diff -Nru netscript-2.4-5.4.11ubuntu1/debian/changelog netscript-2.4-5.5.2/debian/changelog --- netscript-2.4-5.4.11ubuntu1/debian/changelog 2015-12-07 20:01:51.000000000 +0000 +++ netscript-2.4-5.5.2/debian/changelog 2017-07-07 22:57:38.000000000 +0000 
@@ -1,12 +1,43 @@ -netscript-2.4 (5.4.11ubuntu1) xenial; urgency=low +netscript-2.4 (5.5.2) unstable; urgency=medium - * Merge from Debian unstable (LP: #1523653). Remaining changes: - - upstart: rename upstart scripts and install - - upstart: start netscript on 'or container', to let us optimize the - udevtrigger job. - - transitional package for netscripts-2.4-upstart. + * Fix sub-string interface name clashes. - -- Andy Whitcroft Mon, 07 Dec 2015 20:01:40 +0000 + -- Matthew Grant Sat, 08 Jul 2017 10:57:38 +1200 + +netscript-2.4 (5.5.1) unstable; urgency=medium + + * Don't hotplug bridges. Works around a kernel race. + * Add note to not default disable IPv6 for Openstack. + + -- Matthew Grant Tue, 27 Dec 2016 11:12:09 +1300 + +netscript-2.4 (5.5.0) unstable; urgency=medium + + * Add /etc/netscript/network.conf.d + * Add proper systemd support, and fixes + * Update changelog for 5.4.12~2.gbp2c652b release + * Update gbp.conf + * Convert ifupdown hotplug script for netscript + * Update changelog for 5.4.12~3.gbp183f7f release + * Add depends on lsb-base for init scripts + * Update changelog for 5.4.12~4.gbp7a776d release + * Update debhelper to v6 and deb standards to 3.9.8 + * Update changelog for 5.4.12~5.gbpa05941 release + * Update debhelper compat version to 10. + * Update changelog for 5.4.12~6.gbpe6fab5 release + * Fix network.conf.d include line in network.conf + * Convert inbrdr outbrdr to use ICMP RETURN chain. + * Update changelog for 5.4.12~7.gbpd5fe80 release + * Update changelog for 5.4.12~8.gbp323004 release + * Add IPV6 DAD wait address settle time on boot. + * Fix one line type in ipf6_icmphost exec function. + * Make Interface functions handle - in dev names + * Fix icmpv6 protocol psecfication in outbrdr + * More IPv6 CIMP filter fixes for inbrdr and outbrdr + * Fix IPv6 ipf6_log() icmpv6 rule + * Update changelog for 5.4.12~15.gbpc73267 release + + -- Matthew Grant Thu, 15 Dec 2016 23:13:59 +1300 netscript-2.4 (5.4.11) unstable; urgency=medium 
@@ -15,16 +46,6 @@ -- Matthew Grant Sun, 11 Oct 2015 08:06:44 +1300 -netscript-2.4 (5.4.10ubuntu1) wily; urgency=low - - * Merge from Debian unstable (LP: #1486804). Remaining changes: - - upstart: rename upstart scripts and install - - upstart: start netscript on 'or container', to let us optimize the - udevtrigger job. - - transitional package for netscripts-2.4-upstart. - - -- Andy Whitcroft Thu, 20 Aug 2015 03:08:40 +0100 - netscript-2.4 (5.4.10) unstable; urgency=medium * Fix /etc/init.d dependency loop with ifupdown (Closes: #717871) @@ -113,16 +134,6 @@ -- Matthew Grant Tue, 07 Jan 2014 17:58:40 +1300 -netscript-2.4 (5.3.0ubuntu1) trusty; urgency=low - - * Merge from Debian unstable. Remaining changes: - - debian/control: add isc-dhcp-client to Depends: - - debian/rules: reinstate the netscript-2.4-upstart support - - upstart: start netscript on 'or container', to let us optimize the - udevtrigger job. - - -- Andy Whitcroft Mon, 06 Jan 2014 14:08:24 +0000 - netscript-2.4 (5.3.0) unstable; urgency=medium * Add full IPv6 filter helper function support @@ -136,16 +147,6 @@ -- Matthew Grant Mon, 06 Jan 2014 13:12:28 +1300 -netscript-2.4 (5.2.12ubuntu1) raring; urgency=low - - * Merge from Debian unstable. Remaining changes: - - debian/control: add isc-dhcp-client to Depends: - - debian/rules: reinstate the netscript-2.4-upstart support - - upstart: start netscript on 'or container', to let us optimize the - udevtrigger job. - - -- Andy Whitcroft Wed, 14 Nov 2012 13:18:34 +0000 - netscript-2.4 (5.2.12) unstable; urgency=low * Fix missing quotes in brg_iface up call (Closes: #681641) 
@@ -169,20 +170,6 @@ -- Matthew Grant Sun, 19 Feb 2012 10:05:01 +1300 -netscript-2.4 (5.2.9ubuntu2) quantal; urgency=low - - * Switch dependancies from the now obsolete transitional package - dhcp3-client to the replacement isc-dhcp-client. - - -- Andy Whitcroft Wed, 11 Jul 2012 10:13:23 +0100 - -netscript-2.4 (5.2.9ubuntu1) precise; urgency=low - - * Start netscript on 'or container', to let us optimize the udevtrigger - job. - - -- Steve Langasek Wed, 04 Apr 2012 17:52:53 -0700 - netscript-2.4 (5.2.9) unstable; urgency=low * Made netscript depend on /bin/bash as it needs the ability to list @@ -330,7 +317,7 @@ * Fix init.d script dependency headers (Closes: 542246). -- Petter Reinholdtsen Sun, 13 Sep 2009 11:58:38 +0200 - + netscript-2.4 (5.1.7) unstable; urgency=low * Remove suggests entry in debian/control for waproamd. (Closes: #509392) @@ -395,6 +382,7 @@ -- Matthew Grant Sat, 18 Feb 2006 20:21:57 +0000 + netscript-2.4 (5.1.0) unstable; urgency=low * Added initial support for laptops and whereami. This still needs some @@ -807,4 +795,3 @@ Local variables: mode: debian-changelog End: - diff -Nru netscript-2.4-5.4.11ubuntu1/debian/compat netscript-2.4-5.5.2/debian/compat --- netscript-2.4-5.4.11ubuntu1/debian/compat 2015-10-11 04:29:42.000000000 +0000 +++ netscript-2.4-5.5.2/debian/compat 2016-12-07 05:45:04.000000000 +0000 @@ -1 +1 @@ -5 +10 diff -Nru netscript-2.4-5.4.11ubuntu1/debian/control netscript-2.4-5.5.2/debian/control --- netscript-2.4-5.4.11ubuntu1/debian/control 2015-12-07 19:54:41.000000000 +0000 +++ netscript-2.4-5.5.2/debian/control 2016-12-07 05:45:50.000000000 +0000 
@@ -1,18 +1,16 @@ Source: netscript-2.4 Section: net Priority: optional -Maintainer: Ubuntu Developers -XSBC-Original-Maintainer: Matthew Grant -Standards-Version: 3.9.6 -Build-Depends: debhelper (>= 7), dh-systemd +Maintainer: Matthew Grant +Standards-Version: 3.9.8 +Build-Depends: debhelper (>= 10), dh-systemd Package: netscript-2.4 Architecture: all -Depends: iproute2 | iproute (>= 20001007), bridge-utils (>= 0.9.3), iptables, netbase, bash (>= 2.03), isc-dhcp-client | dhcpcd | pump, ${misc:Depends} +Depends: iproute2 | iproute (>= 20001007), bridge-utils (>= 0.9.3), iptables, netbase, bash (>= 2.03), isc-dhcp-client | dhcpcd | pump, lsb-base, ${misc:Depends} Provides: netscript, ifupdown Conflicts: netscript, netscript-2.2, ifupdown, netscript-ipfilter -Breaks: netscript-2.4-upstart (<< 5.4.10) -Replaces: netscript-2.4-upstart (<< 5.4.10), netscript, ifupdown +Replaces: netscript, ifupdown Suggests: whereami, dnsmasq, resolvconf, wpasupplicant, wicd, quagga, radvd, bird Description: Linux 2.4/2.6/3.x router/firewall/VM host network config system. This is a router and firewall network configuration system. It is specific to 
@@ -39,15 +37,9 @@ lightweight scripting footprint. When it comes to firewall configuration though, have a look at the mason package if you are faint of heart. -Package: netscript-2.4-upstart -Architecture: all -Depends: netscript-2.4 (>= 5.4.10) -Description: Transitional package. - This package will alays depend on netscript-2.4 - Package: netscript-ipfilter Architecture: all -Depends: iptables, netbase, bash (>= 2.03), ${misc:Depends} +Depends: iptables, netbase, bash (>= 2.03), lsb-base, ${misc:Depends} Provides: netscript-ipfilter Conflicts: netscript-2.4 Description: Linux 2.6/3.x iptables management system. diff -Nru netscript-2.4-5.4.11ubuntu1/debian/copyright netscript-2.4-5.5.2/debian/copyright --- netscript-2.4-5.4.11ubuntu1/debian/copyright 2015-10-11 04:29:42.000000000 +0000 +++ netscript-2.4-5.5.2/debian/copyright 2016-12-06 22:35:45.000000000 +0000 
@@ -8,12 +8,19 @@ Copyright 1995-2000 Matthew Grant Portions copyright 1998,1999 David Cinege + 1999-2009 Anthony Towns + 2010-2015 Andrew Shadura + 2015 Guus Sliepen +License: GPL-2 -Produced with the support of Plain Communications Ltd, htp://www.plain.co.nz - -You are free to distribute and use this software under the terms of -the GNU General Public License. - -On Debian systems, the complete text of the GNU General Public -License can be found in /usr/share/common-licenses/GPL file. + Produced with the support of Plain Communications Ltd, htp://www.plain.co.nz + . + You are free to distribute and use this software under the terms of + the GNU General Public License. + . + Systemd setup and udev scripts copied and adapted from ifupdown 0.18.6, + which is licensed GPL 2+ + . + On Debian systems, the complete text of the GNU General Public + License can be found in /usr/share/common-licenses/GPL file. diff -Nru netscript-2.4-5.4.11ubuntu1/debian/gbp.conf netscript-2.4-5.5.2/debian/gbp.conf --- netscript-2.4-5.4.11ubuntu1/debian/gbp.conf 2015-10-11 04:29:42.000000000 +0000 +++ netscript-2.4-5.5.2/debian/gbp.conf 2016-12-06 22:55:02.000000000 +0000 @@ -2,11 +2,11 @@ #upstream-branch=master #debian-branch=deb-package -[git-buildpackage] +[buildpackage] #upstream-tag = v%(version)s #submodules = True -[git-dch] +[dch] spawn-editor = always commit = True diff -Nru netscript-2.4-5.4.11ubuntu1/debian/netscript-2.4.netscript-interface.upstart netscript-2.4-5.5.2/debian/netscript-2.4.netscript-interface.upstart --- netscript-2.4-5.4.11ubuntu1/debian/netscript-2.4.netscript-interface.upstart 2015-01-28 16:11:46.000000000 +0000 +++ netscript-2.4-5.5.2/debian/netscript-2.4.netscript-interface.upstart 1970-01-01 00:00:00.000000000 +0000 
@@ -1,31 +0,0 @@
-# network-interface - configure network device
-#
-# This service causes network devices to be brought up or down as a result
-# of hardware being added or removed, including that which isn't ordinarily
-# removable.
-#
-# Based on work by
-# Scott James Remnant Tue, 15 Sep 2009 03:30:29 +0100
-# copyright 2009 Canonical Limited. License GPL v2
-# changes for netscript-2.4
-# copyright 2011 Matthew Alexander Grant License GPL V2
-# Matthew Grant
-
-description "configure network device"
-
-start on stopped rc RUNLEVEL=[2345] and net-device-added
-stop on runlevel [2345] and net-device-removed INTERFACE=$INTERFACE
-
-instance $INTERFACE
-
-pre-start script
- if [ "$INTERFACE" != "lo" ]; then
- exec netscript ifup $INTERFACE
- fi
-end script
-
-post-stop script
- if [ "$INTERFACE" != "lo" ]; then
- exec netscript ifdown $INTERFACE
- fi
-end script
diff -Nru netscript-2.4-5.4.11ubuntu1/debian/netscript-2.4.netscript.service netscript-2.4-5.5.2/debian/netscript-2.4.netscript.service
--- netscript-2.4-5.4.11ubuntu1/debian/netscript-2.4.netscript.service 2015-10-11 04:29:42.000000000 +0000
+++ netscript-2.4-5.5.2/debian/netscript-2.4.netscript.service 2016-12-06 22:20:36.000000000 +0000
@@ -1,16 +1,25 @@ [Unit] -Description=Network and IP tables for system -Before=network.target +Description=Netscript network interfaces and iptables +Documentation=man:netscript(8) +DefaultDependencies=no Wants=network.target -# If you want to run openvswitch for software switching underneath +After=local-fs.target network-pre.target apparmor.service systemd-sysctl.service systemd-modules-load.service +#If you want to run openvswitch for software switching underneath # primary networking #After=openvswitch-switch.service +Before=network.target shutdown.target network-online.target +Conflicts=shutdown.target + +[Install] +WantedBy=multi-user.target +WantedBy=network-online.target [Service] Type=oneshot -RemainAfterExit=yes +EnvironmentFile=-/etc/netscript/network.conf +ExecStartPre=-/bin/sh -c '[ -n "$IF_AUTO" ] && udevadm settle' ExecStart=/sbin/netscript start ExecStop=/sbin/netscript stop +RemainAfterExit=true +TimeoutStartSec=5min -[Install] -WantedBy=multi-user.target diff -Nru netscript-2.4-5.4.11ubuntu1/debian/netscript-2.4.netscript@.service netscript-2.4-5.5.2/debian/netscript-2.4.netscript@.service --- netscript-2.4-5.4.11ubuntu1/debian/netscript-2.4.netscript@.service 2015-10-11 04:29:42.000000000 +0000 +++ netscript-2.4-5.5.2/debian/netscript-2.4.netscript@.service 2016-12-06 22:22:40.000000000 +0000 
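Review bot: `EnvironmentFile=-/etc/netscript/network.conf` hands systemd a file that, judging by the `source`/`include` helpers in the netscript hunks of this same diff, is a shell fragment rather than a plain KEY=VALUE list, and systemd does no shell evaluation when it reads it. The `IF_AUTO` that `ExecStartPre` tests can therefore differ from the one netscript computes, more so now that the built-in default becomes empty and settings move to `network.conf.d`, which this unit never reads. Because of the leading `-` and the `&&`, a wrong or empty value just skips `udevadm settle` silently, and `netscript start` can then run before device enumeration has finished. I would either have netscript do the settle itself after sourcing its configuration, or add a comment such as `# IF_AUTO must be a literal assignment in network.conf for the settle step to run`.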
@@ -1,8 +1,17 @@ [Unit] -Description=Dummy ifup for %I -#BindTo=sys-subsystem-net-devices-%i.device +Description=Netscript ifup for %I +After=local-fs.target network-pre.target apparmor.service systemd-sysctl.service +Before=network.target shutdown.target network-online.target +Conflicts=shutdown.target +BindsTo=sys-subsystem-net-devices-%i.device +DefaultDependencies=no +IgnoreOnIsolate=yes [Service] -Type=oneshot -ExecStart=/sbin/netscript ifup %I +# avoid stopping on shutdown via stopping system-ifup.slice +Slice=system.slice +ExecStart=/bin/sh -ec 'netscript ifup %I' ExecStop=/sbin/netscript ifdown %I +RemainAfterExit=true +TimeoutStartSec=5min + diff -Nru netscript-2.4-5.4.11ubuntu1/debian/netscript-2.4.netscript-shutdown.upstart netscript-2.4-5.5.2/debian/netscript-2.4.netscript-shutdown.upstart --- netscript-2.4-5.4.11ubuntu1/debian/netscript-2.4.netscript-shutdown.upstart 2015-01-28 16:11:46.000000000 +0000 +++ netscript-2.4-5.5.2/debian/netscript-2.4.netscript-shutdown.upstart 1970-01-01 00:00:00.000000000 +0000 @@ -1,12 +0,0 @@ -# netscript shutdown - shutdown system networking controlled by netscript -# -# This task stops all the network daemons and interfaces controlled by -# netscript - -description "shutdown system networking controlled by netscript" - -start on runlevel [06] - -task - -exec netscript stop diff -Nru netscript-2.4-5.4.11ubuntu1/debian/netscript-2.4.netscript.udev netscript-2.4-5.5.2/debian/netscript-2.4.netscript.udev --- netscript-2.4-5.4.11ubuntu1/debian/netscript-2.4.netscript.udev 2015-10-11 04:29:42.000000000 +0000 +++ netscript-2.4-5.5.2/debian/netscript-2.4.netscript.udev 2016-12-07 05:35:30.000000000 +0000 
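Review bot: `ExecStart=/bin/sh -ec 'netscript ifup %I'` pastes the unescaped instance name into the text of a shell command, so any shell metacharacter in an interface name is parsed by a root shell; the removed line passed the name as a single argv element and had no such exposure. Unless the wrapper is needed for something outside this hunk, `ExecStart=/sbin/netscript ifup %I` keeps the name out of shell parsing and matches the absolute path already used by `ExecStop`. The hunk also removes `Type=oneshot` without replacing it, so the unit falls back to the default service type; with `RemainAfterExit=true` it would then count as started before `netscript ifup` has finished, which weakens the `Before=network.target` ordering and makes `TimeoutStartSec=5min` largely moot. Restoring `Type=oneshot` next to `RemainAfterExit=true` would keep the intended semantics.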
@@ -2,16 +2,9 @@ # of hardware being added or removed, including that which isn't ordinarily # removable. # See udev(7) for syntax. +# Allow rfkill for users in the netdev group +KERNEL=="rfkill", MODE="0664", GROUP="netdev" -SUBSYSTEM=="net", DRIVERS=="?*", GOTO="netscript_start" -GOTO="netscript_end" - -LABEL="netscript_start" - -# Bring devices up and down. -# Use start-stop-daemon so we don't wait on any network daemons that are invoked. -ACTION=="add", RUN+="/sbin/start-stop-daemon --start --background --pidfile /var/run/network/bogus --startas /sbin/netscript -- ifup $env{INTERFACE}" -ACTION=="remove", RUN+="/sbin/start-stop-daemon --start --background --pidfile /var/run/network/bogus --startas /sbin/netscript -- ifdown $env{INTERFACE}" - -LABEL="netscript_end" +# Handle allow-hotplug interfaces +SUBSYSTEM=="net", ACTION=="add|remove", RUN+="netscript-hotplug" diff -Nru netscript-2.4-5.4.11ubuntu1/debian/netscript-2.4.netscript.upstart netscript-2.4-5.5.2/debian/netscript-2.4.netscript.upstart --- netscript-2.4-5.4.11ubuntu1/debian/netscript-2.4.netscript.upstart 2015-01-28 16:11:46.000000000 +0000 +++ netscript-2.4-5.5.2/debian/netscript-2.4.netscript.upstart 1970-01-01 00:00:00.000000000 +0000 @@ -1,18 +0,0 @@ -# netscript - configure network devices controlled by netscript -# -# -# -# Based on work by -# Scott James Remnant Tue, 15 Sep 2009 03:30:29 +0100 -# copyright 2009 Canonical Limited. License GPL v2 -# Adaptation for netscript-2.4 -# copyright 2011 Matthew Alexander Grant - -description "configure virtual network devices" - -start on (local-filesystems - and (stopped udevtrigger or container)) - -task - -exec netscript start diff -Nru netscript-2.4-5.4.11ubuntu1/debian/netscript-2.4-upstart.dirs netscript-2.4-5.5.2/debian/netscript-2.4-upstart.dirs --- netscript-2.4-5.4.11ubuntu1/debian/netscript-2.4-upstart.dirs 1970-01-01 00:00:00.000000000 +0000 +++ netscript-2.4-5.5.2/debian/netscript-2.4-upstart.dirs 2014-07-19 04:17:08.000000000 +0000 
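Review bot: The new rule `SUBSYSTEM=="net", ACTION=="add|remove", RUN+="netscript-hotplug"` drops the old `DRIVERS=="?*"` match, so the helper now runs as root for every net device, including virtual ones (veth, tap, bridge members) whose names are chosen by whatever created them. On the router/VM-host systems this package targets that is a much wider trigger than before, and the only filtering visible in this diff is the ppp/lo case list and the bridge check inside the helper. I would either keep a driver or name filter here or add a comment stating that virtual devices are deliberately included. The added `KERNEL=="rfkill", MODE="0664", GROUP="netdev"` rule is unrelated to hotplug and grants group write on the rfkill device; a one-line comment on why a firewall package ships it, e.g. `# needed so netdev members can toggle wireless kill switches`, would help the next reviewer.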
@@ -0,0 +1 @@
+etc/init
diff -Nru netscript-2.4-5.4.11ubuntu1/debian/netscript-2.4-upstart.netscript-interface.upstart netscript-2.4-5.5.2/debian/netscript-2.4-upstart.netscript-interface.upstart
--- netscript-2.4-5.4.11ubuntu1/debian/netscript-2.4-upstart.netscript-interface.upstart 1970-01-01 00:00:00.000000000 +0000
+++ netscript-2.4-5.5.2/debian/netscript-2.4-upstart.netscript-interface.upstart 2014-07-19 04:17:08.000000000 +0000
@@ -0,0 +1,31 @@
+# network-interface - configure network device
+#
+# This service causes network devices to be brought up or down as a result
+# of hardware being added or removed, including that which isn't ordinarily
+# removable.
+#
+# Based on work by
+# Scott James Remnant Tue, 15 Sep 2009 03:30:29 +0100
+# copyright 2009 Canonical Limited. License GPL v2
+# changes for netscript-2.4
+# copyright 2011 Matthew Alexander Grant License GPL V2
+# Matthew Grant
+
+description "configure network device"
+
+start on stopped rc RUNLEVEL=[2345] and net-device-added
+stop on runlevel [2345] and net-device-removed INTERFACE=$INTERFACE
+
+instance $INTERFACE
+
+pre-start script
+ if [ "$INTERFACE" != "lo" ]; then
+ exec netscript ifup $INTERFACE
+ fi
+end script
+
+post-stop script
+ if [ "$INTERFACE" != "lo" ]; then
+ exec netscript ifdown $INTERFACE
+ fi
+end script
diff -Nru netscript-2.4-5.4.11ubuntu1/debian/netscript-2.4-upstart.netscript-shutdown.upstart netscript-2.4-5.5.2/debian/netscript-2.4-upstart.netscript-shutdown.upstart
--- netscript-2.4-5.4.11ubuntu1/debian/netscript-2.4-upstart.netscript-shutdown.upstart 1970-01-01 00:00:00.000000000 +0000
+++ netscript-2.4-5.5.2/debian/netscript-2.4-upstart.netscript-shutdown.upstart 2014-07-19 04:17:08.000000000 +0000
@@ -0,0 +1,12 @@ +# netscript shutdown - shutdown system networking controlled by netscript +# +# This task stops all the network daemons and interfaces controlled by +# netscript + +description "shutdown system networking controlled by netscript" + +start on runlevel [06] + +task + +exec netscript stop diff -Nru netscript-2.4-5.4.11ubuntu1/debian/netscript-2.4-upstart.netscript.upstart netscript-2.4-5.5.2/debian/netscript-2.4-upstart.netscript.upstart --- netscript-2.4-5.4.11ubuntu1/debian/netscript-2.4-upstart.netscript.upstart 1970-01-01 00:00:00.000000000 +0000 +++ netscript-2.4-5.5.2/debian/netscript-2.4-upstart.netscript.upstart 2014-07-19 04:17:08.000000000 +0000 @@ -0,0 +1,18 @@ +# netscript - configure network devices controlled by netscript +# +# +# +# Based on work by +# Scott James Remnant Tue, 15 Sep 2009 03:30:29 +0100 +# copyright 2009 Canonical Limited. License GPL v2 +# Adaptation for netscript-2.4 +# copyright 2011 Matthew Alexander Grant + +description "configure virtual network devices" + +start on (local-filesystems + and stopped udevtrigger) + +task + +exec netscript start diff -Nru netscript-2.4-5.4.11ubuntu1/debian/README.Debian netscript-2.4-5.5.2/debian/README.Debian --- netscript-2.4-5.4.11ubuntu1/debian/README.Debian 2015-10-11 04:29:42.000000000 +0000 +++ netscript-2.4-5.5.2/debian/README.Debian 2016-12-06 22:36:26.000000000 +0000 @@ -21,7 +21,7 @@ CONFIGURATION ------------- -Sysvinit is no longer supported, thanks to ome irresolvable boot order +Sysvinit is no longer supported, thanks to some irresolvable boot order dependency loops with the ifupdown package. For systemd: diff -Nru netscript-2.4-5.4.11ubuntu1/debian/rules netscript-2.4-5.5.2/debian/rules --- netscript-2.4-5.4.11ubuntu1/debian/rules 2015-10-11 04:29:42.000000000 +0000 +++ netscript-2.4-5.5.2/debian/rules 2015-01-04 05:20:33.000000000 +0000 
@@ -49,8 +49,6 @@ dh_systemd_enable --package=netscript-2.4 --name=netscript\@ --no-enable dh_systemd_enable --package=netscript-ipfilter --name=netscript dh_installinit --package=netscript-2.4 --name=netscript --no-start -- start 35 0 6 . start 40 S . - dh_installinit --package=netscript-2.4 --name=netscript-interface --noscripts - dh_installinit --package=netscript-2.4 --name=netscript-shutdown --noscripts dh_installinit --package=netscript-ipfilter --name=netscript --no-start -- start 35 0 6 . start 40 S . dh_installudev --package=netscript-2.4 --name=netscript --priority=85 dh_installman diff -Nru netscript-2.4-5.4.11ubuntu1/if.conf netscript-2.4-5.5.2/if.conf --- netscript-2.4-5.4.11ubuntu1/if.conf 2015-10-11 04:29:41.000000000 +0000 +++ netscript-2.4-5.5.2/if.conf 2016-12-14 08:57:31.000000000 +0000 @@ -172,6 +172,7 @@ esac fi local IFTYPE=`echo $1 | sed -e $SED_IFSTR` + local IFTYPE_NODASH=`echo "$IFTYPE" | sed -e 's/\-/_/g'` # Do dee global bridge stuff brg_global @@ -183,12 +184,12 @@ ifv4_setproc all accept_redirects $ALLIF_ACCEPT_REDIRECTS # Set up each interface - if qt type ${1}_start ; then + if qt type ${IF_NODASH}_start ; then # execute user supplied individual interface start up - ${1}_start $1 - elif qt type ${IFTYPE}_start ; then + ${IF_NODASH}_start $1 + elif qt type ${IFTYPE_NODASH}_start ; then # execute user supplied typed interface start up - ${IFTYPE}_start $1 + ${IFTYPE_NODASH}_start $1 else # default interface startup brg_iface $1 up "$BRIDGE" "$IPV6_DISABLE" @@ -209,8 +210,8 @@ ipv6_default_route $1 # Set up routes and ARP etc - if qt type ${1}_network ; then - ${1}_network $1 + if qt type ${IF_NODASH}_network ; then + ${IF_NODASH}_network $1 fi # Resolvconf support @@ -246,7 +247,9 @@ } if_down () { + local IF_NODASH=`echo "$1" | sed -e 's/\-/_/g'` local IFTYPE=`echo $1 | sed -e $SED_IFSTR` + local IFTYPE_NODASH=`echo "$IFTYPE" | sed -e 's/\-/_/g'` # Clean up any resolvconf stuff if_resolvconf_down $1 
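Review bot: `IF_NODASH` is used in the `if_up` hunks (`qt type ${IF_NODASH}_start`, `${IF_NODASH}_network $1`) but no hunk of this file assigns it inside `if_up`; only `IFTYPE_NODASH` is added there, while `if_down` gets its own `local IF_NODASH=...`. The first if.conf hunk starts at the same line number on both sides, so nothing was added earlier in the file, and unless the variable is set by a caller outside this diff the test degenerates to `qt type _start` and per-interface start and network hooks are silently skipped. Firewall or routing rules that a user hook was meant to install would then be missing. I would add ``local IF_NODASH=`echo "$1" | sed -e 's/\-/_/g'` `` next to the new `IFTYPE_NODASH` line, as `if_down` already does. The body of `if_up` begins before the hunk, so this should be checked against the full function.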
@@ -254,12 +257,12 @@ # Do Dee global bridge stuff brg_global - if qt type ${1}_stop ; then + if qt type ${IF_NODASH}_stop ; then # execute user supplied individual interface shutdown - ${1}_stop $1 - elif qt type ${IFTYPE}_stop ; then + ${IF_NODASH}_stop $1 + elif qt type ${IFTYPE_NODASH}_stop ; then # execute user supplied typed interface shutdown - ${IFTYPE}_stop $1 + ${IFTYPE_NODASH}_stop $1 else # default action brg_iface $1 down $IPV6_DISABLE diff -Nru netscript-2.4-5.4.11ubuntu1/ipfilter.conf netscript-2.4-5.5.2/ipfilter.conf --- netscript-2.4-5.4.11ubuntu1/ipfilter.conf 2015-10-11 04:29:41.000000000 +0000 +++ netscript-2.4-5.5.2/ipfilter.conf 2016-12-15 09:37:00.000000000 +0000 @@ -440,17 +440,22 @@ -s `echoIpPort '$2' ' --sport $3' '$3' $SRC` done; unset SRC - # Get rid of unwanted ICMP packets - $IPTBL -A $CHAIN -j icmpfwd - # Get rid of incoming Martians $IPTBL -A $CHAIN -j martians # Prevent RFC 1918/1627/1597 IP packets from coming in - $IPTBL -A $CHAIN -j DROP -d 10.0.0.0/8 - $IPTBL -A $CHAIN -j DROP -d 192.168.0.0/16 - $IPTBL -A $CHAIN -j DROP -d 172.16.0.0/12 - + # Bypass checks for certain netblocks that are internal. + for NET in $MARTIAN_BYPASS; do + $IPTBL -A $CHAIN -j DROP \! -s "$NET" -d 10.0.0.0/8 + $IPTBL -A $CHAIN -j DROP \! -s "$NET" -d 192.168.0.0/16 + $IPTBL -A $CHAIN -j DROP \! -s "$NET" -d 172.16.0.0/12 + done + if [ -z "$MARTIAN_BYPASS" ]; then + $IPTBL -A $CHAIN -j DROP -d 10.0.0.0/8 + $IPTBL -A $CHAIN -j DROP -d 192.168.0.0/16 + $IPTBL -A $CHAIN -j DROP -d 172.16.0.0/12 + fi + # Allow icmp/BGP in on out link net if [ -n "$LINK_NET" ]; then $IPTBL -A $CHAIN -j ACCEPT -p icmp -s $LINK_NET @@ -480,6 +485,9 @@ -d `echoIpPort '$2' ' --dport $3' '$3' $DEST` done; unset DEST + # Get rid of unwanted ICMP packets + $IPTBL -A $CHAIN -j icmpfwd + # SNMP control - Prevent SNMP access to our network if [ "$SNMP_BLOCK" = "YES" -o "$SNMP_BLOCK" = "Yes" \ -o "$SNMP_BLOCK" = "yes" ] ; then 
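Review bot: With more than one entry in `MARTIAN_BYPASS` the new loop defeats itself: the rule built for the first net, `DROP ! -s NET1 -d 10.0.0.0/8`, already matches and drops packets sourced from the second net, so only a single bypass block can ever take effect. The same pattern is repeated in the outbrdr hunk for `MARTIAN_BYPASS` and in both IPv6 hunks for `IPV6_MARTIAN_BYPASS` against `fc00::/7`. It fails closed, but an operator who lists two internal blocks will see traffic dropped that the configuration says is exempt. Sending the private destinations to a small helper chain that RETURNs for each bypass source and DROPs otherwise handles zero, one or many entries with one code path; the chain name `rfc1918` below is a constructed example. The enclosing function starts and ends outside the hunk.

```shell
	# Prevent RFC 1918/1627/1597 IP packets from coming in
	# Bypass checks for certain netblocks that are internal.
	$IPTBL -N rfc1918 >& /dev/null
	$IPTBL -F rfc1918
	for NET in $MARTIAN_BYPASS; do
		$IPTBL -A rfc1918 -s "$NET" -j RETURN
	done
	$IPTBL -A rfc1918 -j DROP
	$IPTBL -A $CHAIN -j rfc1918 -d 10.0.0.0/8
	$IPTBL -A $CHAIN -j rfc1918 -d 192.168.0.0/16
	$IPTBL -A $CHAIN -j rfc1918 -d 172.16.0.0/12
	# … unchanged: link-net ICMP/BGP accept rules …
```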
@@ -523,9 +531,17 @@ ipv4_createChain martians martians # Stop outgoing RFC 1918/1627/1597 packets - $IPTBL -A $CHAIN -j DROP -d 10.0.0.0/8 - $IPTBL -A $CHAIN -j DROP -d 192.168.0.0/16 - $IPTBL -A $CHAIN -j DROP -d 172.16.0.0/12 + # Bypass checks for certain netblocks that are internal. + for NET in $MARTIAN_BYPASS; do + $IPTBL -A $CHAIN -j DROP \! -s "$NET" -d 10.0.0.0/8 + $IPTBL -A $CHAIN -j DROP \! -s "$NET" -d 192.168.0.0/16 + $IPTBL -A $CHAIN -j DROP \! -s "$NET" -d 172.16.0.0/12 + done + if [ -z "$MARTIAN_BYPASS" ]; then + $IPTBL -A $CHAIN -j DROP -d 10.0.0.0/8 + $IPTBL -A $CHAIN -j DROP -d 192.168.0.0/16 + $IPTBL -A $CHAIN -j DROP -d 172.16.0.0/12 + fi # Log and stop certain outgoing traffic for DEST in $BLOCKED_OUTDEST; do @@ -659,7 +675,7 @@ # DROP all ICMP packets as it does not make sense # to reply to these - $IP6TBL -A $CHAIN -p icmp -j DROP + $IP6TBL -A $CHAIN -p icmpv6 -j DROP if [ -z "$2" ]; then $IP6TBL -A $CHAIN -j $IPV6_LOG_TARGET @@ -673,11 +689,16 @@ ipf6_icmphost () { local CHAIN=$1 + local TARGET=$2 if [ -z "$CHAIN" ]; then CHAIN=icmphost fi + if [ -z "$TARGET" ]; then + TARGET=${IPV6_ICMPHOST_TARGET:='ACCEPT'} + + fi # Clean out any existing chain $IP6TBL -F $CHAIN >& /dev/null $IP6TBL -N $CHAIN >& /dev/null @@ -704,7 +725,7 @@ 148 149 \ 151 152 153 do - $IP6TBL -A $CHAIN -j ACCEPT -m limit \ + $IP6TBL -A $CHAIN -j $TARGET -m limit \ --limit $IPV6_ICMPHOST_MAXRATE/second \ -p icmpv6 --icmpv6-type $TYPE done @@ -712,13 +733,13 @@ # ICMPv6 - Things we optionally want for TYPE in $IPV6_ICMPHOST_OPTIONAL do - $IP6TBL -A $CHAIN -j ACCEPT -m limit \ + $IP6TBL -A $CHAIN -j $TARGET -m limit \ --limit $IPV6_ICMPHOST_MAXRATE/second \ -p icmpv6 --icmpv6-type $TYPE done # Accept local DHCPv6 replies - $IP6TBL -A $CHAIN -j ACCEPT -s fe80::/10 \ + $IP6TBL -A $CHAIN -j $TARGET -s fe80::/10 \ -p udp --dport 546 # Log ICMP we don't want 
@@ -727,11 +748,16 @@ ipf6_icmpfwd () { local CHAIN=$1 + local TARGET=$2 if [ -z "$CHAIN" ]; then CHAIN=icmpfwd fi + if [ -z "$TARGET" ]; then + TARGET=${IPV6_ICMPFWD_TARGET:='RETURN'} + fi + # Clean out any existing chain $IP6TBL -F $CHAIN >& /dev/null $IP6TBL -N $CHAIN >& /dev/null @@ -748,21 +774,20 @@ echo-request \ echo-reply; do - $IP6TBL -A $CHAIN -j ACCEPT -m limit \ + $IP6TBL -A $CHAIN -j $TARGET -m limit \ --limit $IPV6_ICMPFWD_MAXRATE/second \ -p icmpv6 --icmpv6-type $TYPE done # ICMPv6 - Things we optionally want to forward for TYPE in $IPV6_ICMPFWD_OPTIONAL do - $IP6TBL -A $CHAIN -j ACCEPT -m limit \ + $IP6TBL -A $CHAIN -j $TARGET -m limit \ --limit $IPV6_ICMPFWD_MAXRATE/second \ -p icmpv6 --icmpv6-type $TYPE done # ICMP - we don't want these # Also stops ICMP time stamp messages and redirects - don't need these $IP6TBL -A $CHAIN -j log -p icmpv6 - } # A function to filter out Martian source addresses @@ -973,8 +998,8 @@ # Create chains if they do not exsist ipv6_createChain log log log REJECT - ipv6_createChain droplog log droplog DROP - ipv6_createChain icmpfwd icmpfwd + ipv6_createChain droplog log droplog DROP + ipv6_createChain icmpbrdr icmpfwd icmpbrdr RETURN ipv6_createChain martians martians # Source blocking 
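Review bot: The default verdict of `ipf6_icmpfwd` silently changes from a terminal `ACCEPT` to `RETURN` through `TARGET=${IPV6_ICMPFWD_TARGET:='RETURN'}`, and nothing in the hunk documents it. Any existing rule set that jumps to the `icmpfwd` chain and relied on wanted ICMPv6 being accepted there will now fall through to whatever rules follow, which on a default-deny chain can drop the ICMPv6 that forwarding depends on. I would add a comment above the assignment, for example `# Default changed from ACCEPT to RETURN in 5.5.0; set IPV6_ICMPFWD_TARGET=ACCEPT for the old behaviour`, and mention the variable in the shipped configuration. The list of ICMPv6 types the loop iterates over lies partly outside the hunk.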
@@ -987,18 +1012,26 @@ -s `echoIpPort '$2' ' --sport $3' '$3' $SRC` done; unset SRC - # Get rid of unwanted ICMP packets - $IP6TBL -A $CHAIN -j icmpfwd - # Get rid of incoming Martians $IP6TBL -A $CHAIN -j martians # Prevent ULA IP packets from coming in - $IP6TBL -A $CHAIN -j DROP -d fc00::/7 + # Bypass checks for certain netblocks that are internal. + for NET in $IPV6_MARTIAN_BYPASS; do + $IP6TBL -A $CHAIN -j DROP \! -s "$NET" -d fc00::/7 + done + if [ -z "$IPV6_MARTIAN_BYPASS" ]; then + $IP6TBL -A $CHAIN -j DROP -d fc00::/7 + fi # Allow icmp/BGP in on our link net if [ -n "$IPV6_LINK_NET" ]; then - $IP6TBL -A $CHAIN -j ACCEPT -p icmp -s $IPV6_LINK_NET + # Get rid of unwanted ICMP packets + $IP6TBL -A $CHAIN -j icmpbrdr -p icmpv6 -s $IPV6_LINK_NET + # Handle icmpfwd target being RETURN. This also works + # when target is ACCEPT as chain finishes with a deny + # log rule + $IP6TBL -A $CHAIN -j ACCEPT -p icmpv6 -s $IPV6_LINK_NET $IP6TBL -A $CHAIN -j ACCEPT -p tcp -s $IPV6_LINK_NET \ -d $IPV6_LINK_NET --dport bgp $IP6TBL -A $CHAIN -j ACCEPT -p tcp -s $IPV6_LINK_NET \ @@ -1021,6 +1054,9 @@ -d `echoIpPort '$2' ' --dport $3' '$3' $DEST` done; unset DEST + # Get rid of unwanted ICMP packets + $IP6TBL -A $CHAIN -j icmpbrdr -p icmpv6 + # SNMP control - Prevent SNMP access to our network if [ "$SNMP_BLOCK" = "YES" -o "$SNMP_BLOCK" = "Yes" \ -o "$SNMP_BLOCK" = "yes" ] ; then 
@@ -1061,10 +1097,20 @@ # Create chains if they do not exsist ipv6_createChain log log log REJECT ipv6_createChain droplog log droplog DROP + ipv6_createChain icmpbrdr icmpfwd icmpbrdr RETURN ipv6_createChain martians martians # Stop outgoing ULA - $IP6TBL -A $CHAIN -j DROP -d fc00::/7 + # Bypass checks for certain netblocks that are internal. + for NET in $IPV6_MARTIAN_BYPASS; do + $IP6TBL -A $CHAIN -j DROP \! -s "$NET" -d fc00::/7 + done + if [ -z "$IPV6_MARTIAN_BYPASS" ]; then + $IP6TBL -A $CHAIN -j DROP -d fc00::/7 + fi + + # Drop unwanted outgoing ICMP + $IP6TBL -A $CHAIN -j icmpbrdr -p icmpv6 # Log and stop certain outgoing traffic for DEST in $IPV6_BLOCKED_OUTDEST; do diff -Nru netscript-2.4-5.4.11ubuntu1/Makefile netscript-2.4-5.5.2/Makefile --- netscript-2.4-5.4.11ubuntu1/Makefile 2015-10-11 04:29:41.000000000 +0000 +++ netscript-2.4-5.5.2/Makefile 2016-12-07 05:31:37.000000000 +0000 @@ -8,12 +8,14 @@ ETCDIR=/etc CONFDIR=$(DESTDIR)$(ETCDIR)/netscript +NCONFDIR=$(CONFDIR)/network.conf.d SBINDIR=$(DESTDIR)/sbin USRSBINDIR=$(DESTDIR)/usr/sbin INITDIR=$(DESTDIR)/etc/init.d PPPETCDIR=$(DESTDIR)/$(ETCDIR)/ppp PPPUPDIR=$(PPPETCDIR)/ip-up.d PPPDOWNDIR=$(PPPETCDIR)/ip-down.d +UDEVLIBDIR=$(DESTDIR)/lib/udev INSTALL=/usr/bin/install dummy: 
@@ -23,13 +25,17 @@ - mkdir -p $(SBINDIR) - mkdir -p $(UDEVLIBDIR) - mkdir -p $(CONFDIR) + - mkdir -p $(NCONFDIR) - mkdir -p $(PPPUPDIR) - mkdir -p $(PPPDOWNDIR) + - mkdir -p $(UDEVLIBDIR) $(INSTALL) -m 755 netscript $(SBINDIR)/netscript $(INSTALL) -m 755 wep.conf $(CONFDIR) $(INSTALL) -m 644 ipfilter.conf network.conf $(CONFDIR) + $(INSTALL) -m 644 network.conf.d.00default-eth0-dhcp.conf $(NCONFDIR)/00default-eth0-dhcp.conf $(INSTALL) -m 644 if.conf qos.conf $(CONFDIR) $(INSTALL) -m 644 README.etc $(CONFDIR)/README + $(INSTALL) -m 755 netscript-hotplug $(UDEVLIBDIR)/netscript-hotplug # touch $(CONFDIR)/iptables # touch $(CONFDIR)/ip6tables diff -Nru netscript-2.4-5.4.11ubuntu1/netscript netscript-2.4-5.5.2/netscript --- netscript-2.4-5.4.11ubuntu1/netscript 2015-10-11 04:29:41.000000000 +0000 +++ netscript-2.4-5.5.2/netscript 2017-07-06 23:27:48.000000000 +0000 @@ -37,6 +37,7 @@ qt () { "$@" >/dev/null 2>&1 ; } vb () { "$@" ; } source () { . $1 ; } +include () { local F; for F in "$@"; do . "$F"; done; } basename () { echo "${1##*/}"; } BANNER="# This file was generated by $0. It may be overwritten!" @@ -48,9 +49,11 @@ IPV4_FWDING_KERNEL=NO IPV6_FWDING_KERNEL=NO IP_FILTER_KERNEL=PACKET -IF_AUTO="eth0" +IF_AUTO="" +BRG_SWITCH=NO IPV4_DISABLE=NO IPV6_DISABLE=NO +IPV6_DAD_WAIT_TIME=10 BASE_MODPATH="/lib/modules/`uname -r`/kernel" MODPATH="${BASE_MODPATH}/net" KERN_VERSION=`uname -r | cut -d . -f 1,2` @@ -131,7 +134,7 @@ if [ "$DEV" = "lo" ]; then continue fi - ANS=`echo "$IF_LIST" | grep $DEV` + ANS=`echo "$IF_LIST" | grep "\<${DEV}\>"` if [ -z "$ANS" ]; then IF_LIST="$IF_LIST $DEV" fi 
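Review bot: The substring fix ``ANS=`echo "$IF_LIST" | grep "\<${DEV}\>"` `` is still not an exact match: grep's word boundaries treat `.` and `-` as separators, so `eth0` is found inside an entry such as `eth0.100` or `br-eth0`, and a `.` in `DEV` is itself a regex wildcard. An interface can therefore still be left out of `IF_LIST` and never be configured or filtered. A whole-token comparison needs no regex at all: `case " $IF_LIST " in *" $DEV "*) ;; *) IF_LIST="$IF_LIST $DEV" ;; esac`. The enclosing loop and function begin before the hunk.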
@@ -318,6 +321,16 @@ if_up $IF && vb echo -n " $IF" done unset IF + # Wait for IPv6 DAD to happen + case "$IPV6_DISABLE" in + YES|Yes|yes) + ;; + *) + if [ $IPV6_DAD_WAIT_TIME -gt 0 ]; then + sleep "$IPV6_DAD_WAIT_TIME" + fi + ;; + esac else # Don't do anything during boot or shutdown case "$RUNLVL" in diff -Nru netscript-2.4-5.4.11ubuntu1/netscript-hotplug netscript-2.4-5.5.2/netscript-hotplug --- netscript-2.4-5.4.11ubuntu1/netscript-hotplug 1970-01-01 00:00:00.000000000 +0000 +++ netscript-2.4-5.5.2/netscript-hotplug 2016-12-26 22:06:43.000000000 +0000 
@@ -0,0 +1,150 @@
+#!/bin/sh -e
+#
+# run /sbin/netscript for hotplug operations
+#
+# Taken from ifupdown package
+
+PATH='/sbin:/bin:/usr/sbin:/usr/bin'
+
+if [ -x /usr/bin/logger ]; then
+ LOGGER=/usr/bin/logger
+elif [ -x /bin/logger ]; then
+ LOGGER=/bin/logger
+else
+ unset LOGGER
+fi
+
+# for diagnostics
+if [ -t 1 -a -z "$LOGGER" ] || [ ! -e '/dev/log' ]; then
+ mesg() {
+ echo "$@" >&2
+ }
+elif [ -t 1 ]; then
+ mesg() {
+ echo "$@"
+ $LOGGER -t "${0##*/}[$$]" "$@"
+ }
+else
+ mesg() {
+ $LOGGER -t "${0##*/}[$$]" "$@"
+ }
+fi
+
+if [ -z "$INTERFACE" ]; then
+ mesg "Bad netscript udev helper invocation: \$INTERFACE is not set"
+ exit 1
+fi
+
+check_program() {
+ [ -x $1 ] && return 0
+
+ mesg "ERROR: $1 not found. You need to install the netscript-2.4 package."
+ mesg "netscript udev helper $ACTION event for $INTERFACE not handled."
+ exit 1
+}
+
+wait_for_interface() {
+ local interface=$1
+ local state
+
+ while :; do
+ read state /sys/class/net/$interface/operstate 2>/dev/null || true
+ if [ "$state" != down ]; then
+ return 0
+ fi
+ sleep 1
+ done
+}
+
+net_ifup() {
+ check_program /sbin/netscript
+
+ # Don't bring up bridge interfaces under hotplug! Can cause issues with openstack
+ local BRG_DEVLIST=`brctl show | sed -e '1d' | grep '^[-a-zA-Z0-9_]' | sed -e 's/^\([a-zA-Z0-9_\-]\+\)[ ].*$/\1/'`
+ if echo "$BRG_DEVLIST" | fgrep "$INTERFACE"; then
+ exit 0
+ fi
+
+ if [ -d /run/systemd/system ]; then
+ exec systemctl --no-block start $(systemd-escape --template netscript@.service $INTERFACE)
+ fi
+
+ #local out=$(ps -C ifup ho args)
+ #if [ "${out%$INTERFACE*}" != "$out" ]; then
+ # mesg "Already ifup-ing interface $INTERFACE"
+ # exit 0
+ #fi
+
+ #wait_for_interface lo
+
+ exec netscript ifup $INTERFACE
+}
+
+net_ifdown() {
+ check_program /sbin/netscript
+
+ # Don't bring down bridge interfaces under hotplug! Can cause issues with openstack
+ local BRG_DEVLIST=`brctl show | sed -e '1d' | grep '^[-a-zA-Z0-9_]' | sed -e 's/^\([a-zA-Z0-9_\-]\+\)[ ].*$/\1/'`
+ if echo "$BRG_DEVLIST" | fgrep "$INTERFACE"; then
+ exit 0
+ fi
+
+ # systemd will automatically ifdown the interface on device
+ # removal by binding the instanced service to the network device
+ if [ -d /run/systemd/system ]; then
+ exit 0
+ fi
+
+ #local out=$(ps -C ifdown ho args)
+ #if [ "${out%$INTERFACE*}" != "$out" ]; then
+ # mesg "Already ifdown-ing interface $INTERFACE"
+ # exit 0
+ #fi
+
+ exec netscript ifdown $INTERFACE
+}
+
+do_everything() {
+
+case "$ACTION" in
+ add)
+ # these interfaces generate hotplug events *after* they are brought up
+ case $INTERFACE in
+ ppp*|ippp*|isdn*|plip*|lo|irda*|ipsec*)
+ exit 0 ;;
+ esac
+
+ net_ifup
+ ;;
+
+ remove)
+ # the pppd persist option may have been used, so it should not be killed
+ #case $INTERFACE in
+ # ppp*)
+ # exit 0 ;;
+ #esac
+
+ net_ifdown
+ ;;
+
+ *)
+ mesg "NET $ACTION event not supported"
+ exit 1
+ ;;
+esac
+
+}
+# under systemd we don't do synchronous operations, so we can run in the
+# foreground; we also need to, as forked children get killed right away under
+# systemd
+if [ -d /run/systemd/system ]; then
+ do_everything
+else
+ # under sysvinit/upstart we need to fork as we start the long-running
+ # "ifup". but there, forked processes won't get killed.
+ # When udev_log="debug" stdout and stderr are pipes connected to udevd.
+ # They need to be closed or udevd will wait for this process which will
+ # deadlock with udevsettle until the timeout.
+ exec > /dev/null 2> /dev/null
+ do_everything &
+fi
diff -Nru netscript-2.4-5.4.11ubuntu1/network.conf netscript-2.4-5.5.2/network.conf
--- netscript-2.4-5.4.11ubuntu1/network.conf 2015-10-11 04:29:41.000000000 +0000
+++ netscript-2.4-5.5.2/network.conf 2016-12-26 22:09:27.000000000 +0000
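Review bot: Both bridge guards, in `net_ifup` and `net_ifdown`, test `echo "$BRG_DEVLIST" | fgrep "$INTERFACE"`, which is a substring match. With a bridge named `br-eth0` present, hotplug events for `eth0` are skipped as well, and the matched line is written to stdout. `if echo "$BRG_DEVLIST" | grep -qxF -- "$INTERFACE"; then` compares whole lines and stays quiet. `$INTERFACE` comes from the udev environment and is passed unquoted to `systemd-escape` and `netscript`. As far as I know kernel interface names cannot contain whitespace but can contain glob characters or begin with `-`, so quoting it (with `--` where the tool accepts it) is the safer form, e.g. `exec netscript ifup "$INTERFACE"`.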
@@ -1,3 +1,7 @@ +# +# Source /etc/netscript/network.conf.d/*.conf +# +include /etc/netscript/network.conf.d/*.conf ############################################################################### # General Settings @@ -5,16 +9,16 @@ # # VERBOSE=(YES/NO) Default: Yes # Be verbose about settings. -VERBOSE=YES +#VERBOSE=YES # IPV6_MODULE=(YES/NO) Default: NO # If kernel is modular, enable IPv6 support by loading module. Once loaded, # it cannot be unloaded due to kernel internal dependencies. -IPV6_MODULE=NO +#IPV6_MODULE=NO # IPV6_DISABLE=(YES/NO) Default: NO # Disable IPv6 protocol on all interfaces including lo -IPV6_DISABLE=NO +#IPV6_DISABLE=NO # IPV4_FWDING_KERNEL=(YES/NO/FILTER_ON) Default: NO # IPV6_FWDING_KERNEL=(YES/NO/FILTER_ON) Default: NO @@ -47,6 +51,14 @@ #IPV6_DEFAULT_GW=fe80::1:11 #IPV6_DEFAULT_GWDEV=eth0 +# IPV6_DAD_WAIT_TIME="10" +# +# Wait time in seconds for DAD to happen on netscript start. This is to help +# boot sequencing and make sure interface address assignment has happened so +# network daemons can bind to static addresses. Set to 0 if you don't want +# to wait. +# IPV6_DAD_WAIT_TIME="7" + # DHCP_RA_STROKE_CMD="" # # DHCP/IPv6 RA restart/reload commmand @@ -54,7 +66,7 @@ # issues with special broadcast address routing and multicast listening # Otherwise, under IPv6, Default route can dissapear! # DHCP_RA_STROKE_CMD="service dnsmasq restart" -DHCP_RA_STROKE_CMD="systemctl restart dnsmasq" +#DHCP_RA_STROKE_CMD="systemctl restart dnsmasq" NET_GLOBAL_SYSCTL=" @@ -98,7 +110,7 @@ # interfaces like CIPE should be after the raw interfaces they depend on. # The interfaces are started in the order they occur on the list, and are # shutdown in the reverse order of IF_LIST. -IF_AUTO="eth0" +IF_AUTO="$IF_AUTO" # IF_DYNAMIC Default: "" # A space seperated list of dyanmic interfaces that are not created by 
@@ -107,6 +119,7 @@ # program creates it. This is so that you can start these dynamic interfaces # manually. #IF_DYNAMIC="ppp0" +IF_DYNAMIC="$IF_DYNAMIC" # IPv4 global proc flags # @@ -119,7 +132,10 @@ # IF_DEFAULT_IPV6_DISABLE Default: NO - YES/NO # Disable IPv6 on new interfaces by default. Useful when machine # is a Virtual Machine server, heavily using bridges for network -# connections. +# connections. +# WARNING: Don't turn on for openstack. It messes up its +# IPv6 detection as it uses this sysctl when it should use the 'all' one, +# rather than /proc/sys/net/ipv6/conf/default/ipv6_disable... #IF_DEFAULT_IPV6_DISABLE=NO # Need these both for interfaces run by daemons - ie PPP, CIPE, Sangoma @@ -134,7 +150,7 @@ ############################# # Enable bridging - YES/NO/number of bridges -BRG_SWITCH=no +#BRG_SWITCH=no # # AND Additional named bridges to add #BRG_LIST="brg0 inet0 dmz0 dbase0 admin0" @@ -167,10 +183,10 @@ #eth0_IPADDR="0192.0.002.07/24_brd_192.0.2.255 2001:db8:010a:0001::000:007/64" # # IP spoofing protection on this interface - YES/NO -eth0_IP_SPOOF=YES +#eth0_IP_SPOOF=YES # # Kernel logging of spoofed packets on this interface - YES/NO -eth0_IP_KRNL_LOGMARTIANS=YES +#eth0_IP_KRNL_LOGMARTIANS=YES # # This setting affects the processing of ICMP redirects. Setting it to NO # makes this more secure. Don't turn this off if you have two IP @@ -375,13 +391,13 @@ # # PPP - interface ppp0 # -ppp0_start () { - # don't run pppd if link already exists... - [ -f /var/run/$1.pid ] && kill -0 `cat /var/run/$1.pid` && return 0 - sleep 5 - # call ISP - pppd call provider updetach > /dev/null -} +#ppp0_start () { +# # don't run pppd if link already exists... +# [ -f /var/run/$1.pid ] && kill -0 `cat /var/run/$1.pid` && return 0 +# sleep 5 +# # call ISP +# pppd call provider updetach > /dev/null +#} #ppp1_start () { # # don't run pppd if link already exists... 
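Review bot: The added warning under `IF_DEFAULT_IPV6_DISABLE` names `/proc/sys/net/ipv6/conf/default/ipv6_disable`, but the kernel sysctl is `disable_ipv6` (`/proc/sys/net/ipv6/conf/default/disable_ipv6`), so an admin following the comment will not find that file. The sentence is also hard to parse about which component should be reading the `all` entry. A wording such as `# WARNING: do not enable on OpenStack hosts; OpenStack reads conf/default/disable_ipv6 (not conf/all) to detect IPv6 support.` states the same caveat directly.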
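Review bot: Commenting out `eth0_IP_SPOOF=YES` and `eth0_IP_KRNL_LOGMARTIANS=YES` means a default install no longer explicitly sets source-address spoof protection or martian logging for eth0. The new network.conf.d.00default-eth0-dhcp.conf ships both lines commented as well. Whether this weakens the host depends on netscript's built-in defaults for these per-interface settings, which are not visible in this diff. If the built-in default is not YES, the two lines should move, uncommented, into 00default-eth0-dhcp.conf next to `eth0_start`. Either way, a comment stating the effective default would show that the protection was kept.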
@@ -391,11 +407,11 @@ # # NB Stop function is provided as a type function as it can cover all # analogue ppp interface instances. -ppp_stop () { - [ ! -f /var/run/$1.pid ] && return 0 - qt kill `cat /var/run/$1.pid` - sleep 5 # Wait for pppd to die -} +#ppp_stop () { +# [ ! -f /var/run/$1.pid ] && return 0 +# qt kill `cat /var/run/$1.pid` +# sleep 5 # Wait for pppd to die +#} #ppp0_network_ppp () { @@ -406,26 +422,26 @@ # DHCP interface setup # # Comment out or add change 'eth_' to 'eth0_' -eth_start () { - if [ -x /sbin/dhclient ]; then - qt /sbin/dhclient $1 - elif [ -x /sbin/dhcpcd ]; then - qt /sbin/dhcpcd -R -N $1 - elif [ -x /sbin/pump ]; then - /sbin/pump -i $1 -h `cat /etc/hostname` - fi -} -# -eth_stop () { - if [ -f /var/run/dhclient.pid ]; then - qt kill `cat /var/run/dhclient.pid` - elif [ -f "/var/run/dhcpcd-${1}.pid" ]; then - qt /sbin/dhcpcd -k $1 - elif [ -e /var/run/pump.sock ]; then - /sbin/pump -i $1 -r - fi - if_addr_stop $1 -} +#eth_start () { +# if [ -x /sbin/dhclient ]; then +# qt /sbin/dhclient $1 +# elif [ -x /sbin/dhcpcd ]; then +# qt /sbin/dhcpcd -R -N $1 +# elif [ -x /sbin/pump ]; then +# /sbin/pump -i $1 -h `cat /etc/hostname` +# fi +#} +# +#eth_stop () { +# if [ -f /var/run/dhclient.pid ]; then +# qt kill `cat /var/run/dhclient.pid` +# elif [ -f "/var/run/dhcpcd-${1}.pid" ]; then +# qt /sbin/dhcpcd -k $1 +# elif [ -e /var/run/pump.sock ]; then +# /sbin/pump -i $1 -r +# fi +# if_addr_stop $1 +#} # Openvpn setup #tun_start () { @@ -694,7 +710,17 @@ LOG_TARGET=REJECT IPV6_LOG_TARGET=REJECT +######################################### +### IPv6 ICMP chains - chain output targets +########################################### + +# icmphost output target - Default ACCEPT or RETURN +#IPV6_ICMPHOST_TARGET=ACCEPT +# icmpfwd output target - ACCEPT or default RETURN +# This has to be RETURN if using the outbrdr chain +#IPV6_ICMPFWD_TARGET=RETURN + ############################### # IPv6 ICMP chains - limit rates ############################### 
@@ -818,4 +844,3 @@ #IPV6_OUT_TARGET=RETURN - diff -Nru netscript-2.4-5.4.11ubuntu1/network.conf.d.00default-eth0-dhcp.conf netscript-2.4-5.5.2/network.conf.d.00default-eth0-dhcp.conf --- netscript-2.4-5.4.11ubuntu1/network.conf.d.00default-eth0-dhcp.conf 1970-01-01 00:00:00.000000000 +0000 +++ netscript-2.4-5.5.2/network.conf.d.00default-eth0-dhcp.conf 2016-12-02 06:22:20.000000000 +0000 
@@ -0,0 +1,232 @@ +# +# Default interface settings +# + +# IPV4_DEFAULT_GW=nnn.nnn.nnn.nnn|OTHER|OFF|NO|NONE +# IPV4_DEFAULT_GWDEV=eth0 +# IPV6_DEFAULT_GW=nnnn:nnnn:nnnn::n|OTHER|OFF|NO|NONE +# IPV6_DEFAULT_GWDEV=eth0 +# IPV6_DEFAULT_PREFIX=2000::/3 # Default value +# DEFAULT_METRIC=999999999 # Default value +# +# Default Route Setup +# Use this to set the default route if required - ONLY one to be set. +# routed or gated could be used to set this so only use if not running these. +# These routes are installed at metric DEFAULT_METRIC so that netscript +# can identify its own routes. This means that it can delete them if these +# if the IPVn_DEFAULT_GW variables are not set. You can also specify a +# Default prefix for IPv6 as the kernel does some funny things around +# default IPv6 routes. Also, later kernels will only route if next hop is +# an fe80 link local address... +# OTHER|OFF|NO|NONE - stop netscript doing ANYTHING with default routes +# Use if you are going to run a routing daemon such as +# bird, gated, mrtd, routed, or zebra. +#IPV4_DEFAULT_GW=192.0.2.11 +#IPV4_DEFAULT_GWDEV=eth0 +#IPV6_DEFAULT_GW=fe80::1:11 +#IPV6_DEFAULT_GWDEV=eth0 + +############################# +# Bridge Setup - Global stuff +############################# + +# Enable bridging - YES/NO/number of bridges +#BRG_SWITCH=no +# +# AND Additional named bridges to add +#BRG_LIST="brg0 inet0 dmz0 dbase0 admin0" +# +# Remove Bridges from Nefilter - default YES YES/NO +# Only need to turn this off if creating a transparent +# firewall! +#BRG_NETFILTER_REMOVE=YES + +############################################################################### +# Interfaces +############################################################################### + +# IF_AUTO Default: "eth0" +# A space seperated list of interfaces that get started on boot. Tunneling +# interfaces like CIPE should be after the raw interfaces they depend on. 
+# The interfaces are started in the order they occur on the list, and are +# shutdown in the reverse order of IF_LIST. +IF_AUTO="$IF_AUTO" + +# IF_DYNAMIC Default: "" +# A space seperated list of dyanmic interfaces that are not created by +# the loading of a hardware driver etc. Examples are ppp0 et al. +# Insert an interface in here if it does not exist until the software +# program creates it. This is so that you can start these dynamic interfaces +# manually. +#IF_DYNAMIC="ppp0" +IF_DYNAMIC="$IF_DYNAMIC" + +############################# +# Individual Interfaces setup +############################# + +# eth0 stuff +# ---------- +# ADDRESSING +#eth0_IPADDR="0192.0.002.07/24_brd_192.0.2.255 2001:db8:010a:0001::000:007/64" +# +# IP spoofing protection on this interface - YES/NO +#eth0_IP_SPOOF=YES +# +# Kernel logging of spoofed packets on this interface - YES/NO +#eth0_IP_KRNL_LOGMARTIANS=YES +# +# This setting affects the processing of ICMP redirects. Setting it to NO +# makes this more secure. Don't turn this off if you have two IP +# networks/subnets on the same media - YES/NO +#eth0_IP_SHARED_MEDIA=NO +# +# This setting configures the interface to either send redirects or not +# This is useful for use with openvpn, due to the fact it can route packets +# out the same interface they came in on! - YES/NO +#eth0_IP_SEND_REDIRECTS=NO +# +# Interface IPv6 MTU - set to 1280 (minimum) so that tunnelling works +# well without packet fragmentation +#eth0_IPV6_MTU=1500 +# +# Disable IPv6 on this interface - default NO - YES/NO +#eth0_IPV6_DISABLE=NO +# +# Set the interface up in forwarding/non-forwarding configuration modes. This +# setting does not control the forwarding of packets via this interface. Use +# iptables for this. 
In host mode allows the acceptance of ICMP redirects and +# router advertisement packets (overridden by above flags in host mode), as +# well as setting the IsRouter bit in Neighbour advertisements, and whether +# router solicitation packets are sent - YES/NO +#eth0_IPV6_FWDING=YES +# +# Accept ICMP IPv6 redirects in host mode on this interface - YES/NO +#eth0_IPV6_ACCEPT_REDIRECTS=NO +# +# Accept IPv6 Router Adverstisement packets in host mode default YES - YES/NO +#eth0_IPV6_ACCEPT_RA=YES +# +# Accept Prefix for SLAC addressing in IPv6 Router Adverstisement packets +# in host mode default YES - YES/NO +#eth0_IPV6_ACCEPT_RA_PINFO=YES +# +# Accept routes advertised by Router Advertisements. Debian Kernel 2.6.32+ +# This is the threshhold for the bit length of the prefixes accepted. Kernel +# defaults to zero, which means accept none. 64 will accept normal IPv6 routes +#eth0_IPV6_ACCEPT_RA_RT_INFO_MAX_PLEN=64 +# +# Send router solicitations, gives number to send default 3 - YES/NO/0-9 +#eth0_IPV6_ROUTER_SOLICITATIONS=0 +# +# Enable IPV6 privacy extensions, default NO - YES/N0/0-2 +# 1 enables privacy MAC addresses for global addressing, excluding ULA +# prefixes. 2 enables it for all ULA and global addresses, not recomended +#eth0_IPV6_PRIVACY=NO +# +# Set resolvconf details here. It takes /etc/resolv.conf settings as per +# resolv.conf(5) Note that you have to uncomment whole string below! Will take +# \n as well +#eth0_RESOLVCONF="options edns0 inet6\nsearch internal.foo.org foo.org\nnameserver 192.0.2.1" +# +# Automatically start/stop these interfaces if this interface is manually +# started/stopped. Interfaces started in order of list, shutdown in reverse +# order. +#eth0_IF_CHAIN_AUTO="tun0" +# +#Same as above, except for PPP interface. +#ppp0_PPP_CHAIN_AUTO="he0" +# +# Automatically stop these interfaces if this interface is manually stopped. 
+# Interfaces stopped in reverse order of this list before those in +# IF_CHAIN_AUTO +#eth0_IF_CHAIN="" +# +# Bridge this interface - YES/NO/bridge interface +#eth0_BRIDGE=yes +# +# Proxy-arp from this interface, no other config required to turn on proxy ARP! +# - YES/NO +#eth0_PROXY_ARP=NO +# +# Protocol MTU for interface +# - Set to override default interface value +#eth0_MTU=1500 +# +# Multicast setting for interface +# Set to override configuration default - YES/NO|on/off +#eth0_MULTICAST=YES +# +# Simple QoS/fair queueing support +# Turn on Stochastic Fair Queueing - useful on busy DDS links - YES/NO +#eth0_FAIRQ=NO +# +# Ethernet Transmit Queue Length +#eth0_TXQLEN=100 +# +# Complex QoS - Enable all of these + above to turn it on +# Device Bandwidth +#eth0_BNDWIDTH=10Mbit +# +# Queue Handles - both must be unique +# Use for running tunnel daemons or other dynamic inverfaces that +# can be here and gone very rapidly - not needed for async PPP +# eth0_HNDL1=1 +# eth0_HNDL2=2 +# +# Interactive Burst parameters - bandwidth and number of packets +#eth0_IABURST=100 # packets +#eth0_IARATE=1Mbit +# +# Device Physical MTU - includes link layer header +# NB FR has 8 bytes LL header, ethernet 14 +#eth0_PXMTU=1514 +# +# Committed Access Rate +# - if using FR, set to CIR, else to total combined bulk data +# through put (ie eth0_BULKRATE + sum of special queue rates) +#eth0_CARATE=3Mbit +# +# Optional parameters for Complex QoS +# +# Peak Rate +# Use this to set FR Burst capacity +#eth0_PEAKRATE=4MBit +# +# Parameters for Bulk Data bandwidth shaping +# Bulk Rate - set for ordinary traffic. +# MUST MUST MUST be used with special queues +# to indicate the ordinary traffic load. 
Has to satisfy +# BULKRATE <= (CARATE - total_special_queue_bandwidth) +#eth0_BULKRATE=2MBit +# Special Queues - see further down in fair queuing section +# as this needs unique mark values +#eth0_SPQUEUE + + + +# +# DHCP interface setup +# +IF_AUTO="$IF_AUTO eth0" +# Comment out or add change 'eth_' to 'eth0_' +eth0_start () { + if [ -x /sbin/dhclient ]; then + qt /sbin/dhclient $1 + elif [ -x /sbin/dhcpcd ]; then + qt /sbin/dhcpcd -R -N $1 + elif [ -x /sbin/pump ]; then + /sbin/pump -i $1 -h `cat /etc/hostname` + fi +} +# +eth0_stop () { + if [ -f /var/run/dhclient.pid ]; then + qt kill `cat /var/run/dhclient.pid` + elif [ -f "/var/run/dhcpcd-${1}.pid" ]; then + qt /sbin/dhcpcd -k $1 + elif [ -e /var/run/pump.sock ]; then + /sbin/pump -i $1 -r + fi + if_addr_stop $1 +} diff -Nru netscript-2.4-5.4.11ubuntu1/network-ipfilter.conf netscript-2.4-5.5.2/network-ipfilter.conf --- netscript-2.4-5.4.11ubuntu1/network-ipfilter.conf 2015-10-11 04:29:41.000000000 +0000 +++ netscript-2.4-5.5.2/network-ipfilter.conf 2016-12-08 01:54:58.000000000 +0000 @@ -48,9 +48,20 @@ LOG_TARGET=REJECT IPV6_LOG_TARGET=REJECT -############################### +######################################### +## IPv6 ICMP chains - chain output targets +########################################## + +# icmphost output target - Default ACCEPT or RETURN +#IPV6_ICMPHOST_TARGET=ACCEPT + +# icmpfwd output target - ACCEPT or default RETURN +# This has to be RETURN if using the outbrdr chain +#IPV6_ICMPFWD_TARGET=RETURN + +################################ # IPv6 ICMP chains - limit rates -############################### +################################ # NOTE - icmphost target rulle will generate martians chain and hook it in # appropriately diff -Nru netscript-2.4-5.4.11ubuntu1/TODO netscript-2.4-5.5.2/TODO --- netscript-2.4-5.4.11ubuntu1/TODO 2015-10-11 04:29:41.000000000 +0000 +++ netscript-2.4-5.5.2/TODO 2016-12-02 06:28:01.000000000 +0000 
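Review bot: `eth0_stop` kills whatever PID is in `/var/run/dhclient.pid`, a file shared by every dhclient started without `-pf`. Stopping eth0 can therefore terminate the DHCP client of another interface, or an unrelated process if the file is stale. Starting with `qt /sbin/dhclient -pf "/var/run/dhclient.$1.pid" "$1"` and stopping through the same per-interface file keeps the two paired; `$1` should be quoted in the `dhcpcd` and `pump` branches too. The comment `Comment out or add change 'eth_' to 'eth0_'` and the `IF_AUTO Default: "eth0"` text are stale, since the functions are already named `eth0_*` and the script default is now empty.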
@@ -1,4 +1,2 @@ - write better man pages -- create a Makefile to install this stuff on any system -- make protable to Linux Distrubtions other than Debian -- add Makefile options to set install directories etc. +- integrate with firm for better iptables generation/management