commit: b38141202df6795a9268c4c57041e8f4389d76ae Author: Matt Turner <mattst88 <AT> gentoo <DOT> org> AuthorDate: Wed Mar 12 03:09:56 2025 +0000 Commit: Matt Turner <mattst88 <AT> gentoo <DOT> org> CommitDate: Mon Mar 31 16:08:21 2025 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b3814120
net-firewall/nftables: Drop old versions
Signed-off-by: Matt Turner <mattst88 <AT> gentoo.org>
 net-firewall/nftables/Manifest | 4 -
 ...es-1.1.0-revert-firewalld-breaking-change.patch | 63 ------
 net-firewall/nftables/nftables-1.0.9.ebuild | 226 --------------------
 net-firewall/nftables/nftables-1.1.0-r1.ebuild | 232 ---------------------
 4 files changed, 525 deletions(-)
diff --git a/net-firewall/nftables/Manifest b/net-firewall/nftables/Manifest
index fc0e6f7ae858..95ba7296285b 100644
--- a/net-firewall/nftables/Manifest
+++ b/net-firewall/nftables/Manifest
@@ -1,6 +1,2 @@
-DIST nftables-1.0.9.tar.xz 971968 BLAKE2B 1dfd1e79d3a7b645fd0995dad10893d70dbd13c92805c5cf30825acbbeb45071b2095072cecbd14b4f66cf0c284d2937a996c6b8013213438f53b92731af039d SHA512 dc34099658e283d9fd4d06264b593710121074558305ea23ab298c5f6a6b564a826f186241b6e106fbaa4e11160cf77e68bb52b4ce401b28d8d2e403cd4b88e8
-DIST nftables-1.0.9.tar.xz.sig 566 BLAKE2B d4bb0a1f629d2950753799fba18f6c3ce50e5ff242816e392245a714bfeccb3408583added4362f1e0da47cc6e30b0b95f864cf8443a1872d59ae40b15b5f706 SHA512 9b96ce8539700713ff4802fb2deff5b2ea0dd3155c45f5a8f49a45f70226893c7449e0b79504833b2e63e5290290e693c962128a226ca8f6ca281185bdcd7b51
-DIST nftables-1.1.0.tar.xz 1057672 BLAKE2B cc876d9ba344480a2f5a12811206356d9edbd4a95d29e8127f43864a1b4e2ae9bc88a6d07f0d36469dfed190c5822fd6a7c69b6a9028fbb0bc1ec254e76083d9 SHA512 0b0c6789b7d987289b9770ea2d26e640c50bc7f300685476c4fc367b5ad3d6980fca63b8fe701f727fb3a94328eb7dc560ed5745b5ce44f171022de5714d3a86
-DIST nftables-1.1.0.tar.xz.sig 566 BLAKE2B 556287b40ad6f82d229ae18910ec2008c3168c7088e7149f8b5e80ca9983b90ec202cf01838c80e973845dd565f4f13a454d6dc99030a3f9cede6c33929da07d SHA512 1b3a42a76b378373c8a21b77aaf9c1fc57402360d49d56b22f02c50bef969b1f6867a4d40bda24b2dd1a0dfcf7148893938a7eea84ff8cc67d9edcd6b9b62bb4
 DIST nftables-1.1.1.tar.xz 989700 BLAKE2B f273c78369ba755049c6afa63eba195cf29f926fa8fc9bf344022904c00a8c6c4259cc5093e23993a55fd25790af575305df79a7c28624fa7082661b2eed70d0 SHA512 676413d4adadffb15d52c1f8f6432636cab83a7bcda1a18d9f0e6b58819a2c027a49922588c02bd9ad386de930eaa697bfe74c0938b595bf1ee485bfa7cf2e50
 DIST nftables-1.1.1.tar.xz.sig 566 BLAKE2B b7debda3373972f69af9b4b23e1b66a8fd156440187aafba605bb7342c267207e5aa628256e96432ebd4583a6a9436e1969a33636111d2bd8d57185a01e2d502 SHA512 fc23034c512f686167203e827ff2a8f7cb64530211ce92a28793bd49577ce3bf519ffbe910b0071cb21925898497cb5cbf70121c68bfcdbfa4460c63a14203ac
