FreeBSD Bugzilla – Attachment 212682 Details for
Bug 245036
net/ocserv: Update to 1.0.0
[patch]
net/ocserv: Update to 1.0.0
net_ocserv-1.0.0.patch (text/plain), 7.63 KB, created by
Juraj Lutter
on 2020-03-24 22:44:01 UTC
Description:
net/ocserv: Update to 1.0.0
Filename:
MIME Type:
Creator:
Juraj Lutter
Created:
2020-03-24 22:44:01 UTC
Size:
7.63 KB
>diff --git a/net/ocserv/Makefile b/net/ocserv/Makefile
>index b2875639ce3e..8a202bca6b9a 100644
>--- a/net/ocserv/Makefile
>+++ b/net/ocserv/Makefile
>@@ -2,8 +2,7 @@
> # $FreeBSD$
>
> PORTNAME= ocserv
>-PORTVERSION= 0.12.4
>-PORTREVISION= 2
>+PORTVERSION= 1.0.0
> CATEGORIES= net net-vpn security
> MASTER_SITES= ftp://ftp.infradead.org/pub/ocserv/
>
>@@ -54,11 +53,12 @@ RADIUS_LIB_DEPENDS= libradcli.so:net/radcli
> RADIUS_CONFIGURE_OFF= --without-radius
>
> post-patch:
>- @${REINPLACE_CMD} 's|/usr/bin/ocserv-fw|${LOCALBASE}/bin/ocserv-fw|g' \
>+ @${REINPLACE_CMD} 's|/usr/bin/ocserv-fw|${PREFIX}/bin/ocserv-fw|g' \
> ${WRKSRC}/src/main-user.c \
> ${WRKSRC}/doc/sample.config
>- @${REINPLACE_CMD} 's|/usr/bin/ocserv\\-fw|${LOCALBASE}/bin/ocserv\\-fw|g' \
>+ @${REINPLACE_CMD} 's|/usr/bin/ocserv\\-fw|${PREFIX}/bin/ocserv\\-fw|g' \
> ${WRKSRC}/doc/ocserv.8
>+ @${REINPLACE_CMD} 's|%%PREFIX%%|${PREFIX}|g' ${WRKSRC}/src/config.c
>
> post-install:
> @${MKDIR} ${STAGEDIR}${PREFIX}/etc/ocserv
>diff --git a/net/ocserv/distinfo b/net/ocserv/distinfo
>index c14282c66ad5..c33db00e7d0d 100644
>--- a/net/ocserv/distinfo
>+++ b/net/ocserv/distinfo
>@@ -1,3 +1,3 @@
>-TIMESTAMP = 1562531995
>-SHA256 (ocserv-0.12.4.tar.xz) = 05c01effa8a7c2f022616fcb62bade4df51aa7f0035248671da12819d62cb185
>-SIZE (ocserv-0.12.4.tar.xz) = 763540
>+TIMESTAMP = 1585072635
>+SHA256 (ocserv-1.0.0.tar.xz) = 17440e78aadc800836824adb17088534740ebdce3e0cbd3a615fdbbd326b9e91
>+SIZE (ocserv-1.0.0.tar.xz) = 785020
>diff --git a/net/ocserv/files/ocserv.conf b/net/ocserv/files/ocserv.conf
>index cf0f1eebd140..490a6a81c9c4 100644
>--- a/net/ocserv/files/ocserv.conf
>+++ b/net/ocserv/files/ocserv.conf
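Review bot: The new `%%PREFIX%%` substitution in post-patch of net/ocserv/Makefile is now the only step that turns the placeholder carried in files/patch-src_config.c into an absolute path. If that line is dropped, or the placeholder is renamed when the patch is regenerated, DEFAULT_CFG_FILE would be compiled in as a relative path, and a daemon started without an explicit configuration file would presumably resolve it against its working directory. A short comment above the line would record the dependency, for example `# resolves the %%PREFIX%% placeholder left by files/patch-src_config.c in DEFAULT_CFG_FILE`. A post-patch check that fails the build when the placeholder is still present in src/config.c would be stronger.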
>@@ -26,7 +26,7 @@
> # One entry must be listed per line, and 'ocpasswd' should be used
> # to generate password entries. The 'otp' suboption allows one to specify
> # an oath password file to be used for one time passwords; the format of
>-# the file is described in https://code.google.com/p/mod-authn-otp/wiki/UsersFile
>+# the file is described in https://github.com/archiecobbs/mod-authn-otp/wiki/UsersFile
> #
> # radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name]:
> # The radius option requires specifying freeradius-client configuration
>@@ -77,6 +77,10 @@ auth = "plain[passwd=./sample.passwd]"
> # hostname.
> #listen-host = [IP|HOSTNAME]
>
>+# Use udp-listen-host to limit udp to specific IPs or to the IPs of a provided
>+# hostname. if not set, listen-host will be used
>+#udp-listen-host = [IP|HOSTNAME]
>+
> # When the server has a dynamic DNS address (that may change),
> # should set that to true to ask the client to resolve again on
> # reconnects.
>@@ -172,6 +176,16 @@ ca-cert = ../tests/certs/ca.pem
> ### failures during the reloading time.
>
>
>+# Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of
>+# system calls allowed to a worker process, in order to reduce damage from a
>+# bug in the worker process. It is available on Linux systems at a performance cost.
>+# The performance cost is roughly 2% overhead at transfer time (tested on a Linux 3.17.8).
>+# Note however, that process isolation is restricted to the specific libc versions
>+# the isolation was tested at. If you get random failures on worker processes, try
>+# disabling that option and report the failures you, along with system and debugging
>+# information at: https://gitlab.com/ocserv/ocserv/issues
>+isolate-workers = true
>+
> # A banner to be displayed on clients
> #banner = "Welcome"
>
>@@ -391,7 +405,8 @@ rekey-method = ssl
> # client), OCSERV_NO_ROUTES, OCSERV_DNS (the DNS servers for this client),
> # will contain a space separated list of routes or DNS servers. A version
> # of these variables with the 4 or 6 suffix will contain only the IPv4 or
>-# IPv6 values.
>+# IPv6 values. The connect script must return zero as exit code, or the
>+# client connection will be refused.
>
> # The disconnect script will receive the additional values: STATS_BYTES_IN,
> # STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes
>@@ -566,7 +581,7 @@ no-route = 192.168.5.0/255.255.255.0
> # keepalive, dpd, mobile-dpd, max-same-clients, tunnel-all-dns,
> # restrict-user-to-routes, user-profile, cgroup, stats-report-time,
> # mtu, idle-timeout, mobile-idle-timeout, restrict-user-to-ports,
>-# and session-timeout.
>+# split-dns and session-timeout.
> #
> # Note that the 'iroute' option allows one to add routes on the server
> # based on a user or group. The syntax depends on the input accepted
>diff --git a/net/ocserv/files/patch-src_config.c b/net/ocserv/files/patch-src_config.c
>index 46cdb1798c5b..437e31de7504 100644
>--- a/net/ocserv/files/patch-src_config.c
>+++ b/net/ocserv/files/patch-src_config.c
>@@ -5,7 +5,7 @@
>
> #define OLD_DEFAULT_CFG_FILE "/etc/ocserv.conf"
> -#define DEFAULT_CFG_FILE "/etc/ocserv/ocserv.conf"
>-+#define DEFAULT_CFG_FILE "/usr/local/etc/ocserv/conf"
>++#define DEFAULT_CFG_FILE "%%PREFIX%%/etc/ocserv/conf"
>
> static void print_version(void);
>
>diff --git a/net/ocserv/files/patch-src_main-ban.c b/net/ocserv/files/patch-src_main-ban.c
>new file mode 100644
>index 000000000000..1018d8b381a5
>--- /dev/null
>+++ b/net/ocserv/files/patch-src_main-ban.c
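Review bot: `isolate-workers = true` is switched on in net/ocserv/files/ocserv.conf, the sample configuration this port carries, although the comment added directly above it says the seccomp/namespace isolation is available on Linux systems. On FreeBSD the setting therefore cannot provide the worker sandboxing it describes, and an administrator reading the installed file may assume workers are confined when they are not. How ocserv treats the option on a build without seccomp support is not visible in this diff and should be confirmed. I would ship the line commented out as `#isolate-workers = false` and add `# Not available on FreeBSD (Linux seccomp/namespaces only); workers run without this isolation.` above it.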
>@@ -0,0 +1,19 @@
>+Commit c1428689: ban log: only log once when adding, not when
>+increasing score when already banned
>+
>+https://gitlab.com/openconnect/ocserv/-/commit/c142868909490e65acea22add83ff4e6237fb63a
>+
>+--- src/main-ban.c.orig 2020-03-24 20:04:58 UTC
>++++ src/main-ban.c
>+@@ -155,9 +155,9 @@ int add_ip_to_ban_list(main_server_st *s
>+ * periodically polls the server */
>+ if (e->score < GETCONFIG(s)->max_ban_score) {
>+ e->expires = expiration;
>+- print_msg = 0;
>+- } else
>+ print_msg = 1;
>++ } else
>++ print_msg = 0;
>+
>+ /* prevent overflow */
>+ e->score = (e->score + score) > e->score ? (e->score + score) : (e->score);
>diff --git a/net/ocserv/files/patch-src_tun.c b/net/ocserv/files/patch-src_tun.c
>deleted file mode 100644
>index 6fe5ed5e6246..000000000000
>--- a/net/ocserv/files/patch-src_tun.c
>+++ /dev/null
>@@ -1,25 +0,0 @@
>---- src/tun.c.orig 2018-04-14 07:52:35 UTC
>-+++ src/tun.c
>-@@ -895,3 +895,22 @@ ssize_t tun_read(int sockfd, void *buf, size_t len)
>- return read(sockfd, buf, len);
>- }
>- #endif
>-+
>-+#ifndef __FreeBSD__
>-+int tun_claim(int sockfd)
>-+{
>-+
>-+ return (0);
>-+}
>-+#else
>-+/*
>-+ * FreeBSD has a mechanism by which a tunnel has a single controlling process,
>-+ * and only that one process may close it. When the controlling process closes
>-+ * the tunnel, the state is torn down.
>-+ */
>-+int tun_claim(int sockfd)
>-+{
>-+
>-+ return (ioctl(sockfd, TUNSIFPID, 0));
>-+}
>-+#endif /* !__FreeBSD__ */
>diff --git a/net/ocserv/files/patch-src_tun.h b/net/ocserv/files/patch-src_tun.h
>deleted file mode 100644
>index 0311177f3f78..000000000000
>--- a/net/ocserv/files/patch-src_tun.h
>+++ /dev/null
>@@ -1,9 +0,0 @@
>---- src/tun.h.orig 2018-01-13 18:43:41 UTC
>-+++ src/tun.h
>-@@ -35,5 +35,6 @@ struct tun_lease_st {
>-
>- ssize_t tun_write(int sockfd, const void *buf, size_t len);
>- ssize_t tun_read(int sockfd, void *buf, size_t len);
>-+int tun_claim(int sockfd);
>-
>- #endif
>diff --git a/net/ocserv/files/patch-src_worker-auth.c b/net/ocserv/files/patch-src_worker-auth.c
>deleted file mode 100644
>index f7e01eeed392..000000000000
>--- a/net/ocserv/files/patch-src_worker-auth.c
>+++ /dev/null
>@@ -1,14 +0,0 @@
>---- src/worker-auth.c.orig 2019-01-19 18:47:47 UTC
>-+++ src/worker-auth.c
>-@@ -605,7 +605,10 @@ static int recv_cookie_auth_reply(worker_st * ws)
>- case AUTH__REP__OK:
>- if (socketfd != -1) {
>- ws->tun_fd = socketfd;
>--
>-+ if (tun_claim(ws->tun_fd) != 0) {
>-+ ret = ERR_AUTH_FAIL;
>-+ goto cleanup;
>-+ }
>- if (msg->vname == NULL || msg->config == NULL || msg->user_name == NULL || msg->sid.len != sizeof(ws->sid)) {
>- ret = ERR_AUTH_FAIL;
>- goto cleanup;