# install init scripts to /usr/libexec with systemd

%define script_path %{_libexecdir}/iptables

# service legacy actions (RHBZ#748134)

%define legacy_actions %{_libexecdir}/initscripts/legacy-actions

Name: iptables

Summary: Tools for managing Linux kernel packet filtering capabilities

Version: 1.4.21

Release: 33%{?dist}

Source: http://www.netfilter.org/projects/iptables/files/%{name}-%{version}.tar.bz2

Source1: iptables.init

Source2: iptables-config

Source3: iptables.service.in

Source4: iptables.save-legacy

Source5: sysconfig_iptables

Source6: sysconfig_ip6tables

Source7: iptables.panic-legacy

Patch1: iptables-1.4.21-rhbz_1054871.patch

Patch2: iptables-1.4.21-libxt_cgroup.patch

Patch3: iptables-1.4.21-wait_seconds.patch

Patch4: iptables-1.4.21-flock_wait.patch

Patch5: iptables-1.4.21-rhbz_1261238.patch

Patch6: iptables-c513cc3-rhbz_1298879.patch

Patch7: iptables-1.4.21-wait-interval.patch

Patch8: iptables-do_not_lock_again_and_again.patch

Patch9: iptables-use_the_blocking_file_lock_request.patch

Patch10: iptables-1.4.21-configure_set_lock_file_path.patch

Patch11: iptables-1.4.21-move_XT_LOCK_NAME_to_config.h.patch

Patch12: iptables-1.4.21-remove_duplicated_argument_parsing.patch

Patch13: iptables-1.4.21-restore_support_acquiring_the_lock.patch

# One patch invalid: 1cf4ba6fbe85b3cbe9828a7947000290e1989986

Patch14: iptables-do_not_set_changed_for_check_options.patch

Patch15: iptables-1.4.21-restore_version.patch

Patch16: iptables-1.4.21-restore_wait_man.patch

Patch17: extensions-libxt_tcpmss-Detect-invalid-ranges.patch

Patch18: iptables-restore-save-exit-when-given-an-unknown-opt.patch

Patch19: ip-6-tables-restore-Don-t-ignore-missing-wait-interv.patch

Patch20: ip-6-tables-restore-Don-t-accept-wait-interval-witho.patch

Patch21: utils-nfnl_osf-Fix-synopsis-in-help-text.patch

Patch22: utils-Add-a-man-page-for-nfnl_osf.patch

Patch23: Mark-fall-through-cases-in-switch-statements.patch

Patch24: libiptc-Simplify-alloc_handle-function-signature.patch

Patch25: libxtables-Fix-potential-array-overrun-in-xtables_op.patch

Patch26: ip-6-tables-restore-Fix-for-uninitialized-array-curt.patch

Patch27: nfnl_osf-Replace-deprecated-nfnl_talk-by-nfnl_query.patch

Patch28: libxt_string-Avoid-potential-array-out-of-bounds-acc.patch

Patch29: libxt_string-Fix-array-out-of-bounds-check.patch

Patch30: libxtables-Don-t-read-garbage-in-xtables_strtoui.patch

Patch31: libxt_time-Drop-initialization-of-variable-year.patch

Patch32: libxt_sctp-fix-array-out-of-range-in-print_chunk.patch

Patch33: libxt_ipvs-Avoid-potential-buffer-overrun.patch

Patch34: libxt_conntrack-Version-0-does-not-support-XT_CONNTR.patch

Patch35: Fix-a-few-cases-of-pointless-assignments.patch

Patch36: nfnl_osf-Drop-pointless-check-in-xt_osf_strchr.patch

Patch37: libxt_conntrack-Avoid-potential-buffer-overrun.patch

Patch38: libxtables-Check-extension-real_name-length.patch

Patch39: libiptc-NULL-terminate-errorname.patch

Patch40: libxtables-Avoid-calling-memcpy-with-NULL-source.patch

Patch41: libxt_LED-Avoid-string-overrun-while-parsing-led-tri.patch

Patch42: libxt_recent-Remove-ineffective-checks-for-info-name.patch

Patch43: libxtables-move-some-code-to-avoid-cautions-in-vfork.patch

Patch44: libxtables-Use-posix_spawn-instead-of-vfork.patch

Patch45: libiptc-Avoid-side-effect-in-memset-calls.patch

Patch46: Share-print_ipv-4-6-_addr-from-xtables.patch

Patch47: extensions-REJECT-Check-for-array-overrun.patch

Patch48: list-fix-prefetch-dummy.patch

Patch49: extensions-Add-macro-_DEFAULT_SOURCE.patch

Patch50: Consolidate-DEBUGP-macros.patch

Patch51: xshared-Consolidate-argv-construction-routines.patch

Patch52: extensions-Fix-ipvs-vproto-parsing.patch

Patch53: extensions-Fix-ipvs-vproto-option-printing.patch

Patch54: extensions-libxt_devgroup-Fix-the-path-of-the-group-.patch

