commit 5cff1341aca1c7a2ce4a2540754bb0ce23205632 Author: zyppe <210hcl@gmail.com> Date: Tue Mar 5 16:50:11 2024 +0800 Initialize for nftables
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..7fbe45e
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+nftables-0.9.8.tar.bz2
diff --git a/.nftables.metadata b/.nftables.metadata
new file mode 100644
index 0000000..2708bb5
--- /dev/null
+++ b/.nftables.metadata
@@ -0,0 +1 @@
+4f5ccaf16f3533f9c045867efd1580d1c6c29c9e31f0575e63da600f6c924d97 nftables-0.9.8.tar.bz2
diff --git a/0001-cache-check-for-NULL-chain-in-cache_init.patch b/0001-cache-check-for-NULL-chain-in-cache_init.patch
new file mode 100644
index 0000000..e2588f6
--- /dev/null
+++ b/0001-cache-check-for-NULL-chain-in-cache_init.patch
@@ -0,0 +1,33 @@
+From 6b7b7d5d219dca4465390f4a69096383d17782d3 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso
+Date: Thu, 1 Apr 2021 23:15:02 +0200
+Subject: [PATCH] cache: check for NULL chain in cache_init()
+
+Another process might race to add chains after chain_cache_init().
+The generation check does not help since it comes after cache_init().
+NLM_F_DUMP_INTR only guarantees consistency within one single netlink
+dump operation, so it does not help either (cache population requires
+several netlink dump commands).
+
+Let's be safe and do not assume the chain exists in the cache when
+populating the rule cache.
+
+Signed-off-by: Pablo Neira Ayuso
+---
+ src/rule.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+Index: nftables-0.9.8/src/rule.c
+===================================================================
+--- nftables-0.9.8.orig/src/rule.c
++++ nftables-0.9.8/src/rule.c
+@@ -205,6 +205,9 @@ static int cache_init_objects(struct net
+ if (!chain)
+ chain = chain_binding_lookup(table,
+ rule->handle.chain.name);
++ if (!chain) {
++ return -1;
++ }
+ list_move_tail(&rule->list, &chain->rules);
+ }
+ if (ret < 0)
diff --git a/0001-evaluate-reject-support-ethernet-as-L2-protocol-for-.patch b/0001-evaluate-reject-support-ethernet-as-L2-protocol-for-.patch
new file mode 100644
index 0000000..cdb2573
--- /dev/null
+++ b/0001-evaluate-reject-support-ethernet-as-L2-protocol-for-.patch
@@ -0,0 +1,81 @@
+From 0379244930035b3bff95281a58fa7efd7e50dd51 Mon Sep 17 00:00:00 2001
+From: Jeremy Sowden
+Date: Sat, 11 Dec 2021 18:55:25 +0000
+Subject: [PATCH] evaluate: reject: support ethernet as L2 protocol for inet
+ table
+
+When we are evaluating a `reject` statement in the `inet` family, we may
+have `ether` and `ip` or `ip6` as the L2 and L3 protocols in the
+evaluation context:
+
+ table inet filter {
+ chain input {
+ type filter hook input priority filter;
+ ether saddr aa:bb:cc:dd:ee:ff ip daddr 192.168.0.1 reject
+ }
+ }
+
+Since no `reject` option is given, nft attempts to infer one and fails:
+
+ BUG: unsupported familynft: evaluate.c:2766:stmt_evaluate_reject_inet_family: Assertion `0' failed.
+ Aborted
+
+The reason it fails is that the ethernet protocol numbers for IPv4 and
+IPv6 (`ETH_P_IP` and `ETH_P_IPV6`) do not match `NFPROTO_IPV4` and
+`NFPROTO_IPV6`. Add support for the ethernet protocol numbers.
+
+Replace the current `BUG("unsupported family")` error message with
+something more informative that tells the user to provide an explicit
+reject option.
+
+Add a Python test case.
+
+Fixes: 5fdd0b6a0600 ("nft: complete reject support")
+Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001360
+Signed-off-by: Jeremy Sowden
+Signed-off-by: Pablo Neira Ayuso
+---
+ src/evaluate.c | 7 +++++-
+ 4 files changed, 52 insertions(+), 1 deletion(-)
+
+diff --git a/src/evaluate.c b/src/evaluate.c
+index 4d4dcc2e..8edefbd1 100644
+--- a/src/evaluate.c
++++ b/src/evaluate.c
+@@ -2751,19 +2751,22 @@ static int stmt_evaluate_reject_inet_family(struct eval_ctx *ctx,
+ protocol = proto_find_num(base, desc);
+ switch (protocol) {
+ case NFPROTO_IPV4:
++ case __constant_htons(ETH_P_IP):
+ if (stmt->reject.family == NFPROTO_IPV4)
+ break;
+ return stmt_binary_error(ctx, stmt->reject.expr,
+ &ctx->pctx.protocol[PROTO_BASE_NETWORK_HDR],
+ "conflicting protocols specified: ip vs ip6");
+ case NFPROTO_IPV6:
++ case __constant_htons(ETH_P_IPV6):
+ if (stmt->reject.family == NFPROTO_IPV6)
+ break;
+ return stmt_binary_error(ctx, stmt->reject.expr,
+ &ctx->pctx.protocol[PROTO_BASE_NETWORK_HDR],
+ "conflicting protocols specified: ip vs ip6");
+ default:
+- BUG("unsupported family");
++ return stmt_error(ctx, stmt,
++ "cannot infer ICMP reject variant to use: explicit value required.\n");
+ }
+ break;
+ }
+@@ -2923,10 +2926,12 @@ static int stmt_evaluate_reject_default(struct eval_ctx *ctx,
+ protocol = proto_find_num(base, desc);
+ switch (protocol) {
+ case NFPROTO_IPV4:
++ case __constant_htons(ETH_P_IP):
+ stmt->reject.family = NFPROTO_IPV4;
+ stmt->reject.icmp_code = ICMP_PORT_UNREACH;
+ break;
+ case NFPROTO_IPV6:
++ case __constant_htons(ETH_P_IPV6):
+ stmt->reject.family = NFPROTO_IPV6;
+ stmt->reject.icmp_code = ICMP6_DST_UNREACH_NOPORT;
+ break;
diff --git a/nftables-0.9.8.tar.bz2.sig b/nftables-0.9.8.tar.bz2.sig
new file mode 100644
index 0000000..a0d5e14
Binary files /dev/null and b/nftables-0.9.8.tar.bz2.sig differ
diff --git a/nftables.changes b/nftables.changes
new file mode 100644
index 0000000..b41b583
--- /dev/null
+++ b/nftables.changes
@@ -0,0 +1,194 @@
+* Tue Jan 30 2024 matthias.gerstner@suse.com
+- port python-single-spec logic from Factory package to allow shipment of
+ python311 modules as well (bsc#1219253).
+* Tue Apr 25 2023 matthias.gerstner@suse.com
+- add 0001-evaluate-reject-support-ethernet-as-L2-protocol-for-.patch: this
+ fixes a crash in nftables if layer2 reject rules are processed (e.g.
+ Ethernet MAC address based reject rich rule in firewalld, bsc#1210773).
+* Mon May 2 2022 matthias.gerstner@suse.com
+- add 0001-cache-check-for-NULL-chain-in-cache_init.patch: this fixes rare
+ crashes that could occur e.g. in firewalld (bsc#1197606).
+* Fri Jan 15 2021 jengelh@inai.de
+- Update to release 0.9.8
+ * Complete support for matching ICMP header content fields.
+ * Added raw tcp option match support.
+ * Added ability to check for the presence of any tcp option.
+ * Support for rejecting traffic from the ingress chain.
+* Tue Oct 27 2020 jengelh@inai.de
+- Update to release 0.9.7
+ * Support for implicit chains
+ * Support for ingress inet chains
+ * Support for reject from prerouting chain
+ * Support for --terse option in json
+ * Support for the reset command with json
+* Tue Jun 16 2020 jengelh@inai.de
+- Update to release 0.9.6
+ * Fix two ASAN runtime errors
+* Sat Jun 6 2020 jengelh@inai.de
+- Update to release 0.9.5
+ * Support for set counters.
+ * Support for restoring set element counters via nft -f.
+ * Counter support for flowtables.
+ * typeof concatenations support for sets.
+ * Support for concatenated ranges in anonymous sets.
+ * Allow to reject packets with 802.1q from the bridge family.
+ * Support for matching on the conntrack ID.
+- Drop anonset-crashfix.patch (upstream solved differently)
+* Thu May 7 2020 jengelh@inai.de
+- Add anonset-crashfix.patch [boo#1171321]
+* Wed Apr 1 2020 jengelh@inai.de
+- Update to release 0.9.4
+ * Add a helper for concat expression handling.
+ * Add "typeof" build/parse/print support.
+* Mon Dec 9 2019 jengelh@inai.de
+- Add json, python [boo#1158723]
+* Tue Dec 3 2019 jengelh@inai.de
+- Update to release 0.9.3
+ * meta: Introduce new conditions "time", "day" and "hour".
+ * src: add ability to set/get secmarks to/from connection.
+ * flowtable: add support for named flowtable listing.
+ * flowtable: add support for delete command by handle.
+ * json: add support for element deletion.
+ * Add `-T` as the short option for `--numeric-time`.
+ * meta: add ibrpvid and ibrvproto support
+* Mon Aug 19 2019 jengelh@inai.de
+- Update to new upstream release 0.9.2
+ * Transport header port matching, e.g. "th dport 53"
+ * Support for matching on IPv4 options
+ * Support for synproxy
+* Sat Jan 19 2019 stefan.bruens@rwth-aachen.de
+- Remove unused dblatex BuildRequires, only needed for the optional
+ and disabled PDF generation (same contents as shipped manpage).
+* Sat Jun 9 2018 jengelh@inai.de
+- Update to new upstream release 0.9.0
+ * Support to check if packet matches an existing socket.
+ * Support to limit number of active connections by arbitrary
+ criteria, such as ip addresses, networks, conntrack zones or
+ any combination thereof.
+ * Added support for "audit" logging.
+* Fri May 11 2018 jengelh@inai.de
+- Update to new upstream release 0.8.5
+ * support to add/insert a rule at a given index position
+ * meter statement now supports a configureable upper max size
+ * timeouts for sets can now be specified in milliseconds
+ * re-add iptables-like empty skeleton rulesets
+* Wed May 2 2018 jengelh@inai.de
+- Update to new upstream release 0.8.4
+ * Support to match IPv6 segment routing headers.
+ * New "meta ibrname" and "meta obrname" arguments to match the
+ name of the logical bridge a packet is passing through.
+ These new names replace the old (misnamed) "ibriport"/"obriport".
+ * `nft -a` will now show handle identifier for all objects,
+ including tables and chains.
+ * nft can now delete objects by their handle number.
+ * Support to update maps from the ruleset (packet path).
+ * the "--echo" option now prints handle id for tables and
+ object too.
+ * `nft -f -` will now read from standard input
+ * Support for flow tables, cf. man page or
+ https://lwn.net/Articles/738214/ .
+* Sat Mar 3 2018 jengelh@inai.de
+- Update to new upstream release 0.8.3
+ * raw payload support to match headers that do not yet have
+ received a mnemonic.
+* Sat Feb 3 2018 jengelh@inai.de
+- Update to new upstream release 0.8.2
+ * add secpath support
+* Tue Jan 16 2018 jengelh@inai.de
+- Update to new upstream release 0.8.1
+ * This release deprecates the "flow table" syntax in favor
+ of "meter".
+* Fri Oct 13 2017 jengelh@inai.de
+- Update to new upstream release 0.8
+ * This release contains new features available up to the
+ (upcoming) Linux 4.14 kernel release:
+ * Support for stateful objects, these objects are uniquely
+ identified by a user-defined name, you can refer to them from
+ rules, and there is a well established interface to operate
+ with them.
+ * Sort set elements when listing them, from lower to largest.
+ * TCP option matching and mangling support. This includes TCP
+ maximum segment size mangling.
+ * Add new "-s" option for listings without stateful information.
+ * Add new -c/--check option for nft, to tests if your ruleset
+ loads fine, into the kernel, this is a dry run mode.
+ * Connection tracking helper support.
+ * Add --echo option, to print the handle that the kernel
+ allocates to uniquely identify rules.
+ * Conntrack zone support
+ * Symmetric hash support
+ * Add support to include directories from nft natives scripts,
+ files are loaded in alphanumerical order.
+ * Allow to check if IPv6 extension header or TCP option exists
+ or is missing.
+ * Extend quota support to display used bytes.
+ * Add ct average matching, to match average bytes per packet a
+ connection has transferred so far, to map the existing
+ feature available in the iptables connbytes match.
+ * Allow to flush maps and flow tables.
+ * Allow to embed set definition into an existing set.
+ * Conntrack event filtering support via rule.
+* Tue Dec 20 2016 jengelh@inai.de
+- Update to new upstream release 0.7
+ * Add new fib expression, which can be used to obtain the
+ output interface from the route table based on either source
+ or destination address of a packet.
+ * Support hashing of any arbitrary key combination, eg.
+ * Add number generation support. Useful for round-robin packet
+ mark setting.
+ * Add quota support, eg.
+ * Introduce routing expression, for routing related data with
+ support for nexthop
+ * Notrack support, to explicitly skip connection tracking for
+ matching packets.
+ * Support to set non-byte bound packet header fields, including
+ checksum adjustment.
+ * Add 'create set' and 'create element' commands.
+ * Allow to use variable reference for set element definitions.
+ * Allow to use variable definitions from element commands.
+ * Add support to flush set. You can use this new command to
+ remove all existing elements in a set.
+ * Inverted set lookups.
+ * Honor absolute and relative paths via include file, where:
+ * Support log flags, to enable logging TCP sequence and options.
+ * tc classid parser support, eg.
+ * Allow numeric connlabels, so if connlabel still works with
+ undefined labels.
+* Thu Jun 2 2016 jengelh@inai.de
+- Update to new upstream release 0.6
+ * Rules may be replaced now
+ * Flow table support (requires Linux >= 4.3)
+ * Support for tracing
+ * Ratelimiting now supports units like bytes/second.
+ * Matchinv VLAN IDs, DSCP/ECN, ICMP RtAdv & RtSol
+* Thu Sep 17 2015 jengelh@inai.de
+- Update to new upstream release 0.5
+ * Support combinations of two or more selectors to build a tuple
+ * Timeout support for sets
+ * Dormant flag for tables
+ * Default chain policy specifiable on creation
+* Sat May 23 2015 mrueckert@suse.de
+- set the url to the project page
+- pass --disable-silent-rules to configure to allow gcc post build
+ check to work
+* Tue Dec 16 2014 jengelh@inai.de
+- Update to new upstream release 0.4
+ * Since Linux 3.18: support for global ruleset operations
+ * Since 3.17: full logging support for all the families,
+ including nfnetlink_log
+ * 3.16: automatic selection of the optimal set implementation
+ * 3.14: reject support for ip, ip6 and inet
+ * 3.18: reject support for bridge, and reject icmpx abstraction
+ * 3.18: masquerade support
+ * 3.19: redirect support
+ * Extend meta to support pkttype, cpu and devgroup matching.
+* Fri Jun 27 2014 jengelh@inai.de
+- Update to new upstream release 0.3
+ * More compact syntax for the queue action
+ * Match input and output bridge interface name through "meta
+ ibriport" and "meta obriport"
+ * netlink event monitor, to monitor ruleset events, set changes, etc.
+ * New transaction infrastructure - fully atomic updates for all
+ object available in the upcoming 3.16.
+* Mon Jan 13 2014 jengelh@inai.de
+- Initial package for build.opensuse.org
diff --git a/nftables.keyring b/nftables.keyring
new file mode 100644
index 0000000..2d3b902
--- /dev/null
+++ b/nftables.keyring
@@ -0,0 +1,64 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBF+HdQgBEACzteJUJGtj3N6u5mcGh4Nu/9GQfwrrphZuI7jto2N6+ZoURded
+660mFLnax7wgIE8ugAa085jwFWbFY3FzGutUs/kDmnqy9WneYNBLIAF3ZTFfY+oi
+V1C09bBlHKDj9gSEM2TZ/qU14exKdSloqcMKSdIqLQX27w/D6WmO1crDjOKKN9F2
+zjc3uLjo1gIPrY+Kdld29aI0W4gYvNLOo+ewhVC5Q6ymWOdR3eKaP2HIAt8CYf0t
+Sx8ChHdBvXQITDmXoGPLTTiCHBoUzaJ/N8m4AZTuSUTr9g3jUNFmL48OrJjFPhHh
+KDY0V59id5nPu4RX3fa/XW+4FNlrthA5V9dQSIPh7r7uHynDtkcCHT5m4mn0NqG3
+dsUqeYQlrWKCVDTfX/WQB3Rq1tgmOssFG9kZkXcVTmis3KFP1ZAahBRB33OJgSfi
+WKc/mWLMEQcljbysbJzq74Vrjg44DNK7vhAXGoR35kjj5saduxTywdb3iZhGXEsg
+9zqV0uOIfMQsQJQCZTlkqvZibdB3xlRyiCwqlf1eHB2Vo7efWbRIizX2da4c5xUj
++IL1eSPmTV+52x1dYXpn/cSVKJAROtcSmwvMRyjuGOcTNtir0XHCxC5YYBow6tKR
+U1hrFiulCMH80HeS+u/g4SpT4lcv+x0DlN5BfWQuN5k5ZzwKb6EQs092qQARAQAB
+tCxOZXRmaWx0ZXIgQ29yZSBUZWFtIDxjb3JldGVhbUBuZXRmaWx0ZXIub3JnPokC
+VAQTAQoAPhYhBDfZZKzASYHHVQD7m9Vdl4qKFCDkBQJfh3UIAhsDBQkHhM4ABQsJ
+CAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJENVdl4qKFCDk0msQAJTIK8TLHw2IJDc6
++ZfUJc+znSNwskO+A4lwvb1vRY5qFV+CA2S1eUS4HGDWDT0sPKie6Nx4+FBczkWd
+RA+eaKDqQeS5Vzc2f0bl74un91h7yE8O2NsVnpL166MnAAk3/ACjHsZX2PzF12F6
+4stvGQFpjZRWItj0I6bvPY6CTtqVPB98a6RpdbS9kGxCCMrL3CFGDXGSjXes5KwN
+IvngmVB36wjb3QgEtQIv13jrWFfiXeuieqMRyC6Z3KNYVcvis34eGxPFD9MHrK+w
+bdw3KzMBJd7hMoVRl32Q13T/PX8H3pqWMqKaL41wHUswRt0IQjNZnRvRnlJ0VDFf
+Wep/3dFK+uQbdABuiwCiRli5mWeOMCP+qJodP1OZSGqg0VwZWUGdCGG5+qIhngOj
+QVomvJ7N4eRLU3xuPVjLoBeHzvViUPpYtWQ/YiZK5rWTJHhu88xZaysFJRaV+Uz3
+wPkeqdArRRXl1Tpy+cKy7D5BZAr7OjT1wboon23IM2DJRurbaHD8blMsjZ07pbvb
+4hdpiE6mqq7CYskDz2UGTaFfEW4bFnKtvKTXEnmcqc4mWcr2z9BBYouGmcFczgET
+tE02XejmExXV2RPUtXfLuNIbVpuXG1qhzNuXAfm+S/68XDSFrwyK8/Dgq5ga0iIP
+n8Uvz12Xu/Qde+NicogLNWF90QJ2iQIzBBABCgAdFiEEwJ2yBj8dcDS6YVKtq0ZV
+oSbSkuQFAl+HdTEACgkQq0ZVoSbSkuSrmhAAi64OqYjb2ZbAJbFAPM6pijyys6Y9
+o8ZyLoCRCUXNrjWkNIozTgmj5fm0ECrUXKyrB6OJhTvaRXmqLcBwWOAnP1v7wb+S
+ZhEwP0n6E1mZW0t1Qt0xX8yifM5Tpvy+757OSrsuoRpXwwz4Ubuc6G4N/McoRSfU
+tVUcz3sKF8hcbETD/hVZb9Qfv0ZjQxu8LiBfKfgy2Eg8yExTdO027hYqQc5q2HEp
+HRjD2PMyI33V8KqffWn0AkofweOOFxg1ePV5X9M8rYP+k/2gjPkrrvnZgF/4SxDM
+FATmHaIbO3zEQg+u2f1mVCZASBBN1MLth7dMOoClHBmxnQ8uapRg9GNxs7TnXmV/
+diZZbqLf6i9bW/scvWEIdM8EGKpbGjdWIlgQJTIuz3seB+9zOdq9L3uTQWHnYLid
+R3YkyOsBRqQvM7Gb3zYgvlPjZ+L2FeGg5rD/eeLbv+k027E0TSAgtHoSA2pVTDDK
+uqCXVKfmk1I0SO83L9teBblxed07LeVaS9/uK00rWM/TM1bwogfF/4ZEsmAWznzv
+Xan/QmrYNgK3C3AZ4pMX7pGCGV1w93Fw3tUzaEJeS2LlsiL5aPOF63b/DqM6W2nl
+UqGjKTdVLuF+JgoRH5U2wCyHYhDFm+CaFsYUu2Jf5hTmVWOR3anBoXy6Ty8SoV8q
+KxtKpmKmIdPhDe65Ag0EX4d1CAEQANJMZApYzeeLrc7Rs6fGDK4Z3ejEST+aq7vO
+RT9YEppRBG1QoUDBuNodAFxIWM6SpwvN7X9AZeIML2EOjDabF5Q6RNHbwODyLDYc
+wmqtWh0NNpK85fXwDgcLOQW+dPimsk3ni1crXhhjZgs6syb9yM/pDi0Tf7wzNZt0
+0p736zlpQPMORfO+mFgac0FVt/GQsTdIwTBzZ36fcV3W8iPH334Sqsatp617R+z+
+q2alH8Vynz12iHi2oJFtmTxhghCROPcLWz3XMKv9A7BfuZeE0k+pK7xnBKrpZzKU
+k1j2uzTKzV2Bquo5HNDsy9PgQn16BlXVrxdHfQnBz2w67aHMKnPD/v+K81oxtnuk
+pwBAT8Wovkyy1VTLhQH5F0y5bpQrVH/Lwq0/q421hfD3iPHtb2tC1heT9ze/sqkY
+plctFb81fx3o8xcBpvuIaTB3URptf8JNvh5KjETZFMQvAddq8oYovoKu+Z/585uC
+qwO0Fohpw9qRwmhq7UBvGDVAVgo6kKjMW2Z9U3OnfggrDCytCIZh8eLNagfRL2cu
+iq8Sx+cGGt1zoCPhjDN1MaNt/KHm8Gxr+lP+RxH3Et3pEX6mmhSCaU4wr0W5Bf3p
+jEtiOwnqajisBQCHh49OGiV8Vg9uQN5GpLpPpbvnGS4vq8jdj6p3gsiS2F7JMy7O
+ysBENBkXABEBAAGJAjwEGAEKACYWIQQ32WSswEmBx1UA+5vVXZeKihQg5AUCX4d1
+CAIbDAUJB4TOAAAKCRDVXZeKihQg5NMIEACBdwXwDMRB8rQeqNrhbh7pjbHHFmag
+8bPvkmCq/gYGx9MQEKFUFtEGNSBh6m5pXr9hJ9HD2V16q9ERbuBcA6wosz4efQFB
+bbage7ZSECCN+xMLirQGRVbTozu2eS8FXedH0X9f0JWLDGWwRg+pAqSOtuFjHhYM
+jVpwbH/s71BhH84x5RgWezh2BWLbP3UuY7JtWNAvAaeo53Js2dzzgjDopPis4qZR
+rLR9cTGjqa6ZTc/PlLfaCsm6rGBlNx/bFJjz75+yn7vMQa47fOBt4qfriHX7G/Tg
+3s8xsQSLEm3IBEYh27hoc9ZD45EXgm9ZiGA21t9v1jA27yTVaUrPbC40iDv/CMcQ
+7N2Y1sJRvmrd+2pKxtNNutujjwgBguo5bKK253R5Hy0a+NzK2LSc/GmR8EJJEwW1
+7r6road7Ss6YImCZExeY+CAW0FEzwQpmqfOdlusvIyk4x4r12JH8Q8NWHMzU3Ym/
+yqdopn/SCwCfXJsL4/eHLCaWuyiWjljNa7MwPDITx2ZPRE5QEqCqi4gaDWXyVHt8
+leGE1G3zoXNJogWhDswh105UnlZEEfOvbHbaxgWPjLV/xkuHhVlaqdyXbTExrgK6
+U2wevNS03dBuQ6bjNIbMIt9ulbiBV8MJWR0PZtnNJ958f1QXC4GT+L3FG1g5Jtz+
+rlbu70nh2kSJrg==
+=wukb
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/nftables.spec b/nftables.spec
new file mode 100644
index 0000000..e1ccf74
--- /dev/null
+++ b/nftables.spec
@@ -0,0 +1,138 @@
+#
+# spec file for package nftables
+#
+# Copyright (c) 2022-2023 ZhuningOS
+#
+
+# configure subpackage rewriter for the python3XX-nftables bindings
+%define python_subpackage_only 1
+# check py/src/nftable.py:NFTABLES_VERSION
+%define pyversion 0.1
+
+%define skip_python2 1
+%{?sle15allpythons}
+
+Name: nftables
+Version: 0.9.8
+Release: 150400.6.3.1
+Summary: Userspace utility to access the nf_tables packet filter
+License: GPL-2.0-only
+Group: Productivity/Networking/Security
+URL: https://netfilter.org/projects/nftables/
+
+#Git-Clone: git://git.netfilter.org/nftables
+Source: http://ftp.netfilter.org/pub/nftables/nftables-%version.tar.bz2
+Source2: http://ftp.netfilter.org/pub/nftables/nftables-%version.tar.bz2.sig
+Source3: %name.keyring
+Patch1: 0001-cache-check-for-NULL-chain-in-cache_init.patch
+Patch2: 0001-evaluate-reject-support-ethernet-as-L2-protocol-for-.patch
+BuildRequires: asciidoc
+BuildRequires: bison
+BuildRequires: fdupes
+BuildRequires: flex
+BuildRequires: gmp-devel
+BuildRequires: %{python_module pip}
+BuildRequires: %{python_module setuptools}
+BuildRequires: %{python_module wheel}
+BuildRequires: python-rpm-macros
+BuildRequires: pkg-config >= 0.21
+BuildRequires: readline-devel
+BuildRequires: pkgconfig(jansson)
+BuildRequires: pkgconfig(libmnl) >= 1.0.4
+BuildRequires: pkgconfig(libnftnl) >= 1.1.9
+BuildRequires: pkgconfig(xtables) >= 1.6.1
+%python_subpackages
+
+%description
+nf_tables is a firewalling mechanism in the Linux kernel, running
+independently of and parallel to ip_tables, ip6_tables,
+arp_tables and ebtables. nftables is the corresponsing userspace
+frontend.
+
+The nftables frontend features support for sets and dictionaries of arbitrary
+types, meta data types, atomic incremental and full ruleset updates, and,
+similar to iptables, support for different protocols, access to connection
+tracking and NAT and logging.
+
+%package -n libnftables1
+Summary: nftables firewalling command interface
+Group: System/Libraries
+
+%description -n libnftables1
+libnftables is the nftables command line interface placed into a
+library.
+
+%package devel
+Summary: Development files for the nftables command line interface
+Group: Development/Libraries/C and C++
+Requires: libnftables1 = %version
+
+%description devel
+libnftables is the nftables command line interface placed into a
+library.
+
+This package contains the header files for the library.
+
+%package -n python-nftables
+Summary: Python interface for nftables
+Group: Development/Languages/Python
+BuildArch: noarch
+
+%description -n python-nftables
+A Python module for nftables.
+
+%prep
+%autosetup -p1
+# remove unused shebang
+sed -i '1{/bin/d}' py/nftables.py
+
+%build
+mkdir bin
+ln -s "%_bindir/docbook-to-man" bin/docbook2x-man
+export PATH="$PATH:$PWD/bin"
+mkdir obj
+pushd obj/
+%define _configure ../configure
+%configure --disable-silent-rules --disable-static --docdir="%_docdir/%name" \
+ --includedir="%_includedir/%name" --with-json \
+ --enable-python --with-python-bin="$(which python3)"
+%make_build
+popd
+pushd py
+%pyproject_wheel
+popd
+
+%install
+b="%buildroot"
+%make_install -C obj
+pushd py
+%pyproject_install
+%python_expand %fdupes %buildroot/%{$python_sitelib}
+popd
+rm -f "%buildroot/%_libdir"/*.la
+mkdir -p "$b/%_docdir/%name/examples"
+mv "$b/%_sysconfdir/nftables"/* "$b/%_docdir/%name/examples/"
+
+%post -n libnftables1 -p /sbin/ldconfig
+%postun -n libnftables1 -p /sbin/ldconfig
+
+%files
+%license COPYING
+%_sbindir/nft
+%_mandir/man5/*.5*
+%_mandir/man8/nft*
+%_docdir/%name/
+
+%files -n libnftables1
+%_libdir/libnftables.so.1*
+
+%files devel
+%_includedir/%name/
+%_libdir/libnftables.so
+%_libdir/pkgconfig/*.pc
+%_mandir/man3/*.3*
+
+%files %{python_files nftables}
+%{python_sitelib}/nftables*
+
+%changelog
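Review bot: `Source:` and `Source2:` fetch the tarball and its detached signature over plain `http://` while the `URL:` line two entries above already uses https; the fetch transport should not be the weakest link, so use `Source: https://ftp.netfilter.org/pub/nftables/nftables-%version.tar.bz2` and `Source2: https://ftp.netfilter.org/pub/nftables/nftables-%version.tar.bz2.sig`. The detached signature, the `%name.keyring` in `Source3` and the SHA-256 recorded in `.nftables.metadata` still give an integrity check when build tooling verifies them, but nothing in this spec itself runs that verification, so a plaintext download only stays safe as long as some external step does. Separately, the comment `# check py/src/nftable.py:NFTABLES_VERSION` names a path that does not match the `py/nftables.py` the `%prep` sed edits, and `pyversion` does not appear to be referenced anywhere else in this spec; either drop the define or point the comment at the file it is meant to track.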