D28346.diff
No OneTemporary
Actions

Size

44 KB

Referenced Files

None

Subscribers

None

D28346.diff
View Options

	Index: head/net/ocserv/Makefile
	===================================================================
	--- head/net/ocserv/Makefile
	+++ head/net/ocserv/Makefile
	@@ -2,12 +2,11 @@
	# $FreeBSD$

	PORTNAME= ocserv
	-PORTVERSION= 1.1.1
	-PORTREVISION= 1
	+DISTVERSION= 1.1.2
	CATEGORIES= net net-vpn security
	MASTER_SITES= ftp://ftp.infradead.org/pub/ocserv/

	-MAINTAINER= ports@FreeBSD.org
	+MAINTAINER= otis@FreeBSD.org
	COMMENT= Server implementing the AnyConnect SSL VPN protocol

	LICENSE= GPLv2+
	@@ -15,49 +14,47 @@

	BUILD_DEPENDS= bash:shells/bash \
	gsed:textproc/gsed
	-LIB_DEPENDS= liblz4.so:archivers/liblz4 \
	- libiconv.so:converters/libiconv \
	- libev.so:devel/libev \
	- libtalloc.so:devel/talloc \
	- libprotobuf-c.so:devel/protobuf-c \
	+LIB_DEPENDS= libev.so:devel/libev \
	libgnutls.so:security/gnutls \
	- libtasn1.so:security/libtasn1 \
	+ libiconv.so:converters/libiconv \
	+ liblz4.so:archivers/liblz4 \
	libnettle.so:security/nettle \
	liboath.so:security/oath-toolkit \
	- libpcl.so:devel/pcl
	+ libpcl.so:devel/pcl \
	+ libprotobuf-c.so:devel/protobuf-c \
	+ libtalloc.so:devel/talloc \
	+ libtasn1.so:security/libtasn1

	-USES= autoreconf cpe gperf libtool localbase ncurses \
	- pathfix pkgconfig readline tar:xz
	+USES= autoreconf cpe gperf libtool localbase ncurses pathfix \
	+ pkgconfig readline tar:xz

	CPE_VENDOR= infradead
	+USE_RC_SUBR= ocserv
	GNU_CONFIGURE= yes
	-CONFIGURE_ARGS= --without-geoip \
	- --without-http-parser \
	- --disable-namespaces
	+CONFIGURE_ARGS= --disable-namespaces \
	+ --without-geoip \
	+ --without-http-parser

	USERS= _ocserv
	GROUPS= _ocserv

	-USE_RC_SUBR= ocserv
	-
	-PLIST_SUB= USERS="${USERS}" GROUPS="${GROUPS}"
	-
	-OPTIONS_DEFINE= DOCS EXAMPLES GSSAPI MAXMIND RADIUS
	-
	+PLIST_SUB= GROUPS="${GROUPS}" \
	+ USERS="${USERS}"
	PORTDOCS= AUTHORS ChangeLog NEWS README TODO
	PORTEXAMPLES= profile.xml sample.config sample.passwd

	-GSSAPI_USES= gssapi:mit
	+OPTIONS_DEFINE= DOCS EXAMPLES GSSAPI MAXMIND RADIUS
	+
	+MAXMIND_DESC= Use Maxmind GeoIP library
	+
	GSSAPI_LIB_DEPENDS= libkrb5support.so:security/krb5
	+GSSAPI_USES= gssapi:mit
	GSSAPI_CONFIGURE_OFF= --without-gssapi
	-
	+MAXMIND_LIB_DEPENDS= libmaxminddb.so:net/libmaxminddb
	+MAXMIND_CONFIGURE_OFF= --without-maxmind
	RADIUS_LIB_DEPENDS= libradcli.so:net/radcli
	RADIUS_CONFIGURE_OFF= --without-radius

	-MAXMIND_DESC= Use Maxmind GeoIP library
	-MAXMIND_LIB_DEPENDS= libmaxminddb.so:net/libmaxminddb
	-MAXMIND_CONFIGURE_OFF= --without-maxmind
	-
	.include <bsd.port.pre.mk>

	post-patch:
	@@ -65,13 +62,19 @@
	${WRKSRC}/src/main-user.c
	${REINPLACE_CMD} 's\|/usr/bin/ocserv\\-fw\|${PREFIX}/bin/ocserv\\-fw\|g' \
	${WRKSRC}/doc/ocserv.8
	+ ${REINPLACE_CMD} -e 's\|%%PREFIX%%\|${PREFIX}\|g' \
	+ -e 's\|%%ETCDIR%%\|${ETCDIR}\|g' \
	+ -e 's\|%%USERS%%\|${USERS}\|g' \
	+ -e 's\|%%GROUPS%%\|${GROUPS}\|g' \
	+ ${WRKSRC}/doc/sample.config
	.if "${PREFIX}" != "" && "${PREFIX}" != "/" && "${PREFIX}" != "/usr"
	${REINPLACE_CMD} -E 's\|^(#define DEFAULT_CFG_FILE ")(/etc/ocserv/ocserv.conf")\|\1${PREFIX}\2\|' ${WRKSRC}/src/config.c
	+ ${REINPLACE_CMD} -E 's\|^(#define DEFAULT_OCPASSWD ")(/etc/ocserv/ocpasswd")\|\1${PREFIX}\2\|' ${WRKSRC}/src/ocpasswd/ocpasswd.c
	.endif

	post-install:
	${MKDIR} ${STAGEDIR}${PREFIX}/etc/ocserv ${STAGEDIR}/var/run/ocserv
	- ${INSTALL_DATA} ${FILESDIR}/ocserv.conf ${STAGEDIR}${PREFIX}/etc/ocserv/ocserv.conf.sample
	+ ${INSTALL_DATA} ${WRKSRC}/doc/sample.config ${STAGEDIR}${PREFIX}/etc/ocserv/ocserv.conf.sample
	${INSTALL_MAN} ${WRKSRC}/doc/*.8 ${STAGEDIR}${MANPREFIX}/man/man8