diff --git a/net-firewall/nftables/files/nftables-1.1.0-revert-firewalld-breaking-change.patch b/net-firewall/nftables/files/nftables-1.1.0-revert-firewalld-breaking-change.patch
deleted file mode 100644
index 0cc23d61fb8f..000000000000
--- a/net-firewall/nftables/files/nftables-1.1.0-revert-firewalld-breaking-change.patch
+++ /dev/null
@@ -1,63 +0,0 @@ -https://git.netfilter.org/nftables/commit/?id=93560d0117639c8685fc287128ab06dec9950fbd -https://github.com/firewalld/firewalld/issues/1366 -https://lore.kernel.org/netfilter-devel/Zp7FqL_YK3p_dQ8B@egarver-mac/ - -From 93560d0117639c8685fc287128ab06dec9950fbd Mon Sep 17 00:00:00 2001 -From: Pablo Neira Ayuso <[email protected]> -Date: Wed, 24 Jul 2024 09:38:33 +0200 -Subject: Revert "cache: recycle existing cache with incremental updates" - -This reverts commit e791dbe109b6dd891a63a4236df5dc29d7a4b863. - -Eric Garver reported two issues: - -- index with rule breaks, because NFT_CACHE_REFRESH is missing. -- simple set updates. - -Moreover, the current process could populate the cache with objects for -listing commands (no generation ID is bumped), while another process -could update the ruleset. Leading to a inconsistent cache due to the -genid + 1 check. - -This optimization needs more work and more tests for -i/--interactive, -revert it. - -Signed-off-by: Pablo Neira Ayuso <[email protected]> ---- a/src/cache.c -+++ b/src/cache.c -@@ -1184,21 +1184,9 @@ static bool nft_cache_needs_refresh(struct nft_cache *cache, unsigned int flags) - (flags & NFT_CACHE_REFRESH); - } - --static bool nft_cache_is_updated(struct nft_cache *cache, unsigned int flags, -- uint16_t genid) -+static bool nft_cache_is_updated(struct nft_cache *cache, uint16_t genid) - { -- if (!genid) -- return false; -- -- if (genid == cache->genid) -- return true; -- -- if (genid == cache->genid + 1) { -- cache->genid++; -- return true; -- } -- -- return false; -+ return genid && genid == cache->genid; - } - - bool nft_cache_needs_update(struct nft_cache *cache) -@@ -1223,7 +1211,7 @@ replay: - genid = mnl_genid_get(&ctx); - if (!nft_cache_needs_refresh(cache, flags) && - nft_cache_is_complete(cache, flags) && -- nft_cache_is_updated(cache, flags, genid)) -+ nft_cache_is_updated(cache, genid)) - return 0; - - if (cache->genid) --- -cgit v1.2.3 - 
diff --git a/net-firewall/nftables/nftables-1.0.9.ebuild b/net-firewall/nftables/nftables-1.0.9.ebuild
deleted file mode 100644
index f042bec930bc..000000000000
--- a/net-firewall/nftables/nftables-1.0.9.ebuild
+++ /dev/null