Patch55: extensions-Initialize-linear-mapping-of-symbols-in-_.patch

Patch56: xtables-Introduce-and-use-common-function-to-parse-v.patch

Patch57: iptables-xml-fix-segfault-if-missing-space-after-A.patch

Patch58: man-iptables-save-Add-note-about-module-autoloading.patch

Group: System Environment/Base

URL: http://www.netfilter.org/

License: GPLv2

# libnetfilter_conntrack is needed for xt_connlabel

BuildRequires: libnetfilter_conntrack-devel >= 1.0.4

# libnfnetlink-devel is requires for nfnl_osf

BuildRequires: libnfnetlink-devel

BuildRequires: libselinux-devel

BuildRequires: kernel-headers

BuildRequires: systemd

BuildRequires: automake

BuildRequires: autoconf

BuildRequires: libtool

%description

The iptables utility controls the network packet filtering code in the

Linux kernel. If you need to set up firewalls and/or IP masquerading,

you should install this package.

%package devel

Summary: Development package for iptables

Group: System Environment/Base

Requires: %{name}%{?_isa} = %{version}-%{release}

Requires: pkgconfig

%description devel

iptables development headers and libraries.

The iptc interface is upstream marked as not public. The interface is not 

stable and may change with every new version. It is therefore unsupported.

%package services

Summary: iptables and ip6tables services for iptables

Group: System Environment/Base

Requires: %{name} = %{version}-%{release}

Requires: /bin/bash

Requires(post): systemd

Requires(preun): systemd

Requires(postun): systemd

# provide and obsolete old main package

Provides: %{name} = 1.4.16.1

Obsoletes: %{name} < 1.4.16.1

# provide and obsolete ipv6 sub package

Provides: %{name}-ipv6 = 1.4.11.1

Obsoletes: %{name}-ipv6 < 1.4.11.1

%description services

iptables services for IPv4 and IPv6

This package provides the services iptables and ip6tables that have been split

out of the base package since they are not active by default anymore.

%package utils

Summary: iptables and ip6tables services for iptables

Group: System Environment/Base

Requires: %{name} = %{version}-%{release}

%description utils

Utils for iptables.

Currently only provides nfnl_osf with the pf.os database.

%prep

%autosetup -p1

%build

# Since patches above touch configure.ac we must regen configure

./autogen.sh

CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing " \

%configure --enable-devel --with-kernel=/usr --with-kbuild=/usr --with-ksource=/usr

# do not use rpath

sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool

sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool

rm -f include/linux/types.h

make %{?_smp_mflags}

%install

make install DESTDIR=%{buildroot} 

# remove la file(s)

rm -f %{buildroot}/%{_libdir}/*.la

# install ip*tables.h header files

install -m 644 include/ip*tables.h %{buildroot}%{_includedir}/

install -d -m 755 %{buildroot}%{_includedir}/iptables

install -m 644 include/iptables/internal.h %{buildroot}%{_includedir}/iptables/

# install ipulog header file

install -d -m 755 %{buildroot}%{_includedir}/libipulog/

install -m 644 include/libipulog/*.h %{buildroot}%{_includedir}/libipulog/

# install init scripts and configuration files

install -d -m 755 %{buildroot}%{script_path}

install -c -m 755 %{SOURCE1} %{buildroot}%{script_path}/iptables.init

sed -e 's;iptables;ip6tables;g' -e 's;IPTABLES;IP6TABLES;g' < %{SOURCE1} > ip6tables.init

install -c -m 755 ip6tables.init %{buildroot}%{script_path}/ip6tables.init

install -d -m 755 %{buildroot}%{_sysconfdir}/sysconfig

install -c -m 600 %{SOURCE2} %{buildroot}%{_sysconfdir}/sysconfig/iptables-config

sed -e 's;iptables;ip6tables;g' -e 's;IPTABLES;IP6TABLES;g' < %{SOURCE2} > ip6tables-config

install -c -m 600 ip6tables-config %{buildroot}%{_sysconfdir}/sysconfig/ip6tables-config

