ipset: add init script

Included init script is based on work from bug 181045.

7 files changed, 450 insertions, 0 deletions

diff --git a/net-firewall/ipset/ChangeLog b/net-firewall/ipset/ChangeLog
new file mode 100644
index 0000000..09f0d49
--- /dev/null
+++ b/net-firewall/ipset/ChangeLog
@@ -0,0 +1,257 @@
+# ChangeLog for net-firewall/ipset
+# Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2
+# $Header: /var/cvsroot/gentoo-x86/net-firewall/ipset/ChangeLog,v 1.49 2011/07/24 10:59:11 pva Exp $
+
+*ipset-6.8 (24 Jul 2011)
+
+  24 Jul 2011; Peter Volkov <pva@gentoo.org> +ipset-6.8.ebuild:
+  Version bump, thank Ed Wildgoose for report.
+
+  02 Jul 2011; Sven Wegener <swegener@gentoo.org> ipset-6.7-r1.ebuild:
+  Use correct source and build options for kernel.
+
+*ipset-6.7-r1 (16 Jun 2011)
+
+  16 Jun 2011; Peter Volkov <pva@gentoo.org> -ipset-6.4.ebuild,
+  -ipset-6.6.ebuild, -ipset-6.7.ebuild, +ipset-6.7-r1.ebuild:
+  Add missing xt_set and ip_set_hash_netiface modules. Drop old.
+
+*ipset-6.7 (16 Jun 2011)
+
+  16 Jun 2011; Peter Volkov <pva@gentoo.org> +ipset-6.7.ebuild:
+  Version bump.
+
+*ipset-6.6 (24 May 2011)
+
+  24 May 2011; Peter Volkov <pva@gentoo.org> +ipset-6.6.ebuild:
+  Version bump.
+
+  15 May 2011; Peter Volkov <pva@gentoo.org> ipset-6.4.ebuild:
+  Fixed build in case symlink points on different sources then currnely
+  running, bug #356727#c9 thank Ed Wildgoose for this fix.
+
+*ipset-6.4 (01 May 2011)
+
+  01 May 2011; Peter Volkov <pva@gentoo.org> -ipset-2.4.7.ebuild,
+  +ipset-6.4.ebuild:
+  Version bump, bug 356727, thank Andreis_Vinogradovs (slepnoga) for report.
+
+  25 Mar 2011; Kacper Kowalik <xarthisius@gentoo.org> ipset-2.4.7.ebuild,
+  ipset-4.4.ebuild, ipset-4.5.ebuild:
+  Dropped ppc wrt #345019, #304037
+
+*ipset-4.5 (21 Dec 2010)
+
+  21 Dec 2010; Peter Volkov <pva@gentoo.org> -ipset-4.1.ebuild,
+  -ipset-4.2.ebuild, -ipset-4.3.ebuild, +ipset-4.5.ebuild:
+  Version bump, drop old.
+
+  26 Nov 2010; Christian Faulhammer <fauli@gentoo.org> ipset-4.4.ebuild:
+  stable x86, bug 345019
+
+  11 Nov 2010; Markos Chandras <hwoarang@gentoo.org> ipset-4.4.ebuild:
+  Stable on amd64 wrt bug #345019
+
+*ipset-4.4 (14 Oct 2010)
+
+  14 Oct 2010; Peter Volkov <pva@gentoo.org> +ipset-4.4.ebuild:
+  Version bump.
+
+*ipset-4.3 (25 Aug 2010)
+
+  25 Aug 2010; Peter Volkov <pva@gentoo.org> +ipset-4.3.ebuild:
+  Version bump, fixes 2.6.35 kernel compatibility issue, bug 332687, thank
+  fkhp and Oleksandr Kovalenko for report.
+
+  20 May 2010; Peter Volkov <pva@gentoo.org> ipset-4.1.ebuild:
+  amd64 stable, bug 304037.
