summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat (limited to 'net-firewall')
-rw-r--r--net-firewall/iptables/ChangeLog9
-rw-r--r--net-firewall/iptables/files/iptables-1.4.12.1-conntrack-v2-ranges.patch48
-rw-r--r--net-firewall/iptables/iptables-1.4.12.1-r1.ebuild88
3 files changed, 144 insertions, 1 deletions
diff --git a/net-firewall/iptables/ChangeLog b/net-firewall/iptables/ChangeLog
index 511f058b2a26..954525d4eb21 100644
--- a/net-firewall/iptables/ChangeLog
+++ b/net-firewall/iptables/ChangeLog
@@ -1,6 +1,13 @@
# ChangeLog for net-firewall/iptables
# Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-firewall/iptables/ChangeLog,v 1.252 2011/09/18 16:57:17 maekke Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-firewall/iptables/ChangeLog,v 1.253 2011/09/19 07:45:40 pva Exp $
+
+*iptables-1.4.12.1-r1 (19 Sep 2011)
+
+ 19 Sep 2011; Peter Volkov <pva@gentoo.org> +iptables-1.4.12.1-r1.ebuild,
+ +files/iptables-1.4.12.1-conntrack-v2-ranges.patch:
+ Fix parsing bug in libxt_conntrack.c, bug 383331 thank Bill Kenworthy for
+ report.
18 Sep 2011; Markus Meier <maekke@gentoo.org> iptables-1.4.12.1.ebuild:
arm stable, bug #382367
diff --git a/net-firewall/iptables/files/iptables-1.4.12.1-conntrack-v2-ranges.patch b/net-firewall/iptables/files/iptables-1.4.12.1-conntrack-v2-ranges.patch
new file mode 100644
index 000000000000..9bbcc67cb6a5
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-1.4.12.1-conntrack-v2-ranges.patch
@@ -0,0 +1,48 @@
+commit 3412bd0bfb8b8bac9834cbfd3392b3d5487133bf
+Author: Tom Eastep <teastep@shorewall.net>
+Date: Thu Aug 18 15:11:16 2011 -0700
+
+ libxt_conntrack: improve error message on parsing violation
+
+ Tom Eastep noted:
+
+ $ iptables -A foo -m conntrack --ctorigdstport 22
+ iptables v1.4.12: conntrack rev 2 does not support port ranges
+ Try `iptables -h' or 'iptables --help' for more information.
+
+ Commit v1.4.12-41-g1ad6407 takes care of the actual cause of the bug,
+ but let's include Tom's patch nevertheless for the better error
+ message in case one actually does specify a range with rev 2.
+
+ References: http://marc.info/?l=netfilter-devel&m=131370592105298&w=2
+ Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
+
+diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c
+index 060b947..fff69f8 100644
+--- a/extensions/libxt_conntrack.c
++++ b/extensions/libxt_conntrack.c
+@@ -129,13 +129,20 @@ static const struct xt_option_entry conntrack2_mt_opts[] = {
+ .flags = XTOPT_INVERT},
+ {.name = "ctexpire", .id = O_CTEXPIRE, .type = XTTYPE_UINT32RC,
+ .flags = XTOPT_INVERT},
+- {.name = "ctorigsrcport", .id = O_CTORIGSRCPORT, .type = XTTYPE_PORT,
++ /*
++ * Rev 1 and 2 only store one port, and we would normally use
++ * %XTTYPE_PORT (rather than %XTTYPE_PORTRC) for that. The resulting
++ * error message - in case a user passed a range nevertheless -
++ * "port 22:23 resolved to nothing" is not quite as useful as using
++ * %XTTYPE_PORTC and libxt_conntrack's own range test.
