author | Kerin Millar <kfm@plushkava.net> | 2023-03-09 20:11:14 +0200 |
---|---|---|
committer | Sam James <sam@gentoo.org> | 2023-03-10 03:51:39 +0000 |
commit | 40de849d06e7fce4c95bc436399aa04310af7812 (patch) | |
tree | 01648fb58453ae2106ab7cbb719e8edc043782f1 /net-firewall | |
parent | app-containers/cosign: add 2.0.0 (diff) | |
download | gentoo-40de849d06e7fce4c95bc436399aa04310af7812.tar.gz gentoo-40de849d06e7fce4c95bc436399aa04310af7812.tar.bz2 gentoo-40de849d06e7fce4c95bc436399aa04310af7812.zip |
net-firewall/nftables: Don't test iptables-nft rulesets in pkg_preinst()
Rulesets generated by iptables-nft are special in nature and will not
always be printed in a way that constitutes a valid syntax for nft(8).
Consider the following example in which iptables-nft would ideally have
generated a native rule that specifies "reject with tcp reset". Instead,
it generated a rule that integrates with an xtables target.
    # iptables-nft -S
    -A INPUT -j REJECT --reject-with tcp-reset

    # nft list ruleset
    # Warning: table ip filter is managed by iptables-nft, do not touch!
    table ip filter {
        chain INPUT {
            type filter hook input priority filter; policy accept;
            counter packets 0 bytes 0 xt target REJECT
        }
    }
Simply ignore the ruleset in the case that it appears to have been
generated by iptables-nft.
Signed-off-by: Kerin Millar <kfm@plushkava.net>
Signed-off-by: Sam James <sam@gentoo.org>
Diffstat (limited to 'net-firewall')
-rw-r--r-- | net-firewall/nftables/nftables-1.0.6.ebuild | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/net-firewall/nftables/nftables-1.0.6.ebuild b/net-firewall/nftables/nftables-1.0.6.ebuild index e434040260a7..69e3d6988f20 100644 --- a/net-firewall/nftables/nftables-1.0.6.ebuild +++ b/net-firewall/nftables/nftables-1.0.6.ebuild @@ -167,8 +167,21 @@ src_install() { } pkg_preinst() { + local stderr + if [[ -d /sys/module/nf_tables ]] && [[ -x /sbin/nft ]] && [[ -z ${ROOT} ]]; then - if ! /sbin/nft -t list ruleset | "${ED}"/sbin/nft -c -f -; then + # Check the current loaded ruleset, if any, using the newly + # built instance of nft(8). + if ! stderr=$(umask 177; /sbin/nft -t list ruleset 2>&1 >"${T}"/ruleset.nft); then + # Report errors induced by trying to list the ruleset + # but don't treat them as being fatal. + printf '%s\n' "${stderr}" >&2 + elif [[ ${stderr} == *"is managed by iptables-nft"* ]]; then + # Rulesets generated by iptables-nft are special in + # nature and will not always be printed in a way that + # constitutes a valid syntax for ntf(8). Ignore them. + return + elif ! "${ED}"/sbin/nft -c -f "${T}"/ruleset.nft; then eerror "Your currently loaded ruleset cannot be parsed by the newly built instance of" eerror "nft. This probably means that there is a regression introduced by v${PV}." eerror "(To make the ebuild fail instead of warning, set NFTABLES_ABORT_ON_RELOAD_FAILURE=1.)" |
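Review bot: the `return` in the `elif [[ ${stderr} == *"is managed by iptables-nft"* ]]` branch leaves pkg_preinst() altogether rather than only skipping the syntax check, so any work that follows this if-block in the function would be skipped for iptables-nft-managed systems; if there is such work below the hunk, a no-op branch (`then :`) or folding the test into the final `elif` condition would keep the rest of the function running. The detection itself keys on the exact stderr text "is managed by iptables-nft", which ties the ebuild to that wording in the running nft; a short comment noting that dependency would help the next person who sees the check silently stop matching. Minor: the new comment reads "valid syntax for ntf(8)" and should say "nft(8)". The `stderr=$(umask 177; /sbin/nft -t list ruleset 2>&1 >"${T}"/ruleset.nft)` construction is correct as written: the umask is confined to the subshell, stdout goes to the 0600 ruleset file and only stderr is captured, so warnings are never fed to the parser.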