From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 1F36C158091 for ; Fri, 17 Jun 2022 18:44:50 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 295E8E090F; Fri, 17 Jun 2022 18:44:49 +0000 (UTC) Received: from smtp.gentoo.org (woodpecker.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 1295FE090F for ; Fri, 17 Jun 2022 18:44:49 +0000 (UTC) Received: from oystercatcher.gentoo.org (unknown [IPv6:2a01:4f8:202:4333:225:90ff:fed9:fc84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 22D62341F9B for ; Fri, 17 Jun 2022 18:44:48 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 76114475 for ; Fri, 17 Jun 2022 18:44:46 +0000 (UTC) 
From: "Sam James"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sam James"
Message-ID: <1655491443.1c73d672e4a3e228c1b6b287d4345d229597fa35.sam@gentoo>
Subject: [gentoo-commits] repo/gentoo:master commit in: net-firewall/nftables/
X-VCS-Repository: repo/gentoo
X-VCS-Files: net-firewall/nftables/nftables-1.0.4-r2.ebuild net-firewall/nftables/nftables-9999.ebuild
X-VCS-Directories: net-firewall/nftables/
X-VCS-Committer: sam
X-VCS-Committer-Name: Sam James
X-VCS-Revision: 1c73d672e4a3e228c1b6b287d4345d229597fa35
X-VCS-Branch: master
Date: Fri, 17 Jun 2022 18:44:46 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
X-Archives-Salt: 90f56c7c-7b87-4dd4-bcfb-7c5381d29e49
X-Archives-Hash: 90294f7ffedcd7bb6b20bf0497fa6fd5

commit:     1c73d672e4a3e228c1b6b287d4345d229597fa35
Author:     Sam James gentoo org>
AuthorDate: Fri Jun 17 18:42:28 2022 +0000
Commit:     Sam James gentoo org>
CommitDate: Fri Jun 17 18:44:03 2022 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1c73d672

net-firewall/nftables: add emergency pkg_preinst sanity check

The idea here is that we check just before merging whether the freshly built `nft` binary can safely (pretend) reload the system ruleset.

A significant number of recent regressions have manifested in immediate segfaults when doing this, so it's worth doing the safety check (it's not as if it's niche or unlikely for a failure to occur at this point).

Those who want a failed check to be *fatal* can set NFTABLES_ABORT_ON_RELOAD_FAILURE=1. Otherwise, it's just a warning.

Bug: https://bugs.gentoo.org/852662
Thanks-to: Kerin Millar plushkava.net>
Signed-off-by: Sam James gentoo.org> ...{nftables-9999.ebuild => nftables-1.0.4-r2.ebuild} | 19 ++++++++++++++++++- net-firewall/nftables/nftables-9999.ebuild | 16 +++++++++++++++- 2 files changed, 33 insertions(+), 2 deletions(-) diff --git a/net-firewall/nftables/nftables-9999.ebuild b/net-firewall/nftables/nftables-1.0.4-r2.ebuild similarity index 88% copy from net-firewall/nftables/nftables-9999.ebuild copy to net-firewall/nftables/nftables-1.0.4-r2.ebuild index d3b5ea2ddc40..e15c2462f85d 100644 --- a/net-firewall/nftables/nftables-9999.ebuild +++ b/net-firewall/nftables/nftables-1.0.4-r2.ebuild @@ -1,7 +1,7 @@ # Copyright 1999-2022 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 -EAPI=7 +EAPI=8 DISTUTILS_OPTIONAL=1 PYTHON_COMPAT=( python3_{8..11} ) @@ -70,6 +70,9 @@ pkg_setup() { } src_prepare() { + local PATCHES=( + "${FILESDIR}/nftables-1.0.4-revert-scanner-flags-move-to-own-scope.patch" + ) default if [[ ${PV} =~ ^[9]{4,}$ ]] ; then @@ -162,6 +165,20 @@ src_install() { find "${ED}" -type f -name "*.la" -delete || die } +pkg_preinst() { + if [[ -d /sys/module/nf_tables ]] && [[ -x /sbin/nft ]] && [[ -z ${ROOT} ]]; then + if ! /sbin/nft -t list ruleset | "${ED}"/sbin/nft -c -f -; then + eerror "Your currently loaded ruleset cannot be parsed by the newly built instance of" + eerror "nft. This probably means that there is a regression introduced by v${PV}." + eerror "(To make the ebuild fail instead of warning, set NFTABLES_ABORT_ON_RELOAD_FAILURE=1.)" + + if [[ -n ${NFTABLES_ABORT_ON_RELOAD_FAILURE} ]] ; then + die "Aborting because of failed nft reload!" + fi + fi + fi +} + pkg_postinst() { local save_file save_file="${EROOT}"/var/lib/nftables/rules-save diff --git a/net-firewall/nftables/nftables-9999.ebuild b/net-firewall/nftables/nftables-9999.ebuild index d3b5ea2ddc40..51f0627a762d 100644 --- a/net-firewall/nftables/nftables-9999.ebuild +++ b/net-firewall/nftables/nftables-9999.ebuild 
@@ -1,7 +1,7 @@ # Copyright 1999-2022 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 -EAPI=7 +EAPI=8 DISTUTILS_OPTIONAL=1 PYTHON_COMPAT=( python3_{8..11} ) @@ -162,6 +162,20 @@ src_install() { find "${ED}" -type f -name "*.la" -delete || die } +pkg_preinst() { + if [[ -d /sys/module/nf_tables ]] && [[ -x /sbin/nft ]] && [[ -z ${ROOT} ]]; then + if ! /sbin/nft -t list ruleset | "${ED}"/sbin/nft -c -f -; then + eerror "Your currently loaded ruleset cannot be parsed by the newly built instance of" + eerror "nft. This probably means that there is a regression introduced by v${PV}." + eerror "(To make the ebuild fail instead of warning, set NFTABLES_ABORT_ON_RELOAD_FAILURE=1.)" + + if [[ -n ${NFTABLES_ABORT_ON_RELOAD_FAILURE} ]] ; then + die "Aborting because of failed nft reload!" + fi + fi + fi +} + pkg_postinst() { local save_file save_file="${EROOT}"/var/lib/nftables/rules-save
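Review bot: the `-EAPI=7` / `+EAPI=8` change in the first hunk of `nftables-1.0.4-r2.ebuild` is an unrelated bump bundled with the sanity check, and neither it nor the revert patch introduced in `src_prepare` is mentioned in the commit message; split the EAPI bump into its own commit, or at least state it in the message, so that a later bisect or revert of the `pkg_preinst` check does not have to carry the EAPI change with it.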
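Review bot: the `src_prepare` hunk references `${FILESDIR}/nftables-1.0.4-revert-scanner-flags-move-to-own-scope.patch`, but the diffstat lists only the two ebuilds (`2 files changed`), so this commit does not add that file; confirm it is already present under `files/`, otherwise the `-r2` ebuild fails in `src_prepare` as soon as `default` applies `PATCHES`. A one-line comment above `local PATCHES=(` saying what the revert fixes, and which bug tracks it, would also help whoever has to drop it again later.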
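Review bot: in the `pkg_preinst` hunk of `nftables-1.0.4-r2.ebuild`, the status of `/sbin/nft -t list ruleset | "${ED}"/sbin/nft -c -f -` is only that of the right-hand `nft -c`, so if the installed `/sbin/nft` fails or crashes while dumping, the new binary is checked against empty input, passes, and the kind of regression this check exists for is reported as success; write the dump to a file under `${T}` and test that command's exit status first (or run the pipeline with `pipefail` enabled), and mention in the message when the dump came back empty, since then nothing was exercised. Two smaller points: `-t` (terse) omits set contents from the listing, so the check cannot catch a regression in set element parsing, which deserves a comment next to the call; and `[[ -n ${NFTABLES_ABORT_ON_RELOAD_FAILURE} ]]` makes `NFTABLES_ABORT_ON_RELOAD_FAILURE=0` abort as well, while the `eerror` text tells the user to set it to `1`, so either compare against `1` or word the message as "set it to any value".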
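Review bot: the `pkg_preinst` hunk in `nftables-9999.ebuild` is a verbatim copy of the one added to `nftables-1.0.4-r2.ebuild`, so the same remarks apply here: the pipeline discards the dump's exit status, `-t` leaves set contents unchecked, and `-n` does not match the "set it to 1" wording of the error text; fix it once before the copy is made so the two files do not drift.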
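As an added example, not code from the ebuild or from the nftables project, here is a stand-alone POSIX sh version of the reload check the commit message describes, written so that a failure of the ruleset dump is reported instead of being masked by the pipeline. The function names, the stand-in `nft` scripts and the small sample ruleset are constructed for this illustration; the stand-ins take the place of `/sbin/nft` and `${ED}/sbin/nft` so the script runs with no kernel ruleset and no real `nft` binary, and the naive pipeline form is included alongside for comparison.

```shell
#!/bin/sh
# Added example: a pkg_preinst-style reload check that does not hide a failure
# of the ruleset dump. Not the ebuild's code; the nft stand-ins below are
# constructed so the script runs with no kernel ruleset and no real nft.

# check_ruleset_reload OLD_NFT NEW_NFT
#   OLD_NFT: command (word-split) playing the installed nft, e.g. "/sbin/nft"
#   NEW_NFT: command (word-split) playing the freshly built nft, e.g. "${ED}/sbin/nft"
# Returns 0 when the new binary parses the dump of the live ruleset,
#         1 when the new binary rejects it (or crashes on it),
#         2 when the dump itself failed, so nothing was verified.
check_ruleset_reload() {
    old_nft=$1
    new_nft=$2
    dump=$(mktemp) || return 2
    # Dump to a file first: the dump's own exit status is checked here, which a
    # plain "old | new" pipeline would discard.
    if ! $old_nft -t list ruleset >"$dump" 2>/dev/null; then
        rm -f "$dump"
        return 2
    fi
    # -c: check only, change nothing; -f: read the ruleset from the dump file.
    if ! $new_nft -c -f "$dump" >/dev/null 2>&1; then
        rm -f "$dump"
        return 1
    fi
    rm -f "$dump"
    return 0
}

# naive_check OLD_NFT NEW_NFT: the pipeline form from the ebuild, for
# comparison; its status is the consumer's status only.
naive_check() {
    $1 -t list ruleset 2>/dev/null | $2 -c -f - >/dev/null 2>&1
}

# make_stub FILE BODY: write a constructed stand-in for nft (run via "sh FILE").
make_stub() {
    printf '#!/bin/sh\n%s\n' "$2" >"$1"
}

# setup_stubs DIR: four stand-ins covering the interesting cases.
setup_stubs() {
    # installed nft that dumps a small constructed ruleset
    make_stub "$1/old_ok"    'case $1 in -t) printf "table inet filter {\n}\n";; esac; exit 0'
    # installed nft that dies without output (139 is the SIGSEGV exit status)
    make_stub "$1/old_crash" 'exit 139'
    # new nft that accepts whatever it is given
    make_stub "$1/new_ok"    'case $1 in -c) cat "$3" >/dev/null;; esac; exit 0'
    # new nft with a parser regression: rejects every ruleset
    make_stub "$1/new_bad"   'case $1 in -c) exit 1;; esac; exit 0'
}

# run_scenarios: exercises both checks against the stand-ins and prints the
# four exit statuses on one line.
run_scenarios() {
    dir=$(mktemp -d) || return 1
    setup_stubs "$dir"
    # the pipeline form reports success although the old nft produced nothing
    if naive_check "sh $dir/old_crash" "sh $dir/new_ok"; then a=0; else a=$?; fi
    # the file-based form reports that the dump failed
    if check_ruleset_reload "sh $dir/old_crash" "sh $dir/new_ok"; then b=0; else b=$?; fi
    # a parser regression in the new binary is reported as a parse failure
    if check_ruleset_reload "sh $dir/old_ok" "sh $dir/new_bad"; then c=0; else c=$?; fi
    # the healthy case passes
    if check_ruleset_reload "sh $dir/old_ok" "sh $dir/new_ok"; then d=0; else d=$?; fi
    rm -rf "$dir"
    echo "naive=$a hardened_crash=$b hardened_bad=$c hardened_ok=$d"
}

run_scenarios
```

Inside an ebuild the same shape would dump to a file under `${T}` (the ebuild's temporary directory) and test the two commands separately, mapping return code 1 to the existing `eerror` block and return code 2 to a distinct warning that the live ruleset could not be dumped and therefore nothing was verified.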