From fcc5224904648a8e6eb528d7603154160a20022f Mon Sep 17 00:00:00 2001
From: V3n3RiX <venerix@koprulu.sector>
Date: Wed, 2 Feb 2022 01:39:05 +0000
Subject: gentoo resync : 02.02.2022

---
 net-firewall/iptables/Manifest                     |   2 +
 .../files/iptables-1.8.7-cache-double-free.patch   |  61 +++++++
 net-firewall/iptables/iptables-1.8.7-r1.ebuild     | 183 +++++++++++++++++++++
 3 files changed, 246 insertions(+)
 create mode 100644 net-firewall/iptables/files/iptables-1.8.7-cache-double-free.patch
 create mode 100644 net-firewall/iptables/iptables-1.8.7-r1.ebuild

(limited to 'net-firewall/iptables')

diff --git a/net-firewall/iptables/Manifest b/net-firewall/iptables/Manifest
index 99f439827a98..e5289fccb777 100644
--- a/net-firewall/iptables/Manifest
+++ b/net-firewall/iptables/Manifest
@@ -1,6 +1,7 @@
 AUX ip6tables-r1.confd 899 BLAKE2B d8c72df359a35798d7a92958ba9a620ab580427a06765850928181d7b4cc25455c586daaad88bd20e61a9c9218dbc0895de38b006526bb04f4f2e998d8062fbe SHA512 553ddf83558edaccf891a366175e47aad950853be0de556581cfa08f614afa1f4139c94b8d8d2884ed69018513edeb966331d4d6a615829ada65fac2066840e5
 AUX iptables-1.8.2-link.patch 785 BLAKE2B 2ef5ac495260eef324f341d5d807e8c59afee8ac4853b46ef8c88765ed786396888d0bcd15822765da5584c25c6cdbbbc6b8b85eb0b8dbdd9b300662b1d59479 SHA512 10f6fdc4e4a37a0becb87f99c49888df366248f02b17037faf83068ef00824ecb61022a40b5551f9c8d2db22262ad738d554296bd6b78765dd5f8baf524b2388
 AUX iptables-1.8.4-no-symlinks.patch 800 BLAKE2B 721d2dcc881f781031d2be48659dcd54568b3e8c25ad19d0505699f0cf8276990b41f2ddf9d5eda5c2a77f66ae9a16ae542c42c6fc2d91b085cc5922121f9b00 SHA512 79601d8a8a352f82f0f3eaf85a7b1f830c9ddc400ae0fadaf08eb1848bb9a2801a886b2b0803bf498e353db1828c0976aa8d30c9ece5fdcf61a203070ed4d7cd
+AUX iptables-1.8.7-cache-double-free.patch 1574 BLAKE2B 475ed5b4d267b32a03b921cb009fa76931a7fc737ecabb70aed3d13b1f64d94bbb69194892c178fed9784d31c3478b00ab6dbc0d6fc5dd0b86a3ae86d8dcd681 SHA512 79e908845804b36a4a581485f61028570f58645aaaee9682d4a7b9609d4a410c8fb7547d082c5b02deafcf342f675da6e2a7e3436333d0ae6f3ce1a770afdc1a
 AUX iptables-r1.confd 890 BLAKE2B 0aaca870e3c03f19a71cf1b210377dfda320faf118359e298bef419eaf280fd11c9726d200ae89602e863c9b48de0bb51ac05424b50c064afe948a980e300153 SHA512 10002da01ded6be0e9bca6041798ad0859fa2212fde077a048443e4f3012c95d86e4580ae426e87af5891368062af9af6f9fd35ed617d24cdd3c51702b816b13
 AUX iptables-r2.init 4384 BLAKE2B d11be1725e25d234e01af86c82d3745fd630b15b3ae2228845c5555db5c2ffdcd920fd565480f76ab91ef2d5b26f9ae96432efc288a1b9aa2abfb5b9bb01d7bf SHA512 8897ab985424c895e261e0fe521921f0da8e09e38394655b0f91c65c0e8f603731faf70489f7a6610c83d6c2fde75f92f309405d72277643165a847e62238df7
