# Install locations for the init helper scripts and for the legacy
# "service <name> <action>" hooks.
%global script_path %{_libexecdir}/iptables
%global legacy_actions %{_libexecdir}/initscripts/legacy-actions

Name:             iptables
Version:          1.8.7
Release:          14
Summary:          IP packet filter administration utilities
License:          GPLv2 and Artistic Licence 2.0 and ISC
URL:              https://www.netfilter.org/

# Upstream release tarball, fetched over HTTPS.
# NOTE(review): no detached signature or keyring is listed among the sources,
# so this spec does not itself verify the tarball; confirm that its checksum
# is pinned by the build infrastructure.
Source0:          https://www.netfilter.org/projects/iptables/files/iptables-%{version}.tar.bz2
# Distribution-provided service integration: init helper, its configuration,
# the systemd unit, and the two files installed as sysconfig/iptables and
# sysconfig/ip6tables.
Source1:          iptables.init
Source2:          iptables-config
Source3:          iptables.service
Source4:          sysconfig_iptables
Source5:          sysconfig_ip6tables

# Local fixes and upstream backports, applied in numeric order by autosetup
# in the prep section.
Patch0:           bugfix-add-check-fw-in-entry.patch
Patch1:           tests-extensions-add-some-testcases.patch
Patch2:           backport-xshared-Fix-response-to-unprivileged-users.patch
Patch3:           backport-Improve-error-messages-for-unsupported-extensions.patch
Patch4:           backport-nft-Fix-EPERM-handling-for-extensions-without-rev-0.patch
Patch5:           backport-libxtables-Register-only-the-highest-revision-extension.patch
Patch6:           backport-nft-Expand-extended-error-reporting-to-nft_cmd-too.patch
Patch7:           backport-xtables-restore-Extend-failure-error-message.patch
Patch8:           enabled-makecheck-in-extensions.patch

Patch9:           backport-extensions-among-Fix-for-use-with-ebtables-restore.patch
Patch10:          backport-extensions-libebt_redirect-Fix-xlate-return-code.patch
Patch11:          backport-extensions-libipt_ttl-Sanitize-xlate-callback.patch
Patch12:          backport-iptables-restore-Free-handle-with-test-also.patch
Patch13:          backport-nft-Plug-memleak-in-nft_rule_zero_counters.patch
Patch14:          backport-iptables-Plug-memleaks-in-print_firewall.patch
Patch15:          backport-ebtables-translate-Print-flush-command-after-parsing-is-finished.patch
Patch16:          backport-xtables-eb-fix-crash-when-opts-isn-t-reallocated.patch
Patch17:          backport-iptables-Fix-handling-of-non-existent-chains.patch

# Build-time toolchain, netfilter libraries and autotools.
BuildRequires:    bison flex gcc kernel-headers libpcap-devel libselinux-devel systemd
BuildRequires:    libmnl-devel libnetfilter_conntrack-devel libnfnetlink-devel libnftnl-devel
BuildRequires:    autogen autoconf automake libtool

# The tools must match the exact build of the shared libraries.
Requires:         %{name}-libs = %{version}-%{release}
# NOTE(review): presumably tied to /etc/ethertypes moving into setup (see the
# install section and the changelog) - confirm the version bound.
Conflicts:        setup < 2.10.4-1

# The post and postun scriptlets call update-alternatives by absolute path.
Requires(post):   %{_sbindir}/update-alternatives
Requires(postun): %{_sbindir}/update-alternatives
%{?systemd_requires}

# This package replaces the former iptables-utils and iptables-services.
Provides:         iptables-utils iptables-services
Obsoletes:        iptables-utils iptables-services
49
50%description
51Netfilter is a set of hooks inside the Linux kernel that allows kernel
52modules to register callback functions with the network stack. A
53registered callback function is then called back for every packet that
54traverses the respective hook within the network stack.
55
56Iptables is a generic table structure for the definition of rulesets.
57Each rule within an IP table consists of a number of classifiers
58(iptables matches) and one connected action (iptables target).
59
60Netfilter, ip_tables, connection tracking (ip_conntrack, nf_conntrack)
61and the NAT subsystem together build the major parts of the framework.
62
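%package libs
# Shared libraries and xtables extension modules (see the libs file list).
Summary:          iptables libraries

%description libs
iptables libraries.

%package devel
# Headers, unversioned library symlinks and pkg-config files. The summary and
# description previously named iproute, a different package.
Summary:          header files for iptables
Requires:         %{name} = %{version}-%{release} pkgconfig

%description devel
Header files for iptables.

%package nft
# nftables-backed variants of the iptables, ebtables and arptables commands.
Summary:          nft package for iptables
Requires:         %{name} = %{version}-%{release}
Obsoletes:        iptables-compat < 1.6.2-4

%description nft
Nft package for iptables.

%package_help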
85
%prep
# Unpack the release tarball and apply every Patch entry with strip level 1.
%autosetup -p1 -n %{name}-%{version}

%build
# Regenerate the autotools build files before configuring.
./autogen.sh
%configure \
    --enable-devel \
    --enable-bpf-compiler \
    --with-kernel=/usr \
    --with-kbuild=/usr \
    --with-ksource=/usr

%disable_rpath

# Drop the bundled copy of linux/types.h before compiling.
# NOTE(review): presumably so the header from kernel-headers is used - confirm.
rm -f include/linux/types.h

%make_build

%check
# Run the upstream test suite against the freshly built tree.
make check
101
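%install
%make_install

# Remove the libtool archive files left behind by make install.
%delete_la

# Public headers for the devel subpackage.
install -d -m 0755 %{buildroot}%{_includedir}/iptables
install -m 0644 include/ip*tables.h %{buildroot}%{_includedir}
install -m 0644 include/iptables/internal.h %{buildroot}%{_includedir}/iptables

install -d -m 0755 %{buildroot}%{_includedir}/libipulog/
install -m 0644 include/libipulog/*.h %{buildroot}%{_includedir}/libipulog

# Init helper scripts. The ip6tables variants of the helper, its config file
# and the unit are generated from the IPv4 sources by textual substitution.
install -d -m 0755 %{buildroot}/%{script_path}
install -m 0755 %{SOURCE1} %{buildroot}/%{script_path}/iptables.init
sed -e 's;iptables;ip6tables;g' -e 's;IPTABLES;IP6TABLES;g' < %{SOURCE1} > ip6tables.init
install -m 0755 ip6tables.init %{buildroot}/%{script_path}/ip6tables.init

# Service configuration and the sysconfig rule files are installed 0600, so
# only root can read them.
install -d -m 0755 %{buildroot}%{_sysconfdir}/sysconfig
install -m 0600 %{SOURCE2} %{buildroot}%{_sysconfdir}/sysconfig/iptables-config
sed -e 's;iptables;ip6tables;g' -e 's;IPTABLES;IP6TABLES;g' < %{SOURCE2} > ip6tables-config
install -m 0600 ip6tables-config %{buildroot}%{_sysconfdir}/sysconfig/ip6tables-config
install -m 0600 %{SOURCE4} %{buildroot}%{_sysconfdir}/sysconfig/iptables
install -m 0600 %{SOURCE5} %{buildroot}%{_sysconfdir}/sysconfig/ip6tables

# systemd units. The first sed expression also rewrites the helper directory
# to .../ip6tables; the last one restores it, because both init scripts are
# installed under the same libexec/iptables directory.
# NOTE(review): the restore expression hard-codes /usr/libexec instead of
# using the libexecdir macro.
install -d -m 0755 %{buildroot}%{_unitdir}
install -m 0644 %{SOURCE3} %{buildroot}%{_unitdir}
sed -e 's;iptables;ip6tables;g' -e 's;IPv4;IPv6;g' -e 's;/usr/libexec/ip6tables;/usr/libexec/iptables;g' < %{SOURCE3} > ip6tables.service
install -m 0644 ip6tables.service %{buildroot}%{_unitdir}

# Legacy "service <name> save|panic" hooks: one-line wrappers that exec the
# matching init helper with the action as its argument.
install -d -m 0755 %{buildroot}/%{legacy_actions}/iptables
install -d -m 0755 %{buildroot}/%{legacy_actions}/ip6tables

for family in iptables ip6tables; do
	for action in save panic; do
		cat << EOF > %{buildroot}/%{legacy_actions}/${family}/${action}
#!/bin/bash
exec %{script_path}/${family}.init ${action}
EOF
		chmod 0755 %{buildroot}/%{legacy_actions}/${family}/${action}
	done
done

# iptables-apply and its man page. The man page is documentation, not a
# program, so it is installed 0644 rather than executable.
install -m 0755 iptables/iptables-apply %{buildroot}%{_sbindir}
install -m 0644 iptables/iptables-apply.8 %{buildroot}%{_mandir}/man8

# Remove /etc/ethertypes (now part of setup)
rm -f %{buildroot}%{_sysconfdir}/ethertypes

# Empty placeholders for paths that the file lists carry as ghost entries;
# on an installed system they are symlinks created by update-alternatives in
# the nft post scriptlet.
touch %{buildroot}%{_libexecdir}/arptables-helper

touch %{buildroot}%{_mandir}/man8/arptables.8
touch %{buildroot}%{_mandir}/man8/arptables-save.8
touch %{buildroot}%{_mandir}/man8/arptables-restore.8
touch %{buildroot}%{_mandir}/man8/ebtables.8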
165
166%ldconfig_scriptlets
167
%post
# Register the legacy backend as an alternative for the iptables command,
# with ip6tables and the save/restore tools following it as slave links.
# The nft subpackage registers its own alternative at the same priority (10).
# NOTE(review): with equal priorities, which backend automatic mode selects
# is not decided by this spec - confirm that this is intended, since it
# determines which rule set the plain iptables command manages.
v4=%{_sbindir}/iptables
v6=%{_sbindir}/ip6tables
%{_sbindir}/update-alternatives --install \
	"${v4}" iptables "${v4}-legacy" 10 \
	--slave "${v6}" ip6tables "${v6}-legacy" \
	--slave "${v4}-restore" iptables-restore "${v4}-legacy-restore" \
	--slave "${v4}-save" iptables-save "${v4}-legacy-save" \
	--slave "${v6}-restore" ip6tables-restore "${v6}-legacy-restore" \
	--slave "${v6}-save" ip6tables-save "${v6}-legacy-save"

%systemd_post iptables.service ip6tables.service
180
%preun
# Standard systemd handling for both units before the package is removed.
%systemd_preun iptables.service ip6tables.service

%postun
# The first scriptlet argument is the number of instances of the package left
# after this transaction: 0 means a full erase rather than an upgrade, and
# only then is the legacy alternative unregistered.
if [ "$1" -eq 0 ]; then
	%{_sbindir}/update-alternatives --remove iptables %{_sbindir}/iptables-legacy
fi
%{?ldconfig}
%systemd_postun iptables.service ip6tables.service
191
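%post nft
# Register the nft backend as an alternative for iptables, with ip6tables and
# the save/restore tools following it as slave links.
pfx=%{_sbindir}/iptables
pfx6=%{_sbindir}/ip6tables
%{_sbindir}/update-alternatives --install \
	$pfx iptables $pfx-nft 10 \
	--slave $pfx6 ip6tables $pfx6-nft \
	--slave $pfx-restore iptables-restore $pfx-nft-restore \
	--slave $pfx-save iptables-save $pfx-nft-save \
	--slave $pfx6-restore ip6tables-restore $pfx6-nft-restore \
	--slave $pfx6-save ip6tables-save $pfx6-nft-save

# ebtables: readlink -e prints the canonical path, so a result equal to the
# path itself means the path exists and is not a symlink. Such a file is
# removed so that update-alternatives can put its own symlink there.
# The comparison uses the POSIX "=" operator with quoted operands, so the
# test does not depend on bash-specific behaviour of "[".
pfx=%{_sbindir}/ebtables
manpfx=%{_mandir}/man8/ebtables
for sfx in "" "-restore" "-save"; do
	if [ "$(readlink -e "$pfx$sfx")" = "$pfx$sfx" ]; then
		rm -f "$pfx$sfx"
	fi
done
if [ "$(readlink -e "$manpfx.8.gz")" = "$manpfx.8.gz" ]; then
	rm -f "$manpfx.8.gz"
fi
%{_sbindir}/update-alternatives --install \
	$pfx ebtables $pfx-nft 10 \
	--slave $pfx-save ebtables-save $pfx-nft-save \
	--slave $pfx-restore ebtables-restore $pfx-nft-restore \
	--slave $manpfx.8.gz ebtables-man $manpfx-nft.8.gz

# arptables: same clean-up as above for the commands, their man pages and
# the helper, followed by registration of the nft variants.
pfx=%{_sbindir}/arptables
manpfx=%{_mandir}/man8/arptables
lepfx=%{_libexecdir}/arptables
for sfx in "" "-restore" "-save"; do
	if [ "$(readlink -e "$pfx$sfx")" = "$pfx$sfx" ]; then
		rm -f "$pfx$sfx"
	fi
	if [ "$(readlink -e "$manpfx$sfx.8.gz")" = "$manpfx$sfx.8.gz" ]; then
		rm -f "$manpfx$sfx.8.gz"
	fi
done
if [ "$(readlink -e "$lepfx-helper")" = "$lepfx-helper" ]; then
	rm -f "$lepfx-helper"
fi
%{_sbindir}/update-alternatives --install \
	$pfx arptables $pfx-nft 10 \
	--slave $pfx-save arptables-save $pfx-nft-save \
	--slave $pfx-restore arptables-restore $pfx-nft-restore \
	--slave $manpfx.8.gz arptables-man $manpfx-nft.8.gz \
	--slave $manpfx-save.8.gz arptables-save-man $manpfx-nft-save.8.gz \
	--slave $manpfx-restore.8.gz arptables-restore-man $manpfx-nft-restore.8.gz \
	--slave $lepfx-helper arptables-helper $lepfx-nft-helper

# Restart firewalld only when it is currently active. The state is read with
# "systemctl is-active", which fails cleanly when firewalld or systemctl is
# absent; this avoids querying the rpm database from inside a running
# transaction and parsing the human-readable "systemctl status" output.
# NOTE(review): the restart is presumably meant to make firewalld pick up the
# newly registered commands - confirm. The postun-with-restart macro is
# reused here in a post scriptlet and its expansion depends on the installed
# systemd macros, so verify that it restarts the service as intended.
if systemctl is-active --quiet firewalld.service >/dev/null 2>&1; then
	%systemd_postun_with_restart firewalld.service
fi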
248
%postun nft
# On a full erase (no instance of the subpackage left) unregister the nft
# alternative of each of the three command families.
if [ "$1" -eq 0 ]; then
	for family in iptables ebtables arptables; do
		%{_sbindir}/update-alternatives --remove "${family}" "%{_sbindir}/${family}-nft"
	done
fi
256
%files
# defattr keeps the modes set in the install section, so the sysconfig files
# stay 0600; ownership is forced to root:root.
%defattr(-,root,root)
%license COPYING
%{script_path}/ip*tables.init
# noreplace: rule and configuration files edited by the administrator are
# not overwritten on upgrade.
%config(noreplace) %{_sysconfdir}/sysconfig/*
%{_sbindir}/nfnl_osf
%{_sbindir}/nfbpf_*
%{_sbindir}/iptables-apply
%{_sbindir}/ip6tables-apply
%{_sbindir}/ip*tables-legacy*
%{_sbindir}/xtables-legacy-multi
# The nft variants, the translate tools and xtables-monitor are listed in
# the nft subpackage instead.
%exclude %{_sbindir}/*-nft*
%exclude %{_sbindir}/*-translate
%exclude %{_sbindir}/xtables-monitor
%{_bindir}/iptables-xml
%{_unitdir}/*.service
%dir %{legacy_actions}
%{legacy_actions}/ip*
%{_datadir}/xtables/pf.os
# Owned but not shipped: these links are created by update-alternatives.
%ghost %{_sbindir}/ip*tables
%ghost %{_sbindir}/ip*tables-restore
%ghost %{_sbindir}/ip*tables-save
279
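%files libs
%defattr(-,root,root)
%{_libdir}/libip*tc.so.*
# This glob already covers the libxtables.so.12 files; the separate
# libxtables.so.12 entry listed the same files a second time and was dropped.
%{_libdir}/libxtables.so.*
# Extension modules for the IPv4, IPv6 and family-independent matches and
# targets; the arptables and ebtables modules belong to the nft subpackage.
%dir %{_libdir}/xtables
%{_libdir}/xtables/libipt*
%{_libdir}/xtables/libip6t*
%{_libdir}/xtables/libxt*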
289
%files devel
# Headers, unversioned shared-library links and pkg-config metadata.
%defattr(-,root,root)
%{_includedir}/*
%{_libdir}/*.so
%{_libdir}/pkgconfig/*.pc
295
%files nft
%defattr(-,root,root)
# nft-backed commands and the rule translation tools.
%{_sbindir}/iptables-nft*
%{_sbindir}/iptables-restore-translate
%{_sbindir}/iptables-translate
%{_sbindir}/ip6tables-nft*
%{_sbindir}/ip6tables-restore-translate
%{_sbindir}/ip6tables-translate
%{_sbindir}/ebtables-nft*
%{_sbindir}/arptables-nft*
%{_sbindir}/xtables-nft-multi
%{_sbindir}/xtables-monitor
# arptables and ebtables extension modules.
%dir %{_libdir}/xtables
%{_libdir}/xtables/libarpt*
%{_libdir}/xtables/libebt*
# Owned but not shipped: these paths are created by update-alternatives in
# the post scriptlet of this subpackage.
%ghost %{_sbindir}/iptables
%ghost %{_sbindir}/iptables-restore
%ghost %{_sbindir}/iptables-save
%ghost %{_sbindir}/ip6tables
%ghost %{_sbindir}/ip6tables-restore
%ghost %{_sbindir}/ip6tables-save
%ghost %{_sbindir}/ebtables
%ghost %{_sbindir}/ebtables-save
%ghost %{_sbindir}/ebtables-restore
%ghost %{_sbindir}/arptables
%ghost %{_sbindir}/arptables-save
%ghost %{_sbindir}/arptables-restore
%ghost %{_libexecdir}/arptables-helper
324
%files help
%defattr(-,root,root)
%doc INCOMPATIBILITIES
# Man page links managed by update-alternatives (slave links registered by
# the nft subpackage); owned here but not shipped.
%ghost %{_mandir}/man8/arptables.8.gz
%ghost %{_mandir}/man8/arptables-save.8.gz
%ghost %{_mandir}/man8/arptables-restore.8.gz
%ghost %{_mandir}/man8/ebtables.8.gz
# Man pages shipped by the package.
%{_mandir}/man8/xtables-monitor*
%{_mandir}/man8/xtables-translate*
%{_mandir}/man8/*-nft*
%{_mandir}/man8/nfnl_osf*
%{_mandir}/man8/nfbpf_compile*
%{_mandir}/man1/iptables-xml*
%{_mandir}/man8/iptables*
%{_mandir}/man8/ip6tables*
%{_mandir}/man8/xtables-legacy*
341
342%changelog
343* Mon Aug 14 2023 zhanghao <zhanghao383@huawei.com> - 1.8.7-14
344- Type:bugfix
345- CVE:NA
346- SUG:NA
347- DESC:iptables: Fix handling of non-existent chains
348
349* Wed Apr 12 2023 zhanghao <zhanghao383@huawei.com> - 1.8.7-13
350- Type:bugfix
351- CVE:NA
352- SUG:NA
353- DESC:xtables-eb: fix crash when opts isn't reallocated
354
355* Tue Mar 21 2023 zhanghao <zhanghao383@huawei.com> - 1.8.7-12
356- Type:bugfix
357- CVE:NA
358- SUG:NA
359- DESC:extensions among Fix for use with ebtables restore
360extensions libebt redirect Fix xlate return code
361extensions libipt ttl Sanitize xlate callback
362iptables restore  Free handle with test also
363nft Plug memleak in nft rule zero counters
364iptables Plug memleaks in print firewall
365ebtables translate Print flush command after parsing is finished
366
367* Wed Nov 30 2022 huangyu <huangyu106@huawei.com> - 1.8.7-11
368- Type:feature
369- ID:NA
370- SUG:NA
371- DESC:enabled DT test
372
373* Mon Nov 21 2022 huangyu <huangyu106@huawei.com> - 1.8.7-10
374- Type:bugfix
375- ID:NA
376- SUG:NA
377- DESC:add some patches
378
379* Thu Sep 29 2022 huangyu <huangyu106@huawei.com> - 1.8.7-9
380- Type:bugfix
381- ID:NA
382- SUG:NA
383- DESC:add some patches
384
385* Fri Jul 01 2022 xingwei <xingwei14@h-partners.com> - 1.8.7-8
386- Type:bugfix
387- ID:NA
388- SUG:NA
389- DESC:/etc/ethertypes has been moved into the setup package
390
391* Wed Apr 06 2022 chenzhen <vchanger123456@163.com> - 1.8.7-7
392- Type:Enhancement
393- ID:NA
394- SUG:NA
395- DESC:add some testcases of extensions
396
397* Thu Mar 24 2022 yanglu <yanglu72@h-partners.com> - 1.8.7-6
398- Type:bugfix
399- ID:NA
400- SUG:NA
401- DESC:delete useless so files
402
403* Wed Mar 02 2022 duyiwei <duyiwei@kylinos.cn> - 1.8.7-5
404- change %systemd_requires to %{?systemd_requires}
405
406* Wed Feb 23 2022 gaihuiying <eaglegai@163.com> - 1.8.7-4
407- Type:bugfix
408- ID:NA
409- SUG:NA
410- DESC:fix failed message when stop iptables service
411
412* Wed Feb 9 2022 xingwei <xingwei14@h-partners.com> - 1.8.7-3
413- Type:bugfix
414- ID:NA
415- SUG:restart
416- DESC:add check fw in entry
417
418* Mon Aug 02 2021 chenyanpanHW <chenyanpan@huawei.com> - 1.8.7-2
419- DESC: delete -S git from %autosetup, and delete BuildRequires git
420
421* Fri Jul 23 2021 gaihuiying <gaihuiying11@huawei.com> - 1.8.7-1
422- update to 1.8.7
423
424* Sat Jul 25 2020 hanzhijun <hanzhijun1@huawei.com> - 1.8.5-1
425- update to 1.8.5
426
427* Thu Apr 16 2020 chenzhen <chenzhen44@huawei.com> - 1.8.1-5
428- Type:cves
429- ID:CVE-2019-11360
430- SUG:restart
431- DESC:fix CVE-2019-11360
432
433* Sat Jan 18 2020 openEuler Buildteam <buildteam@openeuler.org> - 1.8.1-4
434- add executable permissions to iptables.init
435
436* Wed Jan 15 2020 openEuler Buildteam <buildteam@openeuler.org> - 1.8.1-3
437- optimization the patch
438
439* Sun Jan 12 2020 openEuler Buildteam <buildteam@openeuler.org> - 1.8.1-2
440- optimization the patch
441
442* Fri Jan 10 2020 openEuler Buildteam <buildteam@openeuler.org> - 1.8.1-1
443- Package update
444
445* Thu Nov 7 2019 openEuler Buildteam <buildteam@openeuler.org> - 1.8.0-6
446- Type:bugfix
447- Id:NA
448- SUG:NA
449- DESC:add iptables-libs package
450
451* Fri Sep 20 2019 openEuler Buildteam <buildteam@openeuler.org> - 1.8.0-5
452- Package init
453