ZhuningOS/iptables
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Initialize for iptables

Browse source
This commit is contained in:
zyppe 2024-02-09 17:26:23 +08:00
commit 1298b45ad5
9 changed files with 1584 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
.gitignore vendored Normal file
View file

@ -0,0 +1 @@
iptables-1.8.7.tar.bz2

1
.iptables.metadata Normal file
View file

@ -0,0 +1 @@
a18c2c6017382c51376627cde74d6a96bb2733db16a18e6ea7981899ecd27adf iptables-1.8.7.tar.bz2

24
iptables-1.8.2-dont_read_garbage.patch Normal file
View file

@ -0,0 +1,24 @@
From: Fabian Vogt <fvogt@suse.com>
Date: 2019-04-04 13:41:59 +0200
Subject: 'iptables -L' reads garbage
References: [bsc#1106751]
Upstream: reported (https://bugzilla.netfilter.org/show_bug.cgi?id=1331)
This patch fixes a situation where 'iptables -L' reads garbage
from the struct as the kernel never filled it in the bugged case.
This can lead to issues like mapping a few TiB of memory
---
Index: iptables-1.8.2/libiptc/libiptc.c
===================================================================
--- iptables-1.8.2.orig/libiptc/libiptc.c
+++ iptables-1.8.2/libiptc/libiptc.c
@@ -1305,6 +1305,7 @@ TC_INIT(const char *tablename)
{
struct xtc_handle *h;
STRUCT_GETINFO info;
+ memset(&info, 0, sizeof(info));
unsigned int tmp;
socklen_t s;
int sockfd;

BIN
iptables-1.8.7.tar.bz2.sig Normal file
View file

Binary file not shown.

75
iptables-batch-lock.patch Normal file
View file

@ -0,0 +1,75 @@
From: Matthias Gerstner <matthias.gerstner@suse.com>
Date: 2017-06-26T10:53:24+0000
- fix a locking issue of iptables-batch which can cause it to spuriously fail
when other programs modify the iptables rules in parallel (bnc#1045130).
This can especially affect SuSEfirewall2 during startup.
---
iptables/iptables-batch.c | 21 +++++++++++++++++++++
iptables/xshared.c | 8 +++++++-
2 files changed, 28 insertions(+), 1 deletion(-)
Index: iptables-1.8.6/iptables/iptables-batch.c
===================================================================
--- iptables-1.8.6.orig/iptables/iptables-batch.c
+++ iptables-1.8.6/iptables/iptables-batch.c
@@ -403,6 +403,27 @@ main(int argc, char *argv[])
tables[3].name = "raw";
tables[3].handle = NULL;
current_table = &tables[0];
+ /*
+ * We need to lock the complete batch processing against parallel
+ * modification by other processes. Otherwise, we can end up with
+ * EAGAIN errors.
+ *
+ * The do_command{4,6} function already locks itself, but the complete
+ * call sequence needs to be locked until the commit is performed.
+ *
+ * Sadly, the xtables_lock() implementation is not very cooperative.
+ * There is no unlock() equivalent. The lock file descriptor is smiply
+ * left open until the process exits. Thus, we would have deadlocks
+ * when calling do_command{4,6} the second time.
+ *
+ * To prevent this, part of this patch adds logic to avoid taking the
+ * lock a second time in the same process in xtables_lock()
+ */
+ const struct timeval wait_interval = {.tv_sec = 1};
+ if (!xtables_lock_or_exit(-1, &wait_interval)) {
+ fprintf(stderr, "failed to acquire the xtables lock\n");
+ exit(1);
+ }
while((r = getline(&iline, &llen, fp)) != -1)
{
Index: iptables-1.8.6/iptables/xshared.c
===================================================================
--- iptables-1.8.6.orig/iptables/xshared.c
+++ iptables-1.8.6/iptables/xshared.c
@@ -248,10 +248,14 @@ void xs_init_match(struct xtables_match
static int xtables_lock(int wait, struct timeval *wait_interval)
{
+ static bool already_locked = false;
struct timeval time_left, wait_time;
const char *lock_file;
int fd, i = 0;
+ if (already_locked)
+ /* Avoid deadlocks, see iptables-batch.c */
+ return true;
time_left.tv_sec = wait;
time_left.tv_usec = 0;
@@ -267,8 +271,10 @@ static int xtables_lock(int wait, struct
}
if (wait == -1) {
- if (flock(fd, LOCK_EX) == 0)
+ if (flock(fd, LOCK_EX) == 0) {
+ already_locked = true;
return fd;
+ }
fprintf(stderr, "Can't lock %s: %s\n", lock_file,
strerror(errno));

