From owner-freebsd-ports-bugs@FreeBSD.ORG Sun Apr 30 21:30:21 2006
Date: Sun, 30 Apr 2006 21:30:20 GMT
Message-Id: <200604302130.k3ULUKOr055577@freefall.freebsd.org>
To: freebsd-ports-bugs@FreeBSD.org
From: Joerg Pulz
Subject: Re: ports/96368: security/ipsec-tools: use OPTIONS, extend featureset

The following reply was made to PR ports/96368; it has been noted by GNATS.
From: Joerg Pulz
To: VANHULLEBUS Yvan, Renato Botelho
Cc: bug-followup@FreeBSD.org
Subject: Re: ports/96368: security/ipsec-tools: use OPTIONS, extend featureset
Date: Sun, 30 Apr 2006 23:20:51 +0200 (CEST)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi again,

here is a new version of my patch. What has changed:

- default settings for OPTIONS changed
  * STATS, PAM and HYBRID default off (requested by Yvan)
- added some descriptive output if NATT is enabled (to please Yvan ;) )
- small change to pkg-plist to create and delete the STATEDIR

Why is there still --localstatedir=${STATEDIR:S/\/racoon//} ?

I triple checked the statedir thing, and it turned out that this directory defaults to ${PREFIX}/var/racoon and is created by the ipsec-tools Makefiles regardless of whether adminport or stats are enabled or not. In my opinion, ${PREFIX}/var/racoon is a very bad place for a communication socket between racoonctl or libracoon-based programs and racoon, or to store statistical logs. This kind of data belongs to /var/db/racoon and therefore --localstatedir should be used every time. Yvan should have knowledge of this as there is the line "@dirrmtry var/racoon" in the pkg-plist to remove this directory when deinstalling the port/package.

There was also an inconsistency in what gets installed when built and installed manually from ports or from a package. The statedir was only created when installed manually from a port, but not when it was installed from a package. This is fixed now.

I hope I get an approval for this version of the patch as I would really like to see this in the tree.

Regards
Joerg

- --- security_ipsec-tools.diff2 begins here ---
Index: Makefile
===================================================================
RCS file: /home/ncvs/ports/security/ipsec-tools/Makefile,v
retrieving revision 1.11
diff -u -r1.11 Makefile
- --- Makefile 23 Feb 2006 10:38:57 -0000 1.11
+++ Makefile 30 Apr 2006 20:58:24 -0000
@@ -4,15 +4,14 @@ # # $FreeBSD: ports/security/ipsec-tools/Makefile,v 1.11 2006/02/23 10:38:57 ade Exp $ - -# TODO: - configurable --enable-xxx - -# - libipsec issue ? +# TODO: - libipsec issue ? # - cleanup... # - SYSCONFDIR # - $LOCALBASE/sbin/setkey Vs /usr/sbin/setkey PORTNAME= ipsec-tools PORTVERSION= 0.6.5 - -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= security net MASTER_SITES= ${MASTER_SITE_SOURCEFORGE} MASTER_SITE_SUBDIR= ipsec-tools 
@@ -26,22 +25,142 @@ USE_OPENSSL= yes USE_BZIP2= yes - -WRKSRC= ${WRKDIR}/${DISTNAME} GNU_CONFIGURE= yes INSTALLS_SHLIB= yes - -LDFLAGS= -L${LOCALBASE}/lib CONFIGURE_TARGET= --build=${MACHINE_ARCH}-portbld-freebsd${OSREL} - -CONFIGURE_ARGS= --enable-debug --enable-dpd --enable-natt=kernel \ - - --enable-frag --enable-ipv6 --enable-shared \ - - --sysconfdir=${PREFIX}/etc/racoon \ +CONFIGURE_ARGS= --enable-shared --sysconfdir=${PREFIX}/etc/racoon \ + --localstatedir=${STATEDIR:S/\/racoon//} \ --with-pkgversion=freebsd-${PORTVERSION} +STATEDIR= ${DESTDIR}/var/db/racoon +SUB_LIST+= STATEDIR=${STATEDIR} +PLIST_SUB+= STATEDIR=${STATEDIR} + +OPTIONS= DEBUG "enable Debug support" on \ + IPV6 "enable IPV6 support" on \ + ADMINPORT "enable Admin port" on \ + STATS "enable Statistics logging function" off \ + DPD "enable Dead Peer Detection" on \ + NATT "enable NAT-Traversal (kernel-patch required)" on \ + FRAG "enable IKE fragmentation payload support" on \ + HYBRID "enable Hybrid Mode-cfg and Xauth support" off \ + PAM "enable PAM authentication" off \ + GSSAPI "enable GSS-API authentication" off \ + RADIUS "enable Radius authentication" off \ + SAUNSPEC "enable Unspecified SA mode" off \ + RC5 "enable RC5 encryption (patented)" off \ + IDEA "enable IDEA encryption (patented)" off + MAN3= ipsec_set_policy.3 ipsec_strerror.3 MAN5= racoon.conf.5 MAN8= racoon.8 racoonctl.8 setkey.8 plainrsa-gen.8 PORTDOCS= * +.include + +.ifdef(WITH_DEBUG) +CONFIGURE_ARGS+= --enable-debug +.else +CONFIGURE_ARGS+= --disable-debug +.endif + +.ifdef(WITH_IPV6) +CONFIGURE_ARGS+= --enable-ipv6 +.else +CONFIGURE_ARGS+= --disable-ipv6 +.endif + +.ifdef(WITH_ADMINPORT) +CONFIGURE_ARGS+= --enable-adminport +.else +CONFIGURE_ARGS+= --disable-adminport +.endif + +.ifdef(WITH_STATS) +CONFIGURE_ARGS+= --enable-stats +.else +CONFIGURE_ARGS+= --disable-stats +.endif + +.ifdef(WITH_DPD) +CONFIGURE_ARGS+= --enable-dpd +.else +CONFIGURE_ARGS+= --disable-dpd +.endif + +.ifdef(WITH_NATT) +CONFIGURE_ARGS+= 
--enable-natt=kernel +.else +CONFIGURE_ARGS+= --disable-natt +.endif + +.ifdef(WITH_FRAG) +CONFIGURE_ARGS+= --enable-frag +.else +CONFIGURE_ARGS+= --disable-frag +.endif + +.ifdef(WITH_HYBRID) +CONFIGURE_ARGS+= --enable-hybrid +.else +CONFIGURE_ARGS+= --disable-hybrid +.endif + +.ifdef(WITH_PAM) +CONFIGURE_ARGS+= --with-libpam +.else +CONFIGURE_ARGS+= --without-libpam +.endif + +.ifdef(WITH_GSSAPI) +USE_ICONV= yes +CFLAGS+= -I${LOCALBASE}/include +LDFLAGS+= -L${LOCALBASE}/lib +CONFIGURE_ARGS+= --enable-gssapi +.else +CONFIGURE_ARGS+= --disable-gssapi +.endif + +.ifdef(WITH_RADIUS) +CONFIGURE_ARGS+= --with-libradius +.else +CONFIGURE_ARGS+= --without-libradius +.endif + +.ifdef(WITH_SAUNSPEC) +CONFIGURE_ARGS+= --enable-samode-unspec +.else +CONFIGURE_ARGS+= --disable-samode-unspec +.endif + +.ifdef(WITH_RC5) +CONFIGURE_ARGS+= --enable-rc5 +.else +CONFIGURE_ARGS+= --disable-rc5 +.endif + +.ifdef(WITH_IDEA) +CONFIGURE_ARGS+= --enable-idea +.else +CONFIGURE_ARGS+= --disable-idea +.endif + +.ifdef(WITH_NATT) +pre-configure: + @${ECHO_MSG} "===> -------------------------------------------------------------------------" + @${ECHO_MSG} "===> ATTENTION: You need a kernel patch to enable NAT-Traversal functionality!" + @${ECHO_MSG} "===> You can download the patch here:" +. if ${OSVERSION} < 500000 + @${ECHO_MSG} "===> http://ipsec-tools.sf.net/freebsd_nat-t.diff" +. else + @${ECHO_MSG} "===> http://ipsec-tools.sf.net/freebsd6-natt.diff" +. endif + @${ECHO_MSG} "===> You might possibly have to do some steps manually if it fails to apply." + @${ECHO_MSG} "===> -------------------------------------------------------------------------" + @sleep 3 +.endif + post-install: @if [ -z `/sbin/sysctl -a | ${GREP} -q ipsec && ${ECHO_CMD} ipsec` ]; then \ ${ECHO_MSG} "WARNING: IPsec feature is disabled on this host"; \ 
@@ -55,4 +174,4 @@ @${INSTALL_DATA} ${WRKSRC}/src/racoon/doc/* ${DOCSDIR} .endif - -.include +.include Index: pkg-descr =================================================================== RCS file: /home/ncvs/ports/security/ipsec-tools/pkg-descr,v retrieving revision 1.2 diff -u -r1.2 pkg-descr - --- pkg-descr 15 Sep 2005 12:11:48 -0000 1.2 +++ pkg-descr 30 Apr 2006 20:58:24 -0000 @@ -4,8 +4,7 @@ This is the IPSec-tools version of racoon. Enchancements: - -- Support of NAT-T. - -- Support of IKE fragmentation. +- Support of NAT-T and IKE fragmentation. - Support of many authentication algorithms. - Tons of bugfixes. Index: pkg-plist =================================================================== RCS file: /home/ncvs/ports/security/ipsec-tools/pkg-plist,v retrieving revision 1.4 diff -u -r1.4 pkg-plist - --- pkg-plist 23 Feb 2006 10:38:57 -0000 1.4 +++ pkg-plist 30 Apr 2006 20:58:24 -0000 @@ -1,4 +1,6 @@ +sbin/plainrsa-gen sbin/racoon +sbin/racoonctl sbin/setkey include/libipsec/libpfkey.h include/racoon/admin.h @@ -24,8 +26,6 @@ lib/libracoon.la lib/libracoon.so lib/libracoon.so.0 - -sbin/plainrsa-gen - -sbin/racoonctl %%EXAMPLESDIR%%/psk.txt %%EXAMPLESDIR%%/psk.txt.sample %%EXAMPLESDIR%%/racoon.conf @@ -47,4 +47,6 @@ @dirrm %%EXAMPLESDIR%%/roadwarrior/client @dirrm %%EXAMPLESDIR%%/roadwarrior @dirrm %%EXAMPLESDIR%% - -@dirrmtry var/racoon +@cwd / +@exec mkdir -p %%STATEDIR%% +@dirrmtry %%STATEDIR%% Index: files/patch-configure =================================================================== RCS file: files/patch-configure diff -N files/patch-configure - --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ files/patch-configure 30 Apr 2006 20:58:25 -0000 
@@ -0,0 +1,77 @@ +--- configure.orig Wed Apr 26 15:28:47 2006 ++++ configure Wed Apr 26 15:28:56 2006 +@@ -25122,6 +25122,74 @@ + fi + + ++ echo "$as_me:$LINENO: checking for iconv_open in -liconv" >&5 ++echo $ECHO_N "checking for iconv_open in -liconv... $ECHO_C" >&6 ++if test "${ac_cv_lib_iconv_iconv_open+set}" = set; then ++ echo $ECHO_N "(cached) $ECHO_C" >&6 ++else ++ ac_check_lib_save_LIBS=$LIBS ++LIBS="-liconv $LIBS" ++cat >conftest.$ac_ext <<_ACEOF ++/* confdefs.h. */ ++_ACEOF ++cat confdefs.h >>conftest.$ac_ext ++cat >>conftest.$ac_ext <<_ACEOF ++/* end confdefs.h. */ ++ ++/* Override any gcc2 internal prototype to avoid an error. */ ++#ifdef __cplusplus ++extern "C" ++#endif ++/* We use char because int might match the return type of a gcc2 ++ builtin and then its argument prototype would still apply. */ ++char iconv_open (); ++int ++main () ++{ ++iconv_open (); ++ ; ++ return 0; ++} ++_ACEOF ++rm -f conftest.$ac_objext conftest$ac_exeext ++if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 ++ (eval $ac_link) 2>conftest.er1 ++ ac_status=$? ++ grep -v '^ *+' conftest.er1 >conftest.err ++ rm -f conftest.er1 ++ cat conftest.err >&5 ++ echo "$as_me:$LINENO: \$? = $ac_status" >&5 ++ (exit $ac_status); } && ++ { ac_try='test -z "$ac_c_werror_flag" ++ || test ! -s conftest.err' ++ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 ++ (eval $ac_try) 2>&5 ++ ac_status=$? ++ echo "$as_me:$LINENO: \$? = $ac_status" >&5 ++ (exit $ac_status); }; } && ++ { ac_try='test -s conftest$ac_exeext' ++ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 ++ (eval $ac_try) 2>&5 ++ ac_status=$? ++ echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 ++ (exit $ac_status); }; }; then ++ ac_cv_lib_iconv_iconv_open=yes ++else ++ echo "$as_me: failed program was:" >&5 ++sed 's/^/| /' conftest.$ac_ext >&5 ++ ++ac_cv_lib_iconv_iconv_open=no ++fi ++rm -f conftest.err conftest.$ac_objext \ ++ conftest$ac_exeext conftest.$ac_ext ++LIBS=$ac_check_lib_save_LIBS ++fi ++echo "$as_me:$LINENO: result: $ac_cv_lib_iconv_iconv_open" >&5 ++echo "${ECHO_T}$ac_cv_lib_iconv_iconv_open" >&6 ++if test $ac_cv_lib_iconv_iconv_open = yes; then ++ LIBS="$LIBS -liconv" ++fi ++ + echo "$as_me:$LINENO: checking if iconv second argument needs const" >&5 + echo $ECHO_N "checking if iconv second argument needs const... $ECHO_C" >&6 + saved_CFLAGS=$CFLAGS Index: files/racoon.sh.in =================================================================== RCS file: /home/ncvs/ports/security/ipsec-tools/files/racoon.sh.in,v retrieving revision 1.3 diff -u -r1.3 racoon.sh.in - --- files/racoon.sh.in 20 Feb 2006 20:47:39 -0000 1.3 +++ files/racoon.sh.in 30 Apr 2006 20:58:25 -0000 @@ -32,6 +32,7 @@ command="${prefix}/sbin/racoon" pidfile="/var/run/racoon.pid" required_files="${prefix}/etc/racoon/racoon.conf" +required_dirs="%%STATEDIR%%" stop_postcmd="racoon_poststop" racoon_poststop() { - --- security_ipsec-tools.diff2 ends here --- - -- The beginning is the most important part of the work. -Plato -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (FreeBSD) iD8DBQFEVSo2SPOsGF+KA+MRAvqnAKCPLbqHVKCW/Uv8ax0iOCbnU3mzhQCfVdTP 4cnUzXTeJKZaP0cQQDwfo6s= =3KNp -----END PGP SIGNATURE-----
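Review bot: in the Makefile hunk `@@ -26,22 +25,142 @@`, `STATEDIR= ${DESTDIR}/var/db/racoon` feeds `${DESTDIR}` into `--localstatedir=${STATEDIR:S/\/racoon//}`, into `SUB_LIST` and into `PLIST_SUB`, so whenever DESTDIR is set the path compiled into racoon for its admin socket and stats log, the `%%STATEDIR%%` substituted into racoon.sh.in and the `%%STATEDIR%%` entries in pkg-plist all name the staging tree instead of the run-time location. Define the variable as the run-time path (`STATEDIR= /var/db/racoon`) and let the install step, not the configure arguments or the plist, deal with DESTDIR. Minor style point in the same hunk: `.ifdef(WITH_NATT)` is opened twice, once for `CONFIGURE_ARGS+= --enable-natt=kernel` and once for the `pre-configure` warning; the two blocks can be merged into one.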
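Review bot: in the pkg-descr hunk `@@ -4,8 +4,7 @@`, the unchanged context line `Enchancements:` directly above the merged NAT-T/IKE fragmentation entry is misspelled; since this hunk already edits that list, it is a cheap moment to correct it to `Enhancements:`.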
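Review bot: in the pkg-plist hunk `@@ -47,4 +47,6 @@`, `@exec mkdir -p %%STATEDIR%%` creates the directory with whatever mode the installing umask yields, yet the message explains that this directory holds the racoonctl admin socket and the stats log. Give it an explicit mode when it is created (for example `@exec mkdir -p -m 0700 %%STATEDIR%%`, or `install -d -m 0700`) so the socket's parent directory is not left group- or world-accessible by an unlucky umask. `@dirrmtry %%STATEDIR%%` is the right counterpart, since it leaves the directory in place when stats logs remain in it; note also that it is an absolute path, so the preceding `@cwd /` is redundant for it.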
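Review bot: in the files/patch-configure hunk, the added check ends with `LIBS="$LIBS -liconv"` whenever libiconv is found, so the global LIBS used by every program in the tree picks up the dependency even when GSSAPI, the only option for which the Makefile sets `USE_ICONV= yes`, is off. Guard the new block so it only runs when gssapi is enabled, or append `-liconv` to the gssapi-specific library list rather than the global one. Also, this patches the generated `configure` rather than `configure.ac`, so the change is lost the moment the script is regenerated; a short comment in files/patch-configure saying which configure.ac check it corresponds to would help the next maintainer.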