1 |
commit: ee0604e2b7263e058c65d222f4c654da3ffdbbd3 |
2 |
Author: Patrick McLean <chutzpah <AT> gentoo <DOT> org> |
3 |
AuthorDate: Mon Sep 28 23:18:39 2020 +0000 |
4 |
Commit: Patrick McLean <chutzpah <AT> gentoo <DOT> org> |
5 |
CommitDate: Mon Sep 28 23:18:39 2020 +0000 |
6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ee0604e2 |
7 |
|
8 |
net-firewall/nftables-0.9.6-r1: revbump, fix init script (bug #744955) |
9 |
|
10 |
Closes: https://bugs.gentoo.org/744955 |
11 |
Package-Manager: Portage-3.0.8, Repoman-3.0.1 |
12 |
Signed-off-by: Patrick McLean <chutzpah <AT> gentoo.org> |
13 |
|
14 |
net-firewall/nftables/files/nftables.init-r1 | 105 ++++++++++++++++ |
15 |
net-firewall/nftables/nftables-0.9.6-r1.ebuild | 162 +++++++++++++++++++++++++ |
16 |
2 files changed, 267 insertions(+) |
17 |
|
18 |
diff --git a/net-firewall/nftables/files/nftables.init-r1 b/net-firewall/nftables/files/nftables.init-r1 |
19 |
new file mode 100644 |
20 |
index 00000000000..45b2abdbda7 |
21 |
--- /dev/null |
22 |
+++ b/net-firewall/nftables/files/nftables.init-r1 |
23 |
@@ -0,0 +1,105 @@ |
24 |
+#!/sbin/openrc-run |
25 |
+# Copyright 1999-2020 Gentoo Authors |
26 |
+# Distributed under the terms of the GNU General Public License v2 |
27 |
+ |
28 |
+extra_commands="check clear list panic save soft_panic" |
29 |
+extra_started_commands="reload" |
30 |
+ |
31 |
+depend() { |
32 |
+ need localmount #434774 |
33 |
+ before net |
34 |
+} |
35 |
+ |
36 |
+checkkernel() { |
37 |
+ if ! /sbin/nft list ruleset >/dev/null 2>/dev/null ; then |
38 |
+ eerror "Your kernel lacks nftables support, please load" |
39 |
+ eerror "appropriate modules and try again." |
40 |
+ return 1 |
41 |
+ fi |
42 |
+ return 0 |
43 |
+} |
44 |
+ |
45 |
+checkconfig() { |
46 |
+ if [ -z "${NFTABLES_SAVE}" -o ! -f "${NFTABLES_SAVE}" ] ; then |
47 |
+ eerror "Not starting nftables. First create some rules then run:" |
48 |
+ eerror "/etc/init.d/${SVCNAME} save" |
49 |
+ return 1 |
50 |
+ fi |
51 |
+ return 0 |
52 |
+} |
53 |
+ |
54 |
+start_pre() { |
55 |
+ checkconfig || return 1 |
56 |
+ checkkernel || return 1 |
57 |
+ check || return 1 |
58 |
+} |
59 |
+ |
60 |
+start() { |
61 |
+ ebegin "Loading ${SVCNAME} state and starting firewall" |
62 |
+ /usr/libexec/nftables/nftables.sh load "${NFTABLES_SAVE}" |
63 |
+ eend $? |
64 |
+} |
65 |
+ |
66 |
+stop() { |
67 |
+ if [ "${SAVE_ON_STOP}" = "yes" ] ; then |
68 |
+ save || return 1 |
69 |
+ fi |
70 |
+ |
71 |
+ ebegin "Stopping firewall" |
72 |
+ if [ "${PANIC_ON_STOP}" = "hard" ]; then |
73 |
+ /usr/libexec/nftables/nftables.sh panic |
74 |
+ elif [ "${PANIC_ON_STOP}" = "soft" ]; then |
75 |
+ /usr/libexec/nftables/nftables.sh soft_panic |
76 |
+ else |
77 |
+ /usr/libexec/nftables/nftables.sh clear |
78 |
+ fi |
79 |
+ eend $? |
80 |
+} |
81 |
+ |
82 |
+reload() { |
83 |
+ start_pre || return 1 |
84 |
+ start |
85 |
+} |
86 |
+ |
87 |
+clear() { |
88 |
+ ebegin "Clearing rules" |
89 |
+ /usr/libexec/nftables/nftables.sh clear |
90 |
+ eend $? |
91 |
+} |
92 |
+ |
93 |
+list() { |
94 |
+ /usr/libexec/nftables/nftables.sh list |
95 |
+} |
96 |
+ |
97 |
+check() { |
98 |
+ ebegin "Checking rules" |
99 |
+ /usr/libexec/nftables/nftables.sh check "${NFTABLES_SAVE}" |
100 |
+ eend $? |
101 |
+} |
102 |
+ |
103 |
+save() { |
104 |
+ ebegin "Saving ${SVCNAME} state" |
105 |
