From 6aa3bb5fa833a87ee69f8b77be9d48647601e3b9 Mon Sep 17 00:00:00 2001 
From: Christian Breunig Date: Sun, 22 Dec 2024 11:59:17 +0100 Subject: T6674: use common .gitignore file for Package build artifacts/sources --- scripts/package-build/.gitignore | 8 ++++++++ scripts/package-build/amazon-cloudwatch-agent/.gitignore | 8 +------- scripts/package-build/amazon-ssm-agent/.gitignore | 8 +------- scripts/package-build/aws-gwlbtun/.gitignore | 9 +-------- scripts/package-build/ddclient/.gitignore | 8 +------- scripts/package-build/dropbear/.gitignore | 8 +------- scripts/package-build/ethtool/.gitignore | 8 +------- scripts/package-build/frr/.gitignore | 12 +++--------- scripts/package-build/frr_exporter/.gitignore | 7 +------ scripts/package-build/hostap/.gitignore | 9 ++------- scripts/package-build/hsflowd/.gitignore | 8 +------- scripts/package-build/isc-dhcp/.gitignore | 8 +------- scripts/package-build/kea/.gitignore | 8 +------- scripts/package-build/keepalived/.gitignore | 8 +------- scripts/package-build/ndppd/.gitignore | 8 +------- scripts/package-build/net-snmp/.gitignore | 7 +------ scripts/package-build/netfilter/.gitignore | 6 ------ scripts/package-build/node_exporter/.gitignore | 6 ------ scripts/package-build/opennhrp/.gitignore | 7 +------ scripts/package-build/openvpn-otp/.gitignore | 8 +------- scripts/package-build/owamp/.gitignore | 7 +------ scripts/package-build/pmacct/.gitignore | 7 +------ scripts/package-build/podman/.gitignore | 8 +------- scripts/package-build/pyhumps/.gitignore | 8 +------- scripts/package-build/radvd/.gitignore | 7 +------ scripts/package-build/strongswan/.gitignore | 8 +------- scripts/package-build/tacacs/.gitignore | 12 +++--------- scripts/package-build/telegraf/.gitignore | 7 +------ scripts/package-build/waagent/.gitignore | 9 +-------- scripts/package-build/wide-dhcpv6/.gitignore | 8 +------- scripts/package-build/xen-guest-agent/.gitignore | 8 +------- 31 files changed, 41 insertions(+), 207 deletions(-) create mode 100644 scripts/package-build/.gitignore 
diff --git a/scripts/package-build/.gitignore b/scripts/package-build/.gitignore
new file mode 100644
index 00000000..a1b8b226
--- /dev/null
+++ b/scripts/package-build/.gitignore
@@ -0,0 +1,8 @@
+*.buildinfo
+*.build
+*.changes
+*.deb
+*.udeb
+*.dsc
+*.tar.gz
+*.tar.xz
diff --git a/scripts/package-build/amazon-cloudwatch-agent/.gitignore b/scripts/package-build/amazon-cloudwatch-agent/.gitignore
index 7f8e0127..5eb3e42a 100644
--- a/scripts/package-build/amazon-cloudwatch-agent/.gitignore
+++ b/scripts/package-build/amazon-cloudwatch-agent/.gitignore
@@ -1,7 +1 @@
-amazon-cloudwatch-agent/
-*.buildinfo
-*.build
-*.changes
-*.deb
-*.dsc
-*.tar.gz
+/amazon-cloudwatch-agent/
diff --git a/scripts/package-build/amazon-ssm-agent/.gitignore b/scripts/package-build/amazon-ssm-agent/.gitignore
index f70728cf..78fa9ab9 100644
--- a/scripts/package-build/amazon-ssm-agent/.gitignore
+++ b/scripts/package-build/amazon-ssm-agent/.gitignore
@@ -1,7 +1 @@
-amazon-ssm-agent/
-*.buildinfo
-*.build
-*.changes
-*.deb
-*.dsc
-*.tar.gz
+/amazon-ssm-agent/
diff --git a/scripts/package-build/aws-gwlbtun/.gitignore b/scripts/package-build/aws-gwlbtun/.gitignore
index 0fe7946f..dab49f62 100644
--- a/scripts/package-build/aws-gwlbtun/.gitignore
+++ b/scripts/package-build/aws-gwlbtun/.gitignore
@@ -1,8 +1 @@
-aws-gwlbtun*/
-*.tar.gz
-*.tar.xz
-*.deb
-*.dsc
-*.buildinfo
-*.build
-*.changes
\ No newline at end of file
+/aws-gwlbtun*/
diff --git a/scripts/package-build/ddclient/.gitignore b/scripts/package-build/ddclient/.gitignore
index aeb8af66..17d0b753 100644
--- a/scripts/package-build/ddclient/.gitignore
+++ b/scripts/package-build/ddclient/.gitignore
@@ -1,7 +1 @@
-ddclient/
-*.buildinfo
-*.build
-*.changes
-*.deb
-*.dsc
-
+/ddclient/
diff --git a/scripts/package-build/dropbear/.gitignore b/scripts/package-build/dropbear/.gitignore
index 3d080d7c..58c2ff3d 100644
--- a/scripts/package-build/dropbear/.gitignore
+++ b/scripts/package-build/dropbear/.gitignore
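Review bot: The per-package entries become root-anchored in these hunks (`/amazon-cloudwatch-agent/`, `/amazon-ssm-agent/`, `/aws-gwlbtun*/`, `/ddclient/`), but the node_exporter hunk later in this commit keeps its surviving context line `node_exporter/` unanchored, so that one file still hides a same-named directory at any depth below it instead of only the checkout at the package root; for consistency with the rest of the series it should read `/node_exporter/`. The new common file is, by contrast, deliberately unanchored so its patterns cascade into every `scripts/package-build/<pkg>/` directory, and nothing in the file says so; a first line `# Debian build artifacts shared by every package directory below scripts/package-build/` would record that intent for the next maintainer who is tempted to anchor it too.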
@@ -1,7 +1 @@
-dropbear/
-*.buildinfo
-*.build
-*.changes
-*.deb
-*.dsc
-*.tar.gz
+/dropbear/
diff --git a/scripts/package-build/ethtool/.gitignore b/scripts/package-build/ethtool/.gitignore
index f964bd07..16adf9e5 100644
--- a/scripts/package-build/ethtool/.gitignore
+++ b/scripts/package-build/ethtool/.gitignore
@@ -1,7 +1 @@
-ethtool/
-*.buildinfo
-*.build
-*.changes
-*.deb
-*.dsc
-
+/ethtool/
diff --git a/scripts/package-build/frr/.gitignore b/scripts/package-build/frr/.gitignore
index f22f6747..93dfaca8 100644
--- a/scripts/package-build/frr/.gitignore
+++ b/scripts/package-build/frr/.gitignore
@@ -1,9 +1,3 @@
-frr/
-rtrlib/
-libyang/
-*.buildinfo
-*.build
-*.changes
-*.deb
-*.dsc
-*.tar.gz
+/frr/
+/rtrlib/
+/libyang/
diff --git a/scripts/package-build/frr_exporter/.gitignore b/scripts/package-build/frr_exporter/.gitignore
index 4880abf9..aee4cba5 100644
--- a/scripts/package-build/frr_exporter/.gitignore
+++ b/scripts/package-build/frr_exporter/.gitignore
@@ -1,6 +1 @@
-frr_exporter /
-*.buildinfo
-*.build
-*.changes
-*.deb
-*.dsc
+/frr_exporter/
diff --git a/scripts/package-build/hostap/.gitignore b/scripts/package-build/hostap/.gitignore
index f9c7eb32..1a2c97d8 100644
--- a/scripts/package-build/hostap/.gitignore
+++ b/scripts/package-build/hostap/.gitignore
@@ -1,7 +1,2 @@
-hostap/
-wpa/
-*.buildinfo
-*.build
-*.changes
-*.deb
-*.dsc
+/hostap/
+/wpa/
diff --git a/scripts/package-build/hsflowd/.gitignore b/scripts/package-build/hsflowd/.gitignore
index ecb384cd..aebf1d06 100644
--- a/scripts/package-build/hsflowd/.gitignore
+++ b/scripts/package-build/hsflowd/.gitignore
@@ -1,7 +1 @@
-host-sflow/
-*.buildinfo
-*.build
-*.changes
-*.deb
-*.dsc
-*.tar.gz
+/host-sflow/
diff --git a/scripts/package-build/isc-dhcp/.gitignore b/scripts/package-build/isc-dhcp/.gitignore
index 3f2ca44a..41aa96b8 100644
--- a/scripts/package-build/isc-dhcp/.gitignore
+++ b/scripts/package-build/isc-dhcp/.gitignore
@@ -1,7 +1 @@
-isc-dhcp/
-*.buildinfo
-*.build
-*.changes
-*.deb
-*.dsc
-*.tar.gz
+/isc-dhcp/
diff --git a/scripts/package-build/kea/.gitignore b/scripts/package-build/kea/.gitignore
index 1f9d42c9..70219f63 100644
--- a/scripts/package-build/kea/.gitignore
+++ b/scripts/package-build/kea/.gitignore
@@ -1,7 +1 @@
-isc-kea/
-*.buildinfo
-*.build
-*.changes
-*.deb
-*.dsc
-
+/isc-kea/
diff --git a/scripts/package-build/keepalived/.gitignore b/scripts/package-build/keepalived/.gitignore
index fa96cd3f..b6513f29 100644
--- a/scripts/package-build/keepalived/.gitignore
+++ b/scripts/package-build/keepalived/.gitignore
@@ -1,7 +1 @@
-keepalived/
-*.buildinfo
-*.build
-*.changes
-*.deb
-*.dsc
-
+/keepalived/
diff --git a/scripts/package-build/ndppd/.gitignore b/scripts/package-build/ndppd/.gitignore
index 2b71e9fb..4983088e 100644
--- a/scripts/package-build/ndppd/.gitignore
+++ b/scripts/package-build/ndppd/.gitignore
@@ -1,7 +1 @@
-ndppd/
-*.buildinfo
-*.build
-*.changes
-*.deb
-*.dsc
-
+/ndppd/
diff --git a/scripts/package-build/net-snmp/.gitignore b/scripts/package-build/net-snmp/.gitignore
index 67811e63..ce30b515 100644
--- a/scripts/package-build/net-snmp/.gitignore
+++ b/scripts/package-build/net-snmp/.gitignore
@@ -1,6 +1 @@
-net-snmp/
-*.buildinfo
-*.build
-*.changes
-*.deb
-*.dsc
+/net-snmp/
diff --git a/scripts/package-build/netfilter/.gitignore b/scripts/package-build/netfilter/.gitignore
index c6444404..ea401bf3 100644
--- a/scripts/package-build/netfilter/.gitignore
+++ b/scripts/package-build/netfilter/.gitignore
@@ -1,8 +1,2 @@
 /pkg-libnftnl/
 /pkg-nftables/
-*.buildinfo
-*.build
-*.changes
-*.deb
-*.dsc
-*.tar.gz
diff --git a/scripts/package-build/node_exporter/.gitignore b/scripts/package-build/node_exporter/.gitignore
index 0e010f4d..25d6ffd3 100644
--- a/scripts/package-build/node_exporter/.gitignore
+++ b/scripts/package-build/node_exporter/.gitignore
@@ -1,7 +1 @@
 node_exporter/
-*.buildinfo
-*.build
-*.changes
-*.deb
-*.dsc
-
diff --git a/scripts/package-build/opennhrp/.gitignore b/scripts/package-build/opennhrp/.gitignore
index 65d0752b..a06f6fde 100644
--- a/scripts/package-build/opennhrp/.gitignore
+++ b/scripts/package-build/opennhrp/.gitignore
@@ -1,6 +1 @@
-opennhrp/
-*.buildinfo
-*.build
-*.changes
-*.deb
-*.dsc
+/opennhrp/
diff --git a/scripts/package-build/openvpn-otp/.gitignore b/scripts/package-build/openvpn-otp/.gitignore
index 60dd3cad..90268525 100644
--- a/scripts/package-build/openvpn-otp/.gitignore
+++ b/scripts/package-build/openvpn-otp/.gitignore
@@ -1,7 +1 @@
-openvpn-otp/
-*.buildinfo
-*.build
-*.changes
-*.deb
-*.dsc
-*.tar.gz
+/openvpn-otp/
diff --git a/scripts/package-build/owamp/.gitignore b/scripts/package-build/owamp/.gitignore
index 4a97524e..c6efde63 100644
--- a/scripts/package-build/owamp/.gitignore
+++ b/scripts/package-build/owamp/.gitignore
@@ -1,6 +1 @@
-owamp/
-*.buildinfo
-*.build
-*.changes
-*.deb
-*.dsc
+/owamp/
diff --git a/scripts/package-build/pmacct/.gitignore b/scripts/package-build/pmacct/.gitignore
index 7007417a..65042174 100644
--- a/scripts/package-build/pmacct/.gitignore
+++ b/scripts/package-build/pmacct/.gitignore
@@ -1,6 +1 @@
-pmacct/
-*.buildinfo
-*.build
-*.changes
-*.deb
-*.dsc
+/pmacct/
diff --git a/scripts/package-build/podman/.gitignore b/scripts/package-build/podman/.gitignore
index 22c40b0e..dfba60a6 100644
--- a/scripts/package-build/podman/.gitignore
+++ b/scripts/package-build/podman/.gitignore
@@ -1,7 +1 @@
-podman/
-*.buildinfo
-*.build
-*.changes
-*.deb
-*.dsc
-
+/podman/
diff --git a/scripts/package-build/pyhumps/.gitignore b/scripts/package-build/pyhumps/.gitignore
index 6a90d1c9..27979294 100644
--- a/scripts/package-build/pyhumps/.gitignore
+++ b/scripts/package-build/pyhumps/.gitignore
@@ -1,7 +1 @@
-humps/
-*.buildinfo
-*.build
-*.changes
-*.deb
-*.dsc
-
+/humps/
diff --git a/scripts/package-build/radvd/.gitignore b/scripts/package-build/radvd/.gitignore
index 9c37832b..b3761965 100644
--- a/scripts/package-build/radvd/.gitignore
+++ b/scripts/package-build/radvd/.gitignore
@@ -1,6 +1 @@
-radvd/
-*.buildinfo
-*.build
-*.changes
-*.deb
-*.dsc
+/radvd/
diff --git a/scripts/package-build/strongswan/.gitignore b/scripts/package-build/strongswan/.gitignore
index f1ad761d..e4c36e8f 100644
--- a/scripts/package-build/strongswan/.gitignore
+++ b/scripts/package-build/strongswan/.gitignore
@@ -1,7 +1 @@
-strongswan/
-*.buildinfo
-*.build
-*.changes
-*.deb
-*.dsc
-*.tar.gz
+/strongswan/
diff --git a/scripts/package-build/tacacs/.gitignore b/scripts/package-build/tacacs/.gitignore
index 142020c5..3579fc4d 100644
--- a/scripts/package-build/tacacs/.gitignore
+++ b/scripts/package-build/tacacs/.gitignore
@@ -1,9 +1,3 @@
-libnss-tacplus/
-libpam-tacplus/
-libtacplus-map/
-*.buildinfo
-*.build
-*.changes
-*.deb
-*.dsc
-*.tar.gz
+/libnss-tacplus/
+/libpam-tacplus/
+/libtacplus-map/
diff --git a/scripts/package-build/telegraf/.gitignore b/scripts/package-build/telegraf/.gitignore
index bf2fcf43..f634da68 100644
--- a/scripts/package-build/telegraf/.gitignore
+++ b/scripts/package-build/telegraf/.gitignore
@@ -1,6 +1 @@
-telegraf/
-*.buildinfo
-*.build
-*.changes
-*.deb
-*.dsc
+/telegraf/
diff --git a/scripts/package-build/waagent/.gitignore b/scripts/package-build/waagent/.gitignore
index 80401271..a91839ef 100644
--- a/scripts/package-build/waagent/.gitignore
+++ b/scripts/package-build/waagent/.gitignore
@@ -1,8 +1 @@
-waagent/
-*.buildinfo
-*.build
-*.changes
-*.deb
-*.dsc
-*.tar.gz
-*.tar.xz
+/waagent/
diff --git a/scripts/package-build/wide-dhcpv6/.gitignore b/scripts/package-build/wide-dhcpv6/.gitignore
index 990f3c6c..b7f6e063 100644
--- a/scripts/package-build/wide-dhcpv6/.gitignore
+++ b/scripts/package-build/wide-dhcpv6/.gitignore
@@ -1,7 +1 @@
-wide-dhcpv6/
-*.buildinfo
-*.build
-*.changes
-*.deb
-*.dsc
-*.udeb
+/wide-dhcpv6/
diff --git a/scripts/package-build/xen-guest-agent/.gitignore b/scripts/package-build/xen-guest-agent/.gitignore
index 373bd76a..d34885ab 100644
--- a/scripts/package-build/xen-guest-agent/.gitignore
+++ b/scripts/package-build/xen-guest-agent/.gitignore
@@ -1,7 +1 @@
-xen-guest-agent/
-*.buildinfo
-*.build
-*.changes
-*.deb
-*.dsc
-
+/xen-guest-agent/
-- 
cgit v1.2.3
From 53ceb249883ed0dafef2c30db6ff9bef621aba1e Mon Sep 17 00:00:00 2001
From: Christian Breunig Date: Sun, 22 Dec 2024 12:00:10 +0100 Subject: T6674: move patches to "package/" subfolder This prevents accidentally applying a patch to multiple source directories defined in package.toml. Example FRR: Package consists of build instructions for libyang, rtrlib and frr itself. Previously patches in frr/patches folder got applied to libyang, rtrlib and frr which made no sense and could also fail a build. --- scripts/package-build/build.py | 3 +- .../dropbear/patches/0001-Enable-PAM-support.patch | 61 --- .../patches/dropbear/0001-Enable-PAM-support.patch | 61 +++ ...001-Enable-PCRE2-in-Debian-package-builds.patch | 24 - .../patches/0003-Clear-Babel-Config-On-Stop.patch | 29 -- ...001-Enable-PCRE2-in-Debian-package-builds.patch | 24 + .../frr/0003-Clear-Babel-Config-On-Stop.patch | 29 ++ ...001-Add-support-for-raw-IP-interface-type.patch | 248 --------- .../patches/0002-Checkpoint-improved-patch.patch | 170 ------ .../patches/0003-fix-compilation-errors.patch | 48 -- ...dd-support-for-ARPHRD_NONE-interface-type.patch | 29 -- ...001-Add-support-for-raw-IP-interface-type.patch | 248 +++++++++ .../isc-dhcp/0002-Checkpoint-improved-patch.patch | 170 ++++++ .../isc-dhcp/0003-fix-compilation-errors.patch | 48 ++ ...dd-support-for-ARPHRD_NONE-interface-type.patch | 29 ++ ...-Set-sysctl-arp_ignore-to-1-on-IPv6-VMACs.patch | 129 ----- ...-Set-sysctl-arp_ignore-to-1-on-IPv6-VMACs.patch | 129 +++++ ...skip-route-table-if-there-is-no-auto-rule.patch | 83 --- .../ndppd/patches/0002-set-vyos-version.patch | 25 - ...skip-route-table-if-there-is-no-auto-rule.patch | 83 +++ .../patches/ndppd/0002-set-vyos-version.patch | 25 + .../add-linux-6.7-compatibility-parsing.patch | 119 ----- .../add-linux-6.7-compatibility-parsing.patch | 119 +++++ scripts/package-build/netfilter/build.py | 196 +------ ...-SEGV-when-ICMP-ICMPv6-traffic-was-proces.patch | 49 -- ...-SEGV-when-ICMP-ICMPv6-traffic-was-proces.patch | 49 ++ 
...optional-source-and-remote-overrides-for-.patch | 579 --------------------- ...-vici-send-certificates-for-ike-sa-events.patch | 140 ----- ...d-support-for-individual-sa-state-changes.patch | 159 ------ ...e-options-enabled-by-Debian-that-are-unus.patch | 115 ---- ...optional-source-and-remote-overrides-for-.patch | 579 +++++++++++++++++++++ ...-vici-send-certificates-for-ike-sa-events.patch | 140 +++++ ...d-support-for-individual-sa-state-changes.patch | 159 ++++++ ...e-options-enabled-by-Debian-that-are-unus.patch | 115 ++++ ...dhcpc6-support-per-interface-client-DUIDs.patch | 230 -------- .../patches/0024-bind-to-single-socket.patch | 17 - .../0025-option-to-prevent-ia-release.patch | 155 ------ ...dhcpc6-support-per-interface-client-DUIDs.patch | 230 ++++++++ .../wide-dhcpv6/0024-bind-to-single-socket.patch | 17 + .../0025-option-to-prevent-ia-release.patch | 155 ++++++ 40 files changed, 2411 insertions(+), 2606 deletions(-) delete mode 100644 scripts/package-build/dropbear/patches/0001-Enable-PAM-support.patch create mode 100644 scripts/package-build/dropbear/patches/dropbear/0001-Enable-PAM-support.patch delete mode 100644 scripts/package-build/frr/patches/0001-Enable-PCRE2-in-Debian-package-builds.patch delete mode 100644 scripts/package-build/frr/patches/0003-Clear-Babel-Config-On-Stop.patch create mode 100644 scripts/package-build/frr/patches/frr/0001-Enable-PCRE2-in-Debian-package-builds.patch create mode 100644 scripts/package-build/frr/patches/frr/0003-Clear-Babel-Config-On-Stop.patch delete mode 100644 scripts/package-build/isc-dhcp/patches/0001-Add-support-for-raw-IP-interface-type.patch delete mode 100644 scripts/package-build/isc-dhcp/patches/0002-Checkpoint-improved-patch.patch delete mode 100644 scripts/package-build/isc-dhcp/patches/0003-fix-compilation-errors.patch delete mode 100644 scripts/package-build/isc-dhcp/patches/0004-add-support-for-ARPHRD_NONE-interface-type.patch create mode 100644 
scripts/package-build/isc-dhcp/patches/isc-dhcp/0001-Add-support-for-raw-IP-interface-type.patch create mode 100644 scripts/package-build/isc-dhcp/patches/isc-dhcp/0002-Checkpoint-improved-patch.patch create mode 100644 scripts/package-build/isc-dhcp/patches/isc-dhcp/0003-fix-compilation-errors.patch create mode 100644 scripts/package-build/isc-dhcp/patches/isc-dhcp/0004-add-support-for-ARPHRD_NONE-interface-type.patch delete mode 100644 scripts/package-build/keepalived/patches/0001-vrrp-Set-sysctl-arp_ignore-to-1-on-IPv6-VMACs.patch create mode 100644 scripts/package-build/keepalived/patches/keepalived/0001-vrrp-Set-sysctl-arp_ignore-to-1-on-IPv6-VMACs.patch delete mode 100644 scripts/package-build/ndppd/patches/0001-skip-route-table-if-there-is-no-auto-rule.patch delete mode 100644 scripts/package-build/ndppd/patches/0002-set-vyos-version.patch create mode 100644 scripts/package-build/ndppd/patches/ndppd/0001-skip-route-table-if-there-is-no-auto-rule.patch create mode 100644 scripts/package-build/ndppd/patches/ndppd/0002-set-vyos-version.patch delete mode 100644 scripts/package-build/net-snmp/patches/add-linux-6.7-compatibility-parsing.patch create mode 100644 scripts/package-build/net-snmp/patches/net-snmp/add-linux-6.7-compatibility-parsing.patch mode change 100755 => 120000 scripts/package-build/netfilter/build.py delete mode 100644 scripts/package-build/pmacct/patches/0001-fix-pmacctd-SEGV-when-ICMP-ICMPv6-traffic-was-proces.patch create mode 100644 scripts/package-build/pmacct/patches/pmacct/0001-fix-pmacctd-SEGV-when-ICMP-ICMPv6-traffic-was-proces.patch delete mode 100644 scripts/package-build/strongswan/patches/0001-charon-add-optional-source-and-remote-overrides-for-.patch delete mode 100644 scripts/package-build/strongswan/patches/0002-vici-send-certificates-for-ike-sa-events.patch delete mode 100644 scripts/package-build/strongswan/patches/0003-vici-add-support-for-individual-sa-state-changes.patch delete mode 100644 
scripts/package-build/strongswan/patches/0004-VyOS-disable-options-enabled-by-Debian-that-are-unus.patch
create mode 100644 scripts/package-build/strongswan/patches/strongswan/0001-charon-add-optional-source-and-remote-overrides-for-.patch
create mode 100644 scripts/package-build/strongswan/patches/strongswan/0002-vici-send-certificates-for-ike-sa-events.patch
create mode 100644 scripts/package-build/strongswan/patches/strongswan/0003-vici-add-support-for-individual-sa-state-changes.patch
create mode 100644 scripts/package-build/strongswan/patches/strongswan/0004-VyOS-disable-options-enabled-by-Debian-that-are-unus.patch
delete mode 100644 scripts/package-build/wide-dhcpv6/patches/0023-dhcpc6-support-per-interface-client-DUIDs.patch
delete mode 100644 scripts/package-build/wide-dhcpv6/patches/0024-bind-to-single-socket.patch
delete mode 100644 scripts/package-build/wide-dhcpv6/patches/0025-option-to-prevent-ia-release.patch
create mode 100644 scripts/package-build/wide-dhcpv6/patches/wide-dhcpv6/0023-dhcpc6-support-per-interface-client-DUIDs.patch
create mode 100644 scripts/package-build/wide-dhcpv6/patches/wide-dhcpv6/0024-bind-to-single-socket.patch
create mode 100644 scripts/package-build/wide-dhcpv6/patches/wide-dhcpv6/0025-option-to-prevent-ia-release.patch
diff --git a/scripts/package-build/build.py b/scripts/package-build/build.py
index 7212b6cf..d64a7378 100755
--- a/scripts/package-build/build.py
+++ b/scripts/package-build/build.py
@@ -58,7 +58,6 @@ def apply_patches(repo_dir: Path, patch_dir: Path) -> None:
 series.write(patch.name + '\n')
 print(f"I: Applied patch: {patch.name}")
-
 def prepare_package(repo_dir: Path, install_data: str) -> None:
 """Prepare a package"""
 if not install_data:
@@ -95,7 +94,7 @@ def build_package(package: list, patch_dir: Path) -> None:
 # Apply patches if any
 if (repo_dir / 'patches'):
- apply_patches(repo_dir, patch_dir)
+ apply_patches(repo_dir, patch_dir / repo_name)
 # Sanitize the commit ID and build a tarball for the package
 commit_id_sanitized = package['commit_id'].replace('/', '_')
diff --git a/scripts/package-build/dropbear/patches/0001-Enable-PAM-support.patch b/scripts/package-build/dropbear/patches/0001-Enable-PAM-support.patch
deleted file mode 100644
index fa6cf620..00000000
--- a/scripts/package-build/dropbear/patches/0001-Enable-PAM-support.patch
+++ /dev/null
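Review bot: The guard `if (repo_dir / 'patches'):` that wraps the new call is always true — a `Path` object is truthy whether or not the directory exists — and after this change the directory that actually matters is `patch_dir / repo_name`, so a source with no patch subfolder still reaches `apply_patches`; whether that helper copes with a missing directory cannot be seen from here, as `apply_patches` and the whole of `build_package` begin and end outside this hunk. Test the directory the call uses: `pkg_patch_dir = patch_dir / repo_name`, `if pkg_patch_dir.is_dir():`, `    apply_patches(repo_dir, pkg_patch_dir)`. `repo_name` is bound above the hunk and is presumably the per-source directory name from package.toml — worth confirming, since that name now selects which patch set gets applied to a checkout. A comment on the call, `# patches/<repo_name>/ keeps each source's patches separate, so a multi-source package (frr + libyang + rtrlib) only patches its own tree`, would record the reason the subfolder exists.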
@@ -1,61 +0,0 @@ -From 861bfb53de5909e25a952a83654c63de61af02b5 Mon Sep 17 00:00:00 2001 -From: Christian Breunig -Date: Sun, 28 May 2023 15:45:32 +0200 -Subject: [PATCH] Enable PAM support - ---- - debian/control | 1 + - debian/rules | 2 +- - default_options.h | 4 ++-- - 3 files changed, 4 insertions(+), 3 deletions(-) - -diff --git a/debian/control b/debian/control -index 77ea036..b252b97 100644 ---- a/debian/control -+++ b/debian/control -@@ -6,6 +6,7 @@ Build-Depends: debhelper, - debhelper-compat (= 13), - libtomcrypt-dev (>= 1.18.2~), - libtommath-dev (>= 1.2.0~), -+ libpam0g-dev, - libz-dev - Rules-Requires-Root: no - Standards-Version: 4.6.1 -diff --git a/debian/rules b/debian/rules -index 7dab64c..ce11aa4 100755 ---- a/debian/rules -+++ b/debian/rules -@@ -24,7 +24,7 @@ endif - dh $@ - - override_dh_auto_configure: -- dh_auto_configure -- --disable-bundled-libtom \ -+ dh_auto_configure -- --disable-bundled-libtom --enable-pam \ - CC='$(CC)' CFLAGS='$(CFLAGS)' $(CONFFLAGS) - - execute_before_dh_auto_build: -diff --git a/default_options.h b/default_options.h -index 5132775..e7d274c 100644 ---- a/default_options.h -+++ b/default_options.h -@@ -223,7 +223,7 @@ group1 in Dropbear server too */ - - /* Authentication Types - at least one required. - RFC Draft requires pubkey auth, and recommends password */ --#define DROPBEAR_SVR_PASSWORD_AUTH 1 -+#define DROPBEAR_SVR_PASSWORD_AUTH 0 - - /* Note: PAM auth is quite simple and only works for PAM modules which just do - * a simple "Login: " "Password: " (you can edit the strings in svr-authpam.c). -@@ -231,7 +231,7 @@ group1 in Dropbear server too */ - * but there's an interface via a PAM module. It won't work for more complex - * PAM challenge/response. - * You can't enable both PASSWORD and PAM. */ --#define DROPBEAR_SVR_PAM_AUTH 0 -+#define DROPBEAR_SVR_PAM_AUTH 1 - - /* ~/.ssh/authorized_keys authentication. - * You must define DROPBEAR_SVR_PUBKEY_AUTH in order to use plugins. */ --- -2.30.2 - 
diff --git a/scripts/package-build/dropbear/patches/dropbear/0001-Enable-PAM-support.patch b/scripts/package-build/dropbear/patches/dropbear/0001-Enable-PAM-support.patch
new file mode 100644
index 00000000..fa6cf620
--- /dev/null
+++ b/scripts/package-build/dropbear/patches/dropbear/0001-Enable-PAM-support.patch
@@ -0,0 +1,61 @@ +From 861bfb53de5909e25a952a83654c63de61af02b5 Mon Sep 17 00:00:00 2001 +From: Christian Breunig +Date: Sun, 28 May 2023 15:45:32 +0200 +Subject: [PATCH] Enable PAM support + +--- + debian/control | 1 + + debian/rules | 2 +- + default_options.h | 4 ++-- + 3 files changed, 4 insertions(+), 3 deletions(-) + +diff --git a/debian/control b/debian/control +index 77ea036..b252b97 100644 +--- a/debian/control ++++ b/debian/control +@@ -6,6 +6,7 @@ Build-Depends: debhelper, + debhelper-compat (= 13), + libtomcrypt-dev (>= 1.18.2~), + libtommath-dev (>= 1.2.0~), ++ libpam0g-dev, + libz-dev + Rules-Requires-Root: no + Standards-Version: 4.6.1 +diff --git a/debian/rules b/debian/rules +index 7dab64c..ce11aa4 100755 +--- a/debian/rules ++++ b/debian/rules +@@ -24,7 +24,7 @@ endif + dh $@ + + override_dh_auto_configure: +- dh_auto_configure -- --disable-bundled-libtom \ ++ dh_auto_configure -- --disable-bundled-libtom --enable-pam \ + CC='$(CC)' CFLAGS='$(CFLAGS)' $(CONFFLAGS) + + execute_before_dh_auto_build: +diff --git a/default_options.h b/default_options.h +index 5132775..e7d274c 100644 +--- a/default_options.h ++++ b/default_options.h +@@ -223,7 +223,7 @@ group1 in Dropbear server too */ + + /* Authentication Types - at least one required. + RFC Draft requires pubkey auth, and recommends password */ +-#define DROPBEAR_SVR_PASSWORD_AUTH 1 ++#define DROPBEAR_SVR_PASSWORD_AUTH 0 + + /* Note: PAM auth is quite simple and only works for PAM modules which just do + * a simple "Login: " "Password: " (you can edit the strings in svr-authpam.c). +@@ -231,7 +231,7 @@ group1 in Dropbear server too */ + * but there's an interface via a PAM module. It won't work for more complex + * PAM challenge/response. + * You can't enable both PASSWORD and PAM. */ +-#define DROPBEAR_SVR_PAM_AUTH 0 ++#define DROPBEAR_SVR_PAM_AUTH 1 + + /* ~/.ssh/authorized_keys authentication. + * You must define DROPBEAR_SVR_PUBKEY_AUTH in order to use plugins. */ +-- +2.30.2 + 
diff --git a/scripts/package-build/frr/patches/0001-Enable-PCRE2-in-Debian-package-builds.patch b/scripts/package-build/frr/patches/0001-Enable-PCRE2-in-Debian-package-builds.patch deleted file mode 100644 index c31c4a85..00000000 --- a/scripts/package-build/frr/patches/0001-Enable-PCRE2-in-Debian-package-builds.patch +++ /dev/null @@ -1,24 +0,0 @@ -From 21800432167ac022c01772df993efca8d4969b38 Mon Sep 17 00:00:00 2001 -From: Daniil Baturin -Date: Wed, 6 Nov 2024 15:58:10 +0000 -Subject: [PATCH] Enable PCRE2 in Debian package builds - ---- - debian/rules | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/debian/rules b/debian/rules -index 43e5d7e61..1f971ab22 100755 ---- a/debian/rules -+++ b/debian/rules -@@ -69,6 +69,7 @@ override_dh_auto_configure: - --enable-vty-group=frrvty \ - --enable-configfile-mask=0640 \ - --enable-logfile-mask=0640 \ -+ --enable-pcre2posix \ - # end - - override_dh_auto_install: --- -2.47.0 - diff --git a/scripts/package-build/frr/patches/0003-Clear-Babel-Config-On-Stop.patch b/scripts/package-build/frr/patches/0003-Clear-Babel-Config-On-Stop.patch deleted file mode 100644 index fea45891..00000000 --- a/scripts/package-build/frr/patches/0003-Clear-Babel-Config-On-Stop.patch +++ /dev/null 
@@ -1,29 +0,0 @@ -From c3c70e87b040233263b9594d14582dfedfecc92e Mon Sep 17 00:00:00 2001 -From: Yaroslav Kholod -Date: Wed, 18 Dec 2024 11:48:29 +0200 -Subject: [PATCH] #17413: Clean babeld config on stop - ---- - babeld/babeld.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/babeld/babeld.c b/babeld/babeld.c -index b562f0b70..6f1a9a3d7 100644 ---- a/babeld/babeld.c -+++ b/babeld/babeld.c -@@ -304,6 +304,12 @@ void babel_clean_routing_process(void) - flush_all_routes(); - babel_interface_close_all(); - -+ /* Clean babel config */ -+ diversity_kind = DIVERSITY_NONE; -+ diversity_factor = BABEL_DEFAULT_DIVERSITY_FACTOR; -+ resend_delay = BABEL_DEFAULT_RESEND_DELAY; -+ smoothing_half_life = BABEL_DEFAULT_SMOOTHING_HALF_LIFE; -+ - /* cancel events */ - event_cancel(&babel_routing_process->t_read); - event_cancel(&babel_routing_process->t_update); --- -2.43.0 - diff --git a/scripts/package-build/frr/patches/frr/0001-Enable-PCRE2-in-Debian-package-builds.patch b/scripts/package-build/frr/patches/frr/0001-Enable-PCRE2-in-Debian-package-builds.patch new file mode 100644 index 00000000..545e7d5e --- /dev/null +++ b/scripts/package-build/frr/patches/frr/0001-Enable-PCRE2-in-Debian-package-builds.patch @@ -0,0 +1,24 @@ +From 21800432167ac022c01772df993efca8d4969b38 Mon Sep 17 00:00:00 2001 +From: Daniil Baturin +Date: Wed, 6 Nov 2024 15:58:10 +0000 +Subject: [PATCH] Enable PCRE2 in Debian package builds + +--- + debian/rules | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/debian/rules b/debian/rules +index 43e5d7e61..1f971ab22 100755 +--- a/debian/rules ++++ b/debian/rules +@@ -69,6 +69,7 @@ override_dh_auto_configure: + --enable-vty-group=frrvty \ + --enable-configfile-mask=0640 \ + --enable-logfile-mask=0640 \ ++ --enable-pcre2posix \ + # end + + override_dh_auto_install: +-- +2.47.0 + 
diff --git a/scripts/package-build/frr/patches/frr/0003-Clear-Babel-Config-On-Stop.patch b/scripts/package-build/frr/patches/frr/0003-Clear-Babel-Config-On-Stop.patch new file mode 100644 index 00000000..fea45891 --- /dev/null +++ b/scripts/package-build/frr/patches/frr/0003-Clear-Babel-Config-On-Stop.patch @@ -0,0 +1,29 @@ +From c3c70e87b040233263b9594d14582dfedfecc92e Mon Sep 17 00:00:00 2001 +From: Yaroslav Kholod +Date: Wed, 18 Dec 2024 11:48:29 +0200 +Subject: [PATCH] #17413: Clean babeld config on stop + +--- + babeld/babeld.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/babeld/babeld.c b/babeld/babeld.c +index b562f0b70..6f1a9a3d7 100644 +--- a/babeld/babeld.c ++++ b/babeld/babeld.c +@@ -304,6 +304,12 @@ void babel_clean_routing_process(void) + flush_all_routes(); + babel_interface_close_all(); + ++ /* Clean babel config */ ++ diversity_kind = DIVERSITY_NONE; ++ diversity_factor = BABEL_DEFAULT_DIVERSITY_FACTOR; ++ resend_delay = BABEL_DEFAULT_RESEND_DELAY; ++ smoothing_half_life = BABEL_DEFAULT_SMOOTHING_HALF_LIFE; ++ + /* cancel events */ + event_cancel(&babel_routing_process->t_read); + event_cancel(&babel_routing_process->t_update); +-- +2.43.0 + diff --git a/scripts/package-build/isc-dhcp/patches/0001-Add-support-for-raw-IP-interface-type.patch b/scripts/package-build/isc-dhcp/patches/0001-Add-support-for-raw-IP-interface-type.patch deleted file mode 100644 index c13569ad..00000000 --- a/scripts/package-build/isc-dhcp/patches/0001-Add-support-for-raw-IP-interface-type.patch +++ /dev/null 
@@ -1,248 +0,0 @@ -From 8d9e8ace96ad9e2dba9f2d4069228dee5daf6772 Mon Sep 17 00:00:00 2001 -From: Loic Poulain -Date: Mon, 2 Nov 2020 06:42:12 -0500 -Subject: [PATCH 1/4] Add support for raw IP interface type -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Under linux some devices can expose raw IP interfaces, such as WWAN -modems. In that case IP data is not encapsulated in any lower level -protocol. - -dhclient does not support this currently and this patch adds support -for such pure IP interfaces. - -The original patch comes from Bjørn Mork on Network-Manage mailing list: -https://mail.gnome.org/archives/networkmanager-list/2015-December/msg00044.html - ---- - common/bpf.c | 60 ++++++++++++++++++++++++++++++++++++++++++++++++- - common/lpf.c | 59 +++++++++++++++++++++++++++++++++++++----------- - common/packet.c | 7 ++++++ - includes/dhcp.h | 1 + - 4 files changed, 113 insertions(+), 14 deletions(-) - -diff --git a/common/bpf.c b/common/bpf.c -index 658e5db..0c08574 100644 ---- a/common/bpf.c -+++ b/common/bpf.c -@@ -198,6 +198,34 @@ struct bpf_insn dhcp_bpf_filter [] = { - BPF_STMT (BPF_RET + BPF_K, 0), - }; - -+int dhcp_bpf_filter_len = sizeof dhcp_bpf_filter / sizeof (struct bpf_insn); -+ -+struct bpf_insn dhcp_bpf_pureip_filter [] = { -+ /* Make sure it's a UDP packet... */ -+ BPF_STMT (BPF_LD + BPF_B + BPF_ABS, 9), -+ BPF_JUMP (BPF_JMP + BPF_JEQ + BPF_K, IPPROTO_UDP, 0, 6), -+ -+ /* Make sure this isn't a fragment... */ -+ BPF_STMT(BPF_LD + BPF_H + BPF_ABS, 6), -+ BPF_JUMP(BPF_JMP + BPF_JSET + BPF_K, 0x1fff, 4, 0), -+ -+ /* Get the IP header length... */ -+ BPF_STMT (BPF_LDX + BPF_B + BPF_MSH, 0), -+ -+ /* Make sure it's to the right port... */ -+ BPF_STMT (BPF_LD + BPF_H + BPF_IND, 2), -+ BPF_JUMP (BPF_JMP + BPF_JEQ + BPF_K, 37, 0, 1), /* patch */ -+ -+ /* If we passed all the tests, ask for the whole packet. */ -+ BPF_STMT(BPF_RET+BPF_K, (u_int)-1), -+ -+ /* Otherwise, drop it. 
*/ -+ BPF_STMT(BPF_RET+BPF_K, 0), -+}; -+ -+int dhcp_bpf_pureip_filter_len = -+ sizeof dhcp_bpf_pureip_filter / sizeof (struct bpf_insn); -+ - #if defined(RELAY_PORT) - /* - * For relay port extension -@@ -235,13 +263,43 @@ struct bpf_insn dhcp_bpf_relay_filter [] = { - - int dhcp_bpf_relay_filter_len = - sizeof dhcp_bpf_relay_filter / sizeof (struct bpf_insn); -+ -+struct bpf_insn dhcp_bpf_pureip_relay_filter [] = { -+ /* Make sure it's a UDP packet... */ -+ BPF_STMT (BPF_LD + BPF_B + BPF_ABS, 9), -+ BPF_JUMP (BPF_JMP + BPF_JEQ + BPF_K, IPPROTO_UDP, 0, 8), -+ -+ /* Make sure this isn't a fragment... */ -+ BPF_STMT(BPF_LD + BPF_H + BPF_ABS, 6), -+ BPF_JUMP(BPF_JMP + BPF_JSET + BPF_K, 0x1fff, 6, 0), -+ -+ /* Get the IP header length... */ -+ BPF_STMT (BPF_LDX + BPF_B + BPF_MSH, 0), -+ -+ /* Make sure it's to the right port... */ -+ BPF_STMT (BPF_LD + BPF_H + BPF_IND, 16), -+ BPF_JUMP (BPF_JMP + BPF_JEQ + BPF_K, 37, 2, 0), /* patch */ -+ -+ /* relay can have an alternative port... */ -+ BPF_STMT (BPF_LD + BPF_H + BPF_IND, 16), -+ BPF_JUMP (BPF_JMP + BPF_JEQ + BPF_K, 37, 0, 1), /* patch */ -+ -+ /* If we passed all the tests, ask for the whole packet. */ -+ BPF_STMT (BPF_RET + BPF_K, (u_int)-1), -+ -+ /* Otherwise, drop it. 
*/ -+ BPF_STMT (BPF_RET + BPF_K, 0), -+}; -+ -+int dhcp_bpf_pureip_relay_filter_len = -+ sizeof dhcp_bpf_pureip_relay_filter / sizeof (struct bpf_insn); -+ - #endif - - #if defined (DEC_FDDI) - struct bpf_insn *bpf_fddi_filter = NULL; - #endif - --int dhcp_bpf_filter_len = sizeof dhcp_bpf_filter / sizeof (struct bpf_insn); - #if defined (HAVE_TR_SUPPORT) - struct bpf_insn dhcp_bpf_tr_filter [] = { - /* accept all token ring packets due to variable length header */ -diff --git a/common/lpf.c b/common/lpf.c -index bb8822a..d8f34a4 100644 ---- a/common/lpf.c -+++ b/common/lpf.c -@@ -177,9 +177,15 @@ void if_deregister_send (info) - extern struct sock_filter dhcp_bpf_filter []; - extern int dhcp_bpf_filter_len; - -+extern struct sock_filter dhcp_bpf_pureip_filter []; -+extern int dhcp_bpf_pureip_filter_len; -+ - #if defined(RELAY_PORT) - extern struct sock_filter dhcp_bpf_relay_filter []; - extern int dhcp_bpf_relay_filter_len; -+ -+extern struct sock_filter dhcp_bpf_pureip_relay_filter []; -+extern int dhcp_bpf_pureip_relay_filter_len; - #endif - - #if defined (HAVE_TR_SUPPORT) -@@ -249,31 +255,52 @@ void if_deregister_receive (info) - static void lpf_gen_filter_setup (info) - struct interface_info *info; - { -+ int pure_ip = info -> hw_address.hbuf [0] == HTYPE_PUREIP; - struct sock_fprog p; - - memset(&p, 0, sizeof(p)); - -- /* Set up the bpf filter program structure. This is defined in -- bpf.c */ -- p.len = dhcp_bpf_filter_len; -- p.filter = dhcp_bpf_filter; -+ /* Set up the bpf filter program structure and patch port(s). -+ * -+ * This is defined in bpf.c, XXX changes to filter program may -+ * require changes to the insn number(s) used below! 
XXX -+ */ -+ -+ if (pure_ip) { -+ p.len = dhcp_bpf_pureip_filter_len; -+ p.filter = dhcp_bpf_pureip_filter; -+ -+ /* patch port */ -+ dhcp_bpf_pureip_filter [6].k = ntohs (local_port); -+ } else { -+ p.len = dhcp_bpf_filter_len; -+ p.filter = dhcp_bpf_filter; -+ -+ /* patch port */ -+ dhcp_bpf_filter [8].k = ntohs (local_port); -+ } - -- /* Patch the server port into the LPF program... -- XXX changes to filter program may require changes -- to the insn number(s) used below! XXX */ - #if defined(RELAY_PORT) -- if (relay_port) { -- /* -- * If user defined relay UDP port, we need to filter -- * also on the user UDP port. -- */ -+ /* -+ * If user defined relay UDP port, we need to filter -+ * also on the user UDP port. -+ */ -+ if (relay_port && pure_ip) { -+ p.len = dhcp_bpf_pureip_relay_filter_len; -+ p.filter = dhcp_bpf_pureip_relay_filter; -+ -+ /* patch ports */ -+ dhcp_bpf_pureip_relay_filter [6].k = ntohs (local_port); -+ dhcp_bpf_pureip_relay_filter [8].k = ntohs (relay_port); -+ } else if (relay_port) { - p.len = dhcp_bpf_relay_filter_len; - p.filter = dhcp_bpf_relay_filter; - -+ /* patch ports */ -+ dhcp_bpf_relay_filter [8].k = ntohs (local_port); - dhcp_bpf_relay_filter [10].k = ntohs (relay_port); - } - #endif -- dhcp_bpf_filter [8].k = ntohs (local_port); - - if (setsockopt (info -> rfdesc, SOL_SOCKET, SO_ATTACH_FILTER, &p, - sizeof p) < 0) { -@@ -578,6 +605,12 @@ get_hw_addr(const char *name, struct hardware *hw) { - hw->hbuf[3] = 0xbe; - hw->hbuf[4] = 0xef; - break; -+#endif -+#ifdef ARPHRD_RAWIP -+ case ARPHRD_RAWIP: -+ hw->hlen = 1; -+ hw->hbuf[0] = HTYPE_PUREIP; -+ break; - #endif - default: - log_fatal("Unsupported device type %ld for \"%s\"", -diff --git a/common/packet.c b/common/packet.c -index 49795c4..6745db7 100644 ---- a/common/packet.c -+++ b/common/packet.c -@@ -119,6 +119,10 @@ void assemble_hw_header (interface, buf, bufix, to) - case HTYPE_INFINIBAND: - log_error("Attempt to assemble hw header for infiniband"); - break; -+ case 
HTYPE_PUREIP: -+ /* Nothing to do, there is no hw header */ -+ *bufix = 0; -+ break; - case HTYPE_ETHER: - default: - assemble_ethernet_header(interface, buf, bufix, to); -@@ -219,6 +223,9 @@ ssize_t decode_hw_header (interface, buf, bufix, from) - case HTYPE_INFINIBAND: - log_error("Attempt to decode hw header for infiniband"); - return (0); -+ case HTYPE_PUREIP: -+ /* Nothing to do, there is no hw header */ -+ return 0; - case HTYPE_ETHER: - default: - return (decode_ethernet_header(interface, buf, bufix, from)); -diff --git a/includes/dhcp.h b/includes/dhcp.h -index d519821..75be1fb 100644 ---- a/includes/dhcp.h -+++ b/includes/dhcp.h -@@ -76,6 +76,7 @@ struct dhcp_packet { - #define HTYPE_IEEE802 6 /* IEEE 802.2 Token Ring... */ - #define HTYPE_FDDI 8 /* FDDI... */ - #define HTYPE_INFINIBAND 32 /* IP over Infiniband */ -+#define HTYPE_PUREIP 35 /* Pure IP */ - #define HTYPE_IPMP 255 /* IPMP - random hw address - there - * is no standard for this so we - * just steal a type */ --- -2.39.2 - diff --git a/scripts/package-build/isc-dhcp/patches/0002-Checkpoint-improved-patch.patch b/scripts/package-build/isc-dhcp/patches/0002-Checkpoint-improved-patch.patch deleted file mode 100644 index 60b693f6..00000000 --- a/scripts/package-build/isc-dhcp/patches/0002-Checkpoint-improved-patch.patch +++ /dev/null 
@@ -1,170 +0,0 @@ -From e67d1b6b4178f412084459c4cb7e54a8c0019bd2 Mon Sep 17 00:00:00 2001 -From: Francis Dupont -Date: Fri, 6 Nov 2020 10:46:09 +0100 -Subject: [PATCH 2/4] Checkpoint: improved patch - ---- - common/bpf.c | 10 +++--- - common/lpf.c | 89 +++++++++++++++++++++++++++++++++++----------------- - 2 files changed, 65 insertions(+), 34 deletions(-) - -diff --git a/common/bpf.c b/common/bpf.c -index 0c08574..30dcaa5 100644 ---- a/common/bpf.c -+++ b/common/bpf.c -@@ -214,13 +214,13 @@ struct bpf_insn dhcp_bpf_pureip_filter [] = { - - /* Make sure it's to the right port... */ - BPF_STMT (BPF_LD + BPF_H + BPF_IND, 2), -- BPF_JUMP (BPF_JMP + BPF_JEQ + BPF_K, 37, 0, 1), /* patch */ -+ BPF_JUMP (BPF_JMP + BPF_JEQ + BPF_K, 67, 0, 1), /* patch */ - - /* If we passed all the tests, ask for the whole packet. */ -- BPF_STMT(BPF_RET+BPF_K, (u_int)-1), -+ BPF_STMT(BPF_RET + BPF_K, (u_int)-1), - - /* Otherwise, drop it. */ -- BPF_STMT(BPF_RET+BPF_K, 0), -+ BPF_STMT(BPF_RET + BPF_K, 0), - }; - - int dhcp_bpf_pureip_filter_len = -@@ -278,11 +278,11 @@ struct bpf_insn dhcp_bpf_pureip_relay_filter [] = { - - /* Make sure it's to the right port... */ - BPF_STMT (BPF_LD + BPF_H + BPF_IND, 16), -- BPF_JUMP (BPF_JMP + BPF_JEQ + BPF_K, 37, 2, 0), /* patch */ -+ BPF_JUMP (BPF_JMP + BPF_JEQ + BPF_K, 67, 2, 0), /* patch */ - - /* relay can have an alternative port... */ - BPF_STMT (BPF_LD + BPF_H + BPF_IND, 16), -- BPF_JUMP (BPF_JMP + BPF_JEQ + BPF_K, 37, 0, 1), /* patch */ -+ BPF_JUMP (BPF_JMP + BPF_JEQ + BPF_K, 67, 0, 1), /* patch */ - - /* If we passed all the tests, ask for the whole packet. 
*/ - BPF_STMT (BPF_RET + BPF_K, (u_int)-1), -diff --git a/common/lpf.c b/common/lpf.c -index d8f34a4..75609f5 100644 ---- a/common/lpf.c -+++ b/common/lpf.c -@@ -221,6 +221,9 @@ void if_register_receive (info) - lpf_tr_filter_setup (info); - else - #endif -+ if (info -> hw_address.hbuf [0] == HTYPE_PUREIP) -+ lpf_pureip_filter_setup (info); -+ else - lpf_gen_filter_setup (info); - - if (!quiet_interface_discovery) -@@ -255,50 +258,78 @@ void if_deregister_receive (info) - static void lpf_gen_filter_setup (info) - struct interface_info *info; - { -- int pure_ip = info -> hw_address.hbuf [0] == HTYPE_PUREIP; - struct sock_fprog p; - - memset(&p, 0, sizeof(p)); - -- /* Set up the bpf filter program structure and patch port(s). -- * -- * This is defined in bpf.c, XXX changes to filter program may -- * require changes to the insn number(s) used below! XXX -- */ -+ /* Set up the bpf filter program structure. This is defined in -+ bpf.c */ -+ p.len = dhcp_bpf_filter_len; -+ p.filter = dhcp_bpf_filter; -+ -+ dhcp_bpf_filter [8].k = ntohs (local_port); - -- if (pure_ip) { -- p.len = dhcp_bpf_pureip_filter_len; -- p.filter = dhcp_bpf_pureip_filter; -+ /* Patch the server port into the LPF program... -+ XXX changes to filter program may require changes -+ to the insn number(s) used below! XXX */ -+#if defined(RELAY_PORT) -+ if (relay_port) { -+ /* -+ * If user defined relay UDP port, we need to filter -+ * also on the user UDP port. 
-+ */ -+ p.len = dhcp_bpf_relay_filter_len; -+ p.filter = dhcp_bpf_relay_filter; - -- /* patch port */ -- dhcp_bpf_pureip_filter [6].k = ntohs (local_port); -- } else { -- p.len = dhcp_bpf_filter_len; -- p.filter = dhcp_bpf_filter; -+ dhcp_bpf_relay_filter [8].k = ntohs (local_port); -+ dhcp_bpf_relay_filter [10].k = ntohs (relay_port); -+ } -+#endif - -- /* patch port */ -- dhcp_bpf_filter [8].k = ntohs (local_port); -+ if (setsockopt (info -> rfdesc, SOL_SOCKET, SO_ATTACH_FILTER, &p, -+ sizeof p) < 0) { -+ if (errno == ENOPROTOOPT || errno == EPROTONOSUPPORT || -+ errno == ESOCKTNOSUPPORT || errno == EPFNOSUPPORT || -+ errno == EAFNOSUPPORT) { -+ log_error ("socket: %m - make sure"); -+ log_error ("CONFIG_PACKET (Packet socket) %s", -+ "and CONFIG_FILTER"); -+ log_error ("(Socket Filtering) are enabled %s", -+ "in your kernel"); -+ log_fatal ("configuration!"); -+ } -+ log_fatal ("Can't install packet filter program: %m"); - } -+} -+ -+static void lpf_pureip_gen_filter_setup (info) -+ struct interface_info *info; -+{ -+ struct sock_fprog p; -+ -+ memset(&p, 0, sizeof(p)); -+ -+ /* Set up the bpf filter program structure. This is defined in -+ bpf.c */ -+ p.len = dhcp_bpf_pureip_filter_len; -+ p.filter = dhcp_bpf_pureip_filter; -+ -+ dhcp_bpf_pureip_filter [6].k = ntohs (local_port); - -+ /* Patch the server port into the LPF program... -+ XXX changes to filter program may require changes -+ to the insn number(s) used below! XXX */ - #if defined(RELAY_PORT) -- /* -- * If user defined relay UDP port, we need to filter -- * also on the user UDP port. -- */ -- if (relay_port && pure_ip) { -+ if (relay_port) { -+ /* -+ * If user defined relay UDP port, we need to filter -+ * also on the user UDP port. 
-+ */ - p.len = dhcp_bpf_pureip_relay_filter_len; - p.filter = dhcp_bpf_pureip_relay_filter; - -- /* patch ports */ - dhcp_bpf_pureip_relay_filter [6].k = ntohs (local_port); - dhcp_bpf_pureip_relay_filter [8].k = ntohs (relay_port); -- } else if (relay_port) { -- p.len = dhcp_bpf_relay_filter_len; -- p.filter = dhcp_bpf_relay_filter; -- -- /* patch ports */ -- dhcp_bpf_relay_filter [8].k = ntohs (local_port); -- dhcp_bpf_relay_filter [10].k = ntohs (relay_port); - } - #endif - --- -2.39.2 - diff --git a/scripts/package-build/isc-dhcp/patches/0003-fix-compilation-errors.patch b/scripts/package-build/isc-dhcp/patches/0003-fix-compilation-errors.patch deleted file mode 100644 index c66e0c7c..00000000 --- a/scripts/package-build/isc-dhcp/patches/0003-fix-compilation-errors.patch +++ /dev/null 
@@ -1,48 +0,0 @@
-From 58e0d3317795987b2f1ca788645196d0e3543f88 Mon Sep 17 00:00:00 2001
-From: Adam Smith
-Date: Tue, 23 Jan 2024 21:47:00 -0500
-Subject: [PATCH 3/4] fix compilation errors
-
----
- common/lpf.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/common/lpf.c b/common/lpf.c
-index 75609f5..1561d71 100644
---- a/common/lpf.c
-+++ b/common/lpf.c
-@@ -195,6 +195,7 @@ static void lpf_tr_filter_setup (struct interface_info *);
- #endif
-
- static void lpf_gen_filter_setup (struct interface_info *);
-+static void lpf_pureip_gen_filter_setup (struct interface_info *);
-
- void if_register_receive (info)
- struct interface_info *info;
-@@ -215,14 +216,13 @@ void if_register_receive (info)
- }
- #endif
-
--
- #if defined (HAVE_TR_SUPPORT)
- if (info -> hw_address.hbuf [0] == HTYPE_IEEE802)
- lpf_tr_filter_setup (info);
- else
- #endif
- if (info -> hw_address.hbuf [0] == HTYPE_PUREIP)
-- lpf_pureip_filter_setup (info);
-+ lpf_pureip_gen_filter_setup (info);
- else
- lpf_gen_filter_setup (info);
-
-@@ -349,6 +349,7 @@ static void lpf_pureip_gen_filter_setup (info)
- }
- }
-
-+
- #if defined (HAVE_TR_SUPPORT)
- static void lpf_tr_filter_setup (info)
- struct interface_info *info;
---
-2.39.2
-
diff --git a/scripts/package-build/isc-dhcp/patches/0004-add-support-for-ARPHRD_NONE-interface-type.patch b/scripts/package-build/isc-dhcp/patches/0004-add-support-for-ARPHRD_NONE-interface-type.patch
deleted file mode 100644
index 32089b4d..00000000
--- a/scripts/package-build/isc-dhcp/patches/0004-add-support-for-ARPHRD_NONE-interface-type.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From fd96a11b31cd05aae450ec65fde0b5c6e0b718c2 Mon Sep 17 00:00:00 2001
-From: Adam Smith
-Date: Tue, 23 Jan 2024 22:35:54 -0500
-Subject: [PATCH 4/4] add support for ARPHRD_NONE interface type
-
----
- common/lpf.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/common/lpf.c b/common/lpf.c
-index 1561d71..f7e84b1 100644
---- a/common/lpf.c
-+++ b/common/lpf.c
-@@ -643,6 +643,12 @@ get_hw_addr(const char *name, struct hardware *hw) {
- hw->hlen = 1;
- hw->hbuf[0] = HTYPE_PUREIP;
- break;
-+#endif
-+#ifdef ARPHRD_NONE
-+ case ARPHRD_NONE:
-+ hw->hlen = 1;
-+ hw->hbuf[0] = HTYPE_PUREIP;
-+ break;
- #endif
- default:
- log_fatal("Unsupported device type %ld for \"%s\"",
---
-2.39.2
-
diff --git a/scripts/package-build/isc-dhcp/patches/isc-dhcp/0001-Add-support-for-raw-IP-interface-type.patch b/scripts/package-build/isc-dhcp/patches/isc-dhcp/0001-Add-support-for-raw-IP-interface-type.patch
new file mode 100644
index 00000000..c13569ad
--- /dev/null
+++ b/scripts/package-build/isc-dhcp/patches/isc-dhcp/0001-Add-support-for-raw-IP-interface-type.patch
@@ -0,0 +1,248 @@ +From 8d9e8ace96ad9e2dba9f2d4069228dee5daf6772 Mon Sep 17 00:00:00 2001 +From: Loic Poulain +Date: Mon, 2 Nov 2020 06:42:12 -0500 +Subject: [PATCH 1/4] Add support for raw IP interface type +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Under linux some devices can expose raw IP interfaces, such as WWAN +modems. In that case IP data is not encapsulated in any lower level +protocol. + +dhclient does not support this currently and this patch adds support +for such pure IP interfaces. + +The original patch comes from Bjørn Mork on Network-Manage mailing list: +https://mail.gnome.org/archives/networkmanager-list/2015-December/msg00044.html + +--- + common/bpf.c | 60 ++++++++++++++++++++++++++++++++++++++++++++++++- + common/lpf.c | 59 +++++++++++++++++++++++++++++++++++++----------- + common/packet.c | 7 ++++++ + includes/dhcp.h | 1 + + 4 files changed, 113 insertions(+), 14 deletions(-) + +diff --git a/common/bpf.c b/common/bpf.c +index 658e5db..0c08574 100644 +--- a/common/bpf.c ++++ b/common/bpf.c +@@ -198,6 +198,34 @@ struct bpf_insn dhcp_bpf_filter [] = { + BPF_STMT (BPF_RET + BPF_K, 0), + }; + ++int dhcp_bpf_filter_len = sizeof dhcp_bpf_filter / sizeof (struct bpf_insn); ++ ++struct bpf_insn dhcp_bpf_pureip_filter [] = { ++ /* Make sure it's a UDP packet... */ ++ BPF_STMT (BPF_LD + BPF_B + BPF_ABS, 9), ++ BPF_JUMP (BPF_JMP + BPF_JEQ + BPF_K, IPPROTO_UDP, 0, 6), ++ ++ /* Make sure this isn't a fragment... */ ++ BPF_STMT(BPF_LD + BPF_H + BPF_ABS, 6), ++ BPF_JUMP(BPF_JMP + BPF_JSET + BPF_K, 0x1fff, 4, 0), ++ ++ /* Get the IP header length... */ ++ BPF_STMT (BPF_LDX + BPF_B + BPF_MSH, 0), ++ ++ /* Make sure it's to the right port... */ ++ BPF_STMT (BPF_LD + BPF_H + BPF_IND, 2), ++ BPF_JUMP (BPF_JMP + BPF_JEQ + BPF_K, 37, 0, 1), /* patch */ ++ ++ /* If we passed all the tests, ask for the whole packet. */ ++ BPF_STMT(BPF_RET+BPF_K, (u_int)-1), ++ ++ /* Otherwise, drop it. 
*/ ++ BPF_STMT(BPF_RET+BPF_K, 0), ++}; ++ ++int dhcp_bpf_pureip_filter_len = ++ sizeof dhcp_bpf_pureip_filter / sizeof (struct bpf_insn); ++ + #if defined(RELAY_PORT) + /* + * For relay port extension +@@ -235,13 +263,43 @@ struct bpf_insn dhcp_bpf_relay_filter [] = { + + int dhcp_bpf_relay_filter_len = + sizeof dhcp_bpf_relay_filter / sizeof (struct bpf_insn); ++ ++struct bpf_insn dhcp_bpf_pureip_relay_filter [] = { ++ /* Make sure it's a UDP packet... */ ++ BPF_STMT (BPF_LD + BPF_B + BPF_ABS, 9), ++ BPF_JUMP (BPF_JMP + BPF_JEQ + BPF_K, IPPROTO_UDP, 0, 8), ++ ++ /* Make sure this isn't a fragment... */ ++ BPF_STMT(BPF_LD + BPF_H + BPF_ABS, 6), ++ BPF_JUMP(BPF_JMP + BPF_JSET + BPF_K, 0x1fff, 6, 0), ++ ++ /* Get the IP header length... */ ++ BPF_STMT (BPF_LDX + BPF_B + BPF_MSH, 0), ++ ++ /* Make sure it's to the right port... */ ++ BPF_STMT (BPF_LD + BPF_H + BPF_IND, 16), ++ BPF_JUMP (BPF_JMP + BPF_JEQ + BPF_K, 37, 2, 0), /* patch */ ++ ++ /* relay can have an alternative port... */ ++ BPF_STMT (BPF_LD + BPF_H + BPF_IND, 16), ++ BPF_JUMP (BPF_JMP + BPF_JEQ + BPF_K, 37, 0, 1), /* patch */ ++ ++ /* If we passed all the tests, ask for the whole packet. */ ++ BPF_STMT (BPF_RET + BPF_K, (u_int)-1), ++ ++ /* Otherwise, drop it. 
*/ ++ BPF_STMT (BPF_RET + BPF_K, 0), ++}; ++ ++int dhcp_bpf_pureip_relay_filter_len = ++ sizeof dhcp_bpf_pureip_relay_filter / sizeof (struct bpf_insn); ++ + #endif + + #if defined (DEC_FDDI) + struct bpf_insn *bpf_fddi_filter = NULL; + #endif + +-int dhcp_bpf_filter_len = sizeof dhcp_bpf_filter / sizeof (struct bpf_insn); + #if defined (HAVE_TR_SUPPORT) + struct bpf_insn dhcp_bpf_tr_filter [] = { + /* accept all token ring packets due to variable length header */ +diff --git a/common/lpf.c b/common/lpf.c +index bb8822a..d8f34a4 100644 +--- a/common/lpf.c ++++ b/common/lpf.c +@@ -177,9 +177,15 @@ void if_deregister_send (info) + extern struct sock_filter dhcp_bpf_filter []; + extern int dhcp_bpf_filter_len; + ++extern struct sock_filter dhcp_bpf_pureip_filter []; ++extern int dhcp_bpf_pureip_filter_len; ++ + #if defined(RELAY_PORT) + extern struct sock_filter dhcp_bpf_relay_filter []; + extern int dhcp_bpf_relay_filter_len; ++ ++extern struct sock_filter dhcp_bpf_pureip_relay_filter []; ++extern int dhcp_bpf_pureip_relay_filter_len; + #endif + + #if defined (HAVE_TR_SUPPORT) +@@ -249,31 +255,52 @@ void if_deregister_receive (info) + static void lpf_gen_filter_setup (info) + struct interface_info *info; + { ++ int pure_ip = info -> hw_address.hbuf [0] == HTYPE_PUREIP; + struct sock_fprog p; + + memset(&p, 0, sizeof(p)); + +- /* Set up the bpf filter program structure. This is defined in +- bpf.c */ +- p.len = dhcp_bpf_filter_len; +- p.filter = dhcp_bpf_filter; ++ /* Set up the bpf filter program structure and patch port(s). ++ * ++ * This is defined in bpf.c, XXX changes to filter program may ++ * require changes to the insn number(s) used below! 
XXX ++ */ ++ ++ if (pure_ip) { ++ p.len = dhcp_bpf_pureip_filter_len; ++ p.filter = dhcp_bpf_pureip_filter; ++ ++ /* patch port */ ++ dhcp_bpf_pureip_filter [6].k = ntohs (local_port); ++ } else { ++ p.len = dhcp_bpf_filter_len; ++ p.filter = dhcp_bpf_filter; ++ ++ /* patch port */ ++ dhcp_bpf_filter [8].k = ntohs (local_port); ++ } + +- /* Patch the server port into the LPF program... +- XXX changes to filter program may require changes +- to the insn number(s) used below! XXX */ + #if defined(RELAY_PORT) +- if (relay_port) { +- /* +- * If user defined relay UDP port, we need to filter +- * also on the user UDP port. +- */ ++ /* ++ * If user defined relay UDP port, we need to filter ++ * also on the user UDP port. ++ */ ++ if (relay_port && pure_ip) { ++ p.len = dhcp_bpf_pureip_relay_filter_len; ++ p.filter = dhcp_bpf_pureip_relay_filter; ++ ++ /* patch ports */ ++ dhcp_bpf_pureip_relay_filter [6].k = ntohs (local_port); ++ dhcp_bpf_pureip_relay_filter [8].k = ntohs (relay_port); ++ } else if (relay_port) { + p.len = dhcp_bpf_relay_filter_len; + p.filter = dhcp_bpf_relay_filter; + ++ /* patch ports */ ++ dhcp_bpf_relay_filter [8].k = ntohs (local_port); + dhcp_bpf_relay_filter [10].k = ntohs (relay_port); + } + #endif +- dhcp_bpf_filter [8].k = ntohs (local_port); + + if (setsockopt (info -> rfdesc, SOL_SOCKET, SO_ATTACH_FILTER, &p, + sizeof p) < 0) { +@@ -578,6 +605,12 @@ get_hw_addr(const char *name, struct hardware *hw) { + hw->hbuf[3] = 0xbe; + hw->hbuf[4] = 0xef; + break; ++#endif ++#ifdef ARPHRD_RAWIP ++ case ARPHRD_RAWIP: ++ hw->hlen = 1; ++ hw->hbuf[0] = HTYPE_PUREIP; ++ break; + #endif + default: + log_fatal("Unsupported device type %ld for \"%s\"", +diff --git a/common/packet.c b/common/packet.c +index 49795c4..6745db7 100644 +--- a/common/packet.c ++++ b/common/packet.c +@@ -119,6 +119,10 @@ void assemble_hw_header (interface, buf, bufix, to) + case HTYPE_INFINIBAND: + log_error("Attempt to assemble hw header for infiniband"); + break; ++ case 
HTYPE_PUREIP: ++ /* Nothing to do, there is no hw header */ ++ *bufix = 0; ++ break; + case HTYPE_ETHER: + default: + assemble_ethernet_header(interface, buf, bufix, to); +@@ -219,6 +223,9 @@ ssize_t decode_hw_header (interface, buf, bufix, from) + case HTYPE_INFINIBAND: + log_error("Attempt to decode hw header for infiniband"); + return (0); ++ case HTYPE_PUREIP: ++ /* Nothing to do, there is no hw header */ ++ return 0; + case HTYPE_ETHER: + default: + return (decode_ethernet_header(interface, buf, bufix, from)); +diff --git a/includes/dhcp.h b/includes/dhcp.h +index d519821..75be1fb 100644 +--- a/includes/dhcp.h ++++ b/includes/dhcp.h +@@ -76,6 +76,7 @@ struct dhcp_packet { + #define HTYPE_IEEE802 6 /* IEEE 802.2 Token Ring... */ + #define HTYPE_FDDI 8 /* FDDI... */ + #define HTYPE_INFINIBAND 32 /* IP over Infiniband */ ++#define HTYPE_PUREIP 35 /* Pure IP */ + #define HTYPE_IPMP 255 /* IPMP - random hw address - there + * is no standard for this so we + * just steal a type */ +-- +2.39.2 + diff --git a/scripts/package-build/isc-dhcp/patches/isc-dhcp/0002-Checkpoint-improved-patch.patch b/scripts/package-build/isc-dhcp/patches/isc-dhcp/0002-Checkpoint-improved-patch.patch new file mode 100644 index 00000000..60b693f6 --- /dev/null +++ b/scripts/package-build/isc-dhcp/patches/isc-dhcp/0002-Checkpoint-improved-patch.patch 
@@ -0,0 +1,170 @@ +From e67d1b6b4178f412084459c4cb7e54a8c0019bd2 Mon Sep 17 00:00:00 2001 +From: Francis Dupont +Date: Fri, 6 Nov 2020 10:46:09 +0100 +Subject: [PATCH 2/4] Checkpoint: improved patch + +--- + common/bpf.c | 10 +++--- + common/lpf.c | 89 +++++++++++++++++++++++++++++++++++----------------- + 2 files changed, 65 insertions(+), 34 deletions(-) + +diff --git a/common/bpf.c b/common/bpf.c +index 0c08574..30dcaa5 100644 +--- a/common/bpf.c ++++ b/common/bpf.c +@@ -214,13 +214,13 @@ struct bpf_insn dhcp_bpf_pureip_filter [] = { + + /* Make sure it's to the right port... */ + BPF_STMT (BPF_LD + BPF_H + BPF_IND, 2), +- BPF_JUMP (BPF_JMP + BPF_JEQ + BPF_K, 37, 0, 1), /* patch */ ++ BPF_JUMP (BPF_JMP + BPF_JEQ + BPF_K, 67, 0, 1), /* patch */ + + /* If we passed all the tests, ask for the whole packet. */ +- BPF_STMT(BPF_RET+BPF_K, (u_int)-1), ++ BPF_STMT(BPF_RET + BPF_K, (u_int)-1), + + /* Otherwise, drop it. */ +- BPF_STMT(BPF_RET+BPF_K, 0), ++ BPF_STMT(BPF_RET + BPF_K, 0), + }; + + int dhcp_bpf_pureip_filter_len = +@@ -278,11 +278,11 @@ struct bpf_insn dhcp_bpf_pureip_relay_filter [] = { + + /* Make sure it's to the right port... */ + BPF_STMT (BPF_LD + BPF_H + BPF_IND, 16), +- BPF_JUMP (BPF_JMP + BPF_JEQ + BPF_K, 37, 2, 0), /* patch */ ++ BPF_JUMP (BPF_JMP + BPF_JEQ + BPF_K, 67, 2, 0), /* patch */ + + /* relay can have an alternative port... */ + BPF_STMT (BPF_LD + BPF_H + BPF_IND, 16), +- BPF_JUMP (BPF_JMP + BPF_JEQ + BPF_K, 37, 0, 1), /* patch */ ++ BPF_JUMP (BPF_JMP + BPF_JEQ + BPF_K, 67, 0, 1), /* patch */ + + /* If we passed all the tests, ask for the whole packet. 
*/ + BPF_STMT (BPF_RET + BPF_K, (u_int)-1), +diff --git a/common/lpf.c b/common/lpf.c +index d8f34a4..75609f5 100644 +--- a/common/lpf.c ++++ b/common/lpf.c +@@ -221,6 +221,9 @@ void if_register_receive (info) + lpf_tr_filter_setup (info); + else + #endif ++ if (info -> hw_address.hbuf [0] == HTYPE_PUREIP) ++ lpf_pureip_filter_setup (info); ++ else + lpf_gen_filter_setup (info); + + if (!quiet_interface_discovery) +@@ -255,50 +258,78 @@ void if_deregister_receive (info) + static void lpf_gen_filter_setup (info) + struct interface_info *info; + { +- int pure_ip = info -> hw_address.hbuf [0] == HTYPE_PUREIP; + struct sock_fprog p; + + memset(&p, 0, sizeof(p)); + +- /* Set up the bpf filter program structure and patch port(s). +- * +- * This is defined in bpf.c, XXX changes to filter program may +- * require changes to the insn number(s) used below! XXX +- */ ++ /* Set up the bpf filter program structure. This is defined in ++ bpf.c */ ++ p.len = dhcp_bpf_filter_len; ++ p.filter = dhcp_bpf_filter; ++ ++ dhcp_bpf_filter [8].k = ntohs (local_port); + +- if (pure_ip) { +- p.len = dhcp_bpf_pureip_filter_len; +- p.filter = dhcp_bpf_pureip_filter; ++ /* Patch the server port into the LPF program... ++ XXX changes to filter program may require changes ++ to the insn number(s) used below! XXX */ ++#if defined(RELAY_PORT) ++ if (relay_port) { ++ /* ++ * If user defined relay UDP port, we need to filter ++ * also on the user UDP port. 
++ */ ++ p.len = dhcp_bpf_relay_filter_len; ++ p.filter = dhcp_bpf_relay_filter; + +- /* patch port */ +- dhcp_bpf_pureip_filter [6].k = ntohs (local_port); +- } else { +- p.len = dhcp_bpf_filter_len; +- p.filter = dhcp_bpf_filter; ++ dhcp_bpf_relay_filter [8].k = ntohs (local_port); ++ dhcp_bpf_relay_filter [10].k = ntohs (relay_port); ++ } ++#endif + +- /* patch port */ +- dhcp_bpf_filter [8].k = ntohs (local_port); ++ if (setsockopt (info -> rfdesc, SOL_SOCKET, SO_ATTACH_FILTER, &p, ++ sizeof p) < 0) { ++ if (errno == ENOPROTOOPT || errno == EPROTONOSUPPORT || ++ errno == ESOCKTNOSUPPORT || errno == EPFNOSUPPORT || ++ errno == EAFNOSUPPORT) { ++ log_error ("socket: %m - make sure"); ++ log_error ("CONFIG_PACKET (Packet socket) %s", ++ "and CONFIG_FILTER"); ++ log_error ("(Socket Filtering) are enabled %s", ++ "in your kernel"); ++ log_fatal ("configuration!"); ++ } ++ log_fatal ("Can't install packet filter program: %m"); + } ++} ++ ++static void lpf_pureip_gen_filter_setup (info) ++ struct interface_info *info; ++{ ++ struct sock_fprog p; ++ ++ memset(&p, 0, sizeof(p)); ++ ++ /* Set up the bpf filter program structure. This is defined in ++ bpf.c */ ++ p.len = dhcp_bpf_pureip_filter_len; ++ p.filter = dhcp_bpf_pureip_filter; ++ ++ dhcp_bpf_pureip_filter [6].k = ntohs (local_port); + ++ /* Patch the server port into the LPF program... ++ XXX changes to filter program may require changes ++ to the insn number(s) used below! XXX */ + #if defined(RELAY_PORT) +- /* +- * If user defined relay UDP port, we need to filter +- * also on the user UDP port. +- */ +- if (relay_port && pure_ip) { ++ if (relay_port) { ++ /* ++ * If user defined relay UDP port, we need to filter ++ * also on the user UDP port. 
++ */ + p.len = dhcp_bpf_pureip_relay_filter_len; + p.filter = dhcp_bpf_pureip_relay_filter; + +- /* patch ports */ + dhcp_bpf_pureip_relay_filter [6].k = ntohs (local_port); + dhcp_bpf_pureip_relay_filter [8].k = ntohs (relay_port); +- } else if (relay_port) { +- p.len = dhcp_bpf_relay_filter_len; +- p.filter = dhcp_bpf_relay_filter; +- +- /* patch ports */ +- dhcp_bpf_relay_filter [8].k = ntohs (local_port); +- dhcp_bpf_relay_filter [10].k = ntohs (relay_port); + } + #endif + +-- +2.39.2 + diff --git a/scripts/package-build/isc-dhcp/patches/isc-dhcp/0003-fix-compilation-errors.patch b/scripts/package-build/isc-dhcp/patches/isc-dhcp/0003-fix-compilation-errors.patch new file mode 100644 index 00000000..c66e0c7c --- /dev/null +++ b/scripts/package-build/isc-dhcp/patches/isc-dhcp/0003-fix-compilation-errors.patch 
@@ -0,0 +1,48 @@
+From 58e0d3317795987b2f1ca788645196d0e3543f88 Mon Sep 17 00:00:00 2001
+From: Adam Smith
+Date: Tue, 23 Jan 2024 21:47:00 -0500
+Subject: [PATCH 3/4] fix compilation errors
+
+---
+ common/lpf.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/common/lpf.c b/common/lpf.c
+index 75609f5..1561d71 100644
+--- a/common/lpf.c
++++ b/common/lpf.c
+@@ -195,6 +195,7 @@ static void lpf_tr_filter_setup (struct interface_info *);
+ #endif
+
+ static void lpf_gen_filter_setup (struct interface_info *);
++static void lpf_pureip_gen_filter_setup (struct interface_info *);
+
+ void if_register_receive (info)
+ struct interface_info *info;
+@@ -215,14 +216,13 @@ void if_register_receive (info)
+ }
+ #endif
+
+-
+ #if defined (HAVE_TR_SUPPORT)
+ if (info -> hw_address.hbuf [0] == HTYPE_IEEE802)
+ lpf_tr_filter_setup (info);
+ else
+ #endif
+ if (info -> hw_address.hbuf [0] == HTYPE_PUREIP)
+- lpf_pureip_filter_setup (info);
++ lpf_pureip_gen_filter_setup (info);
+ else
+ lpf_gen_filter_setup (info);
+
+@@ -349,6 +349,7 @@ static void lpf_pureip_gen_filter_setup (info)
+ }
+ }
+
++
+ #if defined (HAVE_TR_SUPPORT)
+ static void lpf_tr_filter_setup (info)
+ struct interface_info *info;
+--
+2.39.2
+
diff --git a/scripts/package-build/isc-dhcp/patches/isc-dhcp/0004-add-support-for-ARPHRD_NONE-interface-type.patch b/scripts/package-build/isc-dhcp/patches/isc-dhcp/0004-add-support-for-ARPHRD_NONE-interface-type.patch
new file mode 100644
index 00000000..32089b4d
--- /dev/null
+++ b/scripts/package-build/isc-dhcp/patches/isc-dhcp/0004-add-support-for-ARPHRD_NONE-interface-type.patch
@@ -0,0 +1,29 @@
+From fd96a11b31cd05aae450ec65fde0b5c6e0b718c2 Mon Sep 17 00:00:00 2001
+From: Adam Smith
+Date: Tue, 23 Jan 2024 22:35:54 -0500
+Subject: [PATCH 4/4] add support for ARPHRD_NONE interface type
+
+---
+ common/lpf.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/common/lpf.c b/common/lpf.c
+index 1561d71..f7e84b1 100644
+--- a/common/lpf.c
++++ b/common/lpf.c
+@@ -643,6 +643,12 @@ get_hw_addr(const char *name, struct hardware *hw) {
+ hw->hlen = 1;
+ hw->hbuf[0] = HTYPE_PUREIP;
+ break;
++#endif
++#ifdef ARPHRD_NONE
++ case ARPHRD_NONE:
++ hw->hlen = 1;
++ hw->hbuf[0] = HTYPE_PUREIP;
++ break;
+ #endif
+ default:
+ log_fatal("Unsupported device type %ld for \"%s\"",
+--
+2.39.2
+
diff --git a/scripts/package-build/keepalived/patches/0001-vrrp-Set-sysctl-arp_ignore-to-1-on-IPv6-VMACs.patch b/scripts/package-build/keepalived/patches/0001-vrrp-Set-sysctl-arp_ignore-to-1-on-IPv6-VMACs.patch
deleted file mode 100644
index b099dc7b..00000000
--- a/scripts/package-build/keepalived/patches/0001-vrrp-Set-sysctl-arp_ignore-to-1-on-IPv6-VMACs.patch
+++ /dev/null
@@ -1,129 +0,0 @@ -From af4aa758c3512bec8233549e138b03741c5404f9 Mon Sep 17 00:00:00 2001 -From: Quentin Armitage -Date: Sat, 14 Oct 2023 15:37:19 +0100 -Subject: [PATCH] vrrp: Set sysctl arp_ignore to 1 on IPv6 VMACs - -Setting arp_ignore to 1 ensures that the VMAC interface does not respond -to ARP requests for IPv4 addresses not configured on the VMAC. - -Signed-off-by: Quentin Armitage ---- - keepalived/include/vrrp_if_config.h | 2 +- - keepalived/vrrp/vrrp_if_config.c | 28 ++++++++++++++++++++-------- - keepalived/vrrp/vrrp_vmac.c | 5 ++--- - 3 files changed, 23 insertions(+), 12 deletions(-) - -diff --git a/keepalived/include/vrrp_if_config.h b/keepalived/include/vrrp_if_config.h -index 35465cd..c35e56e 100644 ---- a/keepalived/include/vrrp_if_config.h -+++ b/keepalived/include/vrrp_if_config.h -@@ -34,7 +34,7 @@ extern void set_promote_secondaries(interface_t*); - extern void reset_promote_secondaries(interface_t*); - #ifdef _HAVE_VRRP_VMAC_ - extern void restore_rp_filter(void); --extern void set_interface_parameters(const interface_t*, interface_t*); -+extern void set_interface_parameters(const interface_t*, interface_t*, sa_family_t); - extern void reset_interface_parameters(interface_t*); - extern void link_set_ipv6(const interface_t*, bool); - #endif -diff --git a/keepalived/vrrp/vrrp_if_config.c b/keepalived/vrrp/vrrp_if_config.c -index cfce7e2..fbfd34c 100644 ---- a/keepalived/vrrp/vrrp_if_config.c -+++ b/keepalived/vrrp/vrrp_if_config.c -@@ -81,6 +81,11 @@ static sysctl_opts_t vmac_sysctl[] = { - { 0, 0} - }; - -+static sysctl_opts_t vmac_sysctl_6[] = { -+ { IPV4_DEVCONF_ARP_IGNORE, 1 }, -+ { 0, 0} -+}; -+ - #endif - #endif - -@@ -216,11 +221,14 @@ netlink_set_interface_flags(unsigned ifindex, const sysctl_opts_t *sys_opts) - - #ifdef _HAVE_VRRP_VMAC_ - static inline int --netlink_set_interface_parameters(const interface_t *ifp, interface_t *base_ifp) -+netlink_set_interface_parameters(const interface_t *ifp, interface_t *base_ifp, sa_family_t 
family) - { -- if (netlink_set_interface_flags(ifp->ifindex, vmac_sysctl)) -+ if (netlink_set_interface_flags(ifp->ifindex, family == AF_INET6 ? vmac_sysctl_6 : vmac_sysctl)) - return -1; - -+ if (family == AF_INET6) -+ return 0; -+ - /* If the underlying interface is a MACVLAN that has been moved into - * a separate network namespace from the parent, we can't access the - * parent. */ -@@ -271,9 +279,9 @@ netlink_reset_interface_parameters(const interface_t* ifp) - } - - static inline void --set_interface_parameters_devconf(const interface_t *ifp, interface_t *base_ifp) -+set_interface_parameters_devconf(const interface_t *ifp, interface_t *base_ifp, sa_family_t family) - { -- if (netlink_set_interface_parameters(ifp, base_ifp)) -+ if (netlink_set_interface_parameters(ifp, base_ifp, family)) - log_message(LOG_INFO, "Unable to set parameters for %s", ifp->ifname); - } - -@@ -310,11 +318,15 @@ reset_promote_secondaries_devconf(interface_t *ifp) - - #ifdef _HAVE_VRRP_VMAC_ - static inline void --set_interface_parameters_sysctl(const interface_t *ifp, interface_t *base_ifp) -+set_interface_parameters_sysctl(const interface_t *ifp, interface_t *base_ifp, sa_family_t family) - { - unsigned val; - - set_sysctl("net/ipv4/conf", ifp->ifname, "arp_ignore", 1); -+ -+ if (family == AF_INET6) -+ return; -+ - set_sysctl("net/ipv4/conf", ifp->ifname, "accept_local", 1); - set_sysctl("net/ipv4/conf", ifp->ifname, "rp_filter", 0); - -@@ -524,15 +536,15 @@ restore_rp_filter(void) - } - - void --set_interface_parameters(const interface_t *ifp, interface_t *base_ifp) -+set_interface_parameters(const interface_t *ifp, interface_t *base_ifp, sa_family_t family) - { - if (all_rp_filter == UINT_MAX) - clear_rp_filter(); - - #ifdef _HAVE_IPV4_DEVCONF_ -- set_interface_parameters_devconf(ifp, base_ifp); -+ set_interface_parameters_devconf(ifp, base_ifp, family); - #else -- set_interface_parameters_sysctl(ifp, base_ifp); -+ set_interface_parameters_sysctl(ifp, base_ifp, family); - #endif - 
} - -diff --git a/keepalived/vrrp/vrrp_vmac.c b/keepalived/vrrp/vrrp_vmac.c -index e5ff0e9..021953a 100644 ---- a/keepalived/vrrp/vrrp_vmac.c -+++ b/keepalived/vrrp/vrrp_vmac.c -@@ -407,10 +407,9 @@ netlink_link_add_vmac(vrrp_t *vrrp, const interface_t *old_interface) - if (!ifp->ifindex) - return false; - -- if (vrrp->family == AF_INET && create_interface) { -+ if (create_interface) { - /* Set the necessary kernel parameters to make macvlans work for us */ --// If this saves current base_ifp's settings, we need to be careful if multiple VMACs on same i/f -- set_interface_parameters(ifp, ifp->base_ifp); -+ set_interface_parameters(ifp, ifp->base_ifp, vrrp->family); - } - - #ifdef _WITH_FIREWALL_ --- -2.34.1 - diff --git a/scripts/package-build/keepalived/patches/keepalived/0001-vrrp-Set-sysctl-arp_ignore-to-1-on-IPv6-VMACs.patch b/scripts/package-build/keepalived/patches/keepalived/0001-vrrp-Set-sysctl-arp_ignore-to-1-on-IPv6-VMACs.patch new file mode 100644 index 00000000..b099dc7b --- /dev/null +++ b/scripts/package-build/keepalived/patches/keepalived/0001-vrrp-Set-sysctl-arp_ignore-to-1-on-IPv6-VMACs.patch 
@@ -0,0 +1,129 @@ +From af4aa758c3512bec8233549e138b03741c5404f9 Mon Sep 17 00:00:00 2001 +From: Quentin Armitage +Date: Sat, 14 Oct 2023 15:37:19 +0100 +Subject: [PATCH] vrrp: Set sysctl arp_ignore to 1 on IPv6 VMACs + +Setting arp_ignore to 1 ensures that the VMAC interface does not respond +to ARP requests for IPv4 addresses not configured on the VMAC. + +Signed-off-by: Quentin Armitage +--- + keepalived/include/vrrp_if_config.h | 2 +- + keepalived/vrrp/vrrp_if_config.c | 28 ++++++++++++++++++++-------- + keepalived/vrrp/vrrp_vmac.c | 5 ++--- + 3 files changed, 23 insertions(+), 12 deletions(-) + +diff --git a/keepalived/include/vrrp_if_config.h b/keepalived/include/vrrp_if_config.h +index 35465cd..c35e56e 100644 +--- a/keepalived/include/vrrp_if_config.h ++++ b/keepalived/include/vrrp_if_config.h +@@ -34,7 +34,7 @@ extern void set_promote_secondaries(interface_t*); + extern void reset_promote_secondaries(interface_t*); + #ifdef _HAVE_VRRP_VMAC_ + extern void restore_rp_filter(void); +-extern void set_interface_parameters(const interface_t*, interface_t*); ++extern void set_interface_parameters(const interface_t*, interface_t*, sa_family_t); + extern void reset_interface_parameters(interface_t*); + extern void link_set_ipv6(const interface_t*, bool); + #endif +diff --git a/keepalived/vrrp/vrrp_if_config.c b/keepalived/vrrp/vrrp_if_config.c +index cfce7e2..fbfd34c 100644 +--- a/keepalived/vrrp/vrrp_if_config.c ++++ b/keepalived/vrrp/vrrp_if_config.c +@@ -81,6 +81,11 @@ static sysctl_opts_t vmac_sysctl[] = { + { 0, 0} + }; + ++static sysctl_opts_t vmac_sysctl_6[] = { ++ { IPV4_DEVCONF_ARP_IGNORE, 1 }, ++ { 0, 0} ++}; ++ + #endif + #endif + +@@ -216,11 +221,14 @@ netlink_set_interface_flags(unsigned ifindex, const sysctl_opts_t *sys_opts) + + #ifdef _HAVE_VRRP_VMAC_ + static inline int +-netlink_set_interface_parameters(const interface_t *ifp, interface_t *base_ifp) ++netlink_set_interface_parameters(const interface_t *ifp, interface_t *base_ifp, sa_family_t 
family) + { +- if (netlink_set_interface_flags(ifp->ifindex, vmac_sysctl)) ++ if (netlink_set_interface_flags(ifp->ifindex, family == AF_INET6 ? vmac_sysctl_6 : vmac_sysctl)) + return -1; + ++ if (family == AF_INET6) ++ return 0; ++ + /* If the underlying interface is a MACVLAN that has been moved into + * a separate network namespace from the parent, we can't access the + * parent. */ +@@ -271,9 +279,9 @@ netlink_reset_interface_parameters(const interface_t* ifp) + } + + static inline void +-set_interface_parameters_devconf(const interface_t *ifp, interface_t *base_ifp) ++set_interface_parameters_devconf(const interface_t *ifp, interface_t *base_ifp, sa_family_t family) + { +- if (netlink_set_interface_parameters(ifp, base_ifp)) ++ if (netlink_set_interface_parameters(ifp, base_ifp, family)) + log_message(LOG_INFO, "Unable to set parameters for %s", ifp->ifname); + } + +@@ -310,11 +318,15 @@ reset_promote_secondaries_devconf(interface_t *ifp) + + #ifdef _HAVE_VRRP_VMAC_ + static inline void +-set_interface_parameters_sysctl(const interface_t *ifp, interface_t *base_ifp) ++set_interface_parameters_sysctl(const interface_t *ifp, interface_t *base_ifp, sa_family_t family) + { + unsigned val; + + set_sysctl("net/ipv4/conf", ifp->ifname, "arp_ignore", 1); ++ ++ if (family == AF_INET6) ++ return; ++ + set_sysctl("net/ipv4/conf", ifp->ifname, "accept_local", 1); + set_sysctl("net/ipv4/conf", ifp->ifname, "rp_filter", 0); + +@@ -524,15 +536,15 @@ restore_rp_filter(void) + } + + void +-set_interface_parameters(const interface_t *ifp, interface_t *base_ifp) ++set_interface_parameters(const interface_t *ifp, interface_t *base_ifp, sa_family_t family) + { + if (all_rp_filter == UINT_MAX) + clear_rp_filter(); + + #ifdef _HAVE_IPV4_DEVCONF_ +- set_interface_parameters_devconf(ifp, base_ifp); ++ set_interface_parameters_devconf(ifp, base_ifp, family); + #else +- set_interface_parameters_sysctl(ifp, base_ifp); ++ set_interface_parameters_sysctl(ifp, base_ifp, family); + #endif + 
} + +diff --git a/keepalived/vrrp/vrrp_vmac.c b/keepalived/vrrp/vrrp_vmac.c +index e5ff0e9..021953a 100644 +--- a/keepalived/vrrp/vrrp_vmac.c ++++ b/keepalived/vrrp/vrrp_vmac.c +@@ -407,10 +407,9 @@ netlink_link_add_vmac(vrrp_t *vrrp, const interface_t *old_interface) + if (!ifp->ifindex) + return false; + +- if (vrrp->family == AF_INET && create_interface) { ++ if (create_interface) { + /* Set the necessary kernel parameters to make macvlans work for us */ +-// If this saves current base_ifp's settings, we need to be careful if multiple VMACs on same i/f +- set_interface_parameters(ifp, ifp->base_ifp); ++ set_interface_parameters(ifp, ifp->base_ifp, vrrp->family); + } + + #ifdef _WITH_FIREWALL_ +-- +2.34.1 + diff --git a/scripts/package-build/ndppd/patches/0001-skip-route-table-if-there-is-no-auto-rule.patch b/scripts/package-build/ndppd/patches/0001-skip-route-table-if-there-is-no-auto-rule.patch deleted file mode 100644 index df6d2e5c..00000000 --- a/scripts/package-build/ndppd/patches/0001-skip-route-table-if-there-is-no-auto-rule.patch +++ /dev/null 
@@ -1,83 +0,0 @@
-From b148ba055245cec5007ee91dd3ffbfeb58d49c5a Mon Sep 17 00:00:00 2001
-From: Henning Surmeier
-Date: Sun, 9 Jan 2022 20:35:15 +0100
-Subject: [PATCH 1/2] skip route table if there is no auto rule
-
---
- src/ndppd.cc | 3 ++-
- src/rule.cc | 8 ++++++++
- src/rule.h | 4 ++++
- 3 files changed, 14 insertions(+), 1 deletion(-)
-
-diff --git a/src/ndppd.cc b/src/ndppd.cc
-index bec9656..b303721 100644
---- a/src/ndppd.cc
-+++ b/src/ndppd.cc
-@@ -304,7 +304,8 @@ int main(int argc, char* argv[], char* env[])
- t1.tv_sec = t2.tv_sec;
- t1.tv_usec = t2.tv_usec;
-
-- route::update(elapsed_time);
-+ if (rule::any_auto())
-+ route::update(elapsed_time);
- session::update_all(elapsed_time);
- }
-
-diff --git a/src/rule.cc b/src/rule.cc
-index 9e72480..a1e8376 100644
---- a/src/rule.cc
-+++ b/src/rule.cc
-@@ -24,6 +24,8 @@
-
- NDPPD_NS_BEGIN
-
-+bool rule::_any_aut = false;
-+
- rule::rule()
- {
- }
-@@ -49,6 +51,7 @@ ptr rule::create(const ptr& pr, const address& addr, bool aut)
- ru->_pr = pr;
- ru->_addr = addr;
- ru->_aut = aut;
-+ _any_aut = _any_aut || aut;
-
- logger::debug()
- << "rule::create() if=" << pr->ifa()->name().c_str() << ", addr=" << addr
-@@ -57,6 +60,11 @@ ptr rule::create(const ptr& pr, const address& addr, bool aut)
- return ru;
- }
-
-+bool rule::any_auto()
-+{
-+ return _any_aut;
-+}
-+
- const address& rule::addr() const
- {
- return _addr;
-diff --git a/src/rule.h b/src/rule.h
-index 6663066..ca2aa36 100644
---- a/src/rule.h
-+++ b/src/rule.h
-@@ -42,6 +42,8 @@ public:
-
- bool check(const address& addr) const;
-
-+ static bool any_auto();
-+
- private:
- weak_ptr _ptr;
-
-@@ -53,6 +55,8 @@ private:
-
- bool _aut;
-
-+ static bool _any_aut;
-+
- rule();
- };
-
---
-2.34.1
-
diff --git a/scripts/package-build/ndppd/patches/0002-set-vyos-version.patch b/scripts/package-build/ndppd/patches/0002-set-vyos-version.patch
deleted file mode 100644
index 3fef87c4..00000000
--- a/scripts/package-build/ndppd/patches/0002-set-vyos-version.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From b0789cf679b0179d37e22f5a936af273d982abeb Mon Sep 17 00:00:00 2001
-From: Henning Surmeier
-Date: Tue, 11 Jan 2022 13:05:47 +0100
-Subject: [PATCH 2/2] set -vyos version
-
---
- src/ndppd.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/ndppd.h b/src/ndppd.h
-index 008726c..61ed950 100644
---- a/src/ndppd.h
-+++ b/src/ndppd.h
-@@ -21,7 +21,7 @@
- #define NDPPD_NS_BEGIN namespace ndppd {
- #define NDPPD_NS_END }
-
--#define NDPPD_VERSION "0.2.4"
-+#define NDPPD_VERSION "0.2.5-vyos"
-
- #include
-
---
-2.34.1
-
diff --git a/scripts/package-build/ndppd/patches/ndppd/0001-skip-route-table-if-there-is-no-auto-rule.patch b/scripts/package-build/ndppd/patches/ndppd/0001-skip-route-table-if-there-is-no-auto-rule.patch
new file mode 100644
index 00000000..df6d2e5c
--- /dev/null
+++ b/scripts/package-build/ndppd/patches/ndppd/0001-skip-route-table-if-there-is-no-auto-rule.patch
@@ -0,0 +1,83 @@
+From b148ba055245cec5007ee91dd3ffbfeb58d49c5a Mon Sep 17 00:00:00 2001
+From: Henning Surmeier
+Date: Sun, 9 Jan 2022 20:35:15 +0100
+Subject: [PATCH 1/2] skip route table if there is no auto rule
+
+---
+ src/ndppd.cc | 3 ++-
+ src/rule.cc | 8 ++++++++
+ src/rule.h | 4 ++++
+ 3 files changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/src/ndppd.cc b/src/ndppd.cc
+index bec9656..b303721 100644
+--- a/src/ndppd.cc
++++ b/src/ndppd.cc
+@@ -304,7 +304,8 @@ int main(int argc, char* argv[], char* env[])
+ t1.tv_sec = t2.tv_sec;
+ t1.tv_usec = t2.tv_usec;
+
+- route::update(elapsed_time);
++ if (rule::any_auto())
++ route::update(elapsed_time);
+ session::update_all(elapsed_time);
+ }
+
+diff --git a/src/rule.cc b/src/rule.cc
+index 9e72480..a1e8376 100644
+--- a/src/rule.cc
++++ b/src/rule.cc
+@@ -24,6 +24,8 @@
+
+ NDPPD_NS_BEGIN
+
++bool rule::_any_aut = false;
++
+ rule::rule()
+ {
+ }
+@@ -49,6 +51,7 @@ ptr rule::create(const ptr& pr, const address& addr, bool aut)
+ ru->_pr = pr;
+ ru->_addr = addr;
+ ru->_aut = aut;
++ _any_aut = _any_aut || aut;
+
+ logger::debug()
+ << "rule::create() if=" << pr->ifa()->name().c_str() << ", addr=" << addr
+@@ -57,6 +60,11 @@ ptr rule::create(const ptr& pr, const address& addr, bool aut)
+ return ru;
+ }
+
++bool rule::any_auto()
++{
++ return _any_aut;
++}
++
+ const address& rule::addr() const
+ {
+ return _addr;
+diff --git a/src/rule.h b/src/rule.h
+index 6663066..ca2aa36 100644
+--- a/src/rule.h
++++ b/src/rule.h
+@@ -42,6 +42,8 @@ public:
+
+ bool check(const address& addr) const;
+
++ static bool any_auto();
++
+ private:
+ weak_ptr _ptr;
+
+@@ -53,6 +55,8 @@ private:
+
+ bool _aut;
+
++ static bool _any_aut;
++
+ rule();
+ };
+
+--
+2.34.1
+
diff --git a/scripts/package-build/ndppd/patches/ndppd/0002-set-vyos-version.patch b/scripts/package-build/ndppd/patches/ndppd/0002-set-vyos-version.patch
new file mode 100644
index 00000000..3fef87c4
--- /dev/null
+++ b/scripts/package-build/ndppd/patches/ndppd/0002-set-vyos-version.patch
@@ -0,0 +1,25 @@
+From b0789cf679b0179d37e22f5a936af273d982abeb Mon Sep 17 00:00:00 2001
+From: Henning Surmeier
+Date: Tue, 11 Jan 2022 13:05:47 +0100
+Subject: [PATCH 2/2] set -vyos version
+
+---
+ src/ndppd.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/ndppd.h b/src/ndppd.h
+index 008726c..61ed950 100644
+--- a/src/ndppd.h
++++ b/src/ndppd.h
+@@ -21,7 +21,7 @@
+ #define NDPPD_NS_BEGIN namespace ndppd {
+ #define NDPPD_NS_END }
+
+-#define NDPPD_VERSION "0.2.4"
++#define NDPPD_VERSION "0.2.5-vyos"
+
+ #include
+
+--
+2.34.1
+
diff --git a/scripts/package-build/net-snmp/patches/add-linux-6.7-compatibility-parsing.patch b/scripts/package-build/net-snmp/patches/add-linux-6.7-compatibility-parsing.patch
deleted file mode 100644
index b6dcd77a..00000000
--- a/scripts/package-build/net-snmp/patches/add-linux-6.7-compatibility-parsing.patch
+++ /dev/null
@@ -1,119 +0,0 @@ -From f5ae6baf0018abda9dedc368fe6d52c0d7a8ab8f Mon Sep 17 00:00:00 2001 -From: Philippe Troin -Date: Sat, 3 Feb 2024 10:30:30 -0800 -Subject: [PATCH] Add Linux 6.7 compatibility parsing /proc/net/snmp - -Linux 6.7 adds a new OutTransmits field to Ip in /proc/net/snmp. -This breaks the hard-coded assumptions about the Ip line length. -Add compatibility to parse Linux 6.7 Ip header while keep support -for previous versions. ---- - .../ip-mib/data_access/systemstats_linux.c | 46 +++++++++++++++---- - 1 file changed, 37 insertions(+), 9 deletions(-) - -diff --git a/agent/mibgroup/ip-mib/data_access/systemstats_linux.c b/agent/mibgroup/ip-mib/data_access/systemstats_linux.c -index 49e0a34d5c..f04e828a94 100644 ---- a/agent/mibgroup/ip-mib/data_access/systemstats_linux.c -+++ b/agent/mibgroup/ip-mib/data_access/systemstats_linux.c -@@ -36,7 +36,7 @@ netsnmp_access_systemstats_arch_init(void) - } - - /* -- /proc/net/snmp -+ /proc/net/snmp - Linux 6.6 and lower - - Ip: Forwarding DefaultTTL InReceives InHdrErrors InAddrErrors ForwDatagrams InUnknownProtos InDiscards InDelivers OutRequests OutDiscards OutNoRoutes ReasmTimeout ReasmReqds ReasmOKs ReasmFails FragOKs FragFails FragCreates - Ip: 2 64 7083534 0 0 0 0 0 6860233 6548963 0 0 1 286623 63322 1 259920 0 0 -@@ -49,6 +49,26 @@ netsnmp_access_systemstats_arch_init(void) - - Udp: InDatagrams NoPorts InErrors OutDatagrams - Udp: 1491094 122 0 1466178 -+* -+ /proc/net/snmp - Linux 6.7 and higher -+ -+ Ip: Forwarding DefaultTTL InReceives InHdrErrors InAddrErrors ForwDatagrams InUnknownProtos InDiscards InDelivers OutRequests OutDiscards OutNoRoutes ReasmTimeout ReasmReqds ReasmOKs ReasmFails FragOKs FragFails FragCreates OutTransmits -+ Ip: 1 64 50859058 496 0 37470604 0 0 20472980 7515791 1756 0 0 7264 3632 0 3548 0 7096 44961424 -+ -+ Icmp: InMsgs InErrors InCsumErrors InDestUnreachs InTimeExcds InParmProbs InSrcQuenchs InRedirects InEchos InEchoReps InTimestamps InTimestampReps InAddrMasks 
InAddrMaskReps OutMsgs OutErrors OutRateLimitGlobal OutRateLimitHost OutDestUnreachs OutTimeExcds OutParmProbs OutSrcQuenchs OutRedirects OutEchos OutEchoReps OutTimestamps OutTimestampReps OutAddrMasks OutAddrMaskReps -+ Icmp: 114447 2655 0 17589 0 0 0 0 66905 29953 0 0 0 0 143956 0 0 572 16610 484 0 0 0 59957 66905 0 0 0 0 -+ -+ IcmpMsg: InType0 InType3 InType8 OutType0 OutType3 OutType8 OutType11 -+ IcmpMsg: 29953 17589 66905 66905 16610 59957 484 -+ -+ Tcp: RtoAlgorithm RtoMin RtoMax MaxConn ActiveOpens PassiveOpens AttemptFails EstabResets CurrEstab InSegs OutSegs RetransSegs InErrs OutRsts InCsumErrors -+ Tcp: 1 200 120000 -1 17744 13525 307 3783 6 18093137 9277788 3499 8 7442 0 -+ -+ Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors IgnoredMulti MemErrors -+ Udp: 2257832 1422 0 2252835 0 0 0 84 0 -+ -+ UdpLite: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors IgnoredMulti MemErrors -+ UdpLite: 0 0 0 0 0 0 0 0 0 - */ - - -@@ -101,10 +121,10 @@ _systemstats_v4(netsnmp_container* container, u_int load_flags) - FILE *devin; - char line[1024]; - netsnmp_systemstats_entry *entry = NULL; -- int scan_count; -+ int scan_count, expected_scan_count; - char *stats, *start = line; - int len; -- unsigned long long scan_vals[19]; -+ unsigned long long scan_vals[20]; - - DEBUGMSGTL(("access:systemstats:container:arch", "load v4 (flags %x)\n", - load_flags)); -@@ -126,10 +146,17 @@ _systemstats_v4(netsnmp_container* container, u_int load_flags) - */ - NETSNMP_IGNORE_RESULT(fgets(line, sizeof(line), devin)); - len = strlen(line); -- if (224 != len) { -+ switch (len) { -+ case 224: -+ expected_scan_count = 19; -+ break; -+ case 237: -+ expected_scan_count = 20; -+ break; -+ default: - fclose(devin); - snmp_log(LOG_ERR, "systemstats_linux: unexpected header length in /proc/net/snmp." 
-- " %d != 224\n", len); -+ " %d not in { 224, 237 } \n", len); - return -4; - } - -@@ -178,20 +205,20 @@ _systemstats_v4(netsnmp_container* container, u_int load_flags) - memset(scan_vals, 0x0, sizeof(scan_vals)); - scan_count = sscanf(stats, - "%llu %llu %llu %llu %llu %llu %llu %llu %llu %llu" -- "%llu %llu %llu %llu %llu %llu %llu %llu %llu", -+ "%llu %llu %llu %llu %llu %llu %llu %llu %llu %llu", - &scan_vals[0],&scan_vals[1],&scan_vals[2], - &scan_vals[3],&scan_vals[4],&scan_vals[5], - &scan_vals[6],&scan_vals[7],&scan_vals[8], - &scan_vals[9],&scan_vals[10],&scan_vals[11], - &scan_vals[12],&scan_vals[13],&scan_vals[14], - &scan_vals[15],&scan_vals[16],&scan_vals[17], -- &scan_vals[18]); -+ &scan_vals[18],&scan_vals[19]); - DEBUGMSGTL(("access:systemstats", " read %d values\n", scan_count)); - -- if(scan_count != 19) { -+ if(scan_count != expected_scan_count) { - snmp_log(LOG_ERR, - "error scanning systemstats data (expected %d, got %d)\n", -- 19, scan_count); -+ expected_scan_count, scan_count); - netsnmp_access_systemstats_entry_free(entry); - return -4; - } -@@ -223,6 +250,7 @@ _systemstats_v4(netsnmp_container* container, u_int load_flags) - entry->stats.HCOutFragFails.high = scan_vals[17] >> 32; - entry->stats.HCOutFragCreates.low = scan_vals[18] & 0xffffffff; - entry->stats.HCOutFragCreates.high = scan_vals[18] >> 32; -+ /* entry->stats. = scan_vals[19]; / * OutTransmits */ - - entry->stats.columnAvail[IPSYSTEMSTATSTABLE_HCINRECEIVES] = 1; - entry->stats.columnAvail[IPSYSTEMSTATSTABLE_INHDRERRORS] = 1; diff --git a/scripts/package-build/net-snmp/patches/net-snmp/add-linux-6.7-compatibility-parsing.patch b/scripts/package-build/net-snmp/patches/net-snmp/add-linux-6.7-compatibility-parsing.patch new file mode 100644 index 00000000..b6dcd77a --- /dev/null +++ b/scripts/package-build/net-snmp/patches/net-snmp/add-linux-6.7-compatibility-parsing.patch 
@@ -0,0 +1,119 @@ +From f5ae6baf0018abda9dedc368fe6d52c0d7a8ab8f Mon Sep 17 00:00:00 2001 +From: Philippe Troin +Date: Sat, 3 Feb 2024 10:30:30 -0800 +Subject: [PATCH] Add Linux 6.7 compatibility parsing /proc/net/snmp + +Linux 6.7 adds a new OutTransmits field to Ip in /proc/net/snmp. +This breaks the hard-coded assumptions about the Ip line length. +Add compatibility to parse Linux 6.7 Ip header while keep support +for previous versions. +--- + .../ip-mib/data_access/systemstats_linux.c | 46 +++++++++++++++---- + 1 file changed, 37 insertions(+), 9 deletions(-) + +diff --git a/agent/mibgroup/ip-mib/data_access/systemstats_linux.c b/agent/mibgroup/ip-mib/data_access/systemstats_linux.c +index 49e0a34d5c..f04e828a94 100644 +--- a/agent/mibgroup/ip-mib/data_access/systemstats_linux.c ++++ b/agent/mibgroup/ip-mib/data_access/systemstats_linux.c +@@ -36,7 +36,7 @@ netsnmp_access_systemstats_arch_init(void) + } + + /* +- /proc/net/snmp ++ /proc/net/snmp - Linux 6.6 and lower + + Ip: Forwarding DefaultTTL InReceives InHdrErrors InAddrErrors ForwDatagrams InUnknownProtos InDiscards InDelivers OutRequests OutDiscards OutNoRoutes ReasmTimeout ReasmReqds ReasmOKs ReasmFails FragOKs FragFails FragCreates + Ip: 2 64 7083534 0 0 0 0 0 6860233 6548963 0 0 1 286623 63322 1 259920 0 0 +@@ -49,6 +49,26 @@ netsnmp_access_systemstats_arch_init(void) + + Udp: InDatagrams NoPorts InErrors OutDatagrams + Udp: 1491094 122 0 1466178 ++* ++ /proc/net/snmp - Linux 6.7 and higher ++ ++ Ip: Forwarding DefaultTTL InReceives InHdrErrors InAddrErrors ForwDatagrams InUnknownProtos InDiscards InDelivers OutRequests OutDiscards OutNoRoutes ReasmTimeout ReasmReqds ReasmOKs ReasmFails FragOKs FragFails FragCreates OutTransmits ++ Ip: 1 64 50859058 496 0 37470604 0 0 20472980 7515791 1756 0 0 7264 3632 0 3548 0 7096 44961424 ++ ++ Icmp: InMsgs InErrors InCsumErrors InDestUnreachs InTimeExcds InParmProbs InSrcQuenchs InRedirects InEchos InEchoReps InTimestamps InTimestampReps InAddrMasks 
InAddrMaskReps OutMsgs OutErrors OutRateLimitGlobal OutRateLimitHost OutDestUnreachs OutTimeExcds OutParmProbs OutSrcQuenchs OutRedirects OutEchos OutEchoReps OutTimestamps OutTimestampReps OutAddrMasks OutAddrMaskReps ++ Icmp: 114447 2655 0 17589 0 0 0 0 66905 29953 0 0 0 0 143956 0 0 572 16610 484 0 0 0 59957 66905 0 0 0 0 ++ ++ IcmpMsg: InType0 InType3 InType8 OutType0 OutType3 OutType8 OutType11 ++ IcmpMsg: 29953 17589 66905 66905 16610 59957 484 ++ ++ Tcp: RtoAlgorithm RtoMin RtoMax MaxConn ActiveOpens PassiveOpens AttemptFails EstabResets CurrEstab InSegs OutSegs RetransSegs InErrs OutRsts InCsumErrors ++ Tcp: 1 200 120000 -1 17744 13525 307 3783 6 18093137 9277788 3499 8 7442 0 ++ ++ Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors IgnoredMulti MemErrors ++ Udp: 2257832 1422 0 2252835 0 0 0 84 0 ++ ++ UdpLite: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors IgnoredMulti MemErrors ++ UdpLite: 0 0 0 0 0 0 0 0 0 + */ + + +@@ -101,10 +121,10 @@ _systemstats_v4(netsnmp_container* container, u_int load_flags) + FILE *devin; + char line[1024]; + netsnmp_systemstats_entry *entry = NULL; +- int scan_count; ++ int scan_count, expected_scan_count; + char *stats, *start = line; + int len; +- unsigned long long scan_vals[19]; ++ unsigned long long scan_vals[20]; + + DEBUGMSGTL(("access:systemstats:container:arch", "load v4 (flags %x)\n", + load_flags)); +@@ -126,10 +146,17 @@ _systemstats_v4(netsnmp_container* container, u_int load_flags) + */ + NETSNMP_IGNORE_RESULT(fgets(line, sizeof(line), devin)); + len = strlen(line); +- if (224 != len) { ++ switch (len) { ++ case 224: ++ expected_scan_count = 19; ++ break; ++ case 237: ++ expected_scan_count = 20; ++ break; ++ default: + fclose(devin); + snmp_log(LOG_ERR, "systemstats_linux: unexpected header length in /proc/net/snmp." 
+- " %d != 224\n", len); ++ " %d not in { 224, 237 } \n", len); + return -4; + } + +@@ -178,20 +205,20 @@ _systemstats_v4(netsnmp_container* container, u_int load_flags) + memset(scan_vals, 0x0, sizeof(scan_vals)); + scan_count = sscanf(stats, + "%llu %llu %llu %llu %llu %llu %llu %llu %llu %llu" +- "%llu %llu %llu %llu %llu %llu %llu %llu %llu", ++ "%llu %llu %llu %llu %llu %llu %llu %llu %llu %llu", + &scan_vals[0],&scan_vals[1],&scan_vals[2], + &scan_vals[3],&scan_vals[4],&scan_vals[5], + &scan_vals[6],&scan_vals[7],&scan_vals[8], + &scan_vals[9],&scan_vals[10],&scan_vals[11], + &scan_vals[12],&scan_vals[13],&scan_vals[14], + &scan_vals[15],&scan_vals[16],&scan_vals[17], +- &scan_vals[18]); ++ &scan_vals[18],&scan_vals[19]); + DEBUGMSGTL(("access:systemstats", " read %d values\n", scan_count)); + +- if(scan_count != 19) { ++ if(scan_count != expected_scan_count) { + snmp_log(LOG_ERR, + "error scanning systemstats data (expected %d, got %d)\n", +- 19, scan_count); ++ expected_scan_count, scan_count); + netsnmp_access_systemstats_entry_free(entry); + return -4; + } +@@ -223,6 +250,7 @@ _systemstats_v4(netsnmp_container* container, u_int load_flags) + entry->stats.HCOutFragFails.high = scan_vals[17] >> 32; + entry->stats.HCOutFragCreates.low = scan_vals[18] & 0xffffffff; + entry->stats.HCOutFragCreates.high = scan_vals[18] >> 32; ++ /* entry->stats. = scan_vals[19]; / * OutTransmits */ + + entry->stats.columnAvail[IPSYSTEMSTATSTABLE_HCINRECEIVES] = 1; + entry->stats.columnAvail[IPSYSTEMSTATSTABLE_INHDRERRORS] = 1; diff --git a/scripts/package-build/netfilter/build.py b/scripts/package-build/netfilter/build.py deleted file mode 100755 index d15b5770..00000000 --- a/scripts/package-build/netfilter/build.py +++ /dev/null 
@@ -1,195 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2024 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . -# - -import glob -import shutil -import toml -import os - -from argparse import ArgumentParser -from pathlib import Path -from subprocess import run, CalledProcessError - - -def ensure_dependencies(dependencies: list) -> None: - """Ensure Debian build dependencies are met""" - if not dependencies: - print("I: No additional dependencies to install") - return - - print("I: Ensure Debian build dependencies are met") - run(['sudo', 'apt-get', 'update'], check=True) - run(['sudo', 'apt-get', 'install', '-y'] + dependencies, check=True) - - -def apply_patches(repo_dir: Path, patch_dir: Path, package_name: str) -> None: - """Apply patches from the patch directory to the repository""" - package_patch_dir = patch_dir / package_name - if package_patch_dir.exists() and package_patch_dir.is_dir(): - patches = list(package_patch_dir.glob('*')) - else: - print(f"I: No patch directory found for {package_name} in {patch_dir}") - return - - # Filter out directories from patches list - patches = [patch for patch in patches if patch.is_file()] - - if not patches: - print(f"I: No patches found in {package_patch_dir}") - return - - debian_patches_dir = repo_dir / 'debian/patches' - debian_patches_dir.mkdir(parents=True, exist_ok=True) - - series_file = debian_patches_dir / 'series' - with series_file.open('a') as series: - for patch in 
patches: - patch_dest = debian_patches_dir / patch.name - try: - # Ensure the patch file exists before copying - if patch.exists(): - shutil.copy(patch, patch_dest) - series.write(patch.name + '\n') - print(f"I: Applied patch: {patch.name}") - else: - print(f"W: Patch file {patch} not found, skipping") - except FileNotFoundError: - print(f"W: Patch file {patch} not found, skipping") - - -def prepare_package(repo_dir: Path, install_data: str) -> None: - """Prepare a package""" - if not install_data: - print("I: No install data provided, skipping package preparation") - return - - try: - install_file = repo_dir / 'debian/install' - install_file.parent.mkdir(parents=True, exist_ok=True) - install_file.write_text(install_data) - print("I: Prepared package") - except Exception as e: - print(f"Failed to prepare package: {e}") - raise - - -def build_package(package: dict, dependencies: list, patch_dir: Path) -> None: - """Build a package from the repository - - Args: - package (dict): Package information - dependencies (list): List of additional dependencies - patch_dir (Path): Directory containing patches - """ - repo_name = package['name'] - repo_dir = Path(repo_name) - - try: - # Clone the repository if it does not exist - if not repo_dir.exists(): - run(['git', 'clone', package['scm_url'], str(repo_dir)], check=True) - - # Check out the specific commit - run(['git', 'checkout', package['commit_id']], cwd=repo_dir, check=True) - - # Ensure dependencies - ensure_dependencies(dependencies) - - # Apply patches if any - apply_patches(repo_dir, patch_dir, repo_name) - - # Sanitize the commit ID and build a tarball for the package - commit_id_sanitized = package['commit_id'].replace('/', '_') - tarball_name = f"{repo_name}_{commit_id_sanitized}.tar.gz" - run(['tar', '-czf', tarball_name, '-C', str(repo_dir.parent), repo_name], check=True) - print(f"I: Tarball created: {tarball_name}") - - # Prepare the package if required - if package.get('prepare_package', False): - 
prepare_package(repo_dir, package.get('install_data', '')) - - # Build dependency package and install it - if (repo_dir / 'debian/control').exists(): - try: - run('sudo mk-build-deps --install --tool "apt-get --yes --no-install-recommends"', cwd=repo_dir, check=True, shell=True) - run('sudo dpkg -i *build-deps*.deb', cwd=repo_dir, check=True, shell=True) - except CalledProcessError as e: - print(f"Failed to build package {repo_name}: {e}") - - # Build the package, check if we have build_cmd in the package.toml - build_cmd = package.get('build_cmd', 'dpkg-buildpackage -uc -us -tc -b') - run(build_cmd, cwd=repo_dir, check=True, shell=True) - - except CalledProcessError as e: - print(f"Failed to build package {repo_name}: {e}") - finally: - # Clean up repository directory - # shutil.rmtree(repo_dir, ignore_errors=True) - pass - - -def cleanup_build_deps(repo_dir: Path) -> None: - """Clean up build dependency packages""" - try: - if repo_dir.exists(): - for file in glob.glob(str(repo_dir / '*build-deps*.deb')): - os.remove(file) - print("Cleaned up build dependency packages") - except Exception as e: - print(f"Error cleaning up build dependencies: {e}") - - -def copy_packages(repo_dir: Path) -> None: - """Copy generated .deb packages to the parent directory""" - try: - deb_files = glob.glob(str(repo_dir / '*.deb')) - for deb_file in deb_files: - shutil.copy(deb_file, repo_dir.parent) - print(f'I: copy generated "{deb_file}" package') - except Exception as e: - print(f"Error copying packages: {e}") - - -if __name__ == '__main__': - # Prepare argument parser - arg_parser = ArgumentParser() - arg_parser.add_argument('--config', - default='package.toml', - help='Path to the package configuration file') - arg_parser.add_argument('--patch-dir', - default='patches', - help='Path to the directory containing patches') - args = arg_parser.parse_args() - - # Load package configuration - with open(args.config, 'r') as file: - config = toml.load(file) - - packages = 
config['packages'] - patch_dir = Path(args.patch_dir) - - for package in packages: - dependencies = package.get('dependencies', {}).get('packages', []) - - # Build the package - build_package(package, dependencies, patch_dir) - - # Clean up build dependency packages after build - cleanup_build_deps(Path(package['name'])) - - # Copy generated .deb packages to parent directory - copy_packages(Path(package['name'])) diff --git a/scripts/package-build/netfilter/build.py b/scripts/package-build/netfilter/build.py new file mode 120000 index 00000000..3c76af73 --- /dev/null +++ b/scripts/package-build/netfilter/build.py @@ -0,0 +1 @@ +../build.py \ No newline at end of file diff --git a/scripts/package-build/pmacct/patches/0001-fix-pmacctd-SEGV-when-ICMP-ICMPv6-traffic-was-proces.patch b/scripts/package-build/pmacct/patches/0001-fix-pmacctd-SEGV-when-ICMP-ICMPv6-traffic-was-proces.patch deleted file mode 100644 index cb5f7399..00000000 --- a/scripts/package-build/pmacct/patches/0001-fix-pmacctd-SEGV-when-ICMP-ICMPv6-traffic-was-proces.patch +++ /dev/null 
@@ -1,49 +0,0 @@
-From 58900c9d0f98f224577c28dc2323061d33823f39 Mon Sep 17 00:00:00 2001
-From: Paolo Lucente
-Date: Fri, 4 Mar 2022 22:07:29 +0000
-Subject: [PATCH] * fix, pmacctd: SEGV when ICMP/ICMPv6 traffic was processed
- and 'flows' primitive was enabled. To address Issue #586
-
----
- src/nl.c | 12 +++---------
- 1 file changed, 3 insertions(+), 9 deletions(-)
-
-diff --git a/src/nl.c b/src/nl.c
-index c42689ed..6a3da94b 100644
---- a/src/nl.c
-+++ b/src/nl.c
-@@ -1,6 +1,6 @@
- /*
- pmacct (Promiscuous mode IP Accounting package)
-- pmacct is Copyright (C) 2003-2021 by Paolo Lucente
-+ pmacct is Copyright (C) 2003-2022 by Paolo Lucente
- */
-
- /*
-@@ -293,10 +293,7 @@ int ip_handler(register struct packet_ptrs *pptrs)
- }
- }
- else {
-- if (pptrs->l4_proto != IPPROTO_ICMP) {
-- pptrs->tlh_ptr = dummy_tlhdr;
-- }
--
-+ pptrs->tlh_ptr = dummy_tlhdr;
- if (off < caplen) pptrs->payload_ptr = ptr;
- }
-
-@@ -479,10 +476,7 @@ int ip6_handler(register struct packet_ptrs *pptrs)
- }
- }
- else {
-- if (pptrs->l4_proto != IPPROTO_ICMPV6) {
-- pptrs->tlh_ptr = dummy_tlhdr;
-- }
--
-+ pptrs->tlh_ptr = dummy_tlhdr;
- if (off < caplen) pptrs->payload_ptr = ptr;
- }
-
--
-2.34.1
-
diff --git a/scripts/package-build/pmacct/patches/pmacct/0001-fix-pmacctd-SEGV-when-ICMP-ICMPv6-traffic-was-proces.patch b/scripts/package-build/pmacct/patches/pmacct/0001-fix-pmacctd-SEGV-when-ICMP-ICMPv6-traffic-was-proces.patch
new file mode 100644
index 00000000..cb5f7399
--- /dev/null
+++ b/scripts/package-build/pmacct/patches/pmacct/0001-fix-pmacctd-SEGV-when-ICMP-ICMPv6-traffic-was-proces.patch
@@ -0,0 +1,49 @@
+From 58900c9d0f98f224577c28dc2323061d33823f39 Mon Sep 17 00:00:00 2001
+From: Paolo Lucente
+Date: Fri, 4 Mar 2022 22:07:29 +0000
+Subject: [PATCH] * fix, pmacctd: SEGV when ICMP/ICMPv6 traffic was processed
+ and 'flows' primitive was enabled. To address Issue #586
+
+---
+ src/nl.c | 12 +++---------
+ 1 file changed, 3 insertions(+), 9 deletions(-)
+
+diff --git a/src/nl.c b/src/nl.c
+index c42689ed..6a3da94b 100644
+--- a/src/nl.c
++++ b/src/nl.c
+@@ -1,6 +1,6 @@
+ /*
+ pmacct (Promiscuous mode IP Accounting package)
+- pmacct is Copyright (C) 2003-2021 by Paolo Lucente
++ pmacct is Copyright (C) 2003-2022 by Paolo Lucente
+ */
+
+ /*
+@@ -293,10 +293,7 @@ int ip_handler(register struct packet_ptrs *pptrs)
+ }
+ }
+ else {
+- if (pptrs->l4_proto != IPPROTO_ICMP) {
+- pptrs->tlh_ptr = dummy_tlhdr;
+- }
+-
++ pptrs->tlh_ptr = dummy_tlhdr;
+ if (off < caplen) pptrs->payload_ptr = ptr;
+ }
+
+@@ -479,10 +476,7 @@ int ip6_handler(register struct packet_ptrs *pptrs)
+ }
+ }
+ else {
+- if (pptrs->l4_proto != IPPROTO_ICMPV6) {
+- pptrs->tlh_ptr = dummy_tlhdr;
+- }
+-
++ pptrs->tlh_ptr = dummy_tlhdr;
+ if (off < caplen) pptrs->payload_ptr = ptr;
+ }
+
+--
+2.34.1
+
diff --git a/scripts/package-build/strongswan/patches/0001-charon-add-optional-source-and-remote-overrides-for-.patch b/scripts/package-build/strongswan/patches/0001-charon-add-optional-source-and-remote-overrides-for-.patch
deleted file mode 100644
index ceb47350..00000000
--- a/scripts/package-build/strongswan/patches/0001-charon-add-optional-source-and-remote-overrides-for-.patch
+++ /dev/null
@@ -1,579 +0,0 @@
-From db627ec8a8e72bc6b23dc8ab00f4e6b4f448d01c Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Timo=20Ter=C3=A4s?=
-Date: Mon, 21 Sep 2015 13:41:58 +0300
-Subject: [PATCH 1/3] charon: add optional source and remote overrides for
- initiate
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This introduces support for specifying optional IKE SA specific
-source and remote address for child sa initiation. This allows
-to initiate wildcard connection for known address via vici.
-
-In addition this allows impler implementation of trap-any patches
-and is a prerequisite for dmvpn support.
-
-Signed-off-by: Timo Teräs
----
- src/charon-cmd/cmd/cmd_connection.c | 2 +-
- src/libcharon/control/controller.c | 42 +++++++++++-
- src/libcharon/control/controller.h | 3 +
- src/libcharon/plugins/stroke/stroke_control.c | 5 +-
- src/libcharon/plugins/vici/vici_config.c | 2 +-
- src/libcharon/plugins/vici/vici_control.c | 64 ++++++++++++++++---
- .../processing/jobs/start_action_job.c | 2 +-
- src/libcharon/sa/ike_sa_manager.c | 50 ++++++++++++++-
- src/libcharon/sa/ike_sa_manager.h | 8 ++-
- src/libcharon/sa/trap_manager.c | 44 +++++--------
- src/swanctl/commands/initiate.c | 40 +++++++++++-
- 11 files changed, 215 insertions(+), 47 deletions(-)
-
-diff --git a/src/charon-cmd/cmd/cmd_connection.c b/src/charon-cmd/cmd/cmd_connection.c
-index 2e2cb3c..b9369a8 100644
---- a/src/charon-cmd/cmd/cmd_connection.c
-+++ b/src/charon-cmd/cmd/cmd_connection.c
-@@ -439,7 +439,7 @@ static job_requeue_t initiate(private_cmd_connection_t *this)
- child_cfg = create_child_cfg(this, peer_cfg);
-
- if (charon->controller->initiate(charon->controller, peer_cfg, child_cfg,
-- controller_cb_empty, NULL, LEVEL_SILENT, 0, FALSE) != SUCCESS)
-+ NULL, NULL, controller_cb_empty, NULL, LEVEL_SILENT, 0, FALSE) != SUCCESS)
- {
- terminate(pid);
- }
-diff --git a/src/libcharon/control/controller.c b/src/libcharon/control/controller.c
-index 
027f48e..4ce8616 100644
---- a/src/libcharon/control/controller.c
-+++ b/src/libcharon/control/controller.c
-@@ -15,6 +15,28 @@
- * for more details.
- */
-
-+/*
-+ * Copyright (C) 2014 Timo Teräs
-+ *
-+ * Permission is hereby granted, free of charge, to any person obtaining a copy
-+ * of this software and associated documentation files (the "Software"), to deal
-+ * in the Software without restriction, including without limitation the rights
-+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-+ * copies of the Software, and to permit persons to whom the Software is
-+ * furnished to do so, subject to the following conditions:
-+ *
-+ * The above copyright notice and this permission notice shall be included in
-+ * all copies or substantial portions of the Software.
-+ *
-+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-+ * THE SOFTWARE.
-+ */
-+
- #include "controller.h"
-
- #include
-@@ -107,6 +129,16 @@ struct interface_listener_t {
- */
- ike_sa_t *ike_sa;
-
-+ /**
-+ * Our host hint.
-+ */
-+ host_t *my_host;
-+
-+ /**
-+ * Other host hint.
-+ */
-+ host_t *other_host;
-+
- /**
- * unique ID, used for various methods
- */
-@@ -417,10 +449,15 @@ METHOD(job_t, initiate_execute, job_requeue_t,
- ike_sa_t *ike_sa;
- interface_listener_t *listener = &job->listener;
- peer_cfg_t *peer_cfg = listener->peer_cfg;
-+ host_t *my_host = listener->my_host;
-+ host_t *other_host = listener->other_host;
-
- ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager,
-- peer_cfg);
-+ peer_cfg, my_host, other_host);
- peer_cfg->destroy(peer_cfg);
-+ DESTROY_IF(my_host);
-+ DESTROY_IF(other_host);
-+
- if (!ike_sa)
- {
- DESTROY_IF(listener->child_cfg);
-@@ -499,6 +536,7 @@ METHOD(job_t, initiate_execute, job_requeue_t,
-
- METHOD(controller_t, initiate, status_t,
- private_controller_t *this, peer_cfg_t *peer_cfg, child_cfg_t *child_cfg,
-+ host_t *my_host, host_t *other_host,
- controller_cb_t callback, void *param, level_t max_level, u_int timeout,
- bool limits)
- {
-@@ -523,6 +561,8 @@ METHOD(controller_t, initiate, status_t,
- .status = FAILED,
- .child_cfg = child_cfg,
- .peer_cfg = peer_cfg,
-+ .my_host = my_host ? my_host->clone(my_host) : NULL,
-+ .other_host = other_host ? 
other_host->clone(other_host) : NULL,
- .lock = spinlock_create(),
- .options.limits = limits,
- },
-diff --git a/src/libcharon/control/controller.h b/src/libcharon/control/controller.h
-index 36a1d46..a130fbb 100644
---- a/src/libcharon/control/controller.h
-+++ b/src/libcharon/control/controller.h
-@@ -81,6 +81,8 @@ struct controller_t {
- *
- * @param peer_cfg peer_cfg to use for IKE_SA setup
- * @param child_cfg optional child_cfg to set up CHILD_SA from
-+ * @param my_host optional address hint for source
-+ * @param other_host optional address hint for destination
- * @param cb logging callback
- * @param param parameter to include in each call of cb
- * @param max_level maximum log level for which cb is invoked
-@@ -95,6 +97,7 @@ struct controller_t {
- */
- status_t (*initiate)(controller_t *this,
- peer_cfg_t *peer_cfg, child_cfg_t *child_cfg,
-+ host_t *my_host, host_t *other_host,
- controller_cb_t callback, void *param,
- level_t max_level, u_int timeout, bool limits);
-
-diff --git a/src/libcharon/plugins/stroke/stroke_control.c b/src/libcharon/plugins/stroke/stroke_control.c
-index 2824c93..21ff6b3 100644
---- a/src/libcharon/plugins/stroke/stroke_control.c
-+++ b/src/libcharon/plugins/stroke/stroke_control.c
-@@ -109,7 +109,7 @@ static void charon_initiate(private_stroke_control_t *this, peer_cfg_t *peer_cfg
- if (msg->output_verbosity < 0)
- {
- charon->controller->initiate(charon->controller, peer_cfg, child_cfg,
-- NULL, NULL, 0, 0, FALSE);
-+ NULL, NULL, NULL, NULL, 0, 0, FALSE);
- }
- else
- {
-@@ -117,7 +117,8 @@ static void charon_initiate(private_stroke_control_t *this, peer_cfg_t *peer_cfg
- status_t status;
-
- status = charon->controller->initiate(charon->controller,
-- peer_cfg, child_cfg, (controller_cb_t)stroke_log,
-+ peer_cfg, child_cfg, NULL, NULL,
-+ (controller_cb_t)stroke_log,
- &info, msg->output_verbosity, this->timeout, FALSE);
- switch (status)
- {
-diff --git a/src/libcharon/plugins/vici/vici_config.c 
b/src/libcharon/plugins/vici/vici_config.c
-index 5221225..b1486e3 100644
---- a/src/libcharon/plugins/vici/vici_config.c
-+++ b/src/libcharon/plugins/vici/vici_config.c
-@@ -2252,7 +2252,7 @@ static void run_start_action(private_vici_config_t *this, peer_cfg_t *peer_cfg,
- DBG1(DBG_CFG, "initiating '%s'", child_cfg->get_name(child_cfg));
- charon->controller->initiate(charon->controller,
- peer_cfg->get_ref(peer_cfg), child_cfg->get_ref(child_cfg),
-- NULL, NULL, 0, 0, FALSE);
-+ NULL, NULL, NULL, NULL, 0, 0, FALSE);
- }
- }
-
-diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c
-index 1c236d2..811d8db 100644
---- a/src/libcharon/plugins/vici/vici_control.c
-+++ b/src/libcharon/plugins/vici/vici_control.c
-@@ -15,6 +15,28 @@
- * for more details.
- */
-
-+/*
-+ * Copyright (C) 2014 Timo Teräs
-+ *
-+ * Permission is hereby granted, free of charge, to any person obtaining a copy
-+ * of this software and associated documentation files (the "Software"), to deal
-+ * in the Software without restriction, including without limitation the rights
-+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-+ * copies of the Software, and to permit persons to whom the Software is
-+ * furnished to do so, subject to the following conditions:
-+ *
-+ * The above copyright notice and this permission notice shall be included in
-+ * all copies or substantial portions of the Software.
-+ *
-+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-+ * THE SOFTWARE.
-+ */
-+
- #include "vici_control.h"
- #include "vici_builder.h"
-
-@@ -173,9 +195,11 @@ static child_cfg_t* find_child_cfg(char *name, char *pname, peer_cfg_t **out)
- CALLBACK(initiate, vici_message_t*,
- private_vici_control_t *this, char *name, u_int id, vici_message_t *request)
- {
-+ vici_message_t* msg;
- peer_cfg_t *peer_cfg = NULL;
- child_cfg_t *child_cfg;
-- char *child, *ike, *type, *sa;
-+ host_t *my_host = NULL, *other_host = NULL;
-+ char *child, *ike, *type, *sa, *my_host_str, *other_host_str;
- int timeout;
- bool limits;
- controller_cb_t log_cb = NULL;
-@@ -189,6 +213,8 @@ CALLBACK(initiate, vici_message_t*,
- timeout = request->get_int(request, 0, "timeout");
- limits = request->get_bool(request, FALSE, "init-limits");
- log.level = request->get_int(request, 1, "loglevel");
-+ my_host_str = request->get_str(request, NULL, "my-host");
-+ other_host_str = request->get_str(request, NULL, "other-host");
-
- if (!child && !ike)
- {
-@@ -199,31 +225,52 @@ CALLBACK(initiate, vici_message_t*,
- log_cb = (controller_cb_t)log_vici;
- }
-
-+ if (my_host_str)
-+ {
-+ my_host = host_create_from_string(my_host_str, 0);
-+ }
-+ if (other_host_str)
-+ {
-+ other_host = host_create_from_string(other_host_str, 0);
-+ }
-+
-+
- type = child ? 
"CHILD_SA" : "IKE_SA";
- sa = child ?: ike;
-
- child_cfg = find_child_cfg(child, ike, &peer_cfg);
-
-- DBG1(DBG_CFG, "vici initiate %s '%s'", type, sa);
-+ DBG1(DBG_CFG, "vici initiate %s '%s', me %H, other %H, limits %d", type, sa, my_host, other_host, limits);
- if (!peer_cfg)
- {
-- return send_reply(this, "%s config '%s' not found", type, sa);
-+ msg = send_reply(this, "%s config '%s' not found", type, sa);
-+ goto ret;
- }
-- switch (charon->controller->initiate(charon->controller, peer_cfg, child_cfg,
-- log_cb, &log, log.level, timeout, limits))
-+ switch (charon->controller->initiate(charon->controller,
-+ peer_cfg, child_cfg,
-+ my_host, other_host,
-+ log_cb, &log, log.level, timeout, limits))
- {
- case SUCCESS:
-- return send_reply(this, NULL);
-+ msg = send_reply(this, NULL);
-+ break;
- case OUT_OF_RES:
-- return send_reply(this, "%s '%s' not established after %dms", type,
-+ msg = send_reply(this, "%s '%s' not established after %dms", type,
- sa, timeout);
-+ break;
- case INVALID_STATE:
-- return send_reply(this, "establishing %s '%s' not possible at the "
-+ msg = send_reply(this, "establishing %s '%s' not possible at the "
- "moment due to limits", type, sa);
-+ break;
- case FAILED:
- default:
-- return send_reply(this, "establishing %s '%s' failed", type, sa);
-+ msg = send_reply(this, "establishing %s '%s' failed", type, sa);
-+ break;
- }
-+ret:
-+ if (my_host) my_host->destroy(my_host);
-+ if (other_host) other_host->destroy(other_host);
-+ return msg;
- }
-
- /**
-diff --git a/src/libcharon/processing/jobs/start_action_job.c b/src/libcharon/processing/jobs/start_action_job.c
-index 122e5ce..dec458c 100644
---- a/src/libcharon/processing/jobs/start_action_job.c
-+++ b/src/libcharon/processing/jobs/start_action_job.c
-@@ -84,7 +84,7 @@ METHOD(job_t, execute, job_requeue_t,
- charon->controller->initiate(charon->controller,
- peer_cfg->get_ref(peer_cfg),
- child_cfg->get_ref(child_cfg),
-- NULL, NULL, 0, 0, FALSE);
-+ NULL, NULL, NULL, NULL, 
0, 0, FALSE);
- }
- }
- children->destroy(children);
-diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
-index fc31c2a..51e28bc 100644
---- a/src/libcharon/sa/ike_sa_manager.c
-+++ b/src/libcharon/sa/ike_sa_manager.c
-@@ -16,6 +16,28 @@
- * for more details.
- */
-
-+/*
-+ * Copyright (C) 2014 Timo Teräs
-+ *
-+ * Permission is hereby granted, free of charge, to any person obtaining a copy
-+ * of this software and associated documentation files (the "Software"), to deal
-+ * in the Software without restriction, including without limitation the rights
-+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-+ * copies of the Software, and to permit persons to whom the Software is
-+ * furnished to do so, subject to the following conditions:
-+ *
-+ * The above copyright notice and this permission notice shall be included in
-+ * all copies or substantial portions of the Software.
-+ *
-+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-+ * AUTHORS O
R COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-+ * THE SOFTWARE.
-+ */
-+
- #include
- #include
-
-@@ -1497,7 +1519,8 @@ typedef struct {
- } config_entry_t;
-
- METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
-- private_ike_sa_manager_t *this, peer_cfg_t *peer_cfg)
-+ private_ike_sa_manager_t *this, peer_cfg_t *peer_cfg,
-+ host_t *my_host, host_t *other_host)
- {
- enumerator_t *enumerator;
- entry_t *entry;
-@@ -1508,7 +1531,17 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
- u_int segment;
- int i;
-
-- DBG2(DBG_MGR, "checkout IKE_SA by config");
-+ if (my_host && my_host->get_port(my_host) == 0)
-+ {
-+ my_host->set_port(my_host, IKEV2_UDP_PORT);
-+ }
-+ if (other_host && other_host->get_port(other_host) == 0)
-+ {
-+ other_host->set_port(other_host, IKEV2_UDP_PORT);
-+ }
-+
-+ DBG2(DBG_MGR, "checkout IKE_SA by config '%s', me %H, other %H",
-+ peer_cfg->get_name(peer_cfg), my_host, other_host);
-
- if (!this->reuse_ikesa && peer_cfg->get_ike_version(peer_cfg) != IKEV1)
- { /* IKE_SA reuse disabled by config (not possible for IKEv1) */
-@@ -1566,6 +1599,15 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
- continue;
- }
-
-+ if (my_host && !my_host->ip_equals(my_host, entry->ike_sa->get_my_host(entry->ike_sa)))
-+ {
-+ continue;
-+ }
-+ if (other_host && !other_host->ip_equals(other_host, entry->ike_sa->get_other_host(entry->ike_sa)))
-+ {
-+ continue;
-+ }
-+
- current_peer = entry->ike_sa->get_peer_cfg(entry->ike_sa);
- if (current_peer && current_peer->equals(current_peer, peer_cfg))
- {
-@@ -1592,6 +1634,10 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
- {
- ike_sa->set_peer_cfg(ike_sa, peer_cfg);
- checkout_new(this, ike_sa);
-+ if (my_host || other_host)
-+ {
-+ ike_sa->update_hosts(ike_sa, my_host, other_host, TRUE);
-+ }
- }
- }
- charon->bus->set_sa(charon->bus, ike_sa);
-diff --git a/src/libcharon/sa/ike_sa_manager.h b/src/libcharon/sa/ike_sa_manager.h
-index 004cc22..50f8246 100644
---- a/src/libcharon/sa/ike_sa_manager.h
-+++ b/src/libcharon/sa/ike_sa_manager.h
-@@ 
-123,7 +123,8 @@ struct ike_sa_manager_t {
- ike_sa_t* (*checkout_by_message) (ike_sa_manager_t* this, message_t *message);
-
- /**
-- * Checkout an IKE_SA for initiation by a peer_config.
-+ * Checkout an IKE_SA for initiation by a peer_config and optional
-+ * source and remote host addresses.
- *
- * To initiate, a CHILD_SA may be established within an existing IKE_SA.
- * This call checks for an existing IKE_SA by comparing the configuration.
-@@ -136,9 +137,12 @@ struct ike_sa_manager_t {
- * @note The peer_config is always set on the returned IKE_SA.
- *
- * @param peer_cfg configuration used to find an existing IKE_SA
-+ * @param my_host source host address for wildcard peer_cfg
-+ * @param other_host remote host address for wildcard peer_cfg
- * @return checked out/created IKE_SA
- */
-- ike_sa_t *(*checkout_by_config)(ike_sa_manager_t* this, peer_cfg_t *peer_cfg);
-+ ike_sa_t *(*checkout_by_config)(ike_sa_manager_t* this, peer_cfg_t *peer_cfg,
-+ host_t *my_host, host_t *other_host);
-
- /**
- * Reset initiator SPI. 
-diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c
-index d8d8a42..e7c906e 100644
---- a/src/libcharon/sa/trap_manager.c
-+++ b/src/libcharon/sa/trap_manager.c
-@@ -523,7 +523,7 @@ METHOD(trap_manager_t, acquire, void,
- peer_cfg_t *peer;
- child_cfg_t *child;
- ike_sa_t *ike_sa;
-- host_t *host;
-+ host_t *host, *my_host = NULL, *other_host = NULL;
- bool wildcard, ignore = FALSE;
-
- this->lock->read_lock(this->lock);
-@@ -600,37 +600,27 @@ METHOD(trap_manager_t, acquire, void,
- this->lock->unlock(this->lock);
-
- if (wildcard)
-- { /* the peer config would match IKE_SAs with other peers */
-- ike_sa = charon->ike_sa_manager->create_new(charon->ike_sa_manager,
-- peer->get_ike_version(peer), TRUE);
-- if (ike_sa)
-- {
-- ike_cfg_t *ike_cfg;
-- uint16_t port;
-- uint8_t mask;
--
-- ike_sa->set_peer_cfg(ike_sa, peer);
-- ike_cfg = ike_sa->get_ike_cfg(ike_sa);
--
-- port = ike_cfg->get_other_port(ike_cfg);
-- data->dst->to_subnet(data->dst, &host, &mask);
-- host->set_port(host, port);
-- ike_sa->set_other_host(ike_sa, host);
--
-- port = ike_cfg->get_my_port(ike_cfg);
-- data->src->to_subnet(data->src, &host, &mask);
-- host->set_port(host, port);
-- ike_sa->set_my_host(ike_sa, host);
--
-- charon->bus->set_sa(charon->bus, ike_sa);
-- }
-- }
-- else
- {
-- ike_sa = charon->ike_sa_manager->checkout_by_config(
-- charon->ike_sa_manager, peer);
-+ ike_cfg_t *ike_cfg;
-+ uint16_t port;
-+ uint8_t mask;
-+
-+ ike_cfg = peer->get_ike_cfg(peer);
-+
-+ port = ike_cfg->get_other_port(ike_cfg);
-+ data->dst->to_subnet(data->dst, &other_host, &mask);
-+ other_host->set_port(other_host, port);
-+
-+ port = ike_cfg->get_my_port(ike_cfg);
-+ data->src->to_subnet(data->src, &my_host, &mask);
-+ my_host->set_port(my_host, port);
- }
-+ ike_sa = charon->ike_sa_manager->checkout_by_config(
-+ charon->ike_sa_manager, peer,
-+ my_host, other_host);
- peer->destroy(peer);
-+ DESTROY_IF(my_host);
-+ DESTROY_IF(other_host);
-
- if (ike_sa)
- {
-diff --git 
a/src/swanctl/commands/initiate.c b/src/swanctl/commands/initiate.c
-index e0fffb9..dcaded5 100644
---- a/src/swanctl/commands/initiate.c
-+++ b/src/swanctl/commands/initiate.c
-@@ -14,6 +14,28 @@
- * for more details.
- */
-
-+/*
-+ * Copyright (C) 2014 Timo Teräs
-+ *
-+ * Permission is hereby granted, free of charge, to any person obtaining a copy
-+ * of this software and associated documentation files (the "Software"), to deal
-+ * in the Software without restriction, including without limitation the rights
-+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-+ * copies of the Software, and to permit persons to whom the Software is
-+ * furnished to do so, subject to the following conditions:
-+ *
-+ * The above copyright notice and this permission notice shall be included in
-+ * all copies or substantial portions of the Software.
-+ *
-+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-+ * THE SOFTWARE.
-+ */
-+
- #include "command.h"
-
- #include
-@@ -38,7 +60,7 @@ static int initiate(vici_conn_t *conn)
- vici_req_t *req;
- vici_res_t *res;
- command_format_options_t format = COMMAND_FORMAT_NONE;
-- char *arg, *child = NULL, *ike = NULL;
-+ char *arg, *child = NULL, *ike = NULL, *my_host = NULL, *other_host = NULL;
- int ret = 0, timeout = 0, level = 1;
-
- while (TRUE)
-@@ -65,6 +87,12 @@ static int initiate(vici_conn_t *conn)
- case 'l':
- level = atoi(arg);
- continue;
-+ case 'S':
-+ my_host = arg;
-+ continue;
-+ case 'R':
-+ other_host = arg;
-+ continue;
- case EOF:
- break;
- default:
-@@ -88,6 +116,14 @@ static int initiate(vici_conn_t *conn)
- {
- vici_add_key_valuef(req, "ike", "%s", ike);
- }
-+ if (my_host)
-+ {
-+ vici_add_key_valuef(req, "my-host", "%s", my_host);
-+ }
-+ if (other_host)
-+ {
-+ vici_add_key_valuef(req, "other-host", "%s", other_host);
-+ }
- if (timeout)
- {
- vici_add_key_valuef(req, "timeout", "%d", timeout * 1000);
-@@ -134,6 +170,8 @@ static void __attribute__ ((constructor))reg()
- {"help", 'h', 0, "show usage information"},
- {"child", 'c', 1, "initiate a CHILD_SA configuration"},
- {"ike", 'i', 1, "initiate an IKE_SA, or name of child's parent"},
-+ {"source", 'S', 1, "override source address"},
-+ {"remote", 'R', 1, "override remote address"},
- {"timeout", 't', 1, "timeout in seconds before detaching"},
- {"raw", 'r', 0, "dump raw response message"},
- {"pretty", 'P', 0, "dump raw response message in pretty print"},
diff --git a/scripts/package-build/strongswan/patches/0002-vici-send-certificates-for-ike-sa-events.patch b/scripts/package-build/strongswan/patches/0002-vici-send-certificates-for-ike-sa-events.patch
deleted file mode 100644
index 13e657e9..00000000
--- a/scripts/package-build/strongswan/patches/0002-vici-send-certificates-for-ike-sa-events.patch
+++ /dev/null
@@ -1,140 +0,0 @@
-From 39d537b875e907c63a54d5de8ba6d2ea0ede4604 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Timo=20Ter=C3=A4s?=
-Date: Mon, 21 Sep 2015 13:42:05 +0300
-Subject: [PATCH 2/3] vici: send certificates for ike-sa events
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Signed-off-by: Timo Teräs
----
- src/libcharon/plugins/vici/vici_query.c | 50 +++++++++++++++++++++----
- 1 file changed, 42 insertions(+), 8 deletions(-)
-
-diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c
-index bacb7b101..19acc0789 100644
---- a/src/libcharon/plugins/vici/vici_query.c
-+++ b/src/libcharon/plugins/vici/vici_query.c
-@@ -402,7 +402,7 @@ static void list_vips(private_vici_query_t *this, vici_builder_t *b,
- * List details of an IKE_SA
- */
- static void list_ike(private_vici_query_t *this, vici_builder_t *b,
-- ike_sa_t *ike_sa, time_t now)
-+ ike_sa_t *ike_sa, time_t now, bool add_certs)
- {
- time_t t;
- ike_sa_id_t *id;
-@@ -411,6 +411,8 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
- uint32_t if_id;
- uint16_t alg, ks;
- host_t *host;
-+ auth_cfg_t *auth_cfg;
-+ enumerator_t *enumerator;
-
- b->add_kv(b, "uniqueid", "%u", ike_sa->get_unique_id(ike_sa));
- b->add_kv(b, "version", "%u", ike_sa->get_version(ike_sa));
-@@ -420,11 +422,43 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
- b->add_kv(b, "local-host", "%H", host);
- b->add_kv(b, "local-port", "%d", host->get_port(host));
- b->add_kv(b, "local-id", "%Y", ike_sa->get_my_id(ike_sa));
-+ if (add_certs)
-+ {
-+ enumerator = ike_sa->create_auth_cfg_enumerator(ike_sa, TRUE);
-+ if (enumerator->enumerate(enumerator, &auth_cfg))
-+ {
-+ certificate_t *cert = auth_cfg->get(auth_cfg, AUTH_RULE_SUBJECT_CERT);
-+ chunk_t encoding;
-+
-+ if (cert && cert->get_encoding(cert, CERT_ASN1_DER, &encoding))
-+ {
-+ b->add(b, VICI_KEY_VALUE, "local-cert-data", encoding);
-+ free(encoding.ptr);
-+ 
}
-+ }
-+ enumerator->destroy(enumerator);
-+ }
-
- host = ike_sa->get_other_host(ike_sa);
- b->add_kv(b, "remote-host", "%H", host);
- b->add_kv(b, "remote-port", "%d", host->get_port(host));
- b->add_kv(b, "remote-id", "%Y", ike_sa->get_other_id(ike_sa));
-+ if (add_certs)
-+ {
-+ enumerator = ike_sa->create_auth_cfg_enumerator(ike_sa, FALSE);
-+ if (enumerator->enumerate(enumerator, &auth_cfg))
-+ {
-+ certificate_t *cert = auth_cfg->get(auth_cfg, AUTH_RULE_SUBJECT_CERT);
-+ chunk_t encoding;
-+
-+ if (cert && cert->get_encoding(cert, CERT_ASN1_DER, &encoding))
-+ {
-+ b->add(b, VICI_KEY_VALUE, "remote-cert-data", encoding);
-+ free(encoding.ptr);
-+ }
-+ }
-+ enumerator->destroy(enumerator);
-+ }
-
- eap = ike_sa->get_other_eap_id(ike_sa);
-
-@@ -556,7 +590,7 @@ CALLBACK(list_sas, vici_message_t*,
- b = vici_builder_create();
- b->begin_section(b, ike_sa->get_name(ike_sa));
-
-- list_ike(this, b, ike_sa, now);
-+ list_ike(this, b, ike_sa, now, TRUE);
-
- b->begin_section(b, "child-sas");
- csas = ike_sa->create_child_sa_enumerator(ike_sa);
-@@ -1774,7 +1808,7 @@ METHOD(listener_t, ike_updown, bool,
- }
-
- b->begin_section(b, ike_sa->get_name(ike_sa));
-- list_ike(this, b, ike_sa, now);
-+ list_ike(this, b, ike_sa, now, up);
- b->end_section(b);
-
- this->dispatcher->raise_event(this->dispatcher,
-@@ -1799,10 +1833,10 @@ METHOD(listener_t, ike_rekey, bool,
- b = vici_builder_create();
- b->begin_section(b, old->get_name(old));
- b->begin_section(b, "old");
-- list_ike(this, b, old, now);
-+ list_ike(this, b, old, now, TRUE);
- b->end_section(b);
- b->begin_section(b, "new");
-- list_ike(this, b, new, now);
-+ list_ike(this, b, new, now, TRUE);
- b->end_section(b);
- b->end_section(b);
-
-@@ -1833,7 +1867,7 @@ METHOD(listener_t, ike_update, bool,
- b->add_kv(b, "remote-port", "%d", remote->get_port(remote));
-
- b->begin_section(b, ike_sa->get_name(ike_sa));
-- list_ike(this, b, ike_sa, now);
-+ list_ike(this, b, ike_sa, now, TRUE);
- b->end_section(b);
-
- 
this->dispatcher->raise_event(this->dispatcher,
-@@ -1863,7 +1897,7 @@ METHOD(listener_t, child_updown, bool,
- }
-
- b->begin_section(b, ike_sa->get_name(ike_sa));
-- list_ike(this, b, ike_sa, now);
-+ list_ike(this, b, ike_sa, now, up);
- b->begin_section(b, "child-sas");
-
- snprintf(buf, sizeof(buf), "%s-%u", child_sa->get_name(child_sa),
-@@ -1898,7 +1932,7 @@ METHOD(listener_t, child_rekey, bool,
- b = vici_builder_create();
-
- b->begin_section(b, ike_sa->get_name(ike_sa));
-- list_ike(this, b, ike_sa, now);
-+ list_ike(this, b, ike_sa, now, TRUE);
- b->begin_section(b, "child-sas");
-
- b->begin_section(b, old->get_name(old));
---
-2.38.1
-
diff --git a/scripts/package-build/strongswan/patches/0003-vici-add-support-for-individual-sa-state-changes.patch b/scripts/package-build/strongswan/patches/0003-vici-add-support-for-individual-sa-state-changes.patch
deleted file mode 100644
index 45aadc72..00000000
--- a/scripts/package-build/strongswan/patches/0003-vici-add-support-for-individual-sa-state-changes.patch
+++ /dev/null
@@ -1,159 +0,0 @@
-From df6b501ed29b838efde0f1cb1c906ab9befc7b45 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Timo=20Ter=C3=A4s?=
-Date: Mon, 21 Sep 2015 13:42:11 +0300
-Subject: [PATCH 3/3] vici: add support for individual sa state changes
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Useful for monitoring and tracking full SA.
-
-Signed-off-by: Timo Teräs
----
- src/libcharon/plugins/vici/vici_query.c | 105 ++++++++++++++++++++++++
- 1 file changed, 105 insertions(+)
-
-diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c
-index 19acc0789..e008885f7 100644
---- a/src/libcharon/plugins/vici/vici_query.c
-+++ b/src/libcharon/plugins/vici/vici_query.c
-@@ -1774,8 +1774,16 @@ static void manage_commands(private_vici_query_t *this, bool reg)
- this->dispatcher->manage_event(this->dispatcher, "ike-updown", reg);
- this->dispatcher->manage_event(this->dispatcher, "ike-rekey", reg);
- this->dispatcher->manage_event(this->dispatcher, "ike-update", reg);
-+ this->dispatcher->manage_event(this->dispatcher, "ike-state-established", reg);
-+ this->dispatcher->manage_event(this->dispatcher, "ike-state-destroying", reg);
- this->dispatcher->manage_event(this->dispatcher, "child-updown", reg);
- this->dispatcher->manage_event(this->dispatcher, "child-rekey", reg);
-+ this->dispatcher->manage_event(this->dispatcher, "child-state-installing", reg);
-+ this->dispatcher->manage_event(this->dispatcher, "child-state-installed", reg);
-+ this->dispatcher->manage_event(this->dispatcher, "child-state-updating", reg);
-+ this->dispatcher->manage_event(this->dispatcher, "child-state-rekeying", reg);
-+ this->dispatcher->manage_event(this->dispatcher, "child-state-rekeyed", reg);
-+ this->dispatcher->manage_event(this->dispatcher, "child-state-destroying", reg);
- manage_command(this, "list-sas", list_sas, reg);
- manage_command(this, "list-policies", list_policies, reg);
- manage_command(this, 
"list-conns", list_conns, reg);
-@@ -1876,6 +1884,45 @@ METHOD(listener_t, ike_update, bool,
- return TRUE;
- }
-
-+METHOD(listener_t, ike_state_change, bool,
-+ private_vici_query_t *this, ike_sa_t *ike_sa, ike_sa_state_t state)
-+{
-+ char *event;
-+ vici_builder_t *b;
-+ time_t now;
-+
-+ switch (state)
-+ {
-+ case IKE_ESTABLISHED:
-+ event = "ike-state-established";
-+ break;
-+ case IKE_DESTROYING:
-+ event = "ike-state-destroying";
-+ break;
-+ default:
-+ return TRUE;
-+ }
-+
-+ if (!this->dispatcher->has_event_listeners(this->dispatcher, event))
-+ {
-+ return TRUE;
-+ }
-+
-+ now = time_monotonic(NULL);
-+
-+ b = vici_builder_create();
-+ b->begin_section(b, ike_sa->get_name(ike_sa));
-+ list_ike(this, b, ike_sa, now, state != IKE_DESTROYING);
-+ b->begin_section(b, "child-sas");
-+ b->end_section(b);
-+ b->end_section(b);
-+
-+ this->dispatcher->raise_event(this->dispatcher,
-+ event, 0, b->finalize(b));
-+
-+ return TRUE;
-+}
-+
- METHOD(listener_t, child_updown, bool,
- private_vici_query_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, bool up)
- {
-@@ -1955,6 +2002,62 @@ METHOD(listener_t, child_rekey, bool,
- return TRUE;
- }
-
-+METHOD(listener_t, child_state_change, bool,
-+ private_vici_query_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, child_sa_state_t state)
-+{
-+ char *event;
-+ vici_builder_t *b;
-+ time_t now;
-+
-+ switch (state)
-+ {
-+ case CHILD_INSTALLING:
-+ event = "child-state-installing";
-+ break;
-+ case CHILD_INSTALLED:
-+ event = "child-state-installed";
-+ break;
-+ case CHILD_UPDATING:
-+ event = "child-state-updating";
-+ break;
-+ case CHILD_REKEYING:
-+ event = "child-state-rekeying";
-+ break;
-+ case CHILD_REKEYED:
-+ event = "child-state-rekeyed";
-+ break;
-+ case CHILD_DESTROYING:
-+ event = "child-state-destroying";
-+ break;
-+ default:
-+ return TRUE;
-+ }
-+
-+ if (!this->dispatcher->has_event_listeners(this->dispatcher, event))
-+ {
-+ return TRUE;
-+ }
-+
-+ now = time_monotonic(NULL);
-+
-+ b = 
vici_builder_create();
-+ b->begin_section(b, ike_sa->get_name(ike_sa));
-+ list_ike(this, b, ike_sa, now, state != CHILD_DESTROYING);
-+ b->begin_section(b, "child-sas");
-+
-+ b->begin_section(b, child_sa->get_name(child_sa));
-+ list_child(this, b, child_sa, now);
-+ b->end_section(b);
-+
-+ b->end_section(b);
-+ b->end_section(b);
-+
-+ this->dispatcher->raise_event(this->dispatcher,
-+ event, 0, b->finalize(b));
-+
-+ return TRUE;
-+}
-+
- METHOD(vici_query_t, destroy, void,
- private_vici_query_t *this)
- {
-@@ -1975,8 +2078,10 @@ vici_query_t *vici_query_create(vici_dispatcher_t *dispatcher)
- .ike_updown = _ike_updown,
- .ike_rekey = _ike_rekey,
- .ike_update = _ike_update,
-+ .ike_state_change = _ike_state_change,
- .child_updown = _child_updown,
- .child_rekey = _child_rekey,
-+ .child_state_change = _child_state_change,
- },
- .destroy = _destroy,
- },
---
-2.38.1
-
diff --git a/scripts/package-build/strongswan/patches/0004-VyOS-disable-options-enabled-by-Debian-that-are-unus.patch b/scripts/package-build/strongswan/patches/0004-VyOS-disable-options-enabled-by-Debian-that-are-unus.patch
deleted file mode 100644
index 57a622e8..00000000
--- a/scripts/package-build/strongswan/patches/0004-VyOS-disable-options-enabled-by-Debian-that-are-unus.patch
+++ /dev/null
@@ -1,115 +0,0 @@ -From ee6c0b3ff6e3df5c7aef628621e19a813ff308ed Mon Sep 17 00:00:00 2001 -From: Christian Poessinger -Date: Tue, 27 Dec 2022 13:36:43 +0000 -Subject: [PATCH] VyOS: disable options enabled by Debian that are unused - -VyOS does not implement CLI options for all options exposed by Debian. - -The following options need to be disabled for the DMVPN patchset: - - mediation - - nm - -In addition we have no LED, LDAP and SQL configuration knows, thus we spare -the plugins. ---- - debian/libcharon-extra-plugins.install | 3 --- - debian/libstrongswan-extra-plugins.install | 3 --- - debian/rules | 11 ++++++++++- - debian/strongswan-nm.install | 2 -- - 4 files changed, 10 insertions(+), 9 deletions(-) - -diff --git a/debian/libcharon-extra-plugins.install b/debian/libcharon-extra-plugins.install -index 94fbabd88..068708ecb 100644 ---- a/debian/libcharon-extra-plugins.install -+++ b/debian/libcharon-extra-plugins.install -@@ -13,7 +13,6 @@ usr/lib/ipsec/plugins/libstrongswan-error-notify.so - usr/lib/ipsec/plugins/libstrongswan-forecast.so - usr/lib/ipsec/plugins/libstrongswan-ha.so - usr/lib/ipsec/plugins/libstrongswan-kernel-libipsec.so --usr/lib/ipsec/plugins/libstrongswan-led.so - usr/lib/ipsec/plugins/libstrongswan-lookip.so - #usr/lib/ipsec/plugins/libstrongswan-medsrv.so - #usr/lib/ipsec/plugins/libstrongswan-medcli.so -@@ -36,7 +35,6 @@ usr/share/strongswan/templates/config/plugins/error-notify.conf - usr/share/strongswan/templates/config/plugins/forecast.conf - usr/share/strongswan/templates/config/plugins/ha.conf - usr/share/strongswan/templates/config/plugins/kernel-libipsec.conf --usr/share/strongswan/templates/config/plugins/led.conf - usr/share/strongswan/templates/config/plugins/lookip.conf - #usr/share/strongswan/templates/config/plugins/medsrv.conf - #usr/share/strongswan/templates/config/plugins/medcli.conf -@@ -60,7 +58,6 @@ etc/strongswan.d/charon/error-notify.conf - etc/strongswan.d/charon/forecast.conf - etc/strongswan.d/charon/ha.conf - 
etc/strongswan.d/charon/kernel-libipsec.conf --etc/strongswan.d/charon/led.conf - etc/strongswan.d/charon/lookip.conf - #etc/strongswan.d/charon/medsrv.conf - #etc/strongswan.d/charon/medcli.conf -diff --git a/debian/libstrongswan-extra-plugins.install b/debian/libstrongswan-extra-plugins.install -index 2846e2155..00cd0a146 100644 ---- a/debian/libstrongswan-extra-plugins.install -+++ b/debian/libstrongswan-extra-plugins.install -@@ -8,7 +8,6 @@ usr/lib/ipsec/plugins/libstrongswan-ctr.so - usr/lib/ipsec/plugins/libstrongswan-curl.so - usr/lib/ipsec/plugins/libstrongswan-curve25519.so - usr/lib/ipsec/plugins/libstrongswan-gcrypt.so --usr/lib/ipsec/plugins/libstrongswan-ldap.so - usr/lib/ipsec/plugins/libstrongswan-pkcs11.so - usr/lib/ipsec/plugins/libstrongswan-test-vectors.so - usr/lib/ipsec/plugins/libstrongswan-tpm.so -@@ -20,7 +19,6 @@ usr/share/strongswan/templates/config/plugins/ctr.conf - usr/share/strongswan/templates/config/plugins/curl.conf - usr/share/strongswan/templates/config/plugins/curve25519.conf - usr/share/strongswan/templates/config/plugins/gcrypt.conf --usr/share/strongswan/templates/config/plugins/ldap.conf - usr/share/strongswan/templates/config/plugins/pkcs11.conf - usr/share/strongswan/templates/config/plugins/test-vectors.conf - usr/share/strongswan/templates/config/plugins/tpm.conf -@@ -31,7 +29,6 @@ etc/strongswan.d/charon/ctr.conf - etc/strongswan.d/charon/curl.conf - etc/strongswan.d/charon/curve25519.conf - etc/strongswan.d/charon/gcrypt.conf --etc/strongswan.d/charon/ldap.conf - etc/strongswan.d/charon/pkcs11.conf - etc/strongswan.d/charon/test-vectors.conf - etc/strongswan.d/charon/tpm.conf -diff --git a/debian/rules b/debian/rules -index 2fed1f10f..fa0d21a0c 100755 ---- a/debian/rules -+++ b/debian/rules -@@ -3,6 +3,15 @@ export DEB_LDFLAGS_MAINT_APPEND=-Wl,-O1 - #export DEB_LDFLAGS_MAINT_APPEND=-Wl,--as-needed -Wl,-O1 -Wl,-z,defs - export DEB_BUILD_MAINT_OPTIONS=hardening=+all - -+CONFIGUREARGS_VYOS := --disable-warnings \ -+ 
--disable-ldap \ -+ --disable-led \ -+ --disable-nm \ -+ --disable-mediation \ -+ --disable-mysql \ -+ --disable-sqlite \ -+ --disable-sql -+ - CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \ - --enable-addrblock \ - --enable-agent \ -@@ -88,7 +97,7 @@ ifeq ($(DEB_HOST_ARCH_OS),kfreebsd) - deb_systemdsystemunitdir = $(shell pkg-config --variable=systemdsystemunitdir systemd | sed s,^/,,) - - override_dh_auto_configure: -- dh_auto_configure -- $(CONFIGUREARGS) -+ dh_auto_configure -- $(CONFIGUREARGS) $(CONFIGUREARGS_VYOS) - - override_dh_auto_clean: - dh_auto_clean -diff --git a/debian/strongswan-nm.install b/debian/strongswan-nm.install -index b0c05d94f..e69de29bb 100644 ---- a/debian/strongswan-nm.install -+++ b/debian/strongswan-nm.install -@@ -1,2 +0,0 @@ --usr/lib/ipsec/charon-nm --usr/share/dbus-1/system.d/nm-strongswan-service.conf --- -2.30.2 - diff --git a/scripts/package-build/strongswan/patches/strongswan/0001-charon-add-optional-source-and-remote-overrides-for-.patch b/scripts/package-build/strongswan/patches/strongswan/0001-charon-add-optional-source-and-remote-overrides-for-.patch new file mode 100644 index 00000000..ceb47350 --- /dev/null +++ b/scripts/package-build/strongswan/patches/strongswan/0001-charon-add-optional-source-and-remote-overrides-for-.patch 
@@ -0,0 +1,579 @@ +From db627ec8a8e72bc6b23dc8ab00f4e6b4f448d01c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Timo=20Ter=C3=A4s?= +Date: Mon, 21 Sep 2015 13:41:58 +0300 +Subject: [PATCH 1/3] charon: add optional source and remote overrides for + initiate +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This introduces support for specifying optional IKE SA specific +source and remote address for child sa initiation. This allows +to initiate wildcard connection for known address via vici. + +In addition this allows impler implementation of trap-any patches +and is a prerequisite for dmvpn support. + +Signed-off-by: Timo Teräs +--- + src/charon-cmd/cmd/cmd_connection.c | 2 +- + src/libcharon/control/controller.c | 42 +++++++++++- + src/libcharon/control/controller.h | 3 + + src/libcharon/plugins/stroke/stroke_control.c | 5 +- + src/libcharon/plugins/vici/vici_config.c | 2 +- + src/libcharon/plugins/vici/vici_control.c | 64 ++++++++++++++++--- + .../processing/jobs/start_action_job.c | 2 +- + src/libcharon/sa/ike_sa_manager.c | 50 ++++++++++++++- + src/libcharon/sa/ike_sa_manager.h | 8 ++- + src/libcharon/sa/trap_manager.c | 44 +++++-------- + src/swanctl/commands/initiate.c | 40 +++++++++++- + 11 files changed, 215 insertions(+), 47 deletions(-) + +diff --git a/src/charon-cmd/cmd/cmd_connection.c b/src/charon-cmd/cmd/cmd_connection.c +index 2e2cb3c..b9369a8 100644 +--- a/src/charon-cmd/cmd/cmd_connection.c ++++ b/src/charon-cmd/cmd/cmd_connection.c +@@ -439,7 +439,7 @@ static job_requeue_t initiate(private_cmd_connection_t *this) + child_cfg = create_child_cfg(this, peer_cfg); + + if (charon->controller->initiate(charon->controller, peer_cfg, child_cfg, +- controller_cb_empty, NULL, LEVEL_SILENT, 0, FALSE) != SUCCESS) ++ NULL, NULL, controller_cb_empty, NULL, LEVEL_SILENT, 0, FALSE) != SUCCESS) + { + terminate(pid); + } +diff --git a/src/libcharon/control/controller.c b/src/libcharon/control/controller.c +index 
027f48e..4ce8616 100644 +--- a/src/libcharon/control/controller.c ++++ b/src/libcharon/control/controller.c +@@ -15,6 +15,28 @@ + * for more details. + */ + ++/* ++ * Copyright (C) 2014 Timo Teräs ++ * ++ * Permission is hereby granted, free of charge, to any person obtaining a copy ++ * of this software and associated documentation files (the "Software"), to deal ++ * in the Software without restriction, including without limitation the rights ++ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell ++ * copies of the Software, and to permit persons to whom the Software is ++ * furnished to do so, subject to the following conditions: ++ * ++ * The above copyright notice and this permission notice shall be included in ++ * all copies or substantial portions of the Software. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR ++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, ++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE ++ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER ++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, ++ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN ++ * THE SOFTWARE. ++ */ ++ + #include "controller.h" + + #include +@@ -107,6 +129,16 @@ struct interface_listener_t { + */ + ike_sa_t *ike_sa; + ++ /** ++ * Our host hint. ++ */ ++ host_t *my_host; ++ ++ /** ++ * Other host hint. 
++ */ ++ host_t *other_host; ++ + /** + * unique ID, used for various methods + */ +@@ -417,10 +449,15 @@ METHOD(job_t, initiate_execute, job_requeue_t, + ike_sa_t *ike_sa; + interface_listener_t *listener = &job->listener; + peer_cfg_t *peer_cfg = listener->peer_cfg; ++ host_t *my_host = listener->my_host; ++ host_t *other_host = listener->other_host; + + ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager, +- peer_cfg); ++ peer_cfg, my_host, other_host); + peer_cfg->destroy(peer_cfg); ++ DESTROY_IF(my_host); ++ DESTROY_IF(other_host); ++ + if (!ike_sa) + { + DESTROY_IF(listener->child_cfg); +@@ -499,6 +536,7 @@ METHOD(job_t, initiate_execute, job_requeue_t, + + METHOD(controller_t, initiate, status_t, + private_controller_t *this, peer_cfg_t *peer_cfg, child_cfg_t *child_cfg, ++ host_t *my_host, host_t *other_host, + controller_cb_t callback, void *param, level_t max_level, u_int timeout, + bool limits) + { +@@ -523,6 +561,8 @@ METHOD(controller_t, initiate, status_t, + .status = FAILED, + .child_cfg = child_cfg, + .peer_cfg = peer_cfg, ++ .my_host = my_host ? my_host->clone(my_host) : NULL, ++ .other_host = other_host ? 
other_host->clone(other_host) : NULL, + .lock = spinlock_create(), + .options.limits = limits, + }, +diff --git a/src/libcharon/control/controller.h b/src/libcharon/control/controller.h +index 36a1d46..a130fbb 100644 +--- a/src/libcharon/control/controller.h ++++ b/src/libcharon/control/controller.h +@@ -81,6 +81,8 @@ struct controller_t { + * + * @param peer_cfg peer_cfg to use for IKE_SA setup + * @param child_cfg optional child_cfg to set up CHILD_SA from ++ * @param my_host optional address hint for source ++ * @param other_host optional address hint for destination + * @param cb logging callback + * @param param parameter to include in each call of cb + * @param max_level maximum log level for which cb is invoked +@@ -95,6 +97,7 @@ struct controller_t { + */ + status_t (*initiate)(controller_t *this, + peer_cfg_t *peer_cfg, child_cfg_t *child_cfg, ++ host_t *my_host, host_t *other_host, + controller_cb_t callback, void *param, + level_t max_level, u_int timeout, bool limits); + +diff --git a/src/libcharon/plugins/stroke/stroke_control.c b/src/libcharon/plugins/stroke/stroke_control.c +index 2824c93..21ff6b3 100644 +--- a/src/libcharon/plugins/stroke/stroke_control.c ++++ b/src/libcharon/plugins/stroke/stroke_control.c +@@ -109,7 +109,7 @@ static void charon_initiate(private_stroke_control_t *this, peer_cfg_t *peer_cfg + if (msg->output_verbosity < 0) + { + charon->controller->initiate(charon->controller, peer_cfg, child_cfg, +- NULL, NULL, 0, 0, FALSE); ++ NULL, NULL, NULL, NULL, 0, 0, FALSE); + } + else + { +@@ -117,7 +117,8 @@ static void charon_initiate(private_stroke_control_t *this, peer_cfg_t *peer_cfg + status_t status; + + status = charon->controller->initiate(charon->controller, +- peer_cfg, child_cfg, (controller_cb_t)stroke_log, ++ peer_cfg, child_cfg, NULL, NULL, ++ (controller_cb_t)stroke_log, + &info, msg->output_verbosity, this->timeout, FALSE); + switch (status) + { +diff --git a/src/libcharon/plugins/vici/vici_config.c 
b/src/libcharon/plugins/vici/vici_config.c +index 5221225..b1486e3 100644 +--- a/src/libcharon/plugins/vici/vici_config.c ++++ b/src/libcharon/plugins/vici/vici_config.c +@@ -2252,7 +2252,7 @@ static void run_start_action(private_vici_config_t *this, peer_cfg_t *peer_cfg, + DBG1(DBG_CFG, "initiating '%s'", child_cfg->get_name(child_cfg)); + charon->controller->initiate(charon->controller, + peer_cfg->get_ref(peer_cfg), child_cfg->get_ref(child_cfg), +- NULL, NULL, 0, 0, FALSE); ++ NULL, NULL, NULL, NULL, 0, 0, FALSE); + } + } + +diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c +index 1c236d2..811d8db 100644 +--- a/src/libcharon/plugins/vici/vici_control.c ++++ b/src/libcharon/plugins/vici/vici_control.c +@@ -15,6 +15,28 @@ + * for more details. + */ + ++/* ++ * Copyright (C) 2014 Timo Teräs ++ * ++ * Permission is hereby granted, free of charge, to any person obtaining a copy ++ * of this software and associated documentation files (the "Software"), to deal ++ * in the Software without restriction, including without limitation the rights ++ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell ++ * copies of the Software, and to permit persons to whom the Software is ++ * furnished to do so, subject to the following conditions: ++ * ++ * The above copyright notice and this permission notice shall be included in ++ * all copies or substantial portions of the Software. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR ++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, ++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE ++ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER ++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, ++ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN ++ * THE SOFTWARE. 
++ */ ++ + #include "vici_control.h" + #include "vici_builder.h" + +@@ -173,9 +195,11 @@ static child_cfg_t* find_child_cfg(char *name, char *pname, peer_cfg_t **out) + CALLBACK(initiate, vici_message_t*, + private_vici_control_t *this, char *name, u_int id, vici_message_t *request) + { ++ vici_message_t* msg; + peer_cfg_t *peer_cfg = NULL; + child_cfg_t *child_cfg; +- char *child, *ike, *type, *sa; ++ host_t *my_host = NULL, *other_host = NULL; ++ char *child, *ike, *type, *sa, *my_host_str, *other_host_str; + int timeout; + bool limits; + controller_cb_t log_cb = NULL; +@@ -189,6 +213,8 @@ CALLBACK(initiate, vici_message_t*, + timeout = request->get_int(request, 0, "timeout"); + limits = request->get_bool(request, FALSE, "init-limits"); + log.level = request->get_int(request, 1, "loglevel"); ++ my_host_str = request->get_str(request, NULL, "my-host"); ++ other_host_str = request->get_str(request, NULL, "other-host"); + + if (!child && !ike) + { +@@ -199,31 +225,52 @@ CALLBACK(initiate, vici_message_t*, + log_cb = (controller_cb_t)log_vici; + } + ++ if (my_host_str) ++ { ++ my_host = host_create_from_string(my_host_str, 0); ++ } ++ if (other_host_str) ++ { ++ other_host = host_create_from_string(other_host_str, 0); ++ } ++ ++ + type = child ? 
"CHILD_SA" : "IKE_SA"; + sa = child ?: ike; + + child_cfg = find_child_cfg(child, ike, &peer_cfg); + +- DBG1(DBG_CFG, "vici initiate %s '%s'", type, sa); ++ DBG1(DBG_CFG, "vici initiate %s '%s', me %H, other %H, limits %d", type, sa, my_host, other_host, limits); + if (!peer_cfg) + { +- return send_reply(this, "%s config '%s' not found", type, sa); ++ msg = send_reply(this, "%s config '%s' not found", type, sa); ++ goto ret; + } +- switch (charon->controller->initiate(charon->controller, peer_cfg, child_cfg, +- log_cb, &log, log.level, timeout, limits)) ++ switch (charon->controller->initiate(charon->controller, ++ peer_cfg, child_cfg, ++ my_host, other_host, ++ log_cb, &log, log.level, timeout, limits)) + { + case SUCCESS: +- return send_reply(this, NULL); ++ msg = send_reply(this, NULL); ++ break; + case OUT_OF_RES: +- return send_reply(this, "%s '%s' not established after %dms", type, ++ msg = send_reply(this, "%s '%s' not established after %dms", type, + sa, timeout); ++ break; + case INVALID_STATE: +- return send_reply(this, "establishing %s '%s' not possible at the " ++ msg = send_reply(this, "establishing %s '%s' not possible at the " + "moment due to limits", type, sa); ++ break; + case FAILED: + default: +- return send_reply(this, "establishing %s '%s' failed", type, sa); ++ msg = send_reply(this, "establishing %s '%s' failed", type, sa); ++ break; + } ++ret: ++ if (my_host) my_host->destroy(my_host); ++ if (other_host) other_host->destroy(other_host); ++ return msg; + } + + /** +diff --git a/src/libcharon/processing/jobs/start_action_job.c b/src/libcharon/processing/jobs/start_action_job.c +index 122e5ce..dec458c 100644 +--- a/src/libcharon/processing/jobs/start_action_job.c ++++ b/src/libcharon/processing/jobs/start_action_job.c +@@ -84,7 +84,7 @@ METHOD(job_t, execute, job_requeue_t, + charon->controller->initiate(charon->controller, + peer_cfg->get_ref(peer_cfg), + child_cfg->get_ref(child_cfg), +- NULL, NULL, 0, 0, FALSE); ++ NULL, NULL, NULL, NULL, 
0, 0, FALSE); + } + } + children->destroy(children); +diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c +index fc31c2a..51e28bc 100644 +--- a/src/libcharon/sa/ike_sa_manager.c ++++ b/src/libcharon/sa/ike_sa_manager.c +@@ -16,6 +16,28 @@ + * for more details. + */ + ++/* ++ * Copyright (C) 2014 Timo Teräs ++ * ++ * Permission is hereby granted, free of charge, to any person obtaining a copy ++ * of this software and associated documentation files (the "Software"), to deal ++ * in the Software without restriction, including without limitation the rights ++ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell ++ * copies of the Software, and to permit persons to whom the Software is ++ * furnished to do so, subject to the following conditions: ++ * ++ * The above copyright notice and this permission notice shall be included in ++ * all copies or substantial portions of the Software. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR ++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, ++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE ++ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER ++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, ++ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN ++ * THE SOFTWARE. 
++ */ ++ + #include + #include + +@@ -1497,7 +1519,8 @@ typedef struct { + } config_entry_t; + + METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*, +- private_ike_sa_manager_t *this, peer_cfg_t *peer_cfg) ++ private_ike_sa_manager_t *this, peer_cfg_t *peer_cfg, ++ host_t *my_host, host_t *other_host) + { + enumerator_t *enumerator; + entry_t *entry; +@@ -1508,7 +1531,17 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*, + u_int segment; + int i; + +- DBG2(DBG_MGR, "checkout IKE_SA by config"); ++ if (my_host && my_host->get_port(my_host) == 0) ++ { ++ my_host->set_port(my_host, IKEV2_UDP_PORT); ++ } ++ if (other_host && other_host->get_port(other_host) == 0) ++ { ++ other_host->set_port(other_host, IKEV2_UDP_PORT); ++ } ++ ++ DBG2(DBG_MGR, "checkout IKE_SA by config '%s', me %H, other %H", ++ peer_cfg->get_name(peer_cfg), my_host, other_host); + + if (!this->reuse_ikesa && peer_cfg->get_ike_version(peer_cfg) != IKEV1) + { /* IKE_SA reuse disabled by config (not possible for IKEv1) */ +@@ -1566,6 +1599,15 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*, + continue; + } + ++ if (my_host && !my_host->ip_equals(my_host, entry->ike_sa->get_my_host(entry->ike_sa))) ++ { ++ continue; ++ } ++ if (other_host && !other_host->ip_equals(other_host, entry->ike_sa->get_other_host(entry->ike_sa))) ++ { ++ continue; ++ } ++ + current_peer = entry->ike_sa->get_peer_cfg(entry->ike_sa); + if (current_peer && current_peer->equals(current_peer, peer_cfg)) + { +@@ -1592,6 +1634,10 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*, + { + ike_sa->set_peer_cfg(ike_sa, peer_cfg); + checkout_new(this, ike_sa); ++ if (my_host || other_host) ++ { ++ ike_sa->update_hosts(ike_sa, my_host, other_host, TRUE); ++ } + } + } + charon->bus->set_sa(charon->bus, ike_sa); +diff --git a/src/libcharon/sa/ike_sa_manager.h b/src/libcharon/sa/ike_sa_manager.h +index 004cc22..50f8246 100644 +--- a/src/libcharon/sa/ike_sa_manager.h ++++ b/src/libcharon/sa/ike_sa_manager.h +@@ 
-123,7 +123,8 @@ struct ike_sa_manager_t { + ike_sa_t* (*checkout_by_message) (ike_sa_manager_t* this, message_t *message); + + /** +- * Checkout an IKE_SA for initiation by a peer_config. ++ * Checkout an IKE_SA for initiation by a peer_config and optional ++ * source and remote host addresses. + * + * To initiate, a CHILD_SA may be established within an existing IKE_SA. + * This call checks for an existing IKE_SA by comparing the configuration. +@@ -136,9 +137,12 @@ struct ike_sa_manager_t { + * @note The peer_config is always set on the returned IKE_SA. + * + * @param peer_cfg configuration used to find an existing IKE_SA ++ * @param my_host source host address for wildcard peer_cfg ++ * @param other_host remote host address for wildcard peer_cfg + * @return checked out/created IKE_SA + */ +- ike_sa_t *(*checkout_by_config)(ike_sa_manager_t* this, peer_cfg_t *peer_cfg); ++ ike_sa_t *(*checkout_by_config)(ike_sa_manager_t* this, peer_cfg_t *peer_cfg, ++ host_t *my_host, host_t *other_host); + + /** + * Reset initiator SPI. 
+diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c +index d8d8a42..e7c906e 100644 +--- a/src/libcharon/sa/trap_manager.c ++++ b/src/libcharon/sa/trap_manager.c +@@ -523,7 +523,7 @@ METHOD(trap_manager_t, acquire, void, + peer_cfg_t *peer; + child_cfg_t *child; + ike_sa_t *ike_sa; +- host_t *host; ++ host_t *host, *my_host = NULL, *other_host = NULL; + bool wildcard, ignore = FALSE; + + this->lock->read_lock(this->lock); +@@ -600,37 +600,27 @@ METHOD(trap_manager_t, acquire, void, + this->lock->unlock(this->lock); + + if (wildcard) +- { /* the peer config would match IKE_SAs with other peers */ +- ike_sa = charon->ike_sa_manager->create_new(charon->ike_sa_manager, +- peer->get_ike_version(peer), TRUE); +- if (ike_sa) +- { +- ike_cfg_t *ike_cfg; +- uint16_t port; +- uint8_t mask; +- +- ike_sa->set_peer_cfg(ike_sa, peer); +- ike_cfg = ike_sa->get_ike_cfg(ike_sa); +- +- port = ike_cfg->get_other_port(ike_cfg); +- data->dst->to_subnet(data->dst, &host, &mask); +- host->set_port(host, port); +- ike_sa->set_other_host(ike_sa, host); +- +- port = ike_cfg->get_my_port(ike_cfg); +- data->src->to_subnet(data->src, &host, &mask); +- host->set_port(host, port); +- ike_sa->set_my_host(ike_sa, host); +- +- charon->bus->set_sa(charon->bus, ike_sa); +- } +- } +- else + { +- ike_sa = charon->ike_sa_manager->checkout_by_config( +- charon->ike_sa_manager, peer); ++ ike_cfg_t *ike_cfg; ++ uint16_t port; ++ uint8_t mask; ++ ++ ike_cfg = peer->get_ike_cfg(peer); ++ ++ port = ike_cfg->get_other_port(ike_cfg); ++ data->dst->to_subnet(data->dst, &other_host, &mask); ++ other_host->set_port(other_host, port); ++ ++ port = ike_cfg->get_my_port(ike_cfg); ++ data->src->to_subnet(data->src, &my_host, &mask); ++ my_host->set_port(my_host, port); + } ++ ike_sa = charon->ike_sa_manager->checkout_by_config( ++ charon->ike_sa_manager, peer, ++ my_host, other_host); + peer->destroy(peer); ++ DESTROY_IF(my_host); ++ DESTROY_IF(other_host); + + if (ike_sa) + { +diff --git 
a/src/swanctl/commands/initiate.c b/src/swanctl/commands/initiate.c +index e0fffb9..dcaded5 100644 +--- a/src/swanctl/commands/initiate.c ++++ b/src/swanctl/commands/initiate.c +@@ -14,6 +14,28 @@ + * for more details. + */ + ++/* ++ * Copyright (C) 2014 Timo Teräs ++ * ++ * Permission is hereby granted, free of charge, to any person obtaining a copy ++ * of this software and associated documentation files (the "Software"), to deal ++ * in the Software without restriction, including without limitation the rights ++ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell ++ * copies of the Software, and to permit persons to whom the Software is ++ * furnished to do so, subject to the following conditions: ++ * ++ * The above copyright notice and this permission notice shall be included in ++ * all copies or substantial portions of the Software. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR ++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, ++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE ++ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER ++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, ++ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN ++ * THE SOFTWARE. 
++ */ ++ + #include "command.h" + + #include +@@ -38,7 +60,7 @@ static int initiate(vici_conn_t *conn) + vici_req_t *req; + vici_res_t *res; + command_format_options_t format = COMMAND_FORMAT_NONE; +- char *arg, *child = NULL, *ike = NULL; ++ char *arg, *child = NULL, *ike = NULL, *my_host = NULL, *other_host = NULL; + int ret = 0, timeout = 0, level = 1; + + while (TRUE) +@@ -65,6 +87,12 @@ static int initiate(vici_conn_t *conn) + case 'l': + level = atoi(arg); + continue; ++ case 'S': ++ my_host = arg; ++ continue; ++ case 'R': ++ other_host = arg; ++ continue; + case EOF: + break; + default: +@@ -88,6 +116,14 @@ static int initiate(vici_conn_t *conn) + { + vici_add_key_valuef(req, "ike", "%s", ike); + } ++ if (my_host) ++ { ++ vici_add_key_valuef(req, "my-host", "%s", my_host); ++ } ++ if (other_host) ++ { ++ vici_add_key_valuef(req, "other-host", "%s", other_host); ++ } + if (timeout) + { + vici_add_key_valuef(req, "timeout", "%d", timeout * 1000); +@@ -134,6 +170,8 @@ static void __attribute__ ((constructor))reg() + {"help", 'h', 0, "show usage information"}, + {"child", 'c', 1, "initiate a CHILD_SA configuration"}, + {"ike", 'i', 1, "initiate an IKE_SA, or name of child's parent"}, ++ {"source", 'S', 1, "override source address"}, ++ {"remote", 'R', 1, "override remote address"}, + {"timeout", 't', 1, "timeout in seconds before detaching"}, + {"raw", 'r', 0, "dump raw response message"}, + {"pretty", 'P', 0, "dump raw response message in pretty print"}, diff --git a/scripts/package-build/strongswan/patches/strongswan/0002-vici-send-certificates-for-ike-sa-events.patch b/scripts/package-build/strongswan/patches/strongswan/0002-vici-send-certificates-for-ike-sa-events.patch new file mode 100644 index 00000000..13e657e9 --- /dev/null +++ b/scripts/package-build/strongswan/patches/strongswan/0002-vici-send-certificates-for-ike-sa-events.patch 
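Review bot: In vici_control.c `initiate`, a `my-host` or `other-host` value that `host_create_from_string()` cannot parse leaves `my_host`/`other_host` NULL, so the request silently proceeds as if no override had been given and the client receives a SUCCESS reply for a different source or destination than it asked for (this assumes the constructor returns NULL on unparsable input, as elsewhere in libstrongswan). I would reject such input instead, e.g. `if (my_host_str && !(my_host = host_create_from_string(my_host_str, 0))) { return send_reply(this, "invalid my-host '%s'", my_host_str); }`, and for `other_host_str` set `msg` and `goto ret` so an already created `my_host` is released. Separately, `checkout_by_config()` in ike_sa_manager.c now writes through its `my_host`/`other_host` parameters via `set_port()`; the new header comment in ike_sa_manager.h should state that the caller's objects may be modified, e.g. `@param my_host source host address for wildcard peer_cfg (a zero port is replaced in place)`.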
@@ -0,0 +1,140 @@ +From 39d537b875e907c63a54d5de8ba6d2ea0ede4604 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Timo=20Ter=C3=A4s?= +Date: Mon, 21 Sep 2015 13:42:05 +0300 +Subject: [PATCH 2/3] vici: send certificates for ike-sa events +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Timo Teräs +--- + src/libcharon/plugins/vici/vici_query.c | 50 +++++++++++++++++++++---- + 1 file changed, 42 insertions(+), 8 deletions(-) + +diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c +index bacb7b101..19acc0789 100644 +--- a/src/libcharon/plugins/vici/vici_query.c ++++ b/src/libcharon/plugins/vici/vici_query.c +@@ -402,7 +402,7 @@ static void list_vips(private_vici_query_t *this, vici_builder_t *b, + * List details of an IKE_SA + */ + static void list_ike(private_vici_query_t *this, vici_builder_t *b, +- ike_sa_t *ike_sa, time_t now) ++ ike_sa_t *ike_sa, time_t now, bool add_certs) + { + time_t t; + ike_sa_id_t *id; +@@ -411,6 +411,8 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b, + uint32_t if_id; + uint16_t alg, ks; + host_t *host; ++ auth_cfg_t *auth_cfg; ++ enumerator_t *enumerator; + + b->add_kv(b, "uniqueid", "%u", ike_sa->get_unique_id(ike_sa)); + b->add_kv(b, "version", "%u", ike_sa->get_version(ike_sa)); +@@ -420,11 +422,43 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b, + b->add_kv(b, "local-host", "%H", host); + b->add_kv(b, "local-port", "%d", host->get_port(host)); + b->add_kv(b, "local-id", "%Y", ike_sa->get_my_id(ike_sa)); ++ if (add_certs) ++ { ++ enumerator = ike_sa->create_auth_cfg_enumerator(ike_sa, TRUE); ++ if (enumerator->enumerate(enumerator, &auth_cfg)) ++ { ++ certificate_t *cert = auth_cfg->get(auth_cfg, AUTH_RULE_SUBJECT_CERT); ++ chunk_t encoding; ++ ++ if (cert && cert->get_encoding(cert, CERT_ASN1_DER, &encoding)) ++ { ++ b->add(b, VICI_KEY_VALUE, "local-cert-data", encoding); ++ free(encoding.ptr); ++ 
} ++ } ++ enumerator->destroy(enumerator); ++ } + + host = ike_sa->get_other_host(ike_sa); + b->add_kv(b, "remote-host", "%H", host); + b->add_kv(b, "remote-port", "%d", host->get_port(host)); + b->add_kv(b, "remote-id", "%Y", ike_sa->get_other_id(ike_sa)); ++ if (add_certs) ++ { ++ enumerator = ike_sa->create_auth_cfg_enumerator(ike_sa, FALSE); ++ if (enumerator->enumerate(enumerator, &auth_cfg)) ++ { ++ certificate_t *cert = auth_cfg->get(auth_cfg, AUTH_RULE_SUBJECT_CERT); ++ chunk_t encoding; ++ ++ if (cert && cert->get_encoding(cert, CERT_ASN1_DER, &encoding)) ++ { ++ b->add(b, VICI_KEY_VALUE, "remote-cert-data", encoding); ++ free(encoding.ptr); ++ } ++ } ++ enumerator->destroy(enumerator); ++ } + + eap = ike_sa->get_other_eap_id(ike_sa); + +@@ -556,7 +590,7 @@ CALLBACK(list_sas, vici_message_t*, + b = vici_builder_create(); + b->begin_section(b, ike_sa->get_name(ike_sa)); + +- list_ike(this, b, ike_sa, now); ++ list_ike(this, b, ike_sa, now, TRUE); + + b->begin_section(b, "child-sas"); + csas = ike_sa->create_child_sa_enumerator(ike_sa); +@@ -1774,7 +1808,7 @@ METHOD(listener_t, ike_updown, bool, + } + + b->begin_section(b, ike_sa->get_name(ike_sa)); +- list_ike(this, b, ike_sa, now); ++ list_ike(this, b, ike_sa, now, up); + b->end_section(b); + + this->dispatcher->raise_event(this->dispatcher, +@@ -1799,10 +1833,10 @@ METHOD(listener_t, ike_rekey, bool, + b = vici_builder_create(); + b->begin_section(b, old->get_name(old)); + b->begin_section(b, "old"); +- list_ike(this, b, old, now); ++ list_ike(this, b, old, now, TRUE); + b->end_section(b); + b->begin_section(b, "new"); +- list_ike(this, b, new, now); ++ list_ike(this, b, new, now, TRUE); + b->end_section(b); + b->end_section(b); + +@@ -1833,7 +1867,7 @@ METHOD(listener_t, ike_update, bool, + b->add_kv(b, "remote-port", "%d", remote->get_port(remote)); + + b->begin_section(b, ike_sa->get_name(ike_sa)); +- list_ike(this, b, ike_sa, now); ++ list_ike(this, b, ike_sa, now, TRUE); + b->end_section(b); + + 
this->dispatcher->raise_event(this->dispatcher, +@@ -1863,7 +1897,7 @@ METHOD(listener_t, child_updown, bool, + } + + b->begin_section(b, ike_sa->get_name(ike_sa)); +- list_ike(this, b, ike_sa, now); ++ list_ike(this, b, ike_sa, now, up); + b->begin_section(b, "child-sas"); + + snprintf(buf, sizeof(buf), "%s-%u", child_sa->get_name(child_sa), +@@ -1898,7 +1932,7 @@ METHOD(listener_t, child_rekey, bool, + b = vici_builder_create(); + + b->begin_section(b, ike_sa->get_name(ike_sa)); +- list_ike(this, b, ike_sa, now); ++ list_ike(this, b, ike_sa, now, TRUE); + b->begin_section(b, "child-sas"); + + b->begin_section(b, old->get_name(old)); +-- +2.38.1 + diff --git a/scripts/package-build/strongswan/patches/strongswan/0003-vici-add-support-for-individual-sa-state-changes.patch b/scripts/package-build/strongswan/patches/strongswan/0003-vici-add-support-for-individual-sa-state-changes.patch new file mode 100644 index 00000000..45aadc72 --- /dev/null +++ b/scripts/package-build/strongswan/patches/strongswan/0003-vici-add-support-for-individual-sa-state-changes.patch 
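Review bot: The two `if (add_certs)` blocks added to `list_ike()` in vici_query.c are the same fifteen lines with only the `TRUE`/`FALSE` local flag and the `local-cert-data`/`remote-cert-data` key changed; a small static helper would keep the function readable and keep the enumerator and `encoding.ptr` cleanup in one place. The helper below takes the builder, the IKE_SA, the local flag and the key name and is called twice. Note also that only the first `auth_cfg` round is inspected (`enumerate()` is called once), so for multi-round authentication later certificates are not reported; if that is intended, a one-line comment such as `/* only the first authentication round's certificate is exported */` would help. `list_ike()` begins and ends outside the hunk.
```c
/* Adds the DER encoding of the subject certificate of the first
 * authentication round (local or remote) under the given key. */
static void add_cert_data(vici_builder_t *b, ike_sa_t *ike_sa,
						  bool local, char *key)
{
	enumerator_t *enumerator;
	auth_cfg_t *auth_cfg;
	certificate_t *cert;
	chunk_t encoding;

	enumerator = ike_sa->create_auth_cfg_enumerator(ike_sa, local);
	if (enumerator->enumerate(enumerator, &auth_cfg))
	{
		cert = auth_cfg->get(auth_cfg, AUTH_RULE_SUBJECT_CERT);
		if (cert && cert->get_encoding(cert, CERT_ASN1_DER, &encoding))
		{
			b->add(b, VICI_KEY_VALUE, key, encoding);
			free(encoding.ptr);
		}
	}
	enumerator->destroy(enumerator);
}

/* … unchanged: list_ike() up to the local-id key … */
	if (add_certs)
	{
		add_cert_data(b, ike_sa, TRUE, "local-cert-data");
	}
/* … unchanged: remote-host, remote-port, remote-id … */
	if (add_certs)
	{
		add_cert_data(b, ike_sa, FALSE, "remote-cert-data");
	}
```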
@@ -0,0 +1,159 @@ +From df6b501ed29b838efde0f1cb1c906ab9befc7b45 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Timo=20Ter=C3=A4s?= +Date: Mon, 21 Sep 2015 13:42:11 +0300 +Subject: [PATCH 3/3] vici: add support for individual sa state changes +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Useful for monitoring and tracking full SA. + +Signed-off-by: Timo Teräs +--- + src/libcharon/plugins/vici/vici_query.c | 105 ++++++++++++++++++++++++ + 1 file changed, 105 insertions(+) + +diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c +index 19acc0789..e008885f7 100644 +--- a/src/libcharon/plugins/vici/vici_query.c ++++ b/src/libcharon/plugins/vici/vici_query.c +@@ -1774,8 +1774,16 @@ static void manage_commands(private_vici_query_t *this, bool reg) + this->dispatcher->manage_event(this->dispatcher, "ike-updown", reg); + this->dispatcher->manage_event(this->dispatcher, "ike-rekey", reg); + this->dispatcher->manage_event(this->dispatcher, "ike-update", reg); ++ this->dispatcher->manage_event(this->dispatcher, "ike-state-established", reg); ++ this->dispatcher->manage_event(this->dispatcher, "ike-state-destroying", reg); + this->dispatcher->manage_event(this->dispatcher, "child-updown", reg); + this->dispatcher->manage_event(this->dispatcher, "child-rekey", reg); ++ this->dispatcher->manage_event(this->dispatcher, "child-state-installing", reg); ++ this->dispatcher->manage_event(this->dispatcher, "child-state-installed", reg); ++ this->dispatcher->manage_event(this->dispatcher, "child-state-updating", reg); ++ this->dispatcher->manage_event(this->dispatcher, "child-state-rekeying", reg); ++ this->dispatcher->manage_event(this->dispatcher, "child-state-rekeyed", reg); ++ this->dispatcher->manage_event(this->dispatcher, "child-state-destroying", reg); + manage_command(this, "list-sas", list_sas, reg); + manage_command(this, "list-policies", list_policies, reg); + manage_command(this, 
"list-conns", list_conns, reg); +@@ -1876,6 +1884,45 @@ METHOD(listener_t, ike_update, bool, + return TRUE; + } + ++METHOD(listener_t, ike_state_change, bool, ++ private_vici_query_t *this, ike_sa_t *ike_sa, ike_sa_state_t state) ++{ ++ char *event; ++ vici_builder_t *b; ++ time_t now; ++ ++ switch (state) ++ { ++ case IKE_ESTABLISHED: ++ event = "ike-state-established"; ++ break; ++ case IKE_DESTROYING: ++ event = "ike-state-destroying"; ++ break; ++ default: ++ return TRUE; ++ } ++ ++ if (!this->dispatcher->has_event_listeners(this->dispatcher, event)) ++ { ++ return TRUE; ++ } ++ ++ now = time_monotonic(NULL); ++ ++ b = vici_builder_create(); ++ b->begin_section(b, ike_sa->get_name(ike_sa)); ++ list_ike(this, b, ike_sa, now, state != IKE_DESTROYING); ++ b->begin_section(b, "child-sas"); ++ b->end_section(b); ++ b->end_section(b); ++ ++ this->dispatcher->raise_event(this->dispatcher, ++ event, 0, b->finalize(b)); ++ ++ return TRUE; ++} ++ + METHOD(listener_t, child_updown, bool, + private_vici_query_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, bool up) + { +@@ -1955,6 +2002,62 @@ METHOD(listener_t, child_rekey, bool, + return TRUE; + } + ++METHOD(listener_t, child_state_change, bool, ++ private_vici_query_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, child_sa_state_t state) ++{ ++ char *event; ++ vici_builder_t *b; ++ time_t now; ++ ++ switch (state) ++ { ++ case CHILD_INSTALLING: ++ event = "child-state-installing"; ++ break; ++ case CHILD_INSTALLED: ++ event = "child-state-installed"; ++ break; ++ case CHILD_UPDATING: ++ event = "child-state-updating"; ++ break; ++ case CHILD_REKEYING: ++ event = "child-state-rekeying"; ++ break; ++ case CHILD_REKEYED: ++ event = "child-state-rekeyed"; ++ break; ++ case CHILD_DESTROYING: ++ event = "child-state-destroying"; ++ break; ++ default: ++ return TRUE; ++ } ++ ++ if (!this->dispatcher->has_event_listeners(this->dispatcher, event)) ++ { ++ return TRUE; ++ } ++ ++ now = time_monotonic(NULL); ++ ++ b = 
vici_builder_create(); ++ b->begin_section(b, ike_sa->get_name(ike_sa)); ++ list_ike(this, b, ike_sa, now, state != CHILD_DESTROYING); ++ b->begin_section(b, "child-sas"); ++ ++ b->begin_section(b, child_sa->get_name(child_sa)); ++ list_child(this, b, child_sa, now); ++ b->end_section(b); ++ ++ b->end_section(b); ++ b->end_section(b); ++ ++ this->dispatcher->raise_event(this->dispatcher, ++ event, 0, b->finalize(b)); ++ ++ return TRUE; ++} ++ + METHOD(vici_query_t, destroy, void, + private_vici_query_t *this) + { +@@ -1975,8 +2078,10 @@ vici_query_t *vici_query_create(vici_dispatcher_t *dispatcher) + .ike_updown = _ike_updown, + .ike_rekey = _ike_rekey, + .ike_update = _ike_update, ++ .ike_state_change = _ike_state_change, + .child_updown = _child_updown, + .child_rekey = _child_rekey, ++ .child_state_change = _child_state_change, + }, + .destroy = _destroy, + }, +-- +2.38.1 + diff --git a/scripts/package-build/strongswan/patches/strongswan/0004-VyOS-disable-options-enabled-by-Debian-that-are-unus.patch b/scripts/package-build/strongswan/patches/strongswan/0004-VyOS-disable-options-enabled-by-Debian-that-are-unus.patch new file mode 100644 index 00000000..57a622e8 --- /dev/null +++ b/scripts/package-build/strongswan/patches/strongswan/0004-VyOS-disable-options-enabled-by-Debian-that-are-unus.patch 
@@ -0,0 +1,115 @@ +From ee6c0b3ff6e3df5c7aef628621e19a813ff308ed Mon Sep 17 00:00:00 2001 +From: Christian Poessinger +Date: Tue, 27 Dec 2022 13:36:43 +0000 +Subject: [PATCH] VyOS: disable options enabled by Debian that are unused + +VyOS does not implement CLI options for all options exposed by Debian. + +The following options need to be disabled for the DMVPN patchset: + - mediation + - nm + +In addition we have no LED, LDAP and SQL configuration knows, thus we spare +the plugins. +--- + debian/libcharon-extra-plugins.install | 3 --- + debian/libstrongswan-extra-plugins.install | 3 --- + debian/rules | 11 ++++++++++- + debian/strongswan-nm.install | 2 -- + 4 files changed, 10 insertions(+), 9 deletions(-) + +diff --git a/debian/libcharon-extra-plugins.install b/debian/libcharon-extra-plugins.install +index 94fbabd88..068708ecb 100644 +--- a/debian/libcharon-extra-plugins.install ++++ b/debian/libcharon-extra-plugins.install +@@ -13,7 +13,6 @@ usr/lib/ipsec/plugins/libstrongswan-error-notify.so + usr/lib/ipsec/plugins/libstrongswan-forecast.so + usr/lib/ipsec/plugins/libstrongswan-ha.so + usr/lib/ipsec/plugins/libstrongswan-kernel-libipsec.so +-usr/lib/ipsec/plugins/libstrongswan-led.so + usr/lib/ipsec/plugins/libstrongswan-lookip.so + #usr/lib/ipsec/plugins/libstrongswan-medsrv.so + #usr/lib/ipsec/plugins/libstrongswan-medcli.so +@@ -36,7 +35,6 @@ usr/share/strongswan/templates/config/plugins/error-notify.conf + usr/share/strongswan/templates/config/plugins/forecast.conf + usr/share/strongswan/templates/config/plugins/ha.conf + usr/share/strongswan/templates/config/plugins/kernel-libipsec.conf +-usr/share/strongswan/templates/config/plugins/led.conf + usr/share/strongswan/templates/config/plugins/lookip.conf + #usr/share/strongswan/templates/config/plugins/medsrv.conf + #usr/share/strongswan/templates/config/plugins/medcli.conf +@@ -60,7 +58,6 @@ etc/strongswan.d/charon/error-notify.conf + etc/strongswan.d/charon/forecast.conf + etc/strongswan.d/charon/ha.conf + 
etc/strongswan.d/charon/kernel-libipsec.conf
+-etc/strongswan.d/charon/led.conf
+ etc/strongswan.d/charon/lookip.conf
+ #etc/strongswan.d/charon/medsrv.conf
+ #etc/strongswan.d/charon/medcli.conf
+diff --git a/debian/libstrongswan-extra-plugins.install b/debian/libstrongswan-extra-plugins.install
+index 2846e2155..00cd0a146 100644
+--- a/debian/libstrongswan-extra-plugins.install
++++ b/debian/libstrongswan-extra-plugins.install
+@@ -8,7 +8,6 @@ usr/lib/ipsec/plugins/libstrongswan-ctr.so
+ usr/lib/ipsec/plugins/libstrongswan-curl.so
+ usr/lib/ipsec/plugins/libstrongswan-curve25519.so
+ usr/lib/ipsec/plugins/libstrongswan-gcrypt.so
+-usr/lib/ipsec/plugins/libstrongswan-ldap.so
+ usr/lib/ipsec/plugins/libstrongswan-pkcs11.so
+ usr/lib/ipsec/plugins/libstrongswan-test-vectors.so
+ usr/lib/ipsec/plugins/libstrongswan-tpm.so
+@@ -20,7 +19,6 @@ usr/share/strongswan/templates/config/plugins/ctr.conf
+ usr/share/strongswan/templates/config/plugins/curl.conf
+ usr/share/strongswan/templates/config/plugins/curve25519.conf
+ usr/share/strongswan/templates/config/plugins/gcrypt.conf
+-usr/share/strongswan/templates/config/plugins/ldap.conf
+ usr/share/strongswan/templates/config/plugins/pkcs11.conf
+ usr/share/strongswan/templates/config/plugins/test-vectors.conf
+ usr/share/strongswan/templates/config/plugins/tpm.conf
+@@ -31,7 +29,6 @@ etc/strongswan.d/charon/ctr.conf
+ etc/strongswan.d/charon/curl.conf
+ etc/strongswan.d/charon/curve25519.conf
+ etc/strongswan.d/charon/gcrypt.conf
+-etc/strongswan.d/charon/ldap.conf
+ etc/strongswan.d/charon/pkcs11.conf
+ etc/strongswan.d/charon/test-vectors.conf
+ etc/strongswan.d/charon/tpm.conf
+diff --git a/debian/rules b/debian/rules
+index 2fed1f10f..fa0d21a0c 100755
+--- a/debian/rules
++++ b/debian/rules
+@@ -3,6 +3,15 @@ export DEB_LDFLAGS_MAINT_APPEND=-Wl,-O1
+ #export DEB_LDFLAGS_MAINT_APPEND=-Wl,--as-needed -Wl,-O1 -Wl,-z,defs
+ export DEB_BUILD_MAINT_OPTIONS=hardening=+all
+
++CONFIGUREARGS_VYOS := --disable-warnings \
++ 
--disable-ldap \
++ --disable-led \
++ --disable-nm \
++ --disable-mediation \
++ --disable-mysql \
++ --disable-sqlite \
++ --disable-sql
++
+ CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \
+ --enable-addrblock \
+ --enable-agent \
+@@ -88,7 +97,7 @@ ifeq ($(DEB_HOST_ARCH_OS),kfreebsd)
+ deb_systemdsystemunitdir = $(shell pkg-config --variable=systemdsystemunitdir systemd | sed s,^/,,)
+
+ override_dh_auto_configure:
+- dh_auto_configure -- $(CONFIGUREARGS)
++ dh_auto_configure -- $(CONFIGUREARGS) $(CONFIGUREARGS_VYOS)
+
+ override_dh_auto_clean:
+ dh_auto_clean
+diff --git a/debian/strongswan-nm.install b/debian/strongswan-nm.install
+index b0c05d94f..e69de29bb 100644
+--- a/debian/strongswan-nm.install
++++ b/debian/strongswan-nm.install
+@@ -1,2 +0,0 @@
+-usr/lib/ipsec/charon-nm
+-usr/share/dbus-1/system.d/nm-strongswan-service.conf
+--
+2.30.2
+
diff --git a/scripts/package-build/wide-dhcpv6/patches/0023-dhcpc6-support-per-interface-client-DUIDs.patch b/scripts/package-build/wide-dhcpv6/patches/0023-dhcpc6-support-per-interface-client-DUIDs.patch
deleted file mode 100644
index c1e71f0c..00000000
--- a/scripts/package-build/wide-dhcpv6/patches/0023-dhcpc6-support-per-interface-client-DUIDs.patch
+++ /dev/null
@@ -1,230 +0,0 @@ -From 1e4a9a7b61090043924f2aa9359dcbc9f5e11bfc Mon Sep 17 00:00:00 2001 -From: Brandon Stepler -Date: Mon, 25 Jan 2021 14:18:57 +0000 -Subject: [PATCH] dhcpc6: support per-interface client DUIDs - ---- - cfparse.y | 13 +++++++++++-- - cftoken.l | 10 ++++++++++ - config.c | 27 +++++++++++++++++++++++++++ - config.h | 3 ++- - dhcp6c.c | 11 ++++++++--- - dhcp6c.conf.5 | 6 ++++++ - 6 files changed, 64 insertions(+), 6 deletions(-) - -diff --git a/cfparse.y b/cfparse.y -index 9e685f4..244987c 100644 ---- a/cfparse.y -+++ b/cfparse.y -@@ -116,6 +116,7 @@ static void cleanup_cflist __P((struct cf_list *)); - %token BCMCS_SERVERS BCMCS_NAME - %token INFO_ONLY - %token SCRIPT DELAYEDKEY -+%token CLIENT_ID CLIENT_ID_DUID - %token AUTHENTICATION PROTOCOL ALGORITHM DELAYED RECONFIG HMACMD5 MONOCOUNTER - %token AUTHNAME RDM KEY - %token KEYINFO REALM KEYID SECRET KEYNAME EXPIRE -@@ -134,8 +135,8 @@ static void cleanup_cflist __P((struct cf_list *)); - struct dhcp6_poolspec *pool; - } - --%type IFNAME HOSTNAME AUTHNAME KEYNAME DUID_ID STRING QSTRING IAID --%type POOLNAME PROFILENAME -+%type IFNAME HOSTNAME CLIENT_ID_DUID AUTHNAME KEYNAME DUID_ID -+%type STRING QSTRING IAID POOLNAME PROFILENAME - %type NUMBER duration authproto authalg authrdm - %type declaration declarations dhcpoption ifparam ifparams - %type address_list address_list_ent dhcpoption_list -@@ -639,6 +640,14 @@ dhcpoption: - /* no value */ - $$ = l; - } -+ | CLIENT_ID CLIENT_ID_DUID -+ { -+ struct cf_list *l; -+ -+ MAKE_CFLIST(l, DHCPOPT_CLIENT_ID, NULL, NULL); -+ l->ptr = $2; -+ $$ = l; -+ } - | AUTHENTICATION AUTHNAME - { - struct cf_list *l; -diff --git a/cftoken.l b/cftoken.l -index e266ac2..d7edd1f 100644 ---- a/cftoken.l -+++ b/cftoken.l -@@ -119,6 +119,7 @@ ecl \} - %s S_HOST - %s S_DUID - %s S_IA -+%s S_CID - %s S_AUTH - %s S_KEY - %s S_SECRET -@@ -249,6 +250,15 @@ ecl \} - /* duration */ - infinity { DECHO; return (INFINITY); } - -+ /* client-id option */ -+client-id { DECHO; BEGIN 
S_CID; return (CLIENT_ID); } -+{duid} { -+ DECHO; -+ yylval.str = strdup(yytext); -+ BEGIN S_CNF; -+ return (CLIENT_ID_DUID); -+} -+ - /* authentication option */ - authentication { DECHO; BEGIN S_AUTH; return (AUTHENTICATION); } - {string} { -diff --git a/config.c b/config.c -index 70f6287..0cbe631 100644 ---- a/config.c -+++ b/config.c -@@ -100,6 +100,7 @@ struct dhcp6_ifconf { - struct dhcp6_ifconf *next; - - char *ifname; -+ struct duid duid; - - /* configuration flags */ - u_long send_flags; -@@ -1366,6 +1367,7 @@ configure_commit() - /* commit interface configuration */ - for (ifp = dhcp6_if; ifp; ifp = ifp->next) { - /* re-initialization */ -+ duidfree(&ifp->duid); - ifp->send_flags = 0; - ifp->allow_flags = 0; - dhcp6_clear_list(&ifp->reqopt_list); -@@ -1395,6 +1397,8 @@ configure_commit() - } - - /* copy new configuration */ -+ ifp->duid = ifc->duid; -+ ifc->duid.duid_id = NULL; - ifp->send_flags = ifc->send_flags; - ifp->allow_flags = ifc->allow_flags; - dhcp6_copy_list(&ifp->reqopt_list, &ifc->reqopt_list); -@@ -1505,6 +1509,7 @@ clear_ifconf(iflist) - ifc_next = ifc->next; - - free(ifc->ifname); -+ duidfree(&ifc->duid); - dhcp6_clear_list(&ifc->reqopt_list); - - clear_iaconf(&ifc->iaconf_list); -@@ -1635,6 +1640,28 @@ add_options(opcode, ifc, cfl0) - return (-1); - } - break; -+ case DHCPOPT_CLIENT_ID: -+ if (opcode != DHCPOPTCODE_SEND) { -+ debug_printf(LOG_ERR, FNAME, -+ "invalid operation (%d) " -+ "for option type (%d)", -+ opcode, cfl->type); -+ return (-1); -+ } -+ if (ifc->duid.duid_id != NULL) { -+ debug_printf(LOG_ERR, FNAME, "%s:%d " -+ "client-id is doubly specified on %s", -+ configfilename, cfl->line, ifc->ifname); -+ return (-1); -+ } -+ if ((configure_duid((char *)cfl->ptr, -+ &ifc->duid)) != 0) { -+ debug_printf(LOG_ERR, FNAME, "%s:%d " -+ "failed to configure DUID for %s", -+ configfilename, cfl->line, ifc->ifname); -+ return (-1); -+ } -+ break; - case DHCPOPT_AUTHINFO: - if (opcode != DHCPOPTCODE_SEND) { - debug_printf(LOG_ERR, FNAME, 
-diff --git a/config.h b/config.h -index 36a5aa3..cfcfdd5 100644 ---- a/config.h -+++ b/config.h -@@ -69,6 +69,7 @@ struct dhcp6_if { - u_int32_t linkid; /* to send link-local packets */ - /* multiple global address configuration is not supported now */ - struct in6_addr addr; /* global address */ -+ struct duid duid; - - /* configuration parameters */ - u_long send_flags; -@@ -267,7 +268,7 @@ enum { DECL_SEND, DECL_ALLOW, DECL_INFO_ONLY, DECL_REQUEST, DECL_DUID, - DECL_ADDRESS, - DECL_RANGE, DECL_ADDRESSPOOL, - IFPARAM_SLA_ID, IFPARAM_SLA_LEN, IFPARAM_IFID, IFPARAM_IFID_RAND, -- DHCPOPT_RAPID_COMMIT, DHCPOPT_AUTHINFO, -+ DHCPOPT_RAPID_COMMIT, DHCPOPT_CLIENT_ID, DHCPOPT_AUTHINFO, - DHCPOPT_DNS, DHCPOPT_DNSNAME, - DHCPOPT_IA_PD, DHCPOPT_IA_NA, DHCPOPT_NTP, - DHCPOPT_REFRESHTIME, -diff --git a/dhcp6c.c b/dhcp6c.c -index 849835e..875a147 100644 ---- a/dhcp6c.c -+++ b/dhcp6c.c -@@ -433,6 +433,11 @@ client6_start(ifp) - } - dhcp6_reset_timer(ev); - -+ if (!ifp->duid.duid_id && duidcpy(&ifp->duid, &client_duid)) { -+ debug_printf(LOG_ERR, FNAME, "failed to copy client DUID"); -+ return (-1); -+ } -+ - return (0); - } - -@@ -1249,7 +1254,7 @@ client6_send(ev) - } - - /* client ID */ -- if (duidcpy(&optinfo.clientID, &client_duid)) { -+ if (duidcpy(&optinfo.clientID, &ifp->duid)) { - debug_printf(LOG_ERR, FNAME, "failed to copy client ID"); - goto end; - } -@@ -1533,7 +1538,7 @@ client6_recvadvert(ifp, dh6, len, optinfo) - debug_printf(LOG_INFO, FNAME, "no client ID option"); - return (-1); - } -- if (duidcmp(&optinfo->clientID, &client_duid)) { -+ if (duidcmp(&optinfo->clientID, &ifp->duid)) { - debug_printf(LOG_INFO, FNAME, "client DUID mismatch"); - return (-1); - } -@@ -1805,7 +1810,7 @@ client6_recvreply(ifp, dh6, len, optinfo) - debug_printf(LOG_INFO, FNAME, "no client ID option"); - return (-1); - } -- if (duidcmp(&optinfo->clientID, &client_duid)) { -+ if (duidcmp(&optinfo->clientID, &ifp->duid)) { - debug_printf(LOG_INFO, FNAME, "client DUID mismatch"); - return 
(-1);
- }
-diff --git a/dhcp6c.conf.5 b/dhcp6c.conf.5
-index 5693fb8..589510a 100644
---- a/dhcp6c.conf.5
-+++ b/dhcp6c.conf.5
-@@ -139,6 +139,12 @@ An
- statement for
- .Ar authname
- must be provided.
-+.It Ic client-id Ar ID
-+means the client's DHCP unique identifier
-+.Pq DUID .
-+.Ar ID
-+is a colon-separated hexadecimal sequence where each separated part
-+must be composed of two hexadecimal values.
- .El
- .\"
- .Sh Interface statement
---
-2.20.1
-
diff --git a/scripts/package-build/wide-dhcpv6/patches/0024-bind-to-single-socket.patch b/scripts/package-build/wide-dhcpv6/patches/0024-bind-to-single-socket.patch
deleted file mode 100644
index b5751325..00000000
--- a/scripts/package-build/wide-dhcpv6/patches/0024-bind-to-single-socket.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-diff --git a/dhcp6c.c b/dhcp6c.c
-index 1caaaa5..04ce9c5 100644
---- a/dhcp6c.c
-+++ b/dhcp6c.c
-@@ -217,6 +217,12 @@ main(argc, argv)
- argv[0]);
- exit(1);
- }
-+
-+ if (setsockopt(sock, SOL_SOCKET, SO_BINDTODEVICE, argv[0], strlen(argv[0])) != 0) {
-+ debug_printf(LOG_ERR, FNAME, "failed to bind %s", argv[0]);
-+ exit(1);
-+ }
-+
- argv++;
- }
-
diff --git a/scripts/package-build/wide-dhcpv6/patches/0025-option-to-prevent-ia-release.patch b/scripts/package-build/wide-dhcpv6/patches/0025-option-to-prevent-ia-release.patch
deleted file mode 100644
index 32c15814..00000000
--- a/scripts/package-build/wide-dhcpv6/patches/0025-option-to-prevent-ia-release.patch
+++ /dev/null
@@ -1,155 +0,0 @@ -From: 1vivy <1vivy@tutanota.com> -Date: Sat, 22 Jul 2023 13:07:10 -0600 -Subject: wide-dhcpv6: T5387: Add a no release option '-n'. - -This prevents a release signal from being sent to the ISP causing a new PD or address to be allocated. - -Co-authored-by: MrLenin <909621+MrLenin@users.noreply.github.com> -Co-authored-by: marjohn56 ---- wide-dhcpv6.orig/common.h -+++ wide-dhcpv6/common.h -@@ -120,6 +120,7 @@ sysdep_sa_len (const struct sockaddr *sa - extern int foreground; - extern int debug_thresh; - extern char *device; -+extern int opt_norelease; - - /* search option for dhcp6_find_listval() */ - #define MATCHLIST_PREFIXLEN 0x1 ---- wide-dhcpv6.orig/dhcp6c.8 -+++ wide-dhcpv6/dhcp6c.8 -@@ -88,6 +88,10 @@ is terminated. (suits for a use in shel - Since the configuration is internally generated, you cannot provide a configuration in this mode. If you want to have different actions for the stateless DHCPv6 information, you should write an appropriate configuration and invoke - .Nm - without this option. -+.It Fl n -+Prevent Release message from being sent to DHCPv6 server when -+.Nm -+stops. This is useful for preventing a new address from being configured by the DHCPv6 server when restarting the DHCPv6 client. - .It Fl p Ar pid-file - Use - .Ar pid-file -@@ -109,18 +113,22 @@ or - .Fl i - option is specified. - .Pp --Upon receipt of the --.Dv SIGHUP -+Upon receipt of a -+.Dv SIGHUP , -+.Dv SIGTERM , - or --.Dv SIGTERM --signals, --.Nm --will remove all stateful resources from the system. --In the former case the daemon will then reinvoke itself, --while it will stop running in the latter case. --In either case, -+.Dv SIGUSR1 -+signal, - .Nm --will send DHCPv6 Release messages to release resources assigned from servers. -+will remove all stateful resources from the system. After that, -+.Dv SIGHUP -+reinitializes the daemon, and -+.Dv SIGTERM -+stops the daemon. 
In both cases, DHCPv6 Release message will be sent to release resources assigned from servers. -+.Dv SIGUSR1 -+stops the daemon as -+.Dv SIGTERM -+does though DHCPv6 Release message will not be sent. - .\" - .Sh FILES - .Bl -tag -width /etc/wide-dhcpv6/dhcp6c.conf -compact ---- wide-dhcpv6.orig/dhcp6c.c -+++ wide-dhcpv6/dhcp6c.c -@@ -84,6 +84,7 @@ static int exit_ok = 0; - static sig_atomic_t sig_flags = 0; - #define SIGF_TERM 0x1 - #define SIGF_HUP 0x2 -+#define SIGF_USR1 0x4 - - const dhcp6_mode_t dhcp6_mode = DHCP6_MODE_CLIENT; - -@@ -108,6 +109,8 @@ static int ctldigestlen; - - static int infreq_mode = 0; - -+int opt_norelease; -+ - static inline int get_val32 __P((char **, int *, u_int32_t *)); - static inline int get_ifname __P((char **, int *, char *, int)); - -@@ -170,7 +173,7 @@ main(argc, argv) - else - progname++; - -- while ((ch = getopt(argc, argv, "c:dDfik:p:P:")) != -1) { -+ while ((ch = getopt(argc, argv, "c:dDfik:np:P:")) != -1) { - switch (ch) { - case 'c': - conffile = optarg; -@@ -190,6 +193,9 @@ main(argc, argv) - case 'k': - ctlkeyfile = optarg; - break; -+ case 'n': -+ opt_norelease = 1; -+ break; - case 'p': - pid_file = optarg; - break; -@@ -395,6 +401,11 @@ client6_init() - strerror(errno)); - exit(1); - } -+ if (signal(SIGUSR1, client6_signal) == SIG_ERR) { -+ debug_printf(LOG_WARNING, FNAME, "failed to set signal: %s", -+ strerror(errno)); -+ exit(1); -+ } - } - - int -@@ -525,6 +536,13 @@ process_signals() - free_resources(NULL); - client6_startall(1); - } -+ if ((sig_flags & SIGF_USR1)) { -+ debug_printf(LOG_INFO, FNAME, "exit without release"); -+ exit_ok = 1; -+ opt_norelease = 1; -+ free_resources(NULL); -+ check_exit(); -+ } - - sig_flags = 0; - } -@@ -1171,6 +1189,9 @@ client6_signal(sig) - case SIGHUP: - sig_flags |= SIGF_HUP; - break; -+ case SIGUSR1: -+ sig_flags |= SIGF_USR1; -+ break; - } - } - ---- wide-dhcpv6.orig/dhcp6c_ia.c -+++ wide-dhcpv6/dhcp6c_ia.c -@@ -420,7 +420,13 @@ release_all_ia(ifp) - for (ia = 
TAILQ_FIRST(&iac->iadata); ia; ia = ia_next) { - ia_next = TAILQ_NEXT(ia, link); - -- (void)release_ia(ia); -+ if (opt_norelease == 0) { -+ debug_printf(LOG_INFO, FNAME, "Start address " -+ "release"); -+ (void)release_ia(ia); -+ } else -+ debug_printf(LOG_INFO, FNAME, "Bypassing address " -+ "release because of -n flag"); - - /* - * The client MUST stop using all of the addresses diff --git a/scripts/package-build/wide-dhcpv6/patches/wide-dhcpv6/0023-dhcpc6-support-per-interface-client-DUIDs.patch b/scripts/package-build/wide-dhcpv6/patches/wide-dhcpv6/0023-dhcpc6-support-per-interface-client-DUIDs.patch new file mode 100644 index 00000000..c1e71f0c --- /dev/null +++ b/scripts/package-build/wide-dhcpv6/patches/wide-dhcpv6/0023-dhcpc6-support-per-interface-client-DUIDs.patch 
@@ -0,0 +1,230 @@ +From 1e4a9a7b61090043924f2aa9359dcbc9f5e11bfc Mon Sep 17 00:00:00 2001 +From: Brandon Stepler +Date: Mon, 25 Jan 2021 14:18:57 +0000 +Subject: [PATCH] dhcpc6: support per-interface client DUIDs + +--- + cfparse.y | 13 +++++++++++-- + cftoken.l | 10 ++++++++++ + config.c | 27 +++++++++++++++++++++++++++ + config.h | 3 ++- + dhcp6c.c | 11 ++++++++--- + dhcp6c.conf.5 | 6 ++++++ + 6 files changed, 64 insertions(+), 6 deletions(-) + +diff --git a/cfparse.y b/cfparse.y +index 9e685f4..244987c 100644 +--- a/cfparse.y ++++ b/cfparse.y +@@ -116,6 +116,7 @@ static void cleanup_cflist __P((struct cf_list *)); + %token BCMCS_SERVERS BCMCS_NAME + %token INFO_ONLY + %token SCRIPT DELAYEDKEY ++%token CLIENT_ID CLIENT_ID_DUID + %token AUTHENTICATION PROTOCOL ALGORITHM DELAYED RECONFIG HMACMD5 MONOCOUNTER + %token AUTHNAME RDM KEY + %token KEYINFO REALM KEYID SECRET KEYNAME EXPIRE +@@ -134,8 +135,8 @@ static void cleanup_cflist __P((struct cf_list *)); + struct dhcp6_poolspec *pool; + } + +-%type IFNAME HOSTNAME AUTHNAME KEYNAME DUID_ID STRING QSTRING IAID +-%type POOLNAME PROFILENAME ++%type IFNAME HOSTNAME CLIENT_ID_DUID AUTHNAME KEYNAME DUID_ID ++%type STRING QSTRING IAID POOLNAME PROFILENAME + %type NUMBER duration authproto authalg authrdm + %type declaration declarations dhcpoption ifparam ifparams + %type address_list address_list_ent dhcpoption_list +@@ -639,6 +640,14 @@ dhcpoption: + /* no value */ + $$ = l; + } ++ | CLIENT_ID CLIENT_ID_DUID ++ { ++ struct cf_list *l; ++ ++ MAKE_CFLIST(l, DHCPOPT_CLIENT_ID, NULL, NULL); ++ l->ptr = $2; ++ $$ = l; ++ } + | AUTHENTICATION AUTHNAME + { + struct cf_list *l; +diff --git a/cftoken.l b/cftoken.l +index e266ac2..d7edd1f 100644 +--- a/cftoken.l ++++ b/cftoken.l +@@ -119,6 +119,7 @@ ecl \} + %s S_HOST + %s S_DUID + %s S_IA ++%s S_CID + %s S_AUTH + %s S_KEY + %s S_SECRET +@@ -249,6 +250,15 @@ ecl \} + /* duration */ + infinity { DECHO; return (INFINITY); } + ++ /* client-id option */ ++client-id { DECHO; BEGIN 
S_CID; return (CLIENT_ID); } ++{duid} { ++ DECHO; ++ yylval.str = strdup(yytext); ++ BEGIN S_CNF; ++ return (CLIENT_ID_DUID); ++} ++ + /* authentication option */ + authentication { DECHO; BEGIN S_AUTH; return (AUTHENTICATION); } + {string} { +diff --git a/config.c b/config.c +index 70f6287..0cbe631 100644 +--- a/config.c ++++ b/config.c +@@ -100,6 +100,7 @@ struct dhcp6_ifconf { + struct dhcp6_ifconf *next; + + char *ifname; ++ struct duid duid; + + /* configuration flags */ + u_long send_flags; +@@ -1366,6 +1367,7 @@ configure_commit() + /* commit interface configuration */ + for (ifp = dhcp6_if; ifp; ifp = ifp->next) { + /* re-initialization */ ++ duidfree(&ifp->duid); + ifp->send_flags = 0; + ifp->allow_flags = 0; + dhcp6_clear_list(&ifp->reqopt_list); +@@ -1395,6 +1397,8 @@ configure_commit() + } + + /* copy new configuration */ ++ ifp->duid = ifc->duid; ++ ifc->duid.duid_id = NULL; + ifp->send_flags = ifc->send_flags; + ifp->allow_flags = ifc->allow_flags; + dhcp6_copy_list(&ifp->reqopt_list, &ifc->reqopt_list); +@@ -1505,6 +1509,7 @@ clear_ifconf(iflist) + ifc_next = ifc->next; + + free(ifc->ifname); ++ duidfree(&ifc->duid); + dhcp6_clear_list(&ifc->reqopt_list); + + clear_iaconf(&ifc->iaconf_list); +@@ -1635,6 +1640,28 @@ add_options(opcode, ifc, cfl0) + return (-1); + } + break; ++ case DHCPOPT_CLIENT_ID: ++ if (opcode != DHCPOPTCODE_SEND) { ++ debug_printf(LOG_ERR, FNAME, ++ "invalid operation (%d) " ++ "for option type (%d)", ++ opcode, cfl->type); ++ return (-1); ++ } ++ if (ifc->duid.duid_id != NULL) { ++ debug_printf(LOG_ERR, FNAME, "%s:%d " ++ "client-id is doubly specified on %s", ++ configfilename, cfl->line, ifc->ifname); ++ return (-1); ++ } ++ if ((configure_duid((char *)cfl->ptr, ++ &ifc->duid)) != 0) { ++ debug_printf(LOG_ERR, FNAME, "%s:%d " ++ "failed to configure DUID for %s", ++ configfilename, cfl->line, ifc->ifname); ++ return (-1); ++ } ++ break; + case DHCPOPT_AUTHINFO: + if (opcode != DHCPOPTCODE_SEND) { + debug_printf(LOG_ERR, FNAME, 
+diff --git a/config.h b/config.h +index 36a5aa3..cfcfdd5 100644 +--- a/config.h ++++ b/config.h +@@ -69,6 +69,7 @@ struct dhcp6_if { + u_int32_t linkid; /* to send link-local packets */ + /* multiple global address configuration is not supported now */ + struct in6_addr addr; /* global address */ ++ struct duid duid; + + /* configuration parameters */ + u_long send_flags; +@@ -267,7 +268,7 @@ enum { DECL_SEND, DECL_ALLOW, DECL_INFO_ONLY, DECL_REQUEST, DECL_DUID, + DECL_ADDRESS, + DECL_RANGE, DECL_ADDRESSPOOL, + IFPARAM_SLA_ID, IFPARAM_SLA_LEN, IFPARAM_IFID, IFPARAM_IFID_RAND, +- DHCPOPT_RAPID_COMMIT, DHCPOPT_AUTHINFO, ++ DHCPOPT_RAPID_COMMIT, DHCPOPT_CLIENT_ID, DHCPOPT_AUTHINFO, + DHCPOPT_DNS, DHCPOPT_DNSNAME, + DHCPOPT_IA_PD, DHCPOPT_IA_NA, DHCPOPT_NTP, + DHCPOPT_REFRESHTIME, +diff --git a/dhcp6c.c b/dhcp6c.c +index 849835e..875a147 100644 +--- a/dhcp6c.c ++++ b/dhcp6c.c +@@ -433,6 +433,11 @@ client6_start(ifp) + } + dhcp6_reset_timer(ev); + ++ if (!ifp->duid.duid_id && duidcpy(&ifp->duid, &client_duid)) { ++ debug_printf(LOG_ERR, FNAME, "failed to copy client DUID"); ++ return (-1); ++ } ++ + return (0); + } + +@@ -1249,7 +1254,7 @@ client6_send(ev) + } + + /* client ID */ +- if (duidcpy(&optinfo.clientID, &client_duid)) { ++ if (duidcpy(&optinfo.clientID, &ifp->duid)) { + debug_printf(LOG_ERR, FNAME, "failed to copy client ID"); + goto end; + } +@@ -1533,7 +1538,7 @@ client6_recvadvert(ifp, dh6, len, optinfo) + debug_printf(LOG_INFO, FNAME, "no client ID option"); + return (-1); + } +- if (duidcmp(&optinfo->clientID, &client_duid)) { ++ if (duidcmp(&optinfo->clientID, &ifp->duid)) { + debug_printf(LOG_INFO, FNAME, "client DUID mismatch"); + return (-1); + } +@@ -1805,7 +1810,7 @@ client6_recvreply(ifp, dh6, len, optinfo) + debug_printf(LOG_INFO, FNAME, "no client ID option"); + return (-1); + } +- if (duidcmp(&optinfo->clientID, &client_duid)) { ++ if (duidcmp(&optinfo->clientID, &ifp->duid)) { + debug_printf(LOG_INFO, FNAME, "client DUID mismatch"); + return 
(-1);
+ }
+diff --git a/dhcp6c.conf.5 b/dhcp6c.conf.5
+index 5693fb8..589510a 100644
+--- a/dhcp6c.conf.5
++++ b/dhcp6c.conf.5
+@@ -139,6 +139,12 @@ An
+ statement for
+ .Ar authname
+ must be provided.
++.It Ic client-id Ar ID
++means the client's DHCP unique identifier
++.Pq DUID .
++.Ar ID
++is a colon-separated hexadecimal sequence where each separated part
++must be composed of two hexadecimal values.
+ .El
+ .\"
+ .Sh Interface statement
+--
+2.20.1
+
diff --git a/scripts/package-build/wide-dhcpv6/patches/wide-dhcpv6/0024-bind-to-single-socket.patch b/scripts/package-build/wide-dhcpv6/patches/wide-dhcpv6/0024-bind-to-single-socket.patch
new file mode 100644
index 00000000..b5751325
--- /dev/null
+++ b/scripts/package-build/wide-dhcpv6/patches/wide-dhcpv6/0024-bind-to-single-socket.patch
@@ -0,0 +1,17 @@
+diff --git a/dhcp6c.c b/dhcp6c.c
+index 1caaaa5..04ce9c5 100644
+--- a/dhcp6c.c
++++ b/dhcp6c.c
+@@ -217,6 +217,12 @@ main(argc, argv)
+ argv[0]);
+ exit(1);
+ }
++
++ if (setsockopt(sock, SOL_SOCKET, SO_BINDTODEVICE, argv[0], strlen(argv[0])) != 0) {
++ debug_printf(LOG_ERR, FNAME, "failed to bind %s", argv[0]);
++ exit(1);
++ }
++
+ argv++;
+ }
+
diff --git a/scripts/package-build/wide-dhcpv6/patches/wide-dhcpv6/0025-option-to-prevent-ia-release.patch b/scripts/package-build/wide-dhcpv6/patches/wide-dhcpv6/0025-option-to-prevent-ia-release.patch
new file mode 100644
index 00000000..32c15814
--- /dev/null
+++ b/scripts/package-build/wide-dhcpv6/patches/wide-dhcpv6/0025-option-to-prevent-ia-release.patch
@@ -0,0 +1,155 @@
+From: 1vivy <1vivy@tutanota.com>
+Date: Sat, 22 Jul 2023 13:07:10 -0600
+Subject: wide-dhcpv6: T5387: Add a no release option '-n'.
+
+This prevents a release signal from being sent to the ISP causing a new PD or address to be allocated.
+
+Co-authored-by: MrLenin <909621+MrLenin@users.noreply.github.com>
+Co-authored-by: marjohn56
+--- wide-dhcpv6.orig/common.h
++++ wide-dhcpv6/common.h
+@@ -120,6 +120,7 @@ sysdep_sa_len (const struct sockaddr *sa
+ extern int foreground;
+ extern int debug_thresh;
+ extern char *device;
++extern int opt_norelease;
+ 
+ /* search option for dhcp6_find_listval() */
+ #define MATCHLIST_PREFIXLEN 0x1
+--- wide-dhcpv6.orig/dhcp6c.8
++++ wide-dhcpv6/dhcp6c.8
+@@ -88,6 +88,10 @@ is terminated. (suits for a use in shel
+ Since the configuration is internally generated, you cannot provide a configuration in this mode. If you want to have different actions for the stateless DHCPv6 information, you should write an appropriate configuration and invoke
+ .Nm
+ without this option.
++.It Fl n
++Prevent Release message from being sent to DHCPv6 server when
++.Nm
++stops. This is useful for preventing a new address from being configured by the DHCPv6 server when restarting the DHCPv6 client.
+ .It Fl p Ar pid-file
+ Use
+ .Ar pid-file
+@@ -109,18 +113,22 @@ or
+ .Fl i
+ option is specified.
+ .Pp
+-Upon receipt of the
+-.Dv SIGHUP
++Upon receipt of a
++.Dv SIGHUP ,
++.Dv SIGTERM ,
+ or
+-.Dv SIGTERM
+-signals,
+-.Nm
+-will remove all stateful resources from the system.
+-In the former case the daemon will then reinvoke itself,
+-while it will stop running in the latter case.
+-In either case,
++.Dv SIGUSR1
++signal,
+ .Nm
+-will send DHCPv6 Release messages to release resources assigned from servers.
++will remove all stateful resources from the system. After that,
++.Dv SIGHUP
++reinitializes the daemon, and
++.Dv SIGTERM
++stops the daemon. 
In both cases, DHCPv6 Release message will be sent to release resources assigned from servers.
++.Dv SIGUSR1
++stops the daemon as
++.Dv SIGTERM
++does though DHCPv6 Release message will not be sent.
+ .\"
+ .Sh FILES
+ .Bl -tag -width /etc/wide-dhcpv6/dhcp6c.conf -compact
+--- wide-dhcpv6.orig/dhcp6c.c
++++ wide-dhcpv6/dhcp6c.c
+@@ -84,6 +84,7 @@ static int exit_ok = 0;
+ static sig_atomic_t sig_flags = 0;
+ #define SIGF_TERM 0x1
+ #define SIGF_HUP 0x2
++#define SIGF_USR1 0x4
+ 
+ const dhcp6_mode_t dhcp6_mode = DHCP6_MODE_CLIENT;
+ 
+@@ -108,6 +109,8 @@ static int ctldigestlen;
+ 
+ static int infreq_mode = 0;
+ 
++int opt_norelease;
++
+ static inline int get_val32 __P((char **, int *, u_int32_t *));
+ static inline int get_ifname __P((char **, int *, char *, int));
+ 
+@@ -170,7 +173,7 @@ main(argc, argv)
+ else
+ progname++;
+ 
+- while ((ch = getopt(argc, argv, "c:dDfik:p:P:")) != -1) {
++ while ((ch = getopt(argc, argv, "c:dDfik:np:P:")) != -1) {
+ switch (ch) {
+ case 'c':
+ conffile = optarg;
+@@ -190,6 +193,9 @@ main(argc, argv)
+ case 'k':
+ ctlkeyfile = optarg;
+ break;
++ case 'n':
++ opt_norelease = 1;
++ break;
+ case 'p':
+ pid_file = optarg;
+ break;
+@@ -395,6 +401,11 @@ client6_init()
+ strerror(errno));
+ exit(1);
+ }
++ if (signal(SIGUSR1, client6_signal) == SIG_ERR) {
++ debug_printf(LOG_WARNING, FNAME, "failed to set signal: %s",
++ strerror(errno));
++ exit(1);
++ }
+ }
+ 
+ int
+@@ -525,6 +536,13 @@ process_signals()
+ free_resources(NULL);
+ client6_startall(1);
+ }
++ if ((sig_flags & SIGF_USR1)) {
++ debug_printf(LOG_INFO, FNAME, "exit without release");
++ exit_ok = 1;
++ opt_norelease = 1;
++ free_resources(NULL);
++ check_exit();
++ }
+ 
+ sig_flags = 0;
+ }
+@@ -1171,6 +1189,9 @@ client6_signal(sig)
+ case SIGHUP:
+ sig_flags |= SIGF_HUP;
+ break;
++ case SIGUSR1:
++ sig_flags |= SIGF_USR1;
++ break;
+ }
+ }
+ 
+--- wide-dhcpv6.orig/dhcp6c_ia.c
++++ wide-dhcpv6/dhcp6c_ia.c
+@@ -420,7 +420,13 @@ release_all_ia(ifp)
+ for (ia = 
TAILQ_FIRST(&iac->iadata); ia; ia = ia_next) {
+ ia_next = TAILQ_NEXT(ia, link);
+ 
+- (void)release_ia(ia);
++ if (opt_norelease == 0) {
++ debug_printf(LOG_INFO, FNAME, "Start address "
++ "release");
++ (void)release_ia(ia);
++ } else
++ debug_printf(LOG_INFO, FNAME, "Bypassing address "
++ "release because of -n flag");
+ 
+ /*
+ * The client MUST stop using all of the addresses
-- cgit v1.2.3
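Review bot: The bypass message in `release_all_ia` blames the `-n flag`, but the SIGUSR1 branch added to `process_signals()` also sets `opt_norelease = 1` at runtime, so an operator who sent SIGUSR1 gets a misleading reason in the log; a neutral text such as `debug_printf(LOG_INFO, FNAME, "Bypassing address release (-n or SIGUSR1)");` keeps the two triggers distinguishable together with the existing `exit without release` line. The `else` arm in that same hunk is a two-line statement without braces beside a braced `if`; bracing both arms avoids the dangling-statement slip on a later edit. In dhcp6c.c, `int opt_norelease;` depends on implicit zero-initialisation while the neighbouring `static int infreq_mode = 0;` is explicit, so `int opt_norelease = 0;` would match the file's style, and since the flag is exported through common.h a comment at the definition such as `/* non-zero: skip the DHCPv6 Release on shutdown; set by -n or SIGUSR1 */` would record the contract for other users. As far as this patch shows the flag is consulted only in `release_all_ia`, whose body begins outside the hunk.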