net/sslh: update to 1.22c - sslh-select now supports UDP protocols. Probes specified in the protocols configuration entry are tried on incoming packets, TCP or UDP, and forwarded based on the input protocol (an incoming TCP connection will be forwarded as TCP, and same with UDP). This has been tested with DNS as shown in udp.cfg: incoming packets that contain my domain name are assumed to be a DNS request and forwarded accordingly. Note this could cause problems if combined with incoming TLS with SNI. UDP clients and servers need to agree on the IPv4/IPv6 they use: use the same protocol on all sides! Often, this means explicitely using `ip4-localhost'. UDP sender-receiver pairs (connections, so to speak) are kept for 60s, which can be changed with udp_timeout in the configuration. - Added probes for UDP protocols QUICK and Teamspeak. - Added probes for syslog protocol. - sslh-select refactored to change linear searches through connections to linear searches through fd_set. - Fixed a libconfig call to support libconfig 1.7.3. - Added symbol to support libconfig 1.4.9, still in use in CentOS7. - Warn about unknown settings in the configuration file. - Added per-protocol transparent option. sslh-fork drops the capability after creating the server-side transparent socket. Transparent now uses CAP_NET_RAW instead of CAP_NET_ADMIN. - Removed compile-time option to use POSIX regex. Now regex must be PCRE2 (Perl-Compatible). This was in fact the case since v1.21, as PCRE are used to parse the config file.diff -r1.15 -r1.16 pkgsrc/net/sslh/Makefile
(rhialto)
| @@ -1,16 +1,16 @@ | @@ -1,16 +1,16 @@ | |||
| 1 | # $NetBSD: Makefile,v 1.15 2021/06/13 12:04:21 rhialto Exp $ | 1 | # $NetBSD: Makefile,v 1.16 2022/01/01 16:47:20 rhialto Exp $ | |
| 2 | 2 | |||
| 3 | DISTNAME= sslh-1.21c | 3 | DISTNAME= sslh-1.22c | |
| 4 | CATEGORIES= net | 4 | CATEGORIES= net | |
| 5 | MASTER_SITES= ${MASTER_SITE_GITHUB:=yrutschle/} | 5 | MASTER_SITES= ${MASTER_SITE_GITHUB:=yrutschle/} | |
| 6 | GITHUB_TAG= v${PKGVERSION_NOREV} | 6 | GITHUB_TAG= v${PKGVERSION_NOREV} | |
| 7 | 7 | |||
| 8 | MAINTAINER= nils@NetBSD.org | 8 | MAINTAINER= nils@NetBSD.org | |
| 9 | HOMEPAGE= https://www.rutschle.net/tech/sslh/README.html | 9 | HOMEPAGE= https://www.rutschle.net/tech/sslh/README.html | |
| 10 | COMMENT= Multiplex ssl, ssh, and other connections on the same port | 10 | COMMENT= Multiplex ssl, ssh, and other connections on the same port | |
| 11 | LICENSE= gnu-gpl-v2 | 11 | LICENSE= gnu-gpl-v2 | |
| 12 | 12 | |||
| 13 | # version.h created too late | 13 | # version.h created too late | |
| 14 | MAKE_JOBS_SAFE= no | 14 | MAKE_JOBS_SAFE= no | |
| 15 | 15 | |||
| 16 | USE_TOOLS+= gmake gzip pod2man | 16 | USE_TOOLS+= gmake gzip pod2man | |
