my @locations = &fwlib::get_geoip_locations();
+
+if ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) {
+       # Check if we want to disable geoipblock.
+       if (exists $cgiparams{'GEOIPBLOCK_ENABLED'}) {
+               $settings{'GEOIPBLOCK_ENABLED'} = "on";
+       } else {
+               $settings{'GEOIPBLOCK_ENABLED'} = "off";
+       }
+
+       # Loop through our locations array to prevent from
+       # non existing countries or code.
+       foreach my $cn (@locations) {
+               # Check if blocking for this country should be enabled/disabled.
+               if (exists $cgiparams{$cn}) {
+                       $settings{$cn} = "on";
+               } else {
+                       $settings{$cn} = "off";
+               }
+       }
+
+       &General::writehash("$settingsfile", \%settings);
+
+       # Mark the firewall config as changed.
+       &General::firewall_config_changed();
+
+       # Assign reload notice. We directly can use
+       # the notice from p2p block.
+       $notice = $Lang::tr{'p2p block save notice'};
+}
+
+&Header::openpage($Lang::tr{'geoipblock configuration'}, 1, '');
+
+# Print notice that a firewall reload is required.
+if ($notice) {
+       &Header::openbox('100%', 'left', $Lang::tr{'notice'});
+       print "<font class='base'>$notice</font>";
+       &Header::closebox();
+}
+
+# Checkbox pre-selection.
+my $checked;
+if ($settings{'GEOIPBLOCK_ENABLED'} eq "on") {
+       $checked = "checked='checked'";
+}
+
+# Print box to enable/disable geoipblock.
+print"<form method='POST' action='$ENV{'SCRIPT_NAME'}'>\n";
+
+&Header::openbox('100%', 'center', $Lang::tr{'geoipblock'});
+print <<END;
+       <table width='95%'>
+               <tr>
+                       <td width='25%' class='base'>$Lang::tr{'geoipblock enable feature'}
+                       <td><input type='checkbox' name='GEOIPBLOCK_ENABLED' $checked></td>
+               </tr>
+               <tr>
+                       <td colspan='2'><br></td>
+               </tr>
+       </table>
+
+       <hr>
+
+       <table width='95%'>
+               <tr>
+                       <td align='center'><input type='submit' name='ACTION' value='$Lang::tr{'save'}'></td>
+               </tr>
+       </table>
+END
+
+&Header::closebox();
+
+&Header::openbox('100%', 'center', $Lang::tr{'geoipblock block countries'});
+### JAVA SCRIPT ###
+print <<END;
+<script>
+       // Function to allow checking all checkboxes at once.
+       function check_all() {
+               \$("#countries").find(":checkbox").prop("checked", true);
+       }
+
+       function uncheck_all() {
+               \$("#countries").find(":checkbox").prop("checked", false);
+       }
+</script>
+
+<table width='95%' class='tbl' id="countries">
+       <tr>
+               <td width='5%' align='center' bgcolor='$color{'color20'}'></td>
+               <td width='5%' align='center' bgcolor='$color{'color20'}'>
+                       <b>$Lang::tr{'flag'}</b>
+               </td>
+               <td width='5%' align='center' bgcolor='$color{'color20'}'>
+                       <b>$Lang::tr{'countrycode'}</b>
+               </td>
+               <td with='35%' align='left' bgcolor='$color{'color20'}'>
+                       <b>$Lang::tr{'country'}</b>
+               </td>
+
+               <td width='5%' bgcolor='$color{'color20'}'>&nbsp;</td>
+
+               <td width='5%' align='center' bgcolor='$color{'color20'}'></td>
+               <td width='5%' align='center' bgcolor='$color{'color20'}'>
+                       <b>$Lang::tr{'flag'}</b>
+               </td>
+               <td width='5%' align='center' bgcolor='$color{'color20'}'>
+                       <b>$Lang::tr{'countrycode'}</b>
+               </td>
+               <td with='35%' align='left' bgcolor='$color{'color20'}'>
+                       <b>$Lang::tr{'country'}</b>
+               </td>
+       </tr>
+END
+
+my $lines;
+my $lines2;
+my $col;
+foreach my $location (@locations) {
+       # Country code in upper case. (DE)
+       my $ccode_uc = $location;
+
+       # County code in lower case. (de)
+       my $ccode_lc = lc($location);
+
+       # Full name of the country based on the country code.
+       my $cname = &GeoIP::get_full_country_name($ccode_lc);
+
+       # Get flag icon for of the country.
+       my $flag_icon = &GeoIP::get_flag_icon($ccode_uc);
+
+       my $flag;
+       # Check if a flag for the country is available.
+       if ($flag_icon) {
+               $flag="<img src='$flag_icon' alt='$ccode_uc' title='$ccode_uc'>";
+       } else {
+               $flag="<b>N/A</b>";
+       }
+
+       # Checkbox pre-selection.
+       my $checked;
+       if ($settings{$ccode_uc} eq "on") {
+               $checked = "checked='checked'";
+       }
+
+       # Colour lines.
+       if ($lines % 2) {
+               $col="bgcolor='$color{'color20'}'";
+       } else {
+               $col="bgcolor='$color{'color22'}'";
+       }
+
+       # Grouping elements.
+       my $line_start;
+       my $line_end;
+       if ($lines2 % 2) {
+               # Increase lines (background color by once.
+               $lines++;
+
+               # Add empty column in front.
+               $line_start="<td $col>&nbsp;</td>";
+
+               # When the line number can be diveded by "2",
+               # we are going to close the line.
+               $line_end="</tr>";
+       } else {
+               # When the line number is  not divideable by "2",
+               # we are starting a new line.
+               $line_start="<tr>";
+               $line_end;
+       }
+
+       print "$line_start<td align='center' $col><input type='checkbox' name='$ccode_uc' $checked></td>\n";
+       print "<td align='center' $col>$flag</td>\n";
+       print "<td align='center' $col>$ccode_uc</td>\n";
+       print "<td align='left' $col>$cname</td>$line_end\n";
+                       
+$lines2++;
+}
+
+print <<END;
+</table>
+
+<table width='95%'>
+       <tr>
+               <td align='right'>
+                       <a href="javascript:check_all()">$Lang::tr{'check all'}</a> /
+                       <a href="javascript:uncheck_all()">$Lang::tr{'uncheck all'}</a>
+               </td>
+       </tr>
+       <tr>
+               <td align='center'><input type='submit' name='ACTION' value='$Lang::tr{'save'}'></td>
+       </tr>
+</table>
+
+<hr>
+
+<table width='70%'>
+       <tr>
+               <td width='5%'><img src='/images/on.gif'></td>
+               <td>$Lang::tr{'geoipblock country is blocked'}</td>
+               <td width='5%'><img src='/images/off.gif'></td>
+               <td>$Lang::tr{'geoipblock country is allowed'}</td>
+       </tr>
+</table>
+END
+
+&Header::closebox();
+print"</form>\n";
+
+&Header::closebigbox();
+&Header::closepage();
index 53adeac..eafbdb1 100644 (file)
@@ -301,7 +301,7 @@ END
                print '</td>';
                print '</tr>';
        }
-if ( $netsettings{'BLUE_DEV'} ) {
+if (&Header::blue_used()) {
                my $sub=&General::iporsubtocidr($netsettings{'BLUE_NETMASK'});
                print <<END;
                <tr>
@@ -318,7 +318,7 @@ END
                print '</td>';
                print '</tr>';
        }
-if ( $netsettings{'ORANGE_DEV'} ) {
+if (&Header::orange_used()) {
                my $sub=&General::iporsubtocidr($netsettings{'ORANGE_NETMASK'});
                print <<END;
                <tr>
index 6bf7b2b..fb52e68 100644 (file)
@@ -2346,7 +2346,9 @@ else
        &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
 
        if ($confighash{$cgiparams{'KEY'}}) {
+               # Revoke certificate if certificate was deleted and rewrite the CRL
                my $temp = `/usr/bin/openssl ca -revoke ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem -config ${General::swroot}/ovpn/openssl/ovpn.cnf`;
+               my $tempA = `/usr/bin/openssl ca -gencrl -out ${General::swroot}/ovpn/crls/cacrl.pem -config ${General::swroot}/ovpn/openssl/ovpn.cnf`;
 
 ###
 # m.a.d net2net
index 228b5d4..e00bc5f 100644 (file)
@@ -20,7 +20,7 @@
 ###############################################################################
 
 use strict;
-use Locale::Country;
+use Locale::Codes::Country;
 
 # enable only the following on debugging purpose
 use warnings;
@@ -323,9 +323,9 @@ END
                                                <option value=''>- $Lang::tr{'tor exit country any'} -</option>
 END
 
-               my @country_names = Locale::Country::all_country_names();
+               my @country_names = Locale::Codes::Country::all_country_names();
                foreach my $country_name (sort @country_names) {
-                       my $country_code = Locale::Country::country2code($country_name);
+                       my $country_code = Locale::Codes::Country::country2code($country_name);
                        $country_code = uc($country_code);
                        print "<option value='$country_code'";
 
index b0041ef..0d23d0d 100644 (file)
@@ -310,67 +310,33 @@ sub writeipsecfiles {
 
        # Algorithms
        if ($lconfighash{$key}[18] && $lconfighash{$key}[19] && $lconfighash{$key}[20]) {
-           print CONF "\tike=";
-           my @encs   = split('\|', $lconfighash{$key}[18]);
-           my @ints   = split('\|', $lconfighash{$key}[19]);
-           my @groups = split('\|', $lconfighash{$key}[20]);
-           my $comma = 0;
-           foreach my $i (@encs) {
-               foreach my $j (@ints) {
-                   foreach my $k (@groups) {
-                       if ($comma != 0) { print CONF ","; } else { $comma = 1; }
-
-                       my @l = split("", $k);
-                       if ($l[0] eq "e") {
-                           shift @l;
-                           print CONF "$i-$j-ecp".join("", @l);
-                       } else {
-                           print CONF "$i-$j-modp$k";
-                       }
-                   }
-               }
-           }
-           if ($lconfighash{$key}[24] eq 'on') {       #only proposed algorythms?
-               print CONF "!\n";
-           } else {
-               print CONF "\n";
-           }
+               my @encs   = split('\|', $lconfighash{$key}[18]);
+               my @ints   = split('\|', $lconfighash{$key}[19]);
+               my @groups = split('\|', $lconfighash{$key}[20]);
+
+               my @algos = &make_algos("ike", \@encs, \@ints, \@groups, 1);
+               print CONF "\tike=" . join(",", @algos);
+
+               if ($lconfighash{$key}[24] eq 'on') {   #only proposed algorythms?
+                       print CONF "!\n";
+               } else {
+                       print CONF "\n";
+               }
        }
+
        if ($lconfighash{$key}[21] && $lconfighash{$key}[22]) {
-           print CONF "\tesp=";
-           my @encs   = split('\|', $lconfighash{$key}[21]);
-           my @ints   = split('\|', $lconfighash{$key}[22]);
-           my @groups = split('\|', $lconfighash{$key}[20]);
-           my $comma = 0;
-           foreach my $i (@encs) {
-               foreach my $j (@ints) {
-                       my $modp = "";
-                       if ($pfs eq "on") {
-                               foreach my $k (@groups) {
-                                   if ($comma != 0) { print CONF ","; } else { $comma = 1; }
-                                   if ($pfs eq "on") {
-                                       my @l = split("", $k);
-                                       if ($l[0] eq "e") {
-                                               $modp = "";
-                                       } else {
-                                               $modp = "-modp$k";
-                                       }
-                                   } else {
-                                       $modp = "";
-                                   }
-                                   print CONF "$i-$j$modp";
-                               }
-                       } else {
-                               if ($comma != 0) { print CONF ","; } else { $comma = 1; }
-                               print CONF "$i-$j";
-                       }
+               my @encs   = split('\|', $lconfighash{$key}[21]);
+               my @ints   = split('\|', $lconfighash{$key}[22]);
+               my @groups = split('\|', $lconfighash{$key}[20]);
+
+               my @algos = &make_algos("esp", \@encs, \@ints, \@groups, ($pfs eq "on"));
+               print CONF "\tesp=" . join(",", @algos);
+
+               if ($lconfighash{$key}[24] eq 'on') {   #only proposed algorythms?
+                       print CONF "!\n";
+               } else {
+                       print CONF "\n";
                }
-           }
-           if ($lconfighash{$key}[24] eq 'on') {       #only proposed algorythms?
-               print CONF "!\n";
-           } else {
-               print CONF "\n";
-           }
        }
 
        # IKE V1 or V2
@@ -435,6 +401,10 @@ sub writeipsecfiles {
        } else {
            print CONF "\tauto=start\n";
        }
+
+       # Fragmentation
+       print CONF "\tfragmentation=yes\n";
+
        print CONF "\n";
     }#foreach key
     print SECRETS $last_secrets if ($last_secrets);
@@ -1673,7 +1643,7 @@ END
            (my $city = $cgiparams{'CERT_CITY'}) =~ s/^\s*$/\./;
            (my $state = $cgiparams{'CERT_STATE'}) =~ s/^\s*$/\./;
 
-           # Create the Host certificate request
+           # Create the Client certificate request
            &General::log("ipsec", "Creating a cert...");
 
            if (open(STDIN, "-|")) {
@@ -1700,7 +1670,7 @@ END
                exit (0);
            }
            
-           # Sign the host certificate request
+           # Sign the client certificate request
            &General::log("ipsec", "Signing the cert $cgiparams{'NAME'}...");
 
            #No easy way for specifying the contain of subjectAltName without writing a config file...
@@ -1709,6 +1679,7 @@ END
            basicConstraints=CA:FALSE
            nsComment="OpenSSL Generated Certificate"
            subjectKeyIdentifier=hash
+           extendedKeyUsage=clientAuth
            authorityKeyIdentifier=keyid,issuer:always
 END
 ;
@@ -1878,11 +1849,11 @@ END
        $cgiparams{'REMOTE_ID'} = '';
 