install -c -m 600 %{SOURCE5} %{buildroot}%{_sysconfdir}/sysconfig/iptables

install -c -m 600 %{SOURCE6} %{buildroot}%{_sysconfdir}/sysconfig/ip6tables

# install systemd service files

install -d -m 755 %{buildroot}/%{_unitdir}

sed -e 's;iptables;ip6tables;g' \

    -e 's;IPv4;IPv6;g' \

    -e 's;/usr/libexec/ip6tables;/usr/libexec/iptables;g' \

    -e 's;^\(After=.*\)$;\1 iptables.service;' \

    < %{SOURCE3} > ip6tables.service

sed -e 's;^\(After=.*\)$;Before=ip6tables.service\n\1;' \

    < %{SOURCE3} > iptables.service

install -c -m 644 iptables.service %{buildroot}/%{_unitdir}

install -c -m 644 ip6tables.service %{buildroot}/%{_unitdir}

# install legacy actions for service command

install -d %{buildroot}/%{legacy_actions}/iptables

install -d %{buildroot}/%{legacy_actions}/ip6tables

install -c -m 755 %{SOURCE4} %{buildroot}/%{legacy_actions}/iptables/save

install -c -m 755 %{SOURCE7} %{buildroot}/%{legacy_actions}/iptables/panic

sed -e 's;iptables.init;ip6tables.init;g' -e 's;IPTABLES;IP6TABLES;g' < %{buildroot}/%{legacy_actions}/iptables/save > ip6tabes.save-legacy

sed -e 's;iptables.init;ip6tables.init;g' -e 's;IPTABLES;IP6TABLES;g' < %{buildroot}/%{legacy_actions}/iptables/panic > ip6tabes.panic-legacy

install -c -m 755 ip6tabes.save-legacy %{buildroot}/%{legacy_actions}/ip6tables/save

install -c -m 755 ip6tabes.panic-legacy %{buildroot}/%{legacy_actions}/ip6tables/panic

%if 0%{?rhel}

%pre

for p in %{_sysconfdir}/alternatives/iptables.*; do

    if [ -h "$p" ]; then

        ipt=$(readlink "$p")

        echo "Removing alternatives for ${p##*/} with path $ipt"

        %{_sbindir}/alternatives --remove "${p##*/}" "$ipt"

    fi

done

for p in %{_sysconfdir}/alternatives/ip6tables.*; do

    if [ -h "$p" ]; then

        ipt=$(readlink "$p")

        echo "Removing alternatives for ${p##*/} with path $ipt"

        %{_sbindir}/alternatives --remove "${p##*/}" "$ipt"

        # create dummy alternatives entry to fix iptables-ipv6 package removal

        %{_sbindir}/alternatives --install /sbin/ip6tables.dummy "${p##*/}" "$ipt" 90

    fi

done

%posttrans

# cleanup dummy alternatives to fix iptables-ipv6 package removal if still there

for p in %{_sysconfdir}/alternatives/ip6tables.*; do

    if [ -h "$p" ]; then

        ipt=$(readlink "$p")

        %{_sbindir}/alternatives --remove "${p##*/}" "$ipt" || :

    fi

done

%endif

%post -p /sbin/ldconfig

%postun -p /sbin/ldconfig

%post services

%systemd_post iptables.service ip6tables.service

%preun services

%systemd_preun iptables.service ip6tables.service

%postun services

/sbin/ldconfig

%systemd_postun iptables.service ip6tables.service

%files

%doc COPYING INCOMPATIBILITIES

%config(noreplace) %attr(0600,root,root) %{_sysconfdir}/sysconfig/iptables-config

%config(noreplace) %attr(0600,root,root) %{_sysconfdir}/sysconfig/ip6tables-config

