-rw-r--r--.SRCINFO10
-rw-r--r--PKGBUILD29
-rw-r--r--tcpcrypt.install15
-rw-r--r--tcpcryptd.conf16
-rw-r--r--tcpcryptd.service13
-rw-r--r--tcpcryptd.sysusers2
-rw-r--r--tcpcryptd.tmpfiles6
7 files changed, 39 insertions, 52 deletions
diff --git a/.SRCINFO b/.SRCINFO
index 0c354c8bfcc..b4d0b68e571 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,6 +1,6 @@
pkgbase = tcpcrypt-git
pkgdesc = Transparent user space implementation for the tcpcrypt TCP extensions
- pkgver = 346.ec01927
+ pkgver = 369.25c9a85
pkgrel = 1
url = http://tcpcrypt.org
install = tcpcrypt.install
@@ -23,10 +23,10 @@ pkgbase = tcpcrypt-git
source = tcpcryptd.tmpfiles
source = tcpcryptd.sysusers
sha256sums = SKIP
- sha256sums = a41bfa7b0c8f527f96c993f68e0a02265ad672fe6c2e10f41bc00b8b1f819305
- sha256sums = 68a3227f971dce0056bbe8768b570fade4ee8b17aca2e354c35352f2bf0a7028
- sha256sums = 95393df0fca7e228e36b9594e29a3f32514c8f7229b329e0b9a37dab4985b28f
- sha256sums = e9c73c4eeff3f14f0fedd14a529f8c81f591ada543b91e82252e5b2b8f11d916
+ sha256sums = 4a12aafddb6600a49652acdec13e703a5f4305fd19fdb5c35581b188cd7cca58
+ sha256sums = ac10f4c3de034bfc0ca8fd7034da7633a95d8fce7a9d12304a998a9c3b6fa51b
+ sha256sums = 3ed90191d41add525242e7e84769c17b6d40b5fa461937739b4d5b7532afc83d
+ sha256sums = 3eeaaa4124904c673cfe7584e6c399ea2ab060f0e1d4d181323552ffee782c81
pkgname = tcpcrypt-git
diff --git a/PKGBUILD b/PKGBUILD
index f5ce0023bd6..74a34a5ccc9 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -3,7 +3,7 @@
# Maintainer: mutantmonkey <aur@mutantmonkey.in>
pkgname=tcpcrypt-git
-pkgver=346.ec01927
+pkgver=369.25c9a85
pkgrel=1
pkgdesc="Transparent user space implementation for the tcpcrypt TCP extensions"
arch=('i686' 'x86_64')
@@ -20,10 +20,10 @@ source=("git+https://github.com/scslab/tcpcrypt.git"
'tcpcryptd.conf' 'tcpcryptd.service'
'tcpcryptd.tmpfiles' 'tcpcryptd.sysusers')
sha256sums=('SKIP'
- 'a41bfa7b0c8f527f96c993f68e0a02265ad672fe6c2e10f41bc00b8b1f819305'
- '68a3227f971dce0056bbe8768b570fade4ee8b17aca2e354c35352f2bf0a7028'
- '95393df0fca7e228e36b9594e29a3f32514c8f7229b329e0b9a37dab4985b28f'
- 'e9c73c4eeff3f14f0fedd14a529f8c81f591ada543b91e82252e5b2b8f11d916')
+ '4a12aafddb6600a49652acdec13e703a5f4305fd19fdb5c35581b188cd7cca58'
+ 'ac10f4c3de034bfc0ca8fd7034da7633a95d8fce7a9d12304a998a9c3b6fa51b'
+ '3ed90191d41add525242e7e84769c17b6d40b5fa461937739b4d5b7532afc83d'
+ '3eeaaa4124904c673cfe7584e6c399ea2ab060f0e1d4d181323552ffee782c81')
pkgver() {
cd tcpcrypt
@@ -40,11 +40,6 @@ prepare() {
build() {
cd tcpcrypt
- export JAIL_DIR=/run/tcpcryptd
- export JAIL_USER=tcpcryptd
- export DIVERT_PORT=1666
- export CONTROL_SOCKET=\"/run/tcpcryptd.control\"
-
./configure --prefix=/usr
make
}
@@ -53,14 +48,14 @@ package() {
cd tcpcrypt
make DESTDIR="$pkgdir" install
- install -dm755 "$pkgdir/usr/lib/tmpfiles.d"
- echo 'd /run/tcpcryptd 0700 tcpcryptd tcpcryptd' >"$pkgdir/usr/lib/tmpfiles.d/tcpcryptd.conf"
+ install -dm644 "$pkgdir"/usr/share/tcpcryptd
- install -Dm644 "$srcdir"/tcpcrypt/LICENSE "$pkgdir"/usr/share/licenses/"$pkgname"/LICENSE
- install -Dm644 "$srcdir"/tcpcryptd.conf "$pkgdir"/etc/conf.d/tcpcryptd.conf
- install -Dm644 "$srcdir"/tcpcryptd.service "$pkgdir"/usr/lib/systemd/system/tcpcryptd.service
- install -Dm644 "$srcdir"/tcpcryptd.tmpfiles "$pkgdir"/usr/lib/tmpfiles.d/tcpcryptd.conf
- install -Dm644 "$srcdir"/tcpcryptd.sysusers "$pkgdir"/usr/lib/sysusers.d/tcpcryptd.conf
+ install -Dm755 src/iptables.sh "$pkgdir"/usr/share/tcpcryptd/iptables.sh
+ install -Dm644 ../tcpcrypt/LICENSE "$pkgdir"/usr/share/licenses/"$pkgname"/LICENSE
+ install -Dm644 ../tcpcryptd.conf "$pkgdir"/etc/conf.d/tcpcryptd.conf
+ install -Dm644 ../tcpcryptd.service "$pkgdir"/usr/lib/systemd/system/tcpcryptd.service
+ install -Dm644 ../tcpcryptd.tmpfiles "$pkgdir"/usr/lib/tmpfiles.d/tcpcryptd.conf
+ install -Dm644 ../tcpcryptd.sysusers "$pkgdir"/usr/lib/sysusers.d/tcpcryptd.conf
}
# vim:set ts=2 sw=2 et:
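Review bot: `install -dm644 "$pkgdir"/usr/share/tcpcryptd` creates the directory without the search (x) bit, so the `install -Dm755 src/iptables.sh ...` that follows cannot create a file inside it when makepkg runs as an unprivileged build user (fakeroot does not change the real uid the kernel checks), and even if the build got past that, the packaged directory would be untraversable for non-root users. The line should read `install -dm755 "$pkgdir"/usr/share/tcpcryptd`, or be dropped entirely, since `install -D` already creates missing parent directories. As a style point, a script that the unit runs as root at ExecStartPre belongs under /usr/lib/tcpcryptd rather than /usr/share, which is meant for read-only data; that would need the matching path change in tcpcryptd.service.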
diff --git a/tcpcrypt.install b/tcpcrypt.install
index aa606613ec5..e60b641c8fc 100644
--- a/tcpcrypt.install
+++ b/tcpcrypt.install
@@ -1,23 +1,12 @@
post_install() {
- echo "To start tcpcrypt, run 'systemctl start tcpcryptd.service'. Secure"
+ echo "To start tcpcrypt, run 'systemctl start tcpcryptd'. Secure"
echo "connections should Just Work between tcpcrypt-enabled machines."
- echo "To start it at boot, run 'systemctl enable tcpcryptd.service'"
echo
echo "This implementation of tcpcrypt is relatively safe. In the worst case"
echo "the daemon crashes and you lose all connectivity. When that happens,"
- echo "just run 'systemctl stop tcpcryptd.service' to tear down iptables"
+ echo "just run 'systemctl stop tcpcryptd' to tear down iptables"
echo "rules and everything will continue."
echo
echo "For debugging, run 'tcnetstat' to list all active encrypted connections"
echo "Run 'iptables -vnL' to check if iptables rules were set up correctly"
- post_upgrade
-}
-
-post_upgrade() {
- systemd-sysusers tcpcryptd.conf
- systemd-tmpfiles --create tcpcryptd.conf
-}
-
-pre_remove() {
- echo
}
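Review bot: With `post_upgrade` removed, nothing in this script creates the `tcpcryptd` account or the `/run/tcpcryptd` jail directory that the unit's `-U` and `-J` options depend on; that now presumably relies on the distribution's systemd-sysusers and systemd-tmpfiles package hooks, which is fine on a current Arch system but worth stating in the message so a user on a system without those hooks knows why the first start fails. The dropped `systemctl enable` line also leaves the post_install text without any mention of enabling the service at boot; I would keep `echo "To start it at boot, run 'systemctl enable tcpcryptd'"`.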
diff --git a/tcpcryptd.conf b/tcpcryptd.conf
index a08648b044f..b76a3e39fba 100644
--- a/tcpcryptd.conf
+++ b/tcpcryptd.conf
@@ -3,9 +3,17 @@
# STOP the daemon before you modify these -- otherwise the old iptables
# rules won't be torn down!
-# What TCP ports to capture? This can be a number or a range with ':'
-# e.g. 0:65535 to captures all ports
-PORT=0:65535
+# which netfilter userspace queue to use
+DIVERT_PORT=666
-NFQUEUE_NUM=1666
+# which user account
+DAEMON_USER=tcpcryptd
+# where to chroot
+JAIL_DIR=/var/run/tcpcryptd
+
+# which ports should tcpcrypt try to engage on?
+# see the multiport extension in iptables-extensions(8) for how to specify
+# set exactly one of OMIT_PORTS or ONLY_PORTS:
+OMIT_PORTS=22,53,261,443,563,614,636,684,695,989,990,992:995,6697,9999
+#ONLY_PORTS=80,7777
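Review bot: `JAIL_DIR=/var/run/tcpcryptd` does not match the path the rest of this change provisions: tcpcryptd.tmpfiles creates `/run/tcpcryptd` and tcpcryptd.sysusers uses it as the account's home directory. On systems where /var/run is a symlink to /run the two resolve to the same directory, but the mismatch is easy to misread when auditing the chroot and would break `-J` where they differ; `JAIL_DIR=/run/tcpcryptd` keeps the three files consistent. The comment "set exactly one of OMIT_PORTS or ONLY_PORTS" describes a constraint that nothing visible in this diff enforces; if iptables.sh (not shown) does not reject the both-set and neither-set cases, a sentence here on what happens then would help.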
diff --git a/tcpcryptd.service b/tcpcryptd.service
index a9126f634a6..4bfeb575e09 100644
--- a/tcpcryptd.service
+++ b/tcpcryptd.service
@@ -1,16 +1,13 @@
[Unit]
-Description=User-space implementation of tcpcrypt
+Description=tcpcrypt daemon for automatic transparent encryption of TCP sessions
+Documentation=man:tcpcryptd(8)
After=network.target
[Service]
-Type=simple
EnvironmentFile=/etc/conf.d/tcpcryptd.conf
-ExecStartPre=/usr/sbin/iptables -I INPUT ! --in-interface lo -p tcp --sport $PORT -j NFQUEUE --queue-num $NFQUEUE_NUM
-ExecStartPre=/usr/sbin/iptables -I OUTPUT ! --out-interface lo -p tcp --dport $PORT -j NFQUEUE --queue-num $NFQUEUE_NUM
-ExecStart=/usr/bin/tcpcryptd $OPTS -p $NFQUEUE_NUM
-ExecStopPost=/usr/sbin/iptables -D INPUT ! --in-interface lo -p tcp --sport $PORT -j NFQUEUE --queue-num $NFQUEUE_NUM
-ExecStopPost=/usr/sbin/iptables -D OUTPUT ! --out-interface lo -p tcp --dport $PORT -j NFQUEUE --queue-num $NFQUEUE_NUM
-KillSignal=SIGINT
+ExecStartPre=/usr/share/tcpcryptd/iptables.sh start
+ExecStart=/usr/bin/tcpcryptd -p "$DIVERT_PORT" -U "$DAEMON_USER" -J "$JAIL_DIR" -f -e
+ExecStopPost=/usr/share/tcpcryptd/iptables.sh stop
[Install]
WantedBy=multi-user.target
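Review bot: The double quotes around `"$DIVERT_PORT"`, `"$DAEMON_USER"` and `"$JAIL_DIR"` on the ExecStart line are stripped by systemd's own word parsing before environment substitution, so they do not give the single-argument guarantee that shell quoting would; the `${VAR}` form is what systemd documents for that, i.e. `ExecStart=/usr/bin/tcpcryptd -p ${DIVERT_PORT} -U ${DAEMON_USER} -J ${JAIL_DIR} -f -e`. The previous unit stopped the daemon with `KillSignal=SIGINT`; this version falls back to SIGTERM, which only matters if tcpcryptd's clean-shutdown path is bound to SIGINT, so check its signal handling before dropping the line. The daemon is still started as root and relied on to drop to the configured user and chroot itself; which capabilities it needs before that point is not visible here, so a comment in the unit recording why no `CapabilityBoundingSet=` or similar restriction is applied would document the trust boundary for the next maintainer.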
diff --git a/tcpcryptd.sysusers b/tcpcryptd.sysusers
index 6465a41eb45..fd038fe6c7d 100644
--- a/tcpcryptd.sysusers
+++ b/tcpcryptd.sysusers
@@ -1 +1 @@
-u tcpcryptd - "Tcpcrypt Daemon" /run/tcpcryptd
+u tcpcryptd - "Tcpcrypt Daemon" /run/tcpcryptd
diff --git a/tcpcryptd.tmpfiles b/tcpcryptd.tmpfiles
index 8ad1fdd65f6..6b2aeed2e46 100644
--- a/tcpcryptd.tmpfiles
+++ b/tcpcryptd.tmpfiles
@@ -1,4 +1,2 @@
-# systemd tmpfile settings for tcpcryptd
-# See tmpfiles.d(5) for details
-
-d /run/tcpcryptd 0700 tcpcryptd tcpcryptd -
+# chrooted jail directory for tcpcryptd:
+d /run/tcpcryptd 0755 tcpcryptd root - -
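Review bot: The jail root is still created owned by the unprivileged `tcpcryptd` user (`d /run/tcpcryptd 0755 tcpcryptd root - -`), so the chrooted process can create entries in its own root directory; the usual hardening for a chroot is a root-owned directory the jailed user cannot write to, `d /run/tcpcryptd 0755 root root - -`. Whether tcpcryptd needs to create anything inside the jail (a control socket, for example) cannot be told from this diff, so confirm that against the daemon before changing the owner. The sysusers entry keeps `/run/tcpcryptd` as the account's home, which a root-owned directory would still be consistent with.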