iptables-1.8.2-1

- New upstream version 1.8.2
- Integrate ebtables and arptables save/restore scripts with alternatives
- Add nft-specific ebtables and arptables man pages
- Move /etc/sysconfig/ip*tables-config files into services sub-package

0001-iptables-apply-Use-mktemp-instead-of-tempfile.patch

@@ -0,0 +1,35 @@
+From 1dba0d0a2c9c269dc5ed9e7d841b8ecb9dc060af Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Fri, 12 Apr 2019 18:02:19 +0200
+Subject: [PATCH] iptables-apply: Use mktemp instead of tempfile
+
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ iptables/iptables-apply | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/iptables/iptables-apply b/iptables/iptables-apply
+index 819ca4a459c42..a685b6bbcd7dc 100755
+--- a/iptables/iptables-apply
++++ b/iptables/iptables-apply
+@@ -111,7 +111,7 @@ if [[ ! -r "$FILE" ]]; then
+ 	exit 2
+ fi
+ 
+-COMMANDS=(tempfile "$SAVE" "$RESTORE")
++COMMANDS=(mktemp "$SAVE" "$RESTORE")
+ 
+ for cmd in "${COMMANDS[@]}"; do
+ 	if ! command -v $cmd >/dev/null; then
+@@ -122,7 +122,7 @@ done
+ 
+ umask 0700
+ 
+-TMPFILE=$(tempfile -p iptap)
++TMPFILE=$(mktemp)
+ trap "rm -f $TMPFILE" EXIT HUP INT QUIT ILL TRAP ABRT BUS \
+ 		      FPE USR1 SEGV USR2 PIPE ALRM TERM
+ 
+-- 
+2.21.0
+

0002-extensions-format-security-fixes-in-libip-6-t_icmp.patch

@@ -0,0 +1,60 @@
+From 6e8f0c61f4c9abc2836d772fca97ff0d84c03360 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Adam=20Go=C5=82=C4=99biowski?= <adamg@pld-linux.org>
+Date: Wed, 14 Nov 2018 07:35:28 +0100
+Subject: [PATCH] extensions: format-security fixes in libip[6]t_icmp
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit 61d6c3834de3 ("xtables: add 'printf' attribute to xlate_add")
+introduced support for gcc feature to check format string against passed
+argument.  This commit adds missing bits to extenstions's libipt_icmp.c
+and libip6t_icmp6.c that were causing build to fail.
+
+Fixes: 61d6c3834de3 ("xtables: add 'printf' attribute to xlate_add")
+Signed-off-by: Adam Gołębiowski <adamg@pld-linux.org>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ extensions/libip6t_icmp6.c | 4 ++--
+ extensions/libipt_icmp.c   | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/extensions/libip6t_icmp6.c b/extensions/libip6t_icmp6.c
+index 45a71875722c4..cc7bfaeb72fd7 100644
+--- a/extensions/libip6t_icmp6.c
++++ b/extensions/libip6t_icmp6.c
+@@ -230,7 +230,7 @@ static unsigned int type_xlate_print(struct xt_xlate *xl, unsigned int icmptype,
+ 	type_name = icmp6_type_xlate(icmptype);
+ 
+ 	if (type_name) {
+-		xt_xlate_add(xl, type_name);
++		xt_xlate_add(xl, "%s", type_name);
+ 	} else {
+ 		for (i = 0; i < ARRAY_SIZE(icmpv6_codes); ++i)
+ 			if (icmpv6_codes[i].type == icmptype &&
+@@ -239,7 +239,7 @@ static unsigned int type_xlate_print(struct xt_xlate *xl, unsigned int icmptype,
+ 				break;
+ 
+ 		if (i != ARRAY_SIZE(icmpv6_codes))
+-			xt_xlate_add(xl, icmpv6_codes[i].name);
++			xt_xlate_add(xl, "%s", icmpv6_codes[i].name);
+ 		else
+ 			return 0;
+ 	}
+diff --git a/extensions/libipt_icmp.c b/extensions/libipt_icmp.c
+index 5418997668d4c..e76257c54708c 100644
+--- a/extensions/libipt_icmp.c
++++ b/extensions/libipt_icmp.c
+@@ -236,7 +236,7 @@ static unsigned int type_xlate_print(struct xt_xlate *xl, unsigned int icmptype,
+ 			if (icmp_codes[i].type == icmptype &&
+ 			    icmp_codes[i].code_min == code_min &&
+ 			    icmp_codes[i].code_max == code_max) {
+-				xt_xlate_add(xl, icmp_codes[i].name);
++				xt_xlate_add(xl, "%s", icmp_codes[i].name);
+ 				return 1;
+ 			}
+ 	}
+-- 
+2.21.0
+

0003-doc-Add-arptables-nft-man-pages.patch

@@ -0,0 +1,486 @@
+From 1d0089550ab9882ac90d0fc673f213c51e133552 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Wed, 13 Mar 2019 20:46:12 +0100
+Subject: [PATCH] doc: Add arptables-nft man pages
+
+These are 1:1 copies from legacy arptables repository.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+(cherry picked from commit 4dbb6b9118e32a9b748ead893106de59579424f5)
