net-firewall/nftables: add 1.0.9

Signed-off-by: Sam James <sam@gentoo.org>

net-firewall/nftables/Manifest

@@ -2,3 +2,5 @@ DIST nftables-1.0.7.tar.xz 857140 BLAKE2B 972adbb958f36b300618ce03fbbfc1fdb6fd55
 DIST nftables-1.0.7.tar.xz.sig 566 BLAKE2B 53abe2598e9b362912d3e2e94ea6e04352d0484b9d1d645c8f18b6133be53d63a8d71d500e57528a57aededb84dedaf61010236afda560b16e7642db45e2f45c SHA512 b5821aa6939dc5b4d16065d9d7083e4ff40b9f99417354efbcbc95a8ccde43108b99a5b8a75a24086cd3df2291a049cad3adb7b06e2c098f0eb7861f85c5c768
 DIST nftables-1.0.8.tar.xz 882980 BLAKE2B cdf174846cbc3e581993cdee3a24e5ead3fdbb3d6b24d51473ed88affb7fcf70279a8374a4963b31044a9e64cb72ddb28ca1f1686bbaa3101eed4d623fb67d05 SHA512 06053c05a0d7c84a5cc4d22733836dadf9880c3552df3dace6d30aea95c7e1edb5528ea45df8576f282c15bf58f23407e26efb22257bd98a478849a8bdd4f8d5
 DIST nftables-1.0.8.tar.xz.sig 566 BLAKE2B 2f22b9467a55a46ec9e8caf13efe3cd59a6a1a867174602b583549ccaff54576b5f80b5ad9b1cefd208c3f49bc6ce07072626218f479628df369ed7294e1b83b SHA512 0ddd8f29dc5ba891069c63715719f11c0a4745f1e3cd9cd7f9e388ac35835cfbe8f34b371a2ce2a06cbda42384cc72d0bf57746fb02757d68a9b053bbbd67a77
+DIST nftables-1.0.9.tar.xz 971968 BLAKE2B 1dfd1e79d3a7b645fd0995dad10893d70dbd13c92805c5cf30825acbbeb45071b2095072cecbd14b4f66cf0c284d2937a996c6b8013213438f53b92731af039d SHA512 dc34099658e283d9fd4d06264b593710121074558305ea23ab298c5f6a6b564a826f186241b6e106fbaa4e11160cf77e68bb52b4ce401b28d8d2e403cd4b88e8
+DIST nftables-1.0.9.tar.xz.sig 566 BLAKE2B d4bb0a1f629d2950753799fba18f6c3ce50e5ff242816e392245a714bfeccb3408583added4362f1e0da47cc6e30b0b95f864cf8443a1872d59ae40b15b5f706 SHA512 9b96ce8539700713ff4802fb2deff5b2ea0dd3155c45f5a8f49a45f70226893c7449e0b79504833b2e63e5290290e693c962128a226ca8f6ca281185bdcd7b51

