# install init scripts to /usr/libexec with systemd

%global script_path %{_libexecdir}/iptables

# service legacy actions (RHBZ#748134)

%global legacy_actions %{_libexecdir}/initscripts/legacy-actions

# boostrap mode to assist in libip{4,6}tc SONAME bump

%global bootstrap 1

%if 0%{?bootstrap}

%global version_old 1.8.2

%global iptc_so_ver_old 0

%endif

%global iptc_so_ver 2

Name: iptables

Summary: Tools for managing Linux kernel packet filtering capabilities

URL: http://www.netfilter.org/projects/iptables

Version: 1.8.4

Release: 16%{?dist}

Source: %{url}/files/%{name}-%{version}.tar.bz2

Source1: iptables.init

Source2: iptables-config

Source3: iptables.service

Source4: sysconfig_iptables

Source5: sysconfig_ip6tables

Source6: arptables.service

Source7: arptables-helper

Source8: ebtables.systemd

Source9: ebtables.service

Source10: ebtables-config

%if 0%{?bootstrap}

Source11: %{url}/files/%{name}-%{version_old}.tar.bz2

Source12: 0003-extensions-format-security-fixes-in-libip-6-t_icmp.patch

%endif

Patch01: 0001-iptables-apply-Use-mktemp-instead-of-tempfile.patch

Patch02: 0002-xtables-restore-Fix-parser-feed-from-line-buffer.patch

Patch03: 0003-xtables-restore-Avoid-access-of-uninitialized-data.patch

Patch04: 0004-extensions-time-Avoid-undefined-shift.patch

Patch05: 0005-extensions-cluster-Avoid-undefined-shift.patch

Patch06: 0006-libxtables-Avoid-buffer-overrun-in-xtables_compatibl.patch

Patch07: 0007-xtables-translate-Guard-strcpy-call-in-xlate_ifname.patch

Patch08: 0008-extensions-among-Check-call-to-fstat.patch

Patch09: 0009-uapi-netfilter-Avoid-undefined-left-shift-in-xt_sctp.patch

Patch10: 0010-xtables-translate-Fix-for-interface-name-corner-case.patch

Patch11: 0011-xtables-translate-Fix-for-iface.patch

Patch12: 0012-tests-shell-Fix-skip-checks-with-host-mode.patch

Patch13: 0013-xtables-restore-fix-for-noflush-and-empty-lines.patch

Patch14: 0014-iptables-test.py-Fix-host-mode.patch

Patch15: 0015-xtables-Review-nft_init.patch

Patch16: 0016-nft-cache-Fix-nft_release_cache-under-stress.patch

Patch17: 0017-nft-cache-Fix-iptables-save-segfault-under-stress.patch

Patch18: 0018-ebtables-among-Support-mixed-MAC-and-MAC-IP-entries.patch

Patch19: 0019-xtables-Align-effect-of-4-6-options-with-legacy.patch

Patch20: 0020-xtables-Drop-4-and-6-support-from-xtables-save-resto.patch

Patch21: 0021-nfnl_osf-Fix-broken-conversion-to-nfnl_query.patch

Patch22: 0022-nfnl_osf-Improve-error-handling.patch

Patch23: 0023-nft-cache-Reset-genid-when-rebuilding-cache.patch

Patch24: 0024-nft-Fix-for-F-in-iptables-dumps.patch

Patch25: 0025-tests-shell-Test-F-in-dump-files.patch

Patch26: 0026-nft-Make-batch_add_chain-return-the-added-batch-obje.patch

Patch27: 0027-nft-Fix-error-reporting-for-refreshed-transactions.patch

Patch28: 0028-nft-Fix-for-concurrent-noflush-restore-calls.patch

Patch29: 0029-tests-shell-Improve-concurrent-noflush-restore-test-.patch

Patch30: 0030-nft-cache-Make-nft_rebuild_cache-respect-fake-cache.patch

Patch31: 0031-nft-Fix-for-broken-address-mask-match-detection.patch

Patch32: 0032-nft-Optimize-class-based-IP-prefix-matches.patch

Patch33: 0033-ebtables-Optimize-masked-MAC-address-matches.patch

Patch34: 0034-tests-shell-Add-test-for-bitwise-avoidance-fixes.patch

# pf.os: ISC license

# iptables-apply: Artistic Licence 2.0

License: GPLv2 and Artistic 2.0 and ISC

# libnetfilter_conntrack is needed for xt_connlabel

BuildRequires: pkgconfig(libnetfilter_conntrack)

# libnfnetlink-devel is requires for nfnl_osf

BuildRequires: pkgconfig(libnfnetlink)

BuildRequires: libselinux-devel

BuildRequires: kernel-headers

BuildRequires: systemd

# libmnl, libnftnl, bison, flex for nftables

BuildRequires: bison

BuildRequires: flex

BuildRequires: gcc

BuildRequires: pkgconfig(libmnl) >= 1.0

BuildRequires: pkgconfig(libnftnl) >= 1.1.5-1

# libpcap-devel for nfbpf_compile

BuildRequires: libpcap-devel

BuildRequires:  autoconf

BuildRequires:  automake

BuildRequires:  libtool

Requires: %{name}-libs%{?_isa} = %{version}-%{release}

%if 0%{?fedora} > 24

Conflicts: setup < 2.10.4-1

%endif

%description

The iptables utility controls the network packet filtering code in the

Linux kernel. If you need to set up firewalls and/or IP masquerading,

you should either install nftables or this package.

