commit:     40de849d06e7fce4c95bc436399aa04310af7812
Author:     Kerin Millar <kfm <AT> plushkava <DOT> net>
AuthorDate: Thu Mar  9 18:11:14 2023 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Fri Mar 10 03:51:39 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=40de849d

net-firewall/nftables: Don't test iptables-nft rulesets in pkg_preinst()

Rulesets generated by iptables-nft are special in nature and will not
always be printed in a way that constitutes a valid syntax for nft(8).
Consider the following example in which iptables-nft would ideally have
generated a native rule that specifies "reject with tcp reset". Instead,
it generated a rule that integrates with an xtables target.

# iptables-nft -S
-A INPUT -j REJECT --reject-with tcp-reset

# nft list ruleset
# Warning: table ip filter is managed by iptables-nft, do not touch!
table ip filter {
        chain INPUT {
                type filter hook input priority filter; policy accept;
                counter packets 0 bytes 0 xt target REJECT
        }
}

Simply ignore the ruleset in the case that it appears to have been
generated by iptables-nft.

Signed-off-by: Kerin Millar <kfm <AT> plushkava.net>
Signed-off-by: Sam James <sam <AT> gentoo.org>

 net-firewall/nftables/nftables-1.0.6.ebuild | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/net-firewall/nftables/nftables-1.0.6.ebuild 
b/net-firewall/nftables/nftables-1.0.6.ebuild
index e434040260a7..69e3d6988f20 100644
--- a/net-firewall/nftables/nftables-1.0.6.ebuild
+++ b/net-firewall/nftables/nftables-1.0.6.ebuild
@@ -167,8 +167,21 @@ src_install() {
 }
 
 pkg_preinst() {
+       local stderr
+
        if [[ -d /sys/module/nf_tables ]] && [[ -x /sbin/nft ]] && [[ -z 
${ROOT} ]]; then
-               if ! /sbin/nft -t list ruleset | "${ED}"/sbin/nft -c -f -; then
+               # Check the current loaded ruleset, if any, using the newly
+               # built instance of nft(8).
+               if ! stderr=$(umask 177; /sbin/nft -t list ruleset 2>&1 
>"${T}"/ruleset.nft); then
+                       # Report errors induced by trying to list the ruleset
+                       # but don't treat them as being fatal.
+                       printf '%s\n' "${stderr}" >&2
+               elif [[ ${stderr} == *"is managed by iptables-nft"* ]]; then
+                       # Rulesets generated by iptables-nft are special in
+                       # nature and will not always be printed in a way that
+                       # constitutes a valid syntax for ntf(8). Ignore them.
+                       return
+               elif ! "${ED}"/sbin/nft -c -f "${T}"/ruleset.nft; then
                        eerror "Your currently loaded ruleset cannot be parsed 
by the newly built instance of"
                        eerror "nft. This probably means that there is a 
regression introduced by v${PV}."
                        eerror "(To make the ebuild fail instead of warning, 
set NFTABLES_ABORT_ON_RELOAD_FAILURE=1.)"
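Review bot: The `elif [[ ${stderr} == *"is managed by iptables-nft"* ]]` branch skips the parse check for the entire ruleset as soon as any one table is flagged, so on a host that mixes iptables-nft-managed tables with native nft tables a regression in the native part goes undetected; the comment above the `return` should state this coarseness, e.g. `# One iptables-nft managed table disables the check for the whole ruleset.`. That bare `return` also bypasses anything pkg_preinst does after this if/elif chain, which continues past the hunk; if later steps exist, an `ewarn` plus falling through to the closing `fi` would be safer than leaving the function early. The same comment misspells the tool: `ntf(8)` should read `nft(8)`. The redirection `2>&1 >"${T}"/ruleset.nft` is correct (diagnostics captured in `$stderr`, listing written to the mode-0600 file thanks to `umask 177`) but easy to misread, so a trailing comment such as `# stderr -> $stderr, listing -> file` would help the next reader.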
