summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRobin H. Johnson <robbat2@gentoo.org>2015-08-08 13:49:04 -0700
committerRobin H. Johnson <robbat2@gentoo.org>2015-08-08 17:38:18 -0700
commit56bd759df1d0c750a065b8c845e93d5dfa6b549d (patch)
tree3f91093cdb475e565ae857f1c5a7fd339e2d781e /net-firewall
downloadgentoo-56bd759df1d0c750a065b8c845e93d5dfa6b549d.tar.gz
gentoo-56bd759df1d0c750a065b8c845e93d5dfa6b549d.tar.bz2
gentoo-56bd759df1d0c750a065b8c845e93d5dfa6b549d.zip
proj/gentoo: Initial commit
This commit represents a new era for Gentoo: Storing the gentoo-x86 tree in Git, as converted from CVS. This commit is the start of the NEW history. Any historical data is intended to be grafted onto this point. Creation process: 1. Take final CVS checkout snapshot 2. Remove ALL ChangeLog* files 3. Transform all Manifests to thin 4. Remove empty Manifests 5. Convert all stale $Header$/$Id$ CVS keywords to non-expanded Git $Id$ 5.1. Do not touch files with -kb/-ko keyword flags. Signed-off-by: Robin H. Johnson <robbat2@gentoo.org> X-Thanks: Alec Warner <antarus@gentoo.org> - did the GSoC 2006 migration tests X-Thanks: Robin H. Johnson <robbat2@gentoo.org> - infra guy, herding this project X-Thanks: Nguyen Thai Ngoc Duy <pclouds@gentoo.org> - Former Gentoo developer, wrote Git features for the migration X-Thanks: Brian Harring <ferringb@gentoo.org> - wrote much python to improve cvs2svn X-Thanks: Rich Freeman <rich0@gentoo.org> - validation scripts X-Thanks: Patrick Lauer <patrick@gentoo.org> - Gentoo dev, running new 2014 work in migration X-Thanks: Michał Górny <mgorny@gentoo.org> - scripts, QA, nagging X-Thanks: All of other Gentoo developers - many ideas and lots of paint on the bikeshed
Diffstat (limited to 'net-firewall')
-rw-r--r--net-firewall/arno-iptables-firewall/Manifest2
-rw-r--r--net-firewall/arno-iptables-firewall/arno-iptables-firewall-2.0.1d-r2.ebuild90
-rw-r--r--net-firewall/arno-iptables-firewall/arno-iptables-firewall-2.0.1e.ebuild91
-rw-r--r--net-firewall/arno-iptables-firewall/files/arno-iptables-firewall27
-rw-r--r--net-firewall/arno-iptables-firewall/files/arno-iptables-firewall.service14
-rw-r--r--net-firewall/arno-iptables-firewall/files/rc.firewall_replace_opts.patch11
-rw-r--r--net-firewall/arno-iptables-firewall/metadata.xml12
-rw-r--r--net-firewall/arptables/Manifest1
-rw-r--r--net-firewall/arptables/arptables-0.0.3.4-r2.ebuild39
-rw-r--r--net-firewall/arptables/files/arptables-0.0.3.4-arptables_save.patch24
-rw-r--r--net-firewall/arptables/files/arptables-0.0.3.4-ldflags.patch13
-rw-r--r--net-firewall/arptables/files/arptables-0.0.3.4-manpage.patch12
-rw-r--r--net-firewall/arptables/files/arptables-0.0.3.4-type.patch17
-rw-r--r--net-firewall/arptables/metadata.xml8
-rw-r--r--net-firewall/conntrack-tools/Manifest1
-rw-r--r--net-firewall/conntrack-tools/conntrack-tools-1.4.2.ebuild83
-rw-r--r--net-firewall/conntrack-tools/files/conntrackd.confd-r214
-rw-r--r--net-firewall/conntrack-tools/files/conntrackd.initd-r377
-rw-r--r--net-firewall/conntrack-tools/metadata.xml10
-rw-r--r--net-firewall/dshieldpy/Manifest1
-rw-r--r--net-firewall/dshieldpy/dshieldpy-3.2-r1.ebuild27
-rw-r--r--net-firewall/dshieldpy/metadata.xml10
-rw-r--r--net-firewall/ebtables/Manifest1
-rw-r--r--net-firewall/ebtables/ebtables-2.0.10.4-r1.ebuild68
-rw-r--r--net-firewall/ebtables/ebtables-2.0.10.4.ebuild68
-rw-r--r--net-firewall/ebtables/files/ebtables-2.0.8.1-ebt-save.diff31
-rw-r--r--net-firewall/ebtables/files/ebtables.confd-r111
-rw-r--r--net-firewall/ebtables/files/ebtables.initd-r1102
-rw-r--r--net-firewall/ebtables/metadata.xml8
-rw-r--r--net-firewall/ferm/Manifest1
-rw-r--r--net-firewall/ferm/ferm-2.2.ebuild38
-rw-r--r--net-firewall/ferm/metadata.xml7
-rw-r--r--net-firewall/firehol/Manifest2
-rw-r--r--net-firewall/firehol/files/RESERVED_IPS19
-rw-r--r--net-firewall/firehol/files/firehol-1.273-CVE-2008-4953.patch58
-rw-r--r--net-firewall/firehol/files/firehol-1.273-log-output.patch11
-rw-r--r--net-firewall/firehol/files/firehol-2.0.2-autosave.patch18
-rw-r--r--net-firewall/firehol/files/firehol.conf.d2
-rw-r--r--net-firewall/firehol/files/firehol.initrd.167
-rw-r--r--net-firewall/firehol/files/fireqos.conf.d2
-rw-r--r--net-firewall/firehol/files/fireqos.initrd45
-rw-r--r--net-firewall/firehol/firehol-1.273-r3.ebuild78
-rw-r--r--net-firewall/firehol/firehol-2.0.2.ebuild61
-rw-r--r--net-firewall/firehol/metadata.xml7
-rw-r--r--net-firewall/firewalld/Manifest3
-rw-r--r--net-firewall/firewalld/files/firewalld-0.3.10-py3k-compat.patch24
-rw-r--r--net-firewall/firewalld/files/firewalld.init13
-rw-r--r--net-firewall/firewalld/firewalld-0.3.10.ebuild98
-rw-r--r--net-firewall/firewalld/firewalld-0.3.13.ebuild98
-rw-r--r--net-firewall/firewalld/firewalld-0.3.14.2.ebuild97
-rw-r--r--net-firewall/firewalld/metadata.xml18
-rw-r--r--net-firewall/fwanalog/Manifest1
-rw-r--r--net-firewall/fwanalog/fwanalog-0.6.4.ebuild39
-rw-r--r--net-firewall/fwanalog/metadata.xml8
-rw-r--r--net-firewall/fwbuilder/Manifest2
-rw-r--r--net-firewall/fwbuilder/files/fwbuilder-5.0.0.3568-ldflags.patch11
-rw-r--r--net-firewall/fwbuilder/files/fwbuilder-5.0.1.3592-gcc47.patch11
-rw-r--r--net-firewall/fwbuilder/files/fwbuilder-5.0.1.3592-stdc-format-macros.patch51
-rw-r--r--net-firewall/fwbuilder/files/fwbuilder-5.1.0.3599-gcc47.patch11
-rw-r--r--net-firewall/fwbuilder/fwbuilder-5.0.1.3592-r1.ebuild53
-rw-r--r--net-firewall/fwbuilder/fwbuilder-5.1.0.3599.ebuild48
-rw-r--r--net-firewall/fwbuilder/metadata.xml10
-rw-r--r--net-firewall/fwipsec/Manifest1
-rw-r--r--net-firewall/fwipsec/fwipsec-0.4.2-r1.ebuild29
-rw-r--r--net-firewall/fwipsec/metadata.xml7
-rw-r--r--net-firewall/fwknop/Manifest1
-rw-r--r--net-firewall/fwknop/files/fwknopd.confd21
-rw-r--r--net-firewall/fwknop/files/fwknopd.init92
-rw-r--r--net-firewall/fwknop/files/fwknopd.service12
-rw-r--r--net-firewall/fwknop/files/fwknopd.tmpfiles.conf1
-rw-r--r--net-firewall/fwknop/fwknop-2.6.6-r1.ebuild105
-rw-r--r--net-firewall/fwknop/metadata.xml20
-rw-r--r--net-firewall/gshield/Manifest1
-rw-r--r--net-firewall/gshield/files/gshield.init27
-rw-r--r--net-firewall/gshield/gshield-2.8-r3.ebuild47
-rw-r--r--net-firewall/gshield/metadata.xml5
-rw-r--r--net-firewall/ipkungfu/Manifest2
-rw-r--r--net-firewall/ipkungfu/files/ipkungfu.init20
-rw-r--r--net-firewall/ipkungfu/files/ipkungfu_noiseless.patch24
-rw-r--r--net-firewall/ipkungfu/files/nat_ftp.patch11
-rw-r--r--net-firewall/ipkungfu/ipkungfu-0.5.2-r1.ebuild58
-rw-r--r--net-firewall/ipkungfu/ipkungfu-0.6.1.ebuild48
-rw-r--r--net-firewall/ipkungfu/metadata.xml11
-rw-r--r--net-firewall/ipsec-tools/Manifest3
-rw-r--r--net-firewall/ipsec-tools/files/ipsec-tools-0.8.0-sysctl.patch22
-rw-r--r--net-firewall/ipsec-tools/files/ipsec-tools-def-psk.patch25
-rw-r--r--net-firewall/ipsec-tools/files/ipsec-tools-include-vendoridh.patch11
-rw-r--r--net-firewall/ipsec-tools/files/ipsec-tools.conf26
-rw-r--r--net-firewall/ipsec-tools/files/psk.txt10
-rw-r--r--net-firewall/ipsec-tools/files/racoon.conf33
-rw-r--r--net-firewall/ipsec-tools/files/racoon.conf.d-r127
-rw-r--r--net-firewall/ipsec-tools/files/racoon.conf.d-r230
-rw-r--r--net-firewall/ipsec-tools/files/racoon.init.d-r257
-rw-r--r--net-firewall/ipsec-tools/files/racoon.init.d-r357
-rw-r--r--net-firewall/ipsec-tools/files/racoon.pam.d4
-rw-r--r--net-firewall/ipsec-tools/ipsec-tools-0.8.0-r5.ebuild276
-rw-r--r--net-firewall/ipsec-tools/ipsec-tools-0.8.1-r1.ebuild276
-rw-r--r--net-firewall/ipsec-tools/ipsec-tools-0.8.2.ebuild277
-rw-r--r--net-firewall/ipsec-tools/metadata.xml17
-rw-r--r--net-firewall/ipset/Manifest8
-rw-r--r--net-firewall/ipset/files/ipset.confd16
-rw-r--r--net-firewall/ipset/files/ipset.initd-r260
-rw-r--r--net-firewall/ipset/files/ipset.initd-r396
-rw-r--r--net-firewall/ipset/ipset-6.15.ebuild112
-rw-r--r--net-firewall/ipset/ipset-6.16.1.ebuild111
-rw-r--r--net-firewall/ipset/ipset-6.16.ebuild111
-rw-r--r--net-firewall/ipset/ipset-6.17.ebuild111
-rw-r--r--net-firewall/ipset/ipset-6.19.ebuild111
-rw-r--r--net-firewall/ipset/ipset-6.20.1.ebuild114
-rw-r--r--net-firewall/ipset/ipset-6.21.1.ebuild114
-rw-r--r--net-firewall/ipset/ipset-6.24.ebuild103
-rw-r--r--net-firewall/ipset/metadata.xml7
-rw-r--r--net-firewall/ipt_netflow/Manifest1
-rw-r--r--net-firewall/ipt_netflow/files/ipt_netflow-2.0-configure.patch10
-rw-r--r--net-firewall/ipt_netflow/files/ipt_netflow-2.1-linux-3.19.patch45
-rw-r--r--net-firewall/ipt_netflow/ipt_netflow-2.1.ebuild93
-rw-r--r--net-firewall/ipt_netflow/metadata.xml12
-rw-r--r--net-firewall/iptables/Manifest15
-rw-r--r--net-firewall/iptables/files/ip6tables-1.3.2.confd11
-rw-r--r--net-firewall/iptables/files/ip6tables-1.4.13.confd19
-rw-r--r--net-firewall/iptables/files/iptables-1.3.2.confd11
-rwxr-xr-xnet-firewall/iptables/files/iptables-1.3.2.init115
-rw-r--r--net-firewall/iptables/files/iptables-1.4.11.1-man-fixes.patch17
-rw-r--r--net-firewall/iptables/files/iptables-1.4.11.init117
-rw-r--r--net-firewall/iptables/files/iptables-1.4.12.1-conntrack-v2-ranges.patch48
-rw-r--r--net-firewall/iptables/files/iptables-1.4.12.1-lm.patch61
-rw-r--r--net-firewall/iptables/files/iptables-1.4.13-r1.init130
-rw-r--r--net-firewall/iptables/files/iptables-1.4.13.confd19
-rw-r--r--net-firewall/iptables/files/iptables-1.4.13.init116
-rw-r--r--net-firewall/iptables/files/iptables-1.4.16.2-static.patch55
-rw-r--r--net-firewall/iptables/files/iptables-1.4.17-libip6tc.patch32
-rw-r--r--net-firewall/iptables/files/iptables-1.4.18-extensions-link.patch74
-rw-r--r--net-firewall/iptables/files/iptables-1.4.18-ipv6-linkage.patch88
-rw-r--r--net-firewall/iptables/files/systemd/ip6tables-restore.service14
-rw-r--r--net-firewall/iptables/files/systemd/ip6tables-store.service11
-rw-r--r--net-firewall/iptables/files/systemd/ip6tables.service6
-rw-r--r--net-firewall/iptables/files/systemd/iptables-restore.service14
-rw-r--r--net-firewall/iptables/files/systemd/iptables-store.service11
-rw-r--r--net-firewall/iptables/files/systemd/iptables.service6
-rw-r--r--net-firewall/iptables/iptables-1.4.10-r1.ebuild83
-rw-r--r--net-firewall/iptables/iptables-1.4.10.ebuild67
-rw-r--r--net-firewall/iptables/iptables-1.4.11.1-r2.ebuild86
-rw-r--r--net-firewall/iptables/iptables-1.4.12.1-r1.ebuild88
-rw-r--r--net-firewall/iptables/iptables-1.4.12.1.ebuild87
-rw-r--r--net-firewall/iptables/iptables-1.4.12.ebuild84
-rw-r--r--net-firewall/iptables/iptables-1.4.13-r2.ebuild83
-rw-r--r--net-firewall/iptables/iptables-1.4.13.ebuild83
-rw-r--r--net-firewall/iptables/iptables-1.4.14-r1.ebuild82
-rw-r--r--net-firewall/iptables/iptables-1.4.15-r1.ebuild82
-rw-r--r--net-firewall/iptables/iptables-1.4.16.2.ebuild85
-rw-r--r--net-firewall/iptables/iptables-1.4.16.3.ebuild83
-rw-r--r--net-firewall/iptables/iptables-1.4.17.ebuild87
-rw-r--r--net-firewall/iptables/iptables-1.4.18.ebuild88
-rw-r--r--net-firewall/iptables/iptables-1.4.19.1.ebuild87
-rw-r--r--net-firewall/iptables/iptables-1.4.20.ebuild87
-rw-r--r--net-firewall/iptables/iptables-1.4.21-r1.ebuild92
-rw-r--r--net-firewall/iptables/iptables-1.4.21.ebuild87
-rw-r--r--net-firewall/iptables/iptables-1.4.6.ebuild54
-rw-r--r--net-firewall/iptables/metadata.xml23
-rw-r--r--net-firewall/itval/Manifest1
-rw-r--r--net-firewall/itval/files/itval-1.1-gcc44.patch28
-rw-r--r--net-firewall/itval/itval-1.2_p20121104.ebuild37
-rw-r--r--net-firewall/itval/metadata.xml5
-rw-r--r--net-firewall/lutelwall/Manifest1
-rw-r--r--net-firewall/lutelwall/files/lutelwall26
-rw-r--r--net-firewall/lutelwall/lutelwall-0.99.ebuild33
-rw-r--r--net-firewall/lutelwall/metadata.xml17
-rw-r--r--net-firewall/metadata.xml35
-rw-r--r--net-firewall/nfacct/Manifest2
-rw-r--r--net-firewall/nfacct/metadata.xml5
-rw-r--r--net-firewall/nfacct/nfacct-1.0.0.ebuild23
-rw-r--r--net-firewall/nfacct/nfacct-1.0.1.ebuild22
-rw-r--r--net-firewall/nftables/Manifest1
-rw-r--r--net-firewall/nftables/files/nftables.confd19
-rw-r--r--net-firewall/nftables/files/nftables.init166
-rw-r--r--net-firewall/nftables/metadata.xml9
-rw-r--r--net-firewall/nftables/nftables-0.4.ebuild54
-rw-r--r--net-firewall/nufw/Manifest1
-rw-r--r--net-firewall/nufw/files/nuauth-conf.d2
-rw-r--r--net-firewall/nufw/files/nuauth-init.d27
-rw-r--r--net-firewall/nufw/files/nufw-2.2.21-fix-gnutls.patch23
-rw-r--r--net-firewall/nufw/files/nufw-2.2.22-var-run.patch45
-rw-r--r--net-firewall/nufw/files/nufw-conf.d2
-rw-r--r--net-firewall/nufw/files/nufw-init.d17
-rw-r--r--net-firewall/nufw/metadata.xml11
-rw-r--r--net-firewall/nufw/nufw-2.2.22-r1.ebuild103
-rw-r--r--net-firewall/pftop/Manifest5
-rw-r--r--net-firewall/pftop/metadata.xml8
-rw-r--r--net-firewall/pftop/pftop-0.5.ebuild41
-rw-r--r--net-firewall/pftop/pftop-0.7-r1.ebuild50
-rw-r--r--net-firewall/pftop/pftop-0.7-r2.ebuild50
-rw-r--r--net-firewall/pftop/pftop-0.7.ebuild51
-rw-r--r--net-firewall/pglinux/Manifest4
-rw-r--r--net-firewall/pglinux/files/0-pglinux-2.2.2-gentoo-init.patch61
-rw-r--r--net-firewall/pglinux/files/0-pglinux-2.2.2-systemd.patch42
-rw-r--r--net-firewall/pglinux/files/1-pglinux-2.2.2-gentoo-init.patch20
-rw-r--r--net-firewall/pglinux/files/1-pglinux-2.2.2-systemd.patch144
-rw-r--r--net-firewall/pglinux/files/2-pglinux-2.2.2-systemd.patch34
-rw-r--r--net-firewall/pglinux/files/3-pglinux-2.2.2-systemd.patch21
-rw-r--r--net-firewall/pglinux/files/4-pglinux-2.2.2-systemd.patch24
-rw-r--r--net-firewall/pglinux/files/5-pglinux-2.2.2-systemd.patch18
-rw-r--r--net-firewall/pglinux/files/6-pglinux-2.2.2-systemd.patch87
-rw-r--r--net-firewall/pglinux/files/pgl.gentoo.in55
-rw-r--r--net-firewall/pglinux/files/pglinux-2.2.2-path-variables.patch131
-rw-r--r--net-firewall/pglinux/metadata.xml24
-rw-r--r--net-firewall/pglinux/pglinux-2.2.1_p20120711.ebuild91
-rw-r--r--net-firewall/pglinux/pglinux-2.2.2-r1.ebuild106
-rw-r--r--net-firewall/pglinux/pglinux-2.2.2.ebuild101
-rw-r--r--net-firewall/pglinux/pglinux-2.2.3.ebuild98
-rw-r--r--net-firewall/pglinux/pglinux-2.2.4.ebuild98
-rw-r--r--net-firewall/psad/Manifest2
-rw-r--r--net-firewall/psad/files/psad-2.2.4-var-run.patch13
-rw-r--r--net-firewall/psad/metadata.xml5
-rw-r--r--net-firewall/psad/psad-2.2.5.ebuild90
-rw-r--r--net-firewall/psad/psad-2.4.1.ebuild91
-rw-r--r--net-firewall/quicktables/Manifest1
-rw-r--r--net-firewall/quicktables/metadata.xml7
-rw-r--r--net-firewall/quicktables/quicktables-2.3.ebuild19
-rw-r--r--net-firewall/rtsp-conntrack/Manifest1
-rw-r--r--net-firewall/rtsp-conntrack/metadata.xml8
-rw-r--r--net-firewall/rtsp-conntrack/rtsp-conntrack-3.7.ebuild36
-rw-r--r--net-firewall/sanewall/Manifest1
-rw-r--r--net-firewall/sanewall/files/sanewall.confd5
-rw-r--r--net-firewall/sanewall/files/sanewall.initd57
-rw-r--r--net-firewall/sanewall/metadata.xml7
-rw-r--r--net-firewall/sanewall/sanewall-1.1.6-r1.ebuild57
-rw-r--r--net-firewall/shapecfg/Manifest1
-rw-r--r--net-firewall/shapecfg/files/README.shaper50
-rw-r--r--net-firewall/shapecfg/files/shapercfg-2.0.36-glibc.patch15
-rw-r--r--net-firewall/shapecfg/metadata.xml7
-rw-r--r--net-firewall/shapecfg/shapecfg-36.ebuild35
-rw-r--r--net-firewall/shorewall-core/Manifest2
-rw-r--r--net-firewall/shorewall-core/files/4.5.21.10-r1/shorewallrc23
-rw-r--r--net-firewall/shorewall-core/files/4.5.21.9/shorewallrc23
-rw-r--r--net-firewall/shorewall-core/metadata.xml10
-rw-r--r--net-firewall/shorewall-core/shorewall-core-4.5.21.10-r1.ebuild74
-rw-r--r--net-firewall/shorewall-core/shorewall-core-4.5.21.9.ebuild74
-rw-r--r--net-firewall/shorewall-init/Manifest2
-rw-r--r--net-firewall/shorewall-init/files/4.5.21.10-r1/01_Remove-ipset-functionality.patch27
-rw-r--r--net-firewall/shorewall-init/files/4.5.21.10-r1/README.Gentoo.txt30
-rw-r--r--net-firewall/shorewall-init/files/4.5.21.10-r1/shorewall-init.confd9
-rw-r--r--net-firewall/shorewall-init/files/4.5.21.10-r1/shorewall-init.initd196
-rw-r--r--net-firewall/shorewall-init/files/4.5.21.10-r1/shorewall-init.systemd16
-rw-r--r--net-firewall/shorewall-init/files/4.5.21.10-r1/shorewallrc23
-rw-r--r--net-firewall/shorewall-init/files/4.5.21.9/01_Remove-ipset-functionality.patch27
-rw-r--r--net-firewall/shorewall-init/files/4.5.21.9/README.Gentoo.txt30
-rw-r--r--net-firewall/shorewall-init/files/4.5.21.9/shorewall-init.confd9
-rw-r--r--net-firewall/shorewall-init/files/4.5.21.9/shorewall-init.initd196
-rw-r--r--net-firewall/shorewall-init/files/4.5.21.9/shorewall-init.systemd16
-rw-r--r--net-firewall/shorewall-init/files/4.5.21.9/shorewallrc23
-rw-r--r--net-firewall/shorewall-init/metadata.xml10
-rw-r--r--net-firewall/shorewall-init/shorewall-init-4.5.21.10-r1.ebuild104
-rw-r--r--net-firewall/shorewall-init/shorewall-init-4.5.21.9.ebuild104
-rw-r--r--net-firewall/shorewall-lite/Manifest4
-rw-r--r--net-firewall/shorewall-lite/files/4.5.21.10-r1/shorewall-lite.confd15
-rw-r--r--net-firewall/shorewall-lite/files/4.5.21.10-r1/shorewall-lite.initd82
-rw-r--r--net-firewall/shorewall-lite/files/4.5.21.10-r1/shorewall-lite.systemd17
-rw-r--r--net-firewall/shorewall-lite/files/4.5.21.10-r1/shorewallrc23
-rw-r--r--net-firewall/shorewall-lite/files/4.5.21.9/shorewall-lite.confd15
-rw-r--r--net-firewall/shorewall-lite/files/4.5.21.9/shorewall-lite.initd82
-rw-r--r--net-firewall/shorewall-lite/files/4.5.21.9/shorewall-lite.systemd17
-rw-r--r--net-firewall/shorewall-lite/files/4.5.21.9/shorewallrc23
-rw-r--r--net-firewall/shorewall-lite/metadata.xml10
-rw-r--r--net-firewall/shorewall-lite/shorewall-lite-4.5.21.10-r1.ebuild106
-rw-r--r--net-firewall/shorewall-lite/shorewall-lite-4.5.21.9.ebuild106
-rw-r--r--net-firewall/shorewall/Manifest25
-rw-r--r--net-firewall/shorewall/files/4.5.21.10-r1/shorewall-10-fix-ipset-support-detection.patch29
-rw-r--r--net-firewall/shorewall/files/4.5.21.10-r1/shorewall.confd15
-rw-r--r--net-firewall/shorewall/files/4.5.21.10-r1/shorewall.initd107
-rw-r--r--net-firewall/shorewall/files/4.5.21.10-r1/shorewall.systemd17
-rw-r--r--net-firewall/shorewall/files/4.5.21.10-r1/shorewallrc23
-rw-r--r--net-firewall/shorewall/files/4.5.21.9/shorewall.confd15
-rw-r--r--net-firewall/shorewall/files/4.5.21.9/shorewall.initd107
-rw-r--r--net-firewall/shorewall/files/4.5.21.9/shorewall.systemd17
-rw-r--r--net-firewall/shorewall/files/4.5.21.9/shorewallrc23
-rw-r--r--net-firewall/shorewall/files/4.6/shorewall-init-01_remove-ipset-functionality-r1.patch28
-rw-r--r--net-firewall/shorewall/files/4.6/shorewall-init-01_remove-ipset-functionality.patch27
-rw-r--r--net-firewall/shorewall/files/4.6/shorewall-init.confd6
-rw-r--r--net-firewall/shorewall/files/4.6/shorewall-init.initd192
-rw-r--r--net-firewall/shorewall/files/4.6/shorewall-init.readme30
-rw-r--r--net-firewall/shorewall/files/4.6/shorewall-init.systemd19
-rw-r--r--net-firewall/shorewall/files/4.6/shorewall-init.systemd-r119
-rw-r--r--net-firewall/shorewall/files/4.6/shorewall-lite.confd15
-rw-r--r--net-firewall/shorewall/files/4.6/shorewall-lite.initd74
-rw-r--r--net-firewall/shorewall/files/4.6/shorewall-lite.systemd19
-rw-r--r--net-firewall/shorewall/files/4.6/shorewall-lite.systemd-r120
-rw-r--r--net-firewall/shorewall/files/4.6/shorewall.confd15
-rw-r--r--net-firewall/shorewall/files/4.6/shorewall.initd99
-rw-r--r--net-firewall/shorewall/files/4.6/shorewall.systemd19
-rw-r--r--net-firewall/shorewall/files/4.6/shorewall.systemd-r120
-rw-r--r--net-firewall/shorewall/files/4.6/shorewall6-lite.confd15
-rw-r--r--net-firewall/shorewall/files/4.6/shorewall6-lite.initd84
-rw-r--r--net-firewall/shorewall/files/4.6/shorewall6-lite.systemd19
-rw-r--r--net-firewall/shorewall/files/4.6/shorewall6-lite.systemd-r120
-rw-r--r--net-firewall/shorewall/files/4.6/shorewall6.confd15
-rw-r--r--net-firewall/shorewall/files/4.6/shorewall6.initd109
-rw-r--r--net-firewall/shorewall/files/4.6/shorewall6.systemd19
-rw-r--r--net-firewall/shorewall/files/4.6/shorewall6.systemd-r120
-rw-r--r--net-firewall/shorewall/files/4.6/shorewallrc23
-rw-r--r--net-firewall/shorewall/metadata.xml17
-rw-r--r--net-firewall/shorewall/shorewall-4.5.21.10-r1.ebuild118
-rw-r--r--net-firewall/shorewall/shorewall-4.5.21.9.ebuild116
-rw-r--r--net-firewall/shorewall/shorewall-4.6.10.1.ebuild442
-rw-r--r--net-firewall/shorewall/shorewall-4.6.11.ebuild442
-rw-r--r--net-firewall/shorewall/shorewall-4.6.6.2.ebuild442
-rw-r--r--net-firewall/shorewall6-lite/Manifest4
-rw-r--r--net-firewall/shorewall6-lite/files/4.5.21.10-r1/shorewall6-lite.confd15
-rw-r--r--net-firewall/shorewall6-lite/files/4.5.21.10-r1/shorewall6-lite.initd82
-rw-r--r--net-firewall/shorewall6-lite/files/4.5.21.10-r1/shorewall6-lite.systemd17
-rw-r--r--net-firewall/shorewall6-lite/files/4.5.21.10-r1/shorewallrc23
-rw-r--r--net-firewall/shorewall6-lite/files/4.5.21.10/shorewall6-lite.confd15
-rw-r--r--net-firewall/shorewall6-lite/files/4.5.21.10/shorewall6-lite.initd82
-rw-r--r--net-firewall/shorewall6-lite/files/4.5.21.10/shorewall6-lite.systemd17
-rw-r--r--net-firewall/shorewall6-lite/files/4.5.21.10/shorewallrc23
-rw-r--r--net-firewall/shorewall6-lite/files/4.5.21.9/shorewall6-lite.confd15
-rw-r--r--net-firewall/shorewall6-lite/files/4.5.21.9/shorewall6-lite.initd82
-rw-r--r--net-firewall/shorewall6-lite/files/4.5.21.9/shorewall6-lite.systemd17
-rw-r--r--net-firewall/shorewall6-lite/files/4.5.21.9/shorewallrc23
-rw-r--r--net-firewall/shorewall6-lite/metadata.xml10
-rw-r--r--net-firewall/shorewall6-lite/shorewall6-lite-4.5.21.10-r1.ebuild107
-rw-r--r--net-firewall/shorewall6-lite/shorewall6-lite-4.5.21.9.ebuild107
-rw-r--r--net-firewall/shorewall6/Manifest4
-rw-r--r--net-firewall/shorewall6/files/4.5.21.10-r1/shorewall6.confd15
-rw-r--r--net-firewall/shorewall6/files/4.5.21.10-r1/shorewall6.initd107
-rw-r--r--net-firewall/shorewall6/files/4.5.21.10-r1/shorewall6.systemd17
-rw-r--r--net-firewall/shorewall6/files/4.5.21.10-r1/shorewallrc23
-rw-r--r--net-firewall/shorewall6/files/4.5.21.9/shorewall6.confd15
-rw-r--r--net-firewall/shorewall6/files/4.5.21.9/shorewall6.initd107
-rw-r--r--net-firewall/shorewall6/files/4.5.21.9/shorewall6.systemd17
-rw-r--r--net-firewall/shorewall6/files/4.5.21.9/shorewallrc23
-rw-r--r--net-firewall/shorewall6/metadata.xml10
-rw-r--r--net-firewall/shorewall6/shorewall6-4.5.21.10-r1.ebuild112
-rw-r--r--net-firewall/shorewall6/shorewall6-4.5.21.9.ebuild112
-rw-r--r--net-firewall/ufw-frontends/Manifest1
-rw-r--r--net-firewall/ufw-frontends/files/org.gentoo.pkexec.ufw-gtk.policy21
-rw-r--r--net-firewall/ufw-frontends/files/ufw-frontends-0.3.2-no-log-crash.patch61
-rw-r--r--net-firewall/ufw-frontends/metadata.xml17
-rw-r--r--net-firewall/ufw-frontends/ufw-frontends-0.3.2-r3.ebuild66
-rw-r--r--net-firewall/ufw/Manifest1
-rw-r--r--net-firewall/ufw/files/rsyslog/ufw.logrotate13
-rw-r--r--net-firewall/ufw/files/syslog-ng/syslog-ng.example13
-rw-r--r--net-firewall/ufw/files/syslog-ng/ufw.logrotate12
-rw-r--r--net-firewall/ufw/files/ufw-0.31.1-move-path.patch177
-rw-r--r--net-firewall/ufw/files/ufw-0.31.1-python-abis.patch42
-rw-r--r--net-firewall/ufw/files/ufw-0.33-dont-check-iptables.patch46
-rw-r--r--net-firewall/ufw/files/ufw-0.34_pre805-bash-completion.patch17
-rw-r--r--net-firewall/ufw/files/ufw-0.34_pre805-shebang.patch15
-rw-r--r--net-firewall/ufw/files/ufw-2.initd137
-rw-r--r--net-firewall/ufw/files/ufw.confd5
-rw-r--r--net-firewall/ufw/files/ufw.service15
-rw-r--r--net-firewall/ufw/metadata.xml18
-rw-r--r--net-firewall/ufw/ufw-0.34_pre805-r1.ebuild184
-rw-r--r--net-firewall/ufw/ufw-0.34_pre805-r2.ebuild186
-rw-r--r--net-firewall/xtables-addons/Manifest6
-rw-r--r--net-firewall/xtables-addons/metadata.xml26
-rw-r--r--net-firewall/xtables-addons/xtables-addons-1.37.ebuild165
-rw-r--r--net-firewall/xtables-addons/xtables-addons-1.47.1.ebuild172
-rw-r--r--net-firewall/xtables-addons/xtables-addons-2.1.ebuild169
-rw-r--r--net-firewall/xtables-addons/xtables-addons-2.3.ebuild169
-rw-r--r--net-firewall/xtables-addons/xtables-addons-2.6.ebuild188
-rw-r--r--net-firewall/xtables-addons/xtables-addons-2.7.ebuild186
361 files changed, 17727 insertions, 0 deletions
diff --git a/net-firewall/arno-iptables-firewall/Manifest b/net-firewall/arno-iptables-firewall/Manifest
new file mode 100644
index 000000000000..20eb3185cb5f
--- /dev/null
+++ b/net-firewall/arno-iptables-firewall/Manifest
@@ -0,0 +1,2 @@
+DIST arno-iptables-firewall_2.0.1d.tar.gz 125329 SHA256 177343362063125985e8b0008fe69bc6ca8d3ba252cfa35a316e708f52fef9c6 SHA512 a99f4fcf4f84a47cc1bda26b39e4f3dc7e10b74f3aeaea8a2519bf18f43ff08ec0bfbd0f078ac36ce12da31d3ac0eabc51231b4559cadca13cd4d75e0940bf9d WHIRLPOOL 2dd56678015cf49ed9442c63c5455c70e72a6f252d9278a56ae1eaabda34d597c44f7fdb97695656882754776385778a5e67d83e7e35e4554e5765e3a0e68b13
+DIST arno-iptables-firewall_2.0.1e.tar.gz 126238 SHA256 fa7b865e5d9b8e077cba73b2f28695a2fd691092a0a7f9e1c16ee369fc27fe43 SHA512 244b3bbf08b2d97128908aece487388bb71ced002cc129885144f4eacf9cf6053c9eb1225a1cd33fdefc502f1e6822a85710d35a7884e99cfde35d34f3fd4f70 WHIRLPOOL f6c1b5ade8b4acdcc4c8e90e19a84335c3932d2a58bbba2221a91b7cbd228c4d6072af6e21836314d86ef005780b47c5ce85198219b345116af529178e2133c1
diff --git a/net-firewall/arno-iptables-firewall/arno-iptables-firewall-2.0.1d-r2.ebuild b/net-firewall/arno-iptables-firewall/arno-iptables-firewall-2.0.1d-r2.ebuild
new file mode 100644
index 000000000000..b61173224188
--- /dev/null
+++ b/net-firewall/arno-iptables-firewall/arno-iptables-firewall-2.0.1d-r2.ebuild
@@ -0,0 +1,90 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+inherit readme.gentoo systemd
+
+DESCRIPTION="Arno's iptables firewall script"
+HOMEPAGE="http://rocky.eld.leidenuniv.nl"
+SRC_URI="http://rocky.eld.leidenuniv.nl/${PN}/${PN}_${PV}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="amd64 x86"
+IUSE="+plugins"
+
+# sys-apps/coreutils dependency wrt
+# https://bugs.gentoo.org/show_bug.cgi?id=448716
+
+DEPEND=""
+RDEPEND="net-firewall/iptables
+ || ( <sys-apps/coreutils-8.20 >sys-apps/coreutils-8.20-r1 )
+ sys-apps/iproute2
+ plugins? ( net-dns/bind-tools )"
+
+S="${WORKDIR}/${PN}_${PV}"
+
+DISABLE_AUTOFORMATTING="yes"
+DOC_CONTENTS="You will need to configure /etc/${PN}/firewall.conf
+before using this package. To start the script, run:
+
+/etc/init.d/${PN} start (for openRC)
+systemctl start ${PN} (for Systemd)
+
+If you want to start this script at boot, run:
+
+rc-update add ${PN} default (for openRC)
+systemctl enable ${PN} (for Systemd)"
+
+src_prepare() {
+ sed -i -e 's:/usr/local/share/:/usr/libexec/:' \
+ etc/"${PN}"/firewall.conf || die "Sed failed!"
+}
+
+src_install() {
+
+ insinto /etc/"${PN}"
+ doins etc/"${PN}"/firewall.conf
+ doins etc/"${PN}"/custom-rules
+
+ doinitd "${FILESDIR}/${PN}"
+ systemd_dounit "${FILESDIR}/${PN}.service"
+
+ dobin bin/arno-fwfilter
+ dosbin bin/"${PN}"
+
+ insinto /usr/libexec/"${PN}"
+ doins share/"${PN}"/environment
+
+ dodoc CHANGELOG README
+ readme.gentoo_create_doc
+
+ if use plugins
+ then
+ insinto /etc/"${PN}"/plugins
+ doins etc/"${PN}"/plugins/*
+
+ insinto /usr/libexec/"${PN}"/plugins
+ doins share/"${PN}"/plugins/*.plugin
+
+ exeinto /usr/libexec/"${PN}"/plugins
+ doexe share/"${PN}"/plugins/dyndns-host-open-helper
+ doexe share/"${PN}"/plugins/traffic-accounting-helper
+ doexe share/"${PN}"/plugins/traffic-accounting-log-rotate
+ doexe share/"${PN}"/plugins/traffic-accounting-show
+
+ docinto plugins
+ dodoc share/"${PN}"/plugins/*.CHANGELOG
+ fi
+
+ doman share/man/man1/arno-fwfilter.1 \
+ share/man/man8/"${PN}".8
+}
+
+pkg_postinst () {
+ ewarn "When you stop this script, all firewall rules are flushed!"
+ ewarn "Make sure to not use multiple firewall scripts simultaneously"
+ ewarn "unless you know what you are doing!"
+ readme.gentoo_print_elog
+}
diff --git a/net-firewall/arno-iptables-firewall/arno-iptables-firewall-2.0.1e.ebuild b/net-firewall/arno-iptables-firewall/arno-iptables-firewall-2.0.1e.ebuild
new file mode 100644
index 000000000000..094b69b02099
--- /dev/null
+++ b/net-firewall/arno-iptables-firewall/arno-iptables-firewall-2.0.1e.ebuild
@@ -0,0 +1,91 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+inherit readme.gentoo systemd
+
+DESCRIPTION="Arno's iptables firewall script"
+HOMEPAGE="http://rocky.eld.leidenuniv.nl"
+SRC_URI="http://rocky.eld.leidenuniv.nl/${PN}/${PN}_${PV}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="amd64 x86"
+IUSE="+plugins"
+
+# sys-apps/coreutils dependency wrt
+# https://bugs.gentoo.org/show_bug.cgi?id=448716
+
+DEPEND=""
+RDEPEND="net-firewall/iptables
+ || ( <sys-apps/coreutils-8.20 >sys-apps/coreutils-8.20-r1 )
+ sys-apps/iproute2
+ plugins? ( net-dns/bind-tools )"
+
+S="${WORKDIR}/${PN}_${PV}"
+
+DISABLE_AUTOFORMATTING="yes"
+DOC_CONTENTS="You will need to configure /etc/${PN}/firewall.conf
+before using this package. To start the script, run:
+
+/etc/init.d/${PN} start (for OpenRC)
+systemctl start ${PN} (for systemd)
+
+If you want to start this script at boot, run:
+
+rc-update add ${PN} default (for OpenRC)
+systemctl enable ${PN} (for systemd)"
+
+src_prepare() {
+ sed -i -e 's:/usr/local/share/:/usr/libexec/:' \
+ etc/"${PN}"/firewall.conf || die "Sed failed!"
+ sed -i -e 's:/usr/local/sbin/:/usr/sbin/:' \
+ lib/systemd/system/"${PN}.service" || die "Sed failed!"
+}
+
+src_install() {
+ insinto /etc/"${PN}"
+ doins etc/"${PN}"/firewall.conf
+ doins etc/"${PN}"/custom-rules
+
+ doinitd "${FILESDIR}/${PN}"
+ systemd_dounit lib/systemd/system/"${PN}.service"
+
+ dobin bin/arno-fwfilter
+ dosbin bin/"${PN}"
+
+ insinto /usr/libexec/"${PN}"
+ doins share/"${PN}"/environment
+
+ dodoc CHANGELOG README
+ readme.gentoo_create_doc
+
+ if use plugins
+ then
+ insinto /etc/"${PN}"/plugins
+ doins etc/"${PN}"/plugins/*
+
+ insinto /usr/libexec/"${PN}"/plugins
+ doins share/"${PN}"/plugins/*.plugin
+
+ exeinto /usr/libexec/"${PN}"/plugins
+ doexe share/"${PN}"/plugins/dyndns-host-open-helper
+ doexe share/"${PN}"/plugins/traffic-accounting-helper
+ doexe share/"${PN}"/plugins/traffic-accounting-log-rotate
+ doexe share/"${PN}"/plugins/traffic-accounting-show
+
+ docinto plugins
+ dodoc share/"${PN}"/plugins/*.CHANGELOG
+ fi
+
+ doman share/man/man1/arno-fwfilter.1 \
+ share/man/man8/"${PN}".8
+}
+
+pkg_postinst () {
+ ewarn "When you stop this script, all firewall rules are flushed!"
+ ewarn "Make sure to not use multiple firewall scripts simultaneously"
+ ewarn "unless you know what you are doing!"
+ readme.gentoo_print_elog
+}
diff --git a/net-firewall/arno-iptables-firewall/files/arno-iptables-firewall b/net-firewall/arno-iptables-firewall/files/arno-iptables-firewall
new file mode 100644
index 000000000000..7a56dfb24654
--- /dev/null
+++ b/net-firewall/arno-iptables-firewall/files/arno-iptables-firewall
@@ -0,0 +1,27 @@
+#!/sbin/runscript
+command=/usr/sbin/arno-iptables-firewall
+description="Single- & multi-homed firewall script with DSL/ADSL support"
+
+extra_started_commands="reload"
+description_reload="Reload blocked hosts (blackhole) file"
+
+depend() {
+ before net
+ use logger
+}
+
+start() {
+ ${command} start
+}
+
+stop() {
+ ${command} stop
+}
+
+restart() {
+ ${command} restart
+}
+
+reload() {
+ ${command} force-reload
+}
diff --git a/net-firewall/arno-iptables-firewall/files/arno-iptables-firewall.service b/net-firewall/arno-iptables-firewall/files/arno-iptables-firewall.service
new file mode 100644
index 000000000000..e663f08a08eb
--- /dev/null
+++ b/net-firewall/arno-iptables-firewall/files/arno-iptables-firewall.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=A secure stateful firewall for both single and multi-homed machine
+Before=network.target
+Wants=network.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/arno-iptables-firewall start
+ExecStop=/usr/sbin/arno-iptables-firewall stop
+ExecReload=/usr/sbin/arno-iptables-firewall force-reload
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/net-firewall/arno-iptables-firewall/files/rc.firewall_replace_opts.patch b/net-firewall/arno-iptables-firewall/files/rc.firewall_replace_opts.patch
new file mode 100644
index 000000000000..6c271d5584b3
--- /dev/null
+++ b/net-firewall/arno-iptables-firewall/files/rc.firewall_replace_opts.patch
@@ -0,0 +1,11 @@
+--- contrib/Gentoo/rc.firewall 2012-11-29 08:44:13.000000000 +0100
++++ contrib/Gentoo/rc.firewall.new 2012-12-15 18:38:12.179072084 +0100
+@@ -1,6 +1,7 @@
+ #!/sbin/runscript
+
+-opts="${opts} stats help reload"
++extra_commands="stats help"
++extra_started_commands="reload"
+
+ depend() {
+ before net
diff --git a/net-firewall/arno-iptables-firewall/metadata.xml b/net-firewall/arno-iptables-firewall/metadata.xml
new file mode 100644
index 000000000000..5a526d1b97d2
--- /dev/null
+++ b/net-firewall/arno-iptables-firewall/metadata.xml
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+<herd>proxy-maintainers</herd>
+<maintainer>
+ <email>erkiferenc@gmail.com</email>
+ <name>Ferenc Erki</name>
+</maintainer>
+<use>
+ <flag name='plugins'>Install optional plugins</flag>
+</use>
+</pkgmetadata>
diff --git a/net-firewall/arptables/Manifest b/net-firewall/arptables/Manifest
new file mode 100644
index 000000000000..9f893d711cfa
--- /dev/null
+++ b/net-firewall/arptables/Manifest
@@ -0,0 +1 @@
+DIST arptables-v0.0.3-4.tar.gz 44335 SHA256 e529fd465c67d69ad335299a043516e6b38cdcd337a5ed21718413e96073f928
diff --git a/net-firewall/arptables/arptables-0.0.3.4-r2.ebuild b/net-firewall/arptables/arptables-0.0.3.4-r2.ebuild
new file mode 100644
index 000000000000..fa5e7726722d
--- /dev/null
+++ b/net-firewall/arptables/arptables-0.0.3.4-r2.ebuild
@@ -0,0 +1,39 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="2"
+inherit versionator eutils
+
+MY_P=${PN}-v$(replace_version_separator 3 - )
+
+DESCRIPTION="set up, maintain, and inspect the tables of ARP rules in the Linux kernel"
+HOMEPAGE="http://ebtables.sourceforge.net/"
+SRC_URI="mirror://sourceforge/ebtables/${MY_P}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="amd64 ppc x86"
+IUSE=""
+
+S=${WORKDIR}/${MY_P}
+
+src_prepare() {
+ epatch "${FILESDIR}/${P}-ldflags.patch"
+ epatch "${FILESDIR}/${P}-arptables_save.patch"
+ epatch "${FILESDIR}/${P}-manpage.patch"
+ epatch "${FILESDIR}/${P}-type.patch"
+}
+
+src_compile() {
+ # -O0 does not work and at least -O2 is required, bug #240752
+ emake CC="$(tc-getCC)" COPT_FLAGS="-O2 ${CFLAGS//-O0/-O2}" || die "make failed"
+ sed -ie 's:__EXEC_PATH__:/sbin:g' arptables-save arptables-restore \
+ || die "sed failed"
+}
+
+src_install() {
+ into /
+ dosbin arptables arptables-restore arptables-save || die
+ doman arptables.8 || die
+}
diff --git a/net-firewall/arptables/files/arptables-0.0.3.4-arptables_save.patch b/net-firewall/arptables/files/arptables-0.0.3.4-arptables_save.patch
new file mode 100644
index 000000000000..a1b60b24ea10
--- /dev/null
+++ b/net-firewall/arptables/files/arptables-0.0.3.4-arptables_save.patch
@@ -0,0 +1,24 @@
+# Don't resolve host names and don't convert '*' interface names to any.
+# Remove '*' interface names.
+
+diff -urNad arptables-0.0.3.3~/arptables-save arptables-0.0.3.3/arptables-save
+--- arptables-0.0.3.3~/arptables-save 2009-08-19 14:17:17.000000000 +0200
++++ arptables-0.0.3.3/arptables-save 2009-08-19 14:19:58.000000000 +0200
+@@ -35,6 +35,8 @@
+ # Due to arptables "issues" with displaying device names
+ # we need to use -v and then do some processing
+ $line =~ s/\s,\s.*//;
++ $line =~ s/-i\s\*//;
++ $line =~ s/-o\s\*//;
+ $rules = $rules . "-A $chain $line\n";
+ }
+
+@@ -47,7 +49,7 @@
+ # ========================================================
+
+ unless (-x "$tool") { print "ERROR: Tool $tool isn't executable"; exit -1; };
+-$table =`$tool -t filter -L -v`;
++$table =`$tool -t filter -L -v -n`;
+ unless ($? == 0) { print $table; exit -1 };
+ &process_table($table);
+
diff --git a/net-firewall/arptables/files/arptables-0.0.3.4-ldflags.patch b/net-firewall/arptables/files/arptables-0.0.3.4-ldflags.patch
new file mode 100644
index 000000000000..b5ced69c504b
--- /dev/null
+++ b/net-firewall/arptables/files/arptables-0.0.3.4-ldflags.patch
@@ -0,0 +1,13 @@
+=== modified file 'Makefile'
+--- Makefile 2010-09-15 11:51:49 +0000
++++ Makefile 2010-09-15 11:52:56 +0000
+@@ -31,7 +31,7 @@
+ $(CC) $(CFLAGS) -c -o $@ $<
+
+ arptables: arptables-standalone.o arptables.o libarptc/libarptc.o $(EXT_OBJS)
+- $(CC) $(CFLAGS) -o $@ $^
++ $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^
+
+ $(DESTDIR)$(MANDIR)/man8/arptables.8: arptables.8
+ mkdir -p $(@D)
+
diff --git a/net-firewall/arptables/files/arptables-0.0.3.4-manpage.patch b/net-firewall/arptables/files/arptables-0.0.3.4-manpage.patch
new file mode 100644
index 000000000000..76295b6d9b5c
--- /dev/null
+++ b/net-firewall/arptables/files/arptables-0.0.3.4-manpage.patch
@@ -0,0 +1,12 @@
+diff -urNad arptables-0.0.3.3~/arptables.8 arptables-0.0.3.3/arptables.8
+--- arptables-0.0.3.3~/arptables.8 2007-08-19 15:04:51.000000000 +0200
++++ arptables-0.0.3.3/arptables.8 2008-05-08 18:56:35.000000000 +0200
+@@ -22,7 +22,7 @@
+ .\"
+ .\"
+ .SH NAME
+-arptables (v.0.0.3-3) \- ARP table administration
++arptables \- ARP table administration
+ .SH SYNOPSIS
+ .BR "arptables " [ "-t table" ] " -" [ AD ] " chain rule-specification " [ options ]
+ .br
diff --git a/net-firewall/arptables/files/arptables-0.0.3.4-type.patch b/net-firewall/arptables/files/arptables-0.0.3.4-type.patch
new file mode 100644
index 000000000000..851bf0ee247f
--- /dev/null
+++ b/net-firewall/arptables/files/arptables-0.0.3.4-type.patch
@@ -0,0 +1,17 @@
+# Patch from Jeroen van Wolffelaar <jeroen@wolffelaar.nl> to make
+# arptables --proto-type also accept hexadecimal inputs (ethernet protocol
+# numbers are often specfied in hex, not decimal), using standard strtol()
+# behaviour (hex iff starts with 0x).
+
+diff -urNad arptables-0.0.3.3~/arptables.c arptables-0.0.3.3/arptables.c
+--- arptables-0.0.3.3~/arptables.c 2007-08-19 15:04:51.000000000 +0200
++++ arptables-0.0.3.3/arptables.c 2008-05-08 19:16:43.000000000 +0200
+@@ -2039,7 +2039,7 @@
+ check_inverse(optarg, &invert, &optind, argc);
+ set_option(&options, OPT_P_TYPE, &fw.arp.invflags,
+ invert);
+- if (get16_and_mask(argv[optind - 1], &fw.arp.arpro, &fw.arp.arpro_mask, 10)) {
++ if (get16_and_mask(argv[optind - 1], &fw.arp.arpro, &fw.arp.arpro_mask, 0)) {
+ if (strcasecmp(argv[optind-1], "ipv4"))
+ exit_error(PARAMETER_PROBLEM, "Problem with specified protocol type");
+ fw.arp.arpro = htons(0x800);
diff --git a/net-firewall/arptables/metadata.xml b/net-firewall/arptables/metadata.xml
new file mode 100644
index 000000000000..23b2d799bbe8
--- /dev/null
+++ b/net-firewall/arptables/metadata.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+ <herd>base-system</herd>
+ <upstream>
+ <remote-id type="sourceforge">ebtables</remote-id>
+ </upstream>
+</pkgmetadata>
diff --git a/net-firewall/conntrack-tools/Manifest b/net-firewall/conntrack-tools/Manifest
new file mode 100644
index 000000000000..b523438b4dde
--- /dev/null
+++ b/net-firewall/conntrack-tools/Manifest
@@ -0,0 +1 @@
+DIST conntrack-tools-1.4.2.tar.bz2 472074 SHA256 e5c423dc077f9ca8767eaa6cf40446943905711c6a8fe27f9cc1977d4d6aa11e SHA512 1fed742593caf8bbac96a58df8f7e806d1c0f1dfea8fc601d65aa89b4243b1022949a2bf03ab0ca25994a13e50b3b1ee43a31827e0dc4da1399801ddac623d56 WHIRLPOOL 7405e8b812c98c06bdcdbfea983178f5830001cf247b9a63aac6e19e2497b1bf2bdf8c7c6445dad60f5463eff6cc0ea58d14eca2990b2b3b3f54032daca85572
diff --git a/net-firewall/conntrack-tools/conntrack-tools-1.4.2.ebuild b/net-firewall/conntrack-tools/conntrack-tools-1.4.2.ebuild
new file mode 100644
index 000000000000..eab048983e3d
--- /dev/null
+++ b/net-firewall/conntrack-tools/conntrack-tools-1.4.2.ebuild
@@ -0,0 +1,83 @@
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+inherit autotools eutils linux-info
+
+DESCRIPTION="Connection tracking userspace tools"
+HOMEPAGE="http://conntrack-tools.netfilter.org"
+SRC_URI="http://www.netfilter.org/projects/conntrack-tools/files/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="amd64 hppa x86"
+IUSE="doc"
+
+RDEPEND="
+ >=net-libs/libmnl-1.0.3
+ >=net-libs/libnetfilter_conntrack-1.0.4
+ >=net-libs/libnetfilter_cthelper-1.0.0
+ >=net-libs/libnetfilter_cttimeout-1.0.0
+ >=net-libs/libnetfilter_queue-1.0.2
+ >=net-libs/libnfnetlink-1.0.1
+"
+DEPEND="${RDEPEND}
+ doc? (
+ app-text/docbook-xml-dtd:4.1.2
+ app-text/xmlto
+ )
+ virtual/pkgconfig
+ sys-devel/bison
+ sys-devel/flex"
+
+pkg_setup() {
+ linux-info_pkg_setup
+
+ if kernel_is lt 2 6 18 ; then
+ die "${PN} requires at least 2.6.18 kernel version"
+ fi
+
+ #netfilter core team has changed some option names with kernel 2.6.20
+ if kernel_is lt 2 6 20 ; then
+ CONFIG_CHECK="~IP_NF_CONNTRACK_NETLINK"
+ else
+ CONFIG_CHECK="~NF_CT_NETLINK"
+ fi
+ CONFIG_CHECK="${CONFIG_CHECK} ~NF_CONNTRACK
+ ~NETFILTER_NETLINK ~NF_CONNTRACK_EVENTS"
+
+ check_extra_config
+
+ linux_config_exists || \
+ linux_chkconfig_present "NF_CONNTRACK_IPV4" || \
+ linux_chkconfig_present "NF_CONNTRACK_IPV6" || \
+ ewarn "CONFIG_NF_CONNTRACK_IPV4 or CONFIG_NF_CONNTRACK_IPV6 " \
+ "are not set when one at least should be."
+}
+
+src_prepare() {
+ # bug #474858
+ sed -i -e 's:/var/lock:/run/lock:' doc/stats/conntrackd.conf || die 'sed on doc/stat/conntrackd.conf failed'
+
+ epatch_user
+ eautoreconf
+}
+
+src_compile() {
+ default
+ use doc && emake -C doc/manual
+}
+
+src_install() {
+ default
+
+ newinitd "${FILESDIR}/conntrackd.initd-r3" conntrackd
+ newconfd "${FILESDIR}/conntrackd.confd-r2" conntrackd
+
+ insinto /etc/conntrackd
+ doins doc/stats/conntrackd.conf
+
+ dodoc -r doc/sync doc/stats AUTHORS TODO
+ use doc && dohtml doc/manual/${PN}.html
+}
diff --git a/net-firewall/conntrack-tools/files/conntrackd.confd-r2 b/net-firewall/conntrack-tools/files/conntrackd.confd-r2
new file mode 100644
index 000000000000..01c0633809d5
--- /dev/null
+++ b/net-firewall/conntrack-tools/files/conntrackd.confd-r2
@@ -0,0 +1,14 @@
+# conntrackd config file
+# default: /etc/conntrackd/conntrackd.conf
+#CONNTRACKD_CFG=/etc/conntrackd/conntrackd.conf
+
+# conntrackd lockfile (must match the "LockFile" entry
+# from the "General" section in the config file)
+# default: /run/lock/conntrack.lock
+#CONNTRACKD_LOCK=/run/lock/conntrack.lock
+
+# extra options for conntrackd
+#CONNTRACKD_OPTS="" # you must NOT use -C here!
+
+# depend on a specific network interface
+#rc_need="net.eth1"
diff --git a/net-firewall/conntrack-tools/files/conntrackd.initd-r3 b/net-firewall/conntrack-tools/files/conntrackd.initd-r3
new file mode 100644
index 000000000000..5309321ff8ab
--- /dev/null
+++ b/net-firewall/conntrack-tools/files/conntrackd.initd-r3
@@ -0,0 +1,77 @@
+#!/sbin/runscript
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+CONNTRACKD_BIN="/usr/sbin/conntrackd"
+CONNTRACKD_CFG=${CONNTRACKD_CFG:-/etc/conntrackd/conntrackd.conf}
+CONNTRACKD_LOCK=${CONNTRACKD_LOCK:-/run/lock/conntrack.lock}
+
+depend() {
+ use logger
+ need net
+}
+
+checkconfig() {
+ # check for netfilter conntrack kernel support
+ local nf_ct_available=0
+ for k in net.netfilter.nf_conntrack_max \
+ net.ipv4.netfilter.ip_conntrack_max \
+ net.nf_conntrack_max; do
+ if sysctl -e -n ${k} &>/dev/null; then
+ nf_ct_available=1 # sysctl key found
+ break
+ fi
+ done
+ if [ ${nf_ct_available} -eq 0 ]; then
+ eerror
+ eerror "Your kernel is missing netfilter conntrack support!"
+ eerror "Make sure your kernel was compiled with netfilter conntrack support."
+ eerror
+ eerror "If it was compiled as a module you need to ensure the module is being"
+ eerror "loaded before starting conntrackd."
+ eerror "Either add an entry to /etc/modules.autoload/[...] (for baselayout-1)"
+ eerror "or /etc/conf.d/modules (for baselayout-2/OpenRC) or load the module"
+ eerror "by hand like this, depending on your kernel version:"
+ eerror
+ eerror " modprobe nf_conntrack # (for newer kernels)"
+ eerror " modprobe ip_conntrack # (for older kernels)"
+ eerror
+ return 1
+ fi
+ # check for config file
+ if [ ! -e "${CONNTRACKD_CFG}" ]; then
+ eerror
+ eerror "The conntrackd config file (${CONNTRACKD_CFG})"
+ eerror "is missing!"
+ eerror
+ return 1
+ fi
+ # check for leftover lockfile
+ if [ -f "${CONNTRACKD_LOCK}" ]; then
+ ewarn
+ ewarn "The conntrackd lockfile (${CONNTRACKD_LOCK})"
+ ewarn "exists although the service is not marked as started."
+ ewarn "Will remove the lockfile and start the service in 10s"
+ ewarn "if not interrupted..."
+ ewarn
+ sleep 10
+ if ! rm -f "${CONNTRACKD_LOCK}"; then
+ eerror "Failed to remove the conntrackd lockfile (${CONNTRACKD_LOCK})"
+ return 1
+ fi
+ fi
+}
+
+start() {
+ checkconfig || return 1
+ ebegin "Starting conntrackd"
+ start-stop-daemon --start --exec "${CONNTRACKD_BIN}" \
+ -- -d -C "${CONNTRACKD_CFG}" ${CONNTRACKD_OPTS}
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping conntrackd"
+ start-stop-daemon --stop --exec "${CONNTRACKD_BIN}"
+ eend $?
+}
diff --git a/net-firewall/conntrack-tools/metadata.xml b/net-firewall/conntrack-tools/metadata.xml
new file mode 100644
index 000000000000..5c490dd32d99
--- /dev/null
+++ b/net-firewall/conntrack-tools/metadata.xml
@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+ <herd>netmon</herd>
+ <longdescription lang="en">
+ A set of tools targeted at system administrators. They are conntrack,
+ the userspace command line interface, and conntrackd, the userspace
+ daemon.
+ </longdescription>
+</pkgmetadata>
diff --git a/net-firewall/dshieldpy/Manifest b/net-firewall/dshieldpy/Manifest
new file mode 100644
index 000000000000..e660f2a3b175
--- /dev/null
+++ b/net-firewall/dshieldpy/Manifest
@@ -0,0 +1 @@
+DIST dshieldpy-3.2.tar.gz 28754 SHA256 c7fe2bcbf250e86af30b5ddc294da0c1508b82f90dfc57c5991c1330c350db8b
diff --git a/net-firewall/dshieldpy/dshieldpy-3.2-r1.ebuild b/net-firewall/dshieldpy/dshieldpy-3.2-r1.ebuild
new file mode 100644
index 000000000000..8c3cc06c927f
--- /dev/null
+++ b/net-firewall/dshieldpy/dshieldpy-3.2-r1.ebuild
@@ -0,0 +1,27 @@
+# Copyright 1999-2012 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="4"
+PYTHON_DEPEND="2"
+inherit python
+
+DESCRIPTION="Python script to submit firewall logs to dshield.org"
+HOMEPAGE="http://dshieldpy.sourceforge.net/"
+SRC_URI="mirror://sourceforge/dshieldpy/${P}.tar.gz"
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="amd64 ~ppc x86"
+IUSE=""
+DEPEND=""
+RDEPEND=""
+S=${WORKDIR}/DShield.py
+
+src_install() {
+ dodoc CHANGELOG README*
+ dobin dshield.py
+
+ insinto /etc
+ doins dshieldpy.conf
+ python_convert_shebangs 2 "${ED}"usr/bin/dshield.py
+}
diff --git a/net-firewall/dshieldpy/metadata.xml b/net-firewall/dshieldpy/metadata.xml
new file mode 100644
index 000000000000..798fd62f4e36
--- /dev/null
+++ b/net-firewall/dshieldpy/metadata.xml
@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+ <maintainer>
+ <email>maintainer-needed@gentoo.org</email>
+ </maintainer>
+ <upstream>
+ <remote-id type="sourceforge">dshieldpy</remote-id>
+ </upstream>
+</pkgmetadata>
diff --git a/net-firewall/ebtables/Manifest b/net-firewall/ebtables/Manifest
new file mode 100644
index 000000000000..68edfb1359dd
--- /dev/null
+++ b/net-firewall/ebtables/Manifest
@@ -0,0 +1 @@
+DIST ebtables-v2.0.10-4.tar.gz 103764 SHA256 dc6f7b484f207dc712bfca81645f45120cb6aee3380e77a1771e9c34a9a4455d SHA512 a6832453812eaede3fcbb5b4cab5902ea1ea752a80a259eed276a01b61e2afaa6cf07d3d023d86a883f9a02505aecc44a1c6e0d27b3a61f341002e4c051cd60a WHIRLPOOL 5a1e0703e3fd5c79e149824e789646d042660081fb8a9f301fa4cc2716e84fbf842216d5b6b4c8c33de3b6949bfbfcaa2eb7293fe7afa71a2305de8f70abd57d
diff --git a/net-firewall/ebtables/ebtables-2.0.10.4-r1.ebuild b/net-firewall/ebtables/ebtables-2.0.10.4-r1.ebuild
new file mode 100644
index 000000000000..5bd127821e76
--- /dev/null
+++ b/net-firewall/ebtables/ebtables-2.0.10.4-r1.ebuild
@@ -0,0 +1,68 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="4"
+
+inherit versionator eutils toolchain-funcs multilib flag-o-matic
+
+MY_PV=$(replace_version_separator 3 '-' )
+MY_P=${PN}-v${MY_PV}
+
+DESCRIPTION="Utility that enables basic Ethernet frame filtering on a Linux bridge, MAC NAT and brouting"
+HOMEPAGE="http://ebtables.sourceforge.net/"
+SRC_URI="mirror://sourceforge/${PN}/${MY_P}.tar.gz"
+
+KEYWORDS="~amd64 ~ppc ~x86"
+IUSE="static"
+LICENSE="GPL-2"
+SLOT="0"
+
+S=${WORKDIR}/${MY_P}
+
+pkg_setup() {
+ if use static; then
+ ewarn "You've chosen static build which is useful for embedded devices."
+ ewarn "It has no init script. Make sure that's really what you want."
+ fi
+}
+
+src_prepare() {
+ # Enhance ebtables-save to take table names as parameters bug #189315
+ epatch "${FILESDIR}/${PN}-2.0.8.1-ebt-save.diff"
+
+ sed -i -e "s,^MANDIR:=.*,MANDIR:=/usr/share/man," \
+ -e "s,^BINDIR:=.*,BINDIR:=/sbin," \
+ -e "s,^INITDIR:=.*,INITDIR:=/usr/share/doc/${PF}," \
+ -e "s,^SYSCONFIGDIR:=.*,SYSCONFIGDIR:=/usr/share/doc/${PF}," \
+ -e "s,^LIBDIR:=.*,LIBDIR:=/$(get_libdir)/\$(PROGNAME)," Makefile
+}
+
+src_compile() {
+ # This package uses _init functions to initialise extensions. With
+ # --as-needed this will not work.
+ append-ldflags $(no-as-needed)
+ # This package correctly aliases pointers, but gcc is unable to know that:
+ # unsigned char ip[4];
+ # if (*((uint32_t*)ip) == 0) {
+ #append-cflags -Wno-strict-aliasing
+ emake \
+ CC="$(tc-getCC)" \
+ CFLAGS="${CFLAGS}" \
+ $(use static && echo static)
+}
+
+src_install() {
+ if ! use static; then
+ make DESTDIR="${D}" install
+ keepdir /var/lib/ebtables/
+ newinitd "${FILESDIR}"/ebtables.initd-r1 ebtables
+ newconfd "${FILESDIR}"/ebtables.confd-r1 ebtables
+ else
+ into /
+ newsbin static ebtables
+ insinto /etc
+ doins ethertypes
+ fi
+ dodoc ChangeLog THANKS || die
+}
diff --git a/net-firewall/ebtables/ebtables-2.0.10.4.ebuild b/net-firewall/ebtables/ebtables-2.0.10.4.ebuild
new file mode 100644
index 000000000000..75eec735f5cc
--- /dev/null
+++ b/net-firewall/ebtables/ebtables-2.0.10.4.ebuild
@@ -0,0 +1,68 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="4"
+
+inherit versionator eutils toolchain-funcs multilib flag-o-matic
+
+MY_PV=$(replace_version_separator 3 '-' )
+MY_P=${PN}-v${MY_PV}
+
+DESCRIPTION="Utility that enables basic Ethernet frame filtering on a Linux bridge, MAC NAT and brouting"
+HOMEPAGE="http://ebtables.sourceforge.net/"
+SRC_URI="mirror://sourceforge/${PN}/${MY_P}.tar.gz"
+
+KEYWORDS="amd64 ppc x86"
+IUSE="static"
+LICENSE="GPL-2"
+SLOT="0"
+
+S=${WORKDIR}/${MY_P}
+
+pkg_setup() {
+ if use static; then
+ ewarn "You've chosen static build which is useful for embedded devices."
+ ewarn "It has no init script. Make sure that's really what you want."
+ fi
+}
+
+src_prepare() {
+ # Enhance ebtables-save to take table names as parameters bug #189315
+ epatch "${FILESDIR}/${PN}-2.0.8.1-ebt-save.diff"
+
+ sed -i -e "s,^MANDIR:=.*,MANDIR:=/usr/share/man," \
+ -e "s,^BINDIR:=.*,BINDIR:=/sbin," \
+ -e "s,^INITDIR:=.*,INITDIR:=/usr/share/doc/${PF}," \
+ -e "s,^SYSCONFIGDIR:=.*,SYSCONFIGDIR:=/usr/share/doc/${PF}," \
+ -e "s,^LIBDIR:=.*,LIBDIR:=/$(get_libdir)/\$(PROGNAME)," Makefile
+}
+
+src_compile() {
+ # This package uses _init functions to initialise extensions. With
+ # --as-needed this will not work.
+ append-ldflags $(no-as-needed)
+ # This package correctly aliases pointers, but gcc is unable to know that:
+ # unsigned char ip[4];
+ # if (*((uint32_t*)ip) == 0) {
+ #append-cflags -Wno-strict-aliasing
+ emake \
+ CC="$(tc-getCC)" \
+ CFLAGS="${CFLAGS}" \
+ $(use static && echo static)
+}
+
+src_install() {
+ if ! use static; then
+ make DESTDIR="${D}" install
+ keepdir /var/lib/ebtables/
+ newinitd "${FILESDIR}"/ebtables.initd-r1 ebtables
+ newconfd "${FILESDIR}"/ebtables.confd-r1 ebtables
+ else
+ into /
+ newsbin static ebtables
+ insinto /etc
+ doins ethertypes
+ fi
+ dodoc ChangeLog THANKS || die
+}
diff --git a/net-firewall/ebtables/files/ebtables-2.0.8.1-ebt-save.diff b/net-firewall/ebtables/files/ebtables-2.0.8.1-ebt-save.diff
new file mode 100644
index 000000000000..cdfd823447ed
--- /dev/null
+++ b/net-firewall/ebtables/files/ebtables-2.0.8.1-ebt-save.diff
@@ -0,0 +1,31 @@
+--- ./ebtables-save.orig 2007-09-28 22:50:35.000000000 +0400
++++ ./ebtables-save 2007-09-28 22:51:22.000000000 +0400
+@@ -12,6 +12,7 @@
+ my $cnt = "";
+ my $version = "1.0";
+ my $table_name;
++my @table_names;
+
+ # ========================================================
+ # Process filter table
+@@ -49,12 +50,19 @@
+ }
+ # ========================================================
+
++if ($#ARGV + 1 == 0) {
++ @table_names =split("\n", `grep -E '^ebtable_' /proc/modules | cut -f1 -d' ' | sed s/ebtable_//`);
++}
++else {
++ @table_names = @ARGV;
++}
++# ========================================================
+ unless (-x $ebtables) { exit -1 };
+ print "# Generated by ebtables-save v$version on " . `date`;
+ if (defined($ENV{'EBTABLES_SAVE_COUNTER'}) && $ENV{'EBTABLES_SAVE_COUNTER'} eq "yes") {
+ $cnt = "--Lc";
+ }
+-foreach $table_name (split("\n", `grep -E '^ebtable_' /proc/modules | cut -f1 -d' ' | sed s/ebtable_//`)) {
++foreach $table_name (@table_names) {
+ $table =`$ebtables -t $table_name -L $cnt`;
+ unless ($? == 0) { print $table; exit -1 };
+ &process_table($table);
diff --git a/net-firewall/ebtables/files/ebtables.confd-r1 b/net-firewall/ebtables/files/ebtables.confd-r1
new file mode 100644
index 000000000000..645b26edae99
--- /dev/null
+++ b/net-firewall/ebtables/files/ebtables.confd-r1
@@ -0,0 +1,11 @@
+# /etc/conf.d/ebtables
+
+# Location in which ebtables initscript will save set rules on
+# service shutdown
+EBTABLES_SAVE="/var/lib/ebtables/rules-save"
+
+# Options to pass to ebtables-save and ebtables-restore
+SAVE_RESTORE_OPTIONS=""
+
+# Save state on stopping ebtables
+SAVE_ON_STOP="yes"
diff --git a/net-firewall/ebtables/files/ebtables.initd-r1 b/net-firewall/ebtables/files/ebtables.initd-r1
new file mode 100644
index 000000000000..770dd435d907
--- /dev/null
+++ b/net-firewall/ebtables/files/ebtables.initd-r1
@@ -0,0 +1,102 @@
+#!/sbin/runscript
+# Copyright 1999-2012 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+extra_commands="save panic"
+extra_started_commands="reload"
+
+ebtables_bin="/sbin/ebtables"
+ebtables_save=${EBTABLES_SAVE}
+
+depend() {
+ before net
+ use logger
+}
+
+ebtables_tables() {
+ for table in filter nat broute; do
+ if ${ebtables_bin} -t ${table} -L > /dev/null 2>&1; then
+ echo -n "${table} "
+ fi
+ done
+}
+
+set_table_policy() {
+ local chains table=$1 policy=$2
+ case ${table} in
+ nat) chains="PREROUTING POSTROUTING OUTPUT";;
+ broute) chains="BROUTING";;
+ filter) chains="INPUT FORWARD OUTPUT";;
+ *) chains="";;
+ esac
+ local chain
+ for chain in ${chains} ; do
+ ${ebtables_bin} -t ${table} -P ${chain} ${policy}
+ done
+}
+
+checkconfig() {
+ if [ ! -f ${ebtables_save} ] ; then
+ eerror "Not starting ebtables. First create some rules then run:"
+ eerror "/etc/init.d/ebtables save"
+ return 1
+ fi
+ return 0
+}
+
+start() {
+ checkconfig || return 1
+ ebegin "Loading ebtables state and starting bridge firewall"
+ ${ebtables_bin}-restore ${SAVE_RESTORE_OPTIONS} < "${ebtables_save}"
+ eend $?
+}
+
+stop() {
+ if [ "${SAVE_ON_STOP}" = "yes" ] ; then
+ save || return 1
+ fi
+ ebegin "Stopping bridge firewall"
+ local a
+ for a in $(ebtables_tables); do
+ set_table_policy $a ACCEPT
+
+ ${ebtables_bin} -t $a -F
+ ${ebtables_bin} -t $a -X
+ done
+ eend $?
+}
+
+reload() {
+ ebegin "Flushing bridge firewall"
+ local a
+ for a in $(ebtables_tables); do
+ ${ebtables_bin} -t $a -F
+ ${ebtables_bin} -t $a -X
+ done
+ eend $?
+
+ start
+}
+
+save() {
+ ebegin "Saving ebtables state"
+ touch "${ebtables_save}"
+ chmod 0600 "${ebtables_save}"
+ ${ebtables_bin}-save $(ebtables_tables) ${SAVE_RESTORE_OPTIONS} > "${ebtables_save}"
+ eend $?
+}
+
+panic() {
+ service_started ebtables && svc_stop
+
+ local a
+ ebegin "Dropping all packets forwarded on bridges"
+ for a in $(ebtables_tables); do
+ ${ebtables_bin} -t $a -F
+ ${ebtables_bin} -t $a -X
+
+ set_table_policy $a DROP
+ done
+ eend $?
+}
diff --git a/net-firewall/ebtables/metadata.xml b/net-firewall/ebtables/metadata.xml
new file mode 100644
index 000000000000..23b2d799bbe8
--- /dev/null
+++ b/net-firewall/ebtables/metadata.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+ <herd>base-system</herd>
+ <upstream>
+ <remote-id type="sourceforge">ebtables</remote-id>
+ </upstream>
+</pkgmetadata>
diff --git a/net-firewall/ferm/Manifest b/net-firewall/ferm/Manifest
new file mode 100644
index 000000000000..5f8e916d72e0
--- /dev/null
+++ b/net-firewall/ferm/Manifest
@@ -0,0 +1 @@
+DIST ferm-2.2.tar.gz 118828 SHA256 6d5447a2560495f34da78b4189b5d04d5cc1fca6733496de94ba900aec8b7a63 SHA512 af703c8a77f41c08b59c88cad523427dd5ab2a9209b51c2396d4eb7d5922e1821beeded9b4d0cdc33d7c757cdbf4c825332c7493522f548bfd9294f3657b807b WHIRLPOOL 3f86002b4b7a1ec2f9986ec74579a5ad300dd01601e66c6b5ccaee04eb0befe9955e8df8372bded2a7d03d80a9ce8cb2493f2d9e7a51d4a57483dba80a986ddb
diff --git a/net-firewall/ferm/ferm-2.2.ebuild b/net-firewall/ferm/ferm-2.2.ebuild
new file mode 100644
index 000000000000..3cceec1f2cff
--- /dev/null
+++ b/net-firewall/ferm/ferm-2.2.ebuild
@@ -0,0 +1,38 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+
+inherit versionator systemd
+
+MY_PV="$(get_version_component_range 1-2)"
+
+DESCRIPTION="Command line util for managing firewall rules"
+HOMEPAGE="http://ferm.foo-projects.org/"
+SRC_URI="http://ferm.foo-projects.org/download/${MY_PV}/${P}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="amd64 ppc x86"
+IUSE=""
+
+# does not install any perl libs
+RDEPEND="dev-lang/perl:*
+ net-firewall/iptables
+ virtual/perl-File-Spec"
+
+src_compile() { :; }
+
+src_install () {
+ dobin src/{,import-}ferm
+ dodoc -r AUTHORS NEWS README TODO doc/*.txt examples
+ doman doc/*.1
+ dohtml doc/*.html
+
+ systemd_dounit ferm.service
+}
+
+pkg_postinst() {
+ elog "See /usr/share/doc/${PF}/examples for sample configs"
+}
diff --git a/net-firewall/ferm/metadata.xml b/net-firewall/ferm/metadata.xml
new file mode 100644
index 000000000000..91f4e72fb544
--- /dev/null
+++ b/net-firewall/ferm/metadata.xml
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+ <maintainer>
+ <email>maintainer-needed@gentoo.org</email>
+ </maintainer>
+</pkgmetadata>
diff --git a/net-firewall/firehol/Manifest b/net-firewall/firehol/Manifest
new file mode 100644
index 000000000000..e571ba74fdef
--- /dev/null
+++ b/net-firewall/firehol/Manifest
@@ -0,0 +1,2 @@
+DIST firehol-1.273.tar.bz2 128128 SHA256 e8d3b4ac3e54097c0e0f14bfab773a75d43b522fa123a42088b7f23f13495ea2 SHA512 dbb311fb9d4fa8861480bae1fac449ce85f52612264ec21658946d87be02027c37af13b754acd791ad454964c588897f8187ec8ce80de3b3ed8a888429bfd708 WHIRLPOOL 0fa7f7644d7bf0268bfc6e817eeb95e7c1784cefa6d4a930c2fec6644774347c28e7a4d39c55df7a4e0f7a0c4697ce6b3c4bafdf6e2124bd478c097b9a6cfb27
+DIST firehol-2.0.2.tar.xz 918860 SHA256 8778d0fc891676777b55e68d852a765205a995029f6e9f599c0090a14ca8ee7c SHA512 d125c4ca7d60494afde04f806bb0fc44ebdb12d7bf59e027c441a087082d9c326d009ba568ef640b01409abdecc3c192a9ae6db6c7370ad0221a19cb3a706902 WHIRLPOOL 10b6edee6a4db07a217e7d13eea4dc5ba02d7f3a44ba1955a5b138a09aa41aea6e39acbcdb04e0ee80d22f3f1d9fc1f061d26d7a10a9d1a7f02230ca21efe514
diff --git a/net-firewall/firehol/files/RESERVED_IPS b/net-firewall/firehol/files/RESERVED_IPS
new file mode 100644
index 000000000000..2cfd261c132c
--- /dev/null
+++ b/net-firewall/firehol/files/RESERVED_IPS
@@ -0,0 +1,19 @@
+0.0.0.0/8
+10.0.0.0/8
+127.0.0.0/8
+240.0.0.0/8
+241.0.0.0/8
+242.0.0.0/8
+243.0.0.0/8
+244.0.0.0/8
+245.0.0.0/8
+246.0.0.0/8
+247.0.0.0/8
+248.0.0.0/8
+249.0.0.0/8
+250.0.0.0/8
+251.0.0.0/8
+252.0.0.0/8
+253.0.0.0/8
+254.0.0.0/8
+255.0.0.0/8
diff --git a/net-firewall/firehol/files/firehol-1.273-CVE-2008-4953.patch b/net-firewall/firehol/files/firehol-1.273-CVE-2008-4953.patch
new file mode 100644
index 000000000000..99a958aa701f
--- /dev/null
+++ b/net-firewall/firehol/files/firehol-1.273-CVE-2008-4953.patch
@@ -0,0 +1,58 @@
+From 545db8cd292957158bf3fa1c1c370e4be83c6688 Mon Sep 17 00:00:00 2001
+From: Robert Buchholz <rbu@goodpoint.de>
+Date: Tue, 6 Jan 2009 23:26:00 +0100
+Subject: [PATCH] Use mktemp instead of relying that $$-$RANDOM-$RANDOM does not exist.
+
+References:
+* CVE-2008-4953
+* https://bugs.gentoo.org/246013
+---
+ firehol.sh | 25 +++++++++----------------
+ 1 files changed, 9 insertions(+), 16 deletions(-)
+
+diff --git a/firehol.sh b/firehol.sh
+index 6acb497..f5dba16 100755
+--- a/firehol.sh
++++ b/firehol.sh
+@@ -238,8 +238,15 @@ ${IPTABLES_CMD} -nxvL >/dev/null 2>&1
+ # ----------------------------------------------------------------------
+ # Directories and files
+
+-# These files will be created and deleted during our run.
+-FIREHOL_DIR="/tmp/.firehol-tmp-$$-${RANDOM}-${RANDOM}"
++# Create an empty temporary directory we need for this run.
++if ! FIREHOL_DIR="`mktemp -d -t .firehol-tmp-XXXXXX`"
++then
++ echo >&2
++ echo >&2
++ echo >&2 "Cannot create temporary directory."
++ echo >&2
++ exit 1
++fi
+ FIREHOL_CHAINS_DIR="${FIREHOL_DIR}/chains"
+ FIREHOL_OUTPUT="${FIREHOL_DIR}/firehol-out.sh"
+ FIREHOL_SAVED="${FIREHOL_DIR}/firehol-save.sh"
+@@ -329,20 +336,6 @@ then
+ "${CHMOD_CMD}" 700 "${FIREHOL_CONFIG_DIR}/services"
+ fi
+
+-# Remove any old directories that might be there.
+-if [ -d "${FIREHOL_DIR}" ]
+-then
+- "${RM_CMD}" -rf "${FIREHOL_DIR}"
+- if [ $? -ne 0 -o -e "${FIREHOL_DIR}" ]
+- then
+- echo >&2
+- echo >&2
+- echo >&2 "Cannot clean temporary directory '${FIREHOL_DIR}'."
+- echo >&2
+- exit 1
+- fi
+-fi
+-"${MKDIR_CMD}" "${FIREHOL_DIR}" || exit 1
+ "${MKDIR_CMD}" "${FIREHOL_CHAINS_DIR}" || exit 1
+
+ # prepare the file that will hold all modules to be loaded.
