add genkerenl and iptables

net-firewall/iptables/Manifest

@@ -0,0 +1,10 @@
+AUX ip6tables-1.4.13.confd 690 SHA256 2938fe4206514d9868047bd8f888a699fa2097ca69edab176453436d4259abaa SHA512 8de9a5de4061bef217fbc07577688a8110f1116af7f3b936dfd18100a6a7a47ec6e70c456b24cf3432fb4f2034b741a487fe6af8d9740f174d51c6eb16945c6e WHIRLPOOL f2f4903812b5b97d5bdf9cb28f0bcb6f8c866f197b46a9128530721a8d9db1cdcedffe2512c9235391a67f494c2daf1266d7bc8a6185949756437221c3861a10
+AUX iptables-1.4.13-IMQ-test1.diff 4310 SHA256 2a611eadf841f38dd44825b9511c48391223f96d885e49d067a94838cbd877a6 SHA512 37bafeed169a9a96b52a3a9d8479fb3ecdfe6058ed2810f479655f597d8b37a55c66242fb65ca435aa21f5a72836d30521072bd8d4b0fcc92945b9465d8cc668 WHIRLPOOL c69ad07c5d4763862cedde8c7805166bda3e6afc0e0a57a58b58fc0ba1f14c4f3b738d98e6e9f34e2b5a88f0ee82707cdd9ccd0795be13f8ec425efd3c083f58
+AUX iptables-1.4.13-r1.init 2666 SHA256 add450154d983c09e1ade0d929d9eb8b151634c0eb8e0a2c512f12e3c9574ade SHA512 8d1150dd076ad41644bc99342e20f1ecea0bfa6f5da106019b479f76398d774b55bdbe842cfa4e5d0a7f364eba10374695df3249e92ae53c56b2b2ac928ea6a1 WHIRLPOOL 2ba3227729c85d2695eb9682d98441fcf4d373ea88861330c7d299ddb0d04660a734ecdea08cba01b15796998c66ffe7657b934f414c821bd228b5d4d45c3b0a
+AUX iptables-1.4.13.confd 687 SHA256 7e2341211ca14997b7a8a1f930f94db855291af597c568f680f80031c20d45b6 SHA512 bd67d53e997ea65755148ba071fe6e3856d6e604b9167c666900721bc3dc24f63d395bc33a1a34ae50f95e72760da630db1a8d35afc81ec5973e60ba5343dc70 WHIRLPOOL 111b809b3122b04cce8ac0e551cfcdec7fde1ad563e1001bbbb3dbb4cae0ddf13851ece1024e13fb26aab2fe306dfc4fd9e59ab5a10127b301bc7a65ec20486b
+AUX iptables-1.4.13.init 2632 SHA256 3c955bbc787e57d6c0d6d5e97ec34e350fbcbf4f0b453bd2ed624e68ac83155f SHA512 ffb5eb1372a69f3aa9ed3181b3c96fe34b3a07a1b7021e132d0b8eca65f65d83bc546371bc3e7081de68e02fd18bf99993eff6a643715e4b4d0d0d9066c5eee8 WHIRLPOOL 50a3771e5ac7b0ee38cc23c11791c05616687bc44fd6708a89c431422dcee99a92448c55f5b4c790614e785b3b74cc0e168c9d91c547e9e4faa477bed7b0cdea
+AUX iptables-layer7.patch 11456 SHA256 2caf08767e82eec69c53612063c004756e15e37b28338a4aff31bdd8be6cc74d SHA512 1f4ca9f95404781aaff99b2accaff80588171f35d33f190effcb4808a1161e8a2c3f3baf593666cb305c35b18bdc42070f5cdd808f0e93b404f4620934318d3e WHIRLPOOL 682d10cceece2b2b093dd2c113cd36ff4ef37796531b4d8b1b0049c4937670dd4a36139dd157b32ef4c1de9e958aeb2c4a9ed9892aee108bf0d7c1efe32b1419
+DIST iptables-1.4.16.3.tar.bz2 536872 SHA256 643ccf34099d53d5b839e1d889c05627745a51ec122648e76a9fcec3a8a9ec79 SHA512 c232a927fe63623cc0d336b4a09d7baad2d0c5a2a5e3b7ad083727e9f17cd0b668a826a4c5ff0bbb45233fee6c38c153710b13f458514516af7cf7df10d720e2 WHIRLPOOL 2dadcdb39f7741cb7b3c493bc36792a6edbdd9ddaa0c862d2ec0a6fbb89eb82c55f04ae407ab641f425208b15ef6e689af10ce6c03368e40652367c39dead75f
+EBUILD iptables-1.4.16.3.ebuild 2346 SHA256 52354ce68dd8aeb4edf8024d9c2922ea4fc9e19a50d2163777e06f40be26353e SHA512 8fd8e297644b9da495939e78bf1d0ec2cbd3634eb315b5508903617b3681f1865419a5d503ac9ac0824d4dd806bf884eed9d1a6a146a05309a7169335c3b5a8f WHIRLPOOL 033bd35b47448e6fe66038d0a3f4bb5e272bf55e90a791aa8f45d248987555d5e6f05ac6dee1217b35ee006f9518f50f88018d536d64264cc6fc59be8ab9d190
+MISC ChangeLog 48600 SHA256 1198a02eb018f75e1dcfe5c37a166267fef971111967b62b6fbe215aa540c6ca SHA512 3f6463392886cd79059d41a5ecd6041474c39c1f8fcebd6ca364d643051dccaa3b370f676dd2710a3743318d816aab86a37dec96833d5ae49759710291ac6a57 WHIRLPOOL ed3c04733e9051db8050221258a700c8609b42d41626a0370cc23e5859849a8dab6144476adcea3ff26dff097b04616a37ea9cf6010ab9402d43e929f3924b8f
+MISC metadata.xml 1033 SHA256 6972ae7bad5c0025564a15429579f046ab4c365929aa175b1e84c1586872bdc9 SHA512 fe251377457099cbf9014fc206176a79d377b2c61f1b239b81e10cb05e740ac8e6d4849ac60987091d33b66ae9d72fbb36cf590bfe663e3dc1338c3648e1c179 WHIRLPOOL e0282695b2be9ab1b56e3779d26e27ce38803fa7fce9b1c66eb0ab3226d527e354436fcde7e15aa238c83dcbeab74cbf6f1aba36609096ca4bcdf982fce52abc