net-firewall/nftables/nftables-1.0.9.ebuild

@@ -0,0 +1,226 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+DISTUTILS_OPTIONAL=1
+DISTUTILS_USE_PEP517=setuptools
+PYTHON_COMPAT=( python3_{10..11} )
+VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/netfilter.org.asc
+inherit edo linux-info distutils-r1 systemd verify-sig
+
+DESCRIPTION="Linux kernel firewall, NAT and packet mangling tools"
+HOMEPAGE="https://netfilter.org/projects/nftables/"
+
+if [[ ${PV} =~ ^[9]{4,}$ ]]; then
+	inherit autotools git-r3
+	EGIT_REPO_URI="https://git.netfilter.org/${PN}"
+	BDEPEND="sys-devel/bison"
+else
+	SRC_URI="
+		https://netfilter.org/projects/nftables/files/${P}.tar.xz
+		verify-sig? ( https://netfilter.org/projects/nftables/files/${P}.tar.xz.sig )
+	"
+	KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86"
+	BDEPEND="verify-sig? ( sec-keys/openpgp-keys-netfilter )"
+fi
+
+# See COPYING: new code is GPL-2+, existing code is GPL-2
+LICENSE="GPL-2 GPL-2+"
+SLOT="0/1"
+IUSE="debug doc +gmp json libedit python +readline static-libs test xtables"
+RESTRICT="!test? ( test )"
+
+RDEPEND="
+	>=net-libs/libmnl-1.0.4:=
+	>=net-libs/libnftnl-1.2.6:=
+	gmp? ( dev-libs/gmp:= )
+	json? ( dev-libs/jansson:= )
+	python? ( ${PYTHON_DEPS} )
+	readline? ( sys-libs/readline:= )
+	xtables? ( >=net-firewall/iptables-1.6.1:= )
+"
+DEPEND="${RDEPEND}"
+BDEPEND+="
+	sys-devel/flex
+	virtual/pkgconfig
+	doc? (
+		app-text/asciidoc
+		>=app-text/docbook2X-0.8.8-r4
+	)
+	python? ( ${DISTUTILS_DEPS} )
+"
+
+REQUIRED_USE="
+	python? ( ${PYTHON_REQUIRED_USE} )
+	libedit? ( !readline )
+"
+
+src_prepare() {
+	default
+
+	if [[ ${PV} =~ ^[9]{4,}$ ]] ; then
+		eautoreconf
+	fi
+
+	if use python; then
+		pushd py >/dev/null || die
+		distutils-r1_src_prepare
+		popd >/dev/null || die
+	fi
+}
+
+src_configure() {
+	local myeconfargs=(
+		--sbindir="${EPREFIX}"/sbin
+		$(use_enable debug)
+		$(use_enable doc man-doc)
+		$(use_with !gmp mini_gmp)
+		$(use_with json)
+		$(use_with libedit cli editline)
+		$(use_with readline cli readline)
+		$(use_enable static-libs static)
+		$(use_with xtables)
+	)
+
+	econf "${myeconfargs[@]}"
+
+	if use python; then
+		pushd py >/dev/null || die
+		distutils-r1_src_configure
+		popd >/dev/null || die
+	fi
+}
+
+src_compile() {
+	default
+
+	if use python; then
+		pushd py >/dev/null || die
+		distutils-r1_src_compile
+		popd >/dev/null || die
+	fi
+}
+
+src_test() {
+	emake check
+
+	if [[ ${EUID} == 0 ]]; then
+		edo tests/shell/run-tests.sh -v
+	else
+		ewarn "Skipping shell tests (requires root)"
+	fi
+
+	if use python; then
+		pushd tests/py >/dev/null || die
+		distutils-r1_src_test
+		popd >/dev/null || die
+	fi
+}
+
+python_test() {
+	if [[ ${EUID} == 0 ]]; then
+		edo "${EPYTHON}" nft-test.py
+	else
+		ewarn "Skipping Python tests (requires root)"
+	fi
+}
+
+src_install() {
+	default
+
+	if ! use doc && [[ ! ${PV} =~ ^[9]{4,}$ ]]; then
+		pushd doc >/dev/null || die
+		doman *.?
+		popd >/dev/null || die
+	fi
+
+	# Do it here instead of in src_prepare to avoid eautoreconf
+	# rmdir lets us catch if more files end up installed in /etc/nftables
+	dodir /usr/share/doc/${PF}/skels/
+	mv "${ED}"/etc/nftables/osf "${ED}"/usr/share/doc/${PF}/skels/osf || die
+	rmdir "${ED}"/etc/nftables || die
+
+	exeinto /usr/libexec/${PN}
+	newexe "${FILESDIR}"/libexec/${PN}-mk.sh ${PN}.sh
+	newconfd "${FILESDIR}"/${PN}-mk.confd ${PN}
+	newinitd "${FILESDIR}"/${PN}-mk.init-r1 ${PN}
+	keepdir /var/lib/nftables
+
+	systemd_dounit "${FILESDIR}"/systemd/${PN}-restore.service
+
+	if use python ; then
+		pushd py >/dev/null || die
+		distutils-r1_src_install
+		popd >/dev/null || die
+	fi
+
+	find "${ED}" -type f -name "*.la" -delete || die
+}
+
+pkg_preinst() {
+	local stderr
+
+	# There's a history of regressions with nftables upgrades. Perform a
+	# safety check to help us spot them earlier. For the check to pass, the
+	# currently loaded ruleset, if any, must be successfully evaluated by
+	# the newly built instance of nft(8).
+	if [[ -n ${ROOT} ]] || [[ ! -d /sys/module/nftables ]] || [[ ! -x /sbin/nft ]]; then
+		# Either nftables isn't yet in use or nft(8) cannot be executed.
+		return
+	elif ! stderr=$(umask 177; /sbin/nft -t list ruleset 2>&1 >"${T}"/ruleset.nft); then
+		# Report errors induced by trying to list the ruleset but don't
+		# treat them as being fatal.
+		printf '%s\n' "${stderr}" >&2
+	elif [[ ${stderr} == *"is managed by iptables-nft"* ]]; then
+		# Rulesets generated by iptables-nft are special in nature and
+		# will not always be printed in a way that constitutes a valid
+		# syntax for ntf(8). Ignore them.
+		return
+	elif set -- "${ED}"/usr/lib*/libnftables.so; ! LD_LIBRARY_PATH=${1%/*} "${ED}"/sbin/nft -c -f -- "${T}"/ruleset.nft; then
+		eerror "Your currently loaded ruleset cannot be parsed by the newly built instance of"
+		eerror "nft. This probably means that there is a regression introduced by v${PV}."
+		eerror "(To make the ebuild fail instead of warning, set NFTABLES_ABORT_ON_RELOAD_FAILURE=1.)"
+		if [[ -n ${NFTABLES_ABORT_ON_RELOAD_FAILURE} ]] ; then
+			die "Aborting because of failed nft reload!"
+		fi
+	fi
+}
+
+pkg_postinst() {
+	local save_file
+	save_file="${EROOT}"/var/lib/nftables/rules-save
+
+	# In order for the nftables-restore systemd service to start
+	# the save_file must exist.
+	if [[ ! -f "${save_file}" ]]; then
+		( umask 177; touch "${save_file}" )
+	elif [[ $(( "$( stat --printf '%05a' "${save_file}" )" & 07177 )) -ne 0 ]]; then
+		ewarn "Your system has dangerous permissions for ${save_file}"
+		ewarn "It is probably affected by bug #691326."
+		ewarn "You may need to fix the permissions of the file. To do so,"
+		ewarn "you can run the command in the line below as root."
+		ewarn "    'chmod 600 \"${save_file}\"'"
+	fi
+
+	if has_version 'sys-apps/systemd'; then
+		elog "If you wish to enable the firewall rules on boot (on systemd) you"
+		elog "will need to enable the nftables-restore service."
+		elog "    'systemctl enable ${PN}-restore.service'"
+		elog
+		elog "If you are creating firewall rules before the next system restart"
+		elog "the nftables-restore service must be manually started in order to"
+		elog "save those rules on shutdown."
+	fi
+
+	if has_version 'sys-apps/openrc'; then
+		elog "If you wish to enable the firewall rules on boot (on openrc) you"
+		elog "will need to enable the nftables service."
+		elog "    'rc-update add ${PN} default'"
+		elog
+		elog "If you are creating or updating the firewall rules and wish to save"
+		elog "them to be loaded on the next restart, use the \"save\" functionality"
+		elog "in the init script."
+		elog "    'rc-service ${PN} save'"
+	fi
+}

