net-firewall/nftables: Sync with Gentoo

It's from Gentoo commit 3f9eefb94b299f4f606d69995c7cf41096d17b57. Signed-off-by: Flatcar Buildbot <buildbot@flatcar-linux.org>
2025-10-20 11:51:06 +02:00 · 2025-09-01 07:12:54 +00:00 · 2025-09-01 07:12:54 +00:00 · ed26be998c
commit ed26be998c
parent 50fefd9960
4 changed files with 480 additions and 2 deletions
--- a/sdk_container/src/third_party/portage-stable/net-firewall/nftables/Manifest
+++ b/sdk_container/src/third_party/portage-stable/net-firewall/nftables/Manifest
@ -2,3 +2,7 @@ DIST nftables-1.1.1.tar.xz 989700 BLAKE2B f273c78369ba755049c6afa63eba195cf29f92
 DIST nftables-1.1.1.tar.xz.sig 566 BLAKE2B b7debda3373972f69af9b4b23e1b66a8fd156440187aafba605bb7342c267207e5aa628256e96432ebd4583a6a9436e1969a33636111d2bd8d57185a01e2d502 SHA512 fc23034c512f686167203e827ff2a8f7cb64530211ce92a28793bd49577ce3bf519ffbe910b0071cb21925898497cb5cbf70121c68bfcdbfa4460c63a14203ac
 DIST nftables-1.1.3.tar.xz 990172 BLAKE2B 35f4ece6c27b29a14bc71bb7893971134950509a713e84453e1f87df6b07cda327314d6dbbf048032a047652b8817f8ee8a5d74a56e356088495edd1dbbed000 SHA512 b5c244cb6db73eb232e5c999e07403b60c543efb9c4b9991838cc9c43a1bd08ca7b2926233536cbb0cc66e2a9acc4fbddc4b5565f5665e753c107a8739a86040
 DIST nftables-1.1.3.tar.xz.sig 566 BLAKE2B 4f0e9c89213b46d3445a729bf96b1790adc53725f31134f9028297e99d83ac43f5094f9cfa0efee903dc691781dd5d67a814583ff1c645776f1a46266dc2681f SHA512 7aa972c146e0dfaacc8faaef9b9ebbe419f7cbc5814d1fb978b35a4972d384aabe2e6e053fefc6d5d042acb9bff5f35e5f97cbee0c4a0152c53ab9c2e5b0335f
+DIST nftables-1.1.4.tar.xz 1005044 BLAKE2B 359d23c89462125be72d4a103bd063cb9acf4c929ecc345d11c895b990ab7a7d96e73ac2d5e39036a7a6593edcb82d1b407e49c6fbb95aba8e31270f4b2d0917 SHA512 861beb92bdf668c92054becded5497369c9182124df45a175a8534aa1eb5b3d5e69f85e4e10f468f61f7493370e99b51ebe6f6e6e207670211167d88fa9e63aa
+DIST nftables-1.1.4.tar.xz.sig 566 BLAKE2B 87d84b3f4e896923c7c59701ab98aec289dd5a5413f6ff1b4680a98238ce9ccba452e23cc686b04a84c70be4c153d3aac5d73db8c7a7c61021226b20c0c11fab SHA512 4aa1d7f2b219e24cbc41fa397afcc605b3cf1c55a14b97827c0581cc2af9c5def0308ed69aa243b30690f7f14501c573a7902a75003582d0adf26ab086ca8356
+DIST nftables-1.1.5.tar.xz 1008132 BLAKE2B 4c391e316f5c04cffe16a64df60217d74e37ab4f87c614003e2d2f702b8a4fe81c2ca7f42b3429e948078b2b0ecf0ad61b8cc2f7b95384fff9c004bcc3837317 SHA512 01fbbea43fd01250b0176a200dfdb6b84d3d51156cc2350acb25a5e66960e1908c3d17a0363baddb32897ea8bea0569b67500a94f708c8587b0e29402f51cbb6
+DIST nftables-1.1.5.tar.xz.sig 566 BLAKE2B 4868d9a0fc35eade43e973e7d17412edd2302155df8d1b68664746feec84479446ad427363ccc0a4fc32272b03a200414451c9732cd3486707994816d331b91c SHA512 e6ff864eeba8c73ec5352d5c690864e29f128258edd653765f77e34689dc7408de91a04827bf15fcf8e13cf6b875f3b7e9bbdb0b23dc89cecde43787b1df60bd
--- a/sdk_container/src/third_party/portage-stable/net-firewall/nftables/nftables-1.1.4.ebuild
+++ b/sdk_container/src/third_party/portage-stable/net-firewall/nftables/nftables-1.1.4.ebuild
@ -0,0 +1,236 @@
