commit:     68a4aeb7ce34ec6f16710ce40443a1b460af6517
Author:     Kerin Millar <kfm <AT> plushkava <DOT> net>
AuthorDate: Sun Mar 19 09:04:41 2023 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Sun Mar 19 22:21:54 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=68a4aeb7

net-firewall/nftables: Use the newly built libnftables.so in the pkg_preinst 
check

Doing so is appropriate because it's not a library that's provided
externally. Also, tidy up the code structure and replace the outdated
pkg_preinst() function in the ebuild for v1.0.5.

Signed-off-by: Kerin Millar <kfm <AT> plushkava.net>
Signed-off-by: Sam James <sam <AT> gentoo.org>

 net-firewall/nftables/nftables-1.0.5.ebuild | 33 ++++++++++++++++------
 net-firewall/nftables/nftables-1.0.6.ebuild | 44 ++++++++++++++---------------
 net-firewall/nftables/nftables-1.0.7.ebuild | 44 ++++++++++++++---------------
 net-firewall/nftables/nftables-9999.ebuild  | 44 ++++++++++++++---------------
 4 files changed, 90 insertions(+), 75 deletions(-)

diff --git a/net-firewall/nftables/nftables-1.0.5.ebuild 
b/net-firewall/nftables/nftables-1.0.5.ebuild
index 3b4f9fbbf1d2..5226ca74577d 100644
--- a/net-firewall/nftables/nftables-1.0.5.ebuild
+++ b/net-firewall/nftables/nftables-1.0.5.ebuild
@@ -167,15 +167,30 @@ src_install() {
 }
 
 pkg_preinst() {
-       if [[ -d /sys/module/nf_tables ]] && [[ -x /sbin/nft ]] && [[ -z 
${ROOT} ]]; then
-               if ! /sbin/nft -t list ruleset | "${ED}"/sbin/nft -c -f -; then
-                       eerror "Your currently loaded ruleset cannot be parsed 
by the newly built instance of"
-                       eerror "nft. This probably means that there is a 
regression introduced by v${PV}."
-                       eerror "(To make the ebuild fail instead of warning, 
set NFTABLES_ABORT_ON_RELOAD_FAILURE=1.)"
-
-                       if [[ -n ${NFTABLES_ABORT_ON_RELOAD_FAILURE} ]] ; then
-                               die "Aborting because of failed nft reload!"
-                       fi
+       local stderr
+
+       # There's a history of regressions with nftables upgrades. Perform a
+       # safety check to help us spot them earlier. For the check to pass, the
+       # currently loaded ruleset, if any, must be successfully evaluated by
+       # the newly built instance of nft(8).
+       if [[ -n ${ROOT} ]] || [[ ! -d /sys/module/nftables ]] || [[ ! -x 
/sbin/nft ]]; then
+               # Either nftables isn't yet in use or nft(8) cannot be executed.
+               return
+       elif ! stderr=$(umask 177; /sbin/nft -t list ruleset 2>&1 
>"${T}"/ruleset.nft); then
+               # Report errors induced by trying to list the ruleset but don't
+               # treat them as being fatal.
+               printf '%s\n' "${stderr}" >&2
+       elif [[ ${stderr} == *"is managed by iptables-nft"* ]]; then
+               # Rulesets generated by iptables-nft are special in nature and
+               # will not always be printed in a way that constitutes a valid
+               # syntax for ntf(8). Ignore them.
+               return
+       elif set -- "${ED}"/usr/lib*/libnftables.so; ! LD_LIBRARY_PATH=${1%/*} 
"${ED}"/sbin/nft -c -f -- "${T}"/ruleset.nft; then
+               eerror "Your currently loaded ruleset cannot be parsed by the 
newly built instance of"
+               eerror "nft. This probably means that there is a regression 
introduced by v${PV}."
+               eerror "(To make the ebuild fail instead of warning, set 
NFTABLES_ABORT_ON_RELOAD_FAILURE=1.)"
+               if [[ -n ${NFTABLES_ABORT_ON_RELOAD_FAILURE} ]] ; then
+                       die "Aborting because of failed nft reload!"
                fi
        fi
 }
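Review bot: The first condition of the new `if` tests `[[ ! -d /sys/module/nftables ]]` whereas the removed line tested `/sys/module/nf_tables`, and the description does not mention a rename; as far as I know the kernel module is called nf_tables, so unless a module literally named nftables exists this branch always returns early and the regression check is silently disabled. Restoring `[[ ! -d /sys/module/nf_tables ]]` keeps the behaviour the commit message promises; the same line appears in the 1.0.6, 1.0.7 and 9999 hunks. Separately, `set -- "${ED}"/usr/lib*/libnftables.so` leaves `$1` as the literal pattern when the glob matches nothing, so `LD_LIBRARY_PATH=${1%/*}` would then name a non-existent directory and the freshly built nft would quietly resolve libnftables from the host instead of the image, defeating the purpose of the change. A guard such as `[[ -e $1 ]] || die "libnftables.so not found in ${ED}"` before the `LD_LIBRARY_PATH=` invocation makes that failure visible. The retained comment `syntax for ntf(8)` should read `nft(8)`.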

diff --git a/net-firewall/nftables/nftables-1.0.6.ebuild 
b/net-firewall/nftables/nftables-1.0.6.ebuild
index bd4f23708a7e..e5de7f69c0a1 100644
--- a/net-firewall/nftables/nftables-1.0.6.ebuild
+++ b/net-firewall/nftables/nftables-1.0.6.ebuild
@@ -169,28 +169,28 @@ src_install() {
 pkg_preinst() {
        local stderr
 
-       # There's a history of regressions with nftables upgrades. Add a safety
-       # check to help us spot them earlier.
-       if [[ -d /sys/module/nf_tables ]] && [[ -x /sbin/nft ]] && [[ -z 
${ROOT} ]]; then
-               # Check the current loaded ruleset, if any, using the newly
-               # built instance of nft(8).
-               if ! stderr=$(umask 177; /sbin/nft -t list ruleset 2>&1 
>"${T}"/ruleset.nft); then
-                       # Report errors induced by trying to list the ruleset
-                       # but don't treat them as being fatal.
-                       printf '%s\n' "${stderr}" >&2
-               elif [[ ${stderr} == *"is managed by iptables-nft"* ]]; then
-                       # Rulesets generated by iptables-nft are special in
-                       # nature and will not always be printed in a way that
-                       # constitutes a valid syntax for ntf(8). Ignore them.
-                       return
-               elif ! "${ED}"/sbin/nft -c -f "${T}"/ruleset.nft; then
-                       eerror "Your currently loaded ruleset cannot be parsed 
by the newly built instance of"
-                       eerror "nft. This probably means that there is a 
regression introduced by v${PV}."
-                       eerror "(To make the ebuild fail instead of warning, 
set NFTABLES_ABORT_ON_RELOAD_FAILURE=1.)"
-
-                       if [[ -n ${NFTABLES_ABORT_ON_RELOAD_FAILURE} ]] ; then
-                               die "Aborting because of failed nft reload!"
-                       fi
+       # There's a history of regressions with nftables upgrades. Perform a
+       # safety check to help us spot them earlier. For the check to pass, the
+       # currently loaded ruleset, if any, must be successfully evaluated by
+       # the newly built instance of nft(8).
+       if [[ -n ${ROOT} ]] || [[ ! -d /sys/module/nftables ]] || [[ ! -x 
/sbin/nft ]]; then
+               # Either nftables isn't yet in use or nft(8) cannot be executed.
+               return
+       elif ! stderr=$(umask 177; /sbin/nft -t list ruleset 2>&1 
>"${T}"/ruleset.nft); then
+               # Report errors induced by trying to list the ruleset but don't
+               # treat them as being fatal.
+               printf '%s\n' "${stderr}" >&2
+       elif [[ ${stderr} == *"is managed by iptables-nft"* ]]; then
+               # Rulesets generated by iptables-nft are special in nature and
+               # will not always be printed in a way that constitutes a valid
+               # syntax for ntf(8). Ignore them.
+               return
+       elif set -- "${ED}"/usr/lib*/libnftables.so; ! LD_LIBRARY_PATH=${1%/*} 
"${ED}"/sbin/nft -c -f -- "${T}"/ruleset.nft; then
+               eerror "Your currently loaded ruleset cannot be parsed by the 
newly built instance of"
+               eerror "nft. This probably means that there is a regression 
introduced by v${PV}."
+               eerror "(To make the ebuild fail instead of warning, set 
NFTABLES_ABORT_ON_RELOAD_FAILURE=1.)"
+               if [[ -n ${NFTABLES_ABORT_ON_RELOAD_FAILURE} ]] ; then
+                       die "Aborting because of failed nft reload!"
                fi
        fi
 }

diff --git a/net-firewall/nftables/nftables-1.0.7.ebuild 
b/net-firewall/nftables/nftables-1.0.7.ebuild
index b144fded77b4..13ecec61248b 100644
--- a/net-firewall/nftables/nftables-1.0.7.ebuild
+++ b/net-firewall/nftables/nftables-1.0.7.ebuild
@@ -170,28 +170,28 @@ src_install() {
 pkg_preinst() {
        local stderr
 
-       # There's a history of regressions with nftables upgrades. Add a safety
-       # check to help us spot them earlier.
-       if [[ -d /sys/module/nf_tables ]] && [[ -x /sbin/nft ]] && [[ -z 
${ROOT} ]]; then
-               # Check the current loaded ruleset, if any, using the newly
-               # built instance of nft(8).
-               if ! stderr=$(umask 177; /sbin/nft -t list ruleset 2>&1 
>"${T}"/ruleset.nft); then
-                       # Report errors induced by trying to list the ruleset
-                       # but don't treat them as being fatal.
-                       printf '%s\n' "${stderr}" >&2
-               elif [[ ${stderr} == *"is managed by iptables-nft"* ]]; then
-                       # Rulesets generated by iptables-nft are special in
-                       # nature and will not always be printed in a way that
-                       # constitutes a valid syntax for ntf(8). Ignore them.
-                       return
-               elif ! "${ED}"/sbin/nft -c -f "${T}"/ruleset.nft; then
-                       eerror "Your currently loaded ruleset cannot be parsed 
by the newly built instance of"
-                       eerror "nft. This probably means that there is a 
regression introduced by v${PV}."
-                       eerror "(To make the ebuild fail instead of warning, 
set NFTABLES_ABORT_ON_RELOAD_FAILURE=1.)"
-
-                       if [[ -n ${NFTABLES_ABORT_ON_RELOAD_FAILURE} ]] ; then
-                               die "Aborting because of failed nft reload!"
-                       fi
+       # There's a history of regressions with nftables upgrades. Perform a
+       # safety check to help us spot them earlier. For the check to pass, the
+       # currently loaded ruleset, if any, must be successfully evaluated by
+       # the newly built instance of nft(8).
+       if [[ -n ${ROOT} ]] || [[ ! -d /sys/module/nftables ]] || [[ ! -x 
/sbin/nft ]]; then
+               # Either nftables isn't yet in use or nft(8) cannot be executed.
+               return
+       elif ! stderr=$(umask 177; /sbin/nft -t list ruleset 2>&1 
>"${T}"/ruleset.nft); then
+               # Report errors induced by trying to list the ruleset but don't
+               # treat them as being fatal.
+               printf '%s\n' "${stderr}" >&2
+       elif [[ ${stderr} == *"is managed by iptables-nft"* ]]; then
+               # Rulesets generated by iptables-nft are special in nature and
+               # will not always be printed in a way that constitutes a valid
+               # syntax for ntf(8). Ignore them.
+               return
+       elif set -- "${ED}"/usr/lib*/libnftables.so; ! LD_LIBRARY_PATH=${1%/*} 
"${ED}"/sbin/nft -c -f -- "${T}"/ruleset.nft; then
+               eerror "Your currently loaded ruleset cannot be parsed by the 
newly built instance of"
+               eerror "nft. This probably means that there is a regression 
introduced by v${PV}."
+               eerror "(To make the ebuild fail instead of warning, set 
NFTABLES_ABORT_ON_RELOAD_FAILURE=1.)"
+               if [[ -n ${NFTABLES_ABORT_ON_RELOAD_FAILURE} ]] ; then
+                       die "Aborting because of failed nft reload!"
                fi
        fi
 }

diff --git a/net-firewall/nftables/nftables-9999.ebuild 
b/net-firewall/nftables/nftables-9999.ebuild
index b144fded77b4..13ecec61248b 100644
--- a/net-firewall/nftables/nftables-9999.ebuild
+++ b/net-firewall/nftables/nftables-9999.ebuild
@@ -170,28 +170,28 @@ src_install() {
 pkg_preinst() {
        local stderr
 
-       # There's a history of regressions with nftables upgrades. Add a safety
-       # check to help us spot them earlier.
-       if [[ -d /sys/module/nf_tables ]] && [[ -x /sbin/nft ]] && [[ -z 
${ROOT} ]]; then
-               # Check the current loaded ruleset, if any, using the newly
-               # built instance of nft(8).
-               if ! stderr=$(umask 177; /sbin/nft -t list ruleset 2>&1 
>"${T}"/ruleset.nft); then
-                       # Report errors induced by trying to list the ruleset
-                       # but don't treat them as being fatal.
-                       printf '%s\n' "${stderr}" >&2
-               elif [[ ${stderr} == *"is managed by iptables-nft"* ]]; then
-                       # Rulesets generated by iptables-nft are special in
-                       # nature and will not always be printed in a way that
-                       # constitutes a valid syntax for ntf(8). Ignore them.
-                       return
-               elif ! "${ED}"/sbin/nft -c -f "${T}"/ruleset.nft; then
-                       eerror "Your currently loaded ruleset cannot be parsed 
by the newly built instance of"
-                       eerror "nft. This probably means that there is a 
regression introduced by v${PV}."
-                       eerror "(To make the ebuild fail instead of warning, 
set NFTABLES_ABORT_ON_RELOAD_FAILURE=1.)"
-
-                       if [[ -n ${NFTABLES_ABORT_ON_RELOAD_FAILURE} ]] ; then
-                               die "Aborting because of failed nft reload!"
-                       fi
+       # There's a history of regressions with nftables upgrades. Perform a
+       # safety check to help us spot them earlier. For the check to pass, the
+       # currently loaded ruleset, if any, must be successfully evaluated by
+       # the newly built instance of nft(8).
+       if [[ -n ${ROOT} ]] || [[ ! -d /sys/module/nftables ]] || [[ ! -x 
/sbin/nft ]]; then
+               # Either nftables isn't yet in use or nft(8) cannot be executed.
+               return
+       elif ! stderr=$(umask 177; /sbin/nft -t list ruleset 2>&1 
>"${T}"/ruleset.nft); then
+               # Report errors induced by trying to list the ruleset but don't
+               # treat them as being fatal.
+               printf '%s\n' "${stderr}" >&2
+       elif [[ ${stderr} == *"is managed by iptables-nft"* ]]; then
+               # Rulesets generated by iptables-nft are special in nature and
+               # will not always be printed in a way that constitutes a valid
+               # syntax for ntf(8). Ignore them.
+               return
+       elif set -- "${ED}"/usr/lib*/libnftables.so; ! LD_LIBRARY_PATH=${1%/*} 
"${ED}"/sbin/nft -c -f -- "${T}"/ruleset.nft; then
+               eerror "Your currently loaded ruleset cannot be parsed by the 
newly built instance of"
+               eerror "nft. This probably means that there is a regression 
introduced by v${PV}."
+               eerror "(To make the ebuild fail instead of warning, set 
NFTABLES_ABORT_ON_RELOAD_FAILURE=1.)"
+               if [[ -n ${NFTABLES_ABORT_ON_RELOAD_FAILURE} ]] ; then
+                       die "Aborting because of failed nft reload!"
                fi
        fi
 }
