author | Stuart Shelton <stuart@shelton.me> | 2015-11-07 11:14:43 +0000 |
---|---|---|
committer | Stuart Shelton <stuart@shelton.me> | 2015-11-07 11:14:43 +0000 |
commit | 490bb94ac10c0ab00d88abf03d909a146b83cefc (patch) | |
tree | b305e6ded9bfd007692ea0ca6b09686d2feae95b /net-firewall | |
parent | Update dev-lang/php-5.5.30, dev-lang/php-5.6.14 (diff) | |
Add net-firewall/iptables-nftables-1.4.21-r3
Diffstat (limited to 'net-firewall')
5 files changed, 368 insertions, 0 deletions
diff --git a/net-firewall/iptables-nftables/Manifest b/net-firewall/iptables-nftables/Manifest
index afec2665..e08f38cc 100644
--- a/net-firewall/iptables-nftables/Manifest
+++ b/net-firewall/iptables-nftables/Manifest
@@ -1,6 +1,9 @@
 AUX ip6tables-1.4.13.confd 690 SHA256 2938fe4206514d9868047bd8f888a699fa2097ca69edab176453436d4259abaa SHA512 8de9a5de4061bef217fbc07577688a8110f1116af7f3b936dfd18100a6a7a47ec6e70c456b24cf3432fb4f2034b741a487fe6af8d9740f174d51c6eb16945c6e WHIRLPOOL f2f4903812b5b97d5bdf9cb28f0bcb6f8c866f197b46a9128530721a8d9db1cdcedffe2512c9235391a67f494c2daf1266d7bc8a6185949756437221c3861a10
 AUX iptables-1.4.13-r1.init 3105 SHA256 3ddf8418a36b69aa2ab6ecc9321e794e734bf97830c0757ce2b97320787df33e SHA512 5a974e9e7378dcaf4f3c0ebac45c18bd8e6cd0ebf37b9a711ac3dd3ad4f5454395d8698309efcbe49dbd85a4f8be06bdb4989bfa84f9aab86891990e42e9f0f4 WHIRLPOOL c36466eaa01298570423503030e0f887369ab407ee3346336a8b99662fd4726f57cd69b0a7f188d59bfb1c7278f6bce35e06188ffaa7b05213b880d94746bd2c
 AUX iptables-1.4.13.confd 687 SHA256 7e2341211ca14997b7a8a1f930f94db855291af597c568f680f80031c20d45b6 SHA512 bd67d53e997ea65755148ba071fe6e3856d6e604b9167c666900721bc3dc24f63d395bc33a1a34ae50f95e72760da630db1a8d35afc81ec5973e60ba5343dc70 WHIRLPOOL 111b809b3122b04cce8ac0e551cfcdec7fde1ad563e1001bbbb3dbb4cae0ddf13851ece1024e13fb26aab2fe306dfc4fd9e59ab5a10127b301bc7a65ec20486b
+AUX iptables-1.4.21-configure.patch 1066 SHA256 73454c278b48fae5debcdb72ada8f2d60a36b5134cb1052b1a332b83169cbdc0 SHA512 45445d1460072ed19ba617be983be82094fdd0535a25de4f6159173de4a08be9bee9da13c7aeea419291beb92402ca25efba3a0e269510e221f7eacc8bcd5176 WHIRLPOOL 55c56c9e0711409c54b8635dc9b480be885c852b60ac336a32b3a48586c85ba5b7b9a0b4d2d427f7d646dfdc4d49c9fe6957ed39eac5cdd7de3526249f99e6ed
+AUX iptables-1.4.21-static-connlabel-config.patch 2195 SHA256 e03de480a940b0ac386bba2ec681f724ba39f5e53153398e061f2d74ae491c49 SHA512 d838773bf2db9f97548d2f7eaab0ce3205265a7ec8b274df479fcecb474ba09ed061abae50534c0379a1290479c2e94927595eca0f4570b27744ec165348b6b1 WHIRLPOOL c1b79bb8e9a915d27940b443c564d0d00ccbd31728b8519bd18a6957ca7085c19dd09592d94a4aecee48102303a000130eba85710ad1de1533ef783ef1c28811
+AUX iptables.init 3029 SHA256 ed7831666a3b5c392a85db7bd6368cf5d1fa862c253e5f5fd3368a4517cdefa9 SHA512 c48b44e6f607166008ef46355f89480cdb625a820b04200a85126a138d15409e5cf37d34213e7ee6ef2fd7febb585c41ed26402e98bed17560f47a30a4c3688a WHIRLPOOL 8b73bcc40db23c6b1eedc2efe927ea82be8bb4b46652e7a2fa58ab9a0e98c978b0fb0fab3b1fef7d80904ce7b872255676f600300a73967987bee93f1b5ce836
 AUX systemd/ip6tables-restore.service 395 SHA256 679ba8327bf037e991ff07d8cf910009c67026b0faf8112d75c945b64f4b64de SHA512 e41f7bc55b2b58452b993ccb42014b5bc2701aeeef46eee845a2b016b334299ff4e6d11ba22f3aaff47195f1049dc7fd4be41a7055911420230107b1ee4c6ba3 WHIRLPOOL 232d90f8591358fe853c8c4b569b2825ba02ced59d390232a7f7fb535e3bfbbcb70972938506cbead5e6b57845310f5a91c1fd225898f185cffb96ba7d4d97f3
 AUX systemd/ip6tables-store.service 243 SHA256 ce93fc2ba81f7693877479ddc75cdec94627c302a140bd27ff30656fad78e72b SHA512 7cee224f91d4c8348606ba176d0d689749a59229958cfdf4e75451d77271363e7cff71dbb7e30dbc4a5a837363a72d70d6960d2dfb218f3ad16456ae109cba10 WHIRLPOOL d84687a142843fa9cd930171e817652afb22b950214349ca156ba6da174312989973d17fed04cd129c18d4d6fbd5ad3124b9afa0d105d128333248c90fdb4ca6
 AUX systemd/ip6tables.service 133 SHA256 1b8d342ffdf471ef25e365dacf106e1899b438dad4bf9154cfad2d5217c3a019 SHA512 f871e694a8c666a59840c4c7ae1f355dc47f481501b3472601b65460c1d6e163a7e33f7a6c42a84ac33131ddb96170b316e83507a43f1ede54d61446f81950dc WHIRLPOOL 24140e7398cfa494210b8d3b773bdca5ee1abbbdb29c2921e84ff025848e26844b5c20fadefa9b961ce14564ce8daa9b8e9f197b7d7ec70c26bb6609b74b10d0
@@ -8,3 +11,4 @@ AUX systemd/iptables-restore.service 391 SHA256 ace3b2085700bde96f0597e8c6f3b852
 AUX systemd/iptables-store.service 240 SHA256 14965fd0f3cd4285e77ea1e3d9975a818b0d64fb0026b925d8434896b2cbf839 SHA512 a720e92b5571a2c3427101105e95e555f3b72541a53c5daa43e361c99ca28830e9e8dd27dbd7cfed40fbbe289ed180f9be7e0f3b6b0cd19bba022a531815fd5e WHIRLPOOL e3a5b77b2c19ad8445a21cc9c8680c2d632d968483357221fac1c309275bd17aa25c05cf23188d5ae644d5b1266c64b3dd5fe8fbdec9f2a439a212c3d1c767db
 AUX systemd/iptables.service 130 SHA256 c404c54c98521817aca75b96774a24684e0c7ed2fc8de2ced78f4ae4d8a6b99d SHA512 87114ccc7eb079d1ed43d77be35cf4c91702ca960883a4bbca5dfcf74aa6f086e44f4a4251441ac3a277c93eb10e7482157caf2d62bbf2a7f5327947ede25bef WHIRLPOOL 844296866dfe2fe6b1207c99d2f938f4c87a37592e95576f9504fe056fe82fc29878b9aa1a204fa31d6711fbe7ba5cd48f7a639e4839bbe366e6220246a0d3c3
 EBUILD iptables-nftables-1.4.21-r1.ebuild 2848 SHA256 69eafd2e4492103fe0d77577d3bda56b5702d841375aaacfe3757a0926d8bef1 SHA512 963457133a1ddf5dae0bae0f161b19c157b6981294d9934b4d2b6749b676d0890ac288641b053f9cf09c208eb515ac2c2ea3a3518ca42b5d170441adc4b03fd2 WHIRLPOOL 68491592b2265057f143b9606da842a9490253534c219d0243be05b68a4fd42bb8555f519b6620cddbc5251e73474a6f3146ca706d5ec87ea49f8f4d416847df
+EBUILD iptables-nftables-1.4.21-r3.ebuild 3280 SHA256 d8f18059fa66828acdf60df5537a156bd5162c7a52e406c8fe63a4263fa03869 SHA512 461298913f0ccdcf3ef38e0b4fd01f267996b68a957f517d87a84536b57cf836441904cd749fbeb1fc8f0a65b854358a0b0b6cc49d36d51deca9516f59ad6c28 WHIRLPOOL bb326dbcd090b2bc84da71ef555b56da0a23fb17365653b4e4723e0ca8128501ae30150120ab1d43bc42644bafe44d8db4eae80f9231a06c13a023bce72d3132
diff --git a/net-firewall/iptables-nftables/files/iptables-1.4.21-configure.patch b/net-firewall/iptables-nftables/files/iptables-1.4.21-configure.patch
new file mode 100644
index 00000000..e827885f
--- /dev/null
+++ b/net-firewall/iptables-nftables/files/iptables-1.4.21-configure.patch
@@ -0,0 +1,34 @@
+https://bugs.gentoo.org/557586
+
+From b24e59fba39120bfdb9e521bbd0af8f33a60466e Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier@gentoo.org>
+Date: Sat, 15 Aug 2015 14:12:39 -0400
+Subject: [PATCH] configure: fix 3rd arg w/AC_ARG_ENABLE
+
+The 3rd arg is used when --{enable,disable}-foo are passed in, not when
+the feature is enabled. Use the existing $enableval instead.
+
+Signed-off-by: Mike Frysinger <vapier@gentoo.org>
+---
+ configure.ac | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/configure
++++ b/configure
+@@ -11898,14 +11898,14 @@ fi
+
+ # Check whether --enable-bpf-compiler was given.
+ if test "${enable_bpf_compiler+set}" = set; then :
+- enableval=$enable_bpf_compiler; enable_bpfc="yes"
++ enableval=$enable_bpf_compiler; enable_bpfc="$enableval"
+ else
+ enable_bpfc="no"
+ fi
+
+ # Check whether --enable-nfsynproxy was given.
+ if test "${enable_nfsynproxy+set}" = set; then :
+- enableval=$enable_nfsynproxy; enable_nfsynproxy="yes"
++ enableval=$enable_nfsynproxy; enable_nfsynproxy="$enableval"
+ else
+ enable_nfsynproxy="no"
+ fi
diff --git a/net-firewall/iptables-nftables/files/iptables-1.4.21-static-connlabel-config.patch b/net-firewall/iptables-nftables/files/iptables-1.4.21-static-connlabel-config.patch
new file mode 100644
index 00000000..a4183d6d
--- /dev/null
+++ b/net-firewall/iptables-nftables/files/iptables-1.4.21-static-connlabel-config.patch
@@ -0,0 +1,77 @@
+https://bugs.gentoo.org/558234
+http://git.netfilter.org/iptables/commit/?id=825fbda5482a7d5ec5a6619c81fe07ff865c7d6e
+
+From 825fbda5482a7d5ec5a6619c81fe07ff865c7d6e Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Fri, 5 Sep 2014 20:45:56 +0200
+Subject: [PATCH] extensions: libxt_connlabel: do not open config file from
+ _init hook
+
+else, static builds will print this for every iptables invocation,
+even 'iptables -L'. Delay open until we need to translate a mapping.
+
+Reported-by: Thomas De Schampheleire <patrickdepinguin@gmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+---
+ extensions/libxt_connlabel.c | 27 ++++++++++++++++++++-------
+ 1 file changed, 20 insertions(+), 7 deletions(-)
+
+diff --git a/extensions/libxt_connlabel.c b/extensions/libxt_connlabel.c
+index c84a167..1f83095 100644
+--- a/extensions/libxt_connlabel.c
++++ b/extensions/libxt_connlabel.c
+@@ -29,11 +29,26 @@ static const struct xt_option_entry connlabel_mt_opts[] = {
+ XTOPT_TABLEEND,
+ };
+
++/* cannot do this via _init, else static builds might spew error message
++ * for every iptables invocation.
++ */
++static void connlabel_open(void)
++{
++ if (map)
++ return;
++
++ map = nfct_labelmap_new(NULL);
++ if (!map && errno)
++ xtables_error(RESOURCE_PROBLEM, "cannot open connlabel.conf: %s\n",
++ strerror(errno));
++}
++
+ static void connlabel_mt_parse(struct xt_option_call *cb)
+ {
+ struct xt_connlabel_mtinfo *info = cb->data;
+ int tmp;
+
++ connlabel_open();
+ xtables_option_parse(cb);
+
+ switch (cb->entry->id) {
+@@ -54,7 +69,11 @@ static void connlabel_mt_parse(struct xt_option_call *cb)
+
+ static const char *connlabel_get_name(int b)
+ {
+- const char *name = nfct_labelmap_get_name(map, b);
++ const char *name;
++
++ connlabel_open();
++
++ name = nfct_labelmap_get_name(map, b);
+ if (name && strcmp(name, ""))
+ return name;
+ return NULL;
+@@ -114,11 +133,5 @@ static struct xtables_match connlabel_mt_reg = {
+
+ void _init(void)
+ {
+- map = nfct_labelmap_new(NULL);
+- if (!map) {
+- fprintf(stderr, "cannot open connlabel.conf, not registering '%s' match: %s\n",
+- connlabel_mt_reg.name, strerror(errno));
+- return;
+- }
+ xtables_register_match(&connlabel_mt_reg);
+ }
+--
+2.4.4
+
diff --git a/net-firewall/iptables-nftables/files/iptables.init b/net-firewall/iptables-nftables/files/iptables.init
new file mode 100755
index 00000000..5a030d52
--- /dev/null
+++ b/net-firewall/iptables-nftables/files/iptables.init
@@ -0,0 +1,135 @@
+#!/sbin/runscript
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id: f396ea2ef148bafdb609cc4fe8986e6203d2f747 $
+
+extra_commands="check save panic"
+extra_started_commands="reload"
+
+iptables_name=${SVCNAME}
+case ${iptables_name} in
+iptables|ip6tables) ;;
+*) iptables_name="iptables" ;;
+esac
+
+iptables_bin="/sbin/${iptables_name}"
+case ${iptables_name} in
+ iptables) iptables_proc="/proc/net/ip_tables_names"
+ iptables_save=${IPTABLES_SAVE};;
+ ip6tables) iptables_proc="/proc/net/ip6_tables_names"
+ iptables_save=${IP6TABLES_SAVE};;
+esac
+
+depend() {
+ need localmount #434774
+ before net
+}
+
+set_table_policy() {
+ local chains table=$1 policy=$2
+ case ${table} in
+ nat) chains="PREROUTING POSTROUTING OUTPUT";;
+ mangle) chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING";;
+ filter) chains="INPUT FORWARD OUTPUT";;
+ *) chains="";;
+ esac
+ local chain
+ for chain in ${chains} ; do
+ ${iptables_bin} -w -t ${table} -P ${chain} ${policy}
+ done
+}
+
+checkkernel() {
+ if [ ! -e ${iptables_proc} ] ; then
+ eerror "Your kernel lacks ${iptables_name} support, please load"
+ eerror "appropriate modules and try again."
+ return 1
+ fi
+ return 0
+}
+checkconfig() {
+ if [ ! -f ${iptables_save} ] ; then
+ eerror "Not starting ${iptables_name}. First create some rules then run:"
+ eerror "/etc/init.d/${iptables_name} save"
+ return 1
+ fi
+ return 0
+}
+
+start() {
+ checkconfig || return 1
+ if [[ -x /sbin/setsystz ]] && grep -i " time " "${iptables_save}" >/dev/null 2>&1; then
+ ebegin "Setting kernel timezone (for -m TIME rules)"
+ /sbin/setsystz
+ eend $? "setsystz failed"
+ fi
+ ebegin "Loading ${iptables_name} state and starting firewall"
+ ${iptables_bin}-restore ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
+ eend $?
+}
+
+stop() {
+ if [ "${SAVE_ON_STOP}" = "yes" ] ; then
+ save || return 1
+ fi
+ checkkernel || return 1
+ ebegin "Stopping firewall"
+ local a
+ for a in $(cat ${iptables_proc}) ; do
+ set_table_policy $a ACCEPT
+
+ ${iptables_bin} -w -F -t $a
+ ${iptables_bin} -w -X -t $a
+ done
+ eend $?
+}
+
+reload() {
+ checkkernel || return 1
+ checkrules || return 1
+ ebegin "Flushing firewall"
+ local a
+ for a in $(cat ${iptables_proc}) ; do
+ ${iptables_bin} -w -F -t $a
+ ${iptables_bin} -w -X -t $a
+ done
+ eend $?
+
+ start
+}
+
+checkrules() {
+ ebegin "Checking rules"
+ ${iptables_bin}-restore --test ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
+ eend $?
+}
+
+check() {
+ # Short name for users of init.d script.
+ checkrules
+}
+
+save() {
+ ebegin "Saving ${iptables_name} state"
+ checkpath -q -d "$(dirname "${iptables_save}")"
+ checkpath -q -m 0600 -f "${iptables_save}"
+ ${iptables_bin}-save ${SAVE_RESTORE_OPTIONS} > "${iptables_save}"
+ eend $?
+}
+
+panic() {
+ checkkernel || return 1
+ if service_started ${iptables_name}; then
+ rc-service ${iptables_name} stop
+ fi
+
+ local a
+ ebegin "Dropping all packets"
+ for a in $(cat ${iptables_proc}) ; do
+ ${iptables_bin} -w -F -t $a
+ ${iptables_bin} -w -X -t $a
+
+ set_table_policy $a DROP
+ done
+ eend $?
+}
diff --git a/net-firewall/iptables-nftables/iptables-nftables-1.4.21-r3.ebuild b/net-firewall/iptables-nftables/iptables-nftables-1.4.21-r3.ebuild
new file mode 100644
index 00000000..b28d7b04
--- /dev/null
+++ b/net-firewall/iptables-nftables/iptables-nftables-1.4.21-r3.ebuild
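Review bot: `start()` feeds the saved file to `${iptables_bin}-restore` after only `checkconfig`, while `reload()` runs `checkrules` first; a saved file that is rejected partway through can leave some tables loaded and others untouched, with only the final exit status reported by `eend`. Adding `checkrules || return 1` right after `checkconfig || return 1` in `start()` gives both entry points the same dry run before any rule is applied. In `stop()`, `reload()` and `panic()` the `eend $?` after each `for` loop only sees the last `${iptables_bin} -w -X -t $a`, so a failed flush or policy change on an earlier table is reported as success; collecting a status inside the loop, e.g. `${iptables_bin} -w -X -t $a || rc=1`, and ending with `eend ${rc:-0}` would surface it. `panic()` also delegates to `rc-service ${iptables_name} stop`, which sets every policy to ACCEPT and flushes before the DROP policies are applied, so a comment on that line explaining the brief open window would help operators who call `panic` under pressure.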
@@ -0,0 +1,118 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id: ef4eb78c92d7f88400535ae1a4077879110157f0 $
+
+EAPI="5"
+
+# Force users doing their own patches to install their own tools
+AUTOTOOLS_AUTO_DEPEND=no
+
+inherit autotools eutils flag-o-matic git-r3 multilib systemd toolchain-funcs
+
+REPO="iptables"
+BRANCH="master"
+COMMIT="03091e55a0d949e35a723dadbd6fd0f78ddf3a8c"
+
+DESCRIPTION="Linux kernel (3.13+) firewall, NAT and packet mangling tools, with nftables compatibility"
+HOMEPAGE="http://www.netfilter.org/projects/nftables/"
+EGIT_REPO_URI="git://git.netfilter.org/${REPO}.git"
+#EGIT_BRANCH="${BRANCH}"
+EGIT_COMMIT="${COMMIT}"
+
+LICENSE="GPL-2"
+# Subslot tracks libxtables as that's the one other packages generally link
+# against and iptables changes. Will have to revisit if other sonames change.
+SLOT="0/10"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
+IUSE="conntrack ipv6 netlink pcap static-libs systemd"
+
+RDEPEND="
+ conntrack? ( net-libs/libnetfilter_conntrack )
+ netlink? ( net-libs/libnfnetlink )
+ pcap? ( net-libs/libpcap )
+"
+DEPEND="${RDEPEND}
+ virtual/os-headers
+ virtual/pkgconfig
+ net-libs/libnftnl
+ !net-firewall/iptables
+"
+
+src_prepare() {
+ # use the saner headers from the kernel
+ rm -f include/linux/{kernel,types}.h
+
+ eautoreconf
+
+ epatch "${FILESDIR}"/${P}-configure.patch #557586
+ epatch "${FILESDIR}"/${P}-static-connlabel-config.patch #558234
+
+ # Only run autotools if user patched something
+ epatch_user && eautoreconf || elibtoolize
+}
+
+src_configure() {
+ # Some libs use $(AR) rather than libtool to build #444282
+ tc-export AR
+
+ # Hack around struct mismatches between userland & kernel for some ABIs. #472388
+ use amd64 && [[ ${ABI} == "x32" ]] && append-flags -fpack-struct
+
+ sed -i \
+ -e "/nfnetlink=[01]/s:=[01]:=$(usex netlink 1 0):" \
+ -e "/nfconntrack=[01]/s:=[01]:=$(usex conntrack 1 0):" \
+ configure || die
+
+ econf \
+ --sbindir="${EPREFIX}/sbin" \
+ --libexecdir="${EPREFIX}/$(get_libdir)" \
+ --enable-devel \
+ --enable-shared \
+ --enable-libipq \
+ --enable-nfsynproxy \
+ $(use_enable pcap bpf-compiler) \
+ $(use_enable static-libs static) \
+ $(use_enable ipv6)
+}
+
+src_compile() {
+ emake V=1
+}
+
+src_install() {
+ default
+ dodoc INCOMPATIBILITIES iptables/iptables.xslt
+
+ # all the iptables binaries are in /sbin, so might as well
+ # put these small files in with them
+ into /
+ dosbin iptables/iptables-apply
+ dosym iptables-apply /sbin/ip6tables-apply
+ doman iptables/iptables-apply.8
+
+ insinto /usr/include
+ doins include/iptables.h $(use ipv6 && echo include/ip6tables.h)
+ insinto /usr/include/iptables
+ doins include/iptables/internal.h
+
+ keepdir /var/lib/iptables
+ newinitd "${FILESDIR}"/${PN}.init iptables
+ newconfd "${FILESDIR}"/${PN}-1.4.13.confd iptables
+ if use ipv6 ; then
+ keepdir /var/lib/ip6tables
+ newinitd "${FILESDIR}"/${PN}.init ip6tables
+ newconfd "${FILESDIR}"/ip6tables-1.4.13.confd ip6tables
+ fi
+
+ if use systemd; then
+ systemd_dounit "${FILESDIR}"/systemd/iptables{,-{re,}store}.service
+ if use ipv6 ; then
+ systemd_dounit "${FILESDIR}"/systemd/ip6tables{,-{re,}store}.service
+ fi
+ fi
+
+ # Move important libs to /lib #332175
+ gen_usr_ldscript -a ip{4,6}tc iptc xtables
+
+ prune_libtool_files --all
+}
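Review bot: The `${P}` and `${PN}` references under `${FILESDIR}` in `src_prepare` and `src_install` expand with the `iptables-nftables` prefix, but every file this commit adds to the Manifest is named with the plain `iptables` prefix (`iptables-1.4.21-configure.patch`, `iptables-1.4.21-static-connlabel-config.patch`, `iptables.init`, and the pre-existing `iptables-1.4.13.confd`), so `epatch "${FILESDIR}"/${P}-configure.patch`, the connlabel `epatch`, both `newinitd` lines and the iptables `newconfd` line all point at files that do not exist and the build will die before `src_configure`. Spelling the prefix literally fixes it, e.g. `epatch "${FILESDIR}"/iptables-${PV}-configure.patch #557586` and `newinitd "${FILESDIR}"/iptables.init iptables`, with the same substitution on the other three lines. Separately, the configure patch edits the generated `configure` after the first `eautoreconf`, so whenever `epatch_user` applies something the second `eautoreconf` regenerates `configure` and silently drops that fix; carrying the upstream `configure.ac` change instead, or applying the patch after the reconf, keeps it on both paths. `EGIT_REPO_URI` uses the unauthenticated `git://` transport and is only safe because `EGIT_COMMIT` pins a full commit hash, which is worth stating in the comment above it so that re-enabling `EGIT_BRANCH` later is not mistaken for a harmless change.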