+# Copyright 1999-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+DISTUTILS_OPTIONAL=1
+DISTUTILS_USE_PEP517=setuptools
+PYTHON_COMPAT=( python3_{11..14} )
+VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/netfilter.org.asc
+inherit eapi9-ver edo linux-info distutils-r1 systemd verify-sig
+
+DESCRIPTION="Linux kernel firewall, NAT and packet mangling tools"
+HOMEPAGE="https://netfilter.org/projects/nftables/"
+
+if [[ ${PV} =~ ^[9]{4,}$ ]]; then
+	inherit autotools git-r3
+	EGIT_REPO_URI="https://git.netfilter.org/${PN}"
+	BDEPEND="app-alternatives/yacc"
+else
+	inherit libtool
+	SRC_URI="
+		https://netfilter.org/projects/nftables/files/${P}.tar.xz
+		verify-sig? ( https://netfilter.org/projects/nftables/files/${P}.tar.xz.sig )
+	"
+	KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~loong ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86"
+	BDEPEND="verify-sig? ( >=sec-keys/openpgp-keys-netfilter-20240415 )"
+fi
+
+# See COPYING: new code is GPL-2+, existing code is GPL-2
+LICENSE="GPL-2 GPL-2+"
+SLOT="0/1"
+IUSE="debug doc +gmp json libedit python +readline static-libs test xtables"
+RESTRICT="!test? ( test )"
+
+RDEPEND="
+	>=net-libs/libmnl-1.0.4:=
+	>=net-libs/libnftnl-1.3.0:=
+	gmp? ( dev-libs/gmp:= )
+	json? ( dev-libs/jansson:= )
+	python? ( ${PYTHON_DEPS} )
+	readline? ( sys-libs/readline:= )
+	xtables? ( >=net-firewall/iptables-1.6.1:= )
+"
+DEPEND="${RDEPEND}"
+BDEPEND+="
+	app-alternatives/lex
+	virtual/pkgconfig
+	doc? (
+		app-text/asciidoc
+		>=app-text/docbook2X-0.8.8-r4
+	)
+	python? ( ${DISTUTILS_DEPS} )
+"
+
+REQUIRED_USE="
+	python? ( ${PYTHON_REQUIRED_USE} )
+	libedit? ( !readline )
+"
+
+src_prepare() {
+	default
+
+	if [[ ${PV} =~ ^[9]{4,}$ ]] ; then
+		eautoreconf
+	else
+		elibtoolize
+	fi
+
+	if use python; then
+		pushd py >/dev/null || die
+		distutils-r1_src_prepare
+		popd >/dev/null || die
+	fi
+}
+
+src_configure() {
+	local myeconfargs=(
+		--sbindir="${EPREFIX}"/sbin
+		$(use_enable debug)
+		$(use_enable doc man-doc)
+		$(use_with !gmp mini_gmp)
+		$(use_with json)
+		$(use_with libedit cli editline)
+		$(use_with readline cli readline)
+		$(use_enable static-libs static)
+		$(use_with xtables)
+	)
+
+	econf "${myeconfargs[@]}"
+
+	if use python; then
+		pushd py >/dev/null || die
+		distutils-r1_src_configure
+		popd >/dev/null || die
+	fi
+}
+
+src_compile() {
+	default
+
+	if use python; then
+		pushd py >/dev/null || die
+		distutils-r1_src_compile
+		popd >/dev/null || die
+	fi
+}
+
+src_test() {
+	emake check
+
+	if [[ ${EUID} == 0 ]]; then
+		edo tests/shell/run-tests.sh -v
+	else
+		ewarn "Skipping shell tests (requires root)"
+	fi
+
+	if use python; then
+		pushd tests/py >/dev/null || die
+		distutils-r1_src_test
+		popd >/dev/null || die
+	fi
+}
+
+python_test() {
+	if [[ ${EUID} == 0 ]]; then
+		edo "${EPYTHON}" nft-test.py
+	else
+		ewarn "Skipping Python tests (requires root)"
+	fi
+}
+
+src_install() {
+	default
+
+	if ! use doc && [[ ! ${PV} =~ ^[9]{4,}$ ]]; then
+		pushd doc >/dev/null || die
+		doman *.?
