- Update to new upstream release 1.8.3

OBS-URL: https://build.opensuse.org/package/show/security:netfilter/iptables?expand=0&rev=130

0001-include-extend-the-headers-conflict-workaround-to-in.patch

@@ -1,36 +0,0 @@
-From 2908eda10bf9fc81119d4f3ad672c67918ab5955 Mon Sep 17 00:00:00 2001
-From: Baruch Siach <baruch@tkos.co.il>
-Date: Sun, 2 Dec 2018 18:56:34 +0200
-Subject: [PATCH] include: extend the headers conflict workaround to in6.h
-
-Commit 8d9d7e4b9ef ("include: fix build with kernel headers before 4.2")
-introduced a kernel/user headers conflict workaround that allows build
-of iptables with kernel headers older than 4.2. This minor extension
-allows build with kernel headers older than 3.12, which is the version
-that introduced explicit IP headers synchronization.
-
-Fixes: 8d9d7e4b9ef4 ("include: fix build with kernel headers before 4.2")
-Cc: Florian Westphal <fw@strlen.de>
-Signed-off-by: Baruch Siach <baruch@tkos.co.il>
-Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
----
- include/linux/netfilter.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
-index bacf8cd9..042d8b14 100644
---- a/include/linux/netfilter.h
-+++ b/include/linux/netfilter.h
-@@ -5,8 +5,8 @@
- 
- #ifndef _NETINET_IN_H
- #include <linux/in.h>
--#endif
- #include <linux/in6.h>
-+#endif
- #include <limits.h>
- 
- /* Responses from hook functions. */
--- 
-2.21.0
-

0001-include-fix-build-with-kernel-headers-before-4.2.patch

@@ -1,52 +0,0 @@
-From 8d9d7e4b9ef4c6e6abab2cf35c747d7ca36824bd Mon Sep 17 00:00:00 2001
-From: Baruch Siach <baruch@tkos.co.il>
-Date: Fri, 16 Nov 2018 09:30:33 +0200
-Subject: [PATCH] include: fix build with kernel headers before 4.2
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Commit 672accf1530 (include: update kernel netfilter header files)
-updated linux/netfilter.h and brought with it the update from kernel
-commit a263653ed798 (netfilter: don't pull include/linux/netfilter.h
-from netns headers). This triggers conflict of headers that is fixed in
-kernel commit 279c6c7fa64f (api: fix compatibility of linux/in.h with
-netinet/in.h) included in kernel version 4.2. For earlier kernel headers
-we need a workaround that prevents the headers conflict.
-
-Fixes the following build failure:
-
-In file included from .../sysroot/usr/include/netinet/ip.h:25:0,
-                 from ../include/libiptc/ipt_kernel_headers.h:8,
-                 from ../include/libiptc/libiptc.h:6,
-                 from libip4tc.c:29:
-.../sysroot/usr/include/linux/in.h:26:3: error: redeclaration of enumerator ‘IPPROTO_IP’
-   IPPROTO_IP = 0,  /* Dummy protocol for TCP  */
-   ^
-.../sysroot/usr/include/netinet/in.h:33:5: note: previous definition of ‘IPPROTO_IP’ was here
-     IPPROTO_IP = 0,    /* Dummy protocol for TCP.  */
-     ^~~~~~~~~~
-
-Signed-off-by: Baruch Siach <baruch@tkos.co.il>
-Signed-off-by: Florian Westphal <fw@strlen.de>
----
- include/linux/netfilter.h | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
-index c3f087ac..bacf8cd9 100644
---- a/include/linux/netfilter.h
-+++ b/include/linux/netfilter.h
-@@ -3,7 +3,9 @@
- 
- #include <linux/types.h>
- 
-+#ifndef _NETINET_IN_H
- #include <linux/in.h>
-+#endif
- #include <linux/in6.h>
- #include <limits.h>
- 
--- 
-2.21.0
-

iptables-1.8.2.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:a3778b50ed1a3256f9ca975de82c2204e508001fc2471238c8c97f3d1c4c12af
-size 679858

iptables-1.8.3.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a23cac034181206b4545f4e7e730e76e08b5f3dd78771ba9645a6756de9cdd80
+size 716257

iptables.changes

@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Tue May 28 08:37:39 UTC 2019 - Jan Engelhardt <jengelh@inai.de>
+
+- Update to new upstream release 1.8.3
+  * ebtables: Fix rule listing with counters
+  * ebtables-nft: Support user-defined chain policies
+- Remove 0001-include-extend-the-headers-conflict-workaround-to-in.patch
+  0001-include-fix-build-with-kernel-headers-before-4.2.patch
+  (upstreamed)
+
 -------------------------------------------------------------------
 Wed May 22 16:15:28 UTC 2019 - Jan Engelhardt <jengelh@inai.de>
 

