# install init scripts to /usr/libexec with systemd

%global script_path %{_libexecdir}/iptables

# service legacy actions (RHBZ#748134)

%global legacy_actions %{_libexecdir}/initscripts/legacy-actions

%global iptc_so_ver  0

%global ipXtc_so_ver 2

# build legacy sub-packages only on non-rhel distributions

%global do_legacy_pkg ! 0%{?rhel}

%define _unpackaged_files_terminate_build 0

Name: iptables

Summary: Tools for managing Linux kernel packet filtering capabilities

URL: https://www.netfilter.org/projects/iptables

Version: 1.8.8

Release: 6%{?dist}

Source: %{url}/files/%{name}-%{version}.tar.bz2

Source1: iptables.init

Source2: iptables-config

Source3: iptables.service

Source4: sysconfig_iptables

Source5: sysconfig_ip6tables

Source6: arptables-nft-helper

Source7: arptables.service

Source8: ebtables-helper

Source9: ebtables.service

Source10: ebtables-config

Source11: iptables-test.stderr.expect

Patch01: 0001-doc-Add-deprecation-notices-to-all-relevant-man-page.patch

Patch02: 0002-extensions-SECMARK-Use-a-better-context-in-test-case.patch

Patch03: 0003-xshared-Fix-build-for-Werror-format-security.patch

Patch04: 0004-tests-shell-Check-overhead-in-iptables-save-and-rest.patch

Patch05: 0005-arptables-Support-x-exact-flag.patch

Patch06: 0006-libxtables-Fix-unsupported-extension-warning-corner-.patch

Patch07: 0007-nft-fix-ebtables-among-match-when-mac-ip-addresses-a.patch

Patch08: 0008-nft-un-break-among-match-with-concatenation.patch

# pf.os: ISC license

# iptables-apply: Artistic 2.0

License: GPLv2 and Artistic 2.0 and ISC

# libnetfilter_conntrack is needed for xt_connlabel

BuildRequires: pkgconfig(libnetfilter_conntrack)

# libnfnetlink-devel is requires for nfnl_osf

BuildRequires: pkgconfig(libnfnetlink)

BuildRequires: libselinux-devel

BuildRequires: kernel-headers

BuildRequires: systemd

# libmnl, libnftnl, bison, flex for nftables

BuildRequires: bison

BuildRequires: flex

BuildRequires: gcc

BuildRequires: pkgconfig(libmnl) >= 1.0

BuildRequires: pkgconfig(libnftnl) >= 1.1.6

# libpcap-devel for nfbpf_compile

BuildRequires: libpcap-devel

BuildRequires: autoconf

BuildRequires: automake

BuildRequires: libtool

BuildRequires: make

%description

The iptables utility controls the network packet filtering code in the

Linux kernel. If you need to set up firewalls and/or IP masquerading,

you should install this package.

%package legacy

Summary: Legacy tools for managing Linux kernel packet filtering capabilities

Requires: %{name}-legacy-libs%{?_isa} = %{version}-%{release}

Requires: %{name}-libs%{?_isa} = %{version}-%{release}

Conflicts: setup < 2.10.4-1

Requires(post): %{_sbindir}/update-alternatives

Requires(postun): %{_sbindir}/update-alternatives

Obsoletes: %{name} < %{version}-%{release}

Provides:	iptables

%description legacy

The iptables utility controls the network packet filtering code in the

Linux kernel. This package contains the legacy tools which are obsoleted by

nft-variants in iptables-nft package for backwards compatibility reasons.

If you need to set up firewalls and/or IP masquerading, you should not install

this package but either nftables or iptables-nft instead.

%package libs

Summary: libxtables and iptables extensions userspace support

%description libs

libxtables and associated shared object files

Libxtables provides unified access to iptables extensions in userspace. Data

and logic for those is kept in per-extension shared object files.

%package legacy-libs

Summary: iptables legacy libraries

Obsoletes: %{name}-libs < %{version}-%{release}

%description legacy-libs

iptables libraries.

Please remember that libip*tc libraries do neither have a stable API nor a real so version.

