xtables-addons: Fix typo in lfs

Just some typos...

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Bump kernel version to ship a new PAE kernel

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core127: Ship updated kernel modules for xtables

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core127: Ship updated firewall functions library

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

firewall-lib.pl: Use get_geoip_locations from geoip-functions.pl

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

geoip-locations.pl: Add get_geoip_locations().

This function is used to get all available GeoIP locations.

The functions returns them as array, sorted in alphabetical order.

Reference #11959

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

clamav: Update to 0.101.1

For details see:
https://blog.clamav.net/2019/01/clamav-01011-patch-has-been-released.html

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core127: Ship updated tar

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

tar: Update to 1.31, including fix for bug #11958

For details see:

http://savannah.gnu.org/forum/forum.php?forum_id=9344

"- Fix heap-buffer-overrun with --one-top-level.
- Support for zstd compression.
- The -K option interacts properly with member names given in the command line.
- Fix CVE-2018-20482"

This patch was reverted because 'tar 1.31' crashed when installing PakFire packages
with the option '--no-overwrite-dir'.
See: https://bugzilla.ipfire.org/show_bug.cgi?id=11958

Included is now a patch from https://savannah.gnu.org/bugs/?55413, which seems to fix this issue.
The test cases given in https://savannah.gnu.org/bugs/?55413#comment1 ran without problems.

As always, please check and confirm.

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core127: Ship updated GeoIP functions

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

geoip-functions.pl: Re-write code to lookup the iso country code of a given IP-address.

Drop the usage of the old legacy GeoIP perl module which was not able to handle the
new GeoLite2 databases.

Write some code to directly access the databases and extract the required data.

Usage of the GeoIP2 perl module would provide a lot of more functionality which is not
used/needed. Unfortunately ir requires at lot of additional perl modules which are
not available on IPFire and would only be build and shipped for this module. Buildig all
of them will slow down the entire build process, mess up the system and requires a lot
more space on disk.

Fixes #11962.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

GeoIP: Drop legacy GeoIP perl module.

The legacy GeoIP perl module cannot handle the new GeoLite2 databases
provided from maxmind and therefore needs to be dropped.

Reference #11960

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

xt_geoip_update: Adjust script to download and use the GeoLite2 database

Fixes #11961.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

xtables-addons: Use shipped xt_geoip_build

Use the shipped xt_geoip_build directly instead of holding a copy in our GIT.

Reference #11959

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

xtables-addons: Update to 3.2

Reference #11959

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

perl-Net-CIDR-Lite: Make rootfile work on other arches

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

perl-Net-CIDR-Lite: Fix whitespace

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

perl-Net-CIDR-Lite: New package.

This is a runtime dependency of the xt_geoip_build perl script
shipped by xtables-addons in version 3.2.

Reference #11960.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

IPVS: Enable connection tracking by default

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ids-functions.pl: Downloader should reads settings from correct file

In commit ea5c8eeb83a65791960d6cb5de6c7dc78db02fda the taken settings
for the ruleset have been stored into an own file.

The Downloader now uses this file to read-in which ruleset should be used
and downloaded.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

Backup conntrackd's configuration file

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Add initscript for conntrackd

The daemon will be started by default when a configuration
file exists.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Update translations

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Fix typo in 'html/cgi-bin/logs.cgi/log.dat'

Translation string uses capital letter: 'Captive' => 'Captive Portal',

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core127: Ship updated proxy.cgi and regenerate configuration

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

proxy: Allow selecting throttled bandwidth in MBit/s

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

proxy: Suggest modern defaults for cache memory and disk

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

proxy: Drop support for throttling only certain mime types

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

proxy: Drop web browser check

This is neither reliable nor up to date and is therefore removed

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

proxy: Set authentication TTL for NTLM authentication also

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

proxy: Use correct authentication cache TTL for AD

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

proxy: Use entered setting for auth children for AD

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

proxy: Use correct realm for AD authentication

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

proxy: Remove AUTH_IPCACHE_TTL

This is potentially dangerous to set larger than zero.

