
Bug 895484

Summary: net-vpn/libreswan: should have "iptables" and "nftables" USE flags
Product: Gentoo Linux
Reporter: Maciej S. Szmigiero <mail>
Component: Current packages
Assignee: Hans de Graaff <graaff>
Status: UNCONFIRMED ---
Severity: normal
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Maciej S. Szmigiero 2023-02-20 00:14:59 UTC
Running the net-vpn/libreswan init script (/etc/init.d/ipsec start) gives me the following error:
> * Starting ipsec ...
> /usr/sbin/ipsec: line 171: iptables: command not found

This is because this system doesn't have iptables installed.

The Libreswan upstream build system supports choosing the firewall implementation by setting either the "HAVE_NFTABLES" or the "HAVE_IPTABLES" build-time variable.

The net-vpn/libreswan ebuild doesn't set either, so "HAVE_IPTABLES" gets enabled by default [1].
On systems without iptables installed, this gives the aforementioned error.

Instead, the net-vpn/libreswan ebuild should have "iptables" and "nftables" USE flags for selecting the preferred implementation at emerge time.

Note that it has recently become possible to have both firewall implementations disabled for Libreswan [2].


[1]: https://github.com/libreswan/libreswan/blob/085907fa9786d6afdb0b612565d0b9b0b7a0db0c/mk/defaults/linux.mk#L110
[2]: https://github.com/libreswan/libreswan/commit/bddc2be2a9f3d2d20880defea501adfdc3891747