For more information about this, please have a look at

  http://www.netfilter.org/documentation/FAQ/netfilter-faq-4.html#ss4.5

%package devel

Summary: Development package for iptables

Requires: %{name}-libs%{?_isa} = %{version}-%{release}

Requires: pkgconfig

%description devel

libxtables development headers and pkgconfig files

%package legacy-devel

Summary: Development package for legacy iptables

Requires: %{name}-legacy-libs%{?_isa} = %{version}-%{release}

Requires: pkgconfig

%description legacy-devel

Legacy iptables development headers and pkgconfig files

The iptc libraries are marked as not public by upstream. The interface is not

stable and may change with every new version. It is therefore unsupported.

%package services

Summary: iptables and ip6tables services for iptables

Requires: %{name} = %{version}-%{release}

%{?systemd_ordering}

BuildArch: noarch

%description services

iptables services for IPv4 and IPv6

This package provides the services iptables and ip6tables that have been split

out of the base package since they are not active by default anymore.

%package nft-services

Summary: Services for nft-variants of iptables, ebtables and arptables

Requires: %{name}-nft = %{version}-%{release}

Conflicts: arptables-services

Conflicts: ebtables-services

Provides: iptables-services = %{version}-%{release}

Provides: arptables-services

Provides: ebtables-services

Obsoletes: iptables-services <= 1.8.4

Obsoletes: iptables-arptables <= 1.8.4

Obsoletes: iptables-ebtables <= 1.8.4

Obsoletes: iptables-nft-compat <= 1.8.7-19

%{?systemd_ordering}

BuildArch: noarch

%description nft-services

Services for nft-variants of iptables, ebtables and arptables

This package provides the services iptables, ip6tables, arptables and ebtables

for use with iptables-nft which provides nft-variants of these tools.

%package utils

Summary: iptables and ip6tables misc utilities

Requires: %{name} = %{version}-%{release}

%description utils

Utils for iptables

This package provides nfnl_osf with the pf.os database and nfbpf_compile,

a bytecode generator for use with xt_bpf. Also included is iptables-apply,

a safer way to update iptables remotely.

%package nft

Summary: nftables compatibility for iptables, arptables and ebtables

Requires: %{name}-libs%{?_isa} = %{version}-%{release}

Requires(post): %{_sbindir}/update-alternatives

Requires(post): %{_bindir}/readlink

Requires(postun): %{_sbindir}/update-alternatives

Provides: arptables-helper

Provides: iptables

Provides: arptables

Provides: ebtables

Obsoletes: iptables <= 1.8.4

%description nft

nftables compatibility for iptables, arptables and ebtables.

%prep

%autosetup -p1

cp %{SOURCE11} .

%build

./autogen.sh

CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing " \

%configure --enable-devel --enable-bpf-compiler --with-kernel=/usr --with-kbuild=/usr --with-ksource=/usr

# do not use rpath

sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool

sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool

rm -f include/linux/types.h

%make_build

%install

%make_install

# remove la file(s)

rm -f %{buildroot}%{_libdir}/*.la

# install init scripts and configuration files

install -d -m 755 %{buildroot}%{script_path}

install -c -m 755 %{SOURCE1} %{buildroot}%{script_path}/iptables.init

sed -e 's;iptables;ip6tables;g' -e 's;IPTABLES;IP6TABLES;g' < %{SOURCE1} > ip6tables.init

install -c -m 755 ip6tables.init %{buildroot}%{script_path}/ip6tables.init

install -d -m 755 %{buildroot}%{_sysconfdir}/sysconfig

install -c -m 600 %{SOURCE2} %{buildroot}%{_sysconfdir}/sysconfig/iptables-config

sed -e 's;iptables;ip6tables;g' -e 's;IPTABLES;IP6TABLES;g' < %{SOURCE2} > ip6tables-config

install -c -m 600 ip6tables-config %{buildroot}%{_sysconfdir}/sysconfig/ip6tables-config

install -c -m 600 %{SOURCE4} %{buildroot}%{_sysconfdir}/sysconfig/iptables

install -c -m 600 %{SOURCE5} %{buildroot}%{_sysconfdir}/sysconfig/ip6tables

# install systemd service files

install -d -m 755 %{buildroot}/%{_unitdir}

install -c -m 644 %{SOURCE3} %{buildroot}/%{_unitdir}

sed -e 's;iptables;ip6tables;g' -e 's;IPv4;IPv6;g' -e 's;/usr/libexec/ip6tables;/usr/libexec/iptables;g' < %{SOURCE3} > ip6tables.service

