summaryrefslogtreecommitdiff
blob: 879fa64940e2bfd9db860c740bb6b722f50259d3 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
# Copyright 1999-2008 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/net-firewall/ipsec-tools/ipsec-tools-0.7.1.ebuild,v 1.4 2008/10/11 13:06:53 bluebird Exp $

inherit eutils flag-o-matic autotools linux-info

DESCRIPTION="A port of KAME's IPsec utilities to the Linux-2.6 IPsec implementation"
HOMEPAGE="http://ipsec-tools.sourceforge.net/"
SRC_URI="mirror://sourceforge/${PN}/${P}.tar.bz2"

LICENSE="BSD"
SLOT="0"
KEYWORDS="amd64 ~ppc sparc x86"
IUSE="idea ipv6 pam rc5 readline selinux ldap kerberos nat hybrid iconv selinux"

# FIXME: what is the correct syntax for ~sparc ???
DEPEND="!sparc? ( >=sys-kernel/linux-headers-2.6 )
	readline? ( sys-libs/readline )
	pam? ( sys-libs/pam )
	ldap? ( net-nds/openldap )
	kerberos? ( virtual/krb5 )
	>=dev-libs/openssl-0.9.8
	iconv? ( virtual/libiconv )
	selinux? ( sys-libs/libselinux )"
#	radius? ( net-dialup/gnuradius )

RDEPEND="${DEPEND}
	selinux? ( sec-policy/selinux-ipsec-tools )"

# {{{ kernel_check()
kernel_check() {
	get_version
	if kernel_is 2 6 ; then
		if test "${KV_PATCH}" -ge 19 ; then
		# Just for kernel >=2.6.19
			ebegin "Checking for suitable kernel configuration (Networking | Networking support | Networking options)"

			if use nat ; then
				if ! { linux_chkconfig_present NETFILTER_XT_MATCH_POLICY; } ; then
					ewarn "[NETFILTER_XT_MATCH_POLICY] IPsec policy match support is NOT enabled"
					eerror "${P} won't compile with use nat traversal (USE=nat) until you enable NETFILTER_XT_MATCH_POLICY in your kernel"
					die
				else
					einfo "....[NETFILTER_XT_MATCH_POLICY] IPsec policy match support is enabled :-)"
				fi
			fi
			# {{{ general stuff
			if ! { linux_chkconfig_present XFRM_USER; }; then
				ewarn "[XFRM_USER] Transformation user configuration interface is NOT enabled."
			else
				einfo "....[XFRM_USER] Transformation user configuration interface is enabled :-)"
			fi

			if ! { linux_chkconfig_present NET_KEY; }; then
				ewarn "[NET_KEY] PF_KEY sockets is NOT enabled."
			else
				einfo "....[NET_KEY] PF_KEY sockets is enabled :-)"
			fi
			# }}}
			# {{{ IPv4 stuff
			if ! { linux_chkconfig_present INET_IPCOMP; }; then
				ewarn "[INET_IPCOMP] IP: IPComp transformation is NOT enabled"
			else
				einfo "....[INET_IPCOMP] IP: IPComp transformation is enabled :-)"
			fi

			if ! { linux_chkconfig_present INET_AH; }; then
				ewarn "[INET_AH] AH Transformation is NOT enabled."
			else
				einfo "....[INET_AH] AH Transformation is enabled :-)"
			fi

			if ! { linux_chkconfig_present INET_ESP; }; then
				ewarn "[INET_ESP] ESP Transformation is NOT enabled."
			else
				einfo "....[INET_ESP] ESP Transformation is enabled :-)"
			fi

			if ! { linux_chkconfig_present INET_XFRM_MODE_TRANSPORT; }; then
				ewarn "[INET_XFRM_MODE_TRANSPORT] IP: IPsec transport mode is NOT enabled."
			else
				einfo "....[INET_XFRM_MODE_TRANSPORT] IP: IPsec transport mode is enabled :-)"
			fi

			if ! { linux_chkconfig_present INET_XFRM_MODE_TUNNEL; }; then
				ewarn "[INET_XFRM_MODE_TUNNEL] IP: IPsec tunnel mode is NOT enabled."
			else
				einfo "....[INET_XFRM_MODE_TUNNEL] IP: IPsec tunnel mode is enabled :-)"
			fi

			if ! { linux_chkconfig_present INET_XFRM_MODE_BEET; }; then
				ewarn "[INET_XFRM_MODE_BEET] IP: IPsec BEET mode is NOT enabled."
			else
				einfo "....[INET_XFRM_MODE_BEET] IP: IPsec BEET mode is enabled :-)"
			fi
			# }}}
			# {{{ IPv6 stuff
			if use ipv6 ; then
				if ! { linux_chkconfig_present INET6_IPCOMP; }; then
					ewarn "[INET6_IPCOMP] IPv6: IPComp transformation is NOT enabled"
				else
					einfo "....[INET6_IPCOMP] IPv6: IPComp transformation is enabled :-)"
				fi

				if ! { linux_chkconfig_present INET6_AH; }; then
					ewarn "[INET6_AH] IPv6: AH Transformation is NOT enabled."
				else
					einfo "....[INET6_AH] IPv6: AH Transformation is enabled :-)"
				fi

				if ! { linux_chkconfig_present INET6_ESP; }; then
					ewarn "[INET6_ESP] IPv6: ESP Transformation is NOT enabled."
				else
					einfo "....[INET6_ESP] IPv6: ESP Transformation is enabled :-)"
				fi

