iptables-1.4.18

OBS-URL: https://build.opensuse.org/package/show/security:netfilter/iptables?expand=0&rev=68

0001-build-also-use-libtool-for-install-stage.patch

@@ -0,0 +1,80 @@
+From 145e3ea1c4c6a8e47a77587d17fcad4df4e2c06f Mon Sep 17 00:00:00 2001
+From: Jan Engelhardt <jengelh@inai.de>
+Date: Thu, 10 Jan 2013 15:54:08 +0100
+Subject: [PATCH] build: also use libtool for install stage
+
+The just-built library has DT_RPATH entries to be runnable from
+whereever it is. If we just install that, the distro build systems
+will throw warnings like
+
+	(Open Build Service) ERROR: RPATH
+	"/home/abuild/rpmbuild/BUILD/iptables-1.4.18/libxtables/.libs"
+	on /home/abuild/rpmbuild/BUILDROOT/iptables-1.4.18-0.x86_64/usr/lib64/xtables/libxt_unclean.so
+	is not allowed
+
+These RPATH entries are indeed undesired for libraries in a system
+location, which is why libtool produces another copy of the library on
+installation. The Makefile however missed using libtool during
+installation (introduced with commit v1.4.17-1-g68e77a2). This patch
+now resolves this.
+
+Signed-off-by: Jan Engelhardt <jengelh@inai.de>
+---
+ extensions/GNUmakefile.in |   16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
+index 781ac6d..6467f05 100644
+--- a/extensions/GNUmakefile.in
++++ b/extensions/GNUmakefile.in
+@@ -49,6 +49,9 @@ pf6_build_mod := $(filter-out @blacklist_modules@,${pf6_build_mod})
+ pfx_objs      := $(patsubst %,libxt_%.o,${pfx_build_mod})
+ pf4_objs      := $(patsubst %,libipt_%.o,${pf4_build_mod})
+ pf6_objs      := $(patsubst %,libip6t_%.o,${pf6_build_mod})
++pfx_lalibs    := $(patsubst %,libxt_%.la,${pfx_build_mod})
++pf4_lalibs    := $(patsubst %,libipt_%.la,${pf4_build_mod})
++pf6_lalibs    := $(patsubst %,libip6t_%.la,${pf6_build_mod})
+ pfx_solibs    := $(patsubst %,libxt_%.so,${pfx_build_mod})
+ pf4_solibs    := $(patsubst %,libipt_%.so,${pf4_build_mod})
+ pf6_solibs    := $(patsubst %,libip6t_%.so,${pf6_build_mod})
+@@ -63,8 +66,9 @@ targets_instlink :=
+ @ENABLE_STATIC_TRUE@ libext_objs := ${pfx_objs}
+ @ENABLE_STATIC_TRUE@ libext4_objs := ${pf4_objs}
+ @ENABLE_STATIC_TRUE@ libext6_objs := ${pf6_objs}
+-@ENABLE_STATIC_FALSE@ targets += ${pfx_solibs} ${pfx_symlinks} ${pf4_solibs} ${pf6_solibs}
+-@ENABLE_STATIC_FALSE@ targets_install += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
++@ENABLE_STATIC_FALSE@ targets += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
++@ENABLE_STATIC_FALSE@ targets_la_install += ${pfx_lalibs} ${pf4_lalibs} ${pf6_lalibs}
++@ENABLE_STATIC_FALSE@ targets_so_install += ${pfx_solibs}
+ @ENABLE_STATIC_FALSE@ targets_instlink += ${pfx_symlinks}
+ 
+ .SECONDARY:
+@@ -73,12 +77,14 @@ targets_instlink :=
+ 
+ all: ${targets}
+ 
+-install: ${targets_install} ${targets_instlink}
++install: ${targets_la_install} ${targets_so_install} ${targets_instlink}
+ 	@mkdir -p "${DESTDIR}${xtlibdir}";
++	../libtool ${AM_LIBTOOL_SILENT} --no-warn --mode=install install -pm0755 ${targets_la_install} "${DESTDIR}${xtlibdir}/"
++	rm -f "${DESTDIR}${xtlibdir}"/*.la
+ 	if test -n "${targets_install}"; then \
+ 		install -pm0755 ${targets_install} "${DESTDIR}${xtlibdir}/"; \
+ 		cp -a ${pfx_symlinks} "${DESTDIR}${xtlibdir}/"; \
+-	fi;
++	fi
+ 
+ clean:
+ 	rm -f *.la *.o *.lo *.so *.a {matches,targets}.man initext.c initext4.c initext6.c;
+@@ -99,7 +105,7 @@ lib%.so: lib%.la
+ 	${AM_VERBOSE_NULL} ln -fs .libs/$@ $@
+ 
+ lib%.la: lib%.lo
+-	${AM_VERBOSE_CCLD} ../libtool ${AM_LIBTOOL_SILENT} --tag=CC --mode=link ${CCLD} ${AM_LDFLAGS} -module ${LDFLAGS} -o $@ $< ../libxtables/libxtables.la ${$*_LIBADD} -rpath ${xtlibdir}
++	${AM_VERBOSE_CCLD} ../libtool ${AM_LIBTOOL_SILENT} --tag=CC --mode=link ${CCLD} ${AM_LDFLAGS} -avoid-version -module ${LDFLAGS} -o $@ $< ../libxtables/libxtables.la ${$*_LIBADD} -rpath ${xtlibdir}
+ 
+ lib%.lo: ${srcdir}/lib%.c
+ 	${AM_VERBOSE_CC} ../libtool ${AM_LIBTOOL_SILENT} --tag=CC --mode=compile ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=lib$*_init ${CFLAGS} -o $@ -c $<
+-- 
+1.7.10.4
+