@@ -1,226 +0,0 @@ -# Copyright 1999-2024 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=8 - -DISTUTILS_OPTIONAL=1 -DISTUTILS_USE_PEP517=setuptools -PYTHON_COMPAT=( python3_{10..12} ) -VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/netfilter.org.asc -inherit edo linux-info distutils-r1 systemd verify-sig - -DESCRIPTION="Linux kernel firewall, NAT and packet mangling tools" -HOMEPAGE="https://netfilter.org/projects/nftables/" - -if [[ ${PV} =~ ^[9]{4,}$ ]]; then - inherit autotools git-r3 - EGIT_REPO_URI="https://git.netfilter.org/${PN}" - BDEPEND="app-alternatives/yacc" -else - SRC_URI=" - https://netfilter.org/projects/nftables/files/${P}.tar.xz - verify-sig? ( https://netfilter.org/projects/nftables/files/${P}.tar.xz.sig ) - " - KEYWORDS="amd64 arm arm64 hppa ~loong ~mips ppc ppc64 ~riscv sparc x86" - BDEPEND="verify-sig? ( sec-keys/openpgp-keys-netfilter )" -fi - -# See COPYING: new code is GPL-2+, existing code is GPL-2 -LICENSE="GPL-2 GPL-2+" -SLOT="0/1" -IUSE="debug doc +gmp json libedit python +readline static-libs test xtables" -RESTRICT="!test? ( test )" - -RDEPEND=" - >=net-libs/libmnl-1.0.4:= - >=net-libs/libnftnl-1.2.6:= - gmp? ( dev-libs/gmp:= ) - json? ( dev-libs/jansson:= ) - python? ( ${PYTHON_DEPS} ) - readline? ( sys-libs/readline:= ) - xtables? ( >=net-firewall/iptables-1.6.1:= ) -" -DEPEND="${RDEPEND}" -BDEPEND+=" - app-alternatives/lex - virtual/pkgconfig - doc? ( - app-text/asciidoc - >=app-text/docbook2X-0.8.8-r4 - ) - python? ( ${DISTUTILS_DEPS} ) -" - -REQUIRED_USE=" - python? ( ${PYTHON_REQUIRED_USE} ) - libedit? 
( !readline ) -" - -src_prepare() { - default - - if [[ ${PV} =~ ^[9]{4,}$ ]] ; then - eautoreconf - fi - - if use python; then - pushd py >/dev/null || die - distutils-r1_src_prepare - popd >/dev/null || die - fi -} - -src_configure() { - local myeconfargs=( - --sbindir="${EPREFIX}"/sbin - $(use_enable debug) - $(use_enable doc man-doc) - $(use_with !gmp mini_gmp) - $(use_with json) - $(use_with libedit cli editline) - $(use_with readline cli readline) - $(use_enable static-libs static) - $(use_with xtables) - ) - - econf "${myeconfargs[@]}" - - if use python; then - pushd py >/dev/null || die - distutils-r1_src_configure - popd >/dev/null || die - fi -} - -src_compile() { - default - - if use python; then - pushd py >/dev/null || die - distutils-r1_src_compile - popd >/dev/null || die - fi -} - -src_test() { - emake check - - if [[ ${EUID} == 0 ]]; then - edo tests/shell/run-tests.sh -v - else - ewarn "Skipping shell tests (requires root)" - fi - - if use python; then - pushd tests/py >/dev/null || die - distutils-r1_src_test - popd >/dev/null || die - fi -} - -python_test() { - if [[ ${EUID} == 0 ]]; then - edo "${EPYTHON}" nft-test.py - else - ewarn "Skipping Python tests (requires root)" - fi -} - -src_install() { - default - - if ! use doc && [[ ! ${PV} =~ ^[9]{4,}$ ]]; then - pushd doc >/dev/null || die - doman *.? 
