From 8072317d881634e55191d9dab013b25f060b3293 Mon Sep 17 00:00:00 2001 From: Andrew Jeddeloh Date: Tue, 24 Oct 2017 17:17:00 -0700 Subject: [PATCH 1/2] sys-apps/iproute2: remove iproute2 iproute was in the overlay for a patch, but as of 4.13 that patch has been merged upstream (commit d6a4076b6ba6547d7e52c377a7c58c56eb5ea16e). Move iproute2 back to portage-stable. --- .../coreos-overlay/sys-apps/iproute2/Manifest | 1 - .../iproute2/files/iproute2-3.1.0-mtu.patch | 48 ------ .../files/iproute2-4.11.0-no-ipv6.patch | 37 ----- ...proute2-4.12.0-recursive-mount-netns.patch | 32 ---- ...ute2-4.12.0-uclibc-ng-add-ipproto_mh.patch | 38 ----- .../sys-apps/iproute2/iproute2-4.12.0.ebuild | 151 ------------------ .../sys-apps/iproute2/metadata.xml | 13 -- 7 files changed, 320 deletions(-) delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/iproute2/Manifest delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/iproute2/files/iproute2-3.1.0-mtu.patch delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/iproute2/files/iproute2-4.11.0-no-ipv6.patch delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/iproute2/files/iproute2-4.12.0-recursive-mount-netns.patch delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/iproute2/files/iproute2-4.12.0-uclibc-ng-add-ipproto_mh.patch delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/iproute2/iproute2-4.12.0.ebuild delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/iproute2/metadata.xml diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/iproute2/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-apps/iproute2/Manifest deleted file mode 100644 index 63398361e4..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/iproute2/Manifest +++ /dev/null 
@@ -1 +0,0 @@ -DIST iproute2-4.12.0.tar.xz 662424 SHA256 2e0a4c4262d9f6c169885a6e16c4c5c5f1ef6fd57b6a0e7b41f42be5bb6ebd7d SHA512 275147f71e7c4698654f0d6d0981ab42f6f108066508c15cfcd5d9e0d3aaf8d33291968d9f06cb03f5494d801cfabf8d53308aaf56fc4fa92c52b137e970a3b0 WHIRLPOOL 590cc191e96ff0b777373603186e4416f064931d529878ec783759f31fd99e1119bb0604e8a89dc98d350f80eca2bfef05a13bca7ce24302408072002c0b17b2 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/iproute2/files/iproute2-3.1.0-mtu.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/iproute2/files/iproute2-3.1.0-mtu.patch deleted file mode 100644 index fa12dad2d7..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/iproute2/files/iproute2-3.1.0-mtu.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -http://bugs.gentoo.org/291907 - -This patch was merged from two patches extracted from this thread: -http://markmail.org/thread/qkd76gpdgefpjlfn - -tc_stab.c: small fixes to commandline help - - -tc_core.c: -As kernel part of things relies on cell align which is always set to -1, -I also added it to userspace computation stage. This way if someone -specified e.g. 2048 and 512 for mtu and tsize respectively, one wouldn't -end with tsize supporting mtu 4096 suddenly, New default mtu is also set -to 2048 (disregarding weirdness of setting mtu to such values). - - -Unless I missed something, this is harmless and feels cleaner, but if it's -not allowed, documentation will have to be changed back to 2047 + extra -explanation as well. - ---- iproute2/tc/tc_core.c -+++ iproute2/tc/tc_core.c -@@ -155,12 +155,12 @@ - } - - if (s->mtu == 0) -- s->mtu = 2047; -+ s->mtu = 2048; - if (s->tsize == 0) - s->tsize = 512; - - s->cell_log = 0; -- while ((s->mtu >> s->cell_log) > s->tsize - 1) -+ while ((s->mtu - 1 >> s->cell_log) > s->tsize - 1) - s->cell_log++; - - *stab = malloc(s->tsize * sizeof(__u16)); ---- iproute2/tc/tc_stab.c -+++ iproute2/tc/tc_stab.c -@@ -32,7 +32,7 @@ - fprintf(stderr, - "Usage: ... stab [ mtu BYTES ] [ tsize SLOTS ] [ mpu BYTES ] \n" - " [ overhead BYTES ] [ linklayer TYPE ] ...\n" -- " mtu : max packet size we create rate map for {2047}\n" -+ " mtu : max packet size we create size table for {2048}\n" - " tsize : how many slots should size table have {512}\n" - " mpu : minimum packet size used in rate computations\n" - " overhead : per-packet size overhead used in rate computations\n" diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/iproute2/files/iproute2-4.11.0-no-ipv6.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/iproute2/files/iproute2-4.11.0-no-ipv6.patch deleted file mode 100644 index fc855dcf22..0000000000 
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/iproute2/files/iproute2-4.11.0-no-ipv6.patch +++ /dev/null @@ -1,37 +0,0 @@ ---- iproute2-4.11.0/ip/ipmonitor.c -+++ iproute2-4.11.0/ip/ipmonitor.c -@@ -114,7 +114,6 @@ - } - if (n->nlmsg_type == RTM_NEWPREFIX) { - print_headers(fp, "[PREFIX]", ctrl); -- print_prefix(who, n, arg); - return 0; - } - if (n->nlmsg_type == RTM_NEWRULE || n->nlmsg_type == RTM_DELRULE) { ---- iproute2-4.11.0/ip/iptunnel.c -+++ iproute2-4.11.0/ip/iptunnel.c -@@ -589,13 +589,6 @@ - break; - case AF_INET: - break; -- /* -- * This is silly enough but we have no easy way to make it -- * protocol-independent because of unarranged structure between -- * IPv4 and IPv6. -- */ -- case AF_INET6: -- return do_ip6tunnel(argc, argv); - default: - fprintf(stderr, "Unsupported protocol family: %d\n", preferred_family); - exit(-1); ---- iproute2-4.11.0/ip/Makefile -+++ iproute2-4.11.0/ip/Makefile -@@ -1,6 +1,6 @@ - IPOBJ=ip.o ipaddress.o ipaddrlabel.o iproute.o iprule.o ipnetns.o \ -- rtm_map.o iptunnel.o ip6tunnel.o tunnel.o ipneigh.o ipntable.o iplink.o \ -- ipmaddr.o ipmonitor.o ipmroute.o ipprefix.o iptuntap.o iptoken.o \ -+ rtm_map.o iptunnel.o tunnel.o ipneigh.o ipntable.o iplink.o \ -+ ipmaddr.o ipmonitor.o ipmroute.o iptuntap.o iptoken.o \ - ipxfrm.o xfrm_state.o xfrm_policy.o xfrm_monitor.o iplink_dummy.o \ - iplink_ifb.o iplink_nlmon.o iplink_team.o iplink_vcan.o \ - iplink_vlan.o link_veth.o link_gre.o iplink_can.o iplink_xdp.o \ diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/iproute2/files/iproute2-4.12.0-recursive-mount-netns.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/iproute2/files/iproute2-4.12.0-recursive-mount-netns.patch deleted file mode 100644 index b8d6ff4ce7..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/iproute2/files/iproute2-4.12.0-recursive-mount-netns.patch +++ /dev/null 
@@ -1,32 +0,0 @@ -From d6a4076b6ba6547d7e52c377a7c58c56eb5ea16e Mon Sep 17 00:00:00 2001 -From: Casey Callendrello -Date: Tue, 1 Aug 2017 17:46:09 +0200 -Subject: netns: make /var/run/netns bind-mount recursive - -When ip netns {add|delete} is first run, it bind-mounts /var/run/netns -on top of itself, then marks it as shared. However, if there are already -bind-mounts in the directory from other tools, these would not be -propagated. Fix this by recursively bind-mounting. - -Signed-off-by: Casey Callendrello -Acked-by: "Eric W. Biederman" ---- - ip/ipnetns.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/ip/ipnetns.c b/ip/ipnetns.c -index 198e9de..9ee1fe6 100644 ---- a/ip/ipnetns.c -+++ b/ip/ipnetns.c -@@ -636,7 +636,7 @@ static int netns_add(int argc, char **argv) - } - - /* Upgrade NETNS_RUN_DIR to a mount point */ -- if (mount(NETNS_RUN_DIR, NETNS_RUN_DIR, "none", MS_BIND, NULL)) { -+ if (mount(NETNS_RUN_DIR, NETNS_RUN_DIR, "none", MS_BIND | MS_REC, NULL)) { - fprintf(stderr, "mount --bind %s %s failed: %s\n", - NETNS_RUN_DIR, NETNS_RUN_DIR, strerror(errno)); - return -1; --- -cgit v1.1 - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/iproute2/files/iproute2-4.12.0-uclibc-ng-add-ipproto_mh.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/iproute2/files/iproute2-4.12.0-uclibc-ng-add-ipproto_mh.patch deleted file mode 100644 index 48cae70143..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/iproute2/files/iproute2-4.12.0-uclibc-ng-add-ipproto_mh.patch +++ /dev/null 
@@ -1,38 +0,0 @@ -From 2ac2f416072d9968a9ea2dd9f48168223a1147b0 Mon Sep 17 00:00:00 2001 -From: Baruch Siach -Date: Tue, 18 Jul 2017 14:09:06 +0300 -Subject: [PATCH] Fix build with uClibc-ng - -Add a local definition for IPPROTO_MH to fix build with uClibc-ng. As of -version 1.0.25, the uClibc-ng netinet/in.h header does not provide this -definition. The kernel provided definition is masked by libc-compat.h. Add -this local fix until uClibc-ng syncs netinet/in.h with glibc. - -This partially reverts upstream commit a9ae195a2169 (xfrm: get #define's from -linux includes) - -Signed-off-by: Baruch Siach ---- -Upstream status: non upstreamable; local uClibc-ng compatibility fix ---- - ip/xfrm.h | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/ip/xfrm.h b/ip/xfrm.h -index 54d80ce5e949..50b85550fb45 100644 ---- a/ip/xfrm.h -+++ b/ip/xfrm.h -@@ -30,6 +30,10 @@ - #include - #include - -+#ifndef IPPROTO_MH -+# define IPPROTO_MH 135 -+#endif -+ - #define XFRMS_RTA(x) ((struct rtattr*)(((char*)(x)) + NLMSG_ALIGN(sizeof(struct xfrm_usersa_info)))) - #define XFRMS_PAYLOAD(n) NLMSG_PAYLOAD(n,sizeof(struct xfrm_usersa_info)) - --- -2.13.2 - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/iproute2/iproute2-4.12.0.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/iproute2/iproute2-4.12.0.ebuild deleted file mode 100644 index 4c37b16aac..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/iproute2/iproute2-4.12.0.ebuild +++ /dev/null 
@@ -1,151 +0,0 @@ -# Copyright 1999-2017 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -EAPI=5 - -inherit eutils toolchain-funcs flag-o-matic multilib - -if [[ ${PV} == "9999" ]] ; then - EGIT_REPO_URI="git://git.kernel.org/pub/scm/linux/kernel/git/shemminger/iproute2.git" - inherit git-2 -else - SRC_URI="mirror://kernel/linux/utils/net/${PN}/${P}.tar.xz" - KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86" -fi - -DESCRIPTION="kernel routing and traffic control utilities" -HOMEPAGE="https://wiki.linuxfoundation.org/networking/iproute2" - -LICENSE="GPL-2" -SLOT="0" -IUSE="atm berkdb +iptables ipv6 minimal selinux" - -# We could make libmnl optional, but it's tiny, so eh -RDEPEND=" - !net-misc/arpd - !minimal? ( net-libs/libmnl ) - iptables? ( >=net-firewall/iptables-1.4.20:= ) - berkdb? ( sys-libs/db:= ) - atm? ( net-dialup/linux-atm ) - selinux? ( sys-libs/libselinux ) -" -# We require newer linux-headers for ipset support #549948 and some defines #553876 -DEPEND=" - ${RDEPEND} - app-arch/xz-utils - iptables? ( virtual/pkgconfig ) - sys-devel/bison - sys-devel/flex - >=sys-kernel/linux-headers-3.16 - elibc_glibc? ( >=sys-libs/glibc-2.7 ) -" - -PATCHES=( - "${FILESDIR}"/${PN}-3.1.0-mtu.patch #291907 - "${FILESDIR}"/${PN}-4.12.0-recursive-mount-netns.patch # rkt/rkt#3761 -) - -src_prepare() { - if ! use ipv6 ; then - PATCHES+=( - "${FILESDIR}"/${PN}-4.11.0-no-ipv6.patch #326849 - ) - fi - - # Local uclibc-ng compat fix until uclibc-ng upstream can sync - # netinet/in.h with glibc. Resolves #626546. 
- if use elibc_uclibc ; then - PATCHES+=( - "${FILESDIR}"/${PN}-4.12.0-uclibc-ng-add-ipproto_mh.patch - ) - fi - - epatch "${PATCHES[@]}" - - sed -i \ - -e '/^CC :=/d' \ - -e "/^LIBDIR/s:=.*:=/$(get_libdir):" \ - -e "s:-O2:${CFLAGS} ${CPPFLAGS}:" \ - -e "/^HOSTCC/s:=.*:= $(tc-getBUILD_CC):" \ - -e "/^WFLAGS/s:-Werror::" \ - -e "/^DBM_INCLUDE/s:=.*:=${T}:" \ - Makefile || die - - # Use /run instead of /var/run. - sed -i \ - -e 's:/var/run:/run:g' \ - include/namespace.h \ - man/man8/ip-netns.8 || die - - # build against system headers - rm -r include/netinet #include/linux include/ip{,6}tables{,_common}.h include/libiptc - sed -i 's:TCPI_OPT_ECN_SEEN:16:' misc/ss.c || die - - use minimal && sed -i -e '/^SUBDIRS=/s:=.*:=lib tc ip:' Makefile -} - -src_configure() { - tc-export AR CC PKG_CONFIG - - # This sure is ugly. Should probably move into toolchain-funcs at some point. - local setns - pushd "${T}" >/dev/null - printf '#include \nint main(){return setns(0, 0);}\n' > test.c - ${CC} ${CFLAGS} ${CPPFLAGS} -D_GNU_SOURCE ${LDFLAGS} test.c >&/dev/null && setns=y || setns=n - echo 'int main(){return 0;}' > test.c - ${CC} ${CFLAGS} ${CPPFLAGS} ${LDFLAGS} test.c -lresolv >&/dev/null || sed -i '/^LDLIBS/s:-lresolv::' "${S}"/Makefile - popd >/dev/null - - cat <<-EOF > Config - TC_CONFIG_ATM := $(usex atm y n) - TC_CONFIG_XT := $(usex iptables y n) - TC_CONFIG_NO_XT := $(usex iptables n y) - # We've locked in recent enough kernel headers #549948 - TC_CONFIG_IPSET := y - HAVE_BERKELEY_DB := $(usex berkdb y n) - HAVE_MNL := $(usex minimal n y) - HAVE_SELINUX := $(usex selinux y n) - IP_CONFIG_SETNS := ${setns} - # Use correct iptables dir, #144265 #293709 - IPT_LIB_DIR := $(use iptables && ${PKG_CONFIG} xtables --variable=xtlibdir) - EOF -} - -src_install() { - if use minimal ; then - into / - dosbin tc/tc - dobin ip/ip - return 0 - fi - - emake \ - DESTDIR="${D}" \ - LIBDIR="${EPREFIX}"/$(get_libdir) \ - SBINDIR="${EPREFIX}"/sbin \ - CONFDIR="${EPREFIX}"/usr/share/iproute2 \ - 
DOCDIR="${EPREFIX}"/usr/share/doc/${PF} \ - MANDIR="${EPREFIX}"/usr/share/man \ - ARPDDIR="${EPREFIX}"/var/lib/arpd \ - install - - rm "${ED}"/usr/share/doc/${PF}/*.{sgml,tex} || die #455988 - - dodir /bin - mv "${ED}"/{s,}bin/ip || die #330115 - - dolib.a lib/libnetlink.a - insinto /usr/include - doins include/libnetlink.h - # This local header pulls in a lot of linux headers it - # doesn't directly need. Delete this header that requires - # linux-headers-3.8 until that goes stable. #467716 - sed -i '/linux\/netconf.h/d' "${ED}"/usr/include/libnetlink.h || die - - if use berkdb ; then - dodir /var/lib/arpd - # bug 47482, arpd doesn't need to be in /sbin - dodir /usr/bin - mv "${ED}"/sbin/arpd "${ED}"/usr/bin/ || die - fi -} diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/iproute2/metadata.xml b/sdk_container/src/third_party/coreos-overlay/sys-apps/iproute2/metadata.xml deleted file mode 100644 index 0fa0b4cd78..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/iproute2/metadata.xml +++ /dev/null @@ -1,13 +0,0 @@ - - - - - base-system@gentoo.org - Gentoo Base System - - - build programs that use berkdb (just arpd) - include support for iptables filtering - only install ip and tc programs - - From c7791908bc64c1e874e6a407c58b25fef1d832b2 Mon Sep 17 00:00:00 2001 From: Andrew Jeddeloh Date: Tue, 24 Oct 2017 18:13:46 -0700 Subject: [PATCH 2/2] profiles: accept ~amd64, ~arm64 for iproute2 Allow iproute2 4.13. --- .../profiles/coreos/base/package.accept_keywords | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords index 34e5955ab9..f0073f4256 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords 
@@ -75,3 +75,7 @@ dev-util/checkbashisms # CVE-2017-1000117 =dev-vcs/git-2.14.1 + +# iproute2 4.13 includes a patch to avoid leaking netns mounts in rkt +# https://git.kernel.org/pub/scm/linux/kernel/git/shemminger/iproute2.git/commit/?id=d6a4076b6ba6547d7e52c377a7c58c56eb5ea16e +=sys-apps/iproute2-4.13 ~amd64 ~arm64
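Review bot: The added atom `=sys-apps/iproute2-4.13` accepts exactly that version with no revision, so a later revision bump in portage-stable (for example a security `-r1`) would not be covered by the `~amd64 ~arm64` keywords. The first patch in this series deletes the overlay copy that carried iproute2-4.12.0-recursive-mount-netns.patch, so if the atom ever fails to match, the resolver would presumably pick an older stable ebuild and drop the `MS_BIND | MS_REC` fix without any build error. Consider `~sys-apps/iproute2-4.13 ~amd64 ~arm64` so that revisions of the same version are accepted. Also confirm that the version string matches the ebuild actually present in portage-stable, which is not visible in this series.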