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ iptables/Makefile.am             |   3 +
+ iptables/arptables-nft-restore.8 |  41 ++++
+ iptables/arptables-nft-save.8    |  37 ++++
+ iptables/arptables-nft.8         | 352 +++++++++++++++++++++++++++++++
+ 4 files changed, 433 insertions(+)
+ create mode 100644 iptables/arptables-nft-restore.8
+ create mode 100644 iptables/arptables-nft-save.8
+ create mode 100644 iptables/arptables-nft.8
+
+diff --git a/iptables/Makefile.am b/iptables/Makefile.am
+index 581dc32ba846b..52309679d390c 100644
+--- a/iptables/Makefile.am
++++ b/iptables/Makefile.am
+@@ -63,6 +63,9 @@ man_MANS         = iptables.8 iptables-restore.8 iptables-save.8 \
+                    ip6tables-save.8 iptables-extensions.8 \
+                    xtables-nft.8 xtables-translate.8 xtables-legacy.8 \
+                    xtables-monitor.8
++if ENABLE_NFTABLES
++man_MANS	+= arptables-nft.8 arptables-nft-restore.8 arptables-nft-save.8
++endif
+ CLEANFILES       = iptables.8 xtables-monitor.8 \
+ 		   xtables-config-parser.c xtables-config-syntax.c
+ 
+diff --git a/iptables/arptables-nft-restore.8 b/iptables/arptables-nft-restore.8
+new file mode 100644
+index 0000000000000..4f2f623673415
+--- /dev/null
++++ b/iptables/arptables-nft-restore.8
+@@ -0,0 +1,41 @@
++.TH ARPTABLES-RESTORE 8 "Nov 07, 2013" "" ""
++.\"
++.\" Man page written by Jesper Dangaard Brouer <brouer@redhat.com> based on a
++.\" Man page written by Harald Welte <laforge@gnumonks.org>
++.\" It is based on the iptables-restore man page.
++.\"
++.\"	This program is free software; you can redistribute it and/or modify
++.\"	it under the terms of the GNU General Public License as published by
++.\"	the Free Software Foundation; either version 2 of the License, or
++.\"	(at your option) any later version.
++.\"
++.\"	This program is distributed in the hope that it will be useful,
++.\"	but WITHOUT ANY WARRANTY; without even the implied warranty of
++.\"	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++.\"	GNU General Public License for more details.
++.\"
++.\"	You should have received a copy of the GNU General Public License
++.\"	along with this program; if not, write to the Free Software
++.\"	Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
++.\"
++.\"
++.SH NAME
++arptables-restore \(em Restore ARP Tables
++.SH SYNOPSIS
++\fBarptables\-restore
++.SH DESCRIPTION
++.PP
++.B arptables-restore
++is used to restore ARP Tables from data specified on STDIN or
++via a file as first argument.
++Use I/O redirection provided by your shell to read from a file
++.TP
++.B arptables-restore
++flushes (deletes) all previous contents of the respective ARP Table.
++.SH BUGS
++None known as of arptables-0.0.4 release
++.SH AUTHOR
++Jesper Dangaard Brouer <brouer@redhat.com>
++.SH SEE ALSO
++\fBarptables\-save\fP(8), \fBarptables\fP(8)
++.PP
+diff --git a/iptables/arptables-nft-save.8 b/iptables/arptables-nft-save.8
+new file mode 100644
+index 0000000000000..34791a9c087f0
+--- /dev/null
++++ b/iptables/arptables-nft-save.8
+@@ -0,0 +1,37 @@
++.TH ARPTABLES-SAVE 8 "Nov 07, 2013" "" ""
++.\"
++.\" Man page written by Jesper Dangaard Brouer <brouer@redhat.com> based on a
++.\" Man page written by Harald Welte <laforge@gnumonks.org>
++.\" It is based on the iptables-save man page.
++.\"
++.\"	This program is free software; you can redistribute it and/or modify
++.\"	it under the terms of the GNU General Public License as published by
++.\"	the Free Software Foundation; either version 2 of the License, or
++.\"	(at your option) any later version.
++.\"
++.\"	This program is distributed in the hope that it will be useful,
++.\"	but WITHOUT ANY WARRANTY; without even the implied warranty of
++.\"	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++.\"	GNU General Public License for more details.