        #use default advanced value
-       $cgiparams{'IKE_ENCRYPTION'} = 'aes256|aes192|aes128|aes256gcm128|aes192gcm128|aes128gcm128|aes256gcm96|aes192gcm96|aes128gcm96|aes256gcm64|aes192gcm64|aes128gcm64';   #[18];
+       $cgiparams{'IKE_ENCRYPTION'} = 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128';   #[18];
        $cgiparams{'IKE_INTEGRITY'}  = 'sha2_512|sha2_256|sha'; #[19];
        $cgiparams{'IKE_GROUPTYPE'}  = '4096|3072|2048|1536|1024';              #[20];
        $cgiparams{'IKE_LIFETIME'}   = '3';             #[16];
-       $cgiparams{'ESP_ENCRYPTION'} = 'aes256|aes192|aes128|aes256gcm128|aes192gcm128|aes128gcm128|aes256gcm96|aes192gcm96|aes128gcm96|aes256gcm64|aes192gcm64|aes128gcm64';   #[21];
+       $cgiparams{'ESP_ENCRYPTION'} = 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128';   #[21];
        $cgiparams{'ESP_INTEGRITY'}  = 'sha2_512|sha2_256|sha1';        #[22];
        $cgiparams{'ESP_GROUPTYPE'}  = '';              #[23];
        $cgiparams{'ESP_KEYLIFE'}    = '1';             #[17];
@@ -2416,42 +2387,42 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
                        <td class='boldbase' width="15%">$Lang::tr{'encryption'}</td>
                        <td class='boldbase'>
                                <select name='IKE_ENCRYPTION' multiple='multiple' size='6' style='width: 100%'>
-                                       <option value='aes256' $checked{'IKE_ENCRYPTION'}{'aes256'}>256 bit AES-CBC</option>
-                                       <option value='aes192' $checked{'IKE_ENCRYPTION'}{'aes192'}>192 bit AES-CBC</option>
-                                       <option value='aes128' $checked{'IKE_ENCRYPTION'}{'aes128'}>128 bit AES-CBC</option>
                                        <option value='aes256gcm128' $checked{'IKE_ENCRYPTION'}{'aes256gcm128'}>256 bit AES-GCM/128 bit ICV</option>
-                                       <option value='aes192gcm128' $checked{'IKE_ENCRYPTION'}{'aes192gcm128'}>192 bit AES-GCM/128 bit ICV</option>
-                                       <option value='aes128gcm128' $checked{'IKE_ENCRYPTION'}{'aes128gcm128'}>128 bit AES-GCM/128 bit ICV</option>
                                        <option value='aes256gcm96' $checked{'IKE_ENCRYPTION'}{'aes256gcm96'}>256 bit AES-GCM/96 bit ICV</option>
-                                       <option value='aes192gcm96' $checked{'IKE_ENCRYPTION'}{'aes192gcm96'}>192 bit AES-GCM/96 bit ICV</option>
-                                       <option value='aes128gcm96' $checked{'IKE_ENCRYPTION'}{'aes128gcm96'}>128 bit AES-GCM/96 bit ICV</option>
                                        <option value='aes256gcm64' $checked{'IKE_ENCRYPTION'}{'aes256gcm64'}>256 bit AES-GCM/64 bit ICV</option>
-                                       <option value='aes192gcm64' $checked{'IKE_ENCRYPTION'}{'aes192gcm64'}>192 bit AES-GCM/64 bit ICV</option>
-                                       <option value='aes128gcm64' $checked{'IKE_ENCRYPTION'}{'aes128gcm64'}>128 bit AES-GCM/64 bit ICV</option>
-                                       <option value='3des' $checked{'IKE_ENCRYPTION'}{'3des'}>168 bit 3DES-EDE-CBC</option>
+                                       <option value='aes256' $checked{'IKE_ENCRYPTION'}{'aes256'}>256 bit AES-CBC</option>
                                        <option value='camellia256' $checked{'IKE_ENCRYPTION'}{'camellia256'}>256 bit Camellia-CBC</option>
+                                       <option value='aes192gcm128' $checked{'IKE_ENCRYPTION'}{'aes192gcm128'}>192 bit AES-GCM/128 bit ICV</option>
+                                       <option value='aes192gcm96' $checked{'IKE_ENCRYPTION'}{'aes192gcm96'}>192 bit AES-GCM/96 bit ICV</option>
+                                       <option value='aes192gcm64' $checked{'IKE_ENCRYPTION'}{'aes192gcm64'}>192 bit AES-GCM/64 bit ICV</option>
+                                       <option value='aes192' $checked{'IKE_ENCRYPTION'}{'aes192'}>192 bit AES-CBC</option>
                                        <option value='camellia192' $checked{'IKE_ENCRYPTION'}{'camellia192'}>192 bit Camellia-CBC</option>
+                                       <option value='aes128gcm128' $checked{'IKE_ENCRYPTION'}{'aes128gcm128'}>128 bit AES-GCM/128 bit ICV</option>
+                                       <option value='aes128gcm96' $checked{'IKE_ENCRYPTION'}{'aes128gcm96'}>128 bit AES-GCM/96 bit ICV</option>
+                                       <option value='aes128gcm64' $checked{'IKE_ENCRYPTION'}{'aes128gcm64'}>128 bit AES-GCM/64 bit ICV</option>
+                                       <option value='aes128' $checked{'IKE_ENCRYPTION'}{'aes128'}>128 bit AES-CBC</option>
                                        <option value='camellia128' $checked{'IKE_ENCRYPTION'}{'camellia128'}>128 bit Camellia-CBC</option>
+                                       <option value='3des' $checked{'IKE_ENCRYPTION'}{'3des'}>168 bit 3DES-EDE-CBC</option>
                                </select>
                        </td>
                        <td class='boldbase'>
                                <select name='ESP_ENCRYPTION' multiple='multiple' size='6' style='width: 100%'>
-                                       <option value='aes256' $checked{'ESP_ENCRYPTION'}{'aes256'}>256 bit AES-CBC</option>
-                                       <option value='aes192' $checked{'ESP_ENCRYPTION'}{'aes192'}>192 bit AES-CBC</option>
-                                       <option value='aes128' $checked{'ESP_ENCRYPTION'}{'aes128'}>128 bit AES-CBC</option>
                                        <option value='aes256gcm128' $checked{'ESP_ENCRYPTION'}{'aes256gcm128'}>256 bit AES-GCM/128 bit ICV</option>
-                                       <option value='aes192gcm128' $checked{'ESP_ENCRYPTION'}{'aes192gcm128'}>192 bit AES-GCM/128 bit ICV</option>
-                                       <option value='aes128gcm128' $checked{'ESP_ENCRYPTION'}{'aes128gcm128'}>128 bit AES-GCM/128 bit ICV</option>
                                        <option value='aes256gcm96' $checked{'ESP_ENCRYPTION'}{'aes256gcm96'}>256 bit AES-GCM/96 bit ICV</option>
-                                       <option value='aes192gcm96' $checked{'ESP_ENCRYPTION'}{'aes192gcm96'}>192 bit AES-GCM/96 bit ICV</option>
-                                       <option value='aes128gcm96' $checked{'ESP_ENCRYPTION'}{'aes128gcm96'}>128 bit AES-GCM/96 bit ICV</option>
                                        <option value='aes256gcm64' $checked{'ESP_ENCRYPTION'}{'aes256gcm64'}>256 bit AES-GCM/64 bit ICV</option>
-                                       <option value='aes192gcm64' $checked{'ESP_ENCRYPTION'}{'aes192gcm64'}>192 bit AES-GCM/64 bit ICV</option>
-                                       <option value='aes128gcm64' $checked{'ESP_ENCRYPTION'}{'aes128gcm64'}>128 bit AES-GCM/64 bit ICV</option>
-                                       <option value='3des' $checked{'ESP_ENCRYPTION'}{'3des'}>168 bit 3DES-EDE-CBC</option>
+                                       <option value='aes256' $checked{'ESP_ENCRYPTION'}{'aes256'}>256 bit AES-CBC</option>
                                        <option value='camellia256' $checked{'ESP_ENCRYPTION'}{'camellia256'}>256 bit Camellia-CBC</option>
+                                       <option value='aes192gcm128' $checked{'ESP_ENCRYPTION'}{'aes192gcm128'}>192 bit AES-GCM/128 bit ICV</option>
+                                       <option value='aes192gcm96' $checked{'ESP_ENCRYPTION'}{'aes192gcm96'}>192 bit AES-GCM/96 bit ICV</option>
+                                       <option value='aes192gcm64' $checked{'ESP_ENCRYPTION'}{'aes192gcm64'}>192 bit AES-GCM/64 bit ICV</option>
+                                       <option value='aes192' $checked{'ESP_ENCRYPTION'}{'aes192'}>192 bit AES-CBC</option>
                                        <option value='camellia192' $checked{'ESP_ENCRYPTION'}{'camellia192'}>192 bit Camellia-CBC</option>
+                                       <option value='aes128gcm128' $checked{'ESP_ENCRYPTION'}{'aes128gcm128'}>128 bit AES-GCM/128 bit ICV</option>
+                                       <option value='aes128gcm96' $checked{'ESP_ENCRYPTION'}{'aes128gcm96'}>128 bit AES-GCM/96 bit ICV</option>
+                                       <option value='aes128gcm64' $checked{'ESP_ENCRYPTION'}{'aes128gcm64'}>128 bit AES-GCM/64 bit ICV</option>
+                                       <option value='aes128' $checked{'ESP_ENCRYPTION'}{'aes128'}>128 bit AES-CBC</option>
                                        <option value='camellia128' $checked{'ESP_ENCRYPTION'}{'camellia128'}>128 bit Camellia-CBC</option>
+                                       <option value='3des' $checked{'ESP_ENCRYPTION'}{'3des'}>168 bit 3DES-EDE-CBC</option>
                                </select>
                        </td>
                </tr>
@@ -2463,9 +2434,9 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
                                        <option value='sha2_512' $checked{'IKE_INTEGRITY'}{'sha2_512'}>SHA2 512 bit</option>
                                        <option value='sha2_384' $checked{'IKE_INTEGRITY'}{'sha2_384'}>SHA2 384 bit</option>
                                        <option value='sha2_256' $checked{'IKE_INTEGRITY'}{'sha2_256'}>SHA2 256 bit</option>
+                                       <option value='aesxcbc' $checked{'IKE_INTEGRITY'}{'aesxcbc'}>AES XCBC</option>
                                        <option value='sha' $checked{'IKE_INTEGRITY'}{'sha'}>SHA1</option>
                                        <option value='md5' $checked{'IKE_INTEGRITY'}{'md5'}>MD5</option>
-                                       <option value='aesxcbc' $checked{'IKE_INTEGRITY'}{'aesxcbc'}>AES XCBC</option>
                                </select>
                        </td>
                        <td class='boldbase'>
@@ -2473,9 +2444,9 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
                                        <option value='sha2_512' $checked{'ESP_INTEGRITY'}{'sha2_512'}>SHA2 512 bit</option>
                                        <option value='sha2_384' $checked{'ESP_INTEGRITY'}{'sha2_384'}>SHA2 384 bit</option>
                                        <option value='sha2_256' $checked{'ESP_INTEGRITY'}{'sha2_256'}>SHA2 256 bit</option>
+                                       <option value='aesxcbc' $checked{'ESP_INTEGRITY'}{'aesxcbc'}>AES XCBC</option>
                                        <option value='sha1' $checked{'ESP_INTEGRITY'}{'sha1'}>SHA1</option>
                                        <option value='md5' $checked{'ESP_INTEGRITY'}{'md5'}>MD5</option>
-                                       <option value='aesxcbc' $checked{'ESP_INTEGRITY'}{'aesxcbc'}>AES XCBC</option>
                                </select>
                        </td>
                </tr>
@@ -2493,14 +2464,14 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
                        <td class='boldbase'>
                                <select name='IKE_GROUPTYPE' multiple='multiple' size='6' style='width: 100%'>
                                        <option value='e521' $checked{'IKE_GROUPTYPE'}{'e521'}>ECP-521 (NIST)</option>
-                                       <option value='e384' $checked{'IKE_GROUPTYPE'}{'e384'}>ECP-384 (NIST)</option>
-                                       <option value='e256' $checked{'IKE_GROUPTYPE'}{'e256'}>ECP-256 (NIST)</option>
-                                       <option value='e224' $checked{'IKE_GROUPTYPE'}{'e224'}>ECP-224 (NIST)</option>
-                                       <option value='e192' $checked{'IKE_GROUPTYPE'}{'e192'}>ECP-192 (NIST)</option>
                                        <option value='e512bp' $checked{'IKE_GROUPTYPE'}{'e512bp'}>ECP-512 (Brainpool)</option>
+                                       <option value='e384' $checked{'IKE_GROUPTYPE'}{'e384'}>ECP-384 (NIST)</option>
                                        <option value='e384bp' $checked{'IKE_GROUPTYPE'}{'e384bp'}>ECP-384 (Brainpool)</option>
+                                       <option value='e256' $checked{'IKE_GROUPTYPE'}{'e256'}>ECP-256 (NIST)</option>
                                        <option value='e256bp' $checked{'IKE_GROUPTYPE'}{'e256bp'}>ECP-256 (Brainpool)</option>
+                                       <option value='e224' $checked{'IKE_GROUPTYPE'}{'e224'}>ECP-224 (NIST)</option>
                                        <option value='e224bp' $checked{'IKE_GROUPTYPE'}{'e224bp'}>ECP-224 (Brainpool)</option>
+                                       <option value='e192' $checked{'IKE_GROUPTYPE'}{'e192'}>ECP-192 (NIST)</option>
                                        <option value='8192' $checked{'IKE_GROUPTYPE'}{'8192'}>MODP-8192</option>
                                        <option value='6144' $checked{'IKE_GROUPTYPE'}{'6144'}>MODP-6144</option>
                                        <option value='4096' $checked{'IKE_GROUPTYPE'}{'4096'}>MODP-4096</option>
@@ -3020,3 +2991,56 @@ END
     &Header::closebox();
     &Header::closebigbox();
     &Header::closepage();
+
+sub array_unique($) {
+       my $array = shift;
+       my @unique = ();
+
+       my %seen = ();
+       foreach my $e (@$array) {
+               next if $seen{$e}++;
+               push(@unique, $e);
+       }
+
+       return @unique;
+}
+
+sub make_algos($$$$$) {
+       my ($mode, $encs, $ints, $grps, $pfs) = @_;
+       my @algos = ();
+
+       foreach my $enc (@$encs) {
+               foreach my $int (@$ints) {
+                       foreach my $grp (@$grps) {
+                               my @algo = ($enc);
+
+                               if ($mode eq "ike") {
+                                       push(@algo, $int);
+
+                                       if ($grp =~ m/^e(\d+)/) {
+                                               push(@algo, "ecp$1");
+                                       } else {
+                                               push(@algo, "modp$grp");
+                                       }
+
+                               } elsif ($mode eq "esp" && $pfs) {
+                                       my $is_aead = ($enc =~ m/[cg]cm/);
+
+                                       if (!$is_aead) {
+                                               push(@algo, $int);
+                                       }
+
+                                       if ($grp =~ m/^e\d+/) {
+                                               push(@algo, $grp);
+                                       } else {
+                                               push(@algo, "modp$grp");
+                                       }
+                               }
+
+                               push(@algos, join("-", @algo));
+                       }
+               }
+       }
+
+       return &array_unique(\@algos);
+}
index e7140cd..cc4b3c9 100644 (file)
@@ -366,6 +366,10 @@ min-width: 2.0em;
 max-width: 2.5em;
 }
 
