net-firewall/ebtables: Move the package into coreos-overlay

Incase the ebtables tables are not set, the ebuilds links the
ebtables binaries to the legacy version instead of the nft version

Moving to coreos-overlay to link it to xtables-nft-multi.
The next step could be upstream the patches, incase of the usage of
nftables USE flag.

Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>

sdk_container/src/third_party/coreos-overlay/net-firewall/ebtables/Manifest

@@ -0,0 +1 @@
+DIST ebtables-2.0.11.tar.gz 428411 BLAKE2B 62af4c38ad21498e43f41ef96c8abb5704e8d8a48f1327c587b664f36fdfa9849a9a37e59958db56d38019465d8bf1775914f7387fde99a441615913702cf504 SHA512 43a04c6174c8028c501591ef260526297e0f018016f226e2a3bcf80766fddf53d4605c347554d6da7c4ab5e2131584a18da20916ffddcbf2d26ac93b00c5777f

sdk_container/src/third_party/coreos-overlay/net-firewall/ebtables/ebtables-2.0.11-r3.ebuild

@@ -0,0 +1,106 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="7"
+
+inherit autotools
+
+MY_PV="$(ver_rs 3 '-' )"
+MY_P="${PN}-${MY_PV}"
+
+DESCRIPTION="Controls Ethernet frame filtering on a Linux bridge, MAC NAT and brouting"
+HOMEPAGE="https://ebtables.netfilter.org/"
+SRC_URI="http://ftp.netfilter.org/pub/${PN}/${MY_P}.tar.gz"
+S="${WORKDIR}/${MY_P}"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="amd64 ~arm arm64 ppc ~ppc64 ~riscv x86"
+IUSE="+perl static"
+
+BDEPEND=">=app-eselect/eselect-iptables-20200508"
+# The ebtables-save script is written in perl.
+RDEPEND="${BDEPEND}
+	perl? ( dev-lang/perl )
+	net-misc/ethertypes"
+
+PATCHES=(
+	"${FILESDIR}/${PN}-2.0.11-makefile.patch"
+
+	# Enhance ebtables-save to take table names as parameters bug #189315
+	"${FILESDIR}/${PN}-2.0.11-ebt-save.patch"
+
+	# from upstream git
+	"${FILESDIR}/ebtables-2.0.11-remove-stray-atsign.patch"
+)
+
+pkg_setup() {
+	if use static; then
+		ewarn "You've chosen static build which is useful for embedded devices."
+		ewarn "It has no init script. Make sure that's really what you want."
+	fi
+}
+
+src_prepare() {
+	default
+
+	# Don't install perl scripts if USE=perl is disabled.
+	if ! use perl; then
+		sed -i -e '/^sbin_SCRIPTS/ d' Makefile.am || die
+	fi
+
+	# The bundled autotools are borked, so force a rebuild.
+	eautoreconf
+}
+
+src_configure() {
+	econf \
+		--bindir="/bin" \
+		--sbindir="/sbin" \
+		--libdir="/$(get_libdir)/${PN}" \
+		$(use_enable static)
+}
+
+src_compile() {
+	emake $(usex static 'static ebtables-legacy.8' '')
+}
+
+src_install() {
+	local -a DOCS=( ChangeLog THANKS )
+
+	if ! use static; then
+		emake DESTDIR="${D}" install
+		newinitd "${FILESDIR}"/ebtables.initd-r1 ebtables
+		newconfd "${FILESDIR}"/ebtables.confd-r1 ebtables
+
+		find "${D}" -name '*.la' -type f -delete || die
+
+		# The ethertypes package installs this for us.
+		rm "${ED}"/etc/ethertypes || die
+	else
+		into /
+		newsbin static ebtables
+	fi
+
+	newman ebtables-legacy.8 ebtables.8
+	einstalldocs
+}
+
+pkg_postinst() {
+	if ! eselect ebtables show &>/dev/null; then
+		elog "Current ebtables implementation is unset, setting to ebtables-legacy"
+		eselect ebtables set ebtables-legacy
+	fi
+
+	eselect ebtables show
+}
+
+pkg_prerm() {
+	if [[ -z ${REPLACED_BY_VERSION} ]] && has_version 'net-firewall/iptables[nftables]'; then
+		elog "Resetting ebtables symlinks to xtables-nft-multi before removal"
+		eselect ebtables set xtables-nft-multi
+	else
+		elog "Unsetting ebtables symlinks before removal"
+		eselect ebtables unset
+	fi
+}

sdk_container/src/third_party/coreos-overlay/net-firewall/ebtables/files/ebtables-2.0.11-ebt-save.patch