%{_sbindir}/iptables*

%{_sbindir}/ip6tables*

%{_sbindir}/xtables-multi

%{_bindir}/iptables-xml

%{_mandir}/man1/iptables-xml*

%{_mandir}/man8/iptables*

%{_mandir}/man8/ip6tables*

%dir %{_libdir}/xtables

%{_libdir}/xtables/libipt*

%{_libdir}/xtables/libip6t*

%{_libdir}/xtables/libxt*

%{_libdir}/libip*tc.so.*

%{_libdir}/libxtables.so.*

%files devel

%dir %{_includedir}/iptables

%{_includedir}/iptables/*.h

%{_includedir}/*.h

%dir %{_includedir}/libiptc

%{_includedir}/libiptc/*.h

%dir %{_includedir}/libipulog

%{_includedir}/libipulog/*.h

%{_libdir}/libip*tc.so

%{_libdir}/libxtables.so

%{_libdir}/pkgconfig/libiptc.pc

%{_libdir}/pkgconfig/libip4tc.pc

%{_libdir}/pkgconfig/libip6tc.pc

%{_libdir}/pkgconfig/xtables.pc

%files services

%dir %{script_path}

%attr(0755,root,root) %{script_path}/iptables.init

%attr(0755,root,root) %{script_path}/ip6tables.init

%config(noreplace) %attr(0600,root,root) %{_sysconfdir}/sysconfig/iptables

%config(noreplace) %attr(0600,root,root) %{_sysconfdir}/sysconfig/ip6tables

%{_unitdir}/iptables.service

%{_unitdir}/ip6tables.service

%dir %{legacy_actions}/iptables

%{legacy_actions}/iptables/save

%{legacy_actions}/iptables/panic

%dir %{legacy_actions}/ip6tables

%{legacy_actions}/ip6tables/save

%{legacy_actions}/ip6tables/panic

%files utils

%{_sbindir}/nfnl_osf

%dir %{_datadir}/xtables

%{_datadir}/xtables/pf.os

%{_mandir}/man8/nfnl_osf*

%changelog

* Thu Apr 18 2019 Phil Sutter <psutter@redhat.com> - 1.4.21-33

- man: iptables-save: Add note about module autoloading (RHBZ#1691380)

* Tue Apr 09 2019 Phil Sutter <psutter@redhat.com> - 1.4.21-32

- iptables-xml: fix segfault if missing space after -A (RHBZ#1525980)

* Wed Apr 03 2019 Phil Sutter <psutter@redhat.com> - 1.4.21-31

- Fix iptables-restore with empty comment in rule (RHBZ#1668475)

- Fix parsing and printing of -m ipvs --vproto option (RHBZ#1679726)

- Fix for wrong location of devgroup definition file (RHBZ#1657075)

- Fix for non-numeric devgroup name output (RHBZ#1657075)

- Reject negative realm values (RHBZ#1657075)

* Fri Mar 15 2019 Phil Sutter - 1.4.21-30

- Drop leftover variable from init script (RHBZ#1520534)

* Fri Mar 15 2019 Phil Sutter - 1.4.21-29

- Do not attempt to unload any modules when stopping the firewall (RHBZ#1520534)

- Fix for covscan warnings (RHBZ#1525980)

* Tue Jun 05 2018 Phil Sutter - 1.4.21-28

- Add nfnl_osf.8 man page (RHBZ#1487331)

* Fri May 11 2018 Phil Sutter - 1.4.21-27

- libxt_tcpmss: Detect invalid ranges (RHBZ#1128510)

- ip(6)tables-save/restore: Exit if invalid option was given (RHBZ#1465078)

- ip(6)tables-save/restore: Require value to -W option (RHBZ#1465078)

- ip(6)tables-save/restore: Don't accept -W without -w (RHBZ#1465078)

- Ignore security table when setting policies (RHBZ#1494012)

- Fix spec file changing SRPM content (RHBZ#1531290)

* Thu Mar 29 2018 Phil Sutter - 1.4.21-26

- Avoid overwriting parent's return code (RHBZ#1560012)

* Thu Mar 29 2018 Phil Sutter - 1.4.21-25

- Fix for stopping iptables and ip6tables at the same time (RHBZ#1560012)

- Propagate errors on service stop (RHBZ#1560012)

* Fri Nov 17 2017 Phil Sutter - 1.4.21-24

- Fix fgrep call over multiple files in iptables.init

* Fri Oct 20 2017 Phil Sutter - 1.4.21-23

- Fix incorrect ip6tables.service unit syntax (RHBZ#1486803)

* Fri Oct 06 2017 Phil Sutter - 1.4.21-22

- Search for restorecon binary using which (RHBZ#1406860)

* Thu Sep 07 2017 Phil Sutter - 1.4.21-21

- Scan /etc/sysctl.d for items in IPTABLES_SYSCTL_LOAD_LIST (RHBZ#1402021)

* Thu Aug 31 2017 Phil Sutter - 1.4.21-20

- Prevent iptables.service and ip6tables.service from running in parallel

  (RHBZ#1486803)

- Don't restart services upon upgrade (RHBZ#1380141)

* Thu Aug 10 2017 Thomas Woerner <twoerner@redhat.com> 1.4.21-19

- Use wait option for restore calls to fix failing service starts

  (RHBZ#1477413)

* Mon Apr 24 2017 Thomas Woerner <twoerner@redhat.com> 1.4.21-18

- Add support for --wait options to restore commands (RHBZ#1438597)

- Do not set changed flag for rule check operations with module targets

  (RHBZ#1438597)

- Add version option to restore commands (RHBZ#1438597)

* Fri Jul  1 2016 Thomas Woerner <twoerner@redhat.com> 1.4.21-17

- Fixed init script not to fail on missing restorecon (RHBZ#1246380)

