-rw-r--r--main/ipfw-grsec/APKBUILD76
-rw-r--r--main/ipfw-grsec/ipfw-cgroup.patch34
-rw-r--r--main/ipfw-grsec/ipfw-kmod-dereffix.patch22
-rw-r--r--main/ipfw-grsec/ipfw-strict-uidgid.patch40
4 files changed, 172 insertions, 0 deletions
diff --git a/main/ipfw-grsec/APKBUILD b/main/ipfw-grsec/APKBUILD
new file mode 100644
index 0000000000..9606a730f5
--- /dev/null
+++ b/main/ipfw-grsec/APKBUILD
@@ -0,0 +1,76 @@
+# Contributor: William Pitcock <nenolod@dereferenced.org>
+# Maintainer: William Pitcock <nenolod@dereferenced.org>
+_flavor=${FLAVOR:-grsec}
+_kpkg=linux-$_flavor
+_realname=ipfw
+_name=$_realname-$_flavor
+
+_kver=3.12.8
+_kpkgrel=0
+
+_realver=20130607
+_mypkgrel=0
+
+# source the kernel version
+if [ -f ../linux-$_flavor/APKBUILD ]; then
+ . ../linux-$_flavor/APKBUILD
+ [ "$_kver" != "$pkgver" ] && die "$_name: Please update _kver to $pkgver"
+ [ "$_kpkgrel" != "$pkgrel" ] && die "$_name: Please update _kpkgrel to $pkgrel"
+fi
+
+_kernelver=$_kver-r$_kpkgrel
+_abi_release=${_kver}-${_kpkgrel}-${_flavor}
+
+pkgname=$_name
+pkgver=$_kver
+pkgrel=$(($_kpkgrel + $_mypkgrel))
+pkgdesc="BSD ipfw firewall and dummynet suite (linux-grsec modules)"
+url="http://info.iet.unipi.it/~luigi/dummynet/"
+arch="all"
+license="BSD"
+depends="linux-${_flavor}=${_kernelver}"
+makedepends="linux-${_flavor}-dev=${_kernelver} iptables-dev pkgconfig"
+install=
+install_if="linux-$_flavor=$_kernelver $_realname"
+source="http://info.iet.unipi.it/~luigi/doc/${_realver}-${_realname}3.tgz
+ ipfw-kmod-dereffix.patch
+ ipfw-cgroup.patch
+ ipfw-strict-uidgid.patch"
+subpackages=""
+
+_builddir="$srcdir/ipfw3-2012"
+prepare() {
+ local i
+ cd "$_builddir"
+ for i in $source; do
+ case $i in
+ *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
+ esac
+ done
+}
+
+build() {
+ cd "$_builddir"
+ make kipfw KSRC=/usr/src/linux-headers-${_abi_release} V=1
+}
+
+package() {
+ cd "$_builddir/kipfw-mod"
+ mkdir -p "$pkgdir/lib/modules/${_abi_release}/misc/"
+ for module in `find . -type f -name '*.ko'`; do
+ install -D -m644 $module "$pkgdir/lib/modules/${_abi_release}/misc/"
+ done
+}
+
+md5sums="004e65e6d545a89c4dcc3e741e287444 20130607-ipfw3.tgz
+c4f9a8065d448da3901b3d8219dd98ca ipfw-kmod-dereffix.patch
+f0d782e9869b26aae8a919645a48fc88 ipfw-cgroup.patch
+5a7390c6dcdb49b576c2a74071d7e3dd ipfw-strict-uidgid.patch"
+sha256sums="7dc80437b137e629f8ef3a7889b24ffbd1c27274e9cce15fd1f3b2c8620c6d64 20130607-ipfw3.tgz
+84967fe411d8c35343c39b321aaddc830ef955ab2e27f78de1cf99c496b2cbfa ipfw-kmod-dereffix.patch
+7538104b3ae3ea175c06b3d021877f1961688e9f6a897a80f75e864c21c162d1 ipfw-cgroup.patch
+4d96448496b6fecc0ca13aedb19f08b28769a66c82d301c8f57dced117e537b7 ipfw-strict-uidgid.patch"
+sha512sums="6c4c2c7d4795094b9ff72212394e7dee44e5f9e09e97021b5ac9c3fad6de5a32b1d608ae9572da17f62cb37d076d89ab26859c61255d03d6bce22ca527f2c8ec 20130607-ipfw3.tgz
+e445c17ebc01feea5ce473819c386c7e07507889365a8790d8a8e8f41bbea70b06fc7e0a7e98d558b9653abe1c175706684a5222f0003f5350902c6927df9b72 ipfw-kmod-dereffix.patch
+c1841f7a47ef840a8fde575e84ea47d71b7f80dbb0606f4a53f6c58bfcd157b26db003f1ecf2ff61c0138f81f8e56835c0866ed6ca31188a0bad6790a78edae8 ipfw-cgroup.patch
+a9c89d5c2310d5d4e76747a191767dc2acef8d149377d5f943d4969137a68d42feae8c9e9aef4fe688221f933762a61b444f96d68f6db0b31efbd845c3d591c3 ipfw-strict-uidgid.patch"
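Review bot: The `make kipfw ...` call in build() and the `mkdir -p`/`install` calls in package() run with no `|| return 1`, while prepare() does guard its `patch` call that way; unless abuild runs these functions under `set -e`, a failed kernel-module build is ignored and package() goes on to install whatever `.ko` files happen to exist, producing a package whose module set silently depends on how far the build got. The fix is one suffix per command, e.g. `make kipfw KSRC=/usr/src/linux-headers-${_abi_release} V=1 || return 1` and `install -D -m644 "$module" "$pkgdir/lib/modules/${_abi_release}/misc/" || return 1`. Quoting `"$module"` (and `"$i"` in the `msg $i` call) also keeps the loops correct if a path ever contains whitespace. A `find . -type f -name '*.ko' -exec install -D -m644 {} "$pkgdir/lib/modules/${_abi_release}/misc/" \;` form would avoid the backtick word-splitting loop entirely, which is a matter of style.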
diff --git a/main/ipfw-grsec/ipfw-cgroup.patch b/main/ipfw-grsec/ipfw-cgroup.patch
new file mode 100644
index 0000000000..23942e7a24
--- /dev/null
+++ b/main/ipfw-grsec/ipfw-cgroup.patch
@@ -0,0 +1,34 @@
+--- ipfw3-2012.orig/glue.h
++++ ipfw3-2012/glue.h
+@@ -377,13 +377,29 @@
+ #define flow_daddr fl.nl_u.ip4_u
+ #endif
+
+-#endif /* __linux__ */
+-
+ /*
+ * Do not load prio_heap.h header because of conflicting names
+ * with our heap functions defined in include/netinet/ipfw/dn_heap.h
+ */
+ #define _LINUX_PRIO_HEAP_H
++
++/* Do however declare the structure... */
++/**
++ * struct ptr_heap - simple static-sized priority heap
++ * @ptrs - pointer to data area
++ * @max - max number of elements that can be stored in @ptrs
++ * @size - current number of valid elements in @ptrs (in the range 0..@size-1
++ * @gt: comparison operator, which should implement "greater than"
++ */
++struct ptr_heap {
++ void **ptrs;
++ int max;
++ int size;
++ int (*gt)(void *, void *);
++};
++
++#endif /* __linux__ */
++
+ /*
+ * The following define prevent the ipv6.h header to be loaded.
+ * Starting from the 2.6.38 kernel the ipv6.h file, which is included
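Review bot: The `struct ptr_heap` added to glue.h is a hand copy of a kernel-internal definition whose real header is suppressed by the `#define _LINUX_PRIO_HEAP_H` just above it, so if the kernel's own layout ever differs from these four members, any kernel structure that embeds a `struct ptr_heap` would be laid out differently in this module than in the running kernel, with no compile-time diagnostic; that hazard deserves a comment on the struct such as `/* Must stay identical to the kernel's struct ptr_heap: the real prio_heap.h is suppressed above, so layout drift here silently changes the layout of kernel structs that embed it. */`. Moving `#endif /* __linux__ */` below the define also makes `_LINUX_PRIO_HEAP_H` linux-only where it was previously unconditional; that looks harmless since the header guard only matters on Linux, but it is worth stating in the patch description. The copied kerneldoc line `(in the range 0..@size-1` is missing its closing parenthesis.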
diff --git a/main/ipfw-grsec/ipfw-kmod-dereffix.patch b/main/ipfw-grsec/ipfw-kmod-dereffix.patch
new file mode 100644
index 0000000000..168fc70e18
--- /dev/null
+++ b/main/ipfw-grsec/ipfw-kmod-dereffix.patch
@@ -0,0 +1,22 @@
+--- ipfw3-2012.orig/sys/netinet/ipfw/ip_dummynet.c
++++ ipfw3-2012/sys/netinet/ipfw/ip_dummynet.c
+@@ -635,7 +635,7 @@
+ fs->sched->fp->free_fsk(fs);
+ fs->sched = NULL;
+ if (flags & DN_DELETE_FS) {
+- bzero(fs, sizeof(fs)); /* safety */
++ bzero(fs, sizeof(*fs)); /* safety */
+ free(fs, M_DUMMYNET);
+ dn_cfg.fsk_count--;
+ } else {
+--- ipfw3-2012.orig/kipfw/ipfw2_mod.c
++++ ipfw3-2012/kipfw/ipfw2_mod.c
+@@ -218,7 +218,7 @@
+ struct thread t;
+ int ret = EINVAL;
+
+- memset(s, 0, sizeof(s));
++ memset(s, 0, sizeof(*s));
+ s->sopt_name = cmd;
+ s->sopt_dir = dir;
+ s->sopt_valsize = len;
diff --git a/main/ipfw-grsec/ipfw-strict-uidgid.patch b/main/ipfw-grsec/ipfw-strict-uidgid.patch
new file mode 100644
index 0000000000..cf4376b956
--- /dev/null
+++ b/main/ipfw-grsec/ipfw-strict-uidgid.patch
@@ -0,0 +1,40 @@
+--- ipfw3-2012.orig/glue.h
++++ ipfw3-2012/glue.h
+@@ -102,6 +102,24 @@
+ #include <linux/in.h> /* struct in_addr */
+ #include <linux/in6.h> /* struct in6_addr */
+ #include <linux/icmp.h>
++
++#ifdef CONFIG_UIDGID_STRICT_TYPE_CHECKS
++#include <linux/uidgid.h>
++
++#define KUID_TO_SUID(x) (__kuid_val(x))
++#define KGID_TO_SGID(x) (__kgid_val(x))
++#define SUID_TO_KUID(x) (KUIDT_INIT(x))
++#define SGID_TO_KGID(x) (KGIDT_INIT(x))
++
++#else
++
++#define KUID_TO_SUID(x) (x)
++#define KGID_TO_SGID(x) (x)
++#define SUID_TO_KUID(x) (x)
++#define SGID_TO_KGID(x) (x)
++
++#endif
++
+ /*
+ * LIST_HEAD in queue.h conflict with linux/list.h
+ * some previous linux include need list.h definition
+--- ipfw3-2012.orig/kipfw/ipfw2_mod.c
++++ ipfw3-2012/kipfw/ipfw2_mod.c
+@@ -737,8 +737,8 @@
+ if ((1<<st) & GOOD_STATES) {
+ read_lock_bh(&sk->sk_callback_lock);
+ if (sk->sk_socket && sk->sk_socket->file) {
+- u->uid = sk->sk_socket->file->_CURR_UID;
+- u->gid = sk->sk_socket->file->_CURR_GID;
++ u->uid = KUID_TO_SUID(sk->sk_socket->file->_CURR_UID);
++ u->gid = KGID_TO_SGID(sk->sk_socket->file->_CURR_GID);
+ }
+ read_unlock_bh(&sk->sk_callback_lock);
+ } else {
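Review bot: The `#ifdef CONFIG_UIDGID_STRICT_TYPE_CHECKS` split in glue.h is tied to a config symbol that only exists in a narrow kernel range, and `KUID_TO_SUID`/`SUID_TO_KUID` fall back to identity when it is absent; `linux/uidgid.h` provides `__kuid_val`, `__kgid_val`, `KUIDT_INIT` and `KGIDT_INIT` whether or not strict checks are enabled, so defining the four macros unconditionally in terms of those accessors (keeping only the `#include <linux/uidgid.h>` under a kernel-version guard if older kernels must still build) removes the duplicated branch and, if I recall correctly that later kernels drop the option and make `kuid_t` always a struct, keeps the glue compiling there too. The ipfw2_mod.c hunk now stores the kernel-internal uid/gid of the socket owner for rule matching; if the ruleset's `uid`/`gid` values are meant to be init-namespace ids, `from_kuid(&init_user_ns, ...)` is the accessor that makes that explicit, whereas `__kuid_val` only coincides with it under an identity mapping, which presumably holds here but deserves a comment at the assignment. The enclosing function in ipfw2_mod.c starts and ends outside the hunk.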