From c99e540b9c7c16b0ba419d7e6f685f091631104c 2018-11-22 14:28:33 From: Unknown Date: 2018-11-22 14:28:33 Subject: [PATCH] update from master --- diff --git a/bootstrap.d/11-apt.sh b/bootstrap.d/11-apt.sh index f4014e0..544781c 100644 --- a/bootstrap.d/11-apt.sh +++ b/bootstrap.d/11-apt.sh @@ -11,29 +11,23 @@ if [ -z "$APT_PROXY" ] ; then sed -i "s/\"\"/\"${APT_PROXY}\"/" "${ETC_DIR}/apt/apt.conf.d/10proxy" fi -#if [ "$BUILD_KERNEL" = false ] ; then -# echo "Downloading precompiled kernel" -# echo "error: not configured" -# exit 1; -# BUILD_KERNEL=true -#else -# echo "No precompiled kernel repositories were added" -#fi - # Upgrade package index and update all installed packages and changed dependencies chroot_exec apt-get -qq -y update chroot_exec apt-get -qq -y -u dist-upgrade +# Install additional packages if [ "$APT_INCLUDES_LATE" ] ; then chroot_exec apt-get -qq -y install "$(echo "$APT_INCLUDES_LATE" |tr , ' ')" fi +# Install Debian custom packages if [ -d packages ] ; then for package in packages/*.deb ; do cp "$package" "${R}"/tmp chroot_exec dpkg --unpack /tmp/"$(basename "$package")" done fi + chroot_exec apt-get -qq -y -f install chroot_exec apt-get -qq -y check diff --git a/bootstrap.d/20-networking.sh b/bootstrap.d/20-networking.sh index f92e76d..3ca9f60 100644 --- a/bootstrap.d/20-networking.sh +++ b/bootstrap.d/20-networking.sh @@ -95,7 +95,7 @@ fi # Download the firmware binary blob required to use the RPi3 wireless interface if [ "$ENABLE_WIRELESS" = true ] ; then if [ ! -d "${WLAN_FIRMWARE_DIR}" ] ; then - mkdir -p "${WLAN_FIRMWARE_DIR}" + mkdir -p "${WLAN_FIRMWARE_DIR}" fi # Create temporary directory for firmware binary blob 
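Review bot: The new `# Install additional packages` comment now labels a line that cannot install more than one package: `"$(echo "$APT_INCLUDES_LATE" |tr , ' ')"` is double-quoted, so a list like `a,b` reaches apt-get as the single argument `a b` and the run fails with an unknown-package error; this is pre-existing context rather than something this commit introduces, but the comment makes it worth fixing here. Drop the outer quotes so the list word-splits, and mark it as intentional: `# shellcheck disable=SC2046 -- intentional word splitting of the comma list` above `chroot_exec apt-get -qq -y install $(echo "$APT_INCLUDES_LATE" | tr , ' ')`. The `if [ -z "$APT_PROXY" ] ; then` guard shown in the hunk header also looks inverted — the `sed` that writes the proxy runs only when the variable is empty — but that line is outside the hunk and may be handled elsewhere. The `.deb` files installed by `dpkg --unpack` get no signature or checksum check; if `packages/` is meant to hold only locally built artifacts, a comment saying so would help.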
@@ -103,20 +103,21 @@ if [ "$ENABLE_WIRELESS" = true ] ; then
 
 # Fetch firmware binary blob for RPI3B+
 if [ "$RPI_MODEL" = 3P ] ; then
- as_nobody wget -q -O "${temp_dir}/brcmfmac43455-sdio.bin" "${WLAN_FIRMWARE_URL}/brcmfmac43455-sdio.bin"
- as_nobody wget -q -O "${temp_dir}/brcmfmac43455-sdio.txt" "${WLAN_FIRMWARE_URL}/brcmfmac43455-sdio.txt"
- as_nobody wget -q -O "${temp_dir}/brcmfmac43455-sdio.clm_blob" "${WLAN_FIRMWARE_URL}/brcmfmac43455-sdio.clm_blob"
+ # Fetch firmware binary blob for RPi3P
+ as_nobody wget -q -O "${temp_dir}/brcmfmac43455-sdio.bin" "${WLAN_FIRMWARE_URL}/brcmfmac43455-sdio.bin"
+ as_nobody wget -q -O "${temp_dir}/brcmfmac43455-sdio.txt" "${WLAN_FIRMWARE_URL}/brcmfmac43455-sdio.txt"
+ as_nobody wget -q -O "${temp_dir}/brcmfmac43455-sdio.clm_blob" "${WLAN_FIRMWARE_URL}/brcmfmac43455-sdio.clm_blob"
 elif [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 0 ] ; then
- # Fetch firmware binary blob for RPI3
- as_nobody wget -q -O "${temp_dir}/brcmfmac43430-sdio.bin" "${WLAN_FIRMWARE_URL}/brcmfmac43430-sdio.bin"
- as_nobody wget -q -O "${temp_dir}/brcmfmac43430-sdio.txt" "${WLAN_FIRMWARE_URL}/brcmfmac43430-sdio.txt"
+ # Fetch firmware binary blob for RPi3
+ as_nobody wget -q -O "${temp_dir}/brcmfmac43430-sdio.bin" "${WLAN_FIRMWARE_URL}/brcmfmac43430-sdio.bin"
+ as_nobody wget -q -O "${temp_dir}/brcmfmac43430-sdio.txt" "${WLAN_FIRMWARE_URL}/brcmfmac43430-sdio.txt"
 fi
 
 # Move downloaded firmware binary blob
 if [ "$RPI_MODEL" = 3P ] ; then
- mv "${temp_dir}/brcmfmac43455-sdio."* "${WLAN_FIRMWARE_DIR}/"
+ mv "${temp_dir}/brcmfmac43455-sdio."* "${WLAN_FIRMWARE_DIR}/"
 elif [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 0 ] ; then
- mv "${temp_dir}/brcmfmac43430-sdio."* "${WLAN_FIRMWARE_DIR}/"
+ mv "${temp_dir}/brcmfmac43430-sdio."* "${WLAN_FIRMWARE_DIR}/"
 fi
 
 # Remove temporary directory for firmware binary blob
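Review bot: The re-indented `as_nobody wget -q -O ...` lines still install whatever `${WLAN_FIRMWARE_URL}` serves with no integrity check, and a failed download goes unnoticed: `wget -O` truncates the target before fetching, so on a 404 or a network error the empty `brcmfmac*-sdio.*` files are moved into `${WLAN_FIRMWARE_DIR}` and shipped in the image, where the kernel loads them as root. Append `|| exit 1` to each wget line (assuming `as_nobody` returns the wrapped command's status — its definition is not in this diff) and verify each blob against a digest pinned next to `WLAN_FIRMWARE_URL` in the configuration before the `mv`, e.g. `echo "<pinned sha256>  ${temp_dir}/brcmfmac43455-sdio.bin" | sha256sum -c - || exit 1`. Whether the URL is https is not visible here; if it is plain http, anyone on the path can substitute the firmware. The enclosing `if [ "$ENABLE_WIRELESS" = true ]` block starts and ends outside this hunk.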
@@ -124,10 +125,10 @@ if [ "$ENABLE_WIRELESS" = true ] ; then
 
 # Set permissions of the firmware binary blob
 if [ "$RPI_MODEL" = 3P ] ; then
- chown root:root "${WLAN_FIRMWARE_DIR}/brcmfmac43455-sdio."*
- chmod 600 "${WLAN_FIRMWARE_DIR}/brcmfmac43455-sdio."*
+ chown root:root "${WLAN_FIRMWARE_DIR}/brcmfmac43455-sdio."*
+ chmod 600 "${WLAN_FIRMWARE_DIR}/brcmfmac43455-sdio."*
 elif [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 0 ] ; then
- chown root:root "${WLAN_FIRMWARE_DIR}/brcmfmac43430-sdio."*
- chmod 600 "${WLAN_FIRMWARE_DIR}/brcmfmac43430-sdio."*
+ chown root:root "${WLAN_FIRMWARE_DIR}/brcmfmac43430-sdio."*
+ chmod 600 "${WLAN_FIRMWARE_DIR}/brcmfmac43430-sdio."*
 fi
 fi
diff --git a/bootstrap.d/43-videocore.sh b/bootstrap.d/43-videocore.sh
new file mode 100644
index 0000000..d42590c
--- /dev/null
+++ b/bootstrap.d/43-videocore.sh
@@ -0,0 +1,53 @@
+#
+# Setup videocore - Raspberry Userland
+#
+
+# Load utility functions
+. ./functions.sh
+
+if [ "$ENABLE_VIDEOCORE" = true ] ; then
+ # Copy existing videocore sources into chroot directory
+ if [ -n "$VIDEOCORESRC_DIR" ] && [ -d "$VIDEOCORESRC_DIR" ] ; then
+ # Copy local U-Boot sources
+ cp -r "${VIDEOCORESRC_DIR}" "${R}/tmp/userland"
+ else
+ # Create temporary directory for U-Boot sources
+ temp_dir=$(as_nobody mktemp -d)
+
+ # Fetch U-Boot sources
+ as_nobody git -C "${temp_dir}" clone "${VIDEOCORE_URL}"
+
+ # Copy downloaded U-Boot sources
+ mv "${temp_dir}/userland" "${R}/tmp/"
+
+ # Set permissions of the U-Boot sources
+ chown -R root:root "${R}/tmp/userland"
+
+ # Remove temporary directory for U-Boot sources
+ rm -fr "${temp_dir}"
+ fi
+
+ # Create build dir
+ mkdir "${R}"/tmp/userland/build
+
+ # push us to build directory
+ pushd "${R}"/tmp/userland/build
+
+ if [ "$RELEASE_ARCH" = "arm64" ] ; then
+ cmake -DCMAKE_SYSTEM_NAME=Linux -DCMAKE_BUILD_TYPE=release -DARM64=ON -DCMAKE_C_COMPILER=aarch64-linux-gnu-gcc -DCMAKE_CXX_COMPILER=aarch64-linux-gnu-g++ -DCMAKE_ASM_COMPILER=aarch64-linux-gnu-gcc -DCMAKE_C_FLAGS="${CMAKE_C_FLAGS} -U_FORTIFY_SOURCE" -DCMAKE_ASM_FLAGS="${CMAKE_ASM_FLAGS} -c" -DVIDEOCORE_BUILD_DIR="${R}" "${R}/tmp/userland"
+ fi
+
+ if [ "$RELEASE_ARCH" = "armel" ] ; then
+ cmake -DCMAKE_SYSTEM_NAME=Linux -DCMAKE_BUILD_TYPE=release -DCMAKE_C_COMPILER=arm-linux-gnueabi-gcc -DCMAKE_CXX_COMPILER=arm-linux-gnueabi-g++ -DCMAKE_ASM_COMPILER=arm-linux-gnueabi-gcc -DCMAKE_C_FLAGS="${CMAKE_C_FLAGS} -U_FORTIFY_SOURCE" -DCMAKE_ASM_FLAGS="${CMAKE_ASM_FLAGS} -c" -DCMAKE_SYSTEM_PROCESSOR="arm" -DVIDEOCORE_BUILD_DIR="${R}" "${R}/tmp/userland"
+ fi
+
+ if [ "$RELEASE_ARCH" = "armhf" ] ; then
+ cmake -DCMAKE_SYSTEM_NAME=Linux -DCMAKE_BUILD_TYPE=release -DCMAKE_TOOLCHAIN_FILE="${R}"/tmp/userland/makefiles/cmake/toolchains/arm-linux-gnueabihf.cmake -DVIDEOCORE_BUILD_DIR="${R}" "${R}/tmp/userland"
+ fi
+
+ #build userland
+ make -j "$(nproc)"
+
+ #pop us out of build dir
+ popd
+fi
diff --git a/files/iptables/nftables.rules b/files/iptables/nftables.rules
new file mode 100644
index 0000000..6881564
--- /dev/null
+++ b/files/iptables/nftables.rules
@@ -0,0 +1,21 @@
+add table ip filter
+add chain ip filter INPUT { type filter hook input priority 0; }
+add chain ip filter FORWARD { type filter hook forward priority 0; }
+add chain ip filter OUTPUT { type filter hook output priority 0; }
+add chain ip filter TCP
+add chain ip filter UDP
+add chain ip filter SSH
+add rule ip filter INPUT icmp type echo-request limit rate 30/minute burst 8 packets counter accept
+add rule ip filter INPUT icmp type echo-request counter drop
+add rule ip filter INPUT ct state related,established counter accept
+add rule ip filter INPUT iifname lo counter accept
+add rule ip filter INPUT ct state invalid counter drop
+add rule ip filter INPUT tcp dport 22 ct state new counter jump SSH
+# -t filter -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
+# -t filter -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
+# -t filter -A SSH -m recent --name sshbf --set -j ACCEPT
+add rule ip filter INPUT ip protocol udp ct state new counter jump UDP
+add rule ip filter INPUT tcp flags & fin|syn|rst|ack == syn ct state new counter jump TCP
+add rule ip filter INPUT ip protocol udp counter reject
+add rule ip filter INPUT ip protocol tcp counter reject with tcp reset
+add rule ip filter INPUT counter reject with icmp type prot-unreachable
diff --git a/files/iptables/nftables6.rules b/files/iptables/nftables6.rules
new file mode 100644
index 0000000..38f1755
--- /dev/null
+++ b/files/iptables/nftables6.rules
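Review bot: `as_nobody git -C "${temp_dir}" clone "${VIDEOCORE_URL}"` fetches an unpinned HEAD, and the following `cmake` and `make -j "$(nproc)"` then build it as root on the build host with no error check, so whoever controls that repository (or the transport, if the URL is not https) gets code execution during the build and into the image; pin a known ref and fail on error, e.g. `as_nobody git -C "${temp_dir}" clone --depth 1 "${VIDEOCORE_URL}" userland || exit 1`, followed by a `git -C "${temp_dir}/userland" checkout` of a commit kept in the configuration (a new variable), and `make -j "$(nproc)" || exit 1`. The arm64 and armel `cmake` lines also pass `-U_FORTIFY_SOURCE`, which switches off the libc buffer-overflow checks for the whole userland build; if it works around a build failure, say so in a comment, otherwise drop it. Every comment in the fetch branch says `U-Boot` although the code clones and moves `userland`; rename them, e.g. `# Fetch userland sources`. Note too that `mv "${temp_dir}/userland"` relies on the clone directory being called `userland`, which follows from the URL's last path component unless the clone names it explicitly, and that `pushd`/`popd` are bash builtins that fail under a plain `/bin/sh` (the interpreter of the script sourcing this file is not visible here).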
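Review bot: The `SSH` chain that `tcp dport 22 ct state new counter jump SSH` targets has no rules, because the three `recent` lines below it are iptables syntax left as comments, so an SSH SYN returns to `INPUT`, may jump into the equally empty `TCP` chain, and ends at `ip protocol tcp counter reject with tcp reset` — unless another script appends to `SSH` or `TCP`, port 22 is unreachable with this file loaded. Give the chain an nft equivalent, e.g. `add rule ip filter SSH meter sshbf { ip saddr limit rate over 3/minute burst 3 packets } counter drop` followed by `add rule ip filter SSH counter accept` (the `meter` form needs nft 0.8+; newer releases spell it as a dynamic set), and delete the dead iptables comments. `tcp flags & fin|syn|rst|ack == syn` also needs parentheses: nft applies C precedence, so `&` binds tighter than `|` and the mask becomes `fin` alone — write `tcp flags & (fin|syn|rst|ack) == syn` as the nft documentation does. `FORWARD` and `OUTPUT` are declared without a policy and carry no rules, so they accept everything; if the iptables rules these replace dropped forwarded traffic, add `policy drop;` to the `FORWARD` declaration.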
@@ -0,0 +1,24 @@
+add table ip6 filter
+add chain ip6 filter INPUT { type filter hook input priority 0; }
+add chain ip6 filter FORWARD { type filter hook forward priority 0; }
+add chain ip6 filter OUTPUT { type filter hook output priority 0; }
+add chain ip6 filter TCP
+add chain ip6 filter UDP
+add chain ip6 filter SSH
+add rule ip6 filter INPUT rt type 0 counter drop
+add rule ip6 filter OUTPUT rt type 0 counter drop
+add rule ip6 filter FORWARD rt type 0 counter drop
+add rule ip6 filter INPUT meta l4proto ipv6-icmp icmpv6 type echo-request limit rate 30/minute burst 8 packets counter accept
+add rule ip6 filter INPUT meta l4proto ipv6-icmp icmpv6 type echo-request counter drop
+add rule ip6 filter INPUT ct state related,established counter accept
+add rule ip6 filter INPUT iifname lo counter accept
+add rule ip6 filter INPUT ct state invalid counter drop
+add rule ip6 filter INPUT tcp dport 22 ct state new counter jump SSH
+# -t filter -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
+# -t filter -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
+# -t filter -A SSH -m recent --name sshbf --set -j ACCEPT
+add rule ip6 filter INPUT meta l4proto udp ct state new counter jump UDP
+add rule ip6 filter INPUT tcp flags & fin|syn|rst|ack == syn ct state new counter jump TCP
+add rule ip6 filter INPUT meta l4proto udp counter reject with icmpv6 type admin-prohibited
+add rule ip6 filter INPUT meta l4proto tcp counter reject with icmpv6 type admin-prohibited
+add rule ip6 filter INPUT counter reject with icmpv6 type admin-prohibited
diff --git a/rpi23-gen-image.sh b/rpi23-gen-image.sh
index aca9d5d..4b80786 100755
--- a/rpi23-gen-image.sh
+++ b/rpi23-gen-image.sh
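Review bot: Nothing in this ruleset accepts Neighbor Discovery — the only ICMPv6 allowed is `echo-request` — and NDP messages are not connection-tracked (they match neither `established` nor, on current kernels, `invalid`), so neighbor solicitations and router advertisements fall through to the final `reject with icmpv6 type admin-prohibited` and, as far as I can see, the host can neither be reached over IPv6 nor finish SLAAC. Add, before the `ct state invalid` drop, `add rule ip6 filter INPUT meta l4proto ipv6-icmp icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, nd-redirect } ip6 hlim 255 counter accept`, and MLD (`mld-listener-query` etc.) if multicast matters. The same empty-`SSH`-chain problem as in nftables.rules applies: with the `recent` rules left as iptables comments, new SSH connections end at `meta l4proto tcp counter reject with icmpv6 type admin-prohibited` unless another script fills `SSH` or `TCP`, and `tcp flags & fin|syn|rst|ack == syn` needs parentheses around the mask for the same precedence reason.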
@@ -253,11 +253,12 @@ if [ -n "$SET_ARCH" ] ; then
 # 64 bit config
 ##################################
 if [ "$SET_ARCH" = 64 ] ; then
- # 64 bit depended settings
+ # General 64 bit depended settings
 QEMU_BINARY=${QEMU_BINARY:=/usr/bin/qemu-aarch64-static}
 KERNEL_ARCH=${KERNEL_ARCH:=arm64}
 KERNEL_BIN_IMAGE=${KERNEL_BIN_IMAGE:="Image"}
 
+ # Board specific settings
 if [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then
 REQUIRED_PACKAGES="${REQUIRED_PACKAGES} crossbuild-essential-arm64"
 KERNEL_DEFCONFIG=${KERNEL_DEFCONFIG:=bcmrpi3_defconfig}
@@ -265,21 +266,19 @@ if [ -n "$SET_ARCH" ] ; then
 KERNEL_IMAGE=${KERNEL_IMAGE:=kernel8.img}
 CROSS_COMPILE=${CROSS_COMPILE:=aarch64-linux-gnu-}
 else
- echo "error: Only Raspberry PI 3 and 3B+ support 64bit"
+ echo "error: Only Raspberry PI 3 and 3B+ support 64 bit"
 exit 1
 fi
 fi
 
- ##################################
- # 32 bit config
- ##################################
+ # 32 bit configuration
 if [ "$SET_ARCH" = 32 ] ; then
- #General 32bit configuration
+ # General 32 bit dependend settings
 QEMU_BINARY=${QEMU_BINARY:=/usr/bin/qemu-arm-static}
 KERNEL_ARCH=${KERNEL_ARCH:=arm}
 KERNEL_BIN_IMAGE=${KERNEL_BIN_IMAGE:="zImage"}
 
- #Raspberry setting grouped by board compability
+ # Hardware specific settings
 if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 1 ] || [ "$RPI_MODEL" = 1P ] ; then
 REQUIRED_PACKAGES="${REQUIRED_PACKAGES} crossbuild-essential-armel"
 KERNEL_DEFCONFIG=${KERNEL_DEFCONFIG:=bcmrpi_defconfig}
@@ -287,6 +286,8 @@ if [ -n "$SET_ARCH" ] ; then
 KERNEL_IMAGE=${KERNEL_IMAGE:=kernel.img}
 CROSS_COMPILE=${CROSS_COMPILE:=arm-linux-gnueabi-}
 fi
+
+ # Hardware specific settings
 if [ "$RPI_MODEL" = 2 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then
 REQUIRED_PACKAGES="${REQUIRED_PACKAGES} crossbuild-essential-armhf"
 KERNEL_DEFCONFIG=${KERNEL_DEFCONFIG:=bcm2709_defconfig}
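Review bot: The new comments carry two spellings of the same typo — `# General 64 bit depended settings` in the first hunk and `# General 32 bit dependend settings` in the second — where `dependent` is meant in both. The second hunk also replaces the old `32 bit config` banner with `# 32 bit configuration` while the 64-bit section above keeps its `##################################` banner, and the armel block is headed `# Hardware specific settings` where the 64-bit block says `# Board specific settings`; using one banner style and one heading for the parallel sections would keep them readable side by side.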
@@ -300,8 +301,7 @@ else
 echo "error: Please set '32' or '64' as value for SET_ARCH"
 exit 1
 fi
-
- #Device specific configuration
+ # Device specific configuration and U-Boot configuration
 case "$RPI_MODEL" in
 0)
 DTB_FILE=${DTB_FILE:=bcm2708-rpi-0-w.dtb}
@@ -352,6 +352,7 @@ if [ -n "$DISABLE_UNDERVOLT_WARNINGS" ] ; then
 fi
 fi
 
+# Add cmake to compile videocore sources
 if [ "$ENABLE_VIDEOCORE" = true ] ; then
 REQUIRED_PACKAGES="${REQUIRED_PACKAGES} cmake"
 fi
@@ -564,6 +565,11 @@ if [ "$ENABLE_REDUCE" = true ] ; then
 fi
 fi
 
+# Configure systemd-sysv exclude to make halt/reboot/shutdown scripts available
+if [ "$ENABLE_SYSVINIT" = false ] ; then
+ APT_EXCLUDES="--exclude=${APT_EXCLUDES},init,systemd-sysv"
+fi
+
 # Configure kernel sources if no KERNELSRC_DIR
 if [ "$BUILD_KERNEL" = true ] && [ -z "$KERNELSRC_DIR" ] ; then
 KERNELSRC_CONFIG=true
diff --git a/templates/rpi3-stretch-arm64-4.14.y b/templates/rpi3-stretch-arm64-4.14.y
new file mode 100644
index 0000000..0c5cfaf
--- /dev/null
+++ b/templates/rpi3-stretch-arm64-4.14.y
@@ -0,0 +1,15 @@
+# Configuration template file used by rpi23-gen-image.sh
+# Debian Stretch using the Arm64 for kernel compilation and Debian distribution.
+
+RPI_MODEL=3
+RELEASE=stretch
+BUILD_KERNEL=true
+KERNEL_ARCH=arm64
+RELEASE_ARCH=arm64
+CROSS_COMPILE=aarch64-linux-gnu-
+QEMU_BINARY=/usr/bin/qemu-aarch64-static
+KERNEL_DEFCONFIG=bcmrpi3_defconfig
+KERNEL_BIN_IMAGE=Image
+KERNEL_IMAGE=kernel8.img
+KERNEL_BRANCH=rpi-4.14.y
+ENABLE_WIRELESS=true
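Review bot: `APT_EXCLUDES="--exclude=${APT_EXCLUDES},init,systemd-sysv"` in the `@@ -564` hunk yields `--exclude=,init,systemd-sysv` whenever `APT_EXCLUDES` is empty (a leading empty list element), and if an earlier part of the script — not visible here — already turned `APT_EXCLUDES` into a `--exclude=` option, it doubles the prefix. Build the option only from what is set: `APT_EXCLUDES="--exclude=${APT_EXCLUDES:+${APT_EXCLUDES},}init,systemd-sysv"`. The comment `# Configure systemd-sysv exclude to make halt/reboot/shutdown scripts available` reads as the opposite of what the line does, since excluding `init` and `systemd-sysv` is what removes those wrappers and the `/sbin/init` link from the debootstrap; say what the exclusion is for and which later step supplies the init entry point, e.g. `# With sysvinit disabled, keep debootstrap from installing init/systemd-sysv; <step> provides the init entry point instead`.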