people/pmueller/ipfire-2.x.git
8 months ago core129: Ship updated OpenVPN
Michael Tremer [Mon, 25 Feb 2019 02:29:29 +0000 (02:29 +0000)] 
core129: Ship updated OpenVPN

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
8 months ago OpenVPN: Update to version 2.4.7
Erik Kapfer [Tue, 26 Feb 2019 10:56:47 +0000 (11:56 +0100)] 
OpenVPN: Update to version 2.4.7

Changelog can be found here: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
8 months ago update Tor to 0.3.5.8
Peter Müller [Sat, 23 Feb 2019 16:54:00 +0000 (16:54 +0000)] 
update Tor to 0.3.5.8

See https://blog.torproject.org/new-releases-tor-0402-alpha-0358-03411-and-03312
for release notes.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
8 months ago update metrics links in Tor WebUI
Peter Müller [Sat, 23 Feb 2019 16:54:00 +0000 (16:54 +0000)] 
update metrics links in Tor WebUI

https://atlas.torproject.org/ is deprecated in favour of
https://metrics.torproject.org/ by now.

Fixes #11781.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
8 months ago core129: Ship updated libgcrypt
Michael Tremer [Mon, 25 Feb 2019 00:58:04 +0000 (00:58 +0000)] 
core129: Ship updated libgcrypt

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
8 months ago libgcrypt: update to 1.8.4
Peter Müller [Sat, 23 Feb 2019 16:58:00 +0000 (16:58 +0000)] 
libgcrypt: update to 1.8.4

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
8 months ago core129: Ship updated unbound
Michael Tremer [Mon, 25 Feb 2019 00:56:49 +0000 (00:56 +0000)] 
core129: Ship updated unbound

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
8 months ago unbound: Update to 1.9.0
Matthias Fischer [Sat, 9 Feb 2019 09:40:36 +0000 (10:40 +0100)] 
unbound: Update to 1.9.0

For details see:
https://nlnetlabs.nl/svn/unbound/tags/release-1.9.0/doc/Changelog

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
8 months ago core129: Ship changes from ipsec branch
Michael Tremer [Mon, 25 Feb 2019 00:55:31 +0000 (00:55 +0000)] 
core129: Ship changes from ipsec branch

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
8 months ago Merge branch 'ipsec' into next
Michael Tremer [Mon, 25 Feb 2019 00:48:08 +0000 (00:48 +0000)] 
Merge branch 'ipsec' into next

8 months ago Start Core Update 129
Michael Tremer [Mon, 25 Feb 2019 00:47:28 +0000 (00:47 +0000)] 
Start Core Update 129

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
8 months ago Add script to search for missing libraries
Michael Tremer [Sun, 24 Feb 2019 11:45:55 +0000 (11:45 +0000)] 
Add script to search for missing libraries

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
8 months ago core128: Drop old openssl engines
Michael Tremer [Sun, 24 Feb 2019 04:06:52 +0000 (04:06 +0000)] 
core128: Drop old openssl engines

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
8 months ago cups: Depends on bluetooth library
Michael Tremer [Sun, 24 Feb 2019 04:04:51 +0000 (04:04 +0000)] 
cups: Depends on bluetooth library

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
8 months ago core128: add openldap to update
Arne Fitzenreiter [Sun, 24 Feb 2019 19:50:16 +0000 (20:50 +0100)] 
core128: add openldap to update

openldap was linked against old openssl lib

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
8 months ago core128: add sse2 openssl libs
Arne Fitzenreiter [Sun, 24 Feb 2019 16:04:44 +0000 (17:04 +0100)] 
core128: add sse2 openssl libs

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
8 months ago core128: apply local sshd config
Arne Fitzenreiter [Sun, 24 Feb 2019 09:55:49 +0000 (10:55 +0100)] 
core128: apply local sshd config

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
8 months ago kernel: update to 4.14.103
Arne Fitzenreiter [Sat, 23 Feb 2019 14:56:21 +0000 (15:56 +0100)] 
kernel: update to 4.14.103

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
8 months ago core128: finish core128
Arne Fitzenreiter [Fri, 22 Feb 2019 20:33:45 +0000 (21:33 +0100)] 
core128: finish core128

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
8 months ago kernel: import cve-2019-8912 patch
Arne Fitzenreiter [Fri, 22 Feb 2019 20:20:57 +0000 (21:20 +0100)] 
kernel: import cve-2019-8912 patch

