Date: Wed, 3 May 2006 06:10:18 GMT
From: Joerg Pulz <Joerg.Pulz@frm2.tum.de>
To: freebsd-ports-bugs@FreeBSD.org
Subject: Re: ports/96368: security/ipsec-tools: use OPTIONS, extend featureset
Message-ID: <200605030610.k436AIn2028024@freefall.freebsd.org>
The following reply was made to PR ports/96368; it has been noted by GNATS. 
From: Joerg Pulz <Joerg.Pulz@frm2.tum.de>
To: VANHULLEBUS Yvan <yvan.vanhullebus@netasq.com>
Cc: Renato Botelho <garga@freebsd.org>, bug-followup@freebsd.org
Subject: Re: ports/96368: security/ipsec-tools: use OPTIONS, extend featureset
Date: Wed, 3 May 2006 08:05:20 +0200 (CEST)

On Tue, 2 May 2006, VANHULLEBUS Yvan wrote:

> On Sun, Apr 30, 2006 at 11:20:51PM +0200, Joerg Pulz wrote:
[...]
>> - added some descriptive output if NATT is enabled (to please Yvan ;) )
>
> The simplest description in the option would be "enable NAT-T if
> kernel support". That is exactly what configure will do.

The OPTIONS description for NATT is already set to:
"enable NAT-Traversal (kernel-patch required)"
I think this is enough, as it is more than the current version of the port has as description (currently there is no message at all).

> The warning message if activated is also a good thing.

There is a warning now which points the user to the URL for the downloadable patches. It appears just before configure kicks in.

>> - small change to pkg-plist to create and delete the STATEDIR
>
> I also took more time to look at the configure patch.
>
> If this is not "so urgent", the best way is to report a patch to
> configure.ac directly to the ipsec-tools-devel ML (or directly to me),
> I'll integrate it for 0.6.6 (which will soon need to be released).

I will take a look at this, maybe I can write a small patch which you can integrate in the next release. But for now we should keep it as it is, to have a consistent behavior for port and package.

[...]
> Ok for localstatedir.
>
> [....]
>> I hope I get an approval for this version of the patch as I would really
>> like to see this in the tree.
>
> Well, I wish I'll have enough time to just get your patch and do
> quickly myself the minor changes I've requested, but I'm really very
> busy those days....
>
> The "last" remaining problem is adminport....
> The reason why I'm not sure it is a good idea to enable it by default
> is that it will create the socket file needed to communicate between
> racoonctl/racoon, but I know there are some caveats where the file is
> not correctly removed (for example if racoon crashes).
>
> People may take a lot of time to understand that racoon doesn't
> restart just because the file already exists!

Just curious, I have no problem starting/restarting racoon when the socket file already exists.

Anyway, to please you even more, I've modified the racoon.sh rcNG script a little bit, so that it removes the pidfile and the socketfile after a normal stop of racoon and just before the racoon startup, in case racoon died unexpectedly. Now we are sure that we have no leftovers from previously running racoon processes.

I've also set the ADMINPORT OPTION to off by default.

The new complete patch is:

--- security_ipsec-tools.diff3 begins here ---
Index: Makefile =================================================================== RCS file: /home/ncvs/ports/security/ipsec-tools/Makefile,v retrieving revision 1.11 diff -u -r1.11 Makefile - --- Makefile 23 Feb 2006 10:38:57 -0000 1.11 +++ Makefile 3 May 2006 06:02:26 -0000 @@ -4,15 +4,14 @@ # # $FreeBSD: ports/security/ipsec-tools/Makefile,v 1.11 2006/02/23 10:38:57 ade Exp $ - -# TODO: - configurable --enable-xxx - -# - libipsec issue ? +# TODO: - libipsec issue ? # - cleanup... # - SYSCONFDIR # - $LOCALBASE/sbin/setkey Vs /usr/sbin/setkey PORTNAME= ipsec-tools PORTVERSION= 0.6.5 - -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= security net MASTER_SITES= ${MASTER_SITE_SOURCEFORGE} MASTER_SITE_SUBDIR= ipsec-tools 
@@ -26,22 +25,142 @@ USE_OPENSSL= yes USE_BZIP2= yes - -WRKSRC= ${WRKDIR}/${DISTNAME} GNU_CONFIGURE= yes INSTALLS_SHLIB= yes - -LDFLAGS= -L${LOCALBASE}/lib CONFIGURE_TARGET= --build=${MACHINE_ARCH}-portbld-freebsd${OSREL} - -CONFIGURE_ARGS= --enable-debug --enable-dpd --enable-natt=kernel \ - - --enable-frag --enable-ipv6 --enable-shared \ - - --sysconfdir=${PREFIX}/etc/racoon \ +CONFIGURE_ARGS= --enable-shared --sysconfdir=${PREFIX}/etc/racoon \ + --localstatedir=${STATEDIR:S/\/racoon//} \ --with-pkgversion=freebsd-${PORTVERSION} +STATEDIR= ${DESTDIR}/var/db/racoon +SUB_LIST+= STATEDIR=${STATEDIR} +PLIST_SUB+= STATEDIR=${STATEDIR} + +OPTIONS= DEBUG "enable Debug support" on \ + IPV6 "enable IPV6 support" on \ + ADMINPORT "enable Admin port" off \ + STATS "enable Statistics logging function" off \ + DPD "enable Dead Peer Detection" on \ + NATT "enable NAT-Traversal (kernel-patch required)" on \ + FRAG "enable IKE fragmentation payload support" on \ + HYBRID "enable Hybrid Mode-cfg and Xauth support" off \ + PAM "enable PAM authentication" off \ + GSSAPI "enable GSS-API authentication" off \ + RADIUS "enable Radius authentication" off \ + SAUNSPEC "enable Unspecified SA mode" off \ + RC5 "enable RC5 encryption (patented)" off \ + IDEA "enable IDEA encryption (patented)" off + MAN3= ipsec_set_policy.3 ipsec_strerror.3 MAN5= racoon.conf.5 MAN8= racoon.8 racoonctl.8 setkey.8 plainrsa-gen.8 PORTDOCS= * +.include <bsd.port.pre.mk> + +.ifdef(WITH_DEBUG) +CONFIGURE_ARGS+= --enable-debug +.else +CONFIGURE_ARGS+= --disable-debug +.endif + +.ifdef(WITH_IPV6) +CONFIGURE_ARGS+= --enable-ipv6 +.else +CONFIGURE_ARGS+= --disable-ipv6 +.endif + +.ifdef(WITH_ADMINPORT) +CONFIGURE_ARGS+= --enable-adminport +.else +CONFIGURE_ARGS+= --disable-adminport +.endif + +.ifdef(WITH_STATS) +CONFIGURE_ARGS+= --enable-stats +.else +CONFIGURE_ARGS+= --disable-stats +.endif + +.ifdef(WITH_DPD) +CONFIGURE_ARGS+= --enable-dpd +.else +CONFIGURE_ARGS+= --disable-dpd +.endif + +.ifdef(WITH_NATT) 
+CONFIGURE_ARGS+= --enable-natt=kernel +.else +CONFIGURE_ARGS+= --disable-natt +.endif + +.ifdef(WITH_FRAG) +CONFIGURE_ARGS+= --enable-frag +.else +CONFIGURE_ARGS+= --disable-frag +.endif + +.ifdef(WITH_HYBRID) +CONFIGURE_ARGS+= --enable-hybrid +.else +CONFIGURE_ARGS+= --disable-hybrid +.endif + +.ifdef(WITH_PAM) +CONFIGURE_ARGS+= --with-libpam +.else +CONFIGURE_ARGS+= --without-libpam +.endif + +.ifdef(WITH_GSSAPI) +USE_ICONV= yes +CFLAGS+= -I${LOCALBASE}/include +LDFLAGS+= -L${LOCALBASE}/lib +CONFIGURE_ARGS+= --enable-gssapi +.else +CONFIGURE_ARGS+= --disable-gssapi +.endif + +.ifdef(WITH_RADIUS) +CONFIGURE_ARGS+= --with-libradius +.else +CONFIGURE_ARGS+= --without-libradius +.endif + +.ifdef(WITH_SAUNSPEC) +CONFIGURE_ARGS+= --enable-samode-unspec +.else +CONFIGURE_ARGS+= --disable-samode-unspec +.endif + +.ifdef(WITH_RC5) +CONFIGURE_ARGS+= --enable-rc5 +.else +CONFIGURE_ARGS+= --disable-rc5 +.endif + +.ifdef(WITH_IDEA) +CONFIGURE_ARGS+= --enable-idea +.else +CONFIGURE_ARGS+= --disable-idea +.endif + +.ifdef(WITH_NATT) +pre-configure: + @${ECHO_MSG} "===> -------------------------------------------------------------------------" + @${ECHO_MSG} "===> ATTENTION: You need a kernel patch to enable NAT-Traversal functionality!" + @${ECHO_MSG} "===> You can download the patch here:" +. if ${OSVERSION} < 500000 + @${ECHO_MSG} "===> http://ipsec-tools.sf.net/freebsd_nat-t.diff" +. else + @${ECHO_MSG} "===> http://ipsec-tools.sf.net/freebsd6-natt.diff" +. endif + @${ECHO_MSG} "===> You might possibly have to do some steps manually if it fails to apply." + @${ECHO_MSG} "===> -------------------------------------------------------------------------" + @sleep 3 +.endif + post-install: @if [ -z `/sbin/sysctl -a | ${GREP} -q ipsec && ${ECHO_CMD} ipsec` ]; then \ ${ECHO_MSG} "WARNING: IPsec feature is disabled on this host"; \ 
@@ -55,4 +174,4 @@ @${INSTALL_DATA} ${WRKSRC}/src/racoon/doc/* ${DOCSDIR} .endif - -.include <bsd.port.mk> +.include <bsd.port.post.mk> Index: pkg-descr =================================================================== RCS file: /home/ncvs/ports/security/ipsec-tools/pkg-descr,v retrieving revision 1.2 diff -u -r1.2 pkg-descr - --- pkg-descr 15 Sep 2005 12:11:48 -0000 1.2 +++ pkg-descr 3 May 2006 06:02:26 -0000 @@ -4,8 +4,7 @@ This is the IPSec-tools version of racoon. Enchancements: - -- Support of NAT-T. - -- Support of IKE fragmentation. +- Support of NAT-T and IKE fragmentation. - Support of many authentication algorithms. - Tons of bugfixes. Index: pkg-plist =================================================================== RCS file: /home/ncvs/ports/security/ipsec-tools/pkg-plist,v retrieving revision 1.4 diff -u -r1.4 pkg-plist - --- pkg-plist 23 Feb 2006 10:38:57 -0000 1.4 +++ pkg-plist 3 May 2006 06:02:26 -0000 @@ -1,4 +1,6 @@ +sbin/plainrsa-gen sbin/racoon +sbin/racoonctl sbin/setkey include/libipsec/libpfkey.h include/racoon/admin.h @@ -24,8 +26,6 @@ lib/libracoon.la lib/libracoon.so lib/libracoon.so.0 - -sbin/plainrsa-gen - -sbin/racoonctl %%EXAMPLESDIR%%/psk.txt %%EXAMPLESDIR%%/psk.txt.sample %%EXAMPLESDIR%%/racoon.conf @@ -47,4 +47,6 @@ @dirrm %%EXAMPLESDIR%%/roadwarrior/client @dirrm %%EXAMPLESDIR%%/roadwarrior @dirrm %%EXAMPLESDIR%% - -@dirrmtry var/racoon +@cwd / +@exec mkdir -p %%STATEDIR%% +@dirrmtry %%STATEDIR%% Index: files/patch-configure =================================================================== RCS file: files/patch-configure diff -N files/patch-configure - --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ files/patch-configure 3 May 2006 06:02:26 -0000 
@@ -0,0 +1,77 @@ +--- configure.orig Wed Apr 26 15:28:47 2006 ++++ configure Wed Apr 26 15:28:56 2006 +@@ -25122,6 +25122,74 @@ + fi + + ++ echo "$as_me:$LINENO: checking for iconv_open in -liconv" >&5 ++echo $ECHO_N "checking for iconv_open in -liconv... $ECHO_C" >&6 ++if test "${ac_cv_lib_iconv_iconv_open+set}" = set; then ++ echo $ECHO_N "(cached) $ECHO_C" >&6 ++else ++ ac_check_lib_save_LIBS=$LIBS ++LIBS="-liconv $LIBS" ++cat >conftest.$ac_ext <<_ACEOF ++/* confdefs.h. */ ++_ACEOF ++cat confdefs.h >>conftest.$ac_ext ++cat >>conftest.$ac_ext <<_ACEOF ++/* end confdefs.h. */ ++ ++/* Override any gcc2 internal prototype to avoid an error. */ ++#ifdef __cplusplus ++extern "C" ++#endif ++/* We use char because int might match the return type of a gcc2 ++ builtin and then its argument prototype would still apply. */ ++char iconv_open (); ++int ++main () ++{ ++iconv_open (); ++ ; ++ return 0; ++} ++_ACEOF ++rm -f conftest.$ac_objext conftest$ac_exeext ++if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 ++ (eval $ac_link) 2>conftest.er1 ++ ac_status=$? ++ grep -v '^ *+' conftest.er1 >conftest.err ++ rm -f conftest.er1 ++ cat conftest.err >&5 ++ echo "$as_me:$LINENO: \$? = $ac_status" >&5 ++ (exit $ac_status); } && ++ { ac_try='test -z "$ac_c_werror_flag" ++ || test ! -s conftest.err' ++ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 ++ (eval $ac_try) 2>&5 ++ ac_status=$? ++ echo "$as_me:$LINENO: \$? = $ac_status" >&5 ++ (exit $ac_status); }; } && ++ { ac_try='test -s conftest$ac_exeext' ++ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 ++ (eval $ac_try) 2>&5 ++ ac_status=$? ++ echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 ++ (exit $ac_status); }; }; then ++ ac_cv_lib_iconv_iconv_open=yes ++else ++ echo "$as_me: failed program was:" >&5 ++sed 's/^/| /' conftest.$ac_ext >&5 ++ ++ac_cv_lib_iconv_iconv_open=no ++fi ++rm -f conftest.err conftest.$ac_objext \ ++ conftest$ac_exeext conftest.$ac_ext ++LIBS=$ac_check_lib_save_LIBS ++fi ++echo "$as_me:$LINENO: result: $ac_cv_lib_iconv_iconv_open" >&5 ++echo "${ECHO_T}$ac_cv_lib_iconv_iconv_open" >&6 ++if test $ac_cv_lib_iconv_iconv_open = yes; then ++ LIBS="$LIBS -liconv" ++fi ++ + echo "$as_me:$LINENO: checking if iconv second argument needs const" >&5 + echo $ECHO_N "checking if iconv second argument needs const... $ECHO_C" >&6 + saved_CFLAGS=$CFLAGS Index: files/racoon.sh.in =================================================================== RCS file: /home/ncvs/ports/security/ipsec-tools/files/racoon.sh.in,v retrieving revision 1.3 diff -u -r1.3 racoon.sh.in - --- files/racoon.sh.in 20 Feb 2006 20:47:39 -0000 1.3 +++ files/racoon.sh.in 3 May 2006 06:02:26 -0000 @@ -29,13 +29,17 @@ name="racoon" rcvar=`set_rcvar` - -command="${prefix}/sbin/racoon" - -pidfile="/var/run/racoon.pid" - -required_files="${prefix}/etc/racoon/racoon.conf" - -stop_postcmd="racoon_poststop" +command="${prefix}/sbin/${name}" +pidfile="/var/run/${name}.pid" +socketfile="%%STATEDIR%%/${name}.sock" +required_files="${prefix}/etc/${name}/${name}.conf" +required_dirs="%%STATEDIR%%" +start_precmd="racoon_cleanup" +stop_postcmd="racoon_cleanup" - -racoon_poststop() { +racoon_cleanup() { /bin/rm -f ${pidfile} + /bin/rm -f ${socketfile} } load_rc_config $name
--- security_ipsec-tools.diff3 ends here ---

-- 
The beginning is the most important part of the work. -Plato
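Review bot: in the second Makefile hunk (@@ -26,22 +25,142 @@), STATEDIR is defined as ${DESTDIR}/var/db/racoon and then propagated through --localstatedir=${STATEDIR:S/\/racoon//}, SUB_LIST and PLIST_SUB into the configured binary, files/racoon.sh.in and pkg-plist, so a non-empty DESTDIR at build time gets baked into the installed rc script's socketfile/required_dirs paths and the package's @exec/@dirrmtry entries. Define STATEDIR without ${DESTDIR} (STATEDIR= /var/db/racoon) and prepend ${DESTDIR} only in the install step that needs it. Two smaller points in the same hunk: the @sleep 3 in pre-configure slows unattended builds without making anyone read the NAT-T warning, and the usual ports spelling for option tests is .if defined(WITH_FOO) rather than .ifdef(WITH_FOO).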
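Review bot: the pkg-descr hunk rewrites the feature list but leaves the heading in its context line as "Enchancements"; fix that typo in the same change.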
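Review bot: in the last pkg-plist hunk (@@ -47,4 +47,6 @@), @exec mkdir -p %%STATEDIR%% creates the directory that will hold the racoonctl/racoon admin socket with whatever umask pkg_add happens to run under; since that socket is racoon's control channel, give the directory an explicit mode (mkdir -p -m 0700 %%STATEDIR%%) instead of relying on the umask. Note also that @cwd / stays in effect for every entry after it, which is only safe here because these are the final lines of the plist.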
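Review bot: the files/patch-configure hunk adds the "checking for iconv_open in -liconv" test to the generated configure with nothing in the visible context tying it to --enable-gssapi, so on any host where -liconv sits on the default library path every build, not only a GSSAPI build, gets -liconv appended to LIBS, while the Makefile adds USE_ICONV and -L${LOCALBASE}/lib only under WITH_GSSAPI. Guard the check with the gssapi enable variable, and, as already agreed in the thread, submit it as a configure.ac change upstream so the port does not have to carry a patch against generated output.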
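Review bot: in the files/racoon.sh.in hunk, racoon_cleanup removes a socket path that the rc script hard-codes as %%STATEDIR%%/${name}.sock, independent of what racoon.conf configures, and it does so even for a port built with ADMINPORT off, where no socket exists. Because the same function is now start_precmd, a racoon that is still running but has lost its pidfile would have its live admin socket deleted from under it; guard the socket removal with a check that no racoon process is running (or restrict cleanup to stop_postcmd), and document that the script's socket path must match the daemon's configuration.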