From: "Sam James"
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, "Sam James"
Message-ID: <1679264514.68a4aeb7ce34ec6f16710ce40443a1b460af6517.sam@gentoo>
Subject: [gentoo-commits] repo/gentoo:master commit in: net-firewall/nftables/
X-VCS-Repository: repo/gentoo
X-VCS-Files: net-firewall/nftables/nftables-1.0.5.ebuild net-firewall/nftables/nftables-1.0.6.ebuild net-firewall/nftables/nftables-1.0.7.ebuild net-firewall/nftables/nftables-9999.ebuild
X-VCS-Directories: net-firewall/nftables/
X-VCS-Committer: sam
X-VCS-Committer-Name: Sam James
X-VCS-Revision: 68a4aeb7ce34ec6f16710ce40443a1b460af6517
X-VCS-Branch: master
Date: Sun, 19 Mar 2023 22:22:47 +0000 (UTC)
List-Id: Gentoo Linux mail

commit:     68a4aeb7ce34ec6f16710ce40443a1b460af6517
Author:     Kerin Millar plushkava net>
AuthorDate: Sun Mar 19 09:04:41 2023 +0000
Commit:     Sam James gentoo org>
CommitDate: Sun Mar 19 22:21:54 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=68a4aeb7

net-firewall/nftables: Use the newly built libnftables.so in the pkg_preinst check

Doing so is appropriate because it's not a library that's provided externally.

Also, tidy up the code structure and replace the outdated pkg_preinst()
function in the ebuild for v1.0.5.

Signed-off-by: Kerin Millar plushkava.net>
Signed-off-by: Sam James gentoo.org>

 net-firewall/nftables/nftables-1.0.5.ebuild | 33 ++++++++++++++++------
 net-firewall/nftables/nftables-1.0.6.ebuild | 44 ++++++++++++++---------------
 net-firewall/nftables/nftables-1.0.7.ebuild | 44 ++++++++++++++---------------
 net-firewall/nftables/nftables-9999.ebuild  | 44 ++++++++++++++---------------
 4 files changed, 90 insertions(+), 75 deletions(-)

diff --git a/net-firewall/nftables/nftables-1.0.5.ebuild b/net-firewall/nftables/nftables-1.0.5.ebuild
index 3b4f9fbbf1d2..5226ca74577d 100644
--- a/net-firewall/nftables/nftables-1.0.5.ebuild
+++ b/net-firewall/nftables/nftables-1.0.5.ebuild
@@ -167,15 +167,30 @@ src_install() { } pkg_preinst() { - if [[ -d /sys/module/nf_tables ]] && [[ -x /sbin/nft ]] && [[ -z ${ROOT} ]]; then - if ! /sbin/nft -t list ruleset | "${ED}"/sbin/nft -c -f -; then - eerror "Your currently loaded ruleset cannot be parsed by the newly built instance of" - eerror "nft. This probably means that there is a regression introduced by v${PV}." - eerror "(To make the ebuild fail instead of warning, set NFTABLES_ABORT_ON_RELOAD_FAILURE=1.)" - - if [[ -n ${NFTABLES_ABORT_ON_RELOAD_FAILURE} ]] ; then - die "Aborting because of failed nft reload!" - fi + local stderr + + # There's a history of regressions with nftables upgrades. Perform a + # safety check to help us spot them earlier. For the check to pass, the + # currently loaded ruleset, if any, must be successfully evaluated by + # the newly built instance of nft(8). + if [[ -n ${ROOT} ]] || [[ ! -d /sys/module/nftables ]] || [[ ! -x /sbin/nft ]]; then + # Either nftables isn't yet in use or nft(8) cannot be executed. + return + elif ! stderr=$(umask 177; /sbin/nft -t list ruleset 2>&1 >"${T}"/ruleset.nft); then + # Report errors induced by trying to list the ruleset but don't + # treat them as being fatal. + printf '%s\n' "${stderr}" >&2 + elif [[ ${stderr} == *"is managed by iptables-nft"* ]]; then + # Rulesets generated by iptables-nft are special in nature and + # will not always be printed in a way that constitutes a valid + # syntax for ntf(8). Ignore them. + return + elif set -- "${ED}"/usr/lib*/libnftables.so; ! LD_LIBRARY_PATH=${1%/*} "${ED}"/sbin/nft -c -f -- "${T}"/ruleset.nft; then + eerror "Your currently loaded ruleset cannot be parsed by the newly built instance of" + eerror "nft. This probably means that there is a regression introduced by v${PV}." + eerror "(To make the ebuild fail instead of warning, set NFTABLES_ABORT_ON_RELOAD_FAILURE=1.)" + if [[ -n ${NFTABLES_ABORT_ON_RELOAD_FAILURE} ]] ; then + die "Aborting because of failed nft reload!" fi fi } 
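Review bot: the early-return condition in this hunk silently changes the sysfs path from /sys/module/nf_tables (the removed line) to /sys/module/nftables (the added line), and the commit message does not mention a rename. The kernel's nftables core module is named nf_tables, so /sys/module/nftables is not expected to exist; `[[ ! -d /sys/module/nftables ]]` would then be true on every host and pkg_preinst() would return before the ruleset check ever runs, which defeats the check this commit is improving. Unless the rename is deliberate, keep `[[ ! -d /sys/module/nf_tables ]]`. A related caveat worth a comment: that directory only appears once the module is loaded (or for a built-in module that exports parameters), so a kernel with nf_tables compiled in may skip the check regardless. Separately, in `"${ED}"/sbin/nft -c -f -- "${T}"/ruleset.nft`: nft parses its options with getopt_long(3), and an option that takes a value consumes the very next argv element, so the `--` is taken as the -f argument and the real path is left over as a positional command. ${T} is an absolute path under the Portage build directory, so there is nothing for `--` to protect against; `-c -f "${T}"/ruleset.nft`, the form the removed lines used, is the correct invocation.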
diff --git a/net-firewall/nftables/nftables-1.0.6.ebuild b/net-firewall/nftables/nftables-1.0.6.ebuild
index bd4f23708a7e..e5de7f69c0a1 100644
--- a/net-firewall/nftables/nftables-1.0.6.ebuild
+++ b/net-firewall/nftables/nftables-1.0.6.ebuild
@@ -169,28 +169,28 @@ src_install() { pkg_preinst() { local stderr - # There's a history of regressions with nftables upgrades. Add a safety - # check to help us spot them earlier. - if [[ -d /sys/module/nf_tables ]] && [[ -x /sbin/nft ]] && [[ -z ${ROOT} ]]; then - # Check the current loaded ruleset, if any, using the newly - # built instance of nft(8). - if ! stderr=$(umask 177; /sbin/nft -t list ruleset 2>&1 >"${T}"/ruleset.nft); then - # Report errors induced by trying to list the ruleset - # but don't treat them as being fatal. - printf '%s\n' "${stderr}" >&2 - elif [[ ${stderr} == *"is managed by iptables-nft"* ]]; then - # Rulesets generated by iptables-nft are special in - # nature and will not always be printed in a way that - # constitutes a valid syntax for ntf(8). Ignore them. - return - elif ! "${ED}"/sbin/nft -c -f "${T}"/ruleset.nft; then - eerror "Your currently loaded ruleset cannot be parsed by the newly built instance of" - eerror "nft. This probably means that there is a regression introduced by v${PV}." - eerror "(To make the ebuild fail instead of warning, set NFTABLES_ABORT_ON_RELOAD_FAILURE=1.)" - - if [[ -n ${NFTABLES_ABORT_ON_RELOAD_FAILURE} ]] ; then - die "Aborting because of failed nft reload!" - fi + # There's a history of regressions with nftables upgrades. Perform a + # safety check to help us spot them earlier. For the check to pass, the + # currently loaded ruleset, if any, must be successfully evaluated by + # the newly built instance of nft(8). + if [[ -n ${ROOT} ]] || [[ ! -d /sys/module/nftables ]] || [[ ! -x /sbin/nft ]]; then + # Either nftables isn't yet in use or nft(8) cannot be executed. + return + elif ! stderr=$(umask 177; /sbin/nft -t list ruleset 2>&1 >"${T}"/ruleset.nft); then + # Report errors induced by trying to list the ruleset but don't + # treat them as being fatal. 
+ printf '%s\n' "${stderr}" >&2 + elif [[ ${stderr} == *"is managed by iptables-nft"* ]]; then + # Rulesets generated by iptables-nft are special in nature and + # will not always be printed in a way that constitutes a valid + # syntax for ntf(8). Ignore them. + return + elif set -- "${ED}"/usr/lib*/libnftables.so; ! LD_LIBRARY_PATH=${1%/*} "${ED}"/sbin/nft -c -f -- "${T}"/ruleset.nft; then + eerror "Your currently loaded ruleset cannot be parsed by the newly built instance of" + eerror "nft. This probably means that there is a regression introduced by v${PV}." + eerror "(To make the ebuild fail instead of warning, set NFTABLES_ABORT_ON_RELOAD_FAILURE=1.)" + if [[ -n ${NFTABLES_ABORT_ON_RELOAD_FAILURE} ]] ; then + die "Aborting because of failed nft reload!" fi fi } diff --git a/net-firewall/nftables/nftables-1.0.7.ebuild b/net-firewall/nftables/nftables-1.0.7.ebuild index b144fded77b4..13ecec61248b 100644 --- a/net-firewall/nftables/nftables-1.0.7.ebuild +++ b/net-firewall/nftables/nftables-1.0.7.ebuild 
@@ -170,28 +170,28 @@ src_install() { pkg_preinst() { local stderr - # There's a history of regressions with nftables upgrades. Add a safety - # check to help us spot them earlier. - if [[ -d /sys/module/nf_tables ]] && [[ -x /sbin/nft ]] && [[ -z ${ROOT} ]]; then - # Check the current loaded ruleset, if any, using the newly - # built instance of nft(8). - if ! stderr=$(umask 177; /sbin/nft -t list ruleset 2>&1 >"${T}"/ruleset.nft); then - # Report errors induced by trying to list the ruleset - # but don't treat them as being fatal. - printf '%s\n' "${stderr}" >&2 - elif [[ ${stderr} == *"is managed by iptables-nft"* ]]; then - # Rulesets generated by iptables-nft are special in - # nature and will not always be printed in a way that - # constitutes a valid syntax for ntf(8). Ignore them. - return - elif ! "${ED}"/sbin/nft -c -f "${T}"/ruleset.nft; then - eerror "Your currently loaded ruleset cannot be parsed by the newly built instance of" - eerror "nft. This probably means that there is a regression introduced by v${PV}." - eerror "(To make the ebuild fail instead of warning, set NFTABLES_ABORT_ON_RELOAD_FAILURE=1.)" - - if [[ -n ${NFTABLES_ABORT_ON_RELOAD_FAILURE} ]] ; then - die "Aborting because of failed nft reload!" - fi + # There's a history of regressions with nftables upgrades. Perform a + # safety check to help us spot them earlier. For the check to pass, the + # currently loaded ruleset, if any, must be successfully evaluated by + # the newly built instance of nft(8). + if [[ -n ${ROOT} ]] || [[ ! -d /sys/module/nftables ]] || [[ ! -x /sbin/nft ]]; then + # Either nftables isn't yet in use or nft(8) cannot be executed. + return + elif ! stderr=$(umask 177; /sbin/nft -t list ruleset 2>&1 >"${T}"/ruleset.nft); then + # Report errors induced by trying to list the ruleset but don't + # treat them as being fatal. 
+ printf '%s\n' "${stderr}" >&2 + elif [[ ${stderr} == *"is managed by iptables-nft"* ]]; then + # Rulesets generated by iptables-nft are special in nature and + # will not always be printed in a way that constitutes a valid + # syntax for ntf(8). Ignore them. + return + elif set -- "${ED}"/usr/lib*/libnftables.so; ! LD_LIBRARY_PATH=${1%/*} "${ED}"/sbin/nft -c -f -- "${T}"/ruleset.nft; then + eerror "Your currently loaded ruleset cannot be parsed by the newly built instance of" + eerror "nft. This probably means that there is a regression introduced by v${PV}." + eerror "(To make the ebuild fail instead of warning, set NFTABLES_ABORT_ON_RELOAD_FAILURE=1.)" + if [[ -n ${NFTABLES_ABORT_ON_RELOAD_FAILURE} ]] ; then + die "Aborting because of failed nft reload!" fi fi } diff --git a/net-firewall/nftables/nftables-9999.ebuild b/net-firewall/nftables/nftables-9999.ebuild index b144fded77b4..13ecec61248b 100644 --- a/net-firewall/nftables/nftables-9999.ebuild +++ b/net-firewall/nftables/nftables-9999.ebuild 
@@ -170,28 +170,28 @@ src_install() { pkg_preinst() { local stderr - # There's a history of regressions with nftables upgrades. Add a safety - # check to help us spot them earlier. - if [[ -d /sys/module/nf_tables ]] && [[ -x /sbin/nft ]] && [[ -z ${ROOT} ]]; then - # Check the current loaded ruleset, if any, using the newly - # built instance of nft(8). - if ! stderr=$(umask 177; /sbin/nft -t list ruleset 2>&1 >"${T}"/ruleset.nft); then - # Report errors induced by trying to list the ruleset - # but don't treat them as being fatal. - printf '%s\n' "${stderr}" >&2 - elif [[ ${stderr} == *"is managed by iptables-nft"* ]]; then - # Rulesets generated by iptables-nft are special in - # nature and will not always be printed in a way that - # constitutes a valid syntax for ntf(8). Ignore them. - return - elif ! "${ED}"/sbin/nft -c -f "${T}"/ruleset.nft; then - eerror "Your currently loaded ruleset cannot be parsed by the newly built instance of" - eerror "nft. This probably means that there is a regression introduced by v${PV}." - eerror "(To make the ebuild fail instead of warning, set NFTABLES_ABORT_ON_RELOAD_FAILURE=1.)" - - if [[ -n ${NFTABLES_ABORT_ON_RELOAD_FAILURE} ]] ; then - die "Aborting because of failed nft reload!" - fi + # There's a history of regressions with nftables upgrades. Perform a + # safety check to help us spot them earlier. For the check to pass, the + # currently loaded ruleset, if any, must be successfully evaluated by + # the newly built instance of nft(8). + if [[ -n ${ROOT} ]] || [[ ! -d /sys/module/nftables ]] || [[ ! -x /sbin/nft ]]; then + # Either nftables isn't yet in use or nft(8) cannot be executed. + return + elif ! stderr=$(umask 177; /sbin/nft -t list ruleset 2>&1 >"${T}"/ruleset.nft); then + # Report errors induced by trying to list the ruleset but don't + # treat them as being fatal. 
+ printf '%s\n' "${stderr}" >&2 + elif [[ ${stderr} == *"is managed by iptables-nft"* ]]; then + # Rulesets generated by iptables-nft are special in nature and + # will not always be printed in a way that constitutes a valid + # syntax for ntf(8). Ignore them. + return + elif set -- "${ED}"/usr/lib*/libnftables.so; ! LD_LIBRARY_PATH=${1%/*} "${ED}"/sbin/nft -c -f -- "${T}"/ruleset.nft; then + eerror "Your currently loaded ruleset cannot be parsed by the newly built instance of" + eerror "nft. This probably means that there is a regression introduced by v${PV}." + eerror "(To make the ebuild fail instead of warning, set NFTABLES_ABORT_ON_RELOAD_FAILURE=1.)" + if [[ -n ${NFTABLES_ABORT_ON_RELOAD_FAILURE} ]] ; then + die "Aborting because of failed nft reload!" fi fi }
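Review bot: the last `elif` of the three identical hunks for 1.0.6, 1.0.7 and 9999 (and of the 1.0.5 hunk before them) relies on an unguarded glob: `set -- "${ED}"/usr/lib*/libnftables.so`. Portage does not enable nullglob in ebuild phases, so if the pattern matches nothing, $1 is the literal string "${ED}/usr/lib*/libnftables.so", LD_LIBRARY_PATH points at a directory that does not exist, and the dynamic loader silently falls back to the already-installed system libnftables.so. That is precisely the configuration the commit message says the check must not use ("Use the newly built libnftables.so"), and a regression in the new library would then look like a pass. Verify the expansion before trusting it, and do it on its own line rather than inside the condition so the chain stays readable, e.g.

	set -- "${ED}"/usr/lib*/libnftables.so
	[[ -f $1 ]] || die "newly built libnftables.so not found under ${ED}/usr/lib*"

The `/sys/module/nftables` path and the `-f --` form in these hunks deserve the same scrutiny as in the 1.0.5 hunk, since the kernel module is nf_tables and getopt takes `--` as the -f argument. While touching these comments, "a valid syntax for ntf(8)" should read nft(8); the typo is carried over from the removed lines. Finally, the die message "Aborting because of failed nft reload!" describes something the check does not do; nothing is reloaded, only parsed with -c, so "failed nft ruleset check" would be more accurate.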