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
8 months ago core128: stop apache before replacing files
Arne Fitzenreiter [Fri, 22 Feb 2019 18:26:08 +0000 (19:26 +0100)] 
core128: stop apache before replacing files

apache will not restart without being stopped before
the files were replaced.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
8 months ago kernel: apu leds: add more id's
Arne Fitzenreiter [Fri, 22 Feb 2019 17:02:45 +0000 (18:02 +0100)] 
kernel: apu leds: add more id's

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
8 months ago partresize: add "apu1" for apus with new bios.
Arne Fitzenreiter [Fri, 22 Feb 2019 17:01:18 +0000 (18:01 +0100)] 
partresize: add "apu1" for apus with new bios.

8 months ago core128: add kernel to updater
Arne Fitzenreiter [Thu, 21 Feb 2019 18:23:05 +0000 (19:23 +0100)] 
core128: add kernel to updater

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
8 months ago kernel: cleanup unused rpi patch
Arne Fitzenreiter [Thu, 21 Feb 2019 18:13:27 +0000 (19:13 +0100)] 
kernel: cleanup unused rpi patch

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
8 months ago kernel: update to 4.14.102
Arne Fitzenreiter [Thu, 21 Feb 2019 09:50:15 +0000 (10:50 +0100)] 
kernel: update to 4.14.102

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
8 months ago partresize: enable serial console on PC Engines APU
Arne Fitzenreiter [Tue, 19 Feb 2019 12:48:12 +0000 (13:48 +0100)] 
partresize: enable serial console on PC Engines APU

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
8 months ago kernel: update apu led patch for apu3 and 4
Arne Fitzenreiter [Tue, 19 Feb 2019 00:04:19 +0000 (01:04 +0100)] 
kernel: update apu led patch for apu3 and 4

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
9 months ago unbound: Drop certificates for local control connection
Michael Tremer [Sun, 17 Feb 2019 13:46:51 +0000 (13:46 +0000)] 
unbound: Drop certificates for local control connection

These are a cause of worry because they are sometimes generated with
an invalid timestamp and therefore render unbound unusable.

There is no strong reason to use self-signed certificates for extra
security here.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
9 months ago Added 'CONFIG_X86_MSR=y' for 'powertop' to i586 and x86_64 builds for fixing #11997
Matthias Fischer [Sun, 10 Feb 2019 19:21:22 +0000 (20:21 +0100)] 
Added 'CONFIG_X86_MSR=y' for 'powertop' to i586 and x86_64 builds for fixing #11997

Triggered by:
https://forum.ipfire.org/viewtopic.php?f=69&t=22274

This - probably - fixes Bug #11997.

Needs testing on 64bit installations!

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
9 months ago Fix ownership of sendEmail script
Rob Brewer [Wed, 13 Feb 2019 22:49:11 +0000 (22:49 +0000)] 
Fix ownership of sendEmail script

The script used to be owned by a non-privileged user and it should
just be owned by root.root like any other binary.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
9 months ago borgbackup: fix build on armv5tel
Arne Fitzenreiter [Sat, 16 Feb 2019 21:49:47 +0000 (22:49 +0100)] 
borgbackup: fix build on armv5tel

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
9 months ago kernel: enable PCA953X GPIO extender for ClearFog boards
Arne Fitzenreiter [Sat, 16 Feb 2019 20:40:50 +0000 (21:40 +0100)] 
kernel: enable PCA953X GPIO extender for ClearFog boards

fixes: #12000

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
9 months ago kernel: update to 4.14.101
Arne Fitzenreiter [Fri, 15 Feb 2019 16:46:54 +0000 (17:46 +0100)] 
kernel: update to 4.14.101

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
9 months ago core128: Ship kdig
Michael Tremer [Wed, 13 Feb 2019 11:32:00 +0000 (11:32 +0000)] 
core128: Ship kdig

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
9 months ago knot: Reduced version of knot with kdig only
Erik Kapfer [Sat, 9 Feb 2019 07:41:15 +0000 (08:41 +0100)] 
knot: Reduced version of knot with kdig only

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
9 months ago core128: Ship libedit
Michael Tremer [Wed, 13 Feb 2019 11:31:24 +0000 (11:31 +0000)] 
core128: Ship libedit

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
9 months ago libedit: A command line editor library
Erik Kapfer [Sat, 9 Feb 2019 07:41:14 +0000 (08:41 +0100)] 
libedit: A command line editor library

Dependency for knot (kdig).

