Specifying required_dirs and creating it at prestart stage does not work
because required_dirs is checked before running prestart these days.
So it fails to start for mfs-based /var even if racoon_create_dirs=YES
Unbreak this by replacing "required_dirs" and "mkdir -p"
in the racoon_prestart with "install -d" that returns error in case
of failure and does nothing if the directory already exists.
Reported by: Cybil Courraud <freebsd@cyb.fr>
Wilcard patch exposures existing bug where agressive tunnels using ip addresses
for identification were not matching the entry in the PSK file,
due to the identifier not being cast to a 'xxx.xxx.xxx.xxx' notation.
PR: 203308
Submitted by: andywhite@gmail.com (based on)
This change fixes rare case for "site to site" IPSec tunnel mode
when remote peer is behind NAT and has its own LAN behind.
Now this works too (previously NATT worked only for single host behind NAT).
The racoon daemon in IPsec-Tools 0.8.2 contains a remotely exploitable
computational-complexity attack when parsing and storing ISAKMP fragments.
The implementation permits a remote attacker to exhaust computational
resources on the remote endpoint by repeatedly sending ISAKMP fragment
packets in a particular order such that the worst-case computational
complexity is realized in the algorithm utilized to determine
if reassembly of the fragments can take place.
The fix obtained from NetBSD CVS head with a command:
cvs diff -D 2017-01-24 -D 2017-09-01 \
src/racoon/handler.h \
src/racoon/isakmp.c \
src/racoon/isakmp_frag.c \
src/racoon/isakmp_inf.c
While here, add LICENSE.
PR: 225066
Approved by: VANHULLEBUS Yvan (maintainer timeout, 3 months)
Obtained from: NetBSD
MFH: 2018Q1
Security: CVE-2016-10396
The natt.diff patch contains the following changes:
* added support for SADB_X_EXT_NAT_T_OAI and SADB_X_EXT_NAT_T_OAR PF_KEY messages;
* used NAT address instead of original for SAs created by racoon;
* NAT-T keep-alives now sends only by NATed host.
Tested with 11.0-STABLE after projects/ipsec merge.
PR: 217131
Submitted by: Andrey V. Elsukov
Approved by: VANHULLEBUS Yvan (maintainer timeout, 2 months), vsevolod (mentor)
From ChangeLog:
- Fix admin port establish-sa for tunnel mode SAs (Alexander Sbitnev)
- Fix source port selection regression from version 0.8.1
- Various logging improvements
- Additional compliance and build fixes
From submitter:
- extra patch to adding wildcard psk option
PR: 196930
Submitted by: Harald Schmalzbauer <bugzilla.freebsd@omnilan.de>,
Ed Schouten <ed@80368.nl>
Approved by: vanhu (maintainer)
exists, libtool will add all libraries libB.la refers to (dependency_libs
field) to the linker command line and store them in the dependency_libs
field of libA.la. So everything that subsequently links with libA will also
link to these extra libraries. This causes too much overlinking.
This commit modifies Mk/Uses/libtool.mk so it empties the dependency_libs
field in .la libraries during staging. However, because .la libraries have
very limited use when dependency_libs is empty it makes sense to completely
remove them during staging.
So with this commit USES=libtool is modified to remove .la libraries and a
new form (USES=libtool:keepla) is introduced in case they need to be kept
(dependency_libs is still emptied).
PORTREVISION is bumped on all ports with USES=libtool that install .la
libraries. Most ports are also changed to add :keepla because .la
libraries have to be kept around as long as there are dependent ports with
.la libraries that refer to them in their dependency_libs field. In most
cases :keepla can be removed again as soon as all dependent ports that
install .la libraries have some form of USES=libtool added to their
Makefile.
PR: ports/188759
Exp-run: bdrewery
Approved by: portmgr (bdrewery)
literal name_enable wherever possible, and ${name}_enable
when it's not, to prepare for the demise of set_rcvar().
In cases where I had to hand-edit unusual instances also
modify formatting slightly to be more uniform (and in
some cases, correct). This includes adding some $FreeBSD$
tags, and most importantly moving rcvar= to right after
name= so it's clear that one is derived from the other.
-Update libtool and libltdl to 2.2.6a.
-Remove devel/libtool15 and devel/libltdl15.
-Fix ports build with libtool22/libltdl22.
-Bump ports that depend on libltdl22 due to shared library version change.
-Explain what to do update in the UPDATING.
It has been tested with GNOME2, XFCE4, KDE3, KDE4 and other many wm/desktop
and applications in the runtime.
With help: marcus and kwm
Pointyhat-exp: a few times by pav
Tested by: pgollucci, "Romain Tartière" <romain@blogreen.org>, and
a few MarcusCom CVS users. Also, I might have missed a few.
Repocopy by: marcus
Approved by: portmgr
propogated by copy and paste.
1. Primarily the "empty variable" default assignment, which is mostly
${name}_flags="", but fix a few others as well.
2. Where they are not already documented, add the existence of the _flags
(or other deleted empties) option to the comments, and in some cases add
comments from scratch.
3. Replace things that look like:
prefix=%%PREFIX%%
command=${prefix}/sbin/foo
to just use %%PREFIX%%. In many cases the $prefix variable is only used
once, and in some cases it is not used at all.
4. In a few cases remove ${name}_flags from command_args
5. Remove a long-stale comment about putting the port's rc.d script in
/etc/rc.d (which is no longer necessary).
No PORTREVISION bumps because all of these changes are noops.
Specifically, newer autoconf (> 2.13) has different semantic of the
configure target. In short, one should use --build=CONFIGURE_TARGET
instead of CONFIGURE_TARGET directly. Otherwise, you will get a warning
and the old semantic may be removed in later autoconf releases.
To workaround this issue, many ports hack the CONFIGURE_TARGET variable
so that it contains the ``--build='' prefix.
To solve this issue, under the fact that some ports still have
configure script generated by the old autoconf, we use runtime detection
in the do-configure target so that the proper argument can be used.
Changes to Mk/*:
- Add runtime detection magic in bsd.port.mk
- Remove CONFIGURE_TARGET hack in various bsd.*.mk
- USE_GNOME=gnometarget is now an no-op
Changes to individual ports, other than removing the CONFIGURE_TARGET hack:
= pkg-plist changed (due to the ugly CONFIGURE_TARGET prefix in * executables)
- comms/gnuradio
- science/abinit
- science/elmer-fem
- science/elmer-matc
- science/elmer-meshgen2d
- science/elmerfront
- science/elmerpost
= use x86_64 as ARCH
- devel/g-wrap
= other changes
- print/magicfilter
GNU_CONFIGURE -> HAS_CONFIGURE since it's not generated by autoconf
Total # of ports modified: 1,027
Total # of ports affected: ~7,000 (set GNU_CONFIGURE to yes)
PR: 126524 (obsoletes 52917)
Submitted by: rafan
Tested on: two pointyhat 7-amd64 exp runs (by pav)
Approved by: portmgr (pav)
