commit: 322474a9c7cb65b6ebd39d8efd8526f19c38f90b
Author: Ian Delaney <idella4 <AT> gentoo <DOT> org>
AuthorDate: Thu Oct 15 09:05:28 2015 +0000
Commit: Ian Delaney <idella4 <AT> gentoo <DOT> org>
CommitDate: Thu Oct 15 09:06:37 2015 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=322474a9
net-firewall/nftables: revbump and patch to fix broken init script
patches submitted by Nicholas Vinson via gentoo bug, set in metadata
as new proxy maintainer by invitation by developer maintainer mreug,
thanks to gokturk for assistance and cross testing
Gentoo bug: #560920
Package-Manager: portage-2.2.20.1
net-firewall/nftables/files/nftables.init-r1 | 263 +++++++++++++++++++++++++++
net-firewall/nftables/metadata.xml | 16 +-
net-firewall/nftables/nftables-0.5-r1.ebuild | 57 ++++++
3 files changed, 331 insertions(+), 5 deletions(-)
diff --git a/net-firewall/nftables/files/nftables.init-r1
b/net-firewall/nftables/files/nftables.init-r1
new file mode 100644
index 0000000..05bb053
--- /dev/null
+++ b/net-firewall/nftables/files/nftables.init-r1
@@ -0,0 +1,263 @@
+#!/sbin/runscript
+# Copyright 2014 Nicholas Vinson
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+extra_commands="clear list panic save"
+extra_started_commands="reload"
+depend() {
+ need localmount #434774
+ before net
+}
+
+start_pre() {
+ checkkernel || return 1
+ checkconfig || return 1
+ return 0
+}
+
+clear() {
+ if use_legacy; then
+ clear_legacy
+ return 0
+ fi
+
+ nft flush ruleset
+}
+
+list() {
+ if use_legacy; then
+ list_legacy
+ return 0
+ fi
+
+ nft list ruleset
+}
+
+panic() {
+ checkkernel || return 1
+ if service_started ${RC_SVCNAME}; then
+ rc-service ${RC_SVCNAME} stop
+ fi
+
+ ebegin "Dropping all packets"
+ clear
+ if nft create table ip filter >/dev/null 2>&1; then
+ #nft -f /var/lib/nftables/rules-panic.ip
+ nft -f /dev/stdin <<-EOF
+ table ip filter {
+ chain input {
+ type filter hook input priority 0;
+ drop
+ }
+ chain forward {
+ type filter hook forward priority 0;
+ drop
+ }
+ chain output {
+ type filter hook output priority 0;
+ drop
+ }
+ }
+ EOF
+ fi
+ if nft create table ip6 filter >/dev/null 2>&1; then
+ #nft -f /var/lib/nftables/rules-panic.ip6
+ nft -f /dev/stdin <<-EOF
+ table ip6 filter {
+ chain input {
+ type filter hook input priority 0;
+ drop
+ }
+ chain forward {
+ type filter hook forward priority 0;
+ drop
+ }
+ chain output {
+ type filter hook output priority 0;
+ drop
+ }
+ }
+ EOF
+ fi
+}
+
+reload() {
+ checkkernel || return 1
+ ebegin "Flushing firewall"
+ clear
+ start
+}
+
+save() {
+ ebegin "Saving nftables state"
+ checkpath -q -d "$(dirname "${NFTABLES_SAVE}")"
+ checkpath -q -m 0600 -f "${NFTABLES_SAVE}"
+
+ local tmp_save="${NFTABLES_SAVE}.tmp"
+
+ if use_legacy; then
+ save_legacy ${tmp_save}
+ else
+ nft list ruleset > ${tmp_save}
+ fi
+ mv ${tmp_save} ${NFTABLES_SAVE}
+}
+
+start() {
+ ebegin "Loading nftables state and starting firewall"
+ clear
+ nft -f ${NFTABLES_SAVE}
+ eend $?
+}
+
+stop() {
+ if yesno ${SAVE_ON_STOP:-yes}; then
+ save || return 1
+ fi
+
+ ebegin "Stopping firewall"
+ clear
+ eend $?
+}
+
+################################################################################
+#
+# SUPPORT FUNCTIONS
+#
+################################################################################
+checkconfig() {
+ if [ ! -f ${NFTABLES_SAVE} ]; then
+ eerror "Not starting nftables. First create some rules then run:"
+ eerror "rc-service nftables save"
+ return 1
+ fi
+ return 0
+}
+
+checkkernel() {
+ if ! nft list tables >/dev/null 2>&1; then
+ eerror "Your kernel lacks nftables support, please load"
+ eerror "appropriate modules and try again."
