Accepting request 1220308 from security:netfilter

try again
- Update to release 1.1.1

OBS-URL: https://build.opensuse.org/request/show/1220308
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/nftables?expand=0&rev=35

0001-tools-add-a-systemd-unit-for-static-rulesets.patch

@@ -1,208 +0,0 @@
-From 5150f2e49b4b17bdaf7c02299a3b08e9fcc45345 Mon Sep 17 00:00:00 2001
-From: Jan Engelhardt <jengelh@inai.de>
-Date: Fri, 28 Feb 2025 19:45:01 +0100
-Subject: [PATCH] tools: add a systemd unit for static rulesets
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-References: https://lore.kernel.org/netfilter-devel/20250308182250.98098-1-jengelh@inai.de/T/#u
-
-There is a customer request (bugreport) for wanting to trivially load a ruleset
-from a well-known location on boot, forwarded to me by M. Gerstner. A systemd
-service unit is hereby added to provide that functionality. This is based on
-various distributions attempting to do same, cf.
-
-https://src.fedoraproject.org/rpms/nftables/tree/rawhide
-https://gitlab.alpinelinux.org/alpine/aports/-/blob/master/main/nftables/nftables.initd
-https://gitlab.archlinux.org/archlinux/packaging/packages/nftables
-
-Cc: Matthias Gerstner <matthias.gerstner@suse.com>
-Cc: Kevin Fenzi <kevin@scrye.com>
-Cc: Francesco Colista <fcolista@alpinelinux.org>
-Cc: Sébastien Luttringer <seblu@archlinux.org>
----
- .gitignore                |  1 +
- INSTALL                   |  6 ++++++
- Makefile.am               | 16 ++++++++++++----
- configure.ac              | 10 ++++++++++
- files/nftables/main.nft   | 24 ++++++++++++++++++++++++
- tools/nftables.service.8  | 18 ++++++++++++++++++
- tools/nftables.service.in | 21 +++++++++++++++++++++
- 7 files changed, 92 insertions(+), 4 deletions(-)
- create mode 100644 files/nftables/main.nft
- create mode 100644 tools/nftables.service.8
- create mode 100644 tools/nftables.service.in
-
-diff --git a/.gitignore b/.gitignore
-index a62e31f3..f92187ef 100644
---- a/.gitignore
-+++ b/.gitignore
-@@ -14,6 +14,7 @@ autom4te.cache
- build-aux/
- libnftables.pc
- libtool
-+tools/nftables.service
- 
- # cscope files
- /cscope.*
-diff --git a/INSTALL b/INSTALL
-index 5d45ec98..0c48c989 100644
---- a/INSTALL
-+++ b/INSTALL
-@@ -42,6 +42,12 @@ Installation instructions for nftables
- 	The base directory for arch-independent files. Defaults to
- 	$prefix/share.
- 
-+ --with-unitdir=
-+
-+	Directory for systemd unit files. Defaults to the value obtained from
-+	pkg-config for systemd.pc, and ${prefix}/lib/systemd/system as a
-+	fallback.
-+
-  --disable-debug
- 
- 	Disable debugging
-diff --git a/Makefile.am b/Makefile.am
-index fb64105d..050991f4 100644
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -375,18 +375,19 @@ dist_pkgdata_DATA = \
- 	files/nftables/netdev-ingress.nft \
- 	$(NULL)
- 
--pkgdocdir = ${docdir}/examples
-+exampledir = ${docdir}/examples
- 
--dist_pkgdoc_SCRIPTS = \
-+dist_example_SCRIPTS = \
- 	files/examples/ct_helpers.nft \
- 	files/examples/load_balancing.nft \
- 	files/examples/secmark.nft \
- 	files/examples/sets_and_maps.nft \
- 	$(NULL)
- 
--pkgsysconfdir = ${sysconfdir}/nftables/osf
-+pkgsysconfdir = ${sysconfdir}/${PACKAGE}
-+osfdir = ${pkgsysconfdir}/osf
- 
--dist_pkgsysconf_DATA = \
-+dist_osf_DATA = \
- 	files/osf/pf.os \
- 	$(NULL)
- 
-@@ -410,3 +411,10 @@ EXTRA_DIST += \
- 
- pkgconfigdir = $(libdir)/pkgconfig
- pkgconfig_DATA = libnftables.pc
-+unit_DATA = tools/nftables.service
-+man_MANS = tools/nftables.service.8
-+doc_DATA = files/nftables/main.nft
-+
