# install init scripts to /usr/libexec with systemd

%define script_path %{_libexecdir}/iptables

# service legacy actions (RHBZ#748134)

%define legacy_actions %{_libexecdir}/initscripts/legacy-actions

Name: iptables

Summary: Tools for managing Linux kernel packet filtering capabilities

Version: 1.4.21

Release: 18%{?dist}

Source: http://www.netfilter.org/projects/iptables/files/%{name}-%{version}.tar.bz2

Source1: iptables.init

Source2: iptables-config

Source3: iptables.service

Source4: iptables.save-legacy

Source5: sysconfig_iptables

Source6: sysconfig_ip6tables

Source7: iptables.panic-legacy

Patch1: iptables-1.4.21-rhbz_1054871.patch

Patch2: iptables-1.4.21-libxt_cgroup.patch

Patch3: iptables-1.4.21-wait_seconds.patch

Patch4: iptables-1.4.21-flock_wait.patch

Patch5: iptables-1.4.21-rhbz_1261238.patch

Patch6: iptables-c513cc3-rhbz_1298879.patch

Patch7: iptables-1.4.21-wait-interval.patch

Patch8: iptables-do_not_lock_again_and_again.patch

Patch9: iptables-use_the_blocking_file_lock_request.patch

Patch10: iptables-1.4.21-configure_set_lock_file_path.patch

Patch11: iptables-1.4.21-move_XT_LOCK_NAME_to_config.h.patch

Patch12: iptables-1.4.21-remove_duplicated_argument_parsing.patch

Patch13: iptables-1.4.21-restore_support_acquiring_the_lock.patch

# One patch invalid: 1cf4ba6fbe85b3cbe9828a7947000290e1989986

Patch14: iptables-do_not_set_changed_for_check_options.patch

Patch15: iptables-1.4.21-restore_version.patch

Patch16: iptables-1.4.21-restore_wait_man.patch

Group: System Environment/Base

URL: http://www.netfilter.org/

License: GPLv2

# libnetfilter_conntrack is needed for xt_connlabel

BuildRequires: libnetfilter_conntrack-devel >= 1.0.4

# libnfnetlink-devel is requires for nfnl_osf

BuildRequires: libnfnetlink-devel

BuildRequires: libselinux-devel

BuildRequires: kernel-headers

BuildRequires: systemd

BuildRequires: automake

BuildRequires: autoconf

%description

The iptables utility controls the network packet filtering code in the

Linux kernel. If you need to set up firewalls and/or IP masquerading,

you should install this package.

%package devel

Summary: Development package for iptables

Group: System Environment/Base

Requires: %{name}%{?_isa} = %{version}-%{release}

Requires: pkgconfig

%description devel

iptables development headers and libraries.

The iptc interface is upstream marked as not public. The interface is not 

stable and may change with every new version. It is therefore unsupported.

%package services

Summary: iptables and ip6tables services for iptables

Group: System Environment/Base

Requires: %{name} = %{version}-%{release}

Requires: /bin/bash

Requires(post): systemd

Requires(preun): systemd

Requires(postun): systemd

# provide and obsolete old main package

Provides: %{name} = 1.4.16.1

Obsoletes: %{name} < 1.4.16.1

# provide and obsolete ipv6 sub package

Provides: %{name}-ipv6 = 1.4.11.1

Obsoletes: %{name}-ipv6 < 1.4.11.1

%description services

iptables services for IPv4 and IPv6

This package provides the services iptables and ip6tables that have been split

out of the base package since they are not active by default anymore.

%package utils

Summary: iptables and ip6tables services for iptables

Group: System Environment/Base

Requires: %{name} = %{version}-%{release}

%description utils

Utils for iptables.

Currently only provides nfnl_osf with the pf.os database.

%prep

%setup -q

%patch1 -p1 -b .rhbz_1054871

%patch2 -p1 -b .libxt_cgroup

%patch3 -p1 -b .wait_seconds

%patch4 -p1 -b .flock_wait

%patch5 -p1 -b .rhbz_1261238

%patch6 -p1 -b .rhbz_1298879

%patch7 -p1 -b .wait-interval

%patch8 -p1 -b .do_not_lock_again_and_again

%patch9 -p1 -b .use_the_blocking_file_lock_request

%patch10 -p1 -b .configure_set_lock_file_path

%patch11 -p1 -b .move_XT_LOCK_NAME_to_config.h

%patch12 -p1 -b .remove_duplicated_argument_parsing

%patch13 -p1 -b .restore_support_acquiring_the_lock

%patch14 -p1 -b .do_not_set_changed_for_check_options

%patch15 -p1 -b .restore_version

%patch16 -p1 -b .restore_wait_man

%build

CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing " \

%configure --enable-devel --with-kernel=/usr --with-kbuild=/usr --with-ksource=/usr

