blob: 57490646a919f986d99793a17b2b869b90d90fb9 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
|
# Copyright 1999-2024 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
PYTHON_COMPAT=( python3_{10..12} )
DISTUTILS_IN_SOURCE_BUILD=1
DISTUTILS_USE_SETUPTOOLS=no
inherit bash-completion-r1 distutils-r1 linux-info systemd
DESCRIPTION="A program used to manage a netfilter firewall"
HOMEPAGE="https://launchpad.net/ufw"
SRC_URI="https://launchpad.net/ufw/${PV%.*}/${PV}/+download/${P}.tar.gz"
LICENSE="GPL-3"
SLOT="0"
KEYWORDS="amd64 ~arm arm64 ~loong ppc ppc64 ~riscv sparc x86"
IUSE="examples ipv6"
RDEPEND="net-firewall/iptables[ipv6(+)?]"
BDEPEND="
sys-devel/gettext
$(python_gen_cond_dep '
dev-python/setuptools[${PYTHON_USEDEP}]
' python3_12)
"
PATCHES=(
# Move files away from /lib/ufw.
"${FILESDIR}/${P}-move-path.patch"
# Remove unnecessary build time dependency on net-firewall/iptables.
"${FILESDIR}/${P}-dont-check-iptables.patch"
# Remove shebang modification.
"${FILESDIR}/${P}-shebang.patch"
# Fix bash completions, bug #526300
"${FILESDIR}/${PN}-0.36-bash-completion.patch"
)
pkg_pretend() {
local CONFIG_CHECK="~PROC_FS
~NETFILTER_XT_MATCH_COMMENT ~NETFILTER_XT_MATCH_HL
~NETFILTER_XT_MATCH_LIMIT ~NETFILTER_XT_MATCH_MULTIPORT
~NETFILTER_XT_MATCH_RECENT ~NETFILTER_XT_MATCH_STATE"
if kernel_is -ge 2 6 39; then
CONFIG_CHECK+=" ~NETFILTER_XT_MATCH_ADDRTYPE"
else
CONFIG_CHECK+=" ~IP_NF_MATCH_ADDRTYPE"
fi
# https://bugs.launchpad.net/ufw/+bug/1076050
if kernel_is -ge 3 4; then
CONFIG_CHECK+=" ~NETFILTER_XT_TARGET_LOG"
else
CONFIG_CHECK+=" ~IP_NF_TARGET_LOG"
use ipv6 && CONFIG_CHECK+=" ~IP6_NF_TARGET_LOG"
fi
CONFIG_CHECK+=" ~IP_NF_TARGET_REJECT"
use ipv6 && CONFIG_CHECK+=" ~IP6_NF_TARGET_REJECT"
check_extra_config
# Check for default, useful optional features.
if ! linux_config_exists; then
ewarn "Cannot determine configuration of your kernel."
return
fi
local nf_nat_ftp_ok="yes"
local nf_conntrack_ftp_ok="yes"
local nf_conntrack_netbios_ns_ok="yes"
linux_chkconfig_present \
NF_NAT_FTP || nf_nat_ftp_ok="no"
linux_chkconfig_present \
NF_CONNTRACK_FTP || nf_conntrack_ftp_ok="no"
linux_chkconfig_present \
NF_CONNTRACK_NETBIOS_NS || nf_conntrack_netbios_ns_ok="no"
# This is better than an essay for each unset option...
if [[ "${nf_nat_ftp_ok}" == "no" ]] || \
[[ "${nf_conntrack_ftp_ok}" == "no" ]] || \
[[ "${nf_conntrack_netbios_ns_ok}" == "no" ]]; then
echo
local mod_msg="Kernel options listed below are not set. They are not"
mod_msg+=" mandatory, but they are often useful."
mod_msg+=" If you don't need some of them, please remove relevant"
mod_msg+=" module name(s) from IPT_MODULES in"
mod_msg+=" '${EROOT}/etc/default/ufw' before (re)starting ufw."
mod_msg+=" Otherwise ufw may fail to start!"
ewarn "${mod_msg}"
if [[ "${nf_nat_ftp_ok}" == "no" ]]; then
ewarn "NF_NAT_FTP: for better support for active mode FTP."