Authentication is perfomed on basis of IP addresses which is
not a good idea at all.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

proxy: Drop NTLM authentication

This is the authentication againt NT 4.0 style domain controllers.

squid has dropped support for this in the 4.5 release and nobody
should be using these old domain controllers any more.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

squid: Run as many redirectors as we have CPU cores

This makes sure that we use the optimal ratio of memory and
CPU usage.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Tested-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Tested-by: Matthias Fischer <matthias.fischer@ipfire.org>

BUG 11786 - squid: Remove setting for filter processes the number of Squid processes

I added a function to determine the number of cores.
Now the number of squid processes will be equal to the number of logical cores.
Further I removed the possibility of changing the number
of squid processes in the proxy.cgi

Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: root <root@ipfire.test>

Revert "core127: Ship updated tar"

This reverts commit 9ab1c9302c01f11010d0cb87a66366361465461e.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Revert "tar: Update to 1.31"

This reverts commit bb473fd1d6e97785dee70ceb75f9b898f92fc507.

tar crashes when used with --no-overwrite-dir. See #11958.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core127: Ship updated snort

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

snort: Update to 2.9.12

For details see:

Release notes:
https://snort.org/downloads/snort/release_notes_2.9.12.txt

Changelog:
https://snort.org/downloads/snort/changelog_2.9.12.txt

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core127: ship framebuffer.conf blacklist

the file is generated at kernel build and in core126
the module commpression was changed to xz so the list was empty.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core127: remove double files from armv5tel filelist

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

python: update to 2.7.15

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

transmission: update to 2.94

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core127: Ship updated tar

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

tar: Update to 1.31

For details see:
http://savannah.gnu.org/forum/forum.php?forum_id=9344

"- Fix heap-buffer-overrun with --one-top-level.
- Support for zstd compression.
- The -K option interacts properly with member names given in the command line.
- Fix CVE-2018-20482"

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Update translations

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

fix SSH port description in WebUI again

Fixes #11881.

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

libvirt: The package no longer depends on jansson

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Update of French translation

This improves the translation and enhances consistency in
many places.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Update translations

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

dnsforward.cgi: fix for language string

Hi,

In https://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=1a26564e95b5694337e51860544e7775d35055f3
the language string 'dnsforward forward_server' => 'DNS-Server', was deleted and replaced
by 'dnsforward forward_servers' => 'DNS-Server',

IMHO this leads to an empty string in 'dnsforward.cgi', line 223:

...
<td width='20%' class='base'>$Lang::tr{'dnsforward forward_server'}:&nbsp;<img src='/blob.gif' alt='*' /></td>
...

I changed this line...

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

attr 2.4.47: Update for rootfile

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core127: Ship updated VPN CGI files

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

database_attribute: Deliver/create index.txt.attr

Fixes #11904

Since OpenSSL-1.1.0x the database attribute file for IPSec and OpenVPN wasn´t created while initial PKI generation.
OpenVPN delivered an error message but IPSec did crashed within the first attempt.
This problem persists also after X509 deletion and new generation.

index.txt.attr will now be delivered by the system but also deleted and recreated while setting up a new x509.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

mc: Update to 4.8.22

For details see:
http://midnight-commander.org/wiki/NEWS-4.8.22

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

libvirt: Bump package version

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

squid: Update to 4.5

For details see:
http://www.squid-cache.org/Versions/v4/changesets/

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core127: Ship updated wget

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wget: Update to 1.20.1

This is a bugfix release:

"due to some privacy issues in default settings of Wget, we introduce
this bugfix release.

The --xattr option (saving original URL and Referer into extended file
attributes) was introduced and enabled by default since Wget 1.19.
It possibly saved - possibly unrecognized by the user - credentials,
access tokes etc that were included in the requested URL.

We changed three details as a countermeasure, see below in the NEWS section.

With Best Regards, Tim

...

NEWS

* Changes in Wget 1.20.1

** --xattr is no longer default since it introduces privacy issues.

** --xattr saves the Referer as scheme/host/port,
user/pw/path/query/fragment
   are no longer saved to prevent privacy issues.

   ** --xattr saves the Original URL without user/password to prevent
      privacy issues."

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

kernel: fix generation of framebuffer blacklist

modules are now xz compressed.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

mpd: add soxr dependency

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next-suricata

Ship update-ids-ruleset script also on x86_64 and aarch64

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

ids-functions.pl: Downloader now also uses upstream proxy for HTTPS

Fixes #11953

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

ids-functions.pl: Add function to get the version of suricata

The get_suricata_version() function is used to get the version
of the on the system installed version of suricata. You can
specify the how detailed the returned result should be "major" will
return only the major version, were "minor" will provide the major
and minor version (1.2 for example). All other calls will be answered
with the full version string (1.2.3).

