From d6ecedbb65041ed35010095376e87dd7de4270c5 Mon Sep 17 00:00:00 2001 
From: V3n3RiX Date: Tue, 20 Feb 2024 11:40:01 +0000 Subject: gentoo auto-resync : 20:02:2024 - 11:40:01 --- net-firewall/Manifest.gz | Bin 4232 -> 4226 bytes net-firewall/iptables/Manifest | 7 +- .../files/iptables-1.8.8-format-security.patch | 21 -- .../files/iptables-1.8.8-musl-headers.patch | 59 ------ .../files/iptables-1.8.8-out-of-tree-build.patch | 26 --- .../iptables/files/iptables-1.8.8-uint-musl.patch | 135 ------------ net-firewall/iptables/iptables-1.8.10-r1.ebuild | 179 ++++++++++++++++ net-firewall/iptables/iptables-1.8.8-r5.ebuild | 185 ---------------- net-firewall/nftables/Manifest | 10 +- .../nftables-1.0.8-fix-regression-evaluate.patch | 235 --------------------- net-firewall/nftables/metadata.xml | 1 - net-firewall/nftables/nftables-1.0.7-r1.ebuild | 232 -------------------- net-firewall/nftables/nftables-1.0.8-r1.ebuild | 217 ------------------- net-firewall/nftables/nftables-1.0.8-r2.ebuild | 223 ------------------- net-firewall/xtables-addons/Manifest | 3 - .../xtables-addons/xtables-addons-3.23.ebuild | 189 ----------------- .../xtables-addons/xtables-addons-3.24.ebuild | 189 ----------------- 17 files changed, 181 insertions(+), 1730 deletions(-) delete mode 100644 net-firewall/iptables/files/iptables-1.8.8-format-security.patch delete mode 100644 net-firewall/iptables/files/iptables-1.8.8-musl-headers.patch delete mode 100644 net-firewall/iptables/files/iptables-1.8.8-out-of-tree-build.patch delete mode 100644 net-firewall/iptables/files/iptables-1.8.8-uint-musl.patch create mode 100644 net-firewall/iptables/iptables-1.8.10-r1.ebuild delete mode 100644 net-firewall/iptables/iptables-1.8.8-r5.ebuild delete mode 100644 net-firewall/nftables/files/nftables-1.0.8-fix-regression-evaluate.patch delete mode 100644 net-firewall/nftables/nftables-1.0.7-r1.ebuild delete mode 100644 net-firewall/nftables/nftables-1.0.8-r1.ebuild delete mode 100644 net-firewall/nftables/nftables-1.0.8-r2.ebuild delete mode 100644 
net-firewall/xtables-addons/xtables-addons-3.23.ebuild delete mode 100644 net-firewall/xtables-addons/xtables-addons-3.24.ebuild (limited to 'net-firewall')
diff --git a/net-firewall/Manifest.gz b/net-firewall/Manifest.gz
index 7a57335c55a8..687bb1be3ac1 100644
Binary files a/net-firewall/Manifest.gz and b/net-firewall/Manifest.gz differ
diff --git a/net-firewall/iptables/Manifest b/net-firewall/iptables/Manifest
index c932b4c9516d..751f3164be40 100644
--- a/net-firewall/iptables/Manifest
+++ b/net-firewall/iptables/Manifest
@@ -1,10 +1,6 @@ AUX ip6tables-r1.confd 899 BLAKE2B d8c72df359a35798d7a92958ba9a620ab580427a06765850928181d7b4cc25455c586daaad88bd20e61a9c9218dbc0895de38b006526bb04f4f2e998d8062fbe SHA512 553ddf83558edaccf891a366175e47aad950853be0de556581cfa08f614afa1f4139c94b8d8d2884ed69018513edeb966331d4d6a615829ada65fac2066840e5 AUX iptables-1.8.2-link.patch 785 BLAKE2B 2ef5ac495260eef324f341d5d807e8c59afee8ac4853b46ef8c88765ed786396888d0bcd15822765da5584c25c6cdbbbc6b8b85eb0b8dbdd9b300662b1d59479 SHA512 10f6fdc4e4a37a0becb87f99c49888df366248f02b17037faf83068ef00824ecb61022a40b5551f9c8d2db22262ad738d554296bd6b78765dd5f8baf524b2388 AUX iptables-1.8.4-no-symlinks.patch 800 BLAKE2B 721d2dcc881f781031d2be48659dcd54568b3e8c25ad19d0505699f0cf8276990b41f2ddf9d5eda5c2a77f66ae9a16ae542c42c6fc2d91b085cc5922121f9b00 SHA512 79601d8a8a352f82f0f3eaf85a7b1f830c9ddc400ae0fadaf08eb1848bb9a2801a886b2b0803bf498e353db1828c0976aa8d30c9ece5fdcf61a203070ed4d7cd -AUX iptables-1.8.8-format-security.patch 639 BLAKE2B df5c843d0cd6634740b372300263dd19df3289466ad83d3a10ba9f270519d738d90152cdef273d07c94502166082d6fa5a8908b603289e6d4c9bc9d6987b8b16 SHA512 6e1da61b648259dac02662eee995f9b5117bc8b8c028f0e2afc3346d82a94b7e7faf8ae5cfd484b7dd1a6530973191c1f147579f11e57ebda945115b40134094 -AUX iptables-1.8.8-musl-headers.patch 2061 BLAKE2B 6876d083d179a055c60422397e67a24137ae5bb72cba02f732d4dd7313171c10717202a41f1256196d5b64bc29d22e98d8d0eb9861130fa93481b527d0117e96 SHA512 136f3c7dae7c88739ed1c2d2c14e9a8381013c8a376bee80a7f994098810bb61d76dd143dc65430f0ec7b44d542b64242dd947134936468155840a4a26e6ce79 -AUX iptables-1.8.8-out-of-tree-build.patch 1058 BLAKE2B 5a358632780b607533033dc3bf6b6e24ac1af49dbbc26afae05668187c2a4072dba1cdbf51647b6b5f7c5f68e5a3d64fa82b5b0477d3cd4e936d466b731707fb SHA512 453ed9a2b3b2dddb3ccc9a099386c28290416ea356884084fd4d9bd2b026e21732b91f020fbe55de12ba970b815993f2e3a18a52a6774ab7738383e2f144a973 -AUX iptables-1.8.8-uint-musl.patch 4607 BLAKE2B 
8ca4ba2fec97e99e1f57d9d1f376dbdab53a698279534879163ad5dade629cda3ac232df54d57ae75e589c2327492953e0c30356bdc4367b9a1474afc259136c SHA512 01d3af7330334b5002ec9d50e4b469651148b911d9ab5d45d5a2cd08e72c3be5e770c047cbc337485e40cb622ee470faa9ed91b53ca59e09a1c197bf5df48a9a AUX iptables-1.8.9-fix-checking-existence-of-rule.patch 1239 BLAKE2B 664a47b1c0f2360493dce886c6dcf8cfbf165eb1a490cf7cf8d182073b0256bb140a547f9b8ce79d26424e9bb76047b41582a3a7b7f7f5e1301269a849d4389a SHA512 63e6dfba096c163995760a7a1a8881c90a61e7a247f1c87ef3f162597e2e1161e2c5438e1e467c6e600847e011430520556315d1aae72baac005dede1f69f7cc AUX iptables-1.8.9-format-security.patch 870 BLAKE2B fc33c16eae1c77a5714ecb3f7bbb859dfe64b9506ac82a6d8f91f206d24a5ebf66664e141b60e4580e59bd85314d27df5edf6bd11511ffa4dab7deaf833ccb93 SHA512 7551438de030506e4fe462a715f6a16637991f90cfaddc352a95c0341c72ae7d90728bc0a4e56da2cc108ff2c4e3f9e92451fb6dc65633d47973694550fd08b4 AUX iptables-r1.confd 890 BLAKE2B 0aaca870e3c03f19a71cf1b210377dfda320faf118359e298bef419eaf280fd11c9726d200ae89602e863c9b48de0bb51ac05424b50c064afe948a980e300153 SHA512 10002da01ded6be0e9bca6041798ad0859fa2212fde077a048443e4f3012c95d86e4580ae426e87af5891368062af9af6f9fd35ed617d24cdd3c51702b816b13 
@@ -14,10 +10,9 @@ AUX systemd/ip6tables-store.service 243 BLAKE2B 30a0d955998a2a664c6a95b8e559898a AUX systemd/iptables-restore.service 400 BLAKE2B cd7f700cf717a2efb6504770308f7dcb90a1968f64cca98ea5e7437cf3cf2a2e8f575e3743ac19eec8738c665f4243f537a101c00d5d1cc94648688d4e240a59 SHA512 8c005e321ad041068f243e4baa6588b24b0ffd69991f2129dfab0a34d0ebaf702ff2be8b7328126c84abdc3bbd300e1c387a690c5f6a002b50b2e9148feeb8ef AUX systemd/iptables-store.service 240 BLAKE2B 7ddb4425e63cd41f421767fab25a7b055087fddde5927291b3fce6e0e978f0cb3b734bcacf02f78257eec99274056b69058436a847dcb366f5fb70032e410355 SHA512 a720e92b5571a2c3427101105e95e555f3b72541a53c5daa43e361c99ca28830e9e8dd27dbd7cfed40fbbe289ed180f9be7e0f3b6b0cd19bba022a531815fd5e DIST iptables-1.8.10.tar.xz 641168 BLAKE2B 417b33fcfc7edeba169caef26ed0322798f6b82500840509f6c10b97b4ef3f11932c0393fc8dcc5946264442bf8ee959a594b6fbd5dc92012cfad30edf130520 SHA512 71e6ed2260859157d61981a4fe5039dc9e8d7da885a626a4b5dae8164c509a9d9f874286b9468bb6a462d6e259d4d32d5967777ecefdd8a293011ae80c00f153 -DIST iptables-1.8.8.tar.bz2 746985 BLAKE2B 0da021cc7313b86af331768904956dab3eee3de245a7b03965129f3d7f13097fc03fbb1390167dcd971eff216eabad9e59b261a9c0f54bfc48a77453aa40d164 SHA512 f21df23279a77531a23f3fcb1b8f0f8ec0c726bda236dd0e33af74b06753baff6ce3f26fb9fcceb6fada560656ba901e68fc6452eb840ac1b206bc4654950f59 DIST iptables-1.8.9.tar.xz 637848 BLAKE2B 37ba80be0ee7049c4d3ee5689b273b4d2cc6e6fb9ebb297e86976b5750f987f2ae4536013fe1749ae79b6989c241eaece3202019fafd47d842c7a4fe3e5093b1 SHA512 e367bf286135e39b7401e852de25c1ed06d44befdffd92ed1566eb2ae9704b48ac9196cb971f43c6c83c6ad4d910443d32064bcdf618cfcef6bcab113e31ff70 +EBUILD iptables-1.8.10-r1.ebuild 4575 BLAKE2B 7462aae70105c7e17627352b40387981f737ca73bc4d90a79f844c7894392a0d6b2c16e89df4300f5f743077abfae52cfff54c070801cb29bab264012cd41eeb SHA512 4063436980926c496fed66ed98497b2a7ed6174fc2d9b5de1d8991fff08bdbd8e2b4e9cd66d3d84fd07aecb62c715d35234210b8148cf2c8378e4759522b0f06 EBUILD iptables-1.8.10.ebuild 4672 
BLAKE2B 08a99d7350339256feceb818ddff4c4ddb9c3a50595fed8f2f0fe2d6fdcbc05187f3245c8615288bb6768b9465279100371b067a39d64c8ba0a41591db169e73 SHA512 a774e1fc76a501748cb8151b2cae33f6a219d7b673f3d0426355d66a12ff9994650255e6cc43b55a61297a4af6e5d674773b23ece20a15ee3e671b735e7b3c8d -EBUILD iptables-1.8.8-r5.ebuild 4739 BLAKE2B 4345d633b233c0640035f83799013fb14ca2e1aa993472adbc2d730556f10b435609e1950791a5f914958d0464db227473ef36b3f37f10c734697ba1f6ff5152 SHA512 0a1f812081ce8a6481e64582a5ee1b1a7e4693d7728fed7c3f265b71e43334261e9694a8b0ccb06ff354f67e9cda729f7b2ad25c82cfcea47b72f427dbd165dc EBUILD iptables-1.8.9-r2.ebuild 4681 BLAKE2B 7351c269b83c5cd41547e0bee5d5b55e0c1fe51ee316fb96b2db4c1689550db79970f3f8a2b20cba2fb4990157328f0115529a8fa467048cf1f6a03b648ee9fa SHA512 5003888f620e3fb68ba0b4bf482771607f0010274369ea25fed9cfe8ba8265c08421f099edb0b361f5f24fb95a408b9209e231336acda183b929c91f246d0d20 EBUILD iptables-1.8.9.ebuild 4556 BLAKE2B 76c710543d3aaa744ea299126cb97ac793f7c7c382cadbaab6e378d4249901d65cc7eb0ab9bf95e0571fd6902c74f5b207b3a6b4297f67d22743d52eed5419a3 SHA512 73c363ceec2be0a032088a9ddcbf7b4c6abf0886f32d59fb20369f6a816f3e29025a938e5c9326d36e4032a8a2c2795c61e625556c7e4614021e3fec6378c258 MISC metadata.xml 1466 BLAKE2B 7378fedb44c6e6d19e508a764ec997911f966beccd40b1f93096ad3343b7cd72f9ca129e67a666c54ca4382348a448597bd607197ffe6b94669d84306c81d127 SHA512 f89038980e81bfceaf872ff1938c47e8ad12060bbe9ff48e0e9ca9dd5acc0196b2261d2b22a156cbfd7be89d1d67448969d39ff9b28efb0896702760afa14842 diff --git a/net-firewall/iptables/files/iptables-1.8.8-format-security.patch b/net-firewall/iptables/files/iptables-1.8.8-format-security.patch deleted file mode 100644 index fafc435379b5..000000000000 --- a/net-firewall/iptables/files/iptables-1.8.8-format-security.patch +++ /dev/null 
@@ -1,21 +0,0 @@ -https://git.netfilter.org/iptables/commit/?id=b72eb12ea5a61df0655ad99d5048994e916be83a - -From: Phil Sutter -Date: Fri, 13 May 2022 16:51:58 +0200 -Subject: xshared: Fix build for -Werror=format-security - -Gcc complains about the omitted format string. - -Signed-off-by: Phil Sutter ---- a/iptables/xshared.c -+++ b/iptables/xshared.c -@@ -1307,7 +1307,7 @@ static void check_empty_interface(struct xtables_args *args, const char *arg) - return; - - if (args->family != NFPROTO_ARP) -- xtables_error(PARAMETER_PROBLEM, msg); -+ xtables_error(PARAMETER_PROBLEM, "%s", msg); - - fprintf(stderr, "%s", msg); - } -cgit v1.2.3 diff --git a/net-firewall/iptables/files/iptables-1.8.8-musl-headers.patch b/net-firewall/iptables/files/iptables-1.8.8-musl-headers.patch deleted file mode 100644 index 52e2c7019972..000000000000 --- a/net-firewall/iptables/files/iptables-1.8.8-musl-headers.patch +++ /dev/null 
@@ -1,59 +0,0 @@ -https://git.netfilter.org/iptables/commit/?id=0e7cf0ad306cdf95dc3c28d15a254532206a888e -https://bugs.gentoo.org/846377 - -From: Phil Sutter -Date: Wed, 18 May 2022 16:04:09 +0200 -Subject: Revert "fix build for missing ETH_ALEN definition" -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This reverts commit c5d9a723b5159a28f547b577711787295a14fd84 as it broke -compiling against musl libc. Might be a bug in the latter, but for the -time being try to please both by avoiding the include and instead -defining ETH_ALEN if unset. - -While being at it, move netinet/ether.h include up. - -Fixes: 1bdb5535f561a ("libxtables: Extend MAC address printing/parsing support") -Signed-off-by: Phil Sutter -Reviewed-by: Maciej Żenczykowski ---- a/libxtables/xtables.c -+++ b/libxtables/xtables.c -@@ -28,6 +28,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -45,7 +46,6 @@ - - #include - #include /* INT_MAX in ip_tables.h/ip6_tables.h */ --#include /* ETH_ALEN */ - #include - #include - #include -@@ -72,6 +72,10 @@ - #define PROC_SYS_MODPROBE "/proc/sys/kernel/modprobe" - #endif - -+#ifndef ETH_ALEN -+#define ETH_ALEN 6 -+#endif -+ - /* we need this for ip6?tables-restore. ip6?tables-restore.c sets line to the - * current line of the input file, in order to give a more precise error - * message. ip6?tables itself doesn't need this, so it is initialized to the -@@ -2245,8 +2249,6 @@ void xtables_print_num(uint64_t number, unsigned int format) - printf(FMT("%4lluT ","%lluT "), (unsigned long long)number); - } - --#include -- - static const unsigned char mac_type_unicast[ETH_ALEN] = {}; - static const unsigned char msk_type_unicast[ETH_ALEN] = {1}; - static const unsigned char mac_type_multicast[ETH_ALEN] = {1}; -cgit v1.2.3 
diff --git a/net-firewall/iptables/files/iptables-1.8.8-out-of-tree-build.patch b/net-firewall/iptables/files/iptables-1.8.8-out-of-tree-build.patch deleted file mode 100644 index ee9e218b5dbd..000000000000 --- a/net-firewall/iptables/files/iptables-1.8.8-out-of-tree-build.patch +++ /dev/null @@ -1,26 +0,0 @@ -https://git.netfilter.org/iptables/commit/?id=0ebf52fc951b2a4d98a166afb34af4f364bbeece - -From: Ben Brown -Date: Wed, 25 May 2022 16:26:13 +0100 -Subject: build: Fix error during out of tree build - -Fixes the following error: - - ../../libxtables/xtables.c:52:10: fatal error: libiptc/linux_list.h: No such file or directory - 52 | #include - -Fixes: f58b0d7406451 ("libxtables: Implement notargets hash table") -Signed-off-by: Ben Brown -Signed-off-by: Phil Sutter ---- a/libxtables/Makefile.am -+++ b/libxtables/Makefile.am -@@ -1,7 +1,7 @@ - # -*- Makefile -*- - - AM_CFLAGS = ${regular_CFLAGS} --AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include -I${top_srcdir}/include -I${top_srcdir}/iptables ${kinclude_CPPFLAGS} -+AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include -I${top_srcdir}/include -I${top_srcdir}/iptables -I${top_srcdir} ${kinclude_CPPFLAGS} - - lib_LTLIBRARIES = libxtables.la - libxtables_la_SOURCES = xtables.c xtoptions.c getethertype.c -cgit v1.2.3 diff --git a/net-firewall/iptables/files/iptables-1.8.8-uint-musl.patch b/net-firewall/iptables/files/iptables-1.8.8-uint-musl.patch deleted file mode 100644 index 40302f624e23..000000000000 --- a/net-firewall/iptables/files/iptables-1.8.8-uint-musl.patch +++ /dev/null 
@@ -1,135 +0,0 @@ -https://git.netfilter.org/iptables/commit/?id=f319389525b066b7dc6d389c88f16a0df3b8f189 - -From: Nick Hainke -Date: Mon, 16 May 2022 18:16:41 +0200 -Subject: treewide: use uint* instead of u_int* - -Gcc complains about missing types. Some commits introduced u_int* instead -of uint*. Use uint treewide. - -Fixes errors in the form of: -In file included from xtables-legacy-multi.c:5: -xshared.h:83:56: error: unknown type name 'u_int16_t'; did you mean 'uint16_t'? - 83 | set_option(unsigned int *options, unsigned int option, u_int16_t *invflg, - | ^~~~~~~~~ - | uint16_t -make[6]: *** [Makefile:712: xtables_legacy_multi-xtables-legacy-multi.o] Error 1 - -Avoid libipq API breakage by adjusting libipq.h include accordingly. For -arpt_mangle.h kernel uAPI header, apply same change as in kernel commit -e91ded8db5747 ("uapi: netfilter_arp: use __u8 instead of u_int8_t"). - -Signed-off-by: Nick Hainke -Signed-off-by: Phil Sutter ---- a/extensions/libxt_conntrack.c -+++ b/extensions/libxt_conntrack.c -@@ -778,7 +778,7 @@ matchinfo_print(const void *ip, const struct xt_entry_match *match, int numeric, - - static void - conntrack_dump_ports(const char *prefix, const char *opt, -- u_int16_t port_low, u_int16_t port_high) -+ uint16_t port_low, uint16_t port_high) - { - if (port_high == 0 || port_low == port_high) - printf(" %s%s %u", prefix, opt, port_low); ---- a/include/libipq/libipq.h -+++ b/include/libipq/libipq.h -@@ -24,7 +24,7 @@ - #include - #include - #include --#include -+#include - #include - #include - #include -@@ -48,19 +48,19 @@ typedef unsigned long ipq_id_t; - struct ipq_handle - { - int fd; -- u_int8_t blocking; -+ uint8_t blocking; - struct sockaddr_nl local; - struct sockaddr_nl peer; - }; - --struct ipq_handle *ipq_create_handle(u_int32_t flags, u_int32_t protocol); -+struct ipq_handle *ipq_create_handle(uint32_t flags, uint32_t protocol); - - int ipq_destroy_handle(struct ipq_handle *h); - - ssize_t ipq_read(const struct ipq_handle *h, - 
unsigned char *buf, size_t len, int timeout); - --int ipq_set_mode(const struct ipq_handle *h, u_int8_t mode, size_t len); -+int ipq_set_mode(const struct ipq_handle *h, uint8_t mode, size_t len); - - ipq_packet_msg_t *ipq_get_packet(const unsigned char *buf); - ---- a/include/libiptc/libxtc.h -+++ b/include/libiptc/libxtc.h -@@ -10,7 +10,7 @@ extern "C" { - #endif - - #ifndef XT_MIN_ALIGN --/* xt_entry has pointers and u_int64_t's in it, so if you align to -+/* xt_entry has pointers and uint64_t's in it, so if you align to - it, you'll also align to any crazy matches and targets someone - might write */ - #define XT_MIN_ALIGN (__alignof__(struct xt_entry)) ---- a/include/linux/netfilter_arp/arpt_mangle.h -+++ b/include/linux/netfilter_arp/arpt_mangle.h -@@ -13,7 +13,7 @@ struct arpt_mangle - union { - struct in_addr tgt_ip; - } u_t; -- u_int8_t flags; -+ __u8 flags; - int target; - }; - ---- a/iptables/xshared.c -+++ b/iptables/xshared.c -@@ -1025,7 +1025,7 @@ static const int inverse_for_options[NUMBER_OF_OPT] = - }; - - void --set_option(unsigned int *options, unsigned int option, u_int16_t *invflg, -+set_option(unsigned int *options, unsigned int option, uint16_t *invflg, - bool invert) - { - if (*options & option) ---- a/iptables/xshared.h -+++ b/iptables/xshared.h -@@ -80,7 +80,7 @@ struct xtables_target; - #define IPT_INV_ARPHRD 0x0800 - - void --set_option(unsigned int *options, unsigned int option, u_int16_t *invflg, -+set_option(unsigned int *options, unsigned int option, uint16_t *invflg, - bool invert); - - /** ---- a/libipq/ipq_create_handle.3 -+++ b/libipq/ipq_create_handle.3 -@@ -24,7 +24,7 @@ ipq_create_handle, ipq_destroy_handle \(em create and destroy libipq handles. 
- .br - .B #include - .sp --.BI "struct ipq_handle *ipq_create_handle(u_int32_t " flags ", u_int32_t " protocol ");" -+.BI "struct ipq_handle *ipq_create_handle(uint32_t " flags ", uint32_t " protocol ");" - .br - .BI "int ipq_destroy_handle(struct ipq_handle *" h ); - .SH DESCRIPTION ---- a/libipq/ipq_set_mode.3 -+++ b/libipq/ipq_set_mode.3 -@@ -24,7 +24,7 @@ ipq_set_mode \(em set the ip_queue queuing mode - .br - .B #include - .sp --.BI "int ipq_set_mode(const struct ipq_handle *" h ", u_int8_t " mode ", size_t " range ); -+.BI "int ipq_set_mode(const struct ipq_handle *" h ", uint8_t " mode ", size_t " range ); - .SH DESCRIPTION - The - .B ipq_set_mode -cgit v1.2.3 diff --git a/net-firewall/iptables/iptables-1.8.10-r1.ebuild b/net-firewall/iptables/iptables-1.8.10-r1.ebuild new file mode 100644 index 000000000000..4dc9d9c412ed --- /dev/null +++ b/net-firewall/iptables/iptables-1.8.10-r1.ebuild 
@@ -0,0 +1,179 @@ +# Copyright 1999-2024 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +inherit systemd toolchain-funcs autotools flag-o-matic + +DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools" +HOMEPAGE="https://www.netfilter.org/projects/iptables/" +SRC_URI="https://www.netfilter.org/projects/iptables/files/${P}.tar.xz" + +LICENSE="GPL-2" +# Subslot reflects PV when libxtables and/or libip*tc was changed +# the last time. +SLOT="0/1.8.3" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86" +IUSE="conntrack netlink nftables pcap static-libs test" +RESTRICT="!test? ( test )" +# TODO: skip tests needing nftables if no xtables-nft-multi (bug #890628) +REQUIRED_USE="test? ( conntrack nftables )" + +COMMON_DEPEND=" + conntrack? ( >=net-libs/libnetfilter_conntrack-1.0.6 ) + netlink? ( net-libs/libnfnetlink ) + nftables? ( + >=net-libs/libmnl-1.0:= + >=net-libs/libnftnl-1.2.6:= + ) + pcap? ( net-libs/libpcap ) +" +DEPEND=" + ${COMMON_DEPEND} + virtual/os-headers + >=sys-kernel/linux-headers-4.4:0 +" +BDEPEND=" + virtual/pkgconfig + nftables? ( + app-alternatives/lex + app-alternatives/yacc + ) +" +RDEPEND=" + ${COMMON_DEPEND} + nftables? ( net-misc/ethertypes ) + !/dev/null; then + elog "Current iptables implementation is unset, setting to ${default_iptables}" + eselect iptables set "${default_iptables}" + fi + + if use nftables; then + local tables + for tables in {arp,eb}tables; do + if ! eselect ${tables} show &>/dev/null; then + elog "Current ${tables} implementation is unset, setting to ${default_iptables}" + eselect ${tables} set xtables-nft-multi + fi + done + fi + + eselect iptables show +} + +pkg_prerm() { + if [[ -z ${REPLACED_BY_VERSION} ]]; then + elog "Unsetting iptables symlinks before removal" + eselect iptables unset + fi + + if ! 
has_version 'net-firewall/ebtables'; then + elog "Unsetting ebtables symlinks before removal" + eselect ebtables unset + elif [[ -z ${REPLACED_BY_VERSION} ]]; then + elog "Resetting ebtables symlinks to ebtables-legacy" + eselect ebtables set ebtables-legacy + fi + + if ! has_version 'net-firewall/arptables'; then + elog "Unsetting arptables symlinks before removal" + eselect arptables unset + elif [[ -z ${REPLACED_BY_VERSION} ]]; then + elog "Resetting arptables symlinks to arptables-legacy" + eselect arptables set arptables-legacy + fi + + # The eselect module failing should not be fatal + return 0 +} diff --git a/net-firewall/iptables/iptables-1.8.8-r5.ebuild b/net-firewall/iptables/iptables-1.8.8-r5.ebuild deleted file mode 100644 index cf0ad131a044..000000000000 --- a/net-firewall/iptables/iptables-1.8.8-r5.ebuild +++ /dev/null 
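Review bot: In pkg_postinst, the arptables/ebtables loop logs "setting to ${default_iptables}" while the command that follows is `eselect ${tables} set xtables-nft-multi`, so the elog can name a different backend than the one actually selected. For a firewall package that mismatch matters, because the legacy and nft variants keep separate rule sets and an administrator who trusts the message may inspect or load rules through the wrong one. The message should state the value that is set, e.g. `elog "Current ${tables} implementation is unset, setting to xtables-nft-multi"`. The start of pkg_postinst, including the assignment of default_iptables, is missing from this page (the text is cut between the `!` in RDEPEND and `/dev/null; then`), so whether the two values can ever coincide could not be confirmed from the visible lines.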
@@ -1,185 +0,0 @@ -# Copyright 1999-2024 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=8 - -inherit systemd toolchain-funcs autotools flag-o-matic usr-ldscript - -DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools" -HOMEPAGE="https://www.netfilter.org/projects/iptables/" -SRC_URI="https://www.netfilter.org/projects/iptables/files/${P}.tar.bz2" - -LICENSE="GPL-2" -# Subslot reflects PV when libxtables and/or libip*tc was changed -# the last time. -SLOT="0/1.8.3" -KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86" -IUSE="conntrack netlink nftables pcap static-libs" - -COMMON_DEPEND=" - conntrack? ( >=net-libs/libnetfilter_conntrack-1.0.6 ) - netlink? ( net-libs/libnfnetlink ) - nftables? ( - >=net-libs/libmnl-1.0:= - >=net-libs/libnftnl-1.1.6:= - ) - pcap? ( net-libs/libpcap ) -" -DEPEND=" - ${COMMON_DEPEND} - virtual/os-headers - >=sys-kernel/linux-headers-4.4:0 -" -BDEPEND=" - virtual/pkgconfig - nftables? ( - app-alternatives/lex - app-alternatives/yacc - ) -" -RDEPEND=" - ${COMMON_DEPEND} - nftables? ( net-misc/ethertypes ) - !/dev/null; then - elog "Current iptables implementation is unset, setting to ${default_iptables}" - eselect iptables set "${default_iptables}" - fi - - if use nftables; then - local tables - for tables in {arp,eb}tables; do - if ! eselect ${tables} show &>/dev/null; then - elog "Current ${tables} implementation is unset, setting to ${default_iptables}" - eselect ${tables} set xtables-nft-multi - fi - done - fi - - eselect iptables show -} - -pkg_prerm() { - if [[ -z ${REPLACED_BY_VERSION} ]]; then - elog "Unsetting iptables symlinks before removal" - eselect iptables unset - fi - - if ! 
has_version 'net-firewall/ebtables'; then - elog "Unsetting ebtables symlinks before removal" - eselect ebtables unset - elif [[ -z ${REPLACED_BY_VERSION} ]]; then - elog "Resetting ebtables symlinks to ebtables-legacy" - eselect ebtables set ebtables-legacy - fi - - if ! has_version 'net-firewall/arptables'; then - elog "Unsetting arptables symlinks before removal" - eselect arptables unset - elif [[ -z ${REPLACED_BY_VERSION} ]]; then - elog "Resetting arptables symlinks to arptables-legacy" - eselect arptables set arptables-legacy - fi - - # The eselect module failing should not be fatal - return 0 -} diff --git a/net-firewall/nftables/Manifest b/net-firewall/nftables/Manifest index 0dfa50c26bc2..980f347a01c7 100644 --- a/net-firewall/nftables/Manifest +++ b/net-firewall/nftables/Manifest 
@@ -1,21 +1,13 @@ AUX libexec/nftables-mk.sh 1070 BLAKE2B 30d8109d74e7d8c4f51c753f676f91a1902ad42f6d68662f1191ff73d2a43a1bf49fb795f3763705f8aeb0a4f22cab0006a943e01adb188f1ef9eb05125dfdbd SHA512 a14e48f014f75c7e611bf2a653d9760804754febd1ae4543f78abbfbe60c79f5aa07c5fd53fe26bb74b48fcb8cb8aa78274771212e41c42db031e8c8ba7e81d2 AUX libexec/nftables.sh 3665 BLAKE2B 74362a4425e974e74e7b895980002f0ded2ecbb4731bbf956edb56ffb9f1ad394802c4eeab3af3735eba4d8e71572a5663e564ce4e7fad76c9715043b90c1b43 SHA512 6cb1ac0928ae2da5c69764d45c52a661a6d72698bb9edd6a603580d2f9bd82b59f2a2661e7569ade3a3b729459d115004f251ad6a5eac8cdf1d38c65bfa9349e AUX man-pages/gen-manpages.bash 1797 BLAKE2B c93cc311570abd674a12eb88711cf01664f437b8dc0fb4de36194f36671d92c35e04fcff6c56adcb0e642f089169f63ef063736398584e5e7ce799bf55acf2ff SHA512 ea3291412ce13d9dd463403fcc11c665c9de63edaabdecaf55e051b52b0ff845c9c7d63a6c4c08e4d2d94428815fe11daf9b7390081b4e9de4774e188b9ea677 -AUX nftables-1.0.8-fix-regression-evaluate.patch 6903 BLAKE2B a211c8765e1d2181bce6dcd45ae5c9e9dc5b73daa00577ea9d192d92dd5546976dc42a64381ad37ddb9fe18ad330c68a5bd0faa49648a97f66444c7e8aacd97d SHA512 0072853d07c89bb0f5f92a224b761e3ce9724b4a8712024e3d0abf881ba4964f3e85e5680f660b5565a551aa9b5b4106eed3ba8affbe9db02358292127971daf AUX nftables-mk.confd 899 BLAKE2B f4c3d82fbae87fb0d755af786a98db591b6a667cf33660ba9275ada2e6417fad1899a7f29762f23c112fc5c9e178bc7590c3b2ba26617853c3577917bd7d3edf SHA512 505ed05674a04367f1a3d5cf6447596ad1c3b2e9c920697f12f58a20d94c2a39b0041bb4911678511c4548566a69d964661d4afc3e7e27997943b875f204c602 AUX nftables-mk.init-r1 1970 BLAKE2B 9ece7da364eac76ef2ac401f4cc3ed558e926e8f07ab43f084de819098e9543bda0a9a8d40375e4e01dd6e53b92d744acf8f3caaeab1c3678ca84b1f48d59685 SHA512 9f1e491ba5fd8a1173eb055bfa5a0de3c040c158e7d54848fcd373a5f4c4041df6fb9ddc5b0e8fdfd78243665c627b8767816bcf94dd142b441b21227206fef3 AUX nftables.confd 655 BLAKE2B 
5512be1edd43e270941de3d9b66fda69e4afd7c7e6e970b232a044c2fd64f8e50b9b55a4fe670174c3eabf3d176ee0158c1043baec4b76b0802e7e97bc862fcf SHA512 8370abcdc89fcd9da5dc7d1620be6afb4633b8bcd0a8a120b464cc1a7e1fab6f34956c293da3f6d3cbe1f7a2e03038fd0c94a614137ae5657d29ffdb5f3fa144 AUX nftables.init-r1 2279 BLAKE2B 1c4c28ea5b6a22905b3ec7de8e54726933b579352ecd799b7641384a138ffa2d4a2deb87d84ef5d75a43ae30759f1550d611c2560096bb5083cae9bb834be2bb SHA512 2165223bfd4f300b9cc01f604347fc5167f68515174b0d116b667bd05f4baf8c2f931e482f632975a8be371c2147951d9407f397ea4dbcbac79a6738cbd23015 AUX systemd/nftables-restore.service 394 BLAKE2B 1c1f358eb2eff789e68c051098c971f11a8df6621c3c919e30a1ec1213f6db822c390609c01827fe9fc75c540effa3e3a7b6f93bd24e16ea19841bbfaab796ed SHA512 18da6a770bb3e94fd6b2c9e6f033450aaff9fe886c8846f780d08a21e2fc884ac078652743b50b3d4ea8c9500f92d272bdd27e2881e438c2b223d40816c100a0 -DIST nftables-1.0.7.tar.xz 857140 BLAKE2B 972adbb958f36b300618ce03fbbfc1fdb6fd55a3512227e4bc1fd71365be5cc8d3ee105424e8cc513588100bf00d5e69486310435efb2b0d3f5d464ed6999859 SHA512 063f3a42327fd4dca9214314c7e7bcc7310f2ccbbce4c36f86a291d61d443f94b0f91435ecd04eb757596df8be91a802daeef394ba422c3623a81b2917e01116 -DIST nftables-1.0.7.tar.xz.sig 566 BLAKE2B 53abe2598e9b362912d3e2e94ea6e04352d0484b9d1d645c8f18b6133be53d63a8d71d500e57528a57aededb84dedaf61010236afda560b16e7642db45e2f45c SHA512 b5821aa6939dc5b4d16065d9d7083e4ff40b9f99417354efbcbc95a8ccde43108b99a5b8a75a24086cd3df2291a049cad3adb7b06e2c098f0eb7861f85c5c768 -DIST nftables-1.0.8.tar.xz 882980 BLAKE2B cdf174846cbc3e581993cdee3a24e5ead3fdbb3d6b24d51473ed88affb7fcf70279a8374a4963b31044a9e64cb72ddb28ca1f1686bbaa3101eed4d623fb67d05 SHA512 06053c05a0d7c84a5cc4d22733836dadf9880c3552df3dace6d30aea95c7e1edb5528ea45df8576f282c15bf58f23407e26efb22257bd98a478849a8bdd4f8d5 -DIST nftables-1.0.8.tar.xz.sig 566 BLAKE2B 2f22b9467a55a46ec9e8caf13efe3cd59a6a1a867174602b583549ccaff54576b5f80b5ad9b1cefd208c3f49bc6ce07072626218f479628df369ed7294e1b83b SHA512 
0ddd8f29dc5ba891069c63715719f11c0a4745f1e3cd9cd7f9e388ac35835cfbe8f34b371a2ce2a06cbda42384cc72d0bf57746fb02757d68a9b053bbbd67a77 DIST nftables-1.0.9.tar.xz 971968 BLAKE2B 1dfd1e79d3a7b645fd0995dad10893d70dbd13c92805c5cf30825acbbeb45071b2095072cecbd14b4f66cf0c284d2937a996c6b8013213438f53b92731af039d SHA512 dc34099658e283d9fd4d06264b593710121074558305ea23ab298c5f6a6b564a826f186241b6e106fbaa4e11160cf77e68bb52b4ce401b28d8d2e403cd4b88e8 DIST nftables-1.0.9.tar.xz.sig 566 BLAKE2B d4bb0a1f629d2950753799fba18f6c3ce50e5ff242816e392245a714bfeccb3408583added4362f1e0da47cc6e30b0b95f864cf8443a1872d59ae40b15b5f706 SHA512 9b96ce8539700713ff4802fb2deff5b2ea0dd3155c45f5a8f49a45f70226893c7449e0b79504833b2e63e5290290e693c962128a226ca8f6ca281185bdcd7b51 -EBUILD nftables-1.0.7-r1.ebuild 6835 BLAKE2B 4a6ab7443ed492eb1029c3f6a065101a85b92a87b8cfe872e7ed1d9a9fd44c3a56be38f7295bb5c881521a783cc55ad3fd8883fd6d76ccd8c96374a7eefabf11 SHA512 6e8c6a6e12a55bcb32c697658445d5e33453dc252fb2260187c0b513a0356663e0e491beb2901c0edc89ee0573499dc1dbb5342c3569031ccaf8cb95bddf2f21 -EBUILD nftables-1.0.8-r1.ebuild 6452 BLAKE2B 97ddb81c64df8e81900eb6c41818c484669cbd462c1b4f5a0360cc867637f30e4df4f31c34e680b12e0a5174988004887b61b2eead5d460c5a4b90b09ca911ec SHA512 edb90cfaf1474698b9a68be020627fbfacac7a275b8ebda497e958708019e3f0a357ea826ec654c9d774689716139295ace2b0cf0879f7bd6f8b9d82b46cf699 -EBUILD nftables-1.0.8-r2.ebuild 6512 BLAKE2B 809ade4a868b3307db5088208fbe3339864c977890fe9c6e2545df6c3426189106bcfc8d64ddd03e1344237902c9f64d8ffabf4106a8ce6b55f5be8c4911d1cf SHA512 10dd618102a51036105c2aa2eb2931a6c0c63142d540e3e124f098cb7299d65ee054eb87e134bcccb85cbc2f64102ebe8b25bca0367297933748b520f6cd1aef EBUILD nftables-1.0.9.ebuild 6478 BLAKE2B 6a2b1299a1f12d13a24021019b5134294b64f46e87dbbe3419127777f1959eb2b608aab5203a24e7efb5ea7f5fbc35eb9a361bc92d7abc8dd6de34c1be5f527b SHA512 26fce18a97ddca1eb163f22d304f04b70d765a39d36e8b2d9ddaa8233835bbb83fd76631bae5a2db0890947095136bccf45b75c0df414b0870a4756ebda26843 EBUILD 
nftables-9999.ebuild 6486 BLAKE2B ff3058cc2be5b26e39f6669d587d56f53db08a31aae5a6149450c1b98554ce4895e34754c24b5423b5ce5be007ad81d581230c6b69f50660b515f5574e78f727 SHA512 ab875fbab2efb4c89116e26e2da961ba000c89057c930bf23be26f4d4a41eea833758e196cd0fa9a78402e5d01f89640fefab4822acce2f06012e970f8948525 -MISC metadata.xml 933 BLAKE2B 8e76ce489c41dcc01e222d77af40f2ba5cb7ddffc2bc818c6fc8c16e24dc308c125ce4d78db1647e77af96f32c85dd3391f7079e2cee26c129c56557e0c48c8a SHA512 058d38df1dbb2c1d0e611bd992f37498d3977561c3b34846fdf0d569573f2ef93a29a216ab491e583cfc2399c55c839d256dfcf8b1d7aaba63ed6ea90f22df25 +MISC metadata.xml 824 BLAKE2B 141fb69b52c99b995ae70254175a0e9d9547994b284bc5285e1c556b74c6b3cd0f4d65b34a67eff660baf2ab8dd9b353cc6e7494517ee59c8c153d9b805b3cbc SHA512 b76c748da850aaca6e62ce3fba6bb48066ec61195618b2222f8395e503b29d41ed41b054d8d40f06b06ba578ef13405e92e1ec90b20b8125aa261a63a7b83cab diff --git a/net-firewall/nftables/files/nftables-1.0.8-fix-regression-evaluate.patch b/net-firewall/nftables/files/nftables-1.0.8-fix-regression-evaluate.patch deleted file mode 100644 index 1b81ab0e6ef2..000000000000 --- a/net-firewall/nftables/files/nftables-1.0.8-fix-regression-evaluate.patch +++ /dev/null 
@@ -1,235 +0,0 @@ -https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230719001444.154070-1-pablo@netfilter.org/ -https://git.netfilter.org/nftables/commit/?id=5f1676ac9f1aeb36d7695c3c354dade013a1e4f3 - -From 5f1676ac9f1aeb36d7695c3c354dade013a1e4f3 Mon Sep 17 00:00:00 2001 -From: Pablo Neira Ayuso -Date: Tue, 18 Jul 2023 23:10:01 +0200 -Subject: meta: stash context statement length when generating payload/meta - dependency - -... meta mark set ip dscp - -generates an implicit dependency from the inet family to match on meta -nfproto ip. - -The length of this implicit expression is incorrectly adjusted to the -statement length, ie. relational to compare meta nfproto takes 4 bytes -instead of 1 byte. The evaluation of 'ip dscp' under the meta mark -statement triggers this implicit dependency which should not consider -the context statement length since it is added before the statement -itself. - -This problem shows when listing the ruleset, since netlink_parse_cmp() -where left->len < right->len, hence handling the implicit dependency as -a concatenation, but it is actually a bug in the evaluation step that -leads to incorrect bytecode. 
- -Fixes: 3c64ea7995cb ("evaluate: honor statement length in integer evaluation") -Fixes: edecd58755a8 ("evaluate: support shifts larger than the width of the left operand") -Tested-by: Brian Davidson -Signed-off-by: Pablo Neira Ayuso ---- a/src/payload.c -+++ b/src/payload.c -@@ -409,6 +409,7 @@ static int payload_add_dependency(struct eval_ctx *ctx, - const struct proto_hdr_template *tmpl; - struct expr *dep, *left, *right; - struct proto_ctx *pctx; -+ unsigned int stmt_len; - struct stmt *stmt; - int protocol; - -@@ -429,11 +430,16 @@ static int payload_add_dependency(struct eval_ctx *ctx, - constant_data_ptr(protocol, tmpl->len)); - - dep = relational_expr_alloc(&expr->location, OP_EQ, left, right); -+ -+ stmt_len = ctx->stmt_len; -+ ctx->stmt_len = 0; -+ - stmt = expr_stmt_alloc(&dep->location, dep); - if (stmt_evaluate(ctx, stmt) < 0) { - return expr_error(ctx->msgs, expr, - "dependency statement is invalid"); - } -+ ctx->stmt_len = stmt_len; - - if (ctx->inner_desc) { - if (tmpl->meta_key) -@@ -543,6 +549,7 @@ int payload_gen_dependency(struct eval_ctx *ctx, const struct expr *expr, - const struct hook_proto_desc *h; - const struct proto_desc *desc; - struct proto_ctx *pctx; -+ unsigned int stmt_len; - struct stmt *stmt; - uint16_t type; - -@@ -559,12 +566,18 @@ int payload_gen_dependency(struct eval_ctx *ctx, const struct expr *expr, - "protocol specification is invalid " - "for this family"); - -+ stmt_len = ctx->stmt_len; -+ ctx->stmt_len = 0; -+ - stmt = meta_stmt_meta_iiftype(&expr->location, type); - if (stmt_evaluate(ctx, stmt) < 0) { - return expr_error(ctx->msgs, expr, - "dependency statement is invalid"); - } - *res = stmt; -+ -+ ctx->stmt_len = stmt_len; -+ - return 0; - } - ---- a/tests/py/inet/meta.t -+++ b/tests/py/inet/meta.t -@@ -25,3 +25,8 @@ meta mark set ct mark >> 8;ok - meta mark . tcp dport { 0x0000000a-0x00000014 . 80-90, 0x00100000-0x00100123 . 100-120 };ok - ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 1.2.3.6-1.2.3.8 . 
0x00000200-0x00000300 };ok - ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 5.6.7.8 . 0x00000200 };ok -+ -+meta mark set ip dscp;ok -+meta mark set ip dscp | 0x40;ok -+meta mark set ip6 dscp;ok -+meta mark set ip6 dscp | 0x40;ok ---- a/tests/py/inet/meta.t.json -+++ b/tests/py/inet/meta.t.json -@@ -440,3 +440,89 @@ - } - ] - -+# meta mark set ip dscp -+[ -+ { -+ "mangle": { -+ "key": { -+ "meta": { -+ "key": "mark" -+ } -+ }, -+ "value": { -+ "payload": { -+ "field": "dscp", -+ "protocol": "ip" -+ } -+ } -+ } -+ } -+] -+ -+# meta mark set ip dscp | 0x40 -+[ -+ { -+ "mangle": { -+ "key": { -+ "meta": { -+ "key": "mark" -+ } -+ }, -+ "value": { -+ "|": [ -+ { -+ "payload": { -+ "field": "dscp", -+ "protocol": "ip" -+ } -+ }, -+ 64 -+ ] -+ } -+ } -+ } -+] -+ -+# meta mark set ip6 dscp -+[ -+ { -+ "mangle": { -+ "key": { -+ "meta": { -+ "key": "mark" -+ } -+ }, -+ "value": { -+ "payload": { -+ "field": "dscp", -+ "protocol": "ip6" -+ } -+ } -+ } -+ } -+] -+ -+# meta mark set ip6 dscp | 0x40 -+[ -+ { -+ "mangle": { -+ "key": { -+ "meta": { -+ "key": "mark" -+ } -+ }, -+ "value": { -+ "|": [ -+ { -+ "payload": { -+ "field": "dscp", -+ "protocol": "ip6" -+ } -+ }, -+ 64 -+ ] -+ } -+ } -+ } -+] -+ ---- a/tests/py/inet/meta.t.payload -+++ b/tests/py/inet/meta.t.payload -@@ -133,3 +133,43 @@ inet test-inet input - [ meta load mark => reg 9 ] - [ lookup reg 1 set __set%d ] - -+# meta mark set ip dscp -+inet test-inet input -+ [ meta load nfproto => reg 1 ] -+ [ cmp eq reg 1 0x00000002 ] -+ [ payload load 1b @ network header + 1 => reg 1 ] -+ [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] -+ [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ] -+ [ meta set mark with reg 1 ] -+ -+# meta mark set ip dscp | 0x40 -+inet test-inet input -+ [ meta load nfproto => reg 1 ] -+ [ cmp eq reg 1 0x00000002 ] -+ [ payload load 1b @ network header + 1 => reg 1 ] -+ [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] -+ [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ] -+ [ bitwise reg 1 = ( 
reg 1 & 0xffffffbf ) ^ 0x00000040 ] -+ [ meta set mark with reg 1 ] -+ -+# meta mark set ip6 dscp -+inet test-inet input -+ [ meta load nfproto => reg 1 ] -+ [ cmp eq reg 1 0x0000000a ] -+ [ payload load 2b @ network header + 0 => reg 1 ] -+ [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] -+ [ byteorder reg 1 = ntoh(reg 1, 2, 2) ] -+ [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ] -+ [ meta set mark with reg 1 ] -+ -+# meta mark set ip6 dscp | 0x40 -+inet test-inet input -+ [ meta load nfproto => reg 1 ] -+ [ cmp eq reg 1 0x0000000a ] -+ [ payload load 2b @ network header + 0 => reg 1 ] -+ [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] -+ [ byteorder reg 1 = ntoh(reg 1, 2, 2) ] -+ [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ] -+ [ bitwise reg 1 = ( reg 1 & 0xffffffbf ) ^ 0x00000040 ] -+ [ meta set mark with reg 1 ] -+ --- -cgit v1.2.3 diff --git a/net-firewall/nftables/metadata.xml b/net-firewall/nftables/metadata.xml index 9b4ce12e54e0..1fcc64724c1f 100644 --- a/net-firewall/nftables/metadata.xml +++ b/net-firewall/nftables/metadata.xml @@ -16,7 +16,6 @@ Create man pages for the package (requires app-text/asciidoc) Enable JSON support via dev-libs/jansson - Install init scripts for 3.18 or higher kernels with atomic rule updates Add libxtables support to try to automatically translate rules added by iptables-compat diff --git a/net-firewall/nftables/nftables-1.0.7-r1.ebuild b/net-firewall/nftables/nftables-1.0.7-r1.ebuild deleted file mode 100644 index d5054eca943d..000000000000 --- a/net-firewall/nftables/nftables-1.0.7-r1.ebuild +++ /dev/null 
@@ -1,232 +0,0 @@ -# Copyright 1999-2024 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=8 - -DISTUTILS_OPTIONAL=1 -PYTHON_COMPAT=( python3_{9..11} ) -VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/netfilter.org.asc -inherit edo linux-info distutils-r1 systemd verify-sig - -DESCRIPTION="Linux kernel firewall, NAT and packet mangling tools" -HOMEPAGE="https://netfilter.org/projects/nftables/" - -if [[ ${PV} =~ ^[9]{4,}$ ]]; then - inherit autotools git-r3 - EGIT_REPO_URI="https://git.netfilter.org/${PN}" - BDEPEND="app-alternatives/yacc" -else - SRC_URI="https://netfilter.org/projects/nftables/files/${P}.tar.xz - verify-sig? ( https://netfilter.org/projects/nftables/files/${P}.tar.xz.sig )" - KEYWORDS="amd64 arm arm64 hppa ~ia64 ~loong ~mips ppc ppc64 ~riscv sparc x86" - BDEPEND="verify-sig? ( sec-keys/openpgp-keys-netfilter )" -fi - -# See COPYING: new code is GPL-2+, existing code is GPL-2 -LICENSE="GPL-2 GPL-2+" -SLOT="0/1" -IUSE="debug doc +gmp json libedit +modern-kernel python +readline static-libs test xtables" -RESTRICT="!test? ( test )" - -RDEPEND=" - >=net-libs/libmnl-1.0.4:= - >=net-libs/libnftnl-1.2.5:= - gmp? ( dev-libs/gmp:= ) - json? ( dev-libs/jansson:= ) - python? ( ${PYTHON_DEPS} ) - readline? ( sys-libs/readline:= ) - xtables? ( >=net-firewall/iptables-1.6.1:= ) -" - -DEPEND="${RDEPEND}" - -BDEPEND+=" - app-alternatives/lex - virtual/pkgconfig - doc? ( - app-text/asciidoc - >=app-text/docbook2X-0.8.8-r4 - ) - python? ( ${PYTHON_DEPS} ) -" - -REQUIRED_USE=" - python? ( ${PYTHON_REQUIRED_USE} ) - libedit? ( !readline ) -" - -pkg_setup() { - if kernel_is ge 3 13; then - if use modern-kernel && kernel_is lt 3 18; then - eerror "The modern-kernel USE flag requires kernel version 3.18 or newer to work properly." - fi - CONFIG_CHECK="~NF_TABLES" - linux-info_pkg_setup - else - eerror "This package requires kernel version 3.13 or newer to work properly." 
- fi -} - -src_prepare() { - default - - if [[ ${PV} =~ ^[9]{4,}$ ]] ; then - eautoreconf - fi - - if use python; then - pushd py >/dev/null || die - distutils-r1_src_prepare - popd >/dev/null || die - fi -} - -src_configure() { - local myeconfargs=( - # We handle python separately - --disable-python - --disable-static - --sbindir="${EPREFIX}"/sbin - $(use_enable debug) - $(use_enable doc man-doc) - $(use_with !gmp mini_gmp) - $(use_with json) - $(use_with libedit cli editline) - $(use_with readline cli readline) - $(use_enable static-libs static) - $(use_with xtables) - ) - econf "${myeconfargs[@]}" - - if use python; then - pushd py >/dev/null || die - distutils-r1_src_configure - popd >/dev/null || die - fi -} - -src_compile() { - default - - if use python; then - pushd py >/dev/null || die - distutils-r1_src_compile - popd >/dev/null || die - fi -} - -src_test() { - emake check - - if [[ ${EUID} == 0 ]]; then - edo tests/shell/run-tests.sh -v - else - ewarn "Skipping shell tests (requires root)" - fi - - # Need to rig up Python eclass if using this, but it doesn't seem to work - # for me anyway. - #cd tests/py || die - #"${EPYTHON}" nft-test.py || die -} - -src_install() { - default - - if ! use doc && [[ ! ${PV} =~ ^[9]{4,}$ ]]; then - pushd doc >/dev/null || die - doman *.? 
- popd >/dev/null || die - fi - - # Do it here instead of in src_prepare to avoid eautoreconf - # rmdir lets us catch if more files end up installed in /etc/nftables - dodir /usr/share/doc/${PF}/skels/ - mv "${ED}"/etc/nftables/osf "${ED}"/usr/share/doc/${PF}/skels/osf || die - rmdir "${ED}"/etc/nftables || die - - local mksuffix="$(usex modern-kernel '-mk' '')" - - exeinto /usr/libexec/${PN} - newexe "${FILESDIR}"/libexec/${PN}${mksuffix}.sh ${PN}.sh - newconfd "${FILESDIR}"/${PN}${mksuffix}.confd ${PN} - newinitd "${FILESDIR}"/${PN}${mksuffix}.init-r1 ${PN} - keepdir /var/lib/nftables - - systemd_dounit "${FILESDIR}"/systemd/${PN}-restore.service - - if use python ; then - pushd py >/dev/null || die - distutils-r1_src_install - popd >/dev/null || die - fi - - find "${ED}" -type f -name "*.la" -delete || die -} - -pkg_preinst() { - local stderr - - # There's a history of regressions with nftables upgrades. Perform a - # safety check to help us spot them earlier. For the check to pass, the - # currently loaded ruleset, if any, must be successfully evaluated by - # the newly built instance of nft(8). - if [[ -n ${ROOT} ]] || [[ ! -d /sys/module/nftables ]] || [[ ! -x /sbin/nft ]]; then - # Either nftables isn't yet in use or nft(8) cannot be executed. - return - elif ! stderr=$(umask 177; /sbin/nft -t list ruleset 2>&1 >"${T}"/ruleset.nft); then - # Report errors induced by trying to list the ruleset but don't - # treat them as being fatal. - printf '%s\n' "${stderr}" >&2 - elif [[ ${stderr} == *"is managed by iptables-nft"* ]]; then - # Rulesets generated by iptables-nft are special in nature and - # will not always be printed in a way that constitutes a valid - # syntax for ntf(8). Ignore them. - return - elif set -- "${ED}"/usr/lib*/libnftables.so; ! LD_LIBRARY_PATH=${1%/*} "${ED}"/sbin/nft -c -f -- "${T}"/ruleset.nft; then - eerror "Your currently loaded ruleset cannot be parsed by the newly built instance of" - eerror "nft. 
This probably means that there is a regression introduced by v${PV}." - eerror "(To make the ebuild fail instead of warning, set NFTABLES_ABORT_ON_RELOAD_FAILURE=1.)" - if [[ -n ${NFTABLES_ABORT_ON_RELOAD_FAILURE} ]] ; then - die "Aborting because of failed nft reload!" - fi - fi -} - -pkg_postinst() { - local save_file - save_file="${EROOT}"/var/lib/nftables/rules-save - - # In order for the nftables-restore systemd service to start - # the save_file must exist. - if [[ ! -f "${save_file}" ]]; then - ( umask 177; touch "${save_file}" ) - elif [[ $(( "$( stat --printf '%05a' "${save_file}" )" & 07177 )) -ne 0 ]]; then - ewarn "Your system has dangerous permissions for ${save_file}" - ewarn "It is probably affected by bug #691326." - ewarn "You may need to fix the permissions of the file. To do so," - ewarn "you can run the command in the line below as root." - ewarn " 'chmod 600 \"${save_file}\"'" - fi - - if has_version 'sys-apps/systemd'; then - elog "If you wish to enable the firewall rules on boot (on systemd) you" - elog "will need to enable the nftables-restore service." - elog " 'systemctl enable ${PN}-restore.service'" - elog - elog "If you are creating firewall rules before the next system restart" - elog "the nftables-restore service must be manually started in order to" - elog "save those rules on shutdown." - fi - - if has_version 'sys-apps/openrc'; then - elog "If you wish to enable the firewall rules on boot (on openrc) you" - elog "will need to enable the nftables service." - elog " 'rc-update add ${PN} default'" - elog - elog "If you are creating or updating the firewall rules and wish to save" - elog "them to be loaded on the next restart, use the \"save\" functionality" - elog "in the init script." - elog " 'rc-service ${PN} save'" - fi -} diff --git a/net-firewall/nftables/nftables-1.0.8-r1.ebuild b/net-firewall/nftables/nftables-1.0.8-r1.ebuild deleted file mode 100644 index 221f5fa3d427..000000000000 
--- a/net-firewall/nftables/nftables-1.0.8-r1.ebuild
+++ /dev/null
@@ -1,217 +0,0 @@ -# Copyright 1999-2024 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=8 - -DISTUTILS_OPTIONAL=1 -DISTUTILS_USE_PEP517=setuptools -PYTHON_COMPAT=( python3_{10..11} ) -VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/netfilter.org.asc -inherit edo linux-info distutils-r1 systemd verify-sig - -DESCRIPTION="Linux kernel firewall, NAT and packet mangling tools" -HOMEPAGE="https://netfilter.org/projects/nftables/" - -if [[ ${PV} =~ ^[9]{4,}$ ]]; then - inherit autotools git-r3 - EGIT_REPO_URI="https://git.netfilter.org/${PN}" - BDEPEND="app-alternatives/yacc" -else - SRC_URI="https://netfilter.org/projects/nftables/files/${P}.tar.xz - verify-sig? ( https://netfilter.org/projects/nftables/files/${P}.tar.xz.sig )" - KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86" - BDEPEND="verify-sig? ( sec-keys/openpgp-keys-netfilter )" -fi - -# See COPYING: new code is GPL-2+, existing code is GPL-2 -LICENSE="GPL-2 GPL-2+" -SLOT="0/1" -IUSE="debug doc +gmp json libedit python +readline static-libs test xtables" -RESTRICT="!test? ( test )" - -RDEPEND=" - >=net-libs/libmnl-1.0.4:= - >=net-libs/libnftnl-1.2.6:= - gmp? ( dev-libs/gmp:= ) - json? ( dev-libs/jansson:= ) - python? ( ${PYTHON_DEPS} ) - readline? ( sys-libs/readline:= ) - xtables? ( >=net-firewall/iptables-1.6.1:= ) -" -DEPEND="${RDEPEND}" -BDEPEND+=" - app-alternatives/lex - virtual/pkgconfig - doc? ( - app-text/asciidoc - >=app-text/docbook2X-0.8.8-r4 - ) - python? ( ${DISTUTILS_DEPS} ) -" - -REQUIRED_USE=" - python? ( ${PYTHON_REQUIRED_USE} ) - libedit? 
( !readline ) -" - -src_prepare() { - default - - if [[ ${PV} =~ ^[9]{4,}$ ]] ; then - eautoreconf - fi - - if use python; then - pushd py >/dev/null || die - distutils-r1_src_prepare - popd >/dev/null || die - fi -} - -src_configure() { - local myeconfargs=( - # We handle python separately - --disable-python - --disable-static - --sbindir="${EPREFIX}"/sbin - $(use_enable debug) - $(use_enable doc man-doc) - $(use_with !gmp mini_gmp) - $(use_with json) - $(use_with libedit cli editline) - $(use_with readline cli readline) - $(use_enable static-libs static) - $(use_with xtables) - ) - econf "${myeconfargs[@]}" - - if use python; then - pushd py >/dev/null || die - distutils-r1_src_configure - popd >/dev/null || die - fi -} - -src_compile() { - default - - if use python; then - pushd py >/dev/null || die - distutils-r1_src_compile - popd >/dev/null || die - fi -} - -src_test() { - emake check - - if [[ ${EUID} == 0 ]]; then - edo tests/shell/run-tests.sh -v - else - ewarn "Skipping shell tests (requires root)" - fi - - # Need to rig up Python eclass if using this, but it doesn't seem to work - # for me anyway. - #cd tests/py || die - #"${EPYTHON}" nft-test.py || die -} - -src_install() { - default - - if ! use doc && [[ ! ${PV} =~ ^[9]{4,}$ ]]; then - pushd doc >/dev/null || die - doman *.? 
- popd >/dev/null || die - fi - - # Do it here instead of in src_prepare to avoid eautoreconf - # rmdir lets us catch if more files end up installed in /etc/nftables - dodir /usr/share/doc/${PF}/skels/ - mv "${ED}"/etc/nftables/osf "${ED}"/usr/share/doc/${PF}/skels/osf || die - rmdir "${ED}"/etc/nftables || die - - exeinto /usr/libexec/${PN} - newexe "${FILESDIR}"/libexec/${PN}-mk.sh ${PN}.sh - newconfd "${FILESDIR}"/${PN}-mk.confd ${PN} - newinitd "${FILESDIR}"/${PN}-mk.init-r1 ${PN} - keepdir /var/lib/nftables - - systemd_dounit "${FILESDIR}"/systemd/${PN}-restore.service - - if use python ; then - pushd py >/dev/null || die - distutils-r1_src_install - popd >/dev/null || die - fi - - find "${ED}" -type f -name "*.la" -delete || die -} - -pkg_preinst() { - local stderr - - # There's a history of regressions with nftables upgrades. Perform a - # safety check to help us spot them earlier. For the check to pass, the - # currently loaded ruleset, if any, must be successfully evaluated by - # the newly built instance of nft(8). - if [[ -n ${ROOT} ]] || [[ ! -d /sys/module/nftables ]] || [[ ! -x /sbin/nft ]]; then - # Either nftables isn't yet in use or nft(8) cannot be executed. - return - elif ! stderr=$(umask 177; /sbin/nft -t list ruleset 2>&1 >"${T}"/ruleset.nft); then - # Report errors induced by trying to list the ruleset but don't - # treat them as being fatal. - printf '%s\n' "${stderr}" >&2 - elif [[ ${stderr} == *"is managed by iptables-nft"* ]]; then - # Rulesets generated by iptables-nft are special in nature and - # will not always be printed in a way that constitutes a valid - # syntax for ntf(8). Ignore them. - return - elif set -- "${ED}"/usr/lib*/libnftables.so; ! LD_LIBRARY_PATH=${1%/*} "${ED}"/sbin/nft -c -f -- "${T}"/ruleset.nft; then - eerror "Your currently loaded ruleset cannot be parsed by the newly built instance of" - eerror "nft. This probably means that there is a regression introduced by v${PV}." 
- eerror "(To make the ebuild fail instead of warning, set NFTABLES_ABORT_ON_RELOAD_FAILURE=1.)" - if [[ -n ${NFTABLES_ABORT_ON_RELOAD_FAILURE} ]] ; then - die "Aborting because of failed nft reload!" - fi - fi -} - -pkg_postinst() { - local save_file - save_file="${EROOT}"/var/lib/nftables/rules-save - - # In order for the nftables-restore systemd service to start - # the save_file must exist. - if [[ ! -f "${save_file}" ]]; then - ( umask 177; touch "${save_file}" ) - elif [[ $(( "$( stat --printf '%05a' "${save_file}" )" & 07177 )) -ne 0 ]]; then - ewarn "Your system has dangerous permissions for ${save_file}" - ewarn "It is probably affected by bug #691326." - ewarn "You may need to fix the permissions of the file. To do so," - ewarn "you can run the command in the line below as root." - ewarn " 'chmod 600 \"${save_file}\"'" - fi - - if has_version 'sys-apps/systemd'; then - elog "If you wish to enable the firewall rules on boot (on systemd) you" - elog "will need to enable the nftables-restore service." - elog " 'systemctl enable ${PN}-restore.service'" - elog - elog "If you are creating firewall rules before the next system restart" - elog "the nftables-restore service must be manually started in order to" - elog "save those rules on shutdown." - fi - - if has_version 'sys-apps/openrc'; then - elog "If you wish to enable the firewall rules on boot (on openrc) you" - elog "will need to enable the nftables service." - elog " 'rc-update add ${PN} default'" - elog - elog "If you are creating or updating the firewall rules and wish to save" - elog "them to be loaded on the next restart, use the \"save\" functionality" - elog "in the init script." - elog " 'rc-service ${PN} save'" - fi -} diff --git a/net-firewall/nftables/nftables-1.0.8-r2.ebuild b/net-firewall/nftables/nftables-1.0.8-r2.ebuild deleted file mode 100644 index 6f7b07fcd40b..000000000000 --- a/net-firewall/nftables/nftables-1.0.8-r2.ebuild +++ /dev/null 
@@ -1,223 +0,0 @@ -# Copyright 1999-2024 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=8 - -DISTUTILS_OPTIONAL=1 -DISTUTILS_USE_PEP517=setuptools -PYTHON_COMPAT=( python3_{10..11} ) -VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/netfilter.org.asc -inherit edo linux-info distutils-r1 systemd verify-sig - -DESCRIPTION="Linux kernel firewall, NAT and packet mangling tools" -HOMEPAGE="https://netfilter.org/projects/nftables/" - -if [[ ${PV} =~ ^[9]{4,}$ ]]; then - inherit autotools git-r3 - EGIT_REPO_URI="https://git.netfilter.org/${PN}" - BDEPEND="app-alternatives/yacc" -else - SRC_URI=" - https://netfilter.org/projects/nftables/files/${P}.tar.xz - verify-sig? ( https://netfilter.org/projects/nftables/files/${P}.tar.xz.sig ) - " - KEYWORDS="amd64 arm arm64 hppa ~ia64 ~loong ~mips ppc ppc64 ~riscv sparc x86" - BDEPEND="verify-sig? ( sec-keys/openpgp-keys-netfilter )" -fi - -# See COPYING: new code is GPL-2+, existing code is GPL-2 -LICENSE="GPL-2 GPL-2+" -SLOT="0/1" -IUSE="debug doc +gmp json libedit python +readline static-libs test xtables" -RESTRICT="!test? ( test )" - -RDEPEND=" - >=net-libs/libmnl-1.0.4:= - >=net-libs/libnftnl-1.2.6:= - gmp? ( dev-libs/gmp:= ) - json? ( dev-libs/jansson:= ) - python? ( ${PYTHON_DEPS} ) - readline? ( sys-libs/readline:= ) - xtables? ( >=net-firewall/iptables-1.6.1:= ) -" -DEPEND="${RDEPEND}" -BDEPEND+=" - app-alternatives/lex - virtual/pkgconfig - doc? ( - app-text/asciidoc - >=app-text/docbook2X-0.8.8-r4 - ) - python? ( ${DISTUTILS_DEPS} ) -" - -REQUIRED_USE=" - python? ( ${PYTHON_REQUIRED_USE} ) - libedit? 
( !readline ) -" - -PATCHES=( - "${FILESDIR}"/${P}-fix-regression-evaluate.patch -) - -src_prepare() { - default - - if [[ ${PV} =~ ^[9]{4,}$ ]] ; then - eautoreconf - fi - - if use python; then - pushd py >/dev/null || die - distutils-r1_src_prepare - popd >/dev/null || die - fi -} - -src_configure() { - local myeconfargs=( - # We handle python separately - --disable-python - --disable-static - --sbindir="${EPREFIX}"/sbin - $(use_enable debug) - $(use_enable doc man-doc) - $(use_with !gmp mini_gmp) - $(use_with json) - $(use_with libedit cli editline) - $(use_with readline cli readline) - $(use_enable static-libs static) - $(use_with xtables) - ) - econf "${myeconfargs[@]}" - - if use python; then - pushd py >/dev/null || die - distutils-r1_src_configure - popd >/dev/null || die - fi -} - -src_compile() { - default - - if use python; then - pushd py >/dev/null || die - distutils-r1_src_compile - popd >/dev/null || die - fi -} - -src_test() { - emake check - - if [[ ${EUID} == 0 ]]; then - edo tests/shell/run-tests.sh -v - else - ewarn "Skipping shell tests (requires root)" - fi - - # Need to rig up Python eclass if using this, but it doesn't seem to work - # for me anyway. - #cd tests/py || die - #"${EPYTHON}" nft-test.py || die -} - -src_install() { - default - - if ! use doc && [[ ! ${PV} =~ ^[9]{4,}$ ]]; then - pushd doc >/dev/null || die - doman *.? 
- popd >/dev/null || die - fi - - # Do it here instead of in src_prepare to avoid eautoreconf - # rmdir lets us catch if more files end up installed in /etc/nftables - dodir /usr/share/doc/${PF}/skels/ - mv "${ED}"/etc/nftables/osf "${ED}"/usr/share/doc/${PF}/skels/osf || die - rmdir "${ED}"/etc/nftables || die - - exeinto /usr/libexec/${PN} - newexe "${FILESDIR}"/libexec/${PN}-mk.sh ${PN}.sh - newconfd "${FILESDIR}"/${PN}-mk.confd ${PN} - newinitd "${FILESDIR}"/${PN}-mk.init-r1 ${PN} - keepdir /var/lib/nftables - - systemd_dounit "${FILESDIR}"/systemd/${PN}-restore.service - - if use python ; then - pushd py >/dev/null || die - distutils-r1_src_install - popd >/dev/null || die - fi - - find "${ED}" -type f -name "*.la" -delete || die -} - -pkg_preinst() { - local stderr - - # There's a history of regressions with nftables upgrades. Perform a - # safety check to help us spot them earlier. For the check to pass, the - # currently loaded ruleset, if any, must be successfully evaluated by - # the newly built instance of nft(8). - if [[ -n ${ROOT} ]] || [[ ! -d /sys/module/nftables ]] || [[ ! -x /sbin/nft ]]; then - # Either nftables isn't yet in use or nft(8) cannot be executed. - return - elif ! stderr=$(umask 177; /sbin/nft -t list ruleset 2>&1 >"${T}"/ruleset.nft); then - # Report errors induced by trying to list the ruleset but don't - # treat them as being fatal. - printf '%s\n' "${stderr}" >&2 - elif [[ ${stderr} == *"is managed by iptables-nft"* ]]; then - # Rulesets generated by iptables-nft are special in nature and - # will not always be printed in a way that constitutes a valid - # syntax for ntf(8). Ignore them. - return - elif set -- "${ED}"/usr/lib*/libnftables.so; ! LD_LIBRARY_PATH=${1%/*} "${ED}"/sbin/nft -c -f -- "${T}"/ruleset.nft; then - eerror "Your currently loaded ruleset cannot be parsed by the newly built instance of" - eerror "nft. This probably means that there is a regression introduced by v${PV}." 
- eerror "(To make the ebuild fail instead of warning, set NFTABLES_ABORT_ON_RELOAD_FAILURE=1.)" - if [[ -n ${NFTABLES_ABORT_ON_RELOAD_FAILURE} ]] ; then - die "Aborting because of failed nft reload!" - fi - fi -} - -pkg_postinst() { - local save_file - save_file="${EROOT}"/var/lib/nftables/rules-save - - # In order for the nftables-restore systemd service to start - # the save_file must exist. - if [[ ! -f "${save_file}" ]]; then - ( umask 177; touch "${save_file}" ) - elif [[ $(( "$( stat --printf '%05a' "${save_file}" )" & 07177 )) -ne 0 ]]; then - ewarn "Your system has dangerous permissions for ${save_file}" - ewarn "It is probably affected by bug #691326." - ewarn "You may need to fix the permissions of the file. To do so," - ewarn "you can run the command in the line below as root." - ewarn " 'chmod 600 \"${save_file}\"'" - fi - - if has_version 'sys-apps/systemd'; then - elog "If you wish to enable the firewall rules on boot (on systemd) you" - elog "will need to enable the nftables-restore service." - elog " 'systemctl enable ${PN}-restore.service'" - elog - elog "If you are creating firewall rules before the next system restart" - elog "the nftables-restore service must be manually started in order to" - elog "save those rules on shutdown." - fi - - if has_version 'sys-apps/openrc'; then - elog "If you wish to enable the firewall rules on boot (on openrc) you" - elog "will need to enable the nftables service." - elog " 'rc-update add ${PN} default'" - elog - elog "If you are creating or updating the firewall rules and wish to save" - elog "them to be loaded on the next restart, use the \"save\" functionality" - elog "in the init script." - elog " 'rc-service ${PN} save'" - fi -} diff --git a/net-firewall/xtables-addons/Manifest b/net-firewall/xtables-addons/Manifest index f7522a3a1bd1..c77bdf7f8a43 100644 --- a/net-firewall/xtables-addons/Manifest +++ b/net-firewall/xtables-addons/Manifest 
@@ -1,6 +1,3 @@ -DIST xtables-addons-3.23.tar.xz 335776 BLAKE2B 9251a2b9707d93dae294dda24bac4f08b69b44486a5235c248f0f64d0ccac78bd6978c98ad9f83de53da1af75d4788b56ce3285a44c738346560ecfc64f8565b SHA512 f798ad74db6068ee50cae662f3de331cbc8654f0ab2b1d59ce3f7818795213e771702078e495f526a212ce8b9ba7920c04670cd5fb3ff51e693bf0161d2e2486 DIST xtables-addons-3.24.tar.xz 335724 BLAKE2B c086616c0366346bd87813ae0fc561bdb8f892eecea19ef88c65afef5318ac6f75fec658e0c6595de5c620c965b2bd7f10e45ff3ec55ffb9ddf8e85643190e7e SHA512 08c3b87617e0124aef99a3953fc5e03e8d98be50ce70771e352509ec64263d5256f744489f10f39879630d9dc8d28f3c91173b4739c95bbd8d5ad56e33138eb4 -EBUILD xtables-addons-3.23.ebuild 5533 BLAKE2B ded00caedf05de0cbea3d2be455247304b368545520504897108efad78352560e60af8510b37c2833de1ff3d90e01f444376efe1ef710d7919b8fefa4100cd85 SHA512 cbbeabd5cf2a57a79898f8602cb12df1fdabeaaaf3bfee5b1abf117b45af622b6dac3711728b4e2a8848d797e9ea68a9f2f1f29fb2bd75a880a48c699c7f6d5a EBUILD xtables-addons-3.24-r1.ebuild 2736 BLAKE2B 6c9276ebebccd0553c4f580fdc0ef8727ae9f419f4f3d573633893c9abc2f8911c69f51da103101420532fbf31672968139b13a6922655441627f98020ef334d SHA512 c3899f153fdef7e207f0329f0bf59a2dabbec33dcdc079361e46df5d42e53db9e43eba98c57f7514a148a64018812e9453c4ab1ce456029b9ed32a88b4dc9093 -EBUILD xtables-addons-3.24.ebuild 5533 BLAKE2B ded00caedf05de0cbea3d2be455247304b368545520504897108efad78352560e60af8510b37c2833de1ff3d90e01f444376efe1ef710d7919b8fefa4100cd85 SHA512 cbbeabd5cf2a57a79898f8602cb12df1fdabeaaaf3bfee5b1abf117b45af622b6dac3711728b4e2a8848d797e9ea68a9f2f1f29fb2bd75a880a48c699c7f6d5a MISC metadata.xml 698 BLAKE2B 64bcff2bb22f8b71b1acd94386eb10067dfd7be07d829f6e7e75a77da09b5999b8a53da6b9a1aca727dc7d32518fd11cd447ad19aeaec97f1eddfd9107b3d8e9 SHA512 99851425f9be6f3aa906d8d1d908a64a1354bc5b9d0ff771a016cc6b2c31ceb107a01ead4287db7cbaf20bb4661b372ee5454881b00ca5c01ef3b4b81073f9e3 
diff --git a/net-firewall/xtables-addons/xtables-addons-3.23.ebuild b/net-firewall/xtables-addons/xtables-addons-3.23.ebuild
deleted file mode 100644
index c64b0a510779..000000000000
--- a/net-firewall/xtables-addons/xtables-addons-3.23.ebuild
+++ /dev/null
@@ -1,189 +0,0 @@ -# Copyright 1999-2023 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=8 - -MODULES_OPTIONAL_USE=modules -MODULES_OPTIONAL_USE_IUSE_DEFAULT=1 -inherit linux-info linux-mod multilib toolchain-funcs - -DESCRIPTION="iptables extensions not yet accepted in the main kernel" -HOMEPAGE="https://inai.de/projects/xtables-addons/ https://codeberg.org/jengelh/xtables-addons" -SRC_URI="https://inai.de/files/xtables-addons/${P}.tar.xz" - -LICENSE="GPL-2" -SLOT="0" -KEYWORDS="amd64 x86" - -MODULES="quota2 psd pknock lscan length2 ipv4options ipp2p iface gradm geoip fuzzy condition tarpit sysrq proto logmark ipmark echo dnetmap dhcpmac delude chaos account" - -for mod in ${MODULES}; do - IUSE="${IUSE} xtables_addons_${mod}" -done - -DEPEND=">=net-firewall/iptables-1.6.0" - -RDEPEND="${DEPEND} - xtables_addons_geoip? ( - app-arch/unzip - dev-perl/Net-CIDR-Lite - dev-perl/Text-CSV_XS - virtual/perl-Getopt-Long - ) -" - -DEPEND="${DEPEND} - virtual/linux-sources" - -SKIP_MODULES="" - -XA_check4internal_module() { - local mod=${1} - local version=${3} - local kconfigname=${3} - - if use xtables_addons_${mod} && kernel_is -gt ${version}; then - ewarn "${kconfigname} should be provided by the kernel. Skipping its build..." - if ! linux_chkconfig_present ${kconfigname}; then - ewarn "Please enable ${kconfigname} target in your kernel - configuration or disable checksum module in ${PN}." - fi - # SKIP_MODULES in case we need to disable building of everything - # like having this USE disabled - SKIP_MODULES+=" ${mod}" - fi -} - -pkg_setup() { - if use modules; then - get_version - check_modules_supported - CONFIG_CHECK="NF_CONNTRACK NF_CONNTRACK_MARK ~CONNECTOR" - ERROR_CONNECTOR="Please, enable CONFIG_CONNECTOR if you wish to receive userspace notifications from pknock through netlink/connector" - linux-mod_pkg_setup - - if ! 
linux_chkconfig_present IPV6; then - SKIP_IPV6_MODULES="ip6table_rawpost" - ewarn "No IPV6 support in kernel. Disabling: ${SKIP_IPV6_MODULES}" - fi - kernel_is -lt 4 18 && die "${P} requires kernel version >= 4.18" - fi -} - -# Helper for maintainer: cheks if all possible MODULES are listed. -XA_qa_check() { - local all_modules - all_modules=$(sed -n '/^build_/{s/build_\(.*\)=.*/\L\1/;G;s/\n/ /;s/ $//;h}; ${x;p}' "${S}/mconfig") - if [[ ${all_modules} != ${MODULES} ]]; then - ewarn "QA: Modules in mconfig differ from \$MODULES in ebuild." - ewarn "Please, update MODULES in ebuild." - ewarn "'${all_modules}'" - fi -} - -# Is there any use flag set? -XA_has_something_to_build() { - local mod - for mod in ${MODULES}; do - use xtables_addons_${mod} && return - done - - eerror "All modules are disabled. What do you want me to build?" - eerror "Please, set XTABLES_ADDONS to any combination of" - eerror "${MODULES}" - die "All modules are disabled." -} - -# Parse Kbuid files and generates list of sources -XA_get_module_name() { - [[ $# != 1 ]] && die "XA_get_sources_for_mod: needs exactly one argument." - local mod objdir build_mod sources_list - mod=${1} - objdir=${S}/extensions - # Take modules name from mconfig - build_mod=$(sed -n "s/\(build_${mod}\)=.*/\1/Ip" "${S}/mconfig") - # strip .o, = and everything before = and print - sources_list=$(sed -n "/^obj-[$][{]${build_mod}[}]/\ - {s:obj-[^+]\+ [+]=[[:space:]]*::;s:[.]o::g;p}" \ - "${objdir}/Kbuild") - - if [[ -d ${S}/extensions/${sources_list} ]]; then - objdir=${S}/extensions/${sources_list} - sources_list=$(sed -n "/^obj-m/\ - {s:obj-[^+]\+ [+]=[[:space:]]*::;s:[.]o::g;p}" \ - "${objdir}/Kbuild") - fi - for mod_src in ${sources_list}; do - has ${mod_src} ${SKIP_IPV6_MODULES} || \ - echo " ${mod_src}(xtables_addons:${S}/extensions:${objdir})" - done -} - -# Die on modules known to fail on certain kernel version. 
-XA_known_failure() { - local module_name=$1 - local KV_max=$2 - - if use xtables_addons_${module_name} && kernel_is ge ${KV_max//./ }; then - eerror - eerror "XTABLES_ADDONS=${module_name} fails to build on linux ${KV_max} or above." - eerror "Either remove XTABLES_ADDONS=${module_name} or use an earlier version of the kernel." - eerror - die - fi -} - -src_prepare() { - XA_qa_check - XA_has_something_to_build - - # Bug #553630#c2. echo fails on linux-4 and above. - # This appears to be fixed, at least as of linux-4.2 - # XA_known_failure "echo" 4 - - local mod module_name - if use modules; then - MODULE_NAMES="compat_xtables(xtables_addons:${S}/extensions:)" - fi - for mod in ${MODULES}; do - if ! has ${mod} ${SKIP_MODULES} && use xtables_addons_${mod}; then - sed "s/\(build_${mod}=\).*/\1m/I" -i mconfig || die - if use modules; then - for module_name in $(XA_get_module_name ${mod}); do - MODULE_NAMES+=" ${module_name}" - done - fi - else - sed "s/\(build_${mod}=\).*/\1n/I" -i mconfig || die - fi - done - einfo "${MODULE_NAMES}" # for debugging - - sed -e 's/depmod -a/true/' -i Makefile.in || die - sed -e '/^all-local:/{s: modules::}' \ - -e '/^install-exec-local:/{s: modules_install::}' \ - -i extensions/Makefile.in || die - - use xtables_addons_geoip || sed -e '/^SUBDIRS/{s/geoip//}' -i Makefile.in - - eapply_user -} - -src_configure() { - set_arch_to_kernel # .. or it'll look for /arch/amd64/Makefile - econf --prefix="${EPREFIX}/" \ - --libexecdir="${EPREFIX}/$(get_libdir)/" \ - --with-kbuild="${KV_OUT_DIR}" -} - -src_compile() { - emake CFLAGS="${CFLAGS}" CC="$(tc-getCC)" V=1 - use modules && BUILD_PARAMS="V=1" BUILD_TARGETS="modules" linux-mod_src_compile -} - -src_install() { - emake DESTDIR="${D}" install - use modules && linux-mod_src_install - dodoc -r README.rst doc/* - find "${ED}" -type f -name '*.la' -exec rm -rf '{}' '+' -} 
diff --git a/net-firewall/xtables-addons/xtables-addons-3.24.ebuild b/net-firewall/xtables-addons/xtables-addons-3.24.ebuild
deleted file mode 100644
index c64b0a510779..000000000000
--- a/net-firewall/xtables-addons/xtables-addons-3.24.ebuild
+++ /dev/null
@@ -1,189 +0,0 @@
-# Copyright 1999-2023 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-MODULES_OPTIONAL_USE=modules
-MODULES_OPTIONAL_USE_IUSE_DEFAULT=1
-inherit linux-info linux-mod multilib toolchain-funcs
-
-DESCRIPTION="iptables extensions not yet accepted in the main kernel"
-HOMEPAGE="https://inai.de/projects/xtables-addons/ https://codeberg.org/jengelh/xtables-addons"
-SRC_URI="https://inai.de/files/xtables-addons/${P}.tar.xz"
-
-LICENSE="GPL-2"
-SLOT="0"
-KEYWORDS="amd64 x86"
-
-MODULES="quota2 psd pknock lscan length2 ipv4options ipp2p iface gradm geoip fuzzy condition tarpit sysrq proto logmark ipmark echo dnetmap dhcpmac delude chaos account"
-
-for mod in ${MODULES}; do
- IUSE="${IUSE} xtables_addons_${mod}"
-done
-
-DEPEND=">=net-firewall/iptables-1.6.0"
-
-RDEPEND="${DEPEND}
- xtables_addons_geoip? (
- app-arch/unzip
- dev-perl/Net-CIDR-Lite
- dev-perl/Text-CSV_XS
- virtual/perl-Getopt-Long
- )
-"
-
-DEPEND="${DEPEND}
- virtual/linux-sources"
-
-SKIP_MODULES=""
-
-XA_check4internal_module() {
- local mod=${1}
- local version=${3}
- local kconfigname=${3}
-
- if use xtables_addons_${mod} && kernel_is -gt ${version}; then
- ewarn "${kconfigname} should be provided by the kernel. Skipping its build..."
- if ! linux_chkconfig_present ${kconfigname}; then
- ewarn "Please enable ${kconfigname} target in your kernel
- configuration or disable checksum module in ${PN}."
- fi
- # SKIP_MODULES in case we need to disable building of everything
- # like having this USE disabled
- SKIP_MODULES+=" ${mod}"
- fi
-}
-
-pkg_setup() {
- if use modules; then
- get_version
- check_modules_supported
- CONFIG_CHECK="NF_CONNTRACK NF_CONNTRACK_MARK ~CONNECTOR"
- ERROR_CONNECTOR="Please, enable CONFIG_CONNECTOR if you wish to receive userspace notifications from pknock through netlink/connector"
- linux-mod_pkg_setup
-
- if ! linux_chkconfig_present IPV6; then
- SKIP_IPV6_MODULES="ip6table_rawpost"
- ewarn "No IPV6 support in kernel. Disabling: ${SKIP_IPV6_MODULES}"
- fi
- kernel_is -lt 4 18 && die "${P} requires kernel version >= 4.18"
- fi
-}
-
-# Helper for maintainer: cheks if all possible MODULES are listed.
-XA_qa_check() {
- local all_modules
- all_modules=$(sed -n '/^build_/{s/build_\(.*\)=.*/\L\1/;G;s/\n/ /;s/ $//;h}; ${x;p}' "${S}/mconfig")
- if [[ ${all_modules} != ${MODULES} ]]; then
- ewarn "QA: Modules in mconfig differ from \$MODULES in ebuild."
- ewarn "Please, update MODULES in ebuild."
- ewarn "'${all_modules}'"
- fi
-}
-
-# Is there any use flag set?
-XA_has_something_to_build() {
- local mod
- for mod in ${MODULES}; do
- use xtables_addons_${mod} && return
- done
-
- eerror "All modules are disabled. What do you want me to build?"
- eerror "Please, set XTABLES_ADDONS to any combination of"
- eerror "${MODULES}"
- die "All modules are disabled."
-}
-
-# Parse Kbuid files and generates list of sources
-XA_get_module_name() {
- [[ $# != 1 ]] && die "XA_get_sources_for_mod: needs exactly one argument."
- local mod objdir build_mod sources_list
- mod=${1}
- objdir=${S}/extensions
- # Take modules name from mconfig
- build_mod=$(sed -n "s/\(build_${mod}\)=.*/\1/Ip" "${S}/mconfig")
- # strip .o, = and everything before = and print
- sources_list=$(sed -n "/^obj-[$][{]${build_mod}[}]/\
- {s:obj-[^+]\+ [+]=[[:space:]]*::;s:[.]o::g;p}" \
- "${objdir}/Kbuild")
-
- if [[ -d ${S}/extensions/${sources_list} ]]; then
- objdir=${S}/extensions/${sources_list}
- sources_list=$(sed -n "/^obj-m/\
- {s:obj-[^+]\+ [+]=[[:space:]]*::;s:[.]o::g;p}" \
- "${objdir}/Kbuild")
- fi
- for mod_src in ${sources_list}; do
- has ${mod_src} ${SKIP_IPV6_MODULES} || \
- echo " ${mod_src}(xtables_addons:${S}/extensions:${objdir})"
- done
-}
-
-# Die on modules known to fail on certain kernel version.
-XA_known_failure() {
- local module_name=$1
- local KV_max=$2
-
- if use xtables_addons_${module_name} && kernel_is ge ${KV_max//./ }; then
- eerror
- eerror "XTABLES_ADDONS=${module_name} fails to build on linux ${KV_max} or above."
- eerror "Either remove XTABLES_ADDONS=${module_name} or use an earlier version of the kernel."
- eerror
- die
- fi
-}
-
-src_prepare() {
- XA_qa_check
- XA_has_something_to_build
-
- # Bug #553630#c2. echo fails on linux-4 and above.
- # This appears to be fixed, at least as of linux-4.2
- # XA_known_failure "echo" 4
-
- local mod module_name
- if use modules; then
- MODULE_NAMES="compat_xtables(xtables_addons:${S}/extensions:)"
- fi
- for mod in ${MODULES}; do
- if ! has ${mod} ${SKIP_MODULES} && use xtables_addons_${mod}; then
- sed "s/\(build_${mod}=\).*/\1m/I" -i mconfig || die
- if use modules; then
- for module_name in $(XA_get_module_name ${mod}); do
- MODULE_NAMES+=" ${module_name}"
- done
- fi
- else
- sed "s/\(build_${mod}=\).*/\1n/I" -i mconfig || die
- fi
- done
- einfo "${MODULE_NAMES}" # for debugging
-
- sed -e 's/depmod -a/true/' -i Makefile.in || die
- sed -e '/^all-local:/{s: modules::}' \
- -e '/^install-exec-local:/{s: modules_install::}' \
- -i extensions/Makefile.in || die
-
- use xtables_addons_geoip || sed -e '/^SUBDIRS/{s/geoip//}' -i Makefile.in
-
- eapply_user
-}
-
-src_configure() {
- set_arch_to_kernel # .. or it'll look for /arch/amd64/Makefile
- econf --prefix="${EPREFIX}/" \
- --libexecdir="${EPREFIX}/$(get_libdir)/" \
- --with-kbuild="${KV_OUT_DIR}"
-}
-
-src_compile() {
- emake CFLAGS="${CFLAGS}" CC="$(tc-getCC)" V=1
- use modules && BUILD_PARAMS="V=1" BUILD_TARGETS="modules" linux-mod_src_compile
-}
-
-src_install() {
- emake DESTDIR="${D}" install
- use modules && linux-mod_src_install
- dodoc -r README.rst doc/*
- find "${ED}" -type f -name '*.la' -exec rm -rf '{}' '+'
-}
-- cgit v1.2.3