ipfire-2.x.git
2 days agoRevert "dhcpcd: Update to 8.0.2" core137 master next
Arne Fitzenreiter [Tue, 15 Oct 2019 07:50:12 +0000 (07:50 +0000)] 
Revert "dhcpcd: Update to 8.0.2"

This reverts commit 0184e5806da57226bbe24dbcbf11b093299cb9f4.

2 days agoRevert "dhcpcd: Update to 8.0.3"
Arne Fitzenreiter [Tue, 15 Oct 2019 07:49:31 +0000 (07:49 +0000)] 
Revert "dhcpcd: Update to 8.0.3"

This reverts commit 8a001e556c02af3f34eacead4e8a44f482a67509.

2 days agoRevert "dhcpcd: Update to 8.0.6"
Arne Fitzenreiter [Tue, 15 Oct 2019 07:48:56 +0000 (07:48 +0000)] 
Revert "dhcpcd: Update to 8.0.6"

This reverts commit a4bb11243f0d43b7e95ec0195879aa0dd6a94b9e.

2 days agoRevert "dhcpcd: Update to 8.1.0"
Arne Fitzenreiter [Tue, 15 Oct 2019 07:48:12 +0000 (07:48 +0000)] 
Revert "dhcpcd: Update to 8.1.0"

This reverts commit 4863f2096cde6fd93618d1f774c6d16499ee3f63.

2 days agoRevert "bash: update to 5.0"
Arne Fitzenreiter [Tue, 15 Oct 2019 07:38:21 +0000 (07:38 +0000)] 
Revert "bash: update to 5.0"

This reverts commit 700f11b305e941bb42b0a0b4e451af962b1bc23d.

2 days agoRevert "readline: update to 8.0"
Arne Fitzenreiter [Tue, 15 Oct 2019 07:37:54 +0000 (07:37 +0000)] 
Revert "readline: update to 8.0"

This reverts commit 6e8e8ee41cfcec7338a5674c21c0e8aa62a59a04.

2 days agoRevert "update rootfiles for bash and readline"
Arne Fitzenreiter [Tue, 15 Oct 2019 07:37:23 +0000 (07:37 +0000)] 
Revert "update rootfiles for bash and readline"

This reverts commit f41d936026b576ef7207754fa1d667d983fded06.

2 days agoRevert "bash: add patches 001 - 011 for 5.0 version"
Arne Fitzenreiter [Tue, 15 Oct 2019 07:36:47 +0000 (07:36 +0000)] 
Revert "bash: add patches 001 - 011 for 5.0 version"

This reverts commit 2c0ee2b9624c4c7c3b3ce7b1deadae9df6ca9a32.

2 days agoRevert "readline: add patch 001 for version 8.0"
Arne Fitzenreiter [Tue, 15 Oct 2019 07:36:00 +0000 (07:36 +0000)] 
Revert "readline: add patch 001 for version 8.0"

This reverts commit c5f0c44451737c543021e4ba958404a019ed7562.

2 days agoRevert "bash/readline: drop orphaned patches"
Arne Fitzenreiter [Tue, 15 Oct 2019 07:35:22 +0000 (07:35 +0000)] 
Revert "bash/readline: drop orphaned patches"

This reverts commit 95f1c332d8c63896b540c3a07335236ef08cee01.

2 days agoRevert "ship updated bash and readline"
Arne Fitzenreiter [Tue, 15 Oct 2019 07:31:56 +0000 (07:31 +0000)] 
Revert "ship updated bash and readline"

there are missing files libs/bash/* in the rootfiles and there
are addons linked against readline-6.3 so we still need this
as readline-compat

This reverts commit 5c0345f5c1c247c8fc33c9447221caa134f27d86.

