authorV3n3RiX <venerix@koprulu.sector>2024-02-20 11:40:01 +0000
committerV3n3RiX <venerix@koprulu.sector>2024-02-20 11:40:01 +0000
commitd6ecedbb65041ed35010095376e87dd7de4270c5 (patch)
treef00964f121a5ec52d2f3d1fd00a8f3eb52f9c756 /net-firewall/nftables
parent89a009d7439343e207e8c7e4df1a28adecafeffe (diff)
gentoo auto-resync : 20:02:2024 - 11:40:01
Diffstat (limited to 'net-firewall/nftables')
-rw-r--r--net-firewall/nftables/Manifest10
-rw-r--r--net-firewall/nftables/files/nftables-1.0.8-fix-regression-evaluate.patch235
-rw-r--r--net-firewall/nftables/metadata.xml1
-rw-r--r--net-firewall/nftables/nftables-1.0.7-r1.ebuild232
-rw-r--r--net-firewall/nftables/nftables-1.0.8-r1.ebuild217
-rw-r--r--net-firewall/nftables/nftables-1.0.8-r2.ebuild223
6 files changed, 1 insertions, 917 deletions
diff --git a/net-firewall/nftables/Manifest b/net-firewall/nftables/Manifest
index 0dfa50c26bc2..980f347a01c7 100644
--- a/net-firewall/nftables/Manifest
+++ b/net-firewall/nftables/Manifest
@@ -1,21 +1,13 @@
AUX libexec/nftables-mk.sh 1070 BLAKE2B 30d8109d74e7d8c4f51c753f676f91a1902ad42f6d68662f1191ff73d2a43a1bf49fb795f3763705f8aeb0a4f22cab0006a943e01adb188f1ef9eb05125dfdbd SHA512 a14e48f014f75c7e611bf2a653d9760804754febd1ae4543f78abbfbe60c79f5aa07c5fd53fe26bb74b48fcb8cb8aa78274771212e41c42db031e8c8ba7e81d2
AUX libexec/nftables.sh 3665 BLAKE2B 74362a4425e974e74e7b895980002f0ded2ecbb4731bbf956edb56ffb9f1ad394802c4eeab3af3735eba4d8e71572a5663e564ce4e7fad76c9715043b90c1b43 SHA512 6cb1ac0928ae2da5c69764d45c52a661a6d72698bb9edd6a603580d2f9bd82b59f2a2661e7569ade3a3b729459d115004f251ad6a5eac8cdf1d38c65bfa9349e
AUX man-pages/gen-manpages.bash 1797 BLAKE2B c93cc311570abd674a12eb88711cf01664f437b8dc0fb4de36194f36671d92c35e04fcff6c56adcb0e642f089169f63ef063736398584e5e7ce799bf55acf2ff SHA512 ea3291412ce13d9dd463403fcc11c665c9de63edaabdecaf55e051b52b0ff845c9c7d63a6c4c08e4d2d94428815fe11daf9b7390081b4e9de4774e188b9ea677
-AUX nftables-1.0.8-fix-regression-evaluate.patch 6903 BLAKE2B a211c8765e1d2181bce6dcd45ae5c9e9dc5b73daa00577ea9d192d92dd5546976dc42a64381ad37ddb9fe18ad330c68a5bd0faa49648a97f66444c7e8aacd97d SHA512 0072853d07c89bb0f5f92a224b761e3ce9724b4a8712024e3d0abf881ba4964f3e85e5680f660b5565a551aa9b5b4106eed3ba8affbe9db02358292127971daf
AUX nftables-mk.confd 899 BLAKE2B f4c3d82fbae87fb0d755af786a98db591b6a667cf33660ba9275ada2e6417fad1899a7f29762f23c112fc5c9e178bc7590c3b2ba26617853c3577917bd7d3edf SHA512 505ed05674a04367f1a3d5cf6447596ad1c3b2e9c920697f12f58a20d94c2a39b0041bb4911678511c4548566a69d964661d4afc3e7e27997943b875f204c602
AUX nftables-mk.init-r1 1970 BLAKE2B 9ece7da364eac76ef2ac401f4cc3ed558e926e8f07ab43f084de819098e9543bda0a9a8d40375e4e01dd6e53b92d744acf8f3caaeab1c3678ca84b1f48d59685 SHA512 9f1e491ba5fd8a1173eb055bfa5a0de3c040c158e7d54848fcd373a5f4c4041df6fb9ddc5b0e8fdfd78243665c627b8767816bcf94dd142b441b21227206fef3
AUX nftables.confd 655 BLAKE2B 5512be1edd43e270941de3d9b66fda69e4afd7c7e6e970b232a044c2fd64f8e50b9b55a4fe670174c3eabf3d176ee0158c1043baec4b76b0802e7e97bc862fcf SHA512 8370abcdc89fcd9da5dc7d1620be6afb4633b8bcd0a8a120b464cc1a7e1fab6f34956c293da3f6d3cbe1f7a2e03038fd0c94a614137ae5657d29ffdb5f3fa144
AUX nftables.init-r1 2279 BLAKE2B 1c4c28ea5b6a22905b3ec7de8e54726933b579352ecd799b7641384a138ffa2d4a2deb87d84ef5d75a43ae30759f1550d611c2560096bb5083cae9bb834be2bb SHA512 2165223bfd4f300b9cc01f604347fc5167f68515174b0d116b667bd05f4baf8c2f931e482f632975a8be371c2147951d9407f397ea4dbcbac79a6738cbd23015
AUX systemd/nftables-restore.service 394 BLAKE2B 1c1f358eb2eff789e68c051098c971f11a8df6621c3c919e30a1ec1213f6db822c390609c01827fe9fc75c540effa3e3a7b6f93bd24e16ea19841bbfaab796ed SHA512 18da6a770bb3e94fd6b2c9e6f033450aaff9fe886c8846f780d08a21e2fc884ac078652743b50b3d4ea8c9500f92d272bdd27e2881e438c2b223d40816c100a0
-DIST nftables-1.0.7.tar.xz 857140 BLAKE2B 972adbb958f36b300618ce03fbbfc1fdb6fd55a3512227e4bc1fd71365be5cc8d3ee105424e8cc513588100bf00d5e69486310435efb2b0d3f5d464ed6999859 SHA512 063f3a42327fd4dca9214314c7e7bcc7310f2ccbbce4c36f86a291d61d443f94b0f91435ecd04eb757596df8be91a802daeef394ba422c3623a81b2917e01116
-DIST nftables-1.0.7.tar.xz.sig 566 BLAKE2B 53abe2598e9b362912d3e2e94ea6e04352d0484b9d1d645c8f18b6133be53d63a8d71d500e57528a57aededb84dedaf61010236afda560b16e7642db45e2f45c SHA512 b5821aa6939dc5b4d16065d9d7083e4ff40b9f99417354efbcbc95a8ccde43108b99a5b8a75a24086cd3df2291a049cad3adb7b06e2c098f0eb7861f85c5c768
