Attachment #374300 for bug #506390




use conntrack instead of state
https://bugs.launchpad.net/ufw/+bug/1065297

This is a version for ufw 0.31.1.
diff --git a/conf/before.rules b/conf/before.rules
index bc11f36..9917b87 100644
--- a/conf/before.rules
+++ b/conf/before.rules
@@ -22,12 +22,12 @@
 -A ufw-before-output -o lo -j ACCEPT
 
 # quickly process packets for which we already have a connection
--A ufw-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT
--A ufw-before-output -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 
 # drop INVALID packets (logs these in loglevel medium and higher)
--A ufw-before-input -m state --state INVALID -j ufw-logging-deny
--A ufw-before-input -m state --state INVALID -j DROP
+-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
+-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
 
 # ok icmp codes
 -A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
diff --git a/conf/before6.rules b/conf/before6.rules
index fb1a8f1..8b7e4ff 100644
--- a/conf/before6.rules
+++ b/conf/before6.rules
@@ -34,16 +34,16 @@
 -A ufw6-before-input -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
 
 # quickly process packets for which we already have a connection
--A ufw6-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT
--A ufw6-before-output -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A ufw6-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A ufw6-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 
 # for multicast ping replies from link-local addresses (these don't have an
 # associated connection and would otherwise be marked INVALID)
 -A ufw6-before-input -p icmpv6 --icmpv6-type echo-reply -s fe80::/10 -j ACCEPT
 
 # drop INVALID packets (logs these in loglevel medium and higher)
--A ufw6-before-input -m state --state INVALID -j ufw6-logging-deny
--A ufw6-before-input -m state --state INVALID -j DROP
+-A ufw6-before-input -m conntrack --ctstate INVALID -j ufw6-logging-deny
+-A ufw6-before-input -m conntrack --ctstate INVALID -j DROP
 
 # ok icmp codes
 -A ufw6-before-input -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
diff --git a/doc/ufw-framework.8 b/doc/ufw-framework.8
index d9e3d5a..bfc83e2 100644
--- a/doc/ufw-framework.8
+++ b/doc/ufw-framework.8
@@ -167,9 +167,9 @@ Edit #CONFIG_PREFIX#/ufw/sysctl.conf to have:
  net.ipv4.ip_forward=1
 .TP
 Add to the *filter section of #CONFIG_PREFIX#/ufw/before.rules:
- \-A ufw\-before\-forward \-m state \-\-state RELATED,ESTABLISHED \\
+ \-A ufw\-before\-forward \-m conntrack \-\-ctstate RELATED,ESTABLISHED \\
    \-j ACCEPT
- \-A ufw\-before\-forward \-m state \-\-state NEW \-i eth0 \\
+ \-A ufw\-before\-forward \-m conntrack \-\-ctstate NEW \-i eth0 \\
    \-d 10.0.0.2 \-p tcp \-\-dport 80 \-j ACCEPT
 .TP
 Add to the end of #CONFIG_PREFIX#/ufw/before.rules, after the *filter section:
@@ -209,13 +209,13 @@ Edit #CONFIG_PREFIX#/ufw/sysctl.conf to have:
   net.ipv4.ip_forward=1
 .TP
 Add to the *filter section of #CONFIG_PREFIX#/ufw/before.rules:
- \-A ufw\-before\-forward \-m state \-\-state RELATED,ESTABLISHED \\
+ \-A ufw\-before\-forward \-m conntrack \-\-ctstate RELATED,ESTABLISHED \\
    \-j ACCEPT
 
- \-A ufw\-before\-forward \-i eth1 \-s 10.0.0.0/8 \-o eth0 \-m state \\
-   \-\-state NEW \-j ACCEPT
+ \-A ufw\-before\-forward \-i eth1 \-s 10.0.0.0/8 \-o eth0 \-m conntrack \\
+   \-\-ctstate NEW \-j ACCEPT
 
- \-A ufw\-before\-forward \-m state \-\-state NEW \-i eth0 \\
+ \-A ufw\-before\-forward \-m conntrack \-\-ctstate NEW \-i eth0 \\
    \-d 10.0.0.2 \-p tcp \-\-dport 80 \-j ACCEPT
 
  \-A ufw\-before\-forward \-o eth0 \-d 10.0.0.0/8 \-j REJECT
diff --git a/src/backend_iptables.py b/src/backend_iptables.py
index 340beba..4459a3b 100644
--- a/src/backend_iptables.py
+++ b/src/backend_iptables.py
@@ -551,7 +551,7 @@ class UFWBackendIptables(ufw.backend.UFWBackend):
                 lstr = '%s -j LOG --log-prefix "[UFW %s] "' % (limit_args, \
                        policy)
                 if not pat_logall.search(s):
-                    lstr = '-m state --state NEW ' + lstr
+                    lstr = '-m conntrack --ctstate NEW ' + lstr
                 snippets[i] = pat_log.sub(r'\1-j \2\4', s)
                 snippets.insert(i, pat_log.sub(r'\1-j ' + prefix + \
                                                '-user-logging-' + suffix, s))
@@ -567,9 +567,9 @@ class UFWBackendIptables(ufw.backend.UFWBackend):
         pat_limit = re.compile(r' -j LIMIT')
         for i, s in enumerate(snippets):
             if pat_limit.search(s):
-                tmp1 = pat_limit.sub(' -m state --state NEW -m recent --set', \
+                tmp1 = pat_limit.sub(' -m conntrack --ctstate NEW -m recent --set', \
                                      s)
-                tmp2 = pat_limit.sub(' -m state --state NEW -m recent' + \
+                tmp2 = pat_limit.sub(' -m conntrack --ctstate NEW -m recent' + \
                                      ' --update --seconds 30 --hitcount 6' + \
                                      ' -j ' + prefix + '-user-limit', s)
                 tmp3 = pat_limit.sub(' -j ' + prefix + '-user-limit-accept', s)
@@ -1178,12 +1178,12 @@ class UFWBackendIptables(ufw.backend.UFWBackend):
                     prefix = "[UFW BLOCK] "
                     if self.loglevels[level] < self.loglevels["medium"]:
                         # only log INVALID in medium and higher
-                        rules_t.append([c, ['-I', c, '-m', 'state', \
-                                            '--state', 'INVALID', \
+                        rules_t.append([c, ['-I', c, '-m', 'conntrack', \
+                                            '--ctstate', 'INVALID', \
                                             '-j', 'RETURN'] + largs, ''])
                     else:
-                        rules_t.append([c, ['-A', c, '-m', 'state', \
-                                            '--state', 'INVALID', \
+                        rules_t.append([c, ['-A', c, '-m', 'conntrack', \
+                                            '--ctstate', 'INVALID', \
                                             '-j', 'LOG', \
                                             '--log-prefix', \
                                             "[UFW AUDIT INVALID] "] + \
@@ -1202,7 +1202,7 @@ class UFWBackendIptables(ufw.backend.UFWBackend):
 
             # loglevel medium logs all new packets with limit
             if self.loglevels[level] < self.loglevels["high"]:
-                largs = ['-m', 'state', '--state', 'NEW'] + limit_args
+                largs = ['-m', 'conntrack', '--ctstate', 'NEW'] + limit_args
 
             prefix = "[UFW AUDIT] "
             for c in self.chains['before']:
diff --git a/src/ufw-init-functions b/src/ufw-init-functions
index f4783e7..c5e0319 100755
--- a/src/ufw-init-functions
+++ b/src/ufw-init-functions
@@ -251,15 +251,15 @@ ufw_start() {
             # add tracking policy
             if [ "$DEFAULT_INPUT_POLICY" = "ACCEPT" ]; then
                 printf "*filter\n"\
-"-A ufw${type}-track-input -p tcp -m state --state NEW -j ACCEPT\n"\
-"-A ufw${type}-track-input -p udp -m state --state NEW -j ACCEPT\n"\
+"-A ufw${type}-track-input -p tcp -m conntrack --ctstate NEW -j ACCEPT\n"\
+"-A ufw${type}-track-input -p udp -m conntrack --ctstate NEW -j ACCEPT\n"\
 "COMMIT\n" | $exe-restore -n || error="yes"
             fi
 
             if [ "$DEFAULT_OUTPUT_POLICY" = "ACCEPT" ]; then
                 printf "*filter\n"\
-"-A ufw${type}-track-output -p tcp -m state --state NEW -j ACCEPT\n"\
-"-A ufw${type}-track-output -p udp -m state --state NEW -j ACCEPT\n"\
+"-A ufw${type}-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT\n"\
+"-A ufw${type}-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT\n"\
 "COMMIT\n" | $exe-restore -n || error="yes"
             fi
 
diff --git a/tests/check-requirements b/tests/check-requirements
index dbb26ec..d3ad1f8 100755
--- a/tests/check-requirements
+++ b/tests/check-requirements
@@ -152,32 +152,32 @@ for i in "" 6; do
     done
 
     echo -n "hashlimit: "
-    runcmd $exe -A $c -m hashlimit -m tcp -p tcp --dport 22 --hashlimit 1/min --hashlimit-mode srcip --hashlimit-name ssh -m state --state NEW -j ACCEPT
+    runcmd $exe -A $c -m hashlimit -m tcp -p tcp --dport 22 --hashlimit 1/min --hashlimit-mode srcip --hashlimit-name ssh -m conntrack --ctstate NEW -j ACCEPT
 
     echo -n "limit: "
     runcmd $exe -A $c -m limit --limit 3/min --limit-burst 10 -j ACCEPT
 
     for j in NEW RELATED ESTABLISHED INVALID; do
         echo -n "state ($j): "
-        runcmd $exe -A $c -m state --state $j
+        runcmd $exe -A $c -m conntrack --ctstate $j
     done
 
     echo -n "state (new, recent set): "
     if [ "$i" = "6" ]; then
         echo "skipped -- IPv6 'limit' not supported by ufw yet"
     else
-        runcmd $exe -A $c -m state --state NEW -m recent --set
+        runcmd $exe -A $c -m conntrack --ctstate NEW -m recent --set
     fi
 
     echo -n "state (new, recent update): "
     if [ "$i" = "6" ]; then
         echo "skipped -- IPv6 'limit' not supported by ufw yet"
     else
-        runcmd $exe -A $c -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ACCEPT
+        runcmd $exe -A $c -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ACCEPT
     fi
 
     echo -n "state (new, limit): "
-    runcmd $exe -A $c -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j ACCEPT
+    runcmd $exe -A $c -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j ACCEPT
 
     echo -n "interface (input): "
     runcmd $exe -A $c -i eth0 -j ACCEPT

Lines 1-187 Link Here

(-)ufw.orig/files/ufw-0.33-conntrack.patch (-3 lines)
1	use conntrack instead of state
2	https://bugs.launchpad.net/ufw/+bug/1065297
3	diff -urp ufw-0.33.orig/conf/before6.rules ufw-0.33/conf/before6.rules

