net-firewall/nftables: fix redefinition of ethhdr

net-firewall/nftables/Manifest

@@ -0,0 +1,4 @@
+DIST nftables-1.1.1.tar.xz 989700 BLAKE2B f273c78369ba755049c6afa63eba195cf29f926fa8fc9bf344022904c00a8c6c4259cc5093e23993a55fd25790af575305df79a7c28624fa7082661b2eed70d0 SHA512 676413d4adadffb15d52c1f8f6432636cab83a7bcda1a18d9f0e6b58819a2c027a49922588c02bd9ad386de930eaa697bfe74c0938b595bf1ee485bfa7cf2e50
+DIST nftables-1.1.1.tar.xz.sig 566 BLAKE2B b7debda3373972f69af9b4b23e1b66a8fd156440187aafba605bb7342c267207e5aa628256e96432ebd4583a6a9436e1969a33636111d2bd8d57185a01e2d502 SHA512 fc23034c512f686167203e827ff2a8f7cb64530211ce92a28793bd49577ce3bf519ffbe910b0071cb21925898497cb5cbf70121c68bfcdbfa4460c63a14203ac
+DIST nftables-1.1.3.tar.xz 990172 BLAKE2B 35f4ece6c27b29a14bc71bb7893971134950509a713e84453e1f87df6b07cda327314d6dbbf048032a047652b8817f8ee8a5d74a56e356088495edd1dbbed000 SHA512 b5c244cb6db73eb232e5c999e07403b60c543efb9c4b9991838cc9c43a1bd08ca7b2926233536cbb0cc66e2a9acc4fbddc4b5565f5665e753c107a8739a86040
+DIST nftables-1.1.3.tar.xz.sig 566 BLAKE2B 4f0e9c89213b46d3445a729bf96b1790adc53725f31134f9028297e99d83ac43f5094f9cfa0efee903dc691781dd5d67a814583ff1c645776f1a46266dc2681f SHA512 7aa972c146e0dfaacc8faaef9b9ebbe419f7cbc5814d1fb978b35a4972d384aabe2e6e053fefc6d5d042acb9bff5f35e5f97cbee0c4a0152c53ab9c2e5b0335f

net-firewall/nftables/files/libexec/nftables-mk.sh

@@ -0,0 +1,60 @@
+#!/bin/sh
+
+main() {
+	local NFTABLES_SAVE=${2:-'/var/lib/nftables/rules-save'}
+	case "$1" in
+		"check")
+			nft -c -f "${NFTABLES_SAVE}"
+		;;
+		"clear")
+			nft flush ruleset
+		;;
+		"list")
+			nft ${SAVE_OPTIONS} list ruleset
+		;;
+		"load")
+			# We use an include because cat fails with long rulesets see #675188
+			printf 'flush ruleset\ninclude "%s"\n' "${NFTABLES_SAVE}" | nft -f -
+		;;
+		"panic")
+			panic hard | nft -f -
+		;;
+		"soft_panic")
+			panic soft | nft -f -
+		;;
+		"store")
+			local tmp_save="${NFTABLES_SAVE}.tmp"
+			umask 177
+			(
+				printf '#!/sbin/nft -f\nflush ruleset\n'
+				nft ${SAVE_OPTIONS} list ruleset
+			) > "$tmp_save" && mv ${tmp_save} ${NFTABLES_SAVE}
+		;;
+	esac
+}
+
+panic() {
+	local erule;
+	[ "$1" = soft ] && erule="ct state established,related accept;" || erule="";
+	cat <<EOF
+flush ruleset
+table inet filter {
+	chain input {
+		type filter hook input priority 0;
+		$erule
+		drop
+	}
+	chain forward {
+		type filter hook forward priority 0;
+		drop
+	}
+	chain output {
+		type filter hook output priority 0;
+		$erule
+		drop
+	}
+}
+EOF
+}
+
+main "$@"