495
iptables-batch.patch Normal file
View file

@ -0,0 +1,495 @@
---
iptables/Makefile.am | 9
iptables/iptables-batch.c | 468 ++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 477 insertions(+)
Index: iptables-1.8.6/iptables/Makefile.am
===================================================================
--- iptables-1.8.6.orig/iptables/Makefile.am
+++ iptables-1.8.6/iptables/Makefile.am
@@ -138,3 +138,12 @@ uninstall-hook:
); \
( cd "$$dir" && rm -f ip6tables-apply ); \
}
+
+iptables_legacy_batch_SOURCES = iptables-batch.c iptables.c xshared.c
+iptables_legacy_batch_LDFLAGS = ${xtables_legacy_multi_LDFLAGS}
+iptables_legacy_batch_LDADD = ${xtables_legacy_multi_LDADD}
+ip6tables_legacy_batch_SOURCES = iptables-batch.c ip6tables.c xshared.c
+ip6tables_legacy_batch_CFLAGS = ${AM_CFLAGS} -DIP6T
+ip6tables_legacy_batch_LDFLAGS = ${xtables_legacy_multi_LDFLAGS}
+ip6tables_legacy_batch_LDADD = ${xtables_legacy_multi_LDADD}
+sbin_PROGRAMS += iptables-legacy-batch ip6tables-legacy-batch
Index: iptables-1.8.6/iptables/iptables-batch.c
===================================================================
--- /dev/null
+++ iptables-1.8.6/iptables/iptables-batch.c
@@ -0,0 +1,468 @@
+/*
+ * Author: Ludwig Nussel <ludwig.nussel@suse.de>
+ * Update for iptables 1.4.3.x: Petr Uzel <petr.uzel@suse.cz>
+ *
+ * Based on the ipchains code by Paul Russell and Michael Neuling
+ *
+ * (C) 2000-2002 by the netfilter coreteam <coreteam@netfilter.org>:
+ * Paul 'Rusty' Russell <rusty@rustcorp.com.au>
+ * Marc Boucher <marc+nf@mbsi.ca>
+ * James Morris <jmorris@intercode.com.au>
+ * Harald Welte <laforge@gnumonks.org>
+ * Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ *
+ * iptables-batch -- iptables batch processor
+ *
+ * See the accompanying manual page iptables(8) for information
+ * about proper usage of this program.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ */
+
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <ctype.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <string.h>
+
+#ifdef IP6T
+#include <ip6tables.h>
+#else
+#include <iptables.h>
+#endif
+#include <xtables.h>
+
+#ifdef IP6T
+#define prog_name ip6tables_globals.program_name
+#define prog_ver ip6tables_globals.program_version
+#else
+#define prog_name iptables_globals.program_name
+#define prog_ver iptables_globals.program_version
+#endif
+
+static char* errstr = NULL;
+
+static unsigned current_line = 0;
+
+static char*
+skipspace(char* ptr)
+{
+ while(*ptr && isspace(*ptr))
+ ++ptr;
+ return ptr;
+}
+
+static char*
+getliteral(char** ptr)
+{
+ char* start = *ptr;
+ char* p = start;
+
+ while(*p && !isspace(*p))
+ ++p;
+
+ if(*p)
+ {
+ *p = '\0';
+ ++p;
+ }
+
+ *ptr = p;
+ return start;
+}
+
+static char*
+getstring(char** ptr)
+{
+ char* start = *ptr+1; // skip leading "
+ char* p = start;
+ char* o = start;
+ int backslash = 0;
+ int done = 0;
+
+ while(*p && !done)
+ {
+ if(backslash)
+ {
+ backslash = 0;
+ // no escapes supported, just eat the backslash
+ *o++ = *p++;
+ }
+ else if(*p == '\\')
+ {
+ backslash = 1;
+ p++;
+ }
+ else if(*p == '"')
+ {
+ done = 1;
+ }
+ else
+ {
+ *o++ = *p++;
+ }
+ }
+
+ if(done)
+ {
+ *o = '\0';
+ *p = '\0';
+ ++p;
+ *ptr = p;
+ }
+ else
+ {
+ errstr = "missing \" at end of string";
+ start = NULL;
+ }
+ return start;
+}
+
+// this is just a very basic method, not 100% shell compatible
+static char*
+getword(char** ptr)
+{
+ *ptr = skipspace(*ptr);
+ if(**ptr == '"')
+ return getstring(ptr);
+ return getliteral(ptr);
+}
+
+// destructive
+static int
+tokenize(int* argc, char* argv[], size_t nargvsize, char* iline)
+{
+ char* ptr = skipspace(iline);
+ int ret = 0;
+ char* word;
+
+ while(ptr && *ptr)
+ {
+ if(*ptr == '#')
+ break;
+ if(*argc >= nargvsize)
+ {
+ errstr = "too many arguments";
+ ret = -1;
+ break;
+ }
+ word = getword(&ptr);
+ if(!word)
+ {
+ ret = -1;
+ break;
+ }
+ argv[(*argc)++] = word;
+ ++ret;
+ }
+ return ret;
+}
+
+#ifdef DEBUG
+static void
+dumpargv(int argc, char* argv[])
+{
+ int i;
+ for(i=0; i < argc; ++i)
+ {
+ printf("%s\"%s\"",i?" ":"", argv[i]);
+ }
+ puts("");
+}
+#endif
+
+struct table_handle
+{
+ char* name;
+#ifdef IP6T
+ struct ip6tc_handle *handle;
+#else
+ struct iptc_handle *handle;
+#endif
+};
+
+static struct table_handle* tables = NULL;
+static unsigned num_tables;
+struct table_handle* current_table;
+
+static void
+alloc_tables(void)
+{
+ tables = realloc(tables, sizeof(struct table_handle) * num_tables);
+}
+
+static void
+set_current_table(const char* name)
+{
+ unsigned i;
+
+ if(!strcmp(name, current_table->name)) // same as last time?
+ return;
+
+ for(i = 0; i < num_tables; ++i) // find already known table
+ {
+ if(!strcmp(name, tables[i].name))
+ {
+ current_table = &tables[i];
+ return;
+ }
+ }
+
+ // table name not known, create new
+ i = num_tables++;
+ alloc_tables();
+ current_table = &tables[i];
+ current_table->name = strdup(name);
+ current_table->handle = NULL;
+}
+
+static int
+find_table(int argc, char* argv[])
+{
+ int i;
+ for(i = 0; i < argc; ++i)
+ {
+ if(!strcmp(argv[i], "-t") || !strcmp(argv[i], "--table"))
+ {
+ ++i;
+ if(i >= argc)
+ {
+ fprintf(stderr, "line %d: missing table name after %s\n",
+ current_line, argv[i]);
+ return 0;
+ }
+ set_current_table(argv[i]);
+ return 1;
+ }
+ }
+
+ // no -t specified
+ set_current_table("filter");
+
+ return 1;
+}
+
+static int
+do_iptables(int argc, char* argv[])
+{
+ char *table = "filter";
+ int ret = 0;
+
+ if(!find_table(argc, argv))
+ return 0;
+
+#ifdef IP6T
+ ret = do_command6(argc, argv, &table, &current_table->handle, true);
+
+ if (!ret)
+ {
+ fprintf(stderr, "line %d: %s\n", current_line, ip6tc_strerror(errno));
+ }
+ else
+ {
+ if(!table || strcmp(table, current_table->name))
+ {
+ fprintf(stderr, "line %d: expected table %s, got %s\n",
+ current_line, current_table->name, table);
+ exit(1);
+ }
+ }
+#else
+ ret = do_command4(argc, argv, &table, &current_table->handle, true);
+
+ if (!ret)
+ {
+ fprintf(stderr, "line %d: %s\n", current_line, iptc_strerror(errno));
+ }
+ else
+ {
+ if(!table || strcmp(table, current_table->name))
+ {
+ fprintf(stderr, "line %d: expected table %s, got %s\n",
+ current_line, current_table->name, table);
+ exit(1);
+ }
+ }
+#endif
+
+ return ret;
+}
+
+static int
+do_commit(void)
+{
+ unsigned i;
+ int ret = 1;
+
+ for(i = 0; i < num_tables; ++i)
+ {
+ if(tables[i].handle)
+ {
+#ifdef IP6T
+ ret = ip6tc_commit(tables[i].handle);
+ if (!ret)
+ fprintf(stderr, "commit failed on table %s: %s\n", tables[i].name, ip6tc_strerror(errno));
+ ip6tc_free(tables[i].handle);
+ tables[i].handle = NULL;
+#else
+ ret = iptc_commit(tables[i].handle);
+ if (!ret)
+ fprintf(stderr, "commit failed on table %s: %s\n", tables[i].name, iptc_strerror(errno));
+ iptc_free(tables[i].handle);
+ tables[i].handle = NULL;
+#endif
+ }
+ }
+
+ return ret;
+}
+
+static void
+help(void)
+{
+ fprintf(stderr, "Usage: %s [FILE]\n\n", prog_name);
+ puts("Read iptables commands from FILE, commit them at EOF\n");
+ puts("In addition to normal iptables calls the commands");
+ puts("'commit' and 'exit' are understood.");
+ exit(0);
+}
+
+int
+main(int argc, char *argv[])
+{
+ int ret = 1;
+ int c;
+ int numtok;
+ size_t llen = 0;
+ char* iline = NULL;
+ ssize_t r = -1;
+ int nargc = 0;
+ char* nargv[256];
+ FILE* fp = stdin;
+
+#ifdef IP6T
+ prog_name = "ip6tables-batch";
+#else
+ prog_name = "iptables-batch";
+#endif
+
+#ifdef IP6T
+ c = xtables_init_all(&ip6tables_globals, NFPROTO_IPV6);
+#else
+ c = xtables_init_all(&iptables_globals, NFPROTO_IPV4);
+#endif
+
+ if(c < 0) {
+ fprintf(stderr, "%s/%s Failed to initialize xtables\n",
+ prog_name,
+ prog_ver);
+ exit(1);
+ }
+
+#ifdef NO_SHARED_LIBS
+ init_extensions();
+#endif
+ if(argc > 1)
+ {
+ if(!strcmp(argv[1], "--help") || !strcmp(argv[1], "-h"))
+ {
+ help();
+ }
+ else if(strcmp(argv[1], "-"))
+ {
+ fp = fopen(argv[1], "r");
+ if(!fp)
+ {
+ perror("fopen");
+ exit(1);
+ }
+ }
+ }
+
+ num_tables = 4;
+ alloc_tables();
+ tables[0].name = "filter";
+ tables[0].handle = NULL;
+ tables[1].name = "mangle";
+ tables[1].handle = NULL;
+ tables[2].name = "nat";
+ tables[2].handle = NULL;
+ tables[3].name = "raw";
+ tables[3].handle = NULL;
+ current_table = &tables[0];
+
+ while((r = getline(&iline, &llen, fp)) != -1)
+ {
+ if(llen < 1 || !*iline)
+ continue;
+ if(iline[strlen(iline)-1] == '\n')
+ iline[strlen(iline) -1 ] = '\0';
+
+ ++current_line;
+ nargc = 0;
+ errstr = NULL;
+ numtok = tokenize(&nargc, nargv, (sizeof(nargv)/sizeof(nargv[0])), iline);
+ if(numtok == -1)
+ {
+ }
+ else if (numtok == 0)
+ {
+ continue;
+ }
+ else if(nargc < 1)
+ {
+ errstr = "insufficient number of arguments";
+ }
+
+ if(errstr)
+ {
+ fprintf(stderr, "parse error in line %d: %s\n", current_line, errstr);
+ ret = 0;
+ break;
+ }
+
+#ifdef DEBUG
+ dumpargv(nargc, nargv);
+#endif
+
+#ifdef IP6T
+ if(!strcmp(nargv[0], "ip6tables"))
+#else
+ if(!strcmp(nargv[0], "iptables"))
+#endif
+ {
+ ret = do_iptables(nargc, nargv);
+ if(!ret) break;
+ }
+ else if(!strcmp(nargv[0], "exit"))
+ {
+ break;
+ }
+ else if(!strcmp(nargv[0], "commit"))
+ {
+ /* do nothing - see bnc#500990, comment #16 */
+ }
+ else
+ {
+ fprintf(stderr, "line %d: invalid command '%s'\n", current_line, nargv[0]);
+ }
+ }
+
+ if(ret)
+ ret = do_commit();
+
+ exit(!ret);
+}

