net-analyzer/suricata: bump to 5.0.0 and EAPI 7

Package-Manager: Portage-2.3.79, Repoman-2.3.16
Signed-off-by: Marek Szuba <marecki@gentoo.org>

8 files changed, 313 insertions, 1 deletions

diff --git a/net-analyzer/suricata/Manifest b/net-analyzer/suricata/Manifest
index fe67675774df..72532b86510d 100644
--- a/net-analyzer/suricata/Manifest
+++ b/net-analyzer/suricata/Manifest
@@ -1 +1,2 @@
 DIST suricata-4.0.4.tar.gz 12511121 BLAKE2B d9dfb00a45c2e9810409a8ce91a83e23ebce20eb28492bf24f9688d292b5805dca932c39cc673cf1148325fe5ef7936dda7f6c7819605753cb2e2ddc1cf5dba0 SHA512 6e158aa6d3edb9d11e0df3f986392ee2ae49ab4dfb978288ced4484dbe5c08ae061db2a566be6d22cf14bd0b88f87f9cb9c0a657d7fc44e099b8783d933c771e
+DIST suricata-5.0.0.tar.gz 23689051 BLAKE2B 701625d50dacbeb846d7ea1c3aad3980969c1c0124c007d843353fe25b7e579378d2cd125db4660e33fff1f8cf20eac4bbafe280ba6ff31f988fb6c42b29b6aa SHA512 0dc8941fdf29d615531eeda6f6076052cca79fda6dda3c96300c08b343a64a1700fd23dd83a03507009ab7c9b19c91b65ee65e704f55ddee17764b71e9e2911e
diff --git a/net-analyzer/suricata/files/suricata-5.0.0_configure-lua-flags.patch b/net-analyzer/suricata/files/suricata-5.0.0_configure-lua-flags.patch
new file mode 100644
index 000000000000..be956fd94d40
--- /dev/null
+++ b/net-analyzer/suricata/files/suricata-5.0.0_configure-lua-flags.patch
@@ -0,0 +1,16 @@
+--- a/configure.ac
++++ b/configure.ac
+@@ -1749,11 +1749,11 @@
+   # liblua
+     AC_ARG_ENABLE(lua,
+ 	        AS_HELP_STRING([--enable-lua],[Enable Lua support]),
+-	        [ enable_lua="$enableval"],
++	        [],
+ 	        [ enable_lua="no"])
+     AC_ARG_ENABLE(luajit,
+ 	        AS_HELP_STRING([--enable-luajit],[Enable Luajit support]),
+-	        [ enable_luajit="$enableval"],
++	        [],
+ 	        [ enable_luajit="no"])
+     if test "$enable_lua" = "yes"; then
+         if test "$enable_luajit" = "yes"; then
diff --git a/net-analyzer/suricata/files/suricata-5.0.0_configure-no-lz4-automagic.patch b/net-analyzer/suricata/files/suricata-5.0.0_configure-no-lz4-automagic.patch
new file mode 100644
index 000000000000..5efce46f6d9f
--- /dev/null
+++ b/net-analyzer/suricata/files/suricata-5.0.0_configure-no-lz4-automagic.patch
@@ -0,0 +1,23 @@
+--- a/configure.ac
++++ b/configure.ac
+@@ -2292,7 +2292,11 @@
+     fi
+ 
+ # Check for lz4
+-enable_liblz4="yes"
++AC_ARG_ENABLE(lz4,
++       AS_HELP_STRING([--enable-lz4], [Enable compressed pcap logging using liblz4]),
++       [enable_liblz4=$enableval],
++       [enable_liblz4=yes])
++if test "x$enable_liblz4" != "xno"; then
+ AC_CHECK_LIB(lz4, LZ4F_createCompressionContext, , enable_liblz4="no")
+ 
+ if test "$enable_liblz4" = "no"; then
+@@ -2306,6 +2310,7 @@
+     echo "               yum install lz4-devel"
+     echo
+ fi
++fi
+ 
+ # get cache line size
+     AC_PATH_PROG(HAVE_GETCONF_CMD, getconf, "no")
diff --git a/net-analyzer/suricata/files/suricata-5.0.0_default-config.patch b/net-analyzer/suricata/files/suricata-5.0.0_default-config.patch
new file mode 100644
index 000000000000..07a45c9a5747
--- /dev/null
+++ b/net-analyzer/suricata/files/suricata-5.0.0_default-config.patch
@@ -0,0 +1,61 @@
+--- a/suricata.yaml.in
++++ b/suricata.yaml.in
+@@ -203,8 +203,9 @@
+             # https://suricata.readthedocs.io/en/latest/output/eve/eve-json-output.html#dns-v1-format
+ 
+             # As of Suricata 5.0, version 2 of the eve dns output
+-            # format is the default.