+table.fw-nat tbody tr td {
+       height: 2.25em;
+}
+
 /* LAYOUT - 3 COLUMNS */
 
        /* Primary content */
index d2c458e..288a0fe 100644 (file)
@@ -343,6 +343,10 @@ min-width: 2.0em;
 max-width: 2.5em;
 }
 
+table.fw-nat tbody tr td {
+       height: 2.25em;
+}
+
 /* LAYOUT - 3 COLUMNS */
 
        /* Primary content */
index 0e990d6..e0ac3cd 100644 (file)
@@ -324,3 +324,7 @@ table {
 .tbl tr:last-child td {
        border-bottom: 1px solid lightgrey;
 }
+
+table.fw-nat tbody tr td {
+       height: 2.25em;
+}
index eca34cb..3cb2741 100644 (file)
@@ -372,6 +372,10 @@ min-width: 2.0em;
 max-width: 2.5em;
 }
 
+table.fw-nat tbody tr td {
+       height: 2.25em;
+}
+
 /* LAYOUT - 3 COLUMNS */
 
        /* Primary content */
index fe4a200..e295412 100644 (file)
 'bit' => 'Bit',
 'bitrate' => 'Bitrate',
 'bleeding rules' => 'Bleeding Edge Snort Rules',
+'block' => 'Blocken',
 'blue' => 'BLAU',
 'blue access' => 'Zugriff auf Blau',
 'blue access use hint' => 'Sie müssen mindestens die MAC- oder die IP-Adresse für ein Gerät angeben. Optional können Sie sowohl MAC- als auch IP-Adresse angeben.',
 'chain' => 'Verknüpfung',
 'change passwords' => 'Passwörter&nbsp;ändern',
 'change share' => 'Freigabeeinstellungen ändern',
+'check all' => 'Alle auswählen',
 'check for net traffic update' => 'Prüfe auf Net-Traffic-Updates',
 'check vpn lr' => 'Überprüfen',
 'choose config' => 'Konfiguration auswählen',
 'fwhost OpenVPN static host' => 'OpenVPN statischer Host',
 'fwhost OpenVPN static network' => 'OpenVPN statisches Netzwerk',
 'fwhost Standard Network' => 'Standard-Netzwerk',
+'fwhost addgeoipgrp' => 'Neue GeoIP-Gruppe hinzufügen',
 'fwhost addgrp' => 'Neue Gruppe hinzufügen',
 'fwhost addgrpname' => 'Gruppenname:',
 'fwhost addhost' => 'Neuen Host hinzufügen',
 'fwhost change' => 'Ändern',
 'fwhost changeremark' => 'Es wurde nur die Bemerkung angepasst.',
 'fwhost cust addr' => 'Hosts',
+'fwhost cust geoip' => 'GeoIP-Gruppen',
+'fwhost cust geoipgroup' => 'GeoIP-Gruppen',
+'fwhost cust geoiplocation' => 'GeoIP Ländercodes',
 'fwhost cust grp' => 'Gruppen',
 'fwhost cust net' => 'Netzwerke',
 'fwhost cust service' => 'Dienste',
 'fwhost ipsec net' => 'IPsec-Netzwerke:',
 'fwhost menu' => 'Firewallgruppen',
 'fwhost netaddress' => 'Netzwerkadresse',
+'fwhost newgeoipgrp' => 'GeoIP-Gruppen',
 'fwhost newgrp' => 'Netzwerk-/Hostgruppen',
 'fwhost newhost' => 'Hosts',
 'fwhost newnet' => 'Netzwerke',
 'generating the root and host certificates may take a long time. it can take up to several minutes on older hardware. please be patient' => 'Die Erzeugung der Root- und Host-Zertifikate kann lange Zeit dauern.  Auf älterer Hardware kann es mehrere Minuten lang dauern. Bitte haben Sie etwas Geduld.',
 'genkey' => 'PSK erzeugen',
 'genre' => 'Genre',
+'geoip' => 'GeoIP',
+'geoipblock' => 'GeoIP Block',
+'geoipblock block countries' => 'Länderfilter',
+'geoipblock configuration' => 'GeoIP Konfiguration',
+'geoipblock country code' => 'Ländercode',
+'geoipblock country is allowed' => 'Eingehende Verbindungen aus diesem Land sind erlaubt.',
+'geoipblock country is blocked' => 'Eingehende Verbindungen aus diesem Land werden blockiert.',
+'geoipblock country name' => 'Ländername',
+'geoipblock enable feature' => 'GeoIP basierte Filterung aktivieren:',
+'geoipblock flag' => 'Flagge',
 'global settings' => 'Globale Einstellungen',
 'gpl i accept these terms and conditions' => 'Ich akzeptiere diese Bedingungen und Konditionen',
 'gpl license agreement' => 'Lizenz-Vereinbarung',
 'umount removable media before to unplug' => 'Wechselmedien vor dem Entfernen unbedingt abmelden',
 'unable to alter profiles while red is active' => 'Profile können nicht geändert werden, solange ROT aktiv ist.',
 'unable to contact' => 'Kann nicht erreicht werden',
+'unblock' => 'Entblocken',
+'unblock all' => 'Alle entblocken',
+'uncheck all' => 'Alle abwählen',
 'unencrypted' => 'Nicht verschlüsselt',
 'uninstall' => 'Deinstallieren',
 'unix charset' => 'UNIX-Charset',
index 174300e..80c0552 100644 (file)
 'bit' => 'bit',
 'bitrate' => 'Bitrate',
 'bleeding rules' => 'Bleeding Edge Snort Rules',
+'block' => 'Block',
 'blue' => 'BLUE',
 'blue access' => 'Blue Access',
 'blue access use hint' => 'You have to enter the MAC or the IP Address for a device. To enter both is also possible',
 'chain' => 'Chain',
 'change passwords' => 'Change passwords',
 'change share' => 'edit share options',
+'check all' => 'Check all',
 'check for net traffic update' => 'Check for Net-Traffic updates',
 'check vpn lr' => 'Check',
 'choose config' => 'Choose config',
 'fwhost OpenVPN static host' => 'OpenVPN static host',
 'fwhost OpenVPN static network' => 'OpenVPN static network',
 'fwhost Standard Network' => 'Standard network',
+'fwhost addgeoipgrp' => 'Add new GeoIP group',
 'fwhost addgrp' => 'Add new network/host group',
 'fwhost addgrpname' => 'Group name:',
 'fwhost addhost' => 'Add new host',
 'fwhost change' => 'Modify',
 'fwhost changeremark' => 'You modified just the remark',
 'fwhost cust addr' => 'Hosts',
+'fwhost cust geoip' => 'GeoIP Groups',
+'fwhost cust geoipgroup' => 'GeoIP Groups',
+'fwhost cust geoiplocation' => 'GeoIP Locations',
 'fwhost cust grp' => 'Network/Host Groups',
 'fwhost cust net' => 'Networks',
 'fwhost cust service' => 'Services',
 'fwhost ipsec net' => 'IPsec networks:',
 'fwhost menu' => 'Firewall Groups',
 'fwhost netaddress' => 'Network address',
+'fwhost newgeoipgrp' => 'GeoIP Groups',
 'fwhost newgrp' => 'Network/Host Groups',
 'fwhost newhost' => 'Hosts',
 'fwhost newnet' => 'Networks',
 'generating the root and host certificates may take a long time. it can take up to several minutes on older hardware. please be patient' => 'Generating the root and host certificates may take a long time.  It can take up to several minutes on older hardware. Please be patient.',
 'genkey' => 'Generate PSK',
 'genre' => 'Genre',
+'geoip' => 'GeoIP',
+'geoipblock' => 'GeoIP Block',
+'geoipblock block countries' => 'Block countries',
+'geoipblock configuration' => 'GeoIP Configuration',
+'geoipblock country code' => 'Country Code',
+'geoipblock country is allowed' => 'Incoming traffic from this country is allowed',
+'geoipblock country is blocked' => 'Incoming traffic from this country will be blocked',
+'geoipblock country name' => 'Country Name',
+'geoipblock enable feature' => 'Enable GeoIP based blocking:',
+'geoipblock flag' => 'Flag',
 'global settings' => 'Global Settings',
 'gpl i accept these terms and conditions' => 'I accept these terms and conditions',
 'gpl license agreement' => 'License Agreement',
 'umount removable media before to unplug' => 'Umount removable media before unplugging the device',
 'unable to alter profiles while red is active' => 'Unable to alter profiles while RED is active.',
 'unable to contact' => 'Unable to contact',
+'unblock' => 'Unblock',
+'unblock all' => 'Unblock all',
+'uncheck all' => 'Uncheck all',
 'unencrypted' => 'Unencrypted',
 'uninstall' => 'Uninstall',
 'unix charset' => 'UNIX Charset',
index b7c50ff..90f4237 100644 (file)
 'generating the root and host certificates may take a long time. it can take up to several minutes on older hardware. please be patient' => 'Generar los certificador root y host puede tomar mucho tiempo. Puede durar varios minutos en equipos antiguos. Por favor sea paciente.',
 'genkey' => 'Generar PSK',
 'genre' => 'Género',
+'geoip' => 'GeoIP',
+'geoipblock' => 'GeoIP Block',
+'geoipblock block countries' => 'Países bloqueados',
+'geoipblock configuration' => 'Configuración GeoIP',
+'geoipblock country code' => 'Código del País',
+'geoipblock country is allowed' => 'Se permite el tráfico procedente de este País',
+'geoipblock country is blocked' => 'Se deniega el tráfico procedente de este País',
+'geoipblock country name' => 'Nombre del País',
+'geoipblock enable feature' => 'Habilitar bloqueo basado GeoIP:',
+'geoipblock flag' => 'Bandera',
 'global settings' => 'Configuraciones globales',
 'gpl i accept these terms and conditions' => 'I accept these terms and conditions',
 'gpl license agreement' => 'License Agreement',
index b2c1455..02bf7a0 100644 (file)
@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 2.07
+VER        = 3.33
 
 THISAPP    = Locale-Codes-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_MD5 = af0537cc4a882096d0320612c440df6d
+$(DL_FILE)_MD5 = bc7496f97889de8504e80addaa0ee40c
 
 install : $(TARGET)
 
index 2c112d0..7575246 100755 (executable)
@@ -20,7 +20,7 @@
 
 include Config
 
-VER        = 11.16.0
+VER        = 11.17.1
 
 THISAPP    = asterisk-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -28,7 +28,7 @@ DL_FROM    = $(URL_IPFIRE)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 PROG       = asterisk
-PAK_VER    = 15
+PAK_VER    = 16
 
 DEPS       = "libsrtp"
 
@@ -46,7 +46,7 @@ asterisk-extra-sounds-en-gsm-1.4.15.tar.gz = $(URL_IPFIRE)/asterisk-extra-sounds
 asterisk-moh-opsound-gsm-2.03.tar.gz = $(URL_IPFIRE)/asterisk-moh-opsound-gsm-2.03.tar.gz
 asterisk-1.4-de-prompts.tar.gz = $(URL_IPFIRE)/asterisk-1.4-de-prompts.tar.gz
 