3 days agovpnmain.cgi+ovpnmain.cgi: Fix file upload with new versions of Perl
Michael Tremer [Mon, 14 Oct 2019 17:11:37 +0000 (19:11 +0200)] 
vpnmain.cgi+ovpnmain.cgi: Fix file upload with new versions of Perl

File uploads did not work since Perl was upgraded. This patch
fixes that problem by only checking if an object was returned
instead of performing a string comparison.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 days agocore137: add qos changes to updater
Arne Fitzenreiter [Mon, 14 Oct 2019 18:09:39 +0000 (18:09 +0000)] 
core137: add qos changes to updater

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 days agoQoS: Increase queue size and quantum for fq_codel
Michael Tremer [Mon, 14 Oct 2019 16:46:27 +0000 (16:46 +0000)] 
QoS: Increase queue size and quantum for fq_codel

This optimises the QoS to process more bandwidth.

The limit variable sets the maximum number of packets in the
queue which was regularly exceeded on fast connections with
the old setting. This now allows up to 10G of data transfer
and is set to the default of fq_codel.

Quantum sets how many bytes can be read from the queue per
iteration. This is now set to the default again, which is
the size of an Ethernet frame including its header.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 days agoQoS: No longer set TOS bits for ACK packets
Michael Tremer [Mon, 14 Oct 2019 16:46:26 +0000 (16:46 +0000)] 
QoS: No longer set TOS bits for ACK packets

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 days agoQoS: Drop support for setting TOS bits per class
Michael Tremer [Mon, 14 Oct 2019 16:46:25 +0000 (16:46 +0000)] 
QoS: Drop support for setting TOS bits per class

This is useless since no ISP will evaluate those settings
any more and it has a rather large impact on throughput.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 days agoQoS: Drop support for subclasses
Michael Tremer [Mon, 14 Oct 2019 16:46:24 +0000 (16:46 +0000)] 
QoS: Drop support for subclasses

This feature was never properly implemented and the UI was dead

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 days agoQoS: Drop tc filter rules to move marked packets into the correct class
Michael Tremer [Mon, 14 Oct 2019 16:46:23 +0000 (16:46 +0000)] 
QoS: Drop tc filter rules to move marked packets into the correct class

This is no longer necessary since we are now using CLASSIFY

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 days agoQoS: Use CLASSIFY iptables target instead of MARK
Michael Tremer [Mon, 14 Oct 2019 16:46:22 +0000 (16:46 +0000)] 
QoS: Use CLASSIFY iptables target instead of MARK

We have been running into loads of conflicts by using MARK for
various components on the OS (suricata, IPsec, QoS, ...) which
was sometimes hard to resolve.

iptables comes with a target which directly sorts packets into
the correct class which results in less code and not using the
mark.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 days agoQoS: Move packet classification to FORWARD chain for ingress
Michael Tremer [Mon, 14 Oct 2019 16:46:21 +0000 (16:46 +0000)] 
QoS: Move packet classification to FORWARD chain for ingress

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 days agoQoS: Suppress an error message when cleaning up from previous runs
Michael Tremer [Mon, 14 Oct 2019 16:46:20 +0000 (16:46 +0000)] 
QoS: Suppress an error message when cleaning up from previous runs

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 days agolinux+iptables: Drop support for IMQ
Michael Tremer [Mon, 14 Oct 2019 16:46:19 +0000 (16:46 +0000)] 
linux+iptables: Drop support for IMQ

This is no longer needed since we are using IFB now

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 days agoQoS: Start qosd immediately
Michael Tremer [Mon, 14 Oct 2019 16:46:17 +0000 (16:46 +0000)] 
QoS: Start qosd immediately

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 days agoQoS: Do not delete egress qdisc after classes have been created
Michael Tremer [Mon, 14 Oct 2019 16:46:18 +0000 (16:46 +0000)] 
QoS: Do not delete egress qdisc after classes have been created

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 days agoQoS: Silence RRD tool warnings
Michael Tremer [Mon, 14 Oct 2019 16:46:16 +0000 (16:46 +0000)] 
QoS: Silence RRD tool warnings

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 days agoQoS: Process incoming packets in PREROUTING only
Michael Tremer [Mon, 14 Oct 2019 16:46:15 +0000 (16:46 +0000)] 
QoS: Process incoming packets in PREROUTING only