install -c -m 644 ip6tables.service %{buildroot}/%{_unitdir}

# install legacy actions for service command

install -d %{buildroot}/%{legacy_actions}/iptables

install -d %{buildroot}/%{legacy_actions}/ip6tables

cat << EOF > %{buildroot}/%{legacy_actions}/iptables/save

#!/bin/bash

exec %{script_path}/iptables.init save

EOF

chmod 755 %{buildroot}/%{legacy_actions}/iptables/save

sed -e 's;iptables.init;ip6tables.init;g' -e 's;IPTABLES;IP6TABLES;g' < %{buildroot}/%{legacy_actions}/iptables/save > ip6tabes.save-legacy

install -c -m 755 ip6tabes.save-legacy %{buildroot}/%{legacy_actions}/ip6tables/save

cat << EOF > %{buildroot}/%{legacy_actions}/iptables/panic

#!/bin/bash

exec %{script_path}/iptables.init panic

EOF

chmod 755 %{buildroot}/%{legacy_actions}/iptables/panic

sed -e 's;iptables.init;ip6tables.init;g' -e 's;IPTABLES;IP6TABLES;g' < %{buildroot}/%{legacy_actions}/iptables/panic > ip6tabes.panic-legacy

install -c -m 755 ip6tabes.panic-legacy %{buildroot}/%{legacy_actions}/ip6tables/panic

