Accepting request 71968 from security:netfilter

- Update to new upstream release 1.4.11
* stricter option parsing
* support for the current xt_SET target as contained in 2.6.39
* support for the new xt_devgroup match
* support for the new xt_AUDIT target
* support for a new NFQUEUE bypass option, allowing to bypass the
  queue if no userspace listener is present
* a new iptables option "-C" to check for existence of a rules
- Fixes on top
* allow negation of --uid-owner/--gid-owner again
* fix installation of symlinks
- Run spec-beautifier

OBS-URL: https://build.opensuse.org/request/show/71968
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/iptables?expand=0&rev=31

71e402b-fix-install-symlinks.diff

@@ -0,0 +1,31 @@
+parent 7d91a2accc92d13bb32bf881831e9c9a8b4d7734 (v1.4.11-2-g7d91a2a)
+commit 71e402bbb3db7b54571f0e44354fd37706ff90aa
+Author: Jan Engelhardt <jengelh@medozas.de>
+Date:   Mon May 30 01:45:14 2011 +0200
+
+build: fix installation of symlinks
+
+Commit v1.4.11~20 forgot to change the symlink target names to the new
+executable name.
+
+Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
+---
+ Makefile.am |    6 +++---
+ 1 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index 13e144e..741729b 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -96,6 +96,6 @@ config.status: extensions/GNUmakefile.in \
+ install-exec-hook:
+ 	-if test -z "${DESTDIR}"; then /sbin/ldconfig; fi;
+ 	${INSTALL} -dm0755 "${DESTDIR}${bindir}";
+-	for i in ${v4_bin_links}; do ${LN_S} -f "${sbindir}/iptables-multi" "${DESTDIR}${bindir}/$$i"; done;
+-	for i in ${v4_sbin_links}; do ${LN_S} -f iptables-multi "${DESTDIR}${sbindir}/$$i"; done;
+-	for i in ${v6_sbin_links}; do ${LN_S} -f ip6tables-multi "${DESTDIR}${sbindir}/$$i"; done;
++	for i in ${v4_bin_links}; do ${LN_S} -f "${sbindir}/xtables-multi" "${DESTDIR}${bindir}/$$i"; done;
++	for i in ${v4_sbin_links}; do ${LN_S} -f xtables-multi "${DESTDIR}${sbindir}/$$i"; done;
++	for i in ${v6_sbin_links}; do ${LN_S} -f xtables-multi "${DESTDIR}${sbindir}/$$i"; done;
+-- 
+# Created with git-export-patch

874bd762-owner-restore-invert.diff

@@ -0,0 +1,31 @@
+parent 172e9b15271c276aa1485b4a2fb63928a65b13ae (v1.4.11)
+commit 874b76221f74a00520a712ef89b5254a1ed896f8
+Author: Jan Engelhardt <jengelh@medozas.de>
+Date:   Sun May 29 16:43:25 2011 +0200
+
+libxt_owner: restore inversion support
+
+Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
+---
+ extensions/libxt_owner.c |    6 ++++--
+ 1 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/extensions/libxt_owner.c b/extensions/libxt_owner.c
+index b60f907..d2fdfa9 100644
+--- a/extensions/libxt_owner.c
++++ b/extensions/libxt_owner.c
+@@ -125,8 +125,10 @@ static const struct xt_option_entry owner_mt6_opts_v0[] = {
+ #undef s
+ 
+ static const struct xt_option_entry owner_mt_opts[] = {
+-	{.name = "uid-owner", .id = O_USER, .type = XTTYPE_STRING},
+-	{.name = "gid-owner", .id = O_GROUP, .type = XTTYPE_STRING},
++	{.name = "uid-owner", .id = O_USER, .type = XTTYPE_STRING,
++	 .flags = XTOPT_INVERT},
++	{.name = "gid-owner", .id = O_GROUP, .type = XTTYPE_STRING,
++	 .flags = XTOPT_INVERT},
+ 	{.name = "socket-exists", .id = O_SOCK_EXISTS, .type = XTTYPE_NONE},
+ 	XTOPT_TABLEEND,
+ };
+-- 
+# Created with git-export-patch

iptables-1.4.10.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:7544e437d2222078b15e6cd063b521c6f1ec4dac49e6af9ba3bfece2a6a93445
-size 478007

iptables-1.4.11.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:10b5e56839b8eb49003d0fa87ed3548783fb169c23d80b6df77d27fca5247c49
+size 409000

iptables-batch.patch

@@ -1,46 +1,33 @@
 ---
- Makefile.am      |   12 +
+ Makefile.am      |   10 +
  iptables-batch.c |  468 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
- 2 files changed, 478 insertions(+), 2 deletions(-)
+ 2 files changed, 477 insertions(+), 1 deletion(-)
 