+--
+1.6.0.4
+
diff --git a/net-firewall/firehol/files/firehol-1.273-log-output.patch b/net-firewall/firehol/files/firehol-1.273-log-output.patch
new file mode 100644
index 000000000000..66f0fd4c9b2e
--- /dev/null
+++ b/net-firewall/firehol/files/firehol-1.273-log-output.patch
@@ -0,0 +1,11 @@
+--- firehol.sh-old 2010-08-11 09:01:29.000000000 -0600
++++ firehol.sh 2010-08-12 09:22:07.000000000 -0600
+@@ -5212,7 +5212,7 @@
+ printf >&2 "\n"
+ echo >&2 "OUTPUT : "
+ echo >&2
+- ${CAT_CMD} ${FIREHOL_OUTPUT}.log
++ ${CAT_CMD} ${FIREHOL_OUTPUT}.log >&2
+ echo >&2
+
+ return 0
diff --git a/net-firewall/firehol/files/firehol-2.0.2-autosave.patch b/net-firewall/firehol/files/firehol-2.0.2-autosave.patch
new file mode 100644
index 000000000000..f552b2b167b3
--- /dev/null
+++ b/net-firewall/firehol/files/firehol-2.0.2-autosave.patch
@@ -0,0 +1,18 @@
+diff -urNp firehol-2.0.1/sbin/firehol.in firehol-2.0.1.new/sbin/firehol.in
+--- firehol-2.0.1/sbin/firehol.in 2015-02-15 17:08:03.000000000 +0200
++++ firehol-2.0.1.new/sbin/firehol.in 2015-04-14 18:05:22.262234003 +0300
+@@ -846,12 +846,12 @@ test -z "$FIREHOL_ROUTING" && \
+ # Where /etc/init.d/iptables expects its configuration?
+ # Leave it empty for automatic detection
+ test -z "$FIREHOL_AUTOSAVE" && \
+- FIREHOL_AUTOSAVE=
++ FIREHOL_AUTOSAVE="@FIREHOL_AUTOSAVE@"
+
+ # Where /etc/init.d/ip6tables expects its configuration?
+ # Leave it empty for automatic detection
+ test -z "$FIREHOL_AUTOSAVE6" && \
+- FIREHOL_AUTOSAVE6=
++ FIREHOL_AUTOSAVE6="@FIREHOL_AUTOSAVE6@"
+
+ # Set to non-empty to wait (max 60 seconds) for a network interface
+ test -z "$WAIT_FOR_IFACE" && \
diff --git a/net-firewall/firehol/files/firehol.conf.d b/net-firewall/firehol/files/firehol.conf.d
new file mode 100644
index 000000000000..c8b06e0eaf09
--- /dev/null
+++ b/net-firewall/firehol/files/firehol.conf.d
@@ -0,0 +1,2 @@
+#Locate of FireHOL conf file
+FIREHOL_CONF="/etc/firehol/firehol.conf"
diff --git a/net-firewall/firehol/files/firehol.initrd.1 b/net-firewall/firehol/files/firehol.initrd.1
new file mode 100644
index 000000000000..8d34b68b14ee
--- /dev/null
+++ b/net-firewall/firehol/files/firehol.initrd.1
@@ -0,0 +1,67 @@
+#!/sbin/runscript
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+extra_commands="save panic try"
+extra_started_commands="reload"
+
+depend() {
+ need localmount
+ after bootmisc
+ before net
+ provide firewall
+}
+
+checkrules() {
+ if [ ! -f ${FIREHOL_CONF} ]; then
+ eerror "Not starting FireHOL. Create ${FIREHOL_CONF}"
+ eerror "and fill it with some rules."
+ eerror "man firehol.conf for more info."
+ return 1
+ fi
+}
+
+start() {
+ checkrules || return 1
+ ebegin "Starting FireHOL"
+ /usr/sbin/firehol ${FIREHOL_CONF} start > /dev/null
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping FireHOL"
+ /usr/sbin/firehol stop > /dev/null
+ eend $?
+}
+
+restart() {
+ ebegin "Restarting Firewall"
+ svc_stop;
+ svc_start;
+ eend $?
+}
+
+try() {
+ ebegin "Trying FireHOL configuration"
+ /usr/sbin/firehol ${FIREHOL_CONF} try
+ eend $?
+}
+
+status() {
+ ebegin "Showing FireHOL status"
+ /usr/sbin/firehol status
+ eend $?
+}
+
+panic() {
+ ebegin "FireHOL PANIC"
+ /usr/sbin/firehol panic
+ eend $?
+}
+
+save() {
+ ebegin "Saving FireHOL configuration"
+ /usr/sbin/firehol save
+ eend $?
+}
diff --git a/net-firewall/firehol/files/fireqos.conf.d b/net-firewall/firehol/files/fireqos.conf.d
new file mode 100644
index 000000000000..55fa2e037e01
--- /dev/null
+++ b/net-firewall/firehol/files/fireqos.conf.d
@@ -0,0 +1,2 @@
+#Locate of FireQOS conf file
+FIREQOS="/etc/firehol/fireqos.conf"
diff --git a/net-firewall/firehol/files/fireqos.initrd b/net-firewall/firehol/files/fireqos.initrd
new file mode 100644
index 000000000000..ebfbaac5b6e2
--- /dev/null
+++ b/net-firewall/firehol/files/fireqos.initrd
@@ -0,0 +1,45 @@
+#!/sbin/runscript
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+depend() {
+ need localmount
+ after bootmisc
+ before net
+}
+
+checkrules() {
+ if [ ! -f ${FIREQOS_CONF} ]; then
+ eerror "Not starting FireQOS. Create ${FIREQOS_CONF}"
+ eerror "and fill it with some rules."
+ eerror "man fireqos.conf for more info."
+ return 1
+ fi
+}
+
+start() {
+ checkrules || return 1
+ ebegin "Starting FireQOS"
+ /usr/sbin/fireqos start ${FIREQOS_CONF} -- ${FIREQOS_EXTRA_ARGS} > /dev/null
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping FireQOS"
+ /usr/sbin/fireqos stop > /dev/null
+ eend $?
+}
+
+restart() {
+ ebegin "Restarting FireQOS"
+ svc_stop;
+ svc_start;
+ eend $?
+}
+
+status() {
+ ebegin "Showing FireQOS status"
+ /usr/sbin/fireqos status
+ eend $?
+}
diff --git a/net-firewall/firehol/firehol-1.273-r3.ebuild b/net-firewall/firehol/firehol-1.273-r3.ebuild
new file mode 100644
index 000000000000..d5f5d8b2757f
--- /dev/null
+++ b/net-firewall/firehol/firehol-1.273-r3.ebuild
@@ -0,0 +1,78 @@
+# Copyright 1999-2012 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=4
+inherit eutils linux-info
+
+DESCRIPTION="iptables firewall generator"
+HOMEPAGE="http://firehol.sourceforge.net/"
+SRC_URI="mirror://sourceforge/${PN}/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+IUSE=""
+KEYWORDS="amd64 ~ppc ~sparc x86"
+
+DEPEND="sys-apps/iproute2"
+RDEPEND="net-firewall/iptables
+ sys-apps/iproute2[-minimal]
+ virtual/modutils
+ || (
+ net-misc/wget
+ net-misc/curl
+ )"
+
+src_prepare() {
+ epatch "${FILESDIR}"/${P}-CVE-2008-4953.patch
+ epatch "${FILESDIR}"/${P}-log-output.patch #332507
+}
+
+pkg_setup() {
+ local KCONFIG_OPTS="~NF_CONNTRACK_IPV4 ~NF_CONNTRACK_MARK ~NF_NAT ~NF_NAT_FTP ~NF_NAT_IRC \
+ ~IP_NF_IPTABLES ~IP_NF_FILTER ~IP_NF_TARGET_REJECT ~IP_NF_TARGET_LOG ~IP_NF_TARGET_ULOG \
+ ~IP_NF_TARGET_MASQUERADE ~IP_NF_TARGET_REDIRECT ~IP_NF_MANGLE \
+ ~NETFILTER_XT_MATCH_LIMIT ~NETFILTER_XT_MATCH_STATE ~NETFILTER_XT_MATCH_OWNER"
+
+ get_version
+ if [ ${KV_PATCH} -ge 25 ]; then
+ CONFIG_CHECK="~NF_CONNTRACK ${KCONFIG_OPTS}"
+ else
+ CONFIG_CHECK="~NF_CONNTRACK_ENABLED ${KCONFIG_OPTS}"
+ fi
+ linux-info_pkg_setup
+}
+
+src_install() {
+ newsbin firehol.sh firehol
+
+ dodir /etc/firehol /etc/firehol/examples /etc/firehol/services
+ insinto /etc/firehol/examples
+ doins examples/* || die
+
+ newconfd "${FILESDIR}"/firehol.conf.d firehol
+ newinitd "${FILESDIR}"/firehol.initrd.1 firehol
+
+ dodoc ChangeLog README TODO WhatIsNew
+ dohtml doc/*.html doc/*.css
+
+ docinto scripts
+ dodoc get-iana.sh adblock.sh
+
+ doman man/*.1 man/*.5
+
+ # Install this RESERVED_IPS as discussed in bug #332135
+ insinto /etc/firehol
+ doins "${FILESDIR}"/RESERVED_IPS
+}
+
+pkg_postinst() {
+ elog "The default path to firehol's configuration file is /etc/firehol/firehol.conf"
+ elog "See /etc/firehol/examples for configuration examples."
+ #
+ # Install a default configuration if none is available yet
+ if [[ ! -e "${ROOT}/etc/firehol/firehol.conf" ]]; then
+ einfo "Installing a sample configuration as ${ROOT}/etc/firehol/firehol.conf"
+ cp "${ROOT}/etc/firehol/examples/client-all.conf" "${ROOT}/etc/firehol/firehol.conf"
+ fi
+}
diff --git a/net-firewall/firehol/firehol-2.0.2.ebuild b/net-firewall/firehol/firehol-2.0.2.ebuild
new file mode 100644
index 000000000000..f39413ce29c1
--- /dev/null
+++ b/net-firewall/firehol/firehol-2.0.2.ebuild
@@ -0,0 +1,61 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+inherit eutils linux-info
+
+DESCRIPTION="iptables firewall generator"
+HOMEPAGE="http://firehol.sourceforge.net/"
+SRC_URI="http://firehol.org/download/releases/v${PV}/${P}.tar.xz"
+
+LICENSE="GPL-2"
+SLOT="0"
+IUSE="doc"
+KEYWORDS="~amd64 ~ppc ~sparc ~x86"
+
+RDEPEND="net-firewall/iptables
+ sys-apps/iproute2[-minimal]
+ virtual/modutils
+ app-arch/gzip"
+DEPEND="${RDEPEND}"
+
+pkg_setup() {
+ local KCONFIG_OPTS="~NF_CONNTRACK_IPV4 ~NF_CONNTRACK_MARK ~NF_NAT ~NF_NAT_FTP ~NF_NAT_IRC \
+ ~IP_NF_IPTABLES ~IP_NF_FILTER ~IP_NF_TARGET_REJECT ~IP_NF_TARGET_LOG ~IP_NF_TARGET_ULOG \
+ ~IP_NF_TARGET_MASQUERADE ~IP_NF_TARGET_REDIRECT ~IP_NF_MANGLE \
+ ~NETFILTER_XT_MATCH_LIMIT ~NETFILTER_XT_MATCH_STATE ~NETFILTER_XT_MATCH_OWNER"
+
+ get_version
+ if [ ${KV_PATCH} -ge 25 ]; then
+ CONFIG_CHECK="~NF_CONNTRACK ${KCONFIG_OPTS}"
+ else
+ CONFIG_CHECK="~NF_CONNTRACK_ENABLED ${KCONFIG_OPTS}"
+ fi
+ linux-info_pkg_setup
+}
+
+src_prepare() {
+ epatch "${FILESDIR}/${P}-autosave.patch"
+}
+
+src_configure() {
+ # removing IP6TABLES_CMD has no effect and enable build
+ # without ipv6 available
+ econf \
+ --docdir="${EPREFIX}/usr/share/doc/${PF}" \
+ --with-autosave="${EPREFIX}/var/lib/iptables/rules-save" \
+ --with-autosave6="${EPREFIX}/var/lib/ip6tables/rules-save" \
+ $(use_enable doc) \
+ IP6TABLES_CMD=/bin/false \
+ IP6TABLES_SAVE_CMD=/bin/false
+}
+
+src_install() {
+ default
+
+ newconfd "${FILESDIR}"/firehol.conf.d firehol
+ newinitd "${FILESDIR}"/firehol.initrd.1 firehol
+ newconfd "${FILESDIR}"/fireqos.conf.d fireqos
+ newinitd "${FILESDIR}"/fireqos.initrd fireqos
+}
diff --git a/net-firewall/firehol/metadata.xml b/net-firewall/firehol/metadata.xml
new file mode 100644
index 000000000000..7f679d64a788
--- /dev/null
+++ b/net-firewall/firehol/metadata.xml
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+ <maintainer>
+ <email>alonbl@gentoo.org</email>
+ </maintainer>
+</pkgmetadata>
diff --git a/net-firewall/firewalld/Manifest b/net-firewall/firewalld/Manifest
new file mode 100644
index 000000000000..0a1e1cff4666
--- /dev/null
+++ b/net-firewall/firewalld/Manifest
@@ -0,0 +1,3 @@
+DIST firewalld-0.3.10.tar.bz2 548013 SHA256 0f5e051655fc06690f5ab72b1b38cb57b4368e49bd5ad98a27e2f88c79e82f2b SHA512 3fb3363959203d90d51b2c9b7b7819a4f3521a51a10a59d73d65054018e1fe90d0fdd2e31d0b83a3d38e2b2fd6e92fccd6dd2a30ec7f1be3f98a018a5a49aeac WHIRLPOOL fc6d1ceeb4e5ba91b072526ffa2dd7a790d883176104bec6e7e547b9035757ff22743746389f50edd32d646a07e9bf311b109f89b8c59acfa350e71176d0bd3c
+DIST firewalld-0.3.13.tar.bz2 561948 SHA256 bca88cbce4290b6959b3c0eea560e7f19c7cf2f563caca585b7db5cd2fca8ac9 SHA512 987ea3e243f87b8ded2f9627b4efc9649a22d878d19b6b760ba1a281e9e7280abcda558feebe6bd30e1cd27e7277a8ec99a7da623c29f04ab290c1d7ac3d6789 WHIRLPOOL 795f63fa5415c37ea9c6a835860dca4eb71879d1d69fcd6fbb022d0c4b4ab507d74e0e17098724846bd97246be3a98fab1d25134df69c9ac25db2fb77508b159
+DIST firewalld-0.3.14.2.tar.bz2 617592 SHA256 4b6c3e1deab41b6002b8dc25639e466085941c98a6c14a56bef4f621a5651567 SHA512 18d57ca4501101b217b0854851f6bf18b5bd036e1e143ef1b3c2b97ef06e0cbb7399249f4904576381c9839a82ff51296f44f4520c7b221568c9e4518e593d8c WHIRLPOOL a00930a63dab654f64caac0deb5c24a28f5aa7c9882ca40bde642b9b765c9eeb81a582dcf015885b989543d4c85f6da6dc792c6532a844d87110bda2aa9a598f
diff --git a/net-firewall/firewalld/files/firewalld-0.3.10-py3k-compat.patch b/net-firewall/firewalld/files/firewalld-0.3.10-py3k-compat.patch
new file mode 100644
index 000000000000..e91590f1cff6
--- /dev/null
+++ b/net-firewall/firewalld/files/firewalld-0.3.10-py3k-compat.patch
@@ -0,0 +1,24 @@
+diff --git a/src/firewall/core/io/direct.py b/src/firewall/core/io/direct.py
+index b698e4c..6b80201 100644
+--- a/src/firewall/core/io/direct.py
++++ b/src/firewall/core/io/direct.py
+@@ -295,8 +295,8 @@ class Direct(IO_Object):
+ if len(self.passthroughs[ipv]) == 0:
+ del self.passthroughs[ipv]
+ else:
+- raise ValueError, "Passthrough '%s' for ipv '%s'" % \
+- ("',".join(args), ipv) + "not in list"
++ raise ValueError("Passthrough '%s' for ipv '%s'" % \
++ ("',".join(args), ipv) + "not in list")
+
+ def query_passthrough(self, ipv, args):
+ return (ipv in self.passthroughs and args in self.passthroughs[ipv])
+@@ -305,7 +305,7 @@ class Direct(IO_Object):
+ if ipv in self.passthroughs:
+ return self.passthroughs[ipv]
+ else:
+- raise ValueError, "No passthroughs for ipv '%s'" % (ipv)
++ raise ValueError("No passthroughs for ipv '%s'" % (ipv))
+
+ def get_all_passthroughs(self):
+ return self.passthroughs
diff --git a/net-firewall/firewalld/files/firewalld.init b/net-firewall/firewalld/files/firewalld.init
new file mode 100644
index 000000000000..3e8b2dd84fba
--- /dev/null
+++ b/net-firewall/firewalld/files/firewalld.init
@@ -0,0 +1,13 @@
+#!/sbin/runscript
+# Copyright 1999-2012 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+description="FirewallD"
+command=/usr/sbin/firewalld
+pidfile=/var/run/firewalld.pid
+
+depend() {
+ need dbus
+ provide iptables ip6tables ebtables
+}
diff --git a/net-firewall/firewalld/firewalld-0.3.10.ebuild b/net-firewall/firewalld/firewalld-0.3.10.ebuild
new file mode 100644
index 000000000000..4e87f122943e
--- /dev/null
+++ b/net-firewall/firewalld/firewalld-0.3.10.ebuild
@@ -0,0 +1,98 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+PYTHON_COMPAT=( python{2_7,3_3,3_4} )
+#BACKPORTS=190680ba
+
+inherit autotools eutils gnome2-utils python-r1 systemd multilib bash-completion-r1
+
+DESCRIPTION="A firewall daemon with D-BUS interface providing a dynamic firewall"
+HOMEPAGE="http://fedorahosted.org/firewalld"
+SRC_URI="https://fedorahosted.org/released/firewalld/${P}.tar.bz2
+ ${BACKPORTS:+http://dev.gentoo.org/~cardoe/distfiles/${P}-${BACKPORTS}.tar.xz}"
+
+LICENSE="GPL-2+"
+SLOT="0"
+KEYWORDS="amd64 x86"
+IUSE="gui"
+
+RDEPEND="${PYTHON_DEPS}
+ dev-python/dbus-python[${PYTHON_USEDEP}]
+ dev-python/decorator[${PYTHON_USEDEP}]
+ >=dev-python/python-slip-0.2.7[dbus,${PYTHON_USEDEP}]
+ dev-python/pygobject:3[${PYTHON_USEDEP}]
+ net-firewall/ebtables
+ net-firewall/iptables[ipv6]
+ || ( >=sys-apps/openrc-0.11.5 sys-apps/systemd )
+ gui? ( x11-libs/gtk+:3 )"
+DEPEND="${RDEPEND}
+ dev-libs/glib:2
+ >=dev-util/intltool-0.35
+ sys-devel/gettext"
+
+src_prepare() {
+ [[ -n ${BACKPORTS} ]] && \
+ EPATCH_FORCE=yes EPATCH_SUFFIX="patch" EPATCH_SOURCE="${S}/patches" \
+ epatch
+
+ epatch "${FILESDIR}/${P}-py3k-compat.patch"
+ epatch_user
+ eautoreconf
+}
+
+src_configure() {
+ python_setup
+
+ econf \
+ --enable-systemd \
+ "$(systemd_with_unitdir 'systemd-unitdir')" \
+ --with-bashcompletiondir="$(get_bashcompdir)"
+}
+
+src_install() {
+ # manually split up the installation to avoid "file already exists" errors
+ emake -C config DESTDIR="${D}" install
+ emake -C po DESTDIR="${D}" install
+ emake -C shell-completion DESTDIR="${D}" install
+ emake -C doc DESTDIR="${D}" install
+
+ install_python() {
+ emake -C src DESTDIR="${D}" pythondir="$(python_get_sitedir)" install
+ python_optimize
+ }
+ python_foreach_impl install_python
+
+ python_replicate_script "${D}"/usr/bin/firewall-{offline-cmd,cmd,applet,config}
+ python_replicate_script "${D}/usr/sbin/firewalld"
+
+ # Get rid of junk
+ rm -rf "${D}/etc/rc.d/"
+ rm -rf "${D}/etc/sysconfig/"
+
+ # For non-gui installs we need to remove GUI bits
+ if ! use gui; then
+ rm -f "${D}/usr/bin/firewall-applet"
+ rm -f "${D}/usr/bin/firewall-config"
+ rm -rf "${D}/usr/share/icons"
+ rm -rf "${D}/usr/share/applications"
+ fi
+
+ newinitd "${FILESDIR}"/firewalld.init firewalld
+}
+
+pkg_preinst() {
+ gnome2_icon_savelist
+ gnome2_schemas_savelist
+}
+
+pkg_postinst() {
+ gnome2_icon_cache_update
+ gnome2_schemas_update
+}
+
+pkg_postrm() {
+ gnome2_icon_cache_update
+ gnome2_schemas_update
+}
diff --git a/net-firewall/firewalld/firewalld-0.3.13.ebuild b/net-firewall/firewalld/firewalld-0.3.13.ebuild
new file mode 100644
index 000000000000..d979fe1bcbd1
--- /dev/null
+++ b/net-firewall/firewalld/firewalld-0.3.13.ebuild
@@ -0,0 +1,98 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+PYTHON_COMPAT=( python{2_7,3_3,3_4} )
+#BACKPORTS=
+
+inherit autotools eutils gnome2-utils python-r1 systemd multilib bash-completion-r1
+
+DESCRIPTION="A firewall daemon with D-BUS interface providing a dynamic firewall"
+HOMEPAGE="http://fedorahosted.org/firewalld"
+SRC_URI="https://fedorahosted.org/released/firewalld/${P}.tar.bz2
+ ${BACKPORTS:+http://dev.gentoo.org/~cardoe/distfiles/${P}-${BACKPORTS}.tar.xz}"
+
+LICENSE="GPL-2+"
+SLOT="0"
+KEYWORDS="amd64 x86"
+IUSE="gui"
+
+RDEPEND="${PYTHON_DEPS}
+ dev-python/dbus-python[${PYTHON_USEDEP}]
+ dev-python/decorator[${PYTHON_USEDEP}]
+ >=dev-python/python-slip-0.2.7[dbus,${PYTHON_USEDEP}]
+ dev-python/pygobject:3[${PYTHON_USEDEP}]
+ net-firewall/ebtables
+ net-firewall/iptables[ipv6]
+ || ( >=sys-apps/openrc-0.11.5 sys-apps/systemd )
+ gui? ( x11-libs/gtk+:3 )"
+DEPEND="${RDEPEND}
+ dev-libs/glib:2
+ >=dev-util/intltool-0.35
+ sys-devel/gettext"
+
+src_prepare() {
+ [[ -n ${BACKPORTS} ]] && \
+ EPATCH_FORCE=yes EPATCH_SUFFIX="patch" EPATCH_SOURCE="${S}/patches" \
+ epatch
+
+ epatch "${FILESDIR}/${PN}-0.3.10-py3k-compat.patch"
+ epatch_user
+ eautoreconf
+}
+
+src_configure() {
+ python_setup
+
+ econf \
+ --enable-systemd \
+ "$(systemd_with_unitdir 'systemd-unitdir')" \
+ --with-bashcompletiondir="$(get_bashcompdir)"
+}
+
+src_install() {
+ # manually split up the installation to avoid "file already exists" errors
+ emake -C config DESTDIR="${D}" install
+ emake -C po DESTDIR="${D}" install
+ emake -C shell-completion DESTDIR="${D}" install
+ emake -C doc DESTDIR="${D}" install
+
+ install_python() {
+ emake -C src DESTDIR="${D}" pythondir="$(python_get_sitedir)" install
+ python_optimize
+ }
+ python_foreach_impl install_python
+
+ python_replicate_script "${D}"/usr/bin/firewall-{offline-cmd,cmd,applet,config}
+ python_replicate_script "${D}/usr/sbin/firewalld"
+
+ # Get rid of junk
+ rm -rf "${D}/etc/rc.d/"
+ rm -rf "${D}/etc/sysconfig/"
+
+ # For non-gui installs we need to remove GUI bits
+ if ! use gui; then
+ rm -f "${D}/usr/bin/firewall-applet"
+ rm -f "${D}/usr/bin/firewall-config"
+ rm -rf "${D}/usr/share/icons"
+ rm -rf "${D}/usr/share/applications"
+ fi
+
+ newinitd "${FILESDIR}"/firewalld.init firewalld
+}
+
+pkg_preinst() {
+ gnome2_icon_savelist
+ gnome2_schemas_savelist
+}
+
+pkg_postinst() {
+ gnome2_icon_cache_update
+ gnome2_schemas_update
+}
+
+pkg_postrm() {
+ gnome2_icon_cache_update
+ gnome2_schemas_update
+}
diff --git a/net-firewall/firewalld/firewalld-0.3.14.2.ebuild b/net-firewall/firewalld/firewalld-0.3.14.2.ebuild
new file mode 100644
index 000000000000..5863d17d526e
--- /dev/null
+++ b/net-firewall/firewalld/firewalld-0.3.14.2.ebuild
@@ -0,0 +1,97 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+PYTHON_COMPAT=( python{2_7,3_3,3_4} )
+#BACKPORTS=
+
+inherit autotools eutils gnome2-utils python-r1 systemd multilib bash-completion-r1
+
+DESCRIPTION="A firewall daemon with D-BUS interface providing a dynamic firewall"
+HOMEPAGE="http://fedorahosted.org/firewalld"
+SRC_URI="https://fedorahosted.org/released/firewalld/${P}.tar.bz2
+ ${BACKPORTS:+http://dev.gentoo.org/~cardoe/distfiles/${P}-${BACKPORTS}.tar.xz}"
+
+LICENSE="GPL-2+"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+IUSE="gui"
+
+RDEPEND="${PYTHON_DEPS}
+ dev-python/dbus-python[${PYTHON_USEDEP}]
+ dev-python/decorator[${PYTHON_USEDEP}]
+ >=dev-python/python-slip-0.2.7[dbus,${PYTHON_USEDEP}]
+ dev-python/pygobject:3[${PYTHON_USEDEP}]
+ net-firewall/ebtables
+ net-firewall/iptables[ipv6]
+ || ( >=sys-apps/openrc-0.11.5 sys-apps/systemd )
+ gui? ( x11-libs/gtk+:3 )"
+DEPEND="${RDEPEND}
+ dev-libs/glib:2
+ >=dev-util/intltool-0.35
+ sys-devel/gettext"
+
+src_prepare() {
+ [[ -n ${BACKPORTS} ]] && \
+ EPATCH_FORCE=yes EPATCH_SUFFIX="patch" EPATCH_SOURCE="${S}/patches" \
+ epatch
+
+ epatch_user
+ eautoreconf
+}
+
+src_configure() {
+ python_setup
+
+ econf \
+ --enable-systemd \
+ "$(systemd_with_unitdir 'systemd-unitdir')" \
+ --with-bashcompletiondir="$(get_bashcompdir)"
+}
+
+src_install() {
+ # manually split up the installation to avoid "file already exists" errors
+ emake -C config DESTDIR="${D}" install
+ emake -C po DESTDIR="${D}" install
+ emake -C shell-completion DESTDIR="${D}" install
+ emake -C doc DESTDIR="${D}" install
+
+ install_python() {
+ emake -C src DESTDIR="${D}" pythondir="$(python_get_sitedir)" install
+ python_optimize
+ }
+ python_foreach_impl install_python
+
+ python_replicate_script "${D}"/usr/bin/firewall-{offline-cmd,cmd,applet,config}
+ python_replicate_script "${D}/usr/sbin/firewalld"
+
+ # Get rid of junk
+ rm -rf "${D}/etc/rc.d/"
+ rm -rf "${D}/etc/sysconfig/"
+
+ # For non-gui installs we need to remove GUI bits
+ if ! use gui; then
+ rm -f "${D}/usr/bin/firewall-applet"
+ rm -f "${D}/usr/bin/firewall-config"
+ rm -rf "${D}/usr/share/icons"
+ rm -rf "${D}/usr/share/applications"
+ fi
+
+ newinitd "${FILESDIR}"/firewalld.init firewalld
+}
+
+pkg_preinst() {
+ gnome2_icon_savelist
+ gnome2_schemas_savelist
+}
+
+pkg_postinst() {
+ gnome2_icon_cache_update
+ gnome2_schemas_update
+}
+
+pkg_postrm() {
+ gnome2_icon_cache_update
+ gnome2_schemas_update
+}
diff --git a/net-firewall/firewalld/metadata.xml b/net-firewall/firewalld/metadata.xml
new file mode 100644
index 000000000000..773fdd88c2cb
--- /dev/null
+++ b/net-firewall/firewalld/metadata.xml
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+ <maintainer>
+ <email>tamiko@gentoo.org</email>
+ <name>Matthias Maier</name>
+ <description>Please assign bugs to me</description>
+ </maintainer>
+ <maintainer>
+ <email>cardoe@gentoo.org</email>
+ <name>Doug Goldstein</name>
+ </maintainer>
+ <herd>virtualization</herd>
+ <use>
+ <flag name='gui'>Builds and installs GUI configurator and GTK+ applet</flag>
+ </use>
+</pkgmetadata>
+
diff --git a/net-firewall/fwanalog/Manifest b/net-firewall/fwanalog/Manifest
new file mode 100644
index 000000000000..3a12aefcdb00
--- /dev/null
+++ b/net-firewall/fwanalog/Manifest
@@ -0,0 +1 @@
+DIST fwanalog-0.6.4.tar.gz 128787 SHA256 8ddc4c7ec16e59a27691e25fdd1f266838230ee08c3495fa289db0e7fc008e13 SHA512 953ca03c070e82370dc2a993c19113b4a92f89be6a0d77edbbcb722420c9fc28d3f4bb454441c3e82f36eb27584ff88090beab18c095051a2e8ef7bc28b52da2 WHIRLPOOL 3b274f44788e411ddec0256e47f735de94cc2eadb66ab4f295986417cf3f4b525c0c35f40f83f5e5dec6179ea44d26cc61c8f74db5fc47d6b56f6eab174d9fa9
diff --git a/net-firewall/fwanalog/fwanalog-0.6.4.ebuild b/net-firewall/fwanalog/fwanalog-0.6.4.ebuild
new file mode 100644
index 000000000000..8434ec8babe4
--- /dev/null
+++ b/net-firewall/fwanalog/fwanalog-0.6.4.ebuild
@@ -0,0 +1,39 @@
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+DESCRIPTION="Script to parse firewall logs and analyze them with Analog"
+HOMEPAGE="http://tud.at/programm/fwanalog/"
+SRC_URI="http://tud.at/programm/fwanalog/${P}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 x86 ppc sparc"
+IUSE=""
+
+DEPEND="" # this is just a bash script
+RDEPEND="app-shells/bash
+ sys-apps/grep
+ virtual/awk
+ sys-apps/sed
+ app-arch/gzip
+ sys-apps/diffutils
+ dev-lang/perl
+ >=app-admin/analog-5.31"
+
+src_install() {
+ insinto /etc/fwanalog
+
+ insopts -m0700 ; doins fwanalog.sh
+
+ insopts -m0600
+ doins fwanalog-dom.tab fwanalog.lng services.conf
+ doins fwanalog.analog.conf fwanalog.analog.conf.local
+ newins fwanalog.opts.linux24 fwanalog.opts
+
+ dosed "s/\"zegrep\"/\"egrep\"/" /etc/fwanalog/fwanalog.opts
+
+ dodoc CONTRIBUTORS ChangeLog README
+ docinto support ; dodoc support/*
+ docinto langfiles ; dodoc langfiles/*
+}
diff --git a/net-firewall/fwanalog/metadata.xml b/net-firewall/fwanalog/metadata.xml
new file mode 100644
index 000000000000..f9d50da18d39
--- /dev/null
+++ b/net-firewall/fwanalog/metadata.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+ <maintainer>
+ <email>maintainer-needed@gentoo.org</email>
+ <description>This package lacks a primary herd or maintainer.</description>
+ </maintainer>
+</pkgmetadata>
diff --git a/net-firewall/fwbuilder/Manifest b/net-firewall/fwbuilder/Manifest
new file mode 100644
index 000000000000..46af7ab839a4
--- /dev/null
+++ b/net-firewall/fwbuilder/Manifest
@@ -0,0 +1,2 @@
+DIST fwbuilder-5.0.1.3592.tar.gz 6733502 SHA256 22120de712844b5d89a3f2924964c16cc86f96f2156ace7c3f551bd0d713c94b
+DIST fwbuilder-5.1.0.3599.tar.gz 7182573 SHA256 452514a1ec0be1416bfca93603e6c89deb91d1a3a19671c64b5a8868a3743daf
diff --git a/net-firewall/fwbuilder/files/fwbuilder-5.0.0.3568-ldflags.patch b/net-firewall/fwbuilder/files/fwbuilder-5.0.0.3568-ldflags.patch
new file mode 100644
index 000000000000..d9df8429d390
--- /dev/null
+++ b/net-firewall/fwbuilder/files/fwbuilder-5.0.0.3568-ldflags.patch
@@ -0,0 +1,11 @@
+diff -Naurp fwbuilder-5.0.0.3568.orig//qmake.inc.in fwbuilder-5.0.0.3568//qmake.inc.in
+--- fwbuilder-5.0.0.3568.orig//qmake.inc.in 2011-07-25 19:27:44.000000000 -0400
++++ fwbuilder-5.0.0.3568//qmake.inc.in 2011-08-19 17:00:41.259985388 -0400
+@@ -39,6 +39,7 @@ unix {
+ QMAKE_CFLAGS_RELEASE += -Wno-unused-parameter
+ QMAKE_CXXFLAGS_DEBUG += -Wno-unused-parameter
+ QMAKE_CXXFLAGS_RELEASE += -Wno-unused-parameter
++ QMAKE_LFLAGS = @LDFLAGS@
+
+ !macx {
+
diff --git a/net-firewall/fwbuilder/files/fwbuilder-5.0.1.3592-gcc47.patch b/net-firewall/fwbuilder/files/fwbuilder-5.0.1.3592-gcc47.patch
new file mode 100644
index 000000000000..7849e2b6da95
--- /dev/null
+++ b/net-firewall/fwbuilder/files/fwbuilder-5.0.1.3592-gcc47.patch
@@ -0,0 +1,11 @@
+--- a/src/libfwbuilder/src/fwbuilder/ThreadTools.h 2012-06-04 15:02:55.909203733 -0400
++++ b/src/libfwbuilder/src/fwbuilder/ThreadTools.h 2012-06-04 15:04:54.079198998 -0400
+@@ -31,7 +31,7 @@
+
+ #include <time.h> //for time_t definition
+ #include <pthread.h>
+-
++#include <unistd.h>
+ #include <string>
+ #include <queue>
+
diff --git a/net-firewall/fwbuilder/files/fwbuilder-5.0.1.3592-stdc-format-macros.patch b/net-firewall/fwbuilder/files/fwbuilder-5.0.1.3592-stdc-format-macros.patch
new file mode 100644
index 000000000000..3658c10a3eec
--- /dev/null
+++ b/net-firewall/fwbuilder/files/fwbuilder-5.0.1.3592-stdc-format-macros.patch
@@ -0,0 +1,51 @@
+From: Vadim Kurland <vadim@slot.vk.crocodile.org>
+Date: Tue, 14 Feb 2012 04:59:26 +0000 (-0800)
+Subject: fix for SF bug #3468802. Define macro __STDC_FORMAT_MACROS. This still
+X-Git-Url: http://fwbuilder.git.sourceforge.net/git/gitweb.cgi?p=fwbuilder%2Ffwbuilder;a=commitdiff_plain;h=f97a1b50ba51be5fa31cc54dba829a9e77609160;hp=15565ade5dc843e5fefe83568a023c37256c3c3c
+
+fix for SF bug #3468802. Define macro __STDC_FORMAT_MACROS. This still
+needs to be tested on all build machines.
+---
+
+diff --git a/qmake.inc.in b/qmake.inc.in
+index 6bf27e0..3e31fd6 100644
+--- a/qmake.inc.in
++++ b/qmake.inc.in
+@@ -67,6 +67,9 @@ unix {
+
+ CONFIG += warn_on
+
++ QMAKE_CXXFLAGS_DEBUG += -D__STDC_FORMAT_MACROS
++ QMAKE_CXXFLAGS_RELEASE += -D__STDC_FORMAT_MACROS
++
+ }
+ }
+
+diff --git a/src/libfwbuilder/qmake.inc.in b/src/libfwbuilder/qmake.inc.in
+index b4f15bb..a8114cf 100644
+--- a/src/libfwbuilder/qmake.inc.in
++++ b/src/libfwbuilder/qmake.inc.in
+@@ -34,6 +34,9 @@ unix {
+ QMAKE_CXXFLAGS_DEBUG += -Wno-unused-parameter @CXXFLAGS@
+ QMAKE_CXXFLAGS_RELEASE += -Wno-unused-parameter @CXXFLAGS@
+
++ QMAKE_CXXFLAGS_DEBUG += -D__STDC_FORMAT_MACROS
++ QMAKE_CXXFLAGS_RELEASE += -D__STDC_FORMAT_MACROS
++
+ exec_prefix = @EXEC_PREFIX@
+ DESTDIR =
+
+diff --git a/src/libfwbuilder/src/fwbuilder/uint128.h b/src/libfwbuilder/src/fwbuilder/uint128.h
+index 0a2e7a4..b00ab47 100644
+--- a/src/libfwbuilder/src/fwbuilder/uint128.h
++++ b/src/libfwbuilder/src/fwbuilder/uint128.h
+@@ -36,7 +36,7 @@
+
+ #include <stdio.h>
+
+-#define __STDC_FORMAT_MACROS
++// #define __STDC_FORMAT_MACROS
+ #include <inttypes.h> // for sprintf formats for "long long"
+
+ // convinience macro
+
diff --git a/net-firewall/fwbuilder/files/fwbuilder-5.1.0.3599-gcc47.patch b/net-firewall/fwbuilder/files/fwbuilder-5.1.0.3599-gcc47.patch
new file mode 100644
index 000000000000..c909028467a8
--- /dev/null
+++ b/net-firewall/fwbuilder/files/fwbuilder-5.1.0.3599-gcc47.patch
@@ -0,0 +1,11 @@
+diff -ruN fwbuilder-5.1.0.3599.orig/src/libfwbuilder/src/fwbuilder/ThreadTools.h fwbuilder-5.1.0.3599/src/libfwbuilder/src/fwbuilder/ThreadTools.h
+--- fwbuilder-5.1.0.3599.orig/src/libfwbuilder/src/fwbuilder/ThreadTools.h 2012-03-23 07:10:54.000000000 +0100
++++ fwbuilder-5.1.0.3599/src/libfwbuilder/src/fwbuilder/ThreadTools.h 2012-06-27 02:33:32.122340892 +0200
+@@ -31,6 +31,7 @@
+
+ #include <time.h> //for time_t definition
+ #include <pthread.h>
++#include <unistd.h>
+
+ #include <string>
+ #include <queue>
diff --git a/net-firewall/fwbuilder/fwbuilder-5.0.1.3592-r1.ebuild b/net-firewall/fwbuilder/fwbuilder-5.0.1.3592-r1.ebuild
new file mode 100644
index 000000000000..c96f3362220b
--- /dev/null
+++ b/net-firewall/fwbuilder/fwbuilder-5.0.1.3592-r1.ebuild
@@ -0,0 +1,53 @@
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="4"
+
+inherit eutils base qt4-r2 multilib autotools
+
+DESCRIPTION="A firewall GUI"
+HOMEPAGE="http://www.fwbuilder.org/"
+SRC_URI="mirror://sourceforge/fwbuilder/${P}.tar.gz"
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="amd64 ppc ppc64 x86"
+IUSE=""
+
+DEPEND=">=dev-qt/qtgui-4.3:4
+ dev-libs/openssl
+ dev-libs/elfutils"
+RDEPEND="${DEPEND}"
+
+PATCHES=(
+ "${FILESDIR}/${PN}-5.0.0.3568-ldflags.patch"
+ "${FILESDIR}/${PN}-5.0.1.3592-gcc47.patch"
+)
+
+src_prepare() {
+ # Fix a compile bug that affects some x86_64 platforms.
+ # Addressed in the upcoming 5.0.2.3596 release.
+ # Closes #395151.
+ epatch "${FILESDIR}/${P}-stdc-format-macros.patch"
+
+ qt4-r2_src_prepare
+ sed -i -e '/dnl.*AM_INIT_AUTOMAKE/d' configure.in || die #398743
+ eautoreconf
+}
+
+src_configure() {
+ eqmake4
+ # portage handles ccache/distcc itself
+ econf --without-{ccache,distcc}
+}
+
+src_install() {
+ emake INSTALL_ROOT="${D}" install
+}
+
+pkg_postinst() {
+ validate_desktop_entries
+
+ elog "You need to emerge sys-apps/iproute2 on the machine"
+ elog "that will run the firewall script."
+}
diff --git a/net-firewall/fwbuilder/fwbuilder-5.1.0.3599.ebuild b/net-firewall/fwbuilder/fwbuilder-5.1.0.3599.ebuild
new file mode 100644
index 000000000000..9980be17349a
--- /dev/null
+++ b/net-firewall/fwbuilder/fwbuilder-5.1.0.3599.ebuild
@@ -0,0 +1,48 @@
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="4"
+
+inherit eutils base qt4-r2 multilib autotools
+
+DESCRIPTION="A firewall GUI"
+HOMEPAGE="http://www.fwbuilder.org/"
+SRC_URI="mirror://sourceforge/fwbuilder/${P}.tar.gz"
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~ppc ~ppc64 ~x86"
+IUSE=""
+
+DEPEND=">=dev-qt/qtgui-4.3:4
+ dev-libs/openssl
+ dev-libs/elfutils"
+RDEPEND="${DEPEND}"
+
+PATCHES=(
+ "${FILESDIR}/${PN}-5.0.0.3568-ldflags.patch"
+ "${FILESDIR}/${PN}-5.1.0.3599-gcc47.patch"
+)
+
+src_prepare() {
+ qt4-r2_src_prepare
+ sed -i -e '/dnl.*AM_INIT_AUTOMAKE/d' configure.in || die #398743
+ eautoreconf
+}
+
+src_configure() {
+ eqmake4
+ # portage handles ccache/distcc itself
+ econf --without-{ccache,distcc}
+}
+
+src_install() {
+ emake INSTALL_ROOT="${D}" install
+}
+
+pkg_postinst() {
+ validate_desktop_entries
+
+ elog "You need to emerge sys-apps/iproute2 on the machine"
+ elog "that will run the firewall script."
+}
diff --git a/net-firewall/fwbuilder/metadata.xml b/net-firewall/fwbuilder/metadata.xml
new file mode 100644
index 000000000000..bfd104c96f2d
--- /dev/null
+++ b/net-firewall/fwbuilder/metadata.xml
@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+ <maintainer>
+ <email>maintainer-needed@gentoo.org</email>
+ </maintainer>
+ <upstream>
+ <remote-id type="sourceforge">fwbuilder</remote-id>
+ </upstream>
+</pkgmetadata>
diff --git a/net-firewall/fwipsec/Manifest b/net-firewall/fwipsec/Manifest
new file mode 100644
index 000000000000..bfbf2e2fd1af
--- /dev/null
+++ b/net-firewall/fwipsec/Manifest
@@ -0,0 +1 @@
+DIST fwipsec-0.4.2.tar.bz2 13114 SHA256 8fa4204c968198a3ea40c8b5efa20c77258be4c912d11d16c1a4c51f712d9aa4
diff --git a/net-firewall/fwipsec/fwipsec-0.4.2-r1.ebuild b/net-firewall/fwipsec/fwipsec-0.4.2-r1.ebuild
new file mode 100644
index 000000000000..cf42caca04d8
--- /dev/null
+++ b/net-firewall/fwipsec/fwipsec-0.4.2-r1.ebuild
@@ -0,0 +1,29 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+S=${WORKDIR}/${PN}
+DESCRIPTION="Firewall scripts that control iptables, FreeS/WAN, and squid"
+HOMEPAGE="http://fwipsec.sourceforge.net/"
+SRC_URI="mirror://gentoo/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+IUSE=""
+KEYWORDS="alpha amd64 ~hppa ia64 ~mips ~ppc ~sparc x86"
+
+DEPEND=">=net-firewall/iptables-1.2.7
+ sys-apps/iproute2"
+
+src_install() {
+ exeinto /etc/fwipsec
+ doexe fwipsec.*
+ doinitd fwipsec
+
+ dodoc LICENSE DOCS/README*
+ doman DOCS/*.5
+}
+
+pkg_postinst() {
+ elog "Edit /etc/fwipsec/fwipsec.defs to set your base rules."
+}
diff --git a/net-firewall/fwipsec/metadata.xml b/net-firewall/fwipsec/metadata.xml
new file mode 100644
index 000000000000..91f4e72fb544
--- /dev/null
+++ b/net-firewall/fwipsec/metadata.xml
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+ <maintainer>
+ <email>maintainer-needed@gentoo.org</email>
+ </maintainer>
+</pkgmetadata>
diff --git a/net-firewall/fwknop/Manifest b/net-firewall/fwknop/Manifest
new file mode 100644
index 000000000000..ae32b6f25adc
--- /dev/null
+++ b/net-firewall/fwknop/Manifest
@@ -0,0 +1 @@
+DIST fwknop-2.6.6.tar.gz 2433846 SHA256 724e986b6bc47d3b6f5ba5c9232e2b411ae8ef4b2e8f7fffd16210c20d3be932 SHA512 ccd25701908a1bc653b59571013f0953ee40c967537b68cfaff48e1eea4fde11402712f70f07db308f7a37cfd49ef8ad11b1535d3012cf32e09cc677673c067f WHIRLPOOL df8025e8a2551e0485473715bc10fef31b373f38293b8f8f678aa7ec03f9fbe353a089cfbdbb783e5972b917313f4a90edfac4557e53bd962df6d8ba0e9fca2e
diff --git a/net-firewall/fwknop/files/fwknopd.confd b/net-firewall/fwknop/files/fwknopd.confd
new file mode 100644
index 000000000000..63bcd01dd82f
--- /dev/null
+++ b/net-firewall/fwknop/files/fwknopd.confd
@@ -0,0 +1,21 @@
+# /etc/conf.d/fwknopd: config file for /etc/init.d/fwknopd
+
+# Path to the fwknopd config directory (needs to be an absolute path).
+
+FWKNOPD_CONFDIR="/etc/fwknop"
+
+
+# Additional options to pass to fwknopd.
+# Refer to the fwknopd(8) manpage for more information.
+
+#FWKNOPD_OPTS=""
+
+
+# Pid file to use (needs to be an absolute path).
+
+#FWKNOPD_PIDFILE="/run/fwknop/fwknopd.pid"
+
+
+# Path to the fwknopd binary (needs to be an absolute path).
+
+#FWKNOPD_BINARY="/usr/sbin/fwknopd"
diff --git a/net-firewall/fwknop/files/fwknopd.init b/net-firewall/fwknop/files/fwknopd.init
new file mode 100644
index 000000000000..232e1fc7b053
--- /dev/null
+++ b/net-firewall/fwknop/files/fwknopd.init
@@ -0,0 +1,92 @@
+#!/sbin/runscript
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+extra_commands="checkconfig"
+extra_started_commands="reload"
+
+: ${FWKNOPD_BINARY:=/usr/sbin/fwknopd}
+: ${FWKNOPD_CONFDIR:=/etc/fwknop}
+: ${FWKNOPD_CONFIG:=${FWKNOPD_CONFDIR}/fwknopd.conf}
+: ${FWKNOPD_PIDFILE:=/run/fwknop/${SVCNAME}.pid}
+
+depend() {
+ after iptables ip6tables ebtables firewall
+ use logger
+ if [ "${rc_need+set}" = "set" ]; then
+ : # Do nothing, the user has explicitly set rc_need
+ else
+ local x warn_intf
+ for x in $(awk '/^PCAP_INTF/{ sub(";$", ""); print $2 }' "${FWKNOPD_CONFIG}" 2>/dev/null); do
+ warn_intf="${warn_intf} ${x}"
+ done
+ if [ -n "${warn_intf}" ]; then
+ need net
+ ewarn "You are binding an interface in PCAP_INTF statement in your fwknopd.conf!"
+ ewarn "You must add rc_need=\"net.FOO\" to your /etc/conf.d/${SVCNAME},"
+ ewarn "where FOO is the following interface(s):"
+ ewarn "${warn_intf}"
+ else
+ # if PCAP_INTF and PCAP_FILE are not set, then fwknopd uses eth0
+ if ! grep -q '^PCAP_FILE' "${FWKNOPD_CONFIG}"; then
+ need net
+ ewarn "You are not binding any interface in PCAP_INTF statement in your fwknopd.conf,"
+ ewarn "neither you are providing PCAP_FILE option. Thus fwknopd will listen on eth0."
+ ewarn "You must add rc_need=\"net.eth0\" to your /etc/conf.d/${SVCNAME}."
+ fi
+ fi
+ fi
+}
+
+checkconfig() {
+ if [ ! -e "${FWKNOPD_CONFDIR}"/fwknopd.conf ]; then
+ eerror "You need ${FWKNOPD_CONFDIR}/fwknopd.conf file to run fwknopd"
+ eerror "Example is located at /etc/fwknop/fwknopd.conf.example"
+ return 1
+ fi
+
+ if [ ! -e "${FWKNOPD_CONFDIR}"/access.conf ]; then
+ eerror "You need ${FWKNOPD_CONFDIR}/access.conf file to run fwknopd"
+ eerror "Example is located at /etc/fwknop/access.conf.example"
+ return 1
+ fi
+
+ [ "${FWKNOPD_PIDFILE}" != "/run/fwknop/${SVCNAME}.pid" ] \
+ && FWKNOPD_OPTS="${FWKNOPD_OPTS} --pid-file=${FWKNOPD_PIDFILE}"
+
+ [ "${FWKNOPD_CONFDIR}" != "/etc/fwknop" ] \
+ && FWKNOPD_OPTS="${FWKNOPD_OPTS} \
+ --config=${FWKNOPD_CONFDIR}/fwknopd.conf \
+ --access-file=${FWKNOPD_CONFDIR}/access.conf"
+
+ return 0
+}
+
+start() {
+ checkconfig || return 1
+
+ ebegin "Starting ${SVCNAME}"
+ start-stop-daemon --start \
+ --exec ${FWKNOPD_BINARY} --pidfile ${FWKNOPD_PIDFILE} \
+ -- ${FWKNOPD_OPTS}
+ eend $?
+}
+
+stop() {
+ if [ "${RC_CMD}" = "restart" ]; then
+ checkconfig || return 1
+ fi
+
+ ebegin "Stopping ${SVCNAME}"
+ start-stop-daemon --stop --pidfile ${FWKNOPD_PIDFILE}
+ eend $?
+}
+
+reload() {
+ checkconfig || return 1
+
+ ebegin "Reloading ${SVCNAME} configuration"
+ start-stop-daemon --signal HUP --pidfile ${FWKNOPD_PIDFILE}
+ eend $?
+}
diff --git a/net-firewall/fwknop/files/fwknopd.service b/net-firewall/fwknop/files/fwknopd.service
new file mode 100644
index 000000000000..d2e8c3125200
--- /dev/null
+++ b/net-firewall/fwknop/files/fwknopd.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Firewall Knock Operator Daemon
+After=network-online.target
+
+[Service]
+Type=forking
+PIDFile=/run/fwknop/fwknopd.pid
+ExecStart=/usr/sbin/fwknopd
+ExecReload=/bin/kill -HUP $MAINPID
+
+[Install]
+WantedBy=multi-user.target
diff --git a/net-firewall/fwknop/files/fwknopd.tmpfiles.conf b/net-firewall/fwknop/files/fwknopd.tmpfiles.conf
new file mode 100644
index 000000000000..b7cb3856b056
--- /dev/null
+++ b/net-firewall/fwknop/files/fwknopd.tmpfiles.conf
@@ -0,0 +1 @@
+d /run/fwknop 0700 root root -
diff --git a/net-firewall/fwknop/fwknop-2.6.6-r1.ebuild b/net-firewall/fwknop/fwknop-2.6.6-r1.ebuild
new file mode 100644
index 000000000000..7fcc35d6ce5f
--- /dev/null
+++ b/net-firewall/fwknop/fwknop-2.6.6-r1.ebuild
@@ -0,0 +1,105 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+
+# Does work with python2_7, does not work with python3_3 on my machine
+# More feedback is welcome, since setup.py does not provide any info
+PYTHON_COMPAT=( python2_7 )
+DISTUTILS_OPTIONAL=1
+DISTUTILS_SINGLE_IMPL=1
+AUTOTOOLS_AUTORECONF=1
+AUTOTOOLS_IN_SOURCE_BUILD=1
+
+inherit autotools-utils distutils-r1 systemd
+
+DESCRIPTION="Single Packet Authorization and Port Knocking application"
+HOMEPAGE="http://www.cipherdyne.org/fwknop/"
+SRC_URI="https://github.com/mrash/${PN}/archive/${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+IUSE="client extras gdbm gpg python server udp-server"
+
+RDEPEND="
+ client? ( net-misc/wget[ssl] )
+ gpg? (
+ dev-libs/libassuan
+ dev-libs/libgpg-error
+ )
+ python? ( ${PYTHON_DEPS} )
+"
+DEPEND="${RDEPEND}
+ gdbm? ( sys-libs/gdbm )
+ gpg? ( app-crypt/gpgme )
+ server? (
+ !udp-server? ( net-libs/libpcap )
+ net-firewall/iptables
+ )
+"
+
+REQUIRED_USE="
+ python? ( ${PYTHON_REQUIRED_USE} )
+ udp-server? ( server )
+"
+
+DOCS=( ChangeLog README.md )
+
+src_prepare() {
+ # Install example configs with .example suffix
+ if use server; then
+ sed -i 's/conf;/conf.example;/g' "${S}"/Makefile.am || die
+ fi
+
+ autotools-utils_src_prepare
+
+ if use python; then
+ cd "${S}"/python || die
+ distutils-r1_src_prepare
+ fi
+}
+
+src_configure() {
+ local myeconfargs=(
+ --localstatedir=/run
+ --enable-digest-cache
+ $(use_enable client)
+ $(use_enable !gdbm file-cache)
+ $(use_enable server)
+ $(use_enable udp-server)
+ $(use_with gpg gpgme)
+ )
+ autotools-utils_src_configure
+}
+
+src_compile() {
+ autotools-utils_src_compile
+
+ if use python; then
+ cd "${S}"/python || die
+ distutils-r1_src_compile
+ fi
+}
+
+src_install() {
+ autotools-utils_src_install
+ prune_libtool_files --modules
+
+ if use server; then
+ newinitd "${FILESDIR}/fwknopd.init" fwknopd
+ newconfd "${FILESDIR}/fwknopd.confd" fwknopd
+ systemd_dounit "${FILESDIR}/fwknopd.service"
+ systemd_newtmpfilesd "${FILESDIR}/fwknopd.tmpfiles.conf" fwknopd.conf
+ fi
+
+ use extras && dodoc "${S}/extras/apparmor/usr.sbin.fwknopd"
+
+ if use python; then
+ # Unset DOCS since distutils-r1.eclass interferes
+ local DOCS=()
+ cd "${S}"/python || die
+ distutils-r1_src_install
+ fi
+}
diff --git a/net-firewall/fwknop/metadata.xml b/net-firewall/fwknop/metadata.xml
new file mode 100644
index 000000000000..79031c2f7e61
--- /dev/null
+++ b/net-firewall/fwknop/metadata.xml
@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+ <herd>proxy-maintainers</herd>
+ <maintainer>
+ <email>itumaykin@gmail.com</email>
+ <name>Coacher</name>
+ </maintainer>
+ <use>
+ <flag name="client">Build fwknop client</flag>
+ <flag name="gdbm">Replace file digest-cache with gdbm</flag>
+ <flag name="gpg">Enable GPG support via <pkg>app-crypt/gpgme</pkg></flag>
+ <flag name="server">Build fwknopd server</flag>
+ <flag name="extras">Install example apparmor policy</flag>
+ <flag name="udp-server">Build fwknopd with UDP server mode only</flag>
+ </use>
+ <upstream>
+ <remote-id type="github">mrash/fwknop</remote-id>
+ </upstream>
+</pkgmetadata>
diff --git a/net-firewall/gshield/Manifest b/net-firewall/gshield/Manifest
new file mode 100644
index 000000000000..df8e8810553e
--- /dev/null
+++ b/net-firewall/gshield/Manifest
@@ -0,0 +1 @@
+DIST gShield-2.8.tgz 47346 SHA256 19b04059ac4a6ad28f8653d804376779a83516ba4e0b5b041fe45d422ef68b85 SHA512 f91ef18267817e3296c795b3f1629dad9ade269e12aba7f95d39b7ae39aaf76dc15e0046747281dc44859241a18b2ce7ac03e276984aee11af15e28cf80f736c WHIRLPOOL 3e834f39be912d039112971c57e62ca2b645afc33672bdb140f77b4c2cb16227b07f82fd2983dddb492381d798c4f7567d6b1fe61ad0f67554968c937c7d5e2b
diff --git a/net-firewall/gshield/files/gshield.init b/net-firewall/gshield/files/gshield.init
new file mode 100644
index 000000000000..b7c40cf8e150
--- /dev/null
+++ b/net-firewall/gshield/files/gshield.init
@@ -0,0 +1,27 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+depend() {
+ need logger net
+}
+
+start() {
+ ebegin "Loading gShield network firewall"
+ /usr/share/gshield/gShield.rc start > /dev/null
+ # check that it loaded
+ iptables -L DMZ > /dev/null 2>&1
+ eend $?
+}
+
+stop() {
+ ebegin "Unloading gShield network firewall"
+ /usr/share/gshield/gShield.rc stop > /dev/null
+ # check that it unloaded
+ if iptables -L DMZ > /dev/null 2>&1 ; then
+ eend 1
+ else
+ eend 0;
+ fi
+}
diff --git a/net-firewall/gshield/gshield-2.8-r3.ebuild b/net-firewall/gshield/gshield-2.8-r3.ebuild
new file mode 100644
index 000000000000..333d514cd7a3
--- /dev/null
+++ b/net-firewall/gshield/gshield-2.8-r3.ebuild
@@ -0,0 +1,47 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+
+DESCRIPTION="iptables firewall configuration system"
+HOMEPAGE="http://muse.linuxmafia.org/gshield.html"
+SRC_URI="ftp://muse.linuxmafia.org/pub/gShield/v2/gShield-${PV}.tgz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~ppc x86"
+
+RDEPEND="
+ net-dns/bind-tools
+ net-firewall/iptables
+ virtual/logger
+"
+
+S=${WORKDIR}/gShield-${PV}
+
+src_install() {
+ # install config files
+ dodir /etc/gshield
+ cp -pPR * "${D}"/etc/gshield || die
+ ln -s gshield "${D}"/etc/firewall || die
+
+ # get rid of docs from config
+ rm -r "${D}"/etc/gshield/{Changelog,INSTALL,LICENSE,docs} || die
+
+ # move non-config stuff out of config, but make symlinks
+ dodir /usr/share/gshield/routables
+ for q in gShield-version gShield.rc tools sourced routables/routable.rules
+ do
+ mv "${D}"/etc/gshield/$q "${D}"/usr/share/gshield/ || die
+ ln -s /usr/share/gshield/$q "${D}"/etc/gshield/$q || die
+ done
+ chmod -R u+rwX "${D}"/etc/gshield || die
+
+ # install init script
+ newinitd "${FILESDIR}"/gshield.init gshield
+ chmod -R u+rwx "${D}"/etc/init.d/gshield || die
+
+ # install docs
+ dodoc Changelog docs/*
+}
diff --git a/net-firewall/gshield/metadata.xml b/net-firewall/gshield/metadata.xml
new file mode 100644
index 000000000000..03aa50bab7e3
--- /dev/null
+++ b/net-firewall/gshield/metadata.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+<herd>netmon</herd>
+</pkgmetadata>
diff --git a/net-firewall/ipkungfu/Manifest b/net-firewall/ipkungfu/Manifest
new file mode 100644
index 000000000000..070635b89847
--- /dev/null
+++ b/net-firewall/ipkungfu/Manifest
@@ -0,0 +1,2 @@
+DIST ipkungfu-0.5.2.tgz 35985 RMD160 c60c0fd1361b4306c1a3d310b1430e71ef937982 SHA1 6d749633bb6d6d4a3284a9a350c7ea9c61c28acf SHA256 6543815384f1935631121fba833b5988ca6e88ff19646a561d0315b29f2f5ef8
+DIST ipkungfu-0.6.1.tar.bz2 104516 RMD160 5137ca4ffdd8ab8188fbd42a60da87a6c5149610 SHA1 ef57bbe666f8c946b99c3970ddc7f38c615b6efc SHA256 a1b19c588ecc9584c37e7578c869842f9ceb97b5fd8320abe5b4bd98c136fa76
diff --git a/net-firewall/ipkungfu/files/ipkungfu.init b/net-firewall/ipkungfu/files/ipkungfu.init
new file mode 100644
index 000000000000..29f54420dc20
--- /dev/null
+++ b/net-firewall/ipkungfu/files/ipkungfu.init
@@ -0,0 +1,20 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+depend() {
+ need logger net
+}
+
+start () {
+ ebegin "Starting ipkungfu"
+ /usr/sbin/ipkungfu --init
+ eend $? "Failed to start ipkungfu"
+}
+
+stop() {
+ ebegin "Stopping ipkungfu"
+ /usr/sbin/ipkungfu --disable > /dev/null
+ eend $? "Failed to stop ipkungfu"
+}
diff --git a/net-firewall/ipkungfu/files/ipkungfu_noiseless.patch b/net-firewall/ipkungfu/files/ipkungfu_noiseless.patch
new file mode 100644
index 000000000000..eed657f2dada
--- /dev/null
+++ b/net-firewall/ipkungfu/files/ipkungfu_noiseless.patch
@@ -0,0 +1,24 @@
+diff -ru ipkungfu-0.6.1.orig/ipkungfu.in ipkungfu-0.6.1/ipkungfu.in
+--- ipkungfu-0.6.1.orig/ipkungfu.in 2007-01-22 04:47:04.000000000 +0100
++++ ipkungfu-0.6.1/ipkungfu.in 2007-07-04 12:49:23.000000000 +0200
+@@ -753,11 +753,15 @@
+ fi
+
+ function delTestChain {
+-# {{{ Flush and delete test chains
+- $IPTABLES -t filter -F SYSTEST
+- $IPTABLES -t filter -X SYSTEST
+- $IPTABLES -t mangle -F SYSTEST
+- $IPTABLES -t mangle -X SYSTEST
++# {{{ Flush and delete test chains, if exist
++ if $IPTABLES -t filter -L SYSTEST > /dev/null 2>&1 ; then
++ $IPTABLES -t filter -F SYSTEST
++ $IPTABLES -t filter -X SYSTEST
++ fi
++ if $IPTABLES -t mangle -L SYSTEST > /dev/null 2>&1 ; then
++ $IPTABLES -t mangle -F SYSTEST
++ $IPTABLES -t mangle -X SYSTEST
++ fi
+ # }}}
+ }
+
diff --git a/net-firewall/ipkungfu/files/nat_ftp.patch b/net-firewall/ipkungfu/files/nat_ftp.patch
new file mode 100644
index 000000000000..db919c5565e1
--- /dev/null
+++ b/net-firewall/ipkungfu/files/nat_ftp.patch
@@ -0,0 +1,11 @@
+--- ipkungfu 2003-10-03 13:05:59.000000000 -0400
++++ ipkungfu 2004-02-09 16:34:37.000000000 -0500
+@@ -138,7 +138,7 @@
+ if [ $INIT != 1 ] ; then
+ echo "Loading FTP NAT module..."
+ fi
+- $MODPROBE ip_nat_irc
++ $MODPROBE ip_nat_ftp
+ fi
+ fi
+ }
diff --git a/net-firewall/ipkungfu/ipkungfu-0.5.2-r1.ebuild b/net-firewall/ipkungfu/ipkungfu-0.5.2-r1.ebuild
new file mode 100644
index 000000000000..3b084543a634
--- /dev/null
+++ b/net-firewall/ipkungfu/ipkungfu-0.5.2-r1.ebuild
@@ -0,0 +1,58 @@
+# Copyright 1999-2009 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+inherit eutils
+
+DESCRIPTION="A nice iptables firewall script"
+HOMEPAGE="http://www.linuxkungfu.org/"
+SRC_URI="http://www.linuxkungfu.org/ipkungfu/${P}.tgz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~ppc ~sparc x86"
+IUSE=""
+
+DEPEND="net-firewall/iptables"
+RDEPEND="${DEPEND}
+ virtual/logger"
+
+src_unpack() {
+ unpack ${A}
+
+ # Patch ipkungfu to load the right module for ip_nat_ftp
+ # Fixes bug #42443. Thanks to George L. Emigh <george@georgelemigh.com>
+ cd "${WORKDIR}"/${P} && epatch "${FILESDIR}"/nat_ftp.patch
+
+ # man page comes bzip2'd, so bunzip2 it.
+ cd "${WORKDIR}"/${P}/files
+ bunzip2 ipkungfu.8.bz2
+}
+
+src_install() {
+
+ # Package comes with a hard coded shell script, so here we
+ # replicate what they did, but so it's compatible with portage.
+
+ # Install shell script executable
+ dosbin ipkungfu
+
+ # Install Gentoo init script
+ newinitd "${FILESDIR}"/ipkungfu.init ipkungfu
+
+ # Install config files into /etc
+ dodir /etc/ipkungfu
+ insinto /etc/ipkungfu
+ doins files/*.conf
+
+ # Install man page
+ doman files/ipkungfu.8
+
+ # Install documentation
+ dodoc COPYRIGHT Changelog FAQ INSTALL README gpl.txt
+}
+
+pkg_postinst() {
+ einfo "Be sure to edit the config files"
+ einfo "in /etc/ipkungfu before running"
+}
diff --git a/net-firewall/ipkungfu/ipkungfu-0.6.1.ebuild b/net-firewall/ipkungfu/ipkungfu-0.6.1.ebuild
new file mode 100644
index 000000000000..360fec9dd4c7
--- /dev/null
+++ b/net-firewall/ipkungfu/ipkungfu-0.6.1.ebuild
@@ -0,0 +1,48 @@
+# Copyright 1999-2009 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+inherit eutils
+
+DESCRIPTION="A nice iptables firewall script"
+HOMEPAGE="http://www.linuxkungfu.org/"
+SRC_URI="http://www.linuxkungfu.org/ipkungfu/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~ppc ~sparc ~x86"
+IUSE=""
+
+DEPEND="net-firewall/iptables"
+RDEPEND="${DEPEND}
+ virtual/logger"
+
+src_compile() {
+ epatch "${FILESDIR}/ipkungfu_noiseless.patch" || die "Could not apply ipkungfu_noiseless.patch patch"
+ econf || die "Could not run econf"
+ emake || die "Couldn't run make"
+}
+
+src_install() {
+ make DESTDIR="${D}" install || die
+
+ # Install configuration files
+ make DESTDIR="${D}" install-config || die
+
+ # Install Gentoo init script
+ newinitd "${FILESDIR}"/ipkungfu.init ipkungfu
+}
+
+pkg_postinst() {
+ # Remove the cache dir so ipkungfu won't fail when running for
+ # the first time, case 0.6.0 was installed before.
+ rm -rf /etc/ipkungfu/cache
+
+ einfo "Be sure to, before running ipkungfu, edit the config files in:"
+ einfo "/etc/ipkungfu/"
+ echo
+ einfo "Also, be sure to run ipkungfu prior to rebooting,"
+ einfo "especially if you you're updating from <0.6.0 to >=0.6.0."
+ einfo "There are some significant configuration changes on this"
+ einfo "release covered by the ipkungfu script."
+}
diff --git a/net-firewall/ipkungfu/metadata.xml b/net-firewall/ipkungfu/metadata.xml
new file mode 100644
index 000000000000..1b0f1b3c4cdb
--- /dev/null
+++ b/net-firewall/ipkungfu/metadata.xml
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+ <maintainer>
+ <email>maintainer-needed@gentoo.org</email>
+ <name>Default assignee for orphaned packages</name>
+ </maintainer>
+ <longdescription lang="en">
+ ipkungfu is a nice iptables firewall script
+ </longdescription>
+</pkgmetadata>
diff --git a/net-firewall/ipsec-tools/Manifest b/net-firewall/ipsec-tools/Manifest
new file mode 100644
index 000000000000..e0cc9b545193
--- /dev/null
+++ b/net-firewall/ipsec-tools/Manifest
@@ -0,0 +1,3 @@
+DIST ipsec-tools-0.8.0.tar.bz2 809297 SHA256 2359a24aa8eda9ca7043fc47950c8e6b7f58a07c5d5ad316aa7de2bc5e3a8717 SHA512 3bec6bab4fe555612f1d48966e797202830f5254a8d2146a14d268ff0c68445af790285214db41ab08ee4888625e8e680c3b848c30789d836169d1612a25fe2c WHIRLPOOL 862d2bbf78aca8c9e01e00c995aeb3b662e1ea4a769081b9880a3fee7821ef5968e10fe75d9671268979188c7ca3b91d507a1fc9a097729d0648bc4c965e675d
+DIST ipsec-tools-0.8.1.tar.bz2 860717 SHA256 fa4a95bb36842f001b84c4e7a1bb727e3ee06147edbc830a881d63abe8153dd4 SHA512 c8308aba9764a8e0a0507dbc62e8e93dc4b51f7215f2c3bb50f2e7e1f46dde0c773cfe2992660ccd319523775a9bab668371ee53cd4af153d2fcf13a0ef4e1eb WHIRLPOOL b3e8743174f7a05ca028f47f5faa66286e397a50c68e7724568b89e5fd2eea76a903c3e77a144e772f913fd51a253466b93e10690125a87d643f186a9689476c
+DIST ipsec-tools-0.8.2.tar.bz2 866465 SHA256 8eb6b38716e2f3a8a72f1f549c9444c2bc28d52c9536792690564c74fe722f2d SHA512 2b7d0efa908d3a699be7ef8b2b126a3809956cb7add50e8efb1cfdfc2d9b70c39ef517379cb9a4fad9e5f0c25937e98535b06c32bd3e729f5129da4ab133e30f WHIRLPOOL 16452a98d6c179913fc7acf8d92f8e9e6f5614c2ac0b798158c218bfb4f6c5228ffea426fe0b26774242b4f29477323de5a4e31a623d94d82b90184a6664c2ce
diff --git a/net-firewall/ipsec-tools/files/ipsec-tools-0.8.0-sysctl.patch b/net-firewall/ipsec-tools/files/ipsec-tools-0.8.0-sysctl.patch
new file mode 100644
index 000000000000..5c69bbb2fa61
--- /dev/null
+++ b/net-firewall/ipsec-tools/files/ipsec-tools-0.8.0-sysctl.patch
@@ -0,0 +1,22 @@
+https://bugs.gentoo.org/425770
+
+--- a/src/racoon/pfkey.c
++++ b/src/racoon/pfkey.c
+@@ -59,7 +59,6 @@
+ #include <sys/param.h>
+ #include <sys/socket.h>
+ #include <sys/queue.h>
+-#include <sys/sysctl.h>
+
+ #include <net/route.h>
+ #include <net/pfkeyv2.h>
+--- a/src/setkey/setkey.c
++++ b/src/setkey/setkey.c
+@@ -40,7 +40,6 @@
+ #include <sys/socket.h>
+ #include <sys/time.h>
+ #include <sys/stat.h>
+-#include <sys/sysctl.h>
+ #include <err.h>
+ #include <netinet/in.h>
+ #include <net/pfkeyv2.h>
diff --git a/net-firewall/ipsec-tools/files/ipsec-tools-def-psk.patch b/net-firewall/ipsec-tools/files/ipsec-tools-def-psk.patch
new file mode 100644
index 000000000000..f351860a84e9
--- /dev/null
+++ b/net-firewall/ipsec-tools/files/ipsec-tools-def-psk.patch
@@ -0,0 +1,25 @@
+diff -brau ipsec-tools-0.7.3.o/src/racoon/oakley.c ipsec-tools-0.7.3/src/racoon/oakley.c
+--- ipsec-tools-0.7.3.o/src/racoon/oakley.c 2009-08-13 11:18:45.000000000 +0200
++++ ipsec-tools-0.7.3/src/racoon/oakley.c 2011-06-06 09:36:11.000000000 +0200
+@@ -2498,8 +2498,21 @@
+ plog(LLV_ERROR, LOCATION, iph1->remote,
+ "couldn't find the pskey for %s.\n",
+ saddrwop2str(iph1->remote));
++ }
++ }
++ if (iph1->authstr == NULL) {
++ /*
++ * If we could not locate a psk above try and locate
++ * the default psk, ie, "*".
++ */
++ iph1->authstr = privsep_getpsk("*", 1);
++ if (iph1->authstr == NULL) {
++ plog(LLV_ERROR, LOCATION, iph1->remote,
++ "couldn't find the the default pskey either.\n");
+ goto end;
+ }
++ plog(LLV_NOTIFY, LOCATION, iph1->remote,
++ "Using default PSK.\n");
+ }
+ plog(LLV_DEBUG, LOCATION, NULL, "the psk found.\n");
+ /* should be secret PSK */
diff --git a/net-firewall/ipsec-tools/files/ipsec-tools-include-vendoridh.patch b/net-firewall/ipsec-tools/files/ipsec-tools-include-vendoridh.patch
new file mode 100644
index 000000000000..2e22c82db478
--- /dev/null
+++ b/net-firewall/ipsec-tools/files/ipsec-tools-include-vendoridh.patch
@@ -0,0 +1,11 @@
+diff -Naur ipsec-tools-0.8.0.orig//src/racoon/ipsec_doi.c ipsec-tools-0.8.0/src/racoon/ipsec_doi.c
+--- ipsec-tools-0.8.0.orig//src/racoon/ipsec_doi.c 2012-02-28 13:42:24.000000000 -0500
++++ ipsec-tools-0.8.0/src/racoon/ipsec_doi.c 2012-02-28 13:41:22.000000000 -0500
+@@ -87,6 +87,7 @@
+ #ifdef HAVE_GSSAPI
+ #include <iconv.h>
+ #include "gssapi.h"
++#include "vendorid.h"
+ #ifdef HAVE_ICONV_2ND_CONST
+ #define __iconv_const const
+ #else
diff --git a/net-firewall/ipsec-tools/files/ipsec-tools.conf b/net-firewall/ipsec-tools/files/ipsec-tools.conf
new file mode 100644
index 000000000000..bfff04af069a
--- /dev/null
+++ b/net-firewall/ipsec-tools/files/ipsec-tools.conf
@@ -0,0 +1,26 @@
+#!/usr/sbin/setkey -f
+#
+# THIS IS A SAMPLE FILE!
+#
+# This is a sample file to test Gentoo's ipsec-tools out of the box.
+# Do not use it in production. See: http://www.ipsec-howto.org/
+#
+flush;
+spdflush;
+
+#
+# Uncomment the following if you want to do manual keying, ie, you want to run IPsec without racoon.
+# Do not switch 192.168.3.21 <-> 192.168.3.25 on the peer
+#
+#add 192.168.3.25 192.168.3.21 ah 0x200 -A hmac-md5 0xc0291ff014dccdd03874d9e8e4cdf3e6;
+#add 192.168.3.21 192.168.3.25 ah 0x300 -A hmac-md5 0x96358c90783bbfa3d7b196ceabe0536b;
+#add 192.168.3.25 192.168.3.21 esp 0x201 -E 3des-cbc 0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831;
+#add 192.168.3.21 192.168.3.25 esp 0x301 -E 3des-cbc 0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df;
+
+#
+# Make sure to switch 192.168.3.21 <-> 192.168.3.25 on the peer
+#
+#spdadd 192.168.3.21 192.168.3.25 any -P out ipsec esp/transport//require ah/transport//require;
+#spdadd 192.168.3.25 192.168.3.21 any -P in ipsec esp/transport//require ah/transport//require;
+spdadd 192.168.3.25 192.168.3.21 any -P out ipsec esp/transport//require ah/transport//require;
+spdadd 192.168.3.21 192.168.3.25 any -P in ipsec esp/transport//require ah/transport//require;
diff --git a/net-firewall/ipsec-tools/files/psk.txt b/net-firewall/ipsec-tools/files/psk.txt
new file mode 100644
index 000000000000..97f5180f5ae5
--- /dev/null
+++ b/net-firewall/ipsec-tools/files/psk.txt
@@ -0,0 +1,10 @@
+# THIS IS A SAMPLE FILE!
+#
+# This is a sample file to test Gentoo's ipsec-tools out of the box.
+# Do not use it in production. See: http://www.ipsec-howto.org/
+#
+# Make sure to switch 192.168.3.21 <-> 192.168.3.25 on the peer
+#
+# Peer IP/FQDN Secret
+# 192.168.3.25 sample
+192.168.3.21 sample
diff --git a/net-firewall/ipsec-tools/files/racoon.conf b/net-firewall/ipsec-tools/files/racoon.conf
new file mode 100644
index 000000000000..2e9206db9506
--- /dev/null
+++ b/net-firewall/ipsec-tools/files/racoon.conf
@@ -0,0 +1,33 @@
+# THIS IS A SAMPLE FILE!
+#
+# This is a sample file to test Gentoo's ipsec-tools out of the box.
+# Do not use it in production. See: http://www.ipsec-howto.org/
+#
+path pre_shared_key "/etc/racoon/psk.txt";
+
+#
+# Make sure to switch 192.168.3.21 <-> 192.168.3.25 on the peer
+#
+#remote 192.168.3.25
+remote 192.168.3.21
+{
+ exchange_mode main;
+ proposal {
+ encryption_algorithm 3des;
+ hash_algorithm md5;
+ authentication_method pre_shared_key;
+ dh_group modp1024;
+ }
+}
+
+#
+# Make sure to switch 192.168.3.21 <-> 192.168.3.25 on the peer
+#
+#sainfo address 192.168.3.21 any address 192.168.3.25 any
+sainfo address 192.168.3.25 any address 192.168.3.21 any
+{
+ pfs_group modp768;
+ encryption_algorithm 3des;
+ authentication_algorithm hmac_md5;
+ compression_algorithm deflate;
+}
diff --git a/net-firewall/ipsec-tools/files/racoon.conf.d-r1 b/net-firewall/ipsec-tools/files/racoon.conf.d-r1
new file mode 100644
index 000000000000..80b89f966188
--- /dev/null
+++ b/net-firewall/ipsec-tools/files/racoon.conf.d-r1
@@ -0,0 +1,27 @@
+# Copyright 1999-2012 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+# Config file for /etc/init.d/racoon
+
+# See the man page or run `racoon --help` for valid command-line options
+# RACOON_OPTS="-d"
+
+RACOON_CONF="/etc/racoon/racoon.conf"
+RACOON_PSK_FILE="/etc/racoon/psk.txt"
+
+# The amount of time in ms for start-stop-daemon to wait before a timeout
+# Racoon can sometimes be slow. We'll wait 1 sec. Bug #435398.
+
+RACOON_WAIT="1000"
+
+# The setkey config file. Don't name it ipsec.conf as this clashes
+# with strongswan. We'll follow debian's naming. Bug #436144.
+
+SETKEY_CONF="/etc/ipsec-tools.conf"
+
+# Comment or remove the following if you don't want the policy tables
+# to be flushed when racoon is stopped.
+
+RACOON_RESET_TABLES="true"
+
diff --git a/net-firewall/ipsec-tools/files/racoon.conf.d-r2 b/net-firewall/ipsec-tools/files/racoon.conf.d-r2
new file mode 100644
index 000000000000..84efa9df6e58
--- /dev/null
+++ b/net-firewall/ipsec-tools/files/racoon.conf.d-r2
@@ -0,0 +1,30 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+# Config file for /etc/init.d/racoon
+
+# See the man page or run `racoon --help` for valid command-line options
+# RACOON_OPTS="-d"
+
+RACOON_CONF="/etc/racoon/racoon.conf"
+RACOON_PSK_FILE="/etc/racoon/psk.txt"
+
+# The amount of time in ms for start-stop-daemon to wait before a timeout
+# Racoon can sometimes be slow. We'll wait 1 sec. Bug #435398.
+
+RACOON_WAIT="1000"
+
+# The setkey config file. Don't name it ipsec.conf as this clashes
+# with strongswan. We'll follow debian's naming. Bug #436144.
+
+SETKEY_CONF="/etc/ipsec-tools.conf"
+
+# Comment or remove the following if you don't want the policy tables
+# to be flushed when racoon is stopped.
+
+RACOON_RESET_TABLES="true"
+
+# If you need to set custom options to the setkey command when loading rules, use this
+# more info in the setkey mangage (example below sets kernel mode instead of RFC mode):
+#SETKEY_OPTS="-k"
diff --git a/net-firewall/ipsec-tools/files/racoon.init.d-r2 b/net-firewall/ipsec-tools/files/racoon.init.d-r2
new file mode 100644
index 000000000000..aeed27d2287c
--- /dev/null
+++ b/net-firewall/ipsec-tools/files/racoon.init.d-r2
@@ -0,0 +1,57 @@
+#!/sbin/runscript
+# Copyright 1999-2012 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+depend() {
+ before netmount
+ use net
+}
+
+checkconfig() {
+ if [ ! -e ${SETKEY_CONF} ] ; then
+ eerror "You need to configure setkey before starting racoon."
+ return 1
+ fi
+ if [ ! -e ${RACOON_CONF} ] ; then
+ eerror "You need a configuration file to start racoon."
+ return 1
+ fi
+ if [ ! -z ${RACOON_PSK_FILE} ] ; then
+ if [ ! -f ${RACOON_PSK_FILE} ] ; then
+ eerror "PSK file not found as specified."
+ eerror "Set RACOON_PSK_FILE in /etc/conf.d/racoon."
+ return 1
+ fi
+ case "`ls -Lldn ${RACOON_PSK_FILE}`" in
+ -r--------*)
+ ;;
+ *)
+ eerror "Your defined PSK file should be mode 400 for security!"
+ return 1
+ ;;
+ esac
+ fi
+}
+
+command=/usr/sbin/racoon
+command_args="-f ${RACOON_CONF} ${RACOON_OPTS}"
+pidfile=/var/run/racoon.pid
+start_stop_daemon_args="--wait ${RACOON_WAIT}"
+
+start_pre() {
+ checkconfig || return 1
+ einfo "Loading ipsec policies from ${SETKEY_CONF}."
+ /usr/sbin/setkey -f ${SETKEY_CONF}
+ if [ $? -eq 1 ] ; then
+ eerror "Error while loading ipsec policies"
+ fi
+}
+
+stop_post() {
+ if [ -n "${RACOON_RESET_TABLES}" ]; then
+ ebegin "Flushing policy entries"
+ /usr/sbin/setkey -F
+ /usr/sbin/setkey -FP
+ eend $?
+ fi
+}
diff --git a/net-firewall/ipsec-tools/files/racoon.init.d-r3 b/net-firewall/ipsec-tools/files/racoon.init.d-r3
new file mode 100644
index 000000000000..5bfc654ed904
--- /dev/null
+++ b/net-firewall/ipsec-tools/files/racoon.init.d-r3
@@ -0,0 +1,57 @@
+#!/sbin/runscript
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+depend() {
+ before netmount
+ use net
+}
+
+checkconfig() {
+ if [ ! -e ${SETKEY_CONF} ] ; then
+ eerror "You need to configure setkey before starting racoon."
+ return 1
+ fi
+ if [ ! -e ${RACOON_CONF} ] ; then
+ eerror "You need a configuration file to start racoon."
+ return 1
+ fi
+ if [ ! -z ${RACOON_PSK_FILE} ] ; then
+ if [ ! -f ${RACOON_PSK_FILE} ] ; then
+ eerror "PSK file not found as specified."
+ eerror "Set RACOON_PSK_FILE in /etc/conf.d/racoon."
+ return 1
+ fi
+ case "`ls -Lldn ${RACOON_PSK_FILE}`" in
+ -r--------*)
+ ;;
+ *)
+ eerror "Your defined PSK file should be mode 400 for security!"
