[gentoo-commits] repo/gentoo:master commit in: net-firewall/nftables/, net-firewall/nftables/files/

[gentoo-commits] repo/gentoo:master commit in: net-firewall/nftables/, net-firewall/nftables/files/

[Sam Jorna]

commit:     43c988c13be72ad3b4444b9fcd96b4377743ced9
Author:     Nicholas Vinson <nvinson234 <AT> gmail <DOT> com>
AuthorDate: Sun Jul 10 22:07:00 2016 +0000
Commit:     Sam Jorna <wraeth <AT> gentoo <DOT> org>
CommitDate: Mon Jul 11 07:35:24 2016 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=43c988c1

net-firewall/nftables: backport null payload desc fix

nftables-0.6 handling of payload context descriptions was changed from
version 0.5.  This change causes the code to segfault when the desc
variable in payload_expr_pctx_update() is set to null.  The issue
appears to be fixed with upstream commit
3503738f77cdbe521da1054a37f59ac2e442b4cf.  Therefore, backporting that
commit to 0.6 to fix this issue.

Gentoo-bug: 588192
Package-Manager: portage-2.3.0
Closes: https://github.com/gentoo/gentoo/pull/1865

 .../files/nftables-0.6-null-payload-desc-fix.patch         | 14 ++++++++++++++
 .../{nftables-0.6-r1.ebuild => nftables-0.6-r2.ebuild}     |  5 ++++-
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/net-firewall/nftables/files/nftables-0.6-null-payload-desc-fix.patch b/net-firewall/nftables/files/nftables-0.6-null-payload-desc-fix.patch
new file mode 100644
index 0000000..3ea59e7
--- /dev/null
+++ b/net-firewall/nftables/files/nftables-0.6-null-payload-desc-fix.patch
@@ -0,0 +1,14 @@
+diff --git a/src/payload.c b/src/payload.c
+index ac0e917..9ba980a 100644
+--- a/src/payload.c
++++ b/src/payload.c
+@@ -85,6 +85,9 @@ static void payload_expr_pctx_update(struct proto_ctx *ctx,
+ 	base = ctx->protocol[left->payload.base].desc;
+ 	desc = proto_find_upper(base, proto);
+ 
++	if (!desc)
++		return;
++
+ 	assert(desc->base <= PROTO_BASE_MAX);
+ 	if (desc->base == base->base) {
+ 		assert(base->length > 0);

diff --git a/net-firewall/nftables/nftables-0.6-r1.ebuild b/net-firewall/nftables/nftables-0.6-r2.ebuild
similarity index 95%
rename from net-firewall/nftables/nftables-0.6-r1.ebuild
rename to net-firewall/nftables/nftables-0.6-r2.ebuild
index 550c6da..7874baf 100644
--- a/net-firewall/nftables/nftables-0.6-r1.ebuild
+++ b/net-firewall/nftables/nftables-0.6-r2.ebuild
@@ -28,7 +28,10 @@ DEPEND="${RDEPEND}
 
 S="${WORKDIR}/v${PV}"
 
-PATCHES=( "${FILESDIR}/${PN}-0.5-pdf-doc.patch" )
+PATCHES=(
+	"${FILESDIR}/${PN}-0.5-pdf-doc.patch"
+	"${FILESDIR}/${P}-null-payload-desc-fix.patch"
+)
 
 pkg_setup() {
 	if kernel_is ge 3 13; then

[gentoo-commits] repo/gentoo:master commit in: net-firewall/nftables/, net-firewall/nftables/files/

[Patrick McLean]

commit:     ee0604e2b7263e058c65d222f4c654da3ffdbbd3
Author:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
AuthorDate: Mon Sep 28 23:18:39 2020 +0000
Commit:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
CommitDate: Mon Sep 28 23:18:39 2020 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ee0604e2

net-firewall/nftables-0.9.6-r1: revbump, fix init script (bug #744955)

Closes: https://bugs.gentoo.org/744955
Package-Manager: Portage-3.0.8, Repoman-3.0.1
Signed-off-by: Patrick McLean <chutzpah <AT> gentoo.org>

 net-firewall/nftables/files/nftables.init-r1   | 105 ++++++++++++++++
 net-firewall/nftables/nftables-0.9.6-r1.ebuild | 162 +++++++++++++++++++++++++
 2 files changed, 267 insertions(+)