Lines 1-45 Link Here

(-)ufw.orig/files/ufw-dont-check-iptables.patch




-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

AUX rsyslog/ufw.logrotate 178 SHA256 02d1a00ca68446fbe056a4c3aede319f77b3262e26092cc04ea46de8923d03f8 SHA512 d381a34b23d8656c316af69c07d49042d6c4def4cea3e51367210bce20681376fd0259a95b6b9403171c5d80732927a8880f3d401e13e6f76b505324eecb146b WHIRLPOOL 10b63f8966ad7ad0894a18216a0102fc8a102b14c8f9fb468a4a8d61ae13b1ec3176c7bb9ffb852f8aaa4ac7874584a8f8f5a2d6e98fa3fb56f5945e9bd99139
AUX syslog-ng/syslog-ng.example 381 SHA256 70a795c1b20e2cdef38565d74b9de042c6666f860a2fd1b3bdc6f31dd451bc68 SHA512 f48d2487679fe179ea216bb4259affbf5ab4c86725b45942581ada8dac24dd0c978f755182805ff5350ab169972fcee7bb54a6d14df760d4b5f62c485af1e49e WHIRLPOOL 44874c68257b6f9a53e7fd1affc6ccf2492d9ec09a4700a17239fb3e413e2dcf2ede87eafb1e253d965c27a1c5ead36c413c8c84ec3ed55f5cf2191b927aacbe
AUX syslog-ng/ufw.logrotate 269 SHA256 cddd86613bde19b45f0f935c65bb43721f69aefc14e7d629612b23ea3b5c5c97 SHA512 22d89f04b68a8b4deeb60aca263239255dd01b9c6e6d23a5d77514daf7bb9dc3910a28cfe9c606f70d2a50f0365bb19c3cf00c5859ee2630c00f0df451ee9c5d WHIRLPOOL 5da4f8c615667d829ea4eb318ec01b712adf69002dcf8c3df7deba8fa3e49e426b1c00e468805ba571ed2f2ce05fa81b7e2ac83e7231de3f3305d6ce190264e5
AUX ufw-0.31.1-conntrack.patch 9842 SHA256 e91af8e88c896fd2e05b4143f361a72bc8ae78c8ab0c5afb8a26ea416f7bb631 SHA512 c7fab58aec12f47a492e8ad94e2ffbb471daf6292b6c9272396754cc25a6d2a164f3c383fd7e933a0d624d55a5b4b7a385a1fd31ef74162b7e819284c25a4fd7 WHIRLPOOL 96aa69e0aad4df20b14231edda6434f95be144d302484ef71bec4b6d6d4518714a852d1844d5aa33eaa7845a70659ab42006881297eecc5237f7c93b3907af9b
AUX ufw-0.31.1-move-path.patch 7071 SHA256 88a7b20696b731bac01b3c5d88b0353842b1228d3239cfebe1f2a47c1bdb6768 SHA512 66382ded35437e563c874dc01417a2735a2aa136a1e670fd3707c3311516a6d9a0e62a20679a4f5dcaa2edc0225535cf2410d7f86676b1e10eb309ecc3e24bc2 WHIRLPOOL 89e3165900def8380cade3eb62fc351be9e43c8055f4b71c356f3aa5356b0c57154e18485d94e0ca86462da7c55b1b4755de379a88f1958d313b93c0ec723715
AUX ufw-0.31.1-python-abis.patch 1872 SHA256 1e3094135d71e7e7129b2d268d79c73990f0a6f61f2bb6456d3f3654b4975463 SHA512 fbe65a6775426c66cd82382e62eea3a2179d68a0b6c617cc468e7076e2f58493baffde686b65e6bf3a89ea7fdda48a5a42d152b1be388c943408532f47d4402a WHIRLPOOL 62e68d1ef8aaa4963765599ca6701af18bcdef8f6a20607ce433b5294baa9c5ba75b3d41266d9a8bd82febe3a3ac75c6fcb2326fbc5cafa31634ec96a4407b10
AUX ufw-0.33-conntrack.patch 10055 SHA256 e034feba3bdeca0d4e9aed0555d88838e49804542174b988f9a7fbf8b8dc759d SHA512 7de6358ec0bf6696c4c26aab2729b9160e16ce44a67b5b634ad935fb4bf218b1b79d599f9d679f8f2a147861d865a098729fe3dbc0db110135bf5a78acfd6d53 WHIRLPOOL a3d543abf0ac1d6ca11a4754ab296c9e6f28809e8b746986524aa5d0e162f78d5a5abd586ff172618e8d79354c43429de3cc0b0e9a3d1bf91d662071c3cd2cfc
AUX ufw-0.33-dont-check-iptables.patch 1659 SHA256 8a3ae20d399e83aa9c779dfed1f65d99b277263681b1a3e7e9e86143d5fabd0a SHA512 8f92d4b79f1caf01cb97ec64014c7607a410fb0a36e5e87376707c026d714a060ae554591b6e5b3834b671acd4145dcca68a9373aa41051ef60c9dd409dd008d WHIRLPOOL 8f897654bde85d84b17dc32507c5a469fe04eb2201acb55bfd02a76346620399dbcb9c7d0ce19f48285f6eec5de0a5d96420483d6a0b7a4c31a41fa329f91180
AUX ufw-2.initd 2722 SHA256 657b5305923b2a5de9eb96931aaaa28d6e997ace6c40793d905887798094258c SHA512 54cb84ae5ce2c327a7a7b03deeed3d7507a4716ce929aa563d4fb5baa9aa73d95575ec7d5db7165345310869bd5a60b1033c6691f02a85ab94baa6b4a550daa7 WHIRLPOOL c19a21c93f0c63165715e8da4ab9b16a4596ccc3730118c1bbd7eb4de9a94b2b1475904818a2786b2490a07dee7d761da28ca6dc087926c27598d691cb333ce6
AUX ufw-dont-check-iptables.patch 1572 SHA256 2ea0f9525baa82386690577525631f468e56a0fbde0e7e5a65fba36c922ea96f SHA512 c072e924ed5c7df37d89dd9dc8ecb9a52f16fcd962a31d97f45cecefb971adcceabff183bec386be29f44942d12f8bce595ff4203e390ce464627458843b19cb WHIRLPOOL a1ee6799042353f32a1746b14017403994d60dc1ba7e67581ebdff3d93e37e72c7224708d2c0d1bef25ce311ad5c647cd5f0fa62ea4da60321e47f922f64c54d
AUX ufw.confd 219 SHA256 069aa7382b40aecebf26ef53f3f4c49890314e0357925c84b3c15f1d0b913be0 SHA512 a010532c97b9cf83f1fb5fa707228e0542a8b109c76e5942aaf2d6552c63e033d32e39e5a6ac87cb9e2ed4c3fdbc5d03c75127e6378665e592b143bc1eda52c7 WHIRLPOOL e6c4537392921c63f8a57fab7ea269fbeea846468ef8968816d988556557495e8abb77aee9d60648a1483a599683613cf5ea832cbcf498a8828baa9abcd31752
AUX ufw.service 329 SHA256 1c600d9b9425485a0536fdf77a39fbf94bfcaade686789d6c4f3f1aac08ffe69 SHA512 a365e704ca958c83c86f8a6b1623ce3f9ad72dcfb0cfc7758bfc787e0877f897ccf8b200db83df17130ca5dcc54f938178b8cabfe3ee0c0896c814ee7d2439c7 WHIRLPOOL a00069a5582b9c52b5ff9a9c88b03294140dd06596ea0fbcbd0e7f6de016b1eed97840728c932a82f18762c84c9e8849f86ee504b49931420f2d097bb9b0ebd6
DIST ufw-0.31.1.tar.gz 322448 SHA256 ccf5e00aa76841b9467ad9506fbf96373fb24a4b26bffd858ea1eb2522491dcb SHA512 3c9e61be7ba18ccdbd8195517f0b74a418b460f91b6efcdf0d883fc1dca2bc376ee317836882b67d2fd4825c2e5374d9c6a5da3d77f98794b64c98071d3ac0dc WHIRLPOOL 35064e73f892d6a94413f3560f5f0af945c972b673da4980af0a60576cc641810a74d76ed196935abaf9c2b395c2cc7250b6d27e710e284cbf2df014a6f0820d
DIST ufw-0.33.tar.gz 332893 SHA256 5f85a8084ad3539b547bec097286948233188c971f498890316dec170bdd1da8 SHA512 a908d0a2c74bedef418b28f1701048bc9281f314ff747fb1e9497ddee341dbf86402215c470b605523b03a12b2dec812cd7342c310c04231dbed5b6f8e783309 WHIRLPOOL bdd09fbdc2514061b6971e06fa05d6fee04e29c2cecf0c12b237349071e88d188aa8a7bd5c54f5cf3cccd4ddf8d2e3d2bb6ed0db92538b7d76cea471d74848c1
DIST ufw-0.34_pre805.tar.gz 335875 SHA256 a78693da04720f9f7eb463447b940eed18c3e2c20d3de336ebf9bf821dfdac2f SHA512 b8bba3bb8c423070d6434d1df7274423edf3a356415f54c6448fa0ff2d13a4b2ac21c4bb627cba01d6955b04f793eeaf2fc535c6221e7de48f11bef745035263 WHIRLPOOL 5e5238925d928e883c9869b3b72a7a04ad18352ebbcb5fead9b14c7bb5225f1bbae613d9117ceb5e9d435e1ca1f1d0d033bbdf673896990eda5efcb7a7d04829
EBUILD ufw-0.31.1-r2.ebuild 5587 SHA256 8ff4d7fcf67686d85b18cc094c19c7625d9e980f3c6747cca04c796c3c997e3a SHA512 ecea06b997f91cbed3500e84678c65a3ecd6eca9acfc877888ddabf6d4cbefd95a8f8c66f5f9185c5d4a06d92a31b7780bc4adfaefffb4ec4b6907d49fb2edbb WHIRLPOOL da35894ce419296a4ad415f05f84fbdea701200be55bcf8acd975a040fa6e1eb983d6e27f2ee31290e6c7b30803d19accf2470015aa4c331ee3d1615dab09903
EBUILD ufw-0.33-r2.ebuild 5665 SHA256 77e14c04d236925a4608a55307dea92c137583a304d4cf685f87bcc114b3f26d SHA512 4614dcb6fd4f8d102fe344e7eac1f46d0c8ea8ed7153edd67111aab58e1f8c9ac37208da7fd5472dc6bad0081788d181e4062d58481f963663e9c9bc0993e043 WHIRLPOOL 6711f39ca765009e1a545787b18e11b67ec92a4dd11245c753b636c7ea865dbbbbd974fb542532f26a3dc119c0db0a3dc929549109b4b8fc5a6e76700c1ccdee
EBUILD ufw-0.34_pre805.ebuild 5415 SHA256 2a5191348122b729d4cefccb4f65e9714c704e61afff25dcedc530e12284c5a2 SHA512 378e32a0e135eafc33cb2134a26a0fa9590b86d9abd8008bb7086d0739a0e106f36cc127069d5145659dce9607734b6344804dc0b3914ae7efdc867885c1b504 WHIRLPOOL 13cdf52c7824fd06d407e0e3bd8333fda9dc7f6af2164b6cfe1ed95fab4ddf313df347c86793ee9e4d26b805bcd7118e4c38cce4cee2041ea5fe15900f51a788
MISC ChangeLog 3412 SHA256 e40b5094a14577b02edf32e128c1007ffb3ed1e3428fd92752746bddd4031cfc SHA512 891a4f1369ae1926e65f4744544142f70c7ebb7ec9d1ac4d9f421f9c848e863743b2b593447c16b67bc30f1bb55b8ffae65e0d297344e09142cc0d36ffa1b536 WHIRLPOOL c360c1bb16cec63b6b8bcae25d5959427bcac9ac82186ab1f4b585c26ae0771179a026f8112e7ed9672cc6364d612a3a866e20180aeb65c6e4d592574309ac53
MISC metadata.xml 568 SHA256 0fea99101adbd93b9a644642cf668a7cb5d6392c840b66b4c8aca504985c4033 SHA512 5ac4c205a5df4c0bf11f22d442457c5a50535ebf007fb01bb07e9480f9d854eb053bdd220519e37e0602e1d3ec0043bab7e1865bf9c2e8339b76538719285e96 WHIRLPOOL 122348f9b736392521b10685d03ce3105abec78c8a1378ed1e1b86f9bf6097b1b6be66ce172e1cc92e813c21c8722a4f44e52ee63bfd2c327c9e2c844faf1d13
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)

