Date: Sun, 30 Oct 2005 16:18:10 +0100 (CET) From: Lupe Christoph <lupe@lupe-christoph.de> To: FreeBSD-gnats-submit@FreeBSD.org Subject: ports/88240: [maintainer update] Update security/doorman to 0.81 Message-ID: <20051030151810.5EA82A961@firewally.lupe-christoph.de> Resent-Message-ID: <200510301530.j9UFULKB043545@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 88240 >Category: ports >Synopsis: [maintainer update] Update security/doorman to 0.81 >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: maintainer-update >Submitter-Id: current-users >Arrival-Date: Sun Oct 30 15:30:20 GMT 2005 >Closed-Date: >Last-Modified: >Originator: Lupe Christoph >Release: FreeBSD 5.4-RELEASE-p7 i386 >Organization: >Environment: System: FreeBSD firewally.lupe-christoph.de 5.4-RELEASE-p7 FreeBSD 5.4-RELEASE-p7 #4: Tue Sep 13 20:23:52 CEST 2005 lupe@firewally.lupe-christoph.de:/usr/obj/usr/src/sys/FIREWALLY i386 >Description: security/doorman 0.8 had a problem with WITH_BDB_VER=0.43. (see ports/88029) This update to doorman 0.8 eliminates this problem because doorman does not use the Berkeley DB anymore. Minor improvements: Provide an example configuration file that is adapted to FreeBSD. Eliminate a non-fatal bashism in configure.ac and configure. >How-To-Repeat: >Fix: --- doorman-0.81.patch begins here --- diff -ruN /usr/ports/security/doorman/Makefile doorman-0.81/Makefile --- /usr/ports/security/doorman/Makefile Sat Jun 4 03:11:04 2005 +++ doorman-0.81/Makefile Sun Oct 30 16:08:16 2005 @@ -6,8 +6,7 @@ # PORTNAME= doorman -PORTVERSION= 0.8 -PORTREVISION= 1 +PORTVERSION= 0.81 CATEGORIES= security MASTER_SITES= ${MASTER_SITE_SOURCEFORGE} MASTER_SITE_SUBDIR= doorman @@ -19,34 +18,17 @@ BUILD_DEPENDS= lsof:${PORTSDIR}/sysutils/lsof RUN_DEPENDS= ${BUILD_DEPENDS} -PKGMESSAGE= ${WRKDIR}/pkg-message -PATCH_STRIP= -p1 - -# Default to db4 -WITH_BDB_VER?= 4 - .include <bsd.port.pre.mk> -.if ${WITH_BDB_VER} == 2 -LIB_DEPENDS= db2.0:${PORTSDIR}/databases/db2 -.elif ${WITH_BDB_VER} == 3 -LIB_DEPENDS= db3.3:${PORTSDIR}/databases/db3 -.elif ${WITH_BDB_VER} == 4 -LIB_DEPENDS= db4.0:${PORTSDIR}/databases/db4 -.elif ${WITH_BDB_VER} == 41 -LIB_DEPENDS= db41.1:${PORTSDIR}/databases/db41 -.elif ${WITH_BDB_VER} == 42 -LIB_DEPENDS= db-4.2.2:${PORTSDIR}/databases/db42 -.else -.error WITH_BDB_VER must be one between 2, 3, 4, 41 and 42 -.endif - # doormand does not work with the FreeBSD 4.x version of libpcap. # Require the ports version. .if ${OSVERSION} < 500000 BUILD_DEPENDS+= ${LOCALBASE}/lib/libpcap.a:${PORTSDIR}/net/libpcap .endif +PKGMESSAGE= ${WRKDIR}/pkg-message +PATCH_STRIP= -p1 + INSTALL_TARGET= installdirs install-exec install-data MAN1= knock.1 @@ -54,24 +36,15 @@ MAN8= doormand.8 GNU_CONFIGURE= yes -SUB_FILES= pkg-message +SUB_FILES= pkg-message doormand.cf.EXAMPLE USE_RC_SUBR= doorman.sh -pre-everything:: - @${ECHO_MSG} - @${ECHO_MSG} " This port currently requires BerkeleyDB, has only been tested with the " - @${ECHO_MSG} " db4.x releases, and builds with db4 by default. If you wish to use a " - @${ECHO_MSG} " specific version please use the WITH_BDB_VER=x argument using the " - @${ECHO_MSG} " values 2, 3, 4, 41, or 42. " - @${ECHO_MSG} - @${ECHO_MSG} " CURRENTLY BUILDING WITH db${WITH_BDB_VER} " - @${ECHO_MSG} - post-install: ${RM} -f ${PREFIX}/etc/doormand/ipf_add ${INSTALL_SCRIPT} ${FILESDIR}/ipf_add.atend ${PREFIX}/etc/doormand/ipf_add.atend ${INSTALL_SCRIPT} ${FILESDIR}/ipf_add.before_block ${PREFIX}/etc/doormand/ipf_add.before_block ${INSTALL_SCRIPT} ${FILESDIR}/ipf_delete ${PREFIX}/etc/doormand/ipf_delete + ${INSTALL_DATA} ${WRKDIR}/doormand.cf.EXAMPLE ${PREFIX}/etc/doormand/doormand.cf.EXAMPLE @for man in ${MAN1}; do \ ${INSTALL_MAN} -C ${WRKSRC}/$$man ${PREFIX}/man/man1; \ done diff -ruN /usr/ports/security/doorman/distinfo doorman-0.81/distinfo --- /usr/ports/security/doorman/distinfo Thu Aug 12 19:27:31 2004 +++ doorman-0.81/distinfo Sun Oct 30 13:44:26 2005 @@ -1,2 +1,2 @@ -MD5 (doorman-0.8.tgz) = 44a495d06bf81ac9a824380612035672 -SIZE (doorman-0.8.tgz) = 139950 +MD5 (doorman-0.81.tgz) = f0f30132a541122fa46f4d6d321260d9 +SIZE (doorman-0.81.tgz) = 140643 diff -ruN /usr/ports/security/doorman/files/doormand.cf.EXAMPLE.in doorman-0.81/files/doormand.cf.EXAMPLE.in --- /usr/ports/security/doorman/files/doormand.cf.EXAMPLE.in Thu Jan 1 01:00:00 1970 +++ doorman-0.81/files/doormand.cf.EXAMPLE.in Sun Oct 30 15:58:38 2005 @@ -0,0 +1,18 @@ +# +# 'doormand.cf' +# Sample configuration file for the Doorman Daemon, "doormand". +# +# +interface tun0 +port 1033 +waitfor 10 +connection_delay_1 100000 # 1/10th second (delay is in microseconds) +connection_delay_2 2 +logfile /var/log/doorman +loglevel debug +pidfile /var/run/doormand.pid +guestlist %%PREFIX%%/etc/doormand/guestlist +firewall-add %%PREFIX%%/etc/doormand/ipf_add.before_block +firewall-del %%PREFIX%%/etc/doormand/ipf_delete +hash-archive /var/run/doormand.hash-archive +hash-archive-size 100000 diff -ruN /usr/ports/security/doorman/files/patch-Makefile.in doorman-0.81/files/patch-Makefile.in --- /usr/ports/security/doorman/files/patch-Makefile.in Thu Jan 1 01:00:00 1970 +++ doorman-0.81/files/patch-Makefile.in Sun Oct 30 15:57:52 2005 @@ -0,0 +1,20 @@ +--- Makefile.in.orig Sun Jul 25 20:35:35 2004 ++++ Makefile.in Sun Oct 30 15:57:06 2005 +@@ -197,8 +197,7 @@ + man5_MANS = knockcf.5 doormand.cf.5 guestlist.5 + man8_MANS = doormand.8 + cfgdir = $(sysconfdir)/doormand +-cfg_DATA = doormand.cf.EXAMPLE\ +- guestlist.EXAMPLE\ ++cfg_DATA = guestlist.EXAMPLE\ + iptables_add