blob: eb927df4997e55f002d957fbd3c6fa6896323514 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
|
# Copyright 1999-2024 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
DISTUTILS_OPTIONAL=1
DISTUTILS_USE_PEP517=setuptools
PYTHON_COMPAT=( python3_{10..13} )
VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/netfilter.org.asc
inherit edo linux-info distutils-r1 systemd verify-sig
DESCRIPTION="Linux kernel firewall, NAT and packet mangling tools"
HOMEPAGE="https://netfilter.org/projects/nftables/"
if [[ ${PV} =~ ^[9]{4,}$ ]]; then
inherit autotools git-r3
EGIT_REPO_URI="https://git.netfilter.org/${PN}"
BDEPEND="app-alternatives/yacc"
else
SRC_URI="
https://netfilter.org/projects/nftables/files/${P}.tar.xz
verify-sig? ( https://netfilter.org/projects/nftables/files/${P}.tar.xz.sig )
"
KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86"
BDEPEND="verify-sig? ( sec-keys/openpgp-keys-netfilter )"
fi
# See COPYING: new code is GPL-2+, existing code is GPL-2
LICENSE="GPL-2 GPL-2+"
SLOT="0/1"
IUSE="debug doc +gmp json libedit python +readline static-libs test xtables"
RESTRICT="!test? ( test )"
RDEPEND="
>=net-libs/libmnl-1.0.4:=
>=net-libs/libnftnl-1.2.7:=
gmp? ( dev-libs/gmp:= )
json? ( dev-libs/jansson:= )
python? ( ${PYTHON_DEPS} )
readline? ( sys-libs/readline:= )
xtables? ( >=net-firewall/iptables-1.6.1:= )
"
DEPEND="${RDEPEND}"
BDEPEND+="
app-alternatives/lex
virtual/pkgconfig
doc? (
app-text/asciidoc
>=app-text/docbook2X-0.8.8-r4
)
python? ( ${DISTUTILS_DEPS} )
"
REQUIRED_USE="
python? ( ${PYTHON_REQUIRED_USE} )
libedit? ( !readline )
"
PATCHES=(
"${FILESDIR}"/nftables-1.1.0-revert-firewalld-breaking-change.patch
)
src_prepare() {
default
if [[ ${PV} =~ ^[9]{4,}$ ]] ; then
eautoreconf
fi
if use python; then
pushd py >/dev/null || die
distutils-r1_src_prepare
popd >/dev/null || die
fi
}
src_configure() {
local myeconfargs=(
--sbindir="${EPREFIX}"/sbin
$(use_enable debug)
$(use_enable doc man-doc)
$(use_with !gmp mini_gmp)
$(use_with json)
$(use_with libedit cli editline)
$(use_with readline cli readline)
$(use_enable static-libs static)
$(use_with xtables)
)
econf "${myeconfargs[@]}"
if use python; then
pushd py >/dev/null || die
distutils-r1_src_configure
popd >/dev/null || die
fi
}
src_compile() {
default
if use python; then
pushd py >/dev/null || die
distutils-r1_src_compile
popd >/dev/null || die
fi
}
src_test() {
emake check
if [[ ${EUID} == 0 ]]; then
edo tests/shell/run-tests.sh -v
else
ewarn "Skipping shell tests (requires root)"
fi
if use python; then
pushd tests/py >/dev/null || die
distutils-r1_src_test
popd >/dev/null || die
fi
}
python_test() {
if [[ ${EUID} == 0 ]]; then
edo "${EPYTHON}" nft-test.py
else
ewarn "Skipping Python tests (requires root)"
fi
}
src_install() {
default
if ! use doc && [[ ! ${PV} =~ ^[9]{4,}$ ]]; then
pushd doc >/dev/null || die
doman *.?
