From e299a9454a24c8918a589becfb8c67a3ca710f63 Mon Sep 17 00:00:00 2001
From: Benjamin Gilbert
Date: Tue, 25 Jul 2017 15:40:21 -0700
Subject: [PATCH] net-firewall/nftables: Container Linux fixups
- Stabilize
- docbook2X isn't needed unless we're installing docs
- Don't ship automatic save/restore infrastructure for now
- Move base config files into /usr/share/nftables
---
 .../net-firewall/nftables/Manifest | 12 --
 .../nftables/files/libexec/nftables.sh | 149 ------------------
 .../nftables/files/nftables.confd | 19 ---
 .../net-firewall/nftables/files/nftables.init | 124 ---------------
 .../files/systemd/nftables-restore.service | 14 --
 .../nftables/nftables-0.6-r4.ebuild | 36 +----
 .../net-firewall/nftables/nftables-0.7.ebuild | 82 ----------
 7 files changed, 3 insertions(+), 433 deletions(-)
 delete mode 100755 sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/libexec/nftables.sh
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/nftables.confd
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/nftables.init
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/systemd/nftables-restore.service
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/nftables-0.7.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/Manifest b/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/Manifest
index 19f91b330a..ee4654f4c8 100644
--- a/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/Manifest
@@ -1,13 +1 @@
-AUX libexec/nftables.sh 3643 SHA256 8f8ca76bc1f77d09b1198e144479cd8cf7f50cf787317522ac6c1978ca9b7e6b SHA512 efc9b4f9520c78b6248f16bd5708669872e8abf949f6f4b81182f331f8532dfeaae2df648e8878e9b5cbd66c0259daab71035ea922754807654b2b3bc86b4352 WHIRLPOOL d3ea74671d3686af9e70a22bf727b9f64ab735cd63270ca283013fc1ba0cad6750ca82127e968f028b65dfe905aeb6275b4e9c295a43f5c8dfe2a7b815a66c44
-AUX nftables-0.5-pdf-doc.patch 1663 SHA256 c55698efb6f40085f1037b12706ca5ab8ba551b8af3902b16ac2cbfc922607c2 SHA512 1925ba300068155ec38ed0631eea0bab1e17ac0b4b454b6f5bf6548961b0264dfd9c9be27e697b8fd7db1827cc670a132c3a716d0874535e29ddb696d1a3eedc WHIRLPOOL c8ea06f6dbbc8c2e4acfaf9ec082647b1ae4288c818d48b47e0b2f5c0cbc7bc6b924b93981b1dd6991923375ffa66a1733988a66ec001d87114962824ee4907f
-AUX nftables-0.6-null-payload-desc-fix.patch 411 SHA256 28bcb66a4d46cb1cb20376f38efb2d95d92983a1417cb500a4351870524c3bfe SHA512 034bfa338ef52b722df8441ab981f45c4eeb88c0d65aa4fcdbee1d17df93c7c3239786351632ccadada08ecae796d366b994bd3c20f576a853885517d4de6116 WHIRLPOOL d0b0ab1051bcdbc734f44fa361781babebfb052daf783bb0e0268d2c3d25f962d4e6f13bf141fcfe46701127c46f104b1740fc48e84266326e9a20553945bcc8
-AUX nftables.confd 655 SHA256 d5e3077345dfea02849a70aea220396322a10c3808f0303b988119adbc56fdbd SHA512 8370abcdc89fcd9da5dc7d1620be6afb4633b8bcd0a8a120b464cc1a7e1fab6f34956c293da3f6d3cbe1f7a2e03038fd0c94a614137ae5657d29ffdb5f3fa144 WHIRLPOOL e39d13f996e620aa82714cb18e4f57624faa302f2259a44cc065804edf95fe07a314f744d17a76be6941c3771da6b233a19ae5b6b2f63783847121c63339197f
-AUX nftables.init 3069 SHA256 be1f1628305b5989ef9de2b95aa4e6201f067eb1f32cd92bba6db6f27f4f325f SHA512 ca761be0440945b21d5b002468baffb3299d0a3ac244aa895734dfdfaf442e7a73b757bcda99d958582064411d1b80b2cbcb4eb532bb219b4df407c9ed892661 WHIRLPOOL 95aebd414c91f3a1e31e241c3d5b83bc998ff5e516c3b6d14b45c0e8bbbb39aba8435f602bc21f7591ef0f6aa71fd01ceb7f08cdab731723478b2a9fb7640c2a
-AUX systemd/nftables-restore.service 394 SHA256 ec9ca69ca916e0739de2eb229c8fee2a65a551a97886c4c0a69c35776f3f1c95 SHA512 18da6a770bb3e94fd6b2c9e6f033450aaff9fe886c8846f780d08a21e2fc884ac078652743b50b3d4ea8c9500f92d272bdd27e2881e438c2b223d40816c100a0 WHIRLPOOL 67eb5b72e81ca66ba079ffd3b574fd21d3ac3cb9fc3d4a3986b1b5543e4059adbdb633b432fa1bb71208a48b4e2eda425d1a09e4b853b7c555d48e8da2b92ded
 DIST nftables-0.6.tar.gz 252523 SHA256 85dd7fa4e741c0be02efddbc57b5d300e1147f09ec6f81d0399110f96dc958f0 SHA512 17f3b94687865e077dc082cf61b29ab2854fd1ffe18212a8d424f2876aef8db9780dd4d06dca8e6d093498151d47bab73e40e1f54062a83a23a3cbe75f27e921 WHIRLPOOL d15eaf81426d73bea28752f96727d291120120fb2aaa994d421d900974eb45062957435e077664fb916780f636ed9b61889dbec8b627d5d309512bae96f02874
-DIST nftables-0.7.tar.gz 292652 SHA256 192c9d92ee0c56eded599d1c54b0d68f4d9b0286f3d908579f0b9271aeba432f SHA512 6032720abf3af8a6dc0b4f507c6ae970447f504d59db4a34b2e0eea3c59962bc69d9ebfaa4e26a117747eb9d0224716a9709b96551b5479d914d7498f26ed43a WHIRLPOOL a999e85370bd9241daf015849ecdf5955f87a2d65f5525a6e75e9eda1bb87e1a84123c42e95f16c4469873a682409fea2ccc65a3af84a107b62d8c2a5727343d
-EBUILD nftables-0.6-r4.ebuild 2116 SHA256 81001d2c20ee1ca27bf40f397be44d2e830d9fdd48d4ea4b6aa7495d45b8db7b SHA512 4c1a3420d9d228ff1925d91ee0bdd285995b7d06b59453863e5b5fef12813c6f58d8487a10c880c313a328be79e69b49147f0a5c73e07554d665ff24ffe1f265 WHIRLPOOL 3486ed76af507f4a49e8a203d7bf4544b244319c803e272db2b59fb6d7aa53900f8b9e8146de99b2dce41372cf9cd6d03075fbd4577c5b38ba642a2f628c18c8
-EBUILD nftables-0.7.ebuild 2002 SHA256 c909b988d5ddde8cf9365667b8bd5d27314be4bb9a972ce651bc416d6739c33f SHA512 0b6efeee42b09b861a27fb11cf02b2096f5e66f8e80f92d8ed97bfeeabb8fe532b068761ffbadf7603cc6095ddd81abe313dd6f581b0719239411f740a0131bf WHIRLPOOL 2bee002b52161664bdd17ae47558b8a723ec603ab0c3c19454685a2511cd9e62d543db7007c0f64eeb35fef20a5b7edf119e8dfb8be852c2368861a95920ee29
-MISC ChangeLog 9200 SHA256 2dab66ea101a22a52b3f2cee4afbfa6dbb2545da809a22cbb10ef9341e08f25e SHA512 cf2cf5c185447f5adaf7f1c7be119f1d13e009f450e2e632234b23b132fb478defda597f09ce492aa7f1c846d2c34f2cf7e6f87b450e7713a843e21a09480e79 WHIRLPOOL 25f4c0eb5d2b5d4492636b6c4c5892e68ed6be83b8d8606785c2c583c91d9429dca75014c196d3f991e78b8e97968b526c83d0bc9277b3ab8c8fd919f1592bf3
-MISC ChangeLog-2015 1919 SHA256 36e610e38e898312082803dcc832cf1b808ff8f450e89f73610c8517cea6e045 SHA512 bb7cff250e90ba78e9e47692ddf126056d5d2b50cce7c3442de3b129ff00272e8b0ae2181f4898f424aac506783e4f978a5f2f1228827d3583402396a518e03b WHIRLPOOL b045fb1f27d640ad01b2fa3b28ba12df8d540b6b86657205d3a3bae303da17ccc5f09f441405579f662360200d98e45724b8f3cd579d55d21d82734545f9d98d
-MISC metadata.xml 363 SHA256 e42199977ccd7d8c42f737be6748733b9aedeb201c810c2487ecf37763ec3eb9 SHA512 32abec1750df9b486d5c74e81aaafd7386ae793a2046635cdcab24debf51ca1c8f6b9733fe7f5d04934751ce3086251bb973e6e88b6c5ff96c902f1825dad07c WHIRLPOOL c0fb5f41754b8a54efcc750f72497175aa67d68b32146a7dcc8170a4565a429a4fa8c16e21a68ca5169440a93ba264744b1011cd6507a3c808ef0550b043bb6c
diff --git a/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/libexec/nftables.sh b/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/libexec/nftables.sh
deleted file mode 100755
index cc55f85660..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/libexec/nftables.sh
+++ /dev/null
@@ -1,149 +0,0 @@
-#! /bin/sh
-
-main() {
- local NFTABLES_SAVE=${2:-'/var/lib/nftables/rules-save'}
- local retval
- case "$1" in
- "clear")
- if ! use_legacy; then
- nft flush ruleset
- else
- clear_legacy
- fi
- retval=$?
- ;;
- "list")
- if ! use_legacy; then
- nft list ruleset
- else
- list_legacy
- fi
- retval=$?
- ;;
- "load")
- nft -f ${NFTABLES_SAVE}
- retval=$?
- ;;
- "store")
- local tmp_save="${NFTABLES_SAVE}.tmp"
- if ! use_legacy; then
- nft ${SAVE_OPTIONS} list ruleset > ${tmp_save}
- else
- save_legacy ${tmp_save}
- fi
- retval=$?
- if [ ${retval} ]; then
- mv ${tmp_save} ${NFTABLES_SAVE}
- fi
- ;;
- esac
- return ${retval}
-}
-
-clear_legacy() {
- local l3f line table chain first_line
-
- first_line=1
- if manualwalk; then
- for l3f in $(getfamilies); do
- nft list tables ${l3f} | while read line; do
- table=$(echo ${line} | sed "s/table[ \t]*//")
- deletetable ${l3f} ${table}
- done
- done
- else
- nft list tables | while read line; do
- l3f=$(echo ${line} | cut -d ' ' -f2)
- table=$(echo ${line} | cut -d ' ' -f3)
- deletetable ${l3f} ${table}
- done
- fi
-}
-
-list_legacy() {
- local l3f
-
- if manualwalk; then
- for l3f in $(getfamilies); do
- nft list tables ${l3f} | while read line; do
- line=$(echo ${line} | sed "s/table/table ${l3f}/")
- echo "$(nft list ${line})"
- done
- done
- else
- nft list tables | while read line; do
- echo "$(nft list ${line})"
- done
- fi
-}
-
-save_legacy() {
- tmp_save=$1
- touch "${tmp_save}"
- if manualwalk; then
- for l3f in $(getfamilies); do
- nft list tables ${l3f} | while read line; do
- line=$(echo ${line} | sed "s/table/table ${l3f}/")
- nft ${SAVE_OPTIONS} list ${line} >> ${tmp_save}
- done
- done
- else
- nft list tables | while read line; do
- nft ${SAVE_OPTIONS} list ${line} >> "${tmp_save}"
- done
- fi
-}
-
-use_legacy() {
- local major_ver minor_ver
-
- major_ver=$(uname -r | cut -d '.' -f1)
- minor_ver=$(uname -r | cut -d '.' -f2)
-
- [ $major_ver -ge 4 -o $major_ver -eq 3 -a $minor_ver -ge 18 ] && return 1
- return 0
-}
-
-CHECK_TABLE_NAME="GENTOO_CHECK_TABLE"
-
-getfamilies() {
- local l3f families
-
- for l3f in ip arp ip6 bridge inet; do
- if nft create table ${l3f} ${CHECK_TABLE_NAME} > /dev/null 2>&1; then
- families="${families}${l3f} "
- nft delete table ${l3f} ${CHECK_TABLE_NAME}
- fi
- done
- echo ${families}
-}
-
-manualwalk() {
- local result l3f=`getfamilies | cut -d ' ' -f1`
-
- nft create table ${l3f} ${CHECK_TABLE_NAME}
- nft list tables | read line
- if [ $(echo $line | wc -w) -lt 3 ]; then
- result=0
- fi
- result=1
- nft delete table ${l3f} ${CHECK_TABLE_NAME}
-
- return $result
-}
-
-deletetable() {
- # family is $1
- # table name is $2
- nft flush table $1 $2
- nft list table $1 $2 | while read l; do
- chain=$(echo $l | grep -o 'chain [^[:space:]]\+' | cut -d ' ' -f2)
- if [ -n "${chain}" ]; then
- nft flush chain $1 $2 ${chain}
- nft delete chain $1 $2 ${chain}
- fi
- done
- nft delete table $1 $2
-}
-
-main "$@"
diff --git a/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/nftables.confd b/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/nftables.confd
deleted file mode 100644
index e83a4b9620..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/nftables.confd
+++ /dev/null
@@ -1,19 +0,0 @@
-# /etc/conf.d/nftables
-
-# Location in which nftables initscript will save set rules on
-# service shutdown
-NFTABLES_SAVE="/var/lib/nftables/rules-save"
-
-# Options to pass to nft on save
-SAVE_OPTIONS="-n"
-
-# Save state on stopping nftables
-SAVE_ON_STOP="yes"
-
-# If you need to log nftables messages as soon as nftables starts,
-# AND your logger does NOT depend on the network, then you may wish
-# to uncomment the next line.
-# If your logger depends on the network, and you uncomment this line
-# you will create an unresolvable circular dependency during startup.
-# After commenting or uncommenting this line, you must run 'rc-update -u'.
-#rc_use="logger"
diff --git a/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/nftables.init b/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/nftables.init
deleted file mode 100644
index cf4ab8b5f4..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/nftables.init
+++ /dev/null
@@ -1,124 +0,0 @@
-#!/sbin/openrc-run
-# Copyright 2014-2017 Nicholas Vinson
-# Copyright 1999-2017 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-extra_commands="clear list panic save"
-extra_started_commands="reload"
-depend() {
- need localmount #434774
- before net
-}
-
-start_pre() {
- checkkernel || return 1
- checkconfig || return 1
- return 0
-}
-
-clear() {
- /usr/libexec/nftables/nftables.sh clear || return 1
- return 0
-}
-
-list() {
- /usr/libexec/nftables/nftables.sh list || return 1
- return 0
-}
-
-panic() {
- checkkernel || return 1
- if service_started ${RC_SVCNAME}; then
- rc-service ${RC_SVCNAME} stop
- fi
-
- ebegin "Dropping all packets"
- clear
- if nft create table ip filter >/dev/null 2>&1; then
- nft -f /dev/stdin <<-EOF
- table ip filter {
- chain input {
- type filter hook input priority 0;
- drop
- }
- chain forward {
- type filter hook forward priority 0;
- drop
- }
- chain output {
- type filter hook output priority 0;
- drop
- }
- }
- EOF
- fi
- if nft create table ip6 filter >/dev/null 2>&1; then
- nft -f /dev/stdin <<-EOF
- table ip6 filter {
- chain input {
- type filter hook input priority 0;
- drop
- }
- chain forward {
- type filter hook forward priority 0;
- drop
- }
- chain output {
- type filter hook output priority 0;
- drop
- }
- }
- EOF
- fi
-}
-
-reload() {
- checkkernel || return 1
- ebegin "Flushing firewall"
- clear
- start
-}
-
-save() {
- ebegin "Saving nftables state"
- checkpath -q -d "$(dirname "${NFTABLES_SAVE}")"
- checkpath -q -m 0600 -f "${NFTABLES_SAVE}"
- export SAVE_OPTIONS
- /usr/libexec/nftables/nftables.sh store ${NFTABLES_SAVE}
- return $?
-}
-
-start() {
- ebegin "Loading nftables state and starting firewall"
- clear
- /usr/libexec/nftables/nftables.sh load ${NFTABLES_SAVE}
- eend $?
-}
-
-stop() {
- if yesno ${SAVE_ON_STOP:-yes}; then
- save || return 1
- fi
-
- ebegin "Stopping firewall"
- clear
- eend $?
-}
-
-checkconfig() {
- if [ ! -f ${NFTABLES_SAVE} ]; then
- eerror "Not starting nftables. First create some rules then run:"
- eerror "rc-service nftables save"
- return 1
- fi
- return 0
-}
-
-checkkernel() {
- if ! nft list tables >/dev/null 2>&1; then
- eerror "Your kernel lacks nftables support, please load"
- eerror "appropriate modules and try again."
- return 1
- fi
- return 0
-}
diff --git a/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/systemd/nftables-restore.service b/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/systemd/nftables-restore.service
deleted file mode 100644
index 4b68b0a5b0..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/files/systemd/nftables-restore.service
+++ /dev/null
@@ -1,14 +0,0 @@
-[Unit]
-Description=Store and restore nftables firewall rules
-ConditionPathExists=/var/lib/nftables/rules-save
-Before=network-pre.target
-Wants=network-pre.target
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-ExecStart=/usr/libexec/nftables/nftables.sh load /var/lib/nftables/rules-save
-ExecStop=/usr/libexec/nftables/nftables.sh store /var/lib/nftables/rules-save
-
-[Install]
-WantedBy=basic.target
diff --git a/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/nftables-0.6-r4.ebuild b/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/nftables-0.6-r4.ebuild
index be9f30bcfb..fcdf2add82 100644
--- a/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/nftables-0.6-r4.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/nftables-0.6-r4.ebuild
@@ -11,7 +11,7 @@ SRC_URI="http://git.netfilter.org/nftables/snapshot/v${PV}.tar.gz -> ${P}.tar.gz
 LICENSE="GPL-2"
 SLOT="0"
-KEYWORDS="~amd64 ~arm ~x86"
+KEYWORDS="amd64 arm64 ~arm ~x86"
 IUSE="debug doc gmp +readline xml"
 RDEPEND=">=net-libs/libmnl-1.0.3
@@ -20,8 +20,7 @@ RDEPEND=">=net-libs/libmnl-1.0.3
 >=net-libs/libnftnl-1.0.6[xml(-)?]
 "
 DEPEND="${RDEPEND}
- >=app-text/docbook2X-0.8.8-r4
- doc? ( >=app-text/dblatex-0.3.7 )
+ doc? ( >=app-text/docbook2X-0.8.8-r4 >=app-text/dblatex-0.3.7 )
 sys-devel/bison
 sys-devel/flex
 virtual/pkgconfig"
@@ -49,39 +48,10 @@ src_prepare() {
 src_configure() {
 econf \
+ --sysconfdir="${EPREFIX}"/usr/share \
 --sbindir="${EPREFIX}"/sbin \
 $(use_enable doc pdf-doc) \
 $(use_enable debug) \
 $(use_with readline cli) \
 $(use_with !gmp mini_gmp)
 }
-
-src_install() {
- default
-
- dodir /usr/libexec/${PN}
- exeinto /usr/libexec/${PN}
- doexe "${FILESDIR}"/libexec/${PN}.sh
-
- newconfd "${FILESDIR}"/${PN}.confd ${PN}
- newinitd "${FILESDIR}"/${PN}.init ${PN}
- keepdir /var/lib/nftables
-
- systemd_dounit "${FILESDIR}"/systemd/${PN}-restore.service
- systemd_enable_service basic.target ${PN}-restore.service
-}
-
-pkg_postinst() {
- local save_file
- save_file="${EROOT%/}/var/lib/nftables/rules-save"
-
- elog "In order for the nftables-restore systemd service to start, "
- elog "the file, ${save_file}, must exist. To create this "
- elog "file run the following command: "
- elog ""
- elog " touch '${save_file}'"
- elog ""
- elog "Afterwards, the nftables-restore service should be manually started "
- elog "to ensure firewall changes are stored on system shutdown. The "
- elog "systemd service will function normally thereafter."
-}
diff --git a/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/nftables-0.7.ebuild b/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/nftables-0.7.ebuild
deleted file mode 100644
index 30376495f1..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/net-firewall/nftables/nftables-0.7.ebuild
+++ /dev/null
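Review bot: Demoting docbook2X to a `doc?` dependency is only safe if nftables 0.6's configure tolerates a missing `docbook2x-man`; I have not checked 0.6's configure.ac, and if it errors rather than warns when the tool is absent, every USE=-doc build now fails in src_configure while the commit message asserts the opposite. Please confirm against the 0.6 tarball and, if configure does abort, pass the matching disable switch next to `$(use_enable doc pdf-doc)` (for example `$(use_enable doc man-doc)` if 0.6 provides it). Whatever the outcome, a one-line comment on the new `doc?` line recording it, such as `# docbook2x-man only builds the man page; verified configure skips it when absent`, would keep the next reviewer from re-asking.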
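Review bot: Removing src_install together with the nftables-restore unit leaves this package applying no ruleset at boot, and the pkg_postinst elog that explained the save-file mechanism disappears with it, so a freshly provisioned host has `nft` installed but no nftables policy unless the operator ships a unit of their own; that is what "for now" in the commit message means, but the ebuild should say so rather than go silent. I would keep a minimal pkg_postinst with `elog "No nftables ruleset is applied at boot; install a systemd unit that runs 'nft -f <ruleset>' before network-pre.target."`. The new `--sysconfdir="${EPREFIX}"/usr/share` line also changes where nft resolves relative `include` statements if 0.6 derives its default include path from sysconfdir, as I recall it does but have not re-verified, so rulesets kept under /etc need absolute include paths and the base files under /usr/share/nftables are read-only on the host. A why-comment on that line, e.g. `# /usr is read-only on Container Linux: ship the base configs under /usr/share/nftables rather than /etc`, would make the intent clear.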
@@ -1,82 +0,0 @@
-# Copyright 1999-2017 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=6
-
-inherit autotools linux-info systemd
-
-DESCRIPTION="Linux kernel (3.13+) firewall, NAT and packet mangling tools"
-HOMEPAGE="http://netfilter.org/projects/nftables/"
-SRC_URI="http://git.netfilter.org/nftables/snapshot/v${PV}.tar.gz -> ${P}.tar.gz"
-
-LICENSE="GPL-2"
-SLOT="0"
-KEYWORDS="~amd64 ~arm ~x86"
-IUSE="debug doc gmp +readline"
-
-RDEPEND=">=net-libs/libmnl-1.0.3
- gmp? ( dev-libs/gmp:0= )
- readline? ( sys-libs/readline:0= )
- >=net-libs/libnftnl-1.0.7"
-
-DEPEND="${RDEPEND}
- >=app-text/docbook2X-0.8.8-r4
- doc? ( >=app-text/dblatex-0.3.7 )
- sys-devel/bison
- sys-devel/flex
- virtual/pkgconfig"
-
-S="${WORKDIR}/v${PV}"
-
-pkg_setup() {
- if kernel_is ge 3 13; then
- CONFIG_CHECK="~NF_TABLES"
- linux-info_pkg_setup
- else
- eerror "This package requires kernel version 3.13 or newer to work properly."
- fi
-}
-
-src_prepare() {
- default
- eautoreconf
-}
-
-src_configure() {
- econf \
- --sbindir="${EPREFIX}"/sbin \
- $(use_enable doc pdf-doc) \
- $(use_enable debug) \
- $(use_with readline cli) \
- $(use_with !gmp mini_gmp)
-}
-
-src_install() {
- default
-
- dodir /usr/libexec/${PN}
- exeinto /usr/libexec/${PN}
- doexe "${FILESDIR}"/libexec/${PN}.sh
-
- newconfd "${FILESDIR}"/${PN}.confd ${PN}
- newinitd "${FILESDIR}"/${PN}.init ${PN}
- keepdir /var/lib/nftables
-
- systemd_dounit "${FILESDIR}"/systemd/${PN}-restore.service
- systemd_enable_service basic.target ${PN}-restore.service
-}
-
-pkg_postinst() {
- local save_file
- save_file="${EROOT%/}/var/lib/nftables/rules-save"
-
- elog "In order for the nftables-restore systemd service to start, "
- elog "the file, ${save_file}, must exist. To create this "
- elog "file run the following command: "
- elog ""
- elog " touch '${save_file}'"
- elog ""
- elog "Afterwards, the nftables-restore service should be manually started "
- elog "to ensure firewall changes are stored on system shutdown. The "
- elog "systemd service will function normally thereafter."
-}