commit: cdc003118830087bbb409761fe4e0e2c19ea103a |
Author: Thomas Deutschmann <whissi <AT> gentoo <DOT> org> |
AuthorDate: Tue Nov 20 15:36:22 2018 +0000 |
Commit: Thomas Deutschmann <whissi <AT> gentoo <DOT> org> |
CommitDate: Tue Nov 20 15:36:38 2018 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cdc00311 |
|
net-firewall/iptables: multiple fixes for runscript |
|
- We are now passing iptables "--wait" option to every iptables |
command which needs to acquire a lock. [Bug 501710] |
|
- In addition, "--wait" (IPTABLES_LOCK_WAIT_TIME) and "--wait-interval" |
(IPTABLES_LOCK_WAIT_INTERVAL) is now configurable via |
/etc/conf.d/{iptables,ip6tables}. |
|
- We are now only installing one runscript and now using a symlink |
for the ip6tables runscript. |
|
- Error detection improved/added. |
|
Closes: https://bugs.gentoo.org/501710 |
Package-Manager: Portage-2.3.52, Repoman-2.3.12 |
Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org> |
|
net-firewall/iptables/files/ip6tables-r1.confd | 27 +++++ |
net-firewall/iptables/files/iptables-r1.confd | 27 +++++ |
net-firewall/iptables/files/iptables-r1.init | 159 +++++++++++++++++++++++++ |
net-firewall/iptables/iptables-1.8.2-r1.ebuild | 129 ++++++++++++++++++++ |
4 files changed, 342 insertions(+) |
|
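diff --git a/net-firewall/iptables/files/ip6tables-r1.confd b/net-firewall/iptables/files/ip6tables-r1.confd
new file mode 100644
index 00000000000..e608f41d1ea
--- /dev/null
+++ b/net-firewall/iptables/files/ip6tables-r1.confd
@@ -0,0 +1,27 @@
+# /etc/conf.d/ip6tables
+
+# Set wait option for xtables lock in seconds
+# DEFAULT: 60
+#IPTABLES_LOCK_WAIT_TIME="60"
+
+# Set wait interval option for xtables lock in microseconds
+# DEFAULT: 1000
+#IPTABLES_LOCK_WAIT_INTERVAL="1000"
+
+# Location in which ip6tables initscript will save set rules on
+# service shutdown
+IP6TABLES_SAVE="/var/lib/ip6tables/rules-save"
+
+# Options to pass to ip6tables-save and ip6tables-restore
+SAVE_RESTORE_OPTIONS="-c"
+
+# Save state on stopping ip6tables
+SAVE_ON_STOP="yes"
+
+# If you need to log ip6tables messages as soon as ip6tables starts,
+# AND your logger does NOT depend on the network, then you may wish
+# to uncomment the next line.
+# If your logger depends on the network, and you uncomment this line
+# you will create an unresolvable circular dependency during startup.
+# After commenting or uncommenting this line, you must run 'rc-update -u'.
+#rc_use="logger"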
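Review bot: The two lock options in ip6tables-r1.confd are named IPTABLES_LOCK_WAIT_TIME / IPTABLES_LOCK_WAIT_INTERVAL while every other variable in this file carries the IP6TABLES_ / ip6tables prefix, which reads like a copy-paste slip to an administrator editing it. The shared runscript added in this commit reads the IPTABLES_* names for both services, so the names are correct but deserve a line saying so. Suggested comment above the first of them: `# NOTE: these two keep the IPTABLES_ prefix on purpose; the runscript is shared with iptables.` The iptables-r1.confd copy does not need it.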
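diff --git a/net-firewall/iptables/files/iptables-r1.confd b/net-firewall/iptables/files/iptables-r1.confd
new file mode 100644
index 00000000000..d5055e0a5d2
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-r1.confd
@@ -0,0 +1,27 @@
+# /etc/conf.d/iptables
+
+# Set wait option for xtables lock in seconds
+# DEFAULT: 60
+#IPTABLES_LOCK_WAIT_TIME="60"
+
+# Set wait interval option for xtables lock in microseconds
+# DEFAULT: 1000
+#IPTABLES_LOCK_WAIT_INTERVAL="1000"
+
+# Location in which iptables initscript will save set rules on
+# service shutdown
+IPTABLES_SAVE="/var/lib/iptables/rules-save"
+
+# Options to pass to iptables-save and iptables-restore
+SAVE_RESTORE_OPTIONS="-c"
+
+# Save state on stopping iptables
+SAVE_ON_STOP="yes"
+
+# If you need to log iptables messages as soon as iptables starts,
+# AND your logger does NOT depend on the network, then you may wish
+# to uncomment the next line.
+# If your logger depends on the network, and you uncomment this line
+# you will create an unresolvable circular dependency during startup.
+# After commenting or uncommenting this line, you must run 'rc-update -u'.
+#rc_use="logger"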
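diff --git a/net-firewall/iptables/files/iptables-r1.init b/net-firewall/iptables/files/iptables-r1.init
new file mode 100755
index 00000000000..708dcce6d3c
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-r1.init
@@ -0,0 +1,159 @@
+#!/sbin/openrc-run
+# Copyright 1999-2018 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+extra_commands="check save panic"
+extra_started_commands="reload"
+
+iptables_lock_wait_time=${IPTABLES_LOCK_WAIT_TIME:-"60"}
+iptables_lock_wait_interval=${IPTABLES_LOCK_WAIT_INTERVAL:-"1000"}
+
+iptables_name=${SVCNAME}
+case ${iptables_name} in
+	iptables|ip6tables) ;;
+	*) iptables_name="iptables" ;;
+esac
+
+iptables_bin="/sbin/${iptables_name}"
+case ${iptables_name} in
+	iptables) iptables_proc="/proc/net/ip_tables_names"
+		iptables_save=${IPTABLES_SAVE};;
+	ip6tables) iptables_proc="/proc/net/ip6_tables_names"
+		iptables_save=${IP6TABLES_SAVE};;
+esac
+
+depend() {
+	need localmount #434774
+	before net
+}
+
+set_table_policy() {
+	local has_errors=0 chains table=$1 policy=$2
+	case ${table} in
+		nat) chains="PREROUTING POSTROUTING OUTPUT";;
+		mangle) chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING";;
+		filter) chains="INPUT FORWARD OUTPUT";;
+		*) chains="";;
+	esac
+
+	local chain
+	for chain in ${chains} ; do
+		${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -t ${table} -P ${chain} ${policy}
+		[ $? -ne 0 ] && has_errors=1
+	done
+
+	return ${has_errors}
+}
+
+checkkernel() {
+	if [ ! -e ${iptables_proc} ] ; then
+		eerror "Your kernel lacks ${iptables_name} support, please load"
+		eerror "appropriate modules and try again."
+		return 1
+	fi
+	return 0
+}
+
+checkconfig() {
+	if [ -z "${iptables_save}" -o ! -f "${iptables_save}" ] ; then
+		eerror "Not starting ${iptables_name}. First create some rules then run:"
+		eerror "/etc/init.d/${iptables_name} save"
+		return 1
+	fi
+	return 0
+}
+
+start_pre() {
+	checkkernel || return 1
+	checkconfig || return 1
+}
+
+start() {
+	ebegin "Loading ${iptables_name} state and starting firewall"
+	${iptables_bin}-restore --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
+	eend $?
+}
+
+stop_pre() {
+	checkkernel || return 1
+}
+
+stop() {
+	if [ "${SAVE_ON_STOP}" = "yes" ] ; then
+		save || return 1
+	fi
+
+	ebegin "Stopping firewall"
+	local has_errors=0 a
+	for a in $(cat ${iptables_proc}) ; do
+		set_table_policy $a ACCEPT
+		[ $? -ne 0 ] && has_errors=1
+
+		${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -F -t $a
+		[ $? -ne 0 ] && has_errors=1
+
+		${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -X -t $a
+		[ $? -ne 0 ] && has_errors=1
+	done
+	eend ${has_errors}
+}
+
+reload() {
+	checkkernel || return 1
+	checkrules || return 1
+	ebegin "Flushing firewall"
+	local has_errors=0 a
+	for a in $(cat ${iptables_proc}) ; do
+		${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -F -t $a
+		[ $? -ne 0 ] && has_errors=1
+
+		${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -X -t $a
+		[ $? -ne 0 ] && has_errors=1
+	done
+	eend ${has_errors}
+
+	start
+}
+
+checkrules() {
+	ebegin "Checking rules"
+	${iptables_bin}-restore --test ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
+	eend $?
+}
+
+check() {
+	# Short name for users of init.d script.
+	checkrules
+}
+
+save() {
+	ebegin "Saving ${iptables_name} state"
+	checkpath -q -d "$(dirname "${iptables_save}")"
+	checkpath -q -m 0600 -f "${iptables_save}"
+	${iptables_bin}-save ${SAVE_RESTORE_OPTIONS} > "${iptables_save}"
+	eend $?
+}
+
+panic() {
+	checkkernel || return 1
+	if service_started ${iptables_name}; then
+		rc-service ${iptables_name} stop
+	fi
+
+	local has_errors=0 a
+	ebegin "Dropping all packets"
+	for a in $(cat ${iptables_proc}) ; do
+		${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -F -t $a
+		[ $? -ne 0 ] && has_errors=1
+
+		${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -X -t $a
+		[ $? -ne 0 ] && has_errors=1
+
+		if [ "${a}" != "nat" ]; then
+			# The "nat" table is not intended for filtering, the use of DROP is therefore inhibited.
+			set_table_policy $a DROP
+			[ $? -ne 0 ] && has_errors=1
+		fi
+	done
+	eend ${has_errors}
+}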
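Review bot: save() redirects `${iptables_bin}-save` straight onto `${iptables_save}`, so the shell truncates the file before the dump starts and a failing or interrupted *-save leaves an empty or partial ruleset behind; checkconfig() only tests `-f`, so the next `start` would then restore that incomplete firewall, and with SAVE_ON_STOP="yes" this path runs on every shutdown. Writing to a 0600 scratch file in the same directory and renaming it over the target only after *-save succeeded keeps the last good ruleset on failure, and eend still reports the error. Sketch of the rewritten body below; checkpath on the scratch file preserves the 0600 mode the current code applies to the target.
```shell
save() {
	ebegin "Saving ${iptables_name} state"
	checkpath -q -d "$(dirname "${iptables_save}")"
	# Dump into a scratch file first; rename only on success so a failed
	# *-save cannot leave a truncated ruleset for the next 'start'.
	local tmp_save="${iptables_save}.tmp"
	if checkpath -q -m 0600 -f "${tmp_save}" \
		&& ${iptables_bin}-save ${SAVE_RESTORE_OPTIONS} > "${tmp_save}" \
		&& mv -f "${tmp_save}" "${iptables_save}"; then
		eend 0
	else
		rm -f "${tmp_save}"
		eend 1 "Failed to save ${iptables_name} state"
	fi
}
```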
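diff --git a/net-firewall/iptables/iptables-1.8.2-r1.ebuild b/net-firewall/iptables/iptables-1.8.2-r1.ebuild
new file mode 100644
index 00000000000..9279db2ecc5
--- /dev/null
+++ b/net-firewall/iptables/iptables-1.8.2-r1.ebuild
@@ -0,0 +1,129 @@
+# Copyright 1999-2018 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+# Force users doing their own patches to install their own tools
+AUTOTOOLS_AUTO_DEPEND=no
+
+inherit multilib systemd toolchain-funcs autotools flag-o-matic
+
+DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
+HOMEPAGE="https://www.netfilter.org/projects/iptables/"
+SRC_URI="https://www.netfilter.org/projects/iptables/files/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+# Subslot tracks libxtables as that's the one other packages generally link
+# against and iptables changes. Will have to revisit if other sonames change.
+SLOT="0/12"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
+IUSE="conntrack ipv6 netlink nftables pcap static-libs"
+
+COMMON_DEPEND="
+	conntrack? ( >=net-libs/libnetfilter_conntrack-1.0.6 )
+	netlink? ( net-libs/libnfnetlink )
+	nftables? (
+		>=net-libs/libmnl-1.0:0=
+		>=net-libs/libnftnl-1.1.1:0=
+	)
+	pcap? ( net-libs/libpcap )
+"
+DEPEND="${COMMON_DEPEND}
+	virtual/os-headers
+	>=sys-kernel/linux-headers-4.4:0
+	virtual/pkgconfig
+	nftables? (
+		sys-devel/flex
+		virtual/yacc
+	)
+"
+RDEPEND="${COMMON_DEPEND}
+	nftables? ( net-misc/ethertypes )
+"
+
+src_prepare() {
+	# use the saner headers from the kernel
+	rm -f include/linux/{kernel,types}.h
+
+	# Only run autotools if user patched something
+	eapply_user && eautoreconf || elibtoolize
+}
+
+src_configure() {
+	# Some libs use $(AR) rather than libtool to build #444282
+	tc-export AR
+
+	# Hack around struct mismatches between userland & kernel for some ABIs. #472388
+	use amd64 && [[ ${ABI} == "x32" ]] && append-flags -fpack-struct
+
+	sed -i \
+		-e "/nfnetlink=[01]/s:=[01]:=$(usex netlink 1 0):" \
+		-e "/nfconntrack=[01]/s:=[01]:=$(usex conntrack 1 0):" \
+		configure || die
+
+	local myeconfargs=(
+		--sbindir="${EPREFIX}/sbin"
+		--libexecdir="${EPREFIX}/$(get_libdir)"
+		--enable-devel
+		--enable-shared
+		$(use_enable nftables)
+		$(use_enable pcap bpf-compiler)
+		$(use_enable pcap nfsynproxy)
+		$(use_enable static-libs static)
+		$(use_enable ipv6)
+	)
+	econf "${myeconfargs[@]}"
+}
+
+src_compile() {
+	# Deal with parallel build errors.
+	use nftables && emake -C iptables xtables-config-parser.h
+	emake V=1
+}
+
+src_install() {
+	default
+	dodoc INCOMPATIBILITIES iptables/iptables.xslt
+
+	# all the iptables binaries are in /sbin, so might as well
+	# put these small files in with them
+	into /
+	dosbin iptables/iptables-apply
+	dosym iptables-apply /sbin/ip6tables-apply
+	doman iptables/iptables-apply.8
+
+	insinto /usr/include
+	doins include/iptables.h $(use ipv6 && echo include/ip6tables.h)
+	insinto /usr/include/iptables
+	doins include/iptables/internal.h
+
+	keepdir /var/lib/iptables
+	newinitd "${FILESDIR}"/${PN}-r1.init iptables
+	newconfd "${FILESDIR}"/${PN}-r1.confd iptables
+	if use ipv6 ; then
+		keepdir /var/lib/ip6tables
+		dosym iptables /etc/init.d/ip6tables
+		newconfd "${FILESDIR}"/ip6tables-r1.confd ip6tables
+	fi
+
+	if use nftables; then
+		# Bug 647458
+		rm "${ED%/}"/etc/ethertypes || die
+
+		# Bug 660886
+		rm "${ED%/}"/sbin/{arptables,ebtables} || die
+
+		# Bug 669894
+		rm "${ED%/}"/sbin/ebtables-{save,restore} || die
+	fi
+
+	systemd_dounit "${FILESDIR}"/systemd/iptables-{re,}store.service
+	if use ipv6 ; then
+		systemd_dounit "${FILESDIR}"/systemd/ip6tables-{re,}store.service
+	fi
+
+	# Move important libs to /lib #332175
+	gen_usr_ldscript -a ip{4,6}tc iptc xtables
+
+	find "${ED}" -name "*.la" -delete || die
+}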