-$(DL_FILE)_MD5 = de06d4ac0d1ba531c4c18805a9d5a18d
+$(DL_FILE)_MD5 = 2c6cd0f499152d0d5ff32f36e274fc2e
 asterisk-extra-sounds-en-gsm-1.4.15.tar.gz_MD5 = 5099fc65f49008e33ba7fb043a4ec995
 asterisk-moh-opsound-gsm-2.03.tar.gz_MD5 = 09066f55f1358f298bc1a6e4678a3ddf
 asterisk-1.4-de-prompts.tar.gz_MD5 = 626a2b95071a5505851e43874dfbfd5c
index e0bb346..601cdf6 100644 (file)
@@ -64,8 +64,8 @@ $(TARGET) :
        for i in auth/users backup/include.user backup/exclude.user \
            certs/index.txt ddns/config ddns/noipsettings ddns/settings ddns/ipcache dhcp/settings \
            dhcp/fixleases dhcp/advoptions dhcp/dhcpd.conf.local dns/settings dnsforward/config ethernet/aliases ethernet/settings ethernet/known_nics ethernet/scanned_nics \
-           ethernet/wireless extrahd/scan extrahd/devices extrahd/partitions extrahd/settings firewall/settings firewall/config firewall/input firewall/outgoing \
-           fwhosts/customnetworks fwhosts/customhosts fwhosts/customgroups fwhosts/customservicegrp fwlogs/ipsettings fwlogs/portsettings \
+           ethernet/wireless extrahd/scan extrahd/devices extrahd/partitions extrahd/settings firewall/settings firewall/config firewall/geoipblock firewall/input firewall/outgoing \
+           fwhosts/customnetworks fwhosts/customhosts fwhosts/customgroups fwhosts/customservicegrp fwhosts/customgeoipgrp fwlogs/ipsettings fwlogs/portsettings \
            isdn/settings mac/settings main/disable_nf_sip main/hosts main/routing main/settings net-traffic/settings optionsfw/settings \
            ovpn/ccd.conf ovpn/ccdroute ovpn/ccdroute2 pakfire/settings portfw/config ppp/settings-1 ppp/settings-2 ppp/settings-3 ppp/settings-4 \
            ppp/settings-5 ppp/settings proxy/settings proxy/squid.conf proxy/advanced/settings proxy/advanced/cre/enable remote/settings qos/settings qos/classes qos/subclasses qos/level7config qos/portconfig \
@@ -78,6 +78,7 @@ $(TARGET) :
        cp $(DIR_SRC)/config/cfgroot/header.pl                  $(CONFIG_ROOT)/
        cp $(DIR_SRC)/config/cfgroot/general-functions.pl       $(CONFIG_ROOT)/
        cp $(DIR_SRC)/config/cfgroot/network-functions.pl       $(CONFIG_ROOT)/
+       cp $(DIR_SRC)/config/cfgroot/geoip-functions.pl         $(CONFIG_ROOT)/
        cp $(DIR_SRC)/config/cfgroot/lang.pl                    $(CONFIG_ROOT)/
        cp $(DIR_SRC)/config/cfgroot/countries.pl               $(CONFIG_ROOT)/
        cp $(DIR_SRC)/config/cfgroot/graphs.pl                  $(CONFIG_ROOT)/
index 15a86a5..665f424 100644 (file)
@@ -144,6 +144,13 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
        cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0069-Whitespace-fixes.patch
        cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0070-Return-INSECURE-rather-than-BOGUS-when-DS-proved-not.patch
        cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0071-Fix-compiler-warning-when-not-including-DNSSEC.patch
+       cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0072-Fix-crash-caused-by-looking-up-servers.bind-when-man.patch
+       cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0073-Fix-crash-on-receipt-of-certain-malformed-DNS-reques.patch
+       cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0074-Fix-crash-in-auth-code-with-odd-configuration.patch
+       cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0075-Auth-correct-replies-to-NS-and-SOA-in-.arpa-zones.patch
+       cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0076-Fix-srk-induced-crash-in-new-tftp_no_fail-code.patch
+       cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0077-Note-CVE-2015-3294.patch
+       cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0078-Log-domain-when-reporting-DNSSEC-validation-failure.patch
        cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch
        cd $(DIR_APP) && sed -i src/config.h \
                -e 's|/\* #define HAVE_IDN \*/|#define HAVE_IDN|g' \
index d3c8402..ec65ae0 100644 (file)
@@ -93,9 +93,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
        cd $(DIR_APP) && cp -vf $(DIR_SRC)/netfilter-layer7-v2.22/iptables-1.4.3forward-for-kernel-2.6.20forward/* \
                         ./extensions/
 
-       # ipp2p 0.8.2-pomng
-       cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/iptables-1.4.14-ipp2p-0.8.2-ipfire.patch
-
        # imq
        cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/iptables-1.4.12-IMQ-test4.diff
 
index 6dfef3b..47c0cad 100644 (file)
 
 include Config
 
-VER        = 1.5.0
+VER        = 1.5.2
 THISAPP    = libsrtp-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
 DL_FROM    = $(URL_IPFIRE)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 PROG       = libsrtp
-PAK_VER    = 1
+PAK_VER    = 2
 
 DEPS       = ""
 
@@ -43,7 +43,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_MD5 = ec49ba558b4fd056114df2c76935aa8e
+$(DL_FILE)_MD5 = 2309aa6027992810a4285b042c71e644
 
 install : $(TARGET)
 
@@ -78,7 +78,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
        @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
 
        cd $(DIR_APP) && ./configure --prefix=/usr 
-       cd $(DIR_APP) && make uninstall && make $(MAKETUNING) libsrtp.so
+       cd $(DIR_APP) && make uninstall && make $(MAKETUNING) shared_library
        cd $(DIR_APP) && make install
        @rm -rf $(DIR_APP)
        @$(POSTBUILD)
index 300fd87..8b4f941 100644 (file)
--- a/lfs/linux
+++ b/lfs/linux
 
 include Config
 
-VER        = 3.14.38
+VER        = 3.14.39
 
-RPI_PATCHES = 3.14.38-grsec-ipfire1
-A7M_PATCHES = 3.14.38-grsec-ipfire1
-GRS_PATCHES = grsecurity-3.1-3.14.38-201504142259.patch.xz
+RPI_PATCHES = 3.14.39-grsec-ipfire1
+A7M_PATCHES = 3.14.39-grsec-ipfire1
+GRS_PATCHES = grsecurity-3.1-3.14.39-201504190814.patch.xz
 
 THISAPP    = linux-$(VER)
 DL_FILE    = linux-$(VER).tar.xz
@@ -77,10 +77,10 @@ rpi-patches-$(RPI_PATCHES).patch.xz         = $(URL_IPFIRE)/rpi-patches-$(RPI_PATCHES).
 arm7-multi-patches-$(A7M_PATCHES).patch.xz     = $(URL_IPFIRE)/arm7-multi-patches-$(A7M_PATCHES).patch.xz
 $(GRS_PATCHES)                                 = $(URL_IPFIRE)/$(GRS_PATCHES)
 
-$(DL_FILE)_MD5                                 = c4d0154627e02dc43c67fa616ff1e569
-rpi-patches-$(RPI_PATCHES).patch.xz_MD5                = e423c8b3a408f23b9a26f8f0f4384c50
+$(DL_FILE)_MD5                                 = 3581855d0dbfcbe1140dfcd1406d0a91
+rpi-patches-$(RPI_PATCHES).patch.xz_MD5                = 5056304af0a199194abd0bcb00015f28
 arm7-multi-patches-$(A7M_PATCHES).patch.xz_MD5 = a4a4103255e93bfcb02652212b0ae3fc
-$(GRS_PATCHES)_MD5                             = 6d6ed13c08ae96f6470c30c00e08b130
+$(GRS_PATCHES)_MD5                             = 2121d0bf825da9ff6321e2940f247c5e
 
 install : $(TARGET)
 
@@ -118,9 +118,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
        # Linux Intermediate Queueing Device
        cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux-3.14.22-imq.patch
 
-       # ipp2p 0.8.2-ipfire
-       cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux-3.10-ipp2p-0.8.2-ipfire.patch
-
        # Layer7-patch
        cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux-3.14-layer7-filter.patch
 
index 588cf04..9cc1b4b 100644 (file)
@@ -1,7 +1,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2014  IPFire Team  <info@ipfire.org>                     #
+# Copyright (C) 2007-2015  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
 
 include Config
 
-VER        = 1.0.1m
+VER        = 1.0.2a
 
 THISAPP    = openssl-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
 DL_FROM    = $(URL_IPFIRE)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
-TARGET     = $(DIR_INFO)/$(THISAPP)
+
+TARGET = $(DIR_INFO)/$(THISAPP)$(KCFG)
+
+CFLAGS += -DPURIFY
+export RPM_OPT_FLAGS = $(CFLAGS)
+
+CONFIGURE_OPTIONS = \
+       --prefix=/usr \
+       --openssldir=/etc/ssl \
+       --enginesdir=/usr/lib/openssl/engines \
+       shared \
+       zlib-dynamic \
+       enable-camellia \
+       enable-md2 \
+       enable-seed \
+       enable-tlsext \
+       enable-rfc3779 \
+       no-idea \
+       no-mdc2 \
+       no-rc5 \
+       no-srp \
+       -DSSL_FORBID_ENULL
 
 ifeq "$(MACHINE)" "i586"
-       CONFIGURE_ARGS = linux-elf no-asm 386
+       CONFIGURE_OPTIONS += linux-elf
+
+ifneq "$(KCFG)" "-sse2"
+       CONFIGURE_OPTIONS += no-sse2
+endif
 endif
 
 ifeq "$(MACHINE)" "armv5tel"
-       CONFIGURE_ARGS = linux-generic32
+       CONFIGURE_OPTIONS += linux-generic32
 endif
 
-CFLAGS += -DPURIFY
-export RPM_OPT_FLAGS = $(CFLAGS)
-
 ###############################################################################
 # Top-level Rules
 ###############################################################################
@@ -51,7 +73,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_MD5 = d143d1555d842a069cb7cc34ba745a06
+$(DL_FILE)_MD5 = a06c547dac9044161a477211049f60ef
 
 install : $(TARGET)
 
@@ -82,7 +104,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
        @$(PREBUILD)
        @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
        cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.0-beta5-enginesdir.patch
-       cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.1e-rpmbuild.patch
+       cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.2a-rpmbuild.patch
        cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.1m-weak-ciphers.patch
        cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-disable-sslv2-sslv3.patch
 
@@ -93,27 +115,16 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
        cd $(DIR_APP) && find crypto/ -name Makefile -exec \
                sed 's/^ASFLAGS=/&-Wa,--noexecstack /' -i {} \;
 
-       cd $(DIR_APP) && ./Configure \
-               --prefix=/usr \
-               --openssldir=/etc/ssl \
-               --enginesdir=/usr/lib/openssl/engines \
-               shared \
-               zlib-dynamic \
-               enable-camellia \
-               enable-md2 \
-               enable-seed \
-               enable-tlsext \
-               enable-rfc3779 \
-               no-idea \
-               no-mdc2 \
-               no-rc5 \
-               no-srp \
-               $(CONFIGURE_ARGS) \
-               -DSSL_FORBID_ENULL
+       cd $(DIR_APP) && ./Configure $(CONFIGURE_OPTIONS)
 
        cd $(DIR_APP) && make depend
        cd $(DIR_APP) && make
 
+ifeq "$(KCFG)" "-sse2"
+       -mkdir -pv /usr/lib/sse2
+       cd $(DIR_APP) && install -m 755 \
+               libcrypto.so.10 libssl.so.10 /usr/lib/sse2
+else
        # Install everything.
        cd $(DIR_APP) && make install
        install -m 0644 $(DIR_SRC)/config/ssl/openssl.cnf /etc/ssl
@@ -125,6 +136,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
        -mkdir -pv /usr/lib/openssl
        rm -vfr /usr/lib/openssl/engines
        mv -v /usr/lib/engines /usr/lib/openssl
+endif
 
        @rm -rf $(DIR_APP)
        @$(POSTBUILD)
similarity index 73%
rename from lfs/openssl-compat
rename to lfs/perl-Text-CSV_XS
index 5e3c1ff..f94593f 100644 (file)
@@ -1,7 +1,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2015  IPFire Team  <info@ipfire.org>                     #
+# Copyright (C) 2014  IPFire Team  <info@ipfire.org>                          #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
 #                                                                             #
 ###############################################################################
 
+
 ###############################################################################
 # Definitions
 ###############################################################################
 
 include Config
+VER        = 1.12
 
-VER        = 0.9.8zf
-
-THISAPP    = openssl-$(VER)
-DL_FILE    = $(THISAPP).tar.gz
+THISAPP    = Text-CSV_XS-$(VER)
+DL_FILE    = ${THISAPP}.tgz
 DL_FROM    = $(URL_IPFIRE)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_MD5 = c69a4a679233f7df189e1ad6659511ec
+$(DL_FILE)_MD5 = b91f2d806054b68c2a29d3da5821fe87
 
 install : $(TARGET)
 
@@ -70,33 +70,8 @@ $(subst %,%_MD5,$(objects)) :
 $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
        @$(PREBUILD)
        @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
-
-       cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-disable-sslv2-sslv3.patch
-
-       # Apply our CFLAGS
-       cd $(DIR_APP) && sed -i Configure \
-               -e "s/-O3 -fomit-frame-pointer/$(CFLAGS)/g"
-
-       cd $(DIR_APP) && sed -i -e 's/mcpu/march/' config
-       cd $(DIR_APP) && sed -i -e 's/-O3/-O2/' -e 's/-march=i486/-march=i586/' Configure
-
-       # Support for engines is disabled, because the shared objects from the
-       # new version of openssl cannot be loaded by the old one.
-
-       cd $(DIR_APP) && ./Configure \
-               --prefix=/usr \
-               --openssldir=/etc/ssl \
-               shared linux-elf \
-               zlib-dynamic \
-               no-engines \
-               no-asm 386 \
-               -DSSL_FORBID_ENULL
-
-       cd $(DIR_APP) && make depend
-       cd $(DIR_APP) && make
-
-       cd $(DIR_APP) && install -v -m 755 libcrypto.so.0.9.8 /usr/lib
-       cd $(DIR_APP) && install -v -m 755 libssl.so.0.9.8 /usr/lib
-
+       cd $(DIR_APP) && perl Makefile.PL
+       cd $(DIR_APP) && make $(MAKETUNING) $(EXTRA_MAKE)
+       cd $(DIR_APP) && make install
        @rm -rf $(DIR_APP)
        @$(POSTBUILD)
index 7eae4fb..af7b281 100644 (file)
@@ -9,13 +9,13 @@
 
 include Config
 
-VER        = 1.0.2
+VER        = 1.0.3
 
 THISAPP    = squid-accounting-$(VER)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 PROG       = squid-accounting
-PAK_VER    = 4
+PAK_VER    = 5
 