iEYEAREIAAYFAlGZ51wACgkQfaj9zK3JFuU8agCfaSghPqtPnfhwkx1lEMazNSq5
iyEAnjHVFS+FmCLVkeQ5tpq6WzXjjixH
=Uc3e
-----END PGP SIGNATURE-----




# Copyright 1999-2013 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/net-firewall/ufw/ufw-0.31.1-r2.ebuild,v 1.2 2013/05/20 09:05:50 lxnay Exp $

EAPI=4
PYTHON_DEPEND="2:2.5"
SUPPORT_PYTHON_ABIS="1"
RESTRICT_PYTHON_ABIS="3.* *-jython"

inherit versionator bash-completion-r1 eutils linux-info distutils systemd

MY_PV_12=$(get_version_component_range 1-2)
DESCRIPTION="A program used to manage a netfilter firewall"
HOMEPAGE="http://launchpad.net/ufw"
SRC_URI="http://launchpad.net/ufw/${MY_PV_12}/${PV}/+download/${P}.tar.gz"

LICENSE="GPL-3"
SLOT="0"
KEYWORDS="~amd64 ~x86"
IUSE="examples ipv6"

DEPEND="sys-devel/gettext"
RDEPEND=">=net-firewall/iptables-1.4[ipv6?]
	!<kde-misc/kcm-ufw-0.4.2
	!<net-firewall/ufw-frontends-0.3.2
"

# tests fail; upstream bug: https://bugs.launchpad.net/ufw/+bug/815982
RESTRICT="test"

pkg_pretend() {
	local CONFIG_CHECK="~PROC_FS
		~NETFILTER_XT_MATCH_COMMENT ~NETFILTER_XT_MATCH_HL
		~NETFILTER_XT_MATCH_LIMIT ~NETFILTER_XT_MATCH_MULTIPORT
		~NETFILTER_XT_MATCH_RECENT ~NETFILTER_XT_MATCH_STATE"

	if kernel_is -ge 2 6 39; then
		CONFIG_CHECK+=" ~NETFILTER_XT_MATCH_ADDRTYPE"
	else
		CONFIG_CHECK+=" ~IP_NF_MATCH_ADDRTYPE"
	fi

	check_extra_config

	# Check for default, useful optional features.
	if ! linux_config_exists; then
		ewarn "Cannot determine configuration of your kernel."
		return
	fi

	local nf_nat_ftp_ok="yes"
	local nf_conntrack_ftp_ok="yes"
	local nf_conntrack_netbios_ns_ok="yes"

	linux_chkconfig_present \
		NF_NAT_FTP || nf_nat_ftp_ok="no"
	linux_chkconfig_present \
		NF_CONNTRACK_FTP || nf_conntrack_ftp_ok="no"
	linux_chkconfig_present \
		NF_CONNTRACK_NETBIOS_NS || nf_conntrack_netbios_ns_ok="no"

	# This is better than an essay for each unset option...
	if [[ ${nf_nat_ftp_ok} = no ]] || [[ ${nf_conntrack_ftp_ok} = no ]] \
		|| [[ ${nf_conntrack_netbios_ns_ok} = no ]]
	then
		echo
		local mod_msg="Kernel options listed below are not set. They are not"
		mod_msg+=" mandatory, but they are often useful."
		mod_msg+=" If you don't need some of them, please remove relevant"
		mod_msg+=" module name(s) from IPT_MODULES in"
		mod_msg+=" '${EROOT}etc/default/ufw' before (re)starting ufw."
		mod_msg+=" Otherwise ufw may fail to start!"
		ewarn "${mod_msg}"
		if [[ ${nf_nat_ftp_ok} = no ]]; then
			ewarn "NF_NAT_FTP: for better support for active mode FTP."
		fi
		if [[ ${nf_conntrack_ftp_ok} = no ]]; then
			ewarn "NF_CONNTRACK_FTP: for better support for active mode FTP."
		fi
		if [[ ${nf_conntrack_netbios_ns_ok} = no ]]; then
			ewarn "NF_CONNTRACK_NETBIOS_NS: for better Samba support."
		fi
	fi
}

src_prepare() {
	# Remove warning about 'state' being obsolete in iptables 1.4.16.2.
	epatch "${FILESDIR}"/${P}-conntrack.patch
	# Allow to remove unnecessary build time dependency
	# on net-firewall/iptables.
	epatch "${FILESDIR}"/${PN}-dont-check-iptables.patch
	# Move files away from /lib/ufw.
	epatch "${FILESDIR}"/${P}-move-path.patch
	# Contains fixes related to SUPPORT_PYTHON_ABIS="1" (see comment in the
	# file).
	epatch "${FILESDIR}"/${P}-python-abis.patch

	# Set as enabled by default. User can enable or disable
	# the service by adding or removing it to/from a runlevel.
	sed -i 's/^ENABLED=no/ENABLED=yes/' conf/ufw.conf \
		|| die "sed failed (ufw.conf)"

	sed -i "s/^IPV6=yes/IPV6=$(usex ipv6)/" conf/ufw.defaults || die

	# If LINGUAS is set install selected translations only.
	if [[ -n ${LINGUAS+set} ]]; then
		_EMPTY_LOCALE_LIST="yes"
		pushd locales/po > /dev/null || die

		local lang
		for lang in *.po; do
			if ! has "${lang%.po}" ${LINGUAS}; then
				rm "${lang}" || die
			else
				_EMPTY_LOCALE_LIST="no"
			fi
		done

		popd > /dev/null || die
	else
		_EMPTY_LOCALE_LIST="no"
	fi
}

src_install() {
	newconfd "${FILESDIR}"/ufw.confd ufw
	newinitd "${FILESDIR}"/ufw-2.initd ufw
	systemd_dounit "${FILESDIR}/ufw.service"

	exeinto /usr/share/${PN}
	doexe tests/check-requirements

	# users normally would want it
	insinto /usr/share/doc/${PF}/logging/syslog-ng
	doins "${FILESDIR}"/syslog-ng/*

	insinto /usr/share/doc/${PF}/logging/rsyslog
	doins "${FILESDIR}"/rsyslog/*
	doins doc/rsyslog.example

	if use examples; then
		insinto /usr/share/doc/${PF}/examples
		doins examples/*
	fi
	distutils_src_install
	[[ $_EMPTY_LOCALE_LIST != yes ]] && domo locales/mo/*.mo
	newbashcomp shell-completion/bash ${PN}
}

pkg_postinst() {
	distutils_pkg_postinst
	if [[ -z ${REPLACING_VERSIONS} ]]; then
		echo
		elog "To enable ufw, add it to boot sequence and activate it:"
		elog "-- # rc-update add ufw boot"
		elog "-- # /etc/init.d/ufw start"
		echo
		elog "If you want to keep ufw logs in a separate file, take a look at"
		elog "/usr/share/doc/${PF}/logging."
	fi
	# Make sure it gets displayed also when one downgrades from >= 0.33*,
	# because this message isn't displayed for 0.33* (and possibly newer
	# ones in the future) as it's not relevant there.
	if [[ -z ${REPLACING_VERSIONS} ]] \
		|| [[ ${REPLACING_VERSIONS} = 0.33 ]] \
		|| [[ ${REPLACING_VERSIONS} > 0.33 ]] \
		|| [[ ${REPLACING_VERSIONS} < 0.31.1-r2 ]]
	then
		echo
		elog "Starting from ufw-0.31.1-r2, /usr/share/ufw/check-requirements"
		elog "script is installed. It is useful for debugging problems with"
		elog "ufw. However one should keep in mind that the script assumes"
		elog "IPv6 is enabled on kernel and net-firewall/iptables,"
		elog "and fails when it's not."
	fi
	echo
	ewarn "Note: once enabled, ufw blocks also incoming SSH connections by"
	ewarn "default. See README, Remote Management section for more information."
}




# Copyright 1999-2013 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/net-firewall/ufw/ufw-0.33-r2.ebuild,v 1.2 2013/05/20 09:05:50 lxnay Exp $

EAPI=4
PYTHON_DEPEND="2:2.6 3:3.1"
SUPPORT_PYTHON_ABIS="1"
RESTRICT_PYTHON_ABIS="2.5 *-jython"

inherit versionator bash-completion-r1 eutils linux-info distutils systemd

MY_PV_12=$(get_version_component_range 1-2)
DESCRIPTION="A program used to manage a netfilter firewall"
HOMEPAGE="http://launchpad.net/ufw"
SRC_URI="http://launchpad.net/ufw/${MY_PV_12}/${PV}/+download/${P}.tar.gz"

LICENSE="GPL-3"
SLOT="0"
KEYWORDS="~amd64 ~x86"
IUSE="examples"

DEPEND="sys-devel/gettext"
# ipv6 forced: bug 437266
RDEPEND=">=net-firewall/iptables-1.4[ipv6]
	!<kde-misc/kcm-ufw-0.4.2
	!<net-firewall/ufw-frontends-0.3.2
"

