Bug 152971

Summary: net-firewall/ipsec-tools-0.6.6 version bump
Product: Gentoo Linux
Reporter: Cyrius <cyrius>
Component: New packages
Assignee: Peter Johanson (RETIRED) <latexer>
Status: RESOLVED FIXED
Severity: enhancement
CC: c.affolter, dragonheart, flophousejoe-gentoo-bugzilla-ehx, latexer, markus.gapp, menion
Priority: High
Version: 2006.0
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 121919
Attachments: New ebuild for ipsec-tool 0.6.6
New ebuild for ipsec-tools 0.6.6
New ebuild for ipsec-tools 0.6.6
New ebuild for ipsec-tool 0.6.6
New ebuild for ipsec-tool 0.6.6
New ebuild for ipsec-tool 0.6.6
New ebuild for ipsec-tools 0.6.6
New ebuild for ipsec-tools 0.6.6
net-firewall/ipsec-tools-0.6.6.ebuild (new ebuild, clean-up)
ipsec-tools-0.6.6.ebuild.patch

Description Cyrius 2006-10-27 05:39:40 UTC
The new version of ipsec-tools is available.
You will find the changed ebuild in the attachment.
Comment 1 Cyrius 2006-10-27 05:40:53 UTC
Created attachment 100573 [details]
New ebuild for ipsec-tool 0.6.6
Comment 2 Matthias Geerdsen (RETIRED) gentoo-dev 2006-10-27 05:44:32 UTC
no reason to keep this secret ;-)
Comment 3 Cyrius 2006-10-28 02:38:11 UTC
I've learned that it's better to use the CVS version of ipsec-tools. There are a lot more functionalities and corrected bugs in racoon and setkey.
Can you confirm it?
If yes, perhaps it would be better to make a CVS ebuild.
I've done it. If you want, I can post it, because I'm not an expert in this.
So you will have a base for working on this.
Comment 4 Cyrius 2006-10-28 15:06:29 UTC
Created attachment 100667 [details]
New ebuild for ipsec-tools 0.6.6

This ebuild has some USE flags added:
   dpd 
   fastquit 
   frag 
   gssapi 
   hybrid 
   idea 
   ldap 
   natt 
   pam 
   rc5 
   readline 
   security-context
   stats 
   ipv6
and a check functionality for kernel flags
Comment 5 Cyrius 2006-10-28 15:09:22 UTC
The ssl flag is not supported with this version.
It is from the CVS version. Then it will.
Radius is not supported by Gentoo with libradius library. 
As I understood, we have to use pam ... strange
Comment 6 Cyrius 2006-10-28 15:16:06 UTC
In the compile, I didn't succeed in getting some option flags enabled:
checking kernel NAT-Traversal support... yes
checking whether to support NAT-T... no
checking which NAT-T versions to support... none
checking whether we support FWD policy... no
checking for ipsec_policy_t... no

or 
checking openssl/camellia.h usability... no
checking openssl/camellia.h presence... no

I don't know if it's relevant or not.

Another point is that iconv seems to need the new libiconv, which is hard masked for the moment.

Comment 7 Cyrius 2006-10-28 16:32:00 UTC
Created attachment 100673 [details]
New ebuild for ipsec-tools 0.6.6

Additional USE flags:
  adminport
  pic 
  shared
  static

I have corrected a dependency between the pam and hybrid flags.
Inherited linux-mod replaced by linux-info.
Comment 8 Cyrius 2006-10-30 14:52:25 UTC
Comment on attachment 100673 [details]
New ebuild for ipsec-tools 0.6.6

The natt flag is not taken into account
Comment 9 Cyrius 2006-10-30 14:54:57 UTC
Created attachment 100822 [details]
New ebuild for ipsec-tool 0.6.6

Natt flag is corrected
ssl flag is not needed anymore. It was a mistake.
Comment 10 Cyrius 2006-10-30 15:08:37 UTC
TODO :
There are two modes for the forwarding policy: Kernel and RFC.
It's not taken into account for the moment.
Normally, only the RFC is done.

security-context depends on some kernel options.
I'll try to find them.


Comment 11 Cyrius 2006-10-31 02:10:00 UTC
Created attachment 100858 [details]
New ebuild for ipsec-tool 0.6.6

In fact, security context is searching for the lsm kernel module, which seems to be present systematically in 2.6.
Then nothing to do :-)

The kernel mode is used when you do a "setkey -k"
Then nothing to do :-)

The Camellia cipher algorithm is too recent. See http://www.ntt.co.jp/news/news06e/0604/060413a.html
Then nothing to do :-)

The ldap functionality is not documented in this version.
But the doc exists in the recent CVS version. So a warning is raised.

The kernel includes directory has been added to the compile parameters.

With NAT traversal, there are more options which could be chosen. So a warning
is raised.

Could other Gentoo users test it, please?
Comment 12 Joshua Schmidlkofer 2006-10-31 11:09:10 UTC
I am adding this, temporarily, to asylumware-portage. I will be testing it on various systems.

