authorManuel Rüger <mrueg@gentoo.org>2014-08-25 19:30:51 +0000
committerManuel Rüger <mrueg@gentoo.org>2014-08-25 19:30:51 +0000
commitbcaa93383522575a2f870a16f4dc1f3676c25acb (patch)
tree5093feeaeb8a0f832a8ec76d2cfb7ef2ca4ea8e9 /net-firewall
parentStable for HPPA (bug #520338). (diff)
NMU: Version bump. See bug #511460. Generate manpage at build time. Add init script based on iptables scripts by Nicholas Vinson. See bug #508182.
Package-Manager: portage-2.2.12/cvs/Linux x86_64
Diffstat (limited to 'net-firewall')
-rw-r--r--net-firewall/nftables/ChangeLog10
-rw-r--r--net-firewall/nftables/Manifest6
-rw-r--r--net-firewall/nftables/files/nftables.confd19
-rw-r--r--net-firewall/nftables/files/nftables.init201
-rw-r--r--net-firewall/nftables/nftables-0.3.ebuild53
5 files changed, 286 insertions, 3 deletions
diff --git a/net-firewall/nftables/ChangeLog b/net-firewall/nftables/ChangeLog
index 4b61038ae538..6f64ab8e5bb2 100644
--- a/net-firewall/nftables/ChangeLog
+++ b/net-firewall/nftables/ChangeLog
@@ -1,6 +1,13 @@
# ChangeLog for net-firewall/nftables
# Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-firewall/nftables/ChangeLog,v 1.2 2014/02/01 20:13:10 steev Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-firewall/nftables/ChangeLog,v 1.3 2014/08/25 19:30:47 mrueg Exp $
+
+*nftables-0.3 (25 Aug 2014)
+
+ 25 Aug 2014; Manuel Rüger <mrueg@gentoo.org> +files/nftables.confd,
+ +files/nftables.init, +nftables-0.3.ebuild:
+ NMU: Version bump. See bug #511460. Generate manpage on buildtime. Add init
+ script based on iptables scripts by Nicholas Vinson. See bug #508182.
01 Feb 2014; Steev Klimaszewski <steev@gentoo.org> nftables-0.099.ebuild:
Add ~arm keyword. Tested by aholler on armv5
@@ -10,4 +17,3 @@
24 Jan 2014; Tony Vroon <chainsaw@gentoo.org> +nftables-0.099.ebuild,
+files/nftables-0.099-94300c7.patch, +files/nftables.8, +metadata.xml:
Initial commit. Patches & ebuilds by dwfreed, with some minor tweaks by me.
-
diff --git a/net-firewall/nftables/Manifest b/net-firewall/nftables/Manifest
index e022d6cc64ca..097b6fb0d55e 100644
--- a/net-firewall/nftables/Manifest
+++ b/net-firewall/nftables/Manifest
@@ -1,6 +1,10 @@
AUX nftables-0.099-94300c7.patch 743 SHA256 60db6d9f106c3f92649a1d8653681b4fcaa93de501d238ec811e29e41568eae7 SHA512 8d21f0c720e662815678a338a5f2a275af9db97ea31a71473d83e8084d3138833772ef236d859223736b0dbfd506051640de548a2b91e98c770f36516d330f88 WHIRLPOOL 55cda592961edd9e11219ba3fcd94bf76aea7aaefa411a341b2a90036e01ad448ea44142a4d2f4109c66ca3fc6c12248511f00d90895f63f9488afefaf4a9907
AUX nftables.8 9645 SHA256 bec3d7dcdc424691269852c9c322bb6ad770b6cfec4939920e32fa67ca8caac2 SHA512 aaf74c4bf0a854f3993b7ed5b9cecd436baa0bfc6b5ff119574d45c2504e5e772fc7cf41e1108b7f9cc013132c0bc0a86c6262cbfa870e639ad40ae93e25e4dc WHIRLPOOL e1c082fc3a56a9a0eb4782dfd9253857668052025d471e5124fc836246bc33b794f6d2293c46e2d5b0d8d1761b454ec8c21eb627ed95e97f07fe47f704dcdae2
+AUX nftables.confd 655 SHA256 d5e3077345dfea02849a70aea220396322a10c3808f0303b988119adbc56fdbd SHA512 8370abcdc89fcd9da5dc7d1620be6afb4633b8bcd0a8a120b464cc1a7e1fab6f34956c293da3f6d3cbe1f7a2e03038fd0c94a614137ae5657d29ffdb5f3fa144 WHIRLPOOL e39d13f996e620aa82714cb18e4f57624faa302f2259a44cc065804edf95fe07a314f744d17a76be6941c3771da6b233a19ae5b6b2f63783847121c63339197f
+AUX nftables.init 5002 SHA256 b8a0a523ef910523da554f04f19164e5e2c10013ba91fd844630bb5d91a78f2a SHA512 f6421040fa1e548e47f0f6e518093a2c34bd0f39d72f0ec6d72d03e5c7b2e2242e74cb6280bd678e6680737b67e48945fe3727e20302885308ddb7ab602b4883 WHIRLPOOL 2fc69ea6a45c0e1a274f78b9f73cbe61fa4f6c069cc1ff3baaffd301f48039e7ff877fde0cca5d67a7e144becd420587c9b2691fadf861742a95a4b107bb751c
DIST nftables-0.099.tar.bz2 129351 SHA256 1a9e5f9e4d4790d69537c4d228676edc41a0890aea394e38233c351f694bf306 SHA512 5d54e1ca47544527768192776e3846254ff9af8aaa14bd6b3e2942deeedf424e62b9e1b68ab750c475ec1b2ddcf366e8a6c8ea79ad7319e8e2911890e270a2aa WHIRLPOOL 6f63be1c597719d10aade0d6c0fc3ec0a7320b960fa158d3cfbcc932b0057df2f12c3190d9e35cd29bf8c17c4c99bafbd175505ca617d740d9002dc8ac844e80
+DIST nftables-0.3.tar.bz2 160585 SHA256 4d372645442d89675c7148b8a0a112c4825b57edf8bad15ddf9a08c220229c2f SHA512 76e280e6c42ad3c1d70d0b16c2d488ba92ffae1611241a9949f537da143f613ba06d5b2d7fbc40f0b51ac26a4e35cb93954816bab99dc0f485ef5797e1fcf1a0 WHIRLPOOL 019478f5be2204e9d48df47fab0cd6c07650accbc10c0857cea22c407965db71986c3f03e07b205ac80aa1cfaf4550d25896d1f25ec7f2b859fd24d5a2f774e5
EBUILD nftables-0.099.ebuild 1104 SHA256 e7bb0b76616aa741a584f450417193c663edf2dc221087f940729f05cdd3e17b SHA512 c4834348f2d446ebab32ec90e078173113d2519ebe0b0a7ad7867a7a00f2aca83baca4d8af041bfd8e9f52126bf6b63eaa95ef562a4ea72b85205f3c8d49c2ea WHIRLPOOL 0c8a126449980097daef9861f38dc076cdc5c1508b6c82c1ae86bdf51923b4fd89f52859eb0e379ea3a123b5609d4657bfac42a21b9961edcd9063e48b862da1
-MISC ChangeLog 593 SHA256 6912803f1e3d46286b8b4ac4ed386dd41d64dd4bca3b0fdbc51e9186723fdf17 SHA512 83d8f5120b69ff4be1916675c1899bcd39d175d3bb4876a95e1440ab1b5cc45d94da81cf7b93c0f4a1a9f4c1020643bf3a745824da4b4ff8ec71cb4ea47ffca6 WHIRLPOOL 7c45e9ea68230bb825092b02cbc5a923a4c8f949c86830dd1abd297a6b03f26b8115b7a318ab319d14519b2442eaa81ac516d07c8b75feb67f9549fd56883a98
+EBUILD nftables-0.3.ebuild 1143 SHA256 8cb1a1e5ed5cccb3ef9afce34bdc08a60fcdecffd6642d613a035e8480dcbdd3 SHA512 2a61445142731935c7d0f4459a32cf7c751325e5bbc385810d66b918544b0157c17ff852b7c79639a29fd462de37cab9fce155d02e4f23c1f8ee1c31f9eda734 WHIRLPOOL f3e036c6e81dc1d9a688304ed45f203f0bbfa4d631b8b605501ee5379bfd27752d6458b53aca5b17e33e28a68809377ed80a05c8c63e5f9b0b822f30c76b0e4d
+MISC ChangeLog 889 SHA256 e961b71107a0c74c24e85777360f4e38fb23db6f5ba3ca9fe2cd06237ca0183b SHA512 334f420fd886b4474e69fe410059ba6e448476ca34eb99fddbcbee9900d2190325b6c4cc6bfdfae17dbea138712b28b6a9b78d66e517eb9eeda28cabe566819e WHIRLPOOL 75f1e58d0d1627cfb94b60e0ad1ebb4519d08059ddc6302a229de54a564b7e735d09ebc83f23d25e866bb23491d99b09bdf1002403219ad0986ecb6e0794aaca
MISC metadata.xml 164 SHA256 f5f2891f2a4791cd31350bb2bb572131ad7235cd0eeb124c9912c187ac10ce92 SHA512 8eb0d5153d388f6ea069c64b93882244816a0a09aecc0d73cb872121ce0eb24c5ccafa96aad0b620b2300f319e1af101fa7fa6c5d0d561719d49bb07da0a2eca WHIRLPOOL 11a1441bddb7a6c69653c663902b7da5767ae6ad515ac2aabfc42fe37927a1ccc21472deeee454009ff720201a41c3e4a912df42661a0a87150fb46126da2d52
diff --git a/net-firewall/nftables/files/nftables.confd b/net-firewall/nftables/files/nftables.confd
new file mode 100644
index 000000000000..e83a4b962061
--- /dev/null
+++ b/net-firewall/nftables/files/nftables.confd
@@ -0,0 +1,19 @@
+# /etc/conf.d/nftables
+
+# Location in which nftables initscript will save set rules on
+# service shutdown
+NFTABLES_SAVE="/var/lib/nftables/rules-save"
+
+# Options to pass to nft on save
+SAVE_OPTIONS="-n"
+
+# Save state on stopping nftables
+SAVE_ON_STOP="yes"
+
+# If you need to log nftables messages as soon as nftables starts,
+# AND your logger does NOT depend on the network, then you may wish
+# to uncomment the next line.
+# If your logger depends on the network, and you uncomment this line
+# you will create an unresolvable circular dependency during startup.
+# After commenting or uncommenting this line, you must run 'rc-update -u'.
+#rc_use="logger"
diff --git a/net-firewall/nftables/files/nftables.init b/net-firewall/nftables/files/nftables.init
new file mode 100644
index 000000000000..a5c324602adf
--- /dev/null
+++ b/net-firewall/nftables/files/nftables.init
@@ -0,0 +1,201 @@
+#!/sbin/runscript
+# Copyright 2014 Nicholas Vinson
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+extra_commands="check clear list panic save"
+extra_started_commands="reload"
+
+nftables_name=nftables
+nft_bin=/sbin/nft
+
+depend() {
+ need localmount #434774
+ before net
+}
+
+checkkernel() {
+ ${nft_bin} list tables &>/dev/null
+ if [ $? -ne 0 ]; then
+ eerror "Your kernel lacks ${nftables_name} support, please load"
+ eerror "appropriate modules and try again."
+ return 1
+ fi
+ return 0
+}
+
+checkconfig() {
+ if [ ! -f ${NFTABLES_SAVE} ]; then
+ eerror "Not starting ${nftables_name}. First create some rules then run:"
+ eerror "/etc/init.d/${nftables_name} save"
+ return 1
+ fi
+ return 0
+}
+
+checkfamilies() {
+ if [ -n "${families+set}" ]; then
+ return
+ fi
+
+ local families=()
+ for l3f in ip arp ip6 bridge inet; do
+ ${nft_bin} list tables ${l3f} &> /dev/null
+ if [ $? -eq 0 ]; then
+ families+=($l3f)
+ fi
+ done
+}
+
+havefamily() {
+ local i tfamily=$1
+ checkfamilies
+
+ for i in ${families[@]}; do
+ if [ $i == $tfamily ]; then
+ return 0
+ fi
+ done
+ return 1
+}
+
+clearNFT() {
+ checkfamilies
+
+ local l3f line table chain
+
+ for l3f in ${families[@]}; do
+ ${nft_bin} list tables ${l3f} | while read line; do
+ table=$(echo ${line} | sed "s/table[ \t]*//")
+ ${nft_bin} flush table ${l3f} ${table}
+ ${nft_bin} list table ${l3f} ${table} | while read l; do
+ chain=$(echo $l | grep -o 'chain [^[:space:]]\+' |\
+ cut -d ' ' -f2)
+ if [ -n "${chain}" ]; then
+ ${nft_bin} flush chain ${l3f} ${table} ${chain}
+ ${nft_bin} delete chain ${l3f} ${table} ${chain}
+ fi
+ done
+ ${nft_bin} delete table ${l3f} ${table}
+ done
+ done
+}
+
+addpanictable() {
+ local l3f=$1
+ nft add table ${l3f} panic
+ nft add chain ${l3f} panic input \{ type filter hook input priority 0\; \}
+ nft add chain ${l3f} panic output \{ type filter hook output priority 0\; \}
+ nft add chain ${l3f} panic forward \{ type filter hook forward priority 0\; \}
+ nft add rule ${l3f} panic input drop
+ nft add rule ${l3f} panic output drop
+ nft add rule ${l3f} panic forward drop
+}
+
+checkrules() {
+ ewarn "Rules not checked as ${nftables_name} does not support this feature."
+ return 0
+}
+
+start() {
+ checkkernel || return 1
+ checkconfig || return 1
+ ebegin "Loading ${nftables_name} state and starting firewall"
+ clearNFT
+ ${nft_bin} -f ${NFTABLES_SAVE}
+ eend $?
+}
+
+stop() {
+ if [ "${SAVE_ON_STOP}" = "yes" ] ; then
+ save || return 1
+ fi
+
+ ebegin "Stopping firewall"
+ clearNFT
+ eend $?
+}
+
+reload() {
+ checkkernel || return 1
+ # checkrules || return 1
+ ebegin "Flushing firewall"
+ clearNFT
+
+ start
+}
+
+check() {
+ # Short name for users of init.d script
+ checkrules
+}
+
+clear() {
+ clearNFT
+}
+
+list() {
+ checkfamilies
+ local l3f
+
+ for l3f in ${families[@]}; do
+ ${nft_bin} list tables ${l3f} | while read line; do
+ line=$(echo ${line} | sed "s/table/table ${l3f}/")
+ echo "$(${nft_bin} list ${line})"
+ done
+ done
+}
+
+save() {
+ checkfamilies
+
+ ebegin "Saving ${nftables_name} state"
+ checkpath -q -d "$(dirname "${NFTABLES_SAVE}")"
+ checkpath -q -m 0600 -f "${NFTABLES_SAVE}"
+
+ local l3f line tmp_save="${NFTABLES_SAVE}.tmp"
+
+ touch "${tmp_save}"
+ for l3f in ${families[@]}; do
+ ${nft_bin} list tables ${l3f} | while read line; do
+ line=$(echo ${line} | sed "s/table/table ${l3f}/")
+ # The below substitution fixes an issue where nft -n output may not
+ # always be parsable by nft -f. For example, nft -n might print
+ #
+ # ip6 saddr ::1 ip6 daddr ::1 counter packets 0 bytes 0 accept
+ #
+ # but nft -f refuses to parse that string with error:
+ #
+ # In file included from internal:0:0-0:
+ # /var/lib/nftables/rules-save:1:1-2: Error: Could not process rule:
+ # Invalid argument
+ # table ip6 filter {
+ # ^^
+ echo "$(${nft_bin} ${SAVE_OPTIONS} list ${line} |\
+ sed 's/\(::[0-9a-fA-F]\+\)\([^/]\)/\1\/128\2/g')" >> "${tmp_save}"
+ done
+ done
+ mv "${tmp_save}" "${NFTABLES_SAVE}"
+}
+
+panic() {
+ checkkernel || return 1
+ if service_started ${nftables_name}; then
+ rc-service ${nftables_name} stop
+ fi
+
+ ebegin "Dropping all packets"
+ clearNFT
+
+ if havefamily "inet"; then
+ einfo inet
+ fi
+
+ local l3f
+ for l3f in ${families[@]}; do
+ case ${l3f} in
+ ip) addpanictable ${l3f} ;;
+ ip6) addpanictable ${l3f} ;;
+ esac
+ done
+}
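Review bot: `local families=()` in checkfamilies scopes the array to that function, so havefamily, clearNFT, list, save and panic all iterate an unset `families` and do nothing, and the `${families+set}` guard at the top of checkfamilies never sees a cached value either. The visible consequence in panic is fail-open: it prints "Dropping all packets" but the loop calling addpanictable has no families to visit, so no drop tables are created; the fix is to drop the keyword, `families=()`. save has a related permission problem: `checkpath -q -m 0600 -f "${NFTABLES_SAVE}"` sets the mode on the final path, but the ruleset is written to `${tmp_save}` created by `touch` under the running umask and then `mv`'d over it, so the saved rules end up with the umask's mode rather than 0600; create the temp file with `checkpath -q -m 0600 -f "${tmp_save}"` instead of `touch`. addpanictable also calls bare `nft` where every other function uses `${nft_bin}`, and `${NFTABLES_SAVE}` is unquoted in checkconfig and start, so a path containing spaces breaks both.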
diff --git a/net-firewall/nftables/nftables-0.3.ebuild b/net-firewall/nftables/nftables-0.3.ebuild
new file mode 100644
index 000000000000..ed24ed3a9839
--- /dev/null
+++ b/net-firewall/nftables/nftables-0.3.ebuild
@@ -0,0 +1,53 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-firewall/nftables/nftables-0.3.ebuild,v 1.1 2014/08/25 19:30:47 mrueg Exp $
+
+EAPI=5
+
+inherit autotools base linux-info
+
+DESCRIPTION="Linux kernel (3.13+) firewall, NAT and packet mangling tools"
+HOMEPAGE="http://netfilter.org/projects/nftables/"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~x86"
+IUSE="debug"
+SRC_URI="http://netfilter.org/projects/${PN}/files/${P}.tar.bz2"
+
+RDEPEND="net-libs/libmnl
+ >=net-libs/libnftnl-1.0.2
+ dev-libs/gmp
+ sys-libs/readline"
+DEPEND="${RDEPEND}
+ app-text/docbook2X
+ sys-devel/bison
+ sys-devel/flex"
+
+pkg_setup() {
+ if kernel_is ge 3 13; then
+ CONFIG_CHECK="~NF_TABLES"
+ linux-info_pkg_setup
+ else
+ eerror "This package requires kernel version 3.13 or newer to work properly."
+ fi
+}
+
+src_prepare() {
+ base_src_prepare
+ eautoreconf
+}
+
+src_configure() {
+ econf \
+ --sbindir="${EPREFIX}"/sbin \
+ $(use_enable debug)
+}
+
+src_install() {
+ default
+
+ newconfd "${FILESDIR}"/${PN}.confd ${PN}
+ newinitd "${FILESDIR}"/${PN}.init ${PN}
+ keepdir /var/lib/nftables
+}
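Review bot: pkg_setup emits `eerror "This package requires kernel version 3.13 or newer to work properly."` on an old kernel but then returns normally, so the build proceeds as if nothing were wrong and the message is the only record of the problem. If the check is meant to be fatal, follow the message with `die "kernel too old"`; if it is advisory, consistent with the soft `~NF_TABLES` check in the other branch, `ewarn` is the conventional level for a non-fatal condition.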