+
+  17 May 2010; Pawel Hajdan jr <phajdan.jr@gentoo.org> ipset-4.1.ebuild:
+  x86 stable wrt bug #304037
+
+*ipset-4.2 (08 Feb 2010)
+
+  08 Feb 2010; Peter Volkov <pva@gentoo.org> -ipset-2.2.9.20070401.ebuild,
+  -files/ipset-2.4.2-glibc28-fix.patch,
+  -files/ipset-2.4.9-gethostbyname-align.patch, -ipset-3.0.ebuild,
+  +ipset-4.2.ebuild:
+  Version bump, drop old.
+
+  15 Nov 2009; Peter Volkov <pva@gentoo.org> ipset-4.1.ebuild:
+  USE='modules' support.
+
+  14 Nov 2009; Peter Volkov <pva@gentoo.org> ipset-4.1.ebuild:
+  Do not build modules in case kernel is patched and modules are built in,
+  bug #274577 thank Brendan Pike report.
+
+*ipset-4.1 (14 Nov 2009)
+
+  14 Nov 2009; Peter Volkov <pva@gentoo.org> -ipset-2.4.9-r1.ebuild,
+  -ipset-2.5.0-r1.ebuild, +ipset-4.1.ebuild:
+  Version bump, bug #293043, thank Marcin Mirosław for report.
+
+  06 Sep 2009; Robin H. Johnson <robbat2@gentoo.org> ipset-2.4.7.ebuild,
+  ipset-2.4.9-r1.ebuild, ipset-2.5.0-r1.ebuild, ipset-3.0.ebuild:
+  Cleaning up for linux-info work: inherit linux-mod implies inherit
+  linux-info.
+
+  28 Jul 2009; Robin H. Johnson <robbat2@gentoo.org> ipset-3.0.ebuild:
+  Bug #279286: Min iptables version required for ipset is 1.4.4. Thanks to
+  James Earl Spahlinger <james@nixeagle.org>.
+
+*ipset-3.0 (05 Jun 2009)
+
+  05 Jun 2009; Peter Volkov <pva@gentoo.org> -ipset-2.5.0.ebuild,
+  +ipset-3.0.ebuild:
+  Version bump, remove broken version.
+
+*ipset-2.5.0-r1 (14 May 2009)
+
+  14 May 2009; Robin H. Johnson <robbat2@gentoo.org> +ipset-2.5.0-r1.ebuild:
+  Bug #269743: Some of the modules did not get installed.
+
+*ipset-2.5.0 (04 Apr 2009)
+
+  04 Apr 2009; Peter Volkov <pva@gentoo.org> +ipset-2.5.0.ebuild:
+  Version bump.
+
+  20 Mar 2009; Joseph Jezak <josejx@gentoo.org> ipset-2.4.7.ebuild:
+  Marked ppc stable for bug #257483.
+
+*ipset-2.4.9-r1 (03 Mar 2009)
+
+  03 Mar 2009; Peter Volkov <pva@gentoo.org>
+  +files/ipset-2.4.9-gethostbyname-align.patch,
+  -ipset-2.3.0.20070828-r2.ebuild, -ipset-2.3.1.20080612.ebuild,
+  -ipset-2.3.3a.ebuild, -ipset-2.4.2.ebuild, -ipset-2.4.9.ebuild,
+  +ipset-2.4.9-r1.ebuild:
+  Fixed gethostbyname alignment issue on hppa, bug #260481, thank Antixrict
+  for report and work with upstream. Removed old.
+
+*ipset-2.4.9 (28 Feb 2009)
+
+  28 Feb 2009; Peter Volkov <pva@gentoo.org>
+  -files/ipset-2.4.8-use-new-hash.patch, -ipset-2.4.8.ebuild,
+  +ipset-2.4.9.ebuild:
+  Version bump, bug #260480, thank Jeroen Roovers for report.
+
+*ipset-2.4.8 (26 Feb 2009)
+
+  26 Feb 2009; Peter Volkov <pva@gentoo.org>
+  +files/ipset-2.4.8-use-new-hash.patch, ipset-2.4.7.ebuild,
+  +ipset-2.4.8.ebuild:
+  Version bump, bug #260338, thank BoneKracker for report. Disable warnings,
+  fixes bug #259999, thank Aleksey Kunitskiy for report.
