svn commit: r552035 - in head/net/ocserv: . files
Kurt Jaeger
pi at FreeBSD.org
Sun Oct 11 08:36:35 UTC 2020
Author: pi
Date: Sun Oct 11 08:36:34 2020
New Revision: 552035
URL: https://svnweb.freebsd.org/changeset/ports/552035
Log:
net/ocserv: update 1.0.1 -> 1.1.1
- Fixed compatibility with OpenBSD that lacks procfs
- Improved rate-limit-ms and made it dependent on secmod backlog. This makes
the server more resilient (and prevents connection failures) on multiple
concurrent connections
- Added namespace support for listen address by introducing the listen-netns
option
- Disable TLS1.3 when cisco client compatibility is enabled. New anyconnect
clients seem to supporting TLS1.3 but are unable to handle a
client with an RSA key
- Enable a race free user disconnection via occtl
- Added the config option of a pre-login-banner
- Ocserv switched to using multiple ocserv-sm processes to improve scale,
with the number of ocserv-sm processes dependent on maximum clients
and number of CPUs. Configuration option sec-mod-scale can be
used to override the heuristics.
- Fixed issue with group selection on radius servers sending multiple group
class attribute.
PR: 250225
Submitted by: Juraj Lutter <juraj at lutter.sk>
Relnotes: https://gitlab.com/openconnect/ocserv/-/releases/1.1.1
Modified:
head/net/ocserv/Makefile
head/net/ocserv/distinfo
head/net/ocserv/files/patch-configure.ac
head/net/ocserv/files/patch-doc_sample.config
head/net/ocserv/pkg-plist
Modified: head/net/ocserv/Makefile
==============================================================================
--- head/net/ocserv/Makefile Sun Oct 11 08:32:24 2020 (r552034)
+++ head/net/ocserv/Makefile Sun Oct 11 08:36:34 2020 (r552035)
@@ -2,8 +2,7 @@
# $FreeBSD$
PORTNAME= ocserv
-PORTVERSION= 1.0.1
-PORTREVISION= 1
+PORTVERSION= 1.1.1
CATEGORIES= net net-vpn security
MASTER_SITES= ftp://ftp.infradead.org/pub/ocserv/
@@ -32,7 +31,8 @@ USES= autoreconf cpe gperf libtool localbase ncurses
CPE_VENDOR= infradead
GNU_CONFIGURE= yes
CONFIGURE_ARGS= --without-geoip \
- --without-http-parser
+ --without-http-parser \
+ --disable-namespaces
USERS= _ocserv
GROUPS= _ocserv
@@ -41,7 +41,7 @@ USE_RC_SUBR= ocserv
PLIST_SUB= USERS="${USERS}" GROUPS="${GROUPS}"
-OPTIONS_DEFINE= DOCS EXAMPLES GSSAPI RADIUS
+OPTIONS_DEFINE= DOCS EXAMPLES GSSAPI MAXMIND RADIUS
PORTDOCS= AUTHORS ChangeLog NEWS README TODO
PORTEXAMPLES= profile.xml sample.config sample.passwd
@@ -52,6 +52,10 @@ GSSAPI_CONFIGURE_OFF= --without-gssapi
RADIUS_LIB_DEPENDS= libradcli.so:net/radcli
RADIUS_CONFIGURE_OFF= --without-radius
+
+MAXMIND_DESC= Use Maxmind GeoIP library
+MAXMIND_LIB_DEPENDS= libmaxminddb.so:net/libmaxminddb
+MAXMIND_CONFIGURE_OFF= --without-maxmind
.include <bsd.port.pre.mk>
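Review bot: The new MAXMIND option only defines `MAXMIND_CONFIGURE_OFF= --without-maxmind`, so when the option is selected the build relies on configure autodetecting libmaxminddb instead of being asked for it; `MAXMIND_CONFIGURE_WITH= maxmind` (expanding to `--with-maxmind`/`--without-maxmind`) states the dependency explicitly in both directions. The configure.ac context shown later in this commit (`if test "$test_for_geoip" = yes && test "$have_maxmind`) suggests the retained `--without-geoip` in CONFIGURE_ARGS interacts with the MaxMind check, so it is worth confirming that it does not also switch off the MaxMind path when the option is on. The added `--disable-namespaces` carries no explanation; a one-liner such as `# listen-netns (new in 1.1.x) needs Linux network namespaces, absent on FreeBSD` would help the next maintainer, with the listen-netns reference presumably matching the log entry above.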
Modified: head/net/ocserv/distinfo
==============================================================================
--- head/net/ocserv/distinfo Sun Oct 11 08:32:24 2020 (r552034)
+++ head/net/ocserv/distinfo Sun Oct 11 08:36:34 2020 (r552035)
@@ -1,3 +1,3 @@
-TIMESTAMP = 1586552655
-SHA256 (ocserv-1.0.1.tar.xz) = 59d9ef7a1aeb95ff6e762e2a0f231b3fae2ea420f68a1cf09d39a26395040f4b
-SIZE (ocserv-1.0.1.tar.xz) = 787800
+TIMESTAMP = 1602242932
+SHA256 (ocserv-1.1.1.tar.xz) = 9c7aaf46e53e28cfa7be329b18f3951e7e851153ff6a27e946496fd4e8e5765a
+SIZE (ocserv-1.1.1.tar.xz) = 818988
Modified: head/net/ocserv/files/patch-configure.ac
==============================================================================
--- head/net/ocserv/files/patch-configure.ac Sun Oct 11 08:32:24 2020 (r552034)
+++ head/net/ocserv/files/patch-configure.ac Sun Oct 11 08:36:34 2020 (r552035)
@@ -1,15 +1,15 @@
---- configure.ac.orig 2020-04-09 21:07:12 UTC
+--- configure.ac.orig 2020-10-09 11:32:59 UTC
+++ configure.ac
@@ -15,7 +15,7 @@ AM_PROG_AR
AM_PROG_CC_C_O
AC_PROG_SED
- if [ test "$GCC" = "yes" ];then
+ if test "$GCC" = "yes" && ! expr "$CC" : clang >/dev/null 2>&1;then
- CFLAGS="$CFLAGS -Wall -Wno-strict-aliasing -Wextra -Wno-unused-parameter -Wno-sign-compare -Wno-missing-field-initializers -Wno-implicit-fallthrough -Wno-stringop-truncation"
+ CFLAGS="$CFLAGS -Wall -Wno-strict-aliasing -Wextra -Wno-unused-parameter -Wno-sign-compare -Wno-missing-field-initializers"
fi
+
AC_PATH_PROG(CTAGS, ctags, [:])
- AC_PATH_PROG(CSCOPE, cscope, [:])
-@@ -199,7 +199,7 @@ if test "$test_for_geoip" = yes && test "$have_maxmind
+@@ -222,7 +222,7 @@ if test "$test_for_geoip" = yes && test "$have_maxmind
fi
have_readline=no
Modified: head/net/ocserv/files/patch-doc_sample.config
==============================================================================
--- head/net/ocserv/files/patch-doc_sample.config Sun Oct 11 08:32:24 2020 (r552034)
+++ head/net/ocserv/files/patch-doc_sample.config Sun Oct 11 08:36:34 2020 (r552035)
@@ -1,4 +1,4 @@
---- doc/sample.config.orig 2020-04-09 20:56:20 UTC
+--- doc/sample.config.orig 2020-09-20 19:49:01 UTC
+++ doc/sample.config
@@ -19,7 +19,7 @@
# This enabled PAM authentication of the user. The gid-min option is used
@@ -9,10 +9,10 @@
# The plain option requires specifying a password file which contains
# entries of the following format.
# "username:groupname1,groupname2:encoded-password"
-@@ -106,8 +106,8 @@ udp-port = 443
-
- # The user the worker processes will be run as. It should be
- # unique (no other services run as this user).
+@@ -110,8 +110,8 @@ udp-port = 443
+ # The user the worker processes will be run as. This should be a dedicated
+ # unprivileged user (e.g., 'ocserv') and no other services should run as this
+ # user.
-run-as-user = nobody
-run-as-group = daemon
+run-as-user = _ocserv
@@ -20,7 +20,7 @@
# socket file used for IPC with occtl. You only need to set that,
# if you use more than a single servers.
-@@ -176,15 +176,9 @@ ca-cert = ../tests/certs/ca.pem
+@@ -180,15 +180,9 @@ ca-cert = ../tests/certs/ca.pem
### failures during the reloading time.
@@ -33,13 +33,13 @@
-# disabling that option and report the failures you, along with system and debugging
-# information at: https://gitlab.com/ocserv/ocserv/issues
-isolate-workers = true
-+# ocserv 1.0.1 on FreeBSD does not currently support process isolation,
++# ocserv 1.1.1 on FreeBSD does not currently support process isolation,
+# because ocserv only supports Linux's seccomp system, but not capsicum(4).
+#isolate-workers = false
- # A banner to be displayed on clients
+ # A banner to be displayed on clients after connection
#banner = "Welcome"
-@@ -535,15 +529,15 @@ no-route = 192.168.5.0/255.255.255.0
+@@ -553,15 +547,15 @@ no-route = 192.168.5.0/255.255.255.0
# Note the that following two firewalling options currently are available
# in Linux systems with iptables software.
@@ -58,7 +58,7 @@
# access specific ports in the network. This option can be set globally
# or in the per-user configuration.
#restrict-user-to-ports = "tcp(443), tcp(80), udp(443), sctp(99), tcp(583), icmp(), icmpv6()"
-@@ -591,13 +585,13 @@ no-route = 192.168.5.0/255.255.255.0
+@@ -609,13 +603,13 @@ no-route = 192.168.5.0/255.255.255.0
# hostname to override any proposed by the user. Note also, that, any
# routes, no-routes, DNS or NBNS servers present will overwrite the global ones.
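Review bot: The port still replaces `isolate-workers = true` with the commented-out `#isolate-workers = false`, so the effective value on FreeBSD is ocserv's built-in default rather than anything the sample sets; what the server does at startup when that default asks for seccomp isolation that the comment says is unavailable (refuse, warn, or run unisolated) is not stated anywhere in the hunk. Consider either setting `isolate-workers = false` explicitly or extending the comment to say what ocserv does on a platform without seccomp when the option is left unset, so an operator reading the sample knows whether the workers are running without isolation. In the same hunk the refreshed upstream comment recommends a dedicated user `'ocserv'` while the port sets `run-as-user = _ocserv`; harmless, but the example could be patched to match the configured value. The `run-as-group` replacement line falls outside the visible hunk.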
Modified: head/net/ocserv/pkg-plist
==============================================================================
--- head/net/ocserv/pkg-plist Sun Oct 11 08:32:24 2020 (r552034)
+++ head/net/ocserv/pkg-plist Sun Oct 11 08:36:34 2020 (r552035)
@@ -6,4 +6,5 @@ man/man8/ocpasswd.8.gz
man/man8/ocserv.8.gz
@sample etc/ocserv/ocserv.conf.sample
sbin/ocserv
+sbin/ocserv-worker
@dir(%%USERS%%,%%GROUPS%%,750) /var/run/ocserv