@@ -0,0 +1,26 @@
+diff --git a/ebtables-save.in b/ebtables-save.in
+index 17924a2..c7a64c3 100644
+--- a/ebtables-save.in
++++ b/ebtables-save.in
+@@ -12,6 +12,7 @@ my $ebtables = "@sbindir@/ebtables";
+ my $cnt = "";
+ my $version = "1.0";
+ my $table_name;
++my @table_names;
+ 
+ # ========================================================
+ # Process filter table
+@@ -49,6 +50,13 @@ sub process_table {
+ }
+ # ========================================================
+ 
++if ($#ARGV + 1 == 0) {
++   @table_names =split("\n", `grep -E '^ebtable_' /proc/modules | cut -f1 -d' ' | sed s/ebtable_//`);
++}
++else {
++   @table_names = @ARGV;
++}
++# ========================================================
+ unless (-x $ebtables) { exit -1 };
+ print "# Generated by ebtables-save v$version (legacy) on " . `date`;
+ if (defined($ENV{'EBTABLES_SAVE_COUNTER'}) && $ENV{'EBTABLES_SAVE_COUNTER'} eq "yes") {

sdk_container/src/third_party/coreos-overlay/net-firewall/ebtables/files/ebtables-2.0.11-makefile.patch

@@ -0,0 +1,13 @@
+diff --git a/Makefile.am b/Makefile.am
+index 6181003..de01139 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -50,7 +50,7 @@ ebtables_legacy_LDADD = libebtc.la
+ ebtablesd_LDADD = libebtc.la
+ ebtables_legacy_restore_SOURCES = ebtables-restore.c
+ ebtables_legacy_restore_LDADD = libebtc.la
+-static_SOURCES = ebtables.c
++static_SOURCES = ebtables.c ebtables-standalone.c
+ static_LDFLAGS = -static
+ static_LDADD = libebtc.la
+ examples_ulog_test_ulog_SOURCES = examples/ulog/test_ulog.c getethertype.c

sdk_container/src/third_party/coreos-overlay/net-firewall/ebtables/files/ebtables-2.0.11-remove-stray-atsign.patch

@@ -0,0 +1,32 @@
+From 7d00e58157bc61168a057cde91a6e5b54dca573b Mon Sep 17 00:00:00 2001
+From: Jan Engelhardt <jengelh@inai.de>
+Date: Mon, 2 Dec 2019 20:52:04 +0100
+Subject: build: remove stray @ sign in manpage
+
+Because the sed command was not matching the trailing @, it
+was left in the manpage, leading to
+
+NAME
+       ebtables-legacy (2.0.11@) - Ethernet bridge frame table administration (legacy)
+
+Signed-off-by: Jan Engelhardt <jengelh@inai.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ Makefile.am | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index b879941..6181003 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -64,6 +64,6 @@ ebtables-legacy-save: ebtables-save.in ${top_builddir}/config.status
+ 	${AM_V_GEN}sed -e 's![@]sbindir@!${sbindir}!g' <$< >$@
+ 
+ ebtables-legacy.8: ebtables-legacy.8.in ${top_builddir}/config.status
+-	${AM_V_GEN}sed -e 's![@]PACKAGE_VERSION!${PACKAGE_VERSION}!g' \
++	${AM_V_GEN}sed -e 's![@]PACKAGE_VERSION@!${PACKAGE_VERSION}!g' \
+ 		-e 's![@]PACKAGE_DATE@!${PROGDATE}!g' \
+ 		-e 's![@]LOCKFILE@!${LOCKFILE}!g' <$< >$@
+-- 
+cgit v1.2.1
+

sdk_container/src/third_party/coreos-overlay/net-firewall/ebtables/files/ebtables.confd-r1