# do not use rpath

sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool

sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool

rm -f include/linux/types.h

make %{?_smp_mflags}

%install

make install DESTDIR=%{buildroot} 

# remove la file(s)

rm -f %{buildroot}/%{_libdir}/*.la

# install ip*tables.h header files

install -m 644 include/ip*tables.h %{buildroot}%{_includedir}/

install -d -m 755 %{buildroot}%{_includedir}/iptables

install -m 644 include/iptables/internal.h %{buildroot}%{_includedir}/iptables/

# install ipulog header file

install -d -m 755 %{buildroot}%{_includedir}/libipulog/

install -m 644 include/libipulog/*.h %{buildroot}%{_includedir}/libipulog/

# install init scripts and configuration files

install -d -m 755 %{buildroot}%{script_path}

install -c -m 755 %{SOURCE1} %{buildroot}%{script_path}/iptables.init

sed -e 's;iptables;ip6tables;g' -e 's;IPTABLES;IP6TABLES;g' < %{SOURCE1} > ip6tables.init

install -c -m 755 ip6tables.init %{buildroot}%{script_path}/ip6tables.init

install -d -m 755 %{buildroot}%{_sysconfdir}/sysconfig

install -c -m 600 %{SOURCE2} %{buildroot}%{_sysconfdir}/sysconfig/iptables-config

sed -e 's;iptables;ip6tables;g' -e 's;IPTABLES;IP6TABLES;g' < %{SOURCE2} > ip6tables-config

install -c -m 600 ip6tables-config %{buildroot}%{_sysconfdir}/sysconfig/ip6tables-config

install -c -m 600 %{SOURCE5} %{buildroot}%{_sysconfdir}/sysconfig/iptables

install -c -m 600 %{SOURCE6} %{buildroot}%{_sysconfdir}/sysconfig/ip6tables

# install systemd service files

install -d -m 755 %{buildroot}/%{_unitdir}

install -c -m 644 %{SOURCE3} %{buildroot}/%{_unitdir}

sed -e 's;iptables;ip6tables;g' -e 's;IPv4;IPv6;g' -e 's;/usr/libexec/ip6tables;/usr/libexec/iptables;g' < %{SOURCE3} > ip6tables.service

install -c -m 644 ip6tables.service %{buildroot}/%{_unitdir}

# install legacy actions for service command

install -d %{buildroot}/%{legacy_actions}/iptables

install -d %{buildroot}/%{legacy_actions}/ip6tables

install -c -m 755 %{SOURCE4} %{buildroot}/%{legacy_actions}/iptables/save

install -c -m 755 %{SOURCE7} %{buildroot}/%{legacy_actions}/iptables/panic

sed -e 's;iptables.init;ip6tables.init;g' -e 's;IPTABLES;IP6TABLES;g' < %{buildroot}/%{legacy_actions}/iptables/save > ip6tabes.save-legacy

sed -e 's;iptables.init;ip6tables.init;g' -e 's;IPTABLES;IP6TABLES;g' < %{buildroot}/%{legacy_actions}/iptables/panic > ip6tabes.panic-legacy

install -c -m 755 ip6tabes.save-legacy %{buildroot}/%{legacy_actions}/ip6tables/save

install -c -m 755 ip6tabes.panic-legacy %{buildroot}/%{legacy_actions}/ip6tables/panic

%if 0%{?rhel}

%pre

for p in %{_sysconfdir}/alternatives/iptables.*; do

    if [ -h "$p" ]; then

        ipt=$(readlink "$p")

        echo "Removing alternatives for ${p##*/} with path $ipt"

        %{_sbindir}/alternatives --remove "${p##*/}" "$ipt"

    fi

done

for p in %{_sysconfdir}/alternatives/ip6tables.*; do

    if [ -h "$p" ]; then

        ipt=$(readlink "$p")

        echo "Removing alternatives for ${p##*/} with path $ipt"

        %{_sbindir}/alternatives --remove "${p##*/}" "$ipt"

