| 1 |
commit: 68a4aeb7ce34ec6f16710ce40443a1b460af6517 |
| 2 |
Author: Kerin Millar <kfm <AT> plushkava <DOT> net> |
| 3 |
AuthorDate: Sun Mar 19 09:04:41 2023 +0000 |
| 4 |
Commit: Sam James <sam <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Sun Mar 19 22:21:54 2023 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=68a4aeb7 |
| 7 |
|
| 8 |
net-firewall/nftables: Use the newly built libnftables.so in the pkg_preinst check |
| 9 |
|
| 10 |
Doing so is appropriate because it's not a library that's provided |
| 11 |
externally. Also, tidy up the code structure and replace the outdated |
| 12 |
pkg_preinst() function in the ebuild for v1.0.5. |
| 13 |
|
| 14 |
Signed-off-by: Kerin Millar <kfm <AT> plushkava.net> |
| 15 |
Signed-off-by: Sam James <sam <AT> gentoo.org> |
| 16 |
|
| 17 |
net-firewall/nftables/nftables-1.0.5.ebuild | 33 ++++++++++++++++------ |
| 18 |
net-firewall/nftables/nftables-1.0.6.ebuild | 44 ++++++++++++++--------------- |
| 19 |
net-firewall/nftables/nftables-1.0.7.ebuild | 44 ++++++++++++++--------------- |
| 20 |
net-firewall/nftables/nftables-9999.ebuild | 44 ++++++++++++++--------------- |
| 21 |
4 files changed, 90 insertions(+), 75 deletions(-) |
| 22 |
|
| 23 |
diff --git a/net-firewall/nftables/nftables-1.0.5.ebuild b/net-firewall/nftables/nftables-1.0.5.ebuild |
| 24 |
index 3b4f9fbbf1d2..5226ca74577d 100644 |
| 25 |
--- a/net-firewall/nftables/nftables-1.0.5.ebuild |
| 26 |
+++ b/net-firewall/nftables/nftables-1.0.5.ebuild |
| 27 |
@@ -167,15 +167,30 @@ src_install() { |
| 28 |
} |
| 29 |
|
| 30 |
pkg_preinst() { |
| 31 |
- if [[ -d /sys/module/nf_tables ]] && [[ -x /sbin/nft ]] && [[ -z ${ROOT} ]]; then |
| 32 |
- if ! /sbin/nft -t list ruleset | "${ED}"/sbin/nft -c -f -; then |
| 33 |
- eerror "Your currently loaded ruleset cannot be parsed by the newly built instance of" |
| 34 |
- eerror "nft. This probably means that there is a regression introduced by v${PV}." |
| 35 |
- eerror "(To make the ebuild fail instead of warning, set NFTABLES_ABORT_ON_RELOAD_FAILURE=1.)" |
| 36 |
- |
| 37 |
- if [[ -n ${NFTABLES_ABORT_ON_RELOAD_FAILURE} ]] ; then |
| 38 |
- die "Aborting because of failed nft reload!" |
| 39 |
- fi |
| 40 |
+ local stderr |
| 41 |
+ |
| 42 |
+ # There's a history of regressions with nftables upgrades. Perform a |
| 43 |
+ # safety check to help us spot them earlier. For the check to pass, the |
| 44 |
+ # currently loaded ruleset, if any, must be successfully evaluated by |
| 45 |
+ # the newly built instance of nft(8). |
| 46 |
+ if [[ -n ${ROOT} ]] || [[ ! -d /sys/module/nftables ]] || [[ ! -x /sbin/nft ]]; then |
| 47 |
+ # Either nftables isn't yet in use or nft(8) cannot be executed. |
| 48 |
+ return |
| 49 |
+ elif ! stderr=$(umask 177; /sbin/nft -t list ruleset 2>&1 >"${T}"/ruleset.nft); then |
| 50 |
+ # Report errors induced by trying to list the ruleset but don't |
| 51 |
+ # treat them as being fatal. |
| 52 |
+ printf '%s\n' "${stderr}" >&2 |
| 53 |
+ elif [[ ${stderr} == *"is managed by iptables-nft"* ]]; then |
| 54 |
+ # Rulesets generated by iptables-nft are special in nature and |
| 55 |
+ # will not always be printed in a way that constitutes a valid |
| 56 |
+ # syntax for ntf(8). Ignore them. |
| 57 |
+ return |
| 58 |
+ elif set -- "${ED}"/usr/lib*/libnftables.so; ! LD_LIBRARY_PATH=${1%/*} "${ED}"/sbin/nft -c -f -- "${T}"/ruleset.nft; then |
| 59 |
+ eerror "Your currently loaded ruleset cannot be parsed by the newly built instance of" |
| 60 |
