SNAT and DNAT should consider interface settings. #48
E.g. useful if you only want to SNAT on red.
Could you please open a bug report on the IPFire bug tracker and elaborate a bit more about why you need this and what it is supposed to do?
red is a /29 subnet. I use different external IPs for green, blue and DMZ. green is using the main IP, blue and DMZ are using aliases on red. To ensure that outgoing traffic from blue and DMZ origin from the according alias IP address, I set up SNAT for traffic from BLUE to the internet (and DMZ to the internet respectively). If I set up a firewall rule in the GUI from DMZ -> red with SNAT to the alias IP, the iptables entry is the following:
instead of
This means that SNAT is also "active" for traffic from DMZ to blue/green, which is not what users would expect if they explicitly set the rule for DMZ to red.
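As an added illustration of the behaviour described in the comment above (not code from this PR or from IPFire), the following Python model shows why a POSTROUTING SNAT rule generated without `-o` also rewrites DMZ traffic headed for blue or green, while the interface-bound rule only touches packets that actually leave via red. The interface names (red0, blue0, orange0, green0), the zone subnets and the alias address are constructed assumptions; the DNAT case from the later comment is the same check with `-i` on PREROUTING.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample addressing for an IPFire-style box (assumed names and
# values; the original report only says "red is a /29" and names the zones).
ZONES = {
    "green0": ip_network("192.168.1.0/24"),
    "blue0": ip_network("192.168.2.0/24"),
    "orange0": ip_network("192.168.3.0/24"),  # DMZ
}
RED_IFACE = "red0"
DMZ_ALIAS = "203.0.113.11"  # alias on red that DMZ traffic should appear from


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    out_iface: str  # interface the routing decision picked


@dataclass(frozen=True)
class SnatRule:
    """Subset of an iptables POSTROUTING rule:
    -s <src_net> [-o <out_iface>] -j SNAT --to-source <to_source>"""
    src_net: str
    to_source: str
    out_iface: Optional[str] = None  # None models a rule generated without '-o'

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in ip_network(self.src_net):
            return False
        # An unbound rule matches on every outgoing interface; a bound rule
        # only matches when the packet really leaves via that interface.
        return self.out_iface is None or self.out_iface == pkt.out_iface


def route_iface(dst: str) -> str:
    """Toy routing decision: zone subnets route to their zone, all else to red."""
    for iface, net in ZONES.items():
        if ip_address(dst) in net:
            return iface
    return RED_IFACE


def apply_snat(rule: SnatRule, src: str, dst: str) -> str:
    """Return the source address the destination sees once the rule has run."""
    pkt = Packet(src, dst, route_iface(dst))
    return rule.to_source if rule.matches(pkt) else src


# Rule as generated before the fix (no '-o') and after it (bound to red0).
UNBOUND_RULE = SnatRule("192.168.3.0/24", DMZ_ALIAS)
BOUND_RULE = SnatRule("192.168.3.0/24", DMZ_ALIAS, out_iface=RED_IFACE)

if __name__ == "__main__":
    dmz_host, internet_host, blue_host = "192.168.3.10", "198.51.100.5", "192.168.2.20"
    for name, rule in (("without -o", UNBOUND_RULE), ("with -o red0", BOUND_RULE)):
        print(f"{name:13} DMZ->internet seen from {apply_snat(rule, dmz_host, internet_host)}")
        print(f"{name:13} DMZ->blue     seen from {apply_snat(rule, dmz_host, blue_host)}")
```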
This PR can be closed now since this bug has been fixed w/ 306098a, however DNAT should be bound to an (incoming) interface, too...
- Update from 2.3.3 to 2.3.3op2
- OpenPrinting statement from March 2021:
  CUPS has new home at OpenPrinting
  Due to the fact that CUPS development at Apple has stopped since the beginning of 2020 we had forked CUPS some months ago to incorporate patches and fixes from the distributions. As Apple did not resume the upstream work on CUPS, we have made OpenPrinting now the official upstream home for CUPS. This especially means that we can now continue developing CUPS, independent of Apple. So we can add features and lead CUPS into the new architecture without PPD files and with Printer Applications. CUPS has a new home page now and what was formerly our fork is now the official CUPS repository. Upcoming releases will be of the new 2.4.x series, without “opX” suffix as now. Also all documentation files which come with it are updated to point to the OpenPrinting resources.
- Update of rootfile not required.
- Changelog
  Changes in CUPS v2.3.3op2
  - Security: Fixed a buffer (read) overflow in the `ippReadIO` function (CVE-2020-10001)
  - Clarified the documentation for the "Listen" directive (Issue #53)
  - Fixed duplicate ColorModel entries for AirPrint printers (Issue 59)
  - Fixed directory/permission defaults for Debian kfreebsd-based systems (Issue #60, Issue #61)
  - Fixed crash bug in `ppdOpen` (Issue #64, Issue #78)
  - Fixed regression in `snprintf` emulation function (Issue #67)
  - The scheduler's systemd service file now waits for the nslcd service to start (Issue #69)
  - The libusb-based USB backend now uses a simpler read timer implementation to avoid a regression in a previous change (Issue #72)
  - The PPD caching code now only tracks the `APPrinterIconPath` value on macOS (Issue #73)
  - Fixed segfault in help.cgi when searching in man pages (Issue #81)
  - Root certificates were incorrectly stored in "~/.cups/ssl".
  Changes in CUPS v2.3.3op1
  - The automated test suite can now be activated using `make test` for consistency with other projects and CI environments - the old `make check` continues to work as well, and the previous test server behavior can be accessed by running `make testserver`.
  - ippeveprinter now supports multiple icons and strings files.
  - ippeveprinter now uses the system's FQDN with Avahi.
  - ippeveprinter now supports Get-Printer-Attributes on "/".
  - ippeveprinter now uses a deterministic "printer-uuid" value.
  - ippeveprinter now uses system sounds on macOS for Identify-Printer.
  - Updated ippfind to look for files in "~/Desktop" on Windows.
  - Updated ippfind to honor `SKIP-XXX` directives with `PAUSE`.
  - Updated IPP Everywhere support to work around printers that only advertise color raster support but really also support grayscale (Issue #1)
  - ipptool now supports DNS-SD URIs like `ipps://My%20Printer._ipps._tcp.local` (Issue #5)
  - The scheduler now allows root backends to have world read permissions but not world execute permissions (Issue #21)
  - Failures to bind IPv6 listener sockets no longer cause errors if IPv6 is disabled on the host (Issue #25)
  - The SNMP backend now supports the HP and Ricoh vendor MIBs (Issue #28)
  - The scheduler no longer includes a timestamp in files it writes (Issue #29)
  - The systemd service names are now "cups.service" and "cups-lpd.service" (Issue #30, Issue #31)
  - The scheduler no longer adds the local hostname to the ServerAlias list (Issue #32)
  - Added `LogFileGroup` directive in "cups-files.conf" to control the group owner of log files (Issue #34)
  - Added `--with-max-log-size` configure option (Issue #35)
  - Added `--enable-sync-on-close` configure option (Issue #37)
  - Added `--with-error-policy` configure option (Issue #38)
  - IPP Everywhere PPDs could have an "unknown" default InputSlot (Issue #44)
  - The `httpAddrListen` function now uses a listen backlog of 128.
  - Added USB quirks (Apple issue #5789, #5823, #5831)
  - Fixed IPP Everywhere v1.1 conformance issues in ippeveprinter.
  - Fixed DNS-SD name collision support in ippeveprinter.
  - Fixed compiler and code analyzer warnings.
  - Fixed TLS support on Windows.
  - Fixed ippfind sub-type searches with Avahi.
  - Fixed the default hostname used by ippeveprinter on macOS.
  - Fixed resolution of local IPP-USB printers with Avahi.
  - Fixed coverity issues (Issue #2)
  - Fixed `httpAddrConnect` issues (Issue #3)
  - Fixed web interface device URI issue (Issue #4)
  - Fixed lp/lpr "printer/class not found" error reporting (Issue #6)
  - Fixed xinetd support for LPD clients (Issue #7)
  - Fixed libtool build issue (Issue #11)
  - Fixed a memory leak in the scheduler (Issue #12)
  - Fixed a potential integer overflow in the PPD hashing code (Issue #13)
  - Fixed output-bin and print-quality handling issues (Issue #18)
  - Fixed PPD options getting mapped to odd IPP values like "tray---4" (Issue #23)
  - Fixed remote access to the cupsd.conf and log files (Issue #24)
  - Fixed the automated test suite when running in certain build/CI environments (Issue #25)
  - Fixed a logging regression caused by a previous change for Apple issue #5604 (Issue #25)
  - Fixed fax phone number handling with GNOME (Issue #40)
  - Fixed potential rounding error in rastertopwg filter (Issue #41)
  - Fixed the "uri-security-supported" value from the scheduler (Issue #42)
  - Fixed IPP backend crash bug with "printer-alert" values (Issue #43)
  - Removed old Solaris inetconv(1m) reference in cups-lpd man page (Issue #46)
  - Fixed default options that incorrectly use the "custom" prefix (Issue #48)
  - Fixed a memory leak when resolving DNS-SD URIs (Issue #49)
  - Fixed systemd status reporting by adopting the notify interface (Issue #51)
  - Fixed crash in rastertopwg (Apple issue #5773)
  - Fixed cupsManualCopies values in IPP Everywhere PPDs (Apple issue #5807)

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from 2.8.8 to 2.10.0
- Update of rootfile carried out
- Changelog
  2.10.0:
  [ tatsuz ]
  * updated Visual Studio projects to VS 2019 (#54)
  [ Fabian Greffrath ]
  * mp4read.c: fix stack-buffer-overflow in stringin()/ftypin()
  * fix heap-buffer-overflow in mp4read.c
  [ Clayton Smith ]
  * Remove non-ASCII characters
  * Remove trailing whitespace
  [ Andrew Wesie ]
  * Check return value of ltp_data.
  * Restrict SBR frame length to 960 and 1024 samples.
  * Support object type 29.
  * Support implicit SBR signaling in frontend.
  * Fix PNS decoding when only right channel is noise.
  * Initialize element_id array with an invalid id.
  * Fix NULL pointer dereferences.
  * Fix infinite loop in adts_parse.
  * Fix infinite loop in huffman_getescape.
  * Check for error after each channel decode.
  * Check for inconsistent number of channels.
  2.9.2:
  [ Michał Janiszewski ]
  * Only use x86-assembly when explicitly on x86
  * Use unsigned integers correctly
  * Initialize pointers that might otherwise not be
  [ Fabian Greffrath ]
  * update README esp. WRT directory structure
  [ Rosen Penev ]
  * fix compilation without SBR/PS_DEC (#48)
  * fix compilation with LC_ONLY_DECODER (#47)
  [ Fabian Greffrath ]
  * fix "inline function 'cfftf1' declared but never defined" compiler warning
  * fix some inconsistencies in the frontend output
  * mp4read_open: add check for failed frame buffer allocation
  * stszin: add check for allocation error and integer overflow
  * add a pkg-config file
  [ Stefan Pöschel ]
  * frontend: address compile warning + add missing LF (#50)
  [ François Cartegnie ]
  * library name is faad (#52)
  * Unbreak PS audio (#51)
  2.9.1:
  [ Fabian Greffrath ]
  * Include stdio.h in libfaad/ps_dec.c for stderr (Michael Fink)
  * Fix Tille -> Title typo in frontend/mp4read.c (Alexander Thomas)
  2.9.0:
  [ Krzysztof Nikiel ]
  * Build system fixes and code clean-up
  [ LoRd_MuldeR ]
  * Fix compiler warnings and code indentation
  * Fix compilation with GCC <= 4.7.3
  * MSVC solution file clean-up
  [ Cameron Cawley ]
  * Fix compilation with GCC 4.7.4
  * Fix compilation with MinGW
  [ Michael Fink ]
  * MSVC 2017 project file update
  [ Hugo Lefeuvre ]
  * Fix crash with unsupported MP4 files (NULL pointer dereference, division by zero)
  * CVE-2019-6956: ps_dec: sanitize iid_index before mixing
  * CVE-2018-20196: sbr_fbt: sanitize sbr->M (should not exceed MAX_M)
  * CVE-2018-20199, CVE-2018-20360: specrec: better handle unexpected parametric stereo (PS)
  * CVE-2018-20362, CVE-2018-19504, CVE-2018-20195, CVE-2018-20198, CVE-2018-20358: syntax.c: check for syntax element inconsistencies
  * CVE-2018-20194, CVE-2018-19503, CVE-2018-20197, CVE-2018-20357, CVE-2018-20359, CVE-2018-20361: sbr_hfadj: sanitize frequency band borders
  [ Hugo Beauzée-Luyssen ]
  * CVE-2019-15296, CVE-2018-19502: Fix a couple buffer overflows
  [ Filip Roséen ]
  * Prevent crash on SCE followed by CPE
  [ Gianfranco Costamagna ]
  * Fix linking with GCC 9 and "-Wl,--as-needed"
  [ Fabian Greffrath ]
  * Enable the frontend to be built reproducibly

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- Update from 1.9.9 to 1.9.10
- Update of rootfile not required
- Changelog
  What's new in Sudo 1.9.10
  * Added new "log_passwords" and "passprompt_regex" sudoers options. If "log_passwords" is disabled, sudo will attempt to prevent passwords from being logged. If sudo detects any of the regular expressions in the "passprompt_regex" list in the terminal output, sudo will log '*' characters instead of the terminal input until a newline or carriage return is found in the input or an output character is received.
  * Added new "log_passwords" and "passprompt_regex" settings to sudo_logsrvd that operate like the sudoers options when logging terminal input.
  * Fixed several bugs in the cvtsudoers utility when merging multiple sudoers sources.
  * Fixed a bug in sudo_logsrvd when parsing the sudo_logsrvd.conf file, where the "retry_interval" in the [relay] section was not being recognized.
  * Restored the pre-1.9.9 behavior of not performing authentication when sudo's -n option is specified. A new "noninteractive_auth" sudoers option has been added to enable PAM authentication in non-interactive mode. GitHub issue #131.
  * On systems with /proc, if the /proc/self/stat (Linux) or /proc/pid/psinfo (other systems) file is missing or invalid, sudo will now check file descriptors 0-2 to determine the user's terminal. Bug #1020.
  * Fixed a compilation problem on Debian kFreeBSD. Bug #1021.
  * Fixed a crash in sudo_logsrvd when running in relay mode if an alert message is received.
  * Fixed an issue that resulted in a "problem with defaults entries" email being sent if a user ran sudo when the sudoers entry in the nsswitch.conf file includes "sss" but no sudo provider is configured in /etc/sssd/sssd.conf. Bug #1022.
  * Updated the warning displayed when the invoking user is not allowed to run sudo. If sudo has been configured to send mail on failed attempts (see the mail_* flags in sudoers), it will now print "This incident has been reported to the administrator." If the "mailto" or "mailerpath" sudoers settings are disabled, the message will not be printed and no mail will be sent. GitHub issue #48.
  * Fixed a bug where the user-specified command timeout was not being honored if the sudoers rule did not also specify a timeout.
  * Added support for using POSIX extended regular expressions in sudoers rules. A command and/or arguments in sudoers are treated as a regular expression if they start with a '^' character and end with a '$'. The command and arguments are matched separately; either one (or both) may be a regular expression. Bug #578, GitHub issue #15.
  * A user may now only run "sudo -U otheruser -l" if they have a "sudo ALL" privilege where the RunAs user contains either "root" or "otheruser". Previously, having "sudo ALL" was sufficient, regardless of the RunAs user. GitHub issue #134.
  * The sudo lecture is now displayed immediately before the password prompt. As a result, sudo will no longer display the lecture unless the user needs to enter a password. Authentication methods that don't interact with the user via a terminal do not trigger the lecture.
  * Sudo now uses its own closefrom() emulation on Linux systems. The glibc version may not work in a chroot jail where /proc is not available. If close_range(2) is present, it will be used in preference to /proc/self/fd.

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- Update from v3.3.16 to v4.0.0
- added --disable-static to ./configure to remove static libs from rootfile
- Update of rootfile
- Changed lib name. Ran ./make.sh find-dependencies. No dependencies on old libraries
- Changelog
  procps-ng-4.0.0
  * Rename pwait to pidwait
  * free: Add committed line option merge #25
  * free: Fix -h --si combined options issue #133, #223
  * free: Fix first column justification issue #229, #204, #206, Debian #1001689
  * free: Better spacing for Chinese language issue #213
  * library: renamed to libproc-2 and reset to 0:0:0
  * library: add support for accessing smaps_rollup issue #112, #201
  * library: add support for accessing autogroups
  * library: add support for LIBPROC_HIDE_KERNEL env var merge #147
  * library: add support for cpu utilization to pids i/f
  * pkill: Check for lt- variants of program name issue #192
  * pgrep: Add newline after regex error message merge #91
  * pgrep: Fix selection where uid/gid > 2^31 merge !146
  * pgrep: Select on cgroup v2 paths issue #168
  * ps: Add OOM and OOMADJ fields issue #198
  * ps: Add IO Accounting fields issue #184
  * ps: Add PSS and USS fields issue #112
  * ps: Add two new autogroup fields
  * ps: Ignore SIGURG merge !142
  * slabtop: Don't combine d and o options issue #160
  * sysctl: Add support for systemd glob patterns issue #191
  * sysctl: Check resolved path to be under /proc/sys issue #179
  * sysctl: return non-zero if EINVAL return for write merge #76
  * sysctl.conf.5: Note max line length issue #77
  * top: added LOGID similar to 3.3.13 ps LUID
  * top: added EXE identical to 3.3.17 ps EXE
  * top: exploit some library smaps_rollup provisions issue #112
  * top: added four new IO accounting fields issue #184
  * top: 'F' key is now a new forest view 'focus' toggle
  * top: summary area memory lines can print two abreast
  * top: added two new autogroup fields
  * top: added long versions of command line options
  * top: added cpu utilization & 2 time related fields
  * top: the time related fields can now be user scaled
  * uptime: print short/pretty format correctly issue #217
  * vmstat: add -y option to remove first line merge !72
  procps-ng-3.3.17
  * library: Incremented to 8:3:0 (no removals or additions, internal changes only)
  * all: properly handle utf8 cmdline translations issue #176
  * kill: Pass int to signalled process merge #32
  * pgrep: Pass int to signalled process merge #32
  * pgrep: Check sanity of SG_ARG_MAX issue #152
  * pgrep: Add older than selection merge #79
  * pidof: Quiet mode merge #83
  * pidof: show worker threads Redhat #1803640
  * ps.1: Mention stime alias issue #164
  * ps: check also match on truncated 16 char comm names
  * ps: Add exe output option Redhat #1399206
  * pwait: New command waits for a process merge #97
  * sysctl: Match systemd directory order Debian #950788
  * sysctl: Document directory order Debian #951550
  * top: ensure config file backward compatibility Debian #951335
  * top: add command line 'e' for symmetry with 'E' issue #165
  * top: add '4' toggle for two abreast cpu display issue #172
  * top: add '!' toggle for combining multiple cpus
  * top: fix potential SEGV involving -p switch merge #114
  * vmstat: Wide mode gives wider proc columns merge #48
  * watch: Add environment variable for interval merge #62
  * watch: Add no linewrap option issue #182
  * watch: Support more colors merge #106,#109
  * free,uptime,slabtop: complain about extra ops issue #181

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- Update from 10.39 to 10.40
- Update of rootfile
- Changelog
  Version 10.40 15-April-2022
  1. Merged patch from @carenas (GitHub #35, 7db87842) to fix pcre2grep incorrect handling of multiple passes.
  2. Merged patch from @carenas (GitHub #36, dae47509) to fix portability issue in pcre2grep with buffered fseek(stdin).
  3. Merged patch from @carenas (GitHub #37, acc520924) to fix tests when -S is not supported.
  4. Revert an unintended change in JIT repeat detection.
  5. Merged patch from @carenas (GitHub #52, b037bfa1) to fix build on GNU Hurd.
  6. Merged documentation and comments patches from @carenas (GitHub #47).
  7. Merged patch from @carenas (GitHub #49) to remove obsolete JFriedl test code from pcre2grep.
  8. Merged patch from @carenas (GitHub #48) to fix CMake install issue #46.
  9. Merged patch from @carenas (GitHub #53) fixing NULL checks in matching and substituting.
  10. Add null_subject and null_replacement modifiers to pcre2test.
  11. Add check for NULL subject to POSIX regexec() function.
  12. Add check for NULL replacement to pcre2_substitute().
  13. For the subject arguments of pcre2_match(), pcre2_dfa_match(), and pcre2_substitute(), and the replacement argument of the latter, if the pointer is NULL and the length is zero, treat as an empty string. Apparently a number of applications treat NULL/0 in this way.
  14. Added support for Bidi_Class and a number of binary Unicode properties, including Bidi_Control.
  15. Fix some minor issues raised by clang sanitize.
  16. Very minor code speed up for maximizing character property matches.
  17. A number of changes to script matching for \p and \P:
      (a) Script extensions for a character are now coded as a bitmap instead of a list of script numbers, which should be faster and does not need a loop.
      (b) Added the syntax \p{script:xxx} and \p{script_extensions:xxx} (synonyms sc and scx).
      (c) Changed \p{scriptname} from being the same as \p{sc:scriptname} to being the same as \p{scx:scriptname} because this change happened in Perl at release 5.26.
      (d) The standard Unicode 4-letter abbreviations for script names are now recognized.
      (e) In accordance with Unicode and Perl's "loose matching" rules, spaces, hyphens, and underscores are ignored in property names, which are then matched independent of case.
  18. The Python scripts in the maint directory have been refactored. There are now three scripts that generate pcre2_ucd.c, pcre2_ucp.h, and pcre2_ucptables.c (which is #included by pcre2_tables.c). The data lists that used to be duplicated are now held in a single common Python module.
  19. On CHERI, and thus Arm's Morello prototype, pointers are represented as hardware capabilities, which consist of both an integer address and additional metadata, meaning they are twice the size of the platform's size_t type, i.e. 16 bytes on a 64-bit system. The ovector member of heapframe happens to only be 8 byte aligned, and so computing frame_size ended up with a multiple of 8 but not 16. Whilst the first frame was always suitably aligned, this then misaligned the frame that follows, resulting in an alignment fault when storing a pointer to Fecode at the start of match. Patch to fix this issue by Jessica Clarke PR#72.
  20. Added -LP and -LS listing options to pcre2test.
  21. A user discovered that the library names in CMakeLists.txt for MSVC debugger (PDB) files were incorrect - perhaps never tried for PCRE2?
  22. An item such as [Aa] is optimized into a caseless single character match. When this was quantified (e.g. [Aa]{2}) and was also the last literal item in a pattern, the optimizing "must be present for a match" character check was not being flagged as caseless, causing some matches that should have succeeded to fail.
  23. Fixed a unicode property matching issue in JIT. The character was not fully read in caseless matching.
  24. Fixed an issue affecting recursions in JIT caused by duplicated data transfers.
  25. Merged patch from @carenas (GitHub #96) which fixes some problems with pcre2test and readline/readedit:
      * Use the right header for libedit in FreeBSD with autoconf
      * Really allow libedit with cmake
      * Avoid using readline headers with libedit

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- Update from version 23.6 to 23.7
- Update of rootfile not required
- Changelog
  23.7
  * build-sys: Make disable-statx work
  * fuser: Fallback to stat() if no statx() Debian 1030747 #48
  * fuser: silently ignore EACCES when scanning proc directories
  * killall: small formatting fixes Debian #1037231
  * pstree: Do not assume root PID #49
  * pslog: include config.h #51 !36
  * misc: Update gettext to 0.21

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
I need an SNAT rule to be active only on red. Setting red as the outgoing interface won't set the SNAT rules accordingly. This fix solves that bug.
Same for the DNAT incoming interface.