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 days agoQoS: Tidy up qdiscs after QoS is being stopped
Michael Tremer [Mon, 14 Oct 2019 16:46:14 +0000 (16:46 +0000)] 
QoS: Tidy up qdiscs after QoS is being stopped

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 days agoRevert "Make IMQ Switchable between PREROUTING and POSTROUTING"
Michael Tremer [Mon, 14 Oct 2019 16:46:13 +0000 (16:46 +0000)] 
Revert "Make IMQ Switchable between PREROUTING and POSTROUTING"

This reverts commit 88b8ffac6b258e7b7687eb26111134bf435e23ca.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 days agoQoS: Use Intermediate Functional Block
Michael Tremer [Mon, 14 Oct 2019 16:46:12 +0000 (16:46 +0000)] 
QoS: Use Intermediate Functional Block

This is an alternative implementation to the Intermediate Queuing
Device (IMQ) which is an out-of-tree kernel patch and has been
criticised for being slow, especially with mutliple processors.

IFB is part of the mainline kernel and a lot less code.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 days agoQoS: Do not manually load iptables modules
Michael Tremer [Mon, 14 Oct 2019 16:46:11 +0000 (16:46 +0000)] 
QoS: Do not manually load iptables modules

This should not be necessary and causes the script to
wait for two seconds.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 days agocore137: add updated sysctl.conf
Arne Fitzenreiter [Mon, 14 Oct 2019 17:57:58 +0000 (17:57 +0000)] 
core137: add updated sysctl.conf

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 days agosysctl: Adopt more settings from the IBM HPC guidelines
Michael Tremer [Mon, 14 Oct 2019 16:44:54 +0000 (16:44 +0000)] 
sysctl: Adopt more settings from the IBM HPC guidelines

https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Welcome%20to%20High%20Performance%20Computing%20%28HPC%29%20Central/page/Linux%20System%20Tuning%20Recommendations

Since we have already configured most of our IP/TCP stack
for low latency and fast throughput, these settings complete
those efforts.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 days agocore137: add updated 99-geoip-database
Arne Fitzenreiter [Mon, 14 Oct 2019 17:49:32 +0000 (17:49 +0000)] 
core137: add updated 99-geoip-database

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 days ago99-geoip-database: Fix download
Michael Tremer [Mon, 14 Oct 2019 16:43:58 +0000 (16:43 +0000)] 
99-geoip-database: Fix download

This script started a fresh download every time it was called,
which is unnecessary.

The check to skip the download did not work because it was
looking for the old data format.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 days agocore137: add updated xt_geoip_update
Arne Fitzenreiter [Mon, 14 Oct 2019 17:46:27 +0000 (17:46 +0000)] 
core137: add updated xt_geoip_update

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 days agoxt_geoip_update: Always call the cleanup function when some step fails
Daniel Weismüller [Mon, 14 Oct 2019 14:47:56 +0000 (16:47 +0200)] 
xt_geoip_update: Always call the cleanup function when some step fails

Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 days agoxt_geoip_update: Do not create temporary directories again
Daniel Weismüller [Mon, 14 Oct 2019 14:47:55 +0000 (16:47 +0200)] 
xt_geoip_update: Do not create temporary directories again

These already exist

Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 days agoxt_geoip_update: Use /var/tmp for temporary data
Daniel Weismüller [Mon, 14 Oct 2019 14:47:54 +0000 (16:47 +0200)] 
xt_geoip_update: Use /var/tmp for temporary data

Since we have some systems that are restricted to only 2GB of
space on /, we need to move this to where we have enough space.

Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 days agoxt_geoip_update: Perform cleanup after successful operation
Daniel Weismüller [Mon, 14 Oct 2019 14:47:53 +0000 (16:47 +0200)] 
xt_geoip_update: Perform cleanup after successful operation

The temporary files were never being cleaned up after the script
has finished compiling the database.

Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 days agocore137: add dns.cgi to update
Arne Fitzenreiter [Mon, 14 Oct 2019 17:42:35 +0000 (17:42 +0000)] 
core137: add dns.cgi to update

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 days agofix link to public DNS server list in dns.cgi
peter.mueller@ipfire.org [Sun, 13 Oct 2019 11:13:00 +0000 (11:13 +0000)] 
fix link to public DNS server list in dns.cgi

Fixes: #11851

Reported-by: Dani W <assgex@gmail.com>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 days agofix typo in hostapd initscript
peter.mueller@ipfire.org [Sun, 13 Oct 2019 11:09:00 +0000 (11:09 +0000)] 
fix typo in hostapd initscript

Fixes: #11237

Reported-by: Tom Rymes <tomvend@rymes.com>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 days agorust: fix year in LFS file
peter.mueller@ipfire.org [Sun, 13 Oct 2019 09:39:00 +0000 (09:39 +0000)] 
rust: fix year in LFS file

Tempus fugit, I know... :-)

Cc: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 days agocore137: add updated ruleset-sources
Arne Fitzenreiter [Mon, 14 Oct 2019 17:36:36 +0000 (17:36 +0000)] 
core137: add updated ruleset-sources

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 days agoruleset-sources: Update snort dl urls.
Stefan Schantl [Fri, 11 Oct 2019 18:44:00 +0000 (20:44 +0200)] 
ruleset-sources: Update snort dl urls.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 days agocore137: add updated backup.pl
Arne Fitzenreiter [Mon, 14 Oct 2019 17:30:37 +0000 (17:30 +0000)] 
core137: add updated backup.pl

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 days agoRestart logging after restoring backup
Tim FitzGeorge [Fri, 11 Oct 2019 18:42:05 +0000 (19:42 +0100)] 
Restart logging after restoring backup

Send SIGHUP to syslogd and suricata after restoring backup.  This ensures that
if the restored backup includes log files that any new log messages get
appended to the restored log files.  Otherwise they will be written to the
old log files which are pending deletion.

httpd is told to restart using apachectl, which is the equivalent of sending
a signal. 'graceful' (USR1) is used rather than 'restart' (HUP) because the
latter immediately kills the process restoring the backup, preventing
converters from running.

Fixes: 12196
Signed-off-by: Tim FitzGeorge <ipfr@tfitzgeorge.me.uk>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 days agocore137: add ipset to update
Arne Fitzenreiter [Mon, 14 Oct 2019 17:22:44 +0000 (17:22 +0000)] 
core137: add ipset to update

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 days agoipset: Update to version 7.3
Erik Kapfer [Thu, 10 Oct 2019 16:30:48 +0000 (18:30 +0200)] 
ipset: Update to version 7.3

Some kernel part fixes are included. For a overview of the changelog,
take a look in here --> http://ipset.netfilter.org/changelog.html .

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 days agoship updated bash and readline
peter.mueller@ipfire.org [Mon, 7 Oct 2019 18:19:00 +0000 (18:19 +0000)] 
ship updated bash and readline

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 days agobash/readline: drop orphaned patches
peter.mueller@ipfire.org [Mon, 7 Oct 2019 18:19:00 +0000 (18:19 +0000)] 
bash/readline: drop orphaned patches

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 days agoreadline: add patch 001 for version 8.0
peter.mueller@ipfire.org [Mon, 7 Oct 2019 18:18:00 +0000 (18:18 +0000)] 
readline: add patch 001 for version 8.0

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 days agobash: add patches 001 - 011 for 5.0 version
peter.mueller@ipfire.org [Mon, 7 Oct 2019 18:18:00 +0000 (18:18 +0000)] 
bash: add patches 001 - 011 for 5.0 version

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 days agoupdate rootfiles for bash and readline
peter.mueller@ipfire.org [Mon, 7 Oct 2019 18:17:00 +0000 (18:17 +0000)] 
update rootfiles for bash and readline

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 days agoreadline: update to 8.0
peter.mueller@ipfire.org [Mon, 7 Oct 2019 18:16:00 +0000 (18:16 +0000)] 
readline: update to 8.0

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 days agobash: update to 5.0
peter.mueller@ipfire.org [Mon, 7 Oct 2019 18:15:00 +0000 (18:15 +0000)] 
bash: update to 5.0

