diff options
| author |   Sam James <sam@gentoo.org> | 2022-06-05 07:41:40 +0100 |
|---|---|---|
| committer | Sam James <sam@gentoo.org> | 2022-06-05 07:44:57 +0100 |
| commit | 9996c079375c4db6aa9a5b35f3e947608c4b99c5 (patch) | |
| tree | 280fd91d74cb1fce778dbdb960bfdd1f85dafdde | |
| parent | dev-util/cbindgen: drop 0.20.0, 0.21.0, 0.22.0 (diff) | |
| download | gentoo-9996c079.tar.gz gentoo-9996c079.tar.bz2 gentoo-9996c079.zip | |
net-firewall/nftables: backport crash fix; add test infrastructure
Signed-off-by: Sam James <sam@gentoo.org>
4 files changed, 324 insertions, 14 deletions
diff --git a/net-firewall/nftables/files/nftables-1.0.3-optimize-segfault.patch b/net-firewall/nftables/files/nftables-1.0.3-optimize-segfault.patch new file mode 100644 index 000000000000..95e53adc0b2f --- /dev/null +++ b/net-firewall/nftables/files/nftables-1.0.3-optimize-segfault.patch @@ -0,0 +1,64 @@ +https://git.netfilter.org/nftables/commit/?id=59bd944f6d75e99fe0c8d743e7fd482672640c2d + +From: Pablo Neira Ayuso <pablo@netfilter.org> +Date: Wed, 1 Jun 2022 10:14:22 +0200 +Subject: optimize: segfault when releasing unsupported statement + +Call xfree() instead since stmt_alloc() does not initialize the +statement type fields. + +Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1609 +Fixes: ea1f1c9ff608 ("optimize: memleak in statement matrix") +Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> +--- a/src/optimize.c ++++ b/src/optimize.c +@@ -304,7 +304,7 @@ static int rule_collect_stmts(struct optimize_ctx *ctx, struct rule *rule) + clone->nat.type_flags = stmt->nat.type_flags; + break; + default: +- stmt_free(clone); ++ xfree(clone); + continue; + } + +--- a/tests/shell/testcases/optimizations/dumps/merge_vmaps.nft ++++ b/tests/shell/testcases/optimizations/dumps/merge_vmaps.nft +@@ -1,4 +1,10 @@ + table ip x { ++ set s { ++ type ipv4_addr ++ size 65535 ++ flags dynamic ++ } ++ + chain filter_in_tcp { + } + +@@ -6,6 +12,7 @@ table ip x { + } + + chain y { ++ update @s { ip saddr limit rate 12/minute burst 30 packets } accept + tcp dport vmap { 80 : accept, 81 : accept, 443 : accept, 8000-8100 : accept, 24000-25000 : accept } + meta l4proto vmap { tcp : goto filter_in_tcp, udp : goto filter_in_udp } + log +--- a/tests/shell/testcases/optimizations/merge_vmaps ++++ b/tests/shell/testcases/optimizations/merge_vmaps +@@ -3,11 +3,16 @@ + set -e + + RULESET="table ip x { ++ set s { ++ type ipv4_addr ++ flags dynamic ++ } + chain filter_in_tcp { + } + chain filter_in_udp { + } + chain y { ++ update @s { ip saddr limit rate 12/minute burst 30 packets } accept + tcp dport vmap { + 80 : accept, + 81 : accept, +cgit v1.2.3 diff --git a/net-firewall/nftables/files/nftables-1.0.3-test-shell-sets.patch b/net-firewall/nftables/files/nftables-1.0.3-test-shell-sets.patch new file mode 100644 index 000000000000..c5f93e20eea6 --- /dev/null +++ b/net-firewall/nftables/files/nftables-1.0.3-test-shell-sets.patch @@ -0,0 +1,21 @@ +https://git.netfilter.org/nftables/commit/?id=3835de19fe5773baac5b79f35484d0f0e99bcfe1 + +From: Pablo Neira Ayuso <pablo@netfilter.org> +Date: Wed, 1 Jun 2022 18:17:02 +0200 +Subject: tests: shell: sets_with_ifnames release netns on exit + +Missing ip netns del call