diff --git a/SOURCES/0017-src-bail-out-when-exporting-ruleset-with-unsupported.patch b/SOURCES/0017-src-bail-out-when-exporting-ruleset-with-unsupported.patch
new file mode 100644
index 0000000..916d287
--- /dev/null
+++ b/SOURCES/0017-src-bail-out-when-exporting-ruleset-with-unsupported.patch
@@ -0,0 +1,92 @@
+From 032a1808c1abb70004703f57c2d1625a099beca3 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Fri, 15 Mar 2019 12:59:19 +0100
+Subject: [PATCH] src: bail out when exporting ruleset with unsupported output
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1646336
+Upstream Status: nftables commit a340aa6ca6cd0
+Conflicts:
+* Dropped changes to import command which doesn't exist in RHEL7.
+* Changes to parser_bison.y applied manually. Major conflicts due to
+ missing commit 2fa54d8a49352 ("src: Add import command for low level
+ json").
+* Adjusted to missing commit 2fa54d8a49352 ("src: Add import command for
+ low level json").
+
+commit a340aa6ca6cd08ae173fbb95cd3e65807264df07
+Author: Pablo Neira Ayuso
+Date: Thu Feb 15 17:22:16 2018 +0100
+
+ src: bail out when exporting ruleset with unsupported output
+
+ Display error message and propagate error to shell when running command
+ with unsupported output:
+
+ # nft export ruleset json
+ Error: this output type is not supported
+ export ruleset json
+ ^^^^^^^^^^^^^^^^^^^^
+ # echo $?
+ 1
+
+ When displaying the output in json using the low-level VM
+ representation, it shows:
+
+ # nft export ruleset vm json
+ ... low-level VM json output
+ # echo $?
+ 0
+
+ While at it, do the same with obsoleted XML output.
+
+ Fixes: https://bugzilla.netfilter.org/show_bug.cgi?id=1224
+
Signed-off-by: Pablo Neira Ayuso
+---
+ include/nftables.h | 2 ++
+ src/evaluate.c | 3 +++
+ src/parser_bison.y | 4 ++--
+ 3 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/include/nftables.h b/include/nftables.h
+index 01d72a8..0abbcaf 100644
+--- a/include/nftables.h
++++ b/include/nftables.h
+@@ -154,4 +154,6 @@ int nft_print(struct output_ctx *octx, const char *fmt, ...)
+ int nft_gmp_print(struct output_ctx *octx, const char *fmt, ...)
+ __attribute__((format(printf, 2, 0)));
+
++#define __NFT_OUTPUT_NOTSUPP UINT_MAX
++
+ #endif /* NFTABLES_NFTABLES_H */
+diff --git a/src/evaluate.c b/src/evaluate.c
+index ab1347f..c8a98f1 100644
+--- a/src/evaluate.c
++++ b/src/evaluate.c
+@@ -3426,6 +3426,9 @@ static int cmd_evaluate_monitor(struct eval_ctx *ctx, struct cmd *cmd)
+
+ static int cmd_evaluate_export(struct eval_ctx *ctx, struct cmd *cmd)
+ {
++ if (cmd->export->format == __NFT_OUTPUT_NOTSUPP)
++ return cmd_error(ctx, "this output type is not supported");
++
+ return cache_update(ctx->nf_sock, ctx->cache, cmd->op, ctx->msgs,
+ ctx->debug_mask & DEBUG_NETLINK, ctx->octx);
+ }
+diff --git a/src/parser_bison.y b/src/parser_bison.y
+index f9878ba..e87669e 100644
+--- a/src/parser_bison.y
++++ b/src/parser_bison.y
+@@ -1204,8 +1204,8 @@ monitor_format : /* empty */ { $$ = NFTNL_OUTPUT_DEFAULT; }
+ | export_format
+ ;
+
+-export_format : XML { $$ = NFTNL_OUTPUT_XML; }
+- | JSON { $$ = NFTNL_OUTPUT_JSON; }
++export_format : XML { $$ = __NFT_OUTPUT_NOTSUPP; }
++ | JSON { $$ = __NFT_OUTPUT_NOTSUPP; }
+ ;
+
+ describe_cmd : primary_expr
+--
+1.8.3.1
+
diff --git a/SOURCES/0018-monitor-Drop-fake-XML-support.patch b/SOURCES/0018-monitor-Drop-fake-XML-support.patch
new file mode 100644
index 0000000..13385b2
--- /dev/null
+++ b/SOURCES/0018-monitor-Drop-fake-XML-support.patch
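Review bot: The parser_bison.y hunk of patch 0017 leaves `monitor_format` falling through to `export_format`, so a monitor command given `xml` or `json` now also carries `__NFT_OUTPUT_NOTSUPP`, yet only `cmd_evaluate_export` rejects that value. `cmd_evaluate_monitor` appears only in the evaluate.c hunk header, so its body is not visible here; if it has no equivalent test, the monitor callbacks would presumably run with a format that none of their `case` labels match, and the command would exit 0 while printing no events, which matters to anyone who consumes monitor output for auditing. A matching guard there, e.g. `if (cmd->monitor->format == __NFT_OUTPUT_NOTSUPP) return cmd_error(ctx, "this output type is not supported");` (field name assumed from `monh->format` in the callbacks, confirm against struct cmd), would make both commands fail loudly. Separately, `__NFT_OUTPUT_NOTSUPP` begins with a double underscore, which C reserves for the implementation, and a one-line comment above the `#define` stating that it is a parser-only sentinel outside libnftnl's output-type values would help the next reader.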
@@ -0,0 +1,80 @@
+From 1dbcbe1ae24756b7b7a7fe8a02626f58604ca2fd Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Fri, 15 Mar 2019 13:08:03 +0100
+Subject: [PATCH] monitor: Drop fake XML support
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1646336
+Upstream Status: nftables commit 2194a76ed46a2
+Conflicts: Adjusted changes to missing commit fbcb888b311a9
+ ("src: move monitor code to src/monitor.c").
+
+commit 2194a76ed46a2f097c5ca5955e44544418866cc2
+Author: Phil Sutter
+Date: Thu Oct 11 17:48:57 2018 +0200
+
+ monitor: Drop fake XML support
+
+ Since libnftnl doesn't support XML formatting, pretending to do so in
+ nft monitor is pointless.
+
+ Signed-off-by: Phil Sutter
+
Signed-off-by: Pablo Neira Ayuso
+---
+ src/netlink.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git a/src/netlink.c b/src/netlink.c
+index ebfad18..09d483d 100644
+--- a/src/netlink.c
++++ b/src/netlink.c
+@@ -2014,7 +2014,6 @@ static int netlink_events_table_cb(const struct nlmsghdr *nlh, int type,
+ nft_mon_print(monh, "%s %s\n", family2str(family),
+ nftnl_table_get_str(nlt, NFTNL_TABLE_NAME));
+ break;
+- case NFTNL_OUTPUT_XML:
+ case NFTNL_OUTPUT_JSON:
+ nftnl_table_fprintf(monh->ctx->octx->output_fp, nlt,
+ monh->format, netlink_msg2nftnl_of(type));
+@@ -2056,7 +2055,6 @@ static int netlink_events_chain_cb(const struct nlmsghdr *nlh, int type,
+ break;
+ }
+ break;
+- case NFTNL_OUTPUT_XML:
+ case NFTNL_OUTPUT_JSON:
+ nftnl_chain_fprintf(monh->ctx->octx->output_fp, nlc,
+ monh->format, netlink_msg2nftnl_of(type));
+@@ -2103,7 +2101,6 @@ static int netlink_events_set_cb(const struct nlmsghdr *nlh, int type,
+ break;
+ }
+ break;
+- case NFTNL_OUTPUT_XML:
+ case NFTNL_OUTPUT_JSON:
+ nftnl_set_fprintf(monh->ctx->octx->output_fp, nls,
+ monh->format, netlink_msg2nftnl_of(type));
+@@ -2252,7 +2249,6 @@ static int netlink_events_setelem_cb(const struct nlmsghdr *nlh, int type,
+
+ set_free(dummyset);
+ break;
+- case NFTNL_OUTPUT_XML:
+ case NFTNL_OUTPUT_JSON:
+ nftnl_set_fprintf(monh->ctx->octx->output_fp, nls,
+ monh->format, netlink_msg2nftnl_of(type));
+@@ -2297,7 +2293,6 @@ static int netlink_events_obj_cb(const struct nlmsghdr *nlh, int type,
+ break;
+ }
+ break;
+- case NFTNL_OUTPUT_XML:
+ case NFTNL_OUTPUT_JSON:
+ nftnl_obj_fprintf(monh->ctx->octx->output_fp, nlo,
+ monh->format, netlink_msg2nftnl_of(type));
+@@ -2353,7 +2348,6 @@ static int netlink_events_rule_cb(const struct nlmsghdr *nlh, int type,
+ break;
+ }
+ break;
+- case NFTNL_OUTPUT_XML:
+ case NFTNL_OUTPUT_JSON:
+ nftnl_rule_fprintf(monh->ctx->octx->output_fp, nlr,
+ monh->format, netlink_msg2nftnl_of(type));
+--
+1.8.3.1
+
diff --git a/SOURCES/0019-src-Reject-export-vm-json-command.patch b/SOURCES/0019-src-Reject-export-vm-json-command.patch
new file mode 100644
index 0000000..9ed20ea
--- /dev/null
+++ b/SOURCES/0019-src-Reject-export-vm-json-command.patch
@@ -0,0 +1,117 @@
+From 213bb692b8907c2d458298ff2569c96ed71fb925 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Fri, 15 Mar 2019 13:08:45 +0100
+Subject: [PATCH] src: Reject 'export vm json' command
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1646336
+Upstream Status: nftables commit 8d51f169e0e83
+Conflicts:
+* Adjusted changes to missing commit a84f9329d2f6c
+ ("src: use location to display error messages").
+* Error message changed to not suggest 'nft -j' which doesn't exist in
+ RHEL7.
+* Man page changes applied manually, upstream converted to asciidoc in
+ between.
+* Include netlink.h from src/evaluate.c to make NFTNL_OUTPUT_JSON
+ known. Upstream added this in unrelated commit 1524134b0bc01
+ ("src: osf: load pf.os from expr_evaluate_osf()").
+
+commit 8d51f169e0e832a41d2ed278be903c08bd4fa473
+Author: Phil Sutter
+Date: Mon Dec 17 16:29:56 2018 +0100
+
+ src: Reject 'export vm json' command
+
+ Since libnftnl recently dropped JSON output support, this form of JSON
+ export is not available anymore. Point at 'nft -j list ruleset' command
+ for a replacement in error message.
+
+ Since 'export' command is not useable anymore, remove it from
+ documentation. Instead point out that 'list ruleset' command serves well
+ for dumping and later restoring.
+
+ To not cause pointless inconvenience for users wishing to store their
+ ruleset in JSON format, make JSON parser fallback to CMD_ADD if no
+ recognized command property was found. This allows to feed the output of
+ 'nft -j list ruleset' into 'nft -f' without any modification.
+
+ Signed-off-by: Phil Sutter
+
Signed-off-by: Pablo Neira Ayuso
+---
+ doc/nft.xml | 23 +++--------------------
+ src/evaluate.c | 4 ++++
+ 2 files changed, 7 insertions(+), 20 deletions(-)
+
+diff --git a/doc/nft.xml b/doc/nft.xml
+index e6cfb78..a4a4c3f 100644
+--- a/doc/nft.xml
++++ b/doc/nft.xml
+@@ -514,11 +514,6 @@ filter input iif $int_ifs accept
+ ruleset
+ family
+
+-
+- export
+- ruleset
+- format
+-
+
+
+
+@@ -548,17 +543,6 @@ filter input iif $int_ifs accept
+
+
+
+-
+-
+-
+-
+- Print the ruleset in machine readable format. The
+- mandatory format parameter
+- may be either xml or
+- json.
+-
+-
+-
+
+
+
+@@ -568,10 +552,9 @@ filter input iif $int_ifs accept
+
+
+
+- Note that contrary to what one might assume, the output generated
+- by export is not parseable by
+- nft -f. Instead, the output of
+- list command serves well for that purpose.
++ By design, list ruleset command output may be used as
++ input to nft -f. Effectively, this is the nft-equivalent
++ of iptables-save and iptables-restore.
+
+
+
+diff --git a/src/evaluate.c b/src/evaluate.c
+index c8a98f1..b6c70b8 100644
+--- a/src/evaluate.c
++++ b/src/evaluate.c
+@@ -24,6 +24,7 @@
+
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -3428,6 +3429,9 @@ static int cmd_evaluate_export(struct eval_ctx *ctx, struct cmd *cmd)
+ {
+ if (cmd->export->format == __NFT_OUTPUT_NOTSUPP)
+ return cmd_error(ctx, "this output type is not supported");
++ else if (cmd->export->format == NFTNL_OUTPUT_JSON)
++ return cmd_error(ctx,
++ "JSON export is not supported");
+
+ return cache_update(ctx->nf_sock, ctx->cache, cmd->op, ctx->msgs,
+ ctx->debug_mask & DEBUG_NETLINK, ctx->octx);
+--
+1.8.3.1
+
diff --git a/SOURCES/0020-include-fix-build-failure.patch b/SOURCES/0020-include-fix-build-failure.patch
new file mode 100644
index 0000000..c250f81
--- /dev/null
+++ b/SOURCES/0020-include-fix-build-failure.patch
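Review bot: The `else if (cmd->export->format == NFTNL_OUTPUT_JSON)` branch that patch 0019 adds to cmd_evaluate_export looks unreachable in this tree, because patch 0017 of the same series maps both `XML` and `JSON` in `export_format` to `__NFT_OUTPUT_NOTSUPP` and the grammar visible there has no other alternative, so the first test returns before this one is evaluated. If some production outside the visible hunks can still yield `NFTNL_OUTPUT_JSON`, a short comment naming it, such as `/* reached via <production>: libnftnl no longer emits JSON */`, would justify the branch. Otherwise the function rejects by enumerating bad values and lets any other format fall through to `cache_update()`; since the description says export is no longer usable, a single unconditional `return cmd_error(ctx, "this output type is not supported");` would be the deny-by-default form, to be confirmed against the full grammar. The `else` after a `return` is also redundant, and the function's closing brace lies outside the hunk.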
@@ -0,0 +1,37 @@
+From f663f587d6e0ceb0674575db7c8538cf672ae160 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Fri, 15 Mar 2019 14:35:12 +0100
+Subject: [PATCH] include: fix build failure
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1646336
+Upstream Status: nftables commit cea0712fe7759
+
+commit cea0712fe7759fc1153cd0fd1c882486d036647d
+Author: Florian Westphal
+Date: Sat Feb 17 23:21:14 2018 +0100
+
+ include: fix build failure
+
+ on older machine of mine:
+ ../include/nftables.h:130:30: error: 'UINT_MAX' undeclared (first use in this function)
+
+ Signed-off-by: Florian Westphal
+---
+ include/nftables.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/include/nftables.h b/include/nftables.h
+index 0abbcaf..2c18c48 100644
+--- a/include/nftables.h
++++ b/include/nftables.h
+@@ -3,6 +3,7 @@
+
+ #include
+ #include
++#include
+ #include
+
+ enum numeric_level {
+--
+1.8.3.1
+
diff --git a/SOURCES/0021-nft.8-Update-meta-pkt_type-value-description.patch b/SOURCES/0021-nft.8-Update-meta-pkt_type-value-description.patch
new file mode 100644
index 0000000..6f02302
--- /dev/null
+++ b/SOURCES/0021-nft.8-Update-meta-pkt_type-value-description.patch
@@ -0,0 +1,51 @@
+From c5911dc74ad3d2858962e3384753c49cc3ad5ebe Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Thu, 4 Apr 2019 12:32:26 +0200
+Subject: [PATCH] nft.8: Update meta pkt_type value description
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1628694
+Upstream Status: nftables commit d75e9184bb51a
+Conflicts: Changes applied manually to doc/nft.xml, upstream switched to
+ using asciidoc.
+
+commit d75e9184bb51a1311ac950b13384f329836d597e
+Author: Phil Sutter
+Date: Fri Sep 14 11:00:14 2018 +0200
+
+ nft.8: Update meta pkt_type value description
+
+ Commit 8a7f6de536408 ("meta: fix pkttype name and add 'other' symbol")
+ deprecated pkt_type value 'unicast' (for it being misleading) and
+ introduced 'host' and 'other' but it did not update documentation
+ accordingly. Fix this by replacing 'unicast' with 'host' in
+ documentation and adding 'other'.
+
+ While being at it, make sure these literal values are recognized as
+ such: Put them in all lower-case (as required by the parser) and in bold
+ font (to stand out a bit more).
+
+ Signed-off-by: Phil Sutter
+ Signed-off-by: Pablo Neira Ayuso
+---
+ doc/nft.xml | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/doc/nft.xml b/doc/nft.xml
+index a4a4c3f..12b6cea 100644
+--- a/doc/nft.xml
++++ b/doc/nft.xml
+@@ -2734,8 +2734,9 @@ filter output icmpv6 type { echo-request, echo-reply }
+
+ pkt_type
+
+- Packet type: Unicast (addressed to local host),
+- Broadcast (to all), Multicast (to group).
++ Packet type: host (addressed to local host),
++ broadcast (to all), multicast (to group),
++ other (addressed to another host).
+
+
+
+--
+1.8.3.1
+
diff --git a/SOURCES/0022-doc-Add-minimal-description-of-v-map-statements.patch b/SOURCES/0022-doc-Add-minimal-description-of-v-map-statements.patch
new file mode 100644
index 0000000..392f1e9
--- /dev/null
+++ b/SOURCES/0022-doc-Add-minimal-description-of-v-map-statements.patch
@@ -0,0 +1,104 @@
+From 3344672e56bad6468981d1bf683c312b18957671 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Thu, 4 Apr 2019 13:02:55 +0200
+Subject: [PATCH] doc: Add minimal description of (v)map statements
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1628974
+Upstream Status: nftables commit 3b29acc8f2994
+Conflicts: Changes applied manually to doc/nft.xml, upstream switched to
+ using asciidoc.
+
+commit 3b29acc8f29944c5cf34259f2e2b5b40b4d0ccdd
+Author: Phil Sutter
+Date: Tue Apr 2 15:36:42 2019 +0200
+
+ doc: Add minimal description of (v)map statements
+
+ Although quite useful, these were missing in man page. Content loosely
+ based on wiki documentation.
+
+ Signed-off-by: Phil Sutter
+
Signed-off-by: Pablo Neira Ayuso +--- + doc/nft.xml | 65 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 65 insertions(+) + +diff --git a/doc/nft.xml b/doc/nft.xml +index 12b6cea..5ab363f 100644 +--- a/doc/nft.xml ++++ b/doc/nft.xml +@@ -5012,6 +5012,71 @@ add rule nat prerouting tcp dport 22 redirect to :2222 + + + ++ ++ Map statement ++ ++ The map statement is used to lookup data based on some specific input key. ++ ++ ++ ++ expression ++ map { ++ key ++ : ++ value ++ ++ , ++ key ++ : ++ value ++ ++ } ++ ++ ++ ++ using the map statement ++ ++# select DNAT target based on TCP dport: ++# connections to port 80 are redirected to 192.168.1.100, ++# connections to port 8888 are redirected to 192.168.1.101 ++nft add rule ip nat prerouting dnat tcp dport map { 80 : 192.168.1.100, 8888 : 192.168.1.101 } ++ ++# source address based SNAT: ++# packets from net 192.168.1.0/24 will appear as originating from 10.0.0.1, ++# packets from net 192.168.2.0/24 will appear as originating from 10.0.0.2 ++nft add rule ip nat postrouting snat to ip saddr map { 192.168.1.0/24 : 10.0.0.1, 192.168.2.0/24 : 10.0.0.2 } ++ ++ ++ ++ ++ Vmap statement ++ ++ The verdict map (vmap) statement works analogous to the map statement, but contains verdicts as values. ++ ++ ++ ++ expression ++ vmap { ++ key ++ : ++ value ++ ++ , ++ key ++ : ++ value ++ ++ } ++ ++ ++ ++ using the vmap statement ++ ++# jump to different chains depending on layer 4 protocol type: ++nft add rule ip filter input ip protocol vmap { tcp : jump tcp-chain, udp : jump udp-chain , icmp : jump icmp-chain } ++ ++ ++ + + + +-- +1.8.3.1 + diff --git a/SOURCES/nft.8 b/SOURCES/nft.8 index 5b89ebf..971784c 100644 --- a/SOURCES/nft.8 +++ b/SOURCES/nft.8 @@ -5,7 +5,7 @@ \\$2 \(la\\$1\(ra\\$3 .. .if \n(.g .mso www.tmac -.TH nft 8 "20 June 2018" "" "" +.TH nft 8 "4 April 2019" "" "" .SH NAME nft \- Administration tool for packet filtering and classification .SH SYNOPSIS 
@@ -295,12 +295,6 @@ T} {list | flush} \fBruleset\fR [\fIfamily\fR] .ad b 'hy -'nh -.fi -.ad l -{export} [\fBruleset\fR] {\fIformat\fR} -.ad b -'hy .PP The \fBruleset\fR keyword is used to identify the whole set of tables, chains, etc. currently in place in kernel. The @@ -315,21 +309,14 @@ will remove all tables and whatever they contain, effectively leading to an empty ruleset - no packet filtering will happen anymore, so the kernel accepts any valid packet it receives. -.TP -\*(T<\fBexport\fR\*(T> -Print the ruleset in machine readable format. The -mandatory \fIformat\fR parameter -may be either \*(T or -\*(T. .PP It is possible to limit \fBlist\fR and \fBflush\fR to a specific address family only. For a list of valid family names, see \*(T
above. .PP -Note that contrary to what one might assume, the output generated -by \fBexport\fR is not parseable by -\fBnft -f\fR. Instead, the output of -\fBlist\fR command serves well for that purpose. +By design, \fBlist ruleset\fR command output may be used as +input to \fBnft -f\fR. Effectively, this is the nft-equivalent +of \fBiptables-save\fR and \fBiptables-restore\fR. .SH TABLES 'nh .fi @@ -2240,8 +2227,9 @@ T} T{ pkt_type T} T{ -Packet type: Unicast (addressed to local host), -Broadcast (to all), Multicast (to group). +Packet type: \*(T (addressed to local host), +\*(T (to all), \*(T (to group), +\*(T (addressed to another host). T} .TE .PP 
@@ -4607,6 +4595,59 @@ T} T{ Distribute packets between several queues. T} .TE +.SS "MAP STATEMENT" +The map statement is used to lookup data based on some specific input key. +.PP +'nh +.fi +.ad l +\fIexpression\fR \fBmap {\fR \fIkey\fR \fB:\fR \fIvalue\fR [ +\fB,\fR +\fIkey\fR +\fB:\fR +\fIvalue\fR +]\&... \fB}\fR +.ad b +'hy +.PP +\fBusing the map statement\fR +.PP +.nf +\*(T< +# select DNAT target based on TCP dport: +# connections to port 80 are redirected to 192.168.1.100, +# connections to port 8888 are redirected to 192.168.1.101 +nft add rule ip nat prerouting dnat tcp dport map { 80 : 192.168.1.100, 8888 : 192.168.1.101 } + +# source address based SNAT: +# packets from net 192.168.1.0/24 will appear as originating from 10.0.0.1, +# packets from net 192.168.2.0/24 will appear as originating from 10.0.0.2 +nft add rule ip nat postrouting snat to ip saddr map { 192.168.1.0/24 : 10.0.0.1, 192.168.2.0/24 : 10.0.0.2 } + \*(T> +.fi +.SS "VMAP STATEMENT" +The verdict map (vmap) statement works analogous to the map statement, but contains verdicts as values. +.PP +'nh +.fi +.ad l +\fIexpression\fR \fBvmap {\fR \fIkey\fR \fB:\fR \fIvalue\fR [ +\fB,\fR +\fIkey\fR +\fB:\fR +\fIvalue\fR +]\&... \fB}\fR +.ad b +'hy +.PP +\fBusing the vmap statement\fR +.PP +.nf +\*(T< +# jump to different chains depending on layer 4 protocol type: +nft add rule ip filter input ip protocol vmap { tcp : jump tcp\-chain, udp : jump udp\-chain , icmp : jump icmp\-chain } + \*(T> +.fi .SH "ADDITIONAL COMMANDS" These are some additional commands included in nft. .SS MONITOR diff --git a/SPECS/nftables.spec b/SPECS/nftables.spec index e561487..f8328df 100644 --- a/SPECS/nftables.spec +++ b/SPECS/nftables.spec @@ -1,5 +1,5 @@ %define rpmversion 0.8 -%define specrelease 10%{?dist} +%define specrelease 14%{?dist} %define libnftnlversion 1.0.8-1 Name: nftables 
@@ -39,6 +39,12 @@ Patch12: 0013-nft.8-Fix-reject-statement-documentation.patch Patch13: 0014-doc-reword-insert-position-this-expects-rule-handle-.patch Patch14: 0015-Deprecate-add-insert-rule-position-argument.patch Patch15: 0016-evaluate-explicitly-deny-concatenated-types-in-inter.patch +Patch16: 0017-src-bail-out-when-exporting-ruleset-with-unsupported.patch +Patch17: 0018-monitor-Drop-fake-XML-support.patch +Patch18: 0019-src-Reject-export-vm-json-command.patch +Patch19: 0020-include-fix-build-failure.patch +Patch20: 0021-nft.8-Update-meta-pkt_type-value-description.patch +Patch21: 0022-doc-Add-minimal-description-of-v-map-statements.patch %description Netfilter Tables userspace utilities. @@ -87,6 +93,21 @@ chmod 600 $RPM_BUILD_ROOT/%{_sysconfdir}/nftables/* %{_unitdir}/nftables.service %changelog +* Thu Apr 04 2019 Phil Sutter [0.8-14.el7] +- Update pre-generated nft.8 (Phil Sutter) [1628974] + +* Thu Apr 04 2019 Phil Sutter [0.8-13.el7] +- doc: Add minimal description of (v)map statements (Phil Sutter) [1628974] +- nft.8: Update meta pkt_type value description (Phil Sutter) [1628694] + +* Fri Mar 15 2019 Phil Sutter [0.8-12.el7] +- include: fix build failure (Phil Sutter) [1646336] + +* Fri Mar 15 2019 Phil Sutter [0.8-11.el7] +- src: Reject 'export vm json' command (Phil Sutter) [1646336] +- monitor: Drop fake XML support (Phil Sutter) [1646336] +- src: bail out when exporting ruleset with unsupported output (Phil Sutter) [1646336] + * Wed Jun 20 2018 Phil Sutter [0.8-10.el7] - Bump epoch to allow upgrading from EPEL (Phil Sutter) [1575059]