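# Install locations for the init scripts and for the legacy
# "service <name> <action>" hooks.
%global script_path %{_libexecdir}/iptables
%global legacy_actions %{_libexecdir}/initscripts/legacy-actions

Name:           iptables
Version:        1.8.7
Release:        11
Summary:        IP packet filter administration utilities
License:        GPLv2 and Artistic Licence 2.0 and ISC
URL:            https://www.netfilter.org/
# NOTE(review): no signature or checksum for the upstream tarball is
# referenced in this spec; if its integrity is verified, that happens
# outside this file - confirm.
Source0:        https://www.netfilter.org/projects/iptables/files/iptables-%{version}.tar.bz2
Source1:        iptables.init
Source2:        iptables-config
Source3:        iptables.service
Source4:        sysconfig_iptables
Source5:        sysconfig_ip6tables

# Patches are applied in the order listed, with strip level 1 (see the prep section).
Patch0:         bugfix-add-check-fw-in-entry.patch
Patch1:         tests-extensions-add-some-testcases.patch
Patch2:         backport-xshared-Fix-response-to-unprivileged-users.patch
Patch3:         backport-Improve-error-messages-for-unsupported-extensions.patch
Patch4:         backport-nft-Fix-EPERM-handling-for-extensions-without-rev-0.patch
Patch5:         backport-libxtables-Register-only-the-highest-revision-extension.patch
Patch6:         backport-nft-Expand-extended-error-reporting-to-nft_cmd-too.patch
Patch7:         backport-xtables-restore-Extend-failure-error-message.patch
Patch8:         enabled-makecheck-in-extensions.patch

BuildRequires:  bison flex gcc kernel-headers libpcap-devel libselinux-devel systemd
BuildRequires:  libmnl-devel libnetfilter_conntrack-devel libnfnetlink-devel libnftnl-devel
BuildRequires:  autogen autoconf automake libtool

Requires:       %{name}-libs = %{version}-%{release}
Conflicts:      setup < 2.10.4-1

# The scriptlets below call update-alternatives, so it must be present
# before they run.
Requires(post): %{_sbindir}/update-alternatives
Requires(postun): %{_sbindir}/update-alternatives
%{?systemd_requires}

Provides:       iptables-utils iptables-services
Obsoletes:      iptables-utils iptables-services

%description
Netfilter is a set of hooks inside the Linux kernel that allows kernel
modules to register callback functions with the network stack. A
registered callback function is then called back for every packet that
traverses the respective hook within the network stack.

Iptables is a generic table structure for the definition of rulesets.
Each rule within an IP table consists of a number of classifiers
(iptables matches) and one connected action (iptables target).

Netfilter, ip_tables, connection tracking (ip_conntrack, nf_conntrack)
and the NAT subsystem together build the major parts of the framework.

%package libs
Summary:        iptables libraries

%description libs
iptables libraries.

%package devel
# The summary and description previously named "iproute", a copy-paste
# slip; this subpackage ships the iptables headers.
Summary:        header files for iptables
Requires:       %{name} = %{version}-%{release} pkgconfig

%description devel
Header files for iptables.

%package nft
# Same correction as for devel: this is the nftables-backed variant of iptables.
Summary:        nft package for iptables
Requires:       %{name} = %{version}-%{release}
Obsoletes:      iptables-compat < 1.6.2-4

%description nft
Nft package for iptables.

%package_help

%prep
%autosetup -n %{name}-%{version} -p1

%build
./autogen.sh
# Kernel headers are looked up under /usr (kernel-headers is a BuildRequires).
%configure --enable-devel --enable-bpf-compiler --with-kernel=/usr --with-kbuild=/usr --with-ksource=/usr

%disable_rpath

# presumably so the system linux/types.h is used instead of the bundled copy - confirm
rm -f include/linux/types.h

%make_build

%check
# Patch8 (enabled-makecheck-in-extensions) presumably wires the extension
# tests into this target - confirm.
make check

%install
%make_install

%delete_la

# Public headers for the devel subpackage.
install -m 0755 -d %{buildroot}%{_includedir}/iptables
install -m 0644 include/ip*tables.h %{buildroot}%{_includedir}
install -m 0644 include/iptables/internal.h %{buildroot}%{_includedir}/iptables

install -m 0755 -d %{buildroot}%{_includedir}/libipulog/
install -m 0644 include/libipulog/*.h %{buildroot}%{_includedir}/libipulog

# Init scripts: the IPv6 variant is generated from the IPv4 one by substitution.
install -m 0755 -d %{buildroot}/%{script_path}
install -m 0755 -c %{SOURCE1} %{buildroot}/%{script_path}/iptables.init
sed -e 's;iptables;ip6tables;g' -e 's;IPTABLES;IP6TABLES;g' < %{SOURCE1} > ip6tables.init
install -m 0755 ip6tables.init %{buildroot}/%{script_path}/ip6tables.init

# Service configuration and saved rule sets are installed 0600, i.e.
# readable and writable by the owner only.
install -m 0755 -d %{buildroot}%{_sysconfdir}/sysconfig
install -m 0600 -c %{SOURCE2} %{buildroot}%{_sysconfdir}/sysconfig/iptables-config
sed -e 's;iptables;ip6tables;g' -e 's;IPTABLES;IP6TABLES;g' < %{SOURCE2} > ip6tables-config
install -m 0600 -c ip6tables-config %{buildroot}%{_sysconfdir}/sysconfig/ip6tables-config
install -m 0600 -c %{SOURCE4} %{buildroot}%{_sysconfdir}/sysconfig/iptables
install -m 0600 -c %{SOURCE5} %{buildroot}%{_sysconfdir}/sysconfig/ip6tables

# systemd units. The last sed expression restores the libexec directory
# name, which the first expression also rewrote: both init scripts live
# in the same iptables directory.
install -m 0755 -d %{buildroot}%{_unitdir}
install -m 0644 -c %{SOURCE3} %{buildroot}%{_unitdir}
sed -e 's;iptables;ip6tables;g' -e 's;IPv4;IPv6;g' -e 's;/usr/libexec/ip6tables;/usr/libexec/iptables;g' < %{SOURCE3} > ip6tables.service
install -m 0644 -c ip6tables.service %{buildroot}%{_unitdir}

# Legacy "service iptables save|panic" hooks: one-line wrappers that exec
# the init script with the same action. The ip6tables wrappers are derived
# from the iptables ones.
install -m 0755 -d %{buildroot}/%{legacy_actions}/iptables
install -m 0755 -d %{buildroot}/%{legacy_actions}/ip6tables

for action in save panic; do
    cat << EOF > %{buildroot}/%{legacy_actions}/iptables/$action
#!/bin/bash
exec %{script_path}/iptables.init $action
EOF
    chmod 0755 %{buildroot}/%{legacy_actions}/iptables/$action
    sed -e 's;iptables.init;ip6tables.init;g' -e 's;IPTABLES;IP6TABLES;g' \
        < %{buildroot}/%{legacy_actions}/iptables/$action > ip6tables.$action-legacy
    install -m 0755 -c ip6tables.$action-legacy %{buildroot}/%{legacy_actions}/ip6tables/$action
done

install -m 0755 iptables/iptables-apply %{buildroot}%{_sbindir}
# A manual page is data, not a program: install it 0644 rather than 0755.
install -m 0644 iptables/iptables-apply.8 %{buildroot}%{_mandir}/man8

# Remove /etc/ethertypes (now part of setup)
rm -f %{buildroot}%{_sysconfdir}/ethertypes

# Empty placeholders for paths that are only listed as ghost entries;
# the real targets are put in place by update-alternatives at install time.
touch %{buildroot}%{_libexecdir}/arptables-helper

touch %{buildroot}%{_mandir}/man8/arptables.8
touch %{buildroot}%{_mandir}/man8/arptables-save.8
touch %{buildroot}%{_mandir}/man8/arptables-restore.8
touch %{buildroot}%{_mandir}/man8/ebtables.8

%ldconfig_scriptlets

%post
# Register the legacy backend as a provider of the generic command names.
# NOTE(review): the legacy and nft backends both register with priority 10.
# Confirm which one is selected in automatic mode when both subpackages are
# installed: rules loaded through one backend are not listed by the other.
pfx=%{_sbindir}/iptables
pfx6=%{_sbindir}/ip6tables
%{_sbindir}/update-alternatives --install \
    $pfx iptables $pfx-legacy 10 \
    --slave $pfx6 ip6tables $pfx6-legacy \
    --slave $pfx-restore iptables-restore $pfx-legacy-restore \
    --slave $pfx-save iptables-save $pfx-legacy-save \
    --slave $pfx6-restore ip6tables-restore $pfx6-legacy-restore \
    --slave $pfx6-save ip6tables-save $pfx6-legacy-save

%systemd_post iptables.service ip6tables.service

%preun
%systemd_preun iptables.service ip6tables.service

%postun
# Argument 0 means final removal, not an upgrade.
if [ $1 -eq 0 ]; then
    %{_sbindir}/update-alternatives --remove \
        iptables %{_sbindir}/iptables-legacy
fi
%?ldconfig
%systemd_postun iptables.service ip6tables.service

%post nft
pfx=%{_sbindir}/iptables
pfx6=%{_sbindir}/ip6tables
%{_sbindir}/update-alternatives --install \
    $pfx iptables $pfx-nft 10 \
    --slave $pfx6 ip6tables $pfx6-nft \
    --slave $pfx-restore iptables-restore $pfx-nft-restore \
    --slave $pfx-save iptables-save $pfx-nft-save \
    --slave $pfx6-restore ip6tables-restore $pfx6-nft-restore \
    --slave $pfx6-save ip6tables-save $pfx6-nft-save

# "readlink -e" prints the path itself only when it exists and is not a
# symlink. Such a regular file is removed, presumably so that
# update-alternatives can create its link at that path.
# NOTE(review): the file is deleted regardless of which package owns it;
# confirm no installed package still ships these paths.
pfx=%{_sbindir}/ebtables
manpfx=%{_mandir}/man8/ebtables
for sfx in "" "-restore" "-save"; do
    if [ "$(readlink -e "$pfx$sfx")" = "$pfx$sfx" ]; then
        rm -f "$pfx$sfx"
    fi
done
if [ "$(readlink -e "$manpfx.8.gz")" = "$manpfx.8.gz" ]; then
    rm -f "$manpfx.8.gz"
fi
%{_sbindir}/update-alternatives --install \
    $pfx ebtables $pfx-nft 10 \
    --slave $pfx-save ebtables-save $pfx-nft-save \
    --slave $pfx-restore ebtables-restore $pfx-nft-restore \
    --slave $manpfx.8.gz ebtables-man $manpfx-nft.8.gz

# Same clean-up and registration for arptables, its manual pages and helper.
pfx=%{_sbindir}/arptables
manpfx=%{_mandir}/man8/arptables
lepfx=%{_libexecdir}/arptables
for sfx in "" "-restore" "-save"; do
    if [ "$(readlink -e "$pfx$sfx")" = "$pfx$sfx" ]; then
        rm -f "$pfx$sfx"
    fi
    if [ "$(readlink -e "$manpfx$sfx.8.gz")" = "$manpfx$sfx.8.gz" ]; then
        rm -f "$manpfx$sfx.8.gz"
    fi
done
if [ "$(readlink -e "$lepfx-helper")" = "$lepfx-helper" ]; then
    rm -f "$lepfx-helper"
fi
%{_sbindir}/update-alternatives --install \
    $pfx arptables $pfx-nft 10 \
    --slave $pfx-save arptables-save $pfx-nft-save \
    --slave $pfx-restore arptables-restore $pfx-nft-restore \
    --slave $manpfx.8.gz arptables-man $manpfx-nft.8.gz \
    --slave $manpfx-save.8.gz arptables-save-man $manpfx-nft-save.8.gz \
    --slave $manpfx-restore.8.gz arptables-restore-man $manpfx-nft-restore.8.gz \
    --slave $lepfx-helper arptables-helper $lepfx-nft-helper

# Restart firewalld only when it is currently active, so it picks up the
# newly registered backend. The unit state is queried directly instead of
# running an rpm query inside the transaction and parsing the
# human-readable status output.
if systemctl is-active --quiet firewalld.service 2>/dev/null; then
    %systemd_postun_with_restart firewalld.service
fi

%postun nft
# Argument 0 means final removal, not an upgrade.
if [ $1 -eq 0 ]; then
    for cmd in iptables ebtables arptables; do
        %{_sbindir}/update-alternatives --remove \
            $cmd %{_sbindir}/$cmd-nft
    done
fi

%files
%defattr(-,root,root)
%license COPYING
%{script_path}/ip*tables.init
# noreplace: an administrator's edited configuration and saved rules
# survive a package upgrade.
%config(noreplace) %{_sysconfdir}/sysconfig/*
%{_sbindir}/nfnl_osf
%{_sbindir}/nfbpf_*
%{_sbindir}/iptables-apply
%{_sbindir}/ip6tables-apply
%{_sbindir}/ip*tables-legacy*
%{_sbindir}/xtables-legacy-multi
# The nft-backed tools are listed in the nft subpackage instead.
%exclude %{_sbindir}/*-nft*
%exclude %{_sbindir}/*-translate
%exclude %{_sbindir}/xtables-monitor
%{_bindir}/iptables-xml
%{_unitdir}/*.service
%dir %{legacy_actions}
%{legacy_actions}/ip*
%{_datadir}/xtables/pf.os
# Generic command names are created by update-alternatives, not shipped.
%ghost %{_sbindir}/ip*tables
%ghost %{_sbindir}/ip*tables-restore
%ghost %{_sbindir}/ip*tables-save

%files libs
%defattr(-,root,root)
%{_libdir}/libip*tc.so.*
# This glob already covers the versioned libxtables.so.12 names, so the
# separate entry for them was dropped to avoid listing the files twice.
%{_libdir}/libxtables.so.*
%dir %{_libdir}/xtables
%{_libdir}/xtables/libipt*
%{_libdir}/xtables/libip6t*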
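# Last entry of the libs file list.
%{_libdir}/xtables/libxt*

%files devel
%defattr(-,root,root)
%{_includedir}/*
%{_libdir}/*.so
%{_libdir}/pkgconfig/*.pc

%files nft
%defattr(-,root,root)
%{_sbindir}/iptables-nft*
%{_sbindir}/iptables-restore-translate
%{_sbindir}/iptables-translate
%{_sbindir}/ip6tables-nft*
%{_sbindir}/ip6tables-restore-translate
%{_sbindir}/ip6tables-translate
%{_sbindir}/ebtables-nft*
%{_sbindir}/arptables-nft*
%{_sbindir}/xtables-nft-multi
%{_sbindir}/xtables-monitor
%dir %{_libdir}/xtables
%{_libdir}/xtables/libarpt*
%{_libdir}/xtables/libebt*
# Generic command names are owned as ghost entries: the files themselves
# are links managed by update-alternatives, not package payload.
%ghost %{_sbindir}/iptables
%ghost %{_sbindir}/iptables-restore
%ghost %{_sbindir}/iptables-save
%ghost %{_sbindir}/ip6tables
%ghost %{_sbindir}/ip6tables-restore
%ghost %{_sbindir}/ip6tables-save
%ghost %{_sbindir}/ebtables
%ghost %{_sbindir}/ebtables-save
%ghost %{_sbindir}/ebtables-restore
%ghost %{_sbindir}/arptables
%ghost %{_sbindir}/arptables-save
%ghost %{_sbindir}/arptables-restore
%ghost %{_libexecdir}/arptables-helper

%files help
%defattr(-,root,root)
%doc INCOMPATIBILITIES
%ghost %{_mandir}/man8/arptables.8.gz
%ghost %{_mandir}/man8/arptables-save.8.gz
%ghost %{_mandir}/man8/arptables-restore.8.gz
%ghost %{_mandir}/man8/ebtables.8.gz
%{_mandir}/man8/xtables-monitor*
%{_mandir}/man8/xtables-translate*
%{_mandir}/man8/*-nft*
%{_mandir}/man8/nfnl_osf*
%{_mandir}/man8/nfbpf_compile*
%{_mandir}/man1/iptables-xml*
%{_mandir}/man8/iptables*
%{_mandir}/man8/ip6tables*
%{_mandir}/man8/xtables-legacy*
# Percent signs in the changelog text below are doubled so that rpm keeps
# them literal instead of expanding them as macros.

%changelog
* Wed Nov 30 2022 huangyu <huangyu106@huawei.com> - 1.8.7-11
- Type:feature
- ID:NA
- SUG:NA
- DESC:enabled DT test

* Mon Nov 21 2022 huangyu <huangyu106@huawei.com> - 1.8.7-10
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:add some patches

* Thu Sep 29 2022 huangyu <huangyu106@huawei.com> - 1.8.7-9
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:add some patches

* Fri Jul 01 2022 xingwei <xingwei14@h-partners.com> - 1.8.7-8
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:/etc/ethertypes has been moved into the setup package

* Wed Apr 06 2022 chenzhen <vchanger123456@163.com> - 1.8.7-7
- Type:Enhancement
- ID:NA
- SUG:NA
- DESC:add some testcases of extensions

* Thu Mar 24 2022 yanglu <yanglu72@h-partners.com> - 1.8.7-6
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:delete useless so files

* Wed Mar 02 2022 duyiwei <duyiwei@kylinos.cn> - 1.8.7-5
- change %%systemd_requires to %%{?systemd_requires}

* Wed Feb 23 2022 gaihuiying <eaglegai@163.com> - 1.8.7-4
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:fix failed message when stop iptables service

* Wed Feb 9 2022 xingwei <xingwei14@h-partners.com> - 1.8.7-3
- Type:bugfix
- ID:NA
- SUG:restart
- DESC:add check fw in entry

* Mon Aug 02 2021 chenyanpanHW <chenyanpan@huawei.com> - 1.8.7-2
- DESC: delete -S git from %%autosetup, and delete BuildRequires git

* Fri Jul 23 2021 gaihuiying <gaihuiying11@huawei.com> - 1.8.7-1
- update to 1.8.7

* Sat Jul 25 2020 hanzhijun <hanzhijun1@huawei.com> - 1.8.5-1
- update to 1.8.5

* Thu Apr 16 2020 chenzhen <chenzhen44@huawei.com> - 1.8.1-5
- Type:cves
- ID:CVE-2019-11360
- SUG:restart
- DESC:fix CVE-2019-11360

* Sat Jan 18 2020 openEuler Buildteam <buildteam@openeuler.org> - 1.8.1-4
- add executable permissions to iptables.init

* Wed Jan 15 2020 openEuler Buildteam <buildteam@openeuler.org> - 1.8.1-3
- optimization the patch

* Sun Jan 12 2020 openEuler Buildteam <buildteam@openeuler.org> - 1.8.1-2
- optimization the patch

* Fri Jan 10 2020 openEuler Buildteam <buildteam@openeuler.org> - 1.8.1-1
- Package update

* Thu Nov 7 2019 openEuler Buildteam <buildteam@openeuler.org> - 1.8.0-6
- Type:bugfix
- Id:NA
- SUG:NA
- DESC:add iptables-libs package

* Fri Sep 20 2019 openEuler Buildteam <buildteam@openeuler.org> - 1.8.0-5
- Package init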