
From: Sam James <sam@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: net-firewall/iptables/, net-firewall/iptables/files/
Date: Fri, 20 May 2022 03:27:32
Message-Id: 1653017216.68abaa58cd88af0dcfe1168fa06e0189668f3ff9.sam@gentoo
1 commit: 68abaa58cd88af0dcfe1168fa06e0189668f3ff9
2 Author: Hank Leininger <hlein <AT> korelogic <DOT> com>
3 AuthorDate: Fri May 20 01:05:00 2022 +0000
4 Commit: Sam James <sam <AT> gentoo <DOT> org>
5 CommitDate: Fri May 20 03:26:56 2022 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=68abaa58
7
8 net-firewall/iptables: Remove obsolete option from init script
9
10 Upstream changed how locking is handled and removed --wait-interval.
11
12 Signed-off-by: Hank Leininger <hlein <AT> korelogic.com>
13 Closes: https://bugs.gentoo.org/846518
14 Package-Manager: Portage-3.0.30, Repoman-3.0.3
15 Closes: https://github.com/gentoo/gentoo/pull/25568
16 Signed-off-by: Sam James <sam <AT> gentoo.org>
17
18 net-firewall/iptables/files/iptables-r3.init | 165 +++++++++++++++++++++++
19 net-firewall/iptables/iptables-1.8.8-r2.ebuild | 177 +++++++++++++++++++++++++
20 2 files changed, 342 insertions(+)
21
22 diff --git a/net-firewall/iptables/files/iptables-r3.init b/net-firewall/iptables/files/iptables-r3.init
23 new file mode 100644
24 index 000000000000..53eb4246c59f
25 --- /dev/null
26 +++ b/net-firewall/iptables/files/iptables-r3.init
27 @@ -0,0 +1,165 @@
28 +#!/sbin/openrc-run
29 +# Copyright 1999-2022 Gentoo Authors
30 +# Distributed under the terms of the GNU General Public License v2
31 +
32 +extra_commands="check save panic"
33 +extra_started_commands="reload"
34 +
35 +iptables_lock_wait_time=${IPTABLES_LOCK_WAIT_TIME:-"60"}
36 +iptables_lock_wait_interval=${IPTABLES_LOCK_WAIT_INTERVAL:-"1000"}
37 +
38 +iptables_name=${SVCNAME}
39 +case ${iptables_name} in
40 + iptables|ip6tables) ;;
41 + *) iptables_name="iptables" ;;
42 +esac
43 +
44 +iptables_bin="/sbin/${iptables_name}"
45 +case ${iptables_name} in
46 + iptables) iptables_proc="/proc/net/ip_tables_names"
47 + iptables_save=${IPTABLES_SAVE};;
48 + ip6tables) iptables_proc="/proc/net/ip6_tables_names"
49 + iptables_save=${IP6TABLES_SAVE};;
50 +esac
51 +
52 +depend() {
53 + need localmount #434774
54 + before net
55 +}
56 +
57 +set_table_policy() {
58 + local has_errors=0 chains table=$1 policy=$2
59 + case ${table} in
60 + nat) chains="PREROUTING POSTROUTING OUTPUT";;
61 + mangle) chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING";;
62 + filter) chains="INPUT FORWARD OUTPUT";;
63 + *) chains="";;
64 + esac
65 +
66 + local chain
67 + for chain in ${chains} ; do
68 + ${iptables_bin} --wait ${iptables_lock_wait_time} -t ${table} -P ${chain} ${policy}
69 + [ $? -ne 0 ] && has_errors=1
70 + done
71 +
72 + return ${has_errors}
73 +}
74 +
75 +checkkernel() {
76 + if [ ! -e ${iptables_proc} ] ; then
77 + eerror "Your kernel lacks ${iptables_name} support, please load"
78 + eerror "appropriate modules and try again."
79 + return 1
80 + fi
81 + return 0
82 +}
83 +
84 +checkconfig() {
85 + if [ -z "${iptables_save}" -o ! -f "${iptables_save}" ] ; then
86 + eerror "Not starting ${iptables_name}. First create some rules then run:"
87 + eerror "/etc/init.d/${iptables_name} save"
88 + return 1
89 + fi
90 + return 0
91 +}
92 +
93 +start_pre() {
94 + checkconfig || return 1
95 +}
96 +
97 +start() {
98 + ebegin "Loading ${iptables_name} state and starting firewall"
99 + ${iptables_bin}-restore --wait ${iptables_lock_wait_time} ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
100 + eend $?
101 +}
102 +
103 +stop_pre() {
104 + checkkernel || return 1
105 +}
106 +
107 +stop() {
108 + if [ "${SAVE_ON_STOP}" = "yes" ] ; then
109 + save || return 1
110 + fi
111 +
112 + ebegin "Stopping firewall"
113 + local has_errors=0 a
114 + for a in $(cat ${iptables_proc}) ; do
115 + set_table_policy $a ACCEPT
116 + [ $? -ne 0 ] && has_errors=1
117 +
118 + ${iptables_bin} --wait ${iptables_lock_wait_time} -F -t $a
119 + [ $? -ne 0 ] && has_errors=1
120 +
121 + ${iptables_bin} --wait ${iptables_lock_wait_time} -X -t $a
122 + [ $? -ne 0 ] && has_errors=1
123 + done
124 + eend ${has_errors}
125 +}
126 +
127 +reload() {
128 + checkkernel || return 1
129 + checkrules || return 1
130 + ebegin "Flushing firewall"
131 + local has_errors=0 a
132 + for a in $(cat ${iptables_proc}) ; do
133 + ${iptables_bin} --wait ${iptables_lock_wait_time} -F -t $a
134 + [ $? -ne 0 ] && has_errors=1
135 +
136 + ${iptables_bin} --wait ${iptables_lock_wait_time} -X -t $a
137 + [ $? -ne 0 ] && has_errors=1
138 + done
139 + eend ${has_errors}
140 +
141 + start
142 +}
143 +
144 +checkrules() {
145 + ebegin "Checking rules"
146 + ${iptables_bin}-restore --test ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
147 + eend $?
148 +}
149 +
150 +check() {
151 + # Short name for users of init.d script.
152 + checkrules
153 +}
154 +
155 +save() {
156 + ebegin "Saving ${iptables_name} state"
157 + checkpath -q -d "$(dirname "${iptables_save}")"
158 + checkpath -q -m 0600 -f "${iptables_save}"
159 + ${iptables_bin}-save ${SAVE_RESTORE_OPTIONS} > "${iptables_save}"
160 + eend $?
161 +}
162 +
163 +panic() {
164 + # use iptables autoload capability to load at least all required
165 + # modules and filter table
166 + ${iptables_bin} --wait ${iptables_lock_wait_time} -S >/dev/null
167 + if [ $? -ne 0 ] ; then
168 + eerror "${iptables_bin} failed to load"
169 + return 1
170 + fi
171 +
172 + if service_started ${iptables_name}; then
173 + rc-service ${iptables_name} stop
174 + fi
175 +
176 + local has_errors=0 a
177 + ebegin "Dropping all packets"
178 + for a in $(cat ${iptables_proc}) ; do
179 + ${iptables_bin} --wait ${iptables_lock_wait_time} -F -t $a
180 + [ $? -ne 0 ] && has_errors=1
181 +
182 + ${iptables_bin} --wait ${iptables_lock_wait_time} -X -t $a
183 + [ $? -ne 0 ] && has_errors=1
184 +
185 + if [ "${a}" != "nat" ]; then
186 + # The "nat" table is not intended for filtering, the use of DROP is therefore inhibited.
187 + set_table_policy $a DROP
188 + [ $? -ne 0 ] && has_errors=1
189 + fi
190 + done
191 + eend ${has_errors}
192 +}
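Review bot: `iptables_lock_wait_interval` is still assigned from `IPTABLES_LOCK_WAIT_INTERVAL` near the top of the script but is no longer read anywhere now that every `--wait-interval` use is gone, so the variable is dead and the confd shipped alongside it (not in this commit) presumably still documents a knob that has no effect; drop the line `iptables_lock_wait_interval=${IPTABLES_LOCK_WAIT_INTERVAL:-"1000"}` and prune the matching confd entry if it exists. Separately, panic() first runs `rc-service ${iptables_name} stop`, which sets every chain policy to ACCEPT and flushes, and only afterwards flushes each table again and sets DROP, so the host is fully open for the duration of the very command meant to lock it down; moving `set_table_policy $a DROP` ahead of the `-F`/`-X` calls in the panic loop (nat excepted) would close that window. Also checkrules() invokes `${iptables_bin}-restore --test` without the `--wait` every other invocation passes, which reads as an oversight, though I cannot confirm from here whether `--test` takes the xtables lock.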
193
194 diff --git a/net-firewall/iptables/iptables-1.8.8-r2.ebuild b/net-firewall/iptables/iptables-1.8.8-r2.ebuild
195 new file mode 100644
196 index 000000000000..03c908c9d9b1
197 --- /dev/null
198 +++ b/net-firewall/iptables/iptables-1.8.8-r2.ebuild
199 @@ -0,0 +1,177 @@
200 +# Copyright 1999-2022 Gentoo Authors
201 +# Distributed under the terms of the GNU General Public License v2
202 +
203 +EAPI=7
204 +
205 +inherit systemd toolchain-funcs autotools flag-o-matic usr-ldscript
206 +
207 +DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
208 +HOMEPAGE="https://www.netfilter.org/projects/iptables/"
209 +SRC_URI="https://www.netfilter.org/projects/iptables/files/${P}.tar.bz2"
210 +
211 +LICENSE="GPL-2"
212 +# Subslot reflects PV when libxtables and/or libip*tc was changed
213 +# the last time.
214 +SLOT="0/1.8.3"
215 +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
216 +IUSE="conntrack netlink nftables pcap static-libs"
217 +
218 +BUILD_DEPEND="
219 + >=app-eselect/eselect-iptables-20220320
220 +"
221 +COMMON_DEPEND="
222 + conntrack? ( >=net-libs/libnetfilter_conntrack-1.0.6 )
223 + netlink? ( net-libs/libnfnetlink )
224 + nftables? (
225 + >=net-libs/libmnl-1.0:0=
226 + >=net-libs/libnftnl-1.1.6:0=
227 + )
228 + pcap? ( net-libs/libpcap )
229 +"
230 +DEPEND="${COMMON_DEPEND}
231 + virtual/os-headers
232 + >=sys-kernel/linux-headers-4.4:0
233 +"
234 +BDEPEND="${BUILD_DEPEND}
235 + virtual/pkgconfig
236 + nftables? (
237 + sys-devel/flex
238 + virtual/yacc
239 + )
240 +"
241 +RDEPEND="${COMMON_DEPEND}
242 + ${BUILD_DEPEND}
243 + nftables? ( net-misc/ethertypes )
244 + !<net-firewall/ebtables-2.0.11-r1
245 + !<net-firewall/arptables-0.0.5-r1
246 +"
247 +
248 +PATCHES=(
249 + "${FILESDIR}/iptables-1.8.4-no-symlinks.patch"
250 + "${FILESDIR}/iptables-1.8.2-link.patch"
251 +
252 + "${FILESDIR}/${P}-format-security.patch"
253 + "${FILESDIR}/${P}-uint-musl.patch"
254 +)
255 +
256 +src_prepare() {
257 + # use the saner headers from the kernel
258 + rm include/linux/{kernel,types}.h || die
259 +
260 + default
261 + eautoreconf
262 +}
263 +
264 +src_configure() {
265 + # Some libs use $(AR) rather than libtool to build #444282
266 + tc-export AR
267 +
268 + # Hack around struct mismatches between userland & kernel for some ABIs. #472388
269 + use amd64 && [[ ${ABI} == "x32" ]] && append-flags -fpack-struct
270 +
271 + sed -i \
272 + -e "/nfnetlink=[01]/s:=[01]:=$(usex netlink 1 0):" \
273 + -e "/nfconntrack=[01]/s:=[01]:=$(usex conntrack 1 0):" \
274 + configure || die
275 +
276 + local myeconfargs=(
277 + --sbindir="${EPREFIX}/sbin"
278 + --libexecdir="${EPREFIX}/$(get_libdir)"
279 + --enable-devel
280 + --enable-ipv6
281 + --enable-shared
282 + $(use_enable nftables)
283 + $(use_enable pcap bpf-compiler)
284 + $(use_enable pcap nfsynproxy)
285 + $(use_enable static-libs static)
286 + )
287 + econf "${myeconfargs[@]}"
288 +}
289 +
290 +src_compile() {
291 + emake V=1
292 +}
293 +
294 +src_install() {
295 + default
296 + dodoc INCOMPATIBILITIES iptables/iptables.xslt
297 +
298 + # all the iptables binaries are in /sbin, so might as well
299 + # put these small files in with them
300 + into /
301 + dosbin iptables/iptables-apply
302 + dosym iptables-apply /sbin/ip6tables-apply
303 + doman iptables/iptables-apply.8
304 +
305 + insinto /usr/include
306 + doins include/ip{,6}tables.h
307 + insinto /usr/include/iptables
308 + doins include/iptables/internal.h
309 +
310 + keepdir /var/lib/ip{,6}tables
311 + newinitd "${FILESDIR}"/${PN}-r3.init iptables
312 + newconfd "${FILESDIR}"/${PN}-r1.confd iptables
313 + dosym iptables /etc/init.d/ip6tables
314 + newconfd "${FILESDIR}"/ip6tables-r1.confd ip6tables
315 +
316 + if use nftables; then
317 + # Bug 647458
318 + rm "${ED}"/etc/ethertypes || die
319 +
320 + # Bugs 660886 and 669894
321 + rm "${ED}"/sbin/{arptables,ebtables}{,-{save,restore}} || die
322 + fi
323 +
324 + systemd_dounit "${FILESDIR}"/systemd/ip{,6}tables-{re,}store.service
325 +
326 + # Move important libs to /lib #332175
327 + gen_usr_ldscript -a ip{4,6}tc xtables
328 +
329 + find "${ED}" -type f -name "*.la" -delete || die
330 +}
331 +
332 +pkg_postinst() {
333 + local default_iptables="xtables-legacy-multi"
334 + if ! eselect iptables show &>/dev/null; then
335 + elog "Current iptables implementation is unset, setting to ${default_iptables}"
336 + eselect iptables set "${default_iptables}"
337 + fi
338 +
339 + if use nftables; then
340 + local tables
341 + for tables in {arp,eb}tables; do
342 + if ! eselect ${tables} show &>/dev/null; then
343 + elog "Current ${tables} implementation is unset, setting to ${default_iptables}"
344 + eselect ${tables} set xtables-nft-multi
345 + fi
346 + done
347 + fi
348 +
349 + eselect iptables show
350 +}
351 +
352 +pkg_prerm() {
353 + if [[ -z ${REPLACED_BY_VERSION} ]]; then
354 + elog "Unsetting iptables symlinks before removal"
355 + eselect iptables unset
356 + fi
357 +
358 + if ! has_version 'net-firewall/ebtables'; then
359 + elog "Unsetting ebtables symlinks before removal"
360 + eselect ebtables unset
361 + elif [[ -z ${REPLACED_BY_VERSION} ]]; then
362 + elog "Resetting ebtables symlinks to ebtables-legacy"
363 + eselect ebtables set ebtables-legacy
364 + fi
365 +
366 + if ! has_version 'net-firewall/arptables'; then
367 + elog "Unsetting arptables symlinks before removal"
368 + eselect arptables unset
369 + elif [[ -z ${REPLACED_BY_VERSION} ]]; then
370 + elog "Resetting arptables symlinks to arptables-legacy"
371 + eselect arptables set arptables-legacy
372 + fi
373 +
374 + # the eselect module failing should not be fatal
375 + return 0
376 +}
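Review bot: In pkg_postinst the message `elog "Current ${tables} implementation is unset, setting to ${default_iptables}"` names xtables-legacy-multi, but the next line `eselect ${tables} set xtables-nft-multi` selects the nft backend, so the log misreports which arptables/ebtables implementation was activated on a nftables system. Either introduce `local default_nft="xtables-nft-multi"` and use it in both the elog and the eselect call, or change the message to `setting to xtables-nft-multi`. The `eselect ... set` calls are also unchecked, so a failure leaves the symlinks unset with only the trailing `eselect iptables show` as a hint; appending `|| ewarn "eselect ${tables} set failed"` would make that visible to the admin.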