 AUX systemd/ip6tables-restore.service 404 BLAKE2B 35cdf804e787aa5cc382cc638de523735ab47b878168c41d8eef85eb592e5bebd9319e75a10db28f0eba6618efae355c90f03ac0798239edeb80d01108e98a47 SHA512 34730df7464354bce11ca5bdceb5cf305e8ab7e2ded2c2689448379e74ff93252e7a83cfe05c2f3238f59a2ade69cd9c328291c28c43b6612bfb7b29fcb0feee
@@ -8,5 +9,6 @@ AUX systemd/ip6tables-store.service 243 BLAKE2B 30a0d955998a2a664c6a95b8e559898a
 AUX systemd/iptables-restore.service 400 BLAKE2B cd7f700cf717a2efb6504770308f7dcb90a1968f64cca98ea5e7437cf3cf2a2e8f575e3743ac19eec8738c665f4243f537a101c00d5d1cc94648688d4e240a59 SHA512 8c005e321ad041068f243e4baa6588b24b0ffd69991f2129dfab0a34d0ebaf702ff2be8b7328126c84abdc3bbd300e1c387a690c5f6a002b50b2e9148feeb8ef
 AUX systemd/iptables-store.service 240 BLAKE2B 7ddb4425e63cd41f421767fab25a7b055087fddde5927291b3fce6e0e978f0cb3b734bcacf02f78257eec99274056b69058436a847dcb366f5fb70032e410355 SHA512 a720e92b5571a2c3427101105e95e555f3b72541a53c5daa43e361c99ca28830e9e8dd27dbd7cfed40fbbe289ed180f9be7e0f3b6b0cd19bba022a531815fd5e
 DIST iptables-1.8.7.tar.bz2 717862 BLAKE2B fd4dcff142eaadde2a14ce3eb5e45d41c326752553b52900c77fd2e2a20c0685d0a04b95755995e914df47658834d52216d6465c2ae9cd6abc6eb122b95cc976 SHA512 c0a33fafbf1139157a9f52860938ebedc282a1394a68dcbd58981159379eb525919f999b25925f2cb4d6b18089bd99a94b00b3e73cff5cb0a0e47bdff174ed75
+EBUILD iptables-1.8.7-r1.ebuild 4777 BLAKE2B 8966c8181c23b7e48554ea34b22a84ce96de655eb3f1f6d40e33793f067415da67eb276cdc28dce0cb48d034c6fc5f72d59001d989eb82d4859e0ca378493b66 SHA512 429aa79710c3f9f73ad0e6d18d768664419ef144432f8acb0c020551a928eaeee75a750395c18b4890d15227f5f0c1abee7f560bcecebfcce624bbfba0d72ad0
 EBUILD iptables-1.8.7.ebuild 4682 BLAKE2B 6d5e8c0d3b9aa4ec0de723547b23dfde616732d4e525299a7a21738cf0f8bb688b8dc4303592790f2ba835f198bde5da71e9b83f0a8f037c8c6adb2aa9ddd78c SHA512 fca30ef62c65af232436f6cd34c12693e4de65886019f12c5cc2bf2165e52d0dae36370e160887616a4d1b4a05aeb6d9476df4a6083ccd553eb37e54cc8fe573
 MISC metadata.xml 1466 BLAKE2B 7378fedb44c6e6d19e508a764ec997911f966beccd40b1f93096ad3343b7cd72f9ca129e67a666c54ca4382348a448597bd607197ffe6b94669d84306c81d127 SHA512 f89038980e81bfceaf872ff1938c47e8ad12060bbe9ff48e0e9ca9dd5acc0196b2261d2b22a156cbfd7be89d1d67448969d39ff9b28efb0896702760afa14842
diff --git a/net-firewall/iptables/files/iptables-1.8.7-cache-double-free.patch b/net-firewall/iptables/files/iptables-1.8.7-cache-double-free.patch
new file mode 100644
index 000000000000..fc88636d2944
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-1.8.7-cache-double-free.patch
@@ -0,0 +1,61 @@
+commit 4318961230bce82958df82b57f1796143bf2f421
+Author: Phil Sutter <phil@nwl.cc>
+Date:   Tue Sep 21 11:39:45 2021 +0200
+
+    nft: cache: Avoid double free of unrecognized base-chains
+    
+    On error, nft_cache_add_chain() frees the allocated nft_chain object
+    along with the nftnl_chain it points at. Fix nftnl_chain_list_cb() to
+    not free the nftnl_chain again in that case.
