dns.cgi: Set kdig params for timeout and retry back to default.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

stage2: update rootfile

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

Merge remote-tracking branch 'ms/next-dns-ng' into next

Merge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next

filesystem-cleanup: Add parameter to show changes

Use --dry-run to only show files that would be deleted, but do
not actually delete them.

Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

filesystem-cleanup: Automatically remove old libraries

This script runs through /usr/lib and /lib and tries to find
all libraries which are no longer being used and more and
deletes them.

This will help us to free space on root partitions that
are limited to 2GB.

However, the script does not cover 100% of the cases, so that
some files still need to be deleted manually (e.g. boost with
their weird versioning schema).

This script should be executed after a Core Update has been
installed.

Fixes: #12270
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

amazon-ssm-agent: Move source to GOPATH

Go won't build when this is only symlinked any more.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

unbound: Make dhcp-leases.conf readable for everyone

unbound runs as nobody and cannot reload its configuration
when this file is only readable for root.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound: Do not reset safe search again

This is now done in the reload stage and we do not need to
take care about it again.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound: Drop some unused variables

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound: Drop function to reload forwarders on the fly

This is now being done by updating and re-reading forward.conf.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

dnsforward.cgi: Reloading unbound is enough to apply changes

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

hosts.cgi: Hosts can now be imported when reloading unbound

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound: Write hosts to unbound configuration file

This will allow us to read more hosts in a shorter time.

Fixes: #11743
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound: There is no need to rewrite tuning.conf

The number of CPU cores and memory normally does not change

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound: Reload own hostname, too

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

dns.cgi: Fix check for undefined variable

This was positive when zero was returned.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

dns.cgi: Show error when trying to use ISP nameservers and TLS at the same time.

Because the ISP-assigned nameservers do not have any TLS-hostname
information they cannot be used, when TLS is activated.

They only can be used if they will be added as "regular" DNS servers
with a TLS-hostname.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

setup: Remove DNS settings

This is no longer required since we have a new CGI script
that takes care of all DNS settings and stores things in
another format.

Fixes: #12235
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

dns.cgi: Fix id compare when adding a new nameserver.

I do not know why perl when using "le" which means "less-or-equal"
defines a "10" as "1".

This commit fixes the issue that it was not possible to add more than 8
nameservers.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

geoip: ship database 20191217

Maxmind has disabled the download so we ship the last free (creative commons)
database with the iso and core until we build an alternative.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core140: fix build on armv5tel and i586

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

Go: Move the cache to the ccache directory

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

Go: Cleanup Go Path after build

Go leaves temporary build files in the directory
which we do not need and we should clean up after
every build.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

amazon-ssm-agent: New package

AWS Systems Manager Agent (SSM Agent) is Amazon software that can be
installed and configured on an Amazon EC2 instance, an on-premises
server, or a virtual machine (VM). SSM Agent makes it possible for
Systems Manager to update, manage, and configure these resources. The
agent processes requests from the Systems Manager service in the AWS
Cloud, and then runs them as specified in the request. SSM Agent then
sends status and execution information back to the Systems Manager
service by using the Amazon Message Delivery Service.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

python3: exclude __pycache__ from iso, core and packages

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

ids.cgi: Do reload instead of restarting unbound

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

initscripts/unbound: Add support for reload the service

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

unboundctrl: Add support for calling reload.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

dns.cgi: Only perform reverse lookup if DNS is working.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

unbound: No longer try to include safe-search.conf

This file is no longer generated and therefore cannot
be imported any more.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core140: ship updated vpnmain.cgi

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

update translation files for vpnmain.cgi changes

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

vpnmain.cgi: set SubjectAlternativeName default during root certificate generation

Some IPsec implementations such as OpenIKED require SubjectAlternativeName
data on certificates and refuse to establish connections otherwise.

The StrongSwan project also recommends it (see:
https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA) although
it is currently not enforced by their IPsec software.

For convenience purposes and to raise awareness, this patch adds a default
SubjectAlternativeName based on the machines hostname or IP address. Existing
certificates remain unchanged for obvious reasons.

The third version of this patch fixes a duplicate DNS query reported by Michael.

Fixes #11594

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

Merge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next

suricata: update rootfile

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

elinks: move to core system.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

pathon: update to 3.8 and move pyhton to core

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

make.sh: update IPFire and Toolchain verion

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

gcc: update armv5tel rootfile

convert-dns-settings: Set correct ownership after convert is done.

Otherwise it may happen, that the created config files have wrong
permissions and the WUI will break.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

dns.cgi: Restart suricata if neccessary.