-Index: iptables-1.4.7/Makefile.am
+Index: iptables-1.4.11/Makefile.am
 ===================================================================
---- iptables-1.4.7.orig/Makefile.am
+--- iptables-1.4.11.orig/Makefile.am
-+++ iptables-1.4.7/Makefile.am
++++ iptables-1.4.11/Makefile.am
-@@ -54,6 +54,14 @@ endif
+@@ -59,7 +59,15 @@ endif
- ip6tables_multi_LDFLAGS   = -rdynamic
+ xtables_multi_SOURCES += xshared.c
- ip6tables_multi_LDADD     = libiptc/libip6tc.la extensions/libext6.a libxtables.la -lm
+ xtables_multi_LDADD   += libxtables.la -lm
  
+-sbin_PROGRAMS    = xtables-multi
 +iptables_batch_SOURCES    = iptables-batch.c iptables.c xshared.c
-+iptables_batch_LDFLAGS    = ${iptables_multi_LDFLAGS}
++iptables_batch_LDFLAGS    = ${xtables_multi_LDFLAGS}
-+iptables_batch_LDADD      = ${iptables_multi_LDADD}
++iptables_batch_LDADD      = ${xtables_multi_LDADD}
 +ip6tables_batch_SOURCES   = iptables-batch.c ip6tables.c xshared.c
 +ip6tables_batch_CFLAGS    = ${AM_CFLAGS} -DIP6T
-+ip6tables_batch_LDFLAGS   = ${ip6tables_multi_LDFLAGS}
++ip6tables_batch_LDFLAGS   = ${xtables_multi_LDFLAGS}
-+ip6tables_batch_LDADD     = ${ip6tables_multi_LDADD}
++ip6tables_batch_LDADD     = ${xtables_multi_LDADD}
 +
- sbin_PROGRAMS    =
++sbin_PROGRAMS    = xtables-multi iptables-batch ip6tables-batch
  man_MANS         = iptables.8 iptables-restore.8 iptables-save.8 \
                     iptables-xml.8 ip6tables.8 ip6tables-restore.8 \
-@@ -61,12 +69,12 @@ man_MANS         = iptables.8 iptables-r
+                    ip6tables-save.8
- CLEANFILES       = iptables.8 ip6tables.8
+Index: iptables-1.4.11/iptables-batch.c
- 
- if ENABLE_IPV4
--sbin_PROGRAMS += iptables-multi
-+sbin_PROGRAMS += iptables-multi iptables-batch
- v4_bin_links   = iptables-xml
- v4_sbin_links  = iptables iptables-restore iptables-save
- endif
- if ENABLE_IPV6
--sbin_PROGRAMS += ip6tables-multi
-+sbin_PROGRAMS += ip6tables-multi ip6tables-batch
- v6_sbin_links  = ip6tables ip6tables-restore ip6tables-save
- endif
- 
-Index: iptables-1.4.7/iptables-batch.c
 ===================================================================
 --- /dev/null
-+++ iptables-1.4.7/iptables-batch.c
++++ iptables-1.4.11/iptables-batch.c
 @@ -0,0 +1,468 @@
 +/*
 + * Author: Ludwig Nussel <ludwig.nussel@suse.de>
@@ -325,7 +312,7 @@ Index: iptables-1.4.7/iptables-batch.c
 +		}
 +	}
 +#else
-+	ret = do_command(argc, argv, &table, &current_table->handle);
++	ret = do_command4(argc, argv, &table, &current_table->handle);
 +
 +	if (!ret)
 +	{

iptables.changes

@@ -1,3 +1,19 @@
+-------------------------------------------------------------------
+Sun May 29 23:56:33 UTC 2011 - jengelh@medozas.de
+
+- Update to new upstream release 1.4.11
+* stricter option parsing
+* support for the current xt_SET target as contained in 2.6.39
+* support for the new xt_devgroup match
+* support for the new xt_AUDIT target
+* support for a new NFQUEUE bypass option, allowing to bypass the
+  queue if no userspace listener is present
+* a new iptables option "-C" to check for existence of a rules
+- Fixes on top
+* allow negation of --uid-owner/--gid-owner again
+* fix installation of symlinks
+- Run spec-beautifier
+
 -------------------------------------------------------------------
 Fri Oct 29 17:56:48 UTC 2010 - jengelh@medozas.de
 