- Adapted man page snipplet for TRACE to use proper logging backend names

  (RHBZ#1261238)

- Warn about use of DROP in nat table (RHBZ#1298879)

- Fixed modules unload in init script (RHBZ#1324102)

* Fri Sep 18 2015 Thomas Woerner <twoerner@redhat.com> 1.4.21-16

- Fix important coverity findings: missing include for flock and use bash for

  init script (RHBZ#1264399)

* Fri Sep 18 2015 Thomas Woerner <twoerner@redhat.com> 1.4.21-15

- Use systemd AssertPathExists for /etc/sysconfig/iptables (RHBZ#1200415)

* Tue Jun 30 2015 Thomas Woerner <twoerner@redhat.com> 1.4.21-14

- Add cgroup support (RHBZ#1058660)

- Add wait seonds support for commands (RHBZ#1156411)

- Add dhcpv6-client in default IPv6 firewall rules (RHBZ#1169036)

- Add message for init script error returns (RHBZ#1200415)

- Use flock for wait option (RHBZ#1202435)

* Thu Mar 27 2014 Thomas Woerner <twoerner@redhat.com> 1.4.21-13

- fixed further update issues from RHEL-6 to RHEL-7 (RHBZ#1043901)

* Tue Mar 11 2014 Jiri Popelka <jpopelka@redhat.com> - 1.4.21-12

- Fixed iptables-save man page completely wrong (RHBZ#1054871)

* Mon Mar 10 2014 Jiri Popelka <jpopelka@redhat.com> - 1.4.21-11

- Added missing "panic" action (RHBZ#1067670)

* Mon Feb 24 2014 Jiri Popelka <jpopelka@redhat.com> - 1.4.21-10

- Fixed missing reload action for iptables service (RHBZ#1066007)

* Fri Feb 21 2014 Thomas Woerner <twoerner@redhat.com> 1.4.21-9

- fixed missing system hang at shutdown if root device is network based

  (RHBZ#1007934)

- Fixed iptables-save man page completely wrong (RHBZ#1054871)

- Fixed missing reload action for iptables service (RHBZ#1066007)

- Fixed regressions from RHEL-6 iptables services (RHBZ#1067670)

* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 1.4.21-8

- Mass rebuild 2014-01-24

* Wed Jan 15 2014 Thomas Woerner <twoerner@redhat.com> 1.4.21-7

- libnetfilter_conntrack is needed in version 1.0.4 for connlabel

  See: RHBZ#1053702

* Wed Jan 15 2014 Thomas Woerner <twoerner@redhat.com> 1.4.21-6

- Enable connlabel support again, needs libnetfilter_conntrack

* Wed Jan 15 2014 Thomas Woerner <twoerner@redhat.com> 1.4.21-6

- fixed update from RHEL-6 to RHEL-7 (RHBZ#1043901)

* Tue Jan 14 2014 Jiri Popelka <jpopelka@redhat.com> - 1.4.21-5

- chmod /etc/sysconfig/ip[6]tables 755 -> 600

* Fri Jan 10 2014 Jiri Popelka <jpopelka@redhat.com> - 1.4.21-4

- drop virtual provide for xtables.so.9

- add default /etc/sysconfig/ip[6]tables (RHBZ#1034494)

* Thu Jan 09 2014 Jiri Popelka <jpopelka@redhat.com> - 1.4.21-3

- no need to support the pre-systemd things

- use systemd macros (#850166)

- remove scriptlets for migrating to a systemd unit from a SysV initscripts

- ./configure -> %%configure

- spec clean up

- fix self-obsoletion

* Thu Jan  9 2014 Thomas Woerner <twoerner@redhat.com> 1.4.21-2

- fixed system hang at shutdown if root device is network based (RHBZ#1007934)

  Thanks to Rodrigo A B Freire for the patch

* Thu Jan  9 2014 Thomas Woerner <twoerner@redhat.com> 1.4.21-1

- no connlabel.conf upstream anymore

- new version 1.4.21

  - doc: clarify DEBUG usage macro

  - iptables: use autoconf to process .in man pages

  - extensions: libipt_ULOG: man page should mention NFLOG as replacement

  - extensions: libxt_connlabel: use libnetfilter_conntrack

  - Introduce a new revision for the set match with the counters support

  - libxt_CT: Add the "NOTRACK" alias

  - libip6t_mh: Correct command to list named mh types in manpage

  - extensions: libxt_DNAT, libxt_REDIRECT, libxt_NETMAP, libxt_SNAT, libxt_MASQUERADE, libxt_LOG: rename IPv4 manpage and tell about IPv6 support