	post-install-DOCS-on:
	Index: head/net/ocserv/distinfo
	===================================================================
	--- head/net/ocserv/distinfo
	+++ head/net/ocserv/distinfo
	@@ -1,3 +1,3 @@
	-TIMESTAMP = 1602242932
	-SHA256 (ocserv-1.1.1.tar.xz) = 9c7aaf46e53e28cfa7be329b18f3951e7e851153ff6a27e946496fd4e8e5765a
	-SIZE (ocserv-1.1.1.tar.xz) = 818988
	+TIMESTAMP = 1611791595
	+SHA256 (ocserv-1.1.2.tar.xz) = 889ccdbe8e67d3bc2bc8713b7fbb5bd4e79228abc6054e88858cb4ad6d0245dd
	+SIZE (ocserv-1.1.2.tar.xz) = 824924
	Index: head/net/ocserv/files/ocserv.conf
	===================================================================
	--- head/net/ocserv/files/ocserv.conf
	+++ head/net/ocserv/files/ocserv.conf
	@@ -1,697 +0,0 @@
	-### The following directives do not change with server reload.
	-
	-# User authentication method. To require multiple methods to be
	-# used for the user to login, add multiple auth directives. The values
	-# in the 'auth' directive are AND composed (if multiple all must
	-# succeed).
	-# Available options: certificate, plain, pam, radius, gssapi.
	-# Note that authentication methods utilizing passwords cannot be
	-# combined (e.g., the plain, pam or radius methods).
	-
	-# certificate:
	-# This indicates that all connecting users must present a certificate.
	-# The username and user group will be then extracted from it (see
	-# cert-user-oid and cert-group-oid). The certificate to be accepted
	-# it must be signed by the CA certificate as specified in 'ca-cert' and
	-# it must not be listed in the CRL, as specified by the 'crl' option.
	-#
	-# pam[gid-min=1000]:
	-# This enabled PAM authentication of the user. The gid-min option is used
	-# by auto-select-group option, in order to select the minimum valid group ID.
	-#
	-# plain[passwd=/usr/local/etc/ocserv/ocpasswd,otp=/etc/ocserv/users.otp]
	-# The plain option requires specifying a password file which contains
	-# entries of the following format.
	-# "username:groupname1,groupname2:encoded-password"
	-# One entry must be listed per line, and 'ocpasswd' should be used
	-# to generate password entries. The 'otp' suboption allows one to specify
	-# an oath password file to be used for one time passwords; the format of
	-# the file is described in https://github.com/archiecobbs/mod-authn-otp/wiki/UsersFile
	-#
	-# radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name]:
	-# The radius option requires specifying freeradius-client configuration
	-# file. If the groupconfig option is set, then config-per-user/group will be overridden,
	-# and all configuration will be read from radius. That also includes the
	-# Acct-Interim-Interval, and Session-Timeout values.
	-#
	-# See doc/README-radius.md for the supported radius configuration atributes.
	-#
	-# gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900]
	-# The gssapi option allows one to use authentication methods supported by GSSAPI,
	-# such as Kerberos tickets with ocserv. It should be best used as an alternative
	-# to PAM (i.e., have pam in auth and gssapi in enable-auth), to allow users with
	-# tickets and without tickets to login. The default value for require-local-user-map
	-# is true. The 'tgt-freshness-time' if set, it would require the TGT tickets presented
	-# to have been issued within the provided number of seconds. That option is used to
	-# restrict logins even if the KDC provides long time TGT tickets.
	-
	-#auth = "pam"
	-#auth = "pam[gid-min=1000]"
	-#auth = "plain[passwd=./sample.passwd,otp=./sample.otp]"
	-auth = "plain[passwd=./sample.passwd]"
	-#auth = "certificate"
	-#auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]"
	-
	-# Specify alternative authentication methods that are sufficient
	-# for authentication. That is, if set, any of the methods enabled
	-# will be sufficient to login, irrespective of the main 'auth' entries.
	-# When multiple options are present, they are OR composed (any of them
	-# succeeding allows login).
	-#enable-auth = "certificate"
	-#enable-auth = "gssapi"
	-#enable-auth = "gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900]"
	-
	-# Accounting methods available:
	-# radius: can be combined with any authentication method, it provides
	-# radius accounting to available users (see also stats-report-time).
	-#
	-# pam: can be combined with any authentication method, it provides
	-# a validation of the connecting user's name using PAM. It is
	-# superfluous to use this method when authentication is already
	-# PAM.
	-#
	-# Only one accounting method can be specified.
	-#acct = "radius[config=/etc/radiusclient/radiusclient.conf]"
	-
	-# Use listen-host to limit to specific IPs or to the IPs of a provided
	-# hostname.
	-#listen-host = [IP\|HOSTNAME]
	-
	-# Use udp-listen-host to limit udp to specific IPs or to the IPs of a provided
	-# hostname. if not set, listen-host will be used
	-#udp-listen-host = [IP\|HOSTNAME]
	-
	-# When the server has a dynamic DNS address (that may change),
	-# should set that to true to ask the client to resolve again on
	-# reconnects.
	-#listen-host-is-dyndns = true
	-
	-# TCP and UDP port number
	-tcp-port = 443
	-udp-port = 443
	-
	-# Accept connections using a socket file. It accepts HTTP
	-# connections (i.e., without SSL/TLS unlike its TCP counterpart),
	-# and uses it as the primary channel. That option is experimental
	-# and it has many known issues.
	-# * It can only be combined with certificate authentication, when receiving
	-# channel information through proxy protocol (see listen-proxy-proto)
	-# * It cannot derive any keys needed for the DTLS session (hence no support for dtls-psk)
	-# * It cannot enforce the framing of the SSL/TLS packets, and that
	-# breaks assumptions held by several openconnect clients.
	-# This option is not recommended for use, and may be removed
	-# in the future.
	-#
	-#listen-clear-file = /var/run/ocserv-conn.socket
	-
	-# The user the worker processes will be run as. It should be
	-# unique (no other services run as this user).
	-run-as-user = _ocserv
	-run-as-group = _ocserv
	-
	-# socket file used for IPC with occtl. You only need to set that,
	-# if you use more than a single servers.
	-#occtl-socket-file = /var/run/occtl.socket
	-
	-# socket file used for server IPC (worker-main), will be appended with .PID
	-# It must be accessible within the chroot environment (if any), so it is best
	-# specified relatively to the chroot directory.
	-socket-file = /var/run/ocserv-socket
	-
	-# The default server directory. Does not require any devices present.
	-#chroot-dir = /var/lib/ocserv
	-
	-# The key and the certificates of the server
	-# The key may be a file, or any URL supported by GnuTLS (e.g.,
	-# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
	-# or pkcs11:object=my-vpn-key;object-type=private)
	-#
	-# The server-cert file may contain a single certificate, or
	-# a sorted certificate chain.
	-# There may be multiple server-cert and server-key directives,
	-# but each key should correspond to the preceding certificate.
	-# The certificate files will be reloaded when changed allowing for in-place
	-# certificate renewal (they are checked and reloaded periodically;
	-# a SIGHUP signal to main server will force reload).
	-
	-#server-cert = /etc/ocserv/server-cert.pem
	-#server-key = /etc/ocserv/server-key.pem
	-server-cert = ../tests/certs/server-cert.pem
	-server-key = ../tests/certs/server-key.pem
	-
	-# Diffie-Hellman parameters. Only needed if for old (pre 3.6.0
	-# versions of GnuTLS for supporting DHE ciphersuites.
	-# Can be generated using:
	-# certtool --generate-dh-params --outfile /etc/ocserv/dh.pem
	-#dh-params = /etc/ocserv/dh.pem
	-
	-# In case PKCS #11, TPM or encrypted keys are used the PINs should be available
	-# in files. The srk-pin-file is applicable to TPM keys only, and is the
	-# storage root key.
	-#pin-file = /etc/ocserv/pin.txt
	-#srk-pin-file = /etc/ocserv/srkpin.txt
	-
	-# The password or PIN needed to unlock the key in server-key file.
	-# Only needed if the file is encrypted or a PKCS #11 object. This
	-# is an alternative method to pin-file.
	-#key-pin = 1234
	-
	-# The SRK PIN for TPM.
	-# This is an alternative method to srk-pin-file.
	-#srk-pin = 1234
	-
	-# The Certificate Authority that will be used to verify
	-# client certificates (public keys) if certificate authentication
	-# is set.
	-#ca-cert = /etc/ocserv/ca.pem
	-ca-cert = ../tests/certs/ca.pem
	-
	-
	-### All configuration options below this line are reloaded on a SIGHUP.
	-### The options above, will remain unchanged. Note however, that the
