diff --git a/_service b/_service
new file mode 100644
index 0000000..7509fef
--- /dev/null
+++ b/_service
@@ -0,0 +1,13 @@
+
+
+ git
+ git://netfilter.org/iptables
+ 0800d9b46b377bc24f15af2c6ae22550b954b6e2
+ 1.8.0.g@TAG_OFFSET@
+
+
+ *.tar
+ xz
+
+
+
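Review bot: The source URL in this service definition uses the `git://` scheme, which gives neither server authentication nor transport integrity, so the only thing binding the fetched tree to upstream is the pinned 40-hex revision on the line after it. Keep that revision as a full commit id rather than a branch or tag name, and move the URL to an authenticated transport such as HTTPS if upstream offers one. The host also differs from the `#Git-Clone: git://git.netfilter.org/iptables` comment in iptables.spec (`netfilter.org` here), and the two should name the same repository.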
diff --git a/iptables-1.6.2.tar.bz2 b/iptables-1.6.2.tar.bz2
deleted file mode 100644
index 2d4ae79..0000000
--- a/iptables-1.6.2.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:55d02dfa46263343a401f297d44190f2a3e5113c8933946f094ed40237053733
-size 639785
diff --git a/iptables-1.6.2.tar.bz2.sig b/iptables-1.6.2.tar.bz2.sig
deleted file mode 100644
index 9e4819d..0000000
Binary files a/iptables-1.6.2.tar.bz2.sig and /dev/null differ
diff --git a/iptables-1.8.0.g85.tar.xz b/iptables-1.8.0.g85.tar.xz
new file mode 100644
index 0000000..c5d69c4
--- /dev/null
+++ b/iptables-1.8.0.g85.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0479c1b53a84f66eda0d9484d1a15c9a644049635bfe866af829df0976a1c737
+size 364504
diff --git a/iptables-batch.patch b/iptables-batch.patch
index 24c8c7e..0533a27 100644
--- a/iptables-batch.patch
+++ b/iptables-batch.patch
@@ -3,31 +3,27 @@
iptables/iptables-batch.c | 468 ++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 477 insertions(+)
-Index: iptables/iptables/Makefile.am
+Index: iptables-1.8.0/iptables/Makefile.am
===================================================================
---- iptables.orig/iptables/Makefile.am
-+++ iptables/iptables/Makefile.am
-@@ -48,7 +48,16 @@ xtables_compat_multi_SOURCES += xshared.
- xtables_compat_multi_LDADD += ../libxtables/libxtables.la -lm
- endif
-
-+iptables_batch_SOURCES = iptables-batch.c iptables.c xshared.c
-+iptables_batch_LDFLAGS = ${xtables_multi_LDFLAGS}
-+iptables_batch_LDADD = ${xtables_multi_LDADD}
-+ip6tables_batch_SOURCES = iptables-batch.c ip6tables.c xshared.c
-+ip6tables_batch_CFLAGS = ${AM_CFLAGS} -DIP6T
-+ip6tables_batch_LDFLAGS = ${xtables_multi_LDFLAGS}
-+ip6tables_batch_LDADD = ${xtables_multi_LDADD}
+--- iptables-1.8.0.orig/iptables/Makefile.am
++++ iptables-1.8.0/iptables/Makefile.am
+@@ -98,3 +98,12 @@ install-exec-hook:
+ for i in ${v4_sbin_links}; do ${LN_S} -f xtables-legacy-multi "${DESTDIR}${sbindir}/$$i"; done;
+ for i in ${v6_sbin_links}; do ${LN_S} -f xtables-legacy-multi "${DESTDIR}${sbindir}/$$i"; done;
+ for i in ${x_sbin_links}; do ${LN_S} -f xtables-nft-multi "${DESTDIR}${sbindir}/$$i"; done;
+
- sbin_PROGRAMS = xtables-multi
-+sbin_PROGRAMS += iptables-batch ip6tables-batch
- if ENABLE_NFTABLES
- sbin_PROGRAMS += xtables-compat-multi
- endif
-Index: iptables/iptables/iptables-batch.c
++iptables_legacy_batch_SOURCES = iptables-batch.c iptables.c xshared.c
++iptables_legacy_batch_LDFLAGS = ${xtables_legacy_multi_LDFLAGS}
++iptables_legacy_batch_LDADD = ${xtables_legacy_multi_LDADD}
++ip6tables_legacy_batch_SOURCES = iptables-batch.c ip6tables.c xshared.c
++ip6tables_legacy_batch_CFLAGS = ${AM_CFLAGS} -DIP6T
++ip6tables_legacy_batch_LDFLAGS = ${xtables_legacy_multi_LDFLAGS}
++ip6tables_legacy_batch_LDADD = ${xtables_legacy_multi_LDADD}
++sbin_PROGRAMS += iptables-legacy-batch ip6tables-legacy-batch
+Index: iptables-1.8.0/iptables/iptables-batch.c
===================================================================
--- /dev/null
-+++ iptables/iptables/iptables-batch.c
++++ iptables-1.8.0/iptables/iptables-batch.c
@@ -0,0 +1,468 @@
+/*
+ * Author: Ludwig Nussel
diff --git a/iptables.changes b/iptables.changes
index c2460c6..61291d3 100644
--- a/iptables.changes
+++ b/iptables.changes
@@ -1,3 +1,20 @@
+-------------------------------------------------------------------
+Tue Sep 4 08:08:22 UTC 2018 - Markos Chandras
+
+- Add missing update-alternatives dependency to Requires(post)
+ section. If this is missing the package fails to install properly
+ when it is used as build dependency.
+
+-------------------------------------------------------------------
+Mon Jul 9 09:38:13 UTC 2018 - jengelh@inai.de
+
+- Update to new upstream release 1.8.0 and snapshot 1.8.0.g75
+ * The ipv6 "srh" match can now match previous/next/last sid
+ * CONNMARK target now supports bit-shifting for restore,set
+ and save-mark.
+ * DNAT now supports shifted portmap ranges.
+ * iptables now comes in two backends: legacy and nft.
+
-------------------------------------------------------------------
Thu May 24 16:38:53 CEST 2018 - kukuk@suse.de
diff --git a/iptables.spec b/iptables.spec
index 2b9154e..224ae8a 100644
--- a/iptables.spec
+++ b/iptables.spec
@@ -17,29 +17,25 @@
Name: iptables
-Version: 1.6.2
+Version: 1.8.0.g85
Release: 0
Summary: IP packet filter administration utilities
License: GPL-2.0-only AND Artistic-2.0
Group: Productivity/Networking/Security
Url: http://netfilter.org/projects/iptables/
#Git-Clone: git://git.netfilter.org/iptables
-Source: http://netfilter.org/projects/iptables/files/%name-%version.tar.bz2
-Source2: http://netfilter.org/projects/iptables/files/%name-%version.tar.bz2.sig
+#Source: http://netfilter.org/projects/iptables/files/%%name-%%version.tar.bz2
+#Source2: http://netfilter.org/projects/iptables/files/%%name-%%version.tar.bz2.sig
+Source: %name-%version.tar.xz
Source3: %name.keyring
Patch3: iptables-batch.patch
Patch4: iptables-apply-mktemp-fix.patch
Patch5: iptables-batch-lock.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
-%if 0%{?fedora_version} || 0%{?centos_version}
-BuildRequires: sgml-common
-%endif
-%if 0%{?suse_version}
-BuildRequires: fdupes
-%endif
#git#BuildRequires: autoconf, automake >= 1.10
BuildRequires: bison
+BuildRequires: fdupes
BuildRequires: flex >= 2.5.33
BuildRequires: libtool
BuildRequires: pkg-config >= 0.21
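Review bot: Commenting out `Source2` (the detached `.sig`) while keeping `Source3: %name.keyring` leaves a keyring with nothing to verify, so the package no longer carries any signature check on its source. Provenance now rests entirely on the revision pinned in `_service`, which deserves a comment next to the new `Source:` line, e.g. `# Snapshot tarball generated by _service from a pinned git revision; no detached signature is shipped for it`. Either drop `Source3`, or note that it is retained for a later return to signed release tarballs. The changelog entry in this same commit names snapshot `1.8.0.g75` while `Version:` here is `1.8.0.g85`, so one of them is presumably stale.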
@@ -48,24 +44,27 @@ BuildRequires: pkgconfig(libmnl) >= 1.0
BuildRequires: pkgconfig(libnetfilter_conntrack) >= 1.0.4
BuildRequires: pkgconfig(libnfnetlink) >= 1.0.0
BuildRequires: pkgconfig(libnftnl) >= 1.0.5
+Requires: netcfg >= 11.6
Requires: xtables-plugins = %version-%release
+Requires(post): update-alternatives
+Requires(postun): update-alternatives
%description
iptables is used to set up, maintain, and inspect the rule tables of
-the classic "ip6_tables" and "ip_tables" packet filters in the Linux
-kernel.
+the various Netfilter packet filter engines inside the Linux kernel.
-%package nft
-Summary: nft packet filter administration utilties in the style of Xtables
+%package backend-nft
+Summary: Metapackage to make nft the default backend for iptables/arptables/ebtables
Group: Productivity/Networking/Security
-Requires: netcfg >= 11.6
-Requires: xtables-plugins = %version-%release
+Requires: iptables >= 1.8.0
+Requires(post): update-alternatives
+Requires(postun): update-alternatives
-%description nft
-The programs shipped in this subpackage behave like iptables on the
-command line, but instead edits the rules of the nft packet filter in
-the Linux kernel. Linux kernel 4.2 or newer is recommended to exploit
-the features.
+%description backend-nft
+Installation of this package adds higher priority alternatives (cf.
+update-alternatives) that makes the iptables, ip6tables, arptables
+and ebtables commands point to a program variant that uses the
+nftables kernel interface.
%package -n xtables-plugins
Summary: Match and target extension plugins for iptables
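Review bot: Renaming the subpackage from `nft` to `backend-nft` leaves no upgrade path visible in this hunk, because the new preamble has no `Obsoletes:` for the old `%name-nft` name. The `%files` changes later in this diff move the `*-translate*` binaries, previously owned by `%files nft`, into the main package, so a system with the old subpackage installed would presumably hit a file conflict on update. Consider adding `Obsoletes: %name-nft < %version-%release` to the package that is meant to replace it, unless this is handled in a part of the spec not shown here.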
@@ -103,12 +102,12 @@ be modified in userspace prior to reinjection back into the kernel.
ip_queue/libipq is obsoleted by nf_queue/libnetfilter_queue!
%package -n libiptc0
-Summary: Library for low-level ruleset generation and parsing
+Summary: Library for the ip_tables low-level ruleset generation and parsing
Group: System/Libraries
%description -n libiptc0
libiptc ("iptables cache") is used to retrieve from the kernel, parse,
-construct, and load new rulesets into the kernel.
+construct, and load rulesets into the kernel.
%package -n libiptc-devel
Summary: Development files for libiptc, a packet filter ruleset library
@@ -117,10 +116,10 @@ Requires: libiptc0 = %version
%description -n libiptc-devel
libiptc ("iptables cache") is used to retrieve from the kernel, parse,
-construct, and load new rulesets into the kernel.
+construct, and load rulesets into the kernel.
%package -n libxtables12
-Summary: iptables extension interface
+Summary: The iptables plugin interface
Group: System/Libraries
%description -n libxtables12
@@ -147,26 +146,68 @@ xtables --variable=xtlibdir).
%build
# We have the iptables-batch patch, so always regenerate.
-if true || [ ! -e configure ]; then
- ./autogen.sh
-fi
+./autogen.sh
# bnc#561793 - do not include unclean module in iptables manpage
rm -f extensions/libipt_unclean.man
# includedir is overriden on purpose to detect projects that
# fail to include libxtables_CFLAGS
%configure --includedir="%_includedir/%name" --enable-libipq
-make %{?_smp_mflags}
+%make_build V=1
%install
-make DESTDIR=%buildroot install
+%make_install
+b="%buildroot"
# iptables-apply is not installed by upstream Makefile
-install -m0755 iptables/iptables-apply %buildroot%_sbindir/
-install -m0644 iptables/iptables-apply.8 %buildroot%_mandir/man8/
-rm -f "%buildroot/%_libdir"/*.la
+install -m0755 iptables/iptables-apply "$b/%_sbindir/"
+install -m0644 iptables/iptables-apply.8 "$b/%_mandir/man8/"
+rm -f "$b/%_libdir"/*.la
+rm -f "$b/%_sysconfdir/ethertypes" # -> netcfg
+
+for i in iptables iptables-restore iptables-save ip6tables ip6tables-restore \
+ ip6tables-save arptables arptables-restore arptables-save ebtables \
+ ebtables-restore ebtables-save; do
+ ln -fsv "/etc/alternatives/$i" "$b/%_sbindir/$i"
+done
%if 0%{?suse_version}
%fdupes %buildroot/%_prefix
%endif
+%post
+update-alternatives \
+ --install "%_sbindir/iptables" iptables "%_sbindir/xtables-legacy-multi" 1 \
+ --slave "%_sbindir/iptables-restore" iptables-restore "%_sbindir/xtables-legacy-multi" \
+ --slave "%_sbindir/iptables-save" iptables-save "%_sbindir/xtables-legacy-multi" \
+ --slave "%_sbindir/ip6tables" ip6tables "%_sbindir/xtables-legacy-multi" \
+ --slave "%_sbindir/ip6tables-restore" ip6tables-restore "%_sbindir/xtables-legacy-multi" \
+ --slave "%_sbindir/ip6tables-save" ip6tables-save "%_sbindir/xtables-legacy-multi"
+
+%postun
+if test "$1" = 0; then
+ update-alternatives --remove iptables "%_sbindir/xtables-legacy-multi"
+fi
+
+%post backend-nft
+update-alternatives \
+ --install "%_sbindir/iptables" iptables "%_sbindir/xtables-nft-multi" 2 \
+ --slave "%_sbindir/iptables-restore" iptables-restore "%_sbindir/xtables-nft-multi" \
+ --slave "%_sbindir/iptables-save" iptables-save "%_sbindir/xtables-nft-multi" \
+ --slave "%_sbindir/ip6tables" ip6tables "%_sbindir/xtables-nft-multi" \
+ --slave "%_sbindir/ip6tables-restore" ip6tables-restore "%_sbindir/xtables-nft-multi" \
+ --slave "%_sbindir/ip6tables-save" ip6tables-save "%_sbindir/xtables-nft-multi"
+update-alternatives --install "%_sbindir/arptables" arptables "%_sbindir/xtables-nft-multi" 2 \
+ --slave "%_sbindir/arptables-restore" arptables-restore "%_sbindir/xtables-nft-multi" \
+ --slave "%_sbindir/arptables-save" arptables-save "%_sbindir/xtables-nft-multi"
+update-alternatives --install "%_sbindir/ebtables" ebtables "%_sbindir/xtables-nft-multi" 2 \
+ --slave "%_sbindir/ebtables-restore" ebtables-restore "%_sbindir/xtables-nft-multi" \
+ --slave "%_sbindir/ebtables-save" ebtables-save "%_sbindir/xtables-nft-multi"
+
+%postun backend-nft
+if test "$1" = 0; then
+ update-alternatives --remove iptables "%_sbindir/xtables-nft-multi"
+ update-alternatives --remove arptables "%_sbindir/xtables-nft-multi"
+ update-alternatives --remove ebtables "%_sbindir/xtables-nft-multi"
+fi
+
%post -n libipq0 -p /sbin/ldconfig
%postun -n libipq0 -p /sbin/ldconfig
%post -n libiptc0 -p /sbin/ldconfig
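Review bot: `%post backend-nft` registers `xtables-nft-multi` at priority 2 against priority 1 for the legacy backend, so with alternatives in automatic mode, merely installing the metapackage repoints `iptables`, `ip6tables` and their `-save`/`-restore` commands to the nft variant. Rules already loaded through the legacy interface stay active in the kernel but are not what the nft variant lists or saves, which is easy to misread as an empty or incomplete firewall. This deserves a comment above `%post backend-nft`, and ideally a sentence in `%description backend-nft`, for example `# Switching the backend does not migrate loaded rules; rules loaded via the legacy backend stay active and are only visible through the iptables-legacy* commands`. As a smaller style point, the symlink loop hard-codes `/etc/alternatives/$i` while the `%ghost` entries use `%_sysconfdir/alternatives/...`; using `%_sysconfdir` in both places keeps them consistent.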
@@ -175,42 +216,70 @@ rm -f "%buildroot/%_libdir"/*.la
%postun -n libxtables12 -p /sbin/ldconfig
%files
-%defattr(-,root,root)
%license COPYING
-%doc %_mandir/man1/ip*
-%doc %_mandir/man8/ip*
%_bindir/iptables-xml
-%_sbindir/iptables
%_sbindir/iptables-apply
-%_sbindir/iptables-batch
+%_sbindir/iptables-legacy*
+%_sbindir/iptables-nft*
+%_sbindir/iptables-*translate*
+%_sbindir/ip6tables-legacy*
+%_sbindir/ip6tables-nft*
+%_sbindir/ip6tables-*translate*
+%_sbindir/arptables-nft*
+%_sbindir/ebtables-nft*
+%_sbindir/xtables*
+%_mandir/man1/*tables*
+%_mandir/man8/*tables*
+# backend-legacy (implicit)
+%ghost %_sysconfdir/alternatives/iptables
+%ghost %_sysconfdir/alternatives/iptables-restore
+%ghost %_sysconfdir/alternatives/iptables-save
+%ghost %_sysconfdir/alternatives/ip6tables
+%ghost %_sysconfdir/alternatives/ip6tables-restore
+%ghost %_sysconfdir/alternatives/ip6tables-save
+%_sbindir/iptables
%_sbindir/iptables-restore
%_sbindir/iptables-save
%_sbindir/ip6tables
-%_sbindir/ip6tables-batch
%_sbindir/ip6tables-restore
%_sbindir/ip6tables-save
-%_sbindir/xtables-multi
-%files nft
-%defattr(-,root,root)
-# is provided by netcfg
-%exclude %_sysconfdir/ethertypes
-%_sbindir/*-compat*
-%_sbindir/*-translate*
+%files backend-nft
+%ghost %_sysconfdir/alternatives/iptables
+%ghost %_sysconfdir/alternatives/iptables-restore
+%ghost %_sysconfdir/alternatives/iptables-save
+%ghost %_sysconfdir/alternatives/ip6tables
+%ghost %_sysconfdir/alternatives/ip6tables-restore
+%ghost %_sysconfdir/alternatives/ip6tables-save
+%ghost %_sysconfdir/alternatives/arptables
+%ghost %_sysconfdir/alternatives/arptables-restore
+%ghost %_sysconfdir/alternatives/arptables-save
+%ghost %_sysconfdir/alternatives/ebtables
+%ghost %_sysconfdir/alternatives/ebtables-restore
+%ghost %_sysconfdir/alternatives/ebtables-save
+%_sbindir/iptables
+%_sbindir/iptables-restore
+%_sbindir/iptables-save
+%_sbindir/ip6tables
+%_sbindir/ip6tables-restore
+%_sbindir/ip6tables-save
+%_sbindir/arptables
+%_sbindir/arptables-restore
+%_sbindir/arptables-save
+%_sbindir/ebtables
+%_sbindir/ebtables-restore
+%_sbindir/ebtables-save
%files -n xtables-plugins
-%defattr(-,root,root)
%_libdir/xtables/
%_sbindir/nfnl_osf
%_mandir/man8/nfnl_osf.8*
%_datadir/xtables/
%files -n libipq0
-%defattr(-,root,root)
%_libdir/libipq.so.0*
%files -n libipq-devel
-%defattr(-,root,root)
%doc %_mandir/man3/libipq*
%doc %_mandir/man3/ipq*
%dir %_includedir/%name/
@@ -219,24 +288,20 @@ rm -f "%buildroot/%_libdir"/*.la
%_libdir/pkgconfig/libipq.pc
%files -n libiptc0
-%defattr(-,root,root)
%_libdir/libiptc.so.0*
%_libdir/libip4tc.so.0*
%_libdir/libip6tc.so.0*
%files -n libiptc-devel
-%defattr(-,root,root)
%dir %_includedir/%name/
%_includedir/%name/libiptc*
%_libdir/libip*tc.so
%_libdir/pkgconfig/libip*tc.pc
%files -n libxtables12
-%defattr(-,root,root)
%_libdir/libxtables.so.12*
%files -n libxtables-devel
-%defattr(-,root,root)
%dir %_includedir/%name/
%_includedir/%name/xtables.h
%_includedir/%name/xtables-version.h