Note: This package contains the nftables-based variants of iptables and

ip6tables, which are drop-in replacements of the legacy tools.

%package libs

Summary: iptables libraries

Group: System Environment/Base

%description libs

iptables libraries.

Please remember that libip*tc libraries do neither have a stable API nor a real so version.

For more information about this, please have a look at

  http://www.netfilter.org/documentation/FAQ/netfilter-faq-4.html#ss4.5

%package devel

Summary: Development package for iptables

Group: System Environment/Base

Requires: %{name}%{?_isa} = %{version}-%{release}

Requires: iptables-libs = %{version}-%{release}

Requires: pkgconfig

%description devel

iptables development headers and libraries.

The iptc libraries are marked as not public by upstream. The interface is not

stable and may change with every new version. It is therefore unsupported.

%package services

Summary: iptables and ip6tables services for iptables

Group: System Environment/Base

Requires: %{name} = %{version}-%{release}

Requires(post): systemd

Requires(preun): systemd

Requires(postun): systemd

# obsolete old main package

Obsoletes: %{name} < 1.4.16.1

# obsolete ipv6 sub package

Obsoletes: %{name}-ipv6 < 1.4.11.1

%description services

iptables services for IPv4 and IPv6

This package provides the services iptables and ip6tables that have been split

out of the base package since they are not active by default anymore.

%package utils

Summary: iptables and ip6tables services for iptables

Group: System Environment/Base

Requires: %{name} = %{version}-%{release}

%description utils

Utils for iptables.

Currently only provides nfnl_osf with the pf.os database.

%package arptables

Summary: User space tool to set up tables of ARP rules in kernel

Group: System Environment/Base

Requires: %{name} = %{version}-%{release}

Obsoletes: arptables

Provides: arptables

%description arptables

The arptables tool is used to set up and maintain

the tables of ARP rules in the Linux kernel. These rules inspect

the ARP frames which they see. arptables is analogous to the iptables

user space tool, but is less complicated.

Note: This package contains the nftables-based variant of arptables, a drop-in

replacement of the legacy tool.

%package ebtables

Summary: Ethernet Bridge frame table administration tool

Group: System Environment/Base

Requires: %{name} = %{version}-%{release}

Obsoletes: ebtables

Provides: ebtables

%description ebtables

Ethernet bridge tables is a firewalling tool to transparently filter network

traffic passing a bridge. The filtering possibilities are limited to link

layer filtering and some basic filtering on higher network layers.

This tool is the userspace control for the bridge and ebtables kernel

components (built by default in RHEL kernels).

The ebtables tool can be used together with the other Linux filtering tools,

like iptables. There are no known incompatibility issues.

Note: This package contains the nftables-based variant of ebtables, a drop-in

replacement of the legacy tool.

%prep

%autosetup -p1

%if 0%{?bootstrap}

%{__mkdir} -p bootstrap_ver

pushd bootstrap_ver

%{__tar} --strip-components=1 -xf %{SOURCE11}

%{__patch} -p1 <%{SOURCE12}

popd

%endif

%build

./autogen.sh

CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing " \

%configure --enable-devel --enable-bpf-compiler --with-kernel=/usr --with-kbuild=/usr --with-ksource=/usr

# do not use rpath

sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool

sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool

rm -f include/linux/types.h

make %{?_smp_mflags} V=1

%if 0%{?bootstrap}

pushd bootstrap_ver

./autogen.sh

CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing " \

%configure --enable-devel --enable-bpf-compiler --with-kernel=/usr --with-kbuild=/usr --with-ksource=/usr

# do not use rpath

sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool

sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool

rm -f include/linux/types.h

make %{?_smp_mflags} V=1

popd

%endif

%install

%if 0%{?bootstrap}

%make_install -C bootstrap_ver

find %{buildroot} -xtype f -not \

	-name 'libip*tc.so.%{iptc_so_ver_old}*' -delete -print

find %{buildroot} -type l -not \

	-name 'libip*tc.so.%{iptc_so_ver_old}*' -delete -print

%endif

make install DESTDIR=%{buildroot} 

# remove la file(s)

rm -f %{buildroot}/%{_libdir}/*.la

# install ip*tables.h header files

install -m 644 include/ip*tables.h %{buildroot}%{_includedir}/

install -d -m 755 %{buildroot}%{_includedir}/iptables

install -m 644 include/iptables/internal.h %{buildroot}%{_includedir}/iptables/

# install ipulog header file

install -d -m 755 %{buildroot}%{_includedir}/libipulog/

install -m 644 include/libipulog/*.h %{buildroot}%{_includedir}/libipulog/

# install init scripts and configuration files

install -d -m 755 %{buildroot}%{script_path}

install -c -m 755 %{SOURCE1} %{buildroot}%{script_path}/iptables.init

sed -e 's;iptables;ip6tables;g' -e 's;IPTABLES;IP6TABLES;g' < %{SOURCE1} > ip6tables.init

