diff --git a/SOURCES/iodine-0.7.0.split-man.patch b/SOURCES/iodine-0.7.0.split-man.patch
new file mode 100644
index 0000000..2003320
--- /dev/null
+++ b/SOURCES/iodine-0.7.0.split-man.patch
@@ -0,0 +1,1090 @@ +diff -NurEbBH iodine-0.7.0.orig/Makefile iodine-0.7.0/Makefile +--- iodine-0.7.0.orig/Makefile 2014-06-17 00:28:43.000000000 +0400 ++++ iodine-0.7.0/Makefile 2014-07-25 18:34:06.000000000 +0400 +@@ -26,13 +26,13 @@ + $(INSTALL) $(INSTALL_FLAGS) bin/iodined $(DESTDIR)$(sbindir)/iodined + chmod 755 $(DESTDIR)$(sbindir)/iodined + $(MKDIR) $(MKDIR_FLAGS) $(DESTDIR)$(mandir)/man8 +- $(INSTALL) $(INSTALL_FLAGS) man/iodine.8 $(DESTDIR)$(mandir)/man8/iodine.8 +- chmod 644 $(DESTDIR)$(mandir)/man8/iodine.8 ++ $(INSTALL) $(INSTALL_FLAGS) man/iodine{,d}.8 $(DESTDIR)$(mandir)/man8/ ++ chmod 644 $(DESTDIR)$(mandir)/man8/iodine{,d}.8 + + uninstall: + $(RM) $(RM_FLAGS) $(DESTDIR)$(sbindir)/iodine + $(RM) $(RM_FLAGS) $(DESTDIR)$(sbindir)/iodined +- $(RM) $(RM_FLAGS) $(DESTDIR)$(mandir)/man8/iodine.8 ++ $(RM) $(RM_FLAGS) $(DESTDIR)$(mandir)/man8/iodine{,d}.8 + + test: all + @echo "!! The check library is required for compiling and running the tests" +diff -NurEbBH iodine-0.7.0.orig/Makefile.orig iodine-0.7.0/Makefile.orig +--- iodine-0.7.0.orig/Makefile.orig 1970-01-01 03:00:00.000000000 +0300 ++++ iodine-0.7.0/Makefile.orig 2014-07-25 18:32:06.000000000 +0400 +@@ -0,0 +1,104 @@ ++prefix?=/usr/local ++sbindir=$(prefix)/sbin ++datadir=$(prefix)/share ++mandir=$(datadir)/man ++ ++DESTDIR= ++ ++INSTALL=install ++INSTALL_FLAGS= ++ ++MKDIR=mkdir ++MKDIR_FLAGS=-p ++ ++RM=rm ++RM_FLAGS=-f ++ ++TARGETOS = `uname` ++ ++all: ++ @(cd src; $(MAKE) TARGETOS=$(TARGETOS) all) ++ ++install: all ++ $(MKDIR) $(MKDIR_FLAGS) $(DESTDIR)$(sbindir) ++ $(INSTALL) $(INSTALL_FLAGS) bin/iodine $(DESTDIR)$(sbindir)/iodine ++ chmod 755 $(DESTDIR)$(sbindir)/iodine ++ $(INSTALL) $(INSTALL_FLAGS) bin/iodined $(DESTDIR)$(sbindir)/iodined ++ chmod 755 $(DESTDIR)$(sbindir)/iodined ++ $(MKDIR) $(MKDIR_FLAGS) $(DESTDIR)$(mandir)/man8 ++ $(INSTALL) $(INSTALL_FLAGS) man/iodine.8 $(DESTDIR)$(mandir)/man8/iodine.8 ++ chmod 644 $(DESTDIR)$(mandir)/man8/iodine.8 ++ ++uninstall: ++ $(RM) $(RM_FLAGS) 
$(DESTDIR)$(sbindir)/iodine ++ $(RM) $(RM_FLAGS) $(DESTDIR)$(sbindir)/iodined ++ $(RM) $(RM_FLAGS) $(DESTDIR)$(mandir)/man8/iodine.8 ++ ++test: all ++ @echo "!! The check library is required for compiling and running the tests" ++ @echo "!! Get it at http://check.sf.net" ++ @(cd tests; $(MAKE) TARGETOS=$(TARGETOS) all) ++ ++clean: ++ @echo "Cleaning..." ++ @(cd src; $(MAKE) clean) ++ @(cd tests; $(MAKE) clean) ++ @rm -rf bin iodine-latest* ++ ++#Helper target for windows/android zipfiles ++iodine-latest: ++ @rm -rf iodine-latest* ++ @mkdir -p iodine-latest ++ @echo "Create date: " > iodine-latest/VERSION.txt ++ @date >> iodine-latest/VERSION.txt ++ @echo "Git version: " >> iodine-latest/VERSION.txt ++ @git rev-parse HEAD >> iodine-latest/VERSION.txt ++ @for i in README CHANGELOG TODO; do cp $$i iodine-latest/$$i.txt; done ++ @unix2dos iodine-latest/* ++ ++cross-android: ++ @(cd src; $(MAKE) base64u.c base64u.h) ++ @(cd src; ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=Android.mk) ++ ++iodine-latest-android.zip: iodine-latest ++ @mv iodine-latest iodine-latest-android ++ @mkdir -p iodine-latest-android/armeabi iodine-latest-android/x86 ++ @$(MAKE) cross-android TARGET_ARCH_ABI=armeabi ++ @cp src/libs/armeabi/* iodine-latest-android/armeabi ++ @$(MAKE) cross-android TARGET_ARCH_ABI=x86 ++ @cp src/libs/x86/* iodine-latest-android/x86 ++ @cp README-android.txt iodine-latest-android ++ @zip -r iodine-latest-android.zip iodine-latest-android ++ ++cross-mingw32: ++ @(cd src; $(MAKE) TARGETOS=windows32 CC=i686-w64-mingw32-gcc all) ++ ++cross-mingw64: ++ @(cd src; $(MAKE) TARGETOS=windows32 CC=x86_64-w64-mingw32-gcc all) ++ ++iodine-latest-windows.zip: iodine-latest ++ @mv iodine-latest iodine-latest-windows ++ @mkdir -p iodine-latest-windows/64bit iodine-latest-windows/32bit ++ @(cd src; $(MAKE) TARGETOS=windows32 CC=i686-w64-mingw32-gcc clean all) ++ @i686-w64-mingw32-strip bin/iodine* ++ @for i in `ls bin`; do cp bin/$$i iodine-latest-windows/32bit/$$i.exe; done ++ @cp 
/usr/i686-w64-mingw32/bin/zlib1.dll iodine-latest-windows/32bit ++ @(cd src; $(MAKE) TARGETOS=windows32 CC=x86_64-w64-mingw32-gcc clean all) ++ @x86_64-w64-mingw32-strip bin/iodine* ++ @for i in `ls bin`; do cp bin/$$i iodine-latest-windows/64bit/$$i.exe; done ++ @cp /usr/x86_64-w64-mingw32/bin/zlib1.dll iodine-latest-windows/64bit ++ @cp README-win32.txt iodine-latest-windows ++ @zip -r iodine-latest-windows.zip iodine-latest-windows ++ ++cross-mingw: ++ @(cd src; $(MAKE) TARGETOS=windows32 CC=i686-mingw32-gcc all) ++ ++iodine-latest-win32.zip: cross-mingw iodine-latest ++ @mv iodine-latest iodine-latest-win32 ++ @mkdir -p iodine-latest-win32/bin ++ @i686-mingw32-strip bin/iodine* ++ @for i in `ls bin`; do cp bin/$$i iodine-latest-win32/bin/$$i.exe; done ++ @cp /usr/i686-mingw32/usr/bin/zlib1.dll iodine-latest-win32/bin ++ @cp README-win32.txt iodine-latest-win32 ++ @zip -r iodine-latest-win32.zip iodine-latest-win32 ++ +diff -NurEbBH iodine-0.7.0.orig/Makefile.rej iodine-0.7.0/Makefile.rej +--- iodine-0.7.0.orig/Makefile.rej 1970-01-01 03:00:00.000000000 +0300 ++++ iodine-0.7.0/Makefile.rej 2014-07-25 18:32:06.000000000 +0400 +@@ -0,0 +1,19 @@ ++--- Makefile 2009-01-25 22:40:04.000000000 +0100 +++++ Makefile 2012-01-08 14:45:19.310809769 +0100 ++@@ -41,13 +41,13 @@ ++ $(INSTALL) $(INSTALL_FLAGS) bin/iodined $(DESTDIR)$(sbindir)/iodined ++ chmod 755 $(DESTDIR)$(sbindir)/iodined ++ $(MKDIR) $(MKDIR_FLAGS) $(DESTDIR)$(mandir)/man8 ++- $(INSTALL) $(INSTALL_FLAGS) man/iodine.8 $(DESTDIR)$(mandir)/man8/iodine.8 ++- chmod 644 $(DESTDIR)$(mandir)/man8/iodine.8 +++ $(INSTALL) $(INSTALL_FLAGS) man/iodine{,d}.8 $(DESTDIR)$(mandir)/man8/ +++ chmod 644 $(DESTDIR)$(mandir)/man8/iodine{,d}.8 ++ ++ uninstall: ++ $(RM) $(RM_FLAGS) $(DESTDIR)$(sbindir)/iodine ++ $(RM) $(RM_FLAGS) $(DESTDIR)$(sbindir)/iodined ++- $(RM) $(RM_FLAGS) $(DESTDIR)$(mandir)/man8/iodine.8 +++ $(RM) $(RM_FLAGS) $(DESTDIR)$(mandir)/man8/iodine{,d}.8 ++ ++ test: all ++ @echo "!! 
The check library is required for compiling and running the tests" +diff -NurEbBH iodine-0.7.0.orig/man/iodine.8 iodine-0.7.0/man/iodine.8 +--- iodine-0.7.0.orig/man/iodine.8 2014-06-17 00:28:43.000000000 +0400 ++++ iodine-0.7.0/man/iodine.8 2014-07-25 18:51:15.000000000 +0400 +@@ -1,7 +1,7 @@ + .\" groff -man -Tascii iodine.8 + .TH IODINE 8 "JUN 2014" "User Manuals" + .SH NAME +-iodine, iodined \- tunnel IPv4 over DNS ++iodine \- tunnel IPv4 over DNS + .SH SYNOPSIS + .B iodine [-v] + +@@ -41,44 +41,7 @@ + .B ] + .I topdomain + +-.B iodined [-v] + +-.B iodined [-h] +- +-.B iodined [-c] [-s] [-f] [-D] [-u +-.I user +-.B ] [-t +-.I chrootdir +-.B ] [-d +-.I device +-.B ] [-m +-.I mtu +-.B ] [-l +-.I listen_ip +-.B ] [-p +-.I port +-.B ] [-n +-( +-.B auto +-| +-.I external_ip +-) +-.B ] [-b +-.I dnsport +-.B ] [-P +-.I password +-.B ] [-z +-.I context +-.B ] [-F +-.I pidfile +-.B ] [-i +-.I max_idle_time +-.B ] +-.I tunnel_ip +-.B [ +-.I /netmask +-.B ] +-.I topdomain + .SH DESCRIPTION + .B iodine + lets you tunnel IPv4 data through a DNS +@@ -235,114 +198,6 @@ + and these errors can be ignored. + Maximum useful value is 59, since iodined will close a client's + connection after 60 seconds of inactivity. +-.SS Server Options: +-.TP +-.B -c +-Disable checking the client IP address on all incoming requests. +-By default, requests originating from non-matching IP addresses will be +-rejected, however this will cause problems when requests are routed +-via a cluster of DNS servers. +-.TP +-.B -s +-Don't try to configure IP address or MTU. +-This should only be used if you have already configured the device that will be +-used. +-.TP +-.B -D +-Increase debug level. Level 1 prints info about each RX/TX packet. +-Implies the +-.B -f +-option. +-On level 2 (\-DD) or higher, DNS queries will be printed literally. +-When using Base128 upstream encoding, this is best viewed as +-ISO Latin-1 text instead of (illegal) UTF-8. 
+-This is easily done with : "LC_ALL=C luit iodined \-DD ..." +-(see luit(1)). +-.TP +-.B -m mtu +-Set 'mtu' as mtu size for the tun device. +-This will be sent to the client on login, and the client will use the same mtu +-for its tun device. Default 1130. Note that the DNS traffic will be +-automatically fragmented when needed. +-.TP +-.B -l listen_ip +-Make the server listen only on 'listen_ip' for incoming requests. +-By default, incoming requests are accepted from all interfaces. +-.TP +-.B -p port +-Make the server listen on 'port' instead of 53 for traffic. +-If 'listen_ip' does not include localhost, this 'port' can be the same +-as 'dnsport'. +-.B Note: +-You must make sure the dns requests are forwarded to this port yourself. +-.TP +-.B -n auto|external_ip +-The IP address to return in NS responses. Default is to return the address used +-as destination in the query. +-If external_ip is 'auto', iodined will use externalip.net web service to +-retrieve the external IP of the host and use that for NS responses. +-.TP +-.B -b dnsport +-If this port is specified, all incoming requests not inside the tunnel domain +-will be forwarded to this port on localhost, to be handled by a real dns. +-If 'listen_ip' does not include localhost, this 'dnsport' can be the +-same as 'port'. +-.B Note: +-The forwarding is not fully transparent, and not advised for use +-in production environments. +-.TP +-.B -i max_idle_time +-Make the server stop itself after max_idle_time seconds if no traffic have been received. +-This should be combined with systemd or upstart on demand activation for being effective. +-.SS Client Arguments: +-.TP +-.B nameserver +-The nameserver to use to relay the dns traffic. This can be any relaying +-nameserver or the server running iodined if reachable. This field can be +-given as an IPv4/IPv6 address or as a hostname. This argument is optional, +-and if not specified a nameserver will be read from the +-.I /etc/resolv.conf +-file. 
+-.TP +-.B topdomain +-The dns traffic will be sent as queries for subdomains under +-\'topdomain'. This is normally a subdomain to a domain you own. Use a short +-domain name to get better throughput. If +-.B nameserver +-is the iodined server, then the topdomain can be chosen freely. This argument +-must be the same on both the client and the server. +-.SS Server Arguments: +-.TP +-.B tunnel_ip[/netmask] +-This is the server's ip address on the tun interface. The client will be +-given the next ip number in the range. It is recommended to use the +-10.0.0.0 or 172.16.0.0 ranges. The default netmask is /27, can be overridden +-by specifying it here. Using a smaller network will limit the number of +-concurrent users. +-.TP +-.B topdomain +-The dns traffic is expected to arrive as queries for +-subdomains under 'topdomain'. This is normally a subdomain to a domain you +-own. Use a short domain name to get better throughput. This argument must be +-the same on both the client and the server. Queries for domains other +-than 'topdomain' will be forwarded when the \-b option is given, otherwise +-they will be dropped. +-.SH EXAMPLES +-See the README file for both a quick test scenario, and a detailed description +-of real-world deployment. +-.SH SECURITY +-Login is a relatively secure challenge-response MD5 hash, with the +-password never passing the wire. +-However, all other data is +-.B NOT +-encrypted in any way. The DNS traffic is also vulnerable to replay, +-injection and man-in-the-middle attacks, especially when iodined is used +-with the \-c option. Use of ssh or vpn tunneling is strongly recommended. +-On both server and client, use +-.IR iptables , +-.I pf +-or other firewalls to block all traffic coming in from the tun interfaces, +-except to the used ssh or vpn ports. + .SH ENVIRONMENT + .SS IODINE_PASS + If the environment variable +@@ -351,13 +206,6 @@ + for one. The + .B -P + option still has precedence. 
+-.SS IODINED_PASS +-If the environment variable +-.B IODINED_PASS +-is set, iodined will use the value it is set to as password instead of asking +-for one. The +-.B -P +-option still has precedence. + .SH SEE ALSO + The README file in the source distribution contains some more elaborate + information. +diff -NurEbBH iodine-0.7.0.orig/man/iodine.8.orig iodine-0.7.0/man/iodine.8.orig +--- iodine-0.7.0.orig/man/iodine.8.orig 1970-01-01 03:00:00.000000000 +0300 ++++ iodine-0.7.0/man/iodine.8.orig 2014-06-17 00:28:43.000000000 +0400 +@@ -0,0 +1,368 @@ ++.\" groff -man -Tascii iodine.8 ++.TH IODINE 8 "JUN 2014" "User Manuals" ++.SH NAME ++iodine, iodined \- tunnel IPv4 over DNS ++.SH SYNOPSIS ++.B iodine [-v] ++ ++.B iodine [-h] ++ ++.B iodine [-4] [-6] [-f] [-r] [-u ++.I user ++.B ] [-P ++.I password ++.B ] [-m ++.I fragsize ++.B ] [-t ++.I chrootdir ++.B ] [-d ++.I device ++.B ] [-R ++.I rdomain ++.B ] [-m ++.I fragsize ++.B ] [-M ++.I namelen ++.B ] [-z ++.I context ++.B ] [-F ++.I pidfile ++.B ] [-T ++.I dnstype ++.B ] [-O ++.I downenc ++.B ] [-L ++.I 0|1 ++.B ] [-I ++.I interval ++.B ] ++.B [ ++.I nameserver ++.B ] ++.I topdomain ++ ++.B iodined [-v] ++ ++.B iodined [-h] ++ ++.B iodined [-c] [-s] [-f] [-D] [-u ++.I user ++.B ] [-t ++.I chrootdir ++.B ] [-d ++.I device ++.B ] [-m ++.I mtu ++.B ] [-l ++.I listen_ip ++.B ] [-p ++.I port ++.B ] [-n ++( ++.B auto ++| ++.I external_ip ++) ++.B ] [-b ++.I dnsport ++.B ] [-P ++.I password ++.B ] [-z ++.I context ++.B ] [-F ++.I pidfile ++.B ] [-i ++.I max_idle_time ++.B ] ++.I tunnel_ip ++.B [ ++.I /netmask ++.B ] ++.I topdomain ++.SH DESCRIPTION ++.B iodine ++lets you tunnel IPv4 data through a DNS ++server. This can be useful in situations where Internet access is firewalled, ++but DNS queries are allowed. It needs a TUN/TAP device to operate. The ++bandwidth is asymmetrical, ++with a measured maximum of 680 kbit/s upstream and 2.3 Mbit/s ++downstream in a wired LAN test network. 
++Realistic sustained throughput on a Wifi network using a carrier-grade ++DNS cache has been measured at some 50 kbit/s upstream and over 200 kbit/s ++downstream. ++.B iodine ++is the client application, ++.B iodined ++is the server. ++ ++Note: server and client are required to speak the exact same protocol. In most ++cases, this means running the same iodine version. Unfortunately, implementing ++backward and forward protocol compatibility is usually not feasible. ++.SH OPTIONS ++.SS Common Options: ++.TP ++.B -v ++Print version info and exit. ++.TP ++.B -h ++Print usage info and exit. ++.TP ++.B -f ++Keep running in foreground. ++.TP ++.B -u user ++Drop privileges and run as user 'user' after setting up tunnel. ++.TP ++.B -t chrootdir ++Chroot to 'chrootdir' after setting up tunnel. ++.TP ++.B -d device ++Use the TUN device 'device' instead of the normal one, which is dnsX on Linux ++and otherwise tunX. ++.TP ++.B -P password ++Use 'password' to authenticate. If not used, ++.B stdin ++will be used as input. Only the first 32 characters will be used. ++.TP ++.B -z context ++Apply SELinux 'context' after initialization. ++.TP ++.B -F pidfile ++Create 'pidfile' and write process id in it. ++.SS Client Options: ++.TP ++.B -4 ++Force IPv4 DNS queries ++.TP ++.B -6 ++Force IPv6 DNS queries ++.TP ++.B -r ++Skip raw UDP mode. If not used, iodine will try getting the public IP address ++of the iodined host and test if it is reachable directly. If it is, traffic ++will be sent to the server instead of the DNS relay. ++.TP ++.B -R rdomain ++Use OpenBSD routing domain 'rdomain' for the DNS connection. ++.TP ++.B -m fragsize ++Force maximum downstream fragment size. Not setting this will cause the ++client to automatically probe the maximum accepted downstream fragment size. ++.TP ++.B -M namelen ++Maximum length of upstream hostnames, default 255. ++Usable range ca. 100 to 255. ++Use this option to scale back upstream bandwidth in favor of downstream ++bandwidth. 
++Also useful for DNS servers that perform unreliably when using full-length ++hostnames, noticeable when fragment size autoprobe returns very ++different results each time. ++.TP ++.B -T dnstype ++DNS request type override. ++By default, autodetection will probe for working DNS request types, and ++will select the request type that is expected to provide the most bandwidth. ++However, it may turn out that a DNS relay imposes limits that skew the ++picture, which may lead to an "unexpected" DNS request type providing ++more bandwidth. ++In that case, use this option to override the autodetection. ++In (expected) decreasing bandwidth order, the supported DNS request types are: ++.IR NULL , ++.IR PRIVATE , ++.IR TXT , ++.IR SRV , ++.IR MX , ++.I CNAME ++and ++.I A ++(returning CNAME). ++Note that ++.IR SRV , ++.I MX ++and ++.I A ++may/will cause additional lookups by "smart" caching ++nameservers to get an actual IP address, which may either slow down or fail ++completely. The ++.IR PRIVATE ++type uses value 65399 (in the 'private use' range) and requires servers ++implementing RFC 3597. ++.TP ++.B -O downenc ++Force downstream encoding type for all query type responses except NULL. ++Default is autodetected, but may not spot all problems for the more advanced ++codecs. ++Use this option to override the autodetection. ++.I Base32 ++is the lowest-grade codec and should always work; this is used when ++autodetection fails. ++.I Base64 ++provides more bandwidth, but may not work on all nameservers. ++.I Base64u ++is equal to Base64 except in using underscore ('_') ++instead of plus sign ('+'), possibly working where ++.I Base64 ++does not. ++.I Base128 ++uses high byte values (mostly accented letters in iso8859-1), ++which might work with some nameservers. ++For TXT queries, ++.I Raw ++will provide maximum performance, but this will only work if the nameserver ++path is fully 8-bit-clean for responses that are assumed to be "legible text". 
++.TP ++.B -L 0|1 ++Lazy-mode switch. ++\-L1 (default): Use lazy mode for improved performance and decreased latency. ++A very small minority of DNS relays appears to be unable to handle the ++lazy mode traffic pattern, resulting in no or very little data coming through. ++The iodine client will detect this and try to switch back to legacy mode, ++but this may not always work. ++In these situations use \-L0 to force running in legacy mode ++(implies \-I1). ++.TP ++.B -I interval ++Maximum interval between requests (pings) so that intermediate DNS ++servers will not time out. Default is 4 in lazy mode, which will work ++fine in most cases. When too many SERVFAIL errors occur, iodine ++will automatically reduce this to 1. ++To get absolute minimum DNS traffic, ++increase well above 4, but not so high that SERVFAIL errors start to occur. ++There are some DNS relays with very small timeouts, ++notably dnsadvantage.com (ultradns), that will give ++SERVFAIL errors even with \-I1; data will still get trough, ++and these errors can be ignored. ++Maximum useful value is 59, since iodined will close a client's ++connection after 60 seconds of inactivity. ++.SS Server Options: ++.TP ++.B -c ++Disable checking the client IP address on all incoming requests. ++By default, requests originating from non-matching IP addresses will be ++rejected, however this will cause problems when requests are routed ++via a cluster of DNS servers. ++.TP ++.B -s ++Don't try to configure IP address or MTU. ++This should only be used if you have already configured the device that will be ++used. ++.TP ++.B -D ++Increase debug level. Level 1 prints info about each RX/TX packet. ++Implies the ++.B -f ++option. ++On level 2 (\-DD) or higher, DNS queries will be printed literally. ++When using Base128 upstream encoding, this is best viewed as ++ISO Latin-1 text instead of (illegal) UTF-8. ++This is easily done with : "LC_ALL=C luit iodined \-DD ..." ++(see luit(1)). 
++.TP ++.B -m mtu ++Set 'mtu' as mtu size for the tun device. ++This will be sent to the client on login, and the client will use the same mtu ++for its tun device. Default 1130. Note that the DNS traffic will be ++automatically fragmented when needed. ++.TP ++.B -l listen_ip ++Make the server listen only on 'listen_ip' for incoming requests. ++By default, incoming requests are accepted from all interfaces. ++.TP ++.B -p port ++Make the server listen on 'port' instead of 53 for traffic. ++If 'listen_ip' does not include localhost, this 'port' can be the same ++as 'dnsport'. ++.B Note: ++You must make sure the dns requests are forwarded to this port yourself. ++.TP ++.B -n auto|external_ip ++The IP address to return in NS responses. Default is to return the address used ++as destination in the query. ++If external_ip is 'auto', iodined will use externalip.net web service to ++retrieve the external IP of the host and use that for NS responses. ++.TP ++.B -b dnsport ++If this port is specified, all incoming requests not inside the tunnel domain ++will be forwarded to this port on localhost, to be handled by a real dns. ++If 'listen_ip' does not include localhost, this 'dnsport' can be the ++same as 'port'. ++.B Note: ++The forwarding is not fully transparent, and not advised for use ++in production environments. ++.TP ++.B -i max_idle_time ++Make the server stop itself after max_idle_time seconds if no traffic have been received. ++This should be combined with systemd or upstart on demand activation for being effective. ++.SS Client Arguments: ++.TP ++.B nameserver ++The nameserver to use to relay the dns traffic. This can be any relaying ++nameserver or the server running iodined if reachable. This field can be ++given as an IPv4/IPv6 address or as a hostname. This argument is optional, ++and if not specified a nameserver will be read from the ++.I /etc/resolv.conf ++file. 
++.TP ++.B topdomain ++The dns traffic will be sent as queries for subdomains under ++\'topdomain'. This is normally a subdomain to a domain you own. Use a short ++domain name to get better throughput. If ++.B nameserver ++is the iodined server, then the topdomain can be chosen freely. This argument ++must be the same on both the client and the server. ++.SS Server Arguments: ++.TP ++.B tunnel_ip[/netmask] ++This is the server's ip address on the tun interface. The client will be ++given the next ip number in the range. It is recommended to use the ++10.0.0.0 or 172.16.0.0 ranges. The default netmask is /27, can be overridden ++by specifying it here. Using a smaller network will limit the number of ++concurrent users. ++.TP ++.B topdomain ++The dns traffic is expected to arrive as queries for ++subdomains under 'topdomain'. This is normally a subdomain to a domain you ++own. Use a short domain name to get better throughput. This argument must be ++the same on both the client and the server. Queries for domains other ++than 'topdomain' will be forwarded when the \-b option is given, otherwise ++they will be dropped. ++.SH EXAMPLES ++See the README file for both a quick test scenario, and a detailed description ++of real-world deployment. ++.SH SECURITY ++Login is a relatively secure challenge-response MD5 hash, with the ++password never passing the wire. ++However, all other data is ++.B NOT ++encrypted in any way. The DNS traffic is also vulnerable to replay, ++injection and man-in-the-middle attacks, especially when iodined is used ++with the \-c option. Use of ssh or vpn tunneling is strongly recommended. ++On both server and client, use ++.IR iptables , ++.I pf ++or other firewalls to block all traffic coming in from the tun interfaces, ++except to the used ssh or vpn ports. ++.SH ENVIRONMENT ++.SS IODINE_PASS ++If the environment variable ++.B IODINE_PASS ++is set, iodine will use the value it is set to as password instead of asking ++for one. 
The ++.B -P ++option still has precedence. ++.SS IODINED_PASS ++If the environment variable ++.B IODINED_PASS ++is set, iodined will use the value it is set to as password instead of asking ++for one. The ++.B -P ++option still has precedence. ++.SH SEE ALSO ++The README file in the source distribution contains some more elaborate ++information. ++.SH BUGS ++File bugs at http://dev.kryo.se/iodine/ ++.SH AUTHORS ++Erik Ekman and Bjorn Andersson . Major ++contributions by Anne Bezemer. +diff -NurEbBH iodine-0.7.0.orig/man/iodine.8.rej iodine-0.7.0/man/iodine.8.rej +--- iodine-0.7.0.orig/man/iodine.8.rej 1970-01-01 03:00:00.000000000 +0300 ++++ iodine-0.7.0/man/iodine.8.rej 2014-07-25 18:32:06.000000000 +0400 +@@ -0,0 +1,155 @@ ++--- man/iodine.8 2009-12-29 21:10:02.000000000 +0100 +++++ man/iodine.8 2012-01-08 14:43:48.256155811 +0100 ++@@ -39,38 +39,6 @@ ++ .B ] ++ .I topdomain ++ ++-.B iodined [-v] ++- ++-.B iodined [-h] ++- ++-.B iodined [-c] [-s] [-f] [-D] [-u ++-.I user ++-.B ] [-t ++-.I chrootdir ++-.B ] [-d ++-.I device ++-.B ] [-m ++-.I mtu ++-.B ] [-l ++-.I listen_ip ++-.B ] [-p ++-.I port ++-.B ] [-n ++-.I external_ip ++-.B ] [-b ++-.I dnsport ++-.B ] [-P ++-.I password ++-.B ] [-z ++-.I context ++-.B ] [-F ++-.I pidfile ++-.B ] ++-.I tunnel_ip ++-.B [ ++-.I /netmask ++-.B ] ++-.I topdomain ++ .SH DESCRIPTION ++ .B iodine ++ lets you tunnel IPv4 data through a DNS ++@@ -214,55 +182,6 @@ ++ and these errors can be ignored. ++ Maximum useful value is 59, since iodined will close a client's ++ connection after 60 seconds of inactivity. ++-.SS Server Options: ++-.TP ++-.B -c ++-Disable checking the client IP address on all incoming requests. ++-By default, requests originating from non-matching IP adresses will be ++-rejected, however this will cause problems when requests are routed ++-via a cluster of DNS servers. ++-.TP ++-.B -s ++-Don't try to configure IP address or MTU. 
++-This should only be used if you have already configured the device that will be ++-used. ++-.TP ++-.B -D ++-Increase debug level. Level 1 prints info about each RX/TX packet. ++-Implies the ++-.B -f ++-option. ++-On level 2 (-DD) or higher, DNS queries will be printed literally. ++-When using Base128 upstream encoding, this is best viewed as ++-ISO Latin-1 text instead of (illegal) UTF-8. ++-This is easily done with : "LC_ALL=C luit iodined -DD ..." ++-(see luit(1)). ++-.TP ++-.B -m mtu ++-Set 'mtu' as mtu size for the tun device. ++-This will be sent to the client on login, and the client will use the same mtu ++-for its tun device. Default 1130. Note that the DNS traffic will be ++-automatically fragmented when needed. ++-.TP ++-.B -l listen_ip ++-Make the server listen only on 'listen_ip' for incoming requests. ++-By default, incoming requests are accepted from all interfaces. ++-.TP ++-.B -p port ++-Make the server listen on 'port' instead of 53 for traffic. ++-.B Note: ++-You must make sure the dns requests are forwarded to this port yourself. ++-.TP ++-.B -n external_ip ++-The IP address to return in NS responses. Default is to return the address used ++-as destination in the query. ++-.TP ++-.B -b dnsport ++-If this port is specified, all incoming requests not inside the tunnel domain ++-will be forwarded to this port on localhost, to be handled by a real dns. ++-.B Note: ++-The forwarding is not fully transparent, and not advised for use ++-in production environments. ++ .SS Client Arguments: ++ .TP ++ .B nameserver ++@@ -280,38 +199,6 @@ ++ .B nameserver ++ is the iodined server, then the topdomain can be chosen freely. This argument ++ must be the same on both the client and the server. ++-.SS Server Arguments: ++-.TP ++-.B tunnel_ip[/netmask] ++-This is the server's ip address on the tun interface. The client will be ++-given the next ip number in the range. It is recommended to use the ++-10.0.0.0 or 172.16.0.0 ranges. 
The default netmask is /27, can be overriden ++-by specifying it here. Using a smaller network will limit the number of ++-concurrent users. ++-.TP ++-.B topdomain ++-The dns traffic is expected to arrive as queries for ++-subdomains under 'topdomain'. This is normally a subdomain to a domain you ++-own. Use a short domain name to get better throughput. This argument must be ++-the same on both the client and the server. Queries for domains other ++-than 'topdomain' will be forwarded when the \-b option is given, otherwise ++-they will be dropped. ++-.SH EXAMPLES ++-See the README file for both a quick test scenario, and a detailed description ++-of real-world deployment. ++-.SH SECURITY ++-Login is a relatively secure challenge-response MD5 hash, with the ++-password never passing the wire. ++-However, all other data is ++-.B NOT ++-encrypted in any way. The DNS traffic is also vulnerable to replay, ++-injection and man-in-the-middle attacks, especially when iodined is used ++-with the \-c option. Use of ssh or vpn tunneling is strongly recommended. ++-On both server and client, use ++-.IR iptables , ++-.I pf ++-or other firewalls to block all traffic coming in from the tun interfaces, ++-except to the used ssh or vpn ports. ++ .SH ENVIRONMENT ++ .SS IODINE_PASS ++ If the environment variable ++@@ -320,16 +207,9 @@ ++ for one. The ++ .B -P ++ option still has precedence. ++-.SS IODINED_PASS ++-If the environment variable ++-.B IODINED_PASS ++-is set, iodined will use the value it is set to as password instead of asking ++-for one. The ++-.B -P ++-option still has precedence. ++-.El ++ .SH SEE ALSO ++-The README file in the source distribution contains some more elaborate +++\fBiodined\fR(8), +++the README file in the source distribution contains some more elaborate ++ information. 
++ .SH BUGS ++ File bugs at http://dev.kryo.se/iodine/ +diff -NurEbBH iodine-0.7.0.orig/man/iodined.8 iodine-0.7.0/man/iodined.8 +--- iodine-0.7.0.orig/man/iodined.8 1970-01-01 03:00:00.000000000 +0300 ++++ iodine-0.7.0/man/iodined.8 2014-07-25 18:51:25.000000000 +0400 +@@ -0,0 +1,218 @@ ++.\" groff -man -Tascii iodine.8 ++.TH IODINE 8 "JUN 2014" "User Manuals" ++.SH NAME ++iodined \- tunnel IPv4 over DNS ++.SH SYNOPSIS ++.B iodined [-v] ++ ++.B iodined [-h] ++ ++.B iodined [-c] [-s] [-f] [-D] [-u ++.I user ++.B ] [-t ++.I chrootdir ++.B ] [-d ++.I device ++.B ] [-m ++.I mtu ++.B ] [-l ++.I listen_ip ++.B ] [-p ++.I port ++.B ] [-n ++( ++.B auto ++| ++.I external_ip ++) ++.B ] [-b ++.I dnsport ++.B ] [-P ++.I password ++.B ] [-z ++.I context ++.B ] [-F ++.I pidfile ++.B ] [-i ++.I max_idle_time ++.B ] ++.I tunnel_ip ++.B [ ++.I /netmask ++.B ] ++.I topdomain ++.SH DESCRIPTION ++.B iodined ++lets you tunnel IPv4 data through a DNS ++server. This can be useful in situations where Internet access is firewalled, ++but DNS queries are allowed. It needs a TUN/TAP device to operate. The ++bandwidth is asymmetrical, ++with a measured maximum of 680 kbit/s upstream and 2.3 Mbit/s ++downstream in a wired LAN test network. ++Realistic sustained throughput on a Wifi network using a carrier-grade ++DNS cache has been measured at some 50 kbit/s upstream and over 200 kbit/s ++downstream. ++.B iodine ++is the client application, ++.B iodined ++is the server. ++ ++Note: server and client are required to speak the exact same protocol. In most ++cases, this means running the same iodine[d] version. Unfortunately, implementing ++backward and forward protocol compatibility is usually not feasible. ++.SH OPTIONS ++.SS Common Options: ++.TP ++.B -v ++Print version info and exit. ++.TP ++.B -h ++Print usage info and exit. ++.TP ++.B -f ++Keep running in foreground. ++.TP ++.B -u user ++Drop privileges and run as user 'user' after setting up tunnel. 
++.TP ++.B -t chrootdir ++Chroot to 'chrootdir' after setting up tunnel. ++.TP ++.B -d device ++Use the TUN device 'device' instead of the normal one, which is dnsX on Linux ++and otherwise tunX. ++.TP ++.B -P password ++Use 'password' to authenticate. If not used, ++.B stdin ++will be used as input. Only the first 32 characters will be used. ++.TP ++.B -z context ++Apply SELinux 'context' after initialization. ++.TP ++.B -F pidfile ++Create 'pidfile' and write process id in it. ++.SS Server Options: ++.TP ++.B -c ++Disable checking the client IP address on all incoming requests. ++By default, requests originating from non-matching IP addresses will be ++rejected, however this will cause problems when requests are routed ++via a cluster of DNS servers. ++.TP ++.B -s ++Don't try to configure IP address or MTU. ++This should only be used if you have already configured the device that will be ++used. ++.TP ++.B -D ++Increase debug level. Level 1 prints info about each RX/TX packet. ++Implies the ++.B -f ++option. ++On level 2 (\-DD) or higher, DNS queries will be printed literally. ++When using Base128 upstream encoding, this is best viewed as ++ISO Latin-1 text instead of (illegal) UTF-8. ++This is easily done with : "LC_ALL=C luit iodined \-DD ..." ++(see luit(1)). ++.TP ++.B -m mtu ++Set 'mtu' as mtu size for the tun device. ++This will be sent to the client on login, and the client will use the same mtu ++for its tun device. Default 1130. Note that the DNS traffic will be ++automatically fragmented when needed. ++.TP ++.B -l listen_ip ++Make the server listen only on 'listen_ip' for incoming requests. ++By default, incoming requests are accepted from all interfaces. ++.TP ++.B -p port ++Make the server listen on 'port' instead of 53 for traffic. ++If 'listen_ip' does not include localhost, this 'port' can be the same ++as 'dnsport'. ++.B Note: ++You must make sure the dns requests are forwarded to this port yourself. 
++.TP
++.B -n auto|external_ip
++The IP address to return in NS responses. Default is to return the address used
++as destination in the query.
++If external_ip is 'auto', iodined will use externalip.net web service to
++retrieve the external IP of the host and use that for NS responses.
++.TP
++.B -b dnsport
++If this port is specified, all incoming requests not inside the tunnel domain
++will be forwarded to this port on localhost, to be handled by a real dns.
++If 'listen_ip' does not include localhost, this 'dnsport' can be the
++same as 'port'.
++.B Note:
++The forwarding is not fully transparent, and not advised for use
++in production environments.
++.TP
++.B -i max_idle_time
++Make the server stop itself after max_idle_time seconds if no traffic have been received.
++This should be combined with systemd or upstart on demand activation for being effective.
++.SS Client Arguments:
++.TP
++.B nameserver
++The nameserver to use to relay the dns traffic. This can be any relaying
++nameserver or the server running iodined if reachable. This field can be
++given as an IPv4/IPv6 address or as a hostname. This argument is optional,
++and if not specified a nameserver will be read from the
++.I /etc/resolv.conf
++file.
++.TP
++.B topdomain
++The dns traffic will be sent as queries for subdomains under
++\'topdomain'. This is normally a subdomain to a domain you own. Use a short
++domain name to get better throughput. If
++.B nameserver
++is the iodined server, then the topdomain can be chosen freely. This argument
++must be the same on both the client and the server.
++.SS Server Arguments:
++.TP
++.B tunnel_ip[/netmask]
++This is the server's ip address on the tun interface. The client will be
++given the next ip number in the range. It is recommended to use the
++10.0.0.0 or 172.16.0.0 ranges. The default netmask is /27, can be overridden
++by specifying it here. Using a smaller network will limit the number of
++concurrent users.
++.TP
++.B topdomain
++The dns traffic is expected to arrive as queries for
++subdomains under 'topdomain'. This is normally a subdomain to a domain you
++own. Use a short domain name to get better throughput. This argument must be
++the same on both the client and the server. Queries for domains other
++than 'topdomain' will be forwarded when the \-b option is given, otherwise
++they will be dropped.
++.SH EXAMPLES
++See the README file for both a quick test scenario, and a detailed description
++of real-world deployment.
++.SH SECURITY
++Login is a relatively secure challenge-response MD5 hash, with the
++password never passing the wire.
++However, all other data is
++.B NOT
++encrypted in any way. The DNS traffic is also vulnerable to replay,
++injection and man-in-the-middle attacks, especially when iodined is used
++with the \-c option. Use of ssh or vpn tunneling is strongly recommended.
++On both server and client, use
++.IR iptables ,
++.I pf
++or other firewalls to block all traffic coming in from the tun interfaces,
++except to the used ssh or vpn ports.
++.SH ENVIRONMENT
++.SS IODINED_PASS
++If the environment variable
++.B IODINED_PASS
++is set, iodined will use the value it is set to as password instead of asking
++for one. The
++.B -P
++option still has precedence.
++.SH SEE ALSO
++The README file in the source distribution contains some more elaborate
++information.
++.SH BUGS
++File bugs at http://dev.kryo.se/iodine/
++.SH AUTHORS
++Erik Ekman and Bjorn Andersson . Major
++contributions by Anne Bezemer.
diff --git a/SOURCES/iodine-client.conf b/SOURCES/iodine-client.conf
new file mode 100644
index 0000000..c7f58c8
--- /dev/null
+++ b/SOURCES/iodine-client.conf
@@ -0,0 +1,6 @@
+# You may provide password in two way, uncomment next line, or provide it in OPTIONS
+#IODINE_PASS="my_cool_passwd"
+
+# For more detailes see 'man iodine'
+#OPTIONS="-P PASSWORD NAMESERVER DOMAIN"
+OPTIONS=""
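Review bot: The commented example `#OPTIONS="-P PASSWORD NAMESERVER DOMAIN"` steers the admin toward passing the password as a command-line argument, which the init script's `daemon` line and the unit's `ExecStart` then expose to every local user through the process list; the `IODINE_PASS` line is the form to recommend, so the comment should say so, e.g. `# Prefer IODINE_PASS: a -P password in OPTIONS shows up in the process list`. Neither example includes `-u user` or `-t chrootdir`, which the man page earlier on this page documents as the way to drop privileges once the tunnel is up, so the shipped defaults run the daemon as root for its whole lifetime; the example line is the natural place to show them. The same two points apply to the server config in the SOURCES/iodine-server.conf hunk, whose "See `man iodine`" comment should also point at `man iodined`, the page this split-man patch adds.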
diff --git a/SOURCES/iodine-client.init b/SOURCES/iodine-client.init
new file mode 100644
index 0000000..d6b04bf
--- /dev/null
+++ b/SOURCES/iodine-client.init
@@ -0,0 +1,103 @@
+#!/bin/sh
+#
+# iodine-client Startup script for the iodine client
+#
+# chkconfig: - 80 30
+# description: iodine lets you tunnel IPv4 data through a DNS server
+
+### BEGIN INIT INFO
+# Provides: iodine-client
+# Required-Start: $local_fs $network
+# Required-Stop: $local_fs $network
+# Should-Start:
+# Should-Stop:
+# Default-Start:
+# Default-Stop: 0 1 2 3 4 5 6
+# Short-Description: start and stop iodine-client
+# Description: iodine lets you tunnel IPv4 data through a DNS server
+### END INIT INFO
+
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+exec_short="iodine"
+exec="/usr/sbin/${exec_short}"
+prog="iodine-client"
+logfile="/var/log/${prog}.log"
+
+[ -e /etc/sysconfig/$prog ] && . /etc/sysconfig/$prog
+
+lockfile=/var/lock/subsys/$prog
+
+start() {
+ [ -x $exec ] || exit 5
+ echo -n $"Starting $prog: "
+ daemon "/usr/bin/setsid $exec $OPTIONS >> $logfile 2>&1 &"
+ retval=$?
+ echo
+ [ $retval -eq 0 ] && touch $lockfile
+ return $retval
+}
+
+stop() {
+ echo -n $"Stopping $prog: "
+ killproc $exec_short
+ retval=$?
+ echo
+ [ $retval -eq 0 ] && rm -f $lockfile
+ return $retval
+}
+
+restart() {
+ stop
+ start
+}
+
+reload() {
+ restart
+}
+
+force_reload() {
+ restart
+}
+
+rh_status() {
+ status $exec_short
+}
+
+rh_status_q() {
+ rh_status >/dev/null 2>&1
+}
+
+
+case "$1" in
+ start)
+ rh_status_q && exit 0
+ $1
+ ;;
+ stop)
+ rh_status_q || exit 0
+ $1
+ ;;
+ restart)
+ $1
+ ;;
+ reload)
+ rh_status_q || exit 7
+ $1
+ ;;
+ force-reload)
+ force_reload
+ ;;
+ status)
+ rh_status
+ ;;
+ condrestart|try-restart)
+ rh_status_q || exit 0
+ restart
+ ;;
+ *)
+ echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}"
+ exit 2
+esac
+exit $?
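Review bot: `$logfile` is first created by the `>> $logfile` redirect inside the `daemon` call in `start`, so it gets the caller's umask (normally world-readable), and the `create 0600 root root` in the logrotate snippet only takes effect after the first rotation; with `-D` the daemon writes per-packet info and literal DNS queries into that file. Creating it with a restrictive mode before the redirect closes the gap, e.g. `( umask 077; : >> "$logfile" )` as the line before `daemon`. `stop` and `rh_status` match by bare program name via `killproc $exec_short` / `status $exec_short`, so they act on any process named iodine rather than the instance this script started; adding `-F /var/run/$prog.pid` to the command and passing that pidfile with `-p` to killproc/status would pin them to it. The same applies to SOURCES/iodine-server.init.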
diff --git a/SOURCES/iodine-client.service b/SOURCES/iodine-client.service
new file mode 100644
index 0000000..308cf8e
--- /dev/null
+++ b/SOURCES/iodine-client.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Iodine Client
+After=local-fs.target network.target
+
+[Service]
+EnvironmentFile=-/etc/sysconfig/iodine-client
+ExecStart=/usr/sbin/iodine $OPTIONS
+StandardOutput=syslog
+
+[Install]
+WantedBy=multi-user.target
diff --git a/SOURCES/iodine-server.conf b/SOURCES/iodine-server.conf
new file mode 100644
index 0000000..be205b7
--- /dev/null
+++ b/SOURCES/iodine-server.conf
@@ -0,0 +1,6 @@
+# You may provide password in two way, uncomment next line, or provide it in OPTIONS
+#IODINED_PASS="my_cool_passwd"
+
+# See `man iodine`
+#OPTIONS="-P PASSWORD TUNNEL_IP DOMAIN"
+OPTIONS=""
diff --git a/SOURCES/iodine-server.init b/SOURCES/iodine-server.init
new file mode 100644
index 0000000..e246f1b
--- /dev/null
+++ b/SOURCES/iodine-server.init
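Review bot: The client unit has only `After=network.target` and no `Restart=`, yet the man page on this page says the client resolves `nameserver` (or reads it from /etc/resolv.conf) at startup, so a unit enabled at boot may start before the resolver is usable and then stay dead; `Wants=network-online.target`, `After=network-online.target` and `Restart=on-failure` under `[Service]` would cover that. `ExecStart=/usr/sbin/iodine $OPTIONS` also means any `-P` password placed in the EnvironmentFile ends up in the process list, which is worth a comment in the unit pointing at `IODINE_PASS`. The server unit in the SOURCES/iodine-server.service hunk has the same shape; the ordering matters less there, but the `Restart=` and password remarks apply to it too.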
@@ -0,0 +1,103 @@
+#!/bin/sh
+#
+# iodine-server Startup script for the iodine server
+#
+# chkconfig: - 80 30
+# description: iodine lets you tunnel IPv4 data through a DNS server
+
+### BEGIN INIT INFO
+# Provides: iodine-server
+# Required-Start: $local_fs $network
+# Required-Stop: $local_fs $network
+# Should-Start:
+# Should-Stop:
+# Default-Start:
+# Default-Stop: 0 1 2 3 4 5 6
+# Short-Description: start and stop iodine-server
+# Description: iodine lets you tunnel IPv4 data through a DNS server
+### END INIT INFO
+
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+exec_short="iodined"
+exec="/usr/sbin/${exec_short}"
+prog="iodine-server"
+logfile="/var/log/${prog}.log"
+
+[ -e /etc/sysconfig/$prog ] && . /etc/sysconfig/$prog
+
+lockfile=/var/lock/subsys/$prog
+
+start() {
+ [ -x $exec ] || exit 5
+ echo -n $"Starting $prog: "
+ daemon "/usr/bin/setsid $exec $OPTIONS >> $logfile 2>&1 &"
+ retval=$?
+ echo
+ [ $retval -eq 0 ] && touch $lockfile
+ return $retval
+}
+
+stop() {
+ echo -n $"Stopping $prog: "
+ killproc $exec_short
+ retval=$?
+ echo
+ [ $retval -eq 0 ] && rm -f $lockfile
+ return $retval
+}
+
+restart() {
+ stop
+ start
+}
+
+reload() {
+ restart
+}
+
+force_reload() {
+ restart
+}
+
+rh_status() {
+ status $exec_short
+}
+
+rh_status_q() {
+ rh_status >/dev/null 2>&1
+}
+
+
+case "$1" in
+ start)
+ rh_status_q && exit 0
+ $1
+ ;;
+ stop)
+ rh_status_q || exit 0
+ $1
+ ;;
+ restart)
+ $1
+ ;;
+ reload)
+ rh_status_q || exit 7
+ $1
+ ;;
+ force-reload)
+ force_reload
+ ;;
+ status)
+ rh_status
+ ;;
+ condrestart|try-restart)
+ rh_status_q || exit 0
+ restart
+ ;;
+ *)
+ echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}"
+ exit 2
+esac
+exit $?
diff --git a/SOURCES/iodine-server.service b/SOURCES/iodine-server.service
new file mode 100644
index 0000000..2d8a502
--- /dev/null
+++ b/SOURCES/iodine-server.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Iodine Server
+After=local-fs.target network.target
+
+[Service]
+EnvironmentFile=-/etc/sysconfig/iodine-server
+ExecStart=/usr/sbin/iodined $OPTIONS
+StandardOutput=syslog
+
+[Install]
+WantedBy=multi-user.target
diff --git a/SOURCES/iodine.logrotate.client b/SOURCES/iodine.logrotate.client
new file mode 100644
index 0000000..f8cc559
--- /dev/null
+++ b/SOURCES/iodine.logrotate.client
@@ -0,0 +1,7 @@
+/var/log/iodine-client.log {
+ missingok
+ create 0600 root root
+ postrotate
+ /etc/init.d/iodine-client condrestart > /dev/null 2>&1 || :
+ endscript
+}
diff --git a/SOURCES/iodine.logrotate.server b/SOURCES/iodine.logrotate.server
new file mode 100644
index 0000000..35b62e6
--- /dev/null
+++ b/SOURCES/iodine.logrotate.server
@@ -0,0 +1,7 @@
+/var/log/iodine-server.log {
+ missingok
+ create 0600 root root
+ postrotate
+ /etc/init.d/iodine-server condrestart > /dev/null 2>&1 || :
+ endscript
+}
diff --git a/SPECS/iodine.spec b/SPECS/iodine.spec
new file mode 100644
index 0000000..eb12987
--- /dev/null
+++ b/SPECS/iodine.spec
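Review bot: `postrotate` runs `condrestart`, which restarts the whole client just to reopen the log and so tears down the DNS tunnel and anything riding over it at every rotation; since the init script only appends to the file through a shell redirect, `copytruncate` in place of the `postrotate`/`endscript` block would keep the tunnel up. The same applies to SOURCES/iodine.logrotate.server. The hard-coded `/etc/init.d/iodine-client` is also a no-op on a host that runs the systemd unit, where output goes to syslog and the unit never writes this file, so the snippet is only meaningful alongside the sysvinit script.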
@@ -0,0 +1,306 @@
+#% global prerel -rc1
+
+Name: iodine
+Version: 0.7.0
+Release: 1%{?dist}
+Summary: Solution to tunnel IPv4 data through a DNS server
+Summary(ru): Решение для туннелирования IPv4 трафика через DNS сервер
+Group: System Environment/Daemons
+License: ISC
+URL: http://code.kryo.se/iodine/
+Source0: http://code.kryo.se/%{name}/%{name}-%{version}%{?prerel}.tar.gz
+# Initscripts and separate configs made by Nikolay Ulyanitsky
+Source1: %{name}-client.conf
+Source2: %{name}-server.conf
+
+Source3: %{name}-client.init
+Source4: %{name}-server.init
+
+Source5: %{name}.logrotate.client
+Source6: %{name}.logrotate.server
+
+Source7: %{name}-client.service
+Source8: %{name}-server.service
+
+# It still needed for EPEL5
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+
+# http://dev.kryo.se/iodine/ticket/119
+Patch1: iodine-0.7.0.split-man.patch
+
+BuildRequires: zlib-devel
+Requires(post): chkconfig
+Requires(preun): chkconfig, initscripts
+Requires(postun): initscripts
+
+BuildRequires: systemd
+
+Requires: %{name}-client
+Requires: %{name}-server
+
+%description
+iodine lets you tunnel IPv4 data through a DNS server. This can be usable in
+different situations where internet access is firewalled, but DNS queries are
+allowed.
+
+It runs on Linux, Mac OS X, FreeBSD, NetBSD, OpenBSD and Windows and needs a
+TUN/TAP device. The bandwidth is asymmetrical with limited upstream and up to
+1 Mbit/s downstream.
+
+This is meta-package to install both client and server.
+It also contain three documantation files: CHANGELOG, README, TODO.
+
+%description -l ru
+iodine предоставляет возможность пробросить IPv4 туннель сквозь DNS сервер.
+Это может быть очень полезно в разных ситуациях, когда доступ в интернет
+запрещён фаерволом, но DNS запросы пропускаются нормально.
+
+Iodine работает на Linux, Mac OS X, FreeBSD, NetBSD, OpenBSD и Windows и
+использует TUN/TAP устройство.
Пропускная способность асимметрична - аплоад не
+быстр, скачивание до 1 Mbit/s.
+
+Это мета-пакет для инсталляции обоих пакетов, клиента и сервера.
+Он также содержит 3 файла документации: CHANGELOG, README, TODO.
+
+%package client
+Summary: Client part of solution to tunnel IPv4 data through a DNS server
+Summary(ru): Клиент для туннелирования IPv4 трафика через DNS сервер
+Requires(post): systemd
+Requires(preun): systemd
+Requires(postun): systemd
+# This is actually needed for the %%triggerun script but Requires(triggerun)
+# is not valid. We can use %%post because this particular %%triggerun script
+# should fire just after this package is installed.
+Requires(post): systemd-sysv
+Provides: bundled(md5-deutsch)
+
+%description client
+This is the client part of iodine sulution.
+
+%description client -l ru
+Это пакет клиентской части.
+
+%package client-sysvinit
+Summary: Legacy sysvinit scripts for cleint daemon
+Summary(ru): Устаревшие скрипты инициализации клиента в стиле sysvinit
+Requires(post): chkconfig
+Requires(preun): chkconfig, initscripts
+Requires(postun): initscripts
+
+%description client-sysvinit
+May be needed f.e. on CentOS.
+
+%description client-sysvinit -l ru
+Могут понадобиться например на CentOS.
+
+%package server
+Summary: Server part of solution to tunnel IPv4 data through a DNS server
+Summary(ru): Сервер для туннелирования IPv4 трафика через DNS сервер
+Requires(post): systemd
+Requires(preun): systemd
+Requires(postun): systemd
+# This is actually needed for the %%triggerun script but Requires(triggerun)
+# is not valid. We can use %%post because this particular %%triggerun script
+# should fire just after this package is installed.
+Requires(post): systemd-sysv
+# /sbin/ifconfig and /sbin/route (bz#922225)
+Requires: net-tools
+Provides: bundled(md5-deutsch)
+
+%description server
+This is the server part of iodine solution.
+
+%description server -l ru
+Это пакет серверной части
+
+%package server-sysvinit
+Summary: Legacy sysvinit scripts for server daemon
+Summary(ru): Устаревшие скрипты инициализации сервера в стиле sysvinit
+Requires(post): chkconfig
+Requires(preun): chkconfig, initscripts
+Requires(postun): initscripts
+
+%description server-sysvinit
+May be needed f.e. on CentOS.
+
+%description client-sysvinit -l ru
+Могут понадобиться например на CentOS.
+
+%prep
+%setup -q -n %{name}-%{version}%{?prerel}
+%patch1 -p1 -b .split-man
+
+%build
+# It is fail to build without -c gcc flag (comes from upstream Makefile).
+make %{?_smp_mflags} prefix=%{_prefix} CFLAGS="-c %{optflags} -DLINUX"
+
+%install
+make install prefix=%{buildroot}%{_prefix}
+
+install -Dp -m 0644 %{SOURCE1} %{buildroot}/%{_sysconfdir}/sysconfig/%{name}-client
+install -Dp -m 0644 %{SOURCE2} %{buildroot}/%{_sysconfdir}/sysconfig/%{name}-server
+
+install -Dp -m 0755 %{SOURCE3} %{buildroot}/%{_initrddir}/%{name}-client
+install -Dp -m 0755 %{SOURCE4} %{buildroot}/%{_initrddir}/%{name}-server
+
+install -Dp -m 0644 %{SOURCE5} %{buildroot}/%{_sysconfdir}/logrotate.d/%{name}-client
+install -Dp -m 0644 %{SOURCE6} %{buildroot}/%{_sysconfdir}/logrotate.d/%{name}-server
+
+install -Dp -m 0644 %{SOURCE7} %{buildroot}/%{_unitdir}/%{name}-client.service
+install -Dp -m 0644 %{SOURCE8} %{buildroot}/%{_unitdir}/%{name}-server.service
+
+%post client
+%systemd_post %{name}-client.service
+
+%preun client
+%systemd_preun %{name}-client.service
+
+%postun client
+%systemd_postun_with_restart %{name}-client.service
+
+%post client-sysvinit
+/sbin/chkconfig --add %{name}-client
+
+%post server-sysvinit
+/sbin/chkconfig --add %{name}-server
+
+%preun client-sysvinit
+if [ $1 = 0 ] ; then
+ /sbin/service %{name}-client stop >/dev/null 2>&1
+ /sbin/chkconfig --del %{name}-client
+fi
+
+%post server
+%systemd_post %{name}-server.service
+
+%preun server
+%systemd_preun %{name}-server.service
+
+%postun server
+%systemd_postun_with_restart %{name}-server.service
+
+%preun server-sysvinit
+if [ $1 = 0 ] ; then
+ /sbin/service %{name}-server stop >/dev/null 2>&1
+ /sbin/chkconfig --del %{name}-server
+fi
+
+%postun client-sysvinit
+if [ "$1" -ge "1" ] ; then
+ /sbin/service %{name}-client condrestart >/dev/null 2>&1 || :
+fi
+
+%postun server-sysvinit
+if [ "$1" -ge "1" ] ; then
+ /sbin/service %{name}-server condrestart >/dev/null 2>&1 || :
+fi
+
+# https://fedoraproject.org/wiki/Packaging:ScriptletSnippets#Systemd
+%triggerun -- %{name}-client < 0.6.0-0.rc1.9
+/usr/bin/systemd-sysv-convert --save %{name}-client >/dev/null 2>&1 ||:
+
+# Run these because the SysV package being removed won't do them
+/sbin/chkconfig --del %{name}-client >/dev/null 2>&1 || :
+/bin/systemctl try-restart %{name}-client.service >/dev/null 2>&1 || :
+
+%triggerun -- %{name}-server < 0.6.0-0.rc1.9
+/usr/bin/systemd-sysv-convert --save %{name}-server >/dev/null 2>&1 ||:
+
+# Run these because the SysV package being removed won't do them
+/sbin/chkconfig --del %{name}-client >/dev/null 2>&1 || :
+/bin/systemctl try-restart %{name}-server.service >/dev/null 2>&1 || :
+
+# https://fedoraproject.org/wiki/Packaging:SysVInitScript#Initscripts_in_addition_to_systemd_unit_files
+%triggerpostun -n %{name}-client-sysvinit -- %{name}-client < 0.6.0-0.rc1.9
+/sbin/chkconfig --add %{name}-client >/dev/null 2>&1 || :
+
+%triggerpostun -n %{name}-server-sysvinit -- %{name}-server < 0.6.0-0.rc1.9
+/sbin/chkconfig --add %{name}-server >/dev/null 2>&1 || :
+
+%files
+%doc CHANGELOG README TODO
+
+%files client
+%{_sbindir}/%{name}
+%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/%{name}-client
+%config(noreplace) %{_sysconfdir}/logrotate.d/%{name}-client
+%{_initrddir}/%{name}-client
+%{_mandir}/man8/%{name}.8.gz
+%{_unitdir}/%{name}-client.service
+
+%files server
+%{_sbindir}/%{name}d
+%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/%{name}-server
+%config(noreplace)
%{_sysconfdir}/logrotate.d/%{name}-server
+%{_initrddir}/%{name}-server
+%{_mandir}/man8/%{name}d.8.gz
+%{_unitdir}/%{name}-server.service
+
+%changelog
+* Tue Jul 22 2014 Pavel Alexeev - 0.7.0-1
+- Update to 0.7.0 to fix CVE-2014-4168 iodine: authentication bypass vulnerability (bz#1110339, bz#1110338 [bz#1110340, bz#1110341, bz#1110342]).
+- Drop old Patch0: iodine-0.5.2-prefix.patch
+- Rebase iodine-0.6.0-rc1.split-man.patch -> iodine-0.7.0.split-man.patch
+- Some spec cleanup.
+
+* Sat Jun 07 2014 Fedora Release Engineering - 0.6.0-0.rc1.12.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Tue Jan 7 2014 Pavel Alexeev - 0.6.0-0.rc1.12
+- Step to systemd macroses (#850160)
+
+* Tue Jan 7 2014 Pavel Alexeev - 0.6.0-0.rc1.11
+- Add Provides: bundled(md5-deutsch) to client and server sub-packages (#1046028)
+
+* Sat Aug 03 2013 Fedora Release Engineering - 0.6.0-0.rc1.10.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Sun Apr 14 2013 Pavel Alexeev - 0.6.0-0.rc1.10
+- Add Requires: net-tools (bz#922225) for server package.
+
+* Thu Feb 14 2013 Fedora Release Engineering - 0.6.0-0.rc1.9.2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Thu Jul 19 2012 Fedora Release Engineering - 0.6.0-0.rc1.9.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Thu Feb 23 2012 Pavel Alexeev - 0.6.0-0.rc1.9
+- Introduce systemd support. Move legacy sysvinit part into subpackages (bz#789697).
+
+* Sun Jan 8 2012 Pavel Alexeev - 0.6.0-0.rc1.8
+- Split man pages also.
+
+* Mon Jan 2 2012 Pavel Alexeev - 0.6.0-0.rc1.7
+- By request bz#758930 split to subpackages.
+
+* Wed Feb 09 2011 Fedora Release Engineering - 0.6.0-0.rc1.6.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Tue Oct 26 2010 Pavel Alexeev - 0.6.0-0.rc1.6
+- Add -DLINUX to build options (BZ#644310, thanks to Andy Shevchenko)
+- Fix service scripts to find binaries in /usr/sbin instead of /usr/bin (BZ#644299 thanks to Andy Shevchenko)
+- Add 0600 file attributes to prevent password access from regular users (BZ#644305).
+- In comments configs add IODINE(D)_PASS variables description (BZ#644317).
+
+* Wed Sep 29 2010 jkeating - 0.6.0-0.rc1.4.2
+- Rebuilt for gcc bug 634757
+
+* Wed Sep 29 2010 jkeating - 0.6.0-0.rc1.4.1
+- Rebuilt for gcc bug 634757
+
+* Sun Sep 12 2010 Pavel Alexeev - 0.6.0-0.rc1.4
+- Build new version 0.6.0rc1
+- Define prerel.
+
+* Sat Mar 6 2010 Pavel Alexeev - 0.5.2-3
+- Honor CFLAGS
+
+* Mon Feb 22 2010 Pavel Alexeev - 0.5.2-2
+- Import some items from Nikolay Ulyanitsky package ( https://bugzilla.redhat.com/show_bug.cgi?id=530747#c1 ):
+ o Add initscripts support (modified)
+ o Add logrotate support
+ o Exclude README-win32.txt and respective delete dos2unix BR.
+ o Add BR zlib-devel
+
+* Sat Oct 24 2009 Pavel Alexeev - 0.5.2-1
+- Initial spec.
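Review bot: The `%triggerun -- %{name}-server` scriptlet runs `/sbin/chkconfig --del %{name}-client`, which deregisters the client's initscript when the server package is upgraded and leaves the server's own entry in place; it should read `/sbin/chkconfig --del %{name}-server >/dev/null 2>&1 || :`. The second `%description client-sysvinit -l ru` block, placed directly after `%description server-sysvinit`, looks like the same copy-paste slip and was presumably meant to be `%description server-sysvinit -l ru`. Neither `client-sysvinit` nor `server-sysvinit` has a `%files` section, while `%{_initrddir}/%{name}-client` and `%{_initrddir}/%{name}-server` are listed under `%files client` and `%files server`, so as far as this spec shows the `-sysvinit` subpackages ship nothing and their `%post`/`%preun`/`%postun` scriptlets and `chkconfig` requirements have no package to attach to; either give them `%files` sections that own the initscripts or drop them and move the `chkconfig`/`initscripts` requirements onto the packages that actually carry the scripts.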