When the DNS configuration of the system is changed,
we need to re-generate the file which contains the DNS Server
details for suricata and to restart the service.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

index.cgi: Do not longer display the DNS servers.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

ids-functions.pl: Update generate_dns_servers_file() function.

The function now uses the newly introduced get_nameservers() function
while generating the DNS servers file.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

general-functions.pl: Add get_nameservers().

This function simply return an array of all used nameservers.

It also takes care if the usage of ISP assigned nameservers
is enabled or not and if user-added nameservers are enabled or not.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

guardian: Remove code for DNS servers.

In the past this code was used to add the DNS servers
to the ignore list and prevent them from being blocked by
guardian.

Because of the switch to suricata as IPS, guardian now prevents
from password brute-forcing on SSH and/or the webserver, so this
code is not longer needed and safly can be removed.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

dns.cgi: Move grab_address_from_file function to general-functions.pl

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

dns.cgi: Also restart unbound if a server got enabled/disabled

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

dns.cgi: Remove accidently commited debug code

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

dns.cgi: Restart unbound

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

dns.cgi: Display DNS system status.

For this, a test query to the local unbound instance will be
sent and if the DNS system work properly can be answerd.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

dns.cgi: Perform server checks on user request

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

dns.cgi: Remove hard-coded box title.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

dns.cgi: Do not perform kdig tests when adding a server

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

dns.cgi: Check for empty server address.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

dns.cgi: Perform kdig tests only if the system is online.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

dns.cgi: Introduce red_is_active()

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

dns.cgi: Always display the input field for TLS_HOSTNAME

* Mark it as required if the protocol is set to TLS.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

dns.cgi: Only perform reverse lookups if the system is online

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

unbound: Implement setting qname minimisation into strict mode

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound: Try to set time when DNS is not working

Since DNSSEC relies on time to validate its signatures,
a common problem is that some systems (usually those without
a working RTC) are not being able to reach their time server.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound: Do not update the forwarders when we are running in TLS mode

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound: Read configuration globally

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound: Update forwarders when system connects/disconnects

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound: Update setting Safe Search redirects

When the system comes online, we must update entries
in the unbound cache to point to the "safe" IP addresses.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

dns.cgi: Show ISP name servers as disabled

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

dns.cgi: Fix handling of WARNINGs from kdig

There might be multiple warnings which must all be shown
to the user.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

dns.cgi: Remove smartmatch operator

Perl likes to make things difficult

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

dns.cgi: Timeout after 2 seconds for DNS server checks

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

DNS: Write name servers received from ISP to /var/run/dns{1,2}

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound: Drop live checks

Those checks have caused us a lot of trouble and are now being dropped.

Users must make sure to choose servers that support DNSSEC or enable
any of the tunneling mechanisms to be able to reach them.

Fixes: #12239
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound: Add path to TLS CA bundle

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound: No longer read old configuration file

The old configuration file in /etc/sysconfig/unbound is no
longer being used and all settings should be in
/var/ipfire/dns/settings.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound: Write upstream name servers to forward.conf

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound: Remove test-name-server command

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound: Convert forward zones to stub zones

It was incorrect to use forward zones here, because that
assumes that unbound is talking a recursive resolver here.

The feature is however designed to be talking to an authoritative
server.

Fixes: #12230
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound: Allow forcing to speak TLS to upstream servers only

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound: Set EDNS buffer size to 1232 bytes

Fixes: #12240
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

dns.cgi: Set EDNS buffer size to 1232

References: #12240
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Update English translation

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

webif: Show menu entry for DNS all the time

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

netexternal.cgi: Drop DNSSEC status

This has now been moved to the new dns.cgi.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

DNS: Add converter to migrate settings

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

langs/en.pl: Add new strings for modified dns.cgi.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

dns.cgi: Rework to allow central DNS configuration.

Fixes #12237.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

pppsetup.cgi: Remove support for configure DNS settings.

Fixes #12234.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next

core140: add gcc changes to updater

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

Tor: update to 0.4.2.5

Please refer to https://blog.torproject.org/new-release-0425-also-0417-0406-and-0359
for release notes.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

libseccomp: update to 2.4.2

Please refer to https://github.com/seccomp/libseccomp/releases/tag/v2.4.2
for release notes.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

openvmtools: Update to 11.0.0

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

glib: Fix compiling with GCC 9

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

efivar: Update to 37

This also fixes some build issues with GCC 9.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

mdadm: Update to 4.1

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

mpc: Update to 1.1.0

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

mpfr: Update to 4.0.2

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

gcc: Update to 9.2.0

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

lang: Fix typo in "Writen Bytes" and fix grammar

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core140: add convert-snort to updater

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

convert-snort: Check and convert snort user and group.

Fixes #12102.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>