From fd6a30d07b299516c5e1fd72e352bddbcd56898b Mon Sep 17 00:00:00 2001
From: Jonathan Bennett
Date: Wed, 11 Jun 2014 15:21:16 -0500
Subject: [PATCH] Add fwknop to packages feed and update to latest version
---
 net/fwknop/Makefile | 118 ++++++++++++++++++++++++
 net/fwknop/patches/001-fix_config.patch | 18 ++++
 net/fwknop/patches/002-fix_init.patch | 17 ++++
 3 files changed, 153 insertions(+)
 create mode 100644 net/fwknop/Makefile
 create mode 100644 net/fwknop/patches/001-fix_config.patch
 create mode 100644 net/fwknop/patches/002-fix_init.patch
diff --git a/net/fwknop/Makefile b/net/fwknop/Makefile
new file mode 100644
index 0000000000..b93752c621
--- /dev/null
+++ b/net/fwknop/Makefile
@@ -0,0 +1,118 @@
+#
+# Copyright (C) 2011-2012 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=fwknop
+PKG_VERSION:=2.6.2
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
+PKG_SOURCE_URL:=http://www.cipherdyne.org/fwknop/download
+PKG_MD5SUM:=4c68128297f76ee536a446fcdd496435
+PKG_MAINTAINER:=Jonathan Bennett
+PKG_INSTALL:=1
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/fwknop/Default
+ TITLE:=FireWall KNock OPerator
+ URL:=http://www.cipherdyne.org/fwknop/
+endef
+
+define Package/fwknop/Default/description
+ Fwknop implements an authorization scheme known as Single Packet Authorization
+ (SPA) for Linux systems running iptables. This mechanism requires only a
+ single encrypted and non-replayed packet to communicate various pieces of
+ information including desired access through an iptables policy. The main
+ application of this program is to use iptables in a default-drop stance to
+ protect services such as SSH with an additional layer of security in order to
+ make the exploitation of vulnerabilities (both 0-day and unpatched code) much
+ more difficult.
+endef
+
+define Package/fwknopd
+ $(call Package/fwknop/Default)
+ SECTION:=net
+ CATEGORY:=Network
+ SUBMENU:=Firewall
+ TITLE+= Daemon
+ DEPENDS:=+iptables +libfko +libpcap
+endef
+
+define Package/fwknopd/description
+ $(call Package/fwknop/Default/description)
+ This package contains the fwknop daemon.
+endef
+
+define Package/fwknopd/conffiles
+/etc/fwknop/access.conf
+/etc/fwknop/fwknopd.conf
+endef
+
+define Package/fwknop
+ $(call Package/fwknop/Default)
+ SECTION:=net
+ CATEGORY:=Network
+ SUBMENU:=Firewall
+ TITLE+= Client
+ DEPENDS:=+libfko
+endef
+
+define Package/fwknop/description
+ $(call Package/fwknop/Default/description)
+ This package contains the fwknop client.
+endef
+
+define Package/libfko
+ $(call Package/fwknop/Default)
+ SECTION:=libs
+ CATEGORY:=Libraries
+ SUBMENU:=Firewall
+ TITLE+= Library
+endef
+
+define Package/libfko/description
+ $(call Package/fwknop/Default/description)
+ This package contains the libfko shared library.
+endef
+
+CONFIGURE_ARGS += \
+ --without-gpgme \
+ --with-iptables=/usr/sbin/iptables
+
+define Build/InstallDev
+ $(INSTALL_DIR) $(1)/usr/include
+ $(CP) $(PKG_INSTALL_DIR)/usr/include/fko.h $(1)/usr/include/
+ $(INSTALL_DIR) $(1)/usr/lib
+ $(CP) $(PKG_INSTALL_DIR)/usr/lib/libfko.{a,la,so*} $(1)/usr/lib/
+endef
+
+define Package/fwknopd/install
+ $(INSTALL_DIR) $(1)/etc/fwknop
+ $(INSTALL_CONF) $(PKG_INSTALL_DIR)/etc/fwknop/{access,fwknopd}.conf \
+ $(1)/etc/fwknop/
+ $(INSTALL_DIR) $(1)/etc/init.d
+ $(INSTALL_BIN) $(PKG_BUILD_DIR)/extras/fwknop.init.openwrt \
+ $(1)/etc/init.d/fwknopd
+ $(INSTALL_DIR) $(1)/usr/sbin
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/fwknopd $(1)/usr/sbin/
+endef
+
+define Package/fwknop/install
+ $(INSTALL_DIR) $(1)/usr/bin
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/fwknop $(1)/usr/bin/
+endef
+
+define Package/libfko/install
+ $(INSTALL_DIR) $(1)/usr/lib
+ $(CP) $(PKG_INSTALL_DIR)/usr/lib/libfko.so.* $(1)/usr/lib/
+endef
+
+$(eval $(call BuildPackage,fwknopd))
+$(eval $(call BuildPackage,fwknop))
+$(eval $(call BuildPackage,libfko))
diff --git a/net/fwknop/patches/001-fix_config.patch b/net/fwknop/patches/001-fix_config.patch
new file mode 100644
index 0000000000..9362df99a9
--- /dev/null
+++ b/net/fwknop/patches/001-fix_config.patch
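Review bot: `Package/fwknopd/install` ships `$(PKG_BUILD_DIR)/extras/fwknop.init.openwrt` as `/etc/init.d/fwknopd`, while the 002-fix_init.patch in the same commit edits `extras/openwrt/package/fwknop/files/fwknopd.init`; unless those are the same file in the 2.6.2 tarball, the service_start/service_stop fix never reaches the installed script, so either install the patched path or patch the installed one. The tarball is fetched over plain http and checked only with `PKG_MD5SUM`, which is a weak integrity check for a supply-chain step; if this feed's rules.mk accepts a SHA-256 field, prefer it together with an https mirror (confirm what the buildroot at this time supports). `PKG_MAINTAINER` carries no contact address, which feed convention expects, e.g. `PKG_MAINTAINER:=Jonathan Bennett <[maintainer e-mail]>`. The `conffiles` entry for `access.conf` is right to be there since that file holds the SPA keys, and a short comment on the `$(INSTALL_CONF)` line would make the intent explicit: `# access.conf holds the SPA encryption/HMAC keys; INSTALL_CONF keeps it root-only`.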
@@ -0,0 +1,18 @@
+--- a/server/fwknopd.conf.inst
++++ b/server/fwknopd.conf.inst
+@@ -284,8 +284,13 @@
+ # The IPT_FORWARD_ACCESS variable is only used if ENABLE_IPT_FORWARDING is
+ # enabled.
+ #
+-#IPT_FORWARD_ACCESS ACCEPT, filter, FORWARD, 1, FWKNOP_FORWARD, 1;
+-#IPT_DNAT_ACCESS DNAT, nat, PREROUTING, 1, FWKNOP_PREROUTING, 1;
++
++# These two lines are changed specifically for Openwrt, due to
++# different naming conventions. IPT_FORWARD is still disabled
++# by default, and must be enabled earlier in this file to be used.
++
++IPT_FORWARD_ACCESS ACCEPT, filter, zone_wan_forward, 1, FWKNOP_FORWARD, 1;
++IPT_DNAT_ACCESS DNAT, nat, zone_wan_prerouting, 1, FWKNOP_PREROUTING, 1;
+ 
+ # The IPT_SNAT_ACCESS variable is not used unless both ENABLE_IPT_SNAT and
+ # ENABLE_IPT_FORWARDING are enabled. Also, the external static IP must be
diff --git a/net/fwknop/patches/002-fix_init.patch b/net/fwknop/patches/002-fix_init.patch
new file mode 100644
index 0000000000..6370c8e60b
--- /dev/null
+++ b/net/fwknop/patches/002-fix_init.patch
@@ -0,0 +1,17 @@
+--- a/extras/openwrt/package/fwknop/files/fwknopd.init
++++ b/extras/openwrt/package/fwknop/files/fwknopd.init
+@@ -11,12 +11,12 @@ FWKNOPD_BIN=/usr/sbin/fwknopd
+ 
+ start()
+ {
+- $FWKNOPD_BIN
++ service_start $FWKNOPD_BIN
+ }
+ 
+ stop()
+ {
+- $FWKNOPD_BIN -K
++ service_stop $FWKNOPD_BIN -K
+ }
+ 
+ restart()
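Review bot: The two replacement lines hard-code the chain names `zone_wan_forward` and `zone_wan_prerouting`, which exist only when the OpenWrt firewall zone is literally named `wan`; on a router with a renamed or additional upstream zone, fwknopd's rule insertion will fail or land in the wrong chain as soon as ENABLE_IPT_FORWARDING is switched on, and the added comment does not warn about it. Extend the comment with something like `# The zone_wan_* chains assume the default firewall zone name "wan"; adjust them if your upstream zone is named differently.` Zone chains of this kind are presumably rebuilt whenever the firewall is reloaded, which would drop the jump into FWKNOP_FORWARD until fwknopd is restarted — worth confirming and mentioning in the same comment. The upstream ENABLE_IPT_FORWARDING setting that gates these lines is outside the hunk.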
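Review bot: In the new `stop()` body the `-K` flag is fwknopd's own "kill the running daemon" option, but after this change it is handed to `service_stop` instead of to fwknopd, so it is either swallowed by the service helper or treated as one of its options; confirm against `/lib/functions/service.sh`, and if `service_stop` already stops by executable name, the line should simply read `service_stop $FWKNOPD_BIN`. `service_start`/`service_stop` also need `/lib/functions/service.sh` to be sourced (usually by way of `/etc/rc.common`), which would be at the top of the script, outside this hunk. `start()` and `stop()` are complete within the hunk; `restart()` begins on its last line and continues outside it.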