+ return 1
+ ;;
+ esac
+ fi
+}
+
+command=/usr/sbin/racoon
+command_args="-f ${RACOON_CONF} ${RACOON_OPTS}"
+pidfile=/var/run/racoon.pid
+start_stop_daemon_args="--wait ${RACOON_WAIT}"
+
+start_pre() {
+ checkconfig || return 1
+ einfo "Loading ipsec policies from ${SETKEY_CONF}."
+ /usr/sbin/setkey ${SETKEY_OPTS} -f ${SETKEY_CONF}
+ if [ $? -eq 1 ] ; then
+ eerror "Error while loading ipsec policies"
+ fi
+}
+
+stop_post() {
+ if [ -n "${RACOON_RESET_TABLES}" ]; then
+ ebegin "Flushing policy entries"
+ /usr/sbin/setkey -F
+ /usr/sbin/setkey -FP
+ eend $?
+ fi
+}
diff --git a/net-firewall/ipsec-tools/files/racoon.pam.d b/net-firewall/ipsec-tools/files/racoon.pam.d
new file mode 100644
index 000000000000..b801aaafa0f9
--- /dev/null
+++ b/net-firewall/ipsec-tools/files/racoon.pam.d
@@ -0,0 +1,4 @@
+auth include system-remote-login
+account include system-remote-login
+password include system-remote-login
+session include system-remote-login
diff --git a/net-firewall/ipsec-tools/ipsec-tools-0.8.0-r5.ebuild b/net-firewall/ipsec-tools/ipsec-tools-0.8.0-r5.ebuild
new file mode 100644
index 000000000000..927c65a3cb0a
--- /dev/null
+++ b/net-firewall/ipsec-tools/ipsec-tools-0.8.0-r5.ebuild
@@ -0,0 +1,276 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="4"
+
+inherit eutils flag-o-matic autotools linux-info pam
+
+DESCRIPTION="A port of KAME's IPsec utilities to the Linux-2.6 IPsec implementation"
+HOMEPAGE="http://ipsec-tools.sourceforge.net/"
+SRC_URI="mirror://sourceforge/${PN}/${P}.tar.bz2"
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="amd64 arm ~mips ppc ppc64 x86"
+IUSE="hybrid idea ipv6 kerberos ldap nat pam rc5 readline selinux stats"
+
+RDEPEND="
+ dev-libs/openssl
+ kerberos? ( virtual/krb5 )
+ ldap? ( net-nds/openldap )
+ pam? ( sys-libs/pam )
+ readline? ( sys-libs/readline )
+ selinux? (
+ sys-libs/libselinux
+ sec-policy/selinux-ipsec
+ )"
+
+DEPEND="${RDEPEND}
+ >=sys-kernel/linux-headers-2.6.30"
+
+pkg_preinst() {
+ if has_version "<${CATEGORY}/${PN}-0.8.0-r5" ; then
+ ewarn
+ ewarn "\033[1;33m**************************************************\033[00m"
+ ewarn
+ if ! has_version "net-misc/strongswan" &&
+ ! has_version "net-misc/openswan" &&
+ ! has_version "net-misc/libreswan"; then
+ ewarn "We found an earlier version of ${PN} installed."
+ ewarn "As of ${PN}-0.8.0-r5, the old configuration file,"
+ ewarn "ipsec.conf, has been changed to ipsec-tools.conf to avoid"
+ ewarn "a conflict with net-misc/strongswan; bug #436144. We will"
+ ewarn "rename this file for you with this upgrade. However, if"
+ ewarn "you later downgrade, you'll have to rename the file to"
+ ewarn "its orignal manually or change /etc/conf.d/racoon to point"
+ ewarn "to the new file."
+
+ if [[ -f /etc/ipsec.conf && ! -f /etc/ipsec-tools.conf ]] ; then
+ mv /etc/ipsec.conf /etc/ipsec-tools.conf
+ else
+ ewarn
+ ewarn "Oops! I can't move ipsec.conf to ipsec-tools.conf!"
+ ewarn "Either the former doesn't exist or the later does and"
+ ewarn "I won't clobber it. Please fix this situation manually."
+ fi
+ else
+ ewarn "You had both an earlier version of ${PN} and"
+ ewarn "net-misc/strongswan installed. I can't tell whether"
+ ewarn "the configuration file, ipsec.conf, belongs to one"
+ ewarn "package or the other due to a file conflict; bug #436144."
+ ewarn "The current version of ${PN} uses ipsec-tools.conf"
+ ewarn "as its configuration file, as will future versions."
+ ewarn "Please fix this situation manually."
+ fi
+ ewarn
+ ewarn "\033[1;33m**************************************************\033[00m"
+ ewarn
+ fi
+}
+
+pkg_setup() {
+ linux-info_pkg_setup
+
+ get_version
+
+ if linux_config_exists && kernel_is -ge 2 6 19; then
+ ewarn
+ ewarn "\033[1;33m**************************************************\033[00m"
+ ewarn
+ ewarn "Checking kernel configuration in /usr/src/linux or"
+ ewarn "or /proc/config.gz for compatibility with ${PN}."
+ ewarn "Here are the potential problems:"
+ ewarn
+
+ local nothing="1"
+
+ # Check options for all flavors of IPSec
+ local msg=""
+ for i in XFRM_USER NET_KEY; do
+ if ! linux_chkconfig_present ${i}; then
+ msg="${msg} ${i}"
+ fi
+ done
+ if [[ ! -z "$msg" ]]; then
+ nothing="0"
+ ewarn
+ ewarn "ALL IPSec may fail. CHECK:"
+ ewarn "${msg}"
+ fi
+
+ # Check unencrypted IPSec
+ if ! linux_chkconfig_present CRYPTO_NULL; then
+ nothing="0"
+ ewarn
+ ewarn "Unencrypted IPSec may fail. CHECK:"
+ ewarn " CRYPTO_NULL"
+ fi
+
+ # Check IPv4 IPSec
+ msg=""
+ for i in \
+ INET_IPCOMP INET_AH INET_ESP \
+ INET_XFRM_MODE_TRANSPORT \
+ INET_XFRM_MODE_TUNNEL \
+ INET_XFRM_MODE_BEET
+ do
+ if ! linux_chkconfig_present ${i}; then
+ msg="${msg} ${i}"
+ fi
+ done
+ if [[ ! -z "$msg" ]]; then
+ nothing="0"
+ ewarn
+ ewarn "IPv4 IPSec may fail. CHECK:"
+ ewarn "${msg}"
+ fi
+
+ # Check IPv6 IPSec
+ if use ipv6; then
+ msg=""
+ for i in INET6_IPCOMP INET6_AH INET6_ESP \
+ INET6_XFRM_MODE_TRANSPORT \
+ INET6_XFRM_MODE_TUNNEL \
+ INET6_XFRM_MODE_BEET
+ do
+ if ! linux_chkconfig_present ${i}; then
+ msg="${msg} ${i}"
+ fi
+ done
+ if [[ ! -z "$msg" ]]; then
+ nothing="0"
+ ewarn
+ ewarn "IPv6 IPSec may fail. CHECK:"
+ ewarn "${msg}"
+ fi
+ fi
+
+ # Check IPSec behind NAT
+ if use nat; then
+ if ! linux_chkconfig_present NETFILTER_XT_MATCH_POLICY; then
+ nothing="0"
+ ewarn
+ ewarn "IPSec behind NAT may fail. CHECK:"
+ ewarn " NETFILTER_XT_MATCH_POLICY"
+ fi
+ fi
+
+ if [[ $nothing == "1" ]]; then
+ ewarn "NO PROBLEMS FOUND"
+ fi
+
+ ewarn
+ ewarn "WARNING: If your *configured* and *running* kernel"
+ ewarn "differ either now or in the future, then these checks"
+ ewarn "may lead to misleading results."
+ ewarn
+ ewarn "\033[1;33m**************************************************\033[00m"
+ ewarn
+ else
+ eerror
+ eerror "\033[1;31m**************************************************\033[00m"
+ eerror "Make sure that your *running* kernel is/will be >=2.6.19."
+ eerror "Building ${PN} now, assuming that you know what you're doing."
+ eerror "\033[1;31m**************************************************\033[00m"
+ eerror
+ fi
+}
+
+src_prepare() {
+ # fix for bug #124813
+ sed -i 's:-Werror::g' "${S}"/configure.ac || die
+ # fix for building with gcc-4.6
+ sed -i 's: -R: -Wl,-R:' "${S}"/configure.ac || die
+
+ epatch "${FILESDIR}/${PN}-def-psk.patch"
+ epatch "${FILESDIR}/${PN}-include-vendoridh.patch"
+ epatch "${FILESDIR}"/${P}-sysctl.patch #425770
+
+ AT_M4DIR="${S}" eautoreconf
+}
+
+src_configure() {
+ #--with-{iconv,libradius} lead to "Broken getaddrinfo()"
+ #--enable-samode-unspec is not supported in linux
+ local myconf
+ myconf="--with-kernel-headers=/usr/include \
+ --enable-adminport \
+ --enable-dependency-tracking \
+ --enable-dpd \
+ --enable-frag \
+ --without-libiconv \
+ --without-libradius \
+ --disable-samode-unspec \
+ $(use_enable idea) \
+ $(use_enable ipv6) \
+ $(use_enable kerberos gssapi) \
+ $(use_with ldap libldap) \
+ $(use_enable nat natt) \
+ $(use_with pam libpam) \
+ $(use_enable rc5) \
+ $(use_with readline) \
+ $(use_enable selinux security-context) \
+ $(use_enable stats)"
+
+ use nat && myconf="${myconf} --enable-natt-versions=yes"
+
+ # enable mode-cfg and xauth support
+ if use pam; then
+ myconf="${myconf} --enable-hybrid"
+ else
+ myconf="${myconf} $(use_enable hybrid)"
+ fi
+
+ econf ${myconf}
+}
+
+src_install() {
+ emake DESTDIR="${D}" install
+ keepdir /var/lib/racoon
+ newconfd "${FILESDIR}"/racoon.conf.d-r1 racoon
+ newinitd "${FILESDIR}"/racoon.init.d-r2 racoon
+ use pam && newpamd "${FILESDIR}"/racoon.pam.d racoon
+
+ insinto /etc
+ doins "${FILESDIR}"/ipsec-tools.conf
+ insinto /etc/racoon
+ doins "${FILESDIR}"/racoon.conf
+ doins "${FILESDIR}"/psk.txt
+ chmod 400 "${D}"/etc/racoon/psk.txt
+
+ dodoc ChangeLog README NEWS
+ dodoc -r src/racoon/samples
+ dodoc -r src/racoon/doc
+ docinto samples
+ newdoc src/setkey/sample.cf ipsec-tools.conf
+}
+
+pkg_postinst() {
+ if use nat; then
+ elog
+ elog "You have enabled the nat traversal functionnality."
+ elog "Nat versions wich are enabled by default are 00,02,rfc"
+ elog "you can find those drafts in the CVS repository:"
+ elog "cvs -d anoncvs@anoncvs.netbsd.org:/cvsroot co ipsec-tools"
+ elog
+ elog "If you feel brave enough and you know what you are"
+ elog "doing, you can consider emerging this ebuild with"
+ elog "EXTRA_ECONF=\"--enable-natt-versions=08,07,06\""
+ elog
+ fi
+
+ if use ldap; then
+ elog
+ elog "You have enabled ldap support with {$PN}."
+ elog "The man page does NOT contain any information on it yet."
+ elog "Consider using a more recent version or CVS."
+ elog
+ fi
+
+ elog
+ elog "Please have a look in /usr/share/doc/${P} and visit"
+ elog "http://www.netbsd.org/Documentation/network/ipsec/"
+ elog "to find more information on how to configure this tool."
+ elog
+}
diff --git a/net-firewall/ipsec-tools/ipsec-tools-0.8.1-r1.ebuild b/net-firewall/ipsec-tools/ipsec-tools-0.8.1-r1.ebuild
new file mode 100644
index 000000000000..4ffffcaf24c8
--- /dev/null
+++ b/net-firewall/ipsec-tools/ipsec-tools-0.8.1-r1.ebuild
@@ -0,0 +1,276 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="5"
+
+inherit eutils flag-o-matic autotools linux-info pam
+
+DESCRIPTION="A port of KAME's IPsec utilities to the Linux-2.6 IPsec implementation"
+HOMEPAGE="http://ipsec-tools.sourceforge.net/"
+SRC_URI="mirror://sourceforge/${PN}/${P}.tar.bz2"
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="amd64 arm ~mips ppc ppc64 x86"
+IUSE="hybrid idea ipv6 kerberos ldap nat pam rc5 readline selinux stats"
+
+RDEPEND="
+ dev-libs/openssl
+ kerberos? ( virtual/krb5 )
+ ldap? ( net-nds/openldap )
+ pam? ( sys-libs/pam )
+ readline? ( sys-libs/readline )
+ selinux? (
+ sys-libs/libselinux
+ sec-policy/selinux-ipsec
+ )"
+
+DEPEND="${RDEPEND}
+ >=sys-kernel/linux-headers-2.6.30"
+
+pkg_preinst() {
+ if has_version "<${CATEGORY}/${PN}-0.8.0-r5" ; then
+ ewarn
+ ewarn "\033[1;33m**************************************************\033[00m"
+ ewarn
+ if ! has_version "net-misc/strongswan" &&
+ ! has_version "net-misc/openswan" &&
+ ! has_version "net-misc/libreswan"; then
+ ewarn "We found an earlier version of ${PN} installed."
+ ewarn "As of ${PN}-0.8.0-r5, the old configuration file,"
+ ewarn "ipsec.conf, has been changed to ipsec-tools.conf to avoid"
+ ewarn "a conflict with net-misc/strongswan; bug #436144. We will"
+ ewarn "rename this file for you with this upgrade. However, if"
+ ewarn "you later downgrade, you'll have to rename the file to"
+ ewarn "its orignal manually or change /etc/conf.d/racoon to point"
+ ewarn "to the new file."
+
+ if [[ -f /etc/ipsec.conf && ! -f /etc/ipsec-tools.conf ]] ; then
+ mv /etc/ipsec.conf /etc/ipsec-tools.conf
+ else
+ ewarn
+ ewarn "Oops! I can't move ipsec.conf to ipsec-tools.conf!"
+ ewarn "Either the former doesn't exist or the later does and"
+ ewarn "I won't clobber it. Please fix this situation manually."
+ fi
+ else
+ ewarn "You had both an earlier version of ${PN} and"
+ ewarn "net-misc/strongswan installed. I can't tell whether"
+ ewarn "the configuration file, ipsec.conf, belongs to one"
+ ewarn "package or the other due to a file conflict; bug #436144."
+ ewarn "The current version of ${PN} uses ipsec-tools.conf"
+ ewarn "as its configuration file, as will future versions."
+ ewarn "Please fix this situation manually."
+ fi
+ ewarn
+ ewarn "\033[1;33m**************************************************\033[00m"
+ ewarn
+ fi
+}
+
+pkg_setup() {
+ linux-info_pkg_setup
+
+ get_version
+
+ if linux_config_exists && kernel_is -ge 2 6 19; then
+ ewarn
+ ewarn "\033[1;33m**************************************************\033[00m"
+ ewarn
+ ewarn "Checking kernel configuration in /usr/src/linux or"
+ ewarn "or /proc/config.gz for compatibility with ${PN}."
+ ewarn "Here are the potential problems:"
+ ewarn
+
+ local nothing="1"
+
+ # Check options for all flavors of IPSec
+ local msg=""
+ for i in XFRM_USER NET_KEY; do
+ if ! linux_chkconfig_present ${i}; then
+ msg="${msg} ${i}"
+ fi
+ done
+ if [[ ! -z "$msg" ]]; then
+ nothing="0"
+ ewarn
+ ewarn "ALL IPSec may fail. CHECK:"
+ ewarn "${msg}"
+ fi
+
+ # Check unencrypted IPSec
+ if ! linux_chkconfig_present CRYPTO_NULL; then
+ nothing="0"
+ ewarn
+ ewarn "Unencrypted IPSec may fail. CHECK:"
+ ewarn " CRYPTO_NULL"
+ fi
+
+ # Check IPv4 IPSec
+ msg=""
+ for i in \
+ INET_IPCOMP INET_AH INET_ESP \
+ INET_XFRM_MODE_TRANSPORT \
+ INET_XFRM_MODE_TUNNEL \
+ INET_XFRM_MODE_BEET
+ do
+ if ! linux_chkconfig_present ${i}; then
+ msg="${msg} ${i}"
+ fi
+ done
+ if [[ ! -z "$msg" ]]; then
+ nothing="0"
+ ewarn
+ ewarn "IPv4 IPSec may fail. CHECK:"
+ ewarn "${msg}"
+ fi
+
+ # Check IPv6 IPSec
+ if use ipv6; then
+ msg=""
+ for i in INET6_IPCOMP INET6_AH INET6_ESP \
+ INET6_XFRM_MODE_TRANSPORT \
+ INET6_XFRM_MODE_TUNNEL \
+ INET6_XFRM_MODE_BEET
+ do
+ if ! linux_chkconfig_present ${i}; then
+ msg="${msg} ${i}"
+ fi
+ done
+ if [[ ! -z "$msg" ]]; then
+ nothing="0"
+ ewarn
+ ewarn "IPv6 IPSec may fail. CHECK:"
+ ewarn "${msg}"
+ fi
+ fi
+
+ # Check IPSec behind NAT
+ if use nat; then
+ if ! linux_chkconfig_present NETFILTER_XT_MATCH_POLICY; then
+ nothing="0"
+ ewarn
+ ewarn "IPSec behind NAT may fail. CHECK:"
+ ewarn " NETFILTER_XT_MATCH_POLICY"
+ fi
+ fi
+
+ if [[ $nothing == "1" ]]; then
+ ewarn "NO PROBLEMS FOUND"
+ fi
+
+ ewarn
+ ewarn "WARNING: If your *configured* and *running* kernel"
+ ewarn "differ either now or in the future, then these checks"
+ ewarn "may lead to misleading results."
+ ewarn
+ ewarn "\033[1;33m**************************************************\033[00m"
+ ewarn
+ else
+ eerror
+ eerror "\033[1;31m**************************************************\033[00m"
+ eerror "Make sure that your *running* kernel is/will be >=2.6.19."
+ eerror "Building ${PN} now, assuming that you know what you're doing."
+ eerror "\033[1;31m**************************************************\033[00m"
+ eerror
+ fi
+}
+
+src_prepare() {
+ # fix for bug #124813
+ sed -i 's:-Werror::g' "${S}"/configure.ac || die
+ # fix for building with gcc-4.6
+ sed -i 's: -R: -Wl,-R:' "${S}"/configure.ac || die
+
+ epatch "${FILESDIR}/${PN}-def-psk.patch"
+ epatch "${FILESDIR}/${PN}-include-vendoridh.patch"
+ epatch "${FILESDIR}"/${PN}-0.8.0-sysctl.patch #425770
+
+ AT_M4DIR="${S}" eautoreconf
+}
+
+src_configure() {
+ #--with-{libiconv,libradius} lead to "Broken getaddrinfo()"
+ #--enable-samode-unspec is not supported in linux
+ local myconf
+ myconf="--with-kernel-headers=/usr/include \
+ --enable-adminport \
+ --enable-dependency-tracking \
+ --enable-dpd \
+ --enable-frag \
+ --without-libiconv \
+ --without-libradius \
+ --disable-samode-unspec \
+ $(use_enable idea) \
+ $(use_enable ipv6) \
+ $(use_enable kerberos gssapi) \
+ $(use_with ldap libldap) \
+ $(use_enable nat natt) \
+ $(use_with pam libpam) \
+ $(use_enable rc5) \
+ $(use_with readline) \
+ $(use_enable selinux security-context) \
+ $(use_enable stats)"
+
+ use nat && myconf="${myconf} --enable-natt-versions=yes"
+
+ # enable mode-cfg and xauth support
+ if use pam; then
+ myconf="${myconf} --enable-hybrid"
+ else
+ myconf="${myconf} $(use_enable hybrid)"
+ fi
+
+ econf ${myconf}
+}
+
+src_install() {
+ emake DESTDIR="${D}" install
+ keepdir /var/lib/racoon
+ newconfd "${FILESDIR}"/racoon.conf.d-r2 racoon
+ newinitd "${FILESDIR}"/racoon.init.d-r3 racoon
+ use pam && newpamd "${FILESDIR}"/racoon.pam.d racoon
+
+ insinto /etc
+ doins "${FILESDIR}"/ipsec-tools.conf
+ insinto /etc/racoon
+ doins "${FILESDIR}"/racoon.conf
+ doins "${FILESDIR}"/psk.txt
+ chmod 400 "${D}"/etc/racoon/psk.txt
+
+ dodoc ChangeLog README NEWS
+ dodoc -r src/racoon/samples
+ dodoc -r src/racoon/doc
+ docinto samples
+ newdoc src/setkey/sample.cf ipsec-tools.conf
+}
+
+pkg_postinst() {
+ if use nat; then
+ elog
+ elog "You have enabled the nat traversal functionnality."
+ elog "Nat versions wich are enabled by default are 00,02,rfc"
+ elog "you can find those drafts in the CVS repository:"
+ elog "cvs -d anoncvs@anoncvs.netbsd.org:/cvsroot co ipsec-tools"
+ elog
+ elog "If you feel brave enough and you know what you are"
+ elog "doing, you can consider emerging this ebuild with"
+ elog "EXTRA_ECONF=\"--enable-natt-versions=08,07,06\""
+ elog
+ fi
+
+ if use ldap; then
+ elog
+ elog "You have enabled ldap support with {$PN}."
+ elog "The man page does NOT contain any information on it yet."
+ elog "Consider using a more recent version or CVS."
+ elog
+ fi
+
+ elog
+ elog "Please have a look in /usr/share/doc/${P} and visit"
+ elog "http://www.netbsd.org/Documentation/network/ipsec/"
+ elog "to find more information on how to configure this tool."
+ elog
+}
diff --git a/net-firewall/ipsec-tools/ipsec-tools-0.8.2.ebuild b/net-firewall/ipsec-tools/ipsec-tools-0.8.2.ebuild
new file mode 100644
index 000000000000..82a2e96f72a1
--- /dev/null
+++ b/net-firewall/ipsec-tools/ipsec-tools-0.8.2.ebuild
@@ -0,0 +1,277 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="5"
+
+inherit eutils flag-o-matic autotools linux-info pam
+
+DESCRIPTION="A port of KAME's IPsec utilities to the Linux-2.6 IPsec implementation"
+HOMEPAGE="http://ipsec-tools.sourceforge.net/"
+SRC_URI="mirror://sourceforge/${PN}/${P}.tar.bz2"
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="amd64 arm ~mips ppc ppc64 x86"
+IUSE="hybrid idea ipv6 kerberos ldap nat pam rc5 readline selinux stats"
+
+CDEPEND="
+ dev-libs/openssl:0=
+ kerberos? ( virtual/krb5 )
+ ldap? ( net-nds/openldap )
+ pam? ( sys-libs/pam )
+ readline? ( sys-libs/readline:0= )
+ selinux? ( sys-libs/libselinux )"
+
+DEPEND="${CDEPEND}
+ >=sys-kernel/linux-headers-2.6.30"
+
+RDEPEND="${CDEPEND}
+ selinux? ( sec-policy/selinux-ipsec )
+"
+
+pkg_preinst() {
+ if has_version "<${CATEGORY}/${PN}-0.8.0-r5" ; then
+ ewarn
+ ewarn "\033[1;33m**************************************************\033[00m"
+ ewarn
+ if ! has_version "net-misc/strongswan" &&
+ ! has_version "net-misc/openswan" &&
+ ! has_version "net-misc/libreswan"; then
+ ewarn "We found an earlier version of ${PN} installed."
+ ewarn "As of ${PN}-0.8.0-r5, the old configuration file,"
+ ewarn "ipsec.conf, has been changed to ipsec-tools.conf to avoid"
+ ewarn "a conflict with net-misc/strongswan; bug #436144. We will"
+ ewarn "rename this file for you with this upgrade. However, if"
+ ewarn "you later downgrade, you'll have to rename the file to"
+ ewarn "its orignal manually or change /etc/conf.d/racoon to point"
+ ewarn "to the new file."
+
+ if [[ -f /etc/ipsec.conf && ! -f /etc/ipsec-tools.conf ]] ; then
+ mv /etc/ipsec.conf /etc/ipsec-tools.conf
+ else
+ ewarn
+ ewarn "Oops! I can't move ipsec.conf to ipsec-tools.conf!"
+ ewarn "Either the former doesn't exist or the later does and"
+ ewarn "I won't clobber it. Please fix this situation manually."
+ fi
+ else
+ ewarn "You had both an earlier version of ${PN} and"
+ ewarn "net-misc/strongswan installed. I can't tell whether"
+ ewarn "the configuration file, ipsec.conf, belongs to one"
+ ewarn "package or the other due to a file conflict; bug #436144."
+ ewarn "The current version of ${PN} uses ipsec-tools.conf"
+ ewarn "as its configuration file, as will future versions."
+ ewarn "Please fix this situation manually."
+ fi
+ ewarn
+ ewarn "\033[1;33m**************************************************\033[00m"
+ ewarn
+ fi
+}
+
+pkg_setup() {
+ linux-info_pkg_setup
+
+ get_version
+
+ if linux_config_exists && kernel_is -ge 2 6 19; then
+ ewarn
+ ewarn "\033[1;33m**************************************************\033[00m"
+ ewarn
+ ewarn "Checking kernel configuration in /usr/src/linux or"
+ ewarn "or /proc/config.gz for compatibility with ${PN}."
+ ewarn "Here are the potential problems:"
+ ewarn
+
+ local nothing="1"
+
+ # Check options for all flavors of IPSec
+ local msg=""
+ for i in XFRM_USER NET_KEY; do
+ if ! linux_chkconfig_present ${i}; then
+ msg="${msg} ${i}"
+ fi
+ done
+ if [[ ! -z "$msg" ]]; then
+ nothing="0"
+ ewarn
+ ewarn "ALL IPSec may fail. CHECK:"
+ ewarn "${msg}"
+ fi
+
+ # Check unencrypted IPSec
+ if ! linux_chkconfig_present CRYPTO_NULL; then
+ nothing="0"
+ ewarn
+ ewarn "Unencrypted IPSec may fail. CHECK:"
+ ewarn " CRYPTO_NULL"
+ fi
+
+ # Check IPv4 IPSec
+ msg=""
+ for i in \
+ INET_IPCOMP INET_AH INET_ESP \
+ INET_XFRM_MODE_TRANSPORT \
+ INET_XFRM_MODE_TUNNEL \
+ INET_XFRM_MODE_BEET
+ do
+ if ! linux_chkconfig_present ${i}; then
+ msg="${msg} ${i}"
+ fi
+ done
+ if [[ ! -z "$msg" ]]; then
+ nothing="0"
+ ewarn
+ ewarn "IPv4 IPSec may fail. CHECK:"
+ ewarn "${msg}"
+ fi
+
+ # Check IPv6 IPSec
+ if use ipv6; then
+ msg=""
+ for i in INET6_IPCOMP INET6_AH INET6_ESP \
+ INET6_XFRM_MODE_TRANSPORT \
+ INET6_XFRM_MODE_TUNNEL \
+ INET6_XFRM_MODE_BEET
+ do
+ if ! linux_chkconfig_present ${i}; then
+ msg="${msg} ${i}"
+ fi
+ done
+ if [[ ! -z "$msg" ]]; then
+ nothing="0"
+ ewarn
+ ewarn "IPv6 IPSec may fail. CHECK:"
+ ewarn "${msg}"
+ fi
+ fi
+
+ # Check IPSec behind NAT
+ if use nat; then
+ if ! linux_chkconfig_present NETFILTER_XT_MATCH_POLICY; then
+ nothing="0"
+ ewarn
+ ewarn "IPSec behind NAT may fail. CHECK:"
+ ewarn " NETFILTER_XT_MATCH_POLICY"
+ fi
+ fi
+
+ if [[ $nothing == "1" ]]; then
+ ewarn "NO PROBLEMS FOUND"
+ fi
+
+ ewarn
+ ewarn "WARNING: If your *configured* and *running* kernel"
+ ewarn "differ either now or in the future, then these checks"
+ ewarn "may lead to misleading results."
+ ewarn
+ ewarn "\033[1;33m**************************************************\033[00m"
+ ewarn
+ else
+ eerror
+ eerror "\033[1;31m**************************************************\033[00m"
+ eerror "Make sure that your *running* kernel is/will be >=2.6.19."
+ eerror "Building ${PN} now, assuming that you know what you're doing."
+ eerror "\033[1;31m**************************************************\033[00m"
+ eerror
+ fi
+}
+
+src_prepare() {
+ # fix for bug #124813
+ sed -i 's:-Werror::g' "${S}"/configure.ac || die
+ # fix for building with gcc-4.6
+ sed -i 's: -R: -Wl,-R:' "${S}"/configure.ac || die
+
+ epatch "${FILESDIR}/${PN}-def-psk.patch"
+ epatch "${FILESDIR}/${PN}-include-vendoridh.patch"
+ epatch "${FILESDIR}"/${PN}-0.8.0-sysctl.patch #425770
+
+ AT_M4DIR="${S}" eautoreconf
+}
+
+src_configure() {
+ #--with-{libiconv,libradius} lead to "Broken getaddrinfo()"
+ #--enable-samode-unspec is not supported in linux
+ local myconf
+ myconf="--with-kernel-headers=/usr/include \
+ --enable-adminport \
+ --enable-dependency-tracking \
+ --enable-dpd \
+ --enable-frag \
+ --without-libiconv \
+ --without-libradius \
+ --disable-samode-unspec \
+ $(use_enable idea) \
+ $(use_enable ipv6) \
+ $(use_enable kerberos gssapi) \
+ $(use_with ldap libldap) \
+ $(use_enable nat natt) \
+ $(use_with pam libpam) \
+ $(use_enable rc5) \
+ $(use_with readline) \
+ $(use_enable selinux security-context) \
+ $(use_enable stats)"
+
+ use nat && myconf="${myconf} --enable-natt-versions=yes"
+
+ # enable mode-cfg and xauth support
+ if use pam; then
+ myconf="${myconf} --enable-hybrid"
+ else
+ myconf="${myconf} $(use_enable hybrid)"
+ fi
+
+ econf ${myconf}
+}
+
+src_install() {
+ emake DESTDIR="${D}" install
+ keepdir /var/lib/racoon
+ newconfd "${FILESDIR}"/racoon.conf.d-r2 racoon
+ newinitd "${FILESDIR}"/racoon.init.d-r3 racoon
+ use pam && newpamd "${FILESDIR}"/racoon.pam.d racoon
+
+ insinto /etc
+ doins "${FILESDIR}"/ipsec-tools.conf
+ insinto /etc/racoon
+ doins "${FILESDIR}"/racoon.conf
+ doins "${FILESDIR}"/psk.txt
+ chmod 400 "${D}"/etc/racoon/psk.txt
+
+ dodoc ChangeLog README NEWS
+ dodoc -r src/racoon/samples
+ dodoc -r src/racoon/doc
+ docinto samples
+ newdoc src/setkey/sample.cf ipsec-tools.conf
+}
+
+pkg_postinst() {
+ if use nat; then
+ elog
+ elog "You have enabled the nat traversal functionnality."
+ elog "Nat versions wich are enabled by default are 00,02,rfc"
+ elog "you can find those drafts in the CVS repository:"
+ elog "cvs -d anoncvs@anoncvs.netbsd.org:/cvsroot co ipsec-tools"
+ elog
+ elog "If you feel brave enough and you know what you are"
+ elog "doing, you can consider emerging this ebuild with"
+ elog "EXTRA_ECONF=\"--enable-natt-versions=08,07,06\""
+ elog
+ fi
+
+ if use ldap; then
+ elog
+ elog "You have enabled ldap support with {$PN}."
+ elog "The man page does NOT contain any information on it yet."
+ elog "Consider using a more recent version or CVS."
+ elog
+ fi
+
+ elog
+ elog "Please have a look in /usr/share/doc/${P} and visit"
+ elog "http://www.netbsd.org/Documentation/network/ipsec/"
+ elog "to find more information on how to configure this tool."
+ elog
+}
diff --git a/net-firewall/ipsec-tools/metadata.xml b/net-firewall/ipsec-tools/metadata.xml
new file mode 100644
index 000000000000..e71c61508b60
--- /dev/null
+++ b/net-firewall/ipsec-tools/metadata.xml
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+ <maintainer>
+ <email>blueness@gentoo.org</email>
+ </maintainer>
+ <use>
+ <flag name="hybrid">Makes available both mode-cfg and xauth support</flag>
+ <flag name="idea">Enable support for the IDEA algorithm</flag>
+ <flag name="nat">Enable NAT-Traversal</flag>
+ <flag name="rc5">Enable support for the patented RC5 algorithm</flag>
+ <flag name="stats">Enable statistics reporting</flag>
+ </use>
+ <upstream>
+ <remote-id type="sourceforge">ipsec-tools</remote-id>
+ </upstream>
+</pkgmetadata>
diff --git a/net-firewall/ipset/Manifest b/net-firewall/ipset/Manifest
new file mode 100644
index 000000000000..0d2769cd4949
--- /dev/null
+++ b/net-firewall/ipset/Manifest
@@ -0,0 +1,8 @@
+DIST ipset-6.15.tar.bz2 432771 SHA256 6f60a472bc2ef7b1c864be6472de65365c90e264dfadf28da48c2361393d8fd1 SHA512 f72329bb8610717ccdddbfaf7b7774e717a34d71fdb7f9c7eac97e3d1b314915500c88137b6e229411df99c86d2228bef447f26c116bc2cf992cfb60ab1422d3 WHIRLPOOL 868ee3cd722c2d86c273aca8f3ca7695e8ef5d00d30111ef0f2bf972a119211008d8cadec1760b43b4f0efb24690f20a2cf5f0fdbbb0700cf66e5660d363ab2a
+DIST ipset-6.16.1.tar.bz2 433347 SHA256 cb5b02deab8521946fd473b77c40f00452b76fed621f0eee76746c74e89e4c3c SHA512 e54d32932875a9d06acba598280de9e83529f36326cbaaeb05d38b985bc40d276dc46e37eae3d1d4c1afcdd69b3074678512349ebd964b6189ca1c6871efe304 WHIRLPOOL ff2276446c7dbb4005de236b73bf9879ead8273f3ec014883160b779f6c089eaf7d4c4dce06233ef357f0a8b5376754b158eec29187ae5f5f7bb52bfd2d8ae3c
+DIST ipset-6.16.tar.bz2 433118 SHA256 bc3ea05cfbacd43aebff6668825453d0a626edd5d3495a8670103ab895fba464 SHA512 34ef44af76f3609035ae1bdacb7586f2288ee66701ed8a1a5a0632fb23b5f651fe02b070e0f0f1b0ebae6cab02b3f827cc7e67f740cf77f51ba494c25dcc47dd WHIRLPOOL 3b3c2172626530145401bd813c39114f31bf3546ebe0af6e168ed32ade102c158f3bc5f4690ee8bf0540415adc35929da5d8ca8e4e1c2ec83bf631849a24b8a7
+DIST ipset-6.17.tar.bz2 448076 SHA256 7987bb8de1b0490b32084ab72165ae53038e497a96ab9940920280d8068629b0 SHA512 668f173b7ddd8a18af2730205e2e2c38610aa9fd191af52f91080e903bcd8e1f38e8e3a7fd57077decb00fd0556df89c3315c91eaffaa6977f2caf2a3300b175 WHIRLPOOL 1d08c841d87c7a5ca355857ac823ee696922b867690e9066c631414615c98f3cf3e59c6dd8d9f556170eef90a029260c7d41dc1e3f47811ede2190c5d0298e8b
+DIST ipset-6.19.tar.bz2 465927 SHA256 058e7950efdf8b9539ab79eb145de7be60d6cb7b92c0c011edda37e70135024c SHA512 9e9fdccd8ae34ad56c5fc6da03060b39b3acc9a53154acf7e82df3f2c1545b2bdcc7b5b9b4f6ddd6ee3e8582e81b1fa51fae37cb4f46948c053d5153bdca6f39 WHIRLPOOL 31472a732781598c8d99ee562766492c225e359b8153ff68a7769d8fa86f41cac9749eda08e4e3922a6ada5a815192109104b42c59ba3079530f6c0b0169613c
+DIST ipset-6.20.1.tar.bz2 500898 SHA256 356cac020438cd0871acbfc4cb119b8296030f0bb4661ad0d44bbc115ccbce92 SHA512 3fda3a71c18c8d5f9567038fc72f95abec81b4c789fbca7f7b9c032b15000cfbd2829f11a07f2f9ad2afcff54d6851923caff0917b2ead73756673a6b3667565 WHIRLPOOL f31cd533d286238e63f38aecbf281d428d75e856b393f61db5f6622d0dc0cd0a6de7aa4d3eaa2831e1da7dd0846e95c22f92b3a586cf3918cee074360a4caff3
+DIST ipset-6.21.1.tar.bz2 510013 SHA256 cf46c9c35a15aa0f2e0fbab0422586757bd82386c8ad3864936e6cffbd74a331 SHA512 c2ffb2eafc780e15370fd48841f4323c39e8fef1893216c8bc0b8aa8d143f9daf078c6e261e4558243004fe9612ce1d5ca4cca16f8b3f324f4194700c1b0accb WHIRLPOOL 230ebb4756891283980f5b7f67c0c64772b1527b8e8c0b6cdd2714de450b3f6c2a75d961d44563e440edd1399bdee8cce820fe59f46c28355a6f053ad6b1c37b
+DIST ipset-6.24.tar.bz2 518811 SHA256 3071fc283f00a6472b5b352ef57f9825c9face70dda5b0d8715f8d43d0e995d0 SHA512 107bf492030dc4e8e4c2a939e46a715f58458126bfb636dae993e5bf31151d33c2a41b89eb5cca85b71d95b3e36debf97cdfc72c568f351091df17159003d6c6 WHIRLPOOL d34e8d5d197be85cf00ea6a5dbfeb7c52b5d42d9e78299620928e69ba1fbbe124cb16b9f5f2e05d1213b2b7a29a2bed2c1edac2f15ee3c83d8dc19eb3afcc112
diff --git a/net-firewall/ipset/files/ipset.confd b/net-firewall/ipset/files/ipset.confd
new file mode 100644
index 000000000000..9fe42e9c75c5
--- /dev/null
+++ b/net-firewall/ipset/files/ipset.confd
@@ -0,0 +1,16 @@
+# /etc/conf.d/ipset
+
+# Location in which ipset initscript will save set rules on
+# service shutdown
+IPSET_SAVE="/var/lib/ipset/rules-save"
+
+# Save state on stopping ipset
+SAVE_ON_STOP="yes"
+
+# If you need to log iptables messages as soon as iptables starts,
+# AND your logger does NOT depend on the network, then you may wish
+# to uncomment the next line.
+# If your logger depends on the network, and you uncomment this line
+# you will create an unresolvable circular dependency during startup.
+# After commenting or uncommenting this line, you must run 'rc-update -u'.
+#rc_use="logger"
diff --git a/net-firewall/ipset/files/ipset.initd-r2 b/net-firewall/ipset/files/ipset.initd-r2
new file mode 100644
index 000000000000..e97ebe352069
--- /dev/null
+++ b/net-firewall/ipset/files/ipset.initd-r2
@@ -0,0 +1,60 @@
+#!/sbin/runscript
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+extra_commands="save"
+
+IPSET_SAVE=${IPSET_SAVE:-/var/lib/ipset/rules-save}
+
+depend() {
+ before iptables ip6tables
+}
+
+checkconfig() {
+ if [ ! -f "${IPSET_SAVE}" ] ; then
+ eerror "Not starting ${SVCNAME}. First create some rules then run:"
+ eerror "/etc/init.d/${SVCNAME} save"
+ return 1
+ fi
+ return 0
+}
+
+start() {
+ checkconfig || return 1
+ ebegin "Loading ipset session"
+ ipset restore < "${IPSET_SAVE}"
+ eend $?
+}
+
+stop() {
+ # check if there are any references to current sets
+
+ if ! ipset list | gawk '
+ ($1 == "References:") { refcnt += $2 }
+ ($1 == "Type:" && $2 == "list:set") { set = 1 }
+ (scan) { if ($0 != "") setcnt++; else { scan = 0; set = 0 } }
+ (set && $1 == "Members:") {scan = 1}
+ END { if ((refcnt - setcnt) > 0) exit 1 }
+ '; then
+ eerror "ipset is in use, can't stop"
+ return 1
+ fi
+
+ if [ "${SAVE_ON_STOP}" = "yes" ] ; then
+ save || return 1
+ fi
+
+ ebegin "Removing kernel IP sets"
+ ipset flush
+ ipset destroy
+ eend $?
+}
+
+save() {
+ ebegin "Saving ipset session"
+ touch "${IPSET_SAVE}"
+ chmod 0600 "${IPSET_SAVE}"
+ ipset save > "${IPSET_SAVE}"
+ eend $?
+}
diff --git a/net-firewall/ipset/files/ipset.initd-r3 b/net-firewall/ipset/files/ipset.initd-r3
new file mode 100644
index 000000000000..66294da58058
--- /dev/null
+++ b/net-firewall/ipset/files/ipset.initd-r3
@@ -0,0 +1,96 @@
+#!/sbin/runscript
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+extra_commands="save"
+extra_started_commands="reload"
+
+IPSET_SAVE=${IPSET_SAVE:-/var/lib/ipset/rules-save}
+
+depend() {
+ before iptables ip6tables
+}
+
+checkconfig() {
+ if [ ! -f "${IPSET_SAVE}" ] ; then
+ eerror "Not starting ${SVCNAME}. First create some rules then run:"
+ eerror "/etc/init.d/${SVCNAME} save"
+ return 1
+ fi
+ return 0
+}
+
+start() {
+ checkconfig || return 1
+ ebegin "Loading ipset session"
+ ipset restore < "${IPSET_SAVE}"
+ eend $?
+}
+
+stop() {
+ # check if there are any references to current sets
+
+ if ! ipset list | gawk '
+ ($1 == "References:") { refcnt += $2 }
+ ($1 == "Type:" && $2 == "list:set") { set = 1 }
+ (scan) { if ($0 != "") setcnt++; else { scan = 0; set = 0 } }
+ (set && $1 == "Members:") {scan = 1}
+ END { if ((refcnt - setcnt) > 0) exit 1 }
+ '; then
+ eerror "ipset is in use, can't stop"
+ return 1
+ fi
+
+ if [ "${SAVE_ON_STOP}" = "yes" ] ; then
+ save || return 1
+ fi
+
+ ebegin "Removing kernel IP sets"
+ ipset flush
+ ipset destroy
+ eend $?
+}
+
+reload() {
+ ebegin "Reloading ipsets"
+
+ # Loading sets from a save file is only additive (there is no
+ # automatic flushing or replacing). And, we can not remove sets
+ # that are currently used in existing iptables rules.
+ #
+ # Instead, we create new temp sets for any set that is already
+ # in use, and then atomically swap them into place.
+ #
+ # XXX: This does not clean out previously used ipsets that are
+ # not in the new saved policy--it can't, because they may still
+ # be referenced in the current iptables rules.
+
+ # Build a list of all currently used sets (if any).
+ running_ipset_list=$(ipset save | gawk '/^create/{printf "%s ",$2}')
+ running_ipset_list="${running_ipset_list% }"
+ # Build a regular expression that matches those set names.
+ running_ipset_list_regex="${running_ipset_list// /|}"
+
+ # Load up sets from the save file, but rename any set that already
+ # exists to a temporary name that we will swap later.
+ if ! cat ${IPSET_SAVE} | sed -r "s/^(create|add) (${running_ipset_list_regex}) /\1 \2_atomic_temp /" | ipset restore ; then
+ eend $? "Failed to load new ipsets"
+ fi
+
+ # Now for every set name that currently exists, atomically swap it
+ # with the temporary new one we created, and then destroy the old set.
+ for ipset_name in ${running_ipset_list} ; do
+ ipset swap ${ipset_name} ${ipset_name}_atomic_temp || eend $? "Failed to swap in new ipset $ipset_name"
+ ipset destroy ${ipset_name}_atomic_temp || eend $? "Failed to delete obsolete ipset ${ipset_name}_atomic_temp"
+ done
+ eend 0
+}
+
+save() {
+ ebegin "Saving ipset session"
+ touch "${IPSET_SAVE}"
+ chmod 0600 "${IPSET_SAVE}"
+ ipset save > "${IPSET_SAVE}"
+ eend $?
+}
diff --git a/net-firewall/ipset/ipset-6.15.ebuild b/net-firewall/ipset/ipset-6.15.ebuild
new file mode 100644
index 000000000000..55328570d6f7
--- /dev/null
+++ b/net-firewall/ipset/ipset-6.15.ebuild
@@ -0,0 +1,112 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="4"
+inherit autotools linux-info linux-mod
+
+DESCRIPTION="IPset tool for iptables, successor to ippool"
+HOMEPAGE="http://ipset.netfilter.org/"
+SRC_URI="http://ipset.netfilter.org/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="amd64 ~ppc x86"
+IUSE="modules"
+
+RDEPEND=">=net-firewall/iptables-1.4.7
+ net-libs/libmnl"
+DEPEND="${RDEPEND}"
+
+DOCS=( ChangeLog INSTALL README UPGRADE )
+
+# configurable from outside, e.g. /etc/make.conf
+IP_NF_SET_MAX=${IP_NF_SET_MAX:-256}
+
+BUILD_TARGETS="modules"
+MODULE_NAMES_ARG="kernel/net/netfilter/ipset/:${S}/kernel/net/netfilter/ipset"
+MODULE_NAMES="xt_set(kernel/net/netfilter/ipset/:${S}/kernel/net/netfilter/)"
+for i in ip_set{,_bitmap_{ip{,mac},port},_hash_{ip{,port{,ip,net}},net,net{port,iface}},_list_set}; do
+ MODULE_NAMES+=" ${i}(${MODULE_NAMES_ARG})"
+done
+
+check_header_patch() {
+ if ! $(grep -q NFNL_SUBSYS_IPSET "${KV_DIR}/include/linux/netfilter/nfnetlink.h"); then
+ eerror "Sorry, but you have to patch kernel sources with the following patch:"
+ eerror " # cd ${KV_DIR}"
+ eerror " # patch -i ${S}/netlink.patch -p1"
+ eerror "You should recompile and run new kernel to avoid runtime errors."
+ die "Unpatched kernel"
+ fi
+}
+
+pkg_setup() {
+ get_version
+ CONFIG_CHECK="NETFILTER"
+ ERROR_NETFILTER="ipset requires NETFILTER support in your kernel."
+
+ build_modules=0
+ if use modules; then
+ kernel_is -lt 2 6 35 && die "${PN} requires kernel greater then 2.6.35."
+ if linux_config_src_exists && linux_chkconfig_builtin "MODULES" ; then
+ if linux_chkconfig_present "IP_NF_SET" || \
+ linux_chkconfig_present "IP_SET"; then #274577
+ eerror "There is IP{,_NF}_SET or NETFILTER_XT_SET support in your kernel."
+ eerror "Please either build ipset with modules USE flag disabled"
+ eerror "or rebuild kernel without IP_SET support and make sure"
+ eerror "there is NO kernel ip_set* modules in /lib/modules/<your_kernel>/... ."
+ die "USE=modules and in-kernel ipset support detected."
+ else
+ einfo "Modular kernel detected. Gonna build kernel modules..."
+ build_modules=1
+ fi
+ else
+ eerror "Nonmodular kernel detected, but USE=modules. Either build"
+ eerror "modular kernel (without IP_SET) or disable USE=modules"
+ die "Nonmodular kernel detected, will not build kernel modules"
+ fi
+ fi
+ [[ ${build_modules} -eq 1 ]] && linux-mod_pkg_setup
+}
+
+src_prepare() {
+ [[ ${build_modules} -eq 1 ]] && check_header_patch
+ eautoreconf
+}
+
+src_configure() {
+ econf \
+ $(use_with modules kmod) \
+ --disable-static \
+ --with-maxsets=${IP_NF_SET_MAX} \
+ --libdir="${EPREFIX}/$(get_libdir)" \
+ --with-ksource="${KV_DIR}" \
+ --with-kbuild="${KV_OUT_DIR}" \
+ --disable-silent-rules
+}
+
+src_compile() {
+ einfo "Building userspace"
+ emake
+
+ if [[ ${build_modules} -eq 1 ]]; then
+ einfo "Building kernel modules"
+ set_arch_to_kernel
+ emake modules
+ fi
+}
+
+src_install() {
+ einfo "Installing userspace"
+ default
+ prune_libtool_files
+
+ newinitd "${FILESDIR}"/ipset.initd-r2 ${PN}
+ newconfd "${FILESDIR}"/ipset.confd ${PN}
+ keepdir /var/lib/ipset
+
+ if [[ ${build_modules} -eq 1 ]]; then
+ einfo "Installing kernel modules"
+ linux-mod_src_install
+ fi
+}
diff --git a/net-firewall/ipset/ipset-6.16.1.ebuild b/net-firewall/ipset/ipset-6.16.1.ebuild
new file mode 100644
index 000000000000..334752d8055d
--- /dev/null
+++ b/net-firewall/ipset/ipset-6.16.1.ebuild
@@ -0,0 +1,111 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="5"
+inherit autotools linux-info linux-mod
+
+DESCRIPTION="IPset tool for iptables, successor to ippool"
+HOMEPAGE="http://ipset.netfilter.org/"
+SRC_URI="http://ipset.netfilter.org/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~ppc ~x86"
+IUSE="modules"
+
+RDEPEND=">=net-firewall/iptables-1.4.7
+ net-libs/libmnl"
+DEPEND="${RDEPEND}"
+
+DOCS=( ChangeLog INSTALL README UPGRADE )
+
+# configurable from outside, e.g. /etc/make.conf
+IP_NF_SET_MAX=${IP_NF_SET_MAX:-256}
+
+BUILD_TARGETS="modules"
+MODULE_NAMES_ARG="kernel/net/netfilter/ipset/:${S}/kernel/net/netfilter/ipset"
+MODULE_NAMES="xt_set(kernel/net/netfilter/ipset/:${S}/kernel/net/netfilter/)"
+for i in ip_set{,_bitmap_{ip{,mac},port},_hash_{ip{,port{,ip,net}},net,net{port,iface}},_list_set}; do
+ MODULE_NAMES+=" ${i}(${MODULE_NAMES_ARG})"
+done
+
+check_header_patch() {
+ if ! $(grep -q NFNL_SUBSYS_IPSET "${KV_DIR}/include/linux/netfilter/nfnetlink.h"); then
+ eerror "Sorry, but you have to patch kernel sources with the following patch:"
+ eerror " # cd ${KV_DIR}"
+ eerror " # patch -i ${S}/netlink.patch -p1"
+ eerror "You should recompile and run new kernel to avoid runtime errors."
+ die "Unpatched kernel"
+ fi
+}
+
+pkg_setup() {
+ get_version
+ CONFIG_CHECK="NETFILTER"
+ ERROR_NETFILTER="ipset requires NETFILTER support in your kernel."
+
+ build_modules=0
+ if use modules; then
+ kernel_is -lt 2 6 35 && die "${PN} requires kernel greater then 2.6.35."
+ if linux_config_src_exists && linux_chkconfig_builtin "MODULES" ; then
+ if linux_chkconfig_present "IP_NF_SET" || \
+ linux_chkconfig_present "IP_SET"; then #274577
+ eerror "There is IP{,_NF}_SET or NETFILTER_XT_SET support in your kernel."
+ eerror "Please either build ipset with modules USE flag disabled"
+ eerror "or rebuild kernel without IP_SET support and make sure"
+ eerror "there is NO kernel ip_set* modules in /lib/modules/<your_kernel>/... ."
+ die "USE=modules and in-kernel ipset support detected."
+ else
+ einfo "Modular kernel detected. Gonna build kernel modules..."
+ build_modules=1
+ fi
+ else
+ eerror "Nonmodular kernel detected, but USE=modules. Either build"
+ eerror "modular kernel (without IP_SET) or disable USE=modules"
+ die "Nonmodular kernel detected, will not build kernel modules"
+ fi
+ fi
+ [[ ${build_modules} -eq 1 ]] && linux-mod_pkg_setup
+}
+
+src_prepare() {
+ [[ ${build_modules} -eq 1 ]] && check_header_patch
+ eautoreconf
+}
+
+src_configure() {
+ econf \
+ $(use_with modules kmod) \
+ --disable-static \
+ --with-maxsets=${IP_NF_SET_MAX} \
+ --libdir="${EPREFIX}/$(get_libdir)" \
+ --with-ksource="${KV_DIR}" \
+ --with-kbuild="${KV_OUT_DIR}"
+}
+
+src_compile() {
+ einfo "Building userspace"
+ emake
+
+ if [[ ${build_modules} -eq 1 ]]; then
+ einfo "Building kernel modules"
+ set_arch_to_kernel
+ emake modules
+ fi
+}
+
+src_install() {
+ einfo "Installing userspace"
+ default
+ prune_libtool_files
+
+ newinitd "${FILESDIR}"/ipset.initd-r2 ${PN}
+ newconfd "${FILESDIR}"/ipset.confd ${PN}
+ keepdir /var/lib/ipset
+
+ if [[ ${build_modules} -eq 1 ]]; then
+ einfo "Installing kernel modules"
+ linux-mod_src_install
+ fi
+}
diff --git a/net-firewall/ipset/ipset-6.16.ebuild b/net-firewall/ipset/ipset-6.16.ebuild
new file mode 100644
index 000000000000..334752d8055d
--- /dev/null
+++ b/net-firewall/ipset/ipset-6.16.ebuild
@@ -0,0 +1,111 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="5"
+inherit autotools linux-info linux-mod
+
+DESCRIPTION="IPset tool for iptables, successor to ippool"
+HOMEPAGE="http://ipset.netfilter.org/"
+SRC_URI="http://ipset.netfilter.org/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~ppc ~x86"
+IUSE="modules"
+
+RDEPEND=">=net-firewall/iptables-1.4.7
+ net-libs/libmnl"
+DEPEND="${RDEPEND}"
+
+DOCS=( ChangeLog INSTALL README UPGRADE )
+
+# configurable from outside, e.g. /etc/make.conf
+IP_NF_SET_MAX=${IP_NF_SET_MAX:-256}
+
+BUILD_TARGETS="modules"
+MODULE_NAMES_ARG="kernel/net/netfilter/ipset/:${S}/kernel/net/netfilter/ipset"
+MODULE_NAMES="xt_set(kernel/net/netfilter/ipset/:${S}/kernel/net/netfilter/)"
+for i in ip_set{,_bitmap_{ip{,mac},port},_hash_{ip{,port{,ip,net}},net,net{port,iface}},_list_set}; do
+ MODULE_NAMES+=" ${i}(${MODULE_NAMES_ARG})"
+done
+
+check_header_patch() {
+ if ! $(grep -q NFNL_SUBSYS_IPSET "${KV_DIR}/include/linux/netfilter/nfnetlink.h"); then
+ eerror "Sorry, but you have to patch kernel sources with the following patch:"
+ eerror " # cd ${KV_DIR}"
+ eerror " # patch -i ${S}/netlink.patch -p1"
+ eerror "You should recompile and run new kernel to avoid runtime errors."
+ die "Unpatched kernel"
+ fi
+}
+
+pkg_setup() {
+ get_version
+ CONFIG_CHECK="NETFILTER"
+ ERROR_NETFILTER="ipset requires NETFILTER support in your kernel."
+
+ build_modules=0
+ if use modules; then
+ kernel_is -lt 2 6 35 && die "${PN} requires kernel greater then 2.6.35."
+ if linux_config_src_exists && linux_chkconfig_builtin "MODULES" ; then
+ if linux_chkconfig_present "IP_NF_SET" || \
+ linux_chkconfig_present "IP_SET"; then #274577
+ eerror "There is IP{,_NF}_SET or NETFILTER_XT_SET support in your kernel."
+ eerror "Please either build ipset with modules USE flag disabled"
+ eerror "or rebuild kernel without IP_SET support and make sure"
+ eerror "there is NO kernel ip_set* modules in /lib/modules/<your_kernel>/... ."
+ die "USE=modules and in-kernel ipset support detected."
+ else
+ einfo "Modular kernel detected. Gonna build kernel modules..."
+ build_modules=1
+ fi
+ else
+ eerror "Nonmodular kernel detected, but USE=modules. Either build"
+ eerror "modular kernel (without IP_SET) or disable USE=modules"
+ die "Nonmodular kernel detected, will not build kernel modules"
+ fi
+ fi
+ [[ ${build_modules} -eq 1 ]] && linux-mod_pkg_setup
+}
+
+src_prepare() {
+ [[ ${build_modules} -eq 1 ]] && check_header_patch
+ eautoreconf
+}
+
+src_configure() {
+ econf \
+ $(use_with modules kmod) \
+ --disable-static \
+ --with-maxsets=${IP_NF_SET_MAX} \
+ --libdir="${EPREFIX}/$(get_libdir)" \
+ --with-ksource="${KV_DIR}" \
+ --with-kbuild="${KV_OUT_DIR}"
+}
+
+src_compile() {
+ einfo "Building userspace"
+ emake
+
+ if [[ ${build_modules} -eq 1 ]]; then
+ einfo "Building kernel modules"
+ set_arch_to_kernel
+ emake modules
+ fi
+}
+
+src_install() {
+ einfo "Installing userspace"
+ default
+ prune_libtool_files
+
+ newinitd "${FILESDIR}"/ipset.initd-r2 ${PN}
+ newconfd "${FILESDIR}"/ipset.confd ${PN}
+ keepdir /var/lib/ipset
+
+ if [[ ${build_modules} -eq 1 ]]; then
+ einfo "Installing kernel modules"
+ linux-mod_src_install
+ fi
+}
diff --git a/net-firewall/ipset/ipset-6.17.ebuild b/net-firewall/ipset/ipset-6.17.ebuild
new file mode 100644
index 000000000000..fa6b78f49592
--- /dev/null
+++ b/net-firewall/ipset/ipset-6.17.ebuild
@@ -0,0 +1,111 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="5"
+inherit autotools linux-info linux-mod
+
+DESCRIPTION="IPset tool for iptables, successor to ippool"
+HOMEPAGE="http://ipset.netfilter.org/"
+SRC_URI="http://ipset.netfilter.org/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="amd64 ~ppc x86"
+IUSE="modules"
+
+RDEPEND=">=net-firewall/iptables-1.4.7
+ net-libs/libmnl"
+DEPEND="${RDEPEND}"
+
+DOCS=( ChangeLog INSTALL README UPGRADE )
+
+# configurable from outside, e.g. /etc/make.conf
+IP_NF_SET_MAX=${IP_NF_SET_MAX:-256}
+
+BUILD_TARGETS="modules"
+MODULE_NAMES_ARG="kernel/net/netfilter/ipset/:${S}/kernel/net/netfilter/ipset"
+MODULE_NAMES="xt_set(kernel/net/netfilter/ipset/:${S}/kernel/net/netfilter/)"
+for i in ip_set{,_bitmap_{ip{,mac},port},_hash_{ip{,port{,ip,net}},net,net{port,iface}},_list_set}; do
+ MODULE_NAMES+=" ${i}(${MODULE_NAMES_ARG})"
+done
+
+check_header_patch() {
+ if ! $(grep -q NFNL_SUBSYS_IPSET "${KV_DIR}/include/linux/netfilter/nfnetlink.h"); then
+ eerror "Sorry, but you have to patch kernel sources with the following patch:"
+ eerror " # cd ${KV_DIR}"
+ eerror " # patch -i ${S}/netlink.patch -p1"
+ eerror "You should recompile and run new kernel to avoid runtime errors."
+ die "Unpatched kernel"
+ fi
+}
+
+pkg_setup() {
+ get_version
+ CONFIG_CHECK="NETFILTER"
+ ERROR_NETFILTER="ipset requires NETFILTER support in your kernel."
+
+ build_modules=0
+ if use modules; then
+ kernel_is -lt 2 6 35 && die "${PN} requires kernel greater then 2.6.35."
+ if linux_config_src_exists && linux_chkconfig_builtin "MODULES" ; then
+ if linux_chkconfig_present "IP_NF_SET" || \
+ linux_chkconfig_present "IP_SET"; then #274577
+ eerror "There is IP{,_NF}_SET or NETFILTER_XT_SET support in your kernel."
+ eerror "Please either build ipset with modules USE flag disabled"
+ eerror "or rebuild kernel without IP_SET support and make sure"
+ eerror "there is NO kernel ip_set* modules in /lib/modules/<your_kernel>/... ."
+ die "USE=modules and in-kernel ipset support detected."
+ else
+ einfo "Modular kernel detected. Gonna build kernel modules..."
+ build_modules=1
+ fi
+ else
+ eerror "Nonmodular kernel detected, but USE=modules. Either build"
+ eerror "modular kernel (without IP_SET) or disable USE=modules"
+ die "Nonmodular kernel detected, will not build kernel modules"
+ fi
+ fi
+ [[ ${build_modules} -eq 1 ]] && linux-mod_pkg_setup
+}
+
+src_prepare() {
+ [[ ${build_modules} -eq 1 ]] && check_header_patch
+ eautoreconf
+}
+
+src_configure() {
+ econf \
+ $(use_with modules kmod) \
+ --disable-static \
+ --with-maxsets=${IP_NF_SET_MAX} \
+ --libdir="${EPREFIX}/$(get_libdir)" \
+ --with-ksource="${KV_DIR}" \
+ --with-kbuild="${KV_OUT_DIR}"
+}
+
+src_compile() {
+ einfo "Building userspace"
+ emake
+
+ if [[ ${build_modules} -eq 1 ]]; then
+ einfo "Building kernel modules"
+ set_arch_to_kernel
+ emake modules
+ fi
+}
+
+src_install() {
+ einfo "Installing userspace"
+ default
+ prune_libtool_files
+
+ newinitd "${FILESDIR}"/ipset.initd-r2 ${PN}
+ newconfd "${FILESDIR}"/ipset.confd ${PN}
+ keepdir /var/lib/ipset
+
+ if [[ ${build_modules} -eq 1 ]]; then
+ einfo "Installing kernel modules"
+ linux-mod_src_install
+ fi
+}
diff --git a/net-firewall/ipset/ipset-6.19.ebuild b/net-firewall/ipset/ipset-6.19.ebuild
new file mode 100644
index 000000000000..334752d8055d
--- /dev/null
+++ b/net-firewall/ipset/ipset-6.19.ebuild
@@ -0,0 +1,111 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="5"
+inherit autotools linux-info linux-mod
+
+DESCRIPTION="IPset tool for iptables, successor to ippool"
+HOMEPAGE="http://ipset.netfilter.org/"
+SRC_URI="http://ipset.netfilter.org/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~ppc ~x86"
+IUSE="modules"
+
+RDEPEND=">=net-firewall/iptables-1.4.7
+ net-libs/libmnl"
+DEPEND="${RDEPEND}"
+
+DOCS=( ChangeLog INSTALL README UPGRADE )
+
+# configurable from outside, e.g. /etc/make.conf
+IP_NF_SET_MAX=${IP_NF_SET_MAX:-256}
+
+BUILD_TARGETS="modules"
+MODULE_NAMES_ARG="kernel/net/netfilter/ipset/:${S}/kernel/net/netfilter/ipset"
+MODULE_NAMES="xt_set(kernel/net/netfilter/ipset/:${S}/kernel/net/netfilter/)"
+for i in ip_set{,_bitmap_{ip{,mac},port},_hash_{ip{,port{,ip,net}},net,net{port,iface}},_list_set}; do
+ MODULE_NAMES+=" ${i}(${MODULE_NAMES_ARG})"
+done
+
+check_header_patch() {
+ if ! $(grep -q NFNL_SUBSYS_IPSET "${KV_DIR}/include/linux/netfilter/nfnetlink.h"); then
+ eerror "Sorry, but you have to patch kernel sources with the following patch:"
+ eerror " # cd ${KV_DIR}"
+ eerror " # patch -i ${S}/netlink.patch -p1"
+ eerror "You should recompile and run new kernel to avoid runtime errors."
+ die "Unpatched kernel"
+ fi
+}
+
+pkg_setup() {
+ get_version
+ CONFIG_CHECK="NETFILTER"
+ ERROR_NETFILTER="ipset requires NETFILTER support in your kernel."
+
+ build_modules=0
+ if use modules; then
+ kernel_is -lt 2 6 35 && die "${PN} requires kernel greater then 2.6.35."
+ if linux_config_src_exists && linux_chkconfig_builtin "MODULES" ; then
+ if linux_chkconfig_present "IP_NF_SET" || \
+ linux_chkconfig_present "IP_SET"; then #274577
+ eerror "There is IP{,_NF}_SET or NETFILTER_XT_SET support in your kernel."
+ eerror "Please either build ipset with modules USE flag disabled"
+ eerror "or rebuild kernel without IP_SET support and make sure"
+ eerror "there is NO kernel ip_set* modules in /lib/modules/<your_kernel>/... ."
+ die "USE=modules and in-kernel ipset support detected."
+ else
+ einfo "Modular kernel detected. Gonna build kernel modules..."
+ build_modules=1
+ fi
+ else
+ eerror "Nonmodular kernel detected, but USE=modules. Either build"
+ eerror "modular kernel (without IP_SET) or disable USE=modules"
+ die "Nonmodular kernel detected, will not build kernel modules"
+ fi
+ fi
+ [[ ${build_modules} -eq 1 ]] && linux-mod_pkg_setup
+}
+
+src_prepare() {
+ [[ ${build_modules} -eq 1 ]] && check_header_patch
+ eautoreconf
+}
+
+src_configure() {
+ econf \
+ $(use_with modules kmod) \
+ --disable-static \
+ --with-maxsets=${IP_NF_SET_MAX} \
+ --libdir="${EPREFIX}/$(get_libdir)" \
+ --with-ksource="${KV_DIR}" \
+ --with-kbuild="${KV_OUT_DIR}"
+}
+
+src_compile() {
+ einfo "Building userspace"
+ emake
+
+ if [[ ${build_modules} -eq 1 ]]; then
+ einfo "Building kernel modules"
+ set_arch_to_kernel
+ emake modules
+ fi
+}
+
+src_install() {
+ einfo "Installing userspace"
+ default
+ prune_libtool_files
+
+ newinitd "${FILESDIR}"/ipset.initd-r2 ${PN}
+ newconfd "${FILESDIR}"/ipset.confd ${PN}
+ keepdir /var/lib/ipset
+
+ if [[ ${build_modules} -eq 1 ]]; then
+ einfo "Installing kernel modules"
+ linux-mod_src_install
+ fi
+}
diff --git a/net-firewall/ipset/ipset-6.20.1.ebuild b/net-firewall/ipset/ipset-6.20.1.ebuild
new file mode 100644
index 000000000000..650eacc6b5fa
--- /dev/null
+++ b/net-firewall/ipset/ipset-6.20.1.ebuild
@@ -0,0 +1,114 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="5"
+MODULES_OPTIONAL_USE=modules
+inherit autotools linux-info linux-mod
+
+DESCRIPTION="IPset tool for iptables, successor to ippool"
+HOMEPAGE="http://ipset.netfilter.org/"
+SRC_URI="http://ipset.netfilter.org/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="amd64 ~ppc ~x86"
+
+RDEPEND=">=net-firewall/iptables-1.4.7
+ net-libs/libmnl"
+DEPEND="${RDEPEND}"
+
+DOCS=( ChangeLog INSTALL README UPGRADE )
+
+# configurable from outside, e.g. /etc/make.conf
+IP_NF_SET_MAX=${IP_NF_SET_MAX:-256}
+
+BUILD_TARGETS="modules"
+MODULE_NAMES_ARG="kernel/net/netfilter/ipset/:${S}/kernel/net/netfilter/ipset"
+MODULE_NAMES="xt_set(kernel/net/netfilter/ipset/:${S}/kernel/net/netfilter/)"
+for i in ip_set{,_bitmap_{ip{,mac},port},_hash_{ip{,port{,ip,net}},net{,port{,net},iface,net}},_list_set}; do
+ MODULE_NAMES+=" ${i}(${MODULE_NAMES_ARG})"
+done
+
+check_header_patch() {
+ if ! $(grep -q NFNL_SUBSYS_IPSET "${KV_DIR}/include/linux/netfilter/nfnetlink.h"); then
+ eerror "Sorry, but you have to patch kernel sources with the following patch:"
+ eerror " # cd ${KV_DIR}"
+ eerror " # patch -i ${S}/netlink.patch -p1"
+ eerror "You should recompile and run new kernel to avoid runtime errors."
+ die "Unpatched kernel"
+ fi
+}
+
+pkg_setup() {
+ get_version
+ CONFIG_CHECK="NETFILTER"
+ ERROR_NETFILTER="ipset requires NETFILTER support in your kernel."
+ # It does still build without NET_NS, but it may be needed in future.
+ #CONFIG_CHECK="${CONFIG_CHECK} NET_NS"
+ #ERROR_NET_NS="ipset requires NET_NS (network namespace) support in your kernel."
+
+ build_modules=0
+ if use modules; then
+ kernel_is -lt 2 6 35 && die "${PN} requires kernel greater then 2.6.35."
+ if linux_config_src_exists && linux_chkconfig_builtin "MODULES" ; then
+ if linux_chkconfig_present "IP_NF_SET" || \
+ linux_chkconfig_present "IP_SET"; then #274577
+ eerror "There is IP{,_NF}_SET or NETFILTER_XT_SET support in your kernel."
+ eerror "Please either build ipset with modules USE flag disabled"
+ eerror "or rebuild kernel without IP_SET support and make sure"
+ eerror "there is NO kernel ip_set* modules in /lib/modules/<your_kernel>/... ."
+ die "USE=modules and in-kernel ipset support detected."
+ else
+ einfo "Modular kernel detected. Gonna build kernel modules..."
+ build_modules=1
+ fi
+ else
+ eerror "Nonmodular kernel detected, but USE=modules. Either build"
+ eerror "modular kernel (without IP_SET) or disable USE=modules"
+ die "Nonmodular kernel detected, will not build kernel modules"
+ fi
+ fi
+ [[ ${build_modules} -eq 1 ]] && linux-mod_pkg_setup
+}
+
+src_prepare() {
+ [[ ${build_modules} -eq 1 ]] && check_header_patch
+ eautoreconf
+}
+
+src_configure() {
+ econf \
+ $(use_with modules kmod) \
+ --disable-static \
+ --with-maxsets=${IP_NF_SET_MAX} \
+ --libdir="${EPREFIX}/$(get_libdir)" \
+ --with-ksource="${KV_DIR}" \
+ --with-kbuild="${KV_OUT_DIR}"
+}
+
+src_compile() {
+ einfo "Building userspace"
+ emake
+
+ if [[ ${build_modules} -eq 1 ]]; then
+ einfo "Building kernel modules"
+ set_arch_to_kernel
+ emake modules
+ fi
+}
+
+src_install() {
+ einfo "Installing userspace"
+ default
+ prune_libtool_files
+
+ newinitd "${FILESDIR}"/ipset.initd-r3 ${PN}
+ newconfd "${FILESDIR}"/ipset.confd ${PN}
+ keepdir /var/lib/ipset
+
+ if [[ ${build_modules} -eq 1 ]]; then
+ einfo "Installing kernel modules"
+ linux-mod_src_install
+ fi
+}
diff --git a/net-firewall/ipset/ipset-6.21.1.ebuild b/net-firewall/ipset/ipset-6.21.1.ebuild
new file mode 100644
index 000000000000..9819b4b19433
--- /dev/null
+++ b/net-firewall/ipset/ipset-6.21.1.ebuild
@@ -0,0 +1,114 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="5"
+MODULES_OPTIONAL_USE=modules
+inherit autotools linux-info linux-mod
+
+DESCRIPTION="IPset tool for iptables, successor to ippool"
+HOMEPAGE="http://ipset.netfilter.org/"
+SRC_URI="http://ipset.netfilter.org/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~ppc ~x86"
+
+RDEPEND=">=net-firewall/iptables-1.4.7
+ net-libs/libmnl"
+DEPEND="${RDEPEND}"
+
+DOCS=( ChangeLog INSTALL README UPGRADE )
+
+# configurable from outside, e.g. /etc/make.conf
+IP_NF_SET_MAX=${IP_NF_SET_MAX:-256}
+
+BUILD_TARGETS="modules"
+MODULE_NAMES_ARG="kernel/net/netfilter/ipset/:${S}/kernel/net/netfilter/ipset"
+MODULE_NAMES="xt_set(kernel/net/netfilter/ipset/:${S}/kernel/net/netfilter/)"
+for i in ip_set{,_bitmap_{ip{,mac},port},_hash_{ip{,port{,ip,net}},net{,port{,net},iface,net}},_list_set}; do
+ MODULE_NAMES+=" ${i}(${MODULE_NAMES_ARG})"
+done
+
+check_header_patch() {
+ if ! $(grep -q NFNL_SUBSYS_IPSET "${KV_DIR}/include/linux/netfilter/nfnetlink.h"); then
+ eerror "Sorry, but you have to patch kernel sources with the following patch:"
+ eerror " # cd ${KV_DIR}"
+ eerror " # patch -i ${S}/netlink.patch -p1"
+ eerror "You should recompile and run new kernel to avoid runtime errors."
+ die "Unpatched kernel"
+ fi
+}
+
+pkg_setup() {
+ get_version
+ CONFIG_CHECK="NETFILTER"
+ ERROR_NETFILTER="ipset requires NETFILTER support in your kernel."
+ # It does still build without NET_NS, but it may be needed in future.
+ #CONFIG_CHECK="${CONFIG_CHECK} NET_NS"
+ #ERROR_NET_NS="ipset requires NET_NS (network namespace) support in your kernel."
+
+ build_modules=0
+ if use modules; then
+ kernel_is -lt 2 6 35 && die "${PN} requires kernel greater then 2.6.35."
+ if linux_config_src_exists && linux_chkconfig_builtin "MODULES" ; then
+ if linux_chkconfig_present "IP_NF_SET" || \
+ linux_chkconfig_present "IP_SET"; then #274577
+ eerror "There is IP{,_NF}_SET or NETFILTER_XT_SET support in your kernel."
+ eerror "Please either build ipset with modules USE flag disabled"
+ eerror "or rebuild kernel without IP_SET support and make sure"
+ eerror "there is NO kernel ip_set* modules in /lib/modules/<your_kernel>/... ."
+ die "USE=modules and in-kernel ipset support detected."
+ else
+ einfo "Modular kernel detected. Gonna build kernel modules..."
+ build_modules=1
+ fi
+ else
+ eerror "Nonmodular kernel detected, but USE=modules. Either build"
+ eerror "modular kernel (without IP_SET) or disable USE=modules"
+ die "Nonmodular kernel detected, will not build kernel modules"
+ fi
+ fi
+ [[ ${build_modules} -eq 1 ]] && linux-mod_pkg_setup
+}
+
+src_prepare() {
+ [[ ${build_modules} -eq 1 ]] && check_header_patch
+ eautoreconf
+}
+
+src_configure() {
+ econf \
+ $(use_with modules kmod) \
+ --disable-static \
+ --with-maxsets=${IP_NF_SET_MAX} \
+ --libdir="${EPREFIX}/$(get_libdir)" \
+ --with-ksource="${KV_DIR}" \
+ --with-kbuild="${KV_OUT_DIR}"
+}
+
+src_compile() {
+ einfo "Building userspace"
+ emake
+
+ if [[ ${build_modules} -eq 1 ]]; then
+ einfo "Building kernel modules"
+ set_arch_to_kernel
+ emake modules
+ fi
+}
+
+src_install() {
+ einfo "Installing userspace"
+ default
+ prune_libtool_files
+
+ newinitd "${FILESDIR}"/ipset.initd-r3 ${PN}
+ newconfd "${FILESDIR}"/ipset.confd ${PN}
+ keepdir /var/lib/ipset
+
+ if [[ ${build_modules} -eq 1 ]]; then
+ einfo "Installing kernel modules"
+ linux-mod_src_install
+ fi
+}
diff --git a/net-firewall/ipset/ipset-6.24.ebuild b/net-firewall/ipset/ipset-6.24.ebuild
new file mode 100644
index 000000000000..0db53d79e7b6
--- /dev/null
+++ b/net-firewall/ipset/ipset-6.24.ebuild
@@ -0,0 +1,103 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="5"
+MODULES_OPTIONAL_USE=modules
+inherit autotools linux-info linux-mod
+
+DESCRIPTION="IPset tool for iptables, successor to ippool"
+HOMEPAGE="http://ipset.netfilter.org/"
+SRC_URI="http://ipset.netfilter.org/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~ppc ~x86"
+
+RDEPEND=">=net-firewall/iptables-1.4.7
+ net-libs/libmnl"
+DEPEND="${RDEPEND}"
+
+DOCS=( ChangeLog INSTALL README UPGRADE )
+
+# configurable from outside, e.g. /etc/make.conf
+IP_NF_SET_MAX=${IP_NF_SET_MAX:-256}
+
+BUILD_TARGETS="modules"
+MODULE_NAMES_ARG="kernel/net/netfilter/ipset/:${S}/kernel/net/netfilter/ipset"
+MODULE_NAMES="xt_set(kernel/net/netfilter/ipset/:${S}/kernel/net/netfilter/)"
+for i in ip_set{,_bitmap_{ip{,mac},port},_hash_{ip{,port{,ip,net}},net{,port{,net},iface,net}},_list_set}; do
+ MODULE_NAMES+=" ${i}(${MODULE_NAMES_ARG})"
+done
+
+pkg_setup() {
+ get_version
+ CONFIG_CHECK="NETFILTER"
+ ERROR_NETFILTER="ipset requires NETFILTER support in your kernel."
+ # It does still build without NET_NS, but it may be needed in future.
+ #CONFIG_CHECK="${CONFIG_CHECK} NET_NS"
+ #ERROR_NET_NS="ipset requires NET_NS (network namespace) support in your kernel."
+
+ build_modules=0
+ if use modules; then
+ kernel_is -lt 2 6 35 && die "${PN} requires kernel greater then 2.6.35."
+ if linux_config_src_exists && linux_chkconfig_builtin "MODULES" ; then
+ if linux_chkconfig_present "IP_NF_SET" || \
+ linux_chkconfig_present "IP_SET"; then #274577
+ eerror "There is IP{,_NF}_SET or NETFILTER_XT_SET support in your kernel."
+ eerror "Please either build ipset with modules USE flag disabled"
+ eerror "or rebuild kernel without IP_SET support and make sure"
+ eerror "there is NO kernel ip_set* modules in /lib/modules/<your_kernel>/... ."
+ die "USE=modules and in-kernel ipset support detected."
+ else
+ einfo "Modular kernel detected. Gonna build kernel modules..."
+ build_modules=1
+ fi
+ else
+ eerror "Nonmodular kernel detected, but USE=modules. Either build"
+ eerror "modular kernel (without IP_SET) or disable USE=modules"
+ die "Nonmodular kernel detected, will not build kernel modules"
+ fi
+ fi
+ [[ ${build_modules} -eq 1 ]] && linux-mod_pkg_setup
+}
+
+#src_prepare() {
+# eautoreconf
+#}
+
+src_configure() {
+ econf \
+ $(use_with modules kmod) \
+ --disable-static \
+ --with-maxsets=${IP_NF_SET_MAX} \
+ --libdir="${EPREFIX}/$(get_libdir)" \
+ --with-ksource="${KV_DIR}" \
+ --with-kbuild="${KV_OUT_DIR}"
+}
+
+src_compile() {
+ einfo "Building userspace"
+ emake
+
+ if [[ ${build_modules} -eq 1 ]]; then
+ einfo "Building kernel modules"
+ set_arch_to_kernel
+ emake modules
+ fi
+}
+
+src_install() {
+ einfo "Installing userspace"
+ default
+ prune_libtool_files
+
+ newinitd "${FILESDIR}"/ipset.initd-r3 ${PN}
+ newconfd "${FILESDIR}"/ipset.confd ${PN}
+ keepdir /var/lib/ipset
+
+ if [[ ${build_modules} -eq 1 ]]; then
+ einfo "Installing kernel modules"
+ linux-mod_src_install
+ fi
+}
diff --git a/net-firewall/ipset/metadata.xml b/net-firewall/ipset/metadata.xml
new file mode 100644
index 000000000000..c6d862855eb5
--- /dev/null
+++ b/net-firewall/ipset/metadata.xml
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+<maintainer>
+ <email>robbat2@gentoo.org</email>
+</maintainer>
+</pkgmetadata>
diff --git a/net-firewall/ipt_netflow/Manifest b/net-firewall/ipt_netflow/Manifest
new file mode 100644
index 000000000000..c0b5d1d89a4f
--- /dev/null
+++ b/net-firewall/ipt_netflow/Manifest
@@ -0,0 +1 @@
+DIST ipt-netflow-2.1.tgz 87872 SHA256 1cc1ee518ecd6c7d8d792ea79c0f69d03ce450c10fefd37f053c43aac92e9931 SHA512 0055ebb1846077f94c1fbf701af8a07a432058c8e86e31c6f420d5c00c96b45012abdcdeef3c5b1ead7d20c7efd51ac65d000b6cb931d878f528f52de0ab9c21 WHIRLPOOL e46ffe69f58293cca0fc26c2ff13ee30e68e2a60a4b198c89fdb24ebc45a4376877285358d4e72019c811d70d0a77194dbc0d46f44c8076923fc626cfe2e7488
diff --git a/net-firewall/ipt_netflow/files/ipt_netflow-2.0-configure.patch b/net-firewall/ipt_netflow/files/ipt_netflow-2.0-configure.patch
new file mode 100644
index 000000000000..f6b3a005ba21
--- /dev/null
+++ b/net-firewall/ipt_netflow/files/ipt_netflow-2.0-configure.patch
@@ -0,0 +1,10 @@
+--- a/configure
++++ b/configure
+@@ -421,7 +421,6 @@
+ iptables_find_version #IPTVER
+ iptables_try_pkgconfig #try to configure from pkg-config
+ iptables_find_src #IPTSRC
+-iptables_src_version #check that IPTSRC match to IPTVER
+ iptables_inc #IPTINC
+ iptables_modules #IPTLIB
+
diff --git a/net-firewall/ipt_netflow/files/ipt_netflow-2.1-linux-3.19.patch b/net-firewall/ipt_netflow/files/ipt_netflow-2.1-linux-3.19.patch
new file mode 100644
index 000000000000..47fec4f73da8
--- /dev/null
+++ b/net-firewall/ipt_netflow/files/ipt_netflow-2.1-linux-3.19.patch
@@ -0,0 +1,45 @@
+commit 582fd497a5f0f5ae5dce24cba042d856d63bfbe1
+Author: ABC <abc@telekom.ru>
+Date: Mon Feb 16 21:53:54 2015 +0400
+
+ Compatibility of __get_cpu_var with linux 3.19.
+
+ Fixes #28, thanks boyarsh@github.
+
+diff --git a/ipt_NETFLOW.h b/ipt_NETFLOW.h
+index bc2734f..5548e57 100644
+--- a/ipt_NETFLOW.h
++++ b/ipt_NETFLOW.h
+@@ -396,6 +396,9 @@ struct netflow_aggr_p {
+ __u16 aggr_port;
+ };
+
++#ifndef __get_cpu_var
++#define __get_cpu_var(var) (*this_cpu_ptr(&(var)))
++#endif
+ #define NETFLOW_STAT_INC(count) (__get_cpu_var(ipt_netflow_stat).count++)
+ #define NETFLOW_STAT_ADD(count, val) (__get_cpu_var(ipt_netflow_stat).count += (unsigned long long)val)
+ #define NETFLOW_STAT_SET(count, val) (__get_cpu_var(ipt_netflow_stat).count = (unsigned long long)val)
+diff --git a/testing.sh b/testing.sh
+index b465c8d..caa4f03 100755
+--- a/testing.sh
++++ b/testing.sh
+@@ -6,7 +6,7 @@ if [ "$1" = "" ]; then
+ echo Maintainer only tool.
