New port: net/mlvpn

MLVPN allow to bond your internet links to increase bandwidth, secure your
internet connection by actively monitoring your links and removing the faulty
ones, without loosing your TCP connections and secure your internet connection
to the aggregation server using cryptography.

WWW: https://zehome.github.io/MLVPN/

Approved by:	mat
Differential Revision:	https://reviews.freebsd.org/D6034

GIDs

@@ -103,6 +103,7 @@ agk:*:172:
 polipo:*:173:
 flowtools:*:174:
 twms:*:175:
+mlvpn:*:176:
 gdnsd:*:179:
 rt:*:180:
 nagios:*:181:

UIDs

@@ -109,6 +109,7 @@ agk:*:172:172::0:0:AquaGateKeeper:/nonexistent:/nonexistent
 polipo:*:173:173::0:0:polipo web cache:/nonexistent:/usr/sbin/nologin
 flowtools:*:174:174::0:0:Flow-tools collector pseudo-user:/nonexistent:/usr/sbin/nologin
 twms:*:175:175::0:0:tWMS pseudo-user:/nonexistent:/usr/sbin/nologin
+mlvpn:*:176:176::0:0:mlVPN pseudo-user:/var/run/mlvpn:/usr/sbin/nologin
 gdnsd:*:179:179::0:0:gDNSd pseudo-user:/nonexistent:/usr/sbin/nologin
 nagios:*:181:181::0:0:Nagios pseudo-user:/var/spool/nagios:/usr/sbin/nologin
 noc:*:182:182::0:0:NOC pseudo-user:/usr/local/noc:/bin/sh

net/Makefile

@@ -398,6 +398,7 @@
     SUBDIR += miniupnpd
     SUBDIR += miredo
     SUBDIR += miruo
+    SUBDIR += mlvpn
     SUBDIR += mono-zeroconf
     SUBDIR += mopd
     SUBDIR += morebalance

net/mlvpn/Makefile

@@ -0,0 +1,41 @@
+# $FreeBSD$
+
+PORTNAME=	mlvpn
+PORTVERSION=	2.3.1
+CATEGORIES=	net
+
+MAINTAINER=	olivier@FreeBSD.org
+COMMENT=	Multi-link VPN
+
+LICENSE=	BSD2CLAUSE
+LICENSE_FILE=	${WRKSRC}/LICENCE
+
+LIB_DEPENDS=	libev.so:devel/libev \
+		libsodium.so:security/libsodium
+
+USE_GITHUB=	yes
+GH_PROJECT=	MLVPN
+GH_ACCOUNT=	zehome
+
+USES=	autoreconf libtool pkgconfig localbase
+GNU_CONFIGURE=	yes
+
+USERS=		mlvpn
+GROUPS=		mlvpn
+USE_RC_SUBR=	mlvpn
+
+OPTIONS_DEFINE=	CONTROL
+CONTROL_DESC=	Enable UNIX socket/HTTP json remote control API
+
+OPTIONS_DEFAULT=	CONTROL
+CONTROL_CONFIGURE_OFF=	--disable-control
+
+do-install:
+	${INSTALL_PROGRAM} ${WRKSRC}/src/${PORTNAME} ${STAGEDIR}${PREFIX}/sbin/
+	${INSTALL_MAN} ${WRKSRC}/man/${PORTNAME}.1 ${STAGEDIR}${PREFIX}/man/man1
+	${INSTALL_MAN} ${WRKSRC}/man/${PORTNAME}.conf.5	${STAGEDIR}${PREFIX}/man/man5
+	@${MKDIR} ${STAGEDIR}${ETCDIR}
+	${INSTALL_MAN} ${WRKSRC}/doc/examples/${PORTNAME}.conf.in ${STAGEDIR}${ETCDIR}/${PORTNAME}.conf.sample
+	${INSTALL_SCRIPT} ${WRKSRC}/doc/examples/mlvpn_updown.sh.in ${STAGEDIR}${ETCDIR}/mlvpn_updown.sh
+
+.include <bsd.port.mk>

net/mlvpn/distinfo

@@ -0,0 +1,2 @@
+SHA256 (zehome-MLVPN-2.3.1_GH0.tar.gz) = 4bbe8ae10ccad4ba764d29db0293b3ab523ded5d0a0b5adbe6a8d4d839e4138e
+SIZE (zehome-MLVPN-2.3.1_GH0.tar.gz) = 83817