| @@ -30,16 +30,16 @@ REPLACE_SH+= genver.sh | @@ -30,16 +30,16 @@ REPLACE_SH+= genver.sh | |||
| 30 | do-install: | 30 | do-install: | |
| 31 | ${INSTALL_PROGRAM} ${WRKSRC}/sslh-fork ${DESTDIR}${PREFIX}/sbin/sslh | 31 | ${INSTALL_PROGRAM} ${WRKSRC}/sslh-fork ${DESTDIR}${PREFIX}/sbin/sslh | |
| 32 | ${INSTALL_PROGRAM} ${WRKSRC}/sslh-select ${DESTDIR}${PREFIX}/sbin | 32 | ${INSTALL_PROGRAM} ${WRKSRC}/sslh-select ${DESTDIR}${PREFIX}/sbin | |
| 33 | ${INSTALL_MAN} ${WRKSRC}/sslh.8.gz ${DESTDIR}${PREFIX}/${PKGMANDIR}/man8 | 33 | ${INSTALL_MAN} ${WRKSRC}/sslh.8.gz ${DESTDIR}${PREFIX}/${PKGMANDIR}/man8 | |
| 34 | ${INSTALL_DATA} ${WRKSRC}/scripts/*.* ${DESTDIR}${EGDIR}/scripts | 34 | ${INSTALL_DATA} ${WRKSRC}/scripts/*.* ${DESTDIR}${EGDIR}/scripts | |
| 35 | ${INSTALL_DATA} ${WRKSRC}/scripts/fail2ban/* ${DESTDIR}${EGDIR}/scripts/fail2ban | 35 | ${INSTALL_DATA} ${WRKSRC}/scripts/fail2ban/* ${DESTDIR}${EGDIR}/scripts/fail2ban | |
| 36 | ${INSTALL_DATA} ${WRKSRC}/example.cfg ${DESTDIR}${EGDIR} | 36 | ${INSTALL_DATA} ${WRKSRC}/example.cfg ${DESTDIR}${EGDIR} | |
| 37 | ${INSTALL_DATA} ${WRKSRC}/basic.cfg ${DESTDIR}${EGDIR} | 37 | ${INSTALL_DATA} ${WRKSRC}/basic.cfg ${DESTDIR}${EGDIR} | |
| 38 | ${INSTALL_DATA} ${WRKSRC}/README.md ${DESTDIR}${PREFIX}/${DOCDIR} | 38 | ${INSTALL_DATA} ${WRKSRC}/README.md ${DESTDIR}${PREFIX}/${DOCDIR} | |
| 39 | ${INSTALL_DATA} ${WRKSRC}/ChangeLog ${DESTDIR}${PREFIX}/${DOCDIR} | 39 | ${INSTALL_DATA} ${WRKSRC}/ChangeLog ${DESTDIR}${PREFIX}/${DOCDIR} | |
| 40 | 40 | |||
| 41 | .include "../../devel/libconfig/buildlink3.mk" | 41 | .include "../../devel/libconfig/buildlink3.mk" | |
| 42 | .include "../../devel/libgetopt/buildlink3.mk" | 42 | .include "../../devel/libgetopt/buildlink3.mk" | |
| 43 | .include "../../devel/pcre/buildlink3.mk" | 43 | .include "../../devel/pcre2/buildlink3.mk" | |
| 44 | .include "../../security/tcp_wrappers/buildlink3.mk" | 44 | .include "../../security/tcp_wrappers/buildlink3.mk" | |
| 45 | .include "../../mk/bsd.pkg.mk" | 45 | .include "../../mk/bsd.pkg.mk" |
| @@ -1,12 +1,9 @@ | @@ -1,12 +1,9 @@ | |||
| 1 | $NetBSD: distinfo,v 1.13 2021/10/26 11:06:58 nia Exp $ | 1 | $NetBSD: distinfo,v 1.14 2022/01/01 16:47:20 rhialto Exp $ | |
| 2 | 2 | |||
| 3 | BLAKE2s (sslh-1.21c.tar.gz) = f8a6a048eaf9fa88d79a39237bc6aaed761740c93fe03b935586389eee81d3e8 | 3 | BLAKE2s (sslh-1.22c.tar.gz) = 81e3a9d77b7c0030e4cf8edf3344f3e4fd06736952939aa66c55b0d6aa0176e2 | |
| 4 | SHA512 (sslh-1.21c.tar.gz) = 9446c6afe965684c5d6406ac8917338f57d95f8fbfacd7a51193dd5dbac77e1ed5e39eb8e2575e7025a8612b25e9fba7e64832a48c999f366875217b9328da22 | 4 | SHA512 (sslh-1.22c.tar.gz) = f13560fbe74b5b08e9b360985d6afd27f2c7e157d220919162e354f3711b90f43bb81f9bda341fb21fef2651acd488f52e9a04dc2da28861540f579e7ca798c4 | |