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
9 months ago powertop: Update to 2.10
Matthias Fischer [Sun, 10 Feb 2019 19:13:17 +0000 (20:13 +0100)] 
powertop: Update to 2.10

Hi,

Triggered by:
https://forum.ipfire.org/viewtopic.php?f=69&t=22274

For details see:
https://01.org/powertop/downloads/powertop-v2.10

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
9 months ago dhcpcd: Update to 7.1.1
Matthias Fischer [Sat, 9 Feb 2019 09:59:08 +0000 (10:59 +0100)] 
dhcpcd: Update to 7.1.1

For details see:
https://roy.marples.name/blog/dhcpcd-7-1-1-released

"A minor update, highlights include:

 IPv4LL: Fixed build with this disabled
 IPv4LL: Remember last address between carrier resets
 BSD: Fixed initial link infos reported as LINK_STATE_UNKNOWN
 FreeBSD: Avoid panicking kernel when RTA_IFP is set for IPv6 prefix routes"

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
9 months ago curl: Update to 7.64.0
Matthias Fischer [Sat, 9 Feb 2019 09:37:22 +0000 (10:37 +0100)] 
curl: Update to 7.64.0

Hi,

For details see:
https://curl.haxx.se/changes.html

This came rather unexpected - if I'd known, I'd have waited with 7.63.0.

"Changes:
cookies: leave secure cookies alone
hostip: support wildcard hosts
http: Implement trailing headers for chunked transfers
http: added options for allowing HTTP/0.9 responses
timeval: Use high resolution timestamps on Windows

Bugfixes:
CVE-2018-16890: NTLM type-2 out-of-bounds buffer read
CVE-2019-3822: NTLMv2 type-3 header stack buffer overflow
CVE-2019-3823: SMTP end-of-response out-of-bounds read
FAQ: remove mention of sourceforge for github
OS400: handle memory error in list conversion
OS400: upgrade ILE/RPG binding.
README: add codacy code quality badge
Revert http_negotiate: do not close connection
THANKS: added several missing names from year <= 2000
build: make 'tidy' target work for metalink builds
cmake: added checks for variadic macros
cmake: updated check for HAVE_POLL_FINE to match autotools
cmake: use lowercase for function name like the rest of the code
configure: detect xlclang separately from clang
configure: fix recv/send/select detection on Android
configure: rewrite --enable-code-coverage
conncache_unlock: avoid indirection by changing input argument type
cookie: fix comment typo
cookies: allow secure override when done over HTTPS
cookies: extend domain checks to non psl builds
cookies: skip custom cookies when redirecting cross-site
curl --xattr: strip credentials from any URL that is stored
curl -J: refuse to append to the destination file
curl/urlapi.h: include "curl.h" first
curl_multi_remove_handle() don't block terminating c-ares requests
darwinssl: accept setting max-tls with default min-tls
disconnect: separate connections and easy handles better
disconnect: set conn->data for protocol disconnect
docs/version.d: mention MultiSSL
docs: fix the --tls-max description
docs: use $(INSTALL_DATA) to install man page
docs: use meaningless port number in CURLOPT_LOCALPORT example
gopher: always include the entire gopher-path in request
http2: clear pause stream id if it gets closed
if2ip: remove unused function Curl_if_is_interface_name
libssh: do not let libssh create socket
libssh: enable CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION for libssh
libssh: free sftp_canonicalize_path() data correctly
libtest/stub_gssapi: use "real" snprintf
mbedtls: use VERIFYHOST
multi: multiplexing improvements
multi: set the EXPIRE_*TIMEOUT timers at TIMER_STARTSINGLE time
ntlm: fix NTLMv2 compliance
ntlm_sspi: add support for channel binding
openssl: adapt to 3.0.0, OpenSSL_version_num() is deprecated
openssl: fix the SSL_get_tlsext_status_ocsp_resp call
openvms: fix OpenSSL discovery on VAX
openvms: fix typos in documentation
os400: add a missing closing bracket
os400: fix extra parameter syntax error
pingpong: change default response timeout to 120 seconds
pingpong: ignore regular timeout in disconnect phase
printf: fix format specifiers
runtests.pl: Fix perl call to include srcdir
schannel: fix compiler warning
schannel: preserve original certificate path parameter
schannel: stop calling it "winssl"
sigpipe: if mbedTLS is used, ignore SIGPIPE
smb: fix incorrect path in request if connection reused
ssh: log the libssh2 error message when ssh session startup fails
test1558: verify CURLINFO_PROTOCOL on file:// transfer
test1561: improve test name
test1653: make it survive torture tests
tests: allow tests to pass by 2037-02-12
tests: move objnames-* from lib into tests
timediff: fix math for unsigned time_t
timeval: Disable MSVC Analyzer GetTickCount warning
tool_cb_prg: avoid integer overflow
travis: added cmake build for osx
urlapi: Fix port parsing of eol colon
urlapi: distinguish possibly empty query
urlapi: fix parsing ipv6 with zone index
urldata: rename easy_conn to just conn
winbuild: conditionally use /DZLIB_WINAPI
wolfssl: fix memory-leak in threaded use
spnego_sspi: add support for channel binding"

