
Doug Freed committed 4903c06

net-firewall/nftables: new ebuild

Package-Manager: portage-2.2.8-r1

  • Parent commits b1623e0


Files changed (6)

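--- /dev/null
+++ b/net-firewall/nftables/Manifest
@@ -0,0 +1,6 @@
+AUX nftables-0.099-94300c7.patch 723 SHA256 bc96ade3b8e9936118e03d26dbde196d95168934d2dae15d027db59e521653c0 SHA512 abc8c45124a0326c0067f5bbee50f6d0def7e0eba4473751ee431f49541cb48fbae7c5fefddfc62d0a2256d7e60ce78ec6777c170039881595149b029f892d38 WHIRLPOOL f6472b3edce3d59d26ea7e1343d86a7f92a39b4c45095bec277157c7d7aa8dc7493e323b1aaa6c6b69b5b76e1b808dbb5da505d1b34b7bfc8014c0bb5991bd5a
+AUX nftables.8 9645 SHA256 bec3d7dcdc424691269852c9c322bb6ad770b6cfec4939920e32fa67ca8caac2 SHA512 aaf74c4bf0a854f3993b7ed5b9cecd436baa0bfc6b5ff119574d45c2504e5e772fc7cf41e1108b7f9cc013132c0bc0a86c6262cbfa870e639ad40ae93e25e4dc WHIRLPOOL e1c082fc3a56a9a0eb4782dfd9253857668052025d471e5124fc836246bc33b794f6d2293c46e2d5b0d8d1761b454ec8c21eb627ed95e97f07fe47f704dcdae2
+DIST nftables-0.099.tar.bz2 129351 SHA256 1a9e5f9e4d4790d69537c4d228676edc41a0890aea394e38233c351f694bf306 SHA512 5d54e1ca47544527768192776e3846254ff9af8aaa14bd6b3e2942deeedf424e62b9e1b68ab750c475ec1b2ddcf366e8a6c8ea79ad7319e8e2911890e270a2aa WHIRLPOOL 6f63be1c597719d10aade0d6c0fc3ec0a7320b960fa158d3cfbcc932b0057df2f12c3190d9e35cd29bf8c17c4c99bafbd175505ca617d740d9002dc8ac844e80
+EBUILD nftables-0.099.ebuild 1051 SHA256 f947819f581fb32cab5ae4b71236a0309c0b4cedf00e3185c7e2f0af13af4798 SHA512 606039809f7694136ea20a4b853401240098c51ebae0e7afc6480ff715cd3547258cc71d1569a702ebbd34fb7731b1cb11c4f7cb22c90af9fe4aa711215b1b18 WHIRLPOOL 45a68fa4cf01a026c8f64998798f4e934293e72200fe57124511ace71bc16a83626165042ff886db0acb39699636764e86171e0ae6ae1d5c5f9a6a27b5822466
+EBUILD nftables-9999.ebuild 993 SHA256 d20ee22e6ab145650c18b3a6c40bac5adf706fe445d91c8b431be6af435e11eb SHA512 5c19fdf8cb92f6abe877b382066bfe29ab259358d0a501e8e0705f745eda2ae9978de3dc00921886a8166d94feaa9339da9daa99b6cec73ffe3fdda6895b5e03 WHIRLPOOL 57b883890527b656a8cc317cff79344c7c81b9e6842619fb92668f90c2baa22803d1843a3027c4bf171d05957fb89270552408ed98d1e609668bea988a581668
+MISC metadata.xml 230 SHA256 9743c56a1fbbf8bffe2d70202967fded87ca580eae54dda6600fb2596437fd3e SHA512 fca99aacdee7e88c2de42e0fe65d4bdebba613f1e37b618595276e46a68742bc8882d788a146442335901a02b1147195650cd08ead209533efaff199e18c82e7 WHIRLPOOL 68f1274472f5663815a50fe6d2b34c683c595dffb269266546f67409614c16b68baf7b9116ab777b3af420cb8bf3e965b0ded55d31b26b9bc1e41854534548de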

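--- /dev/null
+++ b/net-firewall/nftables/files/nftables-0.099-94300c7.patch
@@ -0,0 +1,22 @@
+From 94300c75fc3e113009e68e2ab9db91c31e99e9f4 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Mon, 20 Jan 2014 14:02:50 +0000
+Subject: build: use libnftnl instead of libnftables in configure.in
+
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+diff --git a/configure.ac b/configure.ac
+index b38295f..9f0d894 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -53,7 +53,7 @@ fi
+ AC_CHECK_LIB([mnl], [mnl_socket_open], ,
+ 	     AC_MSG_ERROR([No suitable version of libmnl found]))
+ 
+-AC_CHECK_LIB([nftables], [nft_rule_alloc], ,
++AC_CHECK_LIB([nftnl], [nft_rule_alloc], ,
+ 	     AC_MSG_ERROR([No suitable version of libnftnl found]))
+ 
+ AC_CHECK_LIB([gmp], [__gmpz_init], ,
+--
+cgit v0.9.2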

File net-firewall/nftables/files/nftables.8

+'\" t -*- coding: us-ascii -*-
+.if \n(.g .ds T< \\FC
+.if \n(.g .ds T> \\F[\n[.fam]]
+.de URL
+\\$2 \(la\\$1\(ra\\$3
+..
+.if \n(.g .mso www.tmac
+.TH nftables 8 "22 January 2014" "" ""
+.SH NAME
+nftables \- Administration tool for packet filtering and classification 
+.SH SYNOPSIS
+'nh
+.fi
+.ad l
+\fBnftables\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+[
+\fB-n/--numeric\fR
+] [
+\fB-I/--includepath\fR
+\fIdirectory\fR
+] [
+\fB-f/--file\fR
+\fIfilename\fR
+| 
+\fB-i/--interactive\fR
+| 
+\fIcmd\fR
+\&...]
+'in \n(.iu-\nxu
+.ad b
+'hy
+'nh
+.fi
+.ad l
+\fBnftables\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+[
+\fB-h/--help\fR
+] [
+\fB-v/--version\fR
+]
+'in \n(.iu-\nxu
+.ad b
+'hy
+.SH DESCRIPTION
+nftables is used to set up, maintain and inspect packet
+filtering and classification rules in the Linux kernel.
+.SH OPTIONS
+For a full summary of options, run \fBnftables --help\fR.
+.TP 
+\*(T<\fB\-h/\-\-help\fR\*(T>
+Show help message and all options.
+.TP 
+\*(T<\fB\-v/\-\-version\fR\*(T>
+Show version.
+.TP 
+\*(T<\fB\-n/\-\-numeric\fR\*(T>
+Numeric output: IP addresses and other information
+that might need network traffic to resolve to symbolic names
+are shown numerically.
+.TP 
+\*(T<\fB\-I/\-\-includepath \fR\*(T>\fIdirectory\fR
+Add the directory \fIdirectory\fR to the list of directories to by searched for included files.
+.TP 
+\*(T<\fB\-f/\-\-file \fR\*(T>\fIfilename\fR
+Read input from \fIfilename\fR.
+.TP 
+\*(T<\fB\-i/\-\-interactive\fR\*(T>
+Read input from an interactive readline CLI.
+.SH "INPUT FILE FORMAT"
+Input is parsed line-wise. When the last character of a line just before
+the newline character is a non-quoted backslash (\*(T<\e\*(T>),
+the newline is treated as a line continuation.
+.PP
+A \*(T<#\*(T> begins a comment. All following characters on
+the same line are ignored.
+.PP
+Other files can be included by using
+\fBinclude "\fIfilename\fB"\fR.
+.SH TABLES
+'nh
+.fi
+.ad l
+{add | delete | list | flush} \fBtable\fR [\fIfamily\fR] {\fItable\fR}
+.ad b
+'hy
+.PP
+Tables are containers for chains. They are identified by their family
+and their name. The family must be one of
+\*(T<ip\*(T>, \*(T<ip6\*(T>, \*(T<arp\*(T>, \*(T<bridge\*(T>.
+When no family is specified, \*(T<ip\*(T> is used by default.
+.TP 
+\*(T<\fBadd\fR\*(T>
+Add a new table for the given family with the given name.
+.TP 
+\*(T<\fBdelete\fR\*(T>
+Delete the specified table.
+.TP 
+\*(T<\fBlist\fR\*(T>
+List all chains and rules of the specified table.
+.TP 
+\*(T<\fBflush\fR\*(T>
+Flush all chains and rules of the specified table.
+.SH CHAINS
+'nh
+.fi
+.ad l
+{add} \fBchain\fR [\fIfamily\fR] {\fItable\fR} {\fIchain\fR} {\fIhook\fR} {\fIpriority\fR}
+.ad b
+'hy
+'nh
+.fi
+.ad l
+{add | delete | list | flush} \fBchain\fR [\fIfamily\fR] {\fItable\fR} {\fIchain\fR}
+.ad b
+'hy
+.PP
+Chains are containers for rules. They exist in two kinds,
+basechains and regular chains. A basecase is an entry point for
+packets from the networking stack, a regular chain may be used
+as jump target and is used for better rule organization.
+.TP 
+\*(T<\fBadd\fR\*(T>
+Add a new chain in the specified table. When a hook and priority
+value are specified, the chain is created as a base chain and hooked
+up to the networking stack.
+.TP 
+\*(T<\fBdelete\fR\*(T>
+Delete the specified chain.
+.TP 
+\*(T<\fBlist\fR\*(T>
+List all rules of the specified chain.
+.TP 
+\*(T<\fBflush\fR\*(T>
+Flush all rules of the specified chain.
+.SH RULES
+'nh
+.fi
+.ad l
+{add | delete} \fBrule\fR [\fIfamily\fR] {\fItable\fR} {\fIchain\fR} [handle \fIhandle\fR] {\fIstatement\fR}\&...
+.ad b
+'hy
+.PP
+Rules are constructed from two kinds of components according to a set
+of rules: expressions and statements. The lowest order expression is a
+primary expression, representing either a constant or a single datum
+from a packets payload, meta data or a stateful module. Primary expressions
+can be used as arguments to relational expressions (equality,
+set membership, ...) to construct match expressions.
+.SH "PRIMARY EXPRESSIONS"
+.SS "META EXPRESSIONS"
+A meta expression refers to meta data associated with a packet.
+.PP
+\fBMeta expressions\fR
+.TS
+allbox ;
+l | l | l.
+T{
+Keyword
+T}	T{
+Description
+T}	T{
+Type
+T}
+.T&
+l | l | l.
+T{
+length
+T}	T{
+Length of the packet in bytes
+T}	T{
+Numeric (32 bit)
+T}
+T{
+protocol
+T}	T{
+Ethertype protocol value
+T}	T{
+ethertype
+T}
+T{
+priority
+T}	T{
+TC packet priority
+T}	T{
+Numeric (32 bit)
+T}
+T{
+mark
+T}	T{
+Packet mark
+T}	T{
+packetmark
+T}
+T{
+iif
+T}	T{
+Input interface index
+T}	T{
+ifindex
+T}
+T{
+iifname
+T}	T{
+Input interface name
+T}	T{
+ifname
+T}
+T{
+iiftype
+T}	T{
+Input interface hardware type
+T}	T{
+hwtype
+T}
+T{
+oif
+T}	T{
+Output interface index
+T}	T{
+ifindex
+T}
+T{
+oifname
+T}	T{
+Output interface name
+T}	T{
+ifname
+T}
+T{
+oiftype
+T}	T{
+Output interface hardware type
+T}	T{
+hwtype
+T}
+T{
+skuid
+T}	T{
+UID associated with originating socket
+T}	T{
+uid
+T}
+T{
+skgid
+T}	T{
+GID associated with originating socket
+T}	T{
+gid
+T}
+T{
+rtclassid
+T}	T{
+Routing realm
+T}	T{
+realm
+T}
+.TE
+.PP
+\fBMeta expression specific types\fR
+.TS
+allbox ;
+l | l.
+T{
+Type
+T}	T{
+Description
+T}
+.T&
+l | l.
+T{
+ifindex
+T}	T{
+Interface index (32 bit number). Can be specified numerically
+or as name of an existing interface.
+T}
+T{
+ifname
+T}	T{
+Interface name (16 byte string). Does not have to exist.
+T}
+T{
+uid
+T}	T{
+User ID (32 bit number). Can be specified numerically or as
+user name.
+T}
+T{
+gid
+T}	T{
+Group ID (32 bit number). Can be specified numerically or as
+group name.
+T}
+T{
+realm
+T}	T{
+Routing Realm (32 bit number). Can be specified numerically
+or as symbolic name defined in /etc/iproute2/rt_realms.
+T}
+.TE
+.SS "PAYLOAD EXPRESSIONS"
+\fBEthernet header expression\fR
+.TS
+allbox ;
+l | l.
+T{
+Keyword
+T}	T{
+Description
+T}
+.T&
+l | l
+l | l
+l | l.
+T{
+daddr
+T}	T{
+Destination address
+T}
+T{
+saddr
+T}	T{
+Source address
+T}
+T{
+type
+T}	T{
+EtherType
+T}
+.TE
+.PP
+\fBVLAN header expression\fR
+.TS
+allbox ;
+l | l.
+T{
+Keyword
+T}	T{
+Description
+T}
+.T&
+l | l.
+T{
+id
+T}	T{
+VLAN ID (VID)
+T}
+T{
+cfi
+T}	T{
+Canonical Format Indicator
+T}
+T{
+pcp
+T}	T{
+Priority code point
+T}
+T{
+type
+T}	T{
+EtherType
+T}
+.TE
+.PP
+\fBARP header expression\fR
+.TS
+allbox ;
+l | l.
+T{
+Keyword
+T}	T{
+Description
+T}
+.T&
+l | l.
+T{
+htype
+T}	T{
+ARP hardware type
+T}
+T{
+ptype
+T}	T{
+EtherType
+T}
+T{
+hlen
+T}	T{
+Hardware address len
+T}
+T{
+plen
+T}	T{
+Protocol address len
+T}
+T{
+op
+T}	T{
+Operation
+T}
+.TE
+.PP
+\fBIPv4 header expression\fR
+.TS
+allbox ;
+l | l.
+T{
+Keyword
+T}	T{
+Description
+T}
+.T&
+l | l.
+T{
+version
+T}	T{
+IP header version (4)
+T}
+T{
+hdrlength
+T}	T{
+IP header length including options
+T}
+T{
+tos
+T}	T{
+Type Of Service
+T}
+T{
+length
+T}	T{
+Total packet length
+T}
+T{
+id
+T}	T{
+IP ID
+T}
+T{
+frag-off
+T}	T{
+Fragment offset
+T}
+T{
+ttl
+T}	T{
+Time to live
+T}
+T{
+protocol
+T}	T{
+Upper layer protocol
+T}
+T{
+checksum
+T}	T{
+IP header checksum
+T}
+T{
+saddr
+T}	T{
+Source address
+T}
+T{
+daddr
+T}	T{
+Destination address
+T}
+.TE
+.PP
+\fBIPv6 header expression\fR
+.TS
+allbox ;
+l | l.
+T{
+Keyword
+T}	T{
+Description
+T}
+.T&
+l | l.
+T{
+version
+T}	T{
+IP header version (6)
+T}
+T{
+priority
+T}	T{
+T}
+T{
+flowlabel
+T}	T{
+T}
+T{
+length
+T}	T{
+T}
+T{
+nexthdr
+T}	T{
+Nexthdr protocol
+T}
+T{
+hoplimit
+T}	T{
+T}
+T{
+saddr
+T}	T{
+Source address
+T}
+T{
+daddr
+T}	T{
+Destination address
+T}
+.TE
+.PP
+\fBSCTP header expression\fR
+.TS
+allbox ;
+l | l.
+T{
+Keyword
+T}	T{
+Description
+T}
+.T&
+l | l.
+T{
+sport
+T}	T{
+Source port
+T}
+T{
+dport
+T}	T{
+Destination port
+T}
+T{
+vtag
+T}	T{
+Verfication Tag
+T}
+T{
+checksum
+T}	T{
+Checksum
+T}
+.TE
+.PP
+\fBDCCP header expression\fR
+.TS
+allbox ;
+l | l.
+T{
+Keyword
+T}	T{
+Description
+T}
+.T&
+l | l
+l | l.
+T{
+sport
+T}	T{
+Source port
+T}
+T{
+dport
+T}	T{
+Destination port
+T}
+.TE
+.PP
+\fBTCP header expression\fR
+.TS
+allbox ;
+l | l.
+T{
+Keyword
+T}	T{
+Description
+T}
+.T&
+l | l.
+T{
+sport
+T}	T{
+Source port
+T}
+T{
+dport
+T}	T{
+Destination port
+T}
+T{
+sequence
+T}	T{
+Sequence number
+T}
+T{
+ackseq
+T}	T{
+Acknowledgement number
+T}
+T{
+doff
+T}	T{
+Data offset
+T}
+T{
+reserved
+T}	T{
+Reserved area
+T}
+T{
+flags
+T}	T{
+TCP flags
+T}
+T{
+window
+T}	T{
+Window
+T}
+T{
+checksum
+T}	T{
+Checksum
+T}
+T{
+urgptr
+T}	T{
+Urgent pointer
+T}
+.TE
+.PP
+\fBUDP header expression\fR
+.TS
+allbox ;
+l | l.
+T{
+Keyword
+T}	T{
+Description
+T}
+.T&
+l | l.
+T{
+sport
+T}	T{
+Source port
+T}
+T{
+dport
+T}	T{
+Destination port
+T}
+T{
+length
+T}	T{
+Total packet length
+T}
+T{
+checksum
+T}	T{
+Checksum
+T}
+.TE
+.PP
+\fBUDP-Lite header expression\fR
+.TS
+allbox ;
+l | l.
+T{
+Keyword
+T}	T{
+Description
+T}
+.T&
+l | l.
+T{
+sport
+T}	T{
+Source port
+T}
+T{
+dport
+T}	T{
+Destination port
+T}
+T{
+cscov
+T}	T{
+Checksum coverage
+T}
+T{
+checksum
+T}	T{
+Checksum
+T}
+.TE
+.PP
+\fBAH header expression\fR
+.TS
+allbox ;
+l | l.
+T{
+Keyword
+T}	T{
+Description
+T}
+.T&
+l | l.
+T{
+nexthdr
+T}	T{
+Next header protocol
+T}
+T{
+hdrlength
+T}	T{
+AH Header length
+T}
+T{
+reserved
+T}	T{
+Reserved area
+T}
+T{
+spi
+T}	T{
+Security Parameter Index
+T}
+T{
+sequence
+T}	T{
+Sequence number
+T}
+.TE
+.PP
+\fBESP header expression\fR
+.TS
+allbox ;
+l | l.
+T{
+Keyword
+T}	T{
+Description
+T}
+.T&
+l | l
+l | l.
+T{
+spi
+T}	T{
+Security Parameter Index
+T}
+T{
+sequence
+T}	T{
+Sequence number
+T}
+.TE
+.PP
+\fBIPComp header expression\fR
+.TS
+allbox ;
+l | l.
+T{
+Keyword
+T}	T{
+Description
+T}
+.T&
+l | l
+l | l
+l | l.
+T{
+nexthdr
+T}	T{
+Next header protocol
+T}
+T{
+flags
+T}	T{
+Flags
+T}
+T{
+cfi
+T}	T{
+Compression Parameter Index
+T}
+.TE
+.SH "EXIT STATUS"
+On success, nftables exits with a status of 0. Unspecified
+errors cause it to exit with a status of 1, memory allocation
+errors with a status of 2.
+.SH "SEE ALSO"
+iptables(8), ip6tables(8), arptables(8), ebtables(8), ip(8), tc(8)
+.SH AUTHORS
+nftables was written by Patrick McHardy.
+.SH COPYRIGHT
+Copyright \(co 2008 Patrick McHardy <\*(T<kaber@trash.net\*(T>>
+.PP
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 2 as
+published by the Free Software Foundation.

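--- /dev/null
+++ b/net-firewall/nftables/metadata.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+  <maintainer>
+    <email>dwfreed@mtu.edu</email>
+    <name>dwfreed</name>
+  </maintainer>
+</pkgmetadata>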

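--- /dev/null
+++ b/net-firewall/nftables/nftables-0.099.ebuild
@@ -0,0 +1,51 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: $
+
+EAPI=5
+
+inherit autotools linux-info
+
+DESCRIPTION="Linux kernel (3.13+) firewall, NAT and packet mangling tools"
+HOMEPAGE="http://netfilter.org/projects/nftables/"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="amd64 x86"
+IUSE="debug"
+SRC_URI="http://netfilter.org/projects/${PN}/files/${P}.tar.bz2"
+
+COMMON_DEPEND="net-libs/libmnl
+		>=net-libs/libnftnl-1.0.0-r2
+		dev-libs/gmp
+		sys-libs/readline"
+# Upstream checks specifically for bison
+DEPEND="sys-devel/bison
+		sys-devel/flex
+		${COMMON_DEPEND}"
+RDEPEND="${COMMON_DEPEND}"
+
+pkg_setup() {
+	if kernel_is ge 3 13; then
+		CONFIG_CHECK="~NF_TABLES"
+		linux-info_pkg_setup
+	else
+		eerror "This package requires kernel version 3.13 or newer to work properly."
+	fi
+}
+
+src_prepare() {
+	epatch "${FILESDIR}"/nftables-0.099-94300c7.patch
+	eautoreconf
+}
+
+src_configure() {
+	econf \
+		--sbindir="${EPREFIX}"/sbin \
+		$(use_enable debug)
+}
+
+src_install() {
+	default
+	doman "${FILESDIR}"/nftables.8
+}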
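Review bot: The else branch of pkg_setup only calls `eerror` and then returns normally, so on a kernel older than 3.13 the merge proceeds anyway and the NF_TABLES CONFIG_CHECK is never run — an error-level message with no effect on the build. Because kernel_is inspects the build host's configured kernel sources, which need not be the kernel the package will run under, the advisory level is probably the right one: change the line to `ewarn "This package requires kernel version 3.13 or newer to work properly."` and run `CONFIG_CHECK="~NF_TABLES"` / `linux-info_pkg_setup` unconditionally, since the `~` prefix already makes a missing option a warning rather than a failure. If the intent was instead to refuse to build, append `die` after the message. The identical branch is in pkg_setup of nftables-9999.ebuild further down.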

File net-firewall/nftables/nftables-9999.ebuild

+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: $
+
+EAPI=5
+EGIT_REPO_URI="git://git.netfilter.org/${PN}"
+
+inherit autotools git-r3 linux-info
+
+DESCRIPTION="Linux kernel (3.13+) firewall, NAT and packet mangling tools"
+HOMEPAGE="http://netfilter.org/projects/nftables/"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+IUSE="debug"
+
+COMMON_DEPEND="net-libs/libmnl
+		>=net-libs/libnftnl-1.0.0-r2
+		dev-libs/gmp
+		sys-libs/readline"
+# Upstream checks specifically for bison
+DEPEND="sys-devel/bison
+		sys-devel/flex
+		>=app-text/docbook2X-0.8.8-r4
+		app-text/docbook-xml-dtd:4.5
+		${COMMON_DEPEND}"
+RDEPEND="${COMMON_DEPEND}"
+
+pkg_setup() {
+	if kernel_is ge 3 13; then
+		CONFIG_CHECK="~NF_TABLES"
+		linux-info_pkg_setup
+	else
+		eerror "This package requires kernel version 3.13 or newer to work properly."
+	fi
+}
+
+src_prepare() {
+	eautoreconf
+}
+
+src_configure() {
+	econf \
+		--sbindir="${EPREFIX}"/sbin \
+		$(use_enable debug)
+}