iptables_delete\ + ipchains_add ipchains_delete\ + ipf_add ipf_delete\ +@@ -864,7 +863,6 @@ + chmod 744 $(DESTDIR)$(cfgdir)/pfctl_add + chmod 744 $(DESTDIR)$(cfgdir)/pfctl_delete + chmod 600 $(DESTDIR)$(cfgdir)/guestlist.EXAMPLE +- chmod 644 $(DESTDIR)$(cfgdir)/doormand.cf.EXAMPLE + # Tell versions [3.59,3.63) of GNU make to not export all variables. + # Otherwise a system limit (for SysV at least) may be exceeded. + .NOEXPORT: diff -ruN /usr/ports/security/doorman/files/patch-configure doorman-0.81/files/patch-configure --- /usr/ports/security/doorman/files/patch-configure Thu Jan 1 01:00:00 1970 +++ doorman-0.81/files/patch-configure Sun Oct 30 14:52:52 2005 @@ -0,0 +1,11 @@ +--- configure.orig Mon Sep 5 17:07:45 2005 ++++ configure Sun Oct 30 14:52:28 2005 +@@ -4893,7 +4893,7 @@ + echo "${ECHO_T}no" >&6 + fi + +-if test "$LSOF" == "no"; then ++if test "$LSOF" = "no"; then + echo -e "\a" + echo "*** Utility 'lsof' is missing; doormand cannot function properly without it." + echo "*** (Get lsof at: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/lsof.tar.gz)" diff -ruN /usr/ports/security/doorman/files/patch-configure.ac doorman-0.81/files/patch-configure.ac --- /usr/ports/security/doorman/files/patch-configure.ac Thu Jan 1 01:00:00 1970 +++ doorman-0.81/files/patch-configure.ac Sun Oct 30 14:53:19 2005 @@ -0,0 +1,11 @@ +--- configure.ac.orig Sun Aug 7 16:26:03 2005 ++++ configure.ac Sun Oct 30 14:53:03 2005 +@@ -22,7 +22,7 @@ + + AC_PATH_PROG([LSOF], [lsof], [no], + [/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin]) +-if test "$LSOF" == "no"; then ++if test "$LSOF" = "no"; then + echo -e "\a" + echo "*** Utility 'lsof' is missing; doormand cannot function properly without it." + echo "*** (Get lsof at: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/lsof.tar.gz)" diff -ruN /usr/ports/security/doorman/files/patch-doormand.c doorman-0.81/files/patch-doormand.c --- /usr/ports/security/doorman/files/patch-doormand.c Mon May 30 18:31:51 2005 +++ doorman-0.81/files/patch-doormand.c Sun Oct 30 14:05:31 2005 @@ -1,165 +1,167 @@ ---- doorman-0.8.orig/doormand.c Thu Jul 29 21:24:02 2004 -+++ doorman-0.8/doormand.c Sun May 29 09:05:31 2005 -@@ -397,7 +397,11 @@ - int datalink_header_lengths[] = { - // hdr len code data link type - // ------- --- --------------------------- -+#ifdef __FreeBSD__ -+ 4, // 0 no link-layer encapsulation -+#else - 0, // 0 no link-layer encapsulation -+#endif - 14, // 1 Ethernet (10Mb) - -1, // 2 Experimental Ethernet (3Mb) - -1, // 3 Amateur Radio AX.25 -@@ -557,6 +561,14 @@ - // more readable. - // - -+/* -+// lsof on FreeBSD produces one more field. -+// This should be rewritten to use a regular expression, anyway. -+// -+// And who said using C++ style comments in C was good