-rw-r--r-- | net-firewall/iptables/Manifest | 1 | ||||
-rw-r--r-- | net-firewall/iptables/files/iptables-1.8.7-cache-double-free.patch | 61 | ||||
-rw-r--r-- | net-firewall/iptables/iptables-1.8.7-r2.ebuild | 176 |
3 files changed, 0 insertions, 238 deletions
diff --git a/net-firewall/iptables/Manifest b/net-firewall/iptables/Manifest
index 76320a6fa208..44c1d5abb450 100644
--- a/net-firewall/iptables/Manifest
+++ b/net-firewall/iptables/Manifest
@@ -1,2 +1 @@
-DIST iptables-1.8.7.tar.bz2 717862 BLAKE2B fd4dcff142eaadde2a14ce3eb5e45d41c326752553b52900c77fd2e2a20c0685d0a04b95755995e914df47658834d52216d6465c2ae9cd6abc6eb122b95cc976 SHA512 c0a33fafbf1139157a9f52860938ebedc282a1394a68dcbd58981159379eb525919f999b25925f2cb4d6b18089bd99a94b00b3e73cff5cb0a0e47bdff174ed75
 DIST iptables-1.8.8.tar.bz2 746985 BLAKE2B 0da021cc7313b86af331768904956dab3eee3de245a7b03965129f3d7f13097fc03fbb1390167dcd971eff216eabad9e59b261a9c0f54bfc48a77453aa40d164 SHA512 f21df23279a77531a23f3fcb1b8f0f8ec0c726bda236dd0e33af74b06753baff6ce3f26fb9fcceb6fada560656ba901e68fc6452eb840ac1b206bc4654950f59
diff --git a/net-firewall/iptables/files/iptables-1.8.7-cache-double-free.patch b/net-firewall/iptables/files/iptables-1.8.7-cache-double-free.patch
deleted file mode 100644
index fc88636d2944..000000000000
--- a/net-firewall/iptables/files/iptables-1.8.7-cache-double-free.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-commit 4318961230bce82958df82b57f1796143bf2f421
-Author: Phil Sutter <phil@nwl.cc>
-Date: Tue Sep 21 11:39:45 2021 +0200
-
- nft: cache: Avoid double free of unrecognized base-chains
-
- On error, nft_cache_add_chain() frees the allocated nft_chain object
- along with the nftnl_chain it points at. Fix nftnl_chain_list_cb() to
- not free the nftnl_chain again in that case.
-
- Fixes: 176c92c26bfc9 ("nft: Introduce a dedicated base chain array")
- Signed-off-by: Phil Sutter <phil@nwl.cc>
-
-diff --git a/iptables/nft-cache.c b/iptables/nft-cache.c
-index 2c88301c..9a03bbfb 100644
---- a/iptables/nft-cache.c
-+++ b/iptables/nft-cache.c
-@@ -314,9 +314,7 @@ static int nftnl_chain_list_cb(const struct nlmsghdr *nlh, void *data)
- goto out;
- }
-
-- if (nft_cache_add_chain(h, t, c))
-- goto out;
--
-+ nft_cache_add_chain(h, t, c);
- return MNL_CB_OK;
- out:
- nftnl_chain_free(c);
-diff --git a/iptables/tests/shell/testcases/chain/0004extra-base_0 b/iptables/tests/shell/testcases/chain/0004extra-base_0
-new file mode 100755
-index 00000000..1b85b060
---- /dev/null
-+++ b/iptables/tests/shell/testcases/chain/0004extra-base_0
-@@ -0,0 +1,27 @@
-+#!/bin/bash
-+
-+case $XT_MULTI in
-+*xtables-nft-multi)
-+ ;;
-+*)
-+ echo skip $XT_MULTI
-+ exit 0
-+ ;;
-+esac
-+
-+set -e
-+
-+nft -f - <<EOF
-+table ip filter {
-+ chain INPUT {
-+ type filter hook input priority filter
-+ counter packets 218 bytes 91375 accept
-+ }
-+
-+ chain x {
-+ type filter hook input priority filter
-+ }
-+}
-+EOF
-+
-+$XT_MULTI iptables -L
diff --git a/net-firewall/iptables/iptables-1.8.7-r2.ebuild b/net-firewall/iptables/iptables-1.8.7-r2.ebuild
deleted file mode 100644
index 42fd108f2606..000000000000
--- a/net-firewall/iptables/iptables-1.8.7-r2.ebuild
+++ /dev/null
@@ -1,176 +0,0 @@
-# Copyright 1999-2022 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit systemd toolchain-funcs autotools flag-o-matic usr-ldscript
-
-DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
-HOMEPAGE="https://www.netfilter.org/projects/iptables/"
-SRC_URI="https://www.netfilter.org/projects/iptables/files/${P}.tar.bz2"
-
-LICENSE="GPL-2"
-# Subslot reflects PV when libxtables and/or libip*tc was changed
-# the last time.
