On Fri 04/03/2022 12:20, Bjorn Ketelaars wrote:
> Diff below brings ocserv to 1.1.6. Changes can be found at
> https://ocserv.gitlab.io/www/changelog.html.
> 
> Comments/OK?

Ping...

Diff enclosed again:


diff --git Makefile Makefile
index a3aeb0dee0c..ed2bf093c19 100644
--- Makefile
+++ Makefile
@@ -1,6 +1,6 @@
 COMMENT=       server implementing the AnyConnect SSL VPN protocol
 
-DISTNAME=      ocserv-1.1.3
+DISTNAME=      ocserv-1.1.6
 EXTRACT_SUFX=  .tar.xz
 
 CATEGORIES=    net
diff --git distinfo distinfo
index 1cba0add06d..16c7a6c526b 100644
--- distinfo
+++ distinfo
@@ -1,2 +1,2 @@
-SHA256 (ocserv-1.1.3.tar.xz) = GrcMbm6ja2E+jhcfwDtggcQxKkXuUswpWcBownMkEH4=
-SIZE (ocserv-1.1.3.tar.xz) = 833320
+SHA256 (ocserv-1.1.6.tar.xz) = amy+kiEuMigEJqUcY0rcPUgDV53QSc/bfgFHFMyCxpM=
+SIZE (ocserv-1.1.6.tar.xz) = 839744
diff --git patches/patch-doc_sample_config patches/patch-doc_sample_config
index 355341ba271..e509136066d 100644
--- patches/patch-doc_sample_config
+++ patches/patch-doc_sample_config
@@ -6,7 +6,7 @@ Index: doc/sample.config
 @@ -35,15 +35,6 @@
  # Acct-Interim-Interval, and Session-Timeout values.
  #
- # See doc/README-radius.md for the supported radius configuration atributes.
+ # See doc/README-radius.md for the supported radius configuration attributes.
 -#
 -# 
gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900]
 -#  The gssapi option allows one to use authentication methods supported by 
GSSAPI,
@@ -48,7 +48,7 @@ Index: doc/sample.config
  
  # The default server directory. Does not require any devices present.
  #chroot-dir = /var/lib/ocserv
-@@ -166,16 +155,6 @@ ca-cert = ../tests/certs/ca.pem
+@@ -172,16 +161,6 @@ ca-cert = ../tests/certs/ca.pem
  ### failures during the reloading time.
  
  
@@ -65,19 +65,21 @@ Index: doc/sample.config
  # A banner to be displayed on clients after connection
  #banner = "Welcome"
  
-@@ -341,9 +320,8 @@ min-reauth-time = 300
+@@ -345,10 +324,9 @@ min-reauth-time = 300
  # Banning clients in ocserv works with a point system. IP addresses
  # that get a score over that configured number are banned for
  # min-reauth-time seconds. By default a wrong password attempt is 10 points,
 -# a KKDCP POST is 1 point, and a connection is 1 point. Note that
--# due to difference processes being involved the count of points
--# will not be real-time precise.
-+# and a connection is 1 point. Note that due to different processes
-+# being involved the count of points will not be real-time precise.
+-# due to different processes being involved the count of points
+-# will not be real-time precise. Local subnet IPs are exempt to allow
+-# services that check for process health.
++# and a connection is 1 point. Note that due to different processes being
++# involved the count of points will not be real-time precise. Local subnet
++# IPs are exempt to allow services that check for process health.
  #
- # Score banning cannot be reliably used when receiving proxied connections
- # locally from an HTTP server (i.e., when listen-clear-file is used).
-@@ -357,7 +335,6 @@ ban-reset-time = 1200
+ # Set to zero to disable.
+ max-ban-score = 80
+@@ -359,7 +337,6 @@ ban-reset-time = 1200
  # In case you'd like to change the default points.
  #ban-points-wrong-password = 10
  #ban-points-connection = 1
@@ -85,7 +87,7 @@ Index: doc/sample.config
  
  # Cookie timeout (in seconds)
  # Once a client is authenticated he's provided a cookie with
-@@ -432,7 +409,7 @@ rekey-method = ssl
+@@ -434,7 +411,7 @@ rekey-method = ssl
  use-occtl = true
  
  # PID file. It can be overridden in the command line.
@@ -94,7 +96,7 @@ Index: doc/sample.config
  
  # Log Level. It can be overridden in the command line with the -d option.
  # All messages at the configure level and lower will be displayed.
-@@ -561,6 +538,11 @@ no-route = 192.168.5.0/255.255.255.0
+@@ -563,6 +540,11 @@ no-route = 192.168.5.0/255.255.255.0
  # any other routes. In case of defaultroute, the no-routes are restricted.
  # All the routes applied by ocserv can be reverted using /etc/ocserv/ocserv-fw
  # --removeall. This option can be set globally or in the per-user 
configuration.
@@ -106,7 +108,7 @@ Index: doc/sample.config
  #restrict-user-to-routes = true
  
  # This option implies restrict-user-to-routes set to true. If set, the
-@@ -633,23 +615,6 @@ no-route = 192.168.5.0/255.255.255.0
+@@ -635,23 +617,6 @@ no-route = 192.168.5.0/255.255.255.0
  # and '%{G}', if present will be replaced by the username and group name.
  #proxy-url = http://example.com/
  #proxy-url = http://example.com/%{U}/