++.\"
++.\"	You should have received a copy of the GNU General Public License
++.\"	along with this program; if not, write to the Free Software
++.\"	Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
++.\"
++.\"
++.SH NAME
++arptables-save \(em dump arptables rules to stdout
++.SH SYNOPSIS
++\fBarptables\-save
++.SH DESCRIPTION
++.PP
++.B arptables-save
++is used to dump the contents of an ARP Table in easily parseable format
++to STDOUT. Use I/O-redirection provided by your shell to write to a file.
++.SH BUGS
++None known as of arptables-0.0.4 release
++.SH AUTHOR
++Jesper Dangaard Brouer <brouer@redhat.com>
++.SH SEE ALSO
++\fBarptables\-restore\fP(8), \fBarptables\fP(8)
++.PP
+diff --git a/iptables/arptables-nft.8 b/iptables/arptables-nft.8
+new file mode 100644
+index 0000000000000..3ce99e3757004
+--- /dev/null
++++ b/iptables/arptables-nft.8
+@@ -0,0 +1,352 @@
++.TH ARPTABLES 8  "June 2018"
++.\"
++.\" Man page originally written by Jochen Friedrich <jochen@scram.de>,
++.\" maintained by Bart De Schuymer.
++.\" It is based on the iptables man page.
++.\"
++.\" Iptables page by Herve Eychenne March 2000.
++.\"
++.\"     This program is free software; you can redistribute it and/or modify
++.\"     it under the terms of the GNU General Public License as published by
++.\"     the Free Software Foundation; either version 2 of the License, or
++.\"     (at your option) any later version.
++.\"
++.\"     This program is distributed in the hope that it will be useful,
++.\"     but WITHOUT ANY WARRANTY; without even the implied warranty of
++.\"     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++.\"     GNU General Public License for more details.
++.\"
++.\"     You should have received a copy of the GNU General Public License
++.\"     along with this program; if not, write to the Free Software
++.\"     Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
++.\"
++.\"
++.SH NAME
++arptables \- ARP table administration (legacy)
++.SH SYNOPSIS
++.BR "arptables " [ "-t table" ] " -" [ AD ] " chain rule-specification " [ options ]
++.br
++.BR "arptables " [ "-t table" ] " -" [ RI ] " chain rulenum rule-specification " [ options ]
++.br
++.BR "arptables " [ "-t table" ] " -D chain rulenum " [ options ]
++.br
++.BR "arptables " [ "-t table" ] " -" [ "LFZ" ] " " [ chain ] " " [ options ]
++.br
++.BR "arptables " [ "-t table" ] " -" [ "NX" ] " chain"
++.br
++.BR "arptables " [ "-t table" ] " -E old-chain-name new-chain-name"
++.br
++.BR "arptables " [ "-t table" ] " -P chain target " [ options ]
++
++.SH LEGACY
++This tool uses the old xtables/setsockopt framework, and is a legacy version
++of arptables. That means that a new, more modern tool exists with the same
++functionality using the nf_tables framework and you are encouraged to migrate now.
++The new binaries (formerly known as -compat) uses the same syntax and
++semantics than this legacy one.
++
++You can still use this legacy tool. You should probably get some specific
++information from your Linux distribution or vendor.
++More docs are available at https://wiki.nftables.org
++
++.SH DESCRIPTION
++.B arptables
++is a user space tool, it is used to set up and maintain the
++tables of ARP rules in the Linux kernel. These rules inspect
++the ARP frames which they see.
++.B arptables
++is analogous to the
++.B iptables
++user space tool, but
++.B arptables
++is less complicated.
++
++.SS CHAINS
++The kernel table is used to divide functionality into
++different sets of rules. Each set of rules is called a chain.
++Each chain is an ordered list of rules that can match ARP frames. If a
++rule matches an ARP frame, then a processing specification tells
++what to do with that matching frame. The processing specification is
++called a 'target'. However, if the frame does not match the current
++rule in the chain, then the next rule in the chain is examined and so forth.
++The user can create new (user-defined) chains which can be used as the 'target' of a rule.
++
++.SS TARGETS
++A firewall rule specifies criteria for an ARP frame and a frame
++processing specification called a target.  When a frame matches a rule,
++then the next action performed by the kernel is specified by the target.
++The target can be one of these values:
++.IR ACCEPT ,
++.IR DROP ,
++.IR CONTINUE ,
++.IR RETURN ,
++an 'extension' (see below) or a user-defined chain.
++.PP
++.I ACCEPT
++means to let the frame through.
++.I DROP
++means the frame has to be dropped.
++.I CONTINUE
++means the next rule has to be checked. This can be handy to know how many
++frames pass a certain point in the chain or to log those frames.
++.I RETURN
++means stop traversing this chain and resume at the next rule in the
++previous (calling) chain.
++For the extension targets please see the
++.B "TARGET EXTENSIONS"
++section of this man page.