605
iptables.changes Normal file
View file

@ -0,0 +1,605 @@
* Fri Jan 15 2021 jengelh@inai.de
- Update to release 1.8.7
* iptables-nft:
* Improved performance when matching on IP/MAC address prefixes
if the prefix is byte-aligned. In ideal cases, this doubles
packet processing performance.
* Dump user-defined chains in lexical order. This way ruleset
dumps become stable and easily comparable.
* Avoid pointless table/chain creation. For instance,
`iptables-nft -L` no longer creates missing base-chains.
* Sun Nov 1 2020 jengelh@inai.de
- Update to release 1.8.6
* iptables-nft had pointlessly added "bitwise" expressions to
each IP address match, needlessly slowing down run-time
performance (by 50%% in worst cases).
* iptables-nft-restore: Support basechain policy value of "-"
(indicating to not change the chain's policy).
* nft-translte: Fix translation of ICMP type "any" match.
* Wed Jun 3 2020 jengelh@inai.de
- Update to release 1.8.5
* IDLETIMER: Add alarm timer option
* nft: CT: add translation for NOTRACK
- Drop iptables-apply-mktemp-fix.patch (seemingly applied)
* Mon Dec 2 2019 jengelh@inai.de
- Update to release 1.8.4
* Fix for wrong counter format in `ebtables-nft-save -c` output.
* Print typical iptables-save comments in arptables- and
ebtables-save, too.
* xt_owner: add --suppl-groups option
* Remove support for /etc/xtables.conf
* Restore support for "-4" and "-6" options in rule lines.
* Mon Sep 30 2019 kstreitova@suse.com
- Add Conflicts with iptables-nft = 1.6.2 as during the update to
iptables 1.8 ip6tables-restore-translate, ip6tables-translate,
iptables-restore-translate and iptables-translate were moved from
iptables-nft subpackage (now iptables-backend-nft) to the main
package. So we need to add a conflict here otherwise we hit file
conflicts error during the update.
* Fri Sep 6 2019 kstreitova@suse.com
- add missing Provides/Obsoletes for the renamed package
iptables-backend-nft (was iptables-nft)
* Tue May 28 2019 jengelh@inai.de
- Update to new upstream release 1.8.3
* ebtables: Fix rule listing with counters
* ebtables-nft: Support user-defined chain policies
- Remove 0001-include-extend-the-headers-conflict-workaround-to-in.patch
0001-include-fix-build-with-kernel-headers-before-4.2.patch
(upstreamed)
* Wed May 22 2019 jengelh@inai.de
- Add 0001-include-fix-build-with-kernel-headers-before-4.2.patch,
0001-include-extend-the-headers-conflict-workaround-to-in.patch
to fix build with older linux-glibc-devel. [boo#1132821]
* Thu Apr 4 2019 kstreitova@suse.com
- Add iptables-1.8.2-dont_read_garbage.patch that fixes a situation
where 'iptables -L' reads garbage from the struct as the kernel
never filled it in the bugged case. This can lead to issues like
mapping a few TiB of memory [bsc#1106751].
* Tue Nov 13 2018 jengelh@inai.de
- Update to new upstream release 1.8.2
* Fix incorrect handling of various targets and options in
iptables-nft,ebtables-nft,arptables-nft.
* Tue Oct 23 2018 jengelh@inai.de
- Update to new upstream release 1.8.1
* New cgroup match revision with reduced memory footprint
* Mon Sep 24 2018 astieger@suse.com
- note build-time dependency on libnftnl >= 1.1.1
* Tue Sep 4 2018 mchandras@suse.de
- Add missing update-alternatives dependency to Requires(post)
section. If this is missing the package fails to install properly
when it is used as build dependency.
* Mon Jul 9 2018 jengelh@inai.de
- Update to new upstream release 1.8.0 and snapshot 1.8.0.g75
* The ipv6 "srh" match can now match previous/next/last sid
* CONNMARK target now supports bit-shifting for restore,set
and save-mark.
* DNAT now supports shifted portmap ranges.
* iptables now comes in two backends: legacy and nft.
* Thu May 24 2018 kukuk@suse.de
- Use %%license instead of %%doc [bsc#1082318]
* Mon Mar 12 2018 matthias.gerstner@suse.com
- Fix ethertypes ownership, should be %%exclude, not %%ghost.
* Thu Feb 22 2018 matthias.gerstner@suse.com
- Resolve conflict with ebtables and obtain ethertypes from new netcfg minor
version. FATE#320520
* Sat Feb 3 2018 jengelh@inai.de
- Update to new upstream release 1.6.2
* add support for the "srh" match
* add randomize-full for the "MASQUERADE" target
* add rate match mode to the "hashlimit" match
* Thu Jun 22 2017 matthias.gerstner@suse.com
- Add iptables-batch-lock.patch: Fix a locking issue of
iptables-batch which can cause it to spuriously fail when other
programs modify the iptables rules in parallel (bnc#1045130).
This can especially affect SuSEfirewall2 during startup.
* Fri Jan 27 2017 jengelh@inai.de
- Update to new upstream release 1.6.1
* add support for hashlimit rev 2 for higher pps rates
* add support for cgroup2 path matching
* translation program for nft
* Fri Dec 18 2015 jengelh@inai.de
- Update to final release 1.6.0
* Only a build fix, no new significant changes.
* Mon Nov 23 2015 jengelh@inai.de
- Update to new snapshot v1.4.21-367-g9763347 [1.6.0~]
* -m ah/esp/rt: restore matching "any SPI id" by default
(they unexpectedly defaulted to --spi 0 rather than --spi ALL)
* -m cgroup: new module
* -m dst: make ! --dst-len work
* -m ipcomp: new module
* -m socket: add --restore-skmark option
* -j CT: add support for new zone options
* -j REJECT: add missing ICMPv6 codes
* -j TEE: make it possible to delete rules with -D ... -j
* -j SNAT/DNAT: add randomize-full support
* Thu Apr 24 2014 dmueller@suse.com
- remove dependency on gpg-offline (blocks rebuilds and
tarball integrity is checked by source-validator anyway)
* Wed Apr 23 2014 dmueller@suse.com
- remove dependency on sgmltool: doesn't seem to be used
and reduces rebuild time on aarch64 by 8 hours
* Sat Nov 23 2013 jengelh@inai.de
- Update to new upstream release 1.4.21
* --nowildcard option for xt_socket, available since Linux kernel 3.11
* SYNPROXY support, available since Linux kernel 3.12
* Wed Aug 7 2013 jengelh@inai.de
- Update to new upstream release 1.4.20
* Introduce a new revision for the set match with the counters support
* Add locking to prevent concurrent instances
* Fri May 31 2013 jengelh@inai.de
- Update to new upstream release 1.4.19.1
* New connlabel and bpf matches
- Remove 0001-Revert-build-resolve-link-failure-for-ip6t_NETMAP.patch,
0001-libip6t_NETMAP-Use-xtables_ip6mask_to_cidr-and-get-r.patch
(are upstream)
* Mon Apr 15 2013 jengelh@inai.de
- libxt_state.so symlink was not installed (bnc#815182); fix by
removing 0001-build-also-use-libtool-for-install-stage.patch,
removing 0001-build-do-not-dereference-symlinks-on-installation.patch,
adding 0001-libip6t_NETMAP-Use-xtables_ip6mask_to_cidr-and-get-r.patch,
adding 0001-Revert-build-resolve-link-failure-for-ip6t_NETMAP.patch
* Wed Mar 20 2013 cfarrell@suse.com
- license update: GPL-2.0 and Artistic-2.0
GPL version does not have ^or later^ due to inclusion of numerous GPL 2
^only^ files. Also, aggregation of Artistic-2.0 content
* Mon Mar 4 2013 jengelh@inai.de
- Update to new upstream release 1.4.18
* documentation updates
- Create subpackage xtables-plugins, to aid packaging of xtadm
- Add 0001-build-do-not-dereference-symlinks-on-installation.patch
as a prerequisite for:
- Add 0001-build-also-use-libtool-for-install-stage.patch
to kill of undesired DT_RPATH entries
* Tue Dec 25 2012 jengelh@inai.de
- Update to new upstream release 1.4.17
* libxt_time: add support to ignore day transition
* libxt_statistic: fix save output
* Wed Nov 28 2012 sbrabec@suse.cz
- Verify GPG signature
* Thu Nov 15 2012 lnussel@suse.de
- list all required binaries explicitly to make sure all of them are actually
compiled
* Thu Nov 15 2012 jengelh@inai.de
- Always regenerate files due to SUSE's iptables-batch patch
* Mon Oct 8 2012 jengelh@inai.de
- Update to new upstream release 1.4.16.3
* This release includes aliasing support which translates command
lines using obsolete extensions into new ones. The option parser
now flags illegal negative numbers in some more extensions.
A division by zero was resolved in libxt_limit as well.
* Tue Jul 31 2012 jengelh@inai.de
- Update to new upstream release 1.4.15
* libxt_recent: add --mask netmask
* libxt_hashlimit: add support for byte-based operation
* Sat May 26 2012 jengelh@inai.de
- Update to new upstream release 1.4.14
* Support for the new cttimeout infrastructure. This allows you to
attach specific timeout policies to flow via iptables CT target.
* Tue Mar 27 2012 jengelh@medozas.de
- Update to new upstream release 1.4.13
* Add the rpfilter, nfacct and IPv6 ECN extensions
* Mon Jan 2 2012 jengelh@medozas.de
- Update to newer git snapshot (v1.4.12.2-28-g2117f2b,
but master branch), tag locally as 1.4.12.90.
* ships missing pkgconfig files, compile fix for libnfnetlink
* libxt_NFQUEUE: fix --queue-bypass ipt-save output
* libxt_connbytes: fix handling of --connbytes FROM