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
5 days agodhcpcd: Update to 8.1.0
Matthias Fischer [Sat, 12 Oct 2019 23:05:57 +0000 (01:05 +0200)] 
dhcpcd: Update to 8.1.0

For details see:
https://roy.marples.name/blog/dhcpcd-8-1-0-released

"DragonFlyBSD: Improved rc.d handling
Fix carrier status after a route socket overflow
Allow domain spaced options
DHCP: Allow not sending Force Renew Nonce or Reconf Accept
IPv4LL: Now passes Apple Bonjour test versions 1.4 and 1.5
ARP: Fix a typo and remove pragma (thus working with old gcc)
DHCP6: Fix a cosmetic issue with infinite leases
DHCP6: SLA 0 and Prefix Len 0 will now add a delegated /64 address
Ignore some virtual interfaces such as Tap and Bridge by default
BPF: Move validation logic out of BPF and back into dhcpcd"

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
5 days agocore137: close update
Arne Fitzenreiter [Sat, 12 Oct 2019 15:57:59 +0000 (15:57 +0000)] 
core137: close update

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
5 days agocore137: restart updated services
Arne Fitzenreiter [Sat, 12 Oct 2019 15:56:40 +0000 (15:56 +0000)] 
core137: restart updated services

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
5 days agokernel: update to 4.14.149
Arne Fitzenreiter [Sat, 12 Oct 2019 11:12:03 +0000 (13:12 +0200)] 
kernel: update to 4.14.149

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
8 days agorust: update armv5tel rootfile
Arne Fitzenreiter [Wed, 9 Oct 2019 18:23:05 +0000 (20:23 +0200)] 
rust: update armv5tel rootfile

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
8 days agorust: add i586 and aarch64 rootfile
Arne Fitzenreiter [Wed, 9 Oct 2019 16:11:32 +0000 (18:11 +0200)] 
rust: add i586 and aarch64 rootfile

todo: armv5tel is still missing...

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
8 days agosane: add special aarch64 rootfile
Arne Fitzenreiter [Wed, 9 Oct 2019 16:10:23 +0000 (18:10 +0200)] 
sane: add special aarch64 rootfile

libsane-qcam is not available for aarch64 so we need an extra rootfile

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
8 days agosane: rootfile update
Arne Fitzenreiter [Wed, 9 Oct 2019 16:06:54 +0000 (18:06 +0200)] 
sane: rootfile update

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
8 days agotshark: rootfile update
Arne Fitzenreiter [Wed, 9 Oct 2019 16:05:50 +0000 (18:05 +0200)] 
tshark: rootfile update

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
8 days agospeedtest-cli: add rootfile
Arne Fitzenreiter [Wed, 9 Oct 2019 16:04:30 +0000 (18:04 +0200)] 
speedtest-cli: add rootfile

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
8 days agosane/stage2: remove sanedloop
Arne Fitzenreiter [Wed, 9 Oct 2019 06:37:23 +0000 (08:37 +0200)] 
sane/stage2: remove sanedloop

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
9 days agorust: fix typo
Arne Fitzenreiter [Tue, 8 Oct 2019 19:49:01 +0000 (19:49 +0000)] 
rust: fix typo

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
9 days agorust: fix md5 sums for i586 and arm
Arne Fitzenreiter [Tue, 8 Oct 2019 19:44:54 +0000 (19:44 +0000)] 
rust: fix md5 sums for i586 and arm

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
9 days agosuricata: Enable rust support
Stefan Schantl [Mon, 7 Oct 2019 18:44:05 +0000 (20:44 +0200)] 
suricata: Enable rust support

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
9 days agorust: New package.
Stefan Schantl [Mon, 7 Oct 2019 18:44:04 +0000 (20:44 +0200)] 
rust: New package.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
9 days agoncat: Update to version 7.80
Erik Kapfer [Sun, 6 Oct 2019 07:23:19 +0000 (09:23 +0200)] 
ncat: Update to version 7.80

Several improvements has been added. This update is part of the nmap-7.80 update.
For the complete changelog take a look in here --> https://seclists.org/nmap-announce/2019/0 .

