From 4f2d7949f03e1c198bc888f2d05f421d35c57e21 Mon Sep 17 00:00:00 2001 
From: V3n3RiX Date: Mon, 9 Oct 2017 18:53:29 +0100 Subject: reinit the tree, so we can have metadata --- net-firewall/iptables/Manifest | 22 ++++ net-firewall/iptables/files/ip6tables-1.4.13.confd | 19 +++ .../iptables/files/iptables-1.4.13-r1.init | 129 +++++++++++++++++++++ net-firewall/iptables/files/iptables-1.4.13.confd | 19 +++ .../iptables/files/iptables-1.4.21-configure.patch | 34 ++++++ .../iptables-1.4.21-static-connlabel-config.patch | 77 ++++++++++++ net-firewall/iptables/files/iptables.init | 129 +++++++++++++++++++++ .../files/systemd/ip6tables-restore.service | 14 +++ .../iptables/files/systemd/ip6tables-store.service | 11 ++ .../iptables/files/systemd/ip6tables.service | 6 + .../files/systemd/iptables-restore.service | 14 +++ .../iptables/files/systemd/iptables-store.service | 11 ++ .../iptables/files/systemd/iptables.service | 6 + net-firewall/iptables/iptables-1.4.21-r1.ebuild | 93 +++++++++++++++ net-firewall/iptables/iptables-1.4.21-r4.ebuild | 104 +++++++++++++++++ net-firewall/iptables/iptables-1.6.0-r1.ebuild | 112 ++++++++++++++++++ net-firewall/iptables/iptables-1.6.1-r1.ebuild | 112 ++++++++++++++++++ net-firewall/iptables/metadata.xml | 29 +++++ 18 files changed, 941 insertions(+) create mode 100644 net-firewall/iptables/Manifest create mode 100644 net-firewall/iptables/files/ip6tables-1.4.13.confd create mode 100644 net-firewall/iptables/files/iptables-1.4.13-r1.init create mode 100644 net-firewall/iptables/files/iptables-1.4.13.confd create mode 100644 net-firewall/iptables/files/iptables-1.4.21-configure.patch create mode 100644 net-firewall/iptables/files/iptables-1.4.21-static-connlabel-config.patch create mode 100755 net-firewall/iptables/files/iptables.init create mode 100644 net-firewall/iptables/files/systemd/ip6tables-restore.service create mode 100644 net-firewall/iptables/files/systemd/ip6tables-store.service create mode 100644 net-firewall/iptables/files/systemd/ip6tables.service create mode 100644 
net-firewall/iptables/files/systemd/iptables-restore.service create mode 100644 net-firewall/iptables/files/systemd/iptables-store.service create mode 100644 net-firewall/iptables/files/systemd/iptables.service create mode 100644 net-firewall/iptables/iptables-1.4.21-r1.ebuild create mode 100644 net-firewall/iptables/iptables-1.4.21-r4.ebuild create mode 100644 net-firewall/iptables/iptables-1.6.0-r1.ebuild create mode 100644 net-firewall/iptables/iptables-1.6.1-r1.ebuild create mode 100644 net-firewall/iptables/metadata.xml (limited to 'net-firewall/iptables') diff --git a/net-firewall/iptables/Manifest b/net-firewall/iptables/Manifest new file mode 100644 index 000000000000..c5d061fca356 --- /dev/null +++ b/net-firewall/iptables/Manifest 
@@ -0,0 +1,22 @@ +AUX ip6tables-1.4.13.confd 690 SHA256 2938fe4206514d9868047bd8f888a699fa2097ca69edab176453436d4259abaa SHA512 8de9a5de4061bef217fbc07577688a8110f1116af7f3b936dfd18100a6a7a47ec6e70c456b24cf3432fb4f2034b741a487fe6af8d9740f174d51c6eb16945c6e WHIRLPOOL f2f4903812b5b97d5bdf9cb28f0bcb6f8c866f197b46a9128530721a8d9db1cdcedffe2512c9235391a67f494c2daf1266d7bc8a6185949756437221c3861a10 +AUX iptables-1.4.13-r1.init 2766 SHA256 2c9dcf73db7740350d41504633671e95287a349838acd5faa6d3b27418c9d6d0 SHA512 9b74344043f48ce2a4691f09199cfa752bd7ee360d912d412fe1cf51de54821b0d082c9585a11b84020454f9759af78ff097d7dfc8f5148ef9e987e6d990edde WHIRLPOOL dbd6af2c45e8e894bb03e818ef43695626fc0228530e5c7ba066e440be3c12bd54e873d31805a1053bd34c4341dda6c64b3eff2e94b51767ad2d0d390ef5a377 +AUX iptables-1.4.13.confd 687 SHA256 7e2341211ca14997b7a8a1f930f94db855291af597c568f680f80031c20d45b6 SHA512 bd67d53e997ea65755148ba071fe6e3856d6e604b9167c666900721bc3dc24f63d395bc33a1a34ae50f95e72760da630db1a8d35afc81ec5973e60ba5343dc70 WHIRLPOOL 111b809b3122b04cce8ac0e551cfcdec7fde1ad563e1001bbbb3dbb4cae0ddf13851ece1024e13fb26aab2fe306dfc4fd9e59ab5a10127b301bc7a65ec20486b +AUX iptables-1.4.21-configure.patch 1066 SHA256 73454c278b48fae5debcdb72ada8f2d60a36b5134cb1052b1a332b83169cbdc0 SHA512 45445d1460072ed19ba617be983be82094fdd0535a25de4f6159173de4a08be9bee9da13c7aeea419291beb92402ca25efba3a0e269510e221f7eacc8bcd5176 WHIRLPOOL 55c56c9e0711409c54b8635dc9b480be885c852b60ac336a32b3a48586c85ba5b7b9a0b4d2d427f7d646dfdc4d49c9fe6957ed39eac5cdd7de3526249f99e6ed +AUX iptables-1.4.21-static-connlabel-config.patch 2195 SHA256 e03de480a940b0ac386bba2ec681f724ba39f5e53153398e061f2d74ae491c49 SHA512 d838773bf2db9f97548d2f7eaab0ce3205265a7ec8b274df479fcecb474ba09ed061abae50534c0379a1290479c2e94927595eca0f4570b27744ec165348b6b1 WHIRLPOOL c1b79bb8e9a915d27940b443c564d0d00ccbd31728b8519bd18a6957ca7085c19dd09592d94a4aecee48102303a000130eba85710ad1de1533ef783ef1c28811 +AUX iptables.init 2787 SHA256 
5b644ff18c49f81983e75be40f52bd15606b5ec668f1c478406c18c6c4c9a528 SHA512 317c71bee98f5b1bbfd17ea961e5e268532c2320fc865b7876f7cc4e02a66b6a012fc336f8880045a83e101f161197c0a1d106220af6240407cebafbf38022db WHIRLPOOL 7b5b790b4f3d228b99523a250d11e0b53380f3cd69d7f845d77373d1ca31106974b5c728a6c6dd247ae135b8c0a92ca021cac7fd0459e13f9ade01a20a404a60 +AUX systemd/ip6tables-restore.service 398 SHA256 611fb01a539f421a06d443ac5bec4ee412699021bb8f99bcc52056b825b72baa SHA512 4df4f73b14e123c463003656631d1affa431f722c9f598cdde6a63a531432aa3f97635b32c59aa2e1ddc4b45f500169c88da1c055fccac6c8ce89db23d015a7a WHIRLPOOL eabe0338f58a300ea53c15e09e35f8c1eb10ac9574213fbe30aff75eb350eaa676f0c927a14e24e7b2eaad6b69124645ff0df995204e65f2a23f0bc00d5d2e1c +AUX systemd/ip6tables-store.service 243 SHA256 ce93fc2ba81f7693877479ddc75cdec94627c302a140bd27ff30656fad78e72b SHA512 7cee224f91d4c8348606ba176d0d689749a59229958cfdf4e75451d77271363e7cff71dbb7e30dbc4a5a837363a72d70d6960d2dfb218f3ad16456ae109cba10 WHIRLPOOL d84687a142843fa9cd930171e817652afb22b950214349ca156ba6da174312989973d17fed04cd129c18d4d6fbd5ad3124b9afa0d105d128333248c90fdb4ca6 +AUX systemd/ip6tables.service 133 SHA256 1b8d342ffdf471ef25e365dacf106e1899b438dad4bf9154cfad2d5217c3a019 SHA512 f871e694a8c666a59840c4c7ae1f355dc47f481501b3472601b65460c1d6e163a7e33f7a6c42a84ac33131ddb96170b316e83507a43f1ede54d61446f81950dc WHIRLPOOL 24140e7398cfa494210b8d3b773bdca5ee1abbbdb29c2921e84ff025848e26844b5c20fadefa9b961ce14564ce8daa9b8e9f197b7d7ec70c26bb6609b74b10d0 +AUX systemd/iptables-restore.service 394 SHA256 611debe959039341f2ee93c276290046365622e4a168c98a9f39684bee9565de SHA512 f0d042b487beaaa0dab0884ccb12c1cb63f9f5949b58187dcd4fcdb28a5b9874fd7b9cc8c14862f8a311a6e4016e2472edc51a776904c9940e1280da7dd3c01b WHIRLPOOL 8fc540b450347ea78e56d03591be2d22bbccadbe65dfe021c23231f9efcda3405d5555a6d5b93f38fbf5cc16855d397da104a873a5dd0fa01270d3b542f9403d +AUX systemd/iptables-store.service 240 SHA256 
14965fd0f3cd4285e77ea1e3d9975a818b0d64fb0026b925d8434896b2cbf839 SHA512 a720e92b5571a2c3427101105e95e555f3b72541a53c5daa43e361c99ca28830e9e8dd27dbd7cfed40fbbe289ed180f9be7e0f3b6b0cd19bba022a531815fd5e WHIRLPOOL e3a5b77b2c19ad8445a21cc9c8680c2d632d968483357221fac1c309275bd17aa25c05cf23188d5ae644d5b1266c64b3dd5fe8fbdec9f2a439a212c3d1c767db +AUX systemd/iptables.service 130 SHA256 c404c54c98521817aca75b96774a24684e0c7ed2fc8de2ced78f4ae4d8a6b99d SHA512 87114ccc7eb079d1ed43d77be35cf4c91702ca960883a4bbca5dfcf74aa6f086e44f4a4251441ac3a277c93eb10e7482157caf2d62bbf2a7f5327947ede25bef WHIRLPOOL 844296866dfe2fe6b1207c99d2f938f4c87a37592e95576f9504fe056fe82fc29878b9aa1a204fa31d6711fbe7ba5cd48f7a639e4839bbe366e6220246a0d3c3 +DIST iptables-1.4.21.tar.bz2 547439 SHA256 52004c68021da9a599feed27f65defcfb22128f7da2c0531c0f75de0f479d3e0 SHA512 dd4baccdb080284d8620e6ed59beafc2677813f3e099051764b07f8e394f6d94ca11861b181f3cce7c55c66de64c1e2add13dc1a0b64e24050cd9fb7aea0689b WHIRLPOOL 475541d1b2b7fe4ee8fa3b537274ef082aab8bfd262201ee14cd53577dfac6f591445cc6d64ed93b226a4b71d54ae1b9ab4cbb378b5440861a585f770f0db200 +DIST iptables-1.6.0.tar.bz2 608288 SHA256 4bb72a0a0b18b5a9e79e87631ddc4084528e5df236bc7624472dcaa8480f1c60 SHA512 60360910db76e3265fb7b6456a55b91708263bde9c4e5b9cadf3832d2e2a9db3e6cb60c82e278ea0672618bd5c9566c374e00d19d35a2e8f330116c3ab6aaf51 WHIRLPOOL e5ab2398b0650883d31ea144777a6b00904a4e02434f0420037aa54cfc5e47359b95604e945ae3a1abbf3037c37aea2143d3a5457a500e12f1c1139b11655015 +DIST iptables-1.6.1.tar.bz2 620890 SHA256 0fc2d7bd5d7be11311726466789d4c65fb4c8e096c9182b56ce97440864f0cf5 SHA512 12280db6e6ef8e68da2537e9da59fc601790fd02b1ba38a37c90dbb56272018329dccb8be995f96ecd5d94fafa6043204f3e8f8ee96531685d9e3c55359d2ee8 WHIRLPOOL e34fffbad8a5aea278cdfd11f042e2318862f8e6045a94a2eff35e6cb233ec62d030d83838613338ca2d928f6982cebf9665d039ba61218399139745c9cb08f9 +EBUILD iptables-1.4.21-r1.ebuild 2440 SHA256 175cacc8552ae92ca05b938d706acdb345ee488081972e1d5d666ef532a5a012 SHA512 
b8cc233407d3cdec4ac916c61f7dcacd0ab23ca344205d48be9ab1a6be52275e595c1a64ba48b0e2e122d6ad762b8ae73883cb3c98c646e0d2ec233a8ccc8155 WHIRLPOOL b292ce7fcdf1a68d553bfd258c7d9f6a7cb3c47aab86f82b94fe4d97ad0fbc704adbfe9371f0db5202fbf6ff3fc249e07ff37804ff934ff64078b9ec9bf789e4 +EBUILD iptables-1.4.21-r4.ebuild 2973 SHA256 c7a60f6ae50344f860a0780c3ed960dfc29a0e9d4bf438aa3533607ec9fdb4bc SHA512 a8ac1de33f16d4d5b2b21aa145ec33a05dae62ba045d269a84e5f58539900d23d39b9a923dab9a1b61514009a263ecacb50563eeb0b6e4e1b3ba673d76fb0594 WHIRLPOOL 0d081a592b28ddffc501767b1478a631bd934f780748b6b53b2746cae499b8b829fd6aad9c0ac9afa11efd777cdc201b22d1fb46978cb5ec1a286415fff913a0 +EBUILD iptables-1.6.0-r1.ebuild 3097 SHA256 c5f6f3b579f8b39325b5aa9c3232f6ecf692385989d5e440a91f6ce91d19c2c5 SHA512 8c30729a0c00a78a53960034748016717210c977fca971efbb68fb5c188c4ba9fbcffb4c0c84396ccfcb0f0045c8ece8f2b7e213d61c05b6cd5b8701cfbbfbdc WHIRLPOOL 9d758ffe70b7b578c0f67041feb398ab83c6f46adde72cf0c1c5d590aac5ef550aa4c81bf00ca49c3fcd6c174efa343806fc1bd07b242f5076a5cfcb88a76ecf +EBUILD iptables-1.6.1-r1.ebuild 3105 SHA256 a8e2244d7cc4bf08f52cfd8893d75db34edbb8d28ce9a12309352690ae3277c4 SHA512 8e8ecf87f5535d562922f2c57988947f81e804c8d094d20fe7a90c0ff3288c8b1fe43a4d5123ec226f9930709487ed9745f5d1081e2c63a2001635dfdcc5bccd WHIRLPOOL 65242c872dd2c2a7165388f27ebd4b18386571024b430eed034391125c1f046369d3314f204626a7abc0e29d3076fa8b9040d5c26e96aa9b8942d592462248a9 +MISC ChangeLog 9263 SHA256 a7cd952f78c9b527ae0dbc5ec3d654ceb7f74143003be019abb1f3809b08e08b SHA512 078ec1b34dbe48e83ea9ab618198b8c702f81ee3085cbf67ca203b64fbe414f2dfef5b6e89710e073178afda31e001f83ff572cb2236fbd260c753aaab92785c WHIRLPOOL b9b6c738e050c27eb9ae144762d4efcbac9adeecd162981d3db7c68cbace6827b1aada551d50220949e28da9074d6747ebe043ebec52a3a13e0cb6ce30c570e7 +MISC ChangeLog-2015 53266 SHA256 899937b46b0928ec409e58139647df2d10a1641c8d3e325b69307b4219d562b8 SHA512 
904982cacd86d993475dfc7e078a66e5390b788ee29fc4b4f57401396420fdff076d35aefceb1b34814876e4acc0746faa23348152ed2acd62b0753cda938900 WHIRLPOOL 7e1ba68e5f9b5c8e75924c10c8fc54c2441450a2ebe7a0ed05f035e5932ef5447aacd29193219025e6a33984247935feb25bf041c8caab9df74dbda77345f38d +MISC metadata.xml 1450 SHA256 12a59ccb10431b7760a10a4421f05fd3763eb14c91d27239f04d9bcacec548ab SHA512 3cd157fddc3a2aeca4ba563509b021ae52f02e23a721488eaf47b2aa701e6fee5ab8432603ca9999e6854b4d8a69950cf1a156104ee5db35f9232302326601f1 WHIRLPOOL 4d48988fd6ec8b53a643206c939789a773ab59253506c4659b83f7d563bd558924845dd04bb03702dff160cc49f72a319fa68b7e1e49988022270eeac7cfe82c diff --git a/net-firewall/iptables/files/ip6tables-1.4.13.confd b/net-firewall/iptables/files/ip6tables-1.4.13.confd new file mode 100644 index 000000000000..3bb36989d37e --- /dev/null +++ b/net-firewall/iptables/files/ip6tables-1.4.13.confd @@ -0,0 +1,19 @@ +# /etc/conf.d/ip6tables + +# Location in which iptables initscript will save set rules on +# service shutdown +IP6TABLES_SAVE="/var/lib/ip6tables/rules-save" + +# Options to pass to iptables-save and iptables-restore +SAVE_RESTORE_OPTIONS="-c" + +# Save state on stopping iptables +SAVE_ON_STOP="yes" + +# If you need to log iptables messages as soon as iptables starts, +# AND your logger does NOT depend on the network, then you may wish +# to uncomment the next line. +# If your logger depends on the network, and you uncomment this line +# you will create an unresolvable circular dependency during startup. +# After commenting or uncommenting this line, you must run 'rc-update -u'. +#rc_use="logger" diff --git a/net-firewall/iptables/files/iptables-1.4.13-r1.init b/net-firewall/iptables/files/iptables-1.4.13-r1.init new file mode 100644 index 000000000000..b410b4ff52bf --- /dev/null +++ b/net-firewall/iptables/files/iptables-1.4.13-r1.init 
@@ -0,0 +1,129 @@
+#!/sbin/openrc-run
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+extra_commands="check save panic"
+extra_started_commands="reload"
+
+iptables_name=${SVCNAME}
+case ${iptables_name} in
+iptables|ip6tables) ;;
+*) iptables_name="iptables" ;;
+esac
+
+iptables_bin="/sbin/${iptables_name}"
+case ${iptables_name} in
+ iptables) iptables_proc="/proc/net/ip_tables_names"
+ iptables_save=${IPTABLES_SAVE};;
+ ip6tables) iptables_proc="/proc/net/ip6_tables_names"
+ iptables_save=${IP6TABLES_SAVE};;
+esac
+
+depend() {
+ need localmount #434774
+ before net
+}
+
+set_table_policy() {
+ local chains table=$1 policy=$2
+ case ${table} in
+ nat) chains="PREROUTING POSTROUTING OUTPUT";;
+ mangle) chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING";;
+ filter) chains="INPUT FORWARD OUTPUT";;
+ *) chains="";;
+ esac
+ local chain
+ for chain in ${chains} ; do
+ ${iptables_bin} -t ${table} -P ${chain} ${policy}
+ done
+}
+
+checkkernel() {
+ if [ ! -e ${iptables_proc} ] ; then
+ eerror "Your kernel lacks ${iptables_name} support, please load"
+ eerror "appropriate modules and try again."
+ return 1
+ fi
+ return 0
+}
+checkconfig() {
+ if [ ! -f ${iptables_save} ] ; then
+ eerror "Not starting ${iptables_name}. First create some rules then run:"
+ eerror "/etc/init.d/${iptables_name} save"
+ return 1
+ fi
+ return 0
+}
+
+start() {
+ checkconfig || return 1
+ ebegin "Loading ${iptables_name} state and starting firewall"
+ ${iptables_bin}-restore ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
+ eend $?
+}
+
+stop() {
+ if [ "${SAVE_ON_STOP}" = "yes" ] ; then
+ save || return 1
+ fi
+ checkkernel || return 1
+ ebegin "Stopping firewall"
+ local a
+ for a in $(cat ${iptables_proc}) ; do
+ set_table_policy $a ACCEPT
+
+ ${iptables_bin} -F -t $a
+ ${iptables_bin} -X -t $a
+ done
+ eend $?
+}
+
+reload() {
+ checkkernel || return 1
+ checkrules || return 1
+ ebegin "Flushing firewall"
+ local a
+ for a in $(cat ${iptables_proc}) ; do
+ ${iptables_bin} -F -t $a
+ ${iptables_bin} -X -t $a
+ done
+ eend $?
+
+ start
+}
+
+checkrules() {
+ ebegin "Checking rules"
+ ${iptables_bin}-restore --test ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
+ eend $?
+}
+
+check() {
+ # Short name for users of init.d script.
+ checkrules
+}
+
+save() {
+ ebegin "Saving ${iptables_name} state"
+ checkpath -q -d "$(dirname "${iptables_save}")"
+ checkpath -q -m 0600 -f "${iptables_save}"
+ ${iptables_bin}-save ${SAVE_RESTORE_OPTIONS} > "${iptables_save}"
+ eend $?
+}
+
+panic() {
+ checkkernel || return 1
+ if service_started ${iptables_name}; then
+ rc-service ${iptables_name} stop
+ fi
+
+ local a
+ ebegin "Dropping all packets"
+ for a in $(cat ${iptables_proc}) ; do
+ ${iptables_bin} -F -t $a
+ ${iptables_bin} -X -t $a
+
+ set_table_policy $a DROP
+ done
+ eend $?
+}
diff --git a/net-firewall/iptables/files/iptables-1.4.13.confd b/net-firewall/iptables/files/iptables-1.4.13.confd
new file mode 100644
index 000000000000..7225374c3a8a
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-1.4.13.confd
@@ -0,0 +1,19 @@
+# /etc/conf.d/iptables
+
+# Location in which iptables initscript will save set rules on
+# service shutdown
+IPTABLES_SAVE="/var/lib/iptables/rules-save"
+
+# Options to pass to iptables-save and iptables-restore
+SAVE_RESTORE_OPTIONS="-c"
+
+# Save state on stopping iptables
+SAVE_ON_STOP="yes"
+
+# If you need to log iptables messages as soon as iptables starts,
+# AND your logger does NOT depend on the network, then you may wish
+# to uncomment the next line.
+# If your logger depends on the network, and you uncomment this line
+# you will create an unresolvable circular dependency during startup.
+# After commenting or uncommenting this line, you must run 'rc-update -u'.
+#rc_use="logger"
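Review bot: In files/iptables-1.4.13-r1.init, `reload()` flushes and deletes every chain before calling `start`, so between the flush loop and `iptables-restore` only the chain policies filter traffic; with ACCEPT policies that is a short fail-open window on every reload. `iptables-restore` already replaces the contents of each table named in the save file unless `--noflush` is passed, so the loop looks unnecessary for those tables. `panic()` has the same shape in the other direction: it runs `rc-service ${iptables_name} stop`, and `stop()` sets all policies to ACCEPT and flushes before the DROP policies are applied. A smaller point in `checkconfig()`: with an empty `IPTABLES_SAVE` the unquoted test `[ ! -f ${iptables_save} ]` collapses to `[ ! -f ]`, which is false, so `start` proceeds; `[ ! -f "${iptables_save}" ]` avoids that. The same code, with `-w` added, is in files/iptables.init later in this commit.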
diff --git a/net-firewall/iptables/files/iptables-1.4.21-configure.patch b/net-firewall/iptables/files/iptables-1.4.21-configure.patch
new file mode 100644
index 000000000000..e827885f1688
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-1.4.21-configure.patch
@@ -0,0 +1,34 @@
+https://bugs.gentoo.org/557586
+
+From b24e59fba39120bfdb9e521bbd0af8f33a60466e Mon Sep 17 00:00:00 2001
+From: Mike Frysinger
+Date: Sat, 15 Aug 2015 14:12:39 -0400
+Subject: [PATCH] configure: fix 3rd arg w/AC_ARG_ENABLE
+
+The 3rd arg is used when --{enable,disable}-foo are passed in, not when
+the feature is enabled. Use the existing $enableval instead.
+
+Signed-off-by: Mike Frysinger
+---
+ configure.ac | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/configure
++++ b/configure
+@@ -11898,14 +11898,14 @@ fi
+
+ # Check whether --enable-bpf-compiler was given.
+ if test "${enable_bpf_compiler+set}" = set; then :
+- enableval=$enable_bpf_compiler; enable_bpfc="yes"
++ enableval=$enable_bpf_compiler; enable_bpfc="$enableval"
+ else
+ enable_bpfc="no"
+ fi
+
+ # Check whether --enable-nfsynproxy was given.
+ if test "${enable_nfsynproxy+set}" = set; then :
+- enableval=$enable_nfsynproxy; enable_nfsynproxy="yes"
++ enableval=$enable_nfsynproxy; enable_nfsynproxy="$enableval"
+ else
+ enable_nfsynproxy="no"
+ fi
diff --git a/net-firewall/iptables/files/iptables-1.4.21-static-connlabel-config.patch b/net-firewall/iptables/files/iptables-1.4.21-static-connlabel-config.patch
new file mode 100644
index 000000000000..a4183d6d4025
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-1.4.21-static-connlabel-config.patch
@@ -0,0 +1,77 @@
+https://bugs.gentoo.org/558234
+http://git.netfilter.org/iptables/commit/?id=825fbda5482a7d5ec5a6619c81fe07ff865c7d6e
+
+From 825fbda5482a7d5ec5a6619c81fe07ff865c7d6e Mon Sep 17 00:00:00 2001
+From: Florian Westphal
+Date: Fri, 5 Sep 2014 20:45:56 +0200
+Subject: [PATCH] extensions: libxt_connlabel: do not open config file from
+ _init hook
+
+else, static builds will print this for every iptables invocation,
+even 'iptables -L'. Delay open until we need to translate a mapping.
+
+Reported-by: Thomas De Schampheleire
+Signed-off-by: Florian Westphal
+---
+ extensions/libxt_connlabel.c | 27 ++++++++++++++++++++-------
+ 1 file changed, 20 insertions(+), 7 deletions(-)
+
+diff --git a/extensions/libxt_connlabel.c b/extensions/libxt_connlabel.c
+index c84a167..1f83095 100644
+--- a/extensions/libxt_connlabel.c
++++ b/extensions/libxt_connlabel.c
+@@ -29,11 +29,26 @@ static const struct xt_option_entry connlabel_mt_opts[] = {
+ XTOPT_TABLEEND,
+ };
+
++/* cannot do this via _init, else static builds might spew error message
++ * for every iptables invocation.
++ */
++static void connlabel_open(void)
++{
++ if (map)
++ return;
++
++ map = nfct_labelmap_new(NULL);
++ if (!map && errno)
++ xtables_error(RESOURCE_PROBLEM, "cannot open connlabel.conf: %s\n",
++ strerror(errno));
++}
++
+ static void connlabel_mt_parse(struct xt_option_call *cb)
+ {
+ struct xt_connlabel_mtinfo *info = cb->data;
+ int tmp;
+
++ connlabel_open();
+ xtables_option_parse(cb);
+
+ switch (cb->entry->id) {
+@@ -54,7 +69,11 @@ static void connlabel_mt_parse(struct xt_option_call *cb)
+
+ static const char *connlabel_get_name(int b)
+ {
+- const char *name = nfct_labelmap_get_name(map, b);
++ const char *name;
++
++ connlabel_open();
++
++ name = nfct_labelmap_get_name(map, b);
+ if (name && strcmp(name, ""))
+ return name;
+ return NULL;
+@@ -114,11 +133,5 @@ static struct xtables_match connlabel_mt_reg = {
+
+ void _init(void)
+ {
+- map = nfct_labelmap_new(NULL);
+- if (!map) {
+- fprintf(stderr, "cannot open connlabel.conf, not registering '%s' match: %s\n",
+- connlabel_mt_reg.name, strerror(errno));
+- return;
+- }
+ xtables_register_match(&connlabel_mt_reg);
+ }
+--
+2.4.4
+
diff --git a/net-firewall/iptables/files/iptables.init b/net-firewall/iptables/files/iptables.init
new file mode 100755
index 000000000000..10394c6f09cf
--- /dev/null
+++ b/net-firewall/iptables/files/iptables.init
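Review bot: In the added `connlabel_open()`, the failure branch is `if (!map && errno)`, but `errno` is not cleared before `nfct_labelmap_new(NULL)`, so a stale value from an earlier call can turn a NULL return into a fatal `xtables_error`, while a NULL return with `errno == 0` passes silently. In that second case `connlabel_get_name()` goes on to call `nfct_labelmap_get_name(map, b)` with `map == NULL`; whether the library tolerates a NULL map is not visible in this patch. Adding `errno = 0;` before the call and `if (!map) return NULL;` after `connlabel_open()` in `connlabel_get_name()` would cover both cases. This is an upstream backport, so the change would belong upstream as well.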
@@ -0,0 +1,129 @@
+#!/sbin/openrc-run
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+extra_commands="check save panic"
+extra_started_commands="reload"
+
+iptables_name=${SVCNAME}
+case ${iptables_name} in
+iptables|ip6tables) ;;
+*) iptables_name="iptables" ;;
+esac
+
+iptables_bin="/sbin/${iptables_name}"
+case ${iptables_name} in
+ iptables) iptables_proc="/proc/net/ip_tables_names"
+ iptables_save=${IPTABLES_SAVE};;
+ ip6tables) iptables_proc="/proc/net/ip6_tables_names"
+ iptables_save=${IP6TABLES_SAVE};;
+esac
+
+depend() {
+ need localmount #434774
+ before net
+}
+
+set_table_policy() {
+ local chains table=$1 policy=$2
+ case ${table} in
+ nat) chains="PREROUTING POSTROUTING OUTPUT";;
+ mangle) chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING";;
+ filter) chains="INPUT FORWARD OUTPUT";;
+ *) chains="";;
+ esac
+ local chain
+ for chain in ${chains} ; do
+ ${iptables_bin} -w -t ${table} -P ${chain} ${policy}
+ done
+}
+
+checkkernel() {
+ if [ ! -e ${iptables_proc} ] ; then
+ eerror "Your kernel lacks ${iptables_name} support, please load"
+ eerror "appropriate modules and try again."
+ return 1
+ fi
+ return 0
+}
+checkconfig() {
+ if [ ! -f ${iptables_save} ] ; then
+ eerror "Not starting ${iptables_name}. First create some rules then run:"
+ eerror "/etc/init.d/${iptables_name} save"
+ return 1
+ fi
+ return 0
+}
+
+start() {
+ checkconfig || return 1
+ ebegin "Loading ${iptables_name} state and starting firewall"
+ ${iptables_bin}-restore ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
+ eend $?
+}
+
+stop() {
+ if [ "${SAVE_ON_STOP}" = "yes" ] ; then
+ save || return 1
+ fi
+ checkkernel || return 1
+ ebegin "Stopping firewall"
+ local a
+ for a in $(cat ${iptables_proc}) ; do
+ set_table_policy $a ACCEPT
+
+ ${iptables_bin} -w -F -t $a
+ ${iptables_bin} -w -X -t $a
+ done
+ eend $?
+}
+
+reload() {
+ checkkernel || return 1
+ checkrules || return 1
+ ebegin "Flushing firewall"
+ local a
+ for a in $(cat ${iptables_proc}) ; do
+ ${iptables_bin} -w -F -t $a
+ ${iptables_bin} -w -X -t $a
+ done
+ eend $?
+
+ start
+}
+
+checkrules() {
+ ebegin "Checking rules"
+ ${iptables_bin}-restore --test ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
+ eend $?
+}
+
+check() {
+ # Short name for users of init.d script.
+ checkrules
+}
+
+save() {
+ ebegin "Saving ${iptables_name} state"
+ checkpath -q -d "$(dirname "${iptables_save}")"
+ checkpath -q -m 0600 -f "${iptables_save}"
+ ${iptables_bin}-save ${SAVE_RESTORE_OPTIONS} > "${iptables_save}"
+ eend $?
+}
+
+panic() {
+ checkkernel || return 1
+ if service_started ${iptables_name}; then
+ rc-service ${iptables_name} stop
+ fi
+
+ local a
+ ebegin "Dropping all packets"
+ for a in $(cat ${iptables_proc}) ; do
+ ${iptables_bin} -w -F -t $a
+ ${iptables_bin} -w -X -t $a
+
+ set_table_policy $a DROP
+ done
+ eend $?
+}
diff --git a/net-firewall/iptables/files/systemd/ip6tables-restore.service b/net-firewall/iptables/files/systemd/ip6tables-restore.service
new file mode 100644
index 000000000000..c149e92ba900
--- /dev/null
+++ b/net-firewall/iptables/files/systemd/ip6tables-restore.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Restore ip6tables firewall rules
+# if both are queued for some reason, don't store before restoring :)
+Before=ip6tables-store.service
+# sounds reasonable to have firewall up before any of the services go up
+Before=network-pre.target
+Wants=network-pre.target
+
+[Service]
+Type=oneshot
+ExecStart=/sbin/ip6tables-restore /var/lib/ip6tables/rules-save
+
+[Install]
+WantedBy=basic.target
diff --git a/net-firewall/iptables/files/systemd/ip6tables-store.service b/net-firewall/iptables/files/systemd/ip6tables-store.service
new file mode 100644
index 000000000000..9975378353d3
--- /dev/null
+++ b/net-firewall/iptables/files/systemd/ip6tables-store.service
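Review bot: ip6tables-restore.service fails open: if /var/lib/ip6tables/rules-save is missing or does not parse, the oneshot fails, and because `Before=network-pre.target` only orders the units, nothing visible here keeps the network from coming up with no rules loaded. That behaviour deserves at least a comment in the unit, for example `# NOTE: a failed restore does not block networking; monitor this unit's state`. Separately, the store unit saves with `--counters` while this `ExecStart` omits it, so the saved packet and byte counters are dropped on load; `ExecStart=/sbin/ip6tables-restore --counters /var/lib/ip6tables/rules-save` would match the OpenRC default `SAVE_RESTORE_OPTIONS="-c"`. Both points apply to iptables-restore.service as well.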
@@ -0,0 +1,11 @@
+[Unit]
+Description=Store ip6tables firewall rules
+Before=shutdown.target
+DefaultDependencies=No
+
+[Service]
+Type=oneshot
+ExecStart=/bin/sh -c "/sbin/ip6tables-save --counters > /var/lib/ip6tables/rules-save"
+
+[Install]
+WantedBy=shutdown.target
diff --git a/net-firewall/iptables/files/systemd/ip6tables.service b/net-firewall/iptables/files/systemd/ip6tables.service
new file mode 100644
index 000000000000..0a6d7fa1c8ab
--- /dev/null
+++ b/net-firewall/iptables/files/systemd/ip6tables.service
@@ -0,0 +1,6 @@
+[Unit]
+Description=Store and restore ip6tables firewall rules
+
+[Install]
+Also=ip6tables-store.service
+Also=ip6tables-restore.service
diff --git a/net-firewall/iptables/files/systemd/iptables-restore.service b/net-firewall/iptables/files/systemd/iptables-restore.service
new file mode 100644
index 000000000000..2474ee3ec419
--- /dev/null
+++ b/net-firewall/iptables/files/systemd/iptables-restore.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Restore iptables firewall rules
+# if both are queued for some reason, don't store before restoring :)
+Before=iptables-store.service
+# sounds reasonable to have firewall up before any of the services go up
+Before=network-pre.target
+Wants=network-pre.target
+
+[Service]
+Type=oneshot
+ExecStart=/sbin/iptables-restore /var/lib/iptables/rules-save
+
+[Install]
+WantedBy=basic.target
diff --git a/net-firewall/iptables/files/systemd/iptables-store.service b/net-firewall/iptables/files/systemd/iptables-store.service
new file mode 100644
index 000000000000..aa16e75e9ccf
--- /dev/null
+++ b/net-firewall/iptables/files/systemd/iptables-store.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Store iptables firewall rules
+Before=shutdown.target
+DefaultDependencies=No
+
+[Service]
+Type=oneshot
+ExecStart=/bin/sh -c "/sbin/iptables-save --counters > /var/lib/iptables/rules-save"
+
+[Install]
+WantedBy=shutdown.target
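Review bot: In ip6tables-store.service the shell redirect in `ExecStart` creates /var/lib/ip6tables/rules-save with the service's default umask, whereas the OpenRC `save()` in this commit forces the file to mode 0600 with `checkpath -q -m 0600 -f`; the saved ruleset can therefore end up readable by local users when the systemd path is used. The redirect also truncates the file before `ip6tables-save` runs, so a failed save at shutdown leaves an empty or partial file for the next boot's restore. Adding `UMask=0077` under `[Service]` and writing through a temporary file, `ExecStart=/bin/sh -c "/sbin/ip6tables-save --counters > /var/lib/ip6tables/rules-save.new && mv /var/lib/ip6tables/rules-save.new /var/lib/ip6tables/rules-save"`, would address both. iptables-store.service has the same `ExecStart` shape.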
diff --git a/net-firewall/iptables/files/systemd/iptables.service b/net-firewall/iptables/files/systemd/iptables.service
new file mode 100644
index 000000000000..3643a3e31034
--- /dev/null
+++ b/net-firewall/iptables/files/systemd/iptables.service
@@ -0,0 +1,6 @@
+[Unit]
+Description=Store and restore iptables firewall rules
+
+[Install]
+Also=iptables-store.service
+Also=iptables-restore.service
diff --git a/net-firewall/iptables/iptables-1.4.21-r1.ebuild b/net-firewall/iptables/iptables-1.4.21-r1.ebuild
new file mode 100644
index 000000000000..05b4e957ca31
--- /dev/null
+++ b/net-firewall/iptables/iptables-1.4.21-r1.ebuild
@@ -0,0 +1,93 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="5"
+
+# Force users doing their own patches to install their own tools
+AUTOTOOLS_AUTO_DEPEND=no
+
+inherit eutils multilib systemd toolchain-funcs autotools
+
+DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
+HOMEPAGE="http://www.netfilter.org/projects/iptables/"
+SRC_URI="http://www.netfilter.org/projects/iptables/files/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86"
+IUSE="conntrack ipv6 netlink static-libs"
+
+RDEPEND="
+ conntrack? ( net-libs/libnetfilter_conntrack )
+ netlink? ( net-libs/libnfnetlink )
+"
+DEPEND="${RDEPEND}
+ virtual/os-headers
+ virtual/pkgconfig
+"
+
+src_prepare() {
+ # use the saner headers from the kernel
+ rm -f include/linux/{kernel,types}.h
+
+ # Only run autotools if user patched something
+ epatch_user && eautoreconf || elibtoolize
+}
+
+src_configure() {
+ # Some libs use $(AR) rather than libtool to build #444282
+ tc-export AR
+
+ sed -i \
+ -e "/nfnetlink=[01]/s:=[01]:=$(usex netlink 1 0):" \
+ -e "/nfconntrack=[01]/s:=[01]:=$(usex conntrack 1 0):" \
+ configure || die
+
+ econf \
+ --sbindir="${EPREFIX}/sbin" \
+ --libexecdir="${EPREFIX}/$(get_libdir)" \
+ --enable-devel \
+ --enable-shared \
+ $(use_enable static-libs static) \
+ $(use_enable ipv6)
+}
+
+src_compile() {
+ emake V=1
+}
+
+src_install() {
+ default
+ dodoc INCOMPATIBILITIES iptables/iptables.xslt
+
+ # all the iptables binaries are in /sbin, so might as well
+ # put these small files in with them
+ into /
+ dosbin iptables/iptables-apply
+ dosym iptables-apply /sbin/ip6tables-apply
+ doman iptables/iptables-apply.8
+
+ insinto /usr/include
+ doins include/iptables.h $(use ipv6 && echo include/ip6tables.h)
+ insinto /usr/include/iptables
+ doins include/iptables/internal.h
+
+ keepdir /var/lib/iptables
+ newinitd "${FILESDIR}"/${PN}-1.4.13-r1.init iptables
+ newconfd "${FILESDIR}"/${PN}-1.4.13.confd iptables
+ if use ipv6 ; then
+ keepdir /var/lib/ip6tables
+ newinitd "${FILESDIR}"/iptables-1.4.13-r1.init ip6tables
+ newconfd "${FILESDIR}"/ip6tables-1.4.13.confd ip6tables
+ fi
+
+ systemd_dounit "${FILESDIR}"/systemd/iptables{,-{re,}store}.service
+ if use ipv6 ; then
+ systemd_dounit "${FILESDIR}"/systemd/ip6tables{,-{re,}store}.service
+ fi
+
+ # Move important libs to /lib #332175
+ gen_usr_ldscript -a ip{4,6}tc iptc xtables
+
+ prune_libtool_files
+}
diff --git a/net-firewall/iptables/iptables-1.4.21-r4.ebuild b/net-firewall/iptables/iptables-1.4.21-r4.ebuild
new file mode 100644
index 000000000000..b873bc7ffcfa
--- /dev/null
+++ b/net-firewall/iptables/iptables-1.4.21-r4.ebuild
@@ -0,0 +1,104 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="5"
+
+# Force users doing their own patches to install their own tools
+AUTOTOOLS_AUTO_DEPEND=no
+
+inherit eutils multilib systemd toolchain-funcs autotools flag-o-matic
+
+DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
+HOMEPAGE="http://www.netfilter.org/projects/iptables/"
+SRC_URI="http://www.netfilter.org/projects/iptables/files/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+# Subslot tracks libxtables as that's the one other packages generally link
+# against and iptables changes. Will have to revisit if other sonames change.
+SLOT="0/10"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
+IUSE="conntrack ipv6 netlink pcap static-libs"
+
+RDEPEND="
+ conntrack? ( net-libs/libnetfilter_conntrack )
+ netlink? ( net-libs/libnfnetlink )
+ pcap? ( net-libs/libpcap )
+"
+DEPEND="${RDEPEND}
+ virtual/os-headers
+ virtual/pkgconfig
+"
+
+src_prepare() {
+ # use the saner headers from the kernel
+ rm -f include/linux/{kernel,types}.h
+
+ epatch "${FILESDIR}"/${P}-configure.patch #557586
+ epatch "${FILESDIR}"/${P}-static-connlabel-config.patch #558234
+
+ # Only run autotools if user patched something
+ epatch_user && eautoreconf || elibtoolize
+}
+
+src_configure() {
+ # Some libs use $(AR) rather than libtool to build #444282
+ tc-export AR
+
+ # Hack around struct mismatches between userland & kernel for some ABIs. #472388
+ use amd64 && [[ ${ABI} == "x32" ]] && append-flags -fpack-struct
+
+ sed -i \
+ -e "/nfnetlink=[01]/s:=[01]:=$(usex netlink 1 0):" \
+ -e "/nfconntrack=[01]/s:=[01]:=$(usex conntrack 1 0):" \
+ configure || die
+
+ econf \
+ --sbindir="${EPREFIX}/sbin" \
+ --libexecdir="${EPREFIX}/$(get_libdir)" \
+ --enable-devel \
+ --enable-shared \
+ $(use_enable pcap bpf-compiler) \
+ $(use_enable pcap nfsynproxy) \
+ $(use_enable static-libs static) \
+ $(use_enable ipv6)
+}
+
+src_compile() {
+ emake V=1
+}
+
+src_install() {
+ default
+ dodoc INCOMPATIBILITIES iptables/iptables.xslt
+
+ # all the iptables binaries are in /sbin, so might as well
+ # put these small files in with them
+ into /
+ dosbin iptables/iptables-apply
+ dosym iptables-apply /sbin/ip6tables-apply
+ doman iptables/iptables-apply.8
+
+ insinto /usr/include
+ doins include/iptables.h $(use ipv6 && echo include/ip6tables.h)
+ insinto /usr/include/iptables
+ doins include/iptables/internal.h
+
+ keepdir /var/lib/iptables
+ newinitd "${FILESDIR}"/${PN}.init iptables
+ newconfd "${FILESDIR}"/${PN}-1.4.13.confd iptables
+ if use ipv6 ; then
+ keepdir /var/lib/ip6tables
+ newinitd "${FILESDIR}"/iptables.init ip6tables
+ newconfd "${FILESDIR}"/ip6tables-1.4.13.confd ip6tables
+ fi
+
+ systemd_dounit "${FILESDIR}"/systemd/iptables{,-{re,}store}.service
+ if use ipv6 ; then
+ systemd_dounit "${FILESDIR}"/systemd/ip6tables{,-{re,}store}.service
+ fi
+
+ # Move important libs to /lib #332175
+ gen_usr_ldscript -a ip{4,6}tc iptc xtables
+
+ prune_libtool_files
+}
diff --git a/net-firewall/iptables/iptables-1.6.0-r1.ebuild b/net-firewall/iptables/iptables-1.6.0-r1.ebuild
new file mode 100644
index 000000000000..11aff3774610
--- /dev/null
+++ b/net-firewall/iptables/iptables-1.6.0-r1.ebuild
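Review bot: `SRC_URI` and `HOMEPAGE` in iptables-1.4.21-r4.ebuild use plain `http://`, so the integrity of the fetched tarball rests entirely on the DIST digests in Manifest. Those digests are added in this commit, so this is transport hardening rather than a defect; if upstream serves the same path over TLS, `SRC_URI="https://www.netfilter.org/projects/iptables/files/${P}.tar.bz2"` would be preferable. The same two lines appear in the 1.4.21-r1 and 1.6.0-r1 ebuilds.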
@@ -0,0 +1,112 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="5"
+
+# Force users doing their own patches to install their own tools
+AUTOTOOLS_AUTO_DEPEND=no
+
+inherit eutils multilib systemd toolchain-funcs autotools flag-o-matic
+
+DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
+HOMEPAGE="http://www.netfilter.org/projects/iptables/"
+SRC_URI="http://www.netfilter.org/projects/iptables/files/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+# Subslot tracks libxtables as that's the one other packages generally link
+# against and iptables changes. Will have to revisit if other sonames change.
+SLOT="0/11"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
+IUSE="conntrack ipv6 netlink nftables pcap static-libs"
+
+RDEPEND="
+ conntrack? ( net-libs/libnetfilter_conntrack )
+ netlink? ( net-libs/libnfnetlink )
+ nftables? (
+ >=net-libs/libmnl-1.0
+ >=net-libs/libnftnl-1.0.5
+ )
+ pcap? ( net-libs/libpcap )
+"
+DEPEND="${RDEPEND}
+ virtual/os-headers
+ virtual/pkgconfig
+ nftables? (
+ sys-devel/flex
+ virtual/yacc
+ )
+"
+
+src_prepare() {
+ # use the saner headers from the kernel
+ rm -f include/linux/{kernel,types}.h
+
+ # Only run autotools if user patched something
+ epatch_user && eautoreconf || elibtoolize
+}
+
+src_configure() {
+ # Some libs use $(AR) rather than libtool to build #444282
+ tc-export AR
+
+ # Hack around struct mismatches between userland & kernel for some ABIs. #472388
+ use amd64 && [[ ${ABI} == "x32" ]] && append-flags -fpack-struct
+
+ sed -i \
+ -e "/nfnetlink=[01]/s:=[01]:=$(usex netlink 1 0):" \
+ -e "/nfconntrack=[01]/s:=[01]:=$(usex conntrack 1 0):" \
+ configure || die
+
+ econf \
+ --sbindir="${EPREFIX}/sbin" \
+ --libexecdir="${EPREFIX}/$(get_libdir)" \
+ --enable-devel \
+ --enable-shared \
+ $(use_enable nftables) \
+ $(use_enable pcap bpf-compiler) \
+ $(use_enable pcap nfsynproxy) \
+ $(use_enable static-libs static) \
+ $(use_enable ipv6)
+}
+
+src_compile() {
+ # Deal with parallel build errors.
+ use nftables && emake -C iptables xtables-config-parser.h
+ emake V=1
+}
+
+src_install() {
+ default
+ dodoc INCOMPATIBILITIES iptables/iptables.xslt
+
+ # all the iptables binaries are in /sbin, so might as well
+ # put these small files in with them
+ into /
+ dosbin iptables/iptables-apply
+ dosym iptables-apply /sbin/ip6tables-apply
+ doman iptables/iptables-apply.8
+
+ insinto /usr/include
+ doins include/iptables.h $(use ipv6 && echo include/ip6tables.h)
+ insinto /usr/include/iptables
+ doins include/iptables/internal.h
+
+ keepdir /var/lib/iptables
+ newinitd "${FILESDIR}"/${PN}.init iptables
+ newconfd "${FILESDIR}"/${PN}-1.4.13.confd iptables
+ if use ipv6 ; then
+ keepdir /var/lib/ip6tables
+ newinitd "${FILESDIR}"/iptables.init ip6tables
+ newconfd "${FILESDIR}"/ip6tables-1.4.13.confd ip6tables
+ fi
+
+ systemd_dounit "${FILESDIR}"/systemd/iptables-{re,}store.service
+ if use ipv6 ; then
+ systemd_dounit "${FILESDIR}"/systemd/ip6tables-{re,}store.service
+ fi
+
+ # Move important libs to /lib #332175
+ gen_usr_ldscript -a ip{4,6}tc iptc xtables
+
+ prune_libtool_files
+}
diff --git a/net-firewall/iptables/iptables-1.6.1-r1.ebuild b/net-firewall/iptables/iptables-1.6.1-r1.ebuild
new file mode 100644
index 000000000000..4132b8a76807
--- /dev/null
+++ b/net-firewall/iptables/iptables-1.6.1-r1.ebuild
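Review bot: `systemd_dounit "${FILESDIR}"/systemd/iptables-{re,}store.service` in src_install of the 1.6.0-r1 ebuild no longer installs iptables.service (or ip6tables.service), which the 104-line ebuild hunk earlier in the patch did via `iptables{,-{re,}store}.service`, and nothing in this hunk tells the user about it. If the drop is intentional, a host that had enabled the removed unit may boot after the upgrade without its saved rule set loaded; this is an inference, since the unit files themselves are not in view. I would add a `pkg_postinst` that emits something like `elog "iptables.service is no longer installed; enable iptables-restore.service and iptables-store.service instead"`. The 1.6.1-r1 hunk carries the same unit list.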
@@ -0,0 +1,112 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="5"
+
+# Force users doing their own patches to install their own tools
+AUTOTOOLS_AUTO_DEPEND=no
+
+inherit eutils multilib systemd toolchain-funcs autotools flag-o-matic
+
+DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
+HOMEPAGE="http://www.netfilter.org/projects/iptables/"
+SRC_URI="http://www.netfilter.org/projects/iptables/files/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+# Subslot tracks libxtables as that's the one other packages generally link
+# against and iptables changes. Will have to revisit if other sonames change.
+SLOT="0/12"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
+IUSE="conntrack ipv6 netlink nftables pcap static-libs"
+
+RDEPEND="
+ conntrack? ( >=net-libs/libnetfilter_conntrack-1.0.6 )
+ netlink? ( net-libs/libnfnetlink )
+ nftables? (
+ >=net-libs/libmnl-1.0
+ >=net-libs/libnftnl-1.0.5
+ )
+ pcap? ( net-libs/libpcap )
+"
+DEPEND="${RDEPEND}
+ virtual/os-headers
+ virtual/pkgconfig
+ nftables? (
+ sys-devel/flex
+ virtual/yacc
+ )
+"
+
+src_prepare() {
+ # use the saner headers from the kernel
+ rm -f include/linux/{kernel,types}.h
+
+ # Only run autotools if user patched something
+ epatch_user && eautoreconf || elibtoolize
+}
+
+src_configure() {
+ # Some libs use $(AR) rather than libtool to build #444282
+ tc-export AR
+
+ # Hack around struct mismatches between userland & kernel for some ABIs. #472388
+ use amd64 && [[ ${ABI} == "x32" ]] && append-flags -fpack-struct
+
+ sed -i \
+ -e "/nfnetlink=[01]/s:=[01]:=$(usex netlink 1 0):" \
+ -e "/nfconntrack=[01]/s:=[01]:=$(usex conntrack 1 0):" \
+ configure || die
+
+ econf \
+ --sbindir="${EPREFIX}/sbin" \
+ --libexecdir="${EPREFIX}/$(get_libdir)" \
+ --enable-devel \
+ --enable-shared \
+ $(use_enable nftables) \
+ $(use_enable pcap bpf-compiler) \
+ $(use_enable pcap nfsynproxy) \
+ $(use_enable static-libs static) \
+ $(use_enable ipv6)
+}
+
+src_compile() {
+ # Deal with parallel build errors.
+ use nftables && emake -C iptables xtables-config-parser.h
+ emake V=1
+}
+
+src_install() {
+ default
+ dodoc INCOMPATIBILITIES iptables/iptables.xslt
+
+ # all the iptables binaries are in /sbin, so might as well
+ # put these small files in with them
+ into /
+ dosbin iptables/iptables-apply
+ dosym iptables-apply /sbin/ip6tables-apply
+ doman iptables/iptables-apply.8
+
+ insinto /usr/include
+ doins include/iptables.h $(use ipv6 && echo include/ip6tables.h)
+ insinto /usr/include/iptables
+ doins include/iptables/internal.h
+
+ keepdir /var/lib/iptables
+ newinitd "${FILESDIR}"/${PN}.init iptables
+ newconfd "${FILESDIR}"/${PN}-1.4.13.confd iptables
+ if use ipv6 ; then
+ keepdir /var/lib/ip6tables
+ newinitd "${FILESDIR}"/iptables.init ip6tables
+ newconfd "${FILESDIR}"/ip6tables-1.4.13.confd ip6tables
+ fi
+
+ systemd_dounit "${FILESDIR}"/systemd/iptables-{re,}store.service
+ if use ipv6 ; then
+ systemd_dounit "${FILESDIR}"/systemd/ip6tables-{re,}store.service
+ fi
+
+ # Move important libs to /lib #332175
+ gen_usr_ldscript -a ip{4,6}tc iptc xtables
+
+ prune_libtool_files
+}
diff --git a/net-firewall/iptables/metadata.xml b/net-firewall/iptables/metadata.xml
new file mode 100644
index 000000000000..92f454ba7f63
--- /dev/null
+++ b/net-firewall/iptables/metadata.xml
@@ -0,0 +1,29 @@
+
+
+
+
+ base-system@gentoo.org
+ Gentoo Base System
+
+
+ Build against net-libs/libnetfilter_conntrack when enables the connlabel matcher
+ Build against libnfnetlink which enables the nfnl_osf util
+ Support nftables kernel interface
+ Build against net-libs/libpcap which enables the nfbpf_compile util
+
+
+ iptables is the userspace command line program used to set up, maintain, and
+ inspect the tables of IPv4 packet filter rules in the Linux kernel. It's a
+ part of packet filtering framework which allows the stateless and stateful
+ packet filtering, all kinds of network address and port translation, and is a
+ flexible and extensible infrastructure with multiple layers of API's for 3rd
+ party extensions. The iptables package also includes ip6tables. ip6tables is
+ used for configuring the IPv6 packet filter.
+
+ Note that some extensions (e.g. imq and l7filter) are not included into
+ official kernel sources so you have to patch the sources before installation.
+
+
+ cpe:/a:netfilter_core_team:iptables
+
+
-- cgit v1.2.3