net-firewall/nftables: add 1.0.9
Signed-off-by: Sam James <sam@gentoo.org>
This commit is contained in:
parent
b3068dae27
commit
c537b3488f
|
@ -2,3 +2,5 @@ DIST nftables-1.0.7.tar.xz 857140 BLAKE2B 972adbb958f36b300618ce03fbbfc1fdb6fd55
|
|||
DIST nftables-1.0.7.tar.xz.sig 566 BLAKE2B 53abe2598e9b362912d3e2e94ea6e04352d0484b9d1d645c8f18b6133be53d63a8d71d500e57528a57aededb84dedaf61010236afda560b16e7642db45e2f45c SHA512 b5821aa6939dc5b4d16065d9d7083e4ff40b9f99417354efbcbc95a8ccde43108b99a5b8a75a24086cd3df2291a049cad3adb7b06e2c098f0eb7861f85c5c768
|
||||
DIST nftables-1.0.8.tar.xz 882980 BLAKE2B cdf174846cbc3e581993cdee3a24e5ead3fdbb3d6b24d51473ed88affb7fcf70279a8374a4963b31044a9e64cb72ddb28ca1f1686bbaa3101eed4d623fb67d05 SHA512 06053c05a0d7c84a5cc4d22733836dadf9880c3552df3dace6d30aea95c7e1edb5528ea45df8576f282c15bf58f23407e26efb22257bd98a478849a8bdd4f8d5
|
||||
DIST nftables-1.0.8.tar.xz.sig 566 BLAKE2B 2f22b9467a55a46ec9e8caf13efe3cd59a6a1a867174602b583549ccaff54576b5f80b5ad9b1cefd208c3f49bc6ce07072626218f479628df369ed7294e1b83b SHA512 0ddd8f29dc5ba891069c63715719f11c0a4745f1e3cd9cd7f9e388ac35835cfbe8f34b371a2ce2a06cbda42384cc72d0bf57746fb02757d68a9b053bbbd67a77
|
||||
DIST nftables-1.0.9.tar.xz 971968 BLAKE2B 1dfd1e79d3a7b645fd0995dad10893d70dbd13c92805c5cf30825acbbeb45071b2095072cecbd14b4f66cf0c284d2937a996c6b8013213438f53b92731af039d SHA512 dc34099658e283d9fd4d06264b593710121074558305ea23ab298c5f6a6b564a826f186241b6e106fbaa4e11160cf77e68bb52b4ce401b28d8d2e403cd4b88e8
|
||||
DIST nftables-1.0.9.tar.xz.sig 566 BLAKE2B d4bb0a1f629d2950753799fba18f6c3ce50e5ff242816e392245a714bfeccb3408583added4362f1e0da47cc6e30b0b95f864cf8443a1872d59ae40b15b5f706 SHA512 9b96ce8539700713ff4802fb2deff5b2ea0dd3155c45f5a8f49a45f70226893c7449e0b79504833b2e63e5290290e693c962128a226ca8f6ca281185bdcd7b51
|
||||
|
|
|
@ -0,0 +1,226 @@
|
|||
# Copyright 1999-2023 Gentoo Authors
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
|
||||
EAPI=8
|
||||
|
||||
DISTUTILS_OPTIONAL=1
|
||||
DISTUTILS_USE_PEP517=setuptools
|
||||
PYTHON_COMPAT=( python3_{10..11} )
|
||||
VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/netfilter.org.asc
|
||||
inherit edo linux-info distutils-r1 systemd verify-sig
|
||||
|
||||
DESCRIPTION="Linux kernel firewall, NAT and packet mangling tools"
|
||||
HOMEPAGE="https://netfilter.org/projects/nftables/"
|
||||
|
||||
if [[ ${PV} =~ ^[9]{4,}$ ]]; then
|
||||
inherit autotools git-r3
|
||||
EGIT_REPO_URI="https://git.netfilter.org/${PN}"
|
||||
BDEPEND="sys-devel/bison"
|
||||
else
|
||||
SRC_URI="
|
||||
https://netfilter.org/projects/nftables/files/${P}.tar.xz
|
||||
verify-sig? ( https://netfilter.org/projects/nftables/files/${P}.tar.xz.sig )
|
||||
"
|
||||
KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86"
|
||||
BDEPEND="verify-sig? ( sec-keys/openpgp-keys-netfilter )"
|
||||
fi
|
||||
|
||||
# See COPYING: new code is GPL-2+, existing code is GPL-2
|
||||
LICENSE="GPL-2 GPL-2+"
|
||||
SLOT="0/1"
|
||||
IUSE="debug doc +gmp json libedit python +readline static-libs test xtables"
|
||||
RESTRICT="!test? ( test )"
|
||||
|
||||
RDEPEND="
|
||||
>=net-libs/libmnl-1.0.4:=
|
||||
>=net-libs/libnftnl-1.2.6:=
|
||||
gmp? ( dev-libs/gmp:= )
|
||||
json? ( dev-libs/jansson:= )
|
||||
python? ( ${PYTHON_DEPS} )
|
||||
readline? ( sys-libs/readline:= )
|
||||
xtables? ( >=net-firewall/iptables-1.6.1:= )
|
||||
"
|
||||
DEPEND="${RDEPEND}"
|
||||
BDEPEND+="
|
||||
sys-devel/flex
|
||||
virtual/pkgconfig
|
||||
doc? (
|
||||
app-text/asciidoc
|
||||
>=app-text/docbook2X-0.8.8-r4
|
||||
)
|
||||
python? ( ${DISTUTILS_DEPS} )
|
||||
"
|
||||
|
||||
REQUIRED_USE="
|
||||
python? ( ${PYTHON_REQUIRED_USE} )
|
||||
libedit? ( !readline )
|
||||
"
|
||||
|
||||
src_prepare() {
|
||||
default
|
||||
|
||||
if [[ ${PV} =~ ^[9]{4,}$ ]] ; then
|
||||
eautoreconf
|
||||
fi
|
||||
|
||||
if use python; then
|
||||
pushd py >/dev/null || die
|
||||
distutils-r1_src_prepare
|
||||
popd >/dev/null || die
|
||||
fi
|
||||
}
|
||||
|
||||
src_configure() {
|
||||
local myeconfargs=(
|
||||
--sbindir="${EPREFIX}"/sbin
|
||||
$(use_enable debug)
|
||||
$(use_enable doc man-doc)
|
||||
$(use_with !gmp mini_gmp)
|
||||
$(use_with json)
|
||||
$(use_with libedit cli editline)
|
||||
$(use_with readline cli readline)
|
||||
$(use_enable static-libs static)
|
||||
$(use_with xtables)
|
||||
)
|
||||
|
||||
econf "${myeconfargs[@]}"
|
||||
|
||||
if use python; then
|
||||
pushd py >/dev/null || die
|
||||
distutils-r1_src_configure
|
||||
popd >/dev/null || die
|
||||
fi
|
||||
}
|
||||
|
||||
src_compile() {
|
||||
default
|
||||
|
||||
if use python; then
|
||||
pushd py >/dev/null || die
|
||||
distutils-r1_src_compile
|
||||
popd >/dev/null || die
|
||||
fi
|
||||
}
|
||||
|
||||
src_test() {
|
||||
emake check
|
||||
|
||||
if [[ ${EUID} == 0 ]]; then
|
||||
edo tests/shell/run-tests.sh -v
|
||||
else
|
||||
ewarn "Skipping shell tests (requires root)"
|
||||
fi
|
||||
|
||||
if use python; then
|
||||
pushd tests/py >/dev/null || die
|
||||
distutils-r1_src_test
|
||||
popd >/dev/null || die
|
||||
fi
|
||||
}
|
||||
|
||||
python_test() {
|
||||
if [[ ${EUID} == 0 ]]; then
|
||||
edo "${EPYTHON}" nft-test.py
|
||||
else
|
||||
ewarn "Skipping Python tests (requires root)"
|
||||
fi
|
||||
}
|
||||
|
||||
src_install() {
|
||||
default
|
||||
|
||||
if ! use doc && [[ ! ${PV} =~ ^[9]{4,}$ ]]; then
|
||||
pushd doc >/dev/null || die
|
||||
doman *.?