# tests fail; upstream bug: https://bugs.launchpad.net/ufw/+bug/815982
RESTRICT="test"

pkg_pretend() {
	local CONFIG_CHECK="~PROC_FS
		~NETFILTER_XT_MATCH_COMMENT ~NETFILTER_XT_MATCH_HL
		~NETFILTER_XT_MATCH_LIMIT ~NETFILTER_XT_MATCH_MULTIPORT
		~NETFILTER_XT_MATCH_RECENT ~NETFILTER_XT_MATCH_STATE"

	if kernel_is -ge 2 6 39; then
		CONFIG_CHECK+=" ~NETFILTER_XT_MATCH_ADDRTYPE"
	else
		CONFIG_CHECK+=" ~IP_NF_MATCH_ADDRTYPE"
	fi

	check_extra_config

	# Check for default, useful optional features.
	if ! linux_config_exists; then
		ewarn "Cannot determine configuration of your kernel."
		return
	fi

	if ! linux_chkconfig_present IPV6; then
		echo
		ewarn "This version of ufw requires that IPv6 is enabled."
		ewarn "If you don't want it, install ${CATEGORY}/${PN}-0.31.1."
		ewarn "More information can be found in bug 437266."
	fi

	local nf_nat_ftp_ok="yes"
	local nf_conntrack_ftp_ok="yes"
	local nf_conntrack_netbios_ns_ok="yes"

	linux_chkconfig_present \
		NF_NAT_FTP || nf_nat_ftp_ok="no"
	linux_chkconfig_present \
		NF_CONNTRACK_FTP || nf_conntrack_ftp_ok="no"
	linux_chkconfig_present \
		NF_CONNTRACK_NETBIOS_NS || nf_conntrack_netbios_ns_ok="no"

	# This is better than an essay for each unset option...
	if [[ ${nf_nat_ftp_ok} = no ]] || [[ ${nf_conntrack_ftp_ok} = no ]] \
		|| [[ ${nf_conntrack_netbios_ns_ok} = no ]]
	then
		echo
		local mod_msg="Kernel options listed below are not set. They are not"
		mod_msg+=" mandatory, but they are often useful."
		mod_msg+=" If you don't need some of them, please remove relevant"
		mod_msg+=" module name(s) from IPT_MODULES in"
		mod_msg+=" '${EROOT}etc/default/ufw' before (re)starting ufw."
		mod_msg+=" Otherwise ufw may fail to start!"
		ewarn "${mod_msg}"
		if [[ ${nf_nat_ftp_ok} = no ]]; then
			ewarn "NF_NAT_FTP: for better support for active mode FTP."
		fi
		if [[ ${nf_conntrack_ftp_ok} = no ]]; then
			ewarn "NF_CONNTRACK_FTP: for better support for active mode FTP."
		fi
		if [[ ${nf_conntrack_netbios_ns_ok} = no ]]; then
			ewarn "NF_CONNTRACK_NETBIOS_NS: for better Samba support."
		fi
	fi
}

src_prepare() {
	# Remove warning about 'state' being obsolete in iptables 1.4.16.2.
	epatch "${FILESDIR}"/${P}-conntrack.patch
	# Allow to remove unnecessary build time dependency
	# on net-firewall/iptables.
	epatch "${FILESDIR}"/${P}-dont-check-iptables.patch
	# Move files away from /lib/ufw.
	epatch "${FILESDIR}"/${PN}-0.31.1-move-path.patch
	# Contains fixes related to SUPPORT_PYTHON_ABIS="1" (see comment in the
	# file).
	epatch "${FILESDIR}"/${PN}-0.31.1-python-abis.patch

	# Set as enabled by default. User can enable or disable
	# the service by adding or removing it to/from a runlevel.
	sed -i 's/^ENABLED=no/ENABLED=yes/' conf/ufw.conf \
		|| die "sed failed (ufw.conf)"

	#sed -i "s/^IPV6=yes/IPV6=$(usex ipv6)/" conf/ufw.defaults || die

	# If LINGUAS is set install selected translations only.
	if [[ -n ${LINGUAS+set} ]]; then
		_EMPTY_LOCALE_LIST="yes"
		pushd locales/po > /dev/null || die

		local lang
		for lang in *.po; do
			if ! has "${lang%.po}" ${LINGUAS}; then
				rm "${lang}" || die
			else
				_EMPTY_LOCALE_LIST="no"
			fi
		done

		popd > /dev/null || die
	else
		_EMPTY_LOCALE_LIST="no"
	fi
}

src_install() {
	newconfd "${FILESDIR}"/ufw.confd ufw
	newinitd "${FILESDIR}"/ufw-2.initd ufw
	systemd_dounit "${FILESDIR}/ufw.service"

	exeinto /usr/share/${PN}
	doexe tests/check-requirements

	# users normally would want it
	insinto /usr/share/doc/${PF}/logging/syslog-ng
	doins "${FILESDIR}"/syslog-ng/*

	insinto /usr/share/doc/${PF}/logging/rsyslog
	doins "${FILESDIR}"/rsyslog/*
	doins doc/rsyslog.example

	if use examples; then
		insinto /usr/share/doc/${PF}/examples
		doins examples/*
	fi
	distutils_src_install
	[[ $_EMPTY_LOCALE_LIST != yes ]] && domo locales/mo/*.mo
	newbashcomp shell-completion/bash ${PN}
}

pkg_postinst() {
	distutils_pkg_postinst
	if [[ -z ${REPLACING_VERSIONS} ]]; then
		echo
		elog "To enable ufw, add it to boot sequence and activate it:"
		elog "-- # rc-update add ufw boot"
		elog "-- # /etc/init.d/ufw start"
		echo
		elog "If you want to keep ufw logs in a separate file, take a look at"
		elog "/usr/share/doc/${PF}/logging."
	fi
	if [[ -z ${REPLACING_VERSIONS} ]] \
		|| [[ ${REPLACING_VERSIONS} < 0.33-r2 ]];
	then
		# etc-update etc. should show when the file needs updating
		# but let's inform about the change
		echo
		elog "Because of bug 437266 this version doesn't have ipv6 USE"
		elog "flag, so in case it's needed, please adjust 'IPV6' setting"
		elog "in /etc/default/ufw manually. (IPv6 is enabled there by default.)"
		# TODO: add message about check-requirements script when this
		# bug is fixed
	fi
	echo
	ewarn "Note: once enabled, ufw blocks also incoming SSH connections by"
	ewarn "default. See README, Remote Management section for more information."
}