+ eerror "nft. This probably means that there is a regression introduced by v${PV}." |
| 61 |
+ eerror "(To make the ebuild fail instead of warning, set NFTABLES_ABORT_ON_RELOAD_FAILURE=1.)" |
| 62 |
+ if [[ -n ${NFTABLES_ABORT_ON_RELOAD_FAILURE} ]] ; then |
| 63 |
+ die "Aborting because of failed nft reload!" |
| 64 |
fi |
| 65 |
fi |
| 66 |
} |
| 67 |
|
| 68 |
diff --git a/net-firewall/nftables/nftables-1.0.6.ebuild b/net-firewall/nftables/nftables-1.0.6.ebuild |
| 69 |
index bd4f23708a7e..e5de7f69c0a1 100644 |
| 70 |
--- a/net-firewall/nftables/nftables-1.0.6.ebuild |
| 71 |
+++ b/net-firewall/nftables/nftables-1.0.6.ebuild |
| 72 |
@@ -169,28 +169,28 @@ src_install() { |
| 73 |
pkg_preinst() { |
| 74 |
local stderr |
| 75 |
|
| 76 |
- # There's a history of regressions with nftables upgrades. Add a safety |
| 77 |
- # check to help us spot them earlier. |
| 78 |
- if [[ -d /sys/module/nf_tables ]] && [[ -x /sbin/nft ]] && [[ -z ${ROOT} ]]; then |
| 79 |
- # Check the current loaded ruleset, if any, using the newly |
| 80 |
- # built instance of nft(8). |
| 81 |
- if ! stderr=$(umask 177; /sbin/nft -t list ruleset 2>&1 >"${T}"/ruleset.nft); then |
| 82 |
- # Report errors induced by trying to list the ruleset |
| 83 |
- # but don't treat them as being fatal. |
| 84 |
- printf '%s\n' "${stderr}" >&2 |
| 85 |
- elif [[ ${stderr} == *"is managed by iptables-nft"* ]]; then |
| 86 |
- # Rulesets generated by iptables-nft are special in |
| 87 |
- # nature and will not always be printed in a way that |
| 88 |
- # constitutes a valid syntax for ntf(8). Ignore them. |
| 89 |
- return |
| 90 |
- elif ! "${ED}"/sbin/nft -c -f "${T}"/ruleset.nft; then |
| 91 |
- eerror "Your currently loaded ruleset cannot be parsed by the newly built instance of" |
| 92 |
- eerror "nft. This probably means that there is a regression introduced by v${PV}." |
| 93 |
- eerror "(To make the ebuild fail instead of warning, set NFTABLES_ABORT_ON_RELOAD_FAILURE=1.)" |
| 94 |
- |
| 95 |
- if [[ -n ${NFTABLES_ABORT_ON_RELOAD_FAILURE} ]] ; then |
| 96 |
- die "Aborting because of failed nft reload!" |
| 97 |
- fi |
| 98 |
+ # There's a history of regressions with nftables upgrades. Perform a |
| 99 |
+ # safety check to help us spot them earlier. For the check to pass, the |
| 100 |
+ # currently loaded ruleset, if any, must be successfully evaluated by |
| 101 |
+ # the newly built instance of nft(8). |
| 102 |
+ if [[ -n ${ROOT} ]] || [[ ! -d /sys/module/nftables ]] || [[ ! -x /sbin/nft ]]; then |
| 103 |
+ # Either nftables isn't yet in use or nft(8) cannot be executed. |
| 104 |
+ return |
| 105 |
+ elif ! stderr=$(umask 177; /sbin/nft -t list ruleset 2>&1 >"${T}"/ruleset.nft); then |
| 106 |
+ # Report errors induced by trying to list the ruleset but don't |
| 107 |
+ # treat them as being fatal. |
| 108 |
+ printf '%s\n' "${stderr}" >&2 |
| 109 |
+ elif [[ ${stderr} == *"is managed by iptables-nft"* ]]; then |
| 110 |
+ # Rulesets generated by iptables-nft are special in nature and |
| 111 |
+ # will not always be printed in a way that constitutes a valid |
| 112 |
+ # syntax for ntf(8). Ignore them. |
| 113 |
+ return |
| 114 |
+ elif set -- "${ED}"/usr/lib*/libnftables.so; ! LD_LIBRARY_PATH=${1%/*} "${ED}"/sbin/nft -c -f -- "${T}"/ruleset.nft; then |
| 115 |
+ eerror "Your currently loaded ruleset cannot be parsed by the newly built instance of" |
| 116 |
+ eerror "nft. This probably means that there is a regression introduced by v${PV}." |
| 117 |
+ eerror "(To make the ebuild fail instead of warning, set NFTABLES_ABORT_ON_RELOAD_FAILURE=1.)" |
