commit: 3eb821711cbbb51523315c657855ed175e16b8c8 Author: Felix Janda <felix.janda <AT> posteo <DOT> de> AuthorDate: Fri Jun 20 16:54:53 2014 +0000 Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org> CommitDate: Sat Jun 21 20:49:09 2014 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=3eb82171
net-firewall/iptables: bump to 1.4.21 --- .../iptables/files/iptables-1.4.21-musl.patch | 136 +++++++++++++++++++++ .../files/systemd/ip6tables-restore.service | 14 +++ .../iptables/files/systemd/ip6tables-store.service | 11 ++ .../iptables/files/systemd/ip6tables.service | 6 + .../files/systemd/iptables-restore.service | 14 +++ .../iptables/files/systemd/iptables-store.service | 11 ++ .../iptables/files/systemd/iptables.service | 6 + net-firewall/iptables/iptables-1.4.21-r99.ebuild | 94 ++++++++++++++ 8 files changed, 292 insertions(+) diff --git a/net-firewall/iptables/files/iptables-1.4.21-musl.patch b/net-firewall/iptables/files/iptables-1.4.21-musl.patch new file mode 100644 index 0000000..286ea87 --- /dev/null +++ b/net-firewall/iptables/files/iptables-1.4.21-musl.patch @@ -0,0 +1,136 @@ +diff -ru a/iptables-1.4.21/extensions/libip6t_ipv6header.c b/iptables-1.4.21/extensions/libip6t_ipv6header.c +--- a/iptables-1.4.21/extensions/libip6t_ipv6header.c ++++ b/iptables-1.4.21/extensions/libip6t_ipv6header.c +@@ -10,6 +10,9 @@ + #include <netdb.h> + #include <xtables.h> + #include <linux/netfilter_ipv6/ip6t_ipv6header.h> ++#ifndef IPPROTO_HOPOPTS ++# define IPPROTO_HOPOPTS 0 ++#endif + + enum { + O_HEADER = 0, +diff -ru a/iptables-1.4.21/extensions/libxt_TCPOPTSTRIP.c b/iptables-1.4.21/extensions/libxt_TCPOPTSTRIP.c +--- a/iptables-1.4.21/extensions/libxt_TCPOPTSTRIP.c ++++ b/iptables-1.4.21/extensions/libxt_TCPOPTSTRIP.c +@@ -12,6 +12,21 @@ + #ifndef TCPOPT_MD5SIG + # define TCPOPT_MD5SIG 19 + #endif ++#ifndef TCPOPT_MAXSEG ++# define TCPOPT_MAXSEG 2 ++#endif ++#ifndef TCPOPT_WINDOW ++# define TCPOPT_WINDOW 3 ++#endif ++#ifndef TCPOPT_SACK_PERMITTED ++# define TCPOPT_SACK_PERMITTED 4 ++#endif ++#ifndef TCPOPT_SACK ++# define TCPOPT_SACK 5 ++#endif ++#ifndef TCPOPT_TIMESTAMP ++# define TCPOPT_TIMESTAMP 8 ++#endif + + enum { + O_STRIP_OPTION = 0, +diff -ru a/iptables-1.4.21/include/libiptc/ipt_kernel_headers.h b/iptables-1.4.21/include/libiptc/ipt_kernel_headers.h +--- a/iptables-1.4.21/include/libiptc/ipt_kernel_headers.h ++++ b/iptables-1.4.21/include/libiptc/ipt_kernel_headers.h +@@ -5,7 +5,6 @@ + + #include <limits.h> + +-#if defined(__GLIBC__) && __GLIBC__ == 2 + #include <netinet/ip.h> + #include <netinet/in.h> + #include <netinet/ip_icmp.h> +@@ -13,15 +12,4 @@ + #include <netinet/udp.h> + #include <net/if.h> + #include <sys/types.h> +-#else /* libc5 */ +-#include <sys/socket.h> +-#include <linux/ip.h> +-#include <linux/in.h> +-#include <linux/if.h> +-#include <linux/icmp.h> +-#include <linux/tcp.h> +-#include <linux/udp.h> +-#include <linux/types.h> +-#include <linux/in6.h> +-#endif + #endif +diff -ru a/iptables-1.4.21/include/linux/netfilter_ipv4/ip_tables.h b/iptables-1.4.21/include/linux/netfilter_ipv4/ip_tables.h +--- a/iptables-1.4.21/include/linux/netfilter_ipv4/ip_tables.h ++++ b/iptables-1.4.21/include/linux/netfilter_ipv4/ip_tables.h +@@ -16,6 +16,7 @@ + #define _IPTABLES_H + + #include <linux/types.h> ++#include <sys/types.h> + + #include <linux/netfilter_ipv4.h> + +diff -ru a/iptables-1.4.21/iptables/ip6tables-restore.c b/iptables-1.4.21/iptables/ip6tables-restore.c +--- a/iptables-1.4.21/iptables/ip6tables-restore.c ++++ b/iptables-1.4.21/iptables/ip6tables-restore.c +@@ -9,7 +9,7 @@ + */ + + #include <getopt.h> +-#include <sys/errno.h> ++#include <errno.h> + #include <stdbool.h> + #include <string.h> + #include <stdio.h> +diff -ru a/iptables-1.4.21/iptables/ip6tables-save.c b/iptables-1.4.21/iptables/ip6tables-save.c +--- a/iptables-1.4.21/iptables/ip6tables-save.c ++++ b/iptables-1.4.21/iptables/ip6tables-save.c +@@ -6,7 +6,7 @@ + * This code is distributed under the terms of GNU GPL v2 + */ + #include <getopt.h> +-#include <sys/errno.h> ++#include <errno.h> + #include <stdio.h> + #include <fcntl.h> + #include <stdlib.h> +diff -ru a/iptables-1.4.21/iptables/iptables-restore.c b/iptables-1.4.21/iptables/iptables-restore.c +--- a/iptables-1.4.21/iptables/iptables-restore.c ++++ b/iptables-1.4.21/iptables/iptables-restore.c +@@ -6,7 +6,7 @@ + */ + + #include <getopt.h> +-#include <sys/errno.h> ++#include <errno.h> + #include <stdbool.h> + #include <string.h> + #include <stdio.h> +diff -ru a/iptables-1.4.21/iptables/iptables-save.c b/iptables-1.4.21/iptables/iptables-save.c +--- a/iptables-1.4.21/iptables/iptables-save.c ++++ b/iptables-1.4.21/iptables/iptables-save.c +@@ -6,7 +6,7 @@ + * + */ + #include <getopt.h> +-#include <sys/errno.h> ++#include <errno.h> + #include <stdio.h> + #include <fcntl.h> + #include <stdlib.h> +diff -ru a/iptables-1.4.21/iptables/iptables-xml.c b/iptables-1.4.21/iptables/iptables-xml.c +--- a/iptables-1.4.21/iptables/iptables-xml.c ++++ b/iptables-1.4.21/iptables/iptables-xml.c +@@ -7,7 +7,7 @@ + */ + + #include <getopt.h> +-#include <sys/errno.h> ++#include <errno.h> + #include <string.h> + #include <stdio.h> + #include <stdlib.h> diff --git a/net-firewall/iptables/files/systemd/ip6tables-restore.service b/net-firewall/iptables/files/systemd/ip6tables-restore.service new file mode 100644 index 0000000..88415fa --- /dev/null +++ b/net-firewall/iptables/files/systemd/ip6tables-restore.service @@ -0,0 +1,14 @@ +[Unit] +Description=Restore ip6tables firewall rules +# if both are queued for some reason, don't store before restoring :) +Before=ip6tables-store.service +# sounds reasonable to have firewall up before any of the services go up +Before=network.target +Conflicts=shutdown.target + +[Service] +Type=oneshot +ExecStart=/sbin/ip6tables-restore /var/lib/ip6tables/rules-save + +[Install] +WantedBy=basic.target diff --git a/net-firewall/iptables/files/systemd/ip6tables-store.service b/net-firewall/iptables/files/systemd/ip6tables-store.service new file mode 100644 index 0000000..9975378 --- /dev/null +++ b/net-firewall/iptables/files/systemd/ip6tables-store.service @@ -0,0 +1,11 @@ +[Unit] +Description=Store ip6tables firewall rules +Before=shutdown.target +DefaultDependencies=No + +[Service] +Type=oneshot +ExecStart=/bin/sh -c "/sbin/ip6tables-save --counters > /var/lib/ip6tables/rules-save" + +[Install] +WantedBy=shutdown.target diff --git a/net-firewall/iptables/files/systemd/ip6tables.service b/net-firewall/iptables/files/systemd/ip6tables.service new file mode 100644 index 0000000..0a6d7fa --- /dev/null +++ b/net-firewall/iptables/files/systemd/ip6tables.service @@ -0,0 +1,6 @@ +[Unit] +Description=Store and restore ip6tables firewall rules + +[Install] +Also=ip6tables-store.service +Also=ip6tables-restore.service diff --git a/net-firewall/iptables/files/systemd/iptables-restore.service b/net-firewall/iptables/files/systemd/iptables-restore.service new file mode 100644 index 0000000..9d568d7 --- /dev/null +++ b/net-firewall/iptables/files/systemd/iptables-restore.service @@ -0,0 +1,14 @@ +[Unit] +Description=Restore iptables firewall rules +# if both are queued for some reason, don't store before restoring :) +Before=iptables-store.service +# sounds reasonable to have firewall up before any of the services go up +Before=network.target +Conflicts=shutdown.target + +[Service] +Type=oneshot +ExecStart=/sbin/iptables-restore /var/lib/iptables/rules-save + +[Install] +WantedBy=basic.target diff --git a/net-firewall/iptables/files/systemd/iptables-store.service b/net-firewall/iptables/files/systemd/iptables-store.service new file mode 100644 index 0000000..aa16e75 --- /dev/null +++ b/net-firewall/iptables/files/systemd/iptables-store.service @@ -0,0 +1,11 @@ +[Unit] +Description=Store iptables firewall rules +Before=shutdown.target +DefaultDependencies=No + +[Service] +Type=oneshot +ExecStart=/bin/sh -c "/sbin/iptables-save --counters > /var/lib/iptables/rules-save" + +[Install] +WantedBy=shutdown.target diff --git a/net-firewall/iptables/files/systemd/iptables.service b/net-firewall/iptables/files/systemd/iptables.service new file mode 100644 index 0000000..3643a3e --- /dev/null +++ b/net-firewall/iptables/files/systemd/iptables.service @@ -0,0 +1,6 @@ +[Unit] +Description=Store and restore iptables firewall rules + +[Install] +Also=iptables-store.service +Also=iptables-restore.service diff --git a/net-firewall/iptables/iptables-1.4.21-r99.ebuild b/net-firewall/iptables/iptables-1.4.21-r99.ebuild new file mode 100644 index 0000000..541cc61 --- /dev/null +++ b/net-firewall/iptables/iptables-1.4.21-r99.ebuild @@ -0,0 +1,94 @@ +# Copyright 1999-2014 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/net-firewall/iptables/iptables-1.4.21-r1.ebuild,v 1.5 2014/06/14 11:52:14 zlogene Exp $ + +EAPI="5" + +# Force users doing their own patches to install their own tools +AUTOTOOLS_AUTO_DEPEND=no + +inherit eutils multilib systemd toolchain-funcs autotools + +DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools" +HOMEPAGE="http://www.netfilter.org/projects/iptables/" +SRC_URI="http://www.netfilter.org/projects/iptables/files/${P}.tar.bz2" + +LICENSE="GPL-2" +SLOT="0" +KEYWORDS="amd64 arm ~mips x86" +IUSE="ipv6 netlink static-libs" + +RDEPEND=" + netlink? ( net-libs/libnfnetlink ) +" +DEPEND="${RDEPEND} + virtual/os-headers + virtual/pkgconfig +" + +src_prepare() { + # use the saner headers from the kernel + rm -f include/linux/{kernel,types}.h + + epatch ${FILESDIR}/${P}-musl.patch + + # Only run autotools if user patched something + epatch_user && eautoreconf || elibtoolize +} + +src_configure() { + # Some libs use $(AR) rather than libtool to build #444282 + tc-export AR + + sed -i \ + -e "/nfnetlink=[01]/s:=[01]:=$(usex netlink 1 0):" \ + configure || die + + econf \ + --sbindir="${EPREFIX}/sbin" \ + --libexecdir="${EPREFIX}/$(get_libdir)" \ + --enable-devel \ + --enable-shared \ + $(use_enable static-libs static) \ + $(use_enable ipv6) +} + +src_compile() { + emake V=1 +} + +src_install() { + default + dodoc INCOMPATIBILITIES iptables/iptables.xslt + + # all the iptables binaries are in /sbin, so might as well + # put these small files in with them + into / + dosbin iptables/iptables-apply + dosym iptables-apply /sbin/ip6tables-apply + doman iptables/iptables-apply.8 + + insinto /usr/include + doins include/iptables.h $(use ipv6 && echo include/ip6tables.h) + insinto /usr/include/iptables + doins include/iptables/internal.h + + keepdir /var/lib/iptables + newinitd "${FILESDIR}"/${PN}-1.4.13-r1.init iptables + newconfd "${FILESDIR}"/${PN}-1.4.13.confd iptables + if use ipv6 ; then + keepdir /var/lib/ip6tables + newinitd "${FILESDIR}"/iptables-1.4.13-r1.init ip6tables + newconfd "${FILESDIR}"/ip6tables-1.4.13.confd ip6tables + fi + + systemd_dounit "${FILESDIR}"/systemd/iptables{,-{re,}store}.service + if use ipv6 ; then + systemd_dounit "${FILESDIR}"/systemd/ip6tables{,-{re,}store}.service + fi + + # Move important libs to /lib + gen_usr_ldscript -a ip{4,6}tc iptc xtables + + prune_libtool_files +}