commit: 68a4aeb7ce34ec6f16710ce40443a1b460af6517 |
Author: Kerin Millar <kfm <AT> plushkava <DOT> net> |
AuthorDate: Sun Mar 19 09:04:41 2023 +0000 |
Commit: Sam James <sam <AT> gentoo <DOT> org> |
CommitDate: Sun Mar 19 22:21:54 2023 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=68a4aeb7 |
|
net-firewall/nftables: Use the newly built libnftables.so in the pkg_preinst check |
|
Doing so is appropriate because it's not a library that's provided |
externally. Also, tidy up the code structure and replace the outdated |
pkg_preinst() function in the ebuild for v1.0.5. |
|
Signed-off-by: Kerin Millar <kfm <AT> plushkava.net> |
Signed-off-by: Sam James <sam <AT> gentoo.org> |
|
net-firewall/nftables/nftables-1.0.5.ebuild | 33 ++++++++++++++++------ |
net-firewall/nftables/nftables-1.0.6.ebuild | 44 ++++++++++++++--------------- |
net-firewall/nftables/nftables-1.0.7.ebuild | 44 ++++++++++++++--------------- |
net-firewall/nftables/nftables-9999.ebuild | 44 ++++++++++++++--------------- |
4 files changed, 90 insertions(+), 75 deletions(-) |
|
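--- a/net-firewall/nftables/nftables-1.0.5.ebuild
+++ b/net-firewall/nftables/nftables-1.0.5.ebuild
@@ -167,15 +167,30 @@ src_install() {
 }
 
 pkg_preinst() {
- if [[ -d /sys/module/nf_tables ]] && [[ -x /sbin/nft ]] && [[ -z ${ROOT} ]]; then
- if ! /sbin/nft -t list ruleset | "${ED}"/sbin/nft -c -f -; then
- eerror "Your currently loaded ruleset cannot be parsed by the newly built instance of"
- eerror "nft. This probably means that there is a regression introduced by v${PV}."
- eerror "(To make the ebuild fail instead of warning, set NFTABLES_ABORT_ON_RELOAD_FAILURE=1.)"
-
- if [[ -n ${NFTABLES_ABORT_ON_RELOAD_FAILURE} ]] ; then
- die "Aborting because of failed nft reload!"
- fi
+ local stderr
+
+ # There's a history of regressions with nftables upgrades. Perform a
+ # safety check to help us spot them earlier. For the check to pass, the
+ # currently loaded ruleset, if any, must be successfully evaluated by
+ # the newly built instance of nft(8).
+ if [[ -n ${ROOT} ]] || [[ ! -d /sys/module/nftables ]] || [[ ! -x /sbin/nft ]]; then
+ # Either nftables isn't yet in use or nft(8) cannot be executed.
+ return
+ elif ! stderr=$(umask 177; /sbin/nft -t list ruleset 2>&1 >"${T}"/ruleset.nft); then
+ # Report errors induced by trying to list the ruleset but don't
+ # treat them as being fatal.
+ printf '%s\n' "${stderr}" >&2
+ elif [[ ${stderr} == *"is managed by iptables-nft"* ]]; then
+ # Rulesets generated by iptables-nft are special in nature and
+ # will not always be printed in a way that constitutes a valid
+ # syntax for ntf(8). Ignore them.
+ return
+ elif set -- "${ED}"/usr/lib*/libnftables.so; ! LD_LIBRARY_PATH=${1%/*} "${ED}"/sbin/nft -c -f -- "${T}"/ruleset.nft; then
+ eerror "Your currently loaded ruleset cannot be parsed by the newly built instance of"
+ eerror "nft. This probably means that there is a regression introduced by v${PV}."
+ eerror "(To make the ebuild fail instead of warning, set NFTABLES_ABORT_ON_RELOAD_FAILURE=1.)"
+ if [[ -n ${NFTABLES_ABORT_ON_RELOAD_FAILURE} ]] ; then
+ die "Aborting because of failed nft reload!"
 fi
 fi
 }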
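Review bot: The guard on the new `if` line tests `/sys/module/nftables`, whereas the line it replaces tested `/sys/module/nf_tables`; the nftables core is the `nf_tables` kernel module, and as far as I know no module named `nftables` exists, so the condition is always true and pkg_preinst returns before the ruleset is ever checked, silently disabling the very safety check the commit is refining. That line should read `if [[ -n ${ROOT} ]] || [[ ! -d /sys/module/nf_tables ]] || [[ ! -x /sbin/nft ]]; then`. Separately, on the `elif set -- "${ED}"/usr/lib*/libnftables.so` line an unmatched glob leaves the literal pattern in `$1`, so `LD_LIBRARY_PATH` names a directory that does not exist and the dynamic loader quietly falls back to the already-installed libnftables.so — exactly what the commit intends to avoid — while several matching libdirs would silently use only the first. Using the configured libdir and failing loudly makes the intent explicit, e.g. `local lib=${ED}/usr/$(get_libdir); [[ -e ${lib}/libnftables.so ]] || die "libnftables.so missing from image"` before the `elif`, then `LD_LIBRARY_PATH=${lib}`. The same new code appears in the 1.0.6, 1.0.7 and 9999 hunks.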
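--- a/net-firewall/nftables/nftables-1.0.6.ebuild
+++ b/net-firewall/nftables/nftables-1.0.6.ebuild
@@ -169,28 +169,28 @@ src_install() {
 pkg_preinst() {
 local stderr
 
- # There's a history of regressions with nftables upgrades. Add a safety
- # check to help us spot them earlier.
- if [[ -d /sys/module/nf_tables ]] && [[ -x /sbin/nft ]] && [[ -z ${ROOT} ]]; then
- # Check the current loaded ruleset, if any, using the newly
- # built instance of nft(8).
- if ! stderr=$(umask 177; /sbin/nft -t list ruleset 2>&1 >"${T}"/ruleset.nft); then
- # Report errors induced by trying to list the ruleset
- # but don't treat them as being fatal.
- printf '%s\n' "${stderr}" >&2
- elif [[ ${stderr} == *"is managed by iptables-nft"* ]]; then
- # Rulesets generated by iptables-nft are special in
- # nature and will not always be printed in a way that
- # constitutes a valid syntax for ntf(8). Ignore them.
- return
- elif ! "${ED}"/sbin/nft -c -f "${T}"/ruleset.nft; then
- eerror "Your currently loaded ruleset cannot be parsed by the newly built instance of"
- eerror "nft. This probably means that there is a regression introduced by v${PV}."
- eerror "(To make the ebuild fail instead of warning, set NFTABLES_ABORT_ON_RELOAD_FAILURE=1.)"
-
- if [[ -n ${NFTABLES_ABORT_ON_RELOAD_FAILURE} ]] ; then
- die "Aborting because of failed nft reload!"
- fi
+ # There's a history of regressions with nftables upgrades. Perform a
+ # safety check to help us spot them earlier. For the check to pass, the
+ # currently loaded ruleset, if any, must be successfully evaluated by
+ # the newly built instance of nft(8).
+ if [[ -n ${ROOT} ]] || [[ ! -d /sys/module/nftables ]] || [[ ! -x /sbin/nft ]]; then
+ # Either nftables isn't yet in use or nft(8) cannot be executed.
+ return
+ elif ! stderr=$(umask 177; /sbin/nft -t list ruleset 2>&1 >"${T}"/ruleset.nft); then
+ # Report errors induced by trying to list the ruleset but don't
+ # treat them as being fatal.
+ printf '%s\n' "${stderr}" >&2
+ elif [[ ${stderr} == *"is managed by iptables-nft"* ]]; then
+ # Rulesets generated by iptables-nft are special in nature and
+ # will not always be printed in a way that constitutes a valid
+ # syntax for ntf(8). Ignore them.
+ return
+ elif set -- "${ED}"/usr/lib*/libnftables.so; ! LD_LIBRARY_PATH=${1%/*} "${ED}"/sbin/nft -c -f -- "${T}"/ruleset.nft; then
+ eerror "Your currently loaded ruleset cannot be parsed by the newly built instance of"
+ eerror "nft. This probably means that there is a regression introduced by v${PV}."
+ eerror "(To make the ebuild fail instead of warning, set NFTABLES_ABORT_ON_RELOAD_FAILURE=1.)"
+ if [[ -n ${NFTABLES_ABORT_ON_RELOAD_FAILURE} ]] ; then
+ die "Aborting because of failed nft reload!"
 fi
 fi
 }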
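--- a/net-firewall/nftables/nftables-1.0.7.ebuild
+++ b/net-firewall/nftables/nftables-1.0.7.ebuild
@@ -170,28 +170,28 @@ src_install() {
 pkg_preinst() {
 local stderr
 
- # There's a history of regressions with nftables upgrades. Add a safety
- # check to help us spot them earlier.
- if [[ -d /sys/module/nf_tables ]] && [[ -x /sbin/nft ]] && [[ -z ${ROOT} ]]; then
- # Check the current loaded ruleset, if any, using the newly
- # built instance of nft(8).
- if ! stderr=$(umask 177; /sbin/nft -t list ruleset 2>&1 >"${T}"/ruleset.nft); then
- # Report errors induced by trying to list the ruleset
- # but don't treat them as being fatal.
- printf '%s\n' "${stderr}" >&2
- elif [[ ${stderr} == *"is managed by iptables-nft"* ]]; then
- # Rulesets generated by iptables-nft are special in
- # nature and will not always be printed in a way that
- # constitutes a valid syntax for ntf(8). Ignore them.
- return
- elif ! "${ED}"/sbin/nft -c -f "${T}"/ruleset.nft; then
- eerror "Your currently loaded ruleset cannot be parsed by the newly built instance of"
- eerror "nft. This probably means that there is a regression introduced by v${PV}."
- eerror "(To make the ebuild fail instead of warning, set NFTABLES_ABORT_ON_RELOAD_FAILURE=1.)"
-
- if [[ -n ${NFTABLES_ABORT_ON_RELOAD_FAILURE} ]] ; then
- die "Aborting because of failed nft reload!"
- fi
+ # There's a history of regressions with nftables upgrades. Perform a
+ # safety check to help us spot them earlier. For the check to pass, the
+ # currently loaded ruleset, if any, must be successfully evaluated by
+ # the newly built instance of nft(8).
+ if [[ -n ${ROOT} ]] || [[ ! -d /sys/module/nftables ]] || [[ ! -x /sbin/nft ]]; then
+ # Either nftables isn't yet in use or nft(8) cannot be executed.
+ return
+ elif ! stderr=$(umask 177; /sbin/nft -t list ruleset 2>&1 >"${T}"/ruleset.nft); then
+ # Report errors induced by trying to list the ruleset but don't
+ # treat them as being fatal.
+ printf '%s\n' "${stderr}" >&2
+ elif [[ ${stderr} == *"is managed by iptables-nft"* ]]; then
+ # Rulesets generated by iptables-nft are special in nature and
+ # will not always be printed in a way that constitutes a valid
+ # syntax for ntf(8). Ignore them.
+ return
+ elif set -- "${ED}"/usr/lib*/libnftables.so; ! LD_LIBRARY_PATH=${1%/*} "${ED}"/sbin/nft -c -f -- "${T}"/ruleset.nft; then
+ eerror "Your currently loaded ruleset cannot be parsed by the newly built instance of"
+ eerror "nft. This probably means that there is a regression introduced by v${PV}."
+ eerror "(To make the ebuild fail instead of warning, set NFTABLES_ABORT_ON_RELOAD_FAILURE=1.)"
+ if [[ -n ${NFTABLES_ABORT_ON_RELOAD_FAILURE} ]] ; then
+ die "Aborting because of failed nft reload!"
 fi
 fi
 }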
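--- a/net-firewall/nftables/nftables-9999.ebuild
+++ b/net-firewall/nftables/nftables-9999.ebuild
@@ -170,28 +170,28 @@ src_install() {
 pkg_preinst() {
 local stderr
 
- # There's a history of regressions with nftables upgrades. Add a safety
- # check to help us spot them earlier.
- if [[ -d /sys/module/nf_tables ]] && [[ -x /sbin/nft ]] && [[ -z ${ROOT} ]]; then
- # Check the current loaded ruleset, if any, using the newly
- # built instance of nft(8).
- if ! stderr=$(umask 177; /sbin/nft -t list ruleset 2>&1 >"${T}"/ruleset.nft); then
- # Report errors induced by trying to list the ruleset
- # but don't treat them as being fatal.
- printf '%s\n' "${stderr}" >&2
- elif [[ ${stderr} == *"is managed by iptables-nft"* ]]; then
- # Rulesets generated by iptables-nft are special in
- # nature and will not always be printed in a way that
- # constitutes a valid syntax for ntf(8). Ignore them.
- return
- elif ! "${ED}"/sbin/nft -c -f "${T}"/ruleset.nft; then
- eerror "Your currently loaded ruleset cannot be parsed by the newly built instance of"
- eerror "nft. This probably means that there is a regression introduced by v${PV}."
- eerror "(To make the ebuild fail instead of warning, set NFTABLES_ABORT_ON_RELOAD_FAILURE=1.)"
-
- if [[ -n ${NFTABLES_ABORT_ON_RELOAD_FAILURE} ]] ; then
- die "Aborting because of failed nft reload!"
- fi
+ # There's a history of regressions with nftables upgrades. Perform a
+ # safety check to help us spot them earlier. For the check to pass, the
+ # currently loaded ruleset, if any, must be successfully evaluated by
+ # the newly built instance of nft(8).
+ if [[ -n ${ROOT} ]] || [[ ! -d /sys/module/nftables ]] || [[ ! -x /sbin/nft ]]; then
+ # Either nftables isn't yet in use or nft(8) cannot be executed.
+ return
+ elif ! stderr=$(umask 177; /sbin/nft -t list ruleset 2>&1 >"${T}"/ruleset.nft); then
+ # Report errors induced by trying to list the ruleset but don't
+ # treat them as being fatal.
+ printf '%s\n' "${stderr}" >&2
+ elif [[ ${stderr} == *"is managed by iptables-nft"* ]]; then
+ # Rulesets generated by iptables-nft are special in nature and
+ # will not always be printed in a way that constitutes a valid
+ # syntax for ntf(8). Ignore them.
+ return
+ elif set -- "${ED}"/usr/lib*/libnftables.so; ! LD_LIBRARY_PATH=${1%/*} "${ED}"/sbin/nft -c -f -- "${T}"/ruleset.nft; then
+ eerror "Your currently loaded ruleset cannot be parsed by the newly built instance of"
+ eerror "nft. This probably means that there is a regression introduced by v${PV}."
+ eerror "(To make the ebuild fail instead of warning, set NFTABLES_ABORT_ON_RELOAD_FAILURE=1.)"
+ if [[ -n ${NFTABLES_ABORT_ON_RELOAD_FAILURE} ]] ; then
+ die "Aborting because of failed nft reload!"
 fi
 fi
 }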