install -c -m 755 ip6tables.init %{buildroot}%{script_path}/ip6tables.init

install -d -m 755 %{buildroot}%{_sysconfdir}/sysconfig

install -c -m 600 %{SOURCE2} %{buildroot}%{_sysconfdir}/sysconfig/iptables-config

sed -e 's;iptables;ip6tables;g' -e 's;IPTABLES;IP6TABLES;g' < %{SOURCE2} > ip6tables-config

install -c -m 600 ip6tables-config %{buildroot}%{_sysconfdir}/sysconfig/ip6tables-config

install -c -m 600 %{SOURCE4} %{buildroot}%{_sysconfdir}/sysconfig/iptables

install -c -m 600 %{SOURCE5} %{buildroot}%{_sysconfdir}/sysconfig/ip6tables

# install systemd service files

install -d -m 755 %{buildroot}/%{_unitdir}

install -c -m 644 %{SOURCE3} %{buildroot}/%{_unitdir}

sed -e 's;iptables;ip6tables;g' -e 's;IPv4;IPv6;g' -e 's;/usr/libexec/ip6tables;/usr/libexec/iptables;g' < %{SOURCE3} > ip6tables.service

install -c -m 644 ip6tables.service %{buildroot}/%{_unitdir}

# install legacy actions for service command

install -d %{buildroot}/%{legacy_actions}/iptables

install -d %{buildroot}/%{legacy_actions}/ip6tables

cat << EOF > %{buildroot}/%{legacy_actions}/iptables/save

#!/bin/bash

exec %{script_path}/iptables.init save

EOF

chmod 755 %{buildroot}/%{legacy_actions}/iptables/save

sed -e 's;iptables.init;ip6tables.init;g' -e 's;IPTABLES;IP6TABLES;g' < %{buildroot}/%{legacy_actions}/iptables/save > ip6tabes.save-legacy

install -c -m 755 ip6tabes.save-legacy %{buildroot}/%{legacy_actions}/ip6tables/save

cat << EOF > %{buildroot}/%{legacy_actions}/iptables/panic

#!/bin/bash

exec %{script_path}/iptables.init panic

EOF

chmod 755 %{buildroot}/%{legacy_actions}/iptables/panic

sed -e 's;iptables.init;ip6tables.init;g' -e 's;IPTABLES;IP6TABLES;g' < %{buildroot}/%{legacy_actions}/iptables/panic > ip6tabes.panic-legacy

install -c -m 755 ip6tabes.panic-legacy %{buildroot}/%{legacy_actions}/ip6tables/panic

# install iptables-apply with man page

install -m 755 iptables/iptables-apply %{buildroot}%{_sbindir}/

install -m 644 iptables/iptables-apply.8 %{buildroot}%{_mandir}/man8/

%if 0%{?fedora} > 24

# Remove /etc/ethertypes (now part of setup)

rm -f %{buildroot}%{_sysconfdir}/ethertypes

%endif

# drop all legacy tools

rm -f %{buildroot}%{_sbindir}/*legacy*

rm -f %{buildroot}%{_bindir}/iptables-xml

rm -f %{buildroot}%{_mandir}/man1/iptables-xml*

rm -f %{buildroot}%{_mandir}/man8/xtables-legacy*

# rename nft versions to standard name

pfx=%{buildroot}%{_sbindir}/iptables

for pfx in %{buildroot}%{_sbindir}/{iptables,ip6tables,arptables,ebtables}; do

	mv $pfx-nft $pfx

	mv $pfx-nft-restore $pfx-restore

	mv $pfx-nft-save $pfx-save

done

# extra sources for arptables

install -p -D -m 644 %{SOURCE6} %{buildroot}%{_unitdir}/arptables.service

mkdir -p %{buildroot}%{_libexecdir}/

install -p -D -m 755 %{SOURCE7} %{buildroot}%{_libexecdir}/

mkdir -p %{buildroot}%{_sysconfdir}/sysconfig

echo '# Configure prior to use' > %{buildroot}%{_sysconfdir}/sysconfig/arptables

for sfx in "" "-restore" "-save"; do

	echo '.so man8/arptables-nft${sfx}.8' > \

		%{buildroot}%{_mandir}/man8/arptables${sfx}.8

done

# extra sources for ebtables

install -p %{SOURCE9} %{buildroot}%{_unitdir}/

install -m0755 %{SOURCE8} %{buildroot}%{_libexecdir}/ebtables

install -m0600 %{SOURCE10} %{buildroot}%{_sysconfdir}/sysconfig/ebtables-config

touch %{buildroot}%{_sysconfdir}/sysconfig/ebtables

echo '.so man8/ebtables-nft.8' > %{buildroot}%{_mandir}/man8/ebtables.8

%if 0%{?rhel}

%pre

for p in %{_sysconfdir}/alternatives/{iptables,ip6tables}.*; do

    if [ -h "$p" ]; then

        ipt=$(readlink "$p")

        echo "Removing alternatives for ${p##*/} with path $ipt"