diff --git a/net-firewall/nftables/files/nftables.init-r1 b/net-firewall/nftables/files/nftables.init-r1
new file mode 100644
index 00000000000..45b2abdbda7
--- /dev/null
+++ b/net-firewall/nftables/files/nftables.init-r1
@@ -0,0 +1,105 @@
+#!/sbin/openrc-run
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+extra_commands="check clear list panic save soft_panic"
+extra_started_commands="reload"
+
+depend() {
+	need localmount #434774
+	before net
+}
+
+checkkernel() {
+	if ! /sbin/nft list ruleset >/dev/null 2>/dev/null ; then
+		eerror "Your kernel lacks nftables support, please load"
+		eerror "appropriate modules and try again."
+		return 1
+	fi
+	return 0
+}
+
+checkconfig() {
+	if [ -z "${NFTABLES_SAVE}" -o ! -f "${NFTABLES_SAVE}" ] ; then
+		eerror "Not starting nftables. First create some rules then run:"
+		eerror "/etc/init.d/${SVCNAME} save"
+		return 1
+	fi
+	return 0
+}
+
+start_pre() {
+	checkconfig || return 1
+	checkkernel || return 1
+	check || return 1
+}
+
+start() {
+	ebegin "Loading ${SVCNAME} state and starting firewall"
+	/usr/libexec/nftables/nftables.sh load "${NFTABLES_SAVE}"
+	eend $?
+}
+
+stop() {
+	if [ "${SAVE_ON_STOP}" = "yes" ] ; then
+		save || return 1
+	fi
+
+	ebegin "Stopping firewall"
+	if [ "${PANIC_ON_STOP}" = "hard" ]; then
+		/usr/libexec/nftables/nftables.sh panic
+	elif [ "${PANIC_ON_STOP}" = "soft" ]; then
+		/usr/libexec/nftables/nftables.sh soft_panic
+	else
+		/usr/libexec/nftables/nftables.sh clear
+	fi
+	eend $?
+}
+
+reload() {
+	start_pre || return 1
+	start
+}
+
+clear() {
+	ebegin "Clearing rules"
+	/usr/libexec/nftables/nftables.sh clear
+	eend $?
+}
+
+list() {
+	/usr/libexec/nftables/nftables.sh list
+}
+
+check() {
+	ebegin "Checking rules"
+	/usr/libexec/nftables/nftables.sh check "${NFTABLES_SAVE}"
+	eend $?
+}
+
+save() {
+	ebegin "Saving ${SVCNAME} state"
+	checkpath -q -d "$(dirname "${NFTABLES_SAVE}")"
+	checkpath -q -m 0600 -f "${NFTABLES_SAVE}"
+	SAVE_OPTIONS="${SAVE_OPTIONS}" \
+		/usr/libexec/nftables/nftables.sh store "${NFTABLES_SAVE}"
+	eend $?
+}
+
+panic() {
+	if service_started ${SVCNAME}; then
+		rc-service ${SVCNAME} zap
+	fi
+	ebegin "Dropping all packets"
+	/usr/libexec/nftables/nftables.sh panic
+	eend $?
+}
+
+soft_panic() {
+	if service_started ${SVCNAME}; then
+		rc-service ${SVCNAME} zap
+	fi
+	ebegin "Dropping new connections"
+	/usr/libexec/nftables/nftables.sh soft_panic
+	eend $?
+}

diff --git a/net-firewall/nftables/nftables-0.9.6-r1.ebuild b/net-firewall/nftables/nftables-0.9.6-r1.ebuild
new file mode 100644
index 00000000000..be001c0ddd6
--- /dev/null
+++ b/net-firewall/nftables/nftables-0.9.6-r1.ebuild
@@ -0,0 +1,162 @@
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+PYTHON_COMPAT=( python3_{6,7,8,9} )
+
+inherit autotools linux-info python-r1 systemd
+
+DESCRIPTION="Linux kernel (3.13+) firewall, NAT and packet mangling tools"
+HOMEPAGE="https://netfilter.org/projects/nftables/"
+SRC_URI="https://netfilter.org/projects/nftables/files/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~ia64 ~ppc64 ~sparc ~x86"
+IUSE="debug doc +gmp json +modern-kernel python +readline static-libs xtables"
+
+RDEPEND="
+	>=net-libs/libmnl-1.0.4:0=
+	gmp? ( dev-libs/gmp:0= )
+	json? ( dev-libs/jansson )
+	python? ( ${PYTHON_DEPS} )
+	readline? ( sys-libs/readline:0= )
+	>=net-libs/libnftnl-1.1.7:0=
+	xtables? ( >=net-firewall/iptables-1.6.1 )
+"
+
+DEPEND="${RDEPEND}"
+
+BDEPEND="
+	doc? (
+		app-text/asciidoc
+		>=app-text/docbook2X-0.8.8-r4
+	)
+	virtual/pkgconfig
+"
+
+REQUIRED_USE="
+	python? ( ${PYTHON_REQUIRED_USE} )
+"
+
+python_make() {
+	emake \
+		-C py \
+		abs_builddir="${S}" \
+		DESTDIR="${D}" \
+		PYTHON_BIN="${PYTHON}" \
+		"${@}"
+}
+
+pkg_setup() {
+	if kernel_is ge 3 13; then
+		if use modern-kernel && kernel_is lt 3 18; then
+			eerror "The modern-kernel USE flag requires kernel version 3.18 or newer to work properly."
+		fi
+		CONFIG_CHECK="~NF_TABLES"
+		linux-info_pkg_setup
+	else
+		eerror "This package requires kernel version 3.13 or newer to work properly."
+	fi
+}
+
+src_prepare() {
+	default
+
+	# fix installation path for doc stuff
+	sed '/^pkgsysconfdir/s@${sysconfdir}.*$@${docdir}/skels@' \
+		-i files/nftables/Makefile.am || die
+	sed '/^pkgsysconfdir/s@${sysconfdir}.*$@${docdir}/skels/osf@' \
+		-i files/osf/Makefile.am || die
+
+	eautoreconf
+}
+
+src_configure() {
+	local myeconfargs=(
+		# We handle python separately
+		--disable-python
+		--sbindir="${EPREFIX}"/sbin
+		$(use_enable debug)
+		$(use_enable doc man-doc)
+		$(use_with !gmp mini_gmp)
+		$(use_with json)
+		$(use_with readline cli readline)
+		$(use_enable static-libs static)
+		$(use_with xtables)
+	)
+	econf "${myeconfargs[@]}"
+}
+
+src_compile() {
+	default
+
+	if use python; then
+		python_foreach_impl python_make
+	fi
+}
+
+src_install() {
+	default
+
+	if ! use doc; then
+		pushd doc >/dev/null || die
+		doman *.?
+		popd >/dev/null || die
+	fi
+
+	local mksuffix="$(usex modern-kernel '-mk' '')"
+
+	exeinto /usr/libexec/${PN}
+	newexe "${FILESDIR}"/libexec/${PN}${mksuffix}.sh ${PN}.sh
+	newconfd "${FILESDIR}"/${PN}${mksuffix}.confd ${PN}
+	newinitd "${FILESDIR}"/${PN}${mksuffix}.init-r1 ${PN}
+	keepdir /var/lib/nftables
+
+	systemd_dounit "${FILESDIR}"/systemd/${PN}-restore.service
+
+	if use python ; then
+		python_foreach_impl python_make install
+		python_foreach_impl python_optimize
+	fi
+
+	find "${ED}" -type f -name "*.la" -delete || die
+}
+
+pkg_postinst() {
+	local save_file
+	save_file="${EROOT}/var/lib/nftables/rules-save"
+
+	# In order for the nftables-restore systemd service to start
+	# the save_file must exist.
+	if [[ ! -f "${save_file}" ]]; then
+		( umask 177; touch "${save_file}" )
+	elif [[ $(( "$( stat --printf '%05a' "${save_file}" )" & 07177 )) -ne 0 ]]; then
+		ewarn "Your system has dangerous permissions for ${save_file}"
+		ewarn "It is probably affected by bug #691326."
+		ewarn "You may need to fix the permissions of the file. To do so,"
+		ewarn "you can run the command in the line below as root."
+		ewarn "    'chmod 600 \"${save_file}\"'"
+	fi
+
+	if has_version 'sys-apps/systemd'; then
+		elog "If you wish to enable the firewall rules on boot (on systemd) you"
+		elog "will need to enable the nftables-restore service."
+		elog "    'systemctl enable ${PN}-restore.service'"
+		elog
+		elog "If you are creating firewall rules before the next system restart"
+		elog "the nftables-restore service must be manually started in order to"
+		elog "save those rules on shutdown."
+	fi
+	if has_version 'sys-apps/openrc'; then
+		elog "If you wish to enable the firewall rules on boot (on openrc) you"
+		elog "will need to enable the nftables service."
+		elog "    'rc-update add ${PN} default'"
+		elog
+		elog "If you are creating or updating the firewall rules and wish to save"
+		elog "them to be loaded on the next restart, use the \"save\" functionality"
+		elog "in the init script."
+		elog "    'rc-service ${PN} save'"
+	fi
+}

