
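--- a/net/ocserv/Makefile
+++ b/net/ocserv/Makefile
@@ -1,80 +1,84 @@
 # Created by: Carlos J Puga Medina <cpm@fbsd.es>
 # $FreeBSD$
 
 PORTNAME=	ocserv
-PORTVERSION=	1.0.1
-PORTREVISION=	1
+PORTVERSION=	1.1.1
 CATEGORIES=	net net-vpn security
 MASTER_SITES=	ftp://ftp.infradead.org/pub/ocserv/
 
 MAINTAINER=	ports@FreeBSD.org
 COMMENT=	Server implementing the AnyConnect SSL VPN protocol
 
 LICENSE=	GPLv2+
 LICENSE_FILE=	${WRKSRC}/LICENSE
 
 BUILD_DEPENDS=	bash:shells/bash \
 		gsed:textproc/gsed
 LIB_DEPENDS=	liblz4.so:archivers/liblz4 \
 		libiconv.so:converters/libiconv \
 		libev.so:devel/libev \
 		libtalloc.so:devel/talloc \
 		libprotobuf-c.so:devel/protobuf-c \
 		libgnutls.so:security/gnutls \
 		libtasn1.so:security/libtasn1 \
 		libnettle.so:security/nettle \
 		liboath.so:security/oath-toolkit \
 		libpcl.so:devel/pcl
 
 USES=		autoreconf cpe gperf libtool localbase ncurses \
 		pathfix pkgconfig readline tar:xz
 
 CPE_VENDOR=	infradead
 GNU_CONFIGURE=	yes
 CONFIGURE_ARGS=	--without-geoip \
-		--without-http-parser
+		--without-http-parser \
+		--disable-namespaces
 
 USERS=		_ocserv
 GROUPS=		_ocserv
 
 USE_RC_SUBR=	ocserv
 
 PLIST_SUB=	USERS="${USERS}" GROUPS="${GROUPS}"
 
-OPTIONS_DEFINE=		DOCS EXAMPLES GSSAPI RADIUS
+OPTIONS_DEFINE=		DOCS EXAMPLES GSSAPI MAXMIND RADIUS
 
 PORTDOCS=	AUTHORS ChangeLog NEWS README TODO
 PORTEXAMPLES=	profile.xml sample.config sample.passwd
 
 GSSAPI_USES=		gssapi:mit
 GSSAPI_LIB_DEPENDS=	libkrb5support.so:security/krb5
 GSSAPI_CONFIGURE_OFF=	--without-gssapi
 
 RADIUS_LIB_DEPENDS=	libradcli.so:net/radcli
 RADIUS_CONFIGURE_OFF=	--without-radius
 
+MAXMIND_DESC=		Use Maxmind GeoIP library
+MAXMIND_LIB_DEPENDS=	libmaxminddb.so:net/libmaxminddb
+MAXMIND_CONFIGURE_OFF=	--without-maxmind
+
 .include <bsd.port.pre.mk>
 
 post-patch:
 	${REINPLACE_CMD} 's|/usr/bin/ocserv-fw|${PREFIX}/bin/ocserv-fw|g' \
 		${WRKSRC}/src/main-user.c
 	${REINPLACE_CMD} 's|/usr/bin/ocserv\\-fw|${PREFIX}/bin/ocserv\\-fw|g' \
 		${WRKSRC}/doc/ocserv.8
 .if "${PREFIX}" != "" && "${PREFIX}" != "/" && "${PREFIX}" != "/usr"
 	${REINPLACE_CMD} -E 's|^(#define DEFAULT_CFG_FILE ")(/etc/ocserv/ocserv.conf")|\1${PREFIX}\2|' ${WRKSRC}/src/config.c
 .endif
 
 post-install:
 	${MKDIR} ${STAGEDIR}${PREFIX}/etc/ocserv ${STAGEDIR}/var/run/ocserv
 	${INSTALL_DATA} ${FILESDIR}/ocserv.conf ${STAGEDIR}${PREFIX}/etc/ocserv/ocserv.conf.sample
 	${INSTALL_MAN} ${WRKSRC}/doc/*.8 ${STAGEDIR}${MANPREFIX}/man/man8
 
 post-install-DOCS-on:
 	${MKDIR} ${STAGEDIR}${DOCSDIR}
 	cd ${WRKSRC} && ${INSTALL_DATA} ${PORTDOCS} ${STAGEDIR}${DOCSDIR}
 
 post-install-EXAMPLES-on:
 	${MKDIR} ${STAGEDIR}${EXAMPLESDIR}
 	cd ${WRKSRC}/doc && ${INSTALL_DATA} ${PORTEXAMPLES} ${STAGEDIR}${EXAMPLESDIR}
 
 .include <bsd.port.post.mk>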
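Review bot: `--disable-namespaces` is added to CONFIGURE_ARGS with no comment saying why, and it switches off an isolation feature at build time. The refreshed sample.config patch on this page states that worker isolation is Linux-only, so a one-line comment above the assignment would record that this is a platform limitation rather than a tuning choice, for example `# Linux namespace/seccomp worker isolation is not available on FreeBSD`. If the dedicated `_ocserv` user is then the only separation between workers and the rest of the system, the commit message would be a good place to say so; the page does not show enough to confirm that.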
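--- a/net/ocserv/distinfo
+++ b/net/ocserv/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1586552655
-SHA256 (ocserv-1.0.1.tar.xz) = 59d9ef7a1aeb95ff6e762e2a0f231b3fae2ea420f68a1cf09d39a26395040f4b
-SIZE (ocserv-1.0.1.tar.xz) = 787800
+TIMESTAMP = 1602242932
+SHA256 (ocserv-1.1.1.tar.xz) = 9c7aaf46e53e28cfa7be329b18f3951e7e851153ff6a27e946496fd4e8e5765a
+SIZE (ocserv-1.1.1.tar.xz) = 818988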
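--- a/net/ocserv/files/patch-configure.ac
+++ b/net/ocserv/files/patch-configure.ac
@@ -1,20 +1,20 @@
---- configure.ac.orig	2020-04-09 21:07:12 UTC
+--- configure.ac.orig	2020-10-09 11:32:59 UTC
 +++ configure.ac
 @@ -15,7 +15,7 @@ AM_PROG_AR
  AM_PROG_CC_C_O
  AC_PROG_SED
- if [ test "$GCC" = "yes" ];then
+ if test "$GCC" = "yes" && ! expr "$CC" : clang >/dev/null 2>&1;then
 -	CFLAGS="$CFLAGS -Wall -Wno-strict-aliasing -Wextra -Wno-unused-parameter -Wno-sign-compare -Wno-missing-field-initializers -Wno-implicit-fallthrough -Wno-stringop-truncation"
 +	CFLAGS="$CFLAGS -Wall -Wno-strict-aliasing -Wextra -Wno-unused-parameter -Wno-sign-compare -Wno-missing-field-initializers"
  fi
- 
  AC_PATH_PROG(CTAGS, ctags, [:])
+ AC_PATH_PROG(CSCOPE, cscope, [:])
-@@ -222,7 +222,7 @@ if test "$test_for_geoip" = yes && test "$have_maxmind
+@@ -199,7 +199,7 @@ if test "$test_for_geoip" = yes && test "$have_maxmind
  fi
  
  have_readline=no
 -AC_LIB_HAVE_LINKFLAGS(readline,, [
 +AC_LIB_HAVE_LINKFLAGS(readline,ncurses, [
  #include <stdio.h>
  #include <readline/readline.h>], [rl_replace_line(0,0);])
    if test x$ac_cv_libreadline = xyes; then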
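Review bot: The first hunk of the refreshed patch still strips `-Wno-implicit-fallthrough -Wno-stringop-truncation`, yet its new context line shows that upstream now skips this whole block when `$CC` matches clang. If the two flags were removed for clang's benefit, the hunk looks redundant against 1.1.1 and could be dropped, leaving only the readline/ncurses hunk. If it is still needed for an older GCC, a sentence in the commit message saying so would help the next person who refreshes the patch. This is inferred from the context line alone; the rest of configure.ac is not visible here.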
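--- a/net/ocserv/files/patch-doc_sample.config
+++ b/net/ocserv/files/patch-doc_sample.config
@@ -1,78 +1,78 @@
---- doc/sample.config.orig	2020-04-09 20:56:20 UTC
+--- doc/sample.config.orig	2020-09-20 19:49:01 UTC
 +++ doc/sample.config
 @@ -19,7 +19,7 @@
  #  This enabled PAM authentication of the user. The gid-min option is used
  # by auto-select-group option, in order to select the minimum valid group ID.
  #
 -# plain[passwd=/etc/ocserv/ocpasswd,otp=/etc/ocserv/users.otp]
 +# plain[passwd=/usr/local/etc/ocserv/ocpasswd,otp=/etc/ocserv/users.otp]
  #  The plain option requires specifying a password file which contains
  # entries of the following format.
  # "username:groupname1,groupname2:encoded-password"
-@@ -106,8 +106,8 @@ udp-port = 443
- 
- # The user the worker processes will be run as. It should be
- # unique (no other services run as this user).
+@@ -110,8 +110,8 @@ udp-port = 443
+ # The user the worker processes will be run as. This should be a dedicated
+ # unprivileged user (e.g., 'ocserv') and no other services should run as this
+ # user.
 -run-as-user = nobody
 -run-as-group = daemon
 +run-as-user = _ocserv
 +run-as-group = _ocserv
  
  # socket file used for IPC with occtl. You only need to set that,
  # if you use more than a single servers.
-@@ -176,15 +176,9 @@ ca-cert = ../tests/certs/ca.pem
+@@ -180,15 +180,9 @@ ca-cert = ../tests/certs/ca.pem
  ### failures during the reloading time.
  
  
 -# Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of 
 -# system calls allowed to a worker process, in order to reduce damage from a
 -# bug in the worker process. It is available on Linux systems at a performance cost.
 -# The performance cost is roughly 2% overhead at transfer time (tested on a Linux 3.17.8).
 -# Note however, that process isolation is restricted to the specific libc versions
 -# the isolation was tested at. If you get random failures on worker processes, try
 -# disabling that option and report the failures you, along with system and debugging
 -# information at: https://gitlab.com/ocserv/ocserv/issues
 -isolate-workers = true
-+# ocserv 1.0.1 on FreeBSD does not currently support process isolation,
++# ocserv 1.1.1 on FreeBSD does not currently support process isolation,
 +# because ocserv only supports Linux's seccomp system, but not capsicum(4).
 +#isolate-workers = false
  
- # A banner to be displayed on clients
+ # A banner to be displayed on clients after connection
  #banner = "Welcome"
-@@ -535,15 +529,15 @@ no-route = 192.168.5.0/255.255.255.0
+@@ -553,15 +547,15 @@ no-route = 192.168.5.0/255.255.255.0
  # Note the that following two firewalling options currently are available
  # in Linux systems with iptables software. 
  
 -# If set, the script /usr/bin/ocserv-fw will be called to restrict
 +# If set, the script /usr/local/bin/ocserv-fw will be called to restrict
  # the user to its allowed routes and prevent him from accessing
  # any other routes. In case of defaultroute, the no-routes are restricted.
 -# All the routes applied by ocserv can be reverted using /usr/bin/ocserv-fw
 +# All the routes applied by ocserv can be reverted using /usr/local/bin/ocserv-fw
  # --removeall. This option can be set globally or in the per-user configuration.
  #restrict-user-to-routes = true
  
  # This option implies restrict-user-to-routes set to true. If set, the
 -# script /usr/bin/ocserv-fw will be called to restrict the user to
 +# script /usr/local/bin/ocserv-fw will be called to restrict the user to
  # access specific ports in the network. This option can be set globally
  # or in the per-user configuration.
  #restrict-user-to-ports = "tcp(443), tcp(80), udp(443), sctp(99), tcp(583), icmp(), icmpv6()"
-@@ -591,13 +585,13 @@ no-route = 192.168.5.0/255.255.255.0
+@@ -609,13 +603,13 @@ no-route = 192.168.5.0/255.255.255.0
  # hostname to override any proposed by the user. Note also, that, any 
  # routes, no-routes, DNS or NBNS servers present will overwrite the global ones.
  
 -#config-per-user = /etc/ocserv/config-per-user/
 -#config-per-group = /etc/ocserv/config-per-group/
 +#config-per-user = /usr/local/etc/ocserv/config-per-user/
 +#config-per-group = /usr/local/etc/ocserv/config-per-group/
  
  # When config-per-xxx is specified and there is no group or user that
  # matches, then utilize the following configuration.
 -#default-user-config = /etc/ocserv/defaults/user.conf
 -#default-group-config = /etc/ocserv/defaults/group.conf
 +#default-user-config = /usr/local/etc/ocserv/defaults/user.conf
 +#default-group-config = /usr/local/etc/ocserv/defaults/group.conf
  
  # The system command to use to setup a route. %{R} will be replaced with the
  # route/mask, %{RI} with the route in CIDR format, and %{D} with the (tun) device.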
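Review bot: The `plain[...]` example on patch line 8 moves only the `passwd=` path to /usr/local/etc/ocserv and leaves `otp=/etc/ocserv/users.otp` pointing at the base-system directory. Someone copying the example would end up with the OTP secrets file outside the directory the port creates and documents. The refreshed patch could carry `+# plain[passwd=/usr/local/etc/ocserv/ocpasswd,otp=/usr/local/etc/ocserv/users.otp]` instead. The paths in this patch are also hard-coded to /usr/local while the Makefile substitutes `${PREFIX}`, so they will be wrong for a non-default prefix.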
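--- a/net/ocserv/pkg-plist
+++ b/net/ocserv/pkg-plist
@@ -1,9 +1,10 @@
 bin/occtl
 bin/ocpasswd
 bin/ocserv-fw
 man/man8/occtl.8.gz
 man/man8/ocpasswd.8.gz
 man/man8/ocserv.8.gz
 @sample etc/ocserv/ocserv.conf.sample
 sbin/ocserv
+sbin/ocserv-worker
 @dir(%%USERS%%,%%GROUPS%%,750) /var/run/ocserv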
