commit 5f01a038a1d36fa456ca0d6668707601405c03c2eb210420fb768f48eff57e28 Author: Adrian Schröter Date: Fri May 3 17:01:56 2024 +0200 Sync from SUSE:SLFO:Main nftables revision 1b451e0a95ff95804a3c101bcf911a3a
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/0001-Revert-py-replace-distutils-with-setuptools.patch b/0001-Revert-py-replace-distutils-with-setuptools.patch
new file mode 100644
index 0000000..915e3ed
--- /dev/null
+++ b/0001-Revert-py-replace-distutils-with-setuptools.patch
@@ -0,0 +1,24 @@
+From 2125091e724c399d653790af854d9daba0218b99 Mon Sep 17 00:00:00 2001
+From: Jan Engelhardt
+Date: Mon, 17 Jul 2023 12:13:05 +0200
+Subject: [PATCH] Revert "py: replace distutils with setuptools"
+
+This reverts commit 1acc2fd48c755a8931fa87b8d0560b750316059f.
+---
+ py/setup.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/py/setup.py b/py/setup.py
+index 8ad73e7b..72fc8fd9 100755
+--- a/py/setup.py
++++ b/py/setup.py
+@@ -1,5 +1,5 @@
+ #!/usr/bin/env python
+-from setuptools import setup
++from distutils.core import setup
+ from nftables import NFTABLES_VERSION
+
+ setup(name='nftables',
+--
+2.41.0
+
diff --git a/nftables-1.0.8.tar.xz b/nftables-1.0.8.tar.xz
new file mode 100644
index 0000000..5879930
--- /dev/null
+++ b/nftables-1.0.8.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9373740de41a82dbc98818e0a46a073faeb8a8d0689fa4fa1a74399c32bf3d50
+size 882980
diff --git a/nftables-1.0.8.tar.xz.sig b/nftables-1.0.8.tar.xz.sig
new file mode 100644
index 0000000..4307b29
Binary files /dev/null and b/nftables-1.0.8.tar.xz.sig differ
diff --git a/nftables.changes b/nftables.changes
new file mode 100644
index 0000000..c042f13
--- /dev/null
+++ b/nftables.changes
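Review bot: The packaged patch puts `from distutils.core import setup` back into `py/setup.py`, and distutils was removed from the standard library in Python 3.12 (PEP 632), so the python3-nftables build will fail once the build root's python3 reaches that version. Nothing visible in this commit pins the interpreter: the spec's `BuildRequires: python3-base` is unversioned. If the revert exists only to avoid a setuptools build dependency, the patch description should say so, and a marker such as `# TODO: drop once python3 >= 3.12 (distutils removed)` next to `Patch1:` would make sure it is revisited rather than silently breaking the build.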
@@ -0,0 +1,376 @@
+-------------------------------------------------------------------
+Fri Jul 14 11:56:43 UTC 2023 - Jan Engelhardt
+
+- Update to release 1.0.8
+ * Support for setting meta and ct mark from other fields in
+ rules, e.g. set meta mark to ip dscp header field.
+ * Enhacements for -o/--optimize to deal with NAT statements, to
+ compact masquerade statements.
+ * Support for stateful statements in anonymous maps, such as
+ counters.
+ * Support for resetting stateful expressions in sets, maps and
+ elements, e.g. counters.
+ * broute support to short-circuit bridge logic from the bridge
+ prerouting hook and pass up packets to the local IP stack.
+ * JSON support for table and chain comments.
+- Added 0001-Revert-py-replace-distutils-with-setuptools.patch
+
+-------------------------------------------------------------------
+Mon Mar 13 20:47:53 UTC 2023 - Jan Engelhardt
+
+- Update to release 1.0.7
+ * Support for vxlan/geneve/gre/gretap matching
+ * auto-merge support for partial set element deletion
+ * Allow for NAT mapping with concatenation and ranges
+ * Support for quota in sets
+
+-------------------------------------------------------------------
+Wed Dec 21 23:47:26 UTC 2022 - Jan Engelhardt
+
+- Update to release 1.0.6
+ * Fix bytecode generation for concatenation of intervals where
+ selectors use different byteorder datatypes, e.g. IPv4
+ (network byte order).
+ * Fix match of uncommon protocol matches with raw expressions
+ * Unbreak insertion of rules with intervals ("sport {
+ 3478-3497, 16384-16387 }")
+
+-------------------------------------------------------------------
+Wed Aug 17 19:21:15 UTC 2022 - Dirk Müller
+
+- update to 1.0.5:
+ * Fixes for the -o/--optimize, run this --optimize option to automagically
+ compact your ruleset using sets, maps and concatenations
+ * Fix ethernet and vlan concatenations, eg. define a dynamic set which
+ is populated from the packet path
+ * Fix ruleset listing with interface wildcard map
+ * Fix several regressions in the input lexer which broke valid rulesets.
+ * Fix slowdown with large lists of singleton interval elements.
+ * Fix set automerge feature for large lists of singleton interval elements.
+ * Fix bogus error reporting for exact overlaps.
+ * Fix segfault when adding elements to invalid set.
+ * fix device parsing in netdev family in json.
+
+-------------------------------------------------------------------
+Tue Jun 7 14:55:21 UTC 2022 - Jan Engelhardt
+
+- Update to release 1.0.4
+ * Fixed a segfault in -o/--optimize with unsupported statements.
+ * Bogus datatype mismatch error report in sets was fixed.
+
+-------------------------------------------------------------------
+Tue May 31 13:34:12 UTC 2022 - Jan Engelhardt
+
+- Update to release 1.0.3
+ * Support for wildcard interface name matching with sets
+ * Support for runtime auto-merge of set elements.
+ * Enhancements for the ruleset optimization -o/--optimize
+ option which allows to coalesce several NAT rules into map.
+ * Support for raw expressions in concatenations.
+ * Support for integer type protocol header fields in concatenations.
+ * Allow to reset TCP options (requires Linux kernel >= 5.18)
+- Drop 0001-build-add-missing-AM_CPPFLAGS-to-examples.patch
+
+-------------------------------------------------------------------
+Tue Feb 22 04:39:01 UTC 2022 - Jan Engelhardt
+
+- Update to release 1.0.2
+ * New ruleset optimization -o/--optimize option.
+ * Support for IP and TCP options and SCTP chunks in sets.
+ * Support for tcp fastopen, md5sig and mptcp options.
+ * MP-TCP subtype matching support.
+ * JSON support for flowtables.
+- Add 0001-build-add-missing-AM_CPPFLAGS-to-examples.patch
+
+-------------------------------------------------------------------
+Thu Nov 18 22:15:03 UTC 2021 - Jan Engelhardt
+
+- Update to release 1.0.1
+ * Reduce memory footprint when loading large sets/maps.
+ * Speed up reload of large sets/maps.
+ * Speed up listing of specific tables in large ruleset, e.g.
+ large ruleset with ~100k lines.
+ * Speed up --terse option when listing a ruleset large sets/maps.
+ * Print raw payload expression in hexadecimal, e.g.
+ "@ll,0,8 & 0x80 == 0x80"
+ * egress hook support (available since 5.16-rc1).
+ * Allow matching and update bytes at inner header/payload
+ offset (available since 5.16-rc1).
+
+-------------------------------------------------------------------
+Thu Aug 19 18:06:29 UTC 2021 - Jan Engelhardt
+
+- Update to release 1.0.0
+ * Catch-all set element support.
+ * The command-line option --define is now recognized.
+ * Stateful expressions in maps.
+ * Allow combination of jhash, symhash and numgen expressions with
+ the queue statement.
+ * Allow combination of verdict maps with interval concatenations.
+
+-------------------------------------------------------------------
+Tue May 25 23:20:59 UTC 2021 - Jan Engelhardt
+
+- Update to release 0.9.9
+ * Flowtable hardware offload support
+ * Support for the table owner flag.
+ * 802.1ad (QinQ) support
+ * cgroupsv2 support.
+ * match on SCTP packet chunks (dependent on Linux 5.14)
+ * Allow to use verdict in set/map typeof definitions
+
+-------------------------------------------------------------------
+Fri Jan 15 22:28:26 UTC 2021 - Jan Engelhardt
+
+- Update to release 0.9.8
+ * Complete support for matching ICMP header content fields.
+ * Added raw tcp option match support.
+ * Added ability to check for the presence of any tcp option.
+ * Support for rejecting traffic from the ingress chain.
+
+-------------------------------------------------------------------
+Tue Oct 27 12:08:37 UTC 2020 - Jan Engelhardt
+
+- Update to release 0.9.7
+ * Support for implicit chains
+ * Support for ingress inet chains
+ * Support for reject from prerouting chain
+ * Support for --terse option in json
+ * Support for the reset command with json
+
+-------------------------------------------------------------------
+Tue Jun 16 13:37:28 UTC 2020 - Jan Engelhardt
+
+- Update to release 0.9.6
+ * Fix two ASAN runtime errors
+
+-------------------------------------------------------------------
+Sat Jun 6 12:03:35 UTC 2020 - Jan Engelhardt
+
+- Update to release 0.9.5
+ * Support for set counters.
+ * Support for restoring set element counters via nft -f.
+ * Counter support for flowtables.
+ * typeof concatenations support for sets.
+ * Support for concatenated ranges in anonymous sets.
+ * Allow to reject packets with 802.1q from the bridge family.
+ * Support for matching on the conntrack ID.
+- Drop anonset-crashfix.patch (upstream solved differently)
+
+-------------------------------------------------------------------
+Thu May 7 11:41:07 UTC 2020 - Jan Engelhardt
+
+- Add anonset-crashfix.patch [boo#1171321]
+
+-------------------------------------------------------------------
+Wed Apr 1 18:48:56 UTC 2020 - Jan Engelhardt
+
+- Update to release 0.9.4
+ * Add a helper for concat expression handling.
+ * Add "typeof" build/parse/print support.
+
+-------------------------------------------------------------------
+Mon Dec 9 09:39:52 UTC 2019 - Jan Engelhardt
+
+- Add json, python [boo#1158723]
+
+-------------------------------------------------------------------
+Tue Dec 3 09:09:28 UTC 2019 - Jan Engelhardt
+
+- Update to release 0.9.3
+ * meta: Introduce new conditions "time", "day" and "hour".
+ * src: add ability to set/get secmarks to/from connection.
+ * flowtable: add support for named flowtable listing.
+ * flowtable: add support for delete command by handle.
+ * json: add support for element deletion.
+ * Add `-T` as the short option for `--numeric-time`.
+ * meta: add ibrpvid and ibrvproto support
+
+-------------------------------------------------------------------
+Mon Aug 19 12:37:45 UTC 2019 - Jan Engelhardt
+
+- Update to new upstream release 0.9.2
+ * Transport header port matching, e.g. "th dport 53"
+ * Support for matching on IPv4 options
+ * Support for synproxy
+
+-------------------------------------------------------------------
+Sat Jan 19 20:53:09 UTC 2019 - Stefan Brüns
+
+- Remove unused dblatex BuildRequires, only needed for the optional
+ and disabled PDF generation (same contents as shipped manpage).
+
+-------------------------------------------------------------------
+Sat Jun 9 07:28:57 UTC 2018 - jengelh@inai.de
+
+- Update to new upstream release 0.9.0
+ * Support to check if packet matches an existing socket.
+ * Support to limit number of active connections by arbitrary
+ criteria, such as ip addresses, networks, conntrack zones or
+ any combination thereof.
+ * Added support for "audit" logging.
+
+-------------------------------------------------------------------
+Fri May 11 07:30:10 UTC 2018 - jengelh@inai.de
+
+- Update to new upstream release 0.8.5
+ * support to add/insert a rule at a given index position
+ * meter statement now supports a configureable upper max size
+ * timeouts for sets can now be specified in milliseconds
+ * re-add iptables-like empty skeleton rulesets
+
+-------------------------------------------------------------------
+Wed May 2 06:08:00 UTC 2018 - jengelh@inai.de
+
+- Update to new upstream release 0.8.4
+ * Support to match IPv6 segment routing headers.
+ * New "meta ibrname" and "meta obrname" arguments to match the
+ name of the logical bridge a packet is passing through.
+ These new names replace the old (misnamed) "ibriport"/"obriport".
+ * `nft -a` will now show handle identifier for all objects,
+ including tables and chains.
+ * nft can now delete objects by their handle number.
+ * Support to update maps from the ruleset (packet path).
+ * the "--echo" option now prints handle id for tables and
+ object too.
+ * `nft -f -` will now read from standard input
+ * Support for flow tables, cf. man page or
+ https://lwn.net/Articles/738214/ .
+
+-------------------------------------------------------------------
+Sat Mar 3 22:59:01 UTC 2018 - jengelh@inai.de
+
+- Update to new upstream release 0.8.3
+ * raw payload support to match headers that do not yet have
+ received a mnemonic.
+
+-------------------------------------------------------------------
+Sat Feb 3 14:26:36 UTC 2018 - jengelh@inai.de
+
+- Update to new upstream release 0.8.2
+ * add secpath support
+
+-------------------------------------------------------------------
+Tue Jan 16 14:16:40 UTC 2018 - jengelh@inai.de
+
+- Update to new upstream release 0.8.1
+ * This release deprecates the "flow table" syntax in favor
+ of "meter".
+
+-------------------------------------------------------------------
+Fri Oct 13 08:39:41 UTC 2017 - jengelh@inai.de
+
+- Update to new upstream release 0.8
+ * This release contains new features available up to the
+ (upcoming) Linux 4.14 kernel release:
+ * Support for stateful objects, these objects are uniquely
+ identified by a user-defined name, you can refer to them from
+ rules, and there is a well established interface to operate
+ with them.
+ * Sort set elements when listing them, from lower to largest.
+ * TCP option matching and mangling support. This includes TCP
+ maximum segment size mangling.
+ * Add new "-s" option for listings without stateful information.
+ * Add new -c/--check option for nft, to tests if your ruleset
+ loads fine, into the kernel, this is a dry run mode.
+ * Connection tracking helper support.
+ * Add --echo option, to print the handle that the kernel
+ allocates to uniquely identify rules.
+ * Conntrack zone support
+ * Symmetric hash support
+ * Add support to include directories from nft natives scripts,
+ files are loaded in alphanumerical order.
+ * Allow to check if IPv6 extension header or TCP option exists
+ or is missing.
+ * Extend quota support to display used bytes.
+ * Add ct average matching, to match average bytes per packet a
+ connection has transferred so far, to map the existing
+ feature available in the iptables connbytes match.
+ * Allow to flush maps and flow tables.
+ * Allow to embed set definition into an existing set.
+ * Conntrack event filtering support via rule.
+
+-------------------------------------------------------------------
+Tue Dec 20 22:35:41 UTC 2016 - jengelh@inai.de
+
+- Update to new upstream release 0.7
+ * Add new fib expression, which can be used to obtain the
+ output interface from the route table based on either source
+ or destination address of a packet.
+ * Support hashing of any arbitrary key combination, eg.
+ * Add number generation support. Useful for round-robin packet
+ mark setting.
+ * Add quota support, eg.
+ * Introduce routing expression, for routing related data with
+ support for nexthop
+ * Notrack support, to explicitly skip connection tracking for
+ matching packets.
+ * Support to set non-byte bound packet header fields, including
+ checksum adjustment.
+ * Add 'create set' and 'create element' commands.
+ * Allow to use variable reference for set element definitions.
+ * Allow to use variable definitions from element commands.
+ * Add support to flush set. You can use this new command to
+ remove all existing elements in a set.
+ * Inverted set lookups.
+ * Honor absolute and relative paths via include file, where:
+ * Support log flags, to enable logging TCP sequence and options.
+ * tc classid parser support, eg.
+ * Allow numeric connlabels, so if connlabel still works with
+ undefined labels.
+
+-------------------------------------------------------------------
+Thu Jun 2 18:31:23 UTC 2016 - jengelh@inai.de
+
+- Update to new upstream release 0.6
+* Rules may be replaced now
+* Flow table support (requires Linux >= 4.3)
+* Support for tracing
+* Ratelimiting now supports units like bytes/second.
+* Matchinv VLAN IDs, DSCP/ECN, ICMP RtAdv & RtSol
+
+-------------------------------------------------------------------
+Thu Sep 17 21:16:31 UTC 2015 - jengelh@inai.de
+
+- Update to new upstream release 0.5
+* Support combinations of two or more selectors to build a tuple
+* Timeout support for sets
+* Dormant flag for tables
+* Default chain policy specifiable on creation
+
+-------------------------------------------------------------------
+Sat May 23 23:06:12 UTC 2015 - mrueckert@suse.de
+
+- set the url to the project page
+- pass --disable-silent-rules to configure to allow gcc post build
+ check to work
+
+-------------------------------------------------------------------
+Tue Dec 16 01:25:00 UTC 2014 - jengelh@inai.de
+
+- Update to new upstream release 0.4
+* Since Linux 3.18: support for global ruleset operations
+* Since 3.17: full logging support for all the families,
+ including nfnetlink_log
+* 3.16: automatic selection of the optimal set implementation
+* 3.14: reject support for ip, ip6 and inet
+* 3.18: reject support for bridge, and reject icmpx abstraction
+* 3.18: masquerade support
+* 3.19: redirect support
+* Extend meta to support pkttype, cpu and devgroup matching.
+
+-------------------------------------------------------------------
+Fri Jun 27 17:08:46 UTC 2014 - jengelh@inai.de
+
+- Update to new upstream release 0.3
+* More compact syntax for the queue action
+* Match input and output bridge interface name through "meta
+ ibriport" and "meta obriport"
+* netlink event monitor, to monitor ruleset events, set changes, etc.
+* New transaction infrastructure - fully atomic updates for all
+ object available in the upcoming 3.16.
+
+-------------------------------------------------------------------
+Mon Jan 13 09:05:35 UTC 2014 - jengelh@inai.de
+
+- Initial package for build.opensuse.org
diff --git a/nftables.keyring b/nftables.keyring
new file mode 100644
index 0000000..34ba618
--- /dev/null
+++ b/nftables.keyring
@@ -0,0 +1,64 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBF+HdQgBEACzteJUJGtj3N6u5mcGh4Nu/9GQfwrrphZuI7jto2N6+ZoURded
+660mFLnax7wgIE8ugAa085jwFWbFY3FzGutUs/kDmnqy9WneYNBLIAF3ZTFfY+oi
+V1C09bBlHKDj9gSEM2TZ/qU14exKdSloqcMKSdIqLQX27w/D6WmO1crDjOKKN9F2
+zjc3uLjo1gIPrY+Kdld29aI0W4gYvNLOo+ewhVC5Q6ymWOdR3eKaP2HIAt8CYf0t
+Sx8ChHdBvXQITDmXoGPLTTiCHBoUzaJ/N8m4AZTuSUTr9g3jUNFmL48OrJjFPhHh
+KDY0V59id5nPu4RX3fa/XW+4FNlrthA5V9dQSIPh7r7uHynDtkcCHT5m4mn0NqG3
+dsUqeYQlrWKCVDTfX/WQB3Rq1tgmOssFG9kZkXcVTmis3KFP1ZAahBRB33OJgSfi
+WKc/mWLMEQcljbysbJzq74Vrjg44DNK7vhAXGoR35kjj5saduxTywdb3iZhGXEsg
+9zqV0uOIfMQsQJQCZTlkqvZibdB3xlRyiCwqlf1eHB2Vo7efWbRIizX2da4c5xUj
++IL1eSPmTV+52x1dYXpn/cSVKJAROtcSmwvMRyjuGOcTNtir0XHCxC5YYBow6tKR
+U1hrFiulCMH80HeS+u/g4SpT4lcv+x0DlN5BfWQuN5k5ZzwKb6EQs092qQARAQAB
+tCxOZXRmaWx0ZXIgQ29yZSBUZWFtIDxjb3JldGVhbUBuZXRmaWx0ZXIub3JnPokC
+VAQTAQoAPhYhBDfZZKzASYHHVQD7m9Vdl4qKFCDkBQJfh3UIAhsDBQkHhM4ABQsJ
+CAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJENVdl4qKFCDk0msQAJTIK8TLHw2IJDc6
++ZfUJc+znSNwskO+A4lwvb1vRY5qFV+CA2S1eUS4HGDWDT0sPKie6Nx4+FBczkWd
+RA+eaKDqQeS5Vzc2f0bl74un91h7yE8O2NsVnpL166MnAAk3/ACjHsZX2PzF12F6
+4stvGQFpjZRWItj0I6bvPY6CTtqVPB98a6RpdbS9kGxCCMrL3CFGDXGSjXes5KwN
+IvngmVB36wjb3QgEtQIv13jrWFfiXeuieqMRyC6Z3KNYVcvis34eGxPFD9MHrK+w
+bdw3KzMBJd7hMoVRl32Q13T/PX8H3pqWMqKaL41wHUswRt0IQjNZnRvRnlJ0VDFf
+Wep/3dFK+uQbdABuiwCiRli5mWeOMCP+qJodP1OZSGqg0VwZWUGdCGG5+qIhngOj
+QVomvJ7N4eRLU3xuPVjLoBeHzvViUPpYtWQ/YiZK5rWTJHhu88xZaysFJRaV+Uz3
+wPkeqdArRRXl1Tpy+cKy7D5BZAr7OjT1wboon23IM2DJRurbaHD8blMsjZ07pbvb
+4hdpiE6mqq7CYskDz2UGTaFfEW4bFnKtvKTXEnmcqc4mWcr2z9BBYouGmcFczgET
+tE02XejmExXV2RPUtXfLuNIbVpuXG1qhzNuXAfm+S/68XDSFrwyK8/Dgq5ga0iIP
+n8Uvz12Xu/Qde+NicogLNWF90QJ2iQIzBBABCgAdFiEEwJ2yBj8dcDS6YVKtq0ZV
+oSbSkuQFAl+HdTEACgkQq0ZVoSbSkuSrmhAAi64OqYjb2ZbAJbFAPM6pijyys6Y9
+o8ZyLoCRCUXNrjWkNIozTgmj5fm0ECrUXKyrB6OJhTvaRXmqLcBwWOAnP1v7wb+S
+ZhEwP0n6E1mZW0t1Qt0xX8yifM5Tpvy+757OSrsuoRpXwwz4Ubuc6G4N/McoRSfU
+tVUcz3sKF8hcbETD/hVZb9Qfv0ZjQxu8LiBfKfgy2Eg8yExTdO027hYqQc5q2HEp
+HRjD2PMyI33V8KqffWn0AkofweOOFxg1ePV5X9M8rYP+k/2gjPkrrvnZgF/4SxDM
+FATmHaIbO3zEQg+u2f1mVCZASBBN1MLth7dMOoClHBmxnQ8uapRg9GNxs7TnXmV/
+diZZbqLf6i9bW/scvWEIdM8EGKpbGjdWIlgQJTIuz3seB+9zOdq9L3uTQWHnYLid
+R3YkyOsBRqQvM7Gb3zYgvlPjZ+L2FeGg5rD/eeLbv+k027E0TSAgtHoSA2pVTDDK
+uqCXVKfmk1I0SO83L9teBblxed07LeVaS9/uK00rWM/TM1bwogfF/4ZEsmAWznzv
+Xan/QmrYNgK3C3AZ4pMX7pGCGV1w93Fw3tUzaEJeS2LlsiL5aPOF63b/DqM6W2nl
+UqGjKTdVLuF+JgoRH5U2wCyHYhDFm+CaFsYUu2Jf5hTmVWOR3anBoXy6Ty8SoV8q
+KxtKpmKmIdPhDe65Ag0EX4d1CAEQANJMZApYzeeLrc7Rs6fGDK4Z3ejEST+aq7vO
+RT9YEppRBG1QoUDBuNodAFxIWM6SpwvN7X9AZeIML2EOjDabF5Q6RNHbwODyLDYc
+wmqtWh0NNpK85fXwDgcLOQW+dPimsk3ni1crXhhjZgs6syb9yM/pDi0Tf7wzNZt0
+0p736zlpQPMORfO+mFgac0FVt/GQsTdIwTBzZ36fcV3W8iPH334Sqsatp617R+z+
+q2alH8Vynz12iHi2oJFtmTxhghCROPcLWz3XMKv9A7BfuZeE0k+pK7xnBKrpZzKU
+k1j2uzTKzV2Bquo5HNDsy9PgQn16BlXVrxdHfQnBz2w67aHMKnPD/v+K81oxtnuk
+pwBAT8Wovkyy1VTLhQH5F0y5bpQrVH/Lwq0/q421hfD3iPHtb2tC1heT9ze/sqkY
+plctFb81fx3o8xcBpvuIaTB3URptf8JNvh5KjETZFMQvAddq8oYovoKu+Z/585uC
+qwO0Fohpw9qRwmhq7UBvGDVAVgo6kKjMW2Z9U3OnfggrDCytCIZh8eLNagfRL2cu
+iq8Sx+cGGt1zoCPhjDN1MaNt/KHm8Gxr+lP+RxH3Et3pEX6mmhSCaU4wr0W5Bf3p
+jEtiOwnqajisBQCHh49OGiV8Vg9uQN5GpLpPpbvnGS4vq8jdj6p3gsiS2F7JMy7O
+ysBENBkXABEBAAGJAjwEGAEKACYWIQQ32WSswEmBx1UA+5vVXZeKihQg5AUCX4d1
+CAIbDAUJB4TOAAAKCRDVXZeKihQg5NMIEACBdwXwDMRB8rQeqNrhbh7pjbHHFmag
+8bPvkmCq/gYGx9MQEKFUFtEGNSBh6m5pXr9hJ9HD2V16q9ERbuBcA6wosz4efQFB
+bbage7ZSECCN+xMLirQGRVbTozu2eS8FXedH0X9f0JWLDGWwRg+pAqSOtuFjHhYM
+jVpwbH/s71BhH84x5RgWezh2BWLbP3UuY7JtWNAvAaeo53Js2dzzgjDopPis4qZR
+rLR9cTGjqa6ZTc/PlLfaCsm6rGBlNx/bFJjz75+yn7vMQa47fOBt4qfriHX7G/Tg
+3s8xsQSLEm3IBEYh27hoc9ZD45EXgm9ZiGA21t9v1jA27yTVaUrPbC40iDv/CMcQ
+7N2Y1sJRvmrd+2pKxtNNutujjwgBguo5bKK253R5Hy0a+NzK2LSc/GmR8EJJEwW1
+7r6road7Ss6YImCZExeY+CAW0FEzwQpmqfOdlusvIyk4x4r12JH8Q8NWHMzU3Ym/
+yqdopn/SCwCfXJsL4/eHLCaWuyiWjljNa7MwPDITx2ZPRE5QEqCqi4gaDWXyVHt8
+leGE1G3zoXNJogWhDswh105UnlZEEfOvbHbaxgWPjLV/xkuHhVlaqdyXbTExrgK6
+U2wevNS03dBuQ6bjNIbMIt9ulbiBV8MJWR0PZtnNJ958f1QXC4GT+L3FG1g5Jtz+
+rlbu70nh2kSJrg==
+=wukb
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/nftables.spec b/nftables.spec
new file mode 100644
index 0000000..2334328
--- /dev/null
+++ b/nftables.spec
@@ -0,0 +1,129 @@
+#
+# spec file for package nftables
+#
+# Copyright (c) 2023 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name: nftables
+Version: 1.0.8
+Release: 0
+Summary: Userspace utility to access the nf_tables packet filter
+License: GPL-2.0-only
+Group: Productivity/Networking/Security
+URL: https://netfilter.org/projects/nftables/
+
+#Git-Clone: git://git.netfilter.org/nftables
+Source: http://ftp.netfilter.org/pub/%name/%name-%version.tar.xz
+Source2: http://ftp.netfilter.org/pub/%name/%name-%version.tar.xz.sig
+Source3: %name.keyring
+Patch1: 0001-Revert-py-replace-distutils-with-setuptools.patch
+BuildRequires: asciidoc
+BuildRequires: bison
+BuildRequires: flex
+BuildRequires: gmp-devel
+BuildRequires: libtool
+BuildRequires: pkg-config >= 0.21
+BuildRequires: python3-base
+BuildRequires: pkgconfig(jansson)
+BuildRequires: pkgconfig(libedit)
+BuildRequires: pkgconfig(libmnl) >= 1.0.4
+BuildRequires: pkgconfig(libnftnl) >= 1.2.6
+BuildRequires: pkgconfig(xtables) >= 1.6.1
+
+%description
+nf_tables is a firewalling mechanism in the Linux kernel, running
+independently of and parallel to ip_tables, ip6_tables,
+arp_tables and ebtables. nftables is the corresponsing userspace
+frontend.
+
+The nftables frontend features support for sets and dictionaries of arbitrary
+types, meta data types, atomic incremental and full ruleset updates, and,
+similar to iptables, support for different protocols, access to connection
+tracking and NAT and logging.
+
+%package -n libnftables1
+Summary: nftables firewalling command interface
+Group: System/Libraries
+
+%description -n libnftables1
+libnftables is the nftables command line interface placed into a
+library.
+
+%package devel
+Summary: Development files for the nftables command line interface
+Group: Development/Libraries/C and C++
+Requires: libnftables1 = %version
+
+%description devel
+libnftables is the nftables command line interface placed into a
+library.
+
+This package contains the header files for the library.
+
+%package -n python3-nftables
+Summary: Python interface for nftables
+Group: Development/Languages/Python
+
+%description -n python3-nftables
+A Python module for nftables.
+
+%prep
+%autosetup -p1
+
+%build
+autoreconf -fi
+mkdir bin
+ln -s "%_bindir/docbook-to-man" bin/docbook2x-man
+export PATH="$PATH:$PWD/bin"
+mkdir obj
+pushd obj/
+%define _configure ../configure
+%configure --disable-silent-rules --disable-static --docdir="%_docdir/%name" \
+ --includedir="%_includedir/%name" --with-json \
+ --enable-python --with-python-bin="$(which python3)"
+%make_build
+popd
+
+%install
+b="%buildroot"
+%make_install -C obj
+rm -f "%buildroot/%_libdir"/*.la
+mkdir -p "$b/%_docdir/%name/examples"
+mv -v "$b/%_datadir/nftables"/*.nft "$b/%_docdir/%name/examples/"
+
+%post -n libnftables1 -p /sbin/ldconfig
+%postun -n libnftables1 -p /sbin/ldconfig
+
+%files
+%license COPYING
+%_sysconfdir/nftables/
+%_sbindir/nft
+%_mandir/man5/*.5*
+%_mandir/man8/nft*
+%_docdir/%name/
+
+%files -n libnftables1
+%_libdir/libnftables.so.1*
+
+%files devel
+%_includedir/%name/
+%_libdir/libnftables.so
+%_libdir/pkgconfig/*.pc
+%_mandir/man3/*.3*
+
+%files -n python3-nftables
+%python3_sitelib/nftables*
+
+%changelog
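Review bot: `Source:` and `Source2:` fetch the tarball and its detached signature over plain `http://`, and the spec itself never checks `%name-%version.tar.xz.sig` against `%name.keyring`, since `%prep` is only `%autosetup -p1`. Integrity of the upstream source therefore rests on a verification step outside this file (presumably the build service's source validation, which is worth confirming is enabled for this project) and on the keyring, which arrives in the same commit as the tarball it vouches for. I would move both URLs to https where the upstream host serves it and add a comment above `Source3:` stating which key fingerprint the keyring is expected to hold, so a swapped keyring is noticed in review. Separately, `python3-nftables` declares no `Requires:` on `libnftables1`; if the Python module loads the shared library at run time, which is not visible here, the automatic dependency scan will miss it and `Requires: libnftables1 = %version` is needed, as `devel` already has.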