BTW: Why is this ebuild an octet-stream?  That makes no sense.
Comment 13 Cyrius 2006-10-31 14:50:41 UTC
Created attachment 100926 [details]
New ebuild for ipsec-tool 0.6.6

Right, octet-stream makes no sense. I've selected plain text.

I've added the USE flag "broken-natt", all the documentation in /usr/share/doc
and some commentary to guide users.
I've definitely suppressed the ssl flag.

Thanks for your help.
Comment 14 Cyrius 2006-10-31 16:50:19 UTC
Created attachment 100934 [details]
New ebuild for ipsec-tools 0.6.6

Just adding the dodoc for the FAQ and other text info files which are not in the same
directory as the samples.

Will it take a long time before it is in unstable Gentoo portage?
Comment 15 Cyrius 2006-11-02 00:39:34 UTC
Created attachment 101029 [details]
New ebuild for ipsec-tools 0.6.6

This version corrects the doc installation (was buggy).
An explanation about the presence of sa mode unspec was added.
Comment 16 Cyrius 2006-11-02 00:50:02 UTC
Hello Peter,

Do you think it could be added to gentoo unstable portage in this state?
Comment 17 Cyrius 2006-11-07 00:28:29 UTC
I have been using this version for one week now and all seems to be going the right way.
Do you know when it will be included in the portage tree?

Comment 18 Jakub Moc (RETIRED) gentoo-dev 2006-12-22 13:23:27 UTC
*** Bug 158860 has been marked as a duplicate of this bug. ***
Comment 19 Torsten Kaiser 2007-01-05 08:24:29 UTC
Attachment 101029 [details] (from 2006-11-02) gives the following warnings:
 * Running eautoreconf in '/var/tmp/portage/ipsec-tools-0.6.6-r1/work/ipsec-tools-0.6.6' ...
 * QA Notice: ${WANT_AUTOCONF} variable unset. Please report on http://bugs.gentoo.org/
 * QA Notice: ${WANT_AUTOMAKE} variable unset. Please report on http://bugs.gentoo.org/
 * Running aclocal -I /var/tmp/portage/ipsec-tools-0.6.6-r1/work/ipsec-tools-0.6.6 .  [ ok ]

So I'm reporting this. :)

Also this version does not compile for me with the same error from Bug #158860:
if x86_64-pc-linux-gnu-gcc -DHAVE_CONFIG_H -I. -I. -I../.. -I./../libipsec   -D_GNU_SOURCE -include ./src/include-glibc/glibc-bugs.h -I./src/include-glibc -I./src/include-glibc  -I./../../src/racoon/missing -D_GNU_SOURCE -include ../../src/include-glibc/glibc-bugs.h -I../../src/include-glibc -I../../src/include-glibc -DSYSCONFDIR=\"/etc\" -DADMINPORTDIR=\"/var/lib/racoon\" -O3 -pipe -fomit-frame-pointer -march=athlon64  -Wall  -Wno-unused -MT grabmyaddr.o -MD -MP -MF ".deps/grabmyaddr.Tpo" -c -o grabmyaddr.o grabmyaddr.c; \
        then mv -f ".deps/grabmyaddr.Tpo" ".deps/grabmyaddr.Po"; else rm -f ".deps/grabmyaddr.Tpo"; exit 1; fi
grabmyaddr.c: In function 'recvaddrs':
grabmyaddr.c:126: error: 'IFA_MAX' undeclared (first use in this function)
grabmyaddr.c:126: error: (Each undeclared identifier is reported only once
grabmyaddr.c:126: error: for each function it appears in.)
grabmyaddr.c:167: error: dereferencing pointer to incomplete type
grabmyaddr.c:168: error: dereferencing pointer to incomplete type
grabmyaddr.c:171: error: dereferencing pointer to incomplete type
grabmyaddr.c:171: error: 'IFA_F_TENTATIVE' undeclared (first use in this function)
grabmyaddr.c:175: warning: implicit declaration of function 'IFA_RTA'
grabmyaddr.c:175: error: dereferencing pointer to incomplete type
grabmyaddr.c:175: warning: passing argument 3 of 'parse_rtattr' makes pointer from integer without a cast
grabmyaddr.c:177: error: 'IFA_LOCAL' undeclared (first use in this function)
grabmyaddr.c:178: error: 'IFA_ADDRESS' undeclared (first use in this function)
grabmyaddr.c:187: error: dereferencing pointer to incomplete type
grabmyaddr.c:189: error: dereferencing pointer to incomplete type
grabmyaddr.c:190: error: dereferencing pointer to incomplete type
make[3]: *** [grabmyaddr.o] Error 1
make[3]: Leaving directory `/var/tmp/portage/ipsec-tools-0.6.6-r1/work/ipsec-tools-0.6.6/src/racoon'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/var/tmp/portage/ipsec-tools-0.6.6-r1/work/ipsec-tools-0.6.6/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/var/tmp/portage/ipsec-tools-0.6.6-r1/work/ipsec-tools-0.6.6'
make: *** [all] Error 2

That error was also mentioned in Bug #146478 in comment 16, but neither 0.6.5 nor 0.6.6 fixes it for me.
I am using kernel 2.6.18-mm2, but also have 2.6.19-rc5-mm1 installed.
Comment 20 Torsten Kaiser 2007-01-06 13:13:35 UTC
Mmh... works now with 2.6.20-rc2-mm1...
Comment 21 Cyrius 2007-01-06 17:46:43 UTC
Great :-)
Comment 22 Kalin KOZHUHAROV 2007-01-07 18:42:35 UTC
Created attachment 105913 [details]
net-firewall/ipsec-tools-0.6.6.ebuild (new ebuild, clean-up)

Hmm, this seems VERY bad when run through repoman... several hundred errors (mostly whitespace). Had a look at it and tried to fix it... Difficult.