|
||||
popd >/dev/null || die
|
||||
fi
|
||||
|
||||
# Do it here instead of in src_prepare to avoid eautoreconf
|
||||
# rmdir lets us catch if more files end up installed in /etc/nftables
|
||||
dodir /usr/share/doc/${PF}/skels/
|
||||
mv "${ED}"/etc/nftables/osf "${ED}"/usr/share/doc/${PF}/skels/osf || die
|
||||
rmdir "${ED}"/etc/nftables || die
|
||||
|
||||
exeinto /usr/libexec/${PN}
|
||||
newexe "${FILESDIR}"/libexec/${PN}-mk.sh ${PN}.sh
|
||||
newconfd "${FILESDIR}"/${PN}-mk.confd ${PN}
|
||||
newinitd "${FILESDIR}"/${PN}-mk.init-r1 ${PN}
|
||||
keepdir /var/lib/nftables
|
||||
|
||||
systemd_dounit "${FILESDIR}"/systemd/${PN}-restore.service
|
||||
|
||||
if use python ; then
|
||||
pushd py >/dev/null || die
|
||||
distutils-r1_src_install
|
||||
popd >/dev/null || die
|
||||
fi
|
||||
|
||||
find "${ED}" -type f -name "*.la" -delete || die
|
||||
}
|
||||
|
||||
pkg_preinst() {
|
||||
local stderr
|
||||
|
||||
# There's a history of regressions with nftables upgrades. Perform a
|
||||
# safety check to help us spot them earlier. For the check to pass, the
|
||||
# currently loaded ruleset, if any, must be successfully evaluated by
|
||||
# the newly built instance of nft(8).
|
||||
if [[ -n ${ROOT} ]] || [[ ! -d /sys/module/nftables ]] || [[ ! -x /sbin/nft ]]; then
|
||||
# Either nftables isn't yet in use or nft(8) cannot be executed.
|
||||
return
|
||||
elif ! stderr=$(umask 177; /sbin/nft -t list ruleset 2>&1 >"${T}"/ruleset.nft); then
|
||||
# Report errors induced by trying to list the ruleset but don't
|
||||
# treat them as being fatal.
|
||||
printf '%s\n' "${stderr}" >&2
|
||||
elif [[ ${stderr} == *"is managed by iptables-nft"* ]]; then
|
||||
# Rulesets generated by iptables-nft are special in nature and
|
||||
# will not always be printed in a way that constitutes a valid
|
||||
# syntax for ntf(8). Ignore them.
|
||||
return
|
||||
elif set -- "${ED}"/usr/lib*/libnftables.so; ! LD_LIBRARY_PATH=${1%/*} "${ED}"/sbin/nft -c -f -- "${T}"/ruleset.nft; then
|
||||
eerror "Your currently loaded ruleset cannot be parsed by the newly built instance of"
|
||||
eerror "nft. This probably means that there is a regression introduced by v${PV}."
|
||||
eerror "(To make the ebuild fail instead of warning, set NFTABLES_ABORT_ON_RELOAD_FAILURE=1.)"
|
||||
if [[ -n ${NFTABLES_ABORT_ON_RELOAD_FAILURE} ]] ; then
|
||||
die "Aborting because of failed nft reload!"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
pkg_postinst() {
|
||||
local save_file
|
||||
save_file="${EROOT}"/var/lib/nftables/rules-save
|
||||
|
||||
# In order for the nftables-restore systemd service to start
|
||||
# the save_file must exist.
|
||||
if [[ ! -f "${save_file}" ]]; then
|
||||
( umask 177; touch "${save_file}" )
|
||||
elif [[ $(( "$( stat --printf '%05a' "${save_file}" )" & 07177 )) -ne 0 ]]; then
|
||||
ewarn "Your system has dangerous permissions for ${save_file}"
|
||||
ewarn "It is probably affected by bug #691326."