+    
+    Fixes: 176c92c26bfc9 ("nft: Introduce a dedicated base chain array")
+    Signed-off-by: Phil Sutter <phil@nwl.cc>
+
+diff --git a/iptables/nft-cache.c b/iptables/nft-cache.c
+index 2c88301c..9a03bbfb 100644
+--- a/iptables/nft-cache.c
++++ b/iptables/nft-cache.c
+@@ -314,9 +314,7 @@ static int nftnl_chain_list_cb(const struct nlmsghdr *nlh, void *data)
+ 		goto out;
+ 	}
+ 
+-	if (nft_cache_add_chain(h, t, c))
+-		goto out;
+-
++	nft_cache_add_chain(h, t, c);
+ 	return MNL_CB_OK;
+ out:
+ 	nftnl_chain_free(c);
+diff --git a/iptables/tests/shell/testcases/chain/0004extra-base_0 b/iptables/tests/shell/testcases/chain/0004extra-base_0
+new file mode 100755
+index 00000000..1b85b060
+--- /dev/null
++++ b/iptables/tests/shell/testcases/chain/0004extra-base_0
+@@ -0,0 +1,27 @@
++#!/bin/bash
++
++case $XT_MULTI in
++*xtables-nft-multi)
++	;;
++*)
++	echo skip $XT_MULTI
++	exit 0
++	;;
++esac
++
++set -e
++
++nft -f - <<EOF
++table ip filter {
++        chain INPUT {
++                type filter hook input priority filter
++                counter packets 218 bytes 91375 accept
++        }
++
++        chain x {
++                type filter hook input priority filter
++        }
++}
++EOF
++
++$XT_MULTI iptables -L
diff --git a/net-firewall/iptables/iptables-1.8.7-r1.ebuild b/net-firewall/iptables/iptables-1.8.7-r1.ebuild
new file mode 100644
index 000000000000..f748bdb9f289
--- /dev/null
+++ b/net-firewall/iptables/iptables-1.8.7-r1.ebuild
@@ -0,0 +1,183 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit systemd toolchain-funcs autotools flag-o-matic usr-ldscript
+
+DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
+HOMEPAGE="https://www.netfilter.org/projects/iptables/"
+SRC_URI="https://www.netfilter.org/projects/iptables/files/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+# Subslot reflects PV when libxtables and/or libip*tc was changed
+# the last time.
+SLOT="0/1.8.3"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
+IUSE="conntrack ipv6 netlink nftables pcap static-libs"
+
+BUILD_DEPEND="
+	>=app-eselect/eselect-iptables-20200508
+"
+COMMON_DEPEND="
+	conntrack? ( >=net-libs/libnetfilter_conntrack-1.0.6 )
+	netlink? ( net-libs/libnfnetlink )
+	nftables? (
+		>=net-libs/libmnl-1.0:0=
+		>=net-libs/libnftnl-1.1.6:0=
+	)
+	pcap? ( net-libs/libpcap )
+"
+DEPEND="${COMMON_DEPEND}
+	virtual/os-headers
+	>=sys-kernel/linux-headers-4.4:0
+"
+BDEPEND="${BUILD_DEPEND}
+	app-eselect/eselect-iptables
+	virtual/pkgconfig
+	nftables? (
+		sys-devel/flex
+		virtual/yacc
+	)
+"
+RDEPEND="${COMMON_DEPEND}
+	${BUILD_DEPEND}
+	nftables? ( net-misc/ethertypes )
+	!<net-firewall/ebtables-2.0.11-r1
+	!<net-firewall/arptables-0.0.5-r1
+"
+
+PATCHES=(
+	"${FILESDIR}/iptables-1.8.4-no-symlinks.patch"
+	"${FILESDIR}/iptables-1.8.2-link.patch"
+	# https://bugs.gentoo.org/831626
+	"${FILESDIR}/iptables-1.8.7-cache-double-free.patch"
+)
+
+src_prepare() {
+	# use the saner headers from the kernel
+	rm include/linux/{kernel,types}.h || die
+
+	default
+	eautoreconf
+}
+
+src_configure() {
+	# Some libs use $(AR) rather than libtool to build #444282
+	tc-export AR
+
+	# Hack around struct mismatches between userland & kernel for some ABIs. #472388
