net-firewall/nftables: Sync with Gentoo upstream; updates to 0.9.9

Signed-off-by: Sayan Chowdhury <sayan@kinvolk.io>

sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/Manifest

@@ -1 +1,2 @@
-DIST nftables-0.6.tar.gz 252523 SHA256 85dd7fa4e741c0be02efddbc57b5d300e1147f09ec6f81d0399110f96dc958f0 SHA512 17f3b94687865e077dc082cf61b29ab2854fd1ffe18212a8d424f2876aef8db9780dd4d06dca8e6d093498151d47bab73e40e1f54062a83a23a3cbe75f27e921 WHIRLPOOL d15eaf81426d73bea28752f96727d291120120fb2aaa994d421d900974eb45062957435e077664fb916780f636ed9b61889dbec8b627d5d309512bae96f02874
+DIST nftables-0.9.8.tar.bz2 879516 BLAKE2B 5063090d648668f4d5ae6d4be48ebecc65dfd4b525768e94a0d90ceebbee73874c916727be8de633550db71c612d698d88cf93575931362b48d954e6ac275143 SHA512 1c5709825c8b2c13cbed0310658959ecee164c930bc9e2447618a0894598138b9a549d20509c32a5c23ce99e40438df38f9e170cf656ce993d819f365490a180
+DIST nftables-0.9.9.tar.bz2 922624 BLAKE2B 8de2709576a26ca84a8d694f7cb06cad2bb2fb4671ba21ffc32c0d5997e8124ae7cd794dafddf4db48d8a49c280b48b07d2a31b6c18f6647fdb67cfe7f065b61 SHA512 dfdd3ffc0ffc1742ca0494a3f8fac1c7b2fe942849e60d33fc3cb8a51e27bd39e1ccfeda2195191377a32bb5363ea244f4c3e71b4a6d930f33bf87e17a534fab

sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/nftables-0.5-pdf-doc.patch

@@ -1,52 +0,0 @@
-Update configure script to include option to enable and disable PDF man page
-generation.
-
---- a/configure.ac
-+++ b/configure.ac
-@@ -27,10 +27,16 @@
- AC_CONFIG_HEADER([config.h])
- 
- AC_DEFINE([_GNU_SOURCE], [], [Enable various GNU extensions])
- AC_DEFINE([_STDC_FORMAT_MACROS], [], [printf-style format macros])
- 
-+AC_ARG_ENABLE([pdf-doc],
-+	      AS_HELP_STRING([--disable-pdf-doc], [Disable PDF documentation]),
-+	      AS_IF([test "x$enable_pdf_doc" = "xno"], [enable_pdf_doc=no],
-+	      [enable_pdf_doc=yes]), [enable_pdf_doc=yes])
-+AM_CONDITIONAL([BUILD_PDF], [test "x$enable_pdf_doc" == "xyes" ])
-+
- AC_ARG_ENABLE([debug],
- 	      AS_HELP_STRING([--enable-debug], [Disable debugging]),
- 	      AS_IF([test "x$enable_debug" = "xno"], [with_debug=no], [with_debug=yes]),
- 	      [with_debug=yes])
- AC_SUBST(with_debug)
-@@ -61,15 +67,15 @@
- 	)]
- )
- AC_SUBST(DB2MAN)
- AM_CONDITIONAL([BUILD_MAN], [test -n "$DB2MAN"])
- 
--AC_CHECK_PROG(DBLATEX, [dblatex], [found], [no])
--AS_IF([test "$DBLATEX" == "no"],
--	[AC_MSG_WARN([dblatex not found, no PDF manpages will be built])]
--)
--AM_CONDITIONAL([BUILD_PDF], [test "$DBLATEX" == "found"])
-+AM_COND_IF([BUILD_PDF], [
-+	AC_CHECK_PROG(DBLATEX, [dblatex], [found], [no])
-+	AS_IF([test "$DBLATEX" == "no"],
-+	      [AC_MSG_ERROR([dblatex not found])])
-+])
- 
- # Checks for libraries.
- PKG_CHECK_MODULES([LIBMNL], [libmnl >= 1.0.3])
- PKG_CHECK_MODULES([LIBNFTNL], [libnftnl >= 1.0.5])
- 
-@@ -134,6 +140,7 @@
- 
- echo "
- nft configuration:
-   cli support:			${with_cli}
-   enable debugging:		${with_debug}
--  use mini-gmp:			${with_mini_gmp}"
-+  use mini-gmp:			${with_mini_gmp}
-+  enable pdf documentation:	${enable_pdf_doc}"

sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/nftables-0.6-null-payload-desc-fix.patch

@@ -1,14 +0,0 @@
-diff --git a/src/payload.c b/src/payload.c
-index ac0e917..9ba980a 100644
---- a/src/payload.c
-+++ b/src/payload.c
-@@ -85,6 +85,9 @@ static void payload_expr_pctx_update(struct proto_ctx *ctx,
- 	base = ctx->protocol[left->payload.base].desc;
- 	desc = proto_find_upper(base, proto);
- 
-+	if (!desc)
-+		return;
-+
- 	assert(desc->base <= PROTO_BASE_MAX);
- 	if (desc->base == base->base) {
- 		assert(base->length > 0);

sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/nftables-0.9.8-slibtool.patch

@@ -0,0 +1,13 @@
+This fixes build with sys-devel/slibtool
+
+--- nftables-0.9.8/src/Makefile.am
++++ nftables-0.9.8/src/Makefile.am
+@@ -90,7 +90,7 @@
+ 
+ libnftables_la_LIBADD = ${LIBMNL_LIBS} ${LIBNFTNL_LIBS} libparser.la
+ libnftables_la_LDFLAGS = -version-info ${libnftables_LIBVERSION} \
+-			 --version-script=$(srcdir)/libnftables.map
++			 -Wl,--version-script=$(srcdir)/libnftables.map
+ 
+ if BUILD_MINIGMP
+ noinst_LTLIBRARIES += libminigmp.la

sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/metadata.xml

@@ -1,12 +1,22 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
 <pkgmetadata>
-	<maintainer type="person">
-		<email>mrueg@gentoo.org</email>
-		<name>Manuel Rüger</name>
-	</maintainer>
 	<maintainer type="project">
 		<email>base-system@gentoo.org</email>
 		<name>Gentoo Base System</name>
 	</maintainer>
+	<maintainer type="person">
+		<email>prometheanfire@gentoo.org</email>
+		<name>Matthew Thode</name>
+	</maintainer>
+	<maintainer type="person" proxied="yes">
+		<email>klondike@gentoo.org</email>
+		<name>Francisco Blas Izquierdo Riera</name>
+	</maintainer>
+	<use>
+		<flag name="doc">Create man pages for the package (requires <pkg>app-text/asciidoc</pkg>)</flag>
+		<flag name="json">Enable JSON support via <pkg>dev-libs/jansson</pkg></flag>
+		<flag name="modern-kernel">Install init scripts for 3.18 or higher kernels with atomic rule updates</flag>
+		<flag name="xtables">Add libxtables support to try to automatically translate rules added by iptables-compat</flag>
+	</use>
 </pkgmetadata>

sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/nftables-0.6-r4.ebuild

@@ -1,57 +0,0 @@
-# Copyright 1999-2016 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=6
-
-inherit autotools linux-info systemd
-
-DESCRIPTION="Linux kernel (3.13+) firewall, NAT and packet mangling tools"
-HOMEPAGE="http://netfilter.org/projects/nftables/"
-SRC_URI="http://git.netfilter.org/nftables/snapshot/v${PV}.tar.gz -> ${P}.tar.gz"
-
-LICENSE="GPL-2"
-SLOT="0"
-KEYWORDS="amd64 arm64 ~arm ~x86"
-IUSE="debug doc gmp +readline xml"
-
-RDEPEND=">=net-libs/libmnl-1.0.3
-	gmp? ( dev-libs/gmp:0= )
-	readline? ( sys-libs/readline:0= )
-	>=net-libs/libnftnl-1.0.6[xml(-)?]
-	"
-DEPEND="${RDEPEND}
-	doc? ( >=app-text/docbook2X-0.8.8-r4 >=app-text/dblatex-0.3.7 )
-	sys-devel/bison
-	sys-devel/flex
-	virtual/pkgconfig"
-
-S="${WORKDIR}/v${PV}"
-
-PATCHES=(
-	"${FILESDIR}/${PN}-0.5-pdf-doc.patch"
-	"${FILESDIR}/${P}-null-payload-desc-fix.patch"
-)
-
-pkg_setup() {
-	if kernel_is ge 3 13; then
-		CONFIG_CHECK="~NF_TABLES"
-		linux-info_pkg_setup
-	else
-		eerror "This package requires kernel version 3.13 or newer to work properly."
-	fi
-}
-
-src_prepare() {
-	default
-	eautoreconf
-}
-
-src_configure() {
-	econf \
-		--sysconfdir="${EPREFIX}"/usr/share \
-		--sbindir="${EPREFIX}"/sbin \
-		$(use_enable doc pdf-doc) \
-		$(use_enable debug) \
-		$(use_with readline cli) \
-		$(use_with !gmp mini_gmp)
-}

sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/nftables-0.9.9.ebuild

@@ -0,0 +1,179 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+PYTHON_COMPAT=( python3_7 )
+
+inherit autotools linux-info python-r1 systemd
+
+DESCRIPTION="Linux kernel (3.13+) firewall, NAT and packet mangling tools"
+HOMEPAGE="https://netfilter.org/projects/nftables/"
+
+if [[ ${PV} =~ ^[9]{4,}$ ]]; then
+	inherit git-r3
+	EGIT_REPO_URI="https://git.netfilter.org/${PN}"
+
+	BDEPEND="
+		sys-devel/bison
+		sys-devel/flex
+	"
+else
+	SRC_URI="https://netfilter.org/projects/nftables/files/${P}.tar.bz2"
+	KEYWORDS="amd64 arm arm64 ~ia64 ppc ~ppc64 ~riscv sparc x86"
+fi
+
+LICENSE="GPL-2"
+SLOT="0/1"
+IUSE="debug doc +gmp json libedit +modern-kernel python +readline static-libs xtables"
+
+RDEPEND="
+	>=net-libs/libmnl-1.0.4:0=
+	>=net-libs/libnftnl-1.2.0:0=
+	gmp? ( dev-libs/gmp:0= )
+	json? ( dev-libs/jansson:= )
+	python? ( ${PYTHON_DEPS} )
+	readline? ( sys-libs/readline:0= )
+	xtables? ( >=net-firewall/iptables-1.6.1 )
+"
+
+DEPEND="${RDEPEND}"
+
+BDEPEND+="
+	doc? (
+		app-text/asciidoc
+		>=app-text/docbook2X-0.8.8-r4
+	)
+	virtual/pkgconfig
+"
+
+REQUIRED_USE="
+	python? ( ${PYTHON_REQUIRED_USE} )
+	libedit? ( !readline )
+"
+
+PATCHES=(
+	"${FILESDIR}/${PN}-0.9.8-slibtool.patch"
+)
+
+python_make() {
+	emake \
+		-C py \
+		abs_builddir="${S}" \
+		DESTDIR="${D}" \
+		PYTHON_BIN="${PYTHON}" \
+		"${@}"
+}
+
+pkg_setup() {
+	if kernel_is ge 3 13; then
+		if use modern-kernel && kernel_is lt 3 18; then
+			eerror "The modern-kernel USE flag requires kernel version 3.18 or newer to work properly."
+		fi
+		CONFIG_CHECK="~NF_TABLES"
+		linux-info_pkg_setup
+	else
+		eerror "This package requires kernel version 3.13 or newer to work properly."
+	fi
+}
+
+src_prepare() {
+	default
+
+	# fix installation path for doc stuff
+	sed '/^pkgsysconfdir/s@${sysconfdir}.*$@${docdir}/skels@' \
+		-i files/nftables/Makefile.am || die
+	sed '/^pkgsysconfdir/s@${sysconfdir}.*$@${docdir}/skels/osf@' \
+		-i files/osf/Makefile.am || die
+
+	eautoreconf
+}
+
+src_configure() {
+	local myeconfargs=(
+		# We handle python separately
+		--disable-python
+		--sbindir="${EPREFIX}"/sbin
+		$(use_enable debug)
+		$(use_enable doc man-doc)
+		$(use_with !gmp mini_gmp)
+		$(use_with json)
+		$(use_with libedit cli editline)
+		$(use_with readline cli readline)
+		$(use_enable static-libs static)
+		$(use_with xtables)
+	)
+	econf "${myeconfargs[@]}"
+}
+
+src_compile() {
+	default
+
+	if use python; then
+		python_foreach_impl python_make
+	fi
+}
+
+src_install() {
+	default
+
+	if ! use doc && [[ ! ${PV} =~ ^[9]{4,}$ ]]; then
+		pushd doc >/dev/null || die
+		doman *.?
+		popd >/dev/null || die
+	fi
+
+	local mksuffix="$(usex modern-kernel '-mk' '')"
+
+	exeinto /usr/libexec/${PN}
+	newexe "${FILESDIR}"/libexec/${PN}${mksuffix}.sh ${PN}.sh
+	newconfd "${FILESDIR}"/${PN}${mksuffix}.confd ${PN}
+	newinitd "${FILESDIR}"/${PN}${mksuffix}.init-r1 ${PN}
+	keepdir /var/lib/nftables
+
+	systemd_dounit "${FILESDIR}"/systemd/${PN}-restore.service
+
+	if use python ; then
+		python_foreach_impl python_make install
+		python_foreach_impl python_optimize
+	fi
+
+	find "${ED}" -type f -name "*.la" -delete || die
+}
+
+pkg_postinst() {
+	local save_file
+	save_file="${EROOT}/var/lib/nftables/rules-save"
+
+	# In order for the nftables-restore systemd service to start
+	# the save_file must exist.
+	if [[ ! -f "${save_file}" ]]; then
+		( umask 177; touch "${save_file}" )
+	elif [[ $(( "$( stat --printf '%05a' "${save_file}" )" & 07177 )) -ne 0 ]]; then
+		ewarn "Your system has dangerous permissions for ${save_file}"
+		ewarn "It is probably affected by bug #691326."
+		ewarn "You may need to fix the permissions of the file. To do so,"
+		ewarn "you can run the command in the line below as root."
+		ewarn "    'chmod 600 \"${save_file}\"'"
+	fi
+
+	if has_version 'sys-apps/systemd'; then
+		elog "If you wish to enable the firewall rules on boot (on systemd) you"
+		elog "will need to enable the nftables-restore service."
+		elog "    'systemctl enable ${PN}-restore.service'"
+		elog
+		elog "If you are creating firewall rules before the next system restart"
+		elog "the nftables-restore service must be manually started in order to"
+		elog "save those rules on shutdown."
+	fi
+	if has_version 'sys-apps/openrc'; then
+		elog "If you wish to enable the firewall rules on boot (on openrc) you"
+		elog "will need to enable the nftables service."
+		elog "    'rc-update add ${PN} default'"
+		elog
+		elog "If you are creating or updating the firewall rules and wish to save"
+		elog "them to be loaded on the next restart, use the \"save\" functionality"
+		elog "in the init script."
+		elog "    'rc-service ${PN} save'"
+	fi
+}