commit: 9b5cb98661907b8e44b7c5b61fc9f7d7c4fc7703 |
Author: Sam James <sam <AT> gentoo <DOT> org> |
AuthorDate: Sat May 14 03:46:57 2022 +0000 |
Commit: Sam James <sam <AT> gentoo <DOT> org> |
CommitDate: Sat May 14 21:22:22 2022 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9b5cb986 |
|
net-firewall/iptables: add 1.8.8 |
|
Signed-off-by: Sam James <sam <AT> gentoo.org> |
|
net-firewall/iptables/Manifest | 1 + |
.../files/iptables-1.8.8-format-security.patch | 21 +++ |
net-firewall/iptables/iptables-1.8.8.ebuild | 176 +++++++++++++++++++++ |
3 files changed, 198 insertions(+) |
|
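diff --git a/net-firewall/iptables/Manifest b/net-firewall/iptables/Manifest
index 20be9ec24c2d..76320a6fa208 100644
--- a/net-firewall/iptables/Manifest
+++ b/net-firewall/iptables/Manifest
@@ -1 +1,2 @@
 DIST iptables-1.8.7.tar.bz2 717862 BLAKE2B fd4dcff142eaadde2a14ce3eb5e45d41c326752553b52900c77fd2e2a20c0685d0a04b95755995e914df47658834d52216d6465c2ae9cd6abc6eb122b95cc976 SHA512 c0a33fafbf1139157a9f52860938ebedc282a1394a68dcbd58981159379eb525919f999b25925f2cb4d6b18089bd99a94b00b3e73cff5cb0a0e47bdff174ed75
+DIST iptables-1.8.8.tar.bz2 746985 BLAKE2B 0da021cc7313b86af331768904956dab3eee3de245a7b03965129f3d7f13097fc03fbb1390167dcd971eff216eabad9e59b261a9c0f54bfc48a77453aa40d164 SHA512 f21df23279a77531a23f3fcb1b8f0f8ec0c726bda236dd0e33af74b06753baff6ce3f26fb9fcceb6fada560656ba901e68fc6452eb840ac1b206bc4654950f59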
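diff --git a/net-firewall/iptables/files/iptables-1.8.8-format-security.patch b/net-firewall/iptables/files/iptables-1.8.8-format-security.patch
new file mode 100644
index 000000000000..fafc435379b5
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-1.8.8-format-security.patch
@@ -0,0 +1,21 @@
+https://git.netfilter.org/iptables/commit/?id=b72eb12ea5a61df0655ad99d5048994e916be83a
+
+From: Phil Sutter <phil@×××.cc>
+Date: Fri, 13 May 2022 16:51:58 +0200
+Subject: xshared: Fix build for -Werror=format-security
+
+Gcc complains about the omitted format string.
+
+Signed-off-by: Phil Sutter <phil@×××.cc>
+--- a/iptables/xshared.c
++++ b/iptables/xshared.c
+@@ -1307,7 +1307,7 @@ static void check_empty_interface(struct xtables_args *args, const char *arg)
+ return;
+ 
+ if (args->family != NFPROTO_ARP)
+- xtables_error(PARAMETER_PROBLEM, msg);
++ xtables_error(PARAMETER_PROBLEM, "%s", msg);
+ 
+ fprintf(stderr, "%s", msg);
+ }
+cgit v1.2.3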
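Review bot: The added patch file ends with a stray `+cgit v1.2.3` line after the hunk's closing brace, which looks like the cgit page footer copied along with the upstream commit; `patch` ignores trailing text, but it should be dropped so the file holds only the patch. The fix itself is the right one rather than a pure warning silencer: `msg` is a runtime string passed where a format string belongs, so `xtables_error(PARAMETER_PROBLEM, "%s", msg)` also keeps any `%` sequence inside `msg` from being interpreted as a conversion, which is the class of bug -Werror=format-security exists to catch. Whether `msg` can ever carry caller-controlled text cannot be told from this hunk, since check_empty_interface's body and the definition of `msg` lie outside it. Consider a one-line note above the upstream URL, e.g. `Backport of upstream b72eb12e; needed because Gentoo builds with -Werror=format-security.`, so the reason for carrying the patch survives the next version bump.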
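diff --git a/net-firewall/iptables/iptables-1.8.8.ebuild b/net-firewall/iptables/iptables-1.8.8.ebuild
new file mode 100644
index 000000000000..e65230759e5f
--- /dev/null
+++ b/net-firewall/iptables/iptables-1.8.8.ebuild
@@ -0,0 +1,176 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit systemd toolchain-funcs autotools flag-o-matic usr-ldscript
+
+DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
+HOMEPAGE="https://www.netfilter.org/projects/iptables/"
+SRC_URI="https://www.netfilter.org/projects/iptables/files/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+# Subslot reflects PV when libxtables and/or libip*tc was changed
+# the last time.
+SLOT="0/1.8.3"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
+IUSE="conntrack netlink nftables pcap static-libs"
+
+BUILD_DEPEND="
+ >=app-eselect/eselect-iptables-20220320
+"
+COMMON_DEPEND="
+ conntrack? ( >=net-libs/libnetfilter_conntrack-1.0.6 )
+ netlink? ( net-libs/libnfnetlink )
+ nftables? (
+ >=net-libs/libmnl-1.0:0=
+ >=net-libs/libnftnl-1.1.6:0=
+ )
+ pcap? ( net-libs/libpcap )
+"
+DEPEND="${COMMON_DEPEND}
+ virtual/os-headers
+ >=sys-kernel/linux-headers-4.4:0
+"
+BDEPEND="${BUILD_DEPEND}
+ virtual/pkgconfig
+ nftables? (
+ sys-devel/flex
+ virtual/yacc
+ )
+"
+RDEPEND="${COMMON_DEPEND}
+ ${BUILD_DEPEND}
+ nftables? ( net-misc/ethertypes )
+ !<net-firewall/ebtables-2.0.11-r1
+ !<net-firewall/arptables-0.0.5-r1
+"
+
+PATCHES=(
+ "${FILESDIR}/iptables-1.8.4-no-symlinks.patch"
+ "${FILESDIR}/iptables-1.8.2-link.patch"
+
+ "${FILESDIR}/${P}-format-security.patch"
+)
+
+src_prepare() {
+ # use the saner headers from the kernel
+ rm include/linux/{kernel,types}.h || die
+
+ default
+ eautoreconf
+}
+
+src_configure() {
+ # Some libs use $(AR) rather than libtool to build #444282
+ tc-export AR
+
+ # Hack around struct mismatches between userland & kernel for some ABIs. #472388
+ use amd64 && [[ ${ABI} == "x32" ]] && append-flags -fpack-struct
+
+ sed -i \
+ -e "/nfnetlink=[01]/s:=[01]:=$(usex netlink 1 0):" \
+ -e "/nfconntrack=[01]/s:=[01]:=$(usex conntrack 1 0):" \
+ configure || die
+
+ local myeconfargs=(
+ --sbindir="${EPREFIX}/sbin"
+ --libexecdir="${EPREFIX}/$(get_libdir)"
+ --enable-devel
+ --enable-ipv6
+ --enable-shared
+ $(use_enable nftables)
+ $(use_enable pcap bpf-compiler)
+ $(use_enable pcap nfsynproxy)
+ $(use_enable static-libs static)
+ )
+ econf "${myeconfargs[@]}"
+}
+
+src_compile() {
+ emake V=1
+}
+
+src_install() {
+ default
+ dodoc INCOMPATIBILITIES iptables/iptables.xslt
+
+ # all the iptables binaries are in /sbin, so might as well
+ # put these small files in with them
+ into /
+ dosbin iptables/iptables-apply
+ dosym iptables-apply /sbin/ip6tables-apply
+ doman iptables/iptables-apply.8
+
+ insinto /usr/include
+ doins include/ip{,6}tables.h
+ insinto /usr/include/iptables
+ doins include/iptables/internal.h
+
+ keepdir /var/lib/ip{,6}tables
+ newinitd "${FILESDIR}"/${PN}-r2.init iptables
+ newconfd "${FILESDIR}"/${PN}-r1.confd iptables
+ dosym iptables /etc/init.d/ip6tables
+ newconfd "${FILESDIR}"/ip6tables-r1.confd ip6tables
+
+ if use nftables; then
+ # Bug 647458
+ rm "${ED}"/etc/ethertypes || die
+
+ # Bugs 660886 and 669894
+ rm "${ED}"/sbin/{arptables,ebtables}{,-{save,restore}} || die
+ fi
+
+ systemd_dounit "${FILESDIR}"/systemd/ip{,6}tables-{re,}store.service
+
+ # Move important libs to /lib #332175
+ gen_usr_ldscript -a ip{4,6}tc xtables
+
+ find "${ED}" -type f -name "*.la" -delete || die
+}
+
+pkg_postinst() {
+ local default_iptables="xtables-legacy-multi"
+ if ! eselect iptables show &>/dev/null; then
+ elog "Current iptables implementation is unset, setting to ${default_iptables}"
+ eselect iptables set "${default_iptables}"
+ fi
+
+ if use nftables; then
+ local tables
+ for tables in {arp,eb}tables; do
+ if ! eselect ${tables} show &>/dev/null; then
+ elog "Current ${tables} implementation is unset, setting to ${default_iptables}"
+ eselect ${tables} set xtables-nft-multi
+ fi
+ done
+ fi
+
+ eselect iptables show
+}
+
+pkg_prerm() {
+ if [[ -z ${REPLACED_BY_VERSION} ]]; then
+ elog "Unsetting iptables symlinks before removal"
+ eselect iptables unset
+ fi
+
+ if ! has_version 'net-firewall/ebtables'; then
+ elog "Unsetting ebtables symlinks before removal"
+ eselect ebtables unset
+ elif [[ -z ${REPLACED_BY_VERSION} ]]; then
+ elog "Resetting ebtables symlinks to ebtables-legacy"
+ eselect ebtables set ebtables-legacy
+ fi
+
+ if ! has_version 'net-firewall/arptables'; then
+ elog "Unsetting arptables symlinks before removal"
+ eselect arptables unset
+ elif [[ -z ${REPLACED_BY_VERSION} ]]; then
+ elog "Resetting arptables symlinks to arptables-legacy"
+ eselect arptables set arptables-legacy
+ fi
+
+ # the eselect module failing should not be fatal
+ return 0
+}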
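Review bot: In pkg_postinst the arptables/ebtables branch logs that it is setting the implementation to `${default_iptables}` (which is `xtables-legacy-multi`) but the following line actually runs `eselect ${tables} set xtables-nft-multi`, so the message a sysadmin sees in the merge log names the wrong backend. The log line should match the action, e.g. `elog "Current ${tables} implementation is unset, setting to xtables-nft-multi"`, or better, hoist `local default_nft="xtables-nft-multi"` next to `default_iptables` and use it in both places so they cannot drift again. Note also that none of the `eselect ... set` calls in pkg_postinst check their return value; if one fails the function carries on silently and only the final `eselect iptables show` hints at the state, so an `|| ewarn "Failed to set ${tables} implementation"` on each would make a half-configured firewall toolchain visible instead of passing unnoticed.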