| 1 |
commit: 3eb821711cbbb51523315c657855ed175e16b8c8 |
| 2 |
Author: Felix Janda <felix.janda <AT> posteo <DOT> de> |
| 3 |
AuthorDate: Fri Jun 20 16:54:53 2014 +0000 |
| 4 |
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Sat Jun 21 20:49:09 2014 +0000 |
| 6 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=3eb82171 |
| 7 |
|
| 8 |
net-firewall/iptables: bump to 1.4.21 |
| 9 |
|
| 10 |
--- |
| 11 |
.../iptables/files/iptables-1.4.21-musl.patch | 136 +++++++++++++++++++++ |
| 12 |
.../files/systemd/ip6tables-restore.service | 14 +++ |
| 13 |
.../iptables/files/systemd/ip6tables-store.service | 11 ++ |
| 14 |
.../iptables/files/systemd/ip6tables.service | 6 + |
| 15 |
.../files/systemd/iptables-restore.service | 14 +++ |
| 16 |
.../iptables/files/systemd/iptables-store.service | 11 ++ |
| 17 |
.../iptables/files/systemd/iptables.service | 6 + |
| 18 |
net-firewall/iptables/iptables-1.4.21-r99.ebuild | 94 ++++++++++++++ |
| 19 |
8 files changed, 292 insertions(+) |
| 20 |
|
| 21 |
diff --git a/net-firewall/iptables/files/iptables-1.4.21-musl.patch b/net-firewall/iptables/files/iptables-1.4.21-musl.patch |
| 22 |
new file mode 100644 |
| 23 |
index 0000000..286ea87 |
| 24 |
--- /dev/null |
| 25 |
+++ b/net-firewall/iptables/files/iptables-1.4.21-musl.patch |
| 26 |
@@ -0,0 +1,136 @@ |
| 27 |
+diff -ru a/iptables-1.4.21/extensions/libip6t_ipv6header.c b/iptables-1.4.21/extensions/libip6t_ipv6header.c |
| 28 |
+--- a/iptables-1.4.21/extensions/libip6t_ipv6header.c |
| 29 |
++++ b/iptables-1.4.21/extensions/libip6t_ipv6header.c |
| 30 |
+@@ -10,6 +10,9 @@ |
| 31 |
+ #include <netdb.h> |
| 32 |
+ #include <xtables.h> |
| 33 |
+ #include <linux/netfilter_ipv6/ip6t_ipv6header.h> |
| 34 |
++#ifndef IPPROTO_HOPOPTS |
| 35 |
++# define IPPROTO_HOPOPTS 0 |
| 36 |
++#endif |
| 37 |
+ |
| 38 |
+ enum { |
| 39 |
+ O_HEADER = 0, |
| 40 |
+diff -ru a/iptables-1.4.21/extensions/libxt_TCPOPTSTRIP.c b/iptables-1.4.21/extensions/libxt_TCPOPTSTRIP.c |
| 41 |
+--- a/iptables-1.4.21/extensions/libxt_TCPOPTSTRIP.c |
| 42 |
++++ b/iptables-1.4.21/extensions/libxt_TCPOPTSTRIP.c |
| 43 |
+@@ -12,6 +12,21 @@ |
| 44 |
+ #ifndef TCPOPT_MD5SIG |
| 45 |
+ # define TCPOPT_MD5SIG 19 |
| 46 |
+ #endif |
| 47 |
++#ifndef TCPOPT_MAXSEG |
| 48 |
++# define TCPOPT_MAXSEG 2 |
| 49 |
++#endif |
| 50 |
++#ifndef TCPOPT_WINDOW |
| 51 |
++# define TCPOPT_WINDOW 3 |
| 52 |
++#endif |
| 53 |
++#ifndef TCPOPT_SACK_PERMITTED |
| 54 |
++# define TCPOPT_SACK_PERMITTED 4 |
| 55 |
++#endif |
| 56 |
++#ifndef TCPOPT_SACK |
| 57 |
++# define TCPOPT_SACK 5 |
| 58 |
++#endif |
| 59 |
++#ifndef TCPOPT_TIMESTAMP |
| 60 |
++# define TCPOPT_TIMESTAMP 8 |
| 61 |
++#endif |
| 62 |
+ |
| 63 |
+ enum { |
| 64 |
+ O_STRIP_OPTION = 0, |
| 65 |
+diff -ru a/iptables-1.4.21/include/libiptc/ipt_kernel_headers.h b/iptables-1.4.21/include/libiptc/ipt_kernel_headers.h |
| 66 |
+--- a/iptables-1.4.21/include/libiptc/ipt_kernel_headers.h |
| 67 |