-DIST nftables-1.0.8.tar.xz 882980 BLAKE2B cdf174846cbc3e581993cdee3a24e5ead3fdbb3d6b24d51473ed88affb7fcf70279a8374a4963b31044a9e64cb72ddb28ca1f1686bbaa3101eed4d623fb67d05 SHA512 06053c05a0d7c84a5cc4d22733836dadf9880c3552df3dace6d30aea95c7e1edb5528ea45df8576f282c15bf58f23407e26efb22257bd98a478849a8bdd4f8d5
-DIST nftables-1.0.8.tar.xz.sig 566 BLAKE2B 2f22b9467a55a46ec9e8caf13efe3cd59a6a1a867174602b583549ccaff54576b5f80b5ad9b1cefd208c3f49bc6ce07072626218f479628df369ed7294e1b83b SHA512 0ddd8f29dc5ba891069c63715719f11c0a4745f1e3cd9cd7f9e388ac35835cfbe8f34b371a2ce2a06cbda42384cc72d0bf57746fb02757d68a9b053bbbd67a77
DIST nftables-1.0.9.tar.xz 971968 BLAKE2B 1dfd1e79d3a7b645fd0995dad10893d70dbd13c92805c5cf30825acbbeb45071b2095072cecbd14b4f66cf0c284d2937a996c6b8013213438f53b92731af039d SHA512 dc34099658e283d9fd4d06264b593710121074558305ea23ab298c5f6a6b564a826f186241b6e106fbaa4e11160cf77e68bb52b4ce401b28d8d2e403cd4b88e8
DIST nftables-1.0.9.tar.xz.sig 566 BLAKE2B d4bb0a1f629d2950753799fba18f6c3ce50e5ff242816e392245a714bfeccb3408583added4362f1e0da47cc6e30b0b95f864cf8443a1872d59ae40b15b5f706 SHA512 9b96ce8539700713ff4802fb2deff5b2ea0dd3155c45f5a8f49a45f70226893c7449e0b79504833b2e63e5290290e693c962128a226ca8f6ca281185bdcd7b51
-EBUILD nftables-1.0.7-r1.ebuild 6835 BLAKE2B 4a6ab7443ed492eb1029c3f6a065101a85b92a87b8cfe872e7ed1d9a9fd44c3a56be38f7295bb5c881521a783cc55ad3fd8883fd6d76ccd8c96374a7eefabf11 SHA512 6e8c6a6e12a55bcb32c697658445d5e33453dc252fb2260187c0b513a0356663e0e491beb2901c0edc89ee0573499dc1dbb5342c3569031ccaf8cb95bddf2f21
-EBUILD nftables-1.0.8-r1.ebuild 6452 BLAKE2B 97ddb81c64df8e81900eb6c41818c484669cbd462c1b4f5a0360cc867637f30e4df4f31c34e680b12e0a5174988004887b61b2eead5d460c5a4b90b09ca911ec SHA512 edb90cfaf1474698b9a68be020627fbfacac7a275b8ebda497e958708019e3f0a357ea826ec654c9d774689716139295ace2b0cf0879f7bd6f8b9d82b46cf699
-EBUILD nftables-1.0.8-r2.ebuild 6512 BLAKE2B 809ade4a868b3307db5088208fbe3339864c977890fe9c6e2545df6c3426189106bcfc8d64ddd03e1344237902c9f64d8ffabf4106a8ce6b55f5be8c4911d1cf SHA512 10dd618102a51036105c2aa2eb2931a6c0c63142d540e3e124f098cb7299d65ee054eb87e134bcccb85cbc2f64102ebe8b25bca0367297933748b520f6cd1aef
EBUILD nftables-1.0.9.ebuild 6478 BLAKE2B 6a2b1299a1f12d13a24021019b5134294b64f46e87dbbe3419127777f1959eb2b608aab5203a24e7efb5ea7f5fbc35eb9a361bc92d7abc8dd6de34c1be5f527b SHA512 26fce18a97ddca1eb163f22d304f04b70d765a39d36e8b2d9ddaa8233835bbb83fd76631bae5a2db0890947095136bccf45b75c0df414b0870a4756ebda26843
EBUILD nftables-9999.ebuild 6486 BLAKE2B ff3058cc2be5b26e39f6669d587d56f53db08a31aae5a6149450c1b98554ce4895e34754c24b5423b5ce5be007ad81d581230c6b69f50660b515f5574e78f727 SHA512 ab875fbab2efb4c89116e26e2da961ba000c89057c930bf23be26f4d4a41eea833758e196cd0fa9a78402e5d01f89640fefab4822acce2f06012e970f8948525
-MISC metadata.xml 933 BLAKE2B 8e76ce489c41dcc01e222d77af40f2ba5cb7ddffc2bc818c6fc8c16e24dc308c125ce4d78db1647e77af96f32c85dd3391f7079e2cee26c129c56557e0c48c8a SHA512 058d38df1dbb2c1d0e611bd992f37498d3977561c3b34846fdf0d569573f2ef93a29a216ab491e583cfc2399c55c839d256dfcf8b1d7aaba63ed6ea90f22df25
+MISC metadata.xml 824 BLAKE2B 141fb69b52c99b995ae70254175a0e9d9547994b284bc5285e1c556b74c6b3cd0f4d65b34a67eff660baf2ab8dd9b353cc6e7494517ee59c8c153d9b805b3cbc SHA512 b76c748da850aaca6e62ce3fba6bb48066ec61195618b2222f8395e503b29d41ed41b054d8d40f06b06ba578ef13405e92e1ec90b20b8125aa261a63a7b83cab
diff --git a/net-firewall/nftables/files/nftables-1.0.8-fix-regression-evaluate.patch b/net-firewall/nftables/files/nftables-1.0.8-fix-regression-evaluate.patch
deleted file mode 100644
index 1b81ab0e6ef2..000000000000
--- a/net-firewall/nftables/files/nftables-1.0.8-fix-regression-evaluate.patch
+++ /dev/null
@@ -1,235 +0,0 @@
-https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230719001444.154070-1-pablo@netfilter.org/
-https://git.netfilter.org/nftables/commit/?id=5f1676ac9f1aeb36d7695c3c354dade013a1e4f3
-
-From 5f1676ac9f1aeb36d7695c3c354dade013a1e4f3 Mon Sep 17 00:00:00 2001
-From: Pablo Neira Ayuso <pablo@netfilter.org>
-Date: Tue, 18 Jul 2023 23:10:01 +0200
-Subject: meta: stash context statement length when generating payload/meta
- dependency
-
-... meta mark set ip dscp
-
-generates an implicit dependency from the inet family to match on meta
-nfproto ip.
