blob: 9c73c7ce0bd6687de7db7a0a15d6d516abe23181 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
|
--- openswan-2.6.41.orig/Makefile.inc 2014-02-21 21:46:57.000000000 +0100
+++ openswan-2.6.41/Makefile.inc 2014-03-12 18:39:50.906115397 +0100
@@ -169,7 +169,7 @@ INSTALL=install
# how backup names are composed.
# Note that the install procedures will never overwrite an existing config
# file, which is why -b is not specified for them.
-INSTBINFLAGS=-b --suffix=.old
+INSTBINFLAGS=
INSTSUIDFLAGS=--mode=u+rxs,g+rx,o+rx --group=root -b --suffix=.old
INSTMANFLAGS=
INSTCONFFLAGS=
@@ -191,10 +191,10 @@ BISONOSFLAGS=
#Example for a cross compile:
#USERCOMPILE?=-g ${PORTDEFINE} -I/usr/local/arm_tools/arm-elf/inc -L/usr/local/arm_tools/lib/gcc-lib
GCC_LINT ?= -DGCC_LINT
-USERCOMPILE?=-g -O3 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 ${WERROR} $(GCC_LINT)
+USERCOMPILE?=-g -O3 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -D_FORTIFY_SOURCE=2 ${WERROR} $(GCC_LINT)
# on fedora/rhel
#USERCOMPILE?=-g -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fPIE -pie -DSUPPORT_BROKEN_ANDROID_ICS
-KLIPSCOMPILE=-O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -DCONFIG_KLIPS_ALG -DDISABLE_UDP_CHECKSUM
+KLIPSCOMPILE=-O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -D_FORTIFY_SOURCE=2 -DCONFIG_KLIPS_ALG -DDISABLE_UDP_CHECKSUM
# Additional debugging for developers (warning: can crash openswan!)
#USERCOMPILE?=-g -DLEAK_DETECTIVE -lefence
# You can also run this before starting openswan on glibc systems:
@@ -283,12 +283,12 @@ RH_KERNELSRC?=/lib/modules/2.6.9-1.681_F
# Note you need a locally running bind9 nameserver with lwres{} enabled
# to use this, or have the "lwres" package installed and running.
# This only affects conns that use DNS for keys in lookups.
-USE_LWRES?=false
+USE_LWRES?=true
# Do a new lookup every time a connection is (re)started. This works better
# on hosts with some dyndns service, since DPD will cause a new dns lookup,
# but it could be a potential security issue if receiving spoofed dns.
-USE_DYNAMICDNS?=true
+USE_DYNAMICDNS?=false
# Do we want all the configuration files like ipsec.conf and ipsec.secrets
# and any certificates to be in a single directory defined by
|