++++ b/iptables-1.4.21/include/libiptc/ipt_kernel_headers.h |
| 68 |
+@@ -5,7 +5,6 @@ |
| 69 |
+ |
| 70 |
+ #include <limits.h> |
| 71 |
+ |
| 72 |
+-#if defined(__GLIBC__) && __GLIBC__ == 2 |
| 73 |
+ #include <netinet/ip.h> |
| 74 |
+ #include <netinet/in.h> |
| 75 |
+ #include <netinet/ip_icmp.h> |
| 76 |
+@@ -13,15 +12,4 @@ |
| 77 |
+ #include <netinet/udp.h> |
| 78 |
+ #include <net/if.h> |
| 79 |
+ #include <sys/types.h> |
| 80 |
+-#else /* libc5 */ |
| 81 |
+-#include <sys/socket.h> |
| 82 |
+-#include <linux/ip.h> |
| 83 |
+-#include <linux/in.h> |
| 84 |
+-#include <linux/if.h> |
| 85 |
+-#include <linux/icmp.h> |
| 86 |
+-#include <linux/tcp.h> |
| 87 |
+-#include <linux/udp.h> |
| 88 |
+-#include <linux/types.h> |
| 89 |
+-#include <linux/in6.h> |
| 90 |
+-#endif |
| 91 |
+ #endif |
| 92 |
+diff -ru a/iptables-1.4.21/include/linux/netfilter_ipv4/ip_tables.h b/iptables-1.4.21/include/linux/netfilter_ipv4/ip_tables.h |
| 93 |
+--- a/iptables-1.4.21/include/linux/netfilter_ipv4/ip_tables.h |
| 94 |
++++ b/iptables-1.4.21/include/linux/netfilter_ipv4/ip_tables.h |
| 95 |
+@@ -16,6 +16,7 @@ |
| 96 |
+ #define _IPTABLES_H |
| 97 |
+ |
| 98 |
+ #include <linux/types.h> |
| 99 |
++#include <sys/types.h> |
| 100 |
+ |
| 101 |
+ #include <linux/netfilter_ipv4.h> |
| 102 |
+ |
| 103 |
+diff -ru a/iptables-1.4.21/iptables/ip6tables-restore.c b/iptables-1.4.21/iptables/ip6tables-restore.c |
| 104 |
+--- a/iptables-1.4.21/iptables/ip6tables-restore.c |
| 105 |
++++ b/iptables-1.4.21/iptables/ip6tables-restore.c |
| 106 |
+@@ -9,7 +9,7 @@ |
| 107 |
+ */ |
| 108 |
+ |
| 109 |
+ #include <getopt.h> |
| 110 |
+-#include <sys/errno.h> |
| 111 |
++#include <errno.h> |
| 112 |
+ #include <stdbool.h> |
| 113 |
+ #include <string.h> |
| 114 |
+ #include <stdio.h> |
| 115 |
+diff -ru a/iptables-1.4.21/iptables/ip6tables-save.c b/iptables-1.4.21/iptables/ip6tables-save.c |
| 116 |
+--- a/iptables-1.4.21/iptables/ip6tables-save.c |
| 117 |
++++ b/iptables-1.4.21/iptables/ip6tables-save.c |
| 118 |
+@@ -6,7 +6,7 @@ |
| 119 |
+ * This code is distributed under the terms of GNU GPL v2 |
| 120 |
+ */ |
| 121 |
+ #include <getopt.h> |
| 122 |
+-#include <sys/errno.h> |
| 123 |
++#include <errno.h> |
| 124 |
+ #include <stdio.h> |
| 125 |
+ #include <fcntl.h> |
| 126 |
+ #include <stdlib.h> |
| 127 |
+diff -ru a/iptables-1.4.21/iptables/iptables-restore.c b/iptables-1.4.21/iptables/iptables-restore.c |
| 128 |
+--- a/iptables-1.4.21/iptables/iptables-restore.c |
| 129 |
++++ b/iptables-1.4.21/iptables/iptables-restore.c |
| 130 |
+@@ -6,7 +6,7 @@ |
| 131 |
+ */ |
| 132 |
+ |
| 133 |
+ #include <getopt.h> |
| 134 |
+-#include <sys/errno.h> |
| 135 |
++#include <errno.h> |
| 136 |
+ #include <stdbool.h> |
| 137 |
+ #include <string.h> |
| 138 |
+ #include <stdio.h> |
| 139 |
+diff -ru a/iptables-1.4.21/iptables/iptables-save.c b/iptables-1.4.21/iptables/iptables-save.c |
| 140 |
+--- a/iptables-1.4.21/iptables/iptables-save.c |
