gentoo auto-resync : 14:02:2024 - 05:36:28

4 files changed, 108 insertions, 2 deletions

diff --git a/net-firewall/Manifest.gz b/net-firewall/Manifest.gz
index fe01ba59f5de..12d2ec194356 100644
--- a/net-firewall/Manifest.gz
+++ b/net-firewall/Manifest.gz
diff --git a/net-firewall/ipset/Manifest b/net-firewall/ipset/Manifest
index 7ab00d236d06..d781a3a945e7 100644
--- a/net-firewall/ipset/Manifest
+++ b/net-firewall/ipset/Manifest
@@ -1,8 +1,9 @@
 AUX ipset.confd-r1 666 BLAKE2B 852963fd27d11f58305f33cc9be84d5eabde73f5af4924d97ad188505fa64b2c75f31ece180e2992d275738305b7a731afc8b911314a9f202320c0c61053fc9b SHA512 6020665ba30fc9efa7c16714c1ff7a0961153175b70ca5817f72c4123537e0ff9a977b8ca71914ef8b49d431601b73275b2ab6f848d521b53680b0cd7bcaca82
 AUX ipset.initd-r5 3375 BLAKE2B e548d1fecdb7785eacd7611881db589488c15871b9ba28bf6a6c3ba2cacddb0428b7a29426cdbefe23d3c060c5431155d9e75c14ea4e3cde889979aa111e745b SHA512 d6162f713609df66f9b30c179045fe96dfe6f85e6b13f53eaaba5d9d09bd082bf74749ef0ff5e97039658036370dfb49f16071765d3f7c3901fae540264ccf96
+AUX ipset.initd-r6 3386 BLAKE2B 1b3c0de0cc45fe80d3e0ba8a90fb2433ec3a6c2df38d50030cafea0b67562644918186e82e1c92a314f8e75939a0302a1574ae78fedbc9da9016ac3d0fd82e20 SHA512 ca821d2d22826d10f87e0c318b52faf10a339174f2ab27fb427b87f41b824ea8b74523b776465dd43edd1fa3cb311b11a6c9972f1d24f007ad60b87895860d2d
 AUX ipset.systemd-r1 492 BLAKE2B 78fd7b122e0fe08b36d36e736d18b7a5f0bf1aa78802f1bdc7abf69ad2ef9c0bcfb22ae84f8f6489aee6c147ee3c0be7ebfa600712bf6169940802466daf68ba SHA512 6574e48ce6b3c4f45122a8b387746793ceda62f68ec8b0f3f6f949f5650ab557f3f7eb75699e36d5bf04efbf39dc17e030cc44ea9d97891578d4c909669e6eb7
 DIST ipset-7.19.tar.bz2 686712 BLAKE2B 04290b94be471aedd732601e1dc147a066933606152beb76ba1a21283aa2e3f8b891fd9575db73f2af67b446fb77a0ca6b2432ae606440ac9e9bf80e41d1f640 SHA512 0f4252e6d967b0f130a2c7a0307b17c6b7d48336e86b2f838ea176f5faaa0c9bbbf273060906b43d91e9b38a9f33c18918e33d02292839a6bc321181d5d7f84e
 DIST ipset-7.20.tar.bz2 687123 BLAKE2B 24f44c887ba90379015d15d58351aedb80cc1d53638d0f4a868b1b6debec18e4c5336b626946bc7b3eb56c1b80d83ab236f287598f71e27bf44b9873dbb7eddf SHA512 d0b87ab889987a3febeaf3d73099a262aca86160878258b3bd1be064e52b55baa90601804b30ad3bbb363066c9fc1bbdfe8bc100414f801729215a892e186fc6
 EBUILD ipset-7.19-r1.ebuild 3379 BLAKE2B 4dd28ea10c1aa885af34b2892498dea9a4fc3a534d66455ae6b708fa2e144849be836a8ffe1906e137dc6e7fc438862a726612b056d72f7163575515007c9c1d SHA512 9266874bbc29d0806c4e49e2238541e6659db19ee950b81703a2a66ad1623e2f367034e67b731a654673ec7717abc495f969eef83cd3c26527606e7c6228562c
-EBUILD ipset-7.20.ebuild 3385 BLAKE2B f250967ad6bbdff6e45b79cdf82f6060fba71161b30c4f7cfac15aa9e000bbe02c6bdc75c939cb21b07331dc9f5a315064d79ed68edf59e777561db0d89db277 SHA512 afcfce175a75eb1264e21ca213b5ed64984ef27a3f0497367c725ebc6784b4ca2a0426e679068c49bf65e40093db38e726ccd26f8ed3018c83feebd2dc2dfc35
+EBUILD ipset-7.20.ebuild 3385 BLAKE2B 62b9c287f10a7b87637fd5504ea48fe30c94d5cd709c9ca60a13a10d53b92c10a19414ef8cd3cdcb30dc11cf3acef2b4da308955a45174cd497f80899d4177be SHA512 ca4d764a7933ba1477ac38b941c166c1ec2d7a6b844ad14fafda1a4d7824d63fc5402c70ced16dd309757ecb33067a8d22b4d54da6f070ea78ff7db21e2e323f
 MISC metadata.xml 475 BLAKE2B e1e06003a410249ed76d39b74ccbcd64b8572ff05f1c818729d787cecfb19cfa9c7e3463473688abc7a398efb908b0c7145bad88bbb7259e69f1b7d985584bcc SHA512 d0a3dca6593e8a62cbf5c325eb59b620137af8d8f5a463702c4d6ec102fd03b8adbbdcd9358777d0461f57a98d892d359d80b8f722d3f322f3d4766d762f6585
diff --git a/net-firewall/ipset/files/ipset.initd-r6 b/net-firewall/ipset/files/ipset.initd-r6
new file mode 100644
index 000000000000..949bdad76044
--- /dev/null
+++ b/net-firewall/ipset/files/ipset.initd-r6
@@ -0,0 +1,105 @@
+#!/sbin/openrc-run
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+extra_commands="save"
+extra_started_commands="reload"
+
