Diffstat (limited to 'net-firewall')
-rw-r--r--net-firewall/Manifest.gzbin4533 -> 4541 bytes
-rw-r--r--net-firewall/iptables/Manifest7
-rw-r--r--net-firewall/iptables/files/iptables-1.8.8-format-security.patch21
-rw-r--r--net-firewall/iptables/files/iptables-1.8.8-musl-headers.patch59
-rw-r--r--net-firewall/iptables/files/iptables-1.8.8-out-of-tree-build.patch26
-rw-r--r--net-firewall/iptables/files/iptables-1.8.8-uint-musl.patch135
-rw-r--r--net-firewall/iptables/files/iptables-r3.init165
-rw-r--r--net-firewall/iptables/iptables-1.8.8-r3.ebuild181
-rw-r--r--net-firewall/nftables/Manifest12
-rw-r--r--net-firewall/nftables/files/nftables-0.9.8-slibtool.patch13
-rw-r--r--net-firewall/nftables/files/nftables-1.0.4-revert-scanner-flags-move-to-own-scope.patch252
-rw-r--r--net-firewall/nftables/nftables-1.0.2-r1.ebuild2
-rw-r--r--net-firewall/nftables/nftables-1.0.4-r2.ebuild (renamed from net-firewall/nftables/nftables-1.0.1-r2.ebuild)72
-rw-r--r--net-firewall/nftables/nftables-9999.ebuild62
-rw-r--r--net-firewall/nftlb/Manifest10
-rw-r--r--net-firewall/nftlb/files/nftlb-0.6-musl.patch72
-rw-r--r--net-firewall/nftlb/files/nftlb-0.6-tests.patch47
-rw-r--r--net-firewall/nftlb/nftlb-1.0.4.ebuild (renamed from net-firewall/nftlb/nftlb-1.0.ebuild)0
-rw-r--r--net-firewall/nftlb/nftlb-1.0.6.ebuild (renamed from net-firewall/nftlb/nftlb-0.6.ebuild)17
-rw-r--r--net-firewall/shorewall/Manifest2
-rw-r--r--net-firewall/shorewall/metadata.xml4
-rw-r--r--net-firewall/ufw/Manifest2
-rw-r--r--net-firewall/ufw/ufw-0.36-r1.ebuild2
23 files changed, 968 insertions, 195 deletions
diff --git a/net-firewall/Manifest.gz b/net-firewall/Manifest.gz
index 88b45124c954..4633bf333976 100644
--- a/net-firewall/Manifest.gz
+++ b/net-firewall/Manifest.gz
Binary files differ
diff --git a/net-firewall/iptables/Manifest b/net-firewall/iptables/Manifest
index dba00c9d65f7..95abe52aa2ab 100644
--- a/net-firewall/iptables/Manifest
+++ b/net-firewall/iptables/Manifest
@@ -2,12 +2,19 @@ AUX ip6tables-r1.confd 899 BLAKE2B d8c72df359a35798d7a92958ba9a620ab580427a06765
AUX iptables-1.8.2-link.patch 785 BLAKE2B 2ef5ac495260eef324f341d5d807e8c59afee8ac4853b46ef8c88765ed786396888d0bcd15822765da5584c25c6cdbbbc6b8b85eb0b8dbdd9b300662b1d59479 SHA512 10f6fdc4e4a37a0becb87f99c49888df366248f02b17037faf83068ef00824ecb61022a40b5551f9c8d2db22262ad738d554296bd6b78765dd5f8baf524b2388
AUX iptables-1.8.4-no-symlinks.patch 800 BLAKE2B 721d2dcc881f781031d2be48659dcd54568b3e8c25ad19d0505699f0cf8276990b41f2ddf9d5eda5c2a77f66ae9a16ae542c42c6fc2d91b085cc5922121f9b00 SHA512 79601d8a8a352f82f0f3eaf85a7b1f830c9ddc400ae0fadaf08eb1848bb9a2801a886b2b0803bf498e353db1828c0976aa8d30c9ece5fdcf61a203070ed4d7cd
AUX iptables-1.8.7-cache-double-free.patch 1574 BLAKE2B 475ed5b4d267b32a03b921cb009fa76931a7fc737ecabb70aed3d13b1f64d94bbb69194892c178fed9784d31c3478b00ab6dbc0d6fc5dd0b86a3ae86d8dcd681 SHA512 79e908845804b36a4a581485f61028570f58645aaaee9682d4a7b9609d4a410c8fb7547d082c5b02deafcf342f675da6e2a7e3436333d0ae6f3ce1a770afdc1a
+AUX iptables-1.8.8-format-security.patch 639 BLAKE2B df5c843d0cd6634740b372300263dd19df3289466ad83d3a10ba9f270519d738d90152cdef273d07c94502166082d6fa5a8908b603289e6d4c9bc9d6987b8b16 SHA512 6e1da61b648259dac02662eee995f9b5117bc8b8c028f0e2afc3346d82a94b7e7faf8ae5cfd484b7dd1a6530973191c1f147579f11e57ebda945115b40134094
+AUX iptables-1.8.8-musl-headers.patch 2061 BLAKE2B 6876d083d179a055c60422397e67a24137ae5bb72cba02f732d4dd7313171c10717202a41f1256196d5b64bc29d22e98d8d0eb9861130fa93481b527d0117e96 SHA512 136f3c7dae7c88739ed1c2d2c14e9a8381013c8a376bee80a7f994098810bb61d76dd143dc65430f0ec7b44d542b64242dd947134936468155840a4a26e6ce79
+AUX iptables-1.8.8-out-of-tree-build.patch 1058 BLAKE2B 5a358632780b607533033dc3bf6b6e24ac1af49dbbc26afae05668187c2a4072dba1cdbf51647b6b5f7c5f68e5a3d64fa82b5b0477d3cd4e936d466b731707fb SHA512 453ed9a2b3b2dddb3ccc9a099386c28290416ea356884084fd4d9bd2b026e21732b91f020fbe55de12ba970b815993f2e3a18a52a6774ab7738383e2f144a973
+AUX iptables-1.8.8-uint-musl.patch 4607 BLAKE2B 8ca4ba2fec97e99e1f57d9d1f376dbdab53a698279534879163ad5dade629cda3ac232df54d57ae75e589c2327492953e0c30356bdc4367b9a1474afc259136c SHA512 01d3af7330334b5002ec9d50e4b469651148b911d9ab5d45d5a2cd08e72c3be5e770c047cbc337485e40cb622ee470faa9ed91b53ca59e09a1c197bf5df48a9a
AUX iptables-r1.confd 890 BLAKE2B 0aaca870e3c03f19a71cf1b210377dfda320faf118359e298bef419eaf280fd11c9726d200ae89602e863c9b48de0bb51ac05424b50c064afe948a980e300153 SHA512 10002da01ded6be0e9bca6041798ad0859fa2212fde077a048443e4f3012c95d86e4580ae426e87af5891368062af9af6f9fd35ed617d24cdd3c51702b816b13
AUX iptables-r2.init 4384 BLAKE2B d11be1725e25d234e01af86c82d3745fd630b15b3ae2228845c5555db5c2ffdcd920fd565480f76ab91ef2d5b26f9ae96432efc288a1b9aa2abfb5b9bb01d7bf SHA512 8897ab985424c895e261e0fe521921f0da8e09e38394655b0f91c65c0e8f603731faf70489f7a6610c83d6c2fde75f92f309405d72277643165a847e62238df7
+AUX iptables-r3.init 3961 BLAKE2B fd25c46060f31242e1cb5e07281a79431eba2915a34fd91df86f3e6573029d46bb3cdf97d1297863def105cbbc34fadf6b19785951ca16893f1fe539bb070354 SHA512 13a5128f531f9f146e5f77985b899ec5d8b99223b3a1e90e656c1819bfa0984645de412b3938f998eb216ef98d5fd558dbc183351e707be0997499f40f706f16
AUX systemd/ip6tables-restore.service 404 BLAKE2B 35cdf804e787aa5cc382cc638de523735ab47b878168c41d8eef85eb592e5bebd9319e75a10db28f0eba6618efae355c90f03ac0798239edeb80d01108e98a47 SHA512 34730df7464354bce11ca5bdceb5cf305e8ab7e2ded2c2689448379e74ff93252e7a83cfe05c2f3238f59a2ade69cd9c328291c28c43b6612bfb7b29fcb0feee
AUX systemd/ip6tables-store.service 243 BLAKE2B 30a0d955998a2a664c6a95b8e559898a1a48c681b77b6e3e1b2fa6f2ada7204f23df0f0894218599e95c2ccea71024e86cda7c82b6ff5a55d016d04d71cb1487 SHA512 7cee224f91d4c8348606ba176d0d689749a59229958cfdf4e75451d77271363e7cff71dbb7e30dbc4a5a837363a72d70d6960d2dfb218f3ad16456ae109cba10
AUX systemd/iptables-restore.service 400 BLAKE2B cd7f700cf717a2efb6504770308f7dcb90a1968f64cca98ea5e7437cf3cf2a2e8f575e3743ac19eec8738c665f4243f537a101c00d5d1cc94648688d4e240a59 SHA512 8c005e321ad041068f243e4baa6588b24b0ffd69991f2129dfab0a34d0ebaf702ff2be8b7328126c84abdc3bbd300e1c387a690c5f6a002b50b2e9148feeb8ef
AUX systemd/iptables-store.service 240 BLAKE2B 7ddb4425e63cd41f421767fab25a7b055087fddde5927291b3fce6e0e978f0cb3b734bcacf02f78257eec99274056b69058436a847dcb366f5fb70032e410355 SHA512 a720e92b5571a2c3427101105e95e555f3b72541a53c5daa43e361c99ca28830e9e8dd27dbd7cfed40fbbe289ed180f9be7e0f3b6b0cd19bba022a531815fd5e
DIST iptables-1.8.7.tar.bz2 717862 BLAKE2B fd4dcff142eaadde2a14ce3eb5e45d41c326752553b52900c77fd2e2a20c0685d0a04b95755995e914df47658834d52216d6465c2ae9cd6abc6eb122b95cc976 SHA512 c0a33fafbf1139157a9f52860938ebedc282a1394a68dcbd58981159379eb525919f999b25925f2cb4d6b18089bd99a94b00b3e73cff5cb0a0e47bdff174ed75
+DIST iptables-1.8.8.tar.bz2 746985 BLAKE2B 0da021cc7313b86af331768904956dab3eee3de245a7b03965129f3d7f13097fc03fbb1390167dcd971eff216eabad9e59b261a9c0f54bfc48a77453aa40d164 SHA512 f21df23279a77531a23f3fcb1b8f0f8ec0c726bda236dd0e33af74b06753baff6ce3f26fb9fcceb6fada560656ba901e68fc6452eb840ac1b206bc4654950f59
EBUILD iptables-1.8.7-r2.ebuild 4561 BLAKE2B f0ce89cf5c49c7856f8702aad182b91abe99ce79b82c6e13194ca7a1499dd0fbe2112189e673aaedfbe0e40a030266e2b5d4bfa2d1b542b5ef744388af7d4dc7 SHA512 8f546a3ddef734f215cb0b9673cbd31b4be90a85ff99299c12f0a19cc053f56a095103e4d9c03d104542a0d978cbaff295074fca147db5f57a75d337fb5ca297
+EBUILD iptables-1.8.8-r3.ebuild 4623 BLAKE2B a68e56509dd33fba877c1ca913fef669bbfe6f09d3ef3d724f75660a60341dfbbf18b4fb76c66321fda757c4a32195370465364c5687c0af117d7ea5c50b6735 SHA512 620fea6d3bce4ea7180ace028f3bde22b84621902706c9424958a225a00ef1a24ed7a6ae1c2d0e8e83407b1373e8fa719846a0dbad3393e74005ef20d00e1587
MISC metadata.xml 1466 BLAKE2B 7378fedb44c6e6d19e508a764ec997911f966beccd40b1f93096ad3343b7cd72f9ca129e67a666c54ca4382348a448597bd607197ffe6b94669d84306c81d127 SHA512 f89038980e81bfceaf872ff1938c47e8ad12060bbe9ff48e0e9ca9dd5acc0196b2261d2b22a156cbfd7be89d1d67448969d39ff9b28efb0896702760afa14842
diff --git a/net-firewall/iptables/files/iptables-1.8.8-format-security.patch b/net-firewall/iptables/files/iptables-1.8.8-format-security.patch
new file mode 100644
index 000000000000..fafc435379b5
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-1.8.8-format-security.patch
@@ -0,0 +1,21 @@
+https://git.netfilter.org/iptables/commit/?id=b72eb12ea5a61df0655ad99d5048994e916be83a
+
+From: Phil Sutter <phil@nwl.cc>
+Date: Fri, 13 May 2022 16:51:58 +0200
+Subject: xshared: Fix build for -Werror=format-security
+
+Gcc complains about the omitted format string.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+--- a/iptables/xshared.c
++++ b/iptables/xshared.c
+@@ -1307,7 +1307,7 @@ static void check_empty_interface(struct xtables_args *args, const char *arg)
+ return;
+
+ if (args->family != NFPROTO_ARP)
+- xtables_error(PARAMETER_PROBLEM, msg);
++ xtables_error(PARAMETER_PROBLEM, "%s", msg);
+
+ fprintf(stderr, "%s", msg);
+ }
+cgit v1.2.3
diff --git a/net-firewall/iptables/files/iptables-1.8.8-musl-headers.patch b/net-firewall/iptables/files/iptables-1.8.8-musl-headers.patch
new file mode 100644
index 000000000000..52e2c7019972
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-1.8.8-musl-headers.patch
@@ -0,0 +1,59 @@
+https://git.netfilter.org/iptables/commit/?id=0e7cf0ad306cdf95dc3c28d15a254532206a888e
+https://bugs.gentoo.org/846377
+
+From: Phil Sutter <phil@nwl.cc>
+Date: Wed, 18 May 2022 16:04:09 +0200
+Subject: Revert "fix build for missing ETH_ALEN definition"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This reverts commit c5d9a723b5159a28f547b577711787295a14fd84 as it broke
+compiling against musl libc. Might be a bug in the latter, but for the
+time being try to please both by avoiding the include and instead
+defining ETH_ALEN if unset.
+
+While being at it, move netinet/ether.h include up.
+
+Fixes: 1bdb5535f561a ("libxtables: Extend MAC address printing/parsing support")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Reviewed-by: Maciej Żenczykowski <maze@google.com>
+--- a/libxtables/xtables.c
++++ b/libxtables/xtables.c
+@@ -28,6 +28,7 @@
+ #include <stdlib.h>
+ #include <string.h>
+ #include <unistd.h>
++#include <netinet/ether.h>
+ #include <sys/socket.h>
+ #include <sys/stat.h>
+ #include <sys/statfs.h>
+@@ -45,7 +46,6 @@
+
+ #include <xtables.h>
+ #include <limits.h> /* INT_MAX in ip_tables.h/ip6_tables.h */
+-#include <linux/if_ether.h> /* ETH_ALEN */
+ #include <linux/netfilter_ipv4/ip_tables.h>
+ #include <linux/netfilter_ipv6/ip6_tables.h>
+ #include <libiptc/libxtc.h>
+@@ -72,6 +72,10 @@
+ #define PROC_SYS_MODPROBE "/proc/sys/kernel/modprobe"
+ #endif
+
++#ifndef ETH_ALEN
++#define ETH_ALEN 6
++#endif
++
+ /* we need this for ip6?tables-restore. ip6?tables-restore.c sets line to the
+ * current line of the input file, in order to give a more precise error
+ * message. ip6?tables itself doesn't need this, so it is initialized to the
+@@ -2245,8 +2249,6 @@ void xtables_print_num(uint64_t number, unsigned int format)
+ printf(FMT("%4lluT ","%lluT "), (unsigned long long)number);
+ }
+
+-#include <netinet/ether.h>
+-
+ static const unsigned char mac_type_unicast[ETH_ALEN] = {};
+ static const unsigned char msk_type_unicast[ETH_ALEN] = {1};
+ static const unsigned char mac_type_multicast[ETH_ALEN] = {1};
+cgit v1.2.3
diff --git a/net-firewall/iptables/files/iptables-1.8.8-out-of-tree-build.patch b/net-firewall/iptables/files/iptables-1.8.8-out-of-tree-build.patch
new file mode 100644
index 000000000000..ee9e218b5dbd
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-1.8.8-out-of-tree-build.patch
@@ -0,0 +1,26 @@
+https://git.netfilter.org/iptables/commit/?id=0ebf52fc951b2a4d98a166afb34af4f364bbeece
+
+From: Ben Brown <ben@demerara.io>
+Date: Wed, 25 May 2022 16:26:13 +0100
+Subject: build: Fix error during out of tree build
+
+Fixes the following error:
+
+ ../../libxtables/xtables.c:52:10: fatal error: libiptc/linux_list.h: No such file or directory
+ 52 | #include <libiptc/linux_list.h>
+
+Fixes: f58b0d7406451 ("libxtables: Implement notargets hash table")
+Signed-off-by: Ben Brown <ben@demerara.io>
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+--- a/libxtables/Makefile.am
++++ b/libxtables/Makefile.am
+@@ -1,7 +1,7 @@
+ # -*- Makefile -*-
+
+ AM_CFLAGS = ${regular_CFLAGS}
+-AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include -I${top_srcdir}/include -I${top_srcdir}/iptables ${kinclude_CPPFLAGS}
++AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include -I${top_srcdir}/include -I${top_srcdir}/iptables -I${top_srcdir} ${kinclude_CPPFLAGS}
+
+ lib_LTLIBRARIES = libxtables.la
+ libxtables_la_SOURCES = xtables.c xtoptions.c getethertype.c
+cgit v1.2.3
diff --git a/net-firewall/iptables/files/iptables-1.8.8-uint-musl.patch b/net-firewall/iptables/files/iptables-1.8.8-uint-musl.patch
new file mode 100644
index 000000000000..40302f624e23
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-1.8.8-uint-musl.patch
@@ -0,0 +1,135 @@
+https://git.netfilter.org/iptables/commit/?id=f319389525b066b7dc6d389c88f16a0df3b8f189
+
+From: Nick Hainke <vincent@systemli.org>
+Date: Mon, 16 May 2022 18:16:41 +0200
+Subject: treewide: use uint* instead of u_int*
+
+Gcc complains about missing types. Some commits introduced u_int* instead
+of uint*. Use uint treewide.
+
+Fixes errors in the form of:
+In file included from xtables-legacy-multi.c:5:
+xshared.h:83:56: error: unknown type name 'u_int16_t'; did you mean 'uint16_t'?
+ 83 | set_option(unsigned int *options, unsigned int option, u_int16_t *invflg,
+ | ^~~~~~~~~
+ | uint16_t
+make[6]: *** [Makefile:712: xtables_legacy_multi-xtables-legacy-multi.o] Error 1
+
+Avoid libipq API breakage by adjusting libipq.h include accordingly. For
+arpt_mangle.h kernel uAPI header, apply same change as in kernel commit
+e91ded8db5747 ("uapi: netfilter_arp: use __u8 instead of u_int8_t").
+
+Signed-off-by: Nick Hainke <vincent@systemli.org>
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+--- a/extensions/libxt_conntrack.c
++++ b/extensions/libxt_conntrack.c
+@@ -778,7 +778,7 @@ matchinfo_print(const void *ip, const struct xt_entry_match *match, int numeric,
+
+ static void
+ conntrack_dump_ports(const char *prefix, const char *opt,
+- u_int16_t port_low, u_int16_t port_high)
++ uint16_t port_low, uint16_t port_high)
+ {
+ if (port_high == 0 || port_low == port_high)
+ printf(" %s%s %u", prefix, opt, port_low);
+--- a/include/libipq/libipq.h
++++ b/include/libipq/libipq.h
+@@ -24,7 +24,7 @@
+ #include <errno.h>
+ #include <unistd.h>
+ #include <fcntl.h>
+-#include <sys/types.h>
++#include <stdint.h>
+ #include <sys/socket.h>
+ #include <sys/uio.h>
+ #include <asm/types.h>
+@@ -48,19 +48,19 @@ typedef unsigned long ipq_id_t;
+ struct ipq_handle
+ {
+ int fd;
+- u_int8_t blocking;
++ uint8_t blocking;
+ struct sockaddr_nl local;
+ struct sockaddr_nl peer;
+ };
+
+-struct ipq_handle *ipq_create_handle(u_int32_t flags, u_int32_t protocol);
++struct ipq_handle *ipq_create_handle(uint32_t flags, uint32_t protocol);
+
+ int ipq_destroy_handle(struct ipq_handle *h);
+
+ ssize_t ipq_read(const struct ipq_handle *h,
+ unsigned char *buf, size_t len, int timeout);
+
+-int ipq_set_mode(const struct ipq_handle *h, u_int8_t mode, size_t len);
++int ipq_set_mode(const struct ipq_handle *h, uint8_t mode, size_t len);
+
+ ipq_packet_msg_t *ipq_get_packet(const unsigned char *buf);
+
+--- a/include/libiptc/libxtc.h
++++ b/include/libiptc/libxtc.h
+@@ -10,7 +10,7 @@ extern "C" {
+ #endif
+
+ #ifndef XT_MIN_ALIGN
+-/* xt_entry has pointers and u_int64_t's in it, so if you align to
++/* xt_entry has pointers and uint64_t's in it, so if you align to
+ it, you'll also align to any crazy matches and targets someone
+ might write */
+ #define XT_MIN_ALIGN (__alignof__(struct xt_entry))
+--- a/include/linux/netfilter_arp/arpt_mangle.h
++++ b/include/linux/netfilter_arp/arpt_mangle.h
+@@ -13,7 +13,7 @@ struct arpt_mangle
+ union {
+ struct in_addr tgt_ip;
+ } u_t;
+- u_int8_t flags;
++ __u8 flags;
+ int target;
+ };
+
+--- a/iptables/xshared.c
++++ b/iptables/xshared.c
+@@ -1025,7 +1025,7 @@ static const int inverse_for_options[NUMBER_OF_OPT] =
+ };
+
+ void
+-set_option(unsigned int *options, unsigned int option, u_int16_t *invflg,
++set_option(unsigned int *options, unsigned int option, uint16_t *invflg,
+ bool invert)
+ {
+ if (*options & option)
+--- a/iptables/xshared.h
++++ b/iptables/xshared.h
+@@ -80,7 +80,7 @@ struct xtables_target;
+ #define IPT_INV_ARPHRD 0x0800
+
+ void
+-set_option(unsigned int *options, unsigned int option, u_int16_t *invflg,
++set_option(unsigned int *options, unsigned int option, uint16_t *invflg,
+ bool invert);
+
+ /**
+--- a/libipq/ipq_create_handle.3
++++ b/libipq/ipq_create_handle.3
+@@ -24,7 +24,7 @@ ipq_create_handle, ipq_destroy_handle \(em create and destroy libipq handles.
+ .br
+ .B #include <libipq.h>
+ .sp
+-.BI "struct ipq_handle *ipq_create_handle(u_int32_t " flags ", u_int32_t " protocol ");"
++.BI "struct ipq_handle *ipq_create_handle(uint32_t " flags ", uint32_t " protocol ");"
+ .br
+ .BI "int ipq_destroy_handle(struct ipq_handle *" h );
+ .SH DESCRIPTION
+--- a/libipq/ipq_set_mode.3
++++ b/libipq/ipq_set_mode.3
+@@ -24,7 +24,7 @@ ipq_set_mode \(em set the ip_queue queuing mode
+ .br
+ .B #include <libipq.h>
+ .sp
+-.BI "int ipq_set_mode(const struct ipq_handle *" h ", u_int8_t " mode ", size_t " range );
++.BI "int ipq_set_mode(const struct ipq_handle *" h ", uint8_t " mode ", size_t " range );
+ .SH DESCRIPTION
+ The
+ .B ipq_set_mode
+cgit v1.2.3
diff --git a/net-firewall/iptables/files/iptables-r3.init b/net-firewall/iptables/files/iptables-r3.init
new file mode 100644
index 000000000000..53eb4246c59f
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-r3.init
@@ -0,0 +1,165 @@
+#!/sbin/openrc-run
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+extra_commands="check save panic"
+extra_started_commands="reload"
+
+iptables_lock_wait_time=${IPTABLES_LOCK_WAIT_TIME:-"60"}
+iptables_lock_wait_interval=${IPTABLES_LOCK_WAIT_INTERVAL:-"1000"}
+
+iptables_name=${SVCNAME}
+case ${iptables_name} in
+ iptables|ip6tables) ;;
+ *) iptables_name="iptables" ;;
+esac
+
+iptables_bin="/sbin/${iptables_name}"
+case ${iptables_name} in
+ iptables) iptables_proc="/proc/net/ip_tables_names"
+ iptables_save=${IPTABLES_SAVE};;
+ ip6tables) iptables_proc="/proc/net/ip6_tables_names"
+ iptables_save=${IP6TABLES_SAVE};;
+esac
+
+depend() {
+ need localmount #434774
+ before net
+}
+
+set_table_policy() {
+ local has_errors=0 chains table=$1 policy=$2
+ case ${table} in
+ nat) chains="PREROUTING POSTROUTING OUTPUT";;
+ mangle) chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING";;
+ filter) chains="INPUT FORWARD OUTPUT";;
+ *) chains="";;
+ esac
+
+ local chain
+ for chain in ${chains} ; do
+ ${iptables_bin} --wait ${iptables_lock_wait_time} -t ${table} -P ${chain} ${policy}
+ [ $? -ne 0 ] && has_errors=1
+ done
+
+ return ${has_errors}
+}
+
+checkkernel() {
+ if [ ! -e ${iptables_proc} ] ; then
+ eerror "Your kernel lacks ${iptables_name} support, please load"
+ eerror "appropriate modules and try again."
+ return 1
+ fi
+ return 0
+}
+
+checkconfig() {
+ if [ -z "${iptables_save}" -o ! -f "${iptables_save}" ] ; then
+ eerror "Not starting ${iptables_name}. First create some rules then run:"
+ eerror "/etc/init.d/${iptables_name} save"
+ return 1
+ fi
+ return 0
+}
+
+start_pre() {
+ checkconfig || return 1
+}
+
+start() {
+ ebegin "Loading ${iptables_name} state and starting firewall"
+ ${iptables_bin}-restore --wait ${iptables_lock_wait_time} ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
+ eend $?
+}
+
+stop_pre() {
+ checkkernel || return 1
+}
+
+stop() {
+ if [ "${SAVE_ON_STOP}" = "yes" ] ; then
+ save || return 1
+ fi
+
+ ebegin "Stopping firewall"
+ local has_errors=0 a
+ for a in $(cat ${iptables_proc}) ; do
+ set_table_policy $a ACCEPT
+ [ $? -ne 0 ] && has_errors=1
+
+ ${iptables_bin} --wait ${iptables_lock_wait_time} -F -t $a
+ [ $? -ne 0 ] && has_errors=1
+
+ ${iptables_bin} --wait ${iptables_lock_wait_time} -X -t $a
+ [ $? -ne 0 ] && has_errors=1
+ done
+ eend ${has_errors}
+}
+
+reload() {
+ checkkernel || return 1
+ checkrules || return 1
+ ebegin "Flushing firewall"
+ local has_errors=0 a
+ for a in $(cat ${iptables_proc}) ; do
+ ${iptables_bin} --wait ${iptables_lock_wait_time} -F -t $a
+ [ $? -ne 0 ] && has_errors=1
+
+ ${iptables_bin} --wait ${iptables_lock_wait_time} -X -t $a
+ [ $? -ne 0 ] && has_errors=1
+ done
+ eend ${has_errors}
+
+ start
+}
+
+checkrules() {
+ ebegin "Checking rules"
+ ${iptables_bin}-restore --test ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
+ eend $?
+}
+
+check() {
+ # Short name for users of init.d script.
+ checkrules
+}
+
+save() {
+ ebegin "Saving ${iptables_name} state"
+ checkpath -q -d "$(dirname "${iptables_save}")"
+ checkpath -q -m 0600 -f "${iptables_save}"
+ ${iptables_bin}-save ${SAVE_RESTORE_OPTIONS} > "${iptables_save}"
+ eend $?
+}
+
+panic() {
+ # use iptables autoload capability to load at least all required
+ # modules and filter table
+ ${iptables_bin} --wait ${iptables_lock_wait_time} -S >/dev/null
+ if [ $? -ne 0 ] ; then
+ eerror "${iptables_bin} failed to load"
+ return 1
+ fi
+
+ if service_started ${iptables_name}; then
+ rc-service ${iptables_name} stop
+ fi
+
+ local has_errors=0 a
+ ebegin "Dropping all packets"
+ for a in $(cat ${iptables_proc}) ; do
+ ${iptables_bin} --wait ${iptables_lock_wait_time} -F -t $a
+ [ $? -ne 0 ] && has_errors=1
+
+ ${iptables_bin} --wait ${iptables_lock_wait_time} -X -t $a
+ [ $? -ne 0 ] && has_errors=1
+
+ if [ "${a}" != "nat" ]; then
+ # The "nat" table is not intended for filtering, the use of DROP is therefore inhibited.
+ set_table_policy $a DROP
+ [ $? -ne 0 ] && has_errors=1
+ fi
+ done
+ eend ${has_errors}
+}
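Review bot: `panic()` and `reload()` both pass through a state with no filtering rules before they reach their final ruleset. In `panic()`, `rc-service ${iptables_name} stop` runs `stop()`, which sets every chain policy to ACCEPT and flushes the tables, and only afterwards does the loop apply DROP; in `reload()` the `-F`/`-X` loop runs before `start` restores the saved rules, so only chain policies apply in between, and they stay that way if the restore fails. For `panic()` the DROP policies could be applied without first going through the ACCEPT step of `stop()`; for `reload()`, `iptables-restore` already replaces each table it loads unless `--noflush` is in `SAVE_RESTORE_OPTIONS`, so the pre-flush looks necessary only for tables missing from the save file. At minimum add a comment in `reload()` such as `# NOTE: between this flush and the restore in start() only chain policies apply`. Separately, `iptables_lock_wait_interval` is assigned near the top but is not used anywhere in this script.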
diff --git a/net-firewall/iptables/iptables-1.8.8-r3.ebuild b/net-firewall/iptables/iptables-1.8.8-r3.ebuild
new file mode 100644
index 000000000000..b5f9b1e35cde
--- /dev/null
+++ b/net-firewall/iptables/iptables-1.8.8-r3.ebuild
@@ -0,0 +1,181 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit systemd toolchain-funcs autotools flag-o-matic usr-ldscript
+
+DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
+HOMEPAGE="https://www.netfilter.org/projects/iptables/"
+SRC_URI="https://www.netfilter.org/projects/iptables/files/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+# Subslot reflects PV when libxtables and/or libip*tc was changed
+# the last time.
+SLOT="0/1.8.3"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
+IUSE="conntrack netlink nftables pcap static-libs"
+
+COMMON_DEPEND="
+ conntrack? ( >=net-libs/libnetfilter_conntrack-1.0.6 )
+ netlink? ( net-libs/libnfnetlink )
+ nftables? (
+ >=net-libs/libmnl-1.0:=
+ >=net-libs/libnftnl-1.1.6:=
+ )
+ pcap? ( net-libs/libpcap )
+"
+DEPEND="
+ ${COMMON_DEPEND}
+ virtual/os-headers
+ >=sys-kernel/linux-headers-4.4:0
+"
+BDEPEND="
+ virtual/pkgconfig
+ nftables? (
+ sys-devel/flex
+ virtual/yacc
+ )
+"
+RDEPEND="
+ ${COMMON_DEPEND}
+ nftables? ( net-misc/ethertypes )
+ !<net-firewall/ebtables-2.0.11-r1
+ !<net-firewall/arptables-0.0.5-r1
+"
+IDEPEND=">=app-eselect/eselect-pinentry-0.7.2"
+
+PATCHES=(
+ "${FILESDIR}/iptables-1.8.4-no-symlinks.patch"
+ "${FILESDIR}/iptables-1.8.2-link.patch"
+
+ "${FILESDIR}/${P}-format-security.patch"
+ "${FILESDIR}/${P}-uint-musl.patch"
+ "${FILESDIR}/${P}-musl-headers.patch"
+ "${FILESDIR}/${P}-out-of-tree-build.patch"
+)
+
+src_prepare() {
+ # Use the saner headers from the kernel
+ rm include/linux/{kernel,types}.h || die
+
+ default
+ eautoreconf
+}
+
+src_configure() {
+ # Some libs use $(AR) rather than libtool to build, bug #444282
+ tc-export AR
+
+ # Hack around struct mismatches between userland & kernel for some ABIs
+ # bug #472388
+ use amd64 && [[ ${ABI} == "x32" ]] && append-flags -fpack-struct
+
+ sed -i \
+ -e "/nfnetlink=[01]/s:=[01]:=$(usex netlink 1 0):" \
+ -e "/nfconntrack=[01]/s:=[01]:=$(usex conntrack 1 0):" \
+ configure || die
+
+ local myeconfargs=(
+ --sbindir="${EPREFIX}/sbin"
+ --libexecdir="${EPREFIX}/$(get_libdir)"
+ --enable-devel
+ --enable-ipv6
+ --enable-shared
+ $(use_enable nftables)
+ $(use_enable pcap bpf-compiler)
+ $(use_enable pcap nfsynproxy)
+ $(use_enable static-libs static)
+ )
+
+ econf "${myeconfargs[@]}"
+}
+
+src_compile() {
+ emake V=1
+}
+
+src_install() {
+ default
+
+ dodoc INCOMPATIBILITIES iptables/iptables.xslt
+
+ # All the iptables binaries are in /sbin, so might as well
+ # put these small files in with them
+ into /
+ dosbin iptables/iptables-apply
+ dosym iptables-apply /sbin/ip6tables-apply
+ doman iptables/iptables-apply.8
+
+ insinto /usr/include
+ doins include/ip{,6}tables.h
+ insinto /usr/include/iptables
+ doins include/iptables/internal.h
+
+ keepdir /var/lib/ip{,6}tables
+ newinitd "${FILESDIR}"/${PN}-r3.init iptables
+ newconfd "${FILESDIR}"/${PN}-r1.confd iptables
+ dosym iptables /etc/init.d/ip6tables
+ newconfd "${FILESDIR}"/ip6tables-r1.confd ip6tables
+
+ if use nftables; then
+ # Bug #647458
+ rm "${ED}"/etc/ethertypes || die
+
+ # Bugs #660886 and #669894
+ rm "${ED}"/sbin/{arptables,ebtables}{,-{save,restore}} || die
+ fi
+
+ systemd_dounit "${FILESDIR}"/systemd/ip{,6}tables-{re,}store.service
+
+ # Move important libs to /lib, bug #332175
+ gen_usr_ldscript -a ip{4,6}tc xtables
+
+ find "${ED}" -type f -name "*.la" -delete || die
+}
+
+pkg_postinst() {
+ local default_iptables="xtables-legacy-multi"
+ if ! eselect iptables show &>/dev/null; then
+ elog "Current iptables implementation is unset, setting to ${default_iptables}"
+ eselect iptables set "${default_iptables}"
+ fi
+
+ if use nftables; then
+ local tables
+ for tables in {arp,eb}tables; do
+ if ! eselect ${tables} show &>/dev/null; then
+ elog "Current ${tables} implementation is unset, setting to ${default_iptables}"
+ eselect ${tables} set xtables-nft-multi
+ fi
+ done
+ fi
+
+ eselect iptables show
+}
+
+pkg_prerm() {
+ if [[ -z ${REPLACED_BY_VERSION} ]]; then
+ elog "Unsetting iptables symlinks before removal"
+ eselect iptables unset
+ fi
+
+ if ! has_version 'net-firewall/ebtables'; then
+ elog "Unsetting ebtables symlinks before removal"
+ eselect ebtables unset
+ elif [[ -z ${REPLACED_BY_VERSION} ]]; then
+ elog "Resetting ebtables symlinks to ebtables-legacy"
+ eselect ebtables set ebtables-legacy
+ fi
+
+ if ! has_version 'net-firewall/arptables'; then
+ elog "Unsetting arptables symlinks before removal"
+ eselect arptables unset
+ elif [[ -z ${REPLACED_BY_VERSION} ]]; then
+ elog "Resetting arptables symlinks to arptables-legacy"
+ eselect arptables set arptables-legacy
+ fi
+
+ # The eselect module failing should not be fatal
+ return 0
+}
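Review bot: `IDEPEND` names `>=app-eselect/eselect-pinentry-0.7.2`, but `pkg_postinst` and `pkg_prerm` call `eselect iptables`, `eselect ebtables` and `eselect arptables`, and nothing visible in this ebuild pulls in an eselect module for those; this looks like a copy-paste from another package. If the iptables module is what was intended, the line would read `IDEPEND="app-eselect/eselect-iptables"` (version bound left to the maintainer), and because `pkg_prerm` uses it too a matching `RDEPEND` entry may be needed. In the `{arp,eb}tables` loop of `pkg_postinst` the `elog` reports `${default_iptables}` (`xtables-legacy-multi`) while the next line sets `xtables-nft-multi`, so the log misstates the backend that was selected. The `SRC_URI` tarball is pinned only by the Manifest hashes; unlike the nftables entries in this commit, no `.sig` distfile is listed for it.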
diff --git a/net-firewall/nftables/Manifest b/net-firewall/nftables/Manifest
index 142d09b03b70..6c7817b75b99 100644
--- a/net-firewall/nftables/Manifest
+++ b/net-firewall/nftables/Manifest
@@ -1,20 +1,20 @@
AUX libexec/nftables-mk.sh 1070 BLAKE2B 30d8109d74e7d8c4f51c753f676f91a1902ad42f6d68662f1191ff73d2a43a1bf49fb795f3763705f8aeb0a4f22cab0006a943e01adb188f1ef9eb05125dfdbd SHA512 a14e48f014f75c7e611bf2a653d9760804754febd1ae4543f78abbfbe60c79f5aa07c5fd53fe26bb74b48fcb8cb8aa78274771212e41c42db031e8c8ba7e81d2
AUX libexec/nftables.sh 3665 BLAKE2B 74362a4425e974e74e7b895980002f0ded2ecbb4731bbf956edb56ffb9f1ad394802c4eeab3af3735eba4d8e71572a5663e564ce4e7fad76c9715043b90c1b43 SHA512 6cb1ac0928ae2da5c69764d45c52a661a6d72698bb9edd6a603580d2f9bd82b59f2a2661e7569ade3a3b729459d115004f251ad6a5eac8cdf1d38c65bfa9349e
AUX man-pages/gen-manpages.bash 1797 BLAKE2B c93cc311570abd674a12eb88711cf01664f437b8dc0fb4de36194f36671d92c35e04fcff6c56adcb0e642f089169f63ef063736398584e5e7ce799bf55acf2ff SHA512 ea3291412ce13d9dd463403fcc11c665c9de63edaabdecaf55e051b52b0ff845c9c7d63a6c4c08e4d2d94428815fe11daf9b7390081b4e9de4774e188b9ea677
-AUX nftables-0.9.8-slibtool.patch 427 BLAKE2B 00ab37efe35a68818af21d91781eb6610574a164743c9aea4458aea2efd6ce50aa788ac4a667d37ed3a686e6802e9feb8a4145f2debc9fb379d3621ed002d6df SHA512 8969d2db4aa2ddb5e352c864af5f85aa95849c0ffbc0b5d0fb4f9b848a3a35ab1aa2e747a9c6f4911fc1cdf0f4eb2032d863bfc10e4dcc120604735e7e04f911
AUX nftables-1.0.2-build-explicitly-pass-version-script-to-linker.patch 1062 BLAKE2B 65306c5f920c6179ebd064737a1713d0af7f94ca3b813aa19a1abe5162f88d5507d290fdbdcb05729a83bf1c7d36bc0a61252b224b44896722a89e71982ec8bf SHA512 1d2fed0ca10ee5f7beab94808a73a0002ec6ba63deaa44ab87fdd97d869f0da776ce6c09834d9c6bc7393ae80aca7a326ab1e8df0b122ad016cba5627fd4fffa
AUX nftables-1.0.2-compilation.patch 1188 BLAKE2B 524298dbe639ee9c613d9314cd6ad10abe058534bc6fd1773aeab14fc76103247817ff472e4c7b03e5d2adda5ce84172bb98aac548d432e64f61222d85c6f43c SHA512 d438ec732840eeddfb123e184d00e7b54590e85004a7e89bbacfac48602e36b5082f29a3848ed54769f5155b162beeda7eee58f788fc917dfb598e1ad986694d
AUX nftables-1.0.2-libnftables.map-export-new-nft_ctx_-get-set-_optimiz.patch 960 BLAKE2B d37f4f2dd72268303170d5d1af1a52e922724fc578afbaf85d05eb5f7beaef3cb67cff37f324cb2adb5b41a7e9b656c51142e6c122a8ea8ecae3ede84e46f7ff SHA512 e1a4da28d62bb09b1e4acdbb3acef211b640715ed0aae93c5206debc3dd2367385aa0c06a9f9a94297c21fb25d659d3e3d51463261d9e4eef269c2c450f0f4e1
+AUX nftables-1.0.4-revert-scanner-flags-move-to-own-scope.patch 8917 BLAKE2B f520876282dfe97b27b8cc806cce3bce15051acc45427e2a5d399cf2980f23c0b989ef57df1c85af34abe7cebf74288927fdeab95a0be10b4070e12951ee858a SHA512 f51f47d6fb3ca84a6a7f540e0b240c4d1eeb793a1066113a4b1653d38d9fa37ac99017d4131be73791d241ae6cbde3956b38e282b5540fce9ce81b9ad0e65d8f
AUX nftables-mk.confd 899 BLAKE2B f4c3d82fbae87fb0d755af786a98db591b6a667cf33660ba9275ada2e6417fad1899a7f29762f23c112fc5c9e178bc7590c3b2ba26617853c3577917bd7d3edf SHA512 505ed05674a04367f1a3d5cf6447596ad1c3b2e9c920697f12f58a20d94c2a39b0041bb4911678511c4548566a69d964661d4afc3e7e27997943b875f204c602
AUX nftables-mk.init-r1 1970 BLAKE2B 9ece7da364eac76ef2ac401f4cc3ed558e926e8f07ab43f084de819098e9543bda0a9a8d40375e4e01dd6e53b92d744acf8f3caaeab1c3678ca84b1f48d59685 SHA512 9f1e491ba5fd8a1173eb055bfa5a0de3c040c158e7d54848fcd373a5f4c4041df6fb9ddc5b0e8fdfd78243665c627b8767816bcf94dd142b441b21227206fef3
AUX nftables.confd 655 BLAKE2B 5512be1edd43e270941de3d9b66fda69e4afd7c7e6e970b232a044c2fd64f8e50b9b55a4fe670174c3eabf3d176ee0158c1043baec4b76b0802e7e97bc862fcf SHA512 8370abcdc89fcd9da5dc7d1620be6afb4633b8bcd0a8a120b464cc1a7e1fab6f34956c293da3f6d3cbe1f7a2e03038fd0c94a614137ae5657d29ffdb5f3fa144
AUX nftables.init-r1 2279 BLAKE2B 1c4c28ea5b6a22905b3ec7de8e54726933b579352ecd799b7641384a138ffa2d4a2deb87d84ef5d75a43ae30759f1550d611c2560096bb5083cae9bb834be2bb SHA512 2165223bfd4f300b9cc01f604347fc5167f68515174b0d116b667bd05f4baf8c2f931e482f632975a8be371c2147951d9407f397ea4dbcbac79a6738cbd23015
AUX systemd/nftables-restore.service 394 BLAKE2B 1c1f358eb2eff789e68c051098c971f11a8df6621c3c919e30a1ec1213f6db822c390609c01827fe9fc75c540effa3e3a7b6f93bd24e16ea19841bbfaab796ed SHA512 18da6a770bb3e94fd6b2c9e6f033450aaff9fe886c8846f780d08a21e2fc884ac078652743b50b3d4ea8c9500f92d272bdd27e2881e438c2b223d40816c100a0
-DIST nftables-1.0.1.tar.bz2 954586 BLAKE2B e406699c96b98495f1b6deeab0233873ce20b43c13c162eafea1e6b371961123a69f3d5e7bd2f1bedfdbe58fed56ba3e2dae962b88657af6f4ab5b3743fb6373 SHA512 a0db4d82725509d2a9c638ba7ba55547ad7b5138a5fe686b0e90260d6a65e060dd72a470969c1d69e945303bd2bfc33b2021d9f4141b88befefddc61b7afe10d
-DIST nftables-1.0.1.tar.bz2.sig 566 BLAKE2B d504987b16b7a8676586ecb3a1ce9588bff972ca54bbb3ce3b0db5288f1fd981e529dccea009bd01a3a96e5199a034956bd43cdeaba67847239a88d458f43f8a SHA512 0884098ceabe7b070e146e47292afd8c80188ea595eaeaadb228307f502dae4a43bf801dea2a25519eaef3c96d567daf40e45c37fabb58db1b2256eb8f256cb0
DIST nftables-1.0.2.tar.bz2 970781 BLAKE2B 650ae6badb574ff3628d21c8aa99f81e73932dd172b3569618696100bf3853b9a108bf0296dcf9d615ae7c0fbec84b48266299b62cf755d181d19c626f8a3cd4 SHA512 560d23c6e369eafd7b354d29fe73d46154e4a74dec000178c1aea47751fe535d20c4e6bbecd3955eb2b327c7a60b1269e5c6dc5781498546b639fa2d1367a9ca
DIST nftables-1.0.2.tar.bz2.sig 566 BLAKE2B 5b7a20b28c274a950b718e2e14313772707b6bdc3f4519f747350593c1eb3bfbcf8c5dd9ae7d5aa0488c5cde9af8b58e05349c75e8a8246c5634303a331f9d98 SHA512 9be59d771833ac315fd52cffe7074ed9d49fbf592aec8d94500bbc7cc1f44dcb54b3815c46831a5e7e4c4770901cbdd6b8ffc5aa8d8cb7e064ec1c8453d890f1
-EBUILD nftables-1.0.1-r2.ebuild 4966 BLAKE2B 0fac9458f91dccfd3366c3ddfec0d4444329fe1d9358b89a67d52960bba67fc56efd9e5150f9979e5ba85793d05783b1e835acf6fbe3324fddfa0ca0033597b2 SHA512 7d40d118643bc4626b79dd72094aebd1cc8204bf36c4c9a033f4910690e210ee9f3b275312b85942987d87ee171d0ed1abfee05262fd3bc6c4fa0bf7ccbd7e6a
-EBUILD nftables-1.0.2-r1.ebuild 5171 BLAKE2B f7e0d66c8ea79a261f15ca775115f7a1fce74d848fc380ee7a65dbd9290fa04888dd6776c7f2292bf5a5d97c88ba78145eb1dc84d9a3e811f89e2cb9e3b24af3 SHA512 3a94050f5261e522ecdce8da260394e26c3d646c83465f432939234fda6f85c9af30cf6c5f658659b073a254039abf641c9d925896a5b3e770feab467070949b
-EBUILD nftables-9999.ebuild 4938 BLAKE2B cc5caa75ec86c1d6695ddf06d0f84de7d05c0799e7ef1098c2412e19178544f11a82a0f4e4a7ff8d79e3d13675ad1bb46fc929b57c3ae6f2babdfc7aedebb06b SHA512 4f9dd3327fe16acbe36ca674e39c0204534e1eb15564592848d5e79cefbe232e3b46cd75dbfbaefe52433c88e7d59534aaf81b163a70868dec65544cd2a5e9db
+DIST nftables-1.0.4.tar.bz2 979540 BLAKE2B 1b2c596245cb7f1bc574250d13b9ff6f424f98e98d5955befadb83ea0a71acc6524b066e39f1e9d151f3946b690b2dee45b7d416347371f88911c8d6a9de047e SHA512 7d96c791365d399b3b930a1f9d6c6aa4a8c2180c258bb5163d9d62ea4d094857e2ebb20fc3ef13b89f449f216d0a291d3bcf288704f1e3bd3ceb51b6cadf8215
+DIST nftables-1.0.4.tar.bz2.sig 566 BLAKE2B 1ac42a2eb678abcc21d01bbaf5f9a3af3f4c49fa1f0732f2522d3da14e94aacbb12075650d2786224f8fef869fcdc94a1463bd76272aa44fc50ea31a8ebae1bf SHA512 2d2acd4810c1ede844e1eac81a5480866ad40ae71dfcf92d166fd9295290adff70d35d7de8cf1ec81ab63d184b221419ff144bc7010e18884afa992173723af8
+EBUILD nftables-1.0.2-r1.ebuild 5163 BLAKE2B 02bacad62aea322b42251fb73ea3e23e061167ae5bde03f751231db9b33f3d85cb8a8b0b28038140264092c2a1776e0a4c9b0a464775a0e30c57cc988ac09a36 SHA512 2b55eb2c17686e13ddde19d4da06d0ac1efe09500fd62cc205fcf95d9977f7d2478369aec51e2455aed69c49869afcc54badd08bc3c4bcf26d58972d095c8aa8
+EBUILD nftables-1.0.4-r2.ebuild 5973 BLAKE2B 33b0959b853cc3ae0a140549c105116addf23a8f48107e8279e61909927f69bdd718784dca12c5ea06148d64d2fd653e6c47b2a04e71414c8254f787b5fd6789 SHA512 746c7587ff389cb44f2a8b52a618e31dab6ea844b38d8d303a14c59d3aaffd314f37b64e281f3324228727ab629d7092e3836fc226f82d9cda7bc2562b829390
+EBUILD nftables-9999.ebuild 5877 BLAKE2B ffe8dd8c23b5755d231de39c1112db4f416481e67aafdc30b1d6b8909db5c6225f03044d8b69188091bb1681877fb57a20a1528601f049150289008019e48a15 SHA512 e3a5f820332022e502e2ae4c2f4ff0963d7711eed979e8a0dfca2f015c651418447866b0d9b53cf2dfb28de2e47c5adf37daa5c82b614b21c30a8a694f3855a1
MISC metadata.xml 933 BLAKE2B 8e76ce489c41dcc01e222d77af40f2ba5cb7ddffc2bc818c6fc8c16e24dc308c125ce4d78db1647e77af96f32c85dd3391f7079e2cee26c129c56557e0c48c8a SHA512 058d38df1dbb2c1d0e611bd992f37498d3977561c3b34846fdf0d569573f2ef93a29a216ab491e583cfc2399c55c839d256dfcf8b1d7aaba63ed6ea90f22df25
diff --git a/net-firewall/nftables/files/nftables-0.9.8-slibtool.patch b/net-firewall/nftables/files/nftables-0.9.8-slibtool.patch
deleted file mode 100644
index a92645f793c7..000000000000
--- a/net-firewall/nftables/files/nftables-0.9.8-slibtool.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-This fixes build with sys-devel/slibtool
-
---- nftables-0.9.8/src/Makefile.am
-+++ nftables-0.9.8/src/Makefile.am
-@@ -90,7 +90,7 @@
-
- libnftables_la_LIBADD = ${LIBMNL_LIBS} ${LIBNFTNL_LIBS} libparser.la
- libnftables_la_LDFLAGS = -version-info ${libnftables_LIBVERSION} \
-- --version-script=$(srcdir)/libnftables.map
-+ -Wl,--version-script=$(srcdir)/libnftables.map
-
- if BUILD_MINIGMP
- noinst_LTLIBRARIES += libminigmp.la
diff --git a/net-firewall/nftables/files/nftables-1.0.4-revert-scanner-flags-move-to-own-scope.patch b/net-firewall/nftables/files/nftables-1.0.4-revert-scanner-flags-move-to-own-scope.patch
new file mode 100644
index 000000000000..db58602bb4e6
--- /dev/null
+++ b/net-firewall/nftables/files/nftables-1.0.4-revert-scanner-flags-move-to-own-scope.patch
@@ -0,0 +1,252 @@
+From 638af0ceb2b22307098bb2730822e148ef0b9424 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Fri, 10 Jun 2022 13:01:46 +0200
+Subject: Revert "scanner: flags: move to own scope"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Excess nesting of scanner scopes is very fragile and error prone:
+
+rule `iif != lo ip daddr 127.0.0.1/8 counter limit rate 1/second log flags all prefix "nft_lo4 " drop`
+fails with `Error: No symbol type information` hinting at `prefix`
+
+Problem is that we nest via:
+ counter
+ limit
+ log
+ flags
+
+By the time 'prefix' is scanned, state is still stuck in 'counter' due
+to this nesting. Working around "prefix" isn't enough, any other
+keyword, e.g. "level" in 'flags all level debug' will be parsed as 'string' too.
+
+So, revert this.
+
+Fixes: a16697097e2b ("scanner: flags: move to own scope")
+Reported-by: Christian Göttsche <cgzones@googlemail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+---
+ include/parser.h | 1 -
+ src/parser_bison.y | 29 ++++++++++++++---------------
+ src/scanner.l | 18 +++++++-----------
+ tests/shell/testcases/parsing/log | 10 ++++++++++
+ 4 files changed, 31 insertions(+), 27 deletions(-)
+ create mode 100755 tests/shell/testcases/parsing/log
+
+diff --git a/include/parser.h b/include/parser.h
+index f32154cc..d8d2eb11 100644
+--- a/include/parser.h
++++ b/include/parser.h
+@@ -35,7 +35,6 @@ enum startcond_type {
+ PARSER_SC_CT,
+ PARSER_SC_COUNTER,
+ PARSER_SC_ETH,
+- PARSER_SC_FLAGS,
+ PARSER_SC_ICMP,
+ PARSER_SC_IGMP,
+ PARSER_SC_IP,
+diff --git a/src/parser_bison.y b/src/parser_bison.y
+index ca5c488c..2a0240fb 100644
+--- a/src/parser_bison.y
++++ b/src/parser_bison.y
+@@ -942,7 +942,6 @@ close_scope_esp : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_ESP); }
+ close_scope_eth : { scanner_pop_start_cond(nft->scanner, PARSER_SC_ETH); };
+ close_scope_export : { scanner_pop_start_cond(nft->scanner, PARSER_SC_CMD_EXPORT); };
+ close_scope_fib : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_FIB); };
+-close_scope_flags : { scanner_pop_start_cond(nft->scanner, PARSER_SC_FLAGS); };
+ close_scope_frag : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_FRAG); };
+ close_scope_fwd : { scanner_pop_start_cond(nft->scanner, PARSER_SC_STMT_FWD); };
+ close_scope_hash : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_HASH); };
+@@ -1679,7 +1678,7 @@ table_block_alloc : /* empty */
+ }
+ ;
+
+-table_options : FLAGS STRING close_scope_flags
++table_options : FLAGS STRING
+ {
+ if (strcmp($2, "dormant") == 0) {
+ $<table>0->flags |= TABLE_F_DORMANT;
+@@ -1946,7 +1945,7 @@ set_block : /* empty */ { $$ = $<set>-1; }
+ datatype_set($1->key, $3->dtype);
+ $$ = $1;
+ }
+- | set_block FLAGS set_flag_list stmt_separator close_scope_flags
++ | set_block FLAGS set_flag_list stmt_separator
+ {
+ $1->flags = $3;
+ $$ = $1;
+@@ -2080,7 +2079,7 @@ map_block : /* empty */ { $$ = $<set>-1; }
+ $1->flags |= NFT_SET_OBJECT;
+ $$ = $1;
+ }
+- | map_block FLAGS set_flag_list stmt_separator close_scope_flags
++ | map_block FLAGS set_flag_list stmt_separator
+ {
+ $1->flags |= $3;
+ $$ = $1;
+@@ -2153,7 +2152,7 @@ flowtable_block : /* empty */ { $$ = $<flowtable>-1; }
+ {
+ $$->flags |= NFT_FLOWTABLE_COUNTER;
+ }
+- | flowtable_block FLAGS OFFLOAD stmt_separator close_scope_flags
++ | flowtable_block FLAGS OFFLOAD stmt_separator
+ {
+ $$->flags |= FLOWTABLE_F_HW_OFFLOAD;
+ }
+@@ -2520,7 +2519,7 @@ dev_spec : DEVICE string
+ | /* empty */ { $$ = NULL; }
+ ;
+
+-flags_spec : FLAGS OFFLOAD close_scope_flags
++flags_spec : FLAGS OFFLOAD
+ {
+ $<chain>0->flags |= CHAIN_F_HW_OFFLOAD;
+ }
+@@ -3126,7 +3125,7 @@ log_arg : PREFIX string
+ $<stmt>0->log.level = $2;
+ $<stmt>0->log.flags |= STMT_LOG_LEVEL;
+ }
+- | FLAGS log_flags close_scope_flags
++ | FLAGS log_flags
+ {
+ $<stmt>0->log.logflags |= $2;
+ }
+@@ -3828,13 +3827,13 @@ queue_stmt : queue_stmt_compat close_scope_queue
+ {
+ $$ = queue_stmt_alloc(&@$, $3, 0);
+ }
+- | QUEUE FLAGS queue_stmt_flags close_scope_flags TO queue_stmt_expr close_scope_queue
++ | QUEUE FLAGS queue_stmt_flags TO queue_stmt_expr close_scope_queue
+ {
+- $$ = queue_stmt_alloc(&@$, $6, $3);
++ $$ = queue_stmt_alloc(&@$, $5, $3);
+ }
+- | QUEUE FLAGS queue_stmt_flags close_scope_flags QUEUENUM queue_stmt_expr_simple close_scope_queue
++ | QUEUE FLAGS queue_stmt_flags QUEUENUM queue_stmt_expr_simple close_scope_queue
+ {
+- $$ = queue_stmt_alloc(&@$, $6, $3);
++ $$ = queue_stmt_alloc(&@$, $5, $3);
+ }
+ ;
+
+@@ -5501,7 +5500,7 @@ comp_hdr_expr : COMP comp_hdr_field close_scope_comp
+ ;
+
+ comp_hdr_field : NEXTHDR { $$ = COMPHDR_NEXTHDR; }
+- | FLAGS close_scope_flags { $$ = COMPHDR_FLAGS; }
++ | FLAGS { $$ = COMPHDR_FLAGS; }
+ | CPI { $$ = COMPHDR_CPI; }
+ ;
+
+@@ -5562,7 +5561,7 @@ tcp_hdr_field : SPORT { $$ = TCPHDR_SPORT; }
+ | ACKSEQ { $$ = TCPHDR_ACKSEQ; }
+ | DOFF { $$ = TCPHDR_DOFF; }
+ | RESERVED { $$ = TCPHDR_RESERVED; }
+- | FLAGS close_scope_flags { $$ = TCPHDR_FLAGS; }
++ | FLAGS { $$ = TCPHDR_FLAGS; }
+ | WINDOW { $$ = TCPHDR_WINDOW; }
+ | CHECKSUM { $$ = TCPHDR_CHECKSUM; }
+ | URGPTR { $$ = TCPHDR_URGPTR; }
+@@ -5676,7 +5675,7 @@ sctp_chunk_type : DATA { $$ = SCTP_CHUNK_TYPE_DATA; }
+ ;
+
+ sctp_chunk_common_field : TYPE close_scope_type { $$ = SCTP_CHUNK_COMMON_TYPE; }
+- | FLAGS close_scope_flags { $$ = SCTP_CHUNK_COMMON_FLAGS; }
++ | FLAGS { $$ = SCTP_CHUNK_COMMON_FLAGS; }
+ | LENGTH { $$ = SCTP_CHUNK_COMMON_LENGTH; }
+ ;
+
+@@ -5844,7 +5843,7 @@ rt4_hdr_expr : RT4 rt4_hdr_field close_scope_rt
+ ;
+
+ rt4_hdr_field : LAST_ENT { $$ = RT4HDR_LASTENT; }
+- | FLAGS close_scope_flags { $$ = RT4HDR_FLAGS; }
++ | FLAGS { $$ = RT4HDR_FLAGS; }
+ | TAG { $$ = RT4HDR_TAG; }
+ | SID '[' NUM ']'
+ {
+diff --git a/src/scanner.l b/src/scanner.l
+index 2154281e..7eb74020 100644
+--- a/src/scanner.l
++++ b/src/scanner.l
+@@ -201,7 +201,6 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
+ %s SCANSTATE_CT
+ %s SCANSTATE_COUNTER
+ %s SCANSTATE_ETH
+-%s SCANSTATE_FLAGS
+ %s SCANSTATE_ICMP
+ %s SCANSTATE_IGMP
+ %s SCANSTATE_IP
+@@ -339,7 +338,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
+ "jump" { return JUMP; }
+ "goto" { return GOTO; }
+ "return" { return RETURN; }
+-<SCANSTATE_EXPR_QUEUE,SCANSTATE_STMT_DUP,SCANSTATE_STMT_FWD,SCANSTATE_STMT_NAT,SCANSTATE_STMT_TPROXY,SCANSTATE_FLAGS,SCANSTATE_IP,SCANSTATE_IP6>"to" { return TO; } /* XXX: SCANSTATE_FLAGS and SCANSTATE_IP here are workarounds */
++<SCANSTATE_EXPR_QUEUE,SCANSTATE_STMT_DUP,SCANSTATE_STMT_FWD,SCANSTATE_STMT_NAT,SCANSTATE_STMT_TPROXY,SCANSTATE_IP,SCANSTATE_IP6>"to" { return TO; } /* XXX: SCANSTATE_IP is a workaround */
+
+ "inet" { return INET; }
+ "netdev" { return NETDEV; }
+@@ -363,14 +362,9 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
+ "index" { return INDEX; }
+ "comment" { return COMMENT; }
+
+-<SCANSTATE_FLAGS>{
+- "constant" { return CONSTANT; }
+- "dynamic" { return DYNAMIC; }
+-
+- /* log flags */
+- "all" { return ALL; }
+-}
++"constant" { return CONSTANT; }
+ "interval" { return INTERVAL; }
++"dynamic" { return DYNAMIC; }
+ "auto-merge" { return AUTOMERGE; }
+ "timeout" { return TIMEOUT; }
+ "gc-interval" { return GC_INTERVAL; }
+@@ -418,7 +412,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
+ }
+
+ "queue" { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_QUEUE); return QUEUE;}
+-<SCANSTATE_FLAGS,SCANSTATE_EXPR_QUEUE>{
++<SCANSTATE_EXPR_QUEUE>{
+ "num" { return QUEUENUM;}
+ "bypass" { return BYPASS;}
+ "fanout" { return FANOUT;}
+@@ -612,7 +606,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
+ <SCANSTATE_EXPR_COMP>{
+ "cpi" { return CPI; }
+ }
+-"flags" { scanner_push_start_cond(yyscanner, SCANSTATE_FLAGS); return FLAGS; }
++"flags" { return FLAGS; }
+
+ "udp" { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_UDP); return UDP; }
+ "udplite" { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_UDPLITE); return UDPLITE; }
+@@ -781,6 +775,8 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
+
+ "notrack" { return NOTRACK; }
+
++"all" { return ALL; }
++
+ <SCANSTATE_CMD_EXPORT,SCANSTATE_CMD_IMPORT,SCANSTATE_CMD_MONITOR>{
+ "xml" { return XML; }
+ "json" { return JSON; }
+diff --git a/tests/shell/testcases/parsing/log b/tests/shell/testcases/parsing/log
+new file mode 100755
+index 00000000..0b89d589
+--- /dev/null
++++ b/tests/shell/testcases/parsing/log
+@@ -0,0 +1,10 @@
++#!/bin/bash
++
++$NFT add table t || exit 1
++$NFT add chain t c || exit 1
++$NFT add rule t c 'iif != lo ip daddr 127.0.0.1/8 counter limit rate 1/second log flags all prefix "nft_lo4 " drop' || exit 1
++$NFT add rule t c 'iif != lo ip daddr 127.0.0.1/8 counter limit rate 1/second log flags all level debug drop' || exit 1
++$NFT delete table t || exit 1
++
++exit 0
++
+--
+cgit v1.2.3
+
diff --git a/net-firewall/nftables/nftables-1.0.2-r1.ebuild b/net-firewall/nftables/nftables-1.0.2-r1.ebuild
index 4e105370dd23..a7337abb2897 100644
--- a/net-firewall/nftables/nftables-1.0.2-r1.ebuild
+++ b/net-firewall/nftables/nftables-1.0.2-r1.ebuild
@@ -21,7 +21,7 @@ if [[ ${PV} =~ ^[9]{4,}$ ]]; then
else
SRC_URI="https://netfilter.org/projects/nftables/files/${P}.tar.bz2
verify-sig? ( https://netfilter.org/projects/nftables/files/${P}.tar.bz2.sig )"
- KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86"
+ KEYWORDS="amd64 arm arm64 hppa ~ia64 ~mips ppc ppc64 ~riscv sparc x86"
VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/netfilter.org.asc
BDEPEND+="verify-sig? ( sec-keys/openpgp-keys-netfilter )"
fi
diff --git a/net-firewall/nftables/nftables-1.0.1-r2.ebuild b/net-firewall/nftables/nftables-1.0.4-r2.ebuild
index a6b3f71dcc5e..e15c2462f85d 100644
--- a/net-firewall/nftables/nftables-1.0.1-r2.ebuild
+++ b/net-firewall/nftables/nftables-1.0.4-r2.ebuild
@@ -1,17 +1,18 @@
# Copyright 1999-2022 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
-EAPI=7
+EAPI=8
-PYTHON_COMPAT=( python3_{7..10} )
DISTUTILS_OPTIONAL=1
-inherit autotools linux-info distutils-r1 systemd verify-sig
+PYTHON_COMPAT=( python3_{8..11} )
+VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/netfilter.org.asc
+inherit edo linux-info distutils-r1 systemd verify-sig
DESCRIPTION="Linux kernel (3.13+) firewall, NAT and packet mangling tools"
HOMEPAGE="https://netfilter.org/projects/nftables/"
if [[ ${PV} =~ ^[9]{4,}$ ]]; then
- inherit git-r3
+ inherit autotools git-r3
EGIT_REPO_URI="https://git.netfilter.org/${PN}"
BDEPEND="
@@ -21,18 +22,18 @@ if [[ ${PV} =~ ^[9]{4,}$ ]]; then
else
SRC_URI="https://netfilter.org/projects/nftables/files/${P}.tar.bz2
verify-sig? ( https://netfilter.org/projects/nftables/files/${P}.tar.bz2.sig )"
- KEYWORDS="amd64 arm arm64 hppa ~ia64 ~mips ppc ppc64 ~riscv sparc x86"
- VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/netfilter.org.asc
+ KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86"
BDEPEND+="verify-sig? ( sec-keys/openpgp-keys-netfilter )"
fi
LICENSE="GPL-2"
SLOT="0/1"
-IUSE="debug doc +gmp json libedit +modern-kernel python +readline static-libs xtables"
+IUSE="debug doc +gmp json libedit +modern-kernel python +readline static-libs test xtables"
+RESTRICT="test? ( userpriv ) !test? ( test )"
RDEPEND="
>=net-libs/libmnl-1.0.4:0=
- >=net-libs/libnftnl-1.2.1:0=
+ >=net-libs/libnftnl-1.2.2:0=
gmp? ( dev-libs/gmp:= )
json? ( dev-libs/jansson:= )
python? ( ${PYTHON_DEPS} )
@@ -43,11 +44,12 @@ RDEPEND="
DEPEND="${RDEPEND}"
BDEPEND+="
+ virtual/pkgconfig
doc? (
app-text/asciidoc
>=app-text/docbook2X-0.8.8-r4
)
- virtual/pkgconfig
+ python? ( ${PYTHON_DEPS} )
"
REQUIRED_USE="
@@ -55,10 +57,6 @@ REQUIRED_USE="
libedit? ( !readline )
"
-PATCHES=(
- "${FILESDIR}/${PN}-0.9.8-slibtool.patch"
-)
-
pkg_setup() {
if kernel_is ge 3 13; then
if use modern-kernel && kernel_is lt 3 18; then
@@ -72,15 +70,14 @@ pkg_setup() {
}
src_prepare() {
+ local PATCHES=(
+ "${FILESDIR}/nftables-1.0.4-revert-scanner-flags-move-to-own-scope.patch"
+ )
default
- # fix installation path for doc stuff
- sed '/^pkgsysconfdir/s@${sysconfdir}.*$@${docdir}/skels@' \
- -i files/nftables/Makefile.am || die
- sed '/^pkgsysconfdir/s@${sysconfdir}.*$@${docdir}/skels/osf@' \
- -i files/osf/Makefile.am || die
-
- eautoreconf
+ if [[ ${PV} =~ ^[9]{4,}$ ]] ; then
+ eautoreconf
+ fi
if use python; then
pushd py >/dev/null || die
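Review bot: The patch applied in this hunk edits `src/parser_bison.y` and `src/scanner.l`, while `eautoreconf` and the `autotools` inherit are now limited to the live version, so the release build will most likely regenerate the parser and scanner at compile time and need bison and flex to do it. The `BDEPEND+=` block visible in this file lists only `virtual/pkgconfig`, the doc tools and Python. Unless the generators are guaranteed by something outside this diff, add `sys-devel/bison` and `sys-devel/flex` to that block so the patched grammar is what actually gets built. src_prepare continues past the end of this hunk.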
@@ -93,6 +90,7 @@ src_configure() {
local myeconfargs=(
# We handle python separately
--disable-python
+ --disable-static
--sbindir="${EPREFIX}"/sbin
$(use_enable debug)
$(use_enable doc man-doc)
@@ -122,6 +120,17 @@ src_compile() {
fi
}
+src_test() {
+ emake check
+
+ edo tests/shell/run-tests.sh -v
+
+ # Need to rig up Python eclass if using this, but it doesn't seem to work
+ # for me anyway.
+ #cd tests/py || die
+ #"${EPYTHON}" nft-test.py || die
+}
+
src_install() {
default
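Review bot: `tests/shell/run-tests.sh` runs as root here, because `RESTRICT="test? ( userpriv )"` is set earlier in the file, and its cases issue `$NFT add table` and `$NFT delete table` against whatever network namespace the phase runs in, as the `parsing/log` case in the bundled patch shows. That is safe only while Portage's `network-sandbox` feature gives the phase a private namespace; with it disabled, the suite presumably works on the build host's live ruleset. Running it as `edo unshare -n tests/shell/run-tests.sh -v` would keep it off the host firewall regardless of that setting. A comment above the call such as `# Must run in a private netns: the suite creates and deletes tables as root` would record the requirement. The same src_test is added to nftables-9999.ebuild.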
@@ -131,6 +140,12 @@ src_install() {
popd >/dev/null || die
fi
+ # Do it here instead of in src_prepare to avoid eautoreconf
+ # rmdir lets us catch if more files end up installed in /etc/nftables
+ dodir /usr/share/doc/${PF}/skels/
+ mv "${ED}"/etc/nftables/osf "${ED}"/usr/share/doc/${PF}/skels/osf || die
+ rmdir "${ED}"/etc/nftables || die
+
local mksuffix="$(usex modern-kernel '-mk' '')"
exeinto /usr/libexec/${PN}
@@ -150,9 +165,23 @@ src_install() {
find "${ED}" -type f -name "*.la" -delete || die
}
+pkg_preinst() {
+ if [[ -d /sys/module/nf_tables ]] && [[ -x /sbin/nft ]] && [[ -z ${ROOT} ]]; then
+ if ! /sbin/nft -t list ruleset | "${ED}"/sbin/nft -c -f -; then
+ eerror "Your currently loaded ruleset cannot be parsed by the newly built instance of"
+ eerror "nft. This probably means that there is a regression introduced by v${PV}."
+ eerror "(To make the ebuild fail instead of warning, set NFTABLES_ABORT_ON_RELOAD_FAILURE=1.)"
+
+ if [[ -n ${NFTABLES_ABORT_ON_RELOAD_FAILURE} ]] ; then
+ die "Aborting because of failed nft reload!"
+ fi
+ fi
+ fi
+}
+
pkg_postinst() {
local save_file
- save_file="${EROOT}/var/lib/nftables/rules-save"
+ save_file="${EROOT}"/var/lib/nftables/rules-save
# In order for the nftables-restore systemd service to start
# the save_file must exist.
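Review bot: The safety check in pkg_preinst tests only the exit status of the right-hand `nft -c -f -`, so if `/sbin/nft -t list ruleset` fails, the new binary reads empty input and the check passes without validating anything. Listing into a file under `${T}` first, checking that command on its own, and then feeding the file to the new binary closes that gap. Separately, `"${ED}"/sbin/nft` is executed from the image directory and may resolve libnftables from the installed system rather than from `${ED}`, in which case the old parser is what gets exercised. That is inferred, not visible here, and should be confirmed. The same block is added to nftables-9999.ebuild further down.

```shell
pkg_preinst() {
	if [[ -d /sys/module/nf_tables ]] && [[ -x /sbin/nft ]] && [[ -z ${ROOT} ]]; then
		local ruleset="${T}"/ruleset.nft

		# Check the listing on its own: a failed listing must not become an
		# empty, trivially valid input for the new parser.
		if ! ( umask 077; /sbin/nft -t list ruleset > "${ruleset}" ); then
			ewarn "Could not list the loaded ruleset; skipping the parser check."
		elif ! "${ED}"/sbin/nft -c -f "${ruleset}"; then
			# … unchanged: eerror messages and NFTABLES_ABORT_ON_RELOAD_FAILURE handling …
		fi
	fi
}
```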
@@ -175,6 +204,7 @@ pkg_postinst() {
elog "the nftables-restore service must be manually started in order to"
elog "save those rules on shutdown."
fi
+
if has_version 'sys-apps/openrc'; then
elog "If you wish to enable the firewall rules on boot (on openrc) you"
elog "will need to enable the nftables service."
diff --git a/net-firewall/nftables/nftables-9999.ebuild b/net-firewall/nftables/nftables-9999.ebuild
index fa427dadfaab..51f0627a762d 100644
--- a/net-firewall/nftables/nftables-9999.ebuild
+++ b/net-firewall/nftables/nftables-9999.ebuild
@@ -1,17 +1,18 @@
# Copyright 1999-2022 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
-EAPI=7
+EAPI=8
-PYTHON_COMPAT=( python3_{8..10} )
DISTUTILS_OPTIONAL=1
-inherit autotools linux-info distutils-r1 systemd verify-sig
+PYTHON_COMPAT=( python3_{8..11} )
+VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/netfilter.org.asc
+inherit edo linux-info distutils-r1 systemd verify-sig
DESCRIPTION="Linux kernel (3.13+) firewall, NAT and packet mangling tools"
HOMEPAGE="https://netfilter.org/projects/nftables/"
if [[ ${PV} =~ ^[9]{4,}$ ]]; then
- inherit git-r3
+ inherit autotools git-r3
EGIT_REPO_URI="https://git.netfilter.org/${PN}"
BDEPEND="
@@ -22,17 +23,17 @@ else
SRC_URI="https://netfilter.org/projects/nftables/files/${P}.tar.bz2
verify-sig? ( https://netfilter.org/projects/nftables/files/${P}.tar.bz2.sig )"
KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86"
- VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/netfilter.org.asc
BDEPEND+="verify-sig? ( sec-keys/openpgp-keys-netfilter )"
fi
LICENSE="GPL-2"
SLOT="0/1"
-IUSE="debug doc +gmp json libedit +modern-kernel python +readline static-libs xtables"
+IUSE="debug doc +gmp json libedit +modern-kernel python +readline static-libs test xtables"
+RESTRICT="test? ( userpriv ) !test? ( test )"
RDEPEND="
>=net-libs/libmnl-1.0.4:0=
- >=net-libs/libnftnl-1.2.1:0=
+ >=net-libs/libnftnl-1.2.2:0=
gmp? ( dev-libs/gmp:= )
json? ( dev-libs/jansson:= )
python? ( ${PYTHON_DEPS} )
@@ -43,11 +44,12 @@ RDEPEND="
DEPEND="${RDEPEND}"
BDEPEND+="
+ virtual/pkgconfig
doc? (
app-text/asciidoc
>=app-text/docbook2X-0.8.8-r4
)
- virtual/pkgconfig
+ python? ( ${PYTHON_DEPS} )
"
REQUIRED_USE="
@@ -70,13 +72,9 @@ pkg_setup() {
src_prepare() {
default
- # fix installation path for doc stuff
- sed '/^pkgsysconfdir/s@${sysconfdir}.*$@${docdir}/skels@' \
- -i files/nftables/Makefile.am || die
- sed '/^pkgsysconfdir/s@${sysconfdir}.*$@${docdir}/skels/osf@' \
- -i files/osf/Makefile.am || die
-
- eautoreconf
+ if [[ ${PV} =~ ^[9]{4,}$ ]] ; then
+ eautoreconf
+ fi
if use python; then
pushd py >/dev/null || die
@@ -119,6 +117,17 @@ src_compile() {
fi
}
+src_test() {
+ emake check
+
+ edo tests/shell/run-tests.sh -v
+
+ # Need to rig up Python eclass if using this, but it doesn't seem to work
+ # for me anyway.
+ #cd tests/py || die
+ #"${EPYTHON}" nft-test.py || die
+}
+
src_install() {
default
@@ -128,6 +137,12 @@ src_install() {
popd >/dev/null || die
fi
+ # Do it here instead of in src_prepare to avoid eautoreconf
+ # rmdir lets us catch if more files end up installed in /etc/nftables
+ dodir /usr/share/doc/${PF}/skels/
+ mv "${ED}"/etc/nftables/osf "${ED}"/usr/share/doc/${PF}/skels/osf || die
+ rmdir "${ED}"/etc/nftables || die
+
local mksuffix="$(usex modern-kernel '-mk' '')"
exeinto /usr/libexec/${PN}
@@ -147,9 +162,23 @@ src_install() {
find "${ED}" -type f -name "*.la" -delete || die
}
+pkg_preinst() {
+ if [[ -d /sys/module/nf_tables ]] && [[ -x /sbin/nft ]] && [[ -z ${ROOT} ]]; then
+ if ! /sbin/nft -t list ruleset | "${ED}"/sbin/nft -c -f -; then
+ eerror "Your currently loaded ruleset cannot be parsed by the newly built instance of"
+ eerror "nft. This probably means that there is a regression introduced by v${PV}."
+ eerror "(To make the ebuild fail instead of warning, set NFTABLES_ABORT_ON_RELOAD_FAILURE=1.)"
+
+ if [[ -n ${NFTABLES_ABORT_ON_RELOAD_FAILURE} ]] ; then
+ die "Aborting because of failed nft reload!"
+ fi
+ fi
+ fi
+}
+
pkg_postinst() {
local save_file
- save_file="${EROOT}/var/lib/nftables/rules-save"
+ save_file="${EROOT}"/var/lib/nftables/rules-save
# In order for the nftables-restore systemd service to start
# the save_file must exist.
@@ -172,6 +201,7 @@ pkg_postinst() {
elog "the nftables-restore service must be manually started in order to"
elog "save those rules on shutdown."
fi
+
if has_version 'sys-apps/openrc'; then
elog "If you wish to enable the firewall rules on boot (on openrc) you"
elog "will need to enable the nftables service."
diff --git a/net-firewall/nftlb/Manifest b/net-firewall/nftlb/Manifest
index 197abc435bb8..e0b2b835ec74 100644
--- a/net-firewall/nftlb/Manifest
+++ b/net-firewall/nftlb/Manifest
@@ -1,9 +1,7 @@
-AUX nftlb-0.6-musl.patch 1887 BLAKE2B fdf12a0f3113e1fff17096195150e387ec44342d67b80d63fff525e8b28222599276bb607b7f21b44953dbeb0f00861b6477b01af24bc990be046b45a169ced5 SHA512 48781ce88c94b7d184764d9b2fb70410310215fe165fa89965293633bc039044e5d34eb10fe382f9d394f36e5960a91efb12c9e7fde24c057ae6ece0f3d75bb9
-AUX nftlb-0.6-tests.patch 1037 BLAKE2B 1b26671d49035bb57bfd5f730d40d756017234413f427a94367d571a47a4959f09389d55b95e46e0512003e0eb3022470feadeee00632d64cf6cfa94097e89b4 SHA512 9c57db285efb5a5e12d1099e4f44de17e70eb137e7fa05f9c678cadf43c7eecaab76fdb7a7815e2a22ccb9fb1d3e5c524496a9a87ff10cb64f4ff50c281889ce
AUX nftlb-1.0-musl.patch 1899 BLAKE2B 6c2c51ba355473754ac1aa59e423b367c9eba8c0aef6cc0756533f08e22aa423e397a2216449b25360d625d62ef64173701e0cec40be6bb342094ad81a2ca463 SHA512 e73efbaffa03c9bf762b9335561ae3f905434cd15351e843063c8aeac5cd80db6bbb3916fe0eca04a7699c3bebfb8910e52a2f1f07b068ee1c9951d645bf3e28
AUX nftlb-1.0-tests.patch 1025 BLAKE2B 1c1a3b363d5896799dbc9c789684bcb407cafeee6b7d7d061f28142a718a77b9a7fc11a59ff40f178047d37a8452c66cab904661d36874efc343677ec4a043a4 SHA512 a013fd84528620e61b93b11218edb5fbf4096d0367d802f697048f544751a0a4c9d64ecfa5198b28d8dc732b195db7d7ed5028423aa26c855f116d11665f096b
-DIST nftlb-0.6.tar.gz 121216 BLAKE2B 98b69c35070eb733a218ac1b1aaa7816de1e4f149c8447fee298b4cf50c57610c816fb178d4115e1e7af5cea0f5b20df36eb5b79655e0d7c69ff30e363985104 SHA512 95b879cfc187fe94cc6876f4af3fe77795c1e0228850cfb38b95206685d9065076b6905d365da7ec5f92773cf8f72f6e441d9140d9b10b02eaf9b6c862c31006
-DIST nftlb-1.0.tar.gz 195057 BLAKE2B b8237b7ba6f6f61dde726d53b63f2488bf38646984b252317ba0f47727ae91e5f4d58c32c0f0d609b134124efd29fdce2b9c10a981a3892220dac78c84946f48 SHA512 f93db34e4372d8f16e99650f3ade62908ce65722fadd521c6d698ab81b24502f6d82e1945b06b166876ebeb39e1907c97a40776ddf985b035b883e93f62e8766
-EBUILD nftlb-0.6.ebuild 1021 BLAKE2B 28e978c5eaa237691d102184761476ef31fab9a0c986825ae87df87599121774c2d1a95963695b52ce7a130d48c9fbf096339b166b3d57998a4a4e95d6414f25 SHA512 fb3e447387fb311569e56075b04e4a6352ee38eb9a5d8d9b2a2690404cb47cf5ff477002d2a715c047728bc203f9fe08af202e40eb5948809fb292a099d20000
-EBUILD nftlb-1.0.ebuild 1037 BLAKE2B 61b6a5e568945cb063f205b39dc43e36aa4ed1001bdadd592e513f813c376f41eab26309f4a2df4827741fa4eacfa88a8b57c5dfcffae53674fe0a824baf62ff SHA512 43a81b0c731563e4d1cf8a3880b722d9c171d7930b1998cb4251d38f756fcd02bc6860e923db776aca3ca24aff3fd8590c195a009d41399bbe3331c8e7ffed1d
+DIST nftlb-1.0.4.tar.gz 199236 BLAKE2B 457fc617af75513330b7c6730a3ee67061d5df4d1faf74a0d57ffaa7ef003e882136a9e0300fe61f1f0235ef752a5d695cfdf9a5e1cecf9b57553d4c9151bfd6 SHA512 89b0dba85029236f55289818c7b7ec6fe6e2e1f33003fc7fb9fa3ae763b96395827ba9d8134aa4ac80f8be0da6e17be132e9293b46c9264d9c49062e4db6688a
+DIST nftlb-1.0.6.tar.gz 201767 BLAKE2B d81607ad88c88f3cf97124bf2db6ad8b210fe8f60d72661094dfbbbfc66c4b911985944f08b5483ceec420850b18cb0fe3a8fd6fa7fb76fa4da456870367cecd SHA512 63fa1e9b5fbd18e5c852adb2415dcd6e24bad899fe647641ea6e8dbca4b7c2808c939bdf5f7700a586304f3126088bb74a0fce79c72e8bc92df1e7a9c111feca
+EBUILD nftlb-1.0.4.ebuild 1037 BLAKE2B 61b6a5e568945cb063f205b39dc43e36aa4ed1001bdadd592e513f813c376f41eab26309f4a2df4827741fa4eacfa88a8b57c5dfcffae53674fe0a824baf62ff SHA512 43a81b0c731563e4d1cf8a3880b722d9c171d7930b1998cb4251d38f756fcd02bc6860e923db776aca3ca24aff3fd8590c195a009d41399bbe3331c8e7ffed1d
+EBUILD nftlb-1.0.6.ebuild 1037 BLAKE2B 61b6a5e568945cb063f205b39dc43e36aa4ed1001bdadd592e513f813c376f41eab26309f4a2df4827741fa4eacfa88a8b57c5dfcffae53674fe0a824baf62ff SHA512 43a81b0c731563e4d1cf8a3880b722d9c171d7930b1998cb4251d38f756fcd02bc6860e923db776aca3ca24aff3fd8590c195a009d41399bbe3331c8e7ffed1d
MISC metadata.xml 256 BLAKE2B e4fb7b4732dc88ff20c10bd7e5425beca8310c14d3934046ad6fcd99d8f401ea8610a6df5444d094f5bae4e5120cb7aedc15b45f0862b73f83bd7d5e54617337 SHA512 d37651285ce883fc1c73b41e09e66788d47b2451a4f96ac4237e6bef59643b3171a7a24900f204f0ca1accdbd5961d74e4bd7c8c41e1d29492874e4cbc737611
diff --git a/net-firewall/nftlb/files/nftlb-0.6-musl.patch b/net-firewall/nftlb/files/nftlb-0.6-musl.patch
deleted file mode 100644
index 99990726f05e..000000000000
--- a/net-firewall/nftlb/files/nftlb-0.6-musl.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-diff --git a/configure.ac b/configure.ac
-index 4e7b0a9..2396857 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -2,6 +2,7 @@ AC_INIT([nftlb], [0.6], [netfilter-devel@vger.kernel.org])
-
- AC_CONFIG_AUX_DIR([build-aux])
- AC_CONFIG_MACRO_DIR([m4])
-+AC_CONFIG_HEADERS([config.h])
- AM_INIT_AUTOMAKE([-Wall foreign subdir-objects
- tar-pax no-dist-gzip dist-bzip2 1.6])
-
-@@ -25,5 +26,7 @@ AC_CHECK_HEADER([ev.h], [EVENTINC="-include ev.h"],
- [EVENTINC="-include libev/ev.h"],
- [AC_MSG_ERROR([ev.h not found])])])
-
-+AC_CHECK_HEADERS([execinfo.h])
-+
- AC_CONFIG_FILES([Makefile src/Makefile])
- AC_OUTPUT
-diff --git a/src/main.c b/src/main.c
-index b6b5ec4..b2a080f 100644
---- a/src/main.c
-+++ b/src/main.c
-@@ -18,6 +18,7 @@
- * along with this program. If not, see <http://www.gnu.org/licenses/>.
- *
- */
-+#include "config.h"
-
- #include <stdio.h>
- #include <stdlib.h>
-@@ -26,7 +27,10 @@
- #include <syslog.h>
- #include <errno.h>
- #include <unistd.h>
-+
-+#ifdef HAVE_EXECINFO_H
- #include <execinfo.h>
-+#endif /* HAVE_EXECINFO_H */
-
- #include "config.h"
- #include "objects.h"
-@@ -85,6 +89,7 @@ static void nftlb_sighandler(int signo)
- exit(EXIT_SUCCESS);
- }
-
-+#ifdef HAVE_EXECINFO_H
- static void nftlb_trace() {
- void *buffer[255];
- char **str;
-@@ -106,6 +111,7 @@ static void nftlb_trace() {
-
- exit(EXIT_FAILURE);
- }
-+#endif /* HAVE_EXECINFO_H */
-
- int main(int argc, char *argv[])
- {
-@@ -157,8 +163,12 @@ int main(int argc, char *argv[])
-
- if (signal(SIGINT, nftlb_sighandler) == SIG_ERR ||
- signal(SIGTERM, nftlb_sighandler) == SIG_ERR ||
-+#ifdef HAVE_EXECINFO_H
- signal(SIGPIPE, SIG_IGN) == SIG_ERR ||
- signal(SIGSEGV, nftlb_trace) == SIG_ERR) {
-+#else
-+ signal(SIGPIPE, SIG_IGN) == SIG_ERR) {
-+#endif /* HAVE_EXECINFO_H */
- fprintf(stderr, "Error assigning signals\n");
- syslog(LOG_ERR, "Error assigning signals");
- return EXIT_FAILURE;
diff --git a/net-firewall/nftlb/files/nftlb-0.6-tests.patch b/net-firewall/nftlb/files/nftlb-0.6-tests.patch
deleted file mode 100644
index 05baa7ee03a3..000000000000
--- a/net-firewall/nftlb/files/nftlb-0.6-tests.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-diff --git a/tests/exec_tests.sh b/tests/exec_tests.sh
-index d96eaa3..b7f812d 100755
---- a/tests/exec_tests.sh
-+++ b/tests/exec_tests.sh
-@@ -33,6 +33,8 @@ fi
-
- echo "-- Executing configuration tests"
-
-+retval=0
-+
- for test in `ls -d ${TESTS}`; do
- if [[ ! ${test} =~ ^..._ ]]; then
- continue;
-@@ -55,14 +57,16 @@ for test in `ls -d ${TESTS}`; do
-
- if [ $statusexec -ne 0 ]; then
- echo -e "\e[31mNFT EXEC ERROR\e[0m"
-+ retval=1
- continue;
- fi
-
- #~ nftfile=`echo ${file} | awk -F'.' '{ print $1 }'`
-- $NFTBIN list ruleset > ${reportfile}
-+ $NFTBIN list ruleset > ${reportfile} || retval=1
-
- if [ ! -f ${outputfile} ]; then
- echo "Dump file doesn't exist"
-+ retval=1
- continue;
- fi
-
-@@ -74,6 +78,7 @@ for test in `ls -d ${TESTS}`; do
- rm -f ${reportfile}
- else
- echo -e "\e[31mNFT DUMP ERROR\e[0m"
-+ retval=1
- fi
- done
-
-@@ -83,4 +88,7 @@ fi
-
- if [ "`grep 'nft command error' /var/log/syslog`" != "" ]; then
- echo -e "\e[33m* command errors found, please check syslog\e[0m"
-+ retval=1
- fi
-+
-+exit ${retval}
diff --git a/net-firewall/nftlb/nftlb-1.0.ebuild b/net-firewall/nftlb/nftlb-1.0.4.ebuild
index f1e9170bcbc4..f1e9170bcbc4 100644
--- a/net-firewall/nftlb/nftlb-1.0.ebuild
+++ b/net-firewall/nftlb/nftlb-1.0.4.ebuild
diff --git a/net-firewall/nftlb/nftlb-0.6.ebuild b/net-firewall/nftlb/nftlb-1.0.6.ebuild
index 99822681780a..f1e9170bcbc4 100644
--- a/net-firewall/nftlb/nftlb-0.6.ebuild
+++ b/net-firewall/nftlb/nftlb-1.0.6.ebuild
@@ -1,7 +1,7 @@
-# Copyright 2020 Gentoo Authors
+# Copyright 2020-2022 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
-EAPI=7
+EAPI=8
inherit linux-info autotools
@@ -24,13 +24,18 @@ RDEPEND="${DEPEND}"
RESTRICT="test"
PATCHES=(
- "${FILESDIR}/nftlb-0.6-tests.patch"
- "${FILESDIR}/nftlb-0.6-musl.patch"
+ "${FILESDIR}/nftlb-1.0-tests.patch"
+ "${FILESDIR}/nftlb-1.0-musl.patch"
)
pkg_setup() {
- local CONFIG_CHECK="~NF_TABLES ~NFT_NUMGEN
- ~NFT_HASH ~NF_NAT ~IP_NF_NAT"
+ local CONFIG_CHECK="
+ ~NF_TABLES
+ ~NFT_NUMGEN
+ ~NFT_HASH
+ ~NF_NAT
+ ~IP_NF_NAT
+ "
linux-info_pkg_setup
diff --git a/net-firewall/shorewall/Manifest b/net-firewall/shorewall/Manifest
index 306a52d4137c..76821333dfe1 100644
--- a/net-firewall/shorewall/Manifest
+++ b/net-firewall/shorewall/Manifest
@@ -23,4 +23,4 @@ DIST shorewall-lite-5.2.8.tar.bz2 47250 BLAKE2B 2fff00d7a6248a3db0aa5d6b3ed041b0
DIST shorewall6-5.2.8.tar.bz2 203102 BLAKE2B d9117d42cd25e18aa1104ec3f4498227eedcce5c3531623e2e4d6ec27ba5221f98e1ae2e596ac90d7415cd366b2dbfdd024adaaef0c1c2756900188bde105903 SHA512 7044efe84b2c585fcd0bfb661666c71cea140157f22ba7d4881006e24d785eb0091c071c825fa5948bc1383e7fd4617cc8f3d4e68865cf472ddea3811bf1833d
DIST shorewall6-lite-5.2.8.tar.bz2 47178 BLAKE2B 47026c3fdab7564c8e48b653a4c67db99fe5ff07de723169f65185aea563691806164a637a38c419d19619cf1380462fa7287b0993d9389dd311393bac911602 SHA512 a80ffc7baf7800e024e41a0f9736543b15d10f2d403540e48e8a2cd2ba0196ce04ff01ac98fc03852c7d268bb4954714dd428375e768b80aa4792683b8775935
EBUILD shorewall-5.2.8-r1.ebuild 16955 BLAKE2B 291631c586a50aa34b11561f97b6e7e1a73447018f5b2f11410168c0b4d1415c115be50fcbf39734f1581360d8c831a7613413600884845805e9877bbc9e494e SHA512 343cba6edbb1ac8a7880185c03c28636ea4f143d60413d381a0fcbf7a40004b3c5a0925e10c07a0462b65d31ca92896ac3d7662e5e1c9bb254f8cd191f60475d
-MISC metadata.xml 2255 BLAKE2B 669608503b5252aac383a628d8efd16a280d390f52670178ee95d6b025ae0261e06a7cb59a667bbaa8590fa07c346e75133ff1542be681ec33798ec2d48bb156 SHA512 8b1663236afb891caa8faab343063d64cf8963540d4286e42285c97c29cb5d27561eca6a80a17488c8a58be4bde0fff4f720c27f27d85d6366ed823da989c4c9
+MISC metadata.xml 2143 BLAKE2B 6924e8496c8bf1e0410a94bfae2cd85ca9ecc9b4d8e51a0d0deffee205abd2e8689de8fb3c57cf640bbc5fe8da9e54a2de6e8d9a7068f3e72e07c1f6462339f6 SHA512 8cb38dce4a1ffc5b07242d3256f2c7b442caba4ef21bdfe98bc847cc603d21708fab025f38d276969cabd9ace1ff7367dad06ef7daaec09cb39a131aef898ecf
diff --git a/net-firewall/shorewall/metadata.xml b/net-firewall/shorewall/metadata.xml
index bfc572c0d1bf..6e9634122307 100644
--- a/net-firewall/shorewall/metadata.xml
+++ b/net-firewall/shorewall/metadata.xml
@@ -1,10 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
- <maintainer type="person">
- <email>whissi@gentoo.org</email>
- <name>Thomas Deutschmann</name>
- </maintainer>
<maintainer type="project">
<email>netmon@gentoo.org</email>
<name>Gentoo network monitoring and analysis project</name>
diff --git a/net-firewall/ufw/Manifest b/net-firewall/ufw/Manifest
index 5a4e3ae8ed1c..9db8da6bf533 100644
--- a/net-firewall/ufw/Manifest
+++ b/net-firewall/ufw/Manifest
@@ -9,5 +9,5 @@ AUX ufw-2.initd 2611 BLAKE2B b6a75e023ad0efeeef168e7e074c716ec66f40d3bde9f99cf1a
AUX ufw.confd 219 BLAKE2B 8ed5dec5dd9acc84715918240e31398268ff36f73bb2cfc10e64e0593e59cc7f5b988f8545ddea37f19d9b40e870d743bea66edd7da1e3d2753b6edda8afa352 SHA512 a010532c97b9cf83f1fb5fa707228e0542a8b109c76e5942aaf2d6552c63e033d32e39e5a6ac87cb9e2ed4c3fdbc5d03c75127e6378665e592b143bc1eda52c7
AUX ufw.service 329 BLAKE2B e817fc85b3bdb21b47a3089c6f2204292a019eaeae510832530f0e09f8784a312dd636fa3cf90610bb3159d52b4bdaadf803699ac4bff31576b566a3e977b2d2 SHA512 a365e704ca958c83c86f8a6b1623ce3f9ad72dcfb0cfc7758bfc787e0877f897ccf8b200db83df17130ca5dcc54f938178b8cabfe3ee0c0896c814ee7d2439c7
DIST ufw-0.36.tar.gz 580338 BLAKE2B a7e07ac11539061a69bb83d45c0affc54793503b31c9e9f9f8b34fa890a3fe97682f9133102e74e5f6e1eb372a929cfc8619baa2cc9efc1dc289d9f4a1766efd SHA512 b32d7f79f43c203149c48b090ee0d063df78fcf654344ee11066a7363e799a62b046758ffe02b8bd15121545ac2a6b61df21fe56f8b810319fe4dd562cbdadb3
-EBUILD ufw-0.36-r1.ebuild 6204 BLAKE2B ec62cbe52243f10575a6d88565b77bff351e7313fdfb75f36e7abebd8615a2094fb1e9e97c212240854e77b66e581a79c21340d07e520c7961ac7d7e480c10b8 SHA512 d6721e0ae0dff4fe744a14749c9a4363a32a8ce55e52bb1bf408f069747561fa597c91574765d089d1b8092ab4a189f65965a0e725b50b249dd2e546cd52684f
+EBUILD ufw-0.36-r1.ebuild 6211 BLAKE2B 0a952ba2fba9a0819c0858942d27484ff472dc7a1fbcfa9568b985c58d637ba7ea948c1ba774767e693cc6f9d965fcee8ba24669213fa0dec534d9ea19d79de4 SHA512 a82ceab9449eca80c7b3805abe84c022880e0e2516f03330e58031240127af53dbde5a4ac0b6d9bb6b659b5cdb6685866e40b50493c5d4f3fac136ab5194cd94
MISC metadata.xml 922 BLAKE2B 0c91f6735dd5504990a134e76089fac6f83aeb8f02e62be3a0e66c82d71c8013867b196c952d769247f2ab30786b753114361c066a0b892f79b342491370aedf SHA512 592b21153b57e3ccbd66bde46e4d2ff0768f1c678bc9154e8dd9a728f5f6ca13f71f9349381dba9667e6ed5ae30f38f5d95378d665475694cf9b49edde549a23
diff --git a/net-firewall/ufw/ufw-0.36-r1.ebuild b/net-firewall/ufw/ufw-0.36-r1.ebuild
index e6626c0697dd..052ffc4ee44e 100644
--- a/net-firewall/ufw/ufw-0.36-r1.ebuild
+++ b/net-firewall/ufw/ufw-0.36-r1.ebuild
@@ -15,7 +15,7 @@ SRC_URI="https://launchpad.net/ufw/${PV}/${PV}/+download/${P}.tar.gz"
LICENSE="GPL-3"
SLOT="0"
-KEYWORDS="amd64 ~arm arm64 ~ia64 ppc ppc64 ~riscv sparc x86"
+KEYWORDS="amd64 ~arm arm64 ~ia64 ~loong ppc ppc64 ~riscv sparc x86"
IUSE="examples ipv6"
RDEPEND=">=net-firewall/iptables-1.4[ipv6(+)?]