        # create dummy alternatives entry to fix iptables-ipv6 package removal

        %{_sbindir}/alternatives --install /sbin/ip6tables.dummy "${p##*/}" "$ipt" 90

    fi

done

%posttrans

# cleanup dummy alternatives to fix iptables-ipv6 package removal if still there

for p in %{_sysconfdir}/alternatives/ip6tables.*; do

    if [ -h "$p" ]; then

        ipt=$(readlink "$p")

        %{_sbindir}/alternatives --remove "${p##*/}" "$ipt" || :

    fi

done

%endif

%post -p /sbin/ldconfig

%postun -p /sbin/ldconfig

%post services

%systemd_post iptables.service ip6tables.service

%preun services

%systemd_preun iptables.service ip6tables.service

%postun services

/sbin/ldconfig

%systemd_postun_with_restart iptables.service ip6tables.service

%files

%doc COPYING INCOMPATIBILITIES

%config(noreplace) %attr(0600,root,root) %{_sysconfdir}/sysconfig/iptables-config

%config(noreplace) %attr(0600,root,root) %{_sysconfdir}/sysconfig/ip6tables-config

%{_sbindir}/iptables*

%{_sbindir}/ip6tables*

%{_sbindir}/xtables-multi

%{_bindir}/iptables-xml

%{_mandir}/man1/iptables-xml*

%{_mandir}/man8/iptables*

%{_mandir}/man8/ip6tables*

%dir %{_libdir}/xtables

%{_libdir}/xtables/libipt*

%{_libdir}/xtables/libip6t*

%{_libdir}/xtables/libxt*

%{_libdir}/libip*tc.so.*

%{_libdir}/libxtables.so.*

%files devel

%dir %{_includedir}/iptables

%{_includedir}/iptables/*.h

%{_includedir}/*.h

%dir %{_includedir}/libiptc

%{_includedir}/libiptc/*.h

%dir %{_includedir}/libipulog

%{_includedir}/libipulog/*.h

%{_libdir}/libip*tc.so

%{_libdir}/libxtables.so

%{_libdir}/pkgconfig/libiptc.pc

%{_libdir}/pkgconfig/libip4tc.pc

%{_libdir}/pkgconfig/libip6tc.pc

%{_libdir}/pkgconfig/xtables.pc

%files services

%dir %{script_path}

%attr(0755,root,root) %{script_path}/iptables.init

%attr(0755,root,root) %{script_path}/ip6tables.init

%config(noreplace) %attr(0600,root,root) %{_sysconfdir}/sysconfig/iptables

%config(noreplace) %attr(0600,root,root) %{_sysconfdir}/sysconfig/ip6tables

%{_unitdir}/iptables.service

%{_unitdir}/ip6tables.service

%dir %{legacy_actions}/iptables

%{legacy_actions}/iptables/save

%{legacy_actions}/iptables/panic

%dir %{legacy_actions}/ip6tables

%{legacy_actions}/ip6tables/save

%{legacy_actions}/ip6tables/panic

%files utils

%{_sbindir}/nfnl_osf

%dir %{_datadir}/xtables

%{_datadir}/xtables/pf.os

%changelog

* Mon Apr 24 2017 Thomas Woerner <twoerner@redhat.com> 1.4.21-18

- Add support for --wait options to restore commands (RHBZ#1438597)

- Do not set changed flag for rule check operations with module targets

  (RHBZ#1438597)

- Add version option to restore commands (RHBZ#1438597)

* Fri Jul  1 2016 Thomas Woerner <twoerner@redhat.com> 1.4.21-17

- Fixed init script not to fail on missing restorecon (RHBZ#1246380)

- Adapted man page snipplet for TRACE to use proper logging backend names

  (RHBZ#1261238)

- Warn about use of DROP in nat table (RHBZ#1298879)

- Fixed modules unload in init script (RHBZ#1324102)

* Fri Sep 18 2015 Thomas Woerner <twoerner@redhat.com> 1.4.21-16

- Fix important coverity findings: missing include for flock and use bash for

  init script (RHBZ#1264399)

* Fri Sep 18 2015 Thomas Woerner <twoerner@redhat.com> 1.4.21-15

- Use systemd AssertPathExists for /etc/sysconfig/iptables (RHBZ#1200415)

* Tue Jun 30 2015 Thomas Woerner <twoerner@redhat.com> 1.4.21-14

- Add cgroup support (RHBZ#1058660)

- Add wait seonds support for commands (RHBZ#1156411)

- Add dhcpv6-client in default IPv6 firewall rules (RHBZ#1169036)

- Add message for init script error returns (RHBZ#1200415)

