Diffstat (limited to 'net-firewall')
-rw-r--r--net-firewall/conntrack-tools/conntrack-tools-1.4.8-r1.ebuild2
-rw-r--r--net-firewall/ferm/ferm-2.7.ebuild4
-rw-r--r--net-firewall/firehol/Manifest1
-rw-r--r--net-firewall/firehol/firehol-3.1.6-r3.ebuild67
-rw-r--r--net-firewall/firehol/firehol-3.1.7-r2.ebuild10
-rw-r--r--net-firewall/firewalld/Manifest2
-rw-r--r--net-firewall/firewalld/files/firewalld-systemd-service.patch19
-rw-r--r--net-firewall/firewalld/firewalld-2.2.1-r1.ebuild2
-rw-r--r--net-firewall/firewalld/firewalld-2.2.3.ebuild4
-rw-r--r--net-firewall/firewalld/firewalld-2.3.0.ebuild (renamed from net-firewall/firewalld/firewalld-2.1.1-r5.ebuild)200
-rw-r--r--net-firewall/firewalld/metadata.xml4
-rw-r--r--net-firewall/ipset/Manifest2
-rw-r--r--net-firewall/ipset/files/ipset-7.22-argv-bounds.patch36
-rw-r--r--net-firewall/ipset/files/ipset-7.22-asan-buffer-overflow.patch52
-rw-r--r--net-firewall/ipset/files/ipset-7.22-fix-building-on-musl.patch10
-rw-r--r--net-firewall/ipset/ipset-7.23.ebuild (renamed from net-firewall/ipset/ipset-7.22-r2.ebuild)9
-rw-r--r--net-firewall/iptables/Manifest1
-rw-r--r--net-firewall/iptables/files/iptables-r4.init167
-rw-r--r--net-firewall/iptables/iptables-1.8.11-r1.ebuild176
-rw-r--r--net-firewall/iptables/iptables-1.8.11.ebuild176
-rw-r--r--net-firewall/nftables/nftables-1.1.0-r1.ebuild2
-rw-r--r--net-firewall/nftables/nftables-1.1.1.ebuild4
-rw-r--r--net-firewall/nftlb/Manifest1
-rw-r--r--net-firewall/nftlb/files/nftlb-1.1.0-musl.patch73
-rw-r--r--net-firewall/nftlb/metadata.xml2
-rw-r--r--net-firewall/nftlb/nftlb-1.1.0.ebuild69
-rw-r--r--net-firewall/xtables-addons/Manifest1
-rw-r--r--net-firewall/xtables-addons/metadata.xml1
-rw-r--r--net-firewall/xtables-addons/xtables-addons-3.27.ebuild107
29 files changed, 888 insertions, 316 deletions
diff --git a/net-firewall/conntrack-tools/conntrack-tools-1.4.8-r1.ebuild b/net-firewall/conntrack-tools/conntrack-tools-1.4.8-r1.ebuild
index ff8d0251fc47..c11278aa667c 100644
--- a/net-firewall/conntrack-tools/conntrack-tools-1.4.8-r1.ebuild
+++ b/net-firewall/conntrack-tools/conntrack-tools-1.4.8-r1.ebuild
@@ -15,7 +15,7 @@ SRC_URI="
LICENSE="GPL-2+"
SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm64 ~hppa ~ppc ~ppc64 ~riscv ~x86"
+KEYWORDS="~alpha amd64 ~arm64 ~hppa ppc ppc64 ~riscv x86"
IUSE="doc +cthelper +cttimeout systemd"
RDEPEND="
diff --git a/net-firewall/ferm/ferm-2.7.ebuild b/net-firewall/ferm/ferm-2.7.ebuild
index 5e7d668967ba..6293e4dd4bb5 100644
--- a/net-firewall/ferm/ferm-2.7.ebuild
+++ b/net-firewall/ferm/ferm-2.7.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2022 Gentoo Authors
+# Copyright 1999-2025 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
@@ -11,7 +11,7 @@ SRC_URI="http://ferm.foo-projects.org/download/${PV}/${P}.tar.xz"
LICENSE="GPL-2+"
SLOT="0"
-KEYWORDS="amd64 ppc x86"
+KEYWORDS="amd64 ~arm64 ppc x86"
# Uses Internet connection while testing.
RESTRICT="test"
diff --git a/net-firewall/firehol/Manifest b/net-firewall/firehol/Manifest
index e7ed5e2a55f8..41c60b489672 100644
--- a/net-firewall/firehol/Manifest
+++ b/net-firewall/firehol/Manifest
@@ -1,2 +1 @@
-DIST firehol-3.1.6.tar.xz 1484424 BLAKE2B aea45aa424b7b43ed0576916f52a785601a21489263c1b5c6abbf3b2b97db80bf2a2420ae8176cd55e335ab93c18a8209a47f467dba80a63cf2c319b3e3e27d8 SHA512 5ffa7e59d3f10a6c7d3f5b5ef9d93f1b2138063374a10cb0c1ac4e75578d6cf7755e154b51febf546563ba003f100af13f89bca3843b66a8d22b8fc2da3fadfe
DIST firehol-3.1.7.tar.xz 1457932 BLAKE2B 9a861f2e9c900bce45d0dbd12f4546bc14eb4d74aea27a8d4cb0e5bfe8bea92d9bff3ccf008d46bd64212d689123273c99d0b0faaaadd34f0e1d85e22ee757c9 SHA512 b05cec806c2c8fc410bf9c7a30e3ad1d9f1c06fd2d501a7e5434010f6bb38722aac5b64de9b4285d2c71cacbf6b2f3c758685da5a70c05621df52879eb5148c2
diff --git a/net-firewall/firehol/firehol-3.1.6-r3.ebuild b/net-firewall/firehol/firehol-3.1.6-r3.ebuild
deleted file mode 100644
index d68ed4f8bcc6..000000000000
--- a/net-firewall/firehol/firehol-3.1.6-r3.ebuild
+++ /dev/null
@@ -1,67 +0,0 @@
-# Copyright 1999-2022 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit linux-info
-
-DESCRIPTION="iptables firewall generator"
-HOMEPAGE="https://firehol.org/ https://github.com/firehol/firehol"
-SRC_URI="https://github.com/firehol/firehol/releases/download/v${PV}/${P}.tar.xz"
-
-LICENSE="GPL-2"
-SLOT="0"
-IUSE="doc ipv6 ipset"
-KEYWORDS="amd64 arm ~arm64 ~ppc ~x86"
-
-RDEPEND="net-firewall/iptables
- sys-apps/iproute2[-minimal,ipv6(+)?]
- sys-apps/kmod[tools]
- net-misc/iputils[ipv6(+)?]
- net-misc/iprange
- net-analyzer/traceroute
- app-arch/gzip
- ipset? (
- net-firewall/ipset
- )"
-DEPEND="${RDEPEND}"
-
-pkg_setup() {
- local CONFIG_CHECK=" \
- ~IP_NF_FILTER \
- ~IP_NF_IPTABLES \
- ~IP_NF_MANGLE \
- ~IP_NF_TARGET_MASQUERADE
- ~IP_NF_TARGET_REDIRECT \
- ~IP_NF_TARGET_REJECT \
- ~NETFILTER_XT_CONNMARK \
- ~NETFILTER_XT_MATCH_HELPER \
- ~NETFILTER_XT_MATCH_LIMIT \
- ~NETFILTER_XT_MATCH_OWNER \
- ~NETFILTER_XT_MATCH_STATE \
- ~NF_CONNTRACK \
- ~NF_CONNTRACK_IPV4 \
- ~NF_CONNTRACK_MARK \
- ~NF_NAT \
- ~NF_NAT_FTP \
- ~NF_NAT_IRC \
- "
- linux-info_pkg_setup
-}
-
-src_configure() {
- econf \
- --disable-vnetbuild \
- $(use_enable ipset update-ipsets) \
- $(use_enable doc) \
- $(use_enable ipv6)
-}
-
-src_install() {
- default
-
- newconfd "${FILESDIR}"/firehol.confd firehol
- newinitd "${FILESDIR}"/firehol.initd firehol
- newconfd "${FILESDIR}"/fireqos.confd fireqos
- newinitd "${FILESDIR}"/fireqos.initd fireqos
-}
diff --git a/net-firewall/firehol/firehol-3.1.7-r2.ebuild b/net-firewall/firehol/firehol-3.1.7-r2.ebuild
index f750bfab3a7b..701ca0742f2f 100644
--- a/net-firewall/firehol/firehol-3.1.7-r2.ebuild
+++ b/net-firewall/firehol/firehol-3.1.7-r2.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2022 Gentoo Authors
+# Copyright 1999-2024 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
@@ -12,7 +12,7 @@ SRC_URI="https://github.com/firehol/firehol/releases/download/v${PV}/${P}.tar.xz
LICENSE="GPL-2"
SLOT="0"
IUSE="doc ipv6 ipset"
-KEYWORDS="~amd64 ~arm ~arm64 ~ppc ~x86"
+KEYWORDS="amd64 arm ~arm64 ~ppc ~x86"
# Set the dependency versions to aid cross-compiling. Keep them at their
# minimums as the configure script merely checks whether they are sufficient.
@@ -46,12 +46,16 @@ pkg_setup() {
~NETFILTER_XT_MATCH_OWNER \
~NETFILTER_XT_MATCH_STATE \
~NF_CONNTRACK \
- ~NF_CONNTRACK_IPV4 \
~NF_CONNTRACK_MARK \
~NF_NAT \
~NF_NAT_FTP \
~NF_NAT_IRC \
"
+
+ if kernel_is -lt 4 19; then
+ CONFIG_CHECK+=" ~NF_CONNTRACK_IPV4"
+ fi
+
linux-info_pkg_setup
}
diff --git a/net-firewall/firewalld/Manifest b/net-firewall/firewalld/Manifest
index c4e167cba6f3..303a9b9e7af9 100644
--- a/net-firewall/firewalld/Manifest
+++ b/net-firewall/firewalld/Manifest
@@ -1,3 +1,3 @@
-DIST firewalld-2.1.1.tar.bz2 1315222 BLAKE2B 064abfae1f2f1c5a63bbbbbec3357aa6e63936818fa2020ca882d1b834736b3735a32b0ab318e6de78b6f785cb4da0ee4e299956c922d9dbf6e7bd442e9bb2d6 SHA512 383e5ea3d451a28241e5a76f8d0efeeb8319663bdc5f680b68c5156ddb5145fac766a9ee9521c4af27b1df82861ca6f68ee81c0588b1dd6c4f6d4e4f5ca8fee1
DIST firewalld-2.2.1.tar.bz2 1295501 BLAKE2B fc7bb401895bc39c34ec585468bdcc1b3c3f8eeb35c786c0cf7d886f456c99840107db73e8f611a7d7ab1db1408c6dc349a3d5eee2fbd1e624fe06dd8a558d91 SHA512 08117be01a25a8e263cf419d7b01a98c80b53108af68f6cfc1d900692e6124c37b9dd6feaf4bc3c6e3f27958a9ee45b9795c7f5a9250eb644b6e903f97672c8a
DIST firewalld-2.2.3.tar.bz2 1310686 BLAKE2B dba517166e1588195ac76123503a2526ffa6c7bd884953ba7ec2806f9ef3a93a879936e48e0d5b638c6e3e888b558757989f8035106cc103eab92d72d8a077be SHA512 e1b1d5fc372359ecbbc074be15e8a9dc4e39836545d5a1364f05deb07eb6e43505eb37589a7b0fb5f3115e3ed3fbc58efe447e2d5b0dcc716a66903c63df824b
+DIST firewalld-2.3.0.tar.bz2 1307839 BLAKE2B f986af940841d7982c44ef5d7df9758f8b8f0e2bd511c61dc358d21e2d272ddc510571bcbdd6c7e47d0bd1ee6250240445094b30945c8de695007c1eb24ed642 SHA512 9a0fe1098c8bbb63bc4af04f56b7810d3d4e94be4247574daba64fb7a344488053f80426b7422c3a4620a54fee69a4264e1b0d66580757aac29aa65d723007c5
diff --git a/net-firewall/firewalld/files/firewalld-systemd-service.patch b/net-firewall/firewalld/files/firewalld-systemd-service.patch
deleted file mode 100644
index 66f4c730b66f..000000000000
--- a/net-firewall/firewalld/files/firewalld-systemd-service.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-Drops the/an obsolete 'conflicts' line with old iptables services bug #833506
-Removes EnvironmentFile and FIREWALLD_ARGS variable
-===================================================================
---- a/config/firewalld.service.in
-+++ b/config/firewalld.service.in
-@@ -4,12 +4,10 @@
- Wants=network-pre.target
- After=dbus.service
- After=polkit.service
--Conflicts=iptables.service ip6tables.service ebtables.service ipset.service nftables.service
- Documentation=man:firewalld(1)
-
- [Service]
--EnvironmentFile=-/etc/sysconfig/firewalld
--ExecStart=@sbindir@/firewalld --nofork --nopid $FIREWALLD_ARGS
-+ExecStart=@sbindir@/firewalld --nofork --nopid
- ExecReload=/bin/kill -HUP $MAINPID
- # supress to log debug and error output also to /var/log/messages
- StandardOutput=null
diff --git a/net-firewall/firewalld/firewalld-2.2.1-r1.ebuild b/net-firewall/firewalld/firewalld-2.2.1-r1.ebuild
index 4a115f5bf943..5b38b6e28baa 100644
--- a/net-firewall/firewalld/firewalld-2.2.1-r1.ebuild
+++ b/net-firewall/firewalld/firewalld-2.2.1-r1.ebuild
@@ -28,7 +28,7 @@ RDEPEND="
>=net-firewall/nftables-0.9.4[python,json,${PYTHON_USEDEP}]
gui? (
x11-libs/gtk+:3
- dev-python/PyQt6[gui,widgets,${PYTHON_USEDEP}]
+ dev-python/pyqt6[gui,widgets,${PYTHON_USEDEP}]
)
')
net-firewall/nftables[xtables(+)]
diff --git a/net-firewall/firewalld/firewalld-2.2.3.ebuild b/net-firewall/firewalld/firewalld-2.2.3.ebuild
index d08a06d0215c..5b38b6e28baa 100644
--- a/net-firewall/firewalld/firewalld-2.2.3.ebuild
+++ b/net-firewall/firewalld/firewalld-2.2.3.ebuild
@@ -13,7 +13,7 @@ SRC_URI="https://github.com/firewalld/firewalld/releases/download/v${PV}/${P}.ta
LICENSE="GPL-2+"
SLOT="0"
-KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~riscv ~x86"
+KEYWORDS="amd64 arm arm64 ppc64 ~riscv x86"
IUSE="gui selinux test"
# Tests are too unreliable in sandbox environment
RESTRICT="!test? ( test ) test"
@@ -28,7 +28,7 @@ RDEPEND="
>=net-firewall/nftables-0.9.4[python,json,${PYTHON_USEDEP}]
gui? (
x11-libs/gtk+:3
- dev-python/PyQt6[gui,widgets,${PYTHON_USEDEP}]
+ dev-python/pyqt6[gui,widgets,${PYTHON_USEDEP}]
)
')
net-firewall/nftables[xtables(+)]
diff --git a/net-firewall/firewalld/firewalld-2.1.1-r5.ebuild b/net-firewall/firewalld/firewalld-2.3.0.ebuild
index e1ff652b6c61..bbb543d6a9f1 100644
--- a/net-firewall/firewalld/firewalld-2.1.1-r5.ebuild
+++ b/net-firewall/firewalld/firewalld-2.3.0.ebuild
@@ -1,9 +1,9 @@
-# Copyright 1999-2024 Gentoo Authors
+# Copyright 1999-2025 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
-PYTHON_COMPAT=( python3_{10..12} )
+PYTHON_COMPAT=( python3_{10..13} )
inherit bash-completion-r1 gnome2-utils linux-info optfeature
inherit plocale python-single-r1 systemd xdg-utils
@@ -14,7 +14,7 @@ SRC_URI="https://github.com/firewalld/firewalld/releases/download/v${PV}/${P}.ta
LICENSE="GPL-2+"
SLOT="0"
KEYWORDS="amd64 arm arm64 ~loong ppc64 ~riscv x86"
-IUSE="gui +nftables +iptables selinux test"
+IUSE="gui selinux test"
# Tests are too unreliable in sandbox environment
RESTRICT="!test? ( test ) test"
REQUIRED_USE="${PYTHON_REQUIRED_USE}"
@@ -25,18 +25,13 @@ RDEPEND="
$(python_gen_cond_dep '
dev-python/dbus-python[${PYTHON_USEDEP}]
dev-python/pygobject:3[${PYTHON_USEDEP}]
+ >=net-firewall/nftables-0.9.4[python,json,${PYTHON_USEDEP}]
gui? (
x11-libs/gtk+:3
- dev-python/PyQt5[gui,widgets,${PYTHON_USEDEP}]
+ dev-python/pyqt6[gui,widgets,${PYTHON_USEDEP}]
)
- nftables? ( >=net-firewall/nftables-0.9.4[python,json] )
')
- iptables? (
- net-firewall/iptables[ipv6(+)]
- net-firewall/ebtables
- net-firewall/ipset
- nftables? ( net-firewall/nftables[xtables(+)] )
- )
+ net-firewall/nftables[xtables(+)]
selinux? ( sec-policy/selinux-firewalld )
"
DEPEND="
@@ -57,92 +52,94 @@ QA_AM_MAINTAINER_MODE=".*--run autom4te --language=autotest.*"
PLOCALES="ar as ast bg bn_IN ca cs da de el en_GB en_US es et eu fa fi fr gl gu hi hr hu ia id it ja ka kn ko lt ml mr nl or pa pl pt pt_BR ro ru si sk sl sq sr sr@latin sv ta te tr uk zh_CN zh_TW"
PATCHES=(
- "${FILESDIR}"/${PN}-systemd-service.patch
+ "${FILESDIR}"/${PN}-2.2.1-systemd-service.patch
)
pkg_setup() {
# See bug #830132 for the huge list
# We can probably narrow it down a bit but it's rather fragile
- local CONFIG_CHECK="~NF_CONNTRACK ~NETFILTER_XT_MATCH_CONNTRACK
- ~NETFILTER
- ~NETFILTER_ADVANCED
- ~NETFILTER_INGRESS
- ~NF_NAT_MASQUERADE
- ~NF_NAT_REDIRECT
- ~NF_TABLES_INET
- ~NF_TABLES_IPV4
- ~NF_TABLES_IPV6
- ~NF_CONNTRACK
- ~NF_CONNTRACK_BROADCAST
- ~NF_CONNTRACK_NETBIOS_NS
- ~NF_CONNTRACK_TFTP
- ~NF_CT_NETLINK
- ~NF_CT_NETLINK_HELPER
- ~NF_DEFRAG_IPV4
- ~NF_DEFRAG_IPV6
- ~NF_NAT
- ~NF_NAT_TFTP
- ~NF_REJECT_IPV4
- ~NF_REJECT_IPV6
- ~NF_SOCKET_IPV4
- ~NF_SOCKET_IPV6
- ~NF_TABLES
- ~NF_TPROXY_IPV4
- ~NF_TPROXY_IPV6
- ~IP_NF_FILTER
- ~IP_NF_IPTABLES
- ~IP_NF_MANGLE
- ~IP_NF_NAT
- ~IP_NF_RAW
- ~IP_NF_SECURITY
- ~IP_NF_TARGET_MASQUERADE
- ~IP_NF_TARGET_REJECT
- ~IP6_NF_FILTER
- ~IP6_NF_IPTABLES
- ~IP6_NF_MANGLE
- ~IP6_NF_NAT
- ~IP6_NF_RAW
- ~IP6_NF_SECURITY
- ~IP6_NF_TARGET_MASQUERADE
- ~IP6_NF_TARGET_REJECT
- ~IP_SET
- ~NETFILTER_CONNCOUNT
- ~NETFILTER_NETLINK
- ~NETFILTER_NETLINK_OSF
- ~NETFILTER_NETLINK_QUEUE
- ~NETFILTER_SYNPROXY
- ~NETFILTER_XTABLES
- ~NETFILTER_XT_CONNMARK
- ~NETFILTER_XT_MATCH_CONNTRACK
- ~NETFILTER_XT_MATCH_MULTIPORT
- ~NETFILTER_XT_MATCH_STATE
- ~NETFILTER_XT_NAT
- ~NETFILTER_XT_TARGET_MASQUERADE
- ~NFT_COMPAT
- ~NFT_CT
- ~NFT_FIB
- ~NFT_FIB_INET
- ~NFT_FIB_IPV4
- ~NFT_FIB_IPV6
- ~NFT_HASH
- ~NFT_LIMIT
- ~NFT_LOG
- ~NFT_MASQ
- ~NFT_NAT
- ~NFT_QUEUE
- ~NFT_QUOTA
- ~NFT_REDIR
- ~NFT_REJECT
- ~NFT_REJECT_INET
- ~NFT_REJECT_IPV4
- ~NFT_REJECT_IPV6
- ~NFT_SOCKET
- ~NFT_SYNPROXY
- ~NFT_TPROXY
- ~NFT_TUNNEL
- ~NFT_XFRM"
-
- # kernel >= 4.19 has unified a NF_CONNTRACK module, bug #692944
+ local CONFIG_CHECK="
+ ~NF_CONNTRACK ~NETFILTER_XT_MATCH_CONNTRACK
+ ~NETFILTER
+ ~NETFILTER_ADVANCED
+ ~NETFILTER_INGRESS
+ ~NF_NAT_MASQUERADE
+ ~NF_NAT_REDIRECT
+ ~NF_TABLES_INET
+ ~NF_TABLES_IPV4
+ ~NF_TABLES_IPV6
+ ~NF_CONNTRACK
+ ~NF_CONNTRACK_BROADCAST
+ ~NF_CONNTRACK_NETBIOS_NS
+ ~NF_CONNTRACK_TFTP
+ ~NF_CT_NETLINK
+ ~NF_CT_NETLINK_HELPER
+ ~NF_DEFRAG_IPV4
+ ~NF_DEFRAG_IPV6
+ ~NF_NAT
+ ~NF_NAT_TFTP
+ ~NF_REJECT_IPV4
+ ~NF_REJECT_IPV6
+ ~NF_SOCKET_IPV4
+ ~NF_SOCKET_IPV6
+ ~NF_TABLES
+ ~NF_TPROXY_IPV4
+ ~NF_TPROXY_IPV6
+ ~IP_NF_FILTER
+ ~IP_NF_IPTABLES
+ ~IP_NF_MANGLE
+ ~IP_NF_NAT
+ ~IP_NF_RAW
+ ~IP_NF_SECURITY
+ ~IP_NF_TARGET_MASQUERADE
+ ~IP_NF_TARGET_REJECT
+ ~IP6_NF_FILTER
+ ~IP6_NF_IPTABLES
+ ~IP6_NF_MANGLE
+ ~IP6_NF_NAT
+ ~IP6_NF_RAW
+ ~IP6_NF_SECURITY
+ ~IP6_NF_TARGET_MASQUERADE
+ ~IP6_NF_TARGET_REJECT
+ ~IP_SET
+ ~NETFILTER_CONNCOUNT
+ ~NETFILTER_NETLINK
+ ~NETFILTER_NETLINK_OSF
+ ~NETFILTER_NETLINK_QUEUE
+ ~NETFILTER_SYNPROXY
+ ~NETFILTER_XTABLES
+ ~NETFILTER_XT_CONNMARK
+ ~NETFILTER_XT_MATCH_CONNTRACK
+ ~NETFILTER_XT_MATCH_MULTIPORT
+ ~NETFILTER_XT_MATCH_STATE
+ ~NETFILTER_XT_NAT
+ ~NETFILTER_XT_TARGET_MASQUERADE
+ ~NFT_COMPAT
+ ~NFT_CT
+ ~NFT_FIB
+ ~NFT_FIB_INET
+ ~NFT_FIB_IPV4
+ ~NFT_FIB_IPV6
+ ~NFT_HASH
+ ~NFT_LIMIT
+ ~NFT_LOG
+ ~NFT_MASQ
+ ~NFT_NAT
+ ~NFT_QUEUE
+ ~NFT_QUOTA
+ ~NFT_REDIR
+ ~NFT_REJECT
+ ~NFT_REJECT_INET
+ ~NFT_REJECT_IPV4
+ ~NFT_REJECT_IPV6
+ ~NFT_SOCKET
+ ~NFT_SYNPROXY
+ ~NFT_TPROXY
+ ~NFT_TUNNEL
+ ~NFT_XFRM
+ "
+
+ # kernel >= 4.19 has a unified NF_CONNTRACK module, bug #692944
if kernel_is -lt 4 19; then
CONFIG_CHECK+=" ~NF_CONNTRACK_IPV4 ~NF_CONNTRACK_IPV6"
fi
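Review bot: The reflowed CONFIG_CHECK string still carries two duplicated entries: `~NF_CONNTRACK` and `~NETFILTER_XT_MATCH_CONNTRACK` sit together on the first line of the list and each appears again further down (`~NF_CONNTRACK` right after `~NF_TABLES_IPV6`, `~NETFILTER_XT_MATCH_CONNTRACK` right after `~NETFILTER_XT_CONNMARK`). Since the commit already rewrites every line of the list, this is the moment to drop that first line so the string opens with `local CONFIG_CHECK="` followed directly by the one-option-per-line entries. The repeats are harmless to linux-info but make the list harder to audit against bug #830132, which the comment above names as its source. pkg_setup continues past the end of the hunk.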
@@ -177,13 +174,6 @@ src_configure() {
local myeconfargs=(
--enable-systemd
- $(use_with iptables iptables "${EPREFIX}/sbin/iptables")
- $(use_with iptables iptables_restore "${EPREFIX}/sbin/iptables-restore")
- $(use_with iptables ip6tables "${EPREFIX}/sbin/ip6tables")
- $(use_with iptables ip6tables_restore "${EPREFIX}/sbin/ip6tables-restore")
- $(use_with iptables ebtables "${EPREFIX}/sbin/ebtables")
- $(use_with iptables ebtables_restore "${EPREFIX}/sbin/ebtables-restore")
- $(use_with iptables ipset "${EPREFIX}/usr/sbin/ipset")
--with-systemd-unitdir="$(systemd_get_systemunitdir)"
--with-bashcompletiondir="$(get_bashcompdir)"
)
@@ -196,15 +186,15 @@ src_install() {
python_optimize
# Get rid of junk
- rm -rf "${D}/etc/sysconfig/" || die
+ rm -rf "${ED}"/etc/sysconfig/ || die
# For non-gui installs we need to remove GUI bits
if ! use gui; then
- rm -rf "${D}/etc/xdg/autostart" || die
- rm -f "${D}/usr/bin/firewall-applet" || die
- rm -f "${D}/usr/bin/firewall-config" || die
- rm -rf "${D}/usr/share/applications" || die
- rm -rf "${D}/usr/share/icons" || die
+ rm -rf "${ED}"/etc/xdg/autostart || die
+ rm -f "${ED}"/usr/bin/firewall-applet || die
+ rm -f "${ED}"/usr/bin/firewall-config || die
+ rm -rf "${ED}"/usr/share/applications || die
+ rm -rf "${ED}"/usr/share/icons || die
fi
newinitd "${FILESDIR}"/firewalld.init firewalld
diff --git a/net-firewall/firewalld/metadata.xml b/net-firewall/firewalld/metadata.xml
index 79917d81993e..d9b61b18aba8 100644
--- a/net-firewall/firewalld/metadata.xml
+++ b/net-firewall/firewalld/metadata.xml
@@ -9,10 +9,6 @@
<email>sam@gentoo.org</email>
<name>Sam James</name>
</maintainer>
- <use>
- <flag name="nftables">Add support for <pkg>net-firewall/nftables</pkg> as firewall backend</flag>
- <flag name="iptables">Add support for <pkg>net-firewall/iptables</pkg> as firewall backend</flag>
- </use>
<upstream>
<remote-id type="github">firewalld/firewalld</remote-id>
</upstream>
diff --git a/net-firewall/ipset/Manifest b/net-firewall/ipset/Manifest
index f66331f135e0..afca750b4594 100644
--- a/net-firewall/ipset/Manifest
+++ b/net-firewall/ipset/Manifest
@@ -1 +1 @@
-DIST ipset-7.22.tar.bz2 694069 BLAKE2B 9daaff54adb6f9daf69cd7dabbd9134d8fcf8cd7f8ef0c52296961579ad3c8202087158a01664228eff70356ba97f77ec61abbab7c7ce323112fbdc32abd661b SHA512 e375a9110eb7974480147c57eb2cff4bdd03c7704cdae006a3d254cc80fada587aa8aee25a86f7cab29db83f5e283c5f9a47a314297317660ebba5097f623d79
+DIST ipset-7.23.tar.bz2 695655 BLAKE2B a596630d12a8bcc1383475627e5e62b7be4c17570ae9d3650b9dbcac0ec46324e1ac7c0e7e11f674fb5354871538f6f15e57476ac752b1ac1415023d837904e6 SHA512 5a43c790abf157a55db5a9a22cb5f28a225f5c7969beda81566a2259aa82c9d852979eb805b11b4347f47c6a0c2cc4de6f14e4733bee5b562844422a45fb9dab
diff --git a/net-firewall/ipset/files/ipset-7.22-argv-bounds.patch b/net-firewall/ipset/files/ipset-7.22-argv-bounds.patch
deleted file mode 100644
index 07d18303642e..000000000000
--- a/net-firewall/ipset/files/ipset-7.22-argv-bounds.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-https://git.netfilter.org/ipset/commit/?id=851cb04ffee5040f1e0063f77c3fe9bc6245e0fb
-
-From 851cb04ffee5040f1e0063f77c3fe9bc6245e0fb Mon Sep 17 00:00:00 2001
-From: Phil Sutter <phil@nwl.cc>
-Date: Thu, 27 Jun 2024 10:18:17 +0200
-Subject: lib: ipset: Avoid 'argv' array overstepping
-
-The maximum accepted value for 'argc' is MAX_ARGS which matches 'argv'
-array size. The maximum allowed array index is therefore argc-1.
-
-This fix will leave items in argv non-NULL-terminated, so explicitly
-NULL the formerly last entry after shifting.
-
-Looks like a day-1 bug. Interestingly, this neither triggered ASAN nor
-valgrind. Yet adding debug output printing argv entries being copied
-did.
-
-Fixes: 1e6e8bd9a62aa ("Third stage to ipset-5")
-Signed-off-by: Phil Sutter <phil@nwl.cc>
-Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
---- a/lib/ipset.c
-+++ b/lib/ipset.c
-@@ -343,9 +343,9 @@ ipset_shift_argv(int *argc, char *argv[], int from)
-
- assert(*argc >= from + 1);
-
-- for (i = from + 1; i <= *argc; i++)
-+ for (i = from + 1; i < *argc; i++)
- argv[i-1] = argv[i];
-- (*argc)--;
-+ argv[--(*argc)] = NULL;
- return;
- }
-
---
-cgit v1.2.3
diff --git a/net-firewall/ipset/files/ipset-7.22-asan-buffer-overflow.patch b/net-firewall/ipset/files/ipset-7.22-asan-buffer-overflow.patch
deleted file mode 100644
index 56d126db5efa..000000000000
--- a/net-firewall/ipset/files/ipset-7.22-asan-buffer-overflow.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-https://git.netfilter.org/ipset/commit/?id=f1bcacf5eeb8620ea684524e1ce9c3951a77f1f9
-
-From f1bcacf5eeb8620ea684524e1ce9c3951a77f1f9 Mon Sep 17 00:00:00 2001
-From: Phil Sutter <phil@nwl.cc>
-Date: Thu, 27 Jun 2024 10:18:16 +0200
-Subject: lib: data: Fix for global-buffer-overflow warning by ASAN
-
-After compiling with CFLAGS="-fsanitize=address -g", running the
-testsuite triggers the following warning:
-
-| ipmap: Range: Check syntax error: missing range/from-to: FAILED
-| Failed test: ../src/ipset 2>.foo.err -N test ipmap
-| =================================================================
-| ==4204==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55a21e77172a at pc 0x7f1ef246f2a6 bp 0x7fffed8f4f40 sp 0x7fffed8f46e8
-| READ of size 32 at 0x55a21e77172a thread T0
-| #0 0x7f1ef246f2a5 in __interceptor_memcpy /var/tmp/portage/sys-devel/gcc-13.2.1_p20231014/work/gcc-13-20231014/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:899
-| #1 0x55a21e758bf6 in ipset_strlcpy /home/n0-1/git/ipset/lib/data.c:119
-| #2 0x55a21e758bf6 in ipset_data_set /home/n0-1/git/ipset/lib/data.c:349
-| #3 0x55a21e75ee2f in ipset_parse_typename /home/n0-1/git/ipset/lib/parse.c:1819
-| #4 0x55a21e754119 in ipset_parser /home/n0-1/git/ipset/lib/ipset.c:1205
-| #5 0x55a21e752cef in ipset_parse_argv /home/n0-1/git/ipset/lib/ipset.c:1344
-| #6 0x55a21e74ea45 in main /home/n0-1/git/ipset/src/ipset.c:38
-| #7 0x7f1ef224cf09 (/lib64/libc.so.6+0x23f09)
-| #8 0x7f1ef224cfc4 in __libc_start_main (/lib64/libc.so.6+0x23fc4)
-| #9 0x55a21e74f040 in _start (/home/n0-1/git/ipset/src/ipset+0x1d040)
-|
-| 0x55a21e77172a is located 54 bytes before global variable '*.LC1' defined in 'ipset_bitmap_ip.c' (0x55a21e771760) of size 19
-| '*.LC1' is ascii string 'IP|IP/CIDR|FROM-TO'
-| 0x55a21e77172a is located 0 bytes after global variable '*.LC0' defined in 'ipset_bitmap_ip.c' (0x55a21e771720) of size 10
-| '*.LC0' is ascii string 'bitmap:ip'
-
-Fix this by avoiding 'src' array overstep in ipset_strlcpy(): In
-contrast to strncpy(), memcpy() does not respect NUL-chars in input but
-stubbornly reads as many bytes as specified.
-
-Fixes: a7432ba786ca4 ("Workaround misleading -Wstringop-truncation warning")
-Signed-off-by: Phil Sutter <phil@nwl.cc>
-Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
---- a/lib/data.c
-+++ b/lib/data.c
-@@ -111,6 +111,9 @@ ipset_strlcpy(char *dst, const char *src, size_t len)
- assert(dst);
- assert(src);
-
-+ if (strlen(src) < len)
-+ len = strlen(src) + 1;
-+
- memcpy(dst, src, len);
- dst[len - 1] = '\0';
- }
---
-cgit v1.2.3
diff --git a/net-firewall/ipset/files/ipset-7.22-fix-building-on-musl.patch b/net-firewall/ipset/files/ipset-7.22-fix-building-on-musl.patch
deleted file mode 100644
index 7a77aa952869..000000000000
--- a/net-firewall/ipset/files/ipset-7.22-fix-building-on-musl.patch
+++ /dev/null
@@ -1,10 +0,0 @@
---- a/src/ipset.c 2024-08-30 14:21:19.201863069 +0000
-+++ b/src/ipset.c 2024-08-30 14:21:52.525571560 +0000
-@@ -15,6 +15,7 @@
- #include <config.h>
- #include <libipset/ipset.h> /* ipset library */
- #include <libipset/xlate.h> /* translate to nftables */
-+#include <libgen.h>
-
- int
- main(int argc, char *argv[])
diff --git a/net-firewall/ipset/ipset-7.22-r2.ebuild b/net-firewall/ipset/ipset-7.23.ebuild
index affe9147840d..431969f5d7cd 100644
--- a/net-firewall/ipset/ipset-7.22-r2.ebuild
+++ b/net-firewall/ipset/ipset-7.23.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2024 Gentoo Authors
+# Copyright 1999-2025 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
@@ -26,12 +26,7 @@ DOCS=( ChangeLog INSTALL README UPGRADE )
# configurable from outside, e.g. /etc/portage/make.conf
IP_NF_SET_MAX=${IP_NF_SET_MAX:-256}
-PATCHES=(
- "${FILESDIR}/${PN}-bash-completion.patch"
- "${FILESDIR}/${P}-asan-buffer-overflow.patch"
- "${FILESDIR}/${P}-argv-bounds.patch"
- "${FILESDIR}/${P}-fix-building-on-musl.patch"
-)
+PATCHES=( "${FILESDIR}/${PN}-bash-completion.patch")
src_prepare() {
default
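Review bot: The bump drops three local patches without the commit noting that 7.23 contains them, and two of those are memory-safety fixes: upstream 851cb04ffee5040f1e0063f77c3fe9bc6245e0fb (argv overstep in ipset_shift_argv) and f1bcacf5eeb8620ea684524e1ce9c3951a77f1f9 (over-read in ipset_strlcpy), with the third adding `#include <libgen.h>` for musl. A sentence in the commit message confirming the 7.23 tarball carries those commits would let the next reader verify that this is not a silent regression of a buffer over-read in the CLI library. Separately, the new `PATCHES=( "${FILESDIR}/${PN}-bash-completion.patch")` lacks the space before the closing paren; `PATCHES=( "${FILESDIR}/${PN}-bash-completion.patch" )` matches the array style the removed block used.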
diff --git a/net-firewall/iptables/Manifest b/net-firewall/iptables/Manifest
index 2de1a22873c0..b09d48227e0b 100644
--- a/net-firewall/iptables/Manifest
+++ b/net-firewall/iptables/Manifest
@@ -1,2 +1,3 @@
DIST iptables-1.8.10.tar.xz 641168 BLAKE2B 417b33fcfc7edeba169caef26ed0322798f6b82500840509f6c10b97b4ef3f11932c0393fc8dcc5946264442bf8ee959a594b6fbd5dc92012cfad30edf130520 SHA512 71e6ed2260859157d61981a4fe5039dc9e8d7da885a626a4b5dae8164c509a9d9f874286b9468bb6a462d6e259d4d32d5967777ecefdd8a293011ae80c00f153
+DIST iptables-1.8.11.tar.xz 649284 BLAKE2B 82daca3940e253f6fda7cf5b3332488c31391ff66c0112c0cae2645ab61918f81e6028ea2b1e1385f21e4c5ff8cd64cba31072a2417a2ab696fe1c6b5464cea1 SHA512 4937020bf52d57a45b76e1eba125214a2f4531de52ff1d15185faeef8bea0cd90eb77f99f81baa573944aa122f350a7198cef41d70594e1b65514784addbcc40
DIST iptables-1.8.9.tar.xz 637848 BLAKE2B 37ba80be0ee7049c4d3ee5689b273b4d2cc6e6fb9ebb297e86976b5750f987f2ae4536013fe1749ae79b6989c241eaece3202019fafd47d842c7a4fe3e5093b1 SHA512 e367bf286135e39b7401e852de25c1ed06d44befdffd92ed1566eb2ae9704b48ac9196cb971f43c6c83c6ad4d910443d32064bcdf618cfcef6bcab113e31ff70
diff --git a/net-firewall/iptables/files/iptables-r4.init b/net-firewall/iptables/files/iptables-r4.init
new file mode 100644
index 000000000000..e3b38b30e42c
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-r4.init
@@ -0,0 +1,167 @@
+#!/sbin/openrc-run
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+extra_commands="check save panic"
+extra_started_commands="reload"
+
+iptables_lock_wait_time=${IPTABLES_LOCK_WAIT_TIME:-"60"}
+iptables_lock_wait_interval=${IPTABLES_LOCK_WAIT_INTERVAL:-"1000"}
+
+iptables_name=${SVCNAME}
+case ${iptables_name} in
+ iptables|ip6tables) ;;
+ *) iptables_name="iptables" ;;
+esac
+
+iptables_bin="/sbin/${iptables_name}"
+case ${iptables_name} in
+ iptables) iptables_proc="/proc/net/ip_tables_names"
+ iptables_save=${IPTABLES_SAVE};;
+ ip6tables) iptables_proc="/proc/net/ip6_tables_names"
+ iptables_save=${IP6TABLES_SAVE};;
+esac
+
+depend() {
+ need localmount #434774
+ before net
+}
+
+set_table_policy() {
+ local has_errors=0 chains table=$1 policy=$2
+ case ${table} in
+ nat) chains="PREROUTING POSTROUTING OUTPUT";;
+ mangle) chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING";;
+ filter) chains="INPUT FORWARD OUTPUT";;
+ *) chains="";;
+ esac
+
+ local chain
+ for chain in ${chains} ; do
+ ${iptables_bin} --wait ${iptables_lock_wait_time} -t ${table} -P ${chain} ${policy}
+ [ $? -ne 0 ] && has_errors=1
+ done
+
+ return ${has_errors}
+}
+
+checkkernel() {
+ if [ ! -e ${iptables_proc} ] ; then
+ eerror "Your kernel lacks ${iptables_name} support, please load"
+ eerror "appropriate modules and try again."
+ return 1
+ fi
+ return 0
+}
+
+checkconfig() {
+ if [ -z "${iptables_save}" -o ! -f "${iptables_save}" ] ; then
+ eerror "Not starting ${iptables_name}. First create some rules then run:"
+ eerror "/etc/init.d/${iptables_name} save"
+ return 1
+ fi
+ return 0
+}
+
+start_pre() {
+ checkconfig || return 1
+}
+
+start() {
+ ebegin "Loading ${iptables_name} state and starting firewall"
+ ${iptables_bin}-restore --wait ${iptables_lock_wait_time} ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
+ eend $?
+}
+
+stop_pre() {
+ checkkernel || return 1
+}
+
+stop() {
+ if [ "${SAVE_ON_STOP}" = "yes" ] ; then
+ save || return 1
+ fi
+
+ ebegin "Stopping firewall"
+ local has_errors=0 a
+ for a in $(cat ${iptables_proc}) ; do
+ set_table_policy $a ACCEPT
+ [ $? -ne 0 ] && has_errors=1
+
+ ${iptables_bin} --wait ${iptables_lock_wait_time} -F -t $a
+ [ $? -ne 0 ] && has_errors=1
+
+ ${iptables_bin} --wait ${iptables_lock_wait_time} -X -t $a
+ [ $? -ne 0 ] && has_errors=1
+ done
+ eend ${has_errors}
+}
+
+reload() {
+ checkkernel || return 1
+ checkrules || return 1
+ local has_errors=0 a flushed=0
+ for a in $(cat ${iptables_proc}) ; do
+ if ! grep -q "^\*${a}$" "${iptables_save}" ; then
+ [ $flushed -eq 0 ] && ebegin "Flushing firewall" && flushed=1
+ ${iptables_bin} --wait ${iptables_lock_wait_time} -F -t $a
+ [ $? -ne 0 ] && has_errors=1
+
+ ${iptables_bin} --wait ${iptables_lock_wait_time} -X -t $a
+ [ $? -ne 0 ] && has_errors=1
+ fi
+ done
+ eend ${has_errors}
+
+ start
+}
+
+checkrules() {
+ ebegin "Checking rules"
+ ${iptables_bin}-restore --test ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
+ eend $?
+}
+
+check() {
+ # Short name for users of init.d script.
+ checkrules
+}
+
+save() {
+ ebegin "Saving ${iptables_name} state"
+ checkpath -q -d "$(dirname "${iptables_save}")"
+ checkpath -q -m 0600 -f "${iptables_save}"
+ ${iptables_bin}-save ${SAVE_RESTORE_OPTIONS} > "${iptables_save}"
+ eend $?
+}
+
+panic() {
+ # use iptables autoload capability to load at least all required
+ # modules and filter table
+ ${iptables_bin} --wait ${iptables_lock_wait_time} -S >/dev/null
+ if [ $? -ne 0 ] ; then
+ eerror "${iptables_bin} failed to load"
+ return 1
+ fi
+
+ if service_started ${iptables_name}; then
+ rc-service ${iptables_name} stop
+ fi
+
+ local has_errors=0 a
+ ebegin "Dropping all packets"
+ for a in $(cat ${iptables_proc}) ; do
+ ${iptables_bin} --wait ${iptables_lock_wait_time} -F -t $a
+ [ $? -ne 0 ] && has_errors=1
+
+ ${iptables_bin} --wait ${iptables_lock_wait_time} -X -t $a
+ [ $? -ne 0 ] && has_errors=1
+
+ if [ "${a}" != "nat" ]; then
+ # The "nat" table is not intended for filtering, the use of DROP is therefore inhibited.
+ set_table_policy $a DROP
+ [ $? -ne 0 ] && has_errors=1
+ fi
+ done
+ eend ${has_errors}
+}
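Review bot: In `save()` the redirect `> "${iptables_save}"` truncates the persisted ruleset before `${iptables_bin}-save` runs, so a failure (lock timeout, missing module) leaves an empty file that `checkconfig` then accepts and the next `start` restores as no rules at all; write to a sibling file and rename only on success: `local tmp="${iptables_save}.tmp"`, `checkpath -q -m 0600 -f "${tmp}"`, `${iptables_bin}-save ${SAVE_RESTORE_OPTIONS} > "${tmp}" && mv -f "${tmp}" "${iptables_save}"`. In `panic()` each table is flushed (`-F`) and its chains deleted (`-X`) before `set_table_policy $a DROP`, which leaves a short window with empty tables under the ACCEPT policy that the preceding `stop` installed; calling `set_table_policy` ahead of the flush closes that window. Minor: `[ -z "${iptables_save}" -o ! -f "${iptables_save}" ]` in `checkconfig` relies on the obsolescent `-o`; two separate tests joined by `||` are the portable form.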
diff --git a/net-firewall/iptables/iptables-1.8.11-r1.ebuild b/net-firewall/iptables/iptables-1.8.11-r1.ebuild
new file mode 100644
index 000000000000..eeb7878289e6
--- /dev/null
+++ b/net-firewall/iptables/iptables-1.8.11-r1.ebuild
@@ -0,0 +1,176 @@
+# Copyright 1999-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit systemd toolchain-funcs autotools flag-o-matic
+
+DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
+HOMEPAGE="https://www.netfilter.org/projects/iptables/"
+SRC_URI="https://www.netfilter.org/projects/iptables/files/${P}.tar.xz"
+
+LICENSE="GPL-2"
+# Subslot reflects PV when libxtables and/or libip*tc was changed
+# the last time.
+SLOT="0/1.8.3"
+KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86"
+IUSE="conntrack netlink nftables pcap static-libs test"
+RESTRICT="!test? ( test )"
+# TODO: skip tests needing nftables if no xtables-nft-multi (bug #890628)
+REQUIRED_USE="test? ( conntrack nftables )"
+
+COMMON_DEPEND="
+ conntrack? ( >=net-libs/libnetfilter_conntrack-1.0.6 )
+ netlink? ( net-libs/libnfnetlink )
+ nftables? (
+ >=net-libs/libmnl-1.0:=
+ >=net-libs/libnftnl-1.2.6:=
+ )
+ pcap? ( net-libs/libpcap )
+"
+DEPEND="
+ ${COMMON_DEPEND}
+ virtual/os-headers
+ >=sys-kernel/linux-headers-4.4:0
+"
+BDEPEND="
+ virtual/pkgconfig
+ nftables? (
+ app-alternatives/lex
+ app-alternatives/yacc
+ )
+"
+RDEPEND="
+ ${COMMON_DEPEND}
+ nftables? ( net-misc/ethertypes )
+ !<net-firewall/ebtables-2.0.11-r1
+ !<net-firewall/arptables-0.0.5-r1
+"
+IDEPEND=">=app-eselect/eselect-iptables-20220320"
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-1.8.4-no-symlinks.patch
+)
+
+src_prepare() {
+ # Use the saner headers from the kernel
+ rm include/linux/{kernel,types}.h || die
+
+ default
+ eautoreconf
+}
+
+src_configure() {
+ # Some libs use $(AR) rather than libtool to build, bug #444282
+ tc-export AR
+
+ # Hack around struct mismatches between userland & kernel for some ABIs
+ # bug #472388
+ use amd64 && [[ ${ABI} == "x32" ]] && append-flags -fpack-struct
+
+ local myeconfargs=(
+ --sbindir="${EPREFIX}/sbin"
+ --libexecdir="${EPREFIX}/$(get_libdir)"
+ --enable-devel
+ --enable-ipv6
+ --enable-shared
+ $(use_enable conntrack connlabel)
+ $(use_enable nftables)
+ $(use_enable netlink libnfnetlink)
+ $(use_enable pcap bpf-compiler)
+ $(use_enable pcap nfsynproxy)
+ $(use_enable static-libs static)
+ )
+
+ econf "${myeconfargs[@]}"
+}
+
+src_compile() {
+ emake V=1
+}
+
+src_install() {
+ default
+
+ # Managed by eselect-iptables
+ # https://bugs.gentoo.org/881295
+ rm "${ED}/usr/bin/iptables-xml" || die
+
+ dodoc iptables/iptables.xslt
+
+ # All the iptables binaries are in /sbin, so might as well
+ # put these small files in with them
+ into /
+ dosbin iptables/iptables-apply
+ dosym iptables-apply /sbin/ip6tables-apply
+ doman iptables/iptables-apply.8
+
+ insinto /usr/include
+ doins include/ip{,6}tables.h
+ insinto /usr/include/iptables
+ doins include/iptables/internal.h
+
+ keepdir /var/lib/ip{,6}tables
+ newinitd "${FILESDIR}"/${PN}-r4.init iptables
+ newconfd "${FILESDIR}"/${PN}-r1.confd iptables
+ dosym iptables /etc/init.d/ip6tables
+ newconfd "${FILESDIR}"/ip6tables-r1.confd ip6tables
+
+ if use nftables; then
+ # Bug #647458
+ rm "${ED}"/etc/ethertypes || die
+
+ # Bugs #660886 and #669894
+ rm "${ED}"/sbin/{arptables,ebtables}{,-{save,restore}} || die
+ fi
+
+ systemd_dounit "${FILESDIR}"/systemd/ip{,6}tables-{re,}store.service
+
+ find "${ED}" -type f -name "*.la" -delete || die
+}
+
+pkg_postinst() {
+ local default_iptables="xtables-legacy-multi"
+ if ! eselect iptables show &>/dev/null; then
+ elog "Current iptables implementation is unset, setting to ${default_iptables}"
+ eselect iptables set "${default_iptables}"
+ fi
+
+ if use nftables; then
+ local tables
+ for tables in {arp,eb}tables; do
+ if ! eselect ${tables} show &>/dev/null; then
+ elog "Current ${tables} implementation is unset, setting to ${default_iptables}"
+ eselect ${tables} set xtables-nft-multi
+ fi
+ done
+ fi
+
+ eselect iptables show
+}
+
+pkg_prerm() {
+ if [[ -z ${REPLACED_BY_VERSION} ]]; then
+ elog "Unsetting iptables symlinks before removal"
+ eselect iptables unset
+ fi
+
+ if ! has_version 'net-firewall/ebtables'; then
+ elog "Unsetting ebtables symlinks before removal"
+ eselect ebtables unset
+ elif [[ -z ${REPLACED_BY_VERSION} ]]; then
+ elog "Resetting ebtables symlinks to ebtables-legacy"
+ eselect ebtables set ebtables-legacy
+ fi
+
+ if ! has_version 'net-firewall/arptables'; then
+ elog "Unsetting arptables symlinks before removal"
+ eselect arptables unset
+ elif [[ -z ${REPLACED_BY_VERSION} ]]; then
+ elog "Resetting arptables symlinks to arptables-legacy"
+ eselect arptables set arptables-legacy
+ fi
+
+ # The eselect module failing should not be fatal
+ return 0
+}
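Review bot: In pkg_postinst the elog for the arptables/ebtables loop reports `${default_iptables}` (which is `xtables-legacy-multi`) while the next line actually sets `xtables-nft-multi`, so the message names the wrong implementation. Either change the message to `elog "Current ${tables} implementation is unset, setting to xtables-nft-multi"` or introduce `local default_nft="xtables-nft-multi"` and use it on both lines. The same two lines appear in the iptables-1.8.11.ebuild section of this diff. The -r1 ebuild also carries `~hppa` where 1.8.11 has `hppa`; presumably deliberate, but worth a glance since the only other difference is the init script revision.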
diff --git a/net-firewall/iptables/iptables-1.8.11.ebuild b/net-firewall/iptables/iptables-1.8.11.ebuild
new file mode 100644
index 000000000000..ba246b4b175d
--- /dev/null
+++ b/net-firewall/iptables/iptables-1.8.11.ebuild
@@ -0,0 +1,176 @@
+# Copyright 1999-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit systemd toolchain-funcs autotools flag-o-matic
+
+DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
+HOMEPAGE="https://www.netfilter.org/projects/iptables/"
+SRC_URI="https://www.netfilter.org/projects/iptables/files/${P}.tar.xz"
+
+LICENSE="GPL-2"
+# Subslot reflects PV when libxtables and/or libip*tc was changed
+# the last time.
+SLOT="0/1.8.3"
+KEYWORDS="~alpha amd64 arm arm64 hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86"
+IUSE="conntrack netlink nftables pcap static-libs test"
+RESTRICT="!test? ( test )"
+# TODO: skip tests needing nftables if no xtables-nft-multi (bug #890628)
+REQUIRED_USE="test? ( conntrack nftables )"
+
+COMMON_DEPEND="
+ conntrack? ( >=net-libs/libnetfilter_conntrack-1.0.6 )
+ netlink? ( net-libs/libnfnetlink )
+ nftables? (
+ >=net-libs/libmnl-1.0:=
+ >=net-libs/libnftnl-1.2.6:=
+ )
+ pcap? ( net-libs/libpcap )
+"
+DEPEND="
+ ${COMMON_DEPEND}
+ virtual/os-headers
+ >=sys-kernel/linux-headers-4.4:0
+"
+BDEPEND="
+ virtual/pkgconfig
+ nftables? (
+ app-alternatives/lex
+ app-alternatives/yacc
+ )
+"
+RDEPEND="
+ ${COMMON_DEPEND}
+ nftables? ( net-misc/ethertypes )
+ !<net-firewall/ebtables-2.0.11-r1
+ !<net-firewall/arptables-0.0.5-r1
+"
+IDEPEND=">=app-eselect/eselect-iptables-20220320"
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-1.8.4-no-symlinks.patch
+)
+
+src_prepare() {
+ # Use the saner headers from the kernel
+ rm include/linux/{kernel,types}.h || die
+
+ default
+ eautoreconf
+}
+
+src_configure() {
+ # Some libs use $(AR) rather than libtool to build, bug #444282
+ tc-export AR
+
+ # Hack around struct mismatches between userland & kernel for some ABIs
+ # bug #472388
+ use amd64 && [[ ${ABI} == "x32" ]] && append-flags -fpack-struct
+
+ local myeconfargs=(
+ --sbindir="${EPREFIX}/sbin"
+ --libexecdir="${EPREFIX}/$(get_libdir)"
+ --enable-devel
+ --enable-ipv6
+ --enable-shared
+ $(use_enable conntrack connlabel)
+ $(use_enable nftables)
+ $(use_enable netlink libnfnetlink)
+ $(use_enable pcap bpf-compiler)
+ $(use_enable pcap nfsynproxy)
+ $(use_enable static-libs static)
+ )
+
+ econf "${myeconfargs[@]}"
+}
+
+src_compile() {
+ emake V=1
+}
+
+src_install() {
+ default
+
+ # Managed by eselect-iptables
+ # https://bugs.gentoo.org/881295
+ rm "${ED}/usr/bin/iptables-xml" || die
+
+ dodoc iptables/iptables.xslt
+
+ # All the iptables binaries are in /sbin, so might as well
+ # put these small files in with them
+ into /
+ dosbin iptables/iptables-apply
+ dosym iptables-apply /sbin/ip6tables-apply
+ doman iptables/iptables-apply.8
+
+ insinto /usr/include
+ doins include/ip{,6}tables.h
+ insinto /usr/include/iptables
+ doins include/iptables/internal.h
+
+ keepdir /var/lib/ip{,6}tables
+ newinitd "${FILESDIR}"/${PN}-r3.init iptables
+ newconfd "${FILESDIR}"/${PN}-r1.confd iptables
+ dosym iptables /etc/init.d/ip6tables
+ newconfd "${FILESDIR}"/ip6tables-r1.confd ip6tables
+
+ if use nftables; then
+ # Bug #647458
+ rm "${ED}"/etc/ethertypes || die
+
+ # Bugs #660886 and #669894
+ rm "${ED}"/sbin/{arptables,ebtables}{,-{save,restore}} || die
+ fi
+
+ systemd_dounit "${FILESDIR}"/systemd/ip{,6}tables-{re,}store.service
+
+ find "${ED}" -type f -name "*.la" -delete || die
+}
+
+pkg_postinst() {
+ local default_iptables="xtables-legacy-multi"
+ if ! eselect iptables show &>/dev/null; then
+ elog "Current iptables implementation is unset, setting to ${default_iptables}"
+ eselect iptables set "${default_iptables}"
+ fi
+
+ if use nftables; then
+ local tables
+ for tables in {arp,eb}tables; do
+ if ! eselect ${tables} show &>/dev/null; then
+ elog "Current ${tables} implementation is unset, setting to ${default_iptables}"
+ eselect ${tables} set xtables-nft-multi
+ fi
+ done
+ fi
+
+ eselect iptables show
+}
+
+pkg_prerm() {
+ if [[ -z ${REPLACED_BY_VERSION} ]]; then
+ elog "Unsetting iptables symlinks before removal"
+ eselect iptables unset
+ fi
+
+ if ! has_version 'net-firewall/ebtables'; then
+ elog "Unsetting ebtables symlinks before removal"
+ eselect ebtables unset
+ elif [[ -z ${REPLACED_BY_VERSION} ]]; then
+ elog "Resetting ebtables symlinks to ebtables-legacy"
+ eselect ebtables set ebtables-legacy
+ fi
+
+ if ! has_version 'net-firewall/arptables'; then
+ elog "Unsetting arptables symlinks before removal"
+ eselect arptables unset
+ elif [[ -z ${REPLACED_BY_VERSION} ]]; then
+ elog "Resetting arptables symlinks to arptables-legacy"
+ eselect arptables set arptables-legacy
+ fi
+
+ # The eselect module failing should not be fatal
+ return 0
+}
diff --git a/net-firewall/nftables/nftables-1.1.0-r1.ebuild b/net-firewall/nftables/nftables-1.1.0-r1.ebuild
index efec7e4d23d4..24ede801396a 100644
--- a/net-firewall/nftables/nftables-1.1.0-r1.ebuild
+++ b/net-firewall/nftables/nftables-1.1.0-r1.ebuild
@@ -21,7 +21,7 @@ else
https://netfilter.org/projects/nftables/files/${P}.tar.xz
verify-sig? ( https://netfilter.org/projects/nftables/files/${P}.tar.xz.sig )
"
- KEYWORDS="amd64 arm arm64 ~hppa ~loong ~mips ppc ppc64 ~riscv sparc x86"
+ KEYWORDS="amd64 arm arm64 hppa ~loong ~mips ppc ppc64 ~riscv sparc x86"
BDEPEND="verify-sig? ( sec-keys/openpgp-keys-netfilter )"
fi
diff --git a/net-firewall/nftables/nftables-1.1.1.ebuild b/net-firewall/nftables/nftables-1.1.1.ebuild
index ecfd85b0e138..81f6ec23a51b 100644
--- a/net-firewall/nftables/nftables-1.1.1.ebuild
+++ b/net-firewall/nftables/nftables-1.1.1.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2024 Gentoo Authors
+# Copyright 1999-2025 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
@@ -21,7 +21,7 @@ else
https://netfilter.org/projects/nftables/files/${P}.tar.xz
verify-sig? ( https://netfilter.org/projects/nftables/files/${P}.tar.xz.sig )
"
- KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~loong ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86"
+ KEYWORDS="amd64 arm arm64 hppa ~loong ~mips ppc ppc64 ~riscv sparc x86"
BDEPEND="verify-sig? ( sec-keys/openpgp-keys-netfilter )"
fi
diff --git a/net-firewall/nftlb/Manifest b/net-firewall/nftlb/Manifest
index d4a85e63f071..8ec890888e6a 100644
--- a/net-firewall/nftlb/Manifest
+++ b/net-firewall/nftlb/Manifest
@@ -1,2 +1,3 @@
DIST nftlb-1.0.7.tar.gz 201988 BLAKE2B 794778523b3a60a351fd071e6ff129197203ddfb1b80823dd6b05c30cb530040da465a10d2ffbf11cad063c2a453bb9baebd6e689b9166d4fcb0fe9fd17760e8 SHA512 eb1e9847f340e57b75a5b8680774d8208b282faccdef48e316b2bd52b10349eeda70643386e0e899d0f6a2f506964cf1b7a7ec2d86279f83ca87a9afa8f047bc
DIST nftlb-1.0.8.gh.tar.gz 256936 BLAKE2B 1ab9fb508c8613304ebde7185a8ad8ddabb483d17c8b872cfb7da8a0b0e5a8d40f74a74361d1d5b8304d45c00357eea1f88f2cc39e5afe537791278277462407 SHA512 f612b7065fb5011f1af34cabe0945b7b0c1479241b4673d86e2e97d06bffdfefcc5ca4ec3ad3752faa92862306ed8ad28754838236476fe9db88099bc389cf7c
+DIST nftlb-1.1.0.gh.tar.gz 250421 BLAKE2B 4034032bec80fe43c67af54550fe24f6133ce9b79c769caa678ef351d001ad01b758740df73e149726f00c258a84e3f4cbd6394a86efec0cdb5221a2f374f774 SHA512 e4fd41f5d7251913be457ae9b4e1ca1a1cc25751d1ffbb7fac3e009332ff963fcd5ab141e8cdbd26eee57183bc7663bf153feb5cd2ba8e2b6cc36083c8c12e46
diff --git a/net-firewall/nftlb/files/nftlb-1.1.0-musl.patch b/net-firewall/nftlb/files/nftlb-1.1.0-musl.patch
new file mode 100644
index 000000000000..b9cfb315c7e2
--- /dev/null
+++ b/net-firewall/nftlb/files/nftlb-1.1.0-musl.patch
@@ -0,0 +1,73 @@
+diff --git a/configure.ac b/configure.ac
+index ace78db..55f5f68 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -2,6 +2,7 @@ AC_INIT([nftlb], [1.1.0], [netfilter-devel@vger.kernel.org])
+
+ AC_CONFIG_AUX_DIR([build-aux])
+ AC_CONFIG_MACRO_DIR([m4])
++AC_CONFIG_HEADERS([config.h])
+ AM_INIT_AUTOMAKE([-Wall foreign subdir-objects
+ tar-pax no-dist-gzip dist-bzip2 1.6])
+
+@@ -25,5 +26,7 @@ AC_CHECK_HEADER([ev.h], [EVENTINC="-include ev.h"],
+ [EVENTINC="-include libev/ev.h"],
+ [AC_MSG_ERROR([ev.h not found])])])
+
++AC_CHECK_HEADERS([execinfo.h])
++
+ AC_CONFIG_FILES([Makefile src/Makefile])
+ AC_OUTPUT
+diff --git a/src/main.c b/src/main.c
+index bca652e..5d7e918 100644
+--- a/src/main.c
++++ b/src/main.c
+@@ -18,6 +18,7 @@
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
++#include "config.h"
+
+ #include <stdio.h>
+ #include <stdlib.h>
+@@ -25,6 +26,10 @@
+ #include <errno.h>
+ #include <unistd.h>
+
++#ifdef HAVE_EXECINFO_H
++ #include <execinfo.h>
++#endif /* HAVE_EXECINFO_H */
++
+ #include "config.h"
+ #include "objects.h"
+ #include "server.h"
+@@ -88,6 +93,7 @@ static void nftlb_sighandler(int signo)
+ exit(EXIT_SUCCESS);
+ }
+
++#ifdef HAVE_EXECINFO_H
+ static void nftlb_trace() {
+ int level;
+
+@@ -100,6 +106,7 @@ static void nftlb_trace() {
+ if (!obj_recovery())
+ exit(EXIT_FAILURE);
+ }
++#endif /* HAVE_EXECINFO_H */
+
+ static int main_process(const char *config, int mode)
+ {
+@@ -189,9 +196,13 @@ int main(int argc, char *argv[])
+
+ if (signal(SIGINT, nftlb_sighandler) == SIG_ERR ||
+ signal(SIGTERM, nftlb_sighandler) == SIG_ERR ||
++#ifdef HAVE_EXECINFO_H
+ signal(SIGPIPE, SIG_IGN) == SIG_ERR ||
+ signal(SIGABRT, nftlb_trace) == SIG_ERR ||
+ signal(SIGSEGV, nftlb_trace) == SIG_ERR) {
++#else
++ signal(sigpipe, sig_ign) == sig_err) {
++#endif /* have_execinfo_h */
+ u_log_print(LOG_ERR, "Error assigning signals");
+ return EXIT_FAILURE;
+ }
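Review bot: The `#else` branch added at the end of the main.c hunk spells its identifiers in lowercase (`signal(sigpipe, sig_ign) == sig_err) {`), which cannot compile since C is case-sensitive, and that branch is precisely the one taken on a libc without execinfo.h; it should read `signal(SIGPIPE, SIG_IGN) == SIG_ERR) {`. It is also worth confirming that the `#include "config.h"` added at the top of main.c resolves to the autoconf-generated header rather than nftlb's own `config.h`, which the file already includes under the same name a few lines further down; if the project header shadows the generated one, `HAVE_EXECINFO_H` is never defined and the backtrace handlers are silently compiled out everywhere.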
diff --git a/net-firewall/nftlb/metadata.xml b/net-firewall/nftlb/metadata.xml
index ab906c04250e..6cf207784952 100644
--- a/net-firewall/nftlb/metadata.xml
+++ b/net-firewall/nftlb/metadata.xml
@@ -6,6 +6,6 @@
<name>Patrick McLean</name>
</maintainer>
<upstream>
- <remote-id type="github">zevenet/nftlb</remote-id>
+ <remote-id type="github">relianoid/nftlb</remote-id>
</upstream>
</pkgmetadata>
diff --git a/net-firewall/nftlb/nftlb-1.1.0.ebuild b/net-firewall/nftlb/nftlb-1.1.0.ebuild
new file mode 100644
index 000000000000..7e90a613b33b
--- /dev/null
+++ b/net-firewall/nftlb/nftlb-1.1.0.ebuild
@@ -0,0 +1,69 @@
+# Copyright 2020-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit linux-info autotools
+
+DESCRIPTION="nftables load balancer"
+HOMEPAGE="
+ https://www.relianoid.com/nftlb
+ https://github.com/relianoid/nftlb
+"
+SRC_URI="https://github.com/relianoid/${PN}/archive/v${PV}.tar.gz -> ${P}.gh.tar.gz"
+
+LICENSE="AGPL-3"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+
+DEPEND="
+ net-firewall/nftables:=[modern-kernel(+)]
+ dev-libs/jansson:=
+ dev-libs/libev:=
+"
+RDEPEND="
+ ${DEPEND}
+"
+
+# tests need root access
+RESTRICT="test"
+
+PATCHES=(
+ "${FILESDIR}/nftlb-1.0.8-tests.patch"
+ "${FILESDIR}/nftlb-1.1.0-musl.patch"
+)
+
+pkg_setup() {
+ local CONFIG_CHECK="
+ ~NF_TABLES
+ ~NFT_NUMGEN
+ ~NFT_HASH
+ ~NF_NAT
+ ~IP_NF_NAT
+ "
+
+ linux-info_pkg_setup
+
+ if kernel_is lt 4 19; then
+ eerror "${PN} requires kernel version 4.19 or newer"
+ fi
+}
+
+src_prepare() {
+ # there are some compiler artifacts in the tarball
+ find "${S}" -name '*.o' -delete || die
+
+ default
+ eautoreconf
+}
+
+src_test() {
+ pushd tests >/dev/null || die
+
+ sed -e "s:/var/log/syslog:\"${T}/tests.log\":" \
+ -i exec_tests.sh || die
+
+ ./exec_tests.sh || die "tests failed"
+
+ popd >/dev/null || die
+}
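Review bot: The kernel-version check in pkg_setup only calls `eerror` and then continues, so a build against a kernel older than 4.19 proceeds after printing the message. If that is intended (the build host kernel need not be the runtime kernel, and `CONFIG_CHECK` is likewise all optional `~` entries), a comment such as `# Non-fatal: the build-host kernel may differ from the target kernel` above the `if` would make the choice explicit; otherwise `die` is the expected outcome there.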
diff --git a/net-firewall/xtables-addons/Manifest b/net-firewall/xtables-addons/Manifest
index 9dfa189cce62..c7600d5d4f47 100644
--- a/net-firewall/xtables-addons/Manifest
+++ b/net-firewall/xtables-addons/Manifest
@@ -1 +1,2 @@
DIST xtables-addons-3.24.tar.xz 335724 BLAKE2B c086616c0366346bd87813ae0fc561bdb8f892eecea19ef88c65afef5318ac6f75fec658e0c6595de5c620c965b2bd7f10e45ff3ec55ffb9ddf8e85643190e7e SHA512 08c3b87617e0124aef99a3953fc5e03e8d98be50ce70771e352509ec64263d5256f744489f10f39879630d9dc8d28f3c91173b4739c95bbd8d5ad56e33138eb4
+DIST xtables-addons-3.27.tar.xz 340360 BLAKE2B 5b82069e21464bc293d76c6cd298e6beafdda57bc07582be64d7ff9a5511741bd1acd9a54a7b1caa08631d108a17b51dc7e7c2926003e6a893b1df0f6b360b62 SHA512 1938342914c24621743d0460e4057ffa6d3b6d01f3d0ca5feaa3852675f18c309f57fcb73725972d4aa87b7da92667efffa16e203f4cd1362cb8bb03a116636a
diff --git a/net-firewall/xtables-addons/metadata.xml b/net-firewall/xtables-addons/metadata.xml
index 22c9b77bb8cd..461cf8e0f052 100644
--- a/net-firewall/xtables-addons/metadata.xml
+++ b/net-firewall/xtables-addons/metadata.xml
@@ -13,5 +13,6 @@
</longdescription>
<upstream>
<remote-id type="sourceforge">xtables-addons</remote-id>
+ <remote-id type="codeberg">jengelh/xtables-addons</remote-id>
</upstream>
</pkgmetadata>
diff --git a/net-firewall/xtables-addons/xtables-addons-3.27.ebuild b/net-firewall/xtables-addons/xtables-addons-3.27.ebuild
new file mode 100644
index 000000000000..dd7a313409cf
--- /dev/null
+++ b/net-firewall/xtables-addons/xtables-addons-3.27.ebuild
@@ -0,0 +1,107 @@
+# Copyright 2023-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+MODULES_OPTIONAL_IUSE="+modules"
+inherit flag-o-matic linux-mod-r1
+
+XTABLES_MODULES=(
+ account chaos delude dhcpmac dnetmap echo ipmark logmark
+ proto sysrq tarpit asn condition fuzzy geoip gradm iface
+ ipp2p ipv4options length2 lscan pknock psd quota2
+)
+
+MODULES_KERNEL_MIN=4.15
+
+DESCRIPTION="iptables extensions not yet accepted in the main kernel"
+HOMEPAGE="
+ https://inai.de/projects/xtables-addons/
+ https://codeberg.org/jengelh/xtables-addons/
+"
+SRC_URI="https://inai.de/files/xtables-addons/${P}.tar.xz"
+
+LICENSE="GPL-2+"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+IUSE="${XTABLES_MODULES[*]/#/xtables_addons_}"
+
+XTABLES_SCRIPTS_DEPEND="
+ app-arch/unzip
+ dev-perl/Net-CIDR-Lite
+ dev-perl/Text-CSV_XS
+ virtual/perl-Getopt-Long
+"
+DEPEND="net-firewall/iptables:="
+RDEPEND="
+ ${DEPEND}
+ xtables_addons_asn? ( ${XTABLES_SCRIPTS_DEPEND} )
+ xtables_addons_geoip? ( ${XTABLES_SCRIPTS_DEPEND} )
+"
+
+pkg_setup() {
+ local CONFIG_CHECK="NF_CONNTRACK NF_CONNTRACK_MARK"
+
+ if use xtables_addons_pknock; then
+ CONFIG_CHECK+=" ~CONNECTOR"
+ local ERROR_CONNECTOR="CONFIG_CONNECTOR: is not set but is needed to receive userspace
+ notifications from pknock through netlink/connector"
+ fi
+
+ linux-mod-r1_pkg_setup
+}
+
+src_prepare() {
+ default
+
+ local mod modules
+ mapfile -t modules < <(sed -En 's/^build_(.+)=.*/\L\1/p' mconfig || die)
+ [[ ${modules[*]} == "${XTABLES_MODULES[*]}" ]] ||
+ die "XTABLES_MODULES needs to be updated to: '${modules[*]}'"
+
+ for mod in "${modules[@]}"; do
+ use xtables_addons_${mod} || sed -i "/^build_${mod}=/Id" mconfig || die
+ done
+}
+
+src_configure() {
+ # Uses CFLAGS for tools, and it may mismatch with the kernel's CC
+ # FIXME?: ideally would want to build tools with normal CC
+ use modules && CC=${KERNEL_CC} strip-unsupported-flags
+
+ local econfargs=(
+ # TODO?: should move to ${EPREFIX}/usr + use default libexecdir by now
+ # (matching documentation), but could be a disruptive change for users
+ # with xt_asn/geoip_* paths they may have hardcoded in scripts
+ --prefix="${EPREFIX:-/}"
+ --libexecdir="${EPREFIX}"/$(get_libdir)
+ $(usex modules --with-kbuild="${KV_OUT_DIR}" --without-kbuild)
+ )
+
+ econf "${econfargs[@]}"
+}
+
+src_compile() {
+ use modules || MODULES_MAKEARGS=()
+
+ emake "${MODULES_MAKEARGS[@]}"
+}
+
+src_install() {
+ MODULES_MAKEARGS+=(
+ DESTDIR="${D}"
+ INSTALL_MOD_DIR=xtables_addons
+ )
+
+ emake "${MODULES_MAKEARGS[@]}" install
+ modules_post_process
+
+ dodoc -r README.rst doc/.
+
+ use xtables_addons_asn ||
+ find "${ED}" -type f -name '*_asn*' -delete || die
+ use xtables_addons_geoip ||
+ find "${ED}" -type f -name '*_geoip*' -delete || die
+
+ find "${ED}" -type f -name '*.la' -delete || die
+}
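Review bot: The header on the first line reads `# Copyright 2023-2024 Gentoo Authors` while the other files added in this diff carry 2025; if this ebuild is new in 2025 the year range should be bumped to match. As a point of style, the `use xtables_addons_asn || find … -delete || die` chains at the end of src_install read as if `die` guarded the USE test, when it only guards `find`; `if ! use xtables_addons_asn; then find "${ED}" -type f -name '*_asn*' -delete || die; fi` (and likewise for geoip) says the same thing unambiguously.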