author | Sam James <sam@gentoo.org> | 2022-12-26 08:22:38 +0000 |
---|---|---|
committer | Sam James <sam@gentoo.org> | 2022-12-26 08:32:57 +0000 |
commit | 95e050cf52f79c17d80907fcb1adca20c30be825 (patch) | |
tree | 36d67bddb310fb8c0a8f5fb947f49ec97bb513a7 /net-firewall/nftables | |
parent | dev-libs/nettle: drop 3.7.3 (diff) | |
net-firewall/nftables: drop 1.0.2-r1, 1.0.4-r2
Signed-off-by: Sam James <sam@gentoo.org>
Diffstat (limited to 'net-firewall/nftables')
7 files changed, 0 insertions, 763 deletions
diff --git a/net-firewall/nftables/Manifest b/net-firewall/nftables/Manifest
index 72f7151be1aa..3537caf064d6 100644
--- a/net-firewall/nftables/Manifest
+++ b/net-firewall/nftables/Manifest
@@ -1,7 +1,3 @@
-DIST nftables-1.0.2.tar.bz2 970781 BLAKE2B 650ae6badb574ff3628d21c8aa99f81e73932dd172b3569618696100bf3853b9a108bf0296dcf9d615ae7c0fbec84b48266299b62cf755d181d19c626f8a3cd4 SHA512 560d23c6e369eafd7b354d29fe73d46154e4a74dec000178c1aea47751fe535d20c4e6bbecd3955eb2b327c7a60b1269e5c6dc5781498546b639fa2d1367a9ca
-DIST nftables-1.0.2.tar.bz2.sig 566 BLAKE2B 5b7a20b28c274a950b718e2e14313772707b6bdc3f4519f747350593c1eb3bfbcf8c5dd9ae7d5aa0488c5cde9af8b58e05349c75e8a8246c5634303a331f9d98 SHA512 9be59d771833ac315fd52cffe7074ed9d49fbf592aec8d94500bbc7cc1f44dcb54b3815c46831a5e7e4c4770901cbdd6b8ffc5aa8d8cb7e064ec1c8453d890f1
-DIST nftables-1.0.4.tar.bz2 979540 BLAKE2B 1b2c596245cb7f1bc574250d13b9ff6f424f98e98d5955befadb83ea0a71acc6524b066e39f1e9d151f3946b690b2dee45b7d416347371f88911c8d6a9de047e SHA512 7d96c791365d399b3b930a1f9d6c6aa4a8c2180c258bb5163d9d62ea4d094857e2ebb20fc3ef13b89f449f216d0a291d3bcf288704f1e3bd3ceb51b6cadf8215
-DIST nftables-1.0.4.tar.bz2.sig 566 BLAKE2B 1ac42a2eb678abcc21d01bbaf5f9a3af3f4c49fa1f0732f2522d3da14e94aacbb12075650d2786224f8fef869fcdc94a1463bd76272aa44fc50ea31a8ebae1bf SHA512 2d2acd4810c1ede844e1eac81a5480866ad40ae71dfcf92d166fd9295290adff70d35d7de8cf1ec81ab63d184b221419ff144bc7010e18884afa992173723af8
 DIST nftables-1.0.5.tar.bz2 982538 BLAKE2B 5d58170b8fc6feccc1581653cd0815d37b59b43b7f4f9bff9f7fb46928c6c7eee5a6f07150c404f7cf42f5a1d2e980860a4dd2589b99773179e019a093c42cfa SHA512 51cbf10579db7eed58f4358044840f2ce1bffe84533c5fb03e0ebcc702970856455576ac793169c94d38a9f8148e33631ad91444e54a8be189d93af7c27feb9a
 DIST nftables-1.0.5.tar.bz2.sig 566 BLAKE2B 7744a84c213999b35c3094fa5d9f974acec6fedac3d310422834285823825bcb14fb55b463d88b91fa41d79e33ce34498769992d912b7178fa1f70bd7a1e0977 SHA512 fbff6b5b28d81e964d4523729c7866d0b52d764d090cae70a43d850bc579b17308ec41a3d7fe6707877850028e99ad09c33b5e87fa16ac5199dfeba193a61511
 DIST nftables-1.0.6.tar.xz 834584 BLAKE2B 
7c14db883f0ee9394b603870c93dcc92ce472bf0349a59d0e377f1d44efc870df3449d6f2dc9a198f2e396e5d73b19532dac498e832083ca8cf65cc78db9ccd4 SHA512 afe08381acd27d39cc94743190b07c579f8c49c4182c9b8753d5b3a0b7d1fe89ed664fdbc19cef1547c3ca4a0c1e32ca4303dba9ec626272fa08c77e88c11119 diff --git a/net-firewall/nftables/files/nftables-1.0.2-build-explicitly-pass-version-script-to-linker.patch b/net-firewall/nftables/files/nftables-1.0.2-build-explicitly-pass-version-script-to-linker.patch deleted file mode 100644 index 41c3de5bc83b..000000000000 --- a/net-firewall/nftables/files/nftables-1.0.2-build-explicitly-pass-version-script-to-linker.patch +++ /dev/null @@ -1,27 +0,0 @@ -https://git.netfilter.org/nftables/commit/src?id=1d507ce7f1d3c12481ee24bd1dcac2fc1984ee9f - -From: Sam James <sam@gentoo.org> -Date: Thu, 24 Feb 2022 19:45:43 +0000 -Subject: build: explicitly pass --version-script to linker - ---version-script is a linker option, so let's use -Wl, so that -libtool handles it properly. It seems like the previous method gets silently -ignored with GNU libtool in some cases(?) and downstream in Gentoo, -we had to apply this change to make the build work with slibtool anyway. - -But it's indeed correct in any case, so let's swap. - -Signed-off-by: Sam James <sam@gentoo.org> -Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> ---- a/src/Makefile.am -+++ b/src/Makefile.am -@@ -91,7 +91,7 @@ libparser_la_CFLAGS = ${AM_CFLAGS} \ - - libnftables_la_LIBADD = ${LIBMNL_LIBS} ${LIBNFTNL_LIBS} libparser.la - libnftables_la_LDFLAGS = -version-info ${libnftables_LIBVERSION} \ -- --version-script=$(srcdir)/libnftables.map -+ -Wl,--version-script=$(srcdir)/libnftables.map - - if BUILD_MINIGMP - noinst_LTLIBRARIES += libminigmp.la -cgit v1.2.3 diff --git a/net-firewall/nftables/files/nftables-1.0.2-compilation.patch b/net-firewall/nftables/files/nftables-1.0.2-compilation.patch deleted file mode 100644 index 96670c1d9531..000000000000 
--- a/net-firewall/nftables/files/nftables-1.0.2-compilation.patch +++ /dev/null @@ -1,36 +0,0 @@ -https://git.netfilter.org/nftables/commit/?id=18a08fb7f0443f8bde83393bd6f69e23a04246b3 - -From 18a08fb7f0443f8bde83393bd6f69e23a04246b3 Mon Sep 17 00:00:00 2001 -From: Pablo Neira Ayuso <pablo@netfilter.org> -Date: Tue, 22 Feb 2022 00:56:36 +0100 -Subject: examples: compile with `make check' and add AM_CPPFLAGS - -Compile examples via `make check' like libnftnl does. Use AM_CPPFLAGS to -specify local headers via -I. - -Unfortunately, `make distcheck' did not catch this compile time error in -my system, since it was using the nftables/libnftables.h file of the -previous nftables release. - -Fixes: 5b364657a35f ("build: missing SUBIRS update") -Fixes: caf2a6ad2d22 ("examples: add libnftables example program") -Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> ---- - examples/Makefile.am | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/examples/Makefile.am b/examples/Makefile.am -index c972170d..3b8b0b67 100644 ---- a/examples/Makefile.am -+++ b/examples/Makefile.am -@@ -1,4 +1,6 @@ --noinst_PROGRAMS = nft-buffer \ -+check_PROGRAMS = nft-buffer \ - nft-json-file - -+AM_CPPFLAGS = -I$(top_srcdir)/include -+ - LDADD = $(top_builddir)/src/libnftables.la --- -cgit v1.2.3 - diff --git a/net-firewall/nftables/files/nftables-1.0.2-libnftables.map-export-new-nft_ctx_-get-set-_optimiz.patch b/net-firewall/nftables/files/nftables-1.0.2-libnftables.map-export-new-nft_ctx_-get-set-_optimiz.patch deleted file mode 100644 index 09841d482222..000000000000 --- a/net-firewall/nftables/files/nftables-1.0.2-libnftables.map-export-new-nft_ctx_-get-set-_optimiz.