[net-misc/oidentd] add fedora patches, selinux dep, eapi6

This commit is contained in:
Robert Förster 2017-03-27 03:29:07 +02:00
parent 62226e213b
commit 8216e363b9
16 changed files with 399 additions and 0 deletions


@ -0,0 +1 @@
DIST oidentd-2.0.8.tar.gz 212354 SHA256 a54cbed187281f8d5a301d1d8fd5cb0f30bfb13a5a8e9ab752ace76c1010fb6f SHA512 86229a4ef9892121c25a7140616e180f862ca34b73ea3ad9f0fbb008f657abb17e9f14c2c25ae14c14bfc14bf1ea10b50fd68318631a9c52227bbfd6e6d43288 WHIRLPOOL ac36130273ec6a4fc7f715a9518f99445c3f4af50b03e647846b152800940fd8f83222b78b7a12385a0c722a8d89b6bdbc557812d0b64e3253aa3231f95215cb


@ -0,0 +1,4 @@
# oidentd start-up options
USER="nobody"
GROUP="nobody"
OPTIONS=""
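Review bot: The header comment `# oidentd start-up options` does not say that the init script appends `-u ${USER} -g ${GROUP}` to `OPTIONS` itself, so an administrator who repeats `-u`/`-g` here ends up passing the flags twice. A comment above the last line, `# extra flags for oidentd; -u/-g are added from USER/GROUP by the init script`, makes that contract explicit. Note also that the example masquerading config added in this same commit refers to the variable as `OIDENT_OPTIONS`, while the name defined here is `OPTIONS`.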


@ -0,0 +1,40 @@
#!/sbin/openrc-run
# Copyright 1999-2004 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
depend() {
need net
}
check_config() {
if [ -z "${USER}" ]
then
eerror "Please set \$USER in /etc/conf.d/oidentd!"
return 1
fi
if [ -z "${GROUP}" ]
then
eerror "Please set \$GROUP in /etc/conf.d/oidentd!"
return 1
fi
if [ "$(sysctl -n security.bsd.see_other_uids 2>/dev/null)" = "0" ]; then
eerror "${SVCNAME} cannot work if the sysctl security.bsd.see_other_uids is 0"
return 1
fi
}
start() {
check_config || return 1
ebegin "Starting oidentd"
OPTIONS="${OPTIONS} -u ${USER} -g ${GROUP}"
start-stop-daemon --start --quiet --exec /usr/sbin/oidentd -- $OPTIONS
eend $?
}
stop() {
ebegin "Stopping oidentd"
start-stop-daemon --stop --quiet --exec /usr/sbin/oidentd
eend $?
}
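Review bot: check_config only tests that USER and GROUP are non-empty; a name that does not exist on the system is still handed to start-stop-daemon, and the failure then surfaces from the daemon's own `-u`/`-g` handling rather than from the service script. A lookup before starting, `if ! getent passwd "${USER}" >/dev/null; then eerror "User ${USER} does not exist"; return 1; fi` (and the same with `getent group` for GROUP), fails early with a clear message. Separately, stop() identifies the daemon by `--exec /usr/sbin/oidentd` alone, so it signals every process running that binary; if oidentd maintains a pid file, adding `--pidfile` would narrow the match — confirm against the daemon's options.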


@ -0,0 +1,17 @@
Patch to bind to ipv6 socket as well
Patch supplied by Fabian Knittel <fabian.knittel@avona.com>
--- oidentd-2.0.8/src/oidentd_inet_util.c 2006-05-22 02:31:19.000000000 +0200
+++ oidentd-2.0.8/src/oidentd_inet_util.c 2010-03-01 20:26:11.000000000 +0100
@@ -60,6 +60,12 @@
#ifdef WANT_IPV6
case AF_INET6:
SIN6(ai->ai_addr)->sin6_port = listen_port;
+
+ if (setsockopt(listenfd, IPPROTO_IPV6, IPV6_V6ONLY, &one,
+ sizeof(one)) != 0) {
+ debug("setsockopt IPV6_V6ONLY: %s", strerror(errno));
+ return (-1);
+ }
break;
#endif
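Review bot: The added IPV6_V6ONLY failure path reports through `debug()`, which — per the description of the log-conntrack-fails patch in this same commit — only reaches the log in debugging builds, so on a release build the listener setup silently fails with `return (-1)` and no explanation. That Fedora patch switches exactly this situation to `o_log(NORMAL, ...)`; `o_log(NORMAL, "setsockopt IPV6_V6ONLY: %s", strerror(errno));` here would be consistent with it. The hunk also relies on a variable `one` declared outside the visible context, and the enclosing function begins and ends outside the hunk.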


@ -0,0 +1,25 @@
Description: Fix a failure to build with gcc5.
Bug: http://bugs.debian.org/778035
--- a/src/oidentd_util.c 2015-07-03 05:56:24.000000000 -0400
+++ b/src/oidentd_util.c 2015-07-03 05:56:47.671378000 -0400
@@ -75,7 +75,7 @@
** PRNG functions on systems whose libraries provide them.)
*/
-inline int randval(int i) {
+extern __attribute__ ((gnu_inline)) int randval(int i) {
/* Per _Numerical Recipes in C_: */
return ((double) i * rand() / (RAND_MAX+1.0));
}
--- a/src/oidentd_util.h 2015-07-03 05:56:32.000000000 -0400
+++ b/src/oidentd_util.h 2015-07-03 05:56:53.835378000 -0400
@@ -58,7 +58,7 @@
int find_group(const char *temp_group, gid_t *gid);
int random_seed(void);
-inline int randval(int i);
+extern __attribute__ ((gnu_inline)) int randval(int i);
#ifndef HAVE_SNPRINTF
int snprintf(char *str, size_t n, char const *fmt, ...);
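Review bot: `__attribute__ ((gnu_inline))` is a GCC/Clang extension, so the build fix trades one compiler-specific behaviour (GNU89 `inline` semantics) for another; since `randval` is a one-line wrapper around `rand()`, declaring it as a plain external function in both files — `int randval(int i);` in the header and `int randval(int i) {` in the source — is portable and leaves inlining to the optimizer. The context line also shows that the `random` reply mode (enabled by `allow random` in the example config added in this commit) presumably draws from `rand()`, which is not an unpredictable source; that is upstream behaviour rather than something this patch introduces, but it deserves a sentence in the patch header if that mode is relied on for privacy.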


@ -0,0 +1,52 @@
From 612f1d85dd59fc39b124392df38586769ebc8add Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Fri, 11 Mar 2016 10:00:59 +0100
Subject: [PATCH] Log Linux core_init failures as normal error
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Opening Linux conntracking table file failure for different reason than
missing the file is fatal for deamon initizalization. But the failure
was logged inly in debugging build.
This patch makes the fatal error visible in normal log.
https://bugzilla.redhat.com/show_bug.cgi?id=1316308
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
src/kernel/linux.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/kernel/linux.c b/src/kernel/linux.c
index 8bf265f..9103dbf 100644
--- a/src/kernel/linux.c
+++ b/src/kernel/linux.c
@@ -73,21 +73,21 @@ bool core_init(void) {
masq_fp = fopen(MASQFILE, "r");
if (masq_fp == NULL) {
if (errno != ENOENT) {
- debug("fopen: %s: %s", MASQFILE, strerror(errno));
+ o_log(NORMAL, "fopen: %s: %s", MASQFILE, strerror(errno));
return false;
}
masq_fp = fopen(CONNTRACK, "r");
if (masq_fp == NULL) {
if (errno != ENOENT) {
- debug("fopen: %s: %s", CONNTRACK, strerror(errno));
+ o_log(NORMAL, "fopen: %s: %s", CONNTRACK, strerror(errno));
return false;
}
masq_fp = fopen(NFCONNTRACK, "r");
if (masq_fp == NULL) {
if (errno != ENOENT) {
- debug("fopen: %s: %s", NFCONNTRACK, strerror(errno));
+ o_log(NORMAL, "fopen: %s: %s", NFCONNTRACK, strerror(errno));
return false;
}
masq_fp = fopen("/dev/null", "r");
--
2.5.0


@ -0,0 +1,43 @@
--- oidentd-2.0.8/src/kernel/linux.c 2006-05-22 06:58:53.000000000 +0300
+++ oidentd-2.0.8/src/kernel/linux.c 2007-07-11 21:28:56.000000000 +0300
@@ -48,6 +48,7 @@
#define CFILE6 "/proc/net/tcp6"
#define MASQFILE "/proc/net/ip_masquerade"
#define CONNTRACK "/proc/net/ip_conntrack"
+#define NFCONNTRACK "/proc/net/nf_conntrack"
static int netlink_sock;
extern struct sockaddr_storage proxy;
@@ -82,7 +83,15 @@
debug("fopen: %s: %s", CONNTRACK, strerror(errno));
return false;
}
- masq_fp = fopen("/dev/null", "r");
+
+ masq_fp = fopen(NFCONNTRACK, "r");
+ if (masq_fp == NULL) {
+ if (errno != ENOENT) {
+ debug("fopen: %s: %s", NFCONNTRACK, strerror(errno));
+ return false;
+ }
+ masq_fp = fopen("/dev/null", "r");
+ }
}
netfilter = true;
@@ -367,6 +376,15 @@
&nport_temp, &mport_temp);
}
+ if (ret != 21) {
+ ret = sscanf(buf,
+ "%*15s %*d %15s %*d %*d ESTABLISHED src=%d.%d.%d.%d dst=%d.%d.%d.%d sport=%d dport=%d packets=%*d bytes=%*d src=%d.%d.%d.%d dst=%d.%d.%d.%d sport=%d dport=%d",
+ proto, &l1, &l2, &l3, &l4, &r1, &r2, &r3, &r4,
+ &masq_lport_temp, &masq_fport_temp,
+ &nl1, &nl2, &nl3, &nl4, &nr1, &nr2, &nr3, &nr4,
+ &nport_temp, &mport_temp);
+ }
+
if (ret != 21)
continue;
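Review bot: The fallback `sscanf` added for the nf_conntrack table hard-codes `packets=%*d bytes=%*d` between the two address tuples; those fields are only emitted when connection-tracking accounting is enabled (the `nf_conntrack_acct` sysctl), so on a host without accounting the scan yields fewer than 21 conversions and the entry is dropped by the `if (ret != 21) continue;` that follows, making masqueraded lookups fail silently — please confirm against the kernel's proc format. A third attempt with the same format minus the `packets=%*d bytes=%*d` tokens, guarded like the one in this hunk, would cover both layouts, and logging the parse failure once would aid diagnosis. The enclosing loop and function extend outside the hunk.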


@ -0,0 +1,41 @@
From 20a63ad8a90c36397cceedd34887298890dbafa3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Fri, 11 Mar 2016 10:38:10 +0100
Subject: [PATCH] Linux: Do not open conntracking table if masquerading is not
enabled
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The contracking table was always opened. This is unnecessary because
the table is used only when masquerading feature is requested on run
time.
This patch skips opening the conntracking table on Linux if
masquerading is not requested.
https://bugzilla.redhat.com/show_bug.cgi?id=1316308
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
src/kernel/linux.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/kernel/linux.c b/src/kernel/linux.c
index 9103dbf..859f554 100644
--- a/src/kernel/linux.c
+++ b/src/kernel/linux.c
@@ -70,6 +70,11 @@ bool netfilter;
*/
bool core_init(void) {
#ifdef MASQ_SUPPORT
+ if (!opt_enabled(MASQ)) {
+ masq_fp = NULL;
+ return true;
+ }
+
masq_fp = fopen(MASQFILE, "r");
if (masq_fp == NULL) {
if (errno != ENOENT) {
--
2.5.0
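Review bot: The early return leaves `masq_fp` as NULL without recording that this is now the "masquerading disabled" state the lookup code must tolerate; a comment above the new `if`, `/* Masquerading was not requested: leave masq_fp NULL so lookups skip the conntrack table. */`, documents the contract. Note that this patch's `index 9103dbf..859f554` starts from the blob that the log-conntrack-fails patch produces (`8bf265f..9103dbf`), so the two must be applied in that order. core_init continues past the end of the hunk.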


@ -0,0 +1,22 @@
# Configuration for oidentd
# see oidentd.conf(5)
#
default {
default {
deny spoof
deny spoof_all
deny spoof_privport
allow random
allow random_numeric
allow numeric
deny hide
}
}
# you may want to hide root connections
#user "root" {
# default {
# force reply "UNKNOWN"
# }
#}
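Review bot: The `default` block sets `deny hide`, so every user's login name is returned for any matching connection to whoever queries port 113, yet the only comment discusses root; the disclosure implication of that line deserves its own comment, e.g. `# "deny hide": users cannot suppress disclosure of their login name; use "allow hide" to permit it`. Since the ebuild installs this file under /usr/share/doc rather than /etc, it is an example only, and a sentence saying so in the header would avoid confusion.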


@ -0,0 +1,9 @@
[Unit]
Description=TCP/IP IDENT protocol server
[Service]
ExecStart=/usr/sbin/oidentd -i -S -u nobody -g nobody
ExecReload=/bin/kill -HUP $MAINPID
[Install]
WantedBy=multi-user.target
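Review bot: ExecStart launches oidentd as root and relies solely on the daemon's `-u nobody -g nobody` to drop privileges; the unit carries none of systemd's sandboxing. `NoNewPrivileges=yes` and `ProtectSystem=full` are compatible with a read-only ident responder (ProtectHome= is not, if per-user configuration files in home directories are honoured — confirm), and `[Unit]` lacks `After=network.target`, so the listener may be started before networking is configured.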


@ -0,0 +1,10 @@
[Unit]
Description=Ident (RFC 1413) socket
Conflicts=oidentd.service
[Socket]
ListenStream=113
Accept=yes
[Install]
WantedBy=sockets.target
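Review bot: With `Accept=yes` every incoming ident query spawns an `oidentd@.service` instance, and the unit sets no limit of its own, so only systemd's default `MaxConnections=` bounds concurrent instances under a query flood; an explicit `MaxConnections=` (plus `MaxConnectionsPerSource=` on systemd versions that support it) documents and tunes that ceiling. `Conflicts=oidentd.service` is the right guard against both listeners competing for port 113.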


@ -0,0 +1,7 @@
[Unit]
Description=Ident (RFC 1413) per-connection server
[Service]
ExecStart=/usr/sbin/oidentd -I -S -u nobody -g nobody
ExecReload=/bin/kill -HUP $MAINPID
StandardInput=socket
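Review bot: `ExecReload=/bin/kill -HUP $MAINPID` is copied from the standalone oidentd.service but has no meaning for a per-connection instance, which is started with `-I` to answer on the socket passed as standard input and then exits; dropping the line keeps the template honest about what it supports. As each instance also runs as root until oidentd's own `-u nobody -g nobody` drop, the same sandboxing directives suggested for the daemon unit (`NoNewPrivileges=yes`, `ProtectSystem=full`) apply here.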


@ -0,0 +1,10 @@
# oident masquarded connections configuration
# use this file if your host is masquarading connections for several
# hosts and you want to return a reply based on the hostname of
# the originating machine
# add "-f" to OIDENT_OPTIONS in /etc/conf.d/oidentd if you want
# to forward ident requests to the real host
# add hosts in the following format, see oidentd_masq.conf(5) for details:
# <ip or host>[/mask] <username> <os>
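Review bot: The comment tells administrators to add `-f` to `OIDENT_OPTIONS` in /etc/conf.d/oidentd, but the conf.d file added in this commit defines the variable as `OPTIONS`, so the instruction points at a name that does not exist; change the line to `# add "-f" to OPTIONS in /etc/conf.d/oidentd if you want`. The header also misspells masquerade twice (`masquarded`, `masquarading`).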


@ -0,0 +1,10 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
<use>
<flag name="masquerade">Enable support for masqueraded/NAT connections</flag>
</use>
<upstream>
<remote-id type="sourceforge">ojnk</remote-id>
</upstream>
</pkgmetadata>


@ -0,0 +1,53 @@
# Copyright 1999-2017 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
EAPI=5
inherit eutils systemd
DESCRIPTION="Another (RFC1413 compliant) ident daemon"
HOMEPAGE="http://ojnk.sourceforge.net/"
SRC_URI="mirror://sourceforge/ojnk/${P}.tar.gz"
LICENSE="GPL-2"
SLOT="0"
KEYWORDS="alpha amd64 arm hppa ia64 ~mips ppc ~s390 ~sh sparc x86 ~x86-fbsd"
IUSE="debug ipv6 masquerade"
PATCHES=(
"${FILESDIR}/${P}-masquerading.patch"
"${FILESDIR}/${P}-bind-to-ipv6-too.patch"
"${FILESDIR}/${P}-gcc5.patch"
)
src_prepare() {
epatch -p1 "${PATCHES[@]}"
}
src_configure() {
econf \
$(use_enable debug) \
$(use_enable ipv6) \
$(use_enable masquerade masq) \
$(use_enable masquerade nat)
}
src_install() {
default
dodoc AUTHORS ChangeLog README TODO NEWS \
"${FILESDIR}"/${PN}_masq.conf "${FILESDIR}"/${PN}.conf
newinitd "${FILESDIR}"/${PN}-2.0.7-init ${PN}
newconfd "${FILESDIR}"/${PN}-2.0.7-confd ${PN}
systemd_newunit "${FILESDIR}"/${PN}_at.service ${PN}@.service
systemd_dounit "${FILESDIR}"/${PN}.socket
systemd_dounit "${FILESDIR}"/${PN}.service
}
pkg_postinst() {
echo
elog "Example configuration files are in /usr/share/doc/${PF}"
echo
}
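Review bot: src_prepare applies the bundled patches but never calls `epatch_user`, so user-supplied patches are ignored by this EAPI=5 ebuild; adding `epatch_user` after the `epatch -p1 "${PATCHES[@]}"` line restores that. The init and conf.d scripts are installed from files named `-2.0.7-` although the package is 2.0.8; if they are shared between versions deliberately, a comment saying so would help.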


@ -0,0 +1,55 @@
# Copyright 1999-2017 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
EAPI=6
inherit systemd
DESCRIPTION="Another (RFC1413 compliant) ident daemon"
HOMEPAGE="http://ojnk.sourceforge.net/"
SRC_URI="mirror://sourceforge/ojnk/${P}.tar.gz"
LICENSE="GPL-2"
SLOT="0"
KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~s390 ~sh ~sparc ~x86 ~x86-fbsd"
IUSE="debug ipv6 masquerade selinux"
DEPEND=""
RDEPEND="${DEPEND}
selinux? ( sec-policy/selinux-oident )"
DOCS=( AUTHORS ChangeLog README TODO NEWS "${FILESDIR}"/${PN}_masq.conf "${FILESDIR}"/${PN}.conf )
PATCHES=(
"${FILESDIR}/${P}-masquerading.patch"
"${FILESDIR}/${P}-bind-to-ipv6-too.patch"
"${FILESDIR}/${P}-gcc5.patch"
"${FILESDIR}/${P}-log-conntrack-fails.patch"
"${FILESDIR}/${P}-no-conntrack-masquerading.patch"
)
src_configure() {
econf \
$(use_enable debug) \
$(use_enable ipv6) \
$(use_enable masquerade masq) \
$(use_enable masquerade nat)
}
src_install() {
default
newinitd "${FILESDIR}"/${PN}-2.0.7-init ${PN}
newconfd "${FILESDIR}"/${PN}-2.0.7-confd ${PN}
systemd_newunit "${FILESDIR}"/${PN}_at.service ${PN}@.service
systemd_dounit "${FILESDIR}"/${PN}.socket
systemd_dounit "${FILESDIR}"/${PN}.service
}
pkg_postinst() {
echo
elog "Example configuration files are in /usr/share/doc/${PF}"
echo
}
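Review bot: The PATCHES array must stay in this order: `log-conntrack-fails.patch` has context lines that reference `NFCONNTRACK`, which `masquerading.patch` introduces, and `no-conntrack-masquerading.patch` starts from the blob `9103dbf` that the log-conntrack patch produces; nothing in the ebuild records that, so a comment such as `# order matters: the Fedora patches apply on top of masquerading.patch` above the array would protect future edits. `DEPEND=""` followed by `RDEPEND="${DEPEND} ..."` is harmless but the indirection carries nothing; either give DEPEND content or drop the reference — style only.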