authorAnthony G. Basile <blueness@gentoo.org>2015-06-11 18:16:08 -0400
committerAnthony G. Basile <blueness@gentoo.org>2015-06-11 18:16:08 -0400
commit8eddda8072add075ebf56cf6d288bc1450d6b5f8 (patch)
tree373e2d36142a298a821f6643c097007aa38aa29f /net-firewall
Initial migration from hardened-dev::musl
Diffstat (limited to 'net-firewall')
-rw-r--r--net-firewall/iptables/Manifest16
-rw-r--r--net-firewall/iptables/files/ip6tables-1.4.13.confd19
-rw-r--r--net-firewall/iptables/files/iptables-1.4.13-r1.init130
-rw-r--r--net-firewall/iptables/files/iptables-1.4.13.confd19
-rw-r--r--net-firewall/iptables/files/iptables-1.4.20-musl.patch304
-rw-r--r--net-firewall/iptables/files/iptables-1.4.21-musl.patch136
-rw-r--r--net-firewall/iptables/files/systemd/ip6tables-restore.service14
-rw-r--r--net-firewall/iptables/files/systemd/ip6tables-store.service11
-rw-r--r--net-firewall/iptables/files/systemd/ip6tables.service6
-rw-r--r--net-firewall/iptables/files/systemd/iptables-restore.service14
-rw-r--r--net-firewall/iptables/files/systemd/iptables-store.service11
-rw-r--r--net-firewall/iptables/files/systemd/iptables.service6
-rw-r--r--net-firewall/iptables/iptables-1.4.20-r99.ebuild93
-rw-r--r--net-firewall/iptables/iptables-1.4.21-r99.ebuild94
-rw-r--r--net-firewall/iptables/metadata.xml23
15 files changed, 896 insertions, 0 deletions
diff --git a/net-firewall/iptables/Manifest b/net-firewall/iptables/Manifest
new file mode 100644
index 00000000..90d0bb2b
--- /dev/null
+++ b/net-firewall/iptables/Manifest
@@ -0,0 +1,16 @@
+AUX ip6tables-1.4.13.confd 690 SHA256 2938fe4206514d9868047bd8f888a699fa2097ca69edab176453436d4259abaa SHA512 8de9a5de4061bef217fbc07577688a8110f1116af7f3b936dfd18100a6a7a47ec6e70c456b24cf3432fb4f2034b741a487fe6af8d9740f174d51c6eb16945c6e WHIRLPOOL f2f4903812b5b97d5bdf9cb28f0bcb6f8c866f197b46a9128530721a8d9db1cdcedffe2512c9235391a67f494c2daf1266d7bc8a6185949756437221c3861a10
+AUX iptables-1.4.13-r1.init 2891 SHA256 13047698e03079b754957e1e548ce7505dfb2c73c9a31f87e061140603ab0e44 SHA512 c35d4fc3d08e6fe3c567a5fe4b8dc0679c87c01c5d90e9a08b68039e4e846043a1f1ae47bc37bc718af761b9287394e8edfa3681d5ae23d666fc9de60a8c8302 WHIRLPOOL 7007ab6e5524b7d1e6e3c17ed0a7c40c6e7034510ecad2e442a2863a819a72f5f1cda58c5b6ad331b36c6c5c40980f344364593246d46cf95c1527a24115b829
+AUX iptables-1.4.13.confd 687 SHA256 7e2341211ca14997b7a8a1f930f94db855291af597c568f680f80031c20d45b6 SHA512 bd67d53e997ea65755148ba071fe6e3856d6e604b9167c666900721bc3dc24f63d395bc33a1a34ae50f95e72760da630db1a8d35afc81ec5973e60ba5343dc70 WHIRLPOOL 111b809b3122b04cce8ac0e551cfcdec7fde1ad563e1001bbbb3dbb4cae0ddf13851ece1024e13fb26aab2fe306dfc4fd9e59ab5a10127b301bc7a65ec20486b
+AUX iptables-1.4.20-musl.patch 9543 SHA256 b245f263a7cd3807389fada98e1ff12c3b9b0359e77c5660841dbd6c6bc4c3cd SHA512 84c7401d89ef048f6221c55dfee0d6971938d4575c8ddd00e5fd03ed39cc277f7d5074b3b20313535389f321a2ef8cdfa12313a5481f8c49a89a4ca26deaf54a WHIRLPOOL 2b95fc4ede005f819676d3d3abe96f6f23881657b5da36d8cc73fb09cbdc93de8e77da8dc17c7669ddb0e0d86b4e3c0e036d9e8a8a65235b50b3cd1b2266c977
+AUX iptables-1.4.21-musl.patch 3947 SHA256 1d5fbdcb4752c480a4198a0188b067352fdd6b99a221de18ab8a106a5b115ee0 SHA512 6fc3c0c29da8f767892b1022e659f341c2ff97bc83a70b4b19fffe3b7385cd4879fe53e9630a6ec9f9449f3b5b20d34a060c4af0c5f186829069da0d075c9dfe WHIRLPOOL f6fe339c790fdfd5de544cc0791b775df2a2c486b7c4b2092ee2cd400874ddb53677abcd5c74022c2dc7079e919890e7da6d481a240b5396bd38162681ce7f54
+AUX systemd/ip6tables-restore.service 395 SHA256 679ba8327bf037e991ff07d8cf910009c67026b0faf8112d75c945b64f4b64de SHA512 e41f7bc55b2b58452b993ccb42014b5bc2701aeeef46eee845a2b016b334299ff4e6d11ba22f3aaff47195f1049dc7fd4be41a7055911420230107b1ee4c6ba3 WHIRLPOOL 232d90f8591358fe853c8c4b569b2825ba02ced59d390232a7f7fb535e3bfbbcb70972938506cbead5e6b57845310f5a91c1fd225898f185cffb96ba7d4d97f3
+AUX systemd/ip6tables-store.service 243 SHA256 ce93fc2ba81f7693877479ddc75cdec94627c302a140bd27ff30656fad78e72b SHA512 7cee224f91d4c8348606ba176d0d689749a59229958cfdf4e75451d77271363e7cff71dbb7e30dbc4a5a837363a72d70d6960d2dfb218f3ad16456ae109cba10 WHIRLPOOL d84687a142843fa9cd930171e817652afb22b950214349ca156ba6da174312989973d17fed04cd129c18d4d6fbd5ad3124b9afa0d105d128333248c90fdb4ca6
+AUX systemd/ip6tables.service 133 SHA256 1b8d342ffdf471ef25e365dacf106e1899b438dad4bf9154cfad2d5217c3a019 SHA512 f871e694a8c666a59840c4c7ae1f355dc47f481501b3472601b65460c1d6e163a7e33f7a6c42a84ac33131ddb96170b316e83507a43f1ede54d61446f81950dc WHIRLPOOL 24140e7398cfa494210b8d3b773bdca5ee1abbbdb29c2921e84ff025848e26844b5c20fadefa9b961ce14564ce8daa9b8e9f197b7d7ec70c26bb6609b74b10d0
+AUX systemd/iptables-restore.service 391 SHA256 ace3b2085700bde96f0597e8c6f3b8524c28d4f9b6c924deb09b164a5b8e979c SHA512 222a088d487f8e5c199aec4a3619f8c8ee620ffca13c35fd3da8daf926db25fa5203226a6f4a2c426622d935ffd57c02ad4ff5edbca922f8168e29fc3e52c516 WHIRLPOOL 507cfef3650fcce3a17d56edfb39110d08397bbd96c88cb21c2cdb74c69b920142f0f68f71312ae7a6013057e0ab500546a0075806dd424fc85b9aebdb76b5f4
+AUX systemd/iptables-store.service 240 SHA256 14965fd0f3cd4285e77ea1e3d9975a818b0d64fb0026b925d8434896b2cbf839 SHA512 a720e92b5571a2c3427101105e95e555f3b72541a53c5daa43e361c99ca28830e9e8dd27dbd7cfed40fbbe289ed180f9be7e0f3b6b0cd19bba022a531815fd5e WHIRLPOOL e3a5b77b2c19ad8445a21cc9c8680c2d632d968483357221fac1c309275bd17aa25c05cf23188d5ae644d5b1266c64b3dd5fe8fbdec9f2a439a212c3d1c767db
+AUX systemd/iptables.service 130 SHA256 c404c54c98521817aca75b96774a24684e0c7ed2fc8de2ced78f4ae4d8a6b99d SHA512 87114ccc7eb079d1ed43d77be35cf4c91702ca960883a4bbca5dfcf74aa6f086e44f4a4251441ac3a277c93eb10e7482157caf2d62bbf2a7f5327947ede25bef WHIRLPOOL 844296866dfe2fe6b1207c99d2f938f4c87a37592e95576f9504fe056fe82fc29878b9aa1a204fa31d6711fbe7ba5cd48f7a639e4839bbe366e6220246a0d3c3
+DIST iptables-1.4.20.tar.bz2 546864 SHA256 109b8c7ca90b4536bc5de869ae705f6d5efcc0c08ef3003755aad3ed6d2d49ad SHA512 6c8e1d89db66c0cfd76afd7fa7de8a7d451337f6f15f01d811585714f6d488275621ca9a1f4967a2ae99e90f3890cf0e3c7f7a9a3a98fda902b0a56717d7ffe0 WHIRLPOOL 8146d632ec00c663988d4e82e3adfa8b9fa2df269df2e6cc359dae65727e59f4ef614540eb4f970d020eac558d7423731a88246f9df1265718346ca62e59a8e7
+DIST iptables-1.4.21.tar.bz2 547439 SHA256 52004c68021da9a599feed27f65defcfb22128f7da2c0531c0f75de0f479d3e0 SHA512 dd4baccdb080284d8620e6ed59beafc2677813f3e099051764b07f8e394f6d94ca11861b181f3cce7c55c66de64c1e2add13dc1a0b64e24050cd9fb7aea0689b WHIRLPOOL 475541d1b2b7fe4ee8fa3b537274ef082aab8bfd262201ee14cd53577dfac6f591445cc6d64ed93b226a4b71d54ae1b9ab4cbb378b5440861a585f770f0db200
+EBUILD iptables-1.4.20-r99.ebuild 2351 SHA256 cc58a460821612291fc4040a71d1c6c69b36e315a6c7fa42447009a1c440f208 SHA512 9839e8fd6c7d29ff014dc9f71fb8f85d4c2378384bb9ebb1283dfd03c593bdc968262f7f5f389649407a3596dd7c699c5d0f226a5df84acd81bca85f28dd5f5d WHIRLPOOL 94d8c4a2d94ad72fbb1cbd822494526ae5c5520e6e2fa9500c04d116523ebc22b66c60a24ec18d9ccf138c833fd4eb3ef64a359ba3de074126b6d786a4293dae
+EBUILD iptables-1.4.21-r99.ebuild 2428 SHA256 106e7046e9977b4c69be158b04bb541ec4514b063b80308f860094b920eca726 SHA512 8c45d4c8d0c3ed6d813ba20d41a5a672f5b318b124015d30b5af0035587e96ccd9d62cfc680a097928df965653b1b6b620515153335109d936e0bca70a0a5646 WHIRLPOOL 3dfd8107fa7bb492e224e2966c40928d59ee728f7db5e663ba8fcae4e2f98e38a3f10c5c0582416d235f788b7d3108824fb10be0847b96960e7375d4b024cc17
+MISC metadata.xml 1069 SHA256 91c6679d742c254b368f9a18cb42a3d29f90a9b691dda61967152b629e2abaa2 SHA512 395b2b3b812cc99d31ea812ad2e42fe52e9fc3e5fcd17db18b95b1dba09495bb5124760308ba46a463b47cb089d587819600d5883a313314a865628fa00f6907 WHIRLPOOL 6e1e2717c19802d94f155c6841a0b7cef10ad38cd338e3e5ba8eab671b433c547fbe816a234f8e02ad1a0bfd6f69695ff643f3ca62a99a6d51be8108eb79e9ce
diff --git a/net-firewall/iptables/files/ip6tables-1.4.13.confd b/net-firewall/iptables/files/ip6tables-1.4.13.confd
new file mode 100644
index 00000000..3bb36989
--- /dev/null
+++ b/net-firewall/iptables/files/ip6tables-1.4.13.confd
@@ -0,0 +1,19 @@
+# /etc/conf.d/ip6tables
+
+# Location in which iptables initscript will save set rules on
+# service shutdown
+IP6TABLES_SAVE="/var/lib/ip6tables/rules-save"
+
+# Options to pass to iptables-save and iptables-restore
+SAVE_RESTORE_OPTIONS="-c"
+
+# Save state on stopping iptables
+SAVE_ON_STOP="yes"
+
+# If you need to log iptables messages as soon as iptables starts,
+# AND your logger does NOT depend on the network, then you may wish
+# to uncomment the next line.
+# If your logger depends on the network, and you uncomment this line
+# you will create an unresolvable circular dependency during startup.
+# After commenting or uncommenting this line, you must run 'rc-update -u'.
+#rc_use="logger"
diff --git a/net-firewall/iptables/files/iptables-1.4.13-r1.init b/net-firewall/iptables/files/iptables-1.4.13-r1.init
new file mode 100644
index 00000000..a63d0768
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-1.4.13-r1.init
@@ -0,0 +1,130 @@
+#!/sbin/runscript
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-firewall/iptables/files/iptables-1.4.13-r1.init,v 1.3 2013/04/27 17:29:09 vapier Exp $
+
+extra_commands="check save panic"
+extra_started_commands="reload"
+
+iptables_name=${SVCNAME}
+case ${iptables_name} in
+iptables|ip6tables) ;;
+*) iptables_name="iptables" ;;
+esac
+
+iptables_bin="/sbin/${iptables_name}"
+case ${iptables_name} in
+ iptables) iptables_proc="/proc/net/ip_tables_names"
+ iptables_save=${IPTABLES_SAVE};;
+ ip6tables) iptables_proc="/proc/net/ip6_tables_names"
+ iptables_save=${IP6TABLES_SAVE};;
+esac
+
+depend() {
+ need localmount #434774
+ before net
+}
+
+set_table_policy() {
+ local chains table=$1 policy=$2
+ case ${table} in
+ nat) chains="PREROUTING POSTROUTING OUTPUT";;
+ mangle) chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING";;
+ filter) chains="INPUT FORWARD OUTPUT";;
+ *) chains="";;
+ esac
+ local chain
+ for chain in ${chains} ; do
+ ${iptables_bin} -t ${table} -P ${chain} ${policy}
+ done
+}
+
+checkkernel() {
+ if [ ! -e ${iptables_proc} ] ; then
+ eerror "Your kernel lacks ${iptables_name} support, please load"
+ eerror "appropriate modules and try again."
+ return 1
+ fi
+ return 0
+}
+checkconfig() {
+ if [ ! -f ${iptables_save} ] ; then
+ eerror "Not starting ${iptables_name}. First create some rules then run:"
+ eerror "/etc/init.d/${iptables_name} save"
+ return 1
+ fi
+ return 0
+}
+
+start() {
+ checkconfig || return 1
+ ebegin "Loading ${iptables_name} state and starting firewall"
+ ${iptables_bin}-restore ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
+ eend $?
+}
+
+stop() {
+ if [ "${SAVE_ON_STOP}" = "yes" ] ; then
+ save || return 1
+ fi
+ checkkernel || return 1
+ ebegin "Stopping firewall"
+ local a
+ for a in $(cat ${iptables_proc}) ; do
+ set_table_policy $a ACCEPT
+
+ ${iptables_bin} -F -t $a
+ ${iptables_bin} -X -t $a
+ done
+ eend $?
+}
+
+reload() {
+ checkkernel || return 1
+ checkrules || return 1
+ ebegin "Flushing firewall"
+ local a
+ for a in $(cat ${iptables_proc}) ; do
+ ${iptables_bin} -F -t $a
+ ${iptables_bin} -X -t $a
+ done
+ eend $?
+
+ start
+}
+
+checkrules() {
+ ebegin "Checking rules"
+ ${iptables_bin}-restore --test ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
+ eend $?
+}
+
+check() {
+ # Short name for users of init.d script.
+ checkrules
+}
+
+save() {
+ ebegin "Saving ${iptables_name} state"
+ checkpath -q -d "$(dirname "${iptables_save}")"
+ checkpath -q -m 0600 -f "${iptables_save}"
+ ${iptables_bin}-save ${SAVE_RESTORE_OPTIONS} > "${iptables_save}"
+ eend $?
+}
+
+panic() {
+ checkkernel || return 1
+ if service_started ${iptables_name}; then
+ rc-service ${iptables_name} stop
+ fi
+
+ local a
+ ebegin "Dropping all packets"
+ for a in $(cat ${iptables_proc}) ; do
+ ${iptables_bin} -F -t $a
+ ${iptables_bin} -X -t $a
+
+ set_table_policy $a DROP
+ done
+ eend $?
+}
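Review bot: `reload()` and `panic()` both leave an interval in which the built-in chains are empty and only the chain policy already in place applies. In `reload()` the `-F`/`-X` loop runs before `start` invokes `${iptables_bin}-restore`, so with ACCEPT policies traffic passes unfiltered until the restore commits; with the shipped `SAVE_RESTORE_OPTIONS="-c"` the restore already replaces every table named in the save file, so the loop looks unnecessary for those tables and could be limited to tables absent from the file. In `panic()` the policy should be set before the flush, i.e. `set_table_policy $a DROP` ahead of `${iptables_bin} -F -t $a`. Separately, `[ ! -f ${iptables_save} ]` in `checkconfig` is unquoted, so an empty save path collapses the test to `[ ! -f ]`, which is false, and `checkconfig` reports success; `[ ! -f "${iptables_save}" ]` fails closed.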
diff --git a/net-firewall/iptables/files/iptables-1.4.13.confd b/net-firewall/iptables/files/iptables-1.4.13.confd
new file mode 100644
index 00000000..7225374c
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-1.4.13.confd
@@ -0,0 +1,19 @@
+# /etc/conf.d/iptables
+
+# Location in which iptables initscript will save set rules on
+# service shutdown
+IPTABLES_SAVE="/var/lib/iptables/rules-save"
+
+# Options to pass to iptables-save and iptables-restore
+SAVE_RESTORE_OPTIONS="-c"
+
+# Save state on stopping iptables
+SAVE_ON_STOP="yes"
+
+# If you need to log iptables messages as soon as iptables starts,
+# AND your logger does NOT depend on the network, then you may wish
+# to uncomment the next line.
+# If your logger depends on the network, and you uncomment this line
+# you will create an unresolvable circular dependency during startup.
+# After commenting or uncommenting this line, you must run 'rc-update -u'.
+#rc_use="logger"
diff --git a/net-firewall/iptables/files/iptables-1.4.20-musl.patch b/net-firewall/iptables/files/iptables-1.4.20-musl.patch
new file mode 100644
index 00000000..cd5b1a72
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-1.4.20-musl.patch
@@ -0,0 +1,304 @@
+diff -ur a/iptables-1.4.20/extensions/libxt_conntrack.c b/iptables-1.4.20/extensions/libxt_conntrack.c
+--- a/iptables-1.4.20/extensions/libxt_conntrack.c
++++ b/iptables-1.4.20/extensions/libxt_conntrack.c
+@@ -786,7 +786,7 @@
+
+ static void
+ conntrack_dump_ports(const char *prefix, const char *opt,
+- u_int16_t port_low, u_int16_t port_high)
++ uint16_t port_low, uint16_t port_high)
+ {
+ if (port_high == 0 || port_low == port_high)
+ printf(" %s%s %u", prefix, opt, port_low);
+diff -ur a/iptables-1.4.20/include/libipq/libipq.h b/iptables-1.4.20/include/libipq/libipq.h
+--- a/iptables-1.4.20/include/libipq/libipq.h
++++ b/iptables-1.4.20/include/libipq/libipq.h
+@@ -48,19 +48,19 @@
+ struct ipq_handle
+ {
+ int fd;
+- u_int8_t blocking;
++ uint8_t blocking;
+ struct sockaddr_nl local;
+ struct sockaddr_nl peer;
+ };
+
+-struct ipq_handle *ipq_create_handle(u_int32_t flags, u_int32_t protocol);
++struct ipq_handle *ipq_create_handle(uint32_t flags, uint32_t protocol);
+
+ int ipq_destroy_handle(struct ipq_handle *h);
+
+ ssize_t ipq_read(const struct ipq_handle *h,
+ unsigned char *buf, size_t len, int timeout);
+
+-int ipq_set_mode(const struct ipq_handle *h, u_int8_t mode, size_t len);
++int ipq_set_mode(const struct ipq_handle *h, uint8_t mode, size_t len);
+
+ ipq_packet_msg_t *ipq_get_packet(const unsigned char *buf);
+
+diff -ur a/iptables-1.4.20/include/libiptc/ipt_kernel_headers.h b/iptables-1.4.20/include/libiptc/ipt_kernel_headers.h
+--- a/iptables-1.4.20/include/libiptc/ipt_kernel_headers.h
++++ b/iptables-1.4.20/include/libiptc/ipt_kernel_headers.h
+@@ -15,13 +15,12 @@
+ #include <sys/types.h>
+ #else /* libc5 */
+ #include <sys/socket.h>
+-#include <linux/ip.h>
+-#include <linux/in.h>
+-#include <linux/if.h>
++#include <netinet/ip.h>
++#include <netinet/in.h>
++#include <net/if.h>
+ #include <linux/icmp.h>
+ #include <linux/tcp.h>
+ #include <linux/udp.h>
+ #include <linux/types.h>
+-#include <linux/in6.h>
+ #endif
+ #endif
+diff -ur a/iptables-1.4.20/include/libiptc/libxtc.h b/iptables-1.4.20/include/libiptc/libxtc.h
+--- a/iptables-1.4.20/include/libiptc/libxtc.h
++++ b/iptables-1.4.20/include/libiptc/libxtc.h
+@@ -10,7 +10,7 @@
+ #endif
+
+ #ifndef XT_MIN_ALIGN
+-/* xt_entry has pointers and u_int64_t's in it, so if you align to
++/* xt_entry has pointers and uint64_t's in it, so if you align to
+ it, you'll also align to any crazy matches and targets someone
+ might write */
+ #define XT_MIN_ALIGN (__alignof__(struct xt_entry))
+diff -ur a/iptables-1.4.20/include/libipulog/libipulog.h b/iptables-1.4.20/include/libipulog/libipulog.h
+--- a/iptables-1.4.20/include/libipulog/libipulog.h 2013-08-06 15:48:43.000000000 +0000
++++ b/iptables-1.4.20/include/libipulog/libipulog.h 2014-02-09 09:32:45.058650377 +0000
+@@ -21,9 +21,9 @@
+
+ struct ipulog_handle;
+
+-u_int32_t ipulog_group2gmask(u_int32_t group);
++uint32_t ipulog_group2gmask(uint32_t group);
+
+-struct ipulog_handle *ipulog_create_handle(u_int32_t gmask);
++struct ipulog_handle *ipulog_create_handle(uint32_t gmask);
+
+ void ipulog_destroy_handle(struct ipulog_handle *h);
+
+diff -ur a/iptables-1.4.20/include/linux/netfilter_ipv4/ip_tables.h b/iptables-1.4.20/include/linux/netfilter_ipv4/ip_tables.h
+--- a/iptables-1.4.20/include/linux/netfilter_ipv4/ip_tables.h
++++ b/iptables-1.4.20/include/linux/netfilter_ipv4/ip_tables.h
+@@ -15,6 +15,7 @@
+ #ifndef _IPTABLES_H
+ #define _IPTABLES_H
+
++#include <stdint.h>
+ #include <linux/types.h>
+
+ #include <linux/netfilter_ipv4.h>
+@@ -73,12 +74,12 @@
+ unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];
+
+ /* Protocol, 0 = ANY */
+- u_int16_t proto;
++ uint16_t proto;
+
+ /* Flags word */
+- u_int8_t flags;
++ uint8_t flags;
+ /* Inverse flags */
+- u_int8_t invflags;
++ uint8_t invflags;
+ };
+
+ /* Values for "flag" field in struct ipt_ip (general ip structure). */
+@@ -106,9 +107,9 @@
+ unsigned int nfcache;
+
+ /* Size of ipt_entry + matches */
+- u_int16_t target_offset;
++ uint16_t target_offset;
+ /* Size of ipt_entry + matches + target */
+- u_int16_t next_offset;
++ uint16_t next_offset;
+
+ /* Back pointer */
+ unsigned int comefrom;
+@@ -125,7 +126,7 @@
+ * Unlike BSD Linux inherits IP options so you don't have to use a raw
+ * socket for this. Instead we check rights in the calls.
+ *
+- * ATTENTION: check linux/in.h before adding new number here.
++ * ATTENTION: check netinet/in.h before adding new number here.
+ */
+ #define IPT_BASE_CTL 64
+
+@@ -141,9 +142,9 @@
+
+ /* ICMP matching stuff */
+ struct ipt_icmp {
+- u_int8_t type; /* type to match */
+- u_int8_t code[2]; /* range of code */
+- u_int8_t invflags; /* Inverse flags */
++ uint8_t type; /* type to match */
++ uint8_t code[2]; /* range of code */
++ uint8_t invflags; /* Inverse flags */
+ };
+
+ /* Values for "inv" field for struct ipt_icmp. */
+diff -ur a/iptables-1.4.20/include/linux/netfilter_ipv6/ip6_tables.h b/iptables-1.4.20/include/linux/netfilter_ipv6/ip6_tables.h
+--- a/iptables-1.4.20/include/linux/netfilter_ipv6/ip6_tables.h
++++ b/iptables-1.4.20/include/linux/netfilter_ipv6/ip6_tables.h
+@@ -73,14 +73,14 @@
+ * MH do not match any packets.
+ * - You also need to set IP6T_FLAGS_PROTO to "flags" to check protocol.
+ */
+- u_int16_t proto;
++ uint16_t proto;
+ /* TOS to match iff flags & IP6T_F_TOS */
+- u_int8_t tos;
++ uint8_t tos;
+
+ /* Flags word */
+- u_int8_t flags;
++ uint8_t flags;
+ /* Inverse flags */
+- u_int8_t invflags;
++ uint8_t invflags;
+ };
+
+ /* Values for "flag" field in struct ip6t_ip6 (general ip6 structure). */
+@@ -110,9 +110,9 @@
+ unsigned int nfcache;
+
+ /* Size of ipt_entry + matches */
+- u_int16_t target_offset;
++ uint16_t target_offset;
+ /* Size of ipt_entry + matches + target */
+- u_int16_t next_offset;
++ uint16_t next_offset;
+
+ /* Back pointer */
+ unsigned int comefrom;
+@@ -162,7 +162,6 @@
+ * Unlike BSD Linux inherits IP options so you don't have to use
+ * a raw socket for this. Instead we check rights in the calls.
+ *
+- * ATTENTION: check linux/in6.h before adding new number here.
+ */
+ #define IP6T_BASE_CTL 64
+
+@@ -178,9 +177,9 @@
+
+ /* ICMP matching stuff */
+ struct ip6t_icmp {
+- u_int8_t type; /* type to match */
+- u_int8_t code[2]; /* range of code */
+- u_int8_t invflags; /* Inverse flags */
++ uint8_t type; /* type to match */
++ uint8_t code[2]; /* range of code */
++ uint8_t invflags; /* Inverse flags */
+ };
+
+ /* Values for "inv" field for struct ipt_icmp. */
+diff -ur a/iptables-1.4.20/include/linux/netfilter_ipv6/ip6t_rt.h b/iptables-1.4.20/include/linux/netfilter_ipv6/ip6t_rt.h
+--- a/iptables-1.4.20/include/linux/netfilter_ipv6/ip6t_rt.h
++++ b/iptables-1.4.20/include/linux/netfilter_ipv6/ip6t_rt.h
+@@ -2,7 +2,6 @@
+ #define _IP6T_RT_H
+
+ #include <linux/types.h>
+-/*#include <linux/in6.h>*/
+
+ #define IP6T_RT_HOPS 16
+
+diff -ur a/iptables-1.4.20/include/xtables.h b/iptables-1.4.20/include/xtables.h
+--- a/iptables-1.4.20/include/xtables.h
++++ b/iptables-1.4.20/include/xtables.h
+@@ -220,12 +220,12 @@
+ const char *real_name;
+
+ /* Revision of match (0 by default). */
+- u_int8_t revision;
++ uint8_t revision;
+
+ /* Extension flags */
+- u_int8_t ext_flags;
++ uint8_t ext_flags;
+
+- u_int16_t family;
++ uint16_t family;
+
+ /* Size of match data. */
+ size_t size;
+@@ -297,12 +297,12 @@
+ const char *real_name;
+
+ /* Revision of target (0 by default). */
+- u_int8_t revision;
++ uint8_t revision;
+
+ /* Extension flags */
+- u_int8_t ext_flags;
++ uint8_t ext_flags;
+
+- u_int16_t family;
++ uint16_t family;
+
+
+ /* Size of target data. */
+@@ -373,7 +373,7 @@
+ */
+ struct xtables_pprot {
+ const char *name;
+- u_int8_t num;
++ uint8_t num;
+ };
+
+ enum xtables_tryload {
+@@ -446,12 +446,12 @@
+ extern bool xtables_strtoui(const char *, char **, unsigned int *,
+ unsigned int, unsigned int);
+ extern int xtables_service_to_port(const char *name, const char *proto);
+-extern u_int16_t xtables_parse_port(const char *port, const char *proto);
++extern uint16_t xtables_parse_port(const char *port, const char *proto);
+ extern void
+ xtables_parse_interface(const char *arg, char *vianame, unsigned char *mask);
+
+ /* this is a special 64bit data type that is 8-byte aligned */
+-#define aligned_u64 u_int64_t __attribute__((aligned(8)))
++#define aligned_u64 uint64_t __attribute__((aligned(8)))
+
+ extern struct xtables_globals *xt_params;
+ #define xtables_error (xt_params->exit_err)
+@@ -514,7 +514,7 @@
+ #endif
+
+ extern const struct xtables_pprot xtables_chain_protos[];
+-extern u_int16_t xtables_parse_protocol(const char *s);
++extern uint16_t xtables_parse_protocol(const char *s);
+
+ /* kernel revision handling */
+ extern int kernel_version;
+diff -ur a/iptables-1.4.20/libipq/ipq_create_handle.3 b/iptables-1.4.20/libipq/ipq_create_handle.3
+--- a/iptables-1.4.20/libipq/ipq_create_handle.3
++++ b/iptables-1.4.20/libipq/ipq_create_handle.3
+@@ -24,7 +24,7 @@
+ .br
+ .B #include <libipq.h>
+ .sp
+-.BI "struct ipq_handle *ipq_create_handle(u_int32_t " flags ", u_int32_t " protocol ");"
++.BI "struct ipq_handle *ipq_create_handle(uint32_t " flags ", uint32_t " protocol ");"
+ .br
+ .BI "int ipq_destroy_handle(struct ipq_handle *" h );
+ .SH DESCRIPTION
+diff -ur a/iptables-1.4.20/libipq/ipq_set_mode.3 b/iptables-1.4.20/libipq/ipq_set_mode.3
+--- a/iptables-1.4.20/libipq/ipq_set_mode.3
++++ b/iptables-1.4.20/libipq/ipq_set_mode.3
+@@ -24,7 +24,7 @@
+ .br
+ .B #include <libipq.h>
+ .sp
+-.BI "int ipq_set_mode(const struct ipq_handle *" h ", u_int8_t " mode ", size_t " range );
++.BI "int ipq_set_mode(const struct ipq_handle *" h ", uint8_t " mode ", size_t " range );
+ .SH DESCRIPTION
+ The
+ .B ipq_set_mode
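Review bot: Only `include/linux/netfilter_ipv4/ip_tables.h` gains `#include <stdint.h>` alongside the `u_int*_t` to `uint*_t` rename; `ip6_tables.h`, `libipq.h` and `libipulog.h` receive the same rename with no include added in the visible hunks. If those headers do not already pull in `<stdint.h>` through lines outside the hunks, they build only when the including file happens to have it first, so adding `#include <stdint.h>` to each renamed header would make them self-contained. The rewritten comment `ATTENTION: check netinet/in.h before adding new number here` reads like a mechanical substitution, and the matching line in `ip6_tables.h` is deleted rather than rewritten; it would help to confirm which header the warning is meant to point at and keep it in both files.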
diff --git a/net-firewall/iptables/files/iptables-1.4.21-musl.patch b/net-firewall/iptables/files/iptables-1.4.21-musl.patch
new file mode 100644
index 00000000..286ea875
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-1.4.21-musl.patch
@@ -0,0 +1,136 @@
+diff -ru a/iptables-1.4.21/extensions/libip6t_ipv6header.c b/iptables-1.4.21/extensions/libip6t_ipv6header.c
+--- a/iptables-1.4.21/extensions/libip6t_ipv6header.c
++++ b/iptables-1.4.21/extensions/libip6t_ipv6header.c
+@@ -10,6 +10,9 @@
+ #include <netdb.h>
+ #include <xtables.h>
+ #include <linux/netfilter_ipv6/ip6t_ipv6header.h>
++#ifndef IPPROTO_HOPOPTS
++# define IPPROTO_HOPOPTS 0
++#endif
+
+ enum {
+ O_HEADER = 0,
+diff -ru a/iptables-1.4.21/extensions/libxt_TCPOPTSTRIP.c b/iptables-1.4.21/extensions/libxt_TCPOPTSTRIP.c
+--- a/iptables-1.4.21/extensions/libxt_TCPOPTSTRIP.c
++++ b/iptables-1.4.21/extensions/libxt_TCPOPTSTRIP.c
+@@ -12,6 +12,21 @@
+ #ifndef TCPOPT_MD5SIG
+ # define TCPOPT_MD5SIG 19
+ #endif
++#ifndef TCPOPT_MAXSEG
++# define TCPOPT_MAXSEG 2
++#endif
++#ifndef TCPOPT_WINDOW
++# define TCPOPT_WINDOW 3
++#endif
++#ifndef TCPOPT_SACK_PERMITTED
++# define TCPOPT_SACK_PERMITTED 4
++#endif
++#ifndef TCPOPT_SACK
++# define TCPOPT_SACK 5
++#endif
++#ifndef TCPOPT_TIMESTAMP
++# define TCPOPT_TIMESTAMP 8
++#endif
+
+ enum {
+ O_STRIP_OPTION = 0,
+diff -ru a/iptables-1.4.21/include/libiptc/ipt_kernel_headers.h b/iptables-1.4.21/include/libiptc/ipt_kernel_headers.h
+--- a/iptables-1.4.21/include/libiptc/ipt_kernel_headers.h
++++ b/iptables-1.4.21/include/libiptc/ipt_kernel_headers.h
+@@ -5,7 +5,6 @@
+
+ #include <limits.h>
+
+-#if defined(__GLIBC__) && __GLIBC__ == 2
+ #include <netinet/ip.h>
+ #include <netinet/in.h>
+ #include <netinet/ip_icmp.h>
+@@ -13,15 +12,4 @@
+ #include <netinet/udp.h>
+ #include <net/if.h>
+ #include <sys/types.h>
+-#else /* libc5 */
+-#include <sys/socket.h>
+-#include <linux/ip.h>
+-#include <linux/in.h>
+-#include <linux/if.h>
+-#include <linux/icmp.h>
+-#include <linux/tcp.h>
+-#include <linux/udp.h>
+-#include <linux/types.h>
+-#include <linux/in6.h>
+-#endif
+ #endif
+diff -ru a/iptables-1.4.21/include/linux/netfilter_ipv4/ip_tables.h b/iptables-1.4.21/include/linux/netfilter_ipv4/ip_tables.h
+--- a/iptables-1.4.21/include/linux/netfilter_ipv4/ip_tables.h
++++ b/iptables-1.4.21/include/linux/netfilter_ipv4/ip_tables.h
+@@ -16,6 +16,7 @@
+ #define _IPTABLES_H
+
+ #include <linux/types.h>
++#include <sys/types.h>
+
+ #include <linux/netfilter_ipv4.h>
+
+diff -ru a/iptables-1.4.21/iptables/ip6tables-restore.c b/iptables-1.4.21/iptables/ip6tables-restore.c
+--- a/iptables-1.4.21/iptables/ip6tables-restore.c
++++ b/iptables-1.4.21/iptables/ip6tables-restore.c
+@@ -9,7 +9,7 @@
+ */
+
+ #include <getopt.h>
+-#include <sys/errno.h>
++#include <errno.h>
+ #include <stdbool.h>
+ #include <string.h>
+ #include <stdio.h>
+diff -ru a/iptables-1.4.21/iptables/ip6tables-save.c b/iptables-1.4.21/iptables/ip6tables-save.c
+--- a/iptables-1.4.21/iptables/ip6tables-save.c
++++ b/iptables-1.4.21/iptables/ip6tables-save.c
+@@ -6,7 +6,7 @@
+ * This code is distributed under the terms of GNU GPL v2
+ */
+ #include <getopt.h>
+-#include <sys/errno.h>
++#include <errno.h>
+ #include <stdio.h>
+ #include <fcntl.h>
+ #include <stdlib.h>
+diff -ru a/iptables-1.4.21/iptables/iptables-restore.c b/iptables-1.4.21/iptables/iptables-restore.c
+--- a/iptables-1.4.21/iptables/iptables-restore.c
++++ b/iptables-1.4.21/iptables/iptables-restore.c
+@@ -6,7 +6,7 @@
+ */
+
+ #include <getopt.h>
+-#include <sys/errno.h>
++#include <errno.h>
+ #include <stdbool.h>
+ #include <string.h>
+ #include <stdio.h>
+diff -ru a/iptables-1.4.21/iptables/iptables-save.c b/iptables-1.4.21/iptables/iptables-save.c
+--- a/iptables-1.4.21/iptables/iptables-save.c
++++ b/iptables-1.4.21/iptables/iptables-save.c
+@@ -6,7 +6,7 @@
+ *
+ */
+ #include <getopt.h>
+-#include <sys/errno.h>
++#include <errno.h>
+ #include <stdio.h>
+ #include <fcntl.h>
+ #include <stdlib.h>
+diff -ru a/iptables-1.4.21/iptables/iptables-xml.c b/iptables-1.4.21/iptables/iptables-xml.c
+--- a/iptables-1.4.21/iptables/iptables-xml.c
++++ b/iptables-1.4.21/iptables/iptables-xml.c
+@@ -7,7 +7,7 @@
+ */
+
+ #include <getopt.h>
+-#include <sys/errno.h>
++#include <errno.h>
+ #include <string.h>
+ #include <stdio.h>
+ #include <stdlib.h>
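Review bot: The fallback `#define`s added to `libip6t_ipv6header.c` and `libxt_TCPOPTSTRIP.c` carry no comment saying where the numbers come from or why the libc headers are presumed not to supply them. A line such as `/* fallbacks for libcs whose headers lack these; values are the assigned TCP option kinds */` above the `TCPOPT_MAXSEG` block, and a similar one for `IPPROTO_HOPOPTS`, would let a later reader check them against the protocol registries. In `ip_tables.h` this patch adds `#include <sys/types.h>` to keep the `u_int*_t` names, whereas the 1.4.20 patch in the same commit renames them to `uint*_t`; using one approach for both versions would be easier to maintain.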
diff --git a/net-firewall/iptables/files/systemd/ip6tables-restore.service b/net-firewall/iptables/files/systemd/ip6tables-restore.service
new file mode 100644
index 00000000..88415fa3
--- /dev/null
+++ b/net-firewall/iptables/files/systemd/ip6tables-restore.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Restore ip6tables firewall rules
+# if both are queued for some reason, don't store before restoring :)
+Before=ip6tables-store.service
+# sounds reasonable to have firewall up before any of the services go up
+Before=network.target
+Conflicts=shutdown.target
+
+[Service]
+Type=oneshot
+ExecStart=/sbin/ip6tables-restore /var/lib/ip6tables/rules-save
+
+[Install]
+WantedBy=basic.target
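Review bot: `Before=network.target` does not order the restore ahead of the services that configure interfaces, because those services are themselves ordered before network.target and have no ordering relative to this unit. systemd provides `network-pre.target` for firewall units, so `Before=network-pre.target` together with `Wants=network-pre.target` would close the window in which interfaces are up without rules loaded. `iptables-restore.service` later in this commit has the same ordering. The unit also says nothing about a missing or unparsable `/var/lib/ip6tables/rules-save`: the oneshot fails and boot appears to continue with no ruleset, which deserves at least a comment or an `OnFailure=` hook.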
diff --git a/net-firewall/iptables/files/systemd/ip6tables-store.service b/net-firewall/iptables/files/systemd/ip6tables-store.service
new file mode 100644
index 00000000..99753783
--- /dev/null
+++ b/net-firewall/iptables/files/systemd/ip6tables-store.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Store ip6tables firewall rules
+Before=shutdown.target
+DefaultDependencies=No
+
+[Service]
+Type=oneshot
+ExecStart=/bin/sh -c "/sbin/ip6tables-save --counters > /var/lib/ip6tables/rules-save"
+
+[Install]
+WantedBy=shutdown.target
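Review bot: The shell redirection in `ExecStart` creates `/var/lib/ip6tables/rules-save` under the service's default umask when the file does not yet exist, whereas the OpenRC script in this commit forces mode 0600 with `checkpath -q -m 0600 -f`; adding `UMask=0077` under `[Service]` keeps the saved ruleset from being world-readable. The redirect also truncates the file before `ip6tables-save` has produced any output, so a save that fails at shutdown leaves an empty or partial file for the next boot's restore; writing to a temporary file and renaming it on success avoids that. `iptables-store.service` has the same two issues.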
diff --git a/net-firewall/iptables/files/systemd/ip6tables.service b/net-firewall/iptables/files/systemd/ip6tables.service
new file mode 100644
index 00000000..0a6d7fa1
--- /dev/null
+++ b/net-firewall/iptables/files/systemd/ip6tables.service
@@ -0,0 +1,6 @@
+[Unit]
+Description=Store and restore ip6tables firewall rules
+
+[Install]
+Also=ip6tables-store.service
+Also=ip6tables-restore.service
diff --git a/net-firewall/iptables/files/systemd/iptables-restore.service b/net-firewall/iptables/files/systemd/iptables-restore.service
new file mode 100644
index 00000000..9d568d78
--- /dev/null
+++ b/net-firewall/iptables/files/systemd/iptables-restore.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Restore iptables firewall rules
+# if both are queued for some reason, don't store before restoring :)
+Before=iptables-store.service
+# sounds reasonable to have firewall up before any of the services go up
+Before=network.target
+Conflicts=shutdown.target
+
+[Service]
+Type=oneshot
+ExecStart=/sbin/iptables-restore /var/lib/iptables/rules-save
+
+[Install]
+WantedBy=basic.target
diff --git a/net-firewall/iptables/files/systemd/iptables-store.service b/net-firewall/iptables/files/systemd/iptables-store.service
new file mode 100644
index 00000000..aa16e75e
--- /dev/null
+++ b/net-firewall/iptables/files/systemd/iptables-store.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Store iptables firewall rules
+Before=shutdown.target
+DefaultDependencies=No
+
+[Service]
+Type=oneshot
+ExecStart=/bin/sh -c "/sbin/iptables-save --counters > /var/lib/iptables/rules-save"
+
+[Install]
+WantedBy=shutdown.target
diff --git a/net-firewall/iptables/files/systemd/iptables.service b/net-firewall/iptables/files/systemd/iptables.service
new file mode 100644
index 00000000..3643a3e3
--- /dev/null
+++ b/net-firewall/iptables/files/systemd/iptables.service
@@ -0,0 +1,6 @@
+[Unit]
+Description=Store and restore iptables firewall rules
+
+[Install]
+Also=iptables-store.service
+Also=iptables-restore.service
diff --git a/net-firewall/iptables/iptables-1.4.20-r99.ebuild b/net-firewall/iptables/iptables-1.4.20-r99.ebuild
new file mode 100644
index 00000000..287dec6c
--- /dev/null
+++ b/net-firewall/iptables/iptables-1.4.20-r99.ebuild
@@ -0,0 +1,93 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-firewall/iptables/iptables-1.4.20.ebuild,v 1.12 2014/01/18 19:48:53 ago Exp $
+
+EAPI="4"
+
+# Force users doing their own patches to install their own tools
+AUTOTOOLS_AUTO_DEPEND=no
+
+inherit eutils multilib toolchain-funcs autotools
+
+DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
+HOMEPAGE="http://www.netfilter.org/projects/iptables/"
+SRC_URI="http://www.netfilter.org/projects/iptables/files/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="amd64 arm ~mips ppc x86"
+IUSE="ipv6 netlink static-libs"
+
+RDEPEND="
+ netlink? ( net-libs/libnfnetlink )
+"
+DEPEND="${RDEPEND}
+ virtual/os-headers
+ virtual/pkgconfig
+"
+
+src_prepare() {
+ # use the saner headers from the kernel
+ rm -f include/linux/{kernel,types}.h
+
+ epatch ${FILESDIR}/${P}-musl.patch
+
+ # Remove problematic extensions
+ rm -f extensions/libxt_TCPOPTSTRIP.*
+ rm -f extensions/libxt_osf.*
+
+ # Only run autotools if user patched something
+ epatch_user && eautoreconf || elibtoolize
+}
+
+src_configure() {
+ # Some libs use $(AR) rather than libtool to build #444282
+ tc-export AR
+
+ sed -i \
+ -e "/nfnetlink=[01]/s:=[01]:=$(usex netlink 1 0):" \
+ configure || die
+
+ econf \
+ --sbindir="${EPREFIX}/sbin" \
+ --libexecdir="${EPREFIX}/$(get_libdir)" \
+ --enable-devel \
+ --enable-shared \
+ $(use_enable static-libs static) \
+ $(use_enable ipv6)
+}
+
+src_compile() {
+ emake V=1
+}
+
+src_install() {
+ default
+ dodoc INCOMPATIBILITIES iptables/iptables.xslt
+
+ # all the iptables binaries are in /sbin, so might as well
+ # put these small files in with them
+ into /
+ dosbin iptables/iptables-apply
+ dosym iptables-apply /sbin/ip6tables-apply
+ doman iptables/iptables-apply.8
+
+ insinto /usr/include
+ doins include/iptables.h $(use ipv6 && echo include/ip6tables.h)
+ insinto /usr/include/iptables
+ doins include/iptables/internal.h
+
+ keepdir /var/lib/iptables
+ newinitd "${FILESDIR}"/${PN}-1.4.13-r1.init iptables
+ newconfd "${FILESDIR}"/${PN}-1.4.13.confd iptables
+ if use ipv6 ; then
+ keepdir /var/lib/ip6tables
+ newinitd "${FILESDIR}"/iptables-1.4.13-r1.init ip6tables
+ newconfd "${FILESDIR}"/ip6tables-1.4.13.confd ip6tables
+ fi
+
+ # Move important libs to /lib
+ gen_usr_ldscript -a ip{4,6}tc iptc xtables
+
+ prune_libtool_files
+}
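Review bot: `SRC_URI` fetches the release tarball over plain `http://`, so the download is open to tampering in transit and its integrity rests entirely on the distfile digest recorded in the Manifest. Where the upstream host serves the same path over TLS, `SRC_URI="https://www.netfilter.org/projects/iptables/files/${P}.tar.bz2"` is preferable, and `HOMEPAGE` can follow. The iptables-1.4.21-r99.ebuild hunk has the same two lines.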
diff --git a/net-firewall/iptables/iptables-1.4.21-r99.ebuild b/net-firewall/iptables/iptables-1.4.21-r99.ebuild
new file mode 100644
index 00000000..6f5106d5
--- /dev/null
+++ b/net-firewall/iptables/iptables-1.4.21-r99.ebuild
@@ -0,0 +1,94 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-firewall/iptables/iptables-1.4.21-r1.ebuild,v 1.5 2014/06/14 11:52:14 zlogene Exp $
+
+EAPI="5"
+
+# Force users doing their own patches to install their own tools
+AUTOTOOLS_AUTO_DEPEND=no
+
+inherit eutils multilib systemd toolchain-funcs autotools
+
+DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
+HOMEPAGE="http://www.netfilter.org/projects/iptables/"
+SRC_URI="http://www.netfilter.org/projects/iptables/files/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="amd64 arm ~mips ppc x86"
+IUSE="ipv6 netlink static-libs"
+
+RDEPEND="
+ netlink? ( net-libs/libnfnetlink )
+"
+DEPEND="${RDEPEND}
+ virtual/os-headers
+ virtual/pkgconfig
+"
+
+src_prepare() {
+ # use the saner headers from the kernel
+ rm -f include/linux/{kernel,types}.h
+
+ epatch ${FILESDIR}/${P}-musl.patch
+
+ # Only run autotools if user patched something
+ epatch_user && eautoreconf || elibtoolize
+}
+
+src_configure() {
+ # Some libs use $(AR) rather than libtool to build #444282
+ tc-export AR
+
+ sed -i \
+ -e "/nfnetlink=[01]/s:=[01]:=$(usex netlink 1 0):" \
+ configure || die
+
+ econf \
+ --sbindir="${EPREFIX}/sbin" \
+ --libexecdir="${EPREFIX}/$(get_libdir)" \
+ --enable-devel \
+ --enable-shared \
+ $(use_enable static-libs static) \
+ $(use_enable ipv6)
+}
+
+src_compile() {
+ emake V=1
+}
+
+src_install() {
+ default
+ dodoc INCOMPATIBILITIES iptables/iptables.xslt
+
+ # all the iptables binaries are in /sbin, so might as well
+ # put these small files in with them
+ into /
+ dosbin iptables/iptables-apply
+ dosym iptables-apply /sbin/ip6tables-apply
+ doman iptables/iptables-apply.8
+
+ insinto /usr/include
+ doins include/iptables.h $(use ipv6 && echo include/ip6tables.h)
+ insinto /usr/include/iptables
+ doins include/iptables/internal.h
+
+ keepdir /var/lib/iptables
+ newinitd "${FILESDIR}"/${PN}-1.4.13-r1.init iptables
+ newconfd "${FILESDIR}"/${PN}-1.4.13.confd iptables
+ if use ipv6 ; then
+ keepdir /var/lib/ip6tables
+ newinitd "${FILESDIR}"/iptables-1.4.13-r1.init ip6tables
+ newconfd "${FILESDIR}"/ip6tables-1.4.13.confd ip6tables
+ fi
+
+ systemd_dounit "${FILESDIR}"/systemd/iptables{,-{re,}store}.service
+ if use ipv6 ; then
+ systemd_dounit "${FILESDIR}"/systemd/ip6tables{,-{re,}store}.service
+ fi
+
+ # Move important libs to /lib
+ gen_usr_ldscript -a ip{4,6}tc iptc xtables
+
+ prune_libtool_files
+}
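Review bot: `epatch ${FILESDIR}/${P}-musl.patch` in src_prepare leaves `${FILESDIR}` unquoted, while every other use in this file (`newinitd`, `newconfd`, `systemd_dounit`) quotes it. A repository path containing whitespace would split the argument. Write it as `epatch "${FILESDIR}"/${P}-musl.patch`. The same unquoted line is in src_prepare of the 1.4.20-r99 ebuild.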
diff --git a/net-firewall/iptables/metadata.xml b/net-firewall/iptables/metadata.xml
new file mode 100644
index 00000000..ed96e3dd
--- /dev/null
+++ b/net-firewall/iptables/metadata.xml
@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+<herd>base-system</herd>
+<use>
+ <flag name='netlink'>Build against libnfnetlink which enables the nfnl_osf util</flag>
+</use>
+<longdescription>
+ iptables is the userspace command line program used to set up, maintain, and
+ inspect the tables of IPv4 packet filter rules in the Linux kernel. It's a
+ part of packet filtering framework which allows the stateless and stateful
+ packet filtering, all kinds of network address and port translation, and is a
+ flexible and extensible infrastructure with multiple layers of API's for 3rd
+ party extensions. The iptables package also includes ip6tables. ip6tables is
+ used for configuring the IPv6 packet filter.
+
+ Note that some extensions (e.g. imq and l7filter) are not included into
+ official kernel sources so you have to patch the sources before installation.
+</longdescription>
+<upstream>
+ <remote-id type="cpe">cpe:/a:netfilter_core_team:iptables</remote-id>
+</upstream>
+</pkgmetadata>