- Use flock for wait option (RHBZ#1202435)

* Thu Mar 27 2014 Thomas Woerner <twoerner@redhat.com> 1.4.21-13

- fixed further update issues from RHEL-6 to RHEL-7 (RHBZ#1043901)

* Tue Mar 11 2014 Jiri Popelka <jpopelka@redhat.com> - 1.4.21-12

- Fixed iptables-save man page completely wrong (RHBZ#1054871)

* Mon Mar 10 2014 Jiri Popelka <jpopelka@redhat.com> - 1.4.21-11

- Added missing "panic" action (RHBZ#1067670)

* Mon Feb 24 2014 Jiri Popelka <jpopelka@redhat.com> - 1.4.21-10

- Fixed missing reload action for iptables service (RHBZ#1066007)

* Fri Feb 21 2014 Thomas Woerner <twoerner@redhat.com> 1.4.21-9

- fixed missing system hang at shutdown if root device is network based

  (RHBZ#1007934)

- Fixed iptables-save man page completely wrong (RHBZ#1054871)

- Fixed missing reload action for iptables service (RHBZ#1066007)

- Fixed regressions from RHEL-6 iptables services (RHBZ#1067670)

* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 1.4.21-8

- Mass rebuild 2014-01-24

* Wed Jan 15 2014 Thomas Woerner <twoerner@redhat.com> 1.4.21-7

- libnetfilter_conntrack is needed in version 1.0.4 for connlabel

  See: RHBZ#1053702

* Wed Jan 15 2014 Thomas Woerner <twoerner@redhat.com> 1.4.21-6

- Enable connlabel support again, needs libnetfilter_conntrack

* Wed Jan 15 2014 Thomas Woerner <twoerner@redhat.com> 1.4.21-6

- fixed update from RHEL-6 to RHEL-7 (RHBZ#1043901)

* Tue Jan 14 2014 Jiri Popelka <jpopelka@redhat.com> - 1.4.21-5

- chmod /etc/sysconfig/ip[6]tables 755 -> 600

* Fri Jan 10 2014 Jiri Popelka <jpopelka@redhat.com> - 1.4.21-4

- drop virtual provide for xtables.so.9

- add default /etc/sysconfig/ip[6]tables (RHBZ#1034494)

* Thu Jan 09 2014 Jiri Popelka <jpopelka@redhat.com> - 1.4.21-3

- no need to support the pre-systemd things

- use systemd macros (#850166)

- remove scriptlets for migrating to a systemd unit from a SysV initscripts

- ./configure -> %%configure

- spec clean up

- fix self-obsoletion

* Thu Jan  9 2014 Thomas Woerner <twoerner@redhat.com> 1.4.21-2

- fixed system hang at shutdown if root device is network based (RHBZ#1007934)

  Thanks to Rodrigo A B Freire for the patch

* Thu Jan  9 2014 Thomas Woerner <twoerner@redhat.com> 1.4.21-1

- no connlabel.conf upstream anymore

- new version 1.4.21

  - doc: clarify DEBUG usage macro

  - iptables: use autoconf to process .in man pages

  - extensions: libipt_ULOG: man page should mention NFLOG as replacement

  - extensions: libxt_connlabel: use libnetfilter_conntrack

  - Introduce a new revision for the set match with the counters support

  - libxt_CT: Add the "NOTRACK" alias

  - libip6t_mh: Correct command to list named mh types in manpage

  - extensions: libxt_DNAT, libxt_REDIRECT, libxt_NETMAP, libxt_SNAT, libxt_MASQUERADE, libxt_LOG: rename IPv4 manpage and tell about IPv6 support

  - extensions: libxt_LED: fix parsing of delay

  - ip{6}tables-restore: fix breakage due to new locking approach

  - libxt_recent: restore minimum value for --seconds

  - iptables-xml: fix parameter parsing (similar to 2165f38)