* libxt_recent: Add support for --reap option
- split iptables-devel into libiptc-devel and libxtables-devel
* Wed Dec 28 2011 puzel@suse.com
- iptables-apply-mktemp-fix.patch (bnc#730161)
* Wed Nov 30 2011 coolo@suse.com
- add automake as buildrequire to avoid implicit dependency
* Tue Oct 4 2011 jengelh@medozas.de
- Update to a newer git snapshot of the stable branch
(to v1.4.12.1-16-gd2b0eaa)
* resolve failure to load extensions that depend on libm.so
- rediff of iptables-batch due to fuzz
- relax runtime requires
* Thu Sep 1 2011 jengelh@medozas.de
- Update to new upstream release 1.4.12.1
* regression fixes for the new (stricter) command-line parser
- restore --includedir= in spec file
- Put libxtables into its own subpackage so that one does not need
a lockstep update of iproute2 on a new iptables package
- Remove redundant fields (Autoreqprov defaults to on, License is
inherited from main package)
* Fri Aug 12 2011 draht@suse.de
- include path is /usr/include
* Mon Aug 8 2011 jengelh@medozas.de
- Put include files into a separate directory to flag up missing
CFLAGS. libipq.pc will now be provided.
- Enable build of nfnl_osf, a tool to upload OS fingerprints to
the kernel for use with xt_osf.
* Fri Jul 22 2011 jengelh@medozas.de
- Update to new upstream release 1.4.12
* Include lost match/target descriptions in manpage again
* libxt_LOG: fix ignorance of all but the last flag
* libxt_HL: restore hl-* option names
* libxt_hashlimit: use a more obvious expiry value by default
* libxt_RATEEST: fix find-and-delete of rules with -j RATEEST
* ipv4: restore negation for the -f option
* Reject empty host specifications (e.g. -s "")
* libxt_conntrack: restore network byteordering for ABI v1 & v2
* Documentation updates
* Wed Jun 8 2011 jengelh@medozas.de
- Update to snapshot 1.4.11+git16
* libxt_owner: restore inversion support
* option: fix ignored negation before implicit extension loading
* build: fix installation of symlinks
* build: fix absence of xml translator in IPv6-only builds
- Drop merged patches
* Sun May 29 2011 jengelh@medozas.de
- Update to new upstream release 1.4.11
* stricter option parsing
* support for the current xt_SET target as contained in 2.6.39
* support for the new xt_devgroup match
* support for the new xt_AUDIT target
* support for a new NFQUEUE bypass option, allowing to bypass the
queue if no userspace listener is present
* a new iptables option "-C" to check for existence of a rules
- Fixes on top
* allow negation of --uid-owner/--gid-owner again
* fix installation of symlinks
- Run spec-beautifier
* Fri Oct 29 2010 jengelh@medozas.de
- Update to new upstream release 1.4.10
* this is the release for the Linux 2.6.36 kernel
* support for the cpu match, which can be used to improve cache
locality when running multiple server instances
* support for the IDLETIMER target, which can be used to notify
userspace of interfaces being idle
* support for the CHECKSUM target
* support for the ipvs match
* a fix for deletion of rules using the quota match
* Mon Aug 9 2010 puzel@novell.com
- update to new upstream release 1.4.9.1
* fixes a compilation problem with static linking in the 1.4.9
release
* Wed Aug 4 2010 puzel@novell.com
- update to new upstream release 1.4.9
* this is the release for the Linux 2.6.35 kernel
* support for the LED target
* a new version of the set extension for the upcoming release
supporting IPv6
* negation support for the quota match
* support for the SACK-IMMEDIATELY SCTP extension and
FORWARD_TSN chunk type in the sctp match
* documentation updates and various smaller bugfixes
* Wed May 26 2010 jengelh@medozas.de
- update to new upstream release 1.4.8
* this is the release for the Linux 2.6.34 kernel
* add support for the new xt_CT extension
* import the nfnl_osf program required for proper operation
of the xt_osf extension
* Sat Apr 24 2010 coolo@novell.com
- buildrequire pkg-config to fix provides
* Mon Mar 1 2010 jengelh@medozas.de
- update to new upstream release 1.4.7
* libipq is built as a shared library
* removal of some restrictions on interface names
* documentation updates
- rebase and fix linking of iptables-batch
- fix libdir->libexecdir
* Mon Feb 22 2010 jengelh@medozas.de
- only run configure when needed
- use %%_smp_mflags
- use newer git snapshot to fix compile error due to missing
ipt_DSCP.h in newer linux-glibc-devel (>= 2.6.32)
* Wed Dec 30 2009 puzel@novell.com
- fix bnc#561793 - do not include unclean module documentation
in iptables manpage
* Tue Dec 22 2009 jengelh@medozas.de
- update specfile descriptions (bnc#553801)
- update to iptables 1.4.6:
* combine iptables subprograms into a new multi-purpose binary
* support for new implementations: NFQUEUE v1, conntrack v2
* helper: fix invalid passed option to check_inverse
* iprange accepts single host specifications again
* iprange: do accept non-ranges for xt_iprange v1
* iprange: warn on reverse range
* libiptc: fix wrong maptype of base chain counters on restore
* iptables: fix undersized deletion mask creation
* iptables/extensions: make bundled options work again
* iptables: take masks into consideration for replace command
* xtables: warn of missing version identifier in extensions
* documentation updates
- refresh iptables-batch
* Thu Nov 12 2009 puzel@novell.com
- remove outdated howtos (bnc#551748)
* Wed Jul 15 2009 kay.sievers@novell.com
- fix libdir/libexecdir on 64bit installation
* Wed Jun 17 2009 puzel@novell.com
- install iptables-apply
* Wed Jun 17 2009 puzel@suse.cz
- update to iptables-1.4.4
* support for the new features in the 2.6.30 kernel, namely the
cluster match and persistent multi-range NAT mappings
* support for the ipset set match and target
* various minor fixes and cleanups
* documentation updates
* Mon May 11 2009 puzel@suse.cz
- make explicit 'commit' in iptables-batch do nothing (bnc#500990)
* Tue Apr 21 2009 puzel@suse.cz
- update to 1.4.3.2
- numerous documentation updates and bugfixes
- set of changes to move some of the iptables functionality to a shared
library for tc and m_ipt
- make libiptc available as shared library (closes bnc#487629)
- IPv6 support for the recent match
- TPROXY support
- SCTP/DCCP NAT support
- INCOMPATIBILITY: This release starts enforcing the deprecation of NAT
filtering that was added in 1.4.2-rc1, filtering rules in the NAT tables will
cause an error instead of a warning from now on.
- rework iptables-batch.patch (libiptc interface has changed)
- update howtos
* Fri Jan 16 2009 prusnak@suse.cz
- updated to 1.4.2
* remove dependency on libiptc headers
* fix segmentation fault with -tanything
* warn about use of DROP in nat table
* do allow --rttl for --update
* run ldconfig on `make install`
* fix invalid iptables-save output
* fix hashlimit output
* Wed Sep 10 2008 prusnak@suse.cz
- updated to 1.4.2-rc1
* libxt_TOS: make sure --set-tos value/mask is recognized
* libiptc: fix scalability performance issue during initial ruleset parsing
* xt_string: string extension case insensitive matching
* ip6tables: add --goto support
* Wed Sep 10 2008 prusnak@suse.cz
- updated to 1.4.1.1
* iptables: fix printing of line numbers with --line-numbers arg
* ip6tables: fix printing of ipv6 network masks
* build: fix `make install` when --disable-shared is used
* iprange: kernel flags were not set
* Wed Sep 10 2008 prusnak@suse.cz
- updated to 1.4.1
* iptables: use C99 lists for struct options
* Make iptables-restore usable over a pipe
* Add support for --set-counters to iptables -P
* iptables --list-rules command
* iptables --list chain rulenum
* Make --set-counters (-c) accept comma separated counters
* libxt_iprange: Fix IP validation logic
* fix ip6tables dest address printing
* Converts the iptables build infrastructure to autotools.
* Introduce strtonum(), which works like string_to_number(), but passes
* print warning when dlopen fails
* libxt_owner: UID/GID range support
* Fix compilation of iptables-static build
* xtables.h: move non-exported parts to internal.h
* Combine IP{,6}T_LIB_DIR into XTABLES_LIBDIR
* manpages: fix broken markup (missing close tags)
* manpages: update to reflect fine-grained control
* configure: split --enable-libipq from --enable-devel
* Add all necessary header files - compilation fix for various cases
* Install libiptc header files because xtables.h depends on it
* Implement AF_UNSPEC as a wildcard for extensions
* Combine ipt and ip6t manpages
* Resolve warnings on 64-bit compile
* Wrap dlopen code into NO_SHARED_LIBS
* Remove support for compilation of conditional extensions
* Resolve libipt_set warnings
* Update documentation about building the package
* configure.ac: AC_SUBST must be separate
* Dynamically create xtables.h.in with version