Return to bug 506390

Lines 1-201 Link Here

(-)ufw.orig/files/ufw-0.31.1-conntrack.patch (-201 lines)
1	use conntrack instead of state
2	https://bugs.launchpad.net/ufw/+bug/1065297
3
4	This is a version for ufw 0.31.1.
5	diff --git a/conf/before.rules b/conf/before.rules
6	index bc11f36..9917b87 100644
7	--- a/conf/before.rules
8	+++ b/conf/before.rules
9	@@ -22,12 +22,12 @@
10	-A ufw-before-output -o lo -j ACCEPT
11
12	# quickly process packets for which we already have a connection
13	--A ufw-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT
14	--A ufw-before-output -m state --state RELATED,ESTABLISHED -j ACCEPT
15	+-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
16	+-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
17
18	# drop INVALID packets (logs these in loglevel medium and higher)
19	--A ufw-before-input -m state --state INVALID -j ufw-logging-deny
20	--A ufw-before-input -m state --state INVALID -j DROP
21	+-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
22	+-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
23
24	# ok icmp codes
25	-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
26	diff --git a/conf/before6.rules b/conf/before6.rules
27	index fb1a8f1..8b7e4ff 100644
28	--- a/conf/before6.rules
29	+++ b/conf/before6.rules
30	@@ -34,16 +34,16 @@
31	-A ufw6-before-input -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
32
33	# quickly process packets for which we already have a connection
34	--A ufw6-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT
35	--A ufw6-before-output -m state --state RELATED,ESTABLISHED -j ACCEPT
36	+-A ufw6-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
37	+-A ufw6-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
38
39	# for multicast ping replies from link-local addresses (these don't have an
40	# associated connection and would otherwise be marked INVALID)
41	-A ufw6-before-input -p icmpv6 --icmpv6-type echo-reply -s fe80::/10 -j ACCEPT
42
43	# drop INVALID packets (logs these in loglevel medium and higher)
44	--A ufw6-before-input -m state --state INVALID -j ufw6-logging-deny
45	--A ufw6-before-input -m state --state INVALID -j DROP
46	+-A ufw6-before-input -m conntrack --ctstate INVALID -j ufw6-logging-deny
47	+-A ufw6-before-input -m conntrack --ctstate INVALID -j DROP
48
49	# ok icmp codes
50	-A ufw6-before-input -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
51	diff --git a/doc/ufw-framework.8 b/doc/ufw-framework.8
52	index d9e3d5a..bfc83e2 100644
53	--- a/doc/ufw-framework.8
54	+++ b/doc/ufw-framework.8
55	@@ -167,9 +167,9 @@ Edit #CONFIG_PREFIX#/ufw/sysctl.conf to have:
56	net.ipv4.ip_forward=1
57	.TP
58	Add to the *filter section of #CONFIG_PREFIX#/ufw/before.rules:
59	- \-A ufw\-before\-forward \-m state \-\-state RELATED,ESTABLISHED \\
60	+ \-A ufw\-before\-forward \-m conntrack \-\-ctstate RELATED,ESTABLISHED \\
61	\-j ACCEPT
62	- \-A ufw\-before\-forward \-m state \-\-state NEW \-i eth0 \\
63	+ \-A ufw\-before\-forward \-m conntrack \-\-ctstate NEW \-i eth0 \\
64	\-d 10.0.0.2 \-p tcp \-\-dport 80 \-j ACCEPT
65	.TP
66	Add to the end of #CONFIG_PREFIX#/ufw/before.rules, after the *filter section:
67	@@ -209,13 +209,13 @@ Edit #CONFIG_PREFIX#/ufw/sysctl.conf to have:
68	net.ipv4.ip_forward=1
69	.TP
70	Add to the *filter section of #CONFIG_PREFIX#/ufw/before.rules:
71	- \-A ufw\-before\-forward \-m state \-\-state RELATED,ESTABLISHED \\
72	+ \-A ufw\-before\-forward \-m conntrack \-\-ctstate RELATED,ESTABLISHED \\
73	\-j ACCEPT
74
75	- \-A ufw\-before\-forward \-i eth1 \-s 10.0.0.0/8 \-o eth0 \-m state \\
76	- \-\-state NEW \-j ACCEPT
77	+ \-A ufw\-before\-forward \-i eth1 \-s 10.0.0.0/8 \-o eth0 \-m conntrack \\
78	+ \-\-ctstate NEW \-j ACCEPT
79
80	- \-A ufw\-before\-forward \-m state \-\-state NEW \-i eth0 \\
81	+ \-A ufw\-before\-forward \-m conntrack \-\-ctstate NEW \-i eth0 \\
82	\-d 10.0.0.2 \-p tcp \-\-dport 80 \-j ACCEPT
83
84	\-A ufw\-before\-forward \-o eth0 \-d 10.0.0.0/8 \-j REJECT
85	diff --git a/src/backend_iptables.py b/src/backend_iptables.py
86	index 340beba..4459a3b 100644
87	--- a/src/backend_iptables.py
88	+++ b/src/backend_iptables.py
89	@@ -551,7 +551,7 @@ class UFWBackendIptables(ufw.backend.UFWBackend):
90	lstr = '%s -j LOG --log-prefix "[UFW %s] "' % (limit_args, \
91	policy)
92	if not pat_logall.search(s):
93	- lstr = '-m state --state NEW ' + lstr
94	+ lstr = '-m conntrack --ctstate NEW ' + lstr
95	snippets[i] = pat_log.sub(r'\1-j \2\4', s)
96	snippets.insert(i, pat_log.sub(r'\1-j ' + prefix + \
97	'-user-logging-' + suffix, s))
98	@@ -567,9 +567,9 @@ class UFWBackendIptables(ufw.backend.UFWBackend):
99	pat_limit = re.compile(r' -j LIMIT')
100	for i, s in enumerate(snippets):
101	if pat_limit.search(s):
102	- tmp1 = pat_limit.sub(' -m state --state NEW -m recent --set', \
103	+ tmp1 = pat_limit.sub(' -m conntrack --ctstate NEW -m recent --set', \
104	s)
105	- tmp2 = pat_limit.sub(' -m state --state NEW -m recent' + \
106	+ tmp2 = pat_limit.sub(' -m conntrack --ctstate NEW -m recent' + \
107	' --update --seconds 30 --hitcount 6' + \
108	' -j ' + prefix + '-user-limit', s)
109	tmp3 = pat_limit.sub(' -j ' + prefix + '-user-limit-accept', s)
110	@@ -1178,12 +1178,12 @@ class UFWBackendIptables(ufw.backend.UFWBackend):
111	prefix = "[UFW BLOCK] "
112	if self.loglevels[level] < self.loglevels["medium"]:
113	# only log INVALID in medium and higher
114	- rules_t.append([c, ['-I', c, '-m', 'state', \
115	- '--state', 'INVALID', \
116	+ rules_t.append([c, ['-I', c, '-m', 'conntrack', \
117	+ '--ctstate', 'INVALID', \
118	'-j', 'RETURN'] + largs, ''])
119	else:
120	- rules_t.append([c, ['-A', c, '-m', 'state', \
121	- '--state', 'INVALID', \
122	+ rules_t.append([c, ['-A', c, '-m', 'conntrack', \
123	+ '--ctstate', 'INVALID', \
124	'-j', 'LOG', \
125	'--log-prefix', \
126	"[UFW AUDIT INVALID] "] + \
127	@@ -1202,7 +1202,7 @@ class UFWBackendIptables(ufw.backend.UFWBackend):
128
129	# loglevel medium logs all new packets with limit
130	if self.loglevels[level] < self.loglevels["high"]:
131	- largs = ['-m', 'state', '--state', 'NEW'] + limit_args
132	+ largs = ['-m', 'conntrack', '--ctstate', 'NEW'] + limit_args
133
134	prefix = "[UFW AUDIT] "
135	for c in self.chains['before']:
136	diff --git a/src/ufw-init-functions b/src/ufw-init-functions
137	index f4783e7..c5e0319 100755
138	--- a/src/ufw-init-functions
139	+++ b/src/ufw-init-functions
140	@@ -251,15 +251,15 @@ ufw_start() {
141	# add tracking policy
142	if [ "$DEFAULT_INPUT_POLICY" = "ACCEPT" ]; then
143	printf "*filter\n"\
144	-"-A ufw${type}-track-input -p tcp -m state --state NEW -j ACCEPT\n"\
145	-"-A ufw${type}-track-input -p udp -m state --state NEW -j ACCEPT\n"\
146	+"-A ufw${type}-track-input -p tcp -m conntrack --ctstate NEW -j ACCEPT\n"\
147	+"-A ufw${type}-track-input -p udp -m conntrack --ctstate NEW -j ACCEPT\n"\
148	"COMMIT\n" \| $exe-restore -n \|\| error="yes"
149	fi
150
151	if [ "$DEFAULT_OUTPUT_POLICY" = "ACCEPT" ]; then
152	printf "*filter\n"\
153	-"-A ufw${type}-track-output -p tcp -m state --state NEW -j ACCEPT\n"\
154	-"-A ufw${type}-track-output -p udp -m state --state NEW -j ACCEPT\n"\
155	+"-A ufw${type}-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT\n"\
156	+"-A ufw${type}-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT\n"\
157	"COMMIT\n" \| $exe-restore -n \|\| error="yes"
158	fi
159
160	diff --git a/tests/check-requirements b/tests/check-requirements
161	index dbb26ec..d3ad1f8 100755
162	--- a/tests/check-requirements
163	+++ b/tests/check-requirements
164	@@ -152,32 +152,32 @@ for i in "" 6; do
165	done
166
167	echo -n "hashlimit: "
168	- runcmd $exe -A $c -m hashlimit -m tcp -p tcp --dport 22 --hashlimit 1/min --hashlimit-mode srcip --hashlimit-name ssh -m state --state NEW -j ACCEPT
169	+ runcmd $exe -A $c -m hashlimit -m tcp -p tcp --dport 22 --hashlimit 1/min --hashlimit-mode srcip --hashlimit-name ssh -m conntrack --ctstate NEW -j ACCEPT
170
171	echo -n "limit: "
172	runcmd $exe -A $c -m limit --limit 3/min --limit-burst 10 -j ACCEPT
173
174	for j in NEW RELATED ESTABLISHED INVALID; do
175	echo -n "state ($j): "
176	- runcmd $exe -A $c -m state --state $j
177	+ runcmd $exe -A $c -m conntrack --ctstate $j
178	done
179
180	echo -n "state (new, recent set): "
181	if [ "$i" = "6" ]; then
182	echo "skipped -- IPv6 'limit' not supported by ufw yet"
183	else
184	- runcmd $exe -A $c -m state --state NEW -m recent --set
185	+ runcmd $exe -A $c -m conntrack --ctstate NEW -m recent --set
186	fi
187
188	echo -n "state (new, recent update): "
189	if [ "$i" = "6" ]; then
190	echo "skipped -- IPv6 'limit' not supported by ufw yet"
191	else
192	- runcmd $exe -A $c -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ACCEPT
193	+ runcmd $exe -A $c -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ACCEPT
194	fi
195
196	echo -n "state (new, limit): "
197	- runcmd $exe -A $c -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j ACCEPT
198	+ runcmd $exe -A $c -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j ACCEPT
199
200	echo -n "interface (input): "
201	runcmd $exe -A $c -i eth0 -j ACCEPT

