Name:           nftables

Version:        0.9.0

Release:        14%{?dist}

# Upstream released a 0.100 version, then 0.4. Need Epoch to get back on track.

Epoch:          1

Summary:        Netfilter Tables userspace utillites

License:        GPLv2

URL:            http://netfilter.org/projects/nftables/

Source0:        http://ftp.netfilter.org/pub/nftables/nftables-%{version}.tar.bz2

Source1:        nftables.service

Source2:        nftables.conf

Patch1:  0001-evaluate-reject-Allow-icmpx-in-inet-bridge-families.patch

Patch2:  0002-monitor-Drop-fake-XML-support.patch

Patch3:  0003-monitor-Drop-update-table-and-update-chain-cases.patch

Patch4:  0004-monitor-Fix-printing-of-ct-objects.patch

Patch5:  0005-monitor-Use-libnftables-JSON-output.patch

Patch6:  0006-tests-monitor-Test-JSON-output-as-well.patch

Patch7:  0007-segtree-bogus-range-via-get-set-element-on-existing-.patch

Patch8:  0008-segtree-disantangle-get_set_interval_end.patch

Patch9:  0009-segtree-memleak-in-get_set_decompose.patch

Patch10: 0010-segtree-stop-iteration-on-existing-elements-in-case-.patch

Patch11: 0011-segtree-incorrect-handling-of-last-element-in-get_se.patch

Patch12: 0012-segtree-set-proper-error-cause-on-existing-elements.patch

Patch13: 0013-rule-fix-memleak-in-do_get_setelems.patch

Patch14: 0014-Fix-memleak-in-netlink_parse_fwd-error-path.patch

Patch15: 0015-libnftables-Fix-memleak-in-nft_parse_bison_filename.patch

Patch16: 0016-src-pass-struct-nft_ctx-through-struct-eval_ctx.patch

Patch17: 0017-src-trace-fix-policy-printing.patch

Patch18: 0018-rule-list-only-the-table-containing-object.patch

Patch19: 0019-src-pass-struct-nft_ctx-through-struct-netlink_ctx.patch

Patch20: 0020-netlink-reset-mnl_socket-field-in-struct-nft_ctx-on-.patch

Patch21: 0021-src-remove-opts-field-from-struct-xt_stmt.patch

Patch22: 0022-JSON-Support-latest-enhancements-of-fwd-statement.patch

Patch23: 0023-parser_json-Fix-for-ineffective-family-value-checks.patch

Patch24: 0024-json-Fix-memleak-in-dup_stmt_json.patch

Patch25: 0025-json-Fix-for-recent-changes-to-context-structs.patch

Patch26: 0026-parser_bison-Fix-for-ECN-keyword-in-LHS-of-relationa.patch

Patch27: 0027-nft.8-Update-meta-pkt_type-value-description.patch

Patch28: 0028-json-Work-around-segfault-when-encountering-xt-stmt.patch

Patch29: 0029-nft.8-Document-log-level-audit.patch

Patch30: 0030-nft.8-Clarify-index-option-of-add-rule-command.patch

Patch31: 0031-src-Reject-export-vm-json-command.patch

Patch32: 0032-datatype-add-stolen-verdict.patch

Patch33: 0033-libnftables-Fix-exit_cookie.patch

Patch34: 0034-scanner-Do-not-convert-tabs-into-spaces.patch

Patch35: 0035-netlink_delinearize-Refactor-meta_may_dependency_kil.patch

Patch36: 0036-evaluate-skip-evaluation-of-datatype-concatenations.patch

Patch37: 0037-tests-shell-add-tests-for-listing-objects.patch

Patch38: 0038-rule-fix-object-listing-when-no-table-is-given.patch

Patch39: 0039-proto-fix-icmp-icmpv6-code-datatype.patch

Patch40: 0040-evaluate-throw-distinct-error-if-map-exists-but-cont.patch

Patch41: 0041-parser-bail-out-on-incorrect-burst-unit.patch

Patch42: 0042-src-fix-netdev-family-device-name-parsing.patch

Patch43: 0043-libnftables-Print-errors-before-freeing-commands.patch

Patch44: 0044-segtree-fix-crash-when-debug-mode-is-active.patch

Patch45: 0045-parser_bison-no-need-for-statement-separator-for-ct-.patch

Patch46: 0046-ct-use-nft_print-instead-of-printf.patch

Patch47: 0047-parser_bison-type_identifier-string-memleak.patch

Patch48: 0048-src-missing-destroy-function-in-statement-definition.patch

Patch49: 0049-tests-shell-validate-too-deep-jumpstack-from-basecha.patch

Patch50: 0050-netlink-remove-markup-json-parsing-code.patch

Patch51: 0051-rule-limit-don-t-print-default-burst-value.patch

Patch52: 0052-JSON-Review-verdict-statement-and-expression.patch

Patch53: 0053-parser_json-Duplicate-chain-name-when-parsing-jump-v.patch

Patch54: 0054-src-Introduce-chain_expr-in-jump-and-goto-statements.patch

Patch55: 0055-src-Allow-goto-and-jump-to-a-variable.patch

Patch56: 0056-parser_json-Fix-and-simplify-verdict-expression-pars.patch

Patch57: 0057-src-invalid-read-when-importing-chain-name.patch

Patch58: 0058-expression-use-expr_clone-from-verdict_expr_clone.patch

Patch59: 0059-parser_bison-free-chain-name-after-creating-constant.patch

Patch60: 0060-doc-update-nft-list-plural-form-parameters.patch

Patch61: 0061-doc-Add-minimal-description-of-v-map-statements.patch

Patch62: 0062-xt-pass-octx-to-translate-function.patch

Patch63: 0063-xt-always-build-with-a-minimal-support-for-xt-match-.patch

Patch64: 0064-src-fix-double-free-on-xt-stmt-destruction.patch

Patch65: 0065-tests-shell-Add-testcase-for-cache-update-problems.patch

Patch66: 0066-src-update-cache-if-cmd-is-more-specific.patch

Patch67: 0067-src-fix-jumps-on-bigendian-arches.patch

Patch68: 0068-src-json-fix-constant-parsing-on-bigendian.patch

BuildRequires: autogen

BuildRequires: autoconf

BuildRequires: automake

BuildRequires: libtool

BuildRequires: gcc

BuildRequires: flex

BuildRequires: bison

BuildRequires: libmnl-devel

BuildRequires: gmp-devel

BuildRequires: readline-devel

BuildRequires: libnftnl-devel

BuildRequires: docbook2X

BuildRequires: systemd

BuildRequires: jansson-devel

BuildRequires: iptables-devel

%description

Netfilter Tables userspace utilities.

%package        devel

Summary:        Development library for nftables / libnftables

Group:          Development/Libraries

Requires:       %{name} = %{epoch}:%{version}-%{release}

Requires:       pkgconfig

%description devel

Development tools and static libraries and header files for the libnftables library.

%prep

%autosetup -p1

%build

autoreconf -fi

rm -Rf autom4te*.cache config.h.in~

%configure --disable-silent-rules --with-json --with-xtables

make %{?_smp_mflags}

%install

%make_install

find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'

