SHA256
1
0
forked from pool/iptables
iptables/iptables.spec
Jan Engelhardt 87d1cb26b1 Accepting request 691518 from home:kstreitova:branches:security:netfilter
- Add iptables-1.8.2-dont_read_garbage.patch that fixes a situation
  where 'iptables -L' reads garbage from the struct as the kernel
  never filled it in the bugged case. This can lead to issues like
  mapping a few TiB of memory [bsc#1106751].

OBS-URL: https://build.opensuse.org/request/show/691518
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/iptables?expand=0&rev=126
2019-04-04 13:20:38 +00:00

312 lines
11 KiB
RPMSpec

#
# spec file for package iptables
#
# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
Name: iptables
Version: 1.8.2
Release: 0
Summary: IP packet filter administration utilities
License: GPL-2.0-only AND Artistic-2.0
Group: Productivity/Networking/Security
Url: http://netfilter.org/projects/iptables/
#Git-Clone: git://git.netfilter.org/iptables
Source: http://netfilter.org/projects/iptables/files/%name-%version.tar.bz2
Source2: http://netfilter.org/projects/iptables/files/%name-%version.tar.bz2.sig
Source3: %name.keyring
Patch3: iptables-batch.patch
Patch4: iptables-apply-mktemp-fix.patch
Patch5: iptables-batch-lock.patch
Patch6: iptables-1.8.2-dont_read_garbage.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
#git#BuildRequires: autoconf, automake >= 1.10
BuildRequires: bison
BuildRequires: fdupes
BuildRequires: flex >= 2.5.33
BuildRequires: libtool
BuildRequires: pkg-config >= 0.21
BuildRequires: xz
BuildRequires: pkgconfig(libmnl) >= 1.0
BuildRequires: pkgconfig(libnetfilter_conntrack) >= 1.0.4
BuildRequires: pkgconfig(libnfnetlink) >= 1.0.0
BuildRequires: pkgconfig(libnftnl) >= 1.1.1
Requires: netcfg >= 11.6
Requires: xtables-plugins = %version-%release
Requires(post): update-alternatives
Requires(postun): update-alternatives
%description
iptables is used to set up, maintain, and inspect the rule tables of
the various Netfilter packet filter engines inside the Linux kernel.
%package backend-nft
Summary: Metapackage to make nft the default backend for iptables/arptables/ebtables
Group: Productivity/Networking/Security
Requires: iptables >= 1.8.0
Requires(post): update-alternatives
Requires(postun): update-alternatives
%description backend-nft
Installation of this package adds higher priority alternatives (cf.
update-alternatives) that makes the iptables, ip6tables, arptables
and ebtables commands point to a program variant that uses the
nftables kernel interface.
%package -n xtables-plugins
Summary: Match and target extension plugins for iptables
Group: Productivity/Networking/Security
Conflicts: iptables < 1.4.18
%description -n xtables-plugins
Match and Target Extension plugins for iptables.
%package -n libipq0
Summary: Library to interface with the (old) ip_queue kernel mechanism
Group: System/Libraries
%description -n libipq0
The Netfilter project provides a mechanism (ip_queue) for passing
packets out of the stack for queueing to userspace, then receiving
these packets back into the kernel with a verdict specifying what to
do with the packets (such as ACCEPT or DROP). These packets may also
be modified in userspace prior to reinjection back into the kernel.
ip_queue/libipq is obsoleted by nf_queue/libnetfilter_queue!
%package -n libipq-devel
Summary: Development files for the ip_queue kernel mechanism
Group: Development/Libraries/C and C++
Requires: libipq0 = %version
%description -n libipq-devel
The Netfilter project provides a mechanism (ip_queue) for passing
packets out of the stack for queueing to userspace, then receiving
these packets back into the kernel with a verdict specifying what to
do with the packets (such as ACCEPT or DROP). These packets may also
be modified in userspace prior to reinjection back into the kernel.
ip_queue/libipq is obsoleted by nf_queue/libnetfilter_queue!
%package -n libiptc0
Summary: Library for the ip_tables low-level ruleset generation and parsing
Group: System/Libraries
%description -n libiptc0
libiptc ("iptables cache") is used to retrieve from the kernel, parse,
construct, and load rulesets into the kernel.