| 141 |
++++ b/iptables-1.4.21/iptables/iptables-save.c |
| 142 |
+@@ -6,7 +6,7 @@ |
| 143 |
+ * |
| 144 |
+ */ |
| 145 |
+ #include <getopt.h> |
| 146 |
+-#include <sys/errno.h> |
| 147 |
++#include <errno.h> |
| 148 |
+ #include <stdio.h> |
| 149 |
+ #include <fcntl.h> |
| 150 |
+ #include <stdlib.h> |
| 151 |
+diff -ru a/iptables-1.4.21/iptables/iptables-xml.c b/iptables-1.4.21/iptables/iptables-xml.c |
| 152 |
+--- a/iptables-1.4.21/iptables/iptables-xml.c |
| 153 |
++++ b/iptables-1.4.21/iptables/iptables-xml.c |
| 154 |
+@@ -7,7 +7,7 @@ |
| 155 |
+ */ |
| 156 |
+ |
| 157 |
+ #include <getopt.h> |
| 158 |
+-#include <sys/errno.h> |
| 159 |
++#include <errno.h> |
| 160 |
+ #include <string.h> |
| 161 |
+ #include <stdio.h> |
| 162 |
+ #include <stdlib.h> |
| 163 |
|
| 164 |
diff --git a/net-firewall/iptables/files/systemd/ip6tables-restore.service b/net-firewall/iptables/files/systemd/ip6tables-restore.service |
| 165 |
new file mode 100644 |
| 166 |
index 0000000..88415fa |
| 167 |
--- /dev/null |
| 168 |
+++ b/net-firewall/iptables/files/systemd/ip6tables-restore.service |
| 169 |
@@ -0,0 +1,14 @@ |
| 170 |
+[Unit] |
| 171 |
+Description=Restore ip6tables firewall rules |
| 172 |
+# if both are queued for some reason, don't store before restoring :) |
| 173 |
+Before=ip6tables-store.service |
| 174 |
+# sounds reasonable to have firewall up before any of the services go up |
| 175 |
+Before=network.target |
| 176 |
+Conflicts=shutdown.target |
| 177 |
+ |
| 178 |
+[Service] |
| 179 |
+Type=oneshot |
| 180 |
+ExecStart=/sbin/ip6tables-restore /var/lib/ip6tables/rules-save |
| 181 |
+ |
| 182 |
+[Install] |
| 183 |
+WantedBy=basic.target |
| 184 |
|
| 185 |
diff --git a/net-firewall/iptables/files/systemd/ip6tables-store.service b/net-firewall/iptables/files/systemd/ip6tables-store.service |
| 186 |
new file mode 100644 |
| 187 |
index 0000000..9975378 |
| 188 |
--- /dev/null |
| 189 |
+++ b/net-firewall/iptables/files/systemd/ip6tables-store.service |
| 190 |
@@ -0,0 +1,11 @@ |
| 191 |
+[Unit] |
| 192 |
+Description=Store ip6tables firewall rules |
| 193 |
+Before=shutdown.target |
| 194 |
+DefaultDependencies=No |
| 195 |
+ |
| 196 |
+[Service] |
| 197 |
+Type=oneshot |
| 198 |
+ExecStart=/bin/sh -c "/sbin/ip6tables-save --counters > /var/lib/ip6tables/rules-save" |
| 199 |
+ |
| 200 |
+[Install] |
| 201 |
+WantedBy=shutdown.target |
| 202 |
|
| 203 |
diff --git a/net-firewall/iptables/files/systemd/ip6tables.service b/net-firewall/iptables/files/systemd/ip6tables.service |
| 204 |
new file mode 100644 |
| 205 |
index 0000000..0a6d7fa |
| 206 |
--- /dev/null |
| 207 |
+++ b/net-firewall/iptables/files/systemd/ip6tables.service |
| 208 |
@@ -0,0 +1,6 @@ |
| 209 |
+[Unit] |
| 210 |
+Description=Store and restore ip6tables firewall rules |
| 211 |
+ |
| 212 |
+[Install] |
| 213 |
+Also=ip6tables-store.service |
| 214 |
+Also=ip6tables-restore.service |
