update changelog for 0.8-2

Gbp-Dch: Ignore

debian/README.Debian

@@ -0,0 +1,2 @@
+To enable knockd edit /etc/knockd.conf and /etc/default/knockd first.
+

debian/changelog

@@ -0,0 +1,168 @@
+knockd (0.8-2) unstable; urgency=medium
+
+  * [688ef43f] systemd: downgrade ProtectSystem to "true" from "full"
+    (Closes: #927883)
+
+ -- Leo Antunes <costela@debian.org>  Tue, 02 Nov 2021 23:40:19 +0100
+
+knockd (0.8-1) unstable; urgency=medium
+
+  [ Ondřej Nový ]
+  * d/changelog: Remove trailing whitespaces
+  * d/control: Remove trailing whitespaces
+  * d/control: Fix wrong Vcs-*
+
+  [ Leo Antunes ]
+  * [ab774823] debian: update VCS fields
+  * [6cf96b87] debian: bump to up-to-date formats overall
+  * [74aada02] New upstream version 0.8
+  * [75a1e52e] debian: add gbp.conf
+  * [15d6b105] drop reap_child_procs.patch (merged upstream)
+  * [3ef12dba] update patches for improved DEP3
+  * [e87735fc] d.knockd.service: ensure service is enabled (Closes: #868015)
+  * [07da25fb] d/upstream/metadata: add
+  * [bfe2e959] d/rules: remove old dh options
+  * [3009b440] d/control: remove unnecessary deps
+  * [a626515f] d/rules: fix permissions for /etc/knockd.conf (Closes: #902022)
+  * [614debf1] d/control: use HTTPS for Vcs-Git URL
+  * [ca7bf832] d/knockd.service: only start when online
+  * [7495e2b1] d/patches: fix manpage to match debian config
+  * [e09f46d2] d/copyright: add missing license block
+  * [e10d4e01] d/control: switch from d/compat to debhelper-compat dep
+
+ -- Leo Antunes <costela@debian.org>  Tue, 19 Oct 2021 12:10:26 +0200
+
+knockd (0.7-1) unstable; urgency=medium
+
+  * [b2567e28] New upstream version 0.7 (closes: #761853)
+    - adds timeout to pcap_open_live (closes: #816388, #308078)
+  * [48f78ca5] bump policy to 3.9.8 (no changes)
+  * [0b63eacb] update homepage url
+  * [86381cd5] migrate to dh short notation
+  * [4a38db8d] drop patches/include_limits_h: fixed upstream
+  * [42ec7481] drop patches/manpage_cmd_timeout: fixed upstream
+  * [733d82a7] switch to source/format 3.0 (quilt)
+  * [bfc99c1f] add systemd support (closes: #729663)
+  * [197eb24d] init: add dependency on $remote_fs
+  * [848daeab] add hardening flags
+  * [5c686b87] remove knock client docs from installation
+  * [805dec71] debian/control: add VCS URL
+  * [14a9bb3f] add watch file
+
+ -- Leo Antunes <costela@debian.org>  Sat, 08 Oct 2016 16:05:00 +0200
+
+knockd (0.5-3) unstable; urgency=low
+
+  * debian/patches/include_limits_h.patch: add explicit include for
+    limits.h (closes: #518882)
+  * debian/control:
+      - bump policy to 3.8.0 (no changes)
+      - bump debhelper build-dep to 7
+  * debian/compat: bump to 7
+  * debian/copyright: add version to common-licences reference
+
+ -- Leo Costela <costela@debian.org>  Tue, 10 Mar 2009 00:27:42 +0100
+
+knockd (0.5-2) unstable; urgency=low
+
+  * acknoledge NMU (thanks Francesco!)
+  * debian/patches:
+    - add manpage_cmd_timeout.patch (closes: #418842) (thanks Bernd Zeimetz)
+    - add syslog_facility_daemon.patch to log to facility DAEMON
+    - change default_config.patch to use SysLog by default (closes: #299789)
+  * debian/logrotate: removed (see above)