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
9 months ago kernel: update to 4.14.98
Arne Fitzenreiter [Fri, 8 Feb 2019 19:50:37 +0000 (20:50 +0100)] 
kernel: update to 4.14.98

todo: check if RPi dwc dma patch still needs to be reverted before release

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
9 months ago borgbackup: Fix build on i586
Matthias Fischer [Fri, 8 Feb 2019 11:01:42 +0000 (12:01 +0100)] 
borgbackup: Fix build on i586

Fixes

...
'/usr/src/config/rootfiles/packages//borgbackup' -> '/install/packages/package/ROOTFILES'
tar: usr/lib/python3.6/site-packages/borg/chunker.cpython-36m-i586-linux-gnu.so: Cannot stat: No such file or directory
tar: usr/lib/python3.6/site-packages/borg/compress.cpython-36m-i586-linux-gnu.so: Cannot stat: No such file or directory
tar: usr/lib/python3.6/site-packages/borg/crypto.cpython-36m-i586-linux-gnu.so: Cannot stat: No such file or directory
tar: usr/lib/python3.6/site-packages/borg/hashindex.cpython-36m-i586-linux-gnu.so: Cannot stat: No such file or directory
tar: usr/lib/python3.6/site-packages/borg/platform_linux.cpython-36m-i586-linux-gnu.so: Cannot stat: No such file or directory
tar: Exiting with failure status due to previous errors
make: *** [borgbackup:58: dist] Error 2
...

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
9 months ago python3-llfuse: Fix build on i586
Matthias Fischer [Fri, 8 Feb 2019 10:57:47 +0000 (11:57 +0100)] 
python3-llfuse: Fix build on i586

Fixes

"tar: usr/lib/python3.6/site-packages/llfuse.cpython-36m-i586-linux-gnu.so:
Cannot stat: No such file or directory"

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
9 months ago core128: Ship updated firewall initscript
Michael Tremer [Thu, 7 Feb 2019 15:13:50 +0000 (15:13 +0000)] 
core128: Ship updated firewall initscript

Require reboot after the update

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
9 months ago apply default firewall policy for ORANGE, too
Peter Müller [Wed, 6 Feb 2019 21:00:00 +0000 (21:00 +0000)] 
apply default firewall policy for ORANGE, too

If firewall default policy is set to DROP, this setting was not
applied to outgoing ORANGE traffic as well, which was misleading.

Fixes #11973

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Cc: Michael Tremer <michael.tremer@ipfire.org>
Cc: Oliver Fuhrer <oliver.fuhrer@bluewin.ch>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
9 months ago Tor: update to 0.3.5.7
Peter Müller [Wed, 6 Feb 2019 19:21:00 +0000 (19:21 +0000)] 
Tor: update to 0.3.5.7

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
9 months ago strongswan: Do not create any NAT rules when using VTI/GRE
Michael Tremer [Mon, 4 Feb 2019 18:38:24 +0000 (18:38 +0000)] 
strongswan: Do not create any NAT rules when using VTI/GRE

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
9 months ago Drop "OpenVPN" part from VPN N2N stats page
Michael Tremer [Tue, 22 Jan 2019 13:19:00 +0000 (13:19 +0000)] 
Drop "OpenVPN" part from VPN N2N stats page

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
9 months ago Add routed IPsec connections to traffic graphs section
Michael Tremer [Tue, 22 Jan 2019 13:15:48 +0000 (13:15 +0000)] 
Add routed IPsec connections to traffic graphs section