for portability?!? -+*/ -+ -+#ifdef __FreeBSD__ - #define LSOF()\ - sprintf (cmd, "lsof -Pn -iTCP@%s:%s", interface_ip_str, dport_string) ;\ - \ -@@ -578,6 +590,7 @@ - if ((p1 = token (&p2, " ")) == NULL) continue ;\ - if ((p1 = token (&p2, " ")) == NULL) continue ;\ - if ((p1 = token (&p2, " ")) == NULL) continue ;\ -+ if ((p1 = token (&p2, " ")) == NULL) continue ;\ - if ((p1 = token (&p2, " :")) == NULL) continue ;\ - local_ip = inet_addr(p1) ;\ - if ((p1 = token (&p2, "-")) == NULL) continue ;\ -@@ -602,7 +615,53 @@ - }\ - }\ - pclose(f) ; -- -+#else -+#define LSOF()\ -+sprintf (cmd, "lsof -Pn -iTCP@%s:%s", interface_ip_str, dport_string) ;\ -+\ -+f = popen (cmd, "r") ;\ -+if (f == NULL) {\ -+ croak (errno, "Can't execute '%s'; exiting.", cmd) ;\ -+}\ -+\ -+fgets(buffer, 254, f) ; /* throw away the first line. */ \ -+while (fgets(buffer, 254, f)) {\ -+ p2 = buffer ;\ -+ if ((p1 = token (&p2, " ")) == NULL) continue ;\ -+ dname = p1 ;\ -+ if ((p1 = token (&p2, " ")) == NULL) continue ;\ -+ pid = p1 ;\ -+ if ((p1 = token (&p2, " ")) == NULL) continue ;\ -+ uname = p1 ;\ -+ if ((p1 = token (&p2, " ")) == NULL) continue ;\ -+ if ((p1 = token (&p2, " ")) == NULL) continue ;\ -+ if ((p1 = token (&p2, " ")) == NULL) continue ;\ -+ if ((p1 = token (&p2, " ")) == NULL) continue ;\ -+ if ((p1 = token (&p2, " :")) == NULL) continue ;\ -+ local_ip = inet_addr(p1) ;\ -+ if ((p1 = token (&p2, "-")) == NULL) continue ;\ -+ local_port = atoi(p1) ;\ -+ if ((p1 = token (&p2, "->:")) == NULL) continue ;\ -+ aptr = p1 ;\ -+ remote_ip = inet_addr(p1) ;\ -+ if ((p1 = token (&p2, " ")) == NULL) continue ;\ -+ pptr = p1 ;\ -+ remote_port = atoi(p1) ;\ -+ if ((p1 = token (&p2, " ()")) == NULL) continue ;\ -+ status = p1 ;\ -+\ -+ if ((saddr == remote_ip) &&\ -+ (daddr == local_ip) &&\ -+ (sport == remote_port) &&\ -+ (dport == local_port) && \ -+ (strcmp(status, "ESTABLISHED") == 0))\ -+ {\ -+ connected = TRUE ;\ -+ break ;\ -+ }\ -+}\ -+pclose(f) ; -+#endif - - - -@@ -647,7 +706,11 @@ - snprintf (cmd, 254, "tcp and dst port %s and src %s and dst %s", - dport_string, src_addr, interface_ip_str) ; - DEBUG "open a secondary pcap: '%s'", cmd) ; -+#ifdef __FreeBSD__ -+ hdr_len = open_a_pcap (device, 1000, &cap, cmd) ; -+#else - hdr_len = open_a_pcap (device, 0, &cap, cmd) ; -+#endif - - // set broad firewall rule - sprintf (G_fw_broad_rule, " %s %s 0 %s %s", -@@ -659,7 +722,22 @@ - - for (;;) { - -+#ifdef __FreeBSD__ -+ { -+ int ret = 0; -+ struct pcap_pkthdr * packet_hdr_p; -+ -+ while (ret == 0) { -+ ret = pcap_next_ex (cap, &packet_hdr_p, (const u_char **)&p) ; -+ packet_hdr = *packet_hdr_p; -+ if (ret < 0) { -+ p = NULL; -+ } -+ } -+ } -+#else - p = (unsigned char*)pcap_next (cap, &packet_hdr) ; -+#endif - if (p == NULL) { - WARNX "manage_firewall got null from 'pcap_next'. Exiting.") ; - exit (1) ; -@@ -1222,9 +1300,13 @@ - croak (errno, "Can't get interface address of %s", device) ; - } - -+#ifdef __FreeBSD__ -+ hdr_len = open_a_pcap (device, 1000, &G_cap, "udp and port %d and dst %s", -+ port, interface_ip) ; -+#else - hdr_len = open_a_pcap (device, 0, &G_cap, "udp and port %d and dst %s", - port, interface_ip) ; -- -+#endif - if (G_reconfigure) { - G_reconfigure = FALSE ; - NOTICE "reconfigured.") ; -@@ -1252,7 +1334,22 @@ - char src_addr_buff[16] ; - - errno = 0 ; -+#ifdef __FreeBSD__ -+ { -+ int ret = 0; -+ struct pcap_pkthdr * packet_hdr_p; -+ -+ while (ret == 0) { -+ ret = pcap_next_ex (G_cap, &packet_hdr_p, (const u_char **)&p) ; -+ packet_hdr = *packet_hdr_p; -+ if (ret < 0) { -+ p = NULL; -+ } -+ } -+ } -+#else - p = (unsigned char *)pcap_next (G_cap, &packet_hdr) ; -+#endif - if (G_reconfigure) { - if (daemonize) err_closelog() ; - goto reconfigure ; +--- doorman-0.81/doormand.c 2005-10-30 14:00:27.000000000 +0100 ++++ doormand.c 2005-10-30 14:05:18.000000000 +0100 +@@ -387,7 +387,11 @@ + int datalink_header_lengths[] = { + // hdr len code data link type + // ------- --- --------------------------- ++#ifdef __FreeBSD__ ++ 4, // 0 no link-layer encapsulation ++#else + 0, // 0 no link-layer encapsulation ++#endif + 14, // 1 Ethernet (10Mb) + -1, // 2 Experimental Ethernet (3Mb) + -1, // 3 Amateur Radio AX.25 +@@ -614,6 +618,14 @@ + // more readable. + // + ++/* ++// lsof on FreeBSD produces one more field. ++// This should be rewritten to use a regular expression, anyway. ++// ++// And who said using C++ style comments in C was good for portability?!? ++*/ ++ ++#ifdef __FreeBSD__ + #define LSOF()\ + sprintf (cmd, "lsof -Pn -iTCP@%s:%s", interface_ip_str, dport_string) ;\ + \ +@@ -635,6 +647,7 @@ + if ((p1 = token (&p2, " ")) == NULL) continue ;\ + if ((p1 = token (&p2, " ")) == NULL) continue ;\ + if ((p1 = token (&p2, " ")) == NULL) continue ;\ ++ if ((p1 = token (&p2, " ")) == NULL) continue ;\ + if ((p1 = token (&p2, " :")) == NULL) continue ;\ + local_ip = inet_addr(p1) ;\ + if ((p1 = token (&p2, "-")) == NULL) continue ;\ +@@ -659,7 +672,53 @@ + }\ + }\ + pclose(f) ; +- ++#else ++#define LSOF()\ ++sprintf (cmd, "lsof -Pn -iTCP@%s:%s", interface_ip_str, dport_string) ;\ ++\ ++f = popen (cmd, "r") ;\ ++if (f == NULL) {\ ++ croak (errno, "Can't execute '%s'; exiting.", cmd) ;\ ++}\ ++\ ++fgets(buffer, 254, f) ; /* throw away the first line. */ \ ++while (fgets(buffer, 254, f)) {\ ++ p2 = buffer ;\ ++ if ((p1 = token (&p2, " ")) == NULL) continue ;\ ++ dname = p1 ;\ ++ if ((p1 = token (&p2, " ")) == NULL) continue ;\ ++ pid = p1 ;\ ++ if ((p1 = token (&p2, " ")) == NULL) continue ;\ ++ uname = p1 ;\ ++ if ((p1 = token (&p2, " ")) == NULL) continue ;\ ++ if ((p1 = token (&p2, " ")) == NULL) continue ;\ ++ if ((p1 = token (&p2, " ")) == NULL) continue ;\ ++ if ((p1 = token (&p2, " ")) == NULL) continue ;\ ++ if ((p1 = token (&p2, " :")) == NULL) continue ;\ ++ local_ip = inet_addr(p1) ;\ ++ if ((p1 = token (&p2, "-")) == NULL) continue ;\ ++ local_port = atoi(p1) ;\ ++ if ((p1 = token (&p2, "->:")) == NULL) continue ;\ ++ aptr = p1 ;\ ++ remote_ip = inet_addr(p1) ;\ ++ if ((p1 = token (&p2, " ")) == NULL) continue ;\ ++ pptr = p1 ;\ ++ remote_port = atoi(p1) ;\ ++ if ((p1 = token (&p2, " ()")) == NULL) continue ;\ ++ status = p1 ;\ ++\ ++ if ((saddr == remote_ip) &&\ ++ (daddr == local_ip) &&\ ++ (sport == remote_port) &&\ ++ (dport == local_port) && \ ++ (strcmp(status, "ESTABLISHED") == 0))\ ++ {\ ++ connected = TRUE ;\ ++ break ;\ ++ }\ ++}\ ++pclose(f) ; ++#endif + + + +@@ -704,7 +763,11 @@ + snprintf (cmd, 254, "tcp and dst port %s and src %s and dst %s", + dport_string, src_addr, interface_ip_str) ; + DEBUG "open a secondary pcap: '%s'", cmd) ; ++#ifdef __FreeBSD__ ++ hdr_len = open_a_pcap (device, 1000, &cap, cmd) ; ++#else + hdr_len = open_a_pcap (device, 0, &cap, cmd) ; ++#endif + + // set broad firewall rule + sprintf (G_fw_broad_rule, " %s %s 0 %s %s", +@@ -716,7 +779,22 @@ + + for (;;) { + ++#ifdef __FreeBSD__ ++ { ++ int ret = 0; ++ struct pcap_pkthdr * packet_hdr_p; ++ ++ while (ret == 0) { ++ ret = pcap_next_ex (cap, &packet_hdr_p, (const u_char **)&p) ; ++ packet_hdr = *packet_hdr_p; ++ if (ret < 0) { ++ p = NULL; ++ } ++ } ++ } ++#else + p = (unsigned char*)pcap_next (cap, &packet_hdr) ; ++#endif + if (p == NULL) { + WARNX "manage_firewall got null from 'pcap_next': %s Exiting.", + pcap_geterr(G_cap)) ; +@@ -1300,9 +1378,13 @@ + croak (errno, "Can't get interface address of %s", device) ; + } + ++#ifdef __FreeBSD__ ++ hdr_len = open_a_pcap (device, 1000, &G_cap, "udp and port %d and dst %s", ++ port, interface_ip) ; ++#else + hdr_len = open_a_pcap (device, 0, &G_cap, "udp and port %d and dst %s", + port, interface_ip) ; +- ++#endif + if (G_reconfigure) { + G_reconfigure = FALSE ; + NOTICE "reconfigured.") ; +@@ -1330,9 +1412,22 @@ + char src_addr_buff[16] ; + + errno = 0 ; +- netdown_count = 0 ; +- ++#ifdef __FreeBSD__ ++ { ++ int ret = 0; ++ struct pcap_pkthdr * packet_hdr_p; ++ ++ while (ret == 0) { ++ ret = pcap_next_ex (G_cap, &packet_hdr_p, (const u_char **)&p) ; ++ packet_hdr = *packet_hdr_p; ++ if (ret < 0) { ++ p = NULL; ++ } ++ } ++ } ++#else + p = (unsigned char *)pcap_next (G_cap, &packet_hdr) ; ++#endif + if (G_reconfigure) { + if (daemonize) err_closelog() ; + goto reconfigure ; --- doorman-0.81.patch ends here --- >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20051030151810.5EA82A961>