commit: 3655190898eff1e14dbf435f04aa8d14946eeaf8 |
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org> |
AuthorDate: Fri Nov 27 22:31:31 2015 +0000 |
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org> |
CommitDate: Fri Nov 27 22:31:31 2015 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=36551908 |
|
net-firewall/ipsec-tools: add systemd unit files. |
|
See: https://github.com/gentoo/gentoo/pull/350 |
|
Package-Manager: portage-2.2.20.1 |
|
net-firewall/ipsec-tools/files/ipsec.service | 12 + |
net-firewall/ipsec-tools/files/racoon.service | 11 + |
.../ipsec-tools/ipsec-tools-0.8.2-r1.ebuild | 279 +++++++++++++++++++++ |
3 files changed, 302 insertions(+) |
|
diff --git a/net-firewall/ipsec-tools/files/ipsec.service b/net-firewall/ipsec-tools/files/ipsec.service |
20 |
new file mode 100644 |
21 |
index 0000000..0341aa7 |
22 |
--- /dev/null |
23 |
+++ b/net-firewall/ipsec-tools/files/ipsec.service |
24 |
@@ -0,0 +1,12 @@ |
25 |
+[Unit] |
26 |
+Description=Load IPSec Security Policy Database |
27 |
+After=syslog.target network.target |
28 |
+ |
29 |
+[Service] |
30 |
+Type=oneshot |
31 |
+RemainAfterExit=true |
32 |
+ExecStart=/usr/sbin/setkey -k -f /etc/ipsec-tools.conf |
33 |
+ExecStop=/usr/sbin/setkey -F -P ; /usr/sbin/setkey -F |
34 |
+ |
35 |
+[Install] |
36 |
+WantedBy=multi-user.target |
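Review bot: The `ExecStop` line flushes the entire kernel SPD (`setkey -F -P`) and then the entire SAD (`setkey -F`), not only the entries loaded from /etc/ipsec-tools.conf, so stopping this unit also tears down policies and SAs installed by any other IKE daemon on the host — and the ebuild's own pkg_preinst acknowledges that strongswan/openswan/libreswan may be co-installed. That is probably the intended behaviour on a single-daemon box, but it deserves a comment in the unit so nobody is surprised, e.g. `# ExecStop flushes the whole kernel SPD and SAD, not just what ipsec-tools.conf loaded`. Separately, `syslog.target` is obsolete in current systemd, so `After=syslog.target network.target` can be reduced to `After=network.target` without changing the effective ordering.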
37 |
|
38 |
diff --git a/net-firewall/ipsec-tools/files/racoon.service b/net-firewall/ipsec-tools/files/racoon.service |
39 |
new file mode 100644 |
40 |
index 0000000..dd72827 |
41 |
--- /dev/null |
42 |
+++ b/net-firewall/ipsec-tools/files/racoon.service |
43 |
@@ -0,0 +1,11 @@ |
44 |
+[Unit] |
45 |
+Description=Racoon IKEv1 key management daemon for IPSEC |
46 |
+After=syslog.target network.target |
47 |
+Requires=ipsec.service |
48 |
+ |
49 |
+[Service] |
50 |
+Type=forking |
51 |
+ExecStart=/usr/sbin/racoon -f /etc/racoon/racoon.conf |
52 |
+ |
53 |
+[Install] |
54 |
+WantedBy=multi-user.target |
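Review bot: `Requires=ipsec.service` on its own does not order the two units — systemd's `Requires=` only pulls the dependency in, and without a matching `After=` racoon can be started while setkey is still loading the SPD, so the first IKE exchanges may run against an empty policy database; the fix is `After=network.target ipsec.service` (dropping the obsolete syslog.target while there). `Type=forking` with no `PIDFile=` leaves systemd guessing the main process after the daemon forks; if racoon writes a pid file at its build-time default (presumably under /var/run, verify against the configured paths), adding `PIDFile=` makes stop/restart reliable. Nothing here sets `User=` or any sandboxing directive, so racoon runs as unconfined root under this unit — which matches the init script, but a one-line comment stating that, and that any later hardening must keep CAP_NET_ADMIN plus write access to /var/lib/racoon, would save the next maintainer a debugging round.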
55 |
|
56 |
diff --git a/net-firewall/ipsec-tools/ipsec-tools-0.8.2-r1.ebuild b/net-firewall/ipsec-tools/ipsec-tools-0.8.2-r1.ebuild |
57 |
new file mode 100644 |
58 |
index 0000000..1f45d9e |
59 |
--- /dev/null |
60 |
+++ b/net-firewall/ipsec-tools/ipsec-tools-0.8.2-r1.ebuild |
61 |
@@ -0,0 +1,279 @@ |
62 |
+# Copyright 1999-2015 Gentoo Foundation |
63 |
+# Distributed under the terms of the GNU General Public License v2 |
64 |
+# $Id$ |
65 |
+ |
66 |
+EAPI="5" |
67 |
+ |
68 |
+inherit eutils flag-o-matic autotools linux-info pam systemd |
69 |
+ |
70 |
+DESCRIPTION="A port of KAME's IPsec utilities to the Linux-2.6 IPsec implementation" |
71 |
+HOMEPAGE="http://ipsec-tools.sourceforge.net/" |
72 |
+SRC_URI="mirror://sourceforge/${PN}/${P}.tar.bz2" |
73 |
+ |
74 |
+LICENSE="BSD GPL-2" |
75 |
+SLOT="0" |
76 |
+KEYWORDS="~amd64 ~arm ~ia64 ~mips ~ppc ~ppc64 ~x86" |
77 |
+IUSE="hybrid idea ipv6 kerberos ldap nat pam rc5 readline selinux stats" |
78 |
+ |
79 |
+CDEPEND=" |
80 |
+ dev-libs/openssl:0= |
81 |
+ kerberos? ( virtual/krb5 ) |
82 |
+ ldap? ( net-nds/openldap ) |
83 |
+ pam? ( sys-libs/pam ) |
84 |
+ readline? ( sys-libs/readline:0= ) |
85 |
+ selinux? ( sys-libs/libselinux )" |
86 |
+ |
87 |
+DEPEND="${CDEPEND} |
88 |
+ >=sys-kernel/linux-headers-2.6.30" |
89 |
+ |
90 |
+RDEPEND="${CDEPEND} |
91 |
+ selinux? ( sec-policy/selinux-ipsec ) |
92 |
+" |
93 |
+ |
94 |
+pkg_preinst() { |
95 |
+ if has_version "<${CATEGORY}/${PN}-0.8.0-r5" ; then |
96 |
+ ewarn |
97 |
+ ewarn "\033[1;33m**************************************************\033[00m" |
98 |
+ ewarn |
99 |
+ if ! has_version "net-misc/strongswan" && |
100 |
+ ! has_version "net-misc/openswan" && |
101 |
+ ! has_version "net-misc/libreswan"; then |
102 |
+ ewarn "We found an earlier version of ${PN} installed." |
103 |
+ ewarn "As of ${PN}-0.8.0-r5, the old configuration file," |
104 |
+ ewarn "ipsec.conf, has been changed to ipsec-tools.conf to avoid" |
105 |
+ ewarn "a conflict with net-misc/strongswan; bug #436144. We will" |
106 |
+ ewarn "rename this file for you with this upgrade. However, if" |
107 |
+ ewarn "you later downgrade, you'll have to rename the file to" |
108 |
+ ewarn "its orignal manually or change /etc/conf.d/racoon to point" |
109 |
+ ewarn "to the new file." |
110 |
+ |
111 |
+ if [[ -f /etc/ipsec.conf && ! -f /etc/ipsec-tools.conf ]] ; then |
112 |
+ mv /etc/ipsec.conf /etc/ipsec-tools.conf |
113 |
+ else |
114 |
+ ewarn |
115 |
+ ewarn "Oops! I can't move ipsec.conf to ipsec-tools.conf!" |
116 |
+ ewarn "Either the former doesn't exist or the later does and" |
117 |
+ ewarn "I won't clobber it. Please fix this situation manually." |
118 |
+ fi |
119 |
+ else |
120 |
+ ewarn "You had both an earlier version of ${PN} and" |
121 |
+ ewarn "net-misc/strongswan installed. I can't tell whether" |
122 |
+ ewarn "the configuration file, ipsec.conf, belongs to one" |
123 |
+ ewarn "package or the other due to a file conflict; bug #436144." |
124 |
+ ewarn "The current version of ${PN} uses ipsec-tools.conf" |
125 |
+ ewarn "as its configuration file, as will future versions." |
126 |
+ ewarn "Please fix this situation manually." |
127 |
+ fi |
128 |
+ ewarn |
129 |
+ ewarn "\033[1;33m**************************************************\033[00m" |
130 |
+ ewarn |
131 |
+ fi |
132 |
+} |
133 |
+ |
134 |
+pkg_setup() { |
135 |
+ linux-info_pkg_setup |
136 |
+ |
137 |
+ get_version |
138 |
+ |
139 |
+ if linux_config_exists && kernel_is -ge 2 6 19; then |
140 |
+ ewarn |
141 |
+ ewarn "\033[1;33m**************************************************\033[00m" |
142 |
+ ewarn |
143 |
+ ewarn "Checking kernel configuration in /usr/src/linux or" |
144 |
+ ewarn "or /proc/config.gz for compatibility with ${PN}." |
145 |
+ ewarn "Here are the potential problems:" |
146 |
+ ewarn |
147 |
+ |
148 |
+ local nothing="1" |
149 |
+ |
150 |
+ # Check options for all flavors of IPSec |
151 |
+ local msg="" |
152 |
+ for i in XFRM_USER NET_KEY; do |
153 |
+ if ! linux_chkconfig_present ${i}; then |
154 |
+ msg="${msg} ${i}" |
155 |
+ fi |
156 |
+ done |
157 |
+ if [[ ! -z "$msg" ]]; then |
158 |
+ nothing="0" |
159 |
+ ewarn |
160 |
+ ewarn "ALL IPSec may fail. CHECK:" |
161 |
+ ewarn "${msg}" |
162 |
+ fi |
163 |
+ |
164 |
+ # Check unencrypted IPSec |
165 |
+ if ! linux_chkconfig_present CRYPTO_NULL; then |
166 |
+ nothing="0" |
167 |
+ ewarn |
168 |
+ ewarn "Unencrypted IPSec may fail. CHECK:" |
169 |
+ ewarn " CRYPTO_NULL" |
170 |
+ fi |
171 |
+ |
172 |
+ # Check IPv4 IPSec |
173 |
+ msg="" |
174 |
+ for i in \ |
175 |
+ INET_IPCOMP INET_AH INET_ESP \ |
176 |
+ INET_XFRM_MODE_TRANSPORT \ |
177 |
+ INET_XFRM_MODE_TUNNEL \ |
178 |
+ INET_XFRM_MODE_BEET |
179 |
+ do |
180 |
+ if ! linux_chkconfig_present ${i}; then |
181 |
+ msg="${msg} ${i}" |
182 |
+ fi |
183 |
+ done |
184 |
+ if [[ ! -z "$msg" ]]; then |
185 |
+ nothing="0" |
186 |
+ ewarn |
187 |
+ ewarn "IPv4 IPSec may fail. CHECK:" |
188 |
+ ewarn "${msg}" |
189 |
+ fi |
190 |
+ |
191 |
+ # Check IPv6 IPSec |
192 |
+ if use ipv6; then |
193 |
+ msg="" |
194 |
+ for i in INET6_IPCOMP INET6_AH INET6_ESP \ |
195 |
+ INET6_XFRM_MODE_TRANSPORT \ |
196 |
+ INET6_XFRM_MODE_TUNNEL \ |
197 |
+ INET6_XFRM_MODE_BEET |
198 |
+ do |
199 |
+ if ! linux_chkconfig_present ${i}; then |
200 |
+ msg="${msg} ${i}" |
201 |
+ fi |
202 |
+ done |
203 |
+ if [[ ! -z "$msg" ]]; then |
204 |
+ nothing="0" |
205 |
+ ewarn |
206 |
+ ewarn "IPv6 IPSec may fail. CHECK:" |
207 |
+ ewarn "${msg}" |
208 |
+ fi |
209 |
+ fi |
210 |
+ |
211 |
+ # Check IPSec behind NAT |
212 |
+ if use nat; then |
213 |
+ if ! linux_chkconfig_present NETFILTER_XT_MATCH_POLICY; then |
214 |
+ nothing="0" |
215 |
+ ewarn |
216 |
+ ewarn "IPSec behind NAT may fail. CHECK:" |
217 |
+ ewarn " NETFILTER_XT_MATCH_POLICY" |
218 |
+ fi |
219 |
+ fi |
220 |
+ |
221 |
+ if [[ $nothing == "1" ]]; then |
222 |
+ ewarn "NO PROBLEMS FOUND" |
223 |
+ fi |
224 |
+ |
225 |
+ ewarn |
226 |
+ ewarn "WARNING: If your *configured* and *running* kernel" |
227 |
+ ewarn "differ either now or in the future, then these checks" |
228 |
+ ewarn "may lead to misleading results." |
229 |
+ ewarn |
230 |
+ ewarn "\033[1;33m**************************************************\033[00m" |
231 |
+ ewarn |
232 |
+ else |
233 |
+ eerror |
234 |
+ eerror "\033[1;31m**************************************************\033[00m" |
235 |
+ eerror "Make sure that your *running* kernel is/will be >=2.6.19." |
236 |
+ eerror "Building ${PN} now, assuming that you know what you're doing." |
237 |
+ eerror "\033[1;31m**************************************************\033[00m" |
238 |
+ eerror |
239 |
+ fi |
240 |
+} |
241 |
+ |
242 |
+src_prepare() { |
243 |
+ # fix for bug #124813 |
244 |
+ sed -i 's:-Werror::g' "${S}"/configure.ac || die |
245 |
+ # fix for building with gcc-4.6 |
246 |
+ sed -i 's: -R: -Wl,-R:' "${S}"/configure.ac || die |
247 |
+ |
248 |
+ epatch "${FILESDIR}/${PN}-def-psk.patch" |
249 |
+ epatch "${FILESDIR}/${PN}-include-vendoridh.patch" |
250 |
+ epatch "${FILESDIR}"/${PN}-0.8.0-sysctl.patch #425770 |
251 |
+ |
252 |
+ AT_M4DIR="${S}" eautoreconf |
253 |
+} |
254 |
+ |
255 |
+src_configure() { |
256 |
+ #--with-{libiconv,libradius} lead to "Broken getaddrinfo()" |
257 |
+ #--enable-samode-unspec is not supported in linux |
258 |
+ local myconf |
259 |
+ myconf="--with-kernel-headers=/usr/include \ |
260 |
+ --enable-adminport \ |
261 |
+ --enable-dependency-tracking \ |
262 |
+ --enable-dpd \ |
263 |
+ --enable-frag \ |
264 |
+ --without-libiconv \ |
265 |
+ --without-libradius \ |
266 |
+ --disable-samode-unspec \ |
267 |
+ $(use_enable idea) \ |
268 |
+ $(use_enable ipv6) \ |
269 |
+ $(use_enable kerberos gssapi) \ |
270 |
+ $(use_with ldap libldap) \ |
271 |
+ $(use_enable nat natt) \ |
272 |
+ $(use_with pam libpam) \ |
273 |
+ $(use_enable rc5) \ |
274 |
+ $(use_with readline) \ |
275 |
+ $(use_enable selinux security-context) \ |
276 |
+ $(use_enable stats)" |
277 |
+ |
278 |
+ use nat && myconf="${myconf} --enable-natt-versions=yes" |
279 |
+ |
280 |
+ # enable mode-cfg and xauth support |
281 |
+ if use pam; then |
282 |
+ myconf="${myconf} --enable-hybrid" |
283 |
+ else |
284 |
+ myconf="${myconf} $(use_enable hybrid)" |
285 |
+ fi |
286 |
+ |
287 |
+ econf ${myconf} |
288 |
+} |
289 |
+ |
290 |
+src_install() { |
291 |
+ emake DESTDIR="${D}" install |
292 |
+ keepdir /var/lib/racoon |
293 |
+ newconfd "${FILESDIR}"/racoon.conf.d-r2 racoon |
294 |
+ newinitd "${FILESDIR}"/racoon.init.d-r3 racoon |
295 |
+ systemd_dounit "${FILESDIR}/ipsec.service" |
296 |
+ systemd_dounit "${FILESDIR}/racoon.service" |
297 |
+ use pam && newpamd "${FILESDIR}"/racoon.pam.d racoon |
298 |
+ |
299 |
+ insinto /etc |
300 |
+ doins "${FILESDIR}"/ipsec-tools.conf |
301 |
+ insinto /etc/racoon |
302 |
+ doins "${FILESDIR}"/racoon.conf |
303 |
+ doins "${FILESDIR}"/psk.txt |
304 |
+ chmod 400 "${D}"/etc/racoon/psk.txt |
305 |
+ |
306 |
+ dodoc ChangeLog README NEWS |
307 |
+ dodoc -r src/racoon/samples |
308 |
+ dodoc -r src/racoon/doc |
309 |
+ docinto samples |
310 |
+ newdoc src/setkey/sample.cf ipsec-tools.conf |
311 |
+} |
312 |
+ |
313 |
+pkg_postinst() { |
314 |
+ if use nat; then |
315 |
+ elog |
316 |
+ elog "You have enabled the nat traversal functionnality." |
317 |
+ elog "Nat versions wich are enabled by default are 00,02,rfc" |
318 |
+ elog "you can find those drafts in the CVS repository:" |
319 |
+ elog "cvs -d anoncvs@××××××××××××××.org:/cvsroot co ipsec-tools" |
320 |
+ elog |
321 |
+ elog "If you feel brave enough and you know what you are" |
322 |
+ elog "doing, you can consider emerging this ebuild with" |
323 |
+ elog "EXTRA_ECONF=\"--enable-natt-versions=08,07,06\"" |
324 |
+ elog |
325 |
+ fi |
326 |
+ |
327 |
+ if use ldap; then |
328 |
+ elog |
329 |
+ elog "You have enabled ldap support with {$PN}." |
330 |
+ elog "The man page does NOT contain any information on it yet." |
331 |
+ elog "Consider using a more recent version or CVS." |
332 |
+ elog |
333 |
+ fi |
334 |
+ |
335 |
+ elog |
336 |
+ elog "Please have a look in /usr/share/doc/${P} and visit" |
337 |
+ elog "http://www.netbsd.org/Documentation/network/ipsec/" |
338 |
+ elog "to find more information on how to configure this tool." |
339 |
+ elog |
340 |
+} |
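Review bot: `chmod 400 "${D}"/etc/racoon/psk.txt` in src_install is a bare chmod with no `|| die`, so if it fails the pre-shared key file is merged world-readable (doins installs it 0644 by default) and the build still succeeds; the portage helper `fperms 0400 /etc/racoon/psk.txt` dies on failure and matches the other install helpers (keepdir, newconfd, doins, newpamd) this ebuild already relies on. The `mv /etc/ipsec.conf /etc/ipsec-tools.conf` and the `[[ -f /etc/ipsec.conf ... ]]` test in pkg_preinst operate on the live root rather than `${EROOT}`, so a ROOT!=/ merge inspects and renames files on the build host; this looks inherited from the earlier revision, but it is the new ebuild under review and `${EROOT}` is available in EAPI 5. Minor style: the three `[[ ! -z "$msg" ]]` tests read more naturally as `[[ -n ${msg} ]]`.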