author | Stuart Shelton <stuart@shelton.me> | 2014-05-18 13:24:39 +0100 |
---|---|---|
committer | Stuart Shelton <stuart@shelton.me> | 2014-05-18 13:24:39 +0100 |
commit | a7a11aa47ccbd18ba9517c5930aa0968a1c08b8d (patch) | |
tree | cec3b2f2a0cf27b316d250e34d12906e3d77f66b /net-firewall | |
parent | Add net-firewall/nftables-0.2, update nftables-9999 (diff) | |
Update net-firewall/iptables-nftables-9999
Diffstat (limited to 'net-firewall')
5 files changed, 249 insertions, 13 deletions
diff --git a/net-firewall/iptables-nftables/Manifest b/net-firewall/iptables-nftables/Manifest
index 21e843a3..ff28b709 100644
--- a/net-firewall/iptables-nftables/Manifest
+++ b/net-firewall/iptables-nftables/Manifest
@@ -1 +1,4 @@
-EBUILD iptables-nftables-9999.ebuild 738 SHA256 2eb84bec7d9ea5f5245b17d992e79495229732e73216d9d30e40042c61b28907 SHA512 cf37d9e950b6f1abc27034e541ad5e5317a8b3f40dd09891013eac8544fc9f13dd4a8bdd480457700952747f66e962c61eec18e56c6ccf470ce267498aa92cf7 WHIRLPOOL e99d79454b4617d4c7459f0dc890c973c48380c682bcb6d1d6fbaea2fa55334c51ec8e65206531860997a35302eaa8fea88dd67b4c7cd56a4fef0abc7bc25bfa
+AUX ip6tables-1.4.13.confd 690 SHA256 2938fe4206514d9868047bd8f888a699fa2097ca69edab176453436d4259abaa SHA512 8de9a5de4061bef217fbc07577688a8110f1116af7f3b936dfd18100a6a7a47ec6e70c456b24cf3432fb4f2034b741a487fe6af8d9740f174d51c6eb16945c6e WHIRLPOOL f2f4903812b5b97d5bdf9cb28f0bcb6f8c866f197b46a9128530721a8d9db1cdcedffe2512c9235391a67f494c2daf1266d7bc8a6185949756437221c3861a10
+AUX iptables-1.4.13-r1.init 2891 SHA256 13047698e03079b754957e1e548ce7505dfb2c73c9a31f87e061140603ab0e44 SHA512 c35d4fc3d08e6fe3c567a5fe4b8dc0679c87c01c5d90e9a08b68039e4e846043a1f1ae47bc37bc718af761b9287394e8edfa3681d5ae23d666fc9de60a8c8302 WHIRLPOOL 7007ab6e5524b7d1e6e3c17ed0a7c40c6e7034510ecad2e442a2863a819a72f5f1cda58c5b6ad331b36c6c5c40980f344364593246d46cf95c1527a24115b829
+AUX iptables-1.4.13.confd 687 SHA256 7e2341211ca14997b7a8a1f930f94db855291af597c568f680f80031c20d45b6 SHA512 bd67d53e997ea65755148ba071fe6e3856d6e604b9167c666900721bc3dc24f63d395bc33a1a34ae50f95e72760da630db1a8d35afc81ec5973e60ba5343dc70 WHIRLPOOL 111b809b3122b04cce8ac0e551cfcdec7fde1ad563e1001bbbb3dbb4cae0ddf13851ece1024e13fb26aab2fe306dfc4fd9e59ab5a10127b301bc7a65ec20486b
+EBUILD iptables-nftables-9999.ebuild 2684 SHA256 32f99c6dde67351cf142ce86ad13401fd5d5ec79102f7698b81063f207257a38 SHA512 6a3539f3bd829cba5abcb116e1acc4d7694f619a5920e665c9f981fe1066a4fdba7f8e9f2293a0d256c34bdd0761d3e5e2d35ec4e80fdb81b7baaa1dd4e43188 WHIRLPOOL 76665129832e035fb4757a5943b510e907a767af0ea42459d43b19ec50d10aa85ae3fbc9f9f239e80a16bf138c9c52a8be128a82796f4e3a7a6147912e4ff1ec
diff --git a/net-firewall/iptables-nftables/files/ip6tables-1.4.13.confd b/net-firewall/iptables-nftables/files/ip6tables-1.4.13.confd
new file mode 100644
index 00000000..3bb36989
--- /dev/null
+++ b/net-firewall/iptables-nftables/files/ip6tables-1.4.13.confd
@@ -0,0 +1,19 @@
+# /etc/conf.d/ip6tables
+
+# Location in which iptables initscript will save set rules on
+# service shutdown
+IP6TABLES_SAVE="/var/lib/ip6tables/rules-save"
+
+# Options to pass to iptables-save and iptables-restore
+SAVE_RESTORE_OPTIONS="-c"
+
+# Save state on stopping iptables
+SAVE_ON_STOP="yes"
+
+# If you need to log iptables messages as soon as iptables starts,
+# AND your logger does NOT depend on the network, then you may wish
+# to uncomment the next line.
+# If your logger depends on the network, and you uncomment this line
+# you will create an unresolvable circular dependency during startup.
+# After commenting or uncommenting this line, you must run 'rc-update -u'.
+#rc_use="logger"
diff --git a/net-firewall/iptables-nftables/files/iptables-1.4.13-r1.init b/net-firewall/iptables-nftables/files/iptables-1.4.13-r1.init
new file mode 100644
index 00000000..a63d0768
--- /dev/null
+++ b/net-firewall/iptables-nftables/files/iptables-1.4.13-r1.init
@@ -0,0 +1,130 @@
+#!/sbin/runscript
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-firewall/iptables/files/iptables-1.4.13-r1.init,v 1.3 2013/04/27 17:29:09 vapier Exp $
+
+extra_commands="check save panic"
+extra_started_commands="reload"
+
+iptables_name=${SVCNAME}
+case ${iptables_name} in
+iptables|ip6tables) ;;
+*) iptables_name="iptables" ;;
+esac
+
+iptables_bin="/sbin/${iptables_name}"
+case ${iptables_name} in
+ iptables) iptables_proc="/proc/net/ip_tables_names"
+ iptables_save=${IPTABLES_SAVE};;
+ ip6tables) iptables_proc="/proc/net/ip6_tables_names"
+ iptables_save=${IP6TABLES_SAVE};;
+esac
+
+depend() {
+ need localmount #434774
+ before net
+}
+
+set_table_policy() {
+ local chains table=$1 policy=$2
+ case ${table} in
+ nat) chains="PREROUTING POSTROUTING OUTPUT";;
+ mangle) chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING";;
+ filter) chains="INPUT FORWARD OUTPUT";;
+ *) chains="";;
+ esac
+ local chain
+ for chain in ${chains} ; do
+ ${iptables_bin} -t ${table} -P ${chain} ${policy}
+ done
+}
+
+checkkernel() {
+ if [ ! -e ${iptables_proc} ] ; then
+ eerror "Your kernel lacks ${iptables_name} support, please load"
+ eerror "appropriate modules and try again."
+ return 1
+ fi
+ return 0
+}
+checkconfig() {
+ if [ ! -f ${iptables_save} ] ; then
+ eerror "Not starting ${iptables_name}. First create some rules then run:"
+ eerror "/etc/init.d/${iptables_name} save"
+ return 1
+ fi
+ return 0
+}
+
+start() {
+ checkconfig || return 1
+ ebegin "Loading ${iptables_name} state and starting firewall"
+ ${iptables_bin}-restore ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
+ eend $?
+}
+
+stop() {
+ if [ "${SAVE_ON_STOP}" = "yes" ] ; then
+ save || return 1
+ fi
+ checkkernel || return 1
+ ebegin "Stopping firewall"
+ local a
+ for a in $(cat ${iptables_proc}) ; do
+ set_table_policy $a ACCEPT
+
+ ${iptables_bin} -F -t $a
+ ${iptables_bin} -X -t $a
+ done
+ eend $?
+}
+
+reload() {
+ checkkernel || return 1
+ checkrules || return 1
+ ebegin "Flushing firewall"
+ local a
+ for a in $(cat ${iptables_proc}) ; do
+ ${iptables_bin} -F -t $a
+ ${iptables_bin} -X -t $a
+ done
+ eend $?
+
+ start
+}
+
+checkrules() {
+ ebegin "Checking rules"
+ ${iptables_bin}-restore --test ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
+ eend $?
+}
+
+check() {
+ # Short name for users of init.d script.
+ checkrules
+}
+
+save() {
+ ebegin "Saving ${iptables_name} state"
+ checkpath -q -d "$(dirname "${iptables_save}")"
+ checkpath -q -m 0600 -f "${iptables_save}"
+ ${iptables_bin}-save ${SAVE_RESTORE_OPTIONS} > "${iptables_save}"
+ eend $?
+}
+
+panic() {
+ checkkernel || return 1
+ if service_started ${iptables_name}; then
+ rc-service ${iptables_name} stop
+ fi
+
+ local a
+ ebegin "Dropping all packets"
+ for a in $(cat ${iptables_proc}) ; do
+ ${iptables_bin} -F -t $a
+ ${iptables_bin} -X -t $a
+
+ set_table_policy $a DROP
+ done
+ eend $?
+}
diff --git a/net-firewall/iptables-nftables/files/iptables-1.4.13.confd b/net-firewall/iptables-nftables/files/iptables-1.4.13.confd
new file mode 100644
index 00000000..7225374c
--- /dev/null
+++ b/net-firewall/iptables-nftables/files/iptables-1.4.13.confd
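Review bot: In `save()`, `${iptables_bin}-save ${SAVE_RESTORE_OPTIONS} > "${iptables_save}"` lets the shell truncate the only saved ruleset before iptables-save has written anything, so if the dump fails (binary missing, a table that cannot be read) `eend` reports the failure but the file is already empty; on the next boot `checkconfig` only tests `-f`, so `start()` happily feeds the empty file to iptables-restore, which makes no changes, and the host runs with the kernel's default ACCEPT policies and no rules. Dumping to a sibling temp file and renaming it into place only on success preserves the last good ruleset, and since `stop()` calls `save` first when `SAVE_ON_STOP="yes"`, this also keeps a failed save from destroying the rules the service is about to flush. `checkpath -q -d` is also called without a mode, so only the 0600 on the file protects the saved rules and counters; `-m 0700` on the directory is cheap hardening. The rewritten function:

```shell
save() {
	ebegin "Saving ${iptables_name} state"
	checkpath -q -m 0700 -d "$(dirname "${iptables_save}")"
	# Dump to a sibling file first: a failed iptables-save must not truncate
	# the last good ruleset that start() will restore on the next boot.
	checkpath -q -m 0600 -f "${iptables_save}.tmp"
	${iptables_bin}-save ${SAVE_RESTORE_OPTIONS} > "${iptables_save}.tmp" \
		&& mv -f "${iptables_save}.tmp" "${iptables_save}"
	eend $?
}
```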
@@ -0,0 +1,19 @@
+# /etc/conf.d/iptables
+
+# Location in which iptables initscript will save set rules on
+# service shutdown
+IPTABLES_SAVE="/var/lib/iptables/rules-save"
+
+# Options to pass to iptables-save and iptables-restore
+SAVE_RESTORE_OPTIONS="-c"
+
+# Save state on stopping iptables
+SAVE_ON_STOP="yes"
+
+# If you need to log iptables messages as soon as iptables starts,
+# AND your logger does NOT depend on the network, then you may wish
+# to uncomment the next line.
+# If your logger depends on the network, and you uncomment this line
+# you will create an unresolvable circular dependency during startup.
+# After commenting or uncommenting this line, you must run 'rc-update -u'.
+#rc_use="logger"
diff --git a/net-firewall/iptables-nftables/iptables-nftables-9999.ebuild b/net-firewall/iptables-nftables/iptables-nftables-9999.ebuild
index f5031074..9420bc74 100644
--- a/net-firewall/iptables-nftables/iptables-nftables-9999.ebuild
+++ b/net-firewall/iptables-nftables/iptables-nftables-9999.ebuild
@@ -1,42 +1,107 @@ # Copyright 1999-2013 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -EAPI=4 -inherit autotools git-2 +EAPI="5" +# Force users doing their own patches to install their own tools +AUTOTOOLS_AUTO_DEPEND=no + +inherit autotools eutils git-r3 multilib systemd toolchain-funcs + +# iptables-nftables was merged into iptables... #REPO="${PN}" +# ... and no longer has its own branch... +#BRANCH="nft-compat" REPO="iptables" -#BRANCH="master" -BRANCH="nft-compat" +BRANCH="master" +COMMIT="03091e55a0d949e35a723dadbd6fd0f78ddf3a8c" -DESCRIPTION="Add nftables rules using {ip,ip6}tables syntax" +DESCRIPTION="Linux kernel (3.13+) firewall, NAT and packet mangling tools, with nftables compatibility" HOMEPAGE="http://www.netfilter.org/projects/nftables/" EGIT_REPO_URI="git://git.netfilter.org/${REPO}.git" -EGIT_MASTER="${BRANCH}" +#EGIT_BRANCH="${BRANCH}" +EGIT_COMMIT="${COMMIT}" LICENSE="GPL-2" SLOT="0" -KEYWORDS="amd64 ~arm ~ppc ~ppc64 x86" -#IUSE="" +KEYWORDS="~alpha ~amd64 arm ~arm64 hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86" +IUSE="ipv6 netlink static-libs systemd" -#RDEPEND="" -#DEPEND="${RDEPEND}" -DEPEND="net-libs/libpcap" +RDEPEND=" + netlink? 
( net-libs/libnfnetlink ) +" +DEPEND="${RDEPEND} + virtual/os-headers + virtual/pkgconfig + net-libs/libpcap + !net-firewall/iptables +" src_prepare() { + # use the saner headers from the kernel + rm -f include/linux/{kernel,types}.h + eautoreconf } src_configure() { + # Some libs use $(AR) rather than libtool to build #444282 + tc-export AR + + sed -i \ + -e "/nfnetlink=[01]/s:=[01]:=$(usex netlink 1 0):" \ + configure || die + econf \ + --sbindir="${EPREFIX}/sbin" \ + --libexecdir="${EPREFIX}/$(get_libdir)" \ + --enable-devel \ + --enable-shared \ --enable-libipq \ --enable-bpf-compiler \ --enable-nfsynproxy \ - --enable-devel + $(use_enable static-libs static) \ + $(use_enable ipv6) +} + +src_compile() { + emake V=1 } src_install() { default + dodoc INCOMPATIBILITIES iptables/iptables.xslt + + # all the iptables binaries are in /sbin, so might as well + # put these small files in with them + into / + dosbin iptables/iptables-apply + dosym iptables-apply /sbin/ip6tables-apply + doman iptables/iptables-apply.8 + + insinto /usr/include + doins include/iptables.h $(use ipv6 && echo include/ip6tables.h) + insinto /usr/include/iptables + doins include/iptables/internal.h + + keepdir /var/lib/iptables + newinitd "${FILESDIR}"/iptables-1.4.13-r1.init iptables + newconfd "${FILESDIR}"/iptables-1.4.13.confd iptables + if use ipv6 ; then + keepdir /var/lib/ip6tables + newinitd "${FILESDIR}"/iptables-1.4.13-r1.init ip6tables + newconfd "${FILESDIR}"/ip6tables-1.4.13.confd ip6tables + fi + + if use systemd; then + systemd_dounit "${FILESDIR}"/systemd/iptables{,-{re,}store}.service + if use ipv6 ; then + systemd_dounit "${FILESDIR}"/systemd/ip6tables{,-{re,}store}.service + fi + fi + + # Move important libs to /lib + gen_usr_ldscript -a ip{4,6}tc iptc xtables prune_libtool_files --all } |
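Review bot: `src_install` runs `systemd_dounit "${FILESDIR}"/systemd/iptables{,-{re,}store}.service` (and the ip6tables units) under `USE=systemd`, but the Manifest hunk in this same commit adds only the two confd files and the init script as AUX entries (the old Manifest had a single EBUILD line) and the diffstat's five files contain no `files/systemd/` directory, so a build with that flag set should fail for lack of the unit files; either add the units with Manifest entries or drop the `systemd` IUSE flag and branch until they exist. Separately, `EGIT_REPO_URI="git://git.netfilter.org/${REPO}.git"` is an unauthenticated cleartext transport, so the new `EGIT_COMMIT="${COMMIT}"` pin is what gives the fetch any integrity at all; I would keep the pin, say so next to it — `# pinned: git:// is unauthenticated, so bump COMMIT deliberately rather than tracking a branch` — and switch to `https://git.netfilter.org/` if the server offers it (not verifiable from here). Finally, the `!net-firewall/iptables` blocker is only in DEPEND; a blocker for a package that collides on `/sbin/iptables` at install time belongs in RDEPEND too, since as far as I know DEPEND of an already-merged package is not consulted when net-firewall/iptables is emerged later.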