net/mlvpn/files/mlvpn.in

@@ -0,0 +1,155 @@
+#!/bin/sh
+#
+# mlvpn - load tun/tap driver and start mlvpn daemon
+#
+# (C) Copyright 2005 - 2008, 2010 by Matthias Andree
+# (C) Copyright 2015 Laurent COUSTET (mlvpn modifications)
+# (C) Copyright 2016 Olivier Cochard-Labbe (updating rc script)
+
+# based on suggestions by Matthias Grimm and Dirk Gouders
+# with multi-instance contribution from Denis Shaposhnikov, Gleb Kozyrev
+# and Vasil Dimov
+# softrestart feature suggested by Nick Hibma
+#
+# This program is free software; you can redistribute it and/or modify it under
+# the terms of the GNU General Public License as published by the Free Software
+# Foundation; either version 2 of the License, or (at your option) any later
+# version.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+# FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
+# details.
+#
+# You should have received a copy of the GNU General Public License along with
+# this program; if not, write to the Free Software Foundation, Inc., 51 Franklin
+# Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+# PROVIDE: mlvpn
+# REQUIRE: DAEMON
+# KEYWORD: shutdown
+
+# -----------------------------------------------------------------------------
+#
+# This script supports running multiple instances of mlvpn
+# To run additional instances link this script to something like
+# % ln -s mlvpn mlvpn_foo
+# and define additional mlvpn_foo_* variables in one of
+# /etc/rc.conf, /etc/rc.conf.local or /etc/rc.conf.d/mlvpn_foo
+#
+# Below NAME should be substituted with the name of this script. By default
+# it is mlvpn, so read as mlvpn_enable. If you linked the script to
+# mlvpn_foo, then read as mlvpn_foo_enable etc.
+#
+# The following variables are supported (defaults are shown).
+# You can place them in any of
+# /etc/rc.conf, /etc/rc.conf.local or /etc/rc.conf.d/NAME
+#
+# NAME_enable="NO"	# set to YES to enable mlvpn
+# NAME_if=		# driver(s) to load, set to "tun", "tap" or "tun tap"
+#			# it is OK to specify the if_ prefix.
+#
+# # optional:
+# NAME_flags=				# additional command line arguments
+# NAME_configfile="/usr/local/etc/mlvpn/NAME.conf"	# --config file
+#
+# Note that we deliberately refrain from unloading drivers.
+#
+# For further documentation, please see http://www.mlvpn.fr/
+#
+
+. /etc/rc.subr
+
+case "$0" in
+/etc/rc*)
+	# during boot (shutdown) $0 is /etc/rc (/etc/rc.shutdown),
+	# so get the name of the script from $_file
+	name="$_file"
+	;;
+*)
+	name="$0"
+	;;
+esac
+
+name="${name##*/}"
+rcvar=${name}_enable
+
+mlvpn_stop()
+{
+	if [ -f ${pidfile} ]; then
+		rc_pid=$(check_pidfile $pidfile ${name})
+		kill -TERM $rc_pid
+		wait_for_pids $rc_pid
+	fi
+}
+
+stop_postcmd()
+{
+	rm -f "$pidfile" || warn "Could not remove $pidfile."
+}
+
+mlvpn_softrestart()
+{
+	rc_pid=$(check_pidfile $pidfile ${name})
+	local status
+
+	if ! status=`run_rc_command status 2>&1`; then
+		echo $status
+		return 1
+	fi
+	echo 'Softrestarting mlvpn.'
+	kill -USR1 $rc_pid
+}
+
+mlvpn_status()
+{
+	rc_pid=$(check_pidfile $pidfile ${name})
+
+	if [ -z "$rc_pid" ]; then
+		[ -n "$rc_fast" ] && return 0
+		if [ -n "$pidfile" ]; then
+			echo "${name} not running? (check $pidfile)."
+		else
+			echo "${name} not running?"
+		fi
+		return 1
+	fi
+	echo "${name} is running as pid ${rc_pid}"
+}
+
+# reload: support SIGHUP to reparse configuration file
+# softrestart: support SIGUSR1 to reconnect without superuser privileges
+extra_commands="reload softrestart"
+softrestart_cmd="mlvpn_softrestart"
+
+# pidfile
+pidfile="/var/run/${name}.pid"
+rc_pid=$(check_pidfile $pidfile ame)
+
+# command and arguments
+procname="%%PREFIX%%/sbin/mlvpn"
+command="/usr/sbin/daemon"
+
+# run this last
+stop_cmd="mlvpn_stop"
+stop_postcmd="stop_postcmd"
+status_cmd="mlvpn_status"
+
+load_rc_config ${name}
+
+eval ": \${${name}_enable:=\"NO\"}"
+eval ": \${${name}_configfile:=\"/usr/local/etc/mlvpn/${name}.conf\"}"
+
+configfile="$(eval echo \${${name}_configfile})"
+interfaces="$(eval echo \${${name}_if})"
+
+required_modules=
+for i in $interfaces ; do
+    required_modules="$required_modules${required_modules:+" "}if_${i#if_}"
+done
+
+required_files=${configfile}
+
+command_args="-f -p ${pidfile} ${procname} --name ${name} --config ${configfile} --user mlvpn"
+
+run_rc_command "$1"