+		popd >/dev/null || die
+	fi
+
+	# Do it here instead of in src_prepare to avoid eautoreconf
+	# rmdir lets us catch if more files end up installed in /etc/nftables
+	dodir /usr/share/doc/${PF}/skels/
+	mv "${ED}"/etc/nftables/osf "${ED}"/usr/share/doc/${PF}/skels/osf || die
+	rmdir "${ED}"/etc/nftables || die
+
+	exeinto /usr/libexec/${PN}
+	newexe "${FILESDIR}"/libexec/${PN}-mk.sh ${PN}.sh
+	newconfd "${FILESDIR}"/${PN}-mk.confd ${PN}
+	newinitd "${FILESDIR}"/${PN}-mk.init-r1 ${PN}
+	keepdir /var/lib/nftables
+
+	systemd_dounit "${FILESDIR}"/systemd/${PN}-load.service
+	systemd_dounit "${FILESDIR}"/systemd/${PN}-store.service
+
+	if use python ; then
+		pushd py >/dev/null || die
+		distutils-r1_src_install
+		popd >/dev/null || die
+	fi
+
+	find "${ED}" -type f -name "*.la" -delete || die
+}
+
+pkg_preinst() {
+	local stderr
+
+	# There's a history of regressions with nftables upgrades. Perform a
+	# safety check to help us spot them earlier. For the check to pass, the
+	# currently loaded ruleset, if any, must be successfully evaluated by
+	# the newly built instance of nft(8).
+	if [[ -n ${ROOT} ]] || [[ ! -d /sys/module/nftables ]] || [[ ! -x /sbin/nft ]]; then
+		# Either nftables isn't yet in use or nft(8) cannot be executed.
+		return
+	elif ! stderr=$(umask 177; /sbin/nft -t list ruleset 2>&1 >"${T}"/ruleset.nft); then
+		# Report errors induced by trying to list the ruleset but don't
+		# treat them as being fatal.
+		printf '%s\n' "${stderr}" >&2
+	elif [[ ${stderr} == *"is managed by iptables-nft"* ]]; then
+		# Rulesets generated by iptables-nft are special in nature and
+		# will not always be printed in a way that constitutes a valid
+		# syntax for ntf(8). Ignore them.
+		return
+	elif set -- "${ED}"/usr/lib*/libnftables.so;
+		! LD_LIBRARY_PATH=${1%/*} "${ED}"/sbin/nft -c -f -- "${T}"/ruleset.nft
+	then
+		eerror "Your currently loaded ruleset cannot be parsed by the newly built instance of"
+		eerror "nft. This probably means that there is a regression introduced by v${PV}."
+		eerror "(To make the ebuild fail instead of warning, set NFTABLES_ABORT_ON_RELOAD_FAILURE=1.)"
+		if [[ -n ${NFTABLES_ABORT_ON_RELOAD_FAILURE} ]] ; then
+			die "Aborting because of failed nft reload!"
+		fi
+	fi
+}
+
+pkg_postinst() {
+	local save_file
+	save_file="${EROOT}"/var/lib/nftables/rules-save
+
+	# In order for the nftables-load systemd service to start
+	# the save_file must exist.