net-firewall/iptables/files/ip6tables-1.4.13.confd

@@ -0,0 +1,19 @@
+# /etc/conf.d/ip6tables
+
+# Location in which iptables initscript will save set rules on 
+# service shutdown
+IP6TABLES_SAVE="/var/lib/ip6tables/rules-save"
+
+# Options to pass to iptables-save and iptables-restore 
+SAVE_RESTORE_OPTIONS="-c"
+
+# Save state on stopping iptables
+SAVE_ON_STOP="yes"
+
+# If you need to log iptables messages as soon as iptables starts,
+# AND your logger does NOT depend on the network, then you may wish
+# to uncomment the next line.
+# If your logger depends on the network, and you uncomment this line
+# you will create an unresolvable circular dependency during startup.
+# After commenting or uncommenting this line, you must run 'rc-update -u'.
+#rc_use="logger"

net-firewall/iptables/files/iptables-1.4.13-IMQ-test1.diff

@@ -0,0 +1,141 @@
+diff -Naur iptables-1.4.12.2/extensions/libxt_IMQ.c iptables-1.4.12.2-imq/extensions/libxt_IMQ.c
+--- iptables-1.4.12.2/extensions/libxt_IMQ.c	1970-01-01 02:00:00.000000000 +0200
++++ iptables-1.4.12.2-imq/extensions/libxt_IMQ.c	2011-09-30 13:53:21.000000000 +0300
+@@ -0,0 +1,105 @@
++/* Shared library add-on to iptables to add IMQ target support. */
++#include <stdio.h>
++#include <string.h>
++#include <stdlib.h>
++#include <getopt.h>
++
++#include <xtables.h>
++#include <linux/netfilter/x_tables.h>
++#include <linux/netfilter/xt_IMQ.h>
++
++/* Function which prints out usage message. */
++static void IMQ_help(void)
++{
++	printf(
++"IMQ target options:\n"
++"  --todev <N>		enqueue to imq<N>, defaults to 0\n");
++
++}
++
++static struct option IMQ_opts[] = {
++	{ "todev", 1, 0, '1' },
++	{ 0 }
++};
++
++/* Initialize the target. */
++static void IMQ_init(struct xt_entry_target *t)
++{
++	struct xt_imq_info *mr = (struct xt_imq_info*)t->data;
++
++	mr->todev = 0;
++}
++
++/* Function which parses command options; returns true if it
++   ate an option */
++static int IMQ_parse(int c, char **argv, int invert, unsigned int *flags,
++      const void *entry, struct xt_entry_target **target)
++{
++	struct xt_imq_info *mr = (struct xt_imq_info*)(*target)->data;
++	
++	switch(c) {
++	case '1':
++/*		if (xtables_check_inverse(optarg, &invert, NULL, 0, argv))
++			xtables_error(PARAMETER_PROBLEM,
++				   "Unexpected `!' after --todev");
++*/
++		mr->todev=atoi(optarg);
++		break;
++
++	default:
++		return 0;
++	}
++	return 1;
++}
++
++/* Prints out the targinfo. */
++static void IMQ_print(const void *ip,
++      const struct xt_entry_target *target,
++      int numeric)
++{
++	struct xt_imq_info *mr = (struct xt_imq_info*)target->data;
++
++	printf("IMQ: todev %u ", mr->todev);
++}
++
++/* Saves the union ipt_targinfo in parsable form to stdout. */
++static void IMQ_save(const void *ip, const struct xt_entry_target *target)
++{
++	struct xt_imq_info *mr = (struct xt_imq_info*)target->data;
++
++	printf(" --todev %u", mr->todev);
++}
++
++static struct xtables_target imq_target = {
++	.name		= "IMQ",
++	.version	= XTABLES_VERSION,
++	.family		= NFPROTO_IPV4,
++	.size		= XT_ALIGN(sizeof(struct xt_imq_info)),
++	.userspacesize	= XT_ALIGN(sizeof(struct xt_imq_info)),
++	.help		= IMQ_help,
++	.init		= IMQ_init,
++	.parse		= IMQ_parse,
++	.print		= IMQ_print,
++	.save		= IMQ_save,
++	.extra_opts	= IMQ_opts,
++};
++
++static struct xtables_target imq_target6 = {
++	.name		= "IMQ",
++	.version	= XTABLES_VERSION,
++	.family		= NFPROTO_IPV6,
++	.size		= XT_ALIGN(sizeof(struct xt_imq_info)),
++	.userspacesize	= XT_ALIGN(sizeof(struct xt_imq_info)),
++	.help		= IMQ_help,
++	.init		= IMQ_init,
++	.parse		= IMQ_parse,
++	.print		= IMQ_print,
++	.save		= IMQ_save,
++	.extra_opts	= IMQ_opts,
++};
++
++// void __attribute((constructor)) nf_ext_init(void){
++void _init(void){
++	xtables_register_target(&imq_target);
++	xtables_register_target(&imq_target6);
++}
+diff -Naur iptables-1.4.12.2/extensions/libxt_IMQ.man iptables-1.4.12.2-imq/extensions/libxt_IMQ.man
+--- iptables-1.4.12.2/extensions/libxt_IMQ.man	1970-01-01 02:00:00.000000000 +0200
++++ iptables-1.4.12.2-imq/extensions/libxt_IMQ.man	2011-09-30 13:53:21.000000000 +0300
+@@ -0,0 +1,15 @@
++This target is used to redirect the traffic to the IMQ driver and you can apply
++QoS rules like HTB or CBQ.
++For example you can select only traffic comming from a specific interface or
++is going out on a specific interface.
++Also it permits to capture the traffic BEFORE NAT in the case of outgoing traffic
++or AFTER NAT in the case of incomming traffic.
++.TP
++\fB\-\-to\-dev\fP \fIvalue\fP
++Set the IMQ interface where to send this traffic
++.TP
++Example:
++.TP
++Redirect incomming traffic from interface eth0 to imq0 and outgoing traffic to imq1:
++iptables \-t mangle \-A FORWARD \-i eth0 \-j IMQ \-\-to\-dev 0
++iptables \-t mangle \-A FORWARD \-o eth0 \-j IMQ \-\-to\-dev 1
+diff -Naur iptables-1.4.12.2/include/linux/netfilter/xt_IMQ.h iptables-1.4.12.2-imq/include/linux/netfilter/xt_IMQ.h
+--- iptables-1.4.12.2/include/linux/netfilter/xt_IMQ.h	1970-01-01 02:00:00.000000000 +0200
++++ iptables-1.4.12.2-imq/include/linux/netfilter/xt_IMQ.h	2011-09-30 13:53:21.000000000 +0300
+@@ -0,0 +1,9 @@
++#ifndef _XT_IMQ_H
++#define _XT_IMQ_H
++
++struct xt_imq_info {
++	unsigned int todev;     /* target imq device */
++};
++
++#endif /* _XT_IMQ_H */
++