	-### server-cert, server-key, dh-params and ca-cert options will be reloaded
	-### if the provided file changes, on server reload. That allows certificate
	-### rotation, but requires the server key to remain the same for seamless
	-### operation. If the server key changes on reload, there may be connection
	-### failures during the reloading time.
	-
	-# ocserv 1.0.1 on FreeBSD does not currently support process isolation,
	-# because ocserv only supports Linux's seccomp system, but not capsicum(4).
	-#isolate-workers = false
	-
	-# A banner to be displayed on clients
	-#banner = "Welcome"
	-
	-# Limit the number of clients. Unset or set to zero for unlimited.
	-#max-clients = 1024
	-max-clients = 16
	-
	-# Limit the number of identical clients (i.e., users connecting
	-# multiple times). Unset or set to zero for unlimited.
	-max-same-clients = 2
	-
	-# When the server receives connections from a proxy, like haproxy
	-# which supports the proxy protocol, set this to obtain the correct
	-# client addresses. The proxy protocol would then be expected in
	-# the TCP or UNIX socket (not the UDP one). Although both v1
	-# and v2 versions of proxy protocol are supported, the v2 version
	-# is recommended as it is more efficient in parsing.
	-#listen-proxy-proto = true
	-
	-# Limit the number of client connections to one every X milliseconds
	-# (X is the provided value). Set to zero for no limit.
	-#rate-limit-ms = 100
	-
	-# Stats report time. The number of seconds after which each
	-# worker process will report its usage statistics (number of
	-# bytes transferred etc). This is useful when accounting like
	-# radius is in use.
	-#stats-report-time = 360
	-
	-# Stats reset time. The period of time statistics kept by main/sec-mod
	-# processes will be reset. These are the statistics shown by cmd
	-# 'occtl show stats'. For daily: 86400, weekly: 604800
	-# This is unrelated to stats-report-time.
	-server-stats-reset-time = 604800
	-
	-# Keepalive in seconds
	-keepalive = 32400
	-
	-# Dead peer detection in seconds.
	-# Note that when the client is behind a NAT this value
	-# needs to be short enough to prevent the NAT disassociating
	-# his UDP session from the port number. Otherwise the client
	-# could have his UDP connection stalled, for several minutes.
	-dpd = 90
	-
	-# Dead peer detection for mobile clients. That needs to
	-# be higher to prevent such clients being awaken too
	-# often by the DPD messages, and save battery.
	-# The mobile clients are distinguished from the header
	-# 'X-AnyConnect-Identifier-Platform'.
	-mobile-dpd = 1800
	-
	-# If using DTLS, and no UDP traffic is received for this
	-# many seconds, attempt to send future traffic over the TCP
	-# connection instead, in an attempt to wake up the client
	-# in the case that there is a NAT and the UDP translation
	-# was deleted. If this is unset, do not attempt to use this
	-# recovery mechanism.
	-switch-to-tcp-timeout = 25
	-
	-# MTU discovery (DPD must be enabled)
	-try-mtu-discovery = false
	-
	-# If you have a certificate from a CA that provides an OCSP
	-# service you may provide a fresh OCSP status response within
	-# the TLS handshake. That will prevent the client from connecting
	-# independently on the OCSP server.
	-# You can update this response periodically using:
	-# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
	-# Make sure that you replace the following file in an atomic way.
	-#ocsp-response = /etc/ocserv/ocsp.der
	-
	-# The object identifier that will be used to read the user ID in the client
	-# certificate. The object identifier should be part of the certificate's DN
	-# Useful OIDs are:
	-# CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1, SAN(rfc822name)
	-cert-user-oid = 0.9.2342.19200300.100.1.1
	-
	-# The object identifier that will be used to read the user group in the
	-# client certificate. The object identifier should be part of the certificate's
	-# DN. If the user may belong to multiple groups, then use multiple such fields
	-# in the certificate's DN. Useful OIDs are:
	-# OU (organizational unit) = 2.5.4.11
	-#cert-group-oid = 2.5.4.11
	-
	-# The revocation list of the certificates issued by the 'ca-cert' above.
	-# See the manual to generate an empty CRL initially. The CRL will be reloaded
	-# periodically when ocserv detects a change in the file. To force a reload use
	-# SIGHUP.
	-#crl = /etc/ocserv/crl.pem
	-
	-# Uncomment this to enable compression negotiation (LZS, LZ4).
	-#compression = true
	-
	-# Set the minimum size under which a packet will not be compressed.
	-# That is to allow low-latency for VoIP packets. The default size
	-# is 256 bytes. Modify it if the clients typically use compression
	-# as well of VoIP with codecs that exceed the default value.
	-#no-compress-limit = 256
	-
	-# GnuTLS priority string; note that SSL 3.0 is disabled by default
	-# as there are no openconnect (and possibly anyconnect clients) using
	-# that protocol. The string below does not enforce perfect forward
	-# secrecy, in order to be compatible with legacy clients.
	-#
	-# Note that the most performant ciphersuites are the moment are the ones
	-# involving AES-GCM. These are very fast in x86 and x86-64 hardware, and
	-# in addition require no padding, thus taking full advantage of the MTU.
	-# For that to be taken advantage of, the openconnect client must be
	-# used, and the server must be compiled against GnuTLS 3.2.7 or later.
	-# Use "gnutls-cli --benchmark-tls-ciphers", to see the performance
	-# difference with AES_128_CBC_SHA1 (the default for anyconnect clients)
	-# in your system.
	-
	-tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
	-
	-# More combinations in priority strings are available, check
	-# http://gnutls.org/manual/html_node/Priority-Strings.html
	-# E.g., the string below enforces perfect forward secrecy (PFS)
	-# on the main channel.
	-#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"
	-
	-# That option requires the established DTLS channel to use the same
	-# cipher as the primary TLS channel. This cannot be combined with
	-# listen-clear-file since the ciphersuite information is not available
	-# in that configuration. Note also, that this option implies that
	-# dtls-legacy option is false; this option cannot be enforced
	-# in the legacy/compat protocol.
	-#match-tls-dtls-ciphers = true
	-
	-# The time (in seconds) that a client is allowed to stay connected prior
	-# to authentication
	-auth-timeout = 240
	-
	-# The time (in seconds) that a client is allowed to stay idle (no traffic)
	-# before being disconnected. Unset to disable.
	-#idle-timeout = 1200
	-
	-# The time (in seconds) that a client is allowed to stay connected
	-# Unset to disable. When set a client will be disconnected after being
	-# continuously connected for this amount of time, and its cookies will
	-# be invalidated (i.e., re-authentication will be required).
	-#session-timeout = 86400
	-
	-# The time (in seconds) that a mobile client is allowed to stay idle (no
	-# traffic) before being disconnected. Unset to disable.
	-#mobile-idle-timeout = 2400
	-
	-# The time (in seconds) that a client is not allowed to reconnect after
	-# a failed authentication attempt.
	-min-reauth-time = 300
	-
	-# Banning clients in ocserv works with a point system. IP addresses
	-# that get a score over that configured number are banned for
	-# min-reauth-time seconds. By default a wrong password attempt is 10 points,
	-# a KKDCP POST is 1 point, and a connection is 1 point. Note that
	-# due to difference processes being involved the count of points
	-# will not be real-time precise.
	-#
	-# Score banning cannot be reliably used when receiving proxied connections
	-# locally from an HTTP server (i.e., when listen-clear-file is used).
	-#
	-# Set to zero to disable.
	-max-ban-score = 80
	-
	-# The time (in seconds) that all score kept for a client is reset.
	-ban-reset-time = 1200
	-
	-# In case you'd like to change the default points.
	-#ban-points-wrong-password = 10
	-#ban-points-connection = 1
	-#ban-points-kkdcp = 1
	-
	-# Cookie timeout (in seconds)
	-# Once a client is authenticated he's provided a cookie with
	-# which he can reconnect. That cookie will be invalidated if not
	-# used within this timeout value. This cookie remains valid, during
	-# the user's connected time, and after user disconnection it
	-# remains active for this amount of time. That setting should allow a
	-# reasonable amount of time for roaming between different networks.
	-cookie-timeout = 300
	-
