net-firewall/nftables: Minor fixes on the script closes #675188

* Use printf instead of echo for better shell compatibility.
* Use an include instead of concatenating the ruleset.
  (Note that this is likely to fail is the ruleset path contains
   special characters).
* Empty the table first when executing panic actions.

Fixes: https://bugs.gentoo.org/675188

Signed-off-by: Francisco Blas Izquierdo Riera (klondike) <klondike@gentoo.org>
Package-Manager: Portage-2.3.51, Repoman-2.3.11
Signed-off-by: Matthew Thode <prometheanfire@gentoo.org>

2 files changed, 4 insertions, 3 deletions

diff --git a/net-firewall/nftables/files/libexec/nftables-mk.sh b/net-firewall/nftables/files/libexec/nftables-mk.sh
index b6ad37867b6d..b3d7db60d7fe 100644
--- a/net-firewall/nftables/files/libexec/nftables-mk.sh
+++ b/net-firewall/nftables/files/libexec/nftables-mk.sh
@@ -13,7 +13,8 @@ main() {
 			nft ${SAVE_OPTIONS} list ruleset
 		;;
 		"load")
-			( echo "flush ruleset;"; cat "${NFTABLES_SAVE}" ) | nft -f -
+			# We use an include because cat fails with long rulesets see #675188
+			printf 'flush ruleset\ninclude "%s"\n' "${NFTABLES_SAVE}" | nft -f -
 		;;
 		"panic")
 			panic hard | nft -f -
@@ -25,8 +26,7 @@ main() {
 			local tmp_save="${NFTABLES_SAVE}.tmp"
 			umask 600;
 			(
-				echo "#!/sbin/nft -f"
-				echo "flush ruleset;"
+				printf '#!/sbin/nft -f\nflush ruleset\n'
 				nft ${SAVE_OPTIONS} list ruleset
 			) > "$tmp_save" && mv ${tmp_save} ${NFTABLES_SAVE}
 		;;
@@ -37,6 +37,7 @@ panic() {
 	local erule;
 	[ "$1" = soft ] && erule="ct state established,related accept;" || erule="";
 	cat <<EOF
+flush ruleset
 table inet filter {
 	chain input {
 		type filter hook input priority 0;
diff --git a/net-firewall/nftables/nftables-0.9.0-r2.ebuild b/net-firewall/nftables/nftables-0.9.0-r3.ebuild
index 346d321bb376..346d321bb376 100644
--- a/net-firewall/nftables/nftables-0.9.0-r2.ebuild
+++ b/net-firewall/nftables/nftables-0.9.0-r3.ebuild