++.SS TABLES
++There is only one ARP table in the Linux
++kernel.  The table is
++.BR filter.
++You can drop the '-t filter' argument to the arptables command.
++The -t argument must be the
++first argument on the arptables command line, if used.
++.TP
++.B "-t, --table"
++.br
++.BR filter ,
++is the only table and contains two (Linux kernels 2.4.X) or three (Linux kernels 2.6.0 and later) built-in chains:
++.B INPUT 
++(for frames destined for the host), 
++.B OUTPUT 
++(for locally-generated frames) and
++.B FORWARD
++(for frames being forwarded by the bridge code). The
++.B FORWARD
++chain doesn't exist in Linux 2.4.X kernels.
++.br
++.br
++.SH ARPTABLES COMMAND LINE ARGUMENTS
++After the initial arptables command line argument, the remaining
++arguments can be divided into several different groups.  These groups
++are commands, miscellaneous commands, rule-specifications, match-extensions,
++and watcher-extensions.
++.SS COMMANDS
++The arptables command arguments specify the actions to perform on the table
++defined with the -t argument.  If you do not use the -t argument to name
++a table, the commands apply to the default filter table.
++With the exception of the
++.B "-Z"
++command, only one command may be used on the command line at a time.
++.TP
++.B "-A, --append"
++Append a rule to the end of the selected chain.
++.TP
++.B "-D, --delete"
++Delete the specified rule from the selected chain. There are two ways to
++use this command. The first is by specifying an interval of rule numbers
++to delete, syntax: start_nr[:end_nr]. Using negative numbers is allowed, for more
++details about using negative numbers, see the -I command. The second usage is by
++specifying the complete rule as it would have been specified when it was added.
++.TP
++.B "-I, --insert"
++Insert the specified rule into the selected chain at the specified rule number.
++If the current number of rules equals N, then the specified number can be
++between -N and N+1. For a positive number i, it holds that i and i-N-1 specify the
++same place in the chain where the rule should be inserted. The number 0 specifies
++the place past the last rule in the chain and using this number is therefore
++equivalent with using the -A command.
++.TP
++.B "-R, --replace"
++Replaces the specified rule into the selected chain at the specified rule number.
++If the current number of rules equals N, then the specified number can be
++between 1 and N. i specifies the place in the chain where the rule should be replaced.
++.TP
++.B "-P, --policy"
++Set the policy for the chain to the given target. The policy can be
++.BR ACCEPT ", " DROP " or " RETURN .
++.TP
++.B "-F, --flush"
++Flush the selected chain. If no chain is selected, then every chain will be
++flushed. Flushing the chain does not change the policy of the
++chain, however.
++.TP
++.B "-Z, --zero"
++Set the counters of the selected chain to zero. If no chain is selected, all the counters
++are set to zero. The
++.B "-Z"
++command can be used in conjunction with the 
++.B "-L"
++command.
++When both the
++.B "-Z"
++and
++.B "-L"
++commands are used together in this way, the rule counters are printed on the screen
++before they are set to zero.
++.TP
++.B "-L, --list"
++List all rules in the selected chain. If no chain is selected, all chains
++are listed.
++.TP
++.B "-N, --new-chain"
++Create a new user-defined chain with the given name. The number of
++user-defined chains is unlimited. A user-defined chain name has maximum
++length of 31 characters.
++.TP
++.B "-X, --delete-chain"
++Delete the specified user-defined chain. There must be no remaining references
++to the specified chain, otherwise
++.B arptables
++will refuse to delete it. If no chain is specified, all user-defined
++chains that aren't referenced will be removed.
++.TP
++.B "-E, --rename-chain"
++Rename the specified chain to a new name.  Besides renaming a user-defined
++chain, you may rename a standard chain name to a name that suits your
++taste. For example, if you like PREBRIDGING more than PREROUTING,
++then you can use the -E command to rename the PREROUTING chain. If you do
++rename one of the standard
++.B arptables
++chain names, please be sure to mention
++this fact should you post a question on the
++.B arptables
++mailing lists.
++It would be wise to use the standard name in your post. Renaming a standard
++.B arptables
++chain in this fashion has no effect on the structure or function
++of the
++.B arptables
++kernel table.
++
++.SS MISCELLANOUS COMMANDS
++.TP
++.B "-V, --version"
++Show the version of the arptables userspace program.
++.TP
++.B "-h, --help"
++Give a brief description of the command syntax.
++.TP
++.BR "-j, --jump " "\fItarget\fP"
++The target of the rule. This is one of the following values:
++.BR ACCEPT ,
++.BR DROP ,
++.BR CONTINUE ,
++.BR RETURN ,
++a target extension (see
++.BR "TARGET EXTENSIONS" ")"
++or a user-defined chain name.