  - extensions: add copyright statements

  - xtables: improve get_modprobe handling

  - ip[6]tables: Add locking to prevent concurrent instances

  - iptables: Fix connlabel.conf install location

  - ip6tables: don't print out /128

  - libip6t_LOG: target output is different to libipt_LOG

  - build: additional include path required after UAPI changes

  - iptables: iptables-xml: Fix various parsing bugs

  - libxt_recent: restore reap functionality to recent module

  - build: fail in configure on missing dependency with --enable-bpf-compiler

  - extensions: libxt_NFQUEUE: add --queue-cpu-fanout parameter

  - extensions: libxt_set, libxt_SET: check the set family too

  - ip6tables: Use consistent exit code for EAGAIN

  - iptables: libxt_hashlimit.man: correct address

  - iptables: libxt_conntrack.man extraneous commas

  - iptables: libip(6)t_REJECT.man default icmp types

  - iptables: iptables-xm1.1 correct man section

  - iptables: libxt_recent.{c,man} dead URL

  - iptables: libxt_string.man add examples

  - extensions: libxt_LOG: use generic syslog reference in manpage

  - iptables: extensions/GNUMakefile.in use CPPFLAGS

  - iptables: correctly reference generated file

  - ip[6]tables: fix incorrect alignment in commands_v_options

  - build: add software version to manpage first line at configure stage

  - extensions: libxt_cluster: add note on arptables-jf

  - utils: nfsynproxy: fix error while compiling the BPF filter

  - extensions: add SYNPROXY extension

  - utils: add nfsynproxy tool

  - iptables: state match incompatibilty across versions

  - libxtables: xtables_ipmask_to_numeric incorrect with non-CIDR masks

  - iptables: improve chain name validation

  - iptables: spurious error in load_extension

  - xtables: trivial spelling fix

* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 1.4.19.1-2

- Mass rebuild 2013-12-27

* Sun Dec 22 2013 Ville Skyttä <ville.skytta@iki.fi> - 1.4.19.1-2

- Drop INSTALL from docs, escape macros in %%changelog.

* Wed Jul 31 2013 Thomas Woerner <twoerner@redhat.com> 1.4.19.1-1

- new version 1.4.19.1

  - libxt_NFQUEUE: fix bypass option documentation

  - extensions: add connlabel match

  - extensions: add connlabel match

  - ip[6]tables: show --protocol instead of --proto in usage

  - libxt_recent: Fix missing space in manpage for --mask option

  - extensions: libxt_multiport: Update manpage to list valid protocols

  - utils: nfnl_osf: use the right nfnetlink lib

  - libip6t_NETMAP: Use xtables_ip6mask_to_cidr and get rid of libip6tc dependency

  - Revert "build: resolve link failure for ip6t_NETMAP"

  - libxt_osf: fix missing --ttl and --log in save output

  - libxt_osf: fix bad location for location in --genre

  - libip6t_SNPT: add manpage

  - libip6t_DNPT: add manpage

  - utils: updates .gitignore to include nfbpf_compile

  - extensions: libxt_bpf: clarify --bytecode argument

  - libxtables: fix parsing of dotted network mask format

  - build: bump version to 1.4.19

  - libxt_conntrack: fix state match alias state parsing

  - extensions: add libxt_bpf extension

  - utils: nfbpf_compile

  - doc: mention SNAT in INPUT chain since kernel 2.6.36

- fixed changelog date weekdays where needed

* Mon Mar  4 2013 Thomas Woerner <twoerner@redhat.com> 1.4.18-1

- new version 1.4.18 

  - lots of documentation changes

  - Introduce match/target aliases

  - Add the "state" alias to the "conntrack" match

  - iptables: remove unused leftover definitions

  - libxtables: add xtables_rule_matches_free

  - libxtables: add xtables_print_num

  - extensions: libip6t_DNPT: fix wording in DNPT target

  - extension: libip6t_DNAT: allow port DNAT without address

  - extensions: libip6t_DNAT: set IPv6 DNAT --to-destination

  - extensions: S/DNPT: add missing save function

- changes of 1.4.17:

  - libxt_time: add support to ignore day transition

  - Convert the NAT targets to use the kernel supplied nf_nat.h header

  - extensions: add IPv6 MASQUERADE extension

  - extensions: add IPv6 SNAT extension

  - extensions: add IPv6 DNAT target

  - extensions: add IPv6 REDIRECT extension

  - extensions: add IPv6 NETMAP extension

  - extensions: add NPT extension

  - extensions: libxt_statistic: Fix save output

* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.16.2-7

- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild

* Wed Jan 16 2013 Ville Skyttä <ville.skytta@iki.fi> - 1.4.16.2-6

- Own unowned -services libexec dirs (#894464, Michael Scherer).

- Fix -services unit file permissions (#732936, Michal Schmidt).