+  * debian/control:
+    - add Homepage field and correct address (closes:#435568)
+    - update to policy 3.7.3 (no changes)
+    - bump dependency on debhelper to >=5
+    - add build-dep on autotools-dev to update config.{sub,guess}
+    - remove unused misc:Depends
+  * debian/compat: bump to 5
+  * debian/init:
+    - include LSB session
+    - overhaul and 'LSB-zation'
+    - fail to start gracefully, enabling upgrades in case of failure
+      (closes: #399662)
+
+ -- Leo Costela <costela@debian.org>  Sun, 09 Dec 2007 01:54:11 +0100
+
+knockd (0.5-1.1) unstable; urgency=high
+
+  * NMU
+  * Fixing wrong SIGCHLD reaper with knockd.patch. It causes a lot of zombies around due to use of a simple wait().
+    This patch should go upstream, too.
+    (closes: #373009)
+
+ -- Francesco Paolo Lovergine <frankie@debian.org>  Tue,  7 Nov 2006 21:16:30 +0100
+
+knockd (0.5-1) unstable; urgency=low
+
+  * New upstream release
+  * Fixed typo in changelog
+  * Included logrotate script (sorry for the stupid delay) (closes: #299789)
+  * Changed build system to CDBS
+  * Changed default permissions of config file to 640 root.root
+
+ -- Leo Costela <costela@debian.org>  Wed, 06 Jul 2005 17:53:24 -0300
+
+knockd (0.4-1) unstable; urgency=low
+
+  * New upstream release
+
+ -- Leo Costela <costela@debian.org>  Tue, 18 Jan 2005 09:19:20 -0300
+
+knockd (0.3.1-1) unstable; urgency=low
+
+  * New upstream release
+
+ -- Leo Costela <costela@debian.org>  Fri, 17 Sep 2004 10:08:42 -0300
+
+knockd (0.3-2) unstable; urgency=low
+
+  * debian/control: add a few infos (closes: #271719)
+  * debian/init, debian/default: made option handling in default file more
+    generic (closes: #271718)
+  * debian/rules: corrected unpatch logic (closes: #271720)
+  * all of the above are thanks: Javier Fernández-Sanguino Peña
+    <jfs@computer.org>
+  * corrected the time zone in the changelog
+
+ -- Leo Costela <costela@debian.org>  Tue, 14 Sep 2004 17:21:35 -0300
+
+knockd (0.3-1) unstable; urgency=low
+
+  * New upstream release
+  * Corrected config and example files to point to /sbin/iptables (closes: #247519)
+  * Corrected debian/rules to make propper use of CFLAGS (I could have sworn
+    it was working here)
+  * Added an INTERFACE directive to /etc/default/knockd (closes: #248022)
+  * Changed build-dep from libpcap-dev to libpcap0.8-dev to reflect source
+    changes
+
+ -- Leo Costela <costela@debian.org>  Fri, 07 May 2004 17:35:46 -0300
+
+knockd (0.2.1-2) unstable; urgency=low
+
+  * Corrected init-script logic and removed extra lines
+
+ -- Leo Costela <costela@debian.org>  Mon, 26 Apr 2004 08:48:06 -0300
+
+knockd (0.2.1-1) unstable; urgency=low
+
+  * New uptream version
+  * First Debian release (closes: #243838)
+
+ -- Leo Costela <costela@debian.org>  Thu, 15 Apr 2004 22:52:05 -0300
+
+knockd (0.2-1) unstable; urgency=low
+
+  * New upstream version
+  * Patch incorporated into upstream
+
+ -- Leo Costela <costela@debian.org>  Thu, 15 Apr 2004 22:52:05 -0300
+
+knockd (0.1-1) unstable; urgency=low
+
+  * First Debian package
+
+ -- Leo Costela <costela@debian.org>  Wed, 14 Apr 2004 22:52:05 -0300