+ return 1
+ fi
+ return 0
+}
+
+use_legacy() {
+ local major_ver minor_ver
+
+ major_ver=`uname -r | cut -d '.' -f1`
+ minor_ver=`uname -r | cut -d '.' -f2`
+
+ [[ $major_ver -ge 4 || $major_ver -eq 3 && $minor_ver -ge 18 ]] && return 1
+ return 0
+}
+
+################################################################################
+#
+# LEGACY COMMAND FUNCTIONS
+#
+################################################################################
+
+clear_legacy() {
+ local l3f line table chain first_line
+
+ first_line=1
+ if manualwalk; then
+ for l3f in $(getfamilies); do
+ nft list tables ${l3f} | while read line; do
+ table=$(echo ${line} | sed "s/table[ \t]*//")
+ deletetable ${l3f} ${table}
+ done
+ done
+ else
+ nft list tables | while read line; do
+ l3f=$(echo ${line} | cut -d ' ' -f2)
+ table=$(echo ${line} | cut -d ' ' -f3)
+ deletetable ${l3f} ${table}
+ done
+ fi
+}
+
+list_legacy() {
+ local l3f
+
+ if manualwalk; then
+ for l3f in $(getfamilies); do
+ nft list tables ${l3f} | while read line; do
+ line=$(echo ${line} | sed "s/table/table ${l3f}/")
+ echo "$(nft list ${line})"
+ done
+ done
+ else
+ nft list tables | while read line; do
+ echo "$(nft list ${line})"
+ done
+ fi
+}
+
+save_legacy() {
+ tmp_save=$1
+ touch "${tmp_save}"
+ if manualwalk; then
+ for l3f in $(getfamilies); do
+ nft list tables ${l3f} | while read line; do
+ line=$(echo ${line} | sed "s/table/table ${l3f}/")
+ nft ${SAVE_OPTIONS} list ${line} >> ${tmp_save}
+ done
+ done
+ else
+ nft list tables | while read line; do
+ nft ${SAVE_OPTIONS} list ${line} >> "${tmp_save}"
+ done
+ fi
+}
+
+################################################################################
+#
+# LEGACY SUPPORT FUNCTIONS
+#
+################################################################################
+CHECK_TABLE_NAME="GENTOO_CHECK_TABLE"
+
+getfamilies() {
+ local l3f families
+
+ for l3f in ip arp ip6 bridge inet; do
+ if nft create table ${l3f} ${CHECK_TABLE_NAME} > /dev/null 2>&1; then
+ families="${families}${l3f} "
+ nft delete table ${l3f} ${CHECK_TABLE_NAME}
+ fi
+ done
+ echo ${families}
+}
+
+manualwalk() {
+ local result l3f=`getfamilies | cut -d ' ' -f1`
+
+ nft create table ${l3f} ${CHECK_TABLE_NAME}
+ nft list tables | read line
+ if [ $(echo $line | wc -w) -lt 3 ]; then
+ result=0
+ fi
+ result=1
+ nft delete table ${l3f} ${CHECK_TABLE_NAME}
+
+ return $result
+}
+
+deletetable() {
+ # family is $1
+ # table name is $2
+ nft flush table $1 $2
+ nft list table $1 $2 | while read l; do
+ chain=$(echo $l | grep -o 'chain [^[:space:]]\+' | cut -d ' ' -f2)
+ if [ -n "${chain}" ]; then
+ nft flush chain $1 $2 ${chain}
+ nft delete chain $1 $2 ${chain}
+ fi
+ done
+ nft delete table $1 $2
+}
+
diff --git a/net-firewall/nftables/metadata.xml
b/net-firewall/nftables/metadata.xml
index a250966..822af25 100644
--- a/net-firewall/nftables/metadata.xml
+++ b/net-firewall/nftables/metadata.xml
@@ -1,9 +1,15 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd";>
<pkgmetadata>
-<herd>base-system</herd>
-<maintainer>
- <email>[email protected]</email>
- <name>Manuel Rüger</name>
-</maintainer>
+ <herd>base-system</herd>
+ <herd>proxy-maintainers</herd>
+ <maintainer>
+ <email>[email protected]</email>
+ <name>Manuel Rüger</name>
+ </maintainer>
+ <maintainer>
+ <email>[email protected]</email>
+ <name>Nicholas Vinson</name>
+ <description>Proxy maintianer to be assifgned bugs</description>
+ </maintainer>
</pkgmetadata>
diff --git a/net-firewall/nftables/nftables-0.5-r1.ebuild
b/net-firewall/nftables/nftables-0.5-r1.ebuild
new file mode 100644
index 0000000..8c70616
--- /dev/null
+++ b/net-firewall/nftables/nftables-0.5-r1.ebuild
@@ -0,0 +1,57 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+
+inherit autotools linux-info eutils
+
+DESCRIPTION="Linux kernel (3.13+) firewall, NAT and packet mangling tools"
+HOMEPAGE="http://netfilter.org/projects/nftables/";
+SRC_URI="http://git.netfilter.org/nftables/snapshot/v${PV}.tar.gz ->
${P}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~x86"
+IUSE="debug gmp +readline"
+
+RDEPEND=">=net-libs/libmnl-1.0.3
+ >=net-libs/libnftnl-1.0.5
+ gmp? ( dev-libs/gmp:0= )
+ readline? ( sys-libs/readline:0= )"
+DEPEND="${RDEPEND}
+ >=app-text/docbook2X-0.8.8-r4
+ sys-devel/bison
+ sys-devel/flex"
+
+S="${WORKDIR}"/v${PV}
+
+pkg_setup() {
+ if kernel_is ge 3 13; then
+ CONFIG_CHECK="~NF_TABLES"
+ linux-info_pkg_setup
+ else
+ eerror "This package requires kernel version 3.13 or newer to
work properly."
+ fi
+}
+
+src_prepare() {
+ epatch_user
+ eautoreconf
+}
+
+src_configure() {
+ econf \
+ --sbindir="${EPREFIX}"/sbin \
+ $(use_enable debug) \
+ $(use_with readline cli) \
+ $(use_with !gmp mini_gmp)
+}
+
+src_install() {
+ default
+
+ newconfd "${FILESDIR}"/${PN}.confd ${PN}
+ newinitd "${FILESDIR}"/${PN}.init-r1 ${PN}
+ keepdir /var/lib/nftables
+}