+
+  04 Feb 2009; Markus Meier <maekke@gentoo.org> ipset-2.4.7.ebuild:
+  amd64/x86 stable, bug #257483
+
+*ipset-2.4.7 (31 Jan 2009)
+
+  31 Jan 2009; Peter Volkov <pva@gentoo.org>
+  +files/ipset-2.4.7-LDFLAGS.patch, +ipset-2.4.7.ebuild:
+  Version bump. Respect LDFLAGS, #246016, thank Olivier Huber. Probably
+  fixes compatibility issue with 2.6.28, #254207, thank Jochen Schlick.
+
+*ipset-2.4.2 (24 Oct 2008)
+
+  24 Oct 2008; Robin H. Johnson <robbat2@gentoo.org>
+  +files/ipset-2.4.2-glibc28-fix.patch, +ipset-2.4.2.ebuild:
+  Bug #243092, version bump.
+
+  14 Oct 2008; Robin H. Johnson <robbat2@gentoo.org> ipset-2.3.3a.ebuild:
+  Bug #236138, allow building with non-modular kernels.
+
+*ipset-2.3.3a (14 Aug 2008)
+
+  14 Aug 2008; Robin H. Johnson <robbat2@gentoo.org> +ipset-2.3.3a.ebuild:
+  Bug #233763, version bump to resolve glibc-2.8 issues. Upstream also now
+  includes modules buildable without patching the kernel.
+
+*ipset-2.3.1.20080612 (25 Jun 2008)
+
+  25 Jun 2008; Robin H. Johnson <robbat2@gentoo.org>
+  +ipset-2.3.1.20080612.ebuild:
+  Version bump per bug #226155.
+
+*ipset-2.3.0.20070828-r2 (14 Nov 2007)
+
+  14 Nov 2007; <pva@gentoo.org> -ipset-2.3.0.20070828-r1.ebuild,
+  +ipset-2.3.0.20070828-r2.ebuild:
+  Fixed LIBDIR to include /; bug 199084 reported by Krzysztof Olędzki
+  <ole+gentoo AT ans.pl>.
+
+  10 Nov 2007; <pva@gentoo.org> -ipset-2.1.0.20050119-r1.ebuild,
+  -ipset-2.2.8.20051203.ebuild, -ipset-2.2.9.20060508.ebuild:
+  Clean old.
+
+  10 Nov 2007; Christian Faulhammer <opfer@gentoo.org>
+  ipset-2.2.9.20070401.ebuild:
+  stable x86, bug 198158
+
+*ipset-2.3.0.20070828-r1 (07 Nov 2007)
+
+  07 Nov 2007; <pva@gentoo.org> -ipset-2.3.0.20070828.ebuild,
+  +ipset-2.3.0.20070828-r1.ebuild:
+  Cleaned ebuild, courtesy of Donnie Berkholz <dberkholz AT gentoo.org>
+
+*ipset-2.3.0.20070828 (05 Nov 2007)
+
+  05 Nov 2007; <pva@gentoo.org> metadata.xml, +ipset-2.3.0.20070828.ebuild:
+  Version bump. Added myself in metadata. Added emerge --config to patch the
+  kernel.
+
+  12 Apr 2007; Stefan Schweizer <genstef@gentoo.org>
+  -ipset-2.1.0.20050119.ebuild:
+  Remove old version that uses check_KV, bug 150058
+
+*ipset-2.2.9.20070401 (10 Apr 2007)
+
+  10 Apr 2007; Robin H. Johnson <robbat2@gentoo.org>
+  +ipset-2.2.9.20070401.ebuild:
+  New version from upstream, bug #173218. Please note that while this version
+  will compile without a patched kernel, you still need a patched kernel to
+  use it!.
