authorMichael Hanselmann <hansmi@gentoo.org>2005-08-28 12:40:56 +0000
committerMichael Hanselmann <hansmi@gentoo.org>2005-08-28 12:40:56 +0000
commit0d0129f7eacf1ca48ce2298e7afb4b6b433b14dd (patch)
tree76da152dff800c0c76cd035e1b356c7bed8615f8
parentStable on hppa. (diff)
Added patch from bug 98726. Changed herd to qmail, added description to metadata
(Portage version: 2.0.51.22-r2)
-rw-r--r--sys-apps/ucspi-tcp/ChangeLog9
-rw-r--r--sys-apps/ucspi-tcp/files/0.88-limits.patch365
-rw-r--r--sys-apps/ucspi-tcp/files/digest-ucspi-tcp-0.88-r115
-rw-r--r--sys-apps/ucspi-tcp/metadata.xml10
-rw-r--r--sys-apps/ucspi-tcp/ucspi-tcp-0.88-r11.ebuild79
5 files changed, 466 insertions, 2 deletions
diff --git a/sys-apps/ucspi-tcp/ChangeLog b/sys-apps/ucspi-tcp/ChangeLog
index 7e69011d5a96..3043fa718560 100644
--- a/sys-apps/ucspi-tcp/ChangeLog
+++ b/sys-apps/ucspi-tcp/ChangeLog
@@ -1,6 +1,13 @@
# ChangeLog for sys-apps/ucspi-tcp
# Copyright 2002-2005 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-apps/ucspi-tcp/ChangeLog,v 1.33 2005/02/14 12:49:19 robbat2 Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-apps/ucspi-tcp/ChangeLog,v 1.34 2005/08/28 12:40:56 hansmi Exp $
+
+*ucspi-tcp-0.88-r11 (28 Aug 2005)
+
+ 28 Aug 2005; Michael Hanselmann <hansmi@gentoo.org>
+ +files/0.88-limits.patch, metadata.xml, +ucspi-tcp-0.88-r11.ebuild:
+ Added patch from bug 98726. Changed herd to qmail, added description to
+ metadata.
14 Feb 2005; Robin H. Johnson <robbat2@gentoo.org>
+files/0.88-rblsmtpd-ignore-on-RELAYCLIENT.patch:
diff --git a/sys-apps/ucspi-tcp/files/0.88-limits.patch b/sys-apps/ucspi-tcp/files/0.88-limits.patch
new file mode 100644
index 000000000000..6ec88694bf0c
--- /dev/null
+++ b/sys-apps/ucspi-tcp/files/0.88-limits.patch
@@ -0,0 +1,365 @@
+diff -purN ucspi-tcp-0.88.org/README.tcpserver-limits-patch ucspi-tcp-0.88.my/README.tcpserver-limits-patch
+--- ucspi-tcp-0.88.org/README.tcpserver-limits-patch 1970-01-01 01:00:00.000000000 +0100
++++ ucspi-tcp-0.88.my/README.tcpserver-limits-patch 2005-01-30 18:26:14.000000000 +0100
+@@ -0,0 +1,135 @@
++20050130 reinstated /proc/loadavg support for those compiling on Linux
++with dietlibc (see #define NO_GETLOADAVG at top of tcpserver.c).
++Also, we now compile on 64bit platforms (we avoid including unistd.h if
++using getloadavg(3), so we don't conflict with readwrite.h header file)
++Needed if your compile was breaking with:
++readwrite.h:4: error: syntax error before "read"
++readwrite.h:4: warning: data definition has no type or storage class
++SUMMARY: If 20040725 worked for you, there is no reason to upgrade
++(no new features of bugfixes)
++
++20040725 adds a sleep(1) before terminating (to prevent too high load from
++many rapid fork()/exit() calls. It also changes the method for checking
++system load to getloadavg(3) instead of parsing /proc/loadavg, therefore
++making it working on *BSD and other non-Linux systems in addition to Linux.
++It also adds DIEMSG="xxx" support.
++
++20040327 fixes a bug in 20040124 related to MAXLOAD (it would not work
++correctly when load was higher than 10.00)
++
++
++This patch (20040725) makes tcpserver from DJB's ucspi-tcp-0.88 package (see
++http://cr.yp.to/ucspi-tcp.html) to modify its behavior if some environment
++variables are present.
++
++The variables can be preset before starting tcpserver (thus acting as
++default for all connections), or, if you use 'tcpserver -x xxx.cdb', they
++can be set (or overridden) from xxx.cdb. If none of the variables are set,
++tcpserver behaves same as non patched version (except for negligible
++performance loss). Any or all variables can be set, as soon as first limit
++is reached the connection is dropped. I'd recommend using .cdb files
++exclusively though, as you can then modify configuration without killing
++tcpserver.
++
++The variables are:
++
++(1) MAXLOAD
++ maximum 1-minute load average * 100. For example, if you have line
++ :allow,MAXLOAD="350"
++ in your rules file from which you created .cdb, the connection will be
++ accepted only if load average is below 3.50
++ For this variable to have effect, you have to have working getloadavg(3)
++ (most modern UN*Xoids have, including Linux and FreeBSD)
++ Otherwise, you have to uncomment #define NO_GETLOADAVG in tcpserver.c
++ and have readable '/proc/loadavg' with linux-2.4.x/2.6.x syntax (see
++ the source -- this is needed if you're compiling with dietlibc
++ or such)
++
++(2) MAXCONNIP
++ maximum connections from one IP address. tcpserver's -c flag defines
++ maximum number of allowed connections, but it can be abused if
++ just one host goes wild and eats all the connections - no other host
++ would be able to connect then. If you created your .cdb with:
++ :allow,MAXCONNIP="5"
++ and run tcpserver -c 50, then each IP address would be able to have at
++ most 5 concurrent connections, while there still could connect 50
++ clients total
++
++(3) MAXCONNC
++
++ maximum connections from whole C-class (256 addresses). Extension of
++ MAXCONNIP, as sometimes the problematic client has a whole farm of
++ client machines with different IP addresses instead of just one IP
++ address, and they all try to connect. It might have been more useful to
++ be able to specify CIDR block than C-class, but I've decided to KISS.
++
++ for example tcpserver -c 200, and .cdb with:
++ :allow,MAXCONNC="15"
++ will allow at most 15 host from any x.y.z.0/24 address block, while
++ still allowing up to 200 total connections.
++
++(4) DIEMSG
++
++ if set and one of the above limits is exceeded, this is the message
++ to be sent to client (CRLF is always added to the text) before terminating
++ connection. If unset, the connection simply terminates (after 1 sec delay)
++ if limit is exceeded.
++
++ For example:
++ DIEMSG="421 example.com Service temporarily not available, closing
++ transmission channel"
++
++Notes:
++
++- if a connection is dropped due to some of those variables set, it will be
++ flagged (if you run tcpserver -v) with "LOAD:", "MAXCONNIP:" or
++ "MAXCONNC:" at the end of the "tcpserver: deny" line. If that bothers you
++ (eg. you have a strict log parsers), don't apply that chunk of the patch.
++
++- the idea for this patch came from my previous experience with xinetd, and
++ need to limit incoming bursts of virus/spam SMTP connections, since I was
++ running qmail-scanner to scan incoming and outgoing messages for viruses
++ and spam.
++
++When you make changes, please check that they work as expected.
++
++Examples (for tcprules created .cdb)
++(a) 192.168.:allow,MAXLOAD="1000"
++ :allow,MAXCONNIP="3"
++
++ this would allow any connection from your local LAN (192.168.*.*
++ addresses) if system load is less than 10.00. non-LAN connections would
++ be accepted only if clients from that IP address have not already opened
++ more than 2 connections (as your connection would be last allowed -- 3rd)
++
++(b) 192.168.:allow
++ 5.6.7.8:allow,MAXCONNIP="3"
++ 1.2.:allow,MAXLOAD="500",MAXCONNIP="1",MAXCONNC="5"
++ :allow,MAXLOAD="1000",MAXCONNIP="3",DIEMSG="421 example.com unavailable"
++
++ if client connects from 192.168.*.* (ex: your LAN), it is allowed.
++ if it connects from 5.6.7.8 (ex: little abusive customer of yours),
++ it is allowed unless there are already 3active connections from 5.6.7.8
++ to this service
++ if it connects from 1.2.*.* (ex: some problematic networks which caused
++ you grief in the past) it will connect only if load is less than 5.0,
++ there is less than 5 active connections from whole C class
++ (1.2.*.0/24), and if that specific IP address does not already have
++ connection open.
++ in all other cases, the client will be permitted to connect if load is
++ less than 10.00 and client has 2 or less connections open. If load is
++ higher than 10.00 or there are 3 or more connections open from this
++ client, the message "421 example.com unavailable" will be returned to
++ the client and connection terminated.
++
++
++Any bugs introduced are my own, do not bother DJB with them.
++If you find any, or have neat ideas, or better documentation, or whatever,
++contact me.
++
++the latest version of the patch can be found at:
++http://linux.voyager.hr/ucspi-tcp/
++
++Enjoy,
++Matija Nalis,
++mnalis-tcpserver _at_ voyager.hr
+diff -N -ru ucspi-tcp-0.88.orig/tcpserver.c ucspi-tcp-0.88/tcpserver.c
+--- ucspi-tcp-0.88.orig/tcpserver.c 2005-08-28 14:34:30.000000000 +0200
++++ ucspi-tcp-0.88/tcpserver.c 2005-08-28 14:35:00.000000000 +0200
+@@ -1,3 +1,12 @@
++#ifdef __dietlibc__
++#define NO_GETLOADAVG
++#endif
++
++#include <stdlib.h>
++#ifdef NO_GETLOADAVG
++#include <unistd.h>
++#endif
++
+ #include <sys/types.h>
+ #include <sys/param.h>
+ #include <netdb.h>
+@@ -64,6 +73,13 @@
+ buffer b;
+
+
++typedef struct
++{
++ char ip[4];
++ pid_t pid;
++} baby;
++
++baby *child;
+
+ /* ---------------------------- child */
+
+@@ -72,6 +88,10 @@
+ int flagdeny = 0;
+ int flagallownorules = 0;
+ char *fnrules = 0;
++unsigned long maxload = 0;
++unsigned long maxconnip = 0;
++unsigned long maxconnc = 0;
++char *diemsg = "";
+
+ void drop_nomem(void)
+ {
+@@ -110,6 +130,8 @@
+ strerr_die4sys(111,DROP,"unable to read ",fnrules,": ");
+ }
+
++unsigned long limit = 40;
++
+ void found(char *data,unsigned int datalen)
+ {
+ unsigned int next0;
+@@ -125,6 +147,10 @@
+ if (data[1 + split] == '=') {
+ data[1 + split] = 0;
+ env(data + 1,data + 1 + split + 1);
++ if (str_diff(data+1, "MAXLOAD") == 0) scan_ulong(data+1+split+1,&maxload);
++ if (str_diff(data+1, "MAXCONNIP") == 0) scan_ulong(data+1+split+1,&maxconnip);
++ if (str_diff(data+1, "MAXCONNC") == 0) scan_ulong(data+1+split+1,&maxconnc);
++ if (str_diff(data+1, "DIEMSG") == 0) diemsg = data+1+split+1;
+ }
+ break;
+ }
+@@ -210,6 +236,53 @@
+ close(fdrules);
+ }
+ }
++
++ unsigned long curload;
++
++ if (maxload) {
++#ifdef NO_GETLOADAVG
++ int lret;
++ int i;
++ unsigned long u1, u2;
++ char *s;
++ static stralloc loadavg_data = {0};
++
++ lret = openreadclose("/proc/loadavg", &loadavg_data, 10);
++ if (lret != -1) {
++ /* /proc/loadavg format is:
++ 13.08 3.04 1.00 34/170 14190 */
++ s = loadavg_data.s;
++ i = scan_ulong (s, &u1); s+=i;
++ if ((i>0) && (i<5) && (*s == '.')) { /* load should be < 10000 */
++ i = scan_ulong (s+1,&u2);
++ if (i==2) { /* we require two decimal places */
++ curload = u1 * 100 + u2;
++ if (curload > maxload) flagdeny = 2;
++ }
++ }
++ }
++#else
++ double result;
++ if (getloadavg(&result, 1) == 1) {
++ curload = result * 100;
++ if (curload > maxload) flagdeny = 2;
++ }
++#endif
++ }
++
++ if (!flagdeny && (maxconnip || maxconnc)) {
++ unsigned long u, c1=0, cc=0;
++ for (u=0; u < limit; u++) if (child[u].pid != 0) {
++ if ((child[u].ip[0] == remoteip[0]) &&
++ (child[u].ip[1] == remoteip[1]) &&
++ (child[u].ip[2] == remoteip[2]) ) {
++ cc++;
++ if (child[u].ip[3] == remoteip[3]) c1++;
++ }
++ }
++ if (maxconnc && (cc >= maxconnc)) flagdeny = 4;
++ if (maxconnip && (c1 >= maxconnip)) flagdeny = 3;
++ }
+
+ if (verbosity >= 2) {
+ strnum[fmt_ulong(strnum,getpid())] = 0;
+@@ -223,11 +296,35 @@
+ cats(":"); safecats(remoteipstr);
+ cats(":"); if (flagremoteinfo) safecats(tcpremoteinfo.s);
+ cats(":"); safecats(remoteportstr);
++ if (flagdeny == 2) {
++ char curloadstr[FMT_ULONG];
++ curloadstr[fmt_ulong(curloadstr,curload)] = 0;
++ cats(" "); safecats ("LOAD"); cats(":"); safecats(curloadstr);
++ }
++ if (flagdeny == 3) {
++ char maxconstr[FMT_ULONG];
++ maxconstr[fmt_ulong(maxconstr,maxconnip)] = 0;
++ cats(" "); safecats ("MAXCONNIP"); cats(":"); safecats(maxconstr);
++ }
++ if (flagdeny == 4) {
++ char maxconstr[FMT_ULONG];
++ maxconstr[fmt_ulong(maxconstr,maxconnc)] = 0;
++ cats(" "); safecats ("MAXCONNC"); cats(":"); safecats(maxconstr);
++ }
+ cats("\n");
+ buffer_putflush(buffer_2,tmp.s,tmp.len);
+ }
+
+- if (flagdeny) _exit(100);
++ if (flagdeny) {
++ if (*diemsg) {
++ buffer_init(&b,write,t,bspace,sizeof bspace);
++ buffer_puts(&b,diemsg);
++ if (buffer_putsflush(&b,"\r\n") == -1)
++ strerr_die2sys(111,DROP,"unable to print diemsg: ");
++ }
++ sleep(1);
++ _exit(100);
++ }
+ }
+
+
+@@ -253,7 +350,6 @@
+ _exit(100);
+ }
+
+-unsigned long limit = 40;
+ unsigned long numchildren = 0;
+
+ int flag1 = 0;
+@@ -278,6 +374,7 @@
+ {
+ int wstat;
+ int pid;
++ unsigned long u;
+
+ while ((pid = wait_nohang(&wstat)) > 0) {
+ if (verbosity >= 2) {
+@@ -286,11 +383,14 @@
+ strerr_warn4("tcpserver: end ",strnum," status ",strnum2,0);
+ }
+ if (numchildren) --numchildren; printstatus();
++ for (u=0; u < limit; u++) if (child[u].pid == pid) { child[u].pid = 0; break; }
++ if (u == limit) strerr_die1x(111,"tcpserver: ERROR: dead child not found?!"); /* never happens */
+ }
+ }
+
+ main(int argc,char **argv)
+ {
++ pid_t pid;
+ char *hostname;
+ char *portname;
+ int opt;
+@@ -332,6 +432,11 @@
+ argc -= optind;
+ argv += optind;
+
++ x = env_get("MAXLOAD"); if (x) scan_ulong(x,&maxload);
++ x = env_get("MAXCONNIP"); if (x) scan_ulong(x,&maxconnip);
++ x = env_get("MAXCONNC"); if (x) scan_ulong(x,&maxconnc);
++ x = env_get("DIEMSG"); if (x) diemsg = x;
++
+ if (!verbosity)
+ buffer_2->fd = -1;
+
+@@ -352,6 +457,10 @@
+ }
+
+ if (!*argv) usage();
++
++ child = calloc(sizeof(baby),limit);
++ if (!child)
++ strerr_die2x(111,FATAL,"out of memory for MAXCONNIP tracking");
+
+ sig_block(sig_child);
+ sig_catch(sig_child,sigchld);
+@@ -405,7 +514,7 @@
+ if (t == -1) continue;
+ ++numchildren; printstatus();
+
+- switch(fork()) {
++ switch(pid=fork()) {
+ case 0:
+ close(s);
+ doit(t);
+@@ -420,6 +529,10 @@
+ case -1:
+ strerr_warn2(DROP,"unable to fork: ",&strerr_sys);
+ --numchildren; printstatus();
++ break;
++ default:
++ for (u=0; u < limit; u++) if (child[u].pid == 0) { byte_copy(child[u].ip,4,remoteip); child[u].pid = pid; break; }
++ if (u == limit) strerr_die1x(111,"tcpserver: ERROR: no empty space for new child?!"); /* never happens */
+ }
+ close(t);
+ }
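Review bot: The rewritten deny path `if (flagdeny) { ... sleep(1); _exit(100); }` sleeps on every deny, including denies that come from the rules file and that the original `if (flagdeny) _exit(100);` left immediately, so a burst of connections from a denied address now keeps each forked child — together with its `-c` slot and its `child[]` entry — alive for an extra second, while the README motivates the delay only for the new limit checks; gating it as `if (flagdeny > 1) sleep(1);` keeps the original behaviour for rule denies, or the cost should be stated in a comment next to the sleep. The surrounding `doit()` begins outside the shown context. `diemsg` is left pointing into the `data` buffer handed to `found()` and is dereferenced only later in `doit()`; whether that buffer is still valid by then depends on rules.c, which is not part of this commit, so it is worth confirming. The per-IP tracking copies and compares exactly four bytes of `remoteip` (`byte_copy(child[u].ip,4,remoteip)`), which is correct for the unpatched IPv4 server; with the ebuild's optional ipv6 patch applied first this presumably compares only a prefix and deserves a check. Also, `calloc(sizeof(baby),limit)` has the nmemb/size arguments reversed — the byte count is the same, but `calloc(limit, sizeof(baby))` reads as intended.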
diff --git a/sys-apps/ucspi-tcp/files/digest-ucspi-tcp-0.88-r11 b/sys-apps/ucspi-tcp/files/digest-ucspi-tcp-0.88-r11
new file mode 100644
index 000000000000..807f2623b597
--- /dev/null
+++ b/sys-apps/ucspi-tcp/files/digest-ucspi-tcp-0.88-r11
@@ -0,0 +1,5 @@
+MD5 39b619147db54687c4a583a7a94c9163 ucspi-tcp-0.88.tar.gz 53019
+MD5 67de66745001ddb48563a1d4e92262c2 ucspi-tcp-0.88-ipv6.diff14.bz2 21917
+MD5 554ec0eb60f619667efde3fb5325310d ucspi-rss.diff 1828
+MD5 10d5074c18d00e5c62c76ce69d7c975b ucspi-tcp-ssl-20020705.patch.gz 3084
+MD5 2dfc47b1a142e1021a49c678dfbb7a03 ucspi-tcp-0.88-ipv6-ssl-nm1.patch.bz2 3212
diff --git a/sys-apps/ucspi-tcp/metadata.xml b/sys-apps/ucspi-tcp/metadata.xml
index 96a2d586367d..692f0c880548 100644
--- a/sys-apps/ucspi-tcp/metadata.xml
+++ b/sys-apps/ucspi-tcp/metadata.xml
@@ -1,5 +1,13 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
-<herd>base-system</herd>
+ <herd>qmail</herd>
+ <longdescription>
+ ucspi-tcp is a replacement for inetd. It consists of tcpserver and
+ tcpclient. tcpserver can listen on sockets and start programs in an
+ inetd like fashion except that information like the IP address and
+ remote port are communicated via environment variables. tcpclient makes
+ a TCP connection and runs a program of your choice. It sets up the same
+ environment variables as tcpserver.
+ </longdescription>
</pkgmetadata>
diff --git a/sys-apps/ucspi-tcp/ucspi-tcp-0.88-r11.ebuild b/sys-apps/ucspi-tcp/ucspi-tcp-0.88-r11.ebuild
new file mode 100644
index 000000000000..9306e0f17825
--- /dev/null
+++ b/sys-apps/ucspi-tcp/ucspi-tcp-0.88-r11.ebuild
@@ -0,0 +1,79 @@
+# Copyright 1999-2005 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sys-apps/ucspi-tcp/ucspi-tcp-0.88-r11.ebuild,v 1.1 2005/08/28 12:40:56 hansmi Exp $
+
+inherit eutils toolchain-funcs
+
+DESCRIPTION="Collection of tools for managing UNIX services"
+HOMEPAGE="http://cr.yp.to/ucspi-tcp.html"
+SRC_URI="http://cr.yp.to/${PN}/${P}.tar.gz
+ ipv6? ( http://www.fefe.de/ucspi/ucspi-tcp-0.88-ipv6.diff14.bz2 )
+ mirror://qmail/ucspi-rss.diff
+ ssl? (
+ !ipv6? ( http://www.nrg4u.com/qmail/ucspi-tcp-ssl-20020705.patch.gz )
+ ipv6? ( http://www.netmonks.ca/gentoo/patches/ucspi-tcp-0.88-ipv6-ssl-nm1.patch.bz2 )
+ )"
+
+LICENSE="as-is"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc-macos ~ppc64 ~s390 ~sparc ~x86"
+IUSE="ssl ipv6 selinux doc"
+
+DEPEND="virtual/libc
+ ssl? ( >=dev-libs/openssl-0.9.6g )"
+RDEPEND="${DEPEND}
+ doc? ( app-doc/ucspi-tcp-man )
+ selinux? ( sec-policy/selinux-ucspi-tcp )"
+PROVIDE="virtual/inetd"
+
+src_unpack() {
+ unpack ${A}
+ cd ${S}
+
+ if use ipv6; then
+ epatch ${WORKDIR}/ucspi-tcp-0.88-ipv6.diff14
+ # Fixes bug 18892
+ epatch ${FILESDIR}/${PV}-bigendian.patch
+ fi
+ if use ssl; then
+ # this is a merged thingy. Thanks to Stephen Olesen <slepp.netmonks.ca>
+ # (bug #32007)
+ if use ipv6 ; then
+ epatch ${WORKDIR}/ucspi-tcp-0.88-ipv6-ssl-nm1.patch
+ else
+ epatch ${WORKDIR}/ucspi-tcp-ssl-20020705.patch
+ fi
+ fi
+ epatch ${FILESDIR}/${PV}-errno.patch
+ epatch ${DISTDIR}/ucspi-rss.diff
+ epatch ${FILESDIR}/${PV}-head-1.patch
+ epatch ${FILESDIR}/${PV}-rblsmtpd-ignore-on-RELAYCLIENT.patch
+ epatch ${FILESDIR}/${PV}-limits.patch
+
+ tc-export CC
+ echo "${CC} ${CFLAGS}" > conf-cc
+ echo "${CC} ${LDFLAGS}" > conf-ld
+ echo "/usr/" > conf-home
+
+ # allow larger responses
+ sed -i 's|if (text.len > 200) text.len = 200;|if (text.len > 500) text.len = 500;|g' ${S}/rblsmtpd.c
+}
+
+src_compile() {
+ emake || die
+}
+
+src_install() {
+ dobin tcpserver tcprules tcprulescheck argv0 recordio tcpclient *\@ tcpcat mconnect mconnect-io addcr delcr fixcrio rblsmtpd || die
+ doman *.[15]
+ dodoc CHANGES FILES README SYSDEPS TARGETS TODO VERSION
+ dodoc README.tcpserver-limits-patch
+ insinto /etc/tcprules.d/
+ newins ${FILESDIR}/tcprules-Makefile Makefile
+}
+
+pkg_postinst() {
+ einfo "We have started a move to get all tcprules files into"
+ einfo "/etc/tcprules.d/, where we have provided a Makefile to"
+ einfo "easily update the CDB file."
+}
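Review bot: In src_unpack the `sed -i 's|if (text.len > 200) ...'` on rblsmtpd.c has no success check, and sed exits 0 even when the pattern matches nothing, so a future patch touching that line would silently drop the "allow larger responses" change; a `grep -q 'text.len = 500' ${S}/rblsmtpd.c || die "rblsmtpd limit sed did not apply"` after it would catch that. `${PV}-limits.patch` is applied last, after the ipv6/ssl patches that also rewrite tcpserver.c; its MAXCONNIP/MAXCONNC tracking works on a 4-byte remoteip, so the USE=ipv6 combination is presumably what was tested for bug 98726 and a short comment next to that epatch line saying so would help the next maintainer. In src_install, `doman`, `dodoc` and `newins` are unchecked while `dobin` has `|| die`; applying `|| die` consistently would match the rest of the file.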