# - update BR to real required llh version
# - check if kernel-headers are still required to properly build iptabels for dist kernel
# - fix makefile (-D_UNKNOWN_KERNEL_POINTER_SIZE issue)
-# - owner needs rewrite to xt
+# - think what to do with the useless 'ebtables' wrapper. The original old
+# ebtables is still needed e.g. for libvirt's nwfilter
#
# Conditional build:
%bcond_without doc # without documentation (HOWTOS) which needed TeX
%bcond_without dist_kernel # without distribution kernel
+%bcond_without nftables # nftables compatibility
%bcond_without pcap # pcap-dependend utils (nfbpf_compile, nfsynproxy)
%bcond_with vserver # build xt_owner module for non-dist kernel with vserver support
%bcond_with batch # build iptables-batch
%define with_ipt_IPV4OPTSSTRIP 1
%define with_ipt_rpc 1
%define with_xt_layer7 1
-%define with_vserver 1
%endif
-%define name6 ip6tables
+%define orgname iptables
+%define name6 ip6tables
+
Summary: Extensible packet filtering system && extensible NAT system
Summary(pl.UTF-8): System filtrowania pakietów oraz system translacji adresów (NAT)
Summary(pt_BR.UTF-8): Ferramenta para controlar a filtragem de pacotes no kernel-2.6.x
Summary(ru.UTF-8): Утилиты для управления пакетными фильтрами ядра Linux
Summary(uk.UTF-8): Утиліти для керування пакетними фільтрами ядра Linux
Summary(zh_CN.UTF-8): Linux内核包过滤管理工具
-Name: iptables
-Version: 1.4.21
-Release: 1
+Name: iptables%{?with_vserver:-vserver}
+Version: 1.6.1
+Release: 5
License: GPL v2
Group: Networking/Admin
-Source0: ftp://ftp.netfilter.org/pub/iptables/%{name}-%{version}.tar.bz2
-# Source0-md5: 536d048c8e8eeebcd9757d0863ebb0c0
-Source1: cvs://cvs.samba.org/netfilter/%{name}-howtos.tar.bz2
+Source0: ftp://ftp.netfilter.org/pub/iptables/%{orgname}-%{version}.tar.bz2
+# Source0-md5: ab38a33806b6182c6f53d6afb4619add
+Source1: cvs://cvs.samba.org/netfilter/%{orgname}-howtos.tar.bz2
# Source1-md5: 2ed2b452daefe70ededd75dc0061fd07
-Source2: %{name}.init
+Source2: %{orgname}.init
Source3: %{name6}.init
-Source4: %{name}.upstart
-Source5: %{name6}.upstart
-Source6: %{name}-config
+Source6: %{orgname}-config
Source7: %{name6}-config
-Source8: %{name}.service
+Source8: %{orgname}.service
Source9: %{name6}.service
+# these are not compatible with this package! there are no ebtables-save and ebtables-restore here
+Source10: ebtables.init
+Source11: ebtables-config
+Source12: ebtables.service
# --- GENERAL CHANGES (patches<10):
-Patch0: %{name}-man.patch
+Patch0: %{orgname}-man.patch
# additional utils; off by default
-Patch1: %{name}-batch.patch
+Patch1: %{orgname}-batch.patch
Patch2: no-libiptc.patch
-Patch3: %{name}-aligned_u64.patch
+Patch3: %{orgname}-aligned_u64.patch
+Patch4: %{orgname}-ebtables.patch
+Patch5: ebtables-X.patch
# --- ADDITIONAL/CHANGED EXTENSIONS:
# just ipt_IPV4OPTSSTRIP now
-Patch10: %{name}-20070806.patch
+Patch10: %{orgname}-20070806.patch
# xt_layer7; almost based on iptables-1.4-for-kernel-2.6.20forward-layer7-2.18.patch
# http://downloads.sourceforge.net/l7-filter/netfilter-layer7-v2.18.tar.gz
-Patch11: %{name}-layer7.patch
+Patch11: %{orgname}-layer7.patch
# ipt_rpc
-Patch12: %{name}-old-1.3.7.patch
+Patch12: %{orgname}-old-1.3.7.patch
# xt_IMQ; http://linuximq.net/patchs/iptables-1.4.12-IMQ-test4.diff
-Patch13: %{name}-imq.patch
+Patch13: %{orgname}-imq.patch
# enhances ipt_owner/ip6t_owner; http://people.linux-vserver.org/~dhozac/p/m/iptables-1.3.5-owner-xid.patch (currently disabled, needs update for xt_owner)
-Patch14: %{name}-1.3.5-owner-xid.patch
+Patch14: %{orgname}-owner-xid.patch
# adjusts xt_owner for vserver-enabled kernel
-Patch15: %{name}-owner-struct-size-vs.patch
-# ipt_stealth; currently disabled (broken, see below)
-Patch16: %{name}-stealth.patch
+Patch15: %{orgname}-owner-struct-size-vs.patch
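Review bot: The new `# Source0-md5:` line is the only integrity check on the 1.6.1 tarball, and an MD5 copied from a download cannot tell a genuine archive from one served by a tampered mirror; netfilter.org publishes detached PGP signatures next to its release tarballs, so the sum should be recorded only after the archive has been verified against that signature (saying so in the commit message helps whoever does the next bump). The comment above Source10–12, "these are not compatible with this package!", reads as if the scripts are shipped anyway; since every install of them is commented out later in this change, `# not installed: the xtables wrapper has no ebtables-save/ebtables-restore, so these scripts cannot work yet` states the actual situation. The Patch14 comment still says "(currently disabled, needs update for xt_owner)" although this change re-enables `%patch14 -p1` under `%if %{with vserver}`, so one of the two should be updated.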
URL: http://www.netfilter.org/
BuildRequires: autoconf >= 2.50
BuildRequires: automake
+%{?with_nftables:BuildRequires: bison}
+%{?with_nftables:BuildRequires: flex}
BuildRequires: groff
-BuildRequires: libnetfilter_conntrack-devel >= 1.0.4
+%{?with_nftables:BuildRequires: libmnl-devel >= 1.0}
+BuildRequires: libnetfilter_conntrack-devel >= 1.0.6
BuildRequires: libnfnetlink-devel >= 1.0
+%{?with_nftables:BuildRequires: libnftnl-devel >= 1.0.5}
%{?with_pcap:BuildRequires: libpcap-devel}
BuildRequires: libtool
BuildRequires: pkgconfig >= 1:0.9.0
BuildRequires: kernel%{_alt_kernel}-headers(netfilter)
%endif
BuildRequires: linux-libc-headers >= 7:2.6.22.1
-Requires: %{name}-libs = %{version}-%{release}
-Requires: libnetfilter_conntrack >= 1.0.4
+Requires: %{orgname}-libs = %{version}-%{release}
+%{?with_nftables:Requires: libmnl >= 1.0}
+Requires: libnetfilter_conntrack >= 1.0.6
Requires: libnfnetlink >= 1.0
+%{?with_nftables:Requires: libnftnl >= 1.0.5}
+Provides: arptables
Provides: firewall-userspace-tool
+%{?with_vserver:Provides: iptables = %{version}-%{release}}
+Obsoletes: arptables
Obsoletes: ipchains
Obsoletes: iptables24-compat
Obsoletes: netfilter
Conflicts: xtables-addons < 1.25
-BuildRoot: %{tmpdir}/%{name}-%{version}-root-%(id -u -n)
+BuildRoot: %{tmpdir}/%{orgname}-%{version}-root-%(id -u -n)
%description
An extensible NAT system, and an extensible packet filtering system.
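Review bot: `Provides: arptables` and `Obsoletes: arptables` are unconditional, but the arptables this package ships is a symlink to xtables-compat-multi, which this spec only builds and packages `%if %{with nftables}`; a `--without nftables` build would still obsolete the real arptables package while providing nothing that can run, which is a silent loss of filtering on a host that depends on it. The rationale the ebtables subpackage gives for not advertising compatibility ("do not 'provide' something this is not really compatible with") applies equally here, since the compat binary is presumably the nf_tables-backed one rather than a drop-in for the arp_tables tool. Consider `%{?with_nftables:Provides: arptables}` and, until the wrapper is known to be a drop-in, `Conflicts: arptables` in place of `Obsoletes: arptables`.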
Summary: Libraries and headers for developing iptables extensions
Summary(pl.UTF-8): Biblioteki i nagłówki do tworzenia rozszerzeń iptables
Group: Development/Libraries
-Requires: %{name}-libs = %{epoch}:%{version}-%{release}
+Requires: %{orgname}-libs = %{epoch}:%{version}-%{release}
Obsoletes: iptables24-devel
%description devel
Group: Networking/Admin
Requires(post,preun): /sbin/chkconfig
Requires(post,preun,postun): systemd-units >= 38
-Requires: %{name}
+Requires: %{name} = %{version}-%{release}
Requires: rc-scripts >= 0.4.3.0
Requires: systemd-units >= 38
Obsoletes: firewall-init
Obsoletes: firewall-init-ipchains
Obsoletes: iptables24-init
+%{?with_vserver:Provides: iptables-init = %{version}-%{release}}
%description init
Iptables-init is meant to provide an alternate way than firewall-init
firewall-init sposobu włączania i wyłączania filtrów IP jądra poprzez
iptables(8).
+%package ebtables
+Summary: Ethernet Bridge Tables - xtables compatibility wrapper
+Summary(pl.UTF-8): Ethernet Bridge Tables – nakładka kompatybilności na xtables
+Group: Networking/Admin
+Requires(post,preun): /sbin/chkconfig
+Requires(post,preun,postun): systemd-units >= 38
+Requires: %{name}
+Requires: rc-scripts >= 0.4.3.0
+Requires: systemd-units >= 38
+# do not 'provide' something this is not really compatible with
+#Provides: ebtables
+Obsoletes: ebtables
+%{?with_vserver:Provides: ebtables = %{version}-%{release}}
+
+%description ebtables
+ebtables is a tool for managing Linux 2.5.x (and above) Link Layer firewalling
+subsystem.
+
+This package contains a compatibility wrapper over xtables providing some
+functionality of the original ebtables tool.
+
+Note: this is not really a fully-compatible drop-in replacement!
+
%prep
-%setup -q -a1
+%setup -q -n iptables-%{version} -a1
%patch0 -p1
%if %{with batch}
%patch1 -p1
%endif
%patch2 -p1
%patch3 -p1
+%patch4 -p1
+%patch5 -p1
%{?with_ipt_IPV4OPTSSTRIP:%patch10 -p1}
%{?with_xt_layer7:%patch11 -p1}
%{?with_ipt_rpc:%patch12 -p1}
%patch13 -p1
%if %{with vserver}
-#patch14 -p1
+%patch14 -p1
%patch15 -p1
%endif
-# builds but init() api is broken, see warnings
-#patch16 -p1
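Review bot: `Obsoletes: ebtables` in the new ebtables subpackage removes the original ebtables on upgrade even though this same change records that the wrapper is not a drop-in (no ebtables-save/ebtables-restore, libvirt's nwfilter still needs the original, "not really a fully-compatible drop-in replacement"), so an upgrade silently discards a working bridge firewall and any rules saved through it; `Conflicts: ebtables`, or no relation at all, is the safer choice until the wrapper is complete. `%{?with_vserver:Provides: ebtables = %{version}-%{release}}` also contradicts the commented-out `#Provides: ebtables` two lines above it — the vserver build ends up advertising exactly the compatibility the comment says not to claim. `Requires: %{name}` here is unversioned while the init subpackage was tightened to `Requires: %{name} = %{version}-%{release}` in this change, and the `Requires(post,preun): /sbin/chkconfig` / `systemd-units` lines pull scriptlet dependencies into a subpackage that installs no init script, unit or scriptlets (those installs are commented out in %install), so they can be dropped.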
%build
%{__libtoolize}
%{?with_pcap:--enable-bpf-compiler} \
--enable-libipq \
%{?with_pcap:--enable-nfsynproxy} \
+ %{!?with_nftables:--disable-nftables} \
%{?with_static:--enable-static}
-%{__make} all \
+%{__make} -j1 all \
V=1
%if %{with doc}
MANDIR=%{_mandir} \
LIBDIR=%{_libdir}
+# not installed; provide so we can obsolete arptables and ebtables packages
+ln -sf xtables-compat-multi $RPM_BUILD_ROOT%{_sbindir}/arptables
+ln -sf xtables-compat-multi $RPM_BUILD_ROOT%{_sbindir}/ebtables
+
# upstream solution with empty library with two DT_NEEDED entries doesn't work
# with PLD's default LDFLAGS (--as-needed --no-copy-dt-needed-entries);
# use ld script instead (see no-libiptc.patch for source)
cp -p libiptc/libiptc.ld $RPM_BUILD_ROOT%{_libdir}/libiptc.so
-install -p %{SOURCE2} $RPM_BUILD_ROOT/etc/rc.d/init.d/%{name}
+install -p %{SOURCE2} $RPM_BUILD_ROOT/etc/rc.d/init.d/%{orgname}
install -p %{SOURCE3} $RPM_BUILD_ROOT/etc/rc.d/init.d/%{name6}
-install -d $RPM_BUILD_ROOT/etc/init
-cp -p %{SOURCE4} $RPM_BUILD_ROOT/etc/init/%{name}.conf
-cp -p %{SOURCE5} $RPM_BUILD_ROOT/etc/init/%{name6}.conf
-install -p %{SOURCE6} $RPM_BUILD_ROOT/etc/sysconfig/%{name}-config
+install -p %{SOURCE6} $RPM_BUILD_ROOT/etc/sysconfig/%{orgname}-config
install -p %{SOURCE7} $RPM_BUILD_ROOT/etc/sysconfig/%{name6}-config
-install -p %{SOURCE8} $RPM_BUILD_ROOT%{systemdunitdir}/%{name}.service
+install -p %{SOURCE8} $RPM_BUILD_ROOT%{systemdunitdir}/%{orgname}.service
install -p %{SOURCE9} $RPM_BUILD_ROOT%{systemdunitdir}/%{name6}.service
+# these won't work as they are now
+#install -p %{SOURCE10} $RPM_BUILD_ROOT/etc/rc.d/init.d/ebtables
+#install -p %{SOURCE11} $RPM_BUILD_ROOT/etc/sysconfig/ebtables-config
+#install -p %{SOURCE12} $RPM_BUILD_ROOT%{systemdunitdir}/ebtables.service
+
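Review bot: The two `ln -sf xtables-compat-multi ...` lines run unconditionally, but xtables-compat-multi only exists when the build is configured with nftables (the spec passes `--disable-nftables` otherwise and lists the binary under `%if %{with nftables}`), so a `--without nftables` build ships dangling /usr/sbin/arptables and /usr/sbin/ebtables symlinks that %files then claims as 755 executables. Wrap the two lines in `%if %{with nftables}` … `%endif` and guard the matching %files entries the same way. The comment "not installed; provide so we can obsolete arptables and ebtables packages" also inverts the dependency: the symlinks justify the Provides/Obsoletes, so if they become conditional those tags must be too.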
%clean
rm -rf $RPM_BUILD_ROOT
%postun libs -p /sbin/ldconfig
%post init
-/sbin/chkconfig --add %{name}
+/sbin/chkconfig --add %{orgname}
/sbin/chkconfig --add %{name6}
-%systemd_post %{name}.service %{name6}.service
+%systemd_post %{orgname}.service %{name6}.service
%preun init
if [ "$1" = "0" ]; then
- /sbin/chkconfig --del %{name}
+ /sbin/chkconfig --del %{orgname}
/sbin/chkconfig --del %{name6}
fi
-%systemd_preun %{name}.service %{name6}.service
+%systemd_preun %{orgname}.service %{name6}.service
%postun init
%systemd_reload
-%triggerpostun init -- %{name}-init < 1.4.13-2
-%systemd_trigger %{name}.service %{name6}.service
+%triggerpostun init -- %{orgname}-init < 1.4.13-2
+%systemd_trigger %{orgname}.service %{name6}.service
%files
%defattr(644,root,root,755)
%{?with_doc:%doc iptables-howtos/{NAT,networking-concepts,packet-filtering}-HOWTO*}
%attr(755,root,root) %{_bindir}/iptables-xml
+%attr(755,root,root) %{_sbindir}/arptables
%attr(755,root,root) %{_sbindir}/iptables
%attr(755,root,root) %{_sbindir}/iptables-restore
%attr(755,root,root) %{_sbindir}/iptables-save
%attr(755,root,root) %{_sbindir}/nfsynproxy
%endif
%attr(755,root,root) %{_sbindir}/xtables-multi
+%if %{with nftables}
+%attr(755,root,root) %{_sbindir}/arptables-compat
+%attr(755,root,root) %{_sbindir}/ebtables-compat
+%attr(755,root,root) %{_sbindir}/iptables-compat
+%attr(755,root,root) %{_sbindir}/iptables-compat-restore
+%attr(755,root,root) %{_sbindir}/iptables-compat-save
+%attr(755,root,root) %{_sbindir}/iptables-restore-translate
+%attr(755,root,root) %{_sbindir}/iptables-translate
+%attr(755,root,root) %{_sbindir}/ip6tables-compat
+%attr(755,root,root) %{_sbindir}/ip6tables-compat-restore
+%attr(755,root,root) %{_sbindir}/ip6tables-compat-save
+%attr(755,root,root) %{_sbindir}/ip6tables-restore-translate
+%attr(755,root,root) %{_sbindir}/ip6tables-translate
+%attr(755,root,root) %{_sbindir}/xtables-compat-multi
+%endif
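Review bot: `%attr(755,root,root) %{_sbindir}/arptables` is listed unconditionally a few lines above this `%if %{with nftables}` block, yet its target xtables-compat-multi is packaged only inside the block; in a `--without nftables` build the main package either fails at %files or ships a dangling symlink, depending on whether %install still created it. Moving the arptables entry (and the `%{_sbindir}/ebtables` entry in `%files ebtables`) inside the same conditional keeps the file list honest about what the build can actually execute.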
%{_datadir}/xtables
%dir %{_libdir}/xtables
+%attr(755,root,root) %{_libdir}/xtables/libarpt_mangle.so
+%attr(755,root,root) %{_libdir}/xtables/libebt_802_3.so
+%attr(755,root,root) %{_libdir}/xtables/libebt_ip.so
+%attr(755,root,root) %{_libdir}/xtables/libebt_limit.so
+%attr(755,root,root) %{_libdir}/xtables/libebt_log.so
+%attr(755,root,root) %{_libdir}/xtables/libebt_mark.so
+%attr(755,root,root) %{_libdir}/xtables/libebt_mark_m.so
+%attr(755,root,root) %{_libdir}/xtables/libebt_nflog.so
%attr(755,root,root) %{_libdir}/xtables/libip6t_HL.so
%attr(755,root,root) %{_libdir}/xtables/libip6t_LOG.so
%attr(755,root,root) %{_libdir}/xtables/libip6t_REJECT.so
%attr(755,root,root) %{_libdir}/xtables/libipt_ECN.so
%attr(755,root,root) %{_libdir}/xtables/libipt_LOG.so
%attr(755,root,root) %{_libdir}/xtables/libipt_MASQUERADE.so
-%attr(755,root,root) %{_libdir}/xtables/libipt_MIRROR.so
%attr(755,root,root) %{_libdir}/xtables/libipt_NETMAP.so
%attr(755,root,root) %{_libdir}/xtables/libipt_REDIRECT.so
%attr(755,root,root) %{_libdir}/xtables/libipt_REJECT.so
-%attr(755,root,root) %{_libdir}/xtables/libipt_SAME.so
%attr(755,root,root) %{_libdir}/xtables/libipt_SNAT.so
%attr(755,root,root) %{_libdir}/xtables/libipt_TTL.so
%attr(755,root,root) %{_libdir}/xtables/libipt_ULOG.so
%attr(755,root,root) %{_libdir}/xtables/libipt_ah.so
%attr(755,root,root) %{_libdir}/xtables/libipt_icmp.so
%attr(755,root,root) %{_libdir}/xtables/libipt_realm.so
-# disabled, see above
-#%attr(755,root,root) %{_libdir}/xtables/libipt_stealth.so
%attr(755,root,root) %{_libdir}/xtables/libipt_ttl.so
-%attr(755,root,root) %{_libdir}/xtables/libipt_unclean.so
%attr(755,root,root) %{_libdir}/xtables/libip6t_DNAT.so
%attr(755,root,root) %{_libdir}/xtables/libip6t_DNPT.so
%attr(755,root,root) %{_libdir}/xtables/libip6t_MASQUERADE.so
%attr(755,root,root) %{_libdir}/xtables/libxt_TRACE.so
%attr(755,root,root) %{_libdir}/xtables/libxt_addrtype.so
%attr(755,root,root) %{_libdir}/xtables/libxt_bpf.so
+%attr(755,root,root) %{_libdir}/xtables/libxt_cgroup.so
%attr(755,root,root) %{_libdir}/xtables/libxt_cluster.so
%attr(755,root,root) %{_libdir}/xtables/libxt_comment.so
%attr(755,root,root) %{_libdir}/xtables/libxt_connbytes.so
%attr(755,root,root) %{_libdir}/xtables/libxt_esp.so
%attr(755,root,root) %{_libdir}/xtables/libxt_hashlimit.so
%attr(755,root,root) %{_libdir}/xtables/libxt_helper.so
+%attr(755,root,root) %{_libdir}/xtables/libxt_ipcomp.so
%attr(755,root,root) %{_libdir}/xtables/libxt_iprange.so
%attr(755,root,root) %{_libdir}/xtables/libxt_ipvs.so
%attr(755,root,root) %{_libdir}/xtables/libxt_length.so
%attr(755,root,root) %{_libdir}/xtables/libxt_limit.so
%attr(755,root,root) %{_libdir}/xtables/libxt_mac.so
+%attr(755,root,root) %{_libdir}/xtables/libxt_mangle.so
%attr(755,root,root) %{_libdir}/xtables/libxt_mark.so
%attr(755,root,root) %{_libdir}/xtables/libxt_multiport.so
%attr(755,root,root) %{_libdir}/xtables/libxt_nfacct.so
%{?with_ipt_IPV4OPTSSTRIP:%attr(755,root,root) %{_libdir}/xtables/libipt_IPV4OPTSSTRIP.so}
%{?with_ipt_rpc:%attr(755,root,root) %{_libdir}/xtables/libipt_rpc.so}
%{?with_xt_layer7:%attr(755,root,root) %{_libdir}/xtables/libxt_layer7.so}
+%config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/ethertypes
%{_mandir}/man1/iptables-xml.1*
%{_mandir}/man8/ip6tables.8*
%{_mandir}/man8/ip6tables-restore.8*
%attr(755,root,root) %{_libdir}/libipq.so.*.*.*
%attr(755,root,root) %ghost %{_libdir}/libipq.so.0
%attr(755,root,root) %{_libdir}/libxtables.so.*.*.*
-%attr(755,root,root) %ghost %{_libdir}/libxtables.so.10
+%attr(755,root,root) %ghost %{_libdir}/libxtables.so.12
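Review bot: The libxtables soname moves from .so.10 to .so.12 here, so out-of-tree extensions built against the old ABI will stop loading; rpm's automatic soname dependency should protect the library itself, but the explicit `Conflicts: xtables-addons < 1.25` further up was written for an earlier soname and may now need a newer lower bound — worth confirming which xtables-addons release targets libxtables 12 before relying on that line. The in-tree layer7, IMQ and rpc extension patches are rebuilt with the package, so they are not affected, but any locally built xtables plugin on upgraded hosts will be.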
%files devel
%defattr(644,root,root,755)
%files init
%defattr(644,root,root,755)
-%config(noreplace) %verify(not md5 mtime size) /etc/sysconfig/%{name}-config
+%config(noreplace) %verify(not md5 mtime size) /etc/sysconfig/%{orgname}-config
%config(noreplace) %verify(not md5 mtime size) /etc/sysconfig/%{name6}-config
%attr(754,root,root) /etc/rc.d/init.d/iptables
%attr(754,root,root) /etc/rc.d/init.d/ip6tables
-%config(noreplace) %verify(not md5 mtime size) /etc/init/%{name}.conf
-%config(noreplace) %verify(not md5 mtime size) /etc/init/%{name6}.conf
-%{systemdunitdir}/%{name}.service
+%{systemdunitdir}/%{orgname}.service
%{systemdunitdir}/%{name6}.service
+
+%files ebtables
+%defattr(644,root,root,755)
+%attr(755,root,root) %{_sbindir}/ebtables