authorMartin Matuska <mm@FreeBSD.org>2010-05-29 08:44:58 +0000
committerMartin Matuska <mm@FreeBSD.org>2010-05-29 08:44:58 +0000
commit6d5ce7025189b5b3d276683da0e8e40c331aa216 (patch)
tree9c06687c2e372f0582359d64b52661806b31bf56 /net/relayd
parent186de1fb48a7c0c90b8a95c42343aad1fba8d558 (diff)
- Fix SSL certificate paths to PREFIX
- Add relayd.conf.sample - Bump PORTREVISION
Notes
Notes: svn path=/head/; revision=255264
Diffstat (limited to 'net/relayd')
-rw-r--r--net/relayd/Makefile37
-rw-r--r--net/relayd/files/patch-freebsd-relayd125
-rw-r--r--net/relayd/files/relayd.conf.sample106
3 files changed, 223 insertions, 45 deletions
diff --git a/net/relayd/Makefile b/net/relayd/Makefile
index 10e1086af3f0..9d19590701c1 100644
--- a/net/relayd/Makefile
+++ b/net/relayd/Makefile
@@ -6,6 +6,7 @@
PORTNAME= relayd
PORTVERSION= 4.6.20090813
+PORTREVISION= 1
CATEGORIES= net
MASTER_SITES= ${MASTER_SITE_LOCAL}
MASTER_SITE_SUBDIR= mm
@@ -33,22 +34,6 @@ SUB_FILES+= pkg-install
SUB_LIST+= RUSER=${RUSER} \
RGROUP=${RGROUP}
-post-extract:
- @${CP} ${FILESDIR}/Makefile.all ${WRKSRC}/Makefile
- @${CP} ${FILESDIR}/Makefile.relayctl ${WRKSRC}/relayctl/Makefile
- @${CP} ${FILESDIR}/Makefile.relayd ${WRKSRC}/relayd/Makefile
- @${CP} ${FILESDIR}/arc4random.c ${WRKSRC}/relayd
-
-pre-build:
- ${REINPLACE_CMD} -e 's|%%PREFIX%%|${PREFIX}|g' \
- ${WRKSRC}/relayd/relayd.h \
- ${WRKSRC}/relayd/relayd.conf.5 \
- ${WRKSRC}/relayd/relayd.8
-
-pre-su-install:
- @${SETENV} PKG_PREFIX=${PREFIX} \
- ${SH} ${PKGINSTALL} ${PORTNAME} PRE-INSTALL
-
OPTIONS= LIBEVENT_STATIC "Build with static libevent" Off
.include <bsd.port.pre.mk>
@@ -65,4 +50,24 @@ MAKE_ARGS+= LIBEVENT=-levent
IGNORE= needs a patched kernel to work correctly (http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf_table.c.diff?r1=1.67&r2=1.68)
.endif
+post-extract:
+ @${CP} ${FILESDIR}/Makefile.all ${WRKSRC}/Makefile
+ @${CP} ${FILESDIR}/Makefile.relayctl ${WRKSRC}/relayctl/Makefile
+ @${CP} ${FILESDIR}/Makefile.relayd ${WRKSRC}/relayd/Makefile
+ @${CP} ${FILESDIR}/arc4random.c ${WRKSRC}/relayd
+
+post-patch:
+ @${REINPLACE_CMD} -e 's|%%PREFIX%%|${PREFIX}|g' \
+ ${WRKSRC}/relayd/relay.c \
+ ${WRKSRC}/relayd/relayd.h \
+ ${WRKSRC}/relayd/relayd.conf.5 \
+ ${WRKSRC}/relayd/relayd.8
+
+pre-su-install:
+ @${SETENV} PKG_PREFIX=${PREFIX} \
+ ${SH} ${PKGINSTALL} ${PORTNAME} PRE-INSTALL
+
+post-install:
+ @${INSTALL_DATA} ${FILESDIR}/relayd.conf.sample ${PREFIX}/etc
+
.include <bsd.port.post.mk>
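Review bot: The new `post-install` target copies relayd.conf.sample into `${PREFIX}/etc`, but the diffstat lists no pkg-plist change and no `PLIST_FILES` line is visible in this hunk, so unless the plist is handled in a part of the Makefile outside this view the installed file is unregistered and will be left behind on deinstall; if that is the case, add `PLIST_FILES+= etc/relayd.conf.sample` (or the matching pkg-plist entry) alongside the target. The `post-patch` REINPLACE list is now the only place the `%%PREFIX%%` placeholder is expanded, and relay.c is where the SSL key and certificate paths are built, so a short comment above it such as `# expand %%PREFIX%% in every file the FreeBSD patch marks (relay.c carries the SSL key/cert paths)` would keep the list from silently drifting apart from files/patch-freebsd-relayd. The rest of the Makefile is outside this hunk.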
diff --git a/net/relayd/files/patch-freebsd-relayd b/net/relayd/files/patch-freebsd-relayd
index 50e2a8202189..a8cedfb7c0d5 100644
--- a/net/relayd/files/patch-freebsd-relayd
+++ b/net/relayd/files/patch-freebsd-relayd
@@ -1,6 +1,6 @@
diff -Naur relayd.orig/carp.c relayd/carp.c
---- relayd.orig/carp.c 2010-05-27 11:05:52.871795234 +0200
-+++ relayd/carp.c 2010-05-27 11:05:58.266605620 +0200
+--- relayd.orig/carp.c 2010-05-29 10:41:49.559000800 +0200
++++ relayd/carp.c 2010-05-29 10:41:54.579324977 +0200
@@ -19,6 +19,7 @@
#include <sys/param.h>
#include <sys/socket.h>
@@ -10,8 +10,8 @@ diff -Naur relayd.orig/carp.c relayd/carp.c
#include <net/if.h>
diff -Naur relayd.orig/check_tcp.c relayd/check_tcp.c
---- relayd.orig/check_tcp.c 2010-05-27 11:05:52.872794016 +0200
-+++ relayd/check_tcp.c 2010-05-27 11:05:58.269605038 +0200
+--- relayd.orig/check_tcp.c 2010-05-29 10:41:49.561008583 +0200
++++ relayd/check_tcp.c 2010-05-29 10:41:54.580329287 +0200
@@ -31,7 +31,7 @@
#include <stdlib.h>
#include <errno.h>
@@ -70,8 +70,8 @@ diff -Naur relayd.orig/check_tcp.c relayd/check_tcp.c
if (strcmp(cte->table->conf.digest, digest)) {
log_warnx("check_http_digest: %s failed "
diff -Naur relayd.orig/hce.c relayd/hce.c
---- relayd.orig/hce.c 2010-05-27 11:05:52.872794016 +0200
-+++ relayd/hce.c 2010-05-27 11:05:58.270605497 +0200
+--- relayd.orig/hce.c 2010-05-29 10:41:49.560005111 +0200
++++ relayd/hce.c 2010-05-29 10:41:54.582336791 +0200
@@ -167,7 +167,7 @@
struct timeval tv;
struct table *table;
@@ -93,8 +93,8 @@ diff -Naur relayd.orig/hce.c relayd/hce.c
host->last_up = host->up;
diff -Naur relayd.orig/log.c relayd/log.c
---- relayd.orig/log.c 2010-05-27 11:05:52.872794016 +0200
-+++ relayd/log.c 2010-05-27 11:05:58.271605396 +0200
+--- relayd.orig/log.c 2010-05-29 10:41:49.560005111 +0200
++++ relayd/log.c 2010-05-29 10:41:54.585349444 +0200
@@ -16,7 +16,11 @@
* OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
@@ -108,8 +108,8 @@ diff -Naur relayd.orig/log.c relayd/log.c
#include <sys/socket.h>
#include <sys/tree.h>
diff -Naur relayd.orig/parse.y relayd/parse.y
---- relayd.orig/parse.y 2010-05-27 11:05:52.874794374 +0200
-+++ relayd/parse.y 2010-05-27 11:07:06.666448151 +0200
+--- relayd.orig/parse.y 2010-05-29 10:41:49.561008583 +0200
++++ relayd/parse.y 2010-05-29 10:41:54.588360421 +0200
@@ -343,6 +343,7 @@
}
conf->sc_prefork_relay = $2;
@@ -171,8 +171,8 @@ diff -Naur relayd.orig/parse.y relayd/parse.y
if (error) {
log_warnx("host_dns: could not parse \"%s\": %s", s,
diff -Naur relayd.orig/pfe.c relayd/pfe.c
---- relayd.orig/pfe.c 2010-05-27 11:05:52.874794374 +0200
-+++ relayd/pfe.c 2010-05-27 11:05:58.276615510 +0200
+--- relayd.orig/pfe.c 2010-05-29 10:41:49.559000800 +0200
++++ relayd/pfe.c 2010-05-29 10:41:54.596392393 +0200
@@ -17,6 +17,9 @@
*/
@@ -210,8 +210,8 @@ diff -Naur relayd.orig/pfe.c relayd/pfe.c
}
diff -Naur relayd.orig/pfe_filter.c relayd/pfe_filter.c
---- relayd.orig/pfe_filter.c 2010-05-27 11:05:52.873793915 +0200
-+++ relayd/pfe_filter.c 2010-05-27 11:05:58.277615689 +0200
+--- relayd.orig/pfe_filter.c 2010-05-29 10:41:49.560005111 +0200
++++ relayd/pfe_filter.c 2010-05-29 10:41:54.600408239 +0200
@@ -97,6 +97,10 @@
sizeof(tables[i].pfrt_name))
goto toolong;
@@ -270,8 +270,8 @@ diff -Naur relayd.orig/pfe_filter.c relayd/pfe_filter.c
if (rio.rule.proto == IPPROTO_TCP)
rio.rule.timeout[PFTM_TCP_ESTABLISHED] =
diff -Naur relayd.orig/relay.c relayd/relay.c
---- relayd.orig/relay.c 2010-05-27 11:05:52.872794016 +0200
-+++ relayd/relay.c 2010-05-27 11:05:58.280728536 +0200
+--- relayd.orig/relay.c 2010-05-29 10:41:49.560005111 +0200
++++ relayd/relay.c 2010-05-29 10:41:54.603420334 +0200
@@ -16,7 +16,11 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
@@ -363,9 +363,27 @@ diff -Naur relayd.orig/relay.c relayd/relay.c
fail:
if (buf != NULL)
+@@ -3142,7 +3168,7 @@
+ return (-1);
+
+ if (snprintf(certfile, sizeof(certfile),
+- "/etc/ssl/%s.crt", hbuf) == -1)
++ "%%PREFIX%%/etc/ssl/%s.crt", hbuf) == -1)
+ return (-1);
+ if ((rlay->rl_ssl_cert = relay_load_file(certfile,
+ &rlay->rl_ssl_cert_len)) == NULL)
+@@ -3150,7 +3176,7 @@
+ log_debug("relay_load_certfiles: using certificate %s", certfile);
+
+ if (snprintf(certfile, sizeof(certfile),
+- "/etc/ssl/private/%s.key", hbuf) == -1)
++ "%%PREFIX%%/etc/ssl/private/%s.key", hbuf) == -1)
+ return -1;
+ if ((rlay->rl_ssl_key = relay_load_file(certfile,
+ &rlay->rl_ssl_key_len)) == NULL)
diff -Naur relayd.orig/relay_udp.c relayd/relay_udp.c
---- relayd.orig/relay_udp.c 2010-05-27 11:05:52.873793915 +0200
-+++ relayd/relay_udp.c 2010-05-27 11:05:58.281790178 +0200
+--- relayd.orig/relay_udp.c 2010-05-29 10:41:49.559000800 +0200
++++ relayd/relay_udp.c 2010-05-29 10:41:54.613459810 +0200
@@ -16,7 +16,11 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
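Review bot: The certificate and key paths in the relay.c part of this hunk grow by the expanded `%%PREFIX%%`, yet the surrounding `if (snprintf(certfile, sizeof(certfile), ...) == -1)` context only catches an encoding error, not truncation, so a long prefix plus `hbuf` could yield a silently shortened path that fails to open or names a different file than intended. Since the FreeBSD patch is already rewriting both calls, it could tighten each check to `int n = snprintf(certfile, sizeof(certfile), "%%PREFIX%%/etc/ssl/%s.crt", hbuf);` followed by `if (n < 0 || (size_t)n >= sizeof(certfile)) return (-1);`, and the same for the `.key` path. The size of `certfile` and the enclosing relay_load_certfiles function are outside this hunk, so whether truncation is reachable in practice cannot be confirmed from here.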
@@ -379,8 +397,8 @@ diff -Naur relayd.orig/relay_udp.c relayd/relay_udp.c
#include <sys/time.h>
#include <sys/stat.h>
diff -Naur relayd.orig/relayd.8 relayd/relayd.8
---- relayd.orig/relayd.8 2010-05-27 11:05:52.871795234 +0200
-+++ relayd/relayd.8 2010-05-27 11:05:58.282841763 +0200
+--- relayd.orig/relayd.8 2010-05-29 10:41:49.559000800 +0200
++++ relayd/relayd.8 2010-05-29 10:41:54.616471625 +0200
@@ -117,7 +117,7 @@
.It Fl f Ar file
Specify an alternative configuration file.
@@ -400,8 +418,8 @@ diff -Naur relayd.orig/relayd.8 relayd/relayd.8
.It /var/run/relayd.sock
Unix-domain socket used for communication with
diff -Naur relayd.orig/relayd.c relayd/relayd.c
---- relayd.orig/relayd.c 2010-05-27 11:05:52.873793915 +0200
-+++ relayd/relayd.c 2010-05-27 11:05:58.284862515 +0200
+--- relayd.orig/relayd.c 2010-05-29 10:41:49.561008583 +0200
++++ relayd/relayd.c 2010-05-29 10:41:54.617476494 +0200
@@ -17,7 +17,11 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
@@ -524,8 +542,17 @@ diff -Naur relayd.orig/relayd.c relayd/relayd.c
bnd->bnd_ss.ss_len) == -1)
goto fail;
diff -Naur relayd.orig/relayd.conf.5 relayd/relayd.conf.5
---- relayd.orig/relayd.conf.5 2010-05-27 11:05:52.873793915 +0200
-+++ relayd/relayd.conf.5 2010-05-27 11:05:58.285863811 +0200
+--- relayd.orig/relayd.conf.5 2010-05-29 10:41:49.559000800 +0200
++++ relayd/relayd.conf.5 2010-05-29 10:41:54.622495534 +0200
+@@ -78,7 +78,7 @@
+ .Ic include
+ keyword, for example:
+ .Bd -literal -offset indent
+-include "/etc/relayd.conf.local"
++include "%%PREFIX%%/etc/relayd.conf.local"
+ .Ed
+ .Sh MACROS
+ Macros can be defined that will later be expanded in context.
@@ -103,17 +103,6 @@
.Sh GLOBAL CONFIGURATION
Here are the settings that can be set globally:
@@ -578,16 +605,56 @@ diff -Naur relayd.orig/relayd.conf.5 relayd/relayd.conf.5
.It Ic interval Ar number
Override the global interval and specify one for this table.
It must be a multiple of the global interval.
-@@ -1037,7 +1006,7 @@
+@@ -604,9 +573,9 @@
+ keyword is present, the relay will accept connections using the
+ encrypted SSL protocol.
+ The relay will look up a private key in
+-.Pa /etc/ssl/private/address.key
++.Pa %%PREFIX%%/etc/ssl/private/address.key
+ and a public certificate in
+-.Pa /etc/ssl/address.crt ,
++.Pa %%PREFIX%%/etc/ssl/address.crt ,
+ where
+ .Ar address
+ is the specified IP address of the relay to listen on.
+@@ -955,9 +924,6 @@
+ This option enables CA verification in SSL client mode.
+ The daemon will load the CA (Certificate Authority) certificates from
+ the specified path to verify the server certificates.
+-.Ox
+-provides a default CA bundle in
+-.Pa /etc/ssl/cert.pem .
+ .It Ic ciphers Ar string
+ Set the string defining the SSL cipher suite.
+ If not specified, the default value
+@@ -1036,22 +1002,19 @@
+ .El
.El
.Sh FILES
- .Bl -tag -width "/etc/ssl/private/address.keyXX" -compact
+-.Bl -tag -width "/etc/ssl/private/address.keyXX" -compact
-.It Pa /etc/relayd.conf
++.Bl -tag -width "%%PREFIX%%/etc/ssl/private/address.keyXX" -compact
+.It Pa %%PREFIX%%/etc/relayd.conf
.Xr relayd 8
configuration file.
.Pp
-@@ -1146,7 +1115,6 @@
+ .It Pa /etc/services
+ Service name database.
+ .Pp
+-.It Pa /etc/ssl/address.crt
+-.It Pa /etc/ssl/private/address.key
++.It Pa %%PREFIX%%/etc/ssl/address.crt
++.It Pa %%PREFIX%%/etc/ssl/private/address.key
+ Location of the relay SSL server certificates, where
+ .Ar address
+ is the configured IP address of the relay.
+-.It Pa /etc/ssl/cert.pem
+-Default location of the CA bundle that can be used with
+-.Xr relayd 8 .
+ .El
+ .Sh EXAMPLES
+ This configuration file would create a redirection service
+@@ -1146,7 +1109,6 @@
.Sh SEE ALSO
.Xr relayctl 8 ,
.Xr relayd 8 ,
@@ -596,8 +663,8 @@ diff -Naur relayd.orig/relayd.conf.5 relayd/relayd.conf.5
.Sh HISTORY
The
diff -Naur relayd.orig/relayd.h relayd/relayd.h
---- relayd.orig/relayd.h 2010-05-27 11:05:52.871795234 +0200
-+++ relayd/relayd.h 2010-05-27 11:05:58.286913720 +0200
+--- relayd.orig/relayd.h 2010-05-29 10:41:49.559000800 +0200
++++ relayd/relayd.h 2010-05-29 10:41:54.627515412 +0200
@@ -19,10 +19,18 @@
*/
diff --git a/net/relayd/files/relayd.conf.sample b/net/relayd/files/relayd.conf.sample
new file mode 100644
index 000000000000..d6cad7c878fe
--- /dev/null
+++ b/net/relayd/files/relayd.conf.sample
@@ -0,0 +1,106 @@
+# $FreeBSD$
+# $OpenBSD: relayd.conf,v 1.13 2008/03/03 16:58:41 reyk Exp $
+#
+# Macros
+#
+ext_addr="192.168.1.1"
+webhost1="10.0.0.1"
+webhost2="10.0.0.2"
+sshhost1="10.0.0.3"
+
+#
+# Global Options
+#
+# interval 10
+# timeout 1000
+# prefork 5
+
+#
+# Each table will be mapped to a pf table.
+#
+table <webhosts> { $webhost1 $webhost2 }
+table <fallback> { 127.0.0.1 }
+
+#
+# Services will be mapped to a rdr rule.
+#
+redirect www {
+ listen on $ext_addr port http interface trunk0
+
+ # tag every packet that goes thru the rdr rule with RELAYD
+ tag RELAYD
+
+ forward to <webhosts> check http "/" code 200
+ forward to <fallback> check icmp
+}
+
+#
+# Relay and protocol for HTTP layer 7 loadbalancing and SSL acceleration
+#
+http protocol httpssl {
+ header append "$REMOTE_ADDR" to "X-Forwarded-For"
+ header append "$SERVER_ADDR:$SERVER_PORT" to "X-Forwarded-By"
+ header change "Connection" to "close"
+
+ # Various TCP performance options
+ tcp { nodelay, sack, socket buffer 65536, backlog 128 }
+
+# ssl { no sslv2, sslv3, tlsv1, ciphers HIGH }
+# ssl session cache disable
+}
+
+relay wwwssl {
+ # Run as a SSL accelerator
+ listen on $ext_addr port 443 ssl
+ protocol httpssl
+
+ # Forward to hosts in the webhosts table using a src/dst hash
+ forward to <webhosts> port http mode loadbalance \
+ check http "/" code 200
+}
+
+#
+# Relay and protocol for simple TCP forwarding on layer 7
+#
+protocol sshtcp {
+ # The TCP_NODELAY option is required for "smooth" terminal sessions
+ tcp nodelay
+}
+
+relay sshgw {
+ # Run as a simple TCP relay
+ listen on $ext_addr port 2222
+ protocol sshtcp
+
+ # Forward to the shared carp(4) address of an internal gateway
+ forward to $sshhost1 port 22
+}
+
+#
+# Relay and protocol for a transparent HTTP proxy
+#
+http protocol httpfilter {
+ # Return HTTP/HTML error pages to the client
+ return error
+
+ # Block disallowed browsers
+ label "Please try a <em>different Browser</em>"
+ header filter "Mozilla/4.0 (compatible; MSIE *" from "User-Agent"
+
+ # Block some well-known Instant Messengers
+ label "Instant messenger disallowed!"
+ response header filter "application/x-msn-messenger" from "Content-Type"
+ response header filter "app/x-hotbar-xip20" from "Content-Type"
+ response header filter "application/x-icq" from "Content-Type"
+ response header filter "AIM/HTTP" from "Content-Type"
+ response header filter "application/x-comet-log" from "Content-Type"
+}
+
+relay httpproxy {
+ # Listen on localhost, accept redirected connections from pf(4)
+ listen on 127.0.0.1 port 8080
+ protocol httpfilter
+
+ # Forward to the original target host
+ forward to nat lookup
+}
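Review bot: The `relay wwwssl` block turns on `ssl` for port 443 without saying where relayd looks for the key and certificate, and this same commit moves those defaults from `/etc/ssl` to `${PREFIX}/etc/ssl` (see the relay.c and relayd.conf.5 changes), so an operator starting from this sample would not know the FreeBSD-specific location; a comment above `listen on $ext_addr port 443 ssl` such as `# relayd loads PREFIX/etc/ssl/private/<address>.key and PREFIX/etc/ssl/<address>.crt for this listener` would close that gap (the file is installed verbatim, so a `%%PREFIX%%` placeholder would not be expanded here). The `interface trunk0` in the `redirect www` block is carried over from the OpenBSD sample and is unlikely to match a FreeBSD host's interface naming; a comment asking the operator to substitute the local external interface would avoid a confusing startup failure.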