commit: 5b92f67047e6ae788b7e68acd72ca421d4e42d01 Author: Hasan ÇALIŞIR <hasan.calisir <AT> psauxit <DOT> com> AuthorDate: Tue Jun 28 08:25:53 2022 +0000 Commit: Florian Schmaus <flow <AT> gentoo <DOT> org> CommitDate: Fri Jul 1 08:28:35 2022 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5b92f670
net-firewall/ufw: bump to 0.36.1 * version bump to 0.36.1. * bump to EAPI 8. * python_combat drop 3.7, add 3.11, current range 8,11. * dropped NonexistentBlockers from RDEPEND. !<kde-misc/kcm-ufw-0.4.2 !<net-firewall/ufw-frontends-0.3.2" * Removed RESTRICT="test" --> upstream bug: https://bugs.launchpad.net/ufw/+bug/815982 fixed and commited. * Change mod 0644 for all rules in /etc/ufw. * Drop comparison operator >= for iptables 1.4. Current repo already meets the requirement. * Patches synced with current version that we still need them. [ flow: add Closes bug# 834130 git trailer ] Package-Manager: Portage-3.0.30, Repoman-3.0.3 Signed-off-by: Hasan ÇALIŞIR <hasan.calisir <AT> psauxit.com> Closes: https://bugs.gentoo.org/834130 Closes: https://github.com/gentoo/gentoo/pull/26110 Signed-off-by: Florian Schmaus <flow <AT> gentoo.org> net-firewall/ufw/Manifest | 1 + .../ufw/files/ufw-0.36.1-bash-completion.patch | 16 ++ .../ufw/files/ufw-0.36.1-dont-check-iptables.patch | 50 +++++ net-firewall/ufw/files/ufw-0.36.1-move-path.patch | 124 ++++++++++++ net-firewall/ufw/files/ufw-0.36.1-shebang.patch | 15 ++ net-firewall/ufw/ufw-0.36.1.ebuild | 217 +++++++++++++++++++++ 6 files changed, 423 insertions(+) diff --git a/net-firewall/ufw/Manifest b/net-firewall/ufw/Manifest index ab0de6087c34..91de7839ba25 100644 --- a/net-firewall/ufw/Manifest +++ b/net-firewall/ufw/Manifest @@ -1 +1,2 @@ +DIST ufw-0.36.1.tar.gz 583123 BLAKE2B 16e1ee67493d5db10a04667b646a019aa3aeb06345d0facc334fb07eeff4d4f6674a4699b2bd7bd6ed29de1c05c4e14812e9e8ec55c4bfb8579b8e3e2e577f6a SHA512 77d01fef661083eac041be6d6eabffb1d8aedb215f73e44e18a9a63a48da96414b3c0166e3ffd9402c22c72a6de5d774ba14b15368b02997aae8e08d1c5dd4c0 DIST ufw-0.36.tar.gz 580338 BLAKE2B a7e07ac11539061a69bb83d45c0affc54793503b31c9e9f9f8b34fa890a3fe97682f9133102e74e5f6e1eb372a929cfc8619baa2cc9efc1dc289d9f4a1766efd SHA512 b32d7f79f43c203149c48b090ee0d063df78fcf654344ee11066a7363e799a62b046758ffe02b8bd15121545ac2a6b61df21fe56f8b810319fe4dd562cbdadb3 diff --git a/net-firewall/ufw/files/ufw-0.36.1-bash-completion.patch b/net-firewall/ufw/files/ufw-0.36.1-bash-completion.patch new file mode 100644 index 000000000000..927af244eef1 --- /dev/null +++ b/net-firewall/ufw/files/ufw-0.36.1-bash-completion.patch @@ -0,0 +1,16 @@ +--- a/shell-completion/bash 2018-12-14 21:25:55.000000000 +0300 ++++ b/shell-completion/bash 2019-03-21 01:26:46.152181981 +0300 +@@ -57,7 +57,6 @@ + echo "numbered verbose" + } + +-_have ufw && + _ufw() + { + cur=${COMP_WORDS[COMP_CWORD]} +@@ -91,4 +90,4 @@ + fi + } + +-_have ufw && complete -F _ufw ufw ++complete -F _ufw ufw diff --git a/net-firewall/ufw/files/ufw-0.36.1-dont-check-iptables.patch b/net-firewall/ufw/files/ufw-0.36.1-dont-check-iptables.patch new file mode 100644 index 000000000000..ae0c95525a46 --- /dev/null +++ b/net-firewall/ufw/files/ufw-0.36.1-dont-check-iptables.patch @@ -0,0 +1,50 @@ +--- a/setup.py 2022-06-27 17:33:18.043794598 +0300 ++++ b/setup.py 2022-06-27 18:15:18.384463926 +0300 +@@ -256,46 +256,7 @@ + os.unlink(os.path.join('staging', 