commit:     3eb821711cbbb51523315c657855ed175e16b8c8
Author:     Felix Janda <felix.janda <AT> posteo <DOT> de>
AuthorDate: Fri Jun 20 16:54:53 2014 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Sat Jun 21 20:49:09 2014 +0000
URL:        
http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=3eb82171

net-firewall/iptables: bump to 1.4.21

---
 .../iptables/files/iptables-1.4.21-musl.patch      | 136 +++++++++++++++++++++
 .../files/systemd/ip6tables-restore.service        |  14 +++
 .../iptables/files/systemd/ip6tables-store.service |  11 ++
 .../iptables/files/systemd/ip6tables.service       |   6 +
 .../files/systemd/iptables-restore.service         |  14 +++
 .../iptables/files/systemd/iptables-store.service  |  11 ++
 .../iptables/files/systemd/iptables.service        |   6 +
 net-firewall/iptables/iptables-1.4.21-r99.ebuild   |  94 ++++++++++++++
 8 files changed, 292 insertions(+)

diff --git a/net-firewall/iptables/files/iptables-1.4.21-musl.patch 
b/net-firewall/iptables/files/iptables-1.4.21-musl.patch
new file mode 100644
index 0000000..286ea87
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-1.4.21-musl.patch
@@ -0,0 +1,136 @@
+diff -ru a/iptables-1.4.21/extensions/libip6t_ipv6header.c 
b/iptables-1.4.21/extensions/libip6t_ipv6header.c
+--- a/iptables-1.4.21/extensions/libip6t_ipv6header.c
++++ b/iptables-1.4.21/extensions/libip6t_ipv6header.c
+@@ -10,6 +10,9 @@
+ #include <netdb.h>
+ #include <xtables.h>
+ #include <linux/netfilter_ipv6/ip6t_ipv6header.h>
++#ifndef IPPROTO_HOPOPTS
++#     define IPPROTO_HOPOPTS 0
++#endif
+ 
+ enum {
+       O_HEADER = 0,
+diff -ru a/iptables-1.4.21/extensions/libxt_TCPOPTSTRIP.c 
b/iptables-1.4.21/extensions/libxt_TCPOPTSTRIP.c
+--- a/iptables-1.4.21/extensions/libxt_TCPOPTSTRIP.c
++++ b/iptables-1.4.21/extensions/libxt_TCPOPTSTRIP.c
+@@ -12,6 +12,21 @@
+ #ifndef TCPOPT_MD5SIG
+ #     define TCPOPT_MD5SIG 19
+ #endif
++#ifndef TCPOPT_MAXSEG
++#     define TCPOPT_MAXSEG 2
++#endif
++#ifndef TCPOPT_WINDOW
++#     define TCPOPT_WINDOW 3
++#endif
++#ifndef TCPOPT_SACK_PERMITTED
++#     define TCPOPT_SACK_PERMITTED 4
++#endif
++#ifndef TCPOPT_SACK
++#     define TCPOPT_SACK 5
++#endif
++#ifndef TCPOPT_TIMESTAMP
++#     define TCPOPT_TIMESTAMP 8
++#endif
+ 
+ enum {
+       O_STRIP_OPTION = 0,
+diff -ru a/iptables-1.4.21/include/libiptc/ipt_kernel_headers.h 
b/iptables-1.4.21/include/libiptc/ipt_kernel_headers.h
+--- a/iptables-1.4.21/include/libiptc/ipt_kernel_headers.h
++++ b/iptables-1.4.21/include/libiptc/ipt_kernel_headers.h
+@@ -5,7 +5,6 @@
+ 
+ #include <limits.h>
+ 
+-#if defined(__GLIBC__) && __GLIBC__ == 2
+ #include <netinet/ip.h>
+ #include <netinet/in.h>
+ #include <netinet/ip_icmp.h>
+@@ -13,15 +12,4 @@
+ #include <netinet/udp.h>
+ #include <net/if.h>
+ #include <sys/types.h>
+-#else /* libc5 */
+-#include <sys/socket.h>
+-#include <linux/ip.h>
+-#include <linux/in.h>
+-#include <linux/if.h>
+-#include <linux/icmp.h>
+-#include <linux/tcp.h>
+-#include <linux/udp.h>
+-#include <linux/types.h>
+-#include <linux/in6.h>
+-#endif
+ #endif
+diff -ru a/iptables-1.4.21/include/linux/netfilter_ipv4/ip_tables.h 
b/iptables-1.4.21/include/linux/netfilter_ipv4/ip_tables.h
+--- a/iptables-1.4.21/include/linux/netfilter_ipv4/ip_tables.h
++++ b/iptables-1.4.21/include/linux/netfilter_ipv4/ip_tables.h
+@@ -16,6 +16,7 @@
+ #define _IPTABLES_H
+ 
+ #include <linux/types.h>
++#include <sys/types.h>
+ 
+ #include <linux/netfilter_ipv4.h>
+ 
+diff -ru a/iptables-1.4.21/iptables/ip6tables-restore.c 
b/iptables-1.4.21/iptables/ip6tables-restore.c
+--- a/iptables-1.4.21/iptables/ip6tables-restore.c
++++ b/iptables-1.4.21/iptables/ip6tables-restore.c
+@@ -9,7 +9,7 @@
+  */
+ 
+ #include <getopt.h>
+-#include <sys/errno.h>
++#include <errno.h>
+ #include <stdbool.h>
+ #include <string.h>
+ #include <stdio.h>
+diff -ru a/iptables-1.4.21/iptables/ip6tables-save.c 
b/iptables-1.4.21/iptables/ip6tables-save.c
+--- a/iptables-1.4.21/iptables/ip6tables-save.c
++++ b/iptables-1.4.21/iptables/ip6tables-save.c
+@@ -6,7 +6,7 @@
+  * This code is distributed under the terms of GNU GPL v2
+  */
+ #include <getopt.h>
+-#include <sys/errno.h>
++#include <errno.h>
+ #include <stdio.h>
+ #include <fcntl.h>
+ #include <stdlib.h>
+diff -ru a/iptables-1.4.21/iptables/iptables-restore.c 
b/iptables-1.4.21/iptables/iptables-restore.c
+--- a/iptables-1.4.21/iptables/iptables-restore.c
++++ b/iptables-1.4.21/iptables/iptables-restore.c
+@@ -6,7 +6,7 @@
+  */
+ 
+ #include <getopt.h>
+-#include <sys/errno.h>
++#include <errno.h>
+ #include <stdbool.h>
+ #include <string.h>
+ #include <stdio.h>
+diff -ru a/iptables-1.4.21/iptables/iptables-save.c 
b/iptables-1.4.21/iptables/iptables-save.c
+--- a/iptables-1.4.21/iptables/iptables-save.c
++++ b/iptables-1.4.21/iptables/iptables-save.c
+@@ -6,7 +6,7 @@
+  *
+  */
+ #include <getopt.h>
+-#include <sys/errno.h>
++#include <errno.h>
+ #include <stdio.h>
+ #include <fcntl.h>
+ #include <stdlib.h>
+diff -ru a/iptables-1.4.21/iptables/iptables-xml.c 
b/iptables-1.4.21/iptables/iptables-xml.c
+--- a/iptables-1.4.21/iptables/iptables-xml.c
++++ b/iptables-1.4.21/iptables/iptables-xml.c
+@@ -7,7 +7,7 @@
+  */
+ 
+ #include <getopt.h>
+-#include <sys/errno.h>
++#include <errno.h>
+ #include <string.h>
+ #include <stdio.h>
+ #include <stdlib.h>
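Review bot: The new patch file has no header explaining why each hunk is needed or whether it was sent upstream, so the next version bump cannot tell which hunks are still required. A plain-text preamble before the first `diff -ru` line is ignored by patch(1), so the file could open with something like `Build fixes for musl: #ifndef fallbacks for IPPROTO_HOPOPTS and the TCPOPT_* kinds, drop the glibc-only guard around the netinet/ headers in ipt_kernel_headers.h, and use <errno.h> instead of the non-standard <sys/errno.h>`. The hardcoded TCPOPT_* fallback values (2, 3, 4, 5, 8) match the standard TCP option kinds and are guarded by #ifndef so they stay inert on libcs that define them; stating that in the header would save a reviewer re-checking them.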

diff --git a/net-firewall/iptables/files/systemd/ip6tables-restore.service 
b/net-firewall/iptables/files/systemd/ip6tables-restore.service
new file mode 100644
index 0000000..88415fa
--- /dev/null
+++ b/net-firewall/iptables/files/systemd/ip6tables-restore.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Restore ip6tables firewall rules
+# if both are queued for some reason, don't store before restoring :)
+Before=ip6tables-store.service
+# sounds reasonable to have firewall up before any of the services go up
+Before=network.target
+Conflicts=shutdown.target
+
+[Service]
+Type=oneshot
+ExecStart=/sbin/ip6tables-restore /var/lib/ip6tables/rules-save
+
+[Install]
+WantedBy=basic.target
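Review bot: The ExecStart line reads /var/lib/ip6tables/rules-save unconditionally, so on a fresh install (before ip6tables-store has ever run) the unit fails at boot with a non-zero status. If that visible failure is the intended signal for "no saved ruleset", a comment in [Unit] saying so would help; otherwise `ConditionPathExists=/var/lib/ip6tables/rules-save` in [Unit] skips the unit cleanly until a ruleset has been saved. iptables-restore.service has the same behaviour with /var/lib/iptables/rules-save.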

diff --git a/net-firewall/iptables/files/systemd/ip6tables-store.service 
b/net-firewall/iptables/files/systemd/ip6tables-store.service
new file mode 100644
index 0000000..9975378
--- /dev/null
+++ b/net-firewall/iptables/files/systemd/ip6tables-store.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Store ip6tables firewall rules
+Before=shutdown.target
+DefaultDependencies=No
+
+[Service]
+Type=oneshot
+ExecStart=/bin/sh -c "/sbin/ip6tables-save --counters > 
/var/lib/ip6tables/rules-save"
+
+[Install]
+WantedBy=shutdown.target
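Review bot: The ExecStart line saves through a plain shell redirection, so rules-save is truncated before ip6tables-save runs; if the save fails at shutdown for any reason, the previous good ruleset is destroyed and the next boot's restore loads an empty file, leaving the host without its firewall. Write to a temporary name and rename only on success: `ExecStart=/bin/sh -c "/sbin/ip6tables-save --counters > /var/lib/ip6tables/rules-save.tmp && mv -f /var/lib/ip6tables/rules-save.tmp /var/lib/ip6tables/rules-save"`. The file is also created under the service's default umask (0022 unless overridden), which makes the complete ruleset readable by every local user; `UMask=077` in [Service] keeps it root-only. iptables-store.service has the same two issues.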

diff --git a/net-firewall/iptables/files/systemd/ip6tables.service 
b/net-firewall/iptables/files/systemd/ip6tables.service
new file mode 100644
index 0000000..0a6d7fa
--- /dev/null
+++ b/net-firewall/iptables/files/systemd/ip6tables.service
@@ -0,0 +1,6 @@
+[Unit]
+Description=Store and restore ip6tables firewall rules
+
+[Install]
+Also=ip6tables-store.service
+Also=ip6tables-restore.service
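Review bot: ip6tables.service has no [Service] section and no ExecStart, which reads like an omission; it appears to exist only so that enabling it pulls in the store and restore units through the two `Also=` lines. A one-line comment above [Unit] such as `# Aggregate unit: enabling it enables the -store and -restore units via Also=; it is not meant to be started` would make that explicit. The same applies to iptables.service.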

diff --git a/net-firewall/iptables/files/systemd/iptables-restore.service 
b/net-firewall/iptables/files/systemd/iptables-restore.service
new file mode 100644
index 0000000..9d568d7
--- /dev/null
+++ b/net-firewall/iptables/files/systemd/iptables-restore.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Restore iptables firewall rules
+# if both are queued for some reason, don't store before restoring :)
+Before=iptables-store.service
+# sounds reasonable to have firewall up before any of the services go up
+Before=network.target
+Conflicts=shutdown.target
+
+[Service]
+Type=oneshot
+ExecStart=/sbin/iptables-restore /var/lib/iptables/rules-save
+
+[Install]
+WantedBy=basic.target

diff --git a/net-firewall/iptables/files/systemd/iptables-store.service 
b/net-firewall/iptables/files/systemd/iptables-store.service
new file mode 100644
index 0000000..aa16e75
--- /dev/null
+++ b/net-firewall/iptables/files/systemd/iptables-store.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Store iptables firewall rules
+Before=shutdown.target
+DefaultDependencies=No
+
+[Service]
+Type=oneshot
+ExecStart=/bin/sh -c "/sbin/iptables-save --counters > 
/var/lib/iptables/rules-save"
+
+[Install]
+WantedBy=shutdown.target

diff --git a/net-firewall/iptables/files/systemd/iptables.service 
b/net-firewall/iptables/files/systemd/iptables.service
new file mode 100644
index 0000000..3643a3e
--- /dev/null
+++ b/net-firewall/iptables/files/systemd/iptables.service
@@ -0,0 +1,6 @@
+[Unit]
+Description=Store and restore iptables firewall rules
+
+[Install]
+Also=iptables-store.service
+Also=iptables-restore.service

diff --git a/net-firewall/iptables/iptables-1.4.21-r99.ebuild 
b/net-firewall/iptables/iptables-1.4.21-r99.ebuild
new file mode 100644
index 0000000..541cc61
--- /dev/null
+++ b/net-firewall/iptables/iptables-1.4.21-r99.ebuild
@@ -0,0 +1,94 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: 
/var/cvsroot/gentoo-x86/net-firewall/iptables/iptables-1.4.21-r1.ebuild,v 1.5 
2014/06/14 11:52:14 zlogene Exp $
+
+EAPI="5"
+
+# Force users doing their own patches to install their own tools
+AUTOTOOLS_AUTO_DEPEND=no
+
+inherit eutils multilib systemd toolchain-funcs autotools
+
+DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
+HOMEPAGE="http://www.netfilter.org/projects/iptables/";
+SRC_URI="http://www.netfilter.org/projects/iptables/files/${P}.tar.bz2";
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="amd64 arm ~mips x86"
+IUSE="ipv6 netlink static-libs"
+
+RDEPEND="
+       netlink? ( net-libs/libnfnetlink )
+"
+DEPEND="${RDEPEND}
+       virtual/os-headers
+       virtual/pkgconfig
+"
+
+src_prepare() {
+       # use the saner headers from the kernel
+       rm -f include/linux/{kernel,types}.h
+
+       epatch ${FILESDIR}/${P}-musl.patch
+
+       # Only run autotools if user patched something
+       epatch_user && eautoreconf || elibtoolize
+}
+
+src_configure() {
+       # Some libs use $(AR) rather than libtool to build #444282
+       tc-export AR
+
+       sed -i \
+               -e "/nfnetlink=[01]/s:=[01]:=$(usex netlink 1 0):" \
+               configure || die
+
+       econf \
+               --sbindir="${EPREFIX}/sbin" \
+               --libexecdir="${EPREFIX}/$(get_libdir)" \
+               --enable-devel \
+               --enable-shared \
+               $(use_enable static-libs static) \
+               $(use_enable ipv6)
+}
+
+src_compile() {
+       emake V=1
+}
+
+src_install() {
+       default
+       dodoc INCOMPATIBILITIES iptables/iptables.xslt
+
+       # all the iptables binaries are in /sbin, so might as well
+       # put these small files in with them
+       into /
+       dosbin iptables/iptables-apply
+       dosym iptables-apply /sbin/ip6tables-apply
+       doman iptables/iptables-apply.8
+
+       insinto /usr/include
+       doins include/iptables.h $(use ipv6 && echo include/ip6tables.h)
+       insinto /usr/include/iptables
+       doins include/iptables/internal.h
+
+       keepdir /var/lib/iptables
+       newinitd "${FILESDIR}"/${PN}-1.4.13-r1.init iptables
+       newconfd "${FILESDIR}"/${PN}-1.4.13.confd iptables
+       if use ipv6 ; then
+               keepdir /var/lib/ip6tables
+               newinitd "${FILESDIR}"/iptables-1.4.13-r1.init ip6tables
+               newconfd "${FILESDIR}"/ip6tables-1.4.13.confd ip6tables
+       fi
+
+       systemd_dounit "${FILESDIR}"/systemd/iptables{,-{re,}store}.service
+       if use ipv6 ; then
+               systemd_dounit 
"${FILESDIR}"/systemd/ip6tables{,-{re,}store}.service
+       fi
+
+       # Move important libs to /lib
+       gen_usr_ldscript -a ip{4,6}tc iptc xtables
+
+       prune_libtool_files
+}
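Review bot: `${FILESDIR}` on the epatch line in src_prepare is unquoted while every other use in the file (newinitd, newconfd, systemd_dounit) is quoted, so a build path containing whitespace would split the argument; change it to `epatch "${FILESDIR}"/${P}-musl.patch`. The `$Header:` line still points at iptables-1.4.21-r1.ebuild in gentoo-x86, presumably the ebuild this -r99 was copied from; a short comment stating that and what -r99 adds on top of it (the musl patch) would help the next bump.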