%package -n libiptc-devel
Summary: Development files for libiptc, a packet filter ruleset library
Group: Development/Libraries/C and C++
Requires: libiptc0 = %version
%description -n libiptc-devel
libiptc ("iptables cache") is used to retrieve from the kernel, parse,
construct, and load rulesets into the kernel.
%package -n libxtables12
Summary: The iptables plugin interface
Group: System/Libraries
%description -n libxtables12
This library contains all the iptables code shared between iptables,
ip6tables, their extensions, and for external integration for e.g.
iproute2's m_xt.
%package -n libxtables-devel
Summary: Headers and manpages for iptables
Group: Development/Libraries/C and C++
Requires: libxtables12 = %version
%description -n libxtables-devel
This library contains all the iptables code shared between iptables,
ip6tables, their extensions, and for external integration for e.g.
Link your extension (iptables plugins) with $(pkg-config xtables
--libs) and place the plugin in the directory given by $(pkg-config
xtables --variable=xtlibdir).
%prep
%setup -q
%patch -P 3 -P 4 -P 5 -P 6 -p1
%build
# We have the iptables-batch patch, so always regenerate.
./autogen.sh
# bnc#561793 - do not include unclean module in iptables manpage
rm -f extensions/libipt_unclean.man
# includedir is overriden on purpose to detect projects that
# fail to include libxtables_CFLAGS
%configure --includedir="%_includedir/%name" --enable-libipq
make %{?_smp_mflags} V=1
%install
%make_install
b="%buildroot"
# iptables-apply is not installed by upstream Makefile
install -m0755 iptables/iptables-apply "$b/%_sbindir/"
install -m0644 iptables/iptables-apply.8 "$b/%_mandir/man8/"
rm -f "$b/%_libdir"/*.la
rm -f "$b/%_sysconfdir/ethertypes" # -> netcfg
for i in iptables iptables-restore iptables-save ip6tables ip6tables-restore \
ip6tables-save arptables arptables-restore arptables-save ebtables \
ebtables-restore ebtables-save; do
ln -fsv "/etc/alternatives/$i" "$b/%_sbindir/$i"
done
%if 0%{?suse_version}
%fdupes %buildroot/%_prefix
%endif
%post
update-alternatives \
--install "%_sbindir/iptables" iptables "%_sbindir/xtables-legacy-multi" 1 \
--slave "%_sbindir/iptables-restore" iptables-restore "%_sbindir/xtables-legacy-multi" \
--slave "%_sbindir/iptables-save" iptables-save "%_sbindir/xtables-legacy-multi" \
--slave "%_sbindir/ip6tables" ip6tables "%_sbindir/xtables-legacy-multi" \
--slave "%_sbindir/ip6tables-restore" ip6tables-restore "%_sbindir/xtables-legacy-multi" \
--slave "%_sbindir/ip6tables-save" ip6tables-save "%_sbindir/xtables-legacy-multi"
%postun
if test "$1" = 0; then
update-alternatives --remove iptables "%_sbindir/xtables-legacy-multi"
fi
%post backend-nft
update-alternatives \
--install "%_sbindir/iptables" iptables "%_sbindir/xtables-nft-multi" 2 \
--slave "%_sbindir/iptables-restore" iptables-restore "%_sbindir/xtables-nft-multi" \
--slave "%_sbindir/iptables-save" iptables-save "%_sbindir/xtables-nft-multi" \
--slave "%_sbindir/ip6tables" ip6tables "%_sbindir/xtables-nft-multi" \
--slave "%_sbindir/ip6tables-restore" ip6tables-restore "%_sbindir/xtables-nft-multi" \
--slave "%_sbindir/ip6tables-save" ip6tables-save "%_sbindir/xtables-nft-multi"
update-alternatives --install "%_sbindir/arptables" arptables "%_sbindir/xtables-nft-multi" 2 \