'ufw-init')) + os.unlink(os.path.join('staging', 'ufw-init-functions')) + +-iptables_exe = '' +-iptables_dir = '' +- +-for e in ['iptables']: +- # Historically iptables was in /sbin, then later also symlinked from +- # /usr/sbin/iptables to /sbin/iptables. Debian bullseye moves iptables +- # to /usr/sbin with no symlink in /sbin except on upgrades. To accomodate +- # buildds that may still have the old iptables, search /usr/sbin first +- for dir in ['/usr/sbin', '/sbin', '/usr/bin', '/bin', '/usr/local/sbin', \ +- '/usr/local/bin']: +- if e == "iptables": +- if os.path.exists(os.path.join(dir, e)): +- iptables_dir = dir +- iptables_exe = os.path.join(iptables_dir, "iptables") +- print("Found '%s'" % iptables_exe) +- else: +- continue +- +- if iptables_exe != "": +- break +- +- +-if iptables_exe == '': +- print("ERROR: could not find required binary 'iptables'", file=sys.stderr) +- sys.exit(1) +- +-for e in ['ip6tables', 'iptables-restore', 'ip6tables-restore']: +- if not os.path.exists(os.path.join(iptables_dir, e)): +- print("ERROR: could not find required binary '%s'" % (e), file=sys.stderr) +- sys.exit(1) +- +-(rc, out) = cmd([iptables_exe, '-V']) +-if rc != 0: +- raise OSError(errno.ENOENT, "Could not find version for '%s'" % \ +- (iptables_exe)) +-version = re.sub('^v', '', re.split('\s', str(out))[1]) +-print("Found '%s' version '%s'" % (iptables_exe, version)) +-if version < "1.4": +- print("WARN: version '%s' has limited IPv6 support. See README for details." % (version), file=sys.stderr) +- ++iptables_dir = '/sbin' + setup (name='ufw', + version=ufw_version, + description='front-end for Linux firewalling', diff --git a/net-firewall/ufw/files/ufw-0.36.1-move-path.patch b/net-firewall/ufw/files/ufw-0.36.1-move-path.patch new file mode 100644 index 000000000000..8ace1edc1166 --- /dev/null +++ b/net-firewall/ufw/files/ufw-0.36.1-move-path.patch @@ -0,0 +1,124 @@ +--- a/doc/ufw-framework.8 2021-09-19 04:19:03.000000000 +0300 ++++ b/doc/ufw-framework.8 2022-06-27 17:14:11.292890569 +0300 +@@ -18,7 +18,7 @@ + parameters and configuration of IPv6. The framework consists of the following + files: + .TP +-#STATE_PREFIX#/ufw\-init ++#SHARE_DIR#/ufw\-init + initialization script + .TP + #CONFIG_PREFIX#/ufw/before.init +@@ -47,7 +47,7 @@ + + .SH "BOOT INITIALIZATION" + .PP +-\fBufw\fR is started on boot with #STATE_PREFIX#/ufw\-init. This script is a ++\fBufw\fR is started on boot with #SHARE_DIR#/ufw\-init. This script is a + standard SysV style initscript used by the \fBufw\fR command and should not be + modified. The #CONFIG_PREFIX#/before.init and #CONFIG_PREFIX#/after.init + scripts may be used to perform any additional firewall configuration that is +--- a/setup.py 2021-09-19 04:19:01.000000000 +0300 ++++ b/setup.py 2022-06-27 17:33:18.043794598 +0300 +@@ -54,7 +54,7 @@ + return + + real_confdir = os.path.join('/etc') +- real_statedir = os.path.join('/lib', 'ufw') ++ real_statedir = os.path.join('/etc', 'ufw', 'user') + real_prefix = self.prefix + if self.home != None: + real_confdir = self.home + real_confdir +@@ -131,14 +131,20 @@ + self.copy_file('doc/ufw.8', manpage) + self.copy_file('doc/ufw-framework.8', manpage_f) + +- # Install state files and helper scripts ++ # Install state files + statedir = real_statedir + if self.root != None: + statedir = self.root + real_statedir + self.mkpath(statedir) + +- init_helper = os.path.join(statedir, 'ufw-init') +- init_helper_functions = os.path.join(statedir, 'ufw-init-functions') ++ # Install helper scripts ++ sharedir = real_sharedir ++ if self.root != None: ++ sharedir = self.root + real_sharedir ++ self.mkpath(sharedir) ++ ++ init_helper = os.path.join(sharedir, 'ufw-init') ++ init_helper_functions = os.path.join(sharedir, 'ufw-init-functions') + self.copy_file('src/ufw-init', init_helper) + self.copy_file('src/ufw-init-functions', init_helper_functions) + +@@ -219,14 +225,19 @@ + f]) + + subprocess.call(["sed", ++ "-i", ++ "s%#SHARE_DIR#%" + real_sharedir + "%g", ++ f]) ++ ++ subprocess.call(["sed", + "-i", + "s%#VERSION#%" + ufw_version + "%g", + f]) + + # Install pristine copies of rules files +- sharedir = real_sharedir +- if self.root != None: +- sharedir = self.root + real_sharedir ++ #sharedir = real_sharedir ++ #if self.root != None: ++ # sharedir = self.root + real_sharedir + rulesdir = os.path.join(sharedir, 'iptables') + self.mkpath(rulesdir) + for f in [ before_rules, after_rules, \ +--- a/src/backend_iptables.py 2021-09-19 04:19:01.000000000 +0300 ++++ b/src/backend_iptables.py 2022-06-27 17:44:24.880445896 +0300 +@@ -37,6 +37,8 @@ + + files = {} + config_dir = _findpath(ufw.common.config_dir, datadir) ++ state_dir = _findpath(ufw.common.state_dir, datadir) ++ share_dir = _findpath(ufw.common.share_dir, datadir) + + files['rules'] = os.path.join(config_dir, 'ufw/user.rules') + files['before_rules'] = os.path.join(config_dir, 'ufw/before.rules') +@@ -48,8 +50,7 @@ + # the lock files (ufw.common.state_dir, aka /lib/ufw), but when set, + # ufw-init is in rootdir/lib/ufw (ro) and the lockfiles in + # datadir/lib/ufw (rw) +- files['init'] = os.path.join(_findpath(ufw.common.state_dir, rootdir), +- 'ufw-init') ++ files['init'] = os.path.join(share_dir, 'ufw-init') + + ufw.backend.UFWBackend.__init__(self, "iptables", dryrun, files, + rootdir=rootdir, datadir=datadir) +--- a/src/ufw-init 2021-09-19 03:50:19.000000000 +0300 ++++ b/src/ufw-init 2022-06-27 17:48:34.352545026 +0300 +@@ -31,10 +31,10 @@ + fi + export DATA_DIR="$datadir" + +-if [ -s "${rootdir}#STATE_PREFIX#/ufw-init-functions" ]; then +- . "${rootdir}#STATE_PREFIX#/ufw-init-functions" ++if [ -s "${rootdir}#SHARE_DIR#/ufw-init-functions" ]; then ++ . "${rootdir}#SHARE_DIR#/ufw-init-functions" + else +- echo "Could not find ${rootdir}#STATE_PREFIX#/ufw-init-functions (aborting)" ++ echo "Could not find ${rootdir}#SHARE_DIR#/ufw-init-functions (aborting)" + exit 1 + fi + +@@ -83,7 +83,7 @@ + fi + ;; + *) +- echo "Usage: #STATE_PREFIX#/ufw-init {start|stop|restart|force-reload|force-stop|flush-all|status}" ++ echo "Usage: #SHARE_DIR#/ufw-init {start|stop|restart|force-reload|force-stop|flush-all|status}" + exit 1 + ;; + esac diff --git a/net-firewall/ufw/files/ufw-0.36.1-shebang.patch b/net-firewall/ufw/files/ufw-0.36.1-shebang.patch new file mode 100644 index 000000000000..aaafaac12ae9 --- /dev/null +++ b/net-firewall/ufw/files/ufw-0.36.1-shebang.patch @@ -0,0 +1,15 @@ +--- a/setup.py 2019-03-21 01:51:55.751971770 +0300 ++++ b/setup.py 2019-03-21 01:54:40.142513567 +0300 +@@ -121,12 +121,6 @@ + for f in [ script, manpage, manpage_f ]: + self.mkpath(os.path.dirname(f)) + +- # update the interpreter to that of the one the user specified for setup +- print("Updating staging/ufw to use %s" % (sys.executable)) +- subprocess.call(["sed", +- "-i", +- "1s%^#.