authorV3n3RiX <venerix@koprulu.sector>2025-04-01 01:33:27 +0100
committerV3n3RiX <venerix@koprulu.sector>2025-04-01 01:33:27 +0100
commit9cb5d77a6732fadf391fd38da00e6921f3e23112 (patch)
tree30f5c59801151fa131da4743ca598f950b2e5b4b /net-firewall
parent033286afc1eb2e64a87a58798a0c620d8b56f497 (diff)
gentoo auto-resync : 01:04:2025 - 01:33:27
Diffstat (limited to 'net-firewall')
-rw-r--r--net-firewall/Manifest.gzbin4235 -> 4237 bytes
-rw-r--r--net-firewall/nftables/Manifest12
-rw-r--r--net-firewall/nftables/files/nftables-1.1.0-revert-firewalld-breaking-change.patch63
-rw-r--r--net-firewall/nftables/files/systemd/nftables-load.service14
-rw-r--r--net-firewall/nftables/files/systemd/nftables-store.service11
-rw-r--r--net-firewall/nftables/nftables-1.0.9.ebuild226
-rw-r--r--net-firewall/nftables/nftables-1.1.1-r1.ebuild (renamed from net-firewall/nftables/nftables-1.1.0-r1.ebuild)31
-rw-r--r--net-firewall/nftables/nftables-9999.ebuild23
-rw-r--r--net-firewall/ufw/Manifest1
-rw-r--r--net-firewall/ufw/ufw-0.36.1-r2.ebuild217
10 files changed, 277 insertions, 321 deletions
diff --git a/net-firewall/Manifest.gz b/net-firewall/Manifest.gz
index 429d64900c1b..db6ce3724708 100644
--- a/net-firewall/Manifest.gz
+++ b/net-firewall/Manifest.gz
Binary files differ
diff --git a/net-firewall/nftables/Manifest b/net-firewall/nftables/Manifest
index 30d510236ade..506784f10fe5 100644
--- a/net-firewall/nftables/Manifest
+++ b/net-firewall/nftables/Manifest
@@ -1,20 +1,16 @@
AUX libexec/nftables-mk.sh 1070 BLAKE2B 30d8109d74e7d8c4f51c753f676f91a1902ad42f6d68662f1191ff73d2a43a1bf49fb795f3763705f8aeb0a4f22cab0006a943e01adb188f1ef9eb05125dfdbd SHA512 a14e48f014f75c7e611bf2a653d9760804754febd1ae4543f78abbfbe60c79f5aa07c5fd53fe26bb74b48fcb8cb8aa78274771212e41c42db031e8c8ba7e81d2
AUX libexec/nftables.sh 3665 BLAKE2B 74362a4425e974e74e7b895980002f0ded2ecbb4731bbf956edb56ffb9f1ad394802c4eeab3af3735eba4d8e71572a5663e564ce4e7fad76c9715043b90c1b43 SHA512 6cb1ac0928ae2da5c69764d45c52a661a6d72698bb9edd6a603580d2f9bd82b59f2a2661e7569ade3a3b729459d115004f251ad6a5eac8cdf1d38c65bfa9349e
AUX man-pages/gen-manpages.bash 1797 BLAKE2B c93cc311570abd674a12eb88711cf01664f437b8dc0fb4de36194f36671d92c35e04fcff6c56adcb0e642f089169f63ef063736398584e5e7ce799bf55acf2ff SHA512 ea3291412ce13d9dd463403fcc11c665c9de63edaabdecaf55e051b52b0ff845c9c7d63a6c4c08e4d2d94428815fe11daf9b7390081b4e9de4774e188b9ea677
-AUX nftables-1.1.0-revert-firewalld-breaking-change.patch 1919 BLAKE2B 3234b278522a919b8e5afafae9749360edfc224f5f45fd3f0a816d8ae8ddfa3798327610add8d152129e1b36f2473549f2245793685c33db942aff0e61b0be34 SHA512 eb041be1770da615af24ef573ae38fcdffb1dcf3b9cf7584514e4e67d2a24a0525b4ad04ea35cf568402a5a074a5cfe313c0bd7d38405940267be49f81f9e4e2
AUX nftables-mk.confd 899 BLAKE2B f4c3d82fbae87fb0d755af786a98db591b6a667cf33660ba9275ada2e6417fad1899a7f29762f23c112fc5c9e178bc7590c3b2ba26617853c3577917bd7d3edf SHA512 505ed05674a04367f1a3d5cf6447596ad1c3b2e9c920697f12f58a20d94c2a39b0041bb4911678511c4548566a69d964661d4afc3e7e27997943b875f204c602
AUX nftables-mk.init-r1 1970 BLAKE2B 9ece7da364eac76ef2ac401f4cc3ed558e926e8f07ab43f084de819098e9543bda0a9a8d40375e4e01dd6e53b92d744acf8f3caaeab1c3678ca84b1f48d59685 SHA512 9f1e491ba5fd8a1173eb055bfa5a0de3c040c158e7d54848fcd373a5f4c4041df6fb9ddc5b0e8fdfd78243665c627b8767816bcf94dd142b441b21227206fef3
AUX nftables.confd 655 BLAKE2B 5512be1edd43e270941de3d9b66fda69e4afd7c7e6e970b232a044c2fd64f8e50b9b55a4fe670174c3eabf3d176ee0158c1043baec4b76b0802e7e97bc862fcf SHA512 8370abcdc89fcd9da5dc7d1620be6afb4633b8bcd0a8a120b464cc1a7e1fab6f34956c293da3f6d3cbe1f7a2e03038fd0c94a614137ae5657d29ffdb5f3fa144
AUX nftables.init-r1 2279 BLAKE2B 1c4c28ea5b6a22905b3ec7de8e54726933b579352ecd799b7641384a138ffa2d4a2deb87d84ef5d75a43ae30759f1550d611c2560096bb5083cae9bb834be2bb SHA512 2165223bfd4f300b9cc01f604347fc5167f68515174b0d116b667bd05f4baf8c2f931e482f632975a8be371c2147951d9407f397ea4dbcbac79a6738cbd23015
+AUX systemd/nftables-load.service 407 BLAKE2B 572dda7ed02610862410b636d60e2fac6522509d12a1aeaa3e39953fabab10236f0a3fe2551c7212a7a35e705622eb3d52b46609b7485b8b99d0da1922c0b6f9 SHA512 94f8485441d8299e80c0612af034caaeb20fb257df77fd70a16c7f6c99a04725694e577a18962d1461cc109fe15bbf8ed7846c10b3d7cd3c059fb6b7ed9da7a0
AUX systemd/nftables-restore.service 394 BLAKE2B 1c1f358eb2eff789e68c051098c971f11a8df6621c3c919e30a1ec1213f6db822c390609c01827fe9fc75c540effa3e3a7b6f93bd24e16ea19841bbfaab796ed SHA512 18da6a770bb3e94fd6b2c9e6f033450aaff9fe886c8846f780d08a21e2fc884ac078652743b50b3d4ea8c9500f92d272bdd27e2881e438c2b223d40816c100a0
-DIST nftables-1.0.9.tar.xz 971968 BLAKE2B 1dfd1e79d3a7b645fd0995dad10893d70dbd13c92805c5cf30825acbbeb45071b2095072cecbd14b4f66cf0c284d2937a996c6b8013213438f53b92731af039d SHA512 dc34099658e283d9fd4d06264b593710121074558305ea23ab298c5f6a6b564a826f186241b6e106fbaa4e11160cf77e68bb52b4ce401b28d8d2e403cd4b88e8
-DIST nftables-1.0.9.tar.xz.sig 566 BLAKE2B d4bb0a1f629d2950753799fba18f6c3ce50e5ff242816e392245a714bfeccb3408583added4362f1e0da47cc6e30b0b95f864cf8443a1872d59ae40b15b5f706 SHA512 9b96ce8539700713ff4802fb2deff5b2ea0dd3155c45f5a8f49a45f70226893c7449e0b79504833b2e63e5290290e693c962128a226ca8f6ca281185bdcd7b51
-DIST nftables-1.1.0.tar.xz 1057672 BLAKE2B cc876d9ba344480a2f5a12811206356d9edbd4a95d29e8127f43864a1b4e2ae9bc88a6d07f0d36469dfed190c5822fd6a7c69b6a9028fbb0bc1ec254e76083d9 SHA512 0b0c6789b7d987289b9770ea2d26e640c50bc7f300685476c4fc367b5ad3d6980fca63b8fe701f727fb3a94328eb7dc560ed5745b5ce44f171022de5714d3a86
-DIST nftables-1.1.0.tar.xz.sig 566 BLAKE2B 556287b40ad6f82d229ae18910ec2008c3168c7088e7149f8b5e80ca9983b90ec202cf01838c80e973845dd565f4f13a454d6dc99030a3f9cede6c33929da07d SHA512 1b3a42a76b378373c8a21b77aaf9c1fc57402360d49d56b22f02c50bef969b1f6867a4d40bda24b2dd1a0dfcf7148893938a7eea84ff8cc67d9edcd6b9b62bb4
+AUX systemd/nftables-store.service 234 BLAKE2B bc28a2495df40258ee7d665b3b64ba425b4d9780812896a47b216bbb63651b06aaa8aa26b0b9c8b55c39e8dd3aa15e5f1b19eed62d028fb5be3de28b9dbee75c SHA512 329e89e287700c945ac6a6cfd1232f0d411709cab9730e3dac3eb5dc6f4b19c736276e88837e7cb3866391d6bc2ca88092d910ac911b1195a78824360d615f77
DIST nftables-1.1.1.tar.xz 989700 BLAKE2B f273c78369ba755049c6afa63eba195cf29f926fa8fc9bf344022904c00a8c6c4259cc5093e23993a55fd25790af575305df79a7c28624fa7082661b2eed70d0 SHA512 676413d4adadffb15d52c1f8f6432636cab83a7bcda1a18d9f0e6b58819a2c027a49922588c02bd9ad386de930eaa697bfe74c0938b595bf1ee485bfa7cf2e50
DIST nftables-1.1.1.tar.xz.sig 566 BLAKE2B b7debda3373972f69af9b4b23e1b66a8fd156440187aafba605bb7342c267207e5aa628256e96432ebd4583a6a9436e1969a33636111d2bd8d57185a01e2d502 SHA512 fc23034c512f686167203e827ff2a8f7cb64530211ce92a28793bd49577ce3bf519ffbe910b0071cb21925898497cb5cbf70121c68bfcdbfa4460c63a14203ac
-EBUILD nftables-1.0.9.ebuild 6472 BLAKE2B 28da5e49bdf6f55f3e5811d0563c8906e46c74dc8075bd9d88cb5558c6d2b41a9b3f6fe2cf310b8adbd2943ca2ee26e9fb96b516e14fdaf08a4c028ebb3546fc SHA512 46de8e2d2b0750185fdeefe4640d4df9233b7a9369a23f580bb4ab7681a830a7d7d13e2a7ebc9b10d1dfe11ba04b0d63a77e5902113543f45571205cc57b6254
-EBUILD nftables-1.1.0-r1.ebuild 6556 BLAKE2B 4289acbf5aa22a66a0591af82ac10d2e6173f678a77d52e28a9911d64b51554bb5096585b5adaf34f5faee9fd94f909fe60e29082ebdbc1bf25801d3543037f1 SHA512 3c0cf66264351f2bfa4efbcafebcfc1f229f8124539516af16d9b3a1f3c583e9ecc6ecf0bffb155a6cf76ab7ac3d28515c88baad3b37491e7d815738e8db5a71
+EBUILD nftables-1.1.1-r1.ebuild 6642 BLAKE2B c7e2678d081aeeba12636cf582b781567e1bec29214a485b5178b710da2d71c64aea7c29fe8dd7e2b77fbf3f4afac87ad135894fe6d9ff9739b61b5297f97d10 SHA512 08c9b366ff6dbf9a219ee13398cd3d123fb611e362291398d550d0876e75e95ce0dbb498be19e1e49d884ca9b57260277c414e440d2c12a5d97aa6f26def3bad
EBUILD nftables-1.1.1.ebuild 6474 BLAKE2B 0dd1ea43c50c38c9058874298f465e8773332c5e929b161d25edc166a0e00efc46b499e807885e837308fcbeddb4994282907f668f80fb4dcea696d4e54d10e7 SHA512 14e2a76d0e435b497ad20ed8d0316c4efb9e6711b77fa58a5bae172b0c9ef0e96e23735ad48662befb99f64916bdc18282e257edde4e4a70237c3cd520f231e2
-EBUILD nftables-9999.ebuild 6482 BLAKE2B f803c2b3ea243bdd7365fccdb7f36dffe6246381b7743d656dcebfa6c5afbaca110c2dd110cea0437f7d5fcc9790da57df00f6b6021861a048672abab8f26c8a SHA512 265d6d5512b005e45f555a812557ac7ca48a2a9efb0095cd9aa37e90877bc6943a2e751efd9f82f1583b623bb4c05cbb04e93253c8f9804f8a14887d1eadffba
+EBUILD nftables-9999.ebuild 6642 BLAKE2B c7e2678d081aeeba12636cf582b781567e1bec29214a485b5178b710da2d71c64aea7c29fe8dd7e2b77fbf3f4afac87ad135894fe6d9ff9739b61b5297f97d10 SHA512 08c9b366ff6dbf9a219ee13398cd3d123fb611e362291398d550d0876e75e95ce0dbb498be19e1e49d884ca9b57260277c414e440d2c12a5d97aa6f26def3bad
MISC metadata.xml 684 BLAKE2B 96044107a07596178b59f3d4bed0433e06eb74693fafcc1a8c20468e02626814ba1544bba54c64367e43a126463b0f3b33e340476aff15db934467e8b9d46bf7 SHA512 fa4c9cadddccda4217837a892fbec3e1b984fb18a4d11d5536f22724d2455724eb59c5cc06da5830fb28bb48cb2d01374fdc56e216296c695c678af28390392a
diff --git a/net-firewall/nftables/files/nftables-1.1.0-revert-firewalld-breaking-change.patch b/net-firewall/nftables/files/nftables-1.1.0-revert-firewalld-breaking-change.patch
deleted file mode 100644
index 0cc23d61fb8f..000000000000
--- a/net-firewall/nftables/files/nftables-1.1.0-revert-firewalld-breaking-change.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-https://git.netfilter.org/nftables/commit/?id=93560d0117639c8685fc287128ab06dec9950fbd
-https://github.com/firewalld/firewalld/issues/1366
-https://lore.kernel.org/netfilter-devel/Zp7FqL_YK3p_dQ8B@egarver-mac/
-
-From 93560d0117639c8685fc287128ab06dec9950fbd Mon Sep 17 00:00:00 2001
-From: Pablo Neira Ayuso <pablo@netfilter.org>
-Date: Wed, 24 Jul 2024 09:38:33 +0200
-Subject: Revert "cache: recycle existing cache with incremental updates"
-
-This reverts commit e791dbe109b6dd891a63a4236df5dc29d7a4b863.
-
-Eric Garver reported two issues:
-
-- index with rule breaks, because NFT_CACHE_REFRESH is missing.
-- simple set updates.
-
-Moreover, the current process could populate the cache with objects for
-listing commands (no generation ID is bumped), while another process
-could update the ruleset. Leading to a inconsistent cache due to the
-genid + 1 check.
-
-This optimization needs more work and more tests for -i/--interactive,
-revert it.
-
-Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---- a/src/cache.c
-+++ b/src/cache.c
-@@ -1184,21 +1184,9 @@ static bool nft_cache_needs_refresh(struct nft_cache *cache, unsigned int flags)
- (flags & NFT_CACHE_REFRESH);
- }
-
--static bool nft_cache_is_updated(struct nft_cache *cache, unsigned int flags,
-- uint16_t genid)
-+static bool nft_cache_is_updated(struct nft_cache *cache, uint16_t genid)
- {
-- if (!genid)
-- return false;
--
-- if (genid == cache->genid)
-- return true;
--
-- if (genid == cache->genid + 1) {
-- cache->genid++;
-- return true;
-- }
--
-- return false;
-+ return genid && genid == cache->genid;
- }
-
- bool nft_cache_needs_update(struct nft_cache *cache)
-@@ -1223,7 +1211,7 @@ replay:
- genid = mnl_genid_get(&ctx);
- if (!nft_cache_needs_refresh(cache, flags) &&
- nft_cache_is_complete(cache, flags) &&
-- nft_cache_is_updated(cache, flags, genid))
-+ nft_cache_is_updated(cache, genid))
- return 0;
-
- if (cache->genid)
---
-cgit v1.2.3
-
diff --git a/net-firewall/nftables/files/systemd/nftables-load.service b/net-firewall/nftables/files/systemd/nftables-load.service
new file mode 100644
index 000000000000..149ccac2f5f0
--- /dev/null
+++ b/net-firewall/nftables/files/systemd/nftables-load.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Load nftables firewall rules
+# if both are queued for some reason, don't store before restoring :)
+Before=nftables-store.service
+# sounds reasonable to have firewall up before any of the services go up
+Before=network-pre.target
+Wants=network-pre.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/nftables/nftables.sh load /var/lib/nftables/rules-save
+
+[Install]
+WantedBy=basic.target
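Review bot: The unit drops back to `inactive` the moment the load succeeds, because `Type=oneshot` is used without `RemainAfterExit=yes`, so `systemctl is-active nftables-load` cannot distinguish "rules loaded" from "never ran" and a stray `systemctl start` re-runs the load blindly; add `RemainAfterExit=yes` under `[Service]`. A failed load (syntax error in, or unreadable, `/var/lib/nftables/rules-save`) only fails this unit — nothing declared here makes that fatal to boot — so the host proceeds towards `network-pre.target` with whatever ruleset the kernel already holds, possibly none. That is a defensible choice, but it deserves a comment next to `ExecStart=`, e.g. `# a load failure is not fatal: boot continues with the kernel's current (possibly empty) ruleset`. Whether any other unit pulls this one in with `Requires=` is not visible in this diff.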
diff --git a/net-firewall/nftables/files/systemd/nftables-store.service b/net-firewall/nftables/files/systemd/nftables-store.service
new file mode 100644
index 000000000000..373f8b947d7d
--- /dev/null
+++ b/net-firewall/nftables/files/systemd/nftables-store.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Store nftables firewall rules
+Before=shutdown.target
+DefaultDependencies=No
+
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/nftables/nftables.sh store /var/lib/nftables/rules-save
+
+[Install]
+WantedBy=shutdown.target
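Review bot: The store step rewrites `/var/lib/nftables/rules-save` at every shutdown, but nothing in this unit constrains the mode of the file it produces; the ebuild's pkg_postinst already warns about group/world-readable permissions on exactly that path (bug #691326), and a saved ruleset can contain trusted-host lists and other policy a local user should not be able to read. Unless `nftables.sh store` is known to set the mode itself (the script is not in this diff), add `UMask=0077` to `[Service]` so any freshly created or replaced save file is 0600 regardless of what the script does. Separately, with `DefaultDependencies=No` the unit carries no ordering against the filesystem holding `/var`; in systemd's default ordering `shutdown.target` is reached before `umount.target`, so `Before=shutdown.target` is what keeps the write ahead of the unmount, and a comment such as `# Before=shutdown.target also keeps this ahead of umount.target, so /var is still writable` would record that assumption.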
diff --git a/net-firewall/nftables/nftables-1.0.9.ebuild b/net-firewall/nftables/nftables-1.0.9.ebuild
deleted file mode 100644
index f042bec930bc..000000000000
--- a/net-firewall/nftables/nftables-1.0.9.ebuild
+++ /dev/null
@@ -1,226 +0,0 @@
-# Copyright 1999-2024 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-DISTUTILS_OPTIONAL=1
-DISTUTILS_USE_PEP517=setuptools
-PYTHON_COMPAT=( python3_{10..12} )
-VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/netfilter.org.asc
-inherit edo linux-info distutils-r1 systemd verify-sig
-
-DESCRIPTION="Linux kernel firewall, NAT and packet mangling tools"
-HOMEPAGE="https://netfilter.org/projects/nftables/"
-
-if [[ ${PV} =~ ^[9]{4,}$ ]]; then
- inherit autotools git-r3
- EGIT_REPO_URI="https://git.netfilter.org/${PN}"
- BDEPEND="app-alternatives/yacc"
-else
- SRC_URI="
- https://netfilter.org/projects/nftables/files/${P}.tar.xz
- verify-sig? ( https://netfilter.org/projects/nftables/files/${P}.tar.xz.sig )
- "
- KEYWORDS="amd64 arm arm64 hppa ~loong ~mips ppc ppc64 ~riscv sparc x86"
- BDEPEND="verify-sig? ( sec-keys/openpgp-keys-netfilter )"
-fi
-
-# See COPYING: new code is GPL-2+, existing code is GPL-2
-LICENSE="GPL-2 GPL-2+"
-SLOT="0/1"
-IUSE="debug doc +gmp json libedit python +readline static-libs test xtables"
-RESTRICT="!test? ( test )"
-
-RDEPEND="
- >=net-libs/libmnl-1.0.4:=
- >=net-libs/libnftnl-1.2.6:=
- gmp? ( dev-libs/gmp:= )
- json? ( dev-libs/jansson:= )
- python? ( ${PYTHON_DEPS} )
- readline? ( sys-libs/readline:= )
- xtables? ( >=net-firewall/iptables-1.6.1:= )
-"
-DEPEND="${RDEPEND}"
-BDEPEND+="
- app-alternatives/lex
- virtual/pkgconfig
- doc? (
- app-text/asciidoc
- >=app-text/docbook2X-0.8.8-r4
- )
- python? ( ${DISTUTILS_DEPS} )
-"
-
-REQUIRED_USE="
- python? ( ${PYTHON_REQUIRED_USE} )
- libedit? ( !readline )
-"
-
-src_prepare() {
- default
-
- if [[ ${PV} =~ ^[9]{4,}$ ]] ; then
- eautoreconf
- fi
-
- if use python; then
- pushd py >/dev/null || die
- distutils-r1_src_prepare
- popd >/dev/null || die
- fi
-}
-
-src_configure() {
- local myeconfargs=(
- --sbindir="${EPREFIX}"/sbin
- $(use_enable debug)
- $(use_enable doc man-doc)
- $(use_with !gmp mini_gmp)
- $(use_with json)
- $(use_with libedit cli editline)
- $(use_with readline cli readline)
- $(use_enable static-libs static)
- $(use_with xtables)
- )
-
- econf "${myeconfargs[@]}"
-
- if use python; then
- pushd py >/dev/null || die
- distutils-r1_src_configure
- popd >/dev/null || die
- fi
-}
-
-src_compile() {
- default
-
- if use python; then
- pushd py >/dev/null || die
- distutils-r1_src_compile
- popd >/dev/null || die
- fi
-}
-
-src_test() {
- emake check
-
- if [[ ${EUID} == 0 ]]; then
- edo tests/shell/run-tests.sh -v
- else
- ewarn "Skipping shell tests (requires root)"
- fi
-
- if use python; then
- pushd tests/py >/dev/null || die
- distutils-r1_src_test
- popd >/dev/null || die
- fi
-}
-
-python_test() {
- if [[ ${EUID} == 0 ]]; then
- edo "${EPYTHON}" nft-test.py
- else
- ewarn "Skipping Python tests (requires root)"
- fi
-}
-
-src_install() {
- default
-
- if ! use doc && [[ ! ${PV} =~ ^[9]{4,}$ ]]; then
- pushd doc >/dev/null || die
- doman *.?
- popd >/dev/null || die
- fi
-
- # Do it here instead of in src_prepare to avoid eautoreconf
- # rmdir lets us catch if more files end up installed in /etc/nftables
- dodir /usr/share/doc/${PF}/skels/
- mv "${ED}"/etc/nftables/osf "${ED}"/usr/share/doc/${PF}/skels/osf || die
- rmdir "${ED}"/etc/nftables || die
-
- exeinto /usr/libexec/${PN}
- newexe "${FILESDIR}"/libexec/${PN}-mk.sh ${PN}.sh
- newconfd "${FILESDIR}"/${PN}-mk.confd ${PN}
- newinitd "${FILESDIR}"/${PN}-mk.init-r1 ${PN}
- keepdir /var/lib/nftables
-
- systemd_dounit "${FILESDIR}"/systemd/${PN}-restore.service
-
- if use python ; then
- pushd py >/dev/null || die
- distutils-r1_src_install
- popd >/dev/null || die
- fi
-
- find "${ED}" -type f -name "*.la" -delete || die
-}
-
-pkg_preinst() {
- local stderr
-
- # There's a history of regressions with nftables upgrades. Perform a
- # safety check to help us spot them earlier. For the check to pass, the
- # currently loaded ruleset, if any, must be successfully evaluated by
- # the newly built instance of nft(8).
- if [[ -n ${ROOT} ]] || [[ ! -d /sys/module/nftables ]] || [[ ! -x /sbin/nft ]]; then
- # Either nftables isn't yet in use or nft(8) cannot be executed.
- return
- elif ! stderr=$(umask 177; /sbin/nft -t list ruleset 2>&1 >"${T}"/ruleset.nft); then
- # Report errors induced by trying to list the ruleset but don't
- # treat them as being fatal.
- printf '%s\n' "${stderr}" >&2
- elif [[ ${stderr} == *"is managed by iptables-nft"* ]]; then
- # Rulesets generated by iptables-nft are special in nature and
- # will not always be printed in a way that constitutes a valid
- # syntax for ntf(8). Ignore them.
- return
- elif set -- "${ED}"/usr/lib*/libnftables.so; ! LD_LIBRARY_PATH=${1%/*} "${ED}"/sbin/nft -c -f -- "${T}"/ruleset.nft; then
- eerror "Your currently loaded ruleset cannot be parsed by the newly built instance of"
- eerror "nft. This probably means that there is a regression introduced by v${PV}."
- eerror "(To make the ebuild fail instead of warning, set NFTABLES_ABORT_ON_RELOAD_FAILURE=1.)"
- if [[ -n ${NFTABLES_ABORT_ON_RELOAD_FAILURE} ]] ; then
- die "Aborting because of failed nft reload!"
- fi
- fi
-}
-
-pkg_postinst() {
- local save_file
- save_file="${EROOT}"/var/lib/nftables/rules-save
-
- # In order for the nftables-restore systemd service to start
- # the save_file must exist.
- if [[ ! -f "${save_file}" ]]; then
- ( umask 177; touch "${save_file}" )
- elif [[ $(( "$( stat --printf '%05a' "${save_file}" )" & 07177 )) -ne 0 ]]; then
- ewarn "Your system has dangerous permissions for ${save_file}"
- ewarn "It is probably affected by bug #691326."
- ewarn "You may need to fix the permissions of the file. To do so,"
- ewarn "you can run the command in the line below as root."
- ewarn " 'chmod 600 \"${save_file}\"'"
- fi
-
- if has_version 'sys-apps/systemd'; then
- elog "If you wish to enable the firewall rules on boot (on systemd) you"
- elog "will need to enable the nftables-restore service."
- elog " 'systemctl enable ${PN}-restore.service'"
- elog
- elog "If you are creating firewall rules before the next system restart"
- elog "the nftables-restore service must be manually started in order to"
- elog "save those rules on shutdown."
- fi
-
- if has_version 'sys-apps/openrc'; then
- elog "If you wish to enable the firewall rules on boot (on openrc) you"
- elog "will need to enable the nftables service."
- elog " 'rc-update add ${PN} default'"
- elog
- elog "If you are creating or updating the firewall rules and wish to save"
- elog "them to be loaded on the next restart, use the \"save\" functionality"
- elog "in the init script."
- elog " 'rc-service ${PN} save'"
- fi
-}
diff --git a/net-firewall/nftables/nftables-1.1.0-r1.ebuild b/net-firewall/nftables/nftables-1.1.1-r1.ebuild
index 24ede801396a..14a775b021a2 100644
--- a/net-firewall/nftables/nftables-1.1.0-r1.ebuild
+++ b/net-firewall/nftables/nftables-1.1.1-r1.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2024 Gentoo Authors
+# Copyright 1999-2025 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
@@ -7,7 +7,7 @@ DISTUTILS_OPTIONAL=1
DISTUTILS_USE_PEP517=setuptools
PYTHON_COMPAT=( python3_{10..13} )
VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/netfilter.org.asc
-inherit edo linux-info distutils-r1 systemd verify-sig
+inherit eapi9-ver edo linux-info distutils-r1 systemd verify-sig
DESCRIPTION="Linux kernel firewall, NAT and packet mangling tools"
HOMEPAGE="https://netfilter.org/projects/nftables/"
@@ -21,7 +21,7 @@ else
https://netfilter.org/projects/nftables/files/${P}.tar.xz
verify-sig? ( https://netfilter.org/projects/nftables/files/${P}.tar.xz.sig )
"
- KEYWORDS="amd64 arm arm64 hppa ~loong ~mips ppc ppc64 ~riscv sparc x86"
+ KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~loong ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86"
BDEPEND="verify-sig? ( sec-keys/openpgp-keys-netfilter )"
fi
@@ -33,7 +33,7 @@ RESTRICT="!test? ( test )"
RDEPEND="
>=net-libs/libmnl-1.0.4:=
- >=net-libs/libnftnl-1.2.7:=
+ >=net-libs/libnftnl-1.2.8:=
gmp? ( dev-libs/gmp:= )
json? ( dev-libs/jansson:= )
python? ( ${PYTHON_DEPS} )
@@ -56,10 +56,6 @@ REQUIRED_USE="
libedit? ( !readline )
"
-PATCHES=(
- "${FILESDIR}"/nftables-1.1.0-revert-firewalld-breaking-change.patch
-)
-
src_prepare() {
default
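Review bot: Dropping the firewalld revert patch assumes the 1.1.1 tarball already carries upstream commit 93560d0 (the revert of e791dbe); nothing in this diff or the commit message records that check, and if the assumption is wrong firewalld users hit firewalld issue #1366 again on upgrade. A one-line comment at the top of `src_prepare`, e.g. `# 1.1.0's firewalld cache regression (reverted upstream in 93560d0) is fixed in 1.1.1`, would record the rationale for future bumps. The removal itself is fine if that holds; `src_prepare` continues past the end of this hunk.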
@@ -151,7 +147,8 @@ src_install() {
newinitd "${FILESDIR}"/${PN}-mk.init-r1 ${PN}
keepdir /var/lib/nftables
- systemd_dounit "${FILESDIR}"/systemd/${PN}-restore.service
+ systemd_dounit "${FILESDIR}"/systemd/${PN}-load.service
+ systemd_dounit "${FILESDIR}"/systemd/${PN}-store.service
if use python ; then
pushd py >/dev/null || die
@@ -197,7 +194,7 @@ pkg_postinst() {
local save_file
save_file="${EROOT}"/var/lib/nftables/rules-save
- # In order for the nftables-restore systemd service to start
+ # In order for the nftables-load systemd service to start
# the save_file must exist.
if [[ ! -f "${save_file}" ]]; then
( umask 177; touch "${save_file}" )
@@ -210,13 +207,17 @@ pkg_postinst() {
fi
if has_version 'sys-apps/systemd'; then
+ if ver_replacing -lt "1.1.1-r1"; then
+ elog "Starting with ${PN}-1.1.1-r1, the ${PN}-restore.service has"
+ elog "been split into ${PN}-load.service and ${PN}-store.service."
+ elog
+ fi
elog "If you wish to enable the firewall rules on boot (on systemd) you"
- elog "will need to enable the nftables-restore service."
- elog " 'systemctl enable ${PN}-restore.service'"
+ elog "will need to enable the nftables-load service."
+ elog " 'systemctl enable ${PN}-load.service'"
elog
- elog "If you are creating firewall rules before the next system restart"
- elog "the nftables-restore service must be manually started in order to"
- elog "save those rules on shutdown."
+ elog "Enable nftables-store.service if you want firewall rules to be"
+ elog "saved at shutdown."
fi
if has_version 'sys-apps/openrc'; then
diff --git a/net-firewall/nftables/nftables-9999.ebuild b/net-firewall/nftables/nftables-9999.ebuild
index ecfd85b0e138..14a775b021a2 100644
--- a/net-firewall/nftables/nftables-9999.ebuild
+++ b/net-firewall/nftables/nftables-9999.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2024 Gentoo Authors
+# Copyright 1999-2025 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
@@ -7,7 +7,7 @@ DISTUTILS_OPTIONAL=1
DISTUTILS_USE_PEP517=setuptools
PYTHON_COMPAT=( python3_{10..13} )
VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/netfilter.org.asc
-inherit edo linux-info distutils-r1 systemd verify-sig
+inherit eapi9-ver edo linux-info distutils-r1 systemd verify-sig
DESCRIPTION="Linux kernel firewall, NAT and packet mangling tools"
HOMEPAGE="https://netfilter.org/projects/nftables/"
@@ -147,7 +147,8 @@ src_install() {
newinitd "${FILESDIR}"/${PN}-mk.init-r1 ${PN}
keepdir /var/lib/nftables
- systemd_dounit "${FILESDIR}"/systemd/${PN}-restore.service
+ systemd_dounit "${FILESDIR}"/systemd/${PN}-load.service
+ systemd_dounit "${FILESDIR}"/systemd/${PN}-store.service
if use python ; then
pushd py >/dev/null || die
@@ -193,7 +194,7 @@ pkg_postinst() {
local save_file
save_file="${EROOT}"/var/lib/nftables/rules-save
- # In order for the nftables-restore systemd service to start
+ # In order for the nftables-load systemd service to start
# the save_file must exist.
if [[ ! -f "${save_file}" ]]; then
( umask 177; touch "${save_file}" )
@@ -206,13 +207,17 @@ pkg_postinst() {
fi
if has_version 'sys-apps/systemd'; then
+ if ver_replacing -lt "1.1.1-r1"; then
+ elog "Starting with ${PN}-1.1.1-r1, the ${PN}-restore.service has"
+ elog "been split into ${PN}-load.service and ${PN}-store.service."
+ elog
+ fi
elog "If you wish to enable the firewall rules on boot (on systemd) you"
- elog "will need to enable the nftables-restore service."
- elog " 'systemctl enable ${PN}-restore.service'"
+ elog "will need to enable the nftables-load service."
+ elog " 'systemctl enable ${PN}-load.service'"
elog
- elog "If you are creating firewall rules before the next system restart"
- elog "the nftables-restore service must be manually started in order to"
- elog "save those rules on shutdown."
+ elog "Enable nftables-store.service if you want firewall rules to be"
+ elog "saved at shutdown."
fi
if has_version 'sys-apps/openrc'; then
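Review bot: The live ebuild has the same silent-regression window as the release one: `nftables-restore.service` is no longer shipped, so a host that had it enabled keeps a dangling symlink and comes up with no rules loaded, and the only signal is an `elog` inside the `ver_replacing -lt "1.1.1-r1"` branch. Inside that branch, probe for the stale link with `find "${EROOT}"/etc/systemd/system -name "${PN}-restore.service" -type l` and, when it returns anything, `ewarn` that no firewall rules will load at boot until `${PN}-restore.service` is disabled and `${PN}-load.service` enabled. `pkg_postinst` starts before this hunk.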
diff --git a/net-firewall/ufw/Manifest b/net-firewall/ufw/Manifest
index 321978434fe1..4704692522ba 100644
--- a/net-firewall/ufw/Manifest
+++ b/net-firewall/ufw/Manifest
@@ -11,4 +11,5 @@ AUX ufw.confd 219 BLAKE2B 8ed5dec5dd9acc84715918240e31398268ff36f73bb2cfc10e64e0
AUX ufw.service 329 BLAKE2B e817fc85b3bdb21b47a3089c6f2204292a019eaeae510832530f0e09f8784a312dd636fa3cf90610bb3159d52b4bdaadf803699ac4bff31576b566a3e977b2d2 SHA512 a365e704ca958c83c86f8a6b1623ce3f9ad72dcfb0cfc7758bfc787e0877f897ccf8b200db83df17130ca5dcc54f938178b8cabfe3ee0c0896c814ee7d2439c7
DIST ufw-0.36.1.tar.gz 583123 BLAKE2B 16e1ee67493d5db10a04667b646a019aa3aeb06345d0facc334fb07eeff4d4f6674a4699b2bd7bd6ed29de1c05c4e14812e9e8ec55c4bfb8579b8e3e2e577f6a SHA512 77d01fef661083eac041be6d6eabffb1d8aedb215f73e44e18a9a63a48da96414b3c0166e3ffd9402c22c72a6de5d774ba14b15368b02997aae8e08d1c5dd4c0
EBUILD ufw-0.36.1-r1.ebuild 5969 BLAKE2B 572d2e2e5078f8e5f60ba69b56015433047809df0ba2b60e97cc84a47d05fbb3e54c8cfeab3c2295745d6bce15900b1bf4e071967ed40a05b25feab04a8c0885 SHA512 c8167747b311dc7fac50e0ad78a160e9481bee6e21d123b1cab8d70b87965873fac6f9c8c5d36c8a23077309845b7c8e3696202ee0e70ed6fe87d11507077509
+EBUILD ufw-0.36.1-r2.ebuild 6053 BLAKE2B 8817e93d68e69f594cac7b1aae31bd305029aec93b5b276eb2b9420ad8ea672f9f9a1e299eb16e686cb9a8fe0b7eea36e78e13b8b3cd8b5e55b4ffc331610066 SHA512 e047aad3d2cb2c8b27fa4eb4438f3456c31348944e72fc37356062d3fd1769401b8d3c0cf2d483662624a851ad057674349e0db01620fde8863a0cac91d21f5a
MISC metadata.xml 686 BLAKE2B 6d415e2295cf7facf8908aab2fbd7d4150d24595c9eb30ccf7f105ff2263cd7dc6c393dc8ad8303b264d76be37bb11da3ce4d4b666c0648e974b7585e9e7e452 SHA512 c1dee02a7458095069243337abb01a66dc132de15a51114cc1b39778f02b3a05d28a869cfa8cef55cf8701bb7f872232b63d432c1c5e45d71d90fa6099f74dd5
diff --git a/net-firewall/ufw/ufw-0.36.1-r2.ebuild b/net-firewall/ufw/ufw-0.36.1-r2.ebuild
new file mode 100644
index 000000000000..d379494306bc
--- /dev/null
+++ b/net-firewall/ufw/ufw-0.36.1-r2.ebuild
@@ -0,0 +1,217 @@
+# Copyright 1999-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{10..13} )
+inherit bash-completion-r1 eapi9-ver edo linux-info python-single-r1 systemd
+
+DESCRIPTION="A program used to manage a netfilter firewall"
+HOMEPAGE="https://launchpad.net/ufw"
+SRC_URI="https://launchpad.net/ufw/${PV%.*}/${PV}/+download/${P}.tar.gz"
+
+LICENSE="GPL-3"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~loong ~ppc ~ppc64 ~riscv ~sparc ~x86"
+IUSE="examples ipv6"
+REQUIRED_USE="${PYTHON_REQUIRED_USE}"
+
+RDEPEND="
+ ${PYTHON_DEPS}
+ net-firewall/iptables[ipv6(+)?]
+"
+BDEPEND="
+ $(python_gen_cond_dep '
+ dev-python/setuptools[${PYTHON_USEDEP}]
+ ')
+ sys-devel/gettext
+"
+
+PATCHES=(
+ # Move files away from /lib/ufw.
+ "${FILESDIR}/${P}-move-path.patch"
+ # Remove unnecessary build time dependency on net-firewall/iptables.
+ "${FILESDIR}/${P}-dont-check-iptables.patch"
+ # Remove shebang modification.
+ "${FILESDIR}/${P}-shebang.patch"
+ # Fix bash completions, bug #526300
+ "${FILESDIR}/${PN}-0.36-bash-completion.patch"
+ # Strip distutils use
+ "${FILESDIR}/${PN}-0.36.1-distutils.patch"
+)
+
+pkg_pretend() {
+ local CONFIG_CHECK="~PROC_FS
+ ~NETFILTER_XT_MATCH_COMMENT ~NETFILTER_XT_MATCH_HL
+ ~NETFILTER_XT_MATCH_LIMIT ~NETFILTER_XT_MATCH_MULTIPORT
+ ~NETFILTER_XT_MATCH_RECENT ~NETFILTER_XT_MATCH_STATE"
+
+ if kernel_is -ge 2 6 39; then
+ CONFIG_CHECK+=" ~NETFILTER_XT_MATCH_ADDRTYPE"
+ else
+ CONFIG_CHECK+=" ~IP_NF_MATCH_ADDRTYPE"
+ fi
+
+ # https://bugs.launchpad.net/ufw/+bug/1076050
+ if kernel_is -ge 3 4; then
+ CONFIG_CHECK+=" ~NETFILTER_XT_TARGET_LOG"
+ else
+ CONFIG_CHECK+=" ~IP_NF_TARGET_LOG"
+ use ipv6 && CONFIG_CHECK+=" ~IP6_NF_TARGET_LOG"
+ fi
+
+ CONFIG_CHECK+=" ~IP_NF_TARGET_REJECT"
+ use ipv6 && CONFIG_CHECK+=" ~IP6_NF_TARGET_REJECT"
+
+ check_extra_config
+
+ # Check for default, useful optional features.
+ if ! linux_config_exists; then
+ ewarn "Cannot determine configuration of your kernel."
+ return
+ fi
+
+ local nf_nat_ftp_ok="yes"
+ local nf_conntrack_ftp_ok="yes"
+ local nf_conntrack_netbios_ns_ok="yes"
+
+ linux_chkconfig_present \
+ NF_NAT_FTP || nf_nat_ftp_ok="no"
+ linux_chkconfig_present \
+ NF_CONNTRACK_FTP || nf_conntrack_ftp_ok="no"
+ linux_chkconfig_present \
+ NF_CONNTRACK_NETBIOS_NS || nf_conntrack_netbios_ns_ok="no"
+
+ # This is better than an essay for each unset option...
+ if [[ "${nf_nat_ftp_ok}" == "no" ]] || \
+ [[ "${nf_conntrack_ftp_ok}" == "no" ]] || \
+ [[ "${nf_conntrack_netbios_ns_ok}" == "no" ]]; then
+ echo
+ local mod_msg="Kernel options listed below are not set. They are not"
+ mod_msg+=" mandatory, but they are often useful."
+ mod_msg+=" If you don't need some of them, please remove relevant"
+ mod_msg+=" module name(s) from IPT_MODULES in"
+ mod_msg+=" '${EROOT}/etc/default/ufw' before (re)starting ufw."
+ mod_msg+=" Otherwise ufw may fail to start!"
+ ewarn "${mod_msg}"
+ if [[ "${nf_nat_ftp_ok}" == "no" ]]; then
+ ewarn "NF_NAT_FTP: for better support for active mode FTP."
+ fi
+ if [[ "${nf_conntrack_ftp_ok}" == "no" ]]; then
+ ewarn "NF_CONNTRACK_FTP: for better support for active mode FTP."
+ fi
+ if [[ "${nf_conntrack_netbios_ns_ok}" == "no" ]]; then
+ ewarn "NF_CONNTRACK_NETBIOS_NS: for better Samba support."
+ fi
+ fi
+}
+
+src_prepare() {
+ default
+
+ # Set as enabled by default. User can enable or disable
+ # the service by adding or removing it to/from a runlevel.
+ sed -i 's/^ENABLED=no/ENABLED=yes/' conf/ufw.conf \
+ || die "sed failed (ufw.conf)"
+
+ sed -i "s/^IPV6=yes/IPV6=$(usex ipv6)/" conf/ufw.defaults || die
+
+ # If LINGUAS is set install selected translations only.
+ if [[ -n ${LINGUAS+set} ]]; then
+ _EMPTY_LOCALE_LIST="yes"
+ pushd locales/po > /dev/null || die
+
+ local lang
+ for lang in *.po; do
+ if ! has "${lang%.po}" ${LINGUAS}; then
+ rm "${lang}" || die
+ else
+ _EMPTY_LOCALE_LIST="no"
+ fi
+ done
+
+ popd > /dev/null || die
+ else
+ _EMPTY_LOCALE_LIST="no"
+ fi
+}
+
+src_compile() {
+ edo ${EPYTHON} setup.py build
+}
+
+src_install() {
+ edo ${EPYTHON} setup.py install --prefix="${EPREFIX}/usr" --root="${D}"
+ python_optimize
+ einstalldocs
+
+ newconfd "${FILESDIR}"/ufw.confd ufw
+ newinitd "${FILESDIR}"/ufw-2.initd ufw
+ systemd_dounit "${FILESDIR}/ufw.service"
+
+ pushd "${ED}" || die
+ chmod -R 0644 etc/ufw/*.rules || die
+ popd || die
+
+ exeinto /usr/share/${PN}
+ doexe tests/check-requirements
+
+ # users normally would want it
+ insinto "/usr/share/doc/${PF}/logging/syslog-ng"
+ doins -r "${FILESDIR}"/syslog-ng/*
+
+ insinto "/usr/share/doc/${PF}/logging/rsyslog"
+ doins -r "${FILESDIR}"/rsyslog/*
+ doins doc/rsyslog.example
+
+ if use examples; then
+ insinto "/usr/share/doc/${PF}/examples"
+ doins -r examples/*
+ fi
+ newbashcomp shell-completion/bash "${PN}"
+
+ [[ ${_EMPTY_LOCALE_LIST} != "yes" ]] && domo locales/mo/*.mo
+}
+
+pkg_postinst() {
+ local found=()
+ local apps=( "net-firewall/arno-iptables-firewall"
+ "net-firewall/ferm"
+ "net-firewall/firehol"
+ "net-firewall/firewalld"
+ "net-firewall/ipkungfu" )
+
+ for exe in "${apps[@]}"
+ do
+ if has_version "${exe}"; then
+ found+=( "${exe}" )
+ fi
+ done
+
+ if [[ -n ${found} ]]; then
+ echo ""
+ ewarn "WARNING: Detected other firewall applications:"
+ ewarn "${found[@]}"
+ ewarn "If enabled, these applications may interfere with ufw!"
+ fi
+
+ if [[ -z ${REPLACING_VERSIONS} ]]; then
+ echo ""
+ elog "To enable ufw, add it to boot sequence and activate it:"
+ elog "-- # rc-update add ufw boot"
+ elog "-- # /etc/init.d/ufw start"
+ echo
+ elog "If you want to keep ufw logs in a separate file, take a look at"
+ elog "/usr/share/doc/${PF}/logging."
+ fi
+ if [[ -z ${REPLACING_VERSIONS} ]] || ver_replacing -lt 0.34; then
+ echo
+ elog "/usr/share/ufw/check-requirements script is installed."
+ elog "It is useful for debugging problems with ufw. However one"
+ elog "should keep in mind that the script assumes IPv6 is enabled"
+ elog "on kernel and net-firewall/iptables, and fails when it's not."
+ fi
+ echo
+ ewarn "Note: once enabled, ufw blocks also incoming SSH connections by"
+ ewarn "default. See README, Remote Management section for more information."
+}
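Review bot: `chmod -R 0644 etc/ufw/*.rules` in `src_install` makes every rule file world-readable, so any local account can read the complete firewall policy, including any `user.rules`/`user6.rules` entries that name permitted source addresses; the intent here looks to be stripping the execute bit that setup.py leaves on them, which `0640` also does while keeping the files readable by root only. Change the line to `chmod -R 0640 etc/ufw/*.rules || die`, unless something in the init script reads the rules as a non-root user, which nothing in this file suggests. Minor, in `pkg_postinst`: `exe` in the `for` loop is not declared `local`, and `[[ -n ${found} ]]` only inspects the first array element — `(( ${#found[@]} ))` states the intent directly.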