[weasel-commit] Source: dante=1.1.19-1
- From: rbuilder@xxxxxxxxx
- To: weasel-commit@xxxxxxxxxxxxx
- Date: Fri, 15 Jan 2010 14:11:25 -0500
================================
dante:source=1.1.19-1
cvc rdiff dante -1 /weasel.rpath.org@wgl:3-devel/1.1.19-1
================================
1.1.19-1 Filip Brcic (brcha@xxxxxxx) Fri Jan 15 14:11:15 2010
dante 1.1.19
socks.conf: new
--- /dev/null
+++ socks.conf
@@ -0,0 +127 @@
+# The configfile is divided into two parts; first misc. settings,
+# then the routes. Objects in '[]' are optional.
+#
+#
+# recommended order is:
+# [debug]
+# [logoutput]
+# [resolveprotocol]
+#
+# routes:
+# from to via
+# [command]
+# [extension]
+# [protocol]
+# [proxyprotocol]
+
+
+#debug: 1 # uncomment to enable debugging
+
+#logoutput: stdout # users usually don't want to be bothered with that.
+
+# What protocol should be used for resolving hostnames? It's important
+# to set this right.
+#resolveprotocol: udp # default
+#resolveprotocol: tcp # set this if your socksserver only supports socksv4.
+#resolveprotocol: fake # set this if your clients can't access nameserver,
+ # neither directly nor proxied.
+
+
+
+#
+# the routes
+#
+
+# specifying routes for accepting remote connections (via bind()) is
+# difficult since we can't know what the "to:" address is
+# until we actually get the connection Since we support letting
+# the client accept connections both via the proxyserver and
+# "directly" at the same time, we have two options though:
+# a) specify a route for bind (only) first going via the proxyserver.
+# This will also handle "direct" connections.
+# b) specify a route for bind (only) first going "direct".
+# This means clients will only be able to accept "direct"
+# connections.
+
+# we want to accept remote connections via the proxyserver.
+#route {
+# from: 0.0.0.0/0 to: 0.0.0.0/0 via: 10.1.1.1 port = 1080
+# command: bind
+#}
+
+# we do not want to accept remote connections via the proxyserver.
+#route {
+# from: 0.0.0.0/0 to: 0.0.0.0/0 via: direct
+# command: bind
+#}
+
+
+# if you don't route all local connections via direct, you should
+# at least route nameserver connections via direct connections if you
+# can. That can make for much better performance, depending on
+# your setup. Make sure the nameserver line is the first.
+#
+# Assuming your nameserver runs on address 10.1.1.1, you can do it like this:
+#route {
+# from: 0.0.0.0/0 to: 10.1.1.1/32 port = domain via: direct
+#}
+
+
+# have a route making all connections to loopback addresses be direct.
+#route {
+# from: 0.0.0.0/0 to: 127.0.0.0/8 via: direct
+# command: connect udpassociate # everything but bind, bind confuses us.
+#}
+
+# Our net is the 10.0.0.0/8 net, let clients going to local address go
+# direct, not via server.
+#route {
+# from: 0.0.0.0/0 to: 10.0.0.0/8 via: direct
+#}
+
+# for poor souls trapped behind a msproxy server.
+#route {
+# from: 0.0.0.0/0 to: 0.0.0.0/0 via: 10.1.1.1 port = 1745
+# protocol: tcp # server supports tcp
+# proxyprotocol: msproxy_v2 # server runs msproxy_v2
+#}
+
+# clients going anywhere else go via server listening at
+# IP address 10.1.1.1, port 1080. Note that unless you have
+# specified a direct connection for DNS, or the socksserver is resolvable
+# without network traffic, you can't give a hostname for the socksserver,
+# you must give a IP address. (the reasons for that are logical enough,
+# you would create a loop otherwise.)
+#route {
+# from: 0.0.0.0/0 to: 0.0.0.0/0 via: 10.1.1.1 port = 1080
+# protocol: tcp udp # server supports tcp and udp.
+# proxyprotocol: socks_v4 socks_v5 # server supports socks v4 and v5.
+# method: none #username # we are willing to authenticate via
+# # method "none", not "username".
