authorTony Vroon <chainsaw@gentoo.org>2014-01-24 16:11:19 +0000
committerTony Vroon <chainsaw@gentoo.org>2014-01-24 16:11:19 +0000
commit08aa7ca1702285a3245a96a87746a271a6699615 (patch)
tree955b54666154ae515ae9ff72011c903db77f548f /net-firewall
parentia64 stable wrt bug #496172 (diff)
Initial commit. Patches & ebuilds by dwfreed, with some minor tweaks by me.
(Portage version: 2.2.8-r1/cvs/Linux x86_64, signed Manifest commit with key 0xB5058F9A)
Diffstat (limited to 'net-firewall')
-rw-r--r--net-firewall/nftables/ChangeLog10
-rw-r--r--net-firewall/nftables/Manifest6
-rw-r--r--net-firewall/nftables/files/nftables-0.099-94300c7.patch22
-rw-r--r--net-firewall/nftables/files/nftables.8813
-rw-r--r--net-firewall/nftables/metadata.xml5
-rw-r--r--net-firewall/nftables/nftables-0.099.ebuild50
6 files changed, 906 insertions, 0 deletions
diff --git a/net-firewall/nftables/ChangeLog b/net-firewall/nftables/ChangeLog
new file mode 100644
index 000000000000..6dea44539bc5
--- /dev/null
+++ b/net-firewall/nftables/ChangeLog
@@ -0,0 +1,10 @@
+# ChangeLog for net-firewall/nftables
+# Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2
+# $Header: /var/cvsroot/gentoo-x86/net-firewall/nftables/ChangeLog,v 1.1 2014/01/24 16:11:19 chainsaw Exp $
+
+*nftables-0.099 (24 Jan 2014)
+
+ 24 Jan 2014; Tony Vroon <chainsaw@gentoo.org> +nftables-0.099.ebuild,
+ +files/nftables-0.099-94300c7.patch, +files/nftables.8, +metadata.xml:
+ Initial commit. Patches & ebuilds by dwfreed, with some minor tweaks by me.
+
diff --git a/net-firewall/nftables/Manifest b/net-firewall/nftables/Manifest
new file mode 100644
index 000000000000..7abd23803ca1
--- /dev/null
+++ b/net-firewall/nftables/Manifest
@@ -0,0 +1,6 @@
+AUX nftables-0.099-94300c7.patch 743 SHA256 60db6d9f106c3f92649a1d8653681b4fcaa93de501d238ec811e29e41568eae7 SHA512 8d21f0c720e662815678a338a5f2a275af9db97ea31a71473d83e8084d3138833772ef236d859223736b0dbfd506051640de548a2b91e98c770f36516d330f88 WHIRLPOOL 55cda592961edd9e11219ba3fcd94bf76aea7aaefa411a341b2a90036e01ad448ea44142a4d2f4109c66ca3fc6c12248511f00d90895f63f9488afefaf4a9907
+AUX nftables.8 9645 SHA256 bec3d7dcdc424691269852c9c322bb6ad770b6cfec4939920e32fa67ca8caac2 SHA512 aaf74c4bf0a854f3993b7ed5b9cecd436baa0bfc6b5ff119574d45c2504e5e772fc7cf41e1108b7f9cc013132c0bc0a86c6262cbfa870e639ad40ae93e25e4dc WHIRLPOOL e1c082fc3a56a9a0eb4782dfd9253857668052025d471e5124fc836246bc33b794f6d2293c46e2d5b0d8d1761b454ec8c21eb627ed95e97f07fe47f704dcdae2
+DIST nftables-0.099.tar.bz2 129351 SHA256 1a9e5f9e4d4790d69537c4d228676edc41a0890aea394e38233c351f694bf306 SHA512 5d54e1ca47544527768192776e3846254ff9af8aaa14bd6b3e2942deeedf424e62b9e1b68ab750c475ec1b2ddcf366e8a6c8ea79ad7319e8e2911890e270a2aa WHIRLPOOL 6f63be1c597719d10aade0d6c0fc3ec0a7320b960fa158d3cfbcc932b0057df2f12c3190d9e35cd29bf8c17c4c99bafbd175505ca617d740d9002dc8ac844e80
+EBUILD nftables-0.099.ebuild 995 SHA256 fb407c82d002c0cee1eafc9dd7547c8cfc25e06700e400494487176515dd2ee8 SHA512 7e02b5d609ef4b90f67eed7dca80d69595b3eb3d4764c58c03dbf331c5482ad49a55a48b5ef235c96233c3610636f030f691442635775256e650218e0c2c0fe8 WHIRLPOOL b9cf02e644498cd1f482742c2092bfc075ccb439608feeef9fa508b8d5c377d59da2cfb2732a502f9317001ab0ffee6cda2dbfb7a6154655ba117aedd9585cc3
+MISC ChangeLog 377 SHA256 5bc2d427501ee762fa37616f8e4133ed8fd0fdff607a0f4bf9708ee4d7dccc6f SHA512 04f176ed48b39c7c37769a3b986d33713e7a20f28c67bb684571378a5094002dbd3e3495011872e2f3a9ab8e1476c871d447265696a088b865b601d1b41c659a WHIRLPOOL 04ab9d5ba925661d5847ab918cecc3f977de10e39f80e2a8ba7c70c2185f36d2d3f61badf3740e2d2481a4b12ad26de1c350cebfb2ca53e8335d36c3dced91a0
+MISC metadata.xml 164 SHA256 f5f2891f2a4791cd31350bb2bb572131ad7235cd0eeb124c9912c187ac10ce92 SHA512 8eb0d5153d388f6ea069c64b93882244816a0a09aecc0d73cb872121ce0eb24c5ccafa96aad0b620b2300f319e1af101fa7fa6c5d0d561719d49bb07da0a2eca WHIRLPOOL 11a1441bddb7a6c69653c663902b7da5767ae6ad515ac2aabfc42fe37927a1ccc21472deeee454009ff720201a41c3e4a912df42661a0a87150fb46126da2d52
diff --git a/net-firewall/nftables/files/nftables-0.099-94300c7.patch b/net-firewall/nftables/files/nftables-0.099-94300c7.patch
new file mode 100644
index 000000000000..7e4850937ce0
--- /dev/null
+++ b/net-firewall/nftables/files/nftables-0.099-94300c7.patch
@@ -0,0 +1,22 @@
+From 94300c75fc3e113009e68e2ab9db91c31e99e9f4 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Mon, 20 Jan 2014 14:02:50 +0000
+Subject: build: use libnftnl instead of libnftables in configure.in
+
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+diff --git a/configure.ac b/configure.ac
+index b38295f..9f0d894 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -53,7 +53,7 @@ fi
+ AC_CHECK_LIB([mnl], [mnl_socket_open], ,
+ AC_MSG_ERROR([No suitable version of libmnl found]))
+
+-AC_CHECK_LIB([nftables], [nft_rule_alloc], ,
++AC_CHECK_LIB([nftnl], [nft_rule_alloc], ,
+ AC_MSG_ERROR([No suitable version of libnftnl found]))
+
+ AC_CHECK_LIB([gmp], [__gmpz_init], ,
+--
+cgit v0.9.2
\ No newline at end of file
diff --git a/net-firewall/nftables/files/nftables.8 b/net-firewall/nftables/files/nftables.8
new file mode 100644
index 000000000000..fd2476fe830d
--- /dev/null
+++ b/net-firewall/nftables/files/nftables.8
@@ -0,0 +1,813 @@
+'\" t -*- coding: us-ascii -*-
+.if \n(.g .ds T< \\FC
+.if \n(.g .ds T> \\F[\n[.fam]]
+.de URL
+\\$2 \(la\\$1\(ra\\$3
+..
+.if \n(.g .mso www.tmac
+.TH nftables 8 "22 January 2014" "" ""
+.SH NAME
+nftables \- Administration tool for packet filtering and classification
+.SH SYNOPSIS
+'nh
+.fi
+.ad l
+\fBnftables\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+[
+\fB-n/--numeric\fR
+] [
+\fB-I/--includepath\fR
+\fIdirectory\fR
+] [
+\fB-f/--file\fR
+\fIfilename\fR
+|
+\fB-i/--interactive\fR
+|
+\fIcmd\fR
+\&...]
+'in \n(.iu-\nxu
+.ad b
+'hy
+'nh
+.fi
+.ad l
+\fBnftables\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+[
+\fB-h/--help\fR
+] [
+\fB-v/--version\fR
+]
+'in \n(.iu-\nxu
+.ad b
+'hy
+.SH DESCRIPTION
+nftables is used to set up, maintain and inspect packet
+filtering and classification rules in the Linux kernel.
+.SH OPTIONS
+For a full summary of options, run \fBnftables --help\fR.
+.TP
+\*(T<\fB\-h/\-\-help\fR\*(T>
+Show help message and all options.
+.TP
+\*(T<\fB\-v/\-\-version\fR\*(T>
+Show version.
+.TP
+\*(T<\fB\-n/\-\-numeric\fR\*(T>
+Numeric output: IP addresses and other information
+that might need network traffic to resolve to symbolic names
+are shown numerically.
+.TP
+\*(T<\fB\-I/\-\-includepath \fR\*(T>\fIdirectory\fR
+Add the directory \fIdirectory\fR to the list of directories to by searched for included files.
+.TP
+\*(T<\fB\-f/\-\-file \fR\*(T>\fIfilename\fR
+Read input from \fIfilename\fR.
+.TP
+\*(T<\fB\-i/\-\-interactive\fR\*(T>
+Read input from an interactive readline CLI.
+.SH "INPUT FILE FORMAT"
+Input is parsed line-wise. When the last character of a line just before
+the newline character is a non-quoted backslash (\*(T<\e\*(T>),
+the newline is treated as a line continuation.
+.PP
+A \*(T<#\*(T> begins a comment. All following characters on
+the same line are ignored.
+.PP
+Other files can be included by using
+\fBinclude "\fIfilename\fB"\fR.
+.SH TABLES
+'nh
+.fi
+.ad l
+{add | delete | list | flush} \fBtable\fR [\fIfamily\fR] {\fItable\fR}
+.ad b
+'hy
+.PP
+Tables are containers for chains. They are identified by their family
+and their name. The family must be one of
+\*(T<ip\*(T>, \*(T<ip6\*(T>, \*(T<arp\*(T>, \*(T<bridge\*(T>.
+When no family is specified, \*(T<ip\*(T> is used by default.
+.TP
+\*(T<\fBadd\fR\*(T>
+Add a new table for the given family with the given name.
+.TP
+\*(T<\fBdelete\fR\*(T>
+Delete the specified table.
+.TP
+\*(T<\fBlist\fR\*(T>
+List all chains and rules of the specified table.
+.TP
+\*(T<\fBflush\fR\*(T>
+Flush all chains and rules of the specified table.
+.SH CHAINS
+'nh
+.fi
+.ad l
+{add} \fBchain\fR [\fIfamily\fR] {\fItable\fR} {\fIchain\fR} {\fIhook\fR} {\fIpriority\fR}
+.ad b
+'hy
+'nh
+.fi
+.ad l
+{add | delete | list | flush} \fBchain\fR [\fIfamily\fR] {\fItable\fR} {\fIchain\fR}
+.ad b
+'hy
+.PP
+Chains are containers for rules. They exist in two kinds,
+basechains and regular chains. A basecase is an entry point for
+packets from the networking stack, a regular chain may be used
+as jump target and is used for better rule organization.
+.TP
+\*(T<\fBadd\fR\*(T>
+Add a new chain in the specified table. When a hook and priority
+value are specified, the chain is created as a base chain and hooked
+up to the networking stack.
+.TP
+\*(T<\fBdelete\fR\*(T>
+Delete the specified chain.
+.TP
+\*(T<\fBlist\fR\*(T>
+List all rules of the specified chain.
+.TP
+\*(T<\fBflush\fR\*(T>
+Flush all rules of the specified chain.
+.SH RULES
+'nh
+.fi
+.ad l
+{add | delete} \fBrule\fR [\fIfamily\fR] {\fItable\fR} {\fIchain\fR} [handle \fIhandle\fR] {\fIstatement\fR}\&...
+.ad b
+'hy
+.PP
+Rules are constructed from two kinds of components according to a set
+of rules: expressions and statements. The lowest order expression is a
+primary expression, representing either a constant or a single datum
+from a packets payload, meta data or a stateful module. Primary expressions
+can be used as arguments to relational expressions (equality,
+set membership, ...) to construct match expressions.
+.SH "PRIMARY EXPRESSIONS"
+.SS "META EXPRESSIONS"
+A meta expression refers to meta data associated with a packet.
+.PP
+\fBMeta expressions\fR
+.TS
+allbox ;
+l | l | l.
+T{
+Keyword
+T} T{
+Description
+T} T{
+Type
+T}
+.T&
+l | l | l.
+T{
+length
+T} T{
+Length of the packet in bytes
+T} T{
+Numeric (32 bit)
+T}
+T{
+protocol
+T} T{
+Ethertype protocol value
+T} T{
+ethertype
+T}
+T{
+priority
+T} T{
+TC packet priority
+T} T{
+Numeric (32 bit)
+T}
+T{
+mark
+T} T{
+Packet mark
+T} T{
+packetmark
+T}
+T{
+iif
+T} T{
+Input interface index
+T} T{
+ifindex
+T}
+T{
+iifname
+T} T{
+Input interface name
+T} T{
+ifname
+T}
+T{
+iiftype
+T} T{
+Input interface hardware type
+T} T{
+hwtype
+T}
+T{
+oif
+T} T{
+Output interface index
+T} T{
+ifindex
+T}
+T{
+oifname
+T} T{
+Output interface name
+T} T{
+ifname
+T}
+T{
+oiftype
+T} T{
+Output interface hardware type
+T} T{
+hwtype
+T}
+T{
+skuid
+T} T{
+UID associated with originating socket
+T} T{
+uid
+T}
+T{
+skgid
+T} T{
+GID associated with originating socket
+T} T{
+gid
+T}
+T{
+rtclassid
+T} T{
+Routing realm
+T} T{
+realm
+T}
+.TE
+.PP
+\fBMeta expression specific types\fR
+.TS
+allbox ;
+l | l.
+T{
+Type
+T} T{
+Description
+T}
+.T&
+l | l.
+T{
+ifindex
+T} T{
+Interface index (32 bit number). Can be specified numerically
+or as name of an existing interface.
+T}
+T{
+ifname
+T} T{
+Interface name (16 byte string). Does not have to exist.
+T}
+T{
+uid
+T} T{
+User ID (32 bit number). Can be specified numerically or as
+user name.
+T}
+T{
+gid
+T} T{
+Group ID (32 bit number). Can be specified numerically or as
+group name.
+T}
+T{
+realm
+T} T{
+Routing Realm (32 bit number). Can be specified numerically
+or as symbolic name defined in /etc/iproute2/rt_realms.
+T}
+.TE
+.SS "PAYLOAD EXPRESSIONS"
+\fBEthernet header expression\fR
+.TS
+allbox ;
+l | l.
+T{
+Keyword
+T} T{
+Description
+T}
+.T&
+l | l
+l | l
+l | l.
+T{
+daddr
+T} T{
+Destination address
+T}
+T{
+saddr
+T} T{
+Source address
+T}
+T{
+type
+T} T{
+EtherType
+T}
+.TE
+.PP
+\fBVLAN header expression\fR
+.TS
+allbox ;
+l | l.
+T{
+Keyword
+T} T{
+Description
+T}
+.T&
+l | l.
+T{
+id
+T} T{
+VLAN ID (VID)
+T}
+T{
+cfi
+T} T{
+Canonical Format Indicator
+T}
+T{
+pcp
+T} T{
+Priority code point
+T}
+T{
+type
+T} T{
+EtherType
+T}
+.TE
+.PP
+\fBARP header expression\fR
+.TS
+allbox ;
+l | l.
+T{
+Keyword
+T} T{
+Description
+T}
+.T&
+l | l.
+T{
+htype
+T} T{
+ARP hardware type
+T}
+T{
+ptype
+T} T{
+EtherType
+T}
+T{
+hlen
+T} T{
+Hardware address len
+T}
+T{
+plen
+T} T{
+Protocol address len
+T}
+T{
+op
+T} T{
+Operation
+T}
+.TE
+.PP
+\fBIPv4 header expression\fR
+.TS
+allbox ;
+l | l.
+T{
+Keyword
+T} T{
+Description
+T}
+.T&
+l | l.
+T{
+version
+T} T{
+IP header version (4)
+T}
+T{
+hdrlength
+T} T{
+IP header length including options
+T}
+T{
+tos
+T} T{
+Type Of Service
+T}
+T{
+length
+T} T{
+Total packet length
+T}
+T{
+id
+T} T{
+IP ID
+T}
+T{
+frag-off
+T} T{
+Fragment offset
+T}
+T{
+ttl
+T} T{
+Time to live
+T}
+T{
+protocol
+T} T{
+Upper layer protocol
+T}
+T{
+checksum
+T} T{
+IP header checksum
+T}
+T{
+saddr
+T} T{
+Source address
+T}
+T{
+daddr
+T} T{
+Destination address
+T}
+.TE
+.PP
+\fBIPv6 header expression\fR
+.TS
+allbox ;
+l | l.
+T{
+Keyword
+T} T{
+Description
+T}
+.T&
+l | l.
+T{
+version
+T} T{
+IP header version (6)
+T}
+T{
+priority
+T} T{
+T}
+T{
+flowlabel
+T} T{
+T}
+T{
+length
+T} T{
+T}
+T{
+nexthdr
+T} T{
+Nexthdr protocol
+T}
+T{
+hoplimit
+T} T{
+T}
+T{
+saddr
+T} T{
+Source address
+T}
+T{
+daddr
+T} T{
+Destination address
+T}
+.TE
+.PP
+\fBSCTP header expression\fR
+.TS
+allbox ;
+l | l.
+T{
+Keyword
+T} T{
+Description
+T}
+.T&
+l | l.
+T{
+sport
+T} T{
+Source port
+T}
+T{
+dport
+T} T{
+Destination port
+T}
+T{
+vtag
+T} T{
+Verfication Tag
+T}
+T{
+checksum
+T} T{
+Checksum
+T}
+.TE
+.PP
+\fBDCCP header expression\fR
+.TS
+allbox ;
+l | l.
+T{
+Keyword
+T} T{
+Description
+T}
+.T&
+l | l
+l | l.
+T{
+sport
+T} T{
+Source port
+T}
+T{
+dport
+T} T{
+Destination port
+T}
+.TE
+.PP
+\fBTCP header expression\fR
+.TS
+allbox ;
+l | l.
+T{
+Keyword
+T} T{
+Description
+T}
+.T&
+l | l.
+T{
+sport
+T} T{
+Source port
+T}
+T{
+dport
+T} T{
+Destination port
+T}
+T{
+sequence
+T} T{
+Sequence number
+T}
+T{
+ackseq
+T} T{
+Acknowledgement number
+T}
+T{
+doff
+T} T{
+Data offset
+T}
+T{
+reserved
+T} T{
+Reserved area
+T}
+T{
+flags
+T} T{
+TCP flags
+T}
+T{
+window
+T} T{
+Window
+T}
+T{
+checksum
+T} T{
+Checksum
+T}
+T{
+urgptr
+T} T{
+Urgent pointer
+T}
+.TE
+.PP
+\fBUDP header expression\fR
+.TS
+allbox ;
+l | l.
+T{
+Keyword
+T} T{
+Description
+T}
+.T&
+l | l.
+T{
+sport
+T} T{
+Source port
+T}
+T{
+dport
+T} T{
+Destination port
+T}
+T{
+length
+T} T{
+Total packet length
+T}
+T{
+checksum
+T} T{
+Checksum
+T}
+.TE
+.PP
+\fBUDP-Lite header expression\fR
+.TS
+allbox ;
+l | l.
+T{
+Keyword
+T} T{
+Description
+T}
+.T&
+l | l.
+T{
+sport
+T} T{
+Source port
+T}
+T{
+dport
+T} T{
+Destination port
+T}
+T{
+cscov
+T} T{
+Checksum coverage
+T}
+T{
+checksum
+T} T{
+Checksum
+T}
+.TE
+.PP
+\fBAH header expression\fR
+.TS
+allbox ;
+l | l.
+T{
+Keyword
+T} T{
+Description
+T}
+.T&
+l | l.
+T{
+nexthdr
+T} T{
+Next header protocol
+T}
+T{
+hdrlength
+T} T{
+AH Header length
+T}
+T{
+reserved
+T} T{
+Reserved area
+T}
+T{
+spi
+T} T{
+Security Parameter Index
+T}
+T{
+sequence
+T} T{
+Sequence number
+T}
+.TE
+.PP
+\fBESP header expression\fR
+.TS
+allbox ;
+l | l.
+T{
+Keyword
+T} T{
+Description
+T}
+.T&
+l | l
+l | l.
+T{
+spi
+T} T{
+Security Parameter Index
+T}
+T{
+sequence
+T} T{
+Sequence number
+T}
+.TE
+.PP
+\fBIPComp header expression\fR
+.TS
+allbox ;
+l | l.
+T{
+Keyword
+T} T{
+Description
+T}
+.T&
+l | l
+l | l
+l | l.
+T{
+nexthdr
+T} T{
+Next header protocol
+T}
+T{
+flags
+T} T{
+Flags
+T}
+T{
+cfi
+T} T{
+Compression Parameter Index
+T}
+.TE
+.SH "EXIT STATUS"
+On success, nftables exits with a status of 0. Unspecified
+errors cause it to exit with a status of 1, memory allocation
+errors with a status of 2.
+.SH "SEE ALSO"
+iptables(8), ip6tables(8), arptables(8), ebtables(8), ip(8), tc(8)
+.SH AUTHORS
+nftables was written by Patrick McHardy.
+.SH COPYRIGHT
+Copyright \(co 2008 Patrick McHardy <\*(T<kaber@trash.net\*(T>>
+.PP
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 2 as
+published by the Free Software Foundation.
diff --git a/net-firewall/nftables/metadata.xml b/net-firewall/nftables/metadata.xml
new file mode 100644
index 000000000000..96a2d586367d
--- /dev/null
+++ b/net-firewall/nftables/metadata.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+<herd>base-system</herd>
+</pkgmetadata>
diff --git a/net-firewall/nftables/nftables-0.099.ebuild b/net-firewall/nftables/nftables-0.099.ebuild
new file mode 100644
index 000000000000..22347f7e2d3c
--- /dev/null
+++ b/net-firewall/nftables/nftables-0.099.ebuild
@@ -0,0 +1,50 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-firewall/nftables/nftables-0.099.ebuild,v 1.1 2014/01/24 16:11:19 chainsaw Exp $
+
+EAPI=5
+
+inherit autotools base linux-info
+
+DESCRIPTION="Linux kernel (3.13+) firewall, NAT and packet mangling tools"
+HOMEPAGE="http://netfilter.org/projects/nftables/"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+IUSE="debug"
+SRC_URI="http://netfilter.org/projects/${PN}/files/${P}.tar.bz2"
+
+RDEPEND="net-libs/libmnl
+ >=net-libs/libnftnl-1.0.0-r2
+ dev-libs/gmp
+ sys-libs/readline"
+DEPEND="${RDEPEND}
+ sys-devel/bison
+ sys-devel/flex"
+PATCHES=( "${FILESDIR}/nftables-0.099-94300c7.patch" )
+
+pkg_setup() {
+ if kernel_is ge 3 13; then
+ CONFIG_CHECK="~NF_TABLES"
+ linux-info_pkg_setup
+ else
+ eerror "This package requires kernel version 3.13 or newer to work properly."
+ fi
+}
+
+src_prepare() {
+ base_src_prepare
+ eautoreconf
+}
+
+src_configure() {
+ econf \
+ --sbindir="${EPREFIX}"/sbin \
+ $(use_enable debug)
+}
+
+src_install() {
+ default
+ doman "${FILESDIR}"/nftables.8
+}
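Review bot: In `pkg_setup`, the `else` branch reports a kernel older than 3.13 with `eerror` but does not stop, so the package still builds and installs where, by its own message, it cannot work properly; for a firewall tool that may leave an administrator believing a ruleset can be loaded when it cannot. Either make the condition fatal by adding `die "kernel 3.13 or newer is required"` after the `eerror`, or, if installing ahead of a kernel upgrade is intended, use `ewarn` instead and state that intent in a comment above the check. `CONFIG_CHECK="~NF_TABLES"` is only evaluated in the `ge 3 13` branch, and the `~` prefix makes a missing option a warning rather than a failure, so nothing in this function currently blocks an unusable install. Separately, `SRC_URI` fetches the tarball over plain `http://`, so the `DIST` hashes in the Manifest are the only integrity check on the download; prefer an `https://` URL if upstream serves one.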