@@ -0,0 +1,19 @@
+# /etc/conf.d/ebtables
+
+# Location in which ebtables initscript will save set rules on 
+# service shutdown
+EBTABLES_SAVE="/var/lib/ebtables/rules-save"
+
+# Options to pass to ebtables-save and ebtables-restore 
+SAVE_RESTORE_OPTIONS=""
+
+# Save state on stopping ebtables
+SAVE_ON_STOP="yes"
+
+# If you need to log iptables messages as soon as iptables starts,
+# AND your logger does NOT depend on the network, then you may wish
+# to uncomment the next line.
+# If your logger depends on the network, and you uncomment this line
+# you will create an unresolvable circular dependency during startup.
+# After commenting or uncommenting this line, you must run 'rc-update -u'.
+#rc_use="logger"

sdk_container/src/third_party/coreos-overlay/net-firewall/ebtables/files/ebtables.initd-r1

@@ -0,0 +1,101 @@
+#!/sbin/openrc-run
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+extra_commands="save panic"
+extra_started_commands="reload"
+
+ebtables_bin="/sbin/ebtables"
+ebtables_save=${EBTABLES_SAVE}
+
+depend() {
+	before net
+}
+
+ebtables_tables() {
+	local table
+	for table in filter nat broute; do
+		if ${ebtables_bin} -t ${table} -L > /dev/null 2>&1; then
+			printf '%s' "${table} "
+		fi
+	done
+}
+
+set_table_policy() {
+	local chains table=$1 policy=$2
+	case ${table} in
+		nat)    chains="PREROUTING POSTROUTING OUTPUT";;
+		broute) chains="BROUTING";;
+		filter) chains="INPUT FORWARD OUTPUT";;
+		*)      chains="";;
+	esac
+	local chain
+	for chain in ${chains} ; do
+		${ebtables_bin} -t ${table} -P ${chain} ${policy}
+	done
+}
+
+checkconfig() {
+	if [ ! -f ${ebtables_save} ] ; then
+		eerror "Not starting ebtables.  First create some rules then run:"
+		eerror "/etc/init.d/ebtables save"
+		return 1
+	fi
+	return 0
+}
+
+start() {
+	checkconfig || return 1
+	ebegin "Loading ebtables state and starting bridge firewall"
+	${ebtables_bin}-restore ${SAVE_RESTORE_OPTIONS} < "${ebtables_save}"
+	eend $?
+}
+
+stop() {
+	if [ "${SAVE_ON_STOP}" = "yes" ] ; then
+		save || return 1
+	fi
+	ebegin "Stopping bridge firewall"
+	local a
+	for a in $(ebtables_tables); do
+		set_table_policy $a ACCEPT
+
+		${ebtables_bin} -t $a -F
+		${ebtables_bin} -t $a -X
+	done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing bridge firewall"
+	local a
+	for a in $(ebtables_tables); do
+		${ebtables_bin} -t $a -F
+		${ebtables_bin} -t $a -X
+	done
+	eend $?
+
+	start
+}
+
+save() {
+	ebegin "Saving ebtables state"
+	checkpath -d -m 0755 "${ebtables_save%/*}"
+	checkpath -f -m 0600 "${ebtables_save}"
+	${ebtables_bin}-save $(ebtables_tables) ${SAVE_RESTORE_OPTIONS} > "${ebtables_save}"
+	eend $?
+}
+
+panic() {
+	service_started ebtables && svc_stop
+
+	local a
+	ebegin "Dropping all packets forwarded on bridges"
+	for a in $(ebtables_tables); do
+		${ebtables_bin} -t $a -F
+		${ebtables_bin} -t $a -X
+
+		set_table_policy $a DROP
+	done
+	eend $?
+}

sdk_container/src/third_party/coreos-overlay/net-firewall/ebtables/metadata.xml

@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<maintainer type="project">
+		<email>base-system@gentoo.org</email>
+		<name>Gentoo Base System</name>
+	</maintainer>
+	<use>
+		<flag name="perl">Install the ebtables-save script which uses perl</flag>
+	</use>
+	<upstream>
+		<remote-id type="sourceforge">ebtables</remote-id>
+		<remote-id type="cpe">cpe:/a:netfilter:ebtables</remote-id>
+	</upstream>
+</pkgmetadata>