 DEPS       = "perl-DBI perl-DBD-SQLite perl-File-ReadBackwards perl-PDF-API2 sendEmail"
 
index 53f81d1..3203983 100644 (file)
@@ -55,7 +55,7 @@ $(TARGET) :
        -install -dv -m 1777 /tmp /var/tmp
        -mkdir -pv /usr/{,local/}{bin,include,lib{,/sse2},sbin,src}
        -mkdir -pv /usr/{,local/}share/{doc,info,locale,man}
-       -mkdir -v  /usr/{,local/}share/{misc,terminfo,zoneinfo}
+       -mkdir -v  /usr/{,local/}share/{misc,terminfo,xt_geoip,zoneinfo}
        -mkdir -pv /usr/{,local/}share/man/man{1..8}
        #-for dir in /usr /usr/local; do \
        #  ln -sv share/{man,doc,info} $$dir; \
diff --git a/lfs/tor b/lfs/tor
index 2098952..8eca48d 100644 (file)
--- a/lfs/tor
+++ b/lfs/tor
@@ -32,7 +32,7 @@ DL_FROM    = $(URL_IPFIRE)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 PROG       = tor
-PAK_VER    = 10
+PAK_VER    = 11
 
 DEPS       = "libevent2"
 
diff --git a/lfs/xtables-addons b/lfs/xtables-addons
new file mode 100644 (file)
index 0000000..1848dc9
--- /dev/null
@@ -0,0 +1,110 @@
+###############################################################################
+#                                                                             #
+# IPFire.org - A linux based firewall                                         #
+# Copyright (C) 2007-2014  IPFire Team <info@ipfire.org>                      #
+#                                                                             #
+# This program is free software: you can redistribute it and/or modify        #
+# it under the terms of the GNU General Public License as published by        #
+# the Free Software Foundation, either version 3 of the License, or           #
+# (at your option) any later version.                                         #
+#                                                                             #
+# This program is distributed in the hope that it will be useful,             #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
+# GNU General Public License for more details.                                #
+#                                                                             #
+# You should have received a copy of the GNU General Public License           #
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
+#                                                                             #
+###############################################################################
+
+###############################################################################
+# Definitions
+###############################################################################
+
+include Config
+
+VERSUFIX = ipfire$(KCFG)
+MODPATH = /lib/modules/$(KVER)-$(VERSUFIX)/extra/
+
+VER        = 2.6
+
+THISAPP    = xtables-addons-$(VER)
+DL_FILE    = $(THISAPP).tar.xz
+DL_FROM    = $(URL_IPFIRE)
+DIR_APP    = $(DIR_SRC)/$(THISAPP)
+
+ifeq "$(USPACE)" "1"
+  TARGET = $(DIR_INFO)/$(THISAPP)
+else
+  TARGET = $(DIR_INFO)/$(THISAPP)-kmod-$(KVER)-$(VERSUFIX)
+endif
+
+###############################################################################
+# Top-level Rules
+###############################################################################
+
+objects = $(DL_FILE)
+
+$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
+
+$(DL_FILE)_MD5 = 087835ba7e564481b6fd398692268340
+
+install : $(TARGET)
+
+check : $(patsubst %,$(DIR_CHK)/%,$(objects))
+
+download :$(patsubst %,$(DIR_DL)/%,$(objects))
+
+md5 : $(subst %,%_MD5,$(objects))
+
+dist: 
+       $(PAK)
+
+###############################################################################
+# Downloading, checking, md5sum
+###############################################################################
+
+$(patsubst %,$(DIR_CHK)/%,$(objects)) :
+       @$(CHECK)
+
+$(patsubst %,$(DIR_DL)/%,$(objects)) :
+       @$(LOAD)
+
+$(subst %,%_MD5,$(objects)) :
+       @$(MD5)
+
+###############################################################################
+# Installation Details
+###############################################################################
+
+$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
+       @$(PREBUILD)
+       @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
+
+       # Only build the specified modules.
+       cp -avf $(DIR_SRC)/config/xtables-addons/mconfig \
+               $(DIR_APP)/mconfig
+
+# Check if we build the modules for a kernel or the userspace parts.
+ifeq "$(USPACE)" "1"
+       cd $(DIR_APP) && ./configure \
+               --prefix=/usr \
+               --without-kbuild
+
+       cd $(DIR_APP) && make $(MAKETUNING)
+       cd $(DIR_APP) && make install
+else
+       cd $(DIR_APP) && ./configure \
+               --with-kbuild=/usr/src/linux-$(KVER)/
+
+       cd $(DIR_APP) && make $(MAKETUNING)
+
+       # Install the built kernel modules.
+       cd $(DIR_APP) && for f in $$(ls extensions/*.ko); do \
+               install -m 644 $$f $(MODPATH); \
+       done
+endif
+
+       @rm -rf $(DIR_APP)
+       @$(POSTBUILD)
diff --git a/make.sh b/make.sh
index 316917e..db40b56 100755 (executable)
--- a/make.sh
+++ b/make.sh
@@ -383,6 +383,7 @@ buildipfire() {
   export LOGFILE
   ipfiremake configroot
   ipfiremake backup
+  ipfiremake pkg-config
   ipfiremake libusb
   ipfiremake libusbx
   ipfiremake libpcap
@@ -403,6 +404,8 @@ buildipfire() {
   ipfiremake multipath-tools
   ipfiremake freetype
   ipfiremake grub
+  ipfiremake libmnl
+  ipfiremake iptables
 
   case "${TARGET_ARCH}" in
        i586)
@@ -413,6 +416,7 @@ buildipfire() {
                ipfiremake e1000e                       KCFG="-pae"
 #              ipfiremake igb                          KCFG="-pae"
                ipfiremake ixgbe                        KCFG="-pae"
+               ipfiremake xtables-addons               KCFG="-pae"
                ipfiremake linux-initrd                 KCFG="-pae"
 
                # x86 kernel build
@@ -422,6 +426,7 @@ buildipfire() {
                ipfiremake e1000e                       KCFG=""
 #              ipfiremake igb                          KCFG=""
                ipfiremake ixgbe                        KCFG=""
+               ipfiremake xtables-addons               KCFG=""
                ipfiremake linux-initrd                 KCFG=""
                ;;
 
@@ -430,6 +435,7 @@ buildipfire() {
                ipfiremake linux                        KCFG="-rpi"
                ipfiremake backports                    KCFG="-rpi"
                ipfiremake cryptodev                    KCFG="-rpi"
+               ipfiremake xtables-addons               KCFG="-rpi"
                ipfiremake linux-initrd                 KCFG="-rpi"
 
                # arm multi platform (Panda, Wandboard ...) kernel build
@@ -439,6 +445,7 @@ buildipfire() {
                ipfiremake e1000e                       KCFG="-multi"
 #              ipfiremake igb                          KCFG="-multi"
                ipfiremake ixgbe                        KCFG="-multi"
+               ipfiremake xtables-addons               KCFG="-multi"
                ipfiremake linux-initrd                 KCFG="-multi"
 
                # arm-kirkwood (Dreamplug, ICY-Box ...) kernel build
@@ -448,12 +455,13 @@ buildipfire() {
                ipfiremake e1000e                       KCFG="-kirkwood"
 #              ipfiremake igb                          KCFG="-kirkwood"
                ipfiremake ixgbe                        KCFG="-kirkwood"
+               ipfiremake xtables-addons               KCFG="-kirkwood"
                ipfiremake linux-initrd                 KCFG="-kirkwood"
                ;;
   esac
-  ipfiremake pkg-config
+  ipfiremake xtables-addons                    USPACE="1"
   ipfiremake openssl
-  ipfiremake openssl-compat
+  [ "${TARGET_ARCH}" = "i586" ] && ipfiremake openssl KCFG='-sse2'
   ipfiremake libgpg-error
   ipfiremake libgcrypt
   ipfiremake libassuan
@@ -526,8 +534,6 @@ buildipfire() {
   ipfiremake mtools
   ipfiremake initscripts
   ipfiremake whatmask
-  ipfiremake libmnl
-  ipfiremake iptables
   ipfiremake conntrack-tools
   ipfiremake libupnp
   ipfiremake ipaddr
@@ -810,6 +816,7 @@ buildipfire() {
   ipfiremake squid-accounting
   ipfiremake pigz
   ipfiremake tmux
+  ipfiremake perl-Text-CSV_XS
   ipfiremake swconfig
   ipfiremake haproxy
 }
index c383652..8ca02bc 100644 (file)
@@ -179,6 +179,11 @@ iptables_init() {
                iptables -A OUTPUT -o "${BLUE_DEV}" -j DHCPBLUEOUTPUT
        fi
 
+       # GeoIP block
+       iptables -N GEOIPBLOCK
+       iptables -A INPUT -j GEOIPBLOCK
+       iptables -A FORWARD -j GEOIPBLOCK
+
        # trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
        iptables -N IPSECINPUT
        iptables -N IPSECFORWARD
index f459b77..1af3482 100644 (file)
@@ -75,7 +75,7 @@ dhcpcd_start() {
        fi
 
        # Start dhcpcd.
-       /sbin/dhcpcd "${device}" "${dhcp_start}" >/dev/null 2>&1
+       /sbin/dhcpcd ${dhcp_start} ${device} >/dev/null 2>&1
        ret="$?"
 
        if [ "${ret}" -eq 0 ]; then
@@ -124,7 +124,7 @@ dhcpcd_stop() {
        fi
 
        # Stop dhcpcd.
-       /sbin/dhcpcd "${device}" "${dhcp_stop}" &> /dev/null
+       /sbin/dhcpcd ${dhcp_stop} ${device} &> /dev/null
        ret="$?"
 
        # Wait until dhcpd has stopped.
diff --git a/src/initscripts/init.d/networking/red.up/99-geoip-database b/src/initscripts/init.d/networking/red.up/99-geoip-database
new file mode 100644 (file)
index 0000000..4bd3ee2
--- /dev/null
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+# Get the GeoIP database if no one exists yet.
+
+DIR="/usr/share/xt_geoip/*"
+
+found=false
+
+# Check if the directory contains any data.
+for i in $DIR; do
+       # Ignore "." and ".."
+       if [ -d "$i" ]; then
+               found=true
+               break
+       fi
+done
+
+# Download ruleset if none has been found.
+if ! ${found}; then
+       /usr/local/bin/xt_geoip_update >/dev/null 2>&1
+fi
+
+exit 0
index 09e3858..a9d5a92 100644 (file)
@@ -1,7 +1,7 @@
 From f2658275b25ebfe691cdcb9fede85a3088cca168 Mon Sep 17 00:00:00 2001
 From: Simon Kelley <simon@thekelleys.org.uk>
 Date: Thu, 25 Sep 2014 21:51:25 +0100
-Subject: [PATCH 01/71] Add newline at the end of example config file.
+Subject: [PATCH 01/78] Add newline at the end of example config file.
 
 ---
  dnsmasq.conf.example | 2 +-
index bcaac85..a4041ea 100644 (file)
@@ -1,7 +1,7 @@
 From 00cd9d551998307225312fd21f761cfa8868bd2c Mon Sep 17 00:00:00 2001
 From: Simon Kelley <simon@thekelleys.org.uk>
 Date: Thu, 2 Oct 2014 21:44:21 +0100
-Subject: [PATCH 02/71] crash at startup when an empty suffix is supplied to
+Subject: [PATCH 02/78] crash at startup when an empty suffix is supplied to
  --conf-dir
 
 ---
index a7ef611..ca62340 100644 (file)
@@ -1,7 +1,7 @@
 From 6ac3bc0452a74e16e3d620a0757b0f8caab182ec Mon Sep 17 00:00:00 2001
 From: Simon Kelley <simon@thekelleys.org.uk>
 Date: Fri, 3 Oct 2014 08:48:11 +0100
-Subject: [PATCH 03/71] Debian build fixes for kFreeBSD
+Subject: [PATCH 03/78] Debian build fixes for kFreeBSD
 
 ---
  src/tables.c | 6 +++++-
index e64e314..2504e62 100644 (file)
@@ -1,7 +1,7 @@
 From e9828b6f66b22ce8873f8d30a773137d1aef1b92 Mon Sep 17 00:00:00 2001
 From: Karl Vogel <karl.vogel@gmail.com>
 Date: Fri, 3 Oct 2014 21:45:15 +0100
-Subject: [PATCH 04/71] Set conntrack mark before connect() call.
+Subject: [PATCH 04/78] Set conntrack mark before connect() call.
 
 SO_MARK has to be done before issuing the connect() call on the
 TCP socket.
index 48ed92e..bec87bc 100644 (file)
@@ -1,7 +1,7 @@
 From 17b475912f6a4e72797a543dad59d4d5dde6bb1b Mon Sep 17 00:00:00 2001
 From: Daniel Collins <daniel.collins@smoothwall.net>
 Date: Fri, 3 Oct 2014 21:58:43 +0100
-Subject: [PATCH 05/71] Fix typo in new Dbus code.
+Subject: [PATCH 05/78] Fix typo in new Dbus code.
 
 Simon's fault.
 ---
index c8c5169..6b5345f 100644 (file)
@@ -1,7 +1,7 @@
 From 3d9d2dd0018603a2ae4b9cd65ac6ff959f4fd8c7 Mon Sep 17 00:00:00 2001
 From: Tomas Hozza <thozza@redhat.com>
 Date: Mon, 6 Oct 2014 10:46:48 +0100
-Subject: [PATCH 06/71] Fit example conf file typo.
+Subject: [PATCH 06/78] Fit example conf file typo.
 