+	use amd64 && [[ ${ABI} == "x32" ]] && append-flags -fpack-struct
+
+	sed -i \
+		-e "/nfnetlink=[01]/s:=[01]:=$(usex netlink 1 0):" \
+		-e "/nfconntrack=[01]/s:=[01]:=$(usex conntrack 1 0):" \
+		configure || die
+
+	local myeconfargs=(
+		--sbindir="${EPREFIX}/sbin"
+		--libexecdir="${EPREFIX}/$(get_libdir)"
+		--enable-devel
+		--enable-shared
+		$(use_enable nftables)
+		$(use_enable pcap bpf-compiler)
+		$(use_enable pcap nfsynproxy)
+		$(use_enable static-libs static)
+		$(use_enable ipv6)
+	)
+	econf "${myeconfargs[@]}"
+}
+
+src_compile() {
+	emake V=1
+}
+
+src_install() {
+	default
+	dodoc INCOMPATIBILITIES iptables/iptables.xslt
+
+	# all the iptables binaries are in /sbin, so might as well
+	# put these small files in with them
+	into /
+	dosbin iptables/iptables-apply
+	dosym iptables-apply /sbin/ip6tables-apply
+	doman iptables/iptables-apply.8
+
+	insinto /usr/include
+	doins include/iptables.h $(use ipv6 && echo include/ip6tables.h)
+	insinto /usr/include/iptables
+	doins include/iptables/internal.h
+
+	keepdir /var/lib/iptables
+	newinitd "${FILESDIR}"/${PN}-r2.init iptables
+	newconfd "${FILESDIR}"/${PN}-r1.confd iptables
+	if use ipv6 ; then
+		keepdir /var/lib/ip6tables
+		dosym iptables /etc/init.d/ip6tables
+		newconfd "${FILESDIR}"/ip6tables-r1.confd ip6tables
+	fi
+
+	if use nftables; then
+		# Bug 647458
+		rm "${ED}"/etc/ethertypes || die
+
+		# Bugs 660886 and 669894
+		rm "${ED}"/sbin/{arptables,ebtables}{,-{save,restore}} || die
+	fi
+
+	systemd_dounit "${FILESDIR}"/systemd/iptables-{re,}store.service
+	if use ipv6 ; then
+		systemd_dounit "${FILESDIR}"/systemd/ip6tables-{re,}store.service
+	fi
+
+	# Move important libs to /lib #332175
+	gen_usr_ldscript -a ip{4,6}tc xtables
+
+	find "${ED}" -type f -name "*.la" -delete || die
+}
+
+pkg_postinst() {
+	local default_iptables="xtables-legacy-multi"
+	if ! eselect iptables show &>/dev/null; then
+		elog "Current iptables implementation is unset, setting to ${default_iptables}"
+		eselect iptables set "${default_iptables}"
+	fi
+
+	if use nftables; then
+		local tables
+		for tables in {arp,eb}tables; do
+			if ! eselect ${tables} show &>/dev/null; then
+				elog "Current ${tables} implementation is unset, setting to ${default_iptables}"
+				eselect ${tables} set xtables-nft-multi
+			fi
+		done
+	fi
+
+	eselect iptables show
+}
+
+pkg_prerm() {
+	if [[ -z ${REPLACED_BY_VERSION} ]]; then
+		elog "Unsetting iptables symlinks before removal"
+		eselect iptables unset
+	fi
+
+	if ! has_version 'net-firewall/ebtables'; then
+		elog "Unsetting ebtables symlinks before removal"
+		eselect ebtables unset
+	elif [[ -z ${REPLACED_BY_VERSION} ]]; then
+		elog "Resetting ebtables symlinks to ebtables-legacy"
+		eselect ebtables set ebtables-legacy
+	fi
+
+	if ! has_version 'net-firewall/arptables'; then
+		elog "Unsetting arptables symlinks before removal"
+		eselect arptables unset
+	elif [[ -z ${REPLACED_BY_VERSION} ]]; then
+		elog "Resetting arptables symlinks to arptables-legacy"
+		eselect arptables set arptables-legacy
+	fi
+
+	# the eselect module failing should not be fatal
+	return 0
+}
-- 
cgit v1.2.3