stripper: Handle capabilities

During the build process, we set capabilities to elevate privileges of
certain progrems (e.g. ping). These have been removed during the build
process because of strip.

This patch collects any capabilities from all files that are being
stripped and restores them after calling strip.

Fixes: #12652
Reported-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Acked-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core158: Run sshctrl

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Pakfire: call "sync" in function.sh after having extracted archives

After upgrading to Core Update 157, a few number of users reported their
systems to be unworkable after a reboot. Most of them (the systems, not
the users) were apparently missing the new Linux kernel in their Grub
configuration, causing a non-functional bootloader written to disk.

While we seem to be able to rule out issues related to poor storage
(SDDs, flash cards, etc.) or very high I/O load, it occurred to me we
are not calling "sync" after having extracted a Core Update's .tar.gz
file.

This patch therefore proposes to do so. It is a somewhat homeopathic
approach, though, but might ensure all parts of the system to have
properly processed the contents of an extracted archive. While we cannot
even reasonably guess it will solve the problem(s) mentioned initially,
doing so cannot hurt either.

See also:
https://community.ipfire.org/t/after-update-ipfire-to-157-no-boot/5641/45

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core158: Ship pakfire functions.sh

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

pakfire: Do not delay directory restore

https://www.gnu.org/software/tar/manual/tar.html#Directory-Modification-Times-and-Permissions

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

pakfire: Put tar options into an array

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

pakfire.cgi: Sleep after running a pakfire command

This is required to have better chances in the race of showing the log
output afterwards.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

pakfire.cgi: Remove confusing dots in install message

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

pakfire.cgi: Pass packages to install/uninstall as array

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

fireinfo.cgi: Fix kernel version

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ddns.cgi: Fix sanity check logic.

The input validation did not work in the proper way. It allways
reported "No password" when using a provider which supports token and
the token has been given.

This of course is wrong and leaded to unuseable providers.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core158: Ship ppp

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Revert "ppp: update to 2.4.9"

This reverts commit 0cd9215b565e7c3ef34699b695aaab7eba1dc510.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

aws-cli: Depend on python3-six

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Revert "python-six: Removal of python2 & 3 addon versions of six"

This reverts commit 3a61ae73fa179adb24f9feeb8ee486c1900609bf.

This module is required by awscli.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core158: Fully terminate apache before restarting it

Asking apache to restart itself fails when the binary is changed and
some symbols cannot be resolved. We therefore terminate all processes
and start them again.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core158: Fix name of vnstat initscript

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core158: Actually drop motion instead of monit

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core158: Uninstall all dropped add-ons

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Update French translation

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Revert "OpenSSH: restrict file permissions for sshd_config to 0600"

This reverts commit a9fb87809eccdc7ea7736659ceec929a028761d4.

This prevents the SSH configuration being parsed by the web user
interface.

Reported-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Revert "ncat: Update to 7.91"

This reverts commit ee3b6ba0c7d3cc88667922f96db2ac0bd5630625.

ncat segfaults straight away (#12647)

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Fix typos.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Call correct system_output() function.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Merge branch 'core157'

core157: Ship lua

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Fix detection of used DH key lenght.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

vpnmain.cgi: Fix typo.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

pppsetup.cgi: Fix typos.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Merge remote-tracking branch 'origin/next'

nano: Update to 5.8

For details see:
https://www.nano-editor.org/news.php

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

knot: Update to 3.0.7

For details see:
https://www.knot-dns.cz/2021-06-16-version-307.html

Features:

        knotd: new configuration policy option for CDS digest algorithm setting #738
        keymgr: new command for primary SOA serial manipulation in on-secondary signing mode

Improvements:

        knotd: improved algorithm rollover to shorten the last step of old RRSIG publication

Bugfixes:

        knotd: zone is flushed upon server start, despite DNSSEC signing is up-to-date
        knotd: wildcard nonexistence is proved on empty-non-terminal query
        knotd: redundant wildcard proof for non-authoritative data in a reply
        knotd: missing wildcard proofs in a wildcard-cname loop reply
        knotd: incorrectly synthesized CNAME owner from a wildcard record #715
        knotd: zone-in-journal changeset ignores journal-max-usage limit #736
        knotd: incorrect processing of zone-in-journal changeset with SOA serial 0
        knotd: broken initialization of processing workers if SO_REUSEPORT(_LB) not available
        kjournalprint: reported journal usage is incorrect #736
        keymgr: cannot parse algorithm name ed448 #739
        keymgr: default key size not set properly
        kdig: failed to process huge DoH responses
        libknot/probe: some corner-case bugs

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Tor: update to 0.4.6.5

Please refer to the .tar.gz's ReleaseNote file for the full changelog
since version 0.4.5.8; it is too large to include it here.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

speed.cgi: Add requirement for general-functions.pl.

