From b8d4439b5b8b46f84a6691db0b4edaa2e4f69909 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robert=20F=C3=B6rster?=
Date: Fri, 15 Jul 2022 16:44:57 +0200
Subject: [PATCH] [net-firewall/iptables] sync with tree
---
 .../iptables/files/iptables-1.8.2-link.patch | 24 ++++
 .../files/iptables-1.8.4-no-symlinks.patch | 19 +++
 .../{iptables-r2.init => iptables-r3.init} | 20 +-
 net-firewall/iptables/iptables-9999.ebuild | 119 ++++++++++++------
 4 files changed, 136 insertions(+), 46 deletions(-)
 create mode 100644 net-firewall/iptables/files/iptables-1.8.2-link.patch
 create mode 100644 net-firewall/iptables/files/iptables-1.8.4-no-symlinks.patch
 rename net-firewall/iptables/files/{iptables-r2.init => iptables-r3.init} (75%)
diff --git a/net-firewall/iptables/files/iptables-1.8.2-link.patch b/net-firewall/iptables/files/iptables-1.8.2-link.patch
new file mode 100644
index 0000000..c20f2e5
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-1.8.2-link.patch
@@ -0,0 +1,24 @@
+From ee4fc7c558d9eb9c37035250046d4eac9af3fa28 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping
+Date: Thu, 27 Dec 2018 23:47:33 +0100
+Subject: [PATCH] Fix link errors for USE="conntrack static-libs" (bug #586106)
+
+---
+ iptables/Makefile.am | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/iptables/Makefile.am b/iptables/Makefile.am
+index 581dc32..2c3db86 100644
+--- a/iptables/Makefile.am
++++ b/iptables/Makefile.am
+@@ -26,6 +26,7 @@ xtables_legacy_multi_LDADD += ../libiptc/libip6tc.la ../extensions/libext6.a
+ endif
+ xtables_legacy_multi_SOURCES += xshared.c
+ xtables_legacy_multi_LDADD += ../libxtables/libxtables.la -lm
++xtables_legacy_multi_LDADD += ${libnetfilter_conntrack_LIBS}
+
+ # iptables using nf_tables api
+ if ENABLE_NFTABLES
+--
+2.19.1
+
diff --git a/net-firewall/iptables/files/iptables-1.8.4-no-symlinks.patch b/net-firewall/iptables/files/iptables-1.8.4-no-symlinks.patch
new file mode 100644
index 0000000..349a01a
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-1.8.4-no-symlinks.patch
@@ -0,0 +1,19 @@
+diff --git a/iptables/Makefile.am b/iptables/Makefile.am
+index 71b1b1d4..30c77f9a 100644
+--- a/iptables/Makefile.am
++++ b/iptables/Makefile.am
+@@ -71,12 +71,10 @@ CLEANFILES = iptables.8 xtables-monitor.8 \
+
+ vx_bin_links = iptables-xml
+ if ENABLE_IPV4
+-v4_sbin_links = iptables-legacy iptables-legacy-restore iptables-legacy-save \
+- iptables iptables-restore iptables-save
++v4_sbin_links = iptables-legacy iptables-legacy-restore iptables-legacy-save
+ endif
+ if ENABLE_IPV6
+-v6_sbin_links = ip6tables-legacy ip6tables-legacy-restore ip6tables-legacy-save \
+- ip6tables ip6tables-restore ip6tables-save
++v6_sbin_links = ip6tables-legacy ip6tables-legacy-restore ip6tables-legacy-save
+ endif
+ if ENABLE_NFTABLES
+ x_sbin_links = iptables-nft iptables-nft-restore iptables-nft-save \
diff --git a/net-firewall/iptables/files/iptables-r2.init b/net-firewall/iptables/files/iptables-r3.init
similarity index 75%
rename from net-firewall/iptables/files/iptables-r2.init
rename to net-firewall/iptables/files/iptables-r3.init
index 3dcabb0..53eb424 100644
--- a/net-firewall/iptables/files/iptables-r2.init
+++ b/net-firewall/iptables/files/iptables-r3.init
@@ -1,5 +1,5 @@
 #!/sbin/openrc-run
-# Copyright 1999-2018 Gentoo Authors
+# Copyright 1999-2022 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 extra_commands="check save panic"
@@ -38,7 +38,7 @@ set_table_policy() {
 local chain
 for chain in ${chains} ; do
-${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -t ${table} -P ${chain} ${policy}
+${iptables_bin} --wait ${iptables_lock_wait_time} -t ${table} -P ${chain} ${policy}
 [ $? -ne 0 ] && has_errors=1
 done
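Review bot: The `-P` line now passes only `--wait ${iptables_lock_wait_time}` and no longer consumes `iptables_lock_wait_interval`; if that variable is still assigned (its definition is outside these hunks, presumably fed from conf.d) it becomes dead configuration and a user who sets it gets no warning. Consider removing it where it is defined, or marking it with a comment such as `# iptables_lock_wait_interval: no longer used, --wait-interval is not passed to iptables`. The same `--wait-interval` removal is repeated in the @@ -69, @@ -88, @@ -103, @@ -136 and @@ -149 hunks of this file, so one fix at the definition covers all of them. set_table_policy starts before this hunk and its tail is not shown.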
@@ -69,7 +69,7 @@ start_pre() {
 start() {
 ebegin "Loading ${iptables_name} state and starting firewall"
-${iptables_bin}-restore --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
+${iptables_bin}-restore --wait ${iptables_lock_wait_time} ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
 eend $?
 }
@@ -88,10 +88,10 @@ stop() {
 set_table_policy $a ACCEPT
 [ $? -ne 0 ] && has_errors=1
-${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -F -t $a
+${iptables_bin} --wait ${iptables_lock_wait_time} -F -t $a
 [ $? -ne 0 ] && has_errors=1
-${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -X -t $a
+${iptables_bin} --wait ${iptables_lock_wait_time} -X -t $a
 [ $? -ne 0 ] && has_errors=1
 done
 eend ${has_errors}
@@ -103,10 +103,10 @@ reload() {
 ebegin "Flushing firewall"
 local has_errors=0 a
 for a in $(cat ${iptables_proc}) ; do
-${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -F -t $a
+${iptables_bin} --wait ${iptables_lock_wait_time} -F -t $a
 [ $? -ne 0 ] && has_errors=1
-${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -X -t $a
+${iptables_bin} --wait ${iptables_lock_wait_time} -X -t $a
 [ $? -ne 0 ] && has_errors=1
 done
 eend ${has_errors}
@@ -136,7 +136,7 @@ save() {
 panic() {
 # use iptables autoload capability to load at least all required
 # modules and filter table
-${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -S >/dev/null
+${iptables_bin} --wait ${iptables_lock_wait_time} -S >/dev/null
 if [ $? -ne 0 ] ; then
 eerror "${iptables_bin} failed to load"
 return 1
@@ -149,10 +149,10 @@ panic() {
 local has_errors=0 a
 ebegin "Dropping all packets"
 for a in $(cat ${iptables_proc}) ; do
-${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -F -t $a
+${iptables_bin} --wait ${iptables_lock_wait_time} -F -t $a
 [ $? -ne 0 ] && has_errors=1
-${iptables_bin} --wait ${iptables_lock_wait_time} --wait-interval ${iptables_lock_wait_interval} -X -t $a
+${iptables_bin} --wait ${iptables_lock_wait_time} -X -t $a
 [ $? -ne 0 ] && has_errors=1
 if [ "${a}" != "nat" ]; then
diff --git a/net-firewall/iptables/iptables-9999.ebuild b/net-firewall/iptables/iptables-9999.ebuild
index ba05c64..631929f 100644
--- a/net-firewall/iptables/iptables-9999.ebuild
+++ b/net-firewall/iptables/iptables-9999.ebuild
@@ -1,12 +1,9 @@
-# Copyright 1999-2019 Gentoo Authors
+# Copyright 1999-2022 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
-EAPI=7
+EAPI=8
-# Force users doing their own patches to install their own tools
-AUTOTOOLS_AUTO_DEPEND=no
-
-inherit multilib systemd toolchain-funcs autotools flag-o-matic usr-ldscript git-r3
+inherit systemd toolchain-funcs autotools flag-o-matic usr-ldscript git-r3
 DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
 HOMEPAGE="https://www.netfilter.org/projects/iptables/"
@@ -17,18 +14,19 @@ LICENSE="GPL-2"
 # the last time.
 SLOT="0/1.8.3"
 KEYWORDS=""
-IUSE="conntrack ipv6 netlink nftables pcap static-libs"
+IUSE="conntrack netlink nftables pcap static-libs"
 COMMON_DEPEND="
 conntrack? ( >=net-libs/libnetfilter_conntrack-1.0.6 )
 netlink? ( net-libs/libnfnetlink )
 nftables? (
->=net-libs/libmnl-1.0:0=
->=net-libs/libnftnl-1.1.5:0=
+>=net-libs/libmnl-1.0:=
+>=net-libs/libnftnl-1.1.6:=
 )
 pcap? ( net-libs/libpcap )
 "
-DEPEND="${COMMON_DEPEND}
+DEPEND="
+${COMMON_DEPEND}
 virtual/os-headers
 >=sys-kernel/linux-headers-4.4:0
 "
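Review bot: The @@ -17 hunk drops `ipv6` from IUSE, but the ebuild's configure phase is outside these hunks, so it cannot be verified here that a matching `$(use_enable ipv6)` or `use ipv6` call was removed as well; a surviving reference to a flag no longer declared in IUSE is flagged by the Portage/pkgcheck QA checks. Please confirm, or state in the commit message that IPv6 support is now built unconditionally. The @@ -1 hunk likewise drops `multilib` from `inherit` with the rest of the ebuild unseen; if the only thing taken from that eclass was `get_libdir`, the EAPI provides it natively and the removal is fine.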
@@ -39,23 +37,33 @@ BDEPEND="
 virtual/yacc
 )
 "
-RDEPEND="${COMMON_DEPEND}
+RDEPEND="
+${COMMON_DEPEND}
 nftables? ( net-misc/ethertypes )
+!/dev/null; then
+elog "Current iptables implementation is unset, setting to ${default_iptables}"
+eselect iptables set "${default_iptables}"
+fi
+
+if use nftables; then
+local tables
+for tables in {arp,eb}tables; do
+if ! eselect ${tables} show &>/dev/null; then
+elog "Current ${tables} implementation is unset, setting to ${default_iptables}"
+eselect ${tables} set xtables-nft-multi
+fi
+done
+fi
+
+eselect iptables show
+}
+
+pkg_prerm() {
+if [[ -z ${REPLACED_BY_VERSION} ]]; then
+elog "Unsetting iptables symlinks before removal"
+eselect iptables unset
+fi
+
+if ! has_version 'net-firewall/ebtables'; then
+elog "Unsetting ebtables symlinks before removal"
+eselect ebtables unset
+elif [[ -z ${REPLACED_BY_VERSION} ]]; then
+elog "Resetting ebtables symlinks to ebtables-legacy"
+eselect ebtables set ebtables-legacy
+fi
+
+if ! has_version 'net-firewall/arptables'; then
+elog "Unsetting arptables symlinks before removal"
+eselect arptables unset
+elif [[ -z ${REPLACED_BY_VERSION} ]]; then
+elog "Resetting arptables symlinks to arptables-legacy"
+eselect arptables set arptables-legacy
+fi
+
+# The eselect module failing should not be fatal
+return 0
+}
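Review bot: In the nftables loop of pkg_postinst the message says `setting to ${default_iptables}` while the command on the next line runs `eselect ${tables} set xtables-nft-multi`, so the log names one implementation and the command selects another; change the message to `elog "Current ${tables} implementation is unset, setting to xtables-nft-multi"`, or put the target in a variable and use it in both lines. The loop variable in `for tables in {arp,eb}tables; do` holds a single tool name, so `table` would read more accurately than `tables`. The opening of pkg_postinst, including where `default_iptables` is assigned, is not legible in this copy of the hunk, so its value cannot be checked here.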