+
+*ipset-2.2.9.20060508 (25 May 2006)
+
+  25 May 2006; Robin H. Johnson <robbat2@gentoo.org>
+  ipset-2.2.8.20051203.ebuild, +ipset-2.2.9.20060508.ebuild:
+  Bug #126878, upstream seems to have changed the directory name inside the
+  tarball. Also version bump that fixes a return code issue.
+
+  27 Jan 2006; Robin H. Johnson <robbat2@gentoo.org>
+  ipset-2.2.8.20051203.ebuild:
+  Adjust description to indicate that this package only provides the userspace
+  portion of ipset. You must still manually patch your kernel to have ipset
+  support.
+
+*ipset-2.2.8.20051203 (12 Dec 2005)
+
+  12 Dec 2005; Robin H. Johnson <robbat2@gentoo.org>
+  +ipset-2.2.8.20051203.ebuild:
+  Version bump.
+
+  26 Sep 2005; Robin H. Johnson <robbat2@gentoo.org>
+  ipset-2.1.0.20050119-r1.ebuild:
+  Stable on x86, 146 days in ~x86.
+
+  06 May 2005; Sven Wegener <swegener@gentoo.org>
+  ipset-2.1.0.20050119.ebuild, ipset-2.1.0.20050119-r1.ebuild:
+  Removed * postfix from <, <=, >= and > dependencies.
+
+*ipset-2.1.0.20050119-r1 (03 May 2005)
+
+  03 May 2005; Robin H. Johnson <robbat2@gentoo.org>
+  +ipset-2.1.0.20050119-r1.ebuild:
+  Convert to use linux-info eclass.
+
+  26 Apr 2005; Andrej Kacian <ticho@gentoo.org> ipset-2.1.0.20050119.ebuild:
+  Added ~amd64 keyword.
+
+*ipset-2.1.0.20050119 (10 Mar 2005)
+
+  10 Mar 2005; Robin H. Johnson <robbat2@gentoo.org> +metadata.xml,
+  +ipset-2.1.0.20050119.ebuild:
+  Initial commit, ebuild by Robin H. Johnson <robbat2@gentoo.org>.
+
diff --git a/net-firewall/ipset/Manifest b/net-firewall/ipset/Manifest
new file mode 100644
index 0000000..ea3003c
--- /dev/null
+++ b/net-firewall/ipset/Manifest
@@ -0,0 +1,6 @@
+AUX ipset.confd 191 RMD160 b05d15226960cfaad609a11433bd5ec47c855681 SHA1 57ca914734177c0247802749896ff5cee2806f4e SHA256 51f976f3c4aedd5cae6c48c62e566527de344cef8eaf8175ce1e631b7b670043
+AUX ipset.initd 1130 RMD160 3044c71ff33f30b7ed05f8bf8a73f9d6a1bb887c SHA1 4becbffb04877a18fa63d463ce169fae15d31913 SHA256 3150d06327872ff3ddb345c5317aac56a18ffb6a8479823f501acc04891c8c02
+DIST ipset-6.8.tar.bz2 122954 RMD160 94ee3177540743153013b04e560839596dde1aad SHA1 0f4abb79fe8a65088f687e8a274aaddb542bc86a SHA256 d7b499ee961cd92ba5f0f698e5de49909d8b2c6697ff5aea3a1535e183f9b809
+EBUILD ipset-6.8.ebuild 3356 RMD160 2a7205d726283f1f612a70ed0fe122aade73cc6b SHA1 6c557c85cdf9f746e18b31671b40f059d1296c7c SHA256 4e934cb93a7ec68073694c9d97fde05ff0831d8d34b8b39826c3e2eb56c55dac
+MISC ChangeLog 8776 RMD160 3ed2eed75b591999fcadd827c13a561a46f5485f SHA1 adcf7562f7cf18ffac4cf40ee4f2485153b88c87 SHA256 f4c47fae8f9895b935a87c66c1d2f8b46419a38aa5a61657216886b8687f27c4
+MISC metadata.xml 282 RMD160 aa8f4511de4ce6c391a019bfe77d4fbb42d0abb6 SHA1 721fca55a38262a0101e2e6680443986c27a681d SHA256 f4824882e12d63f3488e08077df95b12dca429a0275b82c541e4098527773fa5
diff --git a/net-firewall/ipset/files/ipset.confd b/net-firewall/ipset/files/ipset.confd