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
9 months ago firewall: Write correct rules bound to interface for routes IPsec tunnels
Michael Tremer [Tue, 22 Jan 2019 12:46:53 +0000 (12:46 +0000)] 
firewall: Write correct rules bound to interface for routes IPsec tunnels

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
9 months ago ipsec-interfaces: Resolve any remote hostnames
Michael Tremer [Tue, 22 Jan 2019 11:34:49 +0000 (11:34 +0000)] 
ipsec-interfaces: Resolve any remote hostnames

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
9 months ago ipsec-interfaces: Move conditional block into the loop
Michael Tremer [Tue, 22 Jan 2019 11:26:32 +0000 (11:26 +0000)] 
ipsec-interfaces: Move conditional block into the loop

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
9 months ago ipsec: Drop delayed restart setting
Michael Tremer [Mon, 21 Jan 2019 17:40:12 +0000 (17:40 +0000)] 
ipsec: Drop delayed restart setting

This is a very bad race-condition situation and is not solved by
an unintuitive setting.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
9 months ago ipsec: Drop VPN_IP setting
Michael Tremer [Mon, 21 Jan 2019 17:08:57 +0000 (17:08 +0000)] 
ipsec: Drop VPN_IP setting

This is now a per-connection setting

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
9 months ago ipsec: Add translation strings for recent changes
Michael Tremer [Mon, 21 Jan 2019 16:52:39 +0000 (16:52 +0000)] 
ipsec: Add translation strings for recent changes

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
9 months ago ipsec-*: Name some more configuration variables
Michael Tremer [Mon, 21 Jan 2019 16:44:03 +0000 (16:44 +0000)] 
ipsec-*: Name some more configuration variables

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
9 months ago ipsec-interfaces: Uses local IP address from connection first, then default
Michael Tremer [Mon, 21 Jan 2019 16:41:16 +0000 (16:41 +0000)] 
ipsec-interfaces: Uses local IP address from connection first, then default

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
9 months ago ipsec-policy: Correct open ports for connections on aliases
Michael Tremer [Mon, 21 Jan 2019 16:33:53 +0000 (16:33 +0000)] 
ipsec-policy: Correct open ports for connections on aliases

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
9 months ago ipsec: Allow to select local IP address used for peer on UI
Michael Tremer [Mon, 21 Jan 2019 16:20:13 +0000 (16:20 +0000)] 
ipsec: Allow to select local IP address used for peer on UI

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
9 months ago ipsec: Re-arrange inputs for peer addresses, subnets, etc.
Michael Tremer [Mon, 21 Jan 2019 15:36:16 +0000 (15:36 +0000)] 
ipsec: Re-arrange inputs for peer addresses, subnets, etc.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
9 months ago ipsec: Don't allow to select VTI in transport mode
Michael Tremer [Mon, 21 Jan 2019 15:32:08 +0000 (15:32 +0000)] 
ipsec: Don't allow to select VTI in transport mode

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
9 months ago vpnmain.cgi: Don't populate GREEN subnet when green doesn't exist
Michael Tremer [Mon, 21 Jan 2019 14:34:19 +0000 (14:34 +0000)] 
vpnmain.cgi: Don't populate GREEN subnet when green doesn't exist

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
9 months ago ipsec-interfaces: Fix typo in variable name
Michael Tremer [Wed, 16 Jan 2019 19:29:25 +0000 (20:29 +0100)] 
ipsec-interfaces: Fix typo in variable name

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
9 months ago strongswan: No longer create any routes automatically
Michael Tremer [Wed, 9 Jan 2019 19:23:42 +0000 (20:23 +0100)] 
strongswan: No longer create any routes automatically

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
9 months ago ipsec: Filter better for GRE/VTI interfaces
Michael Tremer [Wed, 9 Jan 2019 19:10:02 +0000 (20:10 +0100)] 
ipsec: Filter better for GRE/VTI interfaces

This tried to delete the GREEN interface before

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
9 months ago ipsec: TTL only applies for GRE interfaces and not VTI
Michael Tremer [Wed, 9 Jan 2019 18:56:01 +0000 (19:56 +0100)] 
ipsec: TTL only applies for GRE interfaces and not VTI

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
9 months ago ipsec: Find correct RED IP address when using %defaultroute
Michael Tremer [Wed, 9 Jan 2019 18:52:46 +0000 (19:52 +0100)] 
ipsec: Find correct RED IP address when using %defaultroute