++.TP
++.BI "-c, --set-counters " "PKTS BYTES"
++This enables the administrator to initialize the packet and byte
++counters of a rule (during
++.B INSERT,
++.B APPEND,
++.B REPLACE
++operations).
++
++.SS RULE-SPECIFICATIONS
++The following command line arguments make up a rule specification (as used 
++in the add and delete commands). A "!" option before the specification 
++inverts the test for that specification. Apart from these standard rule 
++specifications there are some other command line arguments of interest.
++.TP
++.BR "-s, --source-ip " "[!] \fIaddress\fP[/\fImask]\fP"
++The Source IP specification.
++.TP 
++.BR "-d, --destination-ip " "[!] \fIaddress\fP[/\fImask]\fP"
++The Destination IP specification.
++.TP 
++.BR "--source-mac " "[!] \fIaddress\fP[/\fImask\fP]"
++The source mac address. Both mask and address are written as 6 hexadecimal
++numbers separated by colons.
++.TP
++.BR "--destination-mac " "[!] \fIaddress\fP[/\fImask\fP]"
++The destination mac address. Both mask and address are written as 6 hexadecimal
++numbers separated by colons.
++.TP 
++.BR "-i, --in-interface " "[!] \fIname\fP"
++The interface via which a frame is received (for the
++.BR INPUT " and " FORWARD
++chains). The flag
++.B --in-if
++is an alias for this option.
++.TP
++.BR "-o, --out-interface " "[!] \fIname\fP"
++The interface via which a frame is going to be sent (for the
++.BR OUTPUT " and " FORWARD
++chains). The flag
++.B --out-if
++is an alias for this option.
++.TP
++.BR "-l, --h-length " "\fIlength\fP[/\fImask\fP]"
++The hardware length (nr of bytes)
++.TP
++.BR "--opcode " "\fIcode\fP[/\fImask\fP]
++The operation code (2 bytes). Available values are:
++.BR 1 = Request
++.BR 2 = Reply
++.BR 3 = Request_Reverse
++.BR 4 = Reply_Reverse
++.BR 5 = DRARP_Request
++.BR 6 = DRARP_Reply
++.BR 7 = DRARP_Error
++.BR 8 = InARP_Request
++.BR 9 = ARP_NAK .
++.TP
++.BR "--h-type " "\fItype\fP[/\fImask\fP]"
++The hardware type (2 bytes, hexadecimal). Available values are:
++.BR 1 = Ethernet .
++.TP
++.BR "--proto-type " "\fItype\fP[/\fImask\fP]"
++The protocol type (2 bytes). Available values are:
++.BR 0x800 = IPv4 .
++
++.SS TARGET-EXTENSIONS
++.B arptables
++extensions are precompiled into the userspace tool. So there is no need
++to explicitly load them with a -m option like in
++.BR iptables .
++However, these
++extensions deal with functionality supported by supplemental kernel modules.
++.SS mangle
++.TP
++.BR "--mangle-ip-s IP address"
++Mangles Source IP Address to given value.
++.TP
++.BR "--mangle-ip-d IP address"
++Mangles Destination IP Address to given value.
++.TP
++.BR "--mangle-mac-s MAC address"
++Mangles Source MAC Address to given value.
++.TP
++.BR "--mangle-mac-d MAC address"
++Mangles Destination MAC Address to given value.
++.TP
++.BR "--mangle-target target "
++Target of ARP mangle operation
++.BR "" ( DROP ", " CONTINUE " or " ACCEPT " -- default is " ACCEPT ).
++.SS CLASSIFY
++This  module  allows you to set the skb->priority value (and thus clas-
++sify the packet into a specific CBQ class).
++
++.TP
++.BR "--set-class major:minor"
++
++Set the major and minor  class  value.  The  values  are  always
++interpreted as hexadecimal even if no 0x prefix is given.
++
++.SS MARK
++This  module  allows you to set the skb->mark value (and thus classify
++the packet by the mark in u32)
++
++.TP
++.BR "--set-mark mark"
++Set the mark value. The  values  are  always
++interpreted as hexadecimal even if no 0x prefix is given
++
++.TP
++.BR "--and-mark mark"
++Binary AND the mark with bits.
++
++.TP
++.BR "--or-mark mark"
++Binary OR the mark with bits.
