author | Robin H. Johnson <robbat2@gentoo.org> | 2015-08-08 13:49:04 -0700 |
committer | Robin H. Johnson <robbat2@gentoo.org> | 2015-08-08 17:38:18 -0700 |
commit | 56bd759df1d0c750a065b8c845e93d5dfa6b549d (patch) | |
tree | 3f91093cdb475e565ae857f1c5a7fd339e2d781e /net-firewall/iptables/files | |
proj/gentoo: Initial commit
This commit represents a new era for Gentoo:
Storing the gentoo-x86 tree in Git, as converted from CVS.
This commit is the start of the NEW history.
Any historical data is intended to be grafted onto this point.
Creation process:
1. Take final CVS checkout snapshot
2. Remove ALL ChangeLog* files
3. Transform all Manifests to thin
4. Remove empty Manifests
5. Convert all stale $Header$/$Id$ CVS keywords to non-expanded Git $Id$
5.1. Do not touch files with -kb/-ko keyword flags.
Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
X-Thanks: Alec Warner <antarus@gentoo.org> - did the GSoC 2006 migration tests
X-Thanks: Robin H. Johnson <robbat2@gentoo.org> - infra guy, herding this project
X-Thanks: Nguyen Thai Ngoc Duy <pclouds@gentoo.org> - Former Gentoo developer, wrote Git features for the migration
X-Thanks: Brian Harring <ferringb@gentoo.org> - wrote much python to improve cvs2svn
X-Thanks: Rich Freeman <rich0@gentoo.org> - validation scripts
X-Thanks: Patrick Lauer <patrick@gentoo.org> - Gentoo dev, running new 2014 work in migration
X-Thanks: Michał Górny <mgorny@gentoo.org> - scripts, QA, nagging
X-Thanks: All of other Gentoo developers - many ideas and lots of paint on the bikeshed
Diffstat (limited to 'net-firewall/iptables/files')
21 files changed, 975 insertions, 0 deletions
diff --git a/net-firewall/iptables/files/ip6tables-1.3.2.confd b/net-firewall/iptables/files/ip6tables-1.3.2.confd
new file mode 100644
index 000000000000..93c0bc89b38a
--- /dev/null
+++ b/net-firewall/iptables/files/ip6tables-1.3.2.confd
@@ -0,0 +1,11 @@
+# /etc/conf.d/ip6tables
+
+# Location in which iptables initscript will save set rules on
+# service shutdown
+IP6TABLES_SAVE="/var/lib/ip6tables/rules-save"
+
+# Options to pass to iptables-save and iptables-restore
+SAVE_RESTORE_OPTIONS="-c"
+
+# Save state on stopping iptables
+SAVE_ON_STOP="yes"
diff --git a/net-firewall/iptables/files/ip6tables-1.4.13.confd b/net-firewall/iptables/files/ip6tables-1.4.13.confd
new file mode 100644
index 000000000000..3bb36989d37e
--- /dev/null
+++ b/net-firewall/iptables/files/ip6tables-1.4.13.confd
@@ -0,0 +1,19 @@
+# /etc/conf.d/ip6tables
+
+# Location in which iptables initscript will save set rules on
+# service shutdown
+IP6TABLES_SAVE="/var/lib/ip6tables/rules-save"
+
+# Options to pass to iptables-save and iptables-restore
+SAVE_RESTORE_OPTIONS="-c"
+
+# Save state on stopping iptables
+SAVE_ON_STOP="yes"
+
+# If you need to log iptables messages as soon as iptables starts,
+# AND your logger does NOT depend on the network, then you may wish
+# to uncomment the next line.
+# If your logger depends on the network, and you uncomment this line
+# you will create an unresolvable circular dependency during startup.
+# After commenting or uncommenting this line, you must run 'rc-update -u'.
+#rc_use="logger"
diff --git a/net-firewall/iptables/files/iptables-1.3.2.confd b/net-firewall/iptables/files/iptables-1.3.2.confd
new file mode 100644
index 000000000000..91287debdbcf
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-1.3.2.confd
@@ -0,0 +1,11 @@
+# /etc/conf.d/iptables
+
+# Location in which iptables initscript will save set rules on
+# service shutdown
+IPTABLES_SAVE="/var/lib/iptables/rules-save"
+
+# Options to pass to iptables-save and iptables-restore
+SAVE_RESTORE_OPTIONS="-c"
+
+# Save state on stopping iptables
+SAVE_ON_STOP="yes"
diff --git a/net-firewall/iptables/files/iptables-1.3.2.init b/net-firewall/iptables/files/iptables-1.3.2.init
new file mode 100755
index 000000000000..907a39e7479a
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-1.3.2.init
@@ -0,0 +1,115 @@
+#!/sbin/runscript
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+extra_commands="save panic"
+extra_started_commands="reload"
+
+iptables_name=${SVCNAME}
+if [ "${iptables_name}" != "iptables" -a "${iptables_name}" != "ip6tables" ] ; then
+ iptables_name="iptables"
+fi
+
+iptables_bin="/sbin/${iptables_name}"
+case ${iptables_name} in
+ iptables) iptables_proc="/proc/net/ip_tables_names"
+ iptables_save=${IPTABLES_SAVE};;
+ ip6tables) iptables_proc="/proc/net/ip6_tables_names"
+ iptables_save=${IP6TABLES_SAVE};;
+esac
+
+depend() {
+ before net
+ use logger
+}
+
+set_table_policy() {
+ local chains table=$1 policy=$2
+ case ${table} in
+ nat) chains="PREROUTING POSTROUTING OUTPUT";;
+ mangle) chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING";;
+ filter) chains="INPUT FORWARD OUTPUT";;
+ *) chains="";;
+ esac
+ local chain
+ for chain in ${chains} ; do
+ ${iptables_bin} -t ${table} -P ${chain} ${policy}
+ done
+}
+
+checkkernel() {
+ if [ ! -e ${iptables_proc} ] ; then
+ eerror "Your kernel lacks ${iptables_name} support, please load"
+ eerror "appropriate modules and try again."
+ return 1
+ fi
+ return 0
+}
+checkconfig() {
+ if [ ! -f ${iptables_save} ] ; then
+ eerror "Not starting ${iptables_name}. First create some rules then run:"
+ eerror "/etc/init.d/${iptables_name} save"
+ return 1
+ fi
+ return 0
+}
+
+start() {
+ checkconfig || return 1
+ ebegin "Loading ${iptables_name} state and starting firewall"
+ ${iptables_bin}-restore ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
+ eend $?
+}
+
+stop() {
+ if [ "${SAVE_ON_STOP}" = "yes" ] ; then
+ save || return 1
+ fi
+ checkkernel || return 1
+ ebegin "Stopping firewall"
+ local a
+ for a in $(cat ${iptables_proc}) ; do
+ set_table_policy $a ACCEPT
+
+ ${iptables_bin} -F -t $a
+ ${iptables_bin} -X -t $a
+ done
+ eend $?
+}
+
+reload() {
+ checkkernel || return 1
+ ebegin "Flushing firewall"
+ local a
+ for a in $(cat ${iptables_proc}) ; do
+ ${iptables_bin} -F -t $a
+ ${iptables_bin} -X -t $a
+ done
+ eend $?
+
+ start
+}
+
+save() {
+ ebegin "Saving ${iptables_name} state"
+ touch "${iptables_save}"
+ chmod 0600 "${iptables_save}"
+ ${iptables_bin}-save ${SAVE_RESTORE_OPTIONS} > "${iptables_save}"
+ eend $?
+}
+
+panic() {
+ checkkernel || return 1
+ service_started ${iptables_name} && svc_stop
+
+ local a
+ ebegin "Dropping all packets"
+ for a in $(cat ${iptables_proc}) ; do
+ ${iptables_bin} -F -t $a
+ ${iptables_bin} -X -t $a
+
+ set_table_policy $a DROP
+ done
+ eend $?
+}
diff --git a/net-firewall/iptables/files/iptables-1.4.11.1-man-fixes.patch b/net-firewall/iptables/files/iptables-1.4.11.1-man-fixes.patch
new file mode 100644
index 000000000000..d83a7059f37b
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-1.4.11.1-man-fixes.patch
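Review bot: `reload()` flushes every table (`-F`, `-X`) and only afterwards calls `start()`, and `start()` checks the saved file for nothing more than existence (`checkconfig`), so a ruleset that `iptables-restore` rejects leaves the host with no rules at all and whatever built-in policies were in force. Validate the file before touching the live tables, e.g. make the first step of `reload()` `${iptables_bin}-restore --test ${SAVE_RESTORE_OPTIONS} < "${iptables_save}" || return 1` where the installed iptables-restore supports `--test`; iptables-1.4.13-r1.init in this same commit does exactly that with its `checkrules` helper. The same flush-then-restore order is in iptables-1.4.11.init and iptables-1.4.13.init.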
@@ -0,0 +1,17 @@ +diff --git a/iptables/Makefile.am b/iptables/Makefile.am +index 13cca9c..a068278 100644 +--- a/iptables/Makefile.am ++++ b/iptables/Makefile.am +@@ -51,10 +51,10 @@ v6_sbin_links = ip6tables ip6tables-restore ip6tables-save + endif + + iptables.8: ${srcdir}/iptables.8.in ../extensions/matches4.man ../extensions/targets4.man +- ${AM_VERBOSE_GEN} sed -e 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' -e '/@MATCH@/ r extensions/matches4.man' -e '/@TARGET@/ r extensions/targets4.man' $< >$@; ++ ${AM_VERBOSE_GEN} sed -e 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' -e '/@MATCH@/ r ../extensions/matches4.man' -e '/@TARGET@/ r ../extensions/targets4.man' $< >$@; + + ip6tables.8: ${srcdir}/ip6tables.8.in ../extensions/matches6.man ../extensions/targets6.man +- ${AM_VERBOSE_GEN} sed -e 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' -e '/@MATCH@/ r extensions/matches6.man' -e '/@TARGET@/ r extensions/targets6.man' $< >$@; ++ ${AM_VERBOSE_GEN} sed -e 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' -e '/@MATCH@/ r ../extensions/matches6.man' -e '/@TARGET@/ r ../extensions/targets6.man' $< >$@; + + pkgconfig_DATA = xtables.pc + diff --git a/net-firewall/iptables/files/iptables-1.4.11.init b/net-firewall/iptables/files/iptables-1.4.11.init new file mode 100644 index 000000000000..6b2b88c5dbed --- /dev/null +++ b/net-firewall/iptables/files/iptables-1.4.11.init 
@@ -0,0 +1,117 @@
+#!/sbin/runscript
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+extra_commands="save panic"
+extra_started_commands="reload"
+
+iptables_name=${SVCNAME}
+if [ "${iptables_name}" != "iptables" -a "${iptables_name}" != "ip6tables" ] ; then
+ iptables_name="iptables"
+fi
+
+iptables_bin="/sbin/${iptables_name}"
+case ${iptables_name} in
+ iptables) iptables_proc="/proc/net/ip_tables_names"
+ iptables_save=${IPTABLES_SAVE};;
+ ip6tables) iptables_proc="/proc/net/ip6_tables_names"
+ iptables_save=${IP6TABLES_SAVE};;
+esac
+
+depend() {
+ before net
+ use logger
+}
+
+set_table_policy() {
+ local chains table=$1 policy=$2
+ case ${table} in
+ nat) chains="PREROUTING POSTROUTING OUTPUT";;
+ mangle) chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING";;
+ filter) chains="INPUT FORWARD OUTPUT";;
+ *) chains="";;
+ esac
+ local chain
+ for chain in ${chains} ; do
+ ${iptables_bin} -t ${table} -P ${chain} ${policy}
+ done
+}
+
+checkkernel() {
+ if [ ! -e ${iptables_proc} ] ; then
+ eerror "Your kernel lacks ${iptables_name} support, please load"
+ eerror "appropriate modules and try again."
+ return 1
+ fi
+ return 0
+}
+checkconfig() {
+ if [ ! -f ${iptables_save} ] ; then
+ eerror "Not starting ${iptables_name}. First create some rules then run:"
+ eerror "/etc/init.d/${iptables_name} save"
+ return 1
+ fi
+ return 0
+}
+
+start() {
+ checkconfig || return 1
+ ebegin "Loading ${iptables_name} state and starting firewall"
+ ${iptables_bin}-restore ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
+ eend $?
+}
+
+stop() {
+ if [ "${SAVE_ON_STOP}" = "yes" ] ; then
+ save || return 1
+ fi
+ checkkernel || return 1
+ ebegin "Stopping firewall"
+ local a
+ for a in $(cat ${iptables_proc}) ; do
+ set_table_policy $a ACCEPT
+
+ ${iptables_bin} -F -t $a
+ ${iptables_bin} -X -t $a
+ done
+ eend $?
+} + +reload() { + checkkernel || return 1 + ebegin "Flushing firewall" + local a + for a in $(cat ${iptables_proc}) ; do + ${iptables_bin} -F -t $a + ${iptables_bin} -X -t $a + done + eend $? + + start +} + +save() { + ebegin "Saving ${iptables_name} state" + touch "${iptables_save}" + chmod 0600 "${iptables_save}" + ${iptables_bin}-save ${SAVE_RESTORE_OPTIONS} > "${iptables_save}" + eend $? +} + +panic() { + checkkernel || return 1 + if service_started ${iptables_name}; then + rc-service ${iptables_name} stop + fi + + local a + ebegin "Dropping all packets" + for a in $(cat ${iptables_proc}) ; do + ${iptables_bin} -F -t $a + ${iptables_bin} -X -t $a + + set_table_policy $a DROP + done + eend $? +} diff --git a/net-firewall/iptables/files/iptables-1.4.12.1-conntrack-v2-ranges.patch b/net-firewall/iptables/files/iptables-1.4.12.1-conntrack-v2-ranges.patch new file mode 100644 index 000000000000..9bbcc67cb6a5 --- /dev/null +++ b/net-firewall/iptables/files/iptables-1.4.12.1-conntrack-v2-ranges.patch @@ -0,0 +1,48 @@ +commit 3412bd0bfb8b8bac9834cbfd3392b3d5487133bf +Author: Tom Eastep <teastep@shorewall.net> +Date: Thu Aug 18 15:11:16 2011 -0700 + + libxt_conntrack: improve error message on parsing violation + + Tom Eastep noted: + + $ iptables -A foo -m conntrack --ctorigdstport 22 + iptables v1.4.12: conntrack rev 2 does not support port ranges + Try `iptables -h' or 'iptables --help' for more information. + + Commit v1.4.12-41-g1ad6407 takes care of the actual cause of the bug, + but let's include Tom's patch nevertheless for the better error + message in case one actually does specify a range with rev 2. + + References: http://marc.info/?l=netfilter-devel&m=131370592105298&w=2 + 
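Review bot: In `panic()` each table is flushed (`${iptables_bin} -F -t $a`, `${iptables_bin} -X -t $a`) before `set_table_policy $a DROP` runs, so for a moment every chain is empty under its previous policy — ACCEPT whenever the preceding `rc-service ${iptables_name} stop` ran — which is the opposite of what a panic command is for. Setting the policy first closes that gap inside the loop: move `set_table_policy $a DROP` above the `${iptables_bin} -F -t $a` line. The stop call itself still sets ACCEPT on the way in, so the window is only narrowed unless `panic` avoids calling `stop` at all. The same flush-before-DROP order appears in iptables-1.3.2.init, iptables-1.4.13.init and iptables-1.4.13-r1.init in this commit.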
Signed-off-by: Jan Engelhardt <jengelh@medozas.de> + +diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c +index 060b947..fff69f8 100644 +--- a/extensions/libxt_conntrack.c ++++ b/extensions/libxt_conntrack.c +@@ -129,13 +129,20 @@ static const struct xt_option_entry conntrack2_mt_opts[] = { + .flags = XTOPT_INVERT}, + {.name = "ctexpire", .id = O_CTEXPIRE, .type = XTTYPE_UINT32RC, + .flags = XTOPT_INVERT}, +- {.name = "ctorigsrcport", .id = O_CTORIGSRCPORT, .type = XTTYPE_PORT, ++ /* ++ * Rev 1 and 2 only store one port, and we would normally use ++ * %XTTYPE_PORT (rather than %XTTYPE_PORTRC) for that. The resulting ++ * error message - in case a user passed a range nevertheless - ++ * "port 22:23 resolved to nothing" is not quite as useful as using ++ * %XTTYPE_PORTC and libxt_conntrack's own range test. ++ */ ++ {.name = "ctorigsrcport", .id = O_CTORIGSRCPORT, .type = XTTYPE_PORTRC, + .flags = XTOPT_INVERT | XTOPT_NBO}, +- {.name = "ctorigdstport", .id = O_CTORIGDSTPORT, .type = XTTYPE_PORT, ++ {.name = "ctorigdstport", .id = O_CTORIGDSTPORT, .type = XTTYPE_PORTRC, + .flags = XTOPT_INVERT | XTOPT_NBO}, +- {.name = "ctreplsrcport", .id = O_CTREPLSRCPORT, .type = XTTYPE_PORT, ++ {.name = "ctreplsrcport", .id = O_CTREPLSRCPORT, .type = XTTYPE_PORTRC, + .flags = XTOPT_INVERT | XTOPT_NBO}, +- {.name = "ctrepldstport", .id = O_CTREPLDSTPORT, .type = XTTYPE_PORT, ++ {.name = "ctrepldstport", .id = O_CTREPLDSTPORT, .type = XTTYPE_PORTRC, + .flags = XTOPT_INVERT | XTOPT_NBO}, + {.name = "ctdir", .id = O_CTDIR, .type = XTTYPE_STRING}, + XTOPT_TABLEEND, diff --git a/net-firewall/iptables/files/iptables-1.4.12.1-lm.patch b/net-firewall/iptables/files/iptables-1.4.12.1-lm.patch new file mode 100644 index 000000000000..4d9e1d8ed4dd --- /dev/null +++ b/net-firewall/iptables/files/iptables-1.4.12.1-lm.patch 
@@ -0,0 +1,61 @@ +parent 2ca6273c73b42e8c74afd5f8b1fe10c5c93ce363 (v1.4.12-43-g2ca6273) +commit d4e72dc1c684c2f8361d87e6bde2902cd2ee8efb +Author: Jan Engelhardt <jengelh@medozas.de> +Date: Sat Sep 3 13:34:40 2011 +0200 + +libxt_statistic: link with -lm + +$ ldd -r libxt_statistic.so +undefined symbol: lround (./libxt_statistic.so) + +References: https://bugs.archlinux.org/task/25358 +Signed-off-by: Jan Engelhardt <jengelh@medozas.de> +--- + extensions/GNUmakefile.in | 5 ++++- + iptables/Makefile.am | 9 +++++++-- + 2 files changed, 11 insertions(+), 3 deletions(-) + +diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in +index 2b48d84..dbf210c 100644 +--- a/extensions/GNUmakefile.in ++++ b/extensions/GNUmakefile.in +@@ -90,11 +90,14 @@ init%.o: init%.c + # Shared libraries + # + lib%.so: lib%.oo +- ${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $<; ++ ${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $< ${$*_LIBADD}; + + lib%.oo: ${srcdir}/lib%.c + ${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=lib$*_init -DPIC -fPIC ${CFLAGS} -o $@ -c $<; + ++# Need the LIBADDs in iptables/Makefile.am too for libxtables_la_LIBADD ++xt_statistic_LIBADD = -lm ++ + + # + # Static bits +diff --git a/iptables/Makefile.am b/iptables/Makefile.am +index addb159..f6db32d 100644 +--- a/iptables/Makefile.am ++++ b/iptables/Makefile.am +@@ -6,12 +6,17 @@ AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include -I${top_srcdir} + lib_LTLIBRARIES = libxtables.la + libxtables_la_SOURCES = xtables.c xtoptions.c + libxtables_la_LDFLAGS = -version-info ${libxtables_vcurrent}:0:${libxtables_vage} ++libxtables_la_LIBADD = ++if ENABLE_STATIC ++# With --enable-static, shipped extensions are linked into the main executable, ++# so we need all the LIBADDs here too ++libxtables_la_LIBADD += -lm ++endif + if ENABLE_SHARED + libxtables_la_CFLAGS = ${AM_CFLAGS} +-libxtables_la_LIBADD = -ldl ++libxtables_la_LIBADD += -ldl + else + 
libxtables_la_CFLAGS = ${AM_CFLAGS} -DNO_SHARED_LIBS=1 +-libxtables_la_LIBADD = + endif + + xtables_multi_SOURCES = xtables-multi.c iptables-xml.c diff --git a/net-firewall/iptables/files/iptables-1.4.13-r1.init b/net-firewall/iptables/files/iptables-1.4.13-r1.init new file mode 100644 index 000000000000..440e840c41a8 --- /dev/null +++ b/net-firewall/iptables/files/iptables-1.4.13-r1.init 
@@ -0,0 +1,130 @@
+#!/sbin/runscript
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+extra_commands="check save panic"
+extra_started_commands="reload"
+
+iptables_name=${SVCNAME}
+case ${iptables_name} in
+iptables|ip6tables) ;;
+*) iptables_name="iptables" ;;
+esac
+
+iptables_bin="/sbin/${iptables_name}"
+case ${iptables_name} in
+ iptables) iptables_proc="/proc/net/ip_tables_names"
+ iptables_save=${IPTABLES_SAVE};;
+ ip6tables) iptables_proc="/proc/net/ip6_tables_names"
+ iptables_save=${IP6TABLES_SAVE};;
+esac
+
+depend() {
+ need localmount #434774
+ before net
+}
+
+set_table_policy() {
+ local chains table=$1 policy=$2
+ case ${table} in
+ nat) chains="PREROUTING POSTROUTING OUTPUT";;
+ mangle) chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING";;
+ filter) chains="INPUT FORWARD OUTPUT";;
+ *) chains="";;
+ esac
+ local chain
+ for chain in ${chains} ; do
+ ${iptables_bin} -t ${table} -P ${chain} ${policy}
+ done
+}
+
+checkkernel() {
+ if [ ! -e ${iptables_proc} ] ; then
+ eerror "Your kernel lacks ${iptables_name} support, please load"
+ eerror "appropriate modules and try again."
+ return 1
+ fi
+ return 0
+}
+checkconfig() {
+ if [ ! -f ${iptables_save} ] ; then
+ eerror "Not starting ${iptables_name}. First create some rules then run:"
+ eerror "/etc/init.d/${iptables_name} save"
+ return 1
+ fi
+ return 0
+}
+
+start() {
+ checkconfig || return 1
+ ebegin "Loading ${iptables_name} state and starting firewall"
+ ${iptables_bin}-restore ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
+ eend $?
+}
+
+stop() {
+ if [ "${SAVE_ON_STOP}" = "yes" ] ; then
+ save || return 1
+ fi
+ checkkernel || return 1
+ ebegin "Stopping firewall"
+ local a
+ for a in $(cat ${iptables_proc}) ; do
+ set_table_policy $a ACCEPT
+
+ ${iptables_bin} -F -t $a
+ ${iptables_bin} -X -t $a
+ done
+ eend $?
+}
+
+reload() {
+ checkkernel || return 1
+ checkrules || return 1
+ ebegin "Flushing firewall"
+ local a
+ for a in $(cat ${iptables_proc}) ; do
+ ${iptables_bin} -F -t $a
+ ${iptables_bin} -X -t $a
+ done
+ eend $?
+
+ start
+}
+
+checkrules() {
+ ebegin "Checking rules"
+ ${iptables_bin}-restore --test ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
+ eend $?
+}
+
+check() {
+ # Short name for users of init.d script.
+ checkrules
+}
+
+save() {
+ ebegin "Saving ${iptables_name} state"
+ checkpath -q -d "$(dirname "${iptables_save}")"
+ checkpath -q -m 0600 -f "${iptables_save}"
+ ${iptables_bin}-save ${SAVE_RESTORE_OPTIONS} > "${iptables_save}"
+ eend $?
+}
+
+panic() {
+ checkkernel || return 1
+ if service_started ${iptables_name}; then
+ rc-service ${iptables_name} stop
+ fi
+
+ local a
+ ebegin "Dropping all packets"
+ for a in $(cat ${iptables_proc}) ; do
+ ${iptables_bin} -F -t $a
+ ${iptables_bin} -X -t $a
+
+ set_table_policy $a DROP
+ done
+ eend $?
+}
diff --git a/net-firewall/iptables/files/iptables-1.4.13.confd b/net-firewall/iptables/files/iptables-1.4.13.confd
new file mode 100644
index 000000000000..7225374c3a8a
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-1.4.13.confd
@@ -0,0 +1,19 @@
+# /etc/conf.d/iptables
+
+# Location in which iptables initscript will save set rules on
+# service shutdown
+IPTABLES_SAVE="/var/lib/iptables/rules-save"
+
+# Options to pass to iptables-save and iptables-restore
+SAVE_RESTORE_OPTIONS="-c"
+
+# Save state on stopping iptables
+SAVE_ON_STOP="yes"
+
+# If you need to log iptables messages as soon as iptables starts,
+# AND your logger does NOT depend on the network, then you may wish
+# to uncomment the next line.
+# If your logger depends on the network, and you uncomment this line
+# you will create an unresolvable circular dependency during startup.
+# After commenting or uncommenting this line, you must run 'rc-update -u'.
+#rc_use="logger"
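Review bot: `save()` redirects `${iptables_bin}-save` straight onto `"${iptables_save}"`, so the shell truncates the file before the dump begins; if the dump then fails, `eend $?` reports it but the only copy of the ruleset is now empty or partial, and the next `start` has nothing valid to load while `checkconfig` still passes because the file exists. Dump into a 0600 sibling first and rename it over the target only when the dump succeeded, so the last good ruleset survives a failed save; the `checkpath -m 0600 -f` treatment moves to the temporary so the rename carries the mode. The `stop()` path with `SAVE_ON_STOP="yes"` relies on `save` returning non-zero to abort, which the `&&` list below preserves.

```shell
save() {
	ebegin "Saving ${iptables_name} state"
	checkpath -q -d "$(dirname "${iptables_save}")"
	# Dump into a 0600 sibling first so a failed dump never truncates the last good ruleset.
	local tmp="${iptables_save}.tmp"
	checkpath -q -m 0600 -f "${tmp}"
	${iptables_bin}-save ${SAVE_RESTORE_OPTIONS} > "${tmp}" && mv -f "${tmp}" "${iptables_save}"
	eend $?
}
```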
diff --git a/net-firewall/iptables/files/iptables-1.4.13.init b/net-firewall/iptables/files/iptables-1.4.13.init
new file mode 100644
index 000000000000..a45c6d1a9918
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-1.4.13.init
@@ -0,0 +1,116 @@
+#!/sbin/runscript
+# Copyright 1999-2012 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+extra_commands="save panic"
+extra_started_commands="reload"
+
+iptables_name=${SVCNAME}
+if [ "${iptables_name}" != "iptables" -a "${iptables_name}" != "ip6tables" ] ; then
+ iptables_name="iptables"
+fi
+
+iptables_bin="/sbin/${iptables_name}"
+case ${iptables_name} in
+ iptables) iptables_proc="/proc/net/ip_tables_names"
+ iptables_save=${IPTABLES_SAVE};;
+ ip6tables) iptables_proc="/proc/net/ip6_tables_names"
+ iptables_save=${IP6TABLES_SAVE};;
+esac
+
+depend() {
+ before net
+}
+
+set_table_policy() {
+ local chains table=$1 policy=$2
+ case ${table} in
+ nat) chains="PREROUTING POSTROUTING OUTPUT";;
+ mangle) chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING";;
+ filter) chains="INPUT FORWARD OUTPUT";;
+ *) chains="";;
+ esac
+ local chain
+ for chain in ${chains} ; do
+ ${iptables_bin} -t ${table} -P ${chain} ${policy}
+ done
+}
+
+checkkernel() {
+ if [ ! -e ${iptables_proc} ] ; then
+ eerror "Your kernel lacks ${iptables_name} support, please load"
+ eerror "appropriate modules and try again."
+ return 1
+ fi
+ return 0
+}
+checkconfig() {
+ if [ ! -f ${iptables_save} ] ; then
+ eerror "Not starting ${iptables_name}. First create some rules then run:"
+ eerror "/etc/init.d/${iptables_name} save"
+ return 1
+ fi
+ return 0
+}
+
+start() {
+ checkconfig || return 1
+ ebegin "Loading ${iptables_name} state and starting firewall"
+ ${iptables_bin}-restore ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
+ eend $?
+}
+
+stop() {
+ if [ "${SAVE_ON_STOP}" = "yes" ] ; then
+ save || return 1
+ fi
+ checkkernel || return 1
+ ebegin "Stopping firewall"
+ local a
+ for a in $(cat ${iptables_proc}) ; do
+ set_table_policy $a ACCEPT
+
+ ${iptables_bin} -F -t $a
+ ${iptables_bin} -X -t $a
+ done
+ eend $?
+}
+
+reload() {
+ checkkernel || return 1
+ ebegin "Flushing firewall"
+ local a
+ for a in $(cat ${iptables_proc}) ; do
+ ${iptables_bin} -F -t $a
+ ${iptables_bin} -X -t $a
+ done
+ eend $?
+
+ start
+}
+
+save() {
+ ebegin "Saving ${iptables_name} state"
+ touch "${iptables_save}"
+ chmod 0600 "${iptables_save}"
+ ${iptables_bin}-save ${SAVE_RESTORE_OPTIONS} > "${iptables_save}"
+ eend $?
+}
+
+panic() {
+ checkkernel || return 1
+ if service_started ${iptables_name}; then
+ rc-service ${iptables_name} stop
+ fi
+
+ local a
+ ebegin "Dropping all packets"
+ for a in $(cat ${iptables_proc}) ; do
+ ${iptables_bin} -F -t $a
+ ${iptables_bin} -X -t $a
+
+ set_table_policy $a DROP
+ done
+ eend $?
+}
diff --git a/net-firewall/iptables/files/iptables-1.4.16.2-static.patch b/net-firewall/iptables/files/iptables-1.4.16.2-static.patch
new file mode 100644
index 000000000000..a5d6fe71f670
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-1.4.16.2-static.patch
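Review bot: `depend()` declares only `before net`, yet `start()` reads `"${iptables_save}"`, which the matching iptables-1.4.13.confd in this commit defaults to `/var/lib/iptables/rules-save`; if /var is a separate filesystem the service can be started before it is mounted, `checkconfig` then fails with its "Not starting" message and the host comes up with no firewall. iptables-1.4.13-r1.init in this same commit adds `need localmount #434774` to `depend()`, and that line belongs here too: `depend() {`, ` need localmount`, ` before net`. The same gap exists in iptables-1.3.2.init and iptables-1.4.11.init.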
@@ -0,0 +1,55 @@ +https://bugs.gentoo.org/437712 + +From 269655d54e22f3a36250bb2c4639dddd102258c6 Mon Sep 17 00:00:00 2001 +From: Jan Engelhardt <jengelh@inai.de> +Date: Mon, 8 Oct 2012 12:04:56 +0000 +Subject: [PATCH] build: remove symlink-only extensions from static object + list + +$ ./configure --enable-static --disable-shared --enable-ipv4 + --enable-ipv6 && make +[...] +make[3]: *** No rule to make target "libxt_NOTRACK.o", needed by +"libext.a". Stop. + +Signed-off-by: Jan Engelhardt <jengelh@inai.de> +Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> +--- + extensions/GNUmakefile.in | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in +index 8b38df9..1cef239 100644 +--- a/extensions/GNUmakefile.in ++++ b/extensions/GNUmakefile.in +@@ -39,7 +39,7 @@ endif + # Wildcard module list + # + pfx_build_mod := $(patsubst ${srcdir}/libxt_%.c,%,$(sort $(wildcard ${srcdir}/libxt_*.c))) +-pfx_build_mod += NOTRACK state ++pfx_symlinks := NOTRACK state + @ENABLE_IPV4_TRUE@ pf4_build_mod := $(patsubst ${srcdir}/libipt_%.c,%,$(sort $(wildcard ${srcdir}/libipt_*.c))) + @ENABLE_IPV6_TRUE@ pf6_build_mod := $(patsubst ${srcdir}/libip6t_%.c,%,$(sort $(wildcard ${srcdir}/libip6t_*.c))) + pfx_build_mod := $(filter-out @blacklist_modules@,${pfx_build_mod}) +@@ -48,7 +48,7 @@ pf6_build_mod := $(filter-out @blacklist_modules@,${pf6_build_mod}) + pfx_objs := $(patsubst %,libxt_%.o,${pfx_build_mod}) + pf4_objs := $(patsubst %,libipt_%.o,${pf4_build_mod}) + pf6_objs := $(patsubst %,libip6t_%.o,${pf6_build_mod}) +-pfx_solibs := $(patsubst %,libxt_%.so,${pfx_build_mod}) ++pfx_solibs := $(patsubst %,libxt_%.so,${pfx_build_mod} ${pfx_symlinks}) + pf4_solibs := $(patsubst %,libipt_%.so,${pf4_build_mod}) + pf6_solibs := $(patsubst %,libip6t_%.so,${pf6_build_mod}) + +@@ -220,7 +220,7 @@ man_run = \ + done >$@; + + matches.man: .initext.dd .initext4.dd .initext6.dd $(wildcard ${srcdir}/lib*.man) +- $(call 
man_run,$(call ex_matches,${pfx_build_mod} ${pf4_build_mod} ${pf6_build_mod})) ++ $(call man_run,$(call ex_matches,${pfx_build_mod} ${pf4_build_mod} ${pf6_build_mod} ${pfx_symlinks})) + + targets.man: .initext.dd .initext4.dd .initext6.dd $(wildcard ${srcdir}/lib*.man) +- $(call man_run,$(call ex_targets,${pfx_build_mod} ${pf4_build_mod} ${pf6_build_mod})) ++ $(call man_run,$(call ex_targets,${pfx_build_mod} ${pf4_build_mod} ${pf6_build_mod} ${pfx_symlinks})) +-- +1.7.12 + diff --git a/net-firewall/iptables/files/iptables-1.4.17-libip6tc.patch b/net-firewall/iptables/files/iptables-1.4.17-libip6tc.patch new file mode 100644 index 000000000000..5212dd253aa8 --- /dev/null +++ b/net-firewall/iptables/files/iptables-1.4.17-libip6tc.patch @@ -0,0 +1,32 @@ +From d42bc7c100de69396a527e90736198f8e4e3000b Mon Sep 17 00:00:00 2001 +From: Mike Frysinger <vapier@gentoo.org> +Date: Sun, 30 Dec 2012 18:06:15 -0500 +Subject: [PATCH] extensions: fix linking against -lip6tc + +The current build forgets to specify a path to find libip6tc which means +it either fails (if there is no libip6tc in the system), or links against +an old version (if there is one in the system). + +References: https://bugs.gentoo.org/449262 +Reported-by: Mike Gilbert <floppym@gentoo.org> +Signed-off-by: Mike Frysinger <vapier@gentoo.org> +--- + extensions/GNUmakefile.in | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in +index e71e3ff..a605474 100644 +--- a/extensions/GNUmakefile.in ++++ b/extensions/GNUmakefile.in +@@ -101,7 +101,7 @@ libxt_state.so: libxt_conntrack.so + ln -fs $< $@ + + # Need the LIBADDs in iptables/Makefile.am too for libxtables_la_LIBADD +-ip6t_NETMAP_LIBADD = -lip6tc ++ip6t_NETMAP_LIBADD = -L../libiptc/.libs -lip6tc + xt_RATEEST_LIBADD = -lm + xt_statistic_LIBADD = -lm + +-- +1.8.0 + 
diff --git a/net-firewall/iptables/files/iptables-1.4.18-extensions-link.patch b/net-firewall/iptables/files/iptables-1.4.18-extensions-link.patch
new file mode 100644
index 000000000000..33d048163a18
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-1.4.18-extensions-link.patch
@@ -0,0 +1,74 @@ +From 37b19d08f3cbc83a653386d76261490e173a874b Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso <pablo@netfilter.org> +Date: Sat, 16 Mar 2013 12:15:30 +0100 +Subject: [PATCH] Revert "build: resolve link failure for ip6t_NETMAP" + +This reverts commit 68e77a26111ee6b8f10c735a76891a7de6d57ee6. + +The use of libtool was introduced to resolve linking problems +in NETMAP (IPv6 version), but that resulted in RPATH problems +reported from distributors and warnings spotted by libtool at +linking stage. + +Since (0ca548b libip6t_NETMAP: Use xtables_ip6mask_to_cidr and +get rid of libip6tc dependency) fixed the NETMAP issue, let's +roll back to our previous stage. + +A small conflicts in extensions/GNUmakefile.in has been resolved +in this revert. + +Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> +--- + extensions/GNUmakefile.in | 18 +++++++----------- + 1 file changed, 7 insertions(+), 11 deletions(-) + +diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in +index 3db6985..1ae7f74 100644 +--- a/extensions/GNUmakefile.in ++++ b/extensions/GNUmakefile.in +@@ -33,7 +33,6 @@ AM_VERBOSE_CXX = @echo " CXX " $@; + AM_VERBOSE_CXXLD = @echo " CXXLD " $@; + AM_VERBOSE_AR = @echo " AR " $@; + AM_VERBOSE_GEN = @echo " GEN " $@; +-AM_VERBOSE_NULL = @ + endif + + # +@@ -76,7 +75,7 @@ install: ${targets_install} + if test -n "${targets_install}"; then install -pm0755 $^ "${DESTDIR}${xtlibdir}/"; fi; + + clean: +- rm -f *.la *.o *.lo *.so *.a {matches,targets}.man initext.c initext4.c initext6.c; ++ rm -f *.o *.oo *.so *.a {matches,targets}.man initext.c initext4.c initext6.c; + rm -f .*.d .*.dd; + + distclean: clean +@@ -90,19 +89,16 @@ init%.o: init%.c + # + # Shared libraries + # +-lib%.so: lib%.la +- ${AM_VERBOSE_NULL} ln -fs .libs/$@ $@ ++lib%.so: lib%.oo ++ ${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $< -L../libxtables/.libs -lxtables ${$*_LIBADD}; + +-lib%.la: lib%.lo +- ${AM_VERBOSE_CCLD} ../libtool ${AM_LIBTOOL_SILENT} 
--tag=CC --mode=link ${CCLD} ${AM_LDFLAGS} -module ${LDFLAGS} -o $@ $< ../libxtables/libxtables.la ${$*_LIBADD} -rpath ${xtlibdir} +- +-lib%.lo: ${srcdir}/lib%.c +- ${AM_VERBOSE_CC} ../libtool ${AM_LIBTOOL_SILENT} --tag=CC --mode=compile ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=lib$*_init ${CFLAGS} -o $@ -c $< ++lib%.oo: ${srcdir}/lib%.c ++ ${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=lib$*_init -DPIC -fPIC ${CFLAGS} -o $@ -c $<; + + libxt_NOTRACK.so: libxt_CT.so +- ${AM_VERBOSE_GEN} ln -fs $< $@ ++ ln -fs $< $@ + libxt_state.so: libxt_conntrack.so +- ${AM_VERBOSE_GEN} ln -fs $< $@ ++ ln -fs $< $@ + + # Need the LIBADDs in iptables/Makefile.am too for libxtables_la_LIBADD + xt_RATEEST_LIBADD = -lm +-- +1.8.2.1 + diff --git a/net-firewall/iptables/files/iptables-1.4.18-ipv6-linkage.patch b/net-firewall/iptables/files/iptables-1.4.18-ipv6-linkage.patch new file mode 100644 index 000000000000..52829de24a5f --- /dev/null +++ b/net-firewall/iptables/files/iptables-1.4.18-ipv6-linkage.patch 
@@ -0,0 +1,88 @@ +From cccfff9309743f173c504dd265fae173caa5b47f Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso <pablo@netfilter.org> +Date: Sat, 16 Mar 2013 12:11:07 +0100 +Subject: [PATCH] libip6t_NETMAP: Use xtables_ip6mask_to_cidr and get rid of + libip6tc dependency + +This patch changes the NETMAP target extension (IPv6 side) to use +the xtables_ip6mask_to_cidr available in libxtables. + +As a side effect, we get rid of the libip6tc dependency. + +Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> +--- + extensions/GNUmakefile.in | 1 - + extensions/libip6t_NETMAP.c | 2 +- + include/libiptc/libip6tc.h | 3 --- + iptables/ip6tables.c | 2 +- + libiptc/libip6tc.c | 2 +- + 5 files changed, 3 insertions(+), 7 deletions(-) + +diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in +index adad4d6..3db6985 100644 +--- a/extensions/GNUmakefile.in ++++ b/extensions/GNUmakefile.in +@@ -105,7 +105,6 @@ libxt_state.so: libxt_conntrack.so + ${AM_VERBOSE_GEN} ln -fs $< $@ + + # Need the LIBADDs in iptables/Makefile.am too for libxtables_la_LIBADD +-ip6t_NETMAP_LIBADD = ../libiptc/libip6tc.la + xt_RATEEST_LIBADD = -lm + xt_statistic_LIBADD = -lm + +diff --git a/extensions/libip6t_NETMAP.c b/extensions/libip6t_NETMAP.c +index d14dece..a4df70e 100644 +--- a/extensions/libip6t_NETMAP.c ++++ b/extensions/libip6t_NETMAP.c +@@ -61,7 +61,7 @@ static void NETMAP_print(const void *ip, const struct xt_entry_target *target, + printf("%s", xtables_ip6addr_to_numeric(&a)); + for (i = 0; i < 4; i++) + a.s6_addr32[i] = ~(r->min_addr.ip6[i] ^ r->max_addr.ip6[i]); +- bits = ipv6_prefix_length(&a); ++ bits = xtables_ip6mask_to_cidr(&a); + if (bits < 0) + printf("/%s", xtables_ip6addr_to_numeric(&a)); + else +diff --git a/include/libiptc/libip6tc.h b/include/libiptc/libip6tc.h +index c656bc4..9aed80a 100644 +--- a/include/libiptc/libip6tc.h ++++ b/include/libiptc/libip6tc.h +@@ -154,9 +154,6 @@ int ip6tc_get_raw_socket(void); + /* Translates errno numbers into more 
human-readable form than strerror. */ + const char *ip6tc_strerror(int err); + +-/* Return prefix length, or -1 if not contiguous */ +-int ipv6_prefix_length(const struct in6_addr *a); +- + extern void dump_entries6(struct xtc_handle *const); + + extern const struct xtc_ops ip6tc_ops; +diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c +index 4cfbea3..7d02cc1 100644 +--- a/iptables/ip6tables.c ++++ b/iptables/ip6tables.c +@@ -1022,7 +1022,7 @@ static void print_ip(const char *prefix, const struct in6_addr *ip, + const struct in6_addr *mask, int invert) + { + char buf[51]; +- int l = ipv6_prefix_length(mask); ++ int l = xtables_ip6mask_to_cidr(mask); + + if (l == 0 && !invert) + return; +diff --git a/libiptc/libip6tc.c b/libiptc/libip6tc.c +index 7128e1c..ca01bcb 100644 +--- a/libiptc/libip6tc.c ++++ b/libiptc/libip6tc.c +@@ -113,7 +113,7 @@ typedef unsigned int socklen_t; + #define BIT6(a, l) \ + ((ntohl(a->s6_addr32[(l) / 32]) >> (31 - ((l) & 31))) & 1) + +-int ++static int + ipv6_prefix_length(const struct in6_addr *a) + { + int l, i; +-- +1.8.2.1 + diff --git a/net-firewall/iptables/files/systemd/ip6tables-restore.service b/net-firewall/iptables/files/systemd/ip6tables-restore.service new file mode 100644 index 000000000000..88415fa37a64 --- /dev/null +++ b/net-firewall/iptables/files/systemd/ip6tables-restore.service @@ -0,0 +1,14 @@ +[Unit] +Description=Restore ip6tables firewall rules +# if both are queued for some reason, don't store before restoring :) +Before=ip6tables-store.service +# sounds reasonable to have firewall up before any of the services go up +Before=network.target +Conflicts=shutdown.target + +[Service] +Type=oneshot +ExecStart=/sbin/ip6tables-restore /var/lib/ip6tables/rules-save + +[Install] +WantedBy=basic.target diff --git a/net-firewall/iptables/files/systemd/ip6tables-store.service b/net-firewall/iptables/files/systemd/ip6tables-store.service new file mode 100644 index 000000000000..9975378353d3 --- /dev/null 
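Review bot: `Before=network.target` in ip6tables-restore.service does not guarantee the rules are loaded before any interface is configured; network.target is only a synchronization point that network management services order themselves before, and with default dependencies this unit cannot start until after sysinit.target anyway, so a networkd- or udev-configured interface can plausibly be up with no IPv6 filtering in place. The systemd hook intended for firewall scripts is network-pre.target, which must be both pulled in and ordered against: `Wants=network-pre.target` plus `Before=network-pre.target`, together with `DefaultDependencies=no` and `After=local-fs.target` so /var/lib is mounted before the save file is read — worth confirming against the systemd version the tree targets. A `ConditionPathExists=/var/lib/ip6tables/rules-save` line would also keep the unit out of the failed state on a host that has never saved rules. iptables-restore.service in this commit has the same ordering.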
+++ b/net-firewall/iptables/files/systemd/ip6tables-store.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Store ip6tables firewall rules
+Before=shutdown.target
+DefaultDependencies=No
+
+[Service]
+Type=oneshot
+ExecStart=/bin/sh -c "/sbin/ip6tables-save --counters > /var/lib/ip6tables/rules-save"
+
+[Install]
+WantedBy=shutdown.target
diff --git a/net-firewall/iptables/files/systemd/ip6tables.service b/net-firewall/iptables/files/systemd/ip6tables.service
new file mode 100644
index 000000000000..0a6d7fa1c8ab
--- /dev/null
+++ b/net-firewall/iptables/files/systemd/ip6tables.service
@@ -0,0 +1,6 @@
+[Unit]
+Description=Store and restore ip6tables firewall rules
+
+[Install]
+Also=ip6tables-store.service
+Also=ip6tables-restore.service
diff --git a/net-firewall/iptables/files/systemd/iptables-restore.service b/net-firewall/iptables/files/systemd/iptables-restore.service
new file mode 100644
index 000000000000..9d568d78b309
--- /dev/null
+++ b/net-firewall/iptables/files/systemd/iptables-restore.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Restore iptables firewall rules
+# if both are queued for some reason, don't store before restoring :)
+Before=iptables-store.service
+# sounds reasonable to have firewall up before any of the services go up
+Before=network.target
+Conflicts=shutdown.target
+
+[Service]
+Type=oneshot
+ExecStart=/sbin/iptables-restore /var/lib/iptables/rules-save
+
+[Install]
+WantedBy=basic.target
diff --git a/net-firewall/iptables/files/systemd/iptables-store.service b/net-firewall/iptables/files/systemd/iptables-store.service
new file mode 100644
index 000000000000..aa16e75e9ccf
--- /dev/null
+++ b/net-firewall/iptables/files/systemd/iptables-store.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Store iptables firewall rules
+Before=shutdown.target
+DefaultDependencies=No
+
+[Service]
+Type=oneshot
+ExecStart=/bin/sh -c "/sbin/iptables-save --counters > /var/lib/iptables/rules-save"
+
+[Install]
+WantedBy=shutdown.target
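Review bot: The shell redirection in the ExecStart of ip6tables-store.service truncates /var/lib/ip6tables/rules-save before ip6tables-save produces any output, so if the dump fails part-way (e.g. ip6_tables not loadable, /var read-only or full) the previously stored ruleset is replaced by an empty or partial file, and the restore unit will then load that reduced ruleset at the next boot. Write to a temporary file and rename only on success, e.g. `ExecStart=/bin/sh -c "umask 077 && /sbin/ip6tables-save --counters > /var/lib/ip6tables/rules-save.tmp && mv -f /var/lib/ip6tables/rules-save.tmp /var/lib/ip6tables/rules-save"`; the umask keeps a newly created dump from being world-readable under the usual 022 default, which matters because the file exposes the complete filtering policy. The unit also assumes /var/lib/ip6tables already exists, since the redirection will not create it. iptables-store.service in this commit has the same shape.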
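Review bot: A failed restore in iptables-restore.service is invisible to the rest of the boot: `Before=network.target` expresses ordering only, so if iptables-restore exits non-zero (save file absent on a fresh install, a rule referencing a match or target the kernel lacks) the unit is marked failed but network.target and everything behind it still comes up with the kernel's default ACCEPT policies. If fail-closed is the intent, the dependency has to come from the other side, for instance a drop-in giving network.target `Requires=iptables-restore.service`; at minimum `ConditionPathExists=/var/lib/iptables/rules-save` keeps the unit from failing on hosts that have never saved rules, and a comment such as `# Best effort: a failed restore does not block the network from coming up` under [Unit] would make the current behaviour explicit. The same applies to ip6tables-restore.service.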
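Review bot: Saving the live ruleset unconditionally at every shutdown deserves a comment in iptables-store.service, because it turns whatever is in the kernel at that moment into the persistent policy: rules inserted at runtime by other software, or by anyone who obtained root, survive the reboot, and a rules-save file an administrator edited by hand is silently overwritten by the runtime state. A line such as `# Overwrites /var/lib/iptables/rules-save with the running ruleset on every shutdown; mask this unit if the file is managed by hand` under [Unit] would make that trade-off visible, since the iptables.service meta-unit enables this together with the restore unit. `DefaultDependencies=No` also drops the implicit After=sysinit.target and with it any ordering relative to local file systems, so `RequiresMountsFor=/var/lib/iptables` is the usual way to make sure /var is still mounted when this runs during shutdown, though its effect on a unit that is started rather than stopped at that point should be confirmed. ip6tables-store.service has the same shape.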
diff --git a/net-firewall/iptables/files/systemd/iptables.service b/net-firewall/iptables/files/systemd/iptables.service new file mode 100644 index 000000000000..3643a3e31034 --- /dev/null +++ b/net-firewall/iptables/files/systemd/iptables.service @@ -0,0 +1,6 @@ +[Unit] +Description=Store and restore iptables firewall rules + +[Install] +Also=iptables-store.service +Also=iptables-restore.service |