new file mode 100644
index 0000000..aef7589
--- /dev/null
+++ b/net-firewall/ipset/files/ipset.confd
@@ -0,0 +1,8 @@
+# /etc/conf.d/ipset
+
+# Location in which ipset initscript will save set rules on 
+# service shutdown
+IPSET_SAVE="/var/lib/ipset/rules-save"
+
+# Save state on stopping ipset
+SAVE_ON_STOP="yes"
diff --git a/net-firewall/ipset/files/ipset.initd b/net-firewall/ipset/files/ipset.initd
new file mode 100755
index 0000000..bc21070
--- /dev/null
+++ b/net-firewall/ipset/files/ipset.initd
@@ -0,0 +1,54 @@
+#!/sbin/runscript
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: $
+
+opts="save"
+
+ipset_bin="/usr/sbin/ipset"
+
+depend() {
+    before iptables ip6tables
+    use logger
+}
+
+checkconfig() {
+    if [[ ! -f ${IPSET_SAVE} ]] ; then
+        eerror "Not starting ${SVCNAME}. First create some rules then run:"
+        eerror "/etc/init.d/${SVCNAME} save"
+        return 1
+    fi
+    return 0
+}
+
+start() {
+    checkconfig || return 1
+    ebegin "Loading ipset session'"
+    ${ipset_bin} restore < "${IPSET_SAVE}"
+    eend $?
+}
+
+stop() {
+    service_started iptables && {
+        eerror "Can't stop while iptables is running"
+        return 1
+    }
+    service_started ip6tables && {
+        eerror "Can't stop while ip6tables is running"
+        return 1
+    }
+    if [[ "${SAVE_ON_STOP}" = "yes" ]] ; then
+        save || return 1
+    fi
+    ebegin "Removing kernel IP sets"
+    ${ipset_bin} destroy
+    eend $?
+}
+
+save() {
+    ebegin "Saving ipset session"
+    touch "${IPSET_SAVE}"
+    chmod 0600 "${IPSET_SAVE}"
+    ${ipset_bin} save > "${IPSET_SAVE}"
+    eend $?
+}
diff --git a/net-firewall/ipset/ipset-6.8.ebuild b/net-firewall/ipset/ipset-6.8.ebuild
new file mode 100644
index 0000000..f67a44a
--- /dev/null
+++ b/net-firewall/ipset/ipset-6.8.ebuild
@@ -0,0 +1,113 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-firewall/ipset/ipset-6.8.ebuild,v 1.1 2011/07/24 10:59:11 pva Exp $
+
+EAPI="4"
+inherit autotools linux-info linux-mod
+
+DESCRIPTION="IPset tool for iptables, successor to ippool."
+HOMEPAGE="http://ipset.netfilter.org/"
+SRC_URI="http://ipset.netfilter.org/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+IUSE="modules"
+
+RDEPEND=">=net-firewall/iptables-1.4.4
+	net-libs/libmnl"
+DEPEND="${RDEPEND}"
+
+# configurable from outside, e.g. /etc/make.conf
+IP_NF_SET_MAX=${IP_NF_SET_MAX:-256}
+
+BUILD_TARGETS="modules"
+MODULE_NAMES_ARG="kernel/net/netfilter/ipset/:${S}/kernel/net/netfilter/ipset"
+MODULE_NAMES="xt_set(kernel/net/netfilter/ipset/:${S}/kernel/net/netfilter/)"
+for i in ip_set{,_bitmap_{ip{,mac},port},_hash_{ip{,port{,ip,net}},net,net{port,iface}},_list_set}; do
+	MODULE_NAMES+=" ${i}(${MODULE_NAMES_ARG})"
+done
+CONFIG_CHECK="NETFILTER IP6_NF_IPTABLES !IP_SET"
+ERROR_NETFILTER="ipset requires NETFILTER support in your kernel."