net/mlvpn/files/patch-src_config.c

@@ -0,0 +1,57 @@
+--- src/config.c.orig	2015-12-28 11:20:16 UTC
++++ src/config.c
+@@ -269,6 +269,7 @@ mlvpn_config(int config_file_fd, int fir
+             } else if (strncmp(lastSection, "filters", 7) != 0) {
+                 char *bindaddr;
+                 char *bindport;
++				uint32_t bindfib = 0;
+                 char *dstaddr;
+                 char *dstport;
+                 uint32_t bwlimit = 0;
+@@ -284,6 +285,9 @@ mlvpn_config(int config_file_fd, int fir
+                     _conf_set_str_from_conf(
+                         config, lastSection, "bindport", &bindport, NULL,
+                         "bind port is mandatory in server mode.\n", 1);
++					_conf_set_uint_from_conf(
++						config, lastSection, "bindfib", &bindfib, 0,
++						NULL, 0);
+                     _conf_set_str_from_conf(
+                         config, lastSection, "remotehost", &dstaddr, NULL,
+                         NULL, 0);
+@@ -297,6 +301,9 @@ mlvpn_config(int config_file_fd, int fir
+                     _conf_set_str_from_conf(
+                         config, lastSection, "bindport", &bindport, NULL,
+                         NULL, 0);
++					 _conf_set_uint_from_conf(
++						config, lastSection, "bindfib", &bindfib, 0,
++						NULL, 0);
+                     _conf_set_str_from_conf(
+                         config, lastSection, "remotehost", &dstaddr, NULL,
+                         "No remote address specified.\n", 1);
+@@ -336,6 +343,7 @@ mlvpn_config(int config_file_fd, int fir
+                               tmptun->name);
+                         if ((! mystr_eq(tmptun->bindaddr, bindaddr)) ||
+                                 (! mystr_eq(tmptun->bindport, bindport)) ||
++								(tmptun->bindfib != bindfib) ||
+                                 (! mystr_eq(tmptun->destaddr, dstaddr)) ||
+                                 (! mystr_eq(tmptun->destport, dstport))) {
+                             mlvpn_rtun_status_down(tmptun);
+@@ -347,6 +355,9 @@ mlvpn_config(int config_file_fd, int fir
+                         if (bindport) {
+                             strlcpy(tmptun->bindport, bindport, sizeof(tmptun->bindport));
+                         }
++						if (tmptun->bindfib != bindfib) {
++							tmptun->bindfib = bindfib;
++						}
+                         if (dstaddr) {
+                             strlcpy(tmptun->destaddr, dstaddr, sizeof(tmptun->destaddr));
+                         }
+@@ -380,7 +391,7 @@ mlvpn_config(int config_file_fd, int fir
+                 {
+                     log_info("config", "%s tunnel added", lastSection);
+                     mlvpn_rtun_new(
+-                        lastSection, bindaddr, bindport, dstaddr, dstport,
++                        lastSection, bindaddr, bindport, bindfib, dstaddr, dstport,
+                         default_server_mode, timeout, fallback_only,
+                         bwlimit, loss_tolerence);
+                 }