				if ! { linux_chkconfig_present INET6_XFRM_MODE_TRANSPORT; }; then
					ewarn "[INET6_XFRM_MODE_TRANSPORT] IPv6: IPsec transport mode is NOT enabled."
				else
					einfo "....[INET6_XFRM_MODE_TRANSPORT] IPv6: IPsec transport mode is enabled :-)"
				fi

				if ! { linux_chkconfig_present INET6_XFRM_MODE_TUNNEL; }; then
					ewarn "[INET6_XFRM_MODE_TUNNEL] IPv6: IPsec tunnel mode is NOT enabled."
				else
					einfo "....[INET6_XFRM_MODE_TUNNEL] IPv6: IPsec tunnel mode is enabled :-)"
				fi

				if ! { linux_chkconfig_present INET6_XFRM_MODE_BEET; }; then
					ewarn "[INET6_XFRM_MODE_BEET] IPv6: IPsec BEET mode is NOT enabled."
				else
					einfo "....[INET6_XFRM_MODE_BEET] IPv6: IPsec BEET mode is enabled :-)"
				fi
				if ! { linux_chkconfig_present CRYPTO_NULL; }; then
					ewarn "[CRYPTO_NULL] Crypto: NULL algorithm is NOT enabled"
				else
					einfo "....[CRYPTO_NULL] Cyrpto: Crypto NULL algorithm enabled :-)"
				fi
fi
			# }}}

			eend $?
		fi
	fi
}
# }}}

src_unpack() {
	unpack ${A}
	cd "${S}"
	# fix for bug #76741
	sed -i 's:#include <sys/sysctl.h>::' src/racoon/pfkey.c src/setkey/setkey.c
	# fix for bug #124813
	sed -i 's:-Werror::g' "${S}"/configure.ac

	AT_M4DIR="${S}" eautoreconf
	epunt_cxx
}

src_compile() {
	# fix for bug #61025
	filter-flags -march=c3

	kernel_check

	myconf="--with-kernel-headers=${KV_DIR}/include \
			--enable-dependency-tracking \
			--enable-dpd \
			--enable-frag \
			--enable-stats \
			--enable-fastquit \
			--enable-stats \
			--enable-adminport \
			$(use_enable ipv6) \
			$(use_enable rc5) \
			$(use_enable idea) \
			$(use_with readline)
			$(use_enable kerberos gssapi) \
			$(use_with ldap libldap) \
			$(use_with pam libpam)"

#	we do not want broken-natt from the kernel
#	myconf="${myconf} $(use_enable broken-natt)"
	use nat && myconf="${myconf} --enable-natt --enable-natt-versions=yes"

	# we only need security-context when using selinux
	myconf="${myconf} $(use_enable selinux security-context)"

	# enable mode-cfg and xauth support
	if use pam; then
		myconf="${myconf} --enable-hybrid"
	else
		myconf="${myconf} $(use_enable hybrid)"
	fi

	# dev-libs/libiconv is hard masked
	#use iconv && myconf="${myconf} $(use_with iconv libiconv)"

	# the default (/usr/include/openssl/) is OK for Gentoo, leave it
	# myconf="${myconf} $(use_with ssl openssl )"

	# No way to get it compiling with freeradius or gnuradius
	# We would need libradius which only exists on FreeBSD

	# See bug #77369
	#myconf="${myconf} --enable-samode-unspec"

	econf ${myconf} || die
	emake -j1 || die
}

src_install() {
	emake DESTDIR="${D}" install || die
	keepdir /var/lib/racoon
	newconfd "${FILESDIR}"/racoon.conf.d racoon
	newinitd "${FILESDIR}"/racoon.init.d racoon

	dodoc ChangeLog README NEWS
	dodoc src/racoon/samples/*
	dodoc src/racoon/doc/*

	docinto roadwarrior
	dodoc src/racoon/samples/roadwarrior/*

	docinto roadwarrior/client
	dodoc src/racoon/samples/roadwarrior/client/*
	docinto roadwarrior/server
	dodoc src/racoon/samples/roadwarrior/server/*

	docinto setkey
	dodoc src/setkey/sample.cf

	dodir /etc/racoon

	# RFC are only available from CVS for the moment, see einfo below
	#docinto "rfc"
	#dodoc ${S}/src/racoon/rfc/*
}

pkg_postinst() {
	if use nat; then
		elog
		elog " You have enabled the nat traversal functionnality."
		elog " Nat versions wich are enabled by default are 00,02,rfc"
		elog " you can find those drafts in the CVS repository:"
		elog "cvs -d anoncvs@anoncvs.netbsd.org:/cvsroot co ipsec-tools"
		elog
		elog "If you feel brave enough and you know what you are"
		elog "doing, you can consider emerging this ebuild"
		elog "with"
		elog "EXTRA_ECONF=\"--enable-natt-versions=08,07,06\""
		elog
	fi;

	if use ldap; then
		elog
		elog " You have enabled ldap support with {$PN}."
		elog " The man page does NOT contain any information on it yet."
		elog " Consider to use a more recent version or CVS"
		elog
	fi;

	elog
	elog "Please have a look in /usr/share/doc/${P} and visit"
	elog "http://www.netbsd.org/Documentation/network/ipsec/"
	elog "to find a lot of information on how to configure this great tool."
	elog
}

# vim: set foldmethod=marker nowrap :