From cba6b76bf493982380ec59ed173ec9b06c7d9b7a Mon Sep 17 00:00:00 2001
From: Natanael Copa
Date: Fri, 12 Apr 2013 14:44:36 +0000
Subject: testing/ipt-netflow-grsec: new aport Linux kernel netflow sensor module http://ipt-netflow.sourceforge.net/ ref #1623
---
 testing/ipt-netflow-grsec/APKBUILD | 75 ++++++++++++++++++++++++++++++++
 testing/ipt-netflow-grsec/constify.patch | 35 +++++++++++++++
 2 files changed, 110 insertions(+)
 create mode 100644 testing/ipt-netflow-grsec/APKBUILD
 create mode 100644 testing/ipt-netflow-grsec/constify.patch
(limited to 'testing/ipt-netflow-grsec')
diff --git a/testing/ipt-netflow-grsec/APKBUILD b/testing/ipt-netflow-grsec/APKBUILD
new file mode 100644
index 000000000..e66568d35
--- /dev/null
+++ b/testing/ipt-netflow-grsec/APKBUILD
@@ -0,0 +1,75 @@
+# Contributor:
+# Maintainer: Natanael Copa
+
+_flavor=grsec
+_kpkg=linux-$_flavor
+_kver=3.8.6
+_kpkgrel=0
+
+# when chaning _ver we *must* bump _mypkgrel
+_ver=1.8.4
+
+_mypkgrel=0
+
+# verify the kernel version before entering chroot
+if [ -f ../linux-${_flavor}/APKBUILD ]; then
+ . ../linux-${_flavor}/APKBUILD
+ pkgname=ipt-netflow-${_flavor}
+ [ "$_kver" != "$pkgver" ] && die "please update _kver to $pkgver"
+ [ "$_kpkgrel" != "$pkgrel" ] && die "please update _kpkgrel to $pkgrel"
+fi
+
+_kpkgver="$_kver-r$_kpkgrel"
+_abi_release=${_kver}-${_kpkgrel}-${_flavor}
+
+pkgname=ipt-netflow-${_flavor}
+pkgver=$_kver
+
+pkgrel=$(( $_kpkgrel + $_mypkgrel ))
+pkgdesc="Linux kernel netflow sensor module"
+url="http://ipt-netflow.sourceforge.net/"
+arch="all"
+license=GPL-2
+source="ipt-netflow-$_ver.tar.gz::https://github.com/RushOnline/ipt-netflow/archive/v$_ver.tar.gz
+ constify.patch"
+depends="$_kpkg-dev=$_kpkgver"
+makedepends="linux-${_flavor}-dev iptables-dev bash"
+
+_builddir="$srcdir"/ipt-netflow-$_ver
+prepare() {
+ cd "$_builddir"
+ for i in $source; do
+ case $i in
+ *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
+ esac
+ done
+}
+
+build() {
+ cd "$_builddir"
+ export GCC_SPECS=/usr/share/gcc/hardenednopie.specs
+ ./configure --kver=$_abi_release \
+ --ipt-inc=/usr/include/libiptc \
+ || return 1
+ make ipt_NETFLOW.ko
+
+ # verify that it was built with constify:
+ strings ipt_NETFLOW.ko | grep '^vermagic=.*CONSTIFY_PLUGIN' || return 1
+}
+
+package() {
+ cd "$_builddir"
+ make -j1 minstall DESTDIR="$pkgdir" || return 1
+}
+
+# override dev() from kernel's APKBUILD
+dev() {
+ default_dev
+}
+
+md5sums="a5d564dd5f30d5b61a93decf29e3a208 ipt-netflow-1.8.4.tar.gz
+2d9335c3d5c32c1e18a67fbb83018bae constify.patch"
+sha256sums="bb2446a0b16aa7f6052599410c2b4ce184d40893ec2ca12756f3bcb341890f43 ipt-netflow-1.8.4.tar.gz
+5a86c64bdc536bddb780ebaa4aa5fe3bede93d645ed0f00afb41f23314662d1f constify.patch"
+sha512sums="e15ad33b4b3df9e1e53fbac6334dbe08802d66f4850cbf489d7a60184cdb47d94448ae13480d586474a6bec6204680d059543b619ae40a0f74fad22fed1b024a ipt-netflow-1.8.4.tar.gz
+08835d3de5925d868b70c240e65094a9262c5871d7ca0290001697cf8b7cee74bfc8ac2897b30c3d5ec89700b329d30b539699596f15c1150e18a85234484758 constify.patch"
diff --git a/testing/ipt-netflow-grsec/constify.patch b/testing/ipt-netflow-grsec/constify.patch
new file mode 100644
index 000000000..b92ed76a6
--- /dev/null
+++ b/testing/ipt-netflow-grsec/constify.patch
@@ -0,0 +1,35 @@
+--- ./ipt_NETFLOW.c.orig 2013-04-12 14:18:39.176959425 +0000
++++ ./ipt_NETFLOW.c 2013-04-12 14:23:29.779638950 +0000
+@@ -367,8 +367,13 @@
+ #define BEFORE2632(x,y)
+ #endif
+
++/* PAX need to know that we are allowed to write */
++#ifndef CONSTIFY_PLUGIN
++#define ctl_table_no_const ctl_table
++#endif
++
+ /* sysctl /proc/sys/net/netflow */
+-static int hsize_procctl(ctl_table *ctl, int write, BEFORE2632(struct file *filp,)
++static int hsize_procctl(ctl_table_no_const *ctl, int write, BEFORE2632(struct file *filp,)
+ void __user *buffer, size_t *lenp, loff_t *fpos)
+ {
+ void *orig = ctl->data;
+@@ -386,7 +391,7 @@
+ return ret;
+ }
+
+-static int sndbuf_procctl(ctl_table *ctl, int write, BEFORE2632(struct file *filp,)
++static int sndbuf_procctl(ctl_table_no_const *ctl, int write, BEFORE2632(struct file *filp,)
+ void __user *buffer, size_t *lenp, loff_t *fpos)
+ {
+ int ret;
+@@ -446,7 +451,7 @@
+ return ret;
+ }
+
+-static int flush_procctl(ctl_table *ctl, int write, BEFORE2632(struct file *filp,)
++static int flush_procctl(ctl_table_no_const *ctl, int write, BEFORE2632(struct file *filp,)
+ void __user *buffer, size_t *lenp, loff_t *fpos)
+ {
+ int ret;
-- cgit v1.2.3
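Review bot: `depends="$_kpkg-dev=$_kpkgver"` pins the runtime dependency to the kernel headers package rather than to the kernel, while `makedepends` lists `linux-${_flavor}-dev` with no version. If the intent is that the module is only installed next to the kernel it was built for, these look swapped; `depends="$_kpkg=$_kpkgver"` and `makedepends="$_kpkg-dev=$_kpkgver iptables-dev bash"` would express that. In `build()`, `make ipt_NETFLOW.ko` is the only step without `|| return 1`. The vermagic check after it confirms CONSTIFY_PLUGIN but not the kernel release; assuming the release string equals `$_abi_release`, `grep "^vermagic=$_abi_release .*CONSTIFY_PLUGIN"` would also reject a module built against the wrong headers.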
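Review bot: The three handlers now take `ctl_table_no_const *ctl`, but nothing in this patch changes the table those pointers come from, so a write through `ctl` still targets the registered sysctl entry. `hsize_procctl` saves `ctl->data` in `orig`, which suggests it repoints `ctl->data` during the call; the rest of each body lies outside the hunks, so this is inferred. If so, and unless the table definition is also marked no_const (not visible here), that write can land on memory the constify plugin made read-only, and the entry is shared between concurrent writers. A safer pattern is to keep the parameter as `ctl_table *ctl` and work on a local copy, `ctl_table_no_const lctl = *ctl;`, setting `lctl.data` and passing `&lctl` to the proc helper. The added comment could say which writes it refers to, for example `/* PaX constify: these handlers modify their ctl_table argument */`.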