* [gentoo-commits] proj/hardened-dev:musl commit in: net-firewall/iptables/files/, net-firewall/iptables/
@ 2014-02-17 11:53 Anthony G. Basile
From: Anthony G. Basile @ 2014-02-17 11:53 UTC (permalink / raw
  To: gentoo-commits

commit:     261813f2c25976c4a52741449fe1cce34ffa73f6
Author:     Felix Janda <felix.janda <AT> posteo <DOT> de>
AuthorDate: Sun Feb 16 18:41:48 2014 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Mon Feb 17 11:53:45 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=261813f2

net-firewall/iptables: move to tree

Disable some extensions to make it build

---
 net-firewall/iptables/files/ip6tables-1.4.13.confd |  19 ++
 .../iptables/files/iptables-1.4.13-r1.init         | 130 +++++++++
 net-firewall/iptables/files/iptables-1.4.13.confd  |  19 ++
 .../iptables/files/iptables-1.4.20-musl.patch      | 304 +++++++++++++++++++++
 net-firewall/iptables/iptables-1.4.20-r99.ebuild   |  93 +++++++
 net-firewall/iptables/metadata.xml                 |  23 ++
 6 files changed, 588 insertions(+)

diff --git a/net-firewall/iptables/files/ip6tables-1.4.13.confd b/net-firewall/iptables/files/ip6tables-1.4.13.confd
new file mode 100644
index 0000000..3bb3698
--- /dev/null
+++ b/net-firewall/iptables/files/ip6tables-1.4.13.confd
@@ -0,0 +1,19 @@
+# /etc/conf.d/ip6tables
+
+# Location in which iptables initscript will save set rules on 
+# service shutdown
+IP6TABLES_SAVE="/var/lib/ip6tables/rules-save"
+
+# Options to pass to iptables-save and iptables-restore 
+SAVE_RESTORE_OPTIONS="-c"
+
+# Save state on stopping iptables
+SAVE_ON_STOP="yes"
+
+# If you need to log iptables messages as soon as iptables starts,
+# AND your logger does NOT depend on the network, then you may wish
+# to uncomment the next line.
+# If your logger depends on the network, and you uncomment this line
+# you will create an unresolvable circular dependency during startup.
+# After commenting or uncommenting this line, you must run 'rc-update -u'.
+#rc_use="logger"

diff --git a/net-firewall/iptables/files/iptables-1.4.13-r1.init b/net-firewall/iptables/files/iptables-1.4.13-r1.init
new file mode 100644
index 0000000..a63d076
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-1.4.13-r1.init
@@ -0,0 +1,130 @@
+#!/sbin/runscript
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-firewall/iptables/files/iptables-1.4.13-r1.init,v 1.3 2013/04/27 17:29:09 vapier Exp $
+
+extra_commands="check save panic"
+extra_started_commands="reload"
+
+iptables_name=${SVCNAME}
+case ${iptables_name} in
+iptables|ip6tables) ;;
+*) iptables_name="iptables" ;;
+esac
+
+iptables_bin="/sbin/${iptables_name}"
+case ${iptables_name} in
+	iptables)  iptables_proc="/proc/net/ip_tables_names"
+	           iptables_save=${IPTABLES_SAVE};;
+	ip6tables) iptables_proc="/proc/net/ip6_tables_names"
+	           iptables_save=${IP6TABLES_SAVE};;
+esac
+
+depend() {
+	need localmount #434774
+	before net
+}
+
+set_table_policy() {
+	local chains table=$1 policy=$2
+	case ${table} in
+		nat)    chains="PREROUTING POSTROUTING OUTPUT";;
+		mangle) chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING";;
+		filter) chains="INPUT FORWARD OUTPUT";;
+		*)      chains="";;
+	esac
+	local chain
+	for chain in ${chains} ; do
+		${iptables_bin} -t ${table} -P ${chain} ${policy}
+	done
+}
+
+checkkernel() {
+	if [ ! -e ${iptables_proc} ] ; then
+		eerror "Your kernel lacks ${iptables_name} support, please load"
+		eerror "appropriate modules and try again."
+		return 1
+	fi
+	return 0
+}
+checkconfig() {
+	if [ ! -f ${iptables_save} ] ; then
+		eerror "Not starting ${iptables_name}.  First create some rules then run:"
+		eerror "/etc/init.d/${iptables_name} save"
+		return 1
+	fi
+	return 0
+}
+
+start() {
+	checkconfig || return 1
+	ebegin "Loading ${iptables_name} state and starting firewall"
+	${iptables_bin}-restore ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
+	eend $?
+}
+
+stop() {
+	if [ "${SAVE_ON_STOP}" = "yes" ] ; then
+		save || return 1
+	fi
+	checkkernel || return 1
+	ebegin "Stopping firewall"
+	local a
+	for a in $(cat ${iptables_proc}) ; do
+		set_table_policy $a ACCEPT
+
+		${iptables_bin} -F -t $a
+		${iptables_bin} -X -t $a
+	done
+	eend $?
+}
+
+reload() {
+	checkkernel || return 1
+	checkrules || return 1
+	ebegin "Flushing firewall"
+	local a
+	for a in $(cat ${iptables_proc}) ; do
+		${iptables_bin} -F -t $a
+		${iptables_bin} -X -t $a
+	done
+	eend $?
+
+	start
+}
+
+checkrules() {
+	ebegin "Checking rules"
+	${iptables_bin}-restore --test ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
+	eend $?
+}
+
+check() {
+	# Short name for users of init.d script.
+	checkrules
+}
+
+save() {
+	ebegin "Saving ${iptables_name} state"
+	checkpath -q -d "$(dirname "${iptables_save}")"
+	checkpath -q -m 0600 -f "${iptables_save}"
+	${iptables_bin}-save ${SAVE_RESTORE_OPTIONS} > "${iptables_save}"
+	eend $?
+}
+
+panic() {
+	checkkernel || return 1
+	if service_started ${iptables_name}; then
+		rc-service ${iptables_name} stop
+	fi
+
+	local a
+	ebegin "Dropping all packets"
+	for a in $(cat ${iptables_proc}) ; do
+		${iptables_bin} -F -t $a
+		${iptables_bin} -X -t $a
+
+		set_table_policy $a DROP
+	done
+	eend $?
+}
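Review bot: In stop(), the closing `eend $?` reports only the exit status of the last `${iptables_bin} -X -t $a` in the loop, so a failed policy reset or flush on an earlier table is reported as success and the service is marked stopped with rules possibly still loaded; reload() and panic() have the same shape and should track a failure flag across the loop the same way. Independently, checkconfig() tests `[ ! -f ${iptables_save} ]` unquoted: when the conf.d variable is unset the test collapses to `[ ! -f ]`, which is false, and start() goes on to run `iptables-restore` with an empty redirect target; write it as `[ ! -f "${iptables_save}" ]` (checkkernel() has the same unquoted `${iptables_proc}`).
```shell
stop() {
	# … unchanged: SAVE_ON_STOP / checkkernel handling …
	ebegin "Stopping firewall"
	local a ret=0
	for a in $(cat ${iptables_proc}) ; do
		set_table_policy $a ACCEPT || ret=1
		${iptables_bin} -F -t $a || ret=1
		${iptables_bin} -X -t $a || ret=1
	done
	eend ${ret}
}
```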

diff --git a/net-firewall/iptables/files/iptables-1.4.13.confd b/net-firewall/iptables/files/iptables-1.4.13.confd
new file mode 100644
index 0000000..7225374
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-1.4.13.confd
@@ -0,0 +1,19 @@
+# /etc/conf.d/iptables
+
+# Location in which iptables initscript will save set rules on 
+# service shutdown
+IPTABLES_SAVE="/var/lib/iptables/rules-save"
+
+# Options to pass to iptables-save and iptables-restore 
+SAVE_RESTORE_OPTIONS="-c"
+
+# Save state on stopping iptables
+SAVE_ON_STOP="yes"
+
+# If you need to log iptables messages as soon as iptables starts,
+# AND your logger does NOT depend on the network, then you may wish
+# to uncomment the next line.
+# If your logger depends on the network, and you uncomment this line
+# you will create an unresolvable circular dependency during startup.
+# After commenting or uncommenting this line, you must run 'rc-update -u'.
+#rc_use="logger"

diff --git a/net-firewall/iptables/files/iptables-1.4.20-musl.patch b/net-firewall/iptables/files/iptables-1.4.20-musl.patch
new file mode 100644
index 0000000..cd5b1a7
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-1.4.20-musl.patch
@@ -0,0 +1,304 @@
+diff -ur a/iptables-1.4.20/extensions/libxt_conntrack.c b/iptables-1.4.20/extensions/libxt_conntrack.c
+--- a/iptables-1.4.20/extensions/libxt_conntrack.c
++++ b/iptables-1.4.20/extensions/libxt_conntrack.c
+@@ -786,7 +786,7 @@
+ 
+ static void
+ conntrack_dump_ports(const char *prefix, const char *opt,
+-		     u_int16_t port_low, u_int16_t port_high)
++		     uint16_t port_low, uint16_t port_high)
+ {
+ 	if (port_high == 0 || port_low == port_high)
+ 		printf(" %s%s %u", prefix, opt, port_low);
+diff -ur a/iptables-1.4.20/include/libipq/libipq.h b/iptables-1.4.20/include/libipq/libipq.h
+--- a/iptables-1.4.20/include/libipq/libipq.h
++++ b/iptables-1.4.20/include/libipq/libipq.h
+@@ -48,19 +48,19 @@
+ struct ipq_handle
+ {
+ 	int fd;
+-	u_int8_t blocking;
++	uint8_t blocking;
+ 	struct sockaddr_nl local;
+ 	struct sockaddr_nl peer;
+ };
+ 
+-struct ipq_handle *ipq_create_handle(u_int32_t flags, u_int32_t protocol);
++struct ipq_handle *ipq_create_handle(uint32_t flags, uint32_t protocol);
+ 
+ int ipq_destroy_handle(struct ipq_handle *h);
+ 
+ ssize_t ipq_read(const struct ipq_handle *h,
+                 unsigned char *buf, size_t len, int timeout);
+ 
+-int ipq_set_mode(const struct ipq_handle *h, u_int8_t mode, size_t len);
++int ipq_set_mode(const struct ipq_handle *h, uint8_t mode, size_t len);
+ 
+ ipq_packet_msg_t *ipq_get_packet(const unsigned char *buf);
+ 
+diff -ur a/iptables-1.4.20/include/libiptc/ipt_kernel_headers.h b/iptables-1.4.20/include/libiptc/ipt_kernel_headers.h
+--- a/iptables-1.4.20/include/libiptc/ipt_kernel_headers.h
++++ b/iptables-1.4.20/include/libiptc/ipt_kernel_headers.h
+@@ -15,13 +15,12 @@
+ #include <sys/types.h>
+ #else /* libc5 */
+ #include <sys/socket.h>
+-#include <linux/ip.h>
+-#include <linux/in.h>
+-#include <linux/if.h>
++#include <netinet/ip.h>
++#include <netinet/in.h>
++#include <net/if.h>
+ #include <linux/icmp.h>
+ #include <linux/tcp.h>
+ #include <linux/udp.h>
+ #include <linux/types.h>
+-#include <linux/in6.h>
+ #endif
+ #endif
+diff -ur a/iptables-1.4.20/include/libiptc/libxtc.h b/iptables-1.4.20/include/libiptc/libxtc.h
+--- a/iptables-1.4.20/include/libiptc/libxtc.h
++++ b/iptables-1.4.20/include/libiptc/libxtc.h
+@@ -10,7 +10,7 @@
+ #endif
+ 
+ #ifndef XT_MIN_ALIGN
+-/* xt_entry has pointers and u_int64_t's in it, so if you align to
++/* xt_entry has pointers and uint64_t's in it, so if you align to
+    it, you'll also align to any crazy matches and targets someone
+    might write */
+ #define XT_MIN_ALIGN (__alignof__(struct xt_entry))
+diff -ur a/iptables-1.4.20/include/libipulog/libipulog.h b/iptables-1.4.20/include/libipulog/libipulog.h
+--- a/iptables-1.4.20/include/libipulog/libipulog.h	2013-08-06 15:48:43.000000000 +0000
++++ b/iptables-1.4.20/include/libipulog/libipulog.h	2014-02-09 09:32:45.058650377 +0000
+@@ -21,9 +21,9 @@
+ 
+ struct ipulog_handle;
+ 
+-u_int32_t ipulog_group2gmask(u_int32_t group);
++uint32_t ipulog_group2gmask(uint32_t group);
+ 
+-struct ipulog_handle *ipulog_create_handle(u_int32_t gmask);
++struct ipulog_handle *ipulog_create_handle(uint32_t gmask);
+ 
+ void ipulog_destroy_handle(struct ipulog_handle *h);
+ 
+diff -ur a/iptables-1.4.20/include/linux/netfilter_ipv4/ip_tables.h b/iptables-1.4.20/include/linux/netfilter_ipv4/ip_tables.h
+--- a/iptables-1.4.20/include/linux/netfilter_ipv4/ip_tables.h
++++ b/iptables-1.4.20/include/linux/netfilter_ipv4/ip_tables.h
+@@ -15,6 +15,7 @@
+ #ifndef _IPTABLES_H
+ #define _IPTABLES_H
+ 
++#include <stdint.h>
+ #include <linux/types.h>
+ 
+ #include <linux/netfilter_ipv4.h>
+@@ -73,12 +74,12 @@
+ 	unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];
+ 
+ 	/* Protocol, 0 = ANY */
+-	u_int16_t proto;
++	uint16_t proto;
+ 
+ 	/* Flags word */
+-	u_int8_t flags;
++	uint8_t flags;
+ 	/* Inverse flags */
+-	u_int8_t invflags;
++	uint8_t invflags;
+ };
+ 
+ /* Values for "flag" field in struct ipt_ip (general ip structure). */
+@@ -106,9 +107,9 @@
+ 	unsigned int nfcache;
+ 
+ 	/* Size of ipt_entry + matches */
+-	u_int16_t target_offset;
++	uint16_t target_offset;
+ 	/* Size of ipt_entry + matches + target */
+-	u_int16_t next_offset;
++	uint16_t next_offset;
+ 
+ 	/* Back pointer */
+ 	unsigned int comefrom;
+@@ -125,7 +126,7 @@
+  * Unlike BSD Linux inherits IP options so you don't have to use a raw
+  * socket for this. Instead we check rights in the calls.
+  *
+- * ATTENTION: check linux/in.h before adding new number here.
++ * ATTENTION: check netinet/in.h before adding new number here.
+  */
+ #define IPT_BASE_CTL		64
+ 
+@@ -141,9 +142,9 @@
+ 
+ /* ICMP matching stuff */
+ struct ipt_icmp {
+-	u_int8_t type;				/* type to match */
+-	u_int8_t code[2];			/* range of code */
+-	u_int8_t invflags;			/* Inverse flags */
++	uint8_t type;				/* type to match */
++	uint8_t code[2];			/* range of code */
++	uint8_t invflags;			/* Inverse flags */
+ };
+ 
+ /* Values for "inv" field for struct ipt_icmp. */
+diff -ur a/iptables-1.4.20/include/linux/netfilter_ipv6/ip6_tables.h b/iptables-1.4.20/include/linux/netfilter_ipv6/ip6_tables.h
+--- a/iptables-1.4.20/include/linux/netfilter_ipv6/ip6_tables.h
++++ b/iptables-1.4.20/include/linux/netfilter_ipv6/ip6_tables.h
+@@ -73,14 +73,14 @@
+ 	 *   MH do not match any packets.
+ 	 * - You also need to set IP6T_FLAGS_PROTO to "flags" to check protocol.
+ 	 */
+-	u_int16_t proto;
++	uint16_t proto;
+ 	/* TOS to match iff flags & IP6T_F_TOS */
+-	u_int8_t tos;
++	uint8_t tos;
+ 
+ 	/* Flags word */
+-	u_int8_t flags;
++	uint8_t flags;
+ 	/* Inverse flags */
+-	u_int8_t invflags;
++	uint8_t invflags;
+ };
+ 
+ /* Values for "flag" field in struct ip6t_ip6 (general ip6 structure). */
+@@ -110,9 +110,9 @@
+ 	unsigned int nfcache;
+ 
+ 	/* Size of ipt_entry + matches */
+-	u_int16_t target_offset;
++	uint16_t target_offset;
+ 	/* Size of ipt_entry + matches + target */
+-	u_int16_t next_offset;
++	uint16_t next_offset;
+ 
+ 	/* Back pointer */
+ 	unsigned int comefrom;
+@@ -162,7 +162,6 @@
+  * Unlike BSD Linux inherits IP options so you don't have to use
+  * a raw socket for this. Instead we check rights in the calls.
+  *
+- * ATTENTION: check linux/in6.h before adding new number here.
+  */
+ #define IP6T_BASE_CTL			64
+ 
+@@ -178,9 +177,9 @@
+ 
+ /* ICMP matching stuff */
+ struct ip6t_icmp {
+-	u_int8_t type;				/* type to match */
+-	u_int8_t code[2];			/* range of code */
+-	u_int8_t invflags;			/* Inverse flags */
++	uint8_t type;				/* type to match */
++	uint8_t code[2];			/* range of code */
++	uint8_t invflags;			/* Inverse flags */
+ };
+ 
+ /* Values for "inv" field for struct ipt_icmp. */
+diff -ur a/iptables-1.4.20/include/linux/netfilter_ipv6/ip6t_rt.h b/iptables-1.4.20/include/linux/netfilter_ipv6/ip6t_rt.h
+--- a/iptables-1.4.20/include/linux/netfilter_ipv6/ip6t_rt.h
++++ b/iptables-1.4.20/include/linux/netfilter_ipv6/ip6t_rt.h
+@@ -2,7 +2,6 @@
+ #define _IP6T_RT_H
+ 
+ #include <linux/types.h>
+-/*#include <linux/in6.h>*/
+ 
+ #define IP6T_RT_HOPS 16
+ 
+diff -ur a/iptables-1.4.20/include/xtables.h b/iptables-1.4.20/include/xtables.h
+--- a/iptables-1.4.20/include/xtables.h
++++ b/iptables-1.4.20/include/xtables.h
+@@ -220,12 +220,12 @@
+ 	const char *real_name;
+ 
+ 	/* Revision of match (0 by default). */
+-	u_int8_t revision;
++	uint8_t revision;
+ 
+ 	/* Extension flags */
+-	u_int8_t ext_flags;
++	uint8_t ext_flags;
+ 
+-	u_int16_t family;
++	uint16_t family;
+ 
+ 	/* Size of match data. */
+ 	size_t size;
+@@ -297,12 +297,12 @@
+ 	const char *real_name;
+ 
+ 	/* Revision of target (0 by default). */
+-	u_int8_t revision;
++	uint8_t revision;
+ 
+ 	/* Extension flags */
+-	u_int8_t ext_flags;
++	uint8_t ext_flags;
+ 
+-	u_int16_t family;
++	uint16_t family;
+ 
+ 
+ 	/* Size of target data. */
+@@ -373,7 +373,7 @@
+  */
+ struct xtables_pprot {
+ 	const char *name;
+-	u_int8_t num;
++	uint8_t num;
+ };
+ 
+ enum xtables_tryload {
+@@ -446,12 +446,12 @@
+ extern bool xtables_strtoui(const char *, char **, unsigned int *,
+ 	unsigned int, unsigned int);
+ extern int xtables_service_to_port(const char *name, const char *proto);
+-extern u_int16_t xtables_parse_port(const char *port, const char *proto);
++extern uint16_t xtables_parse_port(const char *port, const char *proto);
+ extern void
+ xtables_parse_interface(const char *arg, char *vianame, unsigned char *mask);
+ 
+ /* this is a special 64bit data type that is 8-byte aligned */
+-#define aligned_u64 u_int64_t __attribute__((aligned(8)))
++#define aligned_u64 uint64_t __attribute__((aligned(8)))
+ 
+ extern struct xtables_globals *xt_params;
+ #define xtables_error (xt_params->exit_err)
+@@ -514,7 +514,7 @@
+ #endif
+ 
+ extern const struct xtables_pprot xtables_chain_protos[];
+-extern u_int16_t xtables_parse_protocol(const char *s);
++extern uint16_t xtables_parse_protocol(const char *s);
+ 
+ /* kernel revision handling */
+ extern int kernel_version;
+diff -ur a/iptables-1.4.20/libipq/ipq_create_handle.3 b/iptables-1.4.20/libipq/ipq_create_handle.3
+--- a/iptables-1.4.20/libipq/ipq_create_handle.3
++++ b/iptables-1.4.20/libipq/ipq_create_handle.3
+@@ -24,7 +24,7 @@
+ .br
+ .B #include <libipq.h>
+ .sp
+-.BI "struct ipq_handle *ipq_create_handle(u_int32_t " flags ", u_int32_t " protocol ");"
++.BI "struct ipq_handle *ipq_create_handle(uint32_t " flags ", uint32_t " protocol ");"
+ .br
+ .BI "int ipq_destroy_handle(struct ipq_handle *" h );
+ .SH DESCRIPTION
+diff -ur a/iptables-1.4.20/libipq/ipq_set_mode.3 b/iptables-1.4.20/libipq/ipq_set_mode.3
+--- a/iptables-1.4.20/libipq/ipq_set_mode.3
++++ b/iptables-1.4.20/libipq/ipq_set_mode.3
+@@ -24,7 +24,7 @@
+ .br
+ .B #include <libipq.h>
+ .sp
+-.BI "int ipq_set_mode(const struct ipq_handle *" h ", u_int8_t " mode ", size_t " range );
++.BI "int ipq_set_mode(const struct ipq_handle *" h ", uint8_t " mode ", size_t " range );
+ .SH DESCRIPTION
+ The
+ .B ipq_set_mode
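Review bot: The nested patch adds `#include <stdint.h>` only to ip_tables.h (the hunk at `@@ -15,6 +15,7 @@`), while ip6_tables.h, xtables.h, libipq.h, libipulog.h and libxt_conntrack.c are likewise switched from u_intN_t to uintN_t with no matching include; they compile only if stdint.h arrives transitively, which is exactly the kind of implicit dependency a libc switch tends to expose. Add the same `#include <stdint.h>` line beside `#include <linux/types.h>` in ip6_tables.h at least, and in the other headers that now name uintN_t, so the patched tree does not depend on include order. The ipt_kernel_headers.h hunk replaces `<linux/ip.h>`, `<linux/in.h>` and `<linux/if.h>` with the libc equivalents only inside the `#else /* libc5 */` branch; whether the branch above it (outside the hunk) needs the same treatment cannot be judged from here.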

diff --git a/net-firewall/iptables/iptables-1.4.20-r99.ebuild b/net-firewall/iptables/iptables-1.4.20-r99.ebuild
new file mode 100644
index 0000000..7c0b4d1
--- /dev/null
+++ b/net-firewall/iptables/iptables-1.4.20-r99.ebuild
@@ -0,0 +1,93 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-firewall/iptables/iptables-1.4.20.ebuild,v 1.12 2014/01/18 19:48:53 ago Exp $
+
+EAPI="4"
+
+# Force users doing their own patches to install their own tools
+AUTOTOOLS_AUTO_DEPEND=no
+
+inherit eutils multilib toolchain-funcs autotools
+
+DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
+HOMEPAGE="http://www.netfilter.org/projects/iptables/"
+SRC_URI="http://www.netfilter.org/projects/iptables/files/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86"
+IUSE="ipv6 netlink static-libs"
+
+RDEPEND="
+	netlink? ( net-libs/libnfnetlink )
+"
+DEPEND="${RDEPEND}
+	virtual/os-headers
+	virtual/pkgconfig
+"
+
+src_prepare() {
+	# use the saner headers from the kernel
+	rm -f include/linux/{kernel,types}.h
+
+	epatch ${FILESDIR}/${P}-musl.patch
+
+	# Remove problematic extensions
+	rm -f extensions/libxt_TCPOPTSTRIP.*
+	rm -f extensions/libxt_osf.*
+
+	# Only run autotools if user patched something
+	epatch_user && eautoreconf || elibtoolize
+}
+
+src_configure() {
+	# Some libs use $(AR) rather than libtool to build #444282
+	tc-export AR
+
+	sed -i \
+		-e "/nfnetlink=[01]/s:=[01]:=$(usex netlink 1 0):" \
+		configure || die
+
+	econf \
+		--sbindir="${EPREFIX}/sbin" \
+		--libexecdir="${EPREFIX}/$(get_libdir)" \
+		--enable-devel \
+		--enable-shared \
+		$(use_enable static-libs static) \
+		$(use_enable ipv6)
+}
+
+src_compile() {
+	emake V=1
+}
+
+src_install() {
+	default
+	dodoc INCOMPATIBILITIES iptables/iptables.xslt
+
+	# all the iptables binaries are in /sbin, so might as well
+	# put these small files in with them
+	into /
+	dosbin iptables/iptables-apply
+	dosym iptables-apply /sbin/ip6tables-apply
+	doman iptables/iptables-apply.8
+
+	insinto /usr/include
+	doins include/iptables.h $(use ipv6 && echo include/ip6tables.h)
+	insinto /usr/include/iptables
+	doins include/iptables/internal.h
+
+	keepdir /var/lib/iptables
+	newinitd "${FILESDIR}"/${PN}-1.4.13-r1.init iptables
+	newconfd "${FILESDIR}"/${PN}-1.4.13.confd iptables
+	if use ipv6 ; then
+		keepdir /var/lib/ip6tables
+		newinitd "${FILESDIR}"/iptables-1.4.13-r1.init ip6tables
+		newconfd "${FILESDIR}"/ip6tables-1.4.13.confd ip6tables
+	fi
+
+	# Move important libs to /lib
+	gen_usr_ldscript -a ip{4,6}tc iptc xtables
+
+	prune_libtool_files
+}
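Review bot: `epatch ${FILESDIR}/${P}-musl.patch` in src_prepare leaves `${FILESDIR}` unquoted while the newinitd/newconfd calls in src_install quote it; write it as `epatch "${FILESDIR}"/${P}-musl.patch` for consistency and so a path with whitespace cannot split. The comment `# Remove problematic extensions` above the two `rm -f extensions/...` lines does not say what the problem is; since the commit message is "Disable some extensions to make it build", record that next to the code, e.g. `# libxt_TCPOPTSTRIP and libxt_osf do not build on this libc (see commit message); drop them until fixed` — the exact failure is not visible here, so adjust the wording to what was observed.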

diff --git a/net-firewall/iptables/metadata.xml b/net-firewall/iptables/metadata.xml
new file mode 100644
index 0000000..ed96e3d
--- /dev/null
+++ b/net-firewall/iptables/metadata.xml
@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+<herd>base-system</herd>
+<use>
+ <flag name='netlink'>Build against libnfnetlink which enables the nfnl_osf util</flag>
+</use>
+<longdescription>
+  iptables is the userspace command line program used to set up, maintain, and
+  inspect the tables of IPv4 packet filter rules in the Linux kernel. It's a
+  part of packet filtering framework which allows the stateless and stateful
+  packet filtering, all kinds of network address and port translation, and is a
+  flexible and extensible infrastructure with multiple layers of API's for 3rd
+  party extensions. The iptables package also includes ip6tables. ip6tables is
+  used for configuring the IPv6 packet filter.
+
+  Note that some extensions (e.g. imq and l7filter) are not included into
+  official kernel sources so you have to patch the sources before installation.
+</longdescription>
+<upstream>
+ <remote-id type="cpe">cpe:/a:netfilter_core_team:iptables</remote-id>
+</upstream>
+</pkgmetadata>