+#}
+
+# this is identical to the above, but it matches hostnames instead.
+# This is if you have clients that are unable to resolve hostnames.
+# It can be important that hostname routes come after address routes.
+#route {
+# from: 0.0.0.0/0 to: . via: 10.1.1.1 port = 1080
+# protocol: tcp udp # server supports tcp and udp.
+# proxyprotocol: socks_v4 socks_v5 # server supports socks v4 and v5.
+# method: none #username # we are willing to authenticate via
+# # method "none", not "username".
+#}
+
+# identical to above two routes, but using a httpproxy instead.
+#
+
+#route {
+# from: 0.0.0.0/0 to: 0.0.0.0/0 via: 10.1.1.1 port = 3128
+# command: connect # only thing a httproxy supports.
+# proxyprotocol: http_v1.0
+#}
+
+#route {
+# from: 0.0.0.0/0 to: . via: 10.1.1.1 port = 3128
+# command: connect # only thing a httproxy supports.
+# proxyprotocol: http_v1.0
+#}
dante-sockd-conf: new
--- /dev/null
+++ dante-sockd-conf
@@ -0,0 +14 @@
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-proxy/dante/files/dante-sockd-conf,v
1.1 2005/04/22 20:47:27 mrness Exp $
+
+# Number of processes to fork off
+# 1 is plenty for most users
+# increment SLOWLY for bigger demand
+SOCKD_FORKDEPTH=1
+
+# set this to 1 to enable debug
+SOCKD_DEBUG=0
+
+# disable TCP keepalive for better resource usage
+SOCKD_DISABLE_KEEPALIVE=1
dante-1.1.19.tar.gz: new
dante.recipe: new
--- /dev/null
+++ dante.recipe
@@ -0,0 +70 @@
+#
+# Copyright (c) 2010 Filip Brcic <brcha@xxxxxxxxxxxx>
+# Distributed under the terms of the GNU General Public License v3
+#
+
+class Dante(AutoPackageRecipe):
+ name = 'dante'
+ version = '1.1.19'
+
+ buildRequires = [
+ 'autoconf:runtime', 'automake:runtime', 'flex:runtime',
+ 'libtool:runtime', 'pam:devel', 'tcp_wrappers:devel',
+ ]
+
+ shortDesc = 'A free socks4,5 and msproxy implementation'
+ longDesc = """
+Dante is a circuit-level firewall/proxy that can be used to provide
+convenient and secure network connectivity to a wide range of hosts
+while requiring only the server Dante runs on to have external network
+connectivity. Once installed, Dante can in most cases be made
+transparent to the clients while offering detailed access control and
+logging facilities to the server administrator.
+"""
+ url = 'http://www.inet.no/dante/'
+ licenses = [ 'BSD' ]
+ categories = [ 'Network/Proxy' ]
+
+ def unpack(r):
+ r.addArchive(('ftp://ftp.inet.no/pub/socks/',
+ 'ftp://ftp.inet.no/pub/socks/old/'))
+
+ r.addPatch('dante-1.1.19-socksify.patch')
+ r.addPatch('dante-1.1.19-libpam.patch')
+
+ r.Replace(('/etc/socks\.conf', '%(sysconfdir)s/socks/socks.conf'),
+ ('/etc/sockd\.conf', '%(sysconfdir)s/socks/sockd.conf'),
+ 'doc/{faq.ps,faq.tex,sockd.8,sockd.conf.5,socks.conf.5}')
+
+ r.Autoreconf()
+
+ def configure(r):
+ r.Configure(
+ ' --enable-libwrap'
+ ' --with-pam'
+ ' --with-socks-conf=%(sysconfdir)s/socks/socks.conf'
+ ' --with-sockd-conf=%(sysconfdir)s/socks/sockd.conf'
+ )
+
+ # the comments in the source say this is only useful for 2.0 kernels
...