+IPSET_SAVE=${IPSET_SAVE:-/var/lib/ipset/rules-save}
+
+depend() {
+    before iptables ip6tables
+}
+
+checkconfig() {
+    if [ ! -f "${IPSET_SAVE}" ] ; then
+        eerror "Not starting ${SVCNAME}. First create some rules then run:"
+        eerror "/etc/init.d/${SVCNAME} save"
+        return 1
+    fi
+    return 0
+}
+
+start() {
+    checkconfig || return 1
+    ebegin "Loading ipset session"
+    ipset restore < "${IPSET_SAVE}"
+    eend $?
+}
+
+stop() {
+    # check if there are any references to current sets
+
+    if ! ipset list | gawk '
+        ($1 == "References:") { refcnt += $2 }
+        ($1 == "Type:" && $2 == "list:set") { set = 1 }
+        (scan) { if ($0 != "") setcnt++; else { scan = 0; set = 0 } }
+        (set && $1 == "Members:") {scan = 1}
+        END { if ((refcnt - setcnt) > 0) exit 1 }
+    '; then
+        eerror "ipset is in use, can't stop"
+        return 1
+    fi
+
+    if [ "${SAVE_ON_STOP}" = "yes" ] ; then
+        save || return 1
+    fi
+
+    ebegin "Removing kernel IP sets"
+    ipset flush
+    ipset destroy
+    eend $?
+}
+
+reload() {
+    ebegin "Reloading ipsets"
+
+    # Loading sets from a save file is only additive (there is no
+    # automatic flushing or replacing). And, we can not remove sets
+    # that are currently used in existing iptables rules.
+    #
+    # Instead, we create new temp sets for any set that is already
+    # in use, and then atomically swap them into place.
+    #
+    # XXX: This does not clean out previously used ipsets that are
+    # not in the new saved policy--it can't, because they may still
+    # be referenced in the current iptables rules.
+    
+
+    # Build a list of all currently used sets (if any).
+    running_ipset_list=$(ipset save | gawk '/^create/{printf "%s ",$2}')
+	running_ipset_list="${running_ipset_list% }"
+
+    # Check the configured suffix, and make sure there are no collisions
+    if test -z "${TEMP_SUFFIX}" ; then
+      eend 1 "TEMP_SUFFIX cannot be empty"
+      return 1
+    elif echo "$running_ipset_list" | grep -q -E "${TEMP_SUFFIX}( |$)" ; then
+      eend 1 "Existing set(s) match TEMP_SUFFIX pattern ('${TEMP_SUFFIX}'), cannot continue"
+      return 1
+    fi
+
+    # Build a regular expression that matches those set names.
+    running_ipset_list_regex="$(echo "$running_ipset_list" | tr -s ' ' '|' )"
+
+    # Load up sets from the save file, but rename any set that already
+    # exists to a temporary name that we will swap later.
+    if ! cat ${IPSET_SAVE} | sed -r "s/^(create|add) (${running_ipset_list_regex}) /\1 \2${TEMP_SUFFIX} /" | ipset restore ; then
+        eend $? "Failed to load new ipsets"
+    fi
+
+    # Now for every set name that currently exists, atomically swap it
+    # with the temporary new one we created, and then destroy the old set.
+    for ipset_name in ${running_ipset_list} ; do
+        ipset swap ${ipset_name} ${ipset_name}${TEMP_SUFFIX} || eend $? "Failed to swap in new ipset $ipset_name"
+        ipset destroy ${ipset_name}${TEMP_SUFFIX} || eend $? "Failed to delete obsolete ipset ${ipset_name}${TEMP_SUFFIX}"
+    done
+    eend 0
+}
+
+save() {
+    ebegin "Saving ipset session"
+    checkpath --file --mode 0600 "${IPSET_SAVE}"
+		ipset -output save list > "${IPSET_SAVE}"
+    eend $?
+}
diff --git a/net-firewall/ipset/ipset-7.20.ebuild b/net-firewall/ipset/ipset-7.20.ebuild
index f1a25f936d47..433d477210f0 100644
--- a/net-firewall/ipset/ipset-7.20.ebuild
+++ b/net-firewall/ipset/ipset-7.20.ebuild
@@ -102,7 +102,7 @@ src_install() {
 
 	find "${ED}" -name '*.la' -delete || die
 
-	newinitd "${FILESDIR}"/ipset.initd-r5 ${PN}
+	newinitd "${FILESDIR}"/ipset.initd-r6 ${PN}
 	newconfd "${FILESDIR}"/ipset.confd-r1 ${PN}
 	systemd_newunit "${FILESDIR}"/ipset.systemd-r1 ${PN}.service
 	keepdir /var/lib/ipset