-+tools/nftables.service: tools/nftables.service.in ${top_builddir}/config.status
-+	${AM_V_GEN}${MKDIR_P} tools
-+	${AM_V_at}sed -e 's|@''sbindir''@|${sbindir}|g;s|@''pkgsysconfdir''@|${pkgsysconfdir}|g' <${srcdir}/tools/nftables.service.in >$@
-diff --git a/configure.ac b/configure.ac
-index 80a64813..64a164e5 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -114,6 +114,16 @@ AC_CHECK_DECLS([getprotobyname_r, getprotobynumber_r, getservbyport_r], [], [],
- #include <netdb.h>
- ]])
- 
-+AC_ARG_WITH([unitdir],
-+	[AS_HELP_STRING([--with-unitdir=PATH], [Path to systemd service unit directory])],
-+	[unitdir="$withval"],
-+	[
-+		unitdir=$("$PKG_CONFIG" systemd --variable systemdsystemunitdir 2>/dev/null)
-+		AS_IF([test -z "$unitdir"], [unitdir='${prefix}/lib/systemd/system'])
-+	])
-+AC_SUBST([unitdir])
-+
-+
- AC_CONFIG_FILES([					\
- 		Makefile				\
- 		libnftables.pc				\
-diff --git a/files/nftables/main.nft b/files/nftables/main.nft
-new file mode 100644
-index 00000000..8e62f9bc
---- /dev/null
-+++ b/files/nftables/main.nft
-@@ -0,0 +1,24 @@
-+#!/usr/sbin/nft -f
-+
-+# template static firewall configuration file
-+#
-+# copy this over to /etc/nftables/rules/main.nft as a starting point for
-+# configuring a rule set which will be loaded by nftables.service.
-+
-+flush ruleset
-+
-+table inet filter {
-+	chain input {
-+		type filter hook input priority filter;
-+	}
-+	chain forward {
-+		type filter hook forward priority filter;
-+	}
-+	chain output {
-+		type filter hook output priority filter;
-+	}
-+}
-+
-+# this can be used to split the rule set into multiple smaller files concerned
-+# with specific topics, like forwarding rules
-+#include "/etc/nftables/rules/forwarding.nft"
-diff --git a/tools/nftables.service.8 b/tools/nftables.service.8
-new file mode 100644
-index 00000000..4a83b01c
---- /dev/null
-+++ b/tools/nftables.service.8
-@@ -0,0 +1,18 @@
-+.TH nftables.service 8 "" "nftables" "nftables admin reference"
-+.SH Name
-+nftables.service \(em Static Firewall Configuration with nftables.service
-+.SH Description
-+An nftables systemd service is provided which allows to setup static firewall
-+rulesets based on a configuration file.
-+.PP
-+To use this service, you need to create the main configuration file in
-+/etc/nftables/rules/main.nft. A template for this can be copied from
-+/usr/share/doc/nftables/main.nft. The static firewall configuration can be
-+split up into multiple files which are included from the main.nft
-+configuration file.
-+.PP
-+Once the desired static firewall configuration is in place, it can be tested by
-+running `systemctl start nftables.service`. To enable the service at boot time,
-+run `systemctl enable nftables.service`.
-+.SH See also
-+\fBnft\fP(8)
-diff --git a/tools/nftables.service.in b/tools/nftables.service.in
-new file mode 100644
-index 00000000..f2f07126
---- /dev/null
-+++ b/tools/nftables.service.in
-@@ -0,0 +1,21 @@
-+[Unit]
-+Description=nftables static rule set
-+Documentation=man:nftables.service(8)
-+Wants=network-pre.target
-+Before=network-pre.target shutdown.target
-+Conflicts=shutdown.target
-+DefaultDependencies=no
-+ConditionPathExists=@pkgsysconfdir@/rules/main.nft
-+
-+[Service]
-+Type=oneshot
-+RemainAfterExit=yes
-+StandardInput=null
-+ProtectSystem=full
-+ProtectHome=true
-+ExecStart=@sbindir@/nft -f @pkgsysconfdir@/rules/main.nft
-+ExecReload=@sbindir@/nft -f @pkgsysconfdir@/rules/main.nft
-+ExecStop=@sbindir@/nft flush ruleset
-+
-+[Install]
-+WantedBy=sysinit.target
--- 
-2.48.1
-