+-            #version: 2
++            # format is the default - but the daemon produces a warning to that effect
++            # at start-up if this isn't explicitly set.
++            version: 2
+ 
+             # Enable/disable this logger. Default: enabled.
+             #enabled: yes
+@@ -978,9 +979,9 @@
+ ##
+ 
+ # Run suricata as user and group.
+-#run-as:
+-#  user: suri
+-#  group: suri
++run-as:
++  user: suricata
++  group: suricata
+ 
+ # Some logging module will use that name in event as identifier. The default
+ # value is the hostname
+@@ -1806,16 +1807,28 @@
+     hashmode: hash5tuplesorted
+ 
+ ##
+-## Configure Suricata to load Suricata-Update managed rules.
+-##
+-## If this section is completely commented out move down to the "Advanced rule
+-## file configuration".
++## Configure Suricata to load default rules it comes with.
+ ##
+ 
+ default-rule-path: @e_defaultruledir@
+ 
+ rule-files:
+-  - suricata.rules
++  - /etc/suricata/rules/app-layer-events.rules
++  - /etc/suricata/rules/decoder-events.rules
++  - /etc/suricata/rules/dhcp-events.rules
++  - /etc/suricata/rules/dnp3-events.rules
++  - /etc/suricata/rules/dns-events.rules
++  - /etc/suricata/rules/files.rules
++  - /etc/suricata/rules/http-events.rules
++  - /etc/suricata/rules/ipsec-events.rules
++  - /etc/suricata/rules/kerberos-events.rules
++  - /etc/suricata/rules/modbus-events.rules
++  - /etc/suricata/rules/nfs-events.rules
++  - /etc/suricata/rules/ntp-events.rules
++  - /etc/suricata/rules/smb-events.rules
++  - /etc/suricata/rules/smtp-events.rules
++  - /etc/suricata/rules/stream-events.rules
++  - /etc/suricata/rules/tls-events.rules
+ 
+ ##
+ ## Auxiliary configuration files.
diff --git a/net-analyzer/suricata/files/suricata.service b/net-analyzer/suricata/files/suricata.service
new file mode 100644
index 000000000000..5e617388018f
--- /dev/null
+++ b/net-analyzer/suricata/files/suricata.service
@@ -0,0 +1,21 @@
+[Unit]
+Description=Suricata IDS/IDP daemon
+After=network.target
+Requires=network.target
+Documentation=man:suricata(8) man:suricatasc(8)
+Documentation=https://redmine.openinfosecfoundation.org/projects/suricata/wiki
+
+[Service]
+Type=forking
+Environment=OPTIONS='-c /etc/suricata/suricata.yaml'
+CapabilityBoundingSet=CAP_NET_ADMIN
+PIDFile=/var/run/suricata/suricata.pid
+ExecStart=/usr/bin/suricata --pidfile /var/run/suricata/suricata.pid $OPTIONS
+ExecReload=/bin/kill -HUP $MAINPID
+ExecStop=/bin/kill $MAINPID
+PrivateTmp=yes
+ProtectHome=yes
+
+[Install]
+WantedBy=multi-user.target
+
diff --git a/net-analyzer/suricata/files/suricata.tmpfiles b/net-analyzer/suricata/files/suricata.tmpfiles
new file mode 100644
index 000000000000..46fe50842978
--- /dev/null
+++ b/net-analyzer/suricata/files/suricata.tmpfiles
@@ -0,0 +1 @@
+d	/var/run/suricata	- - - -
diff --git a/net-analyzer/suricata/metadata.xml b/net-analyzer/suricata/metadata.xml
index 0afee5625d1a..bc25d72f0887 100644
--- a/net-analyzer/suricata/metadata.xml
+++ b/net-analyzer/suricata/metadata.xml
@@ -6,13 +6,17 @@
   </maintainer>
   <use>
     <flag name="af-packet">Enable AF_PACKET support</flag>
+    <flag name="bpf">Enable support for eBPF (as well as XDP if supported by the kernel and the NIC driver)