net-firewall/iptables/files/iptables-1.4.13-r1.init

@@ -0,0 +1,116 @@
+#!/sbin/runscript
+# Copyright 1999-2012 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-firewall/iptables/files/iptables-1.4.13-r1.init,v 1.1 2012/09/14 17:58:26 axs Exp $
+
+extra_commands="save panic"
+extra_started_commands="reload"
+
+iptables_name=${SVCNAME}
+if [ "${iptables_name}" != "iptables" -a "${iptables_name}" != "ip6tables" ] ; then
+	iptables_name="iptables"
+fi
+
+iptables_bin="/sbin/${iptables_name}"
+case ${iptables_name} in
+	iptables)  iptables_proc="/proc/net/ip_tables_names"
+	           iptables_save=${IPTABLES_SAVE};;
+	ip6tables) iptables_proc="/proc/net/ip6_tables_names"
+	           iptables_save=${IP6TABLES_SAVE};;
+esac
+
+depend() {
+	before net
+}
+
+set_table_policy() {
+	local chains table=$1 policy=$2
+	case ${table} in
+		nat)    chains="PREROUTING POSTROUTING OUTPUT";;
+		mangle) chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING";;
+		filter) chains="INPUT FORWARD OUTPUT";;
+		*)      chains="";;
+	esac
+	local chain
+	for chain in ${chains} ; do
+		${iptables_bin} -t ${table} -P ${chain} ${policy}
+	done
+}
+
+checkkernel() {
+	if [ ! -e ${iptables_proc} ] ; then
+		eerror "Your kernel lacks ${iptables_name} support, please load"
+		eerror "appropriate modules and try again."
+		return 1
+	fi
+	return 0
+}
+checkconfig() {
+	if [ ! -f ${iptables_save} ] ; then
+		eerror "Not starting ${iptables_name}.  First create some rules then run:"
+		eerror "/etc/init.d/${iptables_name} save"
+		return 1
+	fi
+	return 0
+}
+
+start() {
+	checkconfig || return 1
+	ebegin "Loading ${iptables_name} state and starting firewall"
+	${iptables_bin}-restore ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
+	eend $?
+}
+
+stop() {
+	if [ "${SAVE_ON_STOP}" = "yes" ] ; then
+		save || return 1
+	fi
+	checkkernel || return 1
+	ebegin "Stopping firewall"
+	local a
+	for a in $(cat ${iptables_proc}) ; do
+		set_table_policy $a ACCEPT
+
+		${iptables_bin} -F -t $a
+		${iptables_bin} -X -t $a
+	done
+	eend $?
+}
+
+reload() {
+	checkkernel || return 1
+	ebegin "Flushing firewall"
+	local a
+	for a in $(cat ${iptables_proc}) ; do
+		${iptables_bin} -F -t $a
+		${iptables_bin} -X -t $a
+	done
+	eend $?
+
+	start
+}
+
+save() {
+	ebegin "Saving ${iptables_name} state"
+	checkpath -q -d "$(dirname "${iptables_save}")"
+	checkpath -q -m 0600 -f "${iptables_save}"
+	${iptables_bin}-save ${SAVE_RESTORE_OPTIONS} > "${iptables_save}"
+	eend $?
+}
+
+panic() {
+	checkkernel || return 1
+	if service_started ${iptables_name}; then
+		rc-service ${iptables_name} stop
+	fi
+
+	local a
+	ebegin "Dropping all packets"
+	for a in $(cat ${iptables_proc}) ; do
+		${iptables_bin} -F -t $a
+		${iptables_bin} -X -t $a
+
+		set_table_policy $a DROP
+	done
+	eend $?
+}

net-firewall/iptables/files/iptables-1.4.13.confd

@@ -0,0 +1,19 @@
+# /etc/conf.d/iptables
+
+# Location in which iptables initscript will save set rules on 
+# service shutdown
+IPTABLES_SAVE="/var/lib/iptables/rules-save"
+
+# Options to pass to iptables-save and iptables-restore 
+SAVE_RESTORE_OPTIONS="-c"
+
+# Save state on stopping iptables
+SAVE_ON_STOP="yes"