The CGI now requires the general-functions library, because the
get_red_interface() function is used.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

memory.cgi: Fix missing qoutes.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Drop obsolete files from bluetooth package

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

general-functions.pl: Explicitely call new system function

Perl seems to just "guess" that someone no longer wants to use the
builtin "system" command when there is a function with the same name.

I have no idea what kind of liquid they are drinking, but because of the
side effects of that stuff, we explicitely call our system() function.

Not that that would be necessary, but why not waste a couple more CPU
cycles?

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Bump release of all packages with CGI files

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

proxy.cgi: Suppress Squid version by default

While hiding version information does not come with any _actual_
security improvements, it is generally a good thing to do so by default:
Attackers will still be able to reasonably guess or enumerate the
software version running, but need to conduct additional effort to do
so, hence more likely raising alerts and drawing attention on their
operation.

In addition, we suppress version details somewhere else in IPFire 2.x by
default, too (e. g. Unbound and Apache), so we can justify this patch by
aiming to stay consistent, I guess. :-)

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core158: Ship web-user-interface

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Merge branch 'perl-system' into next

hardwaregraphs.cgi: Perform all sensor lookups in pure perl.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

services.cgi: Redesign isautorun() because shell globbing cannot used anymore.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

remote.cgi: Fix splitting output from ssh-keygen.

The split function requires an string as input.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

dhcp.cgi: Fix typo and displaying advanced options syntax.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

fireinfo.cgi: Fix read-in profile data.

To read-in the whole file content the data type needs to be an array.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

time.cgi: Get and manipuate date and time in pure perl

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

netexternal.cgi: Grab DNS servers in pure perl

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

ids-functions.pl: Use new system methods

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

network-functions.pl: Use new system methods

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

mdstat.cgi: Print mdstat status in pure perl

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

fireinfo.cgi: Use new system methods

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

vpnmain.cgi: Use new system methods

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

pppsetup.cgi: Use new system methods

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

wireless.cgi: Use new system methods

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

core158: Ship xfsprogs

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

xfsprogs: Update to 5.12.0

- Update from 5.11.0 to 5.12.0
- Update of rootfile not required
- Changelog
    xfsprogs-5.12.0 (21 May 2021)
- No further changes
    xfsprogs-5.12.0-rc1 (07 May 2021)
- mkfs: don't default to too-large physical sector size (Jeff Moyer)
- repair: phase 6 speedups (Dave Chinner, Gao Xiang)
- man: Add dax mount option to man xfs(5) (Carlos Maiolino)
- xfs_admin: pick up log arguments correctly (Darrick Wong)
- xfs_growfs: support shrinking unused space (Gao Xiang)
- libfrog: report inobtcount in geometry (Darrick Wong)
- xfs_logprint: Fix buffer overflow printing quotaoff (Carlos Maiolino)
- xfsprogs: include <signal.h> for platform_crash (Leah Neukirchen)
- xfsprogs: remove BMV_IF_NO_DMAPI_READ flag (Anthony Iliopoulos)
- workqueue: bound maximum queue depth (Dave Chinner)
    xfsprogs-5.12.0-rc0 (12 Apr 2021)
- libxfs changes merged from kernel 5.12

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

cups-filters: Update to 1.28.9

- Update from 1.28.8 to 1.28.9
- Update of rootfile not required
- Changelog
     CHANGES IN V1.28.9
- libcupsfilters: Silenced compiler warnings
- libcupsfilters: Removed duplicate code in the
  apply_filters() function.
- driverless: If there are no driverless IPP printers
  available let "driverless" terminate with exit code 0 and
  not 1, to follow CUPS' standard of backends in discovery
  mode terminating with 0 if there are no appropriate printers
  found (Issue #375).
- gstoraster, foomatic-rip: Fixed Ghostscript command line for
  counting pages as it took too long on PDFs from evince when
  printing DjVu files (Issue #354, Pull request #371, Ubuntu
  bug #1920730).
- cups-browsed: Renamed ldap_connect() due to conflict in
  new openldap (Issue #367, Pull request #370).
- pdftoraster: Free color data after processing of each page
  (Pull request #363).
- cups-browsed: Always save "...-default" option entries
  from printers.conf, regardless of presence or absense
  of PPD file (Pull request #359).
- cups-browsed: Start after network-online.target (Pull
  request #360).
- texttopdf: Set default margins when no PPD file is used
  (Pull request #356).

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

proxy.cgi: drop options for faking Referer and User-Agent HTTP headers

While maintaining privacy when accessing web sites probably has never
been more important than it is today, faking Referer and User-Agent
headers is both obsolete and counterproductive:

(a) Most web sites require HTTPS, thwarting manipulation attempts to
    HTTP headers in transit. Given todays' internet landscape, faking
    these headers is unlikely to work for the vast majority of web
    sites.