* Thu Nov  8 2012 Thomas Woerner <twoerner@redhat.com> 1.4.16.2-5

- fixed path of ip6tables.init in ip6tables.service

* Fri Nov  2 2012 Thomas Woerner <twoerner@redhat.com> 1.4.16.2-4

- fixed missing services for update of pre F-18 installations (rhbz#867960)

  - provide and obsolete old main package in services sub package

  - provide and obsolete old ipv6 sub package (pre F-17) in services sub package

* Sun Oct 14 2012 Dan Horák <dan[at]dany.cz> 1.4.16.2-3

- fix the compat provides for all 64-bit arches

* Fri Oct 12 2012 Thomas Woerner <twoerner@redhat.com> 1.4.16.2-2

- new sub package services providing the systemd services (RHBZ#862922)

- new sub package utils: provides nfnl_osf and the pf.os database

- using %%{_libexecdir}/iptables as script path for the original init scripts

- added service iptables save funcitonality using the new way provided by 

  initscripts 9.37.1 (RHBZ#748134)

- added virtual provide for libxtables.so.7

* Mon Oct  8 2012 Thomas Woerner <twoerner@redhat.com> 1.4.16.2-1

- new version 1.4.16.2

  - build: support for automake-1.12

  - build: separate AC variable replacements from xtables.h

  - build: have `make clean` remove dep files too

  - doc: grammatical updates to libxt_SET

  - doc: clean up interpunction in state list for xt_conntrack

  - doc: deduplicate extension descriptions into a new manpage

  - doc: trim "state" manpage and reference conntrack instead

  - doc: have NOTRACK manpage point to CT instead

  - doc: mention iptables-apply in the SEE ALSO sections

  - extensions: libxt_addrtype: fix type in help message

  - include: add missing linux/netfilter_ipv4/ip_queue.h

  - iptables: fix wrong error messages

  - iptables: support for match aliases

  - iptables: support for target aliases

  - iptables-restore: warn about -t in rule lines

  - ip[6]tables-restore: cleanup to reduce one level of indentation

  - libip6t_frag: match any frag id by default

  - libxtables: consolidate preference logic

  - libxt_devgroup: consolidate devgroup specification parsing

  - libxt_devgroup: guard against negative numbers

  - libxt_LED: guard against negative numbers

  - libxt_NOTRACK: replace as an alias to CT --notrack

  - libxt_state: replace as an alias to xt_conntrack

  - libxt_tcp: print space before, not after "flags:"

  - libxt_u32: do bounds checking for @'s operands

  - libxt_*limit: avoid division by zero

  - Merge branch 'master' of git://git.inai.de/iptables

  - Merge remote-tracking branch 'nf/stable'

  - New set match revision with --return-nomatch flag support

- dropped fixrestore patch, upstream

* Wed Aug  1 2012 Thomas Woerner <twoerner@redhat.com> 1.4.15-1

- new version 1.4.15

  - extensions: add HMARK target

  - iptables-restore: fix parameter parsing (shows up with gcc-4.7)

  - iptables-restore: move code to add_param_to_argv, cleanup (fix gcc-4.7)

  - libxtables: add xtables_ip[6]mask_to_cidr

  - libxt_devgroup: add man page snippet

  - libxt_hashlimit: add support for byte-based operation

  - libxt_recent: add --mask netmask

  - libxt_recent: remove unused variable

  - libxt_HMARK: correct a number of errors introduced by Pablo's rework

  - libxt_HMARK: fix ct case example

  - libxt_HMARK: fix output of iptables -L

  - Revert "iptables-restore: move code to add_param_to_argv, cleanup (fix gcc-4.7)"

* Wed Jul 18 2012 Thomas Woerner <twoerner@redhat.com> 1.4.14-3

- added fixrestore patch submitted to upstream by fryasu (nfbz#774) 

  (RHBZ#825796)

* Wed Jul 18 2012 Thomas Woerner <twoerner@redhat.com> 1.4.14-2

- disabled libipq, removed upstream, not provided by kernel anymore

* Wed Jul 18 2012 Thomas Woerner <twoerner@redhat.com> 1.4.14-1

- new version 1.4.14

  - extensions: add IPv6 capable ECN match extension

  - extensions: add nfacct match

  - extensions: add rpfilter module

  - extensions: libxt_rateest: output all options in save hook

  - iptables: missing free() in function cache_add_entry()

  - iptables: missing free() in function delete_entry()

  - libiptc: fix retry path in TC_INIT

  - libiptc: Returns the position the entry was inserted

  - libipt_ULOG: fix --ulog-cprange

  - libxt_CT: add --timeout option

  - ip(6)tables-restore: make sure argv is NULL terminated

  - Revert "libiptc: Returns the position the entry was inserted"