| 118 |
+ if [[ -n ${NFTABLES_ABORT_ON_RELOAD_FAILURE} ]] ; then |
| 119 |
+ die "Aborting because of failed nft reload!" |
| 120 |
fi |
| 121 |
fi |
| 122 |
} |
| 123 |
|
| 124 |
diff --git a/net-firewall/nftables/nftables-1.0.7.ebuild b/net-firewall/nftables/nftables-1.0.7.ebuild |
| 125 |
index b144fded77b4..13ecec61248b 100644 |
| 126 |
--- a/net-firewall/nftables/nftables-1.0.7.ebuild |
| 127 |
+++ b/net-firewall/nftables/nftables-1.0.7.ebuild |
| 128 |
@@ -170,28 +170,28 @@ src_install() { |
| 129 |
pkg_preinst() { |
| 130 |
local stderr |
| 131 |
|
| 132 |
- # There's a history of regressions with nftables upgrades. Add a safety |
| 133 |
- # check to help us spot them earlier. |
| 134 |
- if [[ -d /sys/module/nf_tables ]] && [[ -x /sbin/nft ]] && [[ -z ${ROOT} ]]; then |
| 135 |
- # Check the current loaded ruleset, if any, using the newly |
| 136 |
- # built instance of nft(8). |
| 137 |
- if ! stderr=$(umask 177; /sbin/nft -t list ruleset 2>&1 >"${T}"/ruleset.nft); then |
| 138 |
- # Report errors induced by trying to list the ruleset |
| 139 |
- # but don't treat them as being fatal. |
| 140 |
- printf '%s\n' "${stderr}" >&2 |
| 141 |
- elif [[ ${stderr} == *"is managed by iptables-nft"* ]]; then |
| 142 |
- # Rulesets generated by iptables-nft are special in |
| 143 |
- # nature and will not always be printed in a way that |
| 144 |
- # constitutes a valid syntax for ntf(8). Ignore them. |
| 145 |
- return |
| 146 |
- elif ! "${ED}"/sbin/nft -c -f "${T}"/ruleset.nft; then |
| 147 |
- eerror "Your currently loaded ruleset cannot be parsed by the newly built instance of" |
| 148 |
- eerror "nft. This probably means that there is a regression introduced by v${PV}." |
| 149 |
- eerror "(To make the ebuild fail instead of warning, set NFTABLES_ABORT_ON_RELOAD_FAILURE=1.)" |
| 150 |
- |
| 151 |
- if [[ -n ${NFTABLES_ABORT_ON_RELOAD_FAILURE} ]] ; then |
| 152 |
- die "Aborting because of failed nft reload!" |
| 153 |
- fi |
| 154 |
+ # There's a history of regressions with nftables upgrades. Perform a |
| 155 |
+ # safety check to help us spot them earlier. For the check to pass, the |
| 156 |
+ # currently loaded ruleset, if any, must be successfully evaluated by |
| 157 |
+ # the newly built instance of nft(8). |
| 158 |
+ if [[ -n ${ROOT} ]] || [[ ! -d /sys/module/nftables ]] || [[ ! -x /sbin/nft ]]; then |
| 159 |
+ # Either nftables isn't yet in use or nft(8) cannot be executed. |
| 160 |
+ return |
| 161 |
+ elif ! stderr=$(umask 177; /sbin/nft -t list ruleset 2>&1 >"${T}"/ruleset.nft); then |
| 162 |
+ # Report errors induced by trying to list the ruleset but don't |
| 163 |
+ # treat them as being fatal. |
| 164 |
+ printf '%s\n' "${stderr}" >&2 |
| 165 |
+ elif [[ ${stderr} == *"is managed by iptables-nft"* ]]; then |
| 166 |
+ # Rulesets generated by iptables-nft are special in nature and |
| 167 |
+ # will not always be printed in a way that constitutes a valid |
| 168 |
+ # syntax for ntf(8). Ignore them. |
| 169 |
+ return |
| 170 |
+ elif set -- "${ED}"/usr/lib*/libnftables.so; ! LD_LIBRARY_PATH=${1%/*} "${ED}"/sbin/nft -c -f -- "${T}"/ruleset.nft; then |
| 171 |
+ eerror "Your currently loaded ruleset cannot be parsed by the newly built instance of" |
| 172 |
+ eerror "nft. This probably means that there is a regression introduced by v${PV}." |
| 173 |
+ eerror "(To make the ebuild fail instead of warning, set NFTABLES_ABORT_ON_RELOAD_FAILURE=1.)" |
| 174 |
+ if [[ -n ${NFTABLES_ABORT_ON_RELOAD_FAILURE} ]] ; then |
| 175 |