* configure.ac: remove already-defined variables
* Remove old functions, constants
* Makefile.am: use PACKAGE_TARNAME
* iptables out-of-tree build directory
* Introduce a counter for number of user defined chains.
* Solving scalability issue: for chain list "name" searching.
* REDIRECT: Allow symbolic port in REDIRECT --to-port
* Fix iptables-save output of libxt_owner match
* allow empty strings in argument parser
* Fix define value of SCTP chunk type.
* cleanup several code wraparounds
* Add RATEEST target extension
* Add rateest match extension
* Properly initialize revision for ip6tables targets
* Resync header files with kernel
* libiptc: move variable definitions to head of function
* Fix CONNMARK mask initialisation
* iptables-save:remove unnecessary code.
* Don't assume /bin/sh is bash
* Add xtables version defines.
* Use s6_addr32 to access bits in int6_addr instead of incompatible name
* Tue Jan 8 2008 prusnak@suse.cz
- updated to 1.4.0:
* Add support for generic xtables infrastructure (improved IPv6 support!)
* Deletes empty ->final_check() functions
* Fix sparse warnings: non-C99 array declaration, incorrect function prototypes
* Remove last vestiges of NFC
* Make @msg argument a const char *, just like printf
* Makes it possible to omit extra_opts of matches/targets if unnecessary
* Fix "iptables getsockopt failed strangely" when querying revisions
for non-existant matches and targets
* Introduces DEST_IPT_LIBDIR in Makefile
* Change default KERNEL_DIR location and add KBUILD_OUTPUT
* Removes obsolete KERNEL_64_USERSPACE_32 definitions
* Fix unused function warning
* Don't use dlfcn.h if NO_SHARED_LIBS is defined
* Fix showing help text for matches/targets with revision as user
* Print warnings to stderr
* Fix sscanf type errors
* Always print mask in iptables-save
* Don't silenty exit on failure to open /proc/net/{ip,ip6}_tables_names
* Adds --table to iptables-restore
* Make DO_MULTI=1 work for ip6tables* binaries
* Add ip6tables-{save,restore} to non-experimental target,
fix strict aliasing warnings
* Introducing libxt_*.man files. Sorted matches and modules
* Install ip6tables-{save,restore} manpages
* Performance optimization in sorting chain during pull-out
* Fix sockfd use accounting for kernels without autoloading
* use <linux/types.h>
* Fix make/compile error for iptables-1.4.0rc1
* Fix for --random option in DNAT and REDIRECT
* Document xt_statistic
* sctp: fix - mistake to pass a pointer where array is required
* Fix connlimit output for inverted --connlimit-above:
! > is <=, not <
* Add NFLOG manpage
* Move libipt_DSCP.man to libxt_DSCP.man for ip6tables.8
* Unifies libip[6]t_CONNSECMARK.man to libxt_CONNSECMARK.man
* Moves libipt_CLASSYFY.man to libxt_CLASSYFY.man for ip6tables.8
* fix check_inverse() call
- removed obsolete patch:
* strict-aliasing-fix.diff (included in update)
* Tue Jul 31 2007 prusnak@suse.cz
- removed sed scripts in %%prep section from last update
* not needed anymore
* Thu Jul 26 2007 prusnak@suse.cz
- updated to 1.3.8
* Fix build error of conntrack match
* Remove whitespace in ip6tables.c
* `-p all' and `-p 0' should be allowed in ip6tables
* hashlimit doc update
* add --random option to DNAT and REDIRECT
* Makefile uses POSIX conform directory check
* Fix missing newlines in iptables-save/restore output
* Update quota manpage for SMP
* Output for unspecified proto is `all' instead of `0'
* Fix iptables-save with --random option
* Remove unnecessary IP_NAT_RANGE_PROTO_RANDOM ifdefs
* Remove libnsl from LDLIBS
* Fix problem with iptables-restore and quotes
* Remove unnecessary includes
* Fix --modprobe parameter
* ip6tables-restore should output error of modprobe after failed to load
* Add random option to SNAT
* Fix missing space in error message
* Fixes for manpages of tcp, udp, and icmp{,6}
* Add ip6tables mh extension
* Fix tcpmss manpage
* Add ip6tables TCPMSS extension
* Add UDPLITE multiport support
* Fix missing space in ruleset listing
* Remove extensions for unmaintained/obsolete patchlets
* Fix greedy debug grep
* Fix type in manpage
* Fix compile/install error for iptables-xml with DO_MULTI=1
- dropped obsolete patches:
* newlines.diff (included in update)
* shlibs.diff (done by sed in %%prep section)
* extensions.diff
* Wed May 9 2007 prusnak@suse.cz
- added newlines to error messages (newlines.diff) [#271847]
* Tue Mar 13 2007 prusnak@suse.cz
- added initial setting of KERNEL_DIR variable in %%install section of spec file
* Tue Jan 9 2007 prusnak@suse.cz
- added experimental tools and extensions (removed by last update)
* Wed Jan 3 2007 prusnak@suse.cz
- updated to 1.3.7
* Add revision support for ip6tables
* Add port range support for ip6tables multiport match
* Add sctp match extension for ip6tables
* Add iptables-xml tool
* Add hashlimit support for ip6tables (needs kernel > 2.6.19)
* Add NFLOG target extension for iptables/ip6tables (needs kernel > 2.6.19)
* Bugfixes
- updated debian-docs and moved into tar.bz2
* Thu Nov 16 2006 mjancar@suse.cz
- allow setting KERNEL_DIR on commandline for build (#220851)
* Tue Oct 17 2006 anosek@suse.cz
- updated to version 1.3.6
* Support multiple matches of the same type within a single rule
* DCCP/SCTP support for multiport match (needs kernel >= 2.6.18)
* SELinux SECMARK target (needs kernel >= 2.6.18)
* SELinux CONNSECMARK target (needs kernel >= 2.6.18)
* Add support for statistic match (needs kernel >= 2.6.18)
* Optionally read realm values from /etc/iproute2/rt_realms
* Bugfixes
* Wed Feb 1 2006 lnussel@suse.de
- updated to version 1.3.5
* supports ip6tables state and conntrack \o/ (#145758)
* Fri Jan 27 2006 mls@suse.de
- converted neededforbuild to BuildRequires
* Tue Jan 24 2006 schwab@suse.de
- Fix building of shared libraries.
* Tue Jan 17 2006 postadal@suse.cz
- updated policy extension from upstream (policy-1.3.4.patch)
* ported for changes in kernel
* Tue Nov 15 2005 postadal@suse.cz
- updated to version 1.3.4
- added RPM_OPT_FLAGS to CFLAGS
- fixed strict aliasing (strict-aliasing-fix.patch)
* Mon Aug 1 2005 lnussel@suse.de
- add iptables-batch and ip6tables-batch
* Mon Aug 1 2005 postadal@suse.cz
- updated to version 1.3.3
* Wed Jul 27 2005 postadal@suse.cz
- updated to version 1.3.2
* Wed Mar 9 2005 postadal@suse.cz
- updated to version 1.3.1 (bug fixes)
* Thu Feb 17 2005 postadal@suse.cz
- updated to version 1.3.0
- removed obsoleted patch modules-secfix
* Tue Nov 2 2004 postadal@suse.cz
- fixed uninitialised variable [#47850] - CAN-2004-0986
* Tue Aug 17 2004 mludvig@suse.cz
- Fixed mode for extensions/.policy-test6
* Thu Aug 5 2004 mludvig@suse.cz
- Added IPv6 support to the 'policy' match.
* Wed Aug 4 2004 postadal@suse.cz
- updated to version 1.2.11
- removed obsoleted patch clusterip
* Sat Apr 24 2004 lmb@suse.de
- Add support for Cluster IP functionality.
* Wed Apr 21 2004 mludvig@suse.cz
- Added module for IPv6 conntrack from USAGI.
* Wed Mar 24 2004 mludvig@suse.cz
- Added policy module from patch-o-matic
* Fri Feb 6 2004 postadal@suse.cz
- updated to version 1.2.9.
* Sat Jan 10 2004 adrian@suse.de
- add %%defattr
* Wed Jul 23 2003 postadal@suse.cz
- updated to 1.2.8
* Tue Apr 8 2003 schwab@suse.de
- Prefer sanitized kernel headers.
* Thu Sep 5 2002 postadal@suse.cz
- updated to bugfixed 1.2.7a version
* Wed Aug 28 2002 postadal@suse.cz
- added Requires %%{name} = %%{version} to devel package
* Thu Aug 8 2002 nadvornik@suse.cz
- updated to 1.2.7
* Wed Mar 27 2002 postadal@suse.cz
- revert to compile it with kernel headers (#15448)
* Fri Feb 1 2002 nadvornik@suse.cz
- compiled with kernel headers from glibc
* Tue Jan 15 2002 nadvornik@suse.cz
- update to 1.2.5
* Wed Nov 14 2001 nadvornik@suse.cz
- updated to 1.2.4 [bug #12104]
- fixed problems with iptables-save/restore
- iptables-1.2.4.debian.diff.bz2 contains documentation only,
Makefile changes moved to separate patch
* Sat Sep 22 2001 garloff@suse.de
- Fix ipt_string support (compile fix).
* Tue Jul 17 2001 garloff@suse.de
- Update to iptables-1.2.2
- Appply debian patch: mostly docu stuff
- Added COMPILE_EXPERIMENTAL flag to Makefile and pass it from RPM
.spec file to compile and install ip(6)tables-save/restore apps.
* Fri Apr 6 2001 kukuk@suse.de
- changed neededforbuild from lx_suse to kernel-source
* Tue Mar 27 2001 lmuelle@suse.de
- update to 1.2.1a
- add devel package with libipq stuff
- minor spec file cleanup
* Sun Jan 28 2001 olh@suse.de
- update to 1.2, needed for ppc and sparc
* Tue Dec 19 2000 nadvornik@suse.cz
- compiled with lx_suse
* Tue Oct 17 2000 nadvornik@suse.cz
- update to 1.1.2
* Fri Sep 22 2000 ro@suse.de
- up to 1.1.1
* Fri Jun 9 2000 ro@suse.de
- fixed neededforbuild
* Wed Jun 7 2000 nadvornik@suse.cz
- new package 1.1.0