+	if [[ ! -f "${save_file}" ]]; then
+		( umask 177; touch "${save_file}" )
+	elif [[ $(( "$( stat --printf '%05a' "${save_file}" )" & 07177 )) -ne 0 ]]; then
+		ewarn "Your system has dangerous permissions for ${save_file}"
+		ewarn "It is probably affected by bug #691326."
+		ewarn "You may need to fix the permissions of the file. To do so,"
+		ewarn "you can run the command in the line below as root."
+		ewarn "    'chmod 600 \"${save_file}\"'"
+	fi
+
+	if has_version 'sys-apps/systemd'; then
+		if ver_replacing -lt "1.1.1-r1"; then
+			elog "Starting with ${PN}-1.1.1-r1, the ${PN}-restore.service has"
+			elog "been split into ${PN}-load.service and ${PN}-store.service."
+			elog
+		fi
+		elog "If you wish to enable the firewall rules on boot (on systemd) you"
+		elog "will need to enable the nftables-load service."
+		elog "    'systemctl enable ${PN}-load.service'"
+		elog
+		elog "Enable nftables-store.service if you want firewall rules to be"
+		elog "saved at shutdown."
+	fi
+
+	if has_version 'sys-apps/openrc'; then
+		elog "If you wish to enable the firewall rules on boot (on openrc) you"
+		elog "will need to enable the nftables service."
+		elog "    'rc-update add ${PN} default'"
+		elog
+		elog "If you are creating or updating the firewall rules and wish to save"
+		elog "them to be loaded on the next restart, use the \"save\" functionality"
+		elog "in the init script."
+		elog "    'rc-service ${PN} save'"
+	fi
+}
--- a/sdk_container/src/third_party/portage-stable/net-firewall/nftables/nftables-1.1.5.ebuild
+++ b/sdk_container/src/third_party/portage-stable/net-firewall/nftables/nftables-1.1.5.ebuild
@ -0,0 +1,237 @@
+# Copyright 1999-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+DISTUTILS_OPTIONAL=1
+DISTUTILS_USE_PEP517=setuptools
+PYTHON_COMPAT=( python3_{11..14} )
+VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/netfilter.org.asc
+inherit eapi9-ver edo linux-info distutils-r1 systemd verify-sig
+
+DESCRIPTION="Linux kernel firewall, NAT and packet mangling tools"
+HOMEPAGE="https://netfilter.org/projects/nftables/"
+
+if [[ ${PV} =~ ^[9]{4,}$ ]]; then
+	inherit autotools git-r3
+	EGIT_REPO_URI="https://git.netfilter.org/${PN}"
+	BDEPEND="app-alternatives/yacc"
+else
+	inherit libtool
+	SRC_URI="
+		https://netfilter.org/projects/nftables/files/${P}.tar.xz
+		verify-sig? ( https://netfilter.org/projects/nftables/files/${P}.tar.xz.sig )
+	"
+	KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~loong ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86"
+	BDEPEND="verify-sig? ( >=sec-keys/openpgp-keys-netfilter-20240415 )"
+fi
+
+# See COPYING: new code is GPL-2+, existing code is GPL-2
+LICENSE="GPL-2 GPL-2+"
+SLOT="0/1"
+IUSE="debug doc +gmp json libedit python +readline static-libs test xtables"
+RESTRICT="!test? ( test )"
+
+RDEPEND="
+	>=net-libs/libmnl-1.0.4:=
+	>=net-libs/libnftnl-1.3.0:=
+	gmp? ( dev-libs/gmp:= )
+	json? ( dev-libs/jansson:= )
+	python? ( ${PYTHON_DEPS} )
+	readline? ( sys-libs/readline:= )
+	xtables? ( >=net-firewall/iptables-1.6.1:= )
+"
+DEPEND="${RDEPEND}"
+BDEPEND+="
+	app-alternatives/lex
+	virtual/pkgconfig
+	doc? (
+		app-text/asciidoc
+		>=app-text/docbook2X-0.8.8-r4
+	)
+	python? ( ${DISTUTILS_DEPS} )
