commit:     1c73d672e4a3e228c1b6b287d4345d229597fa35
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Fri Jun 17 18:42:28 2022 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Fri Jun 17 18:44:03 2022 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1c73d672

net-firewall/nftables: add emergency pkg_preinst sanity check

The idea here is that we check just before merging whether the freshly
built `nft` binary can safely (pretend) reload the system ruleset.

A significant number of recent regressions have manifested in immediate
segfaults when doing this, so it's worth doing the safety check (it's
not as if it's niche or unlikely for a failure to occur at this point).

Those who want a failed check to be *fatal* can set 
NFTABLES_ABORT_ON_RELOAD_FAILURE=1.

Otherwise, it's just a warning.

Bug: https://bugs.gentoo.org/852662
Thanks-to: Kerin Millar <kfm <AT> plushkava.net>
Signed-off-by: Sam James <sam <AT> gentoo.org>

 ...{nftables-9999.ebuild => nftables-1.0.4-r2.ebuild} | 19 ++++++++++++++++++-
 net-firewall/nftables/nftables-9999.ebuild            | 16 +++++++++++++++-
 2 files changed, 33 insertions(+), 2 deletions(-)

diff --git a/net-firewall/nftables/nftables-9999.ebuild 
b/net-firewall/nftables/nftables-1.0.4-r2.ebuild
similarity index 88%
copy from net-firewall/nftables/nftables-9999.ebuild
copy to net-firewall/nftables/nftables-1.0.4-r2.ebuild
index d3b5ea2ddc40..e15c2462f85d 100644
--- a/net-firewall/nftables/nftables-9999.ebuild
+++ b/net-firewall/nftables/nftables-1.0.4-r2.ebuild
@@ -1,7 +1,7 @@
 # Copyright 1999-2022 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
-EAPI=7
+EAPI=8
 
 DISTUTILS_OPTIONAL=1
 PYTHON_COMPAT=( python3_{8..11} )
@@ -70,6 +70,9 @@ pkg_setup() {
 }
 
 src_prepare() {
+       local PATCHES=(
+               
"${FILESDIR}/nftables-1.0.4-revert-scanner-flags-move-to-own-scope.patch"
+       )
        default
 
        if [[ ${PV} =~ ^[9]{4,}$ ]] ; then
@@ -162,6 +165,20 @@ src_install() {
        find "${ED}" -type f -name "*.la" -delete || die
 }
 
+pkg_preinst() {
+       if [[ -d /sys/module/nf_tables ]] && [[ -x /sbin/nft ]] && [[ -z 
${ROOT} ]]; then
+               if ! /sbin/nft -t list ruleset | "${ED}"/sbin/nft -c -f -; then
+                       eerror "Your currently loaded ruleset cannot be parsed 
by the newly built instance of"
+                       eerror "nft. This probably means that there is a 
regression introduced by v${PV}."
+                       eerror "(To make the ebuild fail instead of warning, 
set NFTABLES_ABORT_ON_RELOAD_FAILURE=1.)"
+
+                       if [[ -n ${NFTABLES_ABORT_ON_RELOAD_FAILURE} ]] ; then
+                               die "Aborting because of failed nft reload!"
+                       fi
+               fi
+       fi
+}
+
 pkg_postinst() {
        local save_file
        save_file="${EROOT}"/var/lib/nftables/rules-save
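Review bot: The pipeline `/sbin/nft -t list ruleset | "${ED}"/sbin/nft -c -f -` in the new pkg_preinst only reports the status of its last command, so if the currently installed nft fails to dump the ruleset (insufficient privilege, its own crash, a broken earlier build), the new binary validates an empty or truncated input and the check passes without complaint. Capturing the dump into a variable first, as sketched below, makes that failure visible while still feeding the same text to the new binary through `-f -`. A smaller point: gating on `-d /sys/module/nf_tables` may skip the check when nf_tables is built into the kernel rather than loaded as a module, since built-in code does not always get a sysfs node; a successful `nft list ruleset` is arguably the better probe. The identical function is added to nftables-9999.ebuild in the second file's hunk, where both points apply as well.
```bash
pkg_preinst() {
	if [[ -d /sys/module/nf_tables ]] && [[ -x /sbin/nft ]] && [[ -z ${ROOT} ]]; then
		local ruleset
		# Capture the dump first: in a plain pipeline only the last command's
		# status is checked, so a failing old nft would make the check pass vacuously.
		if ! ruleset=$(/sbin/nft -t list ruleset); then
			ewarn "Unable to list the running ruleset with /sbin/nft; skipping the reload sanity check."
			return
		fi
		if ! "${ED}"/sbin/nft -c -f - <<< "${ruleset}"; then
			# … unchanged: eerror messages and NFTABLES_ABORT_ON_RELOAD_FAILURE handling …
```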

diff --git a/net-firewall/nftables/nftables-9999.ebuild 
b/net-firewall/nftables/nftables-9999.ebuild
index d3b5ea2ddc40..51f0627a762d 100644
--- a/net-firewall/nftables/nftables-9999.ebuild
+++ b/net-firewall/nftables/nftables-9999.ebuild
@@ -1,7 +1,7 @@
 # Copyright 1999-2022 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
-EAPI=7
+EAPI=8
 
 DISTUTILS_OPTIONAL=1
 PYTHON_COMPAT=( python3_{8..11} )
@@ -162,6 +162,20 @@ src_install() {
        find "${ED}" -type f -name "*.la" -delete || die
 }
 
+pkg_preinst() {
+       if [[ -d /sys/module/nf_tables ]] && [[ -x /sbin/nft ]] && [[ -z 
${ROOT} ]]; then
+               if ! /sbin/nft -t list ruleset | "${ED}"/sbin/nft -c -f -; then
+                       eerror "Your currently loaded ruleset cannot be parsed 
by the newly built instance of"
+                       eerror "nft. This probably means that there is a 
regression introduced by v${PV}."
+                       eerror "(To make the ebuild fail instead of warning, 
set NFTABLES_ABORT_ON_RELOAD_FAILURE=1.)"
+
+                       if [[ -n ${NFTABLES_ABORT_ON_RELOAD_FAILURE} ]] ; then
+                               die "Aborting because of failed nft reload!"
+                       fi
+               fi
+       fi
+}
+
 pkg_postinst() {
        local save_file
        save_file="${EROOT}"/var/lib/nftables/rules-save