+ exit 1
+ elif [ "$1" = all ]; then
+- exec bash $0 linux-2.6.18 centos5 linux-3.11.2 centos6 linux-3.4.66 linux-3.9.11 centos7 linux-3.14 linux-3.17
++ exec bash $0 linux-2.6.18 centos5 linux-3.11.2 centos6 linux-3.4.66 linux-3.9.11 centos7 linux-3.14 linux-3.17 linux-3.19
+ exit 1
+ fi
+
+@@ -33,6 +33,9 @@ readarray -t opts <<EOF
+ --enable-sampler=hash
+ --enable-promisc
+ EOF
++if [ "$SHORT" ]; then
++ opts=("")
++fi
+
+ colorecho() {
+ echo -e "\033[1;32m$@\033[m"
diff --git a/net-firewall/ipt_netflow/ipt_netflow-2.1.ebuild b/net-firewall/ipt_netflow/ipt_netflow-2.1.ebuild
new file mode 100644
index 000000000000..af6bc1fbee93
--- /dev/null
+++ b/net-firewall/ipt_netflow/ipt_netflow-2.1.ebuild
@@ -0,0 +1,93 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+MY_PN="${PN/_/-}"
+MY_P="${MY_PN}-${PV}"
+inherit eutils linux-info linux-mod multilib toolchain-funcs
+
+DESCRIPTION="Netflow iptables module"
+HOMEPAGE="http://sourceforge.net/projects/ipt-netflow"
+SRC_URI="mirror://sourceforge/${MY_PN}/${MY_P}.tgz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="amd64 x86"
+
+IUSE="debug snmp"
+
+RDEPEND="
+ net-firewall/iptables
+ snmp? ( net-analyzer/net-snmp )
+"
+DEPEND="${RDEPEND}
+ virtual/linux-sources
+ virtual/pkgconfig
+"
+
+# set S before MODULE_NAMES
+S="${WORKDIR}/${MY_P}"
+
+BUILD_TARGETS="all"
+MODULE_NAMES="ipt_NETFLOW(ipt_netflow:${S})"
+
+IPT_LIB="/usr/$(get_libdir)/xtables"
+
+pkg_setup() {
+ local CONFIG_CHECK="~IP_NF_IPTABLES"
+ use debug && CONFIG_CHECK+=" ~DEBUG_FS"
+ linux-mod_pkg_setup
+}
+
+src_prepare() {
+ sed -i \
+ -e 's:make -C:$(MAKE) -C:g' \
+ -e 's:gcc -O2:$(CC) $(CFLAGS) $(LDFLAGS):' \
+ -e 's:gcc:$(CC) $(CFLAGS) $(LDFLAGS):' \
+ Makefile.in || die
+
+ # Checking for directory is enough
+ sed -i -e 's:-s /etc/snmp/snmpd.conf:-d /etc/snmp:' configure || die
+
+ # bug #455984
+ epatch "${FILESDIR}/${PN}-2.0-configure.patch"
+
+ # bug #552476
+ epatch "${FILESDIR}/${PN}-2.1-linux-3.19.patch"
+
+ epatch_user
+}
+
+do_conf() {
+ echo ./configure $*
+ ./configure $* ${EXTRA_ECONF} || die 'configure failed'
+}
+
+src_configure() {
+ local IPT_VERSION="$($(tc-getPKG_CONFIG) --modversion xtables)"
+ # this configure script is not based on autotools
+ # ipt-src need to be defined, see bug #455984
+ do_conf \
+ --disable-dkms \
+ --ipt-lib="${IPT_LIB}" \
+ --ipt-src="/usr/" \
+ --ipt-ver="${IPT_VERSION}" \
+ --kdir="${KV_DIR}" \
+ --kver="${KV_FULL}" \
+ $(use debug && echo '--enable-debugfs') \
+ $(use snmp && echo '--enable-snmp-rules' || echo '--disable-snmp-agent')
+}
+
+src_compile() {
+ emake ARCH="$(tc-arch-kernel)" CC="$(tc-getCC)" all
+}
+
+src_install() {
+ linux-mod_src_install
+ exeinto "${IPT_LIB}"
+ doexe libipt_NETFLOW.so
+ use snmp && emake DESTDIR="${D}" SNMPTGSO="/usr/$(get_libdir)/snmp/dlmod/snmp_NETFLOW.so" sinstall
+ doheader ipt_NETFLOW.h
+ dodoc README*
+}
diff --git a/net-firewall/ipt_netflow/metadata.xml b/net-firewall/ipt_netflow/metadata.xml
new file mode 100644
index 000000000000..e2cd4f38e85b
--- /dev/null
+++ b/net-firewall/ipt_netflow/metadata.xml
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+ <herd>netmon</herd>
+ <maintainer>
+ <email>pinkbyte@gentoo.org</email>
+ <name>Sergey Popov</name>
+ </maintainer>
+ <upstream>
+ <remote-id type="sourceforge">ipt-netflow</remote-id>
+ </upstream>
+</pkgmetadata>
diff --git a/net-firewall/iptables/Manifest b/net-firewall/iptables/Manifest
new file mode 100644
index 000000000000..285a257c0005
--- /dev/null
+++ b/net-firewall/iptables/Manifest
@@ -0,0 +1,15 @@
+DIST iptables-1.4.10.tar.bz2 478007 SHA256 7544e437d2222078b15e6cd063b521c6f1ec4dac49e6af9ba3bfece2a6a93445 SHA512 264a974cc303cf9b352ccdf50d3aa1491167cdf1d7919074925645cc94d7f5e40d315cff048d0fab48e31853dcdad64bd65b83ef6fdd05f9e896be4e3317cd1e WHIRLPOOL 4ca6629ed2f43f1393be5a24284147272ff208d27e8bc073ccadb80f27887f2ef2c477e08ab2f8f22414cd11ab6a33dc42071f2ee3168e15026a76a3270cbc2e
+DIST iptables-1.4.11.1.tar.bz2 486926 SHA256 170c294698ca573477b1b2a3815e1563bf9929d182efef6cf0331a6e955c9ade SHA512 432dff8d1bc2b65cd636bb7a8d9ace5402db134df6e5e15c11c2bf1684d513a0f3cf70af099875fbddb25a1ef8868716b4a80791d7475848dd9d7917752d451a WHIRLPOOL ace3dc5ed59f98faea78cce2f1e673cb9b9726360cb1fcaa6ff73b9c36ba2ece8b415f191f1c6862a85829bb857202571bb851132a503ffb272c078d87889cbf
+DIST iptables-1.4.12.1.tar.bz2 473418 SHA256 77e6581f21f15946a814fa311236e5f3f7c6593180f9d695cea06aa95e464aba SHA512 ca8960d6d11faaba293e62169a32f8821d9240907d7ca11741dfca78ce92e32d5e2625f99786f55fb08d27ff7643e2531cc741aa0867f45df61248264b8ffe18 WHIRLPOOL b737fb2704511066d052227f7fe73a1ce64f427c614e56a1a681a7dcc37bac214448f9821b416a35cbe7efdf5436c49d0202f6da77aa0ec60de724137d28abda
+DIST iptables-1.4.12.tar.bz2 487036 SHA256 3e07a0beb746b580fbcfb04b3842ef0bd94a2f281786552f586415b26a7e971c SHA512 e61652cee5b3e691643769ac16dd9674ad7e2d5684f9e3146200be91a6db5674cead4525a97e232644f966692bea9143eb3b0c64a2dc01a32bf34834d3a0b4de WHIRLPOOL c5f5b29387322b36cce9c59fd548bb582b7b9b11da2616f5ff14c4ddc5eec8bc500da3756593406f5a5a4ab5b43d0f0b9d44b028b270479e10d1d8f716e1d0a0
+DIST iptables-1.4.13.tar.bz2 502942 SHA256 321e2600fc4541a958e44cafd85a42864b0035404097e0f2e082d474029b9ded SHA512 598b05aa1446172c65b5103bdd02e29f8c8253eb3395e8cabc33e664e7d7afb4a842deea4f0faaac4645acd29a4fbfc0c0675c55f67e38c822ae28b549eab73c WHIRLPOOL 44df42d7fd66349c6bdef8cfa6d80571e7ec7d58a7092b188ef41a8431cd02394835177bdc4d31255b8a115f088daba269f6ecb9230b8d04df6e01151a926017
+DIST iptables-1.4.14.tar.bz2 507123 SHA256 9be675696f41cd4f35cc332b667d285fe9489ca93c8e1f77804bd04b3315a522 SHA512 3bf6db564359acafa738068980793129982318317bea69f21282d80f40dcb1e16938f8e2928e6cdcc4e77d89b2bc3f6c45aad7eb11ff84063b78e5f8e1907f9e WHIRLPOOL 16f630e38272b76c3d7eefa83869902b0f111d9ffba2eca6fe885759619dc81f1c9fc1bfe2f946adc99edfdfc5f4002a331e412a8fef674f63bfb760aa44e868
+DIST iptables-1.4.15.tar.bz2 514830 SHA256 867c144e60075e7bebe6fcecf0b65169d5e2d1fa5ceec2ebd9780cd5026123ea SHA512 2ef559f1079838b2aa8348e66248aac7bc7549be93014ddbdaf730fbad168a657e20e031dcfd9ffa62ed45a52dbefc3683783a5d9b929d539d07ba6ad6adcfa0 WHIRLPOOL 8a56ed3cffd572f2202f172a3b903283452b4fd9647b6123530a1cc489a150bc88e7eb1f911f896b655d1de37f26c0a5eadd383c06103a0f395a82e1bc321b89
+DIST iptables-1.4.16.2.tar.bz2 536755 SHA256 4468ce7e1d68349a8e30f26110eb7969dbfdbf497d6c53758883123b3f2d6f6e SHA512 1ec9d12cc069a8acb1a443e7325c2bb98f0216e0a454413424b49c90bd6f4f94832ed1187a8fc75bdc7d80aa4ca9f3534e15799c46cb17344886d7b4ad34e4c0 WHIRLPOOL b0c782f41bb7d0df794064b1f57853ec664ddf0f899ab4b1f8cf51df0f98594065b7e7e3a77ee398cbb4fcc03fe360e67cf679bf6f9f730263ad29be394e76e0
+DIST iptables-1.4.16.3.tar.bz2 536872 SHA256 643ccf34099d53d5b839e1d889c05627745a51ec122648e76a9fcec3a8a9ec79 SHA512 c232a927fe63623cc0d336b4a09d7baad2d0c5a2a5e3b7ad083727e9f17cd0b668a826a4c5ff0bbb45233fee6c38c153710b13f458514516af7cf7df10d720e2 WHIRLPOOL 2dadcdb39f7741cb7b3c493bc36792a6edbdd9ddaa0c862d2ec0a6fbb89eb82c55f04ae407ab641f425208b15ef6e689af10ce6c03368e40652367c39dead75f
+DIST iptables-1.4.17.tar.bz2 541137 SHA256 51e7a769469383b6ad308a6a19cdd2bd813cf4593e21a156a543a1cd70554925 SHA512 022f89cbf56408842bdeb1adbe05076addaad007599fdb662f32a1c134d743dade28c26842acc7545d2474903164be5fe3ec7fd1e276cd2c37bd3b33b8a30de1 WHIRLPOOL f2cb85d5f4080fce2c6673a58737ace3d55130f74c66207bc515d0c7b4ecd75bd7ac8540a862e8af133e740d34eee40833d72c9c3236c7ef4dc75cd43816ec41
+DIST iptables-1.4.18.tar.bz2 542308 SHA256 14a99fb8b0ca22027a9ac6eb72fa32c834ceb3073820e0ba79bf251c6a7bcf3c SHA512 fc62916bd90863c0868f70d711fd6716cbcb54402c32bdeebfd0cee05137fa3ff1a137f0a4b5b31ee0bb6492e23e60e7025d51914b26c0e0b233181cbb1cb1b5 WHIRLPOOL 5d89e0f8d2dfad0f25a369f936f86386c799b2c475cef9fb13fb3c8cb9fcb201361c7d134a24f68099b2b5468c97476e1982bc116fa6448a07d776c724fddbd3
+DIST iptables-1.4.19.1.tar.bz2 543785 SHA256 dd51d3b942758a462afc7c8495930d25c93058e5319303247375183ad50164d2 SHA512 a3232ae92b997f67b5895c110f2cb8ec3aecbc383e804a870351c61e49cd83c1d7bf750818768f5560d615090157a17cc5c4ef101bc104905915de67fa022088 WHIRLPOOL 99ec72c45eb5a5721e4228b3ae79ffa2d1a67db362a9c67a09190c8bed54f023e6550b300b41d0d119c518d234559d7bc1182313b26460a2d224768d1f7955b3
+DIST iptables-1.4.20.tar.bz2 546864 SHA256 109b8c7ca90b4536bc5de869ae705f6d5efcc0c08ef3003755aad3ed6d2d49ad SHA512 6c8e1d89db66c0cfd76afd7fa7de8a7d451337f6f15f01d811585714f6d488275621ca9a1f4967a2ae99e90f3890cf0e3c7f7a9a3a98fda902b0a56717d7ffe0 WHIRLPOOL 8146d632ec00c663988d4e82e3adfa8b9fa2df269df2e6cc359dae65727e59f4ef614540eb4f970d020eac558d7423731a88246f9df1265718346ca62e59a8e7
+DIST iptables-1.4.21.tar.bz2 547439 SHA256 52004c68021da9a599feed27f65defcfb22128f7da2c0531c0f75de0f479d3e0 SHA512 dd4baccdb080284d8620e6ed59beafc2677813f3e099051764b07f8e394f6d94ca11861b181f3cce7c55c66de64c1e2add13dc1a0b64e24050cd9fb7aea0689b WHIRLPOOL 475541d1b2b7fe4ee8fa3b537274ef082aab8bfd262201ee14cd53577dfac6f591445cc6d64ed93b226a4b71d54ae1b9ab4cbb378b5440861a585f770f0db200
+DIST iptables-1.4.6.tar.bz2 463758 SHA256 6e732798cad62163d6e033aa52e22b771246556a230c0f66cd33fe69e96d72a4 SHA512 0ec1314462a154b5892093b17b997f130760b2ada4fb2b7cdc0f6cb7bb9da9ddaf77400c3fcbe57c4db1400adaec37d38f9debe37f7ed33dabbbe3b58c13e942 WHIRLPOOL 39e1f0f3f46350c81d2fe219b5d40174f4a390180f71ac8c896a634aa29abe98da665c8e93d373465dad351a9604d6c5e36c0f99f7256b85ffbc3615cefa28ae
diff --git a/net-firewall/iptables/files/ip6tables-1.3.2.confd b/net-firewall/iptables/files/ip6tables-1.3.2.confd
new file mode 100644
index 000000000000..93c0bc89b38a
--- /dev/null
+++ b/net-firewall/iptables/files/ip6tables-1.3.2.confd
@@ -0,0 +1,11 @@
+# /etc/conf.d/ip6tables
+
+# Location in which iptables initscript will save set rules on
+# service shutdown
+IP6TABLES_SAVE="/var/lib/ip6tables/rules-save"
+
+# Options to pass to iptables-save and iptables-restore
+SAVE_RESTORE_OPTIONS="-c"
+
+# Save state on stopping iptables
+SAVE_ON_STOP="yes"
diff --git a/net-firewall/iptables/files/ip6tables-1.4.13.confd b/net-firewall/iptables/files/ip6tables-1.4.13.confd
new file mode 100644
index 000000000000..3bb36989d37e
--- /dev/null
+++ b/net-firewall/iptables/files/ip6tables-1.4.13.confd
@@ -0,0 +1,19 @@
+# /etc/conf.d/ip6tables
+
+# Location in which iptables initscript will save set rules on
+# service shutdown
+IP6TABLES_SAVE="/var/lib/ip6tables/rules-save"
+
+# Options to pass to iptables-save and iptables-restore
+SAVE_RESTORE_OPTIONS="-c"
+
+# Save state on stopping iptables
+SAVE_ON_STOP="yes"
+
+# If you need to log iptables messages as soon as iptables starts,
+# AND your logger does NOT depend on the network, then you may wish
+# to uncomment the next line.
+# If your logger depends on the network, and you uncomment this line
+# you will create an unresolvable circular dependency during startup.
+# After commenting or uncommenting this line, you must run 'rc-update -u'.
+#rc_use="logger"
diff --git a/net-firewall/iptables/files/iptables-1.3.2.confd b/net-firewall/iptables/files/iptables-1.3.2.confd
new file mode 100644
index 000000000000..91287debdbcf
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-1.3.2.confd
@@ -0,0 +1,11 @@
+# /etc/conf.d/iptables
+
+# Location in which iptables initscript will save set rules on
+# service shutdown
+IPTABLES_SAVE="/var/lib/iptables/rules-save"
+
+# Options to pass to iptables-save and iptables-restore
+SAVE_RESTORE_OPTIONS="-c"
+
+# Save state on stopping iptables
+SAVE_ON_STOP="yes"
diff --git a/net-firewall/iptables/files/iptables-1.3.2.init b/net-firewall/iptables/files/iptables-1.3.2.init
new file mode 100755
index 000000000000..907a39e7479a
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-1.3.2.init
@@ -0,0 +1,115 @@
+#!/sbin/runscript
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+extra_commands="save panic"
+extra_started_commands="reload"
+
+iptables_name=${SVCNAME}
+if [ "${iptables_name}" != "iptables" -a "${iptables_name}" != "ip6tables" ] ; then
+ iptables_name="iptables"
+fi
+
+iptables_bin="/sbin/${iptables_name}"
+case ${iptables_name} in
+ iptables) iptables_proc="/proc/net/ip_tables_names"
+ iptables_save=${IPTABLES_SAVE};;
+ ip6tables) iptables_proc="/proc/net/ip6_tables_names"
+ iptables_save=${IP6TABLES_SAVE};;
+esac
+
+depend() {
+ before net
+ use logger
+}
+
+set_table_policy() {
+ local chains table=$1 policy=$2
+ case ${table} in
+ nat) chains="PREROUTING POSTROUTING OUTPUT";;
+ mangle) chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING";;
+ filter) chains="INPUT FORWARD OUTPUT";;
+ *) chains="";;
+ esac
+ local chain
+ for chain in ${chains} ; do
+ ${iptables_bin} -t ${table} -P ${chain} ${policy}
+ done
+}
+
+checkkernel() {
+ if [ ! -e ${iptables_proc} ] ; then
+ eerror "Your kernel lacks ${iptables_name} support, please load"
+ eerror "appropriate modules and try again."
+ return 1
+ fi
+ return 0
+}
+checkconfig() {
+ if [ ! -f ${iptables_save} ] ; then
+ eerror "Not starting ${iptables_name}. First create some rules then run:"
+ eerror "/etc/init.d/${iptables_name} save"
+ return 1
+ fi
+ return 0
+}
+
+start() {
+ checkconfig || return 1
+ ebegin "Loading ${iptables_name} state and starting firewall"
+ ${iptables_bin}-restore ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
+ eend $?
+}
+
+stop() {
+ if [ "${SAVE_ON_STOP}" = "yes" ] ; then
+ save || return 1
+ fi
+ checkkernel || return 1
+ ebegin "Stopping firewall"
+ local a
+ for a in $(cat ${iptables_proc}) ; do
+ set_table_policy $a ACCEPT
+
+ ${iptables_bin} -F -t $a
+ ${iptables_bin} -X -t $a
+ done
+ eend $?
+}
+
+reload() {
+ checkkernel || return 1
+ ebegin "Flushing firewall"
+ local a
+ for a in $(cat ${iptables_proc}) ; do
+ ${iptables_bin} -F -t $a
+ ${iptables_bin} -X -t $a
+ done
+ eend $?
+
+ start
+}
+
+save() {
+ ebegin "Saving ${iptables_name} state"
+ touch "${iptables_save}"
+ chmod 0600 "${iptables_save}"
+ ${iptables_bin}-save ${SAVE_RESTORE_OPTIONS} > "${iptables_save}"
+ eend $?
+}
+
+panic() {
+ checkkernel || return 1
+ service_started ${iptables_name} && svc_stop
+
+ local a
+ ebegin "Dropping all packets"
+ for a in $(cat ${iptables_proc}) ; do
+ ${iptables_bin} -F -t $a
+ ${iptables_bin} -X -t $a
+
+ set_table_policy $a DROP
+ done
+ eend $?
+}
diff --git a/net-firewall/iptables/files/iptables-1.4.11.1-man-fixes.patch b/net-firewall/iptables/files/iptables-1.4.11.1-man-fixes.patch
new file mode 100644
index 000000000000..d83a7059f37b
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-1.4.11.1-man-fixes.patch
@@ -0,0 +1,17 @@
+diff --git a/iptables/Makefile.am b/iptables/Makefile.am
+index 13cca9c..a068278 100644
+--- a/iptables/Makefile.am
++++ b/iptables/Makefile.am
+@@ -51,10 +51,10 @@ v6_sbin_links = ip6tables ip6tables-restore ip6tables-save
+ endif
+
+ iptables.8: ${srcdir}/iptables.8.in ../extensions/matches4.man ../extensions/targets4.man
+- ${AM_VERBOSE_GEN} sed -e 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' -e '/@MATCH@/ r extensions/matches4.man' -e '/@TARGET@/ r extensions/targets4.man' $< >$@;
++ ${AM_VERBOSE_GEN} sed -e 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' -e '/@MATCH@/ r ../extensions/matches4.man' -e '/@TARGET@/ r ../extensions/targets4.man' $< >$@;
+
+ ip6tables.8: ${srcdir}/ip6tables.8.in ../extensions/matches6.man ../extensions/targets6.man
+- ${AM_VERBOSE_GEN} sed -e 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' -e '/@MATCH@/ r extensions/matches6.man' -e '/@TARGET@/ r extensions/targets6.man' $< >$@;
++ ${AM_VERBOSE_GEN} sed -e 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' -e '/@MATCH@/ r ../extensions/matches6.man' -e '/@TARGET@/ r ../extensions/targets6.man' $< >$@;
+
+ pkgconfig_DATA = xtables.pc
+
diff --git a/net-firewall/iptables/files/iptables-1.4.11.init b/net-firewall/iptables/files/iptables-1.4.11.init
new file mode 100644
index 000000000000..6b2b88c5dbed
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-1.4.11.init
@@ -0,0 +1,117 @@
+#!/sbin/runscript
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+extra_commands="save panic"
+extra_started_commands="reload"
+
+iptables_name=${SVCNAME}
+if [ "${iptables_name}" != "iptables" -a "${iptables_name}" != "ip6tables" ] ; then
+ iptables_name="iptables"
+fi
+
+iptables_bin="/sbin/${iptables_name}"
+case ${iptables_name} in
+ iptables) iptables_proc="/proc/net/ip_tables_names"
+ iptables_save=${IPTABLES_SAVE};;
+ ip6tables) iptables_proc="/proc/net/ip6_tables_names"
+ iptables_save=${IP6TABLES_SAVE};;
+esac
+
+depend() {
+ before net
+ use logger
+}
+
+set_table_policy() {
+ local chains table=$1 policy=$2
+ case ${table} in
+ nat) chains="PREROUTING POSTROUTING OUTPUT";;
+ mangle) chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING";;
+ filter) chains="INPUT FORWARD OUTPUT";;
+ *) chains="";;
+ esac
+ local chain
+ for chain in ${chains} ; do
+ ${iptables_bin} -t ${table} -P ${chain} ${policy}
+ done
+}
+
+checkkernel() {
+ if [ ! -e ${iptables_proc} ] ; then
+ eerror "Your kernel lacks ${iptables_name} support, please load"
+ eerror "appropriate modules and try again."
+ return 1
+ fi
+ return 0
+}
+checkconfig() {
+ if [ ! -f ${iptables_save} ] ; then
+ eerror "Not starting ${iptables_name}. First create some rules then run:"
+ eerror "/etc/init.d/${iptables_name} save"
+ return 1
+ fi
+ return 0
+}
+
+start() {
+ checkconfig || return 1
+ ebegin "Loading ${iptables_name} state and starting firewall"
+ ${iptables_bin}-restore ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
+ eend $?
+}
+
+stop() {
+ if [ "${SAVE_ON_STOP}" = "yes" ] ; then
+ save || return 1
+ fi
+ checkkernel || return 1
+ ebegin "Stopping firewall"
+ local a
+ for a in $(cat ${iptables_proc}) ; do
+ set_table_policy $a ACCEPT
+
+ ${iptables_bin} -F -t $a
+ ${iptables_bin} -X -t $a
+ done
+ eend $?
+}
+
+reload() {
+ checkkernel || return 1
+ ebegin "Flushing firewall"
+ local a
+ for a in $(cat ${iptables_proc}) ; do
+ ${iptables_bin} -F -t $a
+ ${iptables_bin} -X -t $a
+ done
+ eend $?
+
+ start
+}
+
+save() {
+ ebegin "Saving ${iptables_name} state"
+ touch "${iptables_save}"
+ chmod 0600 "${iptables_save}"
+ ${iptables_bin}-save ${SAVE_RESTORE_OPTIONS} > "${iptables_save}"
+ eend $?
+}
+
+panic() {
+ checkkernel || return 1
+ if service_started ${iptables_name}; then
+ rc-service ${iptables_name} stop
+ fi
+
+ local a
+ ebegin "Dropping all packets"
+ for a in $(cat ${iptables_proc}) ; do
+ ${iptables_bin} -F -t $a
+ ${iptables_bin} -X -t $a
+
+ set_table_policy $a DROP
+ done
+ eend $?
+}
diff --git a/net-firewall/iptables/files/iptables-1.4.12.1-conntrack-v2-ranges.patch b/net-firewall/iptables/files/iptables-1.4.12.1-conntrack-v2-ranges.patch
new file mode 100644
index 000000000000..9bbcc67cb6a5
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-1.4.12.1-conntrack-v2-ranges.patch
@@ -0,0 +1,48 @@
+commit 3412bd0bfb8b8bac9834cbfd3392b3d5487133bf
+Author: Tom Eastep <teastep@shorewall.net>
+Date: Thu Aug 18 15:11:16 2011 -0700
+
+ libxt_conntrack: improve error message on parsing violation
+
+ Tom Eastep noted:
+
+ $ iptables -A foo -m conntrack --ctorigdstport 22
+ iptables v1.4.12: conntrack rev 2 does not support port ranges
+ Try `iptables -h' or 'iptables --help' for more information.
+
+ Commit v1.4.12-41-g1ad6407 takes care of the actual cause of the bug,
+ but let's include Tom's patch nevertheless for the better error
+ message in case one actually does specify a range with rev 2.
+
+ References: http://marc.info/?l=netfilter-devel&m=131370592105298&w=2
+ Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
+
+diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c
+index 060b947..fff69f8 100644
+--- a/extensions/libxt_conntrack.c
++++ b/extensions/libxt_conntrack.c
+@@ -129,13 +129,20 @@ static const struct xt_option_entry conntrack2_mt_opts[] = {
+ .flags = XTOPT_INVERT},
+ {.name = "ctexpire", .id = O_CTEXPIRE, .type = XTTYPE_UINT32RC,
+ .flags = XTOPT_INVERT},
+- {.name = "ctorigsrcport", .id = O_CTORIGSRCPORT, .type = XTTYPE_PORT,
++ /*
++ * Rev 1 and 2 only store one port, and we would normally use
++ * %XTTYPE_PORT (rather than %XTTYPE_PORTRC) for that. The resulting
++ * error message - in case a user passed a range nevertheless -
++ * "port 22:23 resolved to nothing" is not quite as useful as using
++ * %XTTYPE_PORTC and libxt_conntrack's own range test.
++ */
++ {.name = "ctorigsrcport", .id = O_CTORIGSRCPORT, .type = XTTYPE_PORTRC,
+ .flags = XTOPT_INVERT | XTOPT_NBO},
+- {.name = "ctorigdstport", .id = O_CTORIGDSTPORT, .type = XTTYPE_PORT,
++ {.name = "ctorigdstport", .id = O_CTORIGDSTPORT, .type = XTTYPE_PORTRC,
+ .flags = XTOPT_INVERT | XTOPT_NBO},
+- {.name = "ctreplsrcport", .id = O_CTREPLSRCPORT, .type = XTTYPE_PORT,
++ {.name = "ctreplsrcport", .id = O_CTREPLSRCPORT, .type = XTTYPE_PORTRC,
+ .flags = XTOPT_INVERT | XTOPT_NBO},
+- {.name = "ctrepldstport", .id = O_CTREPLDSTPORT, .type = XTTYPE_PORT,
++ {.name = "ctrepldstport", .id = O_CTREPLDSTPORT, .type = XTTYPE_PORTRC,
+ .flags = XTOPT_INVERT | XTOPT_NBO},
+ {.name = "ctdir", .id = O_CTDIR, .type = XTTYPE_STRING},
+ XTOPT_TABLEEND,
diff --git a/net-firewall/iptables/files/iptables-1.4.12.1-lm.patch b/net-firewall/iptables/files/iptables-1.4.12.1-lm.patch
new file mode 100644
index 000000000000..4d9e1d8ed4dd
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-1.4.12.1-lm.patch
@@ -0,0 +1,61 @@
+parent 2ca6273c73b42e8c74afd5f8b1fe10c5c93ce363 (v1.4.12-43-g2ca6273)
+commit d4e72dc1c684c2f8361d87e6bde2902cd2ee8efb
+Author: Jan Engelhardt <jengelh@medozas.de>
+Date: Sat Sep 3 13:34:40 2011 +0200
+
+libxt_statistic: link with -lm
+
+$ ldd -r libxt_statistic.so
+undefined symbol: lround (./libxt_statistic.so)
+
+References: https://bugs.archlinux.org/task/25358
+Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
+---
+ extensions/GNUmakefile.in | 5 ++++-
+ iptables/Makefile.am | 9 +++++++--
+ 2 files changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
+index 2b48d84..dbf210c 100644
+--- a/extensions/GNUmakefile.in
++++ b/extensions/GNUmakefile.in
+@@ -90,11 +90,14 @@ init%.o: init%.c
+ # Shared libraries
+ #
+ lib%.so: lib%.oo
+- ${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $<;
++ ${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $< ${$*_LIBADD};
+
+ lib%.oo: ${srcdir}/lib%.c
+ ${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=lib$*_init -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
+
++# Need the LIBADDs in iptables/Makefile.am too for libxtables_la_LIBADD
++xt_statistic_LIBADD = -lm
++
+
+ #
+ # Static bits
+diff --git a/iptables/Makefile.am b/iptables/Makefile.am
+index addb159..f6db32d 100644
+--- a/iptables/Makefile.am
++++ b/iptables/Makefile.am
+@@ -6,12 +6,17 @@ AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include -I${top_srcdir}
+ lib_LTLIBRARIES = libxtables.la
+ libxtables_la_SOURCES = xtables.c xtoptions.c
+ libxtables_la_LDFLAGS = -version-info ${libxtables_vcurrent}:0:${libxtables_vage}
++libxtables_la_LIBADD =
++if ENABLE_STATIC
++# With --enable-static, shipped extensions are linked into the main executable,
++# so we need all the LIBADDs here too
++libxtables_la_LIBADD += -lm
++endif
+ if ENABLE_SHARED
+ libxtables_la_CFLAGS = ${AM_CFLAGS}
+-libxtables_la_LIBADD = -ldl
++libxtables_la_LIBADD += -ldl
+ else
+ libxtables_la_CFLAGS = ${AM_CFLAGS} -DNO_SHARED_LIBS=1
+-libxtables_la_LIBADD =
+ endif
+
+ xtables_multi_SOURCES = xtables-multi.c iptables-xml.c
diff --git a/net-firewall/iptables/files/iptables-1.4.13-r1.init b/net-firewall/iptables/files/iptables-1.4.13-r1.init
new file mode 100644
index 000000000000..440e840c41a8
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-1.4.13-r1.init
@@ -0,0 +1,130 @@
+#!/sbin/runscript
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+extra_commands="check save panic"
+extra_started_commands="reload"
+
+iptables_name=${SVCNAME}
+case ${iptables_name} in
+iptables|ip6tables) ;;
+*) iptables_name="iptables" ;;
+esac
+
+iptables_bin="/sbin/${iptables_name}"
+case ${iptables_name} in
+ iptables) iptables_proc="/proc/net/ip_tables_names"
+ iptables_save=${IPTABLES_SAVE};;
+ ip6tables) iptables_proc="/proc/net/ip6_tables_names"
+ iptables_save=${IP6TABLES_SAVE};;
+esac
+
+depend() {
+ need localmount #434774
+ before net
+}
+
+set_table_policy() {
+ local chains table=$1 policy=$2
+ case ${table} in
+ nat) chains="PREROUTING POSTROUTING OUTPUT";;
+ mangle) chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING";;
+ filter) chains="INPUT FORWARD OUTPUT";;
+ *) chains="";;
+ esac
+ local chain
+ for chain in ${chains} ; do
+ ${iptables_bin} -t ${table} -P ${chain} ${policy}
+ done
+}
+
+checkkernel() {
+ if [ ! -e ${iptables_proc} ] ; then
+ eerror "Your kernel lacks ${iptables_name} support, please load"
+ eerror "appropriate modules and try again."
+ return 1
+ fi
+ return 0
+}
+checkconfig() {
+ if [ ! -f ${iptables_save} ] ; then
+ eerror "Not starting ${iptables_name}. First create some rules then run:"
+ eerror "/etc/init.d/${iptables_name} save"
+ return 1
+ fi
+ return 0
+}
+
+start() {
+ checkconfig || return 1
+ ebegin "Loading ${iptables_name} state and starting firewall"
+ ${iptables_bin}-restore ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
+ eend $?
+}
+
+stop() {
+ if [ "${SAVE_ON_STOP}" = "yes" ] ; then
+ save || return 1
+ fi
+ checkkernel || return 1
+ ebegin "Stopping firewall"
+ local a
+ for a in $(cat ${iptables_proc}) ; do
+ set_table_policy $a ACCEPT
+
+ ${iptables_bin} -F -t $a
+ ${iptables_bin} -X -t $a
+ done
+ eend $?
+}
+
+reload() {
+ checkkernel || return 1
+ checkrules || return 1
+ ebegin "Flushing firewall"
+ local a
+ for a in $(cat ${iptables_proc}) ; do
+ ${iptables_bin} -F -t $a
+ ${iptables_bin} -X -t $a
+ done
+ eend $?
+
+ start
+}
+
+checkrules() {
+ ebegin "Checking rules"
+ ${iptables_bin}-restore --test ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
+ eend $?
+}
+
+check() {
+ # Short name for users of init.d script.
+ checkrules
+}
+
+save() {
+ ebegin "Saving ${iptables_name} state"
+ checkpath -q -d "$(dirname "${iptables_save}")"
+ checkpath -q -m 0600 -f "${iptables_save}"
+ ${iptables_bin}-save ${SAVE_RESTORE_OPTIONS} > "${iptables_save}"
+ eend $?
+}
+
+panic() {
+ checkkernel || return 1
+ if service_started ${iptables_name}; then
+ rc-service ${iptables_name} stop
+ fi
+
+ local a
+ ebegin "Dropping all packets"
+ for a in $(cat ${iptables_proc}) ; do
+ ${iptables_bin} -F -t $a
+ ${iptables_bin} -X -t $a
+
+ set_table_policy $a DROP
+ done
+ eend $?
+}
diff --git a/net-firewall/iptables/files/iptables-1.4.13.confd b/net-firewall/iptables/files/iptables-1.4.13.confd
new file mode 100644
index 000000000000..7225374c3a8a
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-1.4.13.confd
@@ -0,0 +1,19 @@
+# /etc/conf.d/iptables
+
+# Location in which iptables initscript will save set rules on
+# service shutdown
+IPTABLES_SAVE="/var/lib/iptables/rules-save"
+
+# Options to pass to iptables-save and iptables-restore
+SAVE_RESTORE_OPTIONS="-c"
+
+# Save state on stopping iptables
+SAVE_ON_STOP="yes"
+
+# If you need to log iptables messages as soon as iptables starts,
+# AND your logger does NOT depend on the network, then you may wish
+# to uncomment the next line.
+# If your logger depends on the network, and you uncomment this line
+# you will create an unresolvable circular dependency during startup.
+# After commenting or uncommenting this line, you must run 'rc-update -u'.
+#rc_use="logger"
diff --git a/net-firewall/iptables/files/iptables-1.4.13.init b/net-firewall/iptables/files/iptables-1.4.13.init
new file mode 100644
index 000000000000..a45c6d1a9918
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-1.4.13.init
@@ -0,0 +1,116 @@
+#!/sbin/runscript
+# Copyright 1999-2012 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+extra_commands="save panic"
+extra_started_commands="reload"
+
+iptables_name=${SVCNAME}
+if [ "${iptables_name}" != "iptables" -a "${iptables_name}" != "ip6tables" ] ; then
+ iptables_name="iptables"
+fi
+
+iptables_bin="/sbin/${iptables_name}"
+case ${iptables_name} in
+ iptables) iptables_proc="/proc/net/ip_tables_names"
+ iptables_save=${IPTABLES_SAVE};;
+ ip6tables) iptables_proc="/proc/net/ip6_tables_names"
+ iptables_save=${IP6TABLES_SAVE};;
+esac
+
+depend() {
+ before net
+}
+
+set_table_policy() {
+ local chains table=$1 policy=$2
+ case ${table} in
+ nat) chains="PREROUTING POSTROUTING OUTPUT";;
+ mangle) chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING";;
+ filter) chains="INPUT FORWARD OUTPUT";;
+ *) chains="";;
+ esac
+ local chain
+ for chain in ${chains} ; do
+ ${iptables_bin} -t ${table} -P ${chain} ${policy}
+ done
+}
+
+checkkernel() {
+ if [ ! -e ${iptables_proc} ] ; then
+ eerror "Your kernel lacks ${iptables_name} support, please load"
+ eerror "appropriate modules and try again."
+ return 1
+ fi
+ return 0
+}
+checkconfig() {
+ if [ ! -f ${iptables_save} ] ; then
+ eerror "Not starting ${iptables_name}. First create some rules then run:"
+ eerror "/etc/init.d/${iptables_name} save"
+ return 1
+ fi
+ return 0
+}
+
+start() {
+ checkconfig || return 1
+ ebegin "Loading ${iptables_name} state and starting firewall"
+ ${iptables_bin}-restore ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
+ eend $?
+}
+
+stop() {
+ if [ "${SAVE_ON_STOP}" = "yes" ] ; then
+ save || return 1
+ fi
+ checkkernel || return 1
+ ebegin "Stopping firewall"
+ local a
+ for a in $(cat ${iptables_proc}) ; do
+ set_table_policy $a ACCEPT
+
+ ${iptables_bin} -F -t $a
+ ${iptables_bin} -X -t $a
+ done
+ eend $?
+}
+
+reload() {
+ checkkernel || return 1
+ ebegin "Flushing firewall"
+ local a
+ for a in $(cat ${iptables_proc}) ; do
+ ${iptables_bin} -F -t $a
+ ${iptables_bin} -X -t $a
+ done
+ eend $?
+
+ start
+}
+
+save() {
+ ebegin "Saving ${iptables_name} state"
+ touch "${iptables_save}"
+ chmod 0600 "${iptables_save}"
+ ${iptables_bin}-save ${SAVE_RESTORE_OPTIONS} > "${iptables_save}"
+ eend $?
+}
+
+panic() {
+ checkkernel || return 1
+ if service_started ${iptables_name}; then
+ rc-service ${iptables_name} stop
+ fi
+
+ local a
+ ebegin "Dropping all packets"
+ for a in $(cat ${iptables_proc}) ; do
+ ${iptables_bin} -F -t $a
+ ${iptables_bin} -X -t $a
+
+ set_table_policy $a DROP
+ done
+ eend $?
+}
diff --git a/net-firewall/iptables/files/iptables-1.4.16.2-static.patch b/net-firewall/iptables/files/iptables-1.4.16.2-static.patch
new file mode 100644
index 000000000000..a5d6fe71f670
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-1.4.16.2-static.patch
@@ -0,0 +1,55 @@
+https://bugs.gentoo.org/437712
+
+From 269655d54e22f3a36250bb2c4639dddd102258c6 Mon Sep 17 00:00:00 2001
+From: Jan Engelhardt <jengelh@inai.de>
+Date: Mon, 8 Oct 2012 12:04:56 +0000
+Subject: [PATCH] build: remove symlink-only extensions from static object
+ list
+
+$ ./configure --enable-static --disable-shared --enable-ipv4
+ --enable-ipv6 && make
+[...]
+make[3]: *** No rule to make target "libxt_NOTRACK.o", needed by
+"libext.a". Stop.
+
+Signed-off-by: Jan Engelhardt <jengelh@inai.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ extensions/GNUmakefile.in | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
+index 8b38df9..1cef239 100644
+--- a/extensions/GNUmakefile.in
++++ b/extensions/GNUmakefile.in
+@@ -39,7 +39,7 @@ endif
+ # Wildcard module list
+ #
+ pfx_build_mod := $(patsubst ${srcdir}/libxt_%.c,%,$(sort $(wildcard ${srcdir}/libxt_*.c)))
+-pfx_build_mod += NOTRACK state
++pfx_symlinks := NOTRACK state
+ @ENABLE_IPV4_TRUE@ pf4_build_mod := $(patsubst ${srcdir}/libipt_%.c,%,$(sort $(wildcard ${srcdir}/libipt_*.c)))
+ @ENABLE_IPV6_TRUE@ pf6_build_mod := $(patsubst ${srcdir}/libip6t_%.c,%,$(sort $(wildcard ${srcdir}/libip6t_*.c)))
+ pfx_build_mod := $(filter-out @blacklist_modules@,${pfx_build_mod})
+@@ -48,7 +48,7 @@ pf6_build_mod := $(filter-out @blacklist_modules@,${pf6_build_mod})
+ pfx_objs := $(patsubst %,libxt_%.o,${pfx_build_mod})
+ pf4_objs := $(patsubst %,libipt_%.o,${pf4_build_mod})
+ pf6_objs := $(patsubst %,libip6t_%.o,${pf6_build_mod})
+-pfx_solibs := $(patsubst %,libxt_%.so,${pfx_build_mod})
++pfx_solibs := $(patsubst %,libxt_%.so,${pfx_build_mod} ${pfx_symlinks})
+ pf4_solibs := $(patsubst %,libipt_%.so,${pf4_build_mod})
+ pf6_solibs := $(patsubst %,libip6t_%.so,${pf6_build_mod})
+
+@@ -220,7 +220,7 @@ man_run = \
+ done >$@;
+
+ matches.man: .initext.dd .initext4.dd .initext6.dd $(wildcard ${srcdir}/lib*.man)
+- $(call man_run,$(call ex_matches,${pfx_build_mod} ${pf4_build_mod} ${pf6_build_mod}))
++ $(call man_run,$(call ex_matches,${pfx_build_mod} ${pf4_build_mod} ${pf6_build_mod} ${pfx_symlinks}))
+
+ targets.man: .initext.dd .initext4.dd .initext6.dd $(wildcard ${srcdir}/lib*.man)
+- $(call man_run,$(call ex_targets,${pfx_build_mod} ${pf4_build_mod} ${pf6_build_mod}))
++ $(call man_run,$(call ex_targets,${pfx_build_mod} ${pf4_build_mod} ${pf6_build_mod} ${pfx_symlinks}))
+--
+1.7.12
+
diff --git a/net-firewall/iptables/files/iptables-1.4.17-libip6tc.patch b/net-firewall/iptables/files/iptables-1.4.17-libip6tc.patch
new file mode 100644
index 000000000000..5212dd253aa8
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-1.4.17-libip6tc.patch
@@ -0,0 +1,32 @@
+From d42bc7c100de69396a527e90736198f8e4e3000b Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier@gentoo.org>
+Date: Sun, 30 Dec 2012 18:06:15 -0500
+Subject: [PATCH] extensions: fix linking against -lip6tc
+
+The current build forgets to specify a path to find libip6tc which means
+it either fails (if there is no libip6tc in the system), or links against
+an old version (if there is one in the system).
+
+References: https://bugs.gentoo.org/449262
+Reported-by: Mike Gilbert <floppym@gentoo.org>
+Signed-off-by: Mike Frysinger <vapier@gentoo.org>
+---
+ extensions/GNUmakefile.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
+index e71e3ff..a605474 100644
+--- a/extensions/GNUmakefile.in
++++ b/extensions/GNUmakefile.in
+@@ -101,7 +101,7 @@ libxt_state.so: libxt_conntrack.so
+ ln -fs $< $@
+
+ # Need the LIBADDs in iptables/Makefile.am too for libxtables_la_LIBADD
+-ip6t_NETMAP_LIBADD = -lip6tc
++ip6t_NETMAP_LIBADD = -L../libiptc/.libs -lip6tc
+ xt_RATEEST_LIBADD = -lm
+ xt_statistic_LIBADD = -lm
+
+--
+1.8.0
+
diff --git a/net-firewall/iptables/files/iptables-1.4.18-extensions-link.patch b/net-firewall/iptables/files/iptables-1.4.18-extensions-link.patch
new file mode 100644
index 000000000000..33d048163a18
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-1.4.18-extensions-link.patch
@@ -0,0 +1,74 @@
+From 37b19d08f3cbc83a653386d76261490e173a874b Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Sat, 16 Mar 2013 12:15:30 +0100
+Subject: [PATCH] Revert "build: resolve link failure for ip6t_NETMAP"
+
+This reverts commit 68e77a26111ee6b8f10c735a76891a7de6d57ee6.
+
+The use of libtool was introduced to resolve linking problems
+in NETMAP (IPv6 version), but that resulted in RPATH problems
+reported from distributors and warnings spotted by libtool at
+linking stage.
+
+Since (0ca548b libip6t_NETMAP: Use xtables_ip6mask_to_cidr and
+get rid of libip6tc dependency) fixed the NETMAP issue, let's
+roll back to our previous stage.
+
+A small conflicts in extensions/GNUmakefile.in has been resolved
+in this revert.
+
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ extensions/GNUmakefile.in | 18 +++++++-----------
+ 1 file changed, 7 insertions(+), 11 deletions(-)
+
+diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
+index 3db6985..1ae7f74 100644
+--- a/extensions/GNUmakefile.in
++++ b/extensions/GNUmakefile.in
+@@ -33,7 +33,6 @@ AM_VERBOSE_CXX = @echo " CXX " $@;
+ AM_VERBOSE_CXXLD = @echo " CXXLD " $@;
+ AM_VERBOSE_AR = @echo " AR " $@;
+ AM_VERBOSE_GEN = @echo " GEN " $@;
+-AM_VERBOSE_NULL = @
+ endif
+
+ #
+@@ -76,7 +75,7 @@ install: ${targets_install}
+ if test -n "${targets_install}"; then install -pm0755 $^ "${DESTDIR}${xtlibdir}/"; fi;
+
+ clean:
+- rm -f *.la *.o *.lo *.so *.a {matches,targets}.man initext.c initext4.c initext6.c;
++ rm -f *.o *.oo *.so *.a {matches,targets}.man initext.c initext4.c initext6.c;
+ rm -f .*.d .*.dd;
+
+ distclean: clean
+@@ -90,19 +89,16 @@ init%.o: init%.c
+ #
+ # Shared libraries
+ #
+-lib%.so: lib%.la
+- ${AM_VERBOSE_NULL} ln -fs .libs/$@ $@
++lib%.so: lib%.oo
++ ${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $< -L../libxtables/.libs -lxtables ${$*_LIBADD};
+
+-lib%.la: lib%.lo
+- ${AM_VERBOSE_CCLD} ../libtool ${AM_LIBTOOL_SILENT} --tag=CC --mode=link ${CCLD} ${AM_LDFLAGS} -module ${LDFLAGS} -o $@ $< ../libxtables/libxtables.la ${$*_LIBADD} -rpath ${xtlibdir}
+-
+-lib%.lo: ${srcdir}/lib%.c
+- ${AM_VERBOSE_CC} ../libtool ${AM_LIBTOOL_SILENT} --tag=CC --mode=compile ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=lib$*_init ${CFLAGS} -o $@ -c $<
++lib%.oo: ${srcdir}/lib%.c
++ ${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=lib$*_init -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
+
+ libxt_NOTRACK.so: libxt_CT.so
+- ${AM_VERBOSE_GEN} ln -fs $< $@
++ ln -fs $< $@
+ libxt_state.so: libxt_conntrack.so
+- ${AM_VERBOSE_GEN} ln -fs $< $@
++ ln -fs $< $@
+
+ # Need the LIBADDs in iptables/Makefile.am too for libxtables_la_LIBADD
+ xt_RATEEST_LIBADD = -lm
+--
+1.8.2.1
+
diff --git a/net-firewall/iptables/files/iptables-1.4.18-ipv6-linkage.patch b/net-firewall/iptables/files/iptables-1.4.18-ipv6-linkage.patch
new file mode 100644
index 000000000000..52829de24a5f
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-1.4.18-ipv6-linkage.patch
@@ -0,0 +1,88 @@
+From cccfff9309743f173c504dd265fae173caa5b47f Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Sat, 16 Mar 2013 12:11:07 +0100
+Subject: [PATCH] libip6t_NETMAP: Use xtables_ip6mask_to_cidr and get rid of
+ libip6tc dependency
+
+This patch changes the NETMAP target extension (IPv6 side) to use
+the xtables_ip6mask_to_cidr available in libxtables.
+
+As a side effect, we get rid of the libip6tc dependency.
+
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ extensions/GNUmakefile.in | 1 -
+ extensions/libip6t_NETMAP.c | 2 +-
+ include/libiptc/libip6tc.h | 3 ---
+ iptables/ip6tables.c | 2 +-
+ libiptc/libip6tc.c | 2 +-
+ 5 files changed, 3 insertions(+), 7 deletions(-)
+
+diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
+index adad4d6..3db6985 100644
+--- a/extensions/GNUmakefile.in
++++ b/extensions/GNUmakefile.in
+@@ -105,7 +105,6 @@ libxt_state.so: libxt_conntrack.so
+ ${AM_VERBOSE_GEN} ln -fs $< $@
+
+ # Need the LIBADDs in iptables/Makefile.am too for libxtables_la_LIBADD
+-ip6t_NETMAP_LIBADD = ../libiptc/libip6tc.la
+ xt_RATEEST_LIBADD = -lm
+ xt_statistic_LIBADD = -lm
+
+diff --git a/extensions/libip6t_NETMAP.c b/extensions/libip6t_NETMAP.c
+index d14dece..a4df70e 100644
+--- a/extensions/libip6t_NETMAP.c
++++ b/extensions/libip6t_NETMAP.c
+@@ -61,7 +61,7 @@ static void NETMAP_print(const void *ip, const struct xt_entry_target *target,
+ printf("%s", xtables_ip6addr_to_numeric(&a));
+ for (i = 0; i < 4; i++)
+ a.s6_addr32[i] = ~(r->min_addr.ip6[i] ^ r->max_addr.ip6[i]);
+- bits = ipv6_prefix_length(&a);
++ bits = xtables_ip6mask_to_cidr(&a);
+ if (bits < 0)
+ printf("/%s", xtables_ip6addr_to_numeric(&a));
+ else
+diff --git a/include/libiptc/libip6tc.h b/include/libiptc/libip6tc.h
+index c656bc4..9aed80a 100644
+--- a/include/libiptc/libip6tc.h
++++ b/include/libiptc/libip6tc.h
+@@ -154,9 +154,6 @@ int ip6tc_get_raw_socket(void);
+ /* Translates errno numbers into more human-readable form than strerror. */
+ const char *ip6tc_strerror(int err);
+
+-/* Return prefix length, or -1 if not contiguous */
+-int ipv6_prefix_length(const struct in6_addr *a);
+-
+ extern void dump_entries6(struct xtc_handle *const);
+
+ extern const struct xtc_ops ip6tc_ops;
+diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
+index 4cfbea3..7d02cc1 100644
+--- a/iptables/ip6tables.c
++++ b/iptables/ip6tables.c
+@@ -1022,7 +1022,7 @@ static void print_ip(const char *prefix, const struct in6_addr *ip,
+ const struct in6_addr *mask, int invert)
+ {
+ char buf[51];
+- int l = ipv6_prefix_length(mask);
++ int l = xtables_ip6mask_to_cidr(mask);
+
+ if (l == 0 && !invert)
+ return;
+diff --git a/libiptc/libip6tc.c b/libiptc/libip6tc.c
+index 7128e1c..ca01bcb 100644
+--- a/libiptc/libip6tc.c
++++ b/libiptc/libip6tc.c
+@@ -113,7 +113,7 @@ typedef unsigned int socklen_t;
+ #define BIT6(a, l) \
+ ((ntohl(a->s6_addr32[(l) / 32]) >> (31 - ((l) & 31))) & 1)
+
+-int
++static int
+ ipv6_prefix_length(const struct in6_addr *a)
+ {
+ int l, i;
+--
+1.8.2.1
+
diff --git a/net-firewall/iptables/files/systemd/ip6tables-restore.service b/net-firewall/iptables/files/systemd/ip6tables-restore.service
new file mode 100644
index 000000000000..88415fa37a64
--- /dev/null
+++ b/net-firewall/iptables/files/systemd/ip6tables-restore.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Restore ip6tables firewall rules
+# if both are queued for some reason, don't store before restoring :)
+Before=ip6tables-store.service
+# sounds reasonable to have firewall up before any of the services go up
+Before=network.target
+Conflicts=shutdown.target
+
+[Service]
+Type=oneshot
+ExecStart=/sbin/ip6tables-restore /var/lib/ip6tables/rules-save
+
+[Install]
+WantedBy=basic.target
diff --git a/net-firewall/iptables/files/systemd/ip6tables-store.service b/net-firewall/iptables/files/systemd/ip6tables-store.service
new file mode 100644
index 000000000000..9975378353d3
--- /dev/null
+++ b/net-firewall/iptables/files/systemd/ip6tables-store.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Store ip6tables firewall rules
+Before=shutdown.target
+DefaultDependencies=No
+
+[Service]
+Type=oneshot
+ExecStart=/bin/sh -c "/sbin/ip6tables-save --counters > /var/lib/ip6tables/rules-save"
+
+[Install]
+WantedBy=shutdown.target
diff --git a/net-firewall/iptables/files/systemd/ip6tables.service b/net-firewall/iptables/files/systemd/ip6tables.service
new file mode 100644
index 000000000000..0a6d7fa1c8ab
--- /dev/null
+++ b/net-firewall/iptables/files/systemd/ip6tables.service
@@ -0,0 +1,6 @@
+[Unit]
+Description=Store and restore ip6tables firewall rules
+
+[Install]
+Also=ip6tables-store.service
+Also=ip6tables-restore.service
diff --git a/net-firewall/iptables/files/systemd/iptables-restore.service b/net-firewall/iptables/files/systemd/iptables-restore.service
new file mode 100644
index 000000000000..9d568d78b309
--- /dev/null
+++ b/net-firewall/iptables/files/systemd/iptables-restore.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Restore iptables firewall rules
+# if both are queued for some reason, don't store before restoring :)
+Before=iptables-store.service
+# sounds reasonable to have firewall up before any of the services go up
+Before=network.target
+Conflicts=shutdown.target
+
+[Service]
+Type=oneshot
+ExecStart=/sbin/iptables-restore /var/lib/iptables/rules-save
+
+[Install]
+WantedBy=basic.target
diff --git a/net-firewall/iptables/files/systemd/iptables-store.service b/net-firewall/iptables/files/systemd/iptables-store.service
new file mode 100644
index 000000000000..aa16e75e9ccf
--- /dev/null
+++ b/net-firewall/iptables/files/systemd/iptables-store.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Store iptables firewall rules
+Before=shutdown.target
+DefaultDependencies=No
+
+[Service]
+Type=oneshot
+ExecStart=/bin/sh -c "/sbin/iptables-save --counters > /var/lib/iptables/rules-save"
+
+[Install]
+WantedBy=shutdown.target
diff --git a/net-firewall/iptables/files/systemd/iptables.service b/net-firewall/iptables/files/systemd/iptables.service
new file mode 100644
index 000000000000..3643a3e31034
--- /dev/null
+++ b/net-firewall/iptables/files/systemd/iptables.service
@@ -0,0 +1,6 @@
+[Unit]
+Description=Store and restore iptables firewall rules
+
+[Install]
+Also=iptables-store.service
+Also=iptables-restore.service
diff --git a/net-firewall/iptables/iptables-1.4.10-r1.ebuild b/net-firewall/iptables/iptables-1.4.10-r1.ebuild
new file mode 100644
index 000000000000..ff152ec86761
--- /dev/null
+++ b/net-firewall/iptables/iptables-1.4.10-r1.ebuild
@@ -0,0 +1,83 @@
+# Copyright 1999-2012 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="2"
+
+# Force users doing their own patches to install their own tools
+AUTOTOOLS_AUTO_DEPEND=no
+
+inherit eutils multilib toolchain-funcs autotools
+
+DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
+HOMEPAGE="http://www.iptables.org/"
+SRC_URI="http://iptables.org/projects/iptables/files/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
+IUSE="ipv6 netlink"
+
+COMMON_DEPEND="
+ netlink? ( net-libs/libnfnetlink )
+"
+DEPEND="
+ ${COMMON_DEPEND}
+ virtual/os-headers
+"
+RDEPEND="
+ ${COMMON_DEPEND}
+"
+
+src_prepare() {
+ # Only run autotools if user patched something
+ epatch_user && eautoreconf || elibtoolize
+}
+
+src_configure() {
+ sed -i \
+ -e "/nfnetlink=[01]/s:=[01]:=$(use netlink && echo 1 || echo 0):" \
+ configure
+ econf \
+ --sbindir=/sbin \
+ --libexecdir=/$(get_libdir) \
+ --enable-devel \
+ --enable-libipq \
+ --enable-shared \
+ --enable-static \
+ $(use_enable ipv6)
+}
+
+src_compile() {
+ emake V=1 || die
+}
+
+src_install() {
+ emake install DESTDIR="${D}" || die
+ doman iptables-apply.8 || die
+ dodoc INCOMPATIBILITIES iptables.xslt || die
+
+ # all the iptables binaries are in /sbin, so might as well
+ # put these small files in with them
+ into /
+ dosbin iptables-apply || die
+ dosym iptables-apply /sbin/ip6tables-apply || die
+
+ insinto /usr/include
+ doins include/iptables.h $(use ipv6 && echo include/ip6tables.h) || die
+ insinto /usr/include/iptables
+ doins include/iptables/internal.h || die
+
+ keepdir /var/lib/iptables
+ newinitd "${FILESDIR}"/${PN}-1.3.2.init iptables || die
+ newconfd "${FILESDIR}"/${PN}-1.3.2.confd iptables || die
+ if use ipv6 ; then
+ keepdir /var/lib/ip6tables
+ newinitd "${FILESDIR}"/iptables-1.3.2.init ip6tables || die
+ newconfd "${FILESDIR}"/ip6tables-1.3.2.confd ip6tables || die
+ fi
+
+ # Move important libs to /lib
+ gen_usr_ldscript -a ip{4,6}tc ipq iptc xtables
+ find "${D}" -type f -name '*.la' -exec rm -rf '{}' '+' || die "la removal failed"
+}
diff --git a/net-firewall/iptables/iptables-1.4.10.ebuild b/net-firewall/iptables/iptables-1.4.10.ebuild
new file mode 100644
index 000000000000..82e42fdf7ee5
--- /dev/null
+++ b/net-firewall/iptables/iptables-1.4.10.ebuild
@@ -0,0 +1,67 @@
+# Copyright 1999-2012 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="2"
+
+# Force users doing their own patches to install their own tools
+AUTOTOOLS_AUTO_DEPEND=no
+
+inherit eutils multilib toolchain-funcs autotools
+
+DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
+HOMEPAGE="http://www.iptables.org/"
+SRC_URI="http://iptables.org/projects/iptables/files/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="alpha amd64 arm hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86"
+IUSE="ipv6"
+
+DEPEND="virtual/os-headers"
+RDEPEND=""
+
+src_prepare() {
+ # Only run autotools if user patched something
+ epatch_user && eautoreconf || elibtoolize
+}
+
+src_configure() {
+ econf \
+ --sbindir=/sbin \
+ --libexecdir=/$(get_libdir) \
+ --enable-devel \
+ --enable-libipq \
+ --enable-shared \
+ --enable-static \
+ $(use_enable ipv6)
+}
+
+src_compile() {
+ emake V=1 || die
+}
+
+src_install() {
+ emake install DESTDIR="${D}" || die
+ dosbin iptables-apply || die
+ doman iptables-apply.8 || die
+ dodoc INCOMPATIBILITIES iptables.xslt || die
+
+ insinto /usr/include
+ doins include/iptables.h $(use ipv6 && echo include/ip6tables.h) || die
+ insinto /usr/include/iptables
+ doins include/iptables/internal.h || die
+
+ keepdir /var/lib/iptables
+ newinitd "${FILESDIR}"/${PN}-1.3.2.init iptables || die
+ newconfd "${FILESDIR}"/${PN}-1.3.2.confd iptables || die
+ if use ipv6 ; then
+ keepdir /var/lib/ip6tables
+ newinitd "${FILESDIR}"/iptables-1.3.2.init ip6tables || die
+ newconfd "${FILESDIR}"/ip6tables-1.3.2.confd ip6tables || die
+ fi
+
+ # Move important libs to /lib
+ gen_usr_ldscript -a ip{4,6}tc ipq iptc xtables
+ find "${D}" -type f -name '*.la' -exec rm -rf '{}' '+' || die "la removal failed"
+}
diff --git a/net-firewall/iptables/iptables-1.4.11.1-r2.ebuild b/net-firewall/iptables/iptables-1.4.11.1-r2.ebuild
new file mode 100644
index 000000000000..77310ab04511
--- /dev/null
+++ b/net-firewall/iptables/iptables-1.4.11.1-r2.ebuild
@@ -0,0 +1,86 @@
+# Copyright 1999-2012 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="4"
+
+# Force users doing their own patches to install their own tools
+AUTOTOOLS_AUTO_DEPEND=no
+
+inherit eutils multilib toolchain-funcs autotools
+
+DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
+HOMEPAGE="http://www.iptables.org/"
+SRC_URI="http://iptables.org/projects/iptables/files/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="alpha amd64 arm ~hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86"
+IUSE="ipv6 netlink"
+
+COMMON_DEPEND="
+ netlink? ( net-libs/libnfnetlink )
+"
+DEPEND="
+ ${COMMON_DEPEND}
+ virtual/os-headers
+ sys-devel/automake
+"
+RDEPEND="
+ ${COMMON_DEPEND}
+"
+
+src_prepare() {
+ # Only run autotools if user patched something
+ epatch "${FILESDIR}/${P}-man-fixes.patch"
+ eautomake
+ epatch_user && eautoreconf || elibtoolize
+}
+
+src_configure() {
+ sed -i \
+ -e "/nfnetlink=[01]/s:=[01]:=$(use netlink && echo 1 || echo 0):" \
+ configure
+ econf \
+ --sbindir=/sbin \
+ --libexecdir=/$(get_libdir) \
+ --enable-devel \
+ --enable-libipq \
+ --enable-shared \
+ --enable-static \
+ $(use_enable ipv6)
+}
+
+src_compile() {
+ emake V=1
+}
+
+src_install() {
+ emake install DESTDIR="${D}"
+ dodoc INCOMPATIBILITIES iptables/iptables.xslt
+
+ # all the iptables binaries are in /sbin, so might as well
+ # put these small files in with them
+ into /
+ dosbin iptables/iptables-apply
+ dosym iptables-apply /sbin/ip6tables-apply
+ doman iptables/iptables-apply.8
+
+ insinto /usr/include
+ doins include/iptables.h $(use ipv6 && echo include/ip6tables.h)
+ insinto /usr/include/iptables
+ doins include/iptables/internal.h
+
+ keepdir /var/lib/iptables
+ newinitd "${FILESDIR}"/${PN}-1.4.11.init iptables
+ newconfd "${FILESDIR}"/${PN}-1.3.2.confd iptables
+ if use ipv6 ; then
+ keepdir /var/lib/ip6tables
+ newinitd "${FILESDIR}"/iptables-1.4.11.init ip6tables
+ newconfd "${FILESDIR}"/ip6tables-1.3.2.confd ip6tables
+ fi
+
+ # Move important libs to /lib
+ gen_usr_ldscript -a ip{4,6}tc ipq iptc xtables
+ find "${ED}" -type f -name '*.la' -exec rm -rf '{}' '+' || die "la removal failed"
+}
diff --git a/net-firewall/iptables/iptables-1.4.12.1-r1.ebuild b/net-firewall/iptables/iptables-1.4.12.1-r1.ebuild
new file mode 100644
index 000000000000..2055cf251814
--- /dev/null
+++ b/net-firewall/iptables/iptables-1.4.12.1-r1.ebuild
@@ -0,0 +1,88 @@
+# Copyright 1999-2012 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="4"
+
+# Force users doing their own patches to install their own tools
+AUTOTOOLS_AUTO_DEPEND=no
+
+inherit eutils multilib toolchain-funcs autotools
+
+DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
+HOMEPAGE="http://www.iptables.org/"
+SRC_URI="http://iptables.org/projects/iptables/files/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
+IUSE="ipv6 netlink static-libs"
+
+RDEPEND="
+ netlink? ( net-libs/libnfnetlink )
+"
+DEPEND="${RDEPEND}
+ virtual/os-headers
+ sys-devel/automake
+"
+
+src_prepare() {
+ epatch \
+ "${FILESDIR}/iptables-1.4.12.1-lm.patch" \
+ "${FILESDIR}/iptables-1.4.12.1-conntrack-v2-ranges.patch"
+ eautomake
+
+ # use the saner headers from the kernel
+ rm -f include/linux/{kernel,types}.h
+
+ # Only run autotools if user patched something
+ epatch_user && eautoreconf || elibtoolize
+}
+
+src_configure() {
+ sed -i \
+ -e "/nfnetlink=[01]/s:=[01]:=$(usex netlink 1 0):" \
+ configure || die
+ econf \
+ --sbindir=/sbin \
+ --libexecdir=/$(get_libdir) \
+ --enable-devel \
+ --enable-libipq \
+ --enable-shared \
+ $(use_enable static-libs static) \
+ $(use_enable ipv6)
+}
+
+src_compile() {
+ emake V=1
+}
+
+src_install() {
+ default
+ dodoc INCOMPATIBILITIES iptables/iptables.xslt
+
+ # all the iptables binaries are in /sbin, so might as well
+ # put these small files in with them
+ into /
+ dosbin iptables/iptables-apply
+ dosym iptables-apply /sbin/ip6tables-apply
+ doman iptables/iptables-apply.8
+
+ insinto /usr/include
+ doins include/iptables.h $(use ipv6 && echo include/ip6tables.h)
+ insinto /usr/include/iptables
+ doins include/iptables/internal.h
+
+ keepdir /var/lib/iptables
+ newinitd "${FILESDIR}"/${PN}-1.4.11.init iptables
+ newconfd "${FILESDIR}"/${PN}-1.3.2.confd iptables
+ if use ipv6 ; then
+ keepdir /var/lib/ip6tables
+ newinitd "${FILESDIR}"/iptables-1.4.11.init ip6tables
+ newconfd "${FILESDIR}"/ip6tables-1.3.2.confd ip6tables
+ fi
+
+ # Move important libs to /lib
+ gen_usr_ldscript -a ip{4,6}tc ipq iptc xtables
+ find "${ED}" -type f -name '*.la' -exec rm -rf '{}' '+' || die "la removal failed"
+}
diff --git a/net-firewall/iptables/iptables-1.4.12.1.ebuild b/net-firewall/iptables/iptables-1.4.12.1.ebuild
new file mode 100644
index 000000000000..2639b2e56363
--- /dev/null
+++ b/net-firewall/iptables/iptables-1.4.12.1.ebuild
@@ -0,0 +1,87 @@
+# Copyright 1999-2012 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="4"
+
+# Force users doing their own patches to install their own tools
+AUTOTOOLS_AUTO_DEPEND=no
+
+inherit eutils multilib toolchain-funcs autotools
+
+DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
+HOMEPAGE="http://www.iptables.org/"
+SRC_URI="http://iptables.org/projects/iptables/files/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="alpha amd64 arm hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86"
+IUSE="ipv6 netlink"
+
+COMMON_DEPEND="
+ netlink? ( net-libs/libnfnetlink )
+"
+DEPEND="
+ ${COMMON_DEPEND}
+ virtual/os-headers
+ sys-devel/automake
+"
+RDEPEND="
+ ${COMMON_DEPEND}
+"
+
+src_prepare() {
+ epatch "${FILESDIR}/iptables-1.4.12.1-lm.patch"
+ eautomake
+
+ # Only run autotools if user patched something
+ epatch_user && eautoreconf || elibtoolize
+}
+
+src_configure() {
+ sed -i \
+ -e "/nfnetlink=[01]/s:=[01]:=$(use netlink && echo 1 || echo 0):" \
+ configure || die
+ econf \
+ --sbindir=/sbin \
+ --libexecdir=/$(get_libdir) \
+ --enable-devel \
+ --enable-libipq \
+ --enable-shared \
+ --enable-static \
+ $(use_enable ipv6)
+}
+
+src_compile() {
+ emake V=1
+}
+
+src_install() {
+ emake install DESTDIR="${D}"
+ dodoc INCOMPATIBILITIES iptables/iptables.xslt
+
+ # all the iptables binaries are in /sbin, so might as well
+ # put these small files in with them
+ into /
+ dosbin iptables/iptables-apply
+ dosym iptables-apply /sbin/ip6tables-apply
+ doman iptables/iptables-apply.8
+
+ insinto /usr/include
+ doins include/iptables.h $(use ipv6 && echo include/ip6tables.h)
+ insinto /usr/include/iptables
+ doins include/iptables/internal.h
+
+ keepdir /var/lib/iptables
+ newinitd "${FILESDIR}"/${PN}-1.4.11.init iptables
+ newconfd "${FILESDIR}"/${PN}-1.3.2.confd iptables
+ if use ipv6 ; then
+ keepdir /var/lib/ip6tables
+ newinitd "${FILESDIR}"/iptables-1.4.11.init ip6tables
+ newconfd "${FILESDIR}"/ip6tables-1.3.2.confd ip6tables
+ fi
+
+ # Move important libs to /lib
+ gen_usr_ldscript -a ip{4,6}tc ipq iptc xtables
+ find "${ED}" -type f -name '*.la' -exec rm -rf '{}' '+' || die "la removal failed"
+}
diff --git a/net-firewall/iptables/iptables-1.4.12.ebuild b/net-firewall/iptables/iptables-1.4.12.ebuild
new file mode 100644
index 000000000000..80e13cc88046
--- /dev/null
+++ b/net-firewall/iptables/iptables-1.4.12.ebuild
@@ -0,0 +1,84 @@
+# Copyright 1999-2012 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="4"
+
+# Force users doing their own patches to install their own tools
+AUTOTOOLS_AUTO_DEPEND=no
+
+inherit eutils multilib toolchain-funcs autotools
+
+DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
+HOMEPAGE="http://www.iptables.org/"
+SRC_URI="http://iptables.org/projects/iptables/files/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
+IUSE="ipv6 netlink"
+
+COMMON_DEPEND="
+ netlink? ( net-libs/libnfnetlink )
+"
+DEPEND="
+ ${COMMON_DEPEND}
+ virtual/os-headers
+ sys-devel/automake
+"
+RDEPEND="
+ ${COMMON_DEPEND}
+"
+
+src_prepare() {
+ # Only run autotools if user patched something
+ epatch_user && eautoreconf || elibtoolize
+}
+
+src_configure() {
+ sed -i \
+ -e "/nfnetlink=[01]/s:=[01]:=$(use netlink && echo 1 || echo 0):" \
+ configure || die
+ econf \
+ --sbindir=/sbin \
+ --libexecdir=/$(get_libdir) \
+ --enable-devel \
+ --enable-libipq \
+ --enable-shared \
+ --enable-static \
+ $(use_enable ipv6)
+}
+
+src_compile() {
+ emake V=1
+}
+
+src_install() {
+ emake install DESTDIR="${D}"
+ dodoc INCOMPATIBILITIES iptables/iptables.xslt
+
+ # all the iptables binaries are in /sbin, so might as well
+ # put these small files in with them
+ into /
+ dosbin iptables/iptables-apply
+ dosym iptables-apply /sbin/ip6tables-apply
+ doman iptables/iptables-apply.8
+
+ insinto /usr/include
+ doins include/iptables.h $(use ipv6 && echo include/ip6tables.h)
+ insinto /usr/include/iptables
+ doins include/iptables/internal.h
+
+ keepdir /var/lib/iptables
+ newinitd "${FILESDIR}"/${PN}-1.4.11.init iptables
+ newconfd "${FILESDIR}"/${PN}-1.3.2.confd iptables
+ if use ipv6 ; then
+ keepdir /var/lib/ip6tables
+ newinitd "${FILESDIR}"/iptables-1.4.11.init ip6tables
+ newconfd "${FILESDIR}"/ip6tables-1.3.2.confd ip6tables
+ fi
+
+ # Move important libs to /lib
+ gen_usr_ldscript -a ip{4,6}tc ipq iptc xtables
+ find "${ED}" -type f -name '*.la' -exec rm -rf '{}' '+' || die "la removal failed"
+}
diff --git a/net-firewall/iptables/iptables-1.4.13-r2.ebuild b/net-firewall/iptables/iptables-1.4.13-r2.ebuild
new file mode 100644
index 000000000000..e10df947ab5c
--- /dev/null
+++ b/net-firewall/iptables/iptables-1.4.13-r2.ebuild
@@ -0,0 +1,83 @@
+# Copyright 1999-2012 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="4"
+
+# Force users doing their own patches to install their own tools
+AUTOTOOLS_AUTO_DEPEND=no
+
+inherit eutils multilib toolchain-funcs autotools
+
+DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
+HOMEPAGE="http://www.iptables.org/"
+SRC_URI="http://iptables.org/projects/iptables/files/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
+IUSE="ipv6 netlink static-libs"
+
+RDEPEND="
+ netlink? ( net-libs/libnfnetlink )
+"
+DEPEND="${RDEPEND}
+ virtual/os-headers
+ !>=sys-kernel/linux-headers-3.5
+"
+
+src_prepare() {
+ # use the saner headers from the kernel
+ rm -f include/linux/{kernel,types}.h
+
+ # Only run autotools if user patched something
+ epatch_user && eautoreconf || elibtoolize
+}
+
+src_configure() {
+ sed -i \
+ -e "/nfnetlink=[01]/s:=[01]:=$(usex netlink 1 0):" \
+ configure || die
+ econf \
+ --sbindir="${EPREFIX}/sbin" \
+ --libexecdir="${EPREFIX}/$(get_libdir)" \
+ --enable-devel \
+ --enable-libipq \
+ --enable-shared \
+ $(use_enable static-libs static) \
+ $(use_enable ipv6)
+}
+
+src_compile() {
+ emake V=1
+}
+
+src_install() {
+ default
+ dodoc INCOMPATIBILITIES iptables/iptables.xslt
+
+ # all the iptables binaries are in /sbin, so might as well
+ # put these small files in with them
+ into /
+ dosbin iptables/iptables-apply
+ dosym iptables-apply /sbin/ip6tables-apply
+ doman iptables/iptables-apply.8
+
+ insinto /usr/include
+ doins include/iptables.h $(use ipv6 && echo include/ip6tables.h)
+ insinto /usr/include/iptables
+ doins include/iptables/internal.h
+
+ keepdir /var/lib/iptables
+ newinitd "${FILESDIR}"/${PN}-1.4.13-r1.init iptables
+ newconfd "${FILESDIR}"/${PN}-1.4.13.confd iptables
+ if use ipv6 ; then
+ keepdir /var/lib/ip6tables
+ newinitd "${FILESDIR}"/iptables-1.4.13-r1.init ip6tables
+ newconfd "${FILESDIR}"/ip6tables-1.4.13.confd ip6tables
+ fi
+
+ # Move important libs to /lib
+ gen_usr_ldscript -a ip{4,6}tc ipq iptc xtables
+ find "${ED}" -type f -name '*.la' -exec rm -rf '{}' '+' || die "la removal failed"
+}
diff --git a/net-firewall/iptables/iptables-1.4.13.ebuild b/net-firewall/iptables/iptables-1.4.13.ebuild
new file mode 100644
index 000000000000..efa45e2e066b
--- /dev/null
+++ b/net-firewall/iptables/iptables-1.4.13.ebuild
@@ -0,0 +1,83 @@
+# Copyright 1999-2012 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="4"
+
+# Force users doing their own patches to install their own tools
+AUTOTOOLS_AUTO_DEPEND=no
+
+inherit eutils multilib toolchain-funcs autotools
+
+DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
+HOMEPAGE="http://www.iptables.org/"
+SRC_URI="http://iptables.org/projects/iptables/files/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="alpha amd64 arm hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86"
+IUSE="ipv6 netlink static-libs"
+
+RDEPEND="
+ netlink? ( net-libs/libnfnetlink )
+"
+DEPEND="${RDEPEND}
+ virtual/os-headers
+ !>=sys-kernel/linux-headers-3.5
+"
+
+src_prepare() {
+ # use the saner headers from the kernel
+ rm -f include/linux/{kernel,types}.h
+
+ # Only run autotools if user patched something
+ epatch_user && eautoreconf || elibtoolize
+}
+
+src_configure() {
+ sed -i \
+ -e "/nfnetlink=[01]/s:=[01]:=$(usex netlink 1 0):" \
+ configure || die
+ econf \
+ --sbindir="${EPREFIX}/sbin" \
+ --libexecdir="${EPREFIX}/$(get_libdir)" \
+ --enable-devel \
+ --enable-libipq \
+ --enable-shared \
+ $(use_enable static-libs static) \
+ $(use_enable ipv6)
+}
+
+src_compile() {
+ emake V=1
+}
+
+src_install() {
+ default
+ dodoc INCOMPATIBILITIES iptables/iptables.xslt
+
+ # all the iptables binaries are in /sbin, so might as well
+ # put these small files in with them
+ into /
+ dosbin iptables/iptables-apply
+ dosym iptables-apply /sbin/ip6tables-apply
+ doman iptables/iptables-apply.8
+
+ insinto /usr/include
+ doins include/iptables.h $(use ipv6 && echo include/ip6tables.h)
+ insinto /usr/include/iptables
+ doins include/iptables/internal.h
+
+ keepdir /var/lib/iptables
+ newinitd "${FILESDIR}"/${PN}-1.4.11.init iptables
+ newconfd "${FILESDIR}"/${PN}-1.3.2.confd iptables
+ if use ipv6 ; then
+ keepdir /var/lib/ip6tables
+ newinitd "${FILESDIR}"/iptables-1.4.11.init ip6tables
+ newconfd "${FILESDIR}"/ip6tables-1.3.2.confd ip6tables
+ fi
+
+ # Move important libs to /lib
+ gen_usr_ldscript -a ip{4,6}tc ipq iptc xtables
+ find "${ED}" -type f -name '*.la' -exec rm -rf '{}' '+' || die "la removal failed"
+}
diff --git a/net-firewall/iptables/iptables-1.4.14-r1.ebuild b/net-firewall/iptables/iptables-1.4.14-r1.ebuild
new file mode 100644
index 000000000000..829beb00e618
--- /dev/null
+++ b/net-firewall/iptables/iptables-1.4.14-r1.ebuild
@@ -0,0 +1,82 @@
+# Copyright 1999-2012 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="4"
+
+# Force users doing their own patches to install their own tools
+AUTOTOOLS_AUTO_DEPEND=no
+
+inherit eutils multilib toolchain-funcs autotools
+
+DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
+HOMEPAGE="http://www.iptables.org/"
+SRC_URI="http://iptables.org/projects/iptables/files/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
+IUSE="ipv6 netlink static-libs"
+
+RDEPEND="
+ netlink? ( net-libs/libnfnetlink )
+"
+DEPEND="${RDEPEND}
+ virtual/os-headers
+ !>=sys-kernel/linux-headers-3.5
+"
+
+src_prepare() {
+ # use the saner headers from the kernel
+ rm -f include/linux/{kernel,types}.h
+
+ # Only run autotools if user patched something
+ epatch_user && eautoreconf || elibtoolize
+}
+
+src_configure() {
+ sed -i \
+ -e "/nfnetlink=[01]/s:=[01]:=$(usex netlink 1 0):" \
+ configure || die
+ econf \
+ --sbindir="${EPREFIX}/sbin" \
+ --libexecdir="${EPREFIX}/$(get_libdir)" \
+ --enable-devel \
+ --enable-shared \
+ $(use_enable static-libs static) \
+ $(use_enable ipv6)
+}
+
+src_compile() {
+ emake V=1
+}
+
+src_install() {
+ default
+ dodoc INCOMPATIBILITIES iptables/iptables.xslt
+
+ # all the iptables binaries are in /sbin, so might as well
+ # put these small files in with them
+ into /
+ dosbin iptables/iptables-apply
+ dosym iptables-apply /sbin/ip6tables-apply
+ doman iptables/iptables-apply.8
+
+ insinto /usr/include
+ doins include/iptables.h $(use ipv6 && echo include/ip6tables.h)
+ insinto /usr/include/iptables
+ doins include/iptables/internal.h
+
+ keepdir /var/lib/iptables
+ newinitd "${FILESDIR}"/${PN}-1.4.13-r1.init iptables
+ newconfd "${FILESDIR}"/${PN}-1.4.13.confd iptables
+ if use ipv6 ; then
+ keepdir /var/lib/ip6tables
+ newinitd "${FILESDIR}"/iptables-1.4.13-r1.init ip6tables
+ newconfd "${FILESDIR}"/ip6tables-1.4.13.confd ip6tables
+ fi
+
+ # Move important libs to /lib
+ gen_usr_ldscript -a ip{4,6}tc iptc xtables
+ find "${ED}" -type f -name '*.la' -exec rm -rf '{}' '+' || die "la removal failed"
+}
diff --git a/net-firewall/iptables/iptables-1.4.15-r1.ebuild b/net-firewall/iptables/iptables-1.4.15-r1.ebuild
new file mode 100644
index 000000000000..829beb00e618
--- /dev/null
