Hello,
I just hacked the patches/Makefile for vpnc to support vpnc 0.5.1. This
release is far more usable than 0.4.0, because it fixes one annoying
keep-alive problem and many other bugs.
(see http://www.unix-ag.uni-kl.de/~massar/vpnc/ for a list)
So here's the patch against SVN r10611.
Additionally, I would like to suggest removing the start_vpn_nat/stop_vpn_nat
functions in the vpnc-script (I kept them for now). Currently, they are
hard-coded to allow any packets to be forwarded between the VPN and any other
network (also the WAN...)
In the setup I'm using, at least, this default is insecure. I'm using a VPN
tunnel to establish a connection to the Internet and using the router to
share this connection locally. So, I have to comment out these lines
in /etc/vpnc/vpnc-script, which is not very user-friendly. IMHO, it would be
better if the scripts were non-permissive by default (because the fact that
you're using a VPN usually indicates that there are some security aspects
involved).
In most situations, I would think that a static firewall setup
in /etc/firewall.user suffices. In my situation, it does. In cases where a
dynamic firewall setup is needed, the user would probably adjust vpnc-script
manually, anyway. So, as far as I can see, there's no point in having a
wide-open firewall hard-coded into the script.
Best regards,
Johannes
Index: patches/002-vpn_script.patch
===================================================================
--- patches/002-vpn_script.patch (revision 10611)
+++ patches/002-vpn_script.patch (working copy)
@@ -1,7 +1,8 @@
---- vpnc-0.4.0/vpnc-script 2007-02-18 12:52:03.000000000 +0100
-+++ vpnc-0.4.0.patched/vpnc-script 2007-02-25 11:34:06.000000000 +0100
-@@ -107,7 +107,7 @@
- }
+diff -ur vpnc-0.5.1.orig/vpnc-script vpnc-0.5.1/vpnc-script
+--- vpnc-0.5.1.orig/vpnc-script 2007-09-06 22:05:15.000000000 +0200
++++ vpnc-0.5.1/vpnc-script 2008-03-17 23:12:10.000000000 +0100
+@@ -95,7 +95,7 @@
+ # =========== tunnel interface handling ====================================
do_ifconfig() {
- ifconfig "$TUNDEV" inet "$INTERNAL_IP4_ADDRESS" $ifconfig_syntax_ptp "$INTERNAL_IP4_ADDRESS" netmask 255.255.255.255 mtu 1412 up
@@ -9,7 +10,7 @@
}
destroy_tun_device() {
-@@ -388,6 +388,18 @@
+@@ -490,6 +490,18 @@
fi
}
@@ -25,10 +26,10 @@
+ iptables -D forwarding_rule -o $TUNDEV -j ACCEPT
+}
+
- ####
+ #### Main
if [ -z "$reason" ]; then
-@@ -401,8 +413,10 @@
+@@ -503,8 +515,10 @@
;;
connect)
do_connect
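Review bot: The refreshed patch still carries the start_vpn_nat/stop_vpn_nat helpers whose removal half is visible in the kept context line `iptables -D forwarding_rule -o $TUNDEV -j ACCEPT`; the matching insert presumably sits in start_vpn_nat outside this hunk, and together they open forwarding between the tunnel and every other interface by default, independent of what /etc/firewall.user says. Since the cover note already argues for a non-permissive default, this refresh is the natural place to either drop the two helpers from the patch or make their call sites opt-in, e.g. `[ "$VPNC_ENABLE_NAT" = 1 ] && start_vpn_nat` where VPNC_ENABLE_NAT is a placeholder for whatever config knob is chosen. Independently, `$TUNDEV` is unquoted in those iptables lines while the same script quotes it in do_ifconfig (`ifconfig "$TUNDEV" …`); quoting it consistently (`-o "$TUNDEV"`) avoids word splitting if the name ever contains unexpected characters. The bodies of start_vpn_nat/stop_vpn_nat begin outside this hunk, so the insert-side rule could not be checked here.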
Index: patches/001-cross.patch
===================================================================
--- patches/001-cross.patch (revision 10611)
+++ patches/001-cross.patch (working copy)
@@ -1,8 +1,8 @@
-diff -Nur vpnc-0.4.0/Makefile vpnc-0.4.0.patched/Makefile
---- vpnc-0.4.0/Makefile 2007-02-19 21:51:12.000000000 +0100
-+++ vpnc-0.4.0.patched/Makefile 2007-02-25 10:40:25.000000000 +0100
+diff -ur vpnc-0.5.1.orig/Makefile vpnc-0.5.1/Makefile
+--- vpnc-0.5.1.orig/Makefile 2007-09-06 22:05:15.000000000 +0200
++++ vpnc-0.5.1/Makefile 2008-03-17 23:16:06.000000000 +0100
@@ -20,7 +20,7 @@
- # $Id: Makefile 148 2007-02-19 20:51:14Z Maurice Massar $
+ # $Id: Makefile 236 2007-09-05 20:40:59Z Joerg Mayer $
DESTDIR=
-PREFIX=/usr/local
@@ -10,19 +10,29 @@
ETCDIR=/etc/vpnc
BINDIR=$(PREFIX)/bin
SBINDIR=$(PREFIX)/sbin
-@@ -35,12 +35,11 @@
- RELEASE_VERSION := $(shell cat VERSION)
-
+@@ -52,12 +52,12 @@
CC=gcc
--CFLAGS += -W -Wall -O3 -Wmissing-declarations -Wwrite-strings -g
-+CFLAGS += -W -Wall -Wmissing-declarations -Wwrite-strings -I$(STAGING_DIR)/usr/include -I$(STAGING_DIR)/include $(OFLAGS) '-DVERSION="$(shell cat VERSION)"'
- CPPFLAGS = -DVERSION=\"$(VERSION)\"
--LDFLAGS = -g $(shell libgcrypt-config --libs)
+ CFLAGS ?= -O3 -g
+ CFLAGS += -W -Wall -Wmissing-declarations -Wwrite-strings
-CFLAGS += $(shell libgcrypt-config --cflags)
++CFLAGS += -I$(STAGING_DIR)/usr/include -I$(STAGING_DIR)/include
+ CPPFLAGS += -DVERSION=\"$(VERSION)\" $(OPENSSL_GPL_VIOLATION)
+ LDFLAGS ?= -g
+-LDFLAGS += $(shell libgcrypt-config --libs) $(OPENSSLLIBS)
+LDFLAGS = -L$(STAGING_DIR)/usr/lib -L$(STAGING_DIR)/lib -lgcrypt -lgpg-error
-ifeq ($(shell uname -s), SunOS)
+ifeq ($(OS), SunOS)
LDFLAGS += -lnsl -lresolv -lsocket
endif
+ ifneq (,$(findstring Apple,$(shell $(CC) --version)))
+@@ -65,7 +65,7 @@
+ CFLAGS += -fstrict-aliasing -freorder-blocks -fsched-interblock
+ endif
+-all : $(BINS) vpnc.8
++all : $(BINS)
+
+ vpnc : $(OBJS) vpnc.o
+ $(CC) -o $@ $^ $(LDFLAGS)
+Only in vpnc-0.5.1: Makefile.orig
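Review bot: The replacement line `+LDFLAGS = -L$(STAGING_DIR)/usr/lib -L$(STAGING_DIR)/lib -lgcrypt -lgpg-error` assigns with `=`, which discards the `LDFLAGS ?= -g` default kept two lines above it, and it also drops the `$(OPENSSLLIBS)` that the removed upstream line carried while `$(OPENSSL_GPL_VIOLATION)` is still left in CPPFLAGS, so if that knob is ever set the objects will reference OpenSSL but the link line will not. Appending keeps both consistent with the upstream 0.5.1 structure: `LDFLAGS += -L$(STAGING_DIR)/usr/lib -L$(STAGING_DIR)/lib -lgcrypt -lgpg-error $(OPENSSLLIBS)` (the `-l` entries arguably belong in LDLIBS, but upstream puts them in LDFLAGS, so matching it is fine). Whether the OpenWrt build ever sets OPENSSL_GPL_VIOLATION is not visible here, so the link mismatch is a consistency concern rather than a demonstrated failure. The trailing `Only in vpnc-0.5.1: Makefile.orig` line is `diff -ur` noise rather than patch content and should be left out of the .patch file.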
Index: Makefile
===================================================================
--- Makefile (revision 10611)
+++ Makefile (working copy)
@@ -9,12 +9,12 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=vpnc
-PKG_VERSION:=0.4.0
+PKG_VERSION:=0.5.1
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=http://www.unix-ag.uni-kl.de/~massar/vpnc/
-PKG_MD5SUM:=604807e7dd90fce00a4e2344ee29c76d
+PKG_MD5SUM:=7a8e94dbe94f39a4fd89b72e0125f66f
PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
PKG_INSTALL_DIR:=$(PKG_BUILD_DIR)/ipkg-install