        %{_sbindir}/alternatives --remove "${p##*/}" "$ipt"

    fi

done

%endif

%post -p /sbin/ldconfig

%postun -p /sbin/ldconfig

%post services

%systemd_post iptables.service ip6tables.service

%preun services

%systemd_preun iptables.service ip6tables.service

%postun services

/sbin/ldconfig

%systemd_postun iptables.service ip6tables.service

%post arptables

%systemd_post arptables.service

%preun arptables

%systemd_preun arptables.service

%postun arptables

%systemd_postun arptables.service

%post ebtables

%systemd_post ebtables.service

%preun ebtables

%systemd_preun ebtables.service

%postun ebtables

%systemd_postun_with_restart ebtables.service

%files

%{!?_licensedir:%global license %%doc}

%license COPYING

%doc INCOMPATIBILITIES

%config(noreplace) %{_sysconfdir}/sysconfig/iptables-config

%config(noreplace) %{_sysconfdir}/sysconfig/ip6tables-config

%if 0%{?fedora} <= 24

%{_sysconfdir}/ethertypes

%endif

%{_sbindir}/iptables

%{_sbindir}/iptables-apply

%{_sbindir}/iptables-restore

%{_sbindir}/iptables-restore-translate

%{_sbindir}/iptables-save

%{_sbindir}/iptables-translate

%{_sbindir}/ip6tables

%{_sbindir}/ip6tables-restore

%{_sbindir}/ip6tables-restore-translate

%{_sbindir}/ip6tables-save

%{_sbindir}/ip6tables-translate

%{_sbindir}/xtables-monitor

%{_sbindir}/xtables-nft-multi

%doc %{_mandir}/man8/iptables*

%doc %{_mandir}/man8/ip6tables*

%doc %{_mandir}/man8/xtables-monitor*

%doc %{_mandir}/man8/xtables-nft*

%doc %{_mandir}/man8/*tables-translate*

%doc %{_mandir}/man8/*tables-restore-translate*

%dir %{_libdir}/xtables

%{_libdir}/xtables/libarpt*

%{_libdir}/xtables/libebt*

%{_libdir}/xtables/libipt*

%{_libdir}/xtables/libip6t*

%{_libdir}/xtables/libxt*

%files libs

%{_libdir}/libip*tc.so.%{iptc_so_ver}*

%if 0%{?bootstrap}

%{_libdir}/libip*tc.so.%{iptc_so_ver_old}*

%endif

%{_libdir}/libxtables.so.12*

%files devel

%dir %{_includedir}/iptables

%{_includedir}/iptables/*.h

%{_includedir}/*.h

%dir %{_includedir}/libiptc

%{_includedir}/libiptc/*.h

%dir %{_includedir}/libipulog

%{_includedir}/libipulog/*.h

%{_libdir}/libip*tc.so

%{_libdir}/libxtables.so

%{_libdir}/pkgconfig/libiptc.pc

%{_libdir}/pkgconfig/libip4tc.pc

%{_libdir}/pkgconfig/libip6tc.pc

%{_libdir}/pkgconfig/xtables.pc

%files services

%dir %{script_path}

%{script_path}/iptables.init

%{script_path}/ip6tables.init

%config(noreplace) %{_sysconfdir}/sysconfig/iptables

%config(noreplace) %{_sysconfdir}/sysconfig/ip6tables

%{_unitdir}/iptables.service

%{_unitdir}/ip6tables.service

%dir %{legacy_actions}/iptables

%{legacy_actions}/iptables/save

%{legacy_actions}/iptables/panic

%dir %{legacy_actions}/ip6tables

%{legacy_actions}/ip6tables/save

%{legacy_actions}/ip6tables/panic

%files utils

%{_sbindir}/nfnl_osf

%{_sbindir}/nfbpf_compile

%dir %{_datadir}/xtables

%{_datadir}/xtables/pf.os

%doc %{_mandir}/man8/nfnl_osf*

%doc %{_mandir}/man8/nfbpf_compile*

%files arptables

%{_sbindir}/arptables*

%{_libexecdir}/arptables-helper

%{_unitdir}/arptables.service

%config(noreplace) %{_sysconfdir}/sysconfig/arptables

%doc %{_mandir}/man8/arptables*.8*

%files ebtables

%{_sbindir}/ebtables*

%{_libexecdir}/ebtables

%{_unitdir}/ebtables.service

%config(noreplace) %{_sysconfdir}/sysconfig/ebtables-config

%ghost %{_sysconfdir}/sysconfig/ebtables

%doc %{_mandir}/man8/ebtables*.8*

%changelog

* Wed Oct 28 2020 Phil Sutter <psutter@redhat.com> - 1.8.4-16

- tests/shell: Add test for bitwise avoidance fixes

- ebtables: Optimize masked MAC address matches

- nft: Optimize class-based IP prefix matches

- nft: Fix for broken address mask match detection

- nft: cache: Make nft_rebuild_cache() respect fake cache

- tests: shell: Improve concurrent noflush restore test a bit

- nft: Fix for concurrent noflush restore calls

- nft: Fix error reporting for refreshed transactions

- nft: Make batch_add_chain() return the added batch object

* Sat Aug 15 2020 Phil Sutter <psutter@redhat.com> - 1.8.4-15

- Ignore sysctl files not suffixed '.conf'