-
-The length of this implicit expression is incorrectly adjusted to the
-statement length, ie. relational to compare meta nfproto takes 4 bytes
-instead of 1 byte. The evaluation of 'ip dscp' under the meta mark
-statement triggers this implicit dependency which should not consider
-the context statement length since it is added before the statement
-itself.
-
-This problem shows when listing the ruleset, since netlink_parse_cmp()
-where left->len < right->len, hence handling the implicit dependency as
-a concatenation, but it is actually a bug in the evaluation step that
-leads to incorrect bytecode.
-
-Fixes: 3c64ea7995cb ("evaluate: honor statement length in integer evaluation")
-Fixes: edecd58755a8 ("evaluate: support shifts larger than the width of the left operand")
-Tested-by: Brian Davidson <davidson.brian@gmail.com>
-Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---- a/src/payload.c
-+++ b/src/payload.c
-@@ -409,6 +409,7 @@ static int payload_add_dependency(struct eval_ctx *ctx,
- const struct proto_hdr_template *tmpl;
- struct expr *dep, *left, *right;
- struct proto_ctx *pctx;
-+ unsigned int stmt_len;
- struct stmt *stmt;
- int protocol;
-
-@@ -429,11 +430,16 @@ static int payload_add_dependency(struct eval_ctx *ctx,
- constant_data_ptr(protocol, tmpl->len));
-
- dep = relational_expr_alloc(&expr->location, OP_EQ, left, right);
-+
-+ stmt_len = ctx->stmt_len;
-+ ctx->stmt_len = 0;
-+
- stmt = expr_stmt_alloc(&dep->location, dep);
- if (stmt_evaluate(ctx, stmt) < 0) {
- return expr_error(ctx->msgs, expr,
- "dependency statement is invalid");
- }
-+ ctx->stmt_len = stmt_len;
-
- if (ctx->inner_desc) {
- if (tmpl->meta_key)
-@@ -543,6 +549,7 @@ int payload_gen_dependency(struct eval_ctx *ctx, const struct expr *expr,
- const struct hook_proto_desc *h;
- const struct proto_desc *desc;
- struct proto_ctx *pctx;
-+ unsigned int stmt_len;
- struct stmt *stmt;
- uint16_t type;
-
-@@ -559,12 +566,18 @@ int payload_gen_dependency(struct eval_ctx *ctx, const struct expr *expr,
- "protocol specification is invalid "
- "for this family");
-
-+ stmt_len = ctx->stmt_len;
-+ ctx->stmt_len = 0;
-+
- stmt = meta_stmt_meta_iiftype(&expr->location, type);
- if (stmt_evaluate(ctx, stmt) < 0) {
- return expr_error(ctx->msgs, expr,
- "dependency statement is invalid");
- }
- *res = stmt;
-+
-+ ctx->stmt_len = stmt_len;
-+
- return 0;
- }
-
---- a/tests/py/inet/meta.t
-+++ b/tests/py/inet/meta.t
-@@ -25,3 +25,8 @@ meta mark set ct mark >> 8;ok
- meta mark . tcp dport { 0x0000000a-0x00000014 . 80-90, 0x00100000-0x00100123 . 100-120 };ok
- ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 1.2.3.6-1.2.3.8 . 0x00000200-0x00000300 };ok
- ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 5.6.7.8 . 0x00000200 };ok
-+
-+meta mark set ip dscp;ok
-+meta mark set ip dscp | 0x40;ok
-+meta mark set ip6 dscp;ok
-+meta mark set ip6 dscp | 0x40;ok
---- a/tests/py/inet/meta.t.json
-+++ b/tests/py/inet/meta.t.json
-@@ -440,3 +440,89 @@
- }
- ]
-
-+# meta mark set ip dscp
-+[
-+ {
-+ "mangle": {
-+ "key": {
-+ "meta": {
-+ "key": "mark"
-+ }
-+ },
-+ "value": {
-+ "payload": {
-+ "field": "dscp",
-+ "protocol": "ip"
-+ }
-+ }
-+ }
-+ }
-+]
-+
-+# meta mark set ip dscp | 0x40
-+[
-+ {
-+ "mangle": {
-+ "key": {
-+ "meta": {
-+ "key": "mark"
-+ }
-+ },
-+ "value": {
-+ "|": [
-+ {
-+ "payload": {
-+ "field": "dscp",
-+ "protocol": "ip"
-+ }
-+ },
-+ 64
-+ ]
-+ }
-+ }
-+ }
-+]
-+
-+# meta mark set ip6 dscp
-+[
-+ {
-+ "mangle": {
-+ "key": {
-+ "meta": {
-+ "key": "mark"
-+ }
-+ },
-+ "value": {
-+ "payload": {
-+ "field": "dscp",
-+ "protocol": "ip6"
-+ }
-+ }
-+ }
-+ }
-+]
-+
-+# meta mark set ip6 dscp | 0x40
-+[
-+ {
-+ "mangle": {
-+ "key": {
-+ "meta": {
-+ "key": "mark"
-+ }
-+ },
-+ "value": {
-+ "|": [
-+ {
-+ "payload": {
-+ "field": "dscp",
-+ "protocol": "ip6"
-+ }
-+ },
-+ 64
-+ ]
-+ }
-+ }
-+ }
-+]
-+
---- a/tests/py/inet/meta.t.payload
-+++ b/tests/py/inet/meta.t.payload
-@@ -133,3 +133,43 @@ inet test-inet input
- [ meta load mark => reg 9 ]
- [ lookup reg 1 set __set%d ]
-
-+# meta mark set ip dscp
-+inet test-inet input