_scmsync.obsinfo

@@ -0,0 +1,4 @@
+mtime: 1727939012
+commit: 554c6b6a3ce96010af8c533855d96945c8fd8d9fff4d3cbf12956b82a08de423
+url: https://src.opensuse.org/jengelh/nftables
+revision: master

build.specials.obscpio

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:82162ff6918de35ae9f3d1e379d1a2af83a90b85c80e8d38a1b411f2f8de0c5c
+size 256

nftables.changes

@@ -1,15 +1,3 @@
--------------------------------------------------------------------
-Sat Mar  8 21:24:40 UTC 2025 - Jan Engelhardt <jengelh@inai.de>
-
-- Update 0001-tools-add-a-systemd-unit-for-static-rulesets.patch
-  from new submission.
-
--------------------------------------------------------------------
-Tue Mar  4 08:01:21 UTC 2025 - Jan Engelhardt <jengelh@inai.de>
-
-- Add 0001-tools-add-a-systemd-unit-for-static-rulesets.patch
-  [boo#1237277]
-
 -------------------------------------------------------------------
 Thu Oct  3 07:00:54 UTC 2024 - Jan Engelhardt <jengelh@inai.de>
 

nftables.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package nftables
 #
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -33,7 +33,6 @@ Source:         http://ftp.netfilter.org/pub/%name/%name-%version.tar.xz
 Source2:        http://ftp.netfilter.org/pub/%name/%name-%version.tar.xz.sig
 Source3:        %name.keyring
 Source4:        nftables.rpmlintrc
-Patch1:         0001-tools-add-a-systemd-unit-for-static-rulesets.patch
 BuildRequires:  %{python_module pip}
 BuildRequires:  %{python_module setuptools}
 BuildRequires:  %{python_module wheel}
@@ -103,51 +102,37 @@ mkdir bin
 ln -s "%_bindir/docbook-to-man" bin/docbook2x-man
 export PATH="$PATH:$PWD/bin"
 mkdir obj
-cd obj/
+pushd obj/
 %define _configure ../configure
 %configure --disable-silent-rules --disable-static --docdir="%_docdir/%name" \
 	--includedir="%_includedir/%name" --with-json \
 	--enable-python --with-python-bin="$(which python3)"
 %make_build
-cd -
+popd
-cd py
+pushd py
 %pyproject_wheel
-cd -
+popd
 
 %install
 b="%buildroot"
 %make_install -C obj
-perl -i -lpe 's{^(Conflicts=.*)}{$1 firewalld.service}' "$b/%_unitdir/nftables.service"
+pushd py
-cd py
 %pyproject_install
 %python_expand %fdupes %buildroot/%{$python_sitelib}
+popd
 rm -f "%buildroot/%_libdir"/*.la
 mkdir -p "$b/%_docdir/%name/examples"
 mv -v "$b/%_datadir/nftables"/*.nft "$b/%_docdir/%name/examples/"
 
 %ldconfig_scriptlets -n libnftables1
 
-%pre
-%service_add_pre nftables.service
-
-%post
-%service_add_post nftables.service
-
-%preun
-%service_del_preun nftables.service
-
-%postun
-%service_del_postun nftables.service
-
 %files
 %license COPYING
-%dir %_sysconfdir/nftables/
+%_sysconfdir/nftables/
-%_sysconfdir/nftables/osf/
 %_sbindir/nft
 %_mandir/man5/*.5*
 %_mandir/man8/nft*
 %_docdir/%name/
-%_unitdir/nftables.service
 
 %files -n libnftables1
 %_libdir/libnftables.so.1*