++ */
++ {.name = "ctorigsrcport", .id = O_CTORIGSRCPORT, .type = XTTYPE_PORTRC,
+ .flags = XTOPT_INVERT | XTOPT_NBO},
+- {.name = "ctorigdstport", .id = O_CTORIGDSTPORT, .type = XTTYPE_PORT,
++ {.name = "ctorigdstport", .id = O_CTORIGDSTPORT, .type = XTTYPE_PORTRC,
+ .flags = XTOPT_INVERT | XTOPT_NBO},
+- {.name = "ctreplsrcport", .id = O_CTREPLSRCPORT, .type = XTTYPE_PORT,
++ {.name = "ctreplsrcport", .id = O_CTREPLSRCPORT, .type = XTTYPE_PORTRC,
+ .flags = XTOPT_INVERT | XTOPT_NBO},
+- {.name = "ctrepldstport", .id = O_CTREPLDSTPORT, .type = XTTYPE_PORT,
++ {.name = "ctrepldstport", .id = O_CTREPLDSTPORT, .type = XTTYPE_PORTRC,
+ .flags = XTOPT_INVERT | XTOPT_NBO},
+ {.name = "ctdir", .id = O_CTDIR, .type = XTTYPE_STRING},
+ XTOPT_TABLEEND,
diff --git a/net-firewall/iptables/iptables-1.4.12.1-r1.ebuild b/net-firewall/iptables/iptables-1.4.12.1-r1.ebuild
new file mode 100644
index 000000000000..3dca4d624dd9
--- /dev/null
+++ b/net-firewall/iptables/iptables-1.4.12.1-r1.ebuild
@@ -0,0 +1,88 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-firewall/iptables/iptables-1.4.12.1-r1.ebuild,v 1.1 2011/09/19 07:45:40 pva Exp $
+
+EAPI="4"
+
+# Force users doing their own patches to install their own tools
+AUTOTOOLS_AUTO_DEPEND=no
+
+inherit eutils toolchain-funcs autotools
+
+DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
+HOMEPAGE="http://www.iptables.org/"
+SRC_URI="http://iptables.org/projects/iptables/files/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
+IUSE="ipv6 netlink"
+
+COMMON_DEPEND="
+ netlink? ( net-libs/libnfnetlink )
+"
+DEPEND="
+ ${COMMON_DEPEND}
+ virtual/os-headers
+ sys-devel/automake
+"
+RDEPEND="
+ ${COMMON_DEPEND}
+"
+
+src_prepare() {
+ epatch "${FILESDIR}/iptables-1.4.12.1-lm.patch"
+ epatch "${FILESDIR}/iptables-1.4.12.1-conntrack-v2-ranges.patch"
+ eautomake
+
+ # Only run autotools if user patched something
+ epatch_user && eautoreconf || elibtoolize
+}
+
+src_configure() {
+ sed -i \
+ -e "/nfnetlink=[01]/s:=[01]:=$(use netlink && echo 1 || echo 0):" \
+ configure || die
+ econf \
+ --sbindir=/sbin \
+ --libexecdir=/$(get_libdir) \
+ --enable-devel \
+ --enable-libipq \
+ --enable-shared \
+ --enable-static \
+ $(use_enable ipv6)
+}
+
+src_compile() {
+ emake V=1
+}
+
+src_install() {
+ emake install DESTDIR="${D}"
+ dodoc INCOMPATIBILITIES iptables/iptables.xslt
+
+ # all the iptables binaries are in /sbin, so might as well
+ # put these small files in with them
+ into /
+ dosbin iptables/iptables-apply
+ dosym iptables-apply /sbin/ip6tables-apply
+ doman iptables/iptables-apply.8
+
+ insinto /usr/include
+ doins include/iptables.h $(use ipv6 && echo include/ip6tables.h)
+ insinto /usr/include/iptables
+ doins include/iptables/internal.h
+
+ keepdir /var/lib/iptables
+ newinitd "${FILESDIR}"/${PN}-1.4.11.init iptables
+ newconfd "${FILESDIR}"/${PN}-1.3.2.confd iptables
+ if use ipv6 ; then
+ keepdir /var/lib/ip6tables
+ newinitd "${FILESDIR}"/iptables-1.4.11.init ip6tables
+ newconfd "${FILESDIR}"/ip6tables-1.3.2.confd ip6tables
+ fi
+
+ # Move important libs to /lib
+ gen_usr_ldscript -a ip{4,6}tc ipq iptc xtables
+ find "${ED}" -type f -name '*.la' -exec rm -rf '{}' '+' || die "la removal failed"
+}