0001-build-do-not-dereference-symlinks-on-installation.patch

@@ -0,0 +1,69 @@
+From cbe7c8ef0dabe56bf8a1f7ed27722e85abb0af9f Mon Sep 17 00:00:00 2001
+From: Jan Engelhardt <jengelh@inai.de>
+Date: Thu, 10 Jan 2013 16:02:09 +0100
+Subject: [PATCH] build: do not dereference symlinks on installation
+
+By using install(1), libxt_NOTRACK.so was inadvertently installed as
+an actual file to /usr/lib/xtables rather than as a symlink. Switch to
+using cp(1).
+
+Signed-off-by: Jan Engelhardt <jengelh@inai.de>
+---
+ extensions/GNUmakefile.in |   15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
+index adad4d6..781ac6d 100644
+--- a/extensions/GNUmakefile.in
++++ b/extensions/GNUmakefile.in
+@@ -40,7 +40,7 @@ endif
+ #	Wildcard module list
+ #
+ pfx_build_mod := $(patsubst ${srcdir}/libxt_%.c,%,$(sort $(wildcard ${srcdir}/libxt_*.c)))
+-pfx_symlinks  := NOTRACK state
++pfx_symlinks  := libxt_NOTRACK.so libxt_state.so
+ @ENABLE_IPV4_TRUE@ pf4_build_mod := $(patsubst ${srcdir}/libipt_%.c,%,$(sort $(wildcard ${srcdir}/libipt_*.c)))
+ @ENABLE_IPV6_TRUE@ pf6_build_mod := $(patsubst ${srcdir}/libip6t_%.c,%,$(sort $(wildcard ${srcdir}/libip6t_*.c)))
+ pfx_build_mod := $(filter-out @blacklist_modules@,${pfx_build_mod})
+@@ -49,7 +49,7 @@ pf6_build_mod := $(filter-out @blacklist_modules@,${pf6_build_mod})
+ pfx_objs      := $(patsubst %,libxt_%.o,${pfx_build_mod})
+ pf4_objs      := $(patsubst %,libipt_%.o,${pf4_build_mod})
+ pf6_objs      := $(patsubst %,libip6t_%.o,${pf6_build_mod})
+-pfx_solibs    := $(patsubst %,libxt_%.so,${pfx_build_mod} ${pfx_symlinks})
++pfx_solibs    := $(patsubst %,libxt_%.so,${pfx_build_mod})
+ pf4_solibs    := $(patsubst %,libipt_%.so,${pf4_build_mod})
+ pf6_solibs    := $(patsubst %,libip6t_%.so,${pf6_build_mod})
+ 
+@@ -59,11 +59,13 @@ pf6_solibs    := $(patsubst %,libip6t_%.so,${pf6_build_mod})
+ #
+ targets := libext.a libext4.a libext6.a matches.man targets.man
+ targets_install :=
++targets_instlink :=
+ @ENABLE_STATIC_TRUE@ libext_objs := ${pfx_objs}
+ @ENABLE_STATIC_TRUE@ libext4_objs := ${pf4_objs}
+ @ENABLE_STATIC_TRUE@ libext6_objs := ${pf6_objs}
+-@ENABLE_STATIC_FALSE@ targets += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
++@ENABLE_STATIC_FALSE@ targets += ${pfx_solibs} ${pfx_symlinks} ${pf4_solibs} ${pf6_solibs}
+ @ENABLE_STATIC_FALSE@ targets_install += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
++@ENABLE_STATIC_FALSE@ targets_instlink += ${pfx_symlinks}
+ 
+ .SECONDARY:
+ 
+@@ -71,9 +73,12 @@ targets_install :=
+ 
+ all: ${targets}
+ 
+-install: ${targets_install}
++install: ${targets_install} ${targets_instlink}
+ 	@mkdir -p "${DESTDIR}${xtlibdir}";
+-	if test -n "${targets_install}"; then install -pm0755 $^ "${DESTDIR}${xtlibdir}/"; fi;
++	if test -n "${targets_install}"; then \
++		install -pm0755 ${targets_install} "${DESTDIR}${xtlibdir}/"; \
++		cp -a ${pfx_symlinks} "${DESTDIR}${xtlibdir}/"; \
++	fi;
+ 
+ clean:
+ 	rm -f *.la *.o *.lo *.so *.a {matches,targets}.man initext.c initext4.c initext6.c;
+-- 
+1.7.10.4
+