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
9 days agonmap: Update to version 7.80
Erik Kapfer [Sun, 6 Oct 2019 07:16:57 +0000 (09:16 +0200)] 
nmap: Update to version 7.80

Several improvements, NSE scripts and libraries has been added.
The complete changelog can be found in here --> https://seclists.org/nmap-announce/2019/0 .

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
9 days agocore137: ship libpcap
Arne Fitzenreiter [Tue, 8 Oct 2019 19:05:50 +0000 (19:05 +0000)] 
core137: ship libpcap

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
9 days agolibpcap: Update to 1.9.1
Matthias Fischer [Sat, 5 Oct 2019 07:37:15 +0000 (09:37 +0200)] 
libpcap: Update to 1.9.1

For details see:
https://www.tcpdump.org/libpcap-changes.txt

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
9 days agocore137: ship unbound
Arne Fitzenreiter [Tue, 8 Oct 2019 19:03:50 +0000 (19:03 +0000)] 
core137: ship unbound

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
9 days agounbound: Update to 1.9.4
Matthias Fischer [Sat, 5 Oct 2019 07:09:29 +0000 (09:09 +0200)] 
unbound: Update to 1.9.4

For details see:
https://nlnetlabs.nl/pipermail/unbound-users/2019-October/011832.html

"This release is a fix for vulnerability CVE-2019-16866 that causes a
failure when a specially crafted query is received."

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
9 days agotcpdump: Update to 4.9.3
Matthias Fischer [Sat, 5 Oct 2019 07:05:25 +0000 (09:05 +0200)] 
tcpdump: Update to 4.9.3

For details see:
https://www.tcpdump.org/tcpdump-changes.txt

"Fix buffer overflow/overread vulnerabilities:
      CVE-2017-16808 (AoE)
      CVE-2018-14468 (FrameRelay)
      CVE-2018-14469 (IKEv1)
      CVE-2018-14470 (BABEL)
      CVE-2018-14466 (AFS/RX)
      CVE-2018-14461 (LDP)
      CVE-2018-14462 (ICMP)
      CVE-2018-14465 (RSVP)
      CVE-2018-14881 (BGP)
      CVE-2018-14464 (LMP)
      CVE-2018-14463 (VRRP)
      CVE-2018-14467 (BGP)
      CVE-2018-10103 (SMB - partially fixed, but SMB printing disabled)
      CVE-2018-10105 (SMB - too unreliably reproduced, SMB printing disabled)
      CVE-2018-14880 (OSPF6)
      CVE-2018-16451 (SMB)
      CVE-2018-14882 (RPL)
      CVE-2018-16227 (802.11)
      CVE-2018-16229 (DCCP)
      CVE-2018-16301 (was fixed in libpcap)
      CVE-2018-16230 (BGP)
      CVE-2018-16452 (SMB)
      CVE-2018-16300 (BGP)
      CVE-2018-16228 (HNCP)
      CVE-2019-15166 (LMP)
      CVE-2019-15167 (VRRP)
    Fix for cmdline argument/local issues:
      CVE-2018-14879 (tcpdump -V)"

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
9 days agoclamav: Update to 0.102.0
Matthias Fischer [Sat, 5 Oct 2019 06:59:04 +0000 (08:59 +0200)] 
clamav: Update to 0.102.0

For details see:
https://blog.clamav.net/2019/10/clamav-01020-has-been-released.html

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
9 days agonano: Update to 4.5
Matthias Fischer [Sat, 5 Oct 2019 06:51:15 +0000 (08:51 +0200)] 
nano: Update to 4.5

For details see:
https://www.nano-editor.org/news.php

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
9 days agotshark: Update to version 3.0.5
Erik Kapfer [Fri, 4 Oct 2019 17:26:26 +0000 (19:26 +0200)] 
tshark: Update to version 3.0.5

The jump from 3.0.2 to 3.0.5 includes several bugfixes, updated protocols and new and updated capture support.
The complete release notes can be found in here --> https://www.wireshark.org/docs/relnotes/ .