+
+# If you need to log iptables messages as soon as iptables starts,
+# AND your logger does NOT depend on the network, then you may wish
+# to uncomment the next line.
+# If your logger depends on the network, and you uncomment this line
+# you will create an unresolvable circular dependency during startup.
+# After commenting or uncommenting this line, you must run 'rc-update -u'.
+#rc_use="logger"

net-firewall/iptables/files/iptables-1.4.13.init

@@ -0,0 +1,116 @@
+#!/sbin/runscript
+# Copyright 1999-2012 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-firewall/iptables/files/iptables-1.4.13.init,v 1.1 2012/05/21 21:24:16 williamh Exp $
+
+extra_commands="save panic"
+extra_started_commands="reload"
+
+iptables_name=${SVCNAME}
+if [ "${iptables_name}" != "iptables" -a "${iptables_name}" != "ip6tables" ] ; then
+	iptables_name="iptables"
+fi
+
+iptables_bin="/sbin/${iptables_name}"
+case ${iptables_name} in
+	iptables)  iptables_proc="/proc/net/ip_tables_names"
+	           iptables_save=${IPTABLES_SAVE};;
+	ip6tables) iptables_proc="/proc/net/ip6_tables_names"
+	           iptables_save=${IP6TABLES_SAVE};;
+esac
+
+depend() {
+	before net
+}
+
+set_table_policy() {
+	local chains table=$1 policy=$2
+	case ${table} in
+		nat)    chains="PREROUTING POSTROUTING OUTPUT";;
+		mangle) chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING";;
+		filter) chains="INPUT FORWARD OUTPUT";;
+		*)      chains="";;
+	esac
+	local chain
+	for chain in ${chains} ; do
+		${iptables_bin} -t ${table} -P ${chain} ${policy}
+	done
+}
+
+checkkernel() {
+	if [ ! -e ${iptables_proc} ] ; then
+		eerror "Your kernel lacks ${iptables_name} support, please load"
+		eerror "appropriate modules and try again."
+		return 1
+	fi
+	return 0
+}
+checkconfig() {
+	if [ ! -f ${iptables_save} ] ; then
+		eerror "Not starting ${iptables_name}.  First create some rules then run:"
+		eerror "/etc/init.d/${iptables_name} save"
+		return 1
+	fi
+	return 0
+}
+
+start() {
+	checkconfig || return 1
+	ebegin "Loading ${iptables_name} state and starting firewall"
+	${iptables_bin}-restore ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
+	eend $?
+}
+
+stop() {
+	if [ "${SAVE_ON_STOP}" = "yes" ] ; then
+		save || return 1
+	fi
+	checkkernel || return 1
+	ebegin "Stopping firewall"
+	local a
+	for a in $(cat ${iptables_proc}) ; do
+		set_table_policy $a ACCEPT
+
+		${iptables_bin} -F -t $a
+		${iptables_bin} -X -t $a
+	done
+	eend $?
+}
+
+reload() {
+	checkkernel || return 1
+	ebegin "Flushing firewall"
+	local a
+	for a in $(cat ${iptables_proc}) ; do
+		${iptables_bin} -F -t $a
+		${iptables_bin} -X -t $a
+	done
+	eend $?
+
+	start
+}
+
+save() {
+	ebegin "Saving ${iptables_name} state"
+	touch "${iptables_save}"
+	chmod 0600 "${iptables_save}"
+	${iptables_bin}-save ${SAVE_RESTORE_OPTIONS} > "${iptables_save}"
+	eend $?
+}
+
+panic() {
+	checkkernel || return 1
+	if service_started ${iptables_name}; then
+		rc-service ${iptables_name} stop
+	fi
+
+	local a
+	ebegin "Dropping all packets"
+	for a in $(cat ${iptables_proc}) ; do
+		${iptables_bin} -F -t $a
+		${iptables_bin} -X -t $a
+
+		set_table_policy $a DROP
+	done
+	eend $?
+}

