From ca4f63d31c27514bc47a052a57415db026643380 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robert=20F=C3=B6rster?=
Date: Sat, 1 Nov 2014 11:33:56 +0100
Subject: [PATCH] [net-firewall/iptables] import of iptables scm junk, needs cleanup
---
 .../iptables/files/ip6tables-1.4.13.confd | 19 +++
 .../iptables/files/iptables-1.4.13-r1.init | 130 ++++++++++++++++++
 .../iptables/files/iptables-1.4.13.confd | 19 +++
 .../files/systemd/ip6tables-restore.service | 14 ++
 .../files/systemd/ip6tables-store.service | 11 ++
 .../iptables/files/systemd/ip6tables.service | 6 +
 .../files/systemd/iptables-restore.service | 14 ++
 .../files/systemd/iptables-store.service | 11 ++
 .../iptables/files/systemd/iptables.service | 6 +
 net-firewall/iptables/iptables-9999.ebuild | 96 +++++++++++++
 net-libs/libmnl/libmnl-9999.ebuild | 45 ++++++
 net-libs/libnftnl/libnftnl-9999.ebuild | 55 ++++++++
 12 files changed, 426 insertions(+)
 create mode 100644 net-firewall/iptables/files/ip6tables-1.4.13.confd
 create mode 100644 net-firewall/iptables/files/iptables-1.4.13-r1.init
 create mode 100644 net-firewall/iptables/files/iptables-1.4.13.confd
 create mode 100644 net-firewall/iptables/files/systemd/ip6tables-restore.service
 create mode 100644 net-firewall/iptables/files/systemd/ip6tables-store.service
 create mode 100644 net-firewall/iptables/files/systemd/ip6tables.service
 create mode 100644 net-firewall/iptables/files/systemd/iptables-restore.service
 create mode 100644 net-firewall/iptables/files/systemd/iptables-store.service
 create mode 100644 net-firewall/iptables/files/systemd/iptables.service
 create mode 100644 net-firewall/iptables/iptables-9999.ebuild
 create mode 100644 net-libs/libmnl/libmnl-9999.ebuild
 create mode 100644 net-libs/libnftnl/libnftnl-9999.ebuild
diff --git a/net-firewall/iptables/files/ip6tables-1.4.13.confd b/net-firewall/iptables/files/ip6tables-1.4.13.confd
new file mode 100644
index 0000000..3bb3698
--- /dev/null
+++ b/net-firewall/iptables/files/ip6tables-1.4.13.confd
@@ -0,0 +1,19 @@
+# /etc/conf.d/ip6tables
+
+# Location in which iptables initscript will save set rules on
+# service shutdown
+IP6TABLES_SAVE="/var/lib/ip6tables/rules-save"
+
+# Options to pass to iptables-save and iptables-restore
+SAVE_RESTORE_OPTIONS="-c"
+
+# Save state on stopping iptables
+SAVE_ON_STOP="yes"
+
+# If you need to log iptables messages as soon as iptables starts,
+# AND your logger does NOT depend on the network, then you may wish
+# to uncomment the next line.
+# If your logger depends on the network, and you uncomment this line
+# you will create an unresolvable circular dependency during startup.
+# After commenting or uncommenting this line, you must run 'rc-update -u'.
+#rc_use="logger"
diff --git a/net-firewall/iptables/files/iptables-1.4.13-r1.init b/net-firewall/iptables/files/iptables-1.4.13-r1.init
new file mode 100644
index 0000000..a63d076
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-1.4.13-r1.init
@@ -0,0 +1,130 @@
+#!/sbin/runscript
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-firewall/iptables/files/iptables-1.4.13-r1.init,v 1.3 2013/04/27 17:29:09 vapier Exp $
+
+extra_commands="check save panic"
+extra_started_commands="reload"
+
+iptables_name=${SVCNAME}
+case ${iptables_name} in
+iptables|ip6tables) ;;
+*) iptables_name="iptables" ;;
+esac
+
+iptables_bin="/sbin/${iptables_name}"
+case ${iptables_name} in
+ iptables) iptables_proc="/proc/net/ip_tables_names"
+ iptables_save=${IPTABLES_SAVE};;
+ ip6tables) iptables_proc="/proc/net/ip6_tables_names"
+ iptables_save=${IP6TABLES_SAVE};;
+esac
+
+depend() {
+ need localmount #434774
+ before net
+}
+
+set_table_policy() {
+ local chains table=$1 policy=$2
+ case ${table} in
+ nat) chains="PREROUTING POSTROUTING OUTPUT";;
+ mangle) chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING";;
+ filter) chains="INPUT FORWARD OUTPUT";;
+ *) chains="";;
+ esac
+ local chain
+ for chain in ${chains} ; do
+ ${iptables_bin} -t ${table} -P ${chain} ${policy}
+ done
+}
+
+checkkernel() {
+ if [ ! -e ${iptables_proc} ] ; then
+ eerror "Your kernel lacks ${iptables_name} support, please load"
+ eerror "appropriate modules and try again."
+ return 1
+ fi
+ return 0
+}
+checkconfig() {
+ if [ ! -f ${iptables_save} ] ; then
+ eerror "Not starting ${iptables_name}. First create some rules then run:"
+ eerror "/etc/init.d/${iptables_name} save"
+ return 1
+ fi
+ return 0
+}
+
+start() {
+ checkconfig || return 1
+ ebegin "Loading ${iptables_name} state and starting firewall"
+ ${iptables_bin}-restore ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
+ eend $?
+}
+
+stop() {
+ if [ "${SAVE_ON_STOP}" = "yes" ] ; then
+ save || return 1
+ fi
+ checkkernel || return 1
+ ebegin "Stopping firewall"
+ local a
+ for a in $(cat ${iptables_proc}) ; do
+ set_table_policy $a ACCEPT
+
+ ${iptables_bin} -F -t $a
+ ${iptables_bin} -X -t $a
+ done
+ eend $?
+}
+
+reload() {
+ checkkernel || return 1
+ checkrules || return 1
+ ebegin "Flushing firewall"
+ local a
+ for a in $(cat ${iptables_proc}) ; do
+ ${iptables_bin} -F -t $a
+ ${iptables_bin} -X -t $a
+ done
+ eend $?
+
+ start
+}
+
+checkrules() {
+ ebegin "Checking rules"
+ ${iptables_bin}-restore --test ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
+ eend $?
+}
+
+check() {
+ # Short name for users of init.d script.
+ checkrules
+}
+
+save() {
+ ebegin "Saving ${iptables_name} state"
+ checkpath -q -d "$(dirname "${iptables_save}")"
+ checkpath -q -m 0600 -f "${iptables_save}"
+ ${iptables_bin}-save ${SAVE_RESTORE_OPTIONS} > "${iptables_save}"
+ eend $?
+}
+
+panic() {
+ checkkernel || return 1
+ if service_started ${iptables_name}; then
+ rc-service ${iptables_name} stop
+ fi
+
+ local a
+ ebegin "Dropping all packets"
+ for a in $(cat ${iptables_proc}) ; do
+ ${iptables_bin} -F -t $a
+ ${iptables_bin} -X -t $a
+
+ set_table_policy $a DROP
+ done
+ eend $?
+}
diff --git a/net-firewall/iptables/files/iptables-1.4.13.confd b/net-firewall/iptables/files/iptables-1.4.13.confd
new file mode 100644
index 0000000..7225374
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-1.4.13.confd
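Review bot: In stop(), reload() and panic() the `eend $?` after the per-table loop only sees the exit status of the last `${iptables_bin} -X -t $a`, so a failed flush, chain deletion or policy change on an earlier table is reported as success — in panic() that means "Dropping all packets" can print OK while a table still carries its old policy. Collect a status across the loop instead, e.g. `local a ret=0`, `${iptables_bin} -F -t $a || ret=1` (and the same for `-X` and `set_table_policy`), then `eend ${ret}`. set_table_policy() has the same gap: its loop over chains returns only the status of the last `-P` call, so callers cannot tell that an earlier chain kept its previous policy.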
@@ -0,0 +1,19 @@
+# /etc/conf.d/iptables
+
+# Location in which iptables initscript will save set rules on
+# service shutdown
+IPTABLES_SAVE="/var/lib/iptables/rules-save"
+
+# Options to pass to iptables-save and iptables-restore
+SAVE_RESTORE_OPTIONS="-c"
+
+# Save state on stopping iptables
+SAVE_ON_STOP="yes"
+
+# If you need to log iptables messages as soon as iptables starts,
+# AND your logger does NOT depend on the network, then you may wish
+# to uncomment the next line.
+# If your logger depends on the network, and you uncomment this line
+# you will create an unresolvable circular dependency during startup.
+# After commenting or uncommenting this line, you must run 'rc-update -u'.
+#rc_use="logger"
diff --git a/net-firewall/iptables/files/systemd/ip6tables-restore.service b/net-firewall/iptables/files/systemd/ip6tables-restore.service
new file mode 100644
index 0000000..88415fa
--- /dev/null
+++ b/net-firewall/iptables/files/systemd/ip6tables-restore.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Restore ip6tables firewall rules
+# if both are queued for some reason, don't store before restoring :)
+Before=ip6tables-store.service
+# sounds reasonable to have firewall up before any of the services go up
+Before=network.target
+Conflicts=shutdown.target
+
+[Service]
+Type=oneshot
+ExecStart=/sbin/ip6tables-restore /var/lib/ip6tables/rules-save
+
+[Install]
+WantedBy=basic.target
diff --git a/net-firewall/iptables/files/systemd/ip6tables-store.service b/net-firewall/iptables/files/systemd/ip6tables-store.service
new file mode 100644
index 0000000..9975378
--- /dev/null
+++ b/net-firewall/iptables/files/systemd/ip6tables-store.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Store ip6tables firewall rules
+Before=shutdown.target
+DefaultDependencies=No
+
+[Service]
+Type=oneshot
+ExecStart=/bin/sh -c "/sbin/ip6tables-save --counters > /var/lib/ip6tables/rules-save"
+
+[Install]
+WantedBy=shutdown.target
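Review bot: The shell redirection in `ExecStart=/bin/sh -c "/sbin/ip6tables-save --counters > /var/lib/ip6tables/rules-save"` creates the dump with the service's default umask, so unless the file already exists with tighter permissions the saved ruleset becomes readable by every local user; the init script in the same patch deliberately forces `0600` via `checkpath -m 0600`, and the systemd path has no equivalent. Add `UMask=0077` under `[Service]`; iptables-store.service has the identical line and needs the same change. The redirection also truncates the file before `ip6tables-save` runs, so a dump that fails at shutdown leaves an empty rules file for the next boot's restore unit; writing to a temporary file in the same directory and renaming it over `rules-save` only on success would avoid that.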
diff --git a/net-firewall/iptables/files/systemd/ip6tables.service b/net-firewall/iptables/files/systemd/ip6tables.service
new file mode 100644
index 0000000..0a6d7fa
--- /dev/null
+++ b/net-firewall/iptables/files/systemd/ip6tables.service
@@ -0,0 +1,6 @@
+[Unit]
+Description=Store and restore ip6tables firewall rules
+
+[Install]
+Also=ip6tables-store.service
+Also=ip6tables-restore.service
diff --git a/net-firewall/iptables/files/systemd/iptables-restore.service b/net-firewall/iptables/files/systemd/iptables-restore.service
new file mode 100644
index 0000000..9d568d7
--- /dev/null
+++ b/net-firewall/iptables/files/systemd/iptables-restore.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Restore iptables firewall rules
+# if both are queued for some reason, don't store before restoring :)
+Before=iptables-store.service
+# sounds reasonable to have firewall up before any of the services go up
+Before=network.target
+Conflicts=shutdown.target
+
+[Service]
+Type=oneshot
+ExecStart=/sbin/iptables-restore /var/lib/iptables/rules-save
+
+[Install]
+WantedBy=basic.target
diff --git a/net-firewall/iptables/files/systemd/iptables-store.service b/net-firewall/iptables/files/systemd/iptables-store.service
new file mode 100644
index 0000000..aa16e75
--- /dev/null
+++ b/net-firewall/iptables/files/systemd/iptables-store.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Store iptables firewall rules
+Before=shutdown.target
+DefaultDependencies=No
+
+[Service]
+Type=oneshot
+ExecStart=/bin/sh -c "/sbin/iptables-save --counters > /var/lib/iptables/rules-save"
+
+[Install]
+WantedBy=shutdown.target
diff --git a/net-firewall/iptables/files/systemd/iptables.service b/net-firewall/iptables/files/systemd/iptables.service
new file mode 100644
index 0000000..3643a3e
--- /dev/null
+++ b/net-firewall/iptables/files/systemd/iptables.service
@@ -0,0 +1,6 @@
+[Unit]
+Description=Store and restore iptables firewall rules
+
+[Install]
+Also=iptables-store.service
+Also=iptables-restore.service
diff --git a/net-firewall/iptables/iptables-9999.ebuild b/net-firewall/iptables/iptables-9999.ebuild
new file mode 100644
index 0000000..376feba
--- /dev/null
+++ b/net-firewall/iptables/iptables-9999.ebuild
@@ -0,0 +1,96 @@
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="5"
+
+# Force users doing their own patches to install their own tools
+AUTOTOOLS_AUTO_DEPEND=no
+
+inherit autotools eutils git-r3 multilib systemd toolchain-funcs
+
+DESCRIPTION="Linux kernel (3.13+) firewall, NAT and packet mangling tools, with nftables compatibility"
+HOMEPAGE="http://www.netfilter.org/projects/nftables/"
+EGIT_REPO_URI="git://git.netfilter.org/iptables.git"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
+IUSE="ipv6 netlink static-libs"
+
+RDEPEND="
+ netlink? ( net-libs/libnfnetlink )
+"
+DEPEND="${RDEPEND}
+ virtual/os-headers
+ virtual/pkgconfig
+ net-libs/libnetfilter_conntrack
+ net-libs/libnftnl
+ net-libs/libpcap
+"
+
+src_prepare() {
+ # use the saner headers from the kernel
+ rm -f include/linux/{kernel,types}.h
+
+ eautoreconf
+}
+
+src_configure() {
+ # Some libs use $(AR) rather than libtool to build #444282
+ tc-export AR
+
+ sed -i \
+ -e "/nfnetlink=[01]/s:=[01]:=$(usex netlink 1 0):" \
+ configure || die
+
+ econf \
+ --sbindir="${EPREFIX}/sbin" \
+ --libexecdir="${EPREFIX}/$(get_libdir)" \
+ --enable-devel \
+ --enable-shared \
+ --enable-libipq \
+ --enable-bpf-compiler \
+ --enable-nfsynproxy \
+ $(use_enable static-libs static) \
+ $(use_enable ipv6)
+}
+
+src_compile() {
+ emake V=1
+}
+
+src_install() {
+ default
+ dodoc INCOMPATIBILITIES iptables/iptables.xslt
+
+ # all the iptables binaries are in /sbin, so might as well
+ # put these small files in with them
+ into /
+ dosbin iptables/iptables-apply
+ dosym iptables-apply /sbin/ip6tables-apply
+ doman iptables/iptables-apply.8
+
+ insinto /usr/include
+ doins include/iptables.h $(use ipv6 && echo include/ip6tables.h)
+ insinto /usr/include/iptables
+ doins include/iptables/internal.h
+
+ keepdir /var/lib/iptables
+ newinitd "${FILESDIR}"/${PN}-1.4.13-r1.init iptables
+ newconfd "${FILESDIR}"/${PN}-1.4.13.confd iptables
+ if use ipv6 ; then
+ keepdir /var/lib/ip6tables
+ newinitd "${FILESDIR}"/iptables-1.4.13-r1.init ip6tables
+ newconfd "${FILESDIR}"/ip6tables-1.4.13.confd ip6tables
+ fi
+
+ systemd_dounit "${FILESDIR}"/systemd/iptables{,-{re,}store}.service
+ if use ipv6 ; then
+ systemd_dounit "${FILESDIR}"/systemd/ip6tables{,-{re,}store}.service
+ fi
+
+ # Move important libs to /lib
+ gen_usr_ldscript -a ip{4,6}tc iptc xtables
+
+ prune_libtool_files
+}
diff --git a/net-libs/libmnl/libmnl-9999.ebuild b/net-libs/libmnl/libmnl-9999.ebuild
new file mode 100644
index 0000000..14b8aa9
--- /dev/null
+++ b/net-libs/libmnl/libmnl-9999.ebuild
@@ -0,0 +1,45 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: $
+
+EAPI=5
+
+inherit git-r3 autotools autotools-utils
+
+DESCRIPTION="Minimalistic netlink library"
+HOMEPAGE="http://netfilter.org/projects/libmnl"
+EGIT_REPO_URI="git://git.netfilter.org/libmnl.git"
+
+LICENSE="LGPL-2.1"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+IUSE="examples static-libs"
+
+DEPEND=""
+RDEPEND="${DEPEND}"
+
+AUTOTOOLS_IN_SOURCE_BUILD=1
+DOCS=(README)
+src_unpack() {
+ git-r3_src_unpack
+}
+
+src_prepare(){
+ eautoreconf
+}
+
+src_configure() {
+ econf $(use_enable static-libs static)
+}
+
+src_install() {
+ default
+ gen_usr_ldscript -a mnl
+ prune_libtool_files
+
+ if use examples; then
+ find examples/ -name 'Makefile*' -delete
+ dodoc -r examples/
+ docompress -x /usr/share/doc/${PF}/examples
+ fi
+}
diff --git a/net-libs/libnftnl/libnftnl-9999.ebuild b/net-libs/libnftnl/libnftnl-9999.ebuild
new file mode 100644
index 0000000..789b546
--- /dev/null
+++ b/net-libs/libnftnl/libnftnl-9999.ebuild
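Review bot: `EGIT_REPO_URI="git://git.netfilter.org/iptables.git"` fetches the firewall sources over the unauthenticated, unencrypted git:// transport, and as a -9999 ebuild it builds whatever HEAD the server returns, so nothing in the build ties the checked-out tree to what netfilter.org actually published before it is installed as root-run tooling. Prefer an authenticated transport where the project offers one (an https clone URL) and, for anything other than a throwaway checkout, pin the revision with the git-r3 `EGIT_COMMIT` variable so a rebuild is reproducible; libmnl-9999.ebuild and libnftnl-9999.ebuild use the same git:// URIs and need the same treatment. Separately, `KEYWORDS="~alpha ~amd64 …"` on a live ebuild contradicts Gentoo's rule that -9999 ebuilds carry empty `KEYWORDS=""`, since there is no fixed snapshot to have tested; the two net-libs ebuilds set `KEYWORDS="~amd64 ~x86"` for the same reason.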
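Review bot: The `src_unpack()` override in libmnl-9999.ebuild only calls `git-r3_src_unpack`, which is already the phase function git-r3 exports once inherited, so the three lines add nothing and can be dropped. While touching it, `src_prepare(){` should be spelled `src_prepare() {` to match the other phase functions in the same file and the ebuild style used across the patch.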
@@ -0,0 +1,55 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: $
+
+EAPI=5
+EGIT_REPO_URI="git://git.netfilter.org/${PN}"
+
+inherit autotools git-r3 linux-info
+
+DESCRIPTION="Netlink API to the in-kernel nf_tables subsystem"
+HOMEPAGE="http://netfilter.org/projects/nftables/"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+IUSE="xml json examples static-libs"
+
+COMMON_DEPEND=">=net-libs/libmnl-1.0.0
+ xml? ( >=dev-libs/mini-xml-2.6 )
+ json? ( >=dev-libs/jansson-2.3 )"
+DEPEND="virtual/pkgconfig
+ ${COMMON_DEPEND}"
+RDEPEND="${COMMON_DEPEND}"
+
+pkg_setup() {
+ if kernel_is ge 3 13; then
+ CONFIG_CHECK="~NF_TABLES"
+ linux-info_pkg_setup
+ else
+ eerror "This package requires kernel version 3.13 or newer to work properly."
+ fi
+}
+
+src_prepare() {
+ eautoreconf
+}
+
+src_configure() {
+ econf \
+ $(use_enable static-libs static) \
+ $(use_with xml xml-parsing) \
+ $(use_with json json-parsing)
+}
+
+src_install() {
+ default
+ gen_usr_ldscript -a nftnl
+ prune_libtool_files
+
+ if use examples; then
+ find examples/ -name 'Makefile*' -delete
+ dodoc -r examples/
+ docompress -x /usr/share/doc/${PF}/examples
+ fi
+}
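Review bot: pkg_setup() prints `eerror "This package requires kernel version 3.13 or newer to work properly."` and then lets the build continue, so the message claims a hard requirement that the ebuild does not enforce. Since `kernel_is` inspects the build host's kernel, which need not be the kernel the package will run under (binary packages, chroots), the accurate severity is a warning: `ewarn "nf_tables needs a 3.13 or newer kernel at runtime; the build continues."`, which also matches the non-fatal `~` prefix already used in `CONFIG_CHECK="~NF_TABLES"`. If it is meant as a hard stop, append `die` after the message instead; either way the current behaviour should not stay ambiguous.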