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -https://git.netfilter.org/nftables/commit/src?id=e98a9b83cd52c7c75bedb3dad46539b197ed17ba - -From: Sam James <sam@gentoo.org> -Date: Thu, 24 Feb 2022 19:45:42 +0000 -Subject: libnftables.map: export new nft_ctx_{get,set}_optimize API - -[ Remove incorrect symbol names were exported via .map file ] - -Without this, we're not explicitly saying this is part of the -public API. - -This new API was added in 1.0.2 and is used by e.g. the main -nft binary. Noticed when fixing the version-script option -(separate patch) which picked up this problem when .map -was missing symbols (related to when symbol visibility -options get set). - -Signed-off-by: Sam James <sam@gentoo.org> -Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> ---- a/src/libnftables.map -+++ b/src/libnftables.map -@@ -30,6 +30,6 @@ LIBNFTABLES_2 { - } LIBNFTABLES_1; - - LIBNFTABLES_3 { -- nft_set_optimize; -- nft_get_optimize; -+ nft_ctx_set_optimize; -+ nft_ctx_get_optimize; - } LIBNFTABLES_2; -cgit v1.2.3 diff --git a/net-firewall/nftables/files/nftables-1.0.4-revert-scanner-flags-move-to-own-scope.patch b/net-firewall/nftables/files/nftables-1.0.4-revert-scanner-flags-move-to-own-scope.patch deleted file mode 100644 index db58602bb4e6..000000000000 --- a/net-firewall/nftables/files/nftables-1.0.4-revert-scanner-flags-move-to-own-scope.patch +++ /dev/null 
@@ -1,252 +0,0 @@ -From 638af0ceb2b22307098bb2730822e148ef0b9424 Mon Sep 17 00:00:00 2001 -From: Florian Westphal <fw@strlen.de> -Date: Fri, 10 Jun 2022 13:01:46 +0200 -Subject: Revert "scanner: flags: move to own scope" -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Excess nesting of scanner scopes is very fragile and error prone: - -rule `iif != lo ip daddr 127.0.0.1/8 counter limit rate 1/second log flags all prefix "nft_lo4 " drop` -fails with `Error: No symbol type information` hinting at `prefix` - -Problem is that we nest via: - counter - limit - log - flags - -By the time 'prefix' is scanned, state is still stuck in 'counter' due -to this nesting. Working around "prefix" isn't enough, any other -keyword, e.g. "level" in 'flags all level debug' will be parsed as 'string' too. - -So, revert this. - -Fixes: a16697097e2b ("scanner: flags: move to own scope") -Reported-by: Christian Göttsche <cgzones@googlemail.com> -Signed-off-by: Florian Westphal <fw@strlen.de> ---- - include/parser.h | 1 - - src/parser_bison.y | 29 ++++++++++++++--------------- - src/scanner.l | 18 +++++++----------- - tests/shell/testcases/parsing/log | 10 ++++++++++ - 4 files changed, 31 insertions(+), 27 deletions(-) - create mode 100755 tests/shell/testcases/parsing/log - -diff --git a/include/parser.h b/include/parser.h -index f32154cc..d8d2eb11 100644 ---- a/include/parser.h -+++ b/include/parser.h -@@ -35,7 +35,6 @@ enum startcond_type { - PARSER_SC_CT, - PARSER_SC_COUNTER, - PARSER_SC_ETH, -- PARSER_SC_FLAGS, - PARSER_SC_ICMP, - PARSER_SC_IGMP, - PARSER_SC_IP, -diff --git a/src/parser_bison.y b/src/parser_bison.y -index ca5c488c..2a0240fb 100644 ---- a/src/parser_bison.y -+++ b/src/parser_bison.y -@@ -942,7 +942,6 @@ close_scope_esp : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_ESP); } - close_scope_eth : { scanner_pop_start_cond(nft->scanner, PARSER_SC_ETH); }; - close_scope_export : { scanner_pop_start_cond(nft->scanner, 