* Wed Jun 24 2020 Phil Sutter <psutter@redhat.com> - 1.8.4-14

- nft: Fix for '-F' in iptables dumps

- tests: shell: Test -F in dump files

* Fri May 29 2020 Phil Sutter <psutter@redhat.com> - 1.8.4-13

- Fix for endless loop in iptables-restore --test

* Tue May 26 2020 Phil Sutter <psutter@redhat.com> - 1.8.4-12

- Unbreak nfnl_osf tool

* Tue May 19 2020 Phil Sutter <psutter@redhat.com> - 1.8.4-11

- Complete ebtables-nft among match support

- Replace RHEL-only xtables-monitor fix with upstream solution

- xtables: Align effect of -4/-6 options with legacy

- xtables: Drop -4 and -6 support from xtables-{save,restore}

- Review systemd unit files

* Tue Mar 17 2020 Phil Sutter <psutter@redhat.com> - 1.8.4-10

- Fix for iptables-restore segfault under pressure

- Fix for iptables-save segfault under pressure

* Mon Feb 24 2020 Phil Sutter <psutter@redhat.com> - 1.8.4-9

- iptables-test.py: Fix --host mode

- xtables-monitor: Fix segfault when tracing

* Sat Feb 15 2020 Phil Sutter <psutter@redhat.com> - 1.8.4-8

- xtables-translate: Fix for iface++

- tests: shell: Fix skip checks with --host mode

- xtables-restore: fix for --noflush and empty lines

* Wed Feb 12 2020 Phil Sutter <psutter@redhat.com> - 1.8.4-7

- xtables-translate: Fix for interface name corner-cases

* Mon Dec 09 2019 Phil Sutter <psutter@redhat.com> - 1.8.4-6

- Add missing patch in last release, uAPI covscan fix

* Mon Dec 09 2019 Phil Sutter <psutter@redhat.com> - 1.8.4-5

- Fix covscan-indicated problems

* Wed Dec 04 2019 Phil Sutter <psutter@redhat.com> - 1.8.4-4

- Fix for broken xtables-restore --noflush

* Tue Dec 03 2019 Phil Sutter <psutter@redhat.com> - 1.8.4-3

- Reduce globbing in library file names to expose future SONAME changes

- Add bootstrapping for libip*tc SONAME bump

* Mon Dec 02 2019 Phil Sutter <psutter@redhat.com> - 1.8.4-2

- Use upstream-provided man pages for ebtables and arptables

* Mon Dec 02 2019 Phil Sutter <psutter@redhat.com> - 1.8.4-1

- Rebase onto upstream release 1.8.4

* Thu Aug 08 2019 Phil Sutter <psutter@redhat.com> - 1.8.2-16

- nft: Set socket receive buffer

* Wed Jul 31 2019 Phil Sutter <psutter@redhat.com> - 1.8.2-15

- doc: Install ip{6,}tables-restore-translate.8 man pages

* Tue Jul 02 2019 Phil Sutter <psutter@redhat.com> - 1.8.2-14

- arptables: Print space before comma and counters

- extensions: Fix ipvs vproto parsing

- extensions: Fix ipvs vproto option printing

- extensions: Add testcase for libxt_ipvs

* Mon Jul 01 2019 Phil Sutter <psutter@redhat.com> - 1.8.2-13

- doc: Install ip{6,}tables-translate.8 manpages

- nft: Eliminate dead code in __nft_rule_list

* Wed Jun 12 2019 Phil Sutter <psutter@redhat.com> - 1.8.2-12

- Add iptables-test.py testsuite to sources

- extensions: libip6t_mh: fix bogus translation error

- extensions: AUDIT: Document ineffective --type option

- xtables-restore: Fix program names in help texts

- xtables-save: Point at existing man page in help text

- utils: Add a manpage for nfbpf_compile

- Mark man pages in base package as documentation files

* Thu May 23 2019 Phil Sutter <psutter@redhat.com> - 1.8.2-11

- Enable verbose output when building

* Thu May 09 2019 Phil Sutter <psutter@redhat.com> - 1.8.2-10

- arptables-nft: fix decoding of hlen on bigendian platforms

- xtables-save: Fix table not found error message

- xtables: Catch errors when zeroing rule rounters

- extensions: TRACE: Point at xtables-monitor in documentation

- extensions: libipt_realm: Document allowed realm values

* Fri Feb 08 2019 Phil Sutter - 1.8.2-9

- ebtables-nft: Support user-defined chain policies

* Thu Feb 07 2019 Phil Sutter - 1.8.2-8

- arptables.8: Document --set-counters option

* Thu Feb 07 2019 Phil Sutter - 1.8.2-7

