! does not work here. So the solution here is:
https://unix.stackexchange.com/questions/60584/how-to-use-a-variable-as-part-of-an-array-name/60585#60585
This is borrowed from here: https://git.ipfire.org/?p=network.git;a=blob;f=src/functions/functions.colors;h=0bd6f97177c366f1d1ee4553043ae719430acdb2;hb=refs/heads/master
Adolf Belka [Mon, 8 Apr 2024 16:57:21 +0000 (18:57 +0200)]
configroot: Add in LOGDROPHOSTILExxx values
- I checked out doing a fresh install of CU184 and found that although the
LOGDROPHOSTILEIN and LOGDROPHOSTILEOUT entries were selected as "on" the values were not
in the /var/ipfire/optionsfw/settings file.
- After some investigfation I realised that when I created the LOGDROPHOSTILE split into
incoming and outgoing I had not added them into the configroot lfs file.
- This patch adds the two entries and this was tested out with a fresh install and
confirmed to update the settings file.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 8 Apr 2024 14:57:49 +0000 (14:57 +0000)]
suricata: Enable midstream scanning
We require this because Suricata might be restarted due to development
or rule refreshment purposes. We should then try to resume any
decoders/app-layers wherever possible.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Fri, 5 Apr 2024 19:26:40 +0000 (21:26 +0200)]
suricata: Set midstream-policy to pass-packet
Set this value to the same as the exception-policy to keep in sync and
hopefully have the same behaviour. In case this option is not set an
ugly message about a not correctly set value will be logged to syslog
during startup.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Fri, 5 Apr 2024 19:26:37 +0000 (21:26 +0200)]
suricata: Update suricata.yaml
Updata the configuration file for suricata 7.
This includes:
* Default values for newly introduced features and parsers
* Enable recently added protocol parsers for HTTP2, QUIC, Telnet and Torrent
* Update of URL for documentation
* Fixes of various typos and other clarifications
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 3 Apr 2024 20:42:13 +0000 (21:42 +0100)]
suricata: Disable fail-open on NFQUEUE
This change causes that if suricata crashes, the NFQUEUE will no longer
fall into a mode where ALL packets are being accepted. This used the be
the case before which opened the entire firewall.
If suricata randomly crashes, we will fall back to the "bypass" mode
where packets will bypass suricata, but nothing else.
Fixes: #13642 Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
collectd: fix cpufreq graph if virtual cores are offline
the kernel doesn't allow to read the frequency of a offline virtual core
if smt is disabled so now no error is reported in this case and NaN submited to the
database.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Stefan Schantl [Wed, 27 Mar 2024 19:39:20 +0000 (20:39 +0100)]
grub-btrfsd: Drop redundant used PIDFILE mechanism
This case is already covered by the PID mechanism of the used functions
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Stefan Schantl [Wed, 27 Mar 2024 19:39:19 +0000 (20:39 +0100)]
grub-btrfsd: Adjust displayed starting message
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Stefan Schantl [Wed, 27 Mar 2024 19:39:18 +0000 (20:39 +0100)]
grub-btrfsd: Use generic volume_fs_type function for FS detection
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Stefan Schantl [Wed, 27 Mar 2024 19:39:17 +0000 (20:39 +0100)]
initscripts: Add generic function to get the filesystem type of a volume
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Sat, 30 Mar 2024 08:14:58 +0000 (09:14 +0100)]
xz: Revert back to version 5.4.5 due to backdoor issue
- xz version 5.6.0 and 5.6.1 discovered to have been backdoored by what looks to have
been one of the xz devs.
- IPFire looks not to be affected by the problem as we don't patch openssh to be linked
with liblzma
- However due to question marks about what else might be in these 5.6.x versions it is
better to revert back to a version that did not have the build-to-host.m4 file with the
code that modifies the build if it meets certain criteria.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 25 Mar 2024 17:44:56 +0000 (18:44 +0100)]
CU185-update.sh: Add drop hostile in & out logging entries if not already present
- This v2 patch corrects that the previous script was looking for =on. If a user had
modified the preferences to change it to =off then the script would have resulted in
both =on and =off versions being in the settings file.
- This patch ensures that those people who updated to CU184 before the CU184-update.sh
patch fix to add the logging entries was added will get their optionsfw settings file
correctly updated with CU185
- This only adds the LOGDROPHOSTILEIN & LOGDROPHOSTILEOUT entries if they do not already
exist in the optionsfw settings file.
- This change also does the check for LOGDROPHOSTILEIN and LOGDROPHOSTILEOUT as two
separate checks and then runs the firewall update command
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Sun, 24 Mar 2024 12:39:53 +0000 (13:39 +0100)]
grub-btrfs: New package
This kind of grub addon will extend the grub boot menu by a additional
submenu where a BTRFS snapshot can be selected to directly use as root
volume and boot into it.
The grub-btrfsd daemon is using inotify(tools) to watch the snapshot directory for
new or deleted snapshots and calls grub-mkconfig to adjust the snapshot grub submenu
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Stefan Schantl [Sun, 24 Mar 2024 12:37:35 +0000 (13:37 +0100)]
installer: Pass choosen filesystem to hw_make_destination
This is required to proper choose if a seperate boot partition should be
created or must not created (BTRFS)
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Stefan Schantl [Sat, 23 Mar 2024 10:56:21 +0000 (11:56 +0100)]
installer: Ensure to always create the /boot directory.
Ensure to always create the /boot directory during the mounting
of the various created file systems. If the /boot directory does not
exist some following mount operations could not be performed correctly
and the installation/mounting will fail.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 25 Mar 2024 13:41:38 +0000 (14:41 +0100)]
shadow: Update login.defs to remove reference to cracklib
- From shadow-15.0.0 all references to cracklib were removed from shadow. Apparently
some functions were no longer accessible and the shadow team decided to remove cracklib
references completely. This was not mentioned in the changelkog for 15.0.0
- This resulkts in gettinbg the message configuration error - unknown item
'CRACKKLIB_DICTPATH' ( notify administrator ) when logging in to the console.
- The login to the console occurs successfully so the message is only a warning that
cracklib is no longer used.
- IPfire does not use cracklkib anyway so this patch removes the section referring to
cracklib from the login.defs configuration file.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 20 Mar 2024 14:43:27 +0000 (15:43 +0100)]
CU185-update.sh: Add drop hostile in & out logging entries if not already present
- This patch ensures that those people who updated to CU184 before the CU184-update.sh
patch fix to add the logging entries was added will get their optionsfw settings file
correctly updated with CU185
- This only adds the LOGDROPHOSTILEIN & LOGDROPHOSTILEOUT entries if they do noit already
exist in the optionsfw settings file.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>