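# RPM spec for iptables: builds the legacy and nft front-ends, the shared
# libraries, the init/systemd glue and the alternatives wiring that selects
# which backend owns the plain iptables/ip6tables/ebtables/arptables names.

%global script_path %{_libexecdir}/iptables
%global legacy_actions %{_libexecdir}/initscripts/legacy-actions

Name:           iptables
Version:        1.8.7
Release:        11
Summary:        IP packet filter administration utilities
License:        GPLv2 and Artistic Licence 2.0 and ISC
URL:            https://www.netfilter.org/
Source0:        https://www.netfilter.org/projects/iptables/files/iptables-%{version}.tar.bz2
Source1:        iptables.init
Source2:        iptables-config
Source3:        iptables.service
Source4:        sysconfig_iptables
Source5:        sysconfig_ip6tables

# Local fixes and upstream backports, applied in order by autosetup -p1.
Patch0:         bugfix-add-check-fw-in-entry.patch
Patch1:         tests-extensions-add-some-testcases.patch
Patch2:         backport-xshared-Fix-response-to-unprivileged-users.patch
Patch3:         backport-Improve-error-messages-for-unsupported-extensions.patch
Patch4:         backport-nft-Fix-EPERM-handling-for-extensions-without-rev-0.patch
Patch5:         backport-libxtables-Register-only-the-highest-revision-extension.patch
Patch6:         backport-nft-Expand-extended-error-reporting-to-nft_cmd-too.patch
Patch7:         backport-xtables-restore-Extend-failure-error-message.patch
Patch8:         enabled-makecheck-in-extensions.patch

BuildRequires:  bison flex gcc kernel-headers libpcap-devel libselinux-devel systemd
BuildRequires:  libmnl-devel libnetfilter_conntrack-devel libnfnetlink-devel libnftnl-devel
BuildRequires:  autogen autoconf automake libtool
Requires:       %{name}-libs = %{version}-%{release}
Conflicts:      setup < 2.10.4-1
Requires(post): %{_sbindir}/update-alternatives
Requires(postun): %{_sbindir}/update-alternatives
%{?systemd_requires}
Provides:       iptables-utils iptables-services
Obsoletes:      iptables-utils iptables-services

%description
Netfilter is a set of hooks inside the Linux kernel that allows kernel modules
to register callback functions with the network stack. A registered callback
function is then called back for every packet that traverses the respective
hook within the network stack. Iptables is a generic table structure for the
definition of rulesets.
Each rule within an IP table consists of a number of classifiers (iptables
matches) and one connected action (iptables target). Netfilter, ip_tables,
connection tracking (ip_conntrack, nf_conntrack) and the NAT subsystem together
build the major parts of the framework.

%package libs
Summary:        iptables libraries

%description libs
iptables libraries.

%package devel
Summary:        Header files for iptables
Requires:       %{name} = %{version}-%{release} pkgconfig

%description devel
Header files for iptables.

%package nft
Summary:        nftables-backed variants of the iptables tools
Requires:       %{name} = %{version}-%{release}
Obsoletes:      iptables-compat < 1.6.2-4

%description nft
nftables-backed variants of iptables, ip6tables, ebtables and arptables.

%package_help

%prep
%autosetup -n %{name}-%{version} -p1

%build
./autogen.sh
%configure --enable-devel --enable-bpf-compiler --with-kernel=/usr --with-kbuild=/usr --with-ksource=/usr
%disable_rpath
# NOTE(review): presumably dropped so the header from kernel-headers is used
# instead of the bundled copy -- confirm.
rm -f include/linux/types.h
%make_build

%check
make check

%install
%make_install
%delete_la

# Extra development headers that make install does not ship.
install -m 0755 -d %{buildroot}%{_includedir}/iptables
install -m 0644 include/ip*tables.h %{buildroot}%{_includedir}
install -m 0644 include/iptables/internal.h %{buildroot}%{_includedir}/iptables
install -m 0755 -d %{buildroot}%{_includedir}/libipulog/
install -m 0644 include/libipulog/*.h %{buildroot}%{_includedir}/libipulog

# Init scripts: the IPv6 variant is generated from the IPv4 one.
install -m 0755 -d %{buildroot}/%{script_path}
install -m 0755 -c %{SOURCE1} %{buildroot}/%{script_path}/iptables.init
sed -e 's;iptables;ip6tables;g' -e 's;IPTABLES;IP6TABLES;g' < %{SOURCE1} > ip6tables.init
install -m 0755 ip6tables.init %{buildroot}/%{script_path}/ip6tables.init

# Service configuration and saved rulesets are installed root-only (0600).
install -m 0755 -d %{buildroot}%{_sysconfdir}/sysconfig
install -m 0600 -c %{SOURCE2} %{buildroot}%{_sysconfdir}/sysconfig/iptables-config
sed -e 's;iptables;ip6tables;g' -e 's;IPTABLES;IP6TABLES;g' < %{SOURCE2} > ip6tables-config
install -m 0600 -c ip6tables-config %{buildroot}%{_sysconfdir}/sysconfig/ip6tables-config
install -m 0600 -c %{SOURCE4} %{buildroot}%{_sysconfdir}/sysconfig/iptables
install -m 0600 -c %{SOURCE5} %{buildroot}%{_sysconfdir}/sysconfig/ip6tables

# systemd units. The first sed expression also rewrites the helper directory,
# so the last expression restores it: both init scripts are installed under
# the same libexec/iptables directory.
install -m 0755 -d %{buildroot}%{_unitdir}
install -m 0644 -c %{SOURCE3} %{buildroot}%{_unitdir}
sed -e 's;iptables;ip6tables;g' -e 's;IPv4;IPv6;g' -e 's;/usr/libexec/ip6tables;/usr/libexec/iptables;g' < %{SOURCE3} > ip6tables.service
install -m 0644 -c ip6tables.service %{buildroot}%{_unitdir}

# Legacy "save" and "panic" actions that forward to the init scripts.
install -m 0755 -d %{buildroot}/%{legacy_actions}/iptables
install -m 0755 -d %{buildroot}/%{legacy_actions}/ip6tables

pushd %{buildroot}/%{legacy_actions}/iptables
cat << EOF > save
#!/bin/bash
exec %{script_path}/iptables.init save
EOF
chmod 0755 save
popd
sed -e 's;iptables.init;ip6tables.init;g' -e 's;IPTABLES;IP6TABLES;g' < %{buildroot}/%{legacy_actions}/iptables/save > ip6tables.save-legacy
install -m 0755 -c ip6tables.save-legacy %{buildroot}/%{legacy_actions}/ip6tables/save

pushd %{buildroot}/%{legacy_actions}/iptables
cat << EOF > panic
#!/bin/bash
exec %{script_path}/iptables.init panic
EOF
chmod 0755 panic
popd
sed -e 's;iptables.init;ip6tables.init;g' -e 's;IPTABLES;IP6TABLES;g' < %{buildroot}/%{legacy_actions}/iptables/panic > ip6tables.panic-legacy
install -m 0755 -c ip6tables.panic-legacy %{buildroot}/%{legacy_actions}/ip6tables/panic

install -m 0755 iptables/iptables-apply %{buildroot}%{_sbindir}
# The manual page is documentation, not a program: install it without
# execute bits.
install -m 0644 iptables/iptables-apply.8 %{buildroot}%{_mandir}/man8

# Remove /etc/ethertypes (now part of setup)
rm -f %{buildroot}%{_sysconfdir}/ethertypes

# Empty placeholders for paths listed as ghost files below; the real entries
# are the symlinks update-alternatives creates at install time.
touch %{buildroot}%{_libexecdir}/arptables-helper
touch %{buildroot}%{_mandir}/man8/arptables.8
touch %{buildroot}%{_mandir}/man8/arptables-save.8
touch %{buildroot}%{_mandir}/man8/arptables-restore.8
touch %{buildroot}%{_mandir}/man8/ebtables.8

%ldconfig_scriptlets

%post
# Register the legacy backend as a provider of the plain command names.
pfx=%{_sbindir}/iptables
pfx6=%{_sbindir}/ip6tables
%{_sbindir}/update-alternatives --install \
    $pfx iptables $pfx-legacy 10 \
    --slave $pfx6 ip6tables $pfx6-legacy \
    --slave $pfx-restore iptables-restore $pfx-legacy-restore \
    --slave $pfx-save iptables-save $pfx-legacy-save \
    --slave $pfx6-restore ip6tables-restore $pfx6-legacy-restore \
    --slave $pfx6-save ip6tables-save $pfx6-legacy-save
%systemd_post iptables.service ip6tables.service

%preun
%systemd_preun iptables.service ip6tables.service

%postun
# Only on full removal (not upgrade): drop the legacy alternative.
if [ $1 -eq 0 ]; then
    %{_sbindir}/update-alternatives --remove \
        iptables %{_sbindir}/iptables-legacy
fi
%?ldconfig
%systemd_postun iptables.service ip6tables.service

%post nft
# Register the nft backend at the same priority (10) as the legacy one.
pfx=%{_sbindir}/iptables
pfx6=%{_sbindir}/ip6tables
%{_sbindir}/update-alternatives --install \
    $pfx iptables $pfx-nft 10 \
    --slave $pfx6 ip6tables $pfx6-nft \
    --slave $pfx-restore iptables-restore $pfx-nft-restore \
    --slave $pfx-save iptables-save $pfx-nft-save \
    --slave $pfx6-restore ip6tables-restore $pfx6-nft-restore \
    --slave $pfx6-save ip6tables-save $pfx6-nft-save

# A path that resolves to itself is a real file rather than an alternatives
# symlink; remove it so update-alternatives can take over the name.
pfx=%{_sbindir}/ebtables
manpfx=%{_mandir}/man8/ebtables
for sfx in "" "-restore" "-save"; do
    if [ "$(readlink -e "$pfx$sfx")" = "$pfx$sfx" ]; then
        rm -f "$pfx$sfx"
    fi
done
if [ "$(readlink -e "$manpfx.8.gz")" = "$manpfx.8.gz" ]; then
    rm -f "$manpfx.8.gz"
fi
%{_sbindir}/update-alternatives --install \
    $pfx ebtables $pfx-nft 10 \
    --slave $pfx-save ebtables-save $pfx-nft-save \
    --slave $pfx-restore ebtables-restore $pfx-nft-restore \
    --slave $manpfx.8.gz ebtables-man $manpfx-nft.8.gz

pfx=%{_sbindir}/arptables
manpfx=%{_mandir}/man8/arptables
lepfx=%{_libexecdir}/arptables
for sfx in "" "-restore" "-save"; do
    if [ "$(readlink -e "$pfx$sfx")" = "$pfx$sfx" ]; then
        rm -f "$pfx$sfx"
    fi
    if [ "$(readlink -e "$manpfx$sfx.8.gz")" = "$manpfx$sfx.8.gz" ]; then
        rm -f "$manpfx$sfx.8.gz"
    fi
done
if [ "$(readlink -e "$lepfx-helper")" = "$lepfx-helper" ]; then
    rm -f "$lepfx-helper"
fi
%{_sbindir}/update-alternatives --install \
    $pfx arptables $pfx-nft 10 \
    --slave $pfx-save arptables-save $pfx-nft-save \
    --slave $pfx-restore arptables-restore $pfx-nft-restore \
    --slave $manpfx.8.gz arptables-man $manpfx-nft.8.gz \
    --slave $manpfx-save.8.gz arptables-save-man $manpfx-nft-save.8.gz \
    --slave $manpfx-restore.8.gz arptables-restore-man $manpfx-nft-restore.8.gz \
    --slave $lepfx-helper arptables-helper $lepfx-nft-helper

# Restart firewalld only when it is currently active. Ask systemd directly
# instead of querying the rpm database from inside a running transaction and
# parsing human-readable status output.
# NOTE(review): a restart reloads the active ruleset, so filtering may be
# briefly interrupted while the package installs -- confirm this is intended.
if systemctl is-active --quiet firewalld.service 2>/dev/null; then
%systemd_postun_with_restart firewalld.service
fi

%postun nft
# Only on full removal (not upgrade): drop the nft alternatives.
if [ $1 -eq 0 ]; then
    for cmd in iptables ebtables arptables; do
        %{_sbindir}/update-alternatives --remove \
            $cmd %{_sbindir}/$cmd-nft
    done
fi

%files
%defattr(-,root,root)
%license COPYING
%{script_path}/ip*tables.init
# noreplace: an upgrade never overwrites locally edited rules or settings.
%config(noreplace) %{_sysconfdir}/sysconfig/*
%{_sbindir}/nfnl_osf
%{_sbindir}/nfbpf_*
%{_sbindir}/iptables-apply
%{_sbindir}/ip6tables-apply
%{_sbindir}/ip*tables-legacy*
%{_sbindir}/xtables-legacy-multi
%exclude %{_sbindir}/*-nft*
%exclude %{_sbindir}/*-translate
%exclude %{_sbindir}/xtables-monitor
%{_bindir}/iptables-xml
%{_unitdir}/*.service
%dir %{legacy_actions}
%{legacy_actions}/ip*
%{_datadir}/xtables/pf.os
%ghost %{_sbindir}/ip*tables
%ghost %{_sbindir}/ip*tables-restore
%ghost %{_sbindir}/ip*tables-save

%files libs
%defattr(-,root,root)
%{_libdir}/libip*tc.so.*
%{_libdir}/libxtables.so.*
%{_libdir}/libxtables.so.12*
%dir %{_libdir}/xtables
%{_libdir}/xtables/libipt*
%{_libdir}/xtables/libip6t*
%{_libdir}/xtables/libxt*

%files devel
%defattr(-,root,root)
%{_includedir}/*
%{_libdir}/*.so
%{_libdir}/pkgconfig/*.pc

%files nft
%defattr(-,root,root)
%{_sbindir}/iptables-nft*
%{_sbindir}/iptables-restore-translate
%{_sbindir}/iptables-translate
%{_sbindir}/ip6tables-nft*
%{_sbindir}/ip6tables-restore-translate
%{_sbindir}/ip6tables-translate
%{_sbindir}/ebtables-nft*
%{_sbindir}/arptables-nft*
%{_sbindir}/xtables-nft-multi
%{_sbindir}/xtables-monitor
%dir %{_libdir}/xtables
%{_libdir}/xtables/libarpt*
%{_libdir}/xtables/libebt*
%ghost %{_sbindir}/iptables
%ghost %{_sbindir}/iptables-restore
%ghost %{_sbindir}/iptables-save
%ghost %{_sbindir}/ip6tables
%ghost %{_sbindir}/ip6tables-restore
%ghost %{_sbindir}/ip6tables-save
%ghost %{_sbindir}/ebtables
%ghost %{_sbindir}/ebtables-save
%ghost %{_sbindir}/ebtables-restore
%ghost %{_sbindir}/arptables
%ghost %{_sbindir}/arptables-save
%ghost %{_sbindir}/arptables-restore
%ghost %{_libexecdir}/arptables-helper

%files help
%defattr(-,root,root)
%doc INCOMPATIBILITIES
%ghost %{_mandir}/man8/arptables.8.gz
%ghost %{_mandir}/man8/arptables-save.8.gz
%ghost %{_mandir}/man8/arptables-restore.8.gz
%ghost %{_mandir}/man8/ebtables.8.gz
%{_mandir}/man8/xtables-monitor*
%{_mandir}/man8/xtables-translate*
%{_mandir}/man8/*-nft*
%{_mandir}/man8/nfnl_osf*
%{_mandir}/man8/nfbpf_compile*
%{_mandir}/man1/iptables-xml*
%{_mandir}/man8/iptables*
%{_mandir}/man8/ip6tables*
%{_mandir}/man8/xtables-legacy*

%changelog
* Wed Nov 30 2022 huangyu - 1.8.7-11
- Type:feature
- ID:NA
- SUG:NA
- DESC:enabled DT test

* Mon Nov 21 2022 huangyu - 1.8.7-10
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:add some patches

* Thu Sep 29 2022 huangyu - 1.8.7-9
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:add some patches

* Fri Jul 01 2022 xingwei - 1.8.7-8
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:/etc/ethertypes has been moved into the setup package

* Wed Apr 06 2022 chenzhen - 1.8.7-7
- Type:Enhancement
- ID:NA
- SUG:NA
- DESC:add some testcases of extensions

* Thu Mar 24 2022 yanglu - 1.8.7-6
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:delete useless so files

* Wed Mar 02 2022 duyiwei - 1.8.7-5
- change %%systemd_requires to %%{?systemd_requires}

* Wed Feb 23 2022 gaihuiying - 1.8.7-4
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:fix failed message when stop iptables service

* Wed Feb 9 2022 xingwei - 1.8.7-3
- Type:bugfix
- ID:NA
- SUG:restart
- DESC:add check fw in entry

* Mon Aug 02 2021 chenyanpanHW - 1.8.7-2
- DESC: delete -S git from %%autosetup, and delete BuildRequires git

* Fri Jul 23 2021 gaihuiying - 1.8.7-1
- update to 1.8.7

* Sat Jul 25 2020 hanzhijun - 1.8.5-1
- update to 1.8.5

* Thu Apr 16 2020 chenzhen - 1.8.1-5
- Type:cves
- ID:CVE-2019-11360
- SUG:restart
- DESC:fix CVE-2019-11360

* Sat Jan 18 2020 openEuler Buildteam - 1.8.1-4
- add executable permissions to iptables.init

* Wed Jan 15 2020 openEuler Buildteam - 1.8.1-3
- optimization the patch

* Sun Jan 12 2020 openEuler Buildteam - 1.8.1-2
- optimization the patch

* Fri Jan 10 2020 openEuler Buildteam - 1.8.1-1
- Package update

* Thu Nov 7 2019 openEuler Buildteam - 1.8.0-6
- Type:bugfix
- Id:NA
- SUG:NA
- DESC:add iptables-libs package

* Fri Sep 20 2019 openEuler Buildteam - 1.8.0-5
- Package init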