PARSER_SC_CMD_EXPORT); }; - close_scope_fib : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_FIB); }; --close_scope_flags : { scanner_pop_start_cond(nft->scanner, PARSER_SC_FLAGS); }; - close_scope_frag : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_FRAG); }; - close_scope_fwd : { scanner_pop_start_cond(nft->scanner, PARSER_SC_STMT_FWD); }; - close_scope_hash : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_HASH); }; -@@ -1679,7 +1678,7 @@ table_block_alloc : /* empty */ - } - ; - --table_options : FLAGS STRING close_scope_flags -+table_options : FLAGS STRING - { - if (strcmp($2, "dormant") == 0) { - $<table>0->flags |= TABLE_F_DORMANT; -@@ -1946,7 +1945,7 @@ set_block : /* empty */ { $$ = $<set>-1; } - datatype_set($1->key, $3->dtype); - $$ = $1; - } -- | set_block FLAGS set_flag_list stmt_separator close_scope_flags -+ | set_block FLAGS set_flag_list stmt_separator - { - $1->flags = $3; - $$ = $1; -@@ -2080,7 +2079,7 @@ map_block : /* empty */ { $$ = $<set>-1; } - $1->flags |= NFT_SET_OBJECT; - $$ = $1; - } -- | map_block FLAGS set_flag_list stmt_separator close_scope_flags -+ | map_block FLAGS set_flag_list stmt_separator - { - $1->flags |= $3; - $$ = $1; -@@ -2153,7 +2152,7 @@ flowtable_block : /* empty */ { $$ = $<flowtable>-1; } - { - $$->flags |= NFT_FLOWTABLE_COUNTER; - } -- | flowtable_block FLAGS OFFLOAD stmt_separator close_scope_flags -+ | flowtable_block FLAGS OFFLOAD stmt_separator - { - $$->flags |= FLOWTABLE_F_HW_OFFLOAD; - } -@@ -2520,7 +2519,7 @@ dev_spec : DEVICE string - | /* empty */ { $$ = NULL; } - ; - --flags_spec : FLAGS OFFLOAD close_scope_flags -+flags_spec : FLAGS OFFLOAD - { - $<chain>0->flags |= CHAIN_F_HW_OFFLOAD; - } -@@ -3126,7 +3125,7 @@ log_arg : PREFIX string - $<stmt>0->log.level = $2; - $<stmt>0->log.flags |= STMT_LOG_LEVEL; - } -- | FLAGS log_flags close_scope_flags -+ | FLAGS log_flags - { - $<stmt>0->log.logflags |= $2; - } -@@ -3828,13 +3827,13 @@ queue_stmt : queue_stmt_compat close_scope_queue - { - 
$$ = queue_stmt_alloc(&@$, $3, 0); - } -- | QUEUE FLAGS queue_stmt_flags close_scope_flags TO queue_stmt_expr close_scope_queue -+ | QUEUE FLAGS queue_stmt_flags TO queue_stmt_expr close_scope_queue - { -- $$ = queue_stmt_alloc(&@$, $6, $3); -+ $$ = queue_stmt_alloc(&@$, $5, $3); - } -- | QUEUE FLAGS queue_stmt_flags close_scope_flags QUEUENUM queue_stmt_expr_simple close_scope_queue -+ | QUEUE FLAGS queue_stmt_flags QUEUENUM queue_stmt_expr_simple close_scope_queue - { -- $$ = queue_stmt_alloc(&@$, $6, $3); -+ $$ = queue_stmt_alloc(&@$, $5, $3); - } - ; - -@@ -5501,7 +5500,7 @@ comp_hdr_expr : COMP comp_hdr_field close_scope_comp - ; - - comp_hdr_field : NEXTHDR { $$ = COMPHDR_NEXTHDR; } -- | FLAGS close_scope_flags { $$ = COMPHDR_FLAGS; } -+ | FLAGS { $$ = COMPHDR_FLAGS; } - | CPI { $$ = COMPHDR_CPI; } - ; - -@@ -5562,7 +5561,7 @@ tcp_hdr_field : SPORT { $$ = TCPHDR_SPORT; } - | ACKSEQ { $$ = TCPHDR_ACKSEQ; } - | DOFF { $$ = TCPHDR_DOFF; } - | RESERVED { $$ = TCPHDR_RESERVED; } -- | FLAGS close_scope_flags { $$ = TCPHDR_FLAGS; } -+ | FLAGS { $$ = TCPHDR_FLAGS; } - | WINDOW { $$ = TCPHDR_WINDOW; } - | CHECKSUM { $$ = TCPHDR_CHECKSUM; } - | URGPTR { $$ = TCPHDR_URGPTR; } -@@ -5676,7 +5675,7 @@ sctp_chunk_type : DATA { $$ = SCTP_CHUNK_TYPE_DATA; } - ; - - sctp_chunk_common_field : TYPE close_scope_type { $$ = SCTP_CHUNK_COMMON_TYPE; } -- | FLAGS close_scope_flags { $$ = SCTP_CHUNK_COMMON_FLAGS; } -+ | FLAGS { $$ = SCTP_CHUNK_COMMON_FLAGS; } - | LENGTH { $$ = SCTP_CHUNK_COMMON_LENGTH; } - ; - -@@ -5844,7 +5843,7 @@ rt4_hdr_expr : RT4 rt4_hdr_field close_scope_rt - ; - - rt4_hdr_field : LAST_ENT { $$ = RT4HDR_LASTENT; } -- | FLAGS close_scope_flags { $$ = RT4HDR_FLAGS; } -+ | FLAGS { $$ = RT4HDR_FLAGS; } - | TAG { $$ = RT4HDR_TAG; } - | SID '[' NUM ']' - { -diff --git a/src/scanner.l b/src/scanner.l -index 2154281e..7eb74020 100644 ---- a/src/scanner.l -+++ b/src/scanner.l -@@ -201,7 +201,6 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr}) - %s SCANSTATE_CT - %s 