0001-build-resolve-link-failure-for-ip6t_NETMAP.patch

@@ -1,42 +0,0 @@
-From 070e9ad8fe6380be3fe19924cd50619e540382d0 Mon Sep 17 00:00:00 2001
-From: Jan Engelhardt <jengelh@inai.de>
-Date: Sun, 2 Dec 2012 19:09:38 +0100
-Subject: [PATCH] build: resolve link failure for ip6t_NETMAP
-
-Link stage of libip6t_NETMAP failed since recently.
-
-  CCLD     libip6t_NETMAP.so
-/usr/lib64/gcc/x86_64-suse-linux/4.7/../../../../x86_64-suse-linux/bin/ld:
-cannot find -lip6tc
-
-libip6t_NETMAP.c uses the "ipv6_prefix_length" function from
-libip6tc.so; "-lip6tc" is used in the Makefile, but, the directory to
-it is not specified.
-
-Why does the link succeed for some people? Because
-/usr/lib(64)/libip6tc.so satisfies -lip6tc, but not all environments,
-especially those without iptables development files, have that file,
-hence this link error can happen.
-
-Signed-off-by: Jan Engelhardt <jengelh@inai.de>
----
- extensions/GNUmakefile.in |    3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
-index e71e3ff..68e0b9b 100644
---- a/extensions/GNUmakefile.in
-+++ b/extensions/GNUmakefile.in
-@@ -101,7 +101,8 @@ libxt_state.so: libxt_conntrack.so
- 	ln -fs $< $@
- 
- # Need the LIBADDs in iptables/Makefile.am too for libxtables_la_LIBADD
--ip6t_NETMAP_LIBADD  = -lip6tc
-+ip6t_NETMAP_LIBADD  = -L${top_builddir}/libiptc/.libs \
-+                      -L${top_builddir}/libiptc -lip6tc
- xt_RATEEST_LIBADD   = -lm
- xt_statistic_LIBADD = -lm
- 
--- 
-1.7.10.4
-

iptables-1.4.17.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:51e7a769469383b6ad308a6a19cdd2bd813cf4593e21a156a543a1cd70554925
-size 541137

iptables-1.4.18.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:14a99fb8b0ca22027a9ac6eb72fa32c834ceb3073820e0ba79bf251c6a7bcf3c
+size 542308

iptables.changes

@@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Mon Mar  4 21:42:12 UTC 2013 - jengelh@inai.de
+
+- Update to new upstream release 1.4.18
+* documentation updates
+- Create subpackage xtables-plugins, to aid packaging of xtadm
+- Add 0001-build-do-not-dereference-symlinks-on-installation.patch
+  as a prerequisite for:
+- Add 0001-build-also-use-libtool-for-install-stage.patch
+  to kill of undesired DT_RPATH entries
+
 -------------------------------------------------------------------
 Tue Dec 25 22:47:56 UTC 2012 - jengelh@inai.de
 

iptables.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package iptables
 #
-# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -19,13 +19,13 @@
 Name:           iptables
 %define lname_ipq	libipq0
 %define lname_iptc	libiptc0
-%define lname_xt	libxtables9
-Version:        1.4.17
+%define lname_xt	libxtables10
+Version:        1.4.18
 Release:        0
 Summary:        IP Packet Filter Administration utilities
 License:        GPL-2.0+
 Group:          Productivity/Networking/Security
-Url:            http://netfilter.org/
+Url:            http://netfilter.org/projects/iptables/
 