# Don't ship static lib (for now at least)

rm -f $RPM_BUILD_ROOT/%{_libdir}/libnftables.a

chmod 644 $RPM_BUILD_ROOT/%{_mandir}/man8/nft*

mkdir -p $RPM_BUILD_ROOT/%{_unitdir}

cp -a %{SOURCE1} $RPM_BUILD_ROOT/%{_unitdir}/

mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig

cp -a %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig/

chmod 600 $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig/nftables.conf

cp files/examples/netdev-ingress.nft $RPM_BUILD_ROOT/%{_sysconfdir}/nftables

chmod 750 $RPM_BUILD_ROOT/%{_sysconfdir}/nftables

chmod 600 $RPM_BUILD_ROOT/%{_sysconfdir}/nftables/*.nft

%post

%systemd_post nftables.service

%preun

%systemd_preun nftables.service

%postun

%systemd_postun_with_restart nftables.service

%post devel

%ldconfig_post

%postun devel

%ldconfig_postun

%files

%license COPYING

%config(noreplace) %{_sysconfdir}/nftables/

%config(noreplace) %{_sysconfdir}/sysconfig/nftables.conf

%{_sbindir}/nft

%{_libdir}/libnftables.so.*

%{_mandir}/man8/nft*

%{_unitdir}/nftables.service

%files devel

%{_libdir}/libnftables.so

%{_libdir}/pkgconfig/libnftables.pc

%{_includedir}/nftables/libnftables.h

%changelog

* Mon Aug 12 2019 Phil Sutter <psutter@redhat.com> - 1:0.9.0-14

- src: fix jumps on bigendian arches

- src: json: fix constant parsing on bigendian

* Thu Aug 08 2019 Phil Sutter <psutter@redhat.com> - 1:0.9.0-13

- Fix for adding a rule with index and set reference

* Wed Jul 31 2019 Phil Sutter <psutter@redhat.com> - 1:0.9.0-12

- Fix permissions of /etc/nftables directory

* Wed Jun 26 2019 Phil Sutter <psutter@redhat.com> - 1:0.9.0-11

- Fix segfault with xtables support

* Wed Jun 26 2019 Phil Sutter <psutter@redhat.com> - 1:0.9.0-10

- Fix typo in spec file

* Wed Jun 26 2019 Phil Sutter <psutter@redhat.com> - 1:0.9.0-9

- Allow variables in jump statement

- Make example configs readable only by root

- Document nft list parameters

- Document vmap statement

- Install netdev-ingress.nft sample config in the right spot

- Backport upstream fixes since last release

* Fri Mar 01 2019 Phil Sutter - 1:0.9.0-8

- Add missing patch to spec file

* Fri Dec 21 2018 Phil Sutter - 1:0.9.0-7

- src: Reject 'export vm json' command

* Tue Dec 18 2018 Phil Sutter - 1:0.9.0-6

- Rebuild for updated libnftnl

* Thu Dec 13 2018 Phil Sutter - 1:0.9.0-5

- nft.8: Document log level audit

- nft.8: Clarify 'index' option of add rule command

* Thu Oct 25 2018 Phil Sutter - 1:0.9.0-4

- Add fixes for covscan report

- Fix for ECN keyword in LHS of relational

- Update meta pkt_type value description

- Fix for segfault with JSON output if xt expression is present

- Add missing nft suffix to files included from /etc/sysconfig/nftables.conf

- Use native JSON API in nft monitor

* Thu Oct 11 2018 Phil Sutter - 1:0.9.0-3

- Enable xtables support

- Enable JSON support

* Mon Sep 10 2018 Phil Sutter - 1:0.9.0-2

- Allow icmpx in inet/bridge families

* Tue Aug 14 2018 Phil Sutter - 1:0.9.0-1

- New version 0.9.0

- Install libnftables

- Add devel sub-package

- Add gcc BuildRequires

* Sat Mar 03 2018 Kevin Fenzi <kevin@scrye.com> - 0.8.3-1

- Update to 0.8.3. Fixes bug #1551207

* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.8.2-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild

* Mon Feb 05 2018 Kevin Fenzi <kevin@scrye.com> - 0.8.2-1

- Update to 0.8.2. Fixes bug #1541582

* Tue Jan 16 2018 Kevin Fenzi <kevin@scrye.com> - 0.8.1-1

- Update to 0.8.1. Fixes bug #1534982

* Sun Oct 22 2017 Kevin Fenzi <kevin@scrye.com> - 0.8-1

- Update to 0.8. 

* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.7-5

- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild

* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.7-4

- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild

* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.7-3

- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild

* Thu Jan 12 2017 Igor Gnatenko <ignatenko@redhat.com> - 1:0.7-2

- Rebuild for readline 7.x

* Thu Dec 22 2016 Kevin Fenzi <kevin@scrye.com> - 0.7-1

- Update to 0.7

* Fri Jul 15 2016 Kevin Fenzi <kevin@scrye.com> - 0.6-2

- Rebuild for new glibc symbols

* Thu Jun 02 2016 Kevin Fenzi <kevin@scrye.com> - 0.6-1

- Update to 0.6.

* Sun Apr 10 2016 Kevin Fenzi <kevin@scrye.com> - 0.5-4

- Add example config files and move config to /etc/sysconfig. Fixes bug #1313936

* Fri Mar 25 2016 Kevin Fenzi <kevin@scrye.com> - 0.5-3

- Add systemd unit file. Fixes bug #1313936

* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.5-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild

* Thu Sep 17 2015 Kevin Fenzi <kevin@scrye.com> 0.5-1

- Update to 0.5

* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1:0.4-3

- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild

* Sat Jan 10 2015 Kevin Fenzi <kevin@scrye.com> 0.4-2

- Add patch to fix nft -f dep gen.

* Fri Dec 26 2014 Kevin Fenzi <kevin@scrye.com> 0.4-1

- Update to 0.4

- Add Epoch to fix versioning. 

* Wed Sep 03 2014 Kevin Fenzi <kevin@scrye.com> 0.100-4.20140903git

- Update to 20140903 snapshot

* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.100-4.20140704git

- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild

* Fri Jul 04 2014 Kevin Fenzi <kevin@scrye.com> 0.100-3.20140704git

- Update to new snapshot

* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.100-2.20140426git

- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild

* Sat Apr 26 2014 Kevin Fenzi <kevin@scrye.com> 0.100-1.20140426git

- Update t0 20140426

* Sun Mar 30 2014 Kevin Fenzi <kevin@scrye.com> 0.100-1.20140330git

- Update to 20140330 snapshot

- Sync versions to be post 0.100 release.

* Wed Mar 26 2014 Kevin Fenzi <kevin@scrye.com> 0-0.7.20140326git

- Update to 20140326 snapshot

- Fix permissions on man pages. 

* Mon Mar 24 2014 Kevin Fenzi <kevin@scrye.com> 0-0.6.20140324git

- Update to 20140324 snapshot

* Fri Mar 07 2014 Kevin Fenzi <kevin@scrye.com> 0-0.5.20140307git

- Update to 20140307

* Sat Jan 25 2014 Kevin Fenzi <kevin@scrye.com> 0-0.4.20140125git

- Update to 20140125 snapshot

* Sat Jan 18 2014 Kevin Fenzi <kevin@scrye.com> 0-0.3.20140118git

- Update to 20140118 snapshot

- Fixed License tag to be correct

- Fixed changelog

- nft scripts now use full path for nft

- Fixed man page building

- Dropped unneeded rm in install

- Patched build to not be silent. 

* Tue Dec 03 2013 Kevin Fenzi <kevin@scrye.com> 0-0.2.20131202git

- Use upstream snapshots for source.

- Use 0 for version. 

* Sat Nov 30 2013 Kevin Fenzi <kevin@scrye.com> 0-0.1

- initial version for Fedora review