authorManuel Rüger <mrueg@gentoo.org>2014-08-25 19:30:47 +0000
committerManuel Rüger <mrueg@gentoo.org>2014-08-25 19:30:47 +0000
commitcfc806c4b683ad7979560aa4f326e2a20a6dc8f8 (patch)
tree5b1bcc025670d670c0e08039404bbb8f6555acfb
parentStable for HPPA (bug #520338). (diff)
NMU: Version bump. See bug #511460. Generate manpage at build time. Add init script based on iptables scripts by Nicholas Vinson. See bug #508182.
(Portage version: 2.2.12/cvs/Linux x86_64, signed Manifest commit with key )
-rw-r--r--net-firewall/nftables/ChangeLog10
-rw-r--r--net-firewall/nftables/files/nftables.confd19
-rw-r--r--net-firewall/nftables/files/nftables.init201
-rw-r--r--net-firewall/nftables/nftables-0.3.ebuild53
4 files changed, 281 insertions, 2 deletions
diff --git a/net-firewall/nftables/ChangeLog b/net-firewall/nftables/ChangeLog
index 4b61038ae538..6f64ab8e5bb2 100644
--- a/net-firewall/nftables/ChangeLog
+++ b/net-firewall/nftables/ChangeLog
@@ -1,6 +1,13 @@
# ChangeLog for net-firewall/nftables
# Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-firewall/nftables/ChangeLog,v 1.2 2014/02/01 20:13:10 steev Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-firewall/nftables/ChangeLog,v 1.3 2014/08/25 19:30:47 mrueg Exp $
+
+*nftables-0.3 (25 Aug 2014)
+
+ 25 Aug 2014; Manuel Rüger <mrueg@gentoo.org> +files/nftables.confd,
+ +files/nftables.init, +nftables-0.3.ebuild:
+ NMU: Version bump. See bug #511460. Generate manpage on buildtime. Add init
+ script based on iptables scripts by Nicholas Vinson. See bug #508182.
01 Feb 2014; Steev Klimaszewski <steev@gentoo.org> nftables-0.099.ebuild:
Add ~arm keyword. Tested by aholler on armv5
@@ -10,4 +17,3 @@
24 Jan 2014; Tony Vroon <chainsaw@gentoo.org> +nftables-0.099.ebuild,
+files/nftables-0.099-94300c7.patch, +files/nftables.8, +metadata.xml:
Initial commit. Patches & ebuilds by dwfreed, with some minor tweaks by me.
-
diff --git a/net-firewall/nftables/files/nftables.confd b/net-firewall/nftables/files/nftables.confd
new file mode 100644
index 000000000000..e83a4b962061
--- /dev/null
+++ b/net-firewall/nftables/files/nftables.confd
@@ -0,0 +1,19 @@
+# /etc/conf.d/nftables
+
+# Location in which nftables initscript will save set rules on
+# service shutdown
+NFTABLES_SAVE="/var/lib/nftables/rules-save"
+
+# Options to pass to nft on save
+SAVE_OPTIONS="-n"
+
+# Save state on stopping nftables
+SAVE_ON_STOP="yes"
+
+# If you need to log nftables messages as soon as nftables starts,
+# AND your logger does NOT depend on the network, then you may wish
+# to uncomment the next line.
+# If your logger depends on the network, and you uncomment this line
+# you will create an unresolvable circular dependency during startup.
+# After commenting or uncommenting this line, you must run 'rc-update -u'.
+#rc_use="logger"
diff --git a/net-firewall/nftables/files/nftables.init b/net-firewall/nftables/files/nftables.init
new file mode 100644
index 000000000000..a5c324602adf
--- /dev/null
+++ b/net-firewall/nftables/files/nftables.init
@@ -0,0 +1,201 @@
+#!/sbin/runscript
+# Copyright 2014 Nicholas Vinson
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+extra_commands="check clear list panic save"
+extra_started_commands="reload"
+
+nftables_name=nftables
+nft_bin=/sbin/nft
+
+depend() {
+ need localmount #434774
+ before net
+}
+
+checkkernel() {
+ ${nft_bin} list tables &>/dev/null
+ if [ $? -ne 0 ]; then
+ eerror "Your kernel lacks ${nftables_name} support, please load"
+ eerror "appropriate modules and try again."
+ return 1
+ fi
+ return 0
+}
+
+checkconfig() {
+ if [ ! -f ${NFTABLES_SAVE} ]; then
+ eerror "Not starting ${nftables_name}. First create some rules then run:"
+ eerror "/etc/init.d/${nftables_name} save"
+ return 1
+ fi
+ return 0
+}
+
+checkfamilies() {
+ if [ -n "${families+set}" ]; then
+ return
+ fi
+
+ local families=()
+ for l3f in ip arp ip6 bridge inet; do
+ ${nft_bin} list tables ${l3f} &> /dev/null
+ if [ $? -eq 0 ]; then
+ families+=($l3f)
+ fi
+ done
+}
+
+havefamily() {
+ local i tfamily=$1
+ checkfamilies
+
+ for i in ${families[@]}; do
+ if [ $i == $tfamily ]; then
+ return 0
+ fi
+ done
+ return 1
+}
+
+clearNFT() {
+ checkfamilies
+
+ local l3f line table chain
+
+ for l3f in ${families[@]}; do
+ ${nft_bin} list tables ${l3f} | while read line; do
+ table=$(echo ${line} | sed "s/table[ \t]*//")
+ ${nft_bin} flush table ${l3f} ${table}
+ ${nft_bin} list table ${l3f} ${table} | while read l; do
+ chain=$(echo $l | grep -o 'chain [^[:space:]]\+' |\
+ cut -d ' ' -f2)
+ if [ -n "${chain}" ]; then
+ ${nft_bin} flush chain ${l3f} ${table} ${chain}
+ ${nft_bin} delete chain ${l3f} ${table} ${chain}
+ fi
+ done
+ ${nft_bin} delete table ${l3f} ${table}
+ done
+ done
+}
+
+addpanictable() {
+ local l3f=$1
+ nft add table ${l3f} panic
+ nft add chain ${l3f} panic input \{ type filter hook input priority 0\; \}
+ nft add chain ${l3f} panic output \{ type filter hook output priority 0\; \}
+ nft add chain ${l3f} panic forward \{ type filter hook forward priority 0\; \}
+ nft add rule ${l3f} panic input drop
+ nft add rule ${l3f} panic output drop
+ nft add rule ${l3f} panic forward drop
+}
+
+checkrules() {
+ ewarn "Rules not checked as ${nftables_name} does not support this feature."
+ return 0
+}
+
+start() {
+ checkkernel || return 1
+ checkconfig || return 1
+ ebegin "Loading ${nftables_name} state and starting firewall"
+ clearNFT
+ ${nft_bin} -f ${NFTABLES_SAVE}
+ eend $?
+}
+
+stop() {
+ if [ "${SAVE_ON_STOP}" = "yes" ] ; then
+ save || return 1
+ fi
+
+ ebegin "Stopping firewall"
+ clearNFT
+ eend $?
+}
+
+reload() {
+ checkkernel || return 1
+ # checkrules || return 1
+ ebegin "Flushing firewall"
+ clearNFT
+
+ start
+}
+
+check() {
+ # Short name for users of init.d script
+ checkrules
+}
+
+clear() {
+ clearNFT
+}
+
+list() {
+ checkfamilies
+ local l3f
+
+ for l3f in ${families[@]}; do
+ ${nft_bin} list tables ${l3f} | while read line; do
+ line=$(echo ${line} | sed "s/table/table ${l3f}/")
+ echo "$(${nft_bin} list ${line})"
+ done
+ done
+}
+
+save() {
+ checkfamilies
+
+ ebegin "Saving ${nftables_name} state"
+ checkpath -q -d "$(dirname "${NFTABLES_SAVE}")"
+ checkpath -q -m 0600 -f "${NFTABLES_SAVE}"
+
+ local l3f line tmp_save="${NFTABLES_SAVE}.tmp"
+
+ touch "${tmp_save}"
+ for l3f in ${families[@]}; do
+ ${nft_bin} list tables ${l3f} | while read line; do
+ line=$(echo ${line} | sed "s/table/table ${l3f}/")
+ # The below substitution fixes an issue where nft -n output may not
+ # always be parsable by nft -f. For example, nft -n might print
+ #
+ # ip6 saddr ::1 ip6 daddr ::1 counter packets 0 bytes 0 accept
+ #
+ # but nft -f refuses to parse that string with error:
+ #
+ # In file included from internal:0:0-0:
+ # /var/lib/nftables/rules-save:1:1-2: Error: Could not process rule:
+ # Invalid argument
+ # table ip6 filter {
+ # ^^
+ echo "$(${nft_bin} ${SAVE_OPTIONS} list ${line} |\
+ sed 's/\(::[0-9a-fA-F]\+\)\([^/]\)/\1\/128\2/g')" >> "${tmp_save}"
+ done
+ done
+ mv "${tmp_save}" "${NFTABLES_SAVE}"
+}
+
+panic() {
+ checkkernel || return 1
+ if service_started ${nftables_name}; then
+ rc-service ${nftables_name} stop
+ fi
+
+ ebegin "Dropping all packets"
+ clearNFT
+
+ if havefamily "inet"; then
+ einfo inet
+ fi
+
+ local l3f
+ for l3f in ${families[@]}; do
+ case ${l3f} in
+ ip) addpanictable ${l3f} ;;
+ ip6) addpanictable ${l3f} ;;
+ esac
+ done
+}
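Review bot: `families` is declared with `local families=()` inside checkfamilies, so under bash's dynamic scoping it is discarded when checkfamilies returns and havefamily, clearNFT, list, save and panic all iterate an empty `${families[@]}`: clearNFT flushes nothing, save writes an empty ruleset over the previous one, and panic installs no drop rules and leaves the current ruleset in place instead of dropping all packets. Drop the `local` and initialise the array at file scope, e.g. `families=()` next to `nft_bin=/sbin/nft`, keeping `families=()` (without `local`) inside checkfamilies; `${families+set}` only tests element 0, so a host with no tables is re-probed on each call, which is harmless. Even with the scoping fixed, panic derives its drop tables from the families that had tables before clearNFT and ignores `inet`, so a ruleset that lived only in `inet`, or an empty one, ends with every table deleted and nothing dropping — adding drop tables for ip, ip6 and inet unconditionally is the safer default. In save, `touch "${tmp_save}"` creates the temporary under the default umask and `mv` then replaces the 0600 file that checkpath prepared with it, so the saved ruleset ends up readable by other local users; use `checkpath -q -m 0600 -f "${tmp_save}"` in place of `touch`.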
diff --git a/net-firewall/nftables/nftables-0.3.ebuild b/net-firewall/nftables/nftables-0.3.ebuild
new file mode 100644
index 000000000000..ed24ed3a9839
--- /dev/null
+++ b/net-firewall/nftables/nftables-0.3.ebuild
@@ -0,0 +1,53 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-firewall/nftables/nftables-0.3.ebuild,v 1.1 2014/08/25 19:30:47 mrueg Exp $
+
+EAPI=5
+
+inherit autotools base linux-info
+
+DESCRIPTION="Linux kernel (3.13+) firewall, NAT and packet mangling tools"
+HOMEPAGE="http://netfilter.org/projects/nftables/"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~x86"
+IUSE="debug"
+SRC_URI="http://netfilter.org/projects/${PN}/files/${P}.tar.bz2"
+
+RDEPEND="net-libs/libmnl
+ >=net-libs/libnftnl-1.0.2
+ dev-libs/gmp
+ sys-libs/readline"
+DEPEND="${RDEPEND}
+ app-text/docbook2X
+ sys-devel/bison
+ sys-devel/flex"
+
+pkg_setup() {
+ if kernel_is ge 3 13; then
+ CONFIG_CHECK="~NF_TABLES"
+ linux-info_pkg_setup
+ else
+ eerror "This package requires kernel version 3.13 or newer to work properly."
+ fi
+}
+
+src_prepare() {
+ base_src_prepare
+ eautoreconf
+}
+
+src_configure() {
+ econf \
+ --sbindir="${EPREFIX}"/sbin \
+ $(use_enable debug)
+}
+
+src_install() {
+ default
+
+ newconfd "${FILESDIR}"/${PN}.confd ${PN}
+ newinitd "${FILESDIR}"/${PN}.init ${PN}
+ keepdir /var/lib/nftables
+}
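Review bot: In pkg_setup the `else` branch only prints `eerror "This package requires kernel version 3.13 or newer to work properly."` and then lets the merge continue, so the message promises a hard requirement the code does not enforce; either follow it with `die` or demote it to `ewarn`, since the check inspects the build host's kernel and a binary package may run elsewhere. The `~NF_TABLES` CONFIG_CHECK on the other branch is already a soft warning, so ewarn keeps the two paths consistent.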