  - src: mark newly opened fds as FD_CLOEXEC (close on exec)

  - tests: add rateest match rules

- dropped patch5 (cloexec), merged upstream

* Mon Apr 23 2012 Thomas Woerner <twoerner@redhat.com> 1.4.12.2-5

- reenable iptables default services

* Wed Feb 29 2012 Harald Hoyer <harald@redhat.com> 1.4.12.2-4

- install everything in /usr

  https://fedoraproject.org/wiki/Features/UsrMove

* Thu Feb 16 2012 Thomas Woerner <twoerner@redhat.com> 1.4.12.2-3

- fixed auto enable check for Fedora > 16 and added rhel > 6 check

* Wed Feb 15 2012 Thomas Woerner <twoerner@redhat.com> 1.4.12.2-2

- disabled autostart and auto enable for iptables.service and ip6tables.service

  for Fedora > 16

* Mon Jan 16 2012 Thomas Woerner <twoerner@redhat.com> 1.4.12.2-1

- new version 1.4.12.2 with new pkgconfig/libip4tc.pc and pkgconfig/libip6tc.pc

  - build: make check stage not fail when building statically

  - build: restore build order of modules

  - build: scan for unreferenced symbols

  - build: sort file list before build

  - doc: clarification on the meaning of -p 0

  - doc: document iptables-restore's -T option

  - doc: fix undesired newline in ip6tables-restore(8)

  - ip6tables-restore: implement missing -T option

  - iptables: move kernel version find routing into libxtables

  - libiptc: provide separate pkgconfig files

  - libipt_SAME: set PROTO_RANDOM on all ranges

  - libxtables: Fix file descriptor leak in xtables_lmap_init on error

  - libxt_connbytes: fix handling of --connbytes FROM

  - libxt_CONNSECMARK: fix spacing in output

  - libxt_conntrack: improve error message on parsing violation

  - libxt_NFQUEUE: fix --queue-bypass ipt-save output

  - libxt_RATEEST: link with -lm

  - libxt_statistic: link with -lm

  - Merge branch 'stable'

  - Merge branch 'stable' of git://dev.medozas.de/iptables

  - nfnl_osf: add missing libnfnetlink_CFLAGS to compile process

  - xtoptions: fill in fallback value for nvals

  - xtoptions: simplify xtables_parse_interface

* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.12.1-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild

* Mon Dec 12 2011 Thomas Woerner <twoerner@redhat.com> 1.4.12.1-1

- new version 1.4.12.1 with new pkgconfig/libipq.pc

  - build: abort autogen on subcommand failure

  - build: strengthen check for overlong lladdr components

  - build: workaround broken linux-headers on RHEL-5

  - doc: clarify libxt_connlimit defaults

  - doc: fix typo in libxt_TRACE

  - extensions: use multi-target registration

  - libip6t_dst: restore setting IP6T_OPTS_LEN flag

  - libip6t_frag: restore inversion support

  - libip6t_hbh: restore setting IP6T_OPTS_LEN flag

  - libipq: add pkgconfig file

  - libipt_ttl: document that negation is available

  - libxt_conntrack: fix --ctproto 0 output

  - libxt_conntrack: remove one misleading comment

  - libxt_dccp: fix deprecated intrapositional ordering of !