| 215 |
|
| 216 |
diff --git a/net-firewall/iptables/files/systemd/iptables-restore.service b/net-firewall/iptables/files/systemd/iptables-restore.service |
| 217 |
new file mode 100644 |
| 218 |
index 0000000..9d568d7 |
| 219 |
--- /dev/null |
| 220 |
+++ b/net-firewall/iptables/files/systemd/iptables-restore.service |
| 221 |
@@ -0,0 +1,14 @@ |
| 222 |
+[Unit] |
| 223 |
+Description=Restore iptables firewall rules |
| 224 |
+# if both are queued for some reason, don't store before restoring :) |
| 225 |
+Before=iptables-store.service |
| 226 |
+# sounds reasonable to have firewall up before any of the services go up |
| 227 |
+Before=network.target |
| 228 |
+Conflicts=shutdown.target |
| 229 |
+ |
| 230 |
+[Service] |
| 231 |
+Type=oneshot |
| 232 |
+ExecStart=/sbin/iptables-restore /var/lib/iptables/rules-save |
| 233 |
+ |
| 234 |
+[Install] |
| 235 |
+WantedBy=basic.target |
| 236 |
|
| 237 |
diff --git a/net-firewall/iptables/files/systemd/iptables-store.service b/net-firewall/iptables/files/systemd/iptables-store.service |
| 238 |
new file mode 100644 |
| 239 |
index 0000000..aa16e75 |
| 240 |
--- /dev/null |
| 241 |
+++ b/net-firewall/iptables/files/systemd/iptables-store.service |
| 242 |
@@ -0,0 +1,11 @@ |
| 243 |
+[Unit] |
| 244 |
+Description=Store iptables firewall rules |
| 245 |
+Before=shutdown.target |
| 246 |
+DefaultDependencies=No |
| 247 |
+ |
| 248 |
+[Service] |
| 249 |
+Type=oneshot |
| 250 |
+ExecStart=/bin/sh -c "/sbin/iptables-save --counters > /var/lib/iptables/rules-save" |
| 251 |
+ |
| 252 |
+[Install] |
| 253 |
+WantedBy=shutdown.target |
| 254 |
|
| 255 |
diff --git a/net-firewall/iptables/files/systemd/iptables.service b/net-firewall/iptables/files/systemd/iptables.service |
| 256 |
new file mode 100644 |
| 257 |
index 0000000..3643a3e |
| 258 |
--- /dev/null |
| 259 |
+++ b/net-firewall/iptables/files/systemd/iptables.service |
| 260 |
@@ -0,0 +1,6 @@ |
| 261 |
+[Unit] |
| 262 |
+Description=Store and restore iptables firewall rules |
| 263 |
+ |
| 264 |
+[Install] |
| 265 |
+Also=iptables-store.service |
| 266 |
+Also=iptables-restore.service |
| 267 |
|
| 268 |
diff --git a/net-firewall/iptables/iptables-1.4.21-r99.ebuild b/net-firewall/iptables/iptables-1.4.21-r99.ebuild |
| 269 |
new file mode 100644 |
| 270 |
index 0000000..541cc61 |
| 271 |
--- /dev/null |
| 272 |
+++ b/net-firewall/iptables/iptables-1.4.21-r99.ebuild |
| 273 |
@@ -0,0 +1,94 @@ |
| 274 |
+# Copyright 1999-2014 Gentoo Foundation |
| 275 |
+# Distributed under the terms of the GNU General Public License v2 |
| 276 |
+# $Header: /var/cvsroot/gentoo-x86/net-firewall/iptables/iptables-1.4.21-r1.ebuild,v 1.5 2014/06/14 11:52:14 zlogene Exp $ |
| 277 |
+ |
| 278 |
+EAPI="5" |
| 279 |
+ |
| 280 |
+# Force users doing their own patches to install their own tools |
| 281 |
+AUTOTOOLS_AUTO_DEPEND=no |
| 282 |
+ |
| 283 |
+inherit eutils multilib systemd toolchain-funcs autotools |
| 284 |
