Diffstat (limited to 'net-firewall/nftables/nftables-9999.ebuild')
-rw-r--r--net-firewall/nftables/nftables-9999.ebuild18
1 files changed, 16 insertions, 2 deletions
diff --git a/net-firewall/nftables/nftables-9999.ebuild b/net-firewall/nftables/nftables-9999.ebuild
index f60144b1a850..f9713c4a95f6 100644
--- a/net-firewall/nftables/nftables-9999.ebuild
+++ b/net-firewall/nftables/nftables-9999.ebuild
@@ -26,7 +26,8 @@ else
BDEPEND+="verify-sig? ( sec-keys/openpgp-keys-netfilter )"
fi
-LICENSE="GPL-2"
+# See COPYING: new code is GPL-2+, existing code is GPL-2
+LICENSE="GPL-2 GPL-2+"
SLOT="0/1"
IUSE="debug doc +gmp json libedit +modern-kernel python +readline static-libs test xtables"
RESTRICT="!test? ( test )"
@@ -167,10 +168,23 @@ src_install() {
}
pkg_preinst() {
+ local stderr
+
# There's a history of regressions with nftables upgrades. Add a safety
# check to help us spot them earlier.
if [[ -d /sys/module/nf_tables ]] && [[ -x /sbin/nft ]] && [[ -z ${ROOT} ]]; then
- if ! /sbin/nft -t list ruleset | "${ED}"/sbin/nft -c -f -; then
+ # Check the current loaded ruleset, if any, using the newly
+ # built instance of nft(8).
+ if ! stderr=$(umask 177; /sbin/nft -t list ruleset 2>&1 >"${T}"/ruleset.nft); then
+ # Report errors induced by trying to list the ruleset
+ # but don't treat them as being fatal.
+ printf '%s\n' "${stderr}" >&2
+ elif [[ ${stderr} == *"is managed by iptables-nft"* ]]; then
+ # Rulesets generated by iptables-nft are special in
+ # nature and will not always be printed in a way that
+ # constitutes a valid syntax for ntf(8). Ignore them.
+ return
+ elif ! "${ED}"/sbin/nft -c -f "${T}"/ruleset.nft; then
eerror "Your currently loaded ruleset cannot be parsed by the newly built instance of"
eerror "nft. This probably means that there is a regression introduced by v${PV}."
eerror "(To make the ebuild fail instead of warning, set NFTABLES_ABORT_ON_RELOAD_FAILURE=1.)"