debian/control

@@ -0,0 +1,21 @@
+Source: knockd
+Section: net
+Priority: optional
+Maintainer: Leo Antunes <costela@debian.org>
+Build-Depends: debhelper-compat (= 13), libpcap0.8-dev
+Standards-Version: 4.6.0.1
+Homepage: http://www.zeroflux.org/projects/knock
+Vcs-Git: https://salsa.debian.org/debian/knockd.git
+Vcs-Browser: https://salsa.debian.org/debian/knockd
+
+Package: knockd
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, logrotate, lsb-base (>= 11.0.0)
+Description: small port-knock daemon
+ A port-knock server that listens to all traffic on a given network
+ interface (only Ethernet and PPP are currently supported), looking for
+ a special "knock" sequences of port-hits. A remote system
+ makes these port-hits by sending a TCP (or UDP) packet to a port on the
+ server. When the server detects a specific sequence of port-hits, it
+ runs a command defined in its configuration file. This can be used to
+ open up holes in a firewall for quick access.

debian/copyright

@@ -0,0 +1,32 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: knock
+Upstream-Contact: Judd Vinet <jvinet@zeroflux.org>
+Source: https://github.com/jvinet/knock
+Files-Excluded:
+  .git
+
+Files: *
+Copyright: 2004-2021 Judd Vinet <jvinet@zeroflux.org>
+License: GPL-2
+
+Files: debian/*
+Copyright: 2004-2021 Leo Antunes <costela@debian.org>
+License: GPL-2
+
+License: GPL-2
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+ .
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License along
+ with this program; if not, write to the Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ .
+ On Debian systems, the complete text of the Apache version 2.0 license
+ can be found in "/usr/share/common-licenses/Apache-2.0".

debian/default

@@ -0,0 +1,8 @@
+# control if we start knockd at init or not
+# 1 = start
+# anything else = don't start
+# PLEASE EDIT /etc/knockd.conf BEFORE ENABLING
+START_KNOCKD=0
+
+# command line options
+#KNOCKD_OPTS="-i eth1"

debian/gbp.conf

@@ -0,0 +1,4 @@
+[DEFAULT]
+debian-branch = master
+dist = DEP14
+pristine-tar = True

debian/knockd.init

@@ -0,0 +1,71 @@
+#! /bin/sh
+
+### BEGIN INIT INFO
+# Provides:          knockd
+# Required-Start:    $network $syslog $remote_fs
+# Required-Stop:     $network $syslog $remote_fs
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: port-knock daemon
+### END INIT INFO
+
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+DAEMON=/usr/sbin/knockd
+NAME=knockd
+PIDFILE=/var/run/$NAME.pid
+DEFAULTS_FILE=/etc/default/knockd
+DESC="Port-knock daemon"
+OPTIONS=" -d"
+
+umask 0037
+
+test -f $DAEMON || exit 0
+
+set -e
+
+[ -f $DEFAULTS_FILE ] && . $DEFAULTS_FILE
+
+. /lib/lsb/init-functions
+
+[ "$KNOCKD_OPTS" ] && OPTIONS="$OPTIONS $KNOCKD_OPTS"
+
+start_if_configured() {
+    if [ $START_KNOCKD -ne 1 ]; then
+        log_warning_msg "$NAME disabled: not starting. To enable it edit $DEFAULTS_FILE"
+        exit 0
+    else
+        log_daemon_msg "Starting $DESC" "$NAME"
+        if ! START_ERROR=`start-stop-daemon --start --oknodo --quiet --exec $DAEMON -- $OPTIONS 2>&1`; then
+            # don't fail the upgrade if it fails to start
+            echo -n " "
+            log_action_end_msg 1 "$START_ERROR"
+            exit 0
+        else
+            log_end_msg 0
+        fi
+    fi
+}
+
+case "$1" in
+    start)
+        start_if_configured
+        ;;
+    stop)
+        log_daemon_msg "Stopping $DESC" "$NAME"
+        start-stop-daemon --stop --oknodo --quiet --exec $DAEMON
+        log_end_msg 0
+        ;;
+    restart|reload|force-reload)
+        log_daemon_msg "Stopping $DESC" "$NAME"
+        start-stop-daemon --stop --oknodo --quiet --exec $DAEMON
+        log_end_msg 0
+        sleep 1
+        start_if_configured
+        ;;
+    *)
+        log_warning_msg "Usage: $0 {start|stop|restart|reload|force-reload}" >&2
+        exit 1
+        ;;
+esac
+
+exit 0

debian/knockd.service

@@ -0,0 +1,17 @@
+[Unit]
+Description=Port-Knock Daemon
+After=network-online.target
+Wants=network-online.target
+Documentation=man:knockd(1)
+
+[Service]
+EnvironmentFile=-/etc/default/knockd
+ExecStart=/usr/sbin/knockd $KNOCKD_OPTS
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=mixed
+SuccessExitStatus=0 2 15
+ProtectSystem=true
+CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN CAP_SYS_MODULE
+
+[Install]
+WantedBy=multi-user.target

