Diffstat (limited to 'net-firewall')
29 files changed, 888 insertions, 316 deletions
diff --git a/net-firewall/conntrack-tools/conntrack-tools-1.4.8-r1.ebuild b/net-firewall/conntrack-tools/conntrack-tools-1.4.8-r1.ebuild
index ff8d0251fc47..c11278aa667c 100644
--- a/net-firewall/conntrack-tools/conntrack-tools-1.4.8-r1.ebuild
+++ b/net-firewall/conntrack-tools/conntrack-tools-1.4.8-r1.ebuild
@@ -15,7 +15,7 @@ SRC_URI="
 LICENSE="GPL-2+"
 SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm64 ~hppa ~ppc ~ppc64 ~riscv ~x86"
+KEYWORDS="~alpha amd64 ~arm64 ~hppa ppc ppc64 ~riscv x86"
 IUSE="doc +cthelper +cttimeout systemd"
 RDEPEND="
diff --git a/net-firewall/ferm/ferm-2.7.ebuild b/net-firewall/ferm/ferm-2.7.ebuild
index 5e7d668967ba..6293e4dd4bb5 100644
--- a/net-firewall/ferm/ferm-2.7.ebuild
+++ b/net-firewall/ferm/ferm-2.7.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2022 Gentoo Authors
+# Copyright 1999-2025 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 EAPI=8
@@ -11,7 +11,7 @@ SRC_URI="http://ferm.foo-projects.org/download/${PV}/${P}.tar.xz"
 LICENSE="GPL-2+"
 SLOT="0"
-KEYWORDS="amd64 ppc x86"
+KEYWORDS="amd64 ~arm64 ppc x86"
 # Uses Internet connection while testing.
 RESTRICT="test"
diff --git a/net-firewall/firehol/Manifest b/net-firewall/firehol/Manifest
index e7ed5e2a55f8..41c60b489672 100644
--- a/net-firewall/firehol/Manifest
+++ b/net-firewall/firehol/Manifest
@@ -1,2 +1 @@
-DIST firehol-3.1.6.tar.xz 1484424 BLAKE2B aea45aa424b7b43ed0576916f52a785601a21489263c1b5c6abbf3b2b97db80bf2a2420ae8176cd55e335ab93c18a8209a47f467dba80a63cf2c319b3e3e27d8 SHA512 5ffa7e59d3f10a6c7d3f5b5ef9d93f1b2138063374a10cb0c1ac4e75578d6cf7755e154b51febf546563ba003f100af13f89bca3843b66a8d22b8fc2da3fadfe
 DIST firehol-3.1.7.tar.xz 1457932 BLAKE2B 9a861f2e9c900bce45d0dbd12f4546bc14eb4d74aea27a8d4cb0e5bfe8bea92d9bff3ccf008d46bd64212d689123273c99d0b0faaaadd34f0e1d85e22ee757c9 SHA512 b05cec806c2c8fc410bf9c7a30e3ad1d9f1c06fd2d501a7e5434010f6bb38722aac5b64de9b4285d2c71cacbf6b2f3c758685da5a70c05621df52879eb5148c2
diff --git a/net-firewall/firehol/firehol-3.1.6-r3.ebuild b/net-firewall/firehol/firehol-3.1.6-r3.ebuild deleted file mode 100644 index d68ed4f8bcc6..000000000000 --- a/net-firewall/firehol/firehol-3.1.6-r3.ebuild +++ /dev/null @@ -1,67 +0,0 @@ -# Copyright 1999-2022 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=7 - -inherit linux-info - -DESCRIPTION="iptables firewall generator" -HOMEPAGE="https://firehol.org/ https://github.com/firehol/firehol" -SRC_URI="https://github.com/firehol/firehol/releases/download/v${PV}/${P}.tar.xz" - -LICENSE="GPL-2" -SLOT="0" -IUSE="doc ipv6 ipset" -KEYWORDS="amd64 arm ~arm64 ~ppc ~x86" - -RDEPEND="net-firewall/iptables - sys-apps/iproute2[-minimal,ipv6(+)?] - sys-apps/kmod[tools] - net-misc/iputils[ipv6(+)?] - net-misc/iprange - net-analyzer/traceroute - app-arch/gzip - ipset? ( - net-firewall/ipset - )" -DEPEND="${RDEPEND}" - -pkg_setup() { - local CONFIG_CHECK=" \ - ~IP_NF_FILTER \ - ~IP_NF_IPTABLES \ - ~IP_NF_MANGLE \ - ~IP_NF_TARGET_MASQUERADE - ~IP_NF_TARGET_REDIRECT \ - ~IP_NF_TARGET_REJECT \ - ~NETFILTER_XT_CONNMARK \ - ~NETFILTER_XT_MATCH_HELPER \ - ~NETFILTER_XT_MATCH_LIMIT \ - ~NETFILTER_XT_MATCH_OWNER \ - ~NETFILTER_XT_MATCH_STATE \ - ~NF_CONNTRACK \ - ~NF_CONNTRACK_IPV4 \ - ~NF_CONNTRACK_MARK \ - ~NF_NAT \ - ~NF_NAT_FTP \ - ~NF_NAT_IRC \ - " - linux-info_pkg_setup -} - -src_configure() { - econf \ - --disable-vnetbuild \ - $(use_enable ipset update-ipsets) \ - $(use_enable doc) \ - $(use_enable ipv6) -} - -src_install() { - default - - newconfd "${FILESDIR}"/firehol.confd firehol - newinitd "${FILESDIR}"/firehol.initd firehol - newconfd "${FILESDIR}"/fireqos.confd fireqos - newinitd "${FILESDIR}"/fireqos.initd fireqos -} diff --git a/net-firewall/firehol/firehol-3.1.7-r2.ebuild b/net-firewall/firehol/firehol-3.1.7-r2.ebuild index f750bfab3a7b..701ca0742f2f 100644 --- a/net-firewall/firehol/firehol-3.1.7-r2.ebuild +++ b/net-firewall/firehol/firehol-3.1.7-r2.ebuild 
@@ -1,4 +1,4 @@ -# Copyright 1999-2022 Gentoo Authors +# Copyright 1999-2024 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=8 @@ -12,7 +12,7 @@ SRC_URI="https://github.com/firehol/firehol/releases/download/v${PV}/${P}.tar.xz LICENSE="GPL-2" SLOT="0" IUSE="doc ipv6 ipset" -KEYWORDS="~amd64 ~arm ~arm64 ~ppc ~x86" +KEYWORDS="amd64 arm ~arm64 ~ppc ~x86" # Set the dependency versions to aid cross-compiling. Keep them at their # minimums as the configure script merely checks whether they are sufficient. @@ -46,12 +46,16 @@ pkg_setup() { ~NETFILTER_XT_MATCH_OWNER \ ~NETFILTER_XT_MATCH_STATE \ ~NF_CONNTRACK \ - ~NF_CONNTRACK_IPV4 \ ~NF_CONNTRACK_MARK \ ~NF_NAT \ ~NF_NAT_FTP \ ~NF_NAT_IRC \ " + + if kernel_is -lt 4 19; then + CONFIG_CHECK+=" ~NF_CONNTRACK_IPV4" + fi + linux-info_pkg_setup } diff --git a/net-firewall/firewalld/Manifest b/net-firewall/firewalld/Manifest index c4e167cba6f3..303a9b9e7af9 100644 --- a/net-firewall/firewalld/Manifest +++ b/net-firewall/firewalld/Manifest 
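Review bot: The new `if kernel_is -lt 4 19; then` block in pkg_setup() gives no reason for the version threshold, while the firewalld ebuild further down in this same diff explains the identical guard with `# kernel >= 4.19 has a unified NF_CONNTRACK module, bug #692944`. The same comment belongs directly above this `if` so a maintainer knows why `~NF_CONNTRACK_IPV4` was moved out of the main list and when the branch can be dropped. pkg_setup() starts before this hunk, so the rest of the CONFIG_CHECK list is not visible here.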
@@ -1,3 +1,3 @@
-DIST firewalld-2.1.1.tar.bz2 1315222 BLAKE2B 064abfae1f2f1c5a63bbbbbec3357aa6e63936818fa2020ca882d1b834736b3735a32b0ab318e6de78b6f785cb4da0ee4e299956c922d9dbf6e7bd442e9bb2d6 SHA512 383e5ea3d451a28241e5a76f8d0efeeb8319663bdc5f680b68c5156ddb5145fac766a9ee9521c4af27b1df82861ca6f68ee81c0588b1dd6c4f6d4e4f5ca8fee1
 DIST firewalld-2.2.1.tar.bz2 1295501 BLAKE2B fc7bb401895bc39c34ec585468bdcc1b3c3f8eeb35c786c0cf7d886f456c99840107db73e8f611a7d7ab1db1408c6dc349a3d5eee2fbd1e624fe06dd8a558d91 SHA512 08117be01a25a8e263cf419d7b01a98c80b53108af68f6cfc1d900692e6124c37b9dd6feaf4bc3c6e3f27958a9ee45b9795c7f5a9250eb644b6e903f97672c8a
 DIST firewalld-2.2.3.tar.bz2 1310686 BLAKE2B dba517166e1588195ac76123503a2526ffa6c7bd884953ba7ec2806f9ef3a93a879936e48e0d5b638c6e3e888b558757989f8035106cc103eab92d72d8a077be SHA512 e1b1d5fc372359ecbbc074be15e8a9dc4e39836545d5a1364f05deb07eb6e43505eb37589a7b0fb5f3115e3ed3fbc58efe447e2d5b0dcc716a66903c63df824b
+DIST firewalld-2.3.0.tar.bz2 1307839 BLAKE2B f986af940841d7982c44ef5d7df9758f8b8f0e2bd511c61dc358d21e2d272ddc510571bcbdd6c7e47d0bd1ee6250240445094b30945c8de695007c1eb24ed642 SHA512 9a0fe1098c8bbb63bc4af04f56b7810d3d4e94be4247574daba64fb7a344488053f80426b7422c3a4620a54fee69a4264e1b0d66580757aac29aa65d723007c5
diff --git a/net-firewall/firewalld/files/firewalld-systemd-service.patch b/net-firewall/firewalld/files/firewalld-systemd-service.patch
deleted file mode 100644
index 66f4c730b66f..000000000000
--- a/net-firewall/firewalld/files/firewalld-systemd-service.patch
+++ /dev/null
@@ -1,19 +0,0 @@ -Drops the/an obsolete 'conflicts' line with old iptables services bug #833506 -Removes EnvironmentFile and FIREWALLD_ARGS variable -=================================================================== ---- a/config/firewalld.service.in -+++ b/config/firewalld.service.in -@@ -4,12 +4,10 @@ - Wants=network-pre.target - After=dbus.service - After=polkit.service --Conflicts=iptables.service ip6tables.service ebtables.service ipset.service nftables.service - Documentation=man:firewalld(1) - - [Service] --EnvironmentFile=-/etc/sysconfig/firewalld --ExecStart=@sbindir@/firewalld --nofork --nopid $FIREWALLD_ARGS -+ExecStart=@sbindir@/firewalld --nofork --nopid - ExecReload=/bin/kill -HUP $MAINPID - # supress to log debug and error output also to /var/log/messages - StandardOutput=null diff --git a/net-firewall/firewalld/firewalld-2.2.1-r1.ebuild b/net-firewall/firewalld/firewalld-2.2.1-r1.ebuild index 4a115f5bf943..5b38b6e28baa 100644 --- a/net-firewall/firewalld/firewalld-2.2.1-r1.ebuild +++ b/net-firewall/firewalld/firewalld-2.2.1-r1.ebuild @@ -28,7 +28,7 @@ RDEPEND=" >=net-firewall/nftables-0.9.4[python,json,${PYTHON_USEDEP}] gui? ( x11-libs/gtk+:3 - dev-python/PyQt6[gui,widgets,${PYTHON_USEDEP}] + dev-python/pyqt6[gui,widgets,${PYTHON_USEDEP}] ) ') net-firewall/nftables[xtables(+)] diff --git a/net-firewall/firewalld/firewalld-2.2.3.ebuild b/net-firewall/firewalld/firewalld-2.2.3.ebuild index d08a06d0215c..5b38b6e28baa 100644 --- a/net-firewall/firewalld/firewalld-2.2.3.ebuild +++ b/net-firewall/firewalld/firewalld-2.2.3.ebuild @@ -13,7 +13,7 @@ SRC_URI="https://github.com/firewalld/firewalld/releases/download/v${PV}/${P}.ta LICENSE="GPL-2+" SLOT="0" -KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~riscv ~x86" +KEYWORDS="amd64 arm arm64 ppc64 ~riscv x86" IUSE="gui selinux test" # Tests are too unreliable in sandbox environment RESTRICT="!test? ( test ) test" 
@@ -28,7 +28,7 @@ RDEPEND="
 >=net-firewall/nftables-0.9.4[python,json,${PYTHON_USEDEP}]
 gui? (
 x11-libs/gtk+:3
- dev-python/PyQt6[gui,widgets,${PYTHON_USEDEP}]
+ dev-python/pyqt6[gui,widgets,${PYTHON_USEDEP}]
 )
 ')
 net-firewall/nftables[xtables(+)]
diff --git a/net-firewall/firewalld/firewalld-2.1.1-r5.ebuild b/net-firewall/firewalld/firewalld-2.3.0.ebuild
index e1ff652b6c61..bbb543d6a9f1 100644
--- a/net-firewall/firewalld/firewalld-2.1.1-r5.ebuild
+++ b/net-firewall/firewalld/firewalld-2.3.0.ebuild
@@ -1,9 +1,9 @@
-# Copyright 1999-2024 Gentoo Authors
+# Copyright 1999-2025 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 EAPI=8
-PYTHON_COMPAT=( python3_{10..12} )
+PYTHON_COMPAT=( python3_{10..13} )
 inherit bash-completion-r1 gnome2-utils linux-info optfeature
 inherit plocale python-single-r1 systemd xdg-utils
@@ -14,7 +14,7 @@ SRC_URI="https://github.com/firewalld/firewalld/releases/download/v${PV}/${P}.ta
 LICENSE="GPL-2+"
 SLOT="0"
 KEYWORDS="amd64 arm arm64 ~loong ppc64 ~riscv x86"
-IUSE="gui +nftables +iptables selinux test"
+IUSE="gui selinux test"
 # Tests are too unreliable in sandbox environment
 RESTRICT="!test? ( test ) test"
 REQUIRED_USE="${PYTHON_REQUIRED_USE}"
@@ -25,18 +25,13 @@ RDEPEND="
 $(python_gen_cond_dep '
 dev-python/dbus-python[${PYTHON_USEDEP}]
 dev-python/pygobject:3[${PYTHON_USEDEP}]
+ >=net-firewall/nftables-0.9.4[python,json,${PYTHON_USEDEP}]
 gui? (
 x11-libs/gtk+:3
- dev-python/PyQt5[gui,widgets,${PYTHON_USEDEP}]
+ dev-python/pyqt6[gui,widgets,${PYTHON_USEDEP}]
 )
- nftables? ( >=net-firewall/nftables-0.9.4[python,json] )
 ')
- iptables? (
- net-firewall/iptables[ipv6(+)]
- net-firewall/ebtables
- net-firewall/ipset
- nftables? ( net-firewall/nftables[xtables(+)] )
- )
+ net-firewall/nftables[xtables(+)]
 selinux? ( sec-policy/selinux-firewalld )
 "
 DEPEND="
@@ -57,92 +52,94 @@ QA_AM_MAINTAINER_MODE=".*--run autom4te --language=autotest.*" PLOCALES="ar as ast bg bn_IN ca cs da de el en_GB en_US es et eu fa fi fr gl gu hi hr hu ia id it ja ka kn ko lt ml mr nl or pa pl pt pt_BR ro ru si sk sl sq sr sr@latin sv ta te tr uk zh_CN zh_TW" PATCHES=( - "${FILESDIR}"/${PN}-systemd-service.patch + "${FILESDIR}"/${PN}-2.2.1-systemd-service.patch ) pkg_setup() { # See bug #830132 for the huge list # We can probably narrow it down a bit but it's rather fragile - local CONFIG_CHECK="~NF_CONNTRACK ~NETFILTER_XT_MATCH_CONNTRACK - ~NETFILTER - ~NETFILTER_ADVANCED - ~NETFILTER_INGRESS - ~NF_NAT_MASQUERADE - ~NF_NAT_REDIRECT - ~NF_TABLES_INET - ~NF_TABLES_IPV4 - ~NF_TABLES_IPV6 - ~NF_CONNTRACK - ~NF_CONNTRACK_BROADCAST - ~NF_CONNTRACK_NETBIOS_NS - ~NF_CONNTRACK_TFTP - ~NF_CT_NETLINK - ~NF_CT_NETLINK_HELPER - ~NF_DEFRAG_IPV4 - ~NF_DEFRAG_IPV6 - ~NF_NAT - ~NF_NAT_TFTP - ~NF_REJECT_IPV4 - ~NF_REJECT_IPV6 - ~NF_SOCKET_IPV4 - ~NF_SOCKET_IPV6 - ~NF_TABLES - ~NF_TPROXY_IPV4 - ~NF_TPROXY_IPV6 - ~IP_NF_FILTER - ~IP_NF_IPTABLES - ~IP_NF_MANGLE - ~IP_NF_NAT - ~IP_NF_RAW - ~IP_NF_SECURITY - ~IP_NF_TARGET_MASQUERADE - ~IP_NF_TARGET_REJECT - ~IP6_NF_FILTER - ~IP6_NF_IPTABLES - ~IP6_NF_MANGLE - ~IP6_NF_NAT - ~IP6_NF_RAW - ~IP6_NF_SECURITY - ~IP6_NF_TARGET_MASQUERADE - ~IP6_NF_TARGET_REJECT - ~IP_SET - ~NETFILTER_CONNCOUNT - ~NETFILTER_NETLINK - ~NETFILTER_NETLINK_OSF - ~NETFILTER_NETLINK_QUEUE - ~NETFILTER_SYNPROXY - ~NETFILTER_XTABLES - ~NETFILTER_XT_CONNMARK - ~NETFILTER_XT_MATCH_CONNTRACK - ~NETFILTER_XT_MATCH_MULTIPORT - ~NETFILTER_XT_MATCH_STATE - ~NETFILTER_XT_NAT - ~NETFILTER_XT_TARGET_MASQUERADE - ~NFT_COMPAT - ~NFT_CT - ~NFT_FIB - ~NFT_FIB_INET - ~NFT_FIB_IPV4 - ~NFT_FIB_IPV6 - ~NFT_HASH - ~NFT_LIMIT - ~NFT_LOG - ~NFT_MASQ - ~NFT_NAT - ~NFT_QUEUE - ~NFT_QUOTA - ~NFT_REDIR - ~NFT_REJECT - ~NFT_REJECT_INET - ~NFT_REJECT_IPV4 - ~NFT_REJECT_IPV6 - ~NFT_SOCKET - ~NFT_SYNPROXY - ~NFT_TPROXY - ~NFT_TUNNEL - ~NFT_XFRM" - - # kernel >= 4.19 has 
unified a NF_CONNTRACK module, bug #692944 + local CONFIG_CHECK=" + ~NF_CONNTRACK ~NETFILTER_XT_MATCH_CONNTRACK + ~NETFILTER + ~NETFILTER_ADVANCED + ~NETFILTER_INGRESS + ~NF_NAT_MASQUERADE + ~NF_NAT_REDIRECT + ~NF_TABLES_INET + ~NF_TABLES_IPV4 + ~NF_TABLES_IPV6 + ~NF_CONNTRACK + ~NF_CONNTRACK_BROADCAST + ~NF_CONNTRACK_NETBIOS_NS + ~NF_CONNTRACK_TFTP + ~NF_CT_NETLINK + ~NF_CT_NETLINK_HELPER + ~NF_DEFRAG_IPV4 + ~NF_DEFRAG_IPV6 + ~NF_NAT + ~NF_NAT_TFTP + ~NF_REJECT_IPV4 + ~NF_REJECT_IPV6 + ~NF_SOCKET_IPV4 + ~NF_SOCKET_IPV6 + ~NF_TABLES + ~NF_TPROXY_IPV4 + ~NF_TPROXY_IPV6 + ~IP_NF_FILTER + ~IP_NF_IPTABLES + ~IP_NF_MANGLE + ~IP_NF_NAT + ~IP_NF_RAW + ~IP_NF_SECURITY + ~IP_NF_TARGET_MASQUERADE + ~IP_NF_TARGET_REJECT + ~IP6_NF_FILTER + ~IP6_NF_IPTABLES + ~IP6_NF_MANGLE + ~IP6_NF_NAT + ~IP6_NF_RAW + ~IP6_NF_SECURITY + ~IP6_NF_TARGET_MASQUERADE + ~IP6_NF_TARGET_REJECT + ~IP_SET + ~NETFILTER_CONNCOUNT + ~NETFILTER_NETLINK + ~NETFILTER_NETLINK_OSF + ~NETFILTER_NETLINK_QUEUE + ~NETFILTER_SYNPROXY + ~NETFILTER_XTABLES + ~NETFILTER_XT_CONNMARK + ~NETFILTER_XT_MATCH_CONNTRACK + ~NETFILTER_XT_MATCH_MULTIPORT + ~NETFILTER_XT_MATCH_STATE + ~NETFILTER_XT_NAT + ~NETFILTER_XT_TARGET_MASQUERADE + ~NFT_COMPAT + ~NFT_CT + ~NFT_FIB + ~NFT_FIB_INET + ~NFT_FIB_IPV4 + ~NFT_FIB_IPV6 + ~NFT_HASH + ~NFT_LIMIT + ~NFT_LOG + ~NFT_MASQ + ~NFT_NAT + ~NFT_QUEUE + ~NFT_QUOTA + ~NFT_REDIR + ~NFT_REJECT + ~NFT_REJECT_INET + ~NFT_REJECT_IPV4 + ~NFT_REJECT_IPV6 + ~NFT_SOCKET + ~NFT_SYNPROXY + ~NFT_TPROXY + ~NFT_TUNNEL + ~NFT_XFRM + " + + # kernel >= 4.19 has a unified NF_CONNTRACK module, bug #692944 if kernel_is -lt 4 19; then CONFIG_CHECK+=" ~NF_CONNTRACK_IPV4 ~NF_CONNTRACK_IPV6" fi 
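Review bot: The rewritten CONFIG_CHECK list still carries duplicates: `~NF_CONNTRACK` and `~NETFILTER_XT_MATCH_CONNTRACK` both sit on the first line and appear again further down (`~NF_CONNTRACK` right after `~NF_TABLES_IPV6`, `~NETFILTER_XT_MATCH_CONNTRACK` right after `~NETFILTER_XT_CONNMARK`). Since this hunk already re-indents every entry, it is the natural place to drop the first line's pair so the list reads as one option per line with no repeats. Duplicates are harmless to linux-info's check, but they make a list the comment above already calls fragile harder to audit against bug #830132. pkg_setup() closes after this hunk, so its remaining lines are not visible here.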
@@ -177,13 +174,6 @@ src_configure() {
 local myeconfargs=(
 --enable-systemd
- $(use_with iptables iptables "${EPREFIX}/sbin/iptables")
- $(use_with iptables iptables_restore "${EPREFIX}/sbin/iptables-restore")
- $(use_with iptables ip6tables "${EPREFIX}/sbin/ip6tables")
- $(use_with iptables ip6tables_restore "${EPREFIX}/sbin/ip6tables-restore")
- $(use_with iptables ebtables "${EPREFIX}/sbin/ebtables")
- $(use_with iptables ebtables_restore "${EPREFIX}/sbin/ebtables-restore")
- $(use_with iptables ipset "${EPREFIX}/usr/sbin/ipset")
 --with-systemd-unitdir="$(systemd_get_systemunitdir)"
 --with-bashcompletiondir="$(get_bashcompdir)"
 )
@@ -196,15 +186,15 @@ src_install() {
 python_optimize
 # Get rid of junk
- rm -rf "${D}/etc/sysconfig/" || die
+ rm -rf "${ED}"/etc/sysconfig/ || die
 # For non-gui installs we need to remove GUI bits
 if ! use gui; then
- rm -rf "${D}/etc/xdg/autostart" || die
- rm -f "${D}/usr/bin/firewall-applet" || die
- rm -f "${D}/usr/bin/firewall-config" || die
- rm -rf "${D}/usr/share/applications" || die
- rm -rf "${D}/usr/share/icons" || die
+ rm -rf "${ED}"/etc/xdg/autostart || die
+ rm -f "${ED}"/usr/bin/firewall-applet || die
+ rm -f "${ED}"/usr/bin/firewall-config || die
+ rm -rf "${ED}"/usr/share/applications || die
+ rm -rf "${ED}"/usr/share/icons || die
 fi
 newinitd "${FILESDIR}"/firewalld.init firewalld
diff --git a/net-firewall/firewalld/metadata.xml b/net-firewall/firewalld/metadata.xml
index 79917d81993e..d9b61b18aba8 100644
--- a/net-firewall/firewalld/metadata.xml
+++ b/net-firewall/firewalld/metadata.xml
@@ -9,10 +9,6 @@
 <email>sam@gentoo.org</email>
 <name>Sam James</name>
 </maintainer>
- <use>
- <flag name="nftables">Add support for <pkg>net-firewall/nftables</pkg> as firewall backend</flag>
- <flag name="iptables">Add support for <pkg>net-firewall/iptables</pkg> as firewall backend</flag>
- </use>
 <upstream>
 <remote-id type="github">firewalld/firewalld</remote-id>
 </upstream>
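Review bot: Dropping the seven `$(use_with iptables …)` lines from myeconfargs leaves firewalld's configure with its own defaults for the iptables, ip6tables, ebtables and ipset paths, whereas the removed lines pinned them to `${EPREFIX}/sbin` and `${EPREFIX}/usr/sbin`. The RDEPEND hunk earlier still pulls in `net-firewall/nftables[xtables(+)]`, which suggests the xtables-nft wrappers may still be invoked, so it is worth confirming that configure's defaults match where Gentoo installs those binaries (the iptables ebuilds in this same diff use `--sbindir="${EPREFIX}/sbin"`). If they match, a one-line comment above `--enable-systemd` such as `# nftables is the only backend; xtables tool paths use configure's defaults` records the decision; if they do not, the `--with-*` options should stay, now unconditionally. src_configure() starts and ends outside this hunk.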
diff --git a/net-firewall/ipset/Manifest b/net-firewall/ipset/Manifest
index f66331f135e0..afca750b4594 100644
--- a/net-firewall/ipset/Manifest
+++ b/net-firewall/ipset/Manifest
@@ -1 +1 @@
-DIST ipset-7.22.tar.bz2 694069 BLAKE2B 9daaff54adb6f9daf69cd7dabbd9134d8fcf8cd7f8ef0c52296961579ad3c8202087158a01664228eff70356ba97f77ec61abbab7c7ce323112fbdc32abd661b SHA512 e375a9110eb7974480147c57eb2cff4bdd03c7704cdae006a3d254cc80fada587aa8aee25a86f7cab29db83f5e283c5f9a47a314297317660ebba5097f623d79
+DIST ipset-7.23.tar.bz2 695655 BLAKE2B a596630d12a8bcc1383475627e5e62b7be4c17570ae9d3650b9dbcac0ec46324e1ac7c0e7e11f674fb5354871538f6f15e57476ac752b1ac1415023d837904e6 SHA512 5a43c790abf157a55db5a9a22cb5f28a225f5c7969beda81566a2259aa82c9d852979eb805b11b4347f47c6a0c2cc4de6f14e4733bee5b562844422a45fb9dab
diff --git a/net-firewall/ipset/files/ipset-7.22-argv-bounds.patch b/net-firewall/ipset/files/ipset-7.22-argv-bounds.patch
deleted file mode 100644
index 07d18303642e..000000000000
--- a/net-firewall/ipset/files/ipset-7.22-argv-bounds.patch
+++ /dev/null
@@ -1,36 +0,0 @@ -https://git.netfilter.org/ipset/commit/?id=851cb04ffee5040f1e0063f77c3fe9bc6245e0fb - -From 851cb04ffee5040f1e0063f77c3fe9bc6245e0fb Mon Sep 17 00:00:00 2001 -From: Phil Sutter <phil@nwl.cc> -Date: Thu, 27 Jun 2024 10:18:17 +0200 -Subject: lib: ipset: Avoid 'argv' array overstepping - -The maximum accepted value for 'argc' is MAX_ARGS which matches 'argv' -array size. The maximum allowed array index is therefore argc-1. - -This fix will leave items in argv non-NULL-terminated, so explicitly -NULL the formerly last entry after shifting. - -Looks like a day-1 bug. Interestingly, this neither triggered ASAN nor -valgrind. Yet adding debug output printing argv entries being copied -did. - -Fixes: 1e6e8bd9a62aa ("Third stage to ipset-5") -Signed-off-by: Phil Sutter <phil@nwl.cc> -Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org> ---- a/lib/ipset.c -+++ b/lib/ipset.c -@@ -343,9 +343,9 @@ ipset_shift_argv(int *argc, char *argv[], int from) - - assert(*argc >= from + 1); - -- for (i = from + 1; i <= *argc; i++) -+ for (i = from + 1; i < *argc; i++) - argv[i-1] = argv[i]; -- (*argc)--; -+ argv[--(*argc)] = NULL; - return; - } - --- -cgit v1.2.3 diff --git a/net-firewall/ipset/files/ipset-7.22-asan-buffer-overflow.patch b/net-firewall/ipset/files/ipset-7.22-asan-buffer-overflow.patch deleted file mode 100644 index 56d126db5efa..000000000000 --- a/net-firewall/ipset/files/ipset-7.22-asan-buffer-overflow.patch +++ /dev/null 
@@ -1,52 +0,0 @@ -https://git.netfilter.org/ipset/commit/?id=f1bcacf5eeb8620ea684524e1ce9c3951a77f1f9 - -From f1bcacf5eeb8620ea684524e1ce9c3951a77f1f9 Mon Sep 17 00:00:00 2001 -From: Phil Sutter <phil@nwl.cc> -Date: Thu, 27 Jun 2024 10:18:16 +0200 -Subject: lib: data: Fix for global-buffer-overflow warning by ASAN - -After compiling with CFLAGS="-fsanitize=address -g", running the -testsuite triggers the following warning: - -| ipmap: Range: Check syntax error: missing range/from-to: FAILED -| Failed test: ../src/ipset 2>.foo.err -N test ipmap -| ================================================================= -| ==4204==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55a21e77172a at pc 0x7f1ef246f2a6 bp 0x7fffed8f4f40 sp 0x7fffed8f46e8 -| READ of size 32 at 0x55a21e77172a thread T0 -| #0 0x7f1ef246f2a5 in __interceptor_memcpy /var/tmp/portage/sys-devel/gcc-13.2.1_p20231014/work/gcc-13-20231014/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:899 -| #1 0x55a21e758bf6 in ipset_strlcpy /home/n0-1/git/ipset/lib/data.c:119 -| #2 0x55a21e758bf6 in ipset_data_set /home/n0-1/git/ipset/lib/data.c:349 -| #3 0x55a21e75ee2f in ipset_parse_typename /home/n0-1/git/ipset/lib/parse.c:1819 -| #4 0x55a21e754119 in ipset_parser /home/n0-1/git/ipset/lib/ipset.c:1205 -| #5 0x55a21e752cef in ipset_parse_argv /home/n0-1/git/ipset/lib/ipset.c:1344 -| #6 0x55a21e74ea45 in main /home/n0-1/git/ipset/src/ipset.c:38 -| #7 0x7f1ef224cf09 (/lib64/libc.so.6+0x23f09) -| #8 0x7f1ef224cfc4 in __libc_start_main (/lib64/libc.so.6+0x23fc4) -| #9 0x55a21e74f040 in _start (/home/n0-1/git/ipset/src/ipset+0x1d040) -| -| 0x55a21e77172a is located 54 bytes before global variable '*.LC1' defined in 'ipset_bitmap_ip.c' (0x55a21e771760) of size 19 -| '*.LC1' is ascii string 'IP|IP/CIDR|FROM-TO' -| 0x55a21e77172a is located 0 bytes after global variable '*.LC0' defined in 'ipset_bitmap_ip.c' (0x55a21e771720) of size 10 -| '*.LC0' is ascii string 'bitmap:ip' - -Fix this by avoiding 
'src' array overstep in ipset_strlcpy(): In -contrast to strncpy(), memcpy() does not respect NUL-chars in input but -stubbornly reads as many bytes as specified. - -Fixes: a7432ba786ca4 ("Workaround misleading -Wstringop-truncation warning") -Signed-off-by: Phil Sutter <phil@nwl.cc> -Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org> ---- a/lib/data.c -+++ b/lib/data.c -@@ -111,6 +111,9 @@ ipset_strlcpy(char *dst, const char *src, size_t len) - assert(dst); - assert(src); - -+ if (strlen(src) < len) -+ len = strlen(src) + 1; -+ - memcpy(dst, src, len); - dst[len - 1] = '\0'; - } --- -cgit v1.2.3 diff --git a/net-firewall/ipset/files/ipset-7.22-fix-building-on-musl.patch b/net-firewall/ipset/files/ipset-7.22-fix-building-on-musl.patch deleted file mode 100644 index 7a77aa952869..000000000000 --- a/net-firewall/ipset/files/ipset-7.22-fix-building-on-musl.patch +++ /dev/null @@ -1,10 +0,0 @@ ---- a/src/ipset.c 2024-08-30 14:21:19.201863069 +0000 -+++ b/src/ipset.c 2024-08-30 14:21:52.525571560 +0000 -@@ -15,6 +15,7 @@ - #include <config.h> - #include <libipset/ipset.h> /* ipset library */ - #include <libipset/xlate.h> /* translate to nftables */ -+#include <libgen.h> - - int - main(int argc, char *argv[]) diff --git a/net-firewall/ipset/ipset-7.22-r2.ebuild b/net-firewall/ipset/ipset-7.23.ebuild index affe9147840d..431969f5d7cd 100644 --- a/net-firewall/ipset/ipset-7.22-r2.ebuild +++ b/net-firewall/ipset/ipset-7.23.ebuild @@ -1,4 +1,4 @@ -# Copyright 1999-2024 Gentoo Authors +# Copyright 1999-2025 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=8 
@@ -26,12 +26,7 @@ DOCS=( ChangeLog INSTALL README UPGRADE )
 # configurable from outside, e.g. /etc/portage/make.conf
 IP_NF_SET_MAX=${IP_NF_SET_MAX:-256}
-PATCHES=(
- "${FILESDIR}/${PN}-bash-completion.patch"
- "${FILESDIR}/${P}-asan-buffer-overflow.patch"
- "${FILESDIR}/${P}-argv-bounds.patch"
- "${FILESDIR}/${P}-fix-building-on-musl.patch"
-)
+PATCHES=( "${FILESDIR}/${PN}-bash-completion.patch")
 src_prepare() {
 default
diff --git a/net-firewall/iptables/Manifest b/net-firewall/iptables/Manifest
index 2de1a22873c0..b09d48227e0b 100644
--- a/net-firewall/iptables/Manifest
+++ b/net-firewall/iptables/Manifest
@@ -1,2 +1,3 @@
 DIST iptables-1.8.10.tar.xz 641168 BLAKE2B 417b33fcfc7edeba169caef26ed0322798f6b82500840509f6c10b97b4ef3f11932c0393fc8dcc5946264442bf8ee959a594b6fbd5dc92012cfad30edf130520 SHA512 71e6ed2260859157d61981a4fe5039dc9e8d7da885a626a4b5dae8164c509a9d9f874286b9468bb6a462d6e259d4d32d5967777ecefdd8a293011ae80c00f153
+DIST iptables-1.8.11.tar.xz 649284 BLAKE2B 82daca3940e253f6fda7cf5b3332488c31391ff66c0112c0cae2645ab61918f81e6028ea2b1e1385f21e4c5ff8cd64cba31072a2417a2ab696fe1c6b5464cea1 SHA512 4937020bf52d57a45b76e1eba125214a2f4531de52ff1d15185faeef8bea0cd90eb77f99f81baa573944aa122f350a7198cef41d70594e1b65514784addbcc40
 DIST iptables-1.8.9.tar.xz 637848 BLAKE2B 37ba80be0ee7049c4d3ee5689b273b4d2cc6e6fb9ebb297e86976b5750f987f2ae4536013fe1749ae79b6989c241eaece3202019fafd47d842c7a4fe3e5093b1 SHA512 e367bf286135e39b7401e852de25c1ed06d44befdffd92ed1566eb2ae9704b48ac9196cb971f43c6c83c6ad4d910443d32064bcdf618cfcef6bcab113e31ff70
diff --git a/net-firewall/iptables/files/iptables-r4.init b/net-firewall/iptables/files/iptables-r4.init
new file mode 100644
index 000000000000..e3b38b30e42c
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-r4.init
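Review bot: The collapsed `PATCHES=( "${FILESDIR}/${PN}-bash-completion.patch")` is missing the space before the closing parenthesis that matches its opening `( "`; `PATCHES=( "${FILESDIR}/${PN}-bash-completion.patch" )` keeps the array style consistent with the block it replaces. Two of the three patches dropped here are memory-safety fixes (the argv overstep in lib/ipset.c and the ipset_strlcpy over-read in lib/data.c, per the deleted patch headers earlier in this diff), so the commit should state that 7.23 carries them upstream; that cannot be confirmed from the diff alone. src_prepare() begins at the end of this hunk and continues outside it.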
@@ -0,0 +1,167 @@ +#!/sbin/openrc-run +# Copyright 1999-2022 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +extra_commands="check save panic" +extra_started_commands="reload" + +iptables_lock_wait_time=${IPTABLES_LOCK_WAIT_TIME:-"60"} +iptables_lock_wait_interval=${IPTABLES_LOCK_WAIT_INTERVAL:-"1000"} + +iptables_name=${SVCNAME} +case ${iptables_name} in + iptables|ip6tables) ;; + *) iptables_name="iptables" ;; +esac + +iptables_bin="/sbin/${iptables_name}" +case ${iptables_name} in + iptables) iptables_proc="/proc/net/ip_tables_names" + iptables_save=${IPTABLES_SAVE};; + ip6tables) iptables_proc="/proc/net/ip6_tables_names" + iptables_save=${IP6TABLES_SAVE};; +esac + +depend() { + need localmount #434774 + before net +} + +set_table_policy() { + local has_errors=0 chains table=$1 policy=$2 + case ${table} in + nat) chains="PREROUTING POSTROUTING OUTPUT";; + mangle) chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING";; + filter) chains="INPUT FORWARD OUTPUT";; + *) chains="";; + esac + + local chain + for chain in ${chains} ; do + ${iptables_bin} --wait ${iptables_lock_wait_time} -t ${table} -P ${chain} ${policy} + [ $? -ne 0 ] && has_errors=1 + done + + return ${has_errors} +} + +checkkernel() { + if [ ! -e ${iptables_proc} ] ; then + eerror "Your kernel lacks ${iptables_name} support, please load" + eerror "appropriate modules and try again." + return 1 + fi + return 0 +} + +checkconfig() { + if [ -z "${iptables_save}" -o ! -f "${iptables_save}" ] ; then + eerror "Not starting ${iptables_name}. First create some rules then run:" + eerror "/etc/init.d/${iptables_name} save" + return 1 + fi + return 0 +} + +start_pre() { + checkconfig || return 1 +} + +start() { + ebegin "Loading ${iptables_name} state and starting firewall" + ${iptables_bin}-restore --wait ${iptables_lock_wait_time} ${SAVE_RESTORE_OPTIONS} < "${iptables_save}" + eend $? 
+} + +stop_pre() { + checkkernel || return 1 +} + +stop() { + if [ "${SAVE_ON_STOP}" = "yes" ] ; then + save || return 1 + fi + + ebegin "Stopping firewall" + local has_errors=0 a + for a in $(cat ${iptables_proc}) ; do + set_table_policy $a ACCEPT + [ $? -ne 0 ] && has_errors=1 + + ${iptables_bin} --wait ${iptables_lock_wait_time} -F -t $a + [ $? -ne 0 ] && has_errors=1 + + ${iptables_bin} --wait ${iptables_lock_wait_time} -X -t $a + [ $? -ne 0 ] && has_errors=1 + done + eend ${has_errors} +} + +reload() { + checkkernel || return 1 + checkrules || return 1 + local has_errors=0 a flushed=0 + for a in $(cat ${iptables_proc}) ; do + if ! grep -q "^\*${a}$" "${iptables_save}" ; then + [ $flushed -eq 0 ] && ebegin "Flushing firewall" && flushed=1 + ${iptables_bin} --wait ${iptables_lock_wait_time} -F -t $a + [ $? -ne 0 ] && has_errors=1 + + ${iptables_bin} --wait ${iptables_lock_wait_time} -X -t $a + [ $? -ne 0 ] && has_errors=1 + fi + done + eend ${has_errors} + + start +} + +checkrules() { + ebegin "Checking rules" + ${iptables_bin}-restore --test ${SAVE_RESTORE_OPTIONS} < "${iptables_save}" + eend $? +} + +check() { + # Short name for users of init.d script. + checkrules +} + +save() { + ebegin "Saving ${iptables_name} state" + checkpath -q -d "$(dirname "${iptables_save}")" + checkpath -q -m 0600 -f "${iptables_save}" + ${iptables_bin}-save ${SAVE_RESTORE_OPTIONS} > "${iptables_save}" + eend $? +} + +panic() { + # use iptables autoload capability to load at least all required + # modules and filter table + ${iptables_bin} --wait ${iptables_lock_wait_time} -S >/dev/null + if [ $? -ne 0 ] ; then + eerror "${iptables_bin} failed to load" + return 1 + fi + + if service_started ${iptables_name}; then + rc-service ${iptables_name} stop + fi + + local has_errors=0 a + ebegin "Dropping all packets" + for a in $(cat ${iptables_proc}) ; do + ${iptables_bin} --wait ${iptables_lock_wait_time} -F -t $a + [ $? 
-ne 0 ] && has_errors=1 + + ${iptables_bin} --wait ${iptables_lock_wait_time} -X -t $a + [ $? -ne 0 ] && has_errors=1 + + if [ "${a}" != "nat" ]; then + # The "nat" table is not intended for filtering, the use of DROP is therefore inhibited. + set_table_policy $a DROP + [ $? -ne 0 ] && has_errors=1 + fi + done + eend ${has_errors} +} diff --git a/net-firewall/iptables/iptables-1.8.11-r1.ebuild b/net-firewall/iptables/iptables-1.8.11-r1.ebuild new file mode 100644 index 000000000000..eeb7878289e6 --- /dev/null +++ b/net-firewall/iptables/iptables-1.8.11-r1.ebuild 
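Review bot: `iptables_lock_wait_interval` is read from IPTABLES_LOCK_WAIT_INTERVAL near the top of the script but is never used; every iptables invocation in the file passes only `--wait ${iptables_lock_wait_time}`. Either drop the variable or pass it through, e.g. `${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -t ${table} -P ${chain} ${policy}` in set_table_policy() and the equivalent at the other call sites, assuming the installed iptables accepts `--wait-interval`. Separately, checkconfig()'s `[ -z "${iptables_save}" -o ! -f "${iptables_save}" ]` relies on the obsolescent `-o` binary operator; `[ -z "${iptables_save}" ] || [ ! -f "${iptables_save}" ]` is the portable form. The bare `#434774` in depend() would read better as `# bug #434774`, matching the `Bug #647458` style used in the ebuilds of this same diff.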
@@ -0,0 +1,176 @@ +# Copyright 1999-2025 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +inherit systemd toolchain-funcs autotools flag-o-matic + +DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools" +HOMEPAGE="https://www.netfilter.org/projects/iptables/" +SRC_URI="https://www.netfilter.org/projects/iptables/files/${P}.tar.xz" + +LICENSE="GPL-2" +# Subslot reflects PV when libxtables and/or libip*tc was changed +# the last time. +SLOT="0/1.8.3" +KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86" +IUSE="conntrack netlink nftables pcap static-libs test" +RESTRICT="!test? ( test )" +# TODO: skip tests needing nftables if no xtables-nft-multi (bug #890628) +REQUIRED_USE="test? ( conntrack nftables )" + +COMMON_DEPEND=" + conntrack? ( >=net-libs/libnetfilter_conntrack-1.0.6 ) + netlink? ( net-libs/libnfnetlink ) + nftables? ( + >=net-libs/libmnl-1.0:= + >=net-libs/libnftnl-1.2.6:= + ) + pcap? ( net-libs/libpcap ) +" +DEPEND=" + ${COMMON_DEPEND} + virtual/os-headers + >=sys-kernel/linux-headers-4.4:0 +" +BDEPEND=" + virtual/pkgconfig + nftables? ( + app-alternatives/lex + app-alternatives/yacc + ) +" +RDEPEND=" + ${COMMON_DEPEND} + nftables? 
( net-misc/ethertypes ) + !<net-firewall/ebtables-2.0.11-r1 + !<net-firewall/arptables-0.0.5-r1 +" +IDEPEND=">=app-eselect/eselect-iptables-20220320" + +PATCHES=( + "${FILESDIR}"/${PN}-1.8.4-no-symlinks.patch +) + +src_prepare() { + # Use the saner headers from the kernel + rm include/linux/{kernel,types}.h || die + + default + eautoreconf +} + +src_configure() { + # Some libs use $(AR) rather than libtool to build, bug #444282 + tc-export AR + + # Hack around struct mismatches between userland & kernel for some ABIs + # bug #472388 + use amd64 && [[ ${ABI} == "x32" ]] && append-flags -fpack-struct + + local myeconfargs=( + --sbindir="${EPREFIX}/sbin" + --libexecdir="${EPREFIX}/$(get_libdir)" + --enable-devel + --enable-ipv6 + --enable-shared + $(use_enable conntrack connlabel) + $(use_enable nftables) + $(use_enable netlink libnfnetlink) + $(use_enable pcap bpf-compiler) + $(use_enable pcap nfsynproxy) + $(use_enable static-libs static) + ) + + econf "${myeconfargs[@]}" +} + +src_compile() { + emake V=1 +} + +src_install() { + default + + # Managed by eselect-iptables + # https://bugs.gentoo.org/881295 + rm "${ED}/usr/bin/iptables-xml" || die + + dodoc iptables/iptables.xslt + + # All the iptables binaries are in /sbin, so might as well + # put these small files in with them + into / + dosbin iptables/iptables-apply + dosym iptables-apply /sbin/ip6tables-apply + doman iptables/iptables-apply.8 + + insinto /usr/include + doins include/ip{,6}tables.h + insinto /usr/include/iptables + doins include/iptables/internal.h + + keepdir /var/lib/ip{,6}tables + newinitd "${FILESDIR}"/${PN}-r4.init iptables + newconfd "${FILESDIR}"/${PN}-r1.confd iptables + dosym iptables /etc/init.d/ip6tables + newconfd "${FILESDIR}"/ip6tables-r1.confd ip6tables + + if use nftables; then + # Bug #647458 + rm "${ED}"/etc/ethertypes || die + + # Bugs #660886 and #669894 + rm "${ED}"/sbin/{arptables,ebtables}{,-{save,restore}} || die + fi + + systemd_dounit 
"${FILESDIR}"/systemd/ip{,6}tables-{re,}store.service + + find "${ED}" -type f -name "*.la" -delete || die +} + +pkg_postinst() { + local default_iptables="xtables-legacy-multi" + if ! eselect iptables show &>/dev/null; then + elog "Current iptables implementation is unset, setting to ${default_iptables}" + eselect iptables set "${default_iptables}" + fi + + if use nftables; then + local tables + for tables in {arp,eb}tables; do + if ! eselect ${tables} show &>/dev/null; then + elog "Current ${tables} implementation is unset, setting to ${default_iptables}" + eselect ${tables} set xtables-nft-multi + fi + done + fi + + eselect iptables show +} + +pkg_prerm() { + if [[ -z ${REPLACED_BY_VERSION} ]]; then + elog "Unsetting iptables symlinks before removal" + eselect iptables unset + fi + + if ! has_version 'net-firewall/ebtables'; then + elog "Unsetting ebtables symlinks before removal" + eselect ebtables unset + elif [[ -z ${REPLACED_BY_VERSION} ]]; then + elog "Resetting ebtables symlinks to ebtables-legacy" + eselect ebtables set ebtables-legacy + fi + + if ! has_version 'net-firewall/arptables'; then + elog "Unsetting arptables symlinks before removal" + eselect arptables unset + elif [[ -z ${REPLACED_BY_VERSION} ]]; then + elog "Resetting arptables symlinks to arptables-legacy" + eselect arptables set arptables-legacy + fi + + # The eselect module failing should not be fatal + return 0 +} diff --git a/net-firewall/iptables/iptables-1.8.11.ebuild b/net-firewall/iptables/iptables-1.8.11.ebuild new file mode 100644 index 000000000000..ba246b4b175d --- /dev/null +++ b/net-firewall/iptables/iptables-1.8.11.ebuild 
@@ -0,0 +1,176 @@
+# Copyright 1999-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit systemd toolchain-funcs autotools flag-o-matic
+
+DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
+HOMEPAGE="https://www.netfilter.org/projects/iptables/"
+SRC_URI="https://www.netfilter.org/projects/iptables/files/${P}.tar.xz"
+
+LICENSE="GPL-2"
+# Subslot reflects PV when libxtables and/or libip*tc was changed
+# the last time.
+SLOT="0/1.8.3"
+KEYWORDS="~alpha amd64 arm arm64 hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86"
+IUSE="conntrack netlink nftables pcap static-libs test"
+RESTRICT="!test? ( test )"
+# TODO: skip tests needing nftables if no xtables-nft-multi (bug #890628)
+REQUIRED_USE="test? ( conntrack nftables )"
+
+COMMON_DEPEND="
+ conntrack? ( >=net-libs/libnetfilter_conntrack-1.0.6 )
+ netlink? ( net-libs/libnfnetlink )
+ nftables? (
+ >=net-libs/libmnl-1.0:=
+ >=net-libs/libnftnl-1.2.6:=
+ )
+ pcap? ( net-libs/libpcap )
+"
+DEPEND="
+ ${COMMON_DEPEND}
+ virtual/os-headers
+ >=sys-kernel/linux-headers-4.4:0
+"
+BDEPEND="
+ virtual/pkgconfig
+ nftables? (
+ app-alternatives/lex
+ app-alternatives/yacc
+ )
+"
+RDEPEND="
+ ${COMMON_DEPEND}
+ nftables? ( net-misc/ethertypes )
+ !<net-firewall/ebtables-2.0.11-r1
+ !<net-firewall/arptables-0.0.5-r1
+"
+IDEPEND=">=app-eselect/eselect-iptables-20220320"
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-1.8.4-no-symlinks.patch
+)
+
+src_prepare() {
+ # Use the saner headers from the kernel
+ rm include/linux/{kernel,types}.h || die
+
+ default
+ eautoreconf
+}
+
+src_configure() {
+ # Some libs use $(AR) rather than libtool to build, bug #444282
+ tc-export AR
+
+ # Hack around struct mismatches between userland & kernel for some ABIs
+ # bug #472388
+ use amd64 && [[ ${ABI} == "x32" ]] && append-flags -fpack-struct
+
+ local myeconfargs=(
+ --sbindir="${EPREFIX}/sbin"
+ --libexecdir="${EPREFIX}/$(get_libdir)"
+ --enable-devel
+ --enable-ipv6
+ --enable-shared
+ $(use_enable conntrack connlabel)
+ $(use_enable nftables)
+ $(use_enable netlink libnfnetlink)
+ $(use_enable pcap bpf-compiler)
+ $(use_enable pcap nfsynproxy)
+ $(use_enable static-libs static)
+ )
+
+ econf "${myeconfargs[@]}"
+}
+
+src_compile() {
+ emake V=1
+}
+
+src_install() {
+ default
+
+ # Managed by eselect-iptables
+ # https://bugs.gentoo.org/881295
+ rm "${ED}/usr/bin/iptables-xml" || die
+
+ dodoc iptables/iptables.xslt
+
+ # All the iptables binaries are in /sbin, so might as well
+ # put these small files in with them
+ into /
+ dosbin iptables/iptables-apply
+ dosym iptables-apply /sbin/ip6tables-apply
+ doman iptables/iptables-apply.8
+
+ insinto /usr/include
+ doins include/ip{,6}tables.h
+ insinto /usr/include/iptables
+ doins include/iptables/internal.h
+
+ keepdir /var/lib/ip{,6}tables
+ newinitd "${FILESDIR}"/${PN}-r3.init iptables
+ newconfd "${FILESDIR}"/${PN}-r1.confd iptables
+ dosym iptables /etc/init.d/ip6tables
+ newconfd "${FILESDIR}"/ip6tables-r1.confd ip6tables
+
+ if use nftables; then
+ # Bug #647458
+ rm "${ED}"/etc/ethertypes || die
+
+ # Bugs #660886 and #669894
+ rm "${ED}"/sbin/{arptables,ebtables}{,-{save,restore}} || die
+ fi
+
+ systemd_dounit "${FILESDIR}"/systemd/ip{,6}tables-{re,}store.service
+
+ find "${ED}" -type f -name "*.la" -delete || die
+}
+
+pkg_postinst() {
+ local default_iptables="xtables-legacy-multi"
+ if ! eselect iptables show &>/dev/null; then
+ elog "Current iptables implementation is unset, setting to ${default_iptables}"
+ eselect iptables set "${default_iptables}"
+ fi
+
+ if use nftables; then
+ local tables
+ for tables in {arp,eb}tables; do
+ if ! eselect ${tables} show &>/dev/null; then
+ elog "Current ${tables} implementation is unset, setting to ${default_iptables}"
+ eselect ${tables} set xtables-nft-multi
+ fi
+ done
+ fi
+
+ eselect iptables show
+}
+
+pkg_prerm() {
+ if [[ -z ${REPLACED_BY_VERSION} ]]; then
+ elog "Unsetting iptables symlinks before removal"
+ eselect iptables unset
+ fi
+
+ if ! has_version 'net-firewall/ebtables'; then
+ elog "Unsetting ebtables symlinks before removal"
+ eselect ebtables unset
+ elif [[ -z ${REPLACED_BY_VERSION} ]]; then
+ elog "Resetting ebtables symlinks to ebtables-legacy"
+ eselect ebtables set ebtables-legacy
+ fi
+
+ if ! has_version 'net-firewall/arptables'; then
+ elog "Unsetting arptables symlinks before removal"
+ eselect arptables unset
+ elif [[ -z ${REPLACED_BY_VERSION} ]]; then
+ elog "Resetting arptables symlinks to arptables-legacy"
+ eselect arptables set arptables-legacy
+ fi
+
+ # The eselect module failing should not be fatal
+ return 0
+}
diff --git a/net-firewall/nftables/nftables-1.1.0-r1.ebuild b/net-firewall/nftables/nftables-1.1.0-r1.ebuild
index efec7e4d23d4..24ede801396a 100644
--- a/net-firewall/nftables/nftables-1.1.0-r1.ebuild
+++ b/net-firewall/nftables/nftables-1.1.0-r1.ebuild
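Review bot: In pkg_postinst the arptables/ebtables loop logs `setting to ${default_iptables}`, i.e. xtables-legacy-multi, but the command that follows is `eselect ${tables} set xtables-nft-multi`, so the message names the wrong implementation. A second local such as `local default_nft="xtables-nft-multi"` used in both the elog and an `eselect ${tables} set "${default_nft}"` line keeps the two in step. The same text is present in the hunk above this one, whose start is outside this view, so it likely wants the same fix there. Note also that the sibling ebuild in that earlier hunk installs `${PN}-r4.init` while this one installs `${PN}-r3.init`; if the r4 init script is the intended one for 1.8.11 this looks like a leftover, but that file's name is not visible from here.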
@@ -21,7 +21,7 @@ else https://netfilter.org/projects/nftables/files/${P}.tar.xz verify-sig? ( https://netfilter.org/projects/nftables/files/${P}.tar.xz.sig ) " - KEYWORDS="amd64 arm arm64 ~hppa ~loong ~mips ppc ppc64 ~riscv sparc x86" + KEYWORDS="amd64 arm arm64 hppa ~loong ~mips ppc ppc64 ~riscv sparc x86" BDEPEND="verify-sig? ( sec-keys/openpgp-keys-netfilter )" fi diff --git a/net-firewall/nftables/nftables-1.1.1.ebuild b/net-firewall/nftables/nftables-1.1.1.ebuild index ecfd85b0e138..81f6ec23a51b 100644 --- a/net-firewall/nftables/nftables-1.1.1.ebuild +++ b/net-firewall/nftables/nftables-1.1.1.ebuild @@ -1,4 +1,4 @@ -# Copyright 1999-2024 Gentoo Authors +# Copyright 1999-2025 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=8 @@ -21,7 +21,7 @@ else https://netfilter.org/projects/nftables/files/${P}.tar.xz verify-sig? ( https://netfilter.org/projects/nftables/files/${P}.tar.xz.sig ) " - KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~loong ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86" + KEYWORDS="amd64 arm arm64 hppa ~loong ~mips ppc ppc64 ~riscv sparc x86" BDEPEND="verify-sig? ( sec-keys/openpgp-keys-netfilter )" fi diff --git a/net-firewall/nftlb/Manifest b/net-firewall/nftlb/Manifest index d4a85e63f071..8ec890888e6a 100644 --- a/net-firewall/nftlb/Manifest +++ b/net-firewall/nftlb/Manifest 
@@ -1,2 +1,3 @@
 DIST nftlb-1.0.7.tar.gz 201988 BLAKE2B 794778523b3a60a351fd071e6ff129197203ddfb1b80823dd6b05c30cb530040da465a10d2ffbf11cad063c2a453bb9baebd6e689b9166d4fcb0fe9fd17760e8 SHA512 eb1e9847f340e57b75a5b8680774d8208b282faccdef48e316b2bd52b10349eeda70643386e0e899d0f6a2f506964cf1b7a7ec2d86279f83ca87a9afa8f047bc
 DIST nftlb-1.0.8.gh.tar.gz 256936 BLAKE2B 1ab9fb508c8613304ebde7185a8ad8ddabb483d17c8b872cfb7da8a0b0e5a8d40f74a74361d1d5b8304d45c00357eea1f88f2cc39e5afe537791278277462407 SHA512 f612b7065fb5011f1af34cabe0945b7b0c1479241b4673d86e2e97d06bffdfefcc5ca4ec3ad3752faa92862306ed8ad28754838236476fe9db88099bc389cf7c
+DIST nftlb-1.1.0.gh.tar.gz 250421 BLAKE2B 4034032bec80fe43c67af54550fe24f6133ce9b79c769caa678ef351d001ad01b758740df73e149726f00c258a84e3f4cbd6394a86efec0cdb5221a2f374f774 SHA512 e4fd41f5d7251913be457ae9b4e1ca1a1cc25751d1ffbb7fac3e009332ff963fcd5ab141e8cdbd26eee57183bc7663bf153feb5cd2ba8e2b6cc36083c8c12e46
diff --git a/net-firewall/nftlb/files/nftlb-1.1.0-musl.patch b/net-firewall/nftlb/files/nftlb-1.1.0-musl.patch
new file mode 100644
index 000000000000..b9cfb315c7e2
--- /dev/null
+++ b/net-firewall/nftlb/files/nftlb-1.1.0-musl.patch
@@ -0,0 +1,73 @@ +diff --git a/configure.ac b/configure.ac +index ace78db..55f5f68 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -2,6 +2,7 @@ AC_INIT([nftlb], [1.1.0], [netfilter-devel@vger.kernel.org]) + + AC_CONFIG_AUX_DIR([build-aux]) + AC_CONFIG_MACRO_DIR([m4]) ++AC_CONFIG_HEADERS([config.h]) + AM_INIT_AUTOMAKE([-Wall foreign subdir-objects + tar-pax no-dist-gzip dist-bzip2 1.6]) + +@@ -25,5 +26,7 @@ AC_CHECK_HEADER([ev.h], [EVENTINC="-include ev.h"], + [EVENTINC="-include libev/ev.h"], + [AC_MSG_ERROR([ev.h not found])])]) + ++AC_CHECK_HEADERS([execinfo.h]) ++ + AC_CONFIG_FILES([Makefile src/Makefile]) + AC_OUTPUT +diff --git a/src/main.c b/src/main.c +index bca652e..5d7e918 100644 +--- a/src/main.c ++++ b/src/main.c +@@ -18,6 +18,7 @@ + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + */ ++#include "config.h" + + #include <stdio.h> + #include <stdlib.h> +@@ -25,6 +26,10 @@ + #include <errno.h> + #include <unistd.h> + ++#ifdef HAVE_EXECINFO_H ++ #include <execinfo.h> ++#endif /* HAVE_EXECINFO_H */ ++ + #include "config.h" + #include "objects.h" + #include "server.h" +@@ -88,6 +93,7 @@ static void nftlb_sighandler(int signo) + exit(EXIT_SUCCESS); + } + ++#ifdef HAVE_EXECINFO_H + static void nftlb_trace() { + int level; + +@@ -100,6 +106,7 @@ static void nftlb_trace() { + if (!obj_recovery()) + exit(EXIT_FAILURE); + } ++#endif /* HAVE_EXECINFO_H */ + + static int main_process(const char *config, int mode) + { +@@ -189,9 +196,13 @@ int main(int argc, char *argv[]) + + if (signal(SIGINT, nftlb_sighandler) == SIG_ERR || + signal(SIGTERM, nftlb_sighandler) == SIG_ERR || ++#ifdef HAVE_EXECINFO_H + signal(SIGPIPE, SIG_IGN) == SIG_ERR || + signal(SIGABRT, nftlb_trace) == SIG_ERR || + signal(SIGSEGV, nftlb_trace) == SIG_ERR) { ++#else ++ signal(sigpipe, sig_ign) == sig_err) { ++#endif /* have_execinfo_h */ + u_log_print(LOG_ERR, "Error assigning signals"); + return EXIT_FAILURE; + } 
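Review bot: The `#else` branch added to the signal() chain in src/main.c is written in lowercase — `signal(sigpipe, sig_ign) == sig_err) {` and `#endif /* have_execinfo_h */` — and `sigpipe`, `sig_ign` and `sig_err` are not declared anywhere, so the very build this patch exists for (no execinfo.h) fails at that line; unless the page rendering lowercased it, it must read `signal(SIGPIPE, SIG_IGN) == SIG_ERR) {`. A cleaner shape avoids the duplicated SIGPIPE line and the `#else` altogether by keeping SIGPIPE unconditional and wrapping only the two nftlb_trace registrations, as sketched below. Separately, the new `#include "config.h"` at the top of main.c sits a few lines above an existing `#include "config.h"`; if that existing one is nftlb's own header in src/, the quoted include resolves to it first and the autoconf-generated header (and HAVE_EXECINFO_H) may never be seen, so it is worth confirming which file is picked up.
```c
	if (signal(SIGINT, nftlb_sighandler) == SIG_ERR ||
	    signal(SIGTERM, nftlb_sighandler) == SIG_ERR ||
#ifdef HAVE_EXECINFO_H
	    signal(SIGABRT, nftlb_trace) == SIG_ERR ||
	    signal(SIGSEGV, nftlb_trace) == SIG_ERR ||
#endif /* HAVE_EXECINFO_H */
	    signal(SIGPIPE, SIG_IGN) == SIG_ERR) {
		/* … unchanged: error log and return … */
```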
diff --git a/net-firewall/nftlb/metadata.xml b/net-firewall/nftlb/metadata.xml
index ab906c04250e..6cf207784952 100644
--- a/net-firewall/nftlb/metadata.xml
+++ b/net-firewall/nftlb/metadata.xml
@@ -6,6 +6,6 @@
 <name>Patrick McLean</name>
 </maintainer>
 <upstream>
- <remote-id type="github">zevenet/nftlb</remote-id>
+ <remote-id type="github">relianoid/nftlb</remote-id>
 </upstream>
 </pkgmetadata>
diff --git a/net-firewall/nftlb/nftlb-1.1.0.ebuild b/net-firewall/nftlb/nftlb-1.1.0.ebuild
new file mode 100644
index 000000000000..7e90a613b33b
--- /dev/null
+++ b/net-firewall/nftlb/nftlb-1.1.0.ebuild
@@ -0,0 +1,69 @@
+# Copyright 2020-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit linux-info autotools
+
+DESCRIPTION="nftables load balancer"
+HOMEPAGE="
+ https://www.relianoid.com/nftlb
+ https://github.com/relianoid/nftlb
+"
+SRC_URI="https://github.com/relianoid/${PN}/archive/v${PV}.tar.gz -> ${P}.gh.tar.gz"
+
+LICENSE="AGPL-3"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+
+DEPEND="
+ net-firewall/nftables:=[modern-kernel(+)]
+ dev-libs/jansson:=
+ dev-libs/libev:=
+"
+RDEPEND="
+ ${DEPEND}
+"
+
+# tests need root access
+RESTRICT="test"
+
+PATCHES=(
+ "${FILESDIR}/nftlb-1.0.8-tests.patch"
+ "${FILESDIR}/nftlb-1.1.0-musl.patch"
+)
+
+pkg_setup() {
+ local CONFIG_CHECK="
+ ~NF_TABLES
+ ~NFT_NUMGEN
+ ~NFT_HASH
+ ~NF_NAT
+ ~IP_NF_NAT
+ "
+
+ linux-info_pkg_setup
+
+ if kernel_is lt 4 19; then
+ eerror "${PN} requires kernel version 4.19 or newer"
+ fi
+}
+
+src_prepare() {
+ # there are some compiler artifacts in the tarball
+ find "${S}" -name '*.o' -delete || die
+
+ default
+ eautoreconf
+}
+
+src_test() {
+ pushd tests >/dev/null || die
+
+ sed -e "s:/var/log/syslog:\"${T}/tests.log\":" \
+ -i exec_tests.sh || die
+
+ ./exec_tests.sh || die "tests failed"
+
+ popd >/dev/null || die
+}
diff --git a/net-firewall/xtables-addons/Manifest b/net-firewall/xtables-addons/Manifest
index 9dfa189cce62..c7600d5d4f47 100644
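Review bot: In pkg_setup the `kernel_is lt 4 19` branch only runs `eerror "${PN} requires kernel version 4.19 or newer"` and then falls through, so the build continues against a kernel the message declares unsupported. If the requirement is hard, follow it with `die "${PN} requires kernel version 4.19 or newer"`; if it is advisory, as the `~`-prefixed, non-fatal CONFIG_CHECK entries suggest, `ewarn` matches the actual behaviour better than `eerror`.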
--- a/net-firewall/xtables-addons/Manifest
+++ b/net-firewall/xtables-addons/Manifest
@@ -1 +1,2 @@
 DIST xtables-addons-3.24.tar.xz 335724 BLAKE2B c086616c0366346bd87813ae0fc561bdb8f892eecea19ef88c65afef5318ac6f75fec658e0c6595de5c620c965b2bd7f10e45ff3ec55ffb9ddf8e85643190e7e SHA512 08c3b87617e0124aef99a3953fc5e03e8d98be50ce70771e352509ec64263d5256f744489f10f39879630d9dc8d28f3c91173b4739c95bbd8d5ad56e33138eb4
+DIST xtables-addons-3.27.tar.xz 340360 BLAKE2B 5b82069e21464bc293d76c6cd298e6beafdda57bc07582be64d7ff9a5511741bd1acd9a54a7b1caa08631d108a17b51dc7e7c2926003e6a893b1df0f6b360b62 SHA512 1938342914c24621743d0460e4057ffa6d3b6d01f3d0ca5feaa3852675f18c309f57fcb73725972d4aa87b7da92667efffa16e203f4cd1362cb8bb03a116636a
diff --git a/net-firewall/xtables-addons/metadata.xml b/net-firewall/xtables-addons/metadata.xml
index 22c9b77bb8cd..461cf8e0f052 100644
--- a/net-firewall/xtables-addons/metadata.xml
+++ b/net-firewall/xtables-addons/metadata.xml
@@ -13,5 +13,6 @@
 </longdescription>
 <upstream>
 <remote-id type="sourceforge">xtables-addons</remote-id>
+ <remote-id type="codeberg">jengelh/xtables-addons</remote-id>
 </upstream>
 </pkgmetadata>
diff --git a/net-firewall/xtables-addons/xtables-addons-3.27.ebuild b/net-firewall/xtables-addons/xtables-addons-3.27.ebuild
new file mode 100644
index 000000000000..dd7a313409cf
--- /dev/null
+++ b/net-firewall/xtables-addons/xtables-addons-3.27.ebuild
@@ -0,0 +1,107 @@
+# Copyright 2023-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+MODULES_OPTIONAL_IUSE="+modules"
+inherit flag-o-matic linux-mod-r1
+
+XTABLES_MODULES=(
+ account chaos delude dhcpmac dnetmap echo ipmark logmark
+ proto sysrq tarpit asn condition fuzzy geoip gradm iface
+ ipp2p ipv4options length2 lscan pknock psd quota2
+)
+
+MODULES_KERNEL_MIN=4.15
+
+DESCRIPTION="iptables extensions not yet accepted in the main kernel"
+HOMEPAGE="
+ https://inai.de/projects/xtables-addons/
+ https://codeberg.org/jengelh/xtables-addons/
+"
+SRC_URI="https://inai.de/files/xtables-addons/${P}.tar.xz"
+
+LICENSE="GPL-2+"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+IUSE="${XTABLES_MODULES[*]/#/xtables_addons_}"
+
+XTABLES_SCRIPTS_DEPEND="
+ app-arch/unzip
+ dev-perl/Net-CIDR-Lite
+ dev-perl/Text-CSV_XS
+ virtual/perl-Getopt-Long
+"
+DEPEND="net-firewall/iptables:="
+RDEPEND="
+ ${DEPEND}
+ xtables_addons_asn? ( ${XTABLES_SCRIPTS_DEPEND} )
+ xtables_addons_geoip? ( ${XTABLES_SCRIPTS_DEPEND} )
+"
+
+pkg_setup() {
+ local CONFIG_CHECK="NF_CONNTRACK NF_CONNTRACK_MARK"
+
+ if use xtables_addons_pknock; then
+ CONFIG_CHECK+=" ~CONNECTOR"
+ local ERROR_CONNECTOR="CONFIG_CONNECTOR: is not set but is needed to receive userspace
+ notifications from pknock through netlink/connector"
+ fi
+
+ linux-mod-r1_pkg_setup
+}
+
+src_prepare() {
+ default
+
+ local mod modules
+ mapfile -t modules < <(sed -En 's/^build_(.+)=.*/\L\1/p' mconfig || die)
+ [[ ${modules[*]} == "${XTABLES_MODULES[*]}" ]] ||
+ die "XTABLES_MODULES needs to be updated to: '${modules[*]}'"
+
+ for mod in "${modules[@]}"; do
+ use xtables_addons_${mod} || sed -i "/^build_${mod}=/Id" mconfig || die
+ done
+}
+
+src_configure() {
+ # Uses CFLAGS for tools, and it may mismatch with the kernel's CC
+ # FIXME?: ideally would want to build tools with normal CC
+ use modules && CC=${KERNEL_CC} strip-unsupported-flags
+
+ local econfargs=(
+ # TODO?: should move to ${EPREFIX}/usr + use default libexecdir by now
+ # (matching documentation), but could be a disruptive change for users
+ # with xt_asn/geoip_* paths they may have hardcoded in scripts
+ --prefix="${EPREFIX:-/}"
+ --libexecdir="${EPREFIX}"/$(get_libdir)
+ $(usex modules --with-kbuild="${KV_OUT_DIR}" --without-kbuild)
+ )
+
+ econf "${econfargs[@]}"
+}
+
+src_compile() {
+ use modules || MODULES_MAKEARGS=()
+
+ emake "${MODULES_MAKEARGS[@]}"
+}
+
+src_install() {
+ MODULES_MAKEARGS+=(
+ DESTDIR="${D}"
+ INSTALL_MOD_DIR=xtables_addons
+ )
+
+ emake "${MODULES_MAKEARGS[@]}" install
+ modules_post_process
+
+ dodoc -r README.rst doc/.
+
+ use xtables_addons_asn ||
+ find "${ED}" -type f -name '*_asn*' -delete || die
+ use xtables_addons_geoip ||
+ find "${ED}" -type f -name '*_geoip*' -delete || die
+
+ find "${ED}" -type f -name '*.la' -delete || die
+} |
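Review bot: The header of this newly added file reads `# Copyright 2023-2024 Gentoo Authors` while the other files added in this commit carry 2025; it was presumably carried over from the previous ebuild and should read `# Copyright 2023-2025 Gentoo Authors`. In pkg_setup the `local ERROR_CONNECTOR` string is broken across two source lines, so the message itself contains a newline plus the leading indentation of the continuation line; joining it onto one line keeps the printed output tidy.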