-+ [ meta load nfproto => reg 1 ]
-+ [ cmp eq reg 1 0x00000002 ]
-+ [ payload load 1b @ network header + 1 => reg 1 ]
-+ [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
-+ [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ]
-+ [ meta set mark with reg 1 ]
-+
-+# meta mark set ip dscp | 0x40
-+inet test-inet input
-+ [ meta load nfproto => reg 1 ]
-+ [ cmp eq reg 1 0x00000002 ]
-+ [ payload load 1b @ network header + 1 => reg 1 ]
-+ [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
-+ [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ]
-+ [ bitwise reg 1 = ( reg 1 & 0xffffffbf ) ^ 0x00000040 ]
-+ [ meta set mark with reg 1 ]
-+
-+# meta mark set ip6 dscp
-+inet test-inet input
-+ [ meta load nfproto => reg 1 ]
-+ [ cmp eq reg 1 0x0000000a ]
-+ [ payload load 2b @ network header + 0 => reg 1 ]
-+ [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ]
-+ [ byteorder reg 1 = ntoh(reg 1, 2, 2) ]
-+ [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ]
-+ [ meta set mark with reg 1 ]
-+
-+# meta mark set ip6 dscp | 0x40
-+inet test-inet input
-+ [ meta load nfproto => reg 1 ]
-+ [ cmp eq reg 1 0x0000000a ]
-+ [ payload load 2b @ network header + 0 => reg 1 ]
-+ [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ]
-+ [ byteorder reg 1 = ntoh(reg 1, 2, 2) ]
-+ [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ]
-+ [ bitwise reg 1 = ( reg 1 & 0xffffffbf ) ^ 0x00000040 ]
-+ [ meta set mark with reg 1 ]
-+
---
-cgit v1.2.3
diff --git a/net-firewall/nftables/metadata.xml b/net-firewall/nftables/metadata.xml
index 9b4ce12e54e0..1fcc64724c1f 100644
--- a/net-firewall/nftables/metadata.xml
+++ b/net-firewall/nftables/metadata.xml
@@ -16,7 +16,6 @@
<use>
<flag name="doc">Create man pages for the package (requires <pkg>app-text/asciidoc</pkg>)</flag>
<flag name="json">Enable JSON support via <pkg>dev-libs/jansson</pkg></flag>
- <flag name="modern-kernel">Install init scripts for 3.18 or higher kernels with atomic rule updates</flag>
<flag name="xtables">Add libxtables support to try to automatically translate rules added by iptables-compat</flag>
</use>
</pkgmetadata>
diff --git a/net-firewall/nftables/nftables-1.0.7-r1.ebuild b/net-firewall/nftables/nftables-1.0.7-r1.ebuild
deleted file mode 100644
index d5054eca943d..000000000000
--- a/net-firewall/nftables/nftables-1.0.7-r1.ebuild
+++ /dev/null
@@ -1,232 +0,0 @@
-# Copyright 1999-2024 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-DISTUTILS_OPTIONAL=1
-PYTHON_COMPAT=( python3_{9..11} )
-VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/netfilter.org.asc
-inherit edo linux-info distutils-r1 systemd verify-sig
-
-DESCRIPTION="Linux kernel firewall, NAT and packet mangling tools"
-HOMEPAGE="https://netfilter.org/projects/nftables/"
-
-if [[ ${PV} =~ ^[9]{4,}$ ]]; then
- inherit autotools git-r3
- EGIT_REPO_URI="https://git.netfilter.org/${PN}"
- BDEPEND="app-alternatives/yacc"
-else
- SRC_URI="https://netfilter.org/projects/nftables/files/${P}.tar.xz
- verify-sig? ( https://netfilter.org/projects/nftables/files/${P}.tar.xz.sig )"
- KEYWORDS="amd64 arm arm64 hppa ~ia64 ~loong ~mips ppc ppc64 ~riscv sparc x86"
- BDEPEND="verify-sig? ( sec-keys/openpgp-keys-netfilter )"
-fi
-
-# See COPYING: new code is GPL-2+, existing code is GPL-2
-LICENSE="GPL-2 GPL-2+"
-SLOT="0/1"
-IUSE="debug doc +gmp json libedit +modern-kernel python +readline static-libs test xtables"
-RESTRICT="!test? ( test )"
-
-RDEPEND="
- >=net-libs/libmnl-1.0.4:=
- >=net-libs/libnftnl-1.2.5:=
- gmp? ( dev-libs/gmp:= )
- json? ( dev-libs/jansson:= )
- python? ( ${PYTHON_DEPS} )
- readline? ( sys-libs/readline:= )
- xtables? ( >=net-firewall/iptables-1.6.1:= )
-"
-
-DEPEND="${RDEPEND}"
-
-BDEPEND+="
- app-alternatives/lex
- virtual/pkgconfig
- doc? (
- app-text/asciidoc
- >=app-text/docbook2X-0.8.8-r4
- )
- python? ( ${PYTHON_DEPS} )
-"
-
-REQUIRED_USE="
- python? ( ${PYTHON_REQUIRED_USE} )
- libedit? ( !readline )
-"
-
-pkg_setup() {
- if kernel_is ge 3 13; then
- if use modern-kernel && kernel_is lt 3 18; then
- eerror "The modern-kernel USE flag requires kernel version 3.18 or newer to work properly."