*python.*%#! /usr/bin/env " + sys.executable + "%g", +- 'staging/ufw']) + self.copy_file('staging/ufw', script) + self.copy_file('doc/ufw.8', manpage) + self.copy_file('doc/ufw-framework.8', manpage_f) diff --git a/net-firewall/ufw/ufw-0.36.1.ebuild b/net-firewall/ufw/ufw-0.36.1.ebuild new file mode 100644 index 000000000000..8eca27c146a6 --- /dev/null +++ b/net-firewall/ufw/ufw-0.36.1.ebuild @@ -0,0 +1,217 @@ +# Copyright 1999-2022 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +PYTHON_COMPAT=( python3_{8..11} ) +DISTUTILS_IN_SOURCE_BUILD=1 +DISTUTILS_USE_SETUPTOOLS=no + +inherit bash-completion-r1 distutils-r1 linux-info systemd + +DESCRIPTION="A program used to manage a netfilter firewall" +HOMEPAGE="https://launchpad.net/ufw"; +SRC_URI="https://launchpad.net/ufw/${PV%.*}/${PV}/+download/${P}.tar.gz"; + +LICENSE="GPL-3" +SLOT="0" +KEYWORDS="~amd64 ~arm ~arm64 ~ia64 ~ppc ~ppc64 ~riscv ~sparc ~x86" +IUSE="examples ipv6" + +RDEPEND="net-firewall/iptables[ipv6(+)?]" +BDEPEND="sys-devel/gettext" + +PATCHES=( + # Move files away from /lib/ufw. + "${FILESDIR}/${P}-move-path.patch" + # Remove unnecessary build time dependency on net-firewall/iptables. + "${FILESDIR}/${P}-dont-check-iptables.patch" + # Remove shebang modification. + "${FILESDIR}/${P}-shebang.patch" + # Fix bash completions, bug #526300 + "${FILESDIR}/${P}-bash-completion.patch" +) + +pkg_pretend() { + local CONFIG_CHECK="~PROC_FS + ~NETFILTER_XT_MATCH_COMMENT ~NETFILTER_XT_MATCH_HL + ~NETFILTER_XT_MATCH_LIMIT ~NETFILTER_XT_MATCH_MULTIPORT + ~NETFILTER_XT_MATCH_RECENT ~NETFILTER_XT_MATCH_STATE" + + if kernel_is -ge 2 6 39; then + CONFIG_CHECK+=" ~NETFILTER_XT_MATCH_ADDRTYPE" + else + CONFIG_CHECK+=" ~IP_NF_MATCH_ADDRTYPE" + fi + + # https://bugs.launchpad.net/ufw/+bug/1076050 + if kernel_is -ge 3 4; then + CONFIG_CHECK+=" ~NETFILTER_XT_TARGET_LOG" + else + CONFIG_CHECK+=" ~IP_NF_TARGET_LOG" + use ipv6 && CONFIG_CHECK+=" ~IP6_NF_TARGET_LOG" + fi + + CONFIG_CHECK+=" ~IP_NF_TARGET_REJECT" + use ipv6 && CONFIG_CHECK+=" ~IP6_NF_TARGET_REJECT" + + check_extra_config + + # Check for default, useful optional features. + if ! linux_config_exists; then + ewarn "Cannot determine configuration of your kernel." + return + fi + + local nf_nat_ftp_ok="yes" + local nf_conntrack_ftp_ok="yes" + local nf_conntrack_netbios_ns_ok="yes" + + linux_chkconfig_present \ + NF_NAT_FTP || nf_nat_ftp_ok="no" + linux_chkconfig_present \ + NF_CONNTRACK_FTP || nf_conntrack_ftp_ok="no" + linux_chkconfig_present \ + NF_CONNTRACK_NETBIOS_NS || nf_conntrack_netbios_ns_ok="no" + + # This is better than an essay for each unset option... + if [[ "${nf_nat_ftp_ok}" == "no" ]] || \ + [[ "${nf_conntrack_ftp_ok}" == "no" ]] || \ + [[ "${nf_conntrack_netbios_ns_ok}" == "no" ]]; then + echo + local mod_msg="Kernel options listed below are not set. They are not" + mod_msg+=" mandatory, but they are often useful." + mod_msg+=" If you don't need some of them, please remove relevant" + mod_msg+=" module name(s) from IPT_MODULES in" + mod_msg+=" '${EROOT}/etc/default/ufw' before (re)starting ufw." + mod_msg+=" Otherwise ufw may fail to start!" + ewarn "${mod_msg}" + if [[ "${nf_nat_ftp_ok}" == "no" ]]; then + ewarn "NF_NAT_FTP: for better support for active mode FTP." + fi + if [[ "${nf_conntrack_ftp_ok}" == "no" ]]; then + ewarn "NF_CONNTRACK_FTP: for better support for active mode FTP." + fi + if [[ "${nf_conntrack_netbios_ns_ok}" == "no" ]]; then + ewarn "NF_CONNTRACK_NETBIOS_NS: for better Samba support." + fi + fi +} + +python_prepare_all() { + # Set as enabled by default. User can enable or disable + # the service by adding or removing it to/from a runlevel. + sed -i 's/^ENABLED=no/ENABLED=yes/' conf/ufw.conf \ + || die "sed failed (ufw.conf)" + + sed -i "s/^IPV6=yes/IPV6=$(usex ipv6)/" conf/ufw.defaults || die + + # If LINGUAS is set install selected translations only. + if [[ -n ${LINGUAS+set} ]]; then + _EMPTY_LOCALE_LIST="yes" + pushd locales/po > /dev/null || die + + local lang + for lang in *.po; do + if ! has "${lang%.po}" ${LINGUAS}; then + rm "${lang}" || die + else + _EMPTY_LOCALE_LIST="no" + fi + done + + popd > /dev/null || die + else + _EMPTY_LOCALE_LIST="no" + fi + + distutils-r1_python_prepare_all +} + +python_install_all() { + newconfd "${FILESDIR}"/ufw.confd ufw + newinitd "${FILESDIR}"/ufw-2.initd ufw + systemd_dounit "${FILESDIR}/ufw.service" + + pushd "${ED}" || die + fperms -R 0644 etc/ufw/*.rules + popd || die + + exeinto /usr/share/${PN} + doexe tests/check-requirements + + # users normally would want it + insinto "/usr/share/doc/${PF}/logging/syslog-ng" + doins -r "${FILESDIR}"/syslog-ng/* + + insinto "/usr/share/doc/${PF}/logging/rsyslog" + doins -r "${FILESDIR}"/rsyslog/* + doins doc/rsyslog.example + + if use examples; then + insinto "/usr/share/doc/${PF}/examples" + doins -r examples/* + fi + newbashcomp shell-completion/bash "${PN}" + + [[ $_EMPTY_LOCALE_LIST != "yes" ]] && domo locales/mo/*.mo + + distutils-r1_python_install_all + python_replicate_script "${D}/usr/sbin/ufw" +} + +pkg_postinst() { + local print_check_req_warn + print_check_req_warn=false + + local found=() + local apps=( "net-firewall/arno-iptables-firewall" + "net-firewall/ferm" + "net-firewall/firehol" + "net-firewall/firewalld" + "net-firewall/ipkungfu" ) + + for exe in "${apps[@]}" + do + if has_version "${exe}"; then + found+=( "${exe}" ) + fi + done + + if [[ -n ${found} ]]; then + echo "" + ewarn "WARNING: Detected other firewall applications:" + ewarn "${found[@]}" + ewarn "If enabled, these applications may interfere with ufw!" + fi + + if [[ -z "${REPLACING_VERSIONS}" ]]; then + echo "" + elog "To enable ufw, add it to boot sequence and activate it:" + elog "-- # rc-update add ufw boot" + elog "-- # /etc/init.d/ufw start" + echo + elog "If you want to keep ufw logs in a separate file, take a look at" + elog "/usr/share/doc/${PF}/logging." + print_check_req_warn=true + else + local rv + for rv in "${REPLACING_VERSIONS}"; do + local major=${rv%%.*} + local minor=${rv#${major}.} + if [[ "${major}" -eq 0 && "${minor}" -lt 34 ]]; then + print_check_req_warn=true + fi + done + fi + if [[ "${print_check_req_warn}" == "true" ]]; then + echo + elog "/usr/share/ufw/check-requirements script is installed." + elog "It is useful for debugging problems with ufw. However one" + elog "should keep in mind that the script assumes IPv6 is enabled" + elog "on kernel and net-firewall/iptables, and fails when it's not." + fi + echo + ewarn "Note: once enabled, ufw blocks also incoming SSH connections by" + ewarn "default. See README, Remote Management section for more information." +}
