Initialize for nftables

.gitignore

@@ -0,0 +1 @@
+nftables-0.9.8.tar.bz2

.nftables.metadata

@@ -0,0 +1 @@
+4f5ccaf16f3533f9c045867efd1580d1c6c29c9e31f0575e63da600f6c924d97 nftables-0.9.8.tar.bz2

0001-cache-check-for-NULL-chain-in-cache_init.patch

@@ -0,0 +1,33 @@
+From 6b7b7d5d219dca4465390f4a69096383d17782d3 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Thu, 1 Apr 2021 23:15:02 +0200
+Subject: [PATCH] cache: check for NULL chain in cache_init()
+
+Another process might race to add chains after chain_cache_init().
+The generation check does not help since it comes after cache_init().
+NLM_F_DUMP_INTR only guarantees consistency within one single netlink
+dump operation, so it does not help either (cache population requires
+several netlink dump commands).
+
+Let's be safe and do not assume the chain exists in the cache when
+populating the rule cache.
+
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ src/rule.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+Index: nftables-0.9.8/src/rule.c
+===================================================================
+--- nftables-0.9.8.orig/src/rule.c
++++ nftables-0.9.8/src/rule.c
+@@ -205,6 +205,9 @@ static int cache_init_objects(struct net
+ 				if (!chain)
+ 					chain = chain_binding_lookup(table,
+ 							rule->handle.chain.name);
++				if (!chain) {
++					return -1;
++				}
+ 				list_move_tail(&rule->list, &chain->rules);
+ 			}
+ 			if (ret < 0)

0001-evaluate-reject-support-ethernet-as-L2-protocol-for-.patch

@@ -0,0 +1,81 @@
+From 0379244930035b3bff95281a58fa7efd7e50dd51 Mon Sep 17 00:00:00 2001
+From: Jeremy Sowden <jeremy@azazel.net>
+Date: Sat, 11 Dec 2021 18:55:25 +0000
+Subject: [PATCH] evaluate: reject: support ethernet as L2 protocol for inet
+ table
+
+When we are evaluating a `reject` statement in the `inet` family, we may
+have `ether` and `ip` or `ip6` as the L2 and L3 protocols in the
+evaluation context:
+
+  table inet filter {
+    chain input {
+      type filter hook input priority filter;
+      ether saddr aa:bb:cc:dd:ee:ff ip daddr 192.168.0.1 reject
+    }
+  }
+
+Since no `reject` option is given, nft attempts to infer one and fails:
+
+  BUG: unsupported familynft: evaluate.c:2766:stmt_evaluate_reject_inet_family: Assertion `0' failed.