| 5 | Size (sslh-1.21c.tar.gz) = 111895 bytes | 5 | Size (sslh-1.22c.tar.gz) = 146954 bytes | |
| 6 | SHA1 (patch-argtable3.c) = da39a3ee5e6b4b0d3255bfef95601890afd80709 | |||
| 7 | SHA1 (patch-common.c) = e5aa0cc38e9c62a765400b08ed700e9d2f08f2db | 6 | SHA1 (patch-common.c) = e5aa0cc38e9c62a765400b08ed700e9d2f08f2db | |
| 8 | SHA1 (patch-common.h) = 3e4cc77aeedf9fa4e94329dcf1c1c65099d3ae68 | 7 | SHA1 (patch-common.h) = d89c6ce3f9a4f2b4b4c734adcafd0eed6abca84e | |
| 9 | SHA1 (patch-echosrv.c) = 611044fd7ed1fd52c44e2d8ff393091c35478e17 | 8 | SHA1 (patch-echosrv.c) = 96832c2391ff63cd96efa8e65270be6845f4a306 | |
| 10 | SHA1 (patch-sslh-conf.c) = da39a3ee5e6b4b0d3255bfef95601890afd80709 | 9 | SHA1 (patch-sslh-select.c) = ea07bf85d6ccdcd3815d49bb0131439573152502 | |
| 11 | SHA1 (patch-sslh-main.c) = 059fd93a7412fc2ca38b29ae0c65783f4213e77c | |||
| 12 | SHA1 (patch-sslh-select.c) = d470e6dc803164fbdfa77ddc189cdb4dd7672bd4 |
| @@ -1,44 +1,44 @@ | @@ -1,44 +1,44 @@ | |||
| 1 | $NetBSD: patch-common.h,v 1.2 2021/06/13 12:04:21 rhialto Exp $ | 1 | $NetBSD: patch-common.h,v 1.3 2022/01/01 16:47:21 rhialto Exp $ | |
| 2 | 2 | |||
| 3 | Avoid queue variable conflict. | 3 | Avoid queue variable conflict. | |
| 4 | 4 | |||
| 5 | --- common.h.orig 2020-07-30 07:45:50.000000000 +0000 | 5 | --- common.h.orig 2021-08-28 14:33:20.000000000 +0000 | |
| 6 | +++ common.h | 6 | +++ common.h | |
| 7 | @@ -85,7 +85,7 @@ enum connection_state { | 7 | @@ -88,7 +88,7 @@ enum connection_state { | |
| 8 | 8 | |||
| 9 | /* A 'queue' is composed of a file descriptor (which can be read from or | 9 | /* A 'queue' is composed of a file descriptor (which can be read from or | |
| 10 | * written to), and a queue for deferred write data */ | 10 | * written to), and a queue for deferred write data */ | |
| 11 | -struct queue { | 11 | -struct queue { | |
| 12 | +struct sslhqueue { | 12 | +struct sslhqueue { | |
| 13 | int fd; | 13 | int fd; | |
| 14 | void *begin_deferred_data; | 14 | void *begin_deferred_data; | |
| 15 | void *deferred_data; | 15 | void *deferred_data; | |
| 16 | @@ -100,7 +100,7 @@ struct connection { | 16 | @@ -106,7 +106,7 @@ struct connection { | |
| 17 | /* q[0]: queue for external connection (client); | 17 | /* q[0]: queue for external connection (client); | |
| 18 | * q[1]: queue for internal connection (httpd or sshd); | 18 | * q[1]: queue for internal connection (httpd or sshd); | |
| 19 | * */ | 19 | * */ | |
| 20 | - struct queue q[2]; | 20 | - struct queue q[2]; | |
| 21 | + struct sslhqueue q[2]; | 21 | + struct sslhqueue q[2]; | |
| 22 | }; | |||
| 23 | 22 | |||
| 24 | #define FD_CNXCLOSED 0 | 23 | /* SOCK_DGRAM */ | |