Lines 1-30 Link Here

(-)ufw.orig/Manifest (-17 lines)
1	-----BEGIN PGP SIGNED MESSAGE-----
2	Hash: SHA256
3
4	AUX rsyslog/ufw.logrotate 178 SHA256 02d1a00ca68446fbe056a4c3aede319f77b3262e26092cc04ea46de8923d03f8 SHA512 d381a34b23d8656c316af69c07d49042d6c4def4cea3e51367210bce20681376fd0259a95b6b9403171c5d80732927a8880f3d401e13e6f76b505324eecb146b WHIRLPOOL 10b63f8966ad7ad0894a18216a0102fc8a102b14c8f9fb468a4a8d61ae13b1ec3176c7bb9ffb852f8aaa4ac7874584a8f8f5a2d6e98fa3fb56f5945e9bd99139	1	AUX rsyslog/ufw.logrotate 178 SHA256 02d1a00ca68446fbe056a4c3aede319f77b3262e26092cc04ea46de8923d03f8 SHA512 d381a34b23d8656c316af69c07d49042d6c4def4cea3e51367210bce20681376fd0259a95b6b9403171c5d80732927a8880f3d401e13e6f76b505324eecb146b WHIRLPOOL 10b63f8966ad7ad0894a18216a0102fc8a102b14c8f9fb468a4a8d61ae13b1ec3176c7bb9ffb852f8aaa4ac7874584a8f8f5a2d6e98fa3fb56f5945e9bd99139
5	AUX syslog-ng/syslog-ng.example 381 SHA256 70a795c1b20e2cdef38565d74b9de042c6666f860a2fd1b3bdc6f31dd451bc68 SHA512 f48d2487679fe179ea216bb4259affbf5ab4c86725b45942581ada8dac24dd0c978f755182805ff5350ab169972fcee7bb54a6d14df760d4b5f62c485af1e49e WHIRLPOOL 44874c68257b6f9a53e7fd1affc6ccf2492d9ec09a4700a17239fb3e413e2dcf2ede87eafb1e253d965c27a1c5ead36c413c8c84ec3ed55f5cf2191b927aacbe	2	AUX syslog-ng/syslog-ng.example 381 SHA256 70a795c1b20e2cdef38565d74b9de042c6666f860a2fd1b3bdc6f31dd451bc68 SHA512 f48d2487679fe179ea216bb4259affbf5ab4c86725b45942581ada8dac24dd0c978f755182805ff5350ab169972fcee7bb54a6d14df760d4b5f62c485af1e49e WHIRLPOOL 44874c68257b6f9a53e7fd1affc6ccf2492d9ec09a4700a17239fb3e413e2dcf2ede87eafb1e253d965c27a1c5ead36c413c8c84ec3ed55f5cf2191b927aacbe
6	AUX syslog-ng/ufw.logrotate 269 SHA256 cddd86613bde19b45f0f935c65bb43721f69aefc14e7d629612b23ea3b5c5c97 SHA512 22d89f04b68a8b4deeb60aca263239255dd01b9c6e6d23a5d77514daf7bb9dc3910a28cfe9c606f70d2a50f0365bb19c3cf00c5859ee2630c00f0df451ee9c5d WHIRLPOOL 5da4f8c615667d829ea4eb318ec01b712adf69002dcf8c3df7deba8fa3e49e426b1c00e468805ba571ed2f2ce05fa81b7e2ac83e7231de3f3305d6ce190264e5	3	AUX syslog-ng/ufw.logrotate 269 SHA256 cddd86613bde19b45f0f935c65bb43721f69aefc14e7d629612b23ea3b5c5c97 SHA512 22d89f04b68a8b4deeb60aca263239255dd01b9c6e6d23a5d77514daf7bb9dc3910a28cfe9c606f70d2a50f0365bb19c3cf00c5859ee2630c00f0df451ee9c5d WHIRLPOOL 5da4f8c615667d829ea4eb318ec01b712adf69002dcf8c3df7deba8fa3e49e426b1c00e468805ba571ed2f2ce05fa81b7e2ac83e7231de3f3305d6ce190264e5
7	AUX ufw-0.31.1-conntrack.patch 9842 SHA256 e91af8e88c896fd2e05b4143f361a72bc8ae78c8ab0c5afb8a26ea416f7bb631 SHA512 c7fab58aec12f47a492e8ad94e2ffbb471daf6292b6c9272396754cc25a6d2a164f3c383fd7e933a0d624d55a5b4b7a385a1fd31ef74162b7e819284c25a4fd7 WHIRLPOOL 96aa69e0aad4df20b14231edda6434f95be144d302484ef71bec4b6d6d4518714a852d1844d5aa33eaa7845a70659ab42006881297eecc5237f7c93b3907af9b
8	AUX ufw-0.31.1-move-path.patch 7071 SHA256 88a7b20696b731bac01b3c5d88b0353842b1228d3239cfebe1f2a47c1bdb6768 SHA512 66382ded35437e563c874dc01417a2735a2aa136a1e670fd3707c3311516a6d9a0e62a20679a4f5dcaa2edc0225535cf2410d7f86676b1e10eb309ecc3e24bc2 WHIRLPOOL 89e3165900def8380cade3eb62fc351be9e43c8055f4b71c356f3aa5356b0c57154e18485d94e0ca86462da7c55b1b4755de379a88f1958d313b93c0ec723715	4	AUX ufw-0.31.1-move-path.patch 7071 SHA256 88a7b20696b731bac01b3c5d88b0353842b1228d3239cfebe1f2a47c1bdb6768 SHA512 66382ded35437e563c874dc01417a2735a2aa136a1e670fd3707c3311516a6d9a0e62a20679a4f5dcaa2edc0225535cf2410d7f86676b1e10eb309ecc3e24bc2 WHIRLPOOL 89e3165900def8380cade3eb62fc351be9e43c8055f4b71c356f3aa5356b0c57154e18485d94e0ca86462da7c55b1b4755de379a88f1958d313b93c0ec723715
9	AUX ufw-0.31.1-python-abis.patch 1872 SHA256 1e3094135d71e7e7129b2d268d79c73990f0a6f61f2bb6456d3f3654b4975463 SHA512 fbe65a6775426c66cd82382e62eea3a2179d68a0b6c617cc468e7076e2f58493baffde686b65e6bf3a89ea7fdda48a5a42d152b1be388c943408532f47d4402a WHIRLPOOL 62e68d1ef8aaa4963765599ca6701af18bcdef8f6a20607ce433b5294baa9c5ba75b3d41266d9a8bd82febe3a3ac75c6fcb2326fbc5cafa31634ec96a4407b10	5	AUX ufw-0.31.1-python-abis.patch 1872 SHA256 1e3094135d71e7e7129b2d268d79c73990f0a6f61f2bb6456d3f3654b4975463 SHA512 fbe65a6775426c66cd82382e62eea3a2179d68a0b6c617cc468e7076e2f58493baffde686b65e6bf3a89ea7fdda48a5a42d152b1be388c943408532f47d4402a WHIRLPOOL 62e68d1ef8aaa4963765599ca6701af18bcdef8f6a20607ce433b5294baa9c5ba75b3d41266d9a8bd82febe3a3ac75c6fcb2326fbc5cafa31634ec96a4407b10
10	AUX ufw-0.33-conntrack.patch 10055 SHA256 e034feba3bdeca0d4e9aed0555d88838e49804542174b988f9a7fbf8b8dc759d SHA512 7de6358ec0bf6696c4c26aab2729b9160e16ce44a67b5b634ad935fb4bf218b1b79d599f9d679f8f2a147861d865a098729fe3dbc0db110135bf5a78acfd6d53 WHIRLPOOL a3d543abf0ac1d6ca11a4754ab296c9e6f28809e8b746986524aa5d0e162f78d5a5abd586ff172618e8d79354c43429de3cc0b0e9a3d1bf91d662071c3cd2cfc
11	AUX ufw-0.33-dont-check-iptables.patch 1659 SHA256 8a3ae20d399e83aa9c779dfed1f65d99b277263681b1a3e7e9e86143d5fabd0a SHA512 8f92d4b79f1caf01cb97ec64014c7607a410fb0a36e5e87376707c026d714a060ae554591b6e5b3834b671acd4145dcca68a9373aa41051ef60c9dd409dd008d WHIRLPOOL 8f897654bde85d84b17dc32507c5a469fe04eb2201acb55bfd02a76346620399dbcb9c7d0ce19f48285f6eec5de0a5d96420483d6a0b7a4c31a41fa329f91180	6	AUX ufw-0.33-dont-check-iptables.patch 1659 SHA256 8a3ae20d399e83aa9c779dfed1f65d99b277263681b1a3e7e9e86143d5fabd0a SHA512 8f92d4b79f1caf01cb97ec64014c7607a410fb0a36e5e87376707c026d714a060ae554591b6e5b3834b671acd4145dcca68a9373aa41051ef60c9dd409dd008d WHIRLPOOL 8f897654bde85d84b17dc32507c5a469fe04eb2201acb55bfd02a76346620399dbcb9c7d0ce19f48285f6eec5de0a5d96420483d6a0b7a4c31a41fa329f91180
12	AUX ufw-2.initd 2722 SHA256 657b5305923b2a5de9eb96931aaaa28d6e997ace6c40793d905887798094258c SHA512 54cb84ae5ce2c327a7a7b03deeed3d7507a4716ce929aa563d4fb5baa9aa73d95575ec7d5db7165345310869bd5a60b1033c6691f02a85ab94baa6b4a550daa7 WHIRLPOOL c19a21c93f0c63165715e8da4ab9b16a4596ccc3730118c1bbd7eb4de9a94b2b1475904818a2786b2490a07dee7d761da28ca6dc087926c27598d691cb333ce6	7	AUX ufw-2.initd 2722 SHA256 657b5305923b2a5de9eb96931aaaa28d6e997ace6c40793d905887798094258c SHA512 54cb84ae5ce2c327a7a7b03deeed3d7507a4716ce929aa563d4fb5baa9aa73d95575ec7d5db7165345310869bd5a60b1033c6691f02a85ab94baa6b4a550daa7 WHIRLPOOL c19a21c93f0c63165715e8da4ab9b16a4596ccc3730118c1bbd7eb4de9a94b2b1475904818a2786b2490a07dee7d761da28ca6dc087926c27598d691cb333ce6
13	AUX ufw-dont-check-iptables.patch 1572 SHA256 2ea0f9525baa82386690577525631f468e56a0fbde0e7e5a65fba36c922ea96f SHA512 c072e924ed5c7df37d89dd9dc8ecb9a52f16fcd962a31d97f45cecefb971adcceabff183bec386be29f44942d12f8bce595ff4203e390ce464627458843b19cb WHIRLPOOL a1ee6799042353f32a1746b14017403994d60dc1ba7e67581ebdff3d93e37e72c7224708d2c0d1bef25ce311ad5c647cd5f0fa62ea4da60321e47f922f64c54d
14	AUX ufw.confd 219 SHA256 069aa7382b40aecebf26ef53f3f4c49890314e0357925c84b3c15f1d0b913be0 SHA512 a010532c97b9cf83f1fb5fa707228e0542a8b109c76e5942aaf2d6552c63e033d32e39e5a6ac87cb9e2ed4c3fdbc5d03c75127e6378665e592b143bc1eda52c7 WHIRLPOOL e6c4537392921c63f8a57fab7ea269fbeea846468ef8968816d988556557495e8abb77aee9d60648a1483a599683613cf5ea832cbcf498a8828baa9abcd31752	8	AUX ufw.confd 219 SHA256 069aa7382b40aecebf26ef53f3f4c49890314e0357925c84b3c15f1d0b913be0 SHA512 a010532c97b9cf83f1fb5fa707228e0542a8b109c76e5942aaf2d6552c63e033d32e39e5a6ac87cb9e2ed4c3fdbc5d03c75127e6378665e592b143bc1eda52c7 WHIRLPOOL e6c4537392921c63f8a57fab7ea269fbeea846468ef8968816d988556557495e8abb77aee9d60648a1483a599683613cf5ea832cbcf498a8828baa9abcd31752
15	AUX ufw.service 329 SHA256 1c600d9b9425485a0536fdf77a39fbf94bfcaade686789d6c4f3f1aac08ffe69 SHA512 a365e704ca958c83c86f8a6b1623ce3f9ad72dcfb0cfc7758bfc787e0877f897ccf8b200db83df17130ca5dcc54f938178b8cabfe3ee0c0896c814ee7d2439c7 WHIRLPOOL a00069a5582b9c52b5ff9a9c88b03294140dd06596ea0fbcbd0e7f6de016b1eed97840728c932a82f18762c84c9e8849f86ee504b49931420f2d097bb9b0ebd6	9	AUX ufw.service 329 SHA256 1c600d9b9425485a0536fdf77a39fbf94bfcaade686789d6c4f3f1aac08ffe69 SHA512 a365e704ca958c83c86f8a6b1623ce3f9ad72dcfb0cfc7758bfc787e0877f897ccf8b200db83df17130ca5dcc54f938178b8cabfe3ee0c0896c814ee7d2439c7 WHIRLPOOL a00069a5582b9c52b5ff9a9c88b03294140dd06596ea0fbcbd0e7f6de016b1eed97840728c932a82f18762c84c9e8849f86ee504b49931420f2d097bb9b0ebd6
16	DIST ufw-0.31.1.tar.gz 322448 SHA256 ccf5e00aa76841b9467ad9506fbf96373fb24a4b26bffd858ea1eb2522491dcb SHA512 3c9e61be7ba18ccdbd8195517f0b74a418b460f91b6efcdf0d883fc1dca2bc376ee317836882b67d2fd4825c2e5374d9c6a5da3d77f98794b64c98071d3ac0dc WHIRLPOOL 35064e73f892d6a94413f3560f5f0af945c972b673da4980af0a60576cc641810a74d76ed196935abaf9c2b395c2cc7250b6d27e710e284cbf2df014a6f0820d
17	DIST ufw-0.33.tar.gz 332893 SHA256 5f85a8084ad3539b547bec097286948233188c971f498890316dec170bdd1da8 SHA512 a908d0a2c74bedef418b28f1701048bc9281f314ff747fb1e9497ddee341dbf86402215c470b605523b03a12b2dec812cd7342c310c04231dbed5b6f8e783309 WHIRLPOOL bdd09fbdc2514061b6971e06fa05d6fee04e29c2cecf0c12b237349071e88d188aa8a7bd5c54f5cf3cccd4ddf8d2e3d2bb6ed0db92538b7d76cea471d74848c1
18	DIST ufw-0.34_pre805.tar.gz 335875 SHA256 a78693da04720f9f7eb463447b940eed18c3e2c20d3de336ebf9bf821dfdac2f SHA512 b8bba3bb8c423070d6434d1df7274423edf3a356415f54c6448fa0ff2d13a4b2ac21c4bb627cba01d6955b04f793eeaf2fc535c6221e7de48f11bef745035263 WHIRLPOOL 5e5238925d928e883c9869b3b72a7a04ad18352ebbcb5fead9b14c7bb5225f1bbae613d9117ceb5e9d435e1ca1f1d0d033bbdf673896990eda5efcb7a7d04829	10	DIST ufw-0.34_pre805.tar.gz 335875 SHA256 a78693da04720f9f7eb463447b940eed18c3e2c20d3de336ebf9bf821dfdac2f SHA512 b8bba3bb8c423070d6434d1df7274423edf3a356415f54c6448fa0ff2d13a4b2ac21c4bb627cba01d6955b04f793eeaf2fc535c6221e7de48f11bef745035263 WHIRLPOOL 5e5238925d928e883c9869b3b72a7a04ad18352ebbcb5fead9b14c7bb5225f1bbae613d9117ceb5e9d435e1ca1f1d0d033bbdf673896990eda5efcb7a7d04829
19	EBUILD ufw-0.31.1-r2.ebuild 5587 SHA256 8ff4d7fcf67686d85b18cc094c19c7625d9e980f3c6747cca04c796c3c997e3a SHA512 ecea06b997f91cbed3500e84678c65a3ecd6eca9acfc877888ddabf6d4cbefd95a8f8c66f5f9185c5d4a06d92a31b7780bc4adfaefffb4ec4b6907d49fb2edbb WHIRLPOOL da35894ce419296a4ad415f05f84fbdea701200be55bcf8acd975a040fa6e1eb983d6e27f2ee31290e6c7b30803d19accf2470015aa4c331ee3d1615dab09903
20	EBUILD ufw-0.33-r2.ebuild 5665 SHA256 77e14c04d236925a4608a55307dea92c137583a304d4cf685f87bcc114b3f26d SHA512 4614dcb6fd4f8d102fe344e7eac1f46d0c8ea8ed7153edd67111aab58e1f8c9ac37208da7fd5472dc6bad0081788d181e4062d58481f963663e9c9bc0993e043 WHIRLPOOL 6711f39ca765009e1a545787b18e11b67ec92a4dd11245c753b636c7ea865dbbbbd974fb542532f26a3dc119c0db0a3dc929549109b4b8fc5a6e76700c1ccdee
21	EBUILD ufw-0.34_pre805.ebuild 5415 SHA256 2a5191348122b729d4cefccb4f65e9714c704e61afff25dcedc530e12284c5a2 SHA512 378e32a0e135eafc33cb2134a26a0fa9590b86d9abd8008bb7086d0739a0e106f36cc127069d5145659dce9607734b6344804dc0b3914ae7efdc867885c1b504 WHIRLPOOL 13cdf52c7824fd06d407e0e3bd8333fda9dc7f6af2164b6cfe1ed95fab4ddf313df347c86793ee9e4d26b805bcd7118e4c38cce4cee2041ea5fe15900f51a788	11	EBUILD ufw-0.34_pre805.ebuild 5415 SHA256 2a5191348122b729d4cefccb4f65e9714c704e61afff25dcedc530e12284c5a2 SHA512 378e32a0e135eafc33cb2134a26a0fa9590b86d9abd8008bb7086d0739a0e106f36cc127069d5145659dce9607734b6344804dc0b3914ae7efdc867885c1b504 WHIRLPOOL 13cdf52c7824fd06d407e0e3bd8333fda9dc7f6af2164b6cfe1ed95fab4ddf313df347c86793ee9e4d26b805bcd7118e4c38cce4cee2041ea5fe15900f51a788
22	MISC ChangeLog 3412 SHA256 e40b5094a14577b02edf32e128c1007ffb3ed1e3428fd92752746bddd4031cfc SHA512 891a4f1369ae1926e65f4744544142f70c7ebb7ec9d1ac4d9f421f9c848e863743b2b593447c16b67bc30f1bb55b8ffae65e0d297344e09142cc0d36ffa1b536 WHIRLPOOL c360c1bb16cec63b6b8bcae25d5959427bcac9ac82186ab1f4b585c26ae0771179a026f8112e7ed9672cc6364d612a3a866e20180aeb65c6e4d592574309ac53	12	MISC ChangeLog 3412 SHA256 e40b5094a14577b02edf32e128c1007ffb3ed1e3428fd92752746bddd4031cfc SHA512 891a4f1369ae1926e65f4744544142f70c7ebb7ec9d1ac4d9f421f9c848e863743b2b593447c16b67bc30f1bb55b8ffae65e0d297344e09142cc0d36ffa1b536 WHIRLPOOL c360c1bb16cec63b6b8bcae25d5959427bcac9ac82186ab1f4b585c26ae0771179a026f8112e7ed9672cc6364d612a3a866e20180aeb65c6e4d592574309ac53
23	MISC metadata.xml 568 SHA256 0fea99101adbd93b9a644642cf668a7cb5d6392c840b66b4c8aca504985c4033 SHA512 5ac4c205a5df4c0bf11f22d442457c5a50535ebf007fb01bb07e9480f9d854eb053bdd220519e37e0602e1d3ec0043bab7e1865bf9c2e8339b76538719285e96 WHIRLPOOL 122348f9b736392521b10685d03ce3105abec78c8a1378ed1e1b86f9bf6097b1b6be66ce172e1cc92e813c21c8722a4f44e52ee63bfd2c327c9e2c844faf1d13	13	MISC metadata.xml 568 SHA256 0fea99101adbd93b9a644642cf668a7cb5d6392c840b66b4c8aca504985c4033 SHA512 5ac4c205a5df4c0bf11f22d442457c5a50535ebf007fb01bb07e9480f9d854eb053bdd220519e37e0602e1d3ec0043bab7e1865bf9c2e8339b76538719285e96 WHIRLPOOL 122348f9b736392521b10685d03ce3105abec78c8a1378ed1e1b86f9bf6097b1b6be66ce172e1cc92e813c21c8722a4f44e52ee63bfd2c327c9e2c844faf1d13
24	-----BEGIN PGP SIGNATURE-----
25	Version: GnuPG v2.0.19 (GNU/Linux)
26
27	iEYEAREIAAYFAlGZ51wACgkQfaj9zK3JFuU8agCfaSghPqtPnfhwkx1lEMazNSq5
28	iyEAnjHVFS+FmCLVkeQ5tpq6WzXjjixH
29	=Uc3e
30	-----END PGP SIGNATURE-----

