net-firewall/nftables: add 1.1.6

Signed-off-by: Patrick McLean <chutzpah@gentoo.org>
2026-01-06 02:17:34 -08:00 · 2025-12-08 08:11:00 -08:00 · 2025-12-08 08:11:00 -08:00 · 05fc934019
commit 05fc934019
parent 42f6c9b13c
2 changed files with 240 additions and 0 deletions
--- a/net-firewall/nftables/Manifest
+++ b/net-firewall/nftables/Manifest
@ -6,3 +6,5 @@ DIST nftables-1.1.4.tar.xz 1005044 BLAKE2B 359d23c89462125be72d4a103bd063cb9acf4
 DIST nftables-1.1.4.tar.xz.sig 566 BLAKE2B 87d84b3f4e896923c7c59701ab98aec289dd5a5413f6ff1b4680a98238ce9ccba452e23cc686b04a84c70be4c153d3aac5d73db8c7a7c61021226b20c0c11fab SHA512 4aa1d7f2b219e24cbc41fa397afcc605b3cf1c55a14b97827c0581cc2af9c5def0308ed69aa243b30690f7f14501c573a7902a75003582d0adf26ab086ca8356
 DIST nftables-1.1.5.tar.xz 1008132 BLAKE2B 4c391e316f5c04cffe16a64df60217d74e37ab4f87c614003e2d2f702b8a4fe81c2ca7f42b3429e948078b2b0ecf0ad61b8cc2f7b95384fff9c004bcc3837317 SHA512 01fbbea43fd01250b0176a200dfdb6b84d3d51156cc2350acb25a5e66960e1908c3d17a0363baddb32897ea8bea0569b67500a94f708c8587b0e29402f51cbb6
 DIST nftables-1.1.5.tar.xz.sig 566 BLAKE2B 4868d9a0fc35eade43e973e7d17412edd2302155df8d1b68664746feec84479446ad427363ccc0a4fc32272b03a200414451c9732cd3486707994816d331b91c SHA512 e6ff864eeba8c73ec5352d5c690864e29f128258edd653765f77e34689dc7408de91a04827bf15fcf8e13cf6b875f3b7e9bbdb0b23dc89cecde43787b1df60bd
+DIST nftables-1.1.6.tar.xz 1025092 BLAKE2B ec2abb475e078fa9872c02a7eef711eac40ac8dc40e3ff15b732808db5d1b5632a85060db04146a49b187fdcf865c3cce17774773bb8987442c5d3fc943c0380 SHA512 8d0a833d0ae2b6ac82e0da8bb74ffb69679e49a938b86a75d4ee3d81343400a95fe064cf95d60d22df30370779e524b31497a9c89a516d9bff645f3f83bb6bb1
+DIST nftables-1.1.6.tar.xz.sig 566 BLAKE2B 9ccd32fd29e02457da05848852456e5bb2cebe5757ad9a18add9184f9151880712e03a34ca81df905cf9ee325e9e3278cc924b2ff87bca726e42d53b17bbe9b5 SHA512 7a7cc7773c4784f7c5902b3fd33b7efcb808eb846bee4a0fed5f8ef54759a5cf2dd59605d171fe2ffa59416db7e56162f59b7abbd7fdfa2b5e3d417942743585
--- a/net-firewall/nftables/nftables-1.1.6.ebuild
+++ b/net-firewall/nftables/nftables-1.1.6.ebuild
@ -0,0 +1,238 @@
+# Copyright 1999-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+DISTUTILS_OPTIONAL=1
+DISTUTILS_USE_PEP517=setuptools
+PYTHON_COMPAT=( python3_{11..14} )
+VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/netfilter.org.asc
+inherit eapi9-ver edo linux-info distutils-r1 systemd verify-sig
+
+DESCRIPTION="Linux kernel firewall, NAT and packet mangling tools"
+HOMEPAGE="https://netfilter.org/projects/nftables/"
+
+if [[ ${PV} =~ ^[9]{4,}$ ]]; then
+	inherit autotools git-r3