 ---
  dnsmasq.conf.example | 2 +-
index c21ece4..ffad3b2 100644 (file)
@@ -1,7 +1,7 @@
 From b9ff5c8f435173cfa616e3c398bdc089ef690a07 Mon Sep 17 00:00:00 2001
 From: Vladislav Grishenko <themiron@mail.ru>
 Date: Mon, 6 Oct 2014 14:34:24 +0100
-Subject: [PATCH 07/71] Improve RFC-compliance when unable to supply addresses
+Subject: [PATCH 07/78] Improve RFC-compliance when unable to supply addresses
  in DHCPv6
 
 While testing https://github.com/sbyx/odhcp6c client I have noticed it
index 227cab7..671a70e 100644 (file)
@@ -1,7 +1,7 @@
 From 98906275a02ae260fe3f82133bd79054f8315f06 Mon Sep 17 00:00:00 2001
 From: Hans Dedecker <dedeckeh@gmail.com>
 Date: Tue, 9 Dec 2014 22:22:53 +0000
-Subject: [PATCH 08/71] Fix conntrack with --bind-interfaces
+Subject: [PATCH 08/78] Fix conntrack with --bind-interfaces
 
 Make sure dst_addr is assigned the correct address in receive_query when OPTNOWILD is
 enabled so the assigned mark can be correctly retrieved and set in forward_query when
index 7773e0b..e9c51f8 100644 (file)
@@ -1,7 +1,7 @@
 From 193de4abf59e49c6b70d54cfe9720fcb95ca2f71 Mon Sep 17 00:00:00 2001
 From: Simon Kelley <simon@thekelleys.org.uk>
 Date: Wed, 10 Dec 2014 17:32:16 +0000
-Subject: [PATCH 09/71] Use inotify instead of polling on Linux.
+Subject: [PATCH 09/78] Use inotify instead of polling on Linux.
 
 This should solve problems people are seeing when a file changes
 twice within a second and thus is missed for polling.
index f5e0ccd..2f8574e 100644 (file)
@@ -1,7 +1,7 @@
 From 857973e6f7e0a3d03535a9df7f9373fd7a0b65cc Mon Sep 17 00:00:00 2001
 From: Simon Kelley <simon@thekelleys.org.uk>
 Date: Mon, 15 Dec 2014 15:58:13 +0000
-Subject: [PATCH 10/71] Teach the new inotify code about symlinks.
+Subject: [PATCH 10/78] Teach the new inotify code about symlinks.
 
 ---
  src/inotify.c | 43 +++++++++++++++++++++++++++----------------
index 800cfb6..66b6331 100644 (file)
@@ -1,7 +1,7 @@
 From 800c5cc1e7438818fd80f08c2d472df249a6942d Mon Sep 17 00:00:00 2001
 From: Simon Kelley <simon@thekelleys.org.uk>
 Date: Mon, 15 Dec 2014 17:50:15 +0000
-Subject: [PATCH 11/71] Remove floor on EDNS0 packet size with DNSSEC.
+Subject: [PATCH 11/78] Remove floor on EDNS0 packet size with DNSSEC.
 
 ---
  CHANGELOG     | 6 +++++-
index 1a0925a..3df5076 100644 (file)
@@ -1,7 +1,7 @@
 From ad946d555dce44eb690c7699933b6ff40ab85bb6 Mon Sep 17 00:00:00 2001
 From: Simon Kelley <simon@thekelleys.org.uk>
 Date: Mon, 15 Dec 2014 17:52:22 +0000
-Subject: [PATCH 12/71] CHANGELOG re. inotify.
+Subject: [PATCH 12/78] CHANGELOG re. inotify.
 
 ---
  CHANGELOG | 4 ++++
index d467a9e..c80a3a2 100644 (file)
@@ -1,7 +1,7 @@
 From 3ad3f3bbd4ee716a7d2fb1e115cf89bd1b1a5de9 Mon Sep 17 00:00:00 2001
 From: Simon Kelley <simon@thekelleys.org.uk>
 Date: Tue, 16 Dec 2014 18:25:17 +0000
-Subject: [PATCH 13/71] Fix breakage of --domain=<domain>,<subnet>,local
+Subject: [PATCH 13/78] Fix breakage of --domain=<domain>,<subnet>,local
 
 ---
  CHANGELOG    |  4 ++++
index b77acce..e322168 100644 (file)
@@ -1,7 +1,7 @@
 From bd9520b7ade7098ee423acc38965376aa57feb07 Mon Sep 17 00:00:00 2001
 From: Simon Kelley <simon@thekelleys.org.uk>
 Date: Tue, 16 Dec 2014 20:41:29 +0000
-Subject: [PATCH 14/71] Remove redundant IN6_IS_ADDR_ULA(a) macro defn.
+Subject: [PATCH 14/78] Remove redundant IN6_IS_ADDR_ULA(a) macro defn.
 
 ---
  src/network.c | 4 ----
index 0680423..afa5f0f 100644 (file)
@@ -1,7 +1,7 @@
 From 476693678e778886b64d0b56e27eb7695cbcca99 Mon Sep 17 00:00:00 2001
 From: Simon Kelley <simon@thekelleys.org.uk>
 Date: Wed, 17 Dec 2014 12:41:56 +0000
-Subject: [PATCH 15/71] Eliminate IPv6 privacy addresses from --interface-name
+Subject: [PATCH 15/78] Eliminate IPv6 privacy addresses from --interface-name
  answers.
 
 ---
index 6b35378..e669a50 100644 (file)
@@ -1,7 +1,7 @@
 From 3267804598047bd1781cab91508d1bc516e5ddbb Mon Sep 17 00:00:00 2001
 From: Simon Kelley <simon@thekelleys.org.uk>
 Date: Wed, 17 Dec 2014 20:38:20 +0000
-Subject: [PATCH 16/71] Tweak field width in cache dump to avoid truncating
+Subject: [PATCH 16/78] Tweak field width in cache dump to avoid truncating
  IPv6 addresses.
 
 ---
index 01095a2..2fe233d 100644 (file)
@@ -1,7 +1,7 @@
 From 094b5c3d904bae9aeb3206d9f3b8348926b84975 Mon Sep 17 00:00:00 2001
 From: Simon Kelley <simon@thekelleys.org.uk>
 Date: Sun, 21 Dec 2014 16:11:52 +0000
-Subject: [PATCH 17/71] Fix crash in DNSSEC code when attempting to verify
+Subject: [PATCH 17/78] Fix crash in DNSSEC code when attempting to verify
  large RRs.
 
 ---
index 49adf85..2ec47e6 100644 (file)
@@ -1,7 +1,7 @@
 From cbc652423403e3cef00e00240f6beef713142246 Mon Sep 17 00:00:00 2001
 From: Simon Kelley <simon@thekelleys.org.uk>
 Date: Sun, 21 Dec 2014 21:21:53 +0000
-Subject: [PATCH 18/71] Make caching work for CNAMEs pointing to A/AAAA records
+Subject: [PATCH 18/78] Make caching work for CNAMEs pointing to A/AAAA records
  shadowed in /etc/hosts
 
 If the answer to an upstream query is a CNAME which points to an
index 33e5180..7e6f821 100644 (file)
@@ -1,7 +1,7 @@
 From fbc5205702c7f6f431d9f1043c553d7fb62ddfdb Mon Sep 17 00:00:00 2001
 From: Simon Kelley <simon@thekelleys.org.uk>
 Date: Tue, 23 Dec 2014 15:46:08 +0000
-Subject: [PATCH 19/71] Fix problems validating NSEC3 and wildcards.
+Subject: [PATCH 19/78] Fix problems validating NSEC3 and wildcards.
 
 ---
  src/dnssec.c | 253 ++++++++++++++++++++++++++++++-----------------------------
index c0493df..362c596 100644 (file)
@@ -1,7 +1,7 @@
 From 83d2ed09fc0216b567d7fb2197e4ff3eae150b0d Mon Sep 17 00:00:00 2001
 From: Simon Kelley <simon@thekelleys.org.uk>
 Date: Tue, 23 Dec 2014 18:42:38 +0000
-Subject: [PATCH 20/71] Initialise return value.
+Subject: [PATCH 20/78] Initialise return value.
 
 ---
  src/dnssec.c | 7 +++++--
index e5422a1..b8ef47d 100644 (file)
@@ -1,7 +1,7 @@
 From 32fc6dbe03569d70dd394420ceb73532cf303c33 Mon Sep 17 00:00:00 2001
 From: Glen Huang <curvedmark@gmail.com>
 Date: Sat, 27 Dec 2014 15:28:12 +0000
-Subject: [PATCH 21/71] Add --ignore-address option.
+Subject: [PATCH 21/78] Add --ignore-address option.
 
 ---
  CHANGELOG     |  8 ++++++++
index 1fbe54c..749195f 100644 (file)
@@ -1,7 +1,7 @@
 From 0b1008d367d44e77352134a4c5178f896f0db3e7 Mon Sep 17 00:00:00 2001
 From: Simon Kelley <simon@thekelleys.org.uk>
 Date: Sat, 27 Dec 2014 15:33:32 +0000
-Subject: [PATCH 22/71] Bad packet protection.
+Subject: [PATCH 22/78] Bad packet protection.
 
 ---
  src/dnssec.c | 2 +-
index 6e57877..28fe61a 100644 (file)
@@ -1,7 +1,7 @@
 From d310ab7ecbffce79d3d90debba621e0222f9bced Mon Sep 17 00:00:00 2001
 From: Matthias Andree <matthias.andree@gmx.de>
 Date: Sat, 27 Dec 2014 15:36:38 +0000
-Subject: [PATCH 23/71] Fix build failure in new inotify code on BSD.
+Subject: [PATCH 23/78] Fix build failure in new inotify code on BSD.
 
 ---
  src/inotify.c | 4 ++--
index 867a95d..31535dc 100644 (file)
@@ -1,7 +1,7 @@
 From 81c538efcebfce2ce4a1d3a420b6c885b8f08df9 Mon Sep 17 00:00:00 2001
 From: Yousong Zhou <yszhou4tech@gmail.com>
 Date: Sat, 3 Jan 2015 16:36:14 +0000
-Subject: [PATCH 24/71] Implement makefile dependencies on COPTS variable.
+Subject: [PATCH 24/78] Implement makefile dependencies on COPTS variable.
 
 ---
  .gitignore |  2 +-
index 4a379c1..a99656d 100644 (file)
@@ -1,7 +1,7 @@
 From d8dbd903d024f84a149dac2f8a674a68dfed47a3 Mon Sep 17 00:00:00 2001
 From: Yousong Zhou <yszhou4tech@gmail.com>
 Date: Mon, 5 Jan 2015 17:03:35 +0000
-Subject: [PATCH 25/71] Fix race condition issue in makefile.
+Subject: [PATCH 25/78] Fix race condition issue in makefile.
 
 ---
  Makefile | 4 +++-
index 837c124..e0c8374 100644 (file)
@@ -1,7 +1,7 @@
 From 97e618a0e3f29465acc689d87288596b006f197e Mon Sep 17 00:00:00 2001
 From: Simon Kelley <simon@thekelleys.org.uk>
 Date: Wed, 7 Jan 2015 21:55:43 +0000
-Subject: [PATCH 26/71] DNSSEC: do top-down search for limit of secure
+Subject: [PATCH 26/78] DNSSEC: do top-down search for limit of secure
  delegation.
 
 ---
index 23b9471..8812bba 100644 (file)
@@ -1,7 +1,7 @@
 From 25cf5e373eb41c088d4ee5e625209c4cf6a5659e Mon Sep 17 00:00:00 2001
 From: Simon Kelley <simon@thekelleys.org.uk>
 Date: Fri, 9 Jan 2015 15:53:03 +0000
-Subject: [PATCH 27/71] Add --log-queries=extra option for more complete
+Subject: [PATCH 27/78] Add --log-queries=extra option for more complete
  logging.
 
 ---
index 6f7f27c..2f60995 100644 (file)
@@ -1,7 +1,7 @@
 From 28de38768e2c7d763b9aa5b7a4d251d5e56bab0b Mon Sep 17 00:00:00 2001
 From: RinSatsuki <aa65535@live.com>
 Date: Sat, 10 Jan 2015 15:22:21 +0000
-Subject: [PATCH 28/71] Add --min-cache-ttl option.
+Subject: [PATCH 28/78] Add --min-cache-ttl option.
 
 ---
  CHANGELOG     |  7 +++++++
index 4834269..3288ce8 100644 (file)
@@ -1,7 +1,7 @@
 From 9f79ee4ae34886c0319f06d8f162b81ef79d62fb Mon Sep 17 00:00:00 2001
 From: Simon Kelley <simon@thekelleys.org.uk>
 Date: Mon, 12 Jan 2015 20:18:18 +0000
-Subject: [PATCH 29/71] Log port of requestor when doing extra logging.
+Subject: [PATCH 29/78] Log port of requestor when doing extra logging.
 
 ---
  src/cache.c | 6 +++---
index fef0e11..81b5eb2 100644 (file)
@@ -1,7 +1,7 @@
 From 5e321739db381a1d7b5964d76e9c81471d2564c9 Mon Sep 17 00:00:00 2001
 From: Simon Kelley <simon@thekelleys.org.uk>
 Date: Mon, 12 Jan 2015 23:16:56 +0000
-Subject: [PATCH 30/71] Don't answer from cache RRsets from wildcards, as we
+Subject: [PATCH 30/78] Don't answer from cache RRsets from wildcards, as we
  don't have NSECs.
 
 ---
index 8ebe469..ead984e 100644 (file)
@@ -1,7 +1,7 @@
 From ae4624bf46b5e37ff1a9a2ba3c927e0dede95adb Mon Sep 17 00:00:00 2001
 From: Simon Kelley <simon@thekelleys.org.uk>
 Date: Mon, 12 Jan 2015 23:22:08 +0000
-Subject: [PATCH 31/71] Logs for DS records consistent.
+Subject: [PATCH 31/78] Logs for DS records consistent.
 
 ---
  src/rfc1035.c | 2 +-
index 60a44b9..f571501 100644 (file)
@@ -1,7 +1,7 @@
 From 393415597c8b5b09558b789ab9ac238dbe3db65d Mon Sep 17 00:00:00 2001
 From: Simon Kelley <simon@thekelleys.org.uk>
 Date: Sun, 18 Jan 2015 22:11:10 +0000
-Subject: [PATCH 32/71] Cope with multiple interfaces with the same LL address.
+Subject: [PATCH 32/78] Cope with multiple interfaces with the same LL address.
 