SCANSTATE_COUNTER - %s SCANSTATE_ETH --%s SCANSTATE_FLAGS - %s SCANSTATE_ICMP - %s SCANSTATE_IGMP - %s SCANSTATE_IP -@@ -339,7 +338,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr}) - "jump" { return JUMP; } - "goto" { return GOTO; } - "return" { return RETURN; } --<SCANSTATE_EXPR_QUEUE,SCANSTATE_STMT_DUP,SCANSTATE_STMT_FWD,SCANSTATE_STMT_NAT,SCANSTATE_STMT_TPROXY,SCANSTATE_FLAGS,SCANSTATE_IP,SCANSTATE_IP6>"to" { return TO; } /* XXX: SCANSTATE_FLAGS and SCANSTATE_IP here are workarounds */ -+<SCANSTATE_EXPR_QUEUE,SCANSTATE_STMT_DUP,SCANSTATE_STMT_FWD,SCANSTATE_STMT_NAT,SCANSTATE_STMT_TPROXY,SCANSTATE_IP,SCANSTATE_IP6>"to" { return TO; } /* XXX: SCANSTATE_IP is a workaround */ - - "inet" { return INET; } - "netdev" { return NETDEV; } -@@ -363,14 +362,9 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr}) - "index" { return INDEX; } - "comment" { return COMMENT; } - --<SCANSTATE_FLAGS>{ -- "constant" { return CONSTANT; } -- "dynamic" { return DYNAMIC; } -- -- /* log flags */ -- "all" { return ALL; } --} -+"constant" { return CONSTANT; } - "interval" { return INTERVAL; } -+"dynamic" { return DYNAMIC; } - "auto-merge" { return AUTOMERGE; } - "timeout" { return TIMEOUT; } - "gc-interval" { return GC_INTERVAL; } -@@ -418,7 +412,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr}) - } - - "queue" { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_QUEUE); return QUEUE;} --<SCANSTATE_FLAGS,SCANSTATE_EXPR_QUEUE>{ -+<SCANSTATE_EXPR_QUEUE>{ - "num" { return QUEUENUM;} - "bypass" { return BYPASS;} - "fanout" { return FANOUT;} -@@ -612,7 +606,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr}) - <SCANSTATE_EXPR_COMP>{ - "cpi" { return CPI; } - } --"flags" { scanner_push_start_cond(yyscanner, SCANSTATE_FLAGS); return FLAGS; } -+"flags" { return FLAGS; } - - "udp" { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_UDP); return UDP; } - "udplite" { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_UDPLITE); return UDPLITE; } -@@ -781,6 +775,8 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr}) - - 
"notrack" { return NOTRACK; } - -+"all" { return ALL; } -+ - <SCANSTATE_CMD_EXPORT,SCANSTATE_CMD_IMPORT,SCANSTATE_CMD_MONITOR>{ - "xml" { return XML; } - "json" { return JSON; } -diff --git a/tests/shell/testcases/parsing/log b/tests/shell/testcases/parsing/log -new file mode 100755 -index 00000000..0b89d589 ---- /dev/null -+++ b/tests/shell/testcases/parsing/log -@@ -0,0 +1,10 @@ -+#!/bin/bash -+ -+$NFT add table t || exit 1 -+$NFT add chain t c || exit 1 -+$NFT add rule t c 'iif != lo ip daddr 127.0.0.1/8 counter limit rate 1/second log flags all prefix "nft_lo4 " drop' || exit 1 -+$NFT add rule t c 'iif != lo ip daddr 127.0.0.1/8 counter limit rate 1/second log flags all level debug drop' || exit 1 -+$NFT delete table t || exit 1 -+ -+exit 0 -+ --- -cgit v1.2.3 - diff --git a/net-firewall/nftables/nftables-1.0.2-r1.ebuild b/net-firewall/nftables/nftables-1.0.2-r1.ebuild deleted file mode 100644 index a7337abb2897..000000000000 --- a/net-firewall/nftables/nftables-1.0.2-r1.ebuild +++ /dev/null 
