Diffstat (limited to 'net-firewall/fwknop')
-rw-r--r-- | net-firewall/fwknop/Manifest | 9 | ||||
-rw-r--r-- | net-firewall/fwknop/files/fwknopd.confd | 21 | ||||
-rw-r--r-- | net-firewall/fwknop/files/fwknopd.init | 91 | ||||
-rw-r--r-- | net-firewall/fwknop/files/fwknopd.service | 12 | ||||
-rw-r--r-- | net-firewall/fwknop/files/fwknopd.tmpfiles.conf | 1 | ||||
-rw-r--r-- | net-firewall/fwknop/fwknop-2.6.9-r1.ebuild | 138 | ||||
-rw-r--r-- | net-firewall/fwknop/metadata.xml | 26 |
7 files changed, 298 insertions, 0 deletions
diff --git a/net-firewall/fwknop/Manifest b/net-firewall/fwknop/Manifest
new file mode 100644
index 000000000000..cce67c03a143
--- /dev/null
+++ b/net-firewall/fwknop/Manifest
@@ -0,0 +1,9 @@ +AUX fwknopd.confd 475 SHA256 818366d8012cf50771ab427bcf645de697e7d05e4bb80d5eb2f98291e071d510 SHA512 a23e42ca59f2d86b0ff1456773419d9b075bdae83fcd307d506dd9e282b58d24c6f6c50ea3418d5cce07a447f32f0089f747516e8f108b7e3c03944ea59a6412 WHIRLPOOL 79a7efe36d88bd4d313a342aa75bcb2a02acbb954c46947c5b9470277cabdd5c1cc66ccae5eb0b4e6a8002b5b0fde7ee4c069d160e2e19f2de8d48b3875a9382 +AUX fwknopd.init 2706 SHA256 ace9569324d049a226d09c91373644c0181e7f714eebd5bacd13c04e2d5fa093 SHA512 6e58cb40bd2c69b624fa5bb320f79e6befd91bc39e4aa66ec0b2a2a014b9342377ea919b364cf52cfda76b924d5d497a79b0d66f2e0c7339894b75bfa9e165fa WHIRLPOOL 7ffa1eb97bc2bace6e4d40d180bd3087db236947dfbc551b133c4f1cff3ec5fbe891ba9b8a7aebca824637cfcd5f5c7aba043ae3be8eace02368411f829f6d81 +AUX fwknopd.service 235 SHA256 c88fbe0588731a5dea7d358680d5625876d36b6732ac51d8812390affc8d79b9 SHA512 890bbba586183275cbd3b420a9c0d609ff3eca0fd239b4af97e2730e2790f317fc114f51d60107ba4fbddd2cabb60c70d8b615e2a75bb80cf27d352c894a1c6d WHIRLPOOL 1389d12053c0a0904e661065095ee6d3102ae2fe2934814aabce7e282b7fc512e80c01a53cc9d74c78c861f95b738c47148dc1446e3f3271187c04da42ee3a3a +AUX fwknopd.tmpfiles.conf 31 SHA256 ba9eed2ec8f4230ab2070865a829e0da290761e93a0979212481c974314e77b7 SHA512 73b56a42c7728c9dabd82cd81bd6ffa1b948fe80fa67feee348ad65f957f1f2ea53c6b5d74fa2784ea75c45c2c27b5d989da4a618f3a4cf67914c927e04b74ae WHIRLPOOL 06466f7d6a70edc7a7a02b0c492e37143aab3735b7d294ea88a1371e4bf9ed70b47e871cdd293e9e879e7e40783bfaba90f6aa81580ac1a785f3e275ba21399a +DIST fwknop-2.6.9.tar.gz 3043542 SHA256 0a8de8d3e2073ad08f5834d39def6c33fd035809cfddbea252174e7dc06a5a51 SHA512 4706560d44c911c8604059d88dded9c1b8c333399d90ec7dc366c0fba96c79680bdbf1b8b5e76cc34aaf3a1e58fff80db8f5f20c96d57481bdb476a9b99f4d1b WHIRLPOOL e9ac76f39f8991af4a56f85f50f2ea982a7d043cfb17c824cbaf3ebd18e34630b86abdf198e9e91239c4acf67db56539a9dee00ee379ec39314adb5bc233344c +EBUILD fwknop-2.6.9-r1.ebuild 3691 SHA256 e40b1f14afcb70bf39d8cd91b29a1bf87175dbf251002f17267c33092264d941 
SHA512 ee6a6065e916cf745dfa9e8903166ab0de571138720134568349767f9f63ea0b00d5991a2b29206279f17d0e2968fb573195d3191c89bd0d1b2ca34c21a18473 WHIRLPOOL c44e1adcde5cb0a221a1a0c8ecb43472f060aaafa6328f962a708a04d306fe5e5f3f29e7f2e6e637392ebc7179f12e887fad92256661839b8afd5026af71514c +MISC ChangeLog 8140 SHA256 35c7b993e77213cd8fd5ab04ce14e1ad1559e94eb2548c935410e5f7109194ca SHA512 13f15847d75607dd3592693264b86be4895e9776ef4a1d6447feb2ab76733740b1126d36a355c8d6e388e7fa671a67c1bd2b168b074933a6f9ed430f7d86612f WHIRLPOOL f10627e102edab784c3ca2a830e028e7a7e71b4e2b4c3c09b58344ffd24362e1e398bc6d9d90d474f011cf81f41a6536c6ef2dd68222fe18bbb43a67fa1d8d0f +MISC ChangeLog-2015 1964 SHA256 9ae9b87ddd19f9aa29b820260929906c94dca2b6b05dab5a88b4f33c29e1fe89 SHA512 f8e8d28aa3c3bf6e8cb9dd9706188e0b54e254ccc66144bfd3e43268410bf2fe1540a5a0ba9a0afd7804e7c43adc7077002d805bbac269a3d6f1132168d3313b WHIRLPOOL a41b48ea32db7becb4bd5af50baea40a69d51fe3594bab79197653e01c0465868b1342c8456d6179cd09ba7de6ff62592983c256724f05c923530afbc447d9fc +MISC metadata.xml 1217 SHA256 79101e3c34af737f9399fa485ceb72efa82bf9bc6dca1e2ba51097c7eb9d92de SHA512 5f6c53eedff6224d8c282d4c8d1ecde4efaa975ecb7ed330ab2ccd01a9584f9ed71f5cca74fc4ad6d6aa241b2c95b8cb091546538ae64577ba61bbbd3b652954 WHIRLPOOL c85f4250fb47f7958f400fef75c601fd0c4058086ce88cff7adad20d638b7d3f95ab6bbbb1bc5704662c413e0fb32b0c49bd1520bd1acc5a6aa57a0b26ee5db0 diff --git a/net-firewall/fwknop/files/fwknopd.confd b/net-firewall/fwknop/files/fwknopd.confd new file mode 100644 index 000000000000..63bcd01dd82f --- /dev/null +++ b/net-firewall/fwknop/files/fwknopd.confd 
@@ -0,0 +1,21 @@
+# /etc/conf.d/fwknopd: config file for /etc/init.d/fwknopd
+
+# Path to the fwknopd config directory (needs to be an absolute path).
+
+FWKNOPD_CONFDIR="/etc/fwknop"
+
+
+# Additional options to pass to fwknopd.
+# Refer to the fwknopd(8) manpage for more information.
+
+#FWKNOPD_OPTS=""
+
+
+# Pid file to use (needs to be an absolute path).
+
+#FWKNOPD_PIDFILE="/run/fwknop/fwknopd.pid"
+
+
+# Path to the fwknopd binary (needs to be an absolute path).
+
+#FWKNOPD_BINARY="/usr/sbin/fwknopd"
diff --git a/net-firewall/fwknop/files/fwknopd.init b/net-firewall/fwknop/files/fwknopd.init
new file mode 100644
index 000000000000..dda1bf03156e
--- /dev/null
+++ b/net-firewall/fwknop/files/fwknopd.init
@@ -0,0 +1,91 @@
+#!/sbin/openrc-run
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+extra_commands="checkconfig"
+extra_started_commands="reload"
+
+: ${FWKNOPD_BINARY:=/usr/sbin/fwknopd}
+: ${FWKNOPD_CONFDIR:=/etc/fwknop}
+: ${FWKNOPD_CONFIG:=${FWKNOPD_CONFDIR}/fwknopd.conf}
+: ${FWKNOPD_PIDFILE:=/run/fwknop/${SVCNAME}.pid}
+
+depend() {
+ after iptables ip6tables ebtables firewall
+ use logger
+ if [ "${rc_need+set}" = "set" ]; then
+ : # Do nothing, the user has explicitly set rc_need
+ elif [ -f "${FWKNOPD_CONFIG}" ]; then
+ local x warn_intf
+ for x in $(awk '/^[[:blank:]]*PCAP_INTF/{ sub(";$", ""); print $2 }' "${FWKNOPD_CONFIG}" 2>/dev/null); do
+ warn_intf="${warn_intf} ${x}"
+ done
+ if [ -n "${warn_intf}" ]; then
+ need net
+ ewarn "You are binding an interface in PCAP_INTF statement in your fwknopd.conf!"
+ ewarn "You must add rc_need=\"net.FOO\" to your /etc/conf.d/${SVCNAME},"
+ ewarn "where FOO is the following interface(s):"
+ ewarn "${warn_intf}"
+ else
+ # If PCAP_INTF and PCAP_FILE are not set, then fwknopd uses eth0
+ if ! grep -q '^[[:blank:]]*PCAP_FILE' "${FWKNOPD_CONFIG}"; then
+ need net
+ ewarn "You are not binding any interface in PCAP_INTF statement in your fwknopd.conf,"
+ ewarn "neither you are providing PCAP_FILE option. Thus fwknopd will listen on eth0."
+ ewarn "You must add rc_need=\"net.eth0\" to your /etc/conf.d/${SVCNAME}."
+ fi
+ fi
+ fi
+}
+
+checkconfig() {
+ if [ ! -e "${FWKNOPD_CONFDIR}"/fwknopd.conf ]; then
+ eerror "You need ${FWKNOPD_CONFDIR}/fwknopd.conf file to run fwknopd"
+ eerror "Example is located at /etc/fwknop/fwknopd.conf.example"
+ return 1
+ fi
+
+ if [ ! -e "${FWKNOPD_CONFDIR}"/access.conf ]; then
+ eerror "You need ${FWKNOPD_CONFDIR}/access.conf file to run fwknopd"
+ eerror "Example is located at /etc/fwknop/access.conf.example"
+ return 1
+ fi
+
+ [ "${FWKNOPD_PIDFILE}" != "/run/fwknop/${SVCNAME}.pid" ] \
+ && FWKNOPD_OPTS="${FWKNOPD_OPTS} --pid-file=${FWKNOPD_PIDFILE}"
+
+ [ "${FWKNOPD_CONFDIR}" != "/etc/fwknop" ] \
+ && FWKNOPD_OPTS="${FWKNOPD_OPTS} \
+ --config=${FWKNOPD_CONFDIR}/fwknopd.conf \
+ --access-file=${FWKNOPD_CONFDIR}/access.conf"
+
+ return 0
+}
+
+start() {
+ checkconfig || return 1
+
+ ebegin "Starting ${SVCNAME}"
+ start-stop-daemon --start \
+ --exec ${FWKNOPD_BINARY} --pidfile ${FWKNOPD_PIDFILE} \
+ -- ${FWKNOPD_OPTS}
+ eend $?
+}
+
+stop() {
+ if [ "${RC_CMD}" = "restart" ]; then
+ checkconfig || return 1
+ fi
+
+ ebegin "Stopping ${SVCNAME}"
+ start-stop-daemon --stop --pidfile ${FWKNOPD_PIDFILE}
+ eend $?
+}
+
+reload() {
+ checkconfig || return 1
+
+ ebegin "Reloading ${SVCNAME} configuration"
+ start-stop-daemon --signal HUP --pidfile ${FWKNOPD_PIDFILE}
+ eend $?
+}
diff --git a/net-firewall/fwknop/files/fwknopd.service b/net-firewall/fwknop/files/fwknopd.service
new file mode 100644
index 000000000000..d2e8c3125200
--- /dev/null
+++ b/net-firewall/fwknop/files/fwknopd.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Firewall Knock Operator Daemon
+After=network-online.target
+
+[Service]
+Type=forking
+PIDFile=/run/fwknop/fwknopd.pid
+ExecStart=/usr/sbin/fwknopd
+ExecReload=/bin/kill -HUP $MAINPID
+
+[Install]
+WantedBy=multi-user.target
diff --git a/net-firewall/fwknop/files/fwknopd.tmpfiles.conf b/net-firewall/fwknop/files/fwknopd.tmpfiles.conf
new file mode 100644
index 000000000000..b7cb3856b056
--- /dev/null
+++ b/net-firewall/fwknop/files/fwknopd.tmpfiles.conf
@@ -0,0 +1 @@
+d /run/fwknop 0700 root root -
diff --git a/net-firewall/fwknop/fwknop-2.6.9-r1.ebuild b/net-firewall/fwknop/fwknop-2.6.9-r1.ebuild
new file mode 100644
index 000000000000..5c86df5bfb0c
--- /dev/null
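Review bot: start() never ensures the pid-file directory exists: the default FWKNOPD_PIDFILE is `/run/fwknop/${SVCNAME}.pid`, /run is volatile, and the only thing in this commit that creates /run/fwknop is the tmpfiles.d snippet, which the ebuild installs through systemd_newtmpfilesd and which an OpenRC boot only processes if a tmpfiles implementation such as opentmpfiles is present, so fwknopd may fail to write its pid file unless the daemon creates the directory itself (not visible here). Add `checkpath --directory --mode 0700 --owner root:root "$(dirname "${FWKNOPD_PIDFILE}")"` before the start-stop-daemon call in start(). As a point of style, the `${FWKNOPD_BINARY}` and `${FWKNOPD_PIDFILE}` expansions on the start-stop-daemon lines in start(), stop() and reload() are unquoted; the values come from the admin-controlled conf.d file, so this is not a defect, but quoting them keeps a path containing whitespace from being split into extra arguments.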
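Review bot: `After=network-online.target` in [Unit] only orders the unit; without a matching `Wants=network-online.target` the target is not pulled in, so on a boot where nothing else activates it the ordering has no effect and fwknopd may start before the network is up. Add `Wants=network-online.target` next to the After= line. Note that src_install in the ebuild ships extras/systemd/fwknopd.service from the tarball rather than this file, so the fix has to land in whichever copy is actually installed.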
+++ b/net-firewall/fwknop/fwknop-2.6.9-r1.ebuild 
@@ -0,0 +1,138 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+# Python extension supports only Python 2.
+# See https://github.com/mrash/fwknop/issues/167
+PYTHON_COMPAT=( python2_7 )
+DISTUTILS_OPTIONAL=1
+
+inherit autotools distutils-r1 eutils linux-info readme.gentoo-r1 systemd
+
+DESCRIPTION="Single Packet Authorization and Port Knocking application"
+HOMEPAGE="https://www.cipherdyne.org/fwknop/ https://github.com/mrash/fwknop"
+SRC_URI="https://github.com/mrash/${PN}/archive/${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="GPL-2+"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+IUSE="+client extras firewalld gdbm gpg +iptables nfqueue python +server udp-server"
+
+DEPEND="
+ client? ( net-misc/wget[ssl] )
+ firewalld? ( net-firewall/firewalld[${PYTHON_USEDEP}] )
+ gdbm? ( sys-libs/gdbm )
+ gpg? (
+ app-crypt/gpgme
+ dev-libs/libassuan
+ dev-libs/libgpg-error
+ )
+ iptables? ( net-firewall/iptables )
+ nfqueue? ( net-libs/libnetfilter_queue )
+ python? ( ${PYTHON_DEPS} )
+ server? ( !nfqueue? ( !udp-server? ( net-libs/libpcap ) ) )
+"
+RDEPEND="${DEPEND}"
+
+REQUIRED_USE="
+ nfqueue? ( server )
+ python? ( ${PYTHON_REQUIRED_USE} )
+ server? ( ^^ ( firewalld iptables ) )
+ udp-server? ( server )
+"
+
+DOCS=( AUTHORS ChangeLog README.md )
+
+DISABLE_AUTOFORMATTING=1
+DOC_CONTENTS="
+Example configuration files were installed to '${EPREFIX}/etc/fwknopd/'.
+Please edit them to suit your needs and then remove the .example suffix.
+
+fwknopd supports several backends: firewalld, iptables, ipfw, pf, ipf.
+You can set the desired backend via FIREWALL_EXE option in fwknopd.conf
+instead of the default one chosen at compile time.
+"
+
+src_prepare() {
+ default_src_prepare
+
+ # Install example configs with .example suffix.
+ if use server; then
+ sed -i -e 's|conf;|conf.example;|g' Makefile.am || die
+ fi
+
+ eautoreconf
+}
+
+src_configure() {
+ local myeconfargs=(
+ --localstatedir="${EPREFIX}/run"
+ $(use_enable client)
+ $(use_enable !gdbm file-cache)
+ $(use_enable nfqueue nfq-capture)
+ $(use_enable server)
+ $(use_enable udp-server)
+ $(use_with gpg gpgme)
+ )
+ use firewalld && myeconfargs+=(--with-firewalld="${EPREFIX}/usr/sbin/firewalld")
+ use iptables && myeconfargs+=(--with-iptables="${EPREFIX}/sbin/iptables")
+
+ econf "${myeconfargs[@]}"
+}
+
+src_compile() {
+ default_src_compile
+
+ if use python; then
+ cd python || die
+ distutils-r1_src_compile
+ fi
+}
+
+src_install() {
+ default_src_install
+ prune_libtool_files --modules
+
+ if use extras; then
+ dodoc extras/apparmor/usr.sbin.fwknopd
+ dodoc extras/console-qr/console-qr.sh
+ dodoc extras/fwknop-launcher/*
+ fi
+
+ if use server; then
+ newinitd "${FILESDIR}/fwknopd.init" fwknopd
+ newconfd "${FILESDIR}/fwknopd.confd" fwknopd
+ systemd_dounit extras/systemd/fwknopd.service
+ systemd_newtmpfilesd extras/systemd/fwknopd.tmpfiles.conf fwknopd.conf
+ readme.gentoo_create_doc
+ fi
+
+ if use python; then
+ # Redefine DOCS, otherwise distutils-r1 eclass interferes.
+ local DOCS=()
+ cd python || die
+ distutils-r1_src_install
+ fi
+}
+
+pkg_postinst() {
+ if use server; then
+ readme.gentoo_print_elog
+
+ if ! linux_config_exists || ! linux_chkconfig_present NETFILTER_XT_MATCH_COMMENT; then
+ echo
+ ewarn "fwknopd daemon relies on the 'comment' match in order to expire"
+ ewarn "created firewall rules, which is an important security feature."
+ ewarn "Please enable NETFILTER_XT_MATCH_COMMENT support in your kernel."
+ echo
+ fi
+ if use nfqueue && \
+ ! linux_config_exists || ! linux_chkconfig_present NETFILTER_XT_TARGET_NFQUEUE; then
+ echo
+ ewarn "fwknopd daemon relies on the 'NFQUEUE' target for NFQUEUE mode."
+ ewarn "Please enable NETFILTER_XT_TARGET_NFQUEUE support in your kernel."
+ echo
+ fi
+ fi
+}
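Review bot: The second kernel check in pkg_postinst mixes `&&` and `||` without grouping; the shell evaluates them left to right with equal precedence, so `use nfqueue && ! linux_config_exists || ! linux_chkconfig_present NETFILTER_XT_TARGET_NFQUEUE` emits the NFQUEUE warning on every non-nfqueue install whose kernel lacks that target and skips it when nfqueue is set but no kernel config can be found. Group the alternatives: `if use nfqueue && { ! linux_config_exists || ! linux_chkconfig_present NETFILTER_XT_TARGET_NFQUEUE; }; then`. Separately, src_install takes the unit and tmpfiles snippet from upstream extras/systemd/ rather than from ${FILESDIR}, so files/fwknopd.service and files/fwknopd.tmpfiles.conf added in this commit are never installed; either use `systemd_dounit "${FILESDIR}/fwknopd.service"` and `systemd_newtmpfilesd "${FILESDIR}/fwknopd.tmpfiles.conf" fwknopd.conf` or drop the two files. DOC_CONTENTS points users at '${EPREFIX}/etc/fwknopd/' while the init script, its conf.d file and its error messages all use /etc/fwknop, so one of the two paths looks like a typo.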
diff --git a/net-firewall/fwknop/metadata.xml b/net-firewall/fwknop/metadata.xml
new file mode 100644
index 000000000000..3f95120e273b
--- /dev/null
+++ b/net-firewall/fwknop/metadata.xml
@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+ <maintainer type="person">
+ <email>itumaykin+gentoo@gmail.com</email>
+ <name>Coacher</name>
+ </maintainer>
+ <maintainer type="project">
+ <email>proxy-maint@gentoo.org</email>
+ <name>Proxy Maintainers</name>
+ </maintainer>
+ <use>
+ <flag name="client">Build fwknop client</flag>
+ <flag name="extras">Install utility scripts and AppArmor policy for fwknopd</flag>
+ <flag name="firewalld">Use <pkg>net-firewall/firewalld</pkg> as the default server backend</flag>
+ <flag name="gdbm">Use <pkg>sys-libs/gdbm</pkg> to store fwknopd digest cache</flag>
+ <flag name="gpg">Enable GPG support via <pkg>app-crypt/gpgme</pkg></flag>
+ <flag name="iptables">Use <pkg>net-firewall/iptables</pkg> as the default server backend</flag>
+ <flag name="nfqueue">Enable UDP-only NFQUEUE server mode (no <pkg>net-libs/libpcap</pkg> dependency)</flag>
+ <flag name="server">Build fwknopd server</flag>
+ <flag name="udp-server">Enable UDP-only server mode (no <pkg>net-libs/libpcap</pkg> dependency)</flag>
+ </use>
+ <upstream>
+ <remote-id type="github">mrash/fwknop</remote-id>
+ </upstream>
+</pkgmetadata> |