ppp: Fixes bug#13164 - Update to version 2.5.0

Message ID 20230702095432.3804-1-adolf.belka@ipfire.org
State Staged
Commit 27a3ef9834eed9d17e89b7751823998bf309a1f5
Series ppp: Fixes bug#13164 - Update to version 2.5.0

Commit Message

Adolf Belka July 2, 2023, 9:54 a.m. UTC
  - Update from version 2.4.9 to 2.5.0
   This includes breaking changes for third-party plugins but as far as I can see IPFire
    is not using any third party plugins
- Update of rootfile
- Update of patches and sed commands
   - pcap-int.h and if_pppol2tp.h files have not been in source file since at least 2014
   - Some of the patches required updates as additional lines needing to be patched are
      now present. This was related to the O_CLOEXEC & SOCK_CLOEXEC related patches
   - connect-errors file location is now defined by a configure command --with-logfile-dir
- install-etcppp is no longer provided. However the install command in this version still
   has the same files available in /etc/ppp as previously. There is a new file,
   openssl.cnf, which I have commented out. If it is required in future it can always be
   uncommented in future releases.
- Build went without any problems with the updated patches.
- I cannot test this as I don't use ppp, however the original bug reporter has agreed to
   test this out when it is released into Testing unless anyone else is capable of testing
   it.
- Changelog
    What's new in ppp-2.5.0.
	The 2.5.0 release is a major release of pppd which contains breaking
	 changes for third-party plugins, a complete revamp of the build-system
	 and that allows for flexibility of configuring features as needed.
	In Summary:
		* Support for PEAP authentication by Eivind Næss and Rustam Kovhaev
		* Support for loading PKCS12 certificate envelopes
		* Adoption of GNU Autoconf / Automake build environment, by Eivind Næss
		  and others.
		* Support for pkgconfig tool has been added by Eivind Næss.
		* Bunch of fixes and cleanup to PPPoE and IPv6 support by Pali Rohár.
		* Major revision to PPPD's Plugin API by Eivind Næss.
		  - Defines in which describes what features was included in pppd
		  - Functions now prefixed with explicit ppp_* to indicate that
		    pppd functions being called.
		  - Header files were renamed to better align with their features,
		    and now use proper include guards
		  - A pppdconf.h file is supplied to allow third-party modules to use
		    the same feature defines pppd was compiled with.
		  - No extern declarations of internal variable names of pppd,
		    continued use of these extern variables are considered
		    unstable.
		* Lots of internal fixes and cleanups for Radius and PPPoE by Jaco Kroon
		* Dropped IPX support, as Linux has dropped support in version 5.15
		  for this protocol.
		* Many more fixes and cleanups.
		* Pppd is no longer installed setuid-root.
		* New pppd options:
		  - ipv6cp-noremote, ipv6cp-nosend, ipv6cp-use-remotenumber,
		    ipv6-up-script, ipv6-down-script
		  - -v, show-options
		  - usepeerwins, ipcp-no-address, ipcp-no-addresses, nosendip
		* On Linux, any baud rate can be set on a serial port provided the
		  kernel serial driver supports that.
	Note that if you have built and installed previous versions of this
	 package and you want to continue having configuration and TDB files in
	 /etc/ppp, you will need to use the --sysconfdir option to ./configure.
	For a list of the changes made during the 2.4 series releases of this
	 package, see the Changes-2.4 file.
	Compression methods.
		This package supports two packet compression methods: Deflate and
		 BSD-Compress.  Other compression methods which are in common use
		 include Predictor, LZS, and MPPC.  These methods are not supported for
		 two reasons - they are patent-encumbered, and they cause some packets
		 to expand slightly, which pppd doesn't currently allow for.
		 BSD-Compress and Deflate (which uses the same algorithm as gzip) don't
		 ever expand packets.

Fixes: bug#13164
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 config/rootfiles/common/ppp                   |  58 +++---
 lfs/ppp                                       |  28 +--
 ...se-SOCK_CLOEXEC-when-creating-socket.patch | 165 ------------------
 ...ppp-2.4.6-increase-max-padi-attempts.patch |  13 --
 src/patches/ppp/ppp-2.4.7-headers_4.9.patch   |  12 --
 ...-configure-to-handle-cflags-properly.patch |  15 --
 ...don-t-want-to-accidentally-leak-fds.patch} | 115 +++++++-----
 ...2.5.0-2-everywhere-O_CLOEXEC-harder.patch} | 136 ++++++---------
 ...se-SOCK_CLOEXEC-when-creating-socket.patch | 135 ++++++++++++++
 ...p-2.5.0-4-increase-max-padi-attempts.patch |  12 ++
 src/patches/ppp/ppp-2.5.0-5-headers_4.9.patch |  12 ++
 ...-configure-to-handle-cflags-properly.patch |  18 ++
 12 files changed, 344 insertions(+), 375 deletions(-)
 delete mode 100644 src/patches/ppp/0014-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch
 delete mode 100644 src/patches/ppp/ppp-2.4.6-increase-max-padi-attempts.patch
 delete mode 100644 src/patches/ppp/ppp-2.4.7-headers_4.9.patch
 delete mode 100644 src/patches/ppp/ppp-2.4.9-patch-configure-to-handle-cflags-properly.patch
 rename src/patches/ppp/{0012-pppd-we-don-t-want-to-accidentally-leak-fds.patch => ppp-2.5.0-1-we-don-t-want-to-accidentally-leak-fds.patch} (54%)
 rename src/patches/ppp/{0013-everywhere-O_CLOEXEC-harder.patch => ppp-2.5.0-2-everywhere-O_CLOEXEC-harder.patch} (63%)
 create mode 100644 src/patches/ppp/ppp-2.5.0-3-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch
 create mode 100644 src/patches/ppp/ppp-2.5.0-4-increase-max-padi-attempts.patch
 create mode 100644 src/patches/ppp/ppp-2.5.0-5-headers_4.9.patch
 create mode 100644 src/patches/ppp/ppp-2.5.0-6-patch-configure-to-handle-cflags-properly.patch
  

Comments

Michael Tremer July 3, 2023, 2:11 p.m. UTC | #1
Hello Adolf,

This might be a tricky version update...

> On 2 Jul 2023, at 10:54, Adolf Belka <adolf.belka@ipfire.org> wrote:
> 
> - Update from version 2.4.9 to 2.5.0
>   This includes breaking changes for third-party plugins but as far as I can see IPFire
>    is not using any third party plugins

No, we should no longer build the Roaring Penguin PPPoE plugin from their source, but use the included one.

> - Update of rootfile
> - Update of patches and sed commands
>   - pcap-int.h and if_pppol2tp.h files have not been in source file since at least 2014
>   - Some of the patches required updates as additional lines needing to be patched are
>      now present. This was related to the O_CLOEXEC & SOCK_CLOEXEC related patches

Yes, these can go. We should be able to rely on upstream to build this for modern OSes.

>   - connect-errors file location is now defined by a configure command --with-logfile-dir
> - install-etcppp is no longer provided. However the install command in this version still
>   has the same files available in /etc/ppp as previously. There is a new file,
>   openssl.cnf, which I have commented out. If it is required in future it can always be
>   uncommented in future releases.
> - Build went without any problems with the updated patches.
> - I cannot test this as I don't use ppp, however the original bug reporter has agreed to
>   test this out when it is released into Testing unless anyone else is capable of testing
>   it.

So, we didn’t have any issues with this in the past; however, if we break this, then people won’t have an Internet connection any more to download any fixes. So let’s please make sure that we give this all extra attention and this won’t happen.

Sadly, I don’t have a PPP connection either.

Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>

> - Changelog
>    What's new in ppp-2.5.0.
> The 2.5.0 release is a major release of pppd which contains breaking
> changes for third-party plugins, a complete revamp of the build-system
> and that allows for flexibility of configuring features as needed.
> In Summary:
> * Support for PEAP authentication by Eivind Næss and Rustam Kovhaev
> * Support for loading PKCS12 certificate envelopes
> * Adoption of GNU Autoconf / Automake build environment, by Eivind Næss
>  and others.
> * Support for pkgconfig tool has been added by Eivind Næss.
> * Bunch of fixes and cleanup to PPPoE and IPv6 support by Pali Rohár.
> * Major revision to PPPD's Plugin API by Eivind Næss.
>  - Defines in which describes what features was included in pppd
>  - Functions now prefixed with explicit ppp_* to indicate that
>    pppd functions being called.
>  - Header files were renamed to better align with their features,
>    and now use proper include guards
>  - A pppdconf.h file is supplied to allow third-party modules to use
>    the same feature defines pppd was compiled with.
>  - No extern declarations of internal variable names of pppd,
>    continued use of these extern variables are considered
>    unstable.
> * Lots of internal fixes and cleanups for Radius and PPPoE by Jaco Kroon
> * Dropped IPX support, as Linux has dropped support in version 5.15
>  for this protocol.
> * Many more fixes and cleanups.
> * Pppd is no longer installed setuid-root.

CAP_NET_ADMIN should be sufficient. We will however still run pppd as root only.

> * New pppd options:
>  - ipv6cp-noremote, ipv6cp-nosend, ipv6cp-use-remotenumber,
>    ipv6-up-script, ipv6-down-script
>  - -v, show-options
>  - usepeerwins, ipcp-no-address, ipcp-no-addresses, nosendip
> * On Linux, any baud rate can be set on a serial port provided the
>  kernel serial driver supports that.
> Note that if you have built and installed previous versions of this
> package and you want to continue having configuration and TDB files in
> /etc/ppp, you will need to use the --sysconfdir option to ./configure.
> For a list of the changes made during the 2.4 series releases of this
> package, see the Changes-2.4 file.
> Compression methods.
> This package supports two packet compression methods: Deflate and
> BSD-Compress.  Other compression methods which are in common use
> include Predictor, LZS, and MPPC.  These methods are not supported for
> two reasons - they are patent-encumbered, and they cause some packets
> to expand slightly, which pppd doesn't currently allow for.
> BSD-Compress and Deflate (which uses the same algorithm as gzip) don't
> ever expand packets.

-Michael

> Fixes: bug#13164
> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
> ---
> config/rootfiles/common/ppp                   |  58 +++---
> lfs/ppp                                       |  28 +--
> ...se-SOCK_CLOEXEC-when-creating-socket.patch | 165 ------------------
> ...ppp-2.4.6-increase-max-padi-attempts.patch |  13 --
> src/patches/ppp/ppp-2.4.7-headers_4.9.patch   |  12 --
> ...-configure-to-handle-cflags-properly.patch |  15 --
> ...don-t-want-to-accidentally-leak-fds.patch} | 115 +++++++-----
> ...2.5.0-2-everywhere-O_CLOEXEC-harder.patch} | 136 ++++++---------
> ...se-SOCK_CLOEXEC-when-creating-socket.patch | 135 ++++++++++++++
> ...p-2.5.0-4-increase-max-padi-attempts.patch |  12 ++
> src/patches/ppp/ppp-2.5.0-5-headers_4.9.patch |  12 ++
> ...-configure-to-handle-cflags-properly.patch |  18 ++
> 12 files changed, 344 insertions(+), 375 deletions(-)
> delete mode 100644 src/patches/ppp/0014-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch
> delete mode 100644 src/patches/ppp/ppp-2.4.6-increase-max-padi-attempts.patch
> delete mode 100644 src/patches/ppp/ppp-2.4.7-headers_4.9.patch
> delete mode 100644 src/patches/ppp/ppp-2.4.9-patch-configure-to-handle-cflags-properly.patch
> rename src/patches/ppp/{0012-pppd-we-don-t-want-to-accidentally-leak-fds.patch => ppp-2.5.0-1-we-don-t-want-to-accidentally-leak-fds.patch} (54%)
> rename src/patches/ppp/{0013-everywhere-O_CLOEXEC-harder.patch => ppp-2.5.0-2-everywhere-O_CLOEXEC-harder.patch} (63%)
> create mode 100644 src/patches/ppp/ppp-2.5.0-3-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch
> create mode 100644 src/patches/ppp/ppp-2.5.0-4-increase-max-padi-attempts.patch
> create mode 100644 src/patches/ppp/ppp-2.5.0-5-headers_4.9.patch
> create mode 100644 src/patches/ppp/ppp-2.5.0-6-patch-configure-to-handle-cflags-properly.patch
> 
> diff --git a/config/rootfiles/common/ppp b/config/rootfiles/common/ppp
> index d61fdf811..6098fa7c3 100644
> --- a/config/rootfiles/common/ppp
> +++ b/config/rootfiles/common/ppp
> @@ -7,49 +7,57 @@ etc/ppp/dialer
> etc/ppp/ioptions
> etc/ppp/ip-down
> etc/ppp/ip-up
> +#etc/ppp/openssl.cnf
> etc/ppp/options
> etc/ppp/pap-secrets
> etc/ppp/standardloginscript
> #usr/include/pppd
> +#usr/include/pppd/cbcp.h
> #usr/include/pppd/ccp.h
> -#usr/include/pppd/chap-new.h
> +#usr/include/pppd/chap.h
> #usr/include/pppd/chap_ms.h
> -#usr/include/pppd/eap-tls.h
> +#usr/include/pppd/crypto.h
> +#usr/include/pppd/crypto_ms.h
> #usr/include/pppd/eap.h
> #usr/include/pppd/ecp.h
> #usr/include/pppd/eui64.h
> #usr/include/pppd/fsm.h
> #usr/include/pppd/ipcp.h
> #usr/include/pppd/ipv6cp.h
> -#usr/include/pppd/ipxcp.h
> #usr/include/pppd/lcp.h
> #usr/include/pppd/magic.h
> -#usr/include/pppd/md4.h
> -#usr/include/pppd/md5.h
> #usr/include/pppd/mppe.h
> -#usr/include/pppd/patchlevel.h
> -#usr/include/pppd/pathnames.h
> -#usr/include/pppd/pppcrypt.h
> +#usr/include/pppd/multilink.h
> +#usr/include/pppd/options.h
> #usr/include/pppd/pppd.h
> +#usr/include/pppd/pppdconf.h
> #usr/include/pppd/session.h
> -#usr/include/pppd/sha1.h
> -#usr/include/pppd/spinlock.h
> -#usr/include/pppd/tdb.h
> #usr/include/pppd/upap.h
> +#usr/lib/pkgconfig/pppd.pc
> usr/lib/pppd
> -usr/lib/pppd/2.4.9
> -usr/lib/pppd/2.4.9/minconn.so
> -usr/lib/pppd/2.4.9/openl2tp.so
> -usr/lib/pppd/2.4.9/passprompt.so
> -usr/lib/pppd/2.4.9/passwordfd.so
> -usr/lib/pppd/2.4.9/pppoatm.so
> -usr/lib/pppd/2.4.9/pppoe.so
> -usr/lib/pppd/2.4.9/pppol2tp.so
> -usr/lib/pppd/2.4.9/radattr.so
> -usr/lib/pppd/2.4.9/radius.so
> -usr/lib/pppd/2.4.9/radrealms.so
> -usr/lib/pppd/2.4.9/rp-pppoe.so
> -usr/lib/pppd/2.4.9/winbind.so
> +usr/lib/pppd/2.5.0
> +#usr/lib/pppd/2.5.0/minconn.la
> +usr/lib/pppd/2.5.0/minconn.so
> +#usr/lib/pppd/2.5.0/openl2tp.la
> +usr/lib/pppd/2.5.0/openl2tp.so
> +#usr/lib/pppd/2.5.0/passprompt.la
> +usr/lib/pppd/2.5.0/passprompt.so
> +#usr/lib/pppd/2.5.0/passwordfd.la
> +usr/lib/pppd/2.5.0/passwordfd.so
> +#usr/lib/pppd/2.5.0/pppoatm.la
> +usr/lib/pppd/2.5.0/pppoatm.so
> +#usr/lib/pppd/2.5.0/pppoe.la
> +usr/lib/pppd/2.5.0/pppoe.so
> +#usr/lib/pppd/2.5.0/pppol2tp.la
> +usr/lib/pppd/2.5.0/pppol2tp.so
> +#usr/lib/pppd/2.5.0/radattr.la
> +usr/lib/pppd/2.5.0/radattr.so
> +#usr/lib/pppd/2.5.0/radius.la
> +usr/lib/pppd/2.5.0/radius.so
> +#usr/lib/pppd/2.5.0/radrealms.la
> +usr/lib/pppd/2.5.0/radrealms.so
> +#usr/lib/pppd/2.5.0/winbind.la
> +usr/lib/pppd/2.5.0/winbind.so
> usr/sbin/chat
> usr/sbin/pppd
> usr/sbin/pppdump
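
Review bot: `usr/lib/pppd/2.4.9/rp-pppoe.so` is removed in this hunk and the 2.5.0 list has no `rp-pppoe.so` entry, only `pppoe.so`, so any pppd invocation or peers file that still says `plugin rp-pppoe.so` will fail to load its plugin after the update. Please check that everything starting pppd references `pppoe.so`, or ship a compatibility symlink in the rootfile. The same applies to anything that uses the absolute `usr/lib/pppd/2.4.9/` path, which disappears with this hunk.
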
> @@ -60,5 +68,7 @@ usr/sbin/pppstats
> #usr/share/man/man8/pppd-radius.8
> #usr/share/man/man8/pppd.8
> #usr/share/man/man8/pppdump.8
> +#usr/share/man/man8/pppoe-discovery.8
> #usr/share/man/man8/pppstats.8
> var/log/connect-errors
> +
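
Review bot: The last line of this hunk adds an empty line after `var/log/connect-errors`, which leaves a blank entry at the end of the rootfile. Please drop the trailing `+` line so the file still ends on `var/log/connect-errors`.
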
> diff --git a/lfs/ppp b/lfs/ppp
> index fb46d8aac..fc4528ece 100644
> --- a/lfs/ppp
> +++ b/lfs/ppp
> @@ -1,7 +1,7 @@
> ###############################################################################
> #                                                                             #
> # IPFire.org - A linux based firewall                                         #
> -# Copyright (C) 2007-2021  IPFire Team  <info@ipfire.org>                     #
> +# Copyright (C) 2007-2023  IPFire Team  <info@ipfire.org>                     #
> #                                                                             #
> # This program is free software: you can redistribute it and/or modify        #
> # it under the terms of the GNU General Public License as published by        #
> @@ -24,7 +24,7 @@
> 
> include Config
> 
> -VER        = 2.4.9
> +VER        = 2.5.0
> 
> THISAPP    = ppp-$(VER)
> DL_FILE    = $(THISAPP).tar.gz
> @@ -42,7 +42,7 @@ objects = $(DL_FILE)
> 
> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
> 
> -$(DL_FILE)_BLAKE2 = 2cc885c32b7d33dc48766097f1f4c9cd0754924a8c0630ccaa58b2989e6b43a197ca0d41f5f16956c395278a12023d490e085f5635e23b53c5603ba61cfc40d5
> +$(DL_FILE)_BLAKE2 = 6a0e9efcbff3cb499705071cc7d0e3411cf4871fd53b2bfedbb1f2cf3ad80728eb436050cf33b78e36d473be64f15907a21da17f283337455f0af379bc18272d
> 
> install : $(TARGET)
> 
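
Review bot: The `$(DL_FILE)_BLAKE2` value is replaced, but neither this hunk nor the commit message says where the 2.5.0 tarball came from or how it was checked. Please state in the commit message that the digest was computed from the upstream release tarball, and whether an upstream signature or published checksum was compared, since this digest is what the build pins the download to.
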
> @@ -72,18 +72,20 @@ $(subst %,%_BLAKE2,$(objects)) :
> $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
> @$(PREBUILD)
> @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
> - cd $(DIR_APP) && rm -f include/pcap-int.h include/linux/if_pppol2tp.h
> - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/0012-pppd-we-don-t-want-to-accidentally-leak-fds.patch
> - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/0013-everywhere-O_CLOEXEC-harder.patch
> - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/0014-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch
> - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/ppp-2.4.6-increase-max-padi-attempts.patch
> - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/ppp-2.4.7-headers_4.9.patch
> - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/ppp-2.4.9-patch-configure-to-handle-cflags-properly.patch
> - cd $(DIR_APP) && sed -i -e "s+/etc/ppp/connect-errors+/var/log/connect-errors+" pppd/pathnames.h
> - cd $(DIR_APP) && ./configure --prefix=/usr --cc="gcc" --cflags="$(CFLAGS)" --disable-nls
> + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/ppp/ppp-2.5.0-1-we-don-t-want-to-accidentally-leak-fds.patch
> + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/ppp/ppp-2.5.0-2-everywhere-O_CLOEXEC-harder.patch
> + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/ppp/ppp-2.5.0-3-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch
> + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/ppp/ppp-2.5.0-4-increase-max-padi-attempts.patch
> + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/ppp/ppp-2.5.0-5-headers_4.9.patch
> + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/ppp-2.5.0-6-patch-configure-to-handle-cflags-properly.patch
> + cd $(DIR_APP) && ./configure \
> + --prefix=/usr \
> + --sysconfdir=/etc \
> + --with-logfile-dir=/var/log \
> + cc="gcc" \
> + cflags="$(CFLAGS)"
> cd $(DIR_APP) && make $(MAKETUNING)
> cd $(DIR_APP) && make install
> - cd $(DIR_APP) && make install-etcppp
> touch /var/log/connect-errors
> -mkdir -p /etc/ppp
> for i in $(DIR_SRC)/src/ppp/* ; do \
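
Review bot: In the new `./configure` call, `cc="gcc"` and `cflags="$(CFLAGS)"` are passed as lower-case assignments. The old hand-written script took `--cc=` and `--cflags=`, but an Autoconf-generated configure only honours the upper-case `CC=` and `CFLAGS=` variables, so unless patch 6 changes that, the distribution's `$(CFLAGS)` (which is where any hardening flags would come from) would be silently ignored. Suggest `CC="gcc" CFLAGS="$(CFLAGS)"` and a look at the compiler lines in the build log to confirm the flags arrive. Two further changes in this hunk deserve a sentence in the commit message: `--disable-nls` is dropped, and patches 1 to 5 are applied with `-Np0` while patch 6 still uses `-Np1`.
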
> diff --git a/src/patches/ppp/0014-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch b/src/patches/ppp/0014-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch
> deleted file mode 100644
> index fffda981d..000000000
> --- a/src/patches/ppp/0014-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch
> +++ /dev/null
> @@ -1,165 +0,0 @@
> -From 2a97ab28ee00586e5f06b3ef3a0e43ea0c7c6499 Mon Sep 17 00:00:00 2001
> -From: Michal Sekletar <msekleta@redhat.com>
> -Date: Mon, 7 Apr 2014 14:21:41 +0200
> -Subject: [PATCH 14/25] everywhere: use SOCK_CLOEXEC when creating socket
> -
> ----
> - pppd/plugins/pppoatm/pppoatm.c          |  2 +-
> - pppd/plugins/pppol2tp/openl2tp.c        |  2 +-
> - pppd/plugins/pppol2tp/pppol2tp.c        |  2 +-
> - pppd/plugins/pppoe/if.c                 |  2 +-
> - pppd/plugins/pppoe/plugin.c             |  6 +++---
> - pppd/plugins/pppoe/pppoe-discovery.c    |  2 +-
> - pppd/sys-linux.c                        | 10 +++++-----
> - pppd/tty.c                              |  2 +-
> - 8 files changed, 14 insertions(+), 14 deletions(-)
> -
> -diff --git a/pppd/plugins/pppoatm/pppoatm.c b/pppd/plugins/pppoatm/pppoatm.c
> -index d693350..c31bb34 100644
> ---- a/pppd/plugins/pppoatm/pppoatm.c
> -+++ b/pppd/plugins/pppoatm/pppoatm.c
> -@@ -135,7 +135,7 @@ static int connect_pppoatm(void)
> - 
> - if (!device_got_set)
> - no_device_given_pppoatm();
> -- fd = socket(AF_ATMPVC, SOCK_DGRAM, 0);
> -+ fd = socket(AF_ATMPVC, SOCK_DGRAM | SOCK_CLOEXEC, 0);
> - if (fd < 0)
> - fatal("failed to create socket: %m");
> - memset(&qos, 0, sizeof qos);
> -diff --git a/pppd/plugins/pppol2tp/openl2tp.c b/pppd/plugins/pppol2tp/openl2tp.c
> -index 9643b96..1099575 100644
> ---- a/pppd/plugins/pppol2tp/openl2tp.c
> -+++ b/pppd/plugins/pppol2tp/openl2tp.c
> -@@ -83,7 +83,7 @@ static int openl2tp_client_create(void)
> - int result;
> - 
> - if (openl2tp_fd < 0) {
> -- openl2tp_fd = socket(PF_UNIX, SOCK_DGRAM, 0);
> -+ openl2tp_fd = socket(PF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0);
> - if (openl2tp_fd < 0) {
> - error("openl2tp connection create: %m");
> - return -ENOTCONN;
> -diff --git a/pppd/plugins/pppol2tp/pppol2tp.c b/pppd/plugins/pppol2tp/pppol2tp.c
> -index a7e3400..e64a778 100644
> ---- a/pppd/plugins/pppol2tp/pppol2tp.c
> -+++ b/pppd/plugins/pppol2tp/pppol2tp.c
> -@@ -208,7 +208,7 @@ static void send_config_pppol2tp(int mtu,
> - struct ifreq ifr;
> - int fd;
> - 
> -- fd = socket(AF_INET, SOCK_DGRAM, 0);
> -+ fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
> - if (fd >= 0) {
> - memset (&ifr, '\0', sizeof (ifr));
> - strlcpy(ifr.ifr_name, ifname, sizeof(ifr.ifr_name));
> -diff --git a/pppd/plugins/pppoe/if.c b/pppd/plugins/pppoe/if.c
> -index 91e9a57..72aba41 100644
> ---- a/pppd/plugins/pppoe/if.c
> -+++ b/pppd/plugins/pppoe/if.c
> -@@ -116,7 +116,7 @@ openInterface(char const *ifname, UINT16_t type, unsigned char *hwaddr)
> -     stype = SOCK_PACKET;
> - #endif
> - 
> --    if ((fd = socket(domain, stype, htons(type))) < 0) {
> -+    if ((fd = socket(domain, stype | SOCK_CLOEXEC, htons(type))) < 0) {
> - /* Give a more helpful message for the common error case */
> - if (errno == EPERM) {
> -    fatal("Cannot create raw socket -- pppoe must be run as root.");
> -diff --git a/pppd/plugins/pppoe/plugin.c b/pppd/plugins/pppoe/plugin.c
> -index a8c2bb4..24bdf8f 100644
> ---- a/pppd/plugins/pppoe/plugin.c
> -+++ b/pppd/plugins/pppoe/plugin.c
> -@@ -137,7 +137,7 @@ PPPOEConnectDevice(void)
> -     /* server equipment).                                                  */
> -     /* Opening this socket just before waitForPADS in the discovery()      */
> -     /* function would be more appropriate, but it would mess-up the code   */
> --    conn->sessionSocket = socket(AF_PPPOX, SOCK_STREAM, PX_PROTO_OE);
> -+    conn->sessionSocket = socket(AF_PPPOX, SOCK_STREAM | SOCK_CLOEXEC, PX_PROTO_OE);
> -     if (conn->sessionSocket < 0) {
> - error("Failed to create PPPoE socket: %m");
> - return -1;
> -@@ -148,7 +148,7 @@ PPPOEConnectDevice(void)
> -     lcp_wantoptions[0].mru = conn->mru;
> - 
> -     /* Update maximum MRU */
> --    s = socket(AF_INET, SOCK_DGRAM, 0);
> -+    s = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
> -     if (s < 0) {
> - error("Can't get MTU for %s: %m", conn->ifName);
> - goto errout;
> -@@ -320,7 +320,7 @@ PPPoEDevnameHook(char *cmd, char **argv, int doit)
> -     }
> - 
> -     /* Open a socket */
> --    if ((fd = socket(PF_PACKET, SOCK_RAW, 0)) < 0) {
> -+    if ((fd = socket(PF_PACKET, SOCK_RAW | SOCK_CLOEXEC, 0)) < 0) {
> - r = 0;
> -     }
> - 
> -diff --git a/pppd/plugins/pppoe/pppoe-discovery.c b/pppd/plugins/pppoe/pppoe-discovery.c
> -index 3d3bf4e..c0d927d 100644
> ---- a/pppd/plugins/pppoe/pppoe-discovery.c
> -+++ b/pppd/plugins/pppoe/pppoe-discovery.c
> -@@ -121,7 +121,7 @@ openInterface(char const *ifname, UINT16_t type, unsigned char *hwaddr)
> -     stype = SOCK_PACKET;
> - #endif
> - 
> --    if ((fd = socket(domain, stype, htons(type))) < 0) {
> -+    if ((fd = socket(domain, stype | SOCK_CLOEXEC, htons(type))) < 0) {
> - /* Give a more helpful message for the common error case */
> - if (errno == EPERM) {
> -    rp_fatal("Cannot create raw socket -- pppoe must be run as root.");
> -diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c
> -index 00a2cf5..0690019 100644
> ---- a/pppd/sys-linux.c
> -+++ b/pppd/sys-linux.c
> -@@ -308,12 +308,12 @@ static int modify_flags(int fd, int clear_bits, int set_bits)
> - void sys_init(void)
> - {
> -     /* Get an internet socket for doing socket ioctls. */
> --    sock_fd = socket(AF_INET, SOCK_DGRAM, 0);
> -+    sock_fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
> -     if (sock_fd < 0)
> - fatal("Couldn't create IP socket: %m(%d)", errno);
> - 
> - #ifdef INET6
> --    sock6_fd = socket(AF_INET6, SOCK_DGRAM, 0);
> -+    sock6_fd = socket(AF_INET6, SOCK_DGRAM | SOCK_CLOEXEC, 0);
> -     if (sock6_fd < 0)
> - sock6_fd = -errno; /* save errno for later */
> - #endif
> -@@ -1857,7 +1857,7 @@ get_if_hwaddr(u_char *addr, char *name)
> - struct ifreq ifreq;
> - int ret, sock_fd;
> - 
> -- sock_fd = socket(AF_INET, SOCK_DGRAM, 0);
> -+ sock_fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
> - if (sock_fd < 0)
> - return 0;
> - memset(&ifreq.ifr_hwaddr, 0, sizeof(struct sockaddr));
> -@@ -2067,7 +2067,7 @@ int ppp_available(void)
> - /*
> -  * Open a socket for doing the ioctl operations.
> -  */
> --    s = socket(AF_INET, SOCK_DGRAM, 0);
> -+    s = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
> -     if (s < 0)
> - return 0;
> - 
> -diff --git a/pppd/tty.c b/pppd/tty.c
> -index bc96695..8e76a5d 100644
> ---- a/pppd/tty.c
> -+++ b/pppd/tty.c
> -@@ -896,7 +896,7 @@ open_socket(dest)
> -     *sep = ':';
> - 
> -     /* get a socket and connect it to the other end */
> --    sock = socket(PF_INET, SOCK_STREAM, 0);
> -+    sock = socket(PF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0);
> -     if (sock < 0) {
> - error("Can't create socket: %m");
> - return -1;
> --- 
> -1.8.3.1
> -
> diff --git a/src/patches/ppp/ppp-2.4.6-increase-max-padi-attempts.patch b/src/patches/ppp/ppp-2.4.6-increase-max-padi-attempts.patch
> deleted file mode 100644
> index 1b36e8369..000000000
> --- a/src/patches/ppp/ppp-2.4.6-increase-max-padi-attempts.patch
> +++ /dev/null
> @@ -1,13 +0,0 @@
> -diff --git a/pppd/plugins/pppoe/pppoe.h b/pppd/plugins/pppoe/pppoe.h
> -index 9ab2eee..86762bd 100644
> ---- a/pppd/plugins/pppoe/pppoe.h
> -+++ b/pppd/plugins/pppoe/pppoe.h
> -@@ -148,7 +148,7 @@ extern UINT16_t Eth_PPPOE_Session;
> - #define STATE_TERMINATED    4
> - 
> - /* How many PADI/PADS attempts? */
> --#define MAX_PADI_ATTEMPTS 3
> -+#define MAX_PADI_ATTEMPTS 4
> - 
> - /* Initial timeout for PADO/PADS */
> - #define PADI_TIMEOUT 5
> diff --git a/src/patches/ppp/ppp-2.4.7-headers_4.9.patch b/src/patches/ppp/ppp-2.4.7-headers_4.9.patch
> deleted file mode 100644
> index 686db9204..000000000
> --- a/src/patches/ppp/ppp-2.4.7-headers_4.9.patch
> +++ /dev/null
> @@ -1,12 +0,0 @@
> -diff -Naur ppp-2.4.7.org/pppd/plugins/pppoe/plugin.c ppp-2.4.7/pppd/plugins/pppoe/plugin.c
> ---- ppp-2.4.7.org/pppd/plugins/pppoe/plugin.c 2014-08-09 14:31:39.000000000 +0200
> -+++ ppp-2.4.7/pppd/plugins/pppoe/plugin.c 2017-02-09 08:45:12.567493723 +0100
> -@@ -49,6 +49,8 @@
> - #include <net/ethernet.h>
> - #include <net/if_arp.h>
> - #include <linux/ppp_defs.h>
> -+#define _LINUX_IN_H
> -+#define _LINUX_IN6_H
> - #include <linux/if_pppox.h>
> - 
> - #ifndef _ROOT_PATH
> diff --git a/src/patches/ppp/ppp-2.4.9-patch-configure-to-handle-cflags-properly.patch b/src/patches/ppp/ppp-2.4.9-patch-configure-to-handle-cflags-properly.patch
> deleted file mode 100644
> index b36ace192..000000000
> --- a/src/patches/ppp/ppp-2.4.9-patch-configure-to-handle-cflags-properly.patch
> +++ /dev/null
> @@ -1,15 +0,0 @@
> ---- ppp-2.4.9.orig/configure 2021-03-30 21:38:27.415735914 +0200
> -+++ ppp-2.4.9/configure 2021-04-01 19:10:48.632314447 +0200
> -@@ -121,9 +121,9 @@
> -     rm -f $2
> -     if [ -f $1 ]; then
> - echo "  $2 <= $1"
> -- sed -e "s,@DESTDIR@,$DESTDIR,g" -e "s,@SYSCONF@,$SYSCONF,g" \
> --    -e "s,@CROSS_COMPILE@,$CROSS_COMPILE,g" -e "s,@CC@,$CC,g" \
> --    -e "s,@CFLAGS@,$CFLAGS,g" $1 >$2
> -+ sed -e "s#@DESTDIR@#$DESTDIR#g" -e "s#@SYSCONF@#$SYSCONF#g" \
> -+    -e "s#@CROSS_COMPILE@#$CROSS_COMPILE#g" -e "s#@CC@#$CC#g" \
> -+    -e "s#@CFLAGS@#$CFLAGS#g" $1 >$2
> -     fi
> - }
> - 
> diff --git a/src/patches/ppp/0012-pppd-we-don-t-want-to-accidentally-leak-fds.patch b/src/patches/ppp/ppp-2.5.0-1-we-don-t-want-to-accidentally-leak-fds.patch
> similarity index 54%
> rename from src/patches/ppp/0012-pppd-we-don-t-want-to-accidentally-leak-fds.patch
> rename to src/patches/ppp/ppp-2.5.0-1-we-don-t-want-to-accidentally-leak-fds.patch
> index 90bb2d161..98ab03119 100644
> --- a/src/patches/ppp/0012-pppd-we-don-t-want-to-accidentally-leak-fds.patch
> +++ b/src/patches/ppp/ppp-2.5.0-1-we-don-t-want-to-accidentally-leak-fds.patch
> @@ -1,20 +1,8 @@
> -From 82cd789df0f022eb6f3d28646e7a61d1d0715805 Mon Sep 17 00:00:00 2001
> -From: Michal Sekletar <msekleta@redhat.com>
> -Date: Mon, 7 Apr 2014 12:23:36 +0200
> -Subject: [PATCH 12/25] pppd: we don't want to accidentally leak fds
> -
> ----
> - pppd/auth.c      | 20 ++++++++++----------
> - pppd/options.c   |  2 +-
> - pppd/sys-linux.c |  4 ++--
> - 3 files changed, 13 insertions(+), 13 deletions(-)
> -
> -diff --git a/pppd/auth.c b/pppd/auth.c
> -index 4271af6..9e957fa 100644
> ---- a/pppd/auth.c
> -+++ b/pppd/auth.c
> -@@ -428,7 +428,7 @@ setupapfile(argv)
> - option_error("unable to reset uid before opening %s: %m", fname);
> +diff -Naur pppd.orig/auth.c pppd/auth.c
> +--- pppd.orig/auth.c 2023-03-25 05:38:30.000000000 +0100
> ++++ pppd/auth.c 2023-06-30 12:38:13.748482796 +0200
> +@@ -518,7 +518,7 @@
> +         free(fname);
>   return 0;
>      }
> -    ufile = fopen(fname, "r");
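
Review bot: The rewritten patch header drops the `From:`, `Date:` and `Subject:` lines of the original patch, so the refreshed file no longer records who wrote the change or what it is for. Please keep a short header above the first `diff -Naur` line naming the original author and subject (`pppd: we don't want to accidentally leak fds`) and noting that it was rebased onto 2.5.0; `patch` skips leading text before the first diff header.
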
> @@ -22,8 +10,8 @@ index 4271af6..9e957fa 100644
>      if (seteuid(euid) == -1)
>   fatal("unable to regain privileges: %m");
>      if (ufile == NULL) {
> -@@ -1413,7 +1413,7 @@ check_passwd(unit, auser, userlen, apasswd, passwdlen, msg)
> -     filename = _PATH_UPAPFILE;
> +@@ -1535,7 +1535,7 @@
> +     filename = PPP_PATH_UPAPFILE;
>      addrs = opts = NULL;
>      ret = UPAP_AUTHNAK;
> -    f = fopen(filename, "r");
> @@ -31,52 +19,52 @@ index 4271af6..9e957fa 100644
>      if (f == NULL) {
>   error("Can't open PAP password file %s: %m", filename);
> 
> -@@ -1512,7 +1512,7 @@ null_login(unit)
> +@@ -1635,7 +1635,7 @@
>      if (ret <= 0) {
> - filename = _PATH_UPAPFILE;
> + filename = PPP_PATH_UPAPFILE;
>   addrs = NULL;
> - f = fopen(filename, "r");
> + f = fopen(filename, "re");
>   if (f == NULL)
>      return 0;
>   check_access(f, filename);
> -@@ -1559,7 +1559,7 @@ get_pap_passwd(passwd)
> +@@ -1681,7 +1681,7 @@
>      }
> 
> -     filename = _PATH_UPAPFILE;
> +     filename = PPP_PATH_UPAPFILE;
> -    f = fopen(filename, "r");
> +    f = fopen(filename, "re");
>      if (f == NULL)
>   return 0;
>      check_access(f, filename);
> -@@ -1597,7 +1597,7 @@ have_pap_secret(lacks_ipp)
> +@@ -1718,7 +1718,7 @@
>      }
> 
> -     filename = _PATH_UPAPFILE;
> +     filename = PPP_PATH_UPAPFILE;
> -    f = fopen(filename, "r");
> +    f = fopen(filename, "re");
>      if (f == NULL)
>   return 0;
> 
> -@@ -1642,7 +1642,7 @@ have_chap_secret(client, server, need_ip, lacks_ipp)
> +@@ -1760,7 +1760,7 @@
>      }
> 
> -     filename = _PATH_CHAPFILE;
> +     filename = PPP_PATH_CHAPFILE;
> -    f = fopen(filename, "r");
> +    f = fopen(filename, "re");
>      if (f == NULL)
>   return 0;
> 
> -@@ -1684,7 +1684,7 @@ have_srp_secret(client, server, need_ip, lacks_ipp)
> +@@ -1798,7 +1798,7 @@
>      struct wordlist *addrs;
> 
> -     filename = _PATH_SRPFILE;
> +     filename = PPP_PATH_SRPFILE;
> -    f = fopen(filename, "r");
> +    f = fopen(filename, "re");
>      if (f == NULL)
>   return 0;
> 
> -@@ -1740,7 +1740,7 @@ get_secret(unit, client, server, secret, secret_len, am_server)
> +@@ -1849,7 +1849,7 @@
>   addrs = NULL;
>   secbuf[0] = 0;
> 
> @@ -85,8 +73,8 @@ index 4271af6..9e957fa 100644
>   if (f == NULL) {
>      error("Can't open chap secret file %s: %m", filename);
>      return 0;
> -@@ -1797,7 +1797,7 @@ get_srp_secret(unit, client, server, secret, am_server)
> - filename = _PATH_SRPFILE;
> +@@ -1902,7 +1902,7 @@
> + filename = PPP_PATH_SRPFILE;
>   addrs = NULL;
> 
> - fp = fopen(filename, "r");
> @@ -94,7 +82,7 @@ index 4271af6..9e957fa 100644
>   if (fp == NULL) {
>      error("Can't open srp secret file %s: %m", filename);
>      return 0;
> -@@ -2203,7 +2203,7 @@ scan_authfile(f, client, server, secret, addrs, opts, filename, flags)
> +@@ -2291,7 +2291,7 @@
>       */
>      if (word[0] == '@' && word[1] == '/') {
>   strlcpy(atfile, word+1, sizeof(atfile));
> @@ -103,12 +91,38 @@ index 4271af6..9e957fa 100644
>      warn("can't open indirect secret file %s", atfile);
>      continue;
>   }
> -diff --git a/pppd/options.c b/pppd/options.c
> -index 45fa742..1d754ae 100644
> ---- a/pppd/options.c
> -+++ b/pppd/options.c
> -@@ -427,7 +427,7 @@ options_from_file(filename, must_exist, check_prot, priv)
> - option_error("unable to drop privileges to open %s: %m", filename);
> +@@ -2461,7 +2461,7 @@
> +     char pkfile[MAXWORDLEN];
> + 
> +     filename = PPP_PATH_EAPTLSSERVFILE;
> +-    f = fopen(filename, "r");
> ++    f = fopen(filename, "re");
> +     if (f == NULL)
> + return 0;
> + 
> +@@ -2518,7 +2518,7 @@
> + return 1;
> + 
> +     filename = PPP_PATH_EAPTLSCLIFILE;
> +-    f = fopen(filename, "r");
> ++    f = fopen(filename, "re");
> +     if (f == NULL)
> + return 0;
> + 
> +@@ -2738,7 +2738,7 @@
> + filename = (am_server ? PPP_PATH_EAPTLSSERVFILE : PPP_PATH_EAPTLSCLIFILE);
> + addrs = NULL;
> + 
> +- fp = fopen(filename, "r");
> ++ fp = fopen(filename, "re");
> + if (fp == NULL)
> + {
> + error("Can't open eap-tls secret file %s: %m", filename);
> +diff -Naur pppd.orig/options.c pppd/options.c
> +--- pppd.orig/options.c 2023-03-25 05:38:30.000000000 +0100
> ++++ pppd/options.c 2023-06-30 12:42:19.262593140 +0200
> +@@ -555,7 +555,7 @@
> + ppp_option_error("unable to drop privileges to open %s: %m", filename);
>   return 0;
>      }
> -    f = fopen(filename, "r");
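
Review bot: The regenerated inner hunk headers here have lost their function names (`@@ -2461,7 +2461,7 @@`, `@@ -2518,7 +2518,7 @@`, `@@ -2738,7 +2738,7 @@`, where the 2.4.9 version had for example `@@ -427,7 +427,7 @@ options_from_file(filename, must_exist, check_prot, priv)`). A reader therefore cannot tell from the patch which functions the three new `fopen(filename, "re")` changes for PPP_PATH_EAPTLSSERVFILE and PPP_PATH_EAPTLSCLIFILE belong to. Regenerating with `diff -Naurp` would keep the enclosing function in each header and make it easier to check that every secrets-file `fopen` in this file is covered.
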
> @@ -116,11 +130,10 @@ index 45fa742..1d754ae 100644
>      err = errno;
>      if (check_prot && seteuid(euid) == -1)
>   fatal("unable to regain privileges");
> -diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c
> -index 72a7727..8a12fa0 100644
> ---- a/pppd/sys-linux.c
> -+++ b/pppd/sys-linux.c
> -@@ -1412,7 +1412,7 @@ static char *path_to_procfs(const char *tail)
> +diff -Naur pppd.orig/sys-linux.c pppd/sys-linux.c
> +--- pppd.orig/sys-linux.c 2023-03-10 02:50:41.000000000 +0100
> ++++ pppd/sys-linux.c 2023-06-30 12:43:20.634453475 +0200
> +@@ -1978,7 +1978,7 @@
>   /* Default the mount location of /proc */
>   strlcpy (proc_path, "/proc", sizeof(proc_path));
>   proc_path_len = 5;
> @@ -129,7 +142,7 @@ index 72a7727..8a12fa0 100644
>   if (fp != NULL) {
>      while ((mntent = getmntent(fp)) != NULL) {
>   if (strcmp(mntent->mnt_type, MNTTYPE_IGNORE) == 0)
> -@@ -1472,7 +1472,7 @@ static int open_route_table (void)
> +@@ -2038,7 +2038,7 @@
>      close_route_table();
> 
>      path = path_to_procfs("/net/route");
> @@ -138,6 +151,12 @@ index 72a7727..8a12fa0 100644
>      if (route_fd == NULL) {
>   error("can't open routing table %s: %m", path);
>   return 0;
> --- 
> -1.8.3.1
> -
> +@@ -2322,7 +2322,7 @@
> +     close_route_table();
> + 
> +     path = path_to_procfs("/net/ipv6_route");
> +-    route_fd = fopen (path, "r");
> ++    route_fd = fopen (path, "re");
> +     if (route_fd == NULL) {
> + error("can't open routing table %s: %m", path);
> + return 0;
> diff --git a/src/patches/ppp/0013-everywhere-O_CLOEXEC-harder.patch b/src/patches/ppp/ppp-2.5.0-2-everywhere-O_CLOEXEC-harder.patch
> similarity index 63%
> rename from src/patches/ppp/0013-everywhere-O_CLOEXEC-harder.patch
> rename to src/patches/ppp/ppp-2.5.0-2-everywhere-O_CLOEXEC-harder.patch
> index 0fb028779..c205c0e08 100644
> --- a/src/patches/ppp/0013-everywhere-O_CLOEXEC-harder.patch
> +++ b/src/patches/ppp/ppp-2.5.0-2-everywhere-O_CLOEXEC-harder.patch
> @@ -1,23 +1,7 @@
> -From 302c1b736cb656c7885a0cba270fd953a672d8a8 Mon Sep 17 00:00:00 2001
> -From: Michal Sekletar <msekleta@redhat.com>
> -Date: Mon, 7 Apr 2014 13:56:34 +0200
> -Subject: [PATCH 13/25] everywhere: O_CLOEXEC harder
> -
> ----
> - pppd/eap.c       |  2 +-
> - pppd/main.c      |  4 ++--
> - pppd/options.c   |  4 ++--
> - pppd/sys-linux.c | 22 +++++++++++-----------
> - pppd/tdb.c       |  4 ++--
> - pppd/tty.c       |  4 ++--
> - pppd/utils.c     |  6 +++---
> - 7 files changed, 23 insertions(+), 23 deletions(-)
> -
> -diff --git a/pppd/eap.c b/pppd/eap.c
> -index 6ea6c1f..faced53 100644
> ---- a/pppd/eap.c
> -+++ b/pppd/eap.c
> -@@ -1226,7 +1226,7 @@ mode_t modebits;
> +diff -Naur pppd.orig/eap.c pppd/eap.c
> +--- pppd.orig/eap.c 2023-03-25 05:38:30.000000000 +0100
> ++++ pppd/eap.c 2023-06-30 12:58:07.984676045 +0200
> +@@ -1542,7 +1542,7 @@
> 
>   if ((path = name_of_pn_file()) == NULL)
>   return (-1);
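
Review bot: The header block removed at the top of this hunk (`From: Michal Sekletar <msekleta@redhat.com>`, `Date: Mon, 7 Apr 2014 13:56:34 +0200`, `Subject: [PATCH 13/25] everywhere: O_CLOEXEC harder`) was the only record in the file of who wrote the patch and where it came from, and the replacement starts directly at `diff -Naur pppd.orig/eap.c pppd/eap.c`. Keeping a short header above the first diff line (original author and subject, plus a line saying it was rebased onto 2.5.0) preserves the attribution; patch skips leading text before the first file header, so it costs nothing at build time.
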
> @@ -26,34 +10,23 @@ index 6ea6c1f..faced53 100644
>   err = errno;
>   free(path);
>   errno = err;
> -diff --git a/pppd/main.c b/pppd/main.c
> -index 87a5d29..152e4a2 100644
> ---- a/pppd/main.c
> -+++ b/pppd/main.c
> -@@ -400,7 +400,7 @@ main(int argc, char *argv[])
> +diff -Naur pppd.orig/main.c pppd/main.c
> +--- pppd.orig/main.c 2023-03-25 05:38:30.000000000 +0100
> ++++ pppd/main.c 2023-06-30 13:00:15.155195676 +0200
> +@@ -479,7 +479,7 @@
>   die(0);
> 
>      /* Make sure fds 0, 1, 2 are open to somewhere. */
> --    fd_devnull = open(_PATH_DEVNULL, O_RDWR);
> -+    fd_devnull = open(_PATH_DEVNULL, O_RDWR | O_CLOEXEC);
> +-    fd_devnull = open(PPP_DEVNULL, O_RDWR);
> ++    fd_devnull = open(PPP_DEVNULL, O_RDWR | O_CLOEXEC);
>      if (fd_devnull < 0)
> - fatal("Couldn't open %s: %m", _PATH_DEVNULL);
> + fatal("Couldn't open %s: %m", PPP_DEVNULL);
>      while (fd_devnull <= 2) {
> -@@ -1642,7 +1642,7 @@ device_script(char *program, int in, int out, int dont_wait)
> -     if (log_to_fd >= 0)
> - errfd = log_to_fd;
> -     else
> -- errfd = open(_PATH_CONNERRS, O_WRONLY | O_APPEND | O_CREAT, 0644);
> -+ errfd = open(_PATH_CONNERRS, O_WRONLY | O_APPEND | O_CREAT | O_CLOEXEC, 0644);
> - 
> -     ++conn_running;
> -     pid = safe_fork(in, out, errfd);
> -diff --git a/pppd/options.c b/pppd/options.c
> -index 1d754ae..8e62635 100644
> ---- a/pppd/options.c
> -+++ b/pppd/options.c
> -@@ -1544,9 +1544,9 @@ setlogfile(argv)
> - option_error("unable to drop permissions to open %s: %m", *argv);
> +diff -Naur pppd.orig/options.c pppd/options.c
> +--- pppd.orig/options.c 2023-06-30 12:42:19.262593140 +0200
> ++++ pppd/options.c 2023-06-30 13:01:58.388323345 +0200
> +@@ -1718,9 +1718,9 @@
> + ppp_option_error("unable to drop permissions to open %s: %m", *argv);
>   return 0;
>      }
> -    fd = open(*argv, O_WRONLY | O_APPEND | O_CREAT | O_EXCL, 0644);
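
Review bot: The main.c part of the patch no longer carries the `device_script` hunk that added O_CLOEXEC to `errfd = open(_PATH_CONNERRS, O_WRONLY | O_APPEND | O_CREAT, 0644);`, and nothing in the 2.5.0 version replaces it, so as far as this diff shows the connect-errors descriptor is now opened without the flag. The commit message only says the file's location is now set by `--with-logfile-dir`. If that open still exists in 2.5.0 under a renamed path macro it needs the same change, and if upstream already sets the flag or the call is gone, a line in the commit message saying so would close the question.
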
> @@ -64,11 +37,10 @@ index 1d754ae..8e62635 100644
>      err = errno;
>      if (!privileged_option && seteuid(euid) == -1)
>   fatal("unable to regain privileges: %m");
> -diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c
> -index 8a12fa0..00a2cf5 100644
> ---- a/pppd/sys-linux.c
> -+++ b/pppd/sys-linux.c
> -@@ -459,7 +459,7 @@ int generic_establish_ppp (int fd)
> +diff -Naur pppd.orig/sys-linux.c pppd/sys-linux.c
> +--- pppd.orig/sys-linux.c 2023-06-30 12:43:20.634453475 +0200
> ++++ pppd/sys-linux.c 2023-06-30 13:11:25.715511251 +0200
> +@@ -666,7 +666,7 @@
>      goto err;
>   }
>   dbglog("using channel %d", chindex);
> @@ -77,7 +49,7 @@ index 8a12fa0..00a2cf5 100644
>   if (fd < 0) {
>      error("Couldn't reopen /dev/ppp: %m");
>      goto err;
> -@@ -619,7 +619,7 @@ static int make_ppp_unit()
> +@@ -904,7 +904,7 @@
>   dbglog("in make_ppp_unit, already had /dev/ppp open?");
>   close(ppp_dev_fd);
>   }
> @@ -86,7 +58,7 @@ index 8a12fa0..00a2cf5 100644
>   if (ppp_dev_fd < 0)
>   fatal("Couldn't open /dev/ppp: %m");
>   flags = fcntl(ppp_dev_fd, F_GETFL);
> -@@ -693,7 +693,7 @@ int bundle_attach(int ifnum)
> +@@ -1025,7 +1025,7 @@
>   if (!new_style_driver)
>   return -1;
> 
> @@ -95,7 +67,7 @@ index 8a12fa0..00a2cf5 100644
>   if (master_fd < 0)
>   fatal("Couldn't open /dev/ppp: %m");
>   if (ioctl(master_fd, PPPIOCATTACH, &ifnum) < 0) {
> -@@ -1715,7 +1715,7 @@ int sifproxyarp (int unit, u_int32_t his_adr)
> +@@ -2533,7 +2533,7 @@
>   if (tune_kernel) {
>      forw_path = path_to_procfs("/sys/net/ipv4/ip_forward");
>      if (forw_path != 0) {
> @@ -104,7 +76,7 @@ index 8a12fa0..00a2cf5 100644
>   if (fd >= 0) {
>      if (write(fd, "1", 1) != 1)
>   error("Couldn't enable IP forwarding: %m");
> -@@ -2030,7 +2030,7 @@ int ppp_available(void)
> +@@ -2878,7 +2878,7 @@
>      sscanf(utsname.release, "%d.%d.%d", &osmaj, &osmin, &ospatch);
>      kernel_version = KVERSION(osmaj, osmin, ospatch);
> 
> @@ -113,7 +85,7 @@ index 8a12fa0..00a2cf5 100644
>      if (fd >= 0) {
>   new_style_driver = 1;
> 
> -@@ -2208,7 +2208,7 @@ void logwtmp (const char *line, const char *name, const char *host)
> +@@ -3056,7 +3056,7 @@
>  #if __GLIBC__ >= 2
>      updwtmp(_PATH_WTMP, &ut);
>  #else
> @@ -122,7 +94,7 @@ index 8a12fa0..00a2cf5 100644
>      if (wtmp >= 0) {
>   flock(wtmp, LOCK_EX);
> 
> -@@ -2394,7 +2394,7 @@ int sifaddr (int unit, u_int32_t our_adr, u_int32_t his_adr,
> +@@ -3280,7 +3280,7 @@
>   int fd;
> 
>   path = path_to_procfs("/sys/net/ipv4/ip_dynaddr");
> @@ -131,7 +103,7 @@ index 8a12fa0..00a2cf5 100644
>      if (write(fd, "1", 1) != 1)
>   error("Couldn't enable dynamic IP addressing: %m");
>      close(fd);
> -@@ -2570,7 +2570,7 @@ get_pty(master_fdp, slave_fdp, slave_name, uid)
> +@@ -3534,7 +3534,7 @@
>      /*
>       * Try the unix98 way first.
>       */
> @@ -140,17 +112,17 @@ index 8a12fa0..00a2cf5 100644
>      if (mfd >= 0) {
>   int ptn;
>   if (ioctl(mfd, TIOCGPTN, &ptn) >= 0) {
> -@@ -2851,7 +2851,8 @@
> +@@ -3545,7 +3545,8 @@
>      if (ioctl(mfd, TIOCSPTLCK, &ptn) < 0)
>   warn("Couldn't unlock pty slave %s: %m", pty_name);
>  #endif
> -    if ((sfd = open(pty_name, O_RDWR | O_NOCTTY)) < 0)
> +
> -+            if ((sfd = open(pty_name, O_RDWR | O_NOCTTY | O_CLOEXEC)) < 0)
> -    {
> ++    if ((sfd = open(pty_name, O_RDWR | O_NOCTTY | O_CLOEXEC)) < 0)
> +    {
>   warn("Couldn't open pty slave %s: %m", pty_name);
> - close(mfd);
> -@@ -2865,10 +2866,10 @@
> + close(mfd);
> +@@ -3559,10 +3560,10 @@
>   for (i = 0; i < 64; ++i) {
>      slprintf(pty_name, sizeof(pty_name), "/dev/pty%c%x",
>       'p' + i / 16, i % 16);
> @@ -161,13 +133,12 @@ index 8a12fa0..00a2cf5 100644
> - sfd = open(pty_name, O_RDWR | O_NOCTTY, 0);
> + sfd = open(pty_name, O_RDWR | O_NOCTTY | O_CLOEXEC, 0);
>   if (sfd >= 0) {
> -    fchown(sfd, uid, -1);
> -    fchmod(sfd, S_IRUSR | S_IWUSR);
> -diff --git a/pppd/tdb.c b/pppd/tdb.c
> -index bdc5828..c7ab71c 100644
> ---- a/pppd/tdb.c
> -+++ b/pppd/tdb.c
> -@@ -1724,7 +1724,7 @@ TDB_CONTEXT *tdb_open_ex(const char *name, int hash_size, int tdb_flags,
> +    ret = fchown(sfd, uid, -1);
> +    if (ret != 0) {
> +diff -Naur pppd.orig/tdb.c pppd/tdb.c
> +--- pppd.orig/tdb.c 2021-07-23 06:41:07.000000000 +0200
> ++++ pppd/tdb.c 2023-06-30 13:12:55.034900600 +0200
> +@@ -1728,7 +1728,7 @@
>   goto internal;
>   }
> 
> @@ -176,7 +147,7 @@ index bdc5828..c7ab71c 100644
>   TDB_LOG((tdb, 5, "tdb_open_ex: could not open file %s: %s\n",
>   name, strerror(errno)));
>   goto fail; /* errno set by open(2) */
> -@@ -1967,7 +1967,7 @@ int tdb_reopen(TDB_CONTEXT *tdb)
> +@@ -1971,7 +1971,7 @@
>   }
>   if (close(tdb->fd) != 0)
>   TDB_LOG((tdb, 0, "tdb_reopen: WARNING closing tdb->fd failed!\n"));
> @@ -185,12 +156,11 @@ index bdc5828..c7ab71c 100644
>   if (tdb->fd == -1) {
>   TDB_LOG((tdb, 0, "tdb_reopen: open failed (%s)\n", strerror(errno)));
>   goto fail;
> -diff --git a/pppd/tty.c b/pppd/tty.c
> -index d571b11..bc96695 100644
> ---- a/pppd/tty.c
> -+++ b/pppd/tty.c
> -@@ -569,7 +569,7 @@ int connect_tty()
> - status = EXIT_OPEN_FAILED;
> +diff -Naur pppd.orig/tty.c pppd/tty.c
> +--- pppd.orig/tty.c 2023-03-25 05:38:30.000000000 +0100
> ++++ pppd/tty.c 2023-06-30 13:14:06.450418113 +0200
> +@@ -621,7 +621,7 @@
> + ppp_set_status(EXIT_OPEN_FAILED);
>   goto errret;
>   }
> - real_ttyfd = open(devnam, O_NONBLOCK | O_RDWR, 0);
> @@ -198,7 +168,7 @@ index d571b11..bc96695 100644
>   err = errno;
>   if (prio < OPRIO_ROOT && seteuid(0) == -1)
>   fatal("Unable to regain privileges");
> -@@ -723,7 +723,7 @@ int connect_tty()
> +@@ -775,7 +775,7 @@
>   if (connector == NULL && modem && devnam[0] != 0) {
>   int i;
>   for (;;) {
> @@ -207,12 +177,11 @@ index d571b11..bc96695 100644
>   break;
>   if (errno != EINTR) {
>   error("Failed to reopen %s: %m", devnam);
> -diff --git a/pppd/utils.c b/pppd/utils.c
> -index 29bf970..6051b9a 100644
> ---- a/pppd/utils.c
> -+++ b/pppd/utils.c
> -@@ -918,14 +918,14 @@ lock(dev)
> -     slprintf(lock_file, sizeof(lock_file), "%s/LCK..%s", LOCK_DIR, dev);
> +diff -Naur pppd.orig/utils.c pppd/utils.c
> +--- pppd.orig/utils.c 2022-12-30 02:12:39.000000000 +0100
> ++++ pppd/utils.c 2023-06-30 13:15:47.860182369 +0200
> +@@ -843,14 +843,14 @@
> +     slprintf(lock_file, sizeof(lock_file), "%s/LCK..%s", PPP_PATH_LOCKDIR, dev);
>  #endif
> 
> -    while ((fd = open(lock_file, O_EXCL | O_CREAT | O_RDWR, 0644)) < 0) {
> @@ -228,7 +197,7 @@ index 29bf970..6051b9a 100644
>   if (fd < 0) {
>      if (errno == ENOENT) /* This is just a timing problem. */
>   continue;
> -@@ -1004,7 +1004,7 @@ relock(pid)
> +@@ -933,7 +933,7 @@
> 
>      if (lock_file[0] == 0)
>   return -1;
> @@ -237,6 +206,3 @@ index 29bf970..6051b9a 100644
>      if (fd < 0) {
>   error("Couldn't reopen lock file %s: %m", lock_file);
>   lock_file[0] = 0;
> --- 
> -1.8.3.1
> -
> diff --git a/src/patches/ppp/ppp-2.5.0-3-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch b/src/patches/ppp/ppp-2.5.0-3-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch
> new file mode 100644
> index 000000000..cfd72e468
> --- /dev/null
> +++ b/src/patches/ppp/ppp-2.5.0-3-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch
> @@ -0,0 +1,135 @@
> +diff -Naur pppd.orig/plugins/pppoatm/pppoatm.c pppd/plugins/pppoatm/pppoatm.c
> +--- pppd.orig/plugins/pppoatm/pppoatm.c 2023-03-25 05:38:30.000000000 +0100
> ++++ pppd/plugins/pppoatm/pppoatm.c 2023-06-30 13:21:33.397378347 +0200
> +@@ -146,7 +146,7 @@
> + 
> + if (!device_got_set)
> + no_device_given_pppoatm();
> +- fd = socket(AF_ATMPVC, SOCK_DGRAM, 0);
> ++ fd = socket(AF_ATMPVC, SOCK_DGRAM | SOCK_CLOEXEC, 0);
> + if (fd < 0)
> + fatal("failed to create socket: %m");
> + memset(&qos, 0, sizeof qos);
> +diff -Naur pppd.orig/plugins/pppoe/if.c pppd/plugins/pppoe/if.c
> +--- pppd.orig/plugins/pppoe/if.c 2022-12-30 02:12:39.000000000 +0100
> ++++ pppd/plugins/pppoe/if.c 2023-06-30 13:24:11.372183452 +0200
> +@@ -116,7 +116,7 @@
> +     stype = SOCK_PACKET;
> + #endif
> + 
> +-    if ((fd = socket(domain, stype, htons(type))) < 0) {
> ++    if ((fd = socket(domain, stype | SOCK_CLOEXEC, htons(type))) < 0) {
> + /* Give a more helpful message for the common error case */
> + if (errno == EPERM) {
> +    fatal("Cannot create raw socket -- pppoe must be run as root.");
> +diff -Naur pppd.orig/plugins/pppoe/plugin.c pppd/plugins/pppoe/plugin.c
> +--- pppd.orig/plugins/pppoe/plugin.c 2023-03-25 05:38:30.000000000 +0100
> ++++ pppd/plugins/pppoe/plugin.c 2023-06-30 13:25:58.798782323 +0200
> +@@ -155,7 +155,7 @@
> +     /* server equipment).                                                  */
> +     /* Opening this socket just before waitForPADS in the discovery()      */
> +     /* function would be more appropriate, but it would mess-up the code   */
> +-    conn->sessionSocket = socket(AF_PPPOX, SOCK_STREAM, PX_PROTO_OE);
> ++    conn->sessionSocket = socket(AF_PPPOX, SOCK_STREAM | SOCK_CLOEXEC, PX_PROTO_OE);
> +     if (conn->sessionSocket < 0) {
> + error("Failed to create PPPoE socket: %m");
> + return -1;
> +@@ -166,7 +166,7 @@
> +     lcp_wantoptions[0].mru = conn->mru = conn->storedmru;
> + 
> +     /* Update maximum MRU */
> +-    s = socket(AF_INET, SOCK_DGRAM, 0);
> ++    s = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
> +     if (s < 0) {
> + error("Can't get MTU for %s: %m", conn->ifName);
> + goto errout;
> +@@ -364,7 +364,7 @@
> +     }
> + 
> +     /* Open a socket */
> +-    if ((fd = socket(PF_PACKET, SOCK_RAW, 0)) < 0) {
> ++    if ((fd = socket(PF_PACKET, SOCK_RAW | SOCK_CLOEXEC, 0)) < 0) {
> + r = 0;
> +     }
> + 
> +diff -Naur pppd.orig/plugins/pppol2tp/openl2tp.c pppd/plugins/pppol2tp/openl2tp.c
> +--- pppd.orig/plugins/pppol2tp/openl2tp.c 2023-03-10 02:50:41.000000000 +0100
> ++++ pppd/plugins/pppol2tp/openl2tp.c 2023-06-30 13:22:30.055768865 +0200
> +@@ -93,7 +93,7 @@
> + int result;
> + 
> + if (openl2tp_fd < 0) {
> +- openl2tp_fd = socket(PF_UNIX, SOCK_DGRAM, 0);
> ++ openl2tp_fd = socket(PF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0);
> + if (openl2tp_fd < 0) {
> + error("openl2tp connection create: %m");
> + return -ENOTCONN;
> +diff -Naur pppd.orig/plugins/pppol2tp/pppol2tp.c pppd/plugins/pppol2tp/pppol2tp.c
> +--- pppd.orig/plugins/pppol2tp/pppol2tp.c 2022-12-30 02:12:39.000000000 +0100
> ++++ pppd/plugins/pppol2tp/pppol2tp.c 2023-06-30 13:23:13.493756755 +0200
> +@@ -220,7 +220,7 @@
> + struct ifreq ifr;
> + int fd;
> + 
> +- fd = socket(AF_INET, SOCK_DGRAM, 0);
> ++ fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
> + if (fd >= 0) {
> + memset (&ifr, '\0', sizeof (ifr));
> + ppp_get_ifname(ifr.ifr_name, sizeof(ifr.ifr_name));
> +diff -Naur pppd.orig/sys-linux.c pppd/sys-linux.c
> +--- pppd.orig/sys-linux.c 2023-06-30 13:11:25.715511251 +0200
> ++++ pppd/sys-linux.c 2023-06-30 13:32:50.021272249 +0200
> +@@ -499,12 +499,12 @@
> + void sys_init(void)
> + {
> +     /* Get an internet socket for doing socket ioctls. */
> +-    sock_fd = socket(AF_INET, SOCK_DGRAM, 0);
> ++    sock_fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
> +     if (sock_fd < 0)
> + fatal("Couldn't create IP socket: %m(%d)", errno);
> + 
> + #ifdef PPP_WITH_IPV6CP
> +-    sock6_fd = socket(AF_INET6, SOCK_DGRAM, 0);
> ++    sock6_fd = socket(AF_INET6, SOCK_DGRAM | SOCK_CLOEXEC, 0);
> +     if (sock6_fd < 0)
> + sock6_fd = -errno; /* save errno for later */
> + #endif
> +@@ -2675,7 +2675,7 @@
> + struct ifreq ifreq;
> + int ret, sock_fd;
> + 
> +- sock_fd = socket(AF_INET, SOCK_DGRAM, 0);
> ++ sock_fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
> + if (sock_fd < 0)
> + return -1;
> + memset(&ifreq.ifr_hwaddr, 0, sizeof(struct sockaddr));
> +@@ -2698,7 +2698,7 @@
> + struct ifreq ifreq;
> + int ret, sock_fd;
> + 
> +- sock_fd = socket(AF_INET, SOCK_DGRAM, 0);
> ++ sock_fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
> + if (sock_fd < 0)
> + return -1;
> + 
> +@@ -2915,7 +2915,7 @@
> + /*
> +  * Open a socket for doing the ioctl operations.
> +  */
> +-    s = socket(AF_INET, SOCK_DGRAM, 0);
> ++    s = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
> +     if (s < 0)
> + return 0;
> + 
> +diff -Naur pppd.orig/tty.c pppd/tty.c
> +--- pppd.orig/tty.c 2023-06-30 13:14:06.450418113 +0200
> ++++ pppd/tty.c 2023-06-30 13:33:31.285858278 +0200
> +@@ -942,7 +942,7 @@
> +     *sep = ':';
> + 
> +     /* get a socket and connect it to the other end */
> +-    sock = socket(PF_INET, SOCK_STREAM, 0);
> ++    sock = socket(PF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0);
> +     if (sock < 0) {
> + error("Can't create socket: %m");
> + return -1;
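
Review bot: The file paths in this new patch are rooted inside the pppd directory (`pppd.orig/plugins/pppoatm/pppoatm.c`, `pppd.orig/sys-linux.c`, `pppd.orig/tty.c`), whereas the 2.4.9 patches used `a/pppd/...` paths and were applied in lfs/ppp with `cd $(DIR_APP) && patch -Np1`. With `-p1` from `$(DIR_APP)` the new paths resolve to `plugins/pppoatm/pppoatm.c` and `sys-linux.c`, one level too high compared with the old `pppd/...` locations, so the lfs/ppp line for this patch has to run from `$(DIR_APP)/pppd`. Alternatively, regenerate the patch from the top level like `ppp-2.5.0-6`, which uses `ppp-2.5.0.orig/configure`. One common root for all six patches would avoid the mix.
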
> diff --git a/src/patches/ppp/ppp-2.5.0-4-increase-max-padi-attempts.patch b/src/patches/ppp/ppp-2.5.0-4-increase-max-padi-attempts.patch
> new file mode 100644
> index 000000000..002b6066d
> --- /dev/null
> +++ b/src/patches/ppp/ppp-2.5.0-4-increase-max-padi-attempts.patch
> @@ -0,0 +1,12 @@
> +diff -Naur pppd.orig/plugins/pppoe/pppoe.h pppd/plugins/pppoe/pppoe.h
> +--- pppd.orig/plugins/pppoe/pppoe.h 2022-12-30 02:12:39.000000000 +0100
> ++++ pppd/plugins/pppoe/pppoe.h 2023-06-30 13:37:07.189078090 +0200
> +@@ -143,7 +143,7 @@
> + #define STATE_TERMINATED    4
> + 
> + /* How many PADI/PADS attempts? */
> +-#define MAX_PADI_ATTEMPTS 3
> ++#define MAX_PADI_ATTEMPTS 4
> + 
> + /* Initial timeout for PADO/PADS */
> + #define PADI_TIMEOUT 5
> diff --git a/src/patches/ppp/ppp-2.5.0-5-headers_4.9.patch b/src/patches/ppp/ppp-2.5.0-5-headers_4.9.patch
> new file mode 100644
> index 000000000..dc6c22852
> --- /dev/null
> +++ b/src/patches/ppp/ppp-2.5.0-5-headers_4.9.patch
> @@ -0,0 +1,12 @@
> +diff -Naur pppd.orig/plugins/pppoe/plugin.c pppd/plugins/pppoe/plugin.c
> +--- pppd.orig/plugins/pppoe/plugin.c 2023-06-30 13:25:58.798782323 +0200
> ++++ pppd/plugins/pppoe/plugin.c 2023-06-30 13:50:23.150026201 +0200
> +@@ -46,6 +46,8 @@
> + #include <signal.h>
> + #include <net/if_arp.h>
> + #include <linux/ppp_defs.h>
> ++#define _LINUX_IN_H
> ++#define _LINUX_IN6_H
> + #include <linux/if_pppox.h>
> + 
> + #include <pppd/pppd.h>
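
Review bot: The two added lines `#define _LINUX_IN_H` and `#define _LINUX_IN6_H` pre-define the include guards of linux/in.h and linux/in6.h, so anything `<linux/if_pppox.h>` would pull in from those headers is silently skipped for the rest of plugin.c, and the patch gives no reason beyond its `headers_4.9` file name. Please confirm that plugin.c still fails to build without them against the kernel headers IPFire ships now. If it does, a comment above the defines naming the conflict would document why the workaround stays; if it does not, the patch can be dropped.
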
> diff --git a/src/patches/ppp/ppp-2.5.0-6-patch-configure-to-handle-cflags-properly.patch b/src/patches/ppp/ppp-2.5.0-6-patch-configure-to-handle-cflags-properly.patch
> new file mode 100644
> index 000000000..0e9eab6ed
> --- /dev/null
> +++ b/src/patches/ppp/ppp-2.5.0-6-patch-configure-to-handle-cflags-properly.patch
> @@ -0,0 +1,18 @@
> +diff -Naur ppp-2.5.0.orig/configure ppp-2.5.0/configure
> +--- ppp-2.5.0.orig/configure 2023-03-25 05:38:36.000000000 +0100
> ++++ ppp-2.5.0/configure 2023-06-30 14:05:14.773950477 +0200
> +@@ -17774,10 +17774,10 @@
> +         rm -f $2
> +         if [ -f $1 ]; then
> +             echo "  $2 <= $1"
> +-            sed -e "s,@DESTDIR@,$prefix,g" \
> +-                -e "s,@SYSCONF@,$sysconfdir,g" \
> +-                -e "s,@CC@,$CC,g" \
> +-                -e "s|@CFLAGS@|$CFLAGS|g" $1 > $2
> ++            sed -e "s#@DESTDIR@#$prefix#g" \
> ++                -e "s#@SYSCONF@#$sysconfdir#g" \
> ++                -e "s#@CC@#$CC#g" \
> ++                -e "s#@CFLAGS@#$CFLAGS#g" $1 > $2
> +         fi
> +     }
> + 
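
Review bot: This hunk edits the generated `configure` script at line 17774 rather than the input it is generated from, so it has to be re-diffed whenever upstream regenerates configure, and the patch file has no description saying which value broke the original `,` and `|` delimiters. A one-line header stating that, and that `#` must then never appear in `$prefix`, `$sysconfdir`, `$CC` or `$CFLAGS`, would document the assumption the new expressions rely on.
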
> -- 
> 2.41.0
>
  
Adolf Belka July 3, 2023, 3:37 p.m. UTC | #2
Hi Michael,

On 03/07/2023 16:11, Michael Tremer wrote:
> Hello Adolf,
> 
> This might be a tricky version update...
I will work on it till everyone is happy to move forward with it.
> 
>> On 2 Jul 2023, at 10:54, Adolf Belka <adolf.belka@ipfire.org> wrote:
>>
>> - Update from version 2.4.9 to 2.5.0
>>    This includes breaking changes for third-party plugins but as far as I can see IPFire
>>     is not using any third party plugins
> 
> No, we should no longer build the Roaring Penguin PPPoE plugin from their source, but use the included one.
In the ppp-2.4.9 there was a pppoe.so and rp-pppoe.so library. In the 
ppp-2.5.0 there is only the pppoe.so library so it looks like the 
roaring penguin plugin is removed by default now.

In the RED initscript there is a section which specifies the rp-pppoe.so 
lib as the plugin to use

364	## Plugin Options
365	#
366	if [ "$TYPE" == "pppoe" ]; then
367	        [ "${METHOD}" == "PPPOE_PLUGIN" ] && \
368	                PLUGOPTS="plugin rp-pppoe.so"
369	fi

Does line 368 need to be changed to PLUGOPTS="plugin pppoe.so" or what?

rp-pppoe is not referenced anywhere else in IPFire that I have been able 
to find.

> 
>> - Update of rootfile
>> - Update of patches and sed commands
>>    - pcap-int.h and if_pppol2tp.h files have not been in source file since at least 2014
>>    - Some of the patches required updates as additional lines needing to be patched are
>>       now present. This was related to the O_CLOEXEC & SOCK_CLOEXEC related patches
> 
> Yes, these can go. We should be able to rely on upstream to build this for modern OSes.
So I should remove the two patch files that are related to CLOEXEC but 
still keep the others - correct?
> 
>>    - connect-errors file location is now defined by a configure command --with-logfile-dir
>> - install-etcppp is no longer provided. However the install command in this version still
>>    has the same files available in /etc/ppp as previously. There is a new file,
>>    openssl.cnf, which I have commented out. If it is required in future it can always be
>>    uncommented in future releases.
>> - Build went without any problems with the updated patches.
>> - I cannot test this as I don't use ppp, however the original bug reporter has agreed to
>>    test this out when it is released into Testing unless anyone else is capable of testing
>>    it.
> 
> So, we didn’t have any issues with this in the past, but however, if we break this, then people won’t have an Internet connection any more to download any fixes. So let’s please make sure that we give this all extra attention and this won’t happen.
> 
> Sadly, I don’t have a PPP connection either.
> 
> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
> 
>> - Changelog
>>     What's new in ppp-2.5.0.
>> The 2.5.0 release is a major release of pppd which contains breaking
>> changes for third-party plugins, a complete revamp of the build-system
>> and that allows for flexibility of configuring features as needed.
>> In Summary:
>> * Support for PEAP authentication by Eivind Næss and Rustam Kovhaev
>> * Support for loading PKCS12 certificate envelopes
>> * Adoption of GNU Autoconf / Automake build environment, by Eivind Næss
>>   and others.
>> * Support for pkgconfig tool has been added by Eivind Næss.
>> * Bunch of fixes and cleanup to PPPoE and IPv6 support by Pali Rohár.
>> * Major revision to PPPD's Plugin API by Eivind Næss.
>>   - Defines in which describes what features was included in pppd
>>   - Functions now prefixed with explicit ppp_* to indicate that
>>     pppd functions being called.
>>   - Header files were renamed to better align with their features,
>>     and now use proper include guards
>>   - A pppdconf.h file is supplied to allow third-party modules to use
>>     the same feature defines pppd was compiled with.
>>   - No extern declarations of internal variable names of pppd,
>>     continued use of these extern variables are considered
>>     unstable.
>> * Lots of internal fixes and cleanups for Radius and PPPoE by Jaco Kroon
>> * Dropped IPX support, as Linux has dropped support in version 5.15
>>   for this protocol.
>> * Many more fixes and cleanups.
>> * Pppd is no longer installed setuid-root.
> 
> CAP_NET_ADMIN should be sufficient. We will however still run pppd as root only.
Is CAP_NET_ADMIN used by default with pppd or do I need to change 
something for this?
> 
>> * New pppd options:
>>   - ipv6cp-noremote, ipv6cp-nosend, ipv6cp-use-remotenumber,
>>     ipv6-up-script, ipv6-down-script
>>   - -v, show-options
>>   - usepeerwins, ipcp-no-address, ipcp-no-addresses, nosendip
>> * On Linux, any baud rate can be set on a serial port provided the
>>   kernel serial driver supports that.
>> Note that if you have built and installed previous versions of this
>> package and you want to continue having configuration and TDB files in
>> /etc/ppp, you will need to use the --sysconfdir option to ./configure.
>> For a list of the changes made during the 2.4 series releases of this
>> package, see the Changes-2.4 file.
>> Compression methods.
>> This package supports two packet compression methods: Deflate and
>> BSD-Compress.  Other compression methods which are in common use
>> include Predictor, LZS, and MPPC.  These methods are not supported for
>> two reasons - they are patent-encumbered, and they cause some packets
>> to expand slightly, which pppd doesn't currently allow for.
>> BSD-Compress and Deflate (which uses the same algorithm as gzip) don't
>> ever expand packets.
> 
> -Michael
> 
>> Fixes: bug#13164
>> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
>> ---
>> config/rootfiles/common/ppp                   |  58 +++---
>> lfs/ppp                                       |  28 +--
>> ...se-SOCK_CLOEXEC-when-creating-socket.patch | 165 ------------------
>> ...ppp-2.4.6-increase-max-padi-attempts.patch |  13 --
>> src/patches/ppp/ppp-2.4.7-headers_4.9.patch   |  12 --
>> ...-configure-to-handle-cflags-properly.patch |  15 --
>> ...don-t-want-to-accidentally-leak-fds.patch} | 115 +++++++-----
>> ...2.5.0-2-everywhere-O_CLOEXEC-harder.patch} | 136 ++++++---------
>> ...se-SOCK_CLOEXEC-when-creating-socket.patch | 135 ++++++++++++++
>> ...p-2.5.0-4-increase-max-padi-attempts.patch |  12 ++
>> src/patches/ppp/ppp-2.5.0-5-headers_4.9.patch |  12 ++
>> ...-configure-to-handle-cflags-properly.patch |  18 ++
>> 12 files changed, 344 insertions(+), 375 deletions(-)
>> delete mode 100644 src/patches/ppp/0014-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch
>> delete mode 100644 src/patches/ppp/ppp-2.4.6-increase-max-padi-attempts.patch
>> delete mode 100644 src/patches/ppp/ppp-2.4.7-headers_4.9.patch
>> delete mode 100644 src/patches/ppp/ppp-2.4.9-patch-configure-to-handle-cflags-properly.patch
>> rename src/patches/ppp/{0012-pppd-we-don-t-want-to-accidentally-leak-fds.patch => ppp-2.5.0-1-we-don-t-want-to-accidentally-leak-fds.patch} (54%)
>> rename src/patches/ppp/{0013-everywhere-O_CLOEXEC-harder.patch => ppp-2.5.0-2-everywhere-O_CLOEXEC-harder.patch} (63%)
>> create mode 100644 src/patches/ppp/ppp-2.5.0-3-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch
>> create mode 100644 src/patches/ppp/ppp-2.5.0-4-increase-max-padi-attempts.patch
>> create mode 100644 src/patches/ppp/ppp-2.5.0-5-headers_4.9.patch
>> create mode 100644 src/patches/ppp/ppp-2.5.0-6-patch-configure-to-handle-cflags-properly.patch
>>
>> diff --git a/config/rootfiles/common/ppp b/config/rootfiles/common/ppp
>> index d61fdf811..6098fa7c3 100644
>> --- a/config/rootfiles/common/ppp
>> +++ b/config/rootfiles/common/ppp
>> @@ -7,49 +7,57 @@ etc/ppp/dialer
>> etc/ppp/ioptions
>> etc/ppp/ip-down
>> etc/ppp/ip-up
>> +#etc/ppp/openssl.cnf
>> etc/ppp/options
>> etc/ppp/pap-secrets
>> etc/ppp/standardloginscript
>> #usr/include/pppd
>> +#usr/include/pppd/cbcp.h
>> #usr/include/pppd/ccp.h
>> -#usr/include/pppd/chap-new.h
>> +#usr/include/pppd/chap.h
>> #usr/include/pppd/chap_ms.h
>> -#usr/include/pppd/eap-tls.h
>> +#usr/include/pppd/crypto.h
>> +#usr/include/pppd/crypto_ms.h
>> #usr/include/pppd/eap.h
>> #usr/include/pppd/ecp.h
>> #usr/include/pppd/eui64.h
>> #usr/include/pppd/fsm.h
>> #usr/include/pppd/ipcp.h
>> #usr/include/pppd/ipv6cp.h
>> -#usr/include/pppd/ipxcp.h
>> #usr/include/pppd/lcp.h
>> #usr/include/pppd/magic.h
>> -#usr/include/pppd/md4.h
>> -#usr/include/pppd/md5.h
>> #usr/include/pppd/mppe.h
>> -#usr/include/pppd/patchlevel.h
>> -#usr/include/pppd/pathnames.h
>> -#usr/include/pppd/pppcrypt.h
>> +#usr/include/pppd/multilink.h
>> +#usr/include/pppd/options.h
>> #usr/include/pppd/pppd.h
>> +#usr/include/pppd/pppdconf.h
>> #usr/include/pppd/session.h
>> -#usr/include/pppd/sha1.h
>> -#usr/include/pppd/spinlock.h
>> -#usr/include/pppd/tdb.h
>> #usr/include/pppd/upap.h
>> +#usr/lib/pkgconfig/pppd.pc
>> usr/lib/pppd
>> -usr/lib/pppd/2.4.9
>> -usr/lib/pppd/2.4.9/minconn.so
>> -usr/lib/pppd/2.4.9/openl2tp.so
>> -usr/lib/pppd/2.4.9/passprompt.so
>> -usr/lib/pppd/2.4.9/passwordfd.so
>> -usr/lib/pppd/2.4.9/pppoatm.so
>> -usr/lib/pppd/2.4.9/pppoe.so
>> -usr/lib/pppd/2.4.9/pppol2tp.so
>> -usr/lib/pppd/2.4.9/radattr.so
>> -usr/lib/pppd/2.4.9/radius.so
>> -usr/lib/pppd/2.4.9/radrealms.so
>> -usr/lib/pppd/2.4.9/rp-pppoe.so
>> -usr/lib/pppd/2.4.9/winbind.so
>> +usr/lib/pppd/2.5.0
>> +#usr/lib/pppd/2.5.0/minconn.la
>> +usr/lib/pppd/2.5.0/minconn.so
>> +#usr/lib/pppd/2.5.0/openl2tp.la
>> +usr/lib/pppd/2.5.0/openl2tp.so
>> +#usr/lib/pppd/2.5.0/passprompt.la
>> +usr/lib/pppd/2.5.0/passprompt.so
>> +#usr/lib/pppd/2.5.0/passwordfd.la
>> +usr/lib/pppd/2.5.0/passwordfd.so
>> +#usr/lib/pppd/2.5.0/pppoatm.la
>> +usr/lib/pppd/2.5.0/pppoatm.so
>> +#usr/lib/pppd/2.5.0/pppoe.la
>> +usr/lib/pppd/2.5.0/pppoe.so
>> +#usr/lib/pppd/2.5.0/pppol2tp.la
>> +usr/lib/pppd/2.5.0/pppol2tp.so
>> +#usr/lib/pppd/2.5.0/radattr.la
>> +usr/lib/pppd/2.5.0/radattr.so
>> +#usr/lib/pppd/2.5.0/radius.la
>> +usr/lib/pppd/2.5.0/radius.so
>> +#usr/lib/pppd/2.5.0/radrealms.la
>> +usr/lib/pppd/2.5.0/radrealms.so
>> +#usr/lib/pppd/2.5.0/winbind.la
>> +usr/lib/pppd/2.5.0/winbind.so
>> usr/sbin/chat
>> usr/sbin/pppd
>> usr/sbin/pppdump
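
Review bot: The rootfile drops `usr/lib/pppd/2.4.9/rp-pppoe.so` and adds no 2.5.0 counterpart, only `usr/lib/pppd/2.5.0/pppoe.so`, yet none of the 12 files in the diffstat is the RED initscript, which (as quoted earlier in this reply) still sets `PLUGOPTS="plugin rp-pppoe.so"` when METHOD is PPPOE_PLUGIN. That line needs to change to the plugin name that is actually shipped, in the same commit, otherwise pppd is started with a plugin that is no longer installed.
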
>> @@ -60,5 +68,7 @@ usr/sbin/pppstats
>> #usr/share/man/man8/pppd-radius.8
>> #usr/share/man/man8/pppd.8
>> #usr/share/man/man8/pppdump.8
>> +#usr/share/man/man8/pppoe-discovery.8
>> #usr/share/man/man8/pppstats.8
>> var/log/connect-errors
>> +
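
Review bot: The last added line of this hunk is an empty line after `var/log/connect-errors`, which leaves a blank entry at the end of the rootfile. It should be dropped so the file still ends on the last path.
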
>> diff --git a/lfs/ppp b/lfs/ppp
>> index fb46d8aac..fc4528ece 100644
>> --- a/lfs/ppp
>> +++ b/lfs/ppp
>> @@ -1,7 +1,7 @@
>> ###############################################################################
>> #                                                                             #
>> # IPFire.org - A linux based firewall                                         #
>> -# Copyright (C) 2007-2021  IPFire Team  <info@ipfire.org>                     #
>> +# Copyright (C) 2007-2023  IPFire Team  <info@ipfire.org>                     #
>> #                                                                             #
>> # This program is free software: you can redistribute it and/or modify        #
>> # it under the terms of the GNU General Public License as published by        #
>> @@ -24,7 +24,7 @@
>>
>> include Config
>>
>> -VER        = 2.4.9
>> +VER        = 2.5.0
>>
>> THISAPP    = ppp-$(VER)
>> DL_FILE    = $(THISAPP).tar.gz
>> @@ -42,7 +42,7 @@ objects = $(DL_FILE)
>>
>> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>>
>> -$(DL_FILE)_BLAKE2 = 2cc885c32b7d33dc48766097f1f4c9cd0754924a8c0630ccaa58b2989e6b43a197ca0d41f5f16956c395278a12023d490e085f5635e23b53c5603ba61cfc40d5
>> +$(DL_FILE)_BLAKE2 = 6a0e9efcbff3cb499705071cc7d0e3411cf4871fd53b2bfedbb1f2cf3ad80728eb436050cf33b78e36d473be64f15907a21da17f283337455f0af379bc18272d
>>
>> install : $(TARGET)
>>
>> @@ -72,18 +72,20 @@ $(subst %,%_BLAKE2,$(objects)) :
>> $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>> @$(PREBUILD)
>> @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
>> - cd $(DIR_APP) && rm -f include/pcap-int.h include/linux/if_pppol2tp.h
>> - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/0012-pppd-we-don-t-want-to-accidentally-leak-fds.patch
>> - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/0013-everywhere-O_CLOEXEC-harder.patch
>> - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/0014-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch
>> - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/ppp-2.4.6-increase-max-padi-attempts.patch
>> - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/ppp-2.4.7-headers_4.9.patch
>> - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/ppp-2.4.9-patch-configure-to-handle-cflags-properly.patch
>> - cd $(DIR_APP) && sed -i -e "s+/etc/ppp/connect-errors+/var/log/connect-errors+" pppd/pathnames.h
>> - cd $(DIR_APP) && ./configure --prefix=/usr --cc="gcc" --cflags="$(CFLAGS)" --disable-nls
>> + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/ppp/ppp-2.5.0-1-we-don-t-want-to-accidentally-leak-fds.patch
>> + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/ppp/ppp-2.5.0-2-everywhere-O_CLOEXEC-harder.patch
>> + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/ppp/ppp-2.5.0-3-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch
>> + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/ppp/ppp-2.5.0-4-increase-max-padi-attempts.patch
>> + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/ppp/ppp-2.5.0-5-headers_4.9.patch
>> + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/ppp-2.5.0-6-patch-configure-to-handle-cflags-properly.patch
>> + cd $(DIR_APP) && ./configure \
>> + --prefix=/usr \
>> + --sysconfdir=/etc \
>> + --with-logfile-dir=/var/log \
>> + cc="gcc" \
>> + cflags="$(CFLAGS)"
>> cd $(DIR_APP) && make $(MAKETUNING)
>> cd $(DIR_APP) && make install
>> - cd $(DIR_APP) && make install-etcppp
>> touch /var/log/connect-errors
>> -mkdir -p /etc/ppp
>> for i in $(DIR_SRC)/src/ppp/* ; do \
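
Review bot: the last two arguments of the new ./configure call are spelled cc="gcc" and cflags="$(CFLAGS)". The old call passed them as --cc= and --cflags= options to the previous configure script. The commit message says 2.5.0 has moved to GNU Autoconf, and an Autoconf-generated configure reads the upper-case variables CC and CFLAGS, so these lower-case assignments set variables that nothing consumes. Suggest CC="gcc" CFLAGS="$(CFLAGS)" and a check of the build log that the distribution's CFLAGS actually appear on the compiler lines. Separately, patches 1 to 5 are applied with -Np0 and patch 6 with -Np1; using one strip level for the whole series would make the block easier to maintain.
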
>> diff --git a/src/patches/ppp/0014-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch b/src/patches/ppp/0014-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch
>> deleted file mode 100644
>> index fffda981d..000000000
>> --- a/src/patches/ppp/0014-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch
>> +++ /dev/null
>> @@ -1,165 +0,0 @@
>> -From 2a97ab28ee00586e5f06b3ef3a0e43ea0c7c6499 Mon Sep 17 00:00:00 2001
>> -From: Michal Sekletar <msekleta@redhat.com>
>> -Date: Mon, 7 Apr 2014 14:21:41 +0200
>> -Subject: [PATCH 14/25] everywhere: use SOCK_CLOEXEC when creating socket
>> -
>> ----
>> - pppd/plugins/pppoatm/pppoatm.c          |  2 +-
>> - pppd/plugins/pppol2tp/openl2tp.c        |  2 +-
>> - pppd/plugins/pppol2tp/pppol2tp.c        |  2 +-
>> - pppd/plugins/pppoe/if.c                 |  2 +-
>> - pppd/plugins/pppoe/plugin.c             |  6 +++---
>> - pppd/plugins/pppoe/pppoe-discovery.c    |  2 +-
>> - pppd/sys-linux.c                        | 10 +++++-----
>> - pppd/tty.c                              |  2 +-
>> - 8 files changed, 14 insertions(+), 14 deletions(-)
>> -
>> -diff --git a/pppd/plugins/pppoatm/pppoatm.c b/pppd/plugins/pppoatm/pppoatm.c
>> -index d693350..c31bb34 100644
>> ---- a/pppd/plugins/pppoatm/pppoatm.c
>> -+++ b/pppd/plugins/pppoatm/pppoatm.c
>> -@@ -135,7 +135,7 @@ static int connect_pppoatm(void)
>> -
>> - if (!device_got_set)
>> - no_device_given_pppoatm();
>> -- fd = socket(AF_ATMPVC, SOCK_DGRAM, 0);
>> -+ fd = socket(AF_ATMPVC, SOCK_DGRAM | SOCK_CLOEXEC, 0);
>> - if (fd < 0)
>> - fatal("failed to create socket: %m");
>> - memset(&qos, 0, sizeof qos);
>> -diff --git a/pppd/plugins/pppol2tp/openl2tp.c b/pppd/plugins/pppol2tp/openl2tp.c
>> -index 9643b96..1099575 100644
>> ---- a/pppd/plugins/pppol2tp/openl2tp.c
>> -+++ b/pppd/plugins/pppol2tp/openl2tp.c
>> -@@ -83,7 +83,7 @@ static int openl2tp_client_create(void)
>> - int result;
>> -
>> - if (openl2tp_fd < 0) {
>> -- openl2tp_fd = socket(PF_UNIX, SOCK_DGRAM, 0);
>> -+ openl2tp_fd = socket(PF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0);
>> - if (openl2tp_fd < 0) {
>> - error("openl2tp connection create: %m");
>> - return -ENOTCONN;
>> -diff --git a/pppd/plugins/pppol2tp/pppol2tp.c b/pppd/plugins/pppol2tp/pppol2tp.c
>> -index a7e3400..e64a778 100644
>> ---- a/pppd/plugins/pppol2tp/pppol2tp.c
>> -+++ b/pppd/plugins/pppol2tp/pppol2tp.c
>> -@@ -208,7 +208,7 @@ static void send_config_pppol2tp(int mtu,
>> - struct ifreq ifr;
>> - int fd;
>> -
>> -- fd = socket(AF_INET, SOCK_DGRAM, 0);
>> -+ fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
>> - if (fd >= 0) {
>> - memset (&ifr, '\0', sizeof (ifr));
>> - strlcpy(ifr.ifr_name, ifname, sizeof(ifr.ifr_name));
>> -diff --git a/pppd/plugins/pppoe/if.c b/pppd/plugins/pppoe/if.c
>> -index 91e9a57..72aba41 100644
>> ---- a/pppd/plugins/pppoe/if.c
>> -+++ b/pppd/plugins/pppoe/if.c
>> -@@ -116,7 +116,7 @@ openInterface(char const *ifname, UINT16_t type, unsigned char *hwaddr)
>> -     stype = SOCK_PACKET;
>> - #endif
>> -
>> --    if ((fd = socket(domain, stype, htons(type))) < 0) {
>> -+    if ((fd = socket(domain, stype | SOCK_CLOEXEC, htons(type))) < 0) {
>> - /* Give a more helpful message for the common error case */
>> - if (errno == EPERM) {
>> -    fatal("Cannot create raw socket -- pppoe must be run as root.");
>> -diff --git a/pppd/plugins/pppoe/plugin.c b/pppd/plugins/pppoe/plugin.c
>> -index a8c2bb4..24bdf8f 100644
>> ---- a/pppd/plugins/pppoe/plugin.c
>> -+++ b/pppd/plugins/pppoe/plugin.c
>> -@@ -137,7 +137,7 @@ PPPOEConnectDevice(void)
>> -     /* server equipment).                                                  */
>> -     /* Opening this socket just before waitForPADS in the discovery()      */
>> -     /* function would be more appropriate, but it would mess-up the code   */
>> --    conn->sessionSocket = socket(AF_PPPOX, SOCK_STREAM, PX_PROTO_OE);
>> -+    conn->sessionSocket = socket(AF_PPPOX, SOCK_STREAM | SOCK_CLOEXEC, PX_PROTO_OE);
>> -     if (conn->sessionSocket < 0) {
>> - error("Failed to create PPPoE socket: %m");
>> - return -1;
>> -@@ -148,7 +148,7 @@ PPPOEConnectDevice(void)
>> -     lcp_wantoptions[0].mru = conn->mru;
>> -
>> -     /* Update maximum MRU */
>> --    s = socket(AF_INET, SOCK_DGRAM, 0);
>> -+    s = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
>> -     if (s < 0) {
>> - error("Can't get MTU for %s: %m", conn->ifName);
>> - goto errout;
>> -@@ -320,7 +320,7 @@ PPPoEDevnameHook(char *cmd, char **argv, int doit)
>> -     }
>> -
>> -     /* Open a socket */
>> --    if ((fd = socket(PF_PACKET, SOCK_RAW, 0)) < 0) {
>> -+    if ((fd = socket(PF_PACKET, SOCK_RAW | SOCK_CLOEXEC, 0)) < 0) {
>> - r = 0;
>> -     }
>> -
>> -diff --git a/pppd/plugins/pppoe/pppoe-discovery.c b/pppd/plugins/pppoe/pppoe-discovery.c
>> -index 3d3bf4e..c0d927d 100644
>> ---- a/pppd/plugins/pppoe/pppoe-discovery.c
>> -+++ b/pppd/plugins/pppoe/pppoe-discovery.c
>> -@@ -121,7 +121,7 @@ openInterface(char const *ifname, UINT16_t type, unsigned char *hwaddr)
>> -     stype = SOCK_PACKET;
>> - #endif
>> -
>> --    if ((fd = socket(domain, stype, htons(type))) < 0) {
>> -+    if ((fd = socket(domain, stype | SOCK_CLOEXEC, htons(type))) < 0) {
>> - /* Give a more helpful message for the common error case */
>> - if (errno == EPERM) {
>> -    rp_fatal("Cannot create raw socket -- pppoe must be run as root.");
>> -diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c
>> -index 00a2cf5..0690019 100644
>> ---- a/pppd/sys-linux.c
>> -+++ b/pppd/sys-linux.c
>> -@@ -308,12 +308,12 @@ static int modify_flags(int fd, int clear_bits, int set_bits)
>> - void sys_init(void)
>> - {
>> -     /* Get an internet socket for doing socket ioctls. */
>> --    sock_fd = socket(AF_INET, SOCK_DGRAM, 0);
>> -+    sock_fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
>> -     if (sock_fd < 0)
>> - fatal("Couldn't create IP socket: %m(%d)", errno);
>> -
>> - #ifdef INET6
>> --    sock6_fd = socket(AF_INET6, SOCK_DGRAM, 0);
>> -+    sock6_fd = socket(AF_INET6, SOCK_DGRAM | SOCK_CLOEXEC, 0);
>> -     if (sock6_fd < 0)
>> - sock6_fd = -errno; /* save errno for later */
>> - #endif
>> -@@ -1857,7 +1857,7 @@ get_if_hwaddr(u_char *addr, char *name)
>> - struct ifreq ifreq;
>> - int ret, sock_fd;
>> -
>> -- sock_fd = socket(AF_INET, SOCK_DGRAM, 0);
>> -+ sock_fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
>> - if (sock_fd < 0)
>> - return 0;
>> - memset(&ifreq.ifr_hwaddr, 0, sizeof(struct sockaddr));
>> -@@ -2067,7 +2067,7 @@ int ppp_available(void)
>> - /*
>> -  * Open a socket for doing the ioctl operations.
>> -  */
>> --    s = socket(AF_INET, SOCK_DGRAM, 0);
>> -+    s = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
>> -     if (s < 0)
>> - return 0;
>> -
>> -diff --git a/pppd/tty.c b/pppd/tty.c
>> -index bc96695..8e76a5d 100644
>> ---- a/pppd/tty.c
>> -+++ b/pppd/tty.c
>> -@@ -896,7 +896,7 @@ open_socket(dest)
>> -     *sep = ':';
>> -
>> -     /* get a socket and connect it to the other end */
>> --    sock = socket(PF_INET, SOCK_STREAM, 0);
>> -+    sock = socket(PF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0);
>> -     if (sock < 0) {
>> - error("Can't create socket: %m");
>> - return -1;
>> ---
>> -1.8.3.1
>> -
>> diff --git a/src/patches/ppp/ppp-2.4.6-increase-max-padi-attempts.patch b/src/patches/ppp/ppp-2.4.6-increase-max-padi-attempts.patch
>> deleted file mode 100644
>> index 1b36e8369..000000000
>> --- a/src/patches/ppp/ppp-2.4.6-increase-max-padi-attempts.patch
>> +++ /dev/null
>> @@ -1,13 +0,0 @@
>> -diff --git a/pppd/plugins/pppoe/pppoe.h b/pppd/plugins/pppoe/pppoe.h
>> -index 9ab2eee..86762bd 100644
>> ---- a/pppd/plugins/pppoe/pppoe.h
>> -+++ b/pppd/plugins/pppoe/pppoe.h
>> -@@ -148,7 +148,7 @@ extern UINT16_t Eth_PPPOE_Session;
>> - #define STATE_TERMINATED    4
>> -
>> - /* How many PADI/PADS attempts? */
>> --#define MAX_PADI_ATTEMPTS 3
>> -+#define MAX_PADI_ATTEMPTS 4
>> -
>> - /* Initial timeout for PADO/PADS */
>> - #define PADI_TIMEOUT 5
>> diff --git a/src/patches/ppp/ppp-2.4.7-headers_4.9.patch b/src/patches/ppp/ppp-2.4.7-headers_4.9.patch
>> deleted file mode 100644
>> index 686db9204..000000000
>> --- a/src/patches/ppp/ppp-2.4.7-headers_4.9.patch
>> +++ /dev/null
>> @@ -1,12 +0,0 @@
>> -diff -Naur ppp-2.4.7.org/pppd/plugins/pppoe/plugin.c ppp-2.4.7/pppd/plugins/pppoe/plugin.c
>> ---- ppp-2.4.7.org/pppd/plugins/pppoe/plugin.c 2014-08-09 14:31:39.000000000 +0200
>> -+++ ppp-2.4.7/pppd/plugins/pppoe/plugin.c 2017-02-09 08:45:12.567493723 +0100
>> -@@ -49,6 +49,8 @@
>> - #include <net/ethernet.h>
>> - #include <net/if_arp.h>
>> - #include <linux/ppp_defs.h>
>> -+#define _LINUX_IN_H
>> -+#define _LINUX_IN6_H
>> - #include <linux/if_pppox.h>
>> -
>> - #ifndef _ROOT_PATH
>> diff --git a/src/patches/ppp/ppp-2.4.9-patch-configure-to-handle-cflags-properly.patch b/src/patches/ppp/ppp-2.4.9-patch-configure-to-handle-cflags-properly.patch
>> deleted file mode 100644
>> index b36ace192..000000000
>> --- a/src/patches/ppp/ppp-2.4.9-patch-configure-to-handle-cflags-properly.patch
>> +++ /dev/null
>> @@ -1,15 +0,0 @@
>> ---- ppp-2.4.9.orig/configure 2021-03-30 21:38:27.415735914 +0200
>> -+++ ppp-2.4.9/configure 2021-04-01 19:10:48.632314447 +0200
>> -@@ -121,9 +121,9 @@
>> -     rm -f $2
>> -     if [ -f $1 ]; then
>> - echo "  $2 <= $1"
>> -- sed -e "s,@DESTDIR@,$DESTDIR,g" -e "s,@SYSCONF@,$SYSCONF,g" \
>> --    -e "s,@CROSS_COMPILE@,$CROSS_COMPILE,g" -e "s,@CC@,$CC,g" \
>> --    -e "s,@CFLAGS@,$CFLAGS,g" $1 >$2
>> -+ sed -e "s#@DESTDIR@#$DESTDIR#g" -e "s#@SYSCONF@#$SYSCONF#g" \
>> -+    -e "s#@CROSS_COMPILE@#$CROSS_COMPILE#g" -e "s#@CC@#$CC#g" \
>> -+    -e "s#@CFLAGS@#$CFLAGS#g" $1 >$2
>> -     fi
>> - }
>> -
>> diff --git a/src/patches/ppp/0012-pppd-we-don-t-want-to-accidentally-leak-fds.patch b/src/patches/ppp/ppp-2.5.0-1-we-don-t-want-to-accidentally-leak-fds.patch
>> similarity index 54%
>> rename from src/patches/ppp/0012-pppd-we-don-t-want-to-accidentally-leak-fds.patch
>> rename to src/patches/ppp/ppp-2.5.0-1-we-don-t-want-to-accidentally-leak-fds.patch
>> index 90bb2d161..98ab03119 100644
>> --- a/src/patches/ppp/0012-pppd-we-don-t-want-to-accidentally-leak-fds.patch
>> +++ b/src/patches/ppp/ppp-2.5.0-1-we-don-t-want-to-accidentally-leak-fds.patch
>> @@ -1,20 +1,8 @@
>> -From 82cd789df0f022eb6f3d28646e7a61d1d0715805 Mon Sep 17 00:00:00 2001
>> -From: Michal Sekletar <msekleta@redhat.com>
>> -Date: Mon, 7 Apr 2014 12:23:36 +0200
>> -Subject: [PATCH 12/25] pppd: we don't want to accidentally leak fds
>> -
>> ----
>> - pppd/auth.c      | 20 ++++++++++----------
>> - pppd/options.c   |  2 +-
>> - pppd/sys-linux.c |  4 ++--
>> - 3 files changed, 13 insertions(+), 13 deletions(-)
>> -
>> -diff --git a/pppd/auth.c b/pppd/auth.c
>> -index 4271af6..9e957fa 100644
>> ---- a/pppd/auth.c
>> -+++ b/pppd/auth.c
>> -@@ -428,7 +428,7 @@ setupapfile(argv)
>> - option_error("unable to reset uid before opening %s: %m", fname);
>> +diff -Naur pppd.orig/auth.c pppd/auth.c
>> +--- pppd.orig/auth.c 2023-03-25 05:38:30.000000000 +0100
>> ++++ pppd/auth.c 2023-06-30 12:38:13.748482796 +0200
>> +@@ -518,7 +518,7 @@
>> +         free(fname);
>>    return 0;
>>       }
>> -    ufile = fopen(fname, "r");
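
Review bot: the regenerated patch drops the original header block at the top of the file (From: Michal Sekletar, Date, Subject "pppd: we don't want to accidentally leak fds") and replaces it with a bare diff -Naur, so the patch file no longer records who wrote the change or what it is for. Please keep a short header in the patch file naming the original author and subject and noting that it was rebased onto 2.5.0.
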
>> @@ -22,8 +10,8 @@ index 4271af6..9e957fa 100644
>>       if (seteuid(euid) == -1)
>>    fatal("unable to regain privileges: %m");
>>       if (ufile == NULL) {
>> -@@ -1413,7 +1413,7 @@ check_passwd(unit, auser, userlen, apasswd, passwdlen, msg)
>> -     filename = _PATH_UPAPFILE;
>> +@@ -1535,7 +1535,7 @@
>> +     filename = PPP_PATH_UPAPFILE;
>>       addrs = opts = NULL;
>>       ret = UPAP_AUTHNAK;
>> -    f = fopen(filename, "r");
>> @@ -31,52 +19,52 @@ index 4271af6..9e957fa 100644
>>       if (f == NULL) {
>>    error("Can't open PAP password file %s: %m", filename);
>>
>> -@@ -1512,7 +1512,7 @@ null_login(unit)
>> +@@ -1635,7 +1635,7 @@
>>       if (ret <= 0) {
>> - filename = _PATH_UPAPFILE;
>> + filename = PPP_PATH_UPAPFILE;
>>    addrs = NULL;
>> - f = fopen(filename, "r");
>> + f = fopen(filename, "re");
>>    if (f == NULL)
>>       return 0;
>>    check_access(f, filename);
>> -@@ -1559,7 +1559,7 @@ get_pap_passwd(passwd)
>> +@@ -1681,7 +1681,7 @@
>>       }
>>
>> -     filename = _PATH_UPAPFILE;
>> +     filename = PPP_PATH_UPAPFILE;
>> -    f = fopen(filename, "r");
>> +    f = fopen(filename, "re");
>>       if (f == NULL)
>>    return 0;
>>       check_access(f, filename);
>> -@@ -1597,7 +1597,7 @@ have_pap_secret(lacks_ipp)
>> +@@ -1718,7 +1718,7 @@
>>       }
>>
>> -     filename = _PATH_UPAPFILE;
>> +     filename = PPP_PATH_UPAPFILE;
>> -    f = fopen(filename, "r");
>> +    f = fopen(filename, "re");
>>       if (f == NULL)
>>    return 0;
>>
>> -@@ -1642,7 +1642,7 @@ have_chap_secret(client, server, need_ip, lacks_ipp)
>> +@@ -1760,7 +1760,7 @@
>>       }
>>
>> -     filename = _PATH_CHAPFILE;
>> +     filename = PPP_PATH_CHAPFILE;
>> -    f = fopen(filename, "r");
>> +    f = fopen(filename, "re");
>>       if (f == NULL)
>>    return 0;
>>
>> -@@ -1684,7 +1684,7 @@ have_srp_secret(client, server, need_ip, lacks_ipp)
>> +@@ -1798,7 +1798,7 @@
>>       struct wordlist *addrs;
>>
>> -     filename = _PATH_SRPFILE;
>> +     filename = PPP_PATH_SRPFILE;
>> -    f = fopen(filename, "r");
>> +    f = fopen(filename, "re");
>>       if (f == NULL)
>>    return 0;
>>
>> -@@ -1740,7 +1740,7 @@ get_secret(unit, client, server, secret, secret_len, am_server)
>> +@@ -1849,7 +1849,7 @@
>>    addrs = NULL;
>>    secbuf[0] = 0;
>>
>> @@ -85,8 +73,8 @@ index 4271af6..9e957fa 100644
>>    if (f == NULL) {
>>       error("Can't open chap secret file %s: %m", filename);
>>       return 0;
>> -@@ -1797,7 +1797,7 @@ get_srp_secret(unit, client, server, secret, am_server)
>> - filename = _PATH_SRPFILE;
>> +@@ -1902,7 +1902,7 @@
>> + filename = PPP_PATH_SRPFILE;
>>    addrs = NULL;
>>
>> - fp = fopen(filename, "r");
>> @@ -94,7 +82,7 @@ index 4271af6..9e957fa 100644
>>    if (fp == NULL) {
>>       error("Can't open srp secret file %s: %m", filename);
>>       return 0;
>> -@@ -2203,7 +2203,7 @@ scan_authfile(f, client, server, secret, addrs, opts, filename, flags)
>> +@@ -2291,7 +2291,7 @@
>>        */
>>       if (word[0] == '@' && word[1] == '/') {
>>    strlcpy(atfile, word+1, sizeof(atfile));
>> @@ -103,12 +91,38 @@ index 4271af6..9e957fa 100644
>>       warn("can't open indirect secret file %s", atfile);
>>       continue;
>>    }
>> -diff --git a/pppd/options.c b/pppd/options.c
>> -index 45fa742..1d754ae 100644
>> ---- a/pppd/options.c
>> -+++ b/pppd/options.c
>> -@@ -427,7 +427,7 @@ options_from_file(filename, must_exist, check_prot, priv)
>> - option_error("unable to drop privileges to open %s: %m", filename);
>> +@@ -2461,7 +2461,7 @@
>> +     char pkfile[MAXWORDLEN];
>> +
>> +     filename = PPP_PATH_EAPTLSSERVFILE;
>> +-    f = fopen(filename, "r");
>> ++    f = fopen(filename, "re");
>> +     if (f == NULL)
>> + return 0;
>> +
>> +@@ -2518,7 +2518,7 @@
>> + return 1;
>> +
>> +     filename = PPP_PATH_EAPTLSCLIFILE;
>> +-    f = fopen(filename, "r");
>> ++    f = fopen(filename, "re");
>> +     if (f == NULL)
>> + return 0;
>> +
>> +@@ -2738,7 +2738,7 @@
>> + filename = (am_server ? PPP_PATH_EAPTLSSERVFILE : PPP_PATH_EAPTLSCLIFILE);
>> + addrs = NULL;
>> +
>> +- fp = fopen(filename, "r");
>> ++ fp = fopen(filename, "re");
>> + if (fp == NULL)
>> + {
>> + error("Can't open eap-tls secret file %s: %m", filename);
>> +diff -Naur pppd.orig/options.c pppd/options.c
>> +--- pppd.orig/options.c 2023-03-25 05:38:30.000000000 +0100
>> ++++ pppd/options.c 2023-06-30 12:42:19.262593140 +0200
>> +@@ -555,7 +555,7 @@
>> + ppp_option_error("unable to drop privileges to open %s: %m", filename);
>>    return 0;
>>       }
>> -    f = fopen(filename, "r");
>> @@ -116,11 +130,10 @@ index 45fa742..1d754ae 100644
>>       err = errno;
>>       if (check_prot && seteuid(euid) == -1)
>>    fatal("unable to regain privileges");
>> -diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c
>> -index 72a7727..8a12fa0 100644
>> ---- a/pppd/sys-linux.c
>> -+++ b/pppd/sys-linux.c
>> -@@ -1412,7 +1412,7 @@ static char *path_to_procfs(const char *tail)
>> +diff -Naur pppd.orig/sys-linux.c pppd/sys-linux.c
>> +--- pppd.orig/sys-linux.c 2023-03-10 02:50:41.000000000 +0100
>> ++++ pppd/sys-linux.c 2023-06-30 12:43:20.634453475 +0200
>> +@@ -1978,7 +1978,7 @@
>>    /* Default the mount location of /proc */
>>    strlcpy (proc_path, "/proc", sizeof(proc_path));
>>    proc_path_len = 5;
>> @@ -129,7 +142,7 @@ index 72a7727..8a12fa0 100644
>>    if (fp != NULL) {
>>       while ((mntent = getmntent(fp)) != NULL) {
>>    if (strcmp(mntent->mnt_type, MNTTYPE_IGNORE) == 0)
>> -@@ -1472,7 +1472,7 @@ static int open_route_table (void)
>> +@@ -2038,7 +2038,7 @@
>>       close_route_table();
>>
>>       path = path_to_procfs("/net/route");
>> @@ -138,6 +151,12 @@ index 72a7727..8a12fa0 100644
>>       if (route_fd == NULL) {
>>    error("can't open routing table %s: %m", path);
>>    return 0;
>> ---
>> -1.8.3.1
>> -
>> +@@ -2322,7 +2322,7 @@
>> +     close_route_table();
>> +
>> +     path = path_to_procfs("/net/ipv6_route");
>> +-    route_fd = fopen (path, "r");
>> ++    route_fd = fopen (path, "re");
>> +     if (route_fd == NULL) {
>> + error("can't open routing table %s: %m", path);
>> + return 0;
>> diff --git a/src/patches/ppp/0013-everywhere-O_CLOEXEC-harder.patch b/src/patches/ppp/ppp-2.5.0-2-everywhere-O_CLOEXEC-harder.patch
>> similarity index 63%
>> rename from src/patches/ppp/0013-everywhere-O_CLOEXEC-harder.patch
>> rename to src/patches/ppp/ppp-2.5.0-2-everywhere-O_CLOEXEC-harder.patch
>> index 0fb028779..c205c0e08 100644
>> --- a/src/patches/ppp/0013-everywhere-O_CLOEXEC-harder.patch
>> +++ b/src/patches/ppp/ppp-2.5.0-2-everywhere-O_CLOEXEC-harder.patch
>> @@ -1,23 +1,7 @@
>> -From 302c1b736cb656c7885a0cba270fd953a672d8a8 Mon Sep 17 00:00:00 2001
>> -From: Michal Sekletar <msekleta@redhat.com>
>> -Date: Mon, 7 Apr 2014 13:56:34 +0200
>> -Subject: [PATCH 13/25] everywhere: O_CLOEXEC harder
>> -
>> ----
>> - pppd/eap.c       |  2 +-
>> - pppd/main.c      |  4 ++--
>> - pppd/options.c   |  4 ++--
>> - pppd/sys-linux.c | 22 +++++++++++-----------
>> - pppd/tdb.c       |  4 ++--
>> - pppd/tty.c       |  4 ++--
>> - pppd/utils.c     |  6 +++---
>> - 7 files changed, 23 insertions(+), 23 deletions(-)
>> -
>> -diff --git a/pppd/eap.c b/pppd/eap.c
>> -index 6ea6c1f..faced53 100644
>> ---- a/pppd/eap.c
>> -+++ b/pppd/eap.c
>> -@@ -1226,7 +1226,7 @@ mode_t modebits;
>> +diff -Naur pppd.orig/eap.c pppd/eap.c
>> +--- pppd.orig/eap.c 2023-03-25 05:38:30.000000000 +0100
>> ++++ pppd/eap.c 2023-06-30 12:58:07.984676045 +0200
>> +@@ -1542,7 +1542,7 @@
>>
>>    if ((path = name_of_pn_file()) == NULL)
>>    return (-1);
>> @@ -26,34 +10,23 @@ index 6ea6c1f..faced53 100644
>>    err = errno;
>>    free(path);
>>    errno = err;
>> -diff --git a/pppd/main.c b/pppd/main.c
>> -index 87a5d29..152e4a2 100644
>> ---- a/pppd/main.c
>> -+++ b/pppd/main.c
>> -@@ -400,7 +400,7 @@ main(int argc, char *argv[])
>> +diff -Naur pppd.orig/main.c pppd/main.c
>> +--- pppd.orig/main.c 2023-03-25 05:38:30.000000000 +0100
>> ++++ pppd/main.c 2023-06-30 13:00:15.155195676 +0200
>> +@@ -479,7 +479,7 @@
>>    die(0);
>>
>>       /* Make sure fds 0, 1, 2 are open to somewhere. */
>> --    fd_devnull = open(_PATH_DEVNULL, O_RDWR);
>> -+    fd_devnull = open(_PATH_DEVNULL, O_RDWR | O_CLOEXEC);
>> +-    fd_devnull = open(PPP_DEVNULL, O_RDWR);
>> ++    fd_devnull = open(PPP_DEVNULL, O_RDWR | O_CLOEXEC);
>>       if (fd_devnull < 0)
>> - fatal("Couldn't open %s: %m", _PATH_DEVNULL);
>> + fatal("Couldn't open %s: %m", PPP_DEVNULL);
>>       while (fd_devnull <= 2) {
>> -@@ -1642,7 +1642,7 @@ device_script(char *program, int in, int out, int dont_wait)
>> -     if (log_to_fd >= 0)
>> - errfd = log_to_fd;
>> -     else
>> -- errfd = open(_PATH_CONNERRS, O_WRONLY | O_APPEND | O_CREAT, 0644);
>> -+ errfd = open(_PATH_CONNERRS, O_WRONLY | O_APPEND | O_CREAT | O_CLOEXEC, 0644);
>> -
>> -     ++conn_running;
>> -     pid = safe_fork(in, out, errfd);
>> -diff --git a/pppd/options.c b/pppd/options.c
>> -index 1d754ae..8e62635 100644
>> ---- a/pppd/options.c
>> -+++ b/pppd/options.c
>> -@@ -1544,9 +1544,9 @@ setlogfile(argv)
>> - option_error("unable to drop permissions to open %s: %m", *argv);
>> +diff -Naur pppd.orig/options.c pppd/options.c
>> +--- pppd.orig/options.c 2023-06-30 12:42:19.262593140 +0200
>> ++++ pppd/options.c 2023-06-30 13:01:58.388323345 +0200
>> +@@ -1718,9 +1718,9 @@
>> + ppp_option_error("unable to drop permissions to open %s: %m", *argv);
>>    return 0;
>>       }
>> -    fd = open(*argv, O_WRONLY | O_APPEND | O_CREAT | O_EXCL, 0644);
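
Review bot: the regenerated patch no longer carries the second pppd/main.c hunk, the one in device_script() that added O_CLOEXEC to the open() of _PATH_CONNERRS, and the commit message does not say why. Please state whether 2.5.0 already opens the connect-errors log with O_CLOEXEC or whether the hunk simply stopped applying; if it was just dropped, re-create it against the 2.5.0 source so that this descriptor is covered like the others in the patch.
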
>> @@ -64,11 +37,10 @@ index 1d754ae..8e62635 100644
>>       err = errno;
>>       if (!privileged_option && seteuid(euid) == -1)
>>    fatal("unable to regain privileges: %m");
>> -diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c
>> -index 8a12fa0..00a2cf5 100644
>> ---- a/pppd/sys-linux.c
>> -+++ b/pppd/sys-linux.c
>> -@@ -459,7 +459,7 @@ int generic_establish_ppp (int fd)
>> +diff -Naur pppd.orig/sys-linux.c pppd/sys-linux.c
>> +--- pppd.orig/sys-linux.c 2023-06-30 12:43:20.634453475 +0200
>> ++++ pppd/sys-linux.c 2023-06-30 13:11:25.715511251 +0200
>> +@@ -666,7 +666,7 @@
>>       goto err;
>>    }
>>    dbglog("using channel %d", chindex);
>> @@ -77,7 +49,7 @@ index 8a12fa0..00a2cf5 100644
>>    if (fd < 0) {
>>       error("Couldn't reopen /dev/ppp: %m");
>>       goto err;
>> -@@ -619,7 +619,7 @@ static int make_ppp_unit()
>> +@@ -904,7 +904,7 @@
>>    dbglog("in make_ppp_unit, already had /dev/ppp open?");
>>    close(ppp_dev_fd);
>>    }
>> @@ -86,7 +58,7 @@ index 8a12fa0..00a2cf5 100644
>>    if (ppp_dev_fd < 0)
>>    fatal("Couldn't open /dev/ppp: %m");
>>    flags = fcntl(ppp_dev_fd, F_GETFL);
>> -@@ -693,7 +693,7 @@ int bundle_attach(int ifnum)
>> +@@ -1025,7 +1025,7 @@
>>    if (!new_style_driver)
>>    return -1;
>>
>> @@ -95,7 +67,7 @@ index 8a12fa0..00a2cf5 100644
>>    if (master_fd < 0)
>>    fatal("Couldn't open /dev/ppp: %m");
>>    if (ioctl(master_fd, PPPIOCATTACH, &ifnum) < 0) {
>> -@@ -1715,7 +1715,7 @@ int sifproxyarp (int unit, u_int32_t his_adr)
>> +@@ -2533,7 +2533,7 @@
>>    if (tune_kernel) {
>>       forw_path = path_to_procfs("/sys/net/ipv4/ip_forward");
>>       if (forw_path != 0) {
>> @@ -104,7 +76,7 @@ index 8a12fa0..00a2cf5 100644
>>    if (fd >= 0) {
>>       if (write(fd, "1", 1) != 1)
>>    error("Couldn't enable IP forwarding: %m");
>> -@@ -2030,7 +2030,7 @@ int ppp_available(void)
>> +@@ -2878,7 +2878,7 @@
>>       sscanf(utsname.release, "%d.%d.%d", &osmaj, &osmin, &ospatch);
>>       kernel_version = KVERSION(osmaj, osmin, ospatch);
>>
>> @@ -113,7 +85,7 @@ index 8a12fa0..00a2cf5 100644
>>       if (fd >= 0) {
>>    new_style_driver = 1;
>>
>> -@@ -2208,7 +2208,7 @@ void logwtmp (const char *line, const char *name, const char *host)
>> +@@ -3056,7 +3056,7 @@
>>   #if __GLIBC__ >= 2
>>       updwtmp(_PATH_WTMP, &ut);
>>   #else
>> @@ -122,7 +94,7 @@ index 8a12fa0..00a2cf5 100644
>>       if (wtmp >= 0) {
>>    flock(wtmp, LOCK_EX);
>>
>> -@@ -2394,7 +2394,7 @@ int sifaddr (int unit, u_int32_t our_adr, u_int32_t his_adr,
>> +@@ -3280,7 +3280,7 @@
>>    int fd;
>>
>>    path = path_to_procfs("/sys/net/ipv4/ip_dynaddr");
>> @@ -131,7 +103,7 @@ index 8a12fa0..00a2cf5 100644
>>       if (write(fd, "1", 1) != 1)
>>    error("Couldn't enable dynamic IP addressing: %m");
>>       close(fd);
>> -@@ -2570,7 +2570,7 @@ get_pty(master_fdp, slave_fdp, slave_name, uid)
>> +@@ -3534,7 +3534,7 @@
>>       /*
>>        * Try the unix98 way first.
>>        */
>> @@ -140,17 +112,17 @@ index 8a12fa0..00a2cf5 100644
>>       if (mfd >= 0) {
>>    int ptn;
>>    if (ioctl(mfd, TIOCGPTN, &ptn) >= 0) {
>> -@@ -2851,7 +2851,8 @@
>> +@@ -3545,7 +3545,8 @@
>>       if (ioctl(mfd, TIOCSPTLCK, &ptn) < 0)
>>    warn("Couldn't unlock pty slave %s: %m", pty_name);
>>   #endif
>> -    if ((sfd = open(pty_name, O_RDWR | O_NOCTTY)) < 0)
>> +
>> -+            if ((sfd = open(pty_name, O_RDWR | O_NOCTTY | O_CLOEXEC)) < 0)
>> -    {
>> ++    if ((sfd = open(pty_name, O_RDWR | O_NOCTTY | O_CLOEXEC)) < 0)
>> +    {
>>    warn("Couldn't open pty slave %s: %m", pty_name);
>> - close(mfd);
>> -@@ -2865,10 +2866,10 @@
>> + close(mfd);
>> +@@ -3559,10 +3560,10 @@
>>    for (i = 0; i < 64; ++i) {
>>       slprintf(pty_name, sizeof(pty_name), "/dev/pty%c%x",
>>        'p' + i / 16, i % 16);
>> @@ -161,13 +133,12 @@ index 8a12fa0..00a2cf5 100644
>> - sfd = open(pty_name, O_RDWR | O_NOCTTY, 0);
>> + sfd = open(pty_name, O_RDWR | O_NOCTTY | O_CLOEXEC, 0);
>>    if (sfd >= 0) {
>> -    fchown(sfd, uid, -1);
>> -    fchmod(sfd, S_IRUSR | S_IWUSR);
>> -diff --git a/pppd/tdb.c b/pppd/tdb.c
>> -index bdc5828..c7ab71c 100644
>> ---- a/pppd/tdb.c
>> -+++ b/pppd/tdb.c
>> -@@ -1724,7 +1724,7 @@ TDB_CONTEXT *tdb_open_ex(const char *name, int hash_size, int tdb_flags,
>> +    ret = fchown(sfd, uid, -1);
>> +    if (ret != 0) {
>> +diff -Naur pppd.orig/tdb.c pppd/tdb.c
>> +--- pppd.orig/tdb.c 2021-07-23 06:41:07.000000000 +0200
>> ++++ pppd/tdb.c 2023-06-30 13:12:55.034900600 +0200
>> +@@ -1728,7 +1728,7 @@
>>    goto internal;
>>    }
>>
>> @@ -176,7 +147,7 @@ index bdc5828..c7ab71c 100644
>>    TDB_LOG((tdb, 5, "tdb_open_ex: could not open file %s: %s\n",
>>    name, strerror(errno)));
>>    goto fail; /* errno set by open(2) */
>> -@@ -1967,7 +1967,7 @@ int tdb_reopen(TDB_CONTEXT *tdb)
>> +@@ -1971,7 +1971,7 @@
>>    }
>>    if (close(tdb->fd) != 0)
>>    TDB_LOG((tdb, 0, "tdb_reopen: WARNING closing tdb->fd failed!\n"));
>> @@ -185,12 +156,11 @@ index bdc5828..c7ab71c 100644
>>    if (tdb->fd == -1) {
>>    TDB_LOG((tdb, 0, "tdb_reopen: open failed (%s)\n", strerror(errno)));
>>    goto fail;
>> -diff --git a/pppd/tty.c b/pppd/tty.c
>> -index d571b11..bc96695 100644
>> ---- a/pppd/tty.c
>> -+++ b/pppd/tty.c
>> -@@ -569,7 +569,7 @@ int connect_tty()
>> - status = EXIT_OPEN_FAILED;
>> +diff -Naur pppd.orig/tty.c pppd/tty.c
>> +--- pppd.orig/tty.c 2023-03-25 05:38:30.000000000 +0100
>> ++++ pppd/tty.c 2023-06-30 13:14:06.450418113 +0200
>> +@@ -621,7 +621,7 @@
>> + ppp_set_status(EXIT_OPEN_FAILED);
>>    goto errret;
>>    }
>> - real_ttyfd = open(devnam, O_NONBLOCK | O_RDWR, 0);
>> @@ -198,7 +168,7 @@ index d571b11..bc96695 100644
>>    err = errno;
>>    if (prio < OPRIO_ROOT && seteuid(0) == -1)
>>    fatal("Unable to regain privileges");
>> -@@ -723,7 +723,7 @@ int connect_tty()
>> +@@ -775,7 +775,7 @@
>>    if (connector == NULL && modem && devnam[0] != 0) {
>>    int i;
>>    for (;;) {
>> @@ -207,12 +177,11 @@ index d571b11..bc96695 100644
>>    break;
>>    if (errno != EINTR) {
>>    error("Failed to reopen %s: %m", devnam);
>> -diff --git a/pppd/utils.c b/pppd/utils.c
>> -index 29bf970..6051b9a 100644
>> ---- a/pppd/utils.c
>> -+++ b/pppd/utils.c
>> -@@ -918,14 +918,14 @@ lock(dev)
>> -     slprintf(lock_file, sizeof(lock_file), "%s/LCK..%s", LOCK_DIR, dev);
>> +diff -Naur pppd.orig/utils.c pppd/utils.c
>> +--- pppd.orig/utils.c 2022-12-30 02:12:39.000000000 +0100
>> ++++ pppd/utils.c 2023-06-30 13:15:47.860182369 +0200
>> +@@ -843,14 +843,14 @@
>> +     slprintf(lock_file, sizeof(lock_file), "%s/LCK..%s", PPP_PATH_LOCKDIR, dev);
>>   #endif
>>
>> -    while ((fd = open(lock_file, O_EXCL | O_CREAT | O_RDWR, 0644)) < 0) {
>> @@ -228,7 +197,7 @@ index 29bf970..6051b9a 100644
>>    if (fd < 0) {
>>       if (errno == ENOENT) /* This is just a timing problem. */
>>    continue;
>> -@@ -1004,7 +1004,7 @@ relock(pid)
>> +@@ -933,7 +933,7 @@
>>
>>       if (lock_file[0] == 0)
>>    return -1;
>> @@ -237,6 +206,3 @@ index 29bf970..6051b9a 100644
>>       if (fd < 0) {
>>    error("Couldn't reopen lock file %s: %m", lock_file);
>>    lock_file[0] = 0;
>> ---
>> -1.8.3.1
>> -
>> diff --git a/src/patches/ppp/ppp-2.5.0-3-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch b/src/patches/ppp/ppp-2.5.0-3-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch
>> new file mode 100644
>> index 000000000..cfd72e468
>> --- /dev/null
>> +++ b/src/patches/ppp/ppp-2.5.0-3-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch
>> @@ -0,0 +1,135 @@
>> +diff -Naur pppd.orig/plugins/pppoatm/pppoatm.c pppd/plugins/pppoatm/pppoatm.c
>> +--- pppd.orig/plugins/pppoatm/pppoatm.c 2023-03-25 05:38:30.000000000 +0100
>> ++++ pppd/plugins/pppoatm/pppoatm.c 2023-06-30 13:21:33.397378347 +0200
>> +@@ -146,7 +146,7 @@
>> +
>> + if (!device_got_set)
>> + no_device_given_pppoatm();
>> +- fd = socket(AF_ATMPVC, SOCK_DGRAM, 0);
>> ++ fd = socket(AF_ATMPVC, SOCK_DGRAM | SOCK_CLOEXEC, 0);
>> + if (fd < 0)
>> + fatal("failed to create socket: %m");
>> + memset(&qos, 0, sizeof qos);
>> +diff -Naur pppd.orig/plugins/pppoe/if.c pppd/plugins/pppoe/if.c
>> +--- pppd.orig/plugins/pppoe/if.c 2022-12-30 02:12:39.000000000 +0100
>> ++++ pppd/plugins/pppoe/if.c 2023-06-30 13:24:11.372183452 +0200
>> +@@ -116,7 +116,7 @@
>> +     stype = SOCK_PACKET;
>> + #endif
>> +
>> +-    if ((fd = socket(domain, stype, htons(type))) < 0) {
>> ++    if ((fd = socket(domain, stype | SOCK_CLOEXEC, htons(type))) < 0) {
>> + /* Give a more helpful message for the common error case */
>> + if (errno == EPERM) {
>> +    fatal("Cannot create raw socket -- pppoe must be run as root.");
>> +diff -Naur pppd.orig/plugins/pppoe/plugin.c pppd/plugins/pppoe/plugin.c
>> +--- pppd.orig/plugins/pppoe/plugin.c 2023-03-25 05:38:30.000000000 +0100
>> ++++ pppd/plugins/pppoe/plugin.c 2023-06-30 13:25:58.798782323 +0200
>> +@@ -155,7 +155,7 @@
>> +     /* server equipment).                                                  */
>> +     /* Opening this socket just before waitForPADS in the discovery()      */
>> +     /* function would be more appropriate, but it would mess-up the code   */
>> +-    conn->sessionSocket = socket(AF_PPPOX, SOCK_STREAM, PX_PROTO_OE);
>> ++    conn->sessionSocket = socket(AF_PPPOX, SOCK_STREAM | SOCK_CLOEXEC, PX_PROTO_OE);
>> +     if (conn->sessionSocket < 0) {
>> + error("Failed to create PPPoE socket: %m");
>> + return -1;
>> +@@ -166,7 +166,7 @@
>> +     lcp_wantoptions[0].mru = conn->mru = conn->storedmru;
>> +
>> +     /* Update maximum MRU */
>> +-    s = socket(AF_INET, SOCK_DGRAM, 0);
>> ++    s = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
>> +     if (s < 0) {
>> + error("Can't get MTU for %s: %m", conn->ifName);
>> + goto errout;
>> +@@ -364,7 +364,7 @@
>> +     }
>> +
>> +     /* Open a socket */
>> +-    if ((fd = socket(PF_PACKET, SOCK_RAW, 0)) < 0) {
>> ++    if ((fd = socket(PF_PACKET, SOCK_RAW | SOCK_CLOEXEC, 0)) < 0) {
>> + r = 0;
>> +     }
>> +
>> +diff -Naur pppd.orig/plugins/pppol2tp/openl2tp.c pppd/plugins/pppol2tp/openl2tp.c
>> +--- pppd.orig/plugins/pppol2tp/openl2tp.c 2023-03-10 02:50:41.000000000 +0100
>> ++++ pppd/plugins/pppol2tp/openl2tp.c 2023-06-30 13:22:30.055768865 +0200
>> +@@ -93,7 +93,7 @@
>> + int result;
>> +
>> + if (openl2tp_fd < 0) {
>> +- openl2tp_fd = socket(PF_UNIX, SOCK_DGRAM, 0);
>> ++ openl2tp_fd = socket(PF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0);
>> + if (openl2tp_fd < 0) {
>> + error("openl2tp connection create: %m");
>> + return -ENOTCONN;
>> +diff -Naur pppd.orig/plugins/pppol2tp/pppol2tp.c pppd/plugins/pppol2tp/pppol2tp.c
>> +--- pppd.orig/plugins/pppol2tp/pppol2tp.c 2022-12-30 02:12:39.000000000 +0100
>> ++++ pppd/plugins/pppol2tp/pppol2tp.c 2023-06-30 13:23:13.493756755 +0200
>> +@@ -220,7 +220,7 @@
>> + struct ifreq ifr;
>> + int fd;
>> +
>> +- fd = socket(AF_INET, SOCK_DGRAM, 0);
>> ++ fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
>> + if (fd >= 0) {
>> + memset (&ifr, '\0', sizeof (ifr));
>> + ppp_get_ifname(ifr.ifr_name, sizeof(ifr.ifr_name));
>> +diff -Naur pppd.orig/sys-linux.c pppd/sys-linux.c
>> +--- pppd.orig/sys-linux.c 2023-06-30 13:11:25.715511251 +0200
>> ++++ pppd/sys-linux.c 2023-06-30 13:32:50.021272249 +0200
>> +@@ -499,12 +499,12 @@
>> + void sys_init(void)
>> + {
>> +     /* Get an internet socket for doing socket ioctls. */
>> +-    sock_fd = socket(AF_INET, SOCK_DGRAM, 0);
>> ++    sock_fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
>> +     if (sock_fd < 0)
>> + fatal("Couldn't create IP socket: %m(%d)", errno);
>> +
>> + #ifdef PPP_WITH_IPV6CP
>> +-    sock6_fd = socket(AF_INET6, SOCK_DGRAM, 0);
>> ++    sock6_fd = socket(AF_INET6, SOCK_DGRAM | SOCK_CLOEXEC, 0);
>> +     if (sock6_fd < 0)
>> + sock6_fd = -errno; /* save errno for later */
>> + #endif
>> +@@ -2675,7 +2675,7 @@
>> + struct ifreq ifreq;
>> + int ret, sock_fd;
>> +
>> +- sock_fd = socket(AF_INET, SOCK_DGRAM, 0);
>> ++ sock_fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
>> + if (sock_fd < 0)
>> + return -1;
>> + memset(&ifreq.ifr_hwaddr, 0, sizeof(struct sockaddr));
>> +@@ -2698,7 +2698,7 @@
>> + struct ifreq ifreq;
>> + int ret, sock_fd;
>> +
>> +- sock_fd = socket(AF_INET, SOCK_DGRAM, 0);
>> ++ sock_fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
>> + if (sock_fd < 0)
>> + return -1;
>> +
>> +@@ -2915,7 +2915,7 @@
>> + /*
>> +  * Open a socket for doing the ioctl operations.
>> +  */
>> +-    s = socket(AF_INET, SOCK_DGRAM, 0);
>> ++    s = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
>> +     if (s < 0)
>> + return 0;
>> +
>> +diff -Naur pppd.orig/tty.c pppd/tty.c
>> +--- pppd.orig/tty.c 2023-06-30 13:14:06.450418113 +0200
>> ++++ pppd/tty.c 2023-06-30 13:33:31.285858278 +0200
>> +@@ -942,7 +942,7 @@
>> +     *sep = ':';
>> +
>> +     /* get a socket and connect it to the other end */
>> +-    sock = socket(PF_INET, SOCK_STREAM, 0);
>> ++    sock = socket(PF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0);
>> +     if (sock < 0) {
>> + error("Can't create socket: %m");
>> + return -1;
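
Review bot: The refreshed patch has no section for pppd/plugins/pppoe/pppoe-discovery.c, although the 0014 patch it replaces also changed the `socket(domain, stype, htons(type))` call in that file's openInterface(). Please confirm whether 2.5.0 still has that call and, if so, add `| SOCK_CLOEXEC` there as well, or state in the commit message why the section was dropped.
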
>> diff --git a/src/patches/ppp/ppp-2.5.0-4-increase-max-padi-attempts.patch b/src/patches/ppp/ppp-2.5.0-4-increase-max-padi-attempts.patch
>> new file mode 100644
>> index 000000000..002b6066d
>> --- /dev/null
>> +++ b/src/patches/ppp/ppp-2.5.0-4-increase-max-padi-attempts.patch
>> @@ -0,0 +1,12 @@
>> +diff -Naur pppd.orig/plugins/pppoe/pppoe.h pppd/plugins/pppoe/pppoe.h
>> +--- pppd.orig/plugins/pppoe/pppoe.h 2022-12-30 02:12:39.000000000 +0100
>> ++++ pppd/plugins/pppoe/pppoe.h 2023-06-30 13:37:07.189078090 +0200
>> +@@ -143,7 +143,7 @@
>> + #define STATE_TERMINATED    4
>> +
>> + /* How many PADI/PADS attempts? */
>> +-#define MAX_PADI_ATTEMPTS 3
>> ++#define MAX_PADI_ATTEMPTS 4
>> +
>> + /* Initial timeout for PADO/PADS */
>> + #define PADI_TIMEOUT 5
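
Review bot: Missing documentation: the `MAX_PADI_ATTEMPTS` change from 3 to 4 carries no description, in the patch file or in the commit message, of why one more discovery attempt is wanted. Add a one-line header to the patch stating the reason, so that the next version bump can decide whether it is still needed.
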
>> diff --git a/src/patches/ppp/ppp-2.5.0-5-headers_4.9.patch b/src/patches/ppp/ppp-2.5.0-5-headers_4.9.patch
>> new file mode 100644
>> index 000000000..dc6c22852
>> --- /dev/null
>> +++ b/src/patches/ppp/ppp-2.5.0-5-headers_4.9.patch
>> @@ -0,0 +1,12 @@
>> +diff -Naur pppd.orig/plugins/pppoe/plugin.c pppd/plugins/pppoe/plugin.c
>> +--- pppd.orig/plugins/pppoe/plugin.c 2023-06-30 13:25:58.798782323 +0200
>> ++++ pppd/plugins/pppoe/plugin.c 2023-06-30 13:50:23.150026201 +0200
>> +@@ -46,6 +46,8 @@
>> + #include <signal.h>
>> + #include <net/if_arp.h>
>> + #include <linux/ppp_defs.h>
>> ++#define _LINUX_IN_H
>> ++#define _LINUX_IN6_H
>> + #include <linux/if_pppox.h>
>> +
>> + #include <pppd/pppd.h>
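
Review bot: The two added lines, `#define _LINUX_IN_H` and `#define _LINUX_IN6_H`, pre-define what look like the include guards of the kernel's in.h and in6.h so that <linux/if_pppox.h> skips them, and nothing in the patch says which build error this works around. Since the file name refers to 4.9 headers, please check whether plugin.c in 2.5.0 still fails to build without it and drop the patch if it does not; if it stays, add a comment above the defines naming the conflict.
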
>> diff --git a/src/patches/ppp/ppp-2.5.0-6-patch-configure-to-handle-cflags-properly.patch b/src/patches/ppp/ppp-2.5.0-6-patch-configure-to-handle-cflags-properly.patch
>> new file mode 100644
>> index 000000000..0e9eab6ed
>> --- /dev/null
>> +++ b/src/patches/ppp/ppp-2.5.0-6-patch-configure-to-handle-cflags-properly.patch
>> @@ -0,0 +1,18 @@
>> +diff -Naur ppp-2.5.0.orig/configure ppp-2.5.0/configure
>> +--- ppp-2.5.0.orig/configure 2023-03-25 05:38:36.000000000 +0100
>> ++++ ppp-2.5.0/configure 2023-06-30 14:05:14.773950477 +0200
>> +@@ -17774,10 +17774,10 @@
>> +         rm -f $2
>> +         if [ -f $1 ]; then
>> +             echo "  $2 <= $1"
>> +-            sed -e "s,@DESTDIR@,$prefix,g" \
>> +-                -e "s,@SYSCONF@,$sysconfdir,g" \
>> +-                -e "s,@CC@,$CC,g" \
>> +-                -e "s|@CFLAGS@|$CFLAGS|g" $1 > $2
>> ++            sed -e "s#@DESTDIR@#$prefix#g" \
>> ++                -e "s#@SYSCONF@#$sysconfdir#g" \
>> ++                -e "s#@CC@#$CC#g" \
>> ++                -e "s#@CFLAGS@#$CFLAGS#g" $1 > $2
>> +         fi
>> +     }
>> +
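
Review bot: In the removed lines the `@CFLAGS@` substitution already uses `|` as the sed delimiter (`-e "s|@CFLAGS@|$CFLAGS|g"`), so a comma in CFLAGS should no longer break this command in 2.5.0. What the patch still changes is the delimiter for `$prefix`, `$sysconfdir` and `$CC`; unless one of those can contain a comma in this build, the patch looks droppable. It also edits line 17774 of configure, which under the Autoconf build described in the changelog is a generated file, so the patch has to be refreshed on every upstream release.
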
>> -- 
>> 2.41.0
>>
>
  
Michael Tremer July 3, 2023, 5:18 p.m. UTC | #3
Hello,

> On 3 Jul 2023, at 16:37, Adolf Belka <adolf.belka@ipfire.org> wrote:
> 
> Hi Michael,
> 
> On 03/07/2023 16:11, Michael Tremer wrote:
>> Hello Adolf,
>> This might be a tricky version update...
> I will work on it till everyone is happy to move forward with it.
>>> On 2 Jul 2023, at 10:54, Adolf Belka <adolf.belka@ipfire.org> wrote:
>>> 
>>> - Update from version 2.4.9 to 2.5.0
>>>   This includes breaking changes for third-party plugins but as far as I can see IPFire
>>>    is not using any third party plugins
>> No, we should no longer build the Roaring Penguin PPPoE plugin from their source, but use the included one.
> In the ppp-2.4.9 there was a pppoe.so and rp-pppoe.so library. In the ppp-2.5.0 there is only the pppoe.so library so it looks like the roaring penguin plugin is removed by default now.

This is from the change log:

* The rp-pppoe plugin has been renamed to pppoe, to distinguish it
  from the upstream rp-pppoe code.  Its options have changed names,
  but the old names are kept as aliases.

Weirdly it is for ppp 2.4.9 which we should be on right now and we still have the plugin (https://github.com/ppp-project/ppp/blob/master/Changes-2.4).

> In the RED initscript there is a section which specifies the rp-pppoe.so lib as the plugin to use
> 
> 364 ## Plugin Options
> 365 #
> 366 if [ "$TYPE" == "pppoe" ]; then
> 367         [ "${METHOD}" == "PPPOE_PLUGIN" ] && \
> 368                 PLUGOPTS="plugin rp-pppoe.so"
> 369 fi
> 
> Does line 368 need to be changed to PLUGOPTS="plugin pppoe.so" or what?

According to the change log, yes.

> rp-pppoe is not referenced anywhere else in IPFire that I have been able to find.

It has been removed in 2010: https://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=df3943b0297da787571c9f1eb9079a8dcca0e64a

> 
>>> - Update of rootfile
>>> - Update of patches and sed commands
>>>   - pcap-int.h and if_pppol2tp.h files have not been in source file since at least 2014
>>>   - Some of the patches required updates as additional lines needing to be patched are
>>>      now present. This was related to the O_CLOEXEC & SOCK_CLOEXEC related patches
>> Yes, these can go. We should be able to rely on upstream to build this for modern OSes.
> So I should remove the two patch files that are related to CLOEXEC but still keep the others - correct?

If they still apply then keep them. If not, then not.

Some of the patches should have been merged upstream.

>>>   - connect-errors file location is now defined by a configure command --with-logfile-dir
>>> - install-etcppp is no longer provided. However the install command in this version still
>>>   has the same files available in /etc/ppp as previously. There is a new file,
>>>   openssl.cnf, which I have commented out. If it is required in future it can always be
>>>   uncommented in future releases.
>>> - Build went without any problems with the updated patches.
>>> - I cannot test this as I don't use ppp, however the original bug reporter has agreed to
>>>   test this out when it is released into Testing unless anyone else is capable of testing
>>>   it.
>> So, we didn’t have any issues with this in the past, but however, if we break this, then people won’t have an Internet connection any more to download any fixes. So let’s please make sure that we give this all extra attention and this won’t happen.
>> Sadly, I don’t have a PPP connection either.
>> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
>>> - Changelog
>>>    What's new in ppp-2.5.0.
>>> The 2.5.0 release is a major release of pppd which contains breaking
>>> changes for third-party plugins, a complete revamp of the build-system
>>> and that allows for flexibility of configuring features as needed.
>>> In Summary:
>>> * Support for PEAP authentication by Eivind Næss and Rustam Kovhaev
>>> * Support for loading PKCS12 certificate envelopes
>>> * Adoption of GNU Autoconf / Automake build environment, by Eivind Næss
>>>  and others.
>>> * Support for pkgconfig tool has been added by Eivind Næss.
>>> * Bunch of fixes and cleanup to PPPoE and IPv6 support by Pali Rohár.
>>> * Major revision to PPPD's Plugin API by Eivind Næss.
>>>  - Defines in which describes what features was included in pppd
>>>  - Functions now prefixed with explicit ppp_* to indicate that
>>>    pppd functions being called.
>>>  - Header files were renamed to better align with their features,
>>>    and now use proper include guards
>>>  - A pppdconf.h file is supplied to allow third-party modules to use
>>>    the same feature defines pppd was compiled with.
>>>  - No extern declarations of internal variable names of pppd,
>>>    continued use of these extern variables are considered
>>>    unstable.
>>> * Lots of internal fixes and cleanups for Radius and PPPoE by Jaco Kroon
>>> * Dropped IPX support, as Linux has dropped support in version 5.15
>>>  for this protocol.
>>> * Many more fixes and cleanups.
>>> * Pppd is no longer installed setuid-root.
>> CAP_NET_ADMIN should be sufficient. We will however still run pppd as root only.
> Is CAP_NET_ADMIN used by default with pppd or do I need to change something for this?

No, that is something the daemon should do itself.

Basically it drops all privileges apart from those for networking.

>>> * New pppd options:
>>>  - ipv6cp-noremote, ipv6cp-nosend, ipv6cp-use-remotenumber,
>>>    ipv6-up-script, ipv6-down-script
>>>  - -v, show-options
>>>  - usepeerwins, ipcp-no-address, ipcp-no-addresses, nosendip
>>> * On Linux, any baud rate can be set on a serial port provided the
>>>  kernel serial driver supports that.
>>> Note that if you have built and installed previous versions of this
>>> package and you want to continue having configuration and TDB files in
>>> /etc/ppp, you will need to use the --sysconfdir option to ./configure.
>>> For a list of the changes made during the 2.4 series releases of this
>>> package, see the Changes-2.4 file.
>>> Compression methods.
>>> This package supports two packet compression methods: Deflate and
>>> BSD-Compress.  Other compression methods which are in common use
>>> include Predictor, LZS, and MPPC.  These methods are not supported for
>>> two reasons - they are patent-encumbered, and they cause some packets
>>> to expand slightly, which pppd doesn't currently allow for.
>>> BSD-Compress and Deflate (which uses the same algorithm as gzip) don't
>>> ever expand packets.
>> -Michael
>>> Fixes: bug#13164
>>> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
>>> ---
>>> config/rootfiles/common/ppp                   |  58 +++---
>>> lfs/ppp                                       |  28 +--
>>> ...se-SOCK_CLOEXEC-when-creating-socket.patch | 165 ------------------
>>> ...ppp-2.4.6-increase-max-padi-attempts.patch |  13 --
>>> src/patches/ppp/ppp-2.4.7-headers_4.9.patch   |  12 --
>>> ...-configure-to-handle-cflags-properly.patch |  15 --
>>> ...don-t-want-to-accidentally-leak-fds.patch} | 115 +++++++-----
>>> ...2.5.0-2-everywhere-O_CLOEXEC-harder.patch} | 136 ++++++---------
>>> ...se-SOCK_CLOEXEC-when-creating-socket.patch | 135 ++++++++++++++
>>> ...p-2.5.0-4-increase-max-padi-attempts.patch |  12 ++
>>> src/patches/ppp/ppp-2.5.0-5-headers_4.9.patch |  12 ++
>>> ...-configure-to-handle-cflags-properly.patch |  18 ++
>>> 12 files changed, 344 insertions(+), 375 deletions(-)
>>> delete mode 100644 src/patches/ppp/0014-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch
>>> delete mode 100644 src/patches/ppp/ppp-2.4.6-increase-max-padi-attempts.patch
>>> delete mode 100644 src/patches/ppp/ppp-2.4.7-headers_4.9.patch
>>> delete mode 100644 src/patches/ppp/ppp-2.4.9-patch-configure-to-handle-cflags-properly.patch
>>> rename src/patches/ppp/{0012-pppd-we-don-t-want-to-accidentally-leak-fds.patch => ppp-2.5.0-1-we-don-t-want-to-accidentally-leak-fds.patch} (54%)
>>> rename src/patches/ppp/{0013-everywhere-O_CLOEXEC-harder.patch => ppp-2.5.0-2-everywhere-O_CLOEXEC-harder.patch} (63%)
>>> create mode 100644 src/patches/ppp/ppp-2.5.0-3-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch
>>> create mode 100644 src/patches/ppp/ppp-2.5.0-4-increase-max-padi-attempts.patch
>>> create mode 100644 src/patches/ppp/ppp-2.5.0-5-headers_4.9.patch
>>> create mode 100644 src/patches/ppp/ppp-2.5.0-6-patch-configure-to-handle-cflags-properly.patch
>>> 
>>> diff --git a/config/rootfiles/common/ppp b/config/rootfiles/common/ppp
>>> index d61fdf811..6098fa7c3 100644
>>> --- a/config/rootfiles/common/ppp
>>> +++ b/config/rootfiles/common/ppp
>>> @@ -7,49 +7,57 @@ etc/ppp/dialer
>>> etc/ppp/ioptions
>>> etc/ppp/ip-down
>>> etc/ppp/ip-up
>>> +#etc/ppp/openssl.cnf
>>> etc/ppp/options
>>> etc/ppp/pap-secrets
>>> etc/ppp/standardloginscript
>>> #usr/include/pppd
>>> +#usr/include/pppd/cbcp.h
>>> #usr/include/pppd/ccp.h
>>> -#usr/include/pppd/chap-new.h
>>> +#usr/include/pppd/chap.h
>>> #usr/include/pppd/chap_ms.h
>>> -#usr/include/pppd/eap-tls.h
>>> +#usr/include/pppd/crypto.h
>>> +#usr/include/pppd/crypto_ms.h
>>> #usr/include/pppd/eap.h
>>> #usr/include/pppd/ecp.h
>>> #usr/include/pppd/eui64.h
>>> #usr/include/pppd/fsm.h
>>> #usr/include/pppd/ipcp.h
>>> #usr/include/pppd/ipv6cp.h
>>> -#usr/include/pppd/ipxcp.h
>>> #usr/include/pppd/lcp.h
>>> #usr/include/pppd/magic.h
>>> -#usr/include/pppd/md4.h
>>> -#usr/include/pppd/md5.h
>>> #usr/include/pppd/mppe.h
>>> -#usr/include/pppd/patchlevel.h
>>> -#usr/include/pppd/pathnames.h
>>> -#usr/include/pppd/pppcrypt.h
>>> +#usr/include/pppd/multilink.h
>>> +#usr/include/pppd/options.h
>>> #usr/include/pppd/pppd.h
>>> +#usr/include/pppd/pppdconf.h
>>> #usr/include/pppd/session.h
>>> -#usr/include/pppd/sha1.h
>>> -#usr/include/pppd/spinlock.h
>>> -#usr/include/pppd/tdb.h
>>> #usr/include/pppd/upap.h
>>> +#usr/lib/pkgconfig/pppd.pc
>>> usr/lib/pppd
>>> -usr/lib/pppd/2.4.9
>>> -usr/lib/pppd/2.4.9/minconn.so
>>> -usr/lib/pppd/2.4.9/openl2tp.so
>>> -usr/lib/pppd/2.4.9/passprompt.so
>>> -usr/lib/pppd/2.4.9/passwordfd.so
>>> -usr/lib/pppd/2.4.9/pppoatm.so
>>> -usr/lib/pppd/2.4.9/pppoe.so
>>> -usr/lib/pppd/2.4.9/pppol2tp.so
>>> -usr/lib/pppd/2.4.9/radattr.so
>>> -usr/lib/pppd/2.4.9/radius.so
>>> -usr/lib/pppd/2.4.9/radrealms.so
>>> -usr/lib/pppd/2.4.9/rp-pppoe.so
>>> -usr/lib/pppd/2.4.9/winbind.so
>>> +usr/lib/pppd/2.5.0
>>> +#usr/lib/pppd/2.5.0/minconn.la
>>> +usr/lib/pppd/2.5.0/minconn.so
>>> +#usr/lib/pppd/2.5.0/openl2tp.la
>>> +usr/lib/pppd/2.5.0/openl2tp.so
>>> +#usr/lib/pppd/2.5.0/passprompt.la
>>> +usr/lib/pppd/2.5.0/passprompt.so
>>> +#usr/lib/pppd/2.5.0/passwordfd.la
>>> +usr/lib/pppd/2.5.0/passwordfd.so
>>> +#usr/lib/pppd/2.5.0/pppoatm.la
>>> +usr/lib/pppd/2.5.0/pppoatm.so
>>> +#usr/lib/pppd/2.5.0/pppoe.la
>>> +usr/lib/pppd/2.5.0/pppoe.so
>>> +#usr/lib/pppd/2.5.0/pppol2tp.la
>>> +usr/lib/pppd/2.5.0/pppol2tp.so
>>> +#usr/lib/pppd/2.5.0/radattr.la
>>> +usr/lib/pppd/2.5.0/radattr.so
>>> +#usr/lib/pppd/2.5.0/radius.la
>>> +usr/lib/pppd/2.5.0/radius.so
>>> +#usr/lib/pppd/2.5.0/radrealms.la
>>> +usr/lib/pppd/2.5.0/radrealms.so
>>> +#usr/lib/pppd/2.5.0/winbind.la
>>> +usr/lib/pppd/2.5.0/winbind.so
>>> usr/sbin/chat
>>> usr/sbin/pppd
>>> usr/sbin/pppdump
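
Review bot: `usr/lib/pppd/2.4.9/rp-pppoe.so` is removed in this hunk and no `usr/lib/pppd/2.5.0/rp-pppoe.so` is added, so anything that still loads the plugin under the old name will no longer find it after the update. The RED initscript quoted earlier in this thread sets `PLUGOPTS="plugin rp-pppoe.so"`; the switch to `pppoe.so` there should ship in the same patch as this rootfile change.
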
>>> @@ -60,5 +68,7 @@ usr/sbin/pppstats
>>> #usr/share/man/man8/pppd-radius.8
>>> #usr/share/man/man8/pppd.8
>>> #usr/share/man/man8/pppdump.8
>>> +#usr/share/man/man8/pppoe-discovery.8
>>> #usr/share/man/man8/pppstats.8
>>> var/log/connect-errors
>>> +
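
Review bot: Style: the last added line of this hunk is an empty line after `var/log/connect-errors`, which leaves a blank entry at the end of the rootfile. Please drop it.
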
>>> diff --git a/lfs/ppp b/lfs/ppp
>>> index fb46d8aac..fc4528ece 100644
>>> --- a/lfs/ppp
>>> +++ b/lfs/ppp
>>> @@ -1,7 +1,7 @@
>>> ###############################################################################
>>> #                                                                             #
>>> # IPFire.org - A linux based firewall                                         #
>>> -# Copyright (C) 2007-2021  IPFire Team  <info@ipfire.org>                     #
>>> +# Copyright (C) 2007-2023  IPFire Team  <info@ipfire.org>                     #
>>> #                                                                             #
>>> # This program is free software: you can redistribute it and/or modify        #
>>> # it under the terms of the GNU General Public License as published by        #
>>> @@ -24,7 +24,7 @@
>>> 
>>> include Config
>>> 
>>> -VER        = 2.4.9
>>> +VER        = 2.5.0
>>> 
>>> THISAPP    = ppp-$(VER)
>>> DL_FILE    = $(THISAPP).tar.gz
>>> @@ -42,7 +42,7 @@ objects = $(DL_FILE)
>>> 
>>> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>>> 
>>> -$(DL_FILE)_BLAKE2 = 2cc885c32b7d33dc48766097f1f4c9cd0754924a8c0630ccaa58b2989e6b43a197ca0d41f5f16956c395278a12023d490e085f5635e23b53c5603ba61cfc40d5
>>> +$(DL_FILE)_BLAKE2 = 6a0e9efcbff3cb499705071cc7d0e3411cf4871fd53b2bfedbb1f2cf3ad80728eb436050cf33b78e36d473be64f15907a21da17f283337455f0af379bc18272d
>>> 
>>> install : $(TARGET)
>>> 
>>> @@ -72,18 +72,20 @@ $(subst %,%_BLAKE2,$(objects)) :
>>> $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>>> @$(PREBUILD)
>>> @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
>>> - cd $(DIR_APP) && rm -f include/pcap-int.h include/linux/if_pppol2tp.h
>>> - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/0012-pppd-we-don-t-want-to-accidentally-leak-fds.patch
>>> - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/0013-everywhere-O_CLOEXEC-harder.patch
>>> - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/0014-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch
>>> - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/ppp-2.4.6-increase-max-padi-attempts.patch
>>> - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/ppp-2.4.7-headers_4.9.patch
>>> - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/ppp-2.4.9-patch-configure-to-handle-cflags-properly.patch
>>> - cd $(DIR_APP) && sed -i -e "s+/etc/ppp/connect-errors+/var/log/connect-errors+" pppd/pathnames.h
>>> - cd $(DIR_APP) && ./configure --prefix=/usr --cc="gcc" --cflags="$(CFLAGS)" --disable-nls
>>> + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/ppp/ppp-2.5.0-1-we-don-t-want-to-accidentally-leak-fds.patch
>>> + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/ppp/ppp-2.5.0-2-everywhere-O_CLOEXEC-harder.patch
>>> + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/ppp/ppp-2.5.0-3-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch
>>> + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/ppp/ppp-2.5.0-4-increase-max-padi-attempts.patch
>>> + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/ppp/ppp-2.5.0-5-headers_4.9.patch
>>> + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/ppp-2.5.0-6-patch-configure-to-handle-cflags-properly.patch
>>> + cd $(DIR_APP) && ./configure \
>>> + --prefix=/usr \
>>> + --sysconfdir=/etc \
>>> + --with-logfile-dir=/var/log \
>>> + cc="gcc" \
>>> + cflags="$(CFLAGS)"
>>> cd $(DIR_APP) && make $(MAKETUNING)
>>> cd $(DIR_APP) && make install
>>> - cd $(DIR_APP) && make install-etcppp
>>> touch /var/log/connect-errors
>>> -mkdir -p /etc/ppp
>>> for i in $(DIR_SRC)/src/ppp/* ; do \
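
Review bot: In the new ./configure call the compiler and flags are passed as lowercase `cc="gcc"` and `cflags="$(CFLAGS)"`, which is the old `--cc=`/`--cflags=` pair with the dashes removed. An Autoconf-generated configure reads these from `CC=` and `CFLAGS=`; the lowercase names are treated as unrelated variable assignments, so configure would not pick up the intended compiler or flags. Please switch to `CC="gcc" CFLAGS="$(CFLAGS)"` and check the build log for the expected flags. Separately, five patches are applied with `-Np0` and the last with `-Np1`; regenerating them against a common strip level would make the list easier to maintain.
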
>>> diff --git a/src/patches/ppp/0014-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch b/src/patches/ppp/0014-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch
>>> deleted file mode 100644
>>> index fffda981d..000000000
>>> --- a/src/patches/ppp/0014-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch
>>> +++ /dev/null
>>> @@ -1,165 +0,0 @@
>>> -From 2a97ab28ee00586e5f06b3ef3a0e43ea0c7c6499 Mon Sep 17 00:00:00 2001
>>> -From: Michal Sekletar <msekleta@redhat.com>
>>> -Date: Mon, 7 Apr 2014 14:21:41 +0200
>>> -Subject: [PATCH 14/25] everywhere: use SOCK_CLOEXEC when creating socket
>>> -
>>> ----
>>> - pppd/plugins/pppoatm/pppoatm.c          |  2 +-
>>> - pppd/plugins/pppol2tp/openl2tp.c        |  2 +-
>>> - pppd/plugins/pppol2tp/pppol2tp.c        |  2 +-
>>> - pppd/plugins/pppoe/if.c                 |  2 +-
>>> - pppd/plugins/pppoe/plugin.c             |  6 +++---
>>> - pppd/plugins/pppoe/pppoe-discovery.c    |  2 +-
>>> - pppd/sys-linux.c                        | 10 +++++-----
>>> - pppd/tty.c                              |  2 +-
>>> - 8 files changed, 14 insertions(+), 14 deletions(-)
>>> -
>>> -diff --git a/pppd/plugins/pppoatm/pppoatm.c b/pppd/plugins/pppoatm/pppoatm.c
>>> -index d693350..c31bb34 100644
>>> ---- a/pppd/plugins/pppoatm/pppoatm.c
>>> -+++ b/pppd/plugins/pppoatm/pppoatm.c
>>> -@@ -135,7 +135,7 @@ static int connect_pppoatm(void)
>>> -
>>> - if (!device_got_set)
>>> - no_device_given_pppoatm();
>>> -- fd = socket(AF_ATMPVC, SOCK_DGRAM, 0);
>>> -+ fd = socket(AF_ATMPVC, SOCK_DGRAM | SOCK_CLOEXEC, 0);
>>> - if (fd < 0)
>>> - fatal("failed to create socket: %m");
>>> - memset(&qos, 0, sizeof qos);
>>> -diff --git a/pppd/plugins/pppol2tp/openl2tp.c b/pppd/plugins/pppol2tp/openl2tp.c
>>> -index 9643b96..1099575 100644
>>> ---- a/pppd/plugins/pppol2tp/openl2tp.c
>>> -+++ b/pppd/plugins/pppol2tp/openl2tp.c
>>> -@@ -83,7 +83,7 @@ static int openl2tp_client_create(void)
>>> - int result;
>>> -
>>> - if (openl2tp_fd < 0) {
>>> -- openl2tp_fd = socket(PF_UNIX, SOCK_DGRAM, 0);
>>> -+ openl2tp_fd = socket(PF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0);
>>> - if (openl2tp_fd < 0) {
>>> - error("openl2tp connection create: %m");
>>> - return -ENOTCONN;
>>> -diff --git a/pppd/plugins/pppol2tp/pppol2tp.c b/pppd/plugins/pppol2tp/pppol2tp.c
>>> -index a7e3400..e64a778 100644
>>> ---- a/pppd/plugins/pppol2tp/pppol2tp.c
>>> -+++ b/pppd/plugins/pppol2tp/pppol2tp.c
>>> -@@ -208,7 +208,7 @@ static void send_config_pppol2tp(int mtu,
>>> - struct ifreq ifr;
>>> - int fd;
>>> -
>>> -- fd = socket(AF_INET, SOCK_DGRAM, 0);
>>> -+ fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
>>> - if (fd >= 0) {
>>> - memset (&ifr, '\0', sizeof (ifr));
>>> - strlcpy(ifr.ifr_name, ifname, sizeof(ifr.ifr_name));
>>> -diff --git a/pppd/plugins/pppoe/if.c b/pppd/plugins/pppoe/if.c
>>> -index 91e9a57..72aba41 100644
>>> ---- a/pppd/plugins/pppoe/if.c
>>> -+++ b/pppd/plugins/pppoe/if.c
>>> -@@ -116,7 +116,7 @@ openInterface(char const *ifname, UINT16_t type, unsigned char *hwaddr)
>>> -     stype = SOCK_PACKET;
>>> - #endif
>>> -
>>> --    if ((fd = socket(domain, stype, htons(type))) < 0) {
>>> -+    if ((fd = socket(domain, stype | SOCK_CLOEXEC, htons(type))) < 0) {
>>> - /* Give a more helpful message for the common error case */
>>> - if (errno == EPERM) {
>>> -    fatal("Cannot create raw socket -- pppoe must be run as root.");
>>> -diff --git a/pppd/plugins/pppoe/plugin.c b/pppd/plugins/pppoe/plugin.c
>>> -index a8c2bb4..24bdf8f 100644
>>> ---- a/pppd/plugins/pppoe/plugin.c
>>> -+++ b/pppd/plugins/pppoe/plugin.c
>>> -@@ -137,7 +137,7 @@ PPPOEConnectDevice(void)
>>> -     /* server equipment).                                                  */
>>> -     /* Opening this socket just before waitForPADS in the discovery()      */
>>> -     /* function would be more appropriate, but it would mess-up the code   */
>>> --    conn->sessionSocket = socket(AF_PPPOX, SOCK_STREAM, PX_PROTO_OE);
>>> -+    conn->sessionSocket = socket(AF_PPPOX, SOCK_STREAM | SOCK_CLOEXEC, PX_PROTO_OE);
>>> -     if (conn->sessionSocket < 0) {
>>> - error("Failed to create PPPoE socket: %m");
>>> - return -1;
>>> -@@ -148,7 +148,7 @@ PPPOEConnectDevice(void)
>>> -     lcp_wantoptions[0].mru = conn->mru;
>>> -
>>> -     /* Update maximum MRU */
>>> --    s = socket(AF_INET, SOCK_DGRAM, 0);
>>> -+    s = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
>>> -     if (s < 0) {
>>> - error("Can't get MTU for %s: %m", conn->ifName);
>>> - goto errout;
>>> -@@ -320,7 +320,7 @@ PPPoEDevnameHook(char *cmd, char **argv, int doit)
>>> -     }
>>> -
>>> -     /* Open a socket */
>>> --    if ((fd = socket(PF_PACKET, SOCK_RAW, 0)) < 0) {
>>> -+    if ((fd = socket(PF_PACKET, SOCK_RAW | SOCK_CLOEXEC, 0)) < 0) {
>>> - r = 0;
>>> -     }
>>> -
>>> -diff --git a/pppd/plugins/pppoe/pppoe-discovery.c b/pppd/plugins/pppoe/pppoe-discovery.c
>>> -index 3d3bf4e..c0d927d 100644
>>> ---- a/pppd/plugins/pppoe/pppoe-discovery.c
>>> -+++ b/pppd/plugins/pppoe/pppoe-discovery.c
>>> -@@ -121,7 +121,7 @@ openInterface(char const *ifname, UINT16_t type, unsigned char *hwaddr)
>>> -     stype = SOCK_PACKET;
>>> - #endif
>>> -
>>> --    if ((fd = socket(domain, stype, htons(type))) < 0) {
>>> -+    if ((fd = socket(domain, stype | SOCK_CLOEXEC, htons(type))) < 0) {
>>> - /* Give a more helpful message for the common error case */
>>> - if (errno == EPERM) {
>>> -    rp_fatal("Cannot create raw socket -- pppoe must be run as root.");
>>> -diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c
>>> -index 00a2cf5..0690019 100644
>>> ---- a/pppd/sys-linux.c
>>> -+++ b/pppd/sys-linux.c
>>> -@@ -308,12 +308,12 @@ static int modify_flags(int fd, int clear_bits, int set_bits)
>>> - void sys_init(void)
>>> - {
>>> -     /* Get an internet socket for doing socket ioctls. */
>>> --    sock_fd = socket(AF_INET, SOCK_DGRAM, 0);
>>> -+    sock_fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
>>> -     if (sock_fd < 0)
>>> - fatal("Couldn't create IP socket: %m(%d)", errno);
>>> -
>>> - #ifdef INET6
>>> --    sock6_fd = socket(AF_INET6, SOCK_DGRAM, 0);
>>> -+    sock6_fd = socket(AF_INET6, SOCK_DGRAM | SOCK_CLOEXEC, 0);
>>> -     if (sock6_fd < 0)
>>> - sock6_fd = -errno; /* save errno for later */
>>> - #endif
>>> -@@ -1857,7 +1857,7 @@ get_if_hwaddr(u_char *addr, char *name)
>>> - struct ifreq ifreq;
>>> - int ret, sock_fd;
>>> -
>>> -- sock_fd = socket(AF_INET, SOCK_DGRAM, 0);
>>> -+ sock_fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
>>> - if (sock_fd < 0)
>>> - return 0;
>>> - memset(&ifreq.ifr_hwaddr, 0, sizeof(struct sockaddr));
>>> -@@ -2067,7 +2067,7 @@ int ppp_available(void)
>>> - /*
>>> -  * Open a socket for doing the ioctl operations.
>>> -  */
>>> --    s = socket(AF_INET, SOCK_DGRAM, 0);
>>> -+    s = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
>>> -     if (s < 0)
>>> - return 0;
>>> -
>>> -diff --git a/pppd/tty.c b/pppd/tty.c
>>> -index bc96695..8e76a5d 100644
>>> ---- a/pppd/tty.c
>>> -+++ b/pppd/tty.c
>>> -@@ -896,7 +896,7 @@ open_socket(dest)
>>> -     *sep = ':';
>>> -
>>> -     /* get a socket and connect it to the other end */
>>> --    sock = socket(PF_INET, SOCK_STREAM, 0);
>>> -+    sock = socket(PF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0);
>>> -     if (sock < 0) {
>>> - error("Can't create socket: %m");
>>> - return -1;
>>> ---
>>> -1.8.3.1
>>> -
>>> diff --git a/src/patches/ppp/ppp-2.4.6-increase-max-padi-attempts.patch b/src/patches/ppp/ppp-2.4.6-increase-max-padi-attempts.patch
>>> deleted file mode 100644
>>> index 1b36e8369..000000000
>>> --- a/src/patches/ppp/ppp-2.4.6-increase-max-padi-attempts.patch
>>> +++ /dev/null
>>> @@ -1,13 +0,0 @@
>>> -diff --git a/pppd/plugins/pppoe/pppoe.h b/pppd/plugins/pppoe/pppoe.h
>>> -index 9ab2eee..86762bd 100644
>>> ---- a/pppd/plugins/pppoe/pppoe.h
>>> -+++ b/pppd/plugins/pppoe/pppoe.h
>>> -@@ -148,7 +148,7 @@ extern UINT16_t Eth_PPPOE_Session;
>>> - #define STATE_TERMINATED    4
>>> -
>>> - /* How many PADI/PADS attempts? */
>>> --#define MAX_PADI_ATTEMPTS 3
>>> -+#define MAX_PADI_ATTEMPTS 4
>>> -
>>> - /* Initial timeout for PADO/PADS */
>>> - #define PADI_TIMEOUT 5
>>> diff --git a/src/patches/ppp/ppp-2.4.7-headers_4.9.patch b/src/patches/ppp/ppp-2.4.7-headers_4.9.patch
>>> deleted file mode 100644
>>> index 686db9204..000000000
>>> --- a/src/patches/ppp/ppp-2.4.7-headers_4.9.patch
>>> +++ /dev/null
>>> @@ -1,12 +0,0 @@
>>> -diff -Naur ppp-2.4.7.org/pppd/plugins/pppoe/plugin.c ppp-2.4.7/pppd/plugins/pppoe/plugin.c
>>> ---- ppp-2.4.7.org/pppd/plugins/pppoe/plugin.c 2014-08-09 14:31:39.000000000 +0200
>>> -+++ ppp-2.4.7/pppd/plugins/pppoe/plugin.c 2017-02-09 08:45:12.567493723 +0100
>>> -@@ -49,6 +49,8 @@
>>> - #include <net/ethernet.h>
>>> - #include <net/if_arp.h>
>>> - #include <linux/ppp_defs.h>
>>> -+#define _LINUX_IN_H
>>> -+#define _LINUX_IN6_H
>>> - #include <linux/if_pppox.h>
>>> -
>>> - #ifndef _ROOT_PATH
>>> diff --git a/src/patches/ppp/ppp-2.4.9-patch-configure-to-handle-cflags-properly.patch b/src/patches/ppp/ppp-2.4.9-patch-configure-to-handle-cflags-properly.patch
>>> deleted file mode 100644
>>> index b36ace192..000000000
>>> --- a/src/patches/ppp/ppp-2.4.9-patch-configure-to-handle-cflags-properly.patch
>>> +++ /dev/null
>>> @@ -1,15 +0,0 @@
>>> ---- ppp-2.4.9.orig/configure 2021-03-30 21:38:27.415735914 +0200
>>> -+++ ppp-2.4.9/configure 2021-04-01 19:10:48.632314447 +0200
>>> -@@ -121,9 +121,9 @@
>>> -     rm -f $2
>>> -     if [ -f $1 ]; then
>>> - echo "  $2 <= $1"
>>> -- sed -e "s,@DESTDIR@,$DESTDIR,g" -e "s,@SYSCONF@,$SYSCONF,g" \
>>> --    -e "s,@CROSS_COMPILE@,$CROSS_COMPILE,g" -e "s,@CC@,$CC,g" \
>>> --    -e "s,@CFLAGS@,$CFLAGS,g" $1 >$2
>>> -+ sed -e "s#@DESTDIR@#$DESTDIR#g" -e "s#@SYSCONF@#$SYSCONF#g" \
>>> -+    -e "s#@CROSS_COMPILE@#$CROSS_COMPILE#g" -e "s#@CC@#$CC#g" \
>>> -+    -e "s#@CFLAGS@#$CFLAGS#g" $1 >$2
>>> -     fi
>>> - }
>>> -
>>> diff --git a/src/patches/ppp/0012-pppd-we-don-t-want-to-accidentally-leak-fds.patch b/src/patches/ppp/ppp-2.5.0-1-we-don-t-want-to-accidentally-leak-fds.patch
>>> similarity index 54%
>>> rename from src/patches/ppp/0012-pppd-we-don-t-want-to-accidentally-leak-fds.patch
>>> rename to src/patches/ppp/ppp-2.5.0-1-we-don-t-want-to-accidentally-leak-fds.patch
>>> index 90bb2d161..98ab03119 100644
>>> --- a/src/patches/ppp/0012-pppd-we-don-t-want-to-accidentally-leak-fds.patch
>>> +++ b/src/patches/ppp/ppp-2.5.0-1-we-don-t-want-to-accidentally-leak-fds.patch
>>> @@ -1,20 +1,8 @@
>>> -From 82cd789df0f022eb6f3d28646e7a61d1d0715805 Mon Sep 17 00:00:00 2001
>>> -From: Michal Sekletar <msekleta@redhat.com>
>>> -Date: Mon, 7 Apr 2014 12:23:36 +0200
>>> -Subject: [PATCH 12/25] pppd: we don't want to accidentally leak fds
>>> -
>>> ----
>>> - pppd/auth.c      | 20 ++++++++++----------
>>> - pppd/options.c   |  2 +-
>>> - pppd/sys-linux.c |  4 ++--
>>> - 3 files changed, 13 insertions(+), 13 deletions(-)
>>> -
>>> -diff --git a/pppd/auth.c b/pppd/auth.c
>>> -index 4271af6..9e957fa 100644
>>> ---- a/pppd/auth.c
>>> -+++ b/pppd/auth.c
>>> -@@ -428,7 +428,7 @@ setupapfile(argv)
>>> - option_error("unable to reset uid before opening %s: %m", fname);
>>> +diff -Naur pppd.orig/auth.c pppd/auth.c
>>> +--- pppd.orig/auth.c 2023-03-25 05:38:30.000000000 +0100
>>> ++++ pppd/auth.c 2023-06-30 12:38:13.748482796 +0200
>>> +@@ -518,7 +518,7 @@
>>> +         free(fname);
>>>   return 0;
>>>      }
>>> -    ufile = fopen(fname, "r");
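
Review bot: the lines removed at the top of this hunk are the original patch header (From, Date, Subject and the diffstat), and the regenerated `diff -Naur` form puts nothing in their place, so the patch file no longer records who wrote it or what it is for. Suggest keeping a short header above the first `diff -Naur` line with the original author and subject plus a note that it was rebased for 2.5.0; patch skips leading text, so this does not affect how it applies. The O_CLOEXEC patch later in this mail loses its header in the same way.
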
>>> @@ -22,8 +10,8 @@ index 4271af6..9e957fa 100644
>>>      if (seteuid(euid) == -1)
>>>   fatal("unable to regain privileges: %m");
>>>      if (ufile == NULL) {
>>> -@@ -1413,7 +1413,7 @@ check_passwd(unit, auser, userlen, apasswd, passwdlen, msg)
>>> -     filename = _PATH_UPAPFILE;
>>> +@@ -1535,7 +1535,7 @@
>>> +     filename = PPP_PATH_UPAPFILE;
>>>      addrs = opts = NULL;
>>>      ret = UPAP_AUTHNAK;
>>> -    f = fopen(filename, "r");
>>> @@ -31,52 +19,52 @@ index 4271af6..9e957fa 100644
>>>      if (f == NULL) {
>>>   error("Can't open PAP password file %s: %m", filename);
>>> 
>>> -@@ -1512,7 +1512,7 @@ null_login(unit)
>>> +@@ -1635,7 +1635,7 @@
>>>      if (ret <= 0) {
>>> - filename = _PATH_UPAPFILE;
>>> + filename = PPP_PATH_UPAPFILE;
>>>   addrs = NULL;
>>> - f = fopen(filename, "r");
>>> + f = fopen(filename, "re");
>>>   if (f == NULL)
>>>      return 0;
>>>   check_access(f, filename);
>>> -@@ -1559,7 +1559,7 @@ get_pap_passwd(passwd)
>>> +@@ -1681,7 +1681,7 @@
>>>      }
>>> 
>>> -     filename = _PATH_UPAPFILE;
>>> +     filename = PPP_PATH_UPAPFILE;
>>> -    f = fopen(filename, "r");
>>> +    f = fopen(filename, "re");
>>>      if (f == NULL)
>>>   return 0;
>>>      check_access(f, filename);
>>> -@@ -1597,7 +1597,7 @@ have_pap_secret(lacks_ipp)
>>> +@@ -1718,7 +1718,7 @@
>>>      }
>>> 
>>> -     filename = _PATH_UPAPFILE;
>>> +     filename = PPP_PATH_UPAPFILE;
>>> -    f = fopen(filename, "r");
>>> +    f = fopen(filename, "re");
>>>      if (f == NULL)
>>>   return 0;
>>> 
>>> -@@ -1642,7 +1642,7 @@ have_chap_secret(client, server, need_ip, lacks_ipp)
>>> +@@ -1760,7 +1760,7 @@
>>>      }
>>> 
>>> -     filename = _PATH_CHAPFILE;
>>> +     filename = PPP_PATH_CHAPFILE;
>>> -    f = fopen(filename, "r");
>>> +    f = fopen(filename, "re");
>>>      if (f == NULL)
>>>   return 0;
>>> 
>>> -@@ -1684,7 +1684,7 @@ have_srp_secret(client, server, need_ip, lacks_ipp)
>>> +@@ -1798,7 +1798,7 @@
>>>      struct wordlist *addrs;
>>> 
>>> -     filename = _PATH_SRPFILE;
>>> +     filename = PPP_PATH_SRPFILE;
>>> -    f = fopen(filename, "r");
>>> +    f = fopen(filename, "re");
>>>      if (f == NULL)
>>>   return 0;
>>> 
>>> -@@ -1740,7 +1740,7 @@ get_secret(unit, client, server, secret, secret_len, am_server)
>>> +@@ -1849,7 +1849,7 @@
>>>   addrs = NULL;
>>>   secbuf[0] = 0;
>>> 
>>> @@ -85,8 +73,8 @@ index 4271af6..9e957fa 100644
>>>   if (f == NULL) {
>>>      error("Can't open chap secret file %s: %m", filename);
>>>      return 0;
>>> -@@ -1797,7 +1797,7 @@ get_srp_secret(unit, client, server, secret, am_server)
>>> - filename = _PATH_SRPFILE;
>>> +@@ -1902,7 +1902,7 @@
>>> + filename = PPP_PATH_SRPFILE;
>>>   addrs = NULL;
>>> 
>>> - fp = fopen(filename, "r");
>>> @@ -94,7 +82,7 @@ index 4271af6..9e957fa 100644
>>>   if (fp == NULL) {
>>>      error("Can't open srp secret file %s: %m", filename);
>>>      return 0;
>>> -@@ -2203,7 +2203,7 @@ scan_authfile(f, client, server, secret, addrs, opts, filename, flags)
>>> +@@ -2291,7 +2291,7 @@
>>>       */
>>>      if (word[0] == '@' && word[1] == '/') {
>>>   strlcpy(atfile, word+1, sizeof(atfile));
>>> @@ -103,12 +91,38 @@ index 4271af6..9e957fa 100644
>>>      warn("can't open indirect secret file %s", atfile);
>>>      continue;
>>>   }
>>> -diff --git a/pppd/options.c b/pppd/options.c
>>> -index 45fa742..1d754ae 100644
>>> ---- a/pppd/options.c
>>> -+++ b/pppd/options.c
>>> -@@ -427,7 +427,7 @@ options_from_file(filename, must_exist, check_prot, priv)
>>> - option_error("unable to drop privileges to open %s: %m", filename);
>>> +@@ -2461,7 +2461,7 @@
>>> +     char pkfile[MAXWORDLEN];
>>> +
>>> +     filename = PPP_PATH_EAPTLSSERVFILE;
>>> +-    f = fopen(filename, "r");
>>> ++    f = fopen(filename, "re");
>>> +     if (f == NULL)
>>> + return 0;
>>> +
>>> +@@ -2518,7 +2518,7 @@
>>> + return 1;
>>> +
>>> +     filename = PPP_PATH_EAPTLSCLIFILE;
>>> +-    f = fopen(filename, "r");
>>> ++    f = fopen(filename, "re");
>>> +     if (f == NULL)
>>> + return 0;
>>> +
>>> +@@ -2738,7 +2738,7 @@
>>> + filename = (am_server ? PPP_PATH_EAPTLSSERVFILE : PPP_PATH_EAPTLSCLIFILE);
>>> + addrs = NULL;
>>> +
>>> +- fp = fopen(filename, "r");
>>> ++ fp = fopen(filename, "re");
>>> + if (fp == NULL)
>>> + {
>>> + error("Can't open eap-tls secret file %s: %m", filename);
>>> +diff -Naur pppd.orig/options.c pppd/options.c
>>> +--- pppd.orig/options.c 2023-03-25 05:38:30.000000000 +0100
>>> ++++ pppd/options.c 2023-06-30 12:42:19.262593140 +0200
>>> +@@ -555,7 +555,7 @@
>>> + ppp_option_error("unable to drop privileges to open %s: %m", filename);
>>>   return 0;
>>>      }
>>> -    f = fopen(filename, "r");
>>> @@ -116,11 +130,10 @@ index 45fa742..1d754ae 100644
>>>      err = errno;
>>>      if (check_prot && seteuid(euid) == -1)
>>>   fatal("unable to regain privileges");
>>> -diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c
>>> -index 72a7727..8a12fa0 100644
>>> ---- a/pppd/sys-linux.c
>>> -+++ b/pppd/sys-linux.c
>>> -@@ -1412,7 +1412,7 @@ static char *path_to_procfs(const char *tail)
>>> +diff -Naur pppd.orig/sys-linux.c pppd/sys-linux.c
>>> +--- pppd.orig/sys-linux.c 2023-03-10 02:50:41.000000000 +0100
>>> ++++ pppd/sys-linux.c 2023-06-30 12:43:20.634453475 +0200
>>> +@@ -1978,7 +1978,7 @@
>>>   /* Default the mount location of /proc */
>>>   strlcpy (proc_path, "/proc", sizeof(proc_path));
>>>   proc_path_len = 5;
>>> @@ -129,7 +142,7 @@ index 72a7727..8a12fa0 100644
>>>   if (fp != NULL) {
>>>      while ((mntent = getmntent(fp)) != NULL) {
>>>   if (strcmp(mntent->mnt_type, MNTTYPE_IGNORE) == 0)
>>> -@@ -1472,7 +1472,7 @@ static int open_route_table (void)
>>> +@@ -2038,7 +2038,7 @@
>>>      close_route_table();
>>> 
>>>      path = path_to_procfs("/net/route");
>>> @@ -138,6 +151,12 @@ index 72a7727..8a12fa0 100644
>>>      if (route_fd == NULL) {
>>>   error("can't open routing table %s: %m", path);
>>>   return 0;
>>> ---
>>> -1.8.3.1
>>> -
>>> +@@ -2322,7 +2322,7 @@
>>> +     close_route_table();
>>> +
>>> +     path = path_to_procfs("/net/ipv6_route");
>>> +-    route_fd = fopen (path, "r");
>>> ++    route_fd = fopen (path, "re");
>>> +     if (route_fd == NULL) {
>>> + error("can't open routing table %s: %m", path);
>>> + return 0;
>>> diff --git a/src/patches/ppp/0013-everywhere-O_CLOEXEC-harder.patch b/src/patches/ppp/ppp-2.5.0-2-everywhere-O_CLOEXEC-harder.patch
>>> similarity index 63%
>>> rename from src/patches/ppp/0013-everywhere-O_CLOEXEC-harder.patch
>>> rename to src/patches/ppp/ppp-2.5.0-2-everywhere-O_CLOEXEC-harder.patch
>>> index 0fb028779..c205c0e08 100644
>>> --- a/src/patches/ppp/0013-everywhere-O_CLOEXEC-harder.patch
>>> +++ b/src/patches/ppp/ppp-2.5.0-2-everywhere-O_CLOEXEC-harder.patch
>>> @@ -1,23 +1,7 @@
>>> -From 302c1b736cb656c7885a0cba270fd953a672d8a8 Mon Sep 17 00:00:00 2001
>>> -From: Michal Sekletar <msekleta@redhat.com>
>>> -Date: Mon, 7 Apr 2014 13:56:34 +0200
>>> -Subject: [PATCH 13/25] everywhere: O_CLOEXEC harder
>>> -
>>> ----
>>> - pppd/eap.c       |  2 +-
>>> - pppd/main.c      |  4 ++--
>>> - pppd/options.c   |  4 ++--
>>> - pppd/sys-linux.c | 22 +++++++++++-----------
>>> - pppd/tdb.c       |  4 ++--
>>> - pppd/tty.c       |  4 ++--
>>> - pppd/utils.c     |  6 +++---
>>> - 7 files changed, 23 insertions(+), 23 deletions(-)
>>> -
>>> -diff --git a/pppd/eap.c b/pppd/eap.c
>>> -index 6ea6c1f..faced53 100644
>>> ---- a/pppd/eap.c
>>> -+++ b/pppd/eap.c
>>> -@@ -1226,7 +1226,7 @@ mode_t modebits;
>>> +diff -Naur pppd.orig/eap.c pppd/eap.c
>>> +--- pppd.orig/eap.c 2023-03-25 05:38:30.000000000 +0100
>>> ++++ pppd/eap.c 2023-06-30 12:58:07.984676045 +0200
>>> +@@ -1542,7 +1542,7 @@
>>> 
>>>   if ((path = name_of_pn_file()) == NULL)
>>>   return (-1);
>>> @@ -26,34 +10,23 @@ index 6ea6c1f..faced53 100644
>>>   err = errno;
>>>   free(path);
>>>   errno = err;
>>> -diff --git a/pppd/main.c b/pppd/main.c
>>> -index 87a5d29..152e4a2 100644
>>> ---- a/pppd/main.c
>>> -+++ b/pppd/main.c
>>> -@@ -400,7 +400,7 @@ main(int argc, char *argv[])
>>> +diff -Naur pppd.orig/main.c pppd/main.c
>>> +--- pppd.orig/main.c 2023-03-25 05:38:30.000000000 +0100
>>> ++++ pppd/main.c 2023-06-30 13:00:15.155195676 +0200
>>> +@@ -479,7 +479,7 @@
>>>   die(0);
>>> 
>>>      /* Make sure fds 0, 1, 2 are open to somewhere. */
>>> --    fd_devnull = open(_PATH_DEVNULL, O_RDWR);
>>> -+    fd_devnull = open(_PATH_DEVNULL, O_RDWR | O_CLOEXEC);
>>> +-    fd_devnull = open(PPP_DEVNULL, O_RDWR);
>>> ++    fd_devnull = open(PPP_DEVNULL, O_RDWR | O_CLOEXEC);
>>>      if (fd_devnull < 0)
>>> - fatal("Couldn't open %s: %m", _PATH_DEVNULL);
>>> + fatal("Couldn't open %s: %m", PPP_DEVNULL);
>>>      while (fd_devnull <= 2) {
>>> -@@ -1642,7 +1642,7 @@ device_script(char *program, int in, int out, int dont_wait)
>>> -     if (log_to_fd >= 0)
>>> - errfd = log_to_fd;
>>> -     else
>>> -- errfd = open(_PATH_CONNERRS, O_WRONLY | O_APPEND | O_CREAT, 0644);
>>> -+ errfd = open(_PATH_CONNERRS, O_WRONLY | O_APPEND | O_CREAT | O_CLOEXEC, 0644);
>>> -
>>> -     ++conn_running;
>>> -     pid = safe_fork(in, out, errfd);
>>> -diff --git a/pppd/options.c b/pppd/options.c
>>> -index 1d754ae..8e62635 100644
>>> ---- a/pppd/options.c
>>> -+++ b/pppd/options.c
>>> -@@ -1544,9 +1544,9 @@ setlogfile(argv)
>>> - option_error("unable to drop permissions to open %s: %m", *argv);
>>> +diff -Naur pppd.orig/options.c pppd/options.c
>>> +--- pppd.orig/options.c 2023-06-30 12:42:19.262593140 +0200
>>> ++++ pppd/options.c 2023-06-30 13:01:58.388323345 +0200
>>> +@@ -1718,9 +1718,9 @@
>>> + ppp_option_error("unable to drop permissions to open %s: %m", *argv);
>>>   return 0;
>>>      }
>>> -    fd = open(*argv, O_WRONLY | O_APPEND | O_CREAT | O_EXCL, 0644);
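
Review bot: the old device_script() hunk in pppd/main.c, which added O_CLOEXEC to the open of _PATH_CONNERRS, is dropped in this hunk with no 2.5.0 equivalent, so the only main.c open still patched is the PPP_DEVNULL one. If 2.5.0 already opens the connect-errors log close-on-exec, or that code has moved, please say so in the commit message; otherwise the hunk should be re-created against the new source so the log descriptor is covered as before.
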
>>> @@ -64,11 +37,10 @@ index 1d754ae..8e62635 100644
>>>      err = errno;
>>>      if (!privileged_option && seteuid(euid) == -1)
>>>   fatal("unable to regain privileges: %m");
>>> -diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c
>>> -index 8a12fa0..00a2cf5 100644
>>> ---- a/pppd/sys-linux.c
>>> -+++ b/pppd/sys-linux.c
>>> -@@ -459,7 +459,7 @@ int generic_establish_ppp (int fd)
>>> +diff -Naur pppd.orig/sys-linux.c pppd/sys-linux.c
>>> +--- pppd.orig/sys-linux.c 2023-06-30 12:43:20.634453475 +0200
>>> ++++ pppd/sys-linux.c 2023-06-30 13:11:25.715511251 +0200
>>> +@@ -666,7 +666,7 @@
>>>      goto err;
>>>   }
>>>   dbglog("using channel %d", chindex);
>>> @@ -77,7 +49,7 @@ index 8a12fa0..00a2cf5 100644
>>>   if (fd < 0) {
>>>      error("Couldn't reopen /dev/ppp: %m");
>>>      goto err;
>>> -@@ -619,7 +619,7 @@ static int make_ppp_unit()
>>> +@@ -904,7 +904,7 @@
>>>   dbglog("in make_ppp_unit, already had /dev/ppp open?");
>>>   close(ppp_dev_fd);
>>>   }
>>> @@ -86,7 +58,7 @@ index 8a12fa0..00a2cf5 100644
>>>   if (ppp_dev_fd < 0)
>>>   fatal("Couldn't open /dev/ppp: %m");
>>>   flags = fcntl(ppp_dev_fd, F_GETFL);
>>> -@@ -693,7 +693,7 @@ int bundle_attach(int ifnum)
>>> +@@ -1025,7 +1025,7 @@
>>>   if (!new_style_driver)
>>>   return -1;
>>> 
>>> @@ -95,7 +67,7 @@ index 8a12fa0..00a2cf5 100644
>>>   if (master_fd < 0)
>>>   fatal("Couldn't open /dev/ppp: %m");
>>>   if (ioctl(master_fd, PPPIOCATTACH, &ifnum) < 0) {
>>> -@@ -1715,7 +1715,7 @@ int sifproxyarp (int unit, u_int32_t his_adr)
>>> +@@ -2533,7 +2533,7 @@
>>>   if (tune_kernel) {
>>>      forw_path = path_to_procfs("/sys/net/ipv4/ip_forward");
>>>      if (forw_path != 0) {
>>> @@ -104,7 +76,7 @@ index 8a12fa0..00a2cf5 100644
>>>   if (fd >= 0) {
>>>      if (write(fd, "1", 1) != 1)
>>>   error("Couldn't enable IP forwarding: %m");
>>> -@@ -2030,7 +2030,7 @@ int ppp_available(void)
>>> +@@ -2878,7 +2878,7 @@
>>>      sscanf(utsname.release, "%d.%d.%d", &osmaj, &osmin, &ospatch);
>>>      kernel_version = KVERSION(osmaj, osmin, ospatch);
>>> 
>>> @@ -113,7 +85,7 @@ index 8a12fa0..00a2cf5 100644
>>>      if (fd >= 0) {
>>>   new_style_driver = 1;
>>> 
>>> -@@ -2208,7 +2208,7 @@ void logwtmp (const char *line, const char *name, const char *host)
>>> +@@ -3056,7 +3056,7 @@
>>>  #if __GLIBC__ >= 2
>>>      updwtmp(_PATH_WTMP, &ut);
>>>  #else
>>> @@ -122,7 +94,7 @@ index 8a12fa0..00a2cf5 100644
>>>      if (wtmp >= 0) {
>>>   flock(wtmp, LOCK_EX);
>>> 
>>> -@@ -2394,7 +2394,7 @@ int sifaddr (int unit, u_int32_t our_adr, u_int32_t his_adr,
>>> +@@ -3280,7 +3280,7 @@
>>>   int fd;
>>> 
>>>   path = path_to_procfs("/sys/net/ipv4/ip_dynaddr");
>>> @@ -131,7 +103,7 @@ index 8a12fa0..00a2cf5 100644
>>>      if (write(fd, "1", 1) != 1)
>>>   error("Couldn't enable dynamic IP addressing: %m");
>>>      close(fd);
>>> -@@ -2570,7 +2570,7 @@ get_pty(master_fdp, slave_fdp, slave_name, uid)
>>> +@@ -3534,7 +3534,7 @@
>>>      /*
>>>       * Try the unix98 way first.
>>>       */
>>> @@ -140,17 +112,17 @@ index 8a12fa0..00a2cf5 100644
>>>      if (mfd >= 0) {
>>>   int ptn;
>>>   if (ioctl(mfd, TIOCGPTN, &ptn) >= 0) {
>>> -@@ -2851,7 +2851,8 @@
>>> +@@ -3545,7 +3545,8 @@
>>>      if (ioctl(mfd, TIOCSPTLCK, &ptn) < 0)
>>>   warn("Couldn't unlock pty slave %s: %m", pty_name);
>>>  #endif
>>> -    if ((sfd = open(pty_name, O_RDWR | O_NOCTTY)) < 0)
>>> +
>>> -+            if ((sfd = open(pty_name, O_RDWR | O_NOCTTY | O_CLOEXEC)) < 0)
>>> -    {
>>> ++    if ((sfd = open(pty_name, O_RDWR | O_NOCTTY | O_CLOEXEC)) < 0)
>>> +    {
>>>   warn("Couldn't open pty slave %s: %m", pty_name);
>>> - close(mfd);
>>> -@@ -2865,10 +2866,10 @@
>>> + close(mfd);
>>> +@@ -3559,10 +3560,10 @@
>>>   for (i = 0; i < 64; ++i) {
>>>      slprintf(pty_name, sizeof(pty_name), "/dev/pty%c%x",
>>>       'p' + i / 16, i % 16);
>>> @@ -161,13 +133,12 @@ index 8a12fa0..00a2cf5 100644
>>> - sfd = open(pty_name, O_RDWR | O_NOCTTY, 0);
>>> + sfd = open(pty_name, O_RDWR | O_NOCTTY | O_CLOEXEC, 0);
>>>   if (sfd >= 0) {
>>> -    fchown(sfd, uid, -1);
>>> -    fchmod(sfd, S_IRUSR | S_IWUSR);
>>> -diff --git a/pppd/tdb.c b/pppd/tdb.c
>>> -index bdc5828..c7ab71c 100644
>>> ---- a/pppd/tdb.c
>>> -+++ b/pppd/tdb.c
>>> -@@ -1724,7 +1724,7 @@ TDB_CONTEXT *tdb_open_ex(const char *name, int hash_size, int tdb_flags,
>>> +    ret = fchown(sfd, uid, -1);
>>> +    if (ret != 0) {
>>> +diff -Naur pppd.orig/tdb.c pppd/tdb.c
>>> +--- pppd.orig/tdb.c 2021-07-23 06:41:07.000000000 +0200
>>> ++++ pppd/tdb.c 2023-06-30 13:12:55.034900600 +0200
>>> +@@ -1728,7 +1728,7 @@
>>>   goto internal;
>>>   }
>>> 
>>> @@ -176,7 +147,7 @@ index bdc5828..c7ab71c 100644
>>>   TDB_LOG((tdb, 5, "tdb_open_ex: could not open file %s: %s\n",
>>>   name, strerror(errno)));
>>>   goto fail; /* errno set by open(2) */
>>> -@@ -1967,7 +1967,7 @@ int tdb_reopen(TDB_CONTEXT *tdb)
>>> +@@ -1971,7 +1971,7 @@
>>>   }
>>>   if (close(tdb->fd) != 0)
>>>   TDB_LOG((tdb, 0, "tdb_reopen: WARNING closing tdb->fd failed!\n"));
>>> @@ -185,12 +156,11 @@ index bdc5828..c7ab71c 100644
>>>   if (tdb->fd == -1) {
>>>   TDB_LOG((tdb, 0, "tdb_reopen: open failed (%s)\n", strerror(errno)));
>>>   goto fail;
>>> -diff --git a/pppd/tty.c b/pppd/tty.c
>>> -index d571b11..bc96695 100644
>>> ---- a/pppd/tty.c
>>> -+++ b/pppd/tty.c
>>> -@@ -569,7 +569,7 @@ int connect_tty()
>>> - status = EXIT_OPEN_FAILED;
>>> +diff -Naur pppd.orig/tty.c pppd/tty.c
>>> +--- pppd.orig/tty.c 2023-03-25 05:38:30.000000000 +0100
>>> ++++ pppd/tty.c 2023-06-30 13:14:06.450418113 +0200
>>> +@@ -621,7 +621,7 @@
>>> + ppp_set_status(EXIT_OPEN_FAILED);
>>>   goto errret;
>>>   }
>>> - real_ttyfd = open(devnam, O_NONBLOCK | O_RDWR, 0);
>>> @@ -198,7 +168,7 @@ index d571b11..bc96695 100644
>>>   err = errno;
>>>   if (prio < OPRIO_ROOT && seteuid(0) == -1)
>>>   fatal("Unable to regain privileges");
>>> -@@ -723,7 +723,7 @@ int connect_tty()
>>> +@@ -775,7 +775,7 @@
>>>   if (connector == NULL && modem && devnam[0] != 0) {
>>>   int i;
>>>   for (;;) {
>>> @@ -207,12 +177,11 @@ index d571b11..bc96695 100644
>>>   break;
>>>   if (errno != EINTR) {
>>>   error("Failed to reopen %s: %m", devnam);
>>> -diff --git a/pppd/utils.c b/pppd/utils.c
>>> -index 29bf970..6051b9a 100644
>>> ---- a/pppd/utils.c
>>> -+++ b/pppd/utils.c
>>> -@@ -918,14 +918,14 @@ lock(dev)
>>> -     slprintf(lock_file, sizeof(lock_file), "%s/LCK..%s", LOCK_DIR, dev);
>>> +diff -Naur pppd.orig/utils.c pppd/utils.c
>>> +--- pppd.orig/utils.c 2022-12-30 02:12:39.000000000 +0100
>>> ++++ pppd/utils.c 2023-06-30 13:15:47.860182369 +0200
>>> +@@ -843,14 +843,14 @@
>>> +     slprintf(lock_file, sizeof(lock_file), "%s/LCK..%s", PPP_PATH_LOCKDIR, dev);
>>>  #endif
>>> 
>>> -    while ((fd = open(lock_file, O_EXCL | O_CREAT | O_RDWR, 0644)) < 0) {
>>> @@ -228,7 +197,7 @@ index 29bf970..6051b9a 100644
>>>   if (fd < 0) {
>>>      if (errno == ENOENT) /* This is just a timing problem. */
>>>   continue;
>>> -@@ -1004,7 +1004,7 @@ relock(pid)
>>> +@@ -933,7 +933,7 @@
>>> 
>>>      if (lock_file[0] == 0)
>>>   return -1;
>>> @@ -237,6 +206,3 @@ index 29bf970..6051b9a 100644
>>>      if (fd < 0) {
>>>   error("Couldn't reopen lock file %s: %m", lock_file);
>>>   lock_file[0] = 0;
>>> ---
>>> -1.8.3.1
>>> -
>>> diff --git a/src/patches/ppp/ppp-2.5.0-3-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch b/src/patches/ppp/ppp-2.5.0-3-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch
>>> new file mode 100644
>>> index 000000000..cfd72e468
>>> --- /dev/null
>>> +++ b/src/patches/ppp/ppp-2.5.0-3-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch
>>> @@ -0,0 +1,135 @@
>>> +diff -Naur pppd.orig/plugins/pppoatm/pppoatm.c pppd/plugins/pppoatm/pppoatm.c
>>> +--- pppd.orig/plugins/pppoatm/pppoatm.c 2023-03-25 05:38:30.000000000 +0100
>>> ++++ pppd/plugins/pppoatm/pppoatm.c 2023-06-30 13:21:33.397378347 +0200
>>> +@@ -146,7 +146,7 @@
>>> +
>>> + if (!device_got_set)
>>> + no_device_given_pppoatm();
>>> +- fd = socket(AF_ATMPVC, SOCK_DGRAM, 0);
>>> ++ fd = socket(AF_ATMPVC, SOCK_DGRAM | SOCK_CLOEXEC, 0);
>>> + if (fd < 0)
>>> + fatal("failed to create socket: %m");
>>> + memset(&qos, 0, sizeof qos);
>>> +diff -Naur pppd.orig/plugins/pppoe/if.c pppd/plugins/pppoe/if.c
>>> +--- pppd.orig/plugins/pppoe/if.c 2022-12-30 02:12:39.000000000 +0100
>>> ++++ pppd/plugins/pppoe/if.c 2023-06-30 13:24:11.372183452 +0200
>>> +@@ -116,7 +116,7 @@
>>> +     stype = SOCK_PACKET;
>>> + #endif
>>> +
>>> +-    if ((fd = socket(domain, stype, htons(type))) < 0) {
>>> ++    if ((fd = socket(domain, stype | SOCK_CLOEXEC, htons(type))) < 0) {
>>> + /* Give a more helpful message for the common error case */
>>> + if (errno == EPERM) {
>>> +    fatal("Cannot create raw socket -- pppoe must be run as root.");
>>> +diff -Naur pppd.orig/plugins/pppoe/plugin.c pppd/plugins/pppoe/plugin.c
>>> +--- pppd.orig/plugins/pppoe/plugin.c 2023-03-25 05:38:30.000000000 +0100
>>> ++++ pppd/plugins/pppoe/plugin.c 2023-06-30 13:25:58.798782323 +0200
>>> +@@ -155,7 +155,7 @@
>>> +     /* server equipment).                                                  */
>>> +     /* Opening this socket just before waitForPADS in the discovery()      */
>>> +     /* function would be more appropriate, but it would mess-up the code   */
>>> +-    conn->sessionSocket = socket(AF_PPPOX, SOCK_STREAM, PX_PROTO_OE);
>>> ++    conn->sessionSocket = socket(AF_PPPOX, SOCK_STREAM | SOCK_CLOEXEC, PX_PROTO_OE);
>>> +     if (conn->sessionSocket < 0) {
>>> + error("Failed to create PPPoE socket: %m");
>>> + return -1;
>>> +@@ -166,7 +166,7 @@
>>> +     lcp_wantoptions[0].mru = conn->mru = conn->storedmru;
>>> +
>>> +     /* Update maximum MRU */
>>> +-    s = socket(AF_INET, SOCK_DGRAM, 0);
>>> ++    s = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
>>> +     if (s < 0) {
>>> + error("Can't get MTU for %s: %m", conn->ifName);
>>> + goto errout;
>>> +@@ -364,7 +364,7 @@
>>> +     }
>>> +
>>> +     /* Open a socket */
>>> +-    if ((fd = socket(PF_PACKET, SOCK_RAW, 0)) < 0) {
>>> ++    if ((fd = socket(PF_PACKET, SOCK_RAW | SOCK_CLOEXEC, 0)) < 0) {
>>> + r = 0;
>>> +     }
>>> +
>>> +diff -Naur pppd.orig/plugins/pppol2tp/openl2tp.c pppd/plugins/pppol2tp/openl2tp.c
>>> +--- pppd.orig/plugins/pppol2tp/openl2tp.c 2023-03-10 02:50:41.000000000 +0100
>>> ++++ pppd/plugins/pppol2tp/openl2tp.c 2023-06-30 13:22:30.055768865 +0200
>>> +@@ -93,7 +93,7 @@
>>> + int result;
>>> +
>>> + if (openl2tp_fd < 0) {
>>> +- openl2tp_fd = socket(PF_UNIX, SOCK_DGRAM, 0);
>>> ++ openl2tp_fd = socket(PF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0);
>>> + if (openl2tp_fd < 0) {
>>> + error("openl2tp connection create: %m");
>>> + return -ENOTCONN;
>>> +diff -Naur pppd.orig/plugins/pppol2tp/pppol2tp.c pppd/plugins/pppol2tp/pppol2tp.c
>>> +--- pppd.orig/plugins/pppol2tp/pppol2tp.c 2022-12-30 02:12:39.000000000 +0100
>>> ++++ pppd/plugins/pppol2tp/pppol2tp.c 2023-06-30 13:23:13.493756755 +0200
>>> +@@ -220,7 +220,7 @@
>>> + struct ifreq ifr;
>>> + int fd;
>>> +
>>> +- fd = socket(AF_INET, SOCK_DGRAM, 0);
>>> ++ fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
>>> + if (fd >= 0) {
>>> + memset (&ifr, '\0', sizeof (ifr));
>>> + ppp_get_ifname(ifr.ifr_name, sizeof(ifr.ifr_name));
>>> +diff -Naur pppd.orig/sys-linux.c pppd/sys-linux.c
>>> +--- pppd.orig/sys-linux.c 2023-06-30 13:11:25.715511251 +0200
>>> ++++ pppd/sys-linux.c 2023-06-30 13:32:50.021272249 +0200
>>> +@@ -499,12 +499,12 @@
>>> + void sys_init(void)
>>> + {
>>> +     /* Get an internet socket for doing socket ioctls. */
>>> +-    sock_fd = socket(AF_INET, SOCK_DGRAM, 0);
>>> ++    sock_fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
>>> +     if (sock_fd < 0)
>>> + fatal("Couldn't create IP socket: %m(%d)", errno);
>>> +
>>> + #ifdef PPP_WITH_IPV6CP
>>> +-    sock6_fd = socket(AF_INET6, SOCK_DGRAM, 0);
>>> ++    sock6_fd = socket(AF_INET6, SOCK_DGRAM | SOCK_CLOEXEC, 0);
>>> +     if (sock6_fd < 0)
>>> + sock6_fd = -errno; /* save errno for later */
>>> + #endif
>>> +@@ -2675,7 +2675,7 @@
>>> + struct ifreq ifreq;
>>> + int ret, sock_fd;
>>> +
>>> +- sock_fd = socket(AF_INET, SOCK_DGRAM, 0);
>>> ++ sock_fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
>>> + if (sock_fd < 0)
>>> + return -1;
>>> + memset(&ifreq.ifr_hwaddr, 0, sizeof(struct sockaddr));
>>> +@@ -2698,7 +2698,7 @@
>>> + struct ifreq ifreq;
>>> + int ret, sock_fd;
>>> +
>>> +- sock_fd = socket(AF_INET, SOCK_DGRAM, 0);
>>> ++ sock_fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
>>> + if (sock_fd < 0)
>>> + return -1;
>>> +
>>> +@@ -2915,7 +2915,7 @@
>>> + /*
>>> +  * Open a socket for doing the ioctl operations.
>>> +  */
>>> +-    s = socket(AF_INET, SOCK_DGRAM, 0);
>>> ++    s = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
>>> +     if (s < 0)
>>> + return 0;
>>> +
>>> +diff -Naur pppd.orig/tty.c pppd/tty.c
>>> +--- pppd.orig/tty.c 2023-06-30 13:14:06.450418113 +0200
>>> ++++ pppd/tty.c 2023-06-30 13:33:31.285858278 +0200
>>> +@@ -942,7 +942,7 @@
>>> +     *sep = ':';
>>> +
>>> +     /* get a socket and connect it to the other end */
>>> +-    sock = socket(PF_INET, SOCK_STREAM, 0);
>>> ++    sock = socket(PF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0);
>>> +     if (sock < 0) {
>>> + error("Can't create socket: %m");
>>> + return -1;
>>> diff --git a/src/patches/ppp/ppp-2.5.0-4-increase-max-padi-attempts.patch b/src/patches/ppp/ppp-2.5.0-4-increase-max-padi-attempts.patch
>>> new file mode 100644
>>> index 000000000..002b6066d
>>> --- /dev/null
>>> +++ b/src/patches/ppp/ppp-2.5.0-4-increase-max-padi-attempts.patch
>>> @@ -0,0 +1,12 @@
>>> +diff -Naur pppd.orig/plugins/pppoe/pppoe.h pppd/plugins/pppoe/pppoe.h
>>> +--- pppd.orig/plugins/pppoe/pppoe.h 2022-12-30 02:12:39.000000000 +0100
>>> ++++ pppd/plugins/pppoe/pppoe.h 2023-06-30 13:37:07.189078090 +0200
>>> +@@ -143,7 +143,7 @@
>>> + #define STATE_TERMINATED    4
>>> +
>>> + /* How many PADI/PADS attempts? */
>>> +-#define MAX_PADI_ATTEMPTS 3
>>> ++#define MAX_PADI_ATTEMPTS 4
>>> +
>>> + /* Initial timeout for PADO/PADS */
>>> + #define PADI_TIMEOUT 5
>>> diff --git a/src/patches/ppp/ppp-2.5.0-5-headers_4.9.patch b/src/patches/ppp/ppp-2.5.0-5-headers_4.9.patch
>>> new file mode 100644
>>> index 000000000..dc6c22852
>>> --- /dev/null
>>> +++ b/src/patches/ppp/ppp-2.5.0-5-headers_4.9.patch
>>> @@ -0,0 +1,12 @@
>>> +diff -Naur pppd.orig/plugins/pppoe/plugin.c pppd/plugins/pppoe/plugin.c
>>> +--- pppd.orig/plugins/pppoe/plugin.c 2023-06-30 13:25:58.798782323 +0200
>>> ++++ pppd/plugins/pppoe/plugin.c 2023-06-30 13:50:23.150026201 +0200
>>> +@@ -46,6 +46,8 @@
>>> + #include <signal.h>
>>> + #include <net/if_arp.h>
>>> + #include <linux/ppp_defs.h>
>>> ++#define _LINUX_IN_H
>>> ++#define _LINUX_IN6_H
>>> + #include <linux/if_pppox.h>
>>> +
>>> + #include <pppd/pppd.h>
>>> diff --git a/src/patches/ppp/ppp-2.5.0-6-patch-configure-to-handle-cflags-properly.patch b/src/patches/ppp/ppp-2.5.0-6-patch-configure-to-handle-cflags-properly.patch
>>> new file mode 100644
>>> index 000000000..0e9eab6ed
>>> --- /dev/null
>>> +++ b/src/patches/ppp/ppp-2.5.0-6-patch-configure-to-handle-cflags-properly.patch
>>> @@ -0,0 +1,18 @@
>>> +diff -Naur ppp-2.5.0.orig/configure ppp-2.5.0/configure
>>> +--- ppp-2.5.0.orig/configure 2023-03-25 05:38:36.000000000 +0100
>>> ++++ ppp-2.5.0/configure 2023-06-30 14:05:14.773950477 +0200
>>> +@@ -17774,10 +17774,10 @@
>>> +         rm -f $2
>>> +         if [ -f $1 ]; then
>>> +             echo "  $2 <= $1"
>>> +-            sed -e "s,@DESTDIR@,$prefix,g" \
>>> +-                -e "s,@SYSCONF@,$sysconfdir,g" \
>>> +-                -e "s,@CC@,$CC,g" \
>>> +-                -e "s|@CFLAGS@|$CFLAGS|g" $1 > $2
>>> ++            sed -e "s#@DESTDIR@#$prefix#g" \
>>> ++                -e "s#@SYSCONF@#$sysconfdir#g" \
>>> ++                -e "s#@CC@#$CC#g" \
>>> ++                -e "s#@CFLAGS@#$CFLAGS#g" $1 > $2
>>> +         fi
>>> +     }
>>> +
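
Review bot: on the `@CFLAGS@` line the 2.5.0 source already uses `|` as the sed delimiter (`-e "s|@CFLAGS@|$CFLAGS|g"`), so the case this patch is named for no longer has the `,` delimiter that the 2.4.9 configure had. The other three lines substitute $prefix, $sysconfdir and $CC; please check whether the build still needs the `#` delimiter for those, and if it does not, drop the patch rather than carry a change against line 17774 of configure that has to be redone on every update.
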
>>> -- 
>>> 2.41.0
>>> 
> 
> -- 
> Sent from my laptop
  

Patch

diff --git a/config/rootfiles/common/ppp b/config/rootfiles/common/ppp
index d61fdf811..6098fa7c3 100644
--- a/config/rootfiles/common/ppp
+++ b/config/rootfiles/common/ppp
@@ -7,49 +7,57 @@  etc/ppp/dialer
 etc/ppp/ioptions
 etc/ppp/ip-down
 etc/ppp/ip-up
+#etc/ppp/openssl.cnf
 etc/ppp/options
 etc/ppp/pap-secrets
 etc/ppp/standardloginscript
 #usr/include/pppd
+#usr/include/pppd/cbcp.h
 #usr/include/pppd/ccp.h
-#usr/include/pppd/chap-new.h
+#usr/include/pppd/chap.h
 #usr/include/pppd/chap_ms.h
-#usr/include/pppd/eap-tls.h
+#usr/include/pppd/crypto.h
+#usr/include/pppd/crypto_ms.h
 #usr/include/pppd/eap.h
 #usr/include/pppd/ecp.h
 #usr/include/pppd/eui64.h
 #usr/include/pppd/fsm.h
 #usr/include/pppd/ipcp.h
 #usr/include/pppd/ipv6cp.h
-#usr/include/pppd/ipxcp.h
 #usr/include/pppd/lcp.h
 #usr/include/pppd/magic.h
-#usr/include/pppd/md4.h
-#usr/include/pppd/md5.h
 #usr/include/pppd/mppe.h
-#usr/include/pppd/patchlevel.h
-#usr/include/pppd/pathnames.h
-#usr/include/pppd/pppcrypt.h
+#usr/include/pppd/multilink.h
+#usr/include/pppd/options.h
 #usr/include/pppd/pppd.h
+#usr/include/pppd/pppdconf.h
 #usr/include/pppd/session.h
-#usr/include/pppd/sha1.h
-#usr/include/pppd/spinlock.h
-#usr/include/pppd/tdb.h
 #usr/include/pppd/upap.h
+#usr/lib/pkgconfig/pppd.pc
 usr/lib/pppd
-usr/lib/pppd/2.4.9
-usr/lib/pppd/2.4.9/minconn.so
-usr/lib/pppd/2.4.9/openl2tp.so
-usr/lib/pppd/2.4.9/passprompt.so
-usr/lib/pppd/2.4.9/passwordfd.so
-usr/lib/pppd/2.4.9/pppoatm.so
-usr/lib/pppd/2.4.9/pppoe.so
-usr/lib/pppd/2.4.9/pppol2tp.so
-usr/lib/pppd/2.4.9/radattr.so
-usr/lib/pppd/2.4.9/radius.so
-usr/lib/pppd/2.4.9/radrealms.so
-usr/lib/pppd/2.4.9/rp-pppoe.so
-usr/lib/pppd/2.4.9/winbind.so
+usr/lib/pppd/2.5.0
+#usr/lib/pppd/2.5.0/minconn.la
+usr/lib/pppd/2.5.0/minconn.so
+#usr/lib/pppd/2.5.0/openl2tp.la
+usr/lib/pppd/2.5.0/openl2tp.so
+#usr/lib/pppd/2.5.0/passprompt.la
+usr/lib/pppd/2.5.0/passprompt.so
+#usr/lib/pppd/2.5.0/passwordfd.la
+usr/lib/pppd/2.5.0/passwordfd.so
+#usr/lib/pppd/2.5.0/pppoatm.la
+usr/lib/pppd/2.5.0/pppoatm.so
+#usr/lib/pppd/2.5.0/pppoe.la
+usr/lib/pppd/2.5.0/pppoe.so
+#usr/lib/pppd/2.5.0/pppol2tp.la
+usr/lib/pppd/2.5.0/pppol2tp.so
+#usr/lib/pppd/2.5.0/radattr.la
+usr/lib/pppd/2.5.0/radattr.so
+#usr/lib/pppd/2.5.0/radius.la
+usr/lib/pppd/2.5.0/radius.so
+#usr/lib/pppd/2.5.0/radrealms.la
+usr/lib/pppd/2.5.0/radrealms.so
+#usr/lib/pppd/2.5.0/winbind.la
+usr/lib/pppd/2.5.0/winbind.so
 usr/sbin/chat
 usr/sbin/pppd
 usr/sbin/pppdump
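Review bot: `usr/lib/pppd/2.4.9/rp-pppoe.so` is removed in this hunk and is the only plugin without a `usr/lib/pppd/2.5.0/` counterpart in the new list. Anything in the tree that still loads `rp-pppoe.so` by name will fail to start pppd after the update, so please grep the scripts and option templates for it and switch them to `pppoe.so` in this commit if any are found. The same check applies to anything that references the versioned `2.4.9` plugin directory directly.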
@@ -60,5 +68,7 @@  usr/sbin/pppstats
 #usr/share/man/man8/pppd-radius.8
 #usr/share/man/man8/pppd.8
 #usr/share/man/man8/pppdump.8
+#usr/share/man/man8/pppoe-discovery.8
 #usr/share/man/man8/pppstats.8
 var/log/connect-errors
+
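Review bot: the last added line of this hunk is an empty `+` after `var/log/connect-errors`, which leaves a blank line at the end of the rootfile. Suggest dropping it so the file ends on the last path entry.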
diff --git a/lfs/ppp b/lfs/ppp
index fb46d8aac..fc4528ece 100644
--- a/lfs/ppp
+++ b/lfs/ppp
@@ -1,7 +1,7 @@ 
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2021  IPFire Team  <info@ipfire.org>                     #
+# Copyright (C) 2007-2023  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -24,7 +24,7 @@ 
 
 include Config
 
-VER        = 2.4.9
+VER        = 2.5.0
 
 THISAPP    = ppp-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -42,7 +42,7 @@  objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = 2cc885c32b7d33dc48766097f1f4c9cd0754924a8c0630ccaa58b2989e6b43a197ca0d41f5f16956c395278a12023d490e085f5635e23b53c5603ba61cfc40d5
+$(DL_FILE)_BLAKE2 = 6a0e9efcbff3cb499705071cc7d0e3411cf4871fd53b2bfedbb1f2cf3ad80728eb436050cf33b78e36d473be64f15907a21da17f283337455f0af379bc18272d
 
 install : $(TARGET)
 
@@ -72,18 +72,20 @@  $(subst %,%_BLAKE2,$(objects)) :
 $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@$(PREBUILD)
 	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
-	cd $(DIR_APP) && rm -f include/pcap-int.h include/linux/if_pppol2tp.h
-	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/0012-pppd-we-don-t-want-to-accidentally-leak-fds.patch
-	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/0013-everywhere-O_CLOEXEC-harder.patch
-	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/0014-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch
-	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/ppp-2.4.6-increase-max-padi-attempts.patch
-	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/ppp-2.4.7-headers_4.9.patch
-	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/ppp-2.4.9-patch-configure-to-handle-cflags-properly.patch
-	cd $(DIR_APP) && sed -i -e "s+/etc/ppp/connect-errors+/var/log/connect-errors+" pppd/pathnames.h
-	cd $(DIR_APP) && ./configure --prefix=/usr --cc="gcc" --cflags="$(CFLAGS)" --disable-nls
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/ppp/ppp-2.5.0-1-we-don-t-want-to-accidentally-leak-fds.patch
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/ppp/ppp-2.5.0-2-everywhere-O_CLOEXEC-harder.patch
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/ppp/ppp-2.5.0-3-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/ppp/ppp-2.5.0-4-increase-max-padi-attempts.patch
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/ppp/ppp-2.5.0-5-headers_4.9.patch
+	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/ppp-2.5.0-6-patch-configure-to-handle-cflags-properly.patch
+	cd $(DIR_APP) && ./configure \
+					--prefix=/usr \
+					--sysconfdir=/etc \
+					--with-logfile-dir=/var/log \
+					cc="gcc" \
+					cflags="$(CFLAGS)"
 	cd $(DIR_APP) && make $(MAKETUNING)
 	cd $(DIR_APP) && make install
-	cd $(DIR_APP) && make install-etcppp
 	touch /var/log/connect-errors
 	-mkdir -p /etc/ppp
 	for i in $(DIR_SRC)/src/ppp/* ; do \
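Review bot: The last two arguments of the new `./configure` call are lower-case, `cc="gcc"` and `cflags="$(CFLAGS)"`, which looks like a direct carry-over of the old `--cc`/`--cflags` options. The changelog says 2.5.0 moved to GNU Autoconf, and an Autoconf-generated configure only honours the upper-case variables `CC` and `CFLAGS`, so unless patch 6 changes that, the distribution's CFLAGS (and any hardening flags they carry) will not reach the compiler. Suggest `CC="gcc" CFLAGS="$(CFLAGS)"` and a check of the build log for the expected flags. Separately, patches 1 to 5 are applied with `-Np0` and patch 6 with `-Np1`; a single strip level would be easier to maintain.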
diff --git a/src/patches/ppp/0014-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch b/src/patches/ppp/0014-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch
deleted file mode 100644
index fffda981d..000000000
--- a/src/patches/ppp/0014-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch
+++ /dev/null
@@ -1,165 +0,0 @@ 
-From 2a97ab28ee00586e5f06b3ef3a0e43ea0c7c6499 Mon Sep 17 00:00:00 2001
-From: Michal Sekletar <msekleta@redhat.com>
-Date: Mon, 7 Apr 2014 14:21:41 +0200
-Subject: [PATCH 14/25] everywhere: use SOCK_CLOEXEC when creating socket
-
----
- pppd/plugins/pppoatm/pppoatm.c          |  2 +-
- pppd/plugins/pppol2tp/openl2tp.c        |  2 +-
- pppd/plugins/pppol2tp/pppol2tp.c        |  2 +-
- pppd/plugins/pppoe/if.c                 |  2 +-
- pppd/plugins/pppoe/plugin.c             |  6 +++---
- pppd/plugins/pppoe/pppoe-discovery.c    |  2 +-
- pppd/sys-linux.c                        | 10 +++++-----
- pppd/tty.c                              |  2 +-
- 8 files changed, 14 insertions(+), 14 deletions(-)
-
-diff --git a/pppd/plugins/pppoatm/pppoatm.c b/pppd/plugins/pppoatm/pppoatm.c
-index d693350..c31bb34 100644
---- a/pppd/plugins/pppoatm/pppoatm.c
-+++ b/pppd/plugins/pppoatm/pppoatm.c
-@@ -135,7 +135,7 @@ static int connect_pppoatm(void)
- 
- 	if (!device_got_set)
- 		no_device_given_pppoatm();
--	fd = socket(AF_ATMPVC, SOCK_DGRAM, 0);
-+	fd = socket(AF_ATMPVC, SOCK_DGRAM | SOCK_CLOEXEC, 0);
- 	if (fd < 0)
- 		fatal("failed to create socket: %m");
- 	memset(&qos, 0, sizeof qos);
-diff --git a/pppd/plugins/pppol2tp/openl2tp.c b/pppd/plugins/pppol2tp/openl2tp.c
-index 9643b96..1099575 100644
---- a/pppd/plugins/pppol2tp/openl2tp.c
-+++ b/pppd/plugins/pppol2tp/openl2tp.c
-@@ -83,7 +83,7 @@ static int openl2tp_client_create(void)
- 	int result;
- 
- 	if (openl2tp_fd < 0) {
--		openl2tp_fd = socket(PF_UNIX, SOCK_DGRAM, 0);
-+		openl2tp_fd = socket(PF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0);
- 		if (openl2tp_fd < 0) {
- 			error("openl2tp connection create: %m");
- 			return -ENOTCONN;
-diff --git a/pppd/plugins/pppol2tp/pppol2tp.c b/pppd/plugins/pppol2tp/pppol2tp.c
-index a7e3400..e64a778 100644
---- a/pppd/plugins/pppol2tp/pppol2tp.c
-+++ b/pppd/plugins/pppol2tp/pppol2tp.c
-@@ -208,7 +208,7 @@ static void send_config_pppol2tp(int mtu,
- 		struct ifreq ifr;
- 		int fd;
- 
--		fd = socket(AF_INET, SOCK_DGRAM, 0);
-+		fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
- 		if (fd >= 0) {
- 			memset (&ifr, '\0', sizeof (ifr));
- 			strlcpy(ifr.ifr_name, ifname, sizeof(ifr.ifr_name));
-diff --git a/pppd/plugins/pppoe/if.c b/pppd/plugins/pppoe/if.c
-index 91e9a57..72aba41 100644
---- a/pppd/plugins/pppoe/if.c
-+++ b/pppd/plugins/pppoe/if.c
-@@ -116,7 +116,7 @@ openInterface(char const *ifname, UINT16_t type, unsigned char *hwaddr)
-     stype = SOCK_PACKET;
- #endif
- 
--    if ((fd = socket(domain, stype, htons(type))) < 0) {
-+    if ((fd = socket(domain, stype | SOCK_CLOEXEC, htons(type))) < 0) {
- 	/* Give a more helpful message for the common error case */
- 	if (errno == EPERM) {
- 	    fatal("Cannot create raw socket -- pppoe must be run as root.");
-diff --git a/pppd/plugins/pppoe/plugin.c b/pppd/plugins/pppoe/plugin.c
-index a8c2bb4..24bdf8f 100644
---- a/pppd/plugins/pppoe/plugin.c
-+++ b/pppd/plugins/pppoe/plugin.c
-@@ -137,7 +137,7 @@ PPPOEConnectDevice(void)
-     /* server equipment).                                                  */
-     /* Opening this socket just before waitForPADS in the discovery()      */
-     /* function would be more appropriate, but it would mess-up the code   */
--    conn->sessionSocket = socket(AF_PPPOX, SOCK_STREAM, PX_PROTO_OE);
-+    conn->sessionSocket = socket(AF_PPPOX, SOCK_STREAM | SOCK_CLOEXEC, PX_PROTO_OE);
-     if (conn->sessionSocket < 0) {
- 	error("Failed to create PPPoE socket: %m");
- 	return -1;
-@@ -148,7 +148,7 @@ PPPOEConnectDevice(void)
-     lcp_wantoptions[0].mru = conn->mru;
- 
-     /* Update maximum MRU */
--    s = socket(AF_INET, SOCK_DGRAM, 0);
-+    s = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
-     if (s < 0) {
- 	error("Can't get MTU for %s: %m", conn->ifName);
- 	goto errout;
-@@ -320,7 +320,7 @@ PPPoEDevnameHook(char *cmd, char **argv, int doit)
-     }
- 
-     /* Open a socket */
--    if ((fd = socket(PF_PACKET, SOCK_RAW, 0)) < 0) {
-+    if ((fd = socket(PF_PACKET, SOCK_RAW | SOCK_CLOEXEC, 0)) < 0) {
- 	r = 0;
-     }
- 
-diff --git a/pppd/plugins/pppoe/pppoe-discovery.c b/pppd/plugins/pppoe/pppoe-discovery.c
-index 3d3bf4e..c0d927d 100644
---- a/pppd/plugins/pppoe/pppoe-discovery.c
-+++ b/pppd/plugins/pppoe/pppoe-discovery.c
-@@ -121,7 +121,7 @@ openInterface(char const *ifname, UINT16_t type, unsigned char *hwaddr)
-     stype = SOCK_PACKET;
- #endif
- 
--    if ((fd = socket(domain, stype, htons(type))) < 0) {
-+    if ((fd = socket(domain, stype | SOCK_CLOEXEC, htons(type))) < 0) {
- 	/* Give a more helpful message for the common error case */
- 	if (errno == EPERM) {
- 	    rp_fatal("Cannot create raw socket -- pppoe must be run as root.");
-diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c
-index 00a2cf5..0690019 100644
---- a/pppd/sys-linux.c
-+++ b/pppd/sys-linux.c
-@@ -308,12 +308,12 @@ static int modify_flags(int fd, int clear_bits, int set_bits)
- void sys_init(void)
- {
-     /* Get an internet socket for doing socket ioctls. */
--    sock_fd = socket(AF_INET, SOCK_DGRAM, 0);
-+    sock_fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
-     if (sock_fd < 0)
- 	fatal("Couldn't create IP socket: %m(%d)", errno);
- 
- #ifdef INET6
--    sock6_fd = socket(AF_INET6, SOCK_DGRAM, 0);
-+    sock6_fd = socket(AF_INET6, SOCK_DGRAM | SOCK_CLOEXEC, 0);
-     if (sock6_fd < 0)
- 	sock6_fd = -errno;	/* save errno for later */
- #endif
-@@ -1857,7 +1857,7 @@ get_if_hwaddr(u_char *addr, char *name)
- 	struct ifreq ifreq;
- 	int ret, sock_fd;
- 
--	sock_fd = socket(AF_INET, SOCK_DGRAM, 0);
-+	sock_fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
- 	if (sock_fd < 0)
- 		return 0;
- 	memset(&ifreq.ifr_hwaddr, 0, sizeof(struct sockaddr));
-@@ -2067,7 +2067,7 @@ int ppp_available(void)
- /*
-  * Open a socket for doing the ioctl operations.
-  */
--    s = socket(AF_INET, SOCK_DGRAM, 0);
-+    s = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
-     if (s < 0)
- 	return 0;
- 
-diff --git a/pppd/tty.c b/pppd/tty.c
-index bc96695..8e76a5d 100644
---- a/pppd/tty.c
-+++ b/pppd/tty.c
-@@ -896,7 +896,7 @@ open_socket(dest)
-     *sep = ':';
- 
-     /* get a socket and connect it to the other end */
--    sock = socket(PF_INET, SOCK_STREAM, 0);
-+    sock = socket(PF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0);
-     if (sock < 0) {
- 	error("Can't create socket: %m");
- 	return -1;
--- 
-1.8.3.1
-
diff --git a/src/patches/ppp/ppp-2.4.6-increase-max-padi-attempts.patch b/src/patches/ppp/ppp-2.4.6-increase-max-padi-attempts.patch
deleted file mode 100644
index 1b36e8369..000000000
--- a/src/patches/ppp/ppp-2.4.6-increase-max-padi-attempts.patch
+++ /dev/null
@@ -1,13 +0,0 @@ 
-diff --git a/pppd/plugins/pppoe/pppoe.h b/pppd/plugins/pppoe/pppoe.h
-index 9ab2eee..86762bd 100644
---- a/pppd/plugins/pppoe/pppoe.h
-+++ b/pppd/plugins/pppoe/pppoe.h
-@@ -148,7 +148,7 @@ extern UINT16_t Eth_PPPOE_Session;
- #define STATE_TERMINATED    4
- 
- /* How many PADI/PADS attempts? */
--#define MAX_PADI_ATTEMPTS 3
-+#define MAX_PADI_ATTEMPTS 4
- 
- /* Initial timeout for PADO/PADS */
- #define PADI_TIMEOUT 5
diff --git a/src/patches/ppp/ppp-2.4.7-headers_4.9.patch b/src/patches/ppp/ppp-2.4.7-headers_4.9.patch
deleted file mode 100644
index 686db9204..000000000
--- a/src/patches/ppp/ppp-2.4.7-headers_4.9.patch
+++ /dev/null
@@ -1,12 +0,0 @@ 
-diff -Naur ppp-2.4.7.org/pppd/plugins/pppoe/plugin.c ppp-2.4.7/pppd/plugins/pppoe/plugin.c
---- ppp-2.4.7.org/pppd/plugins/pppoe/plugin.c	2014-08-09 14:31:39.000000000 +0200
-+++ ppp-2.4.7/pppd/plugins/pppoe/plugin.c	2017-02-09 08:45:12.567493723 +0100
-@@ -49,6 +49,8 @@
- #include <net/ethernet.h>
- #include <net/if_arp.h>
- #include <linux/ppp_defs.h>
-+#define _LINUX_IN_H
-+#define _LINUX_IN6_H
- #include <linux/if_pppox.h>
- 
- #ifndef _ROOT_PATH
diff --git a/src/patches/ppp/ppp-2.4.9-patch-configure-to-handle-cflags-properly.patch b/src/patches/ppp/ppp-2.4.9-patch-configure-to-handle-cflags-properly.patch
deleted file mode 100644
index b36ace192..000000000
--- a/src/patches/ppp/ppp-2.4.9-patch-configure-to-handle-cflags-properly.patch
+++ /dev/null
@@ -1,15 +0,0 @@ 
---- ppp-2.4.9.orig/configure	2021-03-30 21:38:27.415735914 +0200
-+++ ppp-2.4.9/configure	2021-04-01 19:10:48.632314447 +0200
-@@ -121,9 +121,9 @@
-     rm -f $2
-     if [ -f $1 ]; then
- 	echo "  $2 <= $1"
--	sed -e "s,@DESTDIR@,$DESTDIR,g" -e "s,@SYSCONF@,$SYSCONF,g" \
--	    -e "s,@CROSS_COMPILE@,$CROSS_COMPILE,g" -e "s,@CC@,$CC,g" \
--	    -e "s,@CFLAGS@,$CFLAGS,g" $1 >$2
-+	sed -e "s#@DESTDIR@#$DESTDIR#g" -e "s#@SYSCONF@#$SYSCONF#g" \
-+	    -e "s#@CROSS_COMPILE@#$CROSS_COMPILE#g" -e "s#@CC@#$CC#g" \
-+	    -e "s#@CFLAGS@#$CFLAGS#g" $1 >$2
-     fi
- }
- 
diff --git a/src/patches/ppp/0012-pppd-we-don-t-want-to-accidentally-leak-fds.patch b/src/patches/ppp/ppp-2.5.0-1-we-don-t-want-to-accidentally-leak-fds.patch
similarity index 54%
rename from src/patches/ppp/0012-pppd-we-don-t-want-to-accidentally-leak-fds.patch
rename to src/patches/ppp/ppp-2.5.0-1-we-don-t-want-to-accidentally-leak-fds.patch
index 90bb2d161..98ab03119 100644
--- a/src/patches/ppp/0012-pppd-we-don-t-want-to-accidentally-leak-fds.patch
+++ b/src/patches/ppp/ppp-2.5.0-1-we-don-t-want-to-accidentally-leak-fds.patch
@@ -1,20 +1,8 @@ 
-From 82cd789df0f022eb6f3d28646e7a61d1d0715805 Mon Sep 17 00:00:00 2001
-From: Michal Sekletar <msekleta@redhat.com>
-Date: Mon, 7 Apr 2014 12:23:36 +0200
-Subject: [PATCH 12/25] pppd: we don't want to accidentally leak fds
-
----
- pppd/auth.c      | 20 ++++++++++----------
- pppd/options.c   |  2 +-
- pppd/sys-linux.c |  4 ++--
- 3 files changed, 13 insertions(+), 13 deletions(-)
-
-diff --git a/pppd/auth.c b/pppd/auth.c
-index 4271af6..9e957fa 100644
---- a/pppd/auth.c
-+++ b/pppd/auth.c
-@@ -428,7 +428,7 @@ setupapfile(argv)
- 	option_error("unable to reset uid before opening %s: %m", fname);
+diff -Naur pppd.orig/auth.c pppd/auth.c
+--- pppd.orig/auth.c	2023-03-25 05:38:30.000000000 +0100
++++ pppd/auth.c	2023-06-30 12:38:13.748482796 +0200
+@@ -518,7 +518,7 @@
+         free(fname);
  	return 0;
      }
 -    ufile = fopen(fname, "r");
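Review bot: The first hunk of the renamed patch file drops the original `From:`/`Date:`/`Subject:` header (Michal Sekletar, "pppd: we don't want to accidentally leak fds") and leaves a bare `diff -Naur`, so the file no longer records where the change came from or why `fopen(..., "re")` is wanted. Suggest keeping a short header above the first `diff` line that names the original author and states that the glibc "e" mode flag opens the secrets files close-on-exec. The same applies to the O_CLOEXEC and SOCK_CLOEXEC patch files.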
@@ -22,8 +10,8 @@  index 4271af6..9e957fa 100644
      if (seteuid(euid) == -1)
  	fatal("unable to regain privileges: %m");
      if (ufile == NULL) {
-@@ -1413,7 +1413,7 @@ check_passwd(unit, auser, userlen, apasswd, passwdlen, msg)
-     filename = _PATH_UPAPFILE;
+@@ -1535,7 +1535,7 @@
+     filename = PPP_PATH_UPAPFILE;
      addrs = opts = NULL;
      ret = UPAP_AUTHNAK;
 -    f = fopen(filename, "r");
@@ -31,52 +19,52 @@  index 4271af6..9e957fa 100644
      if (f == NULL) {
  	error("Can't open PAP password file %s: %m", filename);
  
-@@ -1512,7 +1512,7 @@ null_login(unit)
+@@ -1635,7 +1635,7 @@
      if (ret <= 0) {
- 	filename = _PATH_UPAPFILE;
+ 	filename = PPP_PATH_UPAPFILE;
  	addrs = NULL;
 -	f = fopen(filename, "r");
 +	f = fopen(filename, "re");
  	if (f == NULL)
  	    return 0;
  	check_access(f, filename);
-@@ -1559,7 +1559,7 @@ get_pap_passwd(passwd)
+@@ -1681,7 +1681,7 @@
      }
  
-     filename = _PATH_UPAPFILE;
+     filename = PPP_PATH_UPAPFILE;
 -    f = fopen(filename, "r");
 +    f = fopen(filename, "re");
      if (f == NULL)
  	return 0;
      check_access(f, filename);
-@@ -1597,7 +1597,7 @@ have_pap_secret(lacks_ipp)
+@@ -1718,7 +1718,7 @@
      }
  
-     filename = _PATH_UPAPFILE;
+     filename = PPP_PATH_UPAPFILE;
 -    f = fopen(filename, "r");
 +    f = fopen(filename, "re");
      if (f == NULL)
  	return 0;
  
-@@ -1642,7 +1642,7 @@ have_chap_secret(client, server, need_ip, lacks_ipp)
+@@ -1760,7 +1760,7 @@
      }
  
-     filename = _PATH_CHAPFILE;
+     filename = PPP_PATH_CHAPFILE;
 -    f = fopen(filename, "r");
 +    f = fopen(filename, "re");
      if (f == NULL)
  	return 0;
  
-@@ -1684,7 +1684,7 @@ have_srp_secret(client, server, need_ip, lacks_ipp)
+@@ -1798,7 +1798,7 @@
      struct wordlist *addrs;
  
-     filename = _PATH_SRPFILE;
+     filename = PPP_PATH_SRPFILE;
 -    f = fopen(filename, "r");
 +    f = fopen(filename, "re");
      if (f == NULL)
  	return 0;
  
-@@ -1740,7 +1740,7 @@ get_secret(unit, client, server, secret, secret_len, am_server)
+@@ -1849,7 +1849,7 @@
  	addrs = NULL;
  	secbuf[0] = 0;
  
@@ -85,8 +73,8 @@  index 4271af6..9e957fa 100644
  	if (f == NULL) {
  	    error("Can't open chap secret file %s: %m", filename);
  	    return 0;
-@@ -1797,7 +1797,7 @@ get_srp_secret(unit, client, server, secret, am_server)
- 	filename = _PATH_SRPFILE;
+@@ -1902,7 +1902,7 @@
+ 	filename = PPP_PATH_SRPFILE;
  	addrs = NULL;
  
 -	fp = fopen(filename, "r");
@@ -94,7 +82,7 @@  index 4271af6..9e957fa 100644
  	if (fp == NULL) {
  	    error("Can't open srp secret file %s: %m", filename);
  	    return 0;
-@@ -2203,7 +2203,7 @@ scan_authfile(f, client, server, secret, addrs, opts, filename, flags)
+@@ -2291,7 +2291,7 @@
  	     */
  	    if (word[0] == '@' && word[1] == '/') {
  		strlcpy(atfile, word+1, sizeof(atfile));
@@ -103,12 +91,38 @@  index 4271af6..9e957fa 100644
  		    warn("can't open indirect secret file %s", atfile);
  		    continue;
  		}
-diff --git a/pppd/options.c b/pppd/options.c
-index 45fa742..1d754ae 100644
---- a/pppd/options.c
-+++ b/pppd/options.c
-@@ -427,7 +427,7 @@ options_from_file(filename, must_exist, check_prot, priv)
- 	option_error("unable to drop privileges to open %s: %m", filename);
+@@ -2461,7 +2461,7 @@
+     char pkfile[MAXWORDLEN];
+ 
+     filename = PPP_PATH_EAPTLSSERVFILE;
+-    f = fopen(filename, "r");
++    f = fopen(filename, "re");
+     if (f == NULL)
+ 		return 0;
+ 
+@@ -2518,7 +2518,7 @@
+ 		return 1;
+ 
+     filename = PPP_PATH_EAPTLSCLIFILE;
+-    f = fopen(filename, "r");
++    f = fopen(filename, "re");
+     if (f == NULL)
+ 		return 0;
+ 
+@@ -2738,7 +2738,7 @@
+ 		filename = (am_server ? PPP_PATH_EAPTLSSERVFILE : PPP_PATH_EAPTLSCLIFILE);
+ 		addrs = NULL;
+ 
+-		fp = fopen(filename, "r");
++		fp = fopen(filename, "re");
+ 		if (fp == NULL)
+ 		{
+ 			error("Can't open eap-tls secret file %s: %m", filename);
+diff -Naur pppd.orig/options.c pppd/options.c
+--- pppd.orig/options.c	2023-03-25 05:38:30.000000000 +0100
++++ pppd/options.c	2023-06-30 12:42:19.262593140 +0200
+@@ -555,7 +555,7 @@
+ 	ppp_option_error("unable to drop privileges to open %s: %m", filename);
  	return 0;
      }
 -    f = fopen(filename, "r");
@@ -116,11 +130,10 @@  index 45fa742..1d754ae 100644
      err = errno;
      if (check_prot && seteuid(euid) == -1)
  	fatal("unable to regain privileges");
-diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c
-index 72a7727..8a12fa0 100644
---- a/pppd/sys-linux.c
-+++ b/pppd/sys-linux.c
-@@ -1412,7 +1412,7 @@ static char *path_to_procfs(const char *tail)
+diff -Naur pppd.orig/sys-linux.c pppd/sys-linux.c
+--- pppd.orig/sys-linux.c	2023-03-10 02:50:41.000000000 +0100
++++ pppd/sys-linux.c	2023-06-30 12:43:20.634453475 +0200
+@@ -1978,7 +1978,7 @@
  	/* Default the mount location of /proc */
  	strlcpy (proc_path, "/proc", sizeof(proc_path));
  	proc_path_len = 5;
@@ -129,7 +142,7 @@  index 72a7727..8a12fa0 100644
  	if (fp != NULL) {
  	    while ((mntent = getmntent(fp)) != NULL) {
  		if (strcmp(mntent->mnt_type, MNTTYPE_IGNORE) == 0)
-@@ -1472,7 +1472,7 @@ static int open_route_table (void)
+@@ -2038,7 +2038,7 @@
      close_route_table();
  
      path = path_to_procfs("/net/route");
@@ -138,6 +151,12 @@  index 72a7727..8a12fa0 100644
      if (route_fd == NULL) {
  	error("can't open routing table %s: %m", path);
  	return 0;
--- 
-1.8.3.1
-
+@@ -2322,7 +2322,7 @@
+     close_route_table();
+ 
+     path = path_to_procfs("/net/ipv6_route");
+-    route_fd = fopen (path, "r");
++    route_fd = fopen (path, "re");
+     if (route_fd == NULL) {
+ 	error("can't open routing table %s: %m", path);
+ 	return 0;
diff --git a/src/patches/ppp/0013-everywhere-O_CLOEXEC-harder.patch b/src/patches/ppp/ppp-2.5.0-2-everywhere-O_CLOEXEC-harder.patch
similarity index 63%
rename from src/patches/ppp/0013-everywhere-O_CLOEXEC-harder.patch
rename to src/patches/ppp/ppp-2.5.0-2-everywhere-O_CLOEXEC-harder.patch
index 0fb028779..c205c0e08 100644
--- a/src/patches/ppp/0013-everywhere-O_CLOEXEC-harder.patch
+++ b/src/patches/ppp/ppp-2.5.0-2-everywhere-O_CLOEXEC-harder.patch
@@ -1,23 +1,7 @@ 
-From 302c1b736cb656c7885a0cba270fd953a672d8a8 Mon Sep 17 00:00:00 2001
-From: Michal Sekletar <msekleta@redhat.com>
-Date: Mon, 7 Apr 2014 13:56:34 +0200
-Subject: [PATCH 13/25] everywhere: O_CLOEXEC harder
-
----
- pppd/eap.c       |  2 +-
- pppd/main.c      |  4 ++--
- pppd/options.c   |  4 ++--
- pppd/sys-linux.c | 22 +++++++++++-----------
- pppd/tdb.c       |  4 ++--
- pppd/tty.c       |  4 ++--
- pppd/utils.c     |  6 +++---
- 7 files changed, 23 insertions(+), 23 deletions(-)
-
-diff --git a/pppd/eap.c b/pppd/eap.c
-index 6ea6c1f..faced53 100644
---- a/pppd/eap.c
-+++ b/pppd/eap.c
-@@ -1226,7 +1226,7 @@ mode_t modebits;
+diff -Naur pppd.orig/eap.c pppd/eap.c
+--- pppd.orig/eap.c	2023-03-25 05:38:30.000000000 +0100
++++ pppd/eap.c	2023-06-30 12:58:07.984676045 +0200
+@@ -1542,7 +1542,7 @@
  
  	if ((path = name_of_pn_file()) == NULL)
  		return (-1);
@@ -26,34 +10,23 @@  index 6ea6c1f..faced53 100644
  	err = errno;
  	free(path);
  	errno = err;
-diff --git a/pppd/main.c b/pppd/main.c
-index 87a5d29..152e4a2 100644
---- a/pppd/main.c
-+++ b/pppd/main.c
-@@ -400,7 +400,7 @@ main(int argc, char *argv[])
+diff -Naur pppd.orig/main.c pppd/main.c
+--- pppd.orig/main.c	2023-03-25 05:38:30.000000000 +0100
++++ pppd/main.c	2023-06-30 13:00:15.155195676 +0200
+@@ -479,7 +479,7 @@
  	die(0);
  
      /* Make sure fds 0, 1, 2 are open to somewhere. */
--    fd_devnull = open(_PATH_DEVNULL, O_RDWR);
-+    fd_devnull = open(_PATH_DEVNULL, O_RDWR | O_CLOEXEC);
+-    fd_devnull = open(PPP_DEVNULL, O_RDWR);
++    fd_devnull = open(PPP_DEVNULL, O_RDWR | O_CLOEXEC);
      if (fd_devnull < 0)
- 	fatal("Couldn't open %s: %m", _PATH_DEVNULL);
+ 	fatal("Couldn't open %s: %m", PPP_DEVNULL);
      while (fd_devnull <= 2) {
-@@ -1642,7 +1642,7 @@ device_script(char *program, int in, int out, int dont_wait)
-     if (log_to_fd >= 0)
- 	errfd = log_to_fd;
-     else
--	errfd = open(_PATH_CONNERRS, O_WRONLY | O_APPEND | O_CREAT, 0644);
-+	errfd = open(_PATH_CONNERRS, O_WRONLY | O_APPEND | O_CREAT | O_CLOEXEC, 0644);
- 
-     ++conn_running;
-     pid = safe_fork(in, out, errfd);
-diff --git a/pppd/options.c b/pppd/options.c
-index 1d754ae..8e62635 100644
---- a/pppd/options.c
-+++ b/pppd/options.c
-@@ -1544,9 +1544,9 @@ setlogfile(argv)
- 	option_error("unable to drop permissions to open %s: %m", *argv);
+diff -Naur pppd.orig/options.c pppd/options.c
+--- pppd.orig/options.c	2023-06-30 12:42:19.262593140 +0200
++++ pppd/options.c	2023-06-30 13:01:58.388323345 +0200
+@@ -1718,9 +1718,9 @@
+ 	ppp_option_error("unable to drop permissions to open %s: %m", *argv);
  	return 0;
      }
 -    fd = open(*argv, O_WRONLY | O_APPEND | O_CREAT | O_EXCL, 0644);
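Review bot: The old patch's `device_script` hunk in main.c, which added `O_CLOEXEC` to the `open(_PATH_CONNERRS, ...)` call, is removed here with no 2.5.0 counterpart, while the `fd_devnull` hunk beside it is ported. Please confirm that the connect-errors open in 2.5.0 no longer needs the flag and say so in the commit message, or re-add the hunk against the new source. The commit message only mentions lines that were added to the patches, not ones that were dropped.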
@@ -64,11 +37,10 @@  index 1d754ae..8e62635 100644
      err = errno;
      if (!privileged_option && seteuid(euid) == -1)
  	fatal("unable to regain privileges: %m");
-diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c
-index 8a12fa0..00a2cf5 100644
---- a/pppd/sys-linux.c
-+++ b/pppd/sys-linux.c
-@@ -459,7 +459,7 @@ int generic_establish_ppp (int fd)
+diff -Naur pppd.orig/sys-linux.c pppd/sys-linux.c
+--- pppd.orig/sys-linux.c	2023-06-30 12:43:20.634453475 +0200
++++ pppd/sys-linux.c	2023-06-30 13:11:25.715511251 +0200
+@@ -666,7 +666,7 @@
  	    goto err;
  	}
  	dbglog("using channel %d", chindex);
@@ -77,7 +49,7 @@  index 8a12fa0..00a2cf5 100644
  	if (fd < 0) {
  	    error("Couldn't reopen /dev/ppp: %m");
  	    goto err;
-@@ -619,7 +619,7 @@ static int make_ppp_unit()
+@@ -904,7 +904,7 @@
  		dbglog("in make_ppp_unit, already had /dev/ppp open?");
  		close(ppp_dev_fd);
  	}
@@ -86,7 +58,7 @@  index 8a12fa0..00a2cf5 100644
  	if (ppp_dev_fd < 0)
  		fatal("Couldn't open /dev/ppp: %m");
  	flags = fcntl(ppp_dev_fd, F_GETFL);
-@@ -693,7 +693,7 @@ int bundle_attach(int ifnum)
+@@ -1025,7 +1025,7 @@
  	if (!new_style_driver)
  		return -1;
  
@@ -95,7 +67,7 @@  index 8a12fa0..00a2cf5 100644
  	if (master_fd < 0)
  		fatal("Couldn't open /dev/ppp: %m");
  	if (ioctl(master_fd, PPPIOCATTACH, &ifnum) < 0) {
-@@ -1715,7 +1715,7 @@ int sifproxyarp (int unit, u_int32_t his_adr)
+@@ -2533,7 +2533,7 @@
  	if (tune_kernel) {
  	    forw_path = path_to_procfs("/sys/net/ipv4/ip_forward");
  	    if (forw_path != 0) {
@@ -104,7 +76,7 @@  index 8a12fa0..00a2cf5 100644
  		if (fd >= 0) {
  		    if (write(fd, "1", 1) != 1)
  			error("Couldn't enable IP forwarding: %m");
-@@ -2030,7 +2030,7 @@ int ppp_available(void)
+@@ -2878,7 +2878,7 @@
      sscanf(utsname.release, "%d.%d.%d", &osmaj, &osmin, &ospatch);
      kernel_version = KVERSION(osmaj, osmin, ospatch);
  
@@ -113,7 +85,7 @@  index 8a12fa0..00a2cf5 100644
      if (fd >= 0) {
  	new_style_driver = 1;
  
-@@ -2208,7 +2208,7 @@ void logwtmp (const char *line, const char *name, const char *host)
+@@ -3056,7 +3056,7 @@
  #if __GLIBC__ >= 2
      updwtmp(_PATH_WTMP, &ut);
  #else
@@ -122,7 +94,7 @@  index 8a12fa0..00a2cf5 100644
      if (wtmp >= 0) {
  	flock(wtmp, LOCK_EX);
  
-@@ -2394,7 +2394,7 @@ int sifaddr (int unit, u_int32_t our_adr, u_int32_t his_adr,
+@@ -3280,7 +3280,7 @@
  	int fd;
  
  	path = path_to_procfs("/sys/net/ipv4/ip_dynaddr");
@@ -131,7 +103,7 @@  index 8a12fa0..00a2cf5 100644
  	    if (write(fd, "1", 1) != 1)
  		error("Couldn't enable dynamic IP addressing: %m");
  	    close(fd);
-@@ -2570,7 +2570,7 @@ get_pty(master_fdp, slave_fdp, slave_name, uid)
+@@ -3534,7 +3534,7 @@
      /*
       * Try the unix98 way first.
       */
@@ -140,17 +112,17 @@  index 8a12fa0..00a2cf5 100644
      if (mfd >= 0) {
  	int ptn;
  	if (ioctl(mfd, TIOCGPTN, &ptn) >= 0) {
-@@ -2851,7 +2851,8 @@
+@@ -3545,7 +3545,8 @@
  	    if (ioctl(mfd, TIOCSPTLCK, &ptn) < 0)
  		warn("Couldn't unlock pty slave %s: %m", pty_name);
  #endif
 -	    if ((sfd = open(pty_name, O_RDWR | O_NOCTTY)) < 0)
 +
-+            if ((sfd = open(pty_name, O_RDWR | O_NOCTTY | O_CLOEXEC)) < 0)
-	    {
++	    if ((sfd = open(pty_name, O_RDWR | O_NOCTTY | O_CLOEXEC)) < 0)
+ 	    {
  		warn("Couldn't open pty slave %s: %m", pty_name);
-		close(mfd);
-@@ -2865,10 +2866,10 @@
+ 		close(mfd);
+@@ -3559,10 +3560,10 @@
  	for (i = 0; i < 64; ++i) {
  	    slprintf(pty_name, sizeof(pty_name), "/dev/pty%c%x",
  		     'p' + i / 16, i % 16);
@@ -161,13 +133,12 @@  index 8a12fa0..00a2cf5 100644
 -		sfd = open(pty_name, O_RDWR | O_NOCTTY, 0);
 +		sfd = open(pty_name, O_RDWR | O_NOCTTY | O_CLOEXEC, 0);
  		if (sfd >= 0) {
- 		    fchown(sfd, uid, -1);
- 		    fchmod(sfd, S_IRUSR | S_IWUSR);
-diff --git a/pppd/tdb.c b/pppd/tdb.c
-index bdc5828..c7ab71c 100644
---- a/pppd/tdb.c
-+++ b/pppd/tdb.c
-@@ -1724,7 +1724,7 @@ TDB_CONTEXT *tdb_open_ex(const char *name, int hash_size, int tdb_flags,
+ 		    ret = fchown(sfd, uid, -1);
+ 		    if (ret != 0) {
+diff -Naur pppd.orig/tdb.c pppd/tdb.c
+--- pppd.orig/tdb.c	2021-07-23 06:41:07.000000000 +0200
++++ pppd/tdb.c	2023-06-30 13:12:55.034900600 +0200
+@@ -1728,7 +1728,7 @@
  		goto internal;
  	}
  
@@ -176,7 +147,7 @@  index bdc5828..c7ab71c 100644
  		TDB_LOG((tdb, 5, "tdb_open_ex: could not open file %s: %s\n",
  			 name, strerror(errno)));
  		goto fail;	/* errno set by open(2) */
-@@ -1967,7 +1967,7 @@ int tdb_reopen(TDB_CONTEXT *tdb)
+@@ -1971,7 +1971,7 @@
  	}
  	if (close(tdb->fd) != 0)
  		TDB_LOG((tdb, 0, "tdb_reopen: WARNING closing tdb->fd failed!\n"));
@@ -185,12 +156,11 @@  index bdc5828..c7ab71c 100644
  	if (tdb->fd == -1) {
  		TDB_LOG((tdb, 0, "tdb_reopen: open failed (%s)\n", strerror(errno)));
  		goto fail;
-diff --git a/pppd/tty.c b/pppd/tty.c
-index d571b11..bc96695 100644
---- a/pppd/tty.c
-+++ b/pppd/tty.c
-@@ -569,7 +569,7 @@ int connect_tty()
- 				status = EXIT_OPEN_FAILED;
+diff -Naur pppd.orig/tty.c pppd/tty.c
+--- pppd.orig/tty.c	2023-03-25 05:38:30.000000000 +0100
++++ pppd/tty.c	2023-06-30 13:14:06.450418113 +0200
+@@ -621,7 +621,7 @@
+ 				ppp_set_status(EXIT_OPEN_FAILED);
  				goto errret;
  			}
 -			real_ttyfd = open(devnam, O_NONBLOCK | O_RDWR, 0);
@@ -198,7 +168,7 @@  index d571b11..bc96695 100644
  			err = errno;
  			if (prio < OPRIO_ROOT && seteuid(0) == -1)
  				fatal("Unable to regain privileges");
-@@ -723,7 +723,7 @@ int connect_tty()
+@@ -775,7 +775,7 @@
  	if (connector == NULL && modem && devnam[0] != 0) {
  		int i;
  		for (;;) {
@@ -207,12 +177,11 @@  index d571b11..bc96695 100644
  				break;
  			if (errno != EINTR) {
  				error("Failed to reopen %s: %m", devnam);
-diff --git a/pppd/utils.c b/pppd/utils.c
-index 29bf970..6051b9a 100644
---- a/pppd/utils.c
-+++ b/pppd/utils.c
-@@ -918,14 +918,14 @@ lock(dev)
-     slprintf(lock_file, sizeof(lock_file), "%s/LCK..%s", LOCK_DIR, dev);
+diff -Naur pppd.orig/utils.c pppd/utils.c
+--- pppd.orig/utils.c	2022-12-30 02:12:39.000000000 +0100
++++ pppd/utils.c	2023-06-30 13:15:47.860182369 +0200
+@@ -843,14 +843,14 @@
+     slprintf(lock_file, sizeof(lock_file), "%s/LCK..%s", PPP_PATH_LOCKDIR, dev);
  #endif
  
 -    while ((fd = open(lock_file, O_EXCL | O_CREAT | O_RDWR, 0644)) < 0) {
@@ -228,7 +197,7 @@  index 29bf970..6051b9a 100644
  	if (fd < 0) {
  	    if (errno == ENOENT) /* This is just a timing problem. */
  		continue;
-@@ -1004,7 +1004,7 @@ relock(pid)
+@@ -933,7 +933,7 @@
  
      if (lock_file[0] == 0)
  	return -1;
@@ -237,6 +206,3 @@  index 29bf970..6051b9a 100644
      if (fd < 0) {
  	error("Couldn't reopen lock file %s: %m", lock_file);
  	lock_file[0] = 0;
--- 
-1.8.3.1
-
diff --git a/src/patches/ppp/ppp-2.5.0-3-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch b/src/patches/ppp/ppp-2.5.0-3-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch
new file mode 100644
index 000000000..cfd72e468
--- /dev/null
+++ b/src/patches/ppp/ppp-2.5.0-3-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch
@@ -0,0 +1,135 @@ 
+diff -Naur pppd.orig/plugins/pppoatm/pppoatm.c pppd/plugins/pppoatm/pppoatm.c
+--- pppd.orig/plugins/pppoatm/pppoatm.c	2023-03-25 05:38:30.000000000 +0100
++++ pppd/plugins/pppoatm/pppoatm.c	2023-06-30 13:21:33.397378347 +0200
+@@ -146,7 +146,7 @@
+ 
+ 	if (!device_got_set)
+ 		no_device_given_pppoatm();
+-	fd = socket(AF_ATMPVC, SOCK_DGRAM, 0);
++	fd = socket(AF_ATMPVC, SOCK_DGRAM | SOCK_CLOEXEC, 0);
+ 	if (fd < 0)
+ 		fatal("failed to create socket: %m");
+ 	memset(&qos, 0, sizeof qos);
+diff -Naur pppd.orig/plugins/pppoe/if.c pppd/plugins/pppoe/if.c
+--- pppd.orig/plugins/pppoe/if.c	2022-12-30 02:12:39.000000000 +0100
++++ pppd/plugins/pppoe/if.c	2023-06-30 13:24:11.372183452 +0200
+@@ -116,7 +116,7 @@
+     stype = SOCK_PACKET;
+ #endif
+ 
+-    if ((fd = socket(domain, stype, htons(type))) < 0) {
++    if ((fd = socket(domain, stype | SOCK_CLOEXEC, htons(type))) < 0) {
+ 	/* Give a more helpful message for the common error case */
+ 	if (errno == EPERM) {
+ 	    fatal("Cannot create raw socket -- pppoe must be run as root.");
+diff -Naur pppd.orig/plugins/pppoe/plugin.c pppd/plugins/pppoe/plugin.c
+--- pppd.orig/plugins/pppoe/plugin.c	2023-03-25 05:38:30.000000000 +0100
++++ pppd/plugins/pppoe/plugin.c	2023-06-30 13:25:58.798782323 +0200
+@@ -155,7 +155,7 @@
+     /* server equipment).                                                  */
+     /* Opening this socket just before waitForPADS in the discovery()      */
+     /* function would be more appropriate, but it would mess-up the code   */
+-    conn->sessionSocket = socket(AF_PPPOX, SOCK_STREAM, PX_PROTO_OE);
++    conn->sessionSocket = socket(AF_PPPOX, SOCK_STREAM | SOCK_CLOEXEC, PX_PROTO_OE);
+     if (conn->sessionSocket < 0) {
+ 	error("Failed to create PPPoE socket: %m");
+ 	return -1;
+@@ -166,7 +166,7 @@
+     lcp_wantoptions[0].mru = conn->mru = conn->storedmru;
+ 
+     /* Update maximum MRU */
+-    s = socket(AF_INET, SOCK_DGRAM, 0);
++    s = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
+     if (s < 0) {
+ 	error("Can't get MTU for %s: %m", conn->ifName);
+ 	goto errout;
+@@ -364,7 +364,7 @@
+     }
+ 
+     /* Open a socket */
+-    if ((fd = socket(PF_PACKET, SOCK_RAW, 0)) < 0) {
++    if ((fd = socket(PF_PACKET, SOCK_RAW | SOCK_CLOEXEC, 0)) < 0) {
+ 	r = 0;
+     }
+ 
+diff -Naur pppd.orig/plugins/pppol2tp/openl2tp.c pppd/plugins/pppol2tp/openl2tp.c
+--- pppd.orig/plugins/pppol2tp/openl2tp.c	2023-03-10 02:50:41.000000000 +0100
++++ pppd/plugins/pppol2tp/openl2tp.c	2023-06-30 13:22:30.055768865 +0200
+@@ -93,7 +93,7 @@
+ 	int result;
+ 
+ 	if (openl2tp_fd < 0) {
+-		openl2tp_fd = socket(PF_UNIX, SOCK_DGRAM, 0);
++		openl2tp_fd = socket(PF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0);
+ 		if (openl2tp_fd < 0) {
+ 			error("openl2tp connection create: %m");
+ 			return -ENOTCONN;
+diff -Naur pppd.orig/plugins/pppol2tp/pppol2tp.c pppd/plugins/pppol2tp/pppol2tp.c
+--- pppd.orig/plugins/pppol2tp/pppol2tp.c	2022-12-30 02:12:39.000000000 +0100
++++ pppd/plugins/pppol2tp/pppol2tp.c	2023-06-30 13:23:13.493756755 +0200
+@@ -220,7 +220,7 @@
+ 		struct ifreq ifr;
+ 		int fd;
+ 
+-		fd = socket(AF_INET, SOCK_DGRAM, 0);
++		fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
+ 		if (fd >= 0) {
+ 			memset (&ifr, '\0', sizeof (ifr));
+ 			ppp_get_ifname(ifr.ifr_name, sizeof(ifr.ifr_name));
+diff -Naur pppd.orig/sys-linux.c pppd/sys-linux.c
+--- pppd.orig/sys-linux.c	2023-06-30 13:11:25.715511251 +0200
++++ pppd/sys-linux.c	2023-06-30 13:32:50.021272249 +0200
+@@ -499,12 +499,12 @@
+ void sys_init(void)
+ {
+     /* Get an internet socket for doing socket ioctls. */
+-    sock_fd = socket(AF_INET, SOCK_DGRAM, 0);
++    sock_fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
+     if (sock_fd < 0)
+ 	fatal("Couldn't create IP socket: %m(%d)", errno);
+ 
+ #ifdef PPP_WITH_IPV6CP
+-    sock6_fd = socket(AF_INET6, SOCK_DGRAM, 0);
++    sock6_fd = socket(AF_INET6, SOCK_DGRAM | SOCK_CLOEXEC, 0);
+     if (sock6_fd < 0)
+ 	sock6_fd = -errno;	/* save errno for later */
+ #endif
+@@ -2675,7 +2675,7 @@
+ 	struct ifreq ifreq;
+ 	int ret, sock_fd;
+ 
+-	sock_fd = socket(AF_INET, SOCK_DGRAM, 0);
++	sock_fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
+ 	if (sock_fd < 0)
+ 		return -1;
+ 	memset(&ifreq.ifr_hwaddr, 0, sizeof(struct sockaddr));
+@@ -2698,7 +2698,7 @@
+ 	struct ifreq ifreq;
+ 	int ret, sock_fd;
+ 
+-	sock_fd = socket(AF_INET, SOCK_DGRAM, 0);
++	sock_fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
+ 	if (sock_fd < 0)
+ 		return -1;
+ 
+@@ -2915,7 +2915,7 @@
+ /*
+  * Open a socket for doing the ioctl operations.
+  */
+-    s = socket(AF_INET, SOCK_DGRAM, 0);
++    s = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
+     if (s < 0)
+ 	return 0;
+ 
+diff -Naur pppd.orig/tty.c pppd/tty.c
+--- pppd.orig/tty.c	2023-06-30 13:14:06.450418113 +0200
++++ pppd/tty.c	2023-06-30 13:33:31.285858278 +0200
+@@ -942,7 +942,7 @@
+     *sep = ':';
+ 
+     /* get a socket and connect it to the other end */
+-    sock = socket(PF_INET, SOCK_STREAM, 0);
++    sock = socket(PF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0);
+     if (sock < 0) {
+ 	error("Can't create socket: %m");
+ 	return -1;
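Review bot: In the tty.c hunk at line 942, the socket now created with `SOCK_STREAM | SOCK_CLOEXEC` is the one that gets connected "to the other end", so please confirm that nothing depends on this descriptor surviving an exec by plain inheritance. A child that receives it through dup2() is unaffected, because the duplicate does not carry the close-on-exec flag. The other hunks (openl2tp.c, pppol2tp.c, sys-linux.c) cover the openl2tp connection socket and the ioctl helper sockets, where closing on exec is the desired behaviour, so child processes do not inherit them. The commit message notes that 2.5.0 brought additional lines needing this treatment, so a grep of the patched tree for `socket(` calls without `SOCK_CLOEXEC` would show whether any call sites were missed.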
diff --git a/src/patches/ppp/ppp-2.5.0-4-increase-max-padi-attempts.patch b/src/patches/ppp/ppp-2.5.0-4-increase-max-padi-attempts.patch
new file mode 100644
index 000000000..002b6066d
--- /dev/null
+++ b/src/patches/ppp/ppp-2.5.0-4-increase-max-padi-attempts.patch
@@ -0,0 +1,12 @@ 
+diff -Naur pppd.orig/plugins/pppoe/pppoe.h pppd/plugins/pppoe/pppoe.h
+--- pppd.orig/plugins/pppoe/pppoe.h	2022-12-30 02:12:39.000000000 +0100
++++ pppd/plugins/pppoe/pppoe.h	2023-06-30 13:37:07.189078090 +0200
+@@ -143,7 +143,7 @@
+ #define STATE_TERMINATED    4
+ 
+ /* How many PADI/PADS attempts? */
+-#define MAX_PADI_ATTEMPTS 3
++#define MAX_PADI_ATTEMPTS 4
+ 
+ /* Initial timeout for PADO/PADS */
+ #define PADI_TIMEOUT 5
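Review bot: The change of `MAX_PADI_ATTEMPTS` from 3 to 4 at pppoe.h line 146 carries no rationale, either in the patch file or in the commit message. The surrounding comment says the constant bounds both PADI and PADS attempts, so the extra retry applies to both discovery phases and lengthens the time before a dead link is reported. Please add a short header to the patch file stating why 4 was chosen, so the next version bump can judge whether the patch is still wanted.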
diff --git a/src/patches/ppp/ppp-2.5.0-5-headers_4.9.patch b/src/patches/ppp/ppp-2.5.0-5-headers_4.9.patch
new file mode 100644
index 000000000..dc6c22852
--- /dev/null
+++ b/src/patches/ppp/ppp-2.5.0-5-headers_4.9.patch
@@ -0,0 +1,12 @@ 
+diff -Naur pppd.orig/plugins/pppoe/plugin.c pppd/plugins/pppoe/plugin.c
+--- pppd.orig/plugins/pppoe/plugin.c	2023-06-30 13:25:58.798782323 +0200
++++ pppd/plugins/pppoe/plugin.c	2023-06-30 13:50:23.150026201 +0200
+@@ -46,6 +46,8 @@
+ #include <signal.h>
+ #include <net/if_arp.h>
+ #include <linux/ppp_defs.h>
++#define _LINUX_IN_H
++#define _LINUX_IN6_H
+ #include <linux/if_pppox.h>
+ 
+ #include <pppd/pppd.h>
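Review bot: The two added defines before `#include <linux/if_pppox.h>` in plugin.c (`_LINUX_IN_H` and `_LINUX_IN6_H`) pre-define what look like the kernel headers' include guards, and nothing in the patch says which conflict this avoids. The trick is fragile: it silently stops working if the guard names change, and it hides every declaration from those headers for the rest of the file. The file name refers to 4.9 headers, so please check whether the build against the current kernel headers still fails without this patch. If it does, add a comment above the defines naming the conflicting declarations. If it does not, the patch can be dropped.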
diff --git a/src/patches/ppp/ppp-2.5.0-6-patch-configure-to-handle-cflags-properly.patch b/src/patches/ppp/ppp-2.5.0-6-patch-configure-to-handle-cflags-properly.patch
new file mode 100644
index 000000000..0e9eab6ed
--- /dev/null
+++ b/src/patches/ppp/ppp-2.5.0-6-patch-configure-to-handle-cflags-properly.patch
@@ -0,0 +1,18 @@ 
+diff -Naur ppp-2.5.0.orig/configure ppp-2.5.0/configure
+--- ppp-2.5.0.orig/configure	2023-03-25 05:38:36.000000000 +0100
++++ ppp-2.5.0/configure	2023-06-30 14:05:14.773950477 +0200
+@@ -17774,10 +17774,10 @@
+         rm -f $2
+         if [ -f $1 ]; then
+             echo "  $2 <= $1"
+-            sed -e "s,@DESTDIR@,$prefix,g" \
+-                -e "s,@SYSCONF@,$sysconfdir,g" \
+-                -e "s,@CC@,$CC,g" \
+-                -e "s|@CFLAGS@|$CFLAGS|g" $1 > $2
++            sed -e "s#@DESTDIR@#$prefix#g" \
++                -e "s#@SYSCONF@#$sysconfdir#g" \
++                -e "s#@CC@#$CC#g" \
++                -e "s#@CFLAGS@#$CFLAGS#g" $1 > $2
+         fi
+     }
+
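Review bot: Switching all four sed expressions in configure (line 17777 onward) to `#` as delimiter only moves the problem. The substitution still breaks if `$prefix`, `$sysconfdir`, `$CC` or `$CFLAGS` contains a `#`, and an `&` or backslash in any of them is still interpreted by sed in the replacement text. Please state in the patch header which character in IPFire's values motivated the change, since the original already used `|` for `@CFLAGS@` and `,` for the rest. Note also that `$1 > $2` remains unquoted. Because this edits the generated configure script and not its source, the hunk offset will need re-checking on every upstream release.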