	-# If this is enabled (not recommended) the cookies will stay
	-# valid even after a user manually disconnects, and until they
	-# expire. This may improve roaming with some broken clients.
	-#persistent-cookies = true
	-
	-# Whether roaming is allowed, i.e., if true a cookie is
	-# restricted to a single IP address and cannot be re-used
	-# from a different IP.
	-deny-roaming = false
	-
	-# ReKey time (in seconds)
	-# ocserv will ask the client to refresh keys periodically once
	-# this amount of seconds is elapsed. Set to zero to disable (note
	-# that, some clients fail if rekey is disabled).
	-rekey-time = 172800
	-
	-# ReKey method
	-# Valid options: ssl, new-tunnel
	-# ssl: Will perform an efficient rehandshake on the channel allowing
	-# a seamless connection during rekey.
	-# new-tunnel: Will instruct the client to discard and re-establish the channel.
	-# Use this option only if the connecting clients have issues with the ssl
	-# option.
	-rekey-method = ssl
	-
	-# Script to call when a client connects and obtains an IP.
	-# The following parameters are passed on the environment.
	-# REASON, VHOST, USERNAME, GROUPNAME, DEVICE, IP_REAL (the real IP of the client),
	-# IP_REAL_LOCAL (the local interface IP the client connected), IP_LOCAL
	-# (the local IP in the P-t-P connection), IP_REMOTE (the VPN IP of the client),
	-# IPV6_LOCAL (the IPv6 local address if there are both IPv4 and IPv6
	-# assigned), IPV6_REMOTE (the IPv6 remote address), IPV6_PREFIX, and
	-# ID (a unique numeric ID); REASON may be "connect" or "disconnect".
	-# In addition the following variables OCSERV_ROUTES (the applied routes for this
	-# client), OCSERV_NO_ROUTES, OCSERV_DNS (the DNS servers for this client),
	-# will contain a space separated list of routes or DNS servers. A version
	-# of these variables with the 4 or 6 suffix will contain only the IPv4 or
	-# IPv6 values. The connect script must return zero as exit code, or the
	-# client connection will be refused.
	-
	-# The disconnect script will receive the additional values: STATS_BYTES_IN,
	-# STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes
	-# output from the tun device, and the duration of the session in seconds.
	-
	-#connect-script = /usr/bin/myscript
	-#disconnect-script = /usr/bin/myscript
	-
	-# UTMP
	-# Register the connected clients to utmp. This will allow viewing
	-# the connected clients using the command 'who'.
	-#use-utmp = true
	-
	-# Whether to enable support for the occtl tool (i.e., either through D-BUS,
	-# or via a unix socket).
	-use-occtl = true
	-
	-# PID file. It can be overridden in the command line.
	-pid-file = /var/run/ocserv.pid
	-
	-# Set the protocol-defined priority (SO_PRIORITY) for packets to
	-# be sent. That is a number from 0 to 6 with 0 being the lowest
	-# priority. Alternatively this can be used to set the IP Type-
	-# Of-Service, by setting it to a hexadecimal number (e.g., 0x20).
	-# This can be set per user/group or globally.
	-#net-priority = 3
	-
	-# Set the VPN worker process into a specific cgroup. This is Linux
	-# specific and can be set per user/group or globally.
	-#cgroup = "cpuset,cpu:test"
	-
	-#
	-# Network settings
	-#
	-
	-# The name to use for the tun device
	-device = vpns
	-
	-# Whether the generated IPs will be predictable, i.e., IP stays the
	-# same for the same user when possible.
	-predictable-ips = true
	-
	-# The default domain to be advertised
	-default-domain = example.com
	-
	-# The pool of addresses that leases will be given from. If the leases
	-# are given via Radius, or via the explicit-ip? per-user config option then
	-# these network values should contain a network with at least a single
	-# address that will remain under the full control of ocserv (that is
	-# to be able to assign the local part of the tun device address).
	-# Note that, you could use addresses from a subnet of your LAN network if you
	-# enable [proxy arp in the LAN interface](http://ocserv.gitlab.io/www/recipes-ocserv-pseudo-bridge.html);
	-# in that case it is recommended to set ping-leases to true.
	-ipv4-network = 192.168.1.0
	-ipv4-netmask = 255.255.255.0
	-
	-# An alternative way of specifying the network:
	-#ipv4-network = 192.168.1.0/24
	-
	-# The IPv6 subnet that leases will be given from.
	-#ipv6-network = fda9:4efe:7e3b:03ea::/48
	-
	-# Specify the size of the network to provide to clients. It is
	-# generally recommended to provide clients with a /64 network in
	-# IPv6, but any subnet may be specified. To provide clients only
	-# with a single IP use the prefix 128.
	-#ipv6-subnet-prefix = 128
	-#ipv6-subnet-prefix = 64
	-
	-# Whether to tunnel all DNS queries via the VPN. This is the default
	-# when a default route is set.
	-#tunnel-all-dns = true
	-
	-# The advertized DNS server. Use multiple lines for
	-# multiple servers.
	-# dns = fc00::4be0
	-dns = 192.168.1.2
	-
	-# The NBNS server (if any)
	-#nbns = 192.168.1.3
	-
	-# The domains over which the provided DNS should be used. Use
	-# multiple lines for multiple domains.
	-#split-dns = example.com
	-
	-# Prior to leasing any IP from the pool ping it to verify that
	-# it is not in use by another (unrelated to this server) host.
	-# Only set to true, if there can be occupied addresses in the
	-# IP range for leases.
	-ping-leases = false
	-
	-# Use this option to set a link MTU value to the incoming
	-# connections. Unset to use the default MTU of the TUN device.
	-# Note that the MTU is negotiated using the value set and the
	-# value sent by the peer.
	-#mtu = 1420
	-
	-# Unset to enable bandwidth restrictions (in bytes/sec). The
	-# setting here is global, but can also be set per user or per group.
	-#rx-data-per-sec = 40000
	-#tx-data-per-sec = 40000
	-
	-# The number of packets (of MTU size) that are available in
	-# the output buffer. The default is low to improve latency.
	-# Setting it higher will improve throughput.
	-#output-buffer = 10
	-
	-# Routes to be forwarded to the client. If you need the
	-# client to forward routes to the server, you may use the
	-# config-per-user/group or even connect and disconnect scripts.
	-#
	-# To set the server as the default gateway for the client just
	-# comment out all routes from the server, or use the special keyword
	-# 'default'.
	-
	-route = 10.10.10.0/255.255.255.0
	-route = 192.168.0.0/255.255.0.0
	-#route = fef4:db8:1000:1001::/64
	-#route = default
	-
	-# Subsets of the routes above that will not be routed by
	-# the server.
	-
	-no-route = 192.168.5.0/255.255.255.0
	-
	-# Note the that following two firewalling options currently are available
	-# in Linux systems with iptables software.
	-
	-# If set, the script /usr/local/bin/ocserv-fw will be called to restrict
	-# the user to its allowed routes and prevent him from accessing
	-# any other routes. In case of defaultroute, the no-routes are restricted.
	-# All the routes applied by ocserv can be reverted using /usr/local/bin/ocserv-fw
	-# --removeall. This option can be set globally or in the per-user configuration.
	-#restrict-user-to-routes = true
	-
	-# This option implies restrict-user-to-routes set to true. If set, the
	-# script /usr/local/bin/ocserv-fw will be called to restrict the user to
	-# access specific ports in the network. This option can be set globally
	-# or in the per-user configuration.
	-#restrict-user-to-ports = "tcp(443), tcp(80), udp(443), sctp(99), tcp(583), icmp(), icmpv6()"
	-
	-# You could also use negation, i.e., block the user from accessing these ports only.
	-#restrict-user-to-ports = "!(tcp(443), tcp(80))"
	-
	-# When set to true, all client's iroutes are made visible to all
	-# connecting clients except for the ones offering them. This option
	-# only makes sense if config-per-user is set.
	-#expose-iroutes = true
	-
	-# Groups that a client is allowed to select from.
	-# A client may belong in multiple groups, and in certain use-cases
	-# it is needed to switch between them. For these cases the client can
	-# select prior to authentication. Add multiple entries for multiple groups.
	-# The group may be followed by a user-friendly name in brackets.
	-#select-group = group1
	-#select-group = group2[My special group]
	-
	-# The name of the (virtual) group that if selected it would assign the user
	-# to its default group.
	-#default-select-group = DEFAULT
	-
	-# Instead of specifying manually all the allowed groups, you may instruct
	-# ocserv to scan all available groups and include the full list.
	-#auto-select-group = true
	-
	-# Configuration files that will be applied per user connection or