net-firewall/nftables/files/libexec/nftables.sh

@@ -0,0 +1,150 @@
+#! /bin/sh
+
+main() {
+    local NFTABLES_SAVE=${2:-'/var/lib/nftables/rules-save'}
+    local retval
+    case "$1" in
+        "clear")
+            if ! use_legacy; then
+                nft flush ruleset
+            else
+                clear_legacy
+            fi
+            retval=$?
+        ;;
+        "list")
+            if ! use_legacy; then
+                nft list ruleset
+            else
+                list_legacy
+            fi
+            retval=$?
+        ;;
+        "load")
+            nft -f ${NFTABLES_SAVE}
+            retval=$?
+        ;;
+        "store")
+            umask 177
+            local tmp_save="${NFTABLES_SAVE}.tmp"
+            if ! use_legacy; then
+                nft ${SAVE_OPTIONS} list ruleset > ${tmp_save}
+            else
+                save_legacy ${tmp_save}
+            fi
+            retval=$?
+            if [ ${retval} ]; then
+                mv ${tmp_save} ${NFTABLES_SAVE}
+            fi
+        ;;
+    esac
+    return ${retval}
+}
+
+clear_legacy() {
+    local l3f line table chain first_line
+
+    first_line=1
+    if manualwalk; then
+        for l3f in $(getfamilies); do
+            nft list tables ${l3f} | while read line; do
+                table=$(echo ${line} | sed "s/table[ \t]*//")
+                deletetable ${l3f} ${table}
+            done
+        done
+    else
+        nft list tables | while read line; do
+            l3f=$(echo ${line} | cut -d ' ' -f2)
+            table=$(echo ${line} | cut -d ' ' -f3)
+            deletetable ${l3f} ${table}
+        done
+    fi
+}
+
+list_legacy() {
+    local l3f
+
+    if manualwalk; then
+        for l3f in $(getfamilies); do
+            nft list tables ${l3f} | while read line; do
+                line=$(echo ${line} | sed "s/table/table ${l3f}/")
+                echo "$(nft list ${line})"
+            done
+        done
+    else
+        nft list tables | while read line; do
+            echo "$(nft list ${line})"
+        done
+    fi
+}
+
+save_legacy() {
+    tmp_save=$1
+    touch "${tmp_save}"
+    if manualwalk; then
+        for l3f in $(getfamilies); do
+            nft list tables ${l3f} | while read line; do
+                line=$(echo ${line} | sed "s/table/table ${l3f}/")
+                nft ${SAVE_OPTIONS} list ${line} >> ${tmp_save}
+            done
+        done
+    else
+        nft list tables | while read line; do
+            nft ${SAVE_OPTIONS} list ${line} >> "${tmp_save}"
+        done
+    fi
+}
+
+use_legacy() {
+    local major_ver minor_ver
+
+    major_ver=$(uname -r | cut -d '.' -f1)
+    minor_ver=$(uname -r | cut -d '.' -f2)
+
+    [ $major_ver -ge 4 -o $major_ver -eq 3 -a $minor_ver -ge 18 ] && return 1
+    return 0
+}
+
+CHECK_TABLE_NAME="GENTOO_CHECK_TABLE"
+
+getfamilies() {
+    local l3f families
+
+    for l3f in ip arp ip6 bridge inet; do
+        if nft create table ${l3f} ${CHECK_TABLE_NAME} > /dev/null 2>&1; then
+            families="${families}${l3f} "
+            nft delete table ${l3f} ${CHECK_TABLE_NAME}
+        fi
+    done
+    echo ${families}
+}
+
+manualwalk() {
+    local result l3f=`getfamilies | cut -d ' ' -f1`
+
+    nft create table ${l3f} ${CHECK_TABLE_NAME}
+    nft list tables | read line
+    if [ $(echo $line | wc -w) -lt 3 ]; then
+        result=0
+    fi
+    result=1
+    nft delete table ${l3f} ${CHECK_TABLE_NAME}
+
+    return $result
+}
+
+deletetable() {
+    # family is $1
+    # table name is $2
+    nft flush table $1 $2
+    nft list table $1 $2 | while read l; do
+        chain=$(echo $l | grep -o 'chain [^[:space:]]\+' | cut -d ' ' -f2)
+        if [ -n "${chain}" ]; then
+            nft flush chain $1 $2 ${chain}
+            nft delete chain $1 $2 ${chain}
+        fi
+    done
+    nft delete table $1 $2
+}
+
+main "$@"

