commit: adbc9428f6d4f5f6751127f4edc6846b36083d28 |
Author: Mike Frysinger <vapier <AT> gentoo <DOT> org> |
AuthorDate: Thu Aug 27 02:07:03 2015 +0000 |
Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org> |
CommitDate: Thu Aug 27 02:07:43 2015 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=adbc9428 |
|
net-firewall/iptables: fix from upstream for static builds #558234 |
|
Silence constant connlabel.conf warnings when using static libs. |
|
.../iptables-1.4.21-static-connlabel-config.patch | 77 +++++++++++++++ |
net-firewall/iptables/iptables-1.4.21-r3.ebuild | 104 +++++++++++++++++++++ |
2 files changed, 181 insertions(+) |
|
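diff --git a/net-firewall/iptables/files/iptables-1.4.21-static-connlabel-config.patch b/net-firewall/iptables/files/iptables-1.4.21-static-connlabel-config.patch
new file mode 100644
index 0000000..a4183d6
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-1.4.21-static-connlabel-config.patch
@@ -0,0 +1,77 @@
+https://bugs.gentoo.org/558234
+http://git.netfilter.org/iptables/commit/?id=825fbda5482a7d5ec5a6619c81fe07ff865c7d6e
+
+From 825fbda5482a7d5ec5a6619c81fe07ff865c7d6e Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@××××××.de>
+Date: Fri, 5 Sep 2014 20:45:56 +0200
+Subject: [PATCH] extensions: libxt_connlabel: do not open config file from
+ _init hook
+
+else, static builds will print this for every iptables invocation,
+even 'iptables -L'. Delay open until we need to translate a mapping.
+
+Reported-by: Thomas De Schampheleire <patrickdepinguin@×××××.com>
+Signed-off-by: Florian Westphal <fw@××××××.de>
+---
+ extensions/libxt_connlabel.c | 27 ++++++++++++++++++++-------
+ 1 file changed, 20 insertions(+), 7 deletions(-)
+
+diff --git a/extensions/libxt_connlabel.c b/extensions/libxt_connlabel.c
+index c84a167..1f83095 100644
+--- a/extensions/libxt_connlabel.c
++++ b/extensions/libxt_connlabel.c
+@@ -29,11 +29,26 @@ static const struct xt_option_entry connlabel_mt_opts[] = {
+ XTOPT_TABLEEND,
+ };
+
++/* cannot do this via _init, else static builds might spew error message
++ * for every iptables invocation.
++ */
++static void connlabel_open(void)
++{
++ if (map)
++ return;
++
++ map = nfct_labelmap_new(NULL);
++ if (!map && errno)
++ xtables_error(RESOURCE_PROBLEM, "cannot open connlabel.conf: %s\n",
++ strerror(errno));
++}
++
+ static void connlabel_mt_parse(struct xt_option_call *cb)
+ {
+ struct xt_connlabel_mtinfo *info = cb->data;
+ int tmp;
+
++ connlabel_open();
+ xtables_option_parse(cb);
+
+ switch (cb->entry->id) {
+@@ -54,7 +69,11 @@ static void connlabel_mt_parse(struct xt_option_call *cb)
+
+ static const char *connlabel_get_name(int b)
+ {
+- const char *name = nfct_labelmap_get_name(map, b);
++ const char *name;
++
++ connlabel_open();
++
++ name = nfct_labelmap_get_name(map, b);
+ if (name && strcmp(name, ""))
+ return name;
+ return NULL;
+@@ -114,11 +133,5 @@ static struct xtables_match connlabel_mt_reg = {
+
+ void _init(void)
+ {
+- map = nfct_labelmap_new(NULL);
+- if (!map) {
+- fprintf(stderr, "cannot open connlabel.conf, not registering '%s' match: %s\n",
+- connlabel_mt_reg.name, strerror(errno));
+- return;
+- }
+ xtables_register_match(&connlabel_mt_reg);
+ }
+--
+2.4.4
+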
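Review bot: In the embedded upstream patch, `connlabel_open()` treats a failed `nfct_labelmap_new(NULL)` as an error only when `errno` is non-zero, yet `errno` is never cleared before the call, so the `!map && errno` test depends on whatever an earlier call left behind. If the call fails with `errno` at 0, the function returns with `map` still NULL and `connlabel_get_name()` passes that NULL straight to `nfct_labelmap_get_name(map, b)`. Whether the library tolerates a NULL map is not visible here, and `connlabel_mt_parse()` continues outside the hunk, so its later use of `map` cannot be checked either. I would set `errno = 0;` immediately before `map = nfct_labelmap_new(NULL);` and add `if (!map) return NULL;` after the `connlabel_open();` call in `connlabel_get_name()`. Since this file is a verbatim upstream backport, the change is best raised upstream rather than made only in this copy.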
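diff --git a/net-firewall/iptables/iptables-1.4.21-r3.ebuild b/net-firewall/iptables/iptables-1.4.21-r3.ebuild
new file mode 100644
index 0000000..ef4eb78
--- /dev/null
+++ b/net-firewall/iptables/iptables-1.4.21-r3.ebuild
@@ -0,0 +1,104 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="5"
+
+# Force users doing their own patches to install their own tools
+AUTOTOOLS_AUTO_DEPEND=no
+
+inherit eutils multilib systemd toolchain-funcs autotools flag-o-matic
+
+DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
+HOMEPAGE="http://www.netfilter.org/projects/iptables/"
+SRC_URI="http://www.netfilter.org/projects/iptables/files/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+# Subslot tracks libxtables as that's the one other packages generally link
+# against and iptables changes. Will have to revisit if other sonames change.
+SLOT="0/10"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
+IUSE="conntrack ipv6 netlink pcap static-libs"
+
+RDEPEND="
+ conntrack? ( net-libs/libnetfilter_conntrack )
+ netlink? ( net-libs/libnfnetlink )
+ pcap? ( net-libs/libpcap )
+"
+DEPEND="${RDEPEND}
+ virtual/os-headers
+ virtual/pkgconfig
+"
+
+src_prepare() {
+ # use the saner headers from the kernel
+ rm -f include/linux/{kernel,types}.h
+
+ epatch "${FILESDIR}"/${P}-configure.patch #557586
+ epatch "${FILESDIR}"/${P}-static-connlabel-config.patch #558234
+
+ # Only run autotools if user patched something
+ epatch_user && eautoreconf || elibtoolize
+}
+
+src_configure() {
+ # Some libs use $(AR) rather than libtool to build #444282
+ tc-export AR
+
+ # Hack around struct mismatches between userland & kernel for some ABIs. #472388
+ use amd64 && [[ ${ABI} == "x32" ]] && append-flags -fpack-struct
+
+ sed -i \
+ -e "/nfnetlink=[01]/s:=[01]:=$(usex netlink 1 0):" \
+ -e "/nfconntrack=[01]/s:=[01]:=$(usex conntrack 1 0):" \
+ configure || die
+
+ econf \
+ --sbindir="${EPREFIX}/sbin" \
+ --libexecdir="${EPREFIX}/$(get_libdir)" \
+ --enable-devel \
+ --enable-shared \
+ $(use_enable pcap bpf-compiler) \
+ $(use_enable static-libs static) \
+ $(use_enable ipv6)
+}
+
+src_compile() {
+ emake V=1
+}
+
+src_install() {
+ default
+ dodoc INCOMPATIBILITIES iptables/iptables.xslt
+
+ # all the iptables binaries are in /sbin, so might as well
+ # put these small files in with them
+ into /
+ dosbin iptables/iptables-apply
+ dosym iptables-apply /sbin/ip6tables-apply
+ doman iptables/iptables-apply.8
+
+ insinto /usr/include
+ doins include/iptables.h $(use ipv6 && echo include/ip6tables.h)
+ insinto /usr/include/iptables
+ doins include/iptables/internal.h
+
+ keepdir /var/lib/iptables
+ newinitd "${FILESDIR}"/${PN}.init iptables
+ newconfd "${FILESDIR}"/${PN}-1.4.13.confd iptables
+ if use ipv6 ; then
+ keepdir /var/lib/ip6tables
+ newinitd "${FILESDIR}"/iptables.init ip6tables
+ newconfd "${FILESDIR}"/ip6tables-1.4.13.confd ip6tables
+ fi
+
+ systemd_dounit "${FILESDIR}"/systemd/iptables{,-{re,}store}.service
+ if use ipv6 ; then
+ systemd_dounit "${FILESDIR}"/systemd/ip6tables{,-{re,}store}.service
+ fi
+
+ # Move important libs to /lib #332175
+ gen_usr_ldscript -a ip{4,6}tc iptc xtables
+
+ prune_libtool_files
+}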
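Review bot: `SRC_URI` (and `HOMEPAGE`) in the new ebuild point at `http://www.netfilter.org/...`, so the source tarball of a firewall package is fetched over an unauthenticated channel and its integrity rests entirely on the Manifest digests, which this commit does not touch. If upstream serves the same path over TLS, prefer `SRC_URI="https://www.netfilter.org/projects/iptables/files/${P}.tar.bz2"`. Separately, the `sed -i ... configure || die` in `src_configure` dies only when sed itself fails, not when neither `nfnetlink=[01]` nor `nfconntrack=[01]` matches. A comment there saying that the USE-flag override silently becomes a no-op if configure changes would help at the next version bump.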