+"
+
+REQUIRED_USE="
+	python? ( ${PYTHON_REQUIRED_USE} )
+	libedit? ( !readline )
+"
+
+src_prepare() {
+	default
+
+	if [[ ${PV} =~ ^[9]{4,}$ ]] ; then
+		eautoreconf
+	else
+		elibtoolize
+	fi
+
+	if use python; then
+		pushd py >/dev/null || die
+		distutils-r1_src_prepare
+		popd >/dev/null || die
+	fi
+}
+
+src_configure() {
+	local myeconfargs=(
+		--sbindir="${EPREFIX}"/sbin
+		--with-unitdir=$(systemd_get_systemunitdir)
+		$(use_enable debug)
+		$(use_enable doc man-doc)
+		$(use_with !gmp mini_gmp)
+		$(use_with json)
+		$(use_with libedit cli editline)
+		$(use_with readline cli readline)
+		$(use_enable static-libs static)
+		$(use_with xtables)
+	)
+
+	econf "${myeconfargs[@]}"
+
+	if use python; then
+		pushd py >/dev/null || die
+		distutils-r1_src_configure
+		popd >/dev/null || die
+	fi
+}
+
+src_compile() {
+	default
+
+	if use python; then
+		pushd py >/dev/null || die
+		distutils-r1_src_compile
+		popd >/dev/null || die
+	fi
+}
+
+src_test() {
+	emake check
+
+	if [[ ${EUID} == 0 ]]; then
+		edo tests/shell/run-tests.sh -v
+	else
+		ewarn "Skipping shell tests (requires root)"
+	fi
+
+	if use python; then
+		pushd tests/py >/dev/null || die
+		distutils-r1_src_test
+		popd >/dev/null || die
+	fi
+}
+
+python_test() {
+	if [[ ${EUID} == 0 ]]; then
+		edo "${EPYTHON}" nft-test.py
+	else
+		ewarn "Skipping Python tests (requires root)"
+	fi
+}
+
+src_install() {
+	default
+
+	if ! use doc && [[ ! ${PV} =~ ^[9]{4,}$ ]]; then
+		pushd doc >/dev/null || die
+		doman *.?
+		popd >/dev/null || die
+	fi
+
+	# Do it here instead of in src_prepare to avoid eautoreconf
+	# rmdir lets us catch if more files end up installed in /etc/nftables
+	dodir /usr/share/doc/${PF}/skels/
+	mv "${ED}"/etc/nftables/osf "${ED}"/usr/share/doc/${PF}/skels/osf || die
+	rmdir "${ED}"/etc/nftables || die
+
+	exeinto /usr/libexec/${PN}
+	newexe "${FILESDIR}"/libexec/${PN}-mk.sh ${PN}.sh
+	newconfd "${FILESDIR}"/${PN}-mk.confd ${PN}
+	newinitd "${FILESDIR}"/${PN}-mk.init-r1 ${PN}
+	keepdir /var/lib/nftables
+
+	systemd_dounit "${FILESDIR}"/systemd/${PN}-load.service
+	systemd_dounit "${FILESDIR}"/systemd/${PN}-store.service
+
+	if use python ; then
+		pushd py >/dev/null || die
+		distutils-r1_src_install
+		popd >/dev/null || die
+	fi
+
+	find "${ED}" -type f -name "*.la" -delete || die
+}
+
+pkg_preinst() {
+	local stderr
+
+	# There's a history of regressions with nftables upgrades. Perform a
+	# safety check to help us spot them earlier. For the check to pass, the
+	# currently loaded ruleset, if any, must be successfully evaluated by
+	# the newly built instance of nft(8).
+	if [[ -n ${ROOT} ]] || [[ ! -d /sys/module/nftables ]] || [[ ! -x /sbin/nft ]]; then
+		# Either nftables isn't yet in use or nft(8) cannot be executed.
+		return
+	elif ! stderr=$(umask 177; /sbin/nft -t list ruleset 2>&1 >"${T}"/ruleset.nft); then
+		# Report errors induced by trying to list the ruleset but don't
+		# treat them as being fatal.
+		printf '%s\n' "${stderr}" >&2
+	elif [[ ${stderr} == *"is managed by iptables-nft"* ]]; then
+		# Rulesets generated by iptables-nft are special in nature and
+		# will not always be printed in a way that constitutes a valid
+		# syntax for ntf(8). Ignore them.
