From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 69F4513888F for ; Thu, 15 Oct 2015 09:07:00 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id E4EF821C029; Thu, 15 Oct 2015 09:06:59 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 826F321C029 for ; Thu, 15 Oct 2015 09:06:54 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 21CB0340A4A for ; Thu, 15 Oct 2015 09:06:50 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 833BB922 for ; Thu, 15 Oct 2015 09:06:48 +0000 (UTC) 
From: "Ian Delaney" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Ian Delaney" Message-ID: <1444899997.322474a9c7cb65b6ebd39d8efd8526f19c38f90b.idella4@gentoo> Subject: [gentoo-commits] repo/gentoo:master commit in: net-firewall/nftables/files/, net-firewall/nftables/ X-VCS-Repository: repo/gentoo X-VCS-Files: net-firewall/nftables/files/nftables.init-r1 net-firewall/nftables/metadata.xml net-firewall/nftables/nftables-0.5-r1.ebuild X-VCS-Directories: net-firewall/nftables/files/ net-firewall/nftables/ X-VCS-Committer: idella4 X-VCS-Committer-Name: Ian Delaney X-VCS-Revision: 322474a9c7cb65b6ebd39d8efd8526f19c38f90b X-VCS-Branch: master Date: Thu, 15 Oct 2015 09:06:48 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 2ecad929-d4bd-4c8d-a0eb-e952c06ecd27 X-Archives-Hash: da89a1dfe57e54230e7d8a4b5ea0d0a9 commit: 322474a9c7cb65b6ebd39d8efd8526f19c38f90b Author: Ian Delaney gentoo org> AuthorDate: Thu Oct 15 09:05:28 2015 +0000 Commit: Ian Delaney gentoo org> CommitDate: Thu Oct 15 09:06:37 2015 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=322474a9 net-firewall/nftables: revbump and patch to fix broken init script patches submitted by Nicholas Vinson via gentoo bug, set in metadata as new proxy maintainer by invitation by developer maintainer mreug, thanks to gokturk for assistance and cross testing Gentoo bug: #560920 Package-Manager: portage-2.2.20.1 net-firewall/nftables/files/nftables.init-r1 | 263 +++++++++++++++++++++++++++ net-firewall/nftables/metadata.xml | 16 +- net-firewall/nftables/nftables-0.5-r1.ebuild | 57 ++++++ 3 files changed, 331 insertions(+), 5 deletions(-) diff --git a/net-firewall/nftables/files/nftables.init-r1 b/net-firewall/nftables/files/nftables.init-r1 new file mode 100644 index 0000000..05bb053 
--- /dev/null
+++ b/net-firewall/nftables/files/nftables.init-r1
@@ -0,0 +1,263 @@
+#!/sbin/runscript
+# Copyright 2014 Nicholas Vinson
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+extra_commands="clear list panic save"
+extra_started_commands="reload"
+depend() {
+ need localmount #434774
+ before net
+}
+
+start_pre() {
+ checkkernel || return 1
+ checkconfig || return 1
+ return 0
+}
+
+clear() {
+ if use_legacy; then
+ clear_legacy
+ return 0
+ fi
+
+ nft flush ruleset
+}
+
+list() {
+ if use_legacy; then
+ list_legacy
+ return 0
+ fi
+
+ nft list ruleset
+}
+
+panic() {
+ checkkernel || return 1
+ if service_started ${RC_SVCNAME}; then
+ rc-service ${RC_SVCNAME} stop
+ fi
+
+ ebegin "Dropping all packets"
+ clear
+ if nft create table ip filter >/dev/null 2>&1; then
+ #nft -f /var/lib/nftables/rules-panic.ip
+ nft -f /dev/stdin <<-EOF
+ table ip filter {
+ chain input {
+ type filter hook input priority 0;
+ drop
+ }
+ chain forward {
+ type filter hook forward priority 0;
+ drop
+ }
+ chain output {
+ type filter hook output priority 0;
+ drop
+ }
+ }
+ EOF
+ fi
+ if nft create table ip6 filter >/dev/null 2>&1; then
+ #nft -f /var/lib/nftables/rules-panic.ip6
+ nft -f /dev/stdin <<-EOF
+ table ip6 filter {
+ chain input {
+ type filter hook input priority 0;
+ drop
+ }
+ chain forward {
+ type filter hook forward priority 0;
+ drop
+ }
+ chain output {
+ type filter hook output priority 0;
+ drop
+ }
+ }
+ EOF
+ fi
+}
+
+reload() {
+ checkkernel || return 1
+ ebegin "Flushing firewall"
+ clear
+ start
+}
+
+save() {
+ ebegin "Saving nftables state"
+ checkpath -q -d "$(dirname "${NFTABLES_SAVE}")"
+ checkpath -q -m 0600 -f "${NFTABLES_SAVE}"
+
+ local tmp_save="${NFTABLES_SAVE}.tmp"
+
+ if use_legacy; then
+ save_legacy ${tmp_save}
+ else
+ nft list ruleset > ${tmp_save}
+ fi
+ mv ${tmp_save} ${NFTABLES_SAVE}
+}
+
+start() {
+ ebegin "Loading nftables state and starting firewall"
+ clear
+ nft -f ${NFTABLES_SAVE}
+ eend $?
+}
+
+stop() {
+ if yesno ${SAVE_ON_STOP:-yes}; then
+ save || return 1
+ fi
+
+ ebegin "Stopping firewall"
+ clear
+ eend $?
+}
+
+################################################################################
+#
+# SUPPORT FUNCTIONS
+#
+################################################################################
+checkconfig() {
+ if [ ! -f ${NFTABLES_SAVE} ]; then
+ eerror "Not starting nftables. First create some rules then run:"
+ eerror "rc-service nftables save"
+ return 1
+ fi
+ return 0
+}
+
+checkkernel() {
+ if ! nft list tables >/dev/null 2>&1; then
+ eerror "Your kernel lacks nftables support, please load"
+ eerror "appropriate modules and try again."
+ return 1
+ fi
+ return 0
+}
+
+use_legacy() {
+ local major_ver minor_ver
+
+ major_ver=`uname -r | cut -d '.' -f1`
+ minor_ver=`uname -r | cut -d '.' -f2`
+
+ [[ $major_ver -ge 4 || $major_ver -eq 3 && $minor_ver -ge 18 ]] && return 1
+ return 0
+}
+
+################################################################################
+#
+# LEGACY COMMAND FUNCTIONS
+#
+################################################################################
+
+clear_legacy() {
+ local l3f line table chain first_line
+
+ first_line=1
+ if manualwalk; then
+ for l3f in $(getfamilies); do
+ nft list tables ${l3f} | while read line; do
+ table=$(echo ${line} | sed "s/table[ \t]*//")
+ deletetable ${l3f} ${table}
+ done
+ done
+ else
+ nft list tables | while read line; do
+ l3f=$(echo ${line} | cut -d ' ' -f2)
+ table=$(echo ${line} | cut -d ' ' -f3)
+ deletetable ${l3f} ${table}
+ done
+ fi
+}
+
+list_legacy() {
+ local l3f
+
+ if manualwalk; then
+ for l3f in $(getfamilies); do
+ nft list tables ${l3f} | while read line; do
+ line=$(echo ${line} | sed "s/table/table ${l3f}/")
+ echo "$(nft list ${line})"
+ done
+ done
+ else
+ nft list tables | while read line; do
+ echo "$(nft list ${line})"
+ done
+ fi
+}
+
+save_legacy() {
+ tmp_save=$1
+ touch "${tmp_save}"
+ if manualwalk; then
+ for l3f in $(getfamilies); do
+ nft list tables ${l3f} | while read line; do
+ line=$(echo ${line} | sed "s/table/table ${l3f}/")
+ nft ${SAVE_OPTIONS} list ${line} >> ${tmp_save}
+ done
+ done
+ else
+ nft list tables | while read line; do
+ nft ${SAVE_OPTIONS} list ${line} >> "${tmp_save}"
+ done
+ fi
+}
+
+################################################################################
+#
+# LEGACY SUPPORT FUNCTIONS
+#
+################################################################################
+CHECK_TABLE_NAME="GENTOO_CHECK_TABLE"
+
+getfamilies() {
+ local l3f families
+
+ for l3f in ip arp ip6 bridge inet; do
+ if nft create table ${l3f} ${CHECK_TABLE_NAME} > /dev/null 2>&1; then
+ families="${families}${l3f} "
+ nft delete table ${l3f} ${CHECK_TABLE_NAME}
+ fi
+ done
+ echo ${families}
+}
+
+manualwalk() {
+ local result l3f=`getfamilies | cut -d ' ' -f1`
+
+ nft create table ${l3f} ${CHECK_TABLE_NAME}
+ nft list tables | read line
+ if [ $(echo $line | wc -w) -lt 3 ]; then
+ result=0
+ fi
+ result=1
+ nft delete table ${l3f} ${CHECK_TABLE_NAME}
+
+ return $result
+}
+
+deletetable() {
+ # family is $1
+ # table name is $2
+ nft flush table $1 $2
+ nft list table $1 $2 | while read l; do
+ chain=$(echo $l | grep -o 'chain [^[:space:]]\+' | cut -d ' ' -f2)
+ if [ -n "${chain}" ]; then
+ nft flush chain $1 $2 ${chain}
+ nft delete chain $1 $2 ${chain}
+ fi
+ done
+ nft delete table $1 $2
+}
+
diff --git a/net-firewall/nftables/metadata.xml b/net-firewall/nftables/metadata.xml
index a250966..822af25 100644
--- a/net-firewall/nftables/metadata.xml
+++ b/net-firewall/nftables/metadata.xml
@@ -1,9 +1,15 @@
-base-system
-
- mrueg@gentoo.org
- Manuel Rüger
-
+ base-system
+ proxy-maintainers
+
+ mrueg@gentoo.org
+ Manuel Rüger
+
+
+ nvinson234@gmail.com
+ Nicholas Vinson
+ Proxy maintianer to be assifgned bugs
+
diff --git a/net-firewall/nftables/nftables-0.5-r1.ebuild b/net-firewall/nftables/nftables-0.5-r1.ebuild
new file mode 100644
index 0000000..8c70616
--- /dev/null
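Review bot: `start()` (and `reload()`, which calls it directly and so skips the `checkconfig` in `start_pre`) runs `clear` before `nft -f ${NFTABLES_SAVE}`, so a parse error in the saved file leaves the host with an empty ruleset — a fail-open window that `eend $?` only reports after the fact. On non-legacy kernels the flush and the load can be one atomic transaction, e.g. `{ echo "flush ruleset"; cat "${NFTABLES_SAVE}"; } | nft -f /dev/stdin`, so a bad file leaves the previous rules in place; the legacy path has no equivalent and should at least be documented as non-atomic. In `save()`, the 0600 set by `checkpath` applies to the old file while the dump is written to `${NFTABLES_SAVE}.tmp` under the default umask and then `mv`ed over it, so the saved ruleset keeps the tmp file's mode and a failed `nft list ruleset` still replaces the last good save with an empty file; run `checkpath -q -m 0600 -f "${tmp_save}"` before the dump and guard the `mv` with the dump's exit status. Separately, `manualwalk()` assigns `result=0` and then unconditionally `result=1`, and `nft list tables | read line` leaves `$line` unset outside the pipeline in a POSIX sh, so it presumably always returns 1 — the `[[ ... ]]` test in `use_legacy()` is likewise a bashism for a `#!/sbin/runscript` script.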
+++ b/net-firewall/nftables/nftables-0.5-r1.ebuild
@@ -0,0 +1,57 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+
+inherit autotools linux-info eutils
+
+DESCRIPTION="Linux kernel (3.13+) firewall, NAT and packet mangling tools"
+HOMEPAGE="http://netfilter.org/projects/nftables/"
+SRC_URI="http://git.netfilter.org/nftables/snapshot/v${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~x86"
+IUSE="debug gmp +readline"
+
+RDEPEND=">=net-libs/libmnl-1.0.3
+ >=net-libs/libnftnl-1.0.5
+ gmp? ( dev-libs/gmp:0= )
+ readline? ( sys-libs/readline:0= )"
+DEPEND="${RDEPEND}
+ >=app-text/docbook2X-0.8.8-r4
+ sys-devel/bison
+ sys-devel/flex"
+
+S="${WORKDIR}"/v${PV}
+
+pkg_setup() {
+ if kernel_is ge 3 13; then
+ CONFIG_CHECK="~NF_TABLES"
+ linux-info_pkg_setup
+ else
+ eerror "This package requires kernel version 3.13 or newer to work properly."
+ fi
+}
+
+src_prepare() {
+ epatch_user
+ eautoreconf
+}
+
+src_configure() {
+ econf \
+ --sbindir="${EPREFIX}"/sbin \
+ $(use_enable debug) \
+ $(use_with readline cli) \
+ $(use_with !gmp mini_gmp)
+}
+
+src_install() {
+ default
+
+ newconfd "${FILESDIR}"/${PN}.confd ${PN}
+ newinitd "${FILESDIR}"/${PN}.init-r1 ${PN}
+ keepdir /var/lib/nftables
+}
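Review bot: `src_install` creates `/var/lib/nftables` with `keepdir` at the default directory mode, while the new init script's `save` only tightens the ruleset file itself to 0600; since that dump describes the host's firewall policy, adding `fperms 0700 /var/lib/nftables` after the `keepdir` would also stop unprivileged users from listing the directory or reading a `.tmp` dump created under a permissive umask. `pkg_setup` only `eerror`s on a kernel older than 3.13 and then lets the build proceed — if that is deliberate (building for a different target kernel), a one-line comment saying so would help; otherwise `die` belongs there. `newconfd "${FILESDIR}"/${PN}.confd` depends on a `nftables.confd` that this commit does not add, so presumably it already exists in `files/` — worth confirming, as the init script reads `NFTABLES_SAVE`, `SAVE_ON_STOP` and `SAVE_OPTIONS` from it unquoted.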