net-firewall/iptables/files/iptables-layer7.patch

@@ -0,0 +1,406 @@
+diff -urN iptables-1.4.9.1.org/extensions/libxt_layer7.c iptables-1.4.9.1/extensions/libxt_layer7.c
+--- iptables-1.4.9.1.org/extensions/libxt_layer7.c	1970-01-01 01:00:00.000000000 +0100
++++ iptables-1.4.9.1/extensions/libxt_layer7.c	2009-07-14 00:53:05.000000000 +0200
+@@ -0,0 +1,368 @@
++/* 
++   Shared library add-on to iptables for layer 7 matching support. 
++  
++   By Matthew Strait <quadong@users.sf.net>, Oct 2003-Aug 2008.
++
++   http://l7-filter.sf.net 
++
++   This program is free software; you can redistribute it and/or
++   modify it under the terms of the GNU General Public License
++   as published by the Free Software Foundation; either version
++   2 of the License, or (at your option) any later version.
++   http://www.gnu.org/licenses/gpl.txt
++*/
++
++#define _GNU_SOURCE
++#include <stdio.h>
++#include <netdb.h>
++#include <string.h>
++#include <stdlib.h>
++#include <getopt.h>
++#include <ctype.h>
++#include <dirent.h>
++
++#include <xtables.h>
++#include <linux/netfilter/xt_layer7.h>
++
++#define MAX_FN_LEN 256
++
++static char l7dir[MAX_FN_LEN] = "\0";
++
++/* Function which prints out usage message. */
++static void help(void)
++{
++	printf(
++	"layer7 match options:\n"
++	"    --l7dir <directory> : Look for patterns here instead of /etc/l7-protocols/\n"
++	"                          (--l7dir must be specified before --l7proto if used)\n"
++	"[!] --l7proto <name>: Match named protocol using /etc/l7-protocols/.../name.pat\n");
++}
++
++static const struct option opts[] = {
++	{ .name = "l7proto", .has_arg = 1, .val = 'p' },
++	{ .name = "l7dir",   .has_arg = 1, .val = 'd' },
++	{ .name = NULL }
++};
++
++/* reads filename, puts protocol info into layer7_protocol_info, number of protocols to numprotos */
++static int parse_protocol_file(char * filename, const char * protoname, struct xt_layer7_info *info)
++{
++	FILE * f;
++	char * line = NULL;
++	size_t len = 0;
++
++	enum { protocol, pattern, done } datatype = protocol;
++
++	f = fopen(filename, "r");
++
++	if(!f)
++		return 0;
++
++	while(getline(&line, &len, f) != -1)
++	{
++		if(strlen(line) < 2 || line[0] == '#')
++			continue;
++
++		/* strip the pesky newline... */
++		if(line[strlen(line) - 1] == '\n')
++			line[strlen(line) - 1] = '\0';
++
++		if(datatype == protocol)
++		{
++			/* Ignore everything on the line beginning with the 
++			first space or tab . For instance, this allows the 
++			protocol line in http.pat to be "http " (or 
++			"http I am so cool") instead of just "http". */
++			if(strchr(line, ' ')){
++				char * space = strchr(line, ' ');
++				space[0] = '\0';
++			}
++			if(strchr(line, '\t')){
++				char * space = strchr(line, '\t');
++				space[0] = '\0';
++			}
++
++			/* sanity check.  First non-comment non-blank 
++			line must be the same as the file name. */
++			if(strcmp(line, protoname))
++				xtables_error(OTHER_PROBLEM, 
++					"Protocol name (%s) doesn't match file name (%s).  Bailing out\n",
++					line, filename);
++
++			if(strlen(line) >= MAX_PROTOCOL_LEN)
++				 xtables_error(PARAMETER_PROBLEM, 
++					"Protocol name in %s too long!", filename);
++			strncpy(info->protocol, line, MAX_PROTOCOL_LEN);
++
++			datatype = pattern; 
++		}
++		else if(datatype == pattern)
++		{
++			if(strlen(line) >= MAX_PATTERN_LEN)
++				 xtables_error(PARAMETER_PROBLEM, "Pattern in %s too long!", filename);
++			strncpy(info->pattern, line, MAX_PATTERN_LEN);
++			
++			datatype = done;			
++			break;
++		}
++		else
++			xtables_error(OTHER_PROBLEM, "Internal error");
++	}
++
++	if(datatype != done)
++		xtables_error(OTHER_PROBLEM, "Failed to get all needed data from %s", filename);
++
++	if(line) free(line);
++	fclose(f);
++
++	return 1;
++}
++
++static int hex2dec(char c)
++{
++        switch (c)
++        {
++                case '0' ... '9':
++                        return c - '0';
++                case 'a' ... 'f':