+++ b/net-firewall/iptables/iptables-1.4.15-r1.ebuild
@@ -0,0 +1,82 @@
+# Copyright 1999-2012 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="4"
+
+# Force users doing their own patches to install their own tools
+AUTOTOOLS_AUTO_DEPEND=no
+
+inherit eutils multilib toolchain-funcs autotools
+
+DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
+HOMEPAGE="http://www.iptables.org/"
+SRC_URI="http://iptables.org/projects/iptables/files/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
+IUSE="ipv6 netlink static-libs"
+
+RDEPEND="
+ netlink? ( net-libs/libnfnetlink )
+"
+DEPEND="${RDEPEND}
+ virtual/os-headers
+ !>=sys-kernel/linux-headers-3.5
+"
+
+src_prepare() {
+ # use the saner headers from the kernel
+ rm -f include/linux/{kernel,types}.h
+
+ # Only run autotools if user patched something
+ epatch_user && eautoreconf || elibtoolize
+}
+
+src_configure() {
+ sed -i \
+ -e "/nfnetlink=[01]/s:=[01]:=$(usex netlink 1 0):" \
+ configure || die
+ econf \
+ --sbindir="${EPREFIX}/sbin" \
+ --libexecdir="${EPREFIX}/$(get_libdir)" \
+ --enable-devel \
+ --enable-shared \
+ $(use_enable static-libs static) \
+ $(use_enable ipv6)
+}
+
+src_compile() {
+ emake V=1
+}
+
+src_install() {
+ default
+ dodoc INCOMPATIBILITIES iptables/iptables.xslt
+
+ # all the iptables binaries are in /sbin, so might as well
+ # put these small files in with them
+ into /
+ dosbin iptables/iptables-apply
+ dosym iptables-apply /sbin/ip6tables-apply
+ doman iptables/iptables-apply.8
+
+ insinto /usr/include
+ doins include/iptables.h $(use ipv6 && echo include/ip6tables.h)
+ insinto /usr/include/iptables
+ doins include/iptables/internal.h
+
+ keepdir /var/lib/iptables
+ newinitd "${FILESDIR}"/${PN}-1.4.13-r1.init iptables
+ newconfd "${FILESDIR}"/${PN}-1.4.13.confd iptables
+ if use ipv6 ; then
+ keepdir /var/lib/ip6tables
+ newinitd "${FILESDIR}"/iptables-1.4.13-r1.init ip6tables
+ newconfd "${FILESDIR}"/ip6tables-1.4.13.confd ip6tables
+ fi
+
+ # Move important libs to /lib
+ gen_usr_ldscript -a ip{4,6}tc iptc xtables
+ find "${ED}" -type f -name '*.la' -exec rm -rf '{}' '+' || die "la removal failed"
+}
diff --git a/net-firewall/iptables/iptables-1.4.16.2.ebuild b/net-firewall/iptables/iptables-1.4.16.2.ebuild
new file mode 100644
index 000000000000..4dc89f6921c8
--- /dev/null
+++ b/net-firewall/iptables/iptables-1.4.16.2.ebuild
@@ -0,0 +1,85 @@
+# Copyright 1999-2012 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="4"
+
+# Force users doing their own patches to install their own tools
+AUTOTOOLS_AUTO_DEPEND=no
+
+inherit eutils multilib toolchain-funcs autotools
+
+DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
+HOMEPAGE="http://www.iptables.org/"
+SRC_URI="http://iptables.org/projects/iptables/files/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
+IUSE="ipv6 netlink static-libs"
+
+RDEPEND="
+ netlink? ( net-libs/libnfnetlink )
+"
+DEPEND="${RDEPEND}
+ virtual/os-headers
+ virtual/pkgconfig
+"
+
+src_prepare() {
+ # use the saner headers from the kernel
+ rm -f include/linux/{kernel,types}.h
+
+ epatch "${FILESDIR}"/${P}-static.patch #437712
+
+ # Only run autotools if user patched something
+ epatch_user && eautoreconf || elibtoolize
+}
+
+src_configure() {
+ sed -i \
+ -e "/nfnetlink=[01]/s:=[01]:=$(usex netlink 1 0):" \
+ configure || die
+
+ econf \
+ --sbindir="${EPREFIX}/sbin" \
+ --libexecdir="${EPREFIX}/$(get_libdir)" \
+ --enable-devel \
+ --enable-shared \
+ $(use_enable static-libs static) \
+ $(use_enable ipv6)
+}
+
+src_compile() {
+ emake V=1
+}
+
+src_install() {
+ default
+ dodoc INCOMPATIBILITIES iptables/iptables.xslt
+
+ # all the iptables binaries are in /sbin, so might as well
+ # put these small files in with them
+ into /
+ dosbin iptables/iptables-apply
+ dosym iptables-apply /sbin/ip6tables-apply
+ doman iptables/iptables-apply.8
+
+ insinto /usr/include
+ doins include/iptables.h $(use ipv6 && echo include/ip6tables.h)
+ insinto /usr/include/iptables
+ doins include/iptables/internal.h
+
+ keepdir /var/lib/iptables
+ newinitd "${FILESDIR}"/${PN}-1.4.13-r1.init iptables
+ newconfd "${FILESDIR}"/${PN}-1.4.13.confd iptables
+ if use ipv6 ; then
+ keepdir /var/lib/ip6tables
+ newinitd "${FILESDIR}"/iptables-1.4.13-r1.init ip6tables
+ newconfd "${FILESDIR}"/ip6tables-1.4.13.confd ip6tables
+ fi
+
+ # Move important libs to /lib
+ gen_usr_ldscript -a ip{4,6}tc iptc xtables
+ find "${ED}" -type f -name '*.la' -exec rm -rf '{}' '+' || die "la removal failed"
+}
diff --git a/net-firewall/iptables/iptables-1.4.16.3.ebuild b/net-firewall/iptables/iptables-1.4.16.3.ebuild
new file mode 100644
index 000000000000..a5c40e6fda90
--- /dev/null
+++ b/net-firewall/iptables/iptables-1.4.16.3.ebuild
@@ -0,0 +1,83 @@
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="4"
+
+# Force users doing their own patches to install their own tools
+AUTOTOOLS_AUTO_DEPEND=no
+
+inherit eutils multilib toolchain-funcs autotools
+
+DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
+HOMEPAGE="http://www.iptables.org/"
+SRC_URI="http://iptables.org/projects/iptables/files/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="alpha amd64 arm hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86"
+IUSE="ipv6 netlink static-libs"
+
+RDEPEND="
+ netlink? ( net-libs/libnfnetlink )
+"
+DEPEND="${RDEPEND}
+ virtual/os-headers
+ virtual/pkgconfig
+"
+
+src_prepare() {
+ # use the saner headers from the kernel
+ rm -f include/linux/{kernel,types}.h
+
+ # Only run autotools if user patched something
+ epatch_user && eautoreconf || elibtoolize
+}
+
+src_configure() {
+ sed -i \
+ -e "/nfnetlink=[01]/s:=[01]:=$(usex netlink 1 0):" \
+ configure || die
+
+ econf \
+ --sbindir="${EPREFIX}/sbin" \
+ --libexecdir="${EPREFIX}/$(get_libdir)" \
+ --enable-devel \
+ --enable-shared \
+ $(use_enable static-libs static) \
+ $(use_enable ipv6)
+}
+
+src_compile() {
+ emake V=1
+}
+
+src_install() {
+ default
+ dodoc INCOMPATIBILITIES iptables/iptables.xslt
+
+ # all the iptables binaries are in /sbin, so might as well
+ # put these small files in with them
+ into /
+ dosbin iptables/iptables-apply
+ dosym iptables-apply /sbin/ip6tables-apply
+ doman iptables/iptables-apply.8
+
+ insinto /usr/include
+ doins include/iptables.h $(use ipv6 && echo include/ip6tables.h)
+ insinto /usr/include/iptables
+ doins include/iptables/internal.h
+
+ keepdir /var/lib/iptables
+ newinitd "${FILESDIR}"/${PN}-1.4.13-r1.init iptables
+ newconfd "${FILESDIR}"/${PN}-1.4.13.confd iptables
+ if use ipv6 ; then
+ keepdir /var/lib/ip6tables
+ newinitd "${FILESDIR}"/iptables-1.4.13-r1.init ip6tables
+ newconfd "${FILESDIR}"/ip6tables-1.4.13.confd ip6tables
+ fi
+
+ # Move important libs to /lib
+ gen_usr_ldscript -a ip{4,6}tc iptc xtables
+ find "${ED}" -type f -name '*.la' -exec rm -rf '{}' '+' || die "la removal failed"
+}
diff --git a/net-firewall/iptables/iptables-1.4.17.ebuild b/net-firewall/iptables/iptables-1.4.17.ebuild
new file mode 100644
index 000000000000..0bbfa2b99cba
--- /dev/null
+++ b/net-firewall/iptables/iptables-1.4.17.ebuild
@@ -0,0 +1,87 @@
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="4"
+
+# Force users doing their own patches to install their own tools
+AUTOTOOLS_AUTO_DEPEND=no
+
+inherit eutils multilib toolchain-funcs autotools
+
+DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
+HOMEPAGE="http://www.iptables.org/"
+SRC_URI="http://iptables.org/projects/iptables/files/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
+IUSE="ipv6 netlink static-libs"
+
+RDEPEND="
+ netlink? ( net-libs/libnfnetlink )
+"
+DEPEND="${RDEPEND}
+ virtual/os-headers
+ virtual/pkgconfig
+"
+
+src_prepare() {
+ # use the saner headers from the kernel
+ rm -f include/linux/{kernel,types}.h
+ epatch "${FILESDIR}"/${P}-libip6tc.patch #449262
+
+ # Only run autotools if user patched something
+ epatch_user && eautoreconf || elibtoolize
+}
+
+src_configure() {
+ # Some libs use $(AR) rather than libtool to build #444282
+ tc-export AR
+
+ sed -i \
+ -e "/nfnetlink=[01]/s:=[01]:=$(usex netlink 1 0):" \
+ configure || die
+
+ econf \
+ --sbindir="${EPREFIX}/sbin" \
+ --libexecdir="${EPREFIX}/$(get_libdir)" \
+ --enable-devel \
+ --enable-shared \
+ $(use_enable static-libs static) \
+ $(use_enable ipv6)
+}
+
+src_compile() {
+ emake V=1
+}
+
+src_install() {
+ default
+ dodoc INCOMPATIBILITIES iptables/iptables.xslt
+
+ # all the iptables binaries are in /sbin, so might as well
+ # put these small files in with them
+ into /
+ dosbin iptables/iptables-apply
+ dosym iptables-apply /sbin/ip6tables-apply
+ doman iptables/iptables-apply.8
+
+ insinto /usr/include
+ doins include/iptables.h $(use ipv6 && echo include/ip6tables.h)
+ insinto /usr/include/iptables
+ doins include/iptables/internal.h
+
+ keepdir /var/lib/iptables
+ newinitd "${FILESDIR}"/${PN}-1.4.13-r1.init iptables
+ newconfd "${FILESDIR}"/${PN}-1.4.13.confd iptables
+ if use ipv6 ; then
+ keepdir /var/lib/ip6tables
+ newinitd "${FILESDIR}"/iptables-1.4.13-r1.init ip6tables
+ newconfd "${FILESDIR}"/ip6tables-1.4.13.confd ip6tables
+ fi
+
+ # Move important libs to /lib
+ gen_usr_ldscript -a ip{4,6}tc iptc xtables
+ find "${ED}" -type f -name '*.la' -exec rm -rf '{}' '+' || die "la removal failed"
+}
diff --git a/net-firewall/iptables/iptables-1.4.18.ebuild b/net-firewall/iptables/iptables-1.4.18.ebuild
new file mode 100644
index 000000000000..6976767da282
--- /dev/null
+++ b/net-firewall/iptables/iptables-1.4.18.ebuild
@@ -0,0 +1,88 @@
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="4"
+
+# Force users doing their own patches to install their own tools
+AUTOTOOLS_AUTO_DEPEND=no
+
+inherit eutils multilib toolchain-funcs autotools
+
+DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
+HOMEPAGE="http://www.netfilter.org/projects/iptables/"
+SRC_URI="http://www.netfilter.org/projects/iptables/files/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
+IUSE="ipv6 netlink static-libs"
+
+RDEPEND="
+ netlink? ( net-libs/libnfnetlink )
+"
+DEPEND="${RDEPEND}
+ virtual/os-headers
+ virtual/pkgconfig
+"
+
+src_prepare() {
+ # use the saner headers from the kernel
+ rm -f include/linux/{kernel,types}.h
+ epatch "${FILESDIR}"/${P}-extensions-link.patch
+ epatch "${FILESDIR}"/${P}-ipv6-linkage.patch
+
+ # Only run autotools if user patched something
+ epatch_user && eautoreconf || elibtoolize
+}
+
+src_configure() {
+ # Some libs use $(AR) rather than libtool to build #444282
+ tc-export AR
+
+ sed -i \
+ -e "/nfnetlink=[01]/s:=[01]:=$(usex netlink 1 0):" \
+ configure || die
+
+ econf \
+ --sbindir="${EPREFIX}/sbin" \
+ --libexecdir="${EPREFIX}/$(get_libdir)" \
+ --enable-devel \
+ --enable-shared \
+ $(use_enable static-libs static) \
+ $(use_enable ipv6)
+}
+
+src_compile() {
+ emake V=1
+}
+
+src_install() {
+ default
+ dodoc INCOMPATIBILITIES iptables/iptables.xslt
+
+ # all the iptables binaries are in /sbin, so might as well
+ # put these small files in with them
+ into /
+ dosbin iptables/iptables-apply
+ dosym iptables-apply /sbin/ip6tables-apply
+ doman iptables/iptables-apply.8
+
+ insinto /usr/include
+ doins include/iptables.h $(use ipv6 && echo include/ip6tables.h)
+ insinto /usr/include/iptables
+ doins include/iptables/internal.h
+
+ keepdir /var/lib/iptables
+ newinitd "${FILESDIR}"/${PN}-1.4.13-r1.init iptables
+ newconfd "${FILESDIR}"/${PN}-1.4.13.confd iptables
+ if use ipv6 ; then
+ keepdir /var/lib/ip6tables
+ newinitd "${FILESDIR}"/iptables-1.4.13-r1.init ip6tables
+ newconfd "${FILESDIR}"/ip6tables-1.4.13.confd ip6tables
+ fi
+
+ # Move important libs to /lib
+ gen_usr_ldscript -a ip{4,6}tc iptc xtables
+ find "${ED}" -type f -name '*.la' -exec rm -rf '{}' '+' || die "la removal failed"
+}
diff --git a/net-firewall/iptables/iptables-1.4.19.1.ebuild b/net-firewall/iptables/iptables-1.4.19.1.ebuild
new file mode 100644
index 000000000000..052c7e70e34e
--- /dev/null
+++ b/net-firewall/iptables/iptables-1.4.19.1.ebuild
@@ -0,0 +1,87 @@
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="4"
+
+# Force users doing their own patches to install their own tools
+AUTOTOOLS_AUTO_DEPEND=no
+
+inherit eutils multilib toolchain-funcs autotools
+
+DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
+HOMEPAGE="http://www.netfilter.org/projects/iptables/"
+SRC_URI="http://www.netfilter.org/projects/iptables/files/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
+IUSE="ipv6 netlink static-libs"
+
+RDEPEND="
+ netlink? ( net-libs/libnfnetlink )
+"
+DEPEND="${RDEPEND}
+ virtual/os-headers
+ virtual/pkgconfig
+"
+
+src_prepare() {
+ # use the saner headers from the kernel
+ rm -f include/linux/{kernel,types}.h
+
+ # Only run autotools if user patched something
+ epatch_user && eautoreconf || elibtoolize
+}
+
+src_configure() {
+ # Some libs use $(AR) rather than libtool to build #444282
+ tc-export AR
+
+ sed -i \
+ -e "/nfnetlink=[01]/s:=[01]:=$(usex netlink 1 0):" \
+ configure || die
+
+ econf \
+ --sbindir="${EPREFIX}/sbin" \
+ --libexecdir="${EPREFIX}/$(get_libdir)" \
+ --enable-devel \
+ --enable-shared \
+ $(use_enable static-libs static) \
+ $(use_enable ipv6)
+}
+
+src_compile() {
+ emake V=1
+}
+
+src_install() {
+ default
+ dodoc INCOMPATIBILITIES iptables/iptables.xslt
+
+ # all the iptables binaries are in /sbin, so might as well
+ # put these small files in with them
+ into /
+ dosbin iptables/iptables-apply
+ dosym iptables-apply /sbin/ip6tables-apply
+ doman iptables/iptables-apply.8
+
+ insinto /usr/include
+ doins include/iptables.h $(use ipv6 && echo include/ip6tables.h)
+ insinto /usr/include/iptables
+ doins include/iptables/internal.h
+
+ keepdir /var/lib/iptables
+ newinitd "${FILESDIR}"/${PN}-1.4.13-r1.init iptables
+ newconfd "${FILESDIR}"/${PN}-1.4.13.confd iptables
+ if use ipv6 ; then
+ keepdir /var/lib/ip6tables
+ newinitd "${FILESDIR}"/iptables-1.4.13-r1.init ip6tables
+ newconfd "${FILESDIR}"/ip6tables-1.4.13.confd ip6tables
+ fi
+
+ # Move important libs to /lib
+ gen_usr_ldscript -a ip{4,6}tc iptc xtables
+
+ prune_libtool_files
+}
diff --git a/net-firewall/iptables/iptables-1.4.20.ebuild b/net-firewall/iptables/iptables-1.4.20.ebuild
new file mode 100644
index 000000000000..43dc46ce3714
--- /dev/null
+++ b/net-firewall/iptables/iptables-1.4.20.ebuild
@@ -0,0 +1,87 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="4"
+
+# Force users doing their own patches to install their own tools
+AUTOTOOLS_AUTO_DEPEND=no
+
+inherit eutils multilib toolchain-funcs autotools
+
+DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
+HOMEPAGE="http://www.netfilter.org/projects/iptables/"
+SRC_URI="http://www.netfilter.org/projects/iptables/files/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86"
+IUSE="ipv6 netlink static-libs"
+
+RDEPEND="
+ netlink? ( net-libs/libnfnetlink )
+"
+DEPEND="${RDEPEND}
+ virtual/os-headers
+ virtual/pkgconfig
+"
+
+src_prepare() {
+ # use the saner headers from the kernel
+ rm -f include/linux/{kernel,types}.h
+
+ # Only run autotools if user patched something
+ epatch_user && eautoreconf || elibtoolize
+}
+
+src_configure() {
+ # Some libs use $(AR) rather than libtool to build #444282
+ tc-export AR
+
+ sed -i \
+ -e "/nfnetlink=[01]/s:=[01]:=$(usex netlink 1 0):" \
+ configure || die
+
+ econf \
+ --sbindir="${EPREFIX}/sbin" \
+ --libexecdir="${EPREFIX}/$(get_libdir)" \
+ --enable-devel \
+ --enable-shared \
+ $(use_enable static-libs static) \
+ $(use_enable ipv6)
+}
+
+src_compile() {
+ emake V=1
+}
+
+src_install() {
+ default
+ dodoc INCOMPATIBILITIES iptables/iptables.xslt
+
+ # all the iptables binaries are in /sbin, so might as well
+ # put these small files in with them
+ into /
+ dosbin iptables/iptables-apply
+ dosym iptables-apply /sbin/ip6tables-apply
+ doman iptables/iptables-apply.8
+
+ insinto /usr/include
+ doins include/iptables.h $(use ipv6 && echo include/ip6tables.h)
+ insinto /usr/include/iptables
+ doins include/iptables/internal.h
+
+ keepdir /var/lib/iptables
+ newinitd "${FILESDIR}"/${PN}-1.4.13-r1.init iptables
+ newconfd "${FILESDIR}"/${PN}-1.4.13.confd iptables
+ if use ipv6 ; then
+ keepdir /var/lib/ip6tables
+ newinitd "${FILESDIR}"/iptables-1.4.13-r1.init ip6tables
+ newconfd "${FILESDIR}"/ip6tables-1.4.13.confd ip6tables
+ fi
+
+ # Move important libs to /lib
+ gen_usr_ldscript -a ip{4,6}tc iptc xtables
+
+ prune_libtool_files
+}
diff --git a/net-firewall/iptables/iptables-1.4.21-r1.ebuild b/net-firewall/iptables/iptables-1.4.21-r1.ebuild
new file mode 100644
index 000000000000..95ceda5539c2
--- /dev/null
+++ b/net-firewall/iptables/iptables-1.4.21-r1.ebuild
@@ -0,0 +1,92 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="5"
+
+# Force users doing their own patches to install their own tools
+AUTOTOOLS_AUTO_DEPEND=no
+
+inherit eutils multilib systemd toolchain-funcs autotools
+
+DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
+HOMEPAGE="http://www.netfilter.org/projects/iptables/"
+SRC_URI="http://www.netfilter.org/projects/iptables/files/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="alpha amd64 arm ~arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86"
+IUSE="ipv6 netlink static-libs"
+
+RDEPEND="
+ netlink? ( net-libs/libnfnetlink )
+"
+DEPEND="${RDEPEND}
+ virtual/os-headers
+ virtual/pkgconfig
+"
+
+src_prepare() {
+ # use the saner headers from the kernel
+ rm -f include/linux/{kernel,types}.h
+
+ # Only run autotools if user patched something
+ epatch_user && eautoreconf || elibtoolize
+}
+
+src_configure() {
+ # Some libs use $(AR) rather than libtool to build #444282
+ tc-export AR
+
+ sed -i \
+ -e "/nfnetlink=[01]/s:=[01]:=$(usex netlink 1 0):" \
+ configure || die
+
+ econf \
+ --sbindir="${EPREFIX}/sbin" \
+ --libexecdir="${EPREFIX}/$(get_libdir)" \
+ --enable-devel \
+ --enable-shared \
+ $(use_enable static-libs static) \
+ $(use_enable ipv6)
+}
+
+src_compile() {
+ emake V=1
+}
+
+src_install() {
+ default
+ dodoc INCOMPATIBILITIES iptables/iptables.xslt
+
+ # all the iptables binaries are in /sbin, so might as well
+ # put these small files in with them
+ into /
+ dosbin iptables/iptables-apply
+ dosym iptables-apply /sbin/ip6tables-apply
+ doman iptables/iptables-apply.8
+
+ insinto /usr/include
+ doins include/iptables.h $(use ipv6 && echo include/ip6tables.h)
+ insinto /usr/include/iptables
+ doins include/iptables/internal.h
+
+ keepdir /var/lib/iptables
+ newinitd "${FILESDIR}"/${PN}-1.4.13-r1.init iptables
+ newconfd "${FILESDIR}"/${PN}-1.4.13.confd iptables
+ if use ipv6 ; then
+ keepdir /var/lib/ip6tables
+ newinitd "${FILESDIR}"/iptables-1.4.13-r1.init ip6tables
+ newconfd "${FILESDIR}"/ip6tables-1.4.13.confd ip6tables
+ fi
+
+ systemd_dounit "${FILESDIR}"/systemd/iptables{,-{re,}store}.service
+ if use ipv6 ; then
+ systemd_dounit "${FILESDIR}"/systemd/ip6tables{,-{re,}store}.service
+ fi
+
+ # Move important libs to /lib
+ gen_usr_ldscript -a ip{4,6}tc iptc xtables
+
+ prune_libtool_files
+}
diff --git a/net-firewall/iptables/iptables-1.4.21.ebuild b/net-firewall/iptables/iptables-1.4.21.ebuild
new file mode 100644
index 000000000000..56a8118d78b0
--- /dev/null
+++ b/net-firewall/iptables/iptables-1.4.21.ebuild
@@ -0,0 +1,87 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="5"
+
+# Force users doing their own patches to install their own tools
+AUTOTOOLS_AUTO_DEPEND=no
+
+inherit eutils multilib toolchain-funcs autotools
+
+DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
+HOMEPAGE="http://www.netfilter.org/projects/iptables/"
+SRC_URI="http://www.netfilter.org/projects/iptables/files/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
+IUSE="ipv6 netlink static-libs"
+
+RDEPEND="
+ netlink? ( net-libs/libnfnetlink )
+"
+DEPEND="${RDEPEND}
+ virtual/os-headers
+ virtual/pkgconfig
+"
+
+src_prepare() {
+ # use the saner headers from the kernel
+ rm -f include/linux/{kernel,types}.h
+
+ # Only run autotools if user patched something
+ epatch_user && eautoreconf || elibtoolize
+}
+
+src_configure() {
+ # Some libs use $(AR) rather than libtool to build #444282
+ tc-export AR
+
+ sed -i \
+ -e "/nfnetlink=[01]/s:=[01]:=$(usex netlink 1 0):" \
+ configure || die
+
+ econf \
+ --sbindir="${EPREFIX}/sbin" \
+ --libexecdir="${EPREFIX}/$(get_libdir)" \
+ --enable-devel \
+ --enable-shared \
+ $(use_enable static-libs static) \
+ $(use_enable ipv6)
+}
+
+src_compile() {
+ emake V=1
+}
+
+src_install() {
+ default
+ dodoc INCOMPATIBILITIES iptables/iptables.xslt
+
+ # all the iptables binaries are in /sbin, so might as well
+ # put these small files in with them
+ into /
+ dosbin iptables/iptables-apply
+ dosym iptables-apply /sbin/ip6tables-apply
+ doman iptables/iptables-apply.8
+
+ insinto /usr/include
+ doins include/iptables.h $(use ipv6 && echo include/ip6tables.h)
+ insinto /usr/include/iptables
+ doins include/iptables/internal.h
+
+ keepdir /var/lib/iptables
+ newinitd "${FILESDIR}"/${PN}-1.4.13-r1.init iptables
+ newconfd "${FILESDIR}"/${PN}-1.4.13.confd iptables
+ if use ipv6 ; then
+ keepdir /var/lib/ip6tables
+ newinitd "${FILESDIR}"/iptables-1.4.13-r1.init ip6tables
+ newconfd "${FILESDIR}"/ip6tables-1.4.13.confd ip6tables
+ fi
+
+ # Move important libs to /lib
+ gen_usr_ldscript -a ip{4,6}tc iptc xtables
+
+ prune_libtool_files
+}
diff --git a/net-firewall/iptables/iptables-1.4.6.ebuild b/net-firewall/iptables/iptables-1.4.6.ebuild
new file mode 100644
index 000000000000..c8e790cd6996
--- /dev/null
+++ b/net-firewall/iptables/iptables-1.4.6.ebuild
@@ -0,0 +1,54 @@
+# Copyright 1999-2012 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+inherit eutils multilib toolchain-funcs
+
+DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
+HOMEPAGE="http://www.iptables.org/"
+SRC_URI="http://iptables.org/projects/iptables/files/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="alpha amd64 arm hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86"
+IUSE="ipv6"
+
+DEPEND="virtual/os-headers
+ !>=sys-kernel/linux-headers-2.6.33"
+RDEPEND=""
+
+src_unpack() {
+ unpack ${P}.tar.bz2
+ cd "${S}"
+ epatch_user
+}
+
+src_compile() {
+ econf \
+ --sbindir=/sbin \
+ --libexecdir=/$(get_libdir) \
+ --enable-devel \
+ --enable-libipq \
+ --enable-shared \
+ --enable-static \
+ $(use_enable ipv6)
+ emake V=1 || die
+}
+
+src_install() {
+ emake install DESTDIR="${D}" || die
+
+ insinto /usr/include
+ doins include/iptables.h $(use ipv6 && echo include/ip6tables.h) || die
+ insinto /usr/include/iptables
+ doins include/iptables/internal.h || die
+
+ keepdir /var/lib/iptables
+ newinitd "${FILESDIR}"/${PN}-1.3.2.init iptables || die
+ newconfd "${FILESDIR}"/${PN}-1.3.2.confd iptables || die
+ if use ipv6 ; then
+ keepdir /var/lib/ip6tables
+ newinitd "${FILESDIR}"/iptables-1.3.2.init ip6tables || die
+ newconfd "${FILESDIR}"/ip6tables-1.3.2.confd ip6tables || die
+ fi
+}
diff --git a/net-firewall/iptables/metadata.xml b/net-firewall/iptables/metadata.xml
new file mode 100644
index 000000000000..ed96e3dd4e4e
--- /dev/null
+++ b/net-firewall/iptables/metadata.xml
@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+<herd>base-system</herd>
+<use>
+ <flag name='netlink'>Build against libnfnetlink which enables the nfnl_osf util</flag>
+</use>
+<longdescription>
+ iptables is the userspace command line program used to set up, maintain, and
+ inspect the tables of IPv4 packet filter rules in the Linux kernel. It's a
+ part of packet filtering framework which allows the stateless and stateful
+ packet filtering, all kinds of network address and port translation, and is a
+ flexible and extensible infrastructure with multiple layers of API's for 3rd
+ party extensions. The iptables package also includes ip6tables. ip6tables is
+ used for configuring the IPv6 packet filter.
+
+ Note that some extensions (e.g. imq and l7filter) are not included into
+ official kernel sources so you have to patch the sources before installation.
+</longdescription>
+<upstream>
+ <remote-id type="cpe">cpe:/a:netfilter_core_team:iptables</remote-id>
+</upstream>
+</pkgmetadata>
diff --git a/net-firewall/itval/Manifest b/net-firewall/itval/Manifest
new file mode 100644
index 000000000000..b1343e53b77c
--- /dev/null
+++ b/net-firewall/itval/Manifest
@@ -0,0 +1 @@
+DIST ITVal-20121104.tar.bz2 71398 SHA256 dba3bcd2876b28fad4baedfd39a4d8ddd658d128e50c6f53253d321a082dcf42 SHA512 145f464154d0c88e6c43a16a6ea59f3f6f525612c99032bd5acb934975d46568a40b25996a92d63d190afbe2f129010fb7cdb843dced9eae4ec925b97ee17eca WHIRLPOOL 6c4ebb99b496988749559e83d6170e2f7c211cb9afe7e079a2591f11e01fc679dee5e94b030291bc76995f760b1ad3f056a5a64b110757f93e9d3e3cdbe8bdd2
diff --git a/net-firewall/itval/files/itval-1.1-gcc44.patch b/net-firewall/itval/files/itval-1.1-gcc44.patch
new file mode 100644
index 000000000000..796b67481796
--- /dev/null
+++ b/net-firewall/itval/files/itval-1.1-gcc44.patch
@@ -0,0 +1,28 @@
+--- a/FDDL/mdd.h
++++ b/FDDL/mdd.h
+@@ -29,10 +29,11 @@
+ //#define BRIEF_DEBUG
+
+ #ifndef FDDL_MDD_H
+ # define FDDL_MDD_H 1
+
++# include <cstdio>
+ # include <iostream>
+ # include <assert.h>
+
+ # include <FDDL/mddtypes.h>
+ # include <FDDL/caches.h>
+--- a/src/structures.h
++++ b/src/structures.h
+@@ -28,10 +28,11 @@
+
+ #ifndef __STRUCTURES_H
+ #define __STRUCTURES_H
+
+ #include <stdlib.h>
++#include <cstdio>
+
+ //Linked list of IP addresses
+ class address
+ {
+ public:
diff --git a/net-firewall/itval/itval-1.2_p20121104.ebuild b/net-firewall/itval/itval-1.2_p20121104.ebuild
new file mode 100644
index 000000000000..87c74aa5e6f0
--- /dev/null
+++ b/net-firewall/itval/itval-1.2_p20121104.ebuild
@@ -0,0 +1,37 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+
+CMAKE_IN_SOURCE_BUILD=1
+inherit cmake-utils versionator
+
+MY_PN="ITVal"
+MY_PV="$(get_version_component_range 3)"
+MY_PV="${MY_PV/p/}"
+MY_P="${MY_PN}-${MY_PV}"
+
+DESCRIPTION="Iptables policy testing and validation tool"
+HOMEPAGE="http://itval.sourceforge.net"
+SRC_URI="http://dev.gentoo.org/~pinkbyte/distfiles/snapshots/${MY_P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="amd64 x86"
+
+RDEPEND="dev-libs/fddl"
+DEPEND="
+ sys-devel/flex
+ sys-devel/bison
+ ${RDEPEND}
+"
+
+S=${WORKDIR}/${MY_P}
+
+DOCS=( AUTHORS ChangeLog README RELEASE )
+
+src_install() {
+ default
+ doman man/ITVal.n
+}
diff --git a/net-firewall/itval/metadata.xml b/net-firewall/itval/metadata.xml
new file mode 100644
index 000000000000..78692635ad22
--- /dev/null
+++ b/net-firewall/itval/metadata.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+ <herd>netmon</herd>
+</pkgmetadata>
diff --git a/net-firewall/lutelwall/Manifest b/net-firewall/lutelwall/Manifest
new file mode 100644
index 000000000000..2509d88a91c1
--- /dev/null
+++ b/net-firewall/lutelwall/Manifest
@@ -0,0 +1 @@
+DIST lutelwall-0.99.tar.gz 29209 SHA256 92ab7ab320cbefd694cd5ba3799e6143244402eac65ffcd4b52528bc31d1a1f8 SHA512 8812048c9e4ec3beff2214ed3ceb2d980d769ada686a934af22baec76a3670e51ddb171097adbfb78c63ce9bc25554b1da93ec8c86f59457277fd4651cf1068c WHIRLPOOL 842979556cecab887f9f050d5d92e0539c608023a694608d82e77a7d338ca6a6d8fc842dee49aa2def49dfeebc82faf23b12108e0363ec881395ced8279bdb76
diff --git a/net-firewall/lutelwall/files/lutelwall b/net-firewall/lutelwall/files/lutelwall
new file mode 100644
index 000000000000..5c9c64ec54b9
--- /dev/null
+++ b/net-firewall/lutelwall/files/lutelwall
@@ -0,0 +1,26 @@
+#!/sbin/runscript
+# Copyright 1999-2005 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License, v2 or later
+# $Id$
+
+depend() {
+ need net
+ use logger
+}
+
+start() {
+ ebegin "Starting LutelWall"
+ /usr/sbin/lutelwall start
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping LutelWall"
+ /usr/sbin/lutelwall stop
+ eend $?
+}
+
+restart() {
+ stop
+ start
+}
diff --git a/net-firewall/lutelwall/lutelwall-0.99.ebuild b/net-firewall/lutelwall/lutelwall-0.99.ebuild
new file mode 100644
index 000000000000..f6ba5792f84f
--- /dev/null
+++ b/net-firewall/lutelwall/lutelwall-0.99.ebuild
@@ -0,0 +1,33 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+
+DESCRIPTION="IPTables firewall setup script"
+LICENSE="GPL-2"
+HOMEPAGE="http://www.lutel.pl/lutelwall/"
+SRC_URI="http://www.lutel.pl/wp-content/uploads/${PV}/${P}.tar.gz"
+SLOT="0"
+KEYWORDS="alpha ~amd64 ~ppc ~sparc x86"
+
+RDEPEND="
+ >=net-firewall/iptables-1.2.6
+ >=sys-apps/gawk-3.1
+ sys-apps/iproute2
+"
+
+src_install() {
+ insinto /etc
+ doins lutelwall.conf
+
+ dosbin lutelwall
+ doinitd "${FILESDIR}"/lutelwall
+
+ dodoc FEATURES ChangeLog
+}
+
+pkg_postinst() {
+ elog "Basic configuration file is /etc/lutelwall.conf"
+ elog "Adjust it to your needs before using"
+}
diff --git a/net-firewall/lutelwall/metadata.xml b/net-firewall/lutelwall/metadata.xml
new file mode 100644
index 000000000000..8a0d713fe48d
--- /dev/null
+++ b/net-firewall/lutelwall/metadata.xml
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+<herd>netmon</herd>
+<herd>proxy-maintainers</herd>
+<maintainer>
+ <email>tomek@lutel.pl</email>
+ <name>Tomek Lutelmowski</name>
+ <description>LuteWall developer, third party maintainer</description>
+</maintainer>
+<longdescription>
+LutelWall is high-level firewall configuration tool. It uses human-readable and easy
+to understand configuration to set up Netfilter in most secure way. Its flexibility
+allows firewall admins build from very simple, single-homed firewalls, to most complex
+ones - with multiple subnets, DMZ's and traffic redirections.
+</longdescription>
+</pkgmetadata>
diff --git a/net-firewall/metadata.xml b/net-firewall/metadata.xml
new file mode 100644
index 000000000000..7ba30053341a
--- /dev/null
+++ b/net-firewall/metadata.xml
@@ -0,0 +1,35 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE catmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<catmetadata>
+ <longdescription lang="en">
+ The net-firewall category contains network firewall software.
+ </longdescription>
+ <longdescription lang="de">
+ Die Kategorie net-firewall enthült Firewall-Software.
+ </longdescription>
+ <longdescription lang="es">
+ La categoría net-firewall contiene programas relacionados con
+ cortafuegos de redes.
+ </longdescription>
+ <longdescription lang="ja">
+ net-firewall カテゴリーにはネットワーク・ファイアウォールの
+ ソフトウェアが含まれています。
+ </longdescription>
+ <longdescription lang="nl">
+ De net-firewall categorie bevat firewall-software.
+ </longdescription>
+ <longdescription lang="vi">
+ Nhóm net-firewall chứa các phần mềm firewall.
+ </longdescription>
+ <longdescription lang="it">
+ La categoria net-firewall contiene software per firewall.
+ </longdescription>
+ <longdescription lang="pt">
+ A categoria net-firewall contém programas de firewall para
+ redes.
+ </longdescription>
+ <longdescription lang="pl">
+ Kategoria net-firewall zawiera ściany ogniowe (firewalle).
+ </longdescription>
+</catmetadata>
+
diff --git a/net-firewall/nfacct/Manifest b/net-firewall/nfacct/Manifest
new file mode 100644
index 000000000000..9498245f4d74
--- /dev/null
+++ b/net-firewall/nfacct/Manifest
@@ -0,0 +1,2 @@
+DIST nfacct-1.0.0.tar.bz2 255640 SHA256 eb7e64c3ee4f1e4b5d508e933dc9dc2f91e14ea3ee5f1926aad76c114d1d2014 SHA512 5ffec413759f065f150b8af622ee61a984546d253a6c95771f3e88433cb85cbfa93a41cbc8bdda66f8a3f19ec20bccce44d38f02c7305bb2bc72dad754fea566 WHIRLPOOL 0b0a62ac2dd9c1c30fd4559a1c19adc76da39709c377cf2537ecef33338dc9174dd0f9a55d50ac55f357a725b867b82c524634ef47cd5c0da97398294ed5f8c8
+DIST nfacct-1.0.1.tar.bz2 257013 SHA256 81ef261616f313372a957431d17c5a0334984f06ceea190cf390479bf043e7c4 SHA512 4d428f51ce3b12382974de3cb7d502f6a18d9c0fd4446071fc2b5e932c44e4b33072202f8b9bd4bdf892a08a64533776bb8e9a0a7c4acc876cfec154f76227a1 WHIRLPOOL ab3983015154109389c831cf4ac8e6d4afb299b3f2d0d9e76ae6e23e716f0fcb00f3317dd0754f144a6650f5c42029d132c875aa7d90687e5f2ac8ca24c476aa
diff --git a/net-firewall/nfacct/metadata.xml b/net-firewall/nfacct/metadata.xml
new file mode 100644
index 000000000000..78692635ad22
--- /dev/null
+++ b/net-firewall/nfacct/metadata.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+ <herd>netmon</herd>
+</pkgmetadata>
diff --git a/net-firewall/nfacct/nfacct-1.0.0.ebuild b/net-firewall/nfacct/nfacct-1.0.0.ebuild
new file mode 100644
index 000000000000..643c98abf5fc
--- /dev/null
+++ b/net-firewall/nfacct/nfacct-1.0.0.ebuild
@@ -0,0 +1,23 @@
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=4
+
+inherit linux-info
+
+DESCRIPTION="Command line tool to create/retrieve/delete accounting objects in NetFilter"
+HOMEPAGE="http://netfilter.org/projects/nfacct"
+SRC_URI="http://www.netfilter.org/projects/${PN}/files/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="amd64 ~arm x86"
+IUSE=""
+
+RDEPEND="net-libs/libmnl
+ >=net-libs/libnetfilter_acct-1.0.0"
+DEPEND="${RDEPEND}
+ virtual/pkgconfig"
+
+CONFIG_CHECK="~NETFILTER_NETLINK_ACCT"
diff --git a/net-firewall/nfacct/nfacct-1.0.1.ebuild b/net-firewall/nfacct/nfacct-1.0.1.ebuild
new file mode 100644
index 000000000000..3a91810edcdc
--- /dev/null
+++ b/net-firewall/nfacct/nfacct-1.0.1.ebuild
@@ -0,0 +1,22 @@
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+
+inherit linux-info
+
+DESCRIPTION="Command line tool to create/retrieve/delete accounting objects in NetFilter"
+HOMEPAGE="http://netfilter.org/projects/nfacct"
+SRC_URI="http://www.netfilter.org/projects/${PN}/files/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="amd64 ~arm x86"
+
+RDEPEND="net-libs/libmnl
+ >=net-libs/libnetfilter_acct-1.0.2"
+DEPEND="${RDEPEND}
+ virtual/pkgconfig"
+
+CONFIG_CHECK="~NETFILTER_NETLINK_ACCT"
diff --git a/net-firewall/nftables/Manifest b/net-firewall/nftables/Manifest
new file mode 100644
index 000000000000..a443926b35a8
--- /dev/null
+++ b/net-firewall/nftables/Manifest
@@ -0,0 +1 @@
+DIST nftables-0.4.tar.bz2 362120 SHA256 f6ca69b75c68915f9f3a3972274ec68354dfbbcfc0b9fc55c813a0525c351d3c SHA512 0932cf987da602285fbf7c7f61328b0d74d687889c2d4a5bd2bd7fe11e8b99433bc5ee53ebbddadf2c90e40acdcb28f6babf07e11feedff815c571c3b782dffc WHIRLPOOL 1604010f260247c2fd98d33ca931eb0be6f38097937983aadfbdf2eb44fd3827212d00e6e6351821ccd8a2696fc696d9e7ec102d447387f930b8fb2afadc22a8
diff --git a/net-firewall/nftables/files/nftables.confd b/net-firewall/nftables/files/nftables.confd
new file mode 100644
index 000000000000..e83a4b962061
--- /dev/null
+++ b/net-firewall/nftables/files/nftables.confd
@@ -0,0 +1,19 @@
+# /etc/conf.d/nftables
+
+# Location in which nftables initscript will save set rules on
+# service shutdown
+NFTABLES_SAVE="/var/lib/nftables/rules-save"
+
+# Options to pass to nft on save
+SAVE_OPTIONS="-n"
+
+# Save state on stopping nftables
+SAVE_ON_STOP="yes"
+
+# If you need to log nftables messages as soon as nftables starts,
+# AND your logger does NOT depend on the network, then you may wish
+# to uncomment the next line.
+# If your logger depends on the network, and you uncomment this line
+# you will create an unresolvable circular dependency during startup.
+# After commenting or uncommenting this line, you must run 'rc-update -u'.
+#rc_use="logger"
diff --git a/net-firewall/nftables/files/nftables.init b/net-firewall/nftables/files/nftables.init
new file mode 100644
index 000000000000..c72639305654
--- /dev/null
+++ b/net-firewall/nftables/files/nftables.init
@@ -0,0 +1,166 @@
+#!/sbin/runscript
+# Copyright 2014 Nicholas Vinson
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+extra_commands="clear list panic save"
+extra_started_commands="reload"
+
+depend() {
+ need localmount #434774
+ before net
+}
+
+checkkernel() {
+ if ! nft list tables >/dev/null 2>&1; then
+ eerror "Your kernel lacks nftables support, please load"
+ eerror "appropriate modules and try again."
+ return 1
+ fi
+ return 0
+}
+
+checkconfig() {
+ if [ ! -f ${NFTABLES_SAVE} ]; then
+ eerror "Not starting nftables. First create some rules then run:"
+ eerror "rc-service nftables save"
+ return 1
+ fi
+ return 0
+}
+
+getfamilies() {
+ local families
+ for l3f in ip arp ip6 bridge inet; do
+ if nft list tables ${l3f} > /dev/null 2>&1; then
+ families="${families}${l3f} "
+ fi
+ done
+ echo ${families}
+}
+
+clearNFT() {
+ local l3f line table chain
+
+ for l3f in $(getfamilies); do
+ nft list tables ${l3f} | while read line; do
+ table=$(echo ${line} | sed "s/table[ \t]*//")
+ nft flush table ${l3f} ${table}
+ nft list table ${l3f} ${table} | while read l; do
+ chain=$(echo $l | grep -o 'chain [^[:space:]]\+' |\
+ cut -d ' ' -f2)
+ if [ -n "${chain}" ]; then
+ nft flush chain ${l3f} ${table} ${chain}
+ nft delete chain ${l3f} ${table} ${chain}
+ fi
+ done
+ nft delete table ${l3f} ${table}
+ done
+ done
+}
+
+addpanictable() {
+ local l3f=$1
+ nft add table ${l3f} panic
+ nft add chain ${l3f} panic input \{ type filter hook input priority 0\; \}
+ nft add chain ${l3f} panic output \{ type filter hook output priority 0\; \}
+ nft add chain ${l3f} panic forward \{ type filter hook forward priority 0\; \}
+ nft add rule ${l3f} panic input drop
+ nft add rule ${l3f} panic output drop
+ nft add rule ${l3f} panic forward drop
+}
+
+start_pre() {
+ checkkernel || return 1
+ checkconfig || return 1
+ return 0
+}
+
+start() {
+ ebegin "Loading nftables state and starting firewall"
+ clearNFT
+ nft -f ${NFTABLES_SAVE}
+ eend $?
+}
+
+stop() {
+ if yesno ${SAVE_ON_STOP:-yes}; then
+ save || return 1
+ fi
+
+ ebegin "Stopping firewall"
+ clearNFT
+ eend $?
+}
+
+reload() {
+ checkkernel || return 1
+ # checkrules || return 1
+ ebegin "Flushing firewall"
+ clearNFT
+
+ start
+}
+
+clear() {
+ clearNFT
+}
+
+list() {
+ local l3f
+
+ for l3f in $(getfamilies); do
+ nft list tables ${l3f} | while read line; do
+ line=$(echo ${line} | sed "s/table/table ${l3f}/")
+ echo "$(nft list ${line})"
+ done
+ done
+}
+
+save() {
+ ebegin "Saving nftables state"
+ checkpath -q -d "$(dirname "${NFTABLES_SAVE}")"
+ checkpath -q -m 0600 -f "${NFTABLES_SAVE}"
+
+ local l3f line tmp_save="${NFTABLES_SAVE}.tmp"
+
+ touch "${tmp_save}"
+ for l3f in $(getfamilies); do
+ nft list tables ${l3f} | while read line; do
+ line=$(echo ${line} | sed "s/table/table ${l3f}/")
+ # The below substitution fixes an issue where nft -n output may not
+ # always be parsable by nft -f. For example, nft -n might print
+ #
+ # ip6 saddr ::1 ip6 daddr ::1 counter packets 0 bytes 0 accept
+ #
+ # but nft -f refuses to parse that string with error:
+ #
+ # In file included from internal:0:0-0:
+ # /var/lib/nftables/rules-save:1:1-2: Error: Could not process rule:
+ # Invalid argument
+ # table ip6 filter {
+ # ^^
+ echo "$(nft ${SAVE_OPTIONS} list ${line} |\
+ sed 's/\(::[0-9a-fA-F]\+\)\([^/]\)/\1\/128\2/g')" >> "${tmp_save}"
+ done
+ done
+ mv "${tmp_save}" "${NFTABLES_SAVE}"
+}
+
+panic() {
+ checkkernel || return 1
+ if service_started ${RC_SVCNAME}; then
+ rc-service ${RC_SVCNAME} stop
+ fi
+
+ ebegin "Dropping all packets"
+ clearNFT
+
+ local l3f
+ for l3f in $(getfamilies); do
+ case ${l3f} in
+ ip) addpanictable ${l3f} ;;
+ ip6) addpanictable ${l3f} ;;
+ esac
+ done
+}
diff --git a/net-firewall/nftables/metadata.xml b/net-firewall/nftables/metadata.xml
new file mode 100644
index 000000000000..a25096653fc9
--- /dev/null
+++ b/net-firewall/nftables/metadata.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+<herd>base-system</herd>
+<maintainer>
+ <email>mrueg@gentoo.org</email>
+ <name>Manuel Rüger</name>
+</maintainer>
+</pkgmetadata>
diff --git a/net-firewall/nftables/nftables-0.4.ebuild b/net-firewall/nftables/nftables-0.4.ebuild
new file mode 100644
index 000000000000..85a0bbb60204
--- /dev/null
+++ b/net-firewall/nftables/nftables-0.4.ebuild
@@ -0,0 +1,54 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+
+inherit autotools linux-info
+
+DESCRIPTION="Linux kernel (3.13+) firewall, NAT and packet mangling tools"
+HOMEPAGE="http://netfilter.org/projects/nftables/"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~x86"
+IUSE="debug +readline"
+SRC_URI="http://netfilter.org/projects/${PN}/files/${P}.tar.bz2"
+
+RDEPEND="net-libs/libmnl
+ >=net-libs/libnftnl-1.0.2
+ dev-libs/gmp
+ readline? ( sys-libs/readline )"
+DEPEND="${RDEPEND}
+ >=app-text/docbook2X-0.8.8-r4
+ sys-devel/bison
+ sys-devel/flex"
+
+pkg_setup() {
+ if kernel_is ge 3 13; then
+ CONFIG_CHECK="~NF_TABLES"
+ linux-info_pkg_setup
+ else
+ eerror "This package requires kernel version 3.13 or newer to work properly."
+ fi
+}
+
+src_prepare() {
+ epatch_user
+ eautoreconf
+}
+
+src_configure() {
+ econf \
+ --sbindir="${EPREFIX}"/sbin \
+ $(use_enable debug) \
+ $(use_with readline cli)
+}
+
+src_install() {
+ default
+
+ newconfd "${FILESDIR}"/${PN}.confd ${PN}
+ newinitd "${FILESDIR}"/${PN}.init ${PN}
+ keepdir /var/lib/nftables
+}
diff --git a/net-firewall/nufw/Manifest b/net-firewall/nufw/Manifest
new file mode 100644
index 000000000000..e07d5abfce5e
--- /dev/null
+++ b/net-firewall/nufw/Manifest
@@ -0,0 +1 @@
+DIST nufw-2.2.22.tar.bz2 597491 SHA256 92603813b4138bfd52b5873c68d7c6e43f78885a414067e57bd2c1e8eba66b8c SHA512 cc9f43b9ebf6aabbab4c83799ca1735fc456c085959cfb24d17571302c71518660424195b2cc62ed615f811bd6b3c45e1b99db99138d1caa6a744370775acaee WHIRLPOOL 5e493d2aa2c661dd9766670bb805f98849c82f1962d39ff3692481f7049740cc73455e6aa45b7ca20632b2e254be8bb953f9aebdeb7a46c525578fc7a9d007ba
diff --git a/net-firewall/nufw/files/nuauth-conf.d b/net-firewall/nufw/files/nuauth-conf.d
new file mode 100644
index 000000000000..1ac750cf49fd
--- /dev/null
+++ b/net-firewall/nufw/files/nuauth-conf.d
@@ -0,0 +1,2 @@
+# configuration file for /etc/init.d/nuauth
+NUAUTH_OPTIONS=""
diff --git a/net-firewall/nufw/files/nuauth-init.d b/net-firewall/nufw/files/nuauth-init.d
new file mode 100644
index 000000000000..21bad8ff132f
--- /dev/null
+++ b/net-firewall/nufw/files/nuauth-init.d
@@ -0,0 +1,27 @@
+#!/sbin/runscript
+
+depend() {
+ before net
+}
+
+checkconfig() {
+ if [ ! -e /etc/nufw/nuauth.conf ]; then
+ eerror "You need a /etc/nufw/nuauth.conf file to run nuauth"
+ eerror "There is sample file in /usr/share/doc/nufw-version/"
+ return 1
+ fi
+}
+
+start() {
+ checkpath -d /run/nuauth
+ checkconfig || return 1
+ ebegin "Starting nuauth"
+ start-stop-daemon --start --quiet --exec /usr/sbin/nuauth -- -D ${NUAUTH_OPTIONS}
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping nuauth"
+ start-stop-daemon --stop --quiet --pidfile /run/nuauth/nuauth.pid
+ eend $?
+}
diff --git a/net-firewall/nufw/files/nufw-2.2.21-fix-gnutls.patch b/net-firewall/nufw/files/nufw-2.2.21-fix-gnutls.patch
new file mode 100644
index 000000000000..b5e8048cd051
--- /dev/null
+++ b/net-firewall/nufw/files/nufw-2.2.21-fix-gnutls.patch
@@ -0,0 +1,23 @@
+--- a/configure.ac
++++ b/configure.ac
+@@ -87,6 +87,7 @@
+ #AM_CHECK_PATH([libgcrypt], [gcry_md_open],AC_DEFINE([HAVE_LIBRARY_GCRYPT],[1],[Gcrypt lib flag]), check_gcrypt=no,[-L/usr/local/lib])
+ #AM_CHECK_PATH(libgnutls], [gnutls_init],AC_DEFINE([HAVE_LIBRARY_GNUTLS],[1],[Gnutls lib flag]), check_gnutls=no)
+
++PKG_PROG_PKG_CONFIG
+
+ NEED_LIBGCRYPT_VERSION=1.2.0
+ AM_PATH_LIBGCRYPT("$NEED_LIBGCRYPT_VERSION")
+@@ -99,11 +100,7 @@
+ fi
+
+ NEED_LIBGNUTLS_VERSION=1.0.16
+-AM_PATH_LIBGNUTLS("$NEED_LIBGNUTLS_VERSION")
+-if test "x$LIBGNUTLS_LIBS" = "x"; then
+- AC_MSG_ERROR([libgnutls is needed.
+- See www.gnu.org/software/gnutls/ .])
+-fi
++PKG_CHECK_MODULES(GNUTLS, gnutls >= $NEED_LIBGNUTLS_VERSION,,exit)
+
+ #Configure database support, depending on user input
+ AC_ARG_WITH(prelude-log,
diff --git a/net-firewall/nufw/files/nufw-2.2.22-var-run.patch b/net-firewall/nufw/files/nufw-2.2.22-var-run.patch
new file mode 100644
index 000000000000..f6bcc95e0006
--- /dev/null
+++ b/net-firewall/nufw/files/nufw-2.2.22-var-run.patch
@@ -0,0 +1,45 @@
+--- a/src/nuauth/auth_srv.h
++++ b/src/nuauth/auth_srv.h
+@@ -162,7 +162,7 @@
+ #ifdef S_SPLINT_S
+ # define NUAUTH_PID_FILE "/usr/local/var/run/nuauth/nuauth.pid"
+ #else
+-# define NUAUTH_PID_FILE LOCAL_STATE_DIR "/run/nuauth/nuauth.pid"
++# define NUAUTH_PID_FILE "/run/nuauth/nuauth.pid"
+ #endif
+
+ /* define the number of threads that will do user check */
+--- a/src/nuauth/command.c
++++ b/src/nuauth/command.c
+@@ -26,7 +26,7 @@
+ #include <sys/un.h> /* unix socket */
+ #include <sys/stat.h> /* fchmod() */
+
+-#define SOCKET_FILENAME LOCAL_STATE_DIR "/run/nuauth/nuauth-command.socket"
++#define SOCKET_FILENAME "/run/nuauth/nuauth-command.socket"
+
+ const char* COMMAND_HELP =
+ "version: display nuauth version\n"
+--- a/src/nufw/main.c
++++ b/src/nufw/main.c
+@@ -54,7 +54,7 @@
+
+ /*! Name of pid file prefixed by LOCAL_STATE_DIR (variable defined
+ * during compilation/installation) */
+-#define NUFW_PID_FILE LOCAL_STATE_DIR "/run/nufw.pid"
++#define NUFW_PID_FILE "/run/nufw.pid"
+
+ /**
+ * Stop threads and then wait until threads exit.
+--- a/src/nuauth/Makefile.am
++++ b/src/nuauth/Makefile.am
+@@ -26,9 +26,6 @@
+
+ nuauth_LDADD = $(GLIB_LIBS) -lm -lgnutls -lsasl2 -lnufw -L$(top_builddir)/src/include/
+
+-install-exec-local:
+- install -d "$(DESTDIR)$(localstatedir)/run/nuauth/"
+-
+ nuauth$(EXEEXT): $(nuauth_OBJECTS) $(nuauth_DEPENDENCIES)
+ @rm -f nuauth$(EXEEXT)
+ $(LINK) $(nuauth_LDFLAGS) $(nuauth_OBJECTS) $(nuauth_LDADD)
diff --git a/net-firewall/nufw/files/nufw-conf.d b/net-firewall/nufw/files/nufw-conf.d
new file mode 100644
index 000000000000..b2ea527744ec
--- /dev/null
+++ b/net-firewall/nufw/files/nufw-conf.d
@@ -0,0 +1,2 @@
+# configuration file for /etc/init.d/nufw
+NUFW_OPTIONS="-k /etc/nufw/nufw.key -c /etc/nufw/nufw.pem -d 127.0.0.1 -p 4129"
diff --git a/net-firewall/nufw/files/nufw-init.d b/net-firewall/nufw/files/nufw-init.d
new file mode 100644
index 000000000000..6cfcfd793248
--- /dev/null
+++ b/net-firewall/nufw/files/nufw-init.d
@@ -0,0 +1,17 @@
+#!/sbin/runscript
+
+depend() {
+ before net
+}
+
+start() {
+ ebegin "Starting nufw"
+ start-stop-daemon --start --quiet --exec /usr/sbin/nufw -- -D ${NUFW_OPTIONS}
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping nufw"
+ start-stop-daemon --stop --quiet --pidfile /run/nufw.pid
+ eend $?
+}
diff --git a/net-firewall/nufw/metadata.xml b/net-firewall/nufw/metadata.xml
new file mode 100644
index 000000000000..983d41997af1
--- /dev/null
+++ b/net-firewall/nufw/metadata.xml
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+<herd>netmon</herd>
+<use>
+<flag name='nfconntrack'>Use netfilter_conntrack</flag>
+<flag name='nfqueue'>Use NFQUEUE instead of QUEUE</flag>
+<flag name='pam_nuauth'>Add support for pam nufw from PAM</flag>
+<flag name='plaintext'>Add support for authentication with plaintext files</flag>
+</use>
+</pkgmetadata>
diff --git a/net-firewall/nufw/nufw-2.2.22-r1.ebuild b/net-firewall/nufw/nufw-2.2.22-r1.ebuild
new file mode 100644
index 000000000000..6da51fab622e
--- /dev/null
+++ b/net-firewall/nufw/nufw-2.2.22-r1.ebuild
@@ -0,0 +1,103 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+
+SSL_CERT_MANDATORY=1
+inherit autotools eutils multilib pam ssl-cert
+
+DESCRIPTION="An enterprise grade authenticating firewall based on netfilter"
+HOMEPAGE="http://www.nufw.org/"
+SRC_URI="http://www.nufw.org/attachments/download/39/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 x86"
+IUSE="debug ldap mysql pam pam_nuauth plaintext postgres prelude unicode nfqueue nfconntrack static syslog test"
+
+REQUIRED_USE="pam_nuauth? ( plaintext )"
+DEPEND="
+ dev-libs/cyrus-sasl
+ dev-libs/glib:2
+ dev-libs/libgcrypt:0
+ dev-python/ipy
+ net-firewall/iptables
+ net-libs/gnutls
+ ldap? ( >=net-nds/openldap-2 )
+ mysql? ( virtual/mysql )
+ nfconntrack? ( net-libs/libnetfilter_conntrack )
+ nfqueue? ( net-libs/libnfnetlink net-libs/libnetfilter_queue )
+ pam? ( sys-libs/pam )
+ pam_nuauth? ( sys-libs/pam )
+ postgres? ( dev-db/postgresql[server] )
+ prelude? ( dev-libs/libprelude )
+"
+RDEPEND=${DEPEND}
+
+RESTRICT="test"
+
+src_prepare() {
+ epatch "${FILESDIR}"/${P}-var-run.patch
+ sed -i \
+ -e 's:^#\(nuauth_tls_key="/etc/nufw/\)nuauth-key.pem:\1nuauth.key:' \
+ -e 's:^#\(nuauth_tls_cert="/etc/nufw/\)nuauth-cert.pem:\1nuauth.pem:' \
+ conf/nuauth.conf || die
+ sed -i \
+ -e "/^modulesdir/s|=.*|= /$(get_libdir)/security|g" \
+ src/clients/pam_nufw/Makefile.am || die
+ eautoreconf
+}
+
+src_configure() {
+ econf \
+ $(use_enable debug) \
+ $(use_enable pam_nuauth pam-nufw) \
+ $(use_enable static) \
+ $(use_with ldap) \
+ $(use_with mysql mysql-auth) \
+ $(use_with mysql mysql-log) \
+ $(use_with nfconntrack) \
+ $(use_with nfqueue) \
+ $(use_with pam system-auth) \
+ $(use_with plaintext plaintext-auth) \
+ $(use_with postgres pgsql-log) \
+ $(use_with prelude prelude-log) \
+ $(use_with syslog syslog-log) \
+ $(use_with unicode utf8) \
+ --enable-shared \
+ --includedir="/usr/include/nufw" \
+ --localstatedir="/var" \
+ --sysconfdir="/etc/nufw" \
+ --with-mark-group \
+ --with-user-mark
+}
+
+src_install() {
+ default
+
+ newinitd "${FILESDIR}"/nufw-init.d nufw
+ newconfd "${FILESDIR}"/nufw-conf.d nufw
+
+ newinitd "${FILESDIR}"/nuauth-init.d nuauth
+ newconfd "${FILESDIR}"/nuauth-conf.d nuauth
+
+ insinto /etc/nufw
+ doins conf/nuauth.conf
+
+ dodoc AUTHORS ChangeLog NEWS README TODO
+ docinto scripts
+ dodoc scripts/{clean_conntrack.pl,nuaclgen,nutop,README,ulog_rotate_daily.sh,ulog_rotate_weekly.sh}
+ docinto conf
+ dodoc conf/*.{nufw,schema,conf,dump,xml}
+
+ if use pam; then
+ pamd_mimic system-auth nufw auth account password session
+ fi
+
+ prune_libtool_files
+}
+
+pkg_postinst() {
+ install_cert /etc/nufw/{nufw,nuauth}
+}
diff --git a/net-firewall/pftop/Manifest b/net-firewall/pftop/Manifest
new file mode 100644
index 000000000000..35e33b767c40
--- /dev/null
+++ b/net-firewall/pftop/Manifest
@@ -0,0 +1,5 @@
+DIST pftop-0.5.tar.gz 24855 SHA256 e5d0fd0d84285a52fd0d1944908d4c3e4f545ec0f0e11e9f9c29ce1536a9d0b7
+DIST pftop-0.7-patches-1.tar.bz2 5403 SHA256 35564dbfc45859fee9d59b90cda510ca642e4a17ef2fdd5a771937a5fcbb96dc SHA512 80ad35cd59d4e4ecc76d72e0973a13af9efcbbbf3a50f1fc8c3756c05ff04fc5db302dfddc0e2ac1a2d5abf8201e1cc3f0246a2df46e053ad2d6b3489ad118b8 WHIRLPOOL 621af8f990617b6af0eea4b3b939857e510d2b755e02718862cc48a15d04b570a523091f0311ac167b795116cbaa9bce6c16a3d3294035f3204c4b060e02e09b
+DIST pftop-0.7-patches-2.tar.bz2 10225 SHA256 2bda1d635d30f4bf0b5e1080aca079345e6b2ce01421bf62f60e8a363e0331a2 SHA512 57444d849e21848febe2189413ea01baa9855e05e7cfb491522da8da49ca2b49cc2fc08e3121ef1e34c9f63efbd2c20bd05ab2658514e08e5966bf0d9c3d3ed5 WHIRLPOOL ba39d17605a1d15bb8763f04787399e9456f46fd06d75f7753ab764a6183b3fbb3509d7584e85040cefa352059945b8416b0ef9d50be2e9d02eea15d5f519005
+DIST pftop-0.7-patches-3.tar.bz2 10611 SHA256 56826b18fb4b6559dd3ddec1d53ab7d84988dcb10f5b1abc6539f2f7ffb1ae22 SHA512 7c8f438e8fc1c507313cf9fe69da2b27bdc57e4cf27b8b0d6153fb0c269d417a59ff93cd74987809b131ae2d148b659ca00d93da1346a515b11c1d8bbfc67f1f WHIRLPOOL c4c5f833daa9aef066351dd924e581dfd595d8ee0b987ee5dd5693480eca540ebbb4c603a1ceb4fc87678473ea4790e026b0ad86775187581aa6e285c19fbc4f
+DIST pftop-0.7.tar.gz 59765 SHA256 afde859fab77597e4aae1ef6b87f1bb26a5ad8cb2b1d7316a12e5098153492af SHA512 e9be01704adc112bd1f5dc011f7900754d600df6be50e28ee4a937faabe00b627ed4d1565e92560d750e70f5117533c494565f616f3562eae61301642d438713 WHIRLPOOL af50aa66c7eecfa7bdd390f86e0953baac4ccd45652c6fadfbe952b201190fe402b667fb5c262449e503c3aac88916f23e6e2bc219803b5ea823670df85097dc
diff --git a/net-firewall/pftop/metadata.xml b/net-firewall/pftop/metadata.xml
new file mode 100644
index 000000000000..49ee990318f8
--- /dev/null
+++ b/net-firewall/pftop/metadata.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+ <herd>bsd</herd>
+ <use>
+ <flag name="altq">Enable altq(4) support — alternate queuing of network packets.</flag>
+ </use>
+</pkgmetadata>
diff --git a/net-firewall/pftop/pftop-0.5.ebuild b/net-firewall/pftop/pftop-0.5.ebuild
new file mode 100644
index 000000000000..d3013e72d5cf
--- /dev/null
+++ b/net-firewall/pftop/pftop-0.5.ebuild
@@ -0,0 +1,41 @@
+# Copyright 2006-2006 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+inherit bsdmk
+DESCRIPTION="Pftop: curses-based utility for real-time display of active states and rule statistics for pf"
+
+HOMEPAGE="http://www.eee.metu.edu.tr/~canacar/pftop/"
+
+SRC_URI="http://www.eee.metu.edu.tr/~canacar/${P}.tar.gz"
+
+LICENSE="BSD"
+SLOT="0"
+KEYWORDS="~x86-fbsd"
+IUSE=""
+
+RDEPEND="sys-libs/ncurses"
+
+src_compile() {
+ # OS_LEVEL variable refers to the version of pf shipped with OpenBSD.
+ # On FreeBSD we have to know it.
+ local OSLEVEL
+
+ case ${CHOST} in
+ *-openbsd*)
+ local obsdver=${CHOST/*-openbsd/}
+ OSLEVEL=${obsdver//.}
+ ;;
+ *-freebsd5.[34]) OSLEVEL=35 ;;
+ *-freebsd6.[012]) OSLEVEL=37 ;;
+ *)
+ die "Your OS/Version is not supported (${CHOST}), please report."
+ ;;
+ esac
+
+ mkmake LOCALBASE="/usr" CFLAGS="${CFLAGS} -DOS_LEVEL=${OSLEVEL}" || die "pmake failed"
+}
+
+src_install() {
+ mkinstall DESTDIR=${D} LOCALBASE="/usr" MANDIR="/usr/share/man/man" install || die
+}
diff --git a/net-firewall/pftop/pftop-0.7-r1.ebuild b/net-firewall/pftop/pftop-0.7-r1.ebuild
new file mode 100644
index 000000000000..ac646b2ff19a
--- /dev/null
+++ b/net-firewall/pftop/pftop-0.7-r1.ebuild
@@ -0,0 +1,50 @@
+# Copyright 1999-2012 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=4
+PATCH_PV=2
+
+inherit bsdmk flag-o-matic eutils
+
+DESCRIPTION="Pftop: curses-based utility for real-time display of active states and rule statistics for pf"
+HOMEPAGE="http://www.eee.metu.edu.tr/~canacar/pftop/"
+SRC_URI="http://www.eee.metu.edu.tr/~canacar/${P}.tar.gz
+ mirror://gentoo/${P}-patches-${PATCH_PV}.tar.bz2"
+
+LICENSE="BSD"
+SLOT="0"
+KEYWORDS="~x86-fbsd"
+IUSE="altq"
+
+RDEPEND="sys-libs/ncurses"
+
+src_prepare() {
+ epatch "${WORKDIR}"/patches/*
+}
+
+src_compile() {
+ # OS_LEVEL variable refers to the version of pf shipped with OpenBSD.
+ # On FreeBSD we have to know it.
+ local OSLEVEL
+
+ case ${CHOST} in
+ *-openbsd*)
+ local obsdver=${CHOST/*-openbsd/}
+ OSLEVEL=${obsdver//.}
+ ;;
+ *-freebsd[78]*) OSLEVEL=41 ;;
+ *-freebsd9*) OSLEVEL=45 ;;
+ *)
+ die "Your OS/Version is not supported (${CHOST}), please report."
+ ;;
+ esac
+ append-flags "-DHAVE_SNPRINTF -DHAVE_VSNPRINTF -DOS_LEVEL=${OSLEVEL}"
+ use altq && append-flags "-DHAVE_ALTQ"
+ mkmake LOCALBASE="/usr" CFLAGS="${CFLAGS}" || die "pmake failed"
+}
+
+src_install() {
+ mkinstall DESTDIR="${D}" LOCALBASE="/usr" MANDIR="/usr/share/man/man" \
+ NO_MANCOMPRESS= install || die
+}
diff --git a/net-firewall/pftop/pftop-0.7-r2.ebuild b/net-firewall/pftop/pftop-0.7-r2.ebuild
new file mode 100644
index 000000000000..11ed8929df22
--- /dev/null
+++ b/net-firewall/pftop/pftop-0.7-r2.ebuild
@@ -0,0 +1,50 @@
+# Copyright 1999-2012 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=4
+PATCH_PV=3
+
+inherit bsdmk flag-o-matic eutils
+
+DESCRIPTION="Pftop: curses-based utility for real-time display of active states and rule statistics for pf"
+HOMEPAGE="http://www.eee.metu.edu.tr/~canacar/pftop/"
+SRC_URI="http://www.eee.metu.edu.tr/~canacar/${P}.tar.gz
+ mirror://gentoo/${P}-patches-${PATCH_PV}.tar.bz2"
+
+LICENSE="BSD"
+SLOT="0"
+KEYWORDS="~x86-fbsd"
+IUSE="altq"
+
+RDEPEND="sys-libs/ncurses"
+
+src_prepare() {
+ epatch "${WORKDIR}"/patches/*
+}
+
+src_compile() {
+ # OS_LEVEL variable refers to the version of pf shipped with OpenBSD.
+ # On FreeBSD we have to know it.
+ local OSLEVEL
+
+ case ${CHOST} in
+ *-openbsd*)
+ local obsdver=${CHOST/*-openbsd/}
+ OSLEVEL=${obsdver//.}
+ ;;
+ *-freebsd[78]*) OSLEVEL=41 ;;
+ *-freebsd9*) OSLEVEL=45 ;;
+ *)
+ die "Your OS/Version is not supported (${CHOST}), please report."
+ ;;
+ esac
+ append-flags "-DHAVE_SNPRINTF -DHAVE_VSNPRINTF -DOS_LEVEL=${OSLEVEL}"
+ use altq && append-flags "-DHAVE_ALTQ"
+ mkmake LOCALBASE="/usr" CFLAGS="${CFLAGS}" || die "pmake failed"
+}
+
+src_install() {
+ mkinstall DESTDIR="${D}" LOCALBASE="/usr" MANDIR="/usr/share/man/man" \
+ NO_MANCOMPRESS= install || die
+}
diff --git a/net-firewall/pftop/pftop-0.7.ebuild b/net-firewall/pftop/pftop-0.7.ebuild
new file mode 100644
index 000000000000..8ec96bb1c9f8
--- /dev/null
+++ b/net-firewall/pftop/pftop-0.7.ebuild
@@ -0,0 +1,51 @@
+# Copyright 1999-2010 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+PATCH_PV=1
+
+inherit bsdmk flag-o-matic eutils
+
+DESCRIPTION="Pftop: curses-based utility for real-time display of active states and rule statistics for pf"
+HOMEPAGE="http://www.eee.metu.edu.tr/~canacar/pftop/"
+SRC_URI="http://www.eee.metu.edu.tr/~canacar/${P}.tar.gz
+ mirror://gentoo/${P}-patches-${PATCH_PV}.tar.bz2"
+
+LICENSE="BSD"
+SLOT="0"
+KEYWORDS="~x86-fbsd"
+IUSE=""
+
+RDEPEND="sys-libs/ncurses"
+
+src_unpack() {
+ unpack ${A}
+ cd "${S}"
+ epatch "${WORKDIR}"/patches/*
+}
+
+src_compile() {
+ # OS_LEVEL variable refers to the version of pf shipped with OpenBSD.
+ # On FreeBSD we have to know it.
+ local OSLEVEL
+
+ case ${CHOST} in
+ *-openbsd*)
+ local obsdver=${CHOST/*-openbsd/}
+ OSLEVEL=${obsdver//.}
+ ;;
+ *-freebsd5.[34]) OSLEVEL=35 ;;
+ *-freebsd6.[012]) OSLEVEL=37 ;;
+ *-freebsd*) OSLEVEL=41 ;;
+ *)
+ die "Your OS/Version is not supported (${CHOST}), please report."
+ ;;
+ esac
+ append-flags "-DHAVE_SNPRINTF -DHAVE_VSNPRINTF -DOS_LEVEL=${OSLEVEL}"
+ mkmake LOCALBASE="/usr" CFLAGS="${CFLAGS}" || die "pmake failed"
+}
+
+src_install() {
+ mkinstall DESTDIR="${D}" LOCALBASE="/usr" MANDIR="/usr/share/man/man" \
+ NO_MANCOMPRESS= install || die
+}
diff --git a/net-firewall/pglinux/Manifest b/net-firewall/pglinux/Manifest
new file mode 100644
index 000000000000..3295409ad296
--- /dev/null
+++ b/net-firewall/pglinux/Manifest
@@ -0,0 +1,4 @@
+DIST pgl-2.2.1_p20120711.tar.xz 412840 SHA256 cc32046e4ae6b4441b5135a951091c5dc9603a6b89f8f16721f60200a600a434 SHA512 bbde8d990253db97093969aeddc0466e3c0a0c3b008a67f9779ae2a47436be939751522710a69bd7a7d7c299235a60c886f8a36e99ea8bffcfa319d697e0c20f WHIRLPOOL 6abe0f35b647890ea6cff8368060954b2e6fa52ff7d58e5976eecbde495c4e5e7695fe3a025ce357e7b4b68b437a37949046293e50f60e610b9265dca8b6db0f
+DIST pgl-2.2.2.tar.gz 590472 SHA256 4794ec5b16f5f901866811826d56091df7b5f6d9703cf97f95d3b15075aadb8e SHA512 bc59276b651d5998f2c4c752fc0575ad482455eb3f98d42bd66d9035f68d26d04273f63287b0ba52d8a5f678ee28f8ac7a2fa3e1b956252edc8318563b85043d WHIRLPOOL 22fa7e498ae0e0ac37bebb9ce5ebac0a6f8209f42f010660586b320f7b23cb310b64749a61b77657b63a69f6755e9eec957bb27cf519e3cde4cbafa15a58e88c
+DIST pgl-2.2.3.tar.gz 608243 SHA256 03627b54147894ca26b8a68829732910f15c9d4398fae5e461569b5625b77000 SHA512 51d34c23fc1cbfda047555d3527433d096d00255474b6b9b141eca990a3708aaa335bd1ad35e15ae5f0400802c49043ae5078bd0dcb95377501143c3a4089b6c WHIRLPOOL 867f552d402660968eb780cd6a6710f45d7b023b67ef15b87ff6f8fa44cc64ed15653036ef3a89fd30ea2569509e2d622c84de741bfc3ff615daed0ef86603bb
+DIST pgl-2.2.4.tar.gz 608622 SHA256 26e91cb085a9da7faa643f9364192c0e3eeec64ccae56d0bb62de5174e185866 SHA512 d6daad259a904647917388e586d4bd7d6a73b078bf61974a5682b6eec2d8d2abb02760483838f23fefa13ae761b4bd40765ddb13e6d820d0b6e3ee65b0815f58 WHIRLPOOL 59de9ad6a3c95e2f9f553e7c311be948b488825bfe8db7e2fc78610d46d98c0cbef4ce4846a659b01b2a0b6548dfed13dde27c55ffc22cb37418b97cde0c0ca8
diff --git a/net-firewall/pglinux/files/0-pglinux-2.2.2-gentoo-init.patch b/net-firewall/pglinux/files/0-pglinux-2.2.2-gentoo-init.patch
new file mode 100644
index 000000000000..f3ae3cf85d17
--- /dev/null
+++ b/net-firewall/pglinux/files/0-pglinux-2.2.2-gentoo-init.patch
@@ -0,0 +1,61 @@
+diff --git a/pgl/pglcmd/init/pgl.gentoo.in b/pgl/pglcmd/init/pgl.gentoo.in
+new file mode 100644
+index 0000000..c94d978
+--- /dev/null
++++ b/pgl/pglcmd/init/pgl.gentoo.in
+@@ -0,0 +1,55 @@
++#!/sbin/runscript
++# Copyright 1999-2012 Gentoo Foundation
++# Distributed under the terms of the GNU General Public License v2
++
++description="Daemon script for pglinux"
++extra_commands="reload forcereload update"
++
++depend() {
++ need net
++}
++
++PIDFILE=@PID_DIR@/pgld.pid
++PGLCMD=@PGLCMDPATH@
++
++start() {
++ ebegin "Starting pglinux daemon"
++
++ if [ "${RC_CMD}" = "restart" ]; then
++ sleep 3
++ fi
++
++ $PGLCMD start
++ eend $?
++}
++
++stop() {
++ ebegin "Stopping pglinux daemon"
++ $PGLCMD stop_quick
++ eend $?
++}
++
++status() {
++ ebegin "Checking status of pglinux daemon"
++ $PGLCMD status
++ eend $?
++}
++
++reload() {
++ ebegin "reload config"
++ $PGLCMD reload
++ eend $?
++}
++
++forcereload() {
++ ebegin "force config reload"
++ $PGLCMD force-reload
++ eend $?
++}
++
++update() {
++ ebegin "Force update of lists"
++ $PGLCMD update
++ eend $?
++}
++
diff --git a/net-firewall/pglinux/files/0-pglinux-2.2.2-systemd.patch b/net-firewall/pglinux/files/0-pglinux-2.2.2-systemd.patch
new file mode 100644
index 000000000000..0c8d50b10dd0
--- /dev/null
+++ b/net-firewall/pglinux/files/0-pglinux-2.2.2-systemd.patch
@@ -0,0 +1,42 @@
+commit 5099e4f985db621465f6d5c91ddad877926322c8
+Author: jre <jre-phoenix@users.sourceforge.net>
+Date: Thu Feb 14 00:12:00 2013 +0100
+
+ added systemd file by Pierre Buard, Arch Linux
+
+diff --git a/pgl/INSTALL b/pgl/INSTALL
+index e0225a2..25f668e 100644
+--- a/pgl/INSTALL
++++ b/pgl/INSTALL
+@@ -278,9 +278,8 @@ http://forums.phoenixlabs.org/thread-15882-post-120482.html#pid120482
+
+ ARCH / AUR (Arch User Repo):
+ ----------------------------
+-PKGBUILD by Gilrain:
++PKGBUILD by Pierre Buard (Gilrain), Arch Linux maintainer
+ https://aur.archlinux.org/packages.php?ID=51839
+-(Last Updated: Thu, 14 Jun 2012 08:52:59 +0000 for 2.2.0)
+
+
+ Gentoo:
+diff --git a/pgl/pglcmd/init/service b/pgl/pglcmd/init/service
+new file mode 100644
+index 0000000..3f2f747
+--- /dev/null
++++ b/pgl/pglcmd/init/service
+@@ -0,0 +1,15 @@
++[Unit]
++Description=PeerGuardian Linux - an IP Blocker
++Documentation=man:pgld(1) file:///usr/share/doc/pgl/README.blocklists
++After=network.target
++ConditionPathExists=|/etc/pgl/blocklists.list
++ConditionDirectoryNotEmpty=|/usr/lib/pgl
++
++[Service]
++BusName=org.netfilter.pgl
++ExecStart=/usr/bin/pglcmd start
++ExecStop=/usr/bin/pglcmd stop
++PIDFile=/run/pgld.pid
++
++[Install]
++WantedBy=multi-user.target
diff --git a/net-firewall/pglinux/files/1-pglinux-2.2.2-gentoo-init.patch b/net-firewall/pglinux/files/1-pglinux-2.2.2-gentoo-init.patch
new file mode 100644
index 000000000000..63aecf506be2
--- /dev/null
+++ b/net-firewall/pglinux/files/1-pglinux-2.2.2-gentoo-init.patch
@@ -0,0 +1,20 @@
+commit a63052957b350adcf92e7c23aaad7b71450d8023
+Author: hasufell <julian.ospald@googlemail.com>
+Date: Sun Nov 25 13:44:34 2012 +0100
+
+ fix make dist
+
+ forgot to add pgl.gentoo.in :/
+
+diff --git a/pgl/pglcmd/Makefile.am b/pgl/pglcmd/Makefile.am
+index 147a66e..896b6bc 100644
+--- a/pgl/pglcmd/Makefile.am
++++ b/pgl/pglcmd/Makefile.am
+@@ -118,6 +118,7 @@ EXTRA_DIST = \
+ pglcmd.wd.in \
+ cron.daily/pglcmd.in \
+ init/pgl.in \
++ init/pgl.gentoo.in \
+ networkmanager/20pglcmd.in \
+ pglcmd.lib
+
diff --git a/net-firewall/pglinux/files/1-pglinux-2.2.2-systemd.patch b/net-firewall/pglinux/files/1-pglinux-2.2.2-systemd.patch
new file mode 100644
index 000000000000..ebcf3c44717c
--- /dev/null
+++ b/net-firewall/pglinux/files/1-pglinux-2.2.2-systemd.patch
@@ -0,0 +1,144 @@
+commit dad29189eabd8aaee79fefd95bd9f8ff216d3bec
+Author: jre <jre-phoenix@users.sourceforge.net>
+Date: Sat May 18 10:13:49 2013 +0200
+
+ integrated the systemd service file
+
+ thanks again ARCH Linux guys, especially Pierre Buard
+
+ 2.) Uninstall
+diff --git a/pgl/Makefile.am b/pgl/Makefile.am
+index b738fdd..a81c3ee 100644
+--- a/pgl/Makefile.am
++++ b/pgl/Makefile.am
+@@ -4,6 +4,10 @@ MASTER_BLOCKLIST_DIR = @MASTER_BLOCKLIST_DIR@
+
+ ACLOCAL_AMFLAGS = -I m4
+
++# Ensure that make distcheck continues to work
++DISTCHECK_CONFIGURE_FLAGS = \
++ --with-systemdsystemunitdir=$$dc_install_base/$(systemdsystemunitdir)
++
+ SUBDIRS = \
+ docs \
+ pglcmd \
+diff --git a/pgl/configure.ac b/pgl/configure.ac
+index 213baa5..04e43cb 100644
+--- a/pgl/configure.ac
++++ b/pgl/configure.ac
+@@ -132,6 +132,17 @@ AC_ARG_WITH([gentoo-init],
+
+ AM_CONDITIONAL(GENTOOINIT, [test "x$gentoo_init" = "xyes"])
+
++# use systemd service file (yes, if user specifies a path)
++# http://www.freedesktop.org/software/systemd/man/daemon.html
++PKG_PROG_PKG_CONFIG
++AC_ARG_WITH([systemdsystemunitdir],
++ AS_HELP_STRING([--with-systemdsystemunitdir=DIR], [Directory for systemd service files]),
++ [], [with_systemdsystemunitdir=$($PKG_CONFIG --variable=systemdsystemunitdir systemd)])
++if test "x$with_systemdsystemunitdir" != xno; then
++ AC_SUBST([systemdsystemunitdir], [$with_systemdsystemunitdir])
++fi
++AM_CONDITIONAL(HAVE_SYSTEMD, [test -n "$with_systemdsystemunitdir" -a "x$with_systemdsystemunitdir" != xno ])
++
+ # let user specify iconsdir
+ AC_ARG_WITH([iconsdir],
+ [AS_HELP_STRING([--with-iconsdir=DIR],
+@@ -311,6 +322,11 @@ else
+ echo QT-gui....................................... : no
+ fi
+
++if test -n "$with_systemdsystemunitdir" -a "x$with_systemdsystemunitdir" != xno; then
++echo systemdsystemunitdir......................... : $systemdsystemunitdir
++else
++echo systemd...................................... : no
++fi
+ echo
+ echo .............................................