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
9 months ago ipsec: Log a message when an interface could not be created
Michael Tremer [Wed, 9 Jan 2019 18:52:24 +0000 (19:52 +0100)] 
ipsec: Log a message when an interface could not be created

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
9 months ago ipsec-interfaces: Don't add any interfaces when IPsec is disabled
Michael Tremer [Mon, 10 Dec 2018 16:57:12 +0000 (16:57 +0000)] 
ipsec-interfaces: Don't add any interfaces when IPsec is disabled

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
9 months ago Revert "ipsec-interfaces: Run when IPsec is disabled"
Michael Tremer [Mon, 10 Dec 2018 16:55:53 +0000 (16:55 +0000)] 
Revert "ipsec-interfaces: Run when IPsec is disabled"

This reverts commit 3c3a1cfdb9b473fae9b792e8c211c9940fafc658.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
9 months ago vpnmain.cgi: Move advanced IPsec settings to connection page
Michael Tremer [Mon, 10 Dec 2018 16:44:06 +0000 (16:44 +0000)] 
vpnmain.cgi: Move advanced IPsec settings to connection page

This is required to make the initial setup easier for GRE/VTI connections

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
9 months ago ipsec-interfaces: Run when IPsec is disabled
Michael Tremer [Mon, 10 Dec 2018 16:08:58 +0000 (16:08 +0000)] 
ipsec-interfaces: Run when IPsec is disabled

This needs to run even when IPsec is disabled to remove
any interfaces

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
9 months ago ipsec-interfaces: Use correct righthost variable
Michael Tremer [Mon, 10 Dec 2018 16:01:00 +0000 (16:01 +0000)] 
ipsec-interfaces: Use correct righthost variable

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
9 months ago IPsec: Do not allow 0.0.0.0/0 as remote subnet
Michael Tremer [Wed, 5 Dec 2018 17:10:16 +0000 (17:10 +0000)] 
IPsec: Do not allow 0.0.0.0/0 as remote subnet

This renders the whole machine inaccessible

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
9 months ago network: Create IPsec interfaces when network is brought up
Michael Tremer [Wed, 5 Dec 2018 16:24:52 +0000 (16:24 +0000)] 
network: Create IPsec interfaces when network is brought up

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
9 months ago ipsecctrl: Call ipsec-interfaces script when turning up/shutting down connections
Michael Tremer [Wed, 5 Dec 2018 16:23:06 +0000 (16:23 +0000)] 
ipsecctrl: Call ipsec-interfaces script when turning up/shutting down connections

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
9 months ago IPsec: Add (experimental) script that creates GRE/VTI interfaces
Michael Tremer [Wed, 5 Dec 2018 16:12:48 +0000 (16:12 +0000)] 
IPsec: Add (experimental) script that creates GRE/VTI interfaces

Signed-off-by: root <root@interim-edge-a.ec2.internal>
9 months ago IPsec: Use left/rightprotoport in GRE mode
Michael Tremer [Mon, 3 Dec 2018 11:21:29 +0000 (11:21 +0000)] 
IPsec: Use left/rightprotoport in GRE mode

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
9 months ago ipsecctrl: Don't wait when a connection is to be started
Michael Tremer [Thu, 29 Nov 2018 16:12:45 +0000 (16:12 +0000)] 
ipsecctrl: Don't wait when a connection is to be started

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
9 months ago ipsec-policy: Don't install any block rules for connections with an interface
Michael Tremer [Thu, 29 Nov 2018 16:00:52 +0000 (16:00 +0000)] 
ipsec-policy: Don't install any block rules for connections with an interface

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
9 months ago ipsec-policy: Permit GRE traffic for GRE connections
Michael Tremer [Thu, 29 Nov 2018 15:58:55 +0000 (15:58 +0000)] 
ipsec-policy: Permit GRE traffic for GRE connections

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
9 months ago ipsec-policy: Variables don't match those from the CGI
Michael Tremer [Thu, 29 Nov 2018 15:58:39 +0000 (15:58 +0000)] 
ipsec-policy: Variables don't match those from the CGI

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
9 months ago ipsec-policy: Parse all configuration settings
Michael Tremer [Thu, 29 Nov 2018 15:45:52 +0000 (15:45 +0000)] 
ipsec-policy: Parse all configuration settings