- popd >/dev/null || die - fi - - # Do it here instead of in src_prepare to avoid eautoreconf - # rmdir lets us catch if more files end up installed in /etc/nftables - dodir /usr/share/doc/${PF}/skels/ - mv "${ED}"/etc/nftables/osf "${ED}"/usr/share/doc/${PF}/skels/osf || die - rmdir "${ED}"/etc/nftables || die - - exeinto /usr/libexec/${PN} - newexe "${FILESDIR}"/libexec/${PN}-mk.sh ${PN}.sh - newconfd "${FILESDIR}"/${PN}-mk.confd ${PN} - newinitd "${FILESDIR}"/${PN}-mk.init-r1 ${PN} - keepdir /var/lib/nftables - - systemd_dounit "${FILESDIR}"/systemd/${PN}-restore.service - - if use python ; then - pushd py >/dev/null || die - distutils-r1_src_install - popd >/dev/null || die - fi - - find "${ED}" -type f -name "*.la" -delete || die -} - -pkg_preinst() { - local stderr - - # There's a history of regressions with nftables upgrades. Perform a - # safety check to help us spot them earlier. For the check to pass, the - # currently loaded ruleset, if any, must be successfully evaluated by - # the newly built instance of nft(8). - if [[ -n ${ROOT} ]] || [[ ! -d /sys/module/nftables ]] || [[ ! -x /sbin/nft ]]; then - # Either nftables isn't yet in use or nft(8) cannot be executed. - return - elif ! stderr=$(umask 177; /sbin/nft -t list ruleset 2>&1 >"${T}"/ruleset.nft); then - # Report errors induced by trying to list the ruleset but don't - # treat them as being fatal. - printf '%s\n' "${stderr}" >&2 - elif [[ ${stderr} == *"is managed by iptables-nft"* ]]; then - # Rulesets generated by iptables-nft are special in nature and - # will not always be printed in a way that constitutes a valid - # syntax for ntf(8). Ignore them. - return - elif set -- "${ED}"/usr/lib*/libnftables.so; ! LD_LIBRARY_PATH=${1%/*} "${ED}"/sbin/nft -c -f -- "${T}"/ruleset.nft; then - eerror "Your currently loaded ruleset cannot be parsed by the newly built instance of" - eerror "nft. This probably means that there is a regression introduced by v${PV}." 
- eerror "(To make the ebuild fail instead of warning, set NFTABLES_ABORT_ON_RELOAD_FAILURE=1.)" - if [[ -n ${NFTABLES_ABORT_ON_RELOAD_FAILURE} ]] ; then - die "Aborting because of failed nft reload!" - fi - fi -} - -pkg_postinst() { - local save_file - save_file="${EROOT}"/var/lib/nftables/rules-save - - # In order for the nftables-restore systemd service to start - # the save_file must exist. - if [[ ! -f "${save_file}" ]]; then - ( umask 177; touch "${save_file}" ) - elif [[ $(( "$( stat --printf '%05a' "${save_file}" )" & 07177 )) -ne 0 ]]; then - ewarn "Your system has dangerous permissions for ${save_file}" - ewarn "It is probably affected by bug #691326." - ewarn "You may need to fix the permissions of the file. To do so," - ewarn "you can run the command in the line below as root." - ewarn " 'chmod 600 \"${save_file}\"'" - fi - - if has_version 'sys-apps/systemd'; then - elog "If you wish to enable the firewall rules on boot (on systemd) you" - elog "will need to enable the nftables-restore service." - elog " 'systemctl enable ${PN}-restore.service'" - elog - elog "If you are creating firewall rules before the next system restart" - elog "the nftables-restore service must be manually started in order to" - elog "save those rules on shutdown." - fi - - if has_version 'sys-apps/openrc'; then - elog "If you wish to enable the firewall rules on boot (on openrc) you" - elog "will need to enable the nftables service." - elog " 'rc-update add ${PN} default'" - elog - elog "If you are creating or updating the firewall rules and wish to save" - elog "them to be loaded on the next restart, use the \"save\" functionality" - elog "in the init script." - elog " 'rc-service ${PN} save'" - fi -} diff --git a/net-firewall/nftables/nftables-1.1.0-r1.ebuild b/net-firewall/nftables/nftables-1.1.0-r1.ebuild deleted file mode 100644 index 24ede801396a..000000000000 --- a/net-firewall/nftables/nftables-1.1.0-r1.ebuild +++ /dev/null 