[gentoo-commits] repo/gentoo:master commit in: net-firewall/nftables/, net-firewall/nftables/files/

[Sam James]

commit:     1dfcad644e14a6095f13e17bd16a5e9b39466b90
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Thu Feb 24 20:15:00 2022 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Thu Feb 24 23:53:24 2022 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1dfcad64

net-firewall/nftables: restore slibtool patch, API export fix

Signed-off-by: Sam James <sam <AT> gentoo.org>

 ...-explicitly-pass-version-script-to-linker.patch | 27 +++++++++++++++++++
 .../files/nftables-1.0.2-compilation.patch         |  2 ++
 ....map-export-new-nft_ctx_-get-set-_optimiz.patch | 31 ++++++++++++++++++++++
 ...ables-1.0.2.ebuild => nftables-1.0.2-r1.ebuild} |  2 ++
 4 files changed, 62 insertions(+)

diff --git a/net-firewall/nftables/files/nftables-1.0.2-build-explicitly-pass-version-script-to-linker.patch b/net-firewall/nftables/files/nftables-1.0.2-build-explicitly-pass-version-script-to-linker.patch
new file mode 100644
index 000000000000..41c3de5bc83b
--- /dev/null
+++ b/net-firewall/nftables/files/nftables-1.0.2-build-explicitly-pass-version-script-to-linker.patch
@@ -0,0 +1,27 @@
+https://git.netfilter.org/nftables/commit/src?id=1d507ce7f1d3c12481ee24bd1dcac2fc1984ee9f
+
+From: Sam James <sam@gentoo.org>
+Date: Thu, 24 Feb 2022 19:45:43 +0000
+Subject: build: explicitly pass --version-script to linker
+
+--version-script is a linker option, so let's use -Wl, so that
+libtool handles it properly. It seems like the previous method gets silently
+ignored with GNU libtool in some cases(?) and downstream in Gentoo,
+we had to apply this change to make the build work with slibtool anyway.
+
+But it's indeed correct in any case, so let's swap.
+
+Signed-off-by: Sam James <sam@gentoo.org>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -91,7 +91,7 @@ libparser_la_CFLAGS = ${AM_CFLAGS} \
+ 
+ libnftables_la_LIBADD = ${LIBMNL_LIBS} ${LIBNFTNL_LIBS} libparser.la
+ libnftables_la_LDFLAGS = -version-info ${libnftables_LIBVERSION} \
+-			 --version-script=$(srcdir)/libnftables.map
++			 -Wl,--version-script=$(srcdir)/libnftables.map
+ 
+ if BUILD_MINIGMP
+ noinst_LTLIBRARIES += libminigmp.la
+cgit v1.2.3

diff --git a/net-firewall/nftables/files/nftables-1.0.2-compilation.patch b/net-firewall/nftables/files/nftables-1.0.2-compilation.patch
index 166063587485..96670c1d9531 100644
--- a/net-firewall/nftables/files/nftables-1.0.2-compilation.patch
+++ b/net-firewall/nftables/files/nftables-1.0.2-compilation.patch
@@ -1,3 +1,5 @@
+https://git.netfilter.org/nftables/commit/?id=18a08fb7f0443f8bde83393bd6f69e23a04246b3
+
 From 18a08fb7f0443f8bde83393bd6f69e23a04246b3 Mon Sep 17 00:00:00 2001
 From: Pablo Neira Ayuso <pablo@netfilter.org>
 Date: Tue, 22 Feb 2022 00:56:36 +0100

diff --git a/net-firewall/nftables/files/nftables-1.0.2-libnftables.map-export-new-nft_ctx_-get-set-_optimiz.patch b/net-firewall/nftables/files/nftables-1.0.2-libnftables.map-export-new-nft_ctx_-get-set-_optimiz.patch
new file mode 100644
index 000000000000..09841d482222
--- /dev/null
+++ b/net-firewall/nftables/files/nftables-1.0.2-libnftables.map-export-new-nft_ctx_-get-set-_optimiz.patch
@@ -0,0 +1,31 @@
+https://git.netfilter.org/nftables/commit/src?id=e98a9b83cd52c7c75bedb3dad46539b197ed17ba
+
+From: Sam James <sam@gentoo.org>
+Date: Thu, 24 Feb 2022 19:45:42 +0000
+Subject: libnftables.map: export new nft_ctx_{get,set}_optimize API
+
+[ Remove incorrect symbol names were exported via .map file ]
+
+Without this, we're not explicitly saying this is part of the
+public API.
+
+This new API was added in 1.0.2 and is used by e.g. the main
+nft binary. Noticed when fixing the version-script option
+(separate patch) which picked up this problem when .map
+was missing symbols (related to when symbol visibility
+options get set).
+
+Signed-off-by: Sam James <sam@gentoo.org>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+--- a/src/libnftables.map
++++ b/src/libnftables.map
+@@ -30,6 +30,6 @@ LIBNFTABLES_2 {
+ } LIBNFTABLES_1;
+ 
+ LIBNFTABLES_3 {
+-  nft_set_optimize;
+-  nft_get_optimize;
++  nft_ctx_set_optimize;
++  nft_ctx_get_optimize;
+ } LIBNFTABLES_2;
+cgit v1.2.3