@@ -1,191 +0,0 @@ -# Copyright 1999-2022 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=7 - -PYTHON_COMPAT=( python3_{8..10} ) -DISTUTILS_OPTIONAL=1 -inherit autotools linux-info distutils-r1 systemd verify-sig - -DESCRIPTION="Linux kernel (3.13+) firewall, NAT and packet mangling tools" -HOMEPAGE="https://netfilter.org/projects/nftables/" - -if [[ ${PV} =~ ^[9]{4,}$ ]]; then - inherit git-r3 - EGIT_REPO_URI="https://git.netfilter.org/${PN}" - - BDEPEND=" - sys-devel/bison - sys-devel/flex - " -else - SRC_URI="https://netfilter.org/projects/nftables/files/${P}.tar.bz2 - verify-sig? ( https://netfilter.org/projects/nftables/files/${P}.tar.bz2.sig )" - KEYWORDS="amd64 arm arm64 hppa ~ia64 ~mips ppc ppc64 ~riscv sparc x86" - VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/netfilter.org.asc - BDEPEND+="verify-sig? ( sec-keys/openpgp-keys-netfilter )" -fi - -LICENSE="GPL-2" -SLOT="0/1" -IUSE="debug doc +gmp json libedit +modern-kernel python +readline static-libs xtables" - -RDEPEND=" - >=net-libs/libmnl-1.0.4:0= - >=net-libs/libnftnl-1.2.1:0= - gmp? ( dev-libs/gmp:= ) - json? ( dev-libs/jansson:= ) - python? ( ${PYTHON_DEPS} ) - readline? ( sys-libs/readline:= ) - xtables? ( >=net-firewall/iptables-1.6.1:= ) -" - -DEPEND="${RDEPEND}" - -BDEPEND+=" - doc? ( - app-text/asciidoc - >=app-text/docbook2X-0.8.8-r4 - ) - virtual/pkgconfig -" - -REQUIRED_USE=" - python? ( ${PYTHON_REQUIRED_USE} ) - libedit? ( !readline ) -" - -PATCHES=( - "${FILESDIR}/nftables-1.0.2-compilation.patch" - "${FILESDIR}/nftables-1.0.2-build-explicitly-pass-version-script-to-linker.patch" - "${FILESDIR}/nftables-1.0.2-libnftables.map-export-new-nft_ctx_-get-set-_optimiz.patch" -) - -pkg_setup() { - if kernel_is ge 3 13; then - if use modern-kernel && kernel_is lt 3 18; then - eerror "The modern-kernel USE flag requires kernel version 3.18 or newer to work properly." 
- fi - CONFIG_CHECK="~NF_TABLES" - linux-info_pkg_setup - else - eerror "This package requires kernel version 3.13 or newer to work properly." - fi -} - -src_prepare() { - default - - # fix installation path for doc stuff - sed '/^pkgsysconfdir/s@${sysconfdir}.*$@${docdir}/skels@' \ - -i files/nftables/Makefile.am || die - sed '/^pkgsysconfdir/s@${sysconfdir}.*$@${docdir}/skels/osf@' \ - -i files/osf/Makefile.am || die - - eautoreconf - - if use python; then - pushd py >/dev/null || die - distutils-r1_src_prepare - popd >/dev/null || die - fi -} - -src_configure() { - local myeconfargs=( - # We handle python separately - --disable-python - --disable-static - --sbindir="${EPREFIX}"/sbin - $(use_enable debug) - $(use_enable doc man-doc) - $(use_with !gmp mini_gmp) - $(use_with json) - $(use_with libedit cli editline) - $(use_with readline cli readline) - $(use_enable static-libs static) - $(use_with xtables) - ) - econf "${myeconfargs[@]}" - - if use python; then - pushd py >/dev/null || die - distutils-r1_src_configure - popd >/dev/null || die - fi -} - -src_compile() { - default - - if use python; then - pushd py >/dev/null || die - distutils-r1_src_compile - popd >/dev/null || die - fi -} - -src_install() { - default - - if ! use doc && [[ ! ${PV} =~ ^[9]{4,}$ ]]; then - pushd doc >/dev/null || die - doman *.? 