	-# per group. Each file name on these directories must match the username
	-# or the groupname.
	-# The options allowed in the configuration files are dns, nbns,
	-# ipv?-network, ipv4-netmask, rx/tx-per-sec, iroute, route, no-route,
	-# explicit-ipv4, explicit-ipv6, net-priority, deny-roaming, no-udp,
	-# keepalive, dpd, mobile-dpd, max-same-clients, tunnel-all-dns,
	-# restrict-user-to-routes, user-profile, cgroup, stats-report-time,
	-# mtu, idle-timeout, mobile-idle-timeout, restrict-user-to-ports,
	-# split-dns and session-timeout.
	-#
	-# Note that the 'iroute' option allows one to add routes on the server
	-# based on a user or group. The syntax depends on the input accepted
	-# by the commands route-add-cmd and route-del-cmd (see below). The no-udp
	-# is a boolean option (e.g., no-udp = true), and will prevent a UDP session
	-# for that specific user or group. The hostname option will set a
	-# hostname to override any proposed by the user. Note also, that, any
	-# routes, no-routes, DNS or NBNS servers present will overwrite the global ones.
	-
	-#config-per-user = /usr/local/etc/ocserv/config-per-user/
	-#config-per-group = /usr/local/etc/ocserv/config-per-group/
	-
	-# When config-per-xxx is specified and there is no group or user that
	-# matches, then utilize the following configuration.
	-#default-user-config = /usr/local/etc/ocserv/defaults/user.conf
	-#default-group-config = /usr/local/etc/ocserv/defaults/group.conf
	-
	-# The system command to use to setup a route. %{R} will be replaced with the
	-# route/mask, %{RI} with the route in CIDR format, and %{D} with the (tun) device.
	-#
	-# The following example is from linux systems. %{R} should be something
	-# like 192.168.2.0/255.255.255.0 and %{RI} 192.168.2.0/24 (the argument of iroute).
	-
	-#route-add-cmd = "ip route add %{R} dev %{D}"
	-#route-del-cmd = "ip route delete %{R} dev %{D}"
	-
	-# This option allows one to forward a proxy. The special keywords '%{U}'
	-# and '%{G}', if present will be replaced by the username and group name.
	-#proxy-url = http://example.com/
	-#proxy-url = http://example.com/%{U}/
	-
	-# This option allows you to specify a URL location where a client can
	-# post using MS-KKDCP, and the message will be forwarded to the provided
	-# KDC server. That is a translation URL between HTTP and Kerberos.
	-# In MIT kerberos you'll need to add in realms:
	-# EXAMPLE.COM = {
	-# kdc = https://ocserv.example.com/KdcProxy
	-# http_anchors = FILE:/etc/ocserv-ca.pem
	-# }
	-# In some distributions the krb5-k5tls plugin of kinit is required.
	-#
	-# The following option is available in ocserv, when compiled with GSSAPI support.
	-
	-#kkdcp = "SERVER-PATH KERBEROS-REALM PROTOCOL@SERVER:PORT"
	-#kkdcp = "/KdcProxy KERBEROS.REALM udp@127.0.0.1:88"
	-#kkdcp = "/KdcProxy KERBEROS.REALM tcp@127.0.0.1:88"
	-#kkdcp = "/KdcProxy KERBEROS.REALM tcp@[::1]:88"
	-
	-# Client profile xml. This can be used to advertise alternative servers
	-# to the client. A minimal file can be:
	-# <?xml version="1.0" encoding="UTF-8"?>
	-# <AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
	-# <ServerList>
	-# <HostEntry>
	-# <HostName>VPN Server name</HostName>
	-# <HostAddress>localhost</HostAddress>
	-# </HostEntry>
	-# </ServerList>
	-# </AnyConnectProfile>
	-#
	-# Other fields may be used by some of the CISCO clients.
	-# This file must be accessible from inside the worker's chroot.
	-# Note that enabling this option is not recommended as it will allow
	-# the worker processes to open arbitrary files (when isolate-workers is
	-# set to true).
	-#user-profile = profile.xml
	-
	-#
	-# The following options are for (experimental) AnyConnect client
	-# compatibility.
	-
	-# This option will enable the pre-draft-DTLS version of DTLS, and
	-# will not require clients to present their certificate on every TLS
	-# connection. It must be set to true to support legacy CISCO clients
	-# and openconnect clients < 7.08. When set to true, it implies dtls-legacy = true.
	-cisco-client-compat = true
	-
	-# This option allows one to disable the DTLS-PSK negotiation (enabled by default).
	-# The DTLS-PSK negotiation was introduced in ocserv 0.11.5 to deprecate
	-# the pre-draft-DTLS negotiation inherited from AnyConnect. It allows the
	-# DTLS channel to negotiate its ciphers and the DTLS protocol version.
	-#dtls-psk = false
	-
	-# This option allows one to disable the legacy DTLS negotiation (enabled by default,
	-# but that may change in the future).
	-# The legacy DTLS uses a pre-draft version of the DTLS protocol and was
	-# from AnyConnect protocol. It has several limitations, that are addressed
	-# by the dtls-psk protocol supported by openconnect 7.08+.
	-dtls-legacy = true
	-
	-#Advanced options
	-
	-# Option to allow sending arbitrary custom headers to the client after
	-# authentication and prior to VPN tunnel establishment. You shouldn't
	-# need to use this option normally; if you do and you think that
	-# this may help others, please send your settings and reason to
	-# the openconnect mailing list. The special keywords '%{U}'
	-# and '%{G}', if present will be replaced by the username and group name.
	-#custom-header = "X-My-Header: hi there"
	-
	-
	-
	-# An example virtual host with different authentication methods serviced
	-# by this server.
	-
	-[vhost:www.example.com]
	-auth = "certificate"
	-
	-ca-cert = ../tests/certs/ca.pem
	-
	-# The certificate set here must include a 'dns_name' corresponding to
	-# the virtual host name.
	-
	-server-cert = ../tests/certs/server-cert-secp521r1.pem
	-server-key = ../tests/certs/server-key-secp521r1.pem
	-
	-ipv4-network = 192.168.2.0
	-ipv4-netmask = 255.255.255.0
	-
	-cert-user-oid = 0.9.2342.19200300.100.1.1
	Index: head/net/ocserv/files/patch-doc_sample.config
	===================================================================
	--- head/net/ocserv/files/patch-doc_sample.config
	+++ head/net/ocserv/files/patch-doc_sample.config
	@@ -1,26 +1,97 @@
	---- doc/sample.config.orig 2020-09-20 19:49:01 UTC
	+--- doc/sample.config.orig 2020-12-03 22:31:10 UTC
	+++ doc/sample.config
	@@ -19,7 +19,7 @@
	# This enabled PAM authentication of the user. The gid-min option is used
	# by auto-select-group option, in order to select the minimum valid group ID.
	#
	-# plain[passwd=/etc/ocserv/ocpasswd,otp=/etc/ocserv/users.otp]
	-+# plain[passwd=/usr/local/etc/ocserv/ocpasswd,otp=/etc/ocserv/users.otp]
	++# plain[passwd=%%ETCDIR%%/ocpasswd,otp=%%ETCDIR%%/users.otp]
	# The plain option requires specifying a password file which contains
	# entries of the following format.
	# "username:groupname1,groupname2:encoded-password"
	-@@ -110,8 +110,8 @@ udp-port = 443
	+@@ -28,7 +28,7 @@
	+ # an oath password file to be used for one time passwords; the format of
	+ # the file is described in https://github.com/archiecobbs/mod-authn-otp/wiki/UsersFile
	+ #
	+-# radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name]:
	++# radius[config=%%PREFIX%%/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name]:
	+ # The radius option requires specifying freeradius-client configuration
	+ # file. If the groupconfig option is set, then config-per-user/group will be overridden,
	+ # and all configuration will be read from radius. That also includes the
	+@@ -47,10 +47,10 @@
	+
	+ #auth = "pam"
	+ #auth = "pam[gid-min=1000]"
	+-#auth = "plain[passwd=./sample.passwd,otp=./sample.otp]"
	+-auth = "plain[passwd=./sample.passwd]"
	++#auth = "plain[passwd=%%ETCDIR%%/sample.passwd,otp=%%ETCDIR%%/sample.otp]"
	++auth = "plain[passwd=%%ETCDIR%%/sample.passwd]"
	+ #auth = "certificate"
	+-#auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]"
	++#auth = "radius[config=%%PREFIX%%/etc/radiusclient/radiusclient.conf,groupconfig=true]"
	+
	+ # Specify alternative authentication methods that are sufficient
	+ # for authentication. That is, if set, any of the methods enabled
	+@@ -71,7 +71,7 @@ auth = "plain[passwd=./sample.passwd]"
	+ # PAM.
	+ #
	+ # Only one accounting method can be specified.
	+-#acct = "radius[config=/etc/radiusclient/radiusclient.conf]"
	++#acct = "radius[config=%%PREFIX%%/etc/radiusclient/radiusclient.conf]"
	+
	+ # Use listen-host to limit to specific IPs or to the IPs of a provided
	+ # hostname.
	+@@ -96,8 +96,8 @@ udp-port = 443
	# The user the worker processes will be run as. This should be a dedicated
	# unprivileged user (e.g., 'ocserv') and no other services should run as this
	# user.
	-run-as-user = nobody
	-run-as-group = daemon
	-+run-as-user = _ocserv
	-+run-as-group = _ocserv
	++run-as-user = %%USERS%%
	++run-as-group = %%GROUPS%%

