net-mgmt/p0f: add rc script

Added rc script to run p0f in daemon mode as as unprivileged user.
That is useful to provide access to p0f API via unix socket for
various clients (e.g. anti-spam filters like rspamd, haraka-plugin-p0f,
etc.).

PR:		240712
Submitted by:	Alexander Moisseev <moiseev@mezonplus.ru>

GIDs

@@ -792,7 +792,7 @@ graylog:*:848:
 chronyd:*:849:
 qbittorrent:*:850:
 cassandra:*:851:
-# free: 852
+p0f:*:852:
 _geodns:*:853:
 # free: 854
 # free: 855

UIDs

@@ -797,7 +797,7 @@ graylog:*:848:848::0:0:Graylog user:/nonexistent:/usr/sbin/nologin
 chronyd:*:849:849::0:0:chronyd user:/nonexistent:/usr/sbin/nologin
 qbittorrent:*:850:850::0:0:qBittorrent Daemon User:/var/db/qbittorrent/conf:/usr/sbin/nologin
 cassandra:*:851:851::0:0:Cassandra DB Daemon User:/var/db/cassandra:/usr/sbin/nologin
-# free: 852
+p0f:*:852:852::0:0:p0f unprivileged user:/var/empty:/usr/sbin/nologin
 _geodns:*:853:853::0:0:GeoDNS User:/var/empty:/usr/sbin/nologin
 # free: 854
 # free: 855

net-mgmt/p0f/Makefile

@@ -3,16 +3,22 @@
 
 PORTNAME=	p0f
 PORTVERSION=	3.09b
+PORTREVISION=	1
 CATEGORIES=	net-mgmt security
 MASTER_SITES=	http://lcamtuf.coredump.cx/p0f3/releases/ \
 		http://fossies.org/unix/privat/
-EXTRACT_SUFX=	.tgz
 
 MAINTAINER=	pi@FreeBSD.org
 COMMENT=	Passive OS fingerprinting tool
 
 LICENSE=	LGPL21
 
+USES=		tar:tgz
+USE_RC_SUBR=	p0f
+
+USERS=		p0f
+GROUPS=		p0f
+
 PLIST_FILES=	bin/p0f bin/p0f-client bin/p0f-sendsyn \
 		bin/p0f-sendsyn6 etc/p0f.fp
 PORTDOCS=	ChangeLog README TODO existential-notes.txt \

net-mgmt/p0f/files/p0f.in

@@ -0,0 +1,76 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# PROVIDE: p0f
+# REQUIRE: LOGIN
+# KEYWORD: shutdown
+
+# Add the following lines to /etc/rc.conf.local or /etc/rc.conf
+# to enable this service:
+
+# p0f_enable (bool):	Set it to YES to enable p0f.
+#			Default: NO.
+#
+# p0f_user (str)	User to drop privileges and change to.
+#			Default: p0f.
+#
+# p0f_sock (path):	Path to socket used to communicate with p0f.
+#			Default: /var/run/p0f.sock
+#
+# p0f_db (path):	Location of fingerprint db.
+#			Default: %%PREFIX%%/etc/p0f.fp
+#
+# p0f_flags (str):	Options passed to the p0f daemon.
+#			Default: "-d -u ${p0f_user} -s ${p0f_sock} -f ${p0f_db}"
+#
+# command_args (str):	Optional pcap-style traffic filtering rules.
+#			See p0f README for details.
+
+. /etc/rc.subr
+
+name="p0f"
+rcvar=p0f_enable
+
+load_rc_config "$name"
+
+: ${p0f_enable:="NO"}
+: ${p0f_user:="p0f"}
+: ${p0f_sock:="/var/run/${name}.sock"}
+: ${p0f_db:="%%PREFIX%%/etc/p0f.fp"}
+: ${p0f_flags:="-d -u ${p0f_user} -s ${p0f_sock} -f ${p0f_db}"}
+
+command="%%PREFIX%%/bin/${name}"
+
+pidfile="/var/run/${name}.pid"
+required_files="${p0f_db}"
+
+start_cmd="${name}_start"
+stop_postcmd="rm -f ${p0f_sock} $pidfile"
+
+extra_commands="reload"
+
+p0f_get_pid() {
+	PID=$(/bin/ps waux | /usr/bin/grep ${command} | /usr/bin/grep -v grep | /usr/bin/grep ${p0f_sock} | /usr/bin/awk '{print $2}')
+}
+
+p0f_start() {
+	p0f_get_pid
+	if [ -z "${PID}" ] ; then
+		echo "Starting ${name}."
+		if [ ! -z "${command_args}" ] ; then
+			${command} ${p0f_flags} "${command_args}"
+		else
+			${command} ${p0f_flags}
+		fi
+		if [ ! -z "${pidfile}" ] ; then
+			p0f_get_pid
+			[ -z "${PID}" ] || echo ${PID} > ${pidfile}
+		fi
+	else
+		echo "${name} already running? (pid=${PID})."
+	fi
+}
+
+run_rc_command "$1"