+	EGIT_REPO_URI="https://git.netfilter.org/${PN}"
+	BDEPEND="app-alternatives/yacc"
+else
+	inherit libtool
+	SRC_URI="
+		https://netfilter.org/projects/nftables/files/${P}.tar.xz
+		verify-sig? ( https://netfilter.org/projects/nftables/files/${P}.tar.xz.sig )
+	"
+	KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~loong ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86"
+	BDEPEND="verify-sig? ( >=sec-keys/openpgp-keys-netfilter-20240415 )"
+fi
+
+# See COPYING: new code is GPL-2+, existing code is GPL-2
+LICENSE="GPL-2 GPL-2+"
+SLOT="0/1"
+IUSE="debug doc +gmp json libedit python +readline static-libs test xtables"
+RESTRICT="!test? ( test )"
+
+RDEPEND="
+	>=net-libs/libmnl-1.0.4:=
+	>=net-libs/libnftnl-1.3.1:=
+	gmp? ( dev-libs/gmp:= )
+	json? ( dev-libs/jansson:= )
+	python? ( ${PYTHON_DEPS} )
+	readline? ( sys-libs/readline:= )
+	xtables? ( >=net-firewall/iptables-1.6.1:= )
+"
+DEPEND="${RDEPEND}"
+BDEPEND+="
+	app-alternatives/lex
+	virtual/pkgconfig
+	doc? (
+		app-text/asciidoc
+		>=app-text/docbook2X-0.8.8-r4
+	)
+	python? ( ${DISTUTILS_DEPS} )
+"
+
+REQUIRED_USE="
+	python? ( ${PYTHON_REQUIRED_USE} )
+	libedit? ( !readline )
+"
+
+src_prepare() {
+	default
+
+	if [[ ${PV} =~ ^[9]{4,}$ ]] ; then
+		eautoreconf
+	else
+		elibtoolize
+	fi
+
+	if use python; then
+		pushd py >/dev/null || die
+		distutils-r1_src_prepare
+		popd >/dev/null || die
+	fi
+}
+
+src_configure() {
+	local myeconfargs=(
+		--sbindir="${EPREFIX}"/sbin
+		--with-unitdir=$(systemd_get_systemunitdir)
+		--enable-distcheck
+		$(use_enable debug)
+		$(use_enable doc man-doc)
+		$(use_with !gmp mini_gmp)
+		$(use_with json)
+		$(use_with libedit cli editline)
+		$(use_with readline cli readline)
+		$(use_enable static-libs static)
+		$(use_with xtables)
+	)
+
+	econf "${myeconfargs[@]}"
+
+	if use python; then
+		pushd py >/dev/null || die
+		distutils-r1_src_configure
+		popd >/dev/null || die
+	fi
+}
+
+src_compile() {
+	default
+
+	if use python; then
+		pushd py >/dev/null || die
+		distutils-r1_src_compile
+		popd >/dev/null || die
+	fi
+}
+
+src_test() {
+	emake check
+
+	if [[ ${EUID} == 0 ]]; then
+		edo tests/shell/run-tests.sh -v
+	else
+		ewarn "Skipping shell tests (requires root)"
+	fi
+
+	if use python; then
+		pushd tests/py >/dev/null || die
+		distutils-r1_src_test
+		popd >/dev/null || die
+	fi
+}
+
+python_test() {
+	if [[ ${EUID} == 0 ]]; then
+		edo "${EPYTHON}" nft-test.py
+	else
+		ewarn "Skipping Python tests (requires root)"
+	fi
+}
+
+src_install() {
+	default
+
+	if ! use doc && [[ ! ${PV} =~ ^[9]{4,}$ ]]; then
+		pushd doc >/dev/null || die
+		doman *.?