  - libxt_dccp: fix random output of ! on --dccp-option

  - libxt_dccp: provide man pages options in short help too

  - libxt_dccp: restore missing XTOPT_INVERT tags for options

  - libxt_dccp: spell out option name on save

  - libxt_dscp: restore inversion support

  - libxt_hashlimit: default htable-expire must be in milliseconds

  - libxt_hashlimit: observe new default gc-expire time when saving

  - libxt_hashlimit: remove inversion from hashlimit rev 0

  - libxt_owner: restore inversion support

  - libxt_physdev: restore inversion support

  - libxt_policy: remove superfluous inversion

  - libxt_set: put differing variable names in directly

  - libxt_set: update man page about kernel support on the feature

  - libxt_string: define _GNU_SOURCE for strnlen

  - libxt_string: escape the escaping char too

  - libxt_string: fix space around arguments

  - libxt_string: replace hex codes by char equivalents

  - libxt_string: simplify hex output routine

  - libxt_tcp: always print the mask parts

  - libxt_TCPMSS: restore build with IPv6-less libcs

  - libxt_TOS: update linux kernel version list for backported fix

  - libxt_u32: fix missing allowance for inversion

  - src: remove unused IPTABLES_MULTI define

  - tests: add negation tests for libxt_statistic

  - xtoptions: flag use of XTOPT_POINTER without XTOPT_PUT

- removed include/linux/types.h before build to be able to compile

* Tue Jul 26 2011 Thomas Woerner <twoerner@redhat.com> 1.4.12-2

- dropped temporary provide again

* Tue Jul 26 2011 Thomas Woerner <twoerner@redhat.com> 1.4.12-1.1

- added temporary provides for libxtables.so.6 to be able to rebuild iproute,

  which is part of the standard build environment

* Mon Jul 25 2011 Thomas Woerner <twoerner@redhat.com> 1.4.12-1

- new version 1.4.12 with support of all new features of kernel 3.0

  - build: attempt to fix building under Linux 2.4

  - build: bump soversion for recent data structure change

  - build: install modules in arch-dependent location

  - doc: fix group range in libxt_NFLOG's man

  - doc: fix version string in ip6tables.8

  - doc: include matches/targets in manpage again

  - doc: mention multiple verbosity flags

  - doc: the -m option cannot be inverted

  - extensions: support for per-extension instance global variable space

  - iptables-apply: select default rule file depending on call name

  - iptables: consolidate target/match init call

  - iptables: Coverity: DEADCODE

  - iptables: Coverity: NEGATIVE_RETURNS

  - iptables: Coverity: RESOURCE_LEAK

  - iptables: Coverity: REVERSE_INULL

  - iptables: Coverity: VARARGS

  - iptables: restore negation for -f

  - libip6t_HL: fix option names from ttl -> hl

  - libipt_LOG: fix ignoring all but last flags

  - libxtables: ignore whitespace in the multiaddress argument parser

  - libxtables: properly reject empty hostnames

  - libxtables: set clone's initial data to NULL

  - libxt_conntrack: move more data into the xt_option_entry

  - libxt_conntrack: restore network-byte order for v1,v2

  - libxt_hashlimit: use a more obvious expiry value by default

  - libxt_rateest: abolish global variables

  - libxt_RATEEST: abolish global variables

  - libxt_RATEEST: fix userspacesize field

  - libxt_RATEEST: use guided option parser

  - libxt_state: fix regression about inversion of main option

  - option: remove last traces of intrapositional negation

- complete changelog:

  http://www.netfilter.org/projects/iptables/files/changes-iptables-1.4.12.txt

* Thu Jul 21 2011 Thomas Woerner <twoerner@redhat.com> 1.4.11.1-4

- merged ipv6 sub package into main package

- renamed init scripts to /usr/libexec/ip*tables.init

* Fri Jul 15 2011 Thomas Woerner <twoerner@redhat.com> 1.4.11.1-3

- added support for native systemd file (rhbz#694738)

  - new iptables.service file

  - additional requires

  - moved sysv init scripts to /usr/libexec

  - added new post, preun and postun scripts and triggers

* Tue Jul 12 2011 Thomas Woerner <twoerner@redhat.com> 1.4.11.1-2

- dropped temporary provide again

- enabled smp build

* Tue Jul 12 2011 Thomas Woerner <twoerner@redhat.com> 1.4.11.1-1.1

-  added temporary provides for libxtables.so.5 to be able to rebuild iproute,

   which is part of the standard build environment

* Mon Jul 11 2011 Thomas Woerner <twoerner@redhat.com> 1.4.11.1-1

- new version 1.4.11.1, bug and doc fix release for 1.4.11

* Tue Jun  7 2011 Thomas Woerner <twoerner@redhat.com> 1.4.11-1

- new version 1.4.11 with all new features of 2.6.37-39 (not usable)

  - lots of changes and bugfixes for base and extensions

  - complete changelog:

    http://www.netfilter.org/projects/iptables/files/changes-iptables-1.4.11.txt

* Wed Feb 09 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.10-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild

* Mon Jan 10 2011 Thomas Woerner <twoerner@redhat.com> 1.4.10-1

- new version 1.4.10 with all new features of 2.6.36

  - all: consistent syntax use in struct option

  - build: fix static linking

  - doc: let man(1) autoalign the text in xt_cpu

  - doc: remove extra empty line from xt_cpu

  - doc: minimal spelling updates to xt_cpu

  - doc: consistent use of markup

  - extensions: libxt_quota: don't ignore the quota value on deletion

  - extensions: REDIRECT: add random help