
From: Sam James <sam@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: net-firewall/nftables/, net-firewall/nftables/files/
Date: Sun, 05 Jun 2022 06:56:38
Message-Id: 1654411497.9996c079375c4db6aa9a5b35f3e947608c4b99c5.sam@gentoo
1 commit: 9996c079375c4db6aa9a5b35f3e947608c4b99c5
2 Author: Sam James <sam <AT> gentoo <DOT> org>
3 AuthorDate: Sun Jun 5 06:41:40 2022 +0000
4 Commit: Sam James <sam <AT> gentoo <DOT> org>
5 CommitDate: Sun Jun 5 06:44:57 2022 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9996c079
7
8 net-firewall/nftables: backport crash fix; add test infrastructure
9
10 Signed-off-by: Sam James <sam <AT> gentoo.org>
11
12 .../files/nftables-1.0.3-optimize-segfault.patch | 64 ++++++++++++++++++++++
13 .../files/nftables-1.0.3-test-shell-sets.patch | 21 +++++++
14 ...tables-9999.ebuild => nftables-1.0.3-r1.ebuild} | 48 +++++++++++-----
15 net-firewall/nftables/nftables-9999.ebuild | 48 +++++++++++-----
16 4 files changed, 153 insertions(+), 28 deletions(-)
17
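--- /dev/null
+++ b/net-firewall/nftables/files/nftables-1.0.3-optimize-segfault.patch
@@ -0,0 +1,64 @@
+https://git.netfilter.org/nftables/commit/?id=59bd944f6d75e99fe0c8d743e7fd482672640c2d
+
+From: Pablo Neira Ayuso <pablo@×××××××××.org>
+Date: Wed, 1 Jun 2022 10:14:22 +0200
+Subject: optimize: segfault when releasing unsupported statement
+
+Call xfree() instead since stmt_alloc() does not initialize the
+statement type fields.
+
+Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1609
+Fixes: ea1f1c9ff608 ("optimize: memleak in statement matrix")
+Signed-off-by: Pablo Neira Ayuso <pablo@×××××××××.org>
+--- a/src/optimize.c
++++ b/src/optimize.c
+@@ -304,7 +304,7 @@ static int rule_collect_stmts(struct optimize_ctx *ctx, struct rule *rule)
+ clone->nat.type_flags = stmt->nat.type_flags;
+ break;
+ default:
+- stmt_free(clone);
++ xfree(clone);
+ continue;
+ }
+
+--- a/tests/shell/testcases/optimizations/dumps/merge_vmaps.nft
++++ b/tests/shell/testcases/optimizations/dumps/merge_vmaps.nft
+@@ -1,4 +1,10 @@
+ table ip x {
++ set s {
++ type ipv4_addr
++ size 65535
++ flags dynamic
++ }
++
+ chain filter_in_tcp {
+ }
+
+@@ -6,6 +12,7 @@ table ip x {
+ }
+
+ chain y {
++ update @s { ip saddr limit rate 12/minute burst 30 packets } accept
+ tcp dport vmap { 80 : accept, 81 : accept, 443 : accept, 8000-8100 : accept, 24000-25000 : accept }
+ meta l4proto vmap { tcp : goto filter_in_tcp, udp : goto filter_in_udp }
+ log
+--- a/tests/shell/testcases/optimizations/merge_vmaps
++++ b/tests/shell/testcases/optimizations/merge_vmaps
+@@ -3,11 +3,16 @@
+ set -e
+
+ RULESET="table ip x {
++ set s {
++ type ipv4_addr
++ flags dynamic
++ }
+ chain filter_in_tcp {
+ }
+ chain filter_in_udp {
+ }
+ chain y {
++ update @s { ip saddr limit rate 12/minute burst 30 packets } accept
+ tcp dport vmap {
+ 80 : accept,
+ 81 : accept,
+cgit v1.2.3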
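Review bot: The new patch file ends with the cgit web footer `cgit v1.2.3` as its 64th line, and nftables-1.0.3-test-shell-sets.patch carries the same trailer; GNU patch skips trailing text that belongs to no hunk, so eapply still succeeds, but the line is noise that suggests the file was saved from a rendered cgit view rather than its raw patch endpoint, and both trailers should be dropped so the files are clean diffs. The upstream fix itself is sound as far as the hunk shows: the clone comes from stmt_alloc(), which per the commit message leaves the type-specific fields uninitialised, so the old `stmt_free(clone)` on the unsupported-statement path read uninitialised memory and crashed; rule_collect_stmts continues outside the hunk. A short line under the URL, such as `Backport for 1.0.3: fixes a crash in nft -o/--optimize on rulesets with unsupported statements (netfilter bug 1609)`, would tell the next maintainer why the patch is carried and when it can be dropped.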
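--- /dev/null
+++ b/net-firewall/nftables/files/nftables-1.0.3-test-shell-sets.patch
@@ -0,0 +1,21 @@
+https://git.netfilter.org/nftables/commit/?id=3835de19fe5773baac5b79f35484d0f0e99bcfe1
+
+From: Pablo Neira Ayuso <pablo@×××××××××.org>
+Date: Wed, 1 Jun 2022 18:17:02 +0200
+Subject: tests: shell: sets_with_ifnames release netns on exit
+
+Missing ip netns del call from cleanup()
+
+Fixes: d6fdb0d8d482 ("sets_with_ifnames: add test case for concatenated range")
+Signed-off-by: Pablo Neira Ayuso <pablo@×××××××××.org>
+--- a/tests/shell/testcases/sets/sets_with_ifnames
++++ b/tests/shell/testcases/sets/sets_with_ifnames
+@@ -13,6 +13,7 @@ ns2="nft2ifname-$rnd"
+ cleanup()
+ {
+ ip netns del "$ns1"
++ ip netns del "$ns2"
+ }
+
+ trap cleanup EXIT
+cgit v1.2.3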
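--- a/net-firewall/nftables/nftables-9999.ebuild
+++ b/net-firewall/nftables/nftables-1.0.3-r1.ebuild
@@ -3,15 +3,16 @@
 
 EAPI=7
 
-PYTHON_COMPAT=( python3_{8..10} )
 DISTUTILS_OPTIONAL=1
-inherit autotools linux-info distutils-r1 systemd verify-sig
+PYTHON_COMPAT=( python3_{8..11} )
+VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/netfilter.org.asc
+inherit edo linux-info distutils-r1 systemd verify-sig
 
 DESCRIPTION="Linux kernel (3.13+) firewall, NAT and packet mangling tools"
 HOMEPAGE="https://netfilter.org/projects/nftables/"
 
 if [[ ${PV} =~ ^[9]{4,}$ ]]; then
- inherit git-r3
+ inherit autotools git-r3
 EGIT_REPO_URI="https://git.netfilter.org/${PN}"
 
 BDEPEND="
@@ -22,13 +23,13 @@ else
 SRC_URI="https://netfilter.org/projects/nftables/files/${P}.tar.bz2
 verify-sig? ( https://netfilter.org/projects/nftables/files/${P}.tar.bz2.sig )"
 KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86"
- VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/netfilter.org.asc
 BDEPEND+="verify-sig? ( sec-keys/openpgp-keys-netfilter )"
 fi
 
 LICENSE="GPL-2"
 SLOT="0/1"
-IUSE="debug doc +gmp json libedit +modern-kernel python +readline static-libs xtables"
+IUSE="debug doc +gmp json libedit +modern-kernel python +readline static-libs test xtables"
+RESTRICT="test? ( userpriv ) !test? ( test )"
 
 RDEPEND="
 >=net-libs/libmnl-1.0.4:0=
@@ -43,11 +44,12 @@ RDEPEND="
 DEPEND="${RDEPEND}"
 
 BDEPEND+="
+ virtual/pkgconfig
 doc? (
 app-text/asciidoc
 >=app-text/docbook2X-0.8.8-r4
 )
- virtual/pkgconfig
+ python? ( ${PYTHON_DEPS} )
 "
 
 REQUIRED_USE="
@@ -55,6 +57,11 @@ REQUIRED_USE="
 libedit? ( !readline )
 "
 
+PATCHES=(
+ "${FILESDIR}"/${P}-optimize-segfault.patch
+ "${FILESDIR}"/${P}-test-shell-sets.patch
+)
+
 pkg_setup() {
 if kernel_is ge 3 13; then
 if use modern-kernel && kernel_is lt 3 18; then
@@ -70,13 +77,9 @@ pkg_setup() {
 src_prepare() {
 default
 
- # fix installation path for doc stuff
- sed '/^pkgsysconfdir/s@${sysconfdir}.*$@${docdir}/skels@' \
- -i files/nftables/Makefile.am || die
- sed '/^pkgsysconfdir/s@${sysconfdir}.*$@${docdir}/skels/osf@' \
- -i files/osf/Makefile.am || die
-
- eautoreconf
+ if [[ ${PV} =~ ^[9]{4,}$ ]] ; then
+ eautoreconf
+ fi
 
 if use python; then
 pushd py >/dev/null || die
@@ -119,6 +122,17 @@ src_compile() {
 fi
 }
 
+src_test() {
+ emake check
+
+ edo tests/shell/run-tests.sh -v
+
+ # Need to rig up Python eclass if using this, but it doesn't seem to work
+ # for me anyway.
+ #cd tests/py || die
+ #"${EPYTHON}" nft-test.py || die
+}
+
 src_install() {
 default
 
@@ -128,6 +142,11 @@ src_install() {
 popd >/dev/null || die
 fi
 
+ # Do it here instead of in src_prepare to avoid eautoreconf
+ # rmdir lets us catch if more files end up installed in /etc/nftables
+ mv "${ED}"/etc/nftables/osf "${ED}"/usr/share/doc/${PF}/skels/osf || die
+ rmdir "${ED}"/etc/nftables || die
+
 local mksuffix="$(usex modern-kernel '-mk' '')"
 
 exeinto /usr/libexec/${PN}
@@ -149,7 +168,7 @@ src_install() {
 
 pkg_postinst() {
 local save_file
- save_file="${EROOT}/var/lib/nftables/rules-save"
+ save_file="${EROOT}"/var/lib/nftables/rules-save
 
 # In order for the nftables-restore systemd service to start
 # the save_file must exist.
@@ -172,6 +191,7 @@ pkg_postinst() {
 elog "the nftables-restore service must be manually started in order to"
 elog "save those rules on shutdown."
 fi
+
 if has_version 'sys-apps/openrc'; then
 elog "If you wish to enable the firewall rules on boot (on openrc) you"
 elog "will need to enable the nftables service."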
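Review bot: `edo tests/shell/run-tests.sh -v` in the new src_test drives the build host's kernel as root, and nothing in the ebuild says so: RESTRICT="test? ( userpriv )" forces the suite to run unprivileged-off, and the backported test-shell-sets patch shows the cases create and delete network namespaces (`ip netns del "$ns2"` was missing from a cleanup handler, i.e. a failed case leaks kernel objects). As far as I recall run-tests.sh also flushes the ruleset between cases, which on a machine with a live nftables firewall would wipe it mid-build; confirm against the script before relying on USE=test outside a disposable host. I would put `# run-tests.sh needs root and manipulates the host kernel's netfilter/netns state;` and `# only enable USE=test on a throwaway build host or inside a container.` directly above the edo line, and consider running the suite under `unshare -n` if it tolerates a private network namespace. The same src_test hunk appears in nftables-9999.ebuild.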
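--- a/net-firewall/nftables/nftables-9999.ebuild
+++ b/net-firewall/nftables/nftables-9999.ebuild
@@ -3,15 +3,16 @@
 
 EAPI=7
 
-PYTHON_COMPAT=( python3_{8..10} )
 DISTUTILS_OPTIONAL=1
-inherit autotools linux-info distutils-r1 systemd verify-sig
+PYTHON_COMPAT=( python3_{8..11} )
+VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/netfilter.org.asc
+inherit edo linux-info distutils-r1 systemd verify-sig
 
 DESCRIPTION="Linux kernel (3.13+) firewall, NAT and packet mangling tools"
 HOMEPAGE="https://netfilter.org/projects/nftables/"
 
 if [[ ${PV} =~ ^[9]{4,}$ ]]; then
- inherit git-r3
+ inherit autotools git-r3
 EGIT_REPO_URI="https://git.netfilter.org/${PN}"
 
 BDEPEND="
@@ -22,13 +23,13 @@ else
 SRC_URI="https://netfilter.org/projects/nftables/files/${P}.tar.bz2
 verify-sig? ( https://netfilter.org/projects/nftables/files/${P}.tar.bz2.sig )"
 KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86"
- VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/netfilter.org.asc
 BDEPEND+="verify-sig? ( sec-keys/openpgp-keys-netfilter )"
 fi
 
 LICENSE="GPL-2"
 SLOT="0/1"
-IUSE="debug doc +gmp json libedit +modern-kernel python +readline static-libs xtables"
+IUSE="debug doc +gmp json libedit +modern-kernel python +readline static-libs test xtables"
+RESTRICT="test? ( userpriv ) !test? ( test )"
 
 RDEPEND="
 >=net-libs/libmnl-1.0.4:0=
@@ -43,11 +44,12 @@ RDEPEND="
 DEPEND="${RDEPEND}"
 
 BDEPEND+="
+ virtual/pkgconfig
 doc? (
 app-text/asciidoc
 >=app-text/docbook2X-0.8.8-r4
 )
- virtual/pkgconfig
+ python? ( ${PYTHON_DEPS} )
 "
 
 REQUIRED_USE="
@@ -55,6 +57,11 @@ REQUIRED_USE="
 libedit? ( !readline )
 "
 
+PATCHES=(
+ "${FILESDIR}"/${P}-optimize-segfault.patch
+ "${FILESDIR}"/${P}-test-shell-sets.patch
+)
+
 pkg_setup() {
 if kernel_is ge 3 13; then
 if use modern-kernel && kernel_is lt 3 18; then
@@ -70,13 +77,9 @@ pkg_setup() {
 src_prepare() {
 default
 
- # fix installation path for doc stuff
- sed '/^pkgsysconfdir/s@${sysconfdir}.*$@${docdir}/skels@' \
- -i files/nftables/Makefile.am || die
- sed '/^pkgsysconfdir/s@${sysconfdir}.*$@${docdir}/skels/osf@' \
- -i files/osf/Makefile.am || die
-
- eautoreconf
+ if [[ ${PV} =~ ^[9]{4,}$ ]] ; then
+ eautoreconf
+ fi
 
 if use python; then
 pushd py >/dev/null || die
@@ -119,6 +122,17 @@ src_compile() {
 fi
 }
 
+src_test() {
+ emake check
+
+ edo tests/shell/run-tests.sh -v
+
+ # Need to rig up Python eclass if using this, but it doesn't seem to work
+ # for me anyway.
+ #cd tests/py || die
+ #"${EPYTHON}" nft-test.py || die
+}
+
 src_install() {
 default
 
@@ -128,6 +142,11 @@ src_install() {
 popd >/dev/null || die
 fi
 
+ # Do it here instead of in src_prepare to avoid eautoreconf
+ # rmdir lets us catch if more files end up installed in /etc/nftables
+ mv "${ED}"/etc/nftables/osf "${ED}"/usr/share/doc/${PF}/skels/osf || die
+ rmdir "${ED}"/etc/nftables || die
+
 local mksuffix="$(usex modern-kernel '-mk' '')"
 
 exeinto /usr/libexec/${PN}
@@ -149,7 +168,7 @@ src_install() {
 
 pkg_postinst() {
 local save_file
- save_file="${EROOT}/var/lib/nftables/rules-save"
+ save_file="${EROOT}"/var/lib/nftables/rules-save
 
 # In order for the nftables-restore systemd service to start
 # the save_file must exist.
@@ -172,6 +191,7 @@ pkg_postinst() {
 elog "the nftables-restore service must be manually started in order to"
 elog "save those rules on shutdown."
 fi
+
 if has_version 'sys-apps/openrc'; then
 elog "If you wish to enable the firewall rules on boot (on openrc) you"
 elog "will need to enable the nftables service."
</gr_full_update>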
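Review bot: The unconditional `PATCHES=( "${FILESDIR}"/${P}-optimize-segfault.patch ... )` added in the `@@ -55,6 +57,11 @@` hunk breaks the live ebuild: with PV=9999, `${P}` expands to nftables-9999-optimize-segfault.patch, which this commit does not add (the diffstat only adds the two nftables-1.0.3-* files), so the default src_prepare will die on a missing patch. The patches are also pointless for the live branch, which clones git.netfilter.org/nftables and presumably already contains both upstream commits, so applying them would fail even under the right name. Since nftables-1.0.3-r1.ebuild is a byte-identical copy (both sides show blob d4ace7fe057b), guarding the array on the existing `^[9]{4,}$` check keeps the pair in sync and documents why the patches exist.
```shell
# The two patches target the 1.0.3 tarball; the live branch already carries the
# upstream commits, and ${P} would name a non-existent nftables-9999-*.patch.
if ! [[ ${PV} =~ ^[9]{4,}$ ]]; then
	PATCHES=(
		"${FILESDIR}"/${P}-optimize-segfault.patch
		"${FILESDIR}"/${P}-test-shell-sets.patch
	)
fi
# … unchanged: pkg_setup and the rest of the ebuild …
```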