Diffstat (limited to 'net-firewall')
-rw-r--r-- | net-firewall/iptables/ChangeLog | 9 | ||||
-rw-r--r-- | net-firewall/iptables/files/iptables-1.4.12.1-conntrack-v2-ranges.patch | 48 | ||||
-rw-r--r-- | net-firewall/iptables/iptables-1.4.12.1-r1.ebuild | 88 |
3 files changed, 144 insertions, 1 deletions
diff --git a/net-firewall/iptables/ChangeLog b/net-firewall/iptables/ChangeLog
index 511f058b2a26..954525d4eb21 100644
--- a/net-firewall/iptables/ChangeLog
+++ b/net-firewall/iptables/ChangeLog
@@ -1,6 +1,13 @@
 # ChangeLog for net-firewall/iptables
 # Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-firewall/iptables/ChangeLog,v 1.252 2011/09/18 16:57:17 maekke Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-firewall/iptables/ChangeLog,v 1.253 2011/09/19 07:45:40 pva Exp $
+
+*iptables-1.4.12.1-r1 (19 Sep 2011)
+
+ 19 Sep 2011; Peter Volkov <pva@gentoo.org> +iptables-1.4.12.1-r1.ebuild,
+ +files/iptables-1.4.12.1-conntrack-v2-ranges.patch:
+ Fix parsing bug in libxt_conntrack.c, bug 383331 thank Bill Kenworthy for
+ report.
 
 18 Sep 2011; Markus Meier <maekke@gentoo.org> iptables-1.4.12.1.ebuild:
 arm stable, bug #382367
diff --git a/net-firewall/iptables/files/iptables-1.4.12.1-conntrack-v2-ranges.patch b/net-firewall/iptables/files/iptables-1.4.12.1-conntrack-v2-ranges.patch
new file mode 100644
index 000000000000..9bbcc67cb6a5
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-1.4.12.1-conntrack-v2-ranges.patch
@@ -0,0 +1,48 @@
+commit 3412bd0bfb8b8bac9834cbfd3392b3d5487133bf
+Author: Tom Eastep <teastep@shorewall.net>
+Date: Thu Aug 18 15:11:16 2011 -0700
+
+ libxt_conntrack: improve error message on parsing violation
+
+ Tom Eastep noted:
+
+ $ iptables -A foo -m conntrack --ctorigdstport 22
+ iptables v1.4.12: conntrack rev 2 does not support port ranges
+ Try `iptables -h' or 'iptables --help' for more information.
+
+ Commit v1.4.12-41-g1ad6407 takes care of the actual cause of the bug,
+ but let's include Tom's patch nevertheless for the better error
+ message in case one actually does specify a range with rev 2.
+
+ References: http://marc.info/?l=netfilter-devel&m=131370592105298&w=2
+ Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
+
+diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c
+index 060b947..fff69f8 100644
+--- a/extensions/libxt_conntrack.c
++++ b/extensions/libxt_conntrack.c
+@@ -129,13 +129,20 @@ static const struct xt_option_entry conntrack2_mt_opts[] = {
+ .flags = XTOPT_INVERT},
+ {.name = "ctexpire", .id = O_CTEXPIRE, .type = XTTYPE_UINT32RC,
+ .flags = XTOPT_INVERT},
+- {.name = "ctorigsrcport", .id = O_CTORIGSRCPORT, .type = XTTYPE_PORT,
++ /*
++ * Rev 1 and 2 only store one port, and we would normally use
++ * %XTTYPE_PORT (rather than %XTTYPE_PORTRC) for that. The resulting
++ * error message - in case a user passed a range nevertheless -
++ * "port 22:23 resolved to nothing" is not quite as useful as using
++ * %XTTYPE_PORTC and libxt_conntrack's own range test.
++ */
++ {.name = "ctorigsrcport", .id = O_CTORIGSRCPORT, .type = XTTYPE_PORTRC,
+ .flags = XTOPT_INVERT | XTOPT_NBO},
+- {.name = "ctorigdstport", .id = O_CTORIGDSTPORT, .type = XTTYPE_PORT,
++ {.name = "ctorigdstport", .id = O_CTORIGDSTPORT, .type = XTTYPE_PORTRC,
+ .flags = XTOPT_INVERT | XTOPT_NBO},
+- {.name = "ctreplsrcport", .id = O_CTREPLSRCPORT, .type = XTTYPE_PORT,
++ {.name = "ctreplsrcport", .id = O_CTREPLSRCPORT, .type = XTTYPE_PORTRC,
+ .flags = XTOPT_INVERT | XTOPT_NBO},
+- {.name = "ctrepldstport", .id = O_CTREPLDSTPORT, .type = XTTYPE_PORT,
++ {.name = "ctrepldstport", .id = O_CTREPLDSTPORT, .type = XTTYPE_PORTRC,
+ .flags = XTOPT_INVERT | XTOPT_NBO},
+ {.name = "ctdir", .id = O_CTDIR, .type = XTTYPE_STRING},
+ XTOPT_TABLEEND,
diff --git a/net-firewall/iptables/iptables-1.4.12.1-r1.ebuild b/net-firewall/iptables/iptables-1.4.12.1-r1.ebuild
new file mode 100644
index 000000000000..3dca4d624dd9
--- /dev/null
+++ b/net-firewall/iptables/iptables-1.4.12.1-r1.ebuild
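Review bot: The embedded upstream commit message states that this patch only improves the error message and that the actual cause of the failure is fixed separately by commit v1.4.12-41-g1ad6407, whereas the ChangeLog entry in this commit presents it as the fix for the parsing bug (bug 383331). Changing the four port options from XTTYPE_PORT to XTTYPE_PORTRC plausibly does make a single port such as `--ctorigdstport 22` parse again, since the range check in libxt_conntrack's rev-2 parser (outside this hunk, as is the rest of the conntrack2_mt_opts[] table) would then see initialised range values, but nothing in the hunk establishes that; it should be verified against the bug report before the revision is stabilised, or the referenced upstream commit carried alongside this one. The new comment's `%XTTYPE_PORTC` reads like an upstream typo for `%XTTYPE_PORTRC`; it is comment-only and has no effect on behaviour.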
@@ -0,0 +1,88 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-firewall/iptables/iptables-1.4.12.1-r1.ebuild,v 1.1 2011/09/19 07:45:40 pva Exp $
+
+EAPI="4"
+
+# Force users doing their own patches to install their own tools
+AUTOTOOLS_AUTO_DEPEND=no
+
+inherit eutils toolchain-funcs autotools
+
+DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
+HOMEPAGE="http://www.iptables.org/"
+SRC_URI="http://iptables.org/projects/iptables/files/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
+IUSE="ipv6 netlink"
+
+COMMON_DEPEND="
+ netlink? ( net-libs/libnfnetlink )
+"
+DEPEND="
+ ${COMMON_DEPEND}
+ virtual/os-headers
+ sys-devel/automake
+"
+RDEPEND="
+ ${COMMON_DEPEND}
+"
+
+src_prepare() {
+ epatch "${FILESDIR}/iptables-1.4.12.1-lm.patch"
+ epatch "${FILESDIR}/iptables-1.4.12.1-conntrack-v2-ranges.patch"
+ eautomake
+
+ # Only run autotools if user patched something
+ epatch_user && eautoreconf || elibtoolize
+}
+
+src_configure() {
+ sed -i \
+ -e "/nfnetlink=[01]/s:=[01]:=$(use netlink && echo 1 || echo 0):" \
+ configure || die
+ econf \
+ --sbindir=/sbin \
+ --libexecdir=/$(get_libdir) \
+ --enable-devel \
+ --enable-libipq \
+ --enable-shared \
+ --enable-static \
+ $(use_enable ipv6)
+}
+
+src_compile() {
+ emake V=1
+}
+
+src_install() {
+ emake install DESTDIR="${D}"
+ dodoc INCOMPATIBILITIES iptables/iptables.xslt
+
+ # all the iptables binaries are in /sbin, so might as well
+ # put these small files in with them
+ into /
+ dosbin iptables/iptables-apply
+ dosym iptables-apply /sbin/ip6tables-apply
+ doman iptables/iptables-apply.8
+
+ insinto /usr/include
+ doins include/iptables.h $(use ipv6 && echo include/ip6tables.h)
+ insinto /usr/include/iptables
+ doins include/iptables/internal.h
+
+ keepdir /var/lib/iptables
+ newinitd "${FILESDIR}"/${PN}-1.4.11.init iptables
+ newconfd "${FILESDIR}"/${PN}-1.3.2.confd iptables
+ if use ipv6 ; then
+ keepdir /var/lib/ip6tables
+ newinitd "${FILESDIR}"/iptables-1.4.11.init ip6tables
+ newconfd "${FILESDIR}"/ip6tables-1.3.2.confd ip6tables
+ fi
+
+ # Move important libs to /lib
+ gen_usr_ldscript -a ip{4,6}tc ipq iptc xtables
+ find "${ED}" -type f -name '*.la' -exec rm -rf '{}' '+' || die "la removal failed"
+}
|