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
9 days agocore137: ship strongwan and vpnmain.cgi
Arne Fitzenreiter [Tue, 8 Oct 2019 18:56:47 +0000 (18:56 +0000)] 
core137: ship strongwan and vpnmain.cgi

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
9 days agoIPsec: Add support for Curve448
Michael Tremer [Wed, 2 Oct 2019 10:31:54 +0000 (10:31 +0000)] 
IPsec: Add support for Curve448

This is supported since strongswan 5.7.2 and is a good alternative
to Curve25519 because Curve448 is almost equally secure but performs
faster.

  https://en.wikipedia.org/wiki/Curve448

This is enabled by default although we do not expect many other
implementations to be able to support this.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
9 days agostrongswan: Update 5.8.1
Michael Tremer [Wed, 2 Oct 2019 10:31:53 +0000 (10:31 +0000)] 
strongswan: Update 5.8.1

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
9 days agospeedtest-cli: New package
Michael Tremer [Wed, 2 Oct 2019 08:53:50 +0000 (08:53 +0000)] 
speedtest-cli: New package

This is a CLI implementation to test the speed of an internet
connection.

I find this quite useful when there is no access to a client
computer on the network and this will give you a rough idea
about the connection speed.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
9 days agoWIO:Add fr language
Stephan Feddersen [Tue, 1 Oct 2019 20:07:39 +0000 (22:07 +0200)] 
WIO:Add fr language

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
9 days agoWIO: Add french translation file
Stephan Feddersen [Tue, 1 Oct 2019 20:01:40 +0000 (22:01 +0200)] 
WIO: Add french translation file

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
9 days agocore137: ship updated unbound initskript
Arne Fitzenreiter [Tue, 8 Oct 2019 18:50:04 +0000 (18:50 +0000)] 
core137: ship updated unbound initskript

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
9 days agofirewall: always allow outgoing DNS traffic to root servers
peter.mueller@ipfire.org [Tue, 1 Oct 2019 15:22:00 +0000 (15:22 +0000)] 
firewall: always allow outgoing DNS traffic to root servers

Allowing outgoing DNS traffic (destination port 53, both TCP
and UDP) to the root servers is BCP for some reasons. First,
RFC 5011 assumes resolvers are able to fetch new trust ancors
from the root servers for a certain time period in order to
do key rollovers.

Second, Unbound shows some side effects if it cannot do trust
anchor signaling (see RFC 8145) or fetch the current trust anchor,
resulting in SERVFAILs for arbitrary requests a few minutes.

There is little security implication of allowing DNS traffic
to the root servers: An attacker might abuse this for exfiltrating
data via DNS queries, but is unable to infiltrate data unless
he gains control over at least one root server instance. If
there is no firewall ruleset in place which prohibits any other
DNS traffic than to chosen DNS servers, this patch will not
have security implications at all.

The second version of this patch does not use unnecessary xargs-
call nor changes anything else not related to this issue.

Fixes #12183

Cc: Michael Tremer <michael.tremer@ipfire.org>
Suggested-by: Horace Michael <horace.michael@gmx.com>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
9 days agounbound: Add option to force using TCP for upstream servers
Michael Tremer [Tue, 1 Oct 2019 11:36:16 +0000 (12:36 +0100)] 
unbound: Add option to force using TCP for upstream servers

Some users have problems to reach DNS servers. This change adds an option
which allows to force using TCP for upstream name servers.

This is a good workaround for users behind a broken Fritz!Box in modem
mode which does not allow resolving any records of the root zone.