@@ -1,232 +0,0 @@ -# Copyright 1999-2024 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=8 - -DISTUTILS_OPTIONAL=1 -DISTUTILS_USE_PEP517=setuptools -PYTHON_COMPAT=( python3_{10..13} ) -VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/netfilter.org.asc -inherit edo linux-info distutils-r1 systemd verify-sig - -DESCRIPTION="Linux kernel firewall, NAT and packet mangling tools" -HOMEPAGE="https://netfilter.org/projects/nftables/" - -if [[ ${PV} =~ ^[9]{4,}$ ]]; then - inherit autotools git-r3 - EGIT_REPO_URI="https://git.netfilter.org/${PN}" - BDEPEND="app-alternatives/yacc" -else - SRC_URI=" - https://netfilter.org/projects/nftables/files/${P}.tar.xz - verify-sig? ( https://netfilter.org/projects/nftables/files/${P}.tar.xz.sig ) - " - KEYWORDS="amd64 arm arm64 hppa ~loong ~mips ppc ppc64 ~riscv sparc x86" - BDEPEND="verify-sig? ( sec-keys/openpgp-keys-netfilter )" -fi - -# See COPYING: new code is GPL-2+, existing code is GPL-2 -LICENSE="GPL-2 GPL-2+" -SLOT="0/1" -IUSE="debug doc +gmp json libedit python +readline static-libs test xtables" -RESTRICT="!test? ( test )" - -RDEPEND=" - >=net-libs/libmnl-1.0.4:= - >=net-libs/libnftnl-1.2.7:= - gmp? ( dev-libs/gmp:= ) - json? ( dev-libs/jansson:= ) - python? ( ${PYTHON_DEPS} ) - readline? ( sys-libs/readline:= ) - xtables? ( >=net-firewall/iptables-1.6.1:= ) -" -DEPEND="${RDEPEND}" -BDEPEND+=" - app-alternatives/lex - virtual/pkgconfig - doc? ( - app-text/asciidoc - >=app-text/docbook2X-0.8.8-r4 - ) - python? ( ${DISTUTILS_DEPS} ) -" - -REQUIRED_USE=" - python? ( ${PYTHON_REQUIRED_USE} ) - libedit? 
( !readline ) -" - -PATCHES=( - "${FILESDIR}"/nftables-1.1.0-revert-firewalld-breaking-change.patch -) - -src_prepare() { - default - - if [[ ${PV} =~ ^[9]{4,}$ ]] ; then - eautoreconf - fi - - if use python; then - pushd py >/dev/null || die - distutils-r1_src_prepare - popd >/dev/null || die - fi -} - -src_configure() { - local myeconfargs=( - --sbindir="${EPREFIX}"/sbin - $(use_enable debug) - $(use_enable doc man-doc) - $(use_with !gmp mini_gmp) - $(use_with json) - $(use_with libedit cli editline) - $(use_with readline cli readline) - $(use_enable static-libs static) - $(use_with xtables) - ) - - econf "${myeconfargs[@]}" - - if use python; then - pushd py >/dev/null || die - distutils-r1_src_configure - popd >/dev/null || die - fi -} - -src_compile() { - default - - if use python; then - pushd py >/dev/null || die - distutils-r1_src_compile - popd >/dev/null || die - fi -} - -src_test() { - emake check - - if [[ ${EUID} == 0 ]]; then - edo tests/shell/run-tests.sh -v - else - ewarn "Skipping shell tests (requires root)" - fi - - if use python; then - pushd tests/py >/dev/null || die - distutils-r1_src_test - popd >/dev/null || die - fi -} - -python_test() { - if [[ ${EUID} == 0 ]]; then - edo "${EPYTHON}" nft-test.py - else - ewarn "Skipping Python tests (requires root)" - fi -} - -src_install() { - default - - if ! use doc && [[ ! ${PV} =~ ^[9]{4,}$ ]]; then - pushd doc >/dev/null || die - doman *.? 