	# socket file used for IPC with occtl. You only need to set that,
	# if you use more than a single servers.
	-@@ -180,15 +180,9 @@ ca-cert = ../tests/certs/ca.pem
	+@@ -124,22 +124,20 @@ socket-file = /var/run/ocserv-socket
	+ # certificate renewal (they are checked and reloaded periodically;
	+ # a SIGHUP signal to main server will force reload).
	+
	+-#server-cert = /etc/ocserv/server-cert.pem
	+-#server-key = /etc/ocserv/server-key.pem
	+-server-cert = ../tests/certs/server-cert.pem
	+-server-key = ../tests/certs/server-key.pem
	++server-cert = %%ETCDIR%%/server-cert.pem
	++server-key = %%ETCDIR%%/server-key.pem
	+
	+ # Diffie-Hellman parameters. Only needed if for old (pre 3.6.0
	+ # versions of GnuTLS for supporting DHE ciphersuites.
	+ # Can be generated using:
	+-# certtool --generate-dh-params --outfile /etc/ocserv/dh.pem
	+-#dh-params = /etc/ocserv/dh.pem
	++# certtool --generate-dh-params --outfile %%ETCDIR%%/dh.pem
	++#dh-params = %%ETCDIR%%/dh.pem
	+
	+ # In case PKCS #11, TPM or encrypted keys are used the PINs should be available
	+ # in files. The srk-pin-file is applicable to TPM keys only, and is the
	+ # storage root key.
	+-#pin-file = /etc/ocserv/pin.txt
	+-#srk-pin-file = /etc/ocserv/srkpin.txt
	++#pin-file = %%ETCDIR%%/pin.txt
	++#srk-pin-file = %%ETCDIR%%/srkpin.txt
	+
	+ # The password or PIN needed to unlock the key in server-key file.
	+ # Only needed if the file is encrypted or a PKCS #11 object. This
	+@@ -153,8 +151,7 @@ server-key = ../tests/certs/server-key.pem
	+ # The Certificate Authority that will be used to verify
	+ # client certificates (public keys) if certificate authentication
	+ # is set.
	+-#ca-cert = /etc/ocserv/ca.pem
	+-ca-cert = ../tests/certs/ca.pem
	++ca-cert = %%ETCDIR%%/ca.pem
	+
	+
	+ ### All configuration options below this line are reloaded on a SIGHUP.
	+@@ -166,15 +163,9 @@ ca-cert = ../tests/certs/ca.pem
	### failures during the reloading time.


