From 4200b9840f30ead7736950273c1dd91a5dba3106 Mon Sep 17 00:00:00 2001
From: Benjamin Gilbert
Date: Tue, 25 Jul 2017 11:37:36 -0700
Subject: [PATCH 1/6] sys-kernel/coreos-modules: enable TCP Hybla
---
.../sys-kernel/coreos-modules/files/commonconfig-4.12 | 1 +
1 file changed, 1 insertion(+)
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-4.12 b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-4.12
index 66ea0c1637..12dc9d98c3 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-4.12
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-4.12
@@ -116,6 +116,7 @@ CONFIG_INET_DIAG=m
 CONFIG_INET_UDP_DIAG=m
 CONFIG_TCP_CONG_ADVANCED=y
 CONFIG_TCP_CONG_BBR=m
+CONFIG_TCP_CONG_HYBLA=m
 # CONFIG_TCP_CONG_BIC is not set
 # CONFIG_TCP_CONG_WESTWOOD is not set
 # CONFIG_TCP_CONG_HTCP is not set
From 894fe62e6573289bac924a519298be03bcd89846 Mon Sep 17 00:00:00 2001
From: Benjamin Gilbert
Date: Tue, 25 Jul 2017 13:03:29 -0700
Subject: [PATCH 2/6] sys-kernel/coreos-modules: enable nftables
---
....ebuild => coreos-kernel-4.12.3-r1.ebuild} | 0
...ebuild => coreos-modules-4.12.3-r1.ebuild} | 0
.../coreos-modules/files/commonconfig-4.12 | 46 +++++++++++++++++++
3 files changed, 46 insertions(+)
rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/{coreos-kernel-4.12.3.ebuild => coreos-kernel-4.12.3-r1.ebuild} (100%)
rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/{coreos-modules-4.12.3.ebuild => coreos-modules-4.12.3-r1.ebuild} (100%)
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.12.3.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.12.3-r1.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.12.3.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.12.3-r1.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.12.3.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.12.3-r1.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.12.3.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.12.3-r1.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-4.12 b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-4.12
index 12dc9d98c3..68d1329314 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-4.12
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-4.12
@@ -161,8 +161,50 @@ CONFIG_NF_CONNTRACK_SIP=m
 CONFIG_NF_CONNTRACK_TFTP=m
 CONFIG_NF_CT_NETLINK=m
 CONFIG_NF_CT_NETLINK_TIMEOUT=m
+CONFIG_NF_TABLES=m
+CONFIG_NF_TABLES_INET=m
+CONFIG_NF_TABLES_NETDEV=m
+CONFIG_NFT_EXTHDR=m
+CONFIG_NFT_META=m
+CONFIG_NFT_RT=m
+CONFIG_NFT_NUMGEN=m
+CONFIG_NFT_CT=m
+CONFIG_NFT_SET_RBTREE=m
+CONFIG_NFT_SET_HASH=m
+CONFIG_NFT_SET_BITMAP=m
+CONFIG_NFT_COUNTER=m
+CONFIG_NFT_LOG=m
+CONFIG_NFT_LIMIT=m
+CONFIG_NFT_MASQ=m
+CONFIG_NFT_REDIR=m
+CONFIG_NFT_NAT=m
+CONFIG_NFT_OBJREF=m
+CONFIG_NFT_QUEUE=m
+CONFIG_NFT_QUOTA=m
+CONFIG_NFT_REJECT=m
+CONFIG_NFT_COMPAT=m
+CONFIG_NFT_HASH=m
+CONFIG_NFT_FIB_INET=m
+CONFIG_NFT_DUP_NETDEV=m
+CONFIG_NFT_FWD_NETDEV=m
 CONFIG_NF_SOCKET_IPV4=m
+CONFIG_NF_TABLES_IPV4=m
+CONFIG_NFT_CHAIN_ROUTE_IPV4=m
+CONFIG_NFT_DUP_IPV4=m
+CONFIG_NFT_FIB_IPV4=m
+CONFIG_NF_TABLES_ARP=m
+CONFIG_NF_LOG_ARP=m
+CONFIG_NFT_CHAIN_NAT_IPV4=m
+CONFIG_NFT_MASQ_IPV4=m
+CONFIG_NFT_REDIR_IPV4=m
 CONFIG_NF_SOCKET_IPV6=m
+CONFIG_NF_TABLES_IPV6=m
+CONFIG_NFT_CHAIN_ROUTE_IPV6=m
+CONFIG_NFT_DUP_IPV6=m
+CONFIG_NFT_FIB_IPV6=m
+CONFIG_NFT_CHAIN_NAT_IPV6=m
+CONFIG_NFT_MASQ_IPV6=m
+CONFIG_NFT_REDIR_IPV6=m
 CONFIG_NETFILTER_XTABLES=y
 CONFIG_NETFILTER_XT_SET=m
 CONFIG_NETFILTER_XT_TARGET_CHECKSUM=m
@@ -301,6 +343,10 @@ CONFIG_IP6_NF_RAW=m
 CONFIG_IP6_NF_NAT=m
 CONFIG_IP6_NF_TARGET_MASQUERADE=m
 CONFIG_IP6_NF_TARGET_NPT=m
+CONFIG_NF_TABLES_BRIDGE=m
+CONFIG_NFT_BRIDGE_META=m
+CONFIG_NFT_BRIDGE_REJECT=m
+CONFIG_NF_LOG_BRIDGE=m
 CONFIG_BRIDGE_NF_EBTABLES=m
 CONFIG_BRIDGE_EBT_BROUTE=m
 CONFIG_BRIDGE_EBT_T_FILTER=m
From e32df6dbfe3c35b0200c1ce97418a2d287a2f559 Mon Sep 17 00:00:00 2001
From: Benjamin Gilbert
Date: Tue, 25 Jul 2017 13:05:24 -0700
Subject: [PATCH 3/6] profiles: accept libnftnl on ARM
---
.../coreos-overlay/profiles/coreos/arm64/package.accept_keywords | 1 +
1 file changed, 1 insertion(+)
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.accept_keywords
index d24cdb924e..38a32d63c7 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.accept_keywords
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.accept_keywords
@@ -20,6 +20,7 @@
 =net-firewall/ebtables-2.0.10.4-r1 ~arm64
 =net-firewall/ipset-6.29 ~arm64
 =net-libs/libmicrohttpd-0.9.52 **
+=net-libs/libnftnl-1.0.6 **
 =net-libs/serf-1.3.8-r1 ~arm64
 =net-misc/bridge-utils-1.5 ~arm64
 =net-misc/iperf-3.1.3 **
From ee90e8feb3ab5e4ec1829763b0dc309af2ee7b53 Mon Sep 17 00:00:00 2001
From: Benjamin Gilbert
Date: Tue, 25 Jul 2017 15:34:45 -0700
Subject: [PATCH 4/6] net-firewall/nftables: add package
---
.../net-firewall/nftables/Manifest | 13 ++
.../nftables/files/libexec/nftables.sh | 149 ++++++++++++++++++
.../nftables/files/nftables-0.5-pdf-doc.patch | 52 ++++++
.../nftables-0.6-null-payload-desc-fix.patch | 14 ++
.../nftables/files/nftables.confd | 19 +++
.../net-firewall/nftables/files/nftables.init | 124 +++++++++++++++
.../files/systemd/nftables-restore.service | 14 ++
.../net-firewall/nftables/metadata.xml | 12 ++
.../nftables/nftables-0.6-r4.ebuild | 87 ++++++++++
.../net-firewall/nftables/nftables-0.7.ebuild | 82 ++++++++++
10 files changed, 566 insertions(+)
create mode 100644 sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/Manifest
create mode 100755 sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/libexec/nftables.sh
create mode 100644 sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/nftables-0.5-pdf-doc.patch
create mode 100644 sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/nftables-0.6-null-payload-desc-fix.patch
create mode 100644 sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/nftables.confd
create mode 100644 sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/nftables.init
create mode 100644 sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/systemd/nftables-restore.service
create mode 100644 sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/metadata.xml
create mode 100644 sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/nftables-0.6-r4.ebuild
create mode 100644 sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/nftables-0.7.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/Manifest b/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/Manifest
new file mode 100644
index 0000000000..19f91b330a
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/Manifest
@@ -0,0 +1,13 @@ +AUX libexec/nftables.sh 3643 SHA256 8f8ca76bc1f77d09b1198e144479cd8cf7f50cf787317522ac6c1978ca9b7e6b SHA512 efc9b4f9520c78b6248f16bd5708669872e8abf949f6f4b81182f331f8532dfeaae2df648e8878e9b5cbd66c0259daab71035ea922754807654b2b3bc86b4352 WHIRLPOOL d3ea74671d3686af9e70a22bf727b9f64ab735cd63270ca283013fc1ba0cad6750ca82127e968f028b65dfe905aeb6275b4e9c295a43f5c8dfe2a7b815a66c44 +AUX nftables-0.5-pdf-doc.patch 1663 SHA256 c55698efb6f40085f1037b12706ca5ab8ba551b8af3902b16ac2cbfc922607c2 SHA512 1925ba300068155ec38ed0631eea0bab1e17ac0b4b454b6f5bf6548961b0264dfd9c9be27e697b8fd7db1827cc670a132c3a716d0874535e29ddb696d1a3eedc WHIRLPOOL c8ea06f6dbbc8c2e4acfaf9ec082647b1ae4288c818d48b47e0b2f5c0cbc7bc6b924b93981b1dd6991923375ffa66a1733988a66ec001d87114962824ee4907f +AUX nftables-0.6-null-payload-desc-fix.patch 411 SHA256 28bcb66a4d46cb1cb20376f38efb2d95d92983a1417cb500a4351870524c3bfe SHA512 034bfa338ef52b722df8441ab981f45c4eeb88c0d65aa4fcdbee1d17df93c7c3239786351632ccadada08ecae796d366b994bd3c20f576a853885517d4de6116 WHIRLPOOL d0b0ab1051bcdbc734f44fa361781babebfb052daf783bb0e0268d2c3d25f962d4e6f13bf141fcfe46701127c46f104b1740fc48e84266326e9a20553945bcc8 +AUX nftables.confd 655 SHA256 d5e3077345dfea02849a70aea220396322a10c3808f0303b988119adbc56fdbd SHA512 8370abcdc89fcd9da5dc7d1620be6afb4633b8bcd0a8a120b464cc1a7e1fab6f34956c293da3f6d3cbe1f7a2e03038fd0c94a614137ae5657d29ffdb5f3fa144 WHIRLPOOL e39d13f996e620aa82714cb18e4f57624faa302f2259a44cc065804edf95fe07a314f744d17a76be6941c3771da6b233a19ae5b6b2f63783847121c63339197f +AUX nftables.init 3069 SHA256 be1f1628305b5989ef9de2b95aa4e6201f067eb1f32cd92bba6db6f27f4f325f SHA512 ca761be0440945b21d5b002468baffb3299d0a3ac244aa895734dfdfaf442e7a73b757bcda99d958582064411d1b80b2cbcb4eb532bb219b4df407c9ed892661 WHIRLPOOL 95aebd414c91f3a1e31e241c3d5b83bc998ff5e516c3b6d14b45c0e8bbbb39aba8435f602bc21f7591ef0f6aa71fd01ceb7f08cdab731723478b2a9fb7640c2a +AUX systemd/nftables-restore.service 394 SHA256 
ec9ca69ca916e0739de2eb229c8fee2a65a551a97886c4c0a69c35776f3f1c95 SHA512 18da6a770bb3e94fd6b2c9e6f033450aaff9fe886c8846f780d08a21e2fc884ac078652743b50b3d4ea8c9500f92d272bdd27e2881e438c2b223d40816c100a0 WHIRLPOOL 67eb5b72e81ca66ba079ffd3b574fd21d3ac3cb9fc3d4a3986b1b5543e4059adbdb633b432fa1bb71208a48b4e2eda425d1a09e4b853b7c555d48e8da2b92ded +DIST nftables-0.6.tar.gz 252523 SHA256 85dd7fa4e741c0be02efddbc57b5d300e1147f09ec6f81d0399110f96dc958f0 SHA512 17f3b94687865e077dc082cf61b29ab2854fd1ffe18212a8d424f2876aef8db9780dd4d06dca8e6d093498151d47bab73e40e1f54062a83a23a3cbe75f27e921 WHIRLPOOL d15eaf81426d73bea28752f96727d291120120fb2aaa994d421d900974eb45062957435e077664fb916780f636ed9b61889dbec8b627d5d309512bae96f02874 +DIST nftables-0.7.tar.gz 292652 SHA256 192c9d92ee0c56eded599d1c54b0d68f4d9b0286f3d908579f0b9271aeba432f SHA512 6032720abf3af8a6dc0b4f507c6ae970447f504d59db4a34b2e0eea3c59962bc69d9ebfaa4e26a117747eb9d0224716a9709b96551b5479d914d7498f26ed43a WHIRLPOOL a999e85370bd9241daf015849ecdf5955f87a2d65f5525a6e75e9eda1bb87e1a84123c42e95f16c4469873a682409fea2ccc65a3af84a107b62d8c2a5727343d +EBUILD nftables-0.6-r4.ebuild 2116 SHA256 81001d2c20ee1ca27bf40f397be44d2e830d9fdd48d4ea4b6aa7495d45b8db7b SHA512 4c1a3420d9d228ff1925d91ee0bdd285995b7d06b59453863e5b5fef12813c6f58d8487a10c880c313a328be79e69b49147f0a5c73e07554d665ff24ffe1f265 WHIRLPOOL 3486ed76af507f4a49e8a203d7bf4544b244319c803e272db2b59fb6d7aa53900f8b9e8146de99b2dce41372cf9cd6d03075fbd4577c5b38ba642a2f628c18c8 +EBUILD nftables-0.7.ebuild 2002 SHA256 c909b988d5ddde8cf9365667b8bd5d27314be4bb9a972ce651bc416d6739c33f SHA512 0b6efeee42b09b861a27fb11cf02b2096f5e66f8e80f92d8ed97bfeeabb8fe532b068761ffbadf7603cc6095ddd81abe313dd6f581b0719239411f740a0131bf WHIRLPOOL 2bee002b52161664bdd17ae47558b8a723ec603ab0c3c19454685a2511cd9e62d543db7007c0f64eeb35fef20a5b7edf119e8dfb8be852c2368861a95920ee29 +MISC ChangeLog 9200 SHA256 2dab66ea101a22a52b3f2cee4afbfa6dbb2545da809a22cbb10ef9341e08f25e SHA512 
cf2cf5c185447f5adaf7f1c7be119f1d13e009f450e2e632234b23b132fb478defda597f09ce492aa7f1c846d2c34f2cf7e6f87b450e7713a843e21a09480e79 WHIRLPOOL 25f4c0eb5d2b5d4492636b6c4c5892e68ed6be83b8d8606785c2c583c91d9429dca75014c196d3f991e78b8e97968b526c83d0bc9277b3ab8c8fd919f1592bf3 +MISC ChangeLog-2015 1919 SHA256 36e610e38e898312082803dcc832cf1b808ff8f450e89f73610c8517cea6e045 SHA512 bb7cff250e90ba78e9e47692ddf126056d5d2b50cce7c3442de3b129ff00272e8b0ae2181f4898f424aac506783e4f978a5f2f1228827d3583402396a518e03b WHIRLPOOL b045fb1f27d640ad01b2fa3b28ba12df8d540b6b86657205d3a3bae303da17ccc5f09f441405579f662360200d98e45724b8f3cd579d55d21d82734545f9d98d +MISC metadata.xml 363 SHA256 e42199977ccd7d8c42f737be6748733b9aedeb201c810c2487ecf37763ec3eb9 SHA512 32abec1750df9b486d5c74e81aaafd7386ae793a2046635cdcab24debf51ca1c8f6b9733fe7f5d04934751ce3086251bb973e6e88b6c5ff96c902f1825dad07c WHIRLPOOL c0fb5f41754b8a54efcc750f72497175aa67d68b32146a7dcc8170a4565a429a4fa8c16e21a68ca5169440a93ba264744b1011cd6507a3c808ef0550b043bb6c diff --git a/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/libexec/nftables.sh b/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/libexec/nftables.sh new file mode 100755 index 0000000000..cc55f85660 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/libexec/nftables.sh 
@@ -0,0 +1,149 @@
+#! /bin/sh
+
+main() {
+ local NFTABLES_SAVE=${2:-'/var/lib/nftables/rules-save'}
+ local retval
+ case "$1" in
+ "clear")
+ if ! use_legacy; then
+ nft flush ruleset
+ else
+ clear_legacy
+ fi
+ retval=$?
+ ;;
+ "list")
+ if ! use_legacy; then
+ nft list ruleset
+ else
+ list_legacy
+ fi
+ retval=$?
+ ;;
+ "load")
+ nft -f ${NFTABLES_SAVE}
+ retval=$?
+ ;;
+ "store")
+ local tmp_save="${NFTABLES_SAVE}.tmp"
+ if ! use_legacy; then
+ nft ${SAVE_OPTIONS} list ruleset > ${tmp_save}
+ else
+ save_legacy ${tmp_save}
+ fi
+ retval=$?
+ if [ ${retval} ]; then
+ mv ${tmp_save} ${NFTABLES_SAVE}
+ fi
+ ;;
+ esac
+ return ${retval}
+}
+
+clear_legacy() {
+ local l3f line table chain first_line
+
+ first_line=1
+ if manualwalk; then
+ for l3f in $(getfamilies); do
+ nft list tables ${l3f} | while read line; do
+ table=$(echo ${line} | sed "s/table[ \t]*//")
+ deletetable ${l3f} ${table}
+ done
+ done
+ else
+ nft list tables | while read line; do
+ l3f=$(echo ${line} | cut -d ' ' -f2)
+ table=$(echo ${line} | cut -d ' ' -f3)
+ deletetable ${l3f} ${table}
+ done
+ fi
+}
+
+list_legacy() {
+ local l3f
+
+ if manualwalk; then
+ for l3f in $(getfamilies); do
+ nft list tables ${l3f} | while read line; do
+ line=$(echo ${line} | sed "s/table/table ${l3f}/")
+ echo "$(nft list ${line})"
+ done
+ done
+ else
+ nft list tables | while read line; do
+ echo "$(nft list ${line})"
+ done
+ fi
+}
+
+save_legacy() {
+ tmp_save=$1
+ touch "${tmp_save}"
+ if manualwalk; then
+ for l3f in $(getfamilies); do
+ nft list tables ${l3f} | while read line; do
+ line=$(echo ${line} | sed "s/table/table ${l3f}/")
+ nft ${SAVE_OPTIONS} list ${line} >> ${tmp_save}
+ done
+ done
+ else
+ nft list tables | while read line; do
+ nft ${SAVE_OPTIONS} list ${line} >> "${tmp_save}"
+ done
+ fi
+}
+
+use_legacy() {
+ local major_ver minor_ver
+
+ major_ver=$(uname -r | cut -d '.' -f1)
+ minor_ver=$(uname -r | cut -d '.' -f2)
+
+ [ $major_ver -ge 4 -o $major_ver -eq 3 -a $minor_ver -ge 18 ] && return 1
+ return 0
+}
+
+CHECK_TABLE_NAME="GENTOO_CHECK_TABLE"
+
+getfamilies() {
+ local l3f families
+
+ for l3f in ip arp ip6 bridge inet; do
+ if nft create table ${l3f} ${CHECK_TABLE_NAME} > /dev/null 2>&1; then
+ families="${families}${l3f} "
+ nft delete table ${l3f} ${CHECK_TABLE_NAME}
+ fi
+ done
+ echo ${families}
+}
+
+manualwalk() {
+ local result l3f=`getfamilies | cut -d ' ' -f1`
+
+ nft create table ${l3f} ${CHECK_TABLE_NAME}
+ nft list tables | read line
+ if [ $(echo $line | wc -w) -lt 3 ]; then
+ result=0
+ fi
+ result=1
+ nft delete table ${l3f} ${CHECK_TABLE_NAME}
+
+ return $result
+}
+
+deletetable() {
+ # family is $1
+ # table name is $2
+ nft flush table $1 $2
+ nft list table $1 $2 | while read l; do
+ chain=$(echo $l | grep -o 'chain [^[:space:]]\+' | cut -d ' ' -f2)
+ if [ -n "${chain}" ]; then
+ nft flush chain $1 $2 ${chain}
+ nft delete chain $1 $2 ${chain}
+ fi
+ done
+ nft delete table $1 $2
+}
+
+main "$@"
diff --git a/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/nftables-0.5-pdf-doc.patch b/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/nftables-0.5-pdf-doc.patch
new file mode 100644
index 0000000000..d09faa3ddd
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/nftables-0.5-pdf-doc.patch
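Review bot: In main's `store` case, `if [ ${retval} ]; then` only tests that the string is non-empty, so a non-zero exit status from `nft list ruleset` still passes and the temp file is moved over the saved ruleset, replacing a good rules-save with an empty or truncated one; it should read `if [ "${retval}" -eq 0 ]; then`. The temp file is created by plain redirection, so after the `mv` rules-save carries whatever mode the umask gave the temp file rather than the mode the caller set on the destination; a `umask 077` at the top of main, or `chmod 0600 "${tmp_save}"` before the mv, would keep the saved ruleset private. In manualwalk the `result=0` branch is dead because `result=1` follows unconditionally, and under dash or bash `nft list tables | read line` sets `line` only in a subshell, so the word-count test never sees the output. PATCH 5/6 of this series deletes the file again, so these points matter only if the script is brought back.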
@@ -0,0 +1,52 @@
+Update configure script to include option to enable and disable PDF man page
+generation.
+
+--- a/configure.ac
++++ b/configure.ac
+@@ -27,10 +27,16 @@
+ AC_CONFIG_HEADER([config.h])
+
+ AC_DEFINE([_GNU_SOURCE], [], [Enable various GNU extensions])
+ AC_DEFINE([_STDC_FORMAT_MACROS], [], [printf-style format macros])
+
++AC_ARG_ENABLE([pdf-doc],
++ AS_HELP_STRING([--disable-pdf-doc], [Disable PDF documentation]),
++ AS_IF([test "x$enable_pdf_doc" = "xno"], [enable_pdf_doc=no],
++ [enable_pdf_doc=yes]), [enable_pdf_doc=yes])
++AM_CONDITIONAL([BUILD_PDF], [test "x$enable_pdf_doc" == "xyes" ])
++
+ AC_ARG_ENABLE([debug],
+ AS_HELP_STRING([--enable-debug], [Disable debugging]),
+ AS_IF([test "x$enable_debug" = "xno"], [with_debug=no], [with_debug=yes]),
+ [with_debug=yes])
+ AC_SUBST(with_debug)
+@@ -61,15 +67,15 @@
+ )]
+ )
+ AC_SUBST(DB2MAN)
+ AM_CONDITIONAL([BUILD_MAN], [test -n "$DB2MAN"])
+
+-AC_CHECK_PROG(DBLATEX, [dblatex], [found], [no])
+-AS_IF([test "$DBLATEX" == "no"],
+- [AC_MSG_WARN([dblatex not found, no PDF manpages will be built])]
+-)
+-AM_CONDITIONAL([BUILD_PDF], [test "$DBLATEX" == "found"])
++AM_COND_IF([BUILD_PDF], [
++ AC_CHECK_PROG(DBLATEX, [dblatex], [found], [no])
++ AS_IF([test "$DBLATEX" == "no"],
++ [AC_MSG_ERROR([dblatex not found])])
++])
+
+ # Checks for libraries.
+ PKG_CHECK_MODULES([LIBMNL], [libmnl >= 1.0.3])
+ PKG_CHECK_MODULES([LIBNFTNL], [libnftnl >= 1.0.5])
+
+@@ -134,6 +140,7 @@
+
+ echo "
+ nft configuration:
+ cli support: ${with_cli}
+ enable debugging: ${with_debug}
+- use mini-gmp: ${with_mini_gmp}"
++ use mini-gmp: ${with_mini_gmp}
++ enable pdf documentation: ${enable_pdf_doc}"
diff --git a/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/nftables-0.6-null-payload-desc-fix.patch b/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/nftables-0.6-null-payload-desc-fix.patch
new file mode 100644
index 0000000000..3ea59e7aa4
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/nftables-0.6-null-payload-desc-fix.patch
@@ -0,0 +1,14 @@
+diff --git a/src/payload.c b/src/payload.c
+index ac0e917..9ba980a 100644
+--- a/src/payload.c
++++ b/src/payload.c
+@@ -85,6 +85,9 @@ static void payload_expr_pctx_update(struct proto_ctx *ctx,
+ base = ctx->protocol[left->payload.base].desc;
+ desc = proto_find_upper(base, proto);
+
++ if (!desc)
++ return;
++
+ assert(desc->base <= PROTO_BASE_MAX);
+ if (desc->base == base->base) {
+ assert(base->length > 0);
diff --git a/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/nftables.confd b/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/nftables.confd
new file mode 100644
index 0000000000..e83a4b9620
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/nftables.confd
@@ -0,0 +1,19 @@
+# /etc/conf.d/nftables
+
+# Location in which nftables initscript will save set rules on
+# service shutdown
+NFTABLES_SAVE="/var/lib/nftables/rules-save"
+
+# Options to pass to nft on save
+SAVE_OPTIONS="-n"
+
+# Save state on stopping nftables
+SAVE_ON_STOP="yes"
+
+# If you need to log nftables messages as soon as nftables starts,
+# AND your logger does NOT depend on the network, then you may wish
+# to uncomment the next line.
+# If your logger depends on the network, and you uncomment this line
+# you will create an unresolvable circular dependency during startup.
+# After commenting or uncommenting this line, you must run 'rc-update -u'.
+#rc_use="logger"
diff --git a/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/nftables.init b/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/nftables.init
new file mode 100644
index 0000000000..cf4ab8b5f4
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/nftables.init
@@ -0,0 +1,124 @@
+#!/sbin/openrc-run
+# Copyright 2014-2017 Nicholas Vinson
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+extra_commands="clear list panic save"
+extra_started_commands="reload"
+depend() {
+ need localmount #434774
+ before net
+}
+
+start_pre() {
+ checkkernel || return 1
+ checkconfig || return 1
+ return 0
+}
+
+clear() {
+ /usr/libexec/nftables/nftables.sh clear || return 1
+ return 0
+}
+
+list() {
+ /usr/libexec/nftables/nftables.sh list || return 1
+ return 0
+}
+
+panic() {
+ checkkernel || return 1
+ if service_started ${RC_SVCNAME}; then
+ rc-service ${RC_SVCNAME} stop
+ fi
+
+ ebegin "Dropping all packets"
+ clear
+ if nft create table ip filter >/dev/null 2>&1; then
+ nft -f /dev/stdin <<-EOF
+ table ip filter {
+ chain input {
+ type filter hook input priority 0;
+ drop
+ }
+ chain forward {
+ type filter hook forward priority 0;
+ drop
+ }
+ chain output {
+ type filter hook output priority 0;
+ drop
+ }
+ }
+ EOF
+ fi
+ if nft create table ip6 filter >/dev/null 2>&1; then
+ nft -f /dev/stdin <<-EOF
+ table ip6 filter {
+ chain input {
+ type filter hook input priority 0;
+ drop
+ }
+ chain forward {
+ type filter hook forward priority 0;
+ drop
+ }
+ chain output {
+ type filter hook output priority 0;
+ drop
+ }
+ }
+ EOF
+ fi
+}
+
+reload() {
+ checkkernel || return 1
+ ebegin "Flushing firewall"
+ clear
+ start
+}
+
+save() {
+ ebegin "Saving nftables state"
+ checkpath -q -d "$(dirname "${NFTABLES_SAVE}")"
+ checkpath -q -m 0600 -f "${NFTABLES_SAVE}"
+ export SAVE_OPTIONS
+ /usr/libexec/nftables/nftables.sh store ${NFTABLES_SAVE}
+ return $?
+}
+
+start() {
+ ebegin "Loading nftables state and starting firewall"
+ clear
+ /usr/libexec/nftables/nftables.sh load ${NFTABLES_SAVE}
+ eend $?
+}
+
+stop() {
+ if yesno ${SAVE_ON_STOP:-yes}; then
+ save || return 1
+ fi
+
+ ebegin "Stopping firewall"
+ clear
+ eend $?
+}
+
+checkconfig() {
+ if [ ! -f ${NFTABLES_SAVE} ]; then
+ eerror "Not starting nftables. First create some rules then run:"
+ eerror "rc-service nftables save"
+ return 1
+ fi
+ return 0
+}
+
+checkkernel() {
+ if ! nft list tables >/dev/null 2>&1; then
+ eerror "Your kernel lacks nftables support, please load"
+ eerror "appropriate modules and try again."
+ return 1
+ fi
+ return 0
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/systemd/nftables-restore.service b/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/systemd/nftables-restore.service
new file mode 100644
index 0000000000..4b68b0a5b0
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/systemd/nftables-restore.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Store and restore nftables firewall rules
+ConditionPathExists=/var/lib/nftables/rules-save
+Before=network-pre.target
+Wants=network-pre.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/libexec/nftables/nftables.sh load /var/lib/nftables/rules-save
+ExecStop=/usr/libexec/nftables/nftables.sh store /var/lib/nftables/rules-save
+
+[Install]
+WantedBy=basic.target
diff --git a/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/metadata.xml b/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/metadata.xml
new file mode 100644
index 0000000000..e22af2f1da
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/metadata.xml
@@ -0,0 +1,12 @@ + + + + + mrueg@gentoo.org + Manuel RĂ¼ger + + + base-system@gentoo.org + Gentoo Base System +
diff --git a/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/nftables-0.6-r4.ebuild b/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/nftables-0.6-r4.ebuild
new file mode 100644
index 0000000000..be9f30bcfb
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/nftables-0.6-r4.ebuild
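Review bot: start() flushes the ruleset via `clear` before `nftables.sh load` runs, so a parse error in the save file leaves the host with no firewall at all and `eend $?` merely reports it; reload() has the same sequence. Because `nft -f` applies a file as one batch, a save file that begins with `flush ruleset` (or a loader that prepends one) replaces the rules atomically and keeps the previous ruleset on error, which fails closed instead of open. save() sets `checkpath -q -m 0600 -f "${NFTABLES_SAVE}"`, but the store path in nftables.sh then `mv`s a freshly created temp file over that path, so the 0600 mode does not survive a save unless the temp file is created with the same mode. panic() and reload() open an `ebegin` without a closing `eend`, so their OpenRC status line is never completed. PATCH 5/6 deletes this init script, so the points stand only if it is restored.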
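Review bot: ExecStart loads rules-save on top of whatever ruleset is already present, and the `nft list ruleset` output that `store` writes contains no `flush ruleset` line, so since `nft -f` adds rather than replaces, a `systemctl restart` of this unit (ExecStop stores the live rules, then ExecStart loads the file again) appears to append every rule a second time and each further restart doubles them again. Having `store` emit a leading `flush ruleset` line, or having `load` flush before `nft -f`, makes the load idempotent. PATCH 5/6 drops this unit, so this applies only if it returns.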
@@ -0,0 +1,87 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+inherit autotools linux-info systemd
+
+DESCRIPTION="Linux kernel (3.13+) firewall, NAT and packet mangling tools"
+HOMEPAGE="http://netfilter.org/projects/nftables/"
+SRC_URI="http://git.netfilter.org/nftables/snapshot/v${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~x86"
+IUSE="debug doc gmp +readline xml"
+
+RDEPEND=">=net-libs/libmnl-1.0.3
+ gmp? ( dev-libs/gmp:0= )
+ readline? ( sys-libs/readline:0= )
+ >=net-libs/libnftnl-1.0.6[xml(-)?]
+ "
+DEPEND="${RDEPEND}
+ >=app-text/docbook2X-0.8.8-r4
+ doc? ( >=app-text/dblatex-0.3.7 )
+ sys-devel/bison
+ sys-devel/flex
+ virtual/pkgconfig"
+
+S="${WORKDIR}/v${PV}"
+
+PATCHES=(
+ "${FILESDIR}/${PN}-0.5-pdf-doc.patch"
+ "${FILESDIR}/${P}-null-payload-desc-fix.patch"
+)
+
+pkg_setup() {
+ if kernel_is ge 3 13; then
+ CONFIG_CHECK="~NF_TABLES"
+ linux-info_pkg_setup
+ else
+ eerror "This package requires kernel version 3.13 or newer to work properly."
+ fi
+}
+
+src_prepare() {
+ default
+ eautoreconf
+}
+
+src_configure() {
+ econf \
+ --sbindir="${EPREFIX}"/sbin \
+ $(use_enable doc pdf-doc) \
+ $(use_enable debug) \
+ $(use_with readline cli) \
+ $(use_with !gmp mini_gmp)
+}
+
+src_install() {
+ default
+
+ dodir /usr/libexec/${PN}
+ exeinto /usr/libexec/${PN}
+ doexe "${FILESDIR}"/libexec/${PN}.sh
+
+ newconfd "${FILESDIR}"/${PN}.confd ${PN}
+ newinitd "${FILESDIR}"/${PN}.init ${PN}
+ keepdir /var/lib/nftables
+
+ systemd_dounit "${FILESDIR}"/systemd/${PN}-restore.service
+ systemd_enable_service basic.target ${PN}-restore.service
+}
+
+pkg_postinst() {
+ local save_file
+ save_file="${EROOT%/}/var/lib/nftables/rules-save"
+
+ elog "In order for the nftables-restore systemd service to start, "
+ elog "the file, ${save_file}, must exist. To create this "
+ elog "file run the following command: "
+ elog ""
+ elog " touch '${save_file}'"
+ elog ""
+ elog "Afterwards, the nftables-restore service should be manually started "
+ elog "to ensure firewall changes are stored on system shutdown. The "
+ elog "systemd service will function normally thereafter."
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/nftables-0.7.ebuild b/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/nftables-0.7.ebuild
new file mode 100644
index 0000000000..30376495f1
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/nftables-0.7.ebuild
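Review bot: pkg_setup's else branch only prints `eerror` and returns normally, and `CONFIG_CHECK="~NF_TABLES"` is the non-fatal form, so an old or unconfigured build-host kernel never stops the merge; nftables-0.7.ebuild (the next file) has the identical function. If that is intentional — the SDK host kernel presumably is not the kernel the package will run on — a comment such as `# Non-fatal: the host kernel is not the target kernel; these checks are advisory only` would stop the next reader from adding a die. Both ebuilds also fetch SRC_URI over plain `http://`, so tarball integrity rests solely on the Manifest digests; if the netfilter mirror serves HTTPS, switching the URL adds transport integrity for future digest updates.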
@@ -0,0 +1,82 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+inherit autotools linux-info systemd
+
+DESCRIPTION="Linux kernel (3.13+) firewall, NAT and packet mangling tools"
+HOMEPAGE="http://netfilter.org/projects/nftables/"
+SRC_URI="http://git.netfilter.org/nftables/snapshot/v${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~x86"
+IUSE="debug doc gmp +readline"
+
+RDEPEND=">=net-libs/libmnl-1.0.3
+ gmp? ( dev-libs/gmp:0= )
+ readline? ( sys-libs/readline:0= )
+ >=net-libs/libnftnl-1.0.7"
+
+DEPEND="${RDEPEND}
+ >=app-text/docbook2X-0.8.8-r4
+ doc? ( >=app-text/dblatex-0.3.7 )
+ sys-devel/bison
+ sys-devel/flex
+ virtual/pkgconfig"
+
+S="${WORKDIR}/v${PV}"
+
+pkg_setup() {
+ if kernel_is ge 3 13; then
+ CONFIG_CHECK="~NF_TABLES"
+ linux-info_pkg_setup
+ else
+ eerror "This package requires kernel version 3.13 or newer to work properly."
+ fi
+}
+
+src_prepare() {
+ default
+ eautoreconf
+}
+
+src_configure() {
+ econf \
+ --sbindir="${EPREFIX}"/sbin \
+ $(use_enable doc pdf-doc) \
+ $(use_enable debug) \
+ $(use_with readline cli) \
+ $(use_with !gmp mini_gmp)
+}
+
+src_install() {
+ default
+
+ dodir /usr/libexec/${PN}
+ exeinto /usr/libexec/${PN}
+ doexe "${FILESDIR}"/libexec/${PN}.sh
+
+ newconfd "${FILESDIR}"/${PN}.confd ${PN}
+ newinitd "${FILESDIR}"/${PN}.init ${PN}
+ keepdir /var/lib/nftables
+
+ systemd_dounit "${FILESDIR}"/systemd/${PN}-restore.service
+ systemd_enable_service basic.target ${PN}-restore.service
+}
+
+pkg_postinst() {
+ local save_file
+ save_file="${EROOT%/}/var/lib/nftables/rules-save"
+
+ elog "In order for the nftables-restore systemd service to start, "
+ elog "the file, ${save_file}, must exist. To create this "
+ elog "file run the following command: "
+ elog ""
+ elog " touch '${save_file}'"
+ elog ""
+ elog "Afterwards, the nftables-restore service should be manually started "
+ elog "to ensure firewall changes are stored on system shutdown. The "
+ elog "systemd service will function normally thereafter."
+}
From e299a9454a24c8918a589becfb8c67a3ca710f63 Mon Sep 17 00:00:00 2001
From: Benjamin Gilbert
Date: Tue, 25 Jul 2017 15:40:21 -0700
Subject: [PATCH 5/6] net-firewall/nftables: Container Linux fixups
- Stabilize
- docbook2X isn't needed unless we're installing docs
- Don't ship automatic save/restore infrastructure for now
- Move base config files into /usr/share/nftables
---
.../net-firewall/nftables/Manifest | 12 --
.../nftables/files/libexec/nftables.sh | 149 ------------------
.../nftables/files/nftables.confd | 19 ---
.../net-firewall/nftables/files/nftables.init | 124 ---------------
.../files/systemd/nftables-restore.service | 14 --
.../nftables/nftables-0.6-r4.ebuild | 36 +----
.../net-firewall/nftables/nftables-0.7.ebuild | 82 ----------
7 files changed, 3 insertions(+), 433 deletions(-)
delete mode 100755 sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/libexec/nftables.sh
delete mode 100644 sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/nftables.confd
delete mode 100644 sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/nftables.init
delete mode 100644 sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/systemd/nftables-restore.service
delete mode 100644 sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/nftables-0.7.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/Manifest b/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/Manifest
index 19f91b330a..ee4654f4c8 100644
--- a/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/Manifest 
@@ -1,13 +1 @@ -AUX libexec/nftables.sh 3643 SHA256 8f8ca76bc1f77d09b1198e144479cd8cf7f50cf787317522ac6c1978ca9b7e6b SHA512 efc9b4f9520c78b6248f16bd5708669872e8abf949f6f4b81182f331f8532dfeaae2df648e8878e9b5cbd66c0259daab71035ea922754807654b2b3bc86b4352 WHIRLPOOL d3ea74671d3686af9e70a22bf727b9f64ab735cd63270ca283013fc1ba0cad6750ca82127e968f028b65dfe905aeb6275b4e9c295a43f5c8dfe2a7b815a66c44 -AUX nftables-0.5-pdf-doc.patch 1663 SHA256 c55698efb6f40085f1037b12706ca5ab8ba551b8af3902b16ac2cbfc922607c2 SHA512 1925ba300068155ec38ed0631eea0bab1e17ac0b4b454b6f5bf6548961b0264dfd9c9be27e697b8fd7db1827cc670a132c3a716d0874535e29ddb696d1a3eedc WHIRLPOOL c8ea06f6dbbc8c2e4acfaf9ec082647b1ae4288c818d48b47e0b2f5c0cbc7bc6b924b93981b1dd6991923375ffa66a1733988a66ec001d87114962824ee4907f -AUX nftables-0.6-null-payload-desc-fix.patch 411 SHA256 28bcb66a4d46cb1cb20376f38efb2d95d92983a1417cb500a4351870524c3bfe SHA512 034bfa338ef52b722df8441ab981f45c4eeb88c0d65aa4fcdbee1d17df93c7c3239786351632ccadada08ecae796d366b994bd3c20f576a853885517d4de6116 WHIRLPOOL d0b0ab1051bcdbc734f44fa361781babebfb052daf783bb0e0268d2c3d25f962d4e6f13bf141fcfe46701127c46f104b1740fc48e84266326e9a20553945bcc8 -AUX nftables.confd 655 SHA256 d5e3077345dfea02849a70aea220396322a10c3808f0303b988119adbc56fdbd SHA512 8370abcdc89fcd9da5dc7d1620be6afb4633b8bcd0a8a120b464cc1a7e1fab6f34956c293da3f6d3cbe1f7a2e03038fd0c94a614137ae5657d29ffdb5f3fa144 WHIRLPOOL e39d13f996e620aa82714cb18e4f57624faa302f2259a44cc065804edf95fe07a314f744d17a76be6941c3771da6b233a19ae5b6b2f63783847121c63339197f -AUX nftables.init 3069 SHA256 be1f1628305b5989ef9de2b95aa4e6201f067eb1f32cd92bba6db6f27f4f325f SHA512 ca761be0440945b21d5b002468baffb3299d0a3ac244aa895734dfdfaf442e7a73b757bcda99d958582064411d1b80b2cbcb4eb532bb219b4df407c9ed892661 WHIRLPOOL 95aebd414c91f3a1e31e241c3d5b83bc998ff5e516c3b6d14b45c0e8bbbb39aba8435f602bc21f7591ef0f6aa71fd01ceb7f08cdab731723478b2a9fb7640c2a -AUX systemd/nftables-restore.service 394 SHA256 
ec9ca69ca916e0739de2eb229c8fee2a65a551a97886c4c0a69c35776f3f1c95 SHA512 18da6a770bb3e94fd6b2c9e6f033450aaff9fe886c8846f780d08a21e2fc884ac078652743b50b3d4ea8c9500f92d272bdd27e2881e438c2b223d40816c100a0 WHIRLPOOL 67eb5b72e81ca66ba079ffd3b574fd21d3ac3cb9fc3d4a3986b1b5543e4059adbdb633b432fa1bb71208a48b4e2eda425d1a09e4b853b7c555d48e8da2b92ded DIST nftables-0.6.tar.gz 252523 SHA256 85dd7fa4e741c0be02efddbc57b5d300e1147f09ec6f81d0399110f96dc958f0 SHA512 17f3b94687865e077dc082cf61b29ab2854fd1ffe18212a8d424f2876aef8db9780dd4d06dca8e6d093498151d47bab73e40e1f54062a83a23a3cbe75f27e921 WHIRLPOOL d15eaf81426d73bea28752f96727d291120120fb2aaa994d421d900974eb45062957435e077664fb916780f636ed9b61889dbec8b627d5d309512bae96f02874 -DIST nftables-0.7.tar.gz 292652 SHA256 192c9d92ee0c56eded599d1c54b0d68f4d9b0286f3d908579f0b9271aeba432f SHA512 6032720abf3af8a6dc0b4f507c6ae970447f504d59db4a34b2e0eea3c59962bc69d9ebfaa4e26a117747eb9d0224716a9709b96551b5479d914d7498f26ed43a WHIRLPOOL a999e85370bd9241daf015849ecdf5955f87a2d65f5525a6e75e9eda1bb87e1a84123c42e95f16c4469873a682409fea2ccc65a3af84a107b62d8c2a5727343d -EBUILD nftables-0.6-r4.ebuild 2116 SHA256 81001d2c20ee1ca27bf40f397be44d2e830d9fdd48d4ea4b6aa7495d45b8db7b SHA512 4c1a3420d9d228ff1925d91ee0bdd285995b7d06b59453863e5b5fef12813c6f58d8487a10c880c313a328be79e69b49147f0a5c73e07554d665ff24ffe1f265 WHIRLPOOL 3486ed76af507f4a49e8a203d7bf4544b244319c803e272db2b59fb6d7aa53900f8b9e8146de99b2dce41372cf9cd6d03075fbd4577c5b38ba642a2f628c18c8 -EBUILD nftables-0.7.ebuild 2002 SHA256 c909b988d5ddde8cf9365667b8bd5d27314be4bb9a972ce651bc416d6739c33f SHA512 0b6efeee42b09b861a27fb11cf02b2096f5e66f8e80f92d8ed97bfeeabb8fe532b068761ffbadf7603cc6095ddd81abe313dd6f581b0719239411f740a0131bf WHIRLPOOL 2bee002b52161664bdd17ae47558b8a723ec603ab0c3c19454685a2511cd9e62d543db7007c0f64eeb35fef20a5b7edf119e8dfb8be852c2368861a95920ee29 -MISC ChangeLog 9200 SHA256 2dab66ea101a22a52b3f2cee4afbfa6dbb2545da809a22cbb10ef9341e08f25e SHA512 
cf2cf5c185447f5adaf7f1c7be119f1d13e009f450e2e632234b23b132fb478defda597f09ce492aa7f1c846d2c34f2cf7e6f87b450e7713a843e21a09480e79 WHIRLPOOL 25f4c0eb5d2b5d4492636b6c4c5892e68ed6be83b8d8606785c2c583c91d9429dca75014c196d3f991e78b8e97968b526c83d0bc9277b3ab8c8fd919f1592bf3 -MISC ChangeLog-2015 1919 SHA256 36e610e38e898312082803dcc832cf1b808ff8f450e89f73610c8517cea6e045 SHA512 bb7cff250e90ba78e9e47692ddf126056d5d2b50cce7c3442de3b129ff00272e8b0ae2181f4898f424aac506783e4f978a5f2f1228827d3583402396a518e03b WHIRLPOOL b045fb1f27d640ad01b2fa3b28ba12df8d540b6b86657205d3a3bae303da17ccc5f09f441405579f662360200d98e45724b8f3cd579d55d21d82734545f9d98d -MISC metadata.xml 363 SHA256 e42199977ccd7d8c42f737be6748733b9aedeb201c810c2487ecf37763ec3eb9 SHA512 32abec1750df9b486d5c74e81aaafd7386ae793a2046635cdcab24debf51ca1c8f6b9733fe7f5d04934751ce3086251bb973e6e88b6c5ff96c902f1825dad07c WHIRLPOOL c0fb5f41754b8a54efcc750f72497175aa67d68b32146a7dcc8170a4565a429a4fa8c16e21a68ca5169440a93ba264744b1011cd6507a3c808ef0550b043bb6c diff --git a/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/libexec/nftables.sh b/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/libexec/nftables.sh deleted file mode 100755 index cc55f85660..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/libexec/nftables.sh +++ /dev/null 
@@ -1,149 +0,0 @@ -#! /bin/sh - -main() { - local NFTABLES_SAVE=${2:-'/var/lib/nftables/rules-save'} - local retval - case "$1" in - "clear") - if ! use_legacy; then - nft flush ruleset - else - clear_legacy - fi - retval=$? - ;; - "list") - if ! use_legacy; then - nft list ruleset - else - list_legacy - fi - retval=$? - ;; - "load") - nft -f ${NFTABLES_SAVE} - retval=$? - ;; - "store") - local tmp_save="${NFTABLES_SAVE}.tmp" - if ! use_legacy; then - nft ${SAVE_OPTIONS} list ruleset > ${tmp_save} - else - save_legacy ${tmp_save} - fi - retval=$? - if [ ${retval} ]; then - mv ${tmp_save} ${NFTABLES_SAVE} - fi - ;; - esac - return ${retval} -} - -clear_legacy() { - local l3f line table chain first_line - - first_line=1 - if manualwalk; then - for l3f in $(getfamilies); do - nft list tables ${l3f} | while read line; do - table=$(echo ${line} | sed "s/table[ \t]*//") - deletetable ${l3f} ${table} - done - done - else - nft list tables | while read line; do - l3f=$(echo ${line} | cut -d ' ' -f2) - table=$(echo ${line} | cut -d ' ' -f3) - deletetable ${l3f} ${table} - done - fi -} - -list_legacy() { - local l3f - - if manualwalk; then - for l3f in $(getfamilies); do - nft list tables ${l3f} | while read line; do - line=$(echo ${line} | sed "s/table/table ${l3f}/") - echo "$(nft list ${line})" - done - done - else - nft list tables | while read line; do - echo "$(nft list ${line})" - done - fi -} - -save_legacy() { - tmp_save=$1 - touch "${tmp_save}" - if manualwalk; then - for l3f in $(getfamilies); do - nft list tables ${l3f} | while read line; do - line=$(echo ${line} | sed "s/table/table ${l3f}/") - nft ${SAVE_OPTIONS} list ${line} >> ${tmp_save} - done - done - else - nft list tables | while read line; do - nft ${SAVE_OPTIONS} list ${line} >> "${tmp_save}" - done - fi -} - -use_legacy() { - local major_ver minor_ver - - major_ver=$(uname -r | cut -d '.' -f1) - minor_ver=$(uname -r | cut -d '.' 
-f2) - - [ $major_ver -ge 4 -o $major_ver -eq 3 -a $minor_ver -ge 18 ] && return 1 - return 0 -} - -CHECK_TABLE_NAME="GENTOO_CHECK_TABLE" - -getfamilies() { - local l3f families - - for l3f in ip arp ip6 bridge inet; do - if nft create table ${l3f} ${CHECK_TABLE_NAME} > /dev/null 2>&1; then - families="${families}${l3f} " - nft delete table ${l3f} ${CHECK_TABLE_NAME} - fi - done - echo ${families} -} - -manualwalk() { - local result l3f=`getfamilies | cut -d ' ' -f1` - - nft create table ${l3f} ${CHECK_TABLE_NAME} - nft list tables | read line - if [ $(echo $line | wc -w) -lt 3 ]; then - result=0 - fi - result=1 - nft delete table ${l3f} ${CHECK_TABLE_NAME} - - return $result -} - -deletetable() { - # family is $1 - # table name is $2 - nft flush table $1 $2 - nft list table $1 $2 | while read l; do - chain=$(echo $l | grep -o 'chain [^[:space:]]\+' | cut -d ' ' -f2) - if [ -n "${chain}" ]; then - nft flush chain $1 $2 ${chain} - nft delete chain $1 $2 ${chain} - fi - done - nft delete table $1 $2 -} - -main "$@" diff --git a/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/nftables.confd b/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/nftables.confd deleted file mode 100644 index e83a4b9620..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/nftables.confd +++ /dev/null 
@@ -1,19 +0,0 @@ -# /etc/conf.d/nftables - -# Location in which nftables initscript will save set rules on -# service shutdown -NFTABLES_SAVE="/var/lib/nftables/rules-save" - -# Options to pass to nft on save -SAVE_OPTIONS="-n" - -# Save state on stopping nftables -SAVE_ON_STOP="yes" - -# If you need to log nftables messages as soon as nftables starts, -# AND your logger does NOT depend on the network, then you may wish -# to uncomment the next line. -# If your logger depends on the network, and you uncomment this line -# you will create an unresolvable circular dependency during startup. -# After commenting or uncommenting this line, you must run 'rc-update -u'. -#rc_use="logger" diff --git a/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/nftables.init b/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/nftables.init deleted file mode 100644 index cf4ab8b5f4..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/nftables.init +++ /dev/null 
@@ -1,124 +0,0 @@ -#!/sbin/openrc-run -# Copyright 2014-2017 Nicholas Vinson -# Copyright 1999-2017 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -extra_commands="clear list panic save" -extra_started_commands="reload" -depend() { - need localmount #434774 - before net -} - -start_pre() { - checkkernel || return 1 - checkconfig || return 1 - return 0 -} - -clear() { - /usr/libexec/nftables/nftables.sh clear || return 1 - return 0 -} - -list() { - /usr/libexec/nftables/nftables.sh list || return 1 - return 0 -} - -panic() { - checkkernel || return 1 - if service_started ${RC_SVCNAME}; then - rc-service ${RC_SVCNAME} stop - fi - - ebegin "Dropping all packets" - clear - if nft create table ip filter >/dev/null 2>&1; then - nft -f /dev/stdin <<-EOF - table ip filter { - chain input { - type filter hook input priority 0; - drop - } - chain forward { - type filter hook forward priority 0; - drop - } - chain output { - type filter hook output priority 0; - drop - } - } - EOF - fi - if nft create table ip6 filter >/dev/null 2>&1; then - nft -f /dev/stdin <<-EOF - table ip6 filter { - chain input { - type filter hook input priority 0; - drop - } - chain forward { - type filter hook forward priority 0; - drop - } - chain output { - type filter hook output priority 0; - drop - } - } - EOF - fi -} - -reload() { - checkkernel || return 1 - ebegin "Flushing firewall" - clear - start -} - -save() { - ebegin "Saving nftables state" - checkpath -q -d "$(dirname "${NFTABLES_SAVE}")" - checkpath -q -m 0600 -f "${NFTABLES_SAVE}" - export SAVE_OPTIONS - /usr/libexec/nftables/nftables.sh store ${NFTABLES_SAVE} - return $? -} - -start() { - ebegin "Loading nftables state and starting firewall" - clear - /usr/libexec/nftables/nftables.sh load ${NFTABLES_SAVE} - eend $? -} - -stop() { - if yesno ${SAVE_ON_STOP:-yes}; then - save || return 1 - fi - - ebegin "Stopping firewall" - clear - eend $? -} - -checkconfig() { - if [ ! 
-f ${NFTABLES_SAVE} ]; then
- eerror "Not starting nftables. First create some rules then run:"
- eerror "rc-service nftables save"
- return 1
- fi
- return 0
-}
-
-checkkernel() {
- if ! nft list tables >/dev/null 2>&1; then
- eerror "Your kernel lacks nftables support, please load"
- eerror "appropriate modules and try again."
- return 1
- fi
- return 0
-}
diff --git a/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/systemd/nftables-restore.service b/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/systemd/nftables-restore.service
deleted file mode 100644
index 4b68b0a5b0..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/systemd/nftables-restore.service
+++ /dev/null
@@ -1,14 +0,0 @@
-[Unit]
-Description=Store and restore nftables firewall rules
-ConditionPathExists=/var/lib/nftables/rules-save
-Before=network-pre.target
-Wants=network-pre.target
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-ExecStart=/usr/libexec/nftables/nftables.sh load /var/lib/nftables/rules-save
-ExecStop=/usr/libexec/nftables/nftables.sh store /var/lib/nftables/rules-save
-
-[Install]
-WantedBy=basic.target
diff --git a/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/nftables-0.6-r4.ebuild b/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/nftables-0.6-r4.ebuild
index be9f30bcfb..fcdf2add82 100644
--- a/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/nftables-0.6-r4.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/nftables-0.6-r4.ebuild
@@ -11,7 +11,7 @@ SRC_URI="http://git.netfilter.org/nftables/snapshot/v${PV}.tar.gz -> ${P}.tar.gz
 LICENSE="GPL-2"
 SLOT="0"
-KEYWORDS="~amd64 ~arm ~x86"
+KEYWORDS="amd64 arm64 ~arm ~x86"
 IUSE="debug doc gmp +readline xml"
 RDEPEND=">=net-libs/libmnl-1.0.3
@@ -20,8 +20,7 @@ RDEPEND=">=net-libs/libmnl-1.0.3
 >=net-libs/libnftnl-1.0.6[xml(-)?]
 "
 DEPEND="${RDEPEND}
- >=app-text/docbook2X-0.8.8-r4
- doc? ( >=app-text/dblatex-0.3.7 )
+ doc? ( >=app-text/docbook2X-0.8.8-r4 >=app-text/dblatex-0.3.7 )
 sys-devel/bison
 sys-devel/flex
 virtual/pkgconfig"
@@ -49,39 +48,10 @@ src_prepare() {
 src_configure() {
 econf \
+ --sysconfdir="${EPREFIX}"/usr/share \
 --sbindir="${EPREFIX}"/sbin \
 $(use_enable doc pdf-doc) \
 $(use_enable debug) \
 $(use_with readline cli) \
 $(use_with !gmp mini_gmp)
 }
-
-src_install() {
- default
-
- dodir /usr/libexec/${PN}
- exeinto /usr/libexec/${PN}
- doexe "${FILESDIR}"/libexec/${PN}.sh
-
- newconfd "${FILESDIR}"/${PN}.confd ${PN}
- newinitd "${FILESDIR}"/${PN}.init ${PN}
- keepdir /var/lib/nftables
-
- systemd_dounit "${FILESDIR}"/systemd/${PN}-restore.service
- systemd_enable_service basic.target ${PN}-restore.service
-}
-
-pkg_postinst() {
- local save_file
- save_file="${EROOT%/}/var/lib/nftables/rules-save"
-
- elog "In order for the nftables-restore systemd service to start, "
- elog "the file, ${save_file}, must exist. To create this "
- elog "file run the following command: "
- elog ""
- elog " touch '${save_file}'"
- elog ""
- elog "Afterwards, the nftables-restore service should be manually started "
- elog "to ensure firewall changes are stored on system shutdown. The "
- elog "systemd service will function normally thereafter."
-}
diff --git a/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/nftables-0.7.ebuild b/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/nftables-0.7.ebuild
deleted file mode 100644
index 30376495f1..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/nftables-0.7.ebuild
+++ /dev/null
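Review bot: `--sysconfdir="${EPREFIX}"/usr/share` relocates more than the stock config files: in this nftables release the default include path also appears to be derived from sysconfdir (inferred from the 0.6 build system, worth confirming), so an unqualified `include` in an operator's rule file would be resolved under /usr/share rather than /etc. Nothing in the hunk records that, and with src_install and pkg_postinst gone the ebuild no longer ships or mentions any boot-time rule loading, which matches the commit message but leaves the next maintainer guessing. A comment above the new flag would close both gaps, e.g. `# Stock config lives under read-only /usr/share (this also moves nft's default include path); no boot-time rule loading is shipped for now.`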
@@ -1,82 +0,0 @@ -# Copyright 1999-2017 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -EAPI=6 - -inherit autotools linux-info systemd - -DESCRIPTION="Linux kernel (3.13+) firewall, NAT and packet mangling tools" -HOMEPAGE="http://netfilter.org/projects/nftables/" -SRC_URI="http://git.netfilter.org/nftables/snapshot/v${PV}.tar.gz -> ${P}.tar.gz" - -LICENSE="GPL-2" -SLOT="0" -KEYWORDS="~amd64 ~arm ~x86" -IUSE="debug doc gmp +readline" - -RDEPEND=">=net-libs/libmnl-1.0.3 - gmp? ( dev-libs/gmp:0= ) - readline? ( sys-libs/readline:0= ) - >=net-libs/libnftnl-1.0.7" - -DEPEND="${RDEPEND} - >=app-text/docbook2X-0.8.8-r4 - doc? ( >=app-text/dblatex-0.3.7 ) - sys-devel/bison - sys-devel/flex - virtual/pkgconfig" - -S="${WORKDIR}/v${PV}" - -pkg_setup() { - if kernel_is ge 3 13; then - CONFIG_CHECK="~NF_TABLES" - linux-info_pkg_setup - else - eerror "This package requires kernel version 3.13 or newer to work properly." - fi -} - -src_prepare() { - default - eautoreconf -} - -src_configure() { - econf \ - --sbindir="${EPREFIX}"/sbin \ - $(use_enable doc pdf-doc) \ - $(use_enable debug) \ - $(use_with readline cli) \ - $(use_with !gmp mini_gmp) -} - -src_install() { - default - - dodir /usr/libexec/${PN} - exeinto /usr/libexec/${PN} - doexe "${FILESDIR}"/libexec/${PN}.sh - - newconfd "${FILESDIR}"/${PN}.confd ${PN} - newinitd "${FILESDIR}"/${PN}.init ${PN} - keepdir /var/lib/nftables - - systemd_dounit "${FILESDIR}"/systemd/${PN}-restore.service - systemd_enable_service basic.target ${PN}-restore.service -} - -pkg_postinst() { - local save_file - save_file="${EROOT%/}/var/lib/nftables/rules-save" - - elog "In order for the nftables-restore systemd service to start, " - elog "the file, ${save_file}, must exist. 
To create this "
- elog "file run the following command: "
- elog ""
- elog " touch '${save_file}'"
- elog ""
- elog "Afterwards, the nftables-restore service should be manually started "
- elog "to ensure firewall changes are stored on system shutdown. The "
- elog "systemd service will function normally thereafter."
-}
From d3d76b8bbebc5bc3fa983d638a4af2e6d69e012f Mon Sep 17 00:00:00 2001
From: Benjamin Gilbert
Date: Tue, 25 Jul 2017 13:06:58 -0700
Subject: [PATCH 6/6] coreos-base/coreos: add nftables
---
 .../{coreos-0.0.1-r284.ebuild => coreos-0.0.1-r285.ebuild} | 0
 .../coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild | 1 +
 2 files changed, 1 insertion(+)
 rename sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/{coreos-0.0.1-r284.ebuild => coreos-0.0.1-r285.ebuild} (100%)
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1-r284.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1-r285.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1-r284.ebuild
rename to sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1-r285.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild
index a50c37286d..992aaff340 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild
@@ -119,6 +119,7 @@ RDEPEND="${RDEPEND}
 net-firewall/ebtables
 net-firewall/ipset
 net-firewall/iptables
+ net-firewall/nftables
 net-fs/nfs-utils
 net-misc/bridge-utils
 net-misc/dhcpcd