+ echo "Developer debug:"
+diff --git a/pgl/pglcmd/Makefile.am b/pgl/pglcmd/Makefile.am
+index 896b6bc..132a475 100644
+--- a/pgl/pglcmd/Makefile.am
++++ b/pgl/pglcmd/Makefile.am
+@@ -48,6 +48,9 @@ pgllib_DATA = \
+ pglcmd.lib \
+ pglcmd.main
+
++systemdsystemunit_DATA = \
++ init/pgl.service
++
+ # Don't update PATH here anymore, because on user's make it doesn't contain
+ # [/usr]/sbin
+ pglcmd.defaults:
+@@ -103,6 +106,15 @@ init/pgl:
+ chmod +x init/pgl
+ endif
+
++init/pgl.service:
++ sed \
++ -e 's|@data_root_dir@|$(datarootdir)|g' \
++ -e 's|@CONF_DIR@|$(sysconfdir)|g' \
++ -e 's|@LIB_DIR@|$(libdir)|g' \
++ -e 's|@BIN_DIR@|$(bindir)|g' \
++ -e 's|@PID_DIR@|$(PIDDIR)|g' \
++ < init/pgl.service.in > init/pgl.service
++
+ networkmanager/20pglcmd:
+ $(do_subst) < networkmanager/20pglcmd.in > networkmanager/20pglcmd
+ chmod +x networkmanager/20pglcmd
+@@ -119,6 +131,7 @@ EXTRA_DIST = \
+ cron.daily/pglcmd.in \
+ init/pgl.in \
+ init/pgl.gentoo.in \
++ init/pgl.service.in \
+ networkmanager/20pglcmd.in \
+ pglcmd.lib
+
+@@ -131,4 +144,5 @@ CLEANFILES = \
+ pglcmd.wd \
+ cron.daily/pglcmd \
+ init/pgl \
++ init/pgl.service \
+ networkmanager/20pglcmd
+diff --git a/pgl/pglcmd/init/pgl.service.in b/pgl/pglcmd/init/pgl.service.in
+new file mode 100644
+index 0000000..55779bd
+--- /dev/null
++++ b/pgl/pglcmd/init/pgl.service.in
+@@ -0,0 +1,15 @@
++[Unit]
++Description=PeerGuardian Linux - an IP Blocker
++Documentation=man:pgld(1) file://@data_root_dir@/doc/pgl/README.blocklists
++After=network.target
++ConditionPathExists=|@CONF_DIR@/pgl/blocklists.list
++ConditionDirectoryNotEmpty=|@LIB_DIR@/pgl
++
++[Service]
++BusName=org.netfilter.pgl
++ExecStart=@BIN_DIR@/pglcmd start
++ExecStop=@BIN_DIR@/pglcmd stop
++PIDFile=@PID_DIR@/pgld.pid
++
++[Install]
++WantedBy=multi-user.target
+diff --git a/pgl/pglcmd/init/service b/pgl/pglcmd/init/service
+deleted file mode 100644
+index 3f2f747..0000000
+--- a/pgl/pglcmd/init/service
++++ /dev/null
+@@ -1,15 +0,0 @@
+-[Unit]
+-Description=PeerGuardian Linux - an IP Blocker
+-Documentation=man:pgld(1) file:///usr/share/doc/pgl/README.blocklists
+-After=network.target
+-ConditionPathExists=|/etc/pgl/blocklists.list
+-ConditionDirectoryNotEmpty=|/usr/lib/pgl
+-
+-[Service]
+-BusName=org.netfilter.pgl
+-ExecStart=/usr/bin/pglcmd start
+-ExecStop=/usr/bin/pglcmd stop
+-PIDFile=/run/pgld.pid
+-
+-[Install]
+-WantedBy=multi-user.target
diff --git a/net-firewall/pglinux/files/2-pglinux-2.2.2-systemd.patch b/net-firewall/pglinux/files/2-pglinux-2.2.2-systemd.patch
new file mode 100644
index 000000000000..49bde436d947
--- /dev/null
+++ b/net-firewall/pglinux/files/2-pglinux-2.2.2-systemd.patch
@@ -0,0 +1,34 @@
+commit b1bbab1348f924635daba2739ab0882f7f976957
+Author: jre <jre-phoenix@users.sourceforge.net>
+Date: Mon May 20 14:39:29 2013 +0200
+
+ systemd fixes: don't wait for pgl dbus, but fork instead
+
+ necessary to prevent timeout, because on start pglcmd first downloads
+ all missing blocklists (may take quite long) and then starts pgld,
+ which just then registers with dbus
+
+ editorial change
+
+ Thanks again Pierre Buard
+
+diff --git a/pgl/pglcmd/init/pgl.service.in b/pgl/pglcmd/init/pgl.service.in
+index 55779bd..5279404 100644
+--- a/pgl/pglcmd/init/pgl.service.in
++++ b/pgl/pglcmd/init/pgl.service.in
+@@ -1,12 +1,13 @@
+ [Unit]
+ Description=PeerGuardian Linux - an IP Blocker
+-Documentation=man:pgld(1) file://@data_root_dir@/doc/pgl/README.blocklists
++Documentation=man:pgld(1)
++Documentation=file://@data_root_dir@/doc/pgl/README.blocklists
+ After=network.target
+ ConditionPathExists=|@CONF_DIR@/pgl/blocklists.list
+ ConditionDirectoryNotEmpty=|@LIB_DIR@/pgl
+
+ [Service]
+-BusName=org.netfilter.pgl
++Type=forking
+ ExecStart=@BIN_DIR@/pglcmd start
+ ExecStop=@BIN_DIR@/pglcmd stop
+ PIDFile=@PID_DIR@/pgld.pid
diff --git a/net-firewall/pglinux/files/3-pglinux-2.2.2-systemd.patch b/net-firewall/pglinux/files/3-pglinux-2.2.2-systemd.patch
new file mode 100644
index 000000000000..347c9c836de4
--- /dev/null
+++ b/net-firewall/pglinux/files/3-pglinux-2.2.2-systemd.patch
@@ -0,0 +1,21 @@
+commit 459f460cfd4a166d5108c3e88c2cad294b32fb74
+Author: jre <jre-phoenix@users.sourceforge.net>
+Date: Mon May 20 19:26:25 2013 +0200
+
+ fix: install systemd file only if configured
+
+diff --git a/pgl/pglcmd/Makefile.am b/pgl/pglcmd/Makefile.am
+index 132a475..c7f34a5 100644
+--- a/pgl/pglcmd/Makefile.am
++++ b/pgl/pglcmd/Makefile.am
+@@ -48,8 +48,10 @@ pgllib_DATA = \
+ pglcmd.lib \
+ pglcmd.main
+
++if HAVE_SYSTEMD
+ systemdsystemunit_DATA = \
+ init/pgl.service
++endif
+
+ # Don't update PATH here anymore, because on user's make it doesn't contain
+ # [/usr]/sbin
diff --git a/net-firewall/pglinux/files/4-pglinux-2.2.2-systemd.patch b/net-firewall/pglinux/files/4-pglinux-2.2.2-systemd.patch
new file mode 100644
index 000000000000..cc124ebe1ac8
--- /dev/null
+++ b/net-firewall/pglinux/files/4-pglinux-2.2.2-systemd.patch
@@ -0,0 +1,24 @@
+commit 53ac32c45e0a28bfaf42f32cd9b887ed1414ecae
+Author: jre <jre-phoenix@users.sourceforge.net>
+Date: Tue May 21 20:21:47 2013 +0200
+
+ revised systemd targets
+
+ thanks again Pierre Buard
+
+diff --git a/pgl/pglcmd/init/pgl.service.in b/pgl/pglcmd/init/pgl.service.in
+index 5279404..c8809d0 100644
+--- a/pgl/pglcmd/init/pgl.service.in
++++ b/pgl/pglcmd/init/pgl.service.in
+@@ -2,9 +2,8 @@
+ Description=PeerGuardian Linux - an IP Blocker
+ Documentation=man:pgld(1)
+ Documentation=file://@data_root_dir@/doc/pgl/README.blocklists
+-After=network.target
+-ConditionPathExists=|@CONF_DIR@/pgl/blocklists.list
+-ConditionDirectoryNotEmpty=|@LIB_DIR@/pgl
++After=network.target syslog.target
++After=firehol.service firestarter.service firewalld.service ufw.service
+
+ [Service]
+ Type=forking
diff --git a/net-firewall/pglinux/files/5-pglinux-2.2.2-systemd.patch b/net-firewall/pglinux/files/5-pglinux-2.2.2-systemd.patch
new file mode 100644
index 000000000000..49fa35a64ed9
--- /dev/null
+++ b/net-firewall/pglinux/files/5-pglinux-2.2.2-systemd.patch
@@ -0,0 +1,18 @@
+commit fe6a60d6be7c611d0568042e5bdbdd9398f9a7e8
+Author: jre <jre-phoenix@users.sourceforge.net>
+Date: Tue Jun 11 22:42:21 2013 +0200
+
+ add RemainAfterExit to prevent timeout during long blocklist downloads
+
+diff --git a/pgl/pglcmd/init/pgl.service.in b/pgl/pglcmd/init/pgl.service.in
+index c8809d0..64ee040 100644
+--- a/pgl/pglcmd/init/pgl.service.in
++++ b/pgl/pglcmd/init/pgl.service.in
+@@ -10,6 +10,7 @@ Type=forking
+ ExecStart=@BIN_DIR@/pglcmd start
+ ExecStop=@BIN_DIR@/pglcmd stop
+ PIDFile=@PID_DIR@/pgld.pid
++RemainAfterExit=yes
+
+ [Install]
+ WantedBy=multi-user.target
diff --git a/net-firewall/pglinux/files/6-pglinux-2.2.2-systemd.patch b/net-firewall/pglinux/files/6-pglinux-2.2.2-systemd.patch
new file mode 100644
index 000000000000..b1000cb5d4e8
--- /dev/null
+++ b/net-firewall/pglinux/files/6-pglinux-2.2.2-systemd.patch
@@ -0,0 +1,87 @@
+commit 6ed523649e296a16494c6b559ef22de04833cddc
+Author: hasufell <hasufell@posteo.de>
+Date: Mon Sep 23 23:57:48 2013 +0200
+
+ BUILD: small cleanup to systemd bits
+
+ * don't double check for pkg-config
+ * use AS_IF
+ * consistent variable naming
+ * do not install systemd file when "--with-systemd" is omitted
+
+diff --git a/pgl/Makefile.am b/pgl/Makefile.am
+index a81c3ee..c5dd377 100644
+--- a/pgl/Makefile.am
++++ b/pgl/Makefile.am
+@@ -6,7 +6,7 @@ ACLOCAL_AMFLAGS = -I m4
+
+ # Ensure that make distcheck continues to work
+ DISTCHECK_CONFIGURE_FLAGS = \
+- --with-systemdsystemunitdir=$$dc_install_base/$(systemdsystemunitdir)
++ --with-systemd=$$dc_install_base/$(SYSTEMDUNITDIR)
+
+ SUBDIRS = \
+ docs \
+diff --git a/pgl/configure.ac b/pgl/configure.ac
+index 63b443c..dd2086e 100644
+--- a/pgl/configure.ac
++++ b/pgl/configure.ac
+@@ -14,9 +14,7 @@
+ AC_PROG_CC
+ AC_PROG_INSTALL
+ AC_PROG_LIBTOOL
+-AC_PATH_PROG([PKGCONFIG], [pkg-config])
+-AS_IF([test "x$PKGCONFIG" = "x"],
+- [AC_MSG_ERROR([pkg-config not found!])])
++PKG_PROG_PKG_CONFIG
+
+ # Checks for header files.
+ AC_CHECK_HEADERS([arpa/inet.h inttypes.h limits.h netinet/in.h stdlib.h string.h sys/time.h syslog.h unistd.h])
+@@ -134,14 +132,14 @@
+
+ # use systemd service file (yes, if user specifies a path)
+ # http://www.freedesktop.org/software/systemd/man/daemon.html
+-PKG_PROG_PKG_CONFIG
+-AC_ARG_WITH([systemdsystemunitdir],
+- AS_HELP_STRING([--with-systemdsystemunitdir=DIR], [Directory for systemd service files]),
+- [], [with_systemdsystemunitdir=$($PKG_CONFIG --variable=systemdsystemunitdir systemd)])
+-if test "x$with_systemdsystemunitdir" != xno; then
+- AC_SUBST([systemdsystemunitdir], [$with_systemdsystemunitdir])
+-fi
+-AM_CONDITIONAL(HAVE_SYSTEMD, [test -n "$with_systemdsystemunitdir" -a "x$with_systemdsystemunitdir" != xno ])
++AC_ARG_WITH([systemd],
++ [AS_HELP_STRING([--with-systemd=UNITDIR], [install systemd unit file (into UNITDIR if given)])],
++ [with_systemd="$withval"],
++ [with_systemd="no"])
++AS_IF([test "x$with_systemd" != xno],
++ [AS_IF([test "$with_systemd" = yes], [with_systemd="`$PKG_CONFIG --variable=systemdsystemunitdir systemd`"])]
++ [AC_SUBST([SYSTEMDUNITDIR], [$with_systemd])])
++AM_CONDITIONAL(HAVE_SYSTEMD, [test -n "$with_systemd" -a "x$with_systemd" != xno ])
+
+ # let user specify iconsdir
+ AC_ARG_WITH([iconsdir],
+@@ -321,9 +319,9 @@
+ else
+ echo QT-gui....................................... : no
+ fi
+-
+-if test -n "$with_systemdsystemunitdir" -a "x$with_systemdsystemunitdir" != xno; then
+-echo systemdsystemunitdir......................... : $systemdsystemunitdir
++if test -n "$with_systemd" -a "x$with_systemd" != xno; then
++echo systemd ..................................... : yes
++echo systemd unit dir ............................ : $with_systemd
+ else
+ echo systemd...................................... : no
+ fi
+diff --git a/pgl/pglcmd/Makefile.am b/pgl/pglcmd/Makefile.am
+index c7f34a5..d06871e 100644
+--- a/pgl/pglcmd/Makefile.am
++++ b/pgl/pglcmd/Makefile.am
+@@ -51,6 +51,7 @@ pgllib_DATA = \
+ if HAVE_SYSTEMD
+ systemdsystemunit_DATA = \
+ init/pgl.service
++systemdsystemunitdir = @SYSTEMDUNITDIR@
+ endif
+
+ # Don't update PATH here anymore, because on user's make it doesn't contain
diff --git a/net-firewall/pglinux/files/pgl.gentoo.in b/net-firewall/pglinux/files/pgl.gentoo.in
new file mode 100644
index 000000000000..c94d9784096e
--- /dev/null
+++ b/net-firewall/pglinux/files/pgl.gentoo.in
@@ -0,0 +1,55 @@
+#!/sbin/runscript
+# Copyright 1999-2012 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+description="Daemon script for pglinux"
+extra_commands="reload forcereload update"
+
+depend() {
+ need net
+}
+
+PIDFILE=@PID_DIR@/pgld.pid
+PGLCMD=@PGLCMDPATH@
+
+start() {
+ ebegin "Starting pglinux daemon"
+
+ if [ "${RC_CMD}" = "restart" ]; then
+ sleep 3
+ fi
+
+ $PGLCMD start
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping pglinux daemon"
+ $PGLCMD stop_quick
+ eend $?
+}
+
+status() {
+ ebegin "Checking status of pglinux daemon"
+ $PGLCMD status
+ eend $?
+}
+
+reload() {
+ ebegin "reload config"
+ $PGLCMD reload
+ eend $?
+}
+
+forcereload() {
+ ebegin "force config reload"
+ $PGLCMD force-reload
+ eend $?
+}
+
+update() {
+ ebegin "Force update of lists"
+ $PGLCMD update
+ eend $?
+}
+
diff --git a/net-firewall/pglinux/files/pglinux-2.2.2-path-variables.patch b/net-firewall/pglinux/files/pglinux-2.2.2-path-variables.patch
new file mode 100644
index 000000000000..2d3693a98536
--- /dev/null
+++ b/net-firewall/pglinux/files/pglinux-2.2.2-path-variables.patch
@@ -0,0 +1,131 @@
+commit 07b4b464e18c763bf095214a73d0bcfa32c4f933
+Author: hasufell <hasufell@posteo.de>
+Date: Sat Sep 7 00:33:42 2013 +0200
+
+ BUILD: do not expand path variables in configure.ac
+
+ it is bad form and could cause unexpected behavior
+
+diff --git a/pgl/configure.ac b/pgl/configure.ac
+index 213baa5..6160956 100644
+--- a/pgl/configure.ac
++++ b/pgl/configure.ac
+@@ -45,21 +45,21 @@ AC_ARG_WITH([initddir],
+ [AS_HELP_STRING([--with-initddir=DIR],
+ [path to init script directory (default: sysconfdir/init.d)])],
+ [INITDDIR="$withval"],
+- [INITDDIR="$sysconfdir/init.d"])
++ [INITDDIR='$(sysconfdir)/init.d'])
+
+ # let user specify LOGDIR
+ AC_ARG_WITH([logdir],
+ [AS_HELP_STRING([--with-logdir=DIR],
+ [path to log directory (default: localstatedir/log/pgl)])],
+ [LOGDIR="$withval"],
+- [LOGDIR="$localstatedir/log/$PACKAGE"])
++ [LOGDIR='$(localstatedir)/log/'$PACKAGE])
+
+ # let user specify PIDDIR
+ AC_ARG_WITH([piddir],
+ [AS_HELP_STRING([--with-piddir=DIR],
+ [path to PID directory (default: localstatedir/run)])],
+ [PIDDIR="$withval"],
+- [PIDDIR="$localstatedir/run"])
++ [PIDDIR='$(localstatedir)/run'])
+
+ # let user specify TMPDIR
+ AC_ARG_WITH([tmpdir],
+@@ -73,21 +73,21 @@ AC_ARG_WITH([blocklists],
+ [AS_HELP_STRING([--with-blocklists=DIR],
+ [path to blocklists directory (default: localstatedir/spool/pgl)])],
+ [BLOCKLISTS_DIR="$withval"],
+- [BLOCKLISTS_DIR="$localstatedir/spool/$PACKAGE"])
++ [BLOCKLISTS_DIR='$(localstatedir)/spool/'$PACKAGE])
+
+ # let user specify LOCAL_BLOCKLIST_DIR
+ AC_ARG_WITH([localblocklist],
+ [AS_HELP_STRING([--with-localblocklist=DIR],
+ [path to local blocklist directory (default: sysconfdir/pgl/blocklists.local)])],
+ [LOCAL_BLOCKLIST_DIR="$withval"],
+- [LOCAL_BLOCKLIST_DIR="$sysconfdir/$PACKAGE/blocklists.local"])
++ [LOCAL_BLOCKLIST_DIR='$(sysconfdir)'/$PACKAGE/blocklists.local])
+
+ # let user specify MASTER_BLOCKLIST_DIR
+ AC_ARG_WITH([masterblocklist],
+ [AS_HELP_STRING([--with-masterblocklist=DIR],
+ [path to master blocklist directory (default: localstatedir/lib/pgl)])],
+ [MASTER_BLOCKLIST_DIR="$withval"],
+- [MASTER_BLOCKLIST_DIR="$localstatedir/lib/$PACKAGE"])
++ [MASTER_BLOCKLIST_DIR='$(localstatedir)/lib/'$PACKAGE])
+
+ # let user specify LSB
+ AC_ARG_WITH([lsb],
+@@ -137,7 +137,7 @@ AC_ARG_WITH([iconsdir],
+ [AS_HELP_STRING([--with-iconsdir=DIR],
+ [path where icons get installed (default: datadir/pixmaps)])],
+ [ICONSDIR="$withval"],
+- [ICONSDIR="$datadir/pixmaps"])
++ [ICONSDIR='$(datadir)/pixmaps'])
+
+
+
+@@ -147,7 +147,7 @@ AC_ARG_WITH([iconsdir],
+ # pkg-config module check, generates $1_LIBS and $1_CFLAGS vars
+ PKG_CHECK_MODULES([libnetfilterqueue],[libnetfilter_queue])
+ PGLD_CFLAGS=""
+-PGLD_CPPFLAGS="$libnetfilterqueue_CFLAGS -DVERSION=\\\"$VERSION\\\" -DPACKAGE_NAME=\\\"$PACKAGE\\\" -DPIDFILE=\\\"${localstatedir}/run/${PACKAGE}d.pid\\\""
++PGLD_CPPFLAGS="$libnetfilterqueue_CFLAGS -DVERSION=\\\"$VERSION\\\" -DPACKAGE_NAME=\\\"$PACKAGE\\\""
+ PGLD_LDFLAGS=""
+ PGLD_LIBS="$libnetfilterqueue_LIBS"
+
+@@ -180,7 +180,7 @@ AS_IF([test "x$enable_dbus" = "xyes"],
+ [PKG_CHECK_MODULES([DBUS],
+ [dbus-1])]
+ [PGLD_CFLAGS="$PGLD_CFLAGS -fPIC"]
+- [PGLD_CPPFLAGS="$PGLD_CPPFLAGS $DBUS_CFLAGS -DHAVE_DBUS -DPLUGINDIR=\\\"${libdir}/$PACKAGE\\\""]
++ [PGLD_CPPFLAGS="$PGLD_CPPFLAGS $DBUS_CFLAGS -DHAVE_DBUS"]
+ [PGLD_LDFLAGS="-Wl,-export-dynamic"]
+ [PGLD_LIBS="$PGLD_LIBS $DBUS_LIBS -ldl"])
+
+@@ -203,7 +203,7 @@ AS_IF([test "x$enable_lowmem" = "xyes"],
+ ##
+ # initial QT_flags
+ QT_CXXFLAGS=""
+-QT_CPPFLAGS="-DVERSION=\\\"$VERSION\\\" -DPGLCMDDEFAULTSPATH=\\\"${libdir}/${PACKAGE}/${PACKAGE}cmd.defaults\\\" -D_REENTRANT -DQT_GUI_LIB -DQT_NETWORK_LIB -DQT_CORE_LIB -DQT_SHARED"
++QT_CPPFLAGS="-DVERSION=\\\"$VERSION\\\" -D_REENTRANT -DQT_GUI_LIB -DQT_NETWORK_LIB -DQT_CORE_LIB -DQT_SHARED"
+ QT_LDFLAGS=""
+ QT_LIBS=""
+
+diff --git a/pgl/pgld/Makefile.am b/pgl/pgld/Makefile.am
+index ca7d509..91fc7db 100644
+--- a/pgl/pgld/Makefile.am
++++ b/pgl/pgld/Makefile.am
+@@ -1,6 +1,7 @@
+ # flags
+ AM_CFLAGS = @PGLD_CFLAGS@
+-AM_CPPFLAGS = @PGLD_CPPFLAGS@
++AM_CPPFLAGS = @PGLD_CPPFLAGS@ \
++ -DPIDFILE=\"$(localstatedir)/run/${PACKAGE}d.pid\"
+ AM_LDFLAGS = @PGLD_LDFLAGS@
+
+ # sources for pgld binary
+@@ -14,6 +15,7 @@ sbin_PROGRAMS = pgld
+
+ # build dbus library for --enable-dbus
+ if DBUSMAKE
++AM_CPPFLAGS += -DPLUGINDIR=\"$(libdir)/$(PACKAGE)\"
+ libdbusdir = $(libdir)/$(PACKAGE_NAME)
+ libdbus_LTLIBRARIES = libdbus.la
+ libdbus_la_SOURCES = src/dbus.c src/dbus.h
+diff --git a/pgl/pglgui/Makefile.am b/pgl/pglgui/Makefile.am
+index 3a1757e..05c2a54 100644
+--- a/pgl/pglgui/Makefile.am
++++ b/pgl/pglgui/Makefile.am
+@@ -11,6 +11,7 @@ MOC = @MOC@
+ AM_CXXFLAGS = @QT_CXXFLAGS@
+ AM_CPPFLAGS = \
+ @QT_CPPFLAGS@ \
++ -DPGLCMDDEFAULTSPATH=\"$(libdir)/$(PACKAGE)/$(PACKAGE)cmd.defaults\" \
+ -I./ui
+ AM_LDFLAGS = @QT_LDFLAGS@
+
diff --git a/net-firewall/pglinux/metadata.xml b/net-firewall/pglinux/metadata.xml
new file mode 100644
index 000000000000..6e64606e9405
--- /dev/null
+++ b/net-firewall/pglinux/metadata.xml
@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+ <maintainer>
+ <email>hasufell@gentoo.org</email>
+ <name>Julian Ospald</name>
+ </maintainer>
+ <upstream>
+ <changelog>https://sourceforge.net/news/?group_id=131687</changelog>
+ <doc lang="en">https://sourceforge.net/projects/peerguardian/support</doc>
+ <bugs-to>https://sourceforge.net/tracker/?group_id=131687</bugs-to>
+ <remote-id type="sourceforge">peerguardian</remote-id>
+ </upstream>
+ <use>
+ <flag name="cron">Install cron script</flag>
+ <flag name="logrotate">Install logrotate.d file</flag>
+ </use>
+ <longdescription lang="en">
+ PeerGuardian Linux (pgl) is a privacy oriented firewall application. It blocks
+ connections to and from hosts specified in huge blocklists (thousands or
+ millions of IP ranges). pgl is based on the Linux kernel netfilter framework
+ and iptables.
+ </longdescription>
+</pkgmetadata>
diff --git a/net-firewall/pglinux/pglinux-2.2.1_p20120711.ebuild b/net-firewall/pglinux/pglinux-2.2.1_p20120711.ebuild
new file mode 100644
index 000000000000..662c2c283c94
--- /dev/null
+++ b/net-firewall/pglinux/pglinux-2.2.1_p20120711.ebuild
@@ -0,0 +1,91 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=4
+
+inherit gnome2-utils linux-info
+
+MY_P="pgl-${PV}"
+
+DESCRIPTION="Privacy oriented firewall application"
+HOMEPAGE="https://sourceforge.net/projects/peerguardian/"
+SRC_URI="http://dev.gentoo.org/~hasufell/distfiles/${MY_P}.tar.xz"
+
+LICENSE="GPL-3"
+KEYWORDS="amd64 x86"
+SLOT="0"
+IUSE="cron dbus logrotate networkmanager qt4 zlib"
+
+COMMON_DEPEND="
+ net-libs/libnetfilter_queue
+ net-libs/libnfnetlink
+ dbus? ( sys-apps/dbus )
+ zlib? ( sys-libs/zlib )
+ qt4? ( sys-auth/polkit-qt[qt4(+)]
+ dev-qt/qtcore:4
+ dev-qt/qtdbus:4
+ dev-qt/qtgui:4
+ || ( kde-apps/kdesu x11-libs/gksu x11-misc/ktsuss )
+ )"
+DEPEND="${COMMON_DEPEND}
+ virtual/pkgconfig
+ sys-devel/libtool:2"
+RDEPEND="${COMMON_DEPEND}
+ net-firewall/iptables
+ sys-apps/sysvinit
+ cron? ( virtual/cron )
+ logrotate? ( app-admin/logrotate )
+ networkmanager? ( net-misc/networkmanager )"
+
+REQUIRED_USE="qt4? ( dbus )"
+
+CONFIG_CHECK="~NETFILTER_NETLINK
+ ~NETFILTER_NETLINK_QUEUE
+ ~NETFILTER_XTABLES
+ ~NETFILTER_XT_TARGET_NFQUEUE
+ ~NETFILTER_XT_MATCH_IPRANGE
+ ~NETFILTER_XT_MARK
+ ~NETFILTER_XT_MATCH_MULTIPORT
+ ~NETFILTER_XT_MATCH_STATE
+ ~NF_CONNTRACK
+ ~NF_CONNTRACK_IPV4
+ ~NF_DEFRAG_IPV4
+ ~IP_NF_FILTER
+ ~IP_NF_IPTABLES
+ ~IP_NF_TARGET_REJECT"
+
+S=${WORKDIR}/${MY_P}
+
+src_configure() {
+ econf \
+ --localstatedir=/var \
+ --docdir=/usr/share/doc/${PF} \
+ $(use_enable logrotate) \
+ $(use_enable cron) \
+ $(use_enable networkmanager) \
+ $(use_enable zlib) \
+ $(use_enable dbus) \
+ --disable-lowmem \
+ --with-iconsdir=/usr/share/icons/hicolor/128x128/apps \
+ --with-gentoo-init \
+ $(use_with qt4)
+}
+
+pkg_preinst() {
+ gnome2_icon_savelist
+}
+
+pkg_postinst() {
+ elog "optional dependencies:"
+ elog " app-arch/p7zip (needed for blocklists packed as .7z)"
+ elog " app-arch/unzip (needed for blocklists packed as .zip)"
+ elog " virtual/mta (needed to send informational (blocklist updates) and"
+ elog " warning mails (if pglcmd.wd detects a problem.))"
+
+ gnome2_icon_cache_update
+}
+
+pkg_postrm() {
+ gnome2_icon_cache_update
+}
diff --git a/net-firewall/pglinux/pglinux-2.2.2-r1.ebuild b/net-firewall/pglinux/pglinux-2.2.2-r1.ebuild
new file mode 100644
index 000000000000..993efc239889
--- /dev/null
+++ b/net-firewall/pglinux/pglinux-2.2.2-r1.ebuild
@@ -0,0 +1,106 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+
+inherit autotools eutils gnome2-utils linux-info systemd
+
+MY_P="pgl-${PV}"
+
+DESCRIPTION="Privacy oriented firewall application"
+HOMEPAGE="https://sourceforge.net/projects/peerguardian/"
+SRC_URI="mirror://sourceforge/peerguardian/${MY_P}.tar.gz"
+
+LICENSE="GPL-3"
+KEYWORDS="~amd64 ~x86"
+SLOT="0"
+IUSE="cron dbus logrotate networkmanager qt4 zlib"
+
+COMMON_DEPEND="
+ net-libs/libnetfilter_queue
+ net-libs/libnfnetlink
+ dbus? ( sys-apps/dbus )
+ zlib? ( sys-libs/zlib )
+ qt4? ( sys-auth/polkit-qt[qt4(+)]
+ dev-qt/qtcore:4
+ dev-qt/qtdbus:4
+ dev-qt/qtgui:4
+ || ( kde-apps/kdesu x11-libs/gksu x11-misc/ktsuss )
+ )"
+DEPEND="${COMMON_DEPEND}
+ virtual/pkgconfig
+ sys-devel/libtool:2"
+RDEPEND="${COMMON_DEPEND}
+ net-firewall/iptables
+ sys-apps/sysvinit
+ cron? ( virtual/cron )
+ logrotate? ( app-admin/logrotate )
+ networkmanager? ( net-misc/networkmanager )"
+
+REQUIRED_USE="qt4? ( dbus )"
+
+CONFIG_CHECK="~NETFILTER_NETLINK
+ ~NETFILTER_NETLINK_QUEUE
+ ~NETFILTER_XTABLES
+ ~NETFILTER_XT_TARGET_NFQUEUE
+ ~NETFILTER_XT_MATCH_IPRANGE
+ ~NETFILTER_XT_MARK
+ ~NETFILTER_XT_MATCH_MULTIPORT
+ ~NETFILTER_XT_MATCH_STATE
+ ~NF_CONNTRACK
+ ~NF_CONNTRACK_IPV4
+ ~NF_DEFRAG_IPV4
+ ~IP_NF_FILTER
+ ~IP_NF_IPTABLES
+ ~IP_NF_TARGET_REJECT"
+
+S=${WORKDIR}/${MY_P}
+
+src_prepare() {
+ epatch -p2 "${FILESDIR}"/${P}-path-variables.patch \
+ "${FILESDIR}"/{0,1}-${P}-gentoo-init.patch \
+ "${FILESDIR}"/{0..6}-${P}-systemd.patch
+
+ eautoreconf
+}
+
+src_configure() {
+ econf \
+ --localstatedir=/var \
+ --docdir=/usr/share/doc/${PF} \
+ $(use_enable logrotate) \
+ $(use_enable cron) \
+ $(use_enable networkmanager) \
+ $(use_enable zlib) \
+ $(use_enable dbus) \
+ --disable-lowmem \
+ --with-iconsdir=/usr/share/icons/hicolor/128x128/apps \
+ --with-gentoo-init \
+ $(use_with qt4) \
+ --with-systemd="$(systemd_get_unitdir)"
+}
+
+src_install() {
+ default
+ keepdir /var/{lib,log,spool}/pgl
+ rm -rf "${ED}"/tmp
+}
+
+pkg_preinst() {
+ gnome2_icon_savelist
+}
+
+pkg_postinst() {
+ elog "optional dependencies:"
+ elog " app-arch/p7zip (needed for blocklists packed as .7z)"
+ elog " app-arch/unzip (needed for blocklists packed as .zip)"
+ elog " virtual/mta (needed to send informational (blocklist updates) and"
+ elog " warning mails (if pglcmd.wd detects a problem.))"
+
+ gnome2_icon_cache_update
+}
+
+pkg_postrm() {
+ gnome2_icon_cache_update
+}
diff --git a/net-firewall/pglinux/pglinux-2.2.2.ebuild b/net-firewall/pglinux/pglinux-2.2.2.ebuild
new file mode 100644
index 000000000000..5b334481664e
--- /dev/null
+++ b/net-firewall/pglinux/pglinux-2.2.2.ebuild
@@ -0,0 +1,101 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=4
+
+inherit gnome2-utils linux-info
+
+MY_P="pgl-${PV}"
+
+DESCRIPTION="Privacy oriented firewall application"
+HOMEPAGE="https://sourceforge.net/projects/peerguardian/"
+SRC_URI="mirror://sourceforge/peerguardian/${MY_P}.tar.gz"
+
+LICENSE="GPL-3"
+KEYWORDS="amd64 x86"
+SLOT="0"
+IUSE="cron dbus logrotate networkmanager qt4 zlib"
+
+COMMON_DEPEND="
+ net-libs/libnetfilter_queue
+ net-libs/libnfnetlink
+ dbus? ( sys-apps/dbus )
+ zlib? ( sys-libs/zlib )
+ qt4? ( sys-auth/polkit-qt[qt4(+)]
+ dev-qt/qtcore:4
+ dev-qt/qtdbus:4
+ dev-qt/qtgui:4
+ || ( kde-apps/kdesu x11-libs/gksu x11-misc/ktsuss )
+ )"
+DEPEND="${COMMON_DEPEND}
+ virtual/pkgconfig
+ sys-devel/libtool:2"
+RDEPEND="${COMMON_DEPEND}
+ net-firewall/iptables
+ sys-apps/sysvinit
+ cron? ( virtual/cron )
+ logrotate? ( app-admin/logrotate )
+ networkmanager? ( net-misc/networkmanager )"
+
+REQUIRED_USE="qt4? ( dbus )"
+
+CONFIG_CHECK="~NETFILTER_NETLINK
+ ~NETFILTER_NETLINK_QUEUE
+ ~NETFILTER_XTABLES
+ ~NETFILTER_XT_TARGET_NFQUEUE
+ ~NETFILTER_XT_MATCH_IPRANGE
+ ~NETFILTER_XT_MARK
+ ~NETFILTER_XT_MATCH_MULTIPORT
+ ~NETFILTER_XT_MATCH_STATE
+ ~NF_CONNTRACK
+ ~NF_CONNTRACK_IPV4
+ ~NF_DEFRAG_IPV4
+ ~IP_NF_FILTER
+ ~IP_NF_IPTABLES
+ ~IP_NF_TARGET_REJECT"
+
+S=${WORKDIR}/${MY_P}
+
+src_prepare() {
+ cp "${FILESDIR}"/pgl.gentoo.in "${S}"/pglcmd/init || die "cp failed"
+}
+
+src_configure() {
+ econf \
+ --localstatedir=/var \
+ --docdir=/usr/share/doc/${PF} \
+ $(use_enable logrotate) \
+ $(use_enable cron) \
+ $(use_enable networkmanager) \
+ $(use_enable zlib) \
+ $(use_enable dbus) \
+ --disable-lowmem \
+ --with-iconsdir=/usr/share/icons/hicolor/128x128/apps \
+ --with-gentoo-init \
+ $(use_with qt4)
+}
+
+src_install() {
+ default
+ keepdir /var/{lib,log,spool}/pgl
+ rm -rf "${ED}"/tmp
+}
+
+pkg_preinst() {
+ gnome2_icon_savelist
+}
+
+pkg_postinst() {
+ elog "optional dependencies:"
+ elog " app-arch/p7zip (needed for blocklists packed as .7z)"
+ elog " app-arch/unzip (needed for blocklists packed as .zip)"
+ elog " virtual/mta (needed to send informational (blocklist updates) and"
+ elog " warning mails (if pglcmd.wd detects a problem.))"
+
+ gnome2_icon_cache_update
+}
+
+pkg_postrm() {
+ gnome2_icon_cache_update
+}
diff --git a/net-firewall/pglinux/pglinux-2.2.3.ebuild b/net-firewall/pglinux/pglinux-2.2.3.ebuild
new file mode 100644
index 000000000000..280cd890df69
--- /dev/null
+++ b/net-firewall/pglinux/pglinux-2.2.3.ebuild
@@ -0,0 +1,98 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+
+inherit eutils gnome2-utils linux-info systemd
+
+MY_P="pgl-${PV}"
+
+DESCRIPTION="Privacy oriented firewall application"
+HOMEPAGE="https://sourceforge.net/projects/peerguardian/"
+SRC_URI="mirror://sourceforge/peerguardian/${MY_P}.tar.gz"
+
+LICENSE="GPL-3"
+KEYWORDS="~amd64 ~x86"
+SLOT="0"
+IUSE="cron dbus logrotate networkmanager qt4 zlib"
+
+COMMON_DEPEND="
+ net-libs/libnetfilter_queue
+ net-libs/libnfnetlink
+ dbus? ( sys-apps/dbus )
+ zlib? ( sys-libs/zlib )
+ qt4? ( sys-auth/polkit-qt[qt4(+)]
+ dev-qt/qtcore:4
+ dev-qt/qtdbus:4
+ dev-qt/qtgui:4
+ || ( kde-apps/kdesu x11-libs/gksu x11-misc/ktsuss )
+ )"
+DEPEND="${COMMON_DEPEND}
+ virtual/pkgconfig
+ sys-devel/libtool:2"
+RDEPEND="${COMMON_DEPEND}
+ net-firewall/iptables
+ sys-apps/sysvinit
+ cron? ( virtual/cron )
+ logrotate? ( app-admin/logrotate )
+ networkmanager? ( net-misc/networkmanager )"
+
+REQUIRED_USE="qt4? ( dbus )"
+
+CONFIG_CHECK="~NETFILTER_NETLINK
+ ~NETFILTER_NETLINK_QUEUE
+ ~NETFILTER_XTABLES
+ ~NETFILTER_XT_TARGET_NFQUEUE
+ ~NETFILTER_XT_MATCH_IPRANGE
+ ~NETFILTER_XT_MARK
+ ~NETFILTER_XT_MATCH_MULTIPORT
+ ~NETFILTER_XT_MATCH_STATE
+ ~NF_CONNTRACK
+ ~NF_CONNTRACK_IPV4
+ ~NF_DEFRAG_IPV4
+ ~IP_NF_FILTER
+ ~IP_NF_IPTABLES
+ ~IP_NF_TARGET_REJECT"
+
+S=${WORKDIR}/${MY_P}
+
+src_configure() {
+ econf \
+ --localstatedir=/var \
+ --docdir=/usr/share/doc/${PF} \
+ $(use_enable logrotate) \
+ $(use_enable cron) \
+ $(use_enable networkmanager) \
+ $(use_enable zlib) \
+ $(use_enable dbus) \
+ --disable-lowmem \
+ --with-iconsdir=/usr/share/icons/hicolor/128x128/apps \
+ --with-gentoo-init \
+ $(use_with qt4) \
+ --with-systemd="$(systemd_get_unitdir)"
+}
+
+src_install() {
+ default
+ keepdir /var/{lib,log,spool}/pgl
+ rm -rf "${ED}"/tmp
+}
+
+pkg_preinst() {
+ gnome2_icon_savelist
+}
+
+pkg_postinst() {
+ elog "optional dependencies:"
+ elog " app-arch/p7zip (needed for blocklists packed as .7z)"
+ elog " app-arch/unzip (needed for blocklists packed as .zip)"
+ elog " virtual/mta (needed to send informational (blocklist updates) and"
+ elog " warning mails (if pglcmd.wd detects a problem.))"
+
+ gnome2_icon_cache_update
+}
+
+pkg_postrm() {
+ gnome2_icon_cache_update
+}
diff --git a/net-firewall/pglinux/pglinux-2.2.4.ebuild b/net-firewall/pglinux/pglinux-2.2.4.ebuild
new file mode 100644
index 000000000000..daf6e73bda03
--- /dev/null
+++ b/net-firewall/pglinux/pglinux-2.2.4.ebuild
@@ -0,0 +1,98 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+
+inherit eutils gnome2-utils linux-info systemd
+
+MY_P="pgl-${PV}"
+
+DESCRIPTION="Privacy oriented firewall application"
+HOMEPAGE="https://sourceforge.net/projects/peerguardian/"
+SRC_URI="mirror://sourceforge/peerguardian/${MY_P}.tar.gz"
+
+LICENSE="GPL-3"
+KEYWORDS="amd64 x86"
+SLOT="0"
+IUSE="cron dbus logrotate networkmanager qt4 zlib"
+
+COMMON_DEPEND="
+ net-libs/libnetfilter_queue
+ net-libs/libnfnetlink
+ dbus? ( sys-apps/dbus )
+ zlib? ( sys-libs/zlib )
+ qt4? ( sys-auth/polkit-qt[qt4(+)]
+ dev-qt/qtcore:4
+ dev-qt/qtdbus:4
+ dev-qt/qtgui:4
+ || ( kde-apps/kdesu x11-libs/gksu x11-misc/ktsuss )
+ )"
+DEPEND="${COMMON_DEPEND}
+ virtual/pkgconfig
+ sys-devel/libtool:2"
+RDEPEND="${COMMON_DEPEND}
+ net-firewall/iptables
+ sys-apps/sysvinit
+ cron? ( virtual/cron )
+ logrotate? ( app-admin/logrotate )
+ networkmanager? ( net-misc/networkmanager )"
+
+REQUIRED_USE="qt4? ( dbus )"
+
+CONFIG_CHECK="~NETFILTER_NETLINK
+ ~NETFILTER_NETLINK_QUEUE
+ ~NETFILTER_XTABLES
+ ~NETFILTER_XT_TARGET_NFQUEUE
+ ~NETFILTER_XT_MATCH_IPRANGE
+ ~NETFILTER_XT_MARK
+ ~NETFILTER_XT_MATCH_MULTIPORT
+ ~NETFILTER_XT_MATCH_STATE
+ ~NF_CONNTRACK
+ ~NF_CONNTRACK_IPV4
+ ~NF_DEFRAG_IPV4
+ ~IP_NF_FILTER
+ ~IP_NF_IPTABLES
+ ~IP_NF_TARGET_REJECT"
+
+S=${WORKDIR}/${MY_P}
+
+src_configure() {
+ econf \
+ --localstatedir=/var \
+ --docdir=/usr/share/doc/${PF} \
+ $(use_enable logrotate) \
+ $(use_enable cron) \
+ $(use_enable networkmanager) \
+ $(use_enable zlib) \
+ $(use_enable dbus) \
+ --disable-lowmem \
+ --with-iconsdir=/usr/share/icons/hicolor/128x128/apps \
+ --with-gentoo-init \
+ $(use_with qt4) \
+ --with-systemd="$(systemd_get_unitdir)"
+}
+
+src_install() {
+ default
+ keepdir /var/{lib,log,spool}/pgl
+ rm -rf "${ED%/}"/tmp
+}
+
+pkg_preinst() {
+ gnome2_icon_savelist
+}
+
+pkg_postinst() {
+ elog "optional dependencies:"
+ elog " app-arch/p7zip (needed for blocklists packed as .7z)"
+ elog " app-arch/unzip (needed for blocklists packed as .zip)"
+ elog " virtual/mta (needed to send informational (blocklist updates) and"
+ elog " warning mails (if pglcmd.wd detects a problem.))"
+
+ gnome2_icon_cache_update
+}
+
+pkg_postrm() {
+ gnome2_icon_cache_update
+}
diff --git a/net-firewall/psad/Manifest b/net-firewall/psad/Manifest
new file mode 100644
index 000000000000..79ec3260e7e6
--- /dev/null
+++ b/net-firewall/psad/Manifest
@@ -0,0 +1,2 @@
+DIST psad-2.2.5.tar.bz2 1243987 SHA256 736d446266227cb65511d792c85224573c95ea4dc3bde3d5c65bc19084f57452 SHA512 195a06420cf821d182a5422705ba2d407fd35f23887430e61925cad0eada7d20e2416eaf6317857a5aec2f1264a280a7e0128cc301f17dcf20cf833a9f0efb6e WHIRLPOOL fac4797e0a399d4f5edf2179c21d37791d184ee1e334b9b8fb2707405afc10ca0c0d4ab43cd274f34cf8ba9453189066b1d46b955d0533fa357e376ef3817f1f
+DIST psad-2.4.1.tar.bz2 1361593 SHA256 d86688ed7907724750b501087a92a3417cb5b2dc81e06230d0eb2cdcf676b03e SHA512 e146d9853e265f4bb25b79fff7a0ab6ba2759367890498ea25edaff771df1b30c3a284b18e6fe5ae3f4c91a79f6b8d255bf331921c36a24fb0f4f554fa3cb848 WHIRLPOOL 5ac2b96fd8ec4baa98a0b35465e5c8bbfb3dffd48f2a95e31ef80e176d80e7ed09a5bcf6d945e8bed3d69d9cb21b14857dc56fd24bc5ce01ef9540729fd585d4
diff --git a/net-firewall/psad/files/psad-2.2.4-var-run.patch b/net-firewall/psad/files/psad-2.2.4-var-run.patch
new file mode 100644
index 000000000000..78178a43d5e6
--- /dev/null
+++ b/net-firewall/psad/files/psad-2.2.4-var-run.patch
@@ -0,0 +1,13 @@
+--- a/init-scripts/psad-init.gentoo
++++ b/init-scripts/psad-init.gentoo
+@@ -19,6 +19,10 @@
+
+ start() {
+ checkconfig || return 1
++ checkpath -q -d -m 755 -o root:root /run/psad
++ checkpath -q -d -m 755 -o root:root /var/lib/psad
++ checkpath -q -d -m 755 -o root:root /var/log/psad
++ [ -p /var/lib/psad/psadfifo ] || mknod -m 600 /var/lib/psad/psadfifo p
+
+ ebegin "Starting ${SVCNAME}"
+ start-stop-daemon \
diff --git a/net-firewall/psad/metadata.xml b/net-firewall/psad/metadata.xml
new file mode 100644
index 000000000000..03aa50bab7e3
--- /dev/null
+++ b/net-firewall/psad/metadata.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+<herd>netmon</herd>
+</pkgmetadata>
diff --git a/net-firewall/psad/psad-2.2.5.ebuild b/net-firewall/psad/psad-2.2.5.ebuild
new file mode 100644
index 000000000000..2eccd5ad7093
--- /dev/null
+++ b/net-firewall/psad/psad-2.2.5.ebuild
@@ -0,0 +1,90 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+#PERL_EXPORT_PHASE_FUNCTIONS=no
+inherit eutils perl-module toolchain-funcs
+
+DESCRIPTION="Port Scanning Attack Detection daemon"
+SRC_URI="http://www.cipherdyne.org/psad/download/${P}.tar.bz2"
+HOMEPAGE="http://www.cipherdyne.org/psad"
+
+SLOT="0"
+LICENSE="GPL-2"
+KEYWORDS="alpha amd64 ppc ~sparc x86"
+
+DEPEND="virtual/perl-ExtUtils-MakeMaker"
+RDEPEND="
+ dev-perl/Bit-Vector
+ dev-perl/Date-Calc
+ dev-perl/NetAddr-IP
+ dev-perl/Unix-Syslog
+ net-firewall/iptables
+ net-misc/whois
+ virtual/logger
+ virtual/mailx
+ virtual/perl-Storable
+"
+
+src_prepare() {
+ epatch "${FILESDIR}"/${PN}-2.2.4-var-run.patch
+
+ sed -i \
+ -e 's|/usr/bin/gcc|$(CC)|g' \
+ -e 's|-O|$(CFLAGS) $(LDFLAGS)|g' \
+ Makefile || die
+ # Fix up default paths
+ sed -i \
+ -e "s:/usr/bin/whois_psad:/usr/bin/whois:g" \
+ psad.conf || die
+}
+
+src_configure() {
+ default
+
+ local deps_subdir
+ for deps_subdir in IPTables-Parse IPTables-ChainMgr; do
+ cd "${S}"/deps/${deps_subdir} || die
+ SRC_PREP="no" perl-module_src_configure
+ done
+}
+
+src_compile() {
+ tc-export CC
+ default
+
+ local deps_subdir
+ for deps_subdir in IPTables-Parse IPTables-ChainMgr; do
+ cd "${S}"/deps/${deps_subdir} || die
+ perl-module_src_compile
+ done
+}
+
+src_install() {
+ newbin pscan psad-pscan
+
+ insinto /usr
+ dosbin kmsgsd psad psadwatchd
+ newsbin fwcheck_psad.pl fwcheck_psad
+
+ insinto /etc/psad
+ doins \
+ *.conf auto_dl icmp{,6}_types ip_options psad_* pf.os posf \
+ protocols signatures
+
+ newinitd init-scripts/psad-init.gentoo psad
+
+ doman *.8
+
+ dodoc BENCHMARK CREDITS Change* FW_EXAMPLE_RULES README SCAN_LOG
+
+ insinto /etc/psad/snort_rules
+ doins deps/snort_rules/*
+
+ local deps_subdir
+ for deps_subdir in IPTables-Parse IPTables-ChainMgr; do
+ cd "${S}"/deps/${deps_subdir} || die
+ perl-module_src_install
+ done
+}
diff --git a/net-firewall/psad/psad-2.4.1.ebuild b/net-firewall/psad/psad-2.4.1.ebuild
new file mode 100644
index 000000000000..dcf0bcd10907
--- /dev/null
+++ b/net-firewall/psad/psad-2.4.1.ebuild
@@ -0,0 +1,91 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+#PERL_EXPORT_PHASE_FUNCTIONS=no
+inherit eutils perl-module toolchain-funcs
+
+DESCRIPTION="Port Scanning Attack Detection daemon"
+SRC_URI="http://www.cipherdyne.org/psad/download/${P}.tar.bz2"
+HOMEPAGE="http://www.cipherdyne.org/psad"
+
+SLOT="0"
+LICENSE="GPL-2"
+KEYWORDS="~alpha ~amd64 ~ppc ~sparc ~x86"
+
+DEPEND="virtual/perl-ExtUtils-MakeMaker"
+RDEPEND="
+ dev-perl/Bit-Vector
+ dev-perl/Date-Calc
+ dev-perl/NetAddr-IP
+ dev-perl/Unix-Syslog
+ net-firewall/iptables
+ net-misc/whois
+ virtual/logger
+ virtual/mailx
+ virtual/perl-Storable
+"
+
+src_prepare() {
+ epatch "${FILESDIR}"/${PN}-2.2.4-var-run.patch
+
+ sed -i \
+ -e 's|/usr/bin/gcc|$(CC)|g' \
+ -e 's|-O|$(CFLAGS) $(LDFLAGS)|g' \
+ Makefile || die
+ # Fix up default paths
+ sed -i \
+ -e "s:/usr/bin/whois_psad:/usr/bin/whois:g" \
+ psad.conf || die
+}
+
+src_configure() {
+ default
+
+ local deps_subdir
+ for deps_subdir in IPTables-Parse IPTables-ChainMgr; do
+ cd "${S}"/deps/${deps_subdir} || die
+ SRC_PREP="no" perl-module_src_configure
+ done
+}
+
+src_compile() {
+ tc-export CC
+ default
+
+ local deps_subdir
+ for deps_subdir in IPTables-Parse IPTables-ChainMgr; do
+ cd "${S}"/deps/${deps_subdir} || die
+ perl-module_src_compile
+ done
+}
+
+src_install() {
+ newbin pscan psad-pscan
+
+ insinto /usr
+ dosbin kmsgsd psad psadwatchd
+ newsbin fwcheck_psad.pl fwcheck_psad
+
+ insinto /etc/psad
+ doins \
+ *.conf auto_dl icmp{,6}_types ip_options psad_* pf.os posf \
+ protocols signatures
+
+ newinitd init-scripts/psad-init.gentoo psad
+
+ doman *.8
+
+ dodoc BENCHMARK CREDITS Change* FW_EXAMPLE_RULES FW_HELP README \
+ README.SYSLOG SCAN_LOG
+
+ insinto /etc/psad/snort_rules
+ doins deps/snort_rules/*
+
+ local deps_subdir
+ for deps_subdir in IPTables-Parse IPTables-ChainMgr; do
+ cd "${S}"/deps/${deps_subdir} || die
+ perl-module_src_install
+ done
+}
diff --git a/net-firewall/quicktables/Manifest b/net-firewall/quicktables/Manifest
new file mode 100644
index 000000000000..ba39b76ccf06
--- /dev/null
+++ b/net-firewall/quicktables/Manifest
@@ -0,0 +1 @@
+DIST quicktables-2.3.tar.gz 20287 RMD160 107711062ba23d96c62dba6a6bd893b94e9d86d1 SHA1 ac685eb7ad580f6e20f68b8b4e60dee1356d7fb0 SHA256 f96c39dd72227b0056899d635531c3836a64a300183d657a12a5625d435155f6
diff --git a/net-firewall/quicktables/metadata.xml b/net-firewall/quicktables/metadata.xml
new file mode 100644
index 000000000000..d9cd2cad66c2
--- /dev/null
+++ b/net-firewall/quicktables/metadata.xml
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+<maintainer>
+<email>maintainer-needed@gentoo.org</email>
+</maintainer>
+</pkgmetadata>
diff --git a/net-firewall/quicktables/quicktables-2.3.ebuild b/net-firewall/quicktables/quicktables-2.3.ebuild
new file mode 100644
index 000000000000..b0398c5beeab
--- /dev/null
+++ b/net-firewall/quicktables/quicktables-2.3.ebuild
@@ -0,0 +1,19 @@
+# Copyright 1999-2005 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+DESCRIPTION="a quick iptables script generator"
+HOMEPAGE="http://qtables.radom.org/"
+SRC_URI="http://qtables.radom.org/files/${P}.tar.gz"
+
+LICENSE="GPL-2"
+IUSE=""
+KEYWORDS="~amd64 ~ppc ~x86"
+SLOT="0"
+
+RDEPEND="net-firewall/iptables"
+
+src_install() {
+ dosbin quicktables-2.3 || die
+ dodoc changes readme todo
+}
diff --git a/net-firewall/rtsp-conntrack/Manifest b/net-firewall/rtsp-conntrack/Manifest
new file mode 100644
index 000000000000..ecb90044c22c
--- /dev/null
+++ b/net-firewall/rtsp-conntrack/Manifest
@@ -0,0 +1 @@
+DIST rtsp-module-3.7.tar.gz 11474 SHA256 a8333924e9553ec25ed0707b8e78637bf055e654a888ff7e40634f356102068a SHA512 480316f41f7e9a2a75b73b3edcbbdc98bf293f013a5549c6829659e601d2d1ec0ac94f7a2519cd6e40d41cbd02cf64f81fe2a371c703c3b0ba36d200fe29a3c1 WHIRLPOOL c76f20fb016a11c036d452998a6892af055247dccb7fa6e35c5c4bd2954fcc2a7b2d1403612d05c19d278ff4222faaaaa31284e81d7c135ed7cac47f2b3c69d3
diff --git a/net-firewall/rtsp-conntrack/metadata.xml b/net-firewall/rtsp-conntrack/metadata.xml
new file mode 100644
index 000000000000..b6b8956cde34
--- /dev/null
+++ b/net-firewall/rtsp-conntrack/metadata.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+ <maintainer>
+ <email>pinkbyte@gentoo.org</email>
+ <name>Sergey Popov</name>
+ </maintainer>
+</pkgmetadata>
diff --git a/net-firewall/rtsp-conntrack/rtsp-conntrack-3.7.ebuild b/net-firewall/rtsp-conntrack/rtsp-conntrack-3.7.ebuild
new file mode 100644
index 000000000000..5d548286663a
--- /dev/null
+++ b/net-firewall/rtsp-conntrack/rtsp-conntrack-3.7.ebuild
@@ -0,0 +1,36 @@
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+inherit eutils linux-mod versionator
+
+DESCRIPTION="RTSP conntrack module for Netfilter"
+HOMEPAGE="http://mike.it-loops.com/rtsp"
+SRC_URI="http://mike.it-loops.com/rtsp/rtsp-module-${PV}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="amd64 x86"
+
+S="${WORKDIR}/rtsp"
+
+BUILD_TARGETS="all"
+MODULE_NAMES="
+ nf_conntrack_rtsp(net/netfilter::)
+ nf_nat_rtsp(net/ipv4/netfilter::)"
+MODULESD_NF_CONNTRACK_RTSP_DOCS="README.rst"
+
+CONFIG_CHECK="NF_CONNTRACK"
+WARNING_NF_CONNTRACK="You must enable NF_CONNTRACK in your kernel, otherwise ${PN} would not work"
+
+BUILD_PARAMS="KERNELDIR=${KERNEL_DIR} V=1"
+
+pkg_setup() {
+ linux-mod_pkg_setup
+ kernel_is -lt $(get_version_components) && die "This version of ${PN} would not work on kernels <= ${PV}"
+}
+
+src_prepare() {
+ epatch_user
+}
diff --git a/net-firewall/sanewall/Manifest b/net-firewall/sanewall/Manifest
new file mode 100644
index 000000000000..c2fe9fa72022
--- /dev/null
+++ b/net-firewall/sanewall/Manifest
@@ -0,0 +1 @@
+DIST sanewall-1.1.6.tar.xz 585316 SHA256 c26a339a1ac945aa0ddffbbb92ac4dff07302da8d9de6983832e91e123c4b00e SHA512 73260197b88816e90b15fc244a5940c290ec99c82eb8e50338b4f0f88710900c8cd18920c6f319205e527859c0696da28798428ab04b03c7f355c1d8ba6f7ca0 WHIRLPOOL cf906c539c4d348837fc93e46e7cf3d1d94cadcd111db918c265fa78133b35befd69ea2bdef782a054b035f40130821291b11965c7846220eaf4551237bcfb78
diff --git a/net-firewall/sanewall/files/sanewall.confd b/net-firewall/sanewall/files/sanewall.confd
new file mode 100644
index 000000000000..2193b04d49bf
--- /dev/null
+++ b/net-firewall/sanewall/files/sanewall.confd
@@ -0,0 +1,5 @@
+# location of sanewall config
+SANEWALL_CONFIG="/etc/sanewall/sanewall.conf"
+
+# arguments for sanewall
+#SANEWALL_OPTS=""
diff --git a/net-firewall/sanewall/files/sanewall.initd b/net-firewall/sanewall/files/sanewall.initd
new file mode 100644
index 000000000000..665d3868ff4c
--- /dev/null
+++ b/net-firewall/sanewall/files/sanewall.initd
@@ -0,0 +1,57 @@
+#!/sbin/runscript
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+extra_commands="save panic try"
+extra_started_commands="reload"
+
+depend() {
+ need localmount
+ after bootmisc
+ before net
+ provide firewall
+}
+
+start_pre() {
+ if [ ! -f ${SANEWALL_CONFIG} ]; then
+ eerror "Not starting sanewall, missing config file ${SANEWALL_CONFIG}."
+ return 1
+ fi
+}
+
+start() {
+ ebegin "Starting sanewall"
+ /usr/sbin/sanewall ${SANEWALL_OPTS} ${SANEWALL_CONFIG} start >/dev/null
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping sanewall"
+ /usr/sbin/sanewall ${SANEWALL_OPTS} stop >/dev/null
+ eend $?
+}
+
+try() {
+ ebegin "Trying sanewall configuration"
+ /usr/sbin/sanewall ${SANEWALL_OPTS} ${SANEWALL_CONFIG} try
+ eend $?
+}
+
+status() {
+ ebegin "Showing sanewall status"
+ /usr/sbin/sanewall ${SANEWALL_OPTS} status
+ eend $?
+}
+
+panic() {
+ ebegin "sanewall panic"
+ /usr/sbin/sanewall ${SANEWALL_OPTS} panic
+ eend $?
+}
+
+save() {
+ ebegin "Saving sanewall configuration"
+ /usr/sbin/sanewall ${SANEWALL_OPTS} save
+ eend $?
+}
diff --git a/net-firewall/sanewall/metadata.xml b/net-firewall/sanewall/metadata.xml
new file mode 100644
index 000000000000..ccea844db312
--- /dev/null
+++ b/net-firewall/sanewall/metadata.xml
@@ -0,0 +1,7 @@
+<?xml version = '1.0' encoding = 'UTF-8'?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+ <maintainer>
+ <email>maintainer-needed@gentoo.org</email>
+ </maintainer>
+</pkgmetadata>
diff --git a/net-firewall/sanewall/sanewall-1.1.6-r1.ebuild b/net-firewall/sanewall/sanewall-1.1.6-r1.ebuild
new file mode 100644
index 000000000000..93ebfa5bf2f2
--- /dev/null
+++ b/net-firewall/sanewall/sanewall-1.1.6-r1.ebuild
@@ -0,0 +1,57 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+
+inherit linux-info
+
+DESCRIPTION="iptables firewall generator (fork of firehol)"
+HOMEPAGE="http://www.sanewall.org/"
+SRC_URI="http://download.sanewall.org/releases/${PV}/${P}.tar.xz"
+
+LICENSE="GPL-2+"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+
+DEPEND="app-arch/xz-utils"
+RDEPEND="net-firewall/iptables[ipv6]
+ sys-apps/iproute2[-minimal]
+ virtual/modutils
+ || (
+ net-misc/wget
+ net-misc/curl
+ )"
+
+pkg_setup() {
+ local KCONFIG_OPTS="~NF_CONNTRACK_IPV4 ~NF_CONNTRACK_MARK ~NF_NAT ~NF_NAT_FTP ~NF_NAT_IRC \
+ ~IP_NF_IPTABLES ~IP_NF_FILTER ~IP_NF_TARGET_REJECT ~IP_NF_TARGET_LOG ~IP_NF_TARGET_ULOG \
+ ~IP_NF_TARGET_MASQUERADE ~IP_NF_TARGET_REDIRECT ~IP_NF_MANGLE \
+ ~NETFILTER_XT_MATCH_LIMIT ~NETFILTER_XT_MATCH_STATE ~NETFILTER_XT_MATCH_OWNER"
+
+ get_version
+ if [[ ${KV_PATCH} -ge 25 ]] ; then
+ CONFIG_CHECK="~NF_CONNTRACK ${KCONFIG_OPTS}"
+ else
+ CONFIG_CHECK="~NF_CONNTRACK_ENABLED ${KCONFIG_OPTS}"
+ fi
+ linux-info_pkg_setup
+}
+
+src_configure() {
+ econf --docdir="/usr/share/doc/${PF}"
+}
+
+src_install() {
+ default
+ newconfd "${FILESDIR}"/${PN}.confd ${PN}
+ newinitd "${FILESDIR}"/${PN}.initd ${PN}
+}
+
+pkg_postinst() {
+ # install default configuration if it doesn't exist
+ if [[ ! -e "${ROOT}"/etc/${PN}/${PN}.conf ]] ; then
+ einfo "Installing a sample configuration to ${ROOT}/etc/${PN}/${PN}.conf"
+ cp "${ROOT}"/etc/${PN}/${PN}.conf.example "${ROOT}"/etc/${PN}/${PN}.conf || die
+ fi
+}
diff --git a/net-firewall/shapecfg/Manifest b/net-firewall/shapecfg/Manifest
new file mode 100644
index 000000000000..953a87b53c5d
--- /dev/null
+++ b/net-firewall/shapecfg/Manifest
@@ -0,0 +1 @@
+DIST shaper.36.tar.gz 671 RMD160 1c7ab11cb7f68070aca4aacb1edc0de812314bfb SHA1 7a8fe9f963c2e5b288fefabab173fcf1877234ff SHA256 33abccecf7628da63e668042b3f6d5ac94df6036f8194d86d233964f15400323
diff --git a/net-firewall/shapecfg/files/README.shaper b/net-firewall/shapecfg/files/README.shaper
new file mode 100644
index 000000000000..60c2b4d6afb6
--- /dev/null
+++ b/net-firewall/shapecfg/files/README.shaper
@@ -0,0 +1,50 @@
+
+Traffic Shaper For Linux
+
+This is the current ALPHA release of the traffic shaper for Linux. It works
+within the following limits:
+
+o Minimum shaping speed is currently about 9600 baud (it can only
+ shape down to 1 byte per clock tick)
+
+o Maximum is about 256K, it will go above this but get a bit blocky.
+
+o If you ifconfig the master device that a shaper is attached to down
+ then your machine will follow.
+
+o The shaper must be a module.
+
+
+Setup:
+
+A shaper device is configured using the shapeconfig program.
+Typically you will do something like this
+
+shapecfg attach shaper0 eth1
+shapecfg speed shaper0 64000
+ifconfig shaper0 myhost netmask 255.255.255.240 broadcast 1.2.3.4.255 up
+route add -net some.network netmask a.b.c.d dev shaper0
+
+The shaper should have the same IP address as the device it is attached to
+for normal use.
+
+Gotchas:
+
+ The shaper shapes transmitted traffic. It's rather impossible to
+shape received traffic except at the end (or a router) transmitting it.
+
+ Gated/routed/rwhod/mrouted all see the shaper as an additional device
+and will treat it as such unless patched. Note that for mrouted you can run
+mrouted tunnels via a traffic shaper to control bandwidth usage.
+
+ The shaper is device/route based. This makes it very easy to use
+with any setup BUT less flexible. You may well want to combine this patch
+with Mike McLagan 's patch to allow routes to be
+specified by source/destination pairs.
+
+ There is no "borrowing" or "sharing" scheme. This is a simple
+traffic limiter. I'd like to implement Van Jacobson and Sally Floyd's CBQ
+architecture into Linux one day (maybe in 2.1 sometime) and do this with
+style.
+
+
diff --git a/net-firewall/shapecfg/files/shapercfg-2.0.36-glibc.patch b/net-firewall/shapecfg/files/shapercfg-2.0.36-glibc.patch
new file mode 100644
index 000000000000..3fb6a36ae50b
--- /dev/null
+++ b/net-firewall/shapecfg/files/shapercfg-2.0.36-glibc.patch
@@ -0,0 +1,15 @@
+--- shaper/shapecfg.c.glibc Tue Sep 29 20:24:02 1998
++++ shaper/shapecfg.c Tue Sep 29 20:29:27 1998
+@@ -3,9 +3,9 @@
+ #include <stdlib.h>
+ #include <linux/types.h>
+ #include <netinet/in.h>
+-#include <linux/if.h>
+-#include <linux/if_shaper.h>
+-#include <linux/sockios.h>
++#include <net/if.h>
++#include <net/if_shaper.h>
++#include <sys/ioctl.h>
+
+ void usage(char *name)
+ {
diff --git a/net-firewall/shapecfg/metadata.xml b/net-firewall/shapecfg/metadata.xml
new file mode 100644
index 000000000000..d9cd2cad66c2
--- /dev/null
+++ b/net-firewall/shapecfg/metadata.xml
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+<maintainer>
+<email>maintainer-needed@gentoo.org</email>
+</maintainer>
+</pkgmetadata>
diff --git a/net-firewall/shapecfg/shapecfg-36.ebuild b/net-firewall/shapecfg/shapecfg-36.ebuild
new file mode 100644
index 000000000000..d8be777b2b0e
--- /dev/null
+++ b/net-firewall/shapecfg/shapecfg-36.ebuild
@@ -0,0 +1,35 @@
+# Copyright 1999-2006 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+inherit eutils flag-o-matic
+
+DESCRIPTION="configuration tool for setting traffic bandwidth parameters"
+HOMEPAGE="ftp://archive.download.redhat.com/pub/redhat/linux/9/en/os/i386/SRPMS http://sourceforge.net/projects/cbqinit"
+SRC_URI="mirror://gentoo/shaper.${PV}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~x86"
+IUSE=""
+
+DEPEND=""
+
+S=${WORKDIR}/shaper
+
+src_unpack() {
+ unpack ${A}
+ cd "${S}"
+ epatch "${FILESDIR}"/shapercfg-2.0.36-glibc.patch
+ rm -f Makefile
+}
+
+src_compile() {
+ append-flags -Wall
+ emake shapecfg || die
+}
+
+src_install() {
+ dobin shapecfg || die
+ dodoc "${FILESDIR}"/README.shaper
+}
diff --git a/net-firewall/shorewall-core/Manifest b/net-firewall/shorewall-core/Manifest
new file mode 100644
index 000000000000..e42704c3edfc
--- /dev/null
+++ b/net-firewall/shorewall-core/Manifest
@@ -0,0 +1,2 @@
+DIST shorewall-core-4.5.21.10.tar.bz2 86185 SHA256 57e4b96ae3258b5150fbb188921845e8843d6b6ccb77d60a10bb984f87951334 SHA512 ad96fd91d5d8eb900b7a2180a37fa1826c7448fd5ff0f94f938e897b2cdf9d7b2a064cb4499fb76107bb8cf8f32c1265a7ff6d5966dae1d1d76a4a61482d6c81 WHIRLPOOL f08ccd4c59bac5f7f1fc8ea1bec853e5286aa1f13ad0b09fd3578d5002266ec210382a73f8a2f8b45dd09dda93cdd695f259ee60803820ed2715dc046ff16e7c
+DIST shorewall-core-4.5.21.9.tar.bz2 86021 SHA256 f431edf0109641b7fd7c9568e39917b16f1d776393d58aef328f82bf5ef20656 SHA512 53525a3159e33aefbc39ff59fe300e5da3f51a4c2c363ecb4b56888d87ef48f56b8ec7c4d09668407148898f2704ff60627a90b42203cf48d2e4c3d3c5fd8f41 WHIRLPOOL 032ee33b1e1e3effc1a7b97ad4000b4e9eaf0a1f4d45cffeb252298aaea06444484ccc80b4c5115d59ffb6e2d76e2fac97b2ceb6b2b2c4b7283f4cdd4778a6f6
diff --git a/net-firewall/shorewall-core/files/4.5.21.10-r1/shorewallrc b/net-firewall/shorewall-core/files/4.5.21.10-r1/shorewallrc
new file mode 100644
index 000000000000..46f5eb9a3603
--- /dev/null
+++ b/net-firewall/shorewall-core/files/4.5.21.10-r1/shorewallrc
@@ -0,0 +1,23 @@
+#
+# Gentoo Shorewall 4.5 rc file
+#
+BUILD= #Default is to detect the build system
+HOST=gentoo #Gentoo GNU Linux
+PREFIX=@GENTOO_PORTAGE_EPREFIX@/usr #Top-level directory for shared files, libraries, etc.
+SHAREDIR=${PREFIX}/share #Directory for arch-neutral files.
+LIBEXECDIR=${PREFIX}/share #Directory for executable scripts.
+PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory
+CONFDIR=@GENTOO_PORTAGE_EPREFIX@/etc #Directory where subsystem configurations are installed
+SBINDIR=@GENTOO_PORTAGE_EPREFIX@/sbin #Directory where system administration programs are installed
+MANDIR=${PREFIX}/share/man #Directory where manpages are installed.
+INITDIR=${CONFDIR}/init.d #Directory where SysV init scripts are installed.
+INITFILE=${PRODUCT} #Name of the product's installed SysV init script
+INITSOURCE=init.gentoo.sh #Name of the distributed file to be installed as the SysV init script
+ANNOTATED= #If non-zero, annotated configuration files are installed
+SYSTEMD=@GENTOO_PORTAGE_EPREFIX@/usr/lib/systemd/system #Directory where .service files are installed (systems running systemd only)
+SERVICEFILE=gentoo.service #Name of the distributed file to be installed as systemd service file
+SYSCONFFILE=default.gentoo #Name of the distributed file to be installed in $SYSCONFDIR
+SYSCONFDIR=${CONFDIR}/conf.d #Directory where SysV init parameter files are installed
+SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
+VARLIB=@GENTOO_PORTAGE_EPREFIX@/var/lib #Directory where product variable data is stored.
+VARDIR=${VARLIB}/${PRODUCT} #Directory where product variable data is stored.
diff --git a/net-firewall/shorewall-core/files/4.5.21.9/shorewallrc b/net-firewall/shorewall-core/files/4.5.21.9/shorewallrc
new file mode 100644
index 000000000000..46f5eb9a3603
--- /dev/null
+++ b/net-firewall/shorewall-core/files/4.5.21.9/shorewallrc
@@ -0,0 +1,23 @@
+#
+# Gentoo Shorewall 4.5 rc file
+#
+BUILD= #Default is to detect the build system
+HOST=gentoo #Gentoo GNU Linux
+PREFIX=@GENTOO_PORTAGE_EPREFIX@/usr #Top-level directory for shared files, libraries, etc.
+SHAREDIR=${PREFIX}/share #Directory for arch-neutral files.
+LIBEXECDIR=${PREFIX}/share #Directory for executable scripts.
+PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory
+CONFDIR=@GENTOO_PORTAGE_EPREFIX@/etc #Directory where subsystem configurations are installed
+SBINDIR=@GENTOO_PORTAGE_EPREFIX@/sbin #Directory where system administration programs are installed
+MANDIR=${PREFIX}/share/man #Directory where manpages are installed.
+INITDIR=${CONFDIR}/init.d #Directory where SysV init scripts are installed.
+INITFILE=${PRODUCT} #Name of the product's installed SysV init script
+INITSOURCE=init.gentoo.sh #Name of the distributed file to be installed as the SysV init script
+ANNOTATED= #If non-zero, annotated configuration files are installed
+SYSTEMD=@GENTOO_PORTAGE_EPREFIX@/usr/lib/systemd/system #Directory where .service files are installed (systems running systemd only)
+SERVICEFILE=gentoo.service #Name of the distributed file to be installed as systemd service file
+SYSCONFFILE=default.gentoo #Name of the distributed file to be installed in $SYSCONFDIR
+SYSCONFDIR=${CONFDIR}/conf.d #Directory where SysV init parameter files are installed
+SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
+VARLIB=@GENTOO_PORTAGE_EPREFIX@/var/lib #Directory where product variable data is stored.
+VARDIR=${VARLIB}/${PRODUCT} #Directory where product variable data is stored.
diff --git a/net-firewall/shorewall-core/metadata.xml b/net-firewall/shorewall-core/metadata.xml
new file mode 100644
index 000000000000..52ffdde3f9be
--- /dev/null
+++ b/net-firewall/shorewall-core/metadata.xml
@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+ <herd>netmon</herd>
+ <herd>proxy-maintainers</herd>
+ <maintainer>
+ <email>whissi@whissi.de</email>
+ <name>Thomas D. (Whissi)</name>
+ </maintainer>
+</pkgmetadata>
diff --git a/net-firewall/shorewall-core/shorewall-core-4.5.21.10-r1.ebuild b/net-firewall/shorewall-core/shorewall-core-4.5.21.10-r1.ebuild
new file mode 100644
index 000000000000..4e189a5b858b
--- /dev/null
+++ b/net-firewall/shorewall-core/shorewall-core-4.5.21.10-r1.ebuild
@@ -0,0 +1,74 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="5"
+
+inherit eutils prefix versionator
+
+MY_URL_PREFIX=
+case ${P} in
+ *_beta* | \
+ *_rc*)
+ MY_URL_PREFIX='development/'
+ ;;
+esac
+
+MY_PV=${PV/_rc/-RC}
+MY_PV=${MY_PV/_beta/-Beta}
+MY_P=${PN}-${MY_PV}
+
+MY_MAJOR_RELEASE_NUMBER=$(get_version_component_range 1-2)
+MY_MAJORMINOR_RELEASE_NUMBER=$(get_version_component_range 1-3)
+
+DESCRIPTION="Core libraries of shorewall / shorewall(6)-lite"
+HOMEPAGE="http://www.shorewall.net/"
+SRC_URI="http://www1.shorewall.net/pub/shorewall/${MY_URL_PREFIX}${MY_MAJOR_RELEASE_NUMBER}/shorewall-${MY_MAJORMINOR_RELEASE_NUMBER}/${MY_P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 hppa ~ppc ~ppc64 ~sparc ~x86"
+IUSE="selinux"
+
+DEPEND="
+ >=dev-lang/perl-5.10
+ virtual/perl-Digest-SHA
+ !<net-firewall/shorewall-4.5.0.1
+"
+RDEPEND="
+ ${DEPEND}
+ >=net-firewall/iptables-1.4.20
+ >=sys-apps/iproute2-3.8.0[-minimal]
+ >=sys-devel/bc-1.06.95
+ >=sys-apps/coreutils-8.20
+ selinux? ( >=sec-policy/selinux-shorewall-2.20130424-r2 )
+"
+
+DOCS=( changelog.txt releasenotes.txt )
+
+S=${WORKDIR}/${PN}-${MY_PV}
+
+src_prepare() {
+ cp "${FILESDIR}"/${PVR}/shorewallrc "${S}"/shorewallrc.gentoo || die "Copying shorewallrc failed"
+ eprefixify "${S}"/shorewallrc.gentoo
+
+ epatch_user
+}
+
+src_configure() {
+ :;
+}
+
+src_install() {
+ DESTDIR="${D}" ./install.sh shorewallrc.gentoo || die "install.sh failed"
+ default
+}
+
+pkg_postinst() {
+ if ! has_version sys-apps/net-tools; then
+ elog "It is recommended to install sys-apps/net-tools which will provide the"
+ elog "the 'arp' utility which will give you a better 'shorewall-lite dump' output:"
+ elog ""
+ elog " # emerge sys-apps/net-tools"
+ fi
+}
diff --git a/net-firewall/shorewall-core/shorewall-core-4.5.21.9.ebuild b/net-firewall/shorewall-core/shorewall-core-4.5.21.9.ebuild
new file mode 100644
index 000000000000..f313a9316472
--- /dev/null
+++ b/net-firewall/shorewall-core/shorewall-core-4.5.21.9.ebuild
@@ -0,0 +1,74 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="5"
+
+inherit eutils prefix versionator
+
+MY_URL_PREFIX=
+case ${P} in
+ *_beta* | \
+ *_rc*)
+ MY_URL_PREFIX='development/'
+ ;;
+esac
+
+MY_PV=${PV/_rc/-RC}
+MY_PV=${MY_PV/_beta/-Beta}
+MY_P=${PN}-${MY_PV}
+
+MY_MAJOR_RELEASE_NUMBER=$(get_version_component_range 1-2)
+MY_MAJORMINOR_RELEASE_NUMBER=$(get_version_component_range 1-3)
+
+DESCRIPTION="Core libraries of shorewall / shorewall(6)-lite"
+HOMEPAGE="http://www.shorewall.net/"
+SRC_URI="http://www1.shorewall.net/pub/shorewall/${MY_URL_PREFIX}${MY_MAJOR_RELEASE_NUMBER}/shorewall-${MY_MAJORMINOR_RELEASE_NUMBER}/${MY_P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="alpha amd64 hppa ppc ppc64 sparc x86"
+IUSE="selinux"
+
+DEPEND="
+ >=dev-lang/perl-5.10
+ virtual/perl-Digest-SHA
+ !<net-firewall/shorewall-4.5.0.1
+"
+RDEPEND="
+ ${DEPEND}
+ >=net-firewall/iptables-1.4.20
+ >=sys-apps/iproute2-3.8.0[-minimal]
+ >=sys-devel/bc-1.06.95
+ >=sys-apps/coreutils-8.20
+ selinux? ( >=sec-policy/selinux-shorewall-2.20130424-r2 )
+"
+
+DOCS=( changelog.txt releasenotes.txt )
+
+S=${WORKDIR}/${PN}-${MY_PV}
+
+src_prepare() {
+ cp "${FILESDIR}"/${PVR}/shorewallrc "${S}"/shorewallrc.gentoo || die "Copying shorewallrc failed"
+ eprefixify "${S}"/shorewallrc.gentoo
+
+ epatch_user
+}
+
+src_configure() {
+ :;
+}
+
+src_install() {
+ DESTDIR="${D}" ./install.sh shorewallrc.gentoo || die "install.sh failed"
+ default
+}
+
+pkg_postinst() {
+ if ! has_version sys-apps/net-tools; then
+ elog "It is recommended to install sys-apps/net-tools which will provide the"
+ elog "the 'arp' utility which will give you a better 'shorewall-lite dump' output:"
+ elog ""
+ elog " # emerge sys-apps/net-tools"
+ fi
+}
diff --git a/net-firewall/shorewall-init/Manifest b/net-firewall/shorewall-init/Manifest
new file mode 100644
index 000000000000..bec4a10e313c
--- /dev/null
+++ b/net-firewall/shorewall-init/Manifest
@@ -0,0 +1,2 @@
+DIST shorewall-init-4.5.21.10.tar.bz2 66287 SHA256 53dc29e61d2ed91b7d47f5d4ef51f751567288b2bf0c4459ddbae8dc8259dc32 SHA512 4856816b4f7c5d9015f4c8e65246297ccf927b979050cb955253ef24947938fc31e5aed9b8f6f4a0f5d2ae390a97cf5cd6010639c677befb981ec85234435f6e WHIRLPOOL a5463c06a7c60129f5b969cc28c4c94701d12955192179055deed9e29bb07cab24c4885b8ec279f247fac83b72fa8e39880bceae153ba82c41f7bd4a7cff0740
+DIST shorewall-init-4.5.21.9.tar.bz2 66436 SHA256 53867182aac095777d08830260596eaad8893c64715a27c837ac928546803f20 SHA512 973302b3f74f655b6b284e36caaa02e95ed3e3afabf5f0eae5307381cf95f8e33f3a85696b573e928dad91b121123ab07903954dfb6fa3b57a4759dfa72f93f6 WHIRLPOOL 43f527cbb4b36b725a981076df1a2efd5213058439916d56baf94dc6981b305286e42d7f8d406f8c6e47362cac92a5674975642e8d2535f0cf6e685db9d918c5
diff --git a/net-firewall/shorewall-init/files/4.5.21.10-r1/01_Remove-ipset-functionality.patch b/net-firewall/shorewall-init/files/4.5.21.10-r1/01_Remove-ipset-functionality.patch
new file mode 100644
index 000000000000..620e479f92fc
--- /dev/null
+++ b/net-firewall/shorewall-init/files/4.5.21.10-r1/01_Remove-ipset-functionality.patch
@@ -0,0 +1,27 @@
+--- shorewall-init.old 2013-09-08 23:25:36.364924304 +0200
++++ shorewall-init 2013-09-08 23:29:27.418736392 +0200
+@@ -79,10 +79,6 @@
+ fi
+ done
+
+- if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
+- ipset -R < "$SAVE_IPSETS"
+- fi
+-
+ return 0
+ }
+
+@@ -100,13 +96,6 @@
+ fi
+ done
+
+- if [ -n "$SAVE_IPSETS" ]; then
+- mkdir -p $(dirname "$SAVE_IPSETS")
+- if ipset -S > "${SAVE_IPSETS}.tmp"; then
+- grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+- fi
+- fi
+-
+ return 0
+ }
+
diff --git a/net-firewall/shorewall-init/files/4.5.21.10-r1/README.Gentoo.txt b/net-firewall/shorewall-init/files/4.5.21.10-r1/README.Gentoo.txt
new file mode 100644
index 000000000000..f7b13fed3de6
--- /dev/null
+++ b/net-firewall/shorewall-init/files/4.5.21.10-r1/README.Gentoo.txt
@@ -0,0 +1,30 @@
+shorewall-init from upstream offers two features (taken from [1]):
+
+ 1. It can 'close' the firewall before the network interfaces are
+ brought up during boot.
