From a00cc42b6b0c5212e28600cebd184a01a31759aa Mon Sep 17 00:00:00 2001
From: Sayan Chowdhury <sayan@kinvolk.io>
Date: Mon, 14 Jun 2021 20:54:27 +0530
Subject: [PATCH] net-firewall/iptables: Apply the Flatcar patches

Signed-off-by: Sayan Chowdhury <sayan@kinvolk.io>
---
 .../iptables/files/systemd/ip6tables.service  |  6 +++
 .../iptables/files/systemd/iptables.service   |  6 +++
 .../iptables/iptables-1.8.7.ebuild            | 38 ++++++++-----------
 .../profiles/coreos/base/package.use          |  3 ++
 4 files changed, 31 insertions(+), 22 deletions(-)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/net-firewall/iptables/files/systemd/ip6tables.service
 create mode 100644 sdk_container/src/third_party/coreos-overlay/net-firewall/iptables/files/systemd/iptables.service

diff --git a/sdk_container/src/third_party/coreos-overlay/net-firewall/iptables/files/systemd/ip6tables.service b/sdk_container/src/third_party/coreos-overlay/net-firewall/iptables/files/systemd/ip6tables.service
new file mode 100644
index 0000000000..0a6d7fa1c8
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-firewall/iptables/files/systemd/ip6tables.service
@@ -0,0 +1,6 @@
+[Unit]
+Description=Store and restore ip6tables firewall rules
+
+[Install]
+Also=ip6tables-store.service
+Also=ip6tables-restore.service
diff --git a/sdk_container/src/third_party/coreos-overlay/net-firewall/iptables/files/systemd/iptables.service b/sdk_container/src/third_party/coreos-overlay/net-firewall/iptables/files/systemd/iptables.service
new file mode 100644
index 0000000000..3643a3e310
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-firewall/iptables/files/systemd/iptables.service
@@ -0,0 +1,6 @@
+[Unit]
+Description=Store and restore iptables firewall rules
+
+[Install]
+Also=iptables-store.service
+Also=iptables-restore.service
diff --git a/sdk_container/src/third_party/coreos-overlay/net-firewall/iptables/iptables-1.8.7.ebuild b/sdk_container/src/third_party/coreos-overlay/net-firewall/iptables/iptables-1.8.7.ebuild
index a6ba56cb35..4a3590c604 100644
--- a/sdk_container/src/third_party/coreos-overlay/net-firewall/iptables/iptables-1.8.7.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/net-firewall/iptables/iptables-1.8.7.ebuild
@@ -40,11 +40,10 @@ BDEPEND="${BUILD_DEPEND}
 		virtual/yacc
 	)
 "
+# Flatcar: Drop BUILD_DEPEND, as we would not like to ship
+# eselect in the final image
 RDEPEND="${COMMON_DEPEND}
-	${BUILD_DEPEND}
 	nftables? ( net-misc/ethertypes )
-	!<net-firewall/ebtables-2.0.11-r1
-	!<net-firewall/arptables-0.0.5-r1
 "
 
 PATCHES=(
@@ -120,12 +119,16 @@ src_install() {
 		rm "${ED}"/etc/ethertypes || die
 
 		# Bugs 660886 and 669894
-		rm "${ED}"/sbin/{arptables,ebtables}{,-{save,restore}} || die
+		# Flatcar: We don't provide arptables* binaries.
+		# Flatcar: Keeping the ebtables binaries
+		rm "${ED}"/sbin/arptables{{,-{save,restore}},-nft{,-{save,restore}}} || die
 	fi
 
-	systemd_dounit "${FILESDIR}"/systemd/iptables-{re,}store.service
+	# Flatcar: Gentoo upstream dropped the iptables & ip6tables services
+	# but we continue to ship them
+	systemd_dounit "${FILESDIR}"/systemd/iptables{,-{re,}store}.service
 	if use ipv6 ; then
-		systemd_dounit "${FILESDIR}"/systemd/ip6tables-{re,}store.service
+		systemd_dounit "${FILESDIR}"/systemd/ip6tables{,-{re,}store}.service
 	fi
 
 	# Move important libs to /lib #332175
@@ -135,18 +138,20 @@ src_install() {
 }
 
 pkg_postinst() {
-	local default_iptables="xtables-legacy-multi"
+	# Flatcar: Use xtables-nft-multi to use the nft backend instead of legacy backend 
+	local default_iptables="xtables-nft-multi"
 	if ! eselect iptables show &>/dev/null; then
 		elog "Current iptables implementation is unset, setting to ${default_iptables}"
 		eselect iptables set "${default_iptables}"
 	fi
-
-	if use nftables; then
+	# Flatcar: Drop the arptables, but retain the `for` structure in favor of lesser diff
+	# to upstream
+   	if use nftables; then
 		local tables
-		for tables in {arp,eb}tables; do
+		for tables in ebtables; do
 			if ! eselect ${tables} show &>/dev/null; then
 				elog "Current ${tables} implementation is unset, setting to ${default_iptables}"
-				eselect ${tables} set xtables-nft-multi
+				eselect ${tables} set "${default_iptables}"
 			fi
 		done
 	fi
@@ -161,17 +166,6 @@ pkg_prerm() {
 	if ! has_version 'net-firewall/ebtables'; then
 		elog "Unsetting ebtables symlinks before removal"
 		eselect ebtables unset
-	elif [[ -z ${REPLACED_BY_VERSION} ]]; then
-		elog "Resetting ebtables symlinks to ebtables-legacy"
-		eselect ebtables set ebtables-legacy
-	fi
-
-	if ! has_version 'net-firewall/arptables'; then
-		elog "Unsetting arptables symlinks before removal"
-		eselect arptables unset
-	elif [[ -z ${REPLACED_BY_VERSION} ]]; then
-		elog "Resetting arptables symlinks to arptables-legacy"
-		eselect arptables set arptables-legacy
 	fi
 
 	# the eselect module failing should not be fatal
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use
index 318f0f0620..38146c4f66 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use
@@ -138,3 +138,6 @@ net-fs/samba -regedit
 
 # Drop extra dependencies
 sys-libs/ldb -lmdb -python
+
+# Enable nftables backend for the iptables instead of legacy backend
+net-firewall/iptables nftables