| 25 | @@ -118,7 +118,7 @@ struct connection_desc { | 24 | struct sockaddr client_addr; /* Contains the remote client address */ | |
| 26 | /* common.c */ | 25 | @@ -148,7 +148,7 @@ typedef enum { | |
| 27 | void init_cnx(struct connection *cnx); | 26 | void init_cnx(struct connection *cnx); | |
| 28 | int connect_addr(struct connection *cnx, int fd_from); | 27 | int set_nonblock(int fd); | |
| 28 | int connect_addr(struct connection *cnx, int fd_from, connect_blocking blocking); | |||
| 29 | -int fd2fd(struct queue *target, struct queue *from); | 29 | -int fd2fd(struct queue *target, struct queue *from); | |
| 30 | +int fd2fd(struct sslhqueue *target, struct sslhqueue *from); | 30 | +int fd2fd(struct sslhqueue *target, struct sslhqueue *from); | |
| 31 | char* sprintaddr(char* buf, size_t size, struct addrinfo *a); | 31 | char* sprintaddr(char* buf, size_t size, struct addrinfo *a); | |
| 32 | void resolve_name(struct addrinfo **out, char* fullname); | 32 | void resolve_name(struct addrinfo **out, char* fullname); | |
| 33 | int get_connection_desc(struct connection_desc* desc, const struct connection *cnx); | 33 | int get_connection_desc(struct connection_desc* desc, const struct connection *cnx); | |
| 34 | @@ -135,8 +135,8 @@ int resolve_split_name(struct addrinfo * | 34 | @@ -166,8 +166,8 @@ int resolve_split_name(struct addrinfo * | |
| 35 | 35 | |||
| 36 | int start_listen_sockets(int *sockfd[], struct addrinfo *addr_list); | 36 | int start_listen_sockets(struct listen_endpoint *sockfd[]); | |
| 37 | 37 | |||
| 38 | -int defer_write(struct queue *q, void* data, int data_size); | 38 | -int defer_write(struct queue *q, void* data, int data_size); | |
| 39 | -int flush_deferred(struct queue *q); | 39 | -int flush_deferred(struct queue *q); | |
| 40 | +int defer_write(struct sslhqueue *q, void* data, int data_size); | 40 | +int defer_write(struct sslhqueue *q, void* data, int data_size); | |
| 41 | +int flush_deferred(struct sslhqueue *q); | 41 | +int flush_deferred(struct sslhqueue *q); | |
| 42 | 42 | |||
| 43 | extern struct sslhcfg_item cfg; | 43 | extern struct sslhcfg_item cfg; | |
| 44 | extern struct addrinfo *addr_listen; | 44 | extern struct addrinfo *addr_listen; |
| @@ -1,15 +1,17 @@ | @@ -1,15 +1,17 @@ | |||
| 1 | $NetBSD: patch-echosrv.c,v 1.2 2014/11/28 10:45:28 bsiegert Exp $ | 1 | $NetBSD: patch-echosrv.c,v 1.2 2014/11/28 10:45:28 bsiegert Exp | |
| 2 | 2 | |||
| 3 | * getopt_long_only does not exist on NetBSD getopt. | 3 | Provide allow_severity and deny_severity for libwrap. | |
| 4 | 4 | |||
| 5 | --- echosrv.c.orig 2014-02-11 21:06:01.000000000 +0000 | 5 | --- echosrv.c.orig 2022-01-01 16:38:28.450058726 +0000 | |
| 6 | +++ echosrv.c | 6 | +++ echosrv.c | |