  - extensions: libxt_LED: fix parsing of delay

  - ip{6}tables-restore: fix breakage due to new locking approach

  - libxt_recent: restore minimum value for --seconds

  - iptables-xml: fix parameter parsing (similar to 2165f38)

  - extensions: add copyright statements

  - xtables: improve get_modprobe handling

  - ip[6]tables: Add locking to prevent concurrent instances

  - iptables: Fix connlabel.conf install location

  - ip6tables: don't print out /128

  - libip6t_LOG: target output is different to libipt_LOG

  - build: additional include path required after UAPI changes

  - iptables: iptables-xml: Fix various parsing bugs

  - libxt_recent: restore reap functionality to recent module

  - build: fail in configure on missing dependency with --enable-bpf-compiler

  - extensions: libxt_NFQUEUE: add --queue-cpu-fanout parameter

  - extensions: libxt_set, libxt_SET: check the set family too

  - ip6tables: Use consistent exit code for EAGAIN

  - iptables: libxt_hashlimit.man: correct address

  - iptables: libxt_conntrack.man extraneous commas

  - iptables: libip(6)t_REJECT.man default icmp types

  - iptables: iptables-xm1.1 correct man section

  - iptables: libxt_recent.{c,man} dead URL

  - iptables: libxt_string.man add examples

  - extensions: libxt_LOG: use generic syslog reference in manpage

  - iptables: extensions/GNUMakefile.in use CPPFLAGS

  - iptables: correctly reference generated file

  - ip[6]tables: fix incorrect alignment in commands_v_options

  - build: add software version to manpage first line at configure stage

  - extensions: libxt_cluster: add note on arptables-jf

  - utils: nfsynproxy: fix error while compiling the BPF filter

  - extensions: add SYNPROXY extension

  - utils: add nfsynproxy tool

  - iptables: state match incompatibilty across versions

  - libxtables: xtables_ipmask_to_numeric incorrect with non-CIDR masks

  - iptables: improve chain name validation

  - iptables: spurious error in load_extension

  - xtables: trivial spelling fix

* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 1.4.19.1-2

- Mass rebuild 2013-12-27

* Sun Dec 22 2013 Ville Skyttä <ville.skytta@iki.fi> - 1.4.19.1-2

- Drop INSTALL from docs, escape macros in %%changelog.

* Wed Jul 31 2013 Thomas Woerner <twoerner@redhat.com> 1.4.19.1-1

- new version 1.4.19.1

  - libxt_NFQUEUE: fix bypass option documentation

  - extensions: add connlabel match

  - extensions: add connlabel match

  - ip[6]tables: show --protocol instead of --proto in usage

  - libxt_recent: Fix missing space in manpage for --mask option

  - extensions: libxt_multiport: Update manpage to list valid protocols

  - utils: nfnl_osf: use the right nfnetlink lib

  - libip6t_NETMAP: Use xtables_ip6mask_to_cidr and get rid of libip6tc dependency

  - Revert "build: resolve link failure for ip6t_NETMAP"

  - libxt_osf: fix missing --ttl and --log in save output

  - libxt_osf: fix bad location for location in --genre

  - libip6t_SNPT: add manpage

  - libip6t_DNPT: add manpage

  - utils: updates .gitignore to include nfbpf_compile

  - extensions: libxt_bpf: clarify --bytecode argument

  - libxtables: fix parsing of dotted network mask format

  - build: bump version to 1.4.19

  - libxt_conntrack: fix state match alias state parsing

  - extensions: add libxt_bpf extension

  - utils: nfbpf_compile

  - doc: mention SNAT in INPUT chain since kernel 2.6.36

- fixed changelog date weekdays where needed

* Mon Mar  4 2013 Thomas Woerner <twoerner@redhat.com> 1.4.18-1

- new version 1.4.18 

  - lots of documentation changes

  - Introduce match/target aliases

  - Add the "state" alias to the "conntrack" match

  - iptables: remove unused leftover definitions

  - libxtables: add xtables_rule_matches_free

  - libxtables: add xtables_print_num

  - extensions: libip6t_DNPT: fix wording in DNPT target

  - extension: libip6t_DNAT: allow port DNAT without address

  - extensions: libip6t_DNAT: set IPv6 DNAT --to-destination

  - extensions: S/DNPT: add missing save function

- changes of 1.4.17:

  - libxt_time: add support to ignore day transition

  - Convert the NAT targets to use the kernel supplied nf_nat.h header

  - extensions: add IPv6 MASQUERADE extension

  - extensions: add IPv6 SNAT extension

  - extensions: add IPv6 DNAT target

  - extensions: add IPv6 REDIRECT extension

  - extensions: add IPv6 NETMAP extension

  - extensions: add NPT extension

  - extensions: libxt_statistic: Fix save output

* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.16.2-7

- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild

* Wed Jan 16 2013 Ville Skyttä <ville.skytta@iki.fi> - 1.4.16.2-6

- Own unowned -services libexec dirs (#894464, Michael Scherer).