- fi
- CONFIG_CHECK="~NF_TABLES"
- linux-info_pkg_setup
- else
- eerror "This package requires kernel version 3.13 or newer to work properly."
- fi
-}
-
-src_prepare() {
- default
-
- if [[ ${PV} =~ ^[9]{4,}$ ]] ; then
- eautoreconf
- fi
-
- if use python; then
- pushd py >/dev/null || die
- distutils-r1_src_prepare
- popd >/dev/null || die
- fi
-}
-
-src_configure() {
- local myeconfargs=(
- # We handle python separately
- --disable-python
- --disable-static
- --sbindir="${EPREFIX}"/sbin
- $(use_enable debug)
- $(use_enable doc man-doc)
- $(use_with !gmp mini_gmp)
- $(use_with json)
- $(use_with libedit cli editline)
- $(use_with readline cli readline)
- $(use_enable static-libs static)
- $(use_with xtables)
- )
- econf "${myeconfargs[@]}"
-
- if use python; then
- pushd py >/dev/null || die
- distutils-r1_src_configure
- popd >/dev/null || die
- fi
-}
-
-src_compile() {
- default
-
- if use python; then
- pushd py >/dev/null || die
- distutils-r1_src_compile
- popd >/dev/null || die
- fi
-}
-
-src_test() {
- emake check
-
- if [[ ${EUID} == 0 ]]; then
- edo tests/shell/run-tests.sh -v
- else
- ewarn "Skipping shell tests (requires root)"
- fi
-
- # Need to rig up Python eclass if using this, but it doesn't seem to work
- # for me anyway.
- #cd tests/py || die
- #"${EPYTHON}" nft-test.py || die
-}
-
-src_install() {
- default
-
- if ! use doc && [[ ! ${PV} =~ ^[9]{4,}$ ]]; then
- pushd doc >/dev/null || die
- doman *.?
- popd >/dev/null || die
- fi
-
- # Do it here instead of in src_prepare to avoid eautoreconf
- # rmdir lets us catch if more files end up installed in /etc/nftables
- dodir /usr/share/doc/${PF}/skels/
- mv "${ED}"/etc/nftables/osf "${ED}"/usr/share/doc/${PF}/skels/osf || die
- rmdir "${ED}"/etc/nftables || die
-
- local mksuffix="$(usex modern-kernel '-mk' '')"
-
- exeinto /usr/libexec/${PN}
- newexe "${FILESDIR}"/libexec/${PN}${mksuffix}.sh ${PN}.sh
- newconfd "${FILESDIR}"/${PN}${mksuffix}.confd ${PN}
- newinitd "${FILESDIR}"/${PN}${mksuffix}.init-r1 ${PN}
- keepdir /var/lib/nftables
-
- systemd_dounit "${FILESDIR}"/systemd/${PN}-restore.service
-
- if use python ; then
- pushd py >/dev/null || die
- distutils-r1_src_install
- popd >/dev/null || die
- fi
-
- find "${ED}" -type f -name "*.la" -delete || die
-}
-
-pkg_preinst() {
- local stderr
-
- # There's a history of regressions with nftables upgrades. Perform a
- # safety check to help us spot them earlier. For the check to pass, the
- # currently loaded ruleset, if any, must be successfully evaluated by
- # the newly built instance of nft(8).
- if [[ -n ${ROOT} ]] || [[ ! -d /sys/module/nftables ]] || [[ ! -x /sbin/nft ]]; then
- # Either nftables isn't yet in use or nft(8) cannot be executed.
- return
- elif ! stderr=$(umask 177; /sbin/nft -t list ruleset 2>&1 >"${T}"/ruleset.nft); then
- # Report errors induced by trying to list the ruleset but don't
- # treat them as being fatal.
- printf '%s\n' "${stderr}" >&2
- elif [[ ${stderr} == *"is managed by iptables-nft"* ]]; then
- # Rulesets generated by iptables-nft are special in nature and
- # will not always be printed in a way that constitutes a valid
- # syntax for ntf(8). Ignore them.
- return
- elif set -- "${ED}"/usr/lib*/libnftables.so; ! LD_LIBRARY_PATH=${1%/*} "${ED}"/sbin/nft -c -f -- "${T}"/ruleset.nft; then
- eerror "Your currently loaded ruleset cannot be parsed by the newly built instance of"
- eerror "nft. This probably means that there is a regression introduced by v${PV}."
- eerror "(To make the ebuild fail instead of warning, set NFTABLES_ABORT_ON_RELOAD_FAILURE=1.)"
- if [[ -n ${NFTABLES_ABORT_ON_RELOAD_FAILURE} ]] ; then
- die "Aborting because of failed nft reload!"
- fi
- fi
-}
-
-pkg_postinst() {
- local save_file
- save_file="${EROOT}"/var/lib/nftables/rules-save
-
- # In order for the nftables-restore systemd service to start
- # the save_file must exist.
- if [[ ! -f "${save_file}" ]]; then
- ( umask 177; touch "${save_file}" )
- elif [[ $(( "$( stat --printf '%05a' "${save_file}" )" & 07177 )) -ne 0 ]]; then
- ewarn "Your system has dangerous permissions for ${save_file}"
- ewarn "It is probably affected by bug #691326."
- ewarn "You may need to fix the permissions of the file. To do so,"
- ewarn "you can run the command in the line below as root."
