Diffstat (limited to 'net-firewall')
-rw-r--r-- | net-firewall/Manifest.gz | bin | 4235 -> 4237 bytes | |||
-rw-r--r-- | net-firewall/nftables/Manifest | 12 | ||||
-rw-r--r-- | net-firewall/nftables/files/nftables-1.1.0-revert-firewalld-breaking-change.patch | 63 | ||||
-rw-r--r-- | net-firewall/nftables/files/systemd/nftables-load.service | 14 | ||||
-rw-r--r-- | net-firewall/nftables/files/systemd/nftables-store.service | 11 | ||||
-rw-r--r-- | net-firewall/nftables/nftables-1.0.9.ebuild | 226 | ||||
-rw-r--r-- | net-firewall/nftables/nftables-1.1.1-r1.ebuild (renamed from net-firewall/nftables/nftables-1.1.0-r1.ebuild) | 31 | ||||
-rw-r--r-- | net-firewall/nftables/nftables-9999.ebuild | 23 | ||||
-rw-r--r-- | net-firewall/ufw/Manifest | 1 | ||||
-rw-r--r-- | net-firewall/ufw/ufw-0.36.1-r2.ebuild | 217 |
10 files changed, 277 insertions, 321 deletions
diff --git a/net-firewall/Manifest.gz b/net-firewall/Manifest.gz
Binary files differ
index 429d64900c1b..db6ce3724708 100644
--- a/net-firewall/Manifest.gz
+++ b/net-firewall/Manifest.gz
diff --git a/net-firewall/nftables/Manifest b/net-firewall/nftables/Manifest
index 30d510236ade..506784f10fe5 100644
--- a/net-firewall/nftables/Manifest
+++ b/net-firewall/nftables/Manifest
@@ -1,20 +1,16 @@ AUX libexec/nftables-mk.sh 1070 BLAKE2B 30d8109d74e7d8c4f51c753f676f91a1902ad42f6d68662f1191ff73d2a43a1bf49fb795f3763705f8aeb0a4f22cab0006a943e01adb188f1ef9eb05125dfdbd SHA512 a14e48f014f75c7e611bf2a653d9760804754febd1ae4543f78abbfbe60c79f5aa07c5fd53fe26bb74b48fcb8cb8aa78274771212e41c42db031e8c8ba7e81d2 AUX libexec/nftables.sh 3665 BLAKE2B 74362a4425e974e74e7b895980002f0ded2ecbb4731bbf956edb56ffb9f1ad394802c4eeab3af3735eba4d8e71572a5663e564ce4e7fad76c9715043b90c1b43 SHA512 6cb1ac0928ae2da5c69764d45c52a661a6d72698bb9edd6a603580d2f9bd82b59f2a2661e7569ade3a3b729459d115004f251ad6a5eac8cdf1d38c65bfa9349e AUX man-pages/gen-manpages.bash 1797 BLAKE2B c93cc311570abd674a12eb88711cf01664f437b8dc0fb4de36194f36671d92c35e04fcff6c56adcb0e642f089169f63ef063736398584e5e7ce799bf55acf2ff SHA512 ea3291412ce13d9dd463403fcc11c665c9de63edaabdecaf55e051b52b0ff845c9c7d63a6c4c08e4d2d94428815fe11daf9b7390081b4e9de4774e188b9ea677 -AUX nftables-1.1.0-revert-firewalld-breaking-change.patch 1919 BLAKE2B 3234b278522a919b8e5afafae9749360edfc224f5f45fd3f0a816d8ae8ddfa3798327610add8d152129e1b36f2473549f2245793685c33db942aff0e61b0be34 SHA512 eb041be1770da615af24ef573ae38fcdffb1dcf3b9cf7584514e4e67d2a24a0525b4ad04ea35cf568402a5a074a5cfe313c0bd7d38405940267be49f81f9e4e2 AUX nftables-mk.confd 899 BLAKE2B f4c3d82fbae87fb0d755af786a98db591b6a667cf33660ba9275ada2e6417fad1899a7f29762f23c112fc5c9e178bc7590c3b2ba26617853c3577917bd7d3edf SHA512 505ed05674a04367f1a3d5cf6447596ad1c3b2e9c920697f12f58a20d94c2a39b0041bb4911678511c4548566a69d964661d4afc3e7e27997943b875f204c602 AUX nftables-mk.init-r1 1970 BLAKE2B 9ece7da364eac76ef2ac401f4cc3ed558e926e8f07ab43f084de819098e9543bda0a9a8d40375e4e01dd6e53b92d744acf8f3caaeab1c3678ca84b1f48d59685 SHA512 9f1e491ba5fd8a1173eb055bfa5a0de3c040c158e7d54848fcd373a5f4c4041df6fb9ddc5b0e8fdfd78243665c627b8767816bcf94dd142b441b21227206fef3 AUX nftables.confd 655 BLAKE2B 
5512be1edd43e270941de3d9b66fda69e4afd7c7e6e970b232a044c2fd64f8e50b9b55a4fe670174c3eabf3d176ee0158c1043baec4b76b0802e7e97bc862fcf SHA512 8370abcdc89fcd9da5dc7d1620be6afb4633b8bcd0a8a120b464cc1a7e1fab6f34956c293da3f6d3cbe1f7a2e03038fd0c94a614137ae5657d29ffdb5f3fa144 AUX nftables.init-r1 2279 BLAKE2B 1c4c28ea5b6a22905b3ec7de8e54726933b579352ecd799b7641384a138ffa2d4a2deb87d84ef5d75a43ae30759f1550d611c2560096bb5083cae9bb834be2bb SHA512 2165223bfd4f300b9cc01f604347fc5167f68515174b0d116b667bd05f4baf8c2f931e482f632975a8be371c2147951d9407f397ea4dbcbac79a6738cbd23015 +AUX systemd/nftables-load.service 407 BLAKE2B 572dda7ed02610862410b636d60e2fac6522509d12a1aeaa3e39953fabab10236f0a3fe2551c7212a7a35e705622eb3d52b46609b7485b8b99d0da1922c0b6f9 SHA512 94f8485441d8299e80c0612af034caaeb20fb257df77fd70a16c7f6c99a04725694e577a18962d1461cc109fe15bbf8ed7846c10b3d7cd3c059fb6b7ed9da7a0 AUX systemd/nftables-restore.service 394 BLAKE2B 1c1f358eb2eff789e68c051098c971f11a8df6621c3c919e30a1ec1213f6db822c390609c01827fe9fc75c540effa3e3a7b6f93bd24e16ea19841bbfaab796ed SHA512 18da6a770bb3e94fd6b2c9e6f033450aaff9fe886c8846f780d08a21e2fc884ac078652743b50b3d4ea8c9500f92d272bdd27e2881e438c2b223d40816c100a0 -DIST nftables-1.0.9.tar.xz 971968 BLAKE2B 1dfd1e79d3a7b645fd0995dad10893d70dbd13c92805c5cf30825acbbeb45071b2095072cecbd14b4f66cf0c284d2937a996c6b8013213438f53b92731af039d SHA512 dc34099658e283d9fd4d06264b593710121074558305ea23ab298c5f6a6b564a826f186241b6e106fbaa4e11160cf77e68bb52b4ce401b28d8d2e403cd4b88e8 -DIST nftables-1.0.9.tar.xz.sig 566 BLAKE2B d4bb0a1f629d2950753799fba18f6c3ce50e5ff242816e392245a714bfeccb3408583added4362f1e0da47cc6e30b0b95f864cf8443a1872d59ae40b15b5f706 SHA512 9b96ce8539700713ff4802fb2deff5b2ea0dd3155c45f5a8f49a45f70226893c7449e0b79504833b2e63e5290290e693c962128a226ca8f6ca281185bdcd7b51 -DIST nftables-1.1.0.tar.xz 1057672 BLAKE2B cc876d9ba344480a2f5a12811206356d9edbd4a95d29e8127f43864a1b4e2ae9bc88a6d07f0d36469dfed190c5822fd6a7c69b6a9028fbb0bc1ec254e76083d9 SHA512 
0b0c6789b7d987289b9770ea2d26e640c50bc7f300685476c4fc367b5ad3d6980fca63b8fe701f727fb3a94328eb7dc560ed5745b5ce44f171022de5714d3a86 -DIST nftables-1.1.0.tar.xz.sig 566 BLAKE2B 556287b40ad6f82d229ae18910ec2008c3168c7088e7149f8b5e80ca9983b90ec202cf01838c80e973845dd565f4f13a454d6dc99030a3f9cede6c33929da07d SHA512 1b3a42a76b378373c8a21b77aaf9c1fc57402360d49d56b22f02c50bef969b1f6867a4d40bda24b2dd1a0dfcf7148893938a7eea84ff8cc67d9edcd6b9b62bb4 +AUX systemd/nftables-store.service 234 BLAKE2B bc28a2495df40258ee7d665b3b64ba425b4d9780812896a47b216bbb63651b06aaa8aa26b0b9c8b55c39e8dd3aa15e5f1b19eed62d028fb5be3de28b9dbee75c SHA512 329e89e287700c945ac6a6cfd1232f0d411709cab9730e3dac3eb5dc6f4b19c736276e88837e7cb3866391d6bc2ca88092d910ac911b1195a78824360d615f77 DIST nftables-1.1.1.tar.xz 989700 BLAKE2B f273c78369ba755049c6afa63eba195cf29f926fa8fc9bf344022904c00a8c6c4259cc5093e23993a55fd25790af575305df79a7c28624fa7082661b2eed70d0 SHA512 676413d4adadffb15d52c1f8f6432636cab83a7bcda1a18d9f0e6b58819a2c027a49922588c02bd9ad386de930eaa697bfe74c0938b595bf1ee485bfa7cf2e50 DIST nftables-1.1.1.tar.xz.sig 566 BLAKE2B b7debda3373972f69af9b4b23e1b66a8fd156440187aafba605bb7342c267207e5aa628256e96432ebd4583a6a9436e1969a33636111d2bd8d57185a01e2d502 SHA512 fc23034c512f686167203e827ff2a8f7cb64530211ce92a28793bd49577ce3bf519ffbe910b0071cb21925898497cb5cbf70121c68bfcdbfa4460c63a14203ac -EBUILD nftables-1.0.9.ebuild 6472 BLAKE2B 28da5e49bdf6f55f3e5811d0563c8906e46c74dc8075bd9d88cb5558c6d2b41a9b3f6fe2cf310b8adbd2943ca2ee26e9fb96b516e14fdaf08a4c028ebb3546fc SHA512 46de8e2d2b0750185fdeefe4640d4df9233b7a9369a23f580bb4ab7681a830a7d7d13e2a7ebc9b10d1dfe11ba04b0d63a77e5902113543f45571205cc57b6254 -EBUILD nftables-1.1.0-r1.ebuild 6556 BLAKE2B 4289acbf5aa22a66a0591af82ac10d2e6173f678a77d52e28a9911d64b51554bb5096585b5adaf34f5faee9fd94f909fe60e29082ebdbc1bf25801d3543037f1 SHA512 3c0cf66264351f2bfa4efbcafebcfc1f229f8124539516af16d9b3a1f3c583e9ecc6ecf0bffb155a6cf76ab7ac3d28515c88baad3b37491e7d815738e8db5a71 +EBUILD 
nftables-1.1.1-r1.ebuild 6642 BLAKE2B c7e2678d081aeeba12636cf582b781567e1bec29214a485b5178b710da2d71c64aea7c29fe8dd7e2b77fbf3f4afac87ad135894fe6d9ff9739b61b5297f97d10 SHA512 08c9b366ff6dbf9a219ee13398cd3d123fb611e362291398d550d0876e75e95ce0dbb498be19e1e49d884ca9b57260277c414e440d2c12a5d97aa6f26def3bad EBUILD nftables-1.1.1.ebuild 6474 BLAKE2B 0dd1ea43c50c38c9058874298f465e8773332c5e929b161d25edc166a0e00efc46b499e807885e837308fcbeddb4994282907f668f80fb4dcea696d4e54d10e7 SHA512 14e2a76d0e435b497ad20ed8d0316c4efb9e6711b77fa58a5bae172b0c9ef0e96e23735ad48662befb99f64916bdc18282e257edde4e4a70237c3cd520f231e2 -EBUILD nftables-9999.ebuild 6482 BLAKE2B f803c2b3ea243bdd7365fccdb7f36dffe6246381b7743d656dcebfa6c5afbaca110c2dd110cea0437f7d5fcc9790da57df00f6b6021861a048672abab8f26c8a SHA512 265d6d5512b005e45f555a812557ac7ca48a2a9efb0095cd9aa37e90877bc6943a2e751efd9f82f1583b623bb4c05cbb04e93253c8f9804f8a14887d1eadffba +EBUILD nftables-9999.ebuild 6642 BLAKE2B c7e2678d081aeeba12636cf582b781567e1bec29214a485b5178b710da2d71c64aea7c29fe8dd7e2b77fbf3f4afac87ad135894fe6d9ff9739b61b5297f97d10 SHA512 08c9b366ff6dbf9a219ee13398cd3d123fb611e362291398d550d0876e75e95ce0dbb498be19e1e49d884ca9b57260277c414e440d2c12a5d97aa6f26def3bad MISC metadata.xml 684 BLAKE2B 96044107a07596178b59f3d4bed0433e06eb74693fafcc1a8c20468e02626814ba1544bba54c64367e43a126463b0f3b33e340476aff15db934467e8b9d46bf7 SHA512 fa4c9cadddccda4217837a892fbec3e1b984fb18a4d11d5536f22724d2455724eb59c5cc06da5830fb28bb48cb2d01374fdc56e216296c695c678af28390392a diff --git a/net-firewall/nftables/files/nftables-1.1.0-revert-firewalld-breaking-change.patch b/net-firewall/nftables/files/nftables-1.1.0-revert-firewalld-breaking-change.patch deleted file mode 100644 index 0cc23d61fb8f..000000000000 --- a/net-firewall/nftables/files/nftables-1.1.0-revert-firewalld-breaking-change.patch +++ /dev/null 
@@ -1,63 +0,0 @@ -https://git.netfilter.org/nftables/commit/?id=93560d0117639c8685fc287128ab06dec9950fbd -https://github.com/firewalld/firewalld/issues/1366 -https://lore.kernel.org/netfilter-devel/Zp7FqL_YK3p_dQ8B@egarver-mac/ - -From 93560d0117639c8685fc287128ab06dec9950fbd Mon Sep 17 00:00:00 2001 -From: Pablo Neira Ayuso <pablo@netfilter.org> -Date: Wed, 24 Jul 2024 09:38:33 +0200 -Subject: Revert "cache: recycle existing cache with incremental updates" - -This reverts commit e791dbe109b6dd891a63a4236df5dc29d7a4b863. - -Eric Garver reported two issues: - -- index with rule breaks, because NFT_CACHE_REFRESH is missing. -- simple set updates. - -Moreover, the current process could populate the cache with objects for -listing commands (no generation ID is bumped), while another process -could update the ruleset. Leading to a inconsistent cache due to the -genid + 1 check. - -This optimization needs more work and more tests for -i/--interactive, -revert it. - -Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> ---- a/src/cache.c -+++ b/src/cache.c -@@ -1184,21 +1184,9 @@ static bool nft_cache_needs_refresh(struct nft_cache *cache, unsigned int flags) - (flags & NFT_CACHE_REFRESH); - } - --static bool nft_cache_is_updated(struct nft_cache *cache, unsigned int flags, -- uint16_t genid) -+static bool nft_cache_is_updated(struct nft_cache *cache, uint16_t genid) - { -- if (!genid) -- return false; -- -- if (genid == cache->genid) -- return true; -- -- if (genid == cache->genid + 1) { -- cache->genid++; -- return true; -- } -- -- return false; -+ return genid && genid == cache->genid; - } - - bool nft_cache_needs_update(struct nft_cache *cache) -@@ -1223,7 +1211,7 @@ replay: - genid = mnl_genid_get(&ctx); - if (!nft_cache_needs_refresh(cache, flags) && - nft_cache_is_complete(cache, flags) && -- nft_cache_is_updated(cache, flags, genid)) -+ nft_cache_is_updated(cache, genid)) - return 0; - - if (cache->genid) --- -cgit v1.2.3 - 
diff --git a/net-firewall/nftables/files/systemd/nftables-load.service b/net-firewall/nftables/files/systemd/nftables-load.service
new file mode 100644
index 000000000000..149ccac2f5f0
--- /dev/null
+++ b/net-firewall/nftables/files/systemd/nftables-load.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Load nftables firewall rules
+# if both are queued for some reason, don't store before restoring :)
+Before=nftables-store.service
+# sounds reasonable to have firewall up before any of the services go up
+Before=network-pre.target
+Wants=network-pre.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/nftables/nftables.sh load /var/lib/nftables/rules-save
+
+[Install]
+WantedBy=basic.target
diff --git a/net-firewall/nftables/files/systemd/nftables-store.service b/net-firewall/nftables/files/systemd/nftables-store.service
new file mode 100644
index 000000000000..373f8b947d7d
--- /dev/null
+++ b/net-firewall/nftables/files/systemd/nftables-store.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Store nftables firewall rules
+Before=shutdown.target
+DefaultDependencies=No
+
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/nftables/nftables.sh store /var/lib/nftables/rules-save
+
+[Install]
+WantedBy=shutdown.target
diff --git a/net-firewall/nftables/nftables-1.0.9.ebuild b/net-firewall/nftables/nftables-1.0.9.ebuild
deleted file mode 100644
index f042bec930bc..000000000000
--- a/net-firewall/nftables/nftables-1.0.9.ebuild
+++ /dev/null
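Review bot: nftables-load.service is only ordered `Before=network-pre.target`, so a non-zero exit of its `ExecStart` (for example an unparsable /var/lib/nftables/rules-save) does not hold back network-pre.target or anything that depends on it; the host keeps booting with whatever ruleset the kernel already has, which after a fresh boot is none. That fail-open behaviour is the norm for firewall units and may be intended, but the unit does not say so; a comment above `ExecStart=` such as `# A load failure is not fatal to network-pre.target: boot proceeds without a ruleset; check 'systemctl status nftables-load' after boot` would make the trade-off explicit. Whether nftables.sh applies any fallback policy on a parse error cannot be seen from this diff.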
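Review bot: nftables-store.service sets `DefaultDependencies=No` (accepted, though the conventional spelling is `no`) and orders itself only `Before=shutdown.target`, so nothing orders the write to /var/lib/nftables/rules-save relative to the unmount of the filesystem holding /var; on a host with a separate /var the store may run after that filesystem is gone and the saved ruleset is silently not updated. An explicit ordering against that mount (`After=var.mount`, or the `RequiresMountsFor=/var/lib/nftables` form) needs checking against how systemd schedules a start job during shutdown, so at minimum the assumption should be written down: `# assumes the filesystem holding /var/lib/nftables is still mounted when shutdown.target is reached`. The ebuild's pkg_postinst creates the file under `umask 177` and warns about its mode, so it is also worth confirming that `nftables.sh store` keeps 0600 when it rewrites the file; the script is outside this diff.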
@@ -1,226 +0,0 @@ -# Copyright 1999-2024 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=8 - -DISTUTILS_OPTIONAL=1 -DISTUTILS_USE_PEP517=setuptools -PYTHON_COMPAT=( python3_{10..12} ) -VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/netfilter.org.asc -inherit edo linux-info distutils-r1 systemd verify-sig - -DESCRIPTION="Linux kernel firewall, NAT and packet mangling tools" -HOMEPAGE="https://netfilter.org/projects/nftables/" - -if [[ ${PV} =~ ^[9]{4,}$ ]]; then - inherit autotools git-r3 - EGIT_REPO_URI="https://git.netfilter.org/${PN}" - BDEPEND="app-alternatives/yacc" -else - SRC_URI=" - https://netfilter.org/projects/nftables/files/${P}.tar.xz - verify-sig? ( https://netfilter.org/projects/nftables/files/${P}.tar.xz.sig ) - " - KEYWORDS="amd64 arm arm64 hppa ~loong ~mips ppc ppc64 ~riscv sparc x86" - BDEPEND="verify-sig? ( sec-keys/openpgp-keys-netfilter )" -fi - -# See COPYING: new code is GPL-2+, existing code is GPL-2 -LICENSE="GPL-2 GPL-2+" -SLOT="0/1" -IUSE="debug doc +gmp json libedit python +readline static-libs test xtables" -RESTRICT="!test? ( test )" - -RDEPEND=" - >=net-libs/libmnl-1.0.4:= - >=net-libs/libnftnl-1.2.6:= - gmp? ( dev-libs/gmp:= ) - json? ( dev-libs/jansson:= ) - python? ( ${PYTHON_DEPS} ) - readline? ( sys-libs/readline:= ) - xtables? ( >=net-firewall/iptables-1.6.1:= ) -" -DEPEND="${RDEPEND}" -BDEPEND+=" - app-alternatives/lex - virtual/pkgconfig - doc? ( - app-text/asciidoc - >=app-text/docbook2X-0.8.8-r4 - ) - python? ( ${DISTUTILS_DEPS} ) -" - -REQUIRED_USE=" - python? ( ${PYTHON_REQUIRED_USE} ) - libedit? 
( !readline ) -" - -src_prepare() { - default - - if [[ ${PV} =~ ^[9]{4,}$ ]] ; then - eautoreconf - fi - - if use python; then - pushd py >/dev/null || die - distutils-r1_src_prepare - popd >/dev/null || die - fi -} - -src_configure() { - local myeconfargs=( - --sbindir="${EPREFIX}"/sbin - $(use_enable debug) - $(use_enable doc man-doc) - $(use_with !gmp mini_gmp) - $(use_with json) - $(use_with libedit cli editline) - $(use_with readline cli readline) - $(use_enable static-libs static) - $(use_with xtables) - ) - - econf "${myeconfargs[@]}" - - if use python; then - pushd py >/dev/null || die - distutils-r1_src_configure - popd >/dev/null || die - fi -} - -src_compile() { - default - - if use python; then - pushd py >/dev/null || die - distutils-r1_src_compile - popd >/dev/null || die - fi -} - -src_test() { - emake check - - if [[ ${EUID} == 0 ]]; then - edo tests/shell/run-tests.sh -v - else - ewarn "Skipping shell tests (requires root)" - fi - - if use python; then - pushd tests/py >/dev/null || die - distutils-r1_src_test - popd >/dev/null || die - fi -} - -python_test() { - if [[ ${EUID} == 0 ]]; then - edo "${EPYTHON}" nft-test.py - else - ewarn "Skipping Python tests (requires root)" - fi -} - -src_install() { - default - - if ! use doc && [[ ! ${PV} =~ ^[9]{4,}$ ]]; then - pushd doc >/dev/null || die - doman *.? 
- popd >/dev/null || die - fi - - # Do it here instead of in src_prepare to avoid eautoreconf - # rmdir lets us catch if more files end up installed in /etc/nftables - dodir /usr/share/doc/${PF}/skels/ - mv "${ED}"/etc/nftables/osf "${ED}"/usr/share/doc/${PF}/skels/osf || die - rmdir "${ED}"/etc/nftables || die - - exeinto /usr/libexec/${PN} - newexe "${FILESDIR}"/libexec/${PN}-mk.sh ${PN}.sh - newconfd "${FILESDIR}"/${PN}-mk.confd ${PN} - newinitd "${FILESDIR}"/${PN}-mk.init-r1 ${PN} - keepdir /var/lib/nftables - - systemd_dounit "${FILESDIR}"/systemd/${PN}-restore.service - - if use python ; then - pushd py >/dev/null || die - distutils-r1_src_install - popd >/dev/null || die - fi - - find "${ED}" -type f -name "*.la" -delete || die -} - -pkg_preinst() { - local stderr - - # There's a history of regressions with nftables upgrades. Perform a - # safety check to help us spot them earlier. For the check to pass, the - # currently loaded ruleset, if any, must be successfully evaluated by - # the newly built instance of nft(8). - if [[ -n ${ROOT} ]] || [[ ! -d /sys/module/nftables ]] || [[ ! -x /sbin/nft ]]; then - # Either nftables isn't yet in use or nft(8) cannot be executed. - return - elif ! stderr=$(umask 177; /sbin/nft -t list ruleset 2>&1 >"${T}"/ruleset.nft); then - # Report errors induced by trying to list the ruleset but don't - # treat them as being fatal. - printf '%s\n' "${stderr}" >&2 - elif [[ ${stderr} == *"is managed by iptables-nft"* ]]; then - # Rulesets generated by iptables-nft are special in nature and - # will not always be printed in a way that constitutes a valid - # syntax for ntf(8). Ignore them. - return - elif set -- "${ED}"/usr/lib*/libnftables.so; ! LD_LIBRARY_PATH=${1%/*} "${ED}"/sbin/nft -c -f -- "${T}"/ruleset.nft; then - eerror "Your currently loaded ruleset cannot be parsed by the newly built instance of" - eerror "nft. This probably means that there is a regression introduced by v${PV}." 
- eerror "(To make the ebuild fail instead of warning, set NFTABLES_ABORT_ON_RELOAD_FAILURE=1.)" - if [[ -n ${NFTABLES_ABORT_ON_RELOAD_FAILURE} ]] ; then - die "Aborting because of failed nft reload!" - fi - fi -} - -pkg_postinst() { - local save_file - save_file="${EROOT}"/var/lib/nftables/rules-save - - # In order for the nftables-restore systemd service to start - # the save_file must exist. - if [[ ! -f "${save_file}" ]]; then - ( umask 177; touch "${save_file}" ) - elif [[ $(( "$( stat --printf '%05a' "${save_file}" )" & 07177 )) -ne 0 ]]; then - ewarn "Your system has dangerous permissions for ${save_file}" - ewarn "It is probably affected by bug #691326." - ewarn "You may need to fix the permissions of the file. To do so," - ewarn "you can run the command in the line below as root." - ewarn " 'chmod 600 \"${save_file}\"'" - fi - - if has_version 'sys-apps/systemd'; then - elog "If you wish to enable the firewall rules on boot (on systemd) you" - elog "will need to enable the nftables-restore service." - elog " 'systemctl enable ${PN}-restore.service'" - elog - elog "If you are creating firewall rules before the next system restart" - elog "the nftables-restore service must be manually started in order to" - elog "save those rules on shutdown." - fi - - if has_version 'sys-apps/openrc'; then - elog "If you wish to enable the firewall rules on boot (on openrc) you" - elog "will need to enable the nftables service." - elog " 'rc-update add ${PN} default'" - elog - elog "If you are creating or updating the firewall rules and wish to save" - elog "them to be loaded on the next restart, use the \"save\" functionality" - elog "in the init script." - elog " 'rc-service ${PN} save'" - fi -} diff --git a/net-firewall/nftables/nftables-1.1.0-r1.ebuild b/net-firewall/nftables/nftables-1.1.1-r1.ebuild index 24ede801396a..14a775b021a2 100644 --- a/net-firewall/nftables/nftables-1.1.0-r1.ebuild +++ b/net-firewall/nftables/nftables-1.1.1-r1.ebuild 
@@ -1,4 +1,4 @@
-# Copyright 1999-2024 Gentoo Authors
+# Copyright 1999-2025 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 EAPI=8
@@ -7,7 +7,7 @@ DISTUTILS_OPTIONAL=1
 DISTUTILS_USE_PEP517=setuptools
 PYTHON_COMPAT=( python3_{10..13} )
 VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/netfilter.org.asc
-inherit edo linux-info distutils-r1 systemd verify-sig
+inherit eapi9-ver edo linux-info distutils-r1 systemd verify-sig
 DESCRIPTION="Linux kernel firewall, NAT and packet mangling tools"
 HOMEPAGE="https://netfilter.org/projects/nftables/"
@@ -21,7 +21,7 @@ else
 https://netfilter.org/projects/nftables/files/${P}.tar.xz
 verify-sig? ( https://netfilter.org/projects/nftables/files/${P}.tar.xz.sig )
 "
- KEYWORDS="amd64 arm arm64 hppa ~loong ~mips ppc ppc64 ~riscv sparc x86"
+ KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~loong ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86"
 BDEPEND="verify-sig? ( sec-keys/openpgp-keys-netfilter )"
 fi
@@ -33,7 +33,7 @@ RESTRICT="!test? ( test )"
 RDEPEND="
 >=net-libs/libmnl-1.0.4:=
- >=net-libs/libnftnl-1.2.7:=
+ >=net-libs/libnftnl-1.2.8:=
 gmp? ( dev-libs/gmp:= )
 json? ( dev-libs/jansson:= )
 python? ( ${PYTHON_DEPS} )
@@ -56,10 +56,6 @@ REQUIRED_USE="
 libedit? ( !readline )
 "
-PATCHES=(
- "${FILESDIR}"/nftables-1.1.0-revert-firewalld-breaking-change.patch
-)
-
 src_prepare() {
 default
@@ -151,7 +147,8 @@ src_install() {
 newinitd "${FILESDIR}"/${PN}-mk.init-r1 ${PN}
 keepdir /var/lib/nftables
- systemd_dounit "${FILESDIR}"/systemd/${PN}-restore.service
+ systemd_dounit "${FILESDIR}"/systemd/${PN}-load.service
+ systemd_dounit "${FILESDIR}"/systemd/${PN}-store.service
 if use python ; then
 pushd py >/dev/null || die
@@ -197,7 +194,7 @@ pkg_postinst() {
 local save_file
 save_file="${EROOT}"/var/lib/nftables/rules-save
- # In order for the nftables-restore systemd service to start
+ # In order for the nftables-load systemd service to start
 # the save_file must exist.
 if [[ ! -f "${save_file}" ]]; then
 ( umask 177; touch "${save_file}" )
@@ -210,13 +207,17 @@ pkg_postinst() {
 fi
 if has_version 'sys-apps/systemd'; then
+ if ver_replacing -lt "1.1.1-r1"; then
+ elog "Starting with ${PN}-1.1.1-r1, the ${PN}-restore.service has"
+ elog "been split into ${PN}-load.service and ${PN}-store.service."
+ elog
+ fi
 elog "If you wish to enable the firewall rules on boot (on systemd) you"
- elog "will need to enable the nftables-restore service."
- elog " 'systemctl enable ${PN}-restore.service'"
+ elog "will need to enable the nftables-load service."
+ elog " 'systemctl enable ${PN}-load.service'"
 elog
- elog "If you are creating firewall rules before the next system restart"
- elog "the nftables-restore service must be manually started in order to"
- elog "save those rules on shutdown."
+ elog "Enable nftables-store.service if you want firewall rules to be"
+ elog "saved at shutdown."
 fi
 if has_version 'sys-apps/openrc'; then
diff --git a/net-firewall/nftables/nftables-9999.ebuild b/net-firewall/nftables/nftables-9999.ebuild
index ecfd85b0e138..14a775b021a2 100644
--- a/net-firewall/nftables/nftables-9999.ebuild
+++ b/net-firewall/nftables/nftables-9999.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2024 Gentoo Authors
+# Copyright 1999-2025 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 EAPI=8
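Review bot: The message added under `ver_replacing -lt "1.1.1-r1"` says the unit was split but not that the existing enablement does not carry over: the symlink left behind by `systemctl enable nftables-restore.service` now points at a unit this revision no longer installs, so until the admin runs `systemctl enable nftables-load.service` the saved ruleset is not applied on the next boot and the host comes up without its firewall. That consequence belongs in the same block, e.g. `elog "Your existing enablement of ${PN}-restore.service no longer takes effect;"` followed by `elog "enable ${PN}-load.service now or no ruleset will be loaded at next boot."`. The identical hunk in nftables-9999.ebuild (`@@ -206,13 +207,17 @@`) has the same gap. pkg_postinst continues outside the hunk.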
@@ -7,7 +7,7 @@ DISTUTILS_OPTIONAL=1
 DISTUTILS_USE_PEP517=setuptools
 PYTHON_COMPAT=( python3_{10..13} )
 VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/netfilter.org.asc
-inherit edo linux-info distutils-r1 systemd verify-sig
+inherit eapi9-ver edo linux-info distutils-r1 systemd verify-sig
 DESCRIPTION="Linux kernel firewall, NAT and packet mangling tools"
 HOMEPAGE="https://netfilter.org/projects/nftables/"
@@ -147,7 +147,8 @@ src_install() {
 newinitd "${FILESDIR}"/${PN}-mk.init-r1 ${PN}
 keepdir /var/lib/nftables
- systemd_dounit "${FILESDIR}"/systemd/${PN}-restore.service
+ systemd_dounit "${FILESDIR}"/systemd/${PN}-load.service
+ systemd_dounit "${FILESDIR}"/systemd/${PN}-store.service
 if use python ; then
 pushd py >/dev/null || die
@@ -193,7 +194,7 @@ pkg_postinst() {
 local save_file
 save_file="${EROOT}"/var/lib/nftables/rules-save
- # In order for the nftables-restore systemd service to start
+ # In order for the nftables-load systemd service to start
 # the save_file must exist.
 if [[ ! -f "${save_file}" ]]; then
 ( umask 177; touch "${save_file}" )
@@ -206,13 +207,17 @@ pkg_postinst() {
 fi
 if has_version 'sys-apps/systemd'; then
+ if ver_replacing -lt "1.1.1-r1"; then
+ elog "Starting with ${PN}-1.1.1-r1, the ${PN}-restore.service has"
+ elog "been split into ${PN}-load.service and ${PN}-store.service."
+ elog
+ fi
 elog "If you wish to enable the firewall rules on boot (on systemd) you"
- elog "will need to enable the nftables-restore service."
- elog " 'systemctl enable ${PN}-restore.service'"
+ elog "will need to enable the nftables-load service."
+ elog " 'systemctl enable ${PN}-load.service'"
 elog
- elog "If you are creating firewall rules before the next system restart"
- elog "the nftables-restore service must be manually started in order to"
- elog "save those rules on shutdown."
+ elog "Enable nftables-store.service if you want firewall rules to be"
+ elog "saved at shutdown."
 fi
 if has_version 'sys-apps/openrc'; then
diff --git a/net-firewall/ufw/Manifest b/net-firewall/ufw/Manifest index 321978434fe1..4704692522ba 100644 --- a/net-firewall/ufw/Manifest +++ b/net-firewall/ufw/Manifest @@ -11,4 +11,5 @@ AUX ufw.confd 219 BLAKE2B 8ed5dec5dd9acc84715918240e31398268ff36f73bb2cfc10e64e0 AUX ufw.service 329 BLAKE2B e817fc85b3bdb21b47a3089c6f2204292a019eaeae510832530f0e09f8784a312dd636fa3cf90610bb3159d52b4bdaadf803699ac4bff31576b566a3e977b2d2 SHA512 a365e704ca958c83c86f8a6b1623ce3f9ad72dcfb0cfc7758bfc787e0877f897ccf8b200db83df17130ca5dcc54f938178b8cabfe3ee0c0896c814ee7d2439c7 DIST ufw-0.36.1.tar.gz 583123 BLAKE2B 16e1ee67493d5db10a04667b646a019aa3aeb06345d0facc334fb07eeff4d4f6674a4699b2bd7bd6ed29de1c05c4e14812e9e8ec55c4bfb8579b8e3e2e577f6a SHA512 77d01fef661083eac041be6d6eabffb1d8aedb215f73e44e18a9a63a48da96414b3c0166e3ffd9402c22c72a6de5d774ba14b15368b02997aae8e08d1c5dd4c0 EBUILD ufw-0.36.1-r1.ebuild 5969 BLAKE2B 572d2e2e5078f8e5f60ba69b56015433047809df0ba2b60e97cc84a47d05fbb3e54c8cfeab3c2295745d6bce15900b1bf4e071967ed40a05b25feab04a8c0885 SHA512 c8167747b311dc7fac50e0ad78a160e9481bee6e21d123b1cab8d70b87965873fac6f9c8c5d36c8a23077309845b7c8e3696202ee0e70ed6fe87d11507077509 +EBUILD ufw-0.36.1-r2.ebuild 6053 BLAKE2B 8817e93d68e69f594cac7b1aae31bd305029aec93b5b276eb2b9420ad8ea672f9f9a1e299eb16e686cb9a8fe0b7eea36e78e13b8b3cd8b5e55b4ffc331610066 SHA512 e047aad3d2cb2c8b27fa4eb4438f3456c31348944e72fc37356062d3fd1769401b8d3c0cf2d483662624a851ad057674349e0db01620fde8863a0cac91d21f5a MISC metadata.xml 686 BLAKE2B 6d415e2295cf7facf8908aab2fbd7d4150d24595c9eb30ccf7f105ff2263cd7dc6c393dc8ad8303b264d76be37bb11da3ce4d4b666c0648e974b7585e9e7e452 SHA512 c1dee02a7458095069243337abb01a66dc132de15a51114cc1b39778f02b3a05d28a869cfa8cef55cf8701bb7f872232b63d432c1c5e45d71d90fa6099f74dd5 diff --git a/net-firewall/ufw/ufw-0.36.1-r2.ebuild b/net-firewall/ufw/ufw-0.36.1-r2.ebuild new file mode 100644 index 000000000000..d379494306bc --- /dev/null +++ b/net-firewall/ufw/ufw-0.36.1-r2.ebuild 
@@ -0,0 +1,217 @@
+# Copyright 1999-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{10..13} )
+inherit bash-completion-r1 eapi9-ver edo linux-info python-single-r1 systemd
+
+DESCRIPTION="A program used to manage a netfilter firewall"
+HOMEPAGE="https://launchpad.net/ufw"
+SRC_URI="https://launchpad.net/ufw/${PV%.*}/${PV}/+download/${P}.tar.gz"
+
+LICENSE="GPL-3"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~loong ~ppc ~ppc64 ~riscv ~sparc ~x86"
+IUSE="examples ipv6"
+REQUIRED_USE="${PYTHON_REQUIRED_USE}"
+
+RDEPEND="
+ ${PYTHON_DEPS}
+ net-firewall/iptables[ipv6(+)?]
+"
+BDEPEND="
+ $(python_gen_cond_dep '
+ dev-python/setuptools[${PYTHON_USEDEP}]
+ ')
+ sys-devel/gettext
+"
+
+PATCHES=(
+ # Move files away from /lib/ufw.
+ "${FILESDIR}/${P}-move-path.patch"
+ # Remove unnecessary build time dependency on net-firewall/iptables.
+ "${FILESDIR}/${P}-dont-check-iptables.patch"
+ # Remove shebang modification.
+ "${FILESDIR}/${P}-shebang.patch"
+ # Fix bash completions, bug #526300
+ "${FILESDIR}/${PN}-0.36-bash-completion.patch"
+ # Strip distutils use
+ "${FILESDIR}/${PN}-0.36.1-distutils.patch"
+)
+
+pkg_pretend() {
+ local CONFIG_CHECK="~PROC_FS
+ ~NETFILTER_XT_MATCH_COMMENT ~NETFILTER_XT_MATCH_HL
+ ~NETFILTER_XT_MATCH_LIMIT ~NETFILTER_XT_MATCH_MULTIPORT
+ ~NETFILTER_XT_MATCH_RECENT ~NETFILTER_XT_MATCH_STATE"
+
+ if kernel_is -ge 2 6 39; then
+ CONFIG_CHECK+=" ~NETFILTER_XT_MATCH_ADDRTYPE"
+ else
+ CONFIG_CHECK+=" ~IP_NF_MATCH_ADDRTYPE"
+ fi
+
+ # https://bugs.launchpad.net/ufw/+bug/1076050
+ if kernel_is -ge 3 4; then
+ CONFIG_CHECK+=" ~NETFILTER_XT_TARGET_LOG"
+ else
+ CONFIG_CHECK+=" ~IP_NF_TARGET_LOG"
+ use ipv6 && CONFIG_CHECK+=" ~IP6_NF_TARGET_LOG"
+ fi
+
+ CONFIG_CHECK+=" ~IP_NF_TARGET_REJECT"
+ use ipv6 && CONFIG_CHECK+=" ~IP6_NF_TARGET_REJECT"
+
+ check_extra_config
+
+ # Check for default, useful optional features.
+ if ! 
linux_config_exists; then
+ ewarn "Cannot determine configuration of your kernel."
+ return
+ fi
+
+ local nf_nat_ftp_ok="yes"
+ local nf_conntrack_ftp_ok="yes"
+ local nf_conntrack_netbios_ns_ok="yes"
+
+ linux_chkconfig_present \
+ NF_NAT_FTP || nf_nat_ftp_ok="no"
+ linux_chkconfig_present \
+ NF_CONNTRACK_FTP || nf_conntrack_ftp_ok="no"
+ linux_chkconfig_present \
+ NF_CONNTRACK_NETBIOS_NS || nf_conntrack_netbios_ns_ok="no"
+
+ # This is better than an essay for each unset option...
+ if [[ "${nf_nat_ftp_ok}" == "no" ]] || \
+ [[ "${nf_conntrack_ftp_ok}" == "no" ]] || \
+ [[ "${nf_conntrack_netbios_ns_ok}" == "no" ]]; then
+ echo
+ local mod_msg="Kernel options listed below are not set. They are not"
+ mod_msg+=" mandatory, but they are often useful."
+ mod_msg+=" If you don't need some of them, please remove relevant"
+ mod_msg+=" module name(s) from IPT_MODULES in"
+ mod_msg+=" '${EROOT}/etc/default/ufw' before (re)starting ufw."
+ mod_msg+=" Otherwise ufw may fail to start!"
+ ewarn "${mod_msg}"
+ if [[ "${nf_nat_ftp_ok}" == "no" ]]; then
+ ewarn "NF_NAT_FTP: for better support for active mode FTP."
+ fi
+ if [[ "${nf_conntrack_ftp_ok}" == "no" ]]; then
+ ewarn "NF_CONNTRACK_FTP: for better support for active mode FTP."
+ fi
+ if [[ "${nf_conntrack_netbios_ns_ok}" == "no" ]]; then
+ ewarn "NF_CONNTRACK_NETBIOS_NS: for better Samba support."
+ fi
+ fi
+}
+
+src_prepare() {
+ default
+
+ # Set as enabled by default. User can enable or disable
+ # the service by adding or removing it to/from a runlevel.
+ sed -i 's/^ENABLED=no/ENABLED=yes/' conf/ufw.conf \
+ || die "sed failed (ufw.conf)"
+
+ sed -i "s/^IPV6=yes/IPV6=$(usex ipv6)/" conf/ufw.defaults || die
+
+ # If LINGUAS is set install selected translations only.
+ if [[ -n ${LINGUAS+set} ]]; then
+ _EMPTY_LOCALE_LIST="yes"
+ pushd locales/po > /dev/null || die
+
+ local lang
+ for lang in *.po; do
+ if ! 
has "${lang%.po}" ${LINGUAS}; then
+ rm "${lang}" || die
+ else
+ _EMPTY_LOCALE_LIST="no"
+ fi
+ done
+
+ popd > /dev/null || die
+ else
+ _EMPTY_LOCALE_LIST="no"
+ fi
+}
+
+src_compile() {
+ edo ${EPYTHON} setup.py build
+}
+
+src_install() {
+ edo ${EPYTHON} setup.py install --prefix="${EPREFIX}/usr" --root="${D}"
+ python_optimize
+ einstalldocs
+
+ newconfd "${FILESDIR}"/ufw.confd ufw
+ newinitd "${FILESDIR}"/ufw-2.initd ufw
+ systemd_dounit "${FILESDIR}/ufw.service"
+
+ pushd "${ED}" || die
+ chmod -R 0644 etc/ufw/*.rules || die
+ popd || die
+
+ exeinto /usr/share/${PN}
+ doexe tests/check-requirements
+
+ # users normally would want it
+ insinto "/usr/share/doc/${PF}/logging/syslog-ng"
+ doins -r "${FILESDIR}"/syslog-ng/*
+
+ insinto "/usr/share/doc/${PF}/logging/rsyslog"
+ doins -r "${FILESDIR}"/rsyslog/*
+ doins doc/rsyslog.example
+
+ if use examples; then
+ insinto "/usr/share/doc/${PF}/examples"
+ doins -r examples/*
+ fi
+ newbashcomp shell-completion/bash "${PN}"
+
+ [[ ${_EMPTY_LOCALE_LIST} != "yes" ]] && domo locales/mo/*.mo
+}
+
+pkg_postinst() {
+ local found=()
+ local apps=( "net-firewall/arno-iptables-firewall"
+ "net-firewall/ferm"
+ "net-firewall/firehol"
+ "net-firewall/firewalld"
+ "net-firewall/ipkungfu" )
+
+ for exe in "${apps[@]}"
+ do
+ if has_version "${exe}"; then
+ found+=( "${exe}" )
+ fi
+ done
+
+ if [[ -n ${found} ]]; then
+ echo ""
+ ewarn "WARNING: Detected other firewall applications:"
+ ewarn "${found[@]}"
+ ewarn "If enabled, these applications may interfere with ufw!"
+ fi
+
+ if [[ -z ${REPLACING_VERSIONS} ]]; then
+ echo ""
+ elog "To enable ufw, add it to boot sequence and activate it:"
+ elog "-- # rc-update add ufw boot"
+ elog "-- # /etc/init.d/ufw start"
+ echo
+ elog "If you want to keep ufw logs in a separate file, take a look at"
+ elog "/usr/share/doc/${PF}/logging."
+ fi
+ if [[ -z ${REPLACING_VERSIONS} ]] || ver_replacing -lt 0.34; then
+ echo
+ elog "/usr/share/ufw/check-requirements script is installed." 
+ elog "It is useful for debugging problems with ufw. However one"
+ elog "should keep in mind that the script assumes IPv6 is enabled"
+ elog "on kernel and net-firewall/iptables, and fails when it's not."
+ fi
+ echo
+ ewarn "Note: once enabled, ufw blocks also incoming SSH connections by"
+ ewarn "default. See README, Remote Management section for more information."
+} |
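Review bot: In pkg_postinst the loop variable `exe` is never declared `local`, unlike the function's other variables `found` and `apps`, so it leaks into the phase environment; add `local exe` next to `local found=()`. The guard `[[ -n ${found} ]]` tests only element 0 of the array and reads as a scalar check; `if (( ${#found[@]} )); then` states what is meant. The last statement of src_install, `[[ ${_EMPTY_LOCALE_LIST} != "yes" ]] && domo locales/mo/*.mo`, leaves the function with a non-zero status when the locale list is empty; whether portage treats that as an error I cannot tell from here, but writing it as an `if` block avoids the question.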