- arptables: Support --set-counters option

* Fri Feb 01 2019 Phil Sutter - 1.8.2-6

- Improve performance with large rulesets

- Fix for changes in arptables output

- Fix for inserting rules at wrong position

- Fix segfault when comparing rules with standard target

- Fix ebtables output for negated values

- Document missing arptables FORWARD chain

* Tue Dec 18 2018 Phil Sutter - 1.8.2-5

- Drop change to test snippet not included in tarball from Patch4

* Tue Dec 18 2018 Phil Sutter - 1.8.2-4

- Fix iptables init script for nftables-backend

- Drop references to unsupported broute table from ebtables man page

- xtables: Don't use native nftables comments

* Thu Dec 06 2018 Phil Sutter - 1.8.2-3

- Drop change to test snippet not included in tarball from Patch3

* Thu Dec 06 2018 Phil Sutter - 1.8.2-2

- Point out that nftables-variants are installed in package description

- Fix for deleting arptables rules by referencing them

* Thu Dec 06 2018 Phil Sutter - 1.8.2-1

- Rebase onto upstream version 1.8.2

* Thu Oct 25 2018 Phil Sutter - 1.8.1-2

- Add upstream fixes to 1.8.1 release

* Thu Oct 25 2018 Phil Sutter - 1.8.1-1

- Rebase onto upstream version 1.8.1

* Thu Sep 27 2018 Phil Sutter - 1.8.0-11

- Fix for covscan warnings in init scripts

* Wed Sep 26 2018 Phil Sutter - 1.8.0-10

- Fix short name of Artistic Licence

* Wed Sep 26 2018 Phil Sutter - 1.8.0-9

- Add further fixes for issues identified by covscan

- Fix for bogus "is incompatible" warnings

- Fix layout in License tag

- Replace "Fedora" with "RHEL" in description

- Make devel sub-package depend on libs sub-package

* Mon Sep 17 2018 Phil Sutter - 1.8.0-8

- Fix issues identified by covscan

- xtables-restore: Fix flushing referenced custom chains

- xtables: Accept --wait in iptables-nft-restore

* Mon Sep 03 2018 Phil Sutter - 1.8.0-7

- xtables: Align return codes with legacy iptables

- xtables: Drop use of IP6T_F_PROTO

* Wed Aug 29 2018 Phil Sutter - 1.8.0-6

- xtables: Fix for deleting rules with comment

* Fri Aug 24 2018 Phil Sutter - 1.8.0-5

- xtables: Use meta l4proto for -p match

- ebtables: Fix for listing of non-existent chains

- xtables: Fix for no output in iptables-nft -S

* Sat Aug 18 2018 Phil Sutter - 1.8.0-4

- xtables: Fix for segfault in iptables-nft

- ebtables: Fix entries count in chain listing

- Use %%autosetup macro in %%prep

* Fri Aug 17 2018 Phil Sutter - 1.8.0-3

- xtables: Make 'iptables -S nonexisting' return non-zero

* Fri Aug 10 2018 Phil Sutter - 1.8.0-2

- Rebase onto upstream master commit 514de4801b731db4712

- Add arptables and ebtables sub-packages

* Wed Jul 11 2018 Phil Sutter - 1.8.0-1

- New upstream version 1.8.0

- Drop compat sub-package

- Use nft tool versions, drop legacy ones

* Thu Mar 01 2018 Phil Sutter <psutter@redhat.com> - 1.6.2-2

- Kill module unloading support

- Support /etc/sysctl.d

- Don't restart services after package update

- Add support for --wait options to restore commands

* Wed Feb 21 2018 Michael Cronenworth <mike@cchtml.com> - 1.6.2-1

- New upstream version 1.6.2

  http://www.netfilter.org/projects/iptables/files/changes-iptables-1.6.2.txt

* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.1-6

- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild

* Sun Oct 22 2017 Kevin Fenzi <kevin@scrye.com> - 1.6.1-5

- Rebuild for new libnftnl

* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.1-4

- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild

* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.1-3

- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild

* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.1-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild

* Thu Feb 02 2017 Thomas Woerner <twoerner@redhat.com> - 1.6.1-1

- New upstream version 1.6.1 with enhanced translation to nft support and

  several fixes (RHBZ#1417323)

  http://netfilter.org/projects/iptables/files/changes-iptables-1.6.1.txt

- Enable parallel build again

* Thu Feb 02 2017 Petr Šabata <contyk@redhat.com> - 1.6.0-4

- Disabling parallel build to avoid build issues with xtables

- See http://patchwork.alpinelinux.org/patch/1787/ for reference

- This should be fixed in 1.6.1; parallel build can be restored after the

  update

* Mon Dec 19 2016 Thomas Woerner <twoerner@redhat.com> - 1.6.0-3

- Dropped bad provides for iptables in services sub package (RHBZ#1327786)

* Fri Jul 22 2016 Thomas Woerner <twoerner@redhat.com> - 1.6.0-2

- /etc/ethertypes has been moved into the setup package for F-25+.

  (RHBZ#1329256)

* Wed Apr 13 2016 Thomas Woerner <twoerner@redhat.com> - 1.6.0-1

- New upstream version 1.6.0 with nft-compat support and lots of fixes (RHBZ#1292990)

  Upstream changelog:

  http://netfilter.org/projects/iptables/files/changes-iptables-1.6.0.txt

- New libs sub package containing libxtables and unstable libip*tc libraries (RHBZ#1323161)

- Using scripts form RHEL-7 (RHBZ#1240366)

- New compat sub package for nftables compatibility

- Install iptables-apply (RHBZ#912047)

- Fixed module uninstall (RHBZ#1324101)

- Incorporated changes by Petr Pisar

- Enabled bpf compiler (RHBZ#1170227) Thanks to Yanko Kaneti for the patch

* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.21-16

- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild

* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.21-15

- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild

* Mon Dec 01 2014 Jiri Popelka <jpopelka@redhat.com> - 1.4.21-14

- add dhcpv6-client to /etc/sysconfig/ip6tables (RHBZ#1169036)

* Mon Nov 03 2014 Jiri Popelka <jpopelka@redhat.com> - 1.4.21-13

- iptables.init: use /run/lock/subsys/ instead of /var/lock/subsys/ (RHBZ#1159573)

* Mon Sep 29 2014 Jiri Popelka <jpopelka@redhat.com> - 1.4.21-12

- ip[6]tables.init: change shebang from /bin/sh to /bin/bash (RHBZ#1147272)

* Sat Aug 16 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.21-11

- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild

* Sat Jul 12 2014 Tom Callaway <spot@fedoraproject.org> - 1.4.21-10

- fix license handling

* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.21-9

- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild

* Wed Mar 12 2014 Jiri Popelka <jpopelka@redhat.com> - 1.4.21-8

- add missing reload and panic actions

- BuildRequires: pkgconfig(x) instead of x-devel

- no need to specify file mode bits twice (in %%install and %%files)

* Sun Jan 19 2014 Ville Skyttä <ville.skytta@iki.fi> - 1.4.21-7

- Don't order services after syslog.target.

* Wed Jan 15 2014 Thomas Woerner <twoerner@redhat.com> 1.4.21-6

- Enable connlabel support again, needs libnetfilter_conntrack

* Wed Jan 15 2014 Thomas Woerner <twoerner@redhat.com> 1.4.21-6

- fixed update from RHEL-6 to RHEL-7 (RHBZ#1043901)

* Tue Jan 14 2014 Jiri Popelka <jpopelka@redhat.com> - 1.4.21-5

- chmod /etc/sysconfig/ip[6]tables 755 -> 600

* Fri Jan 10 2014 Jiri Popelka <jpopelka@redhat.com> - 1.4.21-4

- drop virtual provide for xtables.so.9

- add default /etc/sysconfig/ip[6]tables (RHBZ#1034494)

* Thu Jan 09 2014 Jiri Popelka <jpopelka@redhat.com> - 1.4.21-3

- no need to support the pre-systemd things

- use systemd macros (#850166)

- remove scriptlets for migrating to a systemd unit from a SysV initscripts

- ./configure -> %%configure

- spec clean up

- fix self-obsoletion

* Thu Jan  9 2014 Thomas Woerner <twoerner@redhat.com> 1.4.21-2

- fixed system hang at shutdown if root device is network based (RHBZ#1007934)

  Thanks to Rodrigo A B Freire for the patch

* Thu Jan  9 2014 Thomas Woerner <twoerner@redhat.com> 1.4.21-1

- no connlabel.conf upstream anymore

- new version 1.4.21

  - doc: clarify DEBUG usage macro

  - iptables: use autoconf to process .in man pages

  - extensions: libipt_ULOG: man page should mention NFLOG as replacement

  - extensions: libxt_connlabel: use libnetfilter_conntrack

  - Introduce a new revision for the set match with the counters support

  - libxt_CT: Add the "NOTRACK" alias

  - libip6t_mh: Correct command to list named mh types in manpage

  - extensions: libxt_DNAT, libxt_REDIRECT, libxt_NETMAP, libxt_SNAT, libxt_MASQUERADE, libxt_LOG: rename IPv4 manpage and tell about IPv6 support