++                        return c - 'a' + 10;
++                case 'A' ... 'F':
++                        return c - 'A' + 10;
++                default:
++                        xtables_error(OTHER_PROBLEM, "hex2dec: bad value!\n");
++                        return 0;
++        }
++}
++
++/* takes a string with \xHH escapes and returns one with the characters 
++they stand for */
++static char * pre_process(char * s)
++{
++	char * result = malloc(strlen(s) + 1);
++	int sindex = 0, rrindex = 0;
++        while( sindex < strlen(s) )
++        {
++            if( sindex + 3 < strlen(s) &&
++                s[sindex] == '\\' && s[sindex+1] == 'x' && 
++                isxdigit(s[sindex + 2]) && isxdigit(s[sindex + 3]) ) 
++                {
++                        /* carefully remember to call tolower here... */
++                        result[rrindex] = tolower( hex2dec(s[sindex + 2])*16 +
++                                                  hex2dec(s[sindex + 3] ) );
++
++			switch ( result[rrindex] )
++			{
++			case 0x24:
++			case 0x28:
++			case 0x29:
++			case 0x2a:
++			case 0x2b:
++			case 0x2e:
++			case 0x3f:
++			case 0x5b:
++			case 0x5c:
++			case 0x5d:
++			case 0x5e:
++			case 0x7c:
++				fprintf(stderr, 
++					"Warning: layer7 regexp contains a control character, %c, in hex (\\x%c%c).\n"
++					"I recommend that you write this as %c or \\%c, depending on what you meant.\n",
++					result[rrindex], s[sindex + 2], s[sindex + 3], result[rrindex], result[rrindex]);
++				break;
++			case 0x00:
++				fprintf(stderr, 
++					"Warning: null (\\x00) in layer7 regexp.  A null terminates the regexp string!\n");
++				break;
++			default:
++				break;
++			}
++
++
++                        sindex += 3; /* 4 total */
++                }
++                else
++                        result[rrindex] = tolower(s[sindex]);
++
++		sindex++; 
++		rrindex++;
++        }
++	result[rrindex] = '\0';
++
++	return result;
++}
++
++#define MAX_SUBDIRS 128
++static char ** readl7dir(char * dirname)
++{
++        DIR             * scratchdir;
++        struct dirent   ** namelist;
++	char ** subdirs = malloc(MAX_SUBDIRS * sizeof(char *));
++
++        int n, d = 1;
++	subdirs[0] = "";
++
++        n = scandir(dirname, &namelist, 0, alphasort);
++
++	if (n < 0)
++	{
++            perror("scandir");
++	    xtables_error(OTHER_PROBLEM, "Couldn't open %s\n", dirname);
++	}
++        else 
++	{
++            	while(n--) 
++		{
++			char fulldirname[MAX_FN_LEN];
++
++			snprintf(fulldirname, MAX_FN_LEN, "%s/%s", dirname, namelist[n]->d_name);
++
++                	if((scratchdir = opendir(fulldirname)) != NULL)
++			{
++				closedir(scratchdir);
++
++				if(!strcmp(namelist[n]->d_name, ".") || 
++				   !strcmp(namelist[n]->d_name, ".."))
++					/* do nothing */ ;
++				else
++				{
++					subdirs[d] = malloc(strlen(namelist[n]->d_name) + 1);
++					strcpy(subdirs[d], namelist[n]->d_name);
++					d++;
++					if(d >= MAX_SUBDIRS - 1)
++					{
++						fprintf(stderr, 
++						  "Too many subdirectories, skipping the rest!\n");
++						break;
++					}
++				}
++			}
++                	free(namelist[n]);
++            	}
++            	free(namelist);
++        }
++	
++	subdirs[d] = NULL;
++
++	return subdirs;
++}
++
++static void parse_layer7_protocol(const char *s, struct xt_layer7_info *info)
++{
++	char filename[MAX_FN_LEN];
++	char * dir = NULL;
++	char ** subdirs;
++	int n = 0, done = 0;
++
++	if(strlen(l7dir) > 0) dir = l7dir;
++	else                  dir = "/etc/l7-protocols";
++
++	subdirs = readl7dir(dir);
++
++	while(subdirs[n] != NULL)
++	{
++		int c = snprintf(filename, MAX_FN_LEN, "%s/%s/%s.pat", dir, subdirs[n], s);
++
++		if(c > MAX_FN_LEN)
++			xtables_error(OTHER_PROBLEM, 
++				"Filename beginning with %s is too long!\n", filename);
++
++		/* read in the pattern from the file */
++		if(parse_protocol_file(filename, s, info)){
++			done = 1;
++			break;
++		}
++		
++		n++;
++	}
++
++	if(!done)
++		xtables_error(OTHER_PROBLEM, 
