# # TODO: # - update BR to real required llh version # - check if kernel-headers are still required to properly build iptabels for dist kernel # - fix makefile (-D_UNKNOWN_KERNEL_POINTER_SIZE issue) # - owner needs rewrite to xt # # Conditional build: %bcond_without doc # without documentation (HOWTOS) which needed TeX %bcond_without dist_kernel # without distribution kernel %bcond_without pcap # pcap-dependend utils (nfbpf_compile, nfsynproxy) %bcond_with vserver # build xt_owner module for non-dist kernel with vserver support %bcond_with batch # build iptables-batch %bcond_with static # build static libraries, no dynamic modules (all linked into binaries) %bcond_with ipt_IPV4OPTSSTRIP # enable ipt_IPV4OPTSSTRIP for non-dist kernel %bcond_with ipt_rpc # enable ipt_rpc for non-dist kernel %bcond_with xt_layer7 # enable xt_layer7 for non-dist kernel %bcond_with usekernelsrc # include kernel headers from %{_kernelsrcdir} %if %{with dist_kernel} %define with_ipt_IPV4OPTSSTRIP 1 %define with_ipt_rpc 1 %define with_xt_layer7 1 %define with_vserver 1 %endif %define name6 ip6tables Summary: Extensible packet filtering system && extensible NAT system Summary(pl.UTF-8): System filtrowania pakietów oraz system translacji adresów (NAT) Summary(pt_BR.UTF-8): Ferramenta para controlar a filtragem de pacotes no kernel-2.6.x Summary(ru.UTF-8): Утилиты для управления пакетными фильтрами ядра Linux Summary(uk.UTF-8): Утиліти для керування пакетними фільтрами ядра Linux Summary(zh_CN.UTF-8): Linux内核包过滤管理工具 Name: iptables Version: 1.4.21 Release: 2 License: GPL v2 Group: Networking/Admin Source0: ftp://ftp.netfilter.org/pub/iptables/%{name}-%{version}.tar.bz2 # Source0-md5: 536d048c8e8eeebcd9757d0863ebb0c0 Source1: cvs://cvs.samba.org/netfilter/%{name}-howtos.tar.bz2 # Source1-md5: 2ed2b452daefe70ededd75dc0061fd07 Source2: %{name}.init Source3: %{name6}.init Source4: %{name}.upstart Source5: %{name6}.upstart Source6: %{name}-config Source7: %{name6}-config Source8: %{name}.service Source9: %{name6}.service # --- GENERAL CHANGES (patches<10): Patch0: %{name}-man.patch # additional utils; off by default Patch1: %{name}-batch.patch Patch2: no-libiptc.patch Patch3: %{name}-aligned_u64.patch # --- ADDITIONAL/CHANGED EXTENSIONS: # just ipt_IPV4OPTSSTRIP now Patch10: %{name}-20070806.patch # xt_layer7; almost based on iptables-1.4-for-kernel-2.6.20forward-layer7-2.18.patch # http://downloads.sourceforge.net/l7-filter/netfilter-layer7-v2.18.tar.gz Patch11: %{name}-layer7.patch # ipt_rpc Patch12: %{name}-old-1.3.7.patch # xt_IMQ; http://linuximq.net/patchs/iptables-1.4.12-IMQ-test4.diff Patch13: %{name}-imq.patch # enhances ipt_owner/ip6t_owner; http://people.linux-vserver.org/~dhozac/p/m/iptables-1.3.5-owner-xid.patch (currently disabled, needs update for xt_owner) Patch14: %{name}-1.3.5-owner-xid.patch # adjusts xt_owner for vserver-enabled kernel Patch15: %{name}-owner-struct-size-vs.patch # ipt_stealth; currently disabled (broken, see below) Patch16: %{name}-stealth.patch URL: http://www.netfilter.org/ BuildRequires: autoconf >= 2.50 