- Fix -services unit file permissions (#732936, Michal Schmidt).

* Thu Nov  8 2012 Thomas Woerner <twoerner@redhat.com> 1.4.16.2-5

- fixed path of ip6tables.init in ip6tables.service

* Fri Nov  2 2012 Thomas Woerner <twoerner@redhat.com> 1.4.16.2-4

- fixed missing services for update of pre F-18 installations (rhbz#867960)

  - provide and obsolete old main package in services sub package

  - provide and obsolete old ipv6 sub package (pre F-17) in services sub package

* Sun Oct 14 2012 Dan Horák <dan[at]dany.cz> 1.4.16.2-3

- fix the compat provides for all 64-bit arches

* Fri Oct 12 2012 Thomas Woerner <twoerner@redhat.com> 1.4.16.2-2

- new sub package services providing the systemd services (RHBZ#862922)

- new sub package utils: provides nfnl_osf and the pf.os database

- using %%{_libexecdir}/iptables as script path for the original init scripts

- added service iptables save funcitonality using the new way provided by 

  initscripts 9.37.1 (RHBZ#748134)

- added virtual provide for libxtables.so.7

* Mon Oct  8 2012 Thomas Woerner <twoerner@redhat.com> 1.4.16.2-1

- new version 1.4.16.2

  - build: support for automake-1.12

  - build: separate AC variable replacements from xtables.h

  - build: have `make clean` remove dep files too

  - doc: grammatical updates to libxt_SET

  - doc: clean up interpunction in state list for xt_conntrack

  - doc: deduplicate extension descriptions into a new manpage

  - doc: trim "state" manpage and reference conntrack instead

  - doc: have NOTRACK manpage point to CT instead

  - doc: mention iptables-apply in the SEE ALSO sections

  - extensions: libxt_addrtype: fix type in help message

  - include: add missing linux/netfilter_ipv4/ip_queue.h

  - iptables: fix wrong error messages

  - iptables: support for match aliases

  - iptables: support for target aliases

  - iptables-restore: warn about -t in rule lines

  - ip[6]tables-restore: cleanup to reduce one level of indentation

  - libip6t_frag: match any frag id by default

  - libxtables: consolidate preference logic

  - libxt_devgroup: consolidate devgroup specification parsing

  - libxt_devgroup: guard against negative numbers

  - libxt_LED: guard against negative numbers

  - libxt_NOTRACK: replace as an alias to CT --notrack

  - libxt_state: replace as an alias to xt_conntrack

  - libxt_tcp: print space before, not after "flags:"

  - libxt_u32: do bounds checking for @'s operands

  - libxt_*limit: avoid division by zero

  - Merge branch 'master' of git://git.inai.de/iptables

  - Merge remote-tracking branch 'nf/stable'

  - New set match revision with --return-nomatch flag support

- dropped fixrestore patch, upstream

* Wed Aug  1 2012 Thomas Woerner <twoerner@redhat.com> 1.4.15-1

- new version 1.4.15

  - extensions: add HMARK target

  - iptables-restore: fix parameter parsing (shows up with gcc-4.7)

  - iptables-restore: move code to add_param_to_argv, cleanup (fix gcc-4.7)

  - libxtables: add xtables_ip[6]mask_to_cidr

  - libxt_devgroup: add man page snippet

  - libxt_hashlimit: add support for byte-based operation

  - libxt_recent: add --mask netmask

  - libxt_recent: remove unused variable

  - libxt_HMARK: correct a number of errors introduced by Pablo's rework

  - libxt_HMARK: fix ct case example

  - libxt_HMARK: fix output of iptables -L

  - Revert "iptables-restore: move code to add_param_to_argv, cleanup (fix gcc-4.7)"

* Wed Jul 18 2012 Thomas Woerner <twoerner@redhat.com> 1.4.14-3

- added fixrestore patch submitted to upstream by fryasu (nfbz#774) 

  (RHBZ#825796)

* Wed Jul 18 2012 Thomas Woerner <twoerner@redhat.com> 1.4.14-2

- disabled libipq, removed upstream, not provided by kernel anymore

* Wed Jul 18 2012 Thomas Woerner <twoerner@redhat.com> 1.4.14-1

- new version 1.4.14

  - extensions: add IPv6 capable ECN match extension

  - extensions: add nfacct match

  - extensions: add rpfilter module

  - extensions: libxt_rateest: output all options in save hook

  - iptables: missing free() in function cache_add_entry()