diff --git a/net-firewall/nftables/nftables-1.0.2.ebuild b/net-firewall/nftables/nftables-1.0.2-r1.ebuild
similarity index 96%
rename from net-firewall/nftables/nftables-1.0.2.ebuild
rename to net-firewall/nftables/nftables-1.0.2-r1.ebuild
index 0bbf94f10942..8b7db17f23e8 100644
--- a/net-firewall/nftables/nftables-1.0.2.ebuild
+++ b/net-firewall/nftables/nftables-1.0.2-r1.ebuild
@@ -54,6 +54,8 @@ REQUIRED_USE="
 
 PATCHES=(
 	"${FILESDIR}/nftables-1.0.2-compilation.patch"
+	"${FILESDIR}/nftables-1.0.2-build-explicitly-pass-version-script-to-linker.patch"
+	"${FILESDIR}/nftables-1.0.2-libnftables.map-export-new-nft_ctx_-get-set-_optimiz.patch"
 )
 
 pkg_setup() {

[gentoo-commits] repo/gentoo:master commit in: net-firewall/nftables/, net-firewall/nftables/files/

[Sam James]

commit:     9996c079375c4db6aa9a5b35f3e947608c4b99c5
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Sun Jun  5 06:41:40 2022 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Sun Jun  5 06:44:57 2022 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9996c079

net-firewall/nftables: backport crash fix; add test infrastructure

Signed-off-by: Sam James <sam <AT> gentoo.org>

 .../files/nftables-1.0.3-optimize-segfault.patch   | 64 ++++++++++++++++++++++
 .../files/nftables-1.0.3-test-shell-sets.patch     | 21 +++++++
 ...tables-9999.ebuild => nftables-1.0.3-r1.ebuild} | 48 +++++++++++-----
 net-firewall/nftables/nftables-9999.ebuild         | 48 +++++++++++-----
 4 files changed, 153 insertions(+), 28 deletions(-)

diff --git a/net-firewall/nftables/files/nftables-1.0.3-optimize-segfault.patch b/net-firewall/nftables/files/nftables-1.0.3-optimize-segfault.patch
new file mode 100644
index 000000000000..95e53adc0b2f
--- /dev/null
+++ b/net-firewall/nftables/files/nftables-1.0.3-optimize-segfault.patch
@@ -0,0 +1,64 @@
+https://git.netfilter.org/nftables/commit/?id=59bd944f6d75e99fe0c8d743e7fd482672640c2d
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Wed, 1 Jun 2022 10:14:22 +0200
+Subject: optimize: segfault when releasing unsupported statement
+
+Call xfree() instead since stmt_alloc() does not initialize the
+statement type fields.
+
+Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1609
+Fixes: ea1f1c9ff608 ("optimize: memleak in statement matrix")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+--- a/src/optimize.c
++++ b/src/optimize.c
+@@ -304,7 +304,7 @@ static int rule_collect_stmts(struct optimize_ctx *ctx, struct rule *rule)
+ 			clone->nat.type_flags = stmt->nat.type_flags;
+ 			break;
+ 		default:
+-			stmt_free(clone);
++			xfree(clone);
+ 			continue;
+ 		}
+ 
+--- a/tests/shell/testcases/optimizations/dumps/merge_vmaps.nft
++++ b/tests/shell/testcases/optimizations/dumps/merge_vmaps.nft
+@@ -1,4 +1,10 @@
+ table ip x {
++	set s {
++		type ipv4_addr
++		size 65535
++		flags dynamic
++	}
++
+ 	chain filter_in_tcp {
+ 	}
+ 
+@@ -6,6 +12,7 @@ table ip x {
+ 	}
+ 
+ 	chain y {
++		update @s { ip saddr limit rate 12/minute burst 30 packets } accept
+ 		tcp dport vmap { 80 : accept, 81 : accept, 443 : accept, 8000-8100 : accept, 24000-25000 : accept }
+ 		meta l4proto vmap { tcp : goto filter_in_tcp, udp : goto filter_in_udp }
+ 		log
+--- a/tests/shell/testcases/optimizations/merge_vmaps
++++ b/tests/shell/testcases/optimizations/merge_vmaps
+@@ -3,11 +3,16 @@
+ set -e
+ 
+ RULESET="table ip x {
++	set s {
++		type ipv4_addr
++		flags dynamic
++	}
+ 	chain filter_in_tcp {
+ 	}
+ 	chain filter_in_udp {
+ 	}
+ 	chain y {
++	        update @s { ip saddr limit rate 12/minute burst 30 packets } accept
+ 		tcp dport vmap {
+ 			80 : accept,
+ 			81 : accept,
+cgit v1.2.3

