From f6efb50cb644c3773030dd6768687cd0a3f15756 Mon Sep 17 00:00:00 2001
From: Sayan Chowdhury
Date: Mon, 14 Jun 2021 20:54:27 +0530
Subject: [PATCH] net-firewall/iptables: Apply the Flatcar patches
Signed-off-by: Sayan Chowdhury
---
 .../iptables/files/systemd/ip6tables.service | 6 +++
 .../iptables/files/systemd/iptables.service | 6 +++
 .../iptables/iptables-1.8.7.ebuild | 41 +++++++++----------
 3 files changed, 32 insertions(+), 21 deletions(-)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/net-firewall/iptables/files/systemd/ip6tables.service
 create mode 100644 sdk_container/src/third_party/coreos-overlay/net-firewall/iptables/files/systemd/iptables.service
diff --git a/sdk_container/src/third_party/coreos-overlay/net-firewall/iptables/files/systemd/ip6tables.service b/sdk_container/src/third_party/coreos-overlay/net-firewall/iptables/files/systemd/ip6tables.service
new file mode 100644
index 0000000000..0a6d7fa1c8
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-firewall/iptables/files/systemd/ip6tables.service
@@ -0,0 +1,6 @@
+[Unit]
+Description=Store and restore ip6tables firewall rules
+
+[Install]
+Also=ip6tables-store.service
+Also=ip6tables-restore.service
diff --git a/sdk_container/src/third_party/coreos-overlay/net-firewall/iptables/files/systemd/iptables.service b/sdk_container/src/third_party/coreos-overlay/net-firewall/iptables/files/systemd/iptables.service
new file mode 100644
index 0000000000..3643a3e310
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-firewall/iptables/files/systemd/iptables.service
@@ -0,0 +1,6 @@
+[Unit]
+Description=Store and restore iptables firewall rules
+
+[Install]
+Also=iptables-store.service
+Also=iptables-restore.service
diff --git a/sdk_container/src/third_party/coreos-overlay/net-firewall/iptables/iptables-1.8.7.ebuild b/sdk_container/src/third_party/coreos-overlay/net-firewall/iptables/iptables-1.8.7.ebuild
index a6ba56cb35..69ab247e39 100644
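Review bot: Both new wrapper units, ip6tables.service and iptables.service, consist only of `[Unit]` and `[Install]` and carry no comment saying they are meant to be enabled rather than started. With no `[Service]` section there is no `ExecStart=`, so systemd will refuse to start them, and the only effect is that `systemctl enable` pulls in the two `Also=` units. I would add a header comment to each file, for example `# Enable-only wrapper: enabling this unit enables iptables-store.service and iptables-restore.service; it has no [Service] section and cannot be started.` The `Also=` targets are not created by this patch, so it is worth confirming that the ebuild installs them alongside these files, since otherwise enabling the wrapper would presumably fail and no saved rules would be restored at boot.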
--- a/sdk_container/src/third_party/coreos-overlay/net-firewall/iptables/iptables-1.8.7.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/net-firewall/iptables/iptables-1.8.7.ebuild @@ -32,19 +32,23 @@ DEPEND="${COMMON_DEPEND} virtual/os-headers >=sys-kernel/linux-headers-4.4:0 " +# Flatcar: Rename virtual/yacc to app-alternatives/yacc. The former is +# gone in favor of the latter in Gentoo. This modification will be +# dropped when we update this ebuild from Gentoo. BDEPEND="${BUILD_DEPEND} app-eselect/eselect-iptables virtual/pkgconfig nftables? ( sys-devel/flex - virtual/yacc + app-alternatives/yacc ) " +# Flatcar: Drop BUILD_DEPEND, as we would not like to ship +# eselect in the final image. Also, drop net-firewall/arptables as we don't +# ship arptables RDEPEND="${COMMON_DEPEND} - ${BUILD_DEPEND} nftables? ( net-misc/ethertypes ) !/dev/null; then elog "Current iptables implementation is unset, setting to ${default_iptables}" eselect iptables set "${default_iptables}" fi - + # Flatcar: Drop the arptables, but retain the `for` structure in favor of lesser diff + # to upstream if use nftables; then local tables - for tables in {arp,eb}tables; do + for tables in ebtables; do if ! eselect ${tables} show &>/dev/null; then elog "Current ${tables} implementation is unset, setting to ${default_iptables}" - eselect ${tables} set xtables-nft-multi + eselect ${tables} set "${default_iptables}" fi done fi 
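Review bot: In the pkg_postinst loop, `eselect ${tables} set "${default_iptables}"` makes the ebtables backend follow `default_iptables`, where the removed line pinned it to `xtables-nft-multi`, and nothing in the hunk says which value is expected. `default_iptables` is assigned outside the visible lines and part of this file section is missing from the page, so the following is inferred. If the variable names the legacy multi-binary, it is probably not a target the ebtables eselect module accepts, and the `set` would fail, leaving the ebtables symlinks unset on an nftables build. A one-line comment above the loop would settle it, for example `# default_iptables must be a target the ebtables module accepts (xtables-nft-multi) when USE=nftables`. Quoting the variable in `eselect "${tables}" show` would also match the quoting added on the `set` line.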
@@ -161,17 +171,6 @@ pkg_prerm() {
 if ! has_version 'net-firewall/ebtables'; then
 elog "Unsetting ebtables symlinks before removal"
 eselect ebtables unset
- elif [[ -z ${REPLACED_BY_VERSION} ]]; then
- elog "Resetting ebtables symlinks to ebtables-legacy"
- eselect ebtables set ebtables-legacy
- fi
-
- if ! has_version 'net-firewall/arptables'; then
- elog "Unsetting arptables symlinks before removal"
- eselect arptables unset
- elif [[ -z ${REPLACED_BY_VERSION} ]]; then
- elog "Resetting arptables symlinks to arptables-legacy"
- eselect arptables set arptables-legacy
 fi

 # the eselect module failing should not be fatal