  - iptables: missing free() in function delete_entry()

  - libiptc: fix retry path in TC_INIT

  - libiptc: Returns the position the entry was inserted

  - libipt_ULOG: fix --ulog-cprange

  - libxt_CT: add --timeout option

  - ip(6)tables-restore: make sure argv is NULL terminated

  - Revert "libiptc: Returns the position the entry was inserted"

  - src: mark newly opened fds as FD_CLOEXEC (close on exec)

  - tests: add rateest match rules

- dropped patch5 (cloexec), merged upstream

* Mon Apr 23 2012 Thomas Woerner <twoerner@redhat.com> 1.4.12.2-5

- reenable iptables default services

* Wed Feb 29 2012 Harald Hoyer <harald@redhat.com> 1.4.12.2-4

- install everything in /usr

  https://fedoraproject.org/wiki/Features/UsrMove

* Thu Feb 16 2012 Thomas Woerner <twoerner@redhat.com> 1.4.12.2-3

- fixed auto enable check for Fedora > 16 and added rhel > 6 check

* Wed Feb 15 2012 Thomas Woerner <twoerner@redhat.com> 1.4.12.2-2

- disabled autostart and auto enable for iptables.service and ip6tables.service

  for Fedora > 16

* Mon Jan 16 2012 Thomas Woerner <twoerner@redhat.com> 1.4.12.2-1

- new version 1.4.12.2 with new pkgconfig/libip4tc.pc and pkgconfig/libip6tc.pc

  - build: make check stage not fail when building statically

  - build: restore build order of modules

  - build: scan for unreferenced symbols

  - build: sort file list before build

  - doc: clarification on the meaning of -p 0

  - doc: document iptables-restore's -T option

  - doc: fix undesired newline in ip6tables-restore(8)

  - ip6tables-restore: implement missing -T option

  - iptables: move kernel version find routing into libxtables

  - libiptc: provide separate pkgconfig files

  - libipt_SAME: set PROTO_RANDOM on all ranges

  - libxtables: Fix file descriptor leak in xtables_lmap_init on error

  - libxt_connbytes: fix handling of --connbytes FROM

  - libxt_CONNSECMARK: fix spacing in output

  - libxt_conntrack: improve error message on parsing violation

  - libxt_NFQUEUE: fix --queue-bypass ipt-save output

  - libxt_RATEEST: link with -lm

  - libxt_statistic: link with -lm

  - Merge branch 'stable'

  - Merge branch 'stable' of git://dev.medozas.de/iptables

  - nfnl_osf: add missing libnfnetlink_CFLAGS to compile process

  - xtoptions: fill in fallback value for nvals

  - xtoptions: simplify xtables_parse_interface

* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.12.1-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild

* Mon Dec 12 2011 Thomas Woerner <twoerner@redhat.com> 1.4.12.1-1

- new version 1.4.12.1 with new pkgconfig/libipq.pc

  - build: abort autogen on subcommand failure

  - build: strengthen check for overlong lladdr components

  - build: workaround broken linux-headers on RHEL-5

  - doc: clarify libxt_connlimit defaults

  - doc: fix typo in libxt_TRACE

  - extensions: use multi-target registration

  - libip6t_dst: restore setting IP6T_OPTS_LEN flag

  - libip6t_frag: restore inversion support

  - libip6t_hbh: restore setting IP6T_OPTS_LEN flag

  - libipq: add pkgconfig file

  - libipt_ttl: document that negation is available

  - libxt_conntrack: fix --ctproto 0 output

  - libxt_conntrack: remove one misleading comment

  - libxt_dccp: fix deprecated intrapositional ordering of !

  - libxt_dccp: fix random output of ! on --dccp-option

  - libxt_dccp: provide man pages options in short help too

  - libxt_dccp: restore missing XTOPT_INVERT tags for options

  - libxt_dccp: spell out option name on save

  - libxt_dscp: restore inversion support

  - libxt_hashlimit: default htable-expire must be in milliseconds

  - libxt_hashlimit: observe new default gc-expire time when saving

  - libxt_hashlimit: remove inversion from hashlimit rev 0

  - libxt_owner: restore inversion support

  - libxt_physdev: restore inversion support

  - libxt_policy: remove superfluous inversion

  - libxt_set: put differing variable names in directly

  - libxt_set: update man page about kernel support on the feature

  - libxt_string: define _GNU_SOURCE for strnlen

  - libxt_string: escape the escaping char too