+ # well it may fix 2.0 but it breaks with 2.6 :)
+ r.Replace('if HAVE_LINUX_ECCENTRICITIES', 'if 0',
+ 'include/common.h')
+
+ def policy(r):
+ r.Replace('libdl\.so', '', '%(bindir)s/socksify')
+
+ r.addSource('socks.conf',
+ dest='%(sysconfdir)s/socks/')
+ r.addSource('sockd.conf',
+ dest='%(sysconfdir)s/socks/')
+
+ r.addSource('dante-sockd-init',
+ dest='%(initdir)s/dante-sockd',
+ mode=0755)
+ r.addSource('dante-sockd-conf',
+ dest='%(sysconfdir)s/conf.d/dante-sockd')
+
+ r.Doc('BUGS', 'CREDITS', 'NEWS', 'README', 'SUPPORT', 'TODO')
+ r.Doc('doc/{README*,*.txt,SOCKS4.*}', dir='txt')
+ r.Doc('example/*.conf', dir='example')
dante-1.1.19-libpam.patch: new
--- /dev/null
+++ dante-1.1.19-libpam.patch
@@ -0,0 +76 @@
+diff -Nru dante-1.1.19.orig/acinclude.m4 dante-1.1.19/acinclude.m4
+--- dante-1.1.19.orig/acinclude.m4 2005-12-18 21:57:57.000000000 +0100
++++ dante-1.1.19/acinclude.m4 2008-06-25 22:24:16.000000000 +0200
+@@ -260,4 +260,4 @@
+
+ tproto($@)])
+
+-# -- acinclude end --
+\ No newline at end of file
++# -- acinclude end --
+diff -Nru dante-1.1.19.orig/configure.ac dante-1.1.19/configure.ac
+--- dante-1.1.19.orig/configure.ac 2006-01-15 16:33:37.000000000 +0100
++++ dante-1.1.19/configure.ac 2008-06-25 22:25:09.000000000 +0200
+@@ -21,7 +21,7 @@
+ #NOTE: save CFLAGS; wish to compile without -O2 when debugging
+ oCFLAGS=$CFLAGS
+ unset CFLAGS
+-AC_AIX #evidently also modifies CFLAGS
++#AC_AIX #evidently also modifies CFLAGS
+ AC_PROG_LIBTOOL
+ autoconf_compflags=$CFLAGS
+ CFLAGS=$oCFLAGS
+@@ -30,18 +30,6 @@
+
+ AM_CONDITIONAL(PRERELEASE, test x$prerelease != x)
+
+-#known keywords for --enable/disable-foo(=yes/no)?
+-LTINTERNAL="dlopen|dlopen_self|dlopen_self_static|fast_install|libtool_lock|win32_dll|shared_with_static_runtimes|shared_with_static_runtimes_CXX|shared_with_static_runtimes_F77"
+-KNOWN_KEYWORDS="$LTINTERNAL|shared|static|debug|warnings|diagnostic|profiling|linting|libwrap|preload|serverdl|clientdl|internal|pidfile"
+-for keyword in `set | egrep '^enable_' | sed -e 's/^enable_\(.*\)=.*/\1/'`;
+-do
+- echo $keyword | egrep "^(${KNOWN_KEYWORDS})$" > /dev/null
+- if test $? -ne 0; then
+- AC_MSG_WARN([unknown option '$keyword', ignoring ...])
+- sleep 10;
+- fi
+-done
+-
+ #Solaris 2.5.1 is broken in many places
+ case $host in
+ *-*-solaris2.5.1)
+@@ -1288,15 +1288,18 @@
+ [ --without-pam disable pam support @<:@default=detect@:>@],
+ [PAM=$withval])
+
++LIBPAM=
+ if test "${PAM}" != no; then
+ #look for PAM header and lib
+ AC_CHECK_HEADERS(security/pam_appl.h, [have_pam_header=t])
+- AC_SEARCH_LIBS(pam_start, pam, [have_libpam=t])
++ AC_CHECK_LIB(pam, pam_start, [have_libpam=t])
+
+ if test x"${have_pam_header}" != x -a x"${have_libpam}" != x; then
+ AC_DEFINE(HAVE_PAM, 1, [PAM support])
++ LIBPAM=-lpam
+ fi
+ fi
++AC_SUBST(LIBPAM)
+
+ #expected select behaviour?