net-firewall/nftables/nftables-9999.ebuild

@@ -17,8 +17,10 @@ if [[ ${PV} =~ ^[9]{4,}$ ]]; then
 	EGIT_REPO_URI="https://git.netfilter.org/${PN}"
 	BDEPEND="sys-devel/bison"
 else
-	SRC_URI="https://netfilter.org/projects/nftables/files/${P}.tar.xz
-		verify-sig? ( https://netfilter.org/projects/nftables/files/${P}.tar.xz.sig )"
+	SRC_URI="
+		https://netfilter.org/projects/nftables/files/${P}.tar.xz
+		verify-sig? ( https://netfilter.org/projects/nftables/files/${P}.tar.xz.sig )
+	"
 	KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86"
 	BDEPEND="verify-sig? ( sec-keys/openpgp-keys-netfilter )"
 fi
@@ -70,9 +72,6 @@ src_prepare() {
 
 src_configure() {
 	local myeconfargs=(
-		# We handle python separately
-		--disable-python
-		--disable-static
 		--sbindir="${EPREFIX}"/sbin
 		$(use_enable debug)
 		$(use_enable doc man-doc)
@@ -83,6 +82,7 @@ src_configure() {
 		$(use_enable static-libs static)
 		$(use_with xtables)
 	)
+
 	econf "${myeconfargs[@]}"
 
 	if use python; then
@@ -111,10 +111,19 @@ src_test() {
 		ewarn "Skipping shell tests (requires root)"
 	fi
 
-	# Need to rig up Python eclass if using this, but it doesn't seem to work
-	# for me anyway.
-	#cd tests/py || die
-	#"${EPYTHON}" nft-test.py || die
+	if use python; then
+		pushd tests/py >/dev/null || die
+		distutils-r1_src_test
+		popd >/dev/null || die
+	fi
+}
+
+python_test() {
+	if [[ ${EUID} == 0 ]]; then
+		edo "${EPYTHON}" nft-test.py
+	else
+		ewarn "Skipping Python tests (requires root)"
+	fi
 }
 
 src_install() {