64
iptables.keyring Normal file
View file

@ -0,0 +1,64 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBF+HdQgBEACzteJUJGtj3N6u5mcGh4Nu/9GQfwrrphZuI7jto2N6+ZoURded
660mFLnax7wgIE8ugAa085jwFWbFY3FzGutUs/kDmnqy9WneYNBLIAF3ZTFfY+oi
V1C09bBlHKDj9gSEM2TZ/qU14exKdSloqcMKSdIqLQX27w/D6WmO1crDjOKKN9F2
zjc3uLjo1gIPrY+Kdld29aI0W4gYvNLOo+ewhVC5Q6ymWOdR3eKaP2HIAt8CYf0t
Sx8ChHdBvXQITDmXoGPLTTiCHBoUzaJ/N8m4AZTuSUTr9g3jUNFmL48OrJjFPhHh
KDY0V59id5nPu4RX3fa/XW+4FNlrthA5V9dQSIPh7r7uHynDtkcCHT5m4mn0NqG3
dsUqeYQlrWKCVDTfX/WQB3Rq1tgmOssFG9kZkXcVTmis3KFP1ZAahBRB33OJgSfi
WKc/mWLMEQcljbysbJzq74Vrjg44DNK7vhAXGoR35kjj5saduxTywdb3iZhGXEsg
9zqV0uOIfMQsQJQCZTlkqvZibdB3xlRyiCwqlf1eHB2Vo7efWbRIizX2da4c5xUj
+IL1eSPmTV+52x1dYXpn/cSVKJAROtcSmwvMRyjuGOcTNtir0XHCxC5YYBow6tKR
U1hrFiulCMH80HeS+u/g4SpT4lcv+x0DlN5BfWQuN5k5ZzwKb6EQs092qQARAQAB
tCxOZXRmaWx0ZXIgQ29yZSBUZWFtIDxjb3JldGVhbUBuZXRmaWx0ZXIub3JnPokC
VAQTAQoAPhYhBDfZZKzASYHHVQD7m9Vdl4qKFCDkBQJfh3UIAhsDBQkHhM4ABQsJ
CAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJENVdl4qKFCDk0msQAJTIK8TLHw2IJDc6
+ZfUJc+znSNwskO+A4lwvb1vRY5qFV+CA2S1eUS4HGDWDT0sPKie6Nx4+FBczkWd
RA+eaKDqQeS5Vzc2f0bl74un91h7yE8O2NsVnpL166MnAAk3/ACjHsZX2PzF12F6
4stvGQFpjZRWItj0I6bvPY6CTtqVPB98a6RpdbS9kGxCCMrL3CFGDXGSjXes5KwN
IvngmVB36wjb3QgEtQIv13jrWFfiXeuieqMRyC6Z3KNYVcvis34eGxPFD9MHrK+w
bdw3KzMBJd7hMoVRl32Q13T/PX8H3pqWMqKaL41wHUswRt0IQjNZnRvRnlJ0VDFf
Wep/3dFK+uQbdABuiwCiRli5mWeOMCP+qJodP1OZSGqg0VwZWUGdCGG5+qIhngOj
QVomvJ7N4eRLU3xuPVjLoBeHzvViUPpYtWQ/YiZK5rWTJHhu88xZaysFJRaV+Uz3
wPkeqdArRRXl1Tpy+cKy7D5BZAr7OjT1wboon23IM2DJRurbaHD8blMsjZ07pbvb
4hdpiE6mqq7CYskDz2UGTaFfEW4bFnKtvKTXEnmcqc4mWcr2z9BBYouGmcFczgET
tE02XejmExXV2RPUtXfLuNIbVpuXG1qhzNuXAfm+S/68XDSFrwyK8/Dgq5ga0iIP
n8Uvz12Xu/Qde+NicogLNWF90QJ2iQIzBBABCgAdFiEEwJ2yBj8dcDS6YVKtq0ZV
oSbSkuQFAl+HdTEACgkQq0ZVoSbSkuSrmhAAi64OqYjb2ZbAJbFAPM6pijyys6Y9
o8ZyLoCRCUXNrjWkNIozTgmj5fm0ECrUXKyrB6OJhTvaRXmqLcBwWOAnP1v7wb+S
ZhEwP0n6E1mZW0t1Qt0xX8yifM5Tpvy+757OSrsuoRpXwwz4Ubuc6G4N/McoRSfU
tVUcz3sKF8hcbETD/hVZb9Qfv0ZjQxu8LiBfKfgy2Eg8yExTdO027hYqQc5q2HEp
HRjD2PMyI33V8KqffWn0AkofweOOFxg1ePV5X9M8rYP+k/2gjPkrrvnZgF/4SxDM
FATmHaIbO3zEQg+u2f1mVCZASBBN1MLth7dMOoClHBmxnQ8uapRg9GNxs7TnXmV/
diZZbqLf6i9bW/scvWEIdM8EGKpbGjdWIlgQJTIuz3seB+9zOdq9L3uTQWHnYLid
R3YkyOsBRqQvM7Gb3zYgvlPjZ+L2FeGg5rD/eeLbv+k027E0TSAgtHoSA2pVTDDK
uqCXVKfmk1I0SO83L9teBblxed07LeVaS9/uK00rWM/TM1bwogfF/4ZEsmAWznzv
Xan/QmrYNgK3C3AZ4pMX7pGCGV1w93Fw3tUzaEJeS2LlsiL5aPOF63b/DqM6W2nl
UqGjKTdVLuF+JgoRH5U2wCyHYhDFm+CaFsYUu2Jf5hTmVWOR3anBoXy6Ty8SoV8q
KxtKpmKmIdPhDe65Ag0EX4d1CAEQANJMZApYzeeLrc7Rs6fGDK4Z3ejEST+aq7vO
RT9YEppRBG1QoUDBuNodAFxIWM6SpwvN7X9AZeIML2EOjDabF5Q6RNHbwODyLDYc
wmqtWh0NNpK85fXwDgcLOQW+dPimsk3ni1crXhhjZgs6syb9yM/pDi0Tf7wzNZt0
0p736zlpQPMORfO+mFgac0FVt/GQsTdIwTBzZ36fcV3W8iPH334Sqsatp617R+z+
q2alH8Vynz12iHi2oJFtmTxhghCROPcLWz3XMKv9A7BfuZeE0k+pK7xnBKrpZzKU
k1j2uzTKzV2Bquo5HNDsy9PgQn16BlXVrxdHfQnBz2w67aHMKnPD/v+K81oxtnuk
pwBAT8Wovkyy1VTLhQH5F0y5bpQrVH/Lwq0/q421hfD3iPHtb2tC1heT9ze/sqkY
plctFb81fx3o8xcBpvuIaTB3URptf8JNvh5KjETZFMQvAddq8oYovoKu+Z/585uC
qwO0Fohpw9qRwmhq7UBvGDVAVgo6kKjMW2Z9U3OnfggrDCytCIZh8eLNagfRL2cu
iq8Sx+cGGt1zoCPhjDN1MaNt/KHm8Gxr+lP+RxH3Et3pEX6mmhSCaU4wr0W5Bf3p
jEtiOwnqajisBQCHh49OGiV8Vg9uQN5GpLpPpbvnGS4vq8jdj6p3gsiS2F7JMy7O
ysBENBkXABEBAAGJAjwEGAEKACYWIQQ32WSswEmBx1UA+5vVXZeKihQg5AUCX4d1
CAIbDAUJB4TOAAAKCRDVXZeKihQg5NMIEACBdwXwDMRB8rQeqNrhbh7pjbHHFmag
8bPvkmCq/gYGx9MQEKFUFtEGNSBh6m5pXr9hJ9HD2V16q9ERbuBcA6wosz4efQFB
bbage7ZSECCN+xMLirQGRVbTozu2eS8FXedH0X9f0JWLDGWwRg+pAqSOtuFjHhYM
jVpwbH/s71BhH84x5RgWezh2BWLbP3UuY7JtWNAvAaeo53Js2dzzgjDopPis4qZR
rLR9cTGjqa6ZTc/PlLfaCsm6rGBlNx/bFJjz75+yn7vMQa47fOBt4qfriHX7G/Tg
3s8xsQSLEm3IBEYh27hoc9ZD45EXgm9ZiGA21t9v1jA27yTVaUrPbC40iDv/CMcQ
7N2Y1sJRvmrd+2pKxtNNutujjwgBguo5bKK253R5Hy0a+NzK2LSc/GmR8EJJEwW1
7r6road7Ss6YImCZExeY+CAW0FEzwQpmqfOdlusvIyk4x4r12JH8Q8NWHMzU3Ym/
yqdopn/SCwCfXJsL4/eHLCaWuyiWjljNa7MwPDITx2ZPRE5QEqCqi4gaDWXyVHt8
leGE1G3zoXNJogWhDswh105UnlZEEfOvbHbaxgWPjLV/xkuHhVlaqdyXbTExrgK6
U2wevNS03dBuQ6bjNIbMIt9ulbiBV8MJWR0PZtnNJ958f1QXC4GT+L3FG1g5Jtz+
rlbu70nh2kSJrg==
=wukb
-----END PGP PUBLIC KEY BLOCK-----