+ unset nb_select_err
+diff -Nru dante-1.1.19.orig/sockd/Makefile.am dante-1.1.19/sockd/Makefile.am
+--- dante-1.1.19.orig/sockd/Makefile.am 2005-11-06 18:37:14.000000000
+0100
++++ dante-1.1.19/sockd/Makefile.am 2008-06-25 22:24:16.000000000 +0200
+@@ -35,9 +35,9 @@
+
+ #XXXhack
+ if STATIC_SOCKD
+-sockd_LDADD = ../libscompat/sockatmark.o ${LIBWRAP}
++sockd_LDADD = ../libscompat/sockatmark.o ${LIBWRAP} ${LIBPAM}
+ else
+-sockd_LDADD = ../libscompat/libscompat.la ${LIBWRAP}
++sockd_LDADD = ../libscompat/libscompat.la ${LIBWRAP} ${LIBPAM}
+ endif
+
+ INCLUDES = -I$(top_srcdir)/include -I$(top_srcdir)/libscompat
dante-1.1.19-socksify.patch: new
--- /dev/null
+++ dante-1.1.19-socksify.patch
@@ -0,0 +16 @@
+--- dante-1.1.15-pre1/bin/socksify.in.agriffis 2004-11-04 16:07:04.000000000
-0500
++++ dante-1.1.15-pre1/bin/socksify.in 2004-11-04 16:07:08.977460049 -0500
+@@ -60,7 +60,11 @@
+
@PRELOAD_VARIABLE@="${LIBRARY}${SOCKSIFY_PRELOAD_LIBS:+${PRELOAD_SEPERATOR}}${SOCKSIFY_PRELOAD_LIBS}${PRELOAD_POSTFIX:+${PRELOAD_SEPERATOR}}${PRELOAD_POSTFIX}"
+ export @PRELOAD_VARIABLE@
+
+-LD_LIBRARY_PATH="${LD_LIBRARY_PATH}${LD_LIBRARY_PATH:+:}${LIBDIR}"
+-export LD_LIBRARY_PATH
++# There is no reason to set LD_LIBRARY_PATH, at least on Linux, where
++# LD_PRELOAD can contain a full path to the library. Setting the
++# following breaks socksify on Linux/Alpha at least with
++# binutils-2.14.90.0.7-r3 (08 Dec 2003 agriffis)
++#LD_LIBRARY_PATH="${LD_LIBRARY_PATH}${LD_LIBRARY_PATH:+:}${LIBDIR}"
++#export LD_LIBRARY_PATH
+
+ exec "$@"
sockd.conf: new
--- /dev/null
+++ sockd.conf
@@ -0,0 +254 @@
+# The configfile is divided into two parts; first serversettings,
+# then the rules.
+#
+# The recommended order is:
+# Serversettings:
+# logoutput
+# internal
+# external
+# method
+# clientmethod
+# users
+# compatibility
+# extension
+# connecttimeout
+# iotimeout
+# srchost
+#
+# Rules:
+# client block/pass
+# from to
+# libwrap
+# log
+#
+# block/pass
+# from to
+# method
+# command
+# libwrap
+# log
+# protocol
+# proxyprotocol
+
+# the server will log both via syslog, to stdout and to /var/log/lotsoflogs
+#logoutput: syslog stdout /var/log/lotsoflogs
+logoutput: syslog
+
+# The server will bind to the address 10.1.1.1, port 1080 and will only
+# accept connections going to that address.
+#internal: 10.1.1.1 port = 1080
+# Alternatively, the interface name can be used instead of the address.
+#internal: eth0 port = 1080
+
+# all outgoing connections from the server will use the IP address
+# 195.168.1.1
+#external: 192.168.1.1
+
+# list over acceptable methods, order of preference.
+# A method not set here will never be selected.
+#
+# If the method field is not set in a rule, the global
+# method is filled in for that rule.
+#
+
+# methods for socks-rules.
+#method: username none #rfc931
+
+# methods for client-rules.
+#clientmethod: none
+
+#or if you want to allow rfc931 (ident) too
+#method: username rfc931 none
+
+#or for PAM authentification
+#method: pam
+
+#
+# An important section, pay attention.
+#
+
+# when doing something that can require privilege,
+# it will use the userid "sockd".
+user.privileged: sockd
+
+# when running as usual,
+# it will use the unprivileged userid of "sockd".