+		return
+	elif set -- "${ED}"/usr/lib*/libnftables.so;
+		! LD_LIBRARY_PATH=${1%/*} "${ED}"/sbin/nft -c -f -- "${T}"/ruleset.nft
+	then
+		eerror "Your currently loaded ruleset cannot be parsed by the newly built instance of"
+		eerror "nft. This probably means that there is a regression introduced by v${PV}."
+		eerror "(To make the ebuild fail instead of warning, set NFTABLES_ABORT_ON_RELOAD_FAILURE=1.)"
+		if [[ -n ${NFTABLES_ABORT_ON_RELOAD_FAILURE} ]] ; then
+			die "Aborting because of failed nft reload!"
+		fi
+	fi
+}
+
+pkg_postinst() {
+	local save_file
+	save_file="${EROOT}"/var/lib/nftables/rules-save
+
+	# In order for the nftables-load systemd service to start
+	# the save_file must exist.
+	if [[ ! -f "${save_file}" ]]; then
+		( umask 177; touch "${save_file}" )
+	elif [[ $(( "$( stat --printf '%05a' "${save_file}" )" & 07177 )) -ne 0 ]]; then
+		ewarn "Your system has dangerous permissions for ${save_file}"
+		ewarn "It is probably affected by bug #691326."
+		ewarn "You may need to fix the permissions of the file. To do so,"
+		ewarn "you can run the command in the line below as root."
+		ewarn "    'chmod 600 \"${save_file}\"'"
+	fi
+
+	if has_version 'sys-apps/systemd'; then
+		if ver_replacing -lt "1.1.1-r1"; then
+			elog "Starting with ${PN}-1.1.1-r1, the ${PN}-restore.service has"
+			elog "been split into ${PN}-load.service and ${PN}-store.service."
+			elog
+		fi
+		elog "If you wish to enable the firewall rules on boot (on systemd) you"
+		elog "will need to enable the nftables-load service."
+		elog "    'systemctl enable ${PN}-load.service'"
+		elog
+		elog "Enable nftables-store.service if you want firewall rules to be"
+		elog "saved at shutdown."
+	fi
+
+	if has_version 'sys-apps/openrc'; then
+		elog "If you wish to enable the firewall rules on boot (on openrc) you"
+		elog "will need to enable the nftables service."
+		elog "    'rc-update add ${PN} default'"
+		elog
+		elog "If you are creating or updating the firewall rules and wish to save"
+		elog "them to be loaded on the next restart, use the \"save\" functionality"
+		elog "in the init script."
+		elog "    'rc-service ${PN} save'"
+	fi
+}
--- a/sdk_container/src/third_party/portage-stable/net-firewall/nftables/nftables-9999.ebuild
+++ b/sdk_container/src/third_party/portage-stable/net-firewall/nftables/nftables-9999.ebuild
@ -5,7 +5,7 @@ EAPI=8

 DISTUTILS_OPTIONAL=1
 DISTUTILS_USE_PEP517=setuptools
-PYTHON_COMPAT=( python3_{10..13} )
+PYTHON_COMPAT=( python3_{11..14} )
 VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/netfilter.org.asc
 inherit eapi9-ver edo linux-info distutils-r1 systemd verify-sig

@ -34,7 +34,7 @@ RESTRICT="!test? ( test )"

 RDEPEND="
 	>=net-libs/libmnl-1.0.4:=
-	>=net-libs/libnftnl-1.2.9:=
+	>=net-libs/libnftnl-1.3.0:=
 	gmp? ( dev-libs/gmp:= )
 	json? ( dev-libs/jansson:= )
 	python? ( ${PYTHON_DEPS} )
@ -76,6 +76,7 @@ src_prepare() {
 src_configure() {
 	local myeconfargs=(
 		--sbindir="${EPREFIX}"/sbin
+		--with-unitdir=$(systemd_get_systemunitdir)
 		$(use_enable debug)
 		$(use_enable doc man-doc)
 		$(use_with !gmp mini_gmp)