+  Aborted
+
+The reason it fails is that the ethernet protocol numbers for IPv4 and
+IPv6 (`ETH_P_IP` and `ETH_P_IPV6`) do not match `NFPROTO_IPV4` and
+`NFPROTO_IPV6`.  Add support for the ethernet protocol numbers.
+
+Replace the current `BUG("unsupported family")` error message with
+something more informative that tells the user to provide an explicit
+reject option.
+
+Add a Python test case.
+
+Fixes: 5fdd0b6a0600 ("nft: complete reject support")
+Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001360
+Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ src/evaluate.c                      |  7 +++++-
+ 4 files changed, 52 insertions(+), 1 deletion(-)
+
+diff --git a/src/evaluate.c b/src/evaluate.c
+index 4d4dcc2e..8edefbd1 100644
+--- a/src/evaluate.c
++++ b/src/evaluate.c
+@@ -2751,19 +2751,22 @@ static int stmt_evaluate_reject_inet_family(struct eval_ctx *ctx,
+ 		protocol = proto_find_num(base, desc);
+ 		switch (protocol) {
+ 		case NFPROTO_IPV4:
++		case __constant_htons(ETH_P_IP):
+ 			if (stmt->reject.family == NFPROTO_IPV4)
+ 				break;
+ 			return stmt_binary_error(ctx, stmt->reject.expr,
+ 				  &ctx->pctx.protocol[PROTO_BASE_NETWORK_HDR],
+ 				  "conflicting protocols specified: ip vs ip6");
+ 		case NFPROTO_IPV6:
++		case __constant_htons(ETH_P_IPV6):
+ 			if (stmt->reject.family == NFPROTO_IPV6)
+ 				break;
+ 			return stmt_binary_error(ctx, stmt->reject.expr,
+ 				  &ctx->pctx.protocol[PROTO_BASE_NETWORK_HDR],
+ 				  "conflicting protocols specified: ip vs ip6");
+ 		default:
+-			BUG("unsupported family");
++			return stmt_error(ctx, stmt,
++				  "cannot infer ICMP reject variant to use: explicit value required.\n");
+ 		}
+ 		break;
+ 	}
+@@ -2923,10 +2926,12 @@ static int stmt_evaluate_reject_default(struct eval_ctx *ctx,
+ 		protocol = proto_find_num(base, desc);
+ 		switch (protocol) {
+ 		case NFPROTO_IPV4:
++		case __constant_htons(ETH_P_IP):
+ 			stmt->reject.family = NFPROTO_IPV4;
+ 			stmt->reject.icmp_code = ICMP_PORT_UNREACH;
+ 			break;
+ 		case NFPROTO_IPV6:
++		case __constant_htons(ETH_P_IPV6):
+ 			stmt->reject.family = NFPROTO_IPV6;
+ 			stmt->reject.icmp_code = ICMP6_DST_UNREACH_NOPORT;
+ 			break;