diff --git a/net-firewall/nftables/files/nftables-1.0.3-test-shell-sets.patch b/net-firewall/nftables/files/nftables-1.0.3-test-shell-sets.patch
new file mode 100644
index 000000000000..c5f93e20eea6
--- /dev/null
+++ b/net-firewall/nftables/files/nftables-1.0.3-test-shell-sets.patch
@@ -0,0 +1,21 @@
+https://git.netfilter.org/nftables/commit/?id=3835de19fe5773baac5b79f35484d0f0e99bcfe1
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Wed, 1 Jun 2022 18:17:02 +0200
+Subject: tests: shell: sets_with_ifnames release netns on exit
+
+Missing ip netns del call from cleanup()
+
+Fixes: d6fdb0d8d482 ("sets_with_ifnames: add test case for concatenated range")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+--- a/tests/shell/testcases/sets/sets_with_ifnames
++++ b/tests/shell/testcases/sets/sets_with_ifnames
+@@ -13,6 +13,7 @@ ns2="nft2ifname-$rnd"
+ cleanup()
+ {
+ 	ip netns del "$ns1"
++	ip netns del "$ns2"
+ }
+ 
+ trap cleanup EXIT
+cgit v1.2.3

diff --git a/net-firewall/nftables/nftables-9999.ebuild b/net-firewall/nftables/nftables-1.0.3-r1.ebuild
similarity index 82%
copy from net-firewall/nftables/nftables-9999.ebuild
copy to net-firewall/nftables/nftables-1.0.3-r1.ebuild
index fa427dadfaab..d4ace7fe057b 100644
--- a/net-firewall/nftables/nftables-9999.ebuild
+++ b/net-firewall/nftables/nftables-1.0.3-r1.ebuild
@@ -3,15 +3,16 @@
 
 EAPI=7
 
-PYTHON_COMPAT=( python3_{8..10} )
 DISTUTILS_OPTIONAL=1
-inherit autotools linux-info distutils-r1 systemd verify-sig
+PYTHON_COMPAT=( python3_{8..11} )
+VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/netfilter.org.asc
+inherit edo linux-info distutils-r1 systemd verify-sig
 
 DESCRIPTION="Linux kernel (3.13+) firewall, NAT and packet mangling tools"
 HOMEPAGE="https://netfilter.org/projects/nftables/"
 
 if [[ ${PV} =~ ^[9]{4,}$ ]]; then
-	inherit git-r3
+	inherit autotools git-r3
 	EGIT_REPO_URI="https://git.netfilter.org/${PN}"
 
 	BDEPEND="
@@ -22,13 +23,13 @@ else
 	SRC_URI="https://netfilter.org/projects/nftables/files/${P}.tar.bz2
 		verify-sig? ( https://netfilter.org/projects/nftables/files/${P}.tar.bz2.sig )"
 	KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86"
-	VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/netfilter.org.asc
 	BDEPEND+="verify-sig? ( sec-keys/openpgp-keys-netfilter )"
 fi
 
 LICENSE="GPL-2"
 SLOT="0/1"
-IUSE="debug doc +gmp json libedit +modern-kernel python +readline static-libs xtables"
+IUSE="debug doc +gmp json libedit +modern-kernel python +readline static-libs test xtables"
+RESTRICT="test? ( userpriv ) !test? ( test )"
 
 RDEPEND="
 	>=net-libs/libmnl-1.0.4:0=
@@ -43,11 +44,12 @@ RDEPEND="
 DEPEND="${RDEPEND}"
 
 BDEPEND+="
+	virtual/pkgconfig
 	doc? (
 		app-text/asciidoc
 		>=app-text/docbook2X-0.8.8-r4
 	)
-	virtual/pkgconfig
+	python? ( ${PYTHON_DEPS} )
 "
 
 REQUIRED_USE="
@@ -55,6 +57,11 @@ REQUIRED_USE="
 	libedit? ( !readline )
 "
 
+PATCHES=(
+	"${FILESDIR}"/${P}-optimize-segfault.patch
+	"${FILESDIR}"/${P}-test-shell-sets.patch
+)
+
 pkg_setup() {
 	if kernel_is ge 3 13; then
 		if use modern-kernel && kernel_is lt 3 18; then
@@ -70,13 +77,9 @@ pkg_setup() {
 src_prepare() {
 	default
 
-	# fix installation path for doc stuff
-	sed '/^pkgsysconfdir/s@${sysconfdir}.*$@${docdir}/skels@' \
-		-i files/nftables/Makefile.am || die
-	sed '/^pkgsysconfdir/s@${sysconfdir}.*$@${docdir}/skels/osf@' \
-		-i files/osf/Makefile.am || die
-
-	eautoreconf
+	if [[ ${PV} =~ ^[9]{4,}$ ]] ; then
+		eautoreconf
+	fi
 
 	if use python; then
 		pushd py >/dev/null || die
@@ -119,6 +122,17 @@ src_compile() {
 	fi
 }
 
+src_test() {
+	emake check
+
+	edo tests/shell/run-tests.sh -v
+
+	# Need to rig up Python eclass if using this, but it doesn't seem to work
+	# for me anyway.
+	#cd tests/py || die
+	#"${EPYTHON}" nft-test.py || die
+}
+
 src_install() {
 	default
 
@@ -128,6 +142,11 @@ src_install() {
 		popd >/dev/null || die
 	fi
 
+	# Do it here instead of in src_prepare to avoid eautoreconf
+	# rmdir lets us catch if more files end up installed in /etc/nftables
+	mv "${ED}"/etc/nftables/osf "${ED}"/usr/share/doc/${PF}/skels/osf || die
+	rmdir "${ED}"/etc/nftables || die
+
 	local mksuffix="$(usex modern-kernel '-mk' '')"
 
 	exeinto /usr/libexec/${PN}
@@ -149,7 +168,7 @@ src_install() {
 
 pkg_postinst() {
 	local save_file
-	save_file="${EROOT}/var/lib/nftables/rules-save"
+	save_file="${EROOT}"/var/lib/nftables/rules-save
 
 	# In order for the nftables-restore systemd service to start
 	# the save_file must exist.
@@ -172,6 +191,7 @@ pkg_postinst() {
 		elog "the nftables-restore service must be manually started in order to"
 		elog "save those rules on shutdown."
 	fi
+
 	if has_version 'sys-apps/openrc'; then
 		elog "If you wish to enable the firewall rules on boot (on openrc) you"
 		elog "will need to enable the nftables service."

