From owner-svn-ports-head@freebsd.org Fri Sep 20 18:44:39 2019
Return-Path:
Delivered-To: svn-ports-head@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id DC0481243D3; Fri, 20 Sep 2019 18:44:39 +0000 (UTC) (envelope-from pi@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 46ZjLb5YSfz4TJ1; Fri, 20 Sep 2019 18:44:39 +0000 (UTC) (envelope-from pi@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 9E8DF1EEF; Fri, 20 Sep 2019 18:44:39 +0000 (UTC) (envelope-from pi@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x8KIidqh012739; Fri, 20 Sep 2019 18:44:39 GMT (envelope-from pi@FreeBSD.org)
Received: (from pi@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x8KIic1f012736; Fri, 20 Sep 2019 18:44:38 GMT (envelope-from pi@FreeBSD.org)
Message-Id: <201909201844.x8KIic1f012736@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: pi set sender to pi@FreeBSD.org using -f
From: Kurt Jaeger Date: Fri, 20 Sep 2019 18:44:38 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r512424 - in head: . net-mgmt/p0f net-mgmt/p0f/files X-SVN-Group: ports-head X-SVN-Commit-Author: pi X-SVN-Commit-Paths: in head: . net-mgmt/p0f net-mgmt/p0f/files X-SVN-Commit-Revision: 512424 X-SVN-Commit-Repository: ports MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-head@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for the ports tree for head List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 20 Sep 2019 18:44:39 -0000 Author: pi Date: Fri Sep 20 18:44:38 2019 New Revision: 512424 URL: https://svnweb.freebsd.org/changeset/ports/512424 Log: net-mgmt/p0f: add rc script Added rc script to run p0f in daemon mode as as unprivileged user. That is useful to provide access to p0f API via unix socket for various clients (e.g. anti-spam filters like rspamd, haraka-plugin-p0f, etc.). PR: 240712 Submitted by: Alexander Moisseev Added: head/net-mgmt/p0f/files/p0f.in (contents, props changed) Modified: head/GIDs head/UIDs head/net-mgmt/p0f/Makefile Modified: head/GIDs ============================================================================== --- head/GIDs Fri Sep 20 17:06:15 2019 (r512423) +++ head/GIDs Fri Sep 20 18:44:38 2019 (r512424) @@ -792,7 +792,7 @@ graylog:*:848: chronyd:*:849: qbittorrent:*:850: cassandra:*:851: -# free: 852 +p0f:*:852: _geodns:*:853: # free: 854 # free: 855 Modified: head/UIDs ============================================================================== --- head/UIDs Fri Sep 20 17:06:15 2019 (r512423) +++ head/UIDs Fri Sep 20 18:44:38 2019 (r512424) 
@@ -797,7 +797,7 @@ graylog:*:848:848::0:0:Graylog user:/nonexistent:/usr/ chronyd:*:849:849::0:0:chronyd user:/nonexistent:/usr/sbin/nologin qbittorrent:*:850:850::0:0:qBittorrent Daemon User:/var/db/qbittorrent/conf:/usr/sbin/nologin cassandra:*:851:851::0:0:Cassandra DB Daemon User:/var/db/cassandra:/usr/sbin/nologin -# free: 852 +p0f:*:852:852::0:0:p0f unprivileged user:/var/empty:/usr/sbin/nologin _geodns:*:853:853::0:0:GeoDNS User:/var/empty:/usr/sbin/nologin # free: 854 # free: 855 Modified: head/net-mgmt/p0f/Makefile ============================================================================== --- head/net-mgmt/p0f/Makefile Fri Sep 20 17:06:15 2019 (r512423) +++ head/net-mgmt/p0f/Makefile Fri Sep 20 18:44:38 2019 (r512424) @@ -3,15 +3,21 @@ PORTNAME= p0f PORTVERSION= 3.09b +PORTREVISION= 1 CATEGORIES= net-mgmt security MASTER_SITES= http://lcamtuf.coredump.cx/p0f3/releases/ \ http://fossies.org/unix/privat/ -EXTRACT_SUFX= .tgz MAINTAINER= pi@FreeBSD.org COMMENT= Passive OS fingerprinting tool LICENSE= LGPL21 + +USES= tar:tgz +USE_RC_SUBR= p0f + +USERS= p0f +GROUPS= p0f PLIST_FILES= bin/p0f bin/p0f-client bin/p0f-sendsyn \ bin/p0f-sendsyn6 etc/p0f.fp Added: head/net-mgmt/p0f/files/p0f.in ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/net-mgmt/p0f/files/p0f.in Fri Sep 20 18:44:38 2019 (r512424) 
@@ -0,0 +1,76 @@ +#!/bin/sh +# +# $FreeBSD$ +# + +# PROVIDE: p0f +# REQUIRE: LOGIN +# KEYWORD: shutdown + +# Add the following lines to /etc/rc.conf.local or /etc/rc.conf +# to enable this service: + +# p0f_enable (bool): Set it to YES to enable p0f. +# Default: NO. +# +# p0f_user (str) User to drop privileges and change to. +# Default: p0f. +# +# p0f_sock (path): Path to socket used to communicate with p0f. +# Default: /var/run/p0f.sock +# +# p0f_db (path): Location of fingerprint db. +# Default: %%PREFIX%%/etc/p0f.fp +# +# p0f_flags (str): Options passed to the p0f daemon. +# Default: "-d -u ${p0f_user} -s ${p0f_sock} -f ${p0f_db}" +# +# command_args (str): Optional pcap-style traffic filtering rules. +# See p0f README for details. + +. /etc/rc.subr + +name="p0f" +rcvar=p0f_enable + +load_rc_config "$name" + +: ${p0f_enable:="NO"} +: ${p0f_user:="p0f"} +: ${p0f_sock:="/var/run/${name}.sock"} +: ${p0f_db:="%%PREFIX%%/etc/p0f.fp"} +: ${p0f_flags:="-d -u ${p0f_user} -s ${p0f_sock} -f ${p0f_db}"} + +command="%%PREFIX%%/bin/${name}" + +pidfile="/var/run/${name}.pid" +required_files="${p0f_db}" + +start_cmd="${name}_start" +stop_postcmd="rm -f ${p0f_sock} $pidfile" + +extra_commands="reload" + +p0f_get_pid() { + PID=$(/bin/ps waux | /usr/bin/grep ${command} | /usr/bin/grep -v grep | /usr/bin/grep ${p0f_sock} | /usr/bin/awk '{print $2}') +} + +p0f_start() { + p0f_get_pid + if [ -z "${PID}" ] ; then + echo "Starting ${name}." + if [ ! -z "${command_args}" ] ; then + ${command} ${p0f_flags} "${command_args}" + else + ${command} ${p0f_flags} + fi + if [ ! -z "${pidfile}" ] ; then + p0f_get_pid + [ -z "${PID}" ] || echo ${PID} > ${pidfile} + fi + else + echo "${name} already running? (pid=${PID})." + fi +} + +run_rc_command "$1"
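Review bot: in the added head/net-mgmt/p0f/files/p0f.in, p0f_get_pid matches any process whose command line merely contains `${command}` and `${p0f_sock}` as substrings, so a running `%%PREFIX%%/bin/p0f-client /var/run/p0f.sock` (same prefix, same socket path) is indistinguishable from the daemon: p0f_start would then either report "already running?" or write the client's PID into /var/run/p0f.pid, and the default stop_cmd would later signal the wrong process (and a multi-line PID list would land in the pidfile if several match). Anchor the match to the daemon's own argv instead, for example `PID=$(/bin/pgrep -f "^${command} .*-s ${p0f_sock}")`, which also removes the `grep -v grep` step and the unquoted `${p0f_sock}` in the grep pattern. Second, `extra_commands="reload"` is declared without a `reload_cmd`, so rc.subr's default reload sends SIGHUP to the PID from the pidfile; either confirm that p0f re-reads `${p0f_db}` on SIGHUP or drop reload from extra_commands. Minor: the header comment `# p0f_user (str) User to drop privileges and change to.` is missing the colon after the type that the other entries use.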