* [gentoo-commits] repo/gentoo:master commit in: net-firewall/iptables/files/, net-firewall/iptables/
@ 2015-08-14 12:42 Michał Górny
From: Michał Górny @ 2015-08-14 12:42 UTC (permalink / raw
  To: gentoo-commits

commit:     190ab2e9052a9e2304a9aafac6c6ae17bd4e1ba2
Author:     Michał Górny <mgorny <AT> gentoo <DOT> org>
AuthorDate: Fri Aug 14 12:41:41 2015 +0000
Commit:     Michał Górny <mgorny <AT> gentoo <DOT> org>
CommitDate: Fri Aug 14 12:42:00 2015 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=190ab2e9

net-firewall/iptables: Restore 1.4.17 required by dev-perl/IPTables-libiptc

Package-Manager: portage-2.2.20

 net-firewall/iptables/Manifest                     |  1 +
 .../iptables/files/iptables-1.4.17-libip6tc.patch  | 32 ++++++++
 net-firewall/iptables/iptables-1.4.17.ebuild       | 87 ++++++++++++++++++++++
 3 files changed, 120 insertions(+)

diff --git a/net-firewall/iptables/Manifest b/net-firewall/iptables/Manifest
index e3c1f23..8e3fa0b 100644
--- a/net-firewall/iptables/Manifest
+++ b/net-firewall/iptables/Manifest
@@ -1 +1,2 @@
+DIST iptables-1.4.17.tar.bz2 541137 SHA256 51e7a769469383b6ad308a6a19cdd2bd813cf4593e21a156a543a1cd70554925 SHA512 022f89cbf56408842bdeb1adbe05076addaad007599fdb662f32a1c134d743dade28c26842acc7545d2474903164be5fe3ec7fd1e276cd2c37bd3b33b8a30de1 WHIRLPOOL f2cb85d5f4080fce2c6673a58737ace3d55130f74c66207bc515d0c7b4ecd75bd7ac8540a862e8af133e740d34eee40833d72c9c3236c7ef4dc75cd43816ec41
 DIST iptables-1.4.21.tar.bz2 547439 SHA256 52004c68021da9a599feed27f65defcfb22128f7da2c0531c0f75de0f479d3e0 SHA512 dd4baccdb080284d8620e6ed59beafc2677813f3e099051764b07f8e394f6d94ca11861b181f3cce7c55c66de64c1e2add13dc1a0b64e24050cd9fb7aea0689b WHIRLPOOL 475541d1b2b7fe4ee8fa3b537274ef082aab8bfd262201ee14cd53577dfac6f591445cc6d64ed93b226a4b71d54ae1b9ab4cbb378b5440861a585f770f0db200

diff --git a/net-firewall/iptables/files/iptables-1.4.17-libip6tc.patch b/net-firewall/iptables/files/iptables-1.4.17-libip6tc.patch
new file mode 100644
index 0000000..5212dd2
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-1.4.17-libip6tc.patch
@@ -0,0 +1,32 @@
+From d42bc7c100de69396a527e90736198f8e4e3000b Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier@gentoo.org>
+Date: Sun, 30 Dec 2012 18:06:15 -0500
+Subject: [PATCH] extensions: fix linking against -lip6tc
+
+The current build forgets to specify a path to find libip6tc which means
+it either fails (if there is no libip6tc in the system), or links against
+an old version (if there is one in the system).
+
+References: https://bugs.gentoo.org/449262
+Reported-by: Mike Gilbert <floppym@gentoo.org>
+Signed-off-by: Mike Frysinger <vapier@gentoo.org>
+---
+ extensions/GNUmakefile.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
+index e71e3ff..a605474 100644
+--- a/extensions/GNUmakefile.in
++++ b/extensions/GNUmakefile.in
+@@ -101,7 +101,7 @@ libxt_state.so: libxt_conntrack.so
+ 	ln -fs $< $@
+ 
+ # Need the LIBADDs in iptables/Makefile.am too for libxtables_la_LIBADD
+-ip6t_NETMAP_LIBADD  = -lip6tc
++ip6t_NETMAP_LIBADD  = -L../libiptc/.libs -lip6tc
+ xt_RATEEST_LIBADD   = -lm
+ xt_statistic_LIBADD = -lm
+ 
+-- 
+1.8.0
+

diff --git a/net-firewall/iptables/iptables-1.4.17.ebuild b/net-firewall/iptables/iptables-1.4.17.ebuild
new file mode 100644
index 0000000..0bbfa2b
--- /dev/null
+++ b/net-firewall/iptables/iptables-1.4.17.ebuild
@@ -0,0 +1,87 @@
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="4"
+
+# Force users doing their own patches to install their own tools
+AUTOTOOLS_AUTO_DEPEND=no
+
+inherit eutils multilib toolchain-funcs autotools
+
+DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
+HOMEPAGE="http://www.iptables.org/"
+SRC_URI="http://iptables.org/projects/iptables/files/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
+IUSE="ipv6 netlink static-libs"
+
+RDEPEND="
+	netlink? ( net-libs/libnfnetlink )
+"
+DEPEND="${RDEPEND}
+	virtual/os-headers
+	virtual/pkgconfig
+"
+
+src_prepare() {
+	# use the saner headers from the kernel
+	rm -f include/linux/{kernel,types}.h
+	epatch "${FILESDIR}"/${P}-libip6tc.patch #449262
+
+	# Only run autotools if user patched something
+	epatch_user && eautoreconf || elibtoolize
+}
+
+src_configure() {
+	# Some libs use $(AR) rather than libtool to build #444282
+	tc-export AR
+
+	sed -i \
+		-e "/nfnetlink=[01]/s:=[01]:=$(usex netlink 1 0):" \
+		configure || die
+
+	econf \
+		--sbindir="${EPREFIX}/sbin" \
+		--libexecdir="${EPREFIX}/$(get_libdir)" \
+		--enable-devel \
+		--enable-shared \
+		$(use_enable static-libs static) \
+		$(use_enable ipv6)
+}
+
+src_compile() {
+	emake V=1
+}
+
+src_install() {
+	default
+	dodoc INCOMPATIBILITIES iptables/iptables.xslt
+
+	# all the iptables binaries are in /sbin, so might as well
+	# put these small files in with them
+	into /
+	dosbin iptables/iptables-apply
+	dosym iptables-apply /sbin/ip6tables-apply
+	doman iptables/iptables-apply.8
+
+	insinto /usr/include
+	doins include/iptables.h $(use ipv6 && echo include/ip6tables.h)
+	insinto /usr/include/iptables
+	doins include/iptables/internal.h
+
+	keepdir /var/lib/iptables
+	newinitd "${FILESDIR}"/${PN}-1.4.13-r1.init iptables
+	newconfd "${FILESDIR}"/${PN}-1.4.13.confd iptables
+	if use ipv6 ; then
+		keepdir /var/lib/ip6tables
+		newinitd "${FILESDIR}"/iptables-1.4.13-r1.init ip6tables
+		newconfd "${FILESDIR}"/ip6tables-1.4.13.confd ip6tables
+	fi
+
+	# Move important libs to /lib
+	gen_usr_ldscript -a ip{4,6}tc iptc xtables
+	find "${ED}" -type f -name '*.la' -exec rm -rf '{}' '+' || die "la removal failed"
+}
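Review bot: `SRC_URI` and `HOMEPAGE` in the new ebuild use plain `http://`, and the same applies to iptables-1.4.21-r3.ebuild added later in this thread. The tarball is still pinned by the SHA256/SHA512/WHIRLPOOL entries this commit adds to Manifest, so this is transport hardening rather than an integrity gap. If the host serves TLS, prefer the form the 1.8.0-r1 ebuild on this page uses, `SRC_URI="https://www.netfilter.org/projects/iptables/files/${P}.tar.bz2"`. The ebuild also does not record why an old firewall release is back in the tree; a header comment such as `# Kept only for dev-perl/IPTables-libiptc; remove once it builds against a newer iptables` would keep it from being mistaken for a maintained version.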



* [gentoo-commits] repo/gentoo:master commit in: net-firewall/iptables/files/, net-firewall/iptables/
@ 2015-08-27  2:08 Mike Frysinger
From: Mike Frysinger @ 2015-08-27  2:08 UTC (permalink / raw
  To: gentoo-commits

commit:     adbc9428f6d4f5f6751127f4edc6846b36083d28
Author:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Thu Aug 27 02:07:03 2015 +0000
Commit:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Thu Aug 27 02:07:43 2015 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=adbc9428

net-firewall/iptables: fix from upstream for static builds #558234

Silence constant connlabel.conf warnings when using static libs.

 .../iptables-1.4.21-static-connlabel-config.patch  |  77 +++++++++++++++
 net-firewall/iptables/iptables-1.4.21-r3.ebuild    | 104 +++++++++++++++++++++
 2 files changed, 181 insertions(+)

diff --git a/net-firewall/iptables/files/iptables-1.4.21-static-connlabel-config.patch b/net-firewall/iptables/files/iptables-1.4.21-static-connlabel-config.patch
new file mode 100644
index 0000000..a4183d6
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-1.4.21-static-connlabel-config.patch
@@ -0,0 +1,77 @@
+https://bugs.gentoo.org/558234
+http://git.netfilter.org/iptables/commit/?id=825fbda5482a7d5ec5a6619c81fe07ff865c7d6e
+
+From 825fbda5482a7d5ec5a6619c81fe07ff865c7d6e Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Fri, 5 Sep 2014 20:45:56 +0200
+Subject: [PATCH] extensions: libxt_connlabel: do not open config file from
+ _init hook
+
+else, static builds will print this for every iptables invocation,
+even 'iptables -L'.  Delay open until we need to translate a mapping.
+
+Reported-by: Thomas De Schampheleire <patrickdepinguin@gmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+---
+ extensions/libxt_connlabel.c | 27 ++++++++++++++++++++-------
+ 1 file changed, 20 insertions(+), 7 deletions(-)
+
+diff --git a/extensions/libxt_connlabel.c b/extensions/libxt_connlabel.c
+index c84a167..1f83095 100644
+--- a/extensions/libxt_connlabel.c
++++ b/extensions/libxt_connlabel.c
+@@ -29,11 +29,26 @@ static const struct xt_option_entry connlabel_mt_opts[] = {
+ 	XTOPT_TABLEEND,
+ };
+ 
++/* cannot do this via _init, else static builds might spew error message
++ * for every iptables invocation.
++ */
++static void connlabel_open(void)
++{
++	if (map)
++		return;
++
++	map = nfct_labelmap_new(NULL);
++	if (!map && errno)
++		xtables_error(RESOURCE_PROBLEM, "cannot open connlabel.conf: %s\n",
++			strerror(errno));
++}
++
+ static void connlabel_mt_parse(struct xt_option_call *cb)
+ {
+ 	struct xt_connlabel_mtinfo *info = cb->data;
+ 	int tmp;
+ 
++	connlabel_open();
+ 	xtables_option_parse(cb);
+ 
+ 	switch (cb->entry->id) {
+@@ -54,7 +69,11 @@ static void connlabel_mt_parse(struct xt_option_call *cb)
+ 
+ static const char *connlabel_get_name(int b)
+ {
+-	const char *name = nfct_labelmap_get_name(map, b);
++	const char *name;
++
++	connlabel_open();
++
++	name = nfct_labelmap_get_name(map, b);
+ 	if (name && strcmp(name, ""))
+ 		return name;
+ 	return NULL;
+@@ -114,11 +133,5 @@ static struct xtables_match connlabel_mt_reg = {
+ 
+ void _init(void)
+ {
+-	map = nfct_labelmap_new(NULL);
+-	if (!map) {
+-		fprintf(stderr, "cannot open connlabel.conf, not registering '%s' match: %s\n",
+-			connlabel_mt_reg.name, strerror(errno));
+-		return;
+-	}
+ 	xtables_register_match(&connlabel_mt_reg);
+ }
+-- 
+2.4.4
+
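Review bot: In the backported `connlabel_open()`, a NULL `map` is fatal only when `errno` is non-zero, and `errno` is not cleared before `nfct_labelmap_new(NULL)`, so the outcome depends on whatever an earlier call left behind. When the function returns with `map` still NULL, `connlabel_get_name()` passes it straight to `nfct_labelmap_get_name(map, b)`; whether the library accepts a NULL map is not visible on this page. Setting `errno = 0;` ahead of the call and adding `if (!map) return NULL;` after `connlabel_open();` in `connlabel_get_name()` would make both paths explicit. `connlabel_mt_parse()` continues outside the hunk, so its use of `map` needs the same check. As this is an upstream backport, the change is best proposed to netfilter rather than carried only in this tree.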

diff --git a/net-firewall/iptables/iptables-1.4.21-r3.ebuild b/net-firewall/iptables/iptables-1.4.21-r3.ebuild
new file mode 100644
index 0000000..ef4eb78
--- /dev/null
+++ b/net-firewall/iptables/iptables-1.4.21-r3.ebuild
@@ -0,0 +1,104 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="5"
+
+# Force users doing their own patches to install their own tools
+AUTOTOOLS_AUTO_DEPEND=no
+
+inherit eutils multilib systemd toolchain-funcs autotools flag-o-matic
+
+DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
+HOMEPAGE="http://www.netfilter.org/projects/iptables/"
+SRC_URI="http://www.netfilter.org/projects/iptables/files/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+# Subslot tracks libxtables as that's the one other packages generally link
+# against and iptables changes.  Will have to revisit if other sonames change.
+SLOT="0/10"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
+IUSE="conntrack ipv6 netlink pcap static-libs"
+
+RDEPEND="
+	conntrack? ( net-libs/libnetfilter_conntrack )
+	netlink? ( net-libs/libnfnetlink )
+	pcap? ( net-libs/libpcap )
+"
+DEPEND="${RDEPEND}
+	virtual/os-headers
+	virtual/pkgconfig
+"
+
+src_prepare() {
+	# use the saner headers from the kernel
+	rm -f include/linux/{kernel,types}.h
+
+	epatch "${FILESDIR}"/${P}-configure.patch #557586
+	epatch "${FILESDIR}"/${P}-static-connlabel-config.patch #558234
+
+	# Only run autotools if user patched something
+	epatch_user && eautoreconf || elibtoolize
+}
+
+src_configure() {
+	# Some libs use $(AR) rather than libtool to build #444282
+	tc-export AR
+
+	# Hack around struct mismatches between userland & kernel for some ABIs. #472388
+	use amd64 && [[ ${ABI} == "x32" ]] && append-flags -fpack-struct
+
+	sed -i \
+		-e "/nfnetlink=[01]/s:=[01]:=$(usex netlink 1 0):" \
+		-e "/nfconntrack=[01]/s:=[01]:=$(usex conntrack 1 0):" \
+		configure || die
+
+	econf \
+		--sbindir="${EPREFIX}/sbin" \
+		--libexecdir="${EPREFIX}/$(get_libdir)" \
+		--enable-devel \
+		--enable-shared \
+		$(use_enable pcap bpf-compiler) \
+		$(use_enable static-libs static) \
+		$(use_enable ipv6)
+}
+
+src_compile() {
+	emake V=1
+}
+
+src_install() {
+	default
+	dodoc INCOMPATIBILITIES iptables/iptables.xslt
+
+	# all the iptables binaries are in /sbin, so might as well
+	# put these small files in with them
+	into /
+	dosbin iptables/iptables-apply
+	dosym iptables-apply /sbin/ip6tables-apply
+	doman iptables/iptables-apply.8
+
+	insinto /usr/include
+	doins include/iptables.h $(use ipv6 && echo include/ip6tables.h)
+	insinto /usr/include/iptables
+	doins include/iptables/internal.h
+
+	keepdir /var/lib/iptables
+	newinitd "${FILESDIR}"/${PN}.init iptables
+	newconfd "${FILESDIR}"/${PN}-1.4.13.confd iptables
+	if use ipv6 ; then
+		keepdir /var/lib/ip6tables
+		newinitd "${FILESDIR}"/iptables.init ip6tables
+		newconfd "${FILESDIR}"/ip6tables-1.4.13.confd ip6tables
+	fi
+
+	systemd_dounit "${FILESDIR}"/systemd/iptables{,-{re,}store}.service
+	if use ipv6 ; then
+		systemd_dounit "${FILESDIR}"/systemd/ip6tables{,-{re,}store}.service
+	fi
+
+	# Move important libs to /lib #332175
+	gen_usr_ldscript -a ip{4,6}tc iptc xtables
+
+	prune_libtool_files
+}
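Review bot: `append-flags -fpack-struct` in src_configure applies to every object built on x32, including the libraries that `gen_usr_ldscript` moves to /lib and whose headers this ebuild installs under /usr/include. GCC documents code built with this flag as not binary compatible with code built without it, so consumers of libxtables compiled with default packing may disagree on struct layout. The existing comment cites only #472388; it should state that risk, e.g. `# -fpack-struct repacks every struct in this build; x32 consumers of libxtables must match (#472388)`. Limiting the flag to the objects that exchange structs with the kernel would be safer, if the build system allows it.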



* [gentoo-commits] repo/gentoo:master commit in: net-firewall/iptables/files/, net-firewall/iptables/
@ 2018-07-09 14:52 Thomas Deutschmann
From: Thomas Deutschmann @ 2018-07-09 14:52 UTC (permalink / raw
  To: gentoo-commits

commit:     3a10deb82c1bcadbc0977d26dce8650c2bf5ba0a
Author:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
AuthorDate: Mon Jul  9 14:51:42 2018 +0000
Commit:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
CommitDate: Mon Jul  9 14:51:59 2018 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3a10deb8

net-firewall/iptables: fix building with USE=-nftables

Closes: https://bugs.gentoo.org/660790
Package-Manager: Portage-2.3.41, Repoman-2.3.9

 ...es-1.8.0-fix-building-without-nft-backend.patch | 26 ++++++++++++++++++++++
 net-firewall/iptables/iptables-1.8.0.ebuild        |  7 ++++--
 2 files changed, 31 insertions(+), 2 deletions(-)

diff --git a/net-firewall/iptables/files/iptables-1.8.0-fix-building-without-nft-backend.patch b/net-firewall/iptables/files/iptables-1.8.0-fix-building-without-nft-backend.patch
new file mode 100644
index 00000000000..6b19c87678b
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-1.8.0-fix-building-without-nft-backend.patch
@@ -0,0 +1,26 @@
+extensions: don't bother to build libebt/libarp extensions if nft backend was disabled
+
+Bug: https://bugs.gentoo.org/660790
+Reported-by: Thomas Deutschmann <whissi@gentoo.org>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+---
+ extensions/GNUmakefile.in | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
+index bee666e80e45..c0d73cd28c03 100644
+--- a/extensions/GNUmakefile.in
++++ b/extensions/GNUmakefile.in
+@@ -40,8 +40,8 @@ endif
+ #	Wildcard module list
+ #
+ pfx_build_mod := $(patsubst ${srcdir}/libxt_%.c,%,$(sort $(wildcard ${srcdir}/libxt_*.c)))
+-pfb_build_mod := $(patsubst ${srcdir}/libebt_%.c,%,$(sort $(wildcard ${srcdir}/libebt_*.c)))
+-pfa_build_mod := $(patsubst ${srcdir}/libarpt_%.c,%,$(sort $(wildcard ${srcdir}/libarpt_*.c)))
++@ENABLE_NFTABLES_TRUE@ pfb_build_mod := $(patsubst ${srcdir}/libebt_%.c,%,$(sort $(wildcard ${srcdir}/libebt_*.c)))
++@ENABLE_NFTABLES_TRUE@ pfa_build_mod := $(patsubst ${srcdir}/libarpt_%.c,%,$(sort $(wildcard ${srcdir}/libarpt_*.c)))
+ pfx_symlinks  := NOTRACK state
+ @ENABLE_IPV4_TRUE@ pf4_build_mod := $(patsubst ${srcdir}/libipt_%.c,%,$(sort $(wildcard ${srcdir}/libipt_*.c)))
+ @ENABLE_IPV6_TRUE@ pf6_build_mod := $(patsubst ${srcdir}/libip6t_%.c,%,$(sort $(wildcard ${srcdir}/libip6t_*.c)))
+-- 
+2.17.1

diff --git a/net-firewall/iptables/iptables-1.8.0.ebuild b/net-firewall/iptables/iptables-1.8.0.ebuild
index 78051935b05..d4cee0085fc 100644
--- a/net-firewall/iptables/iptables-1.8.0.ebuild
+++ b/net-firewall/iptables/iptables-1.8.0.ebuild
@@ -41,12 +41,15 @@ RDEPEND="${COMMON_DEPEND}
 	nftables? ( net-misc/ethertypes )
 "
 
+PATCHES=( "${FILESDIR}"/iptables-1.8.0-fix-building-without-nft-backend.patch )
+
 src_prepare() {
 	# use the saner headers from the kernel
 	rm -f include/linux/{kernel,types}.h
 
-	# Only run autotools if user patched something
-	eapply_user && eautoreconf || elibtoolize
+	default
+
+	eautoreconf
 }
 
 src_configure() {
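Review bot: `eautoreconf` now runs on every build in src_prepare, where the removed lines ran it only after user patches. The other iptables ebuilds on this page set `AUTOTOOLS_AUTO_DEPEND=no`; if this one still does (its header is outside the hunk), the autotools packages are not guaranteed to be installed when `eautoreconf` is called. Either drop that setting or add `DEPEND+=" ${AUTOTOOLS_DEPEND}"`, so the build does not depend on what happens to be present on the host. src_prepare's opening lines and the body of src_configure are outside the hunk.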



* [gentoo-commits] repo/gentoo:master commit in: net-firewall/iptables/files/, net-firewall/iptables/
@ 2018-10-24 13:26 Lars Wendler
From: Lars Wendler @ 2018-10-24 13:26 UTC (permalink / raw
  To: gentoo-commits

commit:     281ad1c5b4f2d41492b69aaf169f5fa6ea1ab20b
Author:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
AuthorDate: Wed Oct 24 13:26:18 2018 +0000
Commit:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
CommitDate: Wed Oct 24 13:26:33 2018 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=281ad1c5

net-firewall/iptables: Fixed build with USE="-nftables"

Closes: https://bugs.gentoo.org/669486
Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org>
Package-Manager: Portage-2.3.51, Repoman-2.3.11

 ...es-1.8.1-build_limit_without_libnftnl_fix.patch | 44 ++++++++++++++++++++++
 net-firewall/iptables/iptables-1.8.1.ebuild        |  2 +
 2 files changed, 46 insertions(+)

diff --git a/net-firewall/iptables/files/iptables-1.8.1-build_limit_without_libnftnl_fix.patch b/net-firewall/iptables/files/iptables-1.8.1-build_limit_without_libnftnl_fix.patch
new file mode 100644
index 00000000000..a0fca7efa93
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-1.8.1-build_limit_without_libnftnl_fix.patch
@@ -0,0 +1,44 @@
+From b2fc2a368562d55fadad94d995247bb8cd7e68a3 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Wed, 24 Oct 2018 12:00:11 +0200
+Subject: extensions: limit: unbreak build without libnftnl
+
+Lars Wendler reported 1.8.1 build failure when trying to build without nft backend:
+
+  In file included from ../iptables/nft.h:5, from libxt_limit.c:18: libnftnl/rule.h: No such file or directory
+
+Reported-by: Lars Wendler <polynomial-c@gentoo.org>
+Fixes: 02b80972c43 ("ebtables: Merge libebt_limit.c into libxt_limit.c")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+---
+ extensions/libxt_limit.c | 1 -
+ iptables/nft-bridge.h    | 1 +
+ 2 files changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/extensions/libxt_limit.c b/extensions/libxt_limit.c
+index c7b66295..1b324657 100644
+--- a/extensions/libxt_limit.c
++++ b/extensions/libxt_limit.c
+@@ -15,7 +15,6 @@
+ #include <xtables.h>
+ #include <linux/netfilter/x_tables.h>
+ #include <linux/netfilter/xt_limit.h>
+-#include "iptables/nft.h"
+ #include "iptables/nft-bridge.h"
+ 
+ #define XT_LIMIT_AVG	"3/hour"
+diff --git a/iptables/nft-bridge.h b/iptables/nft-bridge.h
+index 9d49ccbe..de52cd71 100644
+--- a/iptables/nft-bridge.h
++++ b/iptables/nft-bridge.h
+@@ -68,6 +68,7 @@ int ebt_get_mac_and_mask(const char *from, unsigned char *to, unsigned char *mas
+ #define EBT_VERDICT_BITS 0x0000000F
+ 
+ struct nftnl_rule;
++struct iptables_command_state;
+ 
+ static const char *ebt_standard_targets[NUM_STANDARD_TARGETS] = {
+ 	"ACCEPT",
+-- 
+cgit v1.2.1
+

diff --git a/net-firewall/iptables/iptables-1.8.1.ebuild b/net-firewall/iptables/iptables-1.8.1.ebuild
index 043562633bd..3db0cde5904 100644
--- a/net-firewall/iptables/iptables-1.8.1.ebuild
+++ b/net-firewall/iptables/iptables-1.8.1.ebuild
@@ -42,6 +42,8 @@ RDEPEND="${COMMON_DEPEND}
 "
 
 src_prepare() {
+	eapply "${FILESDIR}/${P}-build_limit_without_libnftnl_fix.patch" #669486
+
 	# use the saner headers from the kernel
 	rm -f include/linux/{kernel,types}.h
 



* [gentoo-commits] repo/gentoo:master commit in: net-firewall/iptables/files/, net-firewall/iptables/
@ 2018-11-14 10:13 Lars Wendler
From: Lars Wendler @ 2018-11-14 10:13 UTC (permalink / raw
  To: gentoo-commits

commit:     d3b81429961f996c4a19552ea3c832e1bea615d0
Author:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
AuthorDate: Wed Nov 14 10:13:15 2018 +0000
Commit:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
CommitDate: Wed Nov 14 10:13:33 2018 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d3b81429

net-firewall/iptables: Removed old.

Package-Manager: Portage-2.3.51, Repoman-2.3.12
Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org>

 net-firewall/iptables/Manifest                     |   1 -
 ...es-1.8.0-fix-building-without-nft-backend.patch |  26 ----
 ...ort-nft-suffix-for-arptables-and-ebtables.patch |  44 -------
 net-firewall/iptables/iptables-1.8.0-r1.ebuild     | 132 ---------------------
 4 files changed, 203 deletions(-)

diff --git a/net-firewall/iptables/Manifest b/net-firewall/iptables/Manifest
index aaefc0f765c..8808dd33a3a 100644
--- a/net-firewall/iptables/Manifest
+++ b/net-firewall/iptables/Manifest
@@ -1,6 +1,5 @@
 DIST iptables-1.4.21.tar.bz2 547439 BLAKE2B e30f25581a118b91781dcc02761d4c8c420fb19876ec9e8ade3aff22b574931065f9a1c1ec31983a444c406dd928c47673d02698553da85c3db4f31484b1597d SHA512 dd4baccdb080284d8620e6ed59beafc2677813f3e099051764b07f8e394f6d94ca11861b181f3cce7c55c66de64c1e2add13dc1a0b64e24050cd9fb7aea0689b
 DIST iptables-1.6.1.tar.bz2 620890 BLAKE2B b45ac26e1fb7e8b17a6df0afab3b6c0e2f0a5df9191367548136b3ce9aadc1bcb875b8bc0403e6f12fcf487054e96418f4ef34da827af8989fd4dcf83cd3cd8d SHA512 12280db6e6ef8e68da2537e9da59fc601790fd02b1ba38a37c90dbb56272018329dccb8be995f96ecd5d94fafa6043204f3e8f8ee96531685d9e3c55359d2ee8
 DIST iptables-1.6.2.tar.bz2 639785 BLAKE2B 3d129756fd33c8c73d56d57e3c5595896db86ded14834a45db21b964d82840b62216ce3cea4ae4960e8c5f0671df3cc6bfb222f68d29cf3a8c99e0eee14bf017 SHA512 04f22e969c794246b9aa28055b202638081cfb0bb4a5625c049a30c48ac84cdd41db12a53c5831398cfe47c8f5691aa02b30b0ae3b5afe0f20ec48cf86a799c0
-DIST iptables-1.8.0.tar.bz2 677980 BLAKE2B ce874572d736087f46ea5a6e393cf9b32bf7328efda0fd9faee94dfa11428fc0e124d5ed81329484032ac4ebe89b2604b26dbb135e152c0e0f4c74d88db52d00 SHA512 5f3fe4c15f02e29a2e6ee2905a242f450f8a3b51553618e0cdc59301c35b8bb663e8f2ea70dfcaed8d4e53192c01519906b60ff649385c693e0602622742890f
 DIST iptables-1.8.1.tar.bz2 678706 BLAKE2B 671e7329cc07dae0fbc54c1f6061bc148c4823e1f675369ee36a7cd2346cc1a9a516d5aa2e8a3506d5400027c1ba306cbe426940894117710bc61aacd256fccd SHA512 96a896b6dd26c2d0b4e1672d428ea3c3aab0a3c9e56a896af3a2b8428c4212d7378ba555e0be198b0ccb3fd370bca529466ab8b4edc1777eb7deed600d3f0e11
 DIST iptables-1.8.2.tar.bz2 679858 BLAKE2B 2004d85c89ecbc37ef0d571ac8ece680fd2e11a51b074f6387d6e9c4892da524c785d6bf3f30e26af4e7c2cb1f401d51bf8bcb21a91e380e24945374553139cb SHA512 8cf0f515764e1dc6e03284581d682d1949b33e8f25fea29c27ae856f1089fe8ca7b1814524b85f4378fd1fc7c7c7d002f06557b257ae2bbc945f8555bad0dc76

diff --git a/net-firewall/iptables/files/iptables-1.8.0-fix-building-without-nft-backend.patch b/net-firewall/iptables/files/iptables-1.8.0-fix-building-without-nft-backend.patch
deleted file mode 100644
index 6b19c87678b..00000000000
--- a/net-firewall/iptables/files/iptables-1.8.0-fix-building-without-nft-backend.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-extensions: don't bother to build libebt/libarp extensions if nft backend was disabled
-
-Bug: https://bugs.gentoo.org/660790
-Reported-by: Thomas Deutschmann <whissi@gentoo.org>
-Signed-off-by: Florian Westphal <fw@strlen.de>
----
- extensions/GNUmakefile.in | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
-index bee666e80e45..c0d73cd28c03 100644
---- a/extensions/GNUmakefile.in
-+++ b/extensions/GNUmakefile.in
-@@ -40,8 +40,8 @@ endif
- #	Wildcard module list
- #
- pfx_build_mod := $(patsubst ${srcdir}/libxt_%.c,%,$(sort $(wildcard ${srcdir}/libxt_*.c)))
--pfb_build_mod := $(patsubst ${srcdir}/libebt_%.c,%,$(sort $(wildcard ${srcdir}/libebt_*.c)))
--pfa_build_mod := $(patsubst ${srcdir}/libarpt_%.c,%,$(sort $(wildcard ${srcdir}/libarpt_*.c)))
-+@ENABLE_NFTABLES_TRUE@ pfb_build_mod := $(patsubst ${srcdir}/libebt_%.c,%,$(sort $(wildcard ${srcdir}/libebt_*.c)))
-+@ENABLE_NFTABLES_TRUE@ pfa_build_mod := $(patsubst ${srcdir}/libarpt_%.c,%,$(sort $(wildcard ${srcdir}/libarpt_*.c)))
- pfx_symlinks  := NOTRACK state
- @ENABLE_IPV4_TRUE@ pf4_build_mod := $(patsubst ${srcdir}/libipt_%.c,%,$(sort $(wildcard ${srcdir}/libipt_*.c)))
- @ENABLE_IPV6_TRUE@ pf6_build_mod := $(patsubst ${srcdir}/libip6t_%.c,%,$(sort $(wildcard ${srcdir}/libip6t_*.c)))
--- 
-2.17.1

diff --git a/net-firewall/iptables/files/iptables-1.8.0-support-nft-suffix-for-arptables-and-ebtables.patch b/net-firewall/iptables/files/iptables-1.8.0-support-nft-suffix-for-arptables-and-ebtables.patch
deleted file mode 100644
index 1053c0a338e..00000000000
--- a/net-firewall/iptables/files/iptables-1.8.0-support-nft-suffix-for-arptables-and-ebtables.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-Backport of
-
-https://git.netfilter.org/iptables/commit/?id=565a22395c4c620bf26a002515d9016db0c35824
-
-Bug: https://bugs.gentoo.org/660886
---- a/iptables/Makefile.am
-+++ b/iptables/Makefile.am
-@@ -80,7 +80,9 @@ x_sbin_links  = iptables-nft iptables-nft-restore iptables-nft-save \
- 		ip6tables-nft ip6tables-nft-restore ip6tables-nft-save \
- 		iptables-translate ip6tables-translate \
- 		iptables-restore-translate ip6tables-restore-translate \
--		arptables ebtables xtables-monitor
-+		arptables-nft arptables \
-+		ebtables-nft ebtables \
-+		xtables-monitor
- endif
- 
- iptables-extensions.8: iptables-extensions.8.tmpl ../extensions/matches.man ../extensions/targets.man
---- a/iptables/Makefile.in
-+++ b/iptables/Makefile.in
-@@ -526,7 +526,9 @@ vx_bin_links = iptables-xml
- @ENABLE_NFTABLES_TRUE@		ip6tables-nft ip6tables-nft-restore ip6tables-nft-save \
- @ENABLE_NFTABLES_TRUE@		iptables-translate ip6tables-translate \
- @ENABLE_NFTABLES_TRUE@		iptables-restore-translate ip6tables-restore-translate \
--@ENABLE_NFTABLES_TRUE@		arptables ebtables xtables-monitor
-+@ENABLE_NFTABLES_TRUE@		arptables-nft arptables \
-+@ENABLE_NFTABLES_TRUE@		ebtables-nft ebtables \
-+@ENABLE_NFTABLES_TRUE@		xtables-monitor
- 
- pkgconfig_DATA = xtables.pc
- all: $(BUILT_SOURCES)
---- a/iptables/xtables-nft-multi.c
-+++ b/iptables/xtables-nft-multi.c
-@@ -31,8 +31,10 @@ static const struct subcommand multi_subcommands[] = {
- 	{"iptables-restore-translate",	xtables_ip4_xlate_restore_main},
- 	{"ip6tables-restore-translate",	xtables_ip6_xlate_restore_main},
- 	{"arptables",			xtables_arp_main},
-+	{"arptables-nft",		xtables_arp_main},
- 	{"ebtables-translate",		xtables_eb_xlate_main},
- 	{"ebtables",			xtables_eb_main},
-+	{"ebtables-nft",		xtables_eb_main},
- 	{"xtables-monitor",		xtables_monitor_main},
- 	{NULL},
- };

diff --git a/net-firewall/iptables/iptables-1.8.0-r1.ebuild b/net-firewall/iptables/iptables-1.8.0-r1.ebuild
deleted file mode 100644
index cbef20783c2..00000000000
--- a/net-firewall/iptables/iptables-1.8.0-r1.ebuild
+++ /dev/null
@@ -1,132 +0,0 @@
-# Copyright 1999-2018 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=6
-
-# Force users doing their own patches to install their own tools
-AUTOTOOLS_AUTO_DEPEND=no
-
-inherit multilib systemd toolchain-funcs autotools flag-o-matic
-
-DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
-HOMEPAGE="https://www.netfilter.org/projects/iptables/"
-SRC_URI="https://www.netfilter.org/projects/iptables/files/${P}.tar.bz2"
-
-LICENSE="GPL-2"
-# Subslot tracks libxtables as that's the one other packages generally link
-# against and iptables changes.  Will have to revisit if other sonames change.
-SLOT="0/12"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
-IUSE="conntrack ipv6 netlink nftables pcap static-libs"
-
-COMMON_DEPEND="
-	conntrack? ( >=net-libs/libnetfilter_conntrack-1.0.6 )
-	netlink? ( net-libs/libnfnetlink )
-	nftables? (
-		>=net-libs/libmnl-1.0:0=
-		>=net-libs/libnftnl-1.1.1:0=
-	)
-	pcap? ( net-libs/libpcap )
-"
-DEPEND="${COMMON_DEPEND}
-	virtual/os-headers
-	>=sys-kernel/linux-headers-4.4:0
-	virtual/pkgconfig
-	nftables? (
-		sys-devel/flex
-		virtual/yacc
-	)
-"
-RDEPEND="${COMMON_DEPEND}
-	nftables? ( net-misc/ethertypes )
-"
-
-src_prepare() {
-	eapply "${FILESDIR}"/${P}-fix-building-without-nft-backend.patch
-	touch -r configure extensions/GNUmakefile.in || die
-
-	eapply "${FILESDIR}"/${P}-support-nft-suffix-for-arptables-and-ebtables.patch
-	touch -r configure iptables/Makefile.{am,in} || die
-
-	# use the saner headers from the kernel
-	rm -f include/linux/{kernel,types}.h
-
-	# Only run autotools if user patched something
-	eapply_user && eautoreconf || elibtoolize
-}
-
-src_configure() {
-	# Some libs use $(AR) rather than libtool to build #444282
-	tc-export AR
-
-	# Hack around struct mismatches between userland & kernel for some ABIs. #472388
-	use amd64 && [[ ${ABI} == "x32" ]] && append-flags -fpack-struct
-
-	sed -i \
-		-e "/nfnetlink=[01]/s:=[01]:=$(usex netlink 1 0):" \
-		-e "/nfconntrack=[01]/s:=[01]:=$(usex conntrack 1 0):" \
-		configure || die
-
-	local myeconfargs=(
-		--sbindir="${EPREFIX}/sbin"
-		--libexecdir="${EPREFIX}/$(get_libdir)"
-		--enable-devel
-		--enable-shared
-		$(use_enable nftables)
-		$(use_enable pcap bpf-compiler)
-		$(use_enable pcap nfsynproxy)
-		$(use_enable static-libs static)
-		$(use_enable ipv6)
-	)
-	econf "${myeconfargs[@]}"
-}
-
-src_compile() {
-	# Deal with parallel build errors.
-	use nftables && emake -C iptables xtables-config-parser.h
-	emake V=1
-}
-
-src_install() {
-	default
-	dodoc INCOMPATIBILITIES iptables/iptables.xslt
-
-	# all the iptables binaries are in /sbin, so might as well
-	# put these small files in with them
-	into /
-	dosbin iptables/iptables-apply
-	dosym iptables-apply /sbin/ip6tables-apply
-	doman iptables/iptables-apply.8
-
-	insinto /usr/include
-	doins include/iptables.h $(use ipv6 && echo include/ip6tables.h)
-	insinto /usr/include/iptables
-	doins include/iptables/internal.h
-
-	keepdir /var/lib/iptables
-	newinitd "${FILESDIR}"/${PN}.init iptables
-	newconfd "${FILESDIR}"/${PN}-1.4.13.confd iptables
-	if use ipv6 ; then
-		keepdir /var/lib/ip6tables
-		newinitd "${FILESDIR}"/iptables.init ip6tables
-		newconfd "${FILESDIR}"/ip6tables-1.4.13.confd ip6tables
-	fi
-
-	if use nftables; then
-		# Bug 647458
-		rm "${ED%/}"/etc/ethertypes || die
-
-		# Bug 660886
-		rm "${ED%/}"/sbin/{arptables,ebtables} || die
-	fi
-
-	systemd_dounit "${FILESDIR}"/systemd/iptables-{re,}store.service
-	if use ipv6 ; then
-		systemd_dounit "${FILESDIR}"/systemd/ip6tables-{re,}store.service
-	fi
-
-	# Move important libs to /lib #332175
-	gen_usr_ldscript -a ip{4,6}tc iptc xtables
-
-	find "${ED}" -name "*.la" -delete || die
-}



* [gentoo-commits] repo/gentoo:master commit in: net-firewall/iptables/files/, net-firewall/iptables/
@ 2018-11-20 13:54 Lars Wendler
From: Lars Wendler @ 2018-11-20 13:54 UTC (permalink / raw
  To: gentoo-commits

commit:     070fae35cc6d85cdb9c35b92b476394e17c8c144
Author:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
AuthorDate: Tue Nov 20 13:53:28 2018 +0000
Commit:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
CommitDate: Tue Nov 20 13:54:09 2018 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=070fae35

net-firewall/iptables: Removed old.

Package-Manager: Portage-2.3.52, Repoman-2.3.12
Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org>

 net-firewall/iptables/Manifest                     |   1 -
 .../iptables/files/iptables-1.4.21-configure.patch |  34 -------
 .../iptables-1.4.21-static-connlabel-config.patch  |  77 ---------------
 net-firewall/iptables/iptables-1.4.21-r1.ebuild    |  93 ------------------
 net-firewall/iptables/iptables-1.4.21-r5.ebuild    | 104 ---------------------
 5 files changed, 309 deletions(-)

diff --git a/net-firewall/iptables/Manifest b/net-firewall/iptables/Manifest
index 8808dd33a3a..2d94c7883a8 100644
--- a/net-firewall/iptables/Manifest
+++ b/net-firewall/iptables/Manifest
@@ -1,4 +1,3 @@
-DIST iptables-1.4.21.tar.bz2 547439 BLAKE2B e30f25581a118b91781dcc02761d4c8c420fb19876ec9e8ade3aff22b574931065f9a1c1ec31983a444c406dd928c47673d02698553da85c3db4f31484b1597d SHA512 dd4baccdb080284d8620e6ed59beafc2677813f3e099051764b07f8e394f6d94ca11861b181f3cce7c55c66de64c1e2add13dc1a0b64e24050cd9fb7aea0689b
 DIST iptables-1.6.1.tar.bz2 620890 BLAKE2B b45ac26e1fb7e8b17a6df0afab3b6c0e2f0a5df9191367548136b3ce9aadc1bcb875b8bc0403e6f12fcf487054e96418f4ef34da827af8989fd4dcf83cd3cd8d SHA512 12280db6e6ef8e68da2537e9da59fc601790fd02b1ba38a37c90dbb56272018329dccb8be995f96ecd5d94fafa6043204f3e8f8ee96531685d9e3c55359d2ee8
 DIST iptables-1.6.2.tar.bz2 639785 BLAKE2B 3d129756fd33c8c73d56d57e3c5595896db86ded14834a45db21b964d82840b62216ce3cea4ae4960e8c5f0671df3cc6bfb222f68d29cf3a8c99e0eee14bf017 SHA512 04f22e969c794246b9aa28055b202638081cfb0bb4a5625c049a30c48ac84cdd41db12a53c5831398cfe47c8f5691aa02b30b0ae3b5afe0f20ec48cf86a799c0
 DIST iptables-1.8.1.tar.bz2 678706 BLAKE2B 671e7329cc07dae0fbc54c1f6061bc148c4823e1f675369ee36a7cd2346cc1a9a516d5aa2e8a3506d5400027c1ba306cbe426940894117710bc61aacd256fccd SHA512 96a896b6dd26c2d0b4e1672d428ea3c3aab0a3c9e56a896af3a2b8428c4212d7378ba555e0be198b0ccb3fd370bca529466ab8b4edc1777eb7deed600d3f0e11

diff --git a/net-firewall/iptables/files/iptables-1.4.21-configure.patch b/net-firewall/iptables/files/iptables-1.4.21-configure.patch
deleted file mode 100644
index e827885f168..00000000000
--- a/net-firewall/iptables/files/iptables-1.4.21-configure.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-https://bugs.gentoo.org/557586
-
-From b24e59fba39120bfdb9e521bbd0af8f33a60466e Mon Sep 17 00:00:00 2001
-From: Mike Frysinger <vapier@gentoo.org>
-Date: Sat, 15 Aug 2015 14:12:39 -0400
-Subject: [PATCH] configure: fix 3rd arg w/AC_ARG_ENABLE
-
-The 3rd arg is used when --{enable,disable}-foo are passed in, not when
-the feature is enabled.  Use the existing $enableval instead.
-
-Signed-off-by: Mike Frysinger <vapier@gentoo.org>
----
- configure.ac | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
---- a/configure
-+++ b/configure
-@@ -11898,14 +11898,14 @@ fi
- 
- # Check whether --enable-bpf-compiler was given.
- if test "${enable_bpf_compiler+set}" = set; then :
--  enableval=$enable_bpf_compiler; enable_bpfc="yes"
-+  enableval=$enable_bpf_compiler; enable_bpfc="$enableval"
- else
-   enable_bpfc="no"
- fi
- 
- # Check whether --enable-nfsynproxy was given.
- if test "${enable_nfsynproxy+set}" = set; then :
--  enableval=$enable_nfsynproxy; enable_nfsynproxy="yes"
-+  enableval=$enable_nfsynproxy; enable_nfsynproxy="$enableval"
- else
-   enable_nfsynproxy="no"
- fi

diff --git a/net-firewall/iptables/files/iptables-1.4.21-static-connlabel-config.patch b/net-firewall/iptables/files/iptables-1.4.21-static-connlabel-config.patch
deleted file mode 100644
index a4183d6d402..00000000000
--- a/net-firewall/iptables/files/iptables-1.4.21-static-connlabel-config.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-https://bugs.gentoo.org/558234
-http://git.netfilter.org/iptables/commit/?id=825fbda5482a7d5ec5a6619c81fe07ff865c7d6e
-
-From 825fbda5482a7d5ec5a6619c81fe07ff865c7d6e Mon Sep 17 00:00:00 2001
-From: Florian Westphal <fw@strlen.de>
-Date: Fri, 5 Sep 2014 20:45:56 +0200
-Subject: [PATCH] extensions: libxt_connlabel: do not open config file from
- _init hook
-
-else, static builds will print this for every iptables invocation,
-even 'iptables -L'.  Delay open until we need to translate a mapping.
-
-Reported-by: Thomas De Schampheleire <patrickdepinguin@gmail.com>
-Signed-off-by: Florian Westphal <fw@strlen.de>
----
- extensions/libxt_connlabel.c | 27 ++++++++++++++++++++-------
- 1 file changed, 20 insertions(+), 7 deletions(-)
-
-diff --git a/extensions/libxt_connlabel.c b/extensions/libxt_connlabel.c
-index c84a167..1f83095 100644
---- a/extensions/libxt_connlabel.c
-+++ b/extensions/libxt_connlabel.c
-@@ -29,11 +29,26 @@ static const struct xt_option_entry connlabel_mt_opts[] = {
- 	XTOPT_TABLEEND,
- };
- 
-+/* cannot do this via _init, else static builds might spew error message
-+ * for every iptables invocation.
-+ */
-+static void connlabel_open(void)
-+{
-+	if (map)
-+		return;
-+
-+	map = nfct_labelmap_new(NULL);
-+	if (!map && errno)
-+		xtables_error(RESOURCE_PROBLEM, "cannot open connlabel.conf: %s\n",
-+			strerror(errno));
-+}
-+
- static void connlabel_mt_parse(struct xt_option_call *cb)
- {
- 	struct xt_connlabel_mtinfo *info = cb->data;
- 	int tmp;
- 
-+	connlabel_open();
- 	xtables_option_parse(cb);
- 
- 	switch (cb->entry->id) {
-@@ -54,7 +69,11 @@ static void connlabel_mt_parse(struct xt_option_call *cb)
- 
- static const char *connlabel_get_name(int b)
- {
--	const char *name = nfct_labelmap_get_name(map, b);
-+	const char *name;
-+
-+	connlabel_open();
-+
-+	name = nfct_labelmap_get_name(map, b);
- 	if (name && strcmp(name, ""))
- 		return name;
- 	return NULL;
-@@ -114,11 +133,5 @@ static struct xtables_match connlabel_mt_reg = {
- 
- void _init(void)
- {
--	map = nfct_labelmap_new(NULL);
--	if (!map) {
--		fprintf(stderr, "cannot open connlabel.conf, not registering '%s' match: %s\n",
--			connlabel_mt_reg.name, strerror(errno));
--		return;
--	}
- 	xtables_register_match(&connlabel_mt_reg);
- }
--- 
-2.4.4
-

diff --git a/net-firewall/iptables/iptables-1.4.21-r1.ebuild b/net-firewall/iptables/iptables-1.4.21-r1.ebuild
deleted file mode 100644
index 47f4a175748..00000000000
--- a/net-firewall/iptables/iptables-1.4.21-r1.ebuild
+++ /dev/null
@@ -1,93 +0,0 @@
-# Copyright 1999-2018 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="5"
-
-# Force users doing their own patches to install their own tools
-AUTOTOOLS_AUTO_DEPEND=no
-
-inherit eutils multilib systemd toolchain-funcs autotools
-
-DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
-HOMEPAGE="https://www.netfilter.org/projects/iptables/"
-SRC_URI="https://www.netfilter.org/projects/iptables/files/${P}.tar.bz2"
-
-LICENSE="GPL-2"
-SLOT="0"
-KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86"
-IUSE="conntrack ipv6 netlink static-libs"
-
-RDEPEND="
-	conntrack? ( net-libs/libnetfilter_conntrack )
-	netlink? ( net-libs/libnfnetlink )
-"
-DEPEND="${RDEPEND}
-	virtual/os-headers
-	virtual/pkgconfig
-"
-
-src_prepare() {
-	# use the saner headers from the kernel
-	rm -f include/linux/{kernel,types}.h
-
-	# Only run autotools if user patched something
-	epatch_user && eautoreconf || elibtoolize
-}
-
-src_configure() {
-	# Some libs use $(AR) rather than libtool to build #444282
-	tc-export AR
-
-	sed -i \
-		-e "/nfnetlink=[01]/s:=[01]:=$(usex netlink 1 0):" \
-		-e "/nfconntrack=[01]/s:=[01]:=$(usex conntrack 1 0):" \
-		configure || die
-
-	econf \
-		--sbindir="${EPREFIX}/sbin" \
-		--libexecdir="${EPREFIX}/$(get_libdir)" \
-		--enable-devel \
-		--enable-shared \
-		$(use_enable static-libs static) \
-		$(use_enable ipv6)
-}
-
-src_compile() {
-	emake V=1
-}
-
-src_install() {
-	default
-	dodoc INCOMPATIBILITIES iptables/iptables.xslt
-
-	# all the iptables binaries are in /sbin, so might as well
-	# put these small files in with them
-	into /
-	dosbin iptables/iptables-apply
-	dosym iptables-apply /sbin/ip6tables-apply
-	doman iptables/iptables-apply.8
-
-	insinto /usr/include
-	doins include/iptables.h $(use ipv6 && echo include/ip6tables.h)
-	insinto /usr/include/iptables
-	doins include/iptables/internal.h
-
-	keepdir /var/lib/iptables
-	newinitd "${FILESDIR}"/${PN}-1.4.13-r1.init iptables
-	newconfd "${FILESDIR}"/${PN}-1.4.13.confd iptables
-	if use ipv6 ; then
-		keepdir /var/lib/ip6tables
-		newinitd "${FILESDIR}"/iptables-1.4.13-r1.init ip6tables
-		newconfd "${FILESDIR}"/ip6tables-1.4.13.confd ip6tables
-	fi
-
-	systemd_dounit "${FILESDIR}"/systemd/iptables{,-{re,}store}.service
-	if use ipv6 ; then
-		systemd_dounit "${FILESDIR}"/systemd/ip6tables{,-{re,}store}.service
-	fi
-
-	# Move important libs to /lib #332175
-	gen_usr_ldscript -a ip{4,6}tc iptc xtables
-
-	prune_libtool_files
-}

diff --git a/net-firewall/iptables/iptables-1.4.21-r5.ebuild b/net-firewall/iptables/iptables-1.4.21-r5.ebuild
deleted file mode 100644
index 6dbce98c427..00000000000
--- a/net-firewall/iptables/iptables-1.4.21-r5.ebuild
+++ /dev/null
@@ -1,104 +0,0 @@
-# Copyright 1999-2018 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="5"
-
-# Force users doing their own patches to install their own tools
-AUTOTOOLS_AUTO_DEPEND=no
-
-inherit eutils multilib systemd toolchain-funcs autotools flag-o-matic
-
-DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
-HOMEPAGE="https://www.netfilter.org/projects/iptables/"
-SRC_URI="https://www.netfilter.org/projects/iptables/files/${P}.tar.bz2"
-
-LICENSE="GPL-2"
-# Subslot tracks libxtables as that's the one other packages generally link
-# against and iptables changes.  Will have to revisit if other sonames change.
-SLOT="0/10"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
-IUSE="conntrack ipv6 netlink pcap static-libs"
-
-RDEPEND="
-	conntrack? ( net-libs/libnetfilter_conntrack )
-	netlink? ( net-libs/libnfnetlink )
-	pcap? ( net-libs/libpcap )
-"
-DEPEND="${RDEPEND}
-	virtual/os-headers
-	virtual/pkgconfig
-"
-
-src_prepare() {
-	# use the saner headers from the kernel
-	rm -f include/linux/{kernel,types}.h
-
-	epatch "${FILESDIR}"/${P}-configure.patch #557586
-	epatch "${FILESDIR}"/${P}-static-connlabel-config.patch #558234
-
-	# Only run autotools if user patched something
-	epatch_user && eautoreconf || elibtoolize
-}
-
-src_configure() {
-	# Some libs use $(AR) rather than libtool to build #444282
-	tc-export AR
-
-	# Hack around struct mismatches between userland & kernel for some ABIs. #472388
-	use amd64 && [[ ${ABI} == "x32" ]] && append-flags -fpack-struct
-
-	sed -i \
-		-e "/nfnetlink=[01]/s:=[01]:=$(usex netlink 1 0):" \
-		-e "/nfconntrack=[01]/s:=[01]:=$(usex conntrack 1 0):" \
-		configure || die
-
-	econf \
-		--sbindir="${EPREFIX}/sbin" \
-		--libexecdir="${EPREFIX}/$(get_libdir)" \
-		--enable-devel \
-		--enable-shared \
-		$(use_enable pcap bpf-compiler) \
-		$(use_enable pcap nfsynproxy) \
-		$(use_enable static-libs static) \
-		$(use_enable ipv6)
-}
-
-src_compile() {
-	emake V=1
-}
-
-src_install() {
-	default
-	dodoc INCOMPATIBILITIES iptables/iptables.xslt
-
-	# all the iptables binaries are in /sbin, so might as well
-	# put these small files in with them
-	into /
-	dosbin iptables/iptables-apply
-	dosym iptables-apply /sbin/ip6tables-apply
-	doman iptables/iptables-apply.8
-
-	insinto /usr/include
-	doins include/iptables.h $(use ipv6 && echo include/ip6tables.h)
-	insinto /usr/include/iptables
-	doins include/iptables/internal.h
-
-	keepdir /var/lib/iptables
-	newinitd "${FILESDIR}"/${PN}.init iptables
-	newconfd "${FILESDIR}"/${PN}-1.4.13.confd iptables
-	if use ipv6 ; then
-		keepdir /var/lib/ip6tables
-		newinitd "${FILESDIR}"/iptables.init ip6tables
-		newconfd "${FILESDIR}"/ip6tables-1.4.13.confd ip6tables
-	fi
-
-	systemd_dounit "${FILESDIR}"/systemd/iptables{,-{re,}store}.service
-	if use ipv6 ; then
-		systemd_dounit "${FILESDIR}"/systemd/ip6tables{,-{re,}store}.service
-	fi
-
-	# Move important libs to /lib #332175
-	gen_usr_ldscript -a ip{4,6}tc iptc xtables
-
-	prune_libtool_files
-}



* [gentoo-commits] repo/gentoo:master commit in: net-firewall/iptables/files/, net-firewall/iptables/
@ 2018-11-20 14:23 Lars Wendler
From: Lars Wendler @ 2018-11-20 14:23 UTC (permalink / raw
  To: gentoo-commits

commit:     7ed84d5b5c472c3251c4acb752d9fed6880bf973
Author:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
AuthorDate: Tue Nov 20 14:21:32 2018 +0000
Commit:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
CommitDate: Tue Nov 20 14:22:55 2018 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7ed84d5b

Revert "net-firewall/iptables: Removed old."

This reverts commit 070fae35cc6d85cdb9c35b92b476394e17c8c144.

Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org>

 net-firewall/iptables/Manifest                     |   1 +
 .../iptables/files/iptables-1.4.21-configure.patch |  34 +++++++
 .../iptables-1.4.21-static-connlabel-config.patch  |  77 +++++++++++++++
 net-firewall/iptables/iptables-1.4.21-r1.ebuild    |  93 ++++++++++++++++++
 net-firewall/iptables/iptables-1.4.21-r5.ebuild    | 104 +++++++++++++++++++++
 5 files changed, 309 insertions(+)

diff --git a/net-firewall/iptables/Manifest b/net-firewall/iptables/Manifest
index 2d94c7883a8..8808dd33a3a 100644
--- a/net-firewall/iptables/Manifest
+++ b/net-firewall/iptables/Manifest
@@ -1,3 +1,4 @@
+DIST iptables-1.4.21.tar.bz2 547439 BLAKE2B e30f25581a118b91781dcc02761d4c8c420fb19876ec9e8ade3aff22b574931065f9a1c1ec31983a444c406dd928c47673d02698553da85c3db4f31484b1597d SHA512 dd4baccdb080284d8620e6ed59beafc2677813f3e099051764b07f8e394f6d94ca11861b181f3cce7c55c66de64c1e2add13dc1a0b64e24050cd9fb7aea0689b
 DIST iptables-1.6.1.tar.bz2 620890 BLAKE2B b45ac26e1fb7e8b17a6df0afab3b6c0e2f0a5df9191367548136b3ce9aadc1bcb875b8bc0403e6f12fcf487054e96418f4ef34da827af8989fd4dcf83cd3cd8d SHA512 12280db6e6ef8e68da2537e9da59fc601790fd02b1ba38a37c90dbb56272018329dccb8be995f96ecd5d94fafa6043204f3e8f8ee96531685d9e3c55359d2ee8
 DIST iptables-1.6.2.tar.bz2 639785 BLAKE2B 3d129756fd33c8c73d56d57e3c5595896db86ded14834a45db21b964d82840b62216ce3cea4ae4960e8c5f0671df3cc6bfb222f68d29cf3a8c99e0eee14bf017 SHA512 04f22e969c794246b9aa28055b202638081cfb0bb4a5625c049a30c48ac84cdd41db12a53c5831398cfe47c8f5691aa02b30b0ae3b5afe0f20ec48cf86a799c0
 DIST iptables-1.8.1.tar.bz2 678706 BLAKE2B 671e7329cc07dae0fbc54c1f6061bc148c4823e1f675369ee36a7cd2346cc1a9a516d5aa2e8a3506d5400027c1ba306cbe426940894117710bc61aacd256fccd SHA512 96a896b6dd26c2d0b4e1672d428ea3c3aab0a3c9e56a896af3a2b8428c4212d7378ba555e0be198b0ccb3fd370bca529466ab8b4edc1777eb7deed600d3f0e11

diff --git a/net-firewall/iptables/files/iptables-1.4.21-configure.patch b/net-firewall/iptables/files/iptables-1.4.21-configure.patch
new file mode 100644
index 00000000000..e827885f168
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-1.4.21-configure.patch
@@ -0,0 +1,34 @@
+https://bugs.gentoo.org/557586
+
+From b24e59fba39120bfdb9e521bbd0af8f33a60466e Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier@gentoo.org>
+Date: Sat, 15 Aug 2015 14:12:39 -0400
+Subject: [PATCH] configure: fix 3rd arg w/AC_ARG_ENABLE
+
+The 3rd arg is used when --{enable,disable}-foo are passed in, not when
+the feature is enabled.  Use the existing $enableval instead.
+
+Signed-off-by: Mike Frysinger <vapier@gentoo.org>
+---
+ configure.ac | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/configure
++++ b/configure
+@@ -11898,14 +11898,14 @@ fi
+ 
+ # Check whether --enable-bpf-compiler was given.
+ if test "${enable_bpf_compiler+set}" = set; then :
+-  enableval=$enable_bpf_compiler; enable_bpfc="yes"
++  enableval=$enable_bpf_compiler; enable_bpfc="$enableval"
+ else
+   enable_bpfc="no"
+ fi
+ 
+ # Check whether --enable-nfsynproxy was given.
+ if test "${enable_nfsynproxy+set}" = set; then :
+-  enableval=$enable_nfsynproxy; enable_nfsynproxy="yes"
++  enableval=$enable_nfsynproxy; enable_nfsynproxy="$enableval"
+ else
+   enable_nfsynproxy="no"
+ fi

diff --git a/net-firewall/iptables/files/iptables-1.4.21-static-connlabel-config.patch b/net-firewall/iptables/files/iptables-1.4.21-static-connlabel-config.patch
new file mode 100644
index 00000000000..a4183d6d402
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-1.4.21-static-connlabel-config.patch
@@ -0,0 +1,77 @@
+https://bugs.gentoo.org/558234
+http://git.netfilter.org/iptables/commit/?id=825fbda5482a7d5ec5a6619c81fe07ff865c7d6e
+
+From 825fbda5482a7d5ec5a6619c81fe07ff865c7d6e Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Fri, 5 Sep 2014 20:45:56 +0200
+Subject: [PATCH] extensions: libxt_connlabel: do not open config file from
+ _init hook
+
+else, static builds will print this for every iptables invocation,
+even 'iptables -L'.  Delay open until we need to translate a mapping.
+
+Reported-by: Thomas De Schampheleire <patrickdepinguin@gmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+---
+ extensions/libxt_connlabel.c | 27 ++++++++++++++++++++-------
+ 1 file changed, 20 insertions(+), 7 deletions(-)
+
+diff --git a/extensions/libxt_connlabel.c b/extensions/libxt_connlabel.c
+index c84a167..1f83095 100644
+--- a/extensions/libxt_connlabel.c
++++ b/extensions/libxt_connlabel.c
+@@ -29,11 +29,26 @@ static const struct xt_option_entry connlabel_mt_opts[] = {
+ 	XTOPT_TABLEEND,
+ };
+ 
++/* cannot do this via _init, else static builds might spew error message
++ * for every iptables invocation.
++ */
++static void connlabel_open(void)
++{
++	if (map)
++		return;
++
++	map = nfct_labelmap_new(NULL);
++	if (!map && errno)
++		xtables_error(RESOURCE_PROBLEM, "cannot open connlabel.conf: %s\n",
++			strerror(errno));
++}
++
+ static void connlabel_mt_parse(struct xt_option_call *cb)
+ {
+ 	struct xt_connlabel_mtinfo *info = cb->data;
+ 	int tmp;
+ 
++	connlabel_open();
+ 	xtables_option_parse(cb);
+ 
+ 	switch (cb->entry->id) {
+@@ -54,7 +69,11 @@ static void connlabel_mt_parse(struct xt_option_call *cb)
+ 
+ static const char *connlabel_get_name(int b)
+ {
+-	const char *name = nfct_labelmap_get_name(map, b);
++	const char *name;
++
++	connlabel_open();
++
++	name = nfct_labelmap_get_name(map, b);
+ 	if (name && strcmp(name, ""))
+ 		return name;
+ 	return NULL;
+@@ -114,11 +133,5 @@ static struct xtables_match connlabel_mt_reg = {
+ 
+ void _init(void)
+ {
+-	map = nfct_labelmap_new(NULL);
+-	if (!map) {
+-		fprintf(stderr, "cannot open connlabel.conf, not registering '%s' match: %s\n",
+-			connlabel_mt_reg.name, strerror(errno));
+-		return;
+-	}
+ 	xtables_register_match(&connlabel_mt_reg);
+ }
+-- 
+2.4.4
+
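Review bot: connlabel_open() can return with `map` still NULL, and connlabel_get_name() then hands it straight to `nfct_labelmap_get_name(map, b)`. The check `if (!map && errno)` reports the failure only when errno is nonzero, and errno is not cleared before `nfct_labelmap_new(NULL)`, so a stale value can also produce a misleading message. I would set `errno = 0;` before the call and add `if (!map) return NULL;` after `connlabel_open();` in connlabel_get_name(). The rest of connlabel_mt_parse lies outside the quoted hunks, so whether it tolerates a NULL map cannot be confirmed from here.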

diff --git a/net-firewall/iptables/iptables-1.4.21-r1.ebuild b/net-firewall/iptables/iptables-1.4.21-r1.ebuild
new file mode 100644
index 00000000000..47f4a175748
--- /dev/null
+++ b/net-firewall/iptables/iptables-1.4.21-r1.ebuild
@@ -0,0 +1,93 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="5"
+
+# Force users doing their own patches to install their own tools
+AUTOTOOLS_AUTO_DEPEND=no
+
+inherit eutils multilib systemd toolchain-funcs autotools
+
+DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
+HOMEPAGE="https://www.netfilter.org/projects/iptables/"
+SRC_URI="https://www.netfilter.org/projects/iptables/files/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86"
+IUSE="conntrack ipv6 netlink static-libs"
+
+RDEPEND="
+	conntrack? ( net-libs/libnetfilter_conntrack )
+	netlink? ( net-libs/libnfnetlink )
+"
+DEPEND="${RDEPEND}
+	virtual/os-headers
+	virtual/pkgconfig
+"
+
+src_prepare() {
+	# use the saner headers from the kernel
+	rm -f include/linux/{kernel,types}.h
+
+	# Only run autotools if user patched something
+	epatch_user && eautoreconf || elibtoolize
+}
+
+src_configure() {
+	# Some libs use $(AR) rather than libtool to build #444282
+	tc-export AR
+
+	sed -i \
+		-e "/nfnetlink=[01]/s:=[01]:=$(usex netlink 1 0):" \
+		-e "/nfconntrack=[01]/s:=[01]:=$(usex conntrack 1 0):" \
+		configure || die
+
+	econf \
+		--sbindir="${EPREFIX}/sbin" \
+		--libexecdir="${EPREFIX}/$(get_libdir)" \
+		--enable-devel \
+		--enable-shared \
+		$(use_enable static-libs static) \
+		$(use_enable ipv6)
+}
+
+src_compile() {
+	emake V=1
+}
+
+src_install() {
+	default
+	dodoc INCOMPATIBILITIES iptables/iptables.xslt
+
+	# all the iptables binaries are in /sbin, so might as well
+	# put these small files in with them
+	into /
+	dosbin iptables/iptables-apply
+	dosym iptables-apply /sbin/ip6tables-apply
+	doman iptables/iptables-apply.8
+
+	insinto /usr/include
+	doins include/iptables.h $(use ipv6 && echo include/ip6tables.h)
+	insinto /usr/include/iptables
+	doins include/iptables/internal.h
+
+	keepdir /var/lib/iptables
+	newinitd "${FILESDIR}"/${PN}-1.4.13-r1.init iptables
+	newconfd "${FILESDIR}"/${PN}-1.4.13.confd iptables
+	if use ipv6 ; then
+		keepdir /var/lib/ip6tables
+		newinitd "${FILESDIR}"/iptables-1.4.13-r1.init ip6tables
+		newconfd "${FILESDIR}"/ip6tables-1.4.13.confd ip6tables
+	fi
+
+	systemd_dounit "${FILESDIR}"/systemd/iptables{,-{re,}store}.service
+	if use ipv6 ; then
+		systemd_dounit "${FILESDIR}"/systemd/ip6tables{,-{re,}store}.service
+	fi
+
+	# Move important libs to /lib #332175
+	gen_usr_ldscript -a ip{4,6}tc iptc xtables
+
+	prune_libtool_files
+}

diff --git a/net-firewall/iptables/iptables-1.4.21-r5.ebuild b/net-firewall/iptables/iptables-1.4.21-r5.ebuild
new file mode 100644
index 00000000000..6dbce98c427
--- /dev/null
+++ b/net-firewall/iptables/iptables-1.4.21-r5.ebuild
@@ -0,0 +1,104 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="5"
+
+# Force users doing their own patches to install their own tools
+AUTOTOOLS_AUTO_DEPEND=no
+
+inherit eutils multilib systemd toolchain-funcs autotools flag-o-matic
+
+DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
+HOMEPAGE="https://www.netfilter.org/projects/iptables/"
+SRC_URI="https://www.netfilter.org/projects/iptables/files/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+# Subslot tracks libxtables as that's the one other packages generally link
+# against and iptables changes.  Will have to revisit if other sonames change.
+SLOT="0/10"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
+IUSE="conntrack ipv6 netlink pcap static-libs"
+
+RDEPEND="
+	conntrack? ( net-libs/libnetfilter_conntrack )
+	netlink? ( net-libs/libnfnetlink )
+	pcap? ( net-libs/libpcap )
+"
+DEPEND="${RDEPEND}
+	virtual/os-headers
+	virtual/pkgconfig
+"
+
+src_prepare() {
+	# use the saner headers from the kernel
+	rm -f include/linux/{kernel,types}.h
+
+	epatch "${FILESDIR}"/${P}-configure.patch #557586
+	epatch "${FILESDIR}"/${P}-static-connlabel-config.patch #558234
+
+	# Only run autotools if user patched something
+	epatch_user && eautoreconf || elibtoolize
+}
+
+src_configure() {
+	# Some libs use $(AR) rather than libtool to build #444282
+	tc-export AR
+
+	# Hack around struct mismatches between userland & kernel for some ABIs. #472388
+	use amd64 && [[ ${ABI} == "x32" ]] && append-flags -fpack-struct
+
+	sed -i \
+		-e "/nfnetlink=[01]/s:=[01]:=$(usex netlink 1 0):" \
+		-e "/nfconntrack=[01]/s:=[01]:=$(usex conntrack 1 0):" \
+		configure || die
+
+	econf \
+		--sbindir="${EPREFIX}/sbin" \
+		--libexecdir="${EPREFIX}/$(get_libdir)" \
+		--enable-devel \
+		--enable-shared \
+		$(use_enable pcap bpf-compiler) \
+		$(use_enable pcap nfsynproxy) \
+		$(use_enable static-libs static) \
+		$(use_enable ipv6)
+}
+
+src_compile() {
+	emake V=1
+}
+
+src_install() {
+	default
+	dodoc INCOMPATIBILITIES iptables/iptables.xslt
+
+	# all the iptables binaries are in /sbin, so might as well
+	# put these small files in with them
+	into /
+	dosbin iptables/iptables-apply
+	dosym iptables-apply /sbin/ip6tables-apply
+	doman iptables/iptables-apply.8
+
+	insinto /usr/include
+	doins include/iptables.h $(use ipv6 && echo include/ip6tables.h)
+	insinto /usr/include/iptables
+	doins include/iptables/internal.h
+
+	keepdir /var/lib/iptables
+	newinitd "${FILESDIR}"/${PN}.init iptables
+	newconfd "${FILESDIR}"/${PN}-1.4.13.confd iptables
+	if use ipv6 ; then
+		keepdir /var/lib/ip6tables
+		newinitd "${FILESDIR}"/iptables.init ip6tables
+		newconfd "${FILESDIR}"/ip6tables-1.4.13.confd ip6tables
+	fi
+
+	systemd_dounit "${FILESDIR}"/systemd/iptables{,-{re,}store}.service
+	if use ipv6 ; then
+		systemd_dounit "${FILESDIR}"/systemd/ip6tables{,-{re,}store}.service
+	fi
+
+	# Move important libs to /lib #332175
+	gen_usr_ldscript -a ip{4,6}tc iptc xtables
+
+	prune_libtool_files
+}
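Review bot: In src_prepare the fix from `${P}-configure.patch` does not survive the `epatch_user && eautoreconf` path, because that patch (restored in this same commit) edits only the generated `configure` and not `configure.ac`. When a user patch triggers eautoreconf, `configure` is regenerated, and `$(use_enable pcap bpf-compiler)` and `$(use_enable pcap nfsynproxy)` with the pcap flag off would again be read as enabled, which is the behaviour the patch description says it corrects. Carrying the matching `configure.ac` change in the patch would keep both paths consistent. Failing that, a comment above the epatch line such as `# touches the generated configure only; lost if eautoreconf runs` would record the limitation.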



* [gentoo-commits] repo/gentoo:master commit in: net-firewall/iptables/files/, net-firewall/iptables/
@ 2018-11-20 15:36 Thomas Deutschmann
From: Thomas Deutschmann @ 2018-11-20 15:36 UTC (permalink / raw
  To: gentoo-commits

commit:     cdc003118830087bbb409761fe4e0e2c19ea103a
Author:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
AuthorDate: Tue Nov 20 15:36:22 2018 +0000
Commit:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
CommitDate: Tue Nov 20 15:36:38 2018 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cdc00311

net-firewall/iptables: multiple fixes for runscript

- We are now passing iptables "--wait" option to every iptables
  command which needs to acquire a lock. [Bug 501710]

- In addition, "--wait" (IPTABLES_LOCK_WAIT_TIME) and "--wait-interval"
  (IPTABLES_LOCK_WAIT_INTERVAL) is now configurable via
  /etc/conf.d/{iptables,ip6tables}.

- We are now only installing one runscript and now using a symlink
  for the ip6tables runscript.

- Error detection improved/added.

Closes: https://bugs.gentoo.org/501710
Package-Manager: Portage-2.3.52, Repoman-2.3.12
Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org>

 net-firewall/iptables/files/ip6tables-r1.confd |  27 +++++
 net-firewall/iptables/files/iptables-r1.confd  |  27 +++++
 net-firewall/iptables/files/iptables-r1.init   | 159 +++++++++++++++++++++++++
 net-firewall/iptables/iptables-1.8.2-r1.ebuild | 129 ++++++++++++++++++++
 4 files changed, 342 insertions(+)

diff --git a/net-firewall/iptables/files/ip6tables-r1.confd b/net-firewall/iptables/files/ip6tables-r1.confd
new file mode 100644
index 00000000000..e608f41d1ea
--- /dev/null
+++ b/net-firewall/iptables/files/ip6tables-r1.confd
@@ -0,0 +1,27 @@
+# /etc/conf.d/ip6tables
+
+# Set wait option for xtables lock in seconds
+# DEFAULT: 60
+#IPTABLES_LOCK_WAIT_TIME="60"
+
+# Set wait interval option for xtables lock in microseconds
+# DEFAULT: 1000
+#IPTABLES_LOCK_WAIT_INTERVAL="1000"
+
+# Location in which ip6tables initscript will save set rules on
+# service shutdown
+IP6TABLES_SAVE="/var/lib/ip6tables/rules-save"
+
+# Options to pass to ip6tables-save and ip6tables-restore 
+SAVE_RESTORE_OPTIONS="-c"
+
+# Save state on stopping ip6tables
+SAVE_ON_STOP="yes"
+
+# If you need to log ip6tables messages as soon as ip6tables starts,
+# AND your logger does NOT depend on the network, then you may wish
+# to uncomment the next line.
+# If your logger depends on the network, and you uncomment this line
+# you will create an unresolvable circular dependency during startup.
+# After commenting or uncommenting this line, you must run 'rc-update -u'.
+#rc_use="logger"

diff --git a/net-firewall/iptables/files/iptables-r1.confd b/net-firewall/iptables/files/iptables-r1.confd
new file mode 100644
index 00000000000..d5055e0a5d2
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-r1.confd
@@ -0,0 +1,27 @@
+# /etc/conf.d/iptables
+
+# Set wait option for xtables lock in seconds
+# DEFAULT: 60
+#IPTABLES_LOCK_WAIT_TIME="60"
+
+# Set wait interval option for xtables lock in microseconds
+# DEFAULT: 1000
+#IPTABLES_LOCK_WAIT_INTERVAL="1000"
+
+# Location in which iptables initscript will save set rules on
+# service shutdown
+IPTABLES_SAVE="/var/lib/iptables/rules-save"
+
+# Options to pass to iptables-save and iptables-restore 
+SAVE_RESTORE_OPTIONS="-c"
+
+# Save state on stopping iptables
+SAVE_ON_STOP="yes"
+
+# If you need to log iptables messages as soon as iptables starts,
+# AND your logger does NOT depend on the network, then you may wish
+# to uncomment the next line.
+# If your logger depends on the network, and you uncomment this line
+# you will create an unresolvable circular dependency during startup.
+# After commenting or uncommenting this line, you must run 'rc-update -u'.
+#rc_use="logger"

diff --git a/net-firewall/iptables/files/iptables-r1.init b/net-firewall/iptables/files/iptables-r1.init
new file mode 100755
index 00000000000..708dcce6d3c
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-r1.init
@@ -0,0 +1,159 @@
+#!/sbin/openrc-run
+# Copyright 1999-2018 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+extra_commands="check save panic"
+extra_started_commands="reload"
+
+iptables_lock_wait_time=${IPTABLES_LOCK_WAIT_TIME:-"60"}
+iptables_lock_wait_interval=${IPTABLES_LOCK_WAIT_INTERVAL:-"1000"}
+
+iptables_name=${SVCNAME}
+case ${iptables_name} in
+	iptables|ip6tables) ;;
+	*) iptables_name="iptables" ;;
+esac
+
+iptables_bin="/sbin/${iptables_name}"
+case ${iptables_name} in
+	iptables)  iptables_proc="/proc/net/ip_tables_names"
+	           iptables_save=${IPTABLES_SAVE};;
+	ip6tables) iptables_proc="/proc/net/ip6_tables_names"
+	           iptables_save=${IP6TABLES_SAVE};;
+esac
+
+depend() {
+	need localmount #434774
+	before net
+}
+
+set_table_policy() {
+	local has_errors=0 chains table=$1 policy=$2
+	case ${table} in
+		nat)    chains="PREROUTING POSTROUTING OUTPUT";;
+		mangle) chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING";;
+		filter) chains="INPUT FORWARD OUTPUT";;
+		*)      chains="";;
+	esac
+
+	local chain
+	for chain in ${chains} ; do
+		${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -t ${table} -P ${chain} ${policy}
+		[ $? -ne 0 ] && has_errors=1
+	done
+
+	return ${has_errors}
+}
+
+checkkernel() {
+	if [ ! -e ${iptables_proc} ] ; then
+		eerror "Your kernel lacks ${iptables_name} support, please load"
+		eerror "appropriate modules and try again."
+		return 1
+	fi
+	return 0
+}
+
+checkconfig() {
+	if [ -z "${iptables_save}" -o ! -f "${iptables_save}" ] ; then
+		eerror "Not starting ${iptables_name}.  First create some rules then run:"
+		eerror "/etc/init.d/${iptables_name} save"
+		return 1
+	fi
+	return 0
+}
+
+start_pre() {
+	checkkernel || return 1
+	checkconfig || return 1
+}
+
+start() {
+	ebegin "Loading ${iptables_name} state and starting firewall"
+	${iptables_bin}-restore --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
+	eend $?
+}
+
+stop_pre() {
+	checkkernel || return 1
+}
+
+stop() {
+	if [ "${SAVE_ON_STOP}" = "yes" ] ; then
+		save || return 1
+	fi
+
+	ebegin "Stopping firewall"
+	local has_errors=0 a
+	for a in $(cat ${iptables_proc}) ; do
+		set_table_policy $a ACCEPT
+		[ $? -ne 0 ] && has_errors=1
+
+		${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -F -t $a
+		[ $? -ne 0 ] && has_errors=1
+
+		${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -X -t $a
+		[ $? -ne 0 ] && has_errors=1
+	done
+	eend ${has_errors}
+}
+
+reload() {
+	checkkernel || return 1
+	checkrules || return 1
+	ebegin "Flushing firewall"
+	local has_errors=0 a
+	for a in $(cat ${iptables_proc}) ; do
+		${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -F -t $a
+		[ $? -ne 0 ] && has_errors=1
+
+		${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -X -t $a
+		[ $? -ne 0 ] && has_errors=1
+	done
+	eend ${has_errors}
+
+	start
+}
+
+checkrules() {
+	ebegin "Checking rules"
+	${iptables_bin}-restore --test ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
+	eend $?
+}
+
+check() {
+	# Short name for users of init.d script.
+	checkrules
+}
+
+save() {
+	ebegin "Saving ${iptables_name} state"
+	checkpath -q -d "$(dirname "${iptables_save}")"
+	checkpath -q -m 0600 -f "${iptables_save}"
+	${iptables_bin}-save ${SAVE_RESTORE_OPTIONS} > "${iptables_save}"
+	eend $?
+}
+
+panic() {
+	checkkernel || return 1
+	if service_started ${iptables_name}; then
+		rc-service ${iptables_name} stop
+	fi
+
+	local has_errors=0 a
+	ebegin "Dropping all packets"
+	for a in $(cat ${iptables_proc}) ; do
+		${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -F -t $a
+		[ $? -ne 0 ] && has_errors=1
+
+		${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -X -t $a
+		[ $? -ne 0 ] && has_errors=1
+
+		if [ "${a}" != "nat" ]; then
+			# The "nat" table is not intended for filtering, the use of DROP is therefore inhibited.
+			set_table_policy $a DROP
+			[ $? -ne 0 ] && has_errors=1
+		fi
+	done
+	eend ${has_errors}
+}
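Review bot: panic() goes through an accept-everything state before it reaches DROP. When the service is started it runs `rc-service ${iptables_name} stop`, and stop() sets every built-in chain to ACCEPT and flushes the rules; the loop in panic() then runs `-F` and `-X` again and only afterwards calls `set_table_policy $a DROP`. Moving the `if [ "${a}" != "nat" ]` block to the top of the loop body, ahead of the flush, shortens that window inside panic(); the ACCEPT step inherited from stop() would still need separate handling. Separately, checkrules() calls `${iptables_bin}-restore --test` without the `--wait` and `--wait-interval` arguments that start() passes, which may matter if the test run also takes the xtables lock.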

diff --git a/net-firewall/iptables/iptables-1.8.2-r1.ebuild b/net-firewall/iptables/iptables-1.8.2-r1.ebuild
new file mode 100644
index 00000000000..9279db2ecc5
--- /dev/null
+++ b/net-firewall/iptables/iptables-1.8.2-r1.ebuild
@@ -0,0 +1,129 @@
+# Copyright 1999-2018 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+# Force users doing their own patches to install their own tools
+AUTOTOOLS_AUTO_DEPEND=no
+
+inherit multilib systemd toolchain-funcs autotools flag-o-matic
+
+DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
+HOMEPAGE="https://www.netfilter.org/projects/iptables/"
+SRC_URI="https://www.netfilter.org/projects/iptables/files/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+# Subslot tracks libxtables as that's the one other packages generally link
+# against and iptables changes.  Will have to revisit if other sonames change.
+SLOT="0/12"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
+IUSE="conntrack ipv6 netlink nftables pcap static-libs"
+
+COMMON_DEPEND="
+	conntrack? ( >=net-libs/libnetfilter_conntrack-1.0.6 )
+	netlink? ( net-libs/libnfnetlink )
+	nftables? (
+		>=net-libs/libmnl-1.0:0=
+		>=net-libs/libnftnl-1.1.1:0=
+	)
+	pcap? ( net-libs/libpcap )
+"
+DEPEND="${COMMON_DEPEND}
+	virtual/os-headers
+	>=sys-kernel/linux-headers-4.4:0
+	virtual/pkgconfig
+	nftables? (
+		sys-devel/flex
+		virtual/yacc
+	)
+"
+RDEPEND="${COMMON_DEPEND}
+	nftables? ( net-misc/ethertypes )
+"
+
+src_prepare() {
+	# use the saner headers from the kernel
+	rm -f include/linux/{kernel,types}.h
+
+	# Only run autotools if user patched something
+	eapply_user && eautoreconf || elibtoolize
+}
+
+src_configure() {
+	# Some libs use $(AR) rather than libtool to build #444282
+	tc-export AR
+
+	# Hack around struct mismatches between userland & kernel for some ABIs. #472388
+	use amd64 && [[ ${ABI} == "x32" ]] && append-flags -fpack-struct
+
+	sed -i \
+		-e "/nfnetlink=[01]/s:=[01]:=$(usex netlink 1 0):" \
+		-e "/nfconntrack=[01]/s:=[01]:=$(usex conntrack 1 0):" \
+		configure || die
+
+	local myeconfargs=(
+		--sbindir="${EPREFIX}/sbin"
+		--libexecdir="${EPREFIX}/$(get_libdir)"
+		--enable-devel
+		--enable-shared
+		$(use_enable nftables)
+		$(use_enable pcap bpf-compiler)
+		$(use_enable pcap nfsynproxy)
+		$(use_enable static-libs static)
+		$(use_enable ipv6)
+	)
+	econf "${myeconfargs[@]}"
+}
+
+src_compile() {
+	# Deal with parallel build errors.
+	use nftables && emake -C iptables xtables-config-parser.h
+	emake V=1
+}
+
+src_install() {
+	default
+	dodoc INCOMPATIBILITIES iptables/iptables.xslt
+
+	# all the iptables binaries are in /sbin, so might as well
+	# put these small files in with them
+	into /
+	dosbin iptables/iptables-apply
+	dosym iptables-apply /sbin/ip6tables-apply
+	doman iptables/iptables-apply.8
+
+	insinto /usr/include
+	doins include/iptables.h $(use ipv6 && echo include/ip6tables.h)
+	insinto /usr/include/iptables
+	doins include/iptables/internal.h
+
+	keepdir /var/lib/iptables
+	newinitd "${FILESDIR}"/${PN}-r1.init iptables
+	newconfd "${FILESDIR}"/${PN}-r1.confd iptables
+	if use ipv6 ; then
+		keepdir /var/lib/ip6tables
+		dosym iptables /etc/init.d/ip6tables
+		newconfd "${FILESDIR}"/ip6tables-r1.confd ip6tables
+	fi
+
+	if use nftables; then
+		# Bug 647458
+		rm "${ED%/}"/etc/ethertypes || die
+
+		# Bug 660886
+		rm "${ED%/}"/sbin/{arptables,ebtables} || die
+
+		# Bug 669894
+		rm "${ED%/}"/sbin/ebtables-{save,restore} || die
+	fi
+
+	systemd_dounit "${FILESDIR}"/systemd/iptables-{re,}store.service
+	if use ipv6 ; then
+		systemd_dounit "${FILESDIR}"/systemd/ip6tables-{re,}store.service
+	fi
+
+	# Move important libs to /lib #332175
+	gen_usr_ldscript -a ip{4,6}tc iptc xtables
+
+	find "${ED}" -name "*.la" -delete || die
+}
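Review bot: In src_prepare, `eapply_user && eautoreconf || elibtoolize` uses the exit status of eapply_user to decide whether user patches were applied, but as far as I know PMS defines that status as success both when patches applied and when none were found, so which branch runs depends on package-manager internals. Where it returns success unconditionally, eautoreconf runs on every build even though `AUTOTOOLS_AUTO_DEPEND=no` keeps the autotools out of DEPEND. I would make the choice explicit, for example `eapply_user` followed by an unconditional `elibtoolize`, with the comment stating that users who patch configure.ac or Makefile.am must regenerate the build system themselves. Separately, `rm -f include/linux/{kernel,types}.h` hides the case where upstream moves or drops those bundled headers; `rm include/linux/{kernel,types}.h || die` would surface it at build time.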



* [gentoo-commits] repo/gentoo:master commit in: net-firewall/iptables/files/, net-firewall/iptables/
@ 2019-05-28  0:41 Lars Wendler
  0 siblings, 0 replies; 15+ messages in thread
From: Lars Wendler @ 2019-05-28  0:41 UTC (permalink / raw
  To: gentoo-commits

commit:     81518bff4f1a83cba9c65438f6a812f8e523b162
Author:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
AuthorDate: Tue May 28 00:39:51 2019 +0000
Commit:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
CommitDate: Tue May 28 00:41:08 2019 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=81518bff

net-firewall/iptables: Removed old.

Package-Manager: Portage-2.3.67, Repoman-2.3.13
Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org>

 net-firewall/iptables/Manifest                     |   2 -
 .../iptables/files/iptables-1.4.21-configure.patch |  34 ------
 .../iptables-1.4.21-static-connlabel-config.patch  |  77 ------------
 ...es-1.8.1-build_limit_without_libnftnl_fix.patch |  44 -------
 net-firewall/iptables/iptables-1.4.21-r1.ebuild    |  93 ---------------
 net-firewall/iptables/iptables-1.4.21-r5.ebuild    | 104 ----------------
 net-firewall/iptables/iptables-1.8.1-r1.ebuild     | 131 ---------------------
 net-firewall/iptables/iptables-1.8.2.ebuild        | 129 --------------------
 8 files changed, 614 deletions(-)

diff --git a/net-firewall/iptables/Manifest b/net-firewall/iptables/Manifest
index 5e0703efb12..0199e509e2c 100644
--- a/net-firewall/iptables/Manifest
+++ b/net-firewall/iptables/Manifest
@@ -1,6 +1,4 @@
-DIST iptables-1.4.21.tar.bz2 547439 BLAKE2B e30f25581a118b91781dcc02761d4c8c420fb19876ec9e8ade3aff22b574931065f9a1c1ec31983a444c406dd928c47673d02698553da85c3db4f31484b1597d SHA512 dd4baccdb080284d8620e6ed59beafc2677813f3e099051764b07f8e394f6d94ca11861b181f3cce7c55c66de64c1e2add13dc1a0b64e24050cd9fb7aea0689b
 DIST iptables-1.6.1.tar.bz2 620890 BLAKE2B b45ac26e1fb7e8b17a6df0afab3b6c0e2f0a5df9191367548136b3ce9aadc1bcb875b8bc0403e6f12fcf487054e96418f4ef34da827af8989fd4dcf83cd3cd8d SHA512 12280db6e6ef8e68da2537e9da59fc601790fd02b1ba38a37c90dbb56272018329dccb8be995f96ecd5d94fafa6043204f3e8f8ee96531685d9e3c55359d2ee8
 DIST iptables-1.6.2.tar.bz2 639785 BLAKE2B 3d129756fd33c8c73d56d57e3c5595896db86ded14834a45db21b964d82840b62216ce3cea4ae4960e8c5f0671df3cc6bfb222f68d29cf3a8c99e0eee14bf017 SHA512 04f22e969c794246b9aa28055b202638081cfb0bb4a5625c049a30c48ac84cdd41db12a53c5831398cfe47c8f5691aa02b30b0ae3b5afe0f20ec48cf86a799c0
-DIST iptables-1.8.1.tar.bz2 678706 BLAKE2B 671e7329cc07dae0fbc54c1f6061bc148c4823e1f675369ee36a7cd2346cc1a9a516d5aa2e8a3506d5400027c1ba306cbe426940894117710bc61aacd256fccd SHA512 96a896b6dd26c2d0b4e1672d428ea3c3aab0a3c9e56a896af3a2b8428c4212d7378ba555e0be198b0ccb3fd370bca529466ab8b4edc1777eb7deed600d3f0e11
 DIST iptables-1.8.2.tar.bz2 679858 BLAKE2B 2004d85c89ecbc37ef0d571ac8ece680fd2e11a51b074f6387d6e9c4892da524c785d6bf3f30e26af4e7c2cb1f401d51bf8bcb21a91e380e24945374553139cb SHA512 8cf0f515764e1dc6e03284581d682d1949b33e8f25fea29c27ae856f1089fe8ca7b1814524b85f4378fd1fc7c7c7d002f06557b257ae2bbc945f8555bad0dc76
 DIST iptables-1.8.3.tar.bz2 716257 BLAKE2B 58c606a5753ae2cb8ada9039e4653d2abe03c7c9b6aeef1e458baa3e10e818893f35e8f2aed5221e692415115e618aa673c8fcd33d172f85e9d1b609ed79c7b8 SHA512 84b10080646077cbea78b7f3fcc58c6c6e1898213341c69862e1b48179f37a6820c3d84437c896071f966b61aa6d16b132d91948a85fd8c05740f29be3a0986d

diff --git a/net-firewall/iptables/files/iptables-1.4.21-configure.patch b/net-firewall/iptables/files/iptables-1.4.21-configure.patch
deleted file mode 100644
index e827885f168..00000000000
--- a/net-firewall/iptables/files/iptables-1.4.21-configure.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-https://bugs.gentoo.org/557586
-
-From b24e59fba39120bfdb9e521bbd0af8f33a60466e Mon Sep 17 00:00:00 2001
-From: Mike Frysinger <vapier@gentoo.org>
-Date: Sat, 15 Aug 2015 14:12:39 -0400
-Subject: [PATCH] configure: fix 3rd arg w/AC_ARG_ENABLE
-
-The 3rd arg is used when --{enable,disable}-foo are passed in, not when
-the feature is enabled.  Use the existing $enableval instead.
-
-Signed-off-by: Mike Frysinger <vapier@gentoo.org>
----
- configure.ac | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
---- a/configure
-+++ b/configure
-@@ -11898,14 +11898,14 @@ fi
- 
- # Check whether --enable-bpf-compiler was given.
- if test "${enable_bpf_compiler+set}" = set; then :
--  enableval=$enable_bpf_compiler; enable_bpfc="yes"
-+  enableval=$enable_bpf_compiler; enable_bpfc="$enableval"
- else
-   enable_bpfc="no"
- fi
- 
- # Check whether --enable-nfsynproxy was given.
- if test "${enable_nfsynproxy+set}" = set; then :
--  enableval=$enable_nfsynproxy; enable_nfsynproxy="yes"
-+  enableval=$enable_nfsynproxy; enable_nfsynproxy="$enableval"
- else
-   enable_nfsynproxy="no"
- fi

diff --git a/net-firewall/iptables/files/iptables-1.4.21-static-connlabel-config.patch b/net-firewall/iptables/files/iptables-1.4.21-static-connlabel-config.patch
deleted file mode 100644
index a4183d6d402..00000000000
--- a/net-firewall/iptables/files/iptables-1.4.21-static-connlabel-config.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-https://bugs.gentoo.org/558234
-http://git.netfilter.org/iptables/commit/?id=825fbda5482a7d5ec5a6619c81fe07ff865c7d6e
-
-From 825fbda5482a7d5ec5a6619c81fe07ff865c7d6e Mon Sep 17 00:00:00 2001
-From: Florian Westphal <fw@strlen.de>
-Date: Fri, 5 Sep 2014 20:45:56 +0200
-Subject: [PATCH] extensions: libxt_connlabel: do not open config file from
- _init hook
-
-else, static builds will print this for every iptables invocation,
-even 'iptables -L'.  Delay open until we need to translate a mapping.
-
-Reported-by: Thomas De Schampheleire <patrickdepinguin@gmail.com>
-Signed-off-by: Florian Westphal <fw@strlen.de>
----
- extensions/libxt_connlabel.c | 27 ++++++++++++++++++++-------
- 1 file changed, 20 insertions(+), 7 deletions(-)
-
-diff --git a/extensions/libxt_connlabel.c b/extensions/libxt_connlabel.c
-index c84a167..1f83095 100644
---- a/extensions/libxt_connlabel.c
-+++ b/extensions/libxt_connlabel.c
-@@ -29,11 +29,26 @@ static const struct xt_option_entry connlabel_mt_opts[] = {
- 	XTOPT_TABLEEND,
- };
- 
-+/* cannot do this via _init, else static builds might spew error message
-+ * for every iptables invocation.
-+ */
-+static void connlabel_open(void)
-+{
-+	if (map)
-+		return;
-+
-+	map = nfct_labelmap_new(NULL);
-+	if (!map && errno)
-+		xtables_error(RESOURCE_PROBLEM, "cannot open connlabel.conf: %s\n",
-+			strerror(errno));
-+}
-+
- static void connlabel_mt_parse(struct xt_option_call *cb)
- {
- 	struct xt_connlabel_mtinfo *info = cb->data;
- 	int tmp;
- 
-+	connlabel_open();
- 	xtables_option_parse(cb);
- 
- 	switch (cb->entry->id) {
-@@ -54,7 +69,11 @@ static void connlabel_mt_parse(struct xt_option_call *cb)
- 
- static const char *connlabel_get_name(int b)
- {
--	const char *name = nfct_labelmap_get_name(map, b);
-+	const char *name;
-+
-+	connlabel_open();
-+
-+	name = nfct_labelmap_get_name(map, b);
- 	if (name && strcmp(name, ""))
- 		return name;
- 	return NULL;
-@@ -114,11 +133,5 @@ static struct xtables_match connlabel_mt_reg = {
- 
- void _init(void)
- {
--	map = nfct_labelmap_new(NULL);
--	if (!map) {
--		fprintf(stderr, "cannot open connlabel.conf, not registering '%s' match: %s\n",
--			connlabel_mt_reg.name, strerror(errno));
--		return;
--	}
- 	xtables_register_match(&connlabel_mt_reg);
- }
--- 
-2.4.4
-

diff --git a/net-firewall/iptables/files/iptables-1.8.1-build_limit_without_libnftnl_fix.patch b/net-firewall/iptables/files/iptables-1.8.1-build_limit_without_libnftnl_fix.patch
deleted file mode 100644
index a0fca7efa93..00000000000
--- a/net-firewall/iptables/files/iptables-1.8.1-build_limit_without_libnftnl_fix.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From b2fc2a368562d55fadad94d995247bb8cd7e68a3 Mon Sep 17 00:00:00 2001
-From: Florian Westphal <fw@strlen.de>
-Date: Wed, 24 Oct 2018 12:00:11 +0200
-Subject: extensions: limit: unbreak build without libnftnl
-
-Lars Wendler reported 1.8.1 build failure when trying to build without nft backend:
-
-  In file included from ../iptables/nft.h:5, from libxt_limit.c:18: libnftnl/rule.h: No such file or directory
-
-Reported-by: Lars Wendler <polynomial-c@gentoo.org>
-Fixes: 02b80972c43 ("ebtables: Merge libebt_limit.c into libxt_limit.c")
-Signed-off-by: Florian Westphal <fw@strlen.de>
----
- extensions/libxt_limit.c | 1 -
- iptables/nft-bridge.h    | 1 +
- 2 files changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/extensions/libxt_limit.c b/extensions/libxt_limit.c
-index c7b66295..1b324657 100644
---- a/extensions/libxt_limit.c
-+++ b/extensions/libxt_limit.c
-@@ -15,7 +15,6 @@
- #include <xtables.h>
- #include <linux/netfilter/x_tables.h>
- #include <linux/netfilter/xt_limit.h>
--#include "iptables/nft.h"
- #include "iptables/nft-bridge.h"
- 
- #define XT_LIMIT_AVG	"3/hour"
-diff --git a/iptables/nft-bridge.h b/iptables/nft-bridge.h
-index 9d49ccbe..de52cd71 100644
---- a/iptables/nft-bridge.h
-+++ b/iptables/nft-bridge.h
-@@ -68,6 +68,7 @@ int ebt_get_mac_and_mask(const char *from, unsigned char *to, unsigned char *mas
- #define EBT_VERDICT_BITS 0x0000000F
- 
- struct nftnl_rule;
-+struct iptables_command_state;
- 
- static const char *ebt_standard_targets[NUM_STANDARD_TARGETS] = {
- 	"ACCEPT",
--- 
-cgit v1.2.1
-

diff --git a/net-firewall/iptables/iptables-1.4.21-r1.ebuild b/net-firewall/iptables/iptables-1.4.21-r1.ebuild
deleted file mode 100644
index 47f4a175748..00000000000
--- a/net-firewall/iptables/iptables-1.4.21-r1.ebuild
+++ /dev/null
@@ -1,93 +0,0 @@
-# Copyright 1999-2018 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="5"
-
-# Force users doing their own patches to install their own tools
-AUTOTOOLS_AUTO_DEPEND=no
-
-inherit eutils multilib systemd toolchain-funcs autotools
-
-DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
-HOMEPAGE="https://www.netfilter.org/projects/iptables/"
-SRC_URI="https://www.netfilter.org/projects/iptables/files/${P}.tar.bz2"
-
-LICENSE="GPL-2"
-SLOT="0"
-KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86"
-IUSE="conntrack ipv6 netlink static-libs"
-
-RDEPEND="
-	conntrack? ( net-libs/libnetfilter_conntrack )
-	netlink? ( net-libs/libnfnetlink )
-"
-DEPEND="${RDEPEND}
-	virtual/os-headers
-	virtual/pkgconfig
-"
-
-src_prepare() {
-	# use the saner headers from the kernel
-	rm -f include/linux/{kernel,types}.h
-
-	# Only run autotools if user patched something
-	epatch_user && eautoreconf || elibtoolize
-}
-
-src_configure() {
-	# Some libs use $(AR) rather than libtool to build #444282
-	tc-export AR
-
-	sed -i \
-		-e "/nfnetlink=[01]/s:=[01]:=$(usex netlink 1 0):" \
-		-e "/nfconntrack=[01]/s:=[01]:=$(usex conntrack 1 0):" \
-		configure || die
-
-	econf \
-		--sbindir="${EPREFIX}/sbin" \
-		--libexecdir="${EPREFIX}/$(get_libdir)" \
-		--enable-devel \
-		--enable-shared \
-		$(use_enable static-libs static) \
-		$(use_enable ipv6)
-}
-
-src_compile() {
-	emake V=1
-}
-
-src_install() {
-	default
-	dodoc INCOMPATIBILITIES iptables/iptables.xslt
-
-	# all the iptables binaries are in /sbin, so might as well
-	# put these small files in with them
-	into /
-	dosbin iptables/iptables-apply
-	dosym iptables-apply /sbin/ip6tables-apply
-	doman iptables/iptables-apply.8
-
-	insinto /usr/include
-	doins include/iptables.h $(use ipv6 && echo include/ip6tables.h)
-	insinto /usr/include/iptables
-	doins include/iptables/internal.h
-
-	keepdir /var/lib/iptables
-	newinitd "${FILESDIR}"/${PN}-1.4.13-r1.init iptables
-	newconfd "${FILESDIR}"/${PN}-1.4.13.confd iptables
-	if use ipv6 ; then
-		keepdir /var/lib/ip6tables
-		newinitd "${FILESDIR}"/iptables-1.4.13-r1.init ip6tables
-		newconfd "${FILESDIR}"/ip6tables-1.4.13.confd ip6tables
-	fi
-
-	systemd_dounit "${FILESDIR}"/systemd/iptables{,-{re,}store}.service
-	if use ipv6 ; then
-		systemd_dounit "${FILESDIR}"/systemd/ip6tables{,-{re,}store}.service
-	fi
-
-	# Move important libs to /lib #332175
-	gen_usr_ldscript -a ip{4,6}tc iptc xtables
-
-	prune_libtool_files
-}

diff --git a/net-firewall/iptables/iptables-1.4.21-r5.ebuild b/net-firewall/iptables/iptables-1.4.21-r5.ebuild
deleted file mode 100644
index 6dbce98c427..00000000000
--- a/net-firewall/iptables/iptables-1.4.21-r5.ebuild
+++ /dev/null
@@ -1,104 +0,0 @@
-# Copyright 1999-2018 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="5"
-
-# Force users doing their own patches to install their own tools
-AUTOTOOLS_AUTO_DEPEND=no
-
-inherit eutils multilib systemd toolchain-funcs autotools flag-o-matic
-
-DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
-HOMEPAGE="https://www.netfilter.org/projects/iptables/"
-SRC_URI="https://www.netfilter.org/projects/iptables/files/${P}.tar.bz2"
-
-LICENSE="GPL-2"
-# Subslot tracks libxtables as that's the one other packages generally link
-# against and iptables changes.  Will have to revisit if other sonames change.
-SLOT="0/10"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
-IUSE="conntrack ipv6 netlink pcap static-libs"
-
-RDEPEND="
-	conntrack? ( net-libs/libnetfilter_conntrack )
-	netlink? ( net-libs/libnfnetlink )
-	pcap? ( net-libs/libpcap )
-"
-DEPEND="${RDEPEND}
-	virtual/os-headers
-	virtual/pkgconfig
-"
-
-src_prepare() {
-	# use the saner headers from the kernel
-	rm -f include/linux/{kernel,types}.h
-
-	epatch "${FILESDIR}"/${P}-configure.patch #557586
-	epatch "${FILESDIR}"/${P}-static-connlabel-config.patch #558234
-
-	# Only run autotools if user patched something
-	epatch_user && eautoreconf || elibtoolize
-}
-
-src_configure() {
-	# Some libs use $(AR) rather than libtool to build #444282
-	tc-export AR
-
-	# Hack around struct mismatches between userland & kernel for some ABIs. #472388
-	use amd64 && [[ ${ABI} == "x32" ]] && append-flags -fpack-struct
-
-	sed -i \
-		-e "/nfnetlink=[01]/s:=[01]:=$(usex netlink 1 0):" \
-		-e "/nfconntrack=[01]/s:=[01]:=$(usex conntrack 1 0):" \
-		configure || die
-
-	econf \
-		--sbindir="${EPREFIX}/sbin" \
-		--libexecdir="${EPREFIX}/$(get_libdir)" \
-		--enable-devel \
-		--enable-shared \
-		$(use_enable pcap bpf-compiler) \
-		$(use_enable pcap nfsynproxy) \
-		$(use_enable static-libs static) \
-		$(use_enable ipv6)
-}
-
-src_compile() {
-	emake V=1
-}
-
-src_install() {
-	default
-	dodoc INCOMPATIBILITIES iptables/iptables.xslt
-
-	# all the iptables binaries are in /sbin, so might as well
-	# put these small files in with them
-	into /
-	dosbin iptables/iptables-apply
-	dosym iptables-apply /sbin/ip6tables-apply
-	doman iptables/iptables-apply.8
-
-	insinto /usr/include
-	doins include/iptables.h $(use ipv6 && echo include/ip6tables.h)
-	insinto /usr/include/iptables
-	doins include/iptables/internal.h
-
-	keepdir /var/lib/iptables
-	newinitd "${FILESDIR}"/${PN}.init iptables
-	newconfd "${FILESDIR}"/${PN}-1.4.13.confd iptables
-	if use ipv6 ; then
-		keepdir /var/lib/ip6tables
-		newinitd "${FILESDIR}"/iptables.init ip6tables
-		newconfd "${FILESDIR}"/ip6tables-1.4.13.confd ip6tables
-	fi
-
-	systemd_dounit "${FILESDIR}"/systemd/iptables{,-{re,}store}.service
-	if use ipv6 ; then
-		systemd_dounit "${FILESDIR}"/systemd/ip6tables{,-{re,}store}.service
-	fi
-
-	# Move important libs to /lib #332175
-	gen_usr_ldscript -a ip{4,6}tc iptc xtables
-
-	prune_libtool_files
-}

diff --git a/net-firewall/iptables/iptables-1.8.1-r1.ebuild b/net-firewall/iptables/iptables-1.8.1-r1.ebuild
deleted file mode 100644
index 0183b70bd77..00000000000
--- a/net-firewall/iptables/iptables-1.8.1-r1.ebuild
+++ /dev/null
@@ -1,131 +0,0 @@
-# Copyright 1999-2018 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=6
-
-# Force users doing their own patches to install their own tools
-AUTOTOOLS_AUTO_DEPEND=no
-
-inherit multilib systemd toolchain-funcs autotools flag-o-matic
-
-DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
-HOMEPAGE="https://www.netfilter.org/projects/iptables/"
-SRC_URI="https://www.netfilter.org/projects/iptables/files/${P}.tar.bz2"
-
-LICENSE="GPL-2"
-# Subslot tracks libxtables as that's the one other packages generally link
-# against and iptables changes.  Will have to revisit if other sonames change.
-SLOT="0/12"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
-IUSE="conntrack ipv6 netlink nftables pcap static-libs"
-
-COMMON_DEPEND="
-	conntrack? ( >=net-libs/libnetfilter_conntrack-1.0.6 )
-	netlink? ( net-libs/libnfnetlink )
-	nftables? (
-		>=net-libs/libmnl-1.0:0=
-		>=net-libs/libnftnl-1.1.1:0=
-	)
-	pcap? ( net-libs/libpcap )
-"
-DEPEND="${COMMON_DEPEND}
-	virtual/os-headers
-	>=sys-kernel/linux-headers-4.4:0
-	virtual/pkgconfig
-	nftables? (
-		sys-devel/flex
-		virtual/yacc
-	)
-"
-RDEPEND="${COMMON_DEPEND}
-	nftables? ( net-misc/ethertypes )
-"
-
-src_prepare() {
-	eapply "${FILESDIR}/${P}-build_limit_without_libnftnl_fix.patch" #669486
-
-	# use the saner headers from the kernel
-	rm -f include/linux/{kernel,types}.h
-
-	# Only run autotools if user patched something
-	eapply_user && eautoreconf || elibtoolize
-}
-
-src_configure() {
-	# Some libs use $(AR) rather than libtool to build #444282
-	tc-export AR
-
-	# Hack around struct mismatches between userland & kernel for some ABIs. #472388
-	use amd64 && [[ ${ABI} == "x32" ]] && append-flags -fpack-struct
-
-	sed -i \
-		-e "/nfnetlink=[01]/s:=[01]:=$(usex netlink 1 0):" \
-		-e "/nfconntrack=[01]/s:=[01]:=$(usex conntrack 1 0):" \
-		configure || die
-
-	local myeconfargs=(
-		--sbindir="${EPREFIX}/sbin"
-		--libexecdir="${EPREFIX}/$(get_libdir)"
-		--enable-devel
-		--enable-shared
-		$(use_enable nftables)
-		$(use_enable pcap bpf-compiler)
-		$(use_enable pcap nfsynproxy)
-		$(use_enable static-libs static)
-		$(use_enable ipv6)
-	)
-	econf "${myeconfargs[@]}"
-}
-
-src_compile() {
-	# Deal with parallel build errors.
-	use nftables && emake -C iptables xtables-config-parser.h
-	emake V=1
-}
-
-src_install() {
-	default
-	dodoc INCOMPATIBILITIES iptables/iptables.xslt
-
-	# all the iptables binaries are in /sbin, so might as well
-	# put these small files in with them
-	into /
-	dosbin iptables/iptables-apply
-	dosym iptables-apply /sbin/ip6tables-apply
-	doman iptables/iptables-apply.8
-
-	insinto /usr/include
-	doins include/iptables.h $(use ipv6 && echo include/ip6tables.h)
-	insinto /usr/include/iptables
-	doins include/iptables/internal.h
-
-	keepdir /var/lib/iptables
-	newinitd "${FILESDIR}"/${PN}.init iptables
-	newconfd "${FILESDIR}"/${PN}-1.4.13.confd iptables
-	if use ipv6 ; then
-		keepdir /var/lib/ip6tables
-		newinitd "${FILESDIR}"/iptables.init ip6tables
-		newconfd "${FILESDIR}"/ip6tables-1.4.13.confd ip6tables
-	fi
-
-	if use nftables; then
-		# Bug 647458
-		rm "${ED%/}"/etc/ethertypes || die
-
-		# Bug 660886
-		rm "${ED%/}"/sbin/{arptables,ebtables} || die
-
-		# Bug 669894
-		rm "${ED%/}"/sbin/ebtables-{save,restore} || die
-	fi
-
-	systemd_dounit "${FILESDIR}"/systemd/iptables-{re,}store.service
-	if use ipv6 ; then
-		systemd_dounit "${FILESDIR}"/systemd/ip6tables-{re,}store.service
-	fi
-
-	# Move important libs to /lib #332175
-	gen_usr_ldscript -a ip{4,6}tc iptc xtables
-
-	find "${ED}" -name "*.la" -delete || die
-}

diff --git a/net-firewall/iptables/iptables-1.8.2.ebuild b/net-firewall/iptables/iptables-1.8.2.ebuild
deleted file mode 100644
index cbf85327a99..00000000000
--- a/net-firewall/iptables/iptables-1.8.2.ebuild
+++ /dev/null
@@ -1,129 +0,0 @@
-# Copyright 1999-2018 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=6
-
-# Force users doing their own patches to install their own tools
-AUTOTOOLS_AUTO_DEPEND=no
-
-inherit multilib systemd toolchain-funcs autotools flag-o-matic
-
-DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
-HOMEPAGE="https://www.netfilter.org/projects/iptables/"
-SRC_URI="https://www.netfilter.org/projects/iptables/files/${P}.tar.bz2"
-
-LICENSE="GPL-2"
-# Subslot tracks libxtables as that's the one other packages generally link
-# against and iptables changes.  Will have to revisit if other sonames change.
-SLOT="0/12"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
-IUSE="conntrack ipv6 netlink nftables pcap static-libs"
-
-COMMON_DEPEND="
-	conntrack? ( >=net-libs/libnetfilter_conntrack-1.0.6 )
-	netlink? ( net-libs/libnfnetlink )
-	nftables? (
-		>=net-libs/libmnl-1.0:0=
-		>=net-libs/libnftnl-1.1.1:0=
-	)
-	pcap? ( net-libs/libpcap )
-"
-DEPEND="${COMMON_DEPEND}
-	virtual/os-headers
-	>=sys-kernel/linux-headers-4.4:0
-	virtual/pkgconfig
-	nftables? (
-		sys-devel/flex
-		virtual/yacc
-	)
-"
-RDEPEND="${COMMON_DEPEND}
-	nftables? ( net-misc/ethertypes )
-"
-
-src_prepare() {
-	# use the saner headers from the kernel
-	rm -f include/linux/{kernel,types}.h
-
-	# Only run autotools if user patched something
-	eapply_user && eautoreconf || elibtoolize
-}
-
-src_configure() {
-	# Some libs use $(AR) rather than libtool to build #444282
-	tc-export AR
-
-	# Hack around struct mismatches between userland & kernel for some ABIs. #472388
-	use amd64 && [[ ${ABI} == "x32" ]] && append-flags -fpack-struct
-
-	sed -i \
-		-e "/nfnetlink=[01]/s:=[01]:=$(usex netlink 1 0):" \
-		-e "/nfconntrack=[01]/s:=[01]:=$(usex conntrack 1 0):" \
-		configure || die
-
-	local myeconfargs=(
-		--sbindir="${EPREFIX}/sbin"
-		--libexecdir="${EPREFIX}/$(get_libdir)"
-		--enable-devel
-		--enable-shared
-		$(use_enable nftables)
-		$(use_enable pcap bpf-compiler)
-		$(use_enable pcap nfsynproxy)
-		$(use_enable static-libs static)
-		$(use_enable ipv6)
-	)
-	econf "${myeconfargs[@]}"
-}
-
-src_compile() {
-	# Deal with parallel build errors.
-	use nftables && emake -C iptables xtables-config-parser.h
-	emake V=1
-}
-
-src_install() {
-	default
-	dodoc INCOMPATIBILITIES iptables/iptables.xslt
-
-	# all the iptables binaries are in /sbin, so might as well
-	# put these small files in with them
-	into /
-	dosbin iptables/iptables-apply
-	dosym iptables-apply /sbin/ip6tables-apply
-	doman iptables/iptables-apply.8
-
-	insinto /usr/include
-	doins include/iptables.h $(use ipv6 && echo include/ip6tables.h)
-	insinto /usr/include/iptables
-	doins include/iptables/internal.h
-
-	keepdir /var/lib/iptables
-	newinitd "${FILESDIR}"/${PN}.init iptables
-	newconfd "${FILESDIR}"/${PN}-1.4.13.confd iptables
-	if use ipv6 ; then
-		keepdir /var/lib/ip6tables
-		newinitd "${FILESDIR}"/iptables.init ip6tables
-		newconfd "${FILESDIR}"/ip6tables-1.4.13.confd ip6tables
-	fi
-
-	if use nftables; then
-		# Bug 647458
-		rm "${ED%/}"/etc/ethertypes || die
-
-		# Bug 660886
-		rm "${ED%/}"/sbin/{arptables,ebtables} || die
-
-		# Bug 669894
-		rm "${ED%/}"/sbin/ebtables-{save,restore} || die
-	fi
-
-	systemd_dounit "${FILESDIR}"/systemd/iptables-{re,}store.service
-	if use ipv6 ; then
-		systemd_dounit "${FILESDIR}"/systemd/ip6tables-{re,}store.service
-	fi
-
-	# Move important libs to /lib #332175
-	gen_usr_ldscript -a ip{4,6}tc iptc xtables
-
-	find "${ED}" -name "*.la" -delete || die
-}



* [gentoo-commits] repo/gentoo:master commit in: net-firewall/iptables/files/, net-firewall/iptables/
@ 2021-01-16 23:36 Lars Wendler
  0 siblings, 0 replies; 15+ messages in thread
From: Lars Wendler @ 2021-01-16 23:36 UTC (permalink / raw
  To: gentoo-commits

commit:     3124aea6bcf75de81f6619cee0a345499c177c19
Author:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
AuthorDate: Sat Jan 16 23:35:22 2021 +0000
Commit:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
CommitDate: Sat Jan 16 23:36:09 2021 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3124aea6

net-firewall/iptables: Removed old

Package-Manager: Portage-3.0.13, Repoman-3.0.2
Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org>

 net-firewall/iptables/Manifest                     |   3 -
 net-firewall/iptables/files/ip6tables-1.4.13.confd |  19 ---
 net-firewall/iptables/files/iptables-1.4.13.confd  |  19 ---
 net-firewall/iptables/iptables-1.6.1-r3.ebuild     | 119 --------------
 net-firewall/iptables/iptables-1.6.2-r2.ebuild     | 123 --------------
 net-firewall/iptables/iptables-1.8.4-r2.ebuild     | 179 ---------------------
 6 files changed, 462 deletions(-)

diff --git a/net-firewall/iptables/Manifest b/net-firewall/iptables/Manifest
index 6124f5ea369..2e92db50183 100644
--- a/net-firewall/iptables/Manifest
+++ b/net-firewall/iptables/Manifest
@@ -1,6 +1,3 @@
-DIST iptables-1.6.1.tar.bz2 620890 BLAKE2B b45ac26e1fb7e8b17a6df0afab3b6c0e2f0a5df9191367548136b3ce9aadc1bcb875b8bc0403e6f12fcf487054e96418f4ef34da827af8989fd4dcf83cd3cd8d SHA512 12280db6e6ef8e68da2537e9da59fc601790fd02b1ba38a37c90dbb56272018329dccb8be995f96ecd5d94fafa6043204f3e8f8ee96531685d9e3c55359d2ee8
-DIST iptables-1.6.2.tar.bz2 639785 BLAKE2B 3d129756fd33c8c73d56d57e3c5595896db86ded14834a45db21b964d82840b62216ce3cea4ae4960e8c5f0671df3cc6bfb222f68d29cf3a8c99e0eee14bf017 SHA512 04f22e969c794246b9aa28055b202638081cfb0bb4a5625c049a30c48ac84cdd41db12a53c5831398cfe47c8f5691aa02b30b0ae3b5afe0f20ec48cf86a799c0
-DIST iptables-1.8.4.tar.bz2 704312 BLAKE2B f677bb9ed2c86e6a39953c0565766991e9647224effdc7db2b563f3f491f6ace2f9073ecc8e865d489101a9f80cf964d9775ab81536412dbd4ca85937432de94 SHA512 a7faaab58608ffaa51e26e8056551c0e91a49187439d30fcf5cce2800274cc3c0515db6cfba0f4c85613fb80779cf96089b8915db0e89161e9980a6384faebdb
 DIST iptables-1.8.5.tar.bz2 713769 BLAKE2B 49659fc2f1f284f31637048fa1e6edb4853e9bf6ac0b6ada5599a7af34a4449205b5eb6b85b630ce4757b49cf3f8ac9ad6220e07c2c22abb688a3aeb5cf99cd2 SHA512 6a6baa541bb7aa331b176e0a91894e0766859814b59e77c71351ac34d6ebd337487981db48c70e476a48c67bcf891cfc663221a7582feb1496ad1df56eb28da8
 DIST iptables-1.8.6.tar.bz2 715744 BLAKE2B 72167610b396054fe18c495d7a9e23051d217116074ee39198af989a3e50b9908cb75f42b9172d3cfd76343835386a78a2c51d1153ed5d219a6d68209e11dc9c SHA512 d06e4cddb69822c4618664a35877fc5811992936cade2040bb0e4eb25a4d879eadc7c84401c40fb39ffac7888568505adcb1cfe995cd166a15c702237daf6acf
 DIST iptables-1.8.7.tar.bz2 717862 BLAKE2B fd4dcff142eaadde2a14ce3eb5e45d41c326752553b52900c77fd2e2a20c0685d0a04b95755995e914df47658834d52216d6465c2ae9cd6abc6eb122b95cc976 SHA512 c0a33fafbf1139157a9f52860938ebedc282a1394a68dcbd58981159379eb525919f999b25925f2cb4d6b18089bd99a94b00b3e73cff5cb0a0e47bdff174ed75

diff --git a/net-firewall/iptables/files/ip6tables-1.4.13.confd b/net-firewall/iptables/files/ip6tables-1.4.13.confd
deleted file mode 100644
index 3bb36989d37..00000000000
--- a/net-firewall/iptables/files/ip6tables-1.4.13.confd
+++ /dev/null
@@ -1,19 +0,0 @@
-# /etc/conf.d/ip6tables
-
-# Location in which iptables initscript will save set rules on 
-# service shutdown
-IP6TABLES_SAVE="/var/lib/ip6tables/rules-save"
-
-# Options to pass to iptables-save and iptables-restore 
-SAVE_RESTORE_OPTIONS="-c"
-
-# Save state on stopping iptables
-SAVE_ON_STOP="yes"
-
-# If you need to log iptables messages as soon as iptables starts,
-# AND your logger does NOT depend on the network, then you may wish
-# to uncomment the next line.
-# If your logger depends on the network, and you uncomment this line
-# you will create an unresolvable circular dependency during startup.
-# After commenting or uncommenting this line, you must run 'rc-update -u'.
-#rc_use="logger"

diff --git a/net-firewall/iptables/files/iptables-1.4.13.confd b/net-firewall/iptables/files/iptables-1.4.13.confd
deleted file mode 100644
index 7225374c3a8..00000000000
--- a/net-firewall/iptables/files/iptables-1.4.13.confd
+++ /dev/null
@@ -1,19 +0,0 @@
-# /etc/conf.d/iptables
-
-# Location in which iptables initscript will save set rules on 
-# service shutdown
-IPTABLES_SAVE="/var/lib/iptables/rules-save"
-
-# Options to pass to iptables-save and iptables-restore 
-SAVE_RESTORE_OPTIONS="-c"
-
-# Save state on stopping iptables
-SAVE_ON_STOP="yes"
-
-# If you need to log iptables messages as soon as iptables starts,
-# AND your logger does NOT depend on the network, then you may wish
-# to uncomment the next line.
-# If your logger depends on the network, and you uncomment this line
-# you will create an unresolvable circular dependency during startup.
-# After commenting or uncommenting this line, you must run 'rc-update -u'.
-#rc_use="logger"

diff --git a/net-firewall/iptables/iptables-1.6.1-r3.ebuild b/net-firewall/iptables/iptables-1.6.1-r3.ebuild
deleted file mode 100644
index d024b756fa0..00000000000
--- a/net-firewall/iptables/iptables-1.6.1-r3.ebuild
+++ /dev/null
@@ -1,119 +0,0 @@
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="5"
-
-# Force users doing their own patches to install their own tools
-AUTOTOOLS_AUTO_DEPEND=no
-
-inherit eutils multilib systemd toolchain-funcs autotools flag-o-matic ltprune usr-ldscript
-
-DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
-HOMEPAGE="https://www.netfilter.org/projects/iptables/"
-SRC_URI="https://www.netfilter.org/projects/iptables/files/${P}.tar.bz2"
-
-LICENSE="GPL-2"
-# Subslot tracks libxtables as that's the one other packages generally link
-# against and iptables changes.  Will have to revisit if other sonames change.
-SLOT="0/12"
-KEYWORDS="~alpha amd64 arm arm64 ~hppa ~ia64 ~m68k ~mips ppc ppc64 s390 sparc x86"
-IUSE="conntrack ipv6 netlink nftables pcap static-libs"
-
-COMMON_DEPEND="
-	conntrack? ( >=net-libs/libnetfilter_conntrack-1.0.6 )
-	netlink? ( net-libs/libnfnetlink )
-	nftables? (
-		>=net-libs/libmnl-1.0:0=
-		>=net-libs/libnftnl-1.0.5:0=
-	)
-	pcap? ( net-libs/libpcap )
-"
-DEPEND="${COMMON_DEPEND}
-	virtual/os-headers
-	>=sys-kernel/linux-headers-4.4:0
-	virtual/pkgconfig
-	nftables? (
-		sys-devel/flex
-		virtual/yacc
-	)
-"
-RDEPEND="${COMMON_DEPEND}
-	nftables? (
-		!<net-firewall/ebtables-2.0.10.4-r2
-		!net-misc/ethertypes
-	)
-"
-
-src_prepare() {
-	# use the saner headers from the kernel
-	rm -f include/linux/{kernel,types}.h
-
-	# Only run autotools if user patched something
-	epatch_user && eautoreconf || elibtoolize
-}
-
-src_configure() {
-	# Some libs use $(AR) rather than libtool to build #444282
-	tc-export AR
-
-	# Hack around struct mismatches between userland & kernel for some ABIs. #472388
-	use amd64 && [[ ${ABI} == "x32" ]] && append-flags -fpack-struct
-
-	sed -i \
-		-e "/nfnetlink=[01]/s:=[01]:=$(usex netlink 1 0):" \
-		-e "/nfconntrack=[01]/s:=[01]:=$(usex conntrack 1 0):" \
-		configure || die
-
-	econf \
-		--sbindir="${EPREFIX}/sbin" \
-		--libexecdir="${EPREFIX}/$(get_libdir)" \
-		--enable-devel \
-		--enable-shared \
-		$(use_enable nftables) \
-		$(use_enable pcap bpf-compiler) \
-		$(use_enable pcap nfsynproxy) \
-		$(use_enable static-libs static) \
-		$(use_enable ipv6)
-}
-
-src_compile() {
-	# Deal with parallel build errors.
-	use nftables && emake -C iptables xtables-config-parser.h
-	emake V=1
-}
-
-src_install() {
-	default
-	dodoc INCOMPATIBILITIES iptables/iptables.xslt
-
-	# all the iptables binaries are in /sbin, so might as well
-	# put these small files in with them
-	into /
-	dosbin iptables/iptables-apply
-	dosym iptables-apply /sbin/ip6tables-apply
-	doman iptables/iptables-apply.8
-
-	insinto /usr/include
-	doins include/iptables.h $(use ipv6 && echo include/ip6tables.h)
-	insinto /usr/include/iptables
-	doins include/iptables/internal.h
-
-	keepdir /var/lib/iptables
-	newinitd "${FILESDIR}"/${PN}.init iptables
-	newconfd "${FILESDIR}"/${PN}-1.4.13.confd iptables
-	if use ipv6 ; then
-		keepdir /var/lib/ip6tables
-		newinitd "${FILESDIR}"/iptables.init ip6tables
-		newconfd "${FILESDIR}"/ip6tables-1.4.13.confd ip6tables
-	fi
-
-	systemd_dounit "${FILESDIR}"/systemd/iptables-{re,}store.service
-	if use ipv6 ; then
-		systemd_dounit "${FILESDIR}"/systemd/ip6tables-{re,}store.service
-	fi
-
-	# Move important libs to /lib #332175
-	gen_usr_ldscript -a ip{4,6}tc iptc xtables
-
-	prune_libtool_files
-}

diff --git a/net-firewall/iptables/iptables-1.6.2-r2.ebuild b/net-firewall/iptables/iptables-1.6.2-r2.ebuild
deleted file mode 100644
index abd85bcb2eb..00000000000
--- a/net-firewall/iptables/iptables-1.6.2-r2.ebuild
+++ /dev/null
@@ -1,123 +0,0 @@
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=6
-
-# Force users doing their own patches to install their own tools
-AUTOTOOLS_AUTO_DEPEND=no
-
-inherit ltprune multilib systemd toolchain-funcs autotools flag-o-matic usr-ldscript
-
-DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
-HOMEPAGE="https://www.netfilter.org/projects/iptables/"
-SRC_URI="https://www.netfilter.org/projects/iptables/files/${P}.tar.bz2"
-
-LICENSE="GPL-2"
-# Subslot tracks libxtables as that's the one other packages generally link
-# against and iptables changes.  Will have to revisit if other sonames change.
-SLOT="0/12"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sparc ~x86"
-IUSE="conntrack ipv6 netlink nftables pcap static-libs"
-
-COMMON_DEPEND="
-	conntrack? ( >=net-libs/libnetfilter_conntrack-1.0.6 )
-	netlink? ( net-libs/libnfnetlink )
-	nftables? (
-		>=net-libs/libmnl-1.0:0=
-		>=net-libs/libnftnl-1.0.5:0=
-	)
-	pcap? ( net-libs/libpcap )
-"
-DEPEND="${COMMON_DEPEND}
-	virtual/os-headers
-	>=sys-kernel/linux-headers-4.4:0
-	virtual/pkgconfig
-	nftables? (
-		sys-devel/flex
-		virtual/yacc
-	)
-"
-RDEPEND="${COMMON_DEPEND}
-	nftables? ( net-misc/ethertypes )
-"
-
-src_prepare() {
-	# use the saner headers from the kernel
-	rm -f include/linux/{kernel,types}.h
-
-	# Only run autotools if user patched something
-	eapply_user && eautoreconf || elibtoolize
-}
-
-src_configure() {
-	# Some libs use $(AR) rather than libtool to build #444282
-	tc-export AR
-
-	# Hack around struct mismatches between userland & kernel for some ABIs. #472388
-	use amd64 && [[ ${ABI} == "x32" ]] && append-flags -fpack-struct
-
-	sed -i \
-		-e "/nfnetlink=[01]/s:=[01]:=$(usex netlink 1 0):" \
-		-e "/nfconntrack=[01]/s:=[01]:=$(usex conntrack 1 0):" \
-		configure || die
-
-	local myeconfargs=(
-		--sbindir="${EPREFIX}/sbin"
-		--libexecdir="${EPREFIX}/$(get_libdir)"
-		--enable-devel
-		--enable-shared
-		$(use_enable nftables)
-		$(use_enable pcap bpf-compiler)
-		$(use_enable pcap nfsynproxy)
-		$(use_enable static-libs static)
-		$(use_enable ipv6)
-	)
-	econf "${myeconfargs[@]}"
-}
-
-src_compile() {
-	# Deal with parallel build errors.
-	use nftables && emake -C iptables xtables-config-parser.h
-	emake V=1
-}
-
-src_install() {
-	default
-	dodoc INCOMPATIBILITIES iptables/iptables.xslt
-
-	# all the iptables binaries are in /sbin, so might as well
-	# put these small files in with them
-	into /
-	dosbin iptables/iptables-apply
-	dosym iptables-apply /sbin/ip6tables-apply
-	doman iptables/iptables-apply.8
-
-	insinto /usr/include
-	doins include/iptables.h $(use ipv6 && echo include/ip6tables.h)
-	insinto /usr/include/iptables
-	doins include/iptables/internal.h
-
-	keepdir /var/lib/iptables
-	newinitd "${FILESDIR}"/${PN}.init iptables
-	newconfd "${FILESDIR}"/${PN}-1.4.13.confd iptables
-	if use ipv6 ; then
-		keepdir /var/lib/ip6tables
-		newinitd "${FILESDIR}"/iptables.init ip6tables
-		newconfd "${FILESDIR}"/ip6tables-1.4.13.confd ip6tables
-	fi
-
-	if use nftables; then
-		# Bug 647458
-		rm "${ED%/}"/etc/ethertypes || die
-	fi
-
-	systemd_dounit "${FILESDIR}"/systemd/iptables-{re,}store.service
-	if use ipv6 ; then
-		systemd_dounit "${FILESDIR}"/systemd/ip6tables-{re,}store.service
-	fi
-
-	# Move important libs to /lib #332175
-	gen_usr_ldscript -a ip{4,6}tc iptc xtables
-
-	prune_libtool_files
-}

diff --git a/net-firewall/iptables/iptables-1.8.4-r2.ebuild b/net-firewall/iptables/iptables-1.8.4-r2.ebuild
deleted file mode 100644
index 3298be20c0a..00000000000
--- a/net-firewall/iptables/iptables-1.8.4-r2.ebuild
+++ /dev/null
@@ -1,179 +0,0 @@
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit multilib systemd toolchain-funcs autotools flag-o-matic usr-ldscript
-
-DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
-HOMEPAGE="https://www.netfilter.org/projects/iptables/"
-SRC_URI="https://www.netfilter.org/projects/iptables/files/${P}.tar.bz2"
-
-LICENSE="GPL-2"
-# Subslot reflects PV when libxtables and/or libip*tc was changed
-# the last time.
-SLOT="0/1.8.3"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
-IUSE="conntrack ipv6 netlink nftables pcap static-libs"
-
-BUILD_DEPEND="
-	>=app-eselect/eselect-iptables-20200508
-"
-COMMON_DEPEND="
-	conntrack? ( >=net-libs/libnetfilter_conntrack-1.0.6 )
-	netlink? ( net-libs/libnfnetlink )
-	nftables? (
-		>=net-libs/libmnl-1.0:0=
-		>=net-libs/libnftnl-1.1.5:0=
-	)
-	pcap? ( net-libs/libpcap )
-"
-DEPEND="${COMMON_DEPEND}
-	virtual/os-headers
-	>=sys-kernel/linux-headers-4.4:0
-"
-BDEPEND="${BUILD_DEPEND}
-	app-eselect/eselect-iptables
-	virtual/pkgconfig
-	nftables? (
-		sys-devel/flex
-		virtual/yacc
-	)
-"
-RDEPEND="${COMMON_DEPEND}
-	${BUILD_DEPEND}
-	nftables? ( net-misc/ethertypes )
-	!<net-firewall/ebtables-2.0.11-r1
-	!<net-firewall/arptables-0.0.5-r1
-"
-
-PATCHES=(
-	"${FILESDIR}/iptables-1.8.4-no-symlinks.patch"
-	"${FILESDIR}/iptables-1.8.2-link.patch"
-)
-
-src_prepare() {
-	# use the saner headers from the kernel
-	rm include/linux/{kernel,types}.h || die
-
-	default
-	eautoreconf
-}
-
-src_configure() {
-	# Some libs use $(AR) rather than libtool to build #444282
-	tc-export AR
-
-	# Hack around struct mismatches between userland & kernel for some ABIs. #472388
-	use amd64 && [[ ${ABI} == "x32" ]] && append-flags -fpack-struct
-
-	sed -i \
-		-e "/nfnetlink=[01]/s:=[01]:=$(usex netlink 1 0):" \
-		-e "/nfconntrack=[01]/s:=[01]:=$(usex conntrack 1 0):" \
-		configure || die
-
-	local myeconfargs=(
-		--sbindir="${EPREFIX}/sbin"
-		--libexecdir="${EPREFIX}/$(get_libdir)"
-		--enable-devel
-		--enable-shared
-		$(use_enable nftables)
-		$(use_enable pcap bpf-compiler)
-		$(use_enable pcap nfsynproxy)
-		$(use_enable static-libs static)
-		$(use_enable ipv6)
-	)
-	econf "${myeconfargs[@]}"
-}
-
-src_compile() {
-	emake V=1
-}
-
-src_install() {
-	default
-	dodoc INCOMPATIBILITIES iptables/iptables.xslt
-
-	# all the iptables binaries are in /sbin, so might as well
-	# put these small files in with them
-	into /
-	dosbin iptables/iptables-apply
-	dosym iptables-apply /sbin/ip6tables-apply
-	doman iptables/iptables-apply.8
-
-	insinto /usr/include
-	doins include/iptables.h $(use ipv6 && echo include/ip6tables.h)
-	insinto /usr/include/iptables
-	doins include/iptables/internal.h
-
-	keepdir /var/lib/iptables
-	newinitd "${FILESDIR}"/${PN}-r2.init iptables
-	newconfd "${FILESDIR}"/${PN}-r1.confd iptables
-	if use ipv6 ; then
-		keepdir /var/lib/ip6tables
-		dosym iptables /etc/init.d/ip6tables
-		newconfd "${FILESDIR}"/ip6tables-r1.confd ip6tables
-	fi
-
-	if use nftables; then
-		# Bug 647458
-		rm "${ED}"/etc/ethertypes || die
-
-		# Bugs 660886 and 669894
-		rm "${ED}"/sbin/{arptables,ebtables}{,-{save,restore}} || die
-	fi
-
-	systemd_dounit "${FILESDIR}"/systemd/iptables-{re,}store.service
-	if use ipv6 ; then
-		systemd_dounit "${FILESDIR}"/systemd/ip6tables-{re,}store.service
-	fi
-
-	# Move important libs to /lib #332175
-	gen_usr_ldscript -a ip{4,6}tc xtables
-
-	find "${ED}" -type f -name "*.la" -delete || die
-}
-
-pkg_postinst() {
-	local default_iptables="xtables-legacy-multi"
-	if ! eselect iptables show &>/dev/null; then
-		elog "Current iptables implementation is unset, setting to ${default_iptables}"
-		eselect iptables set "${default_iptables}"
-	fi
-
-	if use nftables; then
-		local tables
-		for tables in {arp,eb}tables; do
-			if ! eselect ${tables} show &>/dev/null; then
-				elog "Current ${tables} implementation is unset, setting to ${default_iptables}"
-				eselect ${tables} set xtables-nft-multi
-			fi
-		done
-	fi
-
-	eselect iptables show
-}
-
-pkg_prerm() {
-	elog "Unsetting iptables symlinks before removal"
-	eselect iptables unset
-
-	if ! has_version 'net-firewall/ebtables'; then
-		elog "Unsetting ebtables symlinks before removal"
-		eselect ebtables unset
-	elif [[ -z ${REPLACED_BY_VERSION} ]]; then
-		elog "Resetting ebtables symlinks to ebtables-legacy"
-		eselect ebtables set ebtables-legacy
-	fi
-
-	if ! has_version 'net-firewall/arptables'; then
-		elog "Unsetting arptables symlinks before removal"
-		eselect arptables unset
-	elif [[ -z ${REPLACED_BY_VERSION} ]]; then
-		elog "Resetting arptables symlinks to arptables-legacy"
-		eselect arptables set arptables-legacy
-	fi
-
-	# the eselect module failing should not be fatal
-	return 0
-}



* [gentoo-commits] repo/gentoo:master commit in: net-firewall/iptables/files/, net-firewall/iptables/
@ 2022-05-14 21:24 Sam James
From: Sam James @ 2022-05-14 21:24 UTC (permalink / raw
  To: gentoo-commits

commit:     9b5cb98661907b8e44b7c5b61fc9f7d7c4fc7703
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Sat May 14 03:46:57 2022 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Sat May 14 21:22:22 2022 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9b5cb986

net-firewall/iptables: add 1.8.8

Signed-off-by: Sam James <sam <AT> gentoo.org>

 net-firewall/iptables/Manifest                     |   1 +
 .../files/iptables-1.8.8-format-security.patch     |  21 +++
 net-firewall/iptables/iptables-1.8.8.ebuild        | 176 +++++++++++++++++++++
 3 files changed, 198 insertions(+)

diff --git a/net-firewall/iptables/Manifest b/net-firewall/iptables/Manifest
index 20be9ec24c2d..76320a6fa208 100644
--- a/net-firewall/iptables/Manifest
+++ b/net-firewall/iptables/Manifest
@@ -1 +1,2 @@
 DIST iptables-1.8.7.tar.bz2 717862 BLAKE2B fd4dcff142eaadde2a14ce3eb5e45d41c326752553b52900c77fd2e2a20c0685d0a04b95755995e914df47658834d52216d6465c2ae9cd6abc6eb122b95cc976 SHA512 c0a33fafbf1139157a9f52860938ebedc282a1394a68dcbd58981159379eb525919f999b25925f2cb4d6b18089bd99a94b00b3e73cff5cb0a0e47bdff174ed75
+DIST iptables-1.8.8.tar.bz2 746985 BLAKE2B 0da021cc7313b86af331768904956dab3eee3de245a7b03965129f3d7f13097fc03fbb1390167dcd971eff216eabad9e59b261a9c0f54bfc48a77453aa40d164 SHA512 f21df23279a77531a23f3fcb1b8f0f8ec0c726bda236dd0e33af74b06753baff6ce3f26fb9fcceb6fada560656ba901e68fc6452eb840ac1b206bc4654950f59

diff --git a/net-firewall/iptables/files/iptables-1.8.8-format-security.patch b/net-firewall/iptables/files/iptables-1.8.8-format-security.patch
new file mode 100644
index 000000000000..fafc435379b5
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-1.8.8-format-security.patch
@@ -0,0 +1,21 @@
+https://git.netfilter.org/iptables/commit/?id=b72eb12ea5a61df0655ad99d5048994e916be83a
+
+From: Phil Sutter <phil@nwl.cc>
+Date: Fri, 13 May 2022 16:51:58 +0200
+Subject: xshared: Fix build for -Werror=format-security
+
+Gcc complains about the omitted format string.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+--- a/iptables/xshared.c
++++ b/iptables/xshared.c
+@@ -1307,7 +1307,7 @@ static void check_empty_interface(struct xtables_args *args, const char *arg)
+ 		return;
+ 
+ 	if (args->family != NFPROTO_ARP)
+-		xtables_error(PARAMETER_PROBLEM, msg);
++		xtables_error(PARAMETER_PROBLEM, "%s", msg);
+ 
+ 	fprintf(stderr, "%s", msg);
+ }
+cgit v1.2.3

diff --git a/net-firewall/iptables/iptables-1.8.8.ebuild b/net-firewall/iptables/iptables-1.8.8.ebuild
new file mode 100644
index 000000000000..e65230759e5f
--- /dev/null
+++ b/net-firewall/iptables/iptables-1.8.8.ebuild
@@ -0,0 +1,176 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit systemd toolchain-funcs autotools flag-o-matic usr-ldscript
+
+DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
+HOMEPAGE="https://www.netfilter.org/projects/iptables/"
+SRC_URI="https://www.netfilter.org/projects/iptables/files/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+# Subslot reflects PV when libxtables and/or libip*tc was changed
+# the last time.
+SLOT="0/1.8.3"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
+IUSE="conntrack netlink nftables pcap static-libs"
+
+BUILD_DEPEND="
+	>=app-eselect/eselect-iptables-20220320
+"
+COMMON_DEPEND="
+	conntrack? ( >=net-libs/libnetfilter_conntrack-1.0.6 )
+	netlink? ( net-libs/libnfnetlink )
+	nftables? (
+		>=net-libs/libmnl-1.0:0=
+		>=net-libs/libnftnl-1.1.6:0=
+	)
+	pcap? ( net-libs/libpcap )
+"
+DEPEND="${COMMON_DEPEND}
+	virtual/os-headers
+	>=sys-kernel/linux-headers-4.4:0
+"
+BDEPEND="${BUILD_DEPEND}
+	virtual/pkgconfig
+	nftables? (
+		sys-devel/flex
+		virtual/yacc
+	)
+"
+RDEPEND="${COMMON_DEPEND}
+	${BUILD_DEPEND}
+	nftables? ( net-misc/ethertypes )
+	!<net-firewall/ebtables-2.0.11-r1
+	!<net-firewall/arptables-0.0.5-r1
+"
+
+PATCHES=(
+	"${FILESDIR}/iptables-1.8.4-no-symlinks.patch"
+	"${FILESDIR}/iptables-1.8.2-link.patch"
+
+	"${FILESDIR}/${P}-format-security.patch"
+)
+
+src_prepare() {
+	# use the saner headers from the kernel
+	rm include/linux/{kernel,types}.h || die
+
+	default
+	eautoreconf
+}
+
+src_configure() {
+	# Some libs use $(AR) rather than libtool to build #444282
+	tc-export AR
+
+	# Hack around struct mismatches between userland & kernel for some ABIs. #472388
+	use amd64 && [[ ${ABI} == "x32" ]] && append-flags -fpack-struct
+
+	sed -i \
+		-e "/nfnetlink=[01]/s:=[01]:=$(usex netlink 1 0):" \
+		-e "/nfconntrack=[01]/s:=[01]:=$(usex conntrack 1 0):" \
+		configure || die
+
+	local myeconfargs=(
+		--sbindir="${EPREFIX}/sbin"
+		--libexecdir="${EPREFIX}/$(get_libdir)"
+		--enable-devel
+		--enable-ipv6
+		--enable-shared
+		$(use_enable nftables)
+		$(use_enable pcap bpf-compiler)
+		$(use_enable pcap nfsynproxy)
+		$(use_enable static-libs static)
+	)
+	econf "${myeconfargs[@]}"
+}
+
+src_compile() {
+	emake V=1
+}
+
+src_install() {
+	default
+	dodoc INCOMPATIBILITIES iptables/iptables.xslt
+
+	# all the iptables binaries are in /sbin, so might as well
+	# put these small files in with them
+	into /
+	dosbin iptables/iptables-apply
+	dosym iptables-apply /sbin/ip6tables-apply
+	doman iptables/iptables-apply.8
+
+	insinto /usr/include
+	doins include/ip{,6}tables.h
+	insinto /usr/include/iptables
+	doins include/iptables/internal.h
+
+	keepdir /var/lib/ip{,6}tables
+	newinitd "${FILESDIR}"/${PN}-r2.init iptables
+	newconfd "${FILESDIR}"/${PN}-r1.confd iptables
+	dosym iptables /etc/init.d/ip6tables
+	newconfd "${FILESDIR}"/ip6tables-r1.confd ip6tables
+
+	if use nftables; then
+		# Bug 647458
+		rm "${ED}"/etc/ethertypes || die
+
+		# Bugs 660886 and 669894
+		rm "${ED}"/sbin/{arptables,ebtables}{,-{save,restore}} || die
+	fi
+
+	systemd_dounit "${FILESDIR}"/systemd/ip{,6}tables-{re,}store.service
+
+	# Move important libs to /lib #332175
+	gen_usr_ldscript -a ip{4,6}tc xtables
+
+	find "${ED}" -type f -name "*.la" -delete || die
+}
+
+pkg_postinst() {
+	local default_iptables="xtables-legacy-multi"
+	if ! eselect iptables show &>/dev/null; then
+		elog "Current iptables implementation is unset, setting to ${default_iptables}"
+		eselect iptables set "${default_iptables}"
+	fi
+
+	if use nftables; then
+		local tables
+		for tables in {arp,eb}tables; do
+			if ! eselect ${tables} show &>/dev/null; then
+				elog "Current ${tables} implementation is unset, setting to ${default_iptables}"
+				eselect ${tables} set xtables-nft-multi
+			fi
+		done
+	fi
+
+	eselect iptables show
+}
+
+pkg_prerm() {
+	if [[ -z ${REPLACED_BY_VERSION} ]]; then
+		elog "Unsetting iptables symlinks before removal"
+		eselect iptables unset
+	fi
+
+	if ! has_version 'net-firewall/ebtables'; then
+		elog "Unsetting ebtables symlinks before removal"
+		eselect ebtables unset
+	elif [[ -z ${REPLACED_BY_VERSION} ]]; then
+		elog "Resetting ebtables symlinks to ebtables-legacy"
+		eselect ebtables set ebtables-legacy
+	fi
+
+	if ! has_version 'net-firewall/arptables'; then
+		elog "Unsetting arptables symlinks before removal"
+		eselect arptables unset
+	elif [[ -z ${REPLACED_BY_VERSION} ]]; then
+		elog "Resetting arptables symlinks to arptables-legacy"
+		eselect arptables set arptables-legacy
+	fi
+
+	# the eselect module failing should not be fatal
+	return 0
+}
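Review bot: In pkg_postinst, the elog inside the `for tables in {arp,eb}tables` loop reports `setting to ${default_iptables}`, which expands to xtables-legacy-multi, while the very next line runs `eselect ${tables} set xtables-nft-multi`. For a firewall package the merge log should name the backend that was actually selected, otherwise an admin auditing the log is told arptables/ebtables went to the legacy implementation when they went to nft. I would change the message to `elog "Current ${tables} implementation is unset, setting to xtables-nft-multi"`, or hold the value in a local and use it in both the elog and the `eselect ... set` call so the two cannot drift apart.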



* [gentoo-commits] repo/gentoo:master commit in: net-firewall/iptables/files/, net-firewall/iptables/
@ 2022-05-18 20:52 Sam James
From: Sam James @ 2022-05-18 20:52 UTC (permalink / raw
  To: gentoo-commits

commit:     d8ae486250804a820434c22df25be9cfdb584f31
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Wed May 18 20:52:39 2022 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Wed May 18 20:52:47 2022 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d8ae4862

net-firewall/iptables: fix build w/ musl (and installed headers)

Signed-off-by: Sam James <sam <AT> gentoo.org>

 .../iptables/files/iptables-1.8.8-uint-musl.patch  | 135 +++++++++++++++++++++
 ...ables-1.8.8.ebuild => iptables-1.8.8-r1.ebuild} |   1 +
 2 files changed, 136 insertions(+)

diff --git a/net-firewall/iptables/files/iptables-1.8.8-uint-musl.patch b/net-firewall/iptables/files/iptables-1.8.8-uint-musl.patch
new file mode 100644
index 000000000000..40302f624e23
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-1.8.8-uint-musl.patch
@@ -0,0 +1,135 @@
+https://git.netfilter.org/iptables/commit/?id=f319389525b066b7dc6d389c88f16a0df3b8f189
+
+From: Nick Hainke <vincent@systemli.org>
+Date: Mon, 16 May 2022 18:16:41 +0200
+Subject: treewide: use uint* instead of u_int*
+
+Gcc complains about missing types. Some commits introduced u_int* instead
+of uint*. Use uint treewide.
+
+Fixes errors in the form of:
+In file included from xtables-legacy-multi.c:5:
+xshared.h:83:56: error: unknown type name 'u_int16_t'; did you mean 'uint16_t'?
+    83 | set_option(unsigned int *options, unsigned int option, u_int16_t *invflg,
+        |                                                        ^~~~~~~~~
+        |                                                        uint16_t
+make[6]: *** [Makefile:712: xtables_legacy_multi-xtables-legacy-multi.o] Error 1
+
+Avoid libipq API breakage by adjusting libipq.h include accordingly. For
+arpt_mangle.h kernel uAPI header, apply same change as in kernel commit
+e91ded8db5747 ("uapi: netfilter_arp: use __u8 instead of u_int8_t").
+
+Signed-off-by: Nick Hainke <vincent@systemli.org>
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+--- a/extensions/libxt_conntrack.c
++++ b/extensions/libxt_conntrack.c
+@@ -778,7 +778,7 @@ matchinfo_print(const void *ip, const struct xt_entry_match *match, int numeric,
+ 
+ static void
+ conntrack_dump_ports(const char *prefix, const char *opt,
+-		     u_int16_t port_low, u_int16_t port_high)
++		     uint16_t port_low, uint16_t port_high)
+ {
+ 	if (port_high == 0 || port_low == port_high)
+ 		printf(" %s%s %u", prefix, opt, port_low);
+--- a/include/libipq/libipq.h
++++ b/include/libipq/libipq.h
+@@ -24,7 +24,7 @@
+ #include <errno.h>
+ #include <unistd.h>
+ #include <fcntl.h>
+-#include <sys/types.h>
++#include <stdint.h>
+ #include <sys/socket.h>
+ #include <sys/uio.h>
+ #include <asm/types.h>
+@@ -48,19 +48,19 @@ typedef unsigned long ipq_id_t;
+ struct ipq_handle
+ {
+ 	int fd;
+-	u_int8_t blocking;
++	uint8_t blocking;
+ 	struct sockaddr_nl local;
+ 	struct sockaddr_nl peer;
+ };
+ 
+-struct ipq_handle *ipq_create_handle(u_int32_t flags, u_int32_t protocol);
++struct ipq_handle *ipq_create_handle(uint32_t flags, uint32_t protocol);
+ 
+ int ipq_destroy_handle(struct ipq_handle *h);
+ 
+ ssize_t ipq_read(const struct ipq_handle *h,
+                 unsigned char *buf, size_t len, int timeout);
+ 
+-int ipq_set_mode(const struct ipq_handle *h, u_int8_t mode, size_t len);
++int ipq_set_mode(const struct ipq_handle *h, uint8_t mode, size_t len);
+ 
+ ipq_packet_msg_t *ipq_get_packet(const unsigned char *buf);
+ 
+--- a/include/libiptc/libxtc.h
++++ b/include/libiptc/libxtc.h
+@@ -10,7 +10,7 @@ extern "C" {
+ #endif
+ 
+ #ifndef XT_MIN_ALIGN
+-/* xt_entry has pointers and u_int64_t's in it, so if you align to
++/* xt_entry has pointers and uint64_t's in it, so if you align to
+    it, you'll also align to any crazy matches and targets someone
+    might write */
+ #define XT_MIN_ALIGN (__alignof__(struct xt_entry))
+--- a/include/linux/netfilter_arp/arpt_mangle.h
++++ b/include/linux/netfilter_arp/arpt_mangle.h
+@@ -13,7 +13,7 @@ struct arpt_mangle
+ 	union {
+ 		struct in_addr tgt_ip;
+ 	} u_t;
+-	u_int8_t flags;
++	__u8 flags;
+ 	int target;
+ };
+ 
+--- a/iptables/xshared.c
++++ b/iptables/xshared.c
+@@ -1025,7 +1025,7 @@ static const int inverse_for_options[NUMBER_OF_OPT] =
+ };
+ 
+ void
+-set_option(unsigned int *options, unsigned int option, u_int16_t *invflg,
++set_option(unsigned int *options, unsigned int option, uint16_t *invflg,
+ 	   bool invert)
+ {
+ 	if (*options & option)
+--- a/iptables/xshared.h
++++ b/iptables/xshared.h
+@@ -80,7 +80,7 @@ struct xtables_target;
+ #define IPT_INV_ARPHRD		0x0800
+ 
+ void
+-set_option(unsigned int *options, unsigned int option, u_int16_t *invflg,
++set_option(unsigned int *options, unsigned int option, uint16_t *invflg,
+ 	   bool invert);
+ 
+ /**
+--- a/libipq/ipq_create_handle.3
++++ b/libipq/ipq_create_handle.3
+@@ -24,7 +24,7 @@ ipq_create_handle, ipq_destroy_handle \(em create and destroy libipq handles.
+ .br
+ .B #include <libipq.h>
+ .sp
+-.BI "struct ipq_handle *ipq_create_handle(u_int32_t " flags ", u_int32_t " protocol ");"
++.BI "struct ipq_handle *ipq_create_handle(uint32_t " flags ", uint32_t " protocol ");"
+ .br
+ .BI "int ipq_destroy_handle(struct ipq_handle *" h );
+ .SH DESCRIPTION
+--- a/libipq/ipq_set_mode.3
++++ b/libipq/ipq_set_mode.3
+@@ -24,7 +24,7 @@ ipq_set_mode \(em set the ip_queue queuing mode
+ .br
+ .B #include <libipq.h>
+ .sp
+-.BI "int ipq_set_mode(const struct ipq_handle *" h ", u_int8_t " mode ", size_t " range );
++.BI "int ipq_set_mode(const struct ipq_handle *" h ", uint8_t " mode ", size_t " range );
+ .SH DESCRIPTION
+ The
+ .B ipq_set_mode
+cgit v1.2.3

diff --git a/net-firewall/iptables/iptables-1.8.8.ebuild b/net-firewall/iptables/iptables-1.8.8-r1.ebuild
similarity index 99%
rename from net-firewall/iptables/iptables-1.8.8.ebuild
rename to net-firewall/iptables/iptables-1.8.8-r1.ebuild
index e65230759e5f..2a2b9aa257c0 100644
--- a/net-firewall/iptables/iptables-1.8.8.ebuild
+++ b/net-firewall/iptables/iptables-1.8.8-r1.ebuild
@@ -51,6 +51,7 @@ PATCHES=(
 	"${FILESDIR}/iptables-1.8.2-link.patch"
 
 	"${FILESDIR}/${P}-format-security.patch"
+	"${FILESDIR}/${P}-uint-musl.patch"
 )
 
 src_prepare() {



* [gentoo-commits] repo/gentoo:master commit in: net-firewall/iptables/files/, net-firewall/iptables/
@ 2022-05-28  2:52 Sam James
From: Sam James @ 2022-05-28  2:52 UTC (permalink / raw
  To: gentoo-commits

commit:     56a695955754b0947cc12f99da838eab57f939de
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Sat May 28 02:52:03 2022 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Sat May 28 02:52:21 2022 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=56a69595

net-firewall/iptables: fix musl build

Closes: https://bugs.gentoo.org/846377
Signed-off-by: Sam James <sam <AT> gentoo.org>

 .../files/iptables-1.8.8-musl-headers.patch        | 59 ++++++++++++++++++++++
 .../files/iptables-1.8.8-out-of-tree-build.patch   | 26 ++++++++++
 net-firewall/iptables/iptables-1.8.8-r2.ebuild     |  2 +
 3 files changed, 87 insertions(+)

diff --git a/net-firewall/iptables/files/iptables-1.8.8-musl-headers.patch b/net-firewall/iptables/files/iptables-1.8.8-musl-headers.patch
new file mode 100644
index 000000000000..52e2c7019972
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-1.8.8-musl-headers.patch
@@ -0,0 +1,59 @@
+https://git.netfilter.org/iptables/commit/?id=0e7cf0ad306cdf95dc3c28d15a254532206a888e
+https://bugs.gentoo.org/846377
+
+From: Phil Sutter <phil@nwl.cc>
+Date: Wed, 18 May 2022 16:04:09 +0200
+Subject: Revert "fix build for missing ETH_ALEN definition"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This reverts commit c5d9a723b5159a28f547b577711787295a14fd84 as it broke
+compiling against musl libc. Might be a bug in the latter, but for the
+time being try to please both by avoiding the include and instead
+defining ETH_ALEN if unset.
+
+While being at it, move netinet/ether.h include up.
+
+Fixes: 1bdb5535f561a ("libxtables: Extend MAC address printing/parsing support")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Reviewed-by: Maciej Żenczykowski <maze@google.com>
+--- a/libxtables/xtables.c
++++ b/libxtables/xtables.c
+@@ -28,6 +28,7 @@
+ #include <stdlib.h>
+ #include <string.h>
+ #include <unistd.h>
++#include <netinet/ether.h>
+ #include <sys/socket.h>
+ #include <sys/stat.h>
+ #include <sys/statfs.h>
+@@ -45,7 +46,6 @@
+ 
+ #include <xtables.h>
+ #include <limits.h> /* INT_MAX in ip_tables.h/ip6_tables.h */
+-#include <linux/if_ether.h> /* ETH_ALEN */
+ #include <linux/netfilter_ipv4/ip_tables.h>
+ #include <linux/netfilter_ipv6/ip6_tables.h>
+ #include <libiptc/libxtc.h>
+@@ -72,6 +72,10 @@
+ #define PROC_SYS_MODPROBE "/proc/sys/kernel/modprobe"
+ #endif
+ 
++#ifndef ETH_ALEN
++#define ETH_ALEN 6
++#endif
++
+ /* we need this for ip6?tables-restore.  ip6?tables-restore.c sets line to the
+  * current line of the input file, in order  to give a more precise error
+  * message.  ip6?tables itself doesn't need this, so it is initialized to the
+@@ -2245,8 +2249,6 @@ void xtables_print_num(uint64_t number, unsigned int format)
+ 	printf(FMT("%4lluT ","%lluT "), (unsigned long long)number);
+ }
+ 
+-#include <netinet/ether.h>
+-
+ static const unsigned char mac_type_unicast[ETH_ALEN] =   {};
+ static const unsigned char msk_type_unicast[ETH_ALEN] =   {1};
+ static const unsigned char mac_type_multicast[ETH_ALEN] = {1};
+cgit v1.2.3

diff --git a/net-firewall/iptables/files/iptables-1.8.8-out-of-tree-build.patch b/net-firewall/iptables/files/iptables-1.8.8-out-of-tree-build.patch
new file mode 100644
index 000000000000..ee9e218b5dbd
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-1.8.8-out-of-tree-build.patch
@@ -0,0 +1,26 @@
+https://git.netfilter.org/iptables/commit/?id=0ebf52fc951b2a4d98a166afb34af4f364bbeece
+
+From: Ben Brown <ben@demerara.io>
+Date: Wed, 25 May 2022 16:26:13 +0100
+Subject: build: Fix error during out of tree build
+
+Fixes the following error:
+
+    ../../libxtables/xtables.c:52:10: fatal error: libiptc/linux_list.h: No such file or directory
+       52 | #include <libiptc/linux_list.h>
+
+Fixes: f58b0d7406451 ("libxtables: Implement notargets hash table")
+Signed-off-by: Ben Brown <ben@demerara.io>
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+--- a/libxtables/Makefile.am
++++ b/libxtables/Makefile.am
+@@ -1,7 +1,7 @@
+ # -*- Makefile -*-
+ 
+ AM_CFLAGS   = ${regular_CFLAGS}
+-AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include -I${top_srcdir}/include -I${top_srcdir}/iptables ${kinclude_CPPFLAGS}
++AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include -I${top_srcdir}/include -I${top_srcdir}/iptables -I${top_srcdir} ${kinclude_CPPFLAGS}
+ 
+ lib_LTLIBRARIES       = libxtables.la
+ libxtables_la_SOURCES = xtables.c xtoptions.c getethertype.c
+cgit v1.2.3

diff --git a/net-firewall/iptables/iptables-1.8.8-r2.ebuild b/net-firewall/iptables/iptables-1.8.8-r2.ebuild
index 03c908c9d9b1..c4fcdc0fb260 100644
--- a/net-firewall/iptables/iptables-1.8.8-r2.ebuild
+++ b/net-firewall/iptables/iptables-1.8.8-r2.ebuild
@@ -52,6 +52,8 @@ PATCHES=(
 
 	"${FILESDIR}/${P}-format-security.patch"
 	"${FILESDIR}/${P}-uint-musl.patch"
+	"${FILESDIR}/${P}-musl-headers.patch"
+	"${FILESDIR}/${P}-out-of-tree-build.patch"
 )
 
 src_prepare() {



* [gentoo-commits] repo/gentoo:master commit in: net-firewall/iptables/files/, net-firewall/iptables/
@ 2022-09-23  2:14 Sam James
  0 siblings, 0 replies; 15+ messages in thread
From: Sam James @ 2022-09-23  2:14 UTC (permalink / raw
  To: gentoo-commits

commit:     72df47c7b128fc5e8b7019dee4632ddf9b20ed35
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Fri Sep 23 02:12:39 2022 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Fri Sep 23 02:13:36 2022 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=72df47c7

net-firewall/iptables: drop 1.8.7-r2

Signed-off-by: Sam James <sam <AT> gentoo.org>

 net-firewall/iptables/Manifest                     |   1 -
 .../files/iptables-1.8.7-cache-double-free.patch   |  61 -------
 net-firewall/iptables/iptables-1.8.7-r2.ebuild     | 176 ---------------------
 3 files changed, 238 deletions(-)

diff --git a/net-firewall/iptables/Manifest b/net-firewall/iptables/Manifest
index 76320a6fa208..44c1d5abb450 100644
--- a/net-firewall/iptables/Manifest
+++ b/net-firewall/iptables/Manifest
@@ -1,2 +1 @@
-DIST iptables-1.8.7.tar.bz2 717862 BLAKE2B fd4dcff142eaadde2a14ce3eb5e45d41c326752553b52900c77fd2e2a20c0685d0a04b95755995e914df47658834d52216d6465c2ae9cd6abc6eb122b95cc976 SHA512 c0a33fafbf1139157a9f52860938ebedc282a1394a68dcbd58981159379eb525919f999b25925f2cb4d6b18089bd99a94b00b3e73cff5cb0a0e47bdff174ed75
 DIST iptables-1.8.8.tar.bz2 746985 BLAKE2B 0da021cc7313b86af331768904956dab3eee3de245a7b03965129f3d7f13097fc03fbb1390167dcd971eff216eabad9e59b261a9c0f54bfc48a77453aa40d164 SHA512 f21df23279a77531a23f3fcb1b8f0f8ec0c726bda236dd0e33af74b06753baff6ce3f26fb9fcceb6fada560656ba901e68fc6452eb840ac1b206bc4654950f59

diff --git a/net-firewall/iptables/files/iptables-1.8.7-cache-double-free.patch b/net-firewall/iptables/files/iptables-1.8.7-cache-double-free.patch
deleted file mode 100644
index fc88636d2944..000000000000
--- a/net-firewall/iptables/files/iptables-1.8.7-cache-double-free.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-commit 4318961230bce82958df82b57f1796143bf2f421
-Author: Phil Sutter <phil@nwl.cc>
-Date:   Tue Sep 21 11:39:45 2021 +0200
-
-    nft: cache: Avoid double free of unrecognized base-chains
-    
-    On error, nft_cache_add_chain() frees the allocated nft_chain object
-    along with the nftnl_chain it points at. Fix nftnl_chain_list_cb() to
-    not free the nftnl_chain again in that case.
-    
-    Fixes: 176c92c26bfc9 ("nft: Introduce a dedicated base chain array")
-    Signed-off-by: Phil Sutter <phil@nwl.cc>
-
-diff --git a/iptables/nft-cache.c b/iptables/nft-cache.c
-index 2c88301c..9a03bbfb 100644
---- a/iptables/nft-cache.c
-+++ b/iptables/nft-cache.c
-@@ -314,9 +314,7 @@ static int nftnl_chain_list_cb(const struct nlmsghdr *nlh, void *data)
- 		goto out;
- 	}
- 
--	if (nft_cache_add_chain(h, t, c))
--		goto out;
--
-+	nft_cache_add_chain(h, t, c);
- 	return MNL_CB_OK;
- out:
- 	nftnl_chain_free(c);
-diff --git a/iptables/tests/shell/testcases/chain/0004extra-base_0 b/iptables/tests/shell/testcases/chain/0004extra-base_0
-new file mode 100755
-index 00000000..1b85b060
---- /dev/null
-+++ b/iptables/tests/shell/testcases/chain/0004extra-base_0
-@@ -0,0 +1,27 @@
-+#!/bin/bash
-+
-+case $XT_MULTI in
-+*xtables-nft-multi)
-+	;;
-+*)
-+	echo skip $XT_MULTI
-+	exit 0
-+	;;
-+esac
-+
-+set -e
-+
-+nft -f - <<EOF
-+table ip filter {
-+        chain INPUT {
-+                type filter hook input priority filter
-+                counter packets 218 bytes 91375 accept
-+        }
-+
-+        chain x {
-+                type filter hook input priority filter
-+        }
-+}
-+EOF
-+
-+$XT_MULTI iptables -L

diff --git a/net-firewall/iptables/iptables-1.8.7-r2.ebuild b/net-firewall/iptables/iptables-1.8.7-r2.ebuild
deleted file mode 100644
index 42fd108f2606..000000000000
--- a/net-firewall/iptables/iptables-1.8.7-r2.ebuild
+++ /dev/null
@@ -1,176 +0,0 @@
-# Copyright 1999-2022 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit systemd toolchain-funcs autotools flag-o-matic usr-ldscript
-
-DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
-HOMEPAGE="https://www.netfilter.org/projects/iptables/"
-SRC_URI="https://www.netfilter.org/projects/iptables/files/${P}.tar.bz2"
-
-LICENSE="GPL-2"
-# Subslot reflects PV when libxtables and/or libip*tc was changed
-# the last time.
-SLOT="0/1.8.3"
-KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86"
-IUSE="conntrack netlink nftables pcap static-libs"
-
-BUILD_DEPEND="
-	>=app-eselect/eselect-iptables-20220320
-"
-COMMON_DEPEND="
-	conntrack? ( >=net-libs/libnetfilter_conntrack-1.0.6 )
-	netlink? ( net-libs/libnfnetlink )
-	nftables? (
-		>=net-libs/libmnl-1.0:0=
-		>=net-libs/libnftnl-1.1.6:0=
-	)
-	pcap? ( net-libs/libpcap )
-"
-DEPEND="${COMMON_DEPEND}
-	virtual/os-headers
-	>=sys-kernel/linux-headers-4.4:0
-"
-BDEPEND="${BUILD_DEPEND}
-	virtual/pkgconfig
-	nftables? (
-		sys-devel/flex
-		virtual/yacc
-	)
-"
-RDEPEND="${COMMON_DEPEND}
-	${BUILD_DEPEND}
-	nftables? ( net-misc/ethertypes )
-	!<net-firewall/ebtables-2.0.11-r1
-	!<net-firewall/arptables-0.0.5-r1
-"
-
-PATCHES=(
-	"${FILESDIR}/iptables-1.8.4-no-symlinks.patch"
-	"${FILESDIR}/iptables-1.8.2-link.patch"
-	# https://bugs.gentoo.org/831626
-	"${FILESDIR}/iptables-1.8.7-cache-double-free.patch"
-)
-
-src_prepare() {
-	# use the saner headers from the kernel
-	rm include/linux/{kernel,types}.h || die
-
-	default
-	eautoreconf
-}
-
-src_configure() {
-	# Some libs use $(AR) rather than libtool to build #444282
-	tc-export AR
-
-	# Hack around struct mismatches between userland & kernel for some ABIs. #472388
-	use amd64 && [[ ${ABI} == "x32" ]] && append-flags -fpack-struct
-
-	sed -i \
-		-e "/nfnetlink=[01]/s:=[01]:=$(usex netlink 1 0):" \
-		-e "/nfconntrack=[01]/s:=[01]:=$(usex conntrack 1 0):" \
-		configure || die
-
-	local myeconfargs=(
-		--sbindir="${EPREFIX}/sbin"
-		--libexecdir="${EPREFIX}/$(get_libdir)"
-		--enable-devel
-		--enable-ipv6
-		--enable-shared
-		$(use_enable nftables)
-		$(use_enable pcap bpf-compiler)
-		$(use_enable pcap nfsynproxy)
-		$(use_enable static-libs static)
-	)
-	econf "${myeconfargs[@]}"
-}
-
-src_compile() {
-	emake V=1
-}
-
-src_install() {
-	default
-	dodoc INCOMPATIBILITIES iptables/iptables.xslt
-
-	# all the iptables binaries are in /sbin, so might as well
-	# put these small files in with them
-	into /
-	dosbin iptables/iptables-apply
-	dosym iptables-apply /sbin/ip6tables-apply
-	doman iptables/iptables-apply.8
-
-	insinto /usr/include
-	doins include/ip{,6}tables.h
-	insinto /usr/include/iptables
-	doins include/iptables/internal.h
-
-	keepdir /var/lib/ip{,6}tables
-	newinitd "${FILESDIR}"/${PN}-r2.init iptables
-	newconfd "${FILESDIR}"/${PN}-r1.confd iptables
-	dosym iptables /etc/init.d/ip6tables
-	newconfd "${FILESDIR}"/ip6tables-r1.confd ip6tables
-
-	if use nftables; then
-		# Bug 647458
-		rm "${ED}"/etc/ethertypes || die
-
-		# Bugs 660886 and 669894
-		rm "${ED}"/sbin/{arptables,ebtables}{,-{save,restore}} || die
-	fi
-
-	systemd_dounit "${FILESDIR}"/systemd/ip{,6}tables-{re,}store.service
-
-	# Move important libs to /lib #332175
-	gen_usr_ldscript -a ip{4,6}tc xtables
-
-	find "${ED}" -type f -name "*.la" -delete || die
-}
-
-pkg_postinst() {
-	local default_iptables="xtables-legacy-multi"
-	if ! eselect iptables show &>/dev/null; then
-		elog "Current iptables implementation is unset, setting to ${default_iptables}"
-		eselect iptables set "${default_iptables}"
-	fi
-
-	if use nftables; then
-		local tables
-		for tables in {arp,eb}tables; do
-			if ! eselect ${tables} show &>/dev/null; then
-				elog "Current ${tables} implementation is unset, setting to ${default_iptables}"
-				eselect ${tables} set xtables-nft-multi
-			fi
-		done
-	fi
-
-	eselect iptables show
-}
-
-pkg_prerm() {
-	if [[ -z ${REPLACED_BY_VERSION} ]]; then
-		elog "Unsetting iptables symlinks before removal"
-		eselect iptables unset
-	fi
-
-	if ! has_version 'net-firewall/ebtables'; then
-		elog "Unsetting ebtables symlinks before removal"
-		eselect ebtables unset
-	elif [[ -z ${REPLACED_BY_VERSION} ]]; then
-		elog "Resetting ebtables symlinks to ebtables-legacy"
-		eselect ebtables set ebtables-legacy
-	fi
-
-	if ! has_version 'net-firewall/arptables'; then
-		elog "Unsetting arptables symlinks before removal"
-		eselect arptables unset
-	elif [[ -z ${REPLACED_BY_VERSION} ]]; then
-		elog "Resetting arptables symlinks to arptables-legacy"
-		eselect arptables set arptables-legacy
-	fi
-
-	# the eselect module failing should not be fatal
-	return 0
-}



* [gentoo-commits] repo/gentoo:master commit in: net-firewall/iptables/files/, net-firewall/iptables/
@ 2023-09-18  8:49 Sam James
  0 siblings, 0 replies; 15+ messages in thread
From: Sam James @ 2023-09-18  8:49 UTC (permalink / raw
  To: gentoo-commits

commit:     e9227501ae5ec3674ba2fd93766df71f85c1da2f
Author:     Robert Kolchmeyer <rkolchmeyer <AT> google <DOT> com>
AuthorDate: Thu Aug 31 18:00:02 2023 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Mon Sep 18 08:39:28 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e9227501

net-firewall/iptables: fix checking existence of rule

This bug was introduced in 1.8.9, and a release including the fix has
not been made yet. This patch can be removed after upgrading beyond
1.8.9.

Signed-off-by: Robert Kolchmeyer <rkolchmeyer <AT> google.com>
Closes: https://github.com/gentoo/gentoo/pull/32541
Signed-off-by: Sam James <sam <AT> gentoo.org>

 ...bles-1.8.9-fix-checking-existence-of-rule.patch |  34 ++++
 net-firewall/iptables/iptables-1.8.9-r1.ebuild     | 181 +++++++++++++++++++++
 2 files changed, 215 insertions(+)

diff --git a/net-firewall/iptables/files/iptables-1.8.9-fix-checking-existence-of-rule.patch b/net-firewall/iptables/files/iptables-1.8.9-fix-checking-existence-of-rule.patch
new file mode 100644
index 000000000000..16c894f185e7
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-1.8.9-fix-checking-existence-of-rule.patch
@@ -0,0 +1,34 @@
+https://git.netfilter.org/iptables/commit/?id=78850e7dba64a949c440dbdbe557f59409c6db48
+
+From 78850e7dba64a949c440dbdbe557f59409c6db48 Mon Sep 17 00:00:00 2001
+From: Markus Boehme <markubo@amazon.com>
+Date: Mon, 3 Apr 2023 23:13:47 +0200
+Subject: [PATCH] ip6tables: Fix checking existence of rule
+
+Pass the proper entry size when creating a match mask for checking the
+existence of a rule. Failing to do so causes wrong results.
+
+Reported-by: Jonathan Caicedo <jonathan@jcaicedo.com>
+Fixes: eb2546a846776 ("xshared: Share make_delete_mask() between ip{,6}tables")
+Signed-off-by: Markus Boehme <markubo@amazon.com>
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+---
+ iptables/ip6tables.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
+index 345af451..9afc32c1 100644
+--- a/iptables/ip6tables.c
++++ b/iptables/ip6tables.c
+@@ -331,7 +331,7 @@ check_entry(const xt_chainlabel chain, struct ip6t_entry *fw,
+ 	int ret = 1;
+ 	unsigned char *mask;
+ 
+-	mask = make_delete_mask(matches, target, sizeof(fw));
++	mask = make_delete_mask(matches, target, sizeof(*fw));
+ 	for (i = 0; i < nsaddrs; i++) {
+ 		fw->ipv6.src = saddrs[i];
+ 		fw->ipv6.smsk = smasks[i];
+-- 
+2.42.0.283.g2d96d420d3-goog
+
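Review bot: The one-line fix in check_entry() has no comment explaining why `sizeof(*fw)` is required, so the same slip is easy to reintroduce; I would add `/* size of struct ip6t_entry, not of the pointer */` above the `make_delete_mask()` call. With `sizeof(fw)` the mask length came from a pointer, and the patch description says this gives wrong results when checking whether a rule exists, which matters for any tooling that decides whether to add or delete a firewall rule based on that check. The Fixes: tag says make_delete_mask() is shared between ip{,6}tables while this patch touches only ip6tables.c, so it is worth confirming that the IPv4 caller already passes the dereferenced size; that file is not shown here. check_entry() starts and ends outside the hunk.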

diff --git a/net-firewall/iptables/iptables-1.8.9-r1.ebuild b/net-firewall/iptables/iptables-1.8.9-r1.ebuild
new file mode 100644
index 000000000000..f3c3728c7812
--- /dev/null
+++ b/net-firewall/iptables/iptables-1.8.9-r1.ebuild
@@ -0,0 +1,181 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit systemd toolchain-funcs autotools flag-o-matic usr-ldscript
+
+DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
+HOMEPAGE="https://www.netfilter.org/projects/iptables/"
+SRC_URI="https://www.netfilter.org/projects/iptables/files/${P}.tar.xz"
+
+LICENSE="GPL-2"
+# Subslot reflects PV when libxtables and/or libip*tc was changed
+# the last time.
+SLOT="0/1.8.3"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
+IUSE="conntrack netlink nftables pcap static-libs"
+
+COMMON_DEPEND="
+	conntrack? ( >=net-libs/libnetfilter_conntrack-1.0.6 )
+	netlink? ( net-libs/libnfnetlink )
+	nftables? (
+		>=net-libs/libmnl-1.0:=
+		>=net-libs/libnftnl-1.1.6:=
+	)
+	pcap? ( net-libs/libpcap )
+"
+DEPEND="
+	${COMMON_DEPEND}
+	virtual/os-headers
+	>=sys-kernel/linux-headers-4.4:0
+"
+BDEPEND="
+	virtual/pkgconfig
+	nftables? (
+		sys-devel/flex
+		app-alternatives/yacc
+	)
+"
+RDEPEND="
+	${COMMON_DEPEND}
+	nftables? ( net-misc/ethertypes )
+	!<net-firewall/ebtables-2.0.11-r1
+	!<net-firewall/arptables-0.0.5-r1
+"
+IDEPEND=">=app-eselect/eselect-iptables-20220320"
+
+PATCHES=(
+	"${FILESDIR}"/${PN}-1.8.4-no-symlinks.patch
+	"${FILESDIR}"/${P}-format-security.patch
+	"${FILESDIR}"/${PN}-1.8.9-fix-checking-existence-of-rule.patch
+)
+
+src_prepare() {
+	# Use the saner headers from the kernel
+	rm include/linux/{kernel,types}.h || die
+
+	default
+	eautoreconf
+}
+
+src_configure() {
+	# Some libs use $(AR) rather than libtool to build, bug #444282
+	tc-export AR
+
+	# Hack around struct mismatches between userland & kernel for some ABIs
+	# bug #472388
+	use amd64 && [[ ${ABI} == "x32" ]] && append-flags -fpack-struct
+
+	sed -i \
+		-e "/nfnetlink=[01]/s:=[01]:=$(usex netlink 1 0):" \
+		-e "/nfconntrack=[01]/s:=[01]:=$(usex conntrack 1 0):" \
+		configure || die
+
+	local myeconfargs=(
+		--sbindir="${EPREFIX}/sbin"
+		--libexecdir="${EPREFIX}/$(get_libdir)"
+		--enable-devel
+		--enable-ipv6
+		--enable-shared
+		$(use_enable nftables)
+		$(use_enable pcap bpf-compiler)
+		$(use_enable pcap nfsynproxy)
+		$(use_enable static-libs static)
+	)
+
+	econf "${myeconfargs[@]}"
+}
+
+src_compile() {
+	emake V=1
+}
+
+src_install() {
+	default
+
+	# Managed by eselect-iptables
+	# https://bugs.gentoo.org/881295
+	rm "${ED}/usr/bin/iptables-xml" || die
+
+	dodoc iptables/iptables.xslt
+
+	# All the iptables binaries are in /sbin, so might as well
+	# put these small files in with them
+	into /
+	dosbin iptables/iptables-apply
+	dosym iptables-apply /sbin/ip6tables-apply
+	doman iptables/iptables-apply.8
+
+	insinto /usr/include
+	doins include/ip{,6}tables.h
+	insinto /usr/include/iptables
+	doins include/iptables/internal.h
+
+	keepdir /var/lib/ip{,6}tables
+	newinitd "${FILESDIR}"/${PN}-r3.init iptables
+	newconfd "${FILESDIR}"/${PN}-r1.confd iptables
+	dosym iptables /etc/init.d/ip6tables
+	newconfd "${FILESDIR}"/ip6tables-r1.confd ip6tables
+
+	if use nftables; then
+		# Bug #647458
+		rm "${ED}"/etc/ethertypes || die
+
+		# Bugs #660886 and #669894
+		rm "${ED}"/sbin/{arptables,ebtables}{,-{save,restore}} || die
+	fi
+
+	systemd_dounit "${FILESDIR}"/systemd/ip{,6}tables-{re,}store.service
+
+	# Move important libs to /lib, bug #332175
+	gen_usr_ldscript -a ip{4,6}tc xtables
+
+	find "${ED}" -type f -name "*.la" -delete || die
+}
+
+pkg_postinst() {
+	local default_iptables="xtables-legacy-multi"
+	if ! eselect iptables show &>/dev/null; then
+		elog "Current iptables implementation is unset, setting to ${default_iptables}"
+		eselect iptables set "${default_iptables}"
+	fi
+
+	if use nftables; then
+		local tables
+		for tables in {arp,eb}tables; do
+			if ! eselect ${tables} show &>/dev/null; then
+				elog "Current ${tables} implementation is unset, setting to ${default_iptables}"
+				eselect ${tables} set xtables-nft-multi
+			fi
+		done
+	fi
+
+	eselect iptables show
+}
+
+pkg_prerm() {
+	if [[ -z ${REPLACED_BY_VERSION} ]]; then
+		elog "Unsetting iptables symlinks before removal"
+		eselect iptables unset
+	fi
+
+	if ! has_version 'net-firewall/ebtables'; then
+		elog "Unsetting ebtables symlinks before removal"
+		eselect ebtables unset
+	elif [[ -z ${REPLACED_BY_VERSION} ]]; then
+		elog "Resetting ebtables symlinks to ebtables-legacy"
+		eselect ebtables set ebtables-legacy
+	fi
+
+	if ! has_version 'net-firewall/arptables'; then
+		elog "Unsetting arptables symlinks before removal"
+		eselect arptables unset
+	elif [[ -z ${REPLACED_BY_VERSION} ]]; then
+		elog "Resetting arptables symlinks to arptables-legacy"
+		eselect arptables set arptables-legacy
+	fi
+
+	# The eselect module failing should not be fatal
+	return 0
+}
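Review bot: In pkg_postinst() the elog inside the `for tables in {arp,eb}tables` loop prints `${default_iptables}` (xtables-legacy-multi) while the next line runs `eselect ${tables} set xtables-nft-multi`, so the log names a backend other than the one actually selected. Anyone checking the install log to see which arptables/ebtables backend is active would be misled; the message should read `elog "Current ${tables} implementation is unset, setting to xtables-nft-multi"`. Separately, the commit message says the backported patch can be removed after upgrading beyond 1.8.9, but the PATCHES entry carries no such note; a comment such as `# upstream backport, drop on bump past 1.8.9` above that entry would keep the removal condition with the code.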