+        for low-level, high-speed packet processing</flag>
     <flag name="control-socket">Enable unix socket</flag>
     <flag name="cuda">Enable NVIDIA Cuda computations support</flag>
     <flag name="detection">Enable detection modules</flag>
+    <flag name="logrotate">Install logrotate rule</flag>
+    <flag name="lz4">Enable support for compressed pcap logging using the LZ4 algorithm</flag>
     <flag name="nflog">Enable libnetfilter_log support</flag>
     <flag name="nfqueue">Enable NFQUEUE support for inline IDP</flag>
     <flag name="redis">Enable Redis support</flag>
     <flag name="rules">Install default ruleset</flag>
-    <flag name="logrotate">Install logrotate rule</flag>
+    <flag name="tools">Install suricatactl, suricatasc and suricata-update</flag>
   </use>
 </pkgmetadata>
diff --git a/net-analyzer/suricata/suricata-5.0.0.ebuild b/net-analyzer/suricata/suricata-5.0.0.ebuild
new file mode 100644
index 000000000000..05f328b973b3
--- /dev/null
+++ b/net-analyzer/suricata/suricata-5.0.0.ebuild
@@ -0,0 +1,185 @@
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+PYTHON_COMPAT=( python3_{6,7,8} )
+
+inherit autotools linux-info python-single-r1 systemd
+
+DESCRIPTION="High performance Network IDS, IPS and Network Security Monitoring engine"
+HOMEPAGE="https://suricata-ids.org/"
+SRC_URI="https://www.openinfosecfoundation.org/download/${P}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+IUSE="+af-packet bpf control-socket cuda debug +detection geoip hardened logrotate lua luajit lz4 nflog +nfqueue redis +rules systemd test tools"
+
+RESTRICT="!test? ( test )"
+
+REQUIRED_USE="?? ( lua luajit )
+	bpf? ( af-packet )
+	tools? ( ${PYTHON_REQUIRED_USE} )"
+
+CDEPEND="acct-group/suricata
+	acct-user/suricata
+	dev-libs/jansson
+	dev-libs/libpcre
+	dev-libs/libyaml
+	net-libs/libnet:*
+	net-libs/libnfnetlink
+	dev-libs/nspr
+	dev-libs/nss
+	>=net-libs/libhtp-0.5.31
+	net-libs/libpcap
+	sys-apps/file
+	sys-libs/libcap-ng
+	bpf?        ( >=dev-libs/libbpf-0.0.5 )
+	cuda?       ( dev-util/nvidia-cuda-toolkit )
+	geoip?      ( dev-libs/libmaxminddb )
+	logrotate?  ( app-admin/logrotate )
+	lua?        ( dev-lang/lua:* )
+	luajit?     ( dev-lang/luajit:* )
+	lz4?        ( app-arch/lz4 )
+	nflog?      ( net-libs/libnetfilter_log )
+	nfqueue?    ( net-libs/libnetfilter_queue )
+	redis?      ( dev-libs/hiredis )
+	tools?      ( dev-python/pyyaml[${PYTHON_USEDEP}] )"
+DEPEND="${CDEPEND}
+	dev-lang/rust"
+# Not confirmed that it works yet
+#	test? ( dev-util/coccinelle )"
+RDEPEND="${CDEPEND}
+	tools? ( ${PYTHON_DEPS} )"
+
+PATCHES=(
+	"${FILESDIR}/${PN}-5.0.0_configure-lua-flags.patch"
+	"${FILESDIR}/${PN}-5.0.0_configure-no-lz4-automagic.patch"
+	"${FILESDIR}/${PN}-5.0.0_default-config.patch"
+)
+
+pkg_pretend() {
+	if use bpf && use kernel_linux; then
+		if kernel_is -lt 4 15; then
+			ewarn "Kernel 4.15 or newer is necessary to use all XDP features like the CPU redirect map"
+		fi
+
+		CONFIG_CHECK="~XDP_SOCKETS"
+		ERROR_XDP_SOCKETS="CONFIG_XDP_SOCKETS is not set, making it impossible for Suricata will to load XDP programs. "
+		ERROR_XDP_SOCKETS+="Other eBPF features should work normally."
