18 files changed, 2070 insertions, 0 deletions
diff --git a/net-firewall/iptables/ChangeLog b/net-firewall/iptables/ChangeLog
new file mode 100644
index 0000000..4bc5bbc
--- /dev/null
+++ b/net-firewall/iptables/ChangeLog
@@ -0,0 +1,891 @@
+# ChangeLog for net-firewall/iptables
+# Copyright 1999-2008 Gentoo Foundation; Distributed under the GPL v2
+# $Header: /var/cvsroot/gentoo-x86/net-firewall/iptables/ChangeLog,v 1.178 2008/08/17 15:59:38 cardoe Exp $
+ + 17 Aug 2008; Doug Goldstein <cardoe@gentoo.org> metadata.xml: + add GLEP 56 USE flag desc from use.local.desc + + 25 Jul 2008; Steve Dibb <beandog@gentoo.org> iptables-1.4.0-r1.ebuild: + amd64 stable, bug 209222 + + 13 Jul 2008; Joseph Jezak <josejx@gentoo.org> iptables-1.4.0-r1.ebuild: + Marked ppc stable for bug #209222. + + 05 Jul 2008; Tobias Klausmann <klausman@gentoo.org> + iptables-1.4.0-r1.ebuild: + Stable on alpha, bug #209222 + + 05 Jul 2008; Raúl Porcel <armin76@gentoo.org> iptables-1.4.0-r1.ebuild: + ia64 stable wrt #209222 + + 02 Jul 2008; Friedrich Oslage <bluebird@gentoo.org> + iptables-1.4.0-r1.ebuild: + Stable on sparc, bug #209222 + + 01 Jul 2008; Jeroen Roovers <jer@gentoo.org> iptables-1.4.0-r1.ebuild: + Stable for HPPA (bug #209222). + + 29 Jun 2008; Christian Faulhammer <opfer@gentoo.org> + iptables-1.4.0-r1.ebuild: + stable x86, bug 209222 + + 29 Jun 2008; Markus Rothe <corsair@gentoo.org> iptables-1.4.0-r1.ebuild: + Stable on ppc64; bug #209222 + +*iptables-1.4.1.1 (28 Jun 2008) + + 28 Jun 2008; Mike Frysinger <vapier@gentoo.org> +iptables-1.4.1.1.ebuild: + Version bump #229185 by Sergey Dryabzhinsky. + + 14 Jun 2008; Zac Medico <zmedico@gentoo.org> iptables-1.3.5-r4.ebuild, + iptables-1.3.6.ebuild, iptables-1.3.6-r1.ebuild, iptables-1.3.7.ebuild, + iptables-1.3.8.ebuild, iptables-1.3.8-r1.ebuild, iptables-1.3.8-r2.ebuild, + iptables-1.3.8-r3.ebuild, iptables-1.4.0.ebuild: + Bug #226505 - For compatibility with phase execution order in + >=portage-2.1.5, call has_version inside pkg_preinst instead of + pkg_postinst. 
+ + 09 Jun 2008; Mike Frysinger <vapier@gentoo.org> + +files/iptables-1.4.0-in6-glibc-2.8.patch, iptables-1.4.0-r1.ebuild: + Use the correct API for accessing ip6 structs #225505 by Jose daLuz. + + 14 Mar 2008; Steve Dibb <beandog@gentoo.org> iptables-1.3.8-r3.ebuild: + amd64 stable, bug 208147 + + 06 Feb 2008; Raúl Porcel <armin76@gentoo.org> iptables-1.3.8-r3.ebuild: + alpha/ia64/sparc stable wrt #208147 + + 01 Feb 2008; Markus Meier <maekke@gentoo.org> iptables-1.3.8-r3.ebuild: + x86 stable, bug #208147 + + 31 Jan 2008; Jeroen Roovers <jer@gentoo.org> iptables-1.3.8-r3.ebuild: + Stable for HPPA (bug #208147). + + 31 Jan 2008; nixnut <nixnut@gentoo.org> iptables-1.3.8-r3.ebuild: + Stable on ppc wrt bug 208147 + + 30 Jan 2008; Brent Baude <ranger@gentoo.org> iptables-1.3.8-r3.ebuild: + Marking iptables-1.3.8-r3 ppc64 for bug 208147 + + 11 Jan 2008; <pva@gentoo.org> iptables-1.4.0-r1.ebuild: + l7-filter related code cleaned. Fixed build build problem with monolitic + kernels and any of imq, l7filter or extesion USE flags enabled, bug 205127, + thank Guillaume Castagnino <casta AT xwing.info> for report. iptables-1.2 is + long time not in the tree hence removed related obsolete ewarn. + + 10 Jan 2008; nixnut <nixnut@gentoo.org> iptables-1.3.8-r3.ebuild: + Stable on ppc wrt bug 201909 + + 08 Jan 2008; <pva@gentoo.org> metadata.xml, iptables-1.4.0-r1.ebuild: + IMQ patches updated for iptables 1.4.x. Added myself into metadata for + l7filter and imq extensions. + +*iptables-1.4.0-r1 (30 Dec 2007) + + 30 Dec 2007; Mike Frysinger <vapier@gentoo.org> + +files/iptables-1.4.0-dev-files.patch, +iptables-1.4.0-r1.ebuild: + Install dev headers/libs again #203744. + + 27 Dec 2007; Mike Frysinger <vapier@gentoo.org> iptables-1.4.0.ebuild: + Punt USE=imq. Use user-custom patch dir in /etc/. + + 24 Dec 2007; <pva@gentoo.org> iptables-1.4.0.ebuild: + Updated l7-filter patches for iptables-1.4.x. 
+ +*iptables-1.4.0 (24 Dec 2007) + + 24 Dec 2007; Mike Frysinger <vapier@gentoo.org> +iptables-1.4.0.ebuild: + Version bump #203161 by Nebojsa Trpkovic. + +*iptables-1.3.8-r3 (24 Dec 2007) + + 24 Dec 2007; <pva@gentoo.org> +iptables-1.3.8-r3.ebuild: + Update for l7-filter patch to version 2.17, bug 195671, reported by <cilly + AT cilly.mine.nu>. + + 17 Dec 2007; Raúl Porcel <armin76@gentoo.org> iptables-1.3.8-r2.ebuild: + alpha/ia64/sparc stable wrt #201909 + + 15 Dec 2007; Samuli Suominen <drac@gentoo.org> iptables-1.3.8-r2.ebuild: + amd64 stable wrt #201909 + + 14 Dec 2007; Jeroen Roovers <jer@gentoo.org> iptables-1.3.8-r2.ebuild: + Stable for HPPA (bug #201909). + + 12 Dec 2007; Markus Rothe <corsair@gentoo.org> iptables-1.3.8-r2.ebuild: + Stable on ppc64; bug #201909 + + 11 Dec 2007; Christian Faulhammer <opfer@gentoo.org> + iptables-1.3.8-r2.ebuild: + stable x86, bug 201909 + + 06 Oct 2007; Tom Gall <tgall@gentoo.org> iptables-1.3.8-r1.ebuild: + stable on ppc64 bug #190198 + + 17 Sep 2007; Chris Gianelloni <wolf31o2@gentoo.org> + iptables-1.3.8-r1.ebuild: + Stable on amd64 wrt bug #190198. + + 30 Aug 2007; Raúl Porcel <armin76@gentoo.org> iptables-1.3.8-r1.ebuild: + alpha/ia64 stable wrt #190198 + + 30 Aug 2007; Christian Birchinger <joker@gentoo.org> + iptables-1.3.8-r1.ebuild: + Added sparc stable keyword + + 30 Aug 2007; Jeroen Roovers <jer@gentoo.org> iptables-1.3.8-r1.ebuild: + Stable for HPPA (bug #190198). + + 28 Aug 2007; Jurek Bartuszek <jurek@gentoo.org> iptables-1.3.8-r1.ebuild: + x86 stable (bug #190198) + + 28 Aug 2007; nixnut <nixnut@gentoo.org> iptables-1.3.8-r1.ebuild: + Stable on ppc wrt bug 190198 + +*iptables-1.3.8-r2 (25 Aug 2007) + + 25 Aug 2007; Mike Frysinger <vapier@gentoo.org> +iptables-1.3.8-r2.ebuild: + Make sure we set KERNEL_DIR to right include path for linux-headers #188873 + by Darren Dale and start pushing crappy patchset addons to the user so + maintenance is their problem #155243. 
+ + 13 Aug 2007; Tobias Scherbaum <dertobi123@gentoo.org> + iptables-1.3.7.ebuild: + ppc. stable + + 09 Aug 2007; Daniel Black <dragonheart@gentoo.org> + iptables-1.3.8-r1.ebuild: + latest l7 version - no patch change appart from naming it correctly + +*iptables-1.3.8-r1 (07 Jul 2007) + + 07 Jul 2007; Daniel Black <dragonheart@gentoo.org> + +iptables-1.3.8-r1.ebuild: + l7 & imq patch update as per bug ##184164 thanks to cilly + +*iptables-1.3.8 (25 Jun 2007) + + 25 Jun 2007; Mike Frysinger <vapier@gentoo.org> +iptables-1.3.8.ebuild: + Version bump #183146 by Blu3. + + 12 May 2007; Joshua Kinard <kumba@gentoo.org> iptables-1.3.7.ebuild: + Stable on mips. + + 09 May 2007; Roy Marples <uberlord@gentoo.org> + +files/iptables-1.3.7-test-dir.patch, iptables-1.3.7.ebuild: + Fix Makefile for non bash shells. + + 06 May 2007; Marius Mauch <genone@gentoo.org> iptables-1.3.5-r4.ebuild, + iptables-1.3.6.ebuild, iptables-1.3.6-r1.ebuild, iptables-1.3.7.ebuild: + Replacing einfo with elog/ewarn + + 08 Apr 2007; Mike Frysinger <vapier@gentoo.org> + +files/iptables-1.3.7-kernel-dir.patch, iptables-1.3.7.ebuild: + By default, let the toolchain worry about kernel header location #172209 by + Karl Hiramoto. + + 04 Apr 2007; Gustavo Zacarias <gustavoz@gentoo.org> iptables-1.3.7.ebuild: + Stable on sparc + + 10 Mar 2007; Roy Marples <uberlord@gentoo.org> files/iptables-1.3.2.init: + Remove bashisms from init script, #170085 thanks to Natanael Copa. + + 08 Mar 2007; Gustavo Zacarias <gustavoz@gentoo.org> + +files/iptables-1.3.7-sparc64.patch, iptables-1.3.7.ebuild: + Fix for #166201 + + 28 Feb 2007; Daniel Black <dragonheart@gentoo.org> + +files/1.3.5-files/iptables-1.3.5-linux-headers.patch, + iptables-1.3.5-r4.ebuild: + fix USE=extensions problem with linux-headers - bug #156723. 
Thanks for the + tip Paul Hewlett in bug #165590 + + 06 Feb 2007; Daniel Black <dragonheart@gentoo.org> + -files/1.2.11-files/iptables-layer7-0.9.0.patch, + -files/1.2.11-files/grsecurity-1.2.8-iptables.patch, + -files/ip6tables-1.2.9-r1.confd, -files/iptables-1.2.9-r1.confd, + -files/1.2.11-files/install_all_dev_files.patch, + -files/ip6tables-1.2.9-r1.init, -files/1.2.11-files/round-robin.patch, + -files/1.2.11-files/iptables-1.2.9-imq1.diff, + -files/iptables-1.2.9-r1.init, -files/1.2.11-files/CAN-2004-0986.patch, + -files/1.2.11-files/install_ipv6_apps.patch, -iptables-1.2.11-r3.ebuild, + -iptables-1.3.5-r1.ebuild, -iptables-1.3.5-r2.ebuild, + -iptables-1.3.5-r3.ebuild: + cleanout + + 06 Feb 2007; Daniel Black <dragonheart@gentoo.org> iptables-1.3.7.ebuild: + l7 now at 2.9 - no code change just different tarball. Bumping to avoid + extra downloads or something. Bug #161809 thanks cilly + + 20 Jan 2007; Alexander H. Færøy <eroyf@gentoo.org> + iptables-1.3.5-r4.ebuild: + Stable on MIPS; bug #149643 + + 30 Dec 2006; Mike Frysinger <vapier@gentoo.org> + +files/iptables-1.3.7-more-exact-check-grep.patch, iptables-1.3.7.ebuild: + Dont abort check target when uname contains -g #159162 by Sergey Borodich. + + 22 Dec 2006; Daniel Black <dragonheart@gentoo.org> iptables-1.3.7.ebuild: + l7filter - changed to 2.8 patch - exactly the same as 2.6 but this way the + user doesn't need to download both versions of l7-filter to get it working. + +*iptables-1.3.7 (14 Dec 2006) + + 14 Dec 2006; Mike Frysinger <vapier@gentoo.org> +iptables-1.3.7.ebuild: + Version bump #157850 by Blu3. + + 11 Nov 2006; Mike Frysinger <vapier@gentoo.org> + files/ip6tables-1.3.2.confd, files/iptables-1.3.2.confd, + files/iptables-1.3.2.init: + Set policy to ACCEPT before flushing chains in init.d stop() as proposed by + Max Hacking #154269. + + 21 Oct 2006; Thomas Cort <tcort@gentoo.org> iptables-1.3.5-r4.ebuild: + Stable on alpha wrt Bug #149643. 
+ + 14 Oct 2006; Aron Griffis <agriffis@gentoo.org> iptables-1.3.5-r4.ebuild: + Mark 1.3.5-r4 stable on ia64. #149643 + +*iptables-1.3.6-r1 (07 Oct 2006) + + 07 Oct 2006; Mike Frysinger <vapier@gentoo.org> +iptables-1.3.6-r1.ebuild: + Update l7-filter support #150124. + + 03 Oct 2006; Chris Gianelloni <wolf31o2@gentoo.org> + iptables-1.3.5-r4.ebuild: + Stable on x86 wrt bug #141688. + + 03 Oct 2006; Simon Stelling <blubb@gentoo.org> iptables-1.3.5-r4.ebuild: + stable on amd64 + + 01 Oct 2006; Tobias Scherbaum <dertobi123@gentoo.org> + iptables-1.3.5-r4.ebuild: + hppa stable, bug #149643 + + 01 Oct 2006; Markus Rothe <corsair@gentoo.org> iptables-1.3.5-r4.ebuild: + Stable on ppc64; bug #149643 + + 30 Sep 2006; <nixnut@gentoo.org> iptables-1.3.5-r4.ebuild: + Stable on ppc wrt bug 149643 + + 30 Sep 2006; Jason Wever <weeve@gentoo.org> iptables-1.3.5-r4.ebuild: + Stable on SPARC wrt bug #149643. + +*iptables-1.3.6 (30 Sep 2006) + + 30 Sep 2006; Mike Frysinger <vapier@gentoo.org> +iptables-1.3.6.ebuild: + Version bump #149438 by Brett. + + 23 Sep 2006; Mike Frysinger <vapier@gentoo.org> + +files/1.3.5-files/iptables-1.3.5-log-prefix-no-empty-strings.patch, + iptables-1.3.5-r4.ebuild: + Fix silly segfault when using --log-prefix="" #148169 by tla. + + 04 Sep 2006; Joshua Kinard <kumba@gentoo.org> iptables-1.3.5-r1.ebuild: + Marked stable on mips. + + 28 Jul 2006; Martin Schlemmer <azarah@gentoo.org> + iptables-1.3.5-r4.ebuild: + Fix USE=extensions to actually build the extra extensions. + +*iptables-1.3.5-r4 (28 Jul 2006) + + 28 Jul 2006; Martin Schlemmer <azarah@gentoo.org> + +iptables-1.3.5-r4.ebuild: + Add extensions USE flag back for misc patch-o-matic extensions. Bump + l7filter patch to 2.3. + +*iptables-1.3.5-r3 (09 Jul 2006) + + 09 Jul 2006; Daniel Black <dragonheart@gentoo.org> + +files/1.3.5-files/iptables-1.3.5-errno.patch, +iptables-1.3.5-r3.ebuild: + separated extensions patch as promised to vapier/hansmi/wolf31o2(?). 
Added + upstream patch for errnum (bug #139726) thanks to Rance Hall and upstream + dev Daniel + + 12 Jun 2006; Chris Gianelloni <wolf31o2@gentoo.org> + iptables-1.3.5-r1.ebuild: + Stable on x86 wrt bug #135380. + + 11 Jun 2006; Simon Stelling <blubb@gentoo.org> iptables-1.3.5-r1.ebuild: + stable on amd64 + + 10 Jun 2006; <nixnut@gentoo.org> iptables-1.3.5-r1.ebuild: + Stable on ppc; bug #135380 + + 09 Jun 2006; Guy Martin <gmsoft@gentoo.org> iptables-1.3.5-r1.ebuild: + Stable on hppa. + + 08 Jun 2006; Jason Wever <weeve@gentoo.org> iptables-1.3.5-r1.ebuild: + Stable on SPARC wrt bug #135380. + + 08 Jun 2006; Thomas Cort <tcort@gentoo.org> iptables-1.3.5-r1.ebuild: + Stable on alpha wrt Bug #135380. + + 08 Jun 2006; Markus Rothe <corsair@gentoo.org> iptables-1.3.5-r1.ebuild: + Stable on ppc64; bug #135380 + +*iptables-1.3.5-r2 (04 Jun 2006) + + 04 Jun 2006; Daniel Black <dragonheart@gentoo.org> iptables-1.3.5-r2.ebuild: + update l7-filter patch version + +*iptables-1.3.5-r1 (02 May 2006) + + 02 May 2006; Daniel Black <dragonheart@gentoo.org> + +iptables-1.3.5-r1.ebuild: + layer7 filtering patch version bump. + +*iptables-1.3.5 (04 Feb 2006) + + 04 Feb 2006; Mike Frysinger <vapier@gentoo.org> +iptables-1.3.5.ebuild: + Version bump #121392 by Michail Baikov. + + 06 Jan 2006; Daniel Black <dragonheart@gentoo.org> iptables-1.3.4.ebuild: + changing l7 filter from 2.0_beta to 2.0 - only change in the iptables patch + was an error message change + + 18 Dec 2005; Markus Rothe <corsair@gentoo.org> iptables-1.3.4.ebuild: + Stable on ppc64 + + 09 Dec 2005; Bryan Østergaard <kloeri@gentoo.org iptables-1.3.4.ebuild: + Stable on alpha. + + 19 Nov 2005; Marcus D. Hanwell <cryos@gentoo.org> iptables-1.3.4.ebuild: + Stable on amd64. + + 18 Nov 2005; Michael Hanselmann <hansmi@gentoo.org> iptables-1.3.4.ebuild: + Stable on hppa, ppc. 
+ + 14 Nov 2005; Gustavo Zacarias <gustavoz@gentoo.org> iptables-1.3.4.ebuild: + Stable on sparc + + 13 Nov 2005; Mark Loeser <halcy0n@gentoo.org> iptables-1.3.4.ebuild: + Stable on x86; bug #112351 + +*iptables-1.3.4 (05 Nov 2005) + + 05 Nov 2005; Mike Frysinger <vapier@gentoo.org> +iptables-1.3.4.ebuild: + Version bump to fix #110758 by Brian Kroth. + + 15 Oct 2005; Daniel Black <dragonheart@gentoo.org> + -files/1.2.7a-files/01_all_grsecurity.patch.bz2, + -files/1.2.7a-files/02_all_imq.patch.bz2, + -files/1.2.7a-files/03_all_mac_fix.patch.bz2, + -files/1.2.7a-files/04_all_no_optimize_fix.patch.bz2, + -files/1.2.9-files/01_all_grsecurity.patch.bz2, + -files/1.2.9-files/02_all_imq.patch.bz2, + -files/1.2.9-files/03_hppa_gentoo.patch.bz2, + -files/1.2.9-files/04_all_install_ipv6_apps.patch.bz2, + -files/1.2.9-files/05_all_install_all_dev_files.patch.bz2, + -files/1.2.9-files/06_all_l7.patch.bz2, + -files/1.2.9-files/sparc64_limit_fix.patch.bz2, -files/ip6tables.confd, + -files/iptables-1.2.7a-hppa.diff, -files/sparc64_limit_fix.patch.bz2, + -files/ip6tables.init, -files/iptables-1.2.9-hppa.patch.bz2, + -files/iptables.confd, -files/iptables.init, -iptables-1.2.7a-r3.ebuild, + -iptables-1.2.9.ebuild, -iptables-1.2.9-r1.ebuild, + -iptables-1.2.9-r4.ebuild, -iptables-1.3.1-r4.ebuild, + -iptables-1.3.3.ebuild: + cleanout of old version and patches + +*iptables-1.3.3-r2 (25 Sep 2005) + + 25 Sep 2005; Daniel Black <dragonheart@gentoo.org> iptables-1.3.3-r2.ebuild: + updated to use l7-filter-2.0-beta + +*iptables-1.3.3-r1 (17 Sep 2005) + + 17 Sep 2005; Daniel Black <dragonheart@gentoo.org> + +iptables-1.3.3-r1.ebuild: + updated to use l7-filter-1.5 - bug #106009 + + 15 Sep 2005; Aron Griffis <agriffis@gentoo.org> iptables-1.3.2.ebuild: + Mark 1.3.2 stable on alpha + + 03 Sep 2005; Markus Rothe <corsair@gentoo.org> iptables-1.3.2.ebuild: + Stable on ppc64 + + 02 Sep 2005; Michael Hanselmann <hansmi@gentoo.org> iptables-1.3.2.ebuild: + Stable on ppc. 
+ + 18 Aug 2005; Gustavo Zacarias <gustavoz@gentoo.org> iptables-1.3.2.ebuild: + Stable on sparc + +*iptables-1.3.3 (16 Aug 2005) + + 16 Aug 2005; Robin H. Johnson <robbat2@gentoo.org> +iptables-1.3.3.ebuild: + Bug #102682, version bump. + + 08 Aug 2005; Aaron Walker <ka0ttic@gentoo.org> iptables-1.3.1-r4.ebuild, + iptables-1.3.2.ebuild: + Re-added ~mips for bug 91285. + +*iptables-1.3.2 (12 Jul 2005) + + 12 Jul 2005; Mike Frysinger <vapier@gentoo.org> + +files/ip6tables-1.3.2.confd, +files/iptables-1.3.2.confd, + +files/iptables-1.3.2.init, +iptables-1.3.2.ebuild: + Version bump #98641 by Lars (Polynomial-C). Unified the iptables/ip6tables + init.d scripts. Added a new 'panic' option to init.d #72033 by Colin + Kingsley. Warn about issues upgrading from 1.2.x to 1.3.x #92535 by Volkov + Peter. + +*iptables-1.3.1-r4 (05 May 2005) + + 05 May 2005; Mike Frysinger <vapier@gentoo.org> + files/iptables-1.2.9-r1.init, files/iptables.init, metadata.xml, + -iptables-1.3.1-r3.ebuild, +iptables-1.3.1-r4.ebuild: + Make sure /var/lib/iptables/rules-saves is only read/writable by root #91468 + by eromang. + + 03 May 2005; Stephanie Lockwood-Childs <wormo@gentoo.org> + iptables-1.3.1-r3.ebuild: + mark ~ppc wrt #91285 + + 03 May 2005; Herbie Hopkins <herbs@gentoo.org> iptables-1.3.1-r3.ebuild: + Multilib fixes. + + 03 May 2005; Omkhar Arasaratnam <omkhar@gentoo.org> + iptables-1.3.1-r3.ebuild: + Keyworded ~ppc64 wrt #91285 + + 03 May 2005; Jan Brinkmann <luckyduck@gentoo.org> + iptables-1.3.1-r3.ebuild: + (re-)added ~amd64 to KEYWORDS wrt #91285 + + 03 May 2005; Gustavo Zacarias <gustavoz@gentoo.org> + iptables-1.3.1-r3.ebuild: + Keyworded ~sparc wrt #91285 + +*iptables-1.3.1-r3 (03 May 2005) + + 03 May 2005; Robin H. Johnson <robbat2@gentoo.org> : + iptables-1.3.1-r2.ebuild, +iptables-1.3.1-r3.ebuild + Clean up 1.3.1 ebuilds, and forcable mark as KEYWORDS=~x86 ONLY, as I want + arches to test it first. 
+ +*iptables-1.3.1-r2 (21 Apr 2005) + + 21 Apr 2005; Daniel Black <dragonheart@gentoo.org> -iptables-1.3.1.ebuild, + -iptables-1.3.1-r1.ebuild, +iptables-1.3.1-r2.ebuild: + As per bug #89500 removed old iptables-1.3* due to memory leak in the l7 + filter section. Revision bump includes l7 filter 1.2. + + 28 Mar 2005; Jeremy Huddleston <eradicator@gentoo.org> + iptables-1.2.11-r3.ebuild, iptables-1.3.1-r1.ebuild: + Use proper toolchain compiler. + + 28 Mar 2005; Daniel Black <dragonheart@gentoo.org> iptables-1.3.1-r1.ebuild, + iptables-1.3.1.ebuild: + added conditional unpack on l7-filter thanks to Marcelo Góes (vanquirius) + +*iptables-1.3.1-r1 (23 Mar 2005) + + 23 Mar 2005; Daniel Black <dragonheart@gentoo.org> + +iptables-1.3.1-r1.ebuild: + revision bump to support l7-filter-1.1. Doco fixes included + +*iptables-1.3.1 (09 Mar 2005) + + 09 Mar 2005; Robin H. Johnson <robbat2@gentoo.org> + +files/1.3.1-files/grsecurity-1.2.8-iptables.patch-1.3.1.bz2, + +files/1.3.1-files/install_all_dev_files.patch-1.3.1.bz2, + +files/1.3.1-files/install_ipv6_apps.patch.bz2, + +files/1.3.1-files/iptables-1.3.1-compilefix.patch, + +iptables-1.3.1.ebuild: + Bug #80556, initial work, lots of changes here. This is hardmasked for + testing still. It didn't compile against my mm-sources kernel, but does + compile against a stock kernel. + + 29 Dec 2004; Ciaran McCreesh <ciaranm@gentoo.org> : + Change encoding to UTF-8 for GLEP 31 compliance + + 09 Nov 2004; Aron Griffis <agriffis@gentoo.org> iptables-1.2.11-r3.ebuild: + stable on ia64 + + 08 Nov 2004; Markus Rothe <corsair@gentoo.org> iptables-1.2.11-r3.ebuild: + Stable on ppc64; bug #70240 + + 08 Nov 2004; Simon Stelling <blubb@gentoo.org> iptables-1.2.11-r3.ebuild: + stable for security reasons (bug #70240) + + 08 Nov 2004; Bryan Østergaard <kloeri@gentoo.org> + iptables-1.2.11-r3.ebuild: + Stable on alpha, bug 70240. 
+ + 08 Nov 2004; <SeJo@gentoo.org> iptables-1.2.11-r3.ebuild: + stable on ppc gsla: 70240 + + 07 Nov 2004; Olivier Crete <tester@gentoo.org> iptables-1.2.11-r3.ebuild: + Stable on x86 per security bug #70240 + + 07 Nov 2004; Jason Wever <weeve@gentoo.org> iptables-1.2.11-r3.ebuild: + Stable on sparc wrt security bug #70240. + + 07 Nov 2004; Joshua Kinard <kumba@gentoo.org> iptables-1.2.11-r3.ebuild: + Marked stable on mips. + + 07 Nov 2004; Joshua Kinard <kumba@gentoo.org> iptables-1.2.11-r2.ebuild: + Marked stable on mips. + +*iptables-1.2.11-r3 (06 Nov 2004) + + 06 Nov 2004; <solar@gentoo.org> +files/1.2.11-files/CAN-2004-0986.patch, + +iptables-1.2.11-r3.ebuild: + security bump. Exception handling error. bug 70240 + + 10 Sep 2004; Daniel Ahlberg <aliz@gentoo.org> iptables-1.2.11-r2.ebuild, + files/1.2.11-files/round-robin.patch: + Added round-robin patch, closing #60979. + + 05 Sep 2004; Guy Martin <gmsoft@gentoo.org> + -files/1.2.11-files/hppa.patch.bz2, iptables-1.2.11-r2.ebuild: + Stable on hppa. Removed no more needed hppa patch. + + 29 Aug 2004; Tom Gall <tgall@gentoo.org> iptables-1.2.11-r2.ebuild: + stable on ppc64, bug #60780 + + 22 Aug 2004; Seemant Kulleen <seemant@gentoo.org> iptables-1.2.11-r2.ebuild, + iptables-1.2.9-r1.ebuild, iptables-1.2.9-r4.ebuild, iptables-1.2.9.ebuild: + fix spelling error. Thanks to: Kurt McKee <kurtmckee@northwestern.edu> in bug + #61325 + + 22 Aug 2004; Bryan Østergaard <kloeri@gentoo.org> iptables-1.2.11-r2.ebuild: + Stable on alpha. + + 20 Aug 2004; Gustavo Zacarias <gustavoz@gentoo.org> + iptables-1.2.11-r2.ebuild: + Stable on sparc + + 18 Aug 2004; Daniel Ahlberg <aliz@gentoo.org> iptables-1.2.11-r2.ebuild, + files/ip6tables-1.2.9-r1.confd, files/ip6tables-1.2.9-r1.init, + files/iptables-1.2.9-r1.confd, files/iptables-1.2.9-r1.init: + Enable saving state when stopping service, closing #60680. + Unmasking on x86 and amd64. 
+ + 10 Jul 2004; Daniel Ahlberg <aliz@gentoo.org> files/ip6tables.init: + Fix typo in init file, closing #56537. + + 05 Jul 2004; Michal Januszewski <spock@gentoo.org> + iptables-1.2.11-r2.ebuild: + Fixed problems with iptables installing into /usr/local/sbin/. + + 04 Jul 2004; Daniel Ahlberg <aliz@gentoo.org> iptables-1.2.11-r2.ebuild: + + Fix installation path, initscript and config script. Closing #55978. + + Fix dependencies. Closing #55605 + + 04 Jul 2004; Daniel Ahlberg <aliz@gentoo.org> iptables-1.2.9-r4.ebuild: + + Fix dependencies. Closing #55605 + + 03 Jul 2004; Seemant Kulleen <seemant@gentoo.org> iptables-1.2.11-r2.ebuild: + sed statement fix, thanks to x1bncwn in #gentoo + +*iptables-1.2.9-r4 (03 Jul 2004) +*iptables-1.2.11-r2 (03 Jul 2004) + + 03 Jul 2004; Daniel Ahlberg <aliz@gentoo.org> iptables-1.2.11-r1.ebuild, + iptables-1.2.9-r3.ebuild: + For some reason iptables may decide to compile in the src_install section + too, make sure it compiles against the correct KERNEL_DIR. Closing #55489. + + 02 Jul 2004; Jeremy Huddleston <eradicator@gentoo.org> + iptables-1.2.11-r1.ebuild, iptables-1.2.7a-r3.ebuild, + iptables-1.2.9-r1.ebuild, iptables-1.2.9-r3.ebuild, iptables-1.2.9.ebuild: + || die's to make install to avoid problems like we see in bug #55489. + + 02 Jul 2004; Lars Weiler <pylon@gentoo.org> iptables-1.2.9-r3.ebuild: + Stable on ppc as iptables-1.2.7a-r3 does not compile any more. + + 28 Jun 2004; Daniel Ahlberg <aliz@gentoo.org> iptables-1.2.11.ebuild, + iptables-1.2.9-r3.ebuild: + Revision bump these so they propagate correctly. + +*iptables-1.2.11-r1 (28 Jun 2004) + + 28 Jun 2004; Daniel Ahlberg <aliz@gentoo.org> iptables-1.2.11.ebuild: + Version bump and updated IMQ and l7 patches. Closing #54067 and #55308. 
+ +*iptables-1.2.9-r3 (28 Jun 2004) + + 28 Jun 2004; Daniel Ahlberg <aliz@gentoo.org> iptables-1.2.9-r3.ebuild: + New revision with a new local use flag that toggles the applying of + 3rd party patches and building against linux sources. Without the new + use flag no 3rd party extensions patches will be applied and iptables + will be built against linux-headers. + + Be aware that iptables doesn't always build against the newest kernels + and manual patching may be required. + + Closing #54440 + + 28 Jun 2004; Daniel Ahlberg <aliz@gentoo.org> iptables-1.2.7a-r3.ebuild, + iptables-1.2.9-r1.ebuild, iptables-1.2.9.ebuild: + Step back to an earlier date to clean up the mess, + change "Gentoo Technologies Inc" to "Gentoo Foundation". + + 09 Jun 2004; Aron Griffis <agriffis@gentoo.org> iptables-1.2.7a-r3.ebuild, + iptables-1.2.9-r1.ebuild, iptables-1.2.9.ebuild: + Fix use invocation and replace unnecessary subshell with if..then..fi + + 07 Jun 2004; Daniel Ahlberg <aliz@gentoo.org> iptables-1.2.9-r1.ebuild: + + Only run check_KV if /usr/src/liunx is a symlink or a directory, possible + fix for #46817. + + Handle extensionpatches that was added for 1.2.9-r1. Closing #51418. + + 10 May 2004; Daniel Ahlberg <aliz@gentoo.org> iptables-1.2.9-r1.ebuild: + CFLAGS must have -O flag, closing #44204 + +*iptables-1.2.9-r1 (25 Apr 2004) + + 25 Apr 2004; Daniel Ahlberg <aliz@gentoo.org> iptables-1.2.9-r1.ebuild: + + Depend on virtual/linux-sources. + + Add static build support. + + Install all headers, patch contributed by Thomas Jacob <jacob@internet24.de>. + + l7-filter support, closing #39761. + + Made initscript run before net, closing #27087. + + Removed ipforwarding from initscripts as it doesn't belong here and added einfo about it. + + Removed some old ebuilds. 
+ + 21 Apr 2004; Daniel Ahlberg <aliz@gentoo.org> iptables-1.2.7a-r3.ebuild, + iptables-1.2.7a-r4.ebuild, iptables-1.2.8.ebuild: + Added IUSE= + + 09 Mar 2004; <agriffis@gentoo.org> iptables-1.2.9.ebuild: + stable on alpha and ia64 + + 09 Mar 2004; Daniel Ahlberg <aliz@gentoo.org> iptables-1.2.9.ebuild: + + Added einfo about kernel 2.4.21, closing #25919. + + Install ip6tables-save and ip6tables-restore, closing #39833. + + Really enable IPv6, closing #41624. + + 28 Jan 2004; <gustavoz@gentoo.org> iptables-1.2.9.ebuild: + stable on hppa and sparc + + 23 Jan 2004; Daniel Ahlberg <aliz@gentoo.org> files/iptables.init, files/ip6tables.init, iptables-1.2.9.ebuild: + Add reload support to initscript. Closing #21801. + Added note about saving your rules if upgrading. Closing #35135. + Unmasked, closing #34910. + + 21 Nov 2003; Daniel Ahlberg <aliz@gentoo.org> iptables-1.2.9.ebuild : + Replae -O0 with -O2, same as the the lack of -O flag problem. Closing #33899. + +*iptables-1.2.9 (04 Nov 2003) + + 04 Nov 2003; Daniel Ahlberg <aliz@gentoo.org> iptables-1.2.9.ebuild : + Version bump. + +*iptables-1.2.8-r2 (15 Oct 2003) + + 15 Oct 2003; John Mylchreest <johnm@gentoo.org>; iptables-1.2.8-r2.ebuild: + fixes bug #22223 + + 21 Sep 2003; Matthew Rickard <frogger@gentoo.org> iptables-1.2.8-r1.ebuild: + "-fstack-protector" breaks "iptables -p icmp". We will + filter this flag until this is fixed properly. + + 19 Sep 2003; Daniel Ahlberg <aliz@gentoo.org> files/ip6tables.init: + Closing #29087. + + 06 May 2003; Christian Birchinger <joker@gentoo.org> + iptables-1.2.8-r1.ebuild: + Added stable sparc keyword + + 05 May 2003; Daniel Ahlberg <aliz@gentoo.org> iptables-1.2.8-r1.ebuild : + Unmasked on x86. + +*iptables-1.2.8-r1 (04 May 2003) + + 02 Jul 2003; Guy Martin <gmsoft@gentoo.org> files/1.2.8-files/03_hppa_gentoo.patch.bz2, + iptables-1.2.8-r1.ebuild : + Bzipped 03_hppa_gentoo.patch.bz2 which was not. Marked stable for hppa. 
+ + 04 May 2003; Daniel Ahlberg <aliz@gentoo.org> iptables-1.2.8-r1.ebuild, files/iptables.init + files/iptables.confd, files/ip6tables.init + files/ip6tables.confd : + Fixed ipv6 support. Closes #17155. + + 04 May 2003; Daniel Ahlberg <aliz@gentoo.org> files/1.2.8-files/03_hppa_gentoo.patch.bz2 : + doh! uncompressed patch. + + 04 May 2003; Daniel Ahlberg <aliz@gentoo.org> files/iptables.init : + Removed auto saving of rules when stopping iptables. Closing #15333 + and #13673. + + 02 May 2003; Daniel Ahlberg <aliz@gentoo.org> iptables-1.2.8.ebuild : + Force -O2 if no -O flag is set. Remove 03_all_no_optimize_fix.patch.bz2. + + 19 Apr 2003; Daniel Ahlberg <aliz@gentoo.org> : + Removed 03_all_mac_fix.patch.bz2 becuse it was fixed in 1.2.8. + +*iptables-1.2.8 (19 Apr 2003) + + 19 Apr 2003; Daniel Ahlberg <aliz@gentoo.org> iptables-1.2.8.ebuild : + Version bump. + +*iptables-1.2.7a-r4 (10 Apr 2003) + + 19 apr 2003; Preston A. Elder <prez@gentoo.org> iptables-1.2.7a-r4.ebuild : + Enabled -r4 for x86 + + 10 apr 2003; Preston A. Elder <prez@gentoo.org> iptables-1.2.7a-r4.ebuild : + Added compilation of development tools + +*iptables-1.2.7a-r3 (11 Mar 2003) + + 15 Mar 2003; Jason Wever <weeve@gentoo.org> + files/sparc64_limit_fix.patch.bz2: + Added sparc64_limit_fix.patch.bz2 back into the files directory as it got lost + in the moving of iptables from sys-apps to net-firewall. 
+ + 15 Mar 2003; Jan Seidel <tuxus@gentoo.org> : + Added mips to KEYWORDS + + 11 Mar 2003; Martin Holzer <mholzer@gentoo.org> iptables-1.2.7a-r3.ebuild, + files/grsecurity-1.2.7a-iptables.patch, files/iptables-1.2.6a-imq.diff-3, + files/iptables-1.2.7a-gentoo.diff, files/iptables-1.2.7a-hppa.diff, + files/iptables-1.2.7a-imq.diff-3, files/iptables.confd, files/iptables.init, + files/1.2.7a-files/01_all_grsecurity.patch.bz2, + files/1.2.7a-files/02_all_imq.patch.bz2, + files/1.2.7a-files/03_all_mac_fix.patch.bz2, + files/1.2.7a-files/04_all_no_optimize_fix.patch.bz2: + moved from sys-apps/iptables to net-firewall/iptables + + 21 Feb 2003; Zach Welch <zwelch@gentoo.org> iptables-1.2.7a-r3.ebuild : + Added arm keyword + + 17 Feb 2003; Guy Martin <gmsoft@gentoo.org> iptables-1.2.7a-r3.ebuild : + Added patch and keyword for hppa. + +*iptables-1.2.7a-r3 (09 Jan 2003) + + 11 Mar 2003; Zach Welch <zwelch@gentoo.org> iptables-1.2.7a-r3.ebuild: + change sys-kernel/linux-headers to new virtual/os-headers + + 09 Feb 2003; Seemant Kulleen <seemant@gentoo.org> + iptables-1.2.7a-r3.ebuild : + + Sed expression delimiter from / to :, closing bug #15006 by Blu3 + <david+gentoo.org@blue-labs.org> + + 06 Feb 2003; Mark Guertin <gerk@gentoo.org> iptables-1.2.7a-r3.ebuild : + Added ppc keyword + + 10 Jan 2003; Joshua Brindle <method@gentoo.org> iptables-1.2.7a-r3.ebuild : + unmasked for x86, sparc, alpha re: bug #13466 + fixed sed string re: bug #13644 + + 09 Jan 2003; Christian Birchinger <joker@gentoo.org> : + Added new revsion with sparc64 limit rule fixes. + + 09 Jan 2003; Daniel Ahlberg <aliz@gentoo.org> files/iptables.init : + Readded save() function, closes #7752. + + 08 Jan 2003; Daniel Ahlberg <aliz@gentoo.org> files/iptables.init : + Forgot to remove save() function from initscript. + + 08 Jan 2003; Daniel Ahlberg <aliz@gentoo.org> iptables-1.2.7a-r2.ebuild : + Closes #13466. + + 07 Jan 2003; Daniel Ahlberg <aliz@gentoo.org> : + Cleaned out old files. 
+ +*iptables-1.2.7a-r2 (07 Jan 2003) + + 07 Jan 2003; Daniel Ahlberg <aliz@gentoo.org> iptables-1.2.7a-r2.ebuild, files/iptables.init, + files/iptables.confd : + Closes #13366, #13144 and #10424. Added new patching method and made installation prettier. + +*iptables-1.2.7a-r1 (10 Dec 2002) + + 10 Dec 2002; Joshua Beindle <method@gentoo.org> iptables-1.2.7a-r1.ebuild : + Added grsecurity stealth module patch + + 06 Dec 2002; Rodney Rees <manson@gentoo.org> : changed sparc ~sparc keywords + +*iptables-1.2.7a (27 Aug 2002) + + 20 Nov 2002; Daniel Ahlberg <aliz@gentoo.org> iptables-1.2.7a.ebuild : + Added patch for iptables-restore. Contributed by fridtjof@fbunet.de in #10736. + + 25 Sep 2002; Daniel Ahlberg <aliz@gentoo.org> files/iptables-1.2.7a-imq.diff-3 : + Closes #8046. + + 23 Sep 2002; Jack Morgan <jmorgan@gentoo.org> iptables-1.2.7a.ebuild : + Added sparc/sparc64 keywords + + 09 Sep 2002; Daniel Ahlberg <aliz@gentoo.org> iptables-1.2.7a.ebuild : + Cleaned up configurationfiles and ebuild, added blocke's changes to -r1 into this version. + + 08 Sep 2002; Bruce A. Locke <blocke@shivan.org> iptables-1.2.6a-r3.ebuild, iptables-1.2.7a-r2, files/iptables.confd-2, files/iptables.init-2 + Fix #2355. Forwarding is disabled on script stop and only turned on + during script start if conf.d/iptables settings are enabled. + + 01 Sep 2002; Daniel Ahlberg <aliz@gentoo.org> iptables-1.2.7a.ebuild : + Added better handling of stopping iptables as described in #6949. + Suggested and submitted by Frederic Jolliton <fred@jolliton.com>. + + 30 Aug 2002; Daniel Ahlberg <aliz@gentoo.org> iptables-1.2.7a.ebuild : + Added the IMQ patch to 1.2.7a. + + 27 Aug 2002; Daniel Ahlberg <aliz@gentoo.org> iptables-1.2.7a.ebuild : New + upstream version to fix the bugs introduced in 1.2.7. + +*iptables-1.2.6a-r3 + + 08 Sep 2002; Bruce A. Locke <blocke@shivan.org> iptables-1.2.6a-r3.ebuild, iptables-1.2.7a-r2, files/iptables.confd-2, files/iptables.init-2 + Fix #2335. 
Forwarding is disabled on script stop and only turned on + during script start if conf.d/iptables settings are enabled. + +*iptables-1.2.6a-r2 (29 Aug 2002) + + 29 Aug 2002; Daniel Robbins <drobbins@gentoo.org> new rev of iptables-1.2.6a + adding support for IMQ (intermediate queueing device.) See + http://luxik.cdi.cz/~patrick/imq/ for more information. + +*iptables-1.2.7.ebuild (17 Aug 2002) + + 17 Aug 2002; Daniel Ahlberg <aliz@gentoo.org> iptables-1.2.7.ebuild : Version + bump. Christian Parpart <cparpart@surakware.net> brought this to our + attention. + +*iptables-1.2.6a-r1.ebuild (14 July 2002) + + 14 Jul 2002; phoen][x <phoenix@gentoo.org> iptables-1.2.6a.ebuild : + Added KEYWORDS. + + 14 Jul 2002; phoen][x <phoenix@gentoo.org> iptables-1.2.6a-r1.ebuild : + Added KEYWORDS. + +*iptables-1.2.4-r1.ebuild (14 July 2002) + + 14 Jul 2002; phoen][x <phoenix@gentoo.org> iptables-1.2.4-r1.ebuild : + Added KEYWORDS, SLOT. + +*iptables-1.2.6a (13 Apr 2002) + + 13 Apr 2002; Seemant Kulleen <seemant@gentoo.org> iptables-1.2.6a.ebuild : + + gaarde@yahoo.com (Paul Belt) in bug #1670 submitted the update. + +*iptables-1.2.5-r1 (20 Mar 2002) + + 14 Jul 2002; phoen][x <phoenix@gentoo.org> iptables-1.2.5.ebuild : + Added KEYWORDS, SLOT. + + 14 Jul 2002; phoen][x <phoenix@gentoo.org> iptables-1.2.5-r1.ebuild : + Added KEYWORDS. + + 20 Mar 2002; Daniel Robbins <drobbins@gentoo.org> : iptables *requires* + kernel sources to compile. Before, we got away without them since we had a + /usr/include/linux/autoconf.h. Now we don't, and this means that we need a + source tree handy. Sad but true, and apparently the right thing to do. + +*iptables-1.2.5 (1 Feb 2002) + + 1 Feb 2002; G.Bevin <gbevin@gentoo.org> ChangeLog : + + Added initial ChangeLog which should be updated whenever the package is + updated in any way. This changelog is targetted to users. This means that the + comments should well explained and written in clean English. 
The details about + writing correct changelogs are explained in the skel.ChangeLog file which you + can find in the root directory of the portage repository.
diff --git a/net-firewall/iptables/Manifest b/net-firewall/iptables/Manifest
new file mode 100644
index 0000000..767f8a1
--- /dev/null
+++ b/net-firewall/iptables/Manifest
@@ -0,0 +1,23 @@ +AUX 1.3.1-files/grsecurity-1.2.8-iptables.patch-1.3.1 1315 RMD160 3665aaa6788261f16372c1e34810fe99fd60453c SHA1 b3c88dc5ceebc15aca73fcc02afdf8d0fa6a389f SHA256 f86e32f84af0e68b927b712a60e5d02d1bc27972537f476c71a311711fdcfc12 +AUX 1.3.1-files/install_all_dev_files.patch-1.3.1 2748 RMD160 9df4ee7b0a26e83b02ef6cbe071d00841d9a070b SHA1 c854c1d520a923d1616ba1d374bfa5729a122767 SHA256 c61769413e3a71e008f927b0639d26db6586f921f371a89b3db0e892d064af28 +AUX 1.3.1-files/install_ipv6_apps.patch 826 RMD160 505c5832d20fad96839936da900a12b5f4209045 SHA1 6e5808694e17002f2312ea9a45b46fb577694a83 SHA256 0a7f666962e586b2be8d2d3d2947497b3e3837c78b57056ce065455518c78722 +AUX ip6tables-1.3.2.confd 293 RMD160 2e5399355a930ab3c804c9cc46fe37763555a97e SHA1 0e82dbe8538f9168bb97939a03b73dd291e82760 SHA256 c93827ac2b8fdd83e2c36788053ee7567ceb13b3cbc5fcf40d186500e05c8104 +AUX iptables-1.3.2.confd 290 RMD160 cb180068f86a608b16d850635ae909ea7b9cc059 SHA1 cb56dba4799eb3998b28e492c61265574c37d522 SHA256 351e123ba9e0ec7db2bcff42849aa627d29a3b2e77a47b82386f5e3a7e21bd30 +AUX iptables-1.3.2.init 2570 RMD160 84d06807fae0455009476cfa63dfcda9fe016dc3 SHA1 da7c4fca4049c4d3f45e32d29403c8bb05047f15 SHA256 1137517483c0d312e3d396d953e9ee197b84f64ed17adfd48f25dbb60e114697 +AUX iptables-1.3.7-kernel-dir.patch 552 RMD160 4d4b4444c5eb91b7bd24829b1d564263a540d5ef SHA1 8949bcafbc899878023a68b16452557a49a88f63 SHA256 13e7108c871fc4203abea57f711010a125fd1856c68f94a5dfd40613f8f27d6a +AUX iptables-1.3.7-sparc64.patch 629 RMD160 15655e9ef5047055f9930de11d313e7e9377f083 SHA1 7ca7c7d54840c94a3bd4054f0e0ef38067937b49 SHA256 cd76d6b43d55f77df0af7ad493df3f6f07756b1e410121a2a6045a97b7ce7647 +AUX iptables-1.3.8-tarpit.diff 4298 RMD160 fa87efb2a6a5c546f5aef0d41efb5f01e0f2618b SHA1 fdb7a25660a185e830e9b10a77b54cc8c6678e8b SHA256 4a655aff0af1a76c42b363c3b4de681ca7143973de0873a05b4c8c64ecef20b2 +AUX iptables-1.4.0-dev-files.patch 1523 RMD160 ad3dd979f20f87d78bc19f6cf906bc2fc6206389 SHA1 
c0f8e615c65dd43e9b25bcf3c7f44e9f32b7b6fd SHA256 bce920b13a4b94411f23177fb03ca19084508c6121de634d7de1df19bb468afa +AUX iptables-1.4.0-in6-glibc-2.8.patch 707 RMD160 fe02ae798356522734237fee1bd4b6c9efa47437 SHA1 5c929e66e1176dd3aba6bb4bae8964d2c0bc9891 SHA256 d6bd6fb4fc9002a9aad2bd41830d50610486c200ea5ff104bb691f5da8ff62a8 +AUX iptables-1.4.0-tarpit.diff 4363 RMD160 54c0648ab711cc9ebd94198c13876e115e05c6e6 SHA1 ae3f7c7bfef2240ae95d4a45421f092c2ad8f0c1 SHA256 0fe4805ded3199cda1725cdd149984353f36f7b46aee73777fa7c5d749176151 +DIST iptables-1.3.6-imq.diff 5723 RMD160 7158923558f9ad82973cda9dbec2c10b86e13e9c SHA1 1a2d7d9bcb10e7d4e69f445d4882ab598b57855e SHA256 f507319d01dd1810b497e0700a67d8f9668dd1363b1f8e1b09097cf2bbc26ab7 +DIST iptables-1.3.8.tar.bz2 172584 RMD160 851b223eef0ca008ad1f375aa0ebdab46ff6f886 SHA1 948f361b194e989b39de4cfa3e95dbe634269ed0 SHA256 c5c8a091ed9a1fa2dab86b4d87719064b50c202e8503046f50f299a361e6211c +DIST iptables-1.4.0-imq.diff 5345 RMD160 71e012358cb0ed274feb46f862d300cf0d877818 SHA1 8e243b15c20400402d60f627a40b08957ac96c10 SHA256 e23d5bce7845cbe6fecf9e93e4e8e329948adb8282efec932d629b3bb4cb9c82 +DIST iptables-1.4.0.tar.bz2 181610 RMD160 6f6a29cbe0e55261607acc1183e04482c444286e SHA1 b61064885ab20b62d6ac2a590ea429117248d9d7 SHA256 fd9a978035e6a8f73344f986c84a222dc4ac3706b901e0c1ecae9647db5e5d52 +DIST iptables-1.4.1.1.tar.bz2 436366 RMD160 3986c7023b82037acb931c06e792f019b927fbd3 SHA1 61a8680b2aa578d1ff8d242b9ddf6b682c60eba7 SHA256 f9e11ccdf60a9f118bbee8d80dc76cf7c0c649f0e18fa34a8450df271a70b582 +DIST netfilter-layer7-v2.17.tar.gz 160408 RMD160 9823d7b411e18160dc8501a6a5d2129f75e727e1 SHA1 fd05e5b5027ec5c143f2f63f5e48c05ffea8d50f SHA256 2e2893757a3b22f2786ead2045efae1d6a52942a89d0159c39ba907531b60c01 +EBUILD iptables-1.3.8-r3.ebuild 7346 RMD160 3706b557665be12553a72ff7bda8ee0822ee1ff8 SHA1 a0a44a8ae6d26dc100ea772c7c3faed098f82cc8 SHA256 cfadef0120586403fd23907f53001537014ce0dad295fb40719e22f3b97388f8 +EBUILD iptables-1.4.0-r1.ebuild 6453 RMD160 
0c26a572802f7b8dc738c642bbd4e2c2e50782ba SHA1 050be05e323d3b245bcdf46f392f40e1cd5bed3e SHA256 63c7bd6254d07250f62966de42cf11ed3480472adb4721a5ddb70e11cf6391ba +EBUILD iptables-1.4.1.1.ebuild 1646 RMD160 3e0c302b1e766445b91c8bf9798089e4efa91381 SHA1 a0d2be782633920f1816a96685e43f13863ae03c SHA256 044362f3b320f1bcea7bc0ed2932bef9b47a294eb784c3f21852b895a9c57614 +MISC ChangeLog 33557 RMD160 18d371571f181573e9e777f4ccc489871e18cde2 SHA1 e18b51b548058803541534ff2f3f3af897f35b5e SHA256 f1f8da400a402c9d94a7827d5e6ef639511a52bd4d4a4dbf1a54369000b61a6b +MISC metadata.xml 1322 RMD160 a960bf567867311d3513c9171b148a9639578f9e SHA1 bdb94c29e97f5b105efcbcd2547809b47425dc97 SHA256 39df18ef3c5485b92e03c93d673bfd959c34f9ab2b4dd97bc7efc53a5e8b15d2 diff --git a/net-firewall/iptables/files/1.3.1-files/grsecurity-1.2.8-iptables.patch-1.3.1 b/net-firewall/iptables/files/1.3.1-files/grsecurity-1.2.8-iptables.patch-1.3.1 new file mode 100644 index 0000000..61b3d09 --- /dev/null +++ b/net-firewall/iptables/files/1.3.1-files/grsecurity-1.2.8-iptables.patch-1.3.1 
@@ -0,0 +1,67 @@ +--- /dev/null ++++ extensions/libipt_stealth.c +@@ -0,0 +1,64 @@ ++/* Shared library add-on to iptables to add stealth support. ++ * Copyright (C) 2002 Brad Spengler <spender@grsecurity.net> ++ * This netfilter module is licensed under the GNU GPL. ++ */ ++ ++#include <stdio.h> ++#include <netdb.h> ++#include <stdlib.h> ++#include <getopt.h> ++#include <iptables.h> ++ ++/* Function which prints out usage message. */ ++static void ++help(void) ++{ ++ printf("stealth v%s takes no options\n\n", IPTABLES_VERSION); ++} ++ ++static struct option opts[] = { ++ {0} ++}; ++ ++/* Initialize the match. */ ++static void ++init(struct ipt_entry_match *m, unsigned int *nfcache) ++{ ++ *nfcache |= NFC_UNKNOWN; ++} ++ ++static int ++parse(int c, char **argv, int invert, unsigned int *flags, ++ const struct ipt_entry *entry, ++ unsigned int *nfcache, ++ struct ipt_entry_match **match) ++{ ++ return 0; ++} ++ ++static void ++final_check(unsigned int flags) ++{ ++ return; ++} ++ ++static ++struct iptables_match stealth = { ++ .next = NULL, ++ .name = "stealth", ++ .version = IPTABLES_VERSION, ++ .size = IPT_ALIGN(0), ++ .userspacesize = IPT_ALIGN(0), ++ .help = &help, ++ .init = &init, ++ .parse = &parse, ++ .final_check = &final_check, ++ .print = NULL, ++ .save = NULL, ++ .extra_opts = opts ++}; ++ ++void _init(void) ++{ ++ register_match(&stealth); ++} diff --git a/net-firewall/iptables/files/1.3.1-files/install_all_dev_files.patch-1.3.1 b/net-firewall/iptables/files/1.3.1-files/install_all_dev_files.patch-1.3.1 new file mode 100644 index 0000000..d60b453 --- /dev/null +++ b/net-firewall/iptables/files/1.3.1-files/install_all_dev_files.patch-1.3.1 
@@ -0,0 +1,80 @@ +--- iptables-1.3.1/Makefile ++++ iptables-1.3.1/Makefile +@@ -38,8 +38,10 @@ + CFLAGS += -DNO_SHARED_LIBS=1 + endif + +-EXTRAS+=iptables iptables.o iptables.8 ++EXTRAS+=iptables iptables.o iptables.8 libiptables.a + EXTRA_INSTALLS+=$(DESTDIR)$(BINDIR)/iptables $(DESTDIR)$(MANDIR)/man8/iptables.8 ++DEVEL_HEADERS+=include/iptables.h include/iptables_common.h ++DEVEL_LIBS+=libiptables.a + + # No longer experimental. + ifneq ($(DO_MULTI), 1) +@@ -48,10 +50,12 @@ + EXTRA_INSTALLS+=$(DESTDIR)$(BINDIR)/iptables-save $(DESTDIR)$(BINDIR)/iptables-restore $(DESTDIR)$(MANDIR)/man8/iptables-restore.8 $(DESTDIR)$(MANDIR)/man8/iptables-save.8 + + ifeq ($(DO_IPV6), 1) +-EXTRAS+=ip6tables ip6tables.o ip6tables.8 ++EXTRAS+=ip6tables ip6tables.o ip6tables.8 libip6tables.a + EXTRA_INSTALLS+=$(DESTDIR)$(BINDIR)/ip6tables $(DESTDIR)$(MANDIR)/man8/ip6tables.8 + EXTRAS+=ip6tables-save ip6tables-restore + EXTRA_INSTALLS+=$(DESTDIR)$(BINDIR)/ip6tables-save $(DESTDIR)$(BINDIR)/ip6tables-restore # $(DESTDIR)$(MANDIR)/man8/iptables-restore.8 $(DESTDIR)$(MANDIR)/man8/iptables-save.8 $(DESTDIR)$(MANDIR)/man8/ip6tables-save.8 $(DESTDIR)$(MANDIR)/man8/ip6tables-restore.8 ++DEVEL_HEADERS+=include/ip6tables.h ++DEVEL_LIBS+=libip6tables.a + endif + + # Sparc64 hack +@@ -113,6 +117,8 @@ + print-extensions: + @[ -n "$(OPTIONALS)" ] && echo Extensions found: $(OPTIONALS) + ++libiptables.a: libiptables.a(iptables.o) ++ + iptables.o: iptables.c + $(CC) $(CFLAGS) -DIPT_LIB_DIR=\"$(IPT_LIBDIR)\" -c -o $@ $< + +@@ -154,6 +160,8 @@ + cp $< $@ + endif + ++libip6tables.a: libip6tables.a(ip6tables.o) ++ + ip6tables.o: ip6tables.c + $(CC) $(CFLAGS) -DIP6T_LIB_DIR=\"$(IPT_LIBDIR)\" -c -o $@ $< + +@@ -202,7 +210,7 @@ + .PHONY: install-devel-headers + install-devel-headers: $(DEVEL_HEADERS) + @[ -d $(DESTDIR)$(INCDIR) ] || mkdir -p $(DESTDIR)$(INCDIR) +- @cp -v $(DEVEL_HEADERS) $(DESTDIR)$(INCDIR) ++ @cp -v --parents $(DEVEL_HEADERS) `echo $(DESTDIR)$(INCDIR) | sed -e "s:/include/\?::"` + + 
.PHONY: install-devel-libs + install-devel-libs: $(DEVEL_LIBS) +--- iptables-1.3.1/libipq/Makefile ++++ iptables-1.3.1/libipq/Makefile +@@ -17,7 +17,7 @@ + + DEVEL_LIBS+=libipq/libipq.a + +-DEVEL_HEADERS+=include/libipq/libipq.h ++DEVEL_HEADERS+=include/libipq/libipq.h include/libipq/ip_queue_64.h + + ifndef TOPLEVEL_INCLUDED + local: +--- iptables-1.3.1/libiptc/Makefile ++++ iptables-1.3.1/libiptc/Makefile +@@ -16,8 +16,11 @@ + ifeq ($(DO_IPV6), 1) + EXTRA_DEPENDS+= libiptc/libip6tc.d + libiptc/libiptc.a: libiptc/libiptc.a(libiptc/libip6tc.o) ++DEVEL_HEADERS+=include/libiptc/libip6tc.h + endif + ++DEVEL_HEADERS+=include/libiptc/libiptc.h include/libiptc/ipt_kernel_headers.h ++ + libiptc/libip4tc.d libiptc/libip6tc.d: %.d: %.c + @-$(CC) -M -MG $(CFLAGS) $< | sed -e 's@^.*\.o:@$*.d libiptc/libiptc.a($*.o):@' > $@ + endif diff --git a/net-firewall/iptables/files/1.3.1-files/install_ipv6_apps.patch b/net-firewall/iptables/files/1.3.1-files/install_ipv6_apps.patch new file mode 100644 index 0000000..ac53572 --- /dev/null +++ b/net-firewall/iptables/files/1.3.1-files/install_ipv6_apps.patch @@ -0,0 +1,13 @@ +--- Makefile ++++ Makefile +@@ -63,8 +63,8 @@ + ifeq ($(DO_IPV6), 1) + EXTRAS+=ip6tables ip6tables.o + EXTRA_INSTALLS+=$(DESTDIR)$(BINDIR)/ip6tables $(DESTDIR)$(MANDIR)/man8/ip6tables.8 +-EXTRAS_EXP+=ip6tables-save ip6tables-restore +-EXTRA_INSTALLS_EXP+=$(DESTDIR)$(BINDIR)/ip6tables-save $(DESTDIR)$(BINDIR)/ip6tables-restore # $(DESTDIR)$(MANDIR)/man8/iptables-restore.8 $(DESTDIR)$(MANDIR)/man8/iptables-save.8 $(DESTDIR)$(MANDIR)/man8/ip6tables-save.8 $(DESTDIR)$(MANDIR)/man8/ip6tables-restore.8 ++EXTRAS+=ip6tables-save ip6tables-restore ++EXTRA_INSTALLS+=$(DESTDIR)$(BINDIR)/ip6tables-save $(DESTDIR)$(BINDIR)/ip6tables-restore # $(DESTDIR)$(MANDIR)/man8/iptables-restore.8 $(DESTDIR)$(MANDIR)/man8/iptables-save.8 $(DESTDIR)$(MANDIR)/man8/ip6tables-save.8 $(DESTDIR)$(MANDIR)/man8/ip6tables-restore.8 + endif + + # Sparc64 hack 
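Review bot: The install-devel-headers rule in the first hunk of this patch computes the header destination by piping `$(DESTDIR)$(INCDIR)` through `sed -e "s:/include/\?::"`, which only works when INCDIR happens to end in `/include` and silently rewrites any other path the packager set; as far as I can tell, with a different INCDIR the headers would land under an extra `include/` subdirectory. The 1.4.0 variant of this patch in the same commit achieves the same thing without string surgery, `@cd include && cp -v --parents $(patsubst include/%,%,$(DEVEL_HEADERS)) $(DESTDIR)$(INCDIR)`, and I would use that form here too for consistency between the two patches. The `--parents` flag is GNU-specific in both versions; worth a one-line comment in the patch header so nobody tries to port it to a BSD cp.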
diff --git a/net-firewall/iptables/files/ip6tables-1.3.2.confd b/net-firewall/iptables/files/ip6tables-1.3.2.confd
new file mode 100644
index 0000000..93c0bc8
--- /dev/null
+++ b/net-firewall/iptables/files/ip6tables-1.3.2.confd
@@ -0,0 +1,11 @@
+# /etc/conf.d/ip6tables
+
+# Location in which iptables initscript will save set rules on
+# service shutdown
+IP6TABLES_SAVE="/var/lib/ip6tables/rules-save"
+
+# Options to pass to iptables-save and iptables-restore
+SAVE_RESTORE_OPTIONS="-c"
+
+# Save state on stopping iptables
+SAVE_ON_STOP="yes"
diff --git a/net-firewall/iptables/files/iptables-1.3.2.confd b/net-firewall/iptables/files/iptables-1.3.2.confd
new file mode 100644
index 0000000..91287de
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-1.3.2.confd
@@ -0,0 +1,11 @@
+# /etc/conf.d/iptables
+
+# Location in which iptables initscript will save set rules on
+# service shutdown
+IPTABLES_SAVE="/var/lib/iptables/rules-save"
+
+# Options to pass to iptables-save and iptables-restore
+SAVE_RESTORE_OPTIONS="-c"
+
+# Save state on stopping iptables
+SAVE_ON_STOP="yes"
diff --git a/net-firewall/iptables/files/iptables-1.3.2.init b/net-firewall/iptables/files/iptables-1.3.2.init
new file mode 100755
index 0000000..e63d8ea
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-1.3.2.init
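Review bot: The comments in ip6tables-1.3.2.confd still describe the "iptables initscript", "iptables-save and iptables-restore" and "stopping iptables", although with SVCNAME=ip6tables the init script in this commit runs ip6tables-save and ip6tables-restore; the wording should name ip6tables. Neither this file nor iptables-1.3.2.confd says what SAVE_ON_STOP actually implies: the init script's stop() calls save before flushing, so every service stop replaces the file named above with whatever rule set is loaded at that moment, including a hand-edited or emptied one. I would extend the last comment to `# Save state on stopping ip6tables (overwrites the file above with the live rule set)` in both files so an administrator is not surprised to find a curated ruleset replaced.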
@@ -0,0 +1,114 @@
+#!/sbin/runscript
+# Copyright 1999-2007 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-firewall/iptables/files/iptables-1.3.2.init,v 1.6 2007/03/12 21:49:04 vapier Exp $
+
+opts="save reload panic"
+
+iptables_name=${SVCNAME}
+if [ "${iptables_name}" != "iptables" -a "${iptables_name}" != "ip6tables" ] ; then
+ iptables_name="iptables"
+fi
+
+iptables_bin="/sbin/${iptables_name}"
+case ${iptables_name} in
+ iptables) iptables_proc="/proc/net/ip_tables_names"
+ iptables_save=${IPTABLES_SAVE};;
+ ip6tables) iptables_proc="/proc/net/ip6_tables_names"
+ iptables_save=${IP6TABLES_SAVE};;
+esac
+
+depend() {
+ before net
+ use logger
+}
+
+set_table_policy() {
+ local chains table=$1 policy=$2
+ case ${table} in
+ nat) chains="PREROUTING POSTROUTING OUTPUT";;
+ mangle) chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING";;
+ filter) chains="INPUT FORWARD OUTPUT";;
+ *) chains="";;
+ esac
+ local chain
+ for chain in ${chains} ; do
+ ${iptables_bin} -t ${table} -P ${chain} ${policy}
+ done
+}
+
+checkkernel() {
+ if [ ! -e ${iptables_proc} ] ; then
+ eerror "Your kernel lacks ${iptables_name} support, please load"
+ eerror "appropriate modules and try again."
+ return 1
+ fi
+ return 0
+}
+checkconfig() {
+ if [ ! -f ${iptables_save} ] ; then
+ eerror "Not starting ${iptables_name}. First create some rules then run:"
+ eerror "/etc/init.d/${iptables_name} save"
+ return 1
+ fi
+ return 0
+}
+
+start() {
+ checkconfig || return 1
+ ebegin "Loading ${iptables_name} state and starting firewall"
+ ${iptables_bin}-restore ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
+ eend $?
+}
+
+stop() {
+ if [ "${SAVE_ON_STOP}" = "yes" ] ; then
+ save || return 1
+ fi
+ checkkernel || return 1
+ ebegin "Stopping firewall"
+ local a
+ for a in $(cat ${iptables_proc}) ; do
+ set_table_policy $a ACCEPT
+
+ ${iptables_bin} -F -t $a
+ ${iptables_bin} -X -t $a
+ done
+ eend $?
+}
+
+reload() {
+ checkkernel || return 1
+ ebegin "Flushing firewall"
+ local a
+ for a in $(cat ${iptables_proc}) ; do
+ ${iptables_bin} -F -t $a
+ ${iptables_bin} -X -t $a
+ done
+ eend $?
+
+ start
+}
+
+save() {
+ ebegin "Saving ${iptables_name} state"
+ touch "${iptables_save}"
+ chmod 0600 "${iptables_save}"
+ ${iptables_bin}-save ${SAVE_RESTORE_OPTIONS} > "${iptables_save}"
+ eend $?
+}
+
+panic() {
+ checkkernel || return 1
+ service_started ${iptables_name} && svc_stop
+
+ local a
+ ebegin "Dropping all packets"
+ for a in $(cat ${iptables_proc}) ; do
+ ${iptables_bin} -F -t $a
+ ${iptables_bin} -X -t $a
+
+ set_table_policy $a DROP
+ done
+ eend $?
+}
diff --git a/net-firewall/iptables/files/iptables-1.3.7-kernel-dir.patch b/net-firewall/iptables/files/iptables-1.3.7-kernel-dir.patch
new file mode 100644
index 0000000..758bc3a
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-1.3.7-kernel-dir.patch
@@ -0,0 +1,18 @@
+let the toolchain figure out the default header location
+
+http://bugs.gentoo.org/172209
+
+--- Makefile
++++ Makefile
+@@ -37,7 +37,10 @@
+ endif
+ 
+ COPT_FLAGS:=-O2
+-CFLAGS:=$(COPT_FLAGS) -Wall -Wunused -I$(KERNEL_DIR)/include -Iinclude/ -DIPTABLES_VERSION=\"$(IPTABLES_VERSION)\" #-g -DDEBUG #-pg # -DIPTC_DEBUG
++CFLAGS:=$(COPT_FLAGS) -Wall -Wunused -Iinclude/ -DIPTABLES_VERSION=\"$(IPTABLES_VERSION)\" #-g -DDEBUG #-pg # -DIPTC_DEBUG
++ifneq ($(KERNEL_DIR),)
++CFLAGS += -I$(KERNEL_DIR)/include
++endif
+ 
+ ifdef NO_SHARED_LIBS
+ CFLAGS += -DNO_SHARED_LIBS=1
diff --git a/net-firewall/iptables/files/iptables-1.3.7-sparc64.patch b/net-firewall/iptables/files/iptables-1.3.7-sparc64.patch
new file mode 100644
index 0000000..68e8164
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-1.3.7-sparc64.patch
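Review bot: save() dumps the rules with a plain redirection, `${iptables_bin}-save ${SAVE_RESTORE_OPTIONS} > "${iptables_save}"`, so the shell truncates the previous ruleset before iptables-save runs; if the dump then fails (save() does not call checkkernel, so a missing module is enough), the only saved rules are gone, and on the next boot checkconfig accepts the empty file and, as far as I can tell, iptables-restore installs nothing, leaving the host on the kernel's default ACCEPT policies. Writing to a sibling temporary with the same 0600 mode and renaming it only on success keeps the last good ruleset intact, as sketched below. A second gap is set_table_policy, whose `*) chains="";;` arm means stop() never resets and panic() never DROPs the policies of the raw table, which the TARPIT man page added in this same commit tells users to populate; `raw) chains="PREROUTING OUTPUT";;` would cover it. Both functions are complete inside this hunk.
```shell
save() {
	ebegin "Saving ${iptables_name} state"
	local tmp="${iptables_save}.tmp"
	# dump into a sibling file first so a failed save cannot truncate the last good ruleset;
	# the temporary gets 0600 before any rule text is written into it
	touch "${tmp}" && chmod 0600 "${tmp}" \
		&& ${iptables_bin}-save ${SAVE_RESTORE_OPTIONS} > "${tmp}" \
		&& mv -f "${tmp}" "${iptables_save}"
	local ret=$?
	[ ${ret} -eq 0 ] || rm -f "${tmp}"
	eend ${ret}
}
# … unchanged: reload(), panic() …
```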
@@ -0,0 +1,12 @@ +diff -Nura iptables-1.3.7/Makefile iptables-1.3.7-sparc64/Makefile +--- iptables-1.3.7/Makefile 2006-12-04 08:16:01.000000000 -0300 ++++ iptables-1.3.7-sparc64/Makefile 2007-02-13 23:01:09.000000000 -0300 +@@ -65,7 +65,7 @@ + 32bituser := $(shell echo -e "\#include <stdio.h>\n\#if !defined(__sparcv9) && !defined(__arch64__) && !defined(_LP64)\nuserspace_is_32bit\n\#endif" | $(CC) $(CFLAGS) -E - | grep userspace_is_32bit) + ifdef 32bituser + # The kernel is 64-bit, even though userspace is 32. +- CFLAGS+=-DIPT_MIN_ALIGN=8 -DKERNEL_64_USERSPACE_32 ++ CFLAGS+=-DIPT_MIN_ALIGN=8 + else + EXT_LDFLAGS+=-Wl,-m,elf64_sparc + endif diff --git a/net-firewall/iptables/files/iptables-1.3.8-tarpit.diff b/net-firewall/iptables/files/iptables-1.3.8-tarpit.diff new file mode 100644 index 0000000..c20a917 --- /dev/null +++ b/net-firewall/iptables/files/iptables-1.3.8-tarpit.diff 
@@ -0,0 +1,117 @@ +diff -uNr -r iptables-1.3.8/extensions/.TARPIT-test iptables-1.3.8-tarpit/extensions/.TARPIT-test +--- iptables-1.3.8/extensions/.TARPIT-test 1970-01-01 01:00:00.000000000 +0100 ++++ iptables-1.3.8-tarpit/extensions/.TARPIT-test 2008-10-19 17:00:58.000000000 +0200 +@@ -0,0 +1,2 @@ ++#! /bin/sh ++[ -f $KERNEL_DIR/net/netfilter/xt_TARPIT.c ] && echo TARPIT +diff -uNr -r iptables-1.3.8/extensions/Makefile iptables-1.3.8-tarpit/extensions/Makefile +--- iptables-1.3.8/extensions/Makefile 2007-03-22 01:04:36.000000000 +0100 ++++ iptables-1.3.8-tarpit/extensions/Makefile 2008-10-19 17:19:02.000000000 +0200 +@@ -6,6 +6,7 @@ + # package (HW) + # + PF_EXT_SLIB:=ah addrtype comment connmark conntrack dscp ecn esp hashlimit helper icmp iprange length limit mac mark multiport owner physdev pkttype policy realm sctp standard state tcp tcpmss tos ttl udp unclean CLASSIFY CONNMARK DNAT DSCP ECN LOG MARK MASQUERADE MIRROR NETMAP NFQUEUE NOTRACK REDIRECT REJECT SAME SNAT TCPMSS TOS TTL ULOG ++PF_EXT_SLIB+=TARPIT + PF6_EXT_SLIB:=connmark eui64 hl icmp6 length limit mac mark multiport owner physdev policy standard state tcp udp CONNMARK HL LOG NFQUEUE MARK TCPMSS + + ifeq ($(DO_SELINUX), 1) +diff -uNr -r iptables-1.3.8/extensions/libipt_TARPIT.c iptables-1.3.8-tarpit/extensions/libipt_TARPIT.c +--- iptables-1.3.8/extensions/libipt_TARPIT.c 1970-01-01 01:00:00.000000000 +0100 ++++ iptables-1.3.8-tarpit/extensions/libipt_TARPIT.c 2008-10-19 17:00:58.000000000 +0200 +@@ -0,0 +1,58 @@ ++/* Shared library add-on to iptables for TARPIT support */ ++#include <stdio.h> ++#include <getopt.h> ++#include <iptables.h> ++ ++static void ++help(void) ++{ ++ fputs( ++"TARPIT takes no options\n" ++"\n", stdout); ++} ++ ++static struct option opts[] = { ++ { 0 } ++}; ++ ++static int ++parse(int c, char **argv, int invert, unsigned int *flags, ++ const struct ipt_entry *entry, ++ struct ipt_entry_target **target) ++{ ++ return 0; ++} ++ ++static void final_check(unsigned int flags) 
++{ ++} ++ ++static void ++print(const struct ipt_ip *ip, ++ const struct ipt_entry_target *target, ++ int numeric) ++{ ++} ++ ++static void save(const struct ipt_ip *ip, const struct ipt_entry_target *target) ++{ ++} ++ ++static struct iptables_target tarpit = { ++ .next = NULL, ++ .name = "TARPIT", ++ .version = IPTABLES_VERSION, ++ .size = IPT_ALIGN(0), ++ .userspacesize = IPT_ALIGN(0), ++ .help = &help, ++ .parse = &parse, ++ .final_check = &final_check, ++ .print = &print, ++ .save = &save, ++ .extra_opts = opts ++}; ++ ++void _init(void) ++{ ++ register_target(&tarpit); ++} +diff -uNr -r iptables-1.3.8/extensions/libipt_TARPIT.man iptables-1.3.8-tarpit/extensions/libipt_TARPIT.man +--- iptables-1.3.8/extensions/libipt_TARPIT.man 1970-01-01 01:00:00.000000000 +0100 ++++ iptables-1.3.8-tarpit/extensions/libipt_TARPIT.man 2008-10-19 17:00:58.000000000 +0200 +@@ -0,0 +1,34 @@ ++Captures and holds incoming TCP connections using no local ++per-connection resources. Connections are accepted, but immediately ++switched to the persist state (0 byte window), in which the remote ++side stops sending data and asks to continue every 60-240 seconds. ++Attempts to close the connection are ignored, forcing the remote side ++to time out the connection in 12-24 minutes. ++ ++This offers similar functionality to LaBrea ++<http://www.hackbusters.net/LaBrea/> but doesn't require dedicated ++hardware or IPs. Any TCP port that you would normally DROP or REJECT ++can instead become a tarpit. ++ ++To tarpit connections to TCP port 80 destined for the current machine: ++.IP ++iptables -A INPUT -p tcp -m tcp --dport 80 -j TARPIT ++.P ++To significantly slow down Code Red/Nimda-style scans of unused address ++space, forward unused ip addresses to a Linux box not acting as a router ++(e.g. 
"ip route 10.0.0.0 255.0.0.0 ip.of.linux.box" on a Cisco), enable IP ++forwarding on the Linux box, and add: ++.IP ++iptables -A FORWARD -p tcp -j TARPIT ++.IP ++iptables -A FORWARD -j DROP ++.TP ++NOTE: ++If you use the conntrack module while you are using TARPIT, you should ++also use the NOTRACK target, or the kernel will unnecessarily allocate ++resources for each TARPITted connection. To TARPIT incoming ++connections to the standard IRC port while using conntrack, you could: ++.IP ++iptables -t raw -A PREROUTING -p tcp --dport 6667 -j NOTRACK ++.IP ++iptables -A INPUT -p tcp --dport 6667 -j TARPIT diff --git a/net-firewall/iptables/files/iptables-1.4.0-dev-files.patch b/net-firewall/iptables/files/iptables-1.4.0-dev-files.patch new file mode 100644 index 0000000..6669add --- /dev/null +++ b/net-firewall/iptables/files/iptables-1.4.0-dev-files.patch 
@@ -0,0 +1,46 @@ +install headers and make a small archive for people to use + +--- iptables/Makefile ++++ iptables/Makefile +@@ -102,6 +102,17 @@ + print-extensions: + @[ -n "$(OPTIONALS)" ] && echo Extensions found: $(OPTIONALS) + ++EXTRAS+=libiptables.a ++DEVEL_HEADERS+=include/iptables.h include/xtables.h include/libipulog/libipulog.h ++DEVEL_LIBS+=libiptables.a ++ifeq ($(DO_IPV6), 1) ++EXTRAS+=libip6tables.a ++DEVEL_HEADERS+=include/ip6tables.h ++DEVEL_LIBS+=libip6tables.a ++endif ++libiptables.a: libiptables.a(iptables.o) ++libip6tables.a: libip6tables.a(ip6tables.o) ++ + iptables.o: iptables.c + $(CC) $(CFLAGS) -DIPT_LIB_DIR=\"$(IPT_LIBDIR)\" -c -o $@ $< + +@@ -221,7 +232,7 @@ + .PHONY: install-devel-headers + install-devel-headers: $(DEVEL_HEADERS) + @[ -d $(DESTDIR)$(INCDIR) ] || mkdir -p $(DESTDIR)$(INCDIR) +- @cp -v $(DEVEL_HEADERS) $(DESTDIR)$(INCDIR) ++ @cd include && cp -v --parents $(patsubst include/%,%,$(DEVEL_HEADERS)) $(DESTDIR)$(INCDIR) + + .PHONY: install-devel-libs + install-devel-libs: $(DEVEL_LIBS) +--- iptables/libiptc/Makefile ++++ iptables/libiptc/Makefile +@@ -16,8 +16,12 @@ + ifeq ($(DO_IPV6), 1) + EXTRA_DEPENDS+= libiptc/libip6tc.d + libiptc/libiptc.a: libiptc/libiptc.a(libiptc/libip6tc.o) ++DEVEL_HEADERS+=include/libiptc/libip6tc.h + endif + ++DEVEL_LIBS+=libiptc/libiptc.a ++DEVEL_HEADERS+=include/libiptc/libiptc.h include/libiptc/ipt_kernel_headers.h include/libiptc/libxtc.h ++ + libiptc/libip4tc.d libiptc/libip6tc.d: %.d: %.c + @-$(CC) -M -MG $(CFLAGS) $< | sed -e 's@^.*\.o:@$*.d libiptc/libiptc.a($*.o):@' > $@ + endif diff --git a/net-firewall/iptables/files/iptables-1.4.0-in6-glibc-2.8.patch b/net-firewall/iptables/files/iptables-1.4.0-in6-glibc-2.8.patch new file mode 100644 index 0000000..a46a146 --- /dev/null +++ b/net-firewall/iptables/files/iptables-1.4.0-in6-glibc-2.8.patch 
@@ -0,0 +1,26 @@ +use the proper api to access the data structures + +http://bugs.gentoo.org/225505 + +--- libiptc/libip6tc.c ++++ libiptc/libip6tc.c +@@ -113,7 +113,7 @@ + #include "libiptc.c" + + #define BIT6(a, l) \ +- ((ntohl(a->in6_u.u6_addr32[(l) / 32]) >> (31 - ((l) & 31))) & 1) ++ ((ntohl(a->s6_addr32[(l) / 32]) >> (31 - ((l) & 31))) & 1) + + int + ipv6_prefix_length(const struct in6_addr *a) +--- ip6tables.c ++++ ip6tables.c +@@ -678,7 +678,7 @@ + for (i = 0, j = 0; i < n; i++) { + int k; + for (k = 0; k < 4; k++) +- addrp[j].in6_u.u6_addr32[k] &= maskp->in6_u.u6_addr32[k]; ++ addrp[j].s6_addr32[k] &= maskp->s6_addr32[k]; + j++; + for (k = 0; k < j - 1; k++) { + if (IN6_ARE_ADDR_EQUAL(&addrp[k], &addrp[j - 1])) { diff --git a/net-firewall/iptables/files/iptables-1.4.0-tarpit.diff b/net-firewall/iptables/files/iptables-1.4.0-tarpit.diff new file mode 100644 index 0000000..71db6c0 --- /dev/null +++ b/net-firewall/iptables/files/iptables-1.4.0-tarpit.diff 
@@ -0,0 +1,115 @@ +diff -urN iptables-1.4.0/extensions/.TARPIT-test iptables-1.4.0-tarpit/extensions/.TARPIT-test +--- iptables-1.4.0/extensions/.TARPIT-test 1969-12-31 19:00:00.000000000 -0500 ++++ iptables-1.4.0-tarpit/extensions/.TARPIT-test 2008-04-10 13:29:45.001461481 -0400 +@@ -0,0 +1,2 @@ ++#! /bin/sh ++[ -f $KERNEL_DIR/net/netfilter/xt_TARPIT.c ] && echo TARPIT +diff -uNr -r iptables-1.4.0/extensions/Makefile iptables-1.4.0-tarpit/extensions/Makefile +--- iptables-1.4.0/extensions/Makefile 2007-03-22 01:04:36.000000000 +0100 ++++ iptables-1.4.0-tarpit/extensions/Makefile 2008-10-19 17:19:02.000000000 +0200 +@@ -6,6 +6,7 @@ + # package (HW) + # + PF_EXT_SLIB:=ah addrtype conntrack ecn icmp iprange owner policy realm recent tos ttl unclean CLUSTERIP DNAT ECN LOG MASQUERADE MIRROR NETMAP REDIRECT REJECT SAME SNAT TOS TTL ULOG ++PF_EXT_SLIB+=TARPIT + PF6_EXT_SLIB:=ah dst eui64 frag hbh hl icmp6 ipv6header mh owner policy rt HL LOG REJECT + PFX_EXT_SLIB:=connbytes connmark connlimit comment dccp dscp esp hashlimit helper length limit mac mark multiport physdev pkttype quota sctp state statistic standard string tcp tcpmss time u32 udp CLASSIFY CONNMARK DSCP MARK NFLOG NFQUEUE NOTRACK TCPMSS TRACE + +diff -urN iptables-1.4.0/extensions/libipt_TARPIT.c iptables-1.4.0-tarpit/extensions/libipt_TARPIT.c +--- iptables-1.4.0/extensions/libipt_TARPIT.c 1969-12-31 19:00:00.000000000 -0500 ++++ iptables-1.4.0-tarpit/extensions/libipt_TARPIT.c 2008-04-10 13:58:17.321461025 -0400 +@@ -0,0 +1,56 @@ ++/* Shared library add-on to iptables for TARPIT support */ ++#include <stdio.h> ++#include <getopt.h> ++#include <iptables.h> ++ ++static void ++TARPIT_help(void) ++{ ++ fputs( ++ "TARPIT takes no options\n" ++ "\n", stdout); ++} ++ ++static struct option TARPIT_opts[] = { ++ { 0 } ++}; ++ ++static int ++TARPIT_parse(int c, char **argv, int invert, unsigned int *flags, ++ const void *entry, ++ struct xt_entry_target **target) ++{ ++ return 0; ++} ++ ++static void 
TARPIT_final_check(unsigned int flags) ++{ ++} ++ ++static void ++TARPIT_print(const void *ip, const struct xt_entry_target *target, ++ int numeric) ++{ ++} ++ ++static void TARPIT_save(const void *ip, const struct xt_entry_target *target) ++{ ++} ++ ++static struct iptables_target tarpit_target = { ++ .name = "TARPIT", ++ .version = IPTABLES_VERSION, ++ .size = IPT_ALIGN(0), ++ .userspacesize = IPT_ALIGN(0), ++ .help = TARPIT_help, ++ .parse = TARPIT_parse, ++ .final_check = TARPIT_final_check, ++ .print = TARPIT_print, ++ .save = TARPIT_save, ++ .extra_opts = TARPIT_opts ++}; ++ ++void _init(void) ++{ ++ register_target(&tarpit_target); ++} +diff -urN iptables-1.4.0/extensions/libipt_TARPIT.man iptables-1.4.0-tarpit/extensions/libipt_TARPIT.man +--- iptables-1.4.0/extensions/libipt_TARPIT.man 1969-12-31 19:00:00.000000000 -0500 ++++ iptables-1.4.0-tarpit/extensions/libipt_TARPIT.man 2008-04-10 13:29:45.000460310 -0400 +@@ -0,0 +1,34 @@ ++Captures and holds incoming TCP connections using no local ++per-connection resources. Connections are accepted, but immediately ++switched to the persist state (0 byte window), in which the remote ++side stops sending data and asks to continue every 60-240 seconds. ++Attempts to close the connection are ignored, forcing the remote side ++to time out the connection in 12-24 minutes. ++ ++This offers similar functionality to LaBrea ++<http://www.hackbusters.net/LaBrea/> but doesn't require dedicated ++hardware or IPs. Any TCP port that you would normally DROP or REJECT ++can instead become a tarpit. ++ ++To tarpit connections to TCP port 80 destined for the current machine: ++.IP ++iptables -A INPUT -p tcp -m tcp --dport 80 -j TARPIT ++.P ++To significantly slow down Code Red/Nimda-style scans of unused address ++space, forward unused ip addresses to a Linux box not acting as a router ++(e.g. 
"ip route 10.0.0.0 255.0.0.0 ip.of.linux.box" on a Cisco), enable IP ++forwarding on the Linux box, and add: ++.IP ++iptables -A FORWARD -p tcp -j TARPIT ++.IP ++iptables -A FORWARD -j DROP ++.TP ++NOTE: ++If you use the conntrack module while you are using TARPIT, you should ++also use the NOTRACK target, or the kernel will unnecessarily allocate ++resources for each TARPITted connection. To TARPIT incoming ++connections to the standard IRC port while using conntrack, you could: ++.IP ++iptables -t raw -A PREROUTING -p tcp --dport 6667 -j NOTRACK ++.IP ++iptables -A INPUT -p tcp --dport 6667 -j TARPIT diff --git a/net-firewall/iptables/iptables-1.3.8-r3.ebuild b/net-firewall/iptables/iptables-1.3.8-r3.ebuild new file mode 100644 index 0000000..0db3430 --- /dev/null +++ b/net-firewall/iptables/iptables-1.3.8-r3.ebuild 
@@ -0,0 +1,237 @@
+# Copyright 1999-2008 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-firewall/iptables/iptables-1.3.8-r3.ebuild,v 1.10 2008/06/14 14:04:51 zmedico Exp $
+
+inherit eutils flag-o-matic toolchain-funcs linux-info
+
+L7_PV=2.17
+L7_P=netfilter-layer7-v${L7_PV}
+IMQ_PATCH=iptables-1.3.6-imq.diff
+
+DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
+HOMEPAGE="http://www.iptables.org/ http://www.linuximq.net/ http://l7-filter.sf.net/"
+SRC_URI="http://iptables.org/projects/iptables/files/${P}.tar.bz2
+ imq? ( http://www.linuximq.net/patchs/${IMQ_PATCH} )
+ l7filter? ( mirror://sourceforge/l7-filter/${L7_P}.tar.gz )"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="alpha amd64 arm hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86"
+IUSE="extensions imq ipv6 l7filter static +tarpit"
+
+DEPEND="virtual/os-headers
+ l7filter? ( virtual/linux-sources )
+ imq? ( virtual/linux-sources )"
+RDEPEND=""
+
+pkg_setup() {
+ if use l7filter || use imq || use extensions ; then
+ ewarn "WARNING: 3rd party extensions has been enabled."
+ ewarn "This means that iptables will use your currently installed"
+ ewarn "kernel in ${KERNEL_DIR} as headers for iptables."
+ ewarn
+ if use extensions ; then
+ ewarn "You may have to patch your kernel to allow iptables to build."
+ ewarn "Please check http://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/ for patches"
+ ewarn "for your kernel."
+ ewarn
+ fi
+ linux-info_pkg_setup
+ fi
+
+ if kernel_is ge 2 6 20
+ then
+ L7FILE=${KERNEL_DIR}/net/netfilter/xt_layer7.c
+ else
+ L7FILE=${KERNEL_DIR}/net/ipv4/netfilter/ipt_layer7.c
+ fi
+ if use l7filter && \
+ [ ! -f "${L7FILE}" ]; then
+ die "For layer 7 support emerge net-misc/l7-filter-${L7_PV} before this"
+ fi
+ if use imq && \
+ [ ! -f "${KERNEL_DIR}/net/ipv4/netfilter/ipt_IMQ.c" ]; then
+ die "For IMQ support add a patch from http://www.linuximq.net/patches.html to your kernel"
+ fi
+}
+
+src_unpack() {
+ unpack ${P}.tar.bz2
+
+ if use tarpit ; then
+ if use extensions ; then
+ epatch "${FILESDIR}"/${P}-tarpit.diff
+ chmod +x "${S}"/extensions/.TARPIT-test
+ else
+ ewarn "tarpit USEflag is used only with USE=extensions"
+ fi
+ fi
+
+ if use l7filter
+ then
+ unpack ${L7_P}.tar.gz
+ fi
+ cd "${S}"
+
+ epatch "${FILESDIR}"/${PN}-1.3.7-sparc64.patch #166201
+ epatch "${FILESDIR}"/${PN}-1.3.7-kernel-dir.patch #172209
+
+ EPATCH_OPTS="-p0" \
+ epatch "${FILESDIR}"/1.3.1-files/install_ipv6_apps.patch
+ EPATCH_OPTS="-p1" \
+ epatch "${FILESDIR}"/1.3.1-files/install_all_dev_files.patch-1.3.1
+
+ # this provide's grsec's stealth match
+ EPATCH_OPTS="-p0" \
+ epatch "${FILESDIR}"/1.3.1-files/grsecurity-1.2.8-iptables.patch-1.3.1
+ sed -i \
+ -e "s/PF_EXT_SLIB:=/PF_EXT_SLIB:=stealth /g" \
+ extensions/Makefile || die "failed to enable stealth extension"
+
+ local check base=${PORTAGE_CONFIGROOT}/etc/portage/patches
+ for check in {${CATEGORY}/${PF},${CATEGORY}/${P},${CATEGORY}/${PN}}; do
+ EPATCH_SOURCE=${base}/${CTARGET}/${check}
+ [[ -r ${EPATCH_SOURCE} ]] || EPATCH_SOURCE=${base}/${CHOST}/${check}
+ [[ -r ${EPATCH_SOURCE} ]] || EPATCH_SOURCE=${base}/${check}
+ if [[ -d ${EPATCH_SOURCE} ]] ; then
+ EPATCH_SUFFIX="patch"
+ EPATCH_FORCE="yes" \
+ EPATCH_MULTI_MSG="Applying user patches from ${EPATCH_SOURCE} ..." \
+ epatch
+ break
+ fi
+ done
+
+ if use imq ; then
+ EPATCH_OPTS="-p1" epatch "${DISTDIR}"/${IMQ_PATCH}
+ for OA in extensions/.IMQ-test extensions/.IMQ-test6 ; do
+ mv ${OA} ${OA}.orig
+ tr '\015' '\012' < ${OA}.orig > ${OA}
+ rm ${OA}.orig
+ done
+ chmod +x extensions/.IMQ-test*
+ fi
+ if use l7filter ; then
+ #yes choosing 2.6.20 was deliberate - upstream mistake possibly
+ if kernel_is ge 2 6 20
+ then
+ L7_PATCH=iptables-1.3-for-kernel-2.6.20forward-layer7-${L7_PV}.patch
+ else
+ L7_PATCH=iptables-1.3-for-kernel-pre2.6.20-layer7-${L7_PV}.patch
+ fi
+ EPATCH_OPTS="-p1" epatch "${WORKDIR}"/${L7_P}/${L7_PATCH}
+ chmod +x extensions/.layer7-test*
+ fi
+
+ # the net directory is moving around so account for new/old locations
+ cd "${S}"/extensions
+ local x
+ for x in .*-test* ; do
+ sed -e 's:net/ipv[46]/netfilter:net/netfilter:g' ${x} > .new-${x}
+ if cmp ${x} .new-${x} > /dev/null ; then
+ rm -f .new-${x}
+ else
+ chmod a+rx .new-${x}
+ fi
+ done
+}
+
+src_defs() {
+ # these are used in both of src_compile and src_install
+ myconf=""
+ myconf="${myconf} PREFIX="
+ myconf="${myconf} LIBDIR=/$(get_libdir)"
+ myconf="${myconf} BINDIR=/sbin"
+ myconf="${myconf} MANDIR=/usr/share/man"
+ myconf="${myconf} INCDIR=/usr/include"
+ # iptables and libraries are now installed to /sbin and /lib, so that
+ # systems with remote network-mounted /usr filesystems can get their
+ # network interfaces up and running correctly without /usr.
+ use ipv6 || myconf="${myconf} DO_IPV6=0"
+ use static && myconf="${myconf} NO_SHARED_LIBS=0"
+ export myconf
+ if ! use l7filter && ! use imq && ! use extensions ; then
+ export KERNEL_DIR=$(
+ # ugh -- iptables has scripts which check for the existence of
+ # files so we need to give it the right path to our toolchains
+ # include dir where the linux headers are.
+ # FYI IPTABLES: YOU FAIL
+ echo '#include <linux/limits.h>' | $(tc-getCPP) - | grep -o '/[^"]*linux/limits.h' | sed s:/include/linux/limits.h::
+ )
+ diemsg="failure"
+ else
+ diemsg="failure - with l7filter and/or imq patch and/or other miscellanious patches added"
+ fi
+ export diemsg
+}
+
+src_compile() {
+ src_defs
+
+ # iptables will NOT work correctly unless -O[123] are present!
+ replace-flags -O0 -O2
+ get-flag -O || append-flags -O2
+ # cannot work with the following according to Makefile near check:
+ # -g -pg -DIPTC_DEBUG
+
+ emake -j1 \
+ COPT_FLAGS="${CFLAGS}" ${myconf} \
+ KERNEL_DIR="${KERNEL_DIR}" \
+ CC="$(tc-getCC)" \
+ || die "${diemsg}"
+}
+
+src_install() {
+ src_defs
+ make ${myconf} \
+ DESTDIR="${D}" \
+ KERNEL_DIR="${KERNEL_DIR}" \
+ install install-devel || die "${diemsg}"
+
+ dodir /usr/$(get_libdir)
+ mv -f "${D}"/$(get_libdir)/*.a "${D}"/usr/$(get_libdir)
+
+ keepdir /var/lib/iptables
+ newinitd "${FILESDIR}"/${PN}-1.3.2.init iptables
+ newconfd "${FILESDIR}"/${PN}-1.3.2.confd iptables
+
+ if use ipv6 ; then
+ keepdir /var/lib/ip6tables
+ newinitd "${FILESDIR}"/iptables-1.3.2.init ip6tables
+ newconfd "${FILESDIR}"/ip6tables-1.3.2.confd ip6tables
+ fi
+}
+
+pkg_preinst() {
+ has_version "=${CATEGORY}/${PN}-1.2*"
+ upgrade_from_1_2_x=$?
+}
+
+pkg_postinst() {
+ elog "This package now includes an initscript which loads and saves"
+ elog "rules stored in /var/lib/iptables/rules-save"
+ use ipv6 && elog "and /var/lib/ip6tables/rules-save"
+ elog "This location can be changed in /etc/conf.d/iptables"
+ elog
+ elog "If you are using the iptables initsscript you should save your"
+ elog "rules using the new iptables version before rebooting."
+ elog
+ elog "If you are upgrading to a >=2.4.21 kernel you may need to rebuild"
+ elog "iptables."
+ elog
+ ewarn "!!! ipforwarding is not a part of the iptables initscripts."
+ ewarn
+ ewarn "To enable ipforwarding at bootup:"
+ ewarn "/etc/sysctl.conf and set net.ipv4.ip_forward = 1"
+ if use ipv6 ; then
+ ewarn "and/or"
+ ewarn " net.ipv6.ip_forward = 1"
+ ewarn "for ipv6."
+ fi
+ if [[ $upgrade_from_1_2_x = 0 ]] ; then
+ ewarn
+ ewarn "When upgrading from iptables-1.2.x, you may be unable to remove"
+ ewarn "rules added with iptables-1.2.x. This is a known issue, please see:"
+ ewarn "http://bugs.gentoo.org/92535"
+ fi
+}
diff --git a/net-firewall/iptables/iptables-1.4.0-r1.ebuild b/net-firewall/iptables/iptables-1.4.0-r1.ebuild
new file mode 100644
index 0000000..774ba40
--- /dev/null
+++ b/net-firewall/iptables/iptables-1.4.0-r1.ebuild
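Review bot: The IPv6 hint in pkg_postinst names a sysctl that does not exist: `net.ipv6.ip_forward` is not a Linux key (sysctl will report it as unknown), IPv6 forwarding is controlled by `net.ipv6.conf.all.forwarding` (plus `conf.default.forwarding` for interfaces created later), so a user who follows this ewarn verbatim gets no IPv6 forwarding and may wrongly assume their ip6tables FORWARD rules are in play. Change the line to `ewarn " net.ipv6.conf.all.forwarding = 1"`. Separately, `use static && myconf="${myconf} NO_SHARED_LIBS=0"` in src_defs reads as the opposite of what the flag asks for; if the iptables 1.3 Makefile only tests `ifdef NO_SHARED_LIBS`, the value is irrelevant and a comment such as `# the Makefile only checks ifdef, so any value forces a static build` would stop the next maintainer from "fixing" it.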
@@ -0,0 +1,201 @@
+# Copyright 1999-2008 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-firewall/iptables/iptables-1.4.0-r1.ebuild,v 1.13 2008/08/17 14:15:30 vapier Exp $
+
+inherit eutils toolchain-funcs linux-info
+
+L7_PV=2.17
+L7_P=netfilter-layer7-v${L7_PV}
+IMQ_PATCH=iptables-1.4.0-imq.diff
+
+DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
+HOMEPAGE="http://www.iptables.org/ http://www.linuximq.net/ http://l7-filter.sf.net/"
+SRC_URI="http://iptables.org/projects/iptables/files/${P}.tar.bz2
+ imq? ( http://www.actusa.net/~linuximq/${IMQ_PATCH} )
+ l7filter? ( mirror://sourceforge/l7-filter/${L7_P}.tar.gz )"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="alpha amd64 arm hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86"
+IUSE="extensions imq ipv6 l7filter static +tarpit"
+
+DEPEND="virtual/os-headers
+ l7filter? ( virtual/linux-sources )
+ imq? ( virtual/linux-sources )"
+RDEPEND=""
+
+pkg_setup() {
+ if use l7filter || use imq || use extensions ; then
+ ewarn "WARNING: 3rd party extensions has been enabled."
+ ewarn "This means that iptables will use your currently installed"
+ ewarn "kernel in ${KERNEL_DIR} as headers for iptables."
+ ewarn
+ if use extensions ; then
+ ewarn "You may have to patch your kernel to allow iptables to build."
+ ewarn "Please check http://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/ for patches"
+ ewarn "for your kernel."
+ ewarn
+ fi
+ linux-info_pkg_setup
+ fi
+
+ if use l7filter ; then
+ if kernel_is lt 2 6 20 ; then
+ eerror "Currently there is no l7-filter patch available for iptables-1.4.x"
+ eerror "and kernel version before 2.6.20."
+ eerror "If you need to compile iptables 1.4.x against Linux 2.6.19.x"
+ eerror "or earlier, with l7-filter patch, please, report upstream."
+ die "No patch available."
+ fi
+ [ ! -f "${KERNEL_DIR}/include/linux/netfilter/xt_layer7.h" ] && \
+ die "For layer 7 support emerge net-misc/l7-filter-${L7_PV} before this."
+ fi
+ if use imq && \
+ [ ! -f "${KERNEL_DIR}/net/ipv4/netfilter/ipt_IMQ.c" ]; then
+ eerror "For IMQ support add a patch from http://www.actusa.net/~linuximq/ or from"
+ eerror "http://www.linuximq.net/patches.html (for older kernels) to your kernel."
+ die "Please, patch your kernel to support IMQ."
+ fi
+}
+
+src_unpack() {
+ unpack ${P}.tar.bz2
+
+ if use tarpit ; then
+ if use extensions ; then
+ epatch "${FILESDIR}"/${P}-tarpit.diff
+ chmod +x "${S}"/extensions/.TARPIT-test
+ else
+ ewarn "tarpit USEflag is used only with USE=extensions"
+ fi
+ fi
+
+ if use l7filter ; then
+ unpack ${L7_P}.tar.gz
+ fi
+ cd "${S}"
+
+ epatch "${FILESDIR}"/${P}-dev-files.patch
+ epatch "${FILESDIR}"/${P}-in6-glibc-2.8.patch #225505
+
+ # this provide's grsec's stealth match
+ EPATCH_OPTS="-p0" \
+ epatch "${FILESDIR}"/1.3.1-files/grsecurity-1.2.8-iptables.patch-1.3.1
+ sed -i \
+ -e "s/PF_EXT_SLIB:=/PF_EXT_SLIB:=stealth /g" \
+ extensions/Makefile || die "failed to enable stealth extension"
+
+ local check base=${PORTAGE_CONFIGROOT}/etc/portage/patches
+ for check in {${CATEGORY}/${PF},${CATEGORY}/${P},${CATEGORY}/${PN}}; do
+ EPATCH_SOURCE=${base}/${CTARGET}/${check}
+ [[ -r ${EPATCH_SOURCE} ]] || EPATCH_SOURCE=${base}/${CHOST}/${check}
+ [[ -r ${EPATCH_SOURCE} ]] || EPATCH_SOURCE=${base}/${check}
+ if [[ -d ${EPATCH_SOURCE} ]] ; then
+ EPATCH_SUFFIX="patch"
+ EPATCH_FORCE="yes" \
+ EPATCH_MULTI_MSG="Applying user patches from ${EPATCH_SOURCE} ..." \
+ epatch
+ break
+ fi
+ done
+
+ if use imq ; then
+ EPATCH_OPTS="-p1" epatch "${DISTDIR}"/${IMQ_PATCH}
+ chmod +x extensions/.IMQ-test*
+ fi
+
+ if use l7filter ; then
+ EPATCH_OPTS="-p1" epatch \
+ "${WORKDIR}"/${L7_P}/iptables-1.4-for-kernel-2.6.20forward-layer7-${L7_PV}.patch
+ chmod +x extensions/.layer7-test
+ fi
+
+ if ! use extensions ; then
+ cat <<-EOF > "${S}"/include/linux/compiler.h
+ #define __user
+ EOF
+ fi
+}
+
+src_defs() {
+ # these are used in both of src_compile and src_install
+ myconf=""
+ myconf="${myconf} PREFIX="
+ myconf="${myconf} LIBDIR=/$(get_libdir)"
+ myconf="${myconf} BINDIR=/sbin"
+ myconf="${myconf} MANDIR=/usr/share/man"
+ myconf="${myconf} INCDIR=/usr/include"
+ # iptables and libraries are now installed to /sbin and /lib, so that
+ # systems with remote network-mounted /usr filesystems can get their
+ # network interfaces up and running correctly without /usr.
+ use ipv6 || myconf="${myconf} DO_IPV6=0"
+ use static && myconf="${myconf} NO_SHARED_LIBS=0"
+ export myconf
+ if ! use l7filter && ! use imq && ! use extensions ; then
+ export KERNEL_DIR=$(
+ # ugh -- iptables has scripts which check for the existence of
+ # files so we need to give it the right path to our toolchains
+ # include dir where the linux headers are.
+ # FYI IPTABLES: YOU FAIL
+ echo '#include <linux/limits.h>' | $(tc-getCPP) - | grep -o '/[^"]*linux/limits.h' | sed s:/include/linux/limits.h::
+ )
+ export KBUILD_OUTPUT=${KERNEL_DIR}
+ diemsg="failure"
+ else
+ export KERNEL_DIR
+ diemsg="failure - with l7filter and/or imq patch and/or other miscellanious patches added"
+ fi
+ export diemsg
+}
+
+src_compile() {
+ src_defs
+ emake \
+ COPT_FLAGS="${CFLAGS}" ${myconf} \
+ CC="$(tc-getCC)" \
+ || die "${diemsg}"
+}
+
+src_install() {
+ src_defs
+ emake ${myconf} \
+ DESTDIR="${D}" \
+ KERNEL_DIR="${KERNEL_DIR}" \
+ install install-devel || die "${diemsg}"
+
+ dodir /usr/$(get_libdir)
+ mv -f "${D}"/$(get_libdir)/*.a "${D}"/usr/$(get_libdir)
+
+ keepdir /var/lib/iptables
+ newinitd "${FILESDIR}"/${PN}-1.3.2.init iptables
+ newconfd "${FILESDIR}"/${PN}-1.3.2.confd iptables
+
+ if use ipv6 ; then
+ keepdir /var/lib/ip6tables
+ newinitd "${FILESDIR}"/iptables-1.3.2.init ip6tables
+ newconfd "${FILESDIR}"/ip6tables-1.3.2.confd ip6tables
+ fi
+}
+
+pkg_postinst() {
+ elog "This package now includes an initscript which loads and saves"
+ elog "rules stored in /var/lib/iptables/rules-save"
+ use ipv6 && elog "and /var/lib/ip6tables/rules-save"
+ elog "This location can be changed in /etc/conf.d/iptables"
+ elog
+ elog "If you are using the iptables initsscript you should save your"
+ elog "rules using the new iptables version before rebooting."
+ elog
+ elog "If you are upgrading to a >=2.4.21 kernel you may need to rebuild"
+ elog "iptables."
+ elog
+ ewarn "!!! ipforwarding is not a part of the iptables initscripts."
+ ewarn
+ ewarn "To enable ipforwarding at bootup:"
+ ewarn "/etc/sysctl.conf and set net.ipv4.ip_forward = 1"
+ if use ipv6 ; then
+ ewarn "and/or"
+ ewarn " net.ipv6.ip_forward = 1"
+ ewarn "for ipv6."
+ fi
+}
diff --git a/net-firewall/iptables/iptables-1.4.1.1.ebuild b/net-firewall/iptables/iptables-1.4.1.1.ebuild
new file mode 100644
index 0000000..f6ea829
--- /dev/null
+++ b/net-firewall/iptables/iptables-1.4.1.1.ebuild
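Review bot: pkg_postinst tells IPv6 users to set `net.ipv6.ip_forward = 1`, but that sysctl does not exist on Linux; IPv6 forwarding is `net.ipv6.conf.all.forwarding` (the same wrong key is carried in the 1.3.8-r3 ebuild), so the line should read `ewarn " net.ipv6.conf.all.forwarding = 1"` or users will silently end up without IPv6 forwarding. The `cat <<-EOF > "${S}"/include/linux/compiler.h` block in src_unpack that writes only `#define __user` overwrites a header with no explanation of why; presumably it stubs the kernel annotation the userspace sources still reference when no kernel tree is used (USE=extensions off), and that intent belongs in a comment such as `# no kernel tree without USE=extensions: stub the __user annotation the sources reference -- TODO confirm nothing else from compiler.h is needed`. Note also that src_compile relies on the exported KERNEL_DIR while src_install passes `KERNEL_DIR="${KERNEL_DIR}"` explicitly; harmless, but one style would be clearer.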
@@ -0,0 +1,58 @@
+# Copyright 1999-2008 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-firewall/iptables/iptables-1.4.1.1.ebuild,v 1.1 2008/06/28 17:32:24 vapier Exp $
+
+inherit eutils toolchain-funcs linux-info
+
+DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
+HOMEPAGE="http://www.iptables.org/"
+SRC_URI="http://iptables.org/projects/iptables/files/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
+IUSE=""
+
+DEPEND="virtual/os-headers"
+RDEPEND=""
+
+src_unpack() {
+ unpack ${P}.tar.bz2
+ cd "${S}"
+
+ local check base=${PORTAGE_CONFIGROOT}/etc/portage/patches
+ for check in {${CATEGORY}/${PF},${CATEGORY}/${P},${CATEGORY}/${PN}}; do
+ EPATCH_SOURCE=${base}/${CTARGET}/${check}
+ [[ -r ${EPATCH_SOURCE} ]] || EPATCH_SOURCE=${base}/${CHOST}/${check}
+ [[ -r ${EPATCH_SOURCE} ]] || EPATCH_SOURCE=${base}/${check}
+ if [[ -d ${EPATCH_SOURCE} ]] ; then
+ EPATCH_SUFFIX="patch"
+ EPATCH_FORCE="yes" \
+ EPATCH_MULTI_MSG="Applying user patches from ${EPATCH_SOURCE} ..." \
+ epatch
+ break
+ fi
+ done
+}
+
+src_compile() {
+ econf \
+ --sbindir=/sbin \
+ --libexecdir=/$(get_libdir) \
+ --without-kernel \
+ --enable-devel \
+ --enable-libipq \
+ || die
+ emake || die
+}
+
+src_install() {
+ emake install DESTDIR="${D}" || die
+
+ keepdir /var/lib/iptables
+ newinitd "${FILESDIR}"/${PN}-1.3.2.init iptables
+ newconfd "${FILESDIR}"/${PN}-1.3.2.confd iptables
+ keepdir /var/lib/ip6tables
+ newinitd "${FILESDIR}"/iptables-1.3.2.init ip6tables
+ newconfd "${FILESDIR}"/ip6tables-1.3.2.confd ip6tables
+}
diff --git a/net-firewall/iptables/metadata.xml b/net-firewall/iptables/metadata.xml
new file mode 100644
index 0000000..5c4a19e
--- /dev/null
+++ b/net-firewall/iptables/metadata.xml
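Review bot: src_install creates `/var/lib/iptables` and `/var/lib/ip6tables` with keepdir but leaves them at the default directory mode, and the sibling ebuilds in this commit say the init script saves the live ruleset there as `rules-save`; a saved ruleset exposes the host's complete filtering and NAT policy (every permitted source address and port), which should not be readable by unprivileged local users. Add `fperms 0700 /var/lib/iptables` and `fperms 0700 /var/lib/ip6tables` after the keepdir calls; the init script (iptables-1.3.2.init, outside this hunk) runs as root, so saving and restoring are unaffected. The behaviour of the init script when the directory is missing or has a different mode is not visible here, so confirm it does not recreate the directory itself.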
@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+<herd>base-system</herd>
+<maintainer>
+ <email>pva@gentoo.org</email>
+ <name>Peter Volkov</name>
+ <description>imq and l7filter extensions</description>
+</maintainer>
+<longdescription>
+ iptables is the userspace command line program used to set up, maintain, and
+ inspect the tables of IPv4 packet filter rules in the Linux kernel. It's a
+ part of packet filtering framework which allows the stateless and stateful
+ packet filtering, all kinds of network address and port translation, and is a
+ flexible and extensible infrastructure with multiple layers of API's for 3rd
+ party extensions. The iptables package also includes ip6tables. ip6tables is
+ used for configuring the IPv6 packet filter.
+
+ Note that some extensions (e.g. imq and l7filter) are not included into
+ official kernel sources so you have to patch the sources before installation.
+</longdescription>
+<use>
+ <flag name='extensions'>Enable support for 3rd party patch-o-matic
+ extensions</flag>
+ <flag name='imq'>Enable support for intermediate queueing devices
+ (http://www.linuximq.net)</flag>
+ <flag name='l7filter'>Enable support for layer 7 filtering
+ (http://l7-filter.sourceforge.net)</flag>
+</use>
+</pkgmetadata>
|
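Review bot: The `<use>` block documents extensions, imq and l7filter but not `tarpit`, which the 1.3.8-r3 and 1.4.0-r1 ebuilds in this commit declare in IUSE as `+tarpit`, i.e. a local flag enabled by default with no GLEP 56 description. Add `<flag name='tarpit'>Enable the TARPIT target, which holds incoming TCP connections open to slow scanners (only applied together with USE=extensions)</flag>`. The USE=extensions caveat mirrors the ewarn in those ebuilds' src_unpack, which skips the tarpit patch when extensions is unset.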