+ERROR_IP6_NF_IPTABLES="ipset requires IP6_NF_IPTABLES support in your kernel."
+ERROR_IP_SET="There is IP_SET support in your kernel. Please build ipset with modules USE flag disabled or you may have troubles loading correct modules."
+
+check_header_patch() {
+	if ! $(grep -q NFNL_SUBSYS_IPSET "${KV_DIR}/include/linux/netfilter/nfnetlink.h"); then
+		eerror "Sorry, but you have to patch kernel sources with the following patch:"
+		eerror " # cd ${KV_DIR}"
+		eerror " # patch -i ${S}/netlink.patch -p1"
+		eerror "You do not need to recompile your kernel."
+		die "Unpatched kernel"
+	fi
+}
+
+pkg_setup() {
+	get_version
+
+	build_modules=0
+	if use modules; then
+		kernel_is -lt 2 6 35 && die "${PN} requires kernel greater then 2.6.35."
+		if linux_config_src_exists && linux_chkconfig_builtin "MODULES" ; then
+			if linux_chkconfig_builtin "IP_NF_SET"; then #274577
+				einfo "Modular kernel detected but IP_NF_SET=y, will not build kernel modules"
+			else
+				if kernel_is -gt 2 6 39; then
+					einfo "This kernel has modules inside, will not build kernel modules"
+				else
+					einfo "Modular kernel detected, will build kernel modules"
+					build_modules=1
+				fi
+			fi
+		else
+			einfo "Nonmodular kernel detected, will not build kernel modules"
+		fi
+	fi
+
+	[[ ${build_modules} -eq 1 ]] && linux-mod_pkg_setup
+}
+
+src_prepare() {
+	[[ ${build_modules} -eq 1 ]] && check_header_patch
+	eautoreconf
+}
+
+src_configure() {
+	econf \
+		--with-maxsets=${IP_NF_SET_MAX} \
+		--libdir="${EPREFIX}"/$(get_libdir) \
+		--with-ksource="${KV_DIR}" \
+		--with-kbuild="${KV_OUT_DIR}"
+}
+
+src_compile() {
+	einfo "Building userspace"
+	emake
+
+	if [[ ${build_modules} -eq 1 ]]; then
+		einfo "Building kernel modules"
+		set_arch_to_kernel
+		emake modules
+	fi
+}
+
+src_install() {
+	einfo "Installing userspace"
+	emake DESTDIR="${D}" install
+
+	if [[ ${build_modules} -eq 1 ]]; then
+		einfo "Installing kernel modules"
+		linux-mod_src_install
+	fi
+	find "${ED}" \( -name '*.la' -o -name '*.a' \) -exec rm -f '{}' +
+
+	keepdir /var/lib/ipset
+	newinitd "${FILESDIR}"/${PN}.initd ipset
+	newconfd "${FILESDIR}"/${PN}.confd ipset
+}
+
+pkg_postinst() {
+	linux-mod_pkg_postinst
+	elog "Note you need to rebuid and run kernel with netlink.patch or you'll get error:"
+	elog "Kernel error received: Invalid argument"
+}
diff --git a/net-firewall/ipset/metadata.xml b/net-firewall/ipset/metadata.xml
new file mode 100644
index 0000000..f38b7dc
--- /dev/null
+++ b/net-firewall/ipset/metadata.xml
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+<herd>no-herd</herd>
+<maintainer>
+  <email>robbat2@gentoo.org</email>
+</maintainer>
+<maintainer>
+  <email>pva@gentoo.org</email>
+</maintainer>
+</pkgmetadata>
diff --git a/profiles/categories b/profiles/categories
index f560d66..d2c9a84 100644
--- a/profiles/categories
+++ b/profiles/categories
@@ -12,6 +12,7 @@ media-sound
 media-video
 net-dialup
 net-dns
+net-firewall
 net-ftp
 net-libs
 net-misc