From e3bd5cfff66aa61ed356de31635e0ffb00689430 Mon Sep 17 00:00:00 2001
From: Packit Service
Date: Dec 09 2020 23:36:59 +0000
Subject: Add spec-file for the distribution
---
diff --git a/SPECS/nftables.spec b/SPECS/nftables.spec
new file mode 100644
index 0000000..741a21a
--- /dev/null
+++ b/SPECS/nftables.spec
@@ -0,0 +1,433 @@
+%define rpmversion 0.9.3
+%define specrelease 16%{?dist}
+
+Name: nftables
+Version: %{rpmversion}
+Release: %{specrelease}%{?buildid}
+# Upstream released a 0.100 version, then 0.4. Need Epoch to get back on track.
+Epoch: 1
+Summary: Netfilter Tables userspace utillites
+
+License: GPLv2
+URL: http://netfilter.org/projects/nftables/
+Source0: http://ftp.netfilter.org/pub/nftables/nftables-%{version}.tar.bz2
+Source1: nftables.service
+Source2: nftables.conf
+Source3: main.nft
+Source4: router.nft
+Source5: nat.nft
+
+Patch1: 0001-main-enforce-options-before-commands.patch
+Patch2: 0002-main-restore-debug.patch
+Patch3: 0003-monitor-Do-not-decompose-non-anonymous-sets.patch
+Patch4: 0004-monitor-Fix-output-for-ranges-in-anonymous-sets.patch
+Patch5: 0005-xfrm-spi-is-big-endian.patch
+Patch6: 0006-tests-shell-Search-diff-tool-once-and-for-all.patch
+Patch7: 0007-cache-Fix-for-doubled-output-after-reset-command.patch
+Patch8: 0008-netlink-Fix-leak-in-unterminated-string-deserializer.patch
+Patch9: 0009-netlink-Fix-leaks-in-netlink_parse_cmp.patch
+Patch10: 0010-netlink-Avoid-potential-NULL-pointer-deref-in-netlin.patch
+Patch11: 0011-tests-json_echo-Fix-for-Python3.patch
+Patch12: 0012-tests-json_echo-Support-testing-host-binaries.patch
+Patch13: 0013-tests-monitor-Support-running-individual-test-cases.patch
+Patch14: 0014-tests-monitor-Support-testing-host-s-nft-binary.patch
+Patch15: 0015-tests-py-Support-testing-host-binaries.patch
+Patch16: 0016-doc-nft.8-Mention-wildcard-interface-matching.patch
+Patch17: 0017-scanner-Extend-asteriskstring-definition.patch
+Patch18: 0018-parser-add-a-helper-for-concat-expression-handling.patch
+Patch19: 0019-include-resync-nf_tables.h-cache-copy.patch
+Patch20: 0020-src-Add-support-for-NFTNL_SET_DESC_CONCAT.patch
+Patch21: 0021-src-Add-support-for-concatenated-set-ranges.patch
+Patch22: 0022-parser_json-Support-ranges-in-concat-expressions.patch
+Patch23: 0023-doc-Document-notrack-statement.patch
+Patch24: 0024-JSON-Improve-performance-of-json_events_cb.patch
+Patch25: 0025-segtree-Fix-missing-expires-value-in-prefixes.patch
+Patch26: 0026-segtree-Use-expr_clone-in-get_set_interval_.patch
+Patch27: 0027-segtree-Merge-get_set_interval_find-and-get_set_inte.patch
+Patch28: 0028-tests-0034get_element_0-do-not-discard-stderr.patch
+Patch29: 0029-segtree-Fix-get-element-command-with-prefixes.patch
+Patch30: 0030-include-Resync-nf_tables.h-cache-copy.patch
+Patch31: 0031-src-Set-NFT_SET_CONCAT-flag-for-sets-with-concatenat.patch
+
+BuildRequires: autogen
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: libtool
+BuildRequires: gcc
+BuildRequires: flex
+BuildRequires: bison
+BuildRequires: libmnl-devel
+BuildRequires: gmp-devel
+BuildRequires: readline-devel
+BuildRequires: pkgconfig(libnftnl) >= 1.1.5-3
+BuildRequires: systemd
+BuildRequires: asciidoc
+BuildRequires: iptables-devel
+BuildRequires: jansson-devel
+BuildRequires: python3-devel
+
+Requires: libnftnl >= 1.1.5-3
+
+%description
+Netfilter Tables userspace utilities.
+
+%package devel
+Summary: Development library for nftables / libnftables
+Group: Development/Libraries
+Requires: %{name} = %{epoch}:%{version}-%{release}
+Requires: pkgconfig
+
+%description devel
+Development tools and static libraries and header files for the libnftables library.
+
+%package -n python3-nftables
+Summary: Python module providing an interface to libnftables
+Requires: %{name} = %{epoch}:%{version}-%{release}
+
+%description -n python3-nftables
+The nftables python module provides an interface to libnftables via ctypes.
+
+%prep
+%autosetup -p1
+
+%build
+autoreconf -fi
+rm -Rf autom4te*.cache config.h.in~
+%configure --disable-silent-rules --with-json --with-xtables \
+ --enable-python --with-python-bin=%{__python3}
+make %{?_smp_mflags}
+
+%install
+%make_install
+find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'
+
+# Don't ship static lib (for now at least)
+rm -f $RPM_BUILD_ROOT/%{_libdir}/libnftables.a
+
+chmod 644 $RPM_BUILD_ROOT/%{_mandir}/man8/nft*
+
+mkdir -p $RPM_BUILD_ROOT/%{_unitdir}
+cp -a %{SOURCE1} $RPM_BUILD_ROOT/%{_unitdir}/
+
+mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig
+cp -a %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig/
+
+rm $RPM_BUILD_ROOT/%{_sysconfdir}/nftables/*.nft
+cp %{SOURCE3} %{SOURCE4} %{SOURCE5} \
+ $RPM_BUILD_ROOT/%{_sysconfdir}/nftables/
+
+find $RPM_BUILD_ROOT/%{_sysconfdir} \
+ \( -type d -exec chmod 0700 {} \; \) , \
+ \( -type f -exec chmod 0600 {} \; \)
+
+# make nftables.py use the real library file name
+# to avoid nftables-devel package dependency
+sofile=$(readlink $RPM_BUILD_ROOT/%{_libdir}/libnftables.so)
+sed -i -e 's/\(sofile=\)".*"/\1"'$sofile'"/' \
+ $RPM_BUILD_ROOT/%{python3_sitelib}/nftables/nftables.py
+touch -r %{SOURCE2} $RPM_BUILD_ROOT/%{python3_sitelib}/nftables/nftables.py
+
+%post
+%systemd_post nftables.service
+
+%preun
+%systemd_preun nftables.service
+
+%postun
+%systemd_postun_with_restart nftables.service
+
+%post devel
+%ldconfig_post
+
+%postun devel
+%ldconfig_postun
+
+%files
+%license COPYING
+%config(noreplace) %{_sysconfdir}/nftables/
+%config(noreplace) %{_sysconfdir}/sysconfig/nftables.conf
+%{_sbindir}/nft
+%{_libdir}/libnftables.so.*
+%{_mandir}/man5/libnftables-json.5*
+%{_mandir}/man8/nft*
+%{_unitdir}/nftables.service
+%{_docdir}/nftables/examples/*.nft
+
+%files devel
+%{_libdir}/libnftables.so
+%{_libdir}/pkgconfig/libnftables.pc
+%{_includedir}/nftables/libnftables.h
+%{_mandir}/man3/libnftables.3*
+
+%files -n python3-nftables
+%{python3_sitelib}/nftables-*.egg-info
+%{python3_sitelib}/nftables/
+
+%changelog
+* Sat Aug 08 2020 Phil Sutter [0.9.3-16.el8]
+- src: Set NFT_SET_CONCAT flag for sets with concatenated ranges (Phil Sutter) [1820684]
+- include: Resync nf_tables.h cache copy (Phil Sutter) [1820684]
+
+* Tue Jun 30 2020 Phil Sutter [0.9.3-15.el8]
+- segtree: Fix get element command with prefixes (Phil Sutter) [1832235]
+- tests: 0034get_element_0: do not discard stderr (Phil Sutter) [1832235]
+- segtree: Merge get_set_interval_find() and get_set_interval_end() (Phil Sutter) [1832235]
+- segtree: Use expr_clone in get_set_interval_*() (Phil Sutter) [1832235]
+- segtree: Fix missing expires value in prefixes (Phil Sutter) [1832235]
+
+* Wed Jun 24 2020 Phil Sutter [0.9.3-14.el8]
+- JSON: Improve performance of json_events_cb() (Phil Sutter) [1835300]
+- doc: Document notrack statement (Phil Sutter) [1841292]
+
+* Wed May 27 2020 Phil Sutter [0.9.3-13.el8]
+- parser_json: Support ranges in concat expressions (Phil Sutter) [1805798]
+
+* Thu Mar 26 2020 Phil Sutter [0.9.3-12.el8]
+- Restore default config to be empty (Phil Sutter) [1694723]
+
+* Mon Feb 17 2020 Phil Sutter [0.9.3-11.el8]
+- Package requires libnftnl-1.1.5-3 (Phil Sutter) [1795224]
+- src: Add support for concatenated set ranges (Phil Sutter) [1795224]
+- src: Add support for NFTNL_SET_DESC_CONCAT (Phil Sutter) [1795224]
+- include: resync nf_tables.h cache copy (Phil Sutter) [1795224]
+- parser: add a helper for concat expression handling (Phil Sutter) [1795224]
+
+* Wed Feb 12 2020 Phil Sutter [0.9.3-10.el8]
+- scanner: Extend asteriskstring definition (Phil Sutter) [1763652]
+- doc: nft.8: Mention wildcard interface matching (Phil Sutter) [1763652]
+- tests: py: Support testing host binaries (Phil Sutter) [1754047]
+- tests: monitor: Support testing host's nft binary (Phil Sutter) [1754047]
+- tests: monitor: Support running individual test cases (Phil Sutter) [1754047]
+- tests: json_echo: Support testing host binaries (Phil Sutter) [1754047]
+- tests: json_echo: Fix for Python3 (Phil Sutter) [1754047]
+
+* Mon Jan 27 2020 Phil Sutter [0.9.3-9.el8]
+- netlink: Avoid potential NULL-pointer deref in netlink_gen_payload_stmt() (Phil Sutter) [1793030]
+- netlink: Fix leaks in netlink_parse_cmp() (Phil Sutter) [1793030]
+- netlink: Fix leak in unterminated string deserializer (Phil Sutter) [1793030]
+
+* Fri Jan 17 2020 Phil Sutter [0.9.3-8.el8]
+- cache: Fix for doubled output after reset command (Phil Sutter) [1790793]
+- tests: shell: Search diff tool once and for all (Phil Sutter) [1790793]
+- xfrm: spi is big-endian (Phil Sutter) [1790963]
+
+* Mon Jan 13 2020 Phil Sutter [0.9.3-7.el8]
+- monitor: Fix output for ranges in anonymous sets (Phil Sutter) [1774742]
+
+* Fri Jan 10 2020 Phil Sutter [0.9.3-6.el8]
+- monitor: Do not decompose non-anonymous sets (Phil Sutter) [1774742]
+- main: restore --debug (Phil Sutter) [1778883]
+- main: enforce options before commands (Phil Sutter) [1778883]
+
+* Fri Jan 10 2020 Phil Sutter [0.9.3-5.el8]
+- Install an improved sample config (Phil Sutter) [1694723]
+
+* Wed Dec 04 2019 Phil Sutter [0.9.3-4.el8]
+- Explicitly depend on newer libnftl version (Phil Sutter) [1643192]
+
+* Tue Dec 03 2019 Phil Sutter [0.9.3-3.el8]
+- Fix permissions of osf-related configs (Phil Sutter) [1776462]
+
+* Tue Dec 03 2019 Phil Sutter [0.9.3-2.el8]
+- Add example scripts to nftables package (Phil Sutter) [1643192]
+
+* Mon Dec 02 2019 Phil Sutter [0.9.3-1.el8]
+- Rebase onto upstream release 0.9.3 (Phil Sutter) [1643192]
+
+* Mon Oct 21 2019 Phil Sutter [0.9.2-4.el8]
+- tproxy: Add missing error checking when parsing from netlink (Phil Sutter) [1643192]
+- parser_json: Fix checking of parse_policy() return code (Phil Sutter) [1643192]
+
+* Fri Oct 18 2019 Phil Sutter [0.9.2-3.el8]
+- spec: Avoid multilib problems due to updated nftables.py (Phil Sutter) [1643192]
+
+* Fri Oct 18 2019 Phil Sutter [0.9.2-2.el8]
+- rule: Fix for single line ct timeout printing (Phil Sutter) [1643192]
+- tests/monitor: Fix for changed ct timeout format (Phil Sutter) [1643192]
+- monitor: Add missing newline to error message (Phil Sutter) [1643192]
+- src: restore --echo with anonymous sets (Phil Sutter) [1643192]
+
+* Tue Oct 15 2019 Phil Sutter [0.9.2-1.el8]
+- src: obj: fix memleak in handle_free() (Phil Sutter) [1643192]
+- libnftables: memleak when list of commands is empty (Phil Sutter) [1643192]
+- mnl: do not cache sender buffer size (Phil Sutter) [1643192]
+- src: meter: avoid double-space in list ruleset output (Phil Sutter) [1643192]
+- src: parser_json: fix crash while restoring secmark object (Phil Sutter) [1643192]
+- nftables: don't crash in 'list ruleset' if policy is not set (Phil Sutter) [1643192]
+- json: tests: fix typo in ct expectation json test (Phil Sutter) [1643192]
+- parser_bison: Fix 'exists' keyword on Big Endian (Phil Sutter) [1643192]
+- json: fix type mismatch on "ct expect" json exporting (Phil Sutter) [1643192]
+- libnftables: use-after-free in exit path (Phil Sutter) [1643192]
+- netlink_delinearize: fix wrong conversion to "list" in ct mark (Phil Sutter) [1643192]
+- mnl: fix --echo buffer size again (Phil Sutter) [1643192]
+- parser_json: fix crash on insert rule to bad references (Phil Sutter) [1643192]
+- evaluate: flag fwd and queue statements as terminal (Phil Sutter) [1643192]
+- tests: shell: check that rule add with index works with echo (Phil Sutter) [1643192]
+- cache: fix --echo with index/position (Phil Sutter) [1643192]
+- src: secmark: fix brace indentation and missing quotes in selctx output (Phil Sutter) [1643192]
+- Add python3-nftables sub-package (Phil Sutter) [1643192]
+- Rebase onto upstream version 0.9.2 (Phil Sutter) [1643192]
+
+* Mon Aug 12 2019 Phil Sutter - 1:0.9.0-14
+- src: fix jumps on bigendian arches
+- src: json: fix constant parsing on bigendian
+
+* Thu Aug 08 2019 Phil Sutter - 1:0.9.0-13
+- Fix for adding a rule with index and set reference
+
+* Wed Jul 31 2019 Phil Sutter - 1:0.9.0-12
+- Fix permissions of /etc/nftables directory
+
+* Wed Jun 26 2019 Phil Sutter - 1:0.9.0-11
+- Fix segfault with xtables support
+
+* Wed Jun 26 2019 Phil Sutter - 1:0.9.0-10
+- Fix typo in spec file
+
+* Wed Jun 26 2019 Phil Sutter - 1:0.9.0-9
+- Allow variables in jump statement
+- Make example configs readable only by root
+- Document nft list parameters
+- Document vmap statement
+- Install netdev-ingress.nft sample config in the right spot
+- Backport upstream fixes since last release
+
+* Fri Mar 01 2019 Phil Sutter - 1:0.9.0-8
+- Add missing patch to spec file
+
+* Fri Dec 21 2018 Phil Sutter - 1:0.9.0-7
+- src: Reject 'export vm json' command
+
+* Tue Dec 18 2018 Phil Sutter - 1:0.9.0-6
+- Rebuild for updated libnftnl
+
+* Thu Dec 13 2018 Phil Sutter - 1:0.9.0-5
+- nft.8: Document log level audit
+- nft.8: Clarify 'index' option of add rule command
+
+* Thu Oct 25 2018 Phil Sutter - 1:0.9.0-4
+- Add fixes for covscan report
+- Fix for ECN keyword in LHS of relational
+- Update meta pkt_type value description
+- Fix for segfault with JSON output if xt expression is present
+- Add missing nft suffix to files included from /etc/sysconfig/nftables.conf
+- Use native JSON API in nft monitor
+
+* Thu Oct 11 2018 Phil Sutter - 1:0.9.0-3
+- Enable xtables support
+- Enable JSON support
+
+* Mon Sep 10 2018 Phil Sutter - 1:0.9.0-2
+- Allow icmpx in inet/bridge families
+
+* Tue Aug 14 2018 Phil Sutter - 1:0.9.0-1
+- New version 0.9.0
+- Install libnftables
+- Add devel sub-package
+- Add gcc BuildRequires
+
+* Sat Mar 03 2018 Kevin Fenzi - 0.8.3-1
+- Update to 0.8.3. Fixes bug #1551207
+
+* Thu Feb 08 2018 Fedora Release Engineering - 1:0.8.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Mon Feb 05 2018 Kevin Fenzi - 0.8.2-1
+- Update to 0.8.2. Fixes bug #1541582
+
+* Tue Jan 16 2018 Kevin Fenzi - 0.8.1-1
+- Update to 0.8.1. Fixes bug #1534982
+
+* Sun Oct 22 2017 Kevin Fenzi - 0.8-1
+- Update to 0.8.
+
+* Thu Aug 03 2017 Fedora Release Engineering - 1:0.7-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Wed Jul 26 2017 Fedora Release Engineering - 1:0.7-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Fri Feb 10 2017 Fedora Release Engineering - 1:0.7-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Thu Jan 12 2017 Igor Gnatenko - 1:0.7-2
+- Rebuild for readline 7.x
+
+* Thu Dec 22 2016 Kevin Fenzi - 0.7-1
+- Update to 0.7
+
+* Fri Jul 15 2016 Kevin Fenzi - 0.6-2
+- Rebuild for new glibc symbols
+
+* Thu Jun 02 2016 Kevin Fenzi - 0.6-1
+- Update to 0.6.
+
+* Sun Apr 10 2016 Kevin Fenzi - 0.5-4
+- Add example config files and move config to /etc/sysconfig. Fixes bug #1313936
+
+* Fri Mar 25 2016 Kevin Fenzi - 0.5-3
+- Add systemd unit file. Fixes bug #1313936
+
+* Thu Feb 04 2016 Fedora Release Engineering - 1:0.5-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Thu Sep 17 2015 Kevin Fenzi 0.5-1
+- Update to 0.5
+
+* Wed Jun 17 2015 Fedora Release Engineering - 1:0.4-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Sat Jan 10 2015 Kevin Fenzi 0.4-2
+- Add patch to fix nft -f dep gen.
+
+* Fri Dec 26 2014 Kevin Fenzi 0.4-1
+- Update to 0.4
+- Add Epoch to fix versioning.
+
+* Wed Sep 03 2014 Kevin Fenzi 0.100-4.20140903git
+- Update to 20140903 snapshot
+
+* Sun Aug 17 2014 Fedora Release Engineering - 0.100-4.20140704git
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Fri Jul 04 2014 Kevin Fenzi 0.100-3.20140704git
+- Update to new snapshot
+
+* Sat Jun 07 2014 Fedora Release Engineering - 0.100-2.20140426git
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Sat Apr 26 2014 Kevin Fenzi 0.100-1.20140426git
+- Update t0 20140426
+
+* Sun Mar 30 2014 Kevin Fenzi 0.100-1.20140330git
+- Update to 20140330 snapshot
+- Sync versions to be post 0.100 release.
+
+* Wed Mar 26 2014 Kevin Fenzi 0-0.7.20140326git
+- Update to 20140326 snapshot
+- Fix permissions on man pages.
+
+* Mon Mar 24 2014 Kevin Fenzi 0-0.6.20140324git
+- Update to 20140324 snapshot
+
+* Fri Mar 07 2014 Kevin Fenzi 0-0.5.20140307git
+- Update to 20140307
+
+* Sat Jan 25 2014 Kevin Fenzi 0-0.4.20140125git
+- Update to 20140125 snapshot
+
+* Sat Jan 18 2014 Kevin Fenzi 0-0.3.20140118git
+- Update to 20140118 snapshot
+- Fixed License tag to be correct
+- Fixed changelog
+- nft scripts now use full path for nft
+- Fixed man page building
+- Dropped unneeded rm in install
+- Patched build to not be silent.
+
+* Tue Dec 03 2013 Kevin Fenzi 0-0.2.20131202git
+- Use upstream snapshots for source.
+- Use 0 for version.
+
+* Sat Nov 30 2013 Kevin Fenzi 0-0.1
+- initial version for Fedora review
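Review bot: The permission-tightening `find $RPM_BUILD_ROOT/%{_sysconfdir} \( -type d -exec chmod 0700 ... \) , \( -type f -exec chmod 0600 ... \)` pass in `%install` has no comment stating why the shipped rulesets become root-only, and since find also processes its starting point it rewrites the mode of `$RPM_BUILD_ROOT/etc` and `$RPM_BUILD_ROOT/etc/sysconfig` themselves; neither directory is listed in `%files`, so nothing packaged is affected, but the intent would be clearer as `find $RPM_BUILD_ROOT/%{_sysconfdir} -mindepth 1 \` preceded by a comment such as `# Shipped rulesets and sysconfig are root-only (0700/0600): they describe the host's filtering policy`. Separately, `URL:` and `Source0:` point at plain `http://` netfilter.org locations; rpmbuild itself does not download from them, so this is documentation rather than a fetch path, but switching to `https://` where upstream serves it avoids pointing readers at an unauthenticated download. The hunk is the entire new file, so no enclosing section is cut at either edge.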