From 394bee00f7473c3d397b3d47930999fd9f1f93d1 Mon Sep 17 00:00:00 2001
From: hagbard
Date: Tue, 8 Jan 2019 13:24:48 -0800
Subject: T1135: "firewall send-redirects enable" works only after switching from disabled state on running system - disable send-redirects per default
---
 data/live-build-config/hooks/live/08-sysconf.chroot | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/data/live-build-config/hooks/live/08-sysconf.chroot b/data/live-build-config/hooks/live/08-sysconf.chroot
index 8d1616c0..f6607410 100755
--- a/data/live-build-config/hooks/live/08-sysconf.chroot
+++ b/data/live-build-config/hooks/live/08-sysconf.chroot
@@ -38,6 +38,8 @@ update_sysctl_conf net.ipv4.ip_forward 1 \
 # "enable ipv6 forwarding"
 update_sysctl_conf net.core.rmem_max 223232 \
 "maximize netlink buffers"
+update_sysctl_conf net.ipv4.conf.all.send_redirects 0
+ "disable IPv4 ICMP redirects"
 # Local Variables:
 # mode: shell-script
--
cgit v1.2.3
From f8f6c5d391017796242bb9feb010ba980e280c58 Mon Sep 17 00:00:00 2001
From: hagbard
Date: Tue, 8 Jan 2019 13:54:25 -0800
Subject: Type fixed.
---
 data/live-build-config/hooks/live/08-sysconf.chroot | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/data/live-build-config/hooks/live/08-sysconf.chroot b/data/live-build-config/hooks/live/08-sysconf.chroot
index f6607410..b7b2f831 100755
--- a/data/live-build-config/hooks/live/08-sysconf.chroot
+++ b/data/live-build-config/hooks/live/08-sysconf.chroot
@@ -38,7 +38,7 @@ update_sysctl_conf net.ipv4.ip_forward 1 \
 # "enable ipv6 forwarding"
 update_sysctl_conf net.core.rmem_max 223232 \
 "maximize netlink buffers"
-update_sysctl_conf net.ipv4.conf.all.send_redirects 0
+update_sysctl_conf net.ipv4.conf.all.send_redirects 0 \
 "disable IPv4 ICMP redirects"
 # Local Variables:
--
cgit v1.2.3
From 4f7117243a0dfb78c5af8c82a445d41186726aeb Mon Sep 17 00:00:00 2001
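Review bot: In commit 394bee00 the added `update_sysctl_conf net.ipv4.conf.all.send_redirects 0` line lacks the trailing `\` that the calls above it use, so the shell runs `"disable IPv4 ICMP redirects"` as a command of its own and the helper is called without a description; the line should end `... send_redirects 0 \`. The description is also broader than the setting: this key only stops the router from sending redirects and does not affect whether it accepts them. `"do not send IPv4 ICMP redirects"` would be more accurate for anyone auditing the resulting sysctl settings.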
From: hagbard
Date: Tue, 8 Jan 2019 14:26:16 -0800
Subject: T1135: "firewall send-redirects enable" works only after switching from disabled state on running system - set default to disable too due to the fact that set firewall did expect that at one point. Primarily, IPSec could leak data once a tunnel is established.
---
 data/live-build-config/hooks/live/08-sysconf.chroot | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/data/live-build-config/hooks/live/08-sysconf.chroot b/data/live-build-config/hooks/live/08-sysconf.chroot
index b7b2f831..d403d04b 100755
--- a/data/live-build-config/hooks/live/08-sysconf.chroot
+++ b/data/live-build-config/hooks/live/08-sysconf.chroot
@@ -40,6 +40,8 @@ update_sysctl_conf net.core.rmem_max 223232 \
 "maximize netlink buffers"
 update_sysctl_conf net.ipv4.conf.all.send_redirects 0 \
 "disable IPv4 ICMP redirects"
+update_sysctl_conf net.ipv4.conf.default.send_redirects 0 \
+ "disable IPv4 ICMP redirects"
 # Local Variables:
 # mode: shell-script
--
cgit v1.2.3
From 341531360338ee2642b297f839c2c4644ac1b64d Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Tue, 8 Jan 2019 22:13:34 +0100
Subject: build-submodules: fix bool logic for accel-ppp build
---
 scripts/build-submodules | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/build-submodules b/scripts/build-submodules
index ae9d131c..8cf362c9 100755
--- a/scripts/build-submodules
+++ b/scripts/build-submodules
@@ -241,7 +241,7 @@ build_accel-ppp() {
 return 0
 fi
- if [ -f "packages/vyos-kernel/Makefile" ]; then
+ if [ ! -f "packages/vyos-kernel/Makefile" ]; then
 error_msg "Something wrong with the kernel module?"
 return 1
 fi
--
cgit v1.2.3
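Review bot: In commit 4f711724, setting `all` and `default` to 0 covers only interfaces created after these values are applied. The kernel sends redirects on an interface when either `conf.all.send_redirects` or that interface's own `send_redirects` is set, so an interface that already exists when the settings are loaded keeps its initial value. Whether any interface is registered before that point on this image is not visible here; if one is, the IPsec leak named in the commit message remains possible on it, and its per-interface key has to be cleared when the interface is configured. The two entries also carry an identical description; `"do not send IPv4 ICMP redirects on new interfaces"` on the `default` line would tell them apart.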
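Review bot: In commit 34153136 the message `Something wrong with the kernel module?` printed by the corrected test does not say what was checked, so a failed build gives no hint that `packages/vyos-kernel/Makefile` was not found. The path is also relative, so the result depends on the directory the script is run from; that is worth a comment if it is intended. Suggested wording: `error_msg "packages/vyos-kernel/Makefile not found - is vyos-kernel checked out?"`. `build_accel-ppp` begins and continues outside the hunk, so any earlier directory change is not visible here.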