+
+ 2. It can change the firewall state as the result of interfaces
+ being brought up or taken down.
+
+On Gentoo we only support the first feature -- the firewall lockdown during
+boot.
+
+We do not support the second feature, because Gentoo doesn't support a
+if-{up,down}.d folder like other distributions do. If you would want to use
+such a feature, you would have to add a custom action to /etc/conf.d/net
+(please refer to the Gentoo Linux Handbook [2] for more information).
+If you are able to add your custom {pre,post}{up,down} action, your are
+also able to specify what shorewall{6,-lite,6-lite} should do, so there is
+no need for upstream's scripts in Gentoo.
+
+If you disagree with us, feel free to open a bug [3] and contribute your
+solution for Gentoo.
+
+Upstream's original init script also supports saving and restoring of
+ipsets. Please use the init script from net-firewall/ipset if you need
+such a feature.
+
+
+[1] http://www.shorewall.net/Shorewall-init.html
+[2] http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=4&chap=5
+[3] https://bugs.gentoo.org
diff --git a/net-firewall/shorewall-init/files/4.5.21.10-r1/shorewall-init.confd b/net-firewall/shorewall-init/files/4.5.21.10-r1/shorewall-init.confd
new file mode 100644
index 000000000000..4ca0024579f7
--- /dev/null
+++ b/net-firewall/shorewall-init/files/4.5.21.10-r1/shorewall-init.confd
@@ -0,0 +1,9 @@
+# List the Shorewall products that Shorewall-init is to
+# initialize (space-separated list).
+#
+# Sample: PRODUCTS="shorewall shorewall6-lite"
+#
+PRODUCTS=""
+
+# Startup options - set verbosity to 0 (minimal reporting)
+OPTIONS="-V0"
diff --git a/net-firewall/shorewall-init/files/4.5.21.10-r1/shorewall-init.initd b/net-firewall/shorewall-init/files/4.5.21.10-r1/shorewall-init.initd
new file mode 100644
index 000000000000..3b574c56386b
--- /dev/null
+++ b/net-firewall/shorewall-init/files/4.5.21.10-r1/shorewall-init.initd
@@ -0,0 +1,196 @@
+#!/sbin/runscript
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+SHOREWALLRC_FILE="@GENTOO_PORTAGE_EPREFIX@/usr/share/shorewall/shorewallrc"
+CONFIG_FILE="@GENTOO_PORTAGE_EPREFIX@/etc/conf.d/${SVCNAME}"
+
+description="Puts Shorewall in a safe state at boot time"
+description="${description} prior to bringing up the network."
+
+required_files="$SHOREWALLRC_FILE"
+
+depend() {
+ need localmount
+ before net
+ after bootmisc ipset tmpfiles.setup ulogd
+}
+
+
+. $SHOREWALLRC_FILE
+
+checkconfig() {
+ local PRODUCT=
+
+ if [ -z "${VARLIB}" ]; then
+ eerror "\"VARLIB\" isn't defined or empty! Please check" \
+ "\"${SHOREWALLRC_FILE}\"."
+
+
+ return 1
+ fi
+
+ if [ -z "${PRODUCTS}" ]; then
+ eerror "${SVCNAME} isn't configured! Please check" \
+ "\"${CONFIG_FILE}\"."
+
+
+ return 1
+ fi
+
+ for PRODUCT in ${PRODUCTS}; do
+ if [ ! -x ${SBINDIR}/${PRODUCT} ]; then
+ eerror "Invalid product \"${PRODUCT}\" specified" \
+ "in \"${CONFIG_FILE}\"!"
+ eerror "Maybe \"${PRODUCT}\" isn't installed?"
+
+
+ return 1
+ fi
+ done
+
+
+ return 0
+}
+
+check_firewall_script() {
+ if [ ! -x ${STATEDIR}/firewall ]; then
+ if [ ${PRODUCT} = shorewall -o ${PRODUCT} = shorewall6 ]; then
+ ebegin "Creating \"${STATEDIR}/firewall\""
+ ${SBINDIR}/${PRODUCT} compile 1>/dev/null
+ eend $?
+ else
+ eerror "\"${PRODUCT}\" isn't configured!"
+ eerror "Please go to your 'administrative system'" \
+ "and deploy the compiled firewall" \
+ "configuration for this system."
+
+
+ return 1
+ fi
+ fi
+
+
+ return 0
+}
+
+is_allowed_to_be_executed() {
+ # This is not a real service. shorewall-init is an intermediate
+ # script to put your Shorewall-based firewall into a safe state
+ # at boot time prior to bringing up the network.
+ # Please read /usr/share/doc/shorewall-init-*/README.gentoo.gz
+ # for more information.
+ # When your system is up, there is no need to call shorewall-init.
+ # Please call shorewall{,6,-lite,6-lite} directly. That's the
+ # reason why we are preventing start, stop or restart here.
+
+ local PRODUCT=
+
+ if [ "${RC_RUNLEVEL}" != "boot" -a "${RC_CMD}" = "start" ]; then
+ # Starting shorewall-init is only allowed at boot time
+ eerror "This is a boot service, which can only be started" \
+ "at boot."
+ eerror "If you want to get your shorewall-based firewall" \
+ "into the same safe boot state again, run"
+ eerror ""
+ eindent
+ for PRODUCT in ${PRODUCTS}; do
+ eerror "/etc/init.d/${PRODUCT} stop"
+ done
+ eoutdent
+ eerror ""
+ eerror "Yes, \"stop\" and not start."
+ eerror ""
+ return 1
+ fi
+
+ if [ "${RC_RUNLEVEL}" != "shutdown" -a "${RC_CMD}" = "stop" ]; then
+ # Stopping shorewall-init is only allowed at shutdown
+ eerror "This is a boot service, which cannot be stopped."
+ eerror "If you really want to stop your Shorewall-based" \
+ "firewall the same way this service would stop" \
+ "Shorewall at shutdown, please run"
+ eerror ""
+ eindent
+ for PRODUCT in ${PRODUCTS}; do
+ eerror "/etc/init.d/${PRODUCT} clear"
+ done
+ eoutdent
+ eerror ""
+ eerror "Keep in mind that this will clear (=bring down)" \
+ "your firewall!"
+ eerror ""
+ return 1
+ fi
+
+ if [ "${RC_CMD}" = "restart" ]; then
+ eerror "This is a boot service, which cannot be restarted."
+ eerror "If you want to restart any of your Shorewall-based" \
+ "firewalls, run"
+ eerror ""
+ eindent
+ for PRODUCT in ${PRODUCTS}; do
+ eerror "/etc/init.d/${PRODUCT} restart"
+ done
+ eoutdent
+ eerror ""
+ return 1
+ fi
+
+
+ return 0
+}
+
+set_statedir() {
+ STATEDIR=
+ local VARDIR=
+
+ if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
+ STATEDIR=$( . ${CONFDIR}/${PRODUCT}/vardir && echo ${VARDIR} )
+ fi
+
+ [ ! -n "${STATEDIR}" ] && STATEDIR=${VARLIB}/${PRODUCT}
+}
+
+start_pre() {
+ checkconfig || return 1
+
+ is_allowed_to_be_executed || return 1
+}
+
+start() {
+ local PRODUCT=
+ local STATEDIR=
+
+ for PRODUCT in ${PRODUCTS}; do
+ set_statedir
+
+ check_firewall_script || return 1
+
+ ebegin "Initializing \"${PRODUCT}\""
+ ${STATEDIR}/firewall stop 1>/dev/null
+ eend $?
+ done
+}
+
+stop_pre() {
+ checkconfig || return 1
+
+ is_allowed_to_be_executed || return 1
+}
+
+stop() {
+ local PRODUCT=
+ local STATEDIR=
+
+ for PRODUCT in ${PRODUCTS}; do
+ set_statedir
+
+ check_firewall_script || return 1
+
+ ebegin "Clearing \"${PRODUCT}\""
+ ${STATEDIR}/firewall clear 1>/dev/null
+ eend $?
+ done
+}
diff --git a/net-firewall/shorewall-init/files/4.5.21.10-r1/shorewall-init.systemd b/net-firewall/shorewall-init/files/4.5.21.10-r1/shorewall-init.systemd
new file mode 100644
index 000000000000..e48a729105b8
--- /dev/null
+++ b/net-firewall/shorewall-init/files/4.5.21.10-r1/shorewall-init.systemd
@@ -0,0 +1,16 @@
+#
+# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
+#
+[Unit]
+Description=shorewall-init
+Documentation=http://www.shorewall.net/Shorewall-init.html
+Before=network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/sbin/shorewall-init start
+ExecStop=/sbin/shorewall-init stop
+
+[Install]
+WantedBy=multi-user.target
diff --git a/net-firewall/shorewall-init/files/4.5.21.10-r1/shorewallrc b/net-firewall/shorewall-init/files/4.5.21.10-r1/shorewallrc
new file mode 100644
index 000000000000..46f5eb9a3603
--- /dev/null
+++ b/net-firewall/shorewall-init/files/4.5.21.10-r1/shorewallrc
@@ -0,0 +1,23 @@
+#
+# Gentoo Shorewall 4.5 rc file
+#
+BUILD= #Default is to detect the build system
+HOST=gentoo #Gentoo GNU Linux
+PREFIX=@GENTOO_PORTAGE_EPREFIX@/usr #Top-level directory for shared files, libraries, etc.
+SHAREDIR=${PREFIX}/share #Directory for arch-neutral files.
+LIBEXECDIR=${PREFIX}/share #Directory for executable scripts.
+PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory
+CONFDIR=@GENTOO_PORTAGE_EPREFIX@/etc #Directory where subsystem configurations are installed
+SBINDIR=@GENTOO_PORTAGE_EPREFIX@/sbin #Directory where system administration programs are installed
+MANDIR=${PREFIX}/share/man #Directory where manpages are installed.
+INITDIR=${CONFDIR}/init.d #Directory where SysV init scripts are installed.
+INITFILE=${PRODUCT} #Name of the product's installed SysV init script
+INITSOURCE=init.gentoo.sh #Name of the distributed file to be installed as the SysV init script
+ANNOTATED= #If non-zero, annotated configuration files are installed
+SYSTEMD=@GENTOO_PORTAGE_EPREFIX@/usr/lib/systemd/system #Directory where .service files are installed (systems running systemd only)
+SERVICEFILE=gentoo.service #Name of the distributed file to be installed as systemd service file
+SYSCONFFILE=default.gentoo #Name of the distributed file to be installed in $SYSCONFDIR
+SYSCONFDIR=${CONFDIR}/conf.d #Directory where SysV init parameter files are installed
+SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
+VARLIB=@GENTOO_PORTAGE_EPREFIX@/var/lib #Directory where product variable data is stored.
+VARDIR=${VARLIB}/${PRODUCT} #Directory where product variable data is stored.
diff --git a/net-firewall/shorewall-init/files/4.5.21.9/01_Remove-ipset-functionality.patch b/net-firewall/shorewall-init/files/4.5.21.9/01_Remove-ipset-functionality.patch
new file mode 100644
index 000000000000..620e479f92fc
--- /dev/null
+++ b/net-firewall/shorewall-init/files/4.5.21.9/01_Remove-ipset-functionality.patch
@@ -0,0 +1,27 @@
+--- shorewall-init.old 2013-09-08 23:25:36.364924304 +0200
++++ shorewall-init 2013-09-08 23:29:27.418736392 +0200
+@@ -79,10 +79,6 @@
+ fi
+ done
+
+- if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
+- ipset -R < "$SAVE_IPSETS"
+- fi
+-
+ return 0
+ }
+
+@@ -100,13 +96,6 @@
+ fi
+ done
+
+- if [ -n "$SAVE_IPSETS" ]; then
+- mkdir -p $(dirname "$SAVE_IPSETS")
+- if ipset -S > "${SAVE_IPSETS}.tmp"; then
+- grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+- fi
+- fi
+-
+ return 0
+ }
+
diff --git a/net-firewall/shorewall-init/files/4.5.21.9/README.Gentoo.txt b/net-firewall/shorewall-init/files/4.5.21.9/README.Gentoo.txt
new file mode 100644
index 000000000000..f7b13fed3de6
--- /dev/null
+++ b/net-firewall/shorewall-init/files/4.5.21.9/README.Gentoo.txt
@@ -0,0 +1,30 @@
+shorewall-init from upstream offers two features (taken from [1]):
+
+ 1. It can 'close' the firewall before the network interfaces are
+ brought up during boot.
+
+ 2. It can change the firewall state as the result of interfaces
+ being brought up or taken down.
+
+On Gentoo we only support the first feature -- the firewall lockdown during
+boot.
+
+We do not support the second feature, because Gentoo doesn't support a
+if-{up,down}.d folder like other distributions do. If you would want to use
+such a feature, you would have to add a custom action to /etc/conf.d/net
+(please refer to the Gentoo Linux Handbook [2] for more information).
+If you are able to add your custom {pre,post}{up,down} action, your are
+also able to specify what shorewall{6,-lite,6-lite} should do, so there is
+no need for upstream's scripts in Gentoo.
+
+If you disagree with us, feel free to open a bug [3] and contribute your
+solution for Gentoo.
+
+Upstream's original init script also supports saving and restoring of
+ipsets. Please use the init script from net-firewall/ipset if you need
+such a feature.
+
+
+[1] http://www.shorewall.net/Shorewall-init.html
+[2] http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=4&chap=5
+[3] https://bugs.gentoo.org
diff --git a/net-firewall/shorewall-init/files/4.5.21.9/shorewall-init.confd b/net-firewall/shorewall-init/files/4.5.21.9/shorewall-init.confd
new file mode 100644
index 000000000000..4ca0024579f7
--- /dev/null
+++ b/net-firewall/shorewall-init/files/4.5.21.9/shorewall-init.confd
@@ -0,0 +1,9 @@
+# List the Shorewall products that Shorewall-init is to
+# initialize (space-separated list).
+#
+# Sample: PRODUCTS="shorewall shorewall6-lite"
+#
+PRODUCTS=""
+
+# Startup options - set verbosity to 0 (minimal reporting)
+OPTIONS="-V0"
diff --git a/net-firewall/shorewall-init/files/4.5.21.9/shorewall-init.initd b/net-firewall/shorewall-init/files/4.5.21.9/shorewall-init.initd
new file mode 100644
index 000000000000..3b574c56386b
--- /dev/null
+++ b/net-firewall/shorewall-init/files/4.5.21.9/shorewall-init.initd
@@ -0,0 +1,196 @@
+#!/sbin/runscript
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+SHOREWALLRC_FILE="@GENTOO_PORTAGE_EPREFIX@/usr/share/shorewall/shorewallrc"
+CONFIG_FILE="@GENTOO_PORTAGE_EPREFIX@/etc/conf.d/${SVCNAME}"
+
+description="Puts Shorewall in a safe state at boot time"
+description="${description} prior to bringing up the network."
+
+required_files="$SHOREWALLRC_FILE"
+
+depend() {
+ need localmount
+ before net
+ after bootmisc ipset tmpfiles.setup ulogd
+}
+
+
+. $SHOREWALLRC_FILE
+
+checkconfig() {
+ local PRODUCT=
+
+ if [ -z "${VARLIB}" ]; then
+ eerror "\"VARLIB\" isn't defined or empty! Please check" \
+ "\"${SHOREWALLRC_FILE}\"."
+
+
+ return 1
+ fi
+
+ if [ -z "${PRODUCTS}" ]; then
+ eerror "${SVCNAME} isn't configured! Please check" \
+ "\"${CONFIG_FILE}\"."
+
+
+ return 1
+ fi
+
+ for PRODUCT in ${PRODUCTS}; do
+ if [ ! -x ${SBINDIR}/${PRODUCT} ]; then
+ eerror "Invalid product \"${PRODUCT}\" specified" \
+ "in \"${CONFIG_FILE}\"!"
+ eerror "Maybe \"${PRODUCT}\" isn't installed?"
+
+
+ return 1
+ fi
+ done
+
+
+ return 0
+}
+
+check_firewall_script() {
+ if [ ! -x ${STATEDIR}/firewall ]; then
+ if [ ${PRODUCT} = shorewall -o ${PRODUCT} = shorewall6 ]; then
+ ebegin "Creating \"${STATEDIR}/firewall\""
+ ${SBINDIR}/${PRODUCT} compile 1>/dev/null
+ eend $?
+ else
+ eerror "\"${PRODUCT}\" isn't configured!"
+ eerror "Please go to your 'administrative system'" \
+ "and deploy the compiled firewall" \
+ "configuration for this system."
+
+
+ return 1
+ fi
+ fi
+
+
+ return 0
+}
+
+is_allowed_to_be_executed() {
+ # This is not a real service. shorewall-init is an intermediate
+ # script to put your Shorewall-based firewall into a safe state
+ # at boot time prior to bringing up the network.
+ # Please read /usr/share/doc/shorewall-init-*/README.gentoo.gz
+ # for more information.
+ # When your system is up, there is no need to call shorewall-init.
+ # Please call shorewall{,6,-lite,6-lite} directly. That's the
+ # reason why we are preventing start, stop or restart here.
+
+ local PRODUCT=
+
+ if [ "${RC_RUNLEVEL}" != "boot" -a "${RC_CMD}" = "start" ]; then
+ # Starting shorewall-init is only allowed at boot time
+ eerror "This is a boot service, which can only be started" \
+ "at boot."
+ eerror "If you want to get your shorewall-based firewall" \
+ "into the same safe boot state again, run"
+ eerror ""
+ eindent
+ for PRODUCT in ${PRODUCTS}; do
+ eerror "/etc/init.d/${PRODUCT} stop"
+ done
+ eoutdent
+ eerror ""
+ eerror "Yes, \"stop\" and not start."
+ eerror ""
+ return 1
+ fi
+
+ if [ "${RC_RUNLEVEL}" != "shutdown" -a "${RC_CMD}" = "stop" ]; then
+ # Stopping shorewall-init is only allowed at shutdown
+ eerror "This is a boot service, which cannot be stopped."
+ eerror "If you really want to stop your Shorewall-based" \
+ "firewall the same way this service would stop" \
+ "Shorewall at shutdown, please run"
+ eerror ""
+ eindent
+ for PRODUCT in ${PRODUCTS}; do
+ eerror "/etc/init.d/${PRODUCT} clear"
+ done
+ eoutdent
+ eerror ""
+ eerror "Keep in mind that this will clear (=bring down)" \
+ "your firewall!"
+ eerror ""
+ return 1
+ fi
+
+ if [ "${RC_CMD}" = "restart" ]; then
+ eerror "This is a boot service, which cannot be restarted."
+ eerror "If you want to restart any of your Shorewall-based" \
+ "firewalls, run"
+ eerror ""
+ eindent
+ for PRODUCT in ${PRODUCTS}; do
+ eerror "/etc/init.d/${PRODUCT} restart"
+ done
+ eoutdent
+ eerror ""
+ return 1
+ fi
+
+
+ return 0
+}
+
+set_statedir() {
+ STATEDIR=
+ local VARDIR=
+
+ if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
+ STATEDIR=$( . ${CONFDIR}/${PRODUCT}/vardir && echo ${VARDIR} )
+ fi
+
+ [ ! -n "${STATEDIR}" ] && STATEDIR=${VARLIB}/${PRODUCT}
+}
+
+start_pre() {
+ checkconfig || return 1
+
+ is_allowed_to_be_executed || return 1
+}
+
+start() {
+ local PRODUCT=
+ local STATEDIR=
+
+ for PRODUCT in ${PRODUCTS}; do
+ set_statedir
+
+ check_firewall_script || return 1
+
+ ebegin "Initializing \"${PRODUCT}\""
+ ${STATEDIR}/firewall stop 1>/dev/null
+ eend $?
+ done
+}
+
+stop_pre() {
+ checkconfig || return 1
+
+ is_allowed_to_be_executed || return 1
+}
+
+stop() {
+ local PRODUCT=
+ local STATEDIR=
+
+ for PRODUCT in ${PRODUCTS}; do
+ set_statedir
+
+ check_firewall_script || return 1
+
+ ebegin "Clearing \"${PRODUCT}\""
+ ${STATEDIR}/firewall clear 1>/dev/null
+ eend $?
+ done
+}
diff --git a/net-firewall/shorewall-init/files/4.5.21.9/shorewall-init.systemd b/net-firewall/shorewall-init/files/4.5.21.9/shorewall-init.systemd
new file mode 100644
index 000000000000..e48a729105b8
--- /dev/null
+++ b/net-firewall/shorewall-init/files/4.5.21.9/shorewall-init.systemd
@@ -0,0 +1,16 @@
+#
+# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
+#
+[Unit]
+Description=shorewall-init
+Documentation=http://www.shorewall.net/Shorewall-init.html
+Before=network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/sbin/shorewall-init start
+ExecStop=/sbin/shorewall-init stop
+
+[Install]
+WantedBy=multi-user.target
diff --git a/net-firewall/shorewall-init/files/4.5.21.9/shorewallrc b/net-firewall/shorewall-init/files/4.5.21.9/shorewallrc
new file mode 100644
index 000000000000..46f5eb9a3603
--- /dev/null
+++ b/net-firewall/shorewall-init/files/4.5.21.9/shorewallrc
@@ -0,0 +1,23 @@
+#
+# Gentoo Shorewall 4.5 rc file
+#
+BUILD= #Default is to detect the build system
+HOST=gentoo #Gentoo GNU Linux
+PREFIX=@GENTOO_PORTAGE_EPREFIX@/usr #Top-level directory for shared files, libraries, etc.
+SHAREDIR=${PREFIX}/share #Directory for arch-neutral files.
+LIBEXECDIR=${PREFIX}/share #Directory for executable scripts.
+PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory
+CONFDIR=@GENTOO_PORTAGE_EPREFIX@/etc #Directory where subsystem configurations are installed
+SBINDIR=@GENTOO_PORTAGE_EPREFIX@/sbin #Directory where system administration programs are installed
+MANDIR=${PREFIX}/share/man #Directory where manpages are installed.
+INITDIR=${CONFDIR}/init.d #Directory where SysV init scripts are installed.
+INITFILE=${PRODUCT} #Name of the product's installed SysV init script
+INITSOURCE=init.gentoo.sh #Name of the distributed file to be installed as the SysV init script
+ANNOTATED= #If non-zero, annotated configuration files are installed
+SYSTEMD=@GENTOO_PORTAGE_EPREFIX@/usr/lib/systemd/system #Directory where .service files are installed (systems running systemd only)
+SERVICEFILE=gentoo.service #Name of the distributed file to be installed as systemd service file
+SYSCONFFILE=default.gentoo #Name of the distributed file to be installed in $SYSCONFDIR
+SYSCONFDIR=${CONFDIR}/conf.d #Directory where SysV init parameter files are installed
+SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
+VARLIB=@GENTOO_PORTAGE_EPREFIX@/var/lib #Directory where product variable data is stored.
+VARDIR=${VARLIB}/${PRODUCT} #Directory where product variable data is stored.
diff --git a/net-firewall/shorewall-init/metadata.xml b/net-firewall/shorewall-init/metadata.xml
new file mode 100644
index 000000000000..52ffdde3f9be
--- /dev/null
+++ b/net-firewall/shorewall-init/metadata.xml
@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+ <herd>netmon</herd>
+ <herd>proxy-maintainers</herd>
+ <maintainer>
+ <email>whissi@whissi.de</email>
+ <name>Thomas D. (Whissi)</name>
+ </maintainer>
+</pkgmetadata>
diff --git a/net-firewall/shorewall-init/shorewall-init-4.5.21.10-r1.ebuild b/net-firewall/shorewall-init/shorewall-init-4.5.21.10-r1.ebuild
new file mode 100644
index 000000000000..b45250637e2f
--- /dev/null
+++ b/net-firewall/shorewall-init/shorewall-init-4.5.21.10-r1.ebuild
@@ -0,0 +1,104 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="5"
+
+inherit eutils versionator prefix
+
+MY_URL_PREFIX=
+case ${P} in
+ *_beta* | \
+ *_rc*)
+ MY_URL_PREFIX='development/'
+ ;;
+esac
+
+MY_PV=${PV/_rc/-RC}
+MY_PV=${MY_PV/_beta/-Beta}
+MY_P=${PN}-${MY_PV}
+
+MY_MAJOR_RELEASE_NUMBER=$(get_version_component_range 1-2)
+MY_MAJORMINOR_RELEASE_NUMBER=$(get_version_component_range 1-3)
+
+DESCRIPTION="Component to secure a Shorewall-protected system at boot time prior to bringing up the network"
+HOMEPAGE="http://www.shorewall.net/"
+SRC_URI="http://www1.shorewall.net/pub/shorewall/${MY_URL_PREFIX}${MY_MAJOR_RELEASE_NUMBER}/shorewall-${MY_MAJORMINOR_RELEASE_NUMBER}/${MY_P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 hppa ~ppc ~ppc64 ~sparc ~x86"
+IUSE=""
+
+DEPEND=">=sys-apps/coreutils-8.20"
+RDEPEND="
+ ${DEPEND}
+ || ( =net-firewall/shorewall-${PVR} =net-firewall/shorewall6-${PVR} =net-firewall/shorewall-lite-${PVR} =net-firewall/shorewall6-lite-${PVR} )
+"
+
+S=${WORKDIR}/${MY_P}
+
+src_prepare() {
+ cp "${FILESDIR}"/${PVR}/shorewallrc "${S}"/shorewallrc.gentoo || die "Copying shorewallrc failed"
+ eprefixify "${S}"/shorewallrc.gentoo
+
+ cp "${FILESDIR}"/${PVR}/${PN}.confd "${S}"/default.gentoo || die "Copying ${PN}.confd failed"
+
+ cp "${FILESDIR}"/${PVR}/${PN}.initd "${S}"/init.gentoo.sh || die "Copying ${PN}.initd failed"
+ eprefixify "${S}"/init.gentoo.sh
+
+ cp "${FILESDIR}"/${PVR}/${PN}.systemd "${S}"/gentoo.service || die "Copying ${PN}.systemd failed"
+
+ epatch "${FILESDIR}"/${PVR}/01_Remove-ipset-functionality.patch
+ epatch_user
+}
+
+src_configure() {
+ :;
+}
+
+src_compile() {
+ :;
+}
+
+src_install() {
+ DESTDIR="${D}" ./install.sh shorewallrc.gentoo || die "install.sh failed"
+
+ if [ -d "${D}/etc/logrotate.d" ]; then
+ # On Gentoo, shorewall-init will not create shorewall-ifupdown.log,
+ # so we don't need a logrotate folder at all
+ rm -rf "${D}"/etc/logrotate.d
+ fi
+
+ if [ -d "${D}/etc/NetworkManager" ]; then
+ # On Gentoo, we don't support NetworkManager
+ # so we don't need these folder at all
+ rm -rf "${D}"/etc/NetworkManager
+ fi
+
+ if [ -f "${D}/usr/share/shorewall-init/ifupdown" ]; then
+ # This script won't work on Gentoo
+ rm -rf "${D}"/usr/share/shorewall-init/ifupdown
+ fi
+
+ dodoc changelog.txt releasenotes.txt "${FILESDIR}"/${PVR}/README.Gentoo.txt
+}
+
+pkg_postinst() {
+ if [[ -z "${REPLACING_VERSIONS}" ]]; then
+ # This is a new installation
+ elog "Before you can use ${PN}, you need to edit its configuration in:"
+ elog ""
+ elog " ${EPREFIX}/etc/conf.d/${PN}"
+ elog ""
+ elog "To use ${PN}, please add ${PN} to your boot runlevel:"
+ elog ""
+ elog " # rc-update add ${PN} boot"
+ elog ""
+ ewarn "Notice:"
+ ewarn "${PN} is more like a start script than a service."
+ ewarn "Therefore you cannot start or stop ${PN} at default runlevel."
+ ewarn ""
+ ewarn "For more information read ${EPREFIX}/usr/share/doc/${PF}/README.Gentoo.txt.bz2"
+ fi
+}
diff --git a/net-firewall/shorewall-init/shorewall-init-4.5.21.9.ebuild b/net-firewall/shorewall-init/shorewall-init-4.5.21.9.ebuild
new file mode 100644
index 000000000000..65795dadd495
--- /dev/null
+++ b/net-firewall/shorewall-init/shorewall-init-4.5.21.9.ebuild
@@ -0,0 +1,104 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="5"
+
+inherit eutils versionator prefix
+
+MY_URL_PREFIX=
+case ${P} in
+ *_beta* | \
+ *_rc*)
+ MY_URL_PREFIX='development/'
+ ;;
+esac
+
+MY_PV=${PV/_rc/-RC}
+MY_PV=${MY_PV/_beta/-Beta}
+MY_P=${PN}-${MY_PV}
+
+MY_MAJOR_RELEASE_NUMBER=$(get_version_component_range 1-2)
+MY_MAJORMINOR_RELEASE_NUMBER=$(get_version_component_range 1-3)
+
+DESCRIPTION="Component to secure a Shorewall-protected system at boot time prior to bringing up the network"
+HOMEPAGE="http://www.shorewall.net/"
+SRC_URI="http://www1.shorewall.net/pub/shorewall/${MY_URL_PREFIX}${MY_MAJOR_RELEASE_NUMBER}/shorewall-${MY_MAJORMINOR_RELEASE_NUMBER}/${MY_P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="alpha amd64 hppa ppc ppc64 sparc x86"
+IUSE=""
+
+DEPEND=">=sys-apps/coreutils-8.20"
+RDEPEND="
+ ${DEPEND}
+ || ( =net-firewall/shorewall-${PVR} =net-firewall/shorewall6-${PVR} =net-firewall/shorewall-lite-${PVR} =net-firewall/shorewall6-lite-${PVR} )
+"
+
+S=${WORKDIR}/${MY_P}
+
+src_prepare() {
+ cp "${FILESDIR}"/${PVR}/shorewallrc "${S}"/shorewallrc.gentoo || die "Copying shorewallrc failed"
+ eprefixify "${S}"/shorewallrc.gentoo
+
+ cp "${FILESDIR}"/${PVR}/${PN}.confd "${S}"/default.gentoo || die "Copying ${PN}.confd failed"
+
+ cp "${FILESDIR}"/${PVR}/${PN}.initd "${S}"/init.gentoo.sh || die "Copying ${PN}.initd failed"
+ eprefixify "${S}"/init.gentoo.sh
+
+ cp "${FILESDIR}"/${PVR}/${PN}.systemd "${S}"/gentoo.service || die "Copying ${PN}.systemd failed"
+
+ epatch "${FILESDIR}"/${PVR}/01_Remove-ipset-functionality.patch
+ epatch_user
+}
+
+src_configure() {
+ :;
+}
+
+src_compile() {
+ :;
+}
+
+src_install() {
+ DESTDIR="${D}" ./install.sh shorewallrc.gentoo || die "install.sh failed"
+
+ if [ -d "${D}/etc/logrotate.d" ]; then
+ # On Gentoo, shorewall-init will not create shorewall-ifupdown.log,
+ # so we don't need a logrotate folder at all
+ rm -rf "${D}"/etc/logrotate.d
+ fi
+
+ if [ -d "${D}/etc/NetworkManager" ]; then
+ # On Gentoo, we don't support NetworkManager
+ # so we don't need these folder at all
+ rm -rf "${D}"/etc/NetworkManager
+ fi
+
+ if [ -f "${D}/usr/share/shorewall-init/ifupdown" ]; then
+ # This script won't work on Gentoo
+ rm -rf "${D}"/usr/share/shorewall-init/ifupdown
+ fi
+
+ dodoc changelog.txt releasenotes.txt "${FILESDIR}"/${PVR}/README.Gentoo.txt
+}
+
+pkg_postinst() {
+ if [[ -z "${REPLACING_VERSIONS}" ]]; then
+ # This is a new installation
+ elog "Before you can use ${PN}, you need to edit its configuration in:"
+ elog ""
+ elog " ${EPREFIX}/etc/conf.d/${PN}"
+ elog ""
+ elog "To use ${PN}, please add ${PN} to your boot runlevel:"
+ elog ""
+ elog " # rc-update add ${PN} boot"
+ elog ""
+ ewarn "Notice:"
+ ewarn "${PN} is more like a start script than a service."
+ ewarn "Therefore you cannot start or stop ${PN} at default runlevel."
+ ewarn ""
+ ewarn "For more information read ${EPREFIX}/usr/share/doc/${PF}/README.Gentoo.txt.bz2"
+ fi
+}
diff --git a/net-firewall/shorewall-lite/Manifest b/net-firewall/shorewall-lite/Manifest
new file mode 100644
index 000000000000..35c9d0db9d85
--- /dev/null
+++ b/net-firewall/shorewall-lite/Manifest
@@ -0,0 +1,4 @@
+DIST shorewall-docs-html-4.5.21.10.tar.bz2 4146174 SHA256 cdbc5f3654f7cfb6f0c3b3750a7174df8fa0590dfe34df055300140b3eb13192 SHA512 94852cc094d6a485cacc4023a2819431f1bfd80b8cbcab29981c422fdff9dfee90697ae8a9bda7ded3a8be03db516bdd5f4bcc4b83e7d01bc433a8c88d23731a WHIRLPOOL 6f02d0e3255dd1e31a43193f67f9b957546a6ae574631e61364f81244bee887e7f21c38f412fa21cde77b3d89aaf0e14e43909683db0c9c32edeb455c20b998e
+DIST shorewall-docs-html-4.5.21.9.tar.bz2 4146065 SHA256 9056c22b8232d8276cc53a6eb74940bab42a250c670cb5baa42c75cfb89efdef SHA512 48b2c692ba59b7ec74307909e43a95104e212c9b8e21af7f0dd9f3438ac4f24a6fd2bcc6517966681517aef03beaa8faf03efd74406966d97b68cb416be8551b WHIRLPOOL f68cba7ecaf8c541e58d26c157914bff2d90cd9deae30af7323ca69c68d028217133f53e597bf383191aee83fab29203d233b3cd1e75e4cf08d9e17308dc25e4
+DIST shorewall-lite-4.5.21.10.tar.bz2 79456 SHA256 73f2e7101ca7ff296fa3a7be4dec6b6ec3ec562f5c0d746fe6e2355d2b8931e3 SHA512 145c18f7a2859bea9ce265d243a875e83fbbaa2c982f269f1401b73253133d8d48e1060c3b18aefdee09dbc8755fe3e875014dda354f38e90829f0d970b52718 WHIRLPOOL 0d7187d7ede8b01819c241fec61eeef03e17743845188f8e41b3448d814466994b8822e3dc166793d9b5b2b5f4b04dc33bd85664e09771746bc655756790e813
+DIST shorewall-lite-4.5.21.9.tar.bz2 79121 SHA256 af6c039d880581a6eaf7aba9f638ff86e471567b15e16adc607053651d1f50f5 SHA512 fb15881dc4d5fd05c8ca8421ee4a5deb0c9f6fdab955d0fc7dd371bf710706bf6d851bdb8ba00d0d34c1f7f1d2bc2cc39e9e9fe0a6d8b48ed4accc27c011462c WHIRLPOOL 2f8eb61da9b3eafdd184718054d14dfdef39afdf6e3724ee62c0386f12ea3aa3badcf959ee0351f8cdcd744cf4b262e168e5cd6afa677a8674d515541f0f2f80
diff --git a/net-firewall/shorewall-lite/files/4.5.21.10-r1/shorewall-lite.confd b/net-firewall/shorewall-lite/files/4.5.21.10-r1/shorewall-lite.confd
new file mode 100644
index 000000000000..e5957167b5b9
--- /dev/null
+++ b/net-firewall/shorewall-lite/files/4.5.21.10-r1/shorewall-lite.confd
@@ -0,0 +1,15 @@
+# Global start/restart/stop options
+#
+OPTIONS=""
+
+# Start options
+#
+STARTOPTIONS=""
+
+# Stop options
+#
+STOPOPTIONS=""
+
+# Restart options
+#
+RESTARTOPTIONS=""
diff --git a/net-firewall/shorewall-lite/files/4.5.21.10-r1/shorewall-lite.initd b/net-firewall/shorewall-lite/files/4.5.21.10-r1/shorewall-lite.initd
new file mode 100644
index 000000000000..4fdbe607bdf1
--- /dev/null
+++ b/net-firewall/shorewall-lite/files/4.5.21.10-r1/shorewall-lite.initd
@@ -0,0 +1,82 @@
+#!/sbin/runscript
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+description='The Shoreline Firewall Lite, more commonly known as "Shorewall Lite", is'
+description="${description} a high-level tool for configuring Netfilter."
+
+extra_commands="clear"
+extra_started_commands="reset"
+
+description_clear="Clear will remove all rules and chains installed by"
+description_clear="${description_clear} Shorewall Lite. The firewall is"
+description_clear="${description_clear} then wide open and unprotected."
+
+description_reset="All the packet and byte counters in the firewall are reset."
+
+depend() {
+ need net
+ provide firewall
+ after ulogd
+}
+
+status() {
+ local _retval
+ /sbin/shorewall-lite status 1>/dev/null
+ _retval=$?
+ if [ ${_retval} = '0' ]; then
+ einfo 'status: started'
+ mark_service_started "${SVCNAME}"
+ return 0
+ else
+ einfo 'status: stopped'
+ mark_service_stopped "${SVCNAME}"
+ return 3
+ fi
+}
+
+start() {
+ ebegin "Starting shorewall-lite"
+ /sbin/shorewall-lite ${OPTIONS} start ${STARTOPTIONS} 1>/dev/null
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping shorewall-lite"
+ /sbin/shorewall-lite ${OPTIONS} stop ${STOPOPTIONS} 1>/dev/null
+ eend $?
+}
+
+restart() {
+ # shorewall comes with its own control script that includes a
+ # restart function, so refrain from calling svc_stop/svc_start
+ # here. Note that this comment is required to fix bug 55576;
+ # runscript.sh greps this script... (09 Jul 2004 agriffis)
+
+ ebegin "Restarting shorewall-lite"
+ /sbin/shorewall-lite status 1>/dev/null
+ if [ $? != 0 ] ; then
+ svc_start
+ else
+ /sbin/shorewall-lite ${OPTIONS} restart ${RESTARTOPTIONS} 1>/dev/null
+ fi
+ eend $?
+}
+
+clear() {
+ # clear will remove all the rules and bring the system to an unfirewalled
+ # state. (21 Nov 2004 eldad)
+
+ ebegin "Clearing all shorewall-lite rules and setting policy to ACCEPT"
+ /sbin/shorewall-lite ${OPTIONS} clear 1>/dev/null
+ eend $?
+}
+
+reset() {
+ # reset the packet and byte counters in the firewall
+
+ ebegin "Resetting the packet and byte counters in shorewall-lite"
+ /sbin/shorewall-lite ${OPTIONS} reset 1>/dev/null
+ eend $?
+}
diff --git a/net-firewall/shorewall-lite/files/4.5.21.10-r1/shorewall-lite.systemd b/net-firewall/shorewall-lite/files/4.5.21.10-r1/shorewall-lite.systemd
new file mode 100644
index 000000000000..a7c932418a9c
--- /dev/null
+++ b/net-firewall/shorewall-lite/files/4.5.21.10-r1/shorewall-lite.systemd
@@ -0,0 +1,17 @@
+#
+# The Shoreline Firewall Lite (Shorewall-Lite) Packet Filtering Firewall - V4.5
+#
+[Unit]
+Description=Shorewall IPv4 firewall lite
+Documentation=man:shorewall-lite(8) http://www.shorewall.net/Documentation_Index.html
+After=network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=/etc/conf.d/shorewall-lite
+ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
+ExecStop=/sbin/shorewall-lite $OPTIONS stop $STOPOPTIONS
+
+[Install]
+WantedBy=multi-user.target
diff --git a/net-firewall/shorewall-lite/files/4.5.21.10-r1/shorewallrc b/net-firewall/shorewall-lite/files/4.5.21.10-r1/shorewallrc
new file mode 100644
index 000000000000..46f5eb9a3603
--- /dev/null
+++ b/net-firewall/shorewall-lite/files/4.5.21.10-r1/shorewallrc
@@ -0,0 +1,23 @@
+#
+# Gentoo Shorewall 4.5 rc file
+#
+BUILD= #Default is to detect the build system
+HOST=gentoo #Gentoo GNU Linux
+PREFIX=@GENTOO_PORTAGE_EPREFIX@/usr #Top-level directory for shared files, libraries, etc.
+SHAREDIR=${PREFIX}/share #Directory for arch-neutral files.
+LIBEXECDIR=${PREFIX}/share #Directory for executable scripts.
+PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory
+CONFDIR=@GENTOO_PORTAGE_EPREFIX@/etc #Directory where subsystem configurations are installed
+SBINDIR=@GENTOO_PORTAGE_EPREFIX@/sbin #Directory where system administration programs are installed
+MANDIR=${PREFIX}/share/man #Directory where manpages are installed.
+INITDIR=${CONFDIR}/init.d #Directory where SysV init scripts are installed.
+INITFILE=${PRODUCT} #Name of the product's installed SysV init script
+INITSOURCE=init.gentoo.sh #Name of the distributed file to be installed as the SysV init script
+ANNOTATED= #If non-zero, annotated configuration files are installed
+SYSTEMD=@GENTOO_PORTAGE_EPREFIX@/usr/lib/systemd/system #Directory where .service files are installed (systems running systemd only)
+SERVICEFILE=gentoo.service #Name of the distributed file to be installed as systemd service file
+SYSCONFFILE=default.gentoo #Name of the distributed file to be installed in $SYSCONFDIR
+SYSCONFDIR=${CONFDIR}/conf.d #Directory where SysV init parameter files are installed
+SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
+VARLIB=@GENTOO_PORTAGE_EPREFIX@/var/lib #Directory where product variable data is stored.
+VARDIR=${VARLIB}/${PRODUCT} #Directory where product variable data is stored.
diff --git a/net-firewall/shorewall-lite/files/4.5.21.9/shorewall-lite.confd b/net-firewall/shorewall-lite/files/4.5.21.9/shorewall-lite.confd
new file mode 100644
index 000000000000..e5957167b5b9
--- /dev/null
+++ b/net-firewall/shorewall-lite/files/4.5.21.9/shorewall-lite.confd
@@ -0,0 +1,15 @@
+# Global start/restart/stop options
+#
+OPTIONS=""
+
+# Start options
+#
+STARTOPTIONS=""
+
+# Stop options
+#
+STOPOPTIONS=""
+
+# Restart options
+#
+RESTARTOPTIONS=""
diff --git a/net-firewall/shorewall-lite/files/4.5.21.9/shorewall-lite.initd b/net-firewall/shorewall-lite/files/4.5.21.9/shorewall-lite.initd
new file mode 100644
index 000000000000..4fdbe607bdf1
--- /dev/null
+++ b/net-firewall/shorewall-lite/files/4.5.21.9/shorewall-lite.initd
@@ -0,0 +1,82 @@
+#!/sbin/runscript
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+description='The Shoreline Firewall Lite, more commonly known as "Shorewall Lite", is'
+description="${description} a high-level tool for configuring Netfilter."
+
+extra_commands="clear"
+extra_started_commands="reset"
+
+description_clear="Clear will remove all rules and chains installed by"
+description_clear="${description_clear} Shorewall Lite. The firewall is"
+description_clear="${description_clear} then wide open and unprotected."
+
+description_reset="All the packet and byte counters in the firewall are reset."
+
+depend() {
+ need net
+ provide firewall
+ after ulogd
+}
+
+status() {
+ local _retval
+ /sbin/shorewall-lite status 1>/dev/null
+ _retval=$?
+ if [ ${_retval} = '0' ]; then
+ einfo 'status: started'
+ mark_service_started "${SVCNAME}"
+ return 0
+ else
+ einfo 'status: stopped'
+ mark_service_stopped "${SVCNAME}"
+ return 3
+ fi
+}
+
+start() {
+ ebegin "Starting shorewall-lite"
+ /sbin/shorewall-lite ${OPTIONS} start ${STARTOPTIONS} 1>/dev/null
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping shorewall-lite"
+ /sbin/shorewall-lite ${OPTIONS} stop ${STOPOPTIONS} 1>/dev/null
+ eend $?
+}
+
+restart() {
+ # shorewall comes with its own control script that includes a
+ # restart function, so refrain from calling svc_stop/svc_start
+ # here. Note that this comment is required to fix bug 55576;
+ # runscript.sh greps this script... (09 Jul 2004 agriffis)
+
+ ebegin "Restarting shorewall-lite"
+ /sbin/shorewall-lite status 1>/dev/null
+ if [ $? != 0 ] ; then
+ svc_start
+ else
+ /sbin/shorewall-lite ${OPTIONS} restart ${RESTARTOPTIONS} 1>/dev/null
+ fi
+ eend $?
+}
+
+clear() {
+ # clear will remove all the rules and bring the system to an unfirewalled
+ # state. (21 Nov 2004 eldad)
+
+ ebegin "Clearing all shorewall-lite rules and setting policy to ACCEPT"
+ /sbin/shorewall-lite ${OPTIONS} clear 1>/dev/null
+ eend $?
+}
+
+reset() {
+ # reset the packet and byte counters in the firewall
+
+ ebegin "Resetting the packet and byte counters in shorewall-lite"
+ /sbin/shorewall-lite ${OPTIONS} reset 1>/dev/null
+ eend $?
+}
diff --git a/net-firewall/shorewall-lite/files/4.5.21.9/shorewall-lite.systemd b/net-firewall/shorewall-lite/files/4.5.21.9/shorewall-lite.systemd
new file mode 100644
index 000000000000..a7c932418a9c
--- /dev/null
+++ b/net-firewall/shorewall-lite/files/4.5.21.9/shorewall-lite.systemd
@@ -0,0 +1,17 @@
+#
+# The Shoreline Firewall Lite (Shorewall-Lite) Packet Filtering Firewall - V4.5
+#
+[Unit]
+Description=Shorewall IPv4 firewall lite
+Documentation=man:shorewall-lite(8) http://www.shorewall.net/Documentation_Index.html
+After=network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=/etc/conf.d/shorewall-lite
+ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
+ExecStop=/sbin/shorewall-lite $OPTIONS stop $STOPOPTIONS
+
+[Install]
+WantedBy=multi-user.target
diff --git a/net-firewall/shorewall-lite/files/4.5.21.9/shorewallrc b/net-firewall/shorewall-lite/files/4.5.21.9/shorewallrc
new file mode 100644
index 000000000000..46f5eb9a3603
--- /dev/null
+++ b/net-firewall/shorewall-lite/files/4.5.21.9/shorewallrc
@@ -0,0 +1,23 @@
+#
+# Gentoo Shorewall 4.5 rc file
+#
+BUILD= #Default is to detect the build system
+HOST=gentoo #Gentoo GNU Linux
+PREFIX=@GENTOO_PORTAGE_EPREFIX@/usr #Top-level directory for shared files, libraries, etc.
+SHAREDIR=${PREFIX}/share #Directory for arch-neutral files.
+LIBEXECDIR=${PREFIX}/share #Directory for executable scripts.
+PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory
+CONFDIR=@GENTOO_PORTAGE_EPREFIX@/etc #Directory where subsystem configurations are installed
+SBINDIR=@GENTOO_PORTAGE_EPREFIX@/sbin #Directory where system administration programs are installed
+MANDIR=${PREFIX}/share/man #Directory where manpages are installed.
+INITDIR=${CONFDIR}/init.d #Directory where SysV init scripts are installed.
+INITFILE=${PRODUCT} #Name of the product's installed SysV init script
+INITSOURCE=init.gentoo.sh #Name of the distributed file to be installed as the SysV init script
+ANNOTATED= #If non-zero, annotated configuration files are installed
+SYSTEMD=@GENTOO_PORTAGE_EPREFIX@/usr/lib/systemd/system #Directory where .service files are installed (systems running systemd only)
+SERVICEFILE=gentoo.service #Name of the distributed file to be installed as systemd service file
+SYSCONFFILE=default.gentoo #Name of the distributed file to be installed in $SYSCONFDIR
+SYSCONFDIR=${CONFDIR}/conf.d #Directory where SysV init parameter files are installed
+SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
+VARLIB=@GENTOO_PORTAGE_EPREFIX@/var/lib #Directory where product variable data is stored.
+VARDIR=${VARLIB}/${PRODUCT} #Directory where product variable data is stored.
diff --git a/net-firewall/shorewall-lite/metadata.xml b/net-firewall/shorewall-lite/metadata.xml
new file mode 100644
index 000000000000..52ffdde3f9be
--- /dev/null
+++ b/net-firewall/shorewall-lite/metadata.xml
@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+ <herd>netmon</herd>
+ <herd>proxy-maintainers</herd>
+ <maintainer>
+ <email>whissi@whissi.de</email>
+ <name>Thomas D. (Whissi)</name>
+ </maintainer>
+</pkgmetadata>
diff --git a/net-firewall/shorewall-lite/shorewall-lite-4.5.21.10-r1.ebuild b/net-firewall/shorewall-lite/shorewall-lite-4.5.21.10-r1.ebuild
new file mode 100644
index 000000000000..d1dc86eae99a
--- /dev/null
+++ b/net-firewall/shorewall-lite/shorewall-lite-4.5.21.10-r1.ebuild
@@ -0,0 +1,106 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="5"
+
+inherit eutils linux-info prefix systemd versionator
+
+MY_URL_PREFIX=
+case ${P} in
+ *_beta* | \
+ *_rc*)
+ MY_URL_PREFIX='development/'
+ ;;
+esac
+
+MY_PV=${PV/_rc/-RC}
+MY_PV=${MY_PV/_beta/-Beta}
+MY_P=${PN}-${MY_PV}
+MY_P_DOCS=shorewall-docs-html-${MY_PV}
+
+MY_MAJOR_RELEASE_NUMBER=$(get_version_component_range 1-2)
+MY_MAJORMINOR_RELEASE_NUMBER=$(get_version_component_range 1-3)
+
+DESCRIPTION="An iptables-based firewall whose config is handled by a normal Shorewall"
+HOMEPAGE="http://www.shorewall.net/"
+SRC_URI="
+ http://www1.shorewall.net/pub/shorewall/${MY_URL_PREFIX}${MY_MAJOR_RELEASE_NUMBER}/shorewall-${MY_MAJORMINOR_RELEASE_NUMBER}/${MY_P}.tar.bz2
+ doc? ( http://www1.shorewall.net/pub/shorewall/${MY_URL_PREFIX}${MY_MAJOR_RELEASE_NUMBER}/shorewall-${MY_MAJORMINOR_RELEASE_NUMBER}/${MY_P_DOCS}.tar.bz2 )
+"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 hppa ~ppc ~ppc64 ~sparc ~x86"
+IUSE="doc"
+
+DEPEND="=net-firewall/shorewall-core-${PVR}"
+RDEPEND="
+ ${DEPEND}
+ >=net-firewall/iptables-1.4.20
+ >=sys-apps/iproute2-3.8.0[-minimal]
+"
+
+S=${WORKDIR}/${MY_P}
+
+pkg_pretend() {
+ local CONFIG_CHECK="~NF_CONNTRACK ~NF_CONNTRACK_IPV4"
+
+ local ERROR_CONNTRACK="${PN} requires NF_CONNTRACK support."
+
+ local ERROR_CONNTRACK_IPV4="${PN} requires NF_CONNTRACK_IPV4 support."
+
+ check_extra_config
+}
+
+src_prepare() {
+ cp "${FILESDIR}"/${PVR}/shorewallrc "${S}"/shorewallrc.gentoo || die "Copying shorewallrc failed"
+ eprefixify "${S}"/shorewallrc.gentoo
+
+ cp "${FILESDIR}"/${PVR}/${PN}.confd "${S}"/default.gentoo || die "Copying ${PN}.confd failed"
+ cp "${FILESDIR}"/${PVR}/${PN}.initd "${S}"/init.gentoo.sh || die "Copying ${PN}.initd failed"
+ cp "${FILESDIR}"/${PVR}/${PN}.systemd "${S}"/gentoo.service || die "Copying ${PN}.systemd failed"
+
+ epatch_user
+}
+
+src_configure() {
+ :;
+}
+
+src_compile() {
+ :;
+}
+
+src_install() {
+ keepdir /var/lib/${PN}
+
+ DESTDIR="${D}" ./install.sh shorewallrc.gentoo || die "install.sh failed"
+
+ dodoc changelog.txt releasenotes.txt
+ if use doc; then
+ cd "${WORKDIR}/${MY_P_DOCS}"
+ dohtml -r *
+ fi
+}
+
+pkg_postinst() {
+ if [[ -z "${REPLACING_VERSIONS}" ]]; then
+ # This is a new installation
+ elog "Before you can use ${PN}, you need to provide a configuration, which you can"
+ elog "create using ${CATEGORY}/shorewall (the full version, including the compiler)."
+ elog ""
+ elog "To activate ${PN} on system start, please add ${PN} to your default runlevel:"
+ elog ""
+ elog " # rc-update add ${PN} default"
+ fi
+
+ if ! has_version ${CATEGORY}/shorewall-init; then
+ elog ""
+ elog "Starting with shorewall-lite-4.5.21.2, Gentoo also offers ${CATEGORY}/shorewall-init,"
+ elog "which we recommend to install, to protect your firewall at system boot."
+ elog ""
+ elog "To read more about shorewall-init, please visit"
+ elog " http://www.shorewall.net/Shorewall-init.html"
+ fi
+}
diff --git a/net-firewall/shorewall-lite/shorewall-lite-4.5.21.9.ebuild b/net-firewall/shorewall-lite/shorewall-lite-4.5.21.9.ebuild
new file mode 100644
index 000000000000..c9e35b3278f4
--- /dev/null
+++ b/net-firewall/shorewall-lite/shorewall-lite-4.5.21.9.ebuild
@@ -0,0 +1,106 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="5"
+
+inherit eutils linux-info prefix systemd versionator
+
+MY_URL_PREFIX=
+case ${P} in
+ *_beta* | \
+ *_rc*)
+ MY_URL_PREFIX='development/'
+ ;;
+esac
+
+MY_PV=${PV/_rc/-RC}
+MY_PV=${MY_PV/_beta/-Beta}
+MY_P=${PN}-${MY_PV}
+MY_P_DOCS=shorewall-docs-html-${MY_PV}
+
+MY_MAJOR_RELEASE_NUMBER=$(get_version_component_range 1-2)
+MY_MAJORMINOR_RELEASE_NUMBER=$(get_version_component_range 1-3)
+
+DESCRIPTION="An iptables-based firewall whose config is handled by a normal Shorewall"
+HOMEPAGE="http://www.shorewall.net/"
+SRC_URI="
+ http://www1.shorewall.net/pub/shorewall/${MY_URL_PREFIX}${MY_MAJOR_RELEASE_NUMBER}/shorewall-${MY_MAJORMINOR_RELEASE_NUMBER}/${MY_P}.tar.bz2
+ doc? ( http://www1.shorewall.net/pub/shorewall/${MY_URL_PREFIX}${MY_MAJOR_RELEASE_NUMBER}/shorewall-${MY_MAJORMINOR_RELEASE_NUMBER}/${MY_P_DOCS}.tar.bz2 )
+"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="alpha amd64 hppa ppc ppc64 sparc x86"
+IUSE="doc"
+
+DEPEND="=net-firewall/shorewall-core-${PVR}"
+RDEPEND="
+ ${DEPEND}
+ >=net-firewall/iptables-1.4.20
+ >=sys-apps/iproute2-3.8.0[-minimal]
+"
+
+S=${WORKDIR}/${MY_P}
+
+pkg_pretend() {
+ local CONFIG_CHECK="~NF_CONNTRACK ~NF_CONNTRACK_IPV4"
+
+ local ERROR_CONNTRACK="${PN} requires NF_CONNTRACK support."
+
+ local ERROR_CONNTRACK_IPV4="${PN} requires NF_CONNTRACK_IPV4 support."
+
+ check_extra_config
+}
+
+src_prepare() {
+ cp "${FILESDIR}"/${PVR}/shorewallrc "${S}"/shorewallrc.gentoo || die "Copying shorewallrc failed"
+ eprefixify "${S}"/shorewallrc.gentoo
+
+ cp "${FILESDIR}"/${PVR}/${PN}.confd "${S}"/default.gentoo || die "Copying ${PN}.confd failed"
+ cp "${FILESDIR}"/${PVR}/${PN}.initd "${S}"/init.gentoo.sh || die "Copying ${PN}.initd failed"
+ cp "${FILESDIR}"/${PVR}/${PN}.systemd "${S}"/gentoo.service || die "Copying ${PN}.systemd failed"
+
+ epatch_user
+}
+
+src_configure() {
+ :;
+}
+
+src_compile() {
+ :;
+}
+
+src_install() {
+ keepdir /var/lib/${PN}
+
+ DESTDIR="${D}" ./install.sh shorewallrc.gentoo || die "install.sh failed"
+
+ dodoc changelog.txt releasenotes.txt
+ if use doc; then
+ cd "${WORKDIR}/${MY_P_DOCS}"
+ dohtml -r *
+ fi
+}
+
+pkg_postinst() {
+ if [[ -z "${REPLACING_VERSIONS}" ]]; then
+ # This is a new installation
+ elog "Before you can use ${PN}, you need to provide a configuration, which you can"
+ elog "create using ${CATEGORY}/shorewall (the full version, including the compiler)."
+ elog ""
+ elog "To activate ${PN} on system start, please add ${PN} to your default runlevel:"
+ elog ""
+ elog " # rc-update add ${PN} default"
+ fi
+
+ if ! has_version ${CATEGORY}/shorewall-init; then
+ elog ""
+ elog "Starting with shorewall-lite-4.5.21.2, Gentoo also offers ${CATEGORY}/shorewall-init,"
+ elog "which we recommend to install, to protect your firewall at system boot."
+ elog ""
+ elog "To read more about shorewall-init, please visit"
+ elog " http://www.shorewall.net/Shorewall-init.html"
+ fi
+}
diff --git a/net-firewall/shorewall/Manifest b/net-firewall/shorewall/Manifest
new file mode 100644
index 000000000000..1431e17c8cce
--- /dev/null
+++ b/net-firewall/shorewall/Manifest
@@ -0,0 +1,25 @@
+DIST shorewall-4.5.21.10.tar.bz2 489469 SHA256 961331ba61e5e6dccc106e43685e45f19bf1e155502067c88e18ecf94c2a794f SHA512 bdc673b999c99624c61caa1239ac3a58c4d85743179de05ed5fe947e755fc4b01425da34b67cb5e6db693c62bf25e316517f1473b450a1d76887e69e4e384682 WHIRLPOOL 04a7afd30d79d6360ec325e7df06ffd6e911d938382a4c0c331312ddf6951d6564f5a0452b244095309fe4ce00b1c72838b0ef76e198e137c153a617dc22e8e5
+DIST shorewall-4.5.21.9.tar.bz2 489618 SHA256 a1fc41abcba3181235e217a5da53bb25d11e6cdeef49dde82a0daeb2bb305fc6 SHA512 137eb33f63a25533f90150de5cd246f47e5072f838f8e42b044bd6a620bce767f8cb2b9da995fcfb61e37ab6774ea97819f6f7408f669539917b419262a68496 WHIRLPOOL be464ef64e06b35ff9fdf74e9b6a8c88b8de1aa766ec3bf2a7ccf9b69731ba23dc638047f5ad44f451ab93e093458f8f88d7b16201d61bbdfce40075f9ef25be
+DIST shorewall-4.6.10.1.tar.bz2 496061 SHA256 de527474f5bac6bf59678321c604748c48efe28a897d339a2187a45e3efed8ef SHA512 a5ef4783ff04b6faaa2e25d1da57ca3c46860960859dad5cd3b8d3cb252626b1db39c35767b226333f10db7b08b0fb18c0c09cd4eaf14586cb02b1a4259b571d WHIRLPOOL 26ebb72e769d5ca7489f718cabdb1f9cfb78e2acd514329c7036edcafe27f159ffa4cdadeeb1cee43619f748474fcc7a614011147976abb14cf627503a542e3f
+DIST shorewall-4.6.11.tar.bz2 496630 SHA256 b504371e94281330fef8e60efcf8fcde0d4898322001930e7c9a11b4aee1599c SHA512 8661c89ad7e632e69206d5f308d2cc9bb150efc8e99fe911c55383c82fab5543915305f72e515e13a2d28917a3afc69088b52ec1dc8d126915516e2db699d40b WHIRLPOOL 5a645e4c25f1641a3a6634fb9b8572cc83e80f110fbf734c7ef724208616e1c94430d6594a675c9650de838d4e9ec2b255d5262b3487c6fbe06743c07966f1b2
+DIST shorewall-4.6.6.2.tar.bz2 485880 SHA256 db41744e6303e031e29be531dbedd4191624c4a70f9e23fa0b450e26953708f4 SHA512 9b37430a51b84e16d6fec3bbe0581ff18d1f8f15defd4d73ac6a13cd68eebe063da129a9b422079a433f5d4b3bcd7c0800d844cb05bf0ef0c41aa36fe57915f2 WHIRLPOOL 09c90c5871c546d8e396bca32e1a2b8b1a7041653330b74930c415bfe2b94ff24ac4c34f38644c6b539495a277410c59c3816f396f86060754bd4247fb622194
+DIST shorewall-core-4.6.10.1.tar.bz2 58247 SHA256 5af804f39f4480685e995080dc8913d4af61af70d5a478dd00bbf0593851b44d SHA512 1028e0bf950aecbc77c6c263ab8351fb8ff90b6077a0d6bf7c0d882559f5d8644ce0f2c6aec6dd3614d90a319277763460909e345e1e004cf8ea1f548e369284 WHIRLPOOL 0a0834eb355e05679b5809a18dd0749c6c06ac3130a9ab375587c7e6134042c01762775ac136f0396c051f4ac4b2f379141d111760929a42da6f00656a96e120
+DIST shorewall-core-4.6.11.tar.bz2 59476 SHA256 7651aee387eb497f71b0645234b0ae39eac906bce1d622475a1fc4401817ceed SHA512 28bfa0900826ec3f70d85257d086eea186a0a49a098b66a6263ed0812877d9552ec13a0e5a535816918e03314236893a869afb3918606a9debcc9b047798fd3d WHIRLPOOL a04ff53322eb8dda8e1cec656be689be60865dbd5b9b6dc885e461da5bfcb0995f2b8576a6dddabea7295337e0d8b37ce05351d7f6dbc0a63b7233f88cc0bd6a
+DIST shorewall-core-4.6.6.2.tar.bz2 54127 SHA256 764c8c22f619cdfd61eebd77e9f271a168515d44c4578b85af44921cc1f3b675 SHA512 bab5a8f1bb17a5273a5eadb734ad378a8b617b9a8be47a2a825f941d20c5161c88ce87dae285ebbbdbb21fe18c2e8cc5eff9b1097daef2d8def37c2eced05d6a WHIRLPOOL 8fd70565cfe0c6abc946cb41fc5cb1eca9ccc613fb4898f07b92f878fedd6293bc40e0aaf7c4af11f3e67ba47b341f471d69700e3edc0cc9426b4aad3bf38fb3
+DIST shorewall-docs-html-4.5.21.10.tar.bz2 4146174 SHA256 cdbc5f3654f7cfb6f0c3b3750a7174df8fa0590dfe34df055300140b3eb13192 SHA512 94852cc094d6a485cacc4023a2819431f1bfd80b8cbcab29981c422fdff9dfee90697ae8a9bda7ded3a8be03db516bdd5f4bcc4b83e7d01bc433a8c88d23731a WHIRLPOOL 6f02d0e3255dd1e31a43193f67f9b957546a6ae574631e61364f81244bee887e7f21c38f412fa21cde77b3d89aaf0e14e43909683db0c9c32edeb455c20b998e
+DIST shorewall-docs-html-4.5.21.9.tar.bz2 4146065 SHA256 9056c22b8232d8276cc53a6eb74940bab42a250c670cb5baa42c75cfb89efdef SHA512 48b2c692ba59b7ec74307909e43a95104e212c9b8e21af7f0dd9f3438ac4f24a6fd2bcc6517966681517aef03beaa8faf03efd74406966d97b68cb416be8551b WHIRLPOOL f68cba7ecaf8c541e58d26c157914bff2d90cd9deae30af7323ca69c68d028217133f53e597bf383191aee83fab29203d233b3cd1e75e4cf08d9e17308dc25e4
+DIST shorewall-docs-html-4.6.10.1.tar.bz2 4185752 SHA256 eeaec18b7f8663f0b836b76d140d3fad7871075de90f18ccc7b9fbda1538a787 SHA512 1bf1b3f5745d54af3af5f9bb6417c661e2bde8028d699aed4c4fcbe7cf301b8eadfed7be5e9bfdd677659c362d1e757eee13cd1b497a0c6837c179883c33e3a8 WHIRLPOOL 937fc4f76174f615de86eaa08690ebbe42f658154320d3e9972cbb0bcaa461e11fdaf5390f517f5d2f905aa5996ecb7399ca07d1767f647a49d33b1220e8d547
+DIST shorewall-docs-html-4.6.11.tar.bz2 4175307 SHA256 e1f6966d5d06b043eb3b7f91d8b6d87a0f90418ecd173af2e3e817670435bd8c SHA512 85b5efa3f8bd9322fa8f982e0cdcf4e1ccdd99f419b77dce51a39a5f2d6ad02de8d6123437a2f55b5af2467cb59d9cbb8bbbd32195ab1587fc329c6f65173471 WHIRLPOOL 01577073dbbcf8e16f8dae2a2295bd4e60d6b5ce48384ebc8dbb03d0b75cf9b3c72c51dcdfc4934761f021eed85c26e0eeb637853b99af42702f5129be0ce25b
+DIST shorewall-docs-html-4.6.6.2.tar.bz2 4178931 SHA256 89c6b3baba42bd3a4d7f67ccfbae395fec4054412bf636ff60a889dc2f5edc57 SHA512 63686a59eb6fe6330b036800dc99758bdfaecc1e67cf95c4dd3cc014db2e96a17a76d8cf92d1f44582990b34b53d062327c850187bc0a83e4d2369ac7e03d032 WHIRLPOOL 31eacfe0c6ea3dac32c24de0c5d01214f3ce4e2b95306e3d6e4165a636a7f6f225fedc741d19fa995c148a2758ec08439da0d5e1cd654483e2e5be4f21a5dfda
+DIST shorewall-init-4.6.10.1.tar.bz2 37674 SHA256 c3948dbe48230358eb4d5a370a44b247f4a6e6f28b1c4853be23d9abda79f6ba SHA512 71507a9c27f9a8286f82567f731714fe5a6f5b21f1f3f27f3a3ba9171301361948bef9824a9a45445d65f74039c4dca3ffc83e74a6ffd33783d1528ad581578e WHIRLPOOL 23c886b1015c6430d819d3010b8cdc587d88054f55b8092238438310562affdaead265a40a74dd888d1c939367afafa0ebecfe8946ceb202bab126ca2232cd97
+DIST shorewall-init-4.6.11.tar.bz2 38404 SHA256 025958f609ccfea21229f4a3f76e030f82d4d9b444ccb71e5c82f620c46ca35a SHA512 5b0dd33885825457d94ad2c59cd9b3690d9a5bfad43a8b281ba55537c1e8edc7e1de227ac0bcd22162b54bc31cc606b9db1387f2618739b2ef28292b5b6b8be7 WHIRLPOOL 06b79197b9a61fb7d63c19b7e145e08fd68e9adbbc8c60b224882649f6759848b411f99fd39a7ff9c65b9aafb33b76005c788a16a28498d19cf2622e1bd94336
+DIST shorewall-init-4.6.6.2.tar.bz2 34467 SHA256 361374cd8f52cec0f807e07a7a100da4627595c7c80c2d75d050ccee1a342e67 SHA512 760eb593c53e89622c6efafe8a46f43956aa606853f26c9a5402ca43eabbf1243a2dd3c2d64cc4a1e70da54bd0fb86de31c0f5dc14aefd0540b37745c243fb48 WHIRLPOOL 64953fab35a4a95ece8757b786a301caefbb47bd70821b61c48bfbbb445ebb3f434ca87ac5808bdf691a5469d2e2e3dd47b8857f272267790282ad8bbeb8b3b9
+DIST shorewall-lite-4.6.10.1.tar.bz2 53535 SHA256 9944da74b9496fe29afe6ebab8f4a37cfb24a6a701282231dd6916831e064c38 SHA512 79347ae6c62e8f039efb2a21b10fd33d08831b6595b64fb4806cc5fd812216d295b73c859db775c0c19cd7c8bdfe67f21042db0d0b47ba47ab6b430d1d522659 WHIRLPOOL 593b8872ea0ff95c5847c51c9c3c312329017cbd7e96efcd39bf1a41a32ef3e99a29deb797a4260422d1bfd86ef4ca72b25024b7d2f5e4e17464df1f3f25571a
+DIST shorewall-lite-4.6.11.tar.bz2 54339 SHA256 6b939754c685dc2e218ebb1f5bd4d81b1c73df8c99545d83644e5c7fa50dd568 SHA512 5a75a8e03bf48666e04cc2f5ac2a4e352b5624e8adfb1e92de400624691508fe2fe22d6f5a4e48dd412d4011d3ea737d7e0b098c56480daf72fd4801ec98f834 WHIRLPOOL 205387277cb6132c43ff18baad40c3ce6fbd7c483e736fce5f5775febeb68c3cfafbae3162682f1fb05312e48ca15c0851bb538761f6e53b5780070108397aa5
+DIST shorewall-lite-4.6.6.2.tar.bz2 48495 SHA256 6bd25fa1066da5272fa9bcc7a8a6041462eda682895cd000afce354bf42d9ebe SHA512 3c073b7531448c2d704bbdd0a7ad0287948d8969c371954f05a3cc276e6fcaaca907c554f4549c26aff2256d393fcc53221e7a1f93ac058cf519dc55c822104d WHIRLPOOL 1743c799022ab2a5ed1d86155f917120b44963c064d75b4168ea48b4e0b19970ccd1d944eb22eef0ea96f0abf396d60420508bda3f2cc30a33207c2edd12b27d
+DIST shorewall6-4.6.10.1.tar.bz2 231553 SHA256 1a2e303e9361fccf393ebfe512cf8d770b522f6b65a0a125a5e4aa0b28dd6e0c SHA512 acb678bd84e68d72f5dafd00d03feedefc8b954f7df9a4e6d57c70647ad2b046f7145c7b5de729d8bf1258a036587a687ee41170add2a50a411675be61de7d3d WHIRLPOOL a3451ff58bc32f4d720f5b8c6db226ac924cf0179084f351b7b35773f011c1b0b5feff2e9544a7b198995d297637e210b80adfb483db198e186b24a1954d2cc1
+DIST shorewall6-4.6.11.tar.bz2 232736 SHA256 1b7a58f97c40c28c4ff8b614a44cc2bc8a8e4a332afa2b5b132e78ec06fef866 SHA512 5ae1a89a980efaf860a32a106a24c98d7543bf4523361b62b568b390a5a515e67d6090523499d2e9bae9421f5a6ceb29460efed8286c41ea67d8912e4fe59ab4 WHIRLPOOL 627d0b4521ce90a3d8ea34c98c1ed9fea84ba7f631c1478c58a3ce52fc538c05116278526d66ccd08e59326467e4bf5eb44ff8e5d74ef47ed4c0492644c0b1e7
+DIST shorewall6-4.6.6.2.tar.bz2 225643 SHA256 b475473eaf9d4a8b4067214f8fa14f1c1d97cdb77c180abd9e22dfdea6b9f637 SHA512 a448e6367459fe06ff2869e45d06a3ff31ce5c7a6766920ad8367e251f8380ccf9cc62333d011f79baa7d3d97efb42fcadf1c6aecce124f2a3b94c15d3454db9 WHIRLPOOL 7f1fc2288983cb779872098362d98c7820164207dcbbcdf63d0fbec4b8fb2190724fde10f071f51ad51ba3f8f10282ecba5ba4f4b976ffa816da39935c336c54
+DIST shorewall6-lite-4.6.10.1.tar.bz2 52669 SHA256 ce19583541f5eb39acad33099af087d030374d467eb64aa4415ac9b18e65c5a8 SHA512 a33ab4b2397864329f35e6352606b13d04fb8ada17777c98d75bc685411bcf9453bf452d3a0b6699c537081483347c542bdfa547d71ca4c0c41967ccd755fd2e WHIRLPOOL ff3ef6e3ad68f69f47e71553061e845ed125735c1c6986180835397c8148386349a0317debf592917ec5ed0734c3af461c5161d9a061c6b8a6ff5c81d52743f0
+DIST shorewall6-lite-4.6.11.tar.bz2 53501 SHA256 fb9a4a42d39e3277c7f49fc09eacb6e347bc08485281c578cacce8429a055a84 SHA512 4010dd36a1cad7fc491272db202914964a1588779645e12fb0dbaa9749c37e1c28b15826ac6b07449609cbf1e77a979a29619c8cf6a9fffbbe6d1f34c843b560 WHIRLPOOL 62554f304364c61dfde283042a81568ffc740c754d7078b462b5cf8cc8a3e7afb072325900e74c99c1efb5586a35c103a190cb618dd82b8d5cb09a1b9d912f02
+DIST shorewall6-lite-4.6.6.2.tar.bz2 47909 SHA256 a7a6de15ea84a0486c9ed92492fcd6f731f2c4ce71f06ce3c59f3abf3780ae86 SHA512 0d5b0fc3d166cfdd58978e1d6b36e2ac19a0d10b5b59bbf2fa62e79040e636d72256b120df14a7d8111dc39d24ac218758feb07c5fb2119aa61e51f78c567597 WHIRLPOOL c02c11ca0f578022daf96b2c594a7f62d042cf875c7c35682eaa2b312416446239c21c9af31f965536761a081015d73ae49b553c7cc08850955378d1cfb76af7
diff --git a/net-firewall/shorewall/files/4.5.21.10-r1/shorewall-10-fix-ipset-support-detection.patch b/net-firewall/shorewall/files/4.5.21.10-r1/shorewall-10-fix-ipset-support-detection.patch
new file mode 100644
index 000000000000..55b8f7039747
--- /dev/null
+++ b/net-firewall/shorewall/files/4.5.21.10-r1/shorewall-10-fix-ipset-support-detection.patch
@@ -0,0 +1,29 @@
+Beginning with 3.14, the address family of the ipset was checked and an
+error is generated:
+
+root@jessie:~# ipset -N foo iphash
+root@jessie:~# ip6tables -N foo
+root@jessie:~# ip6tables -A foo -m set --match-set foo src
+ip6tables v1.4.21: The protocol family of set foo is IPv4, which is not
+applicable.
+
+Try `ip6tables -h' or 'ip6tables --help' for more information.
+root@jessie:~#
+
+This caused the failure. By reversing the order of the terms, an ipv6
+ipset is created (if supported) and the ip6tables command succeeds.
+
+http://thread.gmane.org/gmane.comp.security.shorewall/31349
+
+diff -rupN old/shorewall-4.5.21.10/Perl/Shorewall/Config.pm new/shorewall-4.5.21.10/Perl/Shorewall/Config.pm
+--- old/shorewall-4.5.21.10/Perl/Shorewall/Config.pm 2014-05-26 16:47:21.000000000 +0200
++++ new/shorewall-4.5.21.10/Perl/Shorewall/Config.pm 2014-07-20 18:11:28.186658453 +0200
+@@ -3961,7 +3961,7 @@ sub IPSet_Match() {
+ if ( $ipset && -x $ipset ) {
+ qt( "$ipset -X $sillyname" );
+
+- if ( qt( "$ipset -N $sillyname iphash" ) || qt( "$ipset -N $sillyname hash:ip family $fam") ) {
++ if ( qt( "$ipset -N $sillyname hash:ip family $fam" ) || qt( "$ipset -N $sillyname iphash" ) ) {
+ if ( qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src -j ACCEPT" ) ) {
+ qt1( "$iptables $iptablesw -F $sillyname" );
+ $result = ! ( $capabilities{OLD_IPSET_MATCH} = 0 );
diff --git a/net-firewall/shorewall/files/4.5.21.10-r1/shorewall.confd b/net-firewall/shorewall/files/4.5.21.10-r1/shorewall.confd
new file mode 100644
index 000000000000..e5957167b5b9
--- /dev/null
+++ b/net-firewall/shorewall/files/4.5.21.10-r1/shorewall.confd
@@ -0,0 +1,15 @@
+# Global start/restart/stop options
+#
+OPTIONS=""
+
+# Start options
+#
+STARTOPTIONS=""
+
+# Stop options
+#
+STOPOPTIONS=""
+
+# Restart options
+#
+RESTARTOPTIONS=""
diff --git a/net-firewall/shorewall/files/4.5.21.10-r1/shorewall.initd b/net-firewall/shorewall/files/4.5.21.10-r1/shorewall.initd
new file mode 100644
index 000000000000..898dc319b0c2
--- /dev/null
+++ b/net-firewall/shorewall/files/4.5.21.10-r1/shorewall.initd
@@ -0,0 +1,107 @@
+#!/sbin/runscript
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+description='The Shoreline Firewall, more commonly known as "Shorewall", is'
+description="${description} a high-level tool for configuring Netfilter."
+
+extra_commands="check clear"
+extra_started_commands="refresh reset"
+
+description_check="Checks if the configuration will compile or not."
+
+description_clear="Clear will remove all rules and chains installed by"
+description_clear="${description_clear} Shorewall. The firewall is then"
+description_clear="${description_clear} wide open and unprotected."
+
+description_refresh="The mangle table will be refreshed along with the"
+description_refresh="${description_refresh} blacklist chain (if any)."
+
+description_reset="All the packet and byte counters in the firewall are reset."
+
+depend() {
+ need net
+ provide firewall
+ after ulogd
+}
+
+status() {
+ local _retval
+ /sbin/shorewall status 1>/dev/null
+ _retval=$?
+ if [ ${_retval} = '0' ]; then
+ einfo 'status: started'
+ mark_service_started "${SVCNAME}"
+ return 0
+ else
+ einfo 'status: stopped'
+ mark_service_stopped "${SVCNAME}"
+ return 3
+ fi
+}
+
+start() {
+ ebegin "Starting shorewall"
+ /sbin/shorewall ${OPTIONS} start ${STARTOPTIONS} 1>/dev/null
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping shorewall"
+ /sbin/shorewall ${OPTIONS} stop ${STOPOPTIONS} 1>/dev/null
+ eend $?
+}
+
+restart() {
+ # shorewall comes with its own control script that includes a
+ # restart function, so refrain from calling svc_stop/svc_start
+ # here. Note that this comment is required to fix bug 55576;
+ # runscript.sh greps this script... (09 Jul 2004 agriffis)
+
+ ebegin "Restarting shorewall"
+ /sbin/shorewall status 1>/dev/null
+ if [ $? != 0 ] ; then
+ svc_start
+ else
+ /sbin/shorewall ${OPTIONS} restart ${RESTARTOPTIONS} 1>/dev/null
+ fi
+ eend $?
+}
+
+clear() {
+ # clear will remove all the rules and bring the system to an unfirewalled
+ # state. (21 Nov 2004 eldad)
+
+ ebegin "Clearing all shorewall rules and setting policy to ACCEPT"
+ /sbin/shorewall ${OPTIONS} clear 1>/dev/null
+ eend $?
+}
+
+reset() {
+ # reset the packet and byte counters in the firewall
+
+ ebegin "Resetting the packet and byte counters in shorewall"
+ /sbin/shorewall ${OPTIONS} reset 1>/dev/null
+ eend $?
+}
+
+refresh() {
+ # refresh the rules involving the broadcast addresses of firewall
+ # interfaces, the black list, traffic control rules and
+ # ECN control rules
+
+ ebegin "Refreshing shorewall rules"
+ /sbin/shorewall ${OPTIONS} refresh 1>/dev/null
+ eend $?
+}
+
+check() {
+ # perform cursory validation of the zones, interfaces, hosts, rules
+ # and policy files. CAUTION: does not parse and validate the generated
+ # iptables commands.
+
+ ebegin "Checking shorewall configuration"
+ /sbin/shorewall ${OPTIONS} check 1>/dev/null
+ eend $?
+}
diff --git a/net-firewall/shorewall/files/4.5.21.10-r1/shorewall.systemd b/net-firewall/shorewall/files/4.5.21.10-r1/shorewall.systemd
new file mode 100644
index 000000000000..db278fd54585
--- /dev/null
+++ b/net-firewall/shorewall/files/4.5.21.10-r1/shorewall.systemd
@@ -0,0 +1,17 @@
+#
+# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
+#
+[Unit]
+Description=Shorewall IPv4 firewall
+Documentation=man:shorewall(8) http://www.shorewall.net/Documentation_Index.html
+After=network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=/etc/conf.d/shorewall
+ExecStart=/sbin/shorewall $OPTIONS start $STARTOPTIONS
+ExecStop=/sbin/shorewall $OPTIONS stop $STOPOPTIONS
+
+[Install]
+WantedBy=multi-user.target
diff --git a/net-firewall/shorewall/files/4.5.21.10-r1/shorewallrc b/net-firewall/shorewall/files/4.5.21.10-r1/shorewallrc
new file mode 100644
index 000000000000..46f5eb9a3603
--- /dev/null
+++ b/net-firewall/shorewall/files/4.5.21.10-r1/shorewallrc
@@ -0,0 +1,23 @@
+#
+# Gentoo Shorewall 4.5 rc file
+#
+BUILD= #Default is to detect the build system
+HOST=gentoo #Gentoo GNU Linux
+PREFIX=@GENTOO_PORTAGE_EPREFIX@/usr #Top-level directory for shared files, libraries, etc.
+SHAREDIR=${PREFIX}/share #Directory for arch-neutral files.
+LIBEXECDIR=${PREFIX}/share #Directory for executable scripts.
+PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory
+CONFDIR=@GENTOO_PORTAGE_EPREFIX@/etc #Directory where subsystem configurations are installed
+SBINDIR=@GENTOO_PORTAGE_EPREFIX@/sbin #Directory where system administration programs are installed
+MANDIR=${PREFIX}/share/man #Directory where manpages are installed.
+INITDIR=${CONFDIR}/init.d #Directory where SysV init scripts are installed.
+INITFILE=${PRODUCT} #Name of the product's installed SysV init script
+INITSOURCE=init.gentoo.sh #Name of the distributed file to be installed as the SysV init script
+ANNOTATED= #If non-zero, annotated configuration files are installed
+SYSTEMD=@GENTOO_PORTAGE_EPREFIX@/usr/lib/systemd/system #Directory where .service files are installed (systems running systemd only)
+SERVICEFILE=gentoo.service #Name of the distributed file to be installed as systemd service file
+SYSCONFFILE=default.gentoo #Name of the distributed file to be installed in $SYSCONFDIR
+SYSCONFDIR=${CONFDIR}/conf.d #Directory where SysV init parameter files are installed
+SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
+VARLIB=@GENTOO_PORTAGE_EPREFIX@/var/lib #Directory where product variable data is stored.
+VARDIR=${VARLIB}/${PRODUCT} #Directory where product variable data is stored.
diff --git a/net-firewall/shorewall/files/4.5.21.9/shorewall.confd b/net-firewall/shorewall/files/4.5.21.9/shorewall.confd
new file mode 100644
index 000000000000..e5957167b5b9
--- /dev/null
+++ b/net-firewall/shorewall/files/4.5.21.9/shorewall.confd
@@ -0,0 +1,15 @@
+# Global start/restart/stop options
+#
+OPTIONS=""
+
+# Start options
+#
+STARTOPTIONS=""
+
+# Stop options
+#
+STOPOPTIONS=""
+
+# Restart options
+#
+RESTARTOPTIONS=""
diff --git a/net-firewall/shorewall/files/4.5.21.9/shorewall.initd b/net-firewall/shorewall/files/4.5.21.9/shorewall.initd
new file mode 100644
index 000000000000..898dc319b0c2
--- /dev/null
+++ b/net-firewall/shorewall/files/4.5.21.9/shorewall.initd
@@ -0,0 +1,107 @@
+#!/sbin/runscript
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+description='The Shoreline Firewall, more commonly known as "Shorewall", is'
+description="${description} a high-level tool for configuring Netfilter."