+ checkpath -q -d "$(dirname "${NFTABLES_SAVE}")" |
106 |
+ checkpath -q -m 0600 -f "${NFTABLES_SAVE}" |
107 |
+ SAVE_OPTIONS="${SAVE_OPTIONS}" \ |
108 |
+ /usr/libexec/nftables/nftables.sh store "${NFTABLES_SAVE}" |
109 |
+ eend $? |
110 |
+} |
111 |
+ |
112 |
+panic() { |
113 |
+ if service_started ${SVCNAME}; then |
114 |
+ rc-service ${SVCNAME} zap |
115 |
+ fi |
116 |
+ ebegin "Dropping all packets" |
117 |
+ /usr/libexec/nftables/nftables.sh panic |
118 |
+ eend $? |
119 |
+} |
120 |
+ |
121 |
+soft_panic() { |
122 |
+ if service_started ${SVCNAME}; then |
123 |
+ rc-service ${SVCNAME} zap |
124 |
+ fi |
125 |
+ ebegin "Dropping new connections" |
126 |
+ /usr/libexec/nftables/nftables.sh soft_panic |
127 |
+ eend $? |
128 |
+} |
129 |
|
130 |
diff --git a/net-firewall/nftables/nftables-0.9.6-r1.ebuild b/net-firewall/nftables/nftables-0.9.6-r1.ebuild |
131 |
new file mode 100644 |
132 |
index 00000000000..be001c0ddd6 |
133 |
--- /dev/null |
134 |
+++ b/net-firewall/nftables/nftables-0.9.6-r1.ebuild |
135 |
@@ -0,0 +1,162 @@ |
136 |
+# Copyright 1999-2020 Gentoo Authors |
137 |
+# Distributed under the terms of the GNU General Public License v2 |
138 |
+ |
139 |
+EAPI=7 |
140 |
+ |
141 |
+PYTHON_COMPAT=( python3_{6,7,8,9} ) |
142 |
+ |
143 |
+inherit autotools linux-info python-r1 systemd |
144 |
+ |
145 |
+DESCRIPTION="Linux kernel (3.13+) firewall, NAT and packet mangling tools" |
146 |
+HOMEPAGE="https://netfilter.org/projects/nftables/" |
147 |
+SRC_URI="https://netfilter.org/projects/nftables/files/${P}.tar.bz2" |
148 |
+ |
149 |
+LICENSE="GPL-2" |
150 |
+SLOT="0" |
151 |
+KEYWORDS="~amd64 ~arm ~arm64 ~ia64 ~ppc64 ~sparc ~x86" |
152 |
+IUSE="debug doc +gmp json +modern-kernel python +readline static-libs xtables" |
153 |
+ |
154 |
+RDEPEND=" |
155 |
+ >=net-libs/libmnl-1.0.4:0= |
156 |
+ gmp? ( dev-libs/gmp:0= ) |
157 |
+ json? ( dev-libs/jansson ) |
158 |
+ python? ( ${PYTHON_DEPS} ) |
159 |
+ readline? ( sys-libs/readline:0= ) |
160 |
+ >=net-libs/libnftnl-1.1.7:0= |
161 |
+ xtables? ( >=net-firewall/iptables-1.6.1 ) |
162 |
+" |
163 |
+ |
164 |
+DEPEND="${RDEPEND}" |
165 |
+ |
166 |
+BDEPEND=" |
167 |
+ doc? ( |
168 |
+ app-text/asciidoc |
169 |
+ >=app-text/docbook2X-0.8.8-r4 |
170 |
+ ) |
171 |
+ virtual/pkgconfig |
172 |
+" |
173 |
+ |
174 |
+REQUIRED_USE=" |
175 |
+ python? ( ${PYTHON_REQUIRED_USE} ) |
176 |
+" |
177 |
+ |
178 |
+python_make() { |
179 |
+ emake \ |
180 |
+ -C py \ |
181 |
+ abs_builddir="${S}" \ |
182 |
+ DESTDIR="${D}" \ |
183 |
+ PYTHON_BIN="${PYTHON}" \ |
184 |
+ "${@}" |
185 |
+} |
186 |
+ |
187 |
+pkg_setup() { |
188 |
+ if kernel_is ge 3 13; then |
189 |
+ if use modern-kernel && kernel_is lt 3 18; then |
190 |
+ eerror "The modern-kernel USE flag requires kernel version 3.18 or newer to work properly." |
191 |
+ fi |
192 |
+ CONFIG_CHECK="~NF_TABLES" |
193 |
+ linux-info_pkg_setup |
194 |
+ else |
195 |
+ eerror "This package requires kernel version 3.13 or newer to work properly." |
196 |
+ fi |
197 |
+} |
198 |
+ |
199 |
+src_prepare() { |
200 |
+ default |
201 |
+ |
202 |
+ # fix installation path for doc stuff |
203 |
+ sed '/^pkgsysconfdir/s@${sysconfdir}.*$@${docdir}/skels@' \ |
204 |
+ -i files/nftables/Makefile.am || die |
205 |
+ sed '/^pkgsysconfdir/s@${sysconfdir}.*$@${docdir}/skels/osf@' \ |
206 |
+ -i files/osf/Makefile.am || die |