fi
if [[ "${nf_conntrack_ftp_ok}" == "no" ]]; then
ewarn "NF_CONNTRACK_FTP: for better support for active mode FTP."
fi
if [[ "${nf_conntrack_netbios_ns_ok}" == "no" ]]; then
ewarn "NF_CONNTRACK_NETBIOS_NS: for better Samba support."
fi
fi
}
python_prepare_all() {
# Set as enabled by default. User can enable or disable
# the service by adding or removing it to/from a runlevel.
sed -i 's/^ENABLED=no/ENABLED=yes/' conf/ufw.conf \
|| die "sed failed (ufw.conf)"
sed -i "s/^IPV6=yes/IPV6=$(usex ipv6)/" conf/ufw.defaults || die
# If LINGUAS is set install selected translations only.
if [[ -n ${LINGUAS+set} ]]; then
_EMPTY_LOCALE_LIST="yes"
pushd locales/po > /dev/null || die
local lang
for lang in *.po; do
if ! has "${lang%.po}" ${LINGUAS}; then
rm "${lang}" || die
else
_EMPTY_LOCALE_LIST="no"
fi
done
popd > /dev/null || die
else
_EMPTY_LOCALE_LIST="no"
fi
distutils-r1_python_prepare_all
}
python_install_all() {
newconfd "${FILESDIR}"/ufw.confd ufw
newinitd "${FILESDIR}"/ufw-2.initd ufw
systemd_dounit "${FILESDIR}/ufw.service"
pushd "${ED}" || die
chmod -R 0644 etc/ufw/*.rules || die
popd || die
exeinto /usr/share/${PN}
doexe tests/check-requirements
# users normally would want it
insinto "/usr/share/doc/${PF}/logging/syslog-ng"
doins -r "${FILESDIR}"/syslog-ng/*
insinto "/usr/share/doc/${PF}/logging/rsyslog"
doins -r "${FILESDIR}"/rsyslog/*
doins doc/rsyslog.example
if use examples; then
insinto "/usr/share/doc/${PF}/examples"
doins -r examples/*
fi
newbashcomp shell-completion/bash "${PN}"
[[ $_EMPTY_LOCALE_LIST != "yes" ]] && domo locales/mo/*.mo
distutils-r1_python_install_all
python_replicate_script "${D}/usr/sbin/ufw"
}
pkg_postinst() {
local print_check_req_warn
print_check_req_warn=false
local found=()
local apps=( "net-firewall/arno-iptables-firewall"
"net-firewall/ferm"
"net-firewall/firehol"
"net-firewall/firewalld"
"net-firewall/ipkungfu" )
for exe in "${apps[@]}"
do
if has_version "${exe}"; then
found+=( "${exe}" )
fi
done
if [[ -n ${found} ]]; then
echo ""
ewarn "WARNING: Detected other firewall applications:"
ewarn "${found[@]}"
ewarn "If enabled, these applications may interfere with ufw!"
fi
if [[ -z "${REPLACING_VERSIONS}" ]]; then
echo ""
elog "To enable ufw, add it to boot sequence and activate it:"
elog "-- # rc-update add ufw boot"
elog "-- # /etc/init.d/ufw start"
echo
elog "If you want to keep ufw logs in a separate file, take a look at"
elog "/usr/share/doc/${PF}/logging."
print_check_req_warn=true
else
local rv
for rv in ${REPLACING_VERSIONS}; do
local major=${rv%%.*}
local minor=${rv#${major}.}
if [[ "${major}" -eq 0 && "${minor}" -lt 34 ]]; then
print_check_req_warn=true
fi
done
fi
if [[ "${print_check_req_warn}" == "true" ]]; then
echo
elog "/usr/share/ufw/check-requirements script is installed."
elog "It is useful for debugging problems with ufw. However one"
elog "should keep in mind that the script assumes IPv6 is enabled"
elog "on kernel and net-firewall/iptables, and fails when it's not."
fi
echo
ewarn "Note: once enabled, ufw blocks also incoming SSH connections by"
ewarn "default. See README, Remote Management section for more information."
}
|