++
++.SH MAILINGLISTS
++.BR "" "See " http://netfilter.org/mailinglists.html
++.SH SEE ALSO
++.BR iptables "(8), " ebtables "(8), " arp "(8), " rarp "(8), " ifconfig "(8), " route (8)
++.PP
++.BR "" "See " http://ebtables.sf.net
+-- 
+2.21.0
+

0004-doc-Adjust-arptables-man-pages.patch

@@ -0,0 +1,192 @@
+From 2efbd30ed9f1db90b32b556d0e3df16d05281bc7 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Wed, 13 Mar 2019 20:46:13 +0100
+Subject: [PATCH] doc: Adjust arptables man pages
+
+Change content to suit the shipped nft-based variant. Most relevant
+changes:
+
+* FORWARD chain is not supported
+* arptables-nft-save supports a few parameters
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+(cherry picked from commit 1a0cd997d601794c7031346063b8b77f4af2a13e)
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ iptables/arptables-nft-restore.8 |  6 ++--
+ iptables/arptables-nft-save.8    | 20 +++++++++----
+ iptables/arptables-nft.8         | 48 +++++++++++++++-----------------
+ 3 files changed, 39 insertions(+), 35 deletions(-)
+
+diff --git a/iptables/arptables-nft-restore.8 b/iptables/arptables-nft-restore.8
+index 4f2f623673415..09d9082cf9fd3 100644
+--- a/iptables/arptables-nft-restore.8
++++ b/iptables/arptables-nft-restore.8
+@@ -1,4 +1,4 @@
+-.TH ARPTABLES-RESTORE 8 "Nov 07, 2013" "" ""
++.TH ARPTABLES-RESTORE 8 "March 2019" "" ""
+ .\"
+ .\" Man page written by Jesper Dangaard Brouer <brouer@redhat.com> based on a
+ .\" Man page written by Harald Welte <laforge@gnumonks.org>
+@@ -20,7 +20,7 @@
+ .\"
+ .\"
+ .SH NAME
+-arptables-restore \(em Restore ARP Tables
++arptables-restore \- Restore ARP Tables (nft-based)
+ .SH SYNOPSIS
+ \fBarptables\-restore
+ .SH DESCRIPTION
+@@ -32,8 +32,6 @@ Use I/O redirection provided by your shell to read from a file
+ .TP
+ .B arptables-restore
+ flushes (deletes) all previous contents of the respective ARP Table.
+-.SH BUGS
+-None known as of arptables-0.0.4 release
+ .SH AUTHOR
+ Jesper Dangaard Brouer <brouer@redhat.com>
+ .SH SEE ALSO
+diff --git a/iptables/arptables-nft-save.8 b/iptables/arptables-nft-save.8
+index 34791a9c087f0..905e59854cc28 100644
+--- a/iptables/arptables-nft-save.8
++++ b/iptables/arptables-nft-save.8
+@@ -1,4 +1,4 @@
+-.TH ARPTABLES-SAVE 8 "Nov 07, 2013" "" ""
++.TH ARPTABLES-SAVE 8 "March 2019" "" ""
+ .\"
+ .\" Man page written by Jesper Dangaard Brouer <brouer@redhat.com> based on a
+ .\" Man page written by Harald Welte <laforge@gnumonks.org>
+@@ -20,16 +20,26 @@
+ .\"
+ .\"
+ .SH NAME
+-arptables-save \(em dump arptables rules to stdout
++arptables-save \- dump arptables rules to stdout (nft-based)
+ .SH SYNOPSIS
+-\fBarptables\-save
++\fBarptables\-save\fP [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP]
++.P
++\fBarptables\-save\fP [\fB\-V\fP]
+ .SH DESCRIPTION
+ .PP
+ .B arptables-save
+ is used to dump the contents of an ARP Table in easily parseable format
+ to STDOUT. Use I/O-redirection provided by your shell to write to a file.
+-.SH BUGS
+-None known as of arptables-0.0.4 release
++.TP
++\fB\-M\fR, \fB\-\-modprobe\fR \fImodprobe_program\fP
++Specify the path to the modprobe program. By default, arptables-save will
++inspect /proc/sys/kernel/modprobe to determine the executable's path.
++.TP
++\fB\-c\fR, \fB\-\-counters\fR
++Include the current values of all packet and byte counters in the output.
++.TP
++\fB\-V\fR, \fB\-\-version\fR
++Print version information and exit.
+ .SH AUTHOR
+ Jesper Dangaard Brouer <brouer@redhat.com>
+ .SH SEE ALSO
+diff --git a/iptables/arptables-nft.8 b/iptables/arptables-nft.8
+index 3ce99e3757004..ea31e0842acd4 100644
+--- a/iptables/arptables-nft.8
++++ b/iptables/arptables-nft.8
+@@ -1,4 +1,4 @@
+-.TH ARPTABLES 8  "June 2018"
++.TH ARPTABLES 8  "March 2019"
+ .\"
+ .\" Man page originally written by Jochen Friedrich <jochen@scram.de>,
+ .\" maintained by Bart De Schuymer.