(b) It is trivial to detect faked HTTP User-Agent headers by obtaining
    corresponding browser information via JavaScript. Any difference
    most likely indicates (trivial) header manipulation attempts, hence
    rendering this feature useless if browsers do not behave in the same
    manner, which we cannot control on IPFire.

(c) Especially static Referer headers make users stick out like a sore
    thumb, as nobody else in the world is likely to have the same
    Referer set _all the time_.

    Modern browsers attempt to strip sensitive information from Referer
    headers, or ditch them completely, particularly to 3rd party sites.

Given the state of the web ecosystem as we know it today, enforcing
privacy in a centralised manner does not even come close to being
sufficient. Without gaining control over users' browsers, their
settings, and their infrastructure (such as setting up terminal
environments for accessing the web, preventing hardware
fingerprinting), a centralised attempt will at best fail, if not making
things worse, as highlighted in (c).

Therefore, removing these features from the Squid GUI is the least worse
option we have. We should not give our users a false sense of privacy.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core158: Ship smartmontools

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

smartmontools: update to 7.2

Release announcement of this version as per
https://www.smartmontools.org/browser/tags/RELEASE_7_2/smartmontools/NEWS:

Date 2020-12-30
Summary: smartmontools release 7.2
-----------------------------------------------------------
- smartctl: New option '--json=y[c]' selects YAML output.
- smartctl '-i': Prints ATA TRIM and Zoned Device capabilities.
- smartctl '-j': Fixed 'scsi_grown_defect_list' value.
- smartctl '-a': Prints SCSI 'Accumulated power on time'.
- smartctl '-n POWERMODE': SCSI support.
- smartctl '-s standby,now' and '-s standby,off': SCSI support.
- smartctl '-c': NVMe 1.4 additions.
- smartd: Support for staggered self-tests.
- smartd: No longer writes attribute log if no attributes were read
  due to standby mode or other error.
- smartd: Now resolves symlinks before device names are checked for
  duplicates.
- smartd: Fixed SMARTD_DEVICETYPE environment variable if DEVICESCAN is
  used without '-d TYPE'.
- ATA: Device type '-d jmb39x-q,N' for JMB39x protocol variant used by
  some QNAP NAS devices.
- ATA: Device type '-d jms56x,N' for JMS562 USB to SATA RAID bridges.
- SCSI: Improved heuristics for log subpages of new and very old disks.
- NVMe: Log transfer size limited to avoid device or kernel crashes.
- NVMe/USB: Device type '-d sntrealtek' for Realtek RTL9210 USB to
  NVMe bridges.
- update-smart-drivedb: New option '--branch X.Y'.
- HDD, SSD and USB additions to drive database.
- Dropped support for pre-C99 snprintf().
- configure: Dropped option '--without-working-snprintf'.
- configure: Fixed '-fstack-protector*' detection.
- Linux: Various fixes of smartd.service file.
- Darwin: NVMe log support.
- FreeBSD: Device scan does no longer include T_ENCLOSURE devices.
- NetBSD: Fixed timeout handling.
- NetBSD big endian: Fixed ATA register handling.
- OpenBSD: Fixed timeout handling.
- Windows: Dropped backward compatibility fixes for very old compilers.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core158: Ship hwdata

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

hwdata: update PCI/USB databases

PCI IDs: 2021-05-16 03:15:02
USB IDs: 2021-06-06 20:34:10

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Postfix: update to 3.6.1

This versions' release announcement can be retrieved here:
http://www.postfix.org/announcements/postfix-3.6.1.html

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

glib: Update to 2.68.3

- Update from 2.68.2 to 2.68.3
- Update rootfile
- Changelog
   Overview of changes in GLib 2.68.3
    * Bugs fixed:
      - #2311 testfilemonitor test leaks ip_watched_file_t struct
      - #2417 GFile: `g_file_replace_contents()` reports `G_IO_ERROR_WRONG_ETAG` when saving from a symlink
      - !2133 Backport !2128 “inotify: Fix a memory leak” to glib-2-68
      - !2137 Backport !2136 “tlscertificate: Avoid possible invalid read” to glib-2-68
      - !2141 Backport !2138 “glocalfileoutputstream: Fix ETag check when replacing through a symlink” to glib-2-68

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core158: Ship fuse

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

fuse: Update to 3.10.4

- Update from 3.10.3 to 3.10.4
- Update of rootfile
- Changelog
   * Building of unit tests is now optional.
   * Fixed a test failure when running tests under XFS.
   * Fixed memory leaks in examples.
   * Minor documentation fixes.