- popd >/dev/null || die - fi - - # Do it here instead of in src_prepare to avoid eautoreconf - # rmdir lets us catch if more files end up installed in /etc/nftables - dodir /usr/share/doc/${PF}/skels/ - mv "${ED}"/etc/nftables/osf "${ED}"/usr/share/doc/${PF}/skels/osf || die - rmdir "${ED}"/etc/nftables || die - - exeinto /usr/libexec/${PN} - newexe "${FILESDIR}"/libexec/${PN}-mk.sh ${PN}.sh - newconfd "${FILESDIR}"/${PN}-mk.confd ${PN} - newinitd "${FILESDIR}"/${PN}-mk.init-r1 ${PN} - keepdir /var/lib/nftables - - systemd_dounit "${FILESDIR}"/systemd/${PN}-restore.service - - if use python ; then - pushd py >/dev/null || die - distutils-r1_src_install - popd >/dev/null || die - fi - - find "${ED}" -type f -name "*.la" -delete || die -} - -pkg_preinst() { - local stderr - - # There's a history of regressions with nftables upgrades. Perform a - # safety check to help us spot them earlier. For the check to pass, the - # currently loaded ruleset, if any, must be successfully evaluated by - # the newly built instance of nft(8). - if [[ -n ${ROOT} ]] || [[ ! -d /sys/module/nftables ]] || [[ ! -x /sbin/nft ]]; then - # Either nftables isn't yet in use or nft(8) cannot be executed. - return - elif ! stderr=$(umask 177; /sbin/nft -t list ruleset 2>&1 >"${T}"/ruleset.nft); then - # Report errors induced by trying to list the ruleset but don't - # treat them as being fatal. - printf '%s\n' "${stderr}" >&2 - elif [[ ${stderr} == *"is managed by iptables-nft"* ]]; then - # Rulesets generated by iptables-nft are special in nature and - # will not always be printed in a way that constitutes a valid - # syntax for ntf(8). Ignore them. - return - elif set -- "${ED}"/usr/lib*/libnftables.so; - ! LD_LIBRARY_PATH=${1%/*} "${ED}"/sbin/nft -c -f -- "${T}"/ruleset.nft - then - eerror "Your currently loaded ruleset cannot be parsed by the newly built instance of" - eerror "nft. This probably means that there is a regression introduced by v${PV}." 
- eerror "(To make the ebuild fail instead of warning, set NFTABLES_ABORT_ON_RELOAD_FAILURE=1.)" - if [[ -n ${NFTABLES_ABORT_ON_RELOAD_FAILURE} ]] ; then - die "Aborting because of failed nft reload!" - fi - fi -} - -pkg_postinst() { - local save_file - save_file="${EROOT}"/var/lib/nftables/rules-save - - # In order for the nftables-restore systemd service to start - # the save_file must exist. - if [[ ! -f "${save_file}" ]]; then - ( umask 177; touch "${save_file}" ) - elif [[ $(( "$( stat --printf '%05a' "${save_file}" )" & 07177 )) -ne 0 ]]; then - ewarn "Your system has dangerous permissions for ${save_file}" - ewarn "It is probably affected by bug #691326." - ewarn "You may need to fix the permissions of the file. To do so," - ewarn "you can run the command in the line below as root." - ewarn " 'chmod 600 \"${save_file}\"'" - fi - - if has_version 'sys-apps/systemd'; then - elog "If you wish to enable the firewall rules on boot (on systemd) you" - elog "will need to enable the nftables-restore service." - elog " 'systemctl enable ${PN}-restore.service'" - elog - elog "If you are creating firewall rules before the next system restart" - elog "the nftables-restore service must be manually started in order to" - elog "save those rules on shutdown." - fi - - if has_version 'sys-apps/openrc'; then - elog "If you wish to enable the firewall rules on boot (on openrc) you" - elog "will need to enable the nftables service." - elog " 'rc-update add ${PN} default'" - elog - elog "If you are creating or updating the firewall rules and wish to save" - elog "them to be loaded on the next restart, use the \"save\" functionality" - elog "in the init script." - elog " 'rc-service ${PN} save'" - fi -}