iptables.spec

@@ -17,7 +17,7 @@
 
 
 Name:           iptables
-Version:        1.8.2
+Version:        1.8.3
 Release:        0
 Summary:        IP packet filter administration utilities
 License:        GPL-2.0-only AND Artistic-2.0
@@ -27,8 +27,6 @@ URL:            https://netfilter.org/projects/iptables/
 Source:         https://netfilter.org/projects/iptables/files/%name-%version.tar.bz2
 Source2:        https://netfilter.org/projects/iptables/files/%name-%version.tar.bz2.sig
 Source3:        %name.keyring
-Patch1:         0001-include-fix-build-with-kernel-headers-before-4.2.patch
-Patch2:         0001-include-extend-the-headers-conflict-workaround-to-in.patch
 Patch3:         iptables-batch.patch
 Patch4:         iptables-apply-mktemp-fix.patch
 Patch5:         iptables-batch-lock.patch
@@ -45,7 +43,7 @@ BuildRequires:  xz
 BuildRequires:  pkgconfig(libmnl) >= 1.0
 BuildRequires:  pkgconfig(libnetfilter_conntrack) >= 1.0.4
 BuildRequires:  pkgconfig(libnfnetlink) >= 1.0.0
-BuildRequires:  pkgconfig(libnftnl) >= 1.1.1
+BuildRequires:  pkgconfig(libnftnl) >= 1.1.3
 Requires:       netcfg >= 11.6
 Requires:       xtables-plugins = %version-%release
 Requires(post): update-alternatives
@@ -103,18 +101,29 @@ be modified in userspace prior to reinjection back into the kernel.
 
 ip_queue/libipq is obsoleted by nf_queue/libnetfilter_queue!
 
-%package -n libiptc0
-Summary:        Library for the ip_tables low-level ruleset generation and parsing
+%package -n libip4tc2
+Summary:        Library for the ip_tables low-level ruleset generation and parsing (IPv4)
 Group:          System/Libraries
 
-%description -n libiptc0
+%description -n libip4tc2
 libiptc ("iptables cache") is used to retrieve from the kernel, parse,
 construct, and load rulesets into the kernel.
+This package contains the iptc IPv4 API.
+
+%package -n libip6tc2
+Summary:        Library for the ip_tables low-level ruleset generation and parsing (IPv6)
+Group:          System/Libraries
+
+%description -n libip6tc2
+libiptc ("iptables cache") is used to retrieve from the kernel, parse,
+construct, and load rulesets into the kernel.
+This package contains the iptc IPv6 API.
 
 %package -n libiptc-devel
 Summary:        Development files for libiptc, a packet filter ruleset library
 Group:          Development/Libraries/C and C++
-Requires:       libiptc0 = %version
+Requires:       libip4tc2 = %version
+Requires:       libip6tc2 = %version
 
 %description -n libiptc-devel
 libiptc ("iptables cache") is used to retrieve from the kernel, parse,
@@ -158,6 +167,8 @@ make %{?_smp_mflags} V=1
 %install
 %make_install
 b="%buildroot"
+# no contents and is unused; proposed for removal upstream
+rm -f "$b/%_libdir/"libiptc.so*
 # iptables-apply is not installed by upstream Makefile
 install -m0755 iptables/iptables-apply "$b/%_sbindir/"
 install -m0644 iptables/iptables-apply.8 "$b/%_mandir/man8/"
@@ -211,8 +222,10 @@ fi
 
 %post   -n libipq0 -p /sbin/ldconfig
 %postun -n libipq0 -p /sbin/ldconfig
-%post   -n libiptc0 -p /sbin/ldconfig
-%postun -n libiptc0 -p /sbin/ldconfig
+%post   -n libip4tc2 -p /sbin/ldconfig
+%postun -n libip4tc2 -p /sbin/ldconfig
+%post   -n libip6tc2 -p /sbin/ldconfig
+%postun -n libip6tc2 -p /sbin/ldconfig
 %post   -n libxtables12 -p /sbin/ldconfig
 %postun -n libxtables12 -p /sbin/ldconfig
 
@@ -288,10 +301,11 @@ fi
 %_libdir/libipq.so
 %_libdir/pkgconfig/libipq.pc
 
-%files -n libiptc0
-%_libdir/libiptc.so.0*
-%_libdir/libip4tc.so.0*
-%_libdir/libip6tc.so.0*
+%files -n libip4tc2
+%_libdir/libip4tc.so.2*
+
+%files -n libip6tc2
+%_libdir/libip6tc.so.2*
 
 %files -n libiptc-devel
 %dir %_includedir/%name/