+		check_extra_config
+	fi
+}
+
+src_prepare() {
+	default
+	sed -ie 's/docdir =.*/docdir = ${datarootdir}\/doc\/'${PF}'\//' "${S}/doc/Makefile.am"
+	eautoreconf
+}
+
+src_configure() {
+	local myeconfargs=(
+		"--localstatedir=/var" \
+		"--enable-non-bundled-htp" \
+		"--enable-gccmarch-native=no" \
+		$(use_enable af-packet) \
+		$(use_enable bpf ebpf) \
+		$(use_enable control-socket unix-socket) \
+		$(use_enable cuda) \
+		$(use_enable detection) \
+		$(use_enable geoip) \
+		$(use_enable hardened gccprotect) \
+		$(use_enable hardened pie) \
+		$(use_enable lua) \
+		$(use_enable luajit) \
+		$(use_enable lz4) \
+		$(use_enable nflog) \
+		$(use_enable nfqueue) \
+		$(use_enable redis hiredis) \
+		$(use_enable test coccinelle) \
+		$(use_enable test unittests) \
+		$(use_enable tools python)
+	)
+
+	if use debug; then
+		myeconfargs+=( $(use_enable debug) )
+		# so we can get a backtrace according to "reporting bugs" on upstream web site
+		CFLAGS="-ggdb -O0" econf ${myeconfargs[@]}
+	else
+		econf ${myeconfargs[@]}
+	fi
+}
+
+src_install() {
+	emake DESTDIR="${D}" install
+
+	if use bpf; then
+		rm -f ebpf/Makefile.{am,in}
+		dodoc -r ebpf/
+		keepdir /usr/libexec/suricata/ebpf
+	fi
+
+	insinto "/etc/${PN}"
+	doins etc/{classification,reference}.config threshold.config suricata.yaml
+
+	if use rules; then
+		insinto "/etc/${PN}/rules"
+		doins rules/*.rules
+	fi
+
+	keepdir "/var/lib/${PN}"
+	keepdir "/var/log/${PN}"
+
+	fowners -R ${PN}: "/var/lib/${PN}" "/var/log/${PN}" "/etc/${PN}"
+	fperms 750 "/var/lib/${PN}" "/var/log/${PN}" "/etc/${PN}"
+
+	newinitd "${FILESDIR}/${PN}-4.0.4-init" ${PN}
+	newconfd "${FILESDIR}/${PN}-4.0.4-conf" ${PN}
+	systemd_dounit "${FILESDIR}"/${PN}.service
+	systemd_newtmpfilesd "${FILESDIR}"/${PN}.tmpfiles ${PN}.conf
+
+	if use logrotate; then
+		insopts -m0644
+		insinto /etc/logrotate.d
+		newins etc/${PN}.logrotate ${PN}
+	fi
+}
+
+pkg_postinst() {
+	if ! use systemd; then
+		elog "The ${PN} init script expects to find the path to the configuration"
+		elog "file as well as extra options in /etc/conf.d."
+		elog ""
+		elog "To create more than one ${PN} service, simply create a new .yaml file for it"
+		elog "then create a symlink to the init script from a link called"
+		elog "${PN}.foo - like so"
+		elog "   cd /etc/${PN}"
+		elog "   ${EDITOR##*/} suricata-foo.yaml"
+		elog "   cd /etc/init.d"
+		elog "   ln -s ${PN} ${PN}.foo"
+		elog "Then edit /etc/conf.d/${PN} and make sure you specify sensible options for foo."
+		elog ""
+		elog "You can create as many ${PN}.foo* services as you wish."
+	fi
+
+	if use bpf; then
+		elog "eBPF/XDP files must be compiled (using sys-devel/clang[llvm_targets_BPF]) before use"
+		elog "because their configuration is hard-coded. You can find the default ones in"
+		elog "    ${EPREFIX}/usr/share/doc/${PF}"
+		elog "and the common location for eBPF bytecode is"
+		elog "    ${EPREFIX}/usr/libexec/${PN}"
+		elog "For more information, see https://${PN}.readthedocs.io/en/${P}/capture-hardware/ebpf-xdp.html"
+	fi
+
+	if use logrotate; then
+		elog "You enabled the logrotate USE flag. Please make sure you correctly set up the ${PN} logrotate config file in /etc/logrotate.d/."
+	fi
+
+	if use debug; then
+		elog "You enabled the debug USE flag. Please read this link to report bugs upstream:"
+		elog "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs"
+		elog "You need to also ensure the FEATURES variable in make.conf contains the"
+		elog "'nostrip' option to produce useful core dumps or back traces."
+	fi
+}