from cleanup() + +Fixes: d6fdb0d8d482 ("sets_with_ifnames: add test case for concatenated range") +Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> +--- a/tests/shell/testcases/sets/sets_with_ifnames ++++ b/tests/shell/testcases/sets/sets_with_ifnames +@@ -13,6 +13,7 @@ ns2="nft2ifname-$rnd" + cleanup() + { + ip netns del "$ns1" ++ ip netns del "$ns2" + } + + trap cleanup EXIT +cgit v1.2.3 diff --git a/net-firewall/nftables/nftables-1.0.3-r1.ebuild b/net-firewall/nftables/nftables-1.0.3-r1.ebuild new file mode 100644 index 000000000000..d4ace7fe057b --- /dev/null +++ b/net-firewall/nftables/nftables-1.0.3-r1.ebuild @@ -0,0 +1,205 @@ +# Copyright 1999-2022 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +DISTUTILS_OPTIONAL=1 +PYTHON_COMPAT=( python3_{8..11} ) +VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/netfilter.org.asc +inherit edo linux-info distutils-r1 systemd verify-sig + +DESCRIPTION="Linux kernel (3.13+) firewall, NAT and packet mangling tools" +HOMEPAGE="https://netfilter.org/projects/nftables/" + +if [[ ${PV} =~ ^[9]{4,}$ ]]; then + inherit autotools git-r3 + EGIT_REPO_URI="https://git.netfilter.org/${PN}" + + BDEPEND=" + sys-devel/bison + sys-devel/flex + " +else + SRC_URI="https://netfilter.org/projects/nftables/files/${P}.tar.bz2 + verify-sig? ( https://netfilter.org/projects/nftables/files/${P}.tar.bz2.sig )" + KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86" + BDEPEND+="verify-sig? ( sec-keys/openpgp-keys-netfilter )" +fi + +LICENSE="GPL-2" +SLOT="0/1" +IUSE="debug doc +gmp json libedit +modern-kernel python +readline static-libs test xtables" +RESTRICT="test? ( userpriv ) !test? ( test )" + +RDEPEND=" + >=net-libs/libmnl-1.0.4:0= + >=net-libs/libnftnl-1.2.1:0= + gmp? ( dev-libs/gmp:= ) + json? ( dev-libs/jansson:= ) + python? ( ${PYTHON_DEPS} ) + readline? ( sys-libs/readline:= ) + xtables? ( >=net-firewall/iptables-1.6.1:= ) +" + +DEPEND="${RDEPEND}" + +BDEPEND+=" + virtual/pkgconfig + doc? ( + app-text/asciidoc + >=app-text/docbook2X-0.8.8-r4 + ) + python? ( ${PYTHON_DEPS} ) +" + +REQUIRED_USE=" + python? ( ${PYTHON_REQUIRED_USE} ) + libedit? ( !readline ) +" + +PATCHES=( + "${FILESDIR}"/${P}-optimize-segfault.patch + "${FILESDIR}"/${P}-test-shell-sets.patch +) + +pkg_setup() { + if kernel_is ge 3 13; then + if use modern-kernel && kernel_is lt 3 18; then + eerror "The modern-kernel USE flag requires kernel version 3.18 or newer to work properly." + fi + CONFIG_CHECK="~NF_TABLES" + linux-info_pkg_setup + else + eerror "This package requires kernel version 3.13 or newer to work properly." + fi +} + +src_prepare() { + default + + if [[ ${PV} =~ ^[9]{4,}$ ]] ; then + eautoreconf + fi + + if use python; then + pushd py >/dev/null || die + distutils-r1_src_prepare + popd >/dev/null || die + fi +} + +src_configure() { + local myeconfargs=( + # We handle python separately + --disable-python + --disable-static + --sbindir="${EPREFIX}"/sbin + $(use_enable debug) + $(use_enable doc man-doc) + $(use_with !gmp mini_gmp) + $(use_with json) + $(use_with libedit cli editline) + $(use_with readline cli readline) + $(use_enable static-libs static) + $(use_with xtables) + ) + econf "${myeconfargs[@]}" + + if use python; then + pushd py >/dev/null || die + distutils-r1_src_configure + popd >/dev/null || die + fi +} + +src_compile() { + default + + if use python; then + pushd py >/dev/null || die + distutils-r1_src_compile + popd >/dev/null || die + fi +} + +src_test() { + emake check + + edo tests/shell/run-tests.sh -v + + # Need to rig up Python eclass if using this, but it doesn't seem to work + # for me anyway. + #cd tests/py || die + #"${EPYTHON}" nft-test.py || die +} + +src_install() { + default + + if ! use doc && [[ ! ${PV} =~ ^[9]{4,}$ ]]; then + pushd doc >/dev/null || die + doman *.? + popd >/dev/null || die + fi + + # Do it here instead of in src_prepare to avoid eautoreconf + # rmdir lets us catch if more files end up installed in /etc/nftables + mv "${ED}"/etc/nftables/osf "${ED}"/usr/share/doc/${PF}/skels/osf || die + rmdir "${ED}"/etc/nftables || die + + local mksuffix="$(usex modern-kernel '-mk' '')" + + exeinto /usr/libexec/${PN} + newexe "${FILESDIR}"/libexec/${PN}${mksuffix}.sh ${PN}.sh + newconfd "${FILESDIR}"/${PN}${mksuffix}.confd ${PN} + newinitd "${FILESDIR}"/${PN}${mksuffix}.init-r1 ${PN} + keepdir /var/lib/nftables + + systemd_dounit "${FILESDIR}"/systemd/${PN}-restore.service + + if use python ; then + pushd py >/dev/null || die + distutils-r1_src_install + popd >/dev/null || die + fi + + find "${ED}" -type f -name "*.la" -delete || die +} + +pkg_postinst() { + local save_file + save_file="${EROOT}"/var/lib/nftables/rules-save + + # In order for the nftables-restore systemd service to start + # the save_file must exist. + if [[ ! -f "${save_file}" ]]; then + ( umask 177; touch "${save_file}" ) + elif [[ $(( "$( stat --printf '%05a' "${save_file}" )" & 07177 )) -ne 0 ]]; then + ewarn "Your system has dangerous permissions for ${save_file}" + ewarn "It is probably affected by bug #691326." + ewarn "You may need to fix the permissions of the file. To do so," + ewarn "you can run the command in the line below as root." + ewarn " 'chmod 600 \"${save_file}\"'" + fi + + if has_version 'sys-apps/systemd'; then + elog "If you wish to enable the firewall rules on boot (on systemd) you" + elog "will need to enable the nftables-restore service." + elog " 'systemctl enable ${PN}-restore.service'" + elog + elog "If you are creating firewall rules before the next system restart" + elog "the nftables-restore service must be manually started in order to" + elog "save those rules on shutdown." + fi + + if has_version 'sys-apps/openrc'; then + elog "If you wish to enable the firewall rules on boot (on openrc) you" + elog "will need to enable the nftables service." + elog " 'rc-update add ${PN} default'" + elog + elog "If you are creating or updating the firewall rules and wish to save" + elog "them to be loaded on the next restart, use the \"save\" functionality" + elog "in the init script." + elog " 'rc-service ${PN} save'" + fi +} diff --git a/net-firewall/nftables/nftables-9999.ebuild b/net-firewall/nftables/nftables-9999.ebuild index fa427dadfaab..d4ace7fe057b 100644 --- a/net-firewall/nftables/nftables-9999.ebuild +++ b/net-firewall/nftables/nftables-9999.ebuild @@ -3,15 +3,16 @@ EAPI=7 -PYTHON_COMPAT=( python3_{8..10} ) DISTUTILS_OPTIONAL=1 -inherit autotools linux-info distutils-r1 