[cc'ing maintainer] Inlined patch updates iperf3 to 3.15 (3 bug fixes, details here - https://github.com/esnet/iperf/releases/tag/3.15).
I run iperf on public server with unfirewalled ports, so I'd like it to be pledged/unveiled, -I and --logfile options are working fine. Probably we could drop privs more granularly, but for I'd like to keep things simple. diff refs/heads/master refs/heads/iperf3 commit - de754ab24f5686d70c44225d7fe12704063ff1de commit + 5bdda7a75b52879eba6e0f671c5f3c95701254f7 blob - 1c29e29d94370a9345b58f34cdd29525f0fb9e53 blob + 1693ea4aab9e9051e306c4069736b501aa811193 --- net/iperf3/Makefile +++ net/iperf3/Makefile @@ -1,6 +1,6 @@ COMMENT= tool to measure maximum achievable bandwidth on IP networks -V= 3.14 +V= 3.15 PKGNAME= iperf3-${V} DISTNAME= iperf-${V} @@ -15,6 +15,7 @@ MAINTAINER= Lawrence Teo <l...@openbsd.org> # BSD 3-clause PERMIT_PACKAGE= Yes +# uses pledge unveil WANTLIB += c m SITES= https://downloads.es.net/pub/iperf/ blob - aee4720c9e7a7c01d458ad75fa6ffacc4f3c5bcc blob + 5e78d43fb08210550fb72de43ea73eb845202b01 --- net/iperf3/distinfo +++ net/iperf3/distinfo @@ -1,2 +1,2 @@ -SHA256 (iperf-3.14.tar.gz) = cj/MQwoCe8aVJij6KjrHdYSh0L0ygnXlc/ybIGwVUAQ= -SIZE (iperf-3.14.tar.gz) = 647944 +SHA256 (iperf-3.15.tar.gz) = vbd8EfcrzpAhSIMVlXf6JEEgE+YrIIPPX1Q5HXmx2P8= +SIZE (iperf-3.15.tar.gz) = 649330 blob - b14f7a1e19110d400b65c7d78c413e1d1136b36d blob + ed586e35ac74ce8929882aac0e6c4c619fbebca9 --- net/iperf3/patches/patch-src_iperf_api_c +++ net/iperf3/patches/patch-src_iperf_api_c @@ -3,7 +3,7 @@ Default to IPv4. Index: src/iperf_api.c --- src/iperf_api.c.orig +++ src/iperf_api.c -@@ -2860,7 +2860,7 @@ iperf_defaults(struct iperf_test *testp) +@@ -2884,7 +2884,7 @@ iperf_defaults(struct iperf_test *testp) testp->stats_interval = testp->reporter_interval = 1; testp->num_streams = 1; blob - /dev/null blob + 0596ef57b03120c490a2cac6fafbd8e529f03807 (mode 644) --- /dev/null +++ net/iperf3/patches/patch-src_main_c 
@@ -0,0 +1,65 @@
+Add pledge and unveil
+
+Index: src/main.c
+--- src/main.c.orig
++++ src/main.c
+@@ -59,6 +59,18 @@ main(int argc, char **argv)
+ {
+ struct iperf_test *test;
+
++#if defined(__OpenBSD__)
++ if (pledge("stdio tmppath rpath cpath wpath inet unveil", NULL) == -1) {
++ fprintf(stderr, "pledge: %s\n", strerror(errno));
++ exit(1);
++ }
++
++ if (unveil("/dev/urandom", "r") == -1) {
++ fprintf(stderr, "unveil urandom: %s\n", strerror(errno));
++ exit(1);
++ }
++#endif
++
+ // XXX: Setting the process affinity requires root on most systems.
+ // Is this a feature we really need?
+ #ifdef TEST_PROC_AFFINITY
+@@ -104,6 +116,40 @@ main(int argc, char **argv)
+ usage();
+ exit(1);
+ }
++
++#if defined(__OpenBSD__)
++ int needwr = 0;
++
++ /* Check for the features which require wpath and cpath */
++ if (test->pidfile) {
++ if (unveil(test->pidfile, "cw") == -1) {
++ fprintf(stderr, "uneveil pidfile: %s\n", strerror(errno));
++ exit(1);
++ } else
++ needwr = 1;
++ }
++
++ if (test->logfile) {
++ if (unveil(test->logfile, "cwr") == -1) {
++ fprintf(stderr, "uneveil logfile: %s\n", strerror(errno));
++ exit(1);
++ } else
++ needwr = 1;
++ }
++
++ /* Drop wpath and cpath if we can */
++ if (needwr == 0) {
++ if (pledge("stdio tmppath rpath inet unveil", NULL) == -1) {
++ fprintf(stderr, "pledge needwr: %s\n", strerror(errno));
++ exit(1);
++ }
++ }
++
++ if (unveil(NULL, NULL) == -1) {
++ fprintf(stderr, "unveil NULL: %s\n", strerror(errno));
++ exit(1);
++ }
++#endif
+
+ if (run(test) < 0)
+ iperf_errexit(test, "error - %s", iperf_strerror(i_errno));
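Review bot: Both pledge strings in the two main() hunks omit `dns` and `proc`, and after `unveil("/dev/urandom", "r")` only the pidfile and logfile are ever added, so any other file or facility iperf3 needs at run time is cut off. Client mode with a hostname probably can no longer read /etc/resolv.conf or /etc/hosts (the `dns` promise is the usual way to keep the resolver working under unveil), `-D` will abort if run() still calls daemon(3), and a `-F` file is never unveiled; the report only mentions testing -I and --logfile, so these paths look untested. I would add `dns` to both promise lists, e.g. `pledge("stdio tmppath rpath cpath wpath inet dns unveil", NULL)`, and either extend the promises and unveils when `-D` or `-F` is set or reject those options with a clear error on OpenBSD. The two messages spelled `"uneveil ..."` should read `"unveil pidfile: %s\n"` and `"unveil logfile: %s\n"`. main() starts and ends outside both hunks, so run() and the option parser were not visible for this review.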