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

cmake: Update to 3.20.4

- Update from 3.20.3 to 3.20.4
- Update of rootfile not required.
- Changelog
   Changes in 3.20.4 since 3.20.3:
    Ben Boeckel (1):
      ci: use consistent sccache builds
    Brad King (8):
      VS: Add special case for '-T version=14.29.16.10' under VS 16.10
      VS: Add flag table entries for '/external:W*' flags in VS 16.10
      gitlab-ci: Update Windows builds to MSVC 19.29-16.10 toolset
      Makefiles: Fix CMAKE_EXPORT_COMPILE_COMMANDS crash with custom compile rule
      presets: Fix buildPreset "jobs" field test case
      IRSL: Add Intel oneAPI redist location on Windows
      fileapi: Fix codemodel-v2 link command fragment relative paths
    John Drouhard (1):
      FindBoost: Add check for json component header in Boost 1.75+
    Marc Chevrier (1):
      Help: cmake_path: fix erroneous example for IS_PREFIX
    Raul Tambre (2):
      MSVC: C++20 final flag, C++23 support
      Clang/MSVC: C++20 final flag, C++23 support
    Sam Freed (2):
      presets: Fix buildPreset "jobs"
      presets: Fix buildPreset "targets" not allowing a single string

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ipsec: Prefer curve448 over curve25519

Curve448 provides better cryptographic security. For more details see:

  https://bugzilla.ipfire.org/show_bug.cgi?id=12634

Fixes: #12634
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Merge remote-tracking branch 'pmueller/temp-cleanup-orphaned-items' into next

Removed several lfs options leading to: configure: WARNING: unrecognized options

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core158: Ship sudo

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

sudo: Update to 1.9.7p1

- Update from 1.9.7 to 1.9.7p1
- Update of rootfile not required.
- Changelog
   Major changes between sudo 1.9.7p1 and 1.9.7
    * Fixed an SELinux sudoedit bug when the edited temporary file
      could not be opened.  The sesh helper would still be run even
      when there are no temporary files available to install.
    * Fixed a compilation problem on FreeBSD.
    * The sudo_noexec.so file is now built as a module on all systems
      other than macOS.  This makes it possible to use other libtool
      implementations such as slibtool.  On macOS shared libraries and
      modules are not interchangeable and the version of libtool shipped
      with sudo must be used.
    * Fixed a few bugs in the getgrouplist() emulation on Solaris when
      reading from the local group file.
    * Fixed a bug in sudo_logsrvd that prevented periodic relay server
      connection retries from occurring in "store_first" mode.
    * Disabled the nss_search()-based getgrouplist() emulation on HP-UX
      due to a crash when the group source is set to "compat" in
      /etc/nsswitch.conf.  This is probably due to a mismatch between
      include/compat/nss_dbdefs.h and what HP-UX uses internally.  On
      HP-UX we now just cycle through groups the slow way using
      getgrent().  Bug #978.

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

tmux: Update to 3.2a

For details see:
https://raw[dot]githubusercontent[dot]com/tmux/tmux/3.2a/CHANGES

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core158: Ship libpcap

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

libpcap: Update to 1.10.1

For details see:
http://www.tcpdump.org/libpcap-changes.txt

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

tcpdump: Update to 4.99.1

For details see:
http://www.tcpdump.org/tcpdump-changes.txt

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ipsec-policy: Do no create DROP rules for on-demand mode

This is not necessary and gets in the way if users have SNAT rules or
other things that make the check be in the wrong place.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Postfix: update to 3.6.0

Please refer to http://www.postfix.org/announcements/postfix-3.6.0.html
for this versions' release announcements.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

update ca-certificates CA bundle

Update the CA certificates list to what Mozilla NSS ships currently.

The original file can be retrieved from:
https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core157: Fix shipping boost

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wlanap.cgi: Use new perl system functions

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wirelessclient.cgi: Use new perl system functions

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireless.cgi: Use new perl system functions

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

webaccess.cgi: Use new perl system functions

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wakeonlan.cgi: Use new perl system functions

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

vpnmain.cgi: Use new perl system functions

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

urlfilter.cgi: Use new perl system functions

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

updatexlrator.cgi: Use new perl system functions

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

traffic.cgi: Use new perl system functions

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

tor.cgi: Use new perl system functions

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

time.cgi: Use new perl system functions

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

shutdown.cgi: Use new perl system functions

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

services.cgi: Use new perl system functions

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

samba.cgi: Use new perl system functions

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

routing.cgi: Use new perl system functions

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

remote.cgi: Use new perl system functions

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

qos.cgi: Use new perl system functions

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

proxy.cgi: Use new perl system functions

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

pppsetup.cgi: Use new perl system functions

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>