# Remove /etc/ethertypes (now part of setup)

rm -f %{buildroot}%{_sysconfdir}/ethertypes

# extra sources for arptables

install -p -D -m 755 %{SOURCE6} %{buildroot}%{_libexecdir}/arptables-nft-helper

install -p -D -m 644 %{SOURCE7} %{buildroot}%{_unitdir}/arptables.service

touch %{buildroot}%{_sysconfdir}/sysconfig/arptables

# extra sources for ebtables

install -p %{SOURCE9} %{buildroot}%{_unitdir}/

install -m0755 %{SOURCE8} %{buildroot}%{_libexecdir}/ebtables-helper

install -m0600 %{SOURCE10} %{buildroot}%{_sysconfdir}/sysconfig/ebtables-config

touch %{buildroot}%{_sysconfdir}/sysconfig/ebtables

# prepare for alternatives

touch %{buildroot}%{_libexecdir}/arptables-helper

touch %{buildroot}%{_mandir}/man8/arptables.8

touch %{buildroot}%{_mandir}/man8/arptables-save.8

touch %{buildroot}%{_mandir}/man8/arptables-restore.8

touch %{buildroot}%{_mandir}/man8/ebtables.8

%ldconfig_scriptlets

%post legacy

pfx=%{_sbindir}/iptables

pfx6=%{_sbindir}/ip6tables

%{_sbindir}/update-alternatives --install \

	$pfx iptables $pfx-legacy 10 \

	--slave $pfx6 ip6tables $pfx6-legacy \

	--slave $pfx-restore iptables-restore $pfx-legacy-restore \

	--slave $pfx-save iptables-save $pfx-legacy-save \

	--slave $pfx6-restore ip6tables-restore $pfx6-legacy-restore \

	--slave $pfx6-save ip6tables-save $pfx6-legacy-save

%postun legacy

if [ $1 -eq 0 ]; then

	%{_sbindir}/update-alternatives --remove \

		iptables %{_sbindir}/iptables-legacy

fi

%post services

%systemd_post iptables.service ip6tables.service

%preun services

%systemd_preun iptables.service ip6tables.service

%postun services

%?ldconfig

%systemd_postun iptables.service ip6tables.service

%post nft-services

%systemd_post iptables.service ip6tables.service

%systemd_post arptables.service ebtables.service

%preun nft-services

%systemd_preun iptables.service ip6tables.service

%systemd_preun arptables.service ebtables.service

%postun nft-services

%?ldconfig

%systemd_postun iptables.service ip6tables.service

%systemd_postun arptables.service ebtables.service

%post nft

pfx=%{_sbindir}/iptables

pfx6=%{_sbindir}/ip6tables

%{_sbindir}/update-alternatives --install \

	$pfx iptables $pfx-nft 10 \

	--slave $pfx6 ip6tables $pfx6-nft \

	--slave $pfx-restore iptables-restore $pfx-nft-restore \

	--slave $pfx-save iptables-save $pfx-nft-save \

	--slave $pfx6-restore ip6tables-restore $pfx6-nft-restore \

	--slave $pfx6-save ip6tables-save $pfx6-nft-save

pfx=%{_sbindir}/ebtables

manpfx=%{_mandir}/man8/ebtables

for sfx in "" "-restore" "-save"; do

	if [ "$(readlink -e $pfx$sfx)" == $pfx$sfx ]; then

		rm -f $pfx$sfx

	fi

done

if [ "$(readlink -e $manpfx.8.gz)" == $manpfx.8.gz ]; then

	rm -f $manpfx.8.gz

fi

%{_sbindir}/update-alternatives --install \

	$pfx ebtables $pfx-nft 10 \

	--slave $pfx-save ebtables-save $pfx-nft-save \

	--slave $pfx-restore ebtables-restore $pfx-nft-restore \

	--slave $manpfx.8.gz ebtables-man $manpfx-nft.8.gz

pfx=%{_sbindir}/arptables

manpfx=%{_mandir}/man8/arptables

lepfx=%{_libexecdir}/arptables

for sfx in "" "-restore" "-save"; do

	if [ "$(readlink -e $pfx$sfx)" == $pfx$sfx ]; then

		rm -f $pfx$sfx

	fi

	if [ "$(readlink -e $manpfx$sfx.8.gz)" == $manpfx$sfx.8.gz ]; then

		rm -f $manpfx$sfx.8.gz

	fi

done

if [ "$(readlink -e $lepfx-helper)" == $lepfx-helper ]; then

	rm -f $lepfx-helper

fi

%{_sbindir}/update-alternatives --install \

	$pfx arptables $pfx-nft 10 \

	--slave $pfx-save arptables-save $pfx-nft-save \

	--slave $pfx-restore arptables-restore $pfx-nft-restore \

	--slave $manpfx.8.gz arptables-man $manpfx-nft.8.gz \

	--slave $manpfx-save.8.gz arptables-save-man $manpfx-nft-save.8.gz \

	--slave $manpfx-restore.8.gz arptables-restore-man $manpfx-nft-restore.8.gz \

	--slave $lepfx-helper arptables-helper $lepfx-nft-helper

%postun nft

if [ $1 -eq 0 ]; then

	for cmd in iptables ebtables arptables; do

		%{_sbindir}/update-alternatives --remove \

			$cmd %{_sbindir}/$cmd-nft

	done

fi

%if %{do_legacy_pkg}

%files legacy

%doc INCOMPATIBILITIES

%{_sbindir}/ip{,6}tables-legacy*

%{_sbindir}/xtables-legacy-multi

%{_bindir}/iptables-xml