++			"Couldn't find a pattern definition file for %s.\n", s);
++
++	/* process \xHH escapes and tolower everything. (our regex lib has no
++	case insensitivity option.) */
++	strncpy(info->pattern, pre_process(info->pattern), MAX_PATTERN_LEN);
++}
++
++/* Function which parses command options; returns true if it ate an option */
++static int parse(int c, char **argv, int invert, unsigned int *flags,
++      const void *entry, struct xt_entry_match **match)
++{
++	struct xt_layer7_info *layer7info = 
++		(struct xt_layer7_info *)(*match)->data;
++
++	switch (c) {
++	case 'p':
++		parse_layer7_protocol(argv[optind-1], layer7info);
++		if (invert)
++			layer7info->invert = true;
++		*flags = 1;
++		break;
++
++	case 'd':
++		if(strlen(argv[optind-1]) >= MAX_FN_LEN)
++			xtables_error(PARAMETER_PROBLEM, "directory name too long\n");
++
++		strncpy(l7dir, argv[optind-1], MAX_FN_LEN);
++
++		*flags = 1;
++		break;
++
++	default:
++		return 0;
++	}
++
++	return 1;
++}
++
++/* Final check; must have specified --l7proto */
++static void final_check(unsigned int flags)
++{
++	if (!flags)
++		xtables_error(PARAMETER_PROBLEM,
++			   "LAYER7 match: You must specify `--l7proto'");
++}
++
++static void print_protocol(char s[], int invert, int numeric)
++{
++	fputs("l7proto ", stdout);
++	if (invert) fputc('!', stdout);
++	printf("%s ", s);
++}
++
++/* Prints out the matchinfo. */
++static void print(const void *ip,
++      const struct xt_entry_match *match,
++      int numeric)
++{
++	printf("LAYER7 ");
++	print_protocol(((struct xt_layer7_info *)match->data)->protocol,
++		  ((struct xt_layer7_info *)match->data)->invert, numeric);
++}
++/* Saves the union ipt_matchinfo in parsable form to stdout. */
++static void save(const void *ip, const struct xt_entry_match *match)
++{
++        const struct xt_layer7_info *info =
++            (const struct xt_layer7_info*) match->data;
++
++        printf("--l7proto %s%s ", (info->invert)? "! ":"", info->protocol);
++}
++
++static struct xtables_match layer7 = { 
++    .family        = AF_INET,
++    .name          = "layer7",
++    .version       = XTABLES_VERSION,
++    .size          = XT_ALIGN(sizeof(struct xt_layer7_info)),
++    .userspacesize = XT_ALIGN(sizeof(struct xt_layer7_info)),
++    .help          = &help,
++    .parse         = &parse,
++    .final_check   = &final_check,
++    .print         = &print,
++    .save          = &save,
++    .extra_opts    = opts
++};
++
++void _init(void)
++{
++	xtables_register_match(&layer7);
++}
+diff -urN iptables-1.4.9.1.org/extensions/libxt_layer7.man iptables-1.4.9.1/extensions/libxt_layer7.man
+--- iptables-1.4.9.1.org/extensions/libxt_layer7.man	1970-01-01 01:00:00.000000000 +0100
++++ iptables-1.4.9.1/extensions/libxt_layer7.man	2009-07-14 00:51:32.000000000 +0200
+@@ -0,0 +1,14 @@
++This module matches packets based on the application layer data of 
++their connections.  It uses regular expression matching to compare 
++the application layer data to regular expressions found it the layer7 
++configuration files.  This is an experimental module which can be found at 
++http://l7-filter.sf.net.  It takes two options.
++.TP
++.BI "--l7proto " "\fIprotocol\fP"
++Match the specified protocol.  The protocol name must match a file 
++name in /etc/l7-protocols/ or one of its first-level child directories.
++.TP
++.BI "--l7dir " "\fIdirectory\fP"
++Use \fIdirectory\fP instead of /etc/l7-protocols/.  This option must be 
++specified before --l7proto.
++
+--- iptables.orig/include/linux/netfilter/xt_layer7.h	1969-12-31 18:00:00.000000000 -0600
++++ iptables/include/linux/netfilter/xt_layer7.h	2009-01-07 16:07:31.000000000 -0600
+@@ -0,0 +1,13 @@
++#ifndef _XT_LAYER7_H
++#define _XT_LAYER7_H
++
++#define MAX_PATTERN_LEN 8192
++#define MAX_PROTOCOL_LEN 256
++
++struct xt_layer7_info {
++    char protocol[MAX_PROTOCOL_LEN];
++    char pattern[MAX_PATTERN_LEN];
++    u_int8_t invert;
++};
++
++#endif /* _XT_LAYER7_H */