 ---
  CHANGELOG  | 4 ++++
index f426e8f..f381635 100644 (file)
@@ -1,7 +1,7 @@
 From 2ae195f5a71f7c5a75717845de1bd72fc7dd67f3 Mon Sep 17 00:00:00 2001
 From: Simon Kelley <simon@thekelleys.org.uk>
 Date: Sun, 18 Jan 2015 22:20:48 +0000
-Subject: [PATCH 33/71] Don't treat SERVFAIL as a recoverable error.....
+Subject: [PATCH 33/78] Don't treat SERVFAIL as a recoverable error.....
 
 ---
  src/forward.c | 2 +-
index 53780b2..86401c9 100644 (file)
@@ -1,7 +1,7 @@
 From 5f4dc5c6ca50655ab14f572c7e30815ed74cd51a Mon Sep 17 00:00:00 2001
 From: Simon Kelley <simon@thekelleys.org.uk>
 Date: Tue, 20 Jan 2015 20:51:02 +0000
-Subject: [PATCH 34/71] Add --dhcp-hostsdir config option.
+Subject: [PATCH 34/78] Add --dhcp-hostsdir config option.
 
 ---
  CHANGELOG     |   5 +++
index 2d18e76..cd9ec56 100644 (file)
@@ -1,7 +1,7 @@
 From fbf01f7046e75f9aa73fd4aab2a94e43386d9052 Mon Sep 17 00:00:00 2001
 From: Conrad Kostecki <ck@conrad-kostecki.de>
 Date: Tue, 20 Jan 2015 21:07:56 +0000
-Subject: [PATCH 35/71] Update German translation.
+Subject: [PATCH 35/78] Update German translation.
 
 ---
  po/de.po | 101 +++++++++++++++++++++++++++++----------------------------------
index ffe4cf6..144a254 100644 (file)
@@ -1,7 +1,7 @@
 From 61b838dd574c51d96fef100285a0d225824534f9 Mon Sep 17 00:00:00 2001
 From: Win King Wan <pinwing+dnsmasq@gmail.com>
 Date: Wed, 21 Jan 2015 20:41:48 +0000
-Subject: [PATCH 36/71] Don't reply to DHCPv6 SOLICIT messages when not
+Subject: [PATCH 36/78] Don't reply to DHCPv6 SOLICIT messages when not
  configured for statefull DHCPv6.
 
 ---
index 3cd7999..99606cc 100644 (file)
@@ -1,7 +1,7 @@
 From 0491805d2ff6e7727f0272c94fd97d9897d1e22c Mon Sep 17 00:00:00 2001
 From: Simon Kelley <simon@thekelleys.org.uk>
 Date: Mon, 26 Jan 2015 11:23:43 +0000
-Subject: [PATCH 37/71] Allow inotify to be disabled at compile time on Linux.
+Subject: [PATCH 37/78] Allow inotify to be disabled at compile time on Linux.
 
 ---
  CHANGELOG     |  4 +++-
index 08eb5b5..db0d4fc 100644 (file)
@@ -1,7 +1,7 @@
 From 70d1873dd9e70041ed4bb88c69d5b886b7cc634c Mon Sep 17 00:00:00 2001
 From: Simon Kelley <simon@thekelleys.org.uk>
 Date: Sat, 31 Jan 2015 19:59:29 +0000
-Subject: [PATCH 38/71] Expand inotify code to dhcp-hostsdir, dhcp-optsdir and
+Subject: [PATCH 38/78] Expand inotify code to dhcp-hostsdir, dhcp-optsdir and
  hostsdir.
 
 ---
index 7303df4..28282c2 100644 (file)
@@ -1,7 +1,7 @@
 From aff3396280e944833f0e23d834aa6acd5fe2605a Mon Sep 17 00:00:00 2001
 From: Simon Kelley <simon@thekelleys.org.uk>
 Date: Sat, 31 Jan 2015 20:13:40 +0000
-Subject: [PATCH 39/71] Update copyrights for dawn of 2015.
+Subject: [PATCH 39/78] Update copyrights for dawn of 2015.
 
 ---
  Makefile             | 2 +-
index 9c3ac9c..2fb831c 100644 (file)
@@ -1,7 +1,7 @@
 From 3d04f46334d0e345f589eda1372e638b946fe637 Mon Sep 17 00:00:00 2001
 From: Simon Kelley <simon@thekelleys.org.uk>
 Date: Sat, 31 Jan 2015 21:59:13 +0000
-Subject: [PATCH 40/71] inotify documentation updates.
+Subject: [PATCH 40/78] inotify documentation updates.
 
 ---
  man/dnsmasq.8 | 11 +++++++++--
index 1fc1c73..68e1ca6 100644 (file)
@@ -1,7 +1,7 @@
 From 6ef15b34ca83c62a939f69356d5c3f7a6bfef3d0 Mon Sep 17 00:00:00 2001
 From: Simon Kelley <simon@thekelleys.org.uk>
 Date: Sat, 31 Jan 2015 22:44:26 +0000
-Subject: [PATCH 41/71] Fix broken ECDSA DNSSEC signatures.
+Subject: [PATCH 41/78] Fix broken ECDSA DNSSEC signatures.
 
 ---
  CHANGELOG    | 2 ++
index 750f113..ced5868 100644 (file)
@@ -1,7 +1,7 @@
 From 106266761828a0acb006346ae47bf031dee46a5d Mon Sep 17 00:00:00 2001
 From: Simon Kelley <simon@thekelleys.org.uk>
 Date: Sun, 1 Feb 2015 00:15:16 +0000
-Subject: [PATCH 42/71] BSD make support
+Subject: [PATCH 42/78] BSD make support
 
 ---
  Makefile | 6 ++++--
index aa55fe2..2aa543d 100644 (file)
@@ -1,7 +1,7 @@
 From 8d8a54ec79d9f96979fabbd97b1dd2ddebc7d78f Mon Sep 17 00:00:00 2001
 From: Simon Kelley <simon@thekelleys.org.uk>
 Date: Sun, 1 Feb 2015 21:48:46 +0000
-Subject: [PATCH 43/71] Fix build failure on openBSD.
+Subject: [PATCH 43/78] Fix build failure on openBSD.
 
 ---
  src/tables.c | 2 +-
index bbc4d48..ef606e8 100644 (file)
@@ -1,7 +1,7 @@
 From d36b732c4cfa91ea09af64b5dc0f3a85a075e5bc Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Thi=C3=A9baud=20Weksteen?= <thiebaud@weksteen.fr>
 Date: Mon, 2 Feb 2015 21:37:27 +0000
-Subject: [PATCH 44/71] Manpage typo fix.
+Subject: [PATCH 44/78] Manpage typo fix.
 
 ---
  man/dnsmasq.8 | 2 +-
index 2d43b93..1f87a9e 100644 (file)
@@ -1,7 +1,7 @@
 From 2941d3ac898cf84b544e47c9735c5e4111711db1 Mon Sep 17 00:00:00 2001
 From: Simon Kelley <simon@thekelleys.org.uk>
 Date: Mon, 2 Feb 2015 22:36:42 +0000
-Subject: [PATCH 45/71] Fixup dhcp-configs after reading extra hostfiles with
+Subject: [PATCH 45/78] Fixup dhcp-configs after reading extra hostfiles with
  inotify.
 
 ---
index 8b173f2..754d0a8 100644 (file)
@@ -1,7 +1,7 @@
 From f9c863708c6b0aea31ff7a466647685dc739de50 Mon Sep 17 00:00:00 2001
 From: Simon Kelley <simon@thekelleys.org.uk>
 Date: Tue, 3 Feb 2015 21:52:48 +0000
-Subject: [PATCH 46/71] Extra logging for inotify code.
+Subject: [PATCH 46/78] Extra logging for inotify code.
 
 ---
  src/cache.c   | 9 ++++-----
index 9710dfb..9fdd87e 100644 (file)
@@ -1,7 +1,7 @@
 From efb8b5566aafc1f3ce18514a2df93af5a2e4998c Mon Sep 17 00:00:00 2001
 From: Simon Kelley <simon@thekelleys.org.uk>
 Date: Sat, 7 Feb 2015 22:36:34 +0000
-Subject: [PATCH 47/71] man page typo.
+Subject: [PATCH 47/78] man page typo.
 
 ---
  man/dnsmasq.8 | 1 +
index fb7753c..fd0da9b 100644 (file)
@@ -1,7 +1,7 @@
 From f4f400776b3c1aa303d1a0fcd500f0ab5bc970f2 Mon Sep 17 00:00:00 2001
 From: Shantanu Gadgil <shantanugadgil@yahoo.com>
 Date: Wed, 11 Feb 2015 20:16:59 +0000
-Subject: [PATCH 48/71] Fix get-version script which returned wrong tag in some
+Subject: [PATCH 48/78] Fix get-version script which returned wrong tag in some
  situations.
 
 ---
index c843bf2..ab57c77 100644 (file)
@@ -1,7 +1,7 @@
 From 8ff70de618eb7de9147dbfbd4deca4a2dd62f0cb Mon Sep 17 00:00:00 2001
 From: Simon Kelley <simon@thekelleys.org.uk>
 Date: Sat, 14 Feb 2015 20:02:37 +0000
-Subject: [PATCH 49/71] Typos.
+Subject: [PATCH 49/78] Typos.
 
 ---
  src/inotify.c | 3 ++-
index 7b9a1b3..df3bf18 100644 (file)
@@ -1,7 +1,7 @@
 From caeea190f12efd20139f694aac4942d1ac00019f Mon Sep 17 00:00:00 2001
 From: Simon Kelley <simon@thekelleys.org.uk>
 Date: Sat, 14 Feb 2015 20:08:56 +0000
-Subject: [PATCH 50/71] Make dynamic hosts files work when --no-hosts set.
+Subject: [PATCH 50/78] Make dynamic hosts files work when --no-hosts set.
 
 ---
  src/cache.c | 21 +++++++++++----------
index a65ed21..ad7ecd7 100644 (file)
@@ -1,7 +1,7 @@
 From 28b879ac47b872af6e8c5e86d76806c69338434d Mon Sep 17 00:00:00 2001
 From: Chen Wei <weichen302@icloud.com>
 Date: Tue, 17 Feb 2015 22:07:35 +0000
-Subject: [PATCH 51/71] Fix trivial memory leaks to quieten valgrind.
+Subject: [PATCH 51/78] Fix trivial memory leaks to quieten valgrind.
 
 ---
  src/dnsmasq.c |  2 ++
index 69aeb92..9556f3b 100644 (file)
@@ -1,7 +1,7 @@
 From 0705a7e2d57654b27c7e14f35ca77241c1821f4d Mon Sep 17 00:00:00 2001
 From: Tomas Hozza <thozza@redhat.com>
 Date: Mon, 23 Feb 2015 21:26:26 +0000
-Subject: [PATCH 52/71] Fix uninitialized value used in get_client_mac()
+Subject: [PATCH 52/78] Fix uninitialized value used in get_client_mac()
 
 ---
  src/dhcp6.c | 4 +++-
index b37498e..03d20f6 100644 (file)
@@ -1,7 +1,7 @@
 From 47b9ac59c715827252ae6e6732903c3dabb697fb Mon Sep 17 00:00:00 2001
 From: Joachim Zobel <jz-2014@heute-morgen.de>
 Date: Mon, 23 Feb 2015 21:38:11 +0000
-Subject: [PATCH 53/71] Log parsing utils in contrib/reverse-dns
+Subject: [PATCH 53/78] Log parsing utils in contrib/reverse-dns
 
 ---
  contrib/reverse-dns/README             | 18 ++++++++++++++++++
index 5073440..2d47566 100644 (file)
@@ -1,7 +1,7 @@
 From f6e62e2af96f5fa0d1e3d93167a93a8f09bf6e61 Mon Sep 17 00:00:00 2001
 From: Simon Kelley <simon@thekelleys.org.uk>
 Date: Sun, 1 Mar 2015 18:17:54 +0000
-Subject: [PATCH 54/71] Add --dnssec-timestamp option and facility.
+Subject: [PATCH 54/78] Add --dnssec-timestamp option and facility.
 
 ---
  CHANGELOG     |  6 +++++
index 768e14a..ba48df3 100644 (file)
@@ -1,7 +1,7 @@
 From 9003b50b13da624ca45f3e0cf99abb623b8d026b Mon Sep 17 00:00:00 2001
 From: Simon Kelley <simon@thekelleys.org.uk>
 Date: Mon, 2 Mar 2015 22:47:23 +0000
-Subject: [PATCH 55/71] Fix last commit to not crash if uid changing not
+Subject: [PATCH 55/78] Fix last commit to not crash if uid changing not
  configured.
 
 ---
index d39a058..dc52d90 100644 (file)
@@ -1,7 +1,7 @@
 From 4c960fa90a975d20f75a1ecabd217247f1922c8f Mon Sep 17 00:00:00 2001
 From: Simon Kelley <simon@thekelleys.org.uk>
 Date: Wed, 4 Mar 2015 20:32:26 +0000
-Subject: [PATCH 56/71] New version of contrib/reverse-dns
+Subject: [PATCH 56/78] New version of contrib/reverse-dns
 
 ---
  contrib/reverse-dns/README             |  22 +++---
index 462d572..d17d23f 100644 (file)
@@ -1,7 +1,7 @@
 From 360f2513ab12a9bf1e262d388dd2ea8a566590a3 Mon Sep 17 00:00:00 2001
 From: Simon Kelley <simon@thekelleys.org.uk>
 Date: Sat, 7 Mar 2015 18:28:06 +0000
-Subject: [PATCH 57/71] Tweak DNSSEC timestamp code to create file later,
+Subject: [PATCH 57/78] Tweak DNSSEC timestamp code to create file later,
  removing need to chown it.
 
 ---
index aa30241..4dd9568 100644 (file)
@@ -1,7 +1,7 @@
 From ff841ebf5a5d6864ff48571f607c32ce80dbb75a Mon Sep 17 00:00:00 2001
 From: Simon Kelley <simon@thekelleys.org.uk>
 Date: Wed, 11 Mar 2015 21:36:30 +0000
-Subject: [PATCH 58/71] Fix boilerplate code for re-running system calls on
+Subject: [PATCH 58/78] Fix boilerplate code for re-running system calls on
  EINTR and EAGAIN etc.
 
