commit: 68abaa58cd88af0dcfe1168fa06e0189668f3ff9
Author: Hank Leininger <hlein <AT> korelogic <DOT> com>
AuthorDate: Fri May 20 01:05:00 2022 +0000
Commit: Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Fri May 20 03:26:56 2022 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=68abaa58
|
net-firewall/iptables: Remove obsolete option from init script
|
Upstream changed how locking is handled and removed --wait-interval.
|
Signed-off-by: Hank Leininger <hlein <AT> korelogic.com>
Closes: https://bugs.gentoo.org/846518
Package-Manager: Portage-3.0.30, Repoman-3.0.3
Closes: https://github.com/gentoo/gentoo/pull/25568
Signed-off-by: Sam James <sam <AT> gentoo.org>
|
net-firewall/iptables/files/iptables-r3.init | 165 +++++++++++++++++++++++
net-firewall/iptables/iptables-1.8.8-r2.ebuild | 177 +++++++++++++++++++++++++
2 files changed, 342 insertions(+)
|
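diff --git a/net-firewall/iptables/files/iptables-r3.init b/net-firewall/iptables/files/iptables-r3.init
new file mode 100644
index 000000000000..53eb4246c59f
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-r3.init
@@ -0,0 +1,165 @@
+#!/sbin/openrc-run
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+extra_commands="check save panic"
+extra_started_commands="reload"
+
+iptables_lock_wait_time=${IPTABLES_LOCK_WAIT_TIME:-"60"}
+iptables_lock_wait_interval=${IPTABLES_LOCK_WAIT_INTERVAL:-"1000"}
+
+iptables_name=${SVCNAME}
+case ${iptables_name} in
+ iptables|ip6tables) ;;
+ *) iptables_name="iptables" ;;
+esac
+
+iptables_bin="/sbin/${iptables_name}"
+case ${iptables_name} in
+ iptables) iptables_proc="/proc/net/ip_tables_names"
+ iptables_save=${IPTABLES_SAVE};;
+ ip6tables) iptables_proc="/proc/net/ip6_tables_names"
+ iptables_save=${IP6TABLES_SAVE};;
+esac
+
+depend() {
+ need localmount #434774
+ before net
+}
+
+set_table_policy() {
+ local has_errors=0 chains table=$1 policy=$2
+ case ${table} in
+ nat) chains="PREROUTING POSTROUTING OUTPUT";;
+ mangle) chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING";;
+ filter) chains="INPUT FORWARD OUTPUT";;
+ *) chains="";;
+ esac
+
+ local chain
+ for chain in ${chains} ; do
+ ${iptables_bin} --wait ${iptables_lock_wait_time} -t ${table} -P ${chain} ${policy}
+ [ $? -ne 0 ] && has_errors=1
+ done
+
+ return ${has_errors}
+}
+
+checkkernel() {
+ if [ ! -e ${iptables_proc} ] ; then
+ eerror "Your kernel lacks ${iptables_name} support, please load"
+ eerror "appropriate modules and try again."
+ return 1
+ fi
+ return 0
+}
+
+checkconfig() {
+ if [ -z "${iptables_save}" -o ! -f "${iptables_save}" ] ; then
+ eerror "Not starting ${iptables_name}. First create some rules then run:"
+ eerror "/etc/init.d/${iptables_name} save"
+ return 1
+ fi
+ return 0
+}
+
+start_pre() {
+ checkconfig || return 1
+}
+
+start() {
+ ebegin "Loading ${iptables_name} state and starting firewall"
+ ${iptables_bin}-restore --wait ${iptables_lock_wait_time} ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
+ eend $?
+}
+
+stop_pre() {
+ checkkernel || return 1
+}
+
+stop() {
+ if [ "${SAVE_ON_STOP}" = "yes" ] ; then
+ save || return 1
+ fi
+
+ ebegin "Stopping firewall"
+ local has_errors=0 a
+ for a in $(cat ${iptables_proc}) ; do
+ set_table_policy $a ACCEPT
+ [ $? -ne 0 ] && has_errors=1
+
+ ${iptables_bin} --wait ${iptables_lock_wait_time} -F -t $a
+ [ $? -ne 0 ] && has_errors=1
+
+ ${iptables_bin} --wait ${iptables_lock_wait_time} -X -t $a
+ [ $? -ne 0 ] && has_errors=1
+ done
+ eend ${has_errors}
+}
+
+reload() {
+ checkkernel || return 1
+ checkrules || return 1
+ ebegin "Flushing firewall"
+ local has_errors=0 a
+ for a in $(cat ${iptables_proc}) ; do
+ ${iptables_bin} --wait ${iptables_lock_wait_time} -F -t $a
+ [ $? -ne 0 ] && has_errors=1
+
+ ${iptables_bin} --wait ${iptables_lock_wait_time} -X -t $a
+ [ $? -ne 0 ] && has_errors=1
+ done
+ eend ${has_errors}
+
+ start
+}
+
+checkrules() {
+ ebegin "Checking rules"
+ ${iptables_bin}-restore --test ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
+ eend $?
+}
+
+check() {
+ # Short name for users of init.d script.
+ checkrules
+}
+
+save() {
+ ebegin "Saving ${iptables_name} state"
+ checkpath -q -d "$(dirname "${iptables_save}")"
+ checkpath -q -m 0600 -f "${iptables_save}"
+ ${iptables_bin}-save ${SAVE_RESTORE_OPTIONS} > "${iptables_save}"
+ eend $?
+}
+
+panic() {
+ # use iptables autoload capability to load at least all required
+ # modules and filter table
+ ${iptables_bin} --wait ${iptables_lock_wait_time} -S >/dev/null
+ if [ $? -ne 0 ] ; then
+ eerror "${iptables_bin} failed to load"
+ return 1
+ fi
+
+ if service_started ${iptables_name}; then
+ rc-service ${iptables_name} stop
+ fi
+
+ local has_errors=0 a
+ ebegin "Dropping all packets"
+ for a in $(cat ${iptables_proc}) ; do
+ ${iptables_bin} --wait ${iptables_lock_wait_time} -F -t $a
+ [ $? -ne 0 ] && has_errors=1
+
+ ${iptables_bin} --wait ${iptables_lock_wait_time} -X -t $a
+ [ $? -ne 0 ] && has_errors=1
+
+ if [ "${a}" != "nat" ]; then
+ # The "nat" table is not intended for filtering, the use of DROP is therefore inhibited.
+ set_table_policy $a DROP
+ [ $? -ne 0 ] && has_errors=1
+ fi
+ done
+ eend ${has_errors}
+}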
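Review bot: `iptables_lock_wait_interval=${IPTABLES_LOCK_WAIT_INTERVAL:-"1000"}` (script line 9) is now dead: with `--wait-interval` gone, every invocation passes only `--wait ${iptables_lock_wait_time}` and nothing in the file reads the variable. Drop the assignment so the script stops advertising a knob with no effect, and if the `-r1` confd files installed by the ebuild still document IPTABLES_LOCK_WAIT_INTERVAL (not visible here), mark it there as ignored by this revision. A second point in `save()`: the redirection in `${iptables_bin}-save ${SAVE_RESTORE_OPTIONS} > "${iptables_save}"` truncates the rules file before the dump begins, so a failure part-way (lock timeout, bad option) leaves a partial file that `checkconfig` still accepts and the next `start` restores. Dumping to a sibling temporary file created with the same 0600 mode and renaming it into place only when `-save` exits 0 keeps the last good ruleset intact; the rewritten function is below.
```shell
save() {
	ebegin "Saving ${iptables_name} state"
	checkpath -q -d "$(dirname "${iptables_save}")"
	# Dump to a sibling temp file and rename it in, so a failed dump
	# cannot leave a truncated ruleset for the next start to restore.
	local tmp="${iptables_save}.tmp.$$"
	checkpath -q -m 0600 -f "${tmp}"
	if ${iptables_bin}-save ${SAVE_RESTORE_OPTIONS} > "${tmp}"; then
		mv -f "${tmp}" "${iptables_save}"
	else
		rm -f "${tmp}"
		false
	fi
	eend $?
}
```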
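diff --git a/net-firewall/iptables/iptables-1.8.8-r2.ebuild b/net-firewall/iptables/iptables-1.8.8-r2.ebuild
new file mode 100644
index 000000000000..03c908c9d9b1
--- /dev/null
+++ b/net-firewall/iptables/iptables-1.8.8-r2.ebuild
@@ -0,0 +1,177 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit systemd toolchain-funcs autotools flag-o-matic usr-ldscript
+
+DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
+HOMEPAGE="https://www.netfilter.org/projects/iptables/"
+SRC_URI="https://www.netfilter.org/projects/iptables/files/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+# Subslot reflects PV when libxtables and/or libip*tc was changed
+# the last time.
+SLOT="0/1.8.3"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
+IUSE="conntrack netlink nftables pcap static-libs"
+
+BUILD_DEPEND="
+ >=app-eselect/eselect-iptables-20220320
+"
+COMMON_DEPEND="
+ conntrack? ( >=net-libs/libnetfilter_conntrack-1.0.6 )
+ netlink? ( net-libs/libnfnetlink )
+ nftables? (
+ >=net-libs/libmnl-1.0:0=
+ >=net-libs/libnftnl-1.1.6:0=
+ )
+ pcap? ( net-libs/libpcap )
+"
+DEPEND="${COMMON_DEPEND}
+ virtual/os-headers
+ >=sys-kernel/linux-headers-4.4:0
+"
+BDEPEND="${BUILD_DEPEND}
+ virtual/pkgconfig
+ nftables? (
+ sys-devel/flex
+ virtual/yacc
+ )
+"
+RDEPEND="${COMMON_DEPEND}
+ ${BUILD_DEPEND}
+ nftables? ( net-misc/ethertypes )
+ !<net-firewall/ebtables-2.0.11-r1
+ !<net-firewall/arptables-0.0.5-r1
+"
+
+PATCHES=(
+ "${FILESDIR}/iptables-1.8.4-no-symlinks.patch"
+ "${FILESDIR}/iptables-1.8.2-link.patch"
+
+ "${FILESDIR}/${P}-format-security.patch"
+ "${FILESDIR}/${P}-uint-musl.patch"
+)
+
+src_prepare() {
+ # use the saner headers from the kernel
+ rm include/linux/{kernel,types}.h || die
+
+ default
+ eautoreconf
+}
+
+src_configure() {
+ # Some libs use $(AR) rather than libtool to build #444282
+ tc-export AR
+
+ # Hack around struct mismatches between userland & kernel for some ABIs. #472388
+ use amd64 && [[ ${ABI} == "x32" ]] && append-flags -fpack-struct
+
+ sed -i \
+ -e "/nfnetlink=[01]/s:=[01]:=$(usex netlink 1 0):" \
+ -e "/nfconntrack=[01]/s:=[01]:=$(usex conntrack 1 0):" \
+ configure || die
+
+ local myeconfargs=(
+ --sbindir="${EPREFIX}/sbin"
+ --libexecdir="${EPREFIX}/$(get_libdir)"
+ --enable-devel
+ --enable-ipv6
+ --enable-shared
+ $(use_enable nftables)
+ $(use_enable pcap bpf-compiler)
+ $(use_enable pcap nfsynproxy)
+ $(use_enable static-libs static)
+ )
+ econf "${myeconfargs[@]}"
+}
+
+src_compile() {
+ emake V=1
+}
+
+src_install() {
+ default
+ dodoc INCOMPATIBILITIES iptables/iptables.xslt
+
+ # all the iptables binaries are in /sbin, so might as well
+ # put these small files in with them
+ into /
+ dosbin iptables/iptables-apply
+ dosym iptables-apply /sbin/ip6tables-apply
+ doman iptables/iptables-apply.8
+
+ insinto /usr/include
+ doins include/ip{,6}tables.h
+ insinto /usr/include/iptables
+ doins include/iptables/internal.h
+
+ keepdir /var/lib/ip{,6}tables
+ newinitd "${FILESDIR}"/${PN}-r3.init iptables
+ newconfd "${FILESDIR}"/${PN}-r1.confd iptables
+ dosym iptables /etc/init.d/ip6tables
+ newconfd "${FILESDIR}"/ip6tables-r1.confd ip6tables
+
+ if use nftables; then
+ # Bug 647458
+ rm "${ED}"/etc/ethertypes || die
+
+ # Bugs 660886 and 669894
+ rm "${ED}"/sbin/{arptables,ebtables}{,-{save,restore}} || die
+ fi
+
+ systemd_dounit "${FILESDIR}"/systemd/ip{,6}tables-{re,}store.service
+
+ # Move important libs to /lib #332175
+ gen_usr_ldscript -a ip{4,6}tc xtables
+
+ find "${ED}" -type f -name "*.la" -delete || die
+}
+
+pkg_postinst() {
+ local default_iptables="xtables-legacy-multi"
+ if ! eselect iptables show &>/dev/null; then
+ elog "Current iptables implementation is unset, setting to ${default_iptables}"
+ eselect iptables set "${default_iptables}"
+ fi
+
+ if use nftables; then
+ local tables
+ for tables in {arp,eb}tables; do
+ if ! eselect ${tables} show &>/dev/null; then
+ elog "Current ${tables} implementation is unset, setting to ${default_iptables}"
+ eselect ${tables} set xtables-nft-multi
+ fi
+ done
+ fi
+
+ eselect iptables show
+}
+
+pkg_prerm() {
+ if [[ -z ${REPLACED_BY_VERSION} ]]; then
+ elog "Unsetting iptables symlinks before removal"
+ eselect iptables unset
+ fi
+
+ if ! has_version 'net-firewall/ebtables'; then
+ elog "Unsetting ebtables symlinks before removal"
+ eselect ebtables unset
+ elif [[ -z ${REPLACED_BY_VERSION} ]]; then
+ elog "Resetting ebtables symlinks to ebtables-legacy"
+ eselect ebtables set ebtables-legacy
+ fi
+
+ if ! has_version 'net-firewall/arptables'; then
+ elog "Unsetting arptables symlinks before removal"
+ eselect arptables unset
+ elif [[ -z ${REPLACED_BY_VERSION} ]]; then
+ elog "Resetting arptables symlinks to arptables-legacy"
+ eselect arptables set arptables-legacy
+ fi
+
+ # the eselect module failing should not be fatal
+ return 0
+}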
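Review bot: In `pkg_postinst` the `for tables in {arp,eb}tables` loop logs `setting to ${default_iptables}` (which is xtables-legacy-multi) but then runs `eselect ${tables} set xtables-nft-multi`, so the message names an implementation that is not the one being selected. Either add `local default_nft="xtables-nft-multi"` next to `default_iptables` and use it in both the elog and the eselect call, or change the message to `elog "Current ${tables} implementation is unset, setting to xtables-nft-multi"`. This revision appears to be the previous ebuild with the init script bumped to `${PN}-r3.init`, so the mismatch is presumably inherited rather than new, but it is worth fixing while the file is being re-added.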