Lines 1-179 Link Here

(-)ufw.orig/ufw-0.31.1-r2.ebuild (-179 lines)
1	# Copyright 1999-2013 Gentoo Foundation
2	# Distributed under the terms of the GNU General Public License v2
3	# $Header: /var/cvsroot/gentoo-x86/net-firewall/ufw/ufw-0.31.1-r2.ebuild,v 1.2 2013/05/20 09:05:50 lxnay Exp $
4
5	EAPI=4
6	PYTHON_DEPEND="2:2.5"
7	SUPPORT_PYTHON_ABIS="1"
8	RESTRICT_PYTHON_ABIS="3.* *-jython"
9
10	inherit versionator bash-completion-r1 eutils linux-info distutils systemd
11
12	MY_PV_12=$(get_version_component_range 1-2)
13	DESCRIPTION="A program used to manage a netfilter firewall"
14	HOMEPAGE="http://launchpad.net/ufw"
15	SRC_URI="http://launchpad.net/ufw/${MY_PV_12}/${PV}/+download/${P}.tar.gz"
16
17	LICENSE="GPL-3"
18	SLOT="0"
19	KEYWORDS="~amd64 ~x86"
20	IUSE="examples ipv6"
21
22	DEPEND="sys-devel/gettext"
23	RDEPEND=">=net-firewall/iptables-1.4[ipv6?]
24	!<kde-misc/kcm-ufw-0.4.2
25	!<net-firewall/ufw-frontends-0.3.2
26	"
27
28	# tests fail; upstream bug: https://bugs.launchpad.net/ufw/+bug/815982
29	RESTRICT="test"
30
31	pkg_pretend() {
32	local CONFIG_CHECK="~PROC_FS
33	~NETFILTER_XT_MATCH_COMMENT ~NETFILTER_XT_MATCH_HL
34	~NETFILTER_XT_MATCH_LIMIT ~NETFILTER_XT_MATCH_MULTIPORT
35	~NETFILTER_XT_MATCH_RECENT ~NETFILTER_XT_MATCH_STATE"
36
37	if kernel_is -ge 2 6 39; then
38	CONFIG_CHECK+=" ~NETFILTER_XT_MATCH_ADDRTYPE"
39	else
40	CONFIG_CHECK+=" ~IP_NF_MATCH_ADDRTYPE"
41	fi
42
43	check_extra_config
44
45	# Check for default, useful optional features.
46	if ! linux_config_exists; then
47	ewarn "Cannot determine configuration of your kernel."
48	return
49	fi
50
51	local nf_nat_ftp_ok="yes"
52	local nf_conntrack_ftp_ok="yes"
53	local nf_conntrack_netbios_ns_ok="yes"
54
55	linux_chkconfig_present \
56	NF_NAT_FTP \|\| nf_nat_ftp_ok="no"
57	linux_chkconfig_present \
58	NF_CONNTRACK_FTP \|\| nf_conntrack_ftp_ok="no"
59	linux_chkconfig_present \
60	NF_CONNTRACK_NETBIOS_NS \|\| nf_conntrack_netbios_ns_ok="no"
61
62	# This is better than an essay for each unset option...
63	if [[ ${nf_nat_ftp_ok} = no ]] \|\| [[ ${nf_conntrack_ftp_ok} = no ]] \
64	\|\| [[ ${nf_conntrack_netbios_ns_ok} = no ]]
65	then
66	echo
67	local mod_msg="Kernel options listed below are not set. They are not"
68	mod_msg+=" mandatory, but they are often useful."
69	mod_msg+=" If you don't need some of them, please remove relevant"
70	mod_msg+=" module name(s) from IPT_MODULES in"
71	mod_msg+=" '${EROOT}etc/default/ufw' before (re)starting ufw."
72	mod_msg+=" Otherwise ufw may fail to start!"
73	ewarn "${mod_msg}"
74	if [[ ${nf_nat_ftp_ok} = no ]]; then
75	ewarn "NF_NAT_FTP: for better support for active mode FTP."
76	fi
77	if [[ ${nf_conntrack_ftp_ok} = no ]]; then
78	ewarn "NF_CONNTRACK_FTP: for better support for active mode FTP."
79	fi
80	if [[ ${nf_conntrack_netbios_ns_ok} = no ]]; then
81	ewarn "NF_CONNTRACK_NETBIOS_NS: for better Samba support."
82	fi
83	fi
84	}
85
86	src_prepare() {
87	# Remove warning about 'state' being obsolete in iptables 1.4.16.2.
88	epatch "${FILESDIR}"/${P}-conntrack.patch
89	# Allow to remove unnecessary build time dependency
90	# on net-firewall/iptables.
91	epatch "${FILESDIR}"/${PN}-dont-check-iptables.patch
92	# Move files away from /lib/ufw.
93	epatch "${FILESDIR}"/${P}-move-path.patch
94	# Contains fixes related to SUPPORT_PYTHON_ABIS="1" (see comment in the
95	# file).
96	epatch "${FILESDIR}"/${P}-python-abis.patch
97
98	# Set as enabled by default. User can enable or disable
99	# the service by adding or removing it to/from a runlevel.
100	sed -i 's/^ENABLED=no/ENABLED=yes/' conf/ufw.conf \
101	\|\| die "sed failed (ufw.conf)"
102
103	sed -i "s/^IPV6=yes/IPV6=$(usex ipv6)/" conf/ufw.defaults \|\| die
104
105	# If LINGUAS is set install selected translations only.
106	if [[ -n ${LINGUAS+set} ]]; then
107	_EMPTY_LOCALE_LIST="yes"
108	pushd locales/po > /dev/null \|\| die
109
110	local lang
111	for lang in *.po; do
112	if ! has "${lang%.po}" ${LINGUAS}; then
113	rm "${lang}" \|\| die
114	else
115	_EMPTY_LOCALE_LIST="no"
116	fi
117	done
118
119	popd > /dev/null \|\| die
120	else
121	_EMPTY_LOCALE_LIST="no"
122	fi
123	}
124
125	src_install() {
126	newconfd "${FILESDIR}"/ufw.confd ufw
127	newinitd "${FILESDIR}"/ufw-2.initd ufw
128	systemd_dounit "${FILESDIR}/ufw.service"
129
130	exeinto /usr/share/${PN}
131	doexe tests/check-requirements
132
133	# users normally would want it
134	insinto /usr/share/doc/${PF}/logging/syslog-ng
135	doins "${FILESDIR}"/syslog-ng/*
136
137	insinto /usr/share/doc/${PF}/logging/rsyslog
138	doins "${FILESDIR}"/rsyslog/*
139	doins doc/rsyslog.example
140
141	if use examples; then
142	insinto /usr/share/doc/${PF}/examples
143	doins examples/*
144	fi
145	distutils_src_install
146	[[ $_EMPTY_LOCALE_LIST != yes ]] && domo locales/mo/*.mo
147	newbashcomp shell-completion/bash ${PN}
148	}
149
150	pkg_postinst() {
151	distutils_pkg_postinst
152	if [[ -z ${REPLACING_VERSIONS} ]]; then
153	echo
154	elog "To enable ufw, add it to boot sequence and activate it:"
155	elog "-- # rc-update add ufw boot"
156	elog "-- # /etc/init.d/ufw start"
157	echo
158	elog "If you want to keep ufw logs in a separate file, take a look at"
159	elog "/usr/share/doc/${PF}/logging."
160	fi
161	# Make sure it gets displayed also when one downgrades from >= 0.33*,
162	# because this message isn't displayed for 0.33* (and possibly newer
163	# ones in the future) as it's not relevant there.
164	if [[ -z ${REPLACING_VERSIONS} ]] \
165	\|\| [[ ${REPLACING_VERSIONS} = 0.33 ]] \
166	\|\| [[ ${REPLACING_VERSIONS} > 0.33 ]] \
167	\|\| [[ ${REPLACING_VERSIONS} < 0.31.1-r2 ]]
168	then
169	echo
170	elog "Starting from ufw-0.31.1-r2, /usr/share/ufw/check-requirements"
171	elog "script is installed. It is useful for debugging problems with"
172	elog "ufw. However one should keep in mind that the script assumes"
173	elog "IPv6 is enabled on kernel and net-firewall/iptables,"
174	elog "and fails when it's not."
175	fi
176	echo
177	ewarn "Note: once enabled, ufw blocks also incoming SSH connections by"
178	ewarn "default. See README, Remote Management section for more information."
179	}