nftables.changes

@@ -0,0 +1,194 @@
+* Tue Jan 30 2024 matthias.gerstner@suse.com
+- port python-single-spec logic from Factory package to allow shipment of
+  python311 modules as well (bsc#1219253).
+* Tue Apr 25 2023 matthias.gerstner@suse.com
+- add 0001-evaluate-reject-support-ethernet-as-L2-protocol-for-.patch: this
+  fixes a crash in nftables if layer2 reject rules are processed (e.g.
+  Ethernet MAC address based reject rich rule in firewalld, bsc#1210773).
+* Mon May  2 2022 matthias.gerstner@suse.com
+- add 0001-cache-check-for-NULL-chain-in-cache_init.patch: this fixes rare
+  crashes that could occur e.g. in firewalld (bsc#1197606).
+* Fri Jan 15 2021 jengelh@inai.de
+- Update to release 0.9.8
+  * Complete support for matching ICMP header content fields.
+  * Added raw tcp option match support.
+  * Added ability to check for the presence of any tcp option.
+  * Support for rejecting traffic from the ingress chain.
+* Tue Oct 27 2020 jengelh@inai.de
+- Update to release 0.9.7
+  * Support for implicit chains
+  * Support for ingress inet chains
+  * Support for reject from prerouting chain
+  * Support for --terse option in json
+  * Support for the reset command with json
+* Tue Jun 16 2020 jengelh@inai.de
+- Update to release 0.9.6
+  * Fix two ASAN runtime errors
+* Sat Jun  6 2020 jengelh@inai.de
+- Update to release 0.9.5
+  * Support for set counters.
+  * Support for restoring set element counters via nft -f.
+  * Counter support for flowtables.
+  * typeof concatenations support for sets.
+  * Support for concatenated ranges in anonymous sets.
+  * Allow to reject packets with 802.1q from the bridge family.
+  * Support for matching on the conntrack ID.
+- Drop anonset-crashfix.patch (upstream solved differently)
+* Thu May  7 2020 jengelh@inai.de
+- Add anonset-crashfix.patch [boo#1171321]
+* Wed Apr  1 2020 jengelh@inai.de
+- Update to release 0.9.4
+  * Add a helper for concat expression handling.
+  * Add "typeof" build/parse/print support.
+* Mon Dec  9 2019 jengelh@inai.de
+- Add json, python [boo#1158723]
+* Tue Dec  3 2019 jengelh@inai.de
+- Update to release 0.9.3
+  * meta: Introduce new conditions "time", "day" and "hour".
+  * src: add ability to set/get secmarks to/from connection.
+  * flowtable: add support for named flowtable listing.
+  * flowtable: add support for delete command by handle.
+  * json: add support for element deletion.
+  * Add `-T` as the short option for `--numeric-time`.
+  * meta: add ibrpvid and ibrvproto support
+* Mon Aug 19 2019 jengelh@inai.de
+- Update to new upstream release 0.9.2
+  * Transport header port matching, e.g. "th dport 53"
+  * Support for matching on IPv4 options
+  * Support for synproxy
+* Sat Jan 19 2019 stefan.bruens@rwth-aachen.de
+- Remove unused dblatex BuildRequires, only needed for the optional
+  and disabled PDF generation (same contents as shipped manpage).
+* Sat Jun  9 2018 jengelh@inai.de
+- Update to new upstream release 0.9.0
+  * Support to check if packet matches an existing socket.
+  * Support to limit number of active connections by arbitrary
+    criteria, such as ip addresses, networks, conntrack zones or
+    any combination thereof.
+  * Added support for "audit" logging.
+* Fri May 11 2018 jengelh@inai.de
+- Update to new upstream release 0.8.5
+  * support to add/insert a rule at a given index position
+  * meter statement now supports a configureable upper max size
+  * timeouts for sets can now be specified in milliseconds
+  * re-add iptables-like empty skeleton rulesets
+* Wed May  2 2018 jengelh@inai.de
+- Update to new upstream release 0.8.4
+  * Support to match IPv6 segment routing headers.
+  * New "meta ibrname" and "meta obrname" arguments to match the
+    name of the logical bridge a packet is passing through.
+    These new names replace the old (misnamed) "ibriport"/"obriport".
+  * `nft -a` will now show handle identifier for all objects,
+    including tables and chains.
+  * nft can now delete objects by their handle number.
+  * Support to update maps from the ruleset (packet path).
+  * the "--echo" option now prints handle id for tables and
+    object too.
+  * `nft -f -` will now read from standard input
+  * Support for flow tables, cf. man page or
+    https://lwn.net/Articles/738214/ .
+* Sat Mar  3 2018 jengelh@inai.de
+- Update to new upstream release 0.8.3
+  * raw payload support to match headers that do not yet have
+    received a mnemonic.
+* Sat Feb  3 2018 jengelh@inai.de
+- Update to new upstream release 0.8.2
+  * add secpath support
+* Tue Jan 16 2018 jengelh@inai.de