+		popd >/dev/null || die
+	fi
+
+	# Do it here instead of in src_prepare to avoid eautoreconf
+	# rmdir lets us catch if more files end up installed in /etc/nftables
+	dodir /usr/share/doc/${PF}/skels/
+	mv "${ED}"/etc/nftables/osf "${ED}"/usr/share/doc/${PF}/skels/osf || die
+	rmdir "${ED}"/etc/nftables || die
+
+	exeinto /usr/libexec/${PN}
+	newexe "${FILESDIR}"/libexec/${PN}-mk.sh ${PN}.sh
+	newconfd "${FILESDIR}"/${PN}-mk.confd ${PN}
+	newinitd "${FILESDIR}"/${PN}-mk.init-r1 ${PN}
+	keepdir /var/lib/nftables
+
+	systemd_dounit "${FILESDIR}"/systemd/${PN}-load.service
+	systemd_dounit "${FILESDIR}"/systemd/${PN}-store.service
+
+	if use python ; then
+		pushd py >/dev/null || die
+		distutils-r1_src_install
+		popd >/dev/null || die
+	fi
+
+	find "${ED}" -type f -name "*.la" -delete || die
+}
+
+pkg_preinst() {
+	local stderr
+
+	# There's a history of regressions with nftables upgrades. Perform a
+	# safety check to help us spot them earlier. For the check to pass, the
+	# currently loaded ruleset, if any, must be successfully evaluated by
+	# the newly built instance of nft(8).
+	if [[ -n ${ROOT} ]] || [[ ! -d /sys/module/nftables ]] || [[ ! -x /sbin/nft ]]; then
+		# Either nftables isn't yet in use or nft(8) cannot be executed.
+		return
+	elif ! stderr=$(umask 177; /sbin/nft -t list ruleset 2>&1 >"${T}"/ruleset.nft); then
+		# Report errors induced by trying to list the ruleset but don't
+		# treat them as being fatal.
+		printf '%s\n' "${stderr}" >&2
+	elif [[ ${stderr} == *"is managed by iptables-nft"* ]]; then
+		# Rulesets generated by iptables-nft are special in nature and
+		# will not always be printed in a way that constitutes a valid
+		# syntax for ntf(8). Ignore them.
+		return
+	elif set -- "${ED}"/usr/lib*/libnftables.so;
+		! LD_LIBRARY_PATH=${1%/*} "${ED}"/sbin/nft -c -f -- "${T}"/ruleset.nft
+	then
+		eerror "Your currently loaded ruleset cannot be parsed by the newly built instance of"
+		eerror "nft. This probably means that there is a regression introduced by v${PV}."
+		eerror "(To make the ebuild fail instead of warning, set NFTABLES_ABORT_ON_RELOAD_FAILURE=1.)"
+		if [[ -n ${NFTABLES_ABORT_ON_RELOAD_FAILURE} ]] ; then
+			die "Aborting because of failed nft reload!"
+		fi
+	fi
+}
+
+pkg_postinst() {
+	local save_file
+	save_file="${EROOT}"/var/lib/nftables/rules-save
+
+	# In order for the nftables-load systemd service to start
+	# the save_file must exist.
+	if [[ ! -f "${save_file}" ]]; then
+		( umask 177; touch "${save_file}" )
+	elif [[ $(( "$( stat --printf '%05a' "${save_file}" )" & 07177 )) -ne 0 ]]; then
+		ewarn "Your system has dangerous permissions for ${save_file}"
+		ewarn "It is probably affected by bug #691326."
+		ewarn "You may need to fix the permissions of the file. To do so,"
+		ewarn "you can run the command in the line below as root."
+		ewarn "    'chmod 600 \"${save_file}\"'"
+	fi
+
+	if has_version 'sys-apps/systemd'; then
+		if ver_replacing -lt "1.1.1-r1"; then
+			elog "Starting with ${PN}-1.1.1-r1, the ${PN}-restore.service has"
+			elog "been split into ${PN}-load.service and ${PN}-store.service."
+			elog
+		fi
+		elog "If you wish to enable the firewall rules on boot (on systemd) you"
+		elog "will need to enable the nftables-load service."
+		elog "    'systemctl enable ${PN}-load.service'"
+		elog
+		elog "Enable nftables-store.service if you want firewall rules to be"
+		elog "saved at shutdown."
+	fi
+
+	if has_version 'sys-apps/openrc'; then
+		elog "If you wish to enable the firewall rules on boot (on openrc) you"
+		elog "will need to enable the nftables service."
+		elog "    'rc-update add ${PN} default'"
+		elog
+		elog "If you are creating or updating the firewall rules and wish to save"
+		elog "them to be loaded on the next restart, use the \"save\" functionality"
+		elog "in the init script."
+		elog "    'rc-service ${PN} save'"
+	fi
+}