--slave "%_sbindir/arptables-restore" arptables-restore "%_sbindir/xtables-nft-multi" \
--slave "%_sbindir/arptables-save" arptables-save "%_sbindir/xtables-nft-multi"
update-alternatives --install "%_sbindir/ebtables" ebtables "%_sbindir/xtables-nft-multi" 2 \
--slave "%_sbindir/ebtables-restore" ebtables-restore "%_sbindir/xtables-nft-multi" \
--slave "%_sbindir/ebtables-save" ebtables-save "%_sbindir/xtables-nft-multi"
%postun backend-nft
if test "$1" = 0; then
update-alternatives --remove iptables "%_sbindir/xtables-nft-multi"
update-alternatives --remove arptables "%_sbindir/xtables-nft-multi"
update-alternatives --remove ebtables "%_sbindir/xtables-nft-multi"
fi
%post -n libipq0 -p /sbin/ldconfig
%postun -n libipq0 -p /sbin/ldconfig
%post -n libiptc0 -p /sbin/ldconfig
%postun -n libiptc0 -p /sbin/ldconfig
%post -n libxtables12 -p /sbin/ldconfig
%postun -n libxtables12 -p /sbin/ldconfig
%files
%license COPYING
%_bindir/iptables-xml
%_sbindir/iptables-apply
%_sbindir/iptables-legacy*
%_sbindir/iptables-nft*
%_sbindir/iptables-*translate*
%_sbindir/ip6tables-legacy*
%_sbindir/ip6tables-nft*
%_sbindir/ip6tables-*translate*
%_sbindir/arptables-nft*
%_sbindir/ebtables-nft*
%_sbindir/xtables*
%_mandir/man1/*tables*
%_mandir/man8/*tables*
# backend-legacy (implicit)
%ghost %_sysconfdir/alternatives/iptables
%ghost %_sysconfdir/alternatives/iptables-restore
%ghost %_sysconfdir/alternatives/iptables-save
%ghost %_sysconfdir/alternatives/ip6tables
%ghost %_sysconfdir/alternatives/ip6tables-restore
%ghost %_sysconfdir/alternatives/ip6tables-save
%_sbindir/iptables
%_sbindir/iptables-restore
%_sbindir/iptables-save
%_sbindir/ip6tables
%_sbindir/ip6tables-restore
%_sbindir/ip6tables-save
%files backend-nft
%ghost %_sysconfdir/alternatives/iptables
%ghost %_sysconfdir/alternatives/iptables-restore
%ghost %_sysconfdir/alternatives/iptables-save
%ghost %_sysconfdir/alternatives/ip6tables
%ghost %_sysconfdir/alternatives/ip6tables-restore
%ghost %_sysconfdir/alternatives/ip6tables-save
%ghost %_sysconfdir/alternatives/arptables
%ghost %_sysconfdir/alternatives/arptables-restore
%ghost %_sysconfdir/alternatives/arptables-save
%ghost %_sysconfdir/alternatives/ebtables
%ghost %_sysconfdir/alternatives/ebtables-restore
%ghost %_sysconfdir/alternatives/ebtables-save
%_sbindir/iptables
%_sbindir/iptables-restore
%_sbindir/iptables-save
%_sbindir/ip6tables
%_sbindir/ip6tables-restore
%_sbindir/ip6tables-save
%_sbindir/arptables
%_sbindir/arptables-restore
%_sbindir/arptables-save
%_sbindir/ebtables
%_sbindir/ebtables-restore
%_sbindir/ebtables-save
%files -n xtables-plugins
%_libdir/xtables/
%_sbindir/nfnl_osf
%_mandir/man8/nfnl_osf.8*
%_datadir/xtables/
%files -n libipq0
%_libdir/libipq.so.0*
%files -n libipq-devel
%doc %_mandir/man3/libipq*
%doc %_mandir/man3/ipq*
%dir %_includedir/%name/
%_includedir/%name/libipq*
%_libdir/libipq.so
%_libdir/pkgconfig/libipq.pc
%files -n libiptc0
%_libdir/libiptc.so.0*
%_libdir/libip4tc.so.0*
%_libdir/libip6tc.so.0*
%files -n libiptc-devel
%dir %_includedir/%name/
%_includedir/%name/libiptc*
%_libdir/libip*tc.so
%_libdir/pkgconfig/libip*tc.pc
%files -n libxtables12
%_libdir/libxtables.so.12*
%files -n libxtables-devel
%dir %_includedir/%name/
%_includedir/%name/xtables.h
%_includedir/%name/xtables-version.h
%_libdir/libxtables.so
%_libdir/pkgconfig/xtables.pc
%changelog