The name server tests in the script will also only use TCP.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
9 days agoshairport-sync: Update to 3.3.2
Michael Tremer [Sun, 29 Sep 2019 15:07:58 +0000 (15:07 +0000)] 
shairport-sync: Update to 3.3.2

This version now requires libdaemon and brings various improvements
for sound quality and stability.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
9 days agosane: Update to 1.0.28
Michael Tremer [Sun, 29 Sep 2019 14:50:31 +0000 (14:50 +0000)] 
sane: Update to 1.0.28

This patch updates the package and removes the sanedloop script
which was needed to launch saned, but that program can now run
in standalone mode.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
9 days agocore137: ship suricata
Arne Fitzenreiter [Tue, 8 Oct 2019 18:38:52 +0000 (18:38 +0000)] 
core137: ship suricata

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
9 days agosuricata: Update to 4.1.5
Matthias Fischer [Fri, 27 Sep 2019 16:08:49 +0000 (18:08 +0200)] 
suricata: Update to 4.1.5

Changelog:
"4.1.5 -- 2019-09-24

Feature #3068: protocol parser: vxlan (4.1.x)
Bug #2841: False positive alerts firing after upgrade suricata 3.0 -> 4.1.0 (4.1.x)
Bug #2966: filestore (v1 and v2): dropping of "unwanted" files (4.1.x)
Bug #3008: rust: updated libc crate causes depration warnings (4.1.x)
Bug #3044: tftp: missing logs because of broken tx handling (4.1.x)
Bug #3067: GeoIP keyword depends on now discontinued legacy GeoIP database (4.1.x)
Bug #3094: Fedora rawhide af-packet compilation err (4.1.x)
Bug #3123: bypass keyword: Suricata 4.1.x Segmentation Faults (4.1.x)
Bug #3129: Fixes warning about size of integers in string formats (4.1.x)
Bug #3159: SC_ERR_PCAP_DISPATCH with message "error code -2" upon rule reload completion (4.1.x)
Bug #3164: Suricata 4.1.4: NSS Shutdown triggers crashes in test mode
Bug #3168: tls: out of bounds read
Bug #3170: defrag: out of bounds read
Bug #3173: ipv4: ts field decoding oob read
Bug #3175: File_data inspection depth while inspecting base64 decoded data (4.1.x)
Bug #3184: decode/der: crafted input can lead to resource starvation
Bug #3186: Multiple Content-Length headers causes HTP_STREAM_ERROR (4.1.x)
Bug #3187: GET/POST HTTP-request with no Content-Length, http_client_body miss (4.1.x)"

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
9 days agoiproute2: Update to 5.3.0
Matthias Fischer [Thu, 26 Sep 2019 17:44:11 +0000 (19:44 +0200)] 
iproute2: Update to 5.3.0

For details see:
https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/log/?h=v5.3.0

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
9 days agocore137: ship knot
Arne Fitzenreiter [Tue, 8 Oct 2019 18:36:24 +0000 (18:36 +0000)] 
core137: ship knot

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
9 days agoknot: Update to 2.8.4
Matthias Fischer [Thu, 26 Sep 2019 17:40:31 +0000 (19:40 +0200)] 
knot: Update to 2.8.4

For details see:
https://www.knot-dns.cz/2019-09-24-version-284.html

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
9 days agomtr: update to 0.93
peter.mueller@ipfire.org [Wed, 25 Sep 2019 19:05:00 +0000 (19:05 +0000)] 
mtr: update to 0.93

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
9 days agoTor: update to 0.4.1.6
peter.mueller@ipfire.org [Wed, 25 Sep 2019 15:15:00 +0000 (15:15 +0000)] 
Tor: update to 0.4.1.6

Please refer to https://blog.torproject.org/new-release-tor-0416 for
release notes. This patch has to be applied after applying 9fb607ef6
(https://patchwork.ipfire.org/patch/2407/), which was not merged at
the time of writing.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
9 days agofirewall: raise log rate limit for user generated rules, too
peter.mueller@ipfire.org [Wed, 25 Sep 2019 15:06:00 +0000 (15:06 +0000)] 
firewall: raise log rate limit for user generated rules, too

Having raised the overall log rate limit to 10 packet per second
in Core Update 136, this did not affected rules generated by the
user. In order to stay consistent, this patch also raises log rate
limit for these.

In order to avoid side effects on firewalls with slow disks, it
was probably better touch these categories separately, so testing
users won't be DoSsed instantly. :-)

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>