 The nasty code with static variable in retry_send() which
index 6a2a0f4..a072474 100644 (file)
@@ -1,7 +1,7 @@
 From 979fe86bc8693f660eddea232ae39cbbb50b294c Mon Sep 17 00:00:00 2001
 From: Simon Kelley <simon@thekelleys.org.uk>
 Date: Thu, 19 Mar 2015 22:50:22 +0000
-Subject: [PATCH 59/71] Make --address=/example.com/ equivalent to
+Subject: [PATCH 59/78] Make --address=/example.com/ equivalent to
  --server=/example.com/
 
 ---
index 1eb504b..429f56a 100644 (file)
@@ -1,7 +1,7 @@
 From 65c721200023ef0023114459a8d12f8b0a24cfd8 Mon Sep 17 00:00:00 2001
 From: Lung-Pin Chang <changlp@cs.nctu.edu.tw>
 Date: Thu, 19 Mar 2015 23:22:21 +0000
-Subject: [PATCH 60/71] dhcp: set outbound interface via cmsg in unicast reply
+Subject: [PATCH 60/78] dhcp: set outbound interface via cmsg in unicast reply
 
   If multiple routes to the same network exist, Linux blindly picks
   the first interface (route) based on destination address, which might not be
index b566ebf..aece6fa 100644 (file)
@@ -1,7 +1,7 @@
 From 8805283088d670baecb92569252c01cf754cda51 Mon Sep 17 00:00:00 2001
 From: Simon Kelley <simon@thekelleys.org.uk>
 Date: Thu, 26 Mar 2015 21:15:43 +0000
-Subject: [PATCH 61/71] Don't fail DNSSEC when a signed CNAME dangles into an
+Subject: [PATCH 61/78] Don't fail DNSSEC when a signed CNAME dangles into an
  unsigned zone.
 
 ---
index a660450..81280dc 100644 (file)
@@ -1,7 +1,7 @@
 From 150162bc37170a6edae9d488435e836b1e4e3a4e Mon Sep 17 00:00:00 2001
 From: Simon Kelley <simon@thekelleys.org.uk>
 Date: Fri, 27 Mar 2015 09:58:26 +0000
-Subject: [PATCH 62/71] Return SERVFAIL when validation abandoned.
+Subject: [PATCH 62/78] Return SERVFAIL when validation abandoned.
 
 ---
  src/forward.c | 11 +++++++++--
index 93161d0..bd79a1a 100644 (file)
@@ -1,7 +1,7 @@
 From 0b8a5a30a77331974ba24a04e43e720585dfbc61 Mon Sep 17 00:00:00 2001
 From: Simon Kelley <simon@thekelleys.org.uk>
 Date: Fri, 27 Mar 2015 11:44:55 +0000
-Subject: [PATCH 63/71] Protect against broken DNSSEC upstreams.
+Subject: [PATCH 63/78] Protect against broken DNSSEC upstreams.
 
 ---
  src/dnssec.c | 7 +++++--
index 389beee..c020af5 100644 (file)
@@ -1,7 +1,7 @@
 From 1e153945def3c50d1e59ceea6a768db0ac770f98 Mon Sep 17 00:00:00 2001
 From: Simon Kelley <simon@thekelleys.org.uk>
 Date: Sat, 28 Mar 2015 21:34:07 +0000
-Subject: [PATCH 64/71] DNSSEC fix for non-ascii characters in labels.
+Subject: [PATCH 64/78] DNSSEC fix for non-ascii characters in labels.
 
 ---
  src/dnssec.c  | 34 +++++++++++++++++-----------------
index 69f6081..a9b6f40 100644 (file)
@@ -1,7 +1,7 @@
 From 394ff492da6af5da7e7d356be9586683bc5fc011 Mon Sep 17 00:00:00 2001
 From: Simon Kelley <simon@thekelleys.org.uk>
 Date: Sun, 29 Mar 2015 22:17:14 +0100
-Subject: [PATCH 65/71] Allow control characters in names in the cache, handle
+Subject: [PATCH 65/78] Allow control characters in names in the cache, handle
  when logging.
 
 ---
index 04a865f..8a496b0 100644 (file)
@@ -1,7 +1,7 @@
 From 794fccca7ffebfba4468bfffc6276b68bbf6afd9 Mon Sep 17 00:00:00 2001
 From: Simon Kelley <simon@thekelleys.org.uk>
 Date: Sun, 29 Mar 2015 22:35:44 +0100
-Subject: [PATCH 66/71] Fix crash in last commit.
+Subject: [PATCH 66/78] Fix crash in last commit.
 
 ---
  src/cache.c | 7 ++++---
index 090da5c..f6c5225 100644 (file)
@@ -1,7 +1,7 @@
 From fd6ad9e481ab7c812a6b1515244908818cbb0442 Mon Sep 17 00:00:00 2001
 From: Simon Kelley <simon@thekelleys.org.uk>
 Date: Mon, 30 Mar 2015 07:52:21 +0100
-Subject: [PATCH 67/71] Merge message translations.
+Subject: [PATCH 67/78] Merge message translations.
 
 ---
  po/de.po    | 803 +++++++++++++++++++++++++++++++++--------------------------
index 3439cc1..cf1f2af 100644 (file)
@@ -1,7 +1,7 @@
 From 30d0879ed55cb67b1b735beab3d93f3bb3ef1dd2 Mon Sep 17 00:00:00 2001
 From: Stefan Tomanek <stefan.tomanek+dnsmasq@wertarbyte.de>
 Date: Tue, 31 Mar 2015 22:32:11 +0100
-Subject: [PATCH 68/71] add --tftp-no-fail to ignore missing tftp root
+Subject: [PATCH 68/78] add --tftp-no-fail to ignore missing tftp root
 
 ---
  CHANGELOG            |  3 +++
index 6784ee3..a18c6be 100644 (file)
@@ -1,7 +1,7 @@
 From 7aa970e2c7043201663d86a4b5d8cd5c592cef39 Mon Sep 17 00:00:00 2001
 From: Stefan Tomanek <stefan.tomanek+dnsmasq@wertarbyte.de>
 Date: Wed, 1 Apr 2015 17:55:07 +0100
-Subject: [PATCH 69/71] Whitespace fixes.
+Subject: [PATCH 69/78] Whitespace fixes.
 
 ---
  src/dnsmasq.c | 14 +++++++-------
index 1350ca6..b021aab 100644 (file)
@@ -1,7 +1,7 @@
 From fe3992f9fa69fa975ea31919c53933b5f6a63527 Mon Sep 17 00:00:00 2001
 From: Simon Kelley <simon@thekelleys.org.uk>
 Date: Fri, 3 Apr 2015 21:25:05 +0100
-Subject: [PATCH 70/71] Return INSECURE, rather than BOGUS when DS proved not
+Subject: [PATCH 70/78] Return INSECURE, rather than BOGUS when DS proved not
  to exist.
 
 Return INSECURE when validating DNS replies which have RRSIGs, but
index 83cdb0c..b8e5cf8 100644 (file)
@@ -1,7 +1,7 @@
 From 982faf402487e265ed11ac03524531d42b03c966 Mon Sep 17 00:00:00 2001
 From: Simon Kelley <simon@thekelleys.org.uk>
 Date: Fri, 3 Apr 2015 21:42:30 +0100
-Subject: [PATCH 71/71] Fix compiler warning when not including DNSSEC.
+Subject: [PATCH 71/78] Fix compiler warning when not including DNSSEC.
 
 ---
  src/forward.c | 3 ++-
diff --git a/src/patches/dnsmasq/0072-Fix-crash-caused-by-looking-up-servers.bind-when-man.patch b/src/patches/dnsmasq/0072-Fix-crash-caused-by-looking-up-servers.bind-when-man.patch
new file mode 100644 (file)
index 0000000..e03606c
--- /dev/null
@@ -0,0 +1,54 @@
+From 04b0ac05377936d121a36873bb63d492cde292c9 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Mon, 6 Apr 2015 17:19:13 +0100
+Subject: [PATCH 72/78] Fix crash caused by looking up servers.bind when many
+ servers defined.
+
+---
+ CHANGELOG   | 7 ++++++-
+ src/cache.c | 4 ++--
+ 2 files changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index 34432ae4807f..6aa3d851a297 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -75,7 +75,12 @@ version 2.73
+           Add --tftp-no-fail option. Thanks to Stefan Tomanek for
+           the patch.
+-      
++
++          Fix crash caused by looking up servers.bind, CHAOS text record,
++          when more than about five --servers= lines are in the dnsmasq
++          config. This causes memory corruption which causes a crash later.
++          Thanks to Matt Coddington for sterling work chasing this down.
++
+       
+ version 2.72
+             Add ra-advrouter mode, for RFC-3775 mobile IPv6 support.
+diff --git a/src/cache.c b/src/cache.c
+index d7bea574c0d8..178d654ca92e 100644
+--- a/src/cache.c
++++ b/src/cache.c
+@@ -1367,7 +1367,7 @@ int cache_make_stat(struct txt_record *t)
+               }
+           port = prettyprint_addr(&serv->addr, daemon->addrbuff);
+           lenp = p++; /* length */
+-          bytes_avail = (p - buff) + bufflen;
++          bytes_avail = bufflen - (p - buff );
+           bytes_needed = snprintf(p, bytes_avail, "%s#%d %u %u", daemon->addrbuff, port, queries, failed_queries);
+           if (bytes_needed >= bytes_avail)
+             {
+@@ -1381,7 +1381,7 @@ int cache_make_stat(struct txt_record *t)
+               lenp = p - 1;
+               buff = new;
+               bufflen = newlen;
+-              bytes_avail = (p - buff) + bufflen;
++              bytes_avail =  bufflen - (p - buff );
+               bytes_needed = snprintf(p, bytes_avail, "%s#%d %u %u", daemon->addrbuff, port, queries, failed_queries);
+             }
+           *lenp = bytes_needed;
+-- 
+2.1.0
+
diff --git a/src/patches/dnsmasq/0073-Fix-crash-on-receipt-of-certain-malformed-DNS-reques.patch b/src/patches/dnsmasq/0073-Fix-crash-on-receipt-of-certain-malformed-DNS-reques.patch
new file mode 100644 (file)
index 0000000..c333e66
--- /dev/null
@@ -0,0 +1,61 @@
+From ad4a8ff7d9097008d7623df8543df435bfddeac8 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Thu, 9 Apr 2015 21:48:00 +0100
+Subject: [PATCH 73/78] Fix crash on receipt of certain malformed DNS requests.
+
+---
+ CHANGELOG     | 3 +++
+ src/rfc1035.c | 9 ++++++---
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index 6aa3d851a297..9af617056f1f 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -125,6 +125,9 @@ version 2.72
+             Fix problem with --local-service option on big-endian platforms
+           Thanks to Richard Genoud for the patch.
++          Fix crash on receipt of certain malformed DNS requests. Thanks
++          to Nick Sampanis for spotting the problem.
++      
+ version 2.71
+             Subtle change to error handling to help DNSSEC validation 
+diff --git a/src/rfc1035.c b/src/rfc1035.c
+index 7a07b0cee906..a995ab50d74a 100644
+--- a/src/rfc1035.c
++++ b/src/rfc1035.c
+@@ -1198,7 +1198,10 @@ unsigned int extract_request(struct dns_header *header, size_t qlen, char *name,
+ size_t setup_reply(struct dns_header *header, size_t qlen,
+               struct all_addr *addrp, unsigned int flags, unsigned long ttl)
+ {
+-  unsigned char *p = skip_questions(header, qlen);
++  unsigned char *p;
++
++  if (!(p = skip_questions(header, qlen)))
++    return 0;
+   
+   /* clear authoritative and truncated flags, set QR flag */
+   header->hb3 = (header->hb3 & ~(HB3_AA | HB3_TC)) | HB3_QR;
+@@ -1214,7 +1217,7 @@ size_t setup_reply(struct dns_header *header, size_t qlen,
+     SET_RCODE(header, NOERROR); /* empty domain */
+   else if (flags == F_NXDOMAIN)
+     SET_RCODE(header, NXDOMAIN);
+-  else if (p && flags == F_IPV4)
++  else if (flags == F_IPV4)
+     { /* we know the address */
+       SET_RCODE(header, NOERROR);
+       header->ancount = htons(1);
+@@ -1222,7 +1225,7 @@ size_t setup_reply(struct dns_header *header, size_t qlen,
+       add_resource_record(header, NULL, NULL, sizeof(struct dns_header), &p, ttl, NULL, T_A, C_IN, "4", addrp);
+     }
+ #ifdef HAVE_IPV6
+-  else if (p && flags == F_IPV6)
++  else if (flags == F_IPV6)
+     {
+       SET_RCODE(header, NOERROR);
+       header->ancount = htons(1);
+-- 
+2.1.0
+
diff --git a/src/patches/dnsmasq/0074-Fix-crash-in-auth-code-with-odd-configuration.patch b/src/patches/dnsmasq/0074-Fix-crash-in-auth-code-with-odd-configuration.patch
new file mode 100644 (file)
index 0000000..4a9cee0
--- /dev/null
@@ -0,0 +1,113 @@
+From 38440b204db65f9be16c4c3daa7e991e4356f6ed Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Sun, 12 Apr 2015 21:52:47 +0100
+Subject: [PATCH 74/78] Fix crash in auth code with odd configuration.
+
+---
+ CHANGELOG  | 32 +++++++++++++++++++++-----------
+ src/auth.c | 13 ++++++++-----
+ 2 files changed, 29 insertions(+), 16 deletions(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index 9af617056f1f..f2142c71cbdc 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -68,18 +68,31 @@ version 2.73
+           Fix broken DNSSEC validation of ECDSA signatures.
+           Add --dnssec-timestamp option, which provides an automatic
+-          way to detect when the system time becomes valid after boot
+-          on systems without an RTC, whilst allowing DNS querie