+@@ -22,7 +22,7 @@
+ .\"
+ .\"
+ .SH NAME
+-arptables \- ARP table administration (legacy)
++arptables \- ARP table administration (nft-based)
+ .SH SYNOPSIS
+ .BR "arptables " [ "-t table" ] " -" [ AD ] " chain rule-specification " [ options ]
+ .br
+@@ -38,17 +38,6 @@ arptables \- ARP table administration (legacy)
+ .br
+ .BR "arptables " [ "-t table" ] " -P chain target " [ options ]
+ 
+-.SH LEGACY
+-This tool uses the old xtables/setsockopt framework, and is a legacy version
+-of arptables. That means that a new, more modern tool exists with the same
+-functionality using the nf_tables framework and you are encouraged to migrate now.
+-The new binaries (formerly known as -compat) uses the same syntax and
+-semantics than this legacy one.
+-
+-You can still use this legacy tool. You should probably get some specific
+-information from your Linux distribution or vendor.
+-More docs are available at https://wiki.nftables.org
+-
+ .SH DESCRIPTION
+ .B arptables
+ is a user space tool, it is used to set up and maintain the
+@@ -106,15 +95,11 @@ first argument on the arptables command line, if used.
+ .B "-t, --table"
+ .br
+ .BR filter ,
+-is the only table and contains two (Linux kernels 2.4.X) or three (Linux kernels 2.6.0 and later) built-in chains:
++is the only table and contains two built-in chains:
+ .B INPUT 
+-(for frames destined for the host), 
++(for frames destined for the host) and
+ .B OUTPUT 
+-(for locally-generated frames) and
+-.B FORWARD
+-(for frames being forwarded by the bridge code). The
+-.B FORWARD
+-chain doesn't exist in Linux 2.4.X kernels.
++(for locally-generated frames).
+ .br
+ .br
+ .SH ARPTABLES COMMAND LINE ARGUMENTS
+@@ -258,15 +243,15 @@ numbers separated by colons.
+ .TP 
+ .BR "-i, --in-interface " "[!] \fIname\fP"
+ The interface via which a frame is received (for the
+-.BR INPUT " and " FORWARD
+-chains). The flag
++.B INPUT
++chain). The flag
+ .B --in-if
+ is an alias for this option.
+ .TP
+ .BR "-o, --out-interface " "[!] \fIname\fP"
+ The interface via which a frame is going to be sent (for the
+-.BR OUTPUT " and " FORWARD
+-chains). The flag
++.B OUTPUT
++chain). The flag
+ .B --out-if
+ is an alias for this option.
+ .TP
+@@ -344,9 +329,20 @@ Binary AND the mark with bits.
+ .BR "--or-mark mark"
+ Binary OR the mark with bits.
+ 
++.SH NOTES
++In this nft-based version of
++.BR arptables ,
++support for
++.B FORWARD
++chain has not been implemented. Since ARP packets are "forwarded" only by Linux
++bridges, the same may be achieved using
++.B FORWARD
++chain in
++.BR ebtables .
++
+ .SH MAILINGLISTS
+ .BR "" "See " http://netfilter.org/mailinglists.html
+ .SH SEE ALSO
+-.BR iptables "(8), " ebtables "(8), " arp "(8), " rarp "(8), " ifconfig "(8), " route (8)
++.BR xtables-nft "(8), " iptables "(8), " ebtables "(8), " ip (8)
+ .PP
+-.BR "" "See " http://ebtables.sf.net
++.BR "" "See " https://wiki.nftables.org
+-- 
+2.21.0
+

0006-doc-Adjust-ebtables-man-page.patch

@@ -0,0 +1,275 @@
+From a3310b304ca75f45505b89071b1537a6fcc97228 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Wed, 13 Mar 2019 20:46:15 +0100
+Subject: [PATCH] doc: Adjust ebtables man page
+
+Change content to match nft-variant, most notably:
+
+* There is no broute table, drop all references to it
+* Comment out description of among and string matches, we don't support
+  them (yet)
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+(cherry picked from commit 1939cbc25e6f51cebaa7a2d71c45bb312bab8668)
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ iptables/ebtables-nft.8 | 164 ++++++++++++++++------------------------
+ 1 file changed, 67 insertions(+), 97 deletions(-)
+
+diff --git a/iptables/ebtables-nft.8 b/iptables/ebtables-nft.8
+index 55204ab91e8a4..db8b2ab28cca5 100644
+--- a/iptables/ebtables-nft.8
++++ b/iptables/ebtables-nft.8
+@@ -24,7 +24,7 @@
+ .\"     
+ .\"
+ .SH NAME
+-ebtables-legacy (2.0.10.4@) \- Ethernet bridge frame table administration (legacy)
++ebtables \- Ethernet bridge frame table administration (nft-based)
+ .SH SYNOPSIS
+ .BR "ebtables " [ -t " table ] " - [ ACDI "] chain rule specification [match extensions] [watcher extensions] target"
+ .br
+@@ -51,17 +51,6 @@ ebtables-legacy (2.0.10.4@) \- Ethernet bridge frame table administration (legac
+ .BR "ebtables " [ -t " table ] [" --atomic-file " file] " --atomic-save
+ .br
+ 
+-.SH LEGACY
+-This tool uses the old xtables/setsockopt framework, and is a legacy version
+-of ebtables. That means that a new, more modern tool exists with the same
+-functionality using the nf_tables framework and you are encouraged to migrate now.
