From: Arne Fitzenreiter Date: Mon, 8 Apr 2019 19:47:12 +0000 (+0200) Subject: Merge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next X-Git-Tag: v2.23-core131~46 X-Git-Url: http://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff_plain;h=47204d12f1387502612e8a66b4a1a8a853e33ebf;hp=5f9bf17d76e43b1ee0bb4b880a9aa001844e4d4a Merge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next Signed-off-by: Arne Fitzenreiter --- diff --git a/config/rootfiles/core/130/filelists/Net_SSLeay b/config/rootfiles/core/130/filelists/Net_SSLeay new file mode 120000 index 0000000000..13fe0560cf --- /dev/null +++ b/config/rootfiles/core/130/filelists/Net_SSLeay @@ -0,0 +1 @@ +../../../common/Net_SSLeay \ No newline at end of file diff --git a/config/rootfiles/core/130/update.sh b/config/rootfiles/core/130/update.sh index c039f30d8e..71c63a3f76 100644 --- a/config/rootfiles/core/130/update.sh +++ b/config/rootfiles/core/130/update.sh @@ -133,6 +133,9 @@ rm -rfv \ # Update pakfire database /usr/local/bin/pakfire update --force +# Search sensors again after reboot into the new kernel +rm -f /etc/sysconfig/lm_sensors + # Upadate Kernel version uEnv.txt if [ -e /boot/uEnv.txt ]; then sed -i -e "s/KVER=.*/KVER=${KVER}/g" /boot/uEnv.txt diff --git a/lfs/strongswan b/lfs/strongswan index 4174f78fe5..714537e360 100644 --- a/lfs/strongswan +++ b/lfs/strongswan @@ -73,6 +73,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-disable-ipv6.patch cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-ipfire.patch cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-ipfire-interfaces.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-ipfire-revert.patch cd $(DIR_APP) && ./configure \ --prefix="/usr" \ diff --git a/src/patches/strongswan-ipfire-revert.patch b/src/patches/strongswan-ipfire-revert.patch new file mode 100644 index 0000000000..91c76212e6 --- /dev/null 
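Review bot: In the update.sh hunk, `rm -f /etc/sysconfig/lm_sensors` discards the detected-sensors module list but nothing in this hunk regenerates it, and the comment says "after reboot" while the deletion runs now, before the reboot; unless a boot-time `sensors-detect` (or equivalent) recreates the file, the hwmon modules it listed will simply stop being loaded. I would either run the re-detection from the update script itself or state the dependency in the comment, e.g. `# Remove the cached lm_sensors module list so sensor detection runs again on first boot into the new kernel (regenerated by the boot-time detection)`. The surrounding update.sh script begins and ends outside this hunk, so the regeneration may well be elsewhere — worth confirming rather than assuming.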
+++ b/src/patches/strongswan-ipfire-revert.patch 
@@ -0,0 +1,113 @@ +--- strongswan-5.7.2/src/_updown/_updown.in.bak 2019-04-08 16:27:08.549214441 +0100 ++++ strongswan-5.7.2/src/_updown/_updown.in 2019-04-08 16:30:30.195868788 +0100 +@@ -130,36 +130,6 @@ + # address family. + # + +-VARS=( +- id status name lefthost type ctype psk local local_id leftsubnets +- remote_id remote rightsubnets x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 +- x13 x14 x15 x16 x17 x18 x19 proto x20 x21 x22 +- route x23 mode interface_mode interface_address interface_mtu rest +-) +- +-function ip_encode() { +- local IFS=. +- +- local int=0 +- for field in $1; do +- int=$(( $(( $int << 8 )) | $field )) +- done +- +- echo $int +-} +- +-function ip_in_subnet() { +- local netmask +- netmask=$(_netmask $2) +- [ $(( $(ip_encode $1) & $netmask)) = $(( $(ip_encode ${2%/*}) & $netmask )) ] +-} +- +-function _netmask() { +- local vlsm +- vlsm=${1#*/} +- [ $vlsm -eq 0 ] && echo 0 || echo $(( -1 << $(( 32 - $vlsm )) )) +-} +- + # define a minimum PATH environment in case it is not set + PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" + export PATH +@@ -326,13 +296,6 @@ + fi + ;; + up-client:iptables) +- # Read IPsec configuration +- while IFS="," read -r "${VARS[@]}"; do +- if [ "${PLUTO_CONNECTION}" = "${name}" ]; then +- break +- fi +- done < /var/ipfire/vpn/config +- + # connection to client subnet, with (left/right)firewall=yes, coming up + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. +@@ -396,30 +359,6 @@ + logger -t $TAG -p $FAC_PRIO \ + "tunnel+ $PLUTO_PEER -- $PLUTO_ME" + fi +- +- if [ -z "${interface_mode}" ]; then +- # Add source nat so also the gateway can access the other nets +- eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) +- for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do +- ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}" +- if [ $? 
-eq 0 ]; then +- src=${_src} +- break +- fi +- done +- +- if [ -n "${src}" ]; then +- iptables --wait -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src +- logger -t $TAG -p $FAC_PRIO \ +- "snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src" +- else +- logger -t $TAG -p $FAC_PRIO \ +- "Cannot create NAT rule because no IP of the IPFire does match the subnet. $PLUTO_MY_CLIENT" +- fi +- fi +- +- # Flush routing cache +- ip route flush cache + ;; + down-client:iptables) + # connection to client subnet, with (left/right)firewall=yes, going down +@@ -487,28 +426,6 @@ + logger -t $TAG -p $FAC_PRIO \ + "tunnel- $PLUTO_PEER -- $PLUTO_ME" + fi +- +- # remove source nat +- eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) +- for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do +- ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}" +- if [ $? -eq 0 ]; then +- src=${_src} +- break +- fi +- done +- +- if [ -n "${src}" ]; then +- iptables --wait -t nat -D IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src +- logger -t $TAG -p $FAC_PRIO \ +- "snat- $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src" +- else +- logger -t $TAG -p $FAC_PRIO \ +- "Cannot remove NAT rule because no IP of the IPFire does match the subnet." +- fi +- +- # Flush routing cache +- ip route flush cache + ;; + # + # IPv6 diff --git a/src/scripts/ipsec-interfaces b/src/scripts/ipsec-interfaces index cb55fdf795..2546f8927d 100644 --- a/src/scripts/ipsec-interfaces +++ b/src/scripts/ipsec-interfaces @@ -23,9 +23,19 @@ shopt -s nullglob VPN_CONFIG="/var/ipfire/vpn/config" +ROUTE_TABLE="220" +ROUTE_TABLE_PRIO="128" + eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) eval $(/usr/local/bin/readhash /var/ipfire/vpn/settings) +# Get RED interface name +if [ -r "/var/ipfire/red/iface" ]; then + RED_INTF="$(
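Review bot: The revert removes the `iptables --wait -t nat -D IPSECNAT … -j SNAT --to $src` deletion in the `down-client:iptables` branch together with the matching `-A` in `up-client:iptables`, so on a firewall upgraded while tunnels brought up by the previous _updown are still established, the SNAT entries those tunnels added to IPSECNAT have nothing left to remove them at tunnel-down; unless the IPSECNAT chain is flushed on update or on ipsec restart (not visible here), the core update script should flush it once. The new patch file has no header explaining what it reverts or why, which makes it hard to tell later whether the SNAT-for-gateway behaviour was dropped deliberately or relocated; I would prepend a short description above the first `---` line, e.g. `Revert the IPSECNAT SNAT rules and /var/ipfire/vpn/config lookup that strongswan-ipfire.patch added to _updown.in`, plus where that functionality now lives, if anywhere. The old-side header `strongswan-5.7.2/src/_updown/_updown.in.bak` is ignored by `patch -p1` but is untidy and should name the real path. The inner `_updown.in` functions (`up-client:iptables`, `down-client:iptables`) extend beyond the quoted hunks.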