net/mlvpn/files/patch-src_mlvpn.c

@@ -0,0 +1,54 @@
+--- src/mlvpn.c.orig	2015-12-28 11:20:16 UTC
++++ src/mlvpn.c
+@@ -597,7 +597,7 @@ mlvpn_rtun_write(EV_P_ ev_io *w, int rev
+ 
+ mlvpn_tunnel_t *
+ mlvpn_rtun_new(const char *name,
+-               const char *bindaddr, const char *bindport,
++               const char *bindaddr, const char *bindport, uint32_t bindfib,
+                const char *destaddr, const char *destport,
+                int server_mode, uint32_t timeout,
+                int fallback_only, uint32_t bandwidth,
+@@ -653,6 +653,7 @@ mlvpn_rtun_new(const char *name,
+         strlcpy(new->bindaddr, bindaddr, sizeof(new->bindaddr));
+     if (bindport)
+         strlcpy(new->bindport, bindport, sizeof(new->bindport));
++	new->bindfib = bindfib;
+     if (destaddr)
+         strlcpy(new->destaddr, destaddr, sizeof(new->destaddr));
+     if (destport)
+@@ -780,6 +781,7 @@ static int
+ mlvpn_rtun_start(mlvpn_tunnel_t *t)
+ {
+     int ret, fd = -1;
++	int fib = 0;
+     char *addr, *port;
+     struct addrinfo hints, *res;
+ 
+@@ -788,9 +790,11 @@ mlvpn_rtun_start(mlvpn_tunnel_t *t)
+     {
+         addr = t->bindaddr;
+         port = t->bindport;
++		fib = t->bindfib;
+     } else {
+         addr = t->destaddr;
+         port = t->destport;
++		fib = t->bindfib;
+     }
+ 
+     /* Initialize hints */
+@@ -817,6 +821,14 @@ mlvpn_rtun_start(mlvpn_tunnel_t *t)
+             log_warn(NULL, "%s socket creation error",
+                 t->name);
+         } else {
++#if defined(HAVE_FREEBSD) || defined(HAVE_OPENBSD)
++			/* Setting SO_SETFIB (fib) supported on FreeBSD and OpenBSD only */
++			if (setsockopt(fd, SOL_SOCKET, SO_SETFIB, &fib, sizeof(fib)) < 0)
++			{
++      			log_warnx(NULL, "Cannot set FIB %d for kernel socket", fib);
++				goto error;
++			}
++#endif
+             t->fd = fd;
+             break;
+         }

net/mlvpn/files/patch-src_mlvpn.h

@@ -0,0 +1,19 @@
+--- src/mlvpn.h.orig	2015-12-28 11:20:16 UTC
++++ src/mlvpn.h
+@@ -138,6 +138,7 @@ typedef struct mlvpn_tunnel_s
+     char *name;           /* tunnel name */
+     char bindaddr[MLVPN_MAXHNAMSTR]; /* packets source */
+     char bindport[MLVPN_MAXPORTSTR]; /* packets port source (or NULL) */
++	uint32_t bindfib;     /* FIB number to use */
+     char destaddr[MLVPN_MAXHNAMSTR]; /* remote server ip (can be hostname) */
+     char destport[MLVPN_MAXPORTSTR]; /* remote server port */
+     int fd;               /* socket file descriptor */
+@@ -193,7 +194,7 @@ int mlvpn_rtun_wrr_reset(struct rtunhead
+ mlvpn_tunnel_t *mlvpn_rtun_wrr_choose();
+ mlvpn_tunnel_t *mlvpn_rtun_choose();
+ mlvpn_tunnel_t *mlvpn_rtun_new(const char *name,
+-    const char *bindaddr, const char *bindport,
++    const char *bindaddr, const char *bindport, uint32_t bindfib,
+     const char *destaddr, const char *destport,
+     int server_mode, uint32_t timeout,
+     int fallback_only, uint32_t bandwidth,

net/mlvpn/files/patch-src_tuntap__bsd.c

@@ -0,0 +1,11 @@
+--- src/tuntap_bsd.c.orig	2015-12-28 11:20:16 UTC
++++ src/tuntap_bsd.c
+@@ -21,7 +21,7 @@ mlvpn_tuntap_read(struct tuntap_s *tunta
+     mlvpn_tunnel_t *rtun = NULL;
+     mlvpn_pkt_t *pkt;
+     ssize_t ret;
+-    u_char data[DEFAULT_MTU]
++    u_char data[DEFAULT_MTU];
+     struct iovec iov[2];
+     uint32_t type;
+ 

net/mlvpn/pkg-descr

@@ -0,0 +1,6 @@
+MLVPN allow to bond your internet links to increase bandwidth, secure your 
+internet connection by actively monitoring your links and removing the faulty 
+ones, without loosing your TCP connections and secure your internet connection 
+to the aggregation server using cryptography.
+
+WWW: https://zehome.github.io/MLVPN/

net/mlvpn/pkg-plist

@@ -0,0 +1,5 @@
+sbin/mlvpn
+man/man1/mlvpn.1.gz
+man/man5/mlvpn.conf.5.gz
+@sample(,,600)  %%ETCDIR%%/mlvpn.conf.sample
+@(,,700) %%ETCDIR%%/mlvpn_updown.sh