- popd >/dev/null || die - fi - - local mksuffix="$(usex modern-kernel '-mk' '')" - - exeinto /usr/libexec/${PN} - newexe "${FILESDIR}"/libexec/${PN}${mksuffix}.sh ${PN}.sh - newconfd "${FILESDIR}"/${PN}${mksuffix}.confd ${PN} - newinitd "${FILESDIR}"/${PN}${mksuffix}.init-r1 ${PN} - keepdir /var/lib/nftables - - systemd_dounit "${FILESDIR}"/systemd/${PN}-restore.service - - if use python ; then - pushd py >/dev/null || die - distutils-r1_src_install - popd >/dev/null || die - fi - - find "${ED}" -type f -name "*.la" -delete || die -} - -pkg_postinst() { - local save_file - save_file="${EROOT}/var/lib/nftables/rules-save" - - # In order for the nftables-restore systemd service to start - # the save_file must exist. - if [[ ! -f "${save_file}" ]]; then - ( umask 177; touch "${save_file}" ) - elif [[ $(( "$( stat --printf '%05a' "${save_file}" )" & 07177 )) -ne 0 ]]; then - ewarn "Your system has dangerous permissions for ${save_file}" - ewarn "It is probably affected by bug #691326." - ewarn "You may need to fix the permissions of the file. To do so," - ewarn "you can run the command in the line below as root." - ewarn " 'chmod 600 \"${save_file}\"'" - fi - - if has_version 'sys-apps/systemd'; then - elog "If you wish to enable the firewall rules on boot (on systemd) you" - elog "will need to enable the nftables-restore service." - elog " 'systemctl enable ${PN}-restore.service'" - elog - elog "If you are creating firewall rules before the next system restart" - elog "the nftables-restore service must be manually started in order to" - elog "save those rules on shutdown." - fi - if has_version 'sys-apps/openrc'; then - elog "If you wish to enable the firewall rules on boot (on openrc) you" - elog "will need to enable the nftables service." 
- elog " 'rc-update add ${PN} default'" - elog - elog "If you are creating or updating the firewall rules and wish to save" - elog "them to be loaded on the next restart, use the \"save\" functionality" - elog "in the init script." - elog " 'rc-service ${PN} save'" - fi -} diff --git a/net-firewall/nftables/nftables-1.0.4-r2.ebuild b/net-firewall/nftables/nftables-1.0.4-r2.ebuild deleted file mode 100644 index 394dfa382ae0..000000000000 --- a/net-firewall/nftables/nftables-1.0.4-r2.ebuild +++ /dev/null 
@@ -1,222 +0,0 @@ -# Copyright 1999-2022 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=8 - -DISTUTILS_OPTIONAL=1 -PYTHON_COMPAT=( python3_{8..11} ) -VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/netfilter.org.asc -inherit edo linux-info distutils-r1 systemd verify-sig - -DESCRIPTION="Linux kernel (3.13+) firewall, NAT and packet mangling tools" -HOMEPAGE="https://netfilter.org/projects/nftables/" - -if [[ ${PV} =~ ^[9]{4,}$ ]]; then - inherit autotools git-r3 - EGIT_REPO_URI="https://git.netfilter.org/${PN}" - - BDEPEND=" - sys-devel/bison - sys-devel/flex - " -else - SRC_URI="https://netfilter.org/projects/nftables/files/${P}.tar.bz2 - verify-sig? ( https://netfilter.org/projects/nftables/files/${P}.tar.bz2.sig )" - KEYWORDS="amd64 arm arm64 hppa ~ia64 ~mips ppc ppc64 ~riscv sparc x86" - BDEPEND+="verify-sig? ( sec-keys/openpgp-keys-netfilter )" -fi - -LICENSE="GPL-2" -SLOT="0/1" -IUSE="debug doc +gmp json libedit +modern-kernel python +readline static-libs test xtables" -RESTRICT="!test? ( test )" - -RDEPEND=" - >=net-libs/libmnl-1.0.4:0= - >=net-libs/libnftnl-1.2.2:0= - gmp? ( dev-libs/gmp:= ) - json? ( dev-libs/jansson:= ) - python? ( ${PYTHON_DEPS} ) - readline? ( sys-libs/readline:= ) - xtables? ( >=net-firewall/iptables-1.6.1:= ) -" - -DEPEND="${RDEPEND}" - -BDEPEND+=" - virtual/pkgconfig - doc? ( - app-text/asciidoc - >=app-text/docbook2X-0.8.8-r4 - ) - python? ( ${PYTHON_DEPS} ) -" - -REQUIRED_USE=" - python? ( ${PYTHON_REQUIRED_USE} ) - libedit? ( !readline ) -" - -pkg_setup() { - if kernel_is ge 3 13; then - if use modern-kernel && kernel_is lt 3 18; then - eerror "The modern-kernel USE flag requires kernel version 3.18 or newer to work properly." - fi - CONFIG_CHECK="~NF_TABLES" - linux-info_pkg_setup - else - eerror "This package requires kernel version 3.13 or newer to work properly." 