net-firewall/iptables/iptables-1.4.16.3.ebuild

@@ -0,0 +1,87 @@
+# Copyright 1999-2012 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-firewall/iptables/iptables-1.4.16.3.ebuild,v 1.1 2012/10/23 07:58:43 radhermit Exp $
+
+EAPI="4"
+
+# Force users doing their own patches to install their own tools
+AUTOTOOLS_AUTO_DEPEND=no
+
+inherit eutils multilib toolchain-funcs autotools
+
+DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
+HOMEPAGE="http://www.iptables.org/"
+SRC_URI="http://iptables.org/projects/iptables/files/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
+IUSE="ipv6 netlink static-libs"
+
+RDEPEND="
+	netlink? ( net-libs/libnfnetlink )
+"
+DEPEND="${RDEPEND}
+	virtual/os-headers
+	virtual/pkgconfig
+"
+
+src_prepare() {
+	# use the saner headers from the kernel
+	rm -f include/linux/{kernel,types}.h
+
+	epatch "${FILESDIR}/iptables-1.4.13-IMQ-test1.diff"
+	epatch "${FILESDIR}/iptables-layer7.patch"
+	eautoreconf
+
+	# Only run autotools if user patched something
+	epatch_user && eautoreconf || elibtoolize
+}
+
+src_configure() {
+	sed -i \
+		-e "/nfnetlink=[01]/s:=[01]:=$(usex netlink 1 0):" \
+		configure || die
+
+	econf \
+		--sbindir="${EPREFIX}/sbin" \
+		--libexecdir="${EPREFIX}/$(get_libdir)" \
+		--enable-devel \
+		--enable-shared \
+		$(use_enable static-libs static) \
+		$(use_enable ipv6)
+}
+
+src_compile() {
+	emake V=1
+}
+
+src_install() {
+	default
+	dodoc INCOMPATIBILITIES iptables/iptables.xslt
+
+	# all the iptables binaries are in /sbin, so might as well
+	# put these small files in with them
+	into /
+	dosbin iptables/iptables-apply
+	dosym iptables-apply /sbin/ip6tables-apply
+	doman iptables/iptables-apply.8
+
+	insinto /usr/include
+	doins include/iptables.h $(use ipv6 && echo include/ip6tables.h)
+	insinto /usr/include/iptables
+	doins include/iptables/internal.h
+
+	keepdir /var/lib/iptables
+	newinitd "${FILESDIR}"/${PN}-1.4.13-r1.init iptables
+	newconfd "${FILESDIR}"/${PN}-1.4.13.confd iptables
+	if use ipv6 ; then
+		keepdir /var/lib/ip6tables
+		newinitd "${FILESDIR}"/iptables-1.4.13-r1.init ip6tables
+		newconfd "${FILESDIR}"/ip6tables-1.4.13.confd ip6tables
+	fi
+
+	# Move important libs to /lib
+	gen_usr_ldscript -a ip{4,6}tc iptc xtables
+	find "${ED}" -type f -name '*.la' -exec rm -rf '{}' '+' || die "la removal failed"
+}

net-firewall/iptables/metadata.xml

@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+<herd>base-system</herd>
+<maintainer>
+	<email>pva@gentoo.org</email>
+</maintainer>
+<use>
+ <flag name='netlink'>Build against libnfnetlink which enables the nfnl_osf util</flag>
+</use>
+<longdescription>
+  iptables is the userspace command line program used to set up, maintain, and
+  inspect the tables of IPv4 packet filter rules in the Linux kernel. It's a
+  part of packet filtering framework which allows the stateless and stateful
+  packet filtering, all kinds of network address and port translation, and is a
+  flexible and extensible infrastructure with multiple layers of API's for 3rd
+  party extensions. The iptables package also includes ip6tables. ip6tables is
+  used for configuring the IPv6 packet filter.
+
+  Note that some extensions (e.g. imq and l7filter) are not included into
+  official kernel sources so you have to patch the sources before installation.
+</longdescription>
+</pkgmetadata>