
From: Patrick McLean <chutzpah@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: net-firewall/nftables/, net-firewall/nftables/files/
Date: Mon, 28 Sep 2020 23:19:00
Message-Id: 1601335119.ee0604e2b7263e058c65d222f4c654da3ffdbbd3.chutzpah@gentoo
1 commit: ee0604e2b7263e058c65d222f4c654da3ffdbbd3
2 Author: Patrick McLean <chutzpah <AT> gentoo <DOT> org>
3 AuthorDate: Mon Sep 28 23:18:39 2020 +0000
4 Commit: Patrick McLean <chutzpah <AT> gentoo <DOT> org>
5 CommitDate: Mon Sep 28 23:18:39 2020 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ee0604e2
7
8 net-firewall/nftables-0.9.6-r1: revbump, fix init script (bug #744955)
9
10 Closes: https://bugs.gentoo.org/744955
11 Package-Manager: Portage-3.0.8, Repoman-3.0.1
12 Signed-off-by: Patrick McLean <chutzpah <AT> gentoo.org>
13
14 net-firewall/nftables/files/nftables.init-r1 | 105 ++++++++++++++++
15 net-firewall/nftables/nftables-0.9.6-r1.ebuild | 162 +++++++++++++++++++++++++
16 2 files changed, 267 insertions(+)
17
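diff --git a/net-firewall/nftables/files/nftables.init-r1 b/net-firewall/nftables/files/nftables.init-r1
new file mode 100644
index 00000000000..45b2abdbda7
--- /dev/null
+++ b/net-firewall/nftables/files/nftables.init-r1
@@ -0,0 +1,105 @@
+#!/sbin/openrc-run
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+extra_commands="check clear list panic save soft_panic"
+extra_started_commands="reload"
+
+depend() {
+ need localmount #434774
+ before net
+}
+
+checkkernel() {
+ if ! /sbin/nft list ruleset >/dev/null 2>/dev/null ; then
+ eerror "Your kernel lacks nftables support, please load"
+ eerror "appropriate modules and try again."
+ return 1
+ fi
+ return 0
+}
+
+checkconfig() {
+ if [ -z "${NFTABLES_SAVE}" -o ! -f "${NFTABLES_SAVE}" ] ; then
+ eerror "Not starting nftables. First create some rules then run:"
+ eerror "/etc/init.d/${SVCNAME} save"
+ return 1
+ fi
+ return 0
+}
+
+start_pre() {
+ checkconfig || return 1
+ checkkernel || return 1
+ check || return 1
+}
+
+start() {
+ ebegin "Loading ${SVCNAME} state and starting firewall"
+ /usr/libexec/nftables/nftables.sh load "${NFTABLES_SAVE}"
+ eend $?
+}
+
+stop() {
+ if [ "${SAVE_ON_STOP}" = "yes" ] ; then
+ save || return 1
+ fi
+
+ ebegin "Stopping firewall"
+ if [ "${PANIC_ON_STOP}" = "hard" ]; then
+ /usr/libexec/nftables/nftables.sh panic
+ elif [ "${PANIC_ON_STOP}" = "soft" ]; then
+ /usr/libexec/nftables/nftables.sh soft_panic
+ else
+ /usr/libexec/nftables/nftables.sh clear
+ fi
+ eend $?
+}
+
+reload() {
+ start_pre || return 1
+ start
+}
+
+clear() {
+ ebegin "Clearing rules"
+ /usr/libexec/nftables/nftables.sh clear
+ eend $?
+}
+
+list() {
+ /usr/libexec/nftables/nftables.sh list
+}
+
+check() {
+ ebegin "Checking rules"
+ /usr/libexec/nftables/nftables.sh check "${NFTABLES_SAVE}"
+ eend $?
+}
+
+save() {
+ ebegin "Saving ${SVCNAME} state"
+ checkpath -q -d "$(dirname "${NFTABLES_SAVE}")"
+ checkpath -q -m 0600 -f "${NFTABLES_SAVE}"
+ SAVE_OPTIONS="${SAVE_OPTIONS}" \
+ /usr/libexec/nftables/nftables.sh store "${NFTABLES_SAVE}"
+ eend $?
+}
+
+panic() {
+ if service_started ${SVCNAME}; then
+ rc-service ${SVCNAME} zap
+ fi
+ ebegin "Dropping all packets"
+ /usr/libexec/nftables/nftables.sh panic
+ eend $?
+}
+
+soft_panic() {
+ if service_started ${SVCNAME}; then
+ rc-service ${SVCNAME} zap
+ fi
+ ebegin "Dropping new connections"
+ /usr/libexec/nftables/nftables.sh soft_panic
+ eend $?
+}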
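Review bot: `checkconfig` tests `[ -z "${NFTABLES_SAVE}" -o ! -f "${NFTABLES_SAVE}" ]`; the `-o` binary primary is marked obsolescent by POSIX and its parsing becomes ambiguous once an operand starts with `-` or `!`, so `[ -z "${NFTABLES_SAVE}" ] || [ ! -f "${NFTABLES_SAVE}" ]` is the safer form. In `panic` and `soft_panic`, `${SVCNAME}` is passed unquoted to `service_started` and `rc-service` while the rest of the script quotes it; quoting it there keeps the two consistent. The zap-if-started prologue is duplicated verbatim in both functions and could become a small shared helper. `save` forcing `0600` on the save file via `checkpath` before the store is the right call, since a dumped ruleset can reveal address lists and policy to unprivileged local users.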
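diff --git a/net-firewall/nftables/nftables-0.9.6-r1.ebuild b/net-firewall/nftables/nftables-0.9.6-r1.ebuild
new file mode 100644
index 00000000000..be001c0ddd6
--- /dev/null
+++ b/net-firewall/nftables/nftables-0.9.6-r1.ebuild
@@ -0,0 +1,162 @@
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+PYTHON_COMPAT=( python3_{6,7,8,9} )
+
+inherit autotools linux-info python-r1 systemd
+
+DESCRIPTION="Linux kernel (3.13+) firewall, NAT and packet mangling tools"
+HOMEPAGE="https://netfilter.org/projects/nftables/"
+SRC_URI="https://netfilter.org/projects/nftables/files/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~ia64 ~ppc64 ~sparc ~x86"
+IUSE="debug doc +gmp json +modern-kernel python +readline static-libs xtables"
+
+RDEPEND="
+ >=net-libs/libmnl-1.0.4:0=
+ gmp? ( dev-libs/gmp:0= )
+ json? ( dev-libs/jansson )
+ python? ( ${PYTHON_DEPS} )
+ readline? ( sys-libs/readline:0= )
+ >=net-libs/libnftnl-1.1.7:0=
+ xtables? ( >=net-firewall/iptables-1.6.1 )
+"
+
+DEPEND="${RDEPEND}"
+
+BDEPEND="
+ doc? (
+ app-text/asciidoc
+ >=app-text/docbook2X-0.8.8-r4
+ )
+ virtual/pkgconfig
+"
+
+REQUIRED_USE="
+ python? ( ${PYTHON_REQUIRED_USE} )
+"
+
+python_make() {
+ emake \
+ -C py \
+ abs_builddir="${S}" \
+ DESTDIR="${D}" \
+ PYTHON_BIN="${PYTHON}" \
+ "${@}"
+}
+
+pkg_setup() {
+ if kernel_is ge 3 13; then
+ if use modern-kernel && kernel_is lt 3 18; then
+ eerror "The modern-kernel USE flag requires kernel version 3.18 or newer to work properly."
+ fi
+ CONFIG_CHECK="~NF_TABLES"
+ linux-info_pkg_setup
+ else
+ eerror "This package requires kernel version 3.13 or newer to work properly."
+ fi
+}
+
+src_prepare() {
+ default
+
+ # fix installation path for doc stuff
+ sed '/^pkgsysconfdir/s@${sysconfdir}.*$@${docdir}/skels@' \
+ -i files/nftables/Makefile.am || die
+ sed '/^pkgsysconfdir/s@${sysconfdir}.*$@${docdir}/skels/osf@' \
+ -i files/osf/Makefile.am || die
+
+ eautoreconf
+}
+
+src_configure() {
+ local myeconfargs=(
+ # We handle python separately
+ --disable-python
+ --sbindir="${EPREFIX}"/sbin
+ $(use_enable debug)
+ $(use_enable doc man-doc)
+ $(use_with !gmp mini_gmp)
+ $(use_with json)
+ $(use_with readline cli readline)
+ $(use_enable static-libs static)
+ $(use_with xtables)
+ )
+ econf "${myeconfargs[@]}"
+}
+
+src_compile() {
+ default
+
+ if use python; then
+ python_foreach_impl python_make
+ fi
+}
+
+src_install() {
+ default
+
+ if ! use doc; then
+ pushd doc >/dev/null || die
+ doman *.?
+ popd >/dev/null || die
+ fi
+
+ local mksuffix="$(usex modern-kernel '-mk' '')"
+
+ exeinto /usr/libexec/${PN}
+ newexe "${FILESDIR}"/libexec/${PN}${mksuffix}.sh ${PN}.sh
+ newconfd "${FILESDIR}"/${PN}${mksuffix}.confd ${PN}
+ newinitd "${FILESDIR}"/${PN}${mksuffix}.init-r1 ${PN}
+ keepdir /var/lib/nftables
+
+ systemd_dounit "${FILESDIR}"/systemd/${PN}-restore.service
+
+ if use python ; then
+ python_foreach_impl python_make install
+ python_foreach_impl python_optimize
+ fi
+
+ find "${ED}" -type f -name "*.la" -delete || die
+}
+
+pkg_postinst() {
+ local save_file
+ save_file="${EROOT}/var/lib/nftables/rules-save"
+
+ # In order for the nftables-restore systemd service to start
+ # the save_file must exist.
+ if [[ ! -f "${save_file}" ]]; then
+ ( umask 177; touch "${save_file}" )
+ elif [[ $(( "$( stat --printf '%05a' "${save_file}" )" & 07177 )) -ne 0 ]]; then
+ ewarn "Your system has dangerous permissions for ${save_file}"
+ ewarn "It is probably affected by bug #691326."
+ ewarn "You may need to fix the permissions of the file. To do so,"
+ ewarn "you can run the command in the line below as root."
+ ewarn " 'chmod 600 \"${save_file}\"'"
+ fi
+
+ if has_version 'sys-apps/systemd'; then
+ elog "If you wish to enable the firewall rules on boot (on systemd) you"
+ elog "will need to enable the nftables-restore service."
+ elog " 'systemctl enable ${PN}-restore.service'"
+ elog
+ elog "If you are creating firewall rules before the next system restart"
+ elog "the nftables-restore service must be manually started in order to"
+ elog "save those rules on shutdown."
+ fi
+ if has_version 'sys-apps/openrc'; then
+ elog "If you wish to enable the firewall rules on boot (on openrc) you"
+ elog "will need to enable the nftables service."
+ elog " 'rc-update add ${PN} default'"
+ elog
+ elog "If you are creating or updating the firewall rules and wish to save"
+ elog "them to be loaded on the next restart, use the \"save\" functionality"
+ elog "in the init script."
+ elog " 'rc-service ${PN} save'"
+ fi
+}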
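Review bot: `src_install` installs `"${FILESDIR}"/${PN}${mksuffix}.init-r1`, and since `modern-kernel` is enabled by default `mksuffix` is `-mk`, so the default build looks for `files/nftables-mk.init-r1`; this commit's diffstat adds only `files/nftables.init-r1`, so unless the `-mk` variant already exists in the tree, `newinitd` fails for the default USE set. If both kernel variants are meant to share the new script, `newinitd "${FILESDIR}"/${PN}.init-r1 ${PN}` would make that explicit and avoid maintaining two copies. Separately, `pkg_setup` only prints `eerror` for a kernel older than 3.13 (or older than 3.18 with `modern-kernel`) and then continues; if that is deliberate so binary-package build hosts are not blocked, a comment such as `# warn only: kernel checks must not abort builds on binpkg hosts` would save the next reader the question. The `umask 177; touch` plus the `07177` permission check in `pkg_postinst` is a sound way to keep the saved ruleset readable by root only.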