| 7 | @@ -64,7 +64,7 @@ void parse_cmdline(int argc, char* argv[ | 7 | @@ -41,6 +41,10 @@ | |
| 8 | }; | 8 | #define SA_NOCLDWAIT 0 | |
| 9 | struct addrinfo **a; | 9 | #endif | |
| 10 | 10 | |||
| 11 | - while ((c = getopt_long_only(argc, argv, "l:p:", options, NULL)) != -1) { | 11 | +#ifdef LIBWRAP | |
| 12 | + while ((c = getopt_long(argc, argv, "l:p:", options, NULL)) != -1) { | 12 | +int allow_severity =0, deny_severity = 0; | |
| 13 | if (c == 0) continue; | 13 | +#endif | |
| 14 | + | |||
| 15 | struct echocfg_item cfg; | |||
| 14 | 16 | |||
| 15 | switch (c) { | 17 | void check_res_dump(int res, struct addrinfo *addr, char* syscall) |
| @@ -1,25 +1,24 @@ | @@ -1,25 +1,24 @@ | |||
| 1 | $NetBSD: patch-sslh-select.c,v 1.1 2017/08/15 13:13:36 jperkin Exp $ | 1 | $NetBSD: patch-sslh-select.c,v 1.2 2022/01/01 16:47:21 rhialto Exp $ | |
| 2 | 2 | |||
| 3 | Avoid queue variable conflict. | 3 | Avoid queue variable conflict. | |
| 4 | 4 | |||
| 5 | --- sslh-select.c.orig 2016-03-29 19:19:05.000000000 +0000 | 5 | --- sslh-select.c.orig 2021-08-28 14:33:20.000000000 +0000 | |
| 6 | +++ sslh-select.c | 6 | +++ sslh-select.c | |
| 7 | @@ -131,7 +131,7 @@ int accept_new_connection(int listen_soc | 7 | @@ -129,7 +129,7 @@ static struct connection* accept_new_con | |
| 8 | /* Connect queue 1 of connection to SSL; returns new file descriptor */ | 8 | static int connect_queue(struct connection* cnx, | |
| 9 | int connect_queue(struct connection *cnx, fd_set *fds_r, fd_set *fds_w) | 9 | struct select_info* fd_info) | |
| 10 | { | 10 | { | |
| 11 | - struct queue *q = &cnx->q[1]; | 11 | - struct queue *q = &cnx->q[1]; | |
| 12 | + struct sslhqueue *q = &cnx->q[1]; | 12 | + struct sslhqueue *q = &cnx->q[1]; | |
| 13 | 13 | |||
| 14 | q->fd = connect_addr(cnx, cnx->q[0].fd); | 14 | q->fd = connect_addr(cnx, cnx->q[0].fd, NON_BLOCKING); | |
| 15 | if ((q->fd != -1) && fd_is_in_range(q->fd)) { | 15 | if ((q->fd != -1) && fd_is_in_range(q->fd)) { | |
| 16 | @@ -156,7 +156,8 @@ int connect_queue(struct connection *cnx | 16 | @@ -153,7 +153,7 @@ static int connect_queue(struct connecti | |
| 17 | void shovel(struct connection *cnx, int active_fd, | 17 | */ | |
| 18 | fd_set *fds_r, fd_set *fds_w) | 18 | static void shovel(struct connection *cnx, int active_fd, struct select_info* fd_info) | |
| 19 | { | 19 | { | |
| 20 | - struct queue *read_q, *write_q; | 20 | - struct queue *read_q, *write_q; | |
| 21 | + struct sslhqueue *read_q, *write_q; | 21 | + struct sslhqueue *read_q, *write_q; | |
| 22 | + | |||
| 23 | 22 | |||
| 24 | read_q = &cnx->q[active_fd]; | 23 | read_q = &cnx->q[active_fd]; | |
| 25 | write_q = &cnx->q[1-active_fd]; | 24 | write_q = &cnx->q[1-active_fd]; |