Diffstat (limited to 'debian/patches')
-rw-r--r-- | debian/patches/avoid-to-include-if_tunnel-h.patch | 34 | ||||
-rw-r--r-- | debian/patches/configure-clang-variable.patch | 26 | ||||
-rw-r--r-- | debian/patches/cross.patch | 13 | ||||
-rw-r--r-- | debian/patches/debian-default-cfg.patch | 43 | ||||
-rw-r--r-- | debian/patches/fix-repeated-builds.patch | 16 | ||||
-rw-r--r-- | debian/patches/import-sockio-h.patch | 16 | ||||
-rw-r--r-- | debian/patches/llc.patch | 20 | ||||
-rw-r--r-- | debian/patches/no-use-gnu.patch | 28 | ||||
-rw-r--r-- | debian/patches/reproducible.patch | 21 | ||||
-rw-r--r-- | debian/patches/series | 10 | ||||
-rw-r--r-- | debian/patches/with-ebpf-includes.patch | 41 |
11 files changed, 268 insertions, 0 deletions
diff --git a/debian/patches/avoid-to-include-if_tunnel-h.patch b/debian/patches/avoid-to-include-if_tunnel-h.patch
new file mode 100644
index 0000000..1a40ec7
--- /dev/null
+++ b/debian/patches/avoid-to-include-if_tunnel-h.patch
@@ -0,0 +1,34 @@
+From 6f7636cfc6dffb387afe21f4f3bff119f8d8e033 Mon Sep 17 00:00:00 2001
+From: Eric Leblond <eric@regit.org>
+Date: Thu, 31 Oct 2019 13:29:56 +0100
+Subject: [PATCH] ebpf: avoid to include if_tunnel.h
+
+This is causing a dependency issue as file from another architecture
+have to be installed.
+---
+ ebpf/xdp_lb.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/ebpf/xdp_lb.c
++++ b/ebpf/xdp_lb.c
+@@ -26,7 +26,6 @@
+ /* Workaround to avoid the need of 32bit headers */
+ #define _LINUX_IF_H
+ #define IFNAMSIZ 16
+-#include <linux/if_tunnel.h>
+ #include <linux/ip.h>
+ #include <linux/ipv6.h>
+ #include <linux/tcp.h>
+@@ -35,6 +34,12 @@
+
+ #include "hash_func01.h"
+
++#define GRE_CSUM __cpu_to_be16(0x8000)
++#define GRE_ROUTING __cpu_to_be16(0x4000)
++#define GRE_KEY __cpu_to_be16(0x2000)
++#define GRE_SEQ __cpu_to_be16(0x1000)
++#define GRE_VERSION __cpu_to_be16(0x0007)
++
+ #define LINUX_VERSION_CODE 263682
+
+ /* Hashing initval */
diff --git a/debian/patches/configure-clang-variable.patch b/debian/patches/configure-clang-variable.patch
new file mode 100644
index 0000000..6aae947
--- /dev/null
+++ b/debian/patches/configure-clang-variable.patch
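Review bot: The five `GRE_*` macros added to `ebpf/xdp_lb.c` by avoid-to-include-if_tunnel-h.patch are unguarded copies of the kernel UAPI values, so a later include that pulls in `linux/if_tunnel.h` indirectly would redefine them, and nothing in the file records where the numbers came from. Wrapping the group in `#ifndef GRE_CSUM` … `#endif` and putting `/* GRE flag bits copied from linux/if_tunnel.h, which is deliberately not included here */` above it would cover both. The macros also depend on `__cpu_to_be16`, whose providing header is not visible in this hunk.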
@@ -0,0 +1,26 @@
+From: Hilko Bengen <bengen@debian.org>
+Date: Tue, 22 Jan 2019 18:10:47 +0100
+Subject: configure: Introduce CLANG variable
+
+---
+ configure.ac | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/configure.ac
++++ b/configure.ac
+@@ -38,6 +38,15 @@
+
+ AC_SUBST([CLANG])
+
++ AC_ARG_WITH([clang],
++ [CLANG compiler],
++ [CLANG="$withval"],
++ [AS_IF([test "$compiler" = clang],
++ [CLANG="$CC"],
++ [AC_PATH_PROG([CLANG],[clang])])])
++
++ AC_SUBST([CLANG])
++
+ case "$compiler" in
+ clang)
+ CLANG_CFLAGS="-Wextra -Werror-implicit-function-declaration -Wno-error=unused-command-line-argument"
diff --git a/debian/patches/cross.patch b/debian/patches/cross.patch
new file mode 100644
index 0000000..ddc724d
--- /dev/null
+++ b/debian/patches/cross.patch
@@ -0,0 +1,13 @@
+--- a/configure.ac
++++ b/configure.ac
+@@ -77,8 +77,8 @@
+ AC_PATH_PROG(HAVE_CYGPATH, cygpath, "no")
+ AM_CONDITIONAL([HAVE_CYGPATH], [test "x$HAVE_CYGPATH" != "xno"])
+
+- AC_PATH_PROG(HAVE_PKG_CONFIG, pkg-config, "no")
+- if test "$HAVE_PKG_CONFIG" = "no"; then
++ PKG_PROG_PKG_CONFIG
++ if test "x$PKG_CONFIG" = "x"; then
+ echo
+ echo " ERROR! pkg-config not found, go get it "
+ echo " http://pkg-config.freedesktop.org/wiki/ "
diff --git a/debian/patches/debian-default-cfg.patch b/debian/patches/debian-default-cfg.patch
new file mode 100644
index 0000000..bf872cf
--- /dev/null
+++ b/debian/patches/debian-default-cfg.patch
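Review bot: In configure-clang-variable.patch the `AC_ARG_WITH([clang], ...)` action assigns `CLANG="$withval"` unconditionally, so a bare `--with-clang` stores the literal `yes`, which the eBPF build rule later runs as `${CLANG}`. Only the value `no` is tested for elsewhere in this series (`test "$CLANG" != no`). Handling it in the action, e.g. `[AS_IF([test "x$withval" = xyes], [AC_PATH_PROG([CLANG],[clang])], [CLANG="$withval"])]`, avoids that, and the help text is better written as `[AS_HELP_STRING([--with-clang=PATH],[clang binary used to build eBPF files])]`. The added `AC_SUBST([CLANG])` repeats the context line just above the insertion and can be dropped.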
@@ -0,0 +1,43 @@
+From: Arturo Borrero Gonzalez <arturo@debian.org>
+Subject: Debian default configuration
+ This patch sets Debian defaults for suricata configuration.
+ .
+ Currently, it sets a proper path for suricata unix socket.
+Forwarded: not-needed
+Last-Update: 2016-12-01
+
+--- a/suricata.yaml.in
++++ b/suricata.yaml.in
+@@ -1291,8 +1291,8 @@
+ # activated in live capture mode. You can use the filename variable to set
+ # the file name of the socket.
+ unix-command:
+- enabled: auto
+- #filename: custom.socket
++ enabled: yes
++ filename: @e_localstatedir@suricata-command.socket
+
+ # Magic file. The extension .mgc is added to the value here.
+ #magic-file: /usr/share/file/magic
+--- a/src/unix-manager.c
++++ b/src/unix-manager.c
+@@ -57,7 +57,7 @@
+ # endif
+ #endif
+
+-#define SOCKET_PATH LOCAL_STATE_DIR "/run/suricata/"
++#define SOCKET_PATH LOCAL_STATE_DIR "/"
+ #define SOCKET_FILENAME "suricata-command.socket"
+ #define SOCKET_TARGET SOCKET_PATH SOCKET_FILENAME
+
+--- a/configure.ac
++++ b/configure.ac
+@@ -2566,7 +2566,7 @@
+ EXPAND_VARIABLE(localstatedir, e_logfilesdir, "/log/suricata/files")
+ EXPAND_VARIABLE(localstatedir, e_logcertsdir, "/log/suricata/certs")
+ EXPAND_VARIABLE(sysconfdir, e_sysconfdir, "/suricata/")
+- EXPAND_VARIABLE(localstatedir, e_localstatedir, "/run/suricata")
++ EXPAND_VARIABLE(localstatedir, e_localstatedir, "/run/")
+ EXPAND_VARIABLE(datadir, e_datarulesdir, "/suricata/rules")
+ EXPAND_VARIABLE(localstatedir, e_datadir, "/lib/suricata/data")
+ EXPAND_VARIABLE(localstatedir, e_defaultruledir, "/lib/suricata/rules")
diff --git a/debian/patches/fix-repeated-builds.patch b/debian/patches/fix-repeated-builds.patch
new file mode 100644
index 0000000..c389a60
--- /dev/null
+++ b/debian/patches/fix-repeated-builds.patch
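Review bot: debian-default-cfg.patch turns the command socket on unconditionally (`enabled: yes`) and moves it out of the dedicated `/run/suricata/` directory into the shared run directory, so access to the control channel then rests only on the socket file's own owner and mode; how `unix-manager.c` sets those is not visible in this hunk and should be confirmed. The compiled-in default also looks inconsistent with the YAML value: `SOCKET_PATH` becomes `LOCAL_STATE_DIR "/"` while `e_localstatedir` expands to `localstatedir` plus `/run/`, so the two agree only if `LOCAL_STATE_DIR` already ends in `/run`, which depends on a definition outside the hunk. The patch header could state the change explicitly, for example `This enables the unix command socket in every run mode and places it directly in the run directory.`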
@@ -0,0 +1,16 @@
+Description: do not clean vendor directory on distclean
+ dh_auto_clean calls make distclean, which in the case of Suricata also
+ removes the vendor directory. This breaks repeated builds.
+Author: Sascha Steinbiss <satta@debian.org>
+Last-Update: 2018-12-26
+--- a/rust/Makefile.am
++++ b/rust/Makefile.am
+@@ -69,7 +69,7 @@
+ rm -f Cargo.lock
+
+ maintainer-clean-local:
+- rm -rf vendor gen
++ rm -rf gen
+
+ check:
+ CARGO_HOME="$(CARGO_HOME)" @rustup_home@ \
diff --git a/debian/patches/import-sockio-h.patch b/debian/patches/import-sockio-h.patch
new file mode 100644
index 0000000..83d8743
--- /dev/null
+++ b/debian/patches/import-sockio-h.patch
@@ -0,0 +1,16 @@
+From: Eric Leblond <eric@regit.org>
+Date: Wed, 17 Jul 2019 12:35:12 +0200
+Subject: [PATCH] af-packet: fix build on recent Linux kernels
+--- a/src/source-af-packet.c
++++ b/src/source-af-packet.c
+@@ -72,6 +72,10 @@
+ #include <linux/sockios.h>
+ #endif
+
++#if HAVE_LINUX_SOCKIOS_H
++#include <linux/sockios.h>
++#endif
++
+ #ifdef HAVE_PACKET_EBPF
+ #include <bpf/libbpf.h>
+ #include <bpf/bpf.h>
diff --git a/debian/patches/llc.patch b/debian/patches/llc.patch
new file mode 100644
index 0000000..dc0bf38
--- /dev/null
+++ b/debian/patches/llc.patch
@@ -0,0 +1,20 @@
+--- a/configure.ac
++++ b/configure.ac
+@@ -473,11 +473,12 @@
+ [
+ AS_IF([test "$CLANG" != no],
+ [
+- llc_candidates=$($CLANG --version | sed -e 's/.*clang version/clang version/' | \
+- awk '/^clang version/ {
+- split($3, v, ".");
+- printf("llc-%s.%s llc-%s llc", v[[1]], v[[2]], v[[1]])
+- }')
++ #llc_candidates=$($CLANG --version | sed -e 's/.*clang version/clang version/' | \
++ # awk '/^clang version/ {
++ # split($3, v, ".");
++ # printf("llc-%s.%s llc-%s llc", v[[1]], v[[2]], v[[1]])
++ # }')
++ llc_candidates=llc
+ AC_CHECK_PROGS([LLC], [$llc_candidates], "no")
+ if test "$LLC" = "no"; then
+ AC_MSG_ERROR([unable to find any of $llc_candidates needed to build ebpf files])
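Review bot: The block that import-sockio-h.patch adds to `src/source-af-packet.c` sits directly below context lines that already read `#include <linux/sockios.h>` and `#endif`, so the include appears to be present already; the opening of that earlier conditional is outside the hunk. If it is the same `HAVE_LINUX_SOCKIOS_H` guard, this patch is redundant against the packaged upstream version and can be removed from `series`. If it is kept, `#ifdef HAVE_LINUX_SOCKIOS_H` matches the `#ifdef HAVE_PACKET_EBPF` style used just below and does not trip `-Wundef` when the macro is absent.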
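Review bot: llc.patch leaves the old version probe in `configure.ac` as five commented-out lines and carries no description header, so the reason for pinning `llc_candidates=llc` is not recorded anywhere. With the probe gone, the unversioned `llc` found on PATH may come from a different LLVM release than the compiler selected through `CLANG`, and a mismatch would presumably surface only when the generated IR is compiled. I would delete the commented lines rather than keep them, and add `Description:` and `Forwarded:` headers to the patch stating why the versioned names are not wanted.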
diff --git a/debian/patches/no-use-gnu.patch b/debian/patches/no-use-gnu.patch
new file mode 100644
index 0000000..c6d12d9
--- /dev/null
+++ b/debian/patches/no-use-gnu.patch
@@ -0,0 +1,28 @@
+Description: Don't use __USE_GNU
+ __USE_GNU is a glibc-internal symbol.
+ AC_USE_SYSTEM_EXTENSIONS is the proper autoconf
+ way to enable extensions.
+Author: Adrian Bunk <bunk@debian.org>
+
+--- a/configure.ac
++++ b/configure.ac
+@@ -6,6 +6,7 @@
+ AM_INIT_AUTOMAKE([tar-ustar subdir-objects])
+
+ AC_LANG([C])
++ AC_USE_SYSTEM_EXTENSIONS
+ LT_INIT
+ PKG_PROG_PKG_CONFIG
+
+--- a/src/suricata-common.h
++++ b/src/suricata-common.h
+@@ -33,9 +33,6 @@
+ #define TRUE 1
+ #define FALSE 0
+
+-#define _GNU_SOURCE
+-#define __USE_GNU
+-
+ #if defined(__clang_analyzer__)
+ /* clang analyzer acts as DEBUG_VALIDATION in some places, so
+ * force this so #ifdef DEBUG_VALIDATION code gets included */
diff --git a/debian/patches/reproducible.patch b/debian/patches/reproducible.patch
new file mode 100644
index 0000000..3995731
--- /dev/null
+++ b/debian/patches/reproducible.patch
@@ -0,0 +1,21 @@
+From: Arturo Borrero Gonzalez <arturo@debian.org>
+Subject: Patch to make the suricata build reproducible
+ This patch makes some changes to the suricata build to make it reproducible
+ .
+ Currently, it only filters out the -fdebug-prefix-map CFLAG which embeds
+ the build path.
+Forwarded: not-needed
+Last-Update: 2016-09-05
+
+--- a/configure.ac
++++ b/configure.ac
+@@ -2699,7 +2699,8 @@
+ echo
+ echo "$SURICATA_BUILD_CONF"
+ echo "printf(" >src/build-info.h
+-echo "$SURICATA_BUILD_CONF" | sed -e 's/^/"/' | sed -e 's/$/\\n"/' >>src/build-info.h
++echo "$SURICATA_BUILD_CONF" | sed -e 's/^/"/' | sed -e 's/$/\\n"/' \
++ | sed 's/-fdebug-prefix-map=.*=. //' >>src/build-info.h
+ echo ");" >>src/build-info.h
+
+ echo "
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..8d1cf89
--- /dev/null
+++ b/debian/patches/series
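Review bot: With `#define _GNU_SOURCE` removed from `src/suricata-common.h` by no-use-gnu.patch, the feature macro now arrives only through the configure-generated header, so any source file that includes a system header before that generated header silently loses the GNU extensions. Where the generated header is included is not visible in this hunk and should be checked for `suricata-common.h` and for files that do not go through it. A comment at the removal site, such as `/* _GNU_SOURCE now comes from the configure-generated header (AC_USE_SYSTEM_EXTENSIONS); include it before any system header */`, would keep that ordering requirement visible.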
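Review bot: The filter added by reproducible.patch, `sed 's/-fdebug-prefix-map=.*=. //'`, is greedy and its final `.` is unescaped, so the match runs to the last `=` followed by any character and a space on the line instead of stopping at the end of the one option. If the flags line also carries something like a `-D…=N ` definition after the prefix map, every flag in between is removed from `src/build-info.h`, which makes the recorded build flags (hardening options included) unreliable for a later audit. Restricting the match to a single token fixes that: `sed 's/-fdebug-prefix-map=[^ ]*=\. //'`. The content of `SURICATA_BUILD_CONF` is not shown in this hunk, so the exact effect should be checked on a real build.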
@@ -0,0 +1,10 @@
+reproducible.patch
+debian-default-cfg.patch
+cross.patch
+no-use-gnu.patch
+fix-repeated-builds.patch
+configure-clang-variable.patch
+with-ebpf-includes.patch
+import-sockio-h.patch
+avoid-to-include-if_tunnel-h.patch
+llc.patch
diff --git a/debian/patches/with-ebpf-includes.patch b/debian/patches/with-ebpf-includes.patch
new file mode 100644
index 0000000..28b65c9
--- /dev/null
+++ b/debian/patches/with-ebpf-includes.patch
@@ -0,0 +1,41 @@
+From: Hilko Bengen <bengen@debian.org>
+Date: Tue, 23 Jul 2019 14:43:21 +0200
+Subject: Add --with-ebpf-includes parameter
+
+---
+ configure.ac | 4 ++++
+ ebpf/Makefile.am | 3 +--
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+--- a/configure.ac
++++ b/configure.ac
+@@ -485,6 +485,10 @@
+ AC_SUBST(LLC)
+ ],
+ [AC_MSG_ERROR([clang needed to build ebpf files])])
++ AC_ARG_WITH(ebpf_includes,
++ [ --with-ebpf-includes=DIR include directory for building eBPF programs],
++ [AC_SUBST([ebpf_includes],["$withval"])],
++ [AC_SUBST([ebpf_includes],["/usr/include/${build_alias}"])])
+ ])
+
+ # enable debug output
+--- a/ebpf/Makefile.am
++++ b/ebpf/Makefile.am
+@@ -4,7 +4,7 @@
+ if BUILD_EBPF
+
+ # Maintaining a local copy of UAPI linux/bpf.h
+-BPF_CFLAGS = -Iinclude
++BPF_CFLAGS = -Iinclude -I$(ebpf_includes)
+
+ BPF_TARGETS = lb.bpf
+ BPF_TARGETS += filter.bpf
+@@ -19,7 +19,6 @@
+ $(BPF_TARGETS): %.bpf: %.c
+ # From C-code to LLVM-IR format suffix .ll (clang -S -emit-llvm)
+ ${CLANG} -Wall $(BPF_CFLAGS) -O2 \
+- -I/usr/include/$(build_cpu)-$(build_os)/ \
+ -D__KERNEL__ -D__ASM_SYSREG_H \
+ -target bpf -S -emit-llvm $< -o ${@:.bpf=.ll}
+ # From LLVM-IR to BPF-bytecode in ELF-obj file |
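Review bot: The default in with-ebpf-includes.patch, `"/usr/include/${build_alias}"`, collapses to `/usr/include/` whenever configure is run without `--build`, because `build_alias` is only set from that option; `BPF_CFLAGS` then gets `-I/usr/include/` and the eBPF objects are presumably compiled against the generic system headers rather than the per-architecture directory that the removed `-I/usr/include/$(build_cpu)-$(build_os)/` line pointed at. Defaulting to `"/usr/include/${build_cpu}-${build_os}"` keeps the old behaviour when no option is given. `--without-ebpf-includes` also sets `withval` to `no`, which would yield `-Ino`, so the given-action should reject `yes` and `no`.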