- ewarn " 'chmod 600 \"${save_file}\"'"
- fi
-
- if has_version 'sys-apps/systemd'; then
- elog "If you wish to enable the firewall rules on boot (on systemd) you"
- elog "will need to enable the nftables-restore service."
- elog " 'systemctl enable ${PN}-restore.service'"
- elog
- elog "If you are creating firewall rules before the next system restart"
- elog "the nftables-restore service must be manually started in order to"
- elog "save those rules on shutdown."
- fi
-
- if has_version 'sys-apps/openrc'; then
- elog "If you wish to enable the firewall rules on boot (on openrc) you"
- elog "will need to enable the nftables service."
- elog " 'rc-update add ${PN} default'"
- elog
- elog "If you are creating or updating the firewall rules and wish to save"
- elog "them to be loaded on the next restart, use the \"save\" functionality"
- elog "in the init script."
- elog " 'rc-service ${PN} save'"
- fi
-}
diff --git a/net-firewall/nftables/nftables-1.0.8-r1.ebuild b/net-firewall/nftables/nftables-1.0.8-r1.ebuild
deleted file mode 100644
index 221f5fa3d427..000000000000
--- a/net-firewall/nftables/nftables-1.0.8-r1.ebuild
+++ /dev/null
@@ -1,217 +0,0 @@
-# Copyright 1999-2024 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-DISTUTILS_OPTIONAL=1
-DISTUTILS_USE_PEP517=setuptools
-PYTHON_COMPAT=( python3_{10..11} )
-VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/netfilter.org.asc
-inherit edo linux-info distutils-r1 systemd verify-sig
-
-DESCRIPTION="Linux kernel firewall, NAT and packet mangling tools"
-HOMEPAGE="https://netfilter.org/projects/nftables/"
-
-if [[ ${PV} =~ ^[9]{4,}$ ]]; then
- inherit autotools git-r3
- EGIT_REPO_URI="https://git.netfilter.org/${PN}"
- BDEPEND="app-alternatives/yacc"
-else
- SRC_URI="https://netfilter.org/projects/nftables/files/${P}.tar.xz
- verify-sig? ( https://netfilter.org/projects/nftables/files/${P}.tar.xz.sig )"
- KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86"
- BDEPEND="verify-sig? ( sec-keys/openpgp-keys-netfilter )"
-fi
-
-# See COPYING: new code is GPL-2+, existing code is GPL-2
-LICENSE="GPL-2 GPL-2+"
-SLOT="0/1"
-IUSE="debug doc +gmp json libedit python +readline static-libs test xtables"
-RESTRICT="!test? ( test )"
-
-RDEPEND="
- >=net-libs/libmnl-1.0.4:=
- >=net-libs/libnftnl-1.2.6:=
- gmp? ( dev-libs/gmp:= )
- json? ( dev-libs/jansson:= )
- python? ( ${PYTHON_DEPS} )
- readline? ( sys-libs/readline:= )
- xtables? ( >=net-firewall/iptables-1.6.1:= )
-"
-DEPEND="${RDEPEND}"
-BDEPEND+="
- app-alternatives/lex
- virtual/pkgconfig
- doc? (
- app-text/asciidoc
- >=app-text/docbook2X-0.8.8-r4
- )
- python? ( ${DISTUTILS_DEPS} )
-"
-
-REQUIRED_USE="
- python? ( ${PYTHON_REQUIRED_USE} )
- libedit? ( !readline )
-"
-
-src_prepare() {
- default
-
- if [[ ${PV} =~ ^[9]{4,}$ ]] ; then
- eautoreconf
- fi
-
- if use python; then
- pushd py >/dev/null || die
- distutils-r1_src_prepare
- popd >/dev/null || die
- fi
-}
-
-src_configure() {
- local myeconfargs=(
- # We handle python separately
- --disable-python
- --disable-static
- --sbindir="${EPREFIX}"/sbin
- $(use_enable debug)
- $(use_enable doc man-doc)
- $(use_with !gmp mini_gmp)
- $(use_with json)
- $(use_with libedit cli editline)
- $(use_with readline cli readline)
- $(use_enable static-libs static)
- $(use_with xtables)
- )
- econf "${myeconfargs[@]}"
-
- if use python; then
- pushd py >/dev/null || die
- distutils-r1_src_configure
- popd >/dev/null || die
- fi
-}
-
-src_compile() {
- default
-
- if use python; then
- pushd py >/dev/null || die
- distutils-r1_src_compile
- popd >/dev/null || die
- fi
-}
-
-src_test() {
- emake check
-
- if [[ ${EUID} == 0 ]]; then
- edo tests/shell/run-tests.sh -v
- else
- ewarn "Skipping shell tests (requires root)"
- fi
-
- # Need to rig up Python eclass if using this, but it doesn't seem to work
- # for me anyway.
- #cd tests/py || die
- #"${EPYTHON}" nft-test.py || die
-}
-
-src_install() {
- default
-
- if ! use doc && [[ ! ${PV} =~ ^[9]{4,}$ ]]; then
- pushd doc >/dev/null || die
- doman *.?
- popd >/dev/null || die
- fi
-
- # Do it here instead of in src_prepare to avoid eautoreconf
- # rmdir lets us catch if more files end up installed in /etc/nftables
- dodir /usr/share/doc/${PF}/skels/
- mv "${ED}"/etc/nftables/osf "${ED}"/usr/share/doc/${PF}/skels/osf || die
- rmdir "${ED}"/etc/nftables || die
-
- exeinto /usr/libexec/${PN}
- newexe "${FILESDIR}"/libexec/${PN}-mk.sh ${PN}.sh
- newconfd "${FILESDIR}"/${PN}-mk.confd ${PN}
- newinitd "${FILESDIR}"/${PN}-mk.init-r1 ${PN}
- keepdir /var/lib/nftables
-
- systemd_dounit "${FILESDIR}"/systemd/${PN}-restore.service
-
- if use python ; then
- pushd py >/dev/null || die
- distutils-r1_src_install
- popd >/dev/null || die
- fi
-
- find "${ED}" -type f -name "*.la" -delete || die
-}
-
-pkg_preinst() {
- local stderr
-
- # There's a history of regressions with nftables upgrades. Perform a
- # safety check to help us spot them earlier. For the check to pass, the
- # currently loaded ruleset, if any, must be successfully evaluated by
- # the newly built instance of nft(8).
