commit: 3eb821711cbbb51523315c657855ed175e16b8c8 |
Author: Felix Janda <felix.janda <AT> posteo <DOT> de> |
AuthorDate: Fri Jun 20 16:54:53 2014 +0000 |
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org> |
CommitDate: Sat Jun 21 20:49:09 2014 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=3eb82171 |
|
net-firewall/iptables: bump to 1.4.21 |
|
--- |
.../iptables/files/iptables-1.4.21-musl.patch | 136 +++++++++++++++++++++ |
.../files/systemd/ip6tables-restore.service | 14 +++ |
.../iptables/files/systemd/ip6tables-store.service | 11 ++ |
.../iptables/files/systemd/ip6tables.service | 6 + |
.../files/systemd/iptables-restore.service | 14 +++ |
.../iptables/files/systemd/iptables-store.service | 11 ++ |
.../iptables/files/systemd/iptables.service | 6 + |
net-firewall/iptables/iptables-1.4.21-r99.ebuild | 94 ++++++++++++++ |
8 files changed, 292 insertions(+) |
|
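--- /dev/null
+++ b/net-firewall/iptables/files/iptables-1.4.21-musl.patch
@@ -0,0 +1,136 @@
+diff -ru a/iptables-1.4.21/extensions/libip6t_ipv6header.c b/iptables-1.4.21/extensions/libip6t_ipv6header.c
+--- a/iptables-1.4.21/extensions/libip6t_ipv6header.c
++++ b/iptables-1.4.21/extensions/libip6t_ipv6header.c
+@@ -10,6 +10,9 @@
+ #include <netdb.h>
+ #include <xtables.h>
+ #include <linux/netfilter_ipv6/ip6t_ipv6header.h>
++#ifndef IPPROTO_HOPOPTS
++# define IPPROTO_HOPOPTS 0
++#endif
+ 
+ enum {
+ O_HEADER = 0,
+diff -ru a/iptables-1.4.21/extensions/libxt_TCPOPTSTRIP.c b/iptables-1.4.21/extensions/libxt_TCPOPTSTRIP.c
+--- a/iptables-1.4.21/extensions/libxt_TCPOPTSTRIP.c
++++ b/iptables-1.4.21/extensions/libxt_TCPOPTSTRIP.c
+@@ -12,6 +12,21 @@
+ #ifndef TCPOPT_MD5SIG
+ # define TCPOPT_MD5SIG 19
+ #endif
++#ifndef TCPOPT_MAXSEG
++# define TCPOPT_MAXSEG 2
++#endif
++#ifndef TCPOPT_WINDOW
++# define TCPOPT_WINDOW 3
++#endif
++#ifndef TCPOPT_SACK_PERMITTED
++# define TCPOPT_SACK_PERMITTED 4
++#endif
++#ifndef TCPOPT_SACK
++# define TCPOPT_SACK 5
++#endif
++#ifndef TCPOPT_TIMESTAMP
++# define TCPOPT_TIMESTAMP 8
++#endif
+ 
+ enum {
+ O_STRIP_OPTION = 0,
+diff -ru a/iptables-1.4.21/include/libiptc/ipt_kernel_headers.h b/iptables-1.4.21/include/libiptc/ipt_kernel_headers.h
+--- a/iptables-1.4.21/include/libiptc/ipt_kernel_headers.h
++++ b/iptables-1.4.21/include/libiptc/ipt_kernel_headers.h
+@@ -5,7 +5,6 @@
+ 
+ #include <limits.h>
+ 
+-#if defined(__GLIBC__) && __GLIBC__ == 2
+ #include <netinet/ip.h>
+ #include <netinet/in.h>
+ #include <netinet/ip_icmp.h>
+@@ -13,15 +12,4 @@
+ #include <netinet/udp.h>
+ #include <net/if.h>
+ #include <sys/types.h>
+-#else /* libc5 */
+-#include <sys/socket.h>
+-#include <linux/ip.h>
+-#include <linux/in.h>
+-#include <linux/if.h>
+-#include <linux/icmp.h>
+-#include <linux/tcp.h>
+-#include <linux/udp.h>
+-#include <linux/types.h>
+-#include <linux/in6.h>
+-#endif
+ #endif
+diff -ru a/iptables-1.4.21/include/linux/netfilter_ipv4/ip_tables.h b/iptables-1.4.21/include/linux/netfilter_ipv4/ip_tables.h
+--- a/iptables-1.4.21/include/linux/netfilter_ipv4/ip_tables.h
++++ b/iptables-1.4.21/include/linux/netfilter_ipv4/ip_tables.h
+@@ -16,6 +16,7 @@
+ #define _IPTABLES_H
+ 
+ #include <linux/types.h>
++#include <sys/types.h>
+ 
+ #include <linux/netfilter_ipv4.h>
+ 
+diff -ru a/iptables-1.4.21/iptables/ip6tables-restore.c b/iptables-1.4.21/iptables/ip6tables-restore.c
+--- a/iptables-1.4.21/iptables/ip6tables-restore.c
++++ b/iptables-1.4.21/iptables/ip6tables-restore.c
+@@ -9,7 +9,7 @@
+ */
+ 
+ #include <getopt.h>
+-#include <sys/errno.h>
++#include <errno.h>
+ #include <stdbool.h>
+ #include <string.h>
+ #include <stdio.h>
+diff -ru a/iptables-1.4.21/iptables/ip6tables-save.c b/iptables-1.4.21/iptables/ip6tables-save.c
+--- a/iptables-1.4.21/iptables/ip6tables-save.c
++++ b/iptables-1.4.21/iptables/ip6tables-save.c
+@@ -6,7 +6,7 @@
+ * This code is distributed under the terms of GNU GPL v2
+ */
+ #include <getopt.h>
+-#include <sys/errno.h>
++#include <errno.h>
+ #include <stdio.h>
+ #include <fcntl.h>
+ #include <stdlib.h>
+diff -ru a/iptables-1.4.21/iptables/iptables-restore.c b/iptables-1.4.21/iptables/iptables-restore.c
+--- a/iptables-1.4.21/iptables/iptables-restore.c
++++ b/iptables-1.4.21/iptables/iptables-restore.c
+@@ -6,7 +6,7 @@
+ */
+ 
+ #include <getopt.h>
+-#include <sys/errno.h>
++#include <errno.h>
+ #include <stdbool.h>
+ #include <string.h>
+ #include <stdio.h>
+diff -ru a/iptables-1.4.21/iptables/iptables-save.c b/iptables-1.4.21/iptables/iptables-save.c
+--- a/iptables-1.4.21/iptables/iptables-save.c
++++ b/iptables-1.4.21/iptables/iptables-save.c
+@@ -6,7 +6,7 @@
+ *
+ */
+ #include <getopt.h>
+-#include <sys/errno.h>
++#include <errno.h>
+ #include <stdio.h>
+ #include <fcntl.h>
+ #include <stdlib.h>
+diff -ru a/iptables-1.4.21/iptables/iptables-xml.c b/iptables-1.4.21/iptables/iptables-xml.c
+--- a/iptables-1.4.21/iptables/iptables-xml.c
++++ b/iptables-1.4.21/iptables/iptables-xml.c
+@@ -7,7 +7,7 @@
+ */
+ 
+ #include <getopt.h>
+-#include <sys/errno.h>
++#include <errno.h>
+ #include <string.h>
+ #include <stdio.h>
+ #include <stdlib.h>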
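Review bot: The patch file carries no description before its first `diff -ru` line, so a maintainer rebasing the ebuild has to rediscover what each hunk works around. A short header such as `musl build fixes: define the TCP option kinds and IPPROTO_HOPOPTS that musl's headers omit, drop the glibc-only guard around the netinet includes in ipt_kernel_headers.h, and replace the non-standard <sys/errno.h> with <errno.h>` would do, and noting whether any of it has been sent upstream tells the next bump when the patch can be dropped. The fallback values themselves (TCPOPT_MAXSEG 2, TCPOPT_WINDOW 3, TCPOPT_SACK_PERMITTED 4, TCPOPT_SACK 5, TCPOPT_TIMESTAMP 8, IPPROTO_HOPOPTS 0) match the IANA-assigned TCP option kinds and the IPv6 hop-by-hop protocol number, so guarding them with `#ifndef` is safe on any libc that already defines them.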
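--- /dev/null
+++ b/net-firewall/iptables/files/systemd/ip6tables-restore.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Restore ip6tables firewall rules
+# if both are queued for some reason, don't store before restoring :)
+Before=ip6tables-store.service
+# sounds reasonable to have firewall up before any of the services go up
+Before=network.target
+Conflicts=shutdown.target
+
+[Service]
+Type=oneshot
+ExecStart=/sbin/ip6tables-restore /var/lib/ip6tables/rules-save
+
+[Install]
+WantedBy=basic.target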
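Review bot: `Before=network.target` does not guarantee the rules are loaded before interfaces come up, because network management services order themselves Before=network.target as well and nothing here orders this unit ahead of them, yet the comment on the line above promises exactly that guarantee. On systemd versions that provide network-pre.target (214 and later, if I recall correctly) the firewall-specific ordering is `Wants=network-pre.target` plus `Before=network-pre.target` in [Unit]. Separately, on a freshly installed system the ebuild only creates /var/lib/ip6tables, so the first restore fails for lack of rules-save; `ConditionPathExists=/var/lib/ip6tables/rules-save` would skip it cleanly until a ruleset has been stored, unless a loud failure is intended, in which case a comment in the unit should say so. iptables-restore.service in this commit has both issues.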
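--- /dev/null
+++ b/net-firewall/iptables/files/systemd/ip6tables-store.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Store ip6tables firewall rules
+Before=shutdown.target
+DefaultDependencies=No
+
+[Service]
+Type=oneshot
+ExecStart=/bin/sh -c "/sbin/ip6tables-save --counters > /var/lib/ip6tables/rules-save"
+
+[Install]
+WantedBy=shutdown.target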
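Review bot: The ruleset is written through a shell redirection, so the mode of a newly created /var/lib/ip6tables/rules-save depends on the service's umask (systemd defaults to 0022), leaving the file world-readable unless the directory already restricts access; a firewall dump describes the host's exposure and any addresses it trusts. Adding `UMask=077` to [Service] keeps a newly created file owner-only, though it does not change the mode of a file that already exists. The redirection also truncates the file before ip6tables-save runs, so a save that fails leaves an empty ruleset to be restored at the next boot; writing to a temporary file in the same directory and renaming it only on success avoids that. iptables-store.service in this commit has the same two issues.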
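--- /dev/null
+++ b/net-firewall/iptables/files/systemd/ip6tables.service
@@ -0,0 +1,6 @@
+[Unit]
+Description=Store and restore ip6tables firewall rules
+
+[Install]
+Also=ip6tables-store.service
+Also=ip6tables-restore.service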
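--- /dev/null
+++ b/net-firewall/iptables/files/systemd/iptables-restore.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Restore iptables firewall rules
+# if both are queued for some reason, don't store before restoring :)
+Before=iptables-store.service
+# sounds reasonable to have firewall up before any of the services go up
+Before=network.target
+Conflicts=shutdown.target
+
+[Service]
+Type=oneshot
+ExecStart=/sbin/iptables-restore /var/lib/iptables/rules-save
+
+[Install]
+WantedBy=basic.target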
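--- /dev/null
+++ b/net-firewall/iptables/files/systemd/iptables-store.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Store iptables firewall rules
+Before=shutdown.target
+DefaultDependencies=No
+
+[Service]
+Type=oneshot
+ExecStart=/bin/sh -c "/sbin/iptables-save --counters > /var/lib/iptables/rules-save"
+
+[Install]
+WantedBy=shutdown.target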
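--- /dev/null
+++ b/net-firewall/iptables/files/systemd/iptables.service
@@ -0,0 +1,6 @@
+[Unit]
+Description=Store and restore iptables firewall rules
+
+[Install]
+Also=iptables-store.service
+Also=iptables-restore.service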
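--- /dev/null
+++ b/net-firewall/iptables/iptables-1.4.21-r99.ebuild
@@ -0,0 +1,94 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-firewall/iptables/iptables-1.4.21-r1.ebuild,v 1.5 2014/06/14 11:52:14 zlogene Exp $
+
+EAPI="5"
+
+# Force users doing their own patches to install their own tools
+AUTOTOOLS_AUTO_DEPEND=no
+
+inherit eutils multilib systemd toolchain-funcs autotools
+
+DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
+HOMEPAGE="http://www.netfilter.org/projects/iptables/"
+SRC_URI="http://www.netfilter.org/projects/iptables/files/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="amd64 arm ~mips x86"
+IUSE="ipv6 netlink static-libs"
+
+RDEPEND="
+ netlink? ( net-libs/libnfnetlink )
+"
+DEPEND="${RDEPEND}
+ virtual/os-headers
+ virtual/pkgconfig
+"
+
+src_prepare() {
+ # use the saner headers from the kernel
+ rm -f include/linux/{kernel,types}.h
+
+ epatch ${FILESDIR}/${P}-musl.patch
+
+ # Only run autotools if user patched something
+ epatch_user && eautoreconf || elibtoolize
+}
+
+src_configure() {
+ # Some libs use $(AR) rather than libtool to build #444282
+ tc-export AR
+
+ sed -i \
+ -e "/nfnetlink=[01]/s:=[01]:=$(usex netlink 1 0):" \
+ configure || die
+
+ econf \
+ --sbindir="${EPREFIX}/sbin" \
+ --libexecdir="${EPREFIX}/$(get_libdir)" \
+ --enable-devel \
+ --enable-shared \
+ $(use_enable static-libs static) \
+ $(use_enable ipv6)
+}
+
+src_compile() {
+ emake V=1
+}
+
+src_install() {
+ default
+ dodoc INCOMPATIBILITIES iptables/iptables.xslt
+
+ # all the iptables binaries are in /sbin, so might as well
+ # put these small files in with them
+ into /
+ dosbin iptables/iptables-apply
+ dosym iptables-apply /sbin/ip6tables-apply
+ doman iptables/iptables-apply.8
+
+ insinto /usr/include
+ doins include/iptables.h $(use ipv6 && echo include/ip6tables.h)
+ insinto /usr/include/iptables
+ doins include/iptables/internal.h
+
+ keepdir /var/lib/iptables
+ newinitd "${FILESDIR}"/${PN}-1.4.13-r1.init iptables
+ newconfd "${FILESDIR}"/${PN}-1.4.13.confd iptables
+ if use ipv6 ; then
+ keepdir /var/lib/ip6tables
+ newinitd "${FILESDIR}"/iptables-1.4.13-r1.init ip6tables
+ newconfd "${FILESDIR}"/ip6tables-1.4.13.confd ip6tables
+ fi
+
+ systemd_dounit "${FILESDIR}"/systemd/iptables{,-{re,}store}.service
+ if use ipv6 ; then
+ systemd_dounit "${FILESDIR}"/systemd/ip6tables{,-{re,}store}.service
+ fi
+
+ # Move important libs to /lib
+ gen_usr_ldscript -a ip{4,6}tc iptc xtables
+
+ prune_libtool_files
+}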
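Review bot: `epatch ${FILESDIR}/${P}-musl.patch` in src_prepare leaves `${FILESDIR}` unquoted, while every other use of it in src_install is written `"${FILESDIR}"/...`; a path containing whitespace would be split into several arguments. Write it as `epatch "${FILESDIR}"/${P}-musl.patch` to match the rest of the file. The `$Header:` line still names iptables-1.4.21-r1.ebuild from gentoo-x86, which is fine as provenance, but a one-line comment above src_prepare stating that this -r99 revision only adds the musl patch on top of that file would tell the next maintainer what to re-sync when the tree ebuild changes.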