	@@ -39,40 +110,84 @@

	# A banner to be displayed on clients after connection
	#banner = "Welcome"
	-@@ -553,15 +547,15 @@ no-route = 192.168.5.0/255.255.255.0
	+@@ -255,7 +246,7 @@ try-mtu-discovery = false
	+ # You can update this response periodically using:
	+ # ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
	+ # Make sure that you replace the following file in an atomic way.
	+-#ocsp-response = /etc/ocserv/ocsp.der
	++#ocsp-response = %%ETCDIR%%/ocsp.der
	+
	+ # The object identifier that will be used to read the user ID in the client
	+ # certificate. The object identifier should be part of the certificate's DN
	+@@ -274,7 +265,7 @@ cert-user-oid = 0.9.2342.19200300.100.1.1
	+ # See the manual to generate an empty CRL initially. The CRL will be reloaded
	+ # periodically when ocserv detects a change in the file. To force a reload use
	+ # SIGHUP.
	+-#crl = /etc/ocserv/crl.pem
	++#crl = %%ETCDIR%%/crl.pem
	+
	+ # Uncomment this to enable compression negotiation (LZS, LZ4).
	+ #compression = true
	+@@ -543,15 +534,15 @@ no-route = 192.168.5.0/255.255.255.0
	# Note the that following two firewalling options currently are available
	# in Linux systems with iptables software.

