nftables 1.1.5

Source the v3 submission posted recently, and import into openSUSE
as a patch file.

0001-tools-add-a-systemd-unit-for-static-rulesets.patch

@@ -1,192 +0,0 @@
-From d47ba75b254179f07061dd7782b5d73c9991fdc5 Mon Sep 17 00:00:00 2001
-From: Jan Engelhardt <jengelh@inai.de>
-Date: Fri, 28 Feb 2025 19:45:01 +0100
-Subject: [PATCH] tools: add a systemd unit for static rulesets
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-References: https://lore.kernel.org/netfilter-devel/20250417145055.2700920-1-jengelh@inai.de/
-
-There is a customer request (bugreport) for wanting to trivially load a ruleset
-from a well-known location on boot, forwarded to me by M. Gerstner. A systemd
-service unit is hereby added to provide that functionality. This is based on
-various distributions attempting to do same, for example,
-
-https://src.fedoraproject.org/rpms/nftables/tree/rawhide
-https://gitlab.alpinelinux.org/alpine/aports/-/blob/master/main/nftables/nftables.initd
-https://gitlab.archlinux.org/archlinux/packaging/packages/nftables
-
-Cc: Matthias Gerstner <matthias.gerstner@suse.com>
-Cc: Kevin Fenzi <kevin@scrye.com>
-Cc: Francesco Colista <fcolista@alpinelinux.org>
-Cc: Sébastien Luttringer <seblu@archlinux.org>
----
- INSTALL                   |  6 ++++++
- Makefile.am               | 16 ++++++++++++----
- configure.ac              | 10 ++++++++++
- files/nftables/main.nft   | 22 ++++++++++++++++++++++
- tools/nftables.service.8  | 17 +++++++++++++++++
- tools/nftables.service.in | 21 +++++++++++++++++++++
- 6 files changed, 88 insertions(+), 4 deletions(-)
- create mode 100644 files/nftables/main.nft
- create mode 100644 tools/nftables.service.8
- create mode 100644 tools/nftables.service.in
-
-diff --git a/INSTALL b/INSTALL
-index 5d45ec98..0c48c989 100644
---- a/INSTALL
-+++ b/INSTALL
-@@ -42,6 +42,12 @@ Installation instructions for nftables
- 	The base directory for arch-independent files. Defaults to
- 	$prefix/share.
- 
-+ --with-unitdir=
-+
-+	Directory for systemd unit files. Defaults to the value obtained from
-+	pkg-config for systemd.pc, and ${prefix}/lib/systemd/system as a
-+	fallback.
-+
-  --disable-debug
- 
- 	Disable debugging
-diff --git a/Makefile.am b/Makefile.am
-index fb64105d..050991f4 100644
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -375,18 +375,19 @@ dist_pkgdata_DATA = \
- 	files/nftables/netdev-ingress.nft \
- 	$(NULL)
- 
--pkgdocdir = ${docdir}/examples
-+exampledir = ${docdir}/examples
- 
--dist_pkgdoc_SCRIPTS = \
-+dist_example_SCRIPTS = \
- 	files/examples/ct_helpers.nft \
- 	files/examples/load_balancing.nft \
- 	files/examples/secmark.nft \
- 	files/examples/sets_and_maps.nft \
- 	$(NULL)
- 
--pkgsysconfdir = ${sysconfdir}/nftables/osf
-+pkgsysconfdir = ${sysconfdir}/${PACKAGE}
-+osfdir = ${pkgsysconfdir}/osf
- 
--dist_pkgsysconf_DATA = \
-+dist_osf_DATA = \
- 	files/osf/pf.os \
- 	$(NULL)
- 
-@@ -410,3 +411,10 @@ EXTRA_DIST += \
- 
- pkgconfigdir = $(libdir)/pkgconfig
- pkgconfig_DATA = libnftables.pc
-+unit_DATA = tools/nftables.service
-+man_MANS = tools/nftables.service.8
-+doc_DATA = files/nftables/main.nft
-+
-+tools/nftables.service: tools/nftables.service.in ${top_builddir}/config.status
-+	${AM_V_GEN}${MKDIR_P} tools
-+	${AM_V_at}sed -e 's|@''sbindir''@|${sbindir}|g;s|@''pkgsysconfdir''@|${pkgsysconfdir}|g' <${srcdir}/tools/nftables.service.in >$@