207 |
+ |
208 |
+ eautoreconf |
209 |
+} |
210 |
+ |
211 |
+src_configure() { |
212 |
+ local myeconfargs=( |
213 |
+ # We handle python separately |
214 |
+ --disable-python |
215 |
+ --sbindir="${EPREFIX}"/sbin |
216 |
+ $(use_enable debug) |
217 |
+ $(use_enable doc man-doc) |
218 |
+ $(use_with !gmp mini_gmp) |
219 |
+ $(use_with json) |
220 |
+ $(use_with readline cli readline) |
221 |
+ $(use_enable static-libs static) |
222 |
+ $(use_with xtables) |
223 |
+ ) |
224 |
+ econf "${myeconfargs[@]}" |
225 |
+} |
226 |
+ |
227 |
+src_compile() { |
228 |
+ default |
229 |
+ |
230 |
+ if use python; then |
231 |
+ python_foreach_impl python_make |
232 |
+ fi |
233 |
+} |
234 |
+ |
235 |
+src_install() { |
236 |
+ default |
237 |
+ |
238 |
+ if ! use doc; then |
239 |
+ pushd doc >/dev/null || die |
240 |
+ doman *.? |
241 |
+ popd >/dev/null || die |
242 |
+ fi |
243 |
+ |
244 |
+ local mksuffix="$(usex modern-kernel '-mk' '')" |
245 |
+ |
246 |
+ exeinto /usr/libexec/${PN} |
247 |
+ newexe "${FILESDIR}"/libexec/${PN}${mksuffix}.sh ${PN}.sh |
248 |
+ newconfd "${FILESDIR}"/${PN}${mksuffix}.confd ${PN} |
249 |
+ newinitd "${FILESDIR}"/${PN}${mksuffix}.init-r1 ${PN} |
250 |
+ keepdir /var/lib/nftables |
251 |
+ |
252 |
+ systemd_dounit "${FILESDIR}"/systemd/${PN}-restore.service |
253 |
+ |
254 |
+ if use python ; then |
255 |
+ python_foreach_impl python_make install |
256 |
+ python_foreach_impl python_optimize |
257 |
+ fi |
258 |
+ |
259 |
+ find "${ED}" -type f -name "*.la" -delete || die |
260 |
+} |
261 |
+ |
262 |
+pkg_postinst() { |
263 |
+ local save_file |
264 |
+ save_file="${EROOT}/var/lib/nftables/rules-save" |
265 |
+ |
266 |
+ # In order for the nftables-restore systemd service to start |
267 |
+ # the save_file must exist. |
268 |
+ if [[ ! -f "${save_file}" ]]; then |
269 |
+ ( umask 177; touch "${save_file}" ) |
270 |
+ elif [[ $(( "$( stat --printf '%05a' "${save_file}" )" & 07177 )) -ne 0 ]]; then |
271 |
+ ewarn "Your system has dangerous permissions for ${save_file}" |
272 |
+ ewarn "It is probably affected by bug #691326." |
273 |
+ ewarn "You may need to fix the permissions of the file. To do so," |
274 |
+ ewarn "you can run the command in the line below as root." |
275 |
+ ewarn " 'chmod 600 \"${save_file}\"'" |
276 |
+ fi |
277 |
+ |
278 |
+ if has_version 'sys-apps/systemd'; then |
279 |
+ elog "If you wish to enable the firewall rules on boot (on systemd) you" |
280 |
+ elog "will need to enable the nftables-restore service." |
281 |
+ elog " 'systemctl enable ${PN}-restore.service'" |
282 |
+ elog |
283 |
+ elog "If you are creating firewall rules before the next system restart" |
284 |
+ elog "the nftables-restore service must be manually started in order to" |
285 |
+ elog "save those rules on shutdown." |
286 |
+ fi |
287 |
+ if has_version 'sys-apps/openrc'; then |
288 |
+ elog "If you wish to enable the firewall rules on boot (on openrc) you" |
289 |
+ elog "will need to enable the nftables service." |
290 |
+ elog " 'rc-update add ${PN} default'" |
291 |
+ elog |
292 |
+ elog "If you are creating or updating the firewall rules and wish to save" |
293 |
+ elog "them to be loaded on the next restart, use the \"save\" functionality" |
294 |
+ elog "in the init script." |
295 |
+ elog " 'rc-service ${PN} save'" |
296 |
+ fi |
297 |
+} |