+- Update to new upstream release 0.8.1
+  * This release deprecates the "flow table" syntax in favor
+    of "meter".
+* Fri Oct 13 2017 jengelh@inai.de
+- Update to new upstream release 0.8
+  * This release contains new features available up to the
+    (upcoming) Linux 4.14 kernel release:
+  * Support for stateful objects, these objects are uniquely
+    identified by a user-defined name, you can refer to them from
+    rules, and there is a well established interface to operate
+    with them.
+  * Sort set elements when listing them, from lower to largest.
+  * TCP option matching and mangling support. This includes TCP
+    maximum segment size mangling.
+  * Add new "-s" option for listings without stateful information.
+  * Add new -c/--check option for nft, to tests if your ruleset
+    loads fine, into the kernel, this is a dry run mode.
+  * Connection tracking helper support.
+  * Add --echo option, to print the handle that the kernel
+    allocates to uniquely identify rules.
+  * Conntrack zone support
+  * Symmetric hash support
+  * Add support to include directories from nft natives scripts,
+    files are loaded in alphanumerical order.
+  * Allow to check if IPv6 extension header or TCP option exists
+    or is missing.
+  * Extend quota support to display used bytes.
+  * Add ct average matching, to match average bytes per packet a
+    connection has transferred so far, to map the existing
+    feature available in the iptables connbytes match.
+  * Allow to flush maps and flow tables.
+  * Allow to embed set definition into an existing set.
+  * Conntrack event filtering support via rule.
+* Tue Dec 20 2016 jengelh@inai.de
+- Update to new upstream release 0.7
+  * Add new fib expression, which can be used to obtain the
+    output interface from the route table based on either source
+    or destination address of a packet.
+  * Support hashing of any arbitrary key combination, eg.
+  * Add number generation support. Useful for round-robin packet
+    mark setting.
+  * Add quota support, eg.
+  * Introduce routing expression, for routing related data with
+    support for nexthop
+  * Notrack support, to explicitly skip connection tracking for
+    matching packets.
+  * Support to set non-byte bound packet header fields, including
+    checksum adjustment.
+  * Add 'create set' and 'create element' commands.
+  * Allow to use variable reference for set element definitions.
+  * Allow to use variable definitions from element commands.
+  * Add support to flush set. You can use this new command to
+    remove all existing elements in a set.
+  * Inverted set lookups.
+  * Honor absolute and relative paths via include file, where:
+  * Support log flags, to enable logging TCP sequence and options.
+  * tc classid parser support, eg.
+  * Allow numeric connlabels, so if connlabel still works with
+    undefined labels.
+* Thu Jun  2 2016 jengelh@inai.de
+- Update to new upstream release 0.6
+  * Rules may be replaced now
+  * Flow table support (requires Linux >= 4.3)
+  * Support for tracing
+  * Ratelimiting now supports units like bytes/second.
+  * Matchinv VLAN IDs, DSCP/ECN, ICMP RtAdv & RtSol
+* Thu Sep 17 2015 jengelh@inai.de
+- Update to new upstream release 0.5
+  * Support combinations of two or more selectors to build a tuple
+  * Timeout support for sets
+  * Dormant flag for tables
+  * Default chain policy specifiable on creation
+* Sat May 23 2015 mrueckert@suse.de
+- set the url to the project page
+- pass --disable-silent-rules to configure to allow gcc post build
+  check to work
+* Tue Dec 16 2014 jengelh@inai.de
+- Update to new upstream release 0.4
+  * Since Linux 3.18: support for global ruleset operations
+  * Since 3.17: full logging support for all the families,
+  including nfnetlink_log
+  * 3.16: automatic selection of the optimal set implementation
+  * 3.14: reject support for ip, ip6 and inet
+  * 3.18: reject support for bridge, and reject icmpx abstraction
+  * 3.18: masquerade support
+  * 3.19: redirect support
+  * Extend meta to support pkttype, cpu and devgroup matching.
+* Fri Jun 27 2014 jengelh@inai.de
+- Update to new upstream release 0.3
+  * More compact syntax for the queue action
+  * Match input and output bridge interface name through "meta
+  ibriport" and "meta obriport"
+  * netlink event monitor, to monitor ruleset events, set changes, etc.
+  * New transaction infrastructure - fully atomic updates for all
+  object available in the upcoming 3.16.
+* Mon Jan 13 2014 jengelh@inai.de
+- Initial package for build.opensuse.org