-SLOT="0/1.8.3"
-KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86"
-IUSE="conntrack netlink nftables pcap static-libs"
-
-BUILD_DEPEND="
- >=app-eselect/eselect-iptables-20220320
-"
-COMMON_DEPEND="
- conntrack? ( >=net-libs/libnetfilter_conntrack-1.0.6 )
- netlink? ( net-libs/libnfnetlink )
- nftables? (
- >=net-libs/libmnl-1.0:0=
- >=net-libs/libnftnl-1.1.6:0=
- )
- pcap? ( net-libs/libpcap )
-"
-DEPEND="${COMMON_DEPEND}
- virtual/os-headers
- >=sys-kernel/linux-headers-4.4:0
-"
-BDEPEND="${BUILD_DEPEND}
- virtual/pkgconfig
- nftables? (
- sys-devel/flex
- virtual/yacc
- )
-"
-RDEPEND="${COMMON_DEPEND}
- ${BUILD_DEPEND}
- nftables? ( net-misc/ethertypes )
- !<net-firewall/ebtables-2.0.11-r1
- !<net-firewall/arptables-0.0.5-r1
-"
-
-PATCHES=(
- "${FILESDIR}/iptables-1.8.4-no-symlinks.patch"
- "${FILESDIR}/iptables-1.8.2-link.patch"
- # https://bugs.gentoo.org/831626
- "${FILESDIR}/iptables-1.8.7-cache-double-free.patch"
-)
-
-src_prepare() {
- # use the saner headers from the kernel
- rm include/linux/{kernel,types}.h || die
-
- default
- eautoreconf
-}
-
-src_configure() {
- # Some libs use $(AR) rather than libtool to build #444282
- tc-export AR
-
- # Hack around struct mismatches between userland & kernel for some ABIs. #472388
- use amd64 && [[ ${ABI} == "x32" ]] && append-flags -fpack-struct
-
- sed -i \
- -e "/nfnetlink=[01]/s:=[01]:=$(usex netlink 1 0):" \
- -e "/nfconntrack=[01]/s:=[01]:=$(usex conntrack 1 0):" \
- configure || die
-
- local myeconfargs=(
- --sbindir="${EPREFIX}/sbin"
- --libexecdir="${EPREFIX}/$(get_libdir)"
- --enable-devel
- --enable-ipv6
- --enable-shared
- $(use_enable nftables)
- $(use_enable pcap bpf-compiler)
- $(use_enable pcap nfsynproxy)
- $(use_enable static-libs static)
- )
- econf "${myeconfargs[@]}"
-}
-
-src_compile() {
- emake V=1
-}
-
-src_install() {
- default
- dodoc INCOMPATIBILITIES iptables/iptables.xslt
-
- # all the iptables binaries are in /sbin, so might as well
- # put these small files in with them
- into /
- dosbin iptables/iptables-apply
- dosym iptables-apply /sbin/ip6tables-apply
- doman iptables/iptables-apply.8
-
- insinto /usr/include
- doins include/ip{,6}tables.h
- insinto /usr/include/iptables
- doins include/iptables/internal.h
-
- keepdir /var/lib/ip{,6}tables
- newinitd "${FILESDIR}"/${PN}-r2.init iptables
- newconfd "${FILESDIR}"/${PN}-r1.confd iptables
- dosym iptables /etc/init.d/ip6tables
- newconfd "${FILESDIR}"/ip6tables-r1.confd ip6tables
-
- if use nftables; then
- # Bug 647458
- rm "${ED}"/etc/ethertypes || die
-
- # Bugs 660886 and 669894
- rm "${ED}"/sbin/{arptables,ebtables}{,-{save,restore}} || die
- fi
-
- systemd_dounit "${FILESDIR}"/systemd/ip{,6}tables-{re,}store.service
-
- # Move important libs to /lib #332175
- gen_usr_ldscript -a ip{4,6}tc xtables
-
- find "${ED}" -type f -name "*.la" -delete || die
-}
-
-pkg_postinst() {
- local default_iptables="xtables-legacy-multi"
- if ! eselect iptables show &>/dev/null; then
- elog "Current iptables implementation is unset, setting to ${default_iptables}"
- eselect iptables set "${default_iptables}"
- fi
-
- if use nftables; then
- local tables
- for tables in {arp,eb}tables; do
- if ! eselect ${tables} show &>/dev/null; then
- elog "Current ${tables} implementation is unset, setting to ${default_iptables}"
- eselect ${tables} set xtables-nft-multi
- fi
- done
- fi
-
- eselect iptables show
-}
-
-pkg_prerm() {
- if [[ -z ${REPLACED_BY_VERSION} ]]; then
- elog "Unsetting iptables symlinks before removal"
- eselect iptables unset
- fi
-
- if ! has_version 'net-firewall/ebtables'; then
- elog "Unsetting ebtables symlinks before removal"
- eselect ebtables unset
- elif [[ -z ${REPLACED_BY_VERSION} ]]; then
- elog "Resetting ebtables symlinks to ebtables-legacy"
- eselect ebtables set ebtables-legacy
- fi
-
- if ! has_version 'net-firewall/arptables'; then
- elog "Unsetting arptables symlinks before removal"
- eselect arptables unset
- elif [[ -z ${REPLACED_BY_VERSION} ]]; then
- elog "Resetting arptables symlinks to arptables-legacy"
- eselect arptables set arptables-legacy
- fi
-
- # the eselect module failing should not be fatal
- return 0
-}