-rw-r--r-- | security/pflkm/DESCR | 9 | ||||
-rw-r--r-- | security/pflkm/MESSAGE | 18 | ||||
-rw-r--r-- | security/pflkm/Makefile | 95 | ||||
-rw-r--r-- | security/pflkm/PLIST | 32 | ||||
-rw-r--r-- | security/pflkm/buildlink3.mk | 18 | ||||
-rw-r--r-- | security/pflkm/builtin.mk | 41 | ||||
-rw-r--r-- | security/pflkm/distinfo | 4 | ||||
-rw-r--r-- | security/pflkm/files/pf.sh | 54 | ||||
-rw-r--r-- | security/pflkm/files/pflogd.sh | 18 |
9 files changed, 289 insertions, 0 deletions
diff --git a/security/pflkm/DESCR b/security/pflkm/DESCR
new file mode 100644
index 00000000000..bb77023f0eb
--- /dev/null
+++ b/security/pflkm/DESCR
@@ -0,0 +1,9 @@
+Packet Filter (from here on referred to as PF) is OpenBSD's system for
+filtering TCP/IP traffic and doing Network Address Translation. PF is also
+capable of normalizing and conditioning TCP/IP traffic.
+
+PF was originally developed by Daniel Hartmeier and is now maintained and
+developed by Daniel and the rest of the OpenBSD team.
+
+This package includes a complete port (LKM and userland utilities) from
+OpenBSD 3.6 to NetBSD 2.0.
diff --git a/security/pflkm/MESSAGE b/security/pflkm/MESSAGE
new file mode 100644
index 00000000000..5b6ee4b3099
--- /dev/null
+++ b/security/pflkm/MESSAGE
@@ -0,0 +1,18 @@
+===========================================================================
+$NetBSD: MESSAGE,v 1.1.1.1 2004/11/05 15:05:30 peter Exp $
+
+First create the /dev/pf device:
+
+# cd /dev
+# ./MAKEDEV pf
+
+Then load the kernel module:
+
+# modload ${PREFIX}/lkm/pf.o
+
+If you want PF to get loaded automatically at boot time, you need to set
+lkm=YES in /etc/rc.conf and add this line to /etc/lkm.conf:
+
+${PREFIX}/lkm/pf.o - - - - AFTERMOUNT
+
+===========================================================================
diff --git a/security/pflkm/Makefile b/security/pflkm/Makefile
new file mode 100644
index 00000000000..5813082cd3b
--- /dev/null
+++ b/security/pflkm/Makefile
@@ -0,0 +1,95 @@
+# $NetBSD: Makefile,v 1.1.1.1 2004/11/05 15:05:30 peter Exp $
+
+DISTNAME= pflkm-20041025
+CATEGORIES= security ipv6
+MASTER_SITES= http://nedbsd.nl/~ppostma/pf/
+
+MAINTAINER= peter@pointless.nl
+HOMEPAGE= http://nedbsd.nl/~ppostma/pf/
+COMMENT= OpenBSD Packet Filter as loadable kernel module for NetBSD
+
+ONLY_FOR_PLATFORM= NetBSD-[2-9]*-*
+
+USE_PKGINSTALL= yes
+USE_BUILDLINK3= yes
+NO_CONFIGURE= yes
+
+PKG_USERS= _pflogd:nogroup::pflogd\\ pseudo-user:${VARBASE}/chroot/pflogd:/sbin/nologin
+
+RCD_SCRIPTS= pf pflogd
+PKG_SYSCONFSUBDIR= pf
+CONF_FILES= ${PREFIX}/share/examples/${PKGBASE}/pf.conf \
+ ${PKG_SYSCONFDIR}/pf.conf
+CONF_FILES+= ${PREFIX}/share/examples/${PKGBASE}/pf.os \
+ ${PKG_SYSCONFDIR}/pf.os
+
+OWN_DIRS= ${PREFIX}/lkm ${VARBASE}/chroot/pflogd
+OWN_DIRS+= ${PREFIX}/share/examples/${PKGBASE}
+MAKE_DIRS= ${PREFIX}/include/net
+
+PKG_OPTIONS_VAR= PKG_OPTIONS.pf
+PKG_SUPPORTED_OPTIONS= ifevents
+
+.include "../../mk/bsd.options.mk"
+.include "../../mk/bsd.prefs.mk"
+
+.if !empty(PKG_OPTIONS:Mifevents)
+MAKE_ENV+= IFEVENTS=yes
+.endif
+
+post-install:
+ ${INSTALL_DATA} ${WRKSRC}/etc/pf.conf \
+ ${PREFIX}/share/examples/${PKGBASE}/pf.conf
+ ${INSTALL_DATA} ${WRKSRC}/etc/pf.os \
+ ${PREFIX}/share/examples/${PKGBASE}/pf.os
+
+do-install:
+ ${INSTALL_DATA} ${WRKSRC}/include/net/if_pflog.h ${PREFIX}/include/net/if_pflog.h
+ ${INSTALL_DATA} ${WRKSRC}/include/net/if_pfsync.h ${PREFIX}/include/net/if_pfsync.h
+ ${INSTALL_DATA} ${WRKSRC}/include/net/pfvar.h ${PREFIX}/include/net/pfvar.h
+ ${INSTALL_PROGRAM} ${WRKSRC}/libexec/ftp-proxy/ftp-proxy ${PREFIX}/libexec/ftp-proxy
+ ${INSTALL_MAN} ${WRKSRC}/libexec/ftp-proxy/ftp-proxy.cat8 ${PREFIX}/man/cat8/ftp-proxy.0
+ ${INSTALL_MAN} ${WRKSRC}/libexec/ftp-proxy/ftp-proxy.8 ${PREFIX}/man/man8/ftp-proxy.8
+ ${INSTALL_DATA} ${WRKSRC}/lkm/pf.o ${PREFIX}/lkm/pf.o
+ ${INSTALL_MAN} ${WRKSRC}/man/pf.cat4 ${PREFIX}/man/cat4/pf.0
+ ${INSTALL_MAN} ${WRKSRC}/man/pflog.cat4 ${PREFIX}/man/cat4/pflog.0
+ ${INSTALL_MAN} ${WRKSRC}/man/pfsync.cat4 ${PREFIX}/man/cat4/pfsync.0
+ ${INSTALL_MAN} ${WRKSRC}/man/pf.conf.cat5 ${PREFIX}/man/cat5/pf.conf.0
+ ${INSTALL_MAN} ${WRKSRC}/man/pf.os.cat5 ${PREFIX}/man/cat5/pf.os.0
+ ${INSTALL_MAN} ${WRKSRC}/man/pf.4 ${PREFIX}/man/man4/pf.4
+ ${INSTALL_MAN} ${WRKSRC}/man/pflog.4 ${PREFIX}/man/man4/pflog.4
+ ${INSTALL_MAN} ${WRKSRC}/man/pfsync.4 ${PREFIX}/man/man4/pfsync.4
+ ${INSTALL_MAN} ${WRKSRC}/man/pf.conf.5 ${PREFIX}/man/man5/pf.conf.5
+ ${INSTALL_MAN} ${WRKSRC}/man/pf.os.5 ${PREFIX}/man/man5/pf.os.5
+ ${INSTALL_PROGRAM} ${WRKSRC}/sbin/pfctl/pfctl ${PREFIX}/sbin/pfctl
+ ${INSTALL_MAN} ${WRKSRC}/sbin/pfctl/pfctl.cat8 ${PREFIX}/man/cat8/pfctl.0
+ ${INSTALL_MAN} ${WRKSRC}/sbin/pfctl/pfctl.8 ${PREFIX}/man/man8/pfctl.8
+ ${INSTALL_PROGRAM} ${WRKSRC}/sbin/pflogd/pflogd ${PREFIX}/sbin/pflogd
+ ${INSTALL_MAN} ${WRKSRC}/sbin/pflogd/pflogd.cat8 ${PREFIX}/man/cat8/pflogd.0
+ ${INSTALL_MAN} ${WRKSRC}/sbin/pflogd/pflogd.8 ${PREFIX}/man/man8/pflogd.8
+ ${INSTALL_PROGRAM} ${WRKSRC}/usr.sbin/authpf/authpf ${PREFIX}/sbin/authpf
+ ${INSTALL_MAN} ${WRKSRC}/usr.sbin/authpf/authpf.cat8 ${PREFIX}/man/cat8/authpf.0
+ ${INSTALL_MAN} ${WRKSRC}/usr.sbin/authpf/authpf.8 ${PREFIX}/man/man8/authpf.8
+ ${INSTALL_PROGRAM} ${WRKSRC}/usr.sbin/tcpdump/pftcpdump ${PREFIX}/sbin/pftcpdump
+ ${INSTALL_MAN} ${WRKSRC}/usr.sbin/tcpdump/pftcpdump.cat8 ${PREFIX}/man/cat8/pftcpdump.0
+ ${INSTALL_MAN} ${WRKSRC}/usr.sbin/tcpdump/pftcpdump.8 ${PREFIX}/man/man8/pftcpdump.8
+
+SUBST_CLASSES= path
+SUBST_STAGE.path= post-patch
+SUBST_FILES.path= man/pfsync.4 man/pf.conf.5
+SUBST_FILES.path+= sbin/pfctl/pfctl.8 sbin/pfctl/pfctl_parser.h
+SUBST_FILES.path+= usr.sbin/authpf/authpf.8 usr.sbin/authpf/pathnames.h
+SUBST_SED.path= -e 's,/etc/pf.os,${PKG_SYSCONFDIR}/pf.os,g'
+SUBST_SED.path+= -e 's,/etc/pf.conf,${PKG_SYSCONFDIR}/pf.conf,g'
+SUBST_SED.path+= -e 's,/etc/authpf/authpf.conf,${PKG_SYSCONFDIR}/authpf.conf,g'
+SUBST_SED.path+= -e 's,/etc/authpf/authpf.allow,${PKG_SYSCONFDIR}/authpf.allow,g'
+SUBST_SED.path+= -e 's,/etc/authpf/authpf.rules,${PKG_SYSCONFDIR}/authpf.rules,g'
+SUBST_SED.path+= -e 's,/etc/authpf/authpf.problem,${PKG_SYSCONFDIR}/authpf.problem,g'
+SUBST_SED.path+= -e 's,/etc/authpf/authpf.message,${PKG_SYSCONFDIR}/authpf.message,g'
+SUBST_SED.path+= -e 's,/etc/authpf/users,${PKG_SYSCONFDIR}/users,g'
+SUBST_SED.path+= -e 's,/etc/authpf/banned,${PKG_SYSCONFDIR}/banned,g'
+SUBST_SED.path+= -e 's,/usr/sbin/authpf,${PREFIX}/sbin/authpf,g'
+SUBST_SED.path+= -e 's,/sbin/pfctl,${PREFIX}/sbin/pfctl,g'
+SUBST_MESSAGE.path= "Fixing hardcoded dirs."
+
+.include "../../mk/bsd.pkg.mk"
diff --git a/security/pflkm/PLIST b/security/pflkm/PLIST
new file mode 100644
index 00000000000..02b156a1ef4
--- /dev/null
+++ b/security/pflkm/PLIST
@@ -0,0 +1,32 @@
+@comment $NetBSD: PLIST,v 1.1.1.1 2004/11/05 15:05:30 peter Exp $
+include/net/if_pflog.h
+include/net/if_pfsync.h
+include/net/pfvar.h
+libexec/ftp-proxy
+lkm/pf.o
+man/cat4/pf.0
+man/cat4/pflog.0
+man/cat4/pfsync.0
+man/cat5/pf.conf.0
+man/cat5/pf.os.0
+man/cat8/authpf.0
+man/cat8/ftp-proxy.0
+man/cat8/pfctl.0
+man/cat8/pflogd.0
+man/cat8/pftcpdump.0
+man/man4/pf.4
+man/man4/pflog.4
+man/man4/pfsync.4
+man/man5/pf.conf.5
+man/man5/pf.os.5
+man/man8/authpf.8
+man/man8/ftp-proxy.8
+man/man8/pfctl.8
+man/man8/pflogd.8
+man/man8/pftcpdump.8
+sbin/authpf
+sbin/pfctl
+sbin/pflogd
+sbin/pftcpdump
+share/examples/${PKGBASE}/pf.conf
+share/examples/${PKGBASE}/pf.os
diff --git a/security/pflkm/buildlink3.mk b/security/pflkm/buildlink3.mk
new file mode 100644
index 00000000000..87c0c9568c4
--- /dev/null
+++ b/security/pflkm/buildlink3.mk
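Review bot: `PKG_USERS` in the Makefile hunk places the `_pflogd` pseudo-user in the shared `nogroup` group, so the logging daemon's unprivileged account shares a gid with every other account that uses `nogroup`, which weakens the separation that the dedicated user and its `${VARBASE}/chroot/pflogd` home are meant to provide. A dedicated group keeps it isolated: `PKG_GROUPS= _pflogd` together with `PKG_USERS= _pflogd:_pflogd::pflogd\\ pseudo-user:${VARBASE}/chroot/pflogd:/sbin/nologin`. This assumes pflogd switches to the account's primary group when it drops privileges, which the hunk does not show.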
@@ -0,0 +1,18 @@
+# $NetBSD: buildlink3.mk,v 1.1.1.1 2004/11/05 15:05:30 peter Exp $
+
+BUILDLINK_DEPTH:= ${BUILDLINK_DEPTH}+
+PFLKM_BUILDLINK3_MK:= ${PFLKM_BUILDLINK3_MK}+
+
+.if !empty(BUILDLINK_DEPTH:M+)
+BUILDLINK_DEPENDS+= pflkm
+.endif
+
+BUILDLINK_PACKAGES:= ${BUILDLINK_PACKAGES:Npflkm}
+BUILDLINK_PACKAGES+= pflkm
+
+.if !empty(PFLKM_BUILDLINK3_MK:M+)
+BUILDLINK_DEPENDS.pflkm+= pflkm>=20041025
+BUILDLINK_PKGSRCDIR.pflkm?= ../../security/pflkm
+.endif # PFLKM_BUILDLINK3_MK
+
+BUILDLINK_DEPTH:= ${BUILDLINK_DEPTH:S/+$//}
diff --git a/security/pflkm/builtin.mk b/security/pflkm/builtin.mk
new file mode 100644
index 00000000000..9ac188bf36d
--- /dev/null
+++ b/security/pflkm/builtin.mk
@@ -0,0 +1,41 @@
+# $NetBSD: builtin.mk,v 1.1.1.1 2004/11/05 15:05:30 peter Exp $
+
+_PF_VERSION= 3.6 # pkg default
+_PF_PFVAR_H= /usr/include/net/pfvar.h
+
+.if !defined(IS_BUILTIN.pflkm)
+IS_BUILTIN.pflkm= no
+. if exists(${_PF_PFVAR_H})
+IS_BUILTIN.pflkm= yes
+
+# OpenBSD 3.6: pf_cksum_fixup added
+_PF_3_6!= ${GREP} -c pf_cksum_fixup ${_PF_PFVAR_H} || ${TRUE}
+
+.if ${_PF_3_6} == "1"
+BUILTIN_PKG.pflkm= 3.6
+.else
+BUILTIN_PKG.pflkm= 3.5
+.endif
+
+_PF_VERSION= ${BUILTIN_PKG.pflkm}
+
+.endif # exists(${_PF_PFVAR_H})
+
+.if !defined(USE_BUILTIN.pflkm)
+USE_BUILTIN.pflkm?= ${IS_BUILTIN.pflkm}
+
+. if defined(BUILTIN_PKG.pflkm)
+USE_BUILTIN.pflkm= yes
+. for _depend_ in ${BUILDLINK_DEPENDS.pflkm}
+. if !empty(USE_BUILTIN.pflkm:M[yY][eE][sS])
+USE_BUILTIN.pflkm!= \
+ if ${PKG_ADMIN} pmatch '${_depend_}' ${BUILTIN_PKG.pflkm}; then \
+ ${ECHO} "yes"; \
+ else \
+ ${ECHO} "no"; \
+ fi
+. endif
+. endfor
+. endif
+.endif # USE_BUILTIN.pflkm
+.endif # IS_BUILTIN.pflkm
diff --git a/security/pflkm/distinfo b/security/pflkm/distinfo
new file mode 100644
index 00000000000..a168f2910de
--- /dev/null
+++ b/security/pflkm/distinfo
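Review bot: The version probe in builtin.mk compares the output of `${GREP} -c pf_cksum_fixup` with the string "1", so a header that mentions the symbol on two or more lines (a prototype plus a comment or macro, say) would be classified as 3.5 even though it is the newer one. Testing for presence rather than an exact count avoids that and matches the if/then/echo idiom the file already uses for `pmatch`: `_PF_3_6!= if ${GREP} pf_cksum_fixup ${_PF_PFVAR_H} >/dev/null; then ${ECHO} yes; else ${ECHO} no; fi` followed by `.if ${_PF_3_6} == "yes"`. A wrong answer here feeds `BUILTIN_PKG.pflkm` and, from there, the `pmatch` decision on whether the native PF satisfies the dependency.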
@@ -0,0 +1,4 @@
+$NetBSD: distinfo,v 1.1.1.1 2004/11/05 15:05:30 peter Exp $
+
+SHA1 (pflkm-20041025.tar.gz) = 4f0720bb8fab1d4bde0d68e6927970d98c3628ad
+Size (pflkm-20041025.tar.gz) = 792281 bytes
diff --git a/security/pflkm/files/pf.sh b/security/pflkm/files/pf.sh
new file mode 100644
index 00000000000..c47750c0890
--- /dev/null
+++ b/security/pflkm/files/pf.sh
@@ -0,0 +1,54 @@
+#!@RCD_SCRIPTS_SHELL@
+#
+# $NetBSD: pf.sh,v 1.1.1.1 2004/11/05 15:05:30 peter Exp $
+#
+# PROVIDE: pf
+# REQUIRE: DAEMON
+#
+
+. /etc/rc.subr
+
+name="pf"
+rcvar=$name
+pfctl="@PREFIX@/sbin/pfctl"
+config="@PKG_SYSCONFDIR@/pf.conf"
+start_cmd="pf_start"
+stop_cmd="pf_stop"
+reload_cmd="pf_reload"
+status_cmd="pf_status"
+extra_commands="reload status"
+
+pf_start()
+{
+ echo "Enabling pf firewall."
+ ${pfctl} -q -e
+ if [ -f ${config} ]; then
+ ${pfctl} -q -f ${config}
+ else
+ warn "pf.conf not found; no pf rules loaded."
+ fi
+}
+
+pf_stop()
+{
+ echo "Disabling pf firewall."
+ ${pfctl} -q -d
+}
+
+pf_reload()
+{
+ echo "Reloading pf rules."
+ if [ -f ${config} ]; then
+ ${pfctl} -q -f ${config}
+ else
+ warn "pf.conf not found; no pf rules loaded."
+ fi
+}
+
+pf_status()
+{
+ ${pfctl} -s info
+}
+
+load_rc_config $name
+run_rc_command "$1"
diff --git a/security/pflkm/files/pflogd.sh b/security/pflkm/files/pflogd.sh
new file mode 100644
index 00000000000..a0692e44da8
--- /dev/null
+++ b/security/pflkm/files/pflogd.sh
@@ -0,0 +1,18 @@
+#!@RCD_SCRIPTS_SHELL@
+#
+# $NetBSD: pflogd.sh,v 1.1.1.1 2004/11/05 15:05:30 peter Exp $
+#
+# PROVIDE: pflogd
+# REQUIRE: DAEMON
+#
+
+. /etc/rc.subr
+
+name="pflogd"
+rcvar=$name
+command="@PREFIX@/sbin/${name}"
+start_precmd="/sbin/ifconfig pflog0 up"
+pidfile="/var/run/${name}.pid"
+
+load_rc_config $name
+run_rc_command "$1" |
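Review bot: `pf_start` in files/pf.sh runs `${pfctl} -q -e` before any ruleset is loaded, and when `${config}` is missing it only warns and returns success, so the host ends up with PF switched on, no rules in place, and a start script that reported no error. Loading the ruleset first and enabling PF only after that succeeded makes a missing or unparsable pf.conf a visible start failure instead of a filter that silently passes everything; `pf_reload` has the same warn-and-succeed path for a missing file. `${config}` should also be quoted in the `[ -f ... ]` tests. Whether enabling PF without a ruleset is ever intended here (for example with rules loaded later by another tool) is not visible in the hunk, so the early return below is a proposal.

```shell
pf_start()
{
	if [ ! -f "${config}" ]; then
		warn "pf.conf not found; no pf rules loaded."
		return 1
	fi
	echo "Enabling pf firewall."
	# Load the ruleset first; enable PF only once it parsed cleanly.
	${pfctl} -q -f "${config}" || return 1
	${pfctl} -q -e
}
# … unchanged: pf_stop, pf_reload, pf_status …
```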