+
+extra_commands="check clear"
+extra_started_commands="refresh reset"
+
+description_check="Checks if the configuration will compile or not."
+
+description_clear="Clear will remove all rules and chains installed by"
+description_clear="${description_clear} Shorewall. The firewall is then"
+description_clear="${description_clear} wide open and unprotected."
+
+description_refresh="The mangle table will be refreshed along with the"
+description_refresh="${description_refresh} blacklist chain (if any)."
+
+description_reset="All the packet and byte counters in the firewall are reset."
+
+depend() {
+ need net
+ provide firewall
+ after ulogd
+}
+
+status() {
+ local _retval
+ /sbin/shorewall status 1>/dev/null
+ _retval=$?
+ if [ ${_retval} = '0' ]; then
+ einfo 'status: started'
+ mark_service_started "${SVCNAME}"
+ return 0
+ else
+ einfo 'status: stopped'
+ mark_service_stopped "${SVCNAME}"
+ return 3
+ fi
+}
+
+start() {
+ ebegin "Starting shorewall"
+ /sbin/shorewall ${OPTIONS} start ${STARTOPTIONS} 1>/dev/null
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping shorewall"
+ /sbin/shorewall ${OPTIONS} stop ${STOPOPTIONS} 1>/dev/null
+ eend $?
+}
+
+restart() {
+ # shorewall comes with its own control script that includes a
+ # restart function, so refrain from calling svc_stop/svc_start
+ # here. Note that this comment is required to fix bug 55576;
+ # runscript.sh greps this script... (09 Jul 2004 agriffis)
+
+ ebegin "Restarting shorewall"
+ /sbin/shorewall status 1>/dev/null
+ if [ $? != 0 ] ; then
+ svc_start
+ else
+ /sbin/shorewall ${OPTIONS} restart ${RESTARTOPTIONS} 1>/dev/null
+ fi
+ eend $?
+}
+
+clear() {
+ # clear will remove all the rules and bring the system to an unfirewalled
+ # state. (21 Nov 2004 eldad)
+
+ ebegin "Clearing all shorewall rules and setting policy to ACCEPT"
+ /sbin/shorewall ${OPTIONS} clear 1>/dev/null
+ eend $?
+}
+
+reset() {
+ # reset the packet and byte counters in the firewall
+
+ ebegin "Resetting the packet and byte counters in shorewall"
+ /sbin/shorewall ${OPTIONS} reset 1>/dev/null
+ eend $?
+}
+
+refresh() {
+ # refresh the rules involving the broadcast addresses of firewall
+ # interfaces, the black list, traffic control rules and
+ # ECN control rules
+
+ ebegin "Refreshing shorewall rules"
+ /sbin/shorewall ${OPTIONS} refresh 1>/dev/null
+ eend $?
+}
+
+check() {
+ # perform cursory validation of the zones, interfaces, hosts, rules
+ # and policy files. CAUTION: does not parse and validate the generated
+ # iptables commands.
+
+ ebegin "Checking shorewall configuration"
+ /sbin/shorewall ${OPTIONS} check 1>/dev/null
+ eend $?
+}
diff --git a/net-firewall/shorewall/files/4.5.21.9/shorewall.systemd b/net-firewall/shorewall/files/4.5.21.9/shorewall.systemd
new file mode 100644
index 000000000000..db278fd54585
--- /dev/null
+++ b/net-firewall/shorewall/files/4.5.21.9/shorewall.systemd
@@ -0,0 +1,17 @@
+#
+# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
+#
+[Unit]
+Description=Shorewall IPv4 firewall
+Documentation=man:shorewall(8) http://www.shorewall.net/Documentation_Index.html
+After=network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=/etc/conf.d/shorewall
+ExecStart=/sbin/shorewall $OPTIONS start $STARTOPTIONS
+ExecStop=/sbin/shorewall $OPTIONS stop $STOPOPTIONS
+
+[Install]
+WantedBy=multi-user.target
diff --git a/net-firewall/shorewall/files/4.5.21.9/shorewallrc b/net-firewall/shorewall/files/4.5.21.9/shorewallrc
new file mode 100644
index 000000000000..46f5eb9a3603
--- /dev/null
+++ b/net-firewall/shorewall/files/4.5.21.9/shorewallrc
@@ -0,0 +1,23 @@
+#
+# Gentoo Shorewall 4.5 rc file
+#
+BUILD= #Default is to detect the build system
+HOST=gentoo #Gentoo GNU Linux
+PREFIX=@GENTOO_PORTAGE_EPREFIX@/usr #Top-level directory for shared files, libraries, etc.
+SHAREDIR=${PREFIX}/share #Directory for arch-neutral files.
+LIBEXECDIR=${PREFIX}/share #Directory for executable scripts.
+PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory
+CONFDIR=@GENTOO_PORTAGE_EPREFIX@/etc #Directory where subsystem configurations are installed
+SBINDIR=@GENTOO_PORTAGE_EPREFIX@/sbin #Directory where system administration programs are installed
+MANDIR=${PREFIX}/share/man #Directory where manpages are installed.
+INITDIR=${CONFDIR}/init.d #Directory where SysV init scripts are installed.
+INITFILE=${PRODUCT} #Name of the product's installed SysV init script
+INITSOURCE=init.gentoo.sh #Name of the distributed file to be installed as the SysV init script
+ANNOTATED= #If non-zero, annotated configuration files are installed
+SYSTEMD=@GENTOO_PORTAGE_EPREFIX@/usr/lib/systemd/system #Directory where .service files are installed (systems running systemd only)
+SERVICEFILE=gentoo.service #Name of the distributed file to be installed as systemd service file
+SYSCONFFILE=default.gentoo #Name of the distributed file to be installed in $SYSCONFDIR
+SYSCONFDIR=${CONFDIR}/conf.d #Directory where SysV init parameter files are installed
+SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
+VARLIB=@GENTOO_PORTAGE_EPREFIX@/var/lib #Directory where product variable data is stored.
+VARDIR=${VARLIB}/${PRODUCT} #Directory where product variable data is stored.
diff --git a/net-firewall/shorewall/files/4.6/shorewall-init-01_remove-ipset-functionality-r1.patch b/net-firewall/shorewall/files/4.6/shorewall-init-01_remove-ipset-functionality-r1.patch
new file mode 100644
index 000000000000..8b60eb245fc0
--- /dev/null
+++ b/net-firewall/shorewall/files/4.6/shorewall-init-01_remove-ipset-functionality-r1.patch
@@ -0,0 +1,28 @@
+diff -rupN old/shorewall-init-4.6.10.1/shorewall-init new/shorewall-init-4.6.10.1/shorewall-init
+--- old/shorewall-init-4.6.10.1/shorewall-init 2015-06-09 20:02:00.000000000 +0200
++++ new/shorewall-init-4.6.10.1/shorewall-init 2015-06-14 17:16:17.396424059 +0200
+@@ -78,10 +78,6 @@ shorewall_start () {
+ fi
+ done
+
+- if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
+- ipset -R < "$SAVE_IPSETS"
+- fi
+-
+ return 0
+ }
+
+@@ -99,13 +95,6 @@ shorewall_stop () {
+ fi
+ done
+
+- if [ -n "$SAVE_IPSETS" ]; then
+- mkdir -p $(dirname "$SAVE_IPSETS")
+- if ipset -S > "${SAVE_IPSETS}.tmp"; then
+- grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+- fi
+- fi
+-
+ return 0
+ }
+
diff --git a/net-firewall/shorewall/files/4.6/shorewall-init-01_remove-ipset-functionality.patch b/net-firewall/shorewall/files/4.6/shorewall-init-01_remove-ipset-functionality.patch
new file mode 100644
index 000000000000..620e479f92fc
--- /dev/null
+++ b/net-firewall/shorewall/files/4.6/shorewall-init-01_remove-ipset-functionality.patch
@@ -0,0 +1,27 @@
+--- shorewall-init.old 2013-09-08 23:25:36.364924304 +0200
++++ shorewall-init 2013-09-08 23:29:27.418736392 +0200
+@@ -79,10 +79,6 @@
+ fi
+ done
+
+- if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
+- ipset -R < "$SAVE_IPSETS"
+- fi
+-
+ return 0
+ }
+
+@@ -100,13 +96,6 @@
+ fi
+ done
+
+- if [ -n "$SAVE_IPSETS" ]; then
+- mkdir -p $(dirname "$SAVE_IPSETS")
+- if ipset -S > "${SAVE_IPSETS}.tmp"; then
+- grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+- fi
+- fi
+-
+ return 0
+ }
+
diff --git a/net-firewall/shorewall/files/4.6/shorewall-init.confd b/net-firewall/shorewall/files/4.6/shorewall-init.confd
new file mode 100644
index 000000000000..1b126be4e8bf
--- /dev/null
+++ b/net-firewall/shorewall/files/4.6/shorewall-init.confd
@@ -0,0 +1,6 @@
+# List the Shorewall products Shorewall-init should
+# initialize (space-separated list).
+#
+# Sample: PRODUCTS="shorewall shorewall6-lite"
+#
+PRODUCTS=""
diff --git a/net-firewall/shorewall/files/4.6/shorewall-init.initd b/net-firewall/shorewall/files/4.6/shorewall-init.initd
new file mode 100644
index 000000000000..837d609bb9fd
--- /dev/null
+++ b/net-firewall/shorewall/files/4.6/shorewall-init.initd
@@ -0,0 +1,192 @@
+#!/sbin/runscript
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+SHOREWALLRC_FILE="@GENTOO_PORTAGE_EPREFIX@/usr/share/shorewall/shorewallrc"
+CONFIG_FILE="@GENTOO_PORTAGE_EPREFIX@/etc/conf.d/${SVCNAME}"
+
+description="Puts Shorewall in a safe state at boot time"
+description="${description} prior to bringing up the network."
+
+required_files="$SHOREWALLRC_FILE"
+
+depend() {
+ need localmount
+ before net
+ after bootmisc ipset tmpfiles.setup ulogd
+}
+
+
+. $SHOREWALLRC_FILE
+
+checkconfig() {
+ local PRODUCT=
+
+ if [ -z "${VARLIB}" ]; then
+ eerror "\"VARLIB\" isn't defined or empty! Please check" \
+ "\"${SHOREWALLRC_FILE}\"."
+
+ return 1
+ fi
+
+ if [ -z "${PRODUCTS}" ]; then
+ eerror "${SVCNAME} isn't configured! Please check" \
+ "\"${CONFIG_FILE}\"."
+
+ return 1
+ fi
+
+ for PRODUCT in ${PRODUCTS}; do
+ if [ ! -x ${SBINDIR}/${PRODUCT} ]; then
+ eerror "Invalid product \"${PRODUCT}\" specified" \
+ "in \"${CONFIG_FILE}\"!"
+ eerror "Maybe \"${PRODUCT}\" isn't installed?"
+
+ return 1
+ fi
+ done
+
+ return 0
+}
+
+check_firewall_script() {
+ if [ ${PRODUCT} = shorewall -o ${PRODUCT} = shorewall6 ]; then
+ ebegin "Checking \"${STATEDIR}/firewall\""
+ ${SBINDIR}/${PRODUCT} compile -c 1>/dev/null
+ eend $?
+ fi
+
+ if [ ! -x ${STATEDIR}/firewall ]; then
+ eerror "\"${PRODUCT}\" isn't configured!"
+
+ if [ ${PRODUCT} = shorewall-lite -o ${PRODUCT} = shorewall6-lite ]; then
+ eerror "Please go to your 'administrative system'" \
+ "and deploy the compiled firewall" \
+ "configuration for this system."
+ fi
+
+ return 1
+ fi
+
+ return 0
+}
+
+is_allowed_to_be_executed() {
+ # This is not a real service. shorewall-init is an intermediate
+ # script to put your Shorewall-based firewall into a safe state
+ # at boot time prior to bringing up the network.
+ # Please read /usr/share/doc/shorewall-init-*/README.gentoo.gz
+ # for more information.
+ # When your system is up, there is no need to call shorewall-init.
+ # Please call shorewall{,6,-lite,6-lite} directly. That's the
+ # reason why we are preventing start, stop or restart here.
+
+ local PRODUCT=
+
+ if [ "${RC_RUNLEVEL}" != "boot" -a "${RC_CMD}" = "start" ]; then
+ # Starting shorewall-init is only allowed at boot time
+ eerror "This is a boot service, which can only be started" \
+ "at boot."
+ eerror "If you want to get your shorewall-based firewall" \
+ "into the same safe boot state again, run"
+ eerror ""
+ eindent
+ for PRODUCT in ${PRODUCTS}; do
+ eerror "/etc/init.d/${PRODUCT} stop"
+ done
+ eoutdent
+ eerror ""
+ eerror "Yes, \"stop\" and not start."
+ eerror ""
+ return 1
+ fi
+
+ if [ "${RC_RUNLEVEL}" != "shutdown" -a "${RC_CMD}" = "stop" ]; then
+ # Stopping shorewall-init is only allowed at shutdown
+ eerror "This is a boot service, which cannot be stopped."
+ eerror "If you really want to stop your Shorewall-based" \
+ "firewall the same way this service would stop" \
+ "Shorewall at shutdown, please run"
+ eerror ""
+ eindent
+ for PRODUCT in ${PRODUCTS}; do
+ eerror "/etc/init.d/${PRODUCT} clear"
+ done
+ eoutdent
+ eerror ""
+ eerror "Keep in mind that this will clear (=bring down)" \
+ "your firewall!"
+ eerror ""
+ return 1
+ fi
+
+ if [ "${RC_CMD}" = "restart" ]; then
+ eerror "This is a boot service, which cannot be restarted."
+ eerror "If you want to restart any of your Shorewall-based" \
+ "firewalls, run"
+ eerror ""
+ eindent
+ for PRODUCT in ${PRODUCTS}; do
+ eerror "/etc/init.d/${PRODUCT} restart"
+ done
+ eoutdent
+ eerror ""
+ return 1
+ fi
+
+ return 0
+}
+
+set_statedir() {
+ STATEDIR=
+ local VARDIR=
+
+ if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
+ STATEDIR=$( . ${CONFDIR}/${PRODUCT}/vardir && echo ${VARDIR} )
+ fi
+
+ [ ! -n "${STATEDIR}" ] && STATEDIR=${VARLIB}/${PRODUCT}
+}
+
+start_pre() {
+ checkconfig || return 1
+
+ is_allowed_to_be_executed || return 1
+}
+
+start() {
+ local PRODUCT=
+ local STATEDIR=
+
+ for PRODUCT in ${PRODUCTS}; do
+ set_statedir
+
+ check_firewall_script || return 1
+
+ ebegin "Initializing \"${PRODUCT}\""
+ ${STATEDIR}/firewall stop 1>/dev/null
+ eend $?
+ done
+}
+
+stop_pre() {
+ checkconfig || return 1
+
+ is_allowed_to_be_executed || return 1
+}
+
+stop() {
+ local PRODUCT=
+ local STATEDIR=
+
+ for PRODUCT in ${PRODUCTS}; do
+ set_statedir
+
+ check_firewall_script || return 1
+
+ ebegin "Clearing \"${PRODUCT}\""
+ ${STATEDIR}/firewall clear 1>/dev/null
+ eend $?
+ done
+}
diff --git a/net-firewall/shorewall/files/4.6/shorewall-init.readme b/net-firewall/shorewall/files/4.6/shorewall-init.readme
new file mode 100644
index 000000000000..f7b13fed3de6
--- /dev/null
+++ b/net-firewall/shorewall/files/4.6/shorewall-init.readme
@@ -0,0 +1,30 @@
+shorewall-init from upstream offers two features (taken from [1]):
+
+ 1. It can 'close' the firewall before the network interfaces are
+ brought up during boot.
+
+ 2. It can change the firewall state as the result of interfaces
+ being brought up or taken down.
+
+On Gentoo we only support the first feature -- the firewall lockdown during
+boot.
+
+We do not support the second feature, because Gentoo doesn't support a
+if-{up,down}.d folder like other distributions do. If you would want to use
+such a feature, you would have to add a custom action to /etc/conf.d/net
+(please refer to the Gentoo Linux Handbook [2] for more information).
+If you are able to add your custom {pre,post}{up,down} action, your are
+also able to specify what shorewall{6,-lite,6-lite} should do, so there is
+no need for upstream's scripts in Gentoo.
+
+If you disagree with us, feel free to open a bug [3] and contribute your
+solution for Gentoo.
+
+Upstream's original init script also supports saving and restoring of
+ipsets. Please use the init script from net-firewall/ipset if you need
+such a feature.
+
+
+[1] http://www.shorewall.net/Shorewall-init.html
+[2] http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=4&chap=5
+[3] https://bugs.gentoo.org
diff --git a/net-firewall/shorewall/files/4.6/shorewall-init.systemd b/net-firewall/shorewall/files/4.6/shorewall-init.systemd
new file mode 100644
index 000000000000..e98565fce8a1
--- /dev/null
+++ b/net-firewall/shorewall/files/4.6/shorewall-init.systemd
@@ -0,0 +1,19 @@
+#
+# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.6
+#
+[Unit]
+Description=shorewall-init
+Documentation=http://www.shorewall.net/Shorewall-init.html
+Before=network-pre.target
+Wants=network-pre.target
+Conflicts=iptables.service firewalld.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+StandardOutput=syslog
+ExecStart=/sbin/shorewall-init start
+ExecStop=/sbin/shorewall-init stop
+
+[Install]
+WantedBy=basic.target
diff --git a/net-firewall/shorewall/files/4.6/shorewall-init.systemd-r1 b/net-firewall/shorewall/files/4.6/shorewall-init.systemd-r1
new file mode 100644
index 000000000000..542e2c26223b
--- /dev/null
+++ b/net-firewall/shorewall/files/4.6/shorewall-init.systemd-r1
@@ -0,0 +1,19 @@
+#
+# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.6
+#
+[Unit]
+Description=shorewall-init
+Documentation=http://www.shorewall.net/Shorewall-init.html
+Before=network-pre.target
+Wants=network-pre.target
+Conflicts=iptables.service ip6tables.service firewalld.service iptables-restore.service ip6tables-restore.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+StandardOutput=syslog
+ExecStart=/sbin/shorewall-init start
+ExecStop=/sbin/shorewall-init stop
+
+[Install]
+WantedBy=basic.target
diff --git a/net-firewall/shorewall/files/4.6/shorewall-lite.confd b/net-firewall/shorewall/files/4.6/shorewall-lite.confd
new file mode 100644
index 000000000000..0e419b87a3c0
--- /dev/null
+++ b/net-firewall/shorewall/files/4.6/shorewall-lite.confd
@@ -0,0 +1,15 @@
+# Global start/restart/stop options
+#
+OPTIONS="-tvv"
+
+# Start options
+#
+STARTOPTIONS=""
+
+# Stop options
+#
+STOPOPTIONS=""
+
+# Restart options
+#
+RESTARTOPTIONS=""
diff --git a/net-firewall/shorewall/files/4.6/shorewall-lite.initd b/net-firewall/shorewall/files/4.6/shorewall-lite.initd
new file mode 100644
index 000000000000..c3375153c44a
--- /dev/null
+++ b/net-firewall/shorewall/files/4.6/shorewall-lite.initd
@@ -0,0 +1,74 @@
+#!/sbin/runscript
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+description='The Shoreline Firewall Lite, more commonly known as "Shorewall Lite", is'
+description="${description} a high-level tool for configuring Netfilter."
+
+extra_commands="clear"
+extra_started_commands="reset"
+
+description_clear="Clear will remove all rules and chains installed by"
+description_clear="${description_clear} Shorewall Lite. The firewall is"
+description_clear="${description_clear} then wide open and unprotected."
+
+description_reset="All the packet and byte counters in the firewall are reset."
+
+command="/usr/sbin/shorewall-lite"
+
+depend() {
+ need net
+ provide firewall
+ after ulogd
+}
+
+status() {
+ local _retval
+ ${command} status 1>/dev/null
+ _retval=$?
+ if [ ${_retval} = '0' ]; then
+ einfo 'status: started'
+ mark_service_started "${SVCNAME}"
+ return 0
+ else
+ einfo 'status: stopped'
+ mark_service_stopped "${SVCNAME}"
+ return 3
+ fi
+}
+
+start() {
+ ebegin "Starting shorewall-lite"
+ ${command} ${OPTIONS} start ${STARTOPTIONS} 1>/dev/null
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping shorewall-lite"
+ ${command} ${OPTIONS} stop ${STOPOPTIONS} 1>/dev/null
+ eend $?
+}
+
+restart() {
+ ebegin "Restarting shorewall-lite"
+ ${command} status 1>/dev/null
+ if [ $? != 0 ] ; then
+ svc_start
+ else
+ ${command} ${OPTIONS} restart ${RESTARTOPTIONS} 1>/dev/null
+ fi
+ eend $?
+}
+
+clear() {
+ ebegin "Clearing all shorewall-lite rules and setting policy to ACCEPT"
+ ${command} ${OPTIONS} clear 1>/dev/null
+ eend $?
+}
+
+reset() {
+ ebegin "Resetting the packet and byte counters in shorewall-lite"
+ ${command} ${OPTIONS} reset 1>/dev/null
+ eend $?
+}
diff --git a/net-firewall/shorewall/files/4.6/shorewall-lite.systemd b/net-firewall/shorewall/files/4.6/shorewall-lite.systemd
new file mode 100644
index 000000000000..5898ccb86c14
--- /dev/null
+++ b/net-firewall/shorewall/files/4.6/shorewall-lite.systemd
@@ -0,0 +1,19 @@
+#
+# The Shoreline Firewall Lite (Shorewall-Lite) Packet Filtering Firewall - V4.6
+#
+[Unit]
+Description=Shorewall IPv4 firewall lite
+Documentation=man:shorewall-lite(8) http://www.shorewall.net/Documentation_Index.html
+After=network-online.target
+Conflicts=iptables.service firewalld.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=/etc/conf.d/shorewall-lite
+StandardOutput=syslog
+ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
+ExecStop=/sbin/shorewall-lite $OPTIONS stop $STOPOPTIONS
+
+[Install]
+WantedBy=basic.target
diff --git a/net-firewall/shorewall/files/4.6/shorewall-lite.systemd-r1 b/net-firewall/shorewall/files/4.6/shorewall-lite.systemd-r1
new file mode 100644
index 000000000000..b24fca8e33a3
--- /dev/null
+++ b/net-firewall/shorewall/files/4.6/shorewall-lite.systemd-r1
@@ -0,0 +1,20 @@
+#
+# The Shoreline Firewall Lite (Shorewall-Lite) Packet Filtering Firewall - V4.6
+#
+[Unit]
+Description=Shorewall IPv4 firewall lite
+Documentation=man:shorewall-lite(8) http://www.shorewall.net/Documentation_Index.html
+Wants=network-online.target
+After=network-online.target
+Conflicts=iptables.service firewalld.service iptables-restore.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=/etc/conf.d/shorewall-lite
+StandardOutput=syslog
+ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
+ExecStop=/sbin/shorewall-lite $OPTIONS stop $STOPOPTIONS
+
+[Install]
+WantedBy=basic.target
diff --git a/net-firewall/shorewall/files/4.6/shorewall.confd b/net-firewall/shorewall/files/4.6/shorewall.confd
new file mode 100644
index 000000000000..0e419b87a3c0
--- /dev/null
+++ b/net-firewall/shorewall/files/4.6/shorewall.confd
@@ -0,0 +1,15 @@
+# Global start/restart/stop options
+#
+OPTIONS="-tvv"
+
+# Start options
+#
+STARTOPTIONS=""
+
+# Stop options
+#
+STOPOPTIONS=""
+
+# Restart options
+#
+RESTARTOPTIONS=""
diff --git a/net-firewall/shorewall/files/4.6/shorewall.initd b/net-firewall/shorewall/files/4.6/shorewall.initd
new file mode 100644
index 000000000000..76d7741a1ecd
--- /dev/null
+++ b/net-firewall/shorewall/files/4.6/shorewall.initd
@@ -0,0 +1,99 @@
+#!/sbin/runscript
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+description='The Shoreline Firewall, more commonly known as "Shorewall", is'
+description="${description} a high-level tool for configuring Netfilter."
+
+extra_commands="check clear"
+extra_started_commands="refresh reset"
+
+description_check="Checks if the configuration will compile or not."
+
+description_clear="Clear will remove all rules and chains installed by"
+description_clear="${description_clear} Shorewall. The firewall is then"
+description_clear="${description_clear} wide open and unprotected."
+
+description_refresh="The mangle table will be refreshed along with the"
+description_refresh="${description_refresh} blacklist chain (if any)."
+
+description_reset="All the packet and byte counters in the firewall are reset."
+
+command="/usr/sbin/shorewall"
+
+depend() {
+ need net
+ provide firewall
+ after ulogd
+}
+
+status() {
+ local _retval
+ ${command} status 1>/dev/null
+ _retval=$?
+ if [ ${_retval} = '0' ]; then
+ einfo 'status: started'
+ mark_service_started "${SVCNAME}"
+ return 0
+ else
+ einfo 'status: stopped'
+ mark_service_stopped "${SVCNAME}"
+ return 3
+ fi
+}
+
+start() {
+ ebegin "Starting shorewall"
+ ${command} ${OPTIONS} start ${STARTOPTIONS} 1>/dev/null
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping shorewall"
+ ${command} ${OPTIONS} stop ${STOPOPTIONS} 1>/dev/null
+ eend $?
+}
+
+restart() {
+ ebegin "Restarting shorewall"
+ ${command} status 1>/dev/null
+ if [ $? != 0 ] ; then
+ svc_start
+ else
+ ${command} ${OPTIONS} restart ${RESTARTOPTIONS} 1>/dev/null
+ fi
+ eend $?
+}
+
+clear() {
+ ebegin "Clearing all shorewall rules and setting policy to ACCEPT"
+ ${command} ${OPTIONS} clear 1>/dev/null
+ eend $?
+}
+
+reset() {
+ ebegin "Resetting the packet and byte counters in shorewall"
+ ${command} ${OPTIONS} reset 1>/dev/null
+ eend $?
+}
+
+refresh() {
+ # refresh the rules involving the broadcast addresses of firewall
+ # interfaces, the black list, traffic control rules and
+ # ECN control rules
+
+ ebegin "Refreshing shorewall rules"
+ ${command} ${OPTIONS} refresh 1>/dev/null
+ eend $?
+}
+
+check() {
+ # perform cursory validation of the zones, interfaces, hosts, rules
+ # and policy files. CAUTION: does not parse and validate the generated
+ # iptables commands.
+
+ ebegin "Checking shorewall configuration"
+ ${command} ${OPTIONS} check 1>/dev/null
+ eend $?
+}
diff --git a/net-firewall/shorewall/files/4.6/shorewall.systemd b/net-firewall/shorewall/files/4.6/shorewall.systemd
new file mode 100644
index 000000000000..986c3510454a
--- /dev/null
+++ b/net-firewall/shorewall/files/4.6/shorewall.systemd
@@ -0,0 +1,19 @@
+#
+# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.6
+#
+[Unit]
+Description=Shorewall IPv4 firewall
+Documentation=man:shorewall(8) http://www.shorewall.net/Documentation_Index.html
+After=network-online.target
+Conflicts=iptables.service firewalld.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=/etc/conf.d/shorewall
+StandardOutput=syslog
+ExecStart=/sbin/shorewall $OPTIONS start $STARTOPTIONS
+ExecStop=/sbin/shorewall $OPTIONS stop $STOPOPTIONS
+
+[Install]
+WantedBy=basic.target
diff --git a/net-firewall/shorewall/files/4.6/shorewall.systemd-r1 b/net-firewall/shorewall/files/4.6/shorewall.systemd-r1
new file mode 100644
index 000000000000..209d3f78ee33
--- /dev/null
+++ b/net-firewall/shorewall/files/4.6/shorewall.systemd-r1
@@ -0,0 +1,20 @@
+#
+# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.6
+#
+[Unit]
+Description=Shorewall IPv4 firewall
+Documentation=man:shorewall(8) http://www.shorewall.net/Documentation_Index.html
+Wants=network-online.target
+After=network-online.target
+Conflicts=iptables.service firewalld.service iptables-restore.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=/etc/conf.d/shorewall
+StandardOutput=syslog
+ExecStart=/sbin/shorewall $OPTIONS start $STARTOPTIONS
+ExecStop=/sbin/shorewall $OPTIONS stop $STOPOPTIONS
+
+[Install]
+WantedBy=basic.target
diff --git a/net-firewall/shorewall/files/4.6/shorewall6-lite.confd b/net-firewall/shorewall/files/4.6/shorewall6-lite.confd
new file mode 100644
index 000000000000..0e419b87a3c0
--- /dev/null
+++ b/net-firewall/shorewall/files/4.6/shorewall6-lite.confd
@@ -0,0 +1,15 @@
+# Global start/restart/stop options
+#
+OPTIONS="-tvv"
+
+# Start options
+#
+STARTOPTIONS=""
+
+# Stop options
+#
+STOPOPTIONS=""
+
+# Restart options
+#
+RESTARTOPTIONS=""
diff --git a/net-firewall/shorewall/files/4.6/shorewall6-lite.initd b/net-firewall/shorewall/files/4.6/shorewall6-lite.initd
new file mode 100644
index 000000000000..527eb5b47a26
--- /dev/null
+++ b/net-firewall/shorewall/files/4.6/shorewall6-lite.initd
@@ -0,0 +1,84 @@
+#!/sbin/runscript
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+description='The Shoreline Firewall 6 Lite, more commonly known as "Shorewall6 Lite", is'
+description="${description} a high-level tool for configuring Netfilter."
+
+extra_commands="clear"
+extra_started_commands="reset"
+
+description_clear="Clear will remove all rules and chains installed by"
+description_clear="${description_clear} Shorewall6 Lite. The firewall is"
+description_clear="${description_clear} then wide open and unprotected."
+
+description_reset="All the packet and byte counters in the firewall are reset."
+
+command="/usr/sbin/shorewall6-lite"
+
+depend() {
+ need net
+ provide firewall
+ after ulogd
+}
+
+status() {
+ local _retval
+ ${command} status 1>/dev/null
+ _retval=$?
+ if [ ${_retval} = '0' ]; then
+ einfo 'status: started'
+ mark_service_started "${SVCNAME}"
+ return 0
+ else
+ einfo 'status: stopped'
+ mark_service_stopped "${SVCNAME}"
+ return 3
+ fi
+}
+
+start() {
+ ebegin "Starting shorewall6-lite"
+ ${command} ${OPTIONS} start ${STARTOPTIONS} 1>/dev/null
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping shorewall6-lite"
+ ${command} ${OPTIONS} stop ${STOPOPTIONS} 1>/dev/null
+ eend $?
+}
+
+restart() {
+ # shorewall comes with its own control script that includes a
+ # restart function, so refrain from calling svc_stop/svc_start
+ # here. Note that this comment is required to fix bug 55576;
+ # runscript.sh greps this script... (09 Jul 2004 agriffis)
+
+ ebegin "Restarting shorewall6-lite"
+ ${command} status 1>/dev/null
+ if [ $? != 0 ] ; then
+ svc_start
+ else
+ ${command} ${OPTIONS} restart ${RESTARTOPTIONS} 1>/dev/null
+ fi
+ eend $?
+}
+
+clear() {
+ # clear will remove all the rules and bring the system to an unfirewalled
+ # state. (21 Nov 2004 eldad)
+
+ ebegin "Clearing all shorewall6-lite rules and setting policy to ACCEPT"
+ ${command} ${OPTIONS} clear 1>/dev/null
+ eend $?
+}
+
+reset() {
+ # reset the packet and byte counters in the firewall
+
+ ebegin "Resetting the packet and byte counters in shorewall6-lite"
+ ${command} ${OPTIONS} reset 1>/dev/null
+ eend $?
+}
diff --git a/net-firewall/shorewall/files/4.6/shorewall6-lite.systemd b/net-firewall/shorewall/files/4.6/shorewall6-lite.systemd
new file mode 100644
index 000000000000..768a84f2ded1
--- /dev/null
+++ b/net-firewall/shorewall/files/4.6/shorewall6-lite.systemd
@@ -0,0 +1,19 @@
+#
+# The Shoreline Firewall 6 Lite (Shorewall6-Lite) Packet Filtering Firewall - V4.6
+#
+[Unit]
+Description=Shorewall IPv6 firewall lite
+Documentation=man:shorewall6-lite(8) http://www.shorewall.net/Documentation_Index.html
+After=network-online.target
+Conflicts=ip6tables.service firewalld.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=/etc/conf.d/shorewall6-lite
+StandardOutput=syslog
+ExecStart=/sbin/shorewall6-lite $OPTIONS start $STARTOPTIONS
+ExecStop=/sbin/shorewall6-lite $OPTIONS stop $STOPOPTIONS
+
+[Install]
+WantedBy=basic.target
diff --git a/net-firewall/shorewall/files/4.6/shorewall6-lite.systemd-r1 b/net-firewall/shorewall/files/4.6/shorewall6-lite.systemd-r1
new file mode 100644
index 000000000000..eda311d1b9c4
--- /dev/null
+++ b/net-firewall/shorewall/files/4.6/shorewall6-lite.systemd-r1
@@ -0,0 +1,20 @@
+#
+# The Shoreline Firewall 6 Lite (Shorewall6-Lite) Packet Filtering Firewall - V4.6
+#
+[Unit]
+Description=Shorewall IPv6 firewall lite
+Documentation=man:shorewall6-lite(8) http://www.shorewall.net/Documentation_Index.html
+Wants=network-online.target
+After=network-online.target
+Conflicts=ip6tables.service firewalld.service ip6tables-restore.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=/etc/conf.d/shorewall6-lite
+StandardOutput=syslog
+ExecStart=/sbin/shorewall6-lite $OPTIONS start $STARTOPTIONS
+ExecStop=/sbin/shorewall6-lite $OPTIONS stop $STOPOPTIONS
+
+[Install]
+WantedBy=basic.target
diff --git a/net-firewall/shorewall/files/4.6/shorewall6.confd b/net-firewall/shorewall/files/4.6/shorewall6.confd
new file mode 100644
index 000000000000..210eec1b5730
--- /dev/null
+++ b/net-firewall/shorewall/files/4.6/shorewall6.confd
@@ -0,0 +1,15 @@
+# Global start/restart/stop options
+#
+OPTIONS="-tvv"
+
+# Start options
+#
+STARTOPTIONS=""
+
+# Stop options
+#
+STOPOPTIONS=""
+
+# Restart options
+#
+RESTARTOPTIONS=""
diff --git a/net-firewall/shorewall/files/4.6/shorewall6.initd b/net-firewall/shorewall/files/4.6/shorewall6.initd
new file mode 100644
index 000000000000..8ed1079db1ed
--- /dev/null
+++ b/net-firewall/shorewall/files/4.6/shorewall6.initd
@@ -0,0 +1,109 @@
+#!/sbin/runscript
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+description='The Shoreline Firewall 6, more commonly known as "Shorewall6", is'
+description="${description} a high-level tool for configuring Netfilter."
+
+extra_commands="check clear"
+extra_started_commands="refresh reset"
+
+description_check="Checks if the configuration will compile or not."
+
+description_clear="Clear will remove all rules and chains installed by"
+description_clear="${description_clear} Shorewall6. The firewall is then"
+description_clear="${description_clear} wide open and unprotected."
+
+description_refresh="The mangle table will be refreshed along with the"
+description_refresh="${description_refresh} blacklist chain (if any)."
+
+description_reset="All the packet and byte counters in the firewall are reset."
+
+command="/usr/sbin/shorewall6"
+
+depend() {
+ need net
+ provide firewall
+ after ulogd
+}
+
+status() {
+ local _retval
+ ${command} status 1>/dev/null
+ _retval=$?
+ if [ ${_retval} = '0' ]; then
+ einfo 'status: started'
+ mark_service_started "${SVCNAME}"
+ return 0
+ else
+ einfo 'status: stopped'
+ mark_service_stopped "${SVCNAME}"
+ return 3
+ fi
+}
+
+start() {
+ ebegin "Starting shorewall6"
+ ${command} ${OPTIONS} start ${STARTOPTIONS} 1>/dev/null
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping shorewall6"
+ ${command} ${OPTIONS} stop ${STOPOPTIONS} 1>/dev/null
+ eend $?
+}
+
+restart() {
+ # shorewall comes with its own control script that includes a
+ # restart function, so refrain from calling svc_stop/svc_start
+ # here. Note that this comment is required to fix bug 55576;
+ # runscript.sh greps this script... (09 Jul 2004 agriffis)
+
+ ebegin "Restarting shorewall6"
+ ${command} status 1>/dev/null
+ if [ $? != 0 ] ; then
+ svc_start
+ else
+ ${command} ${OPTIONS} restart ${RESTARTOPTIONS} 1>/dev/null
+ fi
+ eend $?
+}
+
+clear() {
+ # clear will remove all the rules and bring the system to an unfirewalled
+ # state. (21 Nov 2004 eldad)
+
+ ebegin "Clearing all shorewall rules and setting policy to ACCEPT"
+ ${command} ${OPTIONS} clear 1>/dev/null
+ eend $?
+}
+
+reset() {
+ # reset the packet and byte counters in the firewall
+
+ ebegin "Resetting the packet and byte counters in shorewall6"
+ ${command} ${OPTIONS} reset 1>/dev/null
+ eend $?
+}
+
+refresh() {
+ # refresh the rules involving the broadcast addresses of firewall
+ # interfaces, the black list, traffic control rules and
+ # ECN control rules
+
+ ebegin "Refreshing shorewall6 rules"
+ ${command} ${OPTIONS} refresh 1>/dev/null
+ eend $?
+}
+
+check() {
+ # perform cursory validation of the zones, interfaces, hosts, rules
+ # and policy files. CAUTION: does not parse and validate the generated
+ # iptables commands.
+
+ ebegin "Checking shorewall6 configuration"
+ ${command} ${OPTIONS} check 1>/dev/null
+ eend $?
+}
diff --git a/net-firewall/shorewall/files/4.6/shorewall6.systemd b/net-firewall/shorewall/files/4.6/shorewall6.systemd
new file mode 100644
index 000000000000..6ae4ea589ee8
--- /dev/null
+++ b/net-firewall/shorewall/files/4.6/shorewall6.systemd
@@ -0,0 +1,19 @@
+#
+# The Shoreline Firewall 6 (Shorewall6) Packet Filtering Firewall - V4.6
+#
+[Unit]
+Description=Shorewall IPv6 firewall
+Documentation=man:shorewall6(8) http://www.shorewall.net/Documentation_Index.html
+After=network-online.target
+Conflicts=ip6tables.service firewalld.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=/etc/conf.d/shorewall6
+StandardOutput=syslog
+ExecStart=/sbin/shorewall6 $OPTIONS start $STARTOPTIONS
+ExecStop=/sbin/shorewall6 $OPTIONS stop $STOPOPTIONS
+
+[Install]
+WantedBy=basic.target
diff --git a/net-firewall/shorewall/files/4.6/shorewall6.systemd-r1 b/net-firewall/shorewall/files/4.6/shorewall6.systemd-r1
new file mode 100644
index 000000000000..64fd43585cf6
--- /dev/null
+++ b/net-firewall/shorewall/files/4.6/shorewall6.systemd-r1
@@ -0,0 +1,20 @@
+#
+# The Shoreline Firewall 6 (Shorewall6) Packet Filtering Firewall - V4.6
+#
+[Unit]
+Description=Shorewall IPv6 firewall
+Documentation=man:shorewall6(8) http://www.shorewall.net/Documentation_Index.html
+Wants=network-online.target
+After=network-online.target
+Conflicts=ip6tables.service firewalld.service ip6tables-restore.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=/etc/conf.d/shorewall6
+StandardOutput=syslog
+ExecStart=/sbin/shorewall6 $OPTIONS start $STARTOPTIONS
+ExecStop=/sbin/shorewall6 $OPTIONS stop $STOPOPTIONS
+
+[Install]
+WantedBy=basic.target
diff --git a/net-firewall/shorewall/files/4.6/shorewallrc b/net-firewall/shorewall/files/4.6/shorewallrc
new file mode 100644
index 000000000000..0eef4147c008
--- /dev/null
+++ b/net-firewall/shorewall/files/4.6/shorewallrc
@@ -0,0 +1,23 @@
+#
+# Gentoo Shorewall 4.6 rc file
+#
+BUILD=gentoo #Default is to detect the build system
+HOST=gentoo #Gentoo GNU Linux
+PREFIX=@GENTOO_PORTAGE_EPREFIX@/usr #Top-level directory for shared files, libraries, etc.
+SHAREDIR=${PREFIX}/share #Directory for arch-neutral files.
+LIBEXECDIR=${PREFIX}/share #Directory for executable scripts.
+PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory
+CONFDIR=@GENTOO_PORTAGE_EPREFIX@/etc #Directory where subsystem configurations are installed
+SBINDIR=${PREFIX}/sbin #Directory where system administration programs are installed
+MANDIR=${PREFIX}/share/man #Directory where manpages are installed.
+INITDIR=${CONFDIR}/init.d #Directory where SysV init scripts are installed.
+INITFILE=${PRODUCT} #Name of the product's installed SysV init script
+INITSOURCE=init.gentoo.sh #Name of the distributed file to be installed as the SysV init script
+ANNOTATED= #If non-zero, annotated configuration files are installed
+SERVICEDIR=@GENTOO_PORTAGE_EPREFIX@/usr/lib/systemd/system #Directory where .service files are installed (systems running systemd only)
+SERVICEFILE=gentoo.service #Name of the distributed file to be installed as systemd service file
+SYSCONFFILE=default.gentoo #Name of the distributed file to be installed in $SYSCONFDIR
+SYSCONFDIR=${CONFDIR}/conf.d #Directory where SysV init parameter files are installed
+SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
+VARLIB=@GENTOO_PORTAGE_EPREFIX@/var/lib #Directory where product variable data is stored.
+VARDIR=${VARLIB}/${PRODUCT} #Directory where product variable data is stored.
diff --git a/net-firewall/shorewall/metadata.xml b/net-firewall/shorewall/metadata.xml
new file mode 100644
index 000000000000..b05083f3a6ea
--- /dev/null
+++ b/net-firewall/shorewall/metadata.xml
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+ <herd>netmon</herd>
+ <herd>proxy-maintainers</herd>
+ <maintainer>
+ <email>whissi@whissi.de</email>
+ <name>Thomas D. (Whissi)</name>
+ </maintainer>
+ <use>
+ <flag name="init">Adds the capability to place the firewall in a safe state prior to bringing up the network interfaces</flag>
+ <flag name="ipv4">Installs everything needed to create a full IPv4 firewall</flag>
+ <flag name="ipv6">Adds the capability to create a full IPv6 firewall (requires <pkg>net-firewall/shorewall[ipv4]</pkg>)</flag>
+ <flag name="lite4">Installs everything needed to just *run* an IPv4 compiled firewall script created with <pkg>net-firewall/shorewall[ipv4]</pkg></flag>
+ <flag name="lite6">Installs everything needed to just *run* an IPv6 compiled firewall script created with <pkg>net-firewall/shorewall[ipv6]</pkg></flag>
+ </use>
+</pkgmetadata>
diff --git a/net-firewall/shorewall/shorewall-4.5.21.10-r1.ebuild b/net-firewall/shorewall/shorewall-4.5.21.10-r1.ebuild
new file mode 100644
index 000000000000..18a2a85decb7
--- /dev/null
+++ b/net-firewall/shorewall/shorewall-4.5.21.10-r1.ebuild
@@ -0,0 +1,118 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="5"
+
+inherit eutils linux-info prefix systemd versionator
+
+MY_URL_PREFIX=
+case ${P} in
+ *_beta* | \
+ *_rc*)
+ MY_URL_PREFIX='development/'
+ ;;
+esac
+
+MY_PV=${PV/_rc/-RC}
+MY_PV=${MY_PV/_beta/-Beta}
+MY_P=${PN}-${MY_PV}
+MY_P_DOCS=shorewall-docs-html-${MY_PV}
+
+MY_MAJOR_RELEASE_NUMBER=$(get_version_component_range 1-2)
+MY_MAJORMINOR_RELEASE_NUMBER=$(get_version_component_range 1-3)
+
+DESCRIPTION='The Shoreline Firewall, commonly known as Shorewall, is'
+DESCRIPTION+=' a high-level tool for configuring Netfilter'
+HOMEPAGE="http://www.shorewall.net/"
+SRC_URI="
+ http://www1.shorewall.net/pub/shorewall/${MY_URL_PREFIX}${MY_MAJOR_RELEASE_NUMBER}/shorewall-${MY_MAJORMINOR_RELEASE_NUMBER}/${MY_P}.tar.bz2
+ doc? ( http://www1.shorewall.net/pub/shorewall/${MY_URL_PREFIX}${MY_MAJOR_RELEASE_NUMBER}/shorewall-${MY_MAJORMINOR_RELEASE_NUMBER}/${MY_P_DOCS}.tar.bz2 )
+"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 hppa ~ppc ~ppc64 ~sparc ~x86"
+IUSE="doc"
+
+DEPEND="
+ >=dev-lang/perl-5.10
+ virtual/perl-Digest-SHA
+ =net-firewall/shorewall-core-${PVR}
+"
+RDEPEND="
+ ${DEPEND}
+ >=net-firewall/iptables-1.4.20
+ >=sys-apps/iproute2-3.8.0[-minimal]
+ >=sys-devel/bc-1.06.95
+"
+
+S=${WORKDIR}/${MY_P}
+
+pkg_pretend() {
+ local CONFIG_CHECK="~NF_CONNTRACK ~NF_CONNTRACK_IPV4"
+
+ local WARNING_CONNTRACK="Without NF_CONNTRACK support, you will be unable"
+ local WARNING_CONNTRACK+=" to run ${PN} on the local system."
+
+ local WARNING_CONNTRACK_IPV4="Without NF_CONNTRACK_IPV4 support, you will"
+ local WARNING_CONNTRACK_IPV4+=" be unable to run ${PN} on the local system."
+
+ check_extra_config
+}
+
+src_prepare() {
+ epatch "${FILESDIR}"/${PVR}/shorewall-10-fix-ipset-support-detection.patch
+
+ cp "${FILESDIR}"/${PVR}/shorewallrc "${S}"/shorewallrc.gentoo || die "Copying shorewallrc failed"
+ eprefixify "${S}"/shorewallrc.gentoo
+
+ cp "${FILESDIR}"/${PVR}/${PN}.confd "${S}"/default.gentoo || die "Copying ${PN}.confd failed"
+ cp "${FILESDIR}"/${PVR}/${PN}.initd "${S}"/init.gentoo.sh || die "Copying ${PN}.initd failed"
+ cp "${FILESDIR}"/${PVR}/${PN}.systemd "${S}"/gentoo.service || die "Copying ${PN}.systemd failed"
+
+ epatch_user
+}
+
+src_configure() {
+ :;
+}
+
+src_compile() {
+ :;
+}
+
+src_install() {
+ keepdir /var/lib/${PN}
+
+ DESTDIR="${D}" ./install.sh shorewallrc.gentoo || die "install.sh failed"
+
+ dodoc changelog.txt releasenotes.txt
+ if use doc; then
+ dodoc -r Samples
+ cd "${WORKDIR}"/${MY_P_DOCS}
+ dohtml -r *
+ fi
+}
+
+pkg_postinst() {
+ if [[ -z "${REPLACING_VERSIONS}" ]]; then
+ # This is a new installation
+ elog "Before you can use ${PN}, you need to edit its configuration in:"
+ elog ""
+ elog " ${EPREFIX}/etc/${PN}/${PN}.conf"
+ elog ""
+ elog "To activate ${PN} on system start, please add ${PN} to your default runlevel:"
+ elog ""
+ elog " # rc-update add ${PN} default"
+ fi
+
+ if ! has_version ${CATEGORY}/shorewall-init; then
+ elog ""
+ elog "Starting with shorewall-4.5.21.2, Gentoo also offers ${CATEGORY}/shorewall-init,"
+ elog "which we recommend to install, to protect your firewall at system boot."
+ elog ""
+ elog "To read more about shorewall-init, please visit"
+ elog " http://www.shorewall.net/Shorewall-init.html"
+ fi
+}
diff --git a/net-firewall/shorewall/shorewall-4.5.21.9.ebuild b/net-firewall/shorewall/shorewall-4.5.21.9.ebuild
new file mode 100644
index 000000000000..621938142fc6
--- /dev/null
+++ b/net-firewall/shorewall/shorewall-4.5.21.9.ebuild
@@ -0,0 +1,116 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="5"
+
+inherit eutils linux-info prefix systemd versionator
+
+MY_URL_PREFIX=
+case ${P} in
+ *_beta* | \
+ *_rc*)
+ MY_URL_PREFIX='development/'
+ ;;
+esac
+
+MY_PV=${PV/_rc/-RC}
+MY_PV=${MY_PV/_beta/-Beta}
+MY_P=${PN}-${MY_PV}
+MY_P_DOCS=shorewall-docs-html-${MY_PV}
+
+MY_MAJOR_RELEASE_NUMBER=$(get_version_component_range 1-2)
+MY_MAJORMINOR_RELEASE_NUMBER=$(get_version_component_range 1-3)
+
+DESCRIPTION='The Shoreline Firewall, commonly known as Shorewall, is'
+DESCRIPTION+=' a high-level tool for configuring Netfilter'
+HOMEPAGE="http://www.shorewall.net/"
+SRC_URI="
+ http://www1.shorewall.net/pub/shorewall/${MY_URL_PREFIX}${MY_MAJOR_RELEASE_NUMBER}/shorewall-${MY_MAJORMINOR_RELEASE_NUMBER}/${MY_P}.tar.bz2
+ doc? ( http://www1.shorewall.net/pub/shorewall/${MY_URL_PREFIX}${MY_MAJOR_RELEASE_NUMBER}/shorewall-${MY_MAJORMINOR_RELEASE_NUMBER}/${MY_P_DOCS}.tar.bz2 )
+"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="alpha amd64 hppa ppc ppc64 sparc x86"
+IUSE="doc"
+
+DEPEND="
+ >=dev-lang/perl-5.10
+ virtual/perl-Digest-SHA
+ =net-firewall/shorewall-core-${PVR}
+"
+RDEPEND="
+ ${DEPEND}
+ >=net-firewall/iptables-1.4.20
+ >=sys-apps/iproute2-3.8.0[-minimal]
+ >=sys-devel/bc-1.06.95
+"
+
+S=${WORKDIR}/${MY_P}
+
+pkg_pretend() {
+ local CONFIG_CHECK="~NF_CONNTRACK ~NF_CONNTRACK_IPV4"
+
+ local WARNING_CONNTRACK="Without NF_CONNTRACK support, you will be unable"
+ local WARNING_CONNTRACK+=" to run ${PN} on the local system."
+
+ local WARNING_CONNTRACK_IPV4="Without NF_CONNTRACK_IPV4 support, you will"
+ local WARNING_CONNTRACK_IPV4+=" be unable to run ${PN} on the local system."
+
+ check_extra_config
+}
+
+src_prepare() {
+ cp "${FILESDIR}"/${PVR}/shorewallrc "${S}"/shorewallrc.gentoo || die "Copying shorewallrc failed"
+ eprefixify "${S}"/shorewallrc.gentoo
+
+ cp "${FILESDIR}"/${PVR}/${PN}.confd "${S}"/default.gentoo || die "Copying ${PN}.confd failed"
+ cp "${FILESDIR}"/${PVR}/${PN}.initd "${S}"/init.gentoo.sh || die "Copying ${PN}.initd failed"
+ cp "${FILESDIR}"/${PVR}/${PN}.systemd "${S}"/gentoo.service || die "Copying ${PN}.systemd failed"
+
+ epatch_user
+}
+
+src_configure() {
+ :;
+}
+
+src_compile() {
+ :;
+}
+
+src_install() {
+ keepdir /var/lib/${PN}
+
+ DESTDIR="${D}" ./install.sh shorewallrc.gentoo || die "install.sh failed"
+
+ dodoc changelog.txt releasenotes.txt
+ if use doc; then
+ dodoc -r Samples
+ cd "${WORKDIR}"/${MY_P_DOCS}
+ dohtml -r *
+ fi
+}
+
+pkg_postinst() {
+ if [[ -z "${REPLACING_VERSIONS}" ]]; then
+ # This is a new installation
+ elog "Before you can use ${PN}, you need to edit its configuration in:"
+ elog ""
+ elog " ${EPREFIX}/etc/${PN}/${PN}.conf"
+ elog ""
+ elog "To activate ${PN} on system start, please add ${PN} to your default runlevel:"
+ elog ""
+ elog " # rc-update add ${PN} default"
+ fi
+
+ if ! has_version ${CATEGORY}/shorewall-init; then
+ elog ""
+ elog "Starting with shorewall-4.5.21.2, Gentoo also offers ${CATEGORY}/shorewall-init,"
+ elog "which we recommend to install, to protect your firewall at system boot."
+ elog ""
+ elog "To read more about shorewall-init, please visit"
+ elog " http://www.shorewall.net/Shorewall-init.html"
+ fi
+}
diff --git a/net-firewall/shorewall/shorewall-4.6.10.1.ebuild b/net-firewall/shorewall/shorewall-4.6.10.1.ebuild
new file mode 100644
index 000000000000..9c4abe3d3a9c
--- /dev/null
+++ b/net-firewall/shorewall/shorewall-4.6.10.1.ebuild
@@ -0,0 +1,442 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="5"
+
+inherit eutils linux-info prefix systemd versionator
+
+DESCRIPTION='The Shoreline Firewall, commonly known as Shorewall, is'
+DESCRIPTION+=' a high-level tool for configuring Netfilter'
+HOMEPAGE="http://www.shorewall.net/"
+LICENSE="GPL-2"
+SLOT="0"
+IUSE="doc +init +ipv4 ipv6 lite4 lite6"
+
+MY_PV=${PV/_rc/-RC}
+MY_PV=${MY_PV/_beta/-Beta}
+MY_P=${PN}-${MY_PV}
+
+MY_MAJOR_RELEASE_NUMBER=$(get_version_component_range 1-2)
+MY_MAJORMINOR_RELEASE_NUMBER=$(get_version_component_range 1-3)
+
+# shorewall
+MY_PN_IPV4=Shorewall
+MY_P_IPV4=${MY_PN_IPV4/#S/s}-${MY_PV}
+
+# shorewall6
+MY_PN_IPV6=Shorewall6
+MY_P_IPV6=${MY_PN_IPV6/#S/s}-${MY_PV}
+
+# shorewall-lite
+MY_PN_LITE4=Shorewall-lite
+MY_P_LITE4=${MY_PN_LITE4/#S/s}-${MY_PV}
+
+# shorewall6-lite
+MY_PN_LITE6=Shorewall6-lite
+MY_P_LITE6=${MY_PN_LITE6/#S/s}-${MY_PV}
+
+# shorewall-init
+MY_PN_INIT=Shorewall-init
+MY_P_INIT=${MY_PN_INIT/#S/s}-${MY_PV}
+
+# shorewall-core
+MY_PN_CORE=Shorewall-core
+MY_P_CORE=${MY_PN_CORE/#S/s}-${MY_PV}
+
+# shorewall-docs-html
+MY_PN_DOCS=Shorewall-docs-html
+MY_P_DOCS=${MY_PN_DOCS/#S/s}-${MY_PV}
+
+# Upstream URL schema:
+# Beta: $MIRROR/pub/shorewall/development/4.6/shorewall-4.6.4-Beta2/shorewall-4.6.4-Beta2.tar.bz2
+# RC: $MIRROR/pub/shorewall/development/4.6/shorewall-4.6.4-RC1/shorewall-4.6.4-RC1.tar.bz2
+# Release: $MIRROR/pub/shorewall/4.6/shorewall-4.6.3/shorewall-4.6.3.3.tar.bz2
+
+MY_URL_PREFIX=
+MY_URL_SUFFIX=
+if [[ ${MY_PV} = *-Beta* ]] || [[ ${MY_PV} = *-RC* ]]; then
+ MY_URL_PREFIX='development/'
+
+ _tmp_last_index=$(($(get_last_version_component_index ${MY_PV})+1))
+ _tmp_suffix=$(get_version_component_range ${_tmp_last_index} ${MY_PV})
+ if [[ ${_tmp_suffix} = *Beta* ]] || [[ ${_tmp_suffix} = *RC* ]]; then
+ MY_URL_SUFFIX="-${_tmp_suffix}"
+ fi
+
+ # Cleaning up temporary variables
+ unset _tmp_last_index
+ unset _tmp_suffix
+else
+ KEYWORDS="alpha amd64 hppa ppc ~ppc64 sparc x86"
+fi
+
+SRC_URI="
+ http://www.shorewall.net/pub/shorewall/${MY_URL_PREFIX}${MY_MAJOR_RELEASE_NUMBER}/shorewall-${MY_MAJORMINOR_RELEASE_NUMBER}${MY_URL_SUFFIX}/shorewall-core-${MY_PV}.tar.bz2
+ ipv4? ( http://www.shorewall.net/pub/shorewall/${MY_URL_PREFIX}${MY_MAJOR_RELEASE_NUMBER}/shorewall-${MY_MAJORMINOR_RELEASE_NUMBER}${MY_URL_SUFFIX}/shorewall-${MY_PV}.tar.bz2 )
+ ipv6? ( http://www.shorewall.net/pub/shorewall/${MY_URL_PREFIX}${MY_MAJOR_RELEASE_NUMBER}/shorewall-${MY_MAJORMINOR_RELEASE_NUMBER}${MY_URL_SUFFIX}/shorewall6-${MY_PV}.tar.bz2 )
+ lite4? ( http://www.shorewall.net/pub/shorewall/${MY_URL_PREFIX}${MY_MAJOR_RELEASE_NUMBER}/shorewall-${MY_MAJORMINOR_RELEASE_NUMBER}${MY_URL_SUFFIX}/shorewall-lite-${MY_PV}.tar.bz2 )
+ lite6? ( http://www.shorewall.net/pub/shorewall/${MY_URL_PREFIX}${MY_MAJOR_RELEASE_NUMBER}/shorewall-${MY_MAJORMINOR_RELEASE_NUMBER}${MY_URL_SUFFIX}/shorewall6-lite-${MY_PV}.tar.bz2 )
+ init? ( http://www.shorewall.net/pub/shorewall/${MY_URL_PREFIX}${MY_MAJOR_RELEASE_NUMBER}/shorewall-${MY_MAJORMINOR_RELEASE_NUMBER}${MY_URL_SUFFIX}/shorewall-init-${MY_PV}.tar.bz2 )
+ doc? ( http://www.shorewall.net/pub/shorewall/${MY_URL_PREFIX}${MY_MAJOR_RELEASE_NUMBER}/shorewall-${MY_MAJORMINOR_RELEASE_NUMBER}${MY_URL_SUFFIX}/${MY_P_DOCS}.tar.bz2 )
+"
+
+# - Shorewall6 requires Shorewall
+# - Installing Shorewall-init or just the documentation doesn't make any sense,
+# that's why we force the user to select at least one "real" Shorewall product
+#
+# See http://shorewall.net/download.htm#Which
+REQUIRED_USE="
+ ipv6? ( ipv4 )
+ || ( ipv4 lite4 lite6 )
+"
+
+# No build dependencies! Just plain shell scripts...
+DEPEND=""
+
+RDEPEND="
+ >=net-firewall/iptables-1.4.20
+ >=sys-apps/iproute2-3.8.0[-minimal]
+ >=sys-devel/bc-1.06.95
+ ipv4? (
+ >=dev-lang/perl-5.16
+ virtual/perl-Digest-SHA
+ )
+ ipv6? (
+ >=dev-perl/Socket6-0.230.0
+ >=net-firewall/iptables-1.4.20[ipv6]
+ >=sys-apps/iproute2-3.8.0[ipv6]
+ )
+ lite6? (
+ >=net-firewall/iptables-1.4.20[ipv6]
+ >=sys-apps/iproute2-3.8.0[ipv6]
+ )
+ init? ( >=sys-apps/coreutils-8.20 )
+ !net-firewall/shorewall-core
+ !net-firewall/shorewall6
+ !net-firewall/shorewall-lite
+ !net-firewall/shorewall6-lite
+ !net-firewall/shorewall-init
+ !<sys-apps/systemd-214
+"
+
+S=${WORKDIR}
+
+pkg_pretend() {
+ local CONFIG_CHECK="~NF_CONNTRACK"
+
+ local WARNING_CONNTRACK="Without NF_CONNTRACK support, you will be unable"
+ local WARNING_CONNTRACK+=" to run any shorewall-based firewall on the local system."
+
+ if use ipv4 || use lite4; then
+ CONFIG_CHECK="${CONFIG_CHECK} ~NF_CONNTRACK_IPV4"
+
+ local WARNING_CONNTRACK_IPV4="Without NF_CONNTRACK_IPV4 support, you will"
+ local WARNING_CONNTRACK_IPV4+=" be unable to run any shorewall-based IPv4 firewall on the local system."
+ fi
+
+ if use ipv6 || use lite6; then
+ CONFIG_CHECK="${CONFIG_CHECK} ~NF_CONNTRACK_IPV6"
+
+ local WARNING_CONNTRACK_IPV6="Without NF_CONNTRACK_IPV6 support, you will"
+ local WARNING_CONNTRACK_IPV6+=" be unable to run any shorewall-based IPv6 firewall on the local system."
+ fi
+
+ check_extra_config
+}
+
+pkg_setup() {
+ if [ -n "${DIGEST}" ]; then
+ einfo "Unsetting environment variable \"DIGEST\" to prevent conflicts with package's \"install.sh\" script ..."
+ unset DIGEST
+ fi
+}
+
+src_prepare() {
+ # We are moving each unpacked source from MY_P_* to MY_PN_*.
+ # This allows us to use patches from upstream and keeps epatch_user working
+
+ einfo "Preparing shorewallrc ..."
+ cp "${FILESDIR}"/${MY_MAJOR_RELEASE_NUMBER}/shorewallrc "${S}"/shorewallrc.gentoo || die "Copying shorewallrc failed"
+ eprefixify "${S}"/shorewallrc.gentoo
+
+ # shorewall-core
+ mv "${S}"/${MY_P_CORE} "${S}"/${MY_PN_CORE} || die "Failed to move '${S}/${MY_P_CORE}' to '${S}/${MY_PN_CORE}'"
+ ebegin "Applying Gentoo-specific changes to ${MY_P_CORE} ..."
+ ln -s ../shorewallrc.gentoo ${MY_PN_CORE}/shorewallrc.gentoo || die "Failed to symlink shorewallrc.gentoo"
+ eend 0
+
+ # shorewall
+ if use ipv4; then
+ mv "${S}"/${MY_P_IPV4} "${S}"/${MY_PN_IPV4} || die "Failed to move '${S}/${MY_P_IPV4}' to '${S}/${MY_PN_IPV4}'"
+ ebegin "Applying Gentoo-specific changes to ${MY_P_IPV4}"
+ ln -s ../shorewallrc.gentoo ${MY_PN_IPV4}/shorewallrc.gentoo || die "Failed to symlink shorewallrc.gentoo"
+ cp "${FILESDIR}"/${MY_MAJOR_RELEASE_NUMBER}/shorewall.confd "${S}"/${MY_PN_IPV4}/default.gentoo || die "Copying shorewall.confd failed"
+ cp "${FILESDIR}"/${MY_MAJOR_RELEASE_NUMBER}/shorewall.initd "${S}"/${MY_PN_IPV4}/init.gentoo.sh || die "Copying shorewall.initd failed"
+ cp "${FILESDIR}"/${MY_MAJOR_RELEASE_NUMBER}/shorewall.systemd-r1 "${S}"/${MY_PN_IPV4}/gentoo.service || die "Copying shorewall.systemd failed"
+ eend 0
+ fi
+
+ # shorewall6
+ if use ipv6; then
+ mv "${S}"/${MY_P_IPV6} "${S}"/${MY_PN_IPV6} || die "Failed to move '${S}/${MY_P_IPV6}' to '${S}/${MY_PN_IPV6}'"
+ ebegin "Applying Gentoo-specific changes to ${MY_P_IPV6}"
+ ln -s ../shorewallrc.gentoo ${MY_PN_IPV6}/shorewallrc.gentoo || die "Failed to symlink shorewallrc.gentoo"
+ cp "${FILESDIR}"/${MY_MAJOR_RELEASE_NUMBER}/shorewall6.confd "${S}"/${MY_PN_IPV6}/default.gentoo || die "Copying shorewall6.confd failed"
+ cp "${FILESDIR}"/${MY_MAJOR_RELEASE_NUMBER}/shorewall6.initd "${S}"/${MY_PN_IPV6}/init.gentoo.sh || die "Copying shorewall6.initd failed"
+ cp "${FILESDIR}"/${MY_MAJOR_RELEASE_NUMBER}/shorewall6.systemd-r1 "${S}"/${MY_PN_IPV6}/gentoo.service || die "Copying shorewall6.systemd failed"
+ eend 0
+ fi
+
+ # shorewall-lite
+ if use lite4; then
+ mv "${S}"/${MY_P_LITE4} "${S}"/${MY_PN_LITE4} || die "Failed to move '${S}/${MY_P_LITE4}' to '${S}/${MY_PN_LITE4}'"
+ ebegin "Applying Gentoo-specific changes to ${MY_P_LITE4}"
+ ln -s ../shorewallrc.gentoo ${MY_PN_LITE4}/shorewallrc.gentoo || die "Failed to symlink shorewallrc.gentoo"
+ cp "${FILESDIR}"/${MY_MAJOR_RELEASE_NUMBER}/shorewall-lite.confd "${S}"/${MY_PN_LITE4}/default.gentoo || die "Copying shorewall-lite.confd failed"
+ cp "${FILESDIR}"/${MY_MAJOR_RELEASE_NUMBER}/shorewall-lite.initd "${S}"/${MY_PN_LITE4}/init.gentoo.sh || die "Copying shorewall-lite.initd failed"
+ cp "${FILESDIR}"/${MY_MAJOR_RELEASE_NUMBER}/shorewall-lite.systemd-r1 "${S}"/${MY_PN_LITE4}/gentoo.service || die "Copying shorewall-lite.systemd failed"
+ eend 0
+ fi
+
+ # shorewall6-lite
+ if use lite6; then
+ mv "${S}"/${MY_P_LITE6} "${S}"/${MY_PN_LITE6} || die "Failed to move '${S}/${MY_P_LITE6}' to '${S}/${MY_PN_LITE6}'"
+ ebegin "Applying Gentoo-specific changes to ${MY_P_LITE6}"
+ ln -s ../shorewallrc.gentoo ${MY_PN_LITE6}/shorewallrc.gentoo || die "Failed to symlink shorewallrc.gentoo"
+ cp "${FILESDIR}"/${MY_MAJOR_RELEASE_NUMBER}/shorewall6-lite.confd "${S}"/${MY_PN_LITE6}/default.gentoo || die "Copying shorewall6-lite.confd failed"
+ cp "${FILESDIR}"/${MY_MAJOR_RELEASE_NUMBER}/shorewall6-lite.initd "${S}"/${MY_PN_LITE6}/init.gentoo.sh || die "Copying shorewall6-lite.initd failed"
+ cp "${FILESDIR}"/${MY_MAJOR_RELEASE_NUMBER}/shorewall6-lite.systemd-r1 "${S}"/${MY_PN_LITE6}/gentoo.service || die "Copying shorewall6-lite.systemd failed"
+ eend 0
+ fi
+
+ # shorewall-init
+ if use init; then
+ mv "${S}"/${MY_P_INIT} "${S}"/${MY_PN_INIT} || die "Failed to move '${S}/${MY_P_INIT}' to '${S}/${MY_PN_INIT}'"
+ ebegin "Applying Gentoo-specific changes to ${MY_P_INIT}"
+ ln -s ../shorewallrc.gentoo ${MY_PN_INIT}/shorewallrc.gentoo || die "Failed to symlink shorewallrc.gentoo"
+ cp "${FILESDIR}"/${MY_MAJOR_RELEASE_NUMBER}/shorewall-init.confd "${S}"/${MY_PN_INIT}/default.gentoo || die "Copying shorewall-init.confd failed"
+ cp "${FILESDIR}"/${MY_MAJOR_RELEASE_NUMBER}/shorewall-init.initd "${S}"/${MY_PN_INIT}/init.gentoo.sh || die "Copying shorewall-init.initd failed"
+ cp "${FILESDIR}"/${MY_MAJOR_RELEASE_NUMBER}/shorewall-init.systemd-r1 "${S}"/${MY_PN_INIT}/gentoo.service || die "Copying shorewall-init.systemd failed"
+ cp "${FILESDIR}"/${MY_MAJOR_RELEASE_NUMBER}/shorewall-init.readme "${S}"/${MY_PN_INIT}/shorewall-init.README.Gentoo.txt || die "Copying shorewall-init.systemd failed"
+ eend 0
+
+ eprefixify "${S}"/${MY_PN_INIT}/init.gentoo.sh
+
+ cd "${S}"/${MY_PN_INIT}
+ epatch "${FILESDIR}"/${MY_MAJOR_RELEASE_NUMBER}/shorewall-init-01_remove-ipset-functionality-r1.patch
+ cd "${S}"
+ fi
+
+ # shorewall-docs-html
+ if use doc; then
+ mv "${S}"/${MY_P_DOCS} "${S}"/${MY_PN_DOCS} || die "Failed to move '${S}/${MY_P_DOCS}' to '${S}/${MY_PN_DOCS}'"
+ fi
+
+ epatch_user
+}
+
+src_configure() {
+ :;
+}
+
+src_compile() {
+ :;
+}
+
+src_install() {
+ # shorewall-core
+ einfo "Installing ${MY_P_CORE} ..."
+ DESTDIR="${D%/}" ${MY_PN_CORE}/install.sh shorewallrc.gentoo || die "${MY_PN_CORE}/install.sh failed"
+ dodoc "${S}"/${MY_PN_CORE}/changelog.txt "${S}"/${MY_PN_CORE}/releasenotes.txt
+
+ # shorewall
+ if use ipv4; then
+ einfo "Installing ${MY_P_IPV4} ..."
+ keepdir /var/lib/shorewall
+ DESTDIR="${D%/}" ${MY_PN_IPV4}/install.sh shorewallrc.gentoo || die "${MY_PN_IPV4}/install.sh failed"
+
+ if use doc; then
+ dodoc -r "${S}"/${MY_PN_IPV4}/Samples
+ fi
+ fi
+
+ # shorewall6
+ if use ipv6; then
+ einfo "Installing ${MY_P_IPV6} ..."
+ keepdir /var/lib/shorewall6
+ DESTDIR="${D%/}" ${MY_PN_IPV6}/install.sh shorewallrc.gentoo || die "${MY_PN_IPV6}/install.sh failed"
+
+ if use doc; then
+ dodoc -r "${S}"/${MY_PN_IPV6}/Samples6
+ fi
+ fi
+
+ # shorewall-lite
+ if use lite4; then
+ einfo "Installing ${MY_P_LITE4} ..."
+ keepdir /var/lib/shorewall-lite
+ DESTDIR="${D%/}" ${MY_PN_LITE4}/install.sh shorewallrc.gentoo || die "${MY_PN_LITE4}/install.sh failed"
+ fi
+
+ # shorewall6-lite
+ if use lite6; then
+ einfo "Installing ${MY_P_LITE6} ..."
+ keepdir /var/lib/shorewall6-lite
+ DESTDIR="${D%/}" ${MY_PN_LITE6}/install.sh shorewallrc.gentoo || die "${MY_PN_LITE6}/install.sh failed"
+ fi
+
+ # shorewall-init
+ if use init; then
+ einfo "Installing ${MY_P_INIT} ..."
+ DESTDIR="${D%/}" ${MY_PN_INIT}/install.sh shorewallrc.gentoo || die "${MY_PN_INIT}/install.sh failed"
+ dodoc "${S}"/${MY_PN_INIT}/shorewall-init.README.Gentoo.txt
+
+ if [ -f "${D}etc/logrotate.d/shorewall-init" ]; then
+ # On Gentoo, shorewall-init will not create shorewall-ifupdown.log,
+ # so we don't need a logrotate configuration file for shorewall-init
+ einfo "Removing unused \"${D}etc/logrotate.d/shorewall-init\" ..."
+ rm -rf "${D}"etc/logrotate.d/shorewall-init || die "Removing \"${D}etc/logrotate.d/shorewall-init\" failed"
+ fi
+
+ if [ -d "${D}etc/NetworkManager" ]; then
+ # On Gentoo, we don't support NetworkManager
+ # so we don't need this folder at all
+ einfo "Removing unused \"${D}etc/NetworkManager\" ..."
+ rm -rf "${D}"etc/NetworkManager || die "Removing \"${D}etc/NetworkManager\" failed"
+ fi
+
+ if [ -f "${D}usr/share/shorewall-init/ifupdown" ]; then
+ # This script isn't supported on Gentoo
+ rm -rf "${D}"usr/share/shorewall-init/ifupdown || die "Removing \"${D}usr/share/shorewall-init/ifupdown\" failed"
+ fi
+ fi
+
+ if use doc; then
+ einfo "Installing ${MY_P_DOCS} ..."
+ dohtml -r "${S}"/${MY_PN_DOCS}
+ fi
+}
+
+pkg_postinst() {
+ if [[ -z "${REPLACING_VERSIONS}" ]]; then
+ # This is a new installation
+
+ # Show first steps for shorewall/shorewall6
+ local _PRODUCTS=""
+ if use ipv4; then
+ _PRODUCTS="shorewall"
+
+ if use ipv6; then
+ _PRODUCTS="${_PRODUCTS}/shorewall6"
+ fi
+ fi
+
+ if [[ -n "${_PRODUCTS}" ]]; then
+ elog "Before you can use ${_PRODUCTS}, you need to edit its configuration in:"
+ elog ""
+ elog " /etc/shorewall/shorewall.conf"
+
+ if use ipv6; then
+ elog " /etc/shorewall6/shorewall6.conf"
+ fi
+
+ elog ""
+ elog "To activate your shorewall-based firewall on system start, please add ${_PRODUCTS} to your default runlevel:"
+ elog ""
+ elog " # rc-update add shorewall default"
+
+ if use ipv6; then
+ elog " # rc-update add shorewall6 default"
+ fi
+ fi
+
+ # Show first steps for shorewall-lite/shorewall6-lite
+ _PRODUCTS=""
+ if use lite4; then
+ _PRODUCTS="shorewall-lite"
+ fi
+
+ if use lite6; then
+ if [[ -z "${_PRODUCTS}" ]]; then
+ _PRODUCTS="shorewall6-lite"
+ else
+ _PRODUCTS="${_PRODUCTS}/shorewall6-lite"
+ fi
+ fi
+
+ if [[ -n "${_PRODUCTS}" ]]; then
+ if use ipv4; then
+ elog ""
+ fi
+
+ elog "Before you can use ${_PRODUCTS}, you need to provide a configuration, which you can"
+ elog "create using ${CATEGORY}/shorewall (with \"ipv4\" and or \"ipv6\" USE flag)."
+ elog ""
+ elog "To read more about ${_PRODUCTS}, please visit"
+ elog " http://shorewall.net/CompiledPrograms.html"
+ elog ""
+ elog "To activate your shorewall-lite-based firewall on system start, please add ${PRODUCTS} to your default runlevel:"
+ elog ""
+
+ if use lite4; then
+ elog " # rc-update add shorewall-lite default"
+ fi
+
+ if use lite6; then
+ elog " # rc-update add shorewall6-lite default"
+ fi
+ fi
+
+ if use init; then
+ elog ""
+ elog "To secure your system on boot, please add shorewall-init to your boot runlevel:"
+ elog ""
+ elog " # rc-update add shorewall-init boot"
+ elog ""
+ elog "and review \$PRODUCTS in"
+ elog ""
+ elog " /etc/conf.d/shorewall-init"
+ fi
+
+ fi
+
+ if [[ -n "${REPLACING_VERSIONS}" && ${REPLACING_VERSIONS} < ${MY_MAJOR_RELEASE_NUMBER} ]]; then
+ # This is an upgrade
+
+ elog "You are upgrading from a previous major version. It is highly recommended that you read"
+ elog ""
+ elog " - /usr/share/doc/shorewall*/releasenotes.tx*"
+ elog " - http://shorewall.net/upgrade_issues.htm#idp8704902640"
+
+ if use ipv4; then
+ elog ""
+ elog "You can auto-migrate your configuration using"
+ elog ""
+ elog " # shorewall update -A"
+
+ if use ipv6; then
+ elog " # shorewall6 update -A"
+ fi
+
+ elog ""
+ elog "But if you are not familiar with the \"shorewall[6] update\" command,"
+ elog "please read the shorewall[6] man page first."
+ fi
+ fi
+
+ if ! use init; then
+ elog ""
+ elog "Consider emerging ${CATEGORY}/${PN} with USE flag \"init\" to secure your system on boot"
+ elog "before your shorewall-based firewall is ready to start."
+ elog ""
+ elog "To read more about shorewall-init, please visit"
+ elog " http://www.shorewall.net/Shorewall-init.html"
+ fi
+
+ if ! has_version "net-firewall/conntrack-tools"; then
+ elog ""
+ elog "Your Shorewall firewall can utilize \"conntrack\" from the \"net-firewall/conntrack-tools\""
+ elog "package. if you want to use this feature, you need to install \"net-firewall/conntrack-tools\"!"
+ fi
+}
diff --git a/net-firewall/shorewall/shorewall-4.6.11.ebuild b/net-firewall/shorewall/shorewall-4.6.11.ebuild
new file mode 100644
index 000000000000..992829cb5b78
--- /dev/null
+++ b/net-firewall/shorewall/shorewall-4.6.11.ebuild
@@ -0,0 +1,442 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="5"
+
+inherit eutils linux-info prefix systemd versionator
+
+DESCRIPTION='The Shoreline Firewall, commonly known as Shorewall, is'
+DESCRIPTION+=' a high-level tool for configuring Netfilter'
+HOMEPAGE="http://www.shorewall.net/"
+LICENSE="GPL-2"
+SLOT="0"
+IUSE="doc +init +ipv4 ipv6 lite4 lite6"
+
+MY_PV=${PV/_rc/-RC}
+MY_PV=${MY_PV/_beta/-Beta}
+MY_P=${PN}-${MY_PV}
+
+MY_MAJOR_RELEASE_NUMBER=$(get_version_component_range 1-2)
+MY_MAJORMINOR_RELEASE_NUMBER=$(get_version_component_range 1-3)
+
+# shorewall
+MY_PN_IPV4=Shorewall
+MY_P_IPV4=${MY_PN_IPV4/#S/s}-${MY_PV}
+
+# shorewall6
+MY_PN_IPV6=Shorewall6
+MY_P_IPV6=${MY_PN_IPV6/#S/s}-${MY_PV}
+
+# shorewall-lite
+MY_PN_LITE4=Shorewall-lite
+MY_P_LITE4=${MY_PN_LITE4/#S/s}-${MY_PV}
+
+# shorewall6-lite
+MY_PN_LITE6=Shorewall6-lite
+MY_P_LITE6=${MY_PN_LITE6/#S/s}-${MY_PV}
+
+# shorewall-init
+MY_PN_INIT=Shorewall-init
+MY_P_INIT=${MY_PN_INIT/#S/s}-${MY_PV}
+
+# shorewall-core
+MY_PN_CORE=Shorewall-core
+MY_P_CORE=${MY_PN_CORE/#S/s}-${MY_PV}
+
+# shorewall-docs-html
+MY_PN_DOCS=Shorewall-docs-html
+MY_P_DOCS=${MY_PN_DOCS/#S/s}-${MY_PV}
+
+# Upstream URL schema:
+# Beta: $MIRROR/pub/shorewall/development/4.6/shorewall-4.6.4-Beta2/shorewall-4.6.4-Beta2.tar.bz2
+# RC: $MIRROR/pub/shorewall/development/4.6/shorewall-4.6.4-RC1/shorewall-4.6.4-RC1.tar.bz2
+# Release: $MIRROR/pub/shorewall/4.6/shorewall-4.6.3/shorewall-4.6.3.3.tar.bz2
+
+MY_URL_PREFIX=
+MY_URL_SUFFIX=
+if [[ ${MY_PV} = *-Beta* ]] || [[ ${MY_PV} = *-RC* ]]; then
+ MY_URL_PREFIX='development/'
+
+ _tmp_last_index=$(($(get_last_version_component_index ${MY_PV})+1))
+ _tmp_suffix=$(get_version_component_range ${_tmp_last_index} ${MY_PV})
+ if [[ ${_tmp_suffix} = *Beta* ]] || [[ ${_tmp_suffix} = *RC* ]]; then
+ MY_URL_SUFFIX="-${_tmp_suffix}"
+ fi
+
+ # Cleaning up temporary variables
+ unset _tmp_last_index
+ unset _tmp_suffix
+else
+ KEYWORDS="~alpha ~amd64 ~hppa ~ppc ~ppc64 ~sparc ~x86"
+fi
+
+SRC_URI="
+ http://www.shorewall.net/pub/shorewall/${MY_URL_PREFIX}${MY_MAJOR_RELEASE_NUMBER}/shorewall-${MY_MAJORMINOR_RELEASE_NUMBER}${MY_URL_SUFFIX}/shorewall-core-${MY_PV}.tar.bz2
+ ipv4? ( http://www.shorewall.net/pub/shorewall/${MY_URL_PREFIX}${MY_MAJOR_RELEASE_NUMBER}/shorewall-${MY_MAJORMINOR_RELEASE_NUMBER}${MY_URL_SUFFIX}/shorewall-${MY_PV}.tar.bz2 )
+ ipv6? ( http://www.shorewall.net/pub/shorewall/${MY_URL_PREFIX}${MY_MAJOR_RELEASE_NUMBER}/shorewall-${MY_MAJORMINOR_RELEASE_NUMBER}${MY_URL_SUFFIX}/shorewall6-${MY_PV}.tar.bz2 )
+ lite4? ( http://www.shorewall.net/pub/shorewall/${MY_URL_PREFIX}${MY_MAJOR_RELEASE_NUMBER}/shorewall-${MY_MAJORMINOR_RELEASE_NUMBER}${MY_URL_SUFFIX}/shorewall-lite-${MY_PV}.tar.bz2 )
+ lite6? ( http://www.shorewall.net/pub/shorewall/${MY_URL_PREFIX}${MY_MAJOR_RELEASE_NUMBER}/shorewall-${MY_MAJORMINOR_RELEASE_NUMBER}${MY_URL_SUFFIX}/shorewall6-lite-${MY_PV}.tar.bz2 )
+ init? ( http://www.shorewall.net/pub/shorewall/${MY_URL_PREFIX}${MY_MAJOR_RELEASE_NUMBER}/shorewall-${MY_MAJORMINOR_RELEASE_NUMBER}${MY_URL_SUFFIX}/shorewall-init-${MY_PV}.tar.bz2 )
+ doc? ( http://www.shorewall.net/pub/shorewall/${MY_URL_PREFIX}${MY_MAJOR_RELEASE_NUMBER}/shorewall-${MY_MAJORMINOR_RELEASE_NUMBER}${MY_URL_SUFFIX}/${MY_P_DOCS}.tar.bz2 )
+"
+
+# - Shorewall6 requires Shorewall
+# - Installing Shorewall-init or just the documentation doesn't make any sense,