319
iptables.spec Normal file
View file

@ -0,0 +1,319 @@
#
# spec file for package iptables
#
# Copyright (c) 2022-2023 ZhuningOS
#
Name: iptables
Version: 1.8.7
Release: 1.1
Summary: IP packet filter administration utilities
License: GPL-2.0-only AND Artistic-2.0
Group: Productivity/Networking/Security
URL: https://netfilter.org/projects/iptables/
#Git-Clone: git://git.netfilter.org/iptables
Source: https://netfilter.org/projects/iptables/files/%name-%version.tar.bz2
Source2: https://netfilter.org/projects/iptables/files/%name-%version.tar.bz2.sig
Source3: %name.keyring
Patch1: iptables-batch.patch
Patch2: iptables-batch-lock.patch
Patch3: iptables-1.8.2-dont_read_garbage.patch
BuildRequires: bison
BuildRequires: fdupes
BuildRequires: flex >= 2.5.33
BuildRequires: libtool
BuildRequires: pkg-config >= 0.21
BuildRequires: xz
BuildRequires: pkgconfig(libmnl) >= 1.0
BuildRequires: pkgconfig(libnetfilter_conntrack) >= 1.0.4
BuildRequires: pkgconfig(libnfnetlink) >= 1.0.0
BuildRequires: pkgconfig(libnftnl) >= 1.1.6
Requires: netcfg >= 11.6
Requires: xtables-plugins = %version-%release
Requires(post): update-alternatives
Requires(postun): update-alternatives
# During the update to iptables 1.8, ip6tables-restore-translate, ip6tables-translate,
# iptables-restore-translate and iptables-translate were moved from iptables-nft subpackage
# (now iptables-backend-nft) to the main package so we need to add a conflict here otherwise
# we hit file conflicts error during the update
Conflicts: iptables-nft = 1.6.2
%description
iptables is used to set up, maintain, and inspect the rule tables of
the various Netfilter packet filter engines inside the Linux kernel.
%package backend-nft
Summary: Metapackage to make nft the default backend for iptables/arptables/ebtables
Group: Productivity/Networking/Security
Requires: iptables >= 1.8.0
Requires(post): update-alternatives
Requires(postun): update-alternatives
Provides: iptables-nft = %{version}-%{release}
Obsoletes: iptables-nft < %{version}-%{release}
%description backend-nft
Installation of this package adds higher priority alternatives (cf.
update-alternatives) that makes the iptables, ip6tables, arptables
and ebtables commands point to a program variant that uses the
nftables kernel interface.
%package -n xtables-plugins
Summary: Match and target extension plugins for iptables
Group: Productivity/Networking/Security
Conflicts: iptables < 1.4.18
%description -n xtables-plugins
Match and Target Extension plugins for iptables.
%package -n libipq0
Summary: Library to interface with the (old) ip_queue kernel mechanism
Group: System/Libraries
%description -n libipq0
The Netfilter project provides a mechanism (ip_queue) for passing
packets out of the stack for queueing to userspace, then receiving
these packets back into the kernel with a verdict specifying what to
do with the packets (such as ACCEPT or DROP). These packets may also
be modified in userspace prior to reinjection back into the kernel.
ip_queue/libipq is obsoleted by nf_queue/libnetfilter_queue!
%package -n libipq-devel
Summary: Development files for the ip_queue kernel mechanism
Group: Development/Libraries/C and C++
Requires: libipq0 = %version
%description -n libipq-devel
The Netfilter project provides a mechanism (ip_queue) for passing
packets out of the stack for queueing to userspace, then receiving
these packets back into the kernel with a verdict specifying what to
do with the packets (such as ACCEPT or DROP). These packets may also
be modified in userspace prior to reinjection back into the kernel.
ip_queue/libipq is obsoleted by nf_queue/libnetfilter_queue!
%package -n libip4tc2
Summary: Library for the ip_tables low-level ruleset generation and parsing (IPv4)
Group: System/Libraries
%description -n libip4tc2
libiptc ("iptables cache") is used to retrieve from the kernel, parse,
construct, and load rulesets into the kernel.
This package contains the iptc IPv4 API.
%package -n libip6tc2
Summary: Library for the ip_tables low-level ruleset generation and parsing (IPv6)
Group: System/Libraries
%description -n libip6tc2
libiptc ("iptables cache") is used to retrieve from the kernel, parse,
construct, and load rulesets into the kernel.
This package contains the iptc IPv6 API.
%package -n libiptc-devel
Summary: Development files for libiptc, a packet filter ruleset library
Group: Development/Libraries/C and C++
Requires: libip4tc2 = %version
Requires: libip6tc2 = %version
%description -n libiptc-devel
libiptc ("iptables cache") is used to retrieve from the kernel, parse,
construct, and load rulesets into the kernel.
%package -n libxtables12
Summary: The iptables plugin interface
Group: System/Libraries
%description -n libxtables12
This library contains all the iptables code shared between iptables,
ip6tables, their extensions, and for external integration for e.g.
iproute2's m_xt.
%package -n libxtables-devel
Summary: Headers and manpages for iptables
Group: Development/Libraries/C and C++
Requires: libxtables12 = %version
%description -n libxtables-devel
This library contains all the iptables code shared between iptables,
ip6tables, their extensions, and for external integration for e.g.
Link your extension (iptables plugins) with $(pkg-config xtables
--libs) and place the plugin in the directory given by $(pkg-config
xtables --variable=xtlibdir).
%prep
%autosetup -p1
%build
# We have the iptables-batch patch, so always regenerate.
./autogen.sh
# bnc#561793 - do not include unclean module in iptables manpage
rm -f extensions/libipt_unclean.man