- fi -} - -src_prepare() { - local PATCHES=( - "${FILESDIR}/nftables-1.0.4-revert-scanner-flags-move-to-own-scope.patch" - ) - default - - if [[ ${PV} =~ ^[9]{4,}$ ]] ; then - eautoreconf - fi - - if use python; then - pushd py >/dev/null || die - distutils-r1_src_prepare - popd >/dev/null || die - fi -} - -src_configure() { - local myeconfargs=( - # We handle python separately - --disable-python - --disable-static - --sbindir="${EPREFIX}"/sbin - $(use_enable debug) - $(use_enable doc man-doc) - $(use_with !gmp mini_gmp) - $(use_with json) - $(use_with libedit cli editline) - $(use_with readline cli readline) - $(use_enable static-libs static) - $(use_with xtables) - ) - econf "${myeconfargs[@]}" - - if use python; then - pushd py >/dev/null || die - distutils-r1_src_configure - popd >/dev/null || die - fi -} - -src_compile() { - default - - if use python; then - pushd py >/dev/null || die - distutils-r1_src_compile - popd >/dev/null || die - fi -} - -src_test() { - emake check - - if [[ ${EUID} == 0 ]]; then - edo tests/shell/run-tests.sh -v - else - ewarn "Skipping shell tests (requires root)" - fi - - # Need to rig up Python eclass if using this, but it doesn't seem to work - # for me anyway. - #cd tests/py || die - #"${EPYTHON}" nft-test.py || die -} - -src_install() { - default - - if ! use doc && [[ ! ${PV} =~ ^[9]{4,}$ ]]; then - pushd doc >/dev/null || die - doman *.? 
- popd >/dev/null || die - fi - - # Do it here instead of in src_prepare to avoid eautoreconf - # rmdir lets us catch if more files end up installed in /etc/nftables - dodir /usr/share/doc/${PF}/skels/ - mv "${ED}"/etc/nftables/osf "${ED}"/usr/share/doc/${PF}/skels/osf || die - rmdir "${ED}"/etc/nftables || die - - local mksuffix="$(usex modern-kernel '-mk' '')" - - exeinto /usr/libexec/${PN} - newexe "${FILESDIR}"/libexec/${PN}${mksuffix}.sh ${PN}.sh - newconfd "${FILESDIR}"/${PN}${mksuffix}.confd ${PN} - newinitd "${FILESDIR}"/${PN}${mksuffix}.init-r1 ${PN} - keepdir /var/lib/nftables - - systemd_dounit "${FILESDIR}"/systemd/${PN}-restore.service - - if use python ; then - pushd py >/dev/null || die - distutils-r1_src_install - popd >/dev/null || die - fi - - find "${ED}" -type f -name "*.la" -delete || die -} - -pkg_preinst() { - if [[ -d /sys/module/nf_tables ]] && [[ -x /sbin/nft ]] && [[ -z ${ROOT} ]]; then - if ! /sbin/nft -t list ruleset | "${ED}"/sbin/nft -c -f -; then - eerror "Your currently loaded ruleset cannot be parsed by the newly built instance of" - eerror "nft. This probably means that there is a regression introduced by v${PV}." - eerror "(To make the ebuild fail instead of warning, set NFTABLES_ABORT_ON_RELOAD_FAILURE=1.)" - - if [[ -n ${NFTABLES_ABORT_ON_RELOAD_FAILURE} ]] ; then - die "Aborting because of failed nft reload!" - fi - fi - fi -} - -pkg_postinst() { - local save_file - save_file="${EROOT}"/var/lib/nftables/rules-save - - # In order for the nftables-restore systemd service to start - # the save_file must exist. - if [[ ! -f "${save_file}" ]]; then - ( umask 177; touch "${save_file}" ) - elif [[ $(( "$( stat --printf '%05a' "${save_file}" )" & 07177 )) -ne 0 ]]; then - ewarn "Your system has dangerous permissions for ${save_file}" - ewarn "It is probably affected by bug #691326." - ewarn "You may need to fix the permissions of the file. To do so," - ewarn "you can run the command in the line below as root." 
- ewarn " 'chmod 600 \"${save_file}\"'" - fi - - if has_version 'sys-apps/systemd'; then - elog "If you wish to enable the firewall rules on boot (on systemd) you" - elog "will need to enable the nftables-restore service." - elog " 'systemctl enable ${PN}-restore.service'" - elog - elog "If you are creating firewall rules before the next system restart" - elog "the nftables-restore service must be manually started in order to" - elog "save those rules on shutdown." - fi - - if has_version 'sys-apps/openrc'; then - elog "If you wish to enable the firewall rules on boot (on openrc) you" - elog "will need to enable the nftables service." - elog " 'rc-update add ${PN} default'" - elog - elog "If you are creating or updating the firewall rules and wish to save" - elog "them to be loaded on the next restart, use the \"save\" functionality" - elog "in the init script." - elog " 'rc-service ${PN} save'" - fi -} |