+user.notprivileged: sockd
+
+# when running libwrap commands,
+# it will use the userid "sockd".
+user.libwrap: sockd
+
+#
+# some options to help clients with compatibility:
+#
+
+# when a client connection comes in the socksserver will try to use
+# the same port as the client is using, when the socksserver
+# goes out on the clients behalf (external: IP address).
+# If this option is set, Dante will try to do it for reserved ports aswell.
+# This will usually require user.privileged to be set to "root".
+#compatibility: sameport
+
+# If you are using the bind extension and have trouble running servers
+# via the server, you might try setting this. The consequences of it
+# are unknown.
+#compatibility: reuseaddr
+
+#
+# The Dante server supports some extensions to the socks protocol.
+# These require that the socks client implements the same extension and
+# can be enabled using the "extension" keyword.
+#
+# enable the bind extension.
+#extension: bind
+
+
+#
+#
+# misc options.
+#
+
+# how many seconds can pass from when a client connects til it has
+# sent us it's request? Adjust according to your network performance
+# and methods supported.
+#connecttimeout: 30 # on a lan, this should be enough if method is "none".
+
+# how many seconds can the client and it's peer idle without sending
+# any data before we dump it? Unless you disable tcp keep-alive for
+# some reason, it's probably best to set this to 0, which is
+# "forever".
+#iotimeout: 0 # or perhaps 86400, for a day.
+
+# do you want to accept connections from addresses without
+# dns info? what about addresses having a mismatch in dnsinfo?
+#srchost: nounknown nomismatch
+
+#
+# The actual rules. There are two kinds and they work at different levels.
+#
+# The rules prefixed with "client" are checked first and say who is allowed
+# and who is not allowed to speak/connect to the server. I.e the
+# ip range containing possibly valid clients.
+# It is especially important that these only use IP addresses, not hostnames,
+# for security reasons.
+#
+# The rules that do not have a "client" prefix are checked later, when the
+# client has sent its request and are used to evaluate the actual
+# request.
+#
+# The "to:" in the "client" context gives the address the connection
+# is accepted on, i.e the address the socksserver is listening on, or
+# just "0.0.0.0/0" for any address the server is listening on.
+#
+# The "to:" in the non-"client" context gives the destination of the clients
+# socksrequest.
+#
+# "from:" is the source address in both contexts.
+#
+
+
+# the "client" rules. All our clients come from the net 10.0.0.0/8.
+#
+
+# Allow our clients, also provides an example of the port range command.
+#client pass {
+# from: 10.0.0.0/8 port 1-65535 to: 0.0.0.0/0
+# method: rfc931 # match all idented users that also are in passwordfile
+#}
+
+# This is identical to above, but allows clients without a rfc931 (ident)
+# too. In practise this means the socksserver will try to get a rfc931
+# reply first (the above rule), if that fails, it tries this rule.
+#client pass {
+# from: 10.0.0.0/8 port 1-65535 to: 0.0.0.0/0
+#}
+
+
+# drop everyone else as soon as we can and log the connect, they are not
+# on our net and have no business connecting to us. This is the default
+# but if you give the rule yourself, you can specify details.
+#client block {
+# from: 0.0.0.0/0 to: 0.0.0.0/0
+# log: connect error
+#}
+
+
+# the rules controlling what clients are allowed what requests
+#
+
+# you probably don't want people connecting to loopback addresses,
+# who knows what could happen then.
+#block {
+# from: 0.0.0.0/0 to: 127.0.0.0/8
+# log: connect error
+#}
+
+# the people at the 172.16.0.0/12 are bad, no one should talk to them.
+# log the connect request and also provide an example on how to
+# interact with libwrap.
+#block {
+# from: 0.0.0.0/0 to: 172.16.0.0/12
+# libwrap: spawn finger @%a
+# log: connect error
+#}
+
+# unless you need it, you could block any bind requests.
+#block {
+# from: 0.0.0.0/0 to: 0.0.0.0/0
+# command: bind
+# log: connect error
+#}
+
+# or you might want to allow it, for instance "active" ftp uses it.
