authorV3n3RiX <venerix@koprulu.sector>2023-06-17 19:45:55 +0100
committerV3n3RiX <venerix@koprulu.sector>2023-06-17 19:45:55 +0100
commit59fb6ea4eff116f078307a57217645762b78aba7 (patch)
treebc4b009c0fb67e5716ad01ba8306a486fe4744ed /net-firewall
parent197f0639ca0a63b397552e059e2a992d39e09e55 (diff)
gentoo auto-resync : 17:06:2023 - 19:45:55
Diffstat (limited to 'net-firewall')
-rw-r--r--net-firewall/Manifest.gzbin4386 -> 4385 bytes
5 files changed, 246 insertions, 0 deletions
diff --git a/net-firewall/Manifest.gz b/net-firewall/Manifest.gz
index 00c740b5ce30..3f5ccc43e9f8 100644
--- a/net-firewall/Manifest.gz
+++ b/net-firewall/Manifest.gz
Binary files differ
diff --git a/net-firewall/ipset/Manifest b/net-firewall/ipset/Manifest
index b79f688c21d8..809feac11be3 100644
--- a/net-firewall/ipset/Manifest
+++ b/net-firewall/ipset/Manifest
@@ -1,8 +1,11 @@
AUX ipset-7.16-bashism.patch 1564 BLAKE2B 43de84f4f3f877b5a74aaced9ce31a3e310b938dd446d68d3786bc7225d33c5f6340fa404913a99d972e4cc2588ca2939728dfc73f95393235f0725dba06124e SHA512 fd58fe919ee3bd69376f6035c8f915c0bc0609ced7f070da5e670f7d1bb2433f06cc24886ef5a71360dafd0a59e5eb71d2466fd8f4e378dff683a48b034bd870
AUX ipset.confd 588 BLAKE2B fb1b728c12953cb6d5009469eaeeb9e58e01dd76b6849ad554d545bab417e8614d6417be52c2079b961bc66e355cf27c697ac3b2e0fcd823f978c39d14c66264 SHA512 93e01873c3fb8ff5f4f78e04118a666a650e604a1ba2908309faab08aa140e0ca7a2e24fc5114a9e809d3dbe81e801fc9ad59d53e174014cae1f23719a2a8e3e
+AUX ipset.confd-r1 666 BLAKE2B 852963fd27d11f58305f33cc9be84d5eabde73f5af4924d97ad188505fa64b2c75f31ece180e2992d275738305b7a731afc8b911314a9f202320c0c61053fc9b SHA512 6020665ba30fc9efa7c16714c1ff7a0961153175b70ca5817f72c4123537e0ff9a977b8ca71914ef8b49d431601b73275b2ab6f848d521b53680b0cd7bcaca82
AUX ipset.initd-r4 2997 BLAKE2B 9c376e1a5083829a1fc40bfcca192cad19644c8ba585c29018a55837c0788127963071de2a94a251288ee19a7308ba4d7d80f48f3bc1aba497489872f9810479 SHA512 0e674308ae51b5d65e8aba913ffece7e9233ff69b15086d5f35cd8b4e23e6ee08d6c233ed21b647a033039a9e268ee2cb01718ac9ebb548734c5996a8acb3961
+AUX ipset.initd-r5 3375 BLAKE2B e548d1fecdb7785eacd7611881db589488c15871b9ba28bf6a6c3ba2cacddb0428b7a29426cdbefe23d3c060c5431155d9e75c14ea4e3cde889979aa111e745b SHA512 d6162f713609df66f9b30c179045fe96dfe6f85e6b13f53eaaba5d9d09bd082bf74749ef0ff5e97039658036370dfb49f16071765d3f7c3901fae540264ccf96
AUX ipset.systemd 476 BLAKE2B 6d536142066ab60fdec24bcb138976709f186c575a7958ad9e8f0762c5b473de6882dcbdb7fbe16c79840096806fb8472308647aaa5b26dec192f91f4a541174 SHA512 c537c8c1bacbf9f3eeedfa123b666ac4f3d71cca9e44e89c9dc0f95328e1ec6be9480927272bd69d06a59f1d22bf4dc117c092d187d950c3f72e31608ab27a08
AUX ipset.systemd-r1 492 BLAKE2B 78fd7b122e0fe08b36d36e736d18b7a5f0bf1aa78802f1bdc7abf69ad2ef9c0bcfb22ae84f8f6489aee6c147ee3c0be7ebfa600712bf6169940802466daf68ba SHA512 6574e48ce6b3c4f45122a8b387746793ceda62f68ec8b0f3f6f949f5650ab557f3f7eb75699e36d5bf04efbf39dc17e030cc44ea9d97891578d4c909669e6eb7
DIST ipset-7.17.tar.bz2 684983 BLAKE2B 43b74ab7caf5a963787184aa75b6c071388c8d28997681444b72118aba68b843e961b50418c3fa70b451b4cb090ec62940b770abac2156910442115edbf90d41 SHA512 e308a0d7707ccf7d0cb06a32cf9a822f97862e007abdbab8a91a5a0d5bfbd9f2fb9a3f5e8f36b250ec0d565438c8648a31e8e5b45d8205a76558e90f46e6e597
+EBUILD ipset-7.17-r1.ebuild 3516 BLAKE2B 9abb817fdc2e1b2d928f29345aed74f7779ae778276237cc11c490d149f450e0afaac4c50804f7122d7ebd9c298291e299e4d16f246580296fbe30b8899e5596 SHA512 29c9e73dcafae178a0d1f9d2451c1fef9ab7ab2a083b62e96b9f63e5655d8e8701668eb2dcb6105c42435ff4a82f5e4e90d01beb58780961863342d057fbaf3b
EBUILD ipset-7.17.ebuild 3507 BLAKE2B 830f9465dda941460c1b4148989fb0aa79f2c500ac6daea948eac6609d50778bd2716e9cad2248b6bad1e80c73e1612188000b0ecb3f6bdd5cadac279fcd6aa2 SHA512 117834d3727b3dd50112c2f53734753ccfb8a21c71d98892e7a5c706ca0dcc98ddc4e4b43c51a1f9ad68bc3b09ab9871b4d625923ed041e0b51e8ea4b881bb12
MISC metadata.xml 369 BLAKE2B f41c3bdbd41f5cd6ae9451f00d80d3ca0e17343f45c37f88ab6e34dda8fce78e4d9b4d670385b3f8d9025f6065f1911d1815b610bbbbbfeb364942b8512ccc7b SHA512 f359ed08f769da53de8c31350f48b7fd0504c863fb29664ce40eac4e56f2cca842d9dc8de350fd4790a3a143ed4db6ed3df3419cc9daad4403078039ced52d3e
diff --git a/net-firewall/ipset/files/ipset.confd-r1 b/net-firewall/ipset/files/ipset.confd-r1
new file mode 100644
index 000000000000..ebedb672a676
--- /dev/null
+++ b/net-firewall/ipset/files/ipset.confd-r1
@@ -0,0 +1,19 @@
+# /etc/conf.d/ipset
+# Location in which ipset initscript will save set rules on
+# service shutdown
+# Save state on stopping ipset
+# Suffix used for temporary set names used for atomic swaps
+# If you need to log iptables messages as soon as iptables starts,
+# AND your logger does NOT depend on the network, then you may wish
+# to uncomment the next line.
+# If your logger depends on the network, and you uncomment this line
+# you will create an unresolvable circular dependency during startup.
+# After commenting or uncommenting this line, you must run 'rc-update -u'.
diff --git a/net-firewall/ipset/files/ipset.initd-r5 b/net-firewall/ipset/files/ipset.initd-r5
new file mode 100644
index 000000000000..0c73cec68c7d
--- /dev/null
+++ b/net-firewall/ipset/files/ipset.initd-r5
@@ -0,0 +1,105 @@
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+depend() {
+ before iptables ip6tables
+checkconfig() {
+ if [ ! -f "${IPSET_SAVE}" ] ; then
+ eerror "Not starting ${SVCNAME}. First create some rules then run:"
+ eerror "/etc/init.d/${SVCNAME} save"
+ return 1
+ fi
+ return 0
+start() {
+ checkconfig || return 1
+ ebegin "Loading ipset session"
+ ipset restore < "${IPSET_SAVE}"
+ eend $?
+stop() {
+ # check if there are any references to current sets
+ if ! ipset list | gawk '
+ ($1 == "References:") { refcnt += $2 }
+ ($1 == "Type:" && $2 == "list:set") { set = 1 }
+ (scan) { if ($0 != "") setcnt++; else { scan = 0; set = 0 } }
+ (set && $1 == "Members:") {scan = 1}
+ END { if ((refcnt - setcnt) > 0) exit 1 }
+ '; then
+ eerror "ipset is in use, can't stop"
+ return 1
+ fi
+ if [ "${SAVE_ON_STOP}" = "yes" ] ; then
+ save || return 1
+ fi
+ ebegin "Removing kernel IP sets"
+ ipset flush
+ ipset destroy
+ eend $?
+reload() {
+ ebegin "Reloading ipsets"
+ # Loading sets from a save file is only additive (there is no
+ # automatic flushing or replacing). And, we can not remove sets
+ # that are currently used in existing iptables rules.
+ #
+ # Instead, we create new temp sets for any set that is already
+ # in use, and then atomically swap them into place.
+ #
+ # XXX: This does not clean out previously used ipsets that are
+ # not in the new saved policy--it can't, because they may still
+ # be referenced in the current iptables rules.
+ # Build a list of all currently used sets (if any).
+ running_ipset_list=$(ipset save | gawk '/^create/{printf "%s ",$2}')
+ running_ipset_list="${running_ipset_list% }"
+ # Check the configured suffix, and make sure there are no collisions
+ if test -z "${TEMP_SUFFIX}" ; then
+ eend 1 "TEMP_SUFFIX cannot be empty"
+ return 1
+ elif echo "$running_ipset_list" | grep -q -E "${TEMP_SUFFIX}( |$)" ; then
+ eend 1 "Existing set(s) match TEMP_SUFFIX pattern ('${TEMP_SUFFIX}'), cannot continue"
+ return 1
+ fi
+ # Build a regular expression that matches those set names.
+ running_ipset_list_regex="$(echo "$running_ipset_list" | tr -s ' ' '|' )"
+ # Load up sets from the save file, but rename any set that already
+ # exists to a temporary name that we will swap later.
+ if ! cat ${IPSET_SAVE} | sed -r "s/^(create|add) (${running_ipset_list_regex}) /\1 \2${TEMP_SUFFIX} /" | ipset restore ; then
+ eend $? "Failed to load new ipsets"
+ fi
+ # Now for every set name that currently exists, atomically swap it
+ # with the temporary new one we created, and then destroy the old set.
+ for ipset_name in ${running_ipset_list} ; do
+ ipset swap ${ipset_name} ${ipset_name}${TEMP_SUFFIX} || eend $? "Failed to swap in new ipset $ipset_name"
+ ipset destroy ${ipset_name}${TEMP_SUFFIX} || eend $? "Failed to delete obsolete ipset ${ipset_name}${TEMP_SUFFIX}"
+ done
+ eend 0
+save() {
+ ebegin "Saving ipset session"
+ checkpath --file --mode 0600 "${IPSET_SAVE}"
+ ipset save > "${IPSET_SAVE}"
+ eend $?
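Review bot: In reload(), the failure branch after the `ipset restore` pipeline calls `eend $? "Failed to load new ipsets"`, but inside `if ! …; then` the value of `$?` is 0, so the failure is reported as success; there is also no `return 1`, so the swap/destroy loop still runs. After a failed or partial restore, that loop can swap incompletely populated temporary sets into place under live iptables rules. I would change the branch to `eend 1 "Failed to load new ipsets"` followed by `return 1`. The same pipeline reads `${IPSET_SAVE}` unquoted through `cat`; `sed -r … < "${IPSET_SAVE}"` would match the quoting used in start() and save(). The functions' closing braces are not visible in this rendering of the hunk.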
diff --git a/net-firewall/ipset/ipset-7.17-r1.ebuild b/net-firewall/ipset/ipset-7.17-r1.ebuild
new file mode 100644
index 000000000000..e4e4505a853a
--- /dev/null
+++ b/net-firewall/ipset/ipset-7.17-r1.ebuild
@@ -0,0 +1,119 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+inherit autotools bash-completion-r1 linux-info linux-mod systemd
+DESCRIPTION="IPset tool for iptables, successor to ippool"
+KEYWORDS="~amd64 ~arm ~arm64 ~loong ~ppc ~ppc64 ~riscv ~x86"
+ >=net-firewall/iptables-1.4.7
+ net-libs/libmnl:=
+ "${FILESDIR}"/${PN}-7.16-bashism.patch
+# configurable from outside, e.g. /etc/portage/make.conf
+MODULE_NAMES+=" em_ipset(kernel/net/sched/:${S}/kernel/net/sched/)"
+for i in ip_set{,_bitmap_{ip{,mac},port},_hash_{ip{,mac,mark,port{,ip,net}},mac,net{,port{,net},iface,net}},_list_set}; do
+pkg_setup() {
+ get_version
+ ERROR_NETFILTER="ipset requires NETFILTER support in your kernel."
+ ERROR_NETFILTER_NETLINK="ipset requires NETFILTER_NETLINK support in your kernel."
+ # It does still build without NET_NS, but it may be needed in future.
+ #ERROR_NET_NS="ipset requires NET_NS (network namespace) support in your kernel."
+ ERROR_PAX_CONSTIFY_PLUGIN="ipset contains constified variables (#614896)"
+ build_modules=0
+ if use modules; then
+ if linux_config_src_exists && linux_chkconfig_builtin "MODULES" ; then
+ if linux_chkconfig_present "IP_NF_SET" || \
+ linux_chkconfig_present "IP_SET"; then #274577
+ eerror "There is IP{,_NF}_SET or NETFILTER_XT_SET support in your kernel."
+ eerror "Please either build ipset with modules USE flag disabled"
+ eerror "or rebuild kernel without IP_SET support and make sure"
+ eerror "there is NO kernel ip_set* modules in /lib/modules/<your_kernel>/... ."
+ die "USE=modules and in-kernel ipset support detected."
+ else
+ einfo "Modular kernel detected. Gonna build kernel modules..."
+ build_modules=1
+ fi
+ else
+ eerror "Nonmodular kernel detected, but USE=modules. Either build"
+ eerror "modular kernel (without IP_SET) or disable USE=modules"
+ die "Nonmodular kernel detected, will not build kernel modules"
+ fi
+ fi
+ [[ ${build_modules} -eq 1 ]] && linux-mod_pkg_setup
+src_prepare() {
+ default
+ eautoreconf
+src_configure() {
+ export bashcompdir="$(get_bashcompdir)"
+ econf \
+ --enable-bashcompl \
+ $(use_with modules kmod) \
+ --with-maxsets=${IP_NF_SET_MAX} \
+ --with-ksource="${KV_DIR}" \
+ --with-kbuild="${KV_OUT_DIR}"
+src_compile() {
+ einfo "Building userspace"
+ emake
+ if [[ ${build_modules} -eq 1 ]]; then
+ einfo "Building kernel modules"
+ set_arch_to_kernel
+ emake modules
+ fi
+src_install() {
+ einfo "Installing userspace"
+ default
+ find "${ED}" -name '*.la' -delete || die
+ newinitd "${FILESDIR}"/ipset.initd-r5 ${PN}
+ newconfd "${FILESDIR}"/ipset.confd-r1 ${PN}
+ systemd_newunit "${FILESDIR}"/ipset.systemd-r1 ${PN}.service
+ keepdir /var/lib/ipset
+ if [[ ${build_modules} -eq 1 ]]; then
+ einfo "Installing kernel modules"
+ linux-mod_src_install
+ fi