popd >/dev/null || die
fi
# Do it here instead of in src_prepare to avoid eautoreconf
# rmdir lets us catch if more files end up installed in /etc/nftables
dodir /usr/share/doc/${PF}/skels/
mv "${ED}"/etc/nftables/osf "${ED}"/usr/share/doc/${PF}/skels/osf || die
rmdir "${ED}"/etc/nftables || die
exeinto /usr/libexec/${PN}
newexe "${FILESDIR}"/libexec/${PN}-mk.sh ${PN}.sh
newconfd "${FILESDIR}"/${PN}-mk.confd ${PN}
newinitd "${FILESDIR}"/${PN}-mk.init-r1 ${PN}
keepdir /var/lib/nftables
systemd_dounit "${FILESDIR}"/systemd/${PN}-restore.service
if use python ; then
pushd py >/dev/null || die
distutils-r1_src_install
popd >/dev/null || die
fi
find "${ED}" -type f -name "*.la" -delete || die
}
pkg_preinst() {
local stderr
# There's a history of regressions with nftables upgrades. Perform a
# safety check to help us spot them earlier. For the check to pass, the
# currently loaded ruleset, if any, must be successfully evaluated by
# the newly built instance of nft(8).
if [[ -n ${ROOT} ]] || [[ ! -d /sys/module/nftables ]] || [[ ! -x /sbin/nft ]]; then
# Either nftables isn't yet in use or nft(8) cannot be executed.
return
elif ! stderr=$(umask 177; /sbin/nft -t list ruleset 2>&1 >"${T}"/ruleset.nft); then
# Report errors induced by trying to list the ruleset but don't
# treat them as being fatal.
printf '%s\n' "${stderr}" >&2
elif [[ ${stderr} == *"is managed by iptables-nft"* ]]; then
# Rulesets generated by iptables-nft are special in nature and
# will not always be printed in a way that constitutes a valid
# syntax for ntf(8). Ignore them.
return
elif set -- "${ED}"/usr/lib*/libnftables.so;
! LD_LIBRARY_PATH=${1%/*} "${ED}"/sbin/nft -c -f -- "${T}"/ruleset.nft
then
eerror "Your currently loaded ruleset cannot be parsed by the newly built instance of"
eerror "nft. This probably means that there is a regression introduced by v${PV}."
eerror "(To make the ebuild fail instead of warning, set NFTABLES_ABORT_ON_RELOAD_FAILURE=1.)"
if [[ -n ${NFTABLES_ABORT_ON_RELOAD_FAILURE} ]] ; then
die "Aborting because of failed nft reload!"
fi
fi
}
pkg_postinst() {
local save_file
save_file="${EROOT}"/var/lib/nftables/rules-save
# In order for the nftables-restore systemd service to start
# the save_file must exist.
if [[ ! -f "${save_file}" ]]; then
( umask 177; touch "${save_file}" )
elif [[ $(( "$( stat --printf '%05a' "${save_file}" )" & 07177 )) -ne 0 ]]; then
ewarn "Your system has dangerous permissions for ${save_file}"
ewarn "It is probably affected by bug #691326."
ewarn "You may need to fix the permissions of the file. To do so,"
ewarn "you can run the command in the line below as root."
ewarn " 'chmod 600 \"${save_file}\"'"
fi
if has_version 'sys-apps/systemd'; then
elog "If you wish to enable the firewall rules on boot (on systemd) you"
elog "will need to enable the nftables-restore service."
elog " 'systemctl enable ${PN}-restore.service'"
elog
elog "If you are creating firewall rules before the next system restart"
elog "the nftables-restore service must be manually started in order to"
elog "save those rules on shutdown."
fi
if has_version 'sys-apps/openrc'; then
elog "If you wish to enable the firewall rules on boot (on openrc) you"
elog "will need to enable the nftables service."
elog " 'rc-update add ${PN} default'"
elog
elog "If you are creating or updating the firewall rules and wish to save"
elog "them to be loaded on the next restart, use the \"save\" functionality"
elog "in the init script."
elog " 'rc-service ${PN} save'"
fi
}
|