Diffstat (limited to 'net-firewall/nftables')
-rw-r--r-- | net-firewall/nftables/Manifest | 12 | ||||
-rw-r--r-- | net-firewall/nftables/files/nftables-0.9.8-slibtool.patch | 13 | ||||
-rw-r--r-- | net-firewall/nftables/files/nftables-1.0.4-revert-scanner-flags-move-to-own-scope.patch | 252 | ||||
-rw-r--r-- | net-firewall/nftables/nftables-1.0.2-r1.ebuild | 2 | ||||
-rw-r--r-- | net-firewall/nftables/nftables-1.0.4-r2.ebuild (renamed from net-firewall/nftables/nftables-1.0.1-r2.ebuild) | 72 | ||||
-rw-r--r-- | net-firewall/nftables/nftables-9999.ebuild | 62 |
6 files changed, 356 insertions, 57 deletions
diff --git a/net-firewall/nftables/Manifest b/net-firewall/nftables/Manifest
index 142d09b03b70..6c7817b75b99 100644
--- a/net-firewall/nftables/Manifest
+++ b/net-firewall/nftables/Manifest
@@ -1,20 +1,20 @@
 AUX libexec/nftables-mk.sh 1070 BLAKE2B 30d8109d74e7d8c4f51c753f676f91a1902ad42f6d68662f1191ff73d2a43a1bf49fb795f3763705f8aeb0a4f22cab0006a943e01adb188f1ef9eb05125dfdbd SHA512 a14e48f014f75c7e611bf2a653d9760804754febd1ae4543f78abbfbe60c79f5aa07c5fd53fe26bb74b48fcb8cb8aa78274771212e41c42db031e8c8ba7e81d2
 AUX libexec/nftables.sh 3665 BLAKE2B 74362a4425e974e74e7b895980002f0ded2ecbb4731bbf956edb56ffb9f1ad394802c4eeab3af3735eba4d8e71572a5663e564ce4e7fad76c9715043b90c1b43 SHA512 6cb1ac0928ae2da5c69764d45c52a661a6d72698bb9edd6a603580d2f9bd82b59f2a2661e7569ade3a3b729459d115004f251ad6a5eac8cdf1d38c65bfa9349e
 AUX man-pages/gen-manpages.bash 1797 BLAKE2B c93cc311570abd674a12eb88711cf01664f437b8dc0fb4de36194f36671d92c35e04fcff6c56adcb0e642f089169f63ef063736398584e5e7ce799bf55acf2ff SHA512 ea3291412ce13d9dd463403fcc11c665c9de63edaabdecaf55e051b52b0ff845c9c7d63a6c4c08e4d2d94428815fe11daf9b7390081b4e9de4774e188b9ea677
-AUX nftables-0.9.8-slibtool.patch 427 BLAKE2B 00ab37efe35a68818af21d91781eb6610574a164743c9aea4458aea2efd6ce50aa788ac4a667d37ed3a686e6802e9feb8a4145f2debc9fb379d3621ed002d6df SHA512 8969d2db4aa2ddb5e352c864af5f85aa95849c0ffbc0b5d0fb4f9b848a3a35ab1aa2e747a9c6f4911fc1cdf0f4eb2032d863bfc10e4dcc120604735e7e04f911
 AUX nftables-1.0.2-build-explicitly-pass-version-script-to-linker.patch 1062 BLAKE2B 65306c5f920c6179ebd064737a1713d0af7f94ca3b813aa19a1abe5162f88d5507d290fdbdcb05729a83bf1c7d36bc0a61252b224b44896722a89e71982ec8bf SHA512 1d2fed0ca10ee5f7beab94808a73a0002ec6ba63deaa44ab87fdd97d869f0da776ce6c09834d9c6bc7393ae80aca7a326ab1e8df0b122ad016cba5627fd4fffa
 AUX nftables-1.0.2-compilation.patch 1188 BLAKE2B 524298dbe639ee9c613d9314cd6ad10abe058534bc6fd1773aeab14fc76103247817ff472e4c7b03e5d2adda5ce84172bb98aac548d432e64f61222d85c6f43c SHA512 d438ec732840eeddfb123e184d00e7b54590e85004a7e89bbacfac48602e36b5082f29a3848ed54769f5155b162beeda7eee58f788fc917dfb598e1ad986694d
 AUX nftables-1.0.2-libnftables.map-export-new-nft_ctx_-get-set-_optimiz.patch 960 
BLAKE2B d37f4f2dd72268303170d5d1af1a52e922724fc578afbaf85d05eb5f7beaef3cb67cff37f324cb2adb5b41a7e9b656c51142e6c122a8ea8ecae3ede84e46f7ff SHA512 e1a4da28d62bb09b1e4acdbb3acef211b640715ed0aae93c5206debc3dd2367385aa0c06a9f9a94297c21fb25d659d3e3d51463261d9e4eef269c2c450f0f4e1
+AUX nftables-1.0.4-revert-scanner-flags-move-to-own-scope.patch 8917 BLAKE2B f520876282dfe97b27b8cc806cce3bce15051acc45427e2a5d399cf2980f23c0b989ef57df1c85af34abe7cebf74288927fdeab95a0be10b4070e12951ee858a SHA512 f51f47d6fb3ca84a6a7f540e0b240c4d1eeb793a1066113a4b1653d38d9fa37ac99017d4131be73791d241ae6cbde3956b38e282b5540fce9ce81b9ad0e65d8f
 AUX nftables-mk.confd 899 BLAKE2B f4c3d82fbae87fb0d755af786a98db591b6a667cf33660ba9275ada2e6417fad1899a7f29762f23c112fc5c9e178bc7590c3b2ba26617853c3577917bd7d3edf SHA512 505ed05674a04367f1a3d5cf6447596ad1c3b2e9c920697f12f58a20d94c2a39b0041bb4911678511c4548566a69d964661d4afc3e7e27997943b875f204c602
 AUX nftables-mk.init-r1 1970 BLAKE2B 9ece7da364eac76ef2ac401f4cc3ed558e926e8f07ab43f084de819098e9543bda0a9a8d40375e4e01dd6e53b92d744acf8f3caaeab1c3678ca84b1f48d59685 SHA512 9f1e491ba5fd8a1173eb055bfa5a0de3c040c158e7d54848fcd373a5f4c4041df6fb9ddc5b0e8fdfd78243665c627b8767816bcf94dd142b441b21227206fef3
 AUX nftables.confd 655 BLAKE2B 5512be1edd43e270941de3d9b66fda69e4afd7c7e6e970b232a044c2fd64f8e50b9b55a4fe670174c3eabf3d176ee0158c1043baec4b76b0802e7e97bc862fcf SHA512 8370abcdc89fcd9da5dc7d1620be6afb4633b8bcd0a8a120b464cc1a7e1fab6f34956c293da3f6d3cbe1f7a2e03038fd0c94a614137ae5657d29ffdb5f3fa144
 AUX nftables.init-r1 2279 BLAKE2B 1c4c28ea5b6a22905b3ec7de8e54726933b579352ecd799b7641384a138ffa2d4a2deb87d84ef5d75a43ae30759f1550d611c2560096bb5083cae9bb834be2bb SHA512 2165223bfd4f300b9cc01f604347fc5167f68515174b0d116b667bd05f4baf8c2f931e482f632975a8be371c2147951d9407f397ea4dbcbac79a6738cbd23015
 AUX systemd/nftables-restore.service 394 BLAKE2B 1c1f358eb2eff789e68c051098c971f11a8df6621c3c919e30a1ec1213f6db822c390609c01827fe9fc75c540effa3e3a7b6f93bd24e16ea19841bbfaab796ed SHA512 
18da6a770bb3e94fd6b2c9e6f033450aaff9fe886c8846f780d08a21e2fc884ac078652743b50b3d4ea8c9500f92d272bdd27e2881e438c2b223d40816c100a0
-DIST nftables-1.0.1.tar.bz2 954586 BLAKE2B e406699c96b98495f1b6deeab0233873ce20b43c13c162eafea1e6b371961123a69f3d5e7bd2f1bedfdbe58fed56ba3e2dae962b88657af6f4ab5b3743fb6373 SHA512 a0db4d82725509d2a9c638ba7ba55547ad7b5138a5fe686b0e90260d6a65e060dd72a470969c1d69e945303bd2bfc33b2021d9f4141b88befefddc61b7afe10d
-DIST nftables-1.0.1.tar.bz2.sig 566 BLAKE2B d504987b16b7a8676586ecb3a1ce9588bff972ca54bbb3ce3b0db5288f1fd981e529dccea009bd01a3a96e5199a034956bd43cdeaba67847239a88d458f43f8a SHA512 0884098ceabe7b070e146e47292afd8c80188ea595eaeaadb228307f502dae4a43bf801dea2a25519eaef3c96d567daf40e45c37fabb58db1b2256eb8f256cb0
 DIST nftables-1.0.2.tar.bz2 970781 BLAKE2B 650ae6badb574ff3628d21c8aa99f81e73932dd172b3569618696100bf3853b9a108bf0296dcf9d615ae7c0fbec84b48266299b62cf755d181d19c626f8a3cd4 SHA512 560d23c6e369eafd7b354d29fe73d46154e4a74dec000178c1aea47751fe535d20c4e6bbecd3955eb2b327c7a60b1269e5c6dc5781498546b639fa2d1367a9ca
 DIST nftables-1.0.2.tar.bz2.sig 566 BLAKE2B 5b7a20b28c274a950b718e2e14313772707b6bdc3f4519f747350593c1eb3bfbcf8c5dd9ae7d5aa0488c5cde9af8b58e05349c75e8a8246c5634303a331f9d98 SHA512 9be59d771833ac315fd52cffe7074ed9d49fbf592aec8d94500bbc7cc1f44dcb54b3815c46831a5e7e4c4770901cbdd6b8ffc5aa8d8cb7e064ec1c8453d890f1
-EBUILD nftables-1.0.1-r2.ebuild 4966 BLAKE2B 0fac9458f91dccfd3366c3ddfec0d4444329fe1d9358b89a67d52960bba67fc56efd9e5150f9979e5ba85793d05783b1e835acf6fbe3324fddfa0ca0033597b2 SHA512 7d40d118643bc4626b79dd72094aebd1cc8204bf36c4c9a033f4910690e210ee9f3b275312b85942987d87ee171d0ed1abfee05262fd3bc6c4fa0bf7ccbd7e6a
-EBUILD nftables-1.0.2-r1.ebuild 5171 BLAKE2B f7e0d66c8ea79a261f15ca775115f7a1fce74d848fc380ee7a65dbd9290fa04888dd6776c7f2292bf5a5d97c88ba78145eb1dc84d9a3e811f89e2cb9e3b24af3 SHA512 3a94050f5261e522ecdce8da260394e26c3d646c83465f432939234fda6f85c9af30cf6c5f658659b073a254039abf641c9d925896a5b3e770feab467070949b
-EBUILD 
nftables-9999.ebuild 4938 BLAKE2B cc5caa75ec86c1d6695ddf06d0f84de7d05c0799e7ef1098c2412e19178544f11a82a0f4e4a7ff8d79e3d13675ad1bb46fc929b57c3ae6f2babdfc7aedebb06b SHA512 4f9dd3327fe16acbe36ca674e39c0204534e1eb15564592848d5e79cefbe232e3b46cd75dbfbaefe52433c88e7d59534aaf81b163a70868dec65544cd2a5e9db
+DIST nftables-1.0.4.tar.bz2 979540 BLAKE2B 1b2c596245cb7f1bc574250d13b9ff6f424f98e98d5955befadb83ea0a71acc6524b066e39f1e9d151f3946b690b2dee45b7d416347371f88911c8d6a9de047e SHA512 7d96c791365d399b3b930a1f9d6c6aa4a8c2180c258bb5163d9d62ea4d094857e2ebb20fc3ef13b89f449f216d0a291d3bcf288704f1e3bd3ceb51b6cadf8215
+DIST nftables-1.0.4.tar.bz2.sig 566 BLAKE2B 1ac42a2eb678abcc21d01bbaf5f9a3af3f4c49fa1f0732f2522d3da14e94aacbb12075650d2786224f8fef869fcdc94a1463bd76272aa44fc50ea31a8ebae1bf SHA512 2d2acd4810c1ede844e1eac81a5480866ad40ae71dfcf92d166fd9295290adff70d35d7de8cf1ec81ab63d184b221419ff144bc7010e18884afa992173723af8
+EBUILD nftables-1.0.2-r1.ebuild 5163 BLAKE2B 02bacad62aea322b42251fb73ea3e23e061167ae5bde03f751231db9b33f3d85cb8a8b0b28038140264092c2a1776e0a4c9b0a464775a0e30c57cc988ac09a36 SHA512 2b55eb2c17686e13ddde19d4da06d0ac1efe09500fd62cc205fcf95d9977f7d2478369aec51e2455aed69c49869afcc54badd08bc3c4bcf26d58972d095c8aa8
+EBUILD nftables-1.0.4-r2.ebuild 5973 BLAKE2B 33b0959b853cc3ae0a140549c105116addf23a8f48107e8279e61909927f69bdd718784dca12c5ea06148d64d2fd653e6c47b2a04e71414c8254f787b5fd6789 SHA512 746c7587ff389cb44f2a8b52a618e31dab6ea844b38d8d303a14c59d3aaffd314f37b64e281f3324228727ab629d7092e3836fc226f82d9cda7bc2562b829390
+EBUILD nftables-9999.ebuild 5877 BLAKE2B ffe8dd8c23b5755d231de39c1112db4f416481e67aafdc30b1d6b8909db5c6225f03044d8b69188091bb1681877fb57a20a1528601f049150289008019e48a15 SHA512 e3a5f820332022e502e2ae4c2f4ff0963d7711eed979e8a0dfca2f015c651418447866b0d9b53cf2dfb28de2e47c5adf37daa5c82b614b21c30a8a694f3855a1
 MISC metadata.xml 933 BLAKE2B 
8e76ce489c41dcc01e222d77af40f2ba5cb7ddffc2bc818c6fc8c16e24dc308c125ce4d78db1647e77af96f32c85dd3391f7079e2cee26c129c56557e0c48c8a SHA512 058d38df1dbb2c1d0e611bd992f37498d3977561c3b34846fdf0d569573f2ef93a29a216ab491e583cfc2399c55c839d256dfcf8b1d7aaba63ed6ea90f22df25
diff --git a/net-firewall/nftables/files/nftables-0.9.8-slibtool.patch b/net-firewall/nftables/files/nftables-0.9.8-slibtool.patch
deleted file mode 100644
index a92645f793c7..000000000000
--- a/net-firewall/nftables/files/nftables-0.9.8-slibtool.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-This fixes build with sys-devel/slibtool
-
---- nftables-0.9.8/src/Makefile.am
-+++ nftables-0.9.8/src/Makefile.am
-@@ -90,7 +90,7 @@
- 
- libnftables_la_LIBADD = ${LIBMNL_LIBS} ${LIBNFTNL_LIBS} libparser.la
- libnftables_la_LDFLAGS = -version-info ${libnftables_LIBVERSION} \
-- --version-script=$(srcdir)/libnftables.map
-+ -Wl,--version-script=$(srcdir)/libnftables.map
- 
- if BUILD_MINIGMP
- noinst_LTLIBRARIES += libminigmp.la
diff --git a/net-firewall/nftables/files/nftables-1.0.4-revert-scanner-flags-move-to-own-scope.patch b/net-firewall/nftables/files/nftables-1.0.4-revert-scanner-flags-move-to-own-scope.patch
new file mode 100644
index 000000000000..db58602bb4e6
--- /dev/null
+++ b/net-firewall/nftables/files/nftables-1.0.4-revert-scanner-flags-move-to-own-scope.patch
@@ -0,0 +1,252 @@ +From 638af0ceb2b22307098bb2730822e148ef0b9424 Mon Sep 17 00:00:00 2001 +From: Florian Westphal <fw@strlen.de> +Date: Fri, 10 Jun 2022 13:01:46 +0200 +Subject: Revert "scanner: flags: move to own scope" +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Excess nesting of scanner scopes is very fragile and error prone: + +rule `iif != lo ip daddr 127.0.0.1/8 counter limit rate 1/second log flags all prefix "nft_lo4 " drop` +fails with `Error: No symbol type information` hinting at `prefix` + +Problem is that we nest via: + counter + limit + log + flags + +By the time 'prefix' is scanned, state is still stuck in 'counter' due +to this nesting. Working around "prefix" isn't enough, any other +keyword, e.g. "level" in 'flags all level debug' will be parsed as 'string' too. + +So, revert this. + +Fixes: a16697097e2b ("scanner: flags: move to own scope") +Reported-by: Christian Göttsche <cgzones@googlemail.com> +Signed-off-by: Florian Westphal <fw@strlen.de> +--- + include/parser.h | 1 - + src/parser_bison.y | 29 ++++++++++++++--------------- + src/scanner.l | 18 +++++++----------- + tests/shell/testcases/parsing/log | 10 ++++++++++ + 4 files changed, 31 insertions(+), 27 deletions(-) + create mode 100755 tests/shell/testcases/parsing/log + +diff --git a/include/parser.h b/include/parser.h +index f32154cc..d8d2eb11 100644 +--- a/include/parser.h ++++ b/include/parser.h +@@ -35,7 +35,6 @@ enum startcond_type { + PARSER_SC_CT, + PARSER_SC_COUNTER, + PARSER_SC_ETH, +- PARSER_SC_FLAGS, + PARSER_SC_ICMP, + PARSER_SC_IGMP, + PARSER_SC_IP, +diff --git a/src/parser_bison.y b/src/parser_bison.y +index ca5c488c..2a0240fb 100644 +--- a/src/parser_bison.y ++++ b/src/parser_bison.y +@@ -942,7 +942,6 @@ close_scope_esp : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_ESP); } + close_scope_eth : { scanner_pop_start_cond(nft->scanner, PARSER_SC_ETH); }; + close_scope_export : { scanner_pop_start_cond(nft->scanner, 
PARSER_SC_CMD_EXPORT); }; + close_scope_fib : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_FIB); }; +-close_scope_flags : { scanner_pop_start_cond(nft->scanner, PARSER_SC_FLAGS); }; + close_scope_frag : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_FRAG); }; + close_scope_fwd : { scanner_pop_start_cond(nft->scanner, PARSER_SC_STMT_FWD); }; + close_scope_hash : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_HASH); }; +@@ -1679,7 +1678,7 @@ table_block_alloc : /* empty */ + } + ; + +-table_options : FLAGS STRING close_scope_flags ++table_options : FLAGS STRING + { + if (strcmp($2, "dormant") == 0) { + $<table>0->flags |= TABLE_F_DORMANT; +@@ -1946,7 +1945,7 @@ set_block : /* empty */ { $$ = $<set>-1; } + datatype_set($1->key, $3->dtype); + $$ = $1; + } +- | set_block FLAGS set_flag_list stmt_separator close_scope_flags ++ | set_block FLAGS set_flag_list stmt_separator + { + $1->flags = $3; + $$ = $1; +@@ -2080,7 +2079,7 @@ map_block : /* empty */ { $$ = $<set>-1; } + $1->flags |= NFT_SET_OBJECT; + $$ = $1; + } +- | map_block FLAGS set_flag_list stmt_separator close_scope_flags ++ | map_block FLAGS set_flag_list stmt_separator + { + $1->flags |= $3; + $$ = $1; +@@ -2153,7 +2152,7 @@ flowtable_block : /* empty */ { $$ = $<flowtable>-1; } + { + $$->flags |= NFT_FLOWTABLE_COUNTER; + } +- | flowtable_block FLAGS OFFLOAD stmt_separator close_scope_flags ++ | flowtable_block FLAGS OFFLOAD stmt_separator + { + $$->flags |= FLOWTABLE_F_HW_OFFLOAD; + } +@@ -2520,7 +2519,7 @@ dev_spec : DEVICE string + | /* empty */ { $$ = NULL; } + ; + +-flags_spec : FLAGS OFFLOAD close_scope_flags ++flags_spec : FLAGS OFFLOAD + { + $<chain>0->flags |= CHAIN_F_HW_OFFLOAD; + } +@@ -3126,7 +3125,7 @@ log_arg : PREFIX string + $<stmt>0->log.level = $2; + $<stmt>0->log.flags |= STMT_LOG_LEVEL; + } +- | FLAGS log_flags close_scope_flags ++ | FLAGS log_flags + { + $<stmt>0->log.logflags |= $2; + } +@@ -3828,13 +3827,13 @@ queue_stmt : queue_stmt_compat close_scope_queue + { + 
$$ = queue_stmt_alloc(&@$, $3, 0); + } +- | QUEUE FLAGS queue_stmt_flags close_scope_flags TO queue_stmt_expr close_scope_queue ++ | QUEUE FLAGS queue_stmt_flags TO queue_stmt_expr close_scope_queue + { +- $$ = queue_stmt_alloc(&@$, $6, $3); ++ $$ = queue_stmt_alloc(&@$, $5, $3); + } +- | QUEUE FLAGS queue_stmt_flags close_scope_flags QUEUENUM queue_stmt_expr_simple close_scope_queue ++ | QUEUE FLAGS queue_stmt_flags QUEUENUM queue_stmt_expr_simple close_scope_queue + { +- $$ = queue_stmt_alloc(&@$, $6, $3); ++ $$ = queue_stmt_alloc(&@$, $5, $3); + } + ; + +@@ -5501,7 +5500,7 @@ comp_hdr_expr : COMP comp_hdr_field close_scope_comp + ; + + comp_hdr_field : NEXTHDR { $$ = COMPHDR_NEXTHDR; } +- | FLAGS close_scope_flags { $$ = COMPHDR_FLAGS; } ++ | FLAGS { $$ = COMPHDR_FLAGS; } + | CPI { $$ = COMPHDR_CPI; } + ; + +@@ -5562,7 +5561,7 @@ tcp_hdr_field : SPORT { $$ = TCPHDR_SPORT; } + | ACKSEQ { $$ = TCPHDR_ACKSEQ; } + | DOFF { $$ = TCPHDR_DOFF; } + | RESERVED { $$ = TCPHDR_RESERVED; } +- | FLAGS close_scope_flags { $$ = TCPHDR_FLAGS; } ++ | FLAGS { $$ = TCPHDR_FLAGS; } + | WINDOW { $$ = TCPHDR_WINDOW; } + | CHECKSUM { $$ = TCPHDR_CHECKSUM; } + | URGPTR { $$ = TCPHDR_URGPTR; } +@@ -5676,7 +5675,7 @@ sctp_chunk_type : DATA { $$ = SCTP_CHUNK_TYPE_DATA; } + ; + + sctp_chunk_common_field : TYPE close_scope_type { $$ = SCTP_CHUNK_COMMON_TYPE; } +- | FLAGS close_scope_flags { $$ = SCTP_CHUNK_COMMON_FLAGS; } ++ | FLAGS { $$ = SCTP_CHUNK_COMMON_FLAGS; } + | LENGTH { $$ = SCTP_CHUNK_COMMON_LENGTH; } + ; + +@@ -5844,7 +5843,7 @@ rt4_hdr_expr : RT4 rt4_hdr_field close_scope_rt + ; + + rt4_hdr_field : LAST_ENT { $$ = RT4HDR_LASTENT; } +- | FLAGS close_scope_flags { $$ = RT4HDR_FLAGS; } ++ | FLAGS { $$ = RT4HDR_FLAGS; } + | TAG { $$ = RT4HDR_TAG; } + | SID '[' NUM ']' + { +diff --git a/src/scanner.l b/src/scanner.l +index 2154281e..7eb74020 100644 +--- a/src/scanner.l ++++ b/src/scanner.l +@@ -201,7 +201,6 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr}) + %s SCANSTATE_CT + %s 
SCANSTATE_COUNTER + %s SCANSTATE_ETH +-%s SCANSTATE_FLAGS + %s SCANSTATE_ICMP + %s SCANSTATE_IGMP + %s SCANSTATE_IP +@@ -339,7 +338,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr}) + "jump" { return JUMP; } + "goto" { return GOTO; } + "return" { return RETURN; } +-<SCANSTATE_EXPR_QUEUE,SCANSTATE_STMT_DUP,SCANSTATE_STMT_FWD,SCANSTATE_STMT_NAT,SCANSTATE_STMT_TPROXY,SCANSTATE_FLAGS,SCANSTATE_IP,SCANSTATE_IP6>"to" { return TO; } /* XXX: SCANSTATE_FLAGS and SCANSTATE_IP here are workarounds */ ++<SCANSTATE_EXPR_QUEUE,SCANSTATE_STMT_DUP,SCANSTATE_STMT_FWD,SCANSTATE_STMT_NAT,SCANSTATE_STMT_TPROXY,SCANSTATE_IP,SCANSTATE_IP6>"to" { return TO; } /* XXX: SCANSTATE_IP is a workaround */ + + "inet" { return INET; } + "netdev" { return NETDEV; } +@@ -363,14 +362,9 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr}) + "index" { return INDEX; } + "comment" { return COMMENT; } + +-<SCANSTATE_FLAGS>{ +- "constant" { return CONSTANT; } +- "dynamic" { return DYNAMIC; } +- +- /* log flags */ +- "all" { return ALL; } +-} ++"constant" { return CONSTANT; } + "interval" { return INTERVAL; } ++"dynamic" { return DYNAMIC; } + "auto-merge" { return AUTOMERGE; } + "timeout" { return TIMEOUT; } + "gc-interval" { return GC_INTERVAL; } +@@ -418,7 +412,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr}) + } + + "queue" { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_QUEUE); return QUEUE;} +-<SCANSTATE_FLAGS,SCANSTATE_EXPR_QUEUE>{ ++<SCANSTATE_EXPR_QUEUE>{ + "num" { return QUEUENUM;} + "bypass" { return BYPASS;} + "fanout" { return FANOUT;} +@@ -612,7 +606,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr}) + <SCANSTATE_EXPR_COMP>{ + "cpi" { return CPI; } + } +-"flags" { scanner_push_start_cond(yyscanner, SCANSTATE_FLAGS); return FLAGS; } ++"flags" { return FLAGS; } + + "udp" { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_UDP); return UDP; } + "udplite" { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_UDPLITE); return UDPLITE; } +@@ -781,6 +775,8 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr}) + + 
"notrack" { return NOTRACK; }
+ 
++"all" { return ALL; }
++
+ <SCANSTATE_CMD_EXPORT,SCANSTATE_CMD_IMPORT,SCANSTATE_CMD_MONITOR>{
+ "xml" { return XML; }
+ "json" { return JSON; }
+diff --git a/tests/shell/testcases/parsing/log b/tests/shell/testcases/parsing/log
+new file mode 100755
+index 00000000..0b89d589
+--- /dev/null
++++ b/tests/shell/testcases/parsing/log
+@@ -0,0 +1,10 @@
++#!/bin/bash
++
++$NFT add table t || exit 1
++$NFT add chain t c || exit 1
++$NFT add rule t c 'iif != lo ip daddr 127.0.0.1/8 counter limit rate 1/second log flags all prefix "nft_lo4 " drop' || exit 1
++$NFT add rule t c 'iif != lo ip daddr 127.0.0.1/8 counter limit rate 1/second log flags all level debug drop' || exit 1
++$NFT delete table t || exit 1
++
++exit 0
++
+-- 
+cgit v1.2.3
+
diff --git a/net-firewall/nftables/nftables-1.0.2-r1.ebuild b/net-firewall/nftables/nftables-1.0.2-r1.ebuild
index 4e105370dd23..a7337abb2897 100644
--- a/net-firewall/nftables/nftables-1.0.2-r1.ebuild
+++ b/net-firewall/nftables/nftables-1.0.2-r1.ebuild
@@ -21,7 +21,7 @@ if [[ ${PV} =~ ^[9]{4,}$ ]]; then
 else
 SRC_URI="https://netfilter.org/projects/nftables/files/${P}.tar.bz2
 verify-sig? ( https://netfilter.org/projects/nftables/files/${P}.tar.bz2.sig )"
- KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86"
+ KEYWORDS="amd64 arm arm64 hppa ~ia64 ~mips ppc ppc64 ~riscv sparc x86"
 VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/netfilter.org.asc
 BDEPEND+="verify-sig? ( sec-keys/openpgp-keys-netfilter )"
 fi
diff --git a/net-firewall/nftables/nftables-1.0.1-r2.ebuild b/net-firewall/nftables/nftables-1.0.4-r2.ebuild
index a6b3f71dcc5e..e15c2462f85d 100644
--- a/net-firewall/nftables/nftables-1.0.1-r2.ebuild
+++ b/net-firewall/nftables/nftables-1.0.4-r2.ebuild
@@ -1,17 +1,18 @@ # Copyright 1999-2022 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 -EAPI=7 +EAPI=8 -PYTHON_COMPAT=( python3_{7..10} ) DISTUTILS_OPTIONAL=1 -inherit autotools linux-info distutils-r1 systemd verify-sig +PYTHON_COMPAT=( python3_{8..11} ) +VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/netfilter.org.asc +inherit edo linux-info distutils-r1 systemd verify-sig DESCRIPTION="Linux kernel (3.13+) firewall, NAT and packet mangling tools" HOMEPAGE="https://netfilter.org/projects/nftables/" if [[ ${PV} =~ ^[9]{4,}$ ]]; then - inherit git-r3 + inherit autotools git-r3 EGIT_REPO_URI="https://git.netfilter.org/${PN}" BDEPEND=" @@ -21,18 +22,18 @@ if [[ ${PV} =~ ^[9]{4,}$ ]]; then else SRC_URI="https://netfilter.org/projects/nftables/files/${P}.tar.bz2 verify-sig? ( https://netfilter.org/projects/nftables/files/${P}.tar.bz2.sig )" - KEYWORDS="amd64 arm arm64 hppa ~ia64 ~mips ppc ppc64 ~riscv sparc x86" - VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/netfilter.org.asc + KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86" BDEPEND+="verify-sig? ( sec-keys/openpgp-keys-netfilter )" fi LICENSE="GPL-2" SLOT="0/1" -IUSE="debug doc +gmp json libedit +modern-kernel python +readline static-libs xtables" +IUSE="debug doc +gmp json libedit +modern-kernel python +readline static-libs test xtables" +RESTRICT="test? ( userpriv ) !test? ( test )" RDEPEND=" >=net-libs/libmnl-1.0.4:0= - >=net-libs/libnftnl-1.2.1:0= + >=net-libs/libnftnl-1.2.2:0= gmp? ( dev-libs/gmp:= ) json? ( dev-libs/jansson:= ) python? ( ${PYTHON_DEPS} ) @@ -43,11 +44,12 @@ RDEPEND=" DEPEND="${RDEPEND}" BDEPEND+=" + virtual/pkgconfig doc? ( app-text/asciidoc >=app-text/docbook2X-0.8.8-r4 ) - virtual/pkgconfig + python? ( ${PYTHON_DEPS} ) " REQUIRED_USE=" 
@@ -55,10 +57,6 @@ REQUIRED_USE=" libedit? ( !readline ) " -PATCHES=( - "${FILESDIR}/${PN}-0.9.8-slibtool.patch" -) - pkg_setup() { if kernel_is ge 3 13; then if use modern-kernel && kernel_is lt 3 18; then @@ -72,15 +70,14 @@ pkg_setup() { } src_prepare() { + local PATCHES=( + "${FILESDIR}/nftables-1.0.4-revert-scanner-flags-move-to-own-scope.patch" + ) default - # fix installation path for doc stuff - sed '/^pkgsysconfdir/s@${sysconfdir}.*$@${docdir}/skels@' \ - -i files/nftables/Makefile.am || die - sed '/^pkgsysconfdir/s@${sysconfdir}.*$@${docdir}/skels/osf@' \ - -i files/osf/Makefile.am || die - - eautoreconf + if [[ ${PV} =~ ^[9]{4,}$ ]] ; then + eautoreconf + fi if use python; then pushd py >/dev/null || die @@ -93,6 +90,7 @@ src_configure() { local myeconfargs=( # We handle python separately --disable-python + --disable-static --sbindir="${EPREFIX}"/sbin $(use_enable debug) $(use_enable doc man-doc) @@ -122,6 +120,17 @@ src_compile() { fi } +src_test() { + emake check + + edo tests/shell/run-tests.sh -v + + # Need to rig up Python eclass if using this, but it doesn't seem to work + # for me anyway. + #cd tests/py || die + #"${EPYTHON}" nft-test.py || die +} + src_install() { default @@ -131,6 +140,12 @@ src_install() { popd >/dev/null || die fi + # Do it here instead of in src_prepare to avoid eautoreconf + # rmdir lets us catch if more files end up installed in /etc/nftables + dodir /usr/share/doc/${PF}/skels/ + mv "${ED}"/etc/nftables/osf "${ED}"/usr/share/doc/${PF}/skels/osf || die + rmdir "${ED}"/etc/nftables || die + local mksuffix="$(usex modern-kernel '-mk' '')" exeinto /usr/libexec/${PN} 
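Review bot: `edo tests/shell/run-tests.sh -v` in the new src_test runs the upstream shell suite as root on the build host (the `RESTRICT="test? ( userpriv ) ..."` added in an earlier hunk is what permits that), and if that script behaves as it does in the upstream tree it requires root and flushes the ruleset of the kernel it runs on between cases, so FEATURES=test on a machine that relies on nftables would wipe its live firewall. Run the suite in a throwaway network namespace so it only ever sees an empty ruleset, e.g. `edo unshare -n tests/shell/run-tests.sh -v`, declaring `test? ( sys-apps/util-linux )` in BDEPEND if you rely on it. If that is not acceptable, at least put a warning comment above the call, `# run-tests.sh mutates the live nf_tables ruleset of the kernel it runs on; it needs root and an expendable firewall`. The src_test function is complete within this hunk.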
@@ -150,9 +165,23 @@ src_install() { find "${ED}" -type f -name "*.la" -delete || die } +pkg_preinst() { + if [[ -d /sys/module/nf_tables ]] && [[ -x /sbin/nft ]] && [[ -z ${ROOT} ]]; then + if ! /sbin/nft -t list ruleset | "${ED}"/sbin/nft -c -f -; then + eerror "Your currently loaded ruleset cannot be parsed by the newly built instance of" + eerror "nft. This probably means that there is a regression introduced by v${PV}." + eerror "(To make the ebuild fail instead of warning, set NFTABLES_ABORT_ON_RELOAD_FAILURE=1.)" + + if [[ -n ${NFTABLES_ABORT_ON_RELOAD_FAILURE} ]] ; then + die "Aborting because of failed nft reload!" + fi + fi + fi +} + pkg_postinst() { local save_file - save_file="${EROOT}/var/lib/nftables/rules-save" + save_file="${EROOT}"/var/lib/nftables/rules-save # In order for the nftables-restore systemd service to start # the save_file must exist. @@ -175,6 +204,7 @@ pkg_postinst() { elog "the nftables-restore service must be manually started in order to" elog "save those rules on shutdown." fi + if has_version 'sys-apps/openrc'; then elog "If you wish to enable the firewall rules on boot (on openrc) you" elog "will need to enable the nftables service." diff --git a/net-firewall/nftables/nftables-9999.ebuild b/net-firewall/nftables/nftables-9999.ebuild index fa427dadfaab..51f0627a762d 100644 --- a/net-firewall/nftables/nftables-9999.ebuild +++ b/net-firewall/nftables/nftables-9999.ebuild 
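Review bot: The new pkg_preinst check `if ! /sbin/nft -t list ruleset | "${ED}"/sbin/nft -c -f -; then` only observes the exit status of the right-hand nft, so when the dump fails (nf_tables unusable from inside the build sandbox, a permission problem) the parser is fed an empty ruleset and the check silently passes. It is also not clear that the new parser is the one being exercised: nft appears to link libnftables dynamically (the `SLOT="0/1"` subslot tracks a library soname), in which case `"${ED}"/sbin/nft` run without `LD_LIBRARY_PATH` loads the already-installed library and parses with the old grammar — worth confirming against the link line. The rewrite below captures the dump first, warns and skips when it fails, and points the new binary at the freshly built library; the `-d /sys/module/nf_tables` gate is kept, but note it also skips the check on kernels with nf_tables built in, since /sys/module entries for built-in code are not guaranteed. pkg_preinst is complete within this hunk.
```bash
pkg_preinst() {
	# Parse-check the running ruleset with the newly built nft. Only meaningful
	# on the host itself (ROOT empty) and only when nf_tables is already loaded.
	if [[ -d /sys/module/nf_tables ]] && [[ -x /sbin/nft ]] && [[ -z ${ROOT} ]]; then
		local ruleset
		# Capture the dump separately: in a plain pipeline only the last command's
		# status is checked, so a failed dump would pass an empty ruleset and "succeed".
		if ! ruleset=$(/sbin/nft -t list ruleset); then
			ewarn "Could not read the running nftables ruleset; skipping the parse check."
			return 0
		fi

		# Point the new binary at the new libnftables rather than the installed one.
		if ! LD_LIBRARY_PATH="${ED}/usr/$(get_libdir)" "${ED}"/sbin/nft -c -f - <<<"${ruleset}"; then
			# … unchanged: eerror messages and NFTABLES_ABORT_ON_RELOAD_FAILURE handling …
		fi
	fi
}
```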
@@ -1,17 +1,18 @@ # Copyright 1999-2022 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 -EAPI=7 +EAPI=8 -PYTHON_COMPAT=( python3_{8..10} ) DISTUTILS_OPTIONAL=1 -inherit autotools linux-info distutils-r1 systemd verify-sig +PYTHON_COMPAT=( python3_{8..11} ) +VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/netfilter.org.asc +inherit edo linux-info distutils-r1 systemd verify-sig DESCRIPTION="Linux kernel (3.13+) firewall, NAT and packet mangling tools" HOMEPAGE="https://netfilter.org/projects/nftables/" if [[ ${PV} =~ ^[9]{4,}$ ]]; then - inherit git-r3 + inherit autotools git-r3 EGIT_REPO_URI="https://git.netfilter.org/${PN}" BDEPEND=" @@ -22,17 +23,17 @@ else SRC_URI="https://netfilter.org/projects/nftables/files/${P}.tar.bz2 verify-sig? ( https://netfilter.org/projects/nftables/files/${P}.tar.bz2.sig )" KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86" - VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/netfilter.org.asc BDEPEND+="verify-sig? ( sec-keys/openpgp-keys-netfilter )" fi LICENSE="GPL-2" SLOT="0/1" -IUSE="debug doc +gmp json libedit +modern-kernel python +readline static-libs xtables" +IUSE="debug doc +gmp json libedit +modern-kernel python +readline static-libs test xtables" +RESTRICT="test? ( userpriv ) !test? ( test )" RDEPEND=" >=net-libs/libmnl-1.0.4:0= - >=net-libs/libnftnl-1.2.1:0= + >=net-libs/libnftnl-1.2.2:0= gmp? ( dev-libs/gmp:= ) json? ( dev-libs/jansson:= ) python? ( ${PYTHON_DEPS} ) @@ -43,11 +44,12 @@ RDEPEND=" DEPEND="${RDEPEND}" BDEPEND+=" + virtual/pkgconfig doc? ( app-text/asciidoc >=app-text/docbook2X-0.8.8-r4 ) - virtual/pkgconfig + python? ( ${PYTHON_DEPS} ) " REQUIRED_USE=" 
@@ -70,13 +72,9 @@ pkg_setup() { src_prepare() { default - # fix installation path for doc stuff - sed '/^pkgsysconfdir/s@${sysconfdir}.*$@${docdir}/skels@' \ - -i files/nftables/Makefile.am || die - sed '/^pkgsysconfdir/s@${sysconfdir}.*$@${docdir}/skels/osf@' \ - -i files/osf/Makefile.am || die - - eautoreconf + if [[ ${PV} =~ ^[9]{4,}$ ]] ; then + eautoreconf + fi if use python; then pushd py >/dev/null || die @@ -119,6 +117,17 @@ src_compile() { fi } +src_test() { + emake check + + edo tests/shell/run-tests.sh -v + + # Need to rig up Python eclass if using this, but it doesn't seem to work + # for me anyway. + #cd tests/py || die + #"${EPYTHON}" nft-test.py || die +} + src_install() { default @@ -128,6 +137,12 @@ src_install() { popd >/dev/null || die fi + # Do it here instead of in src_prepare to avoid eautoreconf + # rmdir lets us catch if more files end up installed in /etc/nftables + dodir /usr/share/doc/${PF}/skels/ + mv "${ED}"/etc/nftables/osf "${ED}"/usr/share/doc/${PF}/skels/osf || die + rmdir "${ED}"/etc/nftables || die + local mksuffix="$(usex modern-kernel '-mk' '')" exeinto /usr/libexec/${PN} 
@@ -147,9 +162,23 @@ src_install() { find "${ED}" -type f -name "*.la" -delete || die } +pkg_preinst() { + if [[ -d /sys/module/nf_tables ]] && [[ -x /sbin/nft ]] && [[ -z ${ROOT} ]]; then + if ! /sbin/nft -t list ruleset | "${ED}"/sbin/nft -c -f -; then + eerror "Your currently loaded ruleset cannot be parsed by the newly built instance of" + eerror "nft. This probably means that there is a regression introduced by v${PV}." + eerror "(To make the ebuild fail instead of warning, set NFTABLES_ABORT_ON_RELOAD_FAILURE=1.)" + + if [[ -n ${NFTABLES_ABORT_ON_RELOAD_FAILURE} ]] ; then + die "Aborting because of failed nft reload!" + fi + fi + fi +} + pkg_postinst() { local save_file - save_file="${EROOT}/var/lib/nftables/rules-save" + save_file="${EROOT}"/var/lib/nftables/rules-save # In order for the nftables-restore systemd service to start # the save_file must exist. @@ -172,6 +201,7 @@ pkg_postinst() { elog "the nftables-restore service must be manually started in order to" elog "save those rules on shutdown." fi + if has_version 'sys-apps/openrc'; then elog "If you wish to enable the firewall rules on boot (on openrc) you" elog "will need to enable the nftables service." |
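Review bot: In the new pkg_preinst, `if ! /sbin/nft -t list ruleset | "${ED}"/sbin/nft -c -f -; then` checks only the right-hand command's status, so a failed `list ruleset` (nf_tables unusable under the sandbox, a permission problem) feeds the parser an empty ruleset and the check passes silently. Capture the dump first, `local ruleset; ruleset=$(/sbin/nft -t list ruleset) || return 0`, then `if ! "${ED}"/sbin/nft -c -f - <<<"${ruleset}"; then`, ideally with a one-line `ewarn` before the early return so the skipped check is visible in the log. If nft links libnftables dynamically (the `SLOT="0/1"` subslot suggests it does), `"${ED}"/sbin/nft` also needs `LD_LIBRARY_PATH="${ED}/usr/$(get_libdir)"` to parse with the newly built library rather than the installed one; confirm against the link line. pkg_preinst is complete within this hunk.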