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
9 months ago IPsec: Move opening ports from ipsecctrl into ipsec-policy script
Michael Tremer [Thu, 29 Nov 2018 15:43:39 +0000 (15:43 +0000)] 
IPsec: Move opening ports from ipsecctrl into ipsec-policy script

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
9 months ago IPsec: Rename ipsec-block script to ipsec-policy
Michael Tremer [Thu, 29 Nov 2018 15:04:28 +0000 (15:04 +0000)] 
IPsec: Rename ipsec-block script to ipsec-policy

This is a more general name for a script that will be extended
soon to do more than just add blocking rules.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
9 months ago IPsec: Update ipsec.conf for GRE/VTI changes
Michael Tremer [Wed, 28 Nov 2018 20:37:32 +0000 (20:37 +0000)] 
IPsec: Update ipsec.conf for GRE/VTI changes

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
9 months ago IPsec: Add UI for set interface MTU
Michael Tremer [Wed, 28 Nov 2018 14:46:15 +0000 (14:46 +0000)] 
IPsec: Add UI for set interface MTU

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
9 months ago IPsec: Add option to configure IP address for tunnel interface
Michael Tremer [Wed, 28 Nov 2018 14:38:11 +0000 (14:38 +0000)] 
IPsec: Add option to configure IP address for tunnel interface

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
9 months ago IPsec: Set default inactivity timeout to half an hour
Michael Tremer [Wed, 28 Nov 2018 14:24:03 +0000 (14:24 +0000)] 
IPsec: Set default inactivity timeout to half an hour

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
9 months ago IPsec: New connections should default to on-demand mode
Michael Tremer [Wed, 28 Nov 2018 14:23:26 +0000 (14:23 +0000)] 
IPsec: New connections should default to on-demand mode

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
9 months ago IPsec: Add dropdown to select tunnel interface mode
Michael Tremer [Wed, 28 Nov 2018 14:21:33 +0000 (14:21 +0000)] 
IPsec: Add dropdown to select tunnel interface mode

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
9 months ago vpnmain.cgi: Correctly carry over INACTIVITY_TIMEOUT
Michael Tremer [Wed, 28 Nov 2018 14:07:30 +0000 (14:07 +0000)] 
vpnmain.cgi: Correctly carry over INACTIVITY_TIMEOUT

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
9 months ago IPsec: Write tunnel/transport mode to strongSwan configuration
Michael Tremer [Tue, 27 Nov 2018 18:42:07 +0000 (18:42 +0000)] 
IPsec: Write tunnel/transport mode to strongSwan configuration

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
9 months ago IPsec: Add selection for transport/tunnel mode
Michael Tremer [Tue, 27 Nov 2018 18:38:51 +0000 (18:38 +0000)] 
IPsec: Add selection for transport/tunnel mode

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
9 months ago python3-msgpack: Fix build on i586
Jonatan Schlag [Tue, 5 Feb 2019 18:33:31 +0000 (18:33 +0000)] 
python3-msgpack: Fix build on i586

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
9 months ago python3-dateutil: Update rootfiles
Michael Tremer [Mon, 4 Feb 2019 07:00:13 +0000 (07:00 +0000)] 
python3-dateutil: Update rootfiles

Changed because of new python3-setuptools

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
9 months ago core128: Ship updated dhcpcd
Michael Tremer [Mon, 4 Feb 2019 00:40:02 +0000 (00:40 +0000)] 
core128: Ship updated dhcpcd

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
9 months ago dhcpcd: Update to 7.1.0
Matthias Fischer [Mon, 4 Feb 2019 17:38:44 +0000 (18:38 +0100)] 
dhcpcd: Update to 7.1.0

For some information about this update see:
https://roy.marples.name/blog/dhcpcd-7-1-0-released

"dhcpcd-7.1.0 has been released with the following changes:

- OpenBSD: works alongside slaacd(8)
- NetBSD: sets SO_RERROR on to detect receive socket overflow
- BSD: route improvements to avoid listening for own changes
- Linux: use NETLINK_BROADCAST_ERROR
- BSD: avoid late address deletion messages by testing address existence
- IP6: implement IP6 address sharing
- BSD: catch UP/DOWN events when interfaces does support media changes
- IPv4LL: remember old address when carrier is lost

Many other minor fixes and documentation updates have been submitted by various
community members for this release..."

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
9 months ago core128: Ship updated curl
Michael Tremer [Mon, 4 Feb 2019 00:15:24 +0000 (00:15 +0000)] 
core128: Ship updated curl

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>