net-firewall/nftables/files/man-pages/gen-manpages.bash

@@ -0,0 +1,72 @@
+#!/bin/bash
+#
+# create manpages for nftables
+
+declare -A MAN_PAGES
+
+MAN_PAGES=(
+	[nft.8]="nft.txt"
+	[libnftables-json.5]="libnftables-json.adoc"
+	[libnftables.3]="libnftables.adoc"
+)
+
+build_manpages() {
+	tar axf "${distfile}" -C "${srcdir}" || return
+
+	pushd "${srcdir}/${version}/doc" > /dev/null || return
+	local manpage
+	for manpage in "${!MAN_PAGES[@]}"; do
+		a2x -L --doctype manpage --format manpage -D . "${MAN_PAGES[${manpage}]}" || return
+	done
+	popd > /dev/null || return
+
+	local -a tarfiles
+	readarray -t tarfiles < <(printf -- "${version}/doc/%s\\n" "${!MAN_PAGES[@]}")
+
+	tar -Jc --owner='root:0' --group='root:0' \
+		--transform="s:^${version}/doc:${version}-manpages:" \
+		-f "${version}-manpages.tar.xz" \
+		-C "${srcdir}" \
+		"${tarfiles[@]}" || return
+
+	rm -rf "${srcdir:?}/${version}" || return
+}
+
+main() {
+	shopt -s failglob
+	local version="${1}" srcdir="${0%/*}"
+
+	if [[ -z ${version} ]]; then
+		# shellcheck disable=SC2016
+		version=$(
+			find . -maxdepth 1 -type d -a -name 'nftables-*' -printf '%P\0' 2>/dev/null \
+			| LC_COLLATE=C sort -z \
+			| sed -z -n '${p;Q}' \
+			| tr -d '\000'
+		)
+		if [[ -z ${version} ]]; then
+			# shellcheck disable=SC2016
+			version=$(
+				find . -maxdepth 3 -mindepth 3 -type f -a -name 'nftables-*.ebuild' -printf '%P\0' 2>/dev/null \
+				| LC_COLLATE=C sort -z \
+				| sed -r -z -n '${s:.*/::;s:-r[0-9]+::;s:[.]ebuild::;p;Q}' \
+				| tr -d '\000'
+			)
+			if [[ -z ${version} ]]; then
+				printf 'Usage %s <version>\n' "${0}" >&2
+				return 1
+			fi
+		fi
+	elif [[ ${version} =~ [0-9.]+ ]]; then
+		version="nftables-${version}"
+	fi
+
+	local distdir distfile
+	local -a distfiles
+	distdir="$(portageq distdir)" || return
+	distfiles=( "${distdir}/${version}.tar."* ) || return
+	distfile="${distfiles[-1]}"
+	build_manpages || return
+}
+
+main "${@}"

net-firewall/nftables/files/nftables-1.1.1-musl-xtables-ethhdr.patch

@@ -0,0 +1,27 @@
+diff --color -Naur nftables-1.1.1.old/src/xt.c nftables-1.1.1/src/xt.c
+--- nftables-1.1.1.old/src/xt.c
++++ nftables-1.1.1/src/xt.c
+@@ -10,6 +10,12 @@
+ #include <nft.h>
+
+ #include <time.h>
++
++#ifdef HAVE_LIBXTABLES
++/* include before net/if.h to prevent redefinition of ethhdr */
++#include <xtables.h>
++#endif
++
+ #include <net/if.h>
+ #include <getopt.h>
+ #include <ctype.h>	/* for isspace */
+@@ -26,9 +32,8 @@
+ #include <linux/netfilter_arp/arp_tables.h>
+ #include <linux/netfilter_bridge/ebtables.h>
+
+-#ifdef HAVE_LIBXTABLES
+-#include <xtables.h>
+
++#ifdef HAVE_LIBXTABLES
+ static void *xt_entry_alloc(const struct xt_stmt *xt, uint32_t af);
+ #endif
+

net-firewall/nftables/files/nftables-mk.confd

@@ -0,0 +1,26 @@
+# /etc/conf.d/nftables
+
+# Location in which nftables initscript will save set rules on
+# service shutdown
+NFTABLES_SAVE="/var/lib/nftables/rules-save"
+
+# Options to pass to nft on save
+SAVE_OPTIONS="-n"
+
+# Save state on stopping nftables
+SAVE_ON_STOP="yes"
+
+# Only for OpenRC systems.
+# Set to "hard" or "soft" to panic when stopping instead of
+# clearing the rules
+# Soft panic loads a ruleset dropping any new or invalid connections
+# Hard panic loads a ruleset dropping all traffic
+PANIC_ON_STOP=""
+
+# If you need to log nftables messages as soon as nftables starts,
+# AND your logger does NOT depend on the network, then you may wish
+# to uncomment the next line.
+# If your logger depends on the network, and you uncomment this line
+# you will create an unresolvable circular dependency during startup.
+# After commenting or uncommenting this line, you must run 'rc-update -u'.
+#rc_use="logger"