commit d580575ca087e9ed009f221f0494a55900d98d558558e2470b42ba8409d41392
Author: Jan Engelhardt
Date: Fri Sep 20 19:02:34 2024 +0000
[info=cb13a807e948b9e2ee7f30031672e0410b673646daf7a327e92699b9254efbbd]
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/iptables?expand=0&rev=164
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/_scmsync.obsinfo b/_scmsync.obsinfo
new file mode 100644
index 0000000..1a3a9ed
--- /dev/null
+++ b/_scmsync.obsinfo
@@ -0,0 +1,4 @@
+mtime: 1716910044
+commit: cb13a807e948b9e2ee7f30031672e0410b673646daf7a327e92699b9254efbbd
+url: https://src.opensuse.org/jengelh/iptables
+revision: master
diff --git a/baselibs.conf b/baselibs.conf
new file mode 100644
index 0000000..07a7cbe
--- /dev/null
+++ b/baselibs.conf
@@ -0,0 +1 @@
+libip4tc2
diff --git a/build.specials.obscpio b/build.specials.obscpio
new file mode 100644
index 0000000..425f4c0
--- /dev/null
+++ b/build.specials.obscpio
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f2eb708ac1c9276ca2a5191d551fde3e6cc2bc99b93683499442c156c1ff3a4f
+size 256
diff --git a/iptables-1.8.10.tar.xz b/iptables-1.8.10.tar.xz
new file mode 100644
index 0000000..36f17e6
--- /dev/null
+++ b/iptables-1.8.10.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5cc255c189356e317d070755ce9371eb63a1b783c34498fb8c30264f3cc59c9c
+size 641168
diff --git a/iptables-1.8.10.tar.xz.sig b/iptables-1.8.10.tar.xz.sig
new file mode 100644
index 0000000..51a3574
Binary files /dev/null and b/iptables-1.8.10.tar.xz.sig differ
diff --git a/iptables-1.8.2-dont_read_garbage.patch b/iptables-1.8.2-dont_read_garbage.patch
new file mode 100644
index 0000000..05f0204
--- /dev/null
+++ b/iptables-1.8.2-dont_read_garbage.patch
@@ -0,0 +1,24 @@
+From: Fabian Vogt
+Date: 2019-04-04 13:41:59 +0200
+Subject: 'iptables -L' reads garbage
+References: [bsc#1106751]
+Upstream: reported (https://bugzilla.netfilter.org/show_bug.cgi?id=1331)
+
+This patch fixes a situation where 'iptables -L' reads garbage
+from the struct as the kernel never filled it in the bugged case.
+This can lead to issues like mapping a few TiB of memory
+
+---
+
+Index: iptables-1.8.2/libiptc/libiptc.c
+===================================================================
+--- iptables-1.8.2.orig/libiptc/libiptc.c
++++ iptables-1.8.2/libiptc/libiptc.c
+@@ -1305,6 +1305,7 @@ TC_INIT(const char *tablename)
+ {
+ struct xtc_handle *h;
+ STRUCT_GETINFO info;
++ memset(&info, 0, sizeof(info));
+ unsigned int tmp;
+ socklen_t s;
+ int sockfd;
diff --git a/iptables-batch-lock.patch b/iptables-batch-lock.patch
new file mode 100644
index 0000000..fe6f729
--- /dev/null
+++ b/iptables-batch-lock.patch
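Review bot: The added `memset(&info, 0, sizeof(info));` is placed between the declarations of `info` and `tmp` in TC_INIT, so a statement now interrupts the declaration block; the same zeroing is clearer as an initializer on the declaration itself, `STRUCT_GETINFO info = {0};`, with no separate statement. Zeroing only turns the garbage into zeros: when the kernel does not fill the struct, the caller still proceeds on an all-zero description, so the result of the getsockopt() call that presumably fills `info` and the length it returns in `s` (not visible in this hunk) should be checked explicitly as well. TC_INIT's body continues outside the hunk.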
@@ -0,0 +1,82 @@
+From: Matthias Gerstner
+Date: 2017-06-26T10:53:24+0000
+
+- fix a locking issue of iptables-batch which can cause it to spuriously fail
+ when other programs modify the iptables rules in parallel (bnc#1045130).
+ This can especially affect SuSEfirewall2 during startup.
+
+---
+ iptables/iptables-batch.c | 21 +++++++++++++++++++++
+ iptables/xshared.c | 8 +++++++-
+ 2 files changed, 28 insertions(+), 1 deletion(-)
+
+Index: iptables-1.8.10/iptables/iptables-batch.c
+===================================================================
+--- iptables-1.8.10.orig/iptables/iptables-batch.c
++++ iptables-1.8.10/iptables/iptables-batch.c
+@@ -44,6 +44,7 @@
+ #include
+ #endif
+ #include
++#include "xshared.h"
+
+ #ifdef IP6T
+ #define prog_name ip6tables_globals.program_name
+@@ -403,6 +404,26 @@ main(int argc, char *argv[])
+ tables[3].name = "raw";
+ tables[3].handle = NULL;
+ current_table = &tables[0];
++ /*
++ * We need to lock the complete batch processing against parallel
++ * modification by other processes. Otherwise, we can end up with
++ * EAGAIN errors.
++ *
++ * The do_command{4,6} function already locks itself, but the complete
++ * call sequence needs to be locked until the commit is performed.
++ *
++ * Sadly, the xtables_lock() implementation is not very cooperative.
++ * There is no unlock() equivalent. The lock file descriptor is simply
++ * left open until the process exits. Thus, we would have deadlocks
++ * when calling do_command{4,6} the second time.
++ *
++ * To prevent this, part of this patch adds logic to avoid taking the
++ * lock a second time in the same process in xtables_lock()
++ */
++ if (!xtables_lock_or_exit(-1)) {
++ fprintf(stderr, "failed to acquire the xtables lock\n");
++ exit(1);
++ }
+
+ while((r = getline(&iline, &llen, fp)) != -1)
+ {
+Index: iptables-1.8.10/iptables/xshared.c
+===================================================================
+--- iptables-1.8.10.orig/iptables/xshared.c
++++ iptables-1.8.10/iptables/xshared.c
+@@ -255,10 +255,14 @@ static void alarm_ignore(int i) {
+
+ static int xtables_lock(int wait)
+ {
++ static bool already_locked = false;
+ struct sigaction sigact_alarm;
+ const char *lock_file;
+ int fd;
+
++ if (already_locked)
++ /* Avoid deadlocks, see iptables-batch.c */
++ return true;
+ lock_file = getenv("XTABLES_LOCKFILE");
+ if (lock_file == NULL || lock_file[0] == '\0')
+ lock_file = XT_LOCK_NAME;
+@@ -278,8 +282,10 @@ static int xtables_lock(int wait)
+ alarm(wait);
+ }
+
+- if (flock(fd, LOCK_EX) == 0)
++ if (flock(fd, LOCK_EX) == 0) {
++ already_locked = true;
+ return fd;
++ }
+
+ if (errno == EINTR) {
+ errno = EWOULDBLOCK;
diff --git a/iptables-batch.patch b/iptables-batch.patch
new file mode 100644
index 0000000..8472aef
--- /dev/null
+++ b/iptables-batch.patch
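Review bot: `if (!xtables_lock_or_exit(-1))` in the iptables-batch.c part tests a value that, per the xshared.c part of the same file, is a file descriptor on success (`return fd;`) and negative on failure, so a legitimate descriptor 0 — possible when stdin was closed before the batch runs — is reported as "failed to acquire the xtables lock" while any negative value passes; `if (xtables_lock_or_exit(-1) < 0) {` is the intended test. In xshared.c the early return `return true;` hands the second caller the integer 1 rather than the descriptor obtained the first time, so any code that treats the result as an fd (closing or re-locking it) would operate on stdout; caching the descriptor avoids both problems: `static int lock_fd = -1;` … `if (lock_fd >= 0) return lock_fd;` … `lock_fd = fd;` before `return fd;`. `bool`/`true` also rely on `<stdbool.h>` being in scope in xshared.c, which this hunk does not show and is worth confirming. Both enclosing functions (`main` and `xtables_lock`) continue outside the hunk.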
@@ -0,0 +1,495 @@ +--- + iptables/Makefile.am | 9 + iptables/iptables-batch.c | 468 ++++++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 477 insertions(+) + +Index: iptables-1.8.9/iptables/Makefile.am +=================================================================== +--- iptables-1.8.9.orig/iptables/Makefile.am ++++ iptables-1.8.9/iptables/Makefile.am +@@ -147,3 +147,12 @@ uninstall-hook: + } + + EXTRA_DIST = tests ++ ++iptables_legacy_batch_SOURCES = iptables-batch.c iptables.c xshared.c ++iptables_legacy_batch_LDFLAGS = ${xtables_legacy_multi_LDFLAGS} ++iptables_legacy_batch_LDADD = ${xtables_legacy_multi_LDADD} ++ip6tables_legacy_batch_SOURCES = iptables-batch.c ip6tables.c xshared.c ++ip6tables_legacy_batch_CFLAGS = ${AM_CFLAGS} -DIP6T ++ip6tables_legacy_batch_LDFLAGS = ${xtables_legacy_multi_LDFLAGS} ++ip6tables_legacy_batch_LDADD = ${xtables_legacy_multi_LDADD} ++sbin_PROGRAMS += iptables-legacy-batch ip6tables-legacy-batch +Index: iptables-1.8.9/iptables/iptables-batch.c +=================================================================== +--- /dev/null ++++ iptables-1.8.9/iptables/iptables-batch.c +@@ -0,0 +1,468 @@ ++/* ++ * Author: Ludwig Nussel ++ * Update for iptables 1.4.3.x: Petr Uzel ++ * ++ * Based on the ipchains code by Paul Russell and Michael Neuling ++ * ++ * (C) 2000-2002 by the netfilter coreteam : ++ * Paul 'Rusty' Russell ++ * Marc Boucher ++ * James Morris ++ * Harald Welte ++ * Jozsef Kadlecsik ++ * ++ * iptables-batch -- iptables batch processor ++ * ++ * See the accompanying manual page iptables(8) for information ++ * about proper usage of this program. ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; either version 2 of the License, or ++ * (at your option) any later version. 
++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with this program; if not, write to the Free Software ++ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. ++ */ ++ ++#define _GNU_SOURCE ++#include ++#include ++#include ++#include ++#include ++ ++#ifdef IP6T ++#include ++#else ++#include ++#endif ++#include ++ ++#ifdef IP6T ++#define prog_name ip6tables_globals.program_name ++#define prog_ver ip6tables_globals.program_version ++#else ++#define prog_name iptables_globals.program_name ++#define prog_ver iptables_globals.program_version ++#endif ++ ++static char* errstr = NULL; ++ ++static unsigned current_line = 0; ++ ++static char* ++skipspace(char* ptr) ++{ ++ while(*ptr && isspace(*ptr)) ++ ++ptr; ++ return ptr; ++} ++ ++static char* ++getliteral(char** ptr) ++{ ++ char* start = *ptr; ++ char* p = start; ++ ++ while(*p && !isspace(*p)) ++ ++p; ++ ++ if(*p) ++ { ++ *p = '\0'; ++ ++p; ++ } ++ ++ *ptr = p; ++ return start; ++} ++ ++static char* ++getstring(char** ptr) ++{ ++ char* start = *ptr+1; // skip leading " ++ char* p = start; ++ char* o = start; ++ int backslash = 0; ++ int done = 0; ++ ++ while(*p && !done) ++ { ++ if(backslash) ++ { ++ backslash = 0; ++ // no escapes supported, just eat the backslash ++ *o++ = *p++; ++ } ++ else if(*p == '\\') ++ { ++ backslash = 1; ++ p++; ++ } ++ else if(*p == '"') ++ { ++ done = 1; ++ } ++ else ++ { ++ *o++ = *p++; ++ } ++ } ++ ++ if(done) ++ { ++ *o = '\0'; ++ *p = '\0'; ++ ++p; ++ *ptr = p; ++ } ++ else ++ { ++ errstr = "missing \" at end of string"; ++ start = NULL; ++ } ++ return start; ++} ++ ++// this is just a very basic method, not 100% shell compatible ++static char* ++getword(char** ptr) ++{ ++ *ptr = 
skipspace(*ptr); ++ if(**ptr == '"') ++ return getstring(ptr); ++ return getliteral(ptr); ++} ++ ++// destructive ++static int ++tokenize(int* argc, char* argv[], size_t nargvsize, char* iline) ++{ ++ char* ptr = skipspace(iline); ++ int ret = 0; ++ char* word; ++ ++ while(ptr && *ptr) ++ { ++ if(*ptr == '#') ++ break; ++ if(*argc >= nargvsize) ++ { ++ errstr = "too many arguments"; ++ ret = -1; ++ break; ++ } ++ word = getword(&ptr); ++ if(!word) ++ { ++ ret = -1; ++ break; ++ } ++ argv[(*argc)++] = word; ++ ++ret; ++ } ++ return ret; ++} ++ ++#ifdef DEBUG ++static void ++dumpargv(int argc, char* argv[]) ++{ ++ int i; ++ for(i=0; i < argc; ++i) ++ { ++ printf("%s\"%s\"",i?" ":"", argv[i]); ++ } ++ puts(""); ++} ++#endif ++ ++struct table_handle ++{ ++ char* name; ++#ifdef IP6T ++ struct ip6tc_handle *handle; ++#else ++ struct iptc_handle *handle; ++#endif ++}; ++ ++static struct table_handle* tables = NULL; ++static unsigned num_tables; ++struct table_handle* current_table; ++ ++static void ++alloc_tables(void) ++{ ++ tables = realloc(tables, sizeof(struct table_handle) * num_tables); ++} ++ ++static void ++set_current_table(const char* name) ++{ ++ unsigned i; ++ ++ if(!strcmp(name, current_table->name)) // same as last time? 
++ return; ++ ++ for(i = 0; i < num_tables; ++i) // find already known table ++ { ++ if(!strcmp(name, tables[i].name)) ++ { ++ current_table = &tables[i]; ++ return; ++ } ++ } ++ ++ // table name not known, create new ++ i = num_tables++; ++ alloc_tables(); ++ current_table = &tables[i]; ++ current_table->name = strdup(name); ++ current_table->handle = NULL; ++} ++ ++static int ++find_table(int argc, char* argv[]) ++{ ++ int i; ++ for(i = 0; i < argc; ++i) ++ { ++ if(!strcmp(argv[i], "-t") || !strcmp(argv[i], "--table")) ++ { ++ ++i; ++ if(i >= argc) ++ { ++ fprintf(stderr, "line %d: missing table name after %s\n", ++ current_line, argv[i]); ++ return 0; ++ } ++ set_current_table(argv[i]); ++ return 1; ++ } ++ } ++ ++ // no -t specified ++ set_current_table("filter"); ++ ++ return 1; ++} ++ ++static int ++do_iptables(int argc, char* argv[]) ++{ ++ char *table = "filter"; ++ int ret = 0; ++ ++ if(!find_table(argc, argv)) ++ return 0; ++ ++#ifdef IP6T ++ ret = do_command6(argc, argv, &table, ¤t_table->handle, true); ++ ++ if (!ret) ++ { ++ fprintf(stderr, "line %d: %s\n", current_line, ip6tc_strerror(errno)); ++ } ++ else ++ { ++ if(!table || strcmp(table, current_table->name)) ++ { ++ fprintf(stderr, "line %d: expected table %s, got %s\n", ++ current_line, current_table->name, table); ++ exit(1); ++ } ++ } ++#else ++ ret = do_command4(argc, argv, &table, ¤t_table->handle, true); ++ ++ if (!ret) ++ { ++ fprintf(stderr, "line %d: %s\n", current_line, iptc_strerror(errno)); ++ } ++ else ++ { ++ if(!table || strcmp(table, current_table->name)) ++ { ++ fprintf(stderr, "line %d: expected table %s, got %s\n", ++ current_line, current_table->name, table); ++ exit(1); ++ } ++ } ++#endif ++ ++ return ret; ++} ++ ++static int ++do_commit(void) ++{ ++ unsigned i; ++ int ret = 1; ++ ++ for(i = 0; i < num_tables; ++i) ++ { ++ if(tables[i].handle) ++ { ++#ifdef IP6T ++ ret = ip6tc_commit(tables[i].handle); ++ if (!ret) ++ fprintf(stderr, "commit failed on table %s: %s\n", 
tables[i].name, ip6tc_strerror(errno)); ++ ip6tc_free(tables[i].handle); ++ tables[i].handle = NULL; ++#else ++ ret = iptc_commit(tables[i].handle); ++ if (!ret) ++ fprintf(stderr, "commit failed on table %s: %s\n", tables[i].name, iptc_strerror(errno)); ++ iptc_free(tables[i].handle); ++ tables[i].handle = NULL; ++#endif ++ } ++ } ++ ++ return ret; ++} ++ ++static void ++help(void) ++{ ++ fprintf(stderr, "Usage: %s [FILE]\n\n", prog_name); ++ puts("Read iptables commands from FILE, commit them at EOF\n"); ++ puts("In addition to normal iptables calls the commands"); ++ puts("'commit' and 'exit' are understood."); ++ exit(0); ++} ++ ++int ++main(int argc, char *argv[]) ++{ ++ int ret = 1; ++ int c; ++ int numtok; ++ size_t llen = 0; ++ char* iline = NULL; ++ ssize_t r = -1; ++ int nargc = 0; ++ char* nargv[256]; ++ FILE* fp = stdin; ++ ++#ifdef IP6T ++ prog_name = "ip6tables-batch"; ++#else ++ prog_name = "iptables-batch"; ++#endif ++ ++#ifdef IP6T ++ c = xtables_init_all(&ip6tables_globals, NFPROTO_IPV6); ++#else ++ c = xtables_init_all(&iptables_globals, NFPROTO_IPV4); ++#endif ++ ++ if(c < 0) { ++ fprintf(stderr, "%s/%s Failed to initialize xtables\n", ++ prog_name, ++ prog_ver); ++ exit(1); ++ } ++ ++#ifdef NO_SHARED_LIBS ++ init_extensions(); ++#endif ++ if(argc > 1) ++ { ++ if(!strcmp(argv[1], "--help") || !strcmp(argv[1], "-h")) ++ { ++ help(); ++ } ++ else if(strcmp(argv[1], "-")) ++ { ++ fp = fopen(argv[1], "r"); ++ if(!fp) ++ { ++ perror("fopen"); ++ exit(1); ++ } ++ } ++ } ++ ++ num_tables = 4; ++ alloc_tables(); ++ tables[0].name = "filter"; ++ tables[0].handle = NULL; ++ tables[1].name = "mangle"; ++ tables[1].handle = NULL; ++ tables[2].name = "nat"; ++ tables[2].handle = NULL; ++ tables[3].name = "raw"; ++ tables[3].handle = NULL; ++ current_table = &tables[0]; ++ ++ while((r = getline(&iline, &llen, fp)) != -1) ++ { ++ if(llen < 1 || !*iline) ++ continue; ++ if(iline[strlen(iline)-1] == '\n') ++ iline[strlen(iline) -1 ] = '\0'; ++ ++ ++current_line; 
++ nargc = 0; ++ errstr = NULL; ++ numtok = tokenize(&nargc, nargv, (sizeof(nargv)/sizeof(nargv[0])), iline); ++ if(numtok == -1) ++ { ++ } ++ else if (numtok == 0) ++ { ++ continue; ++ } ++ else if(nargc < 1) ++ { ++ errstr = "insufficient number of arguments"; ++ } ++ ++ if(errstr) ++ { ++ fprintf(stderr, "parse error in line %d: %s\n", current_line, errstr); ++ ret = 0; ++ break; ++ } ++ ++#ifdef DEBUG ++ dumpargv(nargc, nargv); ++#endif ++ ++#ifdef IP6T ++ if(!strcmp(nargv[0], "ip6tables")) ++#else ++ if(!strcmp(nargv[0], "iptables")) ++#endif ++ { ++ ret = do_iptables(nargc, nargv); ++ if(!ret) break; ++ } ++ else if(!strcmp(nargv[0], "exit")) ++ { ++ break; ++ } ++ else if(!strcmp(nargv[0], "commit")) ++ { ++ /* do nothing - see bnc#500990, comment #16 */ ++ } ++ else ++ { ++ fprintf(stderr, "line %d: invalid command '%s'\n", current_line, nargv[0]); ++ } ++ } ++ ++ if(ret) ++ ret = do_commit(); ++ ++ exit(!ret); ++} diff --git a/iptables.changes b/iptables.changes new file mode 100644 index 0000000..663aad5 --- /dev/null +++ b/iptables.changes 
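Review bot: In `find_table`, the error branch reached after `++i` when `i >= argc` prints `argv[i]`, which is `argv[argc]`; `tokenize` never NULL-terminates `nargv`, so this reads an uninitialized pointer out of `main`'s `nargv[256]` and hands it to `%s` — the option name is at `argv[i - 1]`, and since `current_line` is `unsigned` the line should read `fprintf(stderr, "line %u: missing table name after %s\n", current_line, argv[i - 1]);` (the other `line %d` messages have the same specifier mismatch). In `main`, `if(llen < 1 || !*iline)` tests `llen`, the buffer capacity that getline() grows, rather than the bytes actually read in `r`; `if (r < 1 || !*iline)` is the meaningful check, and `r` also locates the trailing newline without the two `strlen` calls. `skipspace`, `getliteral` and `tokenize` pass a plain `char` to `isspace()`, which is undefined for negative values, so bytes above 0x7f in a rule file should go through `(unsigned char)` first. `alloc_tables` assigns `realloc`'s result straight to `tables` without a check, so an allocation failure drops the old array and the following `current_table = &tables[i]` in `set_current_table` dereferences NULL.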
@@ -0,0 +1,1035 @@ +------------------------------------------------------------------- +Fri May 24 15:07:24 UTC 2024 - Jan Engelhardt + +- Edit iptables-batch-lock.patch, cure use of implicit function, + fix it to make gcc14 happy. + +------------------------------------------------------------------- +Sat Oct 21 06:03:26 UTC 2023 - Jan Engelhardt + +- The presence of nftables does not mandate that iptables use + backend-nft [bsc#1206383]. + +------------------------------------------------------------------- +Tue Oct 10 11:43:57 UTC 2023 - Jan Engelhardt + +- Update to release 1.8.10 + * xtables-translate: support rule insert with index + * broute table support in ebtables-nft + * nft-variants' debug output (pass multiple ``-v`` flags) now + contains sets if present + * Add mld-listener type names to icmp6 match + +------------------------------------------------------------------- +Mon Feb 13 14:29:48 UTC 2023 - Danilo Spinella + +- Use nftables backend by default when nftables is installed, bsc#1206383 + +------------------------------------------------------------------- +Thu Jan 12 22:58:50 UTC 2023 - Jan Engelhardt + +- Update to release 1.8.9 + * arptables-nft: Support --exact flag + * Support more chunk types in the "sctp" extension + * Print `--` in ip6tables' "opt" column for consistency with + iptables + * More verbose error messages if iptables-nft-restore fails + * Support `-p Length` with ebtables-nft, + needed for 802_3 extension. + +------------------------------------------------------------------- +Thu Jul 21 12:43:02 UTC 2022 - Ludwig Nussel + +- add baselibs.conf for libip4tc2, will be needed by + libsystemd-shared-251.so + +------------------------------------------------------------------- +Fri May 13 15:39:33 UTC 2022 - Jan Engelhardt + +- Update to release 1.8.8 + * Add iptables-translate support for: sctp match's + --chunk-types option, connlimit match, multiport match's + --ports option, and the tcpmss match. 
+ * Reject setuid executables in libxtables for safety reasons + * Extended arptables-nft with -C, -I, -R, -S cmomands and the + "-c N,M" counter syntax. + * Debug output in iptables-restore (all variants), iptables-nft + and ebtables-nft when specifying -v multiple times + * Improved performance of iptables-save and -restore + +------------------------------------------------------------------- +Thu Dec 30 15:05:20 UTC 2021 - Danilo Spinella + +- Only use nftables backend when iptables-backend-nft is installed + when using libalternatives + +------------------------------------------------------------------- +Fri Nov 19 11:17:27 UTC 2021 - Danilo Spinella + +- Fix libalternatives configuration for ebtables and arptables + by keeping argv0, fixes bsc#1192799. + +------------------------------------------------------------------- +Wed Oct 20 11:15:19 UTC 2021 - Stefan Schubert + +- Added alts requirements for iptables-backend-nft package. + +------------------------------------------------------------------- +Thu Sep 16 11:40:45 UTC 2021 - Stefan Schubert + +- Removed update-alternatives dependency in libalternatives mode. + +------------------------------------------------------------------- +Tue Aug 3 07:13:19 UTC 2021 - Stefan Schubert + +- Use libalternatives instead of update-alternatives. + +------------------------------------------------------------------- +Fri Jan 15 22:34:25 UTC 2021 - Jan Engelhardt + +- Update to release 1.8.7 + * iptables-nft: + * Improved performance when matching on IP/MAC address prefixes + if the prefix is byte-aligned. In ideal cases, this doubles + packet processing performance. + * Dump user-defined chains in lexical order. This way ruleset + dumps become stable and easily comparable. + * Avoid pointless table/chain creation. For instance, + `iptables-nft -L` no longer creates missing base-chains. 
+ +------------------------------------------------------------------- +Sun Nov 1 12:31:34 UTC 2020 - Jan Engelhardt + +- Update to release 1.8.6 + * iptables-nft had pointlessly added "bitwise" expressions to + each IP address match, needlessly slowing down run-time + performance (by 50% in worst cases). + * iptables-nft-restore: Support basechain policy value of "-" + (indicating to not change the chain's policy). + * nft-translte: Fix translation of ICMP type "any" match. + +------------------------------------------------------------------- +Wed Jun 3 13:21:57 UTC 2020 - Jan Engelhardt + +- Update to release 1.8.5 + * IDLETIMER: Add alarm timer option + * nft: CT: add translation for NOTRACK +- Drop iptables-apply-mktemp-fix.patch (seemingly applied) + +------------------------------------------------------------------- +Mon Dec 2 20:01:25 UTC 2019 - Jan Engelhardt + +- Update to release 1.8.4 + * Fix for wrong counter format in `ebtables-nft-save -c` output. + * Print typical iptables-save comments in arptables- and + ebtables-save, too. + * xt_owner: add --suppl-groups option + * Remove support for /etc/xtables.conf + * Restore support for "-4" and "-6" options in rule lines. + +------------------------------------------------------------------- +Mon Sep 30 13:21:38 UTC 2019 - Kristyna Streitova + +- Add Conflicts with iptables-nft = 1.6.2 as during the update to + iptables 1.8 ip6tables-restore-translate, ip6tables-translate, + iptables-restore-translate and iptables-translate were moved from + iptables-nft subpackage (now iptables-backend-nft) to the main + package. So we need to add a conflict here otherwise we hit file + conflicts error during the update. 
+ +------------------------------------------------------------------- +Fri Sep 6 10:19:25 UTC 2019 - Kristyna Streitova + +- add missing Provides/Obsoletes for the renamed package + iptables-backend-nft (was iptables-nft) + +------------------------------------------------------------------- +Tue May 28 08:37:39 UTC 2019 - Jan Engelhardt + +- Update to new upstream release 1.8.3 + * ebtables: Fix rule listing with counters + * ebtables-nft: Support user-defined chain policies +- Remove 0001-include-extend-the-headers-conflict-workaround-to-in.patch + 0001-include-fix-build-with-kernel-headers-before-4.2.patch + (upstreamed) + +------------------------------------------------------------------- +Wed May 22 16:15:28 UTC 2019 - Jan Engelhardt + +- Add 0001-include-fix-build-with-kernel-headers-before-4.2.patch, + 0001-include-extend-the-headers-conflict-workaround-to-in.patch + to fix build with older linux-glibc-devel. [boo#1132821] + +------------------------------------------------------------------- +Thu Apr 4 11:44:31 UTC 2019 - KristĂ˝na Streitová + +- Add iptables-1.8.2-dont_read_garbage.patch that fixes a situation + where 'iptables -L' reads garbage from the struct as the kernel + never filled it in the bugged case. This can lead to issues like + mapping a few TiB of memory [bsc#1106751]. + +------------------------------------------------------------------- +Tue Nov 13 12:09:24 UTC 2018 - Jan Engelhardt + +- Update to new upstream release 1.8.2 + * Fix incorrect handling of various targets and options in + iptables-nft,ebtables-nft,arptables-nft. 
+ +------------------------------------------------------------------- +Tue Oct 23 14:25:53 UTC 2018 - Jan Engelhardt + +- Update to new upstream release 1.8.1 + * New cgroup match revision with reduced memory footprint + +------------------------------------------------------------------- +Mon Sep 24 08:14:16 UTC 2018 - astieger@suse.com + +- note build-time dependency on libnftnl >= 1.1.1 + +------------------------------------------------------------------- +Tue Sep 4 08:08:22 UTC 2018 - Markos Chandras + +- Add missing update-alternatives dependency to Requires(post) + section. If this is missing the package fails to install properly + when it is used as build dependency. + +------------------------------------------------------------------- +Mon Jul 9 09:38:13 UTC 2018 - jengelh@inai.de + +- Update to new upstream release 1.8.0 and snapshot 1.8.0.g75 + * The ipv6 "srh" match can now match previous/next/last sid + * CONNMARK target now supports bit-shifting for restore,set + and save-mark. + * DNAT now supports shifted portmap ranges. + * iptables now comes in two backends: legacy and nft. + +------------------------------------------------------------------- +Thu May 24 16:38:53 CEST 2018 - kukuk@suse.de + +- Use %license instead of %doc [bsc#1082318] + +------------------------------------------------------------------- +Mon Mar 12 10:08:53 UTC 2018 - matthias.gerstner@suse.com + +- Fix ethertypes ownership, should be %exclude, not %ghost. + +------------------------------------------------------------------- +Thu Feb 22 16:21:38 UTC 2018 - matthias.gerstner@suse.com + +- Resolve conflict with ebtables and obtain ethertypes from new netcfg minor + version. 
FATE#320520 + +------------------------------------------------------------------- +Sat Feb 3 14:02:59 UTC 2018 - jengelh@inai.de + +- Update to new upstream release 1.6.2 + * add support for the "srh" match + * add randomize-full for the "MASQUERADE" target + * add rate match mode to the "hashlimit" match + +------------------------------------------------------------------- +Thu Jun 22 15:34:40 UTC 2017 - matthias.gerstner@suse.com + +- Add iptables-batch-lock.patch: Fix a locking issue of + iptables-batch which can cause it to spuriously fail when other + programs modify the iptables rules in parallel (bnc#1045130). + This can especially affect SuSEfirewall2 during startup. + +------------------------------------------------------------------- +Fri Jan 27 22:53:14 UTC 2017 - jengelh@inai.de + +- Update to new upstream release 1.6.1 +* add support for hashlimit rev 2 for higher pps rates +* add support for cgroup2 path matching +* translation program for nft + +------------------------------------------------------------------- +Fri Dec 18 20:06:41 UTC 2015 - jengelh@inai.de + +- Update to final release 1.6.0 +* Only a build fix, no new significant changes. + +------------------------------------------------------------------- +Mon Nov 23 11:07:15 UTC 2015 - jengelh@inai.de + +- Update to new snapshot v1.4.21-367-g9763347 [1.6.0~] +* -m ah/esp/rt: restore matching "any SPI id" by default + (they unexpectedly defaulted to --spi 0 rather than --spi ALL) +* -m cgroup: new module +* -m dst: make ! --dst-len work +* -m ipcomp: new module +* -m socket: add --restore-skmark option +* -j CT: add support for new zone options +* -j REJECT: add missing ICMPv6 codes +* -j TEE: make it possible to delete rules with -D ... 
-j +* -j SNAT/DNAT: add randomize-full support + +------------------------------------------------------------------- +Thu Apr 24 09:54:12 UTC 2014 - dmueller@suse.com + +- remove dependency on gpg-offline (blocks rebuilds and + tarball integrity is checked by source-validator anyway) + +------------------------------------------------------------------- +Wed Apr 23 16:20:02 UTC 2014 - dmueller@suse.com + +- remove dependency on sgmltool: doesn't seem to be used + and reduces rebuild time on aarch64 by 8 hours + +------------------------------------------------------------------- +Sat Nov 23 04:39:31 UTC 2013 - jengelh@inai.de + +- Update to new upstream release 1.4.21 +* --nowildcard option for xt_socket, available since Linux kernel 3.11 +* SYNPROXY support, available since Linux kernel 3.12 + +------------------------------------------------------------------- +Wed Aug 7 13:19:02 UTC 2013 - jengelh@inai.de + +- Update to new upstream release 1.4.20 +* Introduce a new revision for the set match with the counters support +* Add locking to prevent concurrent instances + +------------------------------------------------------------------- +Fri May 31 20:00:39 UTC 2013 - jengelh@inai.de + +- Update to new upstream release 1.4.19.1 +* New connlabel and bpf matches +- Remove 0001-Revert-build-resolve-link-failure-for-ip6t_NETMAP.patch, + 0001-libip6t_NETMAP-Use-xtables_ip6mask_to_cidr-and-get-r.patch + (are upstream) + +------------------------------------------------------------------- +Mon Apr 15 06:19:21 UTC 2013 - jengelh@inai.de + +- libxt_state.so symlink was not installed (bnc#815182); fix by + removing 0001-build-also-use-libtool-for-install-stage.patch, + removing 0001-build-do-not-dereference-symlinks-on-installation.patch, + adding 0001-libip6t_NETMAP-Use-xtables_ip6mask_to_cidr-and-get-r.patch, + adding 0001-Revert-build-resolve-link-failure-for-ip6t_NETMAP.patch + +------------------------------------------------------------------- +Wed Mar 20 08:22:20 UTC 
2013 - cfarrell@suse.com + +- license update: GPL-2.0 and Artistic-2.0 + GPL version does not have ^or later^ due to inclusion of numerous GPL 2 + ^only^ files. Also, aggregation of Artistic-2.0 content + +------------------------------------------------------------------- +Mon Mar 4 21:42:12 UTC 2013 - jengelh@inai.de + +- Update to new upstream release 1.4.18 +* documentation updates +- Create subpackage xtables-plugins, to aid packaging of xtadm +- Add 0001-build-do-not-dereference-symlinks-on-installation.patch + as a prerequisite for: +- Add 0001-build-also-use-libtool-for-install-stage.patch + to kill of undesired DT_RPATH entries + +------------------------------------------------------------------- +Tue Dec 25 22:47:56 UTC 2012 - jengelh@inai.de + +- Update to new upstream release 1.4.17 +* libxt_time: add support to ignore day transition +* libxt_statistic: fix save output + +------------------------------------------------------------------- +Wed Nov 28 17:07:29 CET 2012 - sbrabec@suse.cz + +- Verify GPG signature + +------------------------------------------------------------------- +Thu Nov 15 16:06:15 UTC 2012 - lnussel@suse.de + +- list all required binaries explicitly to make sure all of them are actually + compiled + +------------------------------------------------------------------- +Thu Nov 15 14:15:48 UTC 2012 - jengelh@inai.de + +- Always regenerate files due to SUSE's iptables-batch patch + +------------------------------------------------------------------- +Mon Oct 8 12:42:37 UTC 2012 - jengelh@inai.de + +- Update to new upstream release 1.4.16.3 +* This release includes aliasing support which translates command + lines using obsolete extensions into new ones. The option parser + now flags illegal negative numbers in some more extensions. + A division by zero was resolved in libxt_limit as well. 
+ +------------------------------------------------------------------- +Tue Jul 31 12:08:07 UTC 2012 - jengelh@inai.de + +- Update to new upstream release 1.4.15 +* libxt_recent: add --mask netmask +* libxt_hashlimit: add support for byte-based operation + +------------------------------------------------------------------- +Sat May 26 19:35:38 UTC 2012 - jengelh@inai.de + +- Update to new upstream release 1.4.14 +* Support for the new cttimeout infrastructure. This allows you to + attach specific timeout policies to flow via iptables CT target. + +------------------------------------------------------------------- +Tue Mar 27 13:29:31 UTC 2012 - jengelh@medozas.de + +- Update to new upstream release 1.4.13 +* Add the rpfilter, nfacct and IPv6 ECN extensions + +------------------------------------------------------------------- +Mon Jan 2 21:30:38 UTC 2012 - jengelh@medozas.de + +- Update to newer git snapshot (v1.4.12.2-28-g2117f2b, + but master branch), tag locally as 1.4.12.90. +* ships missing pkgconfig files, compile fix for libnfnetlink +* libxt_NFQUEUE: fix --queue-bypass ipt-save output +* libxt_connbytes: fix handling of --connbytes FROM +* libxt_recent: Add support for --reap option +- split iptables-devel into libiptc-devel and libxtables-devel + +------------------------------------------------------------------- +Wed Dec 28 09:50:23 UTC 2011 - puzel@suse.com + +- iptables-apply-mktemp-fix.patch (bnc#730161) + +------------------------------------------------------------------- +Wed Nov 30 14:28:11 UTC 2011 - coolo@suse.com + +- add automake as buildrequire to avoid implicit dependency + +------------------------------------------------------------------- +Tue Oct 4 23:01:57 UTC 2011 - jengelh@medozas.de + +- Update to a newer git snapshot of the stable branch + (to v1.4.12.1-16-gd2b0eaa) +* resolve failure to load extensions that depend on libm.so +- rediff of iptables-batch due to fuzz +- relax runtime requires + 
+-------------------------------------------------------------------
+Thu Sep 1 17:09:05 UTC 2011 - jengelh@medozas.de
+
+- Update to new upstream release 1.4.12.1
+* regression fixes for the new (stricter) command-line parser
+- restore --includedir= in spec file
+- Put libxtables into its own subpackage so that one does not need
+ a lockstep update of iproute2 on a new iptables package
+- Remove redundant fields (Autoreqprov defaults to on, License is
+ inherited from main package)
+
+-------------------------------------------------------------------
+Sat Aug 13 01:39:38 CEST 2011 - draht@suse.de
+
+- include path is /usr/include
+
+-------------------------------------------------------------------
+Mon Aug 8 00:42:53 UTC 2011 - jengelh@medozas.de
+
+- Put include files into a separate directory to flag up missing
+ CFLAGS. libipq.pc will now be provided.
+- Enable build of nfnl_osf, a tool to upload OS fingerprints to
+ the kernel for use with xt_osf.
+
+-------------------------------------------------------------------
+Fri Jul 22 13:12:50 UTC 2011 - jengelh@medozas.de
+
+- Update to new upstream release 1.4.12
+* Include lost match/target descriptions in manpage again
+* libxt_LOG: fix ignorance of all but the last flag
+* libxt_HL: restore hl-* option names
+* libxt_hashlimit: use a more obvious expiry value by default
+* libxt_RATEEST: fix find-and-delete of rules with -j RATEEST
+* ipv4: restore negation for the -f option
+* Reject empty host specifications (e.g.
-s "")
+* libxt_conntrack: restore network byteordering for ABI v1 & v2
+* Documentation updates
+
+-------------------------------------------------------------------
+Wed Jun 8 10:20:57 UTC 2011 - jengelh@medozas.de
+
+- Update to snapshot 1.4.11+git16
+* libxt_owner: restore inversion support
+* option: fix ignored negation before implicit extension loading
+* build: fix installation of symlinks
+* build: fix absence of xml translator in IPv6-only builds
+- Drop merged patches
+
+-------------------------------------------------------------------
+Sun May 29 23:56:33 UTC 2011 - jengelh@medozas.de
+
+- Update to new upstream release 1.4.11
+* stricter option parsing
+* support for the current xt_SET target as contained in 2.6.39
+* support for the new xt_devgroup match
+* support for the new xt_AUDIT target
+* support for a new NFQUEUE bypass option, allowing to bypass the
+ queue if no userspace listener is present
+* a new iptables option "-C" to check for existence of a rules
+- Fixes on top
+* allow negation of --uid-owner/--gid-owner again
+* fix installation of symlinks
+- Run spec-beautifier
+
+-------------------------------------------------------------------
+Fri Oct 29 17:56:48 UTC 2010 - jengelh@medozas.de
+
+- Update to new upstream release 1.4.10
+* this is the release for the Linux 2.6.36 kernel
+* support for the cpu match, which can be used to improve cache
+ locality when running multiple server instances
+* support for the IDLETIMER target, which can be used to notify
+ userspace of interfaces being idle
+* support for the CHECKSUM target
+* support for the ipvs match
+* a fix for deletion of rules using the quota match
+
+-------------------------------------------------------------------
+Mon Aug 9 07:21:28 UTC 2010 - puzel@novell.com
+
+- update to new upstream release 1.4.9.1
+ * fixes a compilation problem with static linking in the 1.4.9
+ release
+
+-------------------------------------------------------------------
+Wed Aug 4 09:56:11 
UTC 2010 - puzel@novell.com
+
+- update to new upstream release 1.4.9
+ * this is the release for the Linux 2.6.35 kernel
+ * support for the LED target
+ * a new version of the set extension for the upcoming release
+ supporting IPv6
+ * negation support for the quota match
+ * support for the SACK-IMMEDIATELY SCTP extension and
+ FORWARD_TSN chunk type in the sctp match
+ * documentation updates and various smaller bugfixes
+
+-------------------------------------------------------------------
+Wed May 26 15:20:25 UTC 2010 - jengelh@medozas.de
+
+- update to new upstream release 1.4.8
+ * this is the release for the Linux 2.6.34 kernel
+ * add support for the new xt_CT extension
+ * import the nfnl_osf program required for proper operation
+ of the xt_osf extension
+
+-------------------------------------------------------------------
+Sat Apr 24 11:38:18 UTC 2010 - coolo@novell.com
+
+- buildrequire pkg-config to fix provides
+
+-------------------------------------------------------------------
+Mon Mar 1 15:43:30 UTC 2010 - jengelh@medozas.de
+
+- update to new upstream release 1.4.7
+ * libipq is built as a shared library
+ * removal of some restrictions on interface names
+ * documentation updates
+- rebase and fix linking of iptables-batch
+- fix libdir->libexecdir
+
+-------------------------------------------------------------------
+Mon Feb 22 13:09:03 UTC 2010 - jengelh@medozas.de
+
+- only run configure when needed
+- use %_smp_mflags
+- use newer git snapshot to fix compile error due to missing
+ ipt_DSCP.h in newer linux-glibc-devel (>= 2.6.32)
+
+-------------------------------------------------------------------
+Wed Dec 30 13:01:52 UTC 2009 - puzel@novell.com
+
+- fix bnc#561793 - do not include unclean module documentation
+ in iptables manpage
+
+-------------------------------------------------------------------
+Tue Dec 22 18:09:11 CET 2009 - jengelh@medozas.de
+
+- update specfile descriptions (bnc#553801)
+- update to iptables 1.4.6:
+ * 
combine iptables subprograms into a new multi-purpose binary
+ * support for new implementations: NFQUEUE v1, conntrack v2
+ * helper: fix invalid passed option to check_inverse
+ * iprange accepts single host specifications again
+ * iprange: do accept non-ranges for xt_iprange v1
+ * iprange: warn on reverse range
+ * libiptc: fix wrong maptype of base chain counters on restore
+ * iptables: fix undersized deletion mask creation
+ * iptables/extensions: make bundled options work again
+ * iptables: take masks into consideration for replace command
+ * xtables: warn of missing version identifier in extensions
+ * documentation updates
+- refresh iptables-batch
+
+-------------------------------------------------------------------
+Thu Nov 12 08:21:35 UTC 2009 - puzel@novell.com
+
+- remove outdated howtos (bnc#551748)
+
+-------------------------------------------------------------------
+Wed Jul 15 17:53:13 CEST 2009 - kay.sievers@novell.com
+
+- fix libdir/libexecdir on 64bit installation
+
+-------------------------------------------------------------------
+Wed Jun 17 17:23:48 CEST 2009 - puzel@novell.com
+
+- install iptables-apply
+
+-------------------------------------------------------------------
+Wed Jun 17 12:15:58 CEST 2009 - puzel@suse.cz
+
+- update to iptables-1.4.4
+ * support for the new features in the 2.6.30 kernel, namely the
+ cluster match and persistent multi-range NAT mappings
+ * support for the ipset set match and target
+ * various minor fixes and cleanups
+ * documentation updates
+
+-------------------------------------------------------------------
+Mon May 11 17:12:57 CEST 2009 - puzel@suse.cz
+
+- make explicit 'commit' in iptables-batch do nothing (bnc#500990)
+
+-------------------------------------------------------------------
+Tue Apr 21 14:15:16 CEST 2009 - puzel@suse.cz
+
+- update to 1.4.3.2
+ - numerous documentation updates and bugfixes
+ - set of changes to move some of the iptables functionality to a shared
+ library 
for tc and m_ipt
+ - make libiptc available as shared library (closes bnc#487629)
+ - IPv6 support for the recent match
+ - TPROXY support
+ - SCTP/DCCP NAT support
+
+- INCOMPATIBILITY: This release starts enforcing the deprecation of NAT
+ filtering that was added in 1.4.2-rc1, filtering rules in the NAT tables will
+ cause an error instead of a warning from now on.
+
+- rework iptables-batch.patch (libiptc interface has changed)
+- update howtos
+
+-------------------------------------------------------------------
+Fri Jan 16 14:57:14 CET 2009 - prusnak@suse.cz
+
+- updated to 1.4.2
+ * remove dependency on libiptc headers
+ * fix segmentation fault with -tanything
+ * warn about use of DROP in nat table
+ * do allow --rttl for --update
+ * run ldconfig on `make install`
+ * fix invalid iptables-save output
+ * fix hashlimit output
+
+-------------------------------------------------------------------
+Wed Sep 10 13:36:30 CEST 2008 - prusnak@suse.cz
+
+- updated to 1.4.2-rc1
+ * libxt_TOS: make sure --set-tos value/mask is recognized
+ * libiptc: fix scalability performance issue during initial ruleset parsing
+ * xt_string: string extension case insensitive matching
+ * ip6tables: add --goto support
+
+-------------------------------------------------------------------
+Wed Sep 10 12:02:03 CEST 2008 - prusnak@suse.cz
+
+- updated to 1.4.1.1
+ * iptables: fix printing of line numbers with --line-numbers arg
+ * ip6tables: fix printing of ipv6 network masks
+ * build: fix `make install` when --disable-shared is used
+ * iprange: kernel flags were not set
+
+-------------------------------------------------------------------
+Wed Sep 10 11:59:58 CEST 2008 - prusnak@suse.cz
+
+- updated to 1.4.1
+ * iptables: use C99 lists for struct options
+ * Make iptables-restore usable over a pipe
+ * Add support for --set-counters to iptables -P
+ * iptables --list-rules command
+ * iptables --list chain rulenum
+ * Make --set-counters (-c) accept comma separated counters
+ 
* libxt_iprange: Fix IP validation logic
+ * fix ip6tables dest address printing
+ * Converts the iptables build infrastructure to autotools.
+ * Introduce strtonum(), which works like string_to_number(), but passes
+ * print warning when dlopen fails
+ * libxt_owner: UID/GID range support
+ * Fix compilation of iptables-static build
+ * xtables.h: move non-exported parts to internal.h
+ * Combine IP{,6}T_LIB_DIR into XTABLES_LIBDIR
+ * manpages: fix broken markup (missing close tags)
+ * manpages: update to reflect fine-grained control
+ * configure: split --enable-libipq from --enable-devel
+ * Add all necessary header files - compilation fix for various cases
+ * Install libiptc header files because xtables.h depends on it
+ * Implement AF_UNSPEC as a wildcard for extensions
+ * Combine ipt and ip6t manpages
+ * Resolve warnings on 64-bit compile
+ * Wrap dlopen code into NO_SHARED_LIBS
+ * Remove support for compilation of conditional extensions
+ * Resolve libipt_set warnings
+ * Update documentation about building the package
+ * configure.ac: AC_SUBST must be separate
+ * Dynamically create xtables.h.in with version
+ * configure.ac: remove already-defined variables
+ * Remove old functions, constants
+ * Makefile.am: use PACKAGE_TARNAME
+ * iptables out-of-tree build directory
+ * Introduce a counter for number of user defined chains.
+ * Solving scalability issue: for chain list "name" searching.
+ * REDIRECT: Allow symbolic port in REDIRECT --to-port
+ * Fix iptables-save output of libxt_owner match
+ * allow empty strings in argument parser
+ * Fix define value of SCTP chunk type.
+ * cleanup several code wraparounds
+ * Add RATEEST target extension
+ * Add rateest match extension
+ * Properly initialize revision for ip6tables targets
+ * Resync header files with kernel
+ * libiptc: move variable definitions to head of function
+ * Fix CONNMARK mask initialisation
+ * iptables-save:remove unnecessary code.
+ * Don't assume /bin/sh is bash
+ * Add xtables version defines.
+ * Use s6_addr32 to access bits in int6_addr instead of incompatible name
+
+-------------------------------------------------------------------
+Tue Jan 8 17:10:54 CET 2008 - prusnak@suse.cz
+
+- updated to 1.4.0:
+ * Add support for generic xtables infrastructure (improved IPv6 support!)
+ * Deletes empty ->final_check() functions
+ * Fix sparse warnings: non-C99 array declaration, incorrect function prototypes
+ * Remove last vestiges of NFC
+ * Make @msg argument a const char *, just like printf
+ * Makes it possible to omit extra_opts of matches/targets if unnecessary
+ * Fix "iptables getsockopt failed strangely" when querying revisions
+ for non-existant matches and targets
+ * Introduces DEST_IPT_LIBDIR in Makefile
+ * Change default KERNEL_DIR location and add KBUILD_OUTPUT
+ * Removes obsolete KERNEL_64_USERSPACE_32 definitions
+ * Fix unused function warning
+ * Don't use dlfcn.h if NO_SHARED_LIBS is defined
+ * Fix showing help text for matches/targets with revision as user
+ * Print warnings to stderr
+ * Fix sscanf type errors
+ * Always print mask in iptables-save
+ * Don't silenty exit on failure to open /proc/net/{ip,ip6}_tables_names
+ * Adds --table to iptables-restore
+ * Make DO_MULTI=1 work for ip6tables* binaries
+ * Add ip6tables-{save,restore} to non-experimental target,
+ fix strict aliasing warnings
+ * Introducing libxt_*.man files. Sorted matches and modules
+ * Install ip6tables-{save,restore} manpages
+ * Performance optimization in sorting chain during pull-out
+ * Fix sockfd use accounting for kernels without autoloading
+ * use
+ * Fix make/compile error for iptables-1.4.0rc1
+ * Fix for --random option in DNAT and REDIRECT
+ * Document xt_statistic
+ * sctp: fix - mistake to pass a pointer where array is required
+ * Fix connlimit output for inverted --connlimit-above:
+ ! 
> is <=, not <
+ * Add NFLOG manpage
+ * Move libipt_DSCP.man to libxt_DSCP.man for ip6tables.8
+ * Unifies libip[6]t_CONNSECMARK.man to libxt_CONNSECMARK.man
+ * Moves libipt_CLASSYFY.man to libxt_CLASSYFY.man for ip6tables.8
+ * fix check_inverse() call
+- removed obsolete patch:
+ * strict-aliasing-fix.diff (included in update)
+
+-------------------------------------------------------------------
+Tue Jul 31 13:10:56 CEST 2007 - prusnak@suse.cz
+
+- removed sed scripts in %prep section from last update
+ * not needed anymore
+
+-------------------------------------------------------------------
+Thu Jul 26 16:20:40 CEST 2007 - prusnak@suse.cz
+
+- updated to 1.3.8
+ * Fix build error of conntrack match
+ * Remove whitespace in ip6tables.c
+ * `-p all' and `-p 0' should be allowed in ip6tables
+ * hashlimit doc update
+ * add --random option to DNAT and REDIRECT
+ * Makefile uses POSIX conform directory check
+ * Fix missing newlines in iptables-save/restore output
+ * Update quota manpage for SMP
+ * Output for unspecified proto is `all' instead of `0'
+ * Fix iptables-save with --random option
+ * Remove unnecessary IP_NAT_RANGE_PROTO_RANDOM ifdefs
+ * Remove libnsl from LDLIBS
+ * Fix problem with iptables-restore and quotes
+ * Remove unnecessary includes
+ * Fix --modprobe parameter
+ * ip6tables-restore should output error of modprobe after failed to load
+ * Add random option to SNAT
+ * Fix missing space in error message
+ * Fixes for manpages of tcp, udp, and icmp{,6}
+ * Add ip6tables mh extension
+ * Fix tcpmss manpage
+ * Add ip6tables TCPMSS extension
+ * Add UDPLITE multiport support
+ * Fix missing space in ruleset listing
+ * Remove extensions for unmaintained/obsolete patchlets
+ * Fix greedy debug grep
+ * Fix type in manpage
+ * Fix compile/install error for iptables-xml with DO_MULTI=1
+- dropped obsolete patches:
+ * newlines.diff (included in update)
+ * shlibs.diff (done by sed in %prep section)
+ * extensions.diff
+
+-------------------------------------------------------------------
+Wed May 9 13:39:08 CEST 2007 - prusnak@suse.cz
+
+- added newlines to error messages (newlines.diff) [#271847]
+
+-------------------------------------------------------------------
+Tue Mar 13 14:08:25 CET 2007 - prusnak@suse.cz
+
+- added initial setting of KERNEL_DIR variable in %install section of spec file
+
+-------------------------------------------------------------------
+Tue Jan 9 14:52:15 CET 2007 - prusnak@suse.cz
+
+- added experimental tools and extensions (removed by last update)
+
+-------------------------------------------------------------------
+Wed Jan 3 17:58:09 CET 2007 - prusnak@suse.cz
+
+- updated to 1.3.7
+ * Add revision support for ip6tables
+ * Add port range support for ip6tables multiport match
+ * Add sctp match extension for ip6tables
+ * Add iptables-xml tool
+ * Add hashlimit support for ip6tables (needs kernel > 2.6.19)
+ * Add NFLOG target extension for iptables/ip6tables (needs kernel > 2.6.19)
+ * Bugfixes
+- updated debian-docs and moved into tar.bz2
+
+-------------------------------------------------------------------
+Thu Nov 16 11:06:55 CET 2006 - mjancar@suse.cz
+
+- allow setting KERNEL_DIR on commandline for build (#220851)
+
+-------------------------------------------------------------------
+Tue Oct 17 17:47:47 CEST 2006 - anosek@suse.cz
+
+- updated to version 1.3.6
+ * Support multiple matches of the same type within a single rule
+ * DCCP/SCTP support for multiport match (needs kernel >= 2.6.18)
+ * SELinux SECMARK target (needs kernel >= 2.6.18)
+ * SELinux CONNSECMARK target (needs kernel >= 2.6.18)
+ * Add support for statistic match (needs kernel >= 2.6.18)
+ * Optionally read realm values from /etc/iproute2/rt_realms
+ * Bugfixes
+
+-------------------------------------------------------------------
+Wed Feb 1 15:26:39 CET 2006 - lnussel@suse.de
+
+- updated to version 1.3.5
+ * supports ip6tables state and conntrack \o/ (#145758)
+
+-------------------------------------------------------------------
+Fri Jan 27 01:50:25 CET 2006 - mls@suse.de
+
+- converted neededforbuild to BuildRequires
+
+-------------------------------------------------------------------
+Tue Jan 24 15:00:31 CET 2006 - schwab@suse.de
+
+- Fix building of shared libraries.
+
+-------------------------------------------------------------------
+Tue Jan 17 15:11:43 CET 2006 - postadal@suse.cz
+
+- updated policy extension from upstream (policy-1.3.4.patch)
+ * ported for changes in kernel
+
+-------------------------------------------------------------------
+Tue Nov 15 17:09:38 CET 2005 - postadal@suse.cz
+
+- updated to version 1.3.4
+- added RPM_OPT_FLAGS to CFLAGS
+- fixed strict aliasing (strict-aliasing-fix.patch)
+
+-------------------------------------------------------------------
+Mon Aug 1 16:36:26 CEST 2005 - lnussel@suse.de
+
+- add iptables-batch and ip6tables-batch
+
+-------------------------------------------------------------------
+Mon Aug 1 10:14:00 CEST 2005 - postadal@suse.cz
+
+- updated to version 1.3.3
+
+-------------------------------------------------------------------
+Wed Jul 27 15:38:26 CEST 2005 - postadal@suse.cz
+
+- updated to version 1.3.2
+
+-------------------------------------------------------------------
+Wed Mar 9 11:28:10 CET 2005 - postadal@suse.cz
+
+- updated to version 1.3.1 (bug fixes)
+
+-------------------------------------------------------------------
+Thu Feb 17 10:02:14 CET 2005 - postadal@suse.cz
+
+- updated to version 1.3.0
+- removed obsoleted patch modules-secfix
+
+-------------------------------------------------------------------
+Tue Nov 02 17:00:05 CET 2004 - postadal@suse.cz
+
+- fixed uninitialised variable [#47850] - CAN-2004-0986
+
+-------------------------------------------------------------------
+Tue Aug 17 15:15:44 CEST 2004 - mludvig@suse.cz
+
+- Fixed mode for extensions/.policy-test6
+
+-------------------------------------------------------------------
+Thu Aug 05 14:15:52 CEST 2004 - mludvig@suse.cz
+
+- Added IPv6 support to the 'policy' match.
+
+-------------------------------------------------------------------
+Wed Aug 04 15:44:06 CEST 2004 - postadal@suse.cz
+
+- updated to version 1.2.11
+- removed obsoleted patch clusterip
+
+-------------------------------------------------------------------
+Sat Apr 24 08:45:00 CEST 2004 - lmb@suse.de
+
+- Add support for Cluster IP functionality.
+
+-------------------------------------------------------------------
+Wed Apr 21 16:51:03 CEST 2004 - mludvig@suse.cz
+
+- Added module for IPv6 conntrack from USAGI.
+
+-------------------------------------------------------------------
+Wed Mar 24 15:47:24 CET 2004 - mludvig@suse.cz
+
+- Added policy module from patch-o-matic
+
+-------------------------------------------------------------------
+Fri Feb 06 18:09:42 CET 2004 - postadal@suse.cz
+
+- updated to version 1.2.9.
+
+-------------------------------------------------------------------
+Sat Jan 10 20:33:48 CET 2004 - adrian@suse.de
+
+- add %defattr
+
+-------------------------------------------------------------------
+Wed Jul 23 15:08:45 CEST 2003 - postadal@suse.cz
+
+- updated to 1.2.8
+
+-------------------------------------------------------------------
+Tue Apr 8 21:33:42 CEST 2003 - schwab@suse.de
+
+- Prefer sanitized kernel headers.
+
+-------------------------------------------------------------------
+Thu Sep 05 11:13:51 CEST 2002 - postadal@suse.cz
+
+- updated to bugfixed 1.2.7a version
+
+-------------------------------------------------------------------
+Wed Aug 28 18:20:07 CEST 2002 - postadal@suse.cz
+
+- added Requires %{name} = %{version} to devel package
+
+-------------------------------------------------------------------
+Thu Aug 08 13:03:46 CEST 2002 - nadvornik@suse.cz
+
+- updated to 1.2.7
+
+-------------------------------------------------------------------
+Wed Mar 27 11:10:32 CET 2002 - postadal@suse.cz
+
+- revert to compile it with kernel headers (#15448)
+
+-------------------------------------------------------------------
+Fri Feb 1 14:14:49 CET 2002 - nadvornik@suse.cz
+
+- compiled with kernel headers from glibc
+
+-------------------------------------------------------------------
+Tue Jan 15 15:30:31 CET 2002 - nadvornik@suse.cz
+
+- update to 1.2.5
+
+-------------------------------------------------------------------
+Wed Nov 14 13:51:38 CET 2001 - nadvornik@suse.cz
+
+- updated to 1.2.4 [bug #12104]
+ - fixed problems with iptables-save/restore
+- iptables-1.2.4.debian.diff.bz2 contains documentation only,
+ Makefile changes moved to separate patch
+
+-------------------------------------------------------------------
+Sat Sep 22 02:04:31 MEST 2001 - garloff@suse.de
+
+- Fix ipt_string support (compile fix).
+
+-------------------------------------------------------------------
+Tue Jul 17 10:55:30 MEST 2001 - garloff@suse.de
+
+- Update to iptables-1.2.2
+- Appply debian patch: mostly docu stuff
+- Added COMPILE_EXPERIMENTAL flag to Makefile and pass it from RPM
+ .spec file to compile and install ip(6)tables-save/restore apps.
+
+-------------------------------------------------------------------
+Fri Apr 6 15:28:00 CEST 2001 - kukuk@suse.de
+
+- changed neededforbuild from lx_suse to kernel-source
+
+-------------------------------------------------------------------
+Tue Mar 27 23:24:15 CEST 2001 - lmuelle@suse.de
+
+- update to 1.2.1a
+- add devel package with libipq stuff
+- minor spec file cleanup
+
+-------------------------------------------------------------------
+Sun Jan 28 16:40:08 CET 2001 - olh@suse.de
+
+- update to 1.2, needed for ppc and sparc
+
+-------------------------------------------------------------------
+Tue Dec 19 09:33:37 CET 2000 - nadvornik@suse.cz
+
+- compiled with lx_suse
+
+-------------------------------------------------------------------
+Tue Oct 17 16:15:51 CEST 2000 - nadvornik@suse.cz
+
+- update to 1.1.2
+
+-------------------------------------------------------------------
+Fri Sep 22 02:34:07 CEST 2000 - ro@suse.de
+
+- up to 1.1.1
+
+-------------------------------------------------------------------
+Fri Jun 9 08:58:25 CEST 2000 - ro@suse.de
+
+- fixed neededforbuild
+
+-------------------------------------------------------------------
+Wed Jun 7 08:33:45 CEST 2000 - nadvornik@suse.cz
+
+- new package 1.1.0
+
diff --git a/iptables.keyring b/iptables.keyring
new file mode 100644
index 0000000..34ba618
--- /dev/null
+++ b/iptables.keyring
@@ -0,0 +1,64 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBF+HdQgBEACzteJUJGtj3N6u5mcGh4Nu/9GQfwrrphZuI7jto2N6+ZoURded +660mFLnax7wgIE8ugAa085jwFWbFY3FzGutUs/kDmnqy9WneYNBLIAF3ZTFfY+oi +V1C09bBlHKDj9gSEM2TZ/qU14exKdSloqcMKSdIqLQX27w/D6WmO1crDjOKKN9F2 +zjc3uLjo1gIPrY+Kdld29aI0W4gYvNLOo+ewhVC5Q6ymWOdR3eKaP2HIAt8CYf0t +Sx8ChHdBvXQITDmXoGPLTTiCHBoUzaJ/N8m4AZTuSUTr9g3jUNFmL48OrJjFPhHh +KDY0V59id5nPu4RX3fa/XW+4FNlrthA5V9dQSIPh7r7uHynDtkcCHT5m4mn0NqG3 +dsUqeYQlrWKCVDTfX/WQB3Rq1tgmOssFG9kZkXcVTmis3KFP1ZAahBRB33OJgSfi +WKc/mWLMEQcljbysbJzq74Vrjg44DNK7vhAXGoR35kjj5saduxTywdb3iZhGXEsg +9zqV0uOIfMQsQJQCZTlkqvZibdB3xlRyiCwqlf1eHB2Vo7efWbRIizX2da4c5xUj ++IL1eSPmTV+52x1dYXpn/cSVKJAROtcSmwvMRyjuGOcTNtir0XHCxC5YYBow6tKR +U1hrFiulCMH80HeS+u/g4SpT4lcv+x0DlN5BfWQuN5k5ZzwKb6EQs092qQARAQAB +tCxOZXRmaWx0ZXIgQ29yZSBUZWFtIDxjb3JldGVhbUBuZXRmaWx0ZXIub3JnPokC +VAQTAQoAPhYhBDfZZKzASYHHVQD7m9Vdl4qKFCDkBQJfh3UIAhsDBQkHhM4ABQsJ +CAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJENVdl4qKFCDk0msQAJTIK8TLHw2IJDc6 ++ZfUJc+znSNwskO+A4lwvb1vRY5qFV+CA2S1eUS4HGDWDT0sPKie6Nx4+FBczkWd +RA+eaKDqQeS5Vzc2f0bl74un91h7yE8O2NsVnpL166MnAAk3/ACjHsZX2PzF12F6 +4stvGQFpjZRWItj0I6bvPY6CTtqVPB98a6RpdbS9kGxCCMrL3CFGDXGSjXes5KwN +IvngmVB36wjb3QgEtQIv13jrWFfiXeuieqMRyC6Z3KNYVcvis34eGxPFD9MHrK+w +bdw3KzMBJd7hMoVRl32Q13T/PX8H3pqWMqKaL41wHUswRt0IQjNZnRvRnlJ0VDFf +Wep/3dFK+uQbdABuiwCiRli5mWeOMCP+qJodP1OZSGqg0VwZWUGdCGG5+qIhngOj +QVomvJ7N4eRLU3xuPVjLoBeHzvViUPpYtWQ/YiZK5rWTJHhu88xZaysFJRaV+Uz3 +wPkeqdArRRXl1Tpy+cKy7D5BZAr7OjT1wboon23IM2DJRurbaHD8blMsjZ07pbvb +4hdpiE6mqq7CYskDz2UGTaFfEW4bFnKtvKTXEnmcqc4mWcr2z9BBYouGmcFczgET +tE02XejmExXV2RPUtXfLuNIbVpuXG1qhzNuXAfm+S/68XDSFrwyK8/Dgq5ga0iIP +n8Uvz12Xu/Qde+NicogLNWF90QJ2iQIzBBABCgAdFiEEwJ2yBj8dcDS6YVKtq0ZV +oSbSkuQFAl+HdTEACgkQq0ZVoSbSkuSrmhAAi64OqYjb2ZbAJbFAPM6pijyys6Y9 +o8ZyLoCRCUXNrjWkNIozTgmj5fm0ECrUXKyrB6OJhTvaRXmqLcBwWOAnP1v7wb+S +ZhEwP0n6E1mZW0t1Qt0xX8yifM5Tpvy+757OSrsuoRpXwwz4Ubuc6G4N/McoRSfU +tVUcz3sKF8hcbETD/hVZb9Qfv0ZjQxu8LiBfKfgy2Eg8yExTdO027hYqQc5q2HEp 
+HRjD2PMyI33V8KqffWn0AkofweOOFxg1ePV5X9M8rYP+k/2gjPkrrvnZgF/4SxDM +FATmHaIbO3zEQg+u2f1mVCZASBBN1MLth7dMOoClHBmxnQ8uapRg9GNxs7TnXmV/ +diZZbqLf6i9bW/scvWEIdM8EGKpbGjdWIlgQJTIuz3seB+9zOdq9L3uTQWHnYLid +R3YkyOsBRqQvM7Gb3zYgvlPjZ+L2FeGg5rD/eeLbv+k027E0TSAgtHoSA2pVTDDK +uqCXVKfmk1I0SO83L9teBblxed07LeVaS9/uK00rWM/TM1bwogfF/4ZEsmAWznzv +Xan/QmrYNgK3C3AZ4pMX7pGCGV1w93Fw3tUzaEJeS2LlsiL5aPOF63b/DqM6W2nl +UqGjKTdVLuF+JgoRH5U2wCyHYhDFm+CaFsYUu2Jf5hTmVWOR3anBoXy6Ty8SoV8q +KxtKpmKmIdPhDe65Ag0EX4d1CAEQANJMZApYzeeLrc7Rs6fGDK4Z3ejEST+aq7vO +RT9YEppRBG1QoUDBuNodAFxIWM6SpwvN7X9AZeIML2EOjDabF5Q6RNHbwODyLDYc +wmqtWh0NNpK85fXwDgcLOQW+dPimsk3ni1crXhhjZgs6syb9yM/pDi0Tf7wzNZt0 +0p736zlpQPMORfO+mFgac0FVt/GQsTdIwTBzZ36fcV3W8iPH334Sqsatp617R+z+ +q2alH8Vynz12iHi2oJFtmTxhghCROPcLWz3XMKv9A7BfuZeE0k+pK7xnBKrpZzKU +k1j2uzTKzV2Bquo5HNDsy9PgQn16BlXVrxdHfQnBz2w67aHMKnPD/v+K81oxtnuk +pwBAT8Wovkyy1VTLhQH5F0y5bpQrVH/Lwq0/q421hfD3iPHtb2tC1heT9ze/sqkY +plctFb81fx3o8xcBpvuIaTB3URptf8JNvh5KjETZFMQvAddq8oYovoKu+Z/585uC +qwO0Fohpw9qRwmhq7UBvGDVAVgo6kKjMW2Z9U3OnfggrDCytCIZh8eLNagfRL2cu +iq8Sx+cGGt1zoCPhjDN1MaNt/KHm8Gxr+lP+RxH3Et3pEX6mmhSCaU4wr0W5Bf3p +jEtiOwnqajisBQCHh49OGiV8Vg9uQN5GpLpPpbvnGS4vq8jdj6p3gsiS2F7JMy7O +ysBENBkXABEBAAGJAjwEGAEKACYWIQQ32WSswEmBx1UA+5vVXZeKihQg5AUCX4d1 +CAIbDAUJB4TOAAAKCRDVXZeKihQg5NMIEACBdwXwDMRB8rQeqNrhbh7pjbHHFmag +8bPvkmCq/gYGx9MQEKFUFtEGNSBh6m5pXr9hJ9HD2V16q9ERbuBcA6wosz4efQFB +bbage7ZSECCN+xMLirQGRVbTozu2eS8FXedH0X9f0JWLDGWwRg+pAqSOtuFjHhYM +jVpwbH/s71BhH84x5RgWezh2BWLbP3UuY7JtWNAvAaeo53Js2dzzgjDopPis4qZR +rLR9cTGjqa6ZTc/PlLfaCsm6rGBlNx/bFJjz75+yn7vMQa47fOBt4qfriHX7G/Tg +3s8xsQSLEm3IBEYh27hoc9ZD45EXgm9ZiGA21t9v1jA27yTVaUrPbC40iDv/CMcQ +7N2Y1sJRvmrd+2pKxtNNutujjwgBguo5bKK253R5Hy0a+NzK2LSc/GmR8EJJEwW1 +7r6road7Ss6YImCZExeY+CAW0FEzwQpmqfOdlusvIyk4x4r12JH8Q8NWHMzU3Ym/ +yqdopn/SCwCfXJsL4/eHLCaWuyiWjljNa7MwPDITx2ZPRE5QEqCqi4gaDWXyVHt8 +leGE1G3zoXNJogWhDswh105UnlZEEfOvbHbaxgWPjLV/xkuHhVlaqdyXbTExrgK6 +U2wevNS03dBuQ6bjNIbMIt9ulbiBV8MJWR0PZtnNJ958f1QXC4GT+L3FG1g5Jtz+ +rlbu70nh2kSJrg== 
+=wukb
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/iptables.spec b/iptables.spec
new file mode 100644
index 0000000..c6cb679
--- /dev/null
+++ b/iptables.spec
@@ -0,0 +1,458 @@
+#
+# spec file for package iptables
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%if 0%{?suse_version} > 1500
+%bcond_without libalternatives
+%else
+%bcond_with libalternatives
+%endif
+
+Name: iptables
+Version: 1.8.10
+Release: 0
+Summary: IP packet filter administration utilities
+License: Artistic-2.0 AND GPL-2.0-only
+Group: Productivity/Networking/Security
+URL: https://netfilter.org/projects/iptables/
+#Git-Clone: git://git.netfilter.org/iptables
+Source: https://netfilter.org/projects/iptables/files/%name-%version.tar.xz
+Source2: https://netfilter.org/projects/iptables/files/%name-%version.tar.xz.sig
+Source3: %name.keyring
+Source4: baselibs.conf
+Patch1: iptables-batch.patch
+Patch2: iptables-batch-lock.patch
+Patch3: iptables-1.8.2-dont_read_garbage.patch
+
+BuildRequires: bison
+BuildRequires: fdupes
+BuildRequires: flex >= 2.5.33
+BuildRequires: libtool
+BuildRequires: pkg-config >= 0.21
+BuildRequires: xz
+BuildRequires: pkgconfig(libmnl) >= 1.0
+BuildRequires: pkgconfig(libnetfilter_conntrack) >= 1.0.4
+BuildRequires: pkgconfig(libnfnetlink) >= 1.0.0
+BuildRequires: pkgconfig(libnftnl) >= 1.1.6
+Requires: netcfg >= 11.6
+Requires: xtables-plugins = %version-%release
+%if %{with libalternatives}
+Requires: alts
+BuildRequires: alts
+%else
+Requires(post): update-alternatives
+Requires(postun): update-alternatives
+%endif
+# During the update to iptables 1.8, ip6tables-restore-translate, ip6tables-translate,
+# iptables-restore-translate and iptables-translate were moved from iptables-nft subpackage
+# (now iptables-backend-nft) to the main package so we need to add a conflict here otherwise
+# we hit file conflicts error during the update
+Conflicts: iptables-nft = 1.6.2
+
+%description
+iptables is used to set up, maintain, and inspect the rule tables of
+the various Netfilter packet filter engines inside the Linux kernel.
+
+%package backend-nft
+Summary: Metapackage to make nft the default backend for iptables/arptables/ebtables
+Group: Productivity/Networking/Security
+Requires: iptables >= 1.8.0
+%if %{with libalternatives}
+Requires: alts
+BuildRequires: alts
+%else
+Requires(post): update-alternatives
+Requires(postun): update-alternatives
+%endif
+Provides: iptables-nft = %version-%release
+Obsoletes: iptables-nft < %version-%release
+
+%description backend-nft
+Installation of this package adds higher priority alternatives (cf.
+update-alternatives) that makes the iptables, ip6tables, arptables
+and ebtables commands point to a program variant that uses the
+nftables kernel interface.
+
+%package -n xtables-plugins
+Summary: Match and target extension plugins for iptables
+Group: Productivity/Networking/Security
+Conflicts: iptables < 1.4.18
+
+%description -n xtables-plugins
+Match and Target Extension plugins for iptables.
+
+%package -n libipq0
+Summary: Library to interface with the (old) ip_queue kernel mechanism
+Group: System/Libraries
+
+%description -n libipq0
+The Netfilter project provides a mechanism (ip_queue) for passing
+packets out of the stack for queueing to userspace, then receiving
+these packets back into the kernel with a verdict specifying what to
+do with the packets (such as ACCEPT or DROP). These packets may also
+be modified in userspace prior to reinjection back into the kernel.
+
+ip_queue/libipq is obsoleted by nf_queue/libnetfilter_queue!
+
+%package -n libipq-devel
+Summary: Development files for the ip_queue kernel mechanism
+Group: Development/Libraries/C and C++
+Requires: libipq0 = %version
+
+%description -n libipq-devel
+The Netfilter project provides a mechanism (ip_queue) for passing
+packets out of the stack for queueing to userspace, then receiving
+these packets back into the kernel with a verdict specifying what to
+do with the packets (such as ACCEPT or DROP). These packets may also
+be modified in userspace prior to reinjection back into the kernel.
+
+ip_queue/libipq is obsoleted by nf_queue/libnetfilter_queue!
+
+%package -n libip4tc2
+Summary: Library for the ip_tables low-level ruleset generation and parsing (IPv4)
+Group: System/Libraries
+
+%description -n libip4tc2
+libiptc ("iptables cache") is used to retrieve from the kernel, parse,
+construct, and load rulesets into the kernel.
+This package contains the iptc IPv4 API.
+
+%package -n libip6tc2
+Summary: Library for the ip_tables low-level ruleset generation and parsing (IPv6)
+Group: System/Libraries
+
+%description -n libip6tc2
+libiptc ("iptables cache") is used to retrieve from the kernel, parse,
+construct, and load rulesets into the kernel.
+This package contains the iptc IPv6 API.
+
+%package -n libiptc-devel
+Summary: Development files for libiptc, a packet filter ruleset library
+Group: Development/Libraries/C and C++
+Requires: libip4tc2 = %version
+Requires: libip6tc2 = %version
+
+%description -n libiptc-devel
+libiptc ("iptables cache") is used to retrieve from the kernel, parse,
+construct, and load rulesets into the kernel.
+
+%package -n libxtables12
+Summary: The iptables plugin interface
+Group: System/Libraries
+
+%description -n libxtables12
+This library contains all the iptables code shared between iptables,
+ip6tables, their extensions, and for external integration for e.g.
+iproute2's m_xt.
+
+%package -n libxtables-devel
+Summary: Headers and manpages for iptables
+Group: Development/Libraries/C and C++
+Requires: libxtables12 = %version
+
+%description -n libxtables-devel
+This library contains all the iptables code shared between iptables,
+ip6tables, their extensions, and for external integration for e.g.
+
+Link your extension (iptables plugins) with $(pkg-config xtables
+--libs) and place the plugin in the directory given by $(pkg-config
+xtables --variable=xtlibdir).
+
+%prep
+%autosetup -p1
+
+%build
+# We have the iptables-batch patch, so always regenerate.
+./autogen.sh
+# bnc#561793 - do not include unclean module in iptables manpage
+rm -f extensions/libipt_unclean.man
+# includedir is overriden on purpose to detect projects that
+# fail to include libxtables_CFLAGS
+%configure --includedir="%_includedir/%name" --enable-libipq
+%make_build V=1
+
+%install
+%make_install
+b="%buildroot"
+# no contents and is unused; proposed for removal upstream
+rm -f "$b/%_libdir/"libiptc.so*
+# iptables-apply is not installed by upstream Makefile
+install -m0755 iptables/iptables-apply "$b/%_sbindir/"
+rm -f "$b/%_libdir"/*.la
+rm -f "$b/%_sysconfdir/ethertypes" # provided by netcfg
+rm -f "$b/%_sysconfdir/xtables.conf" # packaging bug
+
+for i in iptables iptables-restore iptables-save ip6tables ip6tables-restore \
+ ip6tables-save arptables arptables-restore arptables-save ebtables \
+ ebtables-restore ebtables-save; do
+%if ! %{with libalternatives}
+ ln -fsv "%_sysconfdir/alternatives/$i" "$b/%_sbindir/$i"
+%else
+ ln -fsv %_bindir/alts "$b/%_sbindir/$i"
+%endif
+done
+
+%if 0%{?suse_version}
+%fdupes %buildroot/%_prefix
+%endif
+
+%if %{with libalternatives}
+mkdir -pv "$b/%_datadir/libalternatives/iptables"
+cat >"$b/%_datadir/libalternatives/iptables/1.conf" <<-EOF
+ binary=%_sbindir/xtables-legacy-multi
+ group=iptables, ip6tables, ip6tables-restore, ip6tables-save, iptables-restore, iptables-save
+ options=KeepArgv0
+EOF
+cat >"$b/%_datadir/libalternatives/iptables/2.conf" <<-EOF
+ binary=%_sbindir/xtables-nft-multi
+ group=iptables, ip6tables, ip6tables-restore, ip6tables-save, iptables-restore, iptables-save
+ options=KeepArgv0
+EOF
+for i in ip6tables ip6tables-restore ip6tables-save iptables-restore iptables-save; do
+ mkdir -pv "$b/%_datadir/libalternatives/$i"
+ cp -av "$b/%_datadir/libalternatives/iptables/"*.conf "$b/%_datadir/libalternatives/$i/"
+done
+
+mkdir -pv $b/%_datadir/libalternatives/arptables
+cat >"$b/%_datadir/libalternatives/arptables/2.conf" <<-EOF
+ binary=%_sbindir/xtables-nft-multi
+ group=arptables, arptables-restore, arptables-save
+ options=KeepArgv0
+EOF
+for i in arptables-restore arptables-save; do
+ mkdir -pv "$b/%_datadir/libalternatives/$i"
+ cp -av "$b/%_datadir/libalternatives/arptables/2.conf" "$b/%_datadir/libalternatives/$i/"
+done
+
+mkdir -p "$b/%_datadir/libalternatives/ebtables"
+cat >"$b/%_datadir/libalternatives/ebtables/2.conf" <<-EOF
+ binary=%_sbindir/xtables-nft-multi
+ group=ebtables, ebtables-restore, ebtables-save
+ options=KeepArgv0
+EOF
+for i in ebtables-restore ebtables-save; do
+ mkdir -pv "$b/%_datadir/libalternatives/$i"
+ cp -av "$b/%_datadir/libalternatives/ebtables/2.conf" "$b/%_datadir/libalternatives/$i/"
+done
+
+%endif
+
+%if %{with libalternatives}
+%pre
+# removing old update-alternatives entries
+if [ "$1" -gt 0 ] && [ -f "%_sbindir/update-alternatives" ]; then
+ update-alternatives --remove iptables "%_sbindir/xtables-legacy-multi"
+fi
+%else
+
+%post
+update-alternatives \
+ --install "%_sbindir/iptables" iptables "%_sbindir/xtables-legacy-multi" 1 \
+ --slave "%_sbindir/iptables-restore" iptables-restore "%_sbindir/xtables-legacy-multi" \
+ --slave "%_sbindir/iptables-save" iptables-save "%_sbindir/xtables-legacy-multi" \
+ --slave "%_sbindir/ip6tables" ip6tables "%_sbindir/xtables-legacy-multi" \
+ --slave "%_sbindir/ip6tables-restore" ip6tables-restore "%_sbindir/xtables-legacy-multi" \
+ --slave "%_sbindir/ip6tables-save" ip6tables-save "%_sbindir/xtables-legacy-multi"
+
+%postun
+if test "$1" = 0; then
+ update-alternatives --remove iptables "%_sbindir/xtables-legacy-multi"
+fi
+%endif
+
+%if %{with libalternatives}
+%pre backend-nft
+# removing old update-alternatives entries
+if [ "$1" -gt 0 ] && [ -f "%_sbindir/update-alternatives" ]; then
+ update-alternatives --remove iptables "%_sbindir/xtables-nft-multi"
+ update-alternatives --remove arptables "%_sbindir/xtables-nft-multi"
+ update-alternatives --remove ebtables "%_sbindir/xtables-nft-multi"
+fi
+%else
+
+%post backend-nft
+update-alternatives \
+ --install "%_sbindir/iptables" iptables "%_sbindir/xtables-nft-multi" 2 \
+ --slave "%_sbindir/iptables-restore" iptables-restore "%_sbindir/xtables-nft-multi" \
+ --slave "%_sbindir/iptables-save" iptables-save "%_sbindir/xtables-nft-multi" \
+ --slave "%_sbindir/ip6tables" ip6tables "%_sbindir/xtables-nft-multi" \
+ --slave "%_sbindir/ip6tables-restore" ip6tables-restore "%_sbindir/xtables-nft-multi" \
+ --slave "%_sbindir/ip6tables-save" ip6tables-save "%_sbindir/xtables-nft-multi"
+update-alternatives --install "%_sbindir/arptables" arptables "%_sbindir/xtables-nft-multi" 2 \
+ --slave "%_sbindir/arptables-restore" arptables-restore "%_sbindir/xtables-nft-multi" \
+ --slave "%_sbindir/arptables-save" arptables-save "%_sbindir/xtables-nft-multi"
+update-alternatives --install "%_sbindir/ebtables" ebtables "%_sbindir/xtables-nft-multi" 2 \
+ --slave "%_sbindir/ebtables-restore" ebtables-restore "%_sbindir/xtables-nft-multi" \
+ --slave "%_sbindir/ebtables-save" ebtables-save "%_sbindir/xtables-nft-multi"
+
+%postun backend-nft
+if test "$1" = 0; then
+ update-alternatives --remove iptables "%_sbindir/xtables-nft-multi"
+ update-alternatives --remove arptables "%_sbindir/xtables-nft-multi"
+ update-alternatives --remove ebtables "%_sbindir/xtables-nft-multi"
+fi
+%endif
+
+%post -n libipq0 -p /sbin/ldconfig
+%postun -n libipq0 -p /sbin/ldconfig
+%post -n libip4tc2 -p /sbin/ldconfig
+%postun -n libip4tc2 -p /sbin/ldconfig
+%post -n libip6tc2 -p /sbin/ldconfig
+%postun -n libip6tc2 -p /sbin/ldconfig
+%post -n libxtables12 -p /sbin/ldconfig
+%postun -n libxtables12 -p /sbin/ldconfig
+
+%files
+%license COPYING
+%_bindir/iptables-xml
+%_sbindir/iptables-apply
+%_sbindir/iptables-legacy*
+%_sbindir/iptables-nft*
+%_sbindir/iptables-*translate*
+%_sbindir/ip6tables-apply
+%_sbindir/ip6tables-legacy*
+%_sbindir/ip6tables-nft*
+%_sbindir/ip6tables-*translate*
+%_sbindir/arptables-nft*
+%_sbindir/ebtables-nft*
+%_sbindir/ebtables-*translate*
+%_sbindir/xtables*
+%_mandir/man1/*tables*
+%_mandir/man8/*tables*
+# backend-legacy (implicit)
+%if ! %{with libalternatives}
+%ghost %_sysconfdir/alternatives/iptables
+%ghost %_sysconfdir/alternatives/iptables-restore
+%ghost %_sysconfdir/alternatives/iptables-save
+%ghost %_sysconfdir/alternatives/ip6tables
+%ghost %_sysconfdir/alternatives/ip6tables-restore
+%ghost %_sysconfdir/alternatives/ip6tables-save
+%else
+%_datadir/libalternatives/ip6tables/1.conf
+%dir %_datadir/libalternatives/ip6tables
+%_datadir/libalternatives/ip6tables-restore/1.conf
+%dir %_datadir/libalternatives/ip6tables-restore
+%_datadir/libalternatives/ip6tables-save/1.conf
+%dir %_datadir/libalternatives/ip6tables-save
+%_datadir/libalternatives/iptables/1.conf
+%dir %_datadir/libalternatives/iptables
+%_datadir/libalternatives/iptables-restore/1.conf
+%dir %_datadir/libalternatives/iptables-restore
+%_datadir/libalternatives/iptables-save/1.conf
+%dir %_datadir/libalternatives/iptables-save
+%endif
+%_sbindir/iptables
+%_sbindir/iptables-restore
+%_sbindir/iptables-save
+%_sbindir/ip6tables
+%_sbindir/ip6tables-restore
+%_sbindir/ip6tables-save
+
+%files backend-nft
+%if ! %{with libalternatives}
+%ghost %_sysconfdir/alternatives/iptables
+%ghost %_sysconfdir/alternatives/iptables-restore
+%ghost %_sysconfdir/alternatives/iptables-save
+%ghost %_sysconfdir/alternatives/ip6tables
+%ghost %_sysconfdir/alternatives/ip6tables-restore
+%ghost %_sysconfdir/alternatives/ip6tables-save
+%ghost %_sysconfdir/alternatives/arptables
+%ghost %_sysconfdir/alternatives/arptables-restore
+%ghost %_sysconfdir/alternatives/arptables-save
+%ghost %_sysconfdir/alternatives/ebtables
+%ghost %_sysconfdir/alternatives/ebtables-restore
+%ghost %_sysconfdir/alternatives/ebtables-save
+%_sbindir/iptables
+%_sbindir/iptables-restore
+%_sbindir/iptables-save
+%_sbindir/ip6tables
+%_sbindir/ip6tables-restore
+%_sbindir/ip6tables-save
+%else
+%_datadir/libalternatives/arptables/2.conf
+%dir %_datadir/libalternatives/arptables
+%_datadir/libalternatives/arptables-restore/2.conf
+%dir %_datadir/libalternatives/arptables-restore
+%_datadir/libalternatives/arptables-save/2.conf
+%dir %_datadir/libalternatives/arptables-save
+%_datadir/libalternatives/ebtables/2.conf
+%dir %_datadir/libalternatives/ebtables
+%_datadir/libalternatives/ebtables-restore/2.conf
+%dir %_datadir/libalternatives/ebtables-restore
+%_datadir/libalternatives/ebtables-save/2.conf
+%dir %_datadir/libalternatives/ebtables-save
+%_datadir/libalternatives/ip6tables/2.conf
+%dir %_datadir/libalternatives/ip6tables
+%_datadir/libalternatives/ip6tables-restore/2.conf
+%dir %_datadir/libalternatives/ip6tables-restore
+%_datadir/libalternatives/ip6tables-save/2.conf
+%dir %_datadir/libalternatives/ip6tables-save
+%_datadir/libalternatives/iptables/2.conf
+%dir %_datadir/libalternatives/iptables
+%_datadir/libalternatives/iptables-restore/2.conf
+%dir %_datadir/libalternatives/iptables-restore
+%_datadir/libalternatives/iptables-save/2.conf
+%dir %_datadir/libalternatives/iptables-save
+%_datadir/libalternatives/iptables-save/2.conf
+%endif
+%_sbindir/arptables
+%_sbindir/arptables-restore
+%_sbindir/arptables-save
+%_sbindir/ebtables
+%_sbindir/ebtables-restore
+%_sbindir/ebtables-save
+
+%files -n xtables-plugins
+%_libdir/xtables/
+%_sbindir/nfnl_osf
+%_mandir/man8/nfnl_osf.8*
+%_datadir/xtables/
+
+%files -n libipq0
+%_libdir/libipq.so.0*
+
+%files -n libipq-devel
+%doc %_mandir/man3/libipq*
+%doc %_mandir/man3/ipq*
+%dir %_includedir/%name/
+%_includedir/%name/libipq*
+%_libdir/libipq.so
+%_libdir/pkgconfig/libipq.pc
+
+%files -n libip4tc2
+%_libdir/libip4tc.so.2*
+
+%files -n libip6tc2
+%_libdir/libip6tc.so.2*
+
+%files -n libiptc-devel
+%dir %_includedir/%name/
+%_includedir/%name/libiptc*
+%_libdir/libip*tc.so
+%_libdir/pkgconfig/libip*tc.pc
+
+%files -n libxtables12
+%_libdir/libxtables.so.12*
+
+%files -n libxtables-devel
+%dir %_includedir/%name/
+%_includedir/%name/xtables.h
+%_includedir/%name/xtables-version.h
+%_libdir/libxtables.so
+%_libdir/pkgconfig/xtables.pc
+
+%changelog
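Review bot: In the libalternatives branch of `%files backend-nft`, `%_datadir/libalternatives/iptables-save/2.conf` is listed twice — once before its `%dir` line and again immediately before `%endif` — which rpmbuild reports as a file listed twice; drop the second `%_datadir/libalternatives/iptables-save/2.conf` line. Both `%pre` scriptlets test for `%_sbindir/update-alternatives` and then invoke the bare `update-alternatives`, so the call resolves through the scriptlet's PATH rather than the path just checked; writing those lines as `"%_sbindir/update-alternatives" --remove …` keeps the test and the call consistent. The `%description -n libxtables-devel` ends its first sentence at `for external integration for e.g.` whereas the libxtables12 description continues with `iproute2's m_xt.`; the devel text appears truncated and should carry the same ending. In `%install`, `mkdir -pv $b/%_datadir/libalternatives/arptables` is the only place `$b` is left unquoted; quoting it as in the neighbouring `mkdir -pv "$b/…"` lines keeps the section uniform.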