+# Note that a "bindreply" command must also be allowed, it
+# should usually by from "0.0.0.0/0", i.e if a client of yours
+# has permission to bind, it will also have permission to accept
+# the reply from anywhere.
+#pass {
+# from: 10.0.0.0/8 to: 0.0.0.0/0
+# command: bind
+# log: connect error
+#}
+
+# some connections expect some sort of "reply", this might be
+# the reply to a bind request or it may be the reply to a
+# udppacket, since udp is packetbased.
+# Note that nothing is done to verify that it's a "genuine" reply,
+# that is in general not possible anyway. The below will allow
+# all "replies" in to your clients at the 10.0.0.0/8 net.
+#pass {
+# from: 0.0.0.0/0 to: 10.0.0.0/8
+# command: bindreply udpreply
+# log: connect error
+#}
+
+
+# pass any http connects to the example.com domain if they
+# authenticate with username.
+# This matches "example.com" itself and everything ending in ".example.com".
+#pass {
+# from: 10.0.0.0/8 to: .example.com port = http
+# log: connect error
+# method: username
+#}
+
+# block any other http connects to the example.com domain.
+#block {
+# from: 0.0.0.0/0 to: .example.com port = http
+# log: connect error
+#}
+
+# everyone from our internal network, 10.0.0.0/8 is allowed to use
+# tcp and udp for everything else.
+#pass {
+# from: 10.0.0.0/8 to: 0.0.0.0/0
+# protocol: tcp udp
+#}
+
+# last line, block everyone else. This is the default but if you provide
+# one yourself you can specify your own logging/actions
+#block {
+# from: 0.0.0.0/0 to: 0.0.0.0/0
+# log: connect error
+#}
dante-sockd-init: new
--- /dev/null
+++ dante-sockd-init
@@ -0,0 +55 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-proxy/dante/files/dante-sockd-init,v
1.6 2009/03/05 19:31:13 mrness Exp $
+
+SOCKD_OPT="-D"
+[ "${SOCKD_FORKDEPTH:-1}" -gt 1 ] && SOCKD_OPT="${SOCKD_OPT} -N
${SOCKD_FORKDEPTH}"
+[ "${SOCKD_DEBUG:-0}" -eq 1 ] && SOCKD_OPT="${SOCKD_OPT} -d"
+[ "${SOCKD_DISABLE_KEEPALIVE:-0}" -eq 1 ] && SOCKD_OPT="${SOCKD_OPT} -n"
+PIDFILE=/var/run/sockd.pid
+
+depend() {
+ need net
+}
+
+checkconfig() {
+ # first check that it exists
+ if [ ! -f /etc/socks/sockd.conf ] ; then
+ eerror "You need to setup /etc/socks/sockd.conf first"
+ eerror "Examples are in /usr/share/doc/dante[version]/example"
+ eerror "for more info, see: man sockd.conf"
+ return 1
+ fi
+
+ /usr/sbin/sockd -V >/tmp/dante-sockd.checkconf 2>&1
+ if [ $? -ne 0 ]; then
+ cat /tmp/dante-sockd.checkconf
+ eerror "Something is wrong with your configuration file"
+ eerror "for more info, see: man sockd.conf"
+ return 1
+ fi
+ rm /tmp/dante-sockd.checkconf
+
+ #Create pidfile with owner set to daemon's uid
+ DAEMON_UID=`sed -e '/^[ \t]*user[.]notprivileged[ \t]*:/{s/.*:[
\t]*//;q};d' /etc/socks/sockd.conf`
+ if [ -n "$DAEMON_UID" ]; then
+ touch $PIDFILE && chown $DAEMON_UID $PIDFILE
+ fi
+
+ return 0
+}
+
+start() {
+ checkconfig || return 1
+ ebegin "Starting dante sockd"
+ start-stop-daemon --start --quiet --pidfile $PIDFILE \
+ --make-pidfile --exec /usr/sbin/sockd -- ${SOCKD_OPT}
>/dev/null 2>&1
+ eend $? "Failed to start sockd"
+}
+
+stop() {
+ ebegin "Stopping dante sockd"
+ start-stop-daemon --stop --quiet --pidfile $PIDFILE
+ eend $? "Failed to stop sockd"
+}
Committed by: brcha
Other related posts:
