net-firewall/nftables: Container Linux fixups

- Stabilize
- docbook2X isn't needed unless we're installing docs
- Don't ship automatic save/restore infrastructure for now
- Move base config files into /usr/share/nftables

sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/Manifest

@@ -1,13 +1 @@
-AUX libexec/nftables.sh 3643 SHA256 8f8ca76bc1f77d09b1198e144479cd8cf7f50cf787317522ac6c1978ca9b7e6b SHA512 efc9b4f9520c78b6248f16bd5708669872e8abf949f6f4b81182f331f8532dfeaae2df648e8878e9b5cbd66c0259daab71035ea922754807654b2b3bc86b4352 WHIRLPOOL d3ea74671d3686af9e70a22bf727b9f64ab735cd63270ca283013fc1ba0cad6750ca82127e968f028b65dfe905aeb6275b4e9c295a43f5c8dfe2a7b815a66c44
-AUX nftables-0.5-pdf-doc.patch 1663 SHA256 c55698efb6f40085f1037b12706ca5ab8ba551b8af3902b16ac2cbfc922607c2 SHA512 1925ba300068155ec38ed0631eea0bab1e17ac0b4b454b6f5bf6548961b0264dfd9c9be27e697b8fd7db1827cc670a132c3a716d0874535e29ddb696d1a3eedc WHIRLPOOL c8ea06f6dbbc8c2e4acfaf9ec082647b1ae4288c818d48b47e0b2f5c0cbc7bc6b924b93981b1dd6991923375ffa66a1733988a66ec001d87114962824ee4907f
-AUX nftables-0.6-null-payload-desc-fix.patch 411 SHA256 28bcb66a4d46cb1cb20376f38efb2d95d92983a1417cb500a4351870524c3bfe SHA512 034bfa338ef52b722df8441ab981f45c4eeb88c0d65aa4fcdbee1d17df93c7c3239786351632ccadada08ecae796d366b994bd3c20f576a853885517d4de6116 WHIRLPOOL d0b0ab1051bcdbc734f44fa361781babebfb052daf783bb0e0268d2c3d25f962d4e6f13bf141fcfe46701127c46f104b1740fc48e84266326e9a20553945bcc8
-AUX nftables.confd 655 SHA256 d5e3077345dfea02849a70aea220396322a10c3808f0303b988119adbc56fdbd SHA512 8370abcdc89fcd9da5dc7d1620be6afb4633b8bcd0a8a120b464cc1a7e1fab6f34956c293da3f6d3cbe1f7a2e03038fd0c94a614137ae5657d29ffdb5f3fa144 WHIRLPOOL e39d13f996e620aa82714cb18e4f57624faa302f2259a44cc065804edf95fe07a314f744d17a76be6941c3771da6b233a19ae5b6b2f63783847121c63339197f
-AUX nftables.init 3069 SHA256 be1f1628305b5989ef9de2b95aa4e6201f067eb1f32cd92bba6db6f27f4f325f SHA512 ca761be0440945b21d5b002468baffb3299d0a3ac244aa895734dfdfaf442e7a73b757bcda99d958582064411d1b80b2cbcb4eb532bb219b4df407c9ed892661 WHIRLPOOL 95aebd414c91f3a1e31e241c3d5b83bc998ff5e516c3b6d14b45c0e8bbbb39aba8435f602bc21f7591ef0f6aa71fd01ceb7f08cdab731723478b2a9fb7640c2a
-AUX systemd/nftables-restore.service 394 SHA256 ec9ca69ca916e0739de2eb229c8fee2a65a551a97886c4c0a69c35776f3f1c95 SHA512 18da6a770bb3e94fd6b2c9e6f033450aaff9fe886c8846f780d08a21e2fc884ac078652743b50b3d4ea8c9500f92d272bdd27e2881e438c2b223d40816c100a0 WHIRLPOOL 67eb5b72e81ca66ba079ffd3b574fd21d3ac3cb9fc3d4a3986b1b5543e4059adbdb633b432fa1bb71208a48b4e2eda425d1a09e4b853b7c555d48e8da2b92ded
 DIST nftables-0.6.tar.gz 252523 SHA256 85dd7fa4e741c0be02efddbc57b5d300e1147f09ec6f81d0399110f96dc958f0 SHA512 17f3b94687865e077dc082cf61b29ab2854fd1ffe18212a8d424f2876aef8db9780dd4d06dca8e6d093498151d47bab73e40e1f54062a83a23a3cbe75f27e921 WHIRLPOOL d15eaf81426d73bea28752f96727d291120120fb2aaa994d421d900974eb45062957435e077664fb916780f636ed9b61889dbec8b627d5d309512bae96f02874
-DIST nftables-0.7.tar.gz 292652 SHA256 192c9d92ee0c56eded599d1c54b0d68f4d9b0286f3d908579f0b9271aeba432f SHA512 6032720abf3af8a6dc0b4f507c6ae970447f504d59db4a34b2e0eea3c59962bc69d9ebfaa4e26a117747eb9d0224716a9709b96551b5479d914d7498f26ed43a WHIRLPOOL a999e85370bd9241daf015849ecdf5955f87a2d65f5525a6e75e9eda1bb87e1a84123c42e95f16c4469873a682409fea2ccc65a3af84a107b62d8c2a5727343d
-EBUILD nftables-0.6-r4.ebuild 2116 SHA256 81001d2c20ee1ca27bf40f397be44d2e830d9fdd48d4ea4b6aa7495d45b8db7b SHA512 4c1a3420d9d228ff1925d91ee0bdd285995b7d06b59453863e5b5fef12813c6f58d8487a10c880c313a328be79e69b49147f0a5c73e07554d665ff24ffe1f265 WHIRLPOOL 3486ed76af507f4a49e8a203d7bf4544b244319c803e272db2b59fb6d7aa53900f8b9e8146de99b2dce41372cf9cd6d03075fbd4577c5b38ba642a2f628c18c8
-EBUILD nftables-0.7.ebuild 2002 SHA256 c909b988d5ddde8cf9365667b8bd5d27314be4bb9a972ce651bc416d6739c33f SHA512 0b6efeee42b09b861a27fb11cf02b2096f5e66f8e80f92d8ed97bfeeabb8fe532b068761ffbadf7603cc6095ddd81abe313dd6f581b0719239411f740a0131bf WHIRLPOOL 2bee002b52161664bdd17ae47558b8a723ec603ab0c3c19454685a2511cd9e62d543db7007c0f64eeb35fef20a5b7edf119e8dfb8be852c2368861a95920ee29
-MISC ChangeLog 9200 SHA256 2dab66ea101a22a52b3f2cee4afbfa6dbb2545da809a22cbb10ef9341e08f25e SHA512 cf2cf5c185447f5adaf7f1c7be119f1d13e009f450e2e632234b23b132fb478defda597f09ce492aa7f1c846d2c34f2cf7e6f87b450e7713a843e21a09480e79 WHIRLPOOL 25f4c0eb5d2b5d4492636b6c4c5892e68ed6be83b8d8606785c2c583c91d9429dca75014c196d3f991e78b8e97968b526c83d0bc9277b3ab8c8fd919f1592bf3
-MISC ChangeLog-2015 1919 SHA256 36e610e38e898312082803dcc832cf1b808ff8f450e89f73610c8517cea6e045 SHA512 bb7cff250e90ba78e9e47692ddf126056d5d2b50cce7c3442de3b129ff00272e8b0ae2181f4898f424aac506783e4f978a5f2f1228827d3583402396a518e03b WHIRLPOOL b045fb1f27d640ad01b2fa3b28ba12df8d540b6b86657205d3a3bae303da17ccc5f09f441405579f662360200d98e45724b8f3cd579d55d21d82734545f9d98d
-MISC metadata.xml 363 SHA256 e42199977ccd7d8c42f737be6748733b9aedeb201c810c2487ecf37763ec3eb9 SHA512 32abec1750df9b486d5c74e81aaafd7386ae793a2046635cdcab24debf51ca1c8f6b9733fe7f5d04934751ce3086251bb973e6e88b6c5ff96c902f1825dad07c WHIRLPOOL c0fb5f41754b8a54efcc750f72497175aa67d68b32146a7dcc8170a4565a429a4fa8c16e21a68ca5169440a93ba264744b1011cd6507a3c808ef0550b043bb6c

sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/libexec/nftables.sh

@@ -1,149 +0,0 @@
-#! /bin/sh
-
-main() {
-    local NFTABLES_SAVE=${2:-'/var/lib/nftables/rules-save'}
-    local retval
-    case "$1" in
-        "clear")
-            if ! use_legacy; then
-                nft flush ruleset
-            else
-                clear_legacy
-            fi
-            retval=$?
-        ;;
-        "list")
-            if ! use_legacy; then
-                nft list ruleset
-            else
-                list_legacy
-            fi
-            retval=$?
-        ;;
-        "load")
-            nft -f ${NFTABLES_SAVE}
-            retval=$?
-        ;;
-        "store")
-            local tmp_save="${NFTABLES_SAVE}.tmp"
-            if ! use_legacy; then
-                nft ${SAVE_OPTIONS} list ruleset > ${tmp_save}
-            else
-                save_legacy ${tmp_save}
-            fi
-            retval=$?
-            if [ ${retval} ]; then
-                mv ${tmp_save} ${NFTABLES_SAVE}
-            fi
-        ;;
-    esac
-    return ${retval}
-}
-
-clear_legacy() {
-    local l3f line table chain first_line
-
-    first_line=1
-    if manualwalk; then
-        for l3f in $(getfamilies); do
-            nft list tables ${l3f} | while read line; do
-                table=$(echo ${line} | sed "s/table[ \t]*//")
-                deletetable ${l3f} ${table}
-            done
-        done
-    else
-        nft list tables | while read line; do
-            l3f=$(echo ${line} | cut -d ' ' -f2)
-            table=$(echo ${line} | cut -d ' ' -f3)
-            deletetable ${l3f} ${table}
-        done
-    fi
-}
-
-list_legacy() {
-    local l3f
-
-    if manualwalk; then
-        for l3f in $(getfamilies); do
-            nft list tables ${l3f} | while read line; do
-                line=$(echo ${line} | sed "s/table/table ${l3f}/")
-                echo "$(nft list ${line})"
-            done
-        done
-    else
-        nft list tables | while read line; do
-            echo "$(nft list ${line})"
-        done
-    fi
-}
-
-save_legacy() {
-    tmp_save=$1
-    touch "${tmp_save}"
-    if manualwalk; then
-        for l3f in $(getfamilies); do
-            nft list tables ${l3f} | while read line; do
-                line=$(echo ${line} | sed "s/table/table ${l3f}/")
-                nft ${SAVE_OPTIONS} list ${line} >> ${tmp_save}
-            done
-        done
-    else
-        nft list tables | while read line; do
-            nft ${SAVE_OPTIONS} list ${line} >> "${tmp_save}"
-        done
-    fi
-}
-
-use_legacy() {
-    local major_ver minor_ver
-
-    major_ver=$(uname -r | cut -d '.' -f1)
-    minor_ver=$(uname -r | cut -d '.' -f2)
-
-    [ $major_ver -ge 4 -o $major_ver -eq 3 -a $minor_ver -ge 18 ] && return 1
-    return 0
-}
-
-CHECK_TABLE_NAME="GENTOO_CHECK_TABLE"
-
-getfamilies() {
-    local l3f families
-
-    for l3f in ip arp ip6 bridge inet; do
-        if nft create table ${l3f} ${CHECK_TABLE_NAME} > /dev/null 2>&1; then
-            families="${families}${l3f} "
-            nft delete table ${l3f} ${CHECK_TABLE_NAME}
-        fi
-    done
-    echo ${families}
-}
-
-manualwalk() {
-    local result l3f=`getfamilies | cut -d ' ' -f1`
-
-    nft create table ${l3f} ${CHECK_TABLE_NAME}
-    nft list tables | read line
-    if [ $(echo $line | wc -w) -lt 3 ]; then
-        result=0
-    fi
-    result=1
-    nft delete table ${l3f} ${CHECK_TABLE_NAME}
-
-    return $result
-}
-
-deletetable() {
-    # family is $1
-    # table name is $2
-    nft flush table $1 $2
-    nft list table $1 $2 | while read l; do
-        chain=$(echo $l | grep -o 'chain [^[:space:]]\+' | cut -d ' ' -f2)
-        if [ -n "${chain}" ]; then
-            nft flush chain $1 $2 ${chain}
-            nft delete chain $1 $2 ${chain}
-        fi
-    done
-    nft delete table $1 $2
-}
-
-main "$@"

sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/nftables.confd

@@ -1,19 +0,0 @@
-# /etc/conf.d/nftables
-
-# Location in which nftables initscript will save set rules on 
-# service shutdown
-NFTABLES_SAVE="/var/lib/nftables/rules-save"
-
-# Options to pass to nft on save
-SAVE_OPTIONS="-n"
-
-# Save state on stopping nftables
-SAVE_ON_STOP="yes"
-
-# If you need to log nftables messages as soon as nftables starts,
-# AND your logger does NOT depend on the network, then you may wish
-# to uncomment the next line.
-# If your logger depends on the network, and you uncomment this line
-# you will create an unresolvable circular dependency during startup.
-# After commenting or uncommenting this line, you must run 'rc-update -u'.
-#rc_use="logger"

sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/nftables.init

@@ -1,124 +0,0 @@
-#!/sbin/openrc-run
-# Copyright 2014-2017 Nicholas Vinson
-# Copyright 1999-2017 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-extra_commands="clear list panic save"
-extra_started_commands="reload"
-depend() {
-    need localmount #434774
-    before net
-}
-
-start_pre() {
-    checkkernel || return 1
-    checkconfig || return 1
-    return 0
-}
-
-clear() {
-    /usr/libexec/nftables/nftables.sh clear || return 1
-    return 0
-}
-
-list() {
-    /usr/libexec/nftables/nftables.sh list || return 1
-    return 0
-}
-
-panic() {
-    checkkernel || return 1
-    if service_started ${RC_SVCNAME}; then
-        rc-service ${RC_SVCNAME} stop
-    fi
-
-    ebegin "Dropping all packets"
-    clear
-    if nft create table ip filter >/dev/null 2>&1; then
-	nft -f /dev/stdin <<-EOF
-	    table ip filter {
-	                    chain input {
-	                                    type filter hook input priority 0;
-	                                    drop
-	                    }
-	                    chain forward {
-	                                    type filter hook forward priority 0;
-	                                    drop
-	                    }
-	                    chain output {
-	                                    type filter hook output priority 0;
-	                                    drop
-	                    }
-	    }
-	EOF
-    fi
-    if nft create table ip6 filter >/dev/null 2>&1; then
-	nft -f /dev/stdin <<-EOF
-	    table ip6 filter {
-	                    chain input {
-	                                    type filter hook input priority 0;
-	                                    drop
-	                    }
-	                    chain forward {
-	                                    type filter hook forward priority 0;
-	                                    drop
-	                    }
-	                    chain output {
-	                                    type filter hook output priority 0;
-	                                    drop
-	                    }
-	    }
-	EOF
-    fi
-}
-
-reload() {
-    checkkernel || return 1
-    ebegin "Flushing firewall"
-    clear
-    start
-}
-
-save() {
-    ebegin "Saving nftables state"
-    checkpath -q -d "$(dirname "${NFTABLES_SAVE}")"
-    checkpath -q -m 0600 -f "${NFTABLES_SAVE}"
-    export SAVE_OPTIONS
-    /usr/libexec/nftables/nftables.sh store ${NFTABLES_SAVE}
-    return $?
-}
-
-start() {
-    ebegin "Loading nftables state and starting firewall"
-    clear
-    /usr/libexec/nftables/nftables.sh load ${NFTABLES_SAVE}
-    eend $?
-}
-
-stop() {
-    if yesno ${SAVE_ON_STOP:-yes}; then
-        save || return 1
-    fi
-
-    ebegin "Stopping firewall"
-    clear
-    eend $?
-}
-
-checkconfig() {
-    if [ ! -f ${NFTABLES_SAVE} ]; then
-        eerror "Not starting nftables.  First create some rules then run:"
-        eerror "rc-service nftables save"
-        return 1
-    fi
-    return 0
-}
-
-checkkernel() {
-    if ! nft list tables >/dev/null 2>&1; then
-        eerror "Your kernel lacks nftables support, please load"
-        eerror "appropriate modules and try again."
-        return 1
-    fi
-    return 0
-}

sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/systemd/nftables-restore.service

@@ -1,14 +0,0 @@
-[Unit]
-Description=Store and restore nftables firewall rules
-ConditionPathExists=/var/lib/nftables/rules-save
-Before=network-pre.target
-Wants=network-pre.target
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-ExecStart=/usr/libexec/nftables/nftables.sh load /var/lib/nftables/rules-save
-ExecStop=/usr/libexec/nftables/nftables.sh store /var/lib/nftables/rules-save
-
-[Install]
-WantedBy=basic.target

sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/nftables-0.6-r4.ebuild

@@ -11,7 +11,7 @@ SRC_URI="http://git.netfilter.org/nftables/snapshot/v${PV}.tar.gz -> ${P}.tar.gz
 
 LICENSE="GPL-2"
 SLOT="0"
-KEYWORDS="~amd64 ~arm ~x86"
+KEYWORDS="amd64 arm64 ~arm ~x86"
 IUSE="debug doc gmp +readline xml"
 