%{_mandir}/man1/iptables-xml*

%{_mandir}/man8/xtables-legacy*

%ghost %{_sbindir}/ip{,6}tables{,-save,-restore}

%files legacy-libs

%license COPYING

%{_libdir}/libip{4,6}tc.so.%{ipXtc_so_ver}*

%files legacy-devel

%dir %{_includedir}/libiptc

%{_includedir}/libiptc/*.h

%{_libdir}/libip*tc.so

%{_libdir}/pkgconfig/libip{,4,6}tc.pc

%files services

# do_legacy_pkg

%else

%files nft-services

%{_unitdir}/{arp,eb}tables.service

%{_libexecdir}/ebtables-helper

%config(noreplace) %{_sysconfdir}/sysconfig/ebtables-config

%ghost %{_sysconfdir}/sysconfig/arptables

%ghost %{_sysconfdir}/sysconfig/ebtables

# do_legacy_pkg

%endif

# the common files in services and nft-services

%dir %{script_path}

%{script_path}/ip{,6}tables.init

%config(noreplace) %{_sysconfdir}/sysconfig/ip{,6}tables{,-config}

%{_unitdir}/ip{,6}tables.service

%dir %{legacy_actions}/ip{,6}tables

%{legacy_actions}/ip{,6}tables/{save,panic}

%files libs

%license COPYING

%{_libdir}/libxtables.so.12*

%dir %{_libdir}/xtables

%{_libdir}/xtables/lib{ip,ip6,x}t*

%{_mandir}/man8/ip{,6}tables.8.gz

%{_mandir}/man8/ip{,6}tables-{extensions,save,restore}.8.gz

%files devel

%{_includedir}/xtables{,-version}.h

%{_libdir}/libxtables.so

%{_libdir}/pkgconfig/xtables.pc

%files utils

%license COPYING

%{_sbindir}/nfnl_osf

%{_sbindir}/nfbpf_compile

%{_sbindir}/ip{,6}tables-apply

%dir %{_datadir}/xtables

%{_datadir}/xtables/pf.os

%{_mandir}/man8/nfnl_osf*

%{_mandir}/man8/nfbpf_compile*

%{_mandir}/man8/ip{,6}tables-apply*

%files nft

%{_sbindir}/ip{,6}tables-nft*

%{_sbindir}/ip{,6}tables{,-restore}-translate

%{_sbindir}/{eb,arp}tables-nft*

%{_sbindir}/xtables-nft-multi

%{_sbindir}/xtables-monitor

%dir %{_libdir}/xtables

%{_libdir}/xtables/lib{arp,eb}t*

%{_libexecdir}/arptables-nft-helper

%{_mandir}/man8/xtables-monitor*

%{_mandir}/man8/xtables-translate*

%{_mandir}/man8/*-nft*

%{_mandir}/man8/ip{,6}tables{,-restore}-translate*

%ghost %{_sbindir}/ip{,6}tables{,-save,-restore}

%ghost %{_sbindir}/{eb,arp}tables{,-save,-restore}

%ghost %{_libexecdir}/arptables-helper

%ghost %{_mandir}/man8/arptables{,-save,-restore}.8.gz

%ghost %{_mandir}/man8/ebtables.8.gz

%changelog

* Wed Dec 07 2022 Phil Sutter <psutter@redhat.com> - 1.8.8-6

- Add expected testsuite result

* Tue Dec 06 2022 Phil Sutter <psutter@redhat.com> - 1.8.8-5

- nft: un-break among match with concatenation

- nft: fix ebtables among match when mac+ip addresses are used

* Tue Jul 05 2022 Phil Sutter <psutter@redhat.com> - 1.8.8-4

- libxtables: Fix unsupported extension warning corner case

* Wed Jun 08 2022 Phil Sutter <psutter@redhat.com> - 1.8.8-3

- arptables: Support -x/--exact flag

* Thu Jun 02 2022 Phil Sutter <psutter@redhat.com> - 1.8.8-2

- tests: shell: Check overhead in iptables-save and -restore

* Fri May 13 2022 Phil Sutter <psutter@redhat.com> - 1.8.8-1

- new version

* Fri Mar 18 2022 Phil Sutter <psutter@redhat.com> - 1.8.7-30

- Use proto_to_name() from xshared in more places

* Fri Mar 18 2022 Phil Sutter <psutter@redhat.com> - 1.8.7-29

- libxtables: Boost rule target checks by announcing chain names

- libxtables: Implement notargets hash table

- nft: Reject standard targets as chain names when restoring

- xshared: Merge and share parse_chain()

- xshared: Prefer xtables_chain_protos lookup over getprotoent

- nft: Speed up immediate parsing

- nft: Simplify immediate parsing

* Wed Feb 16 2022 Phil Sutter <psutter@redhat.com> - 1.8.7-28

- extensions: SECMARK: Use a better context in test case

* Fri Jan 28 2022 Phil Sutter <psutter@redhat.com> - 1.8.7-27

- extensions: SECMARK: Implement revision 1

* Mon Oct 11 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-26

- tests/shell: Assert non-verbose mode is silent

- nft: Fix for non-verbose check command

* Wed Oct 06 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-25

- ebtables: Dump atomic waste

- doc: ebtables-nft.8: Adjust for missing atomic-options

- nft: Use xtables_malloc() in mnl_err_list_node_add()

* Fri Oct 01 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-24

- Add missing readlink required for iptables-nft(post)

* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.8.7-23

- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags

  Related: rhbz#1991688

* Thu Aug 05 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-22

- nft-services must not depend on specific arch's build

* Thu Aug 05 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-21

- Build services sub-packages as noarch

* Fri Jul 30 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-20

- Make nft-services obsolete nft-compat to fix upgrade path

* Thu Jul 29 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-19

- Build iptables-services on C9S only

- Use systemd_ordering in nft-services, too

- Drop compat package, nft-services serves well for that purpose

- Make legacy unconditionally provide iptables, it's not built on RHEL

* Wed Jul 28 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-18

- Make iptables-nft-services require iptables-services to avoid confusion

- Add deprecation notice to iptables-extensions man page as well

* Mon Jul 12 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-17

- Provide a compat package to fix upgrade path from RHEL8

* Mon Jul 05 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-16

- Review systemd unit file

* Fri Jul 02 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-15

- doc: Improve deprecation notices a bit

- nft: cache: Sort chains on demand only

- nft: Increase BATCH_PAGE_SIZE to support huge rulesets

* Fri Jun 25 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-14

- doc: Add deprecation notices to all relevant man pages

* Wed Jun 16 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-13

- extensions: sctp: Fix nftables translation

- nft: Fix bitwise expression avoidance detection

- iptables-nft: fix -Z option

- Do not build legacy sub-packages on RHEL

* Thu Jun 10 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-12

- arptables-nft-helper: Remove bashisms

- ebtables-helper: Drop unused variable, add a missing quote

- extensions: libxt_string: Avoid buffer size warning for strncpy()

- libxtables: Introduce xtables_strdup() and use it everywhere

- extensions: libebt_ip6: Use xtables_ip6parse_any()

- iptables-apply: Drop unused variable

- nft: Avoid buffer size warnings copying iface names

- nft: Avoid memleak in error path of nft_cmd_new()

- libxtables: Fix memleak in xtopt_parse_hostmask()

- extensions: libebt_ip6: Drop unused variables

- libxtables: Drop leftover variable in xtables_numeric_to_ip6addr()

* Wed May 12 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-11

- Fix License name in spec file

- Eliminate inet_aton() and inet_ntoa()

- nft-arp: Make use of ipv4_addr_to_string()

- Make legacy sub-packages obsolete older non-legacy ones

- Fix dates in changelog

- iptables.init: Fix functionality for iptables-nft

- iptables.init: Ignore sysctl files not suffixed '.conf'

- iptables.init: Drop unused NEW_MODUTILS check

- iptables.init: Drop some trailing whitespace

* Fri Apr 23 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-10

- Add provides to iptables-nft-services

* Wed Apr 21 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-9

- Add nft-services subpackage

* Mon Apr 19 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-8

- Drop hacks to maintain upgrade path

* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.8.7-7

- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937

* Tue Mar 23 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-6

- Restore alternatives configuration after upgrade

- Fix license location

* Tue Mar 23 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-5

- Fix upgrade path with package rename

- Add missing dependencies to iptables-nft package

* Tue Feb 16 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-4

- Drop bootstrap code again

- Drop workarounds for F24 and lower

- Fix iptables-utils summary

- Ship iptables-apply with iptables-utils

- Reduce files sections by use of globbing

- Ship common man pages with iptables-libs

- Ship *-translate man pages with iptables-nft

- Move legacy iptables binaries, libraries and headers into sub-packages

- Introduce compat sub-package to help with above transitions

- Drop libipulog header from devel package, this belongs to libnetfilter_log

- Do not ship internal headers in devel package

* Thu Jan 28 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-3

- ebtables: Exit gracefully on invalid table names

* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.7-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild

* Sat Jan 16 2021 Kevin Fenzi <kevin@scrye.com> - 1.8.7-1

- Update to 1.8.7. Fixes rhbz#1916948

* Thu Nov 19 2020 Tom Stellard <tstellar@redhat.com> - 1.8.6-5

- Use make macros

* Tue Nov 17 2020 Phil Sutter <psutter@redhat.com> - 1.8.6-4

- ebtables: Fix for broken chain renaming

* Mon Nov 16 2020 Phil Sutter <psutter@redhat.com> - 1.8.6-3

- Drop obsolete StandardOutput setting from unit file

- Remove StandardError setting from unit file, its value is default

* Thu Nov  5 2020 Florian Weimer <fweimer@redhat.com> - 1.8.6-2

- Remove build dependency on autogen

* Sat Oct 31 2020 Kevin Fenzi <kevin@scrye.com> - 1.8.6-1

- Update to 1.8.6. Fixes bug #1893453

* Tue Aug 25 2020 Phil Sutter <psutter@redhat.com> - 1.8.5-3

- nft: cache: Check consistency with NFT_CL_FAKE, too

- nft: Fix command name in ip6tables error message

* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.5-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild

* Tue Jun 23 2020 Phil Sutter <psutter@redhat.com> - 1.8.5-1

- Rebase onto upstream version 1.8.5 plus two late fixes

- Drop explicit iptables-apply installation, upstream fixed that

- Ship ip6tables-apply along with iptables package

* Wed Feb 12 2020 Phil Sutter <psutter@redhat.com> - 1.8.4-7

- Move nft-specific extensions into iptables-nft package

- Move remaining extensions into iptables-libs package

- Make iptables-nft depend on iptables-libs instead of iptables

- Add upstream-suggested fixes

* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.4-6

- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild

* Wed Jan 15 2020 Phil Sutter <psutter@redhat.com> - 1.8.4-5

- Raise Alternatives priority of nft variants to match legacy ones

- Add Provides lines to allow for iptables-nft as full legacy alternative

* Thu Dec 19 2019 Phil Sutter <psutter@redhat.com> - 1.8.4-4

- Drop leftover include in arptables-nft-helper

* Fri Dec 13 2019 Phil Sutter <psutter@redhat.com> - 1.8.4-3

- Remove dependencies on initscripts package

* Tue Dec 10 2019 Phil Sutter <psutter@redhat.com> - 1.8.4-2

- iptables-services requires /etc/init.d/functions

* Wed Dec 04 2019 Phil Sutter <psutter@redhat.com> - 1.8.4-1

- New upstream version 1.8.4

* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.3-5

- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild

* Tue Jun 25 2019 Björn Esser <besser82@fedoraproject.org> - 1.8.3-4

- Disable bootstrapping

* Tue Jun 25 2019 Phil Sutter <psutter@redhat.com> - 1.8.3-3

- Change URL to point at iptables project, not netfilter overview page

- Reuse URL value in tarball source

- Reduce globbing of library file names to expose future SONAME changes

- Add bootstrapping for libip*tc SONAME bump

* Tue Jun 25 2019 Phil Sutter <psutter@redhat.com> - 1.8.3-2

- Install new man page for nfbpf_compile utility

- Move nfnl_osf man page to utils subpackage

* Wed May 29 2019 Phil Sutter <psutter@redhat.com> - 1.8.3-1

- New upstream version 1.8.3

* Mon Apr 15 2019 Phil Sutter <psutter@redhat.com> - 1.8.2-1

- New upstream version 1.8.2

- Integrate ebtables and arptables save/restore scripts with alternatives

- Add nft-specific ebtables and arptables man pages

- Move /etc/sysconfig/ip*tables-config files into services sub-package

* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.0-5

- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild

* Wed Jan 23 2019 Bogdan Dobrelya <bdobreli@redhat.com> - 1.8.0-4

- Use systemd_ordering macro

* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.0-3

- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild

* Tue Jul 10 2018 Phil Sutter <psutter@redhat.com> - 1.8.0-2

- Fix calling ebtables-nft and arptables-nft via their new names.

* Mon Jul 09 2018 Phil Sutter <psutter@redhat.com> - 1.8.0-1

- New upstream version 1.8.0.

- Replace ldconfig calls with newly introduced macros.

- Rename compat subpackage to iptables-nft to clarify its purpose.

- Make use of Alternatives system.

* Fri May 04 2018 Phil Sutter <psutter@redhat.com> - 1.6.2-3

- Fix License: tag in spec-file

- Fix separation into compat subpackage

* Thu Mar 01 2018 Phil Sutter <psutter@redhat.com> - 1.6.2-2

- Kill module unloading support

- Support /etc/sysctl.d

- Don't restart services after package update

- Add support for --wait options to restore commands