	-# If set, the script /usr/bin/ocserv-fw will be called to restrict
	-+# If set, the script /usr/local/bin/ocserv-fw will be called to restrict
	++# If set, the script %%PREFIX%%/bin/ocserv-fw will be called to restrict
	# the user to its allowed routes and prevent him from accessing
	# any other routes. In case of defaultroute, the no-routes are restricted.
	-# All the routes applied by ocserv can be reverted using /usr/bin/ocserv-fw
	-+# All the routes applied by ocserv can be reverted using /usr/local/bin/ocserv-fw
	++# All the routes applied by ocserv can be reverted using %%PREFIX%%/bin/ocserv-fw
	# --removeall. This option can be set globally or in the per-user configuration.
	#restrict-user-to-routes = true

	# This option implies restrict-user-to-routes set to true. If set, the
	-# script /usr/bin/ocserv-fw will be called to restrict the user to
	-+# script /usr/local/bin/ocserv-fw will be called to restrict the user to
	++# script %%PREFIX%%/bin/ocserv-fw will be called to restrict the user to
	# access specific ports in the network. This option can be set globally
	# or in the per-user configuration.
	#restrict-user-to-ports = "tcp(443), tcp(80), udp(443), sctp(99), tcp(583), icmp(), icmpv6()"
	-@@ -609,13 +603,13 @@ no-route = 192.168.5.0/255.255.255.0
	+@@ -599,13 +590,13 @@ no-route = 192.168.5.0/255.255.255.0
	# hostname to override any proposed by the user. Note also, that, any
	# routes, no-routes, DNS or NBNS servers present will overwrite the global ones.

	-#config-per-user = /etc/ocserv/config-per-user/
	-#config-per-group = /etc/ocserv/config-per-group/
	-+#config-per-user = /usr/local/etc/ocserv/config-per-user/
	-+#config-per-group = /usr/local/etc/ocserv/config-per-group/
	++#config-per-user = %%ETCDIR%%/config-per-user/
	++#config-per-group = %%ETCDIR%%/config-per-group/

	# When config-per-xxx is specified and there is no group or user that
	# matches, then utilize the following configuration.
	-#default-user-config = /etc/ocserv/defaults/user.conf
	-#default-group-config = /etc/ocserv/defaults/group.conf
	-+#default-user-config = /usr/local/etc/ocserv/defaults/user.conf
	-+#default-group-config = /usr/local/etc/ocserv/defaults/group.conf
	++#default-user-config = %%ETCDIR%%/defaults/user.conf
	++#default-group-config = %%ETCDIR%%/defaults/group.conf

	# The system command to use to setup a route. %{R} will be replaced with the
	# route/mask, %{RI} with the route in CIDR format, and %{D} with the (tun) device.
	+@@ -627,7 +618,7 @@ no-route = 192.168.5.0/255.255.255.0
	+ # In MIT kerberos you'll need to add in realms:
	+ # EXAMPLE.COM = {
	+ # kdc = https://ocserv.example.com/KdcProxy
	+-# http_anchors = FILE:/etc/ocserv-ca.pem
	++# http_anchors = FILE:%%ETCDIR%%/ocserv-ca.pem
	+ # }
	+ # In some distributions the krb5-k5tls plugin of kinit is required.
	+ #
	+@@ -701,13 +692,13 @@ dtls-legacy = true
	+ [vhost:www.example.com]
	+ auth = "certificate"
	+
	+-ca-cert = ../tests/certs/ca.pem
	++ca-cert = %%ETCDIR%%/ca.pem
	+
	+ # The certificate set here must include a 'dns_name' corresponding to
	+ # the virtual host name.
	+
	+-server-cert = ../tests/certs/server-cert-secp521r1.pem
	+-server-key = ../tests/certs/server-key-secp521r1.pem
	++server-cert = %%ETCDIR%%/server-cert-secp521r1.pem
	++server-key = %%ETCDIR%%/server-key-secp521r1.pem
	+
	+ ipv4-network = 192.168.2.0
	+ ipv4-netmask = 255.255.255.0
	Index: head/net/ocserv/files/patch-src_main-ban.c
	===================================================================
	--- head/net/ocserv/files/patch-src_main-ban.c
	+++ head/net/ocserv/files/patch-src_main-ban.c
	@@ -0,0 +1,20 @@
	+--- src/main-ban.c.orig 2021-01-26 17:01:03 UTC
	++++ src/main-ban.c
	+@@ -403,8 +403,8 @@ static bool test_local_ipv6(struct sockaddr_in6 * remo
	+ unsigned index = 0;
	+
	+ for (index = 0; index < 4; index ++) {
	+- uint32_t l = local->sin6_addr.s6_addr32[index] & network->sin6_addr.s6_addr32[index];
	+- uint32_t r = remote->sin6_addr.s6_addr32[index] & network->sin6_addr.s6_addr32[index];
	++ uint32_t l = local->sin6_addr.__u6_addr.__u6_addr32[index] & network->sin6_addr.__u6_addr.__u6_addr32[index];
	++ uint32_t r = remote->sin6_addr.__u6_addr.__u6_addr32[index] & network->sin6_addr.__u6_addr.__u6_addr32[index];
	+ if (l != r)
	+ return false;
	+ }
	+@@ -443,4 +443,4 @@ void if_address_cleanup(main_server_st * s)
	+
	+ s->if_addresses = NULL;
	+ s->if_addresses_count = 0;
	+-}
	+\ No newline at end of file
	++}
	Index: head/net/ocserv/files/patch-src_occtl_occtl.c
	===================================================================
	--- head/net/ocserv/files/patch-src_occtl_occtl.c
	+++ head/net/ocserv/files/patch-src_occtl_occtl.c
	@@ -1,6 +1,6 @@
	---- src/occtl/occtl.c.orig 2018-01-14 16:25:24 UTC
	+--- src/occtl/occtl.c.orig 2020-08-06 18:51:31 UTC
	+++ src/occtl/occtl.c
	-@@ -249,7 +249,7 @@ static int handle_help_cmd(CONN_TYPE * conn, const cha
	+@@ -264,7 +264,7 @@ static int handle_help_cmd(CONN_TYPE * conn, const cha
	static int handle_reset_cmd(CONN_TYPE * conn, const char arg, cmd_params_st params)
	{
	rl_reset_terminal(NULL);

File Metadata

Mime Type: text/plain
Expires: Sat, Jun 27, 10:31 PM (18 h, 35 m)
Storage Engine: blob
Storage Format: Raw Data
Storage Handle: 34418008
Default Alt Text: D28346.diff (44 KB)

D28346.diffNo OneTemporaryActions

D28346.diffView Options

File Metadata

Event Timeline

D28346.diff
No OneTemporary
Actions

D28346.diff
View Options