Here's what I did:

Initial import of ipsec-tools-0.6.6-r1.ebuild from bug #152971

Making repoman happy :-)
Updating most of the text to be consistent with linux-2.6.19.1
fixing nasty bug line 124 in the original: INET_XFRM_MODE_TRANSPORT was checked twice
adding BEET mode (not sure if it is used yet though)
Lots of whitespace changes (space-to-tabs, EOL space)

Adding WANT_AUTOMAKE, WANT_AUTOCONF
Trying to fix bad English in the comments.
The comment about ipsec_set_policy man page seems outdated, removing.

The new ebuild is available in my overlay at http://rsync.tar.bz/net-firewall/ipsec-tools/
(see http://rsync.tar.bz/README.txt on howto use with repoman)

This ebuild contains many useflags, not tested with all. Please report any test results here.
Comment 23 Kalin KOZHUHAROV 2007-01-10 09:09:58 UTC
Created attachment 106324 [details, diff]
ipsec-tools-0.6.6.ebuild.patch

This is a patch to apply to the ebuild in attachment #105913 [details] of this bug.
The full ebuild can be found in my overlay, here:
https://svn.tar.bz/repos/pkalin/trunk/net-firewall/ipsec-tools/ipsec-tools-0.6.6.ebuild

ChangeLog:

------------------------------------------------------------------------
r166 | Kalin.KOZHUHAROV | 2007-01-10 18:02:43 +0900 (Wed, 10 Jan 2007) | 16 lines

Update the ebuild and send to https://bugs.gentoo.org/show_bug.cgi?id=152971

1. Mostly port code from my patch in bug# 121219 (http://bugs.gentoo.org/attachment.cgi?id=79082&action=diff)
2. Improve DESCRIPTION (make it shorter)
3. Run repoman and try to make it happy
4. Add references to Bugzilla for the one-line-patchers
5. linux_chkconfig_present is not needed in src_compile() as it is checked by kernel_check()
6. Remove comments about patented algorithms (they are present in /usr/portage/profiles/use*)
7. Improve comment for --enable-samode-unspec
8. s/ewarn/einfo/g throughout pkg_postinst() and improve the texts

TODO:
*       Find the way to include sparc arch
*       Link all ipsec-tools in Bugzilla as dependencies
*       Shout on dev if nobody takes action
Comment 24 Flophouse Joe 2007-03-03 20:48:37 UTC
(In reply to comment #23)
> TODO:
> *       Shout on dev if nobody takes action


Since it's been over 30 days since the last activity on this bug, would you mind shouting on -dev, Kalin? :)

Additionally, I noticed that the upstream ipsec-tools-0.6.6 tarball compiles and works fine for me on x86 and amd64 if I copy and rename ipsec-tools-0.6.5.ebuild to ipsec-tools-0.6.6.ebuild .

Are the devs nervous about jumping to a new ebuild with ipsec-tools-0.6.6 ?  If so, then perhaps we could "just" copy the existing 0.6.5.ebuild to a 0.6.6.ebuild and then introduce a new ebuild later as (say) ipsec-tools-0.6.6-r1.ebuild ?
Comment 25 Graham Murray 2007-04-06 12:47:36 UTC
It should also be noted that ipsec-tools 0.6.7 has just been released to fix a DoS problem.
Comment 26 Daniel Black (RETIRED) gentoo-dev 2007-04-21 10:50:11 UTC
(In reply to comment #25)
> It should also be noted that ipsec-tools 0.6.7 has just been released to fix a
> DoS problem.
> 
ref bug 173219 - doing that now.

> Are the devs nervous about jumping to a new ebuild with ipsec-tools-0.6.6 ?  If
> so, then perhaps we could "just" copy the existing 0.6.5.ebuild to a
> 0.6.6.ebuild and then introduce a new ebuild later as (say)
> ipsec-tools-0.6.6-r1.ebuild ?

The USE flags look a little extreme. Slowness is probably the grasp of real life taking hold. I'm working on something for it now for bug #173219
Comment 27 Daniel Black (RETIRED) gentoo-dev 2007-04-21 12:27:12 UTC
Kalin and others. I've added ipsec-tools-0.6.7 largely based off Kalin's clean patch. Can you please do a rough test on it to see if I've done anything dumb. I'd like to get this right before getting it stable (bug 173219).

I dropped most USE flags as they didn't change the functionality or bring in dependencies. If I'm wrong on either statement please tell me.