authorDaniil Baturin <daniil.baturin@vyatta.com>2011-11-04 04:46:00 +0700
committerDaniil Baturin <daniil.baturin@vyatta.com>2011-11-04 04:46:00 +0700
commit410023fd604af49434ed5039c99c7ee6abc99b20 (patch)
tree74e703e1d778db8ace3796c3d1fdf528b302abe7 /debian
Initial commit.debian/0.1
Diffstat (limited to 'debian')
-rw-r--r--debian/README6
-rwxr-xr-xdebian/autogen.sh11
-rw-r--r--debian/changelog6
-rw-r--r--debian/compat1
-rw-r--r--debian/control64
-rw-r--r--debian/copyright36
-rw-r--r--debian/docs2
-rw-r--r--debian/lintian2
-rwxr-xr-xdebian/rules105
-rw-r--r--debian/vyatta-cfg-system.postinst.in269
-rw-r--r--debian/vyatta-cfg-system.postrm12
11 files changed, 514 insertions, 0 deletions
diff --git a/debian/README b/debian/README
new file mode 100644
index 0000000..b7a8b29
--- /dev/null
+++ b/debian/README
@@ -0,0 +1,6 @@
+The Debian Package vyatta-cfg-system
+----------------------------
+
+This package has Vyatta connection tracking configuration templates and scripts.
+
+ -- Daniil Baturin <daniil.baturin@vyatta.com> Thu, 3 Nov 2011 12:31:53 -0700
diff --git a/debian/autogen.sh b/debian/autogen.sh
new file mode 100755
index 0000000..e8c94af
--- /dev/null
+++ b/debian/autogen.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+
+rm -rf config
+rm -f aclocal.m4 config.guess config.statusconfig.sub configure INSTALL
+
+autoreconf --force --install
+
+rm -f config.sub config.guess
+ln -s /usr/share/misc/config.sub .
+ln -s /usr/share/misc/config.guess .
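Review bot: The second `rm -f` line names `config.statusconfig.sub`, a file that never exists, so a stale `config.status` survives regeneration; it should read `rm -f aclocal.m4 config.guess config.status config.sub configure INSTALL`. The script also runs without `set -e`, so a failed `autoreconf` falls through to the `ln -s` lines and the exit status reflects only the last link. Adding `set -e` directly under the shebang makes the package build stop at the step that actually failed.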
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000..91b73a8
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,6 @@
+vyatta-conntrack (0.1) unstable; urgency=low
+
+ * Initial Release.
+
+ -- Daniil Baturin <daniil.baturin@vyatta.com> Thu, 3 Nov 2011 12:31:53 -0700
+
diff --git a/debian/compat b/debian/compat
new file mode 100644
index 0000000..7ed6ff8
--- /dev/null
+++ b/debian/compat
@@ -0,0 +1 @@
+5
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..8671c1f
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,64 @@
+Source: vyatta-conntrack
+Section: contrib/net
+Priority: extra
+Maintainer: Vyatta Package Maintainers <maintainers@vyatta.com>
+Build-Depends: debhelper (>= 5), autotools-dev
+Standards-Version: 3.7.2
+
+Package: vyatta-conntrack
+Architecture: any
+Depends: acpid,
+ adduser,
+ sed (>= 4.1.5),
+ perl (>= 5.10.1),
+ libnetaddr-ip-perl,
+ procps (>= 1:3.2.7-3),
+ coreutils (>= 5.97-5.3),
+ libpam-radius-auth,
+ vyatta-cfg (>= 0.18.58),
+ libc6 (>= 2.7-6),
+ libpam-runtime (>= 1.0.1-5),
+ vyatta-bash | bash (>= 3.1),
+ sysv-rc,
+ ntp (>= 4.2.4p6+vyatta-7),
+ udev (>= 160-1),
+ rsyslog | system-log-daemon,
+ vyatta-busybox,
+ sudo,
+ snmpd (>= 5.4.2.1-vyatta11),
+ vyatta-keepalived (>= 1.1.15-1-vyatta-5),
+ bridge-utils,
+ ethtool,
+ ssh (>= 1:5.1p1-5),
+ openssh-server (>= 1:5.1p1-5),
+ ed,
+ ifupdown,
+ tshark,
+ iputils-arping,
+ installation-report,
+ laptop-detect,
+ usbutils,
+ mgetty,
+ tasksel,
+ snmp,
+ tcpdump,
+ dnsmasq (>= 2.45-1+lenny1),
+ mdadm,
+ ddclient (>= 3.7.3-4.2),
+ libio-socket-ssl-perl,
+ vyatta-biosdevname,
+ ipvsadm (>= 1:1.24-2.1),
+ radvd (>= 1:1.1-3),
+ apt-transport-https,
+ hostapd (>= 1:0.6.9-3),
+ cpufrequtils,
+ grub-pc (>= 1.98+20100804),
+ libcap2-bin (>= 2.19)
+Pre-Depends: bash-completion
+Suggests: util-linux (>= 2.13-5),
+ net-tools,
+ ncurses-bin (>= 5.5-5),
+ ntpdate
+Replaces: vyatta-cfg-system
+Description: Vyatta conntrack configuration
+ Vyatta conntrack configuration utiliites, templates and scripts.
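Review bot: The `Depends` field reads as if it was carried over from vyatta-cfg-system rather than derived from what a conntrack configuration package calls: it makes `openssh-server`, `snmpd`, `dnsmasq`, `hostapd`, `tshark`, `tcpdump` and `libpam-radius-auth` mandatory on every system that installs this package. Each hard dependency here is a network-facing or privileged component that then has to be patched and configured, so the list should be cut down to the tools the conntrack templates and scripts actually invoke, with the rest left to the package that owns them. `Replaces: vyatta-cfg-system` without a matching `Conflicts` or `Breaks` permits this package to overwrite that package's files while both remain installed; confirm that is intended. The description also misspells "utilities".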
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 0000000..8262ab8
--- /dev/null
+++ b/debian/copyright
@@ -0,0 +1,36 @@
+This package was debianized by Daniil Baturin <daniil.baturin@vyatta.com> on
+Thu, 3 Nov 2011.
+
+It's original content from the GIT repository
+ <http://vyatt.com/git/vyatta-conntrack>
+
+Upstream Author:
+
+ <eng@vyatta.com>
+
+Copyright:
+
+ Copyright (C) 2011 Vyatta, Inc.
+ All Rights Reserved.
+
+License:
+
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+This program is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+A copy of the GNU General Public License is available as
+`/usr/share/common-licenses/GPL' in the Debian GNU/Linux distribution
+or on the World Wide Web at `http://www.gnu.org/copyleft/gpl.html'.
+You can also obtain it by writing to the Free Software Foundation,
+Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston,
+MA 02110-1301, USA.
+
+The Debian packaging is (C) 2007, Daniil Baturin <daniil.baturin@vyatta.com> and
+is licensed under the GPL, see above.
diff --git a/debian/docs b/debian/docs
new file mode 100644
index 0000000..50bd824
--- /dev/null
+++ b/debian/docs
@@ -0,0 +1,2 @@
+NEWS
+README
diff --git a/debian/lintian b/debian/lintian
new file mode 100644
index 0000000..dde999b
--- /dev/null
+++ b/debian/lintian
@@ -0,0 +1,2 @@
+vyatta-conntrack: file-in-unusual-dir
+vyatta-conntrack: dir-or-file-in-opt
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000..07138a2
--- /dev/null
+++ b/debian/rules
@@ -0,0 +1,105 @@
+#!/usr/bin/make -f
+# -*- makefile -*-
+# Sample debian/rules that uses debhelper.
+# This file was originally written by Joey Hess and Craig Small.
+# As a special exception, when this file is copied by dh-make into a
+# dh-make output file, you may use that output file without restriction.
+# This special exception was added by Craig Small in version 0.37 of dh-make.
+
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+
+# These are used for cross-compiling and for saving the configure script
+# from having to guess our platform (since we know it already)
+DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
+DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
+PACKAGE=vyatta-conntrack
+PKGDIR=$(CURDIR)/debian/$(PACKAGE)
+
+CFLAGS = -Wall -g
+
+configure = ./configure
+configure += --host=$(DEB_HOST_GNU_TYPE)
+configure += --build=$(DEB_BUILD_GNU_TYPE)
+configure += --prefix=/opt/vyatta
+configure += --mandir=\$${prefix}/share/man
+configure += --infodir=\$${prefix}/share/info
+configure += CFLAGS="$(CFLAGS)"
+configure += LDFLAGS="-Wl,-z,defs"
+
+ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
+ CFLAGS += -O0
+else
+ CFLAGS += -O2
+endif
+
+configure: configure.ac Makefile.am
+ chmod +x debian/autogen.sh
+ debian/autogen.sh
+
+config.status: configure
+ dh_testdir
+ rm -f config.cache
+ $(configure)
+
+build: build-stamp
+
+build-stamp: config.status
+ dh_testdir
+ $(MAKE)
+ touch $@
+
+clean: clean-patched
+
+# Clean everything up, including everything auto-generated
+# at build time that needs not to be kept around in the Debian diff
+clean-patched:
+ dh_testdir
+ dh_testroot
+ if test -f Makefile ; then $(MAKE) clean distclean ; fi
+ rm -f build-stamp
+ rm -f config.status config.sub config.guess config.log
+ rm -f aclocal.m4 configure Makefile.in Makefile INSTALL
+ rm -rf config
+ dh_clean
+
+install: build
+ dh_testdir
+ dh_testroot
+ dh_clean -k
+ dh_installdirs
+
+ $(MAKE) DESTDIR=$(PKGDIR) install
+
+ install -D --mode=0644 debian/lintian $(PKGDIR)/usr/share/lintian/overrides/$(PACKAGE)
+
+# Build architecture-independent files here.
+binary-indep: build install
+ rm -f debian/files
+ dh_testdir
+ dh_testroot
+ dh_installchangelogs ChangeLog
+ dh_installdocs
+ dh_install
+ dh_installdebconf
+ dh_link
+ dh_strip
+ dh_compress
+ dh_fixperms
+ dh_installdeb
+ if [ -f "../.VYATTA_DEV_BUILD" ]; then \
+ dh_gencontrol -- -v999.dev; \
+ else \
+ dh_gencontrol; \
+ fi
+ dh_md5sums
+ dh_builddeb
+
+# Build architecture-dependent files here.
+binary-arch: build install
+# This is an architecture independent package
+# so; we have nothing to do by default.
+
+binary: binary-indep binary-arch
+.PHONY: build clean binary-indep binary-arch binary install
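Review bot: The whole debhelper sequence sits under `binary-indep` while `binary-arch` is empty, yet debian/control declares the package `Architecture: any`, so an architecture-only build (`dpkg-buildpackage -B`) would run `binary-arch` and produce no .deb. Move the recipe to `binary-arch`, leave `binary-indep` as the empty target, and correct the two comments that call this an architecture-independent package. If the package ships compiled code, `CFLAGS = -Wall -g` and `LDFLAGS="-Wl,-z,defs"` carry no hardening options; add them here or take the flags from the distribution's build-flag defaults.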
diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in
new file mode 100644
index 0000000..4e07288
--- /dev/null
+++ b/debian/vyatta-cfg-system.postinst.in
@@ -0,0 +1,269 @@
+#!/bin/bash
+
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+sysconfdir=@sysconfdir@
+bindir=@bindir@
+sbindir=@sbindir@
+
+# remove init of daemons that are controlled by Vyatta configuration process
+for init in ntp ssh snmpd openhpid logd \
+ ipvsadm dnsmasq ddclient radvd hostapd conntrackd
+do
+ update-rc.d -f ${init} remove >/dev/null
+done
+
+# remove extra call to clock setup only need one. this speeds up boot
+# Mystery: why does Debian do it twice?
+if [ -L /etc/rcS.d/S*hwclockfirst.sh -a -L /etc/rcS.d/S*hwclock.sh ]; then
+ rm /etc/rcS.d/S*hwclock.sh
+fi
+
+# Udev package asks for user 'tss' early in boot process.
+# Want to avoid going out to remote services to look for this local user
+if ! grep -q '^tss' /etc/passwd; then
+ adduser --system --group --shell /usr/sbin/nologin --home /var/lib/tpm tss
+fi
+
+# Remove leftover udev files from earlier release
+if [ -d /etc/udev/rules.d/ ]; then
+ rm -f /etc/udev/rules.d/*vyatta-net.rules
+fi
+
+# Remove rsyslog logrotate since it has hardcoded assumptions about syslog files
+rm -f /etc/logrotate.d/rsyslog
+
+# Force screenblanker to be off, it can be enabled later if desired
+if [ -f /etc/console-tools/config ]; then
+ sed -i -e '/^POWERDOWN/s/=.*$/=0/' \
+ -e '/^BLANK_TIME/s/=.*$/=0/' \
+ -e '/^BLANK_DPMS/s/=.*$/=off/' /etc/console-tools/config
+fi
+
+if [ "$sysconfdir" != "/etc" ]; then
+ touch /etc/sudoers
+ cp -p /etc/sudoers /etc/sudoers.bak
+
+ # enable ssh banner
+ sed -i 's/^#Banner/Banner/' /etc/ssh/sshd_config
+ # make sure PermitRoot is off
+ sed -i '/^PermitRootLogin/s/yes/no/' /etc/ssh/sshd_config
+ # make sure PasswordAuthentication is on
+ sed -i 's/^#PasswordAuthentication/PasswordAuthentication/' /etc/ssh/sshd_config
+ sed -i '/^PasswordAuthentication/s/no/yes/' /etc/ssh/sshd_config
+
+ # add HostKeys for protocol version 1
+ if ! grep -q '^HostKey /etc/ssh/ssh_host_key' /etc/ssh/sshd_config; then
+ echo '# HostKey for protocol version 1' >> /etc/ssh/sshd_config
+ echo 'HostKey /etc/ssh/ssh_host_key' >> /etc/ssh/sshd_config
+ fi
+
+ # add UseDNS line
+ sed -i '/^UseDNS/d' /etc/ssh/sshd_config
+ echo 'UseDNS yes' >>/etc/ssh/sshd_config
+
+ # for "admin" level
+ sed -i 's/^# %sudo ALL=NOPASSWD: ALL/%sudo ALL=NOPASSWD: ALL/' /etc/sudoers
+ if ! grep -q '^%sudo ALL=NOPASSWD: ALL' /etc/sudoers; then
+ echo -e "\n%sudo ALL=NOPASSWD: ALL" >> /etc/sudoers
+ fi
+
+ # cleanup any old entries from previous versions
+ sed -i /etc/sudoers \
+ -e '/### BEGIN VYATTA/,/### END VYATTA/d' \
+ -e '/Cmnd_Alias IPTABLE/,/PPPOE_CMDS/d' \
+ -e '/sudo-users/d' \
+ -e '/env_keep+=VYATTA/d' || true
+
+ # Add Vyatta entries
+ cat <<"EOF" >>/etc/sudoers
+### BEGIN VYATTA
+Defaults syslog_goodpri=info
+Defaults env_keep+=VYATTA_*
+
+Cmnd_Alias IPTABLES = /sbin/iptables --list -n,\
+ /sbin/iptables -L -vn,\
+ /sbin/iptables -L * -vn,\
+ /sbin/iptables -t * -L *, \
+ /sbin/iptables -Z *,\
+ /sbin/iptables -Z -t nat, \
+ /sbin/iptables -t * -Z *
+Cmnd_Alias IP6TABLES = /sbin/ip6tables -t * -Z *, \
+ /sbin/ip6tables -t * -L *
+Cmnd_Alias CONNTRACK = /usr/sbin/conntrack -L *, \
+ /usr/sbin/conntrack -G *, \
+ /usr/sbin/conntrack -E *
+Cmnd_Alias IPFLUSH = /sbin/ip route flush cache, \
+ /sbin/ip route flush cache *,\
+ /sbin/ip neigh flush to *, \
+ /sbin/ip neigh flush dev *, \
+ /sbin/ip -f inet6 route flush cache, \
+ /sbin/ip -f inet6 route flush cache *,\
+ /sbin/ip -f inet6 neigh flush to *, \
+ /sbin/ip -f inet6 neigh flush dev *
+Cmnd_Alias ETHTOOL = /sbin/ethtool -p *, \
+ /sbin/ethtool -S *, \
+ /sbin/ethtool -a *, \
+ /sbin/ethtool -c *, \
+ /sbin/ethtool -i *
+Cmnd_Alias DISK = /usr/bin/lsof, /sbin/fdisk -l *, /sbin/sfdisk -d *
+Cmnd_Alias DATE = /bin/date, /usr/sbin/ntpdate
+Cmnd_Alias PPPOE_CMDS = /sbin/pppd, /sbin/poff, /usr/sbin/pppstats
+Cmnd_Alias PCAPTURE = /usr/bin/tshark, /usr/bin/tcpdump
+Cmnd_Alias HWINFO = /usr/bin/lspci
+%operator ALL=NOPASSWD: DATE, IPTABLES, ETHTOOL, IPFLUSH, HWINFO, \
+ PPPOE_CMDS, PCAPTURE, /usr/sbin/wanpipemon, \
+ DISK, CONNTRACK, IP6TABLES
+EOF
+ cat <<EOF >>/etc/sudoers
+%users ALL=NOPASSWD: ${bindir}/sudo-users/
+### END VYATTA
+EOF
+
+ # set up blacklists
+ for f in blacklist.DSA-1024 blacklist.RSA-2048; do
+ if [ -r "/etc/ssh/$f" ]; then
+ l=$(head -1 $sysconfdir/$f)
+ if ! grep -q "$l" /etc/ssh/$f; then
+ tmp=$(mktemp /tmp/bl.XXXXXXXXXX)
+ cat /etc/ssh/$f $sysconfdir/$f | sort >$tmp
+ mv $tmp /etc/ssh/$f
+ fi
+ else
+ cp $sysconfdir/$f /etc/ssh/$f
+ fi
+ done
+
+ # purge off ancient devfs stuff from /etc/securetty
+ cp $sysconfdir/securetty /etc/securetty
+
+ for f in issue issue.net; do
+ if [ ! -e /etc/$f.old ]; then
+ cp $sysconfdir/$f /etc/$f
+ fi
+ done
+
+ cp $sysconfdir/vyatta-sysctl.conf /etc/sysctl.d/30-vyatta-router.conf
+
+ # Set file capabilities
+ sed -r -e '/^#/d' -e '/^[[:blank:]]*$/d' < $sysconfdir/filecaps | \
+ while read capability path; do
+ touch -c $path
+ setcap $capability $path
+ done
+
+ # Install pam_cap config
+ cp $sysconfdir/capability.conf /etc/security/capability.conf
+
+ # Install our own version of rsyslog.conf without
+ # default targets
+ mv /etc/rsyslog.conf /etc/rsyslog.conf.orig
+ cp $sysconfdir/rsyslog.conf /etc/rsyslog.conf
+
+ # Install own version of cpufrequtils config
+ cp $sysconfdir/cpufrequtils /etc/default/cpufrequtils
+fi
+
+# create needed directories
+mkdir -p /var/log/user
+mkdir -p /var/core
+mkdir -p /opt/vyatta/etc/config/auth
+mkdir -p /opt/vyatta/etc/config/scripts
+mkdir -p /opt/vyatta/etc/config/user-data
+mkdir -p /opt/vyatta/etc/config/support
+chown -R root.vyattacfg /opt/vyatta/etc/config
+chmod -R 775 /opt/vyatta/etc/config
+
+# create /opt/vyatta/etc/config/scripts/vyatta-postconfig-bootup.script
+# this should be after 'mkdir -p /opt/vyatta/etc/config/scripts' above
+if [ ! -x /opt/vyatta/etc/config/scripts/vyatta-postconfig-bootup.script ]; then
+ touch /opt/vyatta/etc/config/scripts/vyatta-postconfig-bootup.script
+ chmod 755 /opt/vyatta/etc/config/scripts/vyatta-postconfig-bootup.script
+ cat <<EOF >>/opt/vyatta/etc/config/scripts/vyatta-postconfig-bootup.script
+#!/bin/sh
+# This script is called from /etc/rc.local on boot after the Vyatta
+# configuration is fully applied. Any modifications done to work around
+# unfixed bugs and implement enhancements which are not complete in the Vyatta
+# system can be placed here.
+EOF
+fi
+
+# call vyatta-postconfig-bootup.script from /etc/rc.local
+if ! grep -q /opt/vyatta/etc/config/scripts/vyatta-postconfig-bootup.script \
+ /etc/rc.local
+then
+ cat <<EOF >>/etc/rc.local
+# Do not remove the following call to vyatta-postconfig-bootup.script.
+# Any boot time workarounds should be put in script below so that they
+# get preserved for the new image during image upgrade.
+sudo /opt/vyatta/etc/config/scripts/vyatta-postconfig-bootup.script
+EOF
+ sh -c "sed -i -e '/exit 0/d' /etc/rc.local"
+ cat <<EOF >>/etc/rc.local
+exit 0
+EOF
+fi
+
+touch /etc/environment
+
+if [ ! -f /etc/bash_completion ]; then
+ echo "source /etc/bash_completion.d/10vyatta-op" > /etc/bash_completion
+ echo "source /etc/bash_completion.d/20vyatta-cfg" >> /etc/bash_completion
+fi
+
+sed -i 's/^set /builtin set /' /etc/bash_completion
+
+dpkg-reconfigure -f noninteractive openssh-server
+rm -f /etc/ssh/*.broken
+update-rc.d -f ssh remove >/dev/null
+
+# Fix up PAM configuration for login so that invalid users are prompted
+# for password
+sed -i 's/requisite[ \t][ \t]*pam_securetty.so/required pam_securetty.so/' $rootfsdir/etc/pam.d/login
+
+# Change default shell for new accounts
+sed -i -e ':^DSHELL:s:/bin/bash:/bin/vbash:' /etc/adduser.conf
+
+# Do not allow users to change full name field (controlled by Vyatta config)
+sed -i -e 's/^CHFN_RESTRICT/#&/' /etc/login.defs
+
+# Only allow root to use passwd command
+if ! grep -q 'pam_succeed_if.so' /etc/pam.d/passwd ; then
+ sed -i -e '/^@include/i \
+password requisite pam_succeed_if.so user = root
+' /etc/pam.d/passwd
+fi
+
+#
+# Ask mdadm to call our own event handling daemon
+#
+if [ -e /etc/default/mdadm ]; then
+ sed -i 's+^DAEMON_OPTIONS=.*$+DAEMON_OPTIONS="--syslog --program /opt/vyatta/sbin/vyatta-raid-event"+' /etc/default/mdadm
+fi
+
+# remove unnecessary ddclient script in /etc/ppp/ip-up.d/
+# this logs unnecessary messages trying to start ddclient
+rm -f /etc/ppp/ip-up.d/ddclient
+
+# remove old init that should have been cleaned up during upgrade but isn't
+if [ -f /etc/init.d/vyatta-ofr ]; then
+ update-rc.d -f /etc/init.d/vyatta-ofr remove
+ rm -f /etc/init.d/vyatta-ofr
+fi
+
+# comply with Squeeze version of modprobe
+# remove old versions of files during upgrade
+for modprobe in vyatta_blacklist_ipv6 vyatta_disable_ipv6
+do
+ if [ -f /etc/modprobe.d/${modprobe} ]; then
+ mv -f /etc/modprobe.d/${modprobe} /etc/modprobe.d/${modprobe}.conf
+ fi
+done
+
+# add vyatta-config-reboot-params to start at boot up
+update-rc.d vyatta-config-reboot-params defaults
+
+# Local Variables:
+# mode: shell-script
+# sh-indentation: 4
+# End:
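Review bot: The block under `if [ "$sysconfdir" != "/etc" ]` rewrites the live `/etc/sudoers` with `sed -i` and two appended here-documents and never syntax-checks the result, so one malformed line leaves a file that sudo refuses to parse; build the new content in a temporary copy and install it only after `visudo -c -f` accepts it, as sketched below. The grants are also wider than they read: a `*` in a sudoers command matches any further arguments, and `PCAPTURE`, `PPPOE_CMDS` and `DATE` list binaries with no argument restriction at all, so `%operator` gets those tools as root with every option they support; narrow each entry to the exact invocation the operator commands need. The same block turns password logins on and adds a protocol 1 `HostKey` on every run, which overrides any hardening the administrator applied to `sshd_config`. `chmod -R 775 /opt/vyatta/etc/config` leaves the directory holding `vyatta-postconfig-bootup.script`, which rc.local runs through sudo, writable by group vyattacfg, so membership of that group amounts to root at boot. Two later lines do not do what their comments say: `$rootfsdir` is never assigned in this script, and `':^DSHELL:s:/bin/bash:/bin/vbash:'` is parsed by sed as a label rather than an address, so the default shell is never changed; `sed -i -e '/^DSHELL/s:/bin/bash:/bin/vbash:' /etc/adduser.conf` is the working form.

```shell
    # stage the edit; /etc/sudoers is replaced only if visudo accepts the result
    sudoers_new=$(mktemp /etc/sudoers.vyatta.XXXXXX) || exit 1
    cp -p /etc/sudoers "$sudoers_new"

    # … unchanged: %sudo line, sed cleanup and both here-documents,
    #   each writing to "$sudoers_new" instead of /etc/sudoers …

    if visudo -c -f "$sudoers_new" >/dev/null; then
        mv -f "$sudoers_new" /etc/sudoers
    else
        rm -f "$sudoers_new"
        echo "vyatta sudoers update failed visudo -c; /etc/sudoers left unchanged" >&2
        exit 1
    fi
```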
diff --git a/debian/vyatta-cfg-system.postrm b/debian/vyatta-cfg-system.postrm
new file mode 100644
index 0000000..413780b
--- /dev/null
+++ b/debian/vyatta-cfg-system.postrm
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+if [ "$1" = "purge" ]; then
+ sed -i -e '/### BEGIN VYATTA/,/### END VYATTA/d' /etc/sudoers
+ sed -i -e 'g/^password/d' /etc/pam.d/password
+ update-rc.d vyatta-config-reboot-params remove
+fi
+
+# Local Variables:
+# mode: shell-script
+# sh-indentation: 4
+# End:
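Review bot: The second sed in the purge branch cannot undo what the postinst did: `g/^password/d` is ed syntax that sed does not accept as written, and its target `/etc/pam.d/password` is not the `/etc/pam.d/passwd` file the postinst edited, so the `pam_succeed_if.so user = root` rule stays behind after purge. A corrected address must match only the inserted line, because a bare `/^password/d` would strip every password rule from that PAM file; `sed -i -e '/^password.*pam_succeed_if\.so.*user = root/d' /etc/pam.d/passwd` does that. The `/etc/sudoers` edit on the line above it has no `visudo -c` check either. Both maintainer scripts are named for vyatta-cfg-system while debian/control declares only vyatta-conntrack, so debhelper would presumably not install them for this package; confirm the intended name.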