nftables.keyring

@@ -0,0 +1,64 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBF+HdQgBEACzteJUJGtj3N6u5mcGh4Nu/9GQfwrrphZuI7jto2N6+ZoURded
+660mFLnax7wgIE8ugAa085jwFWbFY3FzGutUs/kDmnqy9WneYNBLIAF3ZTFfY+oi
+V1C09bBlHKDj9gSEM2TZ/qU14exKdSloqcMKSdIqLQX27w/D6WmO1crDjOKKN9F2
+zjc3uLjo1gIPrY+Kdld29aI0W4gYvNLOo+ewhVC5Q6ymWOdR3eKaP2HIAt8CYf0t
+Sx8ChHdBvXQITDmXoGPLTTiCHBoUzaJ/N8m4AZTuSUTr9g3jUNFmL48OrJjFPhHh
+KDY0V59id5nPu4RX3fa/XW+4FNlrthA5V9dQSIPh7r7uHynDtkcCHT5m4mn0NqG3
+dsUqeYQlrWKCVDTfX/WQB3Rq1tgmOssFG9kZkXcVTmis3KFP1ZAahBRB33OJgSfi
+WKc/mWLMEQcljbysbJzq74Vrjg44DNK7vhAXGoR35kjj5saduxTywdb3iZhGXEsg
+9zqV0uOIfMQsQJQCZTlkqvZibdB3xlRyiCwqlf1eHB2Vo7efWbRIizX2da4c5xUj
++IL1eSPmTV+52x1dYXpn/cSVKJAROtcSmwvMRyjuGOcTNtir0XHCxC5YYBow6tKR
+U1hrFiulCMH80HeS+u/g4SpT4lcv+x0DlN5BfWQuN5k5ZzwKb6EQs092qQARAQAB
+tCxOZXRmaWx0ZXIgQ29yZSBUZWFtIDxjb3JldGVhbUBuZXRmaWx0ZXIub3JnPokC
+VAQTAQoAPhYhBDfZZKzASYHHVQD7m9Vdl4qKFCDkBQJfh3UIAhsDBQkHhM4ABQsJ
+CAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJENVdl4qKFCDk0msQAJTIK8TLHw2IJDc6
++ZfUJc+znSNwskO+A4lwvb1vRY5qFV+CA2S1eUS4HGDWDT0sPKie6Nx4+FBczkWd
+RA+eaKDqQeS5Vzc2f0bl74un91h7yE8O2NsVnpL166MnAAk3/ACjHsZX2PzF12F6
+4stvGQFpjZRWItj0I6bvPY6CTtqVPB98a6RpdbS9kGxCCMrL3CFGDXGSjXes5KwN
+IvngmVB36wjb3QgEtQIv13jrWFfiXeuieqMRyC6Z3KNYVcvis34eGxPFD9MHrK+w
+bdw3KzMBJd7hMoVRl32Q13T/PX8H3pqWMqKaL41wHUswRt0IQjNZnRvRnlJ0VDFf
+Wep/3dFK+uQbdABuiwCiRli5mWeOMCP+qJodP1OZSGqg0VwZWUGdCGG5+qIhngOj
+QVomvJ7N4eRLU3xuPVjLoBeHzvViUPpYtWQ/YiZK5rWTJHhu88xZaysFJRaV+Uz3
+wPkeqdArRRXl1Tpy+cKy7D5BZAr7OjT1wboon23IM2DJRurbaHD8blMsjZ07pbvb
+4hdpiE6mqq7CYskDz2UGTaFfEW4bFnKtvKTXEnmcqc4mWcr2z9BBYouGmcFczgET
+tE02XejmExXV2RPUtXfLuNIbVpuXG1qhzNuXAfm+S/68XDSFrwyK8/Dgq5ga0iIP
+n8Uvz12Xu/Qde+NicogLNWF90QJ2iQIzBBABCgAdFiEEwJ2yBj8dcDS6YVKtq0ZV
+oSbSkuQFAl+HdTEACgkQq0ZVoSbSkuSrmhAAi64OqYjb2ZbAJbFAPM6pijyys6Y9
+o8ZyLoCRCUXNrjWkNIozTgmj5fm0ECrUXKyrB6OJhTvaRXmqLcBwWOAnP1v7wb+S
+ZhEwP0n6E1mZW0t1Qt0xX8yifM5Tpvy+757OSrsuoRpXwwz4Ubuc6G4N/McoRSfU
+tVUcz3sKF8hcbETD/hVZb9Qfv0ZjQxu8LiBfKfgy2Eg8yExTdO027hYqQc5q2HEp
