ports/130893: add ability to use LOG_OPENVPN for openvpn sysloging

Michael Scheidell scheidell at secnap.net
Thu Jan 22 16:20:02 UTC 2009


>Number:         130893
>Category:       ports
>Synopsis:       add ability to use LOG_OPENVPN for openvpn sysloging
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jan 22 16:20:01 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Michael Scheidell
>Release:        FreeBSD 6.4-RELEASE i386
>Organization:
SECNAP Network Security
>Environment:
System: FreeBSD scanner.secnap.net 6.4-RELEASE FreeBSD 6.4-RELEASE #0: Tue Dec 23 12:27:47 EST 2008 scheidell at scanner.secnap.net:/usr/obj/usr/src/sys/IONHACKER i386

>Description:
this is something that will enhance the diagnostics of openvpn, is 100% 
upward compatible with old versions, and won't break anything.
(as the p5-Mail-SpamAssassin maintainer, I get lots of requests like 
this, but this one has been tested and really will help)
I always look at the patch, and see if it will break something (and thus 
cause more support issues), if the patch is something supported by the 
original software (it is)

and I really hate it when they say it is broke and I don't get any patches.

openvpn has the ability to set logging facility to something other than 
the default, but it's not a .conf or command line option, it is a compile 
option.

during compile, CFLAGS needs to have LOG_OPENVPN=  and the log facility 
in order for it to work.

make LOG_OPENVPN=LOG_LOCAL6 doesn't do anything (yet), putting 
LOG_OPENVPN=LOG_LOCAL6 in /etc/make.conf doesn't do anything (yet), but 
with this patch, first for openvpn, then for openvpn-devel, the system 
administrator or maintainer can either put LOG_OPENVPN= and facility in 
the make.conf, pkg_tools.conf or on the command line as:
make LOG_OPENVPN=LOG_LOCAL6 and CFLAGS will be set and openvpn will log 
to log facility of your choice.

>How-To-Repeat:
make LOG_OPENVPN=LOG_LOCAL6

watch compile, it never sets the variable LOG_OPENVPN.
with patch it will:

gcc -O2 -Wall -fPIC -shared -Wl,-soname,openvpn-down-root.so -o 
openvpn-down-root.so down-root.o -lc
cd 
/usr/ports/security/openvpn-devel/work/openvpn-2.1_rc15/plugin/auth-pam 
&& cc  -I../.. -DDLOPEN_PAM=0 -O2 -fno-strict-aliasing -pipe 
-march=pentium4 -DLOG_OPENVPN=LOG_LOCAL6 -fPIC -shared 
-Wl,-soname,openvpn-auth-pam.so -o openvpn-auth-pam.so auth-pam.c 
pamdl.c -lc -lpam

I tried to submit it to openvpn themselves, and they didn't seem to 
understand that freebsd make file wasn't passing the env variable anyway 
;-)

http://openvpn.net/archive/openvpn-users/2005-08/msg00317.html
this patch below is better.

>Fix:
no need to bump version, if user has openvpn installed and working, this 
doesn't enhance anything, and will still require CLI or make.conf or 
pkg_conf stuff.

I have tested (with this patch)
make LOG_OPENVPN=LOG_LOCAL6

echo "LOG_OPENVPN=LOG_LOCAL6" >> /etc/make.conf

and with pkg_tools.conf

for openvpn patch: (you could bump to 2.09 to quiet the helpful folks..)
This doesn't, just addresses the log facility

cd /usr/ports/security/openvpn

diff -bBru /tmp/Makefile.openvpn Makefile 
--- /tmp/Makefile.openvpn       2008-08-21 02:18:19.000000000 -0400
+++ Makefile    2009-01-22 10:48:54.000000000 -0500
@@ -41,8 +41,20 @@
 
 .include <bsd.port.pre.mk>
 
+.ifdef (LOG_OPENVPN)  
+CFLAGS+=	-DLOG_OPENVPN=${LOG_OPENVPN}
+.endif
+
 SUB_LIST+=	RCSFX=${RC_SUBR_SUFFIX}
 
+pre-fetch:
+	@${ECHO} ""
+	@${ECHO} "You may use the following build options:"
+	@${ECHO} ""
+	@${ECHO} "      LOG_OPENVPN={Valid syslog facility}"
+	@${ECHO} "      EXAMPLE:  make LOG_OPENVPN=LOG_DAEMON"
+	@${ECHO} ""
+
 # NOTE: there is no way to explicitly specify the LZO version to 
OpenVPN,
 # if LZO2 and LZO1 are installed, OpenVPN will pick LZO2.
 # So depend on LZO1 only if it's already there and LZO2 isn't.
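Review bot: the `.ifdef (LOG_OPENVPN)` guard at the top of this hunk is also true when the variable is defined but empty (for example a bare `LOG_OPENVPN=` line in make.conf), which puts `-DLOG_OPENVPN=` with no value into CFLAGS and leaves the failure to surface later at compile time. Consider `.if defined(LOG_OPENVPN) && !empty(LOG_OPENVPN)` so an empty setting leaves the default facility in place. The guard line also carries trailing whitespace.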


now for openvpn-devel:

 diff -bBru /tmp/Makefile Makefile 
--- /tmp/Makefile       2009-01-22 10:36:23.000000000 -0500
+++ Makefile    2009-01-22 10:33:34.000000000 -0500
@@ -35,8 +35,20 @@
 
 .include <bsd.port.pre.mk>
 
+.ifdef (LOG_OPENVPN)
+CFLAGS+=	-DLOG_OPENVPN=${LOG_OPENVPN}
+.endif
+
 SUB_LIST+=	RCSFX=${RC_SUBR_SUFFIX}
 
+pre-fetch:
+	@${ECHO} ""
+	@${ECHO} "You may use the following build options:"
+	@${ECHO} ""
+	@${ECHO} "      LOG_OPENVPN={Valid syslog facility}"
+	@${ECHO} "      EXAMPLE:  make LOG_OPENVPN=LOG_DAEMON"
+	@${ECHO} ""
+
 # NOTE: there is no way to explicitly specify the LZO version to 
OpenVPN,
 # if LZO2 and LZO1 are installed, OpenVPN will pick LZO2.
 # So depend on LZO1 only if it's already there and LZO2 isn't.
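Review bot: the `pre-fetch` message advertises `LOG_OPENVPN={Valid syslog facility}` but does not say the value must be the C constant name, and the value is pasted unchecked into `-DLOG_OPENVPN=${LOG_OPENVPN}`, so something like `local6` would only fail once the compiler sees it. Suggest listing the accepted names in the message (for example `LOG_DAEMON`, `LOG_LOCAL0` through `LOG_LOCAL7`) or rejecting anything else before the build starts. Separately, the trailing context comment `# NOTE: there is no way ...` is wrapped onto a second line (`OpenVPN,`) in this mail, so the hunk may not apply as posted; attaching the patch unwrapped avoids that.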


>Release-Note:
>Audit-Trail:
>Unformatted:


