1 # Copyright 1999-2020 Gentoo Authors
2 # Distributed under the terms of the GNU General Public License v2
# Python implementations the package is built for: 2.7 and 3.6 only.
# NOTE(review): both are end-of-life upstream; confirm newer targets on the next bump.
6 PYTHON_COMPAT=( python{2_7,3_6} )
7 DISTUTILS_IN_SOURCE_BUILD=1
# Eclasses providing the helpers used further down (bash completion, distutils,
# kernel configuration checks, systemd unit installation).
9 inherit bash-completion-r1 distutils-r1 eutils linux-info systemd
11 DESCRIPTION="A program used to manage a netfilter firewall"
12 HOMEPAGE="https://launchpad.net/ufw"
# Release tarball, fetched over HTTPS from Launchpad.
# NOTE(review): HTTPS protects the transfer only; the tarball's integrity presumably
# rests on the checksums recorded in the package Manifest -- confirm an entry exists
# for ${P}.tar.gz.
13 SRC_URI="https://launchpad.net/ufw/${PV}/${PV}/+download/${P}.tar.gz"
17 KEYWORDS="amd64 ia64 ppc ppc64 sparc x86"
# Runtime: iptables >= 1.4, with its ipv6 USE flag required when this package's ipv6
# flag is on; the two "!<" entries block older kcm-ufw and ufw-frontends releases.
22 RDEPEND=">=net-firewall/iptables-1.4[ipv6?]
23 !<kde-misc/kcm-ufw-0.4.2
24 !<net-firewall/ufw-frontends-0.3.2"
# Build-time only: gettext.
26 BDEPEND="sys-devel/gettext"
# NOTE(review): the upstream test suite is reported as failing (bug linked below), so
# the four local patches listed next presumably get no automated check at build time
# -- confirm how changes to them are validated.
28 # tests fail; upstream bug: https://bugs.launchpad.net/ufw/+bug/815982
32 # Move files away from /lib/ufw.
33 "${FILESDIR}/${P}-move-path.patch"
34 # Remove unnecessary build time dependency on net-firewall/iptables.
35 "${FILESDIR}/${P}-dont-check-iptables.patch"
36 # Remove shebang modification.
37 "${FILESDIR}/${P}-shebang.patch"
38 # Fix bash completions, bug #526300
39 "${FILESDIR}/${P}-bash-completion.patch"
# Kernel configuration checks. CONFIG_CHECK collects the netfilter options ufw relies on.
# NOTE(review): the leading "~" presumably marks each option as advisory (warn rather
# than abort), per the linux-info eclass convention -- confirm. The enclosing function
# header and the call that evaluates CONFIG_CHECK are not visible in this listing.
43 local CONFIG_CHECK="~PROC_FS
44 ~NETFILTER_XT_MATCH_COMMENT ~NETFILTER_XT_MATCH_HL
45 ~NETFILTER_XT_MATCH_LIMIT ~NETFILTER_XT_MATCH_MULTIPORT
46 ~NETFILTER_XT_MATCH_RECENT ~NETFILTER_XT_MATCH_STATE"
# The addrtype match has a different option name from kernel 2.6.39 on; the second
# assignment is presumably the else branch for older kernels (else/fi not visible).
48 if kernel_is -ge 2 6 39; then
49 CONFIG_CHECK+=" ~NETFILTER_XT_MATCH_ADDRTYPE"
51 CONFIG_CHECK+=" ~IP_NF_MATCH_ADDRTYPE"
# Same pattern for the LOG target, split at kernel 3.4; the IPv6 variant is only
# added when the ipv6 USE flag is enabled.
54 # https://bugs.launchpad.net/ufw/+bug/1076050
55 if kernel_is -ge 3 4; then
56 CONFIG_CHECK+=" ~NETFILTER_XT_TARGET_LOG"
58 CONFIG_CHECK+=" ~IP_NF_TARGET_LOG"
59 use ipv6 && CONFIG_CHECK+=" ~IP6_NF_TARGET_LOG"
# The REJECT target is added in both visible cases; its IPv6 variant follows the USE flag.
62 CONFIG_CHECK+=" ~IP_NF_TARGET_REJECT"
63 use ipv6 && CONFIG_CHECK+=" ~IP6_NF_TARGET_REJECT"
67 # Check for default, useful optional features.
# Without a readable kernel configuration the optional checks below cannot be answered.
68 if ! linux_config_exists; then
69 ewarn "Cannot determine configuration of your kernel."
# One flag per optional conntrack/NAT helper: starts as "yes" and is set to "no"
# when linux_chkconfig_present reports the option as not present.
73 local nf_nat_ftp_ok="yes"
74 local nf_conntrack_ftp_ok="yes"
75 local nf_conntrack_netbios_ns_ok="yes"
77 linux_chkconfig_present \
78 NF_NAT_FTP || nf_nat_ftp_ok="no"
79 linux_chkconfig_present \
80 NF_CONNTRACK_FTP || nf_conntrack_ftp_ok="no"
81 linux_chkconfig_present \
82 NF_CONNTRACK_NETBIOS_NS || nf_conntrack_netbios_ns_ok="no"
84 # This is better than an essay for each unset option...
85 if [[ "${nf_nat_ftp_ok}" == "no" ]] || \
86 [[ "${nf_conntrack_ftp_ok}" == "no" ]] || \
87 [[ "${nf_conntrack_netbios_ns_ok}" == "no" ]]; then
# One shared explanation for all missing options: the matching module names have to be
# removed from IPT_MODULES in /etc/default/ufw, otherwise ufw may fail to start.
# NOTE(review): a firewall that fails to start presumably leaves the host without the
# intended ruleset, so this message should reach the admin -- the statement that prints
# mod_msg is not visible in this listing; confirm it is emitted.
89 local mod_msg="Kernel options listed below are not set. They are not"
90 mod_msg+=" mandatory, but they are often useful."
91 mod_msg+=" If you don't need some of them, please remove relevant"
92 mod_msg+=" module name(s) from IPT_MODULES in"
93 mod_msg+=" '${EROOT}/etc/default/ufw' before (re)starting ufw."
94 mod_msg+=" Otherwise ufw may fail to start!"
# One warning line per option that was found missing.
96 if [[ "${nf_nat_ftp_ok}" == "no" ]]; then
97 ewarn "NF_NAT_FTP: for better support for active mode FTP."
99 if [[ "${nf_conntrack_ftp_ok}" == "no" ]]; then
100 ewarn "NF_CONNTRACK_FTP: for better support for active mode FTP."
102 if [[ "${nf_conntrack_netbios_ns_ok}" == "no" ]]; then
103 ewarn "NF_CONNTRACK_NETBIOS_NS: for better Samba support."
# Prepares the unpacked source: edits the shipped defaults, prunes translations that
# were not requested, then hands over to the distutils-r1 implementation.
# Globals: writes _EMPTY_LOCALE_LIST (not declared local), which python_install_all reads.
108 python_prepare_all() {
# NOTE(review): security-relevant default. With ENABLED=yes shipped, the firewall policy
# applies as soon as the service is started; the post-install notice in this file states
# that incoming SSH is blocked by default, so a remotely managed host needs its allow
# rule in place before the first start.
109 # Set as enabled by default. User can enable or disable
110 # the service by adding or removing it to/from a runlevel.
111 sed -i 's/^ENABLED=no/ENABLED=yes/' conf/ufw.conf \
112 || die "sed failed (ufw.conf)"
# The IPV6 default follows the ipv6 USE flag (usex prints "yes" or "no").
# NOTE(review): with IPV6=no ufw presumably manages no IPv6 rules; on a host that still
# has IPv6 connectivity that traffic would be outside the policy -- confirm.
114 sed -i "s/^IPV6=yes/IPV6=$(usex ipv6)/" conf/ufw.defaults || die
116 # If LINGUAS is set install selected translations only.
# ${LINGUAS+set} is non-empty whenever LINGUAS is defined, even when it is empty.
117 if [[ -n ${LINGUAS+set} ]]; then
118 _EMPTY_LOCALE_LIST="yes"
119 pushd locales/po > /dev/null || die
# LINGUAS is left unquoted on purpose so that "has" receives one word per language.
# The loop header and the branch taken for unselected languages are not visible here.
123 if ! has "${lang%.po}" ${LINGUAS}; then
# At least one translation matched, so the locale list is not empty.
126 _EMPTY_LOCALE_LIST="no"
130 popd > /dev/null || die
# Presumably the branch for LINGUAS being unset (the else line is not visible).
132 _EMPTY_LOCALE_LIST="no"
135 distutils-r1_python_prepare_all
# Installs the distribution-specific files around the Python package: service
# definitions, the check-requirements helper, logging examples, bash completion and
# translations, then runs the distutils-r1 implementation.
# Globals: reads _EMPTY_LOCALE_LIST, set in python_prepare_all.
138 python_install_all() {
# conf.d file, OpenRC init script and systemd unit, all taken from FILESDIR.
139 newconfd "${FILESDIR}"/ufw.confd ufw
140 newinitd "${FILESDIR}"/ufw-2.initd ufw
141 systemd_dounit "${FILESDIR}/ufw.service"
# Upstream's check-requirements script is installed as an executable under /usr/share/${PN}.
143 exeinto /usr/share/${PN}
144 doexe tests/check-requirements
# Example logger configurations, installed as documentation only.
146 # users normally would want it
147 insinto "/usr/share/doc/${PF}/logging/syslog-ng"
148 doins -r "${FILESDIR}"/syslog-ng/*
150 insinto "/usr/share/doc/${PF}/logging/rsyslog"
151 doins -r "${FILESDIR}"/rsyslog/*
152 doins doc/rsyslog.example
# With the examples USE flag, the target directory is switched to the examples path;
# the statement that copies the files is not visible in this listing.
154 if use examples; then
155 insinto "/usr/share/doc/${PF}/examples"
158 newbashcomp shell-completion/bash "${PN}"
# Compiled translations are installed unless python_prepare_all recorded that no
# requested language matched.
160 [[ $_EMPTY_LOCALE_LIST != "yes" ]] && domo locales/mo/*.mo
162 distutils-r1_python_install_all
163 python_replicate_script "${D}/usr/sbin/ufw"
# Post-install messages. print_check_req_warn decides whether the note about the
# check-requirements script is shown. The enclosing function header and several
# else/fi/done lines are not visible in this listing.
167 local print_check_req_warn
168 print_check_req_warn=false
# Empty REPLACING_VERSIONS: no previous version is being replaced, i.e. a fresh install.
170 if [[ -z "${REPLACING_VERSIONS}" ]]; then
172 elog "To enable ufw, add it to boot sequence and activate it:"
173 elog "-- # rc-update add ufw boot"
174 elog "-- # /etc/init.d/ufw start"
176 elog "If you want to keep ufw logs in a separate file, take a look at"
177 elog "/usr/share/doc/${PF}/logging."
178 print_check_req_warn=true
# Upgrade path: show the note when a replaced version is older than 0.34.
# NOTE(review): quoting "${REPLACING_VERSIONS}" makes this loop run exactly once with
# the whole string. When more than one version is replaced, minor then holds text with
# a space in it and the -lt test is handed a non-integer, so the note can be skipped.
# Iterating the unquoted list (for rv in ${REPLACING_VERSIONS}) gives one version per
# pass. minor can also carry further components or a revision suffix, which -lt
# evaluates arithmetically -- confirm the comparison for such versions.
181 for rv in "${REPLACING_VERSIONS}"; do
182 local major=${rv%%.*}
183 local minor=${rv#${major}.}
184 if [[ "${major}" -eq 0 && "${minor}" -lt 34 ]]; then
185 print_check_req_warn=true
189 if [[ "${print_check_req_warn}" == "true" ]]; then
191 elog "/usr/share/ufw/check-requirements script is installed."
192 elog "It is useful for debugging problems with ufw. However one"
193 elog "should keep in mind that the script assumes IPv6 is enabled"
194 elog "on kernel and net-firewall/iptables, and fails when it's not."
# Security-relevant notice: once enabled, incoming SSH is blocked by default, which can
# cut off a remotely administered host.
# NOTE(review): this warning is printed after the enable instructions above; consider
# placing it next to them so it is read before the service is started.
197 ewarn "Note: once enabled, ufw blocks also incoming SSH connections by"
198 ewarn "default. See README, Remote Management section for more information."