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

ids-functions.pl: Fix typo

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

ids-functions.pl: Introduce function write_modify_sids_file()

This function is used to write the corresponding file which
tells oinkmaster to alter the whole ruleset and finally
switches suricata into an IPS or IDS.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

ids.cgi: Move variable declaration to ids-functions.pl

Also move some functions from the cgi file to the library file.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

ids.cgi: Hack to use the correct language string for red network zone.

This hack is needed because "red" is used as "internet" in the language files
and "red1" contains the correct "red" translations.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

ids.cgi: Colourize network zones

Colourize the network with the proper colour.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

ids.cgi: Change RUN_MODE to MONITOR_TRAFFIC_ONLY

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

ids.cgi: Seperate IPS and ruleset settings

Now each of both have their own corresponding configuration areas.
The taken settings will be saved in "/var/ipfire/suricata/settings" for
all IDS/IPS related settings and in "/var/ipfire/suricata/rules-settings" for
ruleset related settings.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

langs/en.pl: Fix typo

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

u-boot: fix x86 builds

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

ids.cgi: Prevent from starting suricata without ruleset or selected network zone

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

ids.cgi: Access ruleset by its own name

This improves accessing the single rules of a rule category.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

keepalived: Fix incorrect path in initscript

This path to keepalived was just incorrect and therefore
the daemon could not easily be reloaded.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

u-boot: fix typo in boot.scr

fix serial console output on RPi3 B+ at aarch64

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core127: Ship DNS forwarding settings

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound: Use correct parameter for IP addresses and hostnames

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

DNS Forwarding: Let UI accept hostnames, too

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

DNS Forwarding: Allow passing multiple name servers (separated by comma)

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound: Allow forwarding to multiple servers at the same time

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ipvsadm: Update to 1.29

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

pcre: Enable JIT

This is now possible because we no longer run grsecurity-enabled
kernels. The performance of PCRE increases dramatically and applications
like the IDS benefit hugely:

  https://blog.inliniac.net/2011/10/12/suricata-and-pcre-performance/

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Update libvirt to version 4.10

This partially fixes #11941 as libvirt now states clearly that seccomp
needs to be disabled

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core127: Ship updated squid

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

squid: Update to 4.4 (stable)

For details see:
http://www.squid-cache.org/Versions/v4/changesets/

In July 2018, 'squid 4' was "released for production use", see:
https://wiki.squid-cache.org/Squid-4

"The features have been set and large code changes are reserved for later versions."

I've tested almost all 4.x-versions and patch series before with good results.
Right now, 4.4 is running here with no seen problems together with
'squidclamav', 'squidguard' and 'privoxy'.

I too would declare this version stable.

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound: Add TFO support for unbound

For further informations, see https://tools.ietf.org/html/rfc7413

Signed-off-by: erik.kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

bind: Update to 9.11.5-P1

For details see:
http://ftp.isc.org/isc/bind9/9.11.5-P1/RELEASE-NOTES-bind-9.11.5-P1.html

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

sqlite: Update to 3.26.0

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ids.cgi: Allways use the whitelist

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

ids-functions.pl: Use temporary file in downloader.

Download the requested rules tarball into a temporay file
and if every thing is fine, replace the old by the
downloaded one.

In addition with the previously implemented file size check,
we are saved now from a corrupt rules tarball on disk.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

ids-functions.pl: Introduce filesize check for downloader

The downloader now requests the html header for the rulestarball
and obtain the size of the file bevore downloading it.

After success the size of the downloaded file will be compared with
the requested one before. If they do not match, an error will be gained.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

ids-functions.pl: Fix sub _cleanup_rulesdir() function

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

suricata: Use "2" as repeat-mark and repeat-mask.

The previous used "1" was already used to mark source-natted
packets.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

suricata: Update to 4.0.6

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

Revert "make.sh: Build in ramdisk"

This reverts commit 6174b7b1c72cd5141e04ac2621eef90d86987a91.

This had absolutely no effect on build time or rather made it
slower. So this is being reverted to save ourselves the RAM.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>