systemd verify-sig +PYTHON_COMPAT=( python3_{8..11} ) +VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/netfilter.org.asc +inherit edo linux-info distutils-r1 systemd verify-sig DESCRIPTION="Linux kernel (3.13+) firewall, NAT and packet mangling tools" HOMEPAGE="https://netfilter.org/projects/nftables/" if [[ ${PV} =~ ^[9]{4,}$ ]]; then - inherit git-r3 + inherit autotools git-r3 EGIT_REPO_URI="https://git.netfilter.org/${PN}" BDEPEND=" @@ -22,13 +23,13 @@ else SRC_URI="https://netfilter.org/projects/nftables/files/${P}.tar.bz2 verify-sig? ( https://netfilter.org/projects/nftables/files/${P}.tar.bz2.sig )" KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86" - VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/netfilter.org.asc BDEPEND+="verify-sig? ( sec-keys/openpgp-keys-netfilter )" fi LICENSE="GPL-2" SLOT="0/1" -IUSE="debug doc +gmp json libedit +modern-kernel python +readline static-libs xtables" +IUSE="debug doc +gmp json libedit +modern-kernel python +readline static-libs test xtables" +RESTRICT="test? ( userpriv ) !test? ( test )" RDEPEND=" >=net-libs/libmnl-1.0.4:0= @@ -43,11 +44,12 @@ RDEPEND=" DEPEND="${RDEPEND}" BDEPEND+=" + virtual/pkgconfig doc? ( app-text/asciidoc >=app-text/docbook2X-0.8.8-r4 ) - virtual/pkgconfig + python? ( ${PYTHON_DEPS} ) " REQUIRED_USE=" @@ -55,6 +57,11 @@ REQUIRED_USE=" libedit? ( !readline ) " +PATCHES=( + "${FILESDIR}"/${P}-optimize-segfault.patch + "${FILESDIR}"/${P}-test-shell-sets.patch +) + pkg_setup() { if kernel_is ge 3 13; then if use modern-kernel && kernel_is lt 3 18; then @@ -70,13 +77,9 @@ pkg_setup() { src_prepare() { default - # fix installation path for doc stuff - sed '/^pkgsysconfdir/s@${sysconfdir}.*$@${docdir}/skels@' \ - -i files/nftables/Makefile.am || die - sed '/^pkgsysconfdir/s@${sysconfdir}.*$@${docdir}/skels/osf@' \ - -i files/osf/Makefile.am || die - - eautoreconf + if [[ ${PV} =~ ^[9]{4,}$ ]] ; then + eautoreconf + fi if use python; then pushd py >/dev/null || die @@ -119,6 +122,17 @@ src_compile() { fi } +src_test() { + emake check + + edo tests/shell/run-tests.sh -v + + # Need to rig up Python eclass if using this, but it doesn't seem to work + # for me anyway. + #cd tests/py || die + #"${EPYTHON}" nft-test.py || die +} + src_install() { default @@ -128,6 +142,11 @@ src_install() { popd >/dev/null || die fi + # Do it here instead of in src_prepare to avoid eautoreconf + # rmdir lets us catch if more files end up installed in /etc/nftables + mv "${ED}"/etc/nftables/osf "${ED}"/usr/share/doc/${PF}/skels/osf || die + rmdir "${ED}"/etc/nftables || die + local mksuffix="$(usex modern-kernel '-mk' '')" exeinto /usr/libexec/${PN} @@ -149,7 +168,7 @@ src_install() { pkg_postinst() { local save_file - save_file="${EROOT}/var/lib/nftables/rules-save" + save_file="${EROOT}"/var/lib/nftables/rules-save # In order for the nftables-restore systemd service to start # the save_file must exist. @@ -172,6 +191,7 @@ pkg_postinst() { elog "the nftables-restore service must be manually started in order to" elog "save those rules on shutdown." fi + if has_version 'sys-apps/openrc'; then elog "If you wish to enable the firewall rules on boot (on openrc) you" elog "will need to enable the nftables service." |