 #Freecode-URL:	http://freecode.com/projects/iptables/
 #Git-Web:	http://git.netfilter.org/
@@ -34,9 +34,10 @@ Url:            http://netfilter.org/
 Source:         http://netfilter.org/projects/iptables/files/%name-%version.tar.bz2
 Source2:        http://netfilter.org/projects/iptables/files/%name-%version.tar.bz2.sig
 Source3:        %name.keyring
-Patch1:         iptables-batch.patch
-Patch2:         iptables-apply-mktemp-fix.patch
-Patch3:         0001-build-resolve-link-failure-for-ip6t_NETMAP.patch
+Patch1:         0001-build-do-not-dereference-symlinks-on-installation.patch
+Patch2:         0001-build-also-use-libtool-for-install-stage.patch
+Patch3:         iptables-batch.patch
+Patch4:         iptables-apply-mktemp-fix.patch
 
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %if 0%{?suse_version}
@@ -63,11 +64,20 @@ BuildRequires:  libnfnetlink-devel >= 1.0.0
 %if 0%{?fedora_version} || 0%{?centos_version} || 0%{?rhel_version}
 BuildRequires:  libnfnetlink-devel >= 1.0.0
 %endif
+Requires:       xtables-plugins = %version
 
 %description
 iptables is used to set up, maintain, and inspect the tables of IP
 packet filter rules in the Linux kernel. This version requires kernel
-2.4.0 or newer.
+3.0 or newer.
+
+%package -n xtables-plugins
+Summary:        Match and Target Extension plugins for iptables
+Group:          Productivity/Networking/Security
+Conflicts:      iptables < 1.4.18
+
+%description -n xtables-plugins
+Match and Target Extension plugins for iptables.
 
 %package -n %lname_ipq
 Summary:        Library to interface with the (old) ip_queue kernel mechanism
@@ -108,9 +118,6 @@ construct, and load new rulesets into the kernel.
 Summary:        Development files for libiptc, a packet filter ruleset library
 Group:          Development/Libraries/C and C++
 Requires:       %lname_iptc = %version
-# NOT adding Obsoletes/Provides: iptables-devel, because that one has
-# been split into _two_ new pkgs (libxtables-devel, libiptc-devel).
-# NOTE: Please use pkgconfig(...) symbols for BuildRequires.
 
 %description -n libiptc-devel
 libiptc ("iptables cache") is used to retrieve from the kernel, parse,
@@ -139,16 +146,9 @@ Link your extension (iptables plugins) with $(pkg-config xtables
 xtables --variable=xtlibdir).
 
 %prep
-%if 0%{?gpg_verify:1}
-%gpg_verify %{S:2}
-%endif
-%if 0%{?__xz:1}
+%{?gpg_verify: %gpg_verify %{S:2}}
 %setup -q
-%else
-tar -xf "%{S:0}" --use=bzip2;
-%setup -DTq
-%endif
-%patch -P 1 -P 2 -P 3 -p1
+%patch -P 1 -P 2 -P 3 -P 4 -p1
 
 %build
 # We have the iptables-batch patch, so always regenerate.
@@ -169,7 +169,7 @@ install -m0755 iptables/iptables-apply %buildroot%_sbindir/
 install -m0644 iptables/iptables-apply.8 %buildroot%_mandir/man8/
 rm -f "%buildroot/%_libdir"/*.la;
 %if 0%{?suse_version}
-%fdupes %buildroot
+%fdupes %buildroot/%_prefix
 %endif
 
 %post   -n %lname_ipq -p /sbin/ldconfig
@@ -182,8 +182,8 @@ rm -f "%buildroot/%_libdir"/*.la;
 %files
 %defattr(-,root,root)
 %doc COPYING
-%doc %_mandir/man1/*
-%doc %_mandir/man8/*
+%doc %_mandir/man1/ip*
+%doc %_mandir/man8/ip*
 %_bindir/iptables-xml
 %_sbindir/iptables
 %_sbindir/iptables-apply
@@ -195,8 +195,11 @@ rm -f "%buildroot/%_libdir"/*.la;
 %_sbindir/ip6tables-restore
 %_sbindir/ip6tables-save
 %_sbindir/xtables-multi
-%_sbindir/nfnl_osf
+
+%files -n xtables-plugins
+%defattr(-,root,root)
 %_libdir/xtables
+%_sbindir/nfnl_osf
 %_datadir/xtables
 
 %files -n %lname_ipq
@@ -227,7 +230,7 @@ rm -f "%buildroot/%_libdir"/*.la;
 
 %files -n %lname_xt
 %defattr(-,root,root)
-%_libdir/libxtables.so.9*
+%_libdir/libxtables.so.10*
 
 %files -n libxtables-devel
 %defattr(-,root,root)