iptables.spec

@@ -21,17 +21,19 @@
 Name:           iptables
 License:        GPLv2+
 Group:          Productivity/Networking/Security
-Version:        1.4.10
+Version:        1.4.11
 Release:        1
 Summary:        IP Packet Filter Administration
 
 #Git-Web:	http://git.netfilter.org/
 #Git-Clone:	git://git.netfilter.org/iptables
-Source:         http://netfilter.org/projects/%name/files/%name-%version.tar.bz2
+Source:		%name-%version.tar.xz
-Patch0:         iptables-batch.patch
+Patch1:         iptables-batch.patch
-Url:            http://netfilter.org/
+Patch2:		874bd762-owner-restore-invert.diff
-BuildRoot:      %{_tmppath}/%{name}-%{version}-build
+Patch3:		71e402b-fix-install-symlinks.diff
-BuildRequires:  pkg-config sgmltool
+URL:            http://netfilter.org/
+BuildRoot:      %_tmppath/%name-%version-build
+BuildRequires:  pkg-config, sgmltool, xz
 
 %description
 Iptables is used to set up, maintain, and inspect the tables of IP
@@ -42,15 +44,17 @@ packet filter rules in the Linux kernel. This version requires kernel
 License:        GPLv2+
 Summary:        Libraries, Headers and Development Man Pages for iptables
 Group:          Development/Libraries/C and C++
-AutoReqProv:    on
+Autoreqprov:    on
-Requires:       %{name} = %{version}
+Requires:       %name = %version
 
 %description devel
-These libraries are needed to compile programs against libipq.
+These libraries are needed to compile
+- additional third-party extensions
+- programs using libipq
 
 %prep
 %setup -q
-%patch -P 0 -p1
+%patch -P 1 -P 2 -P 3 -p1
 
 %build
 if [ ! -e configure ]; then
@@ -63,14 +67,11 @@ rm -f extensions/libipt_unclean.man
 make %{?_smp_mflags}
 
 %install
-make DESTDIR=$RPM_BUILD_ROOT install
+make DESTDIR=%buildroot install
 # iptables-apply is not installed by upstream Makefile
-install -m0755 iptables-apply $RPM_BUILD_ROOT%{_sbindir}/
+install -m0755 iptables-apply %buildroot%_sbindir/
-install -m0644 iptables-apply.8 $RPM_BUILD_ROOT%{_mandir}/man8/
+install -m0644 iptables-apply.8 %buildroot%_mandir/man8/
-find "$RPM_BUILD_ROOT" -iname "*.la" -delete
+find "%buildroot" -iname "*.la" -delete
-
-%clean
-rm -rf $RPM_BUILD_ROOT
 
 %post -p /sbin/ldconfig
 
@@ -79,20 +80,21 @@ rm -rf $RPM_BUILD_ROOT
 %files
 %defattr(-,root,root)
 %doc COPYING INCOMPATIBILITIES
-%doc %{_mandir}/man8/*
+%doc %_mandir/man8/*
-%{_bindir}/iptables*
+%_bindir/iptables*
-%{_sbindir}/iptables*
+%_sbindir/iptables*
-%{_sbindir}/ip6tables*
+%_sbindir/ip6tables*
-%dir %{_libexecdir}/xtables
+%_sbindir/xtables*
-%{_libexecdir}/xtables/*
+%dir %_libexecdir/xtables
-%{_libdir}/*.so.*
+%_libexecdir/xtables/*
+%_libdir/*.so.*
 
 %files devel
 %defattr(-,root,root)
-%doc %{_mandir}/man3/*
+%doc %_mandir/man3/*
-%{_includedir}/*
+%_includedir/*
-%{_libdir}/*.so
+%_libdir/*.so
-%{_libdir}/pkgconfig/xtables.pc
+%_libdir/pkgconfig/xtables.pc
-%{_libdir}/pkgconfig/libiptc.pc
+%_libdir/pkgconfig/libiptc.pc
 
 %changelog