BuildRequires: automake BuildRequires: groff BuildRequires: libnetfilter_conntrack-devel >= 1.0.4 BuildRequires: libnfnetlink-devel >= 1.0 %{?with_pcap:BuildRequires: libpcap-devel} BuildRequires: libtool BuildRequires: pkgconfig >= 1:0.9.0 BuildRequires: rpmbuild(macros) >= 1.647 %if %{with doc} BuildRequires: sed >= 4.0 BuildRequires: sgml-tools BuildRequires: sgmls BuildRequires: tetex-dvips BuildRequires: tetex-format-latex BuildRequires: tetex-latex BuildRequires: tetex-tex-babel BuildRequires: texlive-fonts-cmsuper BuildRequires: texlive-fonts-jknappen %endif %if %{with dist_kernel} BuildRequires: kernel%{_alt_kernel}-headers(netfilter) %endif BuildRequires: linux-libc-headers >= 7:2.6.22.1 Requires: %{name}-libs = %{version}-%{release} Requires: libnetfilter_conntrack >= 1.0.4 Requires: libnfnetlink >= 1.0 Provides: firewall-userspace-tool Obsoletes: ipchains Obsoletes: iptables24-compat Obsoletes: netfilter Conflicts: xtables-addons < 1.25 BuildRoot: %{tmpdir}/%{name}-%{version}-root-%(id -u -n) %description An extensible NAT system, and an extensible packet filtering system. Replacement of ipchains in 2.4 and higher kernels. %description -l pl.UTF-8 Wydajny system translacji adresów (NAT) oraz system filtrowania pakietów. Zamiennik ipchains w jądrach 2.4 i nowszych. %description -l pt_BR.UTF-8 Esta é a ferramenta que controla o código de filtragem de pacotes do kernel 2.4, obsoletando ipchains. Com esta ferramenta você pode configurar filtros de pacotes, NAT, mascaramento (masquerading), regras dinâmicas (stateful inspection), etc. %description -l ru.UTF-8 iptables управляют кодом фильтрации сетевых пакетов в ядре Linux. Они позволяют вам устанавливать межсетевые экраны (firewalls) и IP маскарадинг, и т.п. %description -l uk.UTF-8 iptables управляють кодом фільтрації пакетів мережі в ядрі Linux. Вони дозволяють вам встановлювати міжмережеві екрани (firewalls) та IP маскарадинг, тощо. %package libs Summary: iptables libraries Summary(pl.UTF-8): Biblioteki iptables Group: Libraries Conflicts: iptables < 1.4.3-1 %description libs iptables libraries. %description libs -l pl.UTF-8 Biblioteki iptables. %package devel Summary: Libraries and headers for developing iptables extensions Summary(pl.UTF-8): Biblioteki i nagłówki do tworzenia rozszerzeń iptables Group: Development/Libraries Requires: %{name}-libs = %{epoch}:%{version}-%{release} Obsoletes: iptables24-devel %description devel Libraries and headers for developing iptables extensions. %description devel -l pl.UTF-8 Biblioteki i pliki nagłówkowe niezbędne do tworzenia rozszerzeń dla iptables. %package static Summary: Static iptables libraries Summary(pl.UTF-8): Biblioteki statyczne iptables Group: Development/Libraries Requires: %{name}-devel = %{epoch}:%{version}-%{release} %description static Static iptables libraries. %description static -l pl.UTF-8 Biblioteki statyczne iptables. %package init Summary: Iptables init (RedHat style) Summary(pl.UTF-8): Iptables init (w stylu RedHata) Group: Networking/Admin Requires(post,preun): /sbin/chkconfig Requires(post,preun,postun): systemd-units >= 38 Requires: %{name} Requires: rc-scripts >= 0.4.3.0 Requires: systemd-units >= 38 Obsoletes: firewall-init Obsoletes: firewall-init-ipchains Obsoletes: iptables24-init %description init Iptables-init is meant to provide an alternate way than firewall-init to start and stop packet filtering through iptables(8). %description init -l pl.UTF-8 Iptables-init ma na celu udostępnienie alternatywnego w stosunku do firewall-init sposobu włączania i wyłączania filtrów IP jądra poprzez iptables(8). %prep %setup -q -a1 %patch0 -p1 %if %{with batch} %patch1 -p1 %endif %patch2 -p1 %patch3 -p1 %{?with_ipt_IPV4OPTSSTRIP:%patch10 -p1} %{?with_xt_layer7:%patch11 -p1} %{?with_ipt_rpc:%patch12 -p1} %patch13 -p1 %if %{with vserver} #patch14 -p1 %patch15 -p1 %endif # builds but init() api is broken, see warnings #patch16 -p1 %build %{__libtoolize} %{__aclocal} -I m4 %{__autoconf} %{__autoheader} %{__automake} %configure \ CFLAGS="%{rpmcflags} %{rpmcppflags} -D%{!?debug:N}DEBUG" \ %{?with_usekernelsrc:--with-kernel=%{_kernelsrcdir}} \ %{?with_pcap:--enable-bpf-compiler} \ --enable-libipq \ %{?with_pcap:--enable-nfsynproxy} \ %{?with_static:--enable-static} %{__make} all \ V=1 %if %{with doc} %{__make} -j1 -C iptables-howtos sed -i 's:$(HTML_HOWTOS)::g; s:$(PSUS_HOWTOS)::g' iptables-howtos/Makefile %endif %install rm -rf $RPM_BUILD_ROOT install -d $RPM_BUILD_ROOT/etc/{rc.d/init.d,sysconfig} \ $RPM_BUILD_ROOT{%{_includedir},%{_libdir},%{_mandir}/man3} \ $RPM_BUILD_ROOT%{systemdunitdir} %{__make} install \ DESTDIR=$RPM_BUILD_ROOT \ BINDIR=%{_sbindir} \ MANDIR=%{_mandir} \ LIBDIR=%{_libdir} # upstream solution with empty library with two DT_NEEDED entries doesn't work # with PLD's default LDFLAGS (--as-needed --no-copy-dt-needed-entries); # use ld script instead (see no-libiptc.patch for source) cp -p libiptc/libiptc.ld $RPM_BUILD_ROOT%{_libdir}/libiptc.so install -p %{SOURCE2} $RPM_BUILD_ROOT/etc/rc.d/init.d/%{name} install -p %{SOURCE3} $RPM_BUILD_ROOT/etc/rc.d/init.d/%{name6} install -d $RPM_BUILD_ROOT/etc/init cp -p %{SOURCE4} $RPM_BUILD_ROOT/etc/init/%{name}.conf cp -p %{SOURCE5} $RPM_BUILD_ROOT/etc/init/%{name6}.conf install -p %{SOURCE6} $RPM_BUILD_ROOT/etc/sysconfig/%{name}-config install -p %{SOURCE7} $RPM_BUILD_ROOT/etc/sysconfig/%{name6}-config install -p %{SOURCE8} $RPM_BUILD_ROOT%{systemdunitdir}/%{name}.service install -p %{SOURCE9} $RPM_BUILD_ROOT%{systemdunitdir}/%{name6}.service %clean rm -rf $RPM_BUILD_ROOT %post libs -p /sbin/ldconfig %postun libs -p /sbin/ldconfig %post init /sbin/chkconfig --add %{name} /sbin/chkconfig --add %{name6} %systemd_post %{name}.service %{name6}.service %preun init if [ "$1" = "0" ]; then /sbin/chkconfig --del %{name} /sbin/chkconfig --del %{name6} fi %systemd_preun %{name}.service %{name6}.service %postun init %systemd_reload %triggerpostun init -- %{name}-init < 1.4.13-2 %systemd_trigger %{name}.service %{name6}.service %files %defattr(644,root,root,755) %{?with_doc:%doc iptables-howtos/{NAT,networking-concepts,packet-filtering}-HOWTO*} %attr(755,root,root) %{_bindir}/iptables-xml %attr(755,root,root) %{_sbindir}/iptables %attr(755,root,root) %{_sbindir}/iptables-restore %attr(755,root,root) %{_sbindir}/iptables-save %attr(755,root,root) %{_sbindir}/ip6tables %attr(755,root,root) %{_sbindir}/ip6tables-restore %attr(755,root,root) %{_sbindir}/ip6tables-save %if %{with batch} %attr(755,root,root) %{_sbindir}/iptables-batch %attr(755,root,root) %{_sbindir}/ip6tables-batch %endif %attr(755,root,root) %{_sbindir}/nfnl_osf %if %{with pcap} %attr(755,root,root) %{_sbindir}/nfbpf_compile %attr(755,root,root) %{_sbindir}/nfsynproxy %endif %attr(755,root,root) %{_sbindir}/xtables-multi %{_datadir}/xtables %dir %{_libdir}/xtables %attr(755,root,root) %{_libdir}/xtables/libip6t_HL.so %attr(755,root,root) %{_libdir}/xtables/libip6t_LOG.so %attr(755,root,root) %{_libdir}/xtables/libip6t_REJECT.so %attr(755,root,root) %{_libdir}/xtables/libip6t_ah.so %attr(755,root,root) %{_libdir}/xtables/libip6t_dst.so %attr(755,root,root) %{_libdir}/xtables/libip6t_eui64.so %attr(755,root,root) %{_libdir}/xtables/libip6t_frag.so %attr(755,root,root) %{_libdir}/xtables/libip6t_hbh.so %attr(755,root,root) %{_libdir}/xtables/libip6t_hl.so %attr(755,root,root) %{_libdir}/xtables/libip6t_icmp6.so %attr(755,root,root) %{_libdir}/xtables/libip6t_ipv6header.so %attr(755,root,root) %{_libdir}/xtables/libip6t_mh.so %attr(755,root,root) %{_libdir}/xtables/libip6t_rt.so %attr(755,root,root) %{_libdir}/xtables/libipt_CLUSTERIP.so %attr(755,root,root) %{_libdir}/xtables/libipt_DNAT.so %attr(755,root,root) %{_libdir}/xtables/libipt_ECN.so %attr(755,root,root) %{_libdir}/xtables/libipt_LOG.so %attr(755,root,root) %{_libdir}/xtables/libipt_MASQUERADE.so %attr(755,root,root) %{_libdir}/xtables/libipt_MIRROR.so %attr(755,root,root) %{_libdir}/xtables/libipt_NETMAP.so %attr(755,root,root) %{_libdir}/xtables/libipt_REDIRECT.so %attr(755,root,root) %{_libdir}/xtables/libipt_REJECT.so %attr(755,root,root) %{_libdir}/xtables/libipt_SAME.so %attr(755,root,root) %{_libdir}/xtables/libipt_SNAT.so %attr(755,root,root) %{_libdir}/xtables/libipt_TTL.so %attr(755,root,root) %{_libdir}/xtables/libipt_ULOG.so %attr(755,root,root) %{_libdir}/xtables/libipt_ah.so %attr(755,root,root) %{_libdir}/xtables/libipt_icmp.so %attr(755,root,root) %{_libdir}/xtables/libipt_realm.so # disabled, see above #%attr(755,root,root) %{_libdir}/xtables/libipt_stealth.so %attr(755,root,root) %{_libdir}/xtables/libipt_ttl.so %attr(755,root,root) %{_libdir}/xtables/libipt_unclean.so %attr(755,root,root) %{_libdir}/xtables/libip6t_DNAT.so %attr(755,root,root) %{_libdir}/xtables/libip6t_DNPT.so %attr(755,root,root) %{_libdir}/xtables/libip6t_MASQUERADE.so %attr(755,root,root) %{_libdir}/xtables/libip6t_NETMAP.so %attr(755,root,root) %{_libdir}/xtables/libip6t_REDIRECT.so %attr(755,root,root) %{_libdir}/xtables/libip6t_SNAT.so %attr(755,root,root) %{_libdir}/xtables/libip6t_SNPT.so %attr(755,root,root) %{_libdir}/xtables/libxt_AUDIT.so %attr(755,root,root) %{_libdir}/xtables/libxt_CHECKSUM.so %attr(755,root,root) %{_libdir}/xtables/libxt_CLASSIFY.so %attr(755,root,root) %{_libdir}/xtables/libxt_CONNMARK.so %attr(755,root,root) %{_libdir}/xtables/libxt_CONNSECMARK.so %attr(755,root,root) %{_libdir}/xtables/libxt_CT.so %attr(755,root,root) %{_libdir}/xtables/libxt_DSCP.so %attr(755,root,root) %{_libdir}/xtables/libxt_HMARK.so %attr(755,root,root) %{_libdir}/xtables/libxt_IDLETIMER.so %attr(755,root,root) %{_libdir}/xtables/libxt_IMQ.so %attr(755,root,root) %{_libdir}/xtables/libxt_LED.so %attr(755,root,root) %{_libdir}/xtables/libxt_MARK.so %attr(755,root,root) %{_libdir}/xtables/libxt_NFLOG.so %attr(755,root,root) %{_libdir}/xtables/libxt_NFQUEUE.so %attr(755,root,root) %{_libdir}/xtables/libxt_NOTRACK.so %attr(755,root,root) %{_libdir}/xtables/libxt_RATEEST.so %attr(755,root,root) %{_libdir}/xtables/libxt_SECMARK.so %attr(755,root,root) %{_libdir}/xtables/libxt_SET.so %attr(755,root,root) %{_libdir}/xtables/libxt_SYNPROXY.so %attr(755,root,root) %{_libdir}/xtables/libxt_TCPMSS.so %attr(755,root,root) %{_libdir}/xtables/libxt_TCPOPTSTRIP.so %attr(755,root,root) %{_libdir}/xtables/libxt_TEE.so %attr(755,root,root) %{_libdir}/xtables/libxt_TOS.so %attr(755,root,root) %{_libdir}/xtables/libxt_TPROXY.so %attr(755,root,root) %{_libdir}/xtables/libxt_TRACE.so %attr(755,root,root) %{_libdir}/xtables/libxt_addrtype.so %attr(755,root,root) %{_libdir}/xtables/libxt_bpf.so %attr(755,root,root) %{_libdir}/xtables/libxt_cluster.so %attr(755,root,root) %{_libdir}/xtables/libxt_comment.so %attr(755,root,root) %{_libdir}/xtables/libxt_connbytes.so %attr(755,root,root) %{_libdir}/xtables/libxt_connlabel.so %attr(755,root,root) %{_libdir}/xtables/libxt_connlimit.so %attr(755,root,root) %{_libdir}/xtables/libxt_connmark.so %attr(755,root,root) %{_libdir}/xtables/libxt_conntrack.so %attr(755,root,root) %{_libdir}/xtables/libxt_cpu.so %attr(755,root,root) %{_libdir}/xtables/libxt_dccp.so %attr(755,root,root) %{_libdir}/xtables/libxt_devgroup.so %attr(755,root,root) %{_libdir}/xtables/libxt_dscp.so %attr(755,root,root) %{_libdir}/xtables/libxt_ecn.so %attr(755,root,root) %{_libdir}/xtables/libxt_esp.so %attr(755,root,root) %{_libdir}/xtables/libxt_hashlimit.so %attr(755,root,root) %{_libdir}/xtables/libxt_helper.so %attr(755,root,root) %{_libdir}/xtables/libxt_iprange.so %attr(755,root,root) %{_libdir}/xtables/libxt_ipvs.so %attr(755,root,root) %{_libdir}/xtables/libxt_length.so %attr(755,root,root) %{_libdir}/xtables/libxt_limit.so %attr(755,root,root) %{_libdir}/xtables/libxt_mac.so %attr(755,root,root) %{_libdir}/xtables/libxt_mark.so %attr(755,root,root) %{_libdir}/xtables/libxt_multiport.so %attr(755,root,root) %{_libdir}/xtables/libxt_nfacct.so %attr(755,root,root) %{_libdir}/xtables/libxt_osf.so %attr(755,root,root) %{_libdir}/xtables/libxt_owner.so %attr(755,root,root) %{_libdir}/xtables/libxt_physdev.so %attr(755,root,root) %{_libdir}/xtables/libxt_pkttype.so %attr(755,root,root) %{_libdir}/xtables/libxt_policy.so %attr(755,root,root) %{_libdir}/xtables/libxt_quota.so %attr(755,root,root) %{_libdir}/xtables/libxt_rateest.so %attr(755,root,root) %{_libdir}/xtables/libxt_recent.so %attr(755,root,root) %{_libdir}/xtables/libxt_rpfilter.so %attr(755,root,root) %{_libdir}/xtables/libxt_sctp.so %attr(755,root,root) %{_libdir}/xtables/libxt_set.so %attr(755,root,root) %{_libdir}/xtables/libxt_socket.so %attr(755,root,root) %{_libdir}/xtables/libxt_standard.so %attr(755,root,root) %{_libdir}/xtables/libxt_state.so %attr(755,root,root) %{_libdir}/xtables/libxt_statistic.so %attr(755,root,root) %{_libdir}/xtables/libxt_string.so %attr(755,root,root) %{_libdir}/xtables/libxt_tcp.so %attr(755,root,root) %{_libdir}/xtables/libxt_tcpmss.so %attr(755,root,root) %{_libdir}/xtables/libxt_time.so %attr(755,root,root) %{_libdir}/xtables/libxt_tos.so %attr(755,root,root) %{_libdir}/xtables/libxt_u32.so %attr(755,root,root) %{_libdir}/xtables/libxt_udp.so %{?with_ipt_IPV4OPTSSTRIP:%attr(755,root,root) %{_libdir}/xtables/libipt_IPV4OPTSSTRIP.so} %{?with_ipt_rpc:%attr(755,root,root) %{_libdir}/xtables/libipt_rpc.so} %{?with_xt_layer7:%attr(755,root,root) %{_libdir}/xtables/libxt_layer7.so} %{_mandir}/man1/iptables-xml.1* %{_mandir}/man8/ip6tables.8* %{_mandir}/man8/ip6tables-restore.8* %{_mandir}/man8/ip6tables-save.8* %{_mandir}/man8/iptables.8* %{_mandir}/man8/iptables-extensions.8* %{_mandir}/man8/iptables-restore.8* %{_mandir}/man8/iptables-save.8* %files libs %defattr(644,root,root,755) %attr(755,root,root) %{_libdir}/libip4tc.so.*.*.* %attr(755,root,root) %ghost %{_libdir}/libip4tc.so.0 %attr(755,root,root) %{_libdir}/libip6tc.so.*.*.* %attr(755,root,root) %ghost %{_libdir}/libip6tc.so.0 %attr(755,root,root) %{_libdir}/libipq.so.*.*.* %attr(755,root,root) %ghost %{_libdir}/libipq.so.0 %attr(755,root,root) %{_libdir}/libxtables.so.*.*.* %attr(755,root,root) %ghost %{_libdir}/libxtables.so.10 %files devel %defattr(644,root,root,755) %{?with_doc:%doc iptables-howtos/netfilter-hacking-HOWTO*} %attr(755,root,root) %{_libdir}/libip4tc.so %attr(755,root,root) %{_libdir}/libip6tc.so %attr(755,root,root) %{_libdir}/libipq.so %attr(755,root,root) %{_libdir}/libiptc.so %attr(755,root,root) %{_libdir}/libxtables.so %{_libdir}/libip4tc.la %{_libdir}/libip6tc.la %{_libdir}/libipq.la %{_libdir}/libxtables.la %{_includedir}/libipq.h %{_includedir}/xtables.h %{_includedir}/xtables-version.h %{_includedir}/libiptc %{_pkgconfigdir}/libip4tc.pc %{_pkgconfigdir}/libip6tc.pc %{_pkgconfigdir}/libipq.pc %{_pkgconfigdir}/libiptc.pc %{_pkgconfigdir}/xtables.pc %{_mandir}/man3/ipq_*.3* %{_mandir}/man3/libipq.3* %if %{with static} %files static %defattr(644,root,root,755) %{_libdir}/libip4tc.a %{_libdir}/libip6tc.a %{_libdir}/libipq.a %{_libdir}/libxtables.a %endif %files init %defattr(644,root,root,755) %config(noreplace) %verify(not md5 mtime size) /etc/sysconfig/%{name}-config %config(noreplace) %verify(not md5 mtime size) /etc/sysconfig/%{name6}-config %attr(754,root,root) /etc/rc.d/init.d/iptables %attr(754,root,root) /etc/rc.d/init.d/ip6tables %config(noreplace) %verify(not md5 mtime size) /etc/init/%{name}.conf %config(noreplace) %verify(not md5 mtime size) /etc/init/%{name6}.conf %{systemdunitdir}/%{name}.service %{systemdunitdir}/%{name6}.service