# includedir is overriden on purpose to detect projects that
# fail to include libxtables_CFLAGS
%configure --includedir="%_includedir/%name" --enable-libipq
make %{?_smp_mflags} V=1
%install
%make_install
b="%buildroot"
# no contents and is unused; proposed for removal upstream
rm -f "$b/%_libdir/"libiptc.so*
# iptables-apply is not installed by upstream Makefile
install -m0755 iptables/iptables-apply "$b/%_sbindir/"
rm -f "$b/%_libdir"/*.la
rm -f "$b/%_sysconfdir/ethertypes" # -> netcfg
for i in iptables iptables-restore iptables-save ip6tables ip6tables-restore \
ip6tables-save arptables arptables-restore arptables-save ebtables \
ebtables-restore ebtables-save; do
ln -fsv "/etc/alternatives/$i" "$b/%_sbindir/$i"
done
%if 0%{?suse_version}
%fdupes %buildroot/%_prefix
%endif
%post
update-alternatives \
--install "%_sbindir/iptables" iptables "%_sbindir/xtables-legacy-multi" 1 \
--slave "%_sbindir/iptables-restore" iptables-restore "%_sbindir/xtables-legacy-multi" \
--slave "%_sbindir/iptables-save" iptables-save "%_sbindir/xtables-legacy-multi" \
--slave "%_sbindir/ip6tables" ip6tables "%_sbindir/xtables-legacy-multi" \
--slave "%_sbindir/ip6tables-restore" ip6tables-restore "%_sbindir/xtables-legacy-multi" \
--slave "%_sbindir/ip6tables-save" ip6tables-save "%_sbindir/xtables-legacy-multi"
%postun
if test "$1" = 0; then
update-alternatives --remove iptables "%_sbindir/xtables-legacy-multi"
fi
%post backend-nft
update-alternatives \
--install "%_sbindir/iptables" iptables "%_sbindir/xtables-nft-multi" 2 \
--slave "%_sbindir/iptables-restore" iptables-restore "%_sbindir/xtables-nft-multi" \
--slave "%_sbindir/iptables-save" iptables-save "%_sbindir/xtables-nft-multi" \
--slave "%_sbindir/ip6tables" ip6tables "%_sbindir/xtables-nft-multi" \
--slave "%_sbindir/ip6tables-restore" ip6tables-restore "%_sbindir/xtables-nft-multi" \
--slave "%_sbindir/ip6tables-save" ip6tables-save "%_sbindir/xtables-nft-multi"
update-alternatives --install "%_sbindir/arptables" arptables "%_sbindir/xtables-nft-multi" 2 \
--slave "%_sbindir/arptables-restore" arptables-restore "%_sbindir/xtables-nft-multi" \
--slave "%_sbindir/arptables-save" arptables-save "%_sbindir/xtables-nft-multi"
update-alternatives --install "%_sbindir/ebtables" ebtables "%_sbindir/xtables-nft-multi" 2 \
--slave "%_sbindir/ebtables-restore" ebtables-restore "%_sbindir/xtables-nft-multi" \
--slave "%_sbindir/ebtables-save" ebtables-save "%_sbindir/xtables-nft-multi"
%postun backend-nft
if test "$1" = 0; then
update-alternatives --remove iptables "%_sbindir/xtables-nft-multi"
update-alternatives --remove arptables "%_sbindir/xtables-nft-multi"
update-alternatives --remove ebtables "%_sbindir/xtables-nft-multi"
fi
%post -n libipq0 -p /sbin/ldconfig
%postun -n libipq0 -p /sbin/ldconfig
%post -n libip4tc2 -p /sbin/ldconfig
%postun -n libip4tc2 -p /sbin/ldconfig
%post -n libip6tc2 -p /sbin/ldconfig
%postun -n libip6tc2 -p /sbin/ldconfig
%post -n libxtables12 -p /sbin/ldconfig
%postun -n libxtables12 -p /sbin/ldconfig
%files
%license COPYING
%_bindir/iptables-xml
%_sbindir/iptables-apply
%_sbindir/iptables-legacy*
%_sbindir/iptables-nft*
%_sbindir/iptables-*translate*
%_sbindir/ip6tables-apply
%_sbindir/ip6tables-legacy*
%_sbindir/ip6tables-nft*
%_sbindir/ip6tables-*translate*
%_sbindir/arptables-nft*
%_sbindir/ebtables-nft*
%_sbindir/xtables*
%_mandir/man1/*tables*
%_mandir/man8/*tables*
# backend-legacy (implicit)
%ghost %_sysconfdir/alternatives/iptables
%ghost %_sysconfdir/alternatives/iptables-restore
%ghost %_sysconfdir/alternatives/iptables-save
%ghost %_sysconfdir/alternatives/ip6tables
%ghost %_sysconfdir/alternatives/ip6tables-restore
%ghost %_sysconfdir/alternatives/ip6tables-save
%_sbindir/iptables
%_sbindir/iptables-restore
%_sbindir/iptables-save
%_sbindir/ip6tables
%_sbindir/ip6tables-restore
%_sbindir/ip6tables-save
%files backend-nft
%ghost %_sysconfdir/alternatives/iptables
%ghost %_sysconfdir/alternatives/iptables-restore
%ghost %_sysconfdir/alternatives/iptables-save
%ghost %_sysconfdir/alternatives/ip6tables
%ghost %_sysconfdir/alternatives/ip6tables-restore
%ghost %_sysconfdir/alternatives/ip6tables-save
%ghost %_sysconfdir/alternatives/arptables
%ghost %_sysconfdir/alternatives/arptables-restore
%ghost %_sysconfdir/alternatives/arptables-save
%ghost %_sysconfdir/alternatives/ebtables
%ghost %_sysconfdir/alternatives/ebtables-restore
%ghost %_sysconfdir/alternatives/ebtables-save
%_sbindir/iptables
%_sbindir/iptables-restore
%_sbindir/iptables-save
%_sbindir/ip6tables
%_sbindir/ip6tables-restore
%_sbindir/ip6tables-save
%_sbindir/arptables
%_sbindir/arptables-restore
%_sbindir/arptables-save
%_sbindir/ebtables
%_sbindir/ebtables-restore
%_sbindir/ebtables-save
%files -n xtables-plugins
%_libdir/xtables/
%_sbindir/nfnl_osf
%_mandir/man8/nfnl_osf.8*
%_datadir/xtables/
%files -n libipq0
%_libdir/libipq.so.0*
%files -n libipq-devel
%doc %_mandir/man3/libipq*
%doc %_mandir/man3/ipq*
%dir %_includedir/%name/
%_includedir/%name/libipq*
%_libdir/libipq.so
%_libdir/pkgconfig/libipq.pc
%files -n libip4tc2
%_libdir/libip4tc.so.2*
%files -n libip6tc2
%_libdir/libip6tc.so.2*
%files -n libiptc-devel
%dir %_includedir/%name/
%_includedir/%name/libiptc*
%_libdir/libip*tc.so
%_libdir/pkgconfig/libip*tc.pc
%files -n libxtables12
%_libdir/libxtables.so.12*
%files -n libxtables-devel
%dir %_includedir/%name/
%_includedir/%name/xtables.h
%_includedir/%name/xtables-version.h
%_libdir/libxtables.so
%_libdir/pkgconfig/xtables.pc
%changelog