Date:      Sun, 30 Apr 2006 21:30:20 GMT
From:      Joerg Pulz <Joerg.Pulz@frm2.tum.de>
To:        freebsd-ports-bugs@FreeBSD.org
Subject:   Re: ports/96368: security/ipsec-tools: use OPTIONS, extend featureset
Message-ID:  <200604302130.k3ULUKOr055577@freefall.freebsd.org>

The following reply was made to PR ports/96368; it has been noted by GNATS.

From: Joerg Pulz <Joerg.Pulz@frm2.tum.de>
To: VANHULLEBUS Yvan <yvan.vanhullebus@netasq.com>,
        Renato Botelho <garga@FreeBSD.org>
Cc: bug-followup@FreeBSD.org
Subject: Re: ports/96368: security/ipsec-tools: use OPTIONS, extend featureset
Date: Sun, 30 Apr 2006 23:20:51 +0200 (CEST)

 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA1
 
 
 Hi again,
 
 here is a new version of my patch.
 
 What has changed:
 - - default settings for OPTIONS changed
     * STATS, PAM and HYBRID default off (requested by Yvan)
 - - added some descriptive output if NATT is enabled (to please Yvan ;) )
 - - small change to pkg-plist to create and delete the STATEDIR
 
 Why is there still --localstatedir=${STATEDIR:S/\/racoon//} ?
 I triple checked the statedir thing, and it turned out that this
 directory defaults to ${PREFIX}/var/racoon and is created by the
 ipsec-tools Makefiles regardless of whether adminport or stats are enabled
 or not. In my opinion, ${PREFIX}/var/racoon is a very bad place for a
 communication socket between racoonctl or libracoon based programs and
 racoon or to store statistical logs. This kind of data belongs in
 /var/db/racoon and therefore --localstatedir should be used every time.
 Yvan should have knowledge of this as there is the line
 "@dirrmtry var/racoon" in the pkg-plist to remove this directory when 
 deinstalling the port/package.
 There was also an inconsistency what gets installed when built and 
 installed manually from ports or from a package. The statedir was only 
 created when installed manually from a port, but not when it was installed 
 from a package.
 This is fixed now.
 
 I hope i get an approval for this version of the patch as would really 
 like to see this in the tree.
 
 Regards
 Joerg
 
 
 - --- security_ipsec-tools.diff2 begins here ---
 Index: Makefile
 ===================================================================
 RCS file: /home/ncvs/ports/security/ipsec-tools/Makefile,v
 retrieving revision 1.11
 diff -u -r1.11 Makefile
 - --- Makefile	23 Feb 2006 10:38:57 -0000	1.11
 +++ Makefile	30 Apr 2006 20:58:24 -0000
 @@ -4,15 +4,14 @@
    #
    # $FreeBSD: ports/security/ipsec-tools/Makefile,v 1.11 2006/02/23 10:38:57 ade Exp $
 
 - -# TODO: - configurable --enable-xxx
 - -#       - libipsec issue ?
 +# TODO: - libipsec issue ?
    #       - cleanup...
    #       - SYSCONFDIR
    #       - $LOCALBASE/sbin/setkey Vs /usr/sbin/setkey
 
    PORTNAME=	ipsec-tools
    PORTVERSION=	0.6.5
 - -PORTREVISION=	1
 +PORTREVISION=	2
    CATEGORIES=	security net
    MASTER_SITES=	${MASTER_SITE_SOURCEFORGE}
    MASTER_SITE_SUBDIR=	ipsec-tools
 @@ -26,22 +25,142 @@
    USE_OPENSSL=	yes
    USE_BZIP2=	yes
 
 - -WRKSRC=		${WRKDIR}/${DISTNAME}
    GNU_CONFIGURE=	yes
    INSTALLS_SHLIB=	yes
 - -LDFLAGS=	-L${LOCALBASE}/lib
    CONFIGURE_TARGET=	--build=${MACHINE_ARCH}-portbld-freebsd${OSREL}
 - -CONFIGURE_ARGS=	--enable-debug --enable-dpd --enable-natt=kernel \
 - -		--enable-frag --enable-ipv6 --enable-shared \
 - -		--sysconfdir=${PREFIX}/etc/racoon \
 +CONFIGURE_ARGS=	--enable-shared --sysconfdir=${PREFIX}/etc/racoon \
 +		--localstatedir=${STATEDIR:S/\/racoon//} \
    		--with-pkgversion=freebsd-${PORTVERSION}
 
 +STATEDIR=	${DESTDIR}/var/db/racoon
 +SUB_LIST+=	STATEDIR=${STATEDIR}
 +PLIST_SUB+=	STATEDIR=${STATEDIR}
 +
 +OPTIONS=	DEBUG		"enable Debug support" on \
 +		IPV6		"enable IPV6 support" on \
 +		ADMINPORT	"enable Admin port" on \
 +		STATS		"enable Statistics logging function" off \
 +		DPD		"enable Dead Peer Detection" on \
 +		NATT		"enable NAT-Traversal (kernel-patch required)" on \
 +		FRAG		"enable IKE fragmentation payload support" on \
 +		HYBRID		"enable Hybrid Mode-cfg and Xauth support" off \
 +		PAM		"enable PAM authentication" off \
 +		GSSAPI		"enable GSS-API authentication" off \
 +		RADIUS		"enable Radius authentication" off \
 +		SAUNSPEC	"enable Unspecified SA mode" off \
 +		RC5		"enable RC5 encryption (patented)" off \
 +		IDEA		"enable IDEA encryption (patented)" off
 +
    MAN3=		ipsec_set_policy.3 ipsec_strerror.3
    MAN5=		racoon.conf.5
    MAN8=		racoon.8 racoonctl.8 setkey.8 plainrsa-gen.8
 
    PORTDOCS=	*
 
 +.include <bsd.port.pre.mk>
 +
 +.ifdef(WITH_DEBUG)
 +CONFIGURE_ARGS+=	--enable-debug
 +.else
 +CONFIGURE_ARGS+=	--disable-debug
 +.endif
 +
 +.ifdef(WITH_IPV6)
 +CONFIGURE_ARGS+=	--enable-ipv6
 +.else
 +CONFIGURE_ARGS+=	--disable-ipv6
 +.endif
 +
 +.ifdef(WITH_ADMINPORT)
 +CONFIGURE_ARGS+=	--enable-adminport
 +.else
 +CONFIGURE_ARGS+=	--disable-adminport
 +.endif
 +
 +.ifdef(WITH_STATS)
 +CONFIGURE_ARGS+=	--enable-stats
 +.else
 +CONFIGURE_ARGS+=	--disable-stats
 +.endif
 +
 +.ifdef(WITH_DPD)
 +CONFIGURE_ARGS+=	--enable-dpd
 +.else
 +CONFIGURE_ARGS+=	--disable-dpd
 +.endif
 +
 +.ifdef(WITH_NATT)
 +CONFIGURE_ARGS+=	--enable-natt=kernel
 +.else
 +CONFIGURE_ARGS+=	--disable-natt
 +.endif
 +
 +.ifdef(WITH_FRAG)
 +CONFIGURE_ARGS+=	--enable-frag
 +.else
 +CONFIGURE_ARGS+=	--disable-frag
 +.endif
 +
 +.ifdef(WITH_HYBRID)
 +CONFIGURE_ARGS+=	--enable-hybrid
 +.else
 +CONFIGURE_ARGS+=	--disable-hybrid
 +.endif
 +
 +.ifdef(WITH_PAM)
 +CONFIGURE_ARGS+=	--with-libpam
 +.else
 +CONFIGURE_ARGS+=	--without-libpam
 +.endif
 +
 +.ifdef(WITH_GSSAPI)
 +USE_ICONV=	yes
 +CFLAGS+=	-I${LOCALBASE}/include
 +LDFLAGS+=	-L${LOCALBASE}/lib
 +CONFIGURE_ARGS+=	--enable-gssapi
 +.else
 +CONFIGURE_ARGS+=	--disable-gssapi
 +.endif
 +
 +.ifdef(WITH_RADIUS)
 +CONFIGURE_ARGS+=	--with-libradius
 +.else
 +CONFIGURE_ARGS+=	--without-libradius
 +.endif
 +
 +.ifdef(WITH_SAUNSPEC)
 +CONFIGURE_ARGS+=	--enable-samode-unspec
 +.else
 +CONFIGURE_ARGS+=	--disable-samode-unspec
 +.endif
 +
 +.ifdef(WITH_RC5)
 +CONFIGURE_ARGS+=	--enable-rc5
 +.else
 +CONFIGURE_ARGS+=	--disable-rc5
 +.endif
 +
 +.ifdef(WITH_IDEA)
 +CONFIGURE_ARGS+=	--enable-idea
 +.else
 +CONFIGURE_ARGS+=	--disable-idea
 +.endif
 +
 +.ifdef(WITH_NATT)
 +pre-configure:
 +	@${ECHO_MSG} "===> -------------------------------------------------------------------------"
 +	@${ECHO_MSG} "===> ATTENTION: You need a kernel patch to enable NAT-Traversal functionality!"
 +	@${ECHO_MSG} "===> You can download the patch here:"
 +. if ${OSVERSION} < 500000
 +	@${ECHO_MSG} "===>     http://ipsec-tools.sf.net/freebsd_nat-t.diff"
 +. else
 +	@${ECHO_MSG} "===>     http://ipsec-tools.sf.net/freebsd6-natt.diff"
 +. endif
 +	@${ECHO_MSG} "===> You might possibly have to do some steps manually if it fails to apply."
 +	@${ECHO_MSG} "===> -------------------------------------------------------------------------"
 +	@sleep 3
 +.endif
 +
    post-install:
    	@if [ -z `/sbin/sysctl -a | ${GREP} -q ipsec && ${ECHO_CMD} ipsec` ]; then \
    	    ${ECHO_MSG} "WARNING: IPsec feature is disabled on this host"; \
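Review bot: The pre-configure message in the `.ifdef(WITH_NATT)` block sends users to download a kernel patch over plain `http://ipsec-tools.sf.net/...` with nothing to verify it against, whereas the port's distfile is presumably covered by the usual distinfo checksums. Because that diff is applied to kernel IPsec code, it would be safer to fetch it through the port's own fetch/checksum machinery as an extra distfile, or at least to print a digest next to the URL, e.g. `@${ECHO_MSG} "===>     SHA256: <PATCH_DIGEST_PLACEHOLDER>"`. Separately, `. if ${OSVERSION} < 500000` points every release from 5.x upward at `freebsd6-natt.diff`, which by its name looks written for 6.x, so it is worth confirming that it applies to 5.x or narrowing the condition. The `@sleep 3` also stalls unattended builds; wrapping it in `.if !defined(BATCH)` would avoid that.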
 @@ -55,4 +174,4 @@
    	@${INSTALL_DATA} ${WRKSRC}/src/racoon/doc/* ${DOCSDIR}
    .endif
 
 - -.include <bsd.port.mk>
 +.include <bsd.port.post.mk>
 Index: pkg-descr
 ===================================================================
 RCS file: /home/ncvs/ports/security/ipsec-tools/pkg-descr,v
 retrieving revision 1.2
 diff -u -r1.2 pkg-descr
 - --- pkg-descr	15 Sep 2005 12:11:48 -0000	1.2
 +++ pkg-descr	30 Apr 2006 20:58:24 -0000
 @@ -4,8 +4,7 @@
    This is the IPSec-tools version of racoon.
 
    Enchancements:
 - -- Support of NAT-T.
 - -- Support of IKE fragmentation.
 +- Support of NAT-T and IKE fragmentation.
    - Support of many authentication algorithms.
    - Tons of bugfixes.
 
 Index: pkg-plist
 ===================================================================
 RCS file: /home/ncvs/ports/security/ipsec-tools/pkg-plist,v
 retrieving revision 1.4
 diff -u -r1.4 pkg-plist
 - --- pkg-plist	23 Feb 2006 10:38:57 -0000	1.4
 +++ pkg-plist	30 Apr 2006 20:58:24 -0000
 @@ -1,4 +1,6 @@
 +sbin/plainrsa-gen
    sbin/racoon
 +sbin/racoonctl
    sbin/setkey
    include/libipsec/libpfkey.h
    include/racoon/admin.h
 @@ -24,8 +26,6 @@
    lib/libracoon.la
    lib/libracoon.so
    lib/libracoon.so.0
 - -sbin/plainrsa-gen
 - -sbin/racoonctl
    %%EXAMPLESDIR%%/psk.txt
    %%EXAMPLESDIR%%/psk.txt.sample
    %%EXAMPLESDIR%%/racoon.conf
 @@ -47,4 +47,6 @@
    @dirrm %%EXAMPLESDIR%%/roadwarrior/client
    @dirrm %%EXAMPLESDIR%%/roadwarrior
    @dirrm %%EXAMPLESDIR%%
 - -@dirrmtry var/racoon
 +@cwd /
 +@exec mkdir -p %%STATEDIR%%
 +@dirrmtry %%STATEDIR%%
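Review bot: `@exec mkdir -p %%STATEDIR%%` creates the state directory with whatever umask the install happens to run under, and the accompanying message says this directory holds the racoonctl/racoon communication socket and the statistics logs. Setting owner and mode explicitly would make package installs predictable, for example `@exec install -d -o root -g wheel -m 0700 %%STATEDIR%%` (choose the mode that the socket's intended clients actually need). Whether racoon restricts the socket file itself is not visible in this patch, so the directory mode should not be treated as the only control. Also, `%%STATEDIR%%` expands from `${DESTDIR}/var/db/racoon` in the Makefile, so a non-empty DESTDIR at build time would presumably end up baked into the packing list and into `required_dirs` in racoon.sh.in.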
 Index: files/patch-configure
 ===================================================================
 RCS file: files/patch-configure
 diff -N files/patch-configure
 - --- /dev/null	1 Jan 1970 00:00:00 -0000
 +++ files/patch-configure	30 Apr 2006 20:58:25 -0000
 @@ -0,0 +1,77 @@
 +--- configure.orig	Wed Apr 26 15:28:47 2006
 ++++ configure	Wed Apr 26 15:28:56 2006
 +@@ -25122,6 +25122,74 @@
 + fi
 + 
 + 
 ++	echo "$as_me:$LINENO: checking for iconv_open in -liconv" >&5
 ++echo $ECHO_N "checking for iconv_open in -liconv... $ECHO_C" >&6
 ++if test "${ac_cv_lib_iconv_iconv_open+set}" = set; then
 ++  echo $ECHO_N "(cached) $ECHO_C" >&6
 ++else
 ++  ac_check_lib_save_LIBS=$LIBS
 ++LIBS="-liconv  $LIBS"
 ++cat >conftest.$ac_ext <<_ACEOF
 ++/* confdefs.h.  */
 ++_ACEOF
 ++cat confdefs.h >>conftest.$ac_ext
 ++cat >>conftest.$ac_ext <<_ACEOF
 ++/* end confdefs.h.  */
 ++
 ++/* Override any gcc2 internal prototype to avoid an error.  */
 ++#ifdef __cplusplus
 ++extern "C"
 ++#endif
 ++/* We use char because int might match the return type of a gcc2
 ++   builtin and then its argument prototype would still apply.  */
 ++char iconv_open ();
 ++int
 ++main ()
 ++{
 ++iconv_open ();
 ++  ;
 ++  return 0;
 ++}
 ++_ACEOF
 ++rm -f conftest.$ac_objext conftest$ac_exeext
 ++if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
 ++  (eval $ac_link) 2>conftest.er1
 ++  ac_status=$?
 ++  grep -v '^ *+' conftest.er1 >conftest.err
 ++  rm -f conftest.er1
 ++  cat conftest.err >&5
 ++  echo "$as_me:$LINENO: \$? = $ac_status" >&5
 ++  (exit $ac_status); } &&
 ++	 { ac_try='test -z "$ac_c_werror_flag"
 ++			 || test ! -s conftest.err'
 ++  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
 ++  (eval $ac_try) 2>&5
 ++  ac_status=$?
 ++  echo "$as_me:$LINENO: \$? = $ac_status" >&5
 ++  (exit $ac_status); }; } &&
 ++	 { ac_try='test -s conftest$ac_exeext'
 ++  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
 ++  (eval $ac_try) 2>&5
 ++  ac_status=$?
 ++  echo "$as_me:$LINENO: \$? = $ac_status" >&5
 ++  (exit $ac_status); }; }; then
 ++  ac_cv_lib_iconv_iconv_open=yes
 ++else
 ++  echo "$as_me: failed program was:" >&5
 ++sed 's/^/| /' conftest.$ac_ext >&5
 ++
 ++ac_cv_lib_iconv_iconv_open=no
 ++fi
 ++rm -f conftest.err conftest.$ac_objext \
 ++      conftest$ac_exeext conftest.$ac_ext
 ++LIBS=$ac_check_lib_save_LIBS
 ++fi
 ++echo "$as_me:$LINENO: result: $ac_cv_lib_iconv_iconv_open" >&5
 ++echo "${ECHO_T}$ac_cv_lib_iconv_iconv_open" >&6
 ++if test $ac_cv_lib_iconv_iconv_open = yes; then
 ++  LIBS="$LIBS -liconv"
 ++fi
 ++
 + 	echo "$as_me:$LINENO: checking if iconv second argument needs const" >&5
 + echo $ECHO_N "checking if iconv second argument needs const... $ECHO_C" >&6
 + 	saved_CFLAGS=$CFLAGS
 Index: files/racoon.sh.in
 ===================================================================
 RCS file: /home/ncvs/ports/security/ipsec-tools/files/racoon.sh.in,v
 retrieving revision 1.3
 diff -u -r1.3 racoon.sh.in
 - --- files/racoon.sh.in	20 Feb 2006 20:47:39 -0000	1.3
 +++ files/racoon.sh.in	30 Apr 2006 20:58:25 -0000
 @@ -32,6 +32,7 @@
    command="${prefix}/sbin/racoon"
    pidfile="/var/run/racoon.pid"
    required_files="${prefix}/etc/racoon/racoon.conf"
 +required_dirs="%%STATEDIR%%"
    stop_postcmd="racoon_poststop"
 
    racoon_poststop() {
 - --- security_ipsec-tools.diff2 ends here ---
 
 - -- 
 The beginning is the most important part of the work.
   				-Plato
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.3 (FreeBSD)
 
 iD8DBQFEVSo2SPOsGF+KA+MRAvqnAKCPLbqHVKCW/Uv8ax0iOCbnU3mzhQCfVdTP
 4cnUzXTeJKZaP0cQQDwfo6s=
 =3KNp
 -----END PGP SIGNATURE-----