+ |
| 285 |
+DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools" |
| 286 |
+HOMEPAGE="http://www.netfilter.org/projects/iptables/" |
| 287 |
+SRC_URI="http://www.netfilter.org/projects/iptables/files/${P}.tar.bz2" |
| 288 |
+ |
| 289 |
+LICENSE="GPL-2" |
| 290 |
+SLOT="0" |
| 291 |
+KEYWORDS="amd64 arm ~mips x86" |
| 292 |
+IUSE="ipv6 netlink static-libs" |
| 293 |
+ |
| 294 |
+RDEPEND=" |
| 295 |
+ netlink? ( net-libs/libnfnetlink ) |
| 296 |
+" |
| 297 |
+DEPEND="${RDEPEND} |
| 298 |
+ virtual/os-headers |
| 299 |
+ virtual/pkgconfig |
| 300 |
+" |
| 301 |
+ |
| 302 |
+src_prepare() { |
| 303 |
+ # use the saner headers from the kernel |
| 304 |
+ rm -f include/linux/{kernel,types}.h |
| 305 |
+ |
| 306 |
+ epatch ${FILESDIR}/${P}-musl.patch |
| 307 |
+ |
| 308 |
+ # Only run autotools if user patched something |
| 309 |
+ epatch_user && eautoreconf || elibtoolize |
| 310 |
+} |
| 311 |
+ |
| 312 |
+src_configure() { |
| 313 |
+ # Some libs use $(AR) rather than libtool to build #444282 |
| 314 |
+ tc-export AR |
| 315 |
+ |
| 316 |
+ sed -i \ |
| 317 |
+ -e "/nfnetlink=[01]/s:=[01]:=$(usex netlink 1 0):" \ |
| 318 |
+ configure || die |
| 319 |
+ |
| 320 |
+ econf \ |
| 321 |
+ --sbindir="${EPREFIX}/sbin" \ |
| 322 |
+ --libexecdir="${EPREFIX}/$(get_libdir)" \ |
| 323 |
+ --enable-devel \ |
| 324 |
+ --enable-shared \ |
| 325 |
+ $(use_enable static-libs static) \ |
| 326 |
+ $(use_enable ipv6) |
| 327 |
+} |
| 328 |
+ |
| 329 |
+src_compile() { |
| 330 |
+ emake V=1 |
| 331 |
+} |
| 332 |
+ |
| 333 |
+src_install() { |
| 334 |
+ default |
| 335 |
+ dodoc INCOMPATIBILITIES iptables/iptables.xslt |
| 336 |
+ |
| 337 |
+ # all the iptables binaries are in /sbin, so might as well |
| 338 |
+ # put these small files in with them |
| 339 |
+ into / |
| 340 |
+ dosbin iptables/iptables-apply |
| 341 |
+ dosym iptables-apply /sbin/ip6tables-apply |
| 342 |
+ doman iptables/iptables-apply.8 |
| 343 |
+ |
| 344 |
+ insinto /usr/include |
| 345 |
+ doins include/iptables.h $(use ipv6 && echo include/ip6tables.h) |
| 346 |
+ insinto /usr/include/iptables |
| 347 |
+ doins include/iptables/internal.h |
| 348 |
+ |
| 349 |
+ keepdir /var/lib/iptables |
| 350 |
+ newinitd "${FILESDIR}"/${PN}-1.4.13-r1.init iptables |
| 351 |
+ newconfd "${FILESDIR}"/${PN}-1.4.13.confd iptables |
| 352 |
+ if use ipv6 ; then |
| 353 |
+ keepdir /var/lib/ip6tables |
| 354 |
+ newinitd "${FILESDIR}"/iptables-1.4.13-r1.init ip6tables |
| 355 |
+ newconfd "${FILESDIR}"/ip6tables-1.4.13.confd ip6tables |
| 356 |
+ fi |
| 357 |
+ |
| 358 |
+ systemd_dounit "${FILESDIR}"/systemd/iptables{,-{re,}store}.service |
| 359 |
+ if use ipv6 ; then |
| 360 |
+ systemd_dounit "${FILESDIR}"/systemd/ip6tables{,-{re,}store}.service |
| 361 |
+ fi |
| 362 |
+ |
| 363 |
+ # Move important libs to /lib |
| 364 |
+ gen_usr_ldscript -a ip{4,6}tc iptc xtables |
| 365 |
+ |
| 366 |
+ prune_libtool_files |
| 367 |
+} |
Archives