commit: 9996c079375c4db6aa9a5b35f3e947608c4b99c5 |
Author: Sam James <sam <AT> gentoo <DOT> org> |
AuthorDate: Sun Jun 5 06:41:40 2022 +0000 |
Commit: Sam James <sam <AT> gentoo <DOT> org> |
CommitDate: Sun Jun 5 06:44:57 2022 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9996c079 |
|
net-firewall/nftables: backport crash fix; add test infrastructure |
|
Signed-off-by: Sam James <sam <AT> gentoo.org> |
|
.../files/nftables-1.0.3-optimize-segfault.patch | 64 ++++++++++++++++++++++ |
.../files/nftables-1.0.3-test-shell-sets.patch | 21 +++++++ |
...tables-9999.ebuild => nftables-1.0.3-r1.ebuild} | 48 +++++++++++----- |
net-firewall/nftables/nftables-9999.ebuild | 48 +++++++++++----- |
4 files changed, 153 insertions(+), 28 deletions(-) |
|
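--- /dev/null
+++ b/net-firewall/nftables/files/nftables-1.0.3-optimize-segfault.patch
@@ -0,0 +1,64 @@
+https://git.netfilter.org/nftables/commit/?id=59bd944f6d75e99fe0c8d743e7fd482672640c2d
+
+From: Pablo Neira Ayuso <pablo@×××××××××.org>
+Date: Wed, 1 Jun 2022 10:14:22 +0200
+Subject: optimize: segfault when releasing unsupported statement
+
+Call xfree() instead since stmt_alloc() does not initialize the
+statement type fields.
+
+Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1609
+Fixes: ea1f1c9ff608 ("optimize: memleak in statement matrix")
+Signed-off-by: Pablo Neira Ayuso <pablo@×××××××××.org>
+--- a/src/optimize.c
++++ b/src/optimize.c
+@@ -304,7 +304,7 @@ static int rule_collect_stmts(struct optimize_ctx *ctx, struct rule *rule)
+ clone->nat.type_flags = stmt->nat.type_flags;
+ break;
+ default:
+- stmt_free(clone);
++ xfree(clone);
+ continue;
+ }
+
+--- a/tests/shell/testcases/optimizations/dumps/merge_vmaps.nft
++++ b/tests/shell/testcases/optimizations/dumps/merge_vmaps.nft
+@@ -1,4 +1,10 @@
+ table ip x {
++ set s {
++ type ipv4_addr
++ size 65535
++ flags dynamic
++ }
++
+ chain filter_in_tcp {
+ }
+
+@@ -6,6 +12,7 @@ table ip x {
+ }
+
+ chain y {
++ update @s { ip saddr limit rate 12/minute burst 30 packets } accept
+ tcp dport vmap { 80 : accept, 81 : accept, 443 : accept, 8000-8100 : accept, 24000-25000 : accept }
+ meta l4proto vmap { tcp : goto filter_in_tcp, udp : goto filter_in_udp }
+ log
+--- a/tests/shell/testcases/optimizations/merge_vmaps
++++ b/tests/shell/testcases/optimizations/merge_vmaps
+@@ -3,11 +3,16 @@
+ set -e
+
+ RULESET="table ip x {
++ set s {
++ type ipv4_addr
++ flags dynamic
++ }
+ chain filter_in_tcp {
+ }
+ chain filter_in_udp {
+ }
+ chain y {
++ update @s { ip saddr limit rate 12/minute burst 30 packets } accept
+ tcp dport vmap {
+ 80 : accept,
+ 81 : accept,
+cgit v1.2.3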
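Review bot: Both new patch files end with a stray `cgit v1.2.3` line (the last line of this hunk, and likewise in nftables-1.0.3-test-shell-sets.patch), which is the web front-end's page footer captured when the patch was fetched rather than part of upstream commit 59bd944f; `patch` and `eapply` tolerate trailing text after the last hunk, but the line should be trimmed so the file is a verbatim copy of what is being backported and a future refresh can be diffed against upstream cleanly. The C change itself looks sound as far as the embedded hunk shows: in the `default:` arm of the switch in rule_collect_stmts the clone never received a statement type, so per the commit message `stmt_free()` acted on fields that stmt_alloc() had not initialised, and the plain `xfree(clone)` is the only release that does not touch them. rule_collect_stmts begins and ends outside the embedded hunk, so the allocation site is not visible here.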
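--- /dev/null
+++ b/net-firewall/nftables/files/nftables-1.0.3-test-shell-sets.patch
@@ -0,0 +1,21 @@
+https://git.netfilter.org/nftables/commit/?id=3835de19fe5773baac5b79f35484d0f0e99bcfe1
+
+From: Pablo Neira Ayuso <pablo@×××××××××.org>
+Date: Wed, 1 Jun 2022 18:17:02 +0200
+Subject: tests: shell: sets_with_ifnames release netns on exit
+
+Missing ip netns del call from cleanup()
+
+Fixes: d6fdb0d8d482 ("sets_with_ifnames: add test case for concatenated range")
+Signed-off-by: Pablo Neira Ayuso <pablo@×××××××××.org>
+--- a/tests/shell/testcases/sets/sets_with_ifnames
++++ b/tests/shell/testcases/sets/sets_with_ifnames
+@@ -13,6 +13,7 @@ ns2="nft2ifname-$rnd"
+ cleanup()
+ {
+ ip netns del "$ns1"
++ ip netns del "$ns2"
+ }
+
+ trap cleanup EXIT
+cgit v1.2.3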
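--- a/net-firewall/nftables/nftables-9999.ebuild
+++ b/net-firewall/nftables/nftables-1.0.3-r1.ebuild
@@ -3,15 +3,16 @@
 
 EAPI=7
 
-PYTHON_COMPAT=( python3_{8..10} )
 DISTUTILS_OPTIONAL=1
-inherit autotools linux-info distutils-r1 systemd verify-sig
+PYTHON_COMPAT=( python3_{8..11} )
+VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/netfilter.org.asc
+inherit edo linux-info distutils-r1 systemd verify-sig
 
 DESCRIPTION="Linux kernel (3.13+) firewall, NAT and packet mangling tools"
 HOMEPAGE="https://netfilter.org/projects/nftables/"
 
 if [[ ${PV} =~ ^[9]{4,}$ ]]; then
- inherit git-r3
+ inherit autotools git-r3
 EGIT_REPO_URI="https://git.netfilter.org/${PN}"
 
 BDEPEND="
@@ -22,13 +23,13 @@ else
 SRC_URI="https://netfilter.org/projects/nftables/files/${P}.tar.bz2
 verify-sig? ( https://netfilter.org/projects/nftables/files/${P}.tar.bz2.sig )"
 KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86"
- VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/netfilter.org.asc
 BDEPEND+="verify-sig? ( sec-keys/openpgp-keys-netfilter )"
 fi
 
 LICENSE="GPL-2"
 SLOT="0/1"
-IUSE="debug doc +gmp json libedit +modern-kernel python +readline static-libs xtables"
+IUSE="debug doc +gmp json libedit +modern-kernel python +readline static-libs test xtables"
+RESTRICT="test? ( userpriv ) !test? ( test )"
 
 RDEPEND="
 >=net-libs/libmnl-1.0.4:0=
@@ -43,11 +44,12 @@ RDEPEND="
 DEPEND="${RDEPEND}"
 
 BDEPEND+="
+ virtual/pkgconfig
 doc? (
 app-text/asciidoc
 >=app-text/docbook2X-0.8.8-r4
 )
- virtual/pkgconfig
+ python? ( ${PYTHON_DEPS} )
 "
 
 REQUIRED_USE="
@@ -55,6 +57,11 @@ REQUIRED_USE="
 libedit? ( !readline )
 "
 
+PATCHES=(
+ "${FILESDIR}"/${P}-optimize-segfault.patch
+ "${FILESDIR}"/${P}-test-shell-sets.patch
+)
+
 pkg_setup() {
 if kernel_is ge 3 13; then
 if use modern-kernel && kernel_is lt 3 18; then
@@ -70,13 +77,9 @@ pkg_setup() {
 src_prepare() {
 default
 
- # fix installation path for doc stuff
- sed '/^pkgsysconfdir/s@${sysconfdir}.*$@${docdir}/skels@' \
- -i files/nftables/Makefile.am || die
- sed '/^pkgsysconfdir/s@${sysconfdir}.*$@${docdir}/skels/osf@' \
- -i files/osf/Makefile.am || die
-
- eautoreconf
+ if [[ ${PV} =~ ^[9]{4,}$ ]] ; then
+ eautoreconf
+ fi
 
 if use python; then
 pushd py >/dev/null || die
@@ -119,6 +122,17 @@ src_compile() {
 fi
 }
 
+src_test() {
+ emake check
+
+ edo tests/shell/run-tests.sh -v
+
+ # Need to rig up Python eclass if using this, but it doesn't seem to work
+ # for me anyway.
+ #cd tests/py || die
+ #"${EPYTHON}" nft-test.py || die
+}
+
 src_install() {
 default
 
@@ -128,6 +142,11 @@ src_install() {
 popd >/dev/null || die
 fi
 
+ # Do it here instead of in src_prepare to avoid eautoreconf
+ # rmdir lets us catch if more files end up installed in /etc/nftables
+ mv "${ED}"/etc/nftables/osf "${ED}"/usr/share/doc/${PF}/skels/osf || die
+ rmdir "${ED}"/etc/nftables || die
+
 local mksuffix="$(usex modern-kernel '-mk' '')"
 
 exeinto /usr/libexec/${PN}
@@ -149,7 +168,7 @@ src_install() {
 
 pkg_postinst() {
 local save_file
- save_file="${EROOT}/var/lib/nftables/rules-save"
+ save_file="${EROOT}"/var/lib/nftables/rules-save
 
 # In order for the nftables-restore systemd service to start
 # the save_file must exist.
@@ -172,6 +191,7 @@ pkg_postinst() {
 elog "the nftables-restore service must be manually started in order to"
 elog "save those rules on shutdown."
 fi
+
 if has_version 'sys-apps/openrc'; then
 elog "If you wish to enable the firewall rules on boot (on openrc) you"
 elog "will need to enable the nftables service."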
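Review bot: `src_test` hands the build host's kernel to the test suite as root: `RESTRICT="test? ( userpriv )"` disables privilege dropping and `edo tests/shell/run-tests.sh -v` then drives the real netfilter subsystem, and as far as I can tell the 1.0.3 runner does not put itself into a network namespace, so a FEATURES=test merge flushes and replaces the builder's live ruleset for the duration of the run. Running it under a fresh namespace, `edo unshare -n tests/shell/run-tests.sh -v`, keeps the ruleset churn and the per-test `ip netns add` calls off the host without a new dependency (util-linux is in @system); if any case turns out to need `lo`, bring it up inside the namespace first. A short comment next to the RESTRICT line saying why root is required would also save the next maintainer the archaeology. The identical hunk in nftables-9999.ebuild has the same exposure.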
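--- a/net-firewall/nftables/nftables-9999.ebuild
+++ b/net-firewall/nftables/nftables-9999.ebuild
@@ -3,15 +3,16 @@
 
 EAPI=7
 
-PYTHON_COMPAT=( python3_{8..10} )
 DISTUTILS_OPTIONAL=1
-inherit autotools linux-info distutils-r1 systemd verify-sig
+PYTHON_COMPAT=( python3_{8..11} )
+VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/netfilter.org.asc
+inherit edo linux-info distutils-r1 systemd verify-sig
 
 DESCRIPTION="Linux kernel (3.13+) firewall, NAT and packet mangling tools"
 HOMEPAGE="https://netfilter.org/projects/nftables/"
 
 if [[ ${PV} =~ ^[9]{4,}$ ]]; then
- inherit git-r3
+ inherit autotools git-r3
 EGIT_REPO_URI="https://git.netfilter.org/${PN}"
 
 BDEPEND="
@@ -22,13 +23,13 @@ else
 SRC_URI="https://netfilter.org/projects/nftables/files/${P}.tar.bz2
 verify-sig? ( https://netfilter.org/projects/nftables/files/${P}.tar.bz2.sig )"
 KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86"
- VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/netfilter.org.asc
 BDEPEND+="verify-sig? ( sec-keys/openpgp-keys-netfilter )"
 fi
 
 LICENSE="GPL-2"
 SLOT="0/1"
-IUSE="debug doc +gmp json libedit +modern-kernel python +readline static-libs xtables"
+IUSE="debug doc +gmp json libedit +modern-kernel python +readline static-libs test xtables"
+RESTRICT="test? ( userpriv ) !test? ( test )"
 
 RDEPEND="
 >=net-libs/libmnl-1.0.4:0=
@@ -43,11 +44,12 @@ RDEPEND="
 DEPEND="${RDEPEND}"
 
 BDEPEND+="
+ virtual/pkgconfig
 doc? (
 app-text/asciidoc
 >=app-text/docbook2X-0.8.8-r4
 )
- virtual/pkgconfig
+ python? ( ${PYTHON_DEPS} )
 "
 
 REQUIRED_USE="
@@ -55,6 +57,11 @@ REQUIRED_USE="
 libedit? ( !readline )
 "
 
+PATCHES=(
+ "${FILESDIR}"/${P}-optimize-segfault.patch
+ "${FILESDIR}"/${P}-test-shell-sets.patch
+)
+
 pkg_setup() {
 if kernel_is ge 3 13; then
 if use modern-kernel && kernel_is lt 3 18; then
@@ -70,13 +77,9 @@ pkg_setup() {
 src_prepare() {
 default
 
- # fix installation path for doc stuff
- sed '/^pkgsysconfdir/s@${sysconfdir}.*$@${docdir}/skels@' \
- -i files/nftables/Makefile.am || die
- sed '/^pkgsysconfdir/s@${sysconfdir}.*$@${docdir}/skels/osf@' \
- -i files/osf/Makefile.am || die
-
- eautoreconf
+ if [[ ${PV} =~ ^[9]{4,}$ ]] ; then
+ eautoreconf
+ fi
 
 if use python; then
 pushd py >/dev/null || die
@@ -119,6 +122,17 @@ src_compile() {
 fi
 }
 
+src_test() {
+ emake check
+
+ edo tests/shell/run-tests.sh -v
+
+ # Need to rig up Python eclass if using this, but it doesn't seem to work
+ # for me anyway.
+ #cd tests/py || die
+ #"${EPYTHON}" nft-test.py || die
+}
+
 src_install() {
 default
 
@@ -128,6 +142,11 @@ src_install() {
 popd >/dev/null || die
 fi
 
+ # Do it here instead of in src_prepare to avoid eautoreconf
+ # rmdir lets us catch if more files end up installed in /etc/nftables
+ mv "${ED}"/etc/nftables/osf "${ED}"/usr/share/doc/${PF}/skels/osf || die
+ rmdir "${ED}"/etc/nftables || die
+
 local mksuffix="$(usex modern-kernel '-mk' '')"
 
 exeinto /usr/libexec/${PN}
@@ -149,7 +168,7 @@ src_install() {
 
 pkg_postinst() {
 local save_file
- save_file="${EROOT}/var/lib/nftables/rules-save"
+ save_file="${EROOT}"/var/lib/nftables/rules-save
 
 # In order for the nftables-restore systemd service to start
 # the save_file must exist.
@@ -172,6 +191,7 @@ pkg_postinst() {
 elog "the nftables-restore service must be manually started in order to"
 elog "save those rules on shutdown."
 fi
+
 if has_version 'sys-apps/openrc'; then
 elog "If you wish to enable the firewall rules on boot (on openrc) you"
 elog "will need to enable the nftables service."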
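Review bot: The `PATCHES` array added to this live ebuild expands `${P}` to `nftables-9999`, so it points at `nftables-9999-optimize-segfault.patch` and `nftables-9999-test-shell-sets.patch`, neither of which this commit adds (the diffstat lists only the two `nftables-1.0.3-*` files); unless same-named files exist outside this commit, `default` in `src_prepare` will die on the missing patch for every 9999 build. Both fixes are also already in upstream git (59bd944f and 3835de19, dated 1 Jun 2022), so they would not apply to a fresh checkout even with matching names. Since the two ebuilds are kept byte-identical, the cleanest fix is to move the array into the `else` branch of the existing `if [[ ${PV} =~ ^[9]{4,}$ ]]` block, where only release versions evaluate it, and carry the same guard in nftables-1.0.3-r1.ebuild.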