diff --git a/net-firewall/nftables/nftables-9999.ebuild b/net-firewall/nftables/nftables-9999.ebuild
index fa427dadfaab..d4ace7fe057b 100644
--- a/net-firewall/nftables/nftables-9999.ebuild
+++ b/net-firewall/nftables/nftables-9999.ebuild
@@ -3,15 +3,16 @@
 
 EAPI=7
 
-PYTHON_COMPAT=( python3_{8..10} )
 DISTUTILS_OPTIONAL=1
-inherit autotools linux-info distutils-r1 systemd verify-sig
+PYTHON_COMPAT=( python3_{8..11} )
+VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/netfilter.org.asc
+inherit edo linux-info distutils-r1 systemd verify-sig
 
 DESCRIPTION="Linux kernel (3.13+) firewall, NAT and packet mangling tools"
 HOMEPAGE="https://netfilter.org/projects/nftables/"
 
 if [[ ${PV} =~ ^[9]{4,}$ ]]; then
-	inherit git-r3
+	inherit autotools git-r3
 	EGIT_REPO_URI="https://git.netfilter.org/${PN}"
 
 	BDEPEND="
@@ -22,13 +23,13 @@ else
 	SRC_URI="https://netfilter.org/projects/nftables/files/${P}.tar.bz2
 		verify-sig? ( https://netfilter.org/projects/nftables/files/${P}.tar.bz2.sig )"
 	KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86"
-	VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/netfilter.org.asc
 	BDEPEND+="verify-sig? ( sec-keys/openpgp-keys-netfilter )"
 fi
 
 LICENSE="GPL-2"
 SLOT="0/1"
-IUSE="debug doc +gmp json libedit +modern-kernel python +readline static-libs xtables"
+IUSE="debug doc +gmp json libedit +modern-kernel python +readline static-libs test xtables"
+RESTRICT="test? ( userpriv ) !test? ( test )"
 
 RDEPEND="
 	>=net-libs/libmnl-1.0.4:0=
@@ -43,11 +44,12 @@ RDEPEND="
 DEPEND="${RDEPEND}"
 
 BDEPEND+="
+	virtual/pkgconfig
 	doc? (
 		app-text/asciidoc
 		>=app-text/docbook2X-0.8.8-r4
 	)
-	virtual/pkgconfig
+	python? ( ${PYTHON_DEPS} )
 "
 
 REQUIRED_USE="
@@ -55,6 +57,11 @@ REQUIRED_USE="
 	libedit? ( !readline )
 "
 
+PATCHES=(
+	"${FILESDIR}"/${P}-optimize-segfault.patch
+	"${FILESDIR}"/${P}-test-shell-sets.patch
+)
+
 pkg_setup() {
 	if kernel_is ge 3 13; then
 		if use modern-kernel && kernel_is lt 3 18; then
@@ -70,13 +77,9 @@ pkg_setup() {
 src_prepare() {
 	default
 
-	# fix installation path for doc stuff
-	sed '/^pkgsysconfdir/s@${sysconfdir}.*$@${docdir}/skels@' \
-		-i files/nftables/Makefile.am || die
-	sed '/^pkgsysconfdir/s@${sysconfdir}.*$@${docdir}/skels/osf@' \
-		-i files/osf/Makefile.am || die
-
-	eautoreconf
+	if [[ ${PV} =~ ^[9]{4,}$ ]] ; then
+		eautoreconf
+	fi
 
 	if use python; then
 		pushd py >/dev/null || die
@@ -119,6 +122,17 @@ src_compile() {
 	fi
 }
 
+src_test() {
+	emake check
+
+	edo tests/shell/run-tests.sh -v
+
+	# Need to rig up Python eclass if using this, but it doesn't seem to work
+	# for me anyway.
+	#cd tests/py || die
+	#"${EPYTHON}" nft-test.py || die
+}
+
 src_install() {
 	default
 
@@ -128,6 +142,11 @@ src_install() {
 		popd >/dev/null || die
 	fi
 
+	# Do it here instead of in src_prepare to avoid eautoreconf
+	# rmdir lets us catch if more files end up installed in /etc/nftables
+	mv "${ED}"/etc/nftables/osf "${ED}"/usr/share/doc/${PF}/skels/osf || die
+	rmdir "${ED}"/etc/nftables || die
+
 	local mksuffix="$(usex modern-kernel '-mk' '')"
 
 	exeinto /usr/libexec/${PN}
@@ -149,7 +168,7 @@ src_install() {
 
 pkg_postinst() {
 	local save_file
-	save_file="${EROOT}/var/lib/nftables/rules-save"
+	save_file="${EROOT}"/var/lib/nftables/rules-save
 
 	# In order for the nftables-restore systemd service to start
 	# the save_file must exist.
@@ -172,6 +191,7 @@ pkg_postinst() {
 		elog "the nftables-restore service must be manually started in order to"
 		elog "save those rules on shutdown."
 	fi
+
 	if has_version 'sys-apps/openrc'; then
 		elog "If you wish to enable the firewall rules on boot (on openrc) you"
 		elog "will need to enable the nftables service."