Lines 1-184 Link Here

(-)ufw.orig/ufw-0.33-r2.ebuild (-184 lines)
1	# Copyright 1999-2013 Gentoo Foundation
2	# Distributed under the terms of the GNU General Public License v2
3	# $Header: /var/cvsroot/gentoo-x86/net-firewall/ufw/ufw-0.33-r2.ebuild,v 1.2 2013/05/20 09:05:50 lxnay Exp $
4
5	EAPI=4
6	PYTHON_DEPEND="2:2.6 3:3.1"
7	SUPPORT_PYTHON_ABIS="1"
8	RESTRICT_PYTHON_ABIS="2.5 *-jython"
9
10	inherit versionator bash-completion-r1 eutils linux-info distutils systemd
11
12	MY_PV_12=$(get_version_component_range 1-2)
13	DESCRIPTION="A program used to manage a netfilter firewall"
14	HOMEPAGE="http://launchpad.net/ufw"
15	SRC_URI="http://launchpad.net/ufw/${MY_PV_12}/${PV}/+download/${P}.tar.gz"
16
17	LICENSE="GPL-3"
18	SLOT="0"
19	KEYWORDS="~amd64 ~x86"
20	IUSE="examples"
21
22	DEPEND="sys-devel/gettext"
23	# ipv6 forced: bug 437266
24	RDEPEND=">=net-firewall/iptables-1.4[ipv6]
25	!<kde-misc/kcm-ufw-0.4.2
26	!<net-firewall/ufw-frontends-0.3.2
27	"
28
29	# tests fail; upstream bug: https://bugs.launchpad.net/ufw/+bug/815982
30	RESTRICT="test"
31
32	pkg_pretend() {
33	local CONFIG_CHECK="~PROC_FS
34	~NETFILTER_XT_MATCH_COMMENT ~NETFILTER_XT_MATCH_HL
35	~NETFILTER_XT_MATCH_LIMIT ~NETFILTER_XT_MATCH_MULTIPORT
36	~NETFILTER_XT_MATCH_RECENT ~NETFILTER_XT_MATCH_STATE"
37
38	if kernel_is -ge 2 6 39; then
39	CONFIG_CHECK+=" ~NETFILTER_XT_MATCH_ADDRTYPE"
40	else
41	CONFIG_CHECK+=" ~IP_NF_MATCH_ADDRTYPE"
42	fi
43
44	check_extra_config
45
46	# Check for default, useful optional features.
47	if ! linux_config_exists; then
48	ewarn "Cannot determine configuration of your kernel."
49	return
50	fi
51
52	if ! linux_chkconfig_present IPV6; then
53	echo
54	ewarn "This version of ufw requires that IPv6 is enabled."
55	ewarn "If you don't want it, install ${CATEGORY}/${PN}-0.31.1."
56	ewarn "More information can be found in bug 437266."
57	fi
58
59	local nf_nat_ftp_ok="yes"
60	local nf_conntrack_ftp_ok="yes"
61	local nf_conntrack_netbios_ns_ok="yes"
62
63	linux_chkconfig_present \
64	NF_NAT_FTP \|\| nf_nat_ftp_ok="no"
65	linux_chkconfig_present \
66	NF_CONNTRACK_FTP \|\| nf_conntrack_ftp_ok="no"
67	linux_chkconfig_present \
68	NF_CONNTRACK_NETBIOS_NS \|\| nf_conntrack_netbios_ns_ok="no"
69
70	# This is better than an essay for each unset option...
71	if [[ ${nf_nat_ftp_ok} = no ]] \|\| [[ ${nf_conntrack_ftp_ok} = no ]] \
72	\|\| [[ ${nf_conntrack_netbios_ns_ok} = no ]]
73	then
74	echo
75	local mod_msg="Kernel options listed below are not set. They are not"
76	mod_msg+=" mandatory, but they are often useful."
77	mod_msg+=" If you don't need some of them, please remove relevant"
78	mod_msg+=" module name(s) from IPT_MODULES in"
79	mod_msg+=" '${EROOT}etc/default/ufw' before (re)starting ufw."
80	mod_msg+=" Otherwise ufw may fail to start!"
81	ewarn "${mod_msg}"
82	if [[ ${nf_nat_ftp_ok} = no ]]; then
83	ewarn "NF_NAT_FTP: for better support for active mode FTP."
84	fi
85	if [[ ${nf_conntrack_ftp_ok} = no ]]; then
86	ewarn "NF_CONNTRACK_FTP: for better support for active mode FTP."
87	fi
88	if [[ ${nf_conntrack_netbios_ns_ok} = no ]]; then
89	ewarn "NF_CONNTRACK_NETBIOS_NS: for better Samba support."
90	fi
91	fi
92	}
93
94	src_prepare() {
95	# Remove warning about 'state' being obsolete in iptables 1.4.16.2.
96	epatch "${FILESDIR}"/${P}-conntrack.patch
97	# Allow to remove unnecessary build time dependency
98	# on net-firewall/iptables.
99	epatch "${FILESDIR}"/${P}-dont-check-iptables.patch
100	# Move files away from /lib/ufw.
101	epatch "${FILESDIR}"/${PN}-0.31.1-move-path.patch
102	# Contains fixes related to SUPPORT_PYTHON_ABIS="1" (see comment in the
103	# file).
104	epatch "${FILESDIR}"/${PN}-0.31.1-python-abis.patch
105
106	# Set as enabled by default. User can enable or disable
107	# the service by adding or removing it to/from a runlevel.
108	sed -i 's/^ENABLED=no/ENABLED=yes/' conf/ufw.conf \
109	\|\| die "sed failed (ufw.conf)"
110
111	#sed -i "s/^IPV6=yes/IPV6=$(usex ipv6)/" conf/ufw.defaults \|\| die
112
113	# If LINGUAS is set install selected translations only.
114	if [[ -n ${LINGUAS+set} ]]; then
115	_EMPTY_LOCALE_LIST="yes"
116	pushd locales/po > /dev/null \|\| die
117
118	local lang
119	for lang in *.po; do
120	if ! has "${lang%.po}" ${LINGUAS}; then
121	rm "${lang}" \|\| die
122	else
123	_EMPTY_LOCALE_LIST="no"
124	fi
125	done
126
127	popd > /dev/null \|\| die
128	else
129	_EMPTY_LOCALE_LIST="no"
130	fi
131	}
132
133	src_install() {
134	newconfd "${FILESDIR}"/ufw.confd ufw
135	newinitd "${FILESDIR}"/ufw-2.initd ufw
136	systemd_dounit "${FILESDIR}/ufw.service"
137
138	exeinto /usr/share/${PN}
139	doexe tests/check-requirements
140
141	# users normally would want it
142	insinto /usr/share/doc/${PF}/logging/syslog-ng
143	doins "${FILESDIR}"/syslog-ng/*
144
145	insinto /usr/share/doc/${PF}/logging/rsyslog
146	doins "${FILESDIR}"/rsyslog/*
147	doins doc/rsyslog.example
148
149	if use examples; then
150	insinto /usr/share/doc/${PF}/examples
151	doins examples/*
152	fi
153	distutils_src_install
154	[[ $_EMPTY_LOCALE_LIST != yes ]] && domo locales/mo/*.mo
155	newbashcomp shell-completion/bash ${PN}
156	}
157
158	pkg_postinst() {
159	distutils_pkg_postinst
160	if [[ -z ${REPLACING_VERSIONS} ]]; then
161	echo
162	elog "To enable ufw, add it to boot sequence and activate it:"
163	elog "-- # rc-update add ufw boot"
164	elog "-- # /etc/init.d/ufw start"
165	echo
166	elog "If you want to keep ufw logs in a separate file, take a look at"
167	elog "/usr/share/doc/${PF}/logging."
168	fi
169	if [[ -z ${REPLACING_VERSIONS} ]] \
170	\|\| [[ ${REPLACING_VERSIONS} < 0.33-r2 ]];
171	then
172	# etc-update etc. should show when the file needs updating
173	# but let's inform about the change
174	echo
175	elog "Because of bug 437266 this version doesn't have ipv6 USE"
176	elog "flag, so in case it's needed, please adjust 'IPV6' setting"
177	elog "in /etc/default/ufw manually. (IPv6 is enabled there by default.)"
178	# TODO: add message about check-requirements script when this
179	# bug is fixed
180	fi
181	echo
182	ewarn "Note: once enabled, ufw blocks also incoming SSH connections by"
183	ewarn "default. See README, Remote Management section for more information."
184	}