+HRjD2PMyI33V8KqffWn0AkofweOOFxg1ePV5X9M8rYP+k/2gjPkrrvnZgF/4SxDM
+FATmHaIbO3zEQg+u2f1mVCZASBBN1MLth7dMOoClHBmxnQ8uapRg9GNxs7TnXmV/
+diZZbqLf6i9bW/scvWEIdM8EGKpbGjdWIlgQJTIuz3seB+9zOdq9L3uTQWHnYLid
+R3YkyOsBRqQvM7Gb3zYgvlPjZ+L2FeGg5rD/eeLbv+k027E0TSAgtHoSA2pVTDDK
+uqCXVKfmk1I0SO83L9teBblxed07LeVaS9/uK00rWM/TM1bwogfF/4ZEsmAWznzv
+Xan/QmrYNgK3C3AZ4pMX7pGCGV1w93Fw3tUzaEJeS2LlsiL5aPOF63b/DqM6W2nl
+UqGjKTdVLuF+JgoRH5U2wCyHYhDFm+CaFsYUu2Jf5hTmVWOR3anBoXy6Ty8SoV8q
+KxtKpmKmIdPhDe65Ag0EX4d1CAEQANJMZApYzeeLrc7Rs6fGDK4Z3ejEST+aq7vO
+RT9YEppRBG1QoUDBuNodAFxIWM6SpwvN7X9AZeIML2EOjDabF5Q6RNHbwODyLDYc
+wmqtWh0NNpK85fXwDgcLOQW+dPimsk3ni1crXhhjZgs6syb9yM/pDi0Tf7wzNZt0
+0p736zlpQPMORfO+mFgac0FVt/GQsTdIwTBzZ36fcV3W8iPH334Sqsatp617R+z+
+q2alH8Vynz12iHi2oJFtmTxhghCROPcLWz3XMKv9A7BfuZeE0k+pK7xnBKrpZzKU
+k1j2uzTKzV2Bquo5HNDsy9PgQn16BlXVrxdHfQnBz2w67aHMKnPD/v+K81oxtnuk
+pwBAT8Wovkyy1VTLhQH5F0y5bpQrVH/Lwq0/q421hfD3iPHtb2tC1heT9ze/sqkY
+plctFb81fx3o8xcBpvuIaTB3URptf8JNvh5KjETZFMQvAddq8oYovoKu+Z/585uC
+qwO0Fohpw9qRwmhq7UBvGDVAVgo6kKjMW2Z9U3OnfggrDCytCIZh8eLNagfRL2cu
+iq8Sx+cGGt1zoCPhjDN1MaNt/KHm8Gxr+lP+RxH3Et3pEX6mmhSCaU4wr0W5Bf3p
+jEtiOwnqajisBQCHh49OGiV8Vg9uQN5GpLpPpbvnGS4vq8jdj6p3gsiS2F7JMy7O
+ysBENBkXABEBAAGJAjwEGAEKACYWIQQ32WSswEmBx1UA+5vVXZeKihQg5AUCX4d1
+CAIbDAUJB4TOAAAKCRDVXZeKihQg5NMIEACBdwXwDMRB8rQeqNrhbh7pjbHHFmag
+8bPvkmCq/gYGx9MQEKFUFtEGNSBh6m5pXr9hJ9HD2V16q9ERbuBcA6wosz4efQFB
+bbage7ZSECCN+xMLirQGRVbTozu2eS8FXedH0X9f0JWLDGWwRg+pAqSOtuFjHhYM
+jVpwbH/s71BhH84x5RgWezh2BWLbP3UuY7JtWNAvAaeo53Js2dzzgjDopPis4qZR
+rLR9cTGjqa6ZTc/PlLfaCsm6rGBlNx/bFJjz75+yn7vMQa47fOBt4qfriHX7G/Tg
+3s8xsQSLEm3IBEYh27hoc9ZD45EXgm9ZiGA21t9v1jA27yTVaUrPbC40iDv/CMcQ
+7N2Y1sJRvmrd+2pKxtNNutujjwgBguo5bKK253R5Hy0a+NzK2LSc/GmR8EJJEwW1
+7r6road7Ss6YImCZExeY+CAW0FEzwQpmqfOdlusvIyk4x4r12JH8Q8NWHMzU3Ym/
+yqdopn/SCwCfXJsL4/eHLCaWuyiWjljNa7MwPDITx2ZPRE5QEqCqi4gaDWXyVHt8
+leGE1G3zoXNJogWhDswh105UnlZEEfOvbHbaxgWPjLV/xkuHhVlaqdyXbTExrgK6
+U2wevNS03dBuQ6bjNIbMIt9ulbiBV8MJWR0PZtnNJ958f1QXC4GT+L3FG1g5Jtz+
+rlbu70nh2kSJrg==
+=wukb
+-----END PGP PUBLIC KEY BLOCK-----