-diff --git a/configure.ac b/configure.ac
-index a4552df7..805af74a 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -114,6 +114,16 @@ AC_CHECK_DECLS([getprotobyname_r, getprotobynumber_r, getservbyport_r], [], [],
- #include <netdb.h>
- ]])
- 
-+AC_ARG_WITH([unitdir],
-+	[AS_HELP_STRING([--with-unitdir=PATH], [Path to systemd service unit directory])],
-+	[unitdir="$withval"],
-+	[
-+		unitdir=$("$PKG_CONFIG" systemd --variable systemdsystemunitdir 2>/dev/null)
-+		AS_IF([test -z "$unitdir"], [unitdir='${prefix}/lib/systemd/system'])
-+	])
-+AC_SUBST([unitdir])
-+
-+
- AC_CONFIG_FILES([					\
- 		Makefile				\
- 		libnftables.pc				\
-diff --git a/files/nftables/main.nft b/files/nftables/main.nft
-new file mode 100644
-index 00000000..d3171fd3
---- /dev/null
-+++ b/files/nftables/main.nft
-@@ -0,0 +1,22 @@
-+#!/usr/sbin/nft -f
-+
-+# template static firewall configuration file
-+#
-+# copy this over to /etc/nftables/rules/main.nft as a starting point for
-+# configuring a rule set which will be loaded by nftables.service.
-+
-+table inet filter {
-+	chain input {
-+		type filter hook input priority filter;
-+	}
-+	chain forward {
-+		type filter hook forward priority filter;
-+	}
-+	chain output {
-+		type filter hook output priority filter;
-+	}
-+}
-+
-+# this can be used to split the rule set into multiple smaller files concerned
-+# with specific topics, like forwarding rules
-+#include "/etc/nftables/rules/forwarding.nft"
-diff --git a/tools/nftables.service.8 b/tools/nftables.service.8
-new file mode 100644
-index 00000000..bb88dc46
---- /dev/null
-+++ b/tools/nftables.service.8
-@@ -0,0 +1,17 @@
-+.TH nftables.service 8 "" "nftables" "nftables admin reference"
-+.SH Name
-+nftables.service \(em Static Firewall Configuration with nftables.service
-+.SH Description
-+An nftables systemd service is provided which allows to setup static firewall
-+rulesets based on a configuration file.
-+.PP
-+To use this service, you need to create the main configuration file in
-+/etc/nftables/rules/main.nft. A template for this can be copied from
-+/usr/share/doc/nftables/main.nft. Alternatively, `nft list ruleset >main.nft`
-+could be used to save the active configuration (if any) to the file.
-+.PP
-+Once the desired static firewall configuration is in place, it can be tested by
-+running `systemctl start nftables.service`. To enable the service at boot time,
-+run `systemctl enable nftables.service`.
-+.SH See also
-+\fBnft\fP(8)
-diff --git a/tools/nftables.service.in b/tools/nftables.service.in
-new file mode 100644
-index 00000000..2ac7e6fd
---- /dev/null
-+++ b/tools/nftables.service.in
-@@ -0,0 +1,21 @@
-+[Unit]
-+Description=nftables static rule set
-+Documentation=man:nftables.service(8)
-+Wants=network-pre.target
-+Before=network-pre.target shutdown.target
-+Conflicts=shutdown.target
-+DefaultDependencies=no
-+ConditionPathExists=@pkgsysconfdir@/rules/main.nft
-+
-+[Service]
-+Type=oneshot
-+RemainAfterExit=yes
-+StandardInput=null
-+ProtectSystem=full
-+ProtectHome=true
-+ExecStart=@sbindir@/nft 'flush ruleset; include "@pkgsysconfdir@/rules/main.nft"'
-+ExecReload=@sbindir@/nft 'flush ruleset; include "@pkgsysconfdir@/rules/main.nft"'
-+ExecStop=@sbindir@/nft flush ruleset
-+
-+[Install]
-+WantedBy=sysinit.target
--- 
-2.49.0
-