+ die "Aborting because of failed nft reload!" |
| 176 |
fi |
| 177 |
fi |
| 178 |
} |
| 179 |
|
| 180 |
diff --git a/net-firewall/nftables/nftables-9999.ebuild b/net-firewall/nftables/nftables-9999.ebuild |
| 181 |
index b144fded77b4..13ecec61248b 100644 |
| 182 |
--- a/net-firewall/nftables/nftables-9999.ebuild |
| 183 |
+++ b/net-firewall/nftables/nftables-9999.ebuild |
| 184 |
@@ -170,28 +170,28 @@ src_install() { |
| 185 |
pkg_preinst() { |
| 186 |
local stderr |
| 187 |
|
| 188 |
- # There's a history of regressions with nftables upgrades. Add a safety |
| 189 |
- # check to help us spot them earlier. |
| 190 |
- if [[ -d /sys/module/nf_tables ]] && [[ -x /sbin/nft ]] && [[ -z ${ROOT} ]]; then |
| 191 |
- # Check the current loaded ruleset, if any, using the newly |
| 192 |
- # built instance of nft(8). |
| 193 |
- if ! stderr=$(umask 177; /sbin/nft -t list ruleset 2>&1 >"${T}"/ruleset.nft); then |
| 194 |
- # Report errors induced by trying to list the ruleset |
| 195 |
- # but don't treat them as being fatal. |
| 196 |
- printf '%s\n' "${stderr}" >&2 |
| 197 |
- elif [[ ${stderr} == *"is managed by iptables-nft"* ]]; then |
| 198 |
- # Rulesets generated by iptables-nft are special in |
| 199 |
- # nature and will not always be printed in a way that |
| 200 |
- # constitutes a valid syntax for ntf(8). Ignore them. |
| 201 |
- return |
| 202 |
- elif ! "${ED}"/sbin/nft -c -f "${T}"/ruleset.nft; then |
| 203 |
- eerror "Your currently loaded ruleset cannot be parsed by the newly built instance of" |
| 204 |
- eerror "nft. This probably means that there is a regression introduced by v${PV}." |
| 205 |
- eerror "(To make the ebuild fail instead of warning, set NFTABLES_ABORT_ON_RELOAD_FAILURE=1.)" |
| 206 |
- |
| 207 |
- if [[ -n ${NFTABLES_ABORT_ON_RELOAD_FAILURE} ]] ; then |
| 208 |
- die "Aborting because of failed nft reload!" |
| 209 |
- fi |
| 210 |
+ # There's a history of regressions with nftables upgrades. Perform a |
| 211 |
+ # safety check to help us spot them earlier. For the check to pass, the |
| 212 |
+ # currently loaded ruleset, if any, must be successfully evaluated by |
| 213 |
+ # the newly built instance of nft(8). |
| 214 |
+ if [[ -n ${ROOT} ]] || [[ ! -d /sys/module/nftables ]] || [[ ! -x /sbin/nft ]]; then |
| 215 |
+ # Either nftables isn't yet in use or nft(8) cannot be executed. |
| 216 |
+ return |
| 217 |
+ elif ! stderr=$(umask 177; /sbin/nft -t list ruleset 2>&1 >"${T}"/ruleset.nft); then |
| 218 |
+ # Report errors induced by trying to list the ruleset but don't |
| 219 |
+ # treat them as being fatal. |
| 220 |
+ printf '%s\n' "${stderr}" >&2 |
| 221 |
+ elif [[ ${stderr} == *"is managed by iptables-nft"* ]]; then |
| 222 |
+ # Rulesets generated by iptables-nft are special in nature and |
| 223 |
+ # will not always be printed in a way that constitutes a valid |
| 224 |
+ # syntax for ntf(8). Ignore them. |
| 225 |
+ return |
| 226 |
+ elif set -- "${ED}"/usr/lib*/libnftables.so; ! LD_LIBRARY_PATH=${1%/*} "${ED}"/sbin/nft -c -f -- "${T}"/ruleset.nft; then |
| 227 |
+ eerror "Your currently loaded ruleset cannot be parsed by the newly built instance of" |
| 228 |
+ eerror "nft. This probably means that there is a regression introduced by v${PV}." |
| 229 |
+ eerror "(To make the ebuild fail instead of warning, set NFTABLES_ABORT_ON_RELOAD_FAILURE=1.)" |
| 230 |
+ if [[ -n ${NFTABLES_ABORT_ON_RELOAD_FAILURE} ]] ; then |
| 231 |
+ die "Aborting because of failed nft reload!" |
| 232 |
fi |
| 233 |
fi |
| 234 |
} |
Archives