[gentoo-commits] repo/gentoo:master commit in: net-firewall/nftables/, net-firewall/nftables/files/

[Sam James]

commit:     83c0b0b3744ebd4d3a68b7f5ceb4bdb25e025116
Author:     Alfred Wingate <parona <AT> protonmail <DOT> com>
AuthorDate: Wed Jul 24 08:58:41 2024 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Wed Jul 24 11:53:02 2024 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=83c0b0b3

net-firewall/nftables: revert firewalld breaking change

https://lore.kernel.org/netfilter-devel/ZqCw126I4VRE0xKJ@calendula/

Signed-off-by: Alfred Wingate <parona <AT> protonmail.com>
Signed-off-by: Sam James <sam <AT> gentoo.org>

 ...es-1.1.0-revert-firewalld-breaking-change.patch |  63 ++++++
 net-firewall/nftables/nftables-1.1.0-r1.ebuild     | 232 +++++++++++++++++++++
 2 files changed, 295 insertions(+)

diff --git a/net-firewall/nftables/files/nftables-1.1.0-revert-firewalld-breaking-change.patch b/net-firewall/nftables/files/nftables-1.1.0-revert-firewalld-breaking-change.patch
new file mode 100644
index 000000000000..0cc23d61fb8f
--- /dev/null
+++ b/net-firewall/nftables/files/nftables-1.1.0-revert-firewalld-breaking-change.patch
@@ -0,0 +1,63 @@
+https://git.netfilter.org/nftables/commit/?id=93560d0117639c8685fc287128ab06dec9950fbd
+https://github.com/firewalld/firewalld/issues/1366
+https://lore.kernel.org/netfilter-devel/Zp7FqL_YK3p_dQ8B@egarver-mac/
+
+From 93560d0117639c8685fc287128ab06dec9950fbd Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Wed, 24 Jul 2024 09:38:33 +0200
+Subject: Revert "cache: recycle existing cache with incremental updates"
+
+This reverts commit e791dbe109b6dd891a63a4236df5dc29d7a4b863.
+
+Eric Garver reported two issues:
+
+- index with rule breaks, because NFT_CACHE_REFRESH is missing.
+- simple set updates.
+
+Moreover, the current process could populate the cache with objects for
+listing commands (no generation ID is bumped), while another process
+could update the ruleset. Leading to a inconsistent cache due to the
+genid + 1 check.
+
+This optimization needs more work and more tests for -i/--interactive,
+revert it.
+
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+--- a/src/cache.c
++++ b/src/cache.c
+@@ -1184,21 +1184,9 @@ static bool nft_cache_needs_refresh(struct nft_cache *cache, unsigned int flags)
+ 	       (flags & NFT_CACHE_REFRESH);
+ }
+ 
+-static bool nft_cache_is_updated(struct nft_cache *cache, unsigned int flags,
+-				 uint16_t genid)
++static bool nft_cache_is_updated(struct nft_cache *cache, uint16_t genid)
+ {
+-	if (!genid)
+-		return false;
+-
+-	if (genid == cache->genid)
+-		return true;
+-
+-	if (genid == cache->genid + 1) {
+-		cache->genid++;
+-		return true;
+-	}
+-
+-	return false;
++	return genid && genid == cache->genid;
+ }
+ 
+ bool nft_cache_needs_update(struct nft_cache *cache)
+@@ -1223,7 +1211,7 @@ replay:
+ 	genid = mnl_genid_get(&ctx);
+ 	if (!nft_cache_needs_refresh(cache, flags) &&
+ 	    nft_cache_is_complete(cache, flags) &&
+-	    nft_cache_is_updated(cache, flags, genid))
++	    nft_cache_is_updated(cache, genid))
+ 		return 0;
+ 
+ 	if (cache->genid)
+-- 
+cgit v1.2.3
+