nftables.changes

@@ -1,3 +1,32 @@
+-------------------------------------------------------------------
+Wed Aug 27 23:31:54 UTC 2025 - Jan Engelhardt <jengelh@inai.de>
+
+- Update to release 1.1.5
+  * Revert JSON ruleset listing, restore set flags to display
+    single item with array
+  * Fix misleading "No buffer space available" error when kernel
+    reports too many errors back to userspace.
+- Delete 0001-tools-add-a-systemd-unit-for-static-rulesets.patch,
+  json.patch (merged)
+
+-------------------------------------------------------------------
+Wed Aug 20 14:07:09 UTC 2025 - Jan Engelhardt <jengelh@inai.de>
+
+- Add json.patch
+
+-------------------------------------------------------------------
+Wed Aug  6 15:50:11 UTC 2025 - Jan Engelhardt <jengelh@inai.de>
+
+- Update to release 1.1.4
+  * Add conntrack information to monitor trace command.
+  * Add a 'check' fib result to check for routes.
+  * Better error reporting with re-declarations set/map with
+    different types.
+  * Restore meta hour matching on ranges spanning date boundaries,
+    e.g. `... meta hour "21:00"-"02:00"`
+  * Display number of set elements in rule listings.
+  * Allow deleting maps via their handle.
+
 -------------------------------------------------------------------
 Tue Apr 22 11:48:56 UTC 2025 - Jan Engelhardt <jengelh@inai.de>
 

nftables.spec

@@ -22,7 +22,7 @@
 %define pyversion 0.1
 
 Name:           nftables
-Version:        1.1.3
+Version:        1.1.5
 Release:        0
 Summary:        Userspace utility to access the nf_tables packet filter
 License:        GPL-2.0-only
@@ -33,7 +33,6 @@ Source:         http://ftp.netfilter.org/pub/%name/%name-%version.tar.xz
 Source2:        http://ftp.netfilter.org/pub/%name/%name-%version.tar.xz.sig
 Source3:        %name.keyring
 Source4:        nftables.rpmlintrc
-Patch1:         0001-tools-add-a-systemd-unit-for-static-rulesets.patch
 BuildRequires:  %{python_module pip}
 BuildRequires:  %{python_module setuptools}
 BuildRequires:  %{python_module wheel}
@@ -48,7 +47,7 @@ BuildRequires:  python-rpm-macros
 BuildRequires:  pkgconfig(jansson)
 BuildRequires:  pkgconfig(libedit)
 BuildRequires:  pkgconfig(libmnl) >= 1.0.4
-BuildRequires:  pkgconfig(libnftnl) >= 1.2.9
+BuildRequires:  pkgconfig(libnftnl) >= 1.3.0
 BuildRequires:  pkgconfig(xtables) >= 1.6.1
 %python_subpackages
 
@@ -93,11 +92,9 @@ BuildArch:      noarch
 Python bindings for nftables
 
 %prep
-%setup -q
+%autosetup -p1
 # remove unused shebang
 sed -i '1{/bin/d}' py/src/nftables.py
-rm -f files/nftables/main.nft
-%patch -P 1 -p1
 
 %build
 autoreconf -fi
@@ -109,7 +106,8 @@ cd obj/
 %define _configure ../configure
 %configure --disable-silent-rules --disable-static --docdir="%_docdir/%name" \
 	--includedir="%_includedir/%name" --with-json \
-	--enable-python --with-python-bin="$(which python3)"
+	--enable-python --with-python-bin="$(which python3)" \
+	--with-unitdir=/usr/lib/systemd/system
 %make_build
 cd -
 cd py