debian/patches/0003-fix-manpage-to-match-debian-config.patch

@@ -0,0 +1,28 @@
+From: Leo Antunes <costela@debian.org>
+Date: Mon, 18 Oct 2021 23:57:32 +0200
+Subject: fix manpage to match debian config
+
+---
+ doc/knockd.1.in | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/doc/knockd.1.in b/doc/knockd.1.in
+index b69ca06..28d43ec 100644
+--- a/doc/knockd.1.in
++++ b/doc/knockd.1.in
+@@ -63,13 +63,13 @@ firewall and would like to access it discreetly.
+ 	sequence    = 7000,8000,9000
+ 	seq_timeout = 10
+ 	tcpflags    = syn
+-	command     = /usr/sbin/iptables \-A INPUT \-s %IP% \-\-dport 22 \-j ACCEPT
++	command     = /sbin/iptables \-A INPUT \-s %IP% \-\-dport 22 \-j ACCEPT
+ 
+ [closeSSH]
+ 	sequence    = 9000,8000,7000
+ 	seq_timeout = 10
+ 	tcpflags    = syn
+-	command     = /usr/sbin/iptables \-D INPUT \-s %IP% \-\-dport 22 \-j ACCEPT
++	command     = /sbin/iptables \-D INPUT \-s %IP% \-\-dport 22 \-j ACCEPT
+ 
+ .fi
+ .RE

debian/patches/default_config.patch

@@ -0,0 +1,32 @@
+From: Leo Antunes <costela@debian.org>
+Date: Mon, 18 Oct 2021 23:17:54 +0200
+Subject: Adapt default config for debian
+
+---
+ knockd.conf | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/knockd.conf b/knockd.conf
+index 7770027..13d4347 100644
+--- a/knockd.conf
++++ b/knockd.conf
+@@ -1,16 +1,16 @@
+ [options]
+-	logfile = /var/log/knockd.log
++	UseSyslog
+ 
+ [openSSH]
+ 	sequence    = 7000,8000,9000
+ 	seq_timeout = 5
+-	command     = /usr/sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
++	command     = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
+ 	tcpflags    = syn
+ 
+ [closeSSH]
+ 	sequence    = 9000,8000,7000
+ 	seq_timeout = 5
+-	command     = /usr/sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
++	command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
+ 	tcpflags    = syn
+ 
+ [openHTTPS]

debian/patches/series

@@ -0,0 +1,3 @@
+default_config.patch
+syslog_facility_daemon.patch
+0003-fix-manpage-to-match-debian-config.patch

debian/patches/syslog_facility_daemon.patch

@@ -0,0 +1,22 @@
+From: Leo Antunes <costela@debian.org>
+Date: Mon, 18 Oct 2021 23:17:54 +0200
+Subject: change syslog facility to daemon
+
+this is currently hardcoded
+---
+ src/knockd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/knockd.c b/src/knockd.c
+index e607b6c..bd991c8 100644
+--- a/src/knockd.c
++++ b/src/knockd.c
+@@ -229,7 +229,7 @@ int main(int argc, char **argv)
+ 		strncpy(o_int, "eth0", sizeof(o_int));	/* no explicit termination needed */
+ 	}
+ 	if(o_usesyslog) {
+-		openlog("knockd", 0, LOG_USER);
++		openlog("knockd", 0, LOG_DAEMON);
+ 	}
+ 	if(strlen(o_logfile)) {
+ 		/* open the log file */

debian/rules

@@ -0,0 +1,23 @@
+#!/usr/bin/make -f
+
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+export DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed,--no-undefined,--no-add-needed
+DPKG_EXPORT_BUILDFLAGS = 1
+include /usr/share/dpkg/buildflags.mk
+
+%:
+	dh $@
+
+override_dh_install:
+	dh_install
+	# original installation has duplicate docs for knock and knockd
+	rm -rf debian/knockd/usr/share/doc/knock
+	# be more restrictive
+	chmod 0600 debian/knockd/etc/knockd.conf
+
+# the standard config is unsafe
+override_dh_installsystemd:
+	dh_installsystemd --no-enable --no-start
+
+override_dh_installinit:
+	dh_installinit --no-start

debian/source/format

@@ -0,0 +1 @@
+3.0 (quilt)

debian/upstream/metadata

@@ -0,0 +1,5 @@
+---
+Bug-Database: https://github.com/jvinet/knock/issues
+Bug-Submit: https://github.com/jvinet/knock/issues/new
+Repository: https://github.com/jvinet/knock.git
+Repository-Browse: https://github.com/jvinet/knock

debian/watch

@@ -0,0 +1,3 @@
+version=4
+opts=filenamemangle=s/.+\/v?(\d\S+)\.tar\.gz/knock-$1\.tar\.gz/ \
+  https://github.com/jvinet/knock/tags .*/v?(\d\S+)\.tar\.gz