  - extensions: libxt_LED: fix parsing of delay

  - ip{6}tables-restore: fix breakage due to new locking approach

  - libxt_recent: restore minimum value for --seconds

  - iptables-xml: fix parameter parsing (similar to 2165f38)

  - extensions: add copyright statements

  - xtables: improve get_modprobe handling

  - ip[6]tables: Add locking to prevent concurrent instances

  - iptables: Fix connlabel.conf install location

  - ip6tables: don't print out /128

  - libip6t_LOG: target output is different to libipt_LOG

  - build: additional include path required after UAPI changes

  - iptables: iptables-xml: Fix various parsing bugs

  - libxt_recent: restore reap functionality to recent module

  - build: fail in configure on missing dependency with --enable-bpf-compiler

  - extensions: libxt_NFQUEUE: add --queue-cpu-fanout parameter

  - extensions: libxt_set, libxt_SET: check the set family too

  - ip6tables: Use consistent exit code for EAGAIN

  - iptables: libxt_hashlimit.man: correct address

  - iptables: libxt_conntrack.man extraneous commas

  - iptables: libip(6)t_REJECT.man default icmp types

  - iptables: iptables-xm1.1 correct man section

  - iptables: libxt_recent.{c,man} dead URL

  - iptables: libxt_string.man add examples

  - extensions: libxt_LOG: use generic syslog reference in manpage

  - iptables: extensions/GNUMakefile.in use CPPFLAGS

  - iptables: correctly reference generated file

  - ip[6]tables: fix incorrect alignment in commands_v_options

  - build: add software version to manpage first line at configure stage

  - extensions: libxt_cluster: add note on arptables-jf

  - utils: nfsynproxy: fix error while compiling the BPF filter

  - extensions: add SYNPROXY extension

  - utils: add nfsynproxy tool

  - iptables: state match incompatibilty across versions

  - libxtables: xtables_ipmask_to_numeric incorrect with non-CIDR masks

  - iptables: improve chain name validation

  - iptables: spurious error in load_extension

  - xtables: trivial spelling fix

* Sun Dec 22 2013 Ville Skyttä <ville.skytta@iki.fi> - 1.4.19.1-2

- Drop INSTALL from docs, escape macros in %%changelog.

* Wed Jul 31 2013 Thomas Woerner <twoerner@redhat.com> 1.4.19.1-1

- new version 1.4.19.1

  - libxt_NFQUEUE: fix bypass option documentation

  - extensions: add connlabel match

  - extensions: add connlabel match

  - ip[6]tables: show --protocol instead of --proto in usage

  - libxt_recent: Fix missing space in manpage for --mask option

  - extensions: libxt_multiport: Update manpage to list valid protocols

  - utils: nfnl_osf: use the right nfnetlink lib

  - libip6t_NETMAP: Use xtables_ip6mask_to_cidr and get rid of libip6tc dependency

  - Revert "build: resolve link failure for ip6t_NETMAP"

  - libxt_osf: fix missing --ttl and --log in save output

  - libxt_osf: fix bad location for location in --genre

  - libip6t_SNPT: add manpage

  - libip6t_DNPT: add manpage

  - utils: updates .gitignore to include nfbpf_compile

  - extensions: libxt_bpf: clarify --bytecode argument

  - libxtables: fix parsing of dotted network mask format

  - build: bump version to 1.4.19

  - libxt_conntrack: fix state match alias state parsing

  - extensions: add libxt_bpf extension

  - utils: nfbpf_compile

  - doc: mention SNAT in INPUT chain since kernel 2.6.36

- fixed changelog date weekdays where needed

* Mon Mar  4 2013 Thomas Woerner <twoerner@redhat.com> 1.4.18-1

- new version 1.4.18 

  - lots of documentation changes

  - Introduce match/target aliases

  - Add the "state" alias to the "conntrack" match

  - iptables: remove unused leftover definitions

  - libxtables: add xtables_rule_matches_free

  - libxtables: add xtables_print_num

  - extensions: libip6t_DNPT: fix wording in DNPT target

  - extension: libip6t_DNAT: allow port DNAT without address

  - extensions: libip6t_DNAT: set IPv6 DNAT --to-destination

  - extensions: S/DNPT: add missing save function

- changes of 1.4.17:

  - libxt_time: add support to ignore day transition

  - Convert the NAT targets to use the kernel supplied nf_nat.h header

  - extensions: add IPv6 MASQUERADE extension

  - extensions: add IPv6 SNAT extension

  - extensions: add IPv6 DNAT target

  - extensions: add IPv6 REDIRECT extension

  - extensions: add IPv6 NETMAP extension

  - extensions: add NPT extension

  - extensions: libxt_statistic: Fix save output