|
||||
ewarn "You may need to fix the permissions of the file. To do so,"
|
||||
ewarn "you can run the command in the line below as root."
|
||||
ewarn " 'chmod 600 \"${save_file}\"'"
|
||||
fi
|
||||
|
||||
if has_version 'sys-apps/systemd'; then
|
||||
elog "If you wish to enable the firewall rules on boot (on systemd) you"
|
||||
elog "will need to enable the nftables-restore service."
|
||||
elog " 'systemctl enable ${PN}-restore.service'"
|
||||
elog
|
||||
elog "If you are creating firewall rules before the next system restart"
|
||||
elog "the nftables-restore service must be manually started in order to"
|
||||
elog "save those rules on shutdown."
|
||||
fi
|
||||
|
||||
if has_version 'sys-apps/openrc'; then
|
||||
elog "If you wish to enable the firewall rules on boot (on openrc) you"
|
||||
elog "will need to enable the nftables service."
|
||||
elog " 'rc-update add ${PN} default'"
|
||||
elog
|
||||
elog "If you are creating or updating the firewall rules and wish to save"
|
||||
elog "them to be loaded on the next restart, use the \"save\" functionality"
|
||||
elog "in the init script."
|
||||
elog " 'rc-service ${PN} save'"
|
||||
fi
|
||||
}
|
|
@ -17,8 +17,10 @@ if [[ ${PV} =~ ^[9]{4,}$ ]]; then
|
|||
EGIT_REPO_URI="https://git.netfilter.org/${PN}"
|
||||
BDEPEND="sys-devel/bison"
|
||||
else
|
||||
SRC_URI="https://netfilter.org/projects/nftables/files/${P}.tar.xz
|
||||
verify-sig? ( https://netfilter.org/projects/nftables/files/${P}.tar.xz.sig )"
|
||||
SRC_URI="
|
||||
https://netfilter.org/projects/nftables/files/${P}.tar.xz
|
||||
verify-sig? ( https://netfilter.org/projects/nftables/files/${P}.tar.xz.sig )
|
||||
"
|
||||
KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86"
|
||||
BDEPEND="verify-sig? ( sec-keys/openpgp-keys-netfilter )"
|
||||
fi
|
||||
|
@ -70,9 +72,6 @@ src_prepare() {
|
|||
|
||||
src_configure() {
|
||||
local myeconfargs=(
|
||||
# We handle python separately
|
||||
--disable-python
|
||||
--disable-static
|
||||
--sbindir="${EPREFIX}"/sbin
|
||||
$(use_enable debug)
|
||||
$(use_enable doc man-doc)
|
||||
|
@ -83,6 +82,7 @@ src_configure() {
|
|||
$(use_enable static-libs static)
|
||||
$(use_with xtables)
|
||||
)
|
||||
|
||||
econf "${myeconfargs[@]}"
|
||||
|
||||
if use python; then
|
||||
|
@ -111,10 +111,19 @@ src_test() {
|
|||
ewarn "Skipping shell tests (requires root)"
|
||||
fi
|
||||
|
||||
# Need to rig up Python eclass if using this, but it doesn't seem to work
|
||||
# for me anyway.
|
||||
#cd tests/py || die
|
||||
#"${EPYTHON}" nft-test.py || die
|
||||
if use python; then
|
||||
pushd tests/py >/dev/null || die
|
||||
distutils-r1_src_test
|
||||
popd >/dev/null || die
|
||||
fi
|
||||
}
|
||||
|
||||
python_test() {
|
||||
if [[ ${EUID} == 0 ]]; then
|
||||
edo "${EPYTHON}" nft-test.py
|
||||
else
|
||||
ewarn "Skipping Python tests (requires root)"
|
||||
fi
|
||||
}
|
||||
|
||||
src_install() {
|
||||
|
|
Loading…
Reference in New Issue