- if [[ -n ${ROOT} ]] || [[ ! -d /sys/module/nftables ]] || [[ ! -x /sbin/nft ]]; then
- # Either nftables isn't yet in use or nft(8) cannot be executed.
- return
- elif ! stderr=$(umask 177; /sbin/nft -t list ruleset 2>&1 >"${T}"/ruleset.nft); then
- # Report errors induced by trying to list the ruleset but don't
- # treat them as being fatal.
- printf '%s\n' "${stderr}" >&2
- elif [[ ${stderr} == *"is managed by iptables-nft"* ]]; then
- # Rulesets generated by iptables-nft are special in nature and
- # will not always be printed in a way that constitutes a valid
- # syntax for ntf(8). Ignore them.
- return
- elif set -- "${ED}"/usr/lib*/libnftables.so; ! LD_LIBRARY_PATH=${1%/*} "${ED}"/sbin/nft -c -f -- "${T}"/ruleset.nft; then
- eerror "Your currently loaded ruleset cannot be parsed by the newly built instance of"
- eerror "nft. This probably means that there is a regression introduced by v${PV}."
- eerror "(To make the ebuild fail instead of warning, set NFTABLES_ABORT_ON_RELOAD_FAILURE=1.)"
- if [[ -n ${NFTABLES_ABORT_ON_RELOAD_FAILURE} ]] ; then
- die "Aborting because of failed nft reload!"
- fi
- fi
-}
-
-pkg_postinst() {
- local save_file
- save_file="${EROOT}"/var/lib/nftables/rules-save
-
- # In order for the nftables-restore systemd service to start
- # the save_file must exist.
- if [[ ! -f "${save_file}" ]]; then
- ( umask 177; touch "${save_file}" )
- elif [[ $(( "$( stat --printf '%05a' "${save_file}" )" & 07177 )) -ne 0 ]]; then
- ewarn "Your system has dangerous permissions for ${save_file}"
- ewarn "It is probably affected by bug #691326."
- ewarn "You may need to fix the permissions of the file. To do so,"
- ewarn "you can run the command in the line below as root."
- ewarn " 'chmod 600 \"${save_file}\"'"
- fi
-
- if has_version 'sys-apps/systemd'; then
- elog "If you wish to enable the firewall rules on boot (on systemd) you"
- elog "will need to enable the nftables-restore service."
- elog " 'systemctl enable ${PN}-restore.service'"
- elog
- elog "If you are creating firewall rules before the next system restart"
- elog "the nftables-restore service must be manually started in order to"
- elog "save those rules on shutdown."
- fi
-
- if has_version 'sys-apps/openrc'; then
- elog "If you wish to enable the firewall rules on boot (on openrc) you"
- elog "will need to enable the nftables service."
- elog " 'rc-update add ${PN} default'"
- elog
- elog "If you are creating or updating the firewall rules and wish to save"
- elog "them to be loaded on the next restart, use the \"save\" functionality"
- elog "in the init script."
- elog " 'rc-service ${PN} save'"
- fi
-}
diff --git a/net-firewall/nftables/nftables-1.0.8-r2.ebuild b/net-firewall/nftables/nftables-1.0.8-r2.ebuild
deleted file mode 100644
index 6f7b07fcd40b..000000000000
--- a/net-firewall/nftables/nftables-1.0.8-r2.ebuild
+++ /dev/null
@@ -1,223 +0,0 @@
-# Copyright 1999-2024 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-DISTUTILS_OPTIONAL=1
-DISTUTILS_USE_PEP517=setuptools
-PYTHON_COMPAT=( python3_{10..11} )
-VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/netfilter.org.asc
-inherit edo linux-info distutils-r1 systemd verify-sig
-
-DESCRIPTION="Linux kernel firewall, NAT and packet mangling tools"
-HOMEPAGE="https://netfilter.org/projects/nftables/"
-
-if [[ ${PV} =~ ^[9]{4,}$ ]]; then
- inherit autotools git-r3
- EGIT_REPO_URI="https://git.netfilter.org/${PN}"
- BDEPEND="app-alternatives/yacc"
-else
- SRC_URI="
- https://netfilter.org/projects/nftables/files/${P}.tar.xz
- verify-sig? ( https://netfilter.org/projects/nftables/files/${P}.tar.xz.sig )
- "
- KEYWORDS="amd64 arm arm64 hppa ~ia64 ~loong ~mips ppc ppc64 ~riscv sparc x86"
- BDEPEND="verify-sig? ( sec-keys/openpgp-keys-netfilter )"
-fi
-
-# See COPYING: new code is GPL-2+, existing code is GPL-2
-LICENSE="GPL-2 GPL-2+"
-SLOT="0/1"
-IUSE="debug doc +gmp json libedit python +readline static-libs test xtables"
-RESTRICT="!test? ( test )"
-
-RDEPEND="
- >=net-libs/libmnl-1.0.4:=
- >=net-libs/libnftnl-1.2.6:=
- gmp? ( dev-libs/gmp:= )
- json? ( dev-libs/jansson:= )
- python? ( ${PYTHON_DEPS} )
- readline? ( sys-libs/readline:= )
- xtables? ( >=net-firewall/iptables-1.6.1:= )
-"
-DEPEND="${RDEPEND}"
-BDEPEND+="
- app-alternatives/lex
- virtual/pkgconfig
- doc? (
- app-text/asciidoc
- >=app-text/docbook2X-0.8.8-r4
- )
- python? ( ${DISTUTILS_DEPS} )
-"
-
-REQUIRED_USE="
- python? ( ${PYTHON_REQUIRED_USE} )
- libedit? ( !readline )
-"
-
-PATCHES=(
- "${FILESDIR}"/${P}-fix-regression-evaluate.patch
-)
-
-src_prepare() {
- default
-
- if [[ ${PV} =~ ^[9]{4,}$ ]] ; then
- eautoreconf
- fi
-
- if use python; then
- pushd py >/dev/null || die
- distutils-r1_src_prepare
- popd >/dev/null || die
- fi
-}
-
-src_configure() {
- local myeconfargs=(
- # We handle python separately
- --disable-python
- --disable-static
- --sbindir="${EPREFIX}"/sbin
- $(use_enable debug)
- $(use_enable doc man-doc)
- $(use_with !gmp mini_gmp)
- $(use_with json)
- $(use_with libedit cli editline)
- $(use_with readline cli readline)
- $(use_enable static-libs static)
- $(use_with xtables)
- )
- econf "${myeconfargs[@]}"
-
- if use python; then
- pushd py >/dev/null || die
- distutils-r1_src_configure
- popd >/dev/null || die
- fi
-}
-
-src_compile() {
- default
-
- if use python; then
- pushd py >/dev/null || die
- distutils-r1_src_compile
- popd >/dev/null || die
- fi
-}
-
-src_test() {
- emake check
-
- if [[ ${EUID} == 0 ]]; then
- edo tests/shell/run-tests.sh -v
- else
- ewarn "Skipping shell tests (requires root)"
- fi
-
- # Need to rig up Python eclass if using this, but it doesn't seem to work
- # for me anyway.
