author | Ian Whyman <thev00d00@gentoo.org> | 2012-10-14 19:06:39 +0000 |
---|---|---|
committer | Ian Whyman <thev00d00@gentoo.org> | 2012-10-14 19:06:39 +0000 |
commit | 01ac4ab4e7688c54d02983911a3b1822273405b8 (patch) | |
tree | cc06feb2901d1362dc0b26ac37f0b3de6d2a1135 /net-firewall | |
parent | Version bump wrt bug 411653. (diff) | |
Add conntrack support, by Sławomir Nizio
Package-Manager: portage-2.2.0_alpha137/cvs/Linux x86_64
Diffstat (limited to 'net-firewall')
-rw-r--r-- | net-firewall/ufw/ChangeLog | 10 | ||||
-rw-r--r-- | net-firewall/ufw/Manifest | 8 | ||||
-rw-r--r-- | net-firewall/ufw/files/ufw-0.31.1-conntrack.patch | 201 | ||||
-rw-r--r-- | net-firewall/ufw/files/ufw-0.33-conntrack.patch | 187 | ||||
-rw-r--r-- | net-firewall/ufw/ufw-0.31.1-r1.ebuild (renamed from net-firewall/ufw/ufw-0.31.1.ebuild) | 4 | ||||
-rw-r--r-- | net-firewall/ufw/ufw-0.33-r1.ebuild (renamed from net-firewall/ufw/ufw-0.33.ebuild) | 4 |
6 files changed, 408 insertions, 6 deletions
diff --git a/net-firewall/ufw/ChangeLog b/net-firewall/ufw/ChangeLog
index 9a3b83dc2299..c6da0a691488 100644
--- a/net-firewall/ufw/ChangeLog
+++ b/net-firewall/ufw/ChangeLog
@@ -1,6 +1,14 @@
 # ChangeLog for net-firewall/ufw
 # Copyright 1999-2012 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-firewall/ufw/ChangeLog,v 1.9 2012/09/24 12:18:04 thev00d00 Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-firewall/ufw/ChangeLog,v 1.10 2012/10/14 19:06:35 thev00d00 Exp $
+
+*ufw-0.33-r1 (14 Oct 2012)
+*ufw-0.31.1-r1 (14 Oct 2012)
+
+  14 Oct 2012; Ian Whyman <thev00d00@gentoo.org> -ufw-0.31.1.ebuild,
+  +ufw-0.31.1-r1.ebuild, +files/ufw-0.31.1-conntrack.patch, -ufw-0.33.ebuild,
+  +ufw-0.33-r1.ebuild, +files/ufw-0.33-conntrack.patch:
+  Add conntrack support, by Sławomir Nizio
 
 *ufw-0.33 (24 Sep 2012)
 
diff --git a/net-firewall/ufw/Manifest b/net-firewall/ufw/Manifest
index 3a243e523265..427d51efbfe7 100644
--- a/net-firewall/ufw/Manifest
+++ b/net-firewall/ufw/Manifest
@@ -1,15 +1,17 @@
 AUX rsyslog/ufw.logrotate 178 SHA256 02d1a00ca68446fbe056a4c3aede319f77b3262e26092cc04ea46de8923d03f8 SHA512 d381a34b23d8656c316af69c07d49042d6c4def4cea3e51367210bce20681376fd0259a95b6b9403171c5d80732927a8880f3d401e13e6f76b505324eecb146b WHIRLPOOL 10b63f8966ad7ad0894a18216a0102fc8a102b14c8f9fb468a4a8d61ae13b1ec3176c7bb9ffb852f8aaa4ac7874584a8f8f5a2d6e98fa3fb56f5945e9bd99139
 AUX syslog-ng/syslog-ng.example 381 SHA256 70a795c1b20e2cdef38565d74b9de042c6666f860a2fd1b3bdc6f31dd451bc68 SHA512 f48d2487679fe179ea216bb4259affbf5ab4c86725b45942581ada8dac24dd0c978f755182805ff5350ab169972fcee7bb54a6d14df760d4b5f62c485af1e49e WHIRLPOOL 44874c68257b6f9a53e7fd1affc6ccf2492d9ec09a4700a17239fb3e413e2dcf2ede87eafb1e253d965c27a1c5ead36c413c8c84ec3ed55f5cf2191b927aacbe
 AUX syslog-ng/ufw.logrotate 269 SHA256 cddd86613bde19b45f0f935c65bb43721f69aefc14e7d629612b23ea3b5c5c97 SHA512 22d89f04b68a8b4deeb60aca263239255dd01b9c6e6d23a5d77514daf7bb9dc3910a28cfe9c606f70d2a50f0365bb19c3cf00c5859ee2630c00f0df451ee9c5d WHIRLPOOL 5da4f8c615667d829ea4eb318ec01b712adf69002dcf8c3df7deba8fa3e49e426b1c00e468805ba571ed2f2ce05fa81b7e2ac83e7231de3f3305d6ce190264e5
+AUX ufw-0.31.1-conntrack.patch 9842 SHA256 e91af8e88c896fd2e05b4143f361a72bc8ae78c8ab0c5afb8a26ea416f7bb631 SHA512 c7fab58aec12f47a492e8ad94e2ffbb471daf6292b6c9272396754cc25a6d2a164f3c383fd7e933a0d624d55a5b4b7a385a1fd31ef74162b7e819284c25a4fd7 WHIRLPOOL 96aa69e0aad4df20b14231edda6434f95be144d302484ef71bec4b6d6d4518714a852d1844d5aa33eaa7845a70659ab42006881297eecc5237f7c93b3907af9b
 AUX ufw-0.31.1-move-path.patch 7071 SHA256 88a7b20696b731bac01b3c5d88b0353842b1228d3239cfebe1f2a47c1bdb6768 SHA512 66382ded35437e563c874dc01417a2735a2aa136a1e670fd3707c3311516a6d9a0e62a20679a4f5dcaa2edc0225535cf2410d7f86676b1e10eb309ecc3e24bc2 WHIRLPOOL 89e3165900def8380cade3eb62fc351be9e43c8055f4b71c356f3aa5356b0c57154e18485d94e0ca86462da7c55b1b4755de379a88f1958d313b93c0ec723715
 AUX ufw-0.31.1-python-abis.patch 1872 SHA256 1e3094135d71e7e7129b2d268d79c73990f0a6f61f2bb6456d3f3654b4975463 SHA512 fbe65a6775426c66cd82382e62eea3a2179d68a0b6c617cc468e7076e2f58493baffde686b65e6bf3a89ea7fdda48a5a42d152b1be388c943408532f47d4402a WHIRLPOOL 62e68d1ef8aaa4963765599ca6701af18bcdef8f6a20607ce433b5294baa9c5ba75b3d41266d9a8bd82febe3a3ac75c6fcb2326fbc5cafa31634ec96a4407b10
+AUX ufw-0.33-conntrack.patch 10055 SHA256 e034feba3bdeca0d4e9aed0555d88838e49804542174b988f9a7fbf8b8dc759d SHA512 7de6358ec0bf6696c4c26aab2729b9160e16ce44a67b5b634ad935fb4bf218b1b79d599f9d679f8f2a147861d865a098729fe3dbc0db110135bf5a78acfd6d53 WHIRLPOOL a3d543abf0ac1d6ca11a4754ab296c9e6f28809e8b746986524aa5d0e162f78d5a5abd586ff172618e8d79354c43429de3cc0b0e9a3d1bf91d662071c3cd2cfc
 AUX ufw-0.33-dont-check-iptables.patch 1659 SHA256 8a3ae20d399e83aa9c779dfed1f65d99b277263681b1a3e7e9e86143d5fabd0a SHA512 8f92d4b79f1caf01cb97ec64014c7607a410fb0a36e5e87376707c026d714a060ae554591b6e5b3834b671acd4145dcca68a9373aa41051ef60c9dd409dd008d WHIRLPOOL 8f897654bde85d84b17dc32507c5a469fe04eb2201acb55bfd02a76346620399dbcb9c7d0ce19f48285f6eec5de0a5d96420483d6a0b7a4c31a41fa329f91180
 AUX ufw-2.initd 2722 SHA256 657b5305923b2a5de9eb96931aaaa28d6e997ace6c40793d905887798094258c SHA512 54cb84ae5ce2c327a7a7b03deeed3d7507a4716ce929aa563d4fb5baa9aa73d95575ec7d5db7165345310869bd5a60b1033c6691f02a85ab94baa6b4a550daa7 WHIRLPOOL c19a21c93f0c63165715e8da4ab9b16a4596ccc3730118c1bbd7eb4de9a94b2b1475904818a2786b2490a07dee7d761da28ca6dc087926c27598d691cb333ce6
 AUX ufw-dont-check-iptables.patch 1572 SHA256 2ea0f9525baa82386690577525631f468e56a0fbde0e7e5a65fba36c922ea96f SHA512 c072e924ed5c7df37d89dd9dc8ecb9a52f16fcd962a31d97f45cecefb971adcceabff183bec386be29f44942d12f8bce595ff4203e390ce464627458843b19cb WHIRLPOOL a1ee6799042353f32a1746b14017403994d60dc1ba7e67581ebdff3d93e37e72c7224708d2c0d1bef25ce311ad5c647cd5f0fa62ea4da60321e47f922f64c54d
 AUX ufw.confd 219 SHA256 069aa7382b40aecebf26ef53f3f4c49890314e0357925c84b3c15f1d0b913be0 SHA512 a010532c97b9cf83f1fb5fa707228e0542a8b109c76e5942aaf2d6552c63e033d32e39e5a6ac87cb9e2ed4c3fdbc5d03c75127e6378665e592b143bc1eda52c7 WHIRLPOOL e6c4537392921c63f8a57fab7ea269fbeea846468ef8968816d988556557495e8abb77aee9d60648a1483a599683613cf5ea832cbcf498a8828baa9abcd31752
 DIST ufw-0.31.1.tar.gz 322448 SHA256 ccf5e00aa76841b9467ad9506fbf96373fb24a4b26bffd858ea1eb2522491dcb SHA512 3c9e61be7ba18ccdbd8195517f0b74a418b460f91b6efcdf0d883fc1dca2bc376ee317836882b67d2fd4825c2e5374d9c6a5da3d77f98794b64c98071d3ac0dc WHIRLPOOL 35064e73f892d6a94413f3560f5f0af945c972b673da4980af0a60576cc641810a74d76ed196935abaf9c2b395c2cc7250b6d27e710e284cbf2df014a6f0820d
 DIST ufw-0.33.tar.gz 332893 SHA256 5f85a8084ad3539b547bec097286948233188c971f498890316dec170bdd1da8 SHA512 a908d0a2c74bedef418b28f1701048bc9281f314ff747fb1e9497ddee341dbf86402215c470b605523b03a12b2dec812cd7342c310c04231dbed5b6f8e783309 WHIRLPOOL bdd09fbdc2514061b6971e06fa05d6fee04e29c2cecf0c12b237349071e88d188aa8a7bd5c54f5cf3cccd4ddf8d2e3d2bb6ed0db92538b7d76cea471d74848c1
-EBUILD ufw-0.31.1.ebuild 4740 SHA256 1434d557129a07d1b2a5e13de8bdb4d33ba8bb88479b8b78ac3af95f48757127 SHA512 1a8d5d9b0d1cf8da35d8ba861d30cd57f4b285f76d6088c11ac341af35d49abe697eb046efb35ed027305bccf7a00298ee2ef76c9be90f46dbcf922c095ebd34 WHIRLPOOL 0dbf7abecbffa54c4b7d01640ca091c38c4498110149e19087dad9156ecebea2b16b32d246de4e8fc41e1c48319e2102e237db2a142b5b9521e9273c07584b16
-EBUILD ufw-0.33.ebuild 4636 SHA256 f8228671dc04ebfba062ee31643cbbb0339e6757e131ff53fbf7aa8b447f4608 SHA512 90384086521f7a6e74bd9246d0bd2d71996bd9af3acda4004c8b1303f62073ea215a25c944d8f71e694477408a8eac4d44158b164a7e8397e192c00251e5229d WHIRLPOOL 12094132c8e689ce06e1491cb2b650210e5144d0082625da314f14cc1f4d314ab94b71c003516ea011389670dab2b1574af426dcdec11abb65b85237e64e248a
-MISC ChangeLog 2387 SHA256 ad976a6098b893d61edf7c10f333a491c4faeae6fc5255f71285021b6be14104 SHA512 163359a5b04b356553b6d37d88837f35b467fbf5a7a665760766152ad568f0182c6d9510be65361cb9a6e15465dfe58827b29ee3c025138c53fa8d3999afeebd WHIRLPOOL 1453dca2ffe4d254579d4c69d18b2d9353ef2cd85c98f54e9266e5350ef2d282099c7a4552b1e5b46d5efb7c23bb07548ce0a1260efd29013518e98ad1b61ca1
+EBUILD ufw-0.31.1-r1.ebuild 4855 SHA256 8a71e86df6d1ca949359d8eabba6e40f414303eb3d400f4c6df24c3477b0ea72 SHA512 207d2191b73062495eca92b7ac622ec5c920adcc41101d888597bc141b8e64c26869f1a8f5471b090164ef4b4a53617cc889b6fcbebb8f1b6c0a6560bda2f048 WHIRLPOOL 0d90c5b27c60e1e581a656880057d6d7ced57fce314cb3fa4e4650466d53ec2142fc0e898fc2bf4d62e65c28ccb4fcf450e0d8ebcda43ee84e35ff1b8f101597
+EBUILD ufw-0.33-r1.ebuild 4751 SHA256 4e55224d8c8207948d966d01a28e2f211920db5dd46a741dd5f50c8ceb2a1981 SHA512 09b8acd90ce593c2f347b3c3fef1e737b640482a6e493ac601c5d444192e33c26c8d5c9f9e3bd8f450dfb8f352e9081a1b8cfd7fbab1cee8e14e554741764d91 WHIRLPOOL 64818bd7e668454ee3a9c4126295b1792d66977bfa044edcf2ee7858eb75f1dfcff4907505d62cdd48c40eb38308b3f0387aacbb6e7b11d87eef98bde22dfece
+MISC ChangeLog 2693 SHA256 1cf149f3f69c56ded6244cae0bea7355bc810901506e37d742ccc3d0937ca7a4 SHA512 d012f77e198ea28502061509b71e21a59cbf857ea1f91f091209a106609346a43dd1c8026b126d072e82a9e9c16ea506981ec68aa2e0483d30b2ea35376a1a4b WHIRLPOOL 27a8aafe9a7f1387f1885559ca88e626e45e550f15b1856e0c8b5fecc5ca2ff8d5bd40d757b7c3208c1758bdf51e31da8f67a7793a6a4fb9c1a1b0589b2da3cc
 MISC metadata.xml 622 SHA256 e504f88d893e02ac0bf5aa71b5b153da69205bcc72463a24b551918686afdcc4 SHA512 27a11c5b355ff6cbf5cccc6d852d0b8702cd73641cf0fbcc79cef7ced889cc7aa89ef1e56b3e8fc5a1e0b82c789f0b272ae75db83d32c8e3963bc08d69dc7e38 WHIRLPOOL cda0950c88207d057a8a952e5294e170216f1bef97b18fa29f15dc128a076761cc40a56ec1096a10450dda86585255c54f4eac699671fbe9a5bab049113feee1
diff --git a/net-firewall/ufw/files/ufw-0.31.1-conntrack.patch b/net-firewall/ufw/files/ufw-0.31.1-conntrack.patch
new file mode 100644
index 000000000000..6a7e6924c53f
--- /dev/null
+++ b/net-firewall/ufw/files/ufw-0.31.1-conntrack.patch 
@@ -0,0 +1,201 @@ +use conntrack instead of state +https://bugs.launchpad.net/ufw/+bug/1065297 + +This is a version for ufw 0.31.1. +diff --git a/conf/before.rules b/conf/before.rules +index bc11f36..9917b87 100644 +--- a/conf/before.rules ++++ b/conf/before.rules +@@ -22,12 +22,12 @@ + -A ufw-before-output -o lo -j ACCEPT + + # quickly process packets for which we already have a connection +--A ufw-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT +--A ufw-before-output -m state --state RELATED,ESTABLISHED -j ACCEPT ++-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT ++-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + + # drop INVALID packets (logs these in loglevel medium and higher) +--A ufw-before-input -m state --state INVALID -j ufw-logging-deny +--A ufw-before-input -m state --state INVALID -j DROP ++-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny ++-A ufw-before-input -m conntrack --ctstate INVALID -j DROP + + # ok icmp codes + -A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT +diff --git a/conf/before6.rules b/conf/before6.rules +index fb1a8f1..8b7e4ff 100644 +--- a/conf/before6.rules ++++ b/conf/before6.rules +@@ -34,16 +34,16 @@ + -A ufw6-before-input -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT + + # quickly process packets for which we already have a connection +--A ufw6-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT +--A ufw6-before-output -m state --state RELATED,ESTABLISHED -j ACCEPT ++-A ufw6-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT ++-A ufw6-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + + # for multicast ping replies from link-local addresses (these don't have an + # associated connection and would otherwise be marked INVALID) + -A ufw6-before-input -p icmpv6 --icmpv6-type echo-reply -s fe80::/10 -j ACCEPT + + # drop INVALID packets (logs these in loglevel 
medium and higher) +--A ufw6-before-input -m state --state INVALID -j ufw6-logging-deny +--A ufw6-before-input -m state --state INVALID -j DROP ++-A ufw6-before-input -m conntrack --ctstate INVALID -j ufw6-logging-deny ++-A ufw6-before-input -m conntrack --ctstate INVALID -j DROP + + # ok icmp codes + -A ufw6-before-input -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT +diff --git a/doc/ufw-framework.8 b/doc/ufw-framework.8 +index d9e3d5a..bfc83e2 100644 +--- a/doc/ufw-framework.8 ++++ b/doc/ufw-framework.8 +@@ -167,9 +167,9 @@ Edit #CONFIG_PREFIX#/ufw/sysctl.conf to have: + net.ipv4.ip_forward=1 + .TP + Add to the *filter section of #CONFIG_PREFIX#/ufw/before.rules: +- \-A ufw\-before\-forward \-m state \-\-state RELATED,ESTABLISHED \\ ++ \-A ufw\-before\-forward \-m conntrack \-\-ctstate RELATED,ESTABLISHED \\ + \-j ACCEPT +- \-A ufw\-before\-forward \-m state \-\-state NEW \-i eth0 \\ ++ \-A ufw\-before\-forward \-m conntrack \-\-ctstate NEW \-i eth0 \\ + \-d 10.0.0.2 \-p tcp \-\-dport 80 \-j ACCEPT + .TP + Add to the end of #CONFIG_PREFIX#/ufw/before.rules, after the *filter section: +@@ -209,13 +209,13 @@ Edit #CONFIG_PREFIX#/ufw/sysctl.conf to have: + net.ipv4.ip_forward=1 + .TP + Add to the *filter section of #CONFIG_PREFIX#/ufw/before.rules: +- \-A ufw\-before\-forward \-m state \-\-state RELATED,ESTABLISHED \\ ++ \-A ufw\-before\-forward \-m conntrack \-\-ctstate RELATED,ESTABLISHED \\ + \-j ACCEPT + +- \-A ufw\-before\-forward \-i eth1 \-s 10.0.0.0/8 \-o eth0 \-m state \\ +- \-\-state NEW \-j ACCEPT ++ \-A ufw\-before\-forward \-i eth1 \-s 10.0.0.0/8 \-o eth0 \-m conntrack \\ ++ \-\-ctstate NEW \-j ACCEPT + +- \-A ufw\-before\-forward \-m state \-\-state NEW \-i eth0 \\ ++ \-A ufw\-before\-forward \-m conntrack \-\-ctstate NEW \-i eth0 \\ + \-d 10.0.0.2 \-p tcp \-\-dport 80 \-j ACCEPT + + \-A ufw\-before\-forward \-o eth0 \-d 10.0.0.0/8 \-j REJECT +diff --git a/src/backend_iptables.py b/src/backend_iptables.py +index 340beba..4459a3b 100644 +--- 
a/src/backend_iptables.py ++++ b/src/backend_iptables.py +@@ -551,7 +551,7 @@ class UFWBackendIptables(ufw.backend.UFWBackend): + lstr = '%s -j LOG --log-prefix "[UFW %s] "' % (limit_args, \ + policy) + if not pat_logall.search(s): +- lstr = '-m state --state NEW ' + lstr ++ lstr = '-m conntrack --ctstate NEW ' + lstr + snippets[i] = pat_log.sub(r'\1-j \2\4', s) + snippets.insert(i, pat_log.sub(r'\1-j ' + prefix + \ + '-user-logging-' + suffix, s)) +@@ -567,9 +567,9 @@ class UFWBackendIptables(ufw.backend.UFWBackend): + pat_limit = re.compile(r' -j LIMIT') + for i, s in enumerate(snippets): + if pat_limit.search(s): +- tmp1 = pat_limit.sub(' -m state --state NEW -m recent --set', \ ++ tmp1 = pat_limit.sub(' -m conntrack --ctstate NEW -m recent --set', \ + s) +- tmp2 = pat_limit.sub(' -m state --state NEW -m recent' + \ ++ tmp2 = pat_limit.sub(' -m conntrack --ctstate NEW -m recent' + \ + ' --update --seconds 30 --hitcount 6' + \ + ' -j ' + prefix + '-user-limit', s) + tmp3 = pat_limit.sub(' -j ' + prefix + '-user-limit-accept', s) +@@ -1178,12 +1178,12 @@ class UFWBackendIptables(ufw.backend.UFWBackend): + prefix = "[UFW BLOCK] " + if self.loglevels[level] < self.loglevels["medium"]: + # only log INVALID in medium and higher +- rules_t.append([c, ['-I', c, '-m', 'state', \ +- '--state', 'INVALID', \ ++ rules_t.append([c, ['-I', c, '-m', 'conntrack', \ ++ '--ctstate', 'INVALID', \ + '-j', 'RETURN'] + largs, '']) + else: +- rules_t.append([c, ['-A', c, '-m', 'state', \ +- '--state', 'INVALID', \ ++ rules_t.append([c, ['-A', c, '-m', 'conntrack', \ ++ '--ctstate', 'INVALID', \ + '-j', 'LOG', \ + '--log-prefix', \ + "[UFW AUDIT INVALID] "] + \ +@@ -1202,7 +1202,7 @@ class UFWBackendIptables(ufw.backend.UFWBackend): + + # loglevel medium logs all new packets with limit + if self.loglevels[level] < self.loglevels["high"]: +- largs = ['-m', 'state', '--state', 'NEW'] + limit_args ++ largs = ['-m', 'conntrack', '--ctstate', 'NEW'] + limit_args + + prefix = "[UFW AUDIT] " + 
for c in self.chains['before']: +diff --git a/src/ufw-init-functions b/src/ufw-init-functions +index f4783e7..c5e0319 100755 +--- a/src/ufw-init-functions ++++ b/src/ufw-init-functions +@@ -251,15 +251,15 @@ ufw_start() { + # add tracking policy + if [ "$DEFAULT_INPUT_POLICY" = "ACCEPT" ]; then + printf "*filter\n"\ +-"-A ufw${type}-track-input -p tcp -m state --state NEW -j ACCEPT\n"\ +-"-A ufw${type}-track-input -p udp -m state --state NEW -j ACCEPT\n"\ ++"-A ufw${type}-track-input -p tcp -m conntrack --ctstate NEW -j ACCEPT\n"\ ++"-A ufw${type}-track-input -p udp -m conntrack --ctstate NEW -j ACCEPT\n"\ + "COMMIT\n" | $exe-restore -n || error="yes" + fi + + if [ "$DEFAULT_OUTPUT_POLICY" = "ACCEPT" ]; then + printf "*filter\n"\ +-"-A ufw${type}-track-output -p tcp -m state --state NEW -j ACCEPT\n"\ +-"-A ufw${type}-track-output -p udp -m state --state NEW -j ACCEPT\n"\ ++"-A ufw${type}-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT\n"\ ++"-A ufw${type}-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT\n"\ + "COMMIT\n" | $exe-restore -n || error="yes" + fi + +diff --git a/tests/check-requirements b/tests/check-requirements +index dbb26ec..d3ad1f8 100755 +--- a/tests/check-requirements ++++ b/tests/check-requirements +@@ -152,32 +152,32 @@ for i in "" 6; do + done + + echo -n "hashlimit: " +- runcmd $exe -A $c -m hashlimit -m tcp -p tcp --dport 22 --hashlimit 1/min --hashlimit-mode srcip --hashlimit-name ssh -m state --state NEW -j ACCEPT ++ runcmd $exe -A $c -m hashlimit -m tcp -p tcp --dport 22 --hashlimit 1/min --hashlimit-mode srcip --hashlimit-name ssh -m conntrack --ctstate NEW -j ACCEPT + + echo -n "limit: " + runcmd $exe -A $c -m limit --limit 3/min --limit-burst 10 -j ACCEPT + + for j in NEW RELATED ESTABLISHED INVALID; do + echo -n "state ($j): " +- runcmd $exe -A $c -m state --state $j ++ runcmd $exe -A $c -m conntrack --ctstate $j + done + + echo -n "state (new, recent set): " + if [ "$i" = "6" ]; then + echo "skipped -- IPv6 'limit' 
not supported by ufw yet" + else +- runcmd $exe -A $c -m state --state NEW -m recent --set ++ runcmd $exe -A $c -m conntrack --ctstate NEW -m recent --set + fi + + echo -n "state (new, recent update): " + if [ "$i" = "6" ]; then + echo "skipped -- IPv6 'limit' not supported by ufw yet" + else +- runcmd $exe -A $c -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ACCEPT ++ runcmd $exe -A $c -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ACCEPT + fi + + echo -n "state (new, limit): " +- runcmd $exe -A $c -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j ACCEPT ++ runcmd $exe -A $c -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j ACCEPT + + echo -n "interface (input): " + runcmd $exe -A $c -i eth0 -j ACCEPT diff --git a/net-firewall/ufw/files/ufw-0.33-conntrack.patch b/net-firewall/ufw/files/ufw-0.33-conntrack.patch new file mode 100644 index 000000000000..36eee8e76505 --- /dev/null +++ b/net-firewall/ufw/files/ufw-0.33-conntrack.patch 
@@ -0,0 +1,187 @@ +use conntrack instead of state +https://bugs.launchpad.net/ufw/+bug/1065297 +diff -urp ufw-0.33.orig/conf/before6.rules ufw-0.33/conf/before6.rules +--- ufw-0.33.orig/conf/before6.rules 2012-10-10 22:26:26.021931270 +0200 ++++ ufw-0.33/conf/before6.rules 2012-10-10 22:38:58.803605951 +0200 +@@ -34,16 +34,16 @@ + -A ufw6-before-input -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT + + # quickly process packets for which we already have a connection +--A ufw6-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT +--A ufw6-before-output -m state --state RELATED,ESTABLISHED -j ACCEPT ++-A ufw6-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT ++-A ufw6-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + + # for multicast ping replies from link-local addresses (these don't have an + # associated connection and would otherwise be marked INVALID) + -A ufw6-before-input -p icmpv6 --icmpv6-type echo-reply -s fe80::/10 -j ACCEPT + + # drop INVALID packets (logs these in loglevel medium and higher) +--A ufw6-before-input -m state --state INVALID -j ufw6-logging-deny +--A ufw6-before-input -m state --state INVALID -j DROP ++-A ufw6-before-input -m conntrack --ctstate INVALID -j ufw6-logging-deny ++-A ufw6-before-input -m conntrack --ctstate INVALID -j DROP + + # ok icmp codes + -A ufw6-before-input -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT +diff -urp ufw-0.33.orig/conf/before.rules ufw-0.33/conf/before.rules +--- ufw-0.33.orig/conf/before.rules 2012-10-10 22:26:26.021931270 +0200 ++++ ufw-0.33/conf/before.rules 2012-10-10 22:38:17.442349148 +0200 +@@ -22,12 +22,12 @@ + -A ufw-before-output -o lo -j ACCEPT + + # quickly process packets for which we already have a connection +--A ufw-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT +--A ufw-before-output -m state --state RELATED,ESTABLISHED -j ACCEPT ++-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j 
ACCEPT ++-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + + # drop INVALID packets (logs these in loglevel medium and higher) +--A ufw-before-input -m state --state INVALID -j ufw-logging-deny +--A ufw-before-input -m state --state INVALID -j DROP ++-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny ++-A ufw-before-input -m conntrack --ctstate INVALID -j DROP + + # ok icmp codes + -A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT +diff -urp ufw-0.33.orig/doc/ufw-framework.8 ufw-0.33/doc/ufw-framework.8 +--- ufw-0.33.orig/doc/ufw-framework.8 2012-10-10 22:26:26.020931143 +0200 ++++ ufw-0.33/doc/ufw-framework.8 2012-10-10 23:06:21.407372442 +0200 +@@ -167,9 +167,9 @@ Edit #CONFIG_PREFIX#/ufw/sysctl.conf to + net.ipv4.ip_forward=1 + .TP + Add to the *filter section of #CONFIG_PREFIX#/ufw/before.rules: +- \-A ufw\-before\-forward \-m state \-\-state RELATED,ESTABLISHED \\ +- \-j ACCEPT +- \-A ufw\-before\-forward \-m state \-\-state NEW \-i eth0 \\ ++ \-A ufw\-before\-forward \-m conntrack \\ ++ \-\-ctstate RELATED,ESTABLISHED \-j ACCEPT ++ \-A ufw\-before\-forward \-m conntrack \-\-ctstate NEW \-i eth0 \\ + \-d 10.0.0.2 \-p tcp \-\-dport 80 \-j ACCEPT + .TP + Add to the end of #CONFIG_PREFIX#/ufw/before.rules, after the *filter section: +@@ -209,13 +209,13 @@ Edit #CONFIG_PREFIX#/ufw/sysctl.conf to + net.ipv4.ip_forward=1 + .TP + Add to the *filter section of #CONFIG_PREFIX#/ufw/before.rules: +- \-A ufw\-before\-forward \-m state \-\-state RELATED,ESTABLISHED \\ +- \-j ACCEPT ++ \-A ufw\-before\-forward \-m conntrack \\ ++ \-\-ctstate RELATED,ESTABLISHED \-j ACCEPT + +- \-A ufw\-before\-forward \-i eth1 \-s 10.0.0.0/8 \-o eth0 \-m state \\ +- \-\-state NEW \-j ACCEPT ++ \-A ufw\-before\-forward \-i eth1 \-s 10.0.0.0/8 \-o eth0 \\ ++ \-m conntrack \-\-ctstate NEW \-j ACCEPT + +- \-A ufw\-before\-forward \-m state \-\-state NEW \-i eth0 \\ ++ \-A ufw\-before\-forward \-m conntrack \-\-ctstate NEW \-i 
eth0 \\ + \-d 10.0.0.2 \-p tcp \-\-dport 80 \-j ACCEPT + + \-A ufw\-before\-forward \-o eth0 \-d 10.0.0.0/8 \-j REJECT +diff -urp ufw-0.33.orig/src/backend_iptables.py ufw-0.33/src/backend_iptables.py +--- ufw-0.33.orig/src/backend_iptables.py 2012-10-10 22:26:26.022931397 +0200 ++++ ufw-0.33/src/backend_iptables.py 2012-10-10 22:29:53.981361845 +0200 +@@ -558,7 +558,7 @@ class UFWBackendIptables(ufw.backend.UFW + lstr = '%s -j LOG --log-prefix "[UFW %s] "' % (limit_args, \ + policy) + if not pat_logall.search(s): +- lstr = '-m state --state NEW ' + lstr ++ lstr = '-m conntrack --ctstate NEW ' + lstr + snippets[i] = pat_log.sub(r'\1-j \2\4', s) + snippets.insert(i, pat_log.sub(r'\1-j ' + prefix + \ + '-user-logging-' + suffix, s)) +@@ -574,9 +574,9 @@ class UFWBackendIptables(ufw.backend.UFW + pat_limit = re.compile(r' -j LIMIT') + for i, s in enumerate(snippets): + if pat_limit.search(s): +- tmp1 = pat_limit.sub(' -m state --state NEW -m recent --set', \ ++ tmp1 = pat_limit.sub(' -m conntrack --ctstate NEW -m recent --set', \ + s) +- tmp2 = pat_limit.sub(' -m state --state NEW -m recent' + \ ++ tmp2 = pat_limit.sub(' -m conntrack --ctstate NEW -m recent' + \ + ' --update --seconds 30 --hitcount 6' + \ + ' -j ' + prefix + '-user-limit', s) + tmp3 = pat_limit.sub(' -j ' + prefix + '-user-limit-accept', s) +@@ -1196,12 +1196,12 @@ class UFWBackendIptables(ufw.backend.UFW + prefix = "[UFW BLOCK] " + if self.loglevels[level] < self.loglevels["medium"]: + # only log INVALID in medium and higher +- rules_t.append([c, ['-I', c, '-m', 'state', \ +- '--state', 'INVALID', \ ++ rules_t.append([c, ['-I', c, '-m', 'conntrack', \ ++ '--ctstate', 'INVALID', \ + '-j', 'RETURN'] + largs, '']) + else: +- rules_t.append([c, ['-A', c, '-m', 'state', \ +- '--state', 'INVALID', \ ++ rules_t.append([c, ['-A', c, '-m', 'conntrack', \ ++ '--ctstate', 'INVALID', \ + '-j', 'LOG', \ + '--log-prefix', \ + "[UFW AUDIT INVALID] "] + \ +@@ -1220,7 +1220,7 @@ class 
UFWBackendIptables(ufw.backend.UFW + + # loglevel medium logs all new packets with limit + if self.loglevels[level] < self.loglevels["high"]: +- largs = ['-m', 'state', '--state', 'NEW'] + limit_args ++ largs = ['-m', 'conntrack', '--ctstate', 'NEW'] + limit_args + + prefix = "[UFW AUDIT] " + for c in self.chains['before']: +diff -urp ufw-0.33.orig/src/ufw-init-functions ufw-0.33/src/ufw-init-functions +--- ufw-0.33.orig/src/ufw-init-functions 2012-10-10 22:26:26.023931524 +0200 ++++ ufw-0.33/src/ufw-init-functions 2012-10-10 22:48:38.305257627 +0200 +@@ -251,15 +251,15 @@ ufw_start() { + # add tracking policy + if [ "$DEFAULT_INPUT_POLICY" = "ACCEPT" ]; then + printf "*filter\n"\ +-"-A ufw${type}-track-input -p tcp -m state --state NEW -j ACCEPT\n"\ +-"-A ufw${type}-track-input -p udp -m state --state NEW -j ACCEPT\n"\ ++"-A ufw${type}-track-input -p tcp -m conntrack --ctstate NEW -j ACCEPT\n"\ ++"-A ufw${type}-track-input -p udp -m conntrack --ctstate NEW -j ACCEPT\n"\ + "COMMIT\n" | $exe-restore -n || error="yes" + fi + + if [ "$DEFAULT_OUTPUT_POLICY" = "ACCEPT" ]; then + printf "*filter\n"\ +-"-A ufw${type}-track-output -p tcp -m state --state NEW -j ACCEPT\n"\ +-"-A ufw${type}-track-output -p udp -m state --state NEW -j ACCEPT\n"\ ++"-A ufw${type}-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT\n"\ ++"-A ufw${type}-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT\n"\ + "COMMIT\n" | $exe-restore -n || error="yes" + fi + +diff -urp ufw-0.33.orig/tests/check-requirements ufw-0.33/tests/check-requirements +--- ufw-0.33.orig/tests/check-requirements 2012-10-10 22:26:25.944921482 +0200 ++++ ufw-0.33/tests/check-requirements 2012-10-10 22:41:54.378920671 +0200 +@@ -167,24 +167,24 @@ for i in "" 6; do + done + + echo -n "hashlimit: " +- runcmd $exe -A $c -m hashlimit -m tcp -p tcp --dport 22 --hashlimit 1/min --hashlimit-mode srcip --hashlimit-name ssh -m state --state NEW -j ACCEPT ++ runcmd $exe -A $c -m hashlimit -m tcp -p tcp --dport 22 
--hashlimit 1/min --hashlimit-mode srcip --hashlimit-name ssh -m conntrack --ctstate NEW -j ACCEPT + + echo -n "limit: " + runcmd $exe -A $c -m limit --limit 3/min --limit-burst 10 -j ACCEPT + + for j in NEW RELATED ESTABLISHED INVALID; do + echo -n "state ($j): " +- runcmd $exe -A $c -m state --state $j ++ runcmd $exe -A $c -m conntrack --ctstate $j + done + + echo -n "state (new, recent set): " +- runcmd runtime $exe -A $c -m state --state NEW -m recent --set ++ runcmd runtime $exe -A $c -m conntrack --ctstate NEW -m recent --set + + echo -n "state (new, recent update): " +- runcmd runtime $exe -A $c -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ACCEPT ++ runcmd runtime $exe -A $c -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ACCEPT + + echo -n "state (new, limit): " +- runcmd $exe -A $c -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j ACCEPT ++ runcmd $exe -A $c -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j ACCEPT + + echo -n "interface (input): " + runcmd $exe -A $c -i eth0 -j ACCEPT
diff --git a/net-firewall/ufw/ufw-0.31.1.ebuild b/net-firewall/ufw/ufw-0.31.1-r1.ebuild
index a76dfa8efe59..0cb68c48c72d 100644
--- a/net-firewall/ufw/ufw-0.31.1.ebuild
+++ b/net-firewall/ufw/ufw-0.31.1-r1.ebuild
@@ -1,6 +1,6 @@
 # Copyright 1999-2012 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/net-firewall/ufw/ufw-0.31.1.ebuild,v 1.3 2012/09/23 18:20:24 thev00d00 Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-firewall/ufw/ufw-0.31.1-r1.ebuild,v 1.1 2012/10/14 19:06:35 thev00d00 Exp $
 
 EAPI=4
 PYTHON_DEPEND="2:2.5"
@@ -84,6 +84,8 @@ pkg_pretend() {
 }
 
 src_prepare() {
+	# Remove warning about 'state' being obsolete in iptables 1.4.16.2.
+	epatch "${FILESDIR}"/${P}-conntrack.patch
 	# Allow to remove unnecessary build time dependency
 	# on net-firewall/iptables.
 	epatch "${FILESDIR}"/${PN}-dont-check-iptables.patch
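Review bot: The new `epatch "${FILESDIR}"/${P}-conntrack.patch` line in src_prepare moves every shipped rule from the `state` match to the `conntrack` match, but nothing in this hunk (nor in the matching ufw-0.33-r1.ebuild hunk below) touches the kernel-feature check that `pkg_pretend()`, visible here only as its closing brace on the hunk's first context line, presumably performs. If that function's `CONFIG_CHECK` names `~NETFILTER_XT_MATCH_STATE`, it should now also name `~NETFILTER_XT_MATCH_CONNTRACK`, otherwise a kernel built only for the old match installs fine and the patched before.rules is rejected by iptables-restore at enable time, which is exactly the fail-at-runtime case pkg_pretend exists to catch. The comment above the epatch call would also be easier to trace if it pointed at the report the patch header cites: `# Use the conntrack match; 'state' is obsolete in iptables 1.4.16.2 and warns. See https://bugs.launchpad.net/ufw/+bug/1065297`.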
diff --git a/net-firewall/ufw/ufw-0.33.ebuild b/net-firewall/ufw/ufw-0.33-r1.ebuild
index 0fbfc26a3765..d0cfdc296f3c 100644
--- a/net-firewall/ufw/ufw-0.33.ebuild
+++ b/net-firewall/ufw/ufw-0.33-r1.ebuild
@@ -1,6 +1,6 @@
 # Copyright 1999-2012 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/net-firewall/ufw/ufw-0.33.ebuild,v 1.1 2012/09/24 12:18:04 thev00d00 Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-firewall/ufw/ufw-0.33-r1.ebuild,v 1.1 2012/10/14 19:06:35 thev00d00 Exp $
 
 EAPI=4
 PYTHON_DEPEND="2:2.6 3:3.1"
@@ -84,6 +84,8 @@ pkg_pretend() {
 }
 
 src_prepare() {
+	# Remove warning about 'state' being obsolete in iptables 1.4.16.2.
+	epatch "${FILESDIR}"/${P}-conntrack.patch
 	# Allow to remove unnecessary build time dependency
 	# on net-firewall/iptables.
 	epatch "${FILESDIR}"/${P}-dont-check-iptables.patch