 RDEPEND=">=net-libs/libmnl-1.0.3
@@ -20,8 +20,7 @@ RDEPEND=">=net-libs/libmnl-1.0.3
 	>=net-libs/libnftnl-1.0.6[xml(-)?]
 	"
 DEPEND="${RDEPEND}
-	>=app-text/docbook2X-0.8.8-r4
-	doc? ( >=app-text/dblatex-0.3.7 )
+	doc? ( >=app-text/docbook2X-0.8.8-r4 >=app-text/dblatex-0.3.7 )
 	sys-devel/bison
 	sys-devel/flex
 	virtual/pkgconfig"
@@ -49,39 +48,10 @@ src_prepare() {
 
 src_configure() {
 	econf \
+		--sysconfdir="${EPREFIX}"/usr/share \
 		--sbindir="${EPREFIX}"/sbin \
 		$(use_enable doc pdf-doc) \
 		$(use_enable debug) \
 		$(use_with readline cli) \
 		$(use_with !gmp mini_gmp)
 }
-
-src_install() {
-	default
-
-	dodir /usr/libexec/${PN}
-	exeinto /usr/libexec/${PN}
-	doexe "${FILESDIR}"/libexec/${PN}.sh
-
-	newconfd "${FILESDIR}"/${PN}.confd ${PN}
-	newinitd "${FILESDIR}"/${PN}.init ${PN}
-	keepdir /var/lib/nftables
-
-	systemd_dounit "${FILESDIR}"/systemd/${PN}-restore.service
-	systemd_enable_service basic.target ${PN}-restore.service
-}
-
-pkg_postinst() {
-	local save_file
-	save_file="${EROOT%/}/var/lib/nftables/rules-save"
-
-	elog "In order for the nftables-restore systemd service to start, "
-	elog "the file, ${save_file}, must exist.  To create this "
-	elog "file run the following command: "
-	elog ""
-	elog "	touch '${save_file}'"
-	elog ""
-	elog "Afterwards, the nftables-restore service should be manually started "
-	elog "to ensure firewall changes are stored on system shutdown.  The "
-	elog "systemd service will function normally thereafter."
-}

sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/nftables-0.7.ebuild

@@ -1,82 +0,0 @@
-# Copyright 1999-2017 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=6
-
-inherit autotools linux-info systemd
-
-DESCRIPTION="Linux kernel (3.13+) firewall, NAT and packet mangling tools"
-HOMEPAGE="http://netfilter.org/projects/nftables/"
-SRC_URI="http://git.netfilter.org/nftables/snapshot/v${PV}.tar.gz -> ${P}.tar.gz"
-
-LICENSE="GPL-2"
-SLOT="0"
-KEYWORDS="~amd64 ~arm ~x86"
-IUSE="debug doc gmp +readline"
-
-RDEPEND=">=net-libs/libmnl-1.0.3
-	gmp? ( dev-libs/gmp:0= )
-	readline? ( sys-libs/readline:0= )
-	>=net-libs/libnftnl-1.0.7"
-
-DEPEND="${RDEPEND}
-	>=app-text/docbook2X-0.8.8-r4
-	doc? ( >=app-text/dblatex-0.3.7 )
-	sys-devel/bison
-	sys-devel/flex
-	virtual/pkgconfig"
-
-S="${WORKDIR}/v${PV}"
-
-pkg_setup() {
-	if kernel_is ge 3 13; then
-		CONFIG_CHECK="~NF_TABLES"
-		linux-info_pkg_setup
-	else
-		eerror "This package requires kernel version 3.13 or newer to work properly."
-	fi
-}
-
-src_prepare() {
-	default
-	eautoreconf
-}
-
-src_configure() {
-	econf \
-		--sbindir="${EPREFIX}"/sbin \
-		$(use_enable doc pdf-doc) \
-		$(use_enable debug) \
-		$(use_with readline cli) \
-		$(use_with !gmp mini_gmp)
-}
-
-src_install() {
-	default
-
-	dodir /usr/libexec/${PN}
-	exeinto /usr/libexec/${PN}
-	doexe "${FILESDIR}"/libexec/${PN}.sh
-
-	newconfd "${FILESDIR}"/${PN}.confd ${PN}
-	newinitd "${FILESDIR}"/${PN}.init ${PN}
-	keepdir /var/lib/nftables
-
-	systemd_dounit "${FILESDIR}"/systemd/${PN}-restore.service
-	systemd_enable_service basic.target ${PN}-restore.service
-}
-
-pkg_postinst() {
-	local save_file
-	save_file="${EROOT%/}/var/lib/nftables/rules-save"
-
-	elog "In order for the nftables-restore systemd service to start, "
-	elog "the file, ${save_file}, must exist.  To create this "
-	elog "file run the following command: "
-	elog ""
-	elog "	touch '${save_file}'"
-	elog ""
-	elog "Afterwards, the nftables-restore service should be manually started "
-	elog "to ensure firewall changes are stored on system shutdown.  The "
-	elog "systemd service will function normally thereafter."
-}