- #cd tests/py || die
- #"${EPYTHON}" nft-test.py || die
-}
-
-src_install() {
- default
-
- if ! use doc && [[ ! ${PV} =~ ^[9]{4,}$ ]]; then
- pushd doc >/dev/null || die
- doman *.?
- popd >/dev/null || die
- fi
-
- # Do it here instead of in src_prepare to avoid eautoreconf
- # rmdir lets us catch if more files end up installed in /etc/nftables
- dodir /usr/share/doc/${PF}/skels/
- mv "${ED}"/etc/nftables/osf "${ED}"/usr/share/doc/${PF}/skels/osf || die
- rmdir "${ED}"/etc/nftables || die
-
- exeinto /usr/libexec/${PN}
- newexe "${FILESDIR}"/libexec/${PN}-mk.sh ${PN}.sh
- newconfd "${FILESDIR}"/${PN}-mk.confd ${PN}
- newinitd "${FILESDIR}"/${PN}-mk.init-r1 ${PN}
- keepdir /var/lib/nftables
-
- systemd_dounit "${FILESDIR}"/systemd/${PN}-restore.service
-
- if use python ; then
- pushd py >/dev/null || die
- distutils-r1_src_install
- popd >/dev/null || die
- fi
-
- find "${ED}" -type f -name "*.la" -delete || die
-}
-
-pkg_preinst() {
- local stderr
-
- # There's a history of regressions with nftables upgrades. Perform a
- # safety check to help us spot them earlier. For the check to pass, the
- # currently loaded ruleset, if any, must be successfully evaluated by
- # the newly built instance of nft(8).
- if [[ -n ${ROOT} ]] || [[ ! -d /sys/module/nftables ]] || [[ ! -x /sbin/nft ]]; then
- # Either nftables isn't yet in use or nft(8) cannot be executed.
- return
- elif ! stderr=$(umask 177; /sbin/nft -t list ruleset 2>&1 >"${T}"/ruleset.nft); then
- # Report errors induced by trying to list the ruleset but don't
- # treat them as being fatal.
- printf '%s\n' "${stderr}" >&2
- elif [[ ${stderr} == *"is managed by iptables-nft"* ]]; then
- # Rulesets generated by iptables-nft are special in nature and
- # will not always be printed in a way that constitutes a valid
- # syntax for ntf(8). Ignore them.
- return
- elif set -- "${ED}"/usr/lib*/libnftables.so; ! LD_LIBRARY_PATH=${1%/*} "${ED}"/sbin/nft -c -f -- "${T}"/ruleset.nft; then
- eerror "Your currently loaded ruleset cannot be parsed by the newly built instance of"
- eerror "nft. This probably means that there is a regression introduced by v${PV}."
- eerror "(To make the ebuild fail instead of warning, set NFTABLES_ABORT_ON_RELOAD_FAILURE=1.)"
- if [[ -n ${NFTABLES_ABORT_ON_RELOAD_FAILURE} ]] ; then
- die "Aborting because of failed nft reload!"
- fi
- fi
-}
-
-pkg_postinst() {
- local save_file
- save_file="${EROOT}"/var/lib/nftables/rules-save
-
- # In order for the nftables-restore systemd service to start
- # the save_file must exist.
- if [[ ! -f "${save_file}" ]]; then
- ( umask 177; touch "${save_file}" )
- elif [[ $(( "$( stat --printf '%05a' "${save_file}" )" & 07177 )) -ne 0 ]]; then
- ewarn "Your system has dangerous permissions for ${save_file}"
- ewarn "It is probably affected by bug #691326."
- ewarn "You may need to fix the permissions of the file. To do so,"
- ewarn "you can run the command in the line below as root."
- ewarn " 'chmod 600 \"${save_file}\"'"
- fi
-
- if has_version 'sys-apps/systemd'; then
- elog "If you wish to enable the firewall rules on boot (on systemd) you"
- elog "will need to enable the nftables-restore service."
- elog " 'systemctl enable ${PN}-restore.service'"
- elog
- elog "If you are creating firewall rules before the next system restart"
- elog "the nftables-restore service must be manually started in order to"
- elog "save those rules on shutdown."
- fi
-
- if has_version 'sys-apps/openrc'; then
- elog "If you wish to enable the firewall rules on boot (on openrc) you"
- elog "will need to enable the nftables service."
- elog " 'rc-update add ${PN} default'"
- elog
- elog "If you are creating or updating the firewall rules and wish to save"
- elog "them to be loaded on the next restart, use the \"save\" functionality"
- elog "in the init script."
- elog " 'rc-service ${PN} save'"
- fi
-}