From: "Anthony G. Basile"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Anthony G. Basile"
Message-ID: <1392638025.261813f2c25976c4a52741449fe1cce34ffa73f6.blueness@gentoo>
Subject: [gentoo-commits] proj/hardened-dev:musl commit in: net-firewall/iptables/files/, net-firewall/iptables/
X-VCS-Repository: proj/hardened-dev
X-VCS-Files: net-firewall/iptables/files/ip6tables-1.4.13.confd net-firewall/iptables/files/iptables-1.4.13-r1.init net-firewall/iptables/files/iptables-1.4.13.confd net-firewall/iptables/files/iptables-1.4.20-musl.patch net-firewall/iptables/iptables-1.4.20-r99.ebuild net-firewall/iptables/metadata.xml
X-VCS-Directories: net-firewall/iptables/files/ net-firewall/iptables/
X-VCS-Committer: blueness
X-VCS-Committer-Name: Anthony G. Basile
X-VCS-Revision: 261813f2c25976c4a52741449fe1cce34ffa73f6
X-VCS-Branch: musl
Date: Mon, 17 Feb 2014 11:53:33 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 21304935-e26f-444e-951e-3e490e8dfbe3
X-Archives-Hash: e03daa53bd0dccc01a466ba56f1dff14

commit:     261813f2c25976c4a52741449fe1cce34ffa73f6
Author:     Felix Janda posteo de>
AuthorDate: Sun Feb 16 18:41:48 2014 +0000
Commit:     Anthony G. Basile gentoo org>
CommitDate: Mon Feb 17 11:53:45 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=261813f2

net-firewall/iptables: move to tree

Disable some extensions to make it build

---
 net-firewall/iptables/files/ip6tables-1.4.13.confd |  19 ++
 .../iptables/files/iptables-1.4.13-r1.init         | 130 +++++++++
 net-firewall/iptables/files/iptables-1.4.13.confd  |  19 ++
 .../iptables/files/iptables-1.4.20-musl.patch      | 304 +++++++++++++++++++++
 net-firewall/iptables/iptables-1.4.20-r99.ebuild   |  93 +++++++
 net-firewall/iptables/metadata.xml                 |  23 ++
 6 files changed, 588 insertions(+)
diff --git a/net-firewall/iptables/files/ip6tables-1.4.13.confd b/net-firewall/iptables/files/ip6tables-1.4.13.confd new file mode 100644 index 0000000..3bb3698 --- /dev/null +++ b/net-firewall/iptables/files/ip6tables-1.4.13.confd @@ -0,0 +1,19 @@ +# /etc/conf.d/ip6tables + +# Location in which iptables initscript will save set rules on +# service shutdown +IP6TABLES_SAVE="/var/lib/ip6tables/rules-save" + +# Options to pass to iptables-save and iptables-restore +SAVE_RESTORE_OPTIONS="-c" + +# Save state on stopping iptables +SAVE_ON_STOP="yes" + +# If you need to log iptables messages as soon as iptables starts, +# AND your logger does NOT depend on the network, then you may wish +# to uncomment the next line. +# If your logger depends on the network, and you uncomment this line +# you will create an unresolvable circular dependency during startup. +# After commenting or uncommenting this line, you must run 'rc-update -u'. +#rc_use="logger" diff --git a/net-firewall/iptables/files/iptables-1.4.13-r1.init b/net-firewall/iptables/files/iptables-1.4.13-r1.init new file mode 100644 index 0000000..a63d076 --- /dev/null +++ b/net-firewall/iptables/files/iptables-1.4.13-r1.init 
@@ -0,0 +1,130 @@ +#!/sbin/runscript +# Copyright 1999-2013 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/net-firewall/iptables/files/iptables-1.4.13-r1.init,v 1.3 2013/04/27 17:29:09 vapier Exp $ + +extra_commands="check save panic" +extra_started_commands="reload" + +iptables_name=${SVCNAME} +case ${iptables_name} in +iptables|ip6tables) ;; +*) iptables_name="iptables" ;; +esac + +iptables_bin="/sbin/${iptables_name}" +case ${iptables_name} in + iptables) iptables_proc="/proc/net/ip_tables_names" + iptables_save=${IPTABLES_SAVE};; + ip6tables) iptables_proc="/proc/net/ip6_tables_names" + iptables_save=${IP6TABLES_SAVE};; +esac + +depend() { + need localmount #434774 + before net +} + +set_table_policy() { + local chains table=$1 policy=$2 + case ${table} in + nat) chains="PREROUTING POSTROUTING OUTPUT";; + mangle) chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING";; + filter) chains="INPUT FORWARD OUTPUT";; + *) chains="";; + esac + local chain + for chain in ${chains} ; do + ${iptables_bin} -t ${table} -P ${chain} ${policy} + done +} + +checkkernel() { + if [ ! -e ${iptables_proc} ] ; then + eerror "Your kernel lacks ${iptables_name} support, please load" + eerror "appropriate modules and try again." + return 1 + fi + return 0 +} +checkconfig() { + if [ ! -f ${iptables_save} ] ; then + eerror "Not starting ${iptables_name}. First create some rules then run:" + eerror "/etc/init.d/${iptables_name} save" + return 1 + fi + return 0 +} + +start() { + checkconfig || return 1 + ebegin "Loading ${iptables_name} state and starting firewall" + ${iptables_bin}-restore ${SAVE_RESTORE_OPTIONS} < "${iptables_save}" + eend $? 
+} + +stop() { + if [ "${SAVE_ON_STOP}" = "yes" ] ; then + save || return 1 + fi + checkkernel || return 1 + ebegin "Stopping firewall" + local a + for a in $(cat ${iptables_proc}) ; do + set_table_policy $a ACCEPT + + ${iptables_bin} -F -t $a + ${iptables_bin} -X -t $a + done + eend $? +} + +reload() { + checkkernel || return 1 + checkrules || return 1 + ebegin "Flushing firewall" + local a + for a in $(cat ${iptables_proc}) ; do + ${iptables_bin} -F -t $a + ${iptables_bin} -X -t $a + done + eend $? + + start +} + +checkrules() { + ebegin "Checking rules" + ${iptables_bin}-restore --test ${SAVE_RESTORE_OPTIONS} < "${iptables_save}" + eend $? +} + +check() { + # Short name for users of init.d script. + checkrules +} + +save() { + ebegin "Saving ${iptables_name} state" + checkpath -q -d "$(dirname "${iptables_save}")" + checkpath -q -m 0600 -f "${iptables_save}" + ${iptables_bin}-save ${SAVE_RESTORE_OPTIONS} > "${iptables_save}" + eend $? +} + +panic() { + checkkernel || return 1 + if service_started ${iptables_name}; then + rc-service ${iptables_name} stop + fi + + local a + ebegin "Dropping all packets" + for a in $(cat ${iptables_proc}) ; do + ${iptables_bin} -F -t $a + ${iptables_bin} -X -t $a + + set_table_policy $a DROP + done + eend $? +} diff --git a/net-firewall/iptables/files/iptables-1.4.13.confd b/net-firewall/iptables/files/iptables-1.4.13.confd new file mode 100644 index 0000000..7225374 --- /dev/null +++ b/net-firewall/iptables/files/iptables-1.4.13.confd 
@@ -0,0 +1,19 @@ +# /etc/conf.d/iptables + +# Location in which iptables initscript will save set rules on +# service shutdown +IPTABLES_SAVE="/var/lib/iptables/rules-save" + +# Options to pass to iptables-save and iptables-restore +SAVE_RESTORE_OPTIONS="-c" + +# Save state on stopping iptables +SAVE_ON_STOP="yes" + +# If you need to log iptables messages as soon as iptables starts, +# AND your logger does NOT depend on the network, then you may wish +# to uncomment the next line. +# If your logger depends on the network, and you uncomment this line +# you will create an unresolvable circular dependency during startup. +# After commenting or uncommenting this line, you must run 'rc-update -u'. +#rc_use="logger" diff --git a/net-firewall/iptables/files/iptables-1.4.20-musl.patch b/net-firewall/iptables/files/iptables-1.4.20-musl.patch new file mode 100644 index 0000000..cd5b1a7 --- /dev/null +++ b/net-firewall/iptables/files/iptables-1.4.20-musl.patch 
@@ -0,0 +1,304 @@ +diff -ur a/iptables-1.4.20/extensions/libxt_conntrack.c b/iptables-1.4.20/extensions/libxt_conntrack.c +--- a/iptables-1.4.20/extensions/libxt_conntrack.c ++++ b/iptables-1.4.20/extensions/libxt_conntrack.c +@@ -786,7 +786,7 @@ + + static void + conntrack_dump_ports(const char *prefix, const char *opt, +- u_int16_t port_low, u_int16_t port_high) ++ uint16_t port_low, uint16_t port_high) + { + if (port_high == 0 || port_low == port_high) + printf(" %s%s %u", prefix, opt, port_low); +diff -ur a/iptables-1.4.20/include/libipq/libipq.h b/iptables-1.4.20/include/libipq/libipq.h +--- a/iptables-1.4.20/include/libipq/libipq.h ++++ b/iptables-1.4.20/include/libipq/libipq.h +@@ -48,19 +48,19 @@ + struct ipq_handle + { + int fd; +- u_int8_t blocking; ++ uint8_t blocking; + struct sockaddr_nl local; + struct sockaddr_nl peer; + }; + +-struct ipq_handle *ipq_create_handle(u_int32_t flags, u_int32_t protocol); ++struct ipq_handle *ipq_create_handle(uint32_t flags, uint32_t protocol); + + int ipq_destroy_handle(struct ipq_handle *h); + + ssize_t ipq_read(const struct ipq_handle *h, + unsigned char *buf, size_t len, int timeout); + +-int ipq_set_mode(const struct ipq_handle *h, u_int8_t mode, size_t len); ++int ipq_set_mode(const struct ipq_handle *h, uint8_t mode, size_t len); + + ipq_packet_msg_t *ipq_get_packet(const unsigned char *buf); + +diff -ur a/iptables-1.4.20/include/libiptc/ipt_kernel_headers.h b/iptables-1.4.20/include/libiptc/ipt_kernel_headers.h +--- a/iptables-1.4.20/include/libiptc/ipt_kernel_headers.h ++++ b/iptables-1.4.20/include/libiptc/ipt_kernel_headers.h +@@ -15,13 +15,12 @@ + #include + #else /* libc5 */ + #include +-#include +-#include +-#include ++#include ++#include ++#include + #include + #include + #include + #include +-#include + #endif + #endif +diff -ur a/iptables-1.4.20/include/libiptc/libxtc.h b/iptables-1.4.20/include/libiptc/libxtc.h +--- a/iptables-1.4.20/include/libiptc/libxtc.h ++++ 
b/iptables-1.4.20/include/libiptc/libxtc.h +@@ -10,7 +10,7 @@ + #endif + + #ifndef XT_MIN_ALIGN +-/* xt_entry has pointers and u_int64_t's in it, so if you align to ++/* xt_entry has pointers and uint64_t's in it, so if you align to + it, you'll also align to any crazy matches and targets someone + might write */ + #define XT_MIN_ALIGN (__alignof__(struct xt_entry)) +diff -ur a/iptables-1.4.20/include/libipulog/libipulog.h b/iptables-1.4.20/include/libipulog/libipulog.h +--- a/iptables-1.4.20/include/libipulog/libipulog.h 2013-08-06 15:48:43.000000000 +0000 ++++ b/iptables-1.4.20/include/libipulog/libipulog.h 2014-02-09 09:32:45.058650377 +0000 +@@ -21,9 +21,9 @@ + + struct ipulog_handle; + +-u_int32_t ipulog_group2gmask(u_int32_t group); ++uint32_t ipulog_group2gmask(uint32_t group); + +-struct ipulog_handle *ipulog_create_handle(u_int32_t gmask); ++struct ipulog_handle *ipulog_create_handle(uint32_t gmask); + + void ipulog_destroy_handle(struct ipulog_handle *h); + +diff -ur a/iptables-1.4.20/include/linux/netfilter_ipv4/ip_tables.h b/iptables-1.4.20/include/linux/netfilter_ipv4/ip_tables.h +--- a/iptables-1.4.20/include/linux/netfilter_ipv4/ip_tables.h ++++ b/iptables-1.4.20/include/linux/netfilter_ipv4/ip_tables.h +@@ -15,6 +15,7 @@ + #ifndef _IPTABLES_H + #define _IPTABLES_H + ++#include + #include + + #include +@@ -73,12 +74,12 @@ + unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ]; + + /* Protocol, 0 = ANY */ +- u_int16_t proto; ++ uint16_t proto; + + /* Flags word */ +- u_int8_t flags; ++ uint8_t flags; + /* Inverse flags */ +- u_int8_t invflags; ++ uint8_t invflags; + }; + + /* Values for "flag" field in struct ipt_ip (general ip structure). 
*/ +@@ -106,9 +107,9 @@ + unsigned int nfcache; + + /* Size of ipt_entry + matches */ +- u_int16_t target_offset; ++ uint16_t target_offset; + /* Size of ipt_entry + matches + target */ +- u_int16_t next_offset; ++ uint16_t next_offset; + + /* Back pointer */ + unsigned int comefrom; +@@ -125,7 +126,7 @@ + * Unlike BSD Linux inherits IP options so you don't have to use a raw + * socket for this. Instead we check rights in the calls. + * +- * ATTENTION: check linux/in.h before adding new number here. ++ * ATTENTION: check netinet/in.h before adding new number here. + */ + #define IPT_BASE_CTL 64 + +@@ -141,9 +142,9 @@ + + /* ICMP matching stuff */ + struct ipt_icmp { +- u_int8_t type; /* type to match */ +- u_int8_t code[2]; /* range of code */ +- u_int8_t invflags; /* Inverse flags */ ++ uint8_t type; /* type to match */ ++ uint8_t code[2]; /* range of code */ ++ uint8_t invflags; /* Inverse flags */ + }; + + /* Values for "inv" field for struct ipt_icmp. */ +diff -ur a/iptables-1.4.20/include/linux/netfilter_ipv6/ip6_tables.h b/iptables-1.4.20/include/linux/netfilter_ipv6/ip6_tables.h +--- a/iptables-1.4.20/include/linux/netfilter_ipv6/ip6_tables.h ++++ b/iptables-1.4.20/include/linux/netfilter_ipv6/ip6_tables.h +@@ -73,14 +73,14 @@ + * MH do not match any packets. + * - You also need to set IP6T_FLAGS_PROTO to "flags" to check protocol. + */ +- u_int16_t proto; ++ uint16_t proto; + /* TOS to match iff flags & IP6T_F_TOS */ +- u_int8_t tos; ++ uint8_t tos; + + /* Flags word */ +- u_int8_t flags; ++ uint8_t flags; + /* Inverse flags */ +- u_int8_t invflags; ++ uint8_t invflags; + }; + + /* Values for "flag" field in struct ip6t_ip6 (general ip6 structure). 
*/ +@@ -110,9 +110,9 @@ + unsigned int nfcache; + + /* Size of ipt_entry + matches */ +- u_int16_t target_offset; ++ uint16_t target_offset; + /* Size of ipt_entry + matches + target */ +- u_int16_t next_offset; ++ uint16_t next_offset; + + /* Back pointer */ + unsigned int comefrom; +@@ -162,7 +162,6 @@ + * Unlike BSD Linux inherits IP options so you don't have to use + * a raw socket for this. Instead we check rights in the calls. + * +- * ATTENTION: check linux/in6.h before adding new number here. + */ + #define IP6T_BASE_CTL 64 + +@@ -178,9 +177,9 @@ + + /* ICMP matching stuff */ + struct ip6t_icmp { +- u_int8_t type; /* type to match */ +- u_int8_t code[2]; /* range of code */ +- u_int8_t invflags; /* Inverse flags */ ++ uint8_t type; /* type to match */ ++ uint8_t code[2]; /* range of code */ ++ uint8_t invflags; /* Inverse flags */ + }; + + /* Values for "inv" field for struct ipt_icmp. */ +diff -ur a/iptables-1.4.20/include/linux/netfilter_ipv6/ip6t_rt.h b/iptables-1.4.20/include/linux/netfilter_ipv6/ip6t_rt.h +--- a/iptables-1.4.20/include/linux/netfilter_ipv6/ip6t_rt.h ++++ b/iptables-1.4.20/include/linux/netfilter_ipv6/ip6t_rt.h +@@ -2,7 +2,6 @@ + #define _IP6T_RT_H + + #include +-/*#include */ + + #define IP6T_RT_HOPS 16 + +diff -ur a/iptables-1.4.20/include/xtables.h b/iptables-1.4.20/include/xtables.h +--- a/iptables-1.4.20/include/xtables.h ++++ b/iptables-1.4.20/include/xtables.h +@@ -220,12 +220,12 @@ + const char *real_name; + + /* Revision of match (0 by default). */ +- u_int8_t revision; ++ uint8_t revision; + + /* Extension flags */ +- u_int8_t ext_flags; ++ uint8_t ext_flags; + +- u_int16_t family; ++ uint16_t family; + + /* Size of match data. */ + size_t size; +@@ -297,12 +297,12 @@ + const char *real_name; + + /* Revision of target (0 by default). */ +- u_int8_t revision; ++ uint8_t revision; + + /* Extension flags */ +- u_int8_t ext_flags; ++ uint8_t ext_flags; + +- u_int16_t family; ++ uint16_t family; + + + /* Size of target data. 
*/ +@@ -373,7 +373,7 @@ + */ + struct xtables_pprot { + const char *name; +- u_int8_t num; ++ uint8_t num; + }; + + enum xtables_tryload { +@@ -446,12 +446,12 @@ + extern bool xtables_strtoui(const char *, char **, unsigned int *, + unsigned int, unsigned int); + extern int xtables_service_to_port(const char *name, const char *proto); +-extern u_int16_t xtables_parse_port(const char *port, const char *proto); ++extern uint16_t xtables_parse_port(const char *port, const char *proto); + extern void + xtables_parse_interface(const char *arg, char *vianame, unsigned char *mask); + + /* this is a special 64bit data type that is 8-byte aligned */ +-#define aligned_u64 u_int64_t __attribute__((aligned(8))) ++#define aligned_u64 uint64_t __attribute__((aligned(8))) + + extern struct xtables_globals *xt_params; + #define xtables_error (xt_params->exit_err) +@@ -514,7 +514,7 @@ + #endif + + extern const struct xtables_pprot xtables_chain_protos[]; +-extern u_int16_t xtables_parse_protocol(const char *s); ++extern uint16_t xtables_parse_protocol(const char *s); + + /* kernel revision handling */ + extern int kernel_version; +diff -ur a/iptables-1.4.20/libipq/ipq_create_handle.3 b/iptables-1.4.20/libipq/ipq_create_handle.3 +--- a/iptables-1.4.20/libipq/ipq_create_handle.3 ++++ b/iptables-1.4.20/libipq/ipq_create_handle.3 +@@ -24,7 +24,7 @@ + .br + .B #include + .sp +-.BI "struct ipq_handle *ipq_create_handle(u_int32_t " flags ", u_int32_t " protocol ");" ++.BI "struct ipq_handle *ipq_create_handle(uint32_t " flags ", uint32_t " protocol ");" + .br + .BI "int ipq_destroy_handle(struct ipq_handle *" h ); + .SH DESCRIPTION +diff -ur a/iptables-1.4.20/libipq/ipq_set_mode.3 b/iptables-1.4.20/libipq/ipq_set_mode.3 +--- a/iptables-1.4.20/libipq/ipq_set_mode.3 ++++ b/iptables-1.4.20/libipq/ipq_set_mode.3 +@@ -24,7 +24,7 @@ + .br + .B #include + .sp +-.BI "int ipq_set_mode(const struct ipq_handle *" h ", u_int8_t " mode ", size_t " range ); ++.BI "int ipq_set_mode(const struct 
ipq_handle *" h ", uint8_t " mode ", size_t " range ); + .SH DESCRIPTION + The + .B ipq_set_mode diff --git a/net-firewall/iptables/iptables-1.4.20-r99.ebuild b/net-firewall/iptables/iptables-1.4.20-r99.ebuild new file mode 100644 index 0000000..7c0b4d1 --- /dev/null +++ b/net-firewall/iptables/iptables-1.4.20-r99.ebuild 
@@ -0,0 +1,93 @@ +# Copyright 1999-2014 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/net-firewall/iptables/iptables-1.4.20.ebuild,v 1.12 2014/01/18 19:48:53 ago Exp $ + +EAPI="4" + +# Force users doing their own patches to install their own tools +AUTOTOOLS_AUTO_DEPEND=no + +inherit eutils multilib toolchain-funcs autotools + +DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools" +HOMEPAGE="http://www.netfilter.org/projects/iptables/" +SRC_URI="http://www.netfilter.org/projects/iptables/files/${P}.tar.bz2" + +LICENSE="GPL-2" +SLOT="0" +KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86" +IUSE="ipv6 netlink static-libs" + +RDEPEND=" + netlink? ( net-libs/libnfnetlink ) +" +DEPEND="${RDEPEND} + virtual/os-headers + virtual/pkgconfig +" + +src_prepare() { + # use the saner headers from the kernel + rm -f include/linux/{kernel,types}.h + + epatch ${FILESDIR}/${P}-musl.patch + + # Remove problematic extensions + rm -f extensions/libxt_TCPOPTSTRIP.* + rm -f extensions/libxt_osf.* + + # Only run autotools if user patched something + epatch_user && eautoreconf || elibtoolize +} + +src_configure() { + # Some libs use $(AR) rather than libtool to build #444282 + tc-export AR + + sed -i \ + -e "/nfnetlink=[01]/s:=[01]:=$(usex netlink 1 0):" \ + configure || die + + econf \ + --sbindir="${EPREFIX}/sbin" \ + --libexecdir="${EPREFIX}/$(get_libdir)" \ + --enable-devel \ + --enable-shared \ + $(use_enable static-libs static) \ + $(use_enable ipv6) +} + +src_compile() { + emake V=1 +} + +src_install() { + default + dodoc INCOMPATIBILITIES iptables/iptables.xslt + + # all the iptables binaries are in /sbin, so might as well + # put these small files in with them + into / + dosbin iptables/iptables-apply + dosym iptables-apply /sbin/ip6tables-apply + doman iptables/iptables-apply.8 + + insinto /usr/include + doins include/iptables.h $(use ipv6 && echo 
include/ip6tables.h) + insinto /usr/include/iptables + doins include/iptables/internal.h + + keepdir /var/lib/iptables + newinitd "${FILESDIR}"/${PN}-1.4.13-r1.init iptables + newconfd "${FILESDIR}"/${PN}-1.4.13.confd iptables + if use ipv6 ; then + keepdir /var/lib/ip6tables + newinitd "${FILESDIR}"/iptables-1.4.13-r1.init ip6tables + newconfd "${FILESDIR}"/ip6tables-1.4.13.confd ip6tables + fi + + # Move important libs to /lib + gen_usr_ldscript -a ip{4,6}tc iptc xtables + + prune_libtool_files +} diff --git a/net-firewall/iptables/metadata.xml b/net-firewall/iptables/metadata.xml new file mode 100644 index 0000000..ed96e3d --- /dev/null +++ b/net-firewall/iptables/metadata.xml @@ -0,0 +1,23 @@ + + + +base-system + + Build against libnfnetlink which enables the nfnl_osf util + + + iptables is the userspace command line program used to set up, maintain, and + inspect the tables of IPv4 packet filter rules in the Linux kernel. It's a + part of packet filtering framework which allows the stateless and stateful + packet filtering, all kinds of network address and port translation, and is a + flexible and extensible infrastructure with multiple layers of API's for 3rd + party extensions. The iptables package also includes ip6tables. ip6tables is + used for configuring the IPv6 packet filter. + + Note that some extensions (e.g. imq and l7filter) are not included into + official kernel sources so you have to patch the sources before installation. + + + cpe:/a:netfilter_core_team:iptables + +
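Review bot: both conf.d files (ip6tables-1.4.13.confd and iptables-1.4.13.confd) default to `SAVE_ON_STOP="yes"` with only the comment `# Save state on stopping iptables`; spell out the consequence, namely that whatever ruleset is live when the service stops overwrites the saved rules file, so an ad-hoc flush or a temporary rule added during troubleshooting becomes the persisted policy on the next boot, and that the `-c` in `SAVE_RESTORE_OPTIONS="-c"` persists packet counters along with the rules. A one-line hint that operators who manage rules out of band should set it to "no" would prevent accidental loss of the saved ruleset.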
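Review bot: start() in the init script hunk calls only checkconfig, while stop(), reload() and panic() all begin with `checkkernel || return 1`; adding the same call before the ebegin in start() gives the operator the explicit "Your kernel lacks ${iptables_name} support" message instead of an opaque iptables-restore failure. Separately, in stop(), reload() and panic() the `eend $?` after the `for a in $(cat ${iptables_proc})` loop reports only the status of the final `${iptables_bin} -X -t $a`, so a failed flush or policy change on an earlier table goes unreported; set a flag inside the loop (`${iptables_bin} -X -t $a || ret=1`) and pass it to eend so that a partially applied flush is visible. Worth a comment in panic(): because it goes through `rc-service ${iptables_name} stop`, the live ruleset is saved first when SAVE_ON_STOP is set, and only then are the DROP policies applied.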
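Review bot: in the ip6_tables.h part of the musl patch the line `- * ATTENTION: check linux/in6.h before adding new number here.` is deleted outright, leaving a dangling ` *` comment line, whereas the matching ip_tables.h hunk rewrites the same note to `+ * ATTENTION: check netinet/in.h before adding new number here.`; rewriting instead of deleting keeps the two headers consistent and preserves the warning about the IP6T_BASE_CTL numbering. Two hygiene points: the libipulog.h file header carries timestamps (`--- a/iptables-1.4.20/include/libipulog/libipulog.h 2013-08-06 15:48:43.000000000 +0000`) while every other file header in the patch does not, so it was assembled from separate diff runs and should be regenerated in one pass; and because the u_int*_t to uint*_t switch touches exported headers (xtables.h, libipq.h, libipulog.h) and their man pages, the commit message should state that the change is type-for-type identical and does not alter the ABI, so that consumers building against these headers know nothing needs rebuilding.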
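Review bot: the `rm -f extensions/libxt_TCPOPTSTRIP.*` and `rm -f extensions/libxt_osf.*` lines in src_prepare() silently drop the TCPOPTSTRIP target and the osf match from the musl build, and the only explanation is the commit message's "Disable some extensions to make it build". Record in a comment which header or type the two extensions fail on under musl so the workaround can be lifted once it is fixed, and tell users (an elog in pkg_postinst, or the longdescription) that these two extensions are unavailable, since a saved ruleset that references them will fail to load in iptables-restore and leave the service unstarted. Minor: `epatch ${FILESDIR}/${P}-musl.patch` leaves ${FILESDIR} unquoted while every other use in the ebuild quotes it (`newinitd "${FILESDIR}"/${PN}-1.4.13-r1.init iptables`); quote it for consistency.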
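Review bot: the netlink flag description in metadata.xml, `Build against libnfnetlink which enables the nfnl_osf util`, should be checked against src_prepare() in the ebuild, which removes `extensions/libxt_osf.*`: nfnl_osf loads OS fingerprints into the kernel for the osf match, so on this build the utility may be installed while the match that consumes its data is missing. Either confirm that nfnl_osf still builds without libxt_osf and note the limitation in the description, or drop the claim from the flag text.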