
From: Thomas Deutschmann <whissi@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: net-firewall/iptables/files/, net-firewall/iptables/
Date: Tue, 20 Nov 2018 15:36:54
Message-Id: 1542728198.cdc003118830087bbb409761fe4e0e2c19ea103a.whissi@gentoo
1 commit: cdc003118830087bbb409761fe4e0e2c19ea103a
2 Author: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
3 AuthorDate: Tue Nov 20 15:36:22 2018 +0000
4 Commit: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
5 CommitDate: Tue Nov 20 15:36:38 2018 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cdc00311
7
8 net-firewall/iptables: multiple fixes for runscript
9
10 - We are now passing iptables "--wait" option to every iptables
11 command which needs to acquire a lock. [Bug 501710]
12
13 - In addition, "--wait" (IPTABLES_LOCK_WAIT_TIME) and "--wait-interval"
14 (IPTABLES_LOCK_WAIT_INTERVAL) is now configurable via
15 /etc/conf.d/{iptables,ip6tables}.
16
17 - We are now only installing one runscript and now using a symlink
18 for the ip6tables runscript.
19
20 - Error detection improved/added.
21
22 Closes: https://bugs.gentoo.org/501710
23 Package-Manager: Portage-2.3.52, Repoman-2.3.12
24 Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org>
25
26 net-firewall/iptables/files/ip6tables-r1.confd | 27 +++++
27 net-firewall/iptables/files/iptables-r1.confd | 27 +++++
28 net-firewall/iptables/files/iptables-r1.init | 159 +++++++++++++++++++++++++
29 net-firewall/iptables/iptables-1.8.2-r1.ebuild | 129 ++++++++++++++++++++
30 4 files changed, 342 insertions(+)
31
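diff --git a/net-firewall/iptables/files/ip6tables-r1.confd b/net-firewall/iptables/files/ip6tables-r1.confd
new file mode 100644
index 00000000000..e608f41d1ea
--- /dev/null
+++ b/net-firewall/iptables/files/ip6tables-r1.confd
@@ -0,0 +1,27 @@
+# /etc/conf.d/ip6tables
+
+# Set wait option for xtables lock in seconds
+# DEFAULT: 60
+#IPTABLES_LOCK_WAIT_TIME="60"
+
+# Set wait interval option for xtables lock in microseconds
+# DEFAULT: 1000
+#IPTABLES_LOCK_WAIT_INTERVAL="1000"
+
+# Location in which ip6tables initscript will save set rules on
+# service shutdown
+IP6TABLES_SAVE="/var/lib/ip6tables/rules-save"
+
+# Options to pass to ip6tables-save and ip6tables-restore
+SAVE_RESTORE_OPTIONS="-c"
+
+# Save state on stopping ip6tables
+SAVE_ON_STOP="yes"
+
+# If you need to log ip6tables messages as soon as ip6tables starts,
+# AND your logger does NOT depend on the network, then you may wish
+# to uncomment the next line.
+# If your logger depends on the network, and you uncomment this line
+# you will create an unresolvable circular dependency during startup.
+# After commenting or uncommenting this line, you must run 'rc-update -u'.
+#rc_use="logger"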
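Review bot: The two commented-out lock knobs keep the `IPTABLES_` prefix in the ip6tables conf.d while every other setting in this file is ip6tables-specific (`IP6TABLES_SAVE`), so a reader is likely to try `IP6TABLES_LOCK_WAIT_TIME` and wonder why it has no effect. That naming is consistent with the shared runscript, which reads `IPTABLES_LOCK_WAIT_TIME` and `IPTABLES_LOCK_WAIT_INTERVAL` regardless of which service name it runs under, but the file itself does not say so. A one-line comment above the first knob would close the gap: `# NOTE: the runscript is shared, so these two are read as IPTABLES_* for both iptables and ip6tables`.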
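diff --git a/net-firewall/iptables/files/iptables-r1.confd b/net-firewall/iptables/files/iptables-r1.confd
new file mode 100644
index 00000000000..d5055e0a5d2
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-r1.confd
@@ -0,0 +1,27 @@
+# /etc/conf.d/iptables
+
+# Set wait option for xtables lock in seconds
+# DEFAULT: 60
+#IPTABLES_LOCK_WAIT_TIME="60"
+
+# Set wait interval option for xtables lock in microseconds
+# DEFAULT: 1000
+#IPTABLES_LOCK_WAIT_INTERVAL="1000"
+
+# Location in which iptables initscript will save set rules on
+# service shutdown
+IPTABLES_SAVE="/var/lib/iptables/rules-save"
+
+# Options to pass to iptables-save and iptables-restore
+SAVE_RESTORE_OPTIONS="-c"
+
+# Save state on stopping iptables
+SAVE_ON_STOP="yes"
+
+# If you need to log iptables messages as soon as iptables starts,
+# AND your logger does NOT depend on the network, then you may wish
+# to uncomment the next line.
+# If your logger depends on the network, and you uncomment this line
+# you will create an unresolvable circular dependency during startup.
+# After commenting or uncommenting this line, you must run 'rc-update -u'.
+#rc_use="logger"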
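diff --git a/net-firewall/iptables/files/iptables-r1.init b/net-firewall/iptables/files/iptables-r1.init
new file mode 100755
index 00000000000..708dcce6d3c
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-r1.init
@@ -0,0 +1,159 @@
+#!/sbin/openrc-run
+# Copyright 1999-2018 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+extra_commands="check save panic"
+extra_started_commands="reload"
+
+iptables_lock_wait_time=${IPTABLES_LOCK_WAIT_TIME:-"60"}
+iptables_lock_wait_interval=${IPTABLES_LOCK_WAIT_INTERVAL:-"1000"}
+
+iptables_name=${SVCNAME}
+case ${iptables_name} in
+ iptables|ip6tables) ;;
+ *) iptables_name="iptables" ;;
+esac
+
+iptables_bin="/sbin/${iptables_name}"
+case ${iptables_name} in
+ iptables) iptables_proc="/proc/net/ip_tables_names"
+ iptables_save=${IPTABLES_SAVE};;
+ ip6tables) iptables_proc="/proc/net/ip6_tables_names"
+ iptables_save=${IP6TABLES_SAVE};;
+esac
+
+depend() {
+ need localmount #434774
+ before net
+}
+
+set_table_policy() {
+ local has_errors=0 chains table=$1 policy=$2
+ case ${table} in
+ nat) chains="PREROUTING POSTROUTING OUTPUT";;
+ mangle) chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING";;
+ filter) chains="INPUT FORWARD OUTPUT";;
+ *) chains="";;
+ esac
+
+ local chain
+ for chain in ${chains} ; do
+ ${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -t ${table} -P ${chain} ${policy}
+ [ $? -ne 0 ] && has_errors=1
+ done
+
+ return ${has_errors}
+}
+
+checkkernel() {
+ if [ ! -e ${iptables_proc} ] ; then
+ eerror "Your kernel lacks ${iptables_name} support, please load"
+ eerror "appropriate modules and try again."
+ return 1
+ fi
+ return 0
+}
+
+checkconfig() {
+ if [ -z "${iptables_save}" -o ! -f "${iptables_save}" ] ; then
+ eerror "Not starting ${iptables_name}. First create some rules then run:"
+ eerror "/etc/init.d/${iptables_name} save"
+ return 1
+ fi
+ return 0
+}
+
+start_pre() {
+ checkkernel || return 1
+ checkconfig || return 1
+}
+
+start() {
+ ebegin "Loading ${iptables_name} state and starting firewall"
+ ${iptables_bin}-restore --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
+ eend $?
+}
+
+stop_pre() {
+ checkkernel || return 1
+}
+
+stop() {
+ if [ "${SAVE_ON_STOP}" = "yes" ] ; then
+ save || return 1
+ fi
+
+ ebegin "Stopping firewall"
+ local has_errors=0 a
+ for a in $(cat ${iptables_proc}) ; do
+ set_table_policy $a ACCEPT
+ [ $? -ne 0 ] && has_errors=1
+
+ ${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -F -t $a
+ [ $? -ne 0 ] && has_errors=1
+
+ ${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -X -t $a
+ [ $? -ne 0 ] && has_errors=1
+ done
+ eend ${has_errors}
+}
+
+reload() {
+ checkkernel || return 1
+ checkrules || return 1
+ ebegin "Flushing firewall"
+ local has_errors=0 a
+ for a in $(cat ${iptables_proc}) ; do
+ ${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -F -t $a
+ [ $? -ne 0 ] && has_errors=1
+
+ ${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -X -t $a
+ [ $? -ne 0 ] && has_errors=1
+ done
+ eend ${has_errors}
+
+ start
+}
+
+checkrules() {
+ ebegin "Checking rules"
+ ${iptables_bin}-restore --test ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
+ eend $?
+}
+
+check() {
+ # Short name for users of init.d script.
+ checkrules
+}
+
+save() {
+ ebegin "Saving ${iptables_name} state"
+ checkpath -q -d "$(dirname "${iptables_save}")"
+ checkpath -q -m 0600 -f "${iptables_save}"
+ ${iptables_bin}-save ${SAVE_RESTORE_OPTIONS} > "${iptables_save}"
+ eend $?
+}
+
+panic() {
+ checkkernel || return 1
+ if service_started ${iptables_name}; then
+ rc-service ${iptables_name} stop
+ fi
+
+ local has_errors=0 a
+ ebegin "Dropping all packets"
+ for a in $(cat ${iptables_proc}) ; do
+ ${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -F -t $a
+ [ $? -ne 0 ] && has_errors=1
+
+ ${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -X -t $a
+ [ $? -ne 0 ] && has_errors=1
+
+ if [ "${a}" != "nat" ]; then
+ # The "nat" table is not intended for filtering, the use of DROP is therefore inhibited.
+ set_table_policy $a DROP
+ [ $? -ne 0 ] && has_errors=1
+ fi
+ done
+ eend ${has_errors}
+}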
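Review bot: `save()` redirects `${iptables_bin}-save` straight into `${iptables_save}`, so the shell truncates the last known-good ruleset before the dump even starts; if the dump then fails (non-zero exit, full disk) the file is left empty or partial, `checkconfig` still accepts it because `-f` is true, and the next `start` restores an incomplete ruleset while `eend` reports success. Dumping into a sibling temp file and renaming it over the target only on success keeps the previous ruleset intact on failure; the rewrite below does that and creates the temp file under `umask 077` so it never exists with a wider mode than the 0600 `checkpath` enforces on the target. Separately, the `--test` invocation in `checkrules` and the dump in `save` are the only iptables calls here without `--wait`; whether those two binaries contend for the xtables lock in 1.8.2 is not visible from this hunk, so it is worth confirming against the commit message's claim that every lock-taking command now gets it.

```shell
save() {
	ebegin "Saving ${iptables_name} state"
	checkpath -q -d "$(dirname "${iptables_save}")"
	checkpath -q -m 0600 -f "${iptables_save}"
	# Dump to a sibling temp file and rename over the target only on success,
	# so a failed dump cannot truncate the last known-good ruleset.
	local tmp="${iptables_save}.$$"
	( umask 077; ${iptables_bin}-save ${SAVE_RESTORE_OPTIONS} > "${tmp}" ) \
		&& mv -f "${tmp}" "${iptables_save}"
	local rc=$?
	rm -f "${tmp}"
	eend ${rc}
}
```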
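diff --git a/net-firewall/iptables/iptables-1.8.2-r1.ebuild b/net-firewall/iptables/iptables-1.8.2-r1.ebuild
new file mode 100644
index 00000000000..9279db2ecc5
--- /dev/null
+++ b/net-firewall/iptables/iptables-1.8.2-r1.ebuild
@@ -0,0 +1,129 @@
+# Copyright 1999-2018 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+# Force users doing their own patches to install their own tools
+AUTOTOOLS_AUTO_DEPEND=no
+
+inherit multilib systemd toolchain-funcs autotools flag-o-matic
+
+DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
+HOMEPAGE="https://www.netfilter.org/projects/iptables/"
+SRC_URI="https://www.netfilter.org/projects/iptables/files/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+# Subslot tracks libxtables as that's the one other packages generally link
+# against and iptables changes. Will have to revisit if other sonames change.
+SLOT="0/12"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
+IUSE="conntrack ipv6 netlink nftables pcap static-libs"
+
+COMMON_DEPEND="
+ conntrack? ( >=net-libs/libnetfilter_conntrack-1.0.6 )
+ netlink? ( net-libs/libnfnetlink )
+ nftables? (
+ >=net-libs/libmnl-1.0:0=
+ >=net-libs/libnftnl-1.1.1:0=
+ )
+ pcap? ( net-libs/libpcap )
+"
+DEPEND="${COMMON_DEPEND}
+ virtual/os-headers
+ >=sys-kernel/linux-headers-4.4:0
+ virtual/pkgconfig
+ nftables? (
+ sys-devel/flex
+ virtual/yacc
+ )
+"
+RDEPEND="${COMMON_DEPEND}
+ nftables? ( net-misc/ethertypes )
+"
+
+src_prepare() {
+ # use the saner headers from the kernel
+ rm -f include/linux/{kernel,types}.h
+
+ # Only run autotools if user patched something
+ eapply_user && eautoreconf || elibtoolize
+}
+
+src_configure() {
+ # Some libs use $(AR) rather than libtool to build #444282
+ tc-export AR
+
+ # Hack around struct mismatches between userland & kernel for some ABIs. #472388
+ use amd64 && [[ ${ABI} == "x32" ]] && append-flags -fpack-struct
+
+ sed -i \
+ -e "/nfnetlink=[01]/s:=[01]:=$(usex netlink 1 0):" \
+ -e "/nfconntrack=[01]/s:=[01]:=$(usex conntrack 1 0):" \
+ configure || die
+
+ local myeconfargs=(
+ --sbindir="${EPREFIX}/sbin"
+ --libexecdir="${EPREFIX}/$(get_libdir)"
+ --enable-devel
+ --enable-shared
+ $(use_enable nftables)
+ $(use_enable pcap bpf-compiler)
+ $(use_enable pcap nfsynproxy)
+ $(use_enable static-libs static)
+ $(use_enable ipv6)
+ )
+ econf "${myeconfargs[@]}"
+}
+
+src_compile() {
+ # Deal with parallel build errors.
+ use nftables && emake -C iptables xtables-config-parser.h
+ emake V=1
+}
+
+src_install() {
+ default
+ dodoc INCOMPATIBILITIES iptables/iptables.xslt
+
+ # all the iptables binaries are in /sbin, so might as well
+ # put these small files in with them
+ into /
+ dosbin iptables/iptables-apply
+ dosym iptables-apply /sbin/ip6tables-apply
+ doman iptables/iptables-apply.8
+
+ insinto /usr/include
+ doins include/iptables.h $(use ipv6 && echo include/ip6tables.h)
+ insinto /usr/include/iptables
+ doins include/iptables/internal.h
+
+ keepdir /var/lib/iptables
+ newinitd "${FILESDIR}"/${PN}-r1.init iptables
+ newconfd "${FILESDIR}"/${PN}-r1.confd iptables
+ if use ipv6 ; then
+ keepdir /var/lib/ip6tables
+ dosym iptables /etc/init.d/ip6tables
+ newconfd "${FILESDIR}"/ip6tables-r1.confd ip6tables
+ fi
+
+ if use nftables; then
+ # Bug 647458
+ rm "${ED%/}"/etc/ethertypes || die
+
+ # Bug 660886
+ rm "${ED%/}"/sbin/{arptables,ebtables} || die
+
+ # Bug 669894
+ rm "${ED%/}"/sbin/ebtables-{save,restore} || die
+ fi
+
+ systemd_dounit "${FILESDIR}"/systemd/iptables-{re,}store.service
+ if use ipv6 ; then
+ systemd_dounit "${FILESDIR}"/systemd/ip6tables-{re,}store.service
+ fi
+
+ # Move important libs to /lib #332175
+ gen_usr_ldscript -a ip{4,6}tc iptc xtables
+
+ find "${ED}" -name "*.la" -delete || die
+}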
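Review bot: `src_install` tests `use ipv6` twice, once for the `keepdir`/`dosym`/`newconfd` trio and again a few lines later for the ip6tables systemd units, with only the ipv6-independent `nftables` cleanup between them; the `systemd_dounit "${FILESDIR}"/systemd/ip6tables-{re,}store.service` line can move into the first conditional so all IPv6 runtime artefacts are installed in one place. Install order does not matter for these helpers, so this is a readability change only.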