author | Yves-Alexis Perez <corsac@corsac.net> | 2012-07-02 15:41:16 +0200 |
---|---|---|
committer | Yves-Alexis Perez <corsac@corsac.net> | 2012-07-02 15:41:53 +0200 |
commit | 1ad7db82d5016c43353dc2dff02d6c422c080c60 (patch) | |
tree | a525fabf68a7c48d0a1eaf8a02d2d5983d84e9fa | |
parent | 7cdc5510e163b66be3b6379d1b3a785f2c91e4e5 (diff) | |
correctly handle non linux arches:
* debian/rules:
- and finally libcap-dev linux-any too...
- make -ikev1 linux-any since pluto can't be build on FreeBSD.
- handle non kFreeBSD more carefully closes: #640928
+ don't enable NM and Linux capabilities drop;
+ disable pluto (and xauth plugin);
+ don't enable farp and dhcp, enable kernel-pf{key,route} plugins
-rw-r--r-- | debian/changelog | 7 | ||||
-rw-r--r-- | debian/control | 2 | ||||
-rw-r--r-- | debian/libstrongswan.install | 4 | ||||
-rw-r--r-- | debian/libstrongswan.strongswan.logcheck.ignore.paranoid (renamed from debian/libstrongswan.logcheck.ignore.paranoid) | 0 | ||||
-rw-r--r-- | debian/libstrongswan.strongswan.logcheck.ignore.server (renamed from debian/libstrongswan.logcheck.ignore.server) | 0 | ||||
-rw-r--r-- | debian/libstrongswan.strongswan.logcheck.ignore.workstation (renamed from debian/libstrongswan.logcheck.ignore.workstation) | 0 | ||||
-rw-r--r-- | debian/libstrongswan.strongswan.logcheck.violations.ignore (renamed from debian/libstrongswan.logcheck.violations.ignore) | 0 | ||||
-rwxr-xr-x | debian/rules | 58 |
8 files changed, 57 insertions, 14 deletions
diff --git a/debian/changelog b/debian/changelog index c531e8989..7ac0d3f49 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,9 +1,14 @@ strongswan (4.6.4-5) UNRELEASED; urgency=low * debian/control: - - and finally libcap-dev linux-any too... (really) closes: #640928 + - and finally libcap-dev linux-any too... + - make -ikev1 linux-any since pluto can't be build on FreeBSD. * debian/rules: - stop installing logcheck rules manually. + - handle non kFreeBSD more carefully closes: #640928 + + don't enable NM and Linux capabilities drop; + + disable pluto (and xauth plugin); + + don't enable farp and dhcp, enable kernel-pf{key,route} plugins * Handle logcheck files from dh_installlogcheck and thus name them correctly so they are not installed in the wrong package. closes: #679745 * debian/po diff --git a/debian/control b/debian/control index 34b9e87a5..d1fbe5922 100644 --- a/debian/control +++ b/debian/control @@ -73,7 +73,7 @@ Description: strongSwan daemon starter and configuration file parser IKEv1 daemon is limited to configurations from ipsec.conf. Package: strongswan-ikev1 -Architecture: any +Architecture: linux-any Pre-Depends: debconf | debconf-2.0 Depends: ${shlibs:Depends}, ${misc:Depends}, libstrongswan (= ${binary:Version}), strongswan-starter, bsdmainutils, diff --git a/debian/libstrongswan.install b/debian/libstrongswan.install index 2823bfbbd..9a46a1cf3 100644 --- a/debian/libstrongswan.install +++ b/debian/libstrongswan.install 
@@ -27,14 +27,11 @@ usr/lib/*/ipsec/plugins/libstrongswan-addrblock.so
 usr/lib/*/ipsec/plugins/libstrongswan-md5.so
 usr/lib/*/ipsec/plugins/libstrongswan-sha1.so
 usr/lib/*/ipsec/plugins/libstrongswan-sha2.so
-usr/lib/*/ipsec/plugins/libstrongswan-dhcp.so
 usr/lib/*/ipsec/plugins/libstrongswan-dnskey.so
-usr/lib/*/ipsec/plugins/libstrongswan-farp.so
 usr/lib/*/ipsec/plugins/libstrongswan-fips-prf.so
 usr/lib/*/ipsec/plugins/libstrongswan-resolve.so
 usr/lib/*/ipsec/plugins/libstrongswan-sql.so
 usr/lib/*/ipsec/plugins/libstrongswan-ha.so
-usr/lib/*/ipsec/plugins/libstrongswan-xauth.so
 usr/lib/*/ipsec/plugins/libstrongswan-revocation.so
 usr/lib/*/ipsec/plugins/libstrongswan-constraints.so
 usr/lib/*/ipsec/plugins/libstrongswan-test-vectors.so
@@ -44,6 +41,5 @@ usr/lib/*/ipsec/plugins/libstrongswan-cmac.so
 usr/lib/*/ipsec/plugins/libstrongswan-ldap.so
 usr/lib/*/ipsec/plugins/libstrongswan-attr*.so
 usr/lib/*/ipsec/plugins/libstrongswan-curl.so
-usr/lib/*/ipsec/plugins/libstrongswan-kernel-netlink.so
 usr/lib/*/ipsec/plugins/libstrongswan-gcrypt.so
 etc/strongswan.conf
diff --git a/debian/libstrongswan.logcheck.ignore.paranoid b/debian/libstrongswan.strongswan.logcheck.ignore.paranoid
index ca6c97dde..ca6c97dde 100644
--- a/debian/libstrongswan.logcheck.ignore.paranoid
+++ b/debian/libstrongswan.strongswan.logcheck.ignore.paranoid
diff --git a/debian/libstrongswan.logcheck.ignore.server b/debian/libstrongswan.strongswan.logcheck.ignore.server
index 7ab04c524..7ab04c524 100644
--- a/debian/libstrongswan.logcheck.ignore.server
+++ b/debian/libstrongswan.strongswan.logcheck.ignore.server
diff --git a/debian/libstrongswan.logcheck.ignore.workstation b/debian/libstrongswan.strongswan.logcheck.ignore.workstation
index 7ab04c524..7ab04c524 100644
--- a/debian/libstrongswan.logcheck.ignore.workstation
+++ b/debian/libstrongswan.strongswan.logcheck.ignore.workstation
diff --git a/debian/libstrongswan.logcheck.violations.ignore b/debian/libstrongswan.strongswan.logcheck.violations.ignore index 1a190fc28..1a190fc28 100644 --- a/debian/libstrongswan.logcheck.violations.ignore +++ b/debian/libstrongswan.strongswan.logcheck.violations.ignore diff --git a/debian/rules b/debian/rules index 373264e9e..6bb408ecb 100755 --- a/debian/rules +++ b/debian/rules @@ -4,7 +4,6 @@ export DEB_BUILD_MAINT_OPTIONS=hardening=+pie,+bindnow CONFIGUREARGS := --prefix=/usr --sysconfdir=/etc --localstatedir=/var \ --enable-ldap --enable-curl \ - --with-capabilities=libcap \ --enable-smartcard --enable-pkcs11 \ --with-default-pkcs11=/usr/lib/$(DEB_HOST_MULTIARCH)/opensc-pkcs11.so \ --enable-mediation --enable-medsrv --enable-medcli \ @@ -14,10 +13,9 @@ CONFIGUREARGS := --prefix=/usr --sysconfdir=/etc --localstatedir=/var \ --enable-eap-gtc --enable-eap-aka --enable-eap-mschapv2 \ --enable-eap-tls --enable-eap-ttls --enable-eap-tnc \ --enable-sql --enable-integrity-test \ - --enable-ha --enable-dhcp --enable-farp \ + --enable-ha \ --enable-led --enable-gcrypt \ --enable-test-vectors --enable-nat-transport \ - --enable-nm \ --with-user=strongswan --with-group=nogroup \ --disable-blowfish --disable-des # BSD-Young license # --enable-kernel-pfkey --enable-kernel-klips \ 
@@ -31,7 +29,25 @@ CONFIGUREARGS := --prefix=/usr --sysconfdir=/etc --localstatedir=/var \ # but it actually doesn't do much, so maybe we don't need it DEB_BUILD_ARCH_CPU ?=$(shell dpkg-architecture -qDEB_BUILD_ARCH_CPU) ifeq ($(DEB_BUILD_ARCH_CPU),i386) - CONFIGUREARGS += --enable-padlock + CONFIGUREARGS += --enable-padlock +endif + +ifeq ($(DEB_BUILD_ARCH_OS),linux) + # only enable network-manager and capabilities dropping on linux hosts + # some plugins are linux-only too + CONFIGUREARGS += --enable-nm \ + --with-capabilities=libcap \ + --enable-farp \ + --enable-dhcp +endif + +ifeq ($(DEB_BUILD_ARCH_OS),kfreebsd) + # recommended configure line for FreeBSD + # http://wiki.strongswan.org/projects/strongswan/wiki/FreeBSD + CONFIGUREARGS += --disable-kernel-netlink \ + --enable-kernel-pfkey --enable-kernel-pfroute \ + --disable-pluto --with-group=wheel + #--disable-tools --disable-scripts --disable-pluto --with-group=wheel endif override_dh_auto_configure: 
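Review bot: The two new conditionals test `DEB_BUILD_ARCH_OS`, which nothing in the visible part of debian/rules defines; only `DEB_BUILD_ARCH_CPU` gets a `?= $(shell dpkg-architecture …)` fallback just above. If the environment does not supply it, neither branch matches and configure runs without `--with-capabilities=libcap`, so a Linux build would silently lose the capability drop that was unconditional before this commit. The variable also names the build machine's OS rather than the host the package is built for, so a cross build would take the wrong branch. I would add `DEB_HOST_ARCH_OS ?= $(shell dpkg-architecture -qDEB_HOST_ARCH_OS)` next to the CPU line and test `$(DEB_HOST_ARCH_OS)` here and in the `override_dh_install` hunk that follows.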
@@ -55,14 +71,37 @@ override_dh_auto_clean: override_dh_install: - # install files from debian/tmp into proper package dirs - dh_install --fail-missing -X\.la -X\.a -Xmedsrv -Xman3 -Xlibstrongswan-padlock.so - # special handling for padlock, as it is only built on i386 + # first special cases +ifeq ($(DEB_BUILD_ARCH_OS),linux) + # handle Linux-only plugins + dh_install -p libstrongswan usr/lib/$(DEB_HOST_MULTIARCH)/ipsec/plugins/libstrongswan-dhcp.so + dh_install -p libstrongswan usr/lib/$(DEB_HOST_MULTIARCH)/ipsec/plugins/libstrongswan-farp.so + dh_install -p libstrongswan usr/lib/$(DEB_HOST_MULTIARCH)/ipsec/plugins/libstrongswan-xauth.so + dh_install -p libstrongswan usr/lib/$(DEB_HOST_MULTIARCH)/ipsec/plugins/libstrongswan-kernel-netlink.so +endif + +ifeq ($(DEB_BUILD_ARCH_OS),kfreebsd) + # handle FreeBSD-only plugins + dh_install -p libstrongswan usr/lib/$(DEB_HOST_MULTIARCH)/ipsec/plugins/libstrongswan-kernel-pfkey.so + dh_install -p libstrongswan usr/lib/$(DEB_HOST_MULTIARCH)/ipsec/plugins/libstrongswan-kernel-pfroute.so +endif + ifeq ($(DEB_BUILD_ARCH_CPU),i386) - install $(CURDIR)/debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/ipsec/plugins/libstrongswan-padlock.so* $(CURDIR)/debian/libstrongswan/usr/lib/$(DEB_HOST_MULTIARCH)/ipsec/plugins/ + # special handling for padlock, as it is only built on i386 + dh_install -p libstrongswan usr/lib/$(DEB_HOST_MULTIARCH)/ipsec/plugins/libstrongswan-padlock.so endif + # then install the rest, ignoring the above + dh_install --fail-missing \ + -X\.la -X\.a \ + -Xmedsrv -Xman3 \ + -Xlibstrongswan-kernel \ + -Xlibstrongswan-dhcp.so \ + -Xlibstrongswan-farp.so \ + -Xlibstrongswan-xauth.so \ + -Xlibstrongswan-padlock.so + # add additional files not covered by upstream makefile... install --mode=0600 $(CURDIR)/debian/ipsec.secrets.proto $(CURDIR)/debian/strongswan-starter/etc/ipsec.secrets # also "patch" ipsec.conf to include the debconf-managed file 
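Review bot: `-Xlibstrongswan-kernel` in the final `dh_install --fail-missing` call matches anywhere in the file name, so it hides every kernel-* plugin from the missing-file check, not only the three handled in the per-OS conditionals above. I would list the names explicitly, `-Xlibstrongswan-kernel-netlink.so -Xlibstrongswan-kernel-pfkey.so -Xlibstrongswan-kernel-pfroute.so`, so an unexpected kernel plugin still fails the build. Separately, when neither OS conditional matches, the dhcp, farp, xauth and kernel plugins are excluded without being installed and the build still succeeds; a comment above the call stating that each `-X` entry must have a matching `dh_install -p libstrongswan` line would make that dependency visible. The recipe of `override_dh_install` continues past the end of the hunk.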
@@ -103,5 +142,8 @@ override_dh_fixperms: override_dh_makeshlibs: dh_makeshlibs -n -X usr/lib/$(DEB_HOST_MULTIARCH)/ipsec/plugins +override_dh_installlogcheck: + dh_installlogcheck --name strongswan + %: dh $@ --parallel |