diff --git a/net-firewall/nftables/nftables-1.1.0-r1.ebuild b/net-firewall/nftables/nftables-1.1.0-r1.ebuild
new file mode 100644
index 000000000000..eb927df4997e
--- /dev/null
+++ b/net-firewall/nftables/nftables-1.1.0-r1.ebuild
@@ -0,0 +1,232 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+DISTUTILS_OPTIONAL=1
+DISTUTILS_USE_PEP517=setuptools
+PYTHON_COMPAT=( python3_{10..13} )
+VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/netfilter.org.asc
+inherit edo linux-info distutils-r1 systemd verify-sig
+
+DESCRIPTION="Linux kernel firewall, NAT and packet mangling tools"
+HOMEPAGE="https://netfilter.org/projects/nftables/"
+
+if [[ ${PV} =~ ^[9]{4,}$ ]]; then
+	inherit autotools git-r3
+	EGIT_REPO_URI="https://git.netfilter.org/${PN}"
+	BDEPEND="app-alternatives/yacc"
+else
+	SRC_URI="
+		https://netfilter.org/projects/nftables/files/${P}.tar.xz
+		verify-sig? ( https://netfilter.org/projects/nftables/files/${P}.tar.xz.sig )
+	"
+	KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86"
+	BDEPEND="verify-sig? ( sec-keys/openpgp-keys-netfilter )"
+fi
+
+# See COPYING: new code is GPL-2+, existing code is GPL-2
+LICENSE="GPL-2 GPL-2+"
+SLOT="0/1"
+IUSE="debug doc +gmp json libedit python +readline static-libs test xtables"
+RESTRICT="!test? ( test )"
+
+RDEPEND="
+	>=net-libs/libmnl-1.0.4:=
+	>=net-libs/libnftnl-1.2.7:=
+	gmp? ( dev-libs/gmp:= )
+	json? ( dev-libs/jansson:= )
+	python? ( ${PYTHON_DEPS} )
+	readline? ( sys-libs/readline:= )
+	xtables? ( >=net-firewall/iptables-1.6.1:= )
+"
+DEPEND="${RDEPEND}"
+BDEPEND+="
+	app-alternatives/lex
+	virtual/pkgconfig
+	doc? (
+		app-text/asciidoc
+		>=app-text/docbook2X-0.8.8-r4
+	)
+	python? ( ${DISTUTILS_DEPS} )
+"
+
+REQUIRED_USE="
+	python? ( ${PYTHON_REQUIRED_USE} )
+	libedit? ( !readline )
+"
+
+PATCHES=(
+	"${FILESDIR}"/nftables-1.1.0-revert-firewalld-breaking-change.patch
+)
+
+src_prepare() {
+	default
+
+	if [[ ${PV} =~ ^[9]{4,}$ ]] ; then
+		eautoreconf
+	fi
+
+	if use python; then
+		pushd py >/dev/null || die
+		distutils-r1_src_prepare
+		popd >/dev/null || die
+	fi
+}
+
+src_configure() {
+	local myeconfargs=(
+		--sbindir="${EPREFIX}"/sbin
+		$(use_enable debug)
+		$(use_enable doc man-doc)
+		$(use_with !gmp mini_gmp)
+		$(use_with json)
+		$(use_with libedit cli editline)
+		$(use_with readline cli readline)
+		$(use_enable static-libs static)
+		$(use_with xtables)
+	)
+
+	econf "${myeconfargs[@]}"
+
+	if use python; then
+		pushd py >/dev/null || die
+		distutils-r1_src_configure
+		popd >/dev/null || die
+	fi
+}
+
+src_compile() {
+	default
+
+	if use python; then
+		pushd py >/dev/null || die
+		distutils-r1_src_compile
+		popd >/dev/null || die
+	fi
+}
+
+src_test() {
+	emake check
+
+	if [[ ${EUID} == 0 ]]; then
+		edo tests/shell/run-tests.sh -v
+	else
+		ewarn "Skipping shell tests (requires root)"
+	fi
+
+	if use python; then
+		pushd tests/py >/dev/null || die
+		distutils-r1_src_test
+		popd >/dev/null || die
+	fi
+}
+
+python_test() {
+	if [[ ${EUID} == 0 ]]; then
+		edo "${EPYTHON}" nft-test.py
+	else
+		ewarn "Skipping Python tests (requires root)"
+	fi
+}
+
+src_install() {
+	default
+
+	if ! use doc && [[ ! ${PV} =~ ^[9]{4,}$ ]]; then
+		pushd doc >/dev/null || die
+		doman *.?
+		popd >/dev/null || die
+	fi
+
+	# Do it here instead of in src_prepare to avoid eautoreconf
+	# rmdir lets us catch if more files end up installed in /etc/nftables
+	dodir /usr/share/doc/${PF}/skels/
+	mv "${ED}"/etc/nftables/osf "${ED}"/usr/share/doc/${PF}/skels/osf || die
+	rmdir "${ED}"/etc/nftables || die
+
+	exeinto /usr/libexec/${PN}
+	newexe "${FILESDIR}"/libexec/${PN}-mk.sh ${PN}.sh
+	newconfd "${FILESDIR}"/${PN}-mk.confd ${PN}
+	newinitd "${FILESDIR}"/${PN}-mk.init-r1 ${PN}
+	keepdir /var/lib/nftables
+
+	systemd_dounit "${FILESDIR}"/systemd/${PN}-restore.service
+
+	if use python ; then
+		pushd py >/dev/null || die
+		distutils-r1_src_install
+		popd >/dev/null || die
+	fi
+
+	find "${ED}" -type f -name "*.la" -delete || die
+}
+
+pkg_preinst() {
+	local stderr
+
+	# There's a history of regressions with nftables upgrades. Perform a
+	# safety check to help us spot them earlier. For the check to pass, the
+	# currently loaded ruleset, if any, must be successfully evaluated by
+	# the newly built instance of nft(8).
+	if [[ -n ${ROOT} ]] || [[ ! -d /sys/module/nftables ]] || [[ ! -x /sbin/nft ]]; then
+		# Either nftables isn't yet in use or nft(8) cannot be executed.
+		return
+	elif ! stderr=$(umask 177; /sbin/nft -t list ruleset 2>&1 >"${T}"/ruleset.nft); then
+		# Report errors induced by trying to list the ruleset but don't
+		# treat them as being fatal.
+		printf '%s\n' "${stderr}" >&2
+	elif [[ ${stderr} == *"is managed by iptables-nft"* ]]; then
+		# Rulesets generated by iptables-nft are special in nature and
+		# will not always be printed in a way that constitutes a valid
+		# syntax for ntf(8). Ignore them.
+		return
+	elif set -- "${ED}"/usr/lib*/libnftables.so;
+		! LD_LIBRARY_PATH=${1%/*} "${ED}"/sbin/nft -c -f -- "${T}"/ruleset.nft
+	then
+		eerror "Your currently loaded ruleset cannot be parsed by the newly built instance of"
+		eerror "nft. This probably means that there is a regression introduced by v${PV}."
+		eerror "(To make the ebuild fail instead of warning, set NFTABLES_ABORT_ON_RELOAD_FAILURE=1.)"
+		if [[ -n ${NFTABLES_ABORT_ON_RELOAD_FAILURE} ]] ; then
+			die "Aborting because of failed nft reload!"
+		fi
+	fi
+}
+
+pkg_postinst() {
+	local save_file
+	save_file="${EROOT}"/var/lib/nftables/rules-save
+
+	# In order for the nftables-restore systemd service to start
+	# the save_file must exist.
+	if [[ ! -f "${save_file}" ]]; then
+		( umask 177; touch "${save_file}" )
+	elif [[ $(( "$( stat --printf '%05a' "${save_file}" )" & 07177 )) -ne 0 ]]; then
+		ewarn "Your system has dangerous permissions for ${save_file}"
+		ewarn "It is probably affected by bug #691326."
+		ewarn "You may need to fix the permissions of the file. To do so,"
+		ewarn "you can run the command in the line below as root."
+		ewarn "    'chmod 600 \"${save_file}\"'"
+	fi
+
+	if has_version 'sys-apps/systemd'; then
+		elog "If you wish to enable the firewall rules on boot (on systemd) you"
+		elog "will need to enable the nftables-restore service."
+		elog "    'systemctl enable ${PN}-restore.service'"
+		elog
+		elog "If you are creating firewall rules before the next system restart"
+		elog "the nftables-restore service must be manually started in order to"
+		elog "save those rules on shutdown."
+	fi
+
+	if has_version 'sys-apps/openrc'; then
+		elog "If you wish to enable the firewall rules on boot (on openrc) you"
+		elog "will need to enable the nftables service."
+		elog "    'rc-update add ${PN} default'"
+		elog
+		elog "If you are creating or updating the firewall rules and wish to save"
+		elog "them to be loaded on the next restart, use the \"save\" functionality"
+		elog "in the init script."
+		elog "    'rc-service ${PN} save'"
+	fi
+}