nftables.spec

@@ -0,0 +1,138 @@
+#
+# spec file for package nftables
+#
+# Copyright (c) 2022-2023 ZhuningOS
+#
+
+# configure subpackage rewriter for the python3XX-nftables bindings
+%define python_subpackage_only 1
+# check py/src/nftable.py:NFTABLES_VERSION
+%define pyversion 0.1
+
+%define skip_python2 1
+%{?sle15allpythons}
+
+Name:           nftables
+Version:        0.9.8
+Release:        150400.6.3.1
+Summary:        Userspace utility to access the nf_tables packet filter
+License:        GPL-2.0-only
+Group:          Productivity/Networking/Security
+URL:            https://netfilter.org/projects/nftables/
+
+#Git-Clone:	git://git.netfilter.org/nftables
+Source:         http://ftp.netfilter.org/pub/nftables/nftables-%version.tar.bz2
+Source2:        http://ftp.netfilter.org/pub/nftables/nftables-%version.tar.bz2.sig
+Source3:        %name.keyring
+Patch1:         0001-cache-check-for-NULL-chain-in-cache_init.patch
+Patch2:         0001-evaluate-reject-support-ethernet-as-L2-protocol-for-.patch
+BuildRequires:  asciidoc
+BuildRequires:  bison
+BuildRequires:  fdupes
+BuildRequires:  flex
+BuildRequires:  gmp-devel
+BuildRequires:  %{python_module pip}
+BuildRequires:  %{python_module setuptools}
+BuildRequires:  %{python_module wheel}
+BuildRequires:  python-rpm-macros
+BuildRequires:  pkg-config >= 0.21
+BuildRequires:  readline-devel
+BuildRequires:  pkgconfig(jansson)
+BuildRequires:  pkgconfig(libmnl) >= 1.0.4
+BuildRequires:  pkgconfig(libnftnl) >= 1.1.9
+BuildRequires:  pkgconfig(xtables) >= 1.6.1
+%python_subpackages
+
+%description
+nf_tables is a firewalling mechanism in the Linux kernel, running
+independently of and parallel to ip_tables, ip6_tables,
+arp_tables and ebtables. nftables is the corresponsing userspace
+frontend.
+
+The nftables frontend features support for sets and dictionaries of arbitrary
+types, meta data types, atomic incremental and full ruleset updates, and,
+similar to iptables, support for different protocols, access to connection
+tracking and NAT and logging.
+
+%package -n libnftables1
+Summary:        nftables firewalling command interface
+Group:          System/Libraries
+
+%description -n libnftables1
+libnftables is the nftables command line interface placed into a
+library.
+
+%package devel
+Summary:        Development files for the nftables command line interface
+Group:          Development/Libraries/C and C++
+Requires:       libnftables1 = %version
+
+%description devel
+libnftables is the nftables command line interface placed into a
+library.
+
+This package contains the header files for the library.
+
+%package -n python-nftables
+Summary:        Python interface for nftables
+Group:          Development/Languages/Python
+BuildArch:      noarch
+
+%description -n python-nftables
+A Python module for nftables.
+
+%prep
+%autosetup -p1
+# remove unused shebang
+sed -i '1{/bin/d}' py/nftables.py
+
+%build
+mkdir bin
+ln -s "%_bindir/docbook-to-man" bin/docbook2x-man
+export PATH="$PATH:$PWD/bin"
+mkdir obj
+pushd obj/
+%define _configure ../configure
+%configure --disable-silent-rules --disable-static --docdir="%_docdir/%name" \
+	--includedir="%_includedir/%name" --with-json \
+	--enable-python --with-python-bin="$(which python3)"
+%make_build
+popd
+pushd py
+%pyproject_wheel
+popd
+
+%install
+b="%buildroot"
+%make_install -C obj
+pushd py
+%pyproject_install
+%python_expand %fdupes %buildroot/%{$python_sitelib}
+popd
+rm -f "%buildroot/%_libdir"/*.la
+mkdir -p "$b/%_docdir/%name/examples"
+mv "$b/%_sysconfdir/nftables"/* "$b/%_docdir/%name/examples/"
+
+%post   -n libnftables1 -p /sbin/ldconfig
+%postun -n libnftables1 -p /sbin/ldconfig
+
+%files
+%license COPYING
+%_sbindir/nft
+%_mandir/man5/*.5*
+%_mandir/man8/nft*
+%_docdir/%name/
+
+%files -n libnftables1
+%_libdir/libnftables.so.1*
+
+%files devel
+%_includedir/%name/
+%_libdir/libnftables.so
+%_libdir/pkgconfig/*.pc
+%_mandir/man3/*.3*
+
+%files %{python_files nftables}
+%{python_sitelib}/nftables*
+
+%changelog