author | Gluzskiy Alexandr <sss@sss.chaoslab.ru> | 2017-07-15 10:04:22 +0300 |
committer | Gluzskiy Alexandr <sss@sss.chaoslab.ru> | 2017-07-15 10:04:22 +0300 |
commit | 054181ab0df523d6114c7c322a855be58dc8a881 (patch) | |
tree | 5c626b1a655fcb2b8d5a1f09b486d6acea8cd0e5 | |
parent | 32780c2b92aa020a42d19b822d885df693e2b714 (diff) |
iptables with imq patch
-rw-r--r-- | net-firewall/iptables/files/iptables-1.6.0-imq.diff | 141 | ||||
-rwxr-xr-x | net-firewall/iptables/files/iptables.init | 129 | ||||
-rw-r--r-- | net-firewall/iptables/files/systemd/ip6tables-restore.service | 14 | ||||
-rw-r--r-- | net-firewall/iptables/files/systemd/ip6tables-store.service | 11 | ||||
-rw-r--r-- | net-firewall/iptables/files/systemd/ip6tables.service | 6 | ||||
-rw-r--r-- | net-firewall/iptables/files/systemd/iptables-restore.service | 14 | ||||
-rw-r--r-- | net-firewall/iptables/files/systemd/iptables-store.service | 11 | ||||
-rw-r--r-- | net-firewall/iptables/files/systemd/iptables.service | 6 | ||||
-rw-r--r-- | net-firewall/iptables/iptables-1.6.1-r2.ebuild | 114 | ||||
-rw-r--r-- | net-firewall/iptables/metadata.xml | 29 |
10 files changed, 475 insertions, 0 deletions
diff --git a/net-firewall/iptables/files/iptables-1.6.0-imq.diff b/net-firewall/iptables/files/iptables-1.6.0-imq.diff
new file mode 100644
index 0000000..2252980
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-1.6.0-imq.diff
@@ -0,0 +1,141 @@
+diff -Naupr iptables-1.6.0_orig/extensions/libxt_IMQ.c iptables-1.6.0/extensions/libxt_IMQ.c
+--- iptables-1.6.0_orig/extensions/libxt_IMQ.c 1970-01-01 07:00:00.000000000 +0700
++++ iptables-1.6.0/extensions/libxt_IMQ.c 2016-05-17 22:16:54.609657870 +0600
+@@ -0,0 +1,105 @@
++/* Shared library add-on to iptables to add IMQ target support. */
++#include <stdio.h>
++#include <string.h>
++#include <stdlib.h>
++#include <getopt.h>
++
++#include <xtables.h>
++#include <linux/netfilter/x_tables.h>
++#include <linux/netfilter/xt_IMQ.h>
++
++/* Function which prints out usage message. */
++static void IMQ_help(void)
++{
++ printf(
++"IMQ target options:\n"
++" --todev <N> enqueue to imq<N>, defaults to 0\n");
++
++}
++
++static struct option IMQ_opts[] = {
++ { "todev", 1, 0, '1' },
++ { 0 }
++};
++
++/* Initialize the target. */
++static void IMQ_init(struct xt_entry_target *t)
++{
++ struct xt_imq_info *mr = (struct xt_imq_info*)t->data;
++
++ mr->todev = 0;
++}
++
++/* Function which parses command options; returns true if it
++ ate an option */
++static int IMQ_parse(int c, char **argv, int invert, unsigned int *flags,
++ const void *entry, struct xt_entry_target **target)
++{
++ struct xt_imq_info *mr = (struct xt_imq_info*)(*target)->data;
++
++ switch(c) {
++ case '1':
++/* if (xtables_check_inverse(optarg, &invert, NULL, 0, argv))
++ xtables_error(PARAMETER_PROBLEM,
++ "Unexpected `!' after --todev");
++*/
++ mr->todev=atoi(optarg);
++ break;
++
++ default:
++ return 0;
++ }
++ return 1;
++}
++
++/* Prints out the targinfo. */
++static void IMQ_print(const void *ip,
++ const struct xt_entry_target *target,
++ int numeric)
++{
++ struct xt_imq_info *mr = (struct xt_imq_info*)target->data;
++
++ printf("IMQ: todev %u ", mr->todev);
++}
++
++/* Saves the union ipt_targinfo in parsable form to stdout. */
++static void IMQ_save(const void *ip, const struct xt_entry_target *target)
++{
++ struct xt_imq_info *mr = (struct xt_imq_info*)target->data;
++
++ printf(" --todev %u", mr->todev);
++}
++
++static struct xtables_target imq_target = {
++ .name = "IMQ",
++ .version = XTABLES_VERSION,
++ .family = NFPROTO_IPV4,
++ .size = XT_ALIGN(sizeof(struct xt_imq_info)),
++ .userspacesize = XT_ALIGN(sizeof(struct xt_imq_info)),
++ .help = IMQ_help,
++ .init = IMQ_init,
++ .parse = IMQ_parse,
++ .print = IMQ_print,
++ .save = IMQ_save,
++ .extra_opts = IMQ_opts,
++};
++
++static struct xtables_target imq_target6 = {
++ .name = "IMQ",
++ .version = XTABLES_VERSION,
++ .family = NFPROTO_IPV6,
++ .size = XT_ALIGN(sizeof(struct xt_imq_info)),
++ .userspacesize = XT_ALIGN(sizeof(struct xt_imq_info)),
++ .help = IMQ_help,
++ .init = IMQ_init,
++ .parse = IMQ_parse,
++ .print = IMQ_print,
++ .save = IMQ_save,
++ .extra_opts = IMQ_opts,
++};
++
++// void __attribute((constructor)) nf_ext_init(void){
++void _init(void){
++ xtables_register_target(&imq_target);
++ xtables_register_target(&imq_target6);
++}
+diff -Naupr iptables-1.6.0_orig/extensions/libxt_IMQ.man iptables-1.6.0/extensions/libxt_IMQ.man
+--- iptables-1.6.0_orig/extensions/libxt_IMQ.man 1970-01-01 07:00:00.000000000 +0700
++++ iptables-1.6.0/extensions/libxt_IMQ.man 2016-05-17 22:16:54.609657870 +0600
+@@ -0,0 +1,15 @@
++This target is used to redirect the traffic to the IMQ driver and you can apply
++QoS rules like HTB or CBQ.
++For example you can select only traffic comming from a specific interface or
++is going out on a specific interface.
++Also it permits to capture the traffic BEFORE NAT in the case of outgoing traffic
++or AFTER NAT in the case of incomming traffic.
++.TP
++\fB\-\-to\-dev\fP \fIvalue\fP
++Set the IMQ interface where to send this traffic
++.TP
++Example:
++.TP
++Redirect incomming traffic from interface eth0 to imq0 and outgoing traffic to imq1:
++iptables \-t mangle \-A FORWARD \-i eth0 \-j IMQ \-\-to\-dev 0
++iptables \-t mangle \-A FORWARD \-o eth0 \-j IMQ \-\-to\-dev 1
+diff -Naupr iptables-1.6.0_orig/include/linux/netfilter/xt_IMQ.h iptables-1.6.0/include/linux/netfilter/xt_IMQ.h
+--- iptables-1.6.0_orig/include/linux/netfilter/xt_IMQ.h 1970-01-01 07:00:00.000000000 +0700
++++ iptables-1.6.0/include/linux/netfilter/xt_IMQ.h 2016-05-17 22:16:54.609657870 +0600
+@@ -0,0 +1,9 @@
++#ifndef _XT_IMQ_H
++#define _XT_IMQ_H
++
++struct xt_imq_info {
++ unsigned int todev; /* target imq device */
++};
++
++#endif /* _XT_IMQ_H */
++
diff --git a/net-firewall/iptables/files/iptables.init b/net-firewall/iptables/files/iptables.init
new file mode 100755
index 0000000..10394c6
--- /dev/null
+++ b/net-firewall/iptables/files/iptables.init
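Review bot: The libxt_IMQ.man hunk documents the option as `\fB\-\-to\-dev\fP` and both examples use `\-\-to\-dev`, but IMQ_opts registers only `{ "todev", 1, 0, '1' }` and IMQ_save emits `--todev`, so the documented spelling is rejected by getopt and rules written from the man page fail to load; the man page should read `\fB\-\-todev\fP \fIvalue\fP` with matching examples. In IMQ_parse, `mr->todev=atoi(optarg);` accepts any text and silently stores a negative or overflowed int into the `unsigned int todev` field, and nothing in `flags` rejects a repeated option; libxtables already ships a checked parser, e.g. `if (!xtables_strtoui(optarg, NULL, &mr->todev, 0, UINT_MAX))` followed by `xtables_error(PARAMETER_PROBLEM, "IMQ: bad --todev value \"%s\"", optarg);` (UINT_MAX needs `<limits.h>`). The kernel module is what ultimately decides whether the device index exists, but failing in userspace gives the administrator an error instead of a committed rule that steers traffic to an unintended queue. Since this file is a vendored third-party patch, the corrections belong in a locally revised copy of the diff rather than in the ebuild.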
@@ -0,0 +1,129 @@
+#!/sbin/openrc-run
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+extra_commands="check save panic"
+extra_started_commands="reload"
+
+iptables_name=${SVCNAME}
+case ${iptables_name} in
+iptables|ip6tables) ;;
+*) iptables_name="iptables" ;;
+esac
+
+iptables_bin="/sbin/${iptables_name}"
+case ${iptables_name} in
+ iptables) iptables_proc="/proc/net/ip_tables_names"
+ iptables_save=${IPTABLES_SAVE};;
+ ip6tables) iptables_proc="/proc/net/ip6_tables_names"
+ iptables_save=${IP6TABLES_SAVE};;
+esac
+
+depend() {
+ need localmount #434774
+ before net
+}
+
+set_table_policy() {
+ local chains table=$1 policy=$2
+ case ${table} in
+ nat) chains="PREROUTING POSTROUTING OUTPUT";;
+ mangle) chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING";;
+ filter) chains="INPUT FORWARD OUTPUT";;
+ *) chains="";;
+ esac
+ local chain
+ for chain in ${chains} ; do
+ ${iptables_bin} -w -t ${table} -P ${chain} ${policy}
+ done
+}
+
+checkkernel() {
+ if [ ! -e ${iptables_proc} ] ; then
+ eerror "Your kernel lacks ${iptables_name} support, please load"
+ eerror "appropriate modules and try again."
+ return 1
+ fi
+ return 0
+}
+checkconfig() {
+ if [ ! -f ${iptables_save} ] ; then
+ eerror "Not starting ${iptables_name}. First create some rules then run:"
+ eerror "/etc/init.d/${iptables_name} save"
+ return 1
+ fi
+ return 0
+}
+
+start() {
+ checkconfig || return 1
+ ebegin "Loading ${iptables_name} state and starting firewall"
+ ${iptables_bin}-restore ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
+ eend $?
+}
+
+stop() {
+ if [ "${SAVE_ON_STOP}" = "yes" ] ; then
+ save || return 1
+ fi
+ checkkernel || return 1
+ ebegin "Stopping firewall"
+ local a
+ for a in $(cat ${iptables_proc}) ; do
+ set_table_policy $a ACCEPT
+
+ ${iptables_bin} -w -F -t $a
+ ${iptables_bin} -w -X -t $a
+ done
+ eend $?
+}
+
+reload() {
+ checkkernel || return 1
+ checkrules || return 1
+ ebegin "Flushing firewall"
+ local a
+ for a in $(cat ${iptables_proc}) ; do
+ ${iptables_bin} -w -F -t $a
+ ${iptables_bin} -w -X -t $a
+ done
+ eend $?
+
+ start
+}
+
+checkrules() {
+ ebegin "Checking rules"
+ ${iptables_bin}-restore --test ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
+ eend $?
+}
+
+check() {
+ # Short name for users of init.d script.
+ checkrules
+}
+
+save() {
+ ebegin "Saving ${iptables_name} state"
+ checkpath -q -d "$(dirname "${iptables_save}")"
+ checkpath -q -m 0600 -f "${iptables_save}"
+ ${iptables_bin}-save ${SAVE_RESTORE_OPTIONS} > "${iptables_save}"
+ eend $?
+}
+
+panic() {
+ checkkernel || return 1
+ if service_started ${iptables_name}; then
+ rc-service ${iptables_name} stop
+ fi
+
+ local a
+ ebegin "Dropping all packets"
+ for a in $(cat ${iptables_proc}) ; do
+ ${iptables_bin} -w -F -t $a
+ ${iptables_bin} -w -X -t $a
+
+ set_table_policy $a DROP
+ done
+ eend $?
+}
diff --git a/net-firewall/iptables/files/systemd/ip6tables-restore.service b/net-firewall/iptables/files/systemd/ip6tables-restore.service
new file mode 100644
index 0000000..c149e92
--- /dev/null
+++ b/net-firewall/iptables/files/systemd/ip6tables-restore.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Restore ip6tables firewall rules
+# if both are queued for some reason, don't store before restoring :)
+Before=ip6tables-store.service
+# sounds reasonable to have firewall up before any of the services go up
+Before=network-pre.target
+Wants=network-pre.target
+
+[Service]
+Type=oneshot
+ExecStart=/sbin/ip6tables-restore /var/lib/ip6tables/rules-save
+
+[Install]
+WantedBy=basic.target
diff --git a/net-firewall/iptables/files/systemd/ip6tables-store.service b/net-firewall/iptables/files/systemd/ip6tables-store.service
new file mode 100644
index 0000000..9975378
--- /dev/null
+++ b/net-firewall/iptables/files/systemd/ip6tables-store.service
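Review bot: In `stop()`, `reload()` and `panic()` the `eend $?` after the table loop only sees the exit status of the last `${iptables_bin} -w -X -t $a`, so a failed policy reset or flush on an earlier table (or any table but the last) is reported as success; `set_table_policy` masks its own per-chain failures the same way. For `stop()` that matters most, because it is the step that opens every chain to ACCEPT before flushing, and a partial failure there leaves a half-torn-down ruleset that OpenRC records as cleanly stopped. Collecting the status per command and passing it to `eend` keeps the existing behaviour while making the report honest; the rewrite below shows it for `stop()`, and the same `|| ret=1` pattern applies to the two other loops and to `set_table_policy`.
```shell
stop() {
	# … unchanged: SAVE_ON_STOP handling, checkkernel, ebegin …
	local a ret=0
	for a in $(cat ${iptables_proc}) ; do
		set_table_policy $a ACCEPT || ret=1

		${iptables_bin} -w -F -t $a || ret=1
		${iptables_bin} -w -X -t $a || ret=1
	done
	eend ${ret}
}
```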
@@ -0,0 +1,11 @@
+[Unit]
+Description=Store ip6tables firewall rules
+Before=shutdown.target
+DefaultDependencies=No
+
+[Service]
+Type=oneshot
+ExecStart=/bin/sh -c "/sbin/ip6tables-save --counters > /var/lib/ip6tables/rules-save"
+
+[Install]
+WantedBy=shutdown.target
diff --git a/net-firewall/iptables/files/systemd/ip6tables.service b/net-firewall/iptables/files/systemd/ip6tables.service
new file mode 100644
index 0000000..0a6d7fa
--- /dev/null
+++ b/net-firewall/iptables/files/systemd/ip6tables.service
@@ -0,0 +1,6 @@
+[Unit]
+Description=Store and restore ip6tables firewall rules
+
+[Install]
+Also=ip6tables-store.service
+Also=ip6tables-restore.service
diff --git a/net-firewall/iptables/files/systemd/iptables-restore.service b/net-firewall/iptables/files/systemd/iptables-restore.service
new file mode 100644
index 0000000..2474ee3
--- /dev/null
+++ b/net-firewall/iptables/files/systemd/iptables-restore.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Restore iptables firewall rules
+# if both are queued for some reason, don't store before restoring :)
+Before=iptables-store.service
+# sounds reasonable to have firewall up before any of the services go up
+Before=network-pre.target
+Wants=network-pre.target
+
+[Service]
+Type=oneshot
+ExecStart=/sbin/iptables-restore /var/lib/iptables/rules-save
+
+[Install]
+WantedBy=basic.target
diff --git a/net-firewall/iptables/files/systemd/iptables-store.service b/net-firewall/iptables/files/systemd/iptables-store.service
new file mode 100644
index 0000000..aa16e75
--- /dev/null
+++ b/net-firewall/iptables/files/systemd/iptables-store.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Store iptables firewall rules
+Before=shutdown.target
+DefaultDependencies=No
+
+[Service]
+Type=oneshot
+ExecStart=/bin/sh -c "/sbin/iptables-save --counters > /var/lib/iptables/rules-save"
+
+[Install]
+WantedBy=shutdown.target
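Review bot: ip6tables-store.service (and iptables-store.service in the same section) writes the ruleset through a shell redirect, `ExecStart=/bin/sh -c "/sbin/ip6tables-save --counters > /var/lib/ip6tables/rules-save"`, so the file is created with whatever mode the service's umask yields, whereas the OpenRC path in iptables.init explicitly runs `checkpath -q -m 0600 -f "${iptables_save}"` before saving. The saved file describes the complete filtering policy and, with `--counters`, per-rule traffic counts, so the two install paths currently give that file different protection depending on the init system. Adding `UMask=0077` under `[Service]` in both store units makes the systemd path match the 0600 the init script enforces; whether the existing file's mode on a given host is tighter already cannot be told from here.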
diff --git a/net-firewall/iptables/files/systemd/iptables.service b/net-firewall/iptables/files/systemd/iptables.service
new file mode 100644
index 0000000..3643a3e
--- /dev/null
+++ b/net-firewall/iptables/files/systemd/iptables.service
@@ -0,0 +1,6 @@
+[Unit]
+Description=Store and restore iptables firewall rules
+
+[Install]
+Also=iptables-store.service
+Also=iptables-restore.service
diff --git a/net-firewall/iptables/iptables-1.6.1-r2.ebuild b/net-firewall/iptables/iptables-1.6.1-r2.ebuild
new file mode 100644
index 0000000..fde7e5b
--- /dev/null
+++ b/net-firewall/iptables/iptables-1.6.1-r2.ebuild
@@ -0,0 +1,114 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="5"
+
+# Force users doing their own patches to install their own tools
+AUTOTOOLS_AUTO_DEPEND=no
+
+inherit eutils multilib systemd toolchain-funcs autotools flag-o-matic
+
+DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
+HOMEPAGE="http://www.netfilter.org/projects/iptables/"
+SRC_URI="http://www.netfilter.org/projects/iptables/files/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+# Subslot tracks libxtables as that's the one other packages generally link
+# against and iptables changes. Will have to revisit if other sonames change.
+SLOT="0/12"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
+IUSE="conntrack ipv6 -imq netlink nftables pcap static-libs"
+
+RDEPEND="
+ conntrack? ( >=net-libs/libnetfilter_conntrack-1.0.6 )
+ netlink? ( net-libs/libnfnetlink )
+ nftables? (
+ >=net-libs/libmnl-1.0
+ >=net-libs/libnftnl-1.0.5
+ )
+ pcap? ( net-libs/libpcap )
+"
+DEPEND="${RDEPEND}
+ virtual/os-headers
+ virtual/pkgconfig
+ nftables? (
+ sys-devel/flex
+ virtual/yacc
+ )
+"
+
+src_prepare() {
+ # use the saner headers from the kernel
+ rm -f include/linux/{kernel,types}.h
+
+ use imq && epatch "${FILESDIR}"/iptables-1.6.0-imq.diff
+
+ # Only run autotools if user patched something
+ epatch_user && eautoreconf || elibtoolize
+}
+
+src_configure() {
+ # Some libs use $(AR) rather than libtool to build #444282
+ tc-export AR
+
+ # Hack around struct mismatches between userland & kernel for some ABIs. #472388
+ use amd64 && [[ ${ABI} == "x32" ]] && append-flags -fpack-struct
+
+ sed -i \
+ -e "/nfnetlink=[01]/s:=[01]:=$(usex netlink 1 0):" \
+ -e "/nfconntrack=[01]/s:=[01]:=$(usex conntrack 1 0):" \
+ configure || die
+
+ econf \
+ --sbindir="${EPREFIX}/sbin" \
+ --libexecdir="${EPREFIX}/$(get_libdir)" \
+ --enable-devel \
+ --enable-shared \
+ $(use_enable nftables) \
+ $(use_enable pcap bpf-compiler) \
+ $(use_enable pcap nfsynproxy) \
+ $(use_enable static-libs static) \
+ $(use_enable ipv6)
+}
+
+src_compile() {
+ # Deal with parallel build errors.
+ use nftables && emake -C iptables xtables-config-parser.h
+ emake V=1
+}
+
+src_install() {
+ default
+ dodoc INCOMPATIBILITIES iptables/iptables.xslt
+
+ # all the iptables binaries are in /sbin, so might as well
+ # put these small files in with them
+ into /
+ dosbin iptables/iptables-apply
+ dosym iptables-apply /sbin/ip6tables-apply
+ doman iptables/iptables-apply.8
+
+ insinto /usr/include
+ doins include/iptables.h $(use ipv6 && echo include/ip6tables.h)
+ insinto /usr/include/iptables
+ doins include/iptables/internal.h
+
+ keepdir /var/lib/iptables
+ newinitd "${FILESDIR}"/${PN}.init iptables
+ newconfd "${FILESDIR}"/${PN}-1.4.13.confd iptables
+ if use ipv6 ; then
+ keepdir /var/lib/ip6tables
+ newinitd "${FILESDIR}"/iptables.init ip6tables
+ newconfd "${FILESDIR}"/ip6tables-1.4.13.confd ip6tables
+ fi
+
+ systemd_dounit "${FILESDIR}"/systemd/iptables-{re,}store.service
+ if use ipv6 ; then
+ systemd_dounit "${FILESDIR}"/systemd/ip6tables-{re,}store.service
+ fi
+
+ # Move important libs to /lib #332175
+ gen_usr_ldscript -a ip{4,6}tc iptc xtables
+
+ prune_libtool_files
+}
diff --git a/net-firewall/iptables/metadata.xml b/net-firewall/iptables/metadata.xml
new file mode 100644
index 0000000..92f454b
--- /dev/null
+++ b/net-firewall/iptables/metadata.xml
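Review bot: `src_install` runs `newconfd "${FILESDIR}"/${PN}-1.4.13.confd iptables` and `newconfd "${FILESDIR}"/ip6tables-1.4.13.confd ip6tables`, but neither confd file is among the ten files this commit adds (see the diffstat), so unless they already exist in the overlay the install dies at that line; the init script also reads `IPTABLES_SAVE`, `IP6TABLES_SAVE`, `SAVE_RESTORE_OPTIONS` and `SAVE_ON_STOP` from that confd, so without it `iptables_save` is empty and `checkconfig` refuses to start. Either add the two confd files in this commit or point `newconfd` at files that are known to be present. Separately, the patch applied by `use imq && epatch "${FILESDIR}"/iptables-1.6.0-imq.diff` is named for 1.6.0 while this ebuild is 1.6.1; it may apply cleanly, but a comment such as `# IMQ patch was generated against 1.6.0; still applies to ${PV}` above that line would record that it was checked. The `-imq` spelling in IUSE is accepted but redundant, since an unprefixed flag is already off by default.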
@@ -0,0 +1,29 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+<maintainer type="project">
+ <email>base-system@gentoo.org</email>
+ <name>Gentoo Base System</name>
+</maintainer>
+<use>
+ <flag name="conntrack">Build against <pkg>net-libs/libnetfilter_conntrack</pkg> when enables the connlabel matcher</flag>
+ <flag name="netlink">Build against libnfnetlink which enables the nfnl_osf util</flag>
+ <flag name="nftables">Support nftables kernel interface</flag>
+ <flag name="pcap">Build against <pkg>net-libs/libpcap</pkg> which enables the nfbpf_compile util</flag>
+</use>
+<longdescription>
+ iptables is the userspace command line program used to set up, maintain, and
+ inspect the tables of IPv4 packet filter rules in the Linux kernel. It's a
+ part of packet filtering framework which allows the stateless and stateful
+ packet filtering, all kinds of network address and port translation, and is a
+ flexible and extensible infrastructure with multiple layers of API's for 3rd
+ party extensions. The iptables package also includes ip6tables. ip6tables is
+ used for configuring the IPv6 packet filter.
+
+ Note that some extensions (e.g. imq and l7filter) are not included into
+ official kernel sources so you have to patch the sources before installation.
+</longdescription>
+<upstream>
+ <remote-id type="cpe">cpe:/a:netfilter_core_team:iptables</remote-id>
+</upstream>
+</pkgmetadata>
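Review bot: The `<use>` block describes conntrack, netlink, nftables and pcap but not the `imq` flag that the ebuild in this same commit introduces, so the one flag that is local to this overlay is the one without a description. A line such as `<flag name="imq">Apply the IMQ patch and build the libxt_IMQ target extension (requires an IMQ-patched kernel, see longdescription)</flag>` would document it; the kernel requirement is already stated in the longdescription paragraph below. The conntrack entry also reads "when enables the connlabel matcher", which looks like a slip for "which enables the connlabel matcher", matching the wording of the netlink and pcap entries.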