+-The new binaries (known as ebtables-nft and formerly known as ebtables-compat)
+-uses the same syntax and semantics than this legacy one.
+-
+-You can still use this legacy tool. You should probably get some specific
+-information from your Linux distribution or vendor.
+-More docs are available at https://wiki.nftables.org
+-
+ .SH DESCRIPTION
+ .B ebtables
+ is an application program used to set up and maintain the
+@@ -72,7 +61,7 @@ It is analogous to the
+ application, but less complicated, due to the fact that the Ethernet protocol
+ is much simpler than the IP protocol.
+ .SS CHAINS
+-There are three ebtables tables with built-in chains in the
++There are two ebtables tables with built-in chains in the
+ Linux kernel. These tables are used to divide functionality into
+ different sets of rules. Each set of rules is called a chain.
+ Each chain is an ordered list of rules that can match Ethernet frames. If a
+@@ -98,10 +87,7 @@ an 'extension' (see below) or a jump to a user-defined chain.
+ .B ACCEPT
+ means to let the frame through.
+ .B DROP
+-means the frame has to be dropped. In the
+-.BR BROUTING " chain however, the " ACCEPT " and " DROP " target have different"
+-meanings (see the info provided for the
+-.BR -t " option)."
++means the frame has to be dropped.
+ .B CONTINUE
+ means the next rule has to be checked. This can be handy, f.e., to know how many
+ frames pass a certain point in the chain, to log those frames or to apply multiple
+@@ -113,14 +99,16 @@ For the extension targets please refer to the
+ .B "TARGET EXTENSIONS"
+ section of this man page.
+ .SS TABLES
+-As stated earlier, there are three ebtables tables in the Linux
++As stated earlier, there are two ebtables tables in the Linux
+ kernel.  The table names are
+-.BR filter ", " nat " and " broute .
+-Of these three tables,
++.BR filter " and " nat .
++Of these two tables,
+ the filter table is the default table that the command operates on.
+ If you are working with the filter table, then you can drop the '-t filter'
+ argument to the ebtables command.  However, you will need to provide
+-the -t argument for the other two tables.  Moreover, the -t argument must be the
++the -t argument for
++.B nat
++table.  Moreover, the -t argument must be the
+ first argument on the ebtables command line, if used. 
+ .TP
+ .B "-t, --table"
+@@ -149,25 +137,6 @@ iptables world to ebtables it is easier to have the same names. Note that you
+ can change the name
+ .BR "" ( -E )
+ if you don't like the default.
+-.br
+-.br
+-.B broute
+-is used to make a brouter, it has one built-in chain:
+-.BR BROUTING .
+-The targets
+-.BR DROP " and " ACCEPT
+-have a special meaning in the broute table (these names are used instead of
+-more descriptive names to keep the implementation generic).
+-.B DROP
+-actually means the frame has to be routed, while
+-.B ACCEPT
+-means the frame has to be bridged. The
+-.B BROUTING
+-chain is traversed very early. However, it is only traversed by frames entering on
+-a bridge port that is in forwarding state. Normally those frames
+-would be bridged, but you can decide otherwise here. The
+-.B redirect
+-target is very handy here.
+ .SH EBTABLES COMMAND LINE ARGUMENTS
+ After the initial ebtables '-t table' command line argument, the remaining
+ arguments can be divided into several groups.  These groups
+@@ -553,35 +522,35 @@ If the 802.3 DSAP and SSAP values are 0xaa then the SNAP type field must
+ be consulted to determine the payload protocol.  This is a two byte
+ (hexadecimal) argument.  Only 802.3 frames with DSAP/SSAP 0xaa are
+ checked for type.
+-.SS among
+-Match a MAC address or MAC/IP address pair versus a list of MAC addresses
+-and MAC/IP address pairs.
+-A list entry has the following format:
+-.IR xx:xx:xx:xx:xx:xx[=ip.ip.ip.ip][,] ". Multiple"
+-list entries are separated by a comma, specifying an IP address corresponding to
+-the MAC address is optional. Multiple MAC/IP address pairs with the same MAC address
+-but different IP address (and vice versa) can be specified. If the MAC address doesn't
+-match any entry from the list, the frame doesn't match the rule (unless "!" was used).
+-.TP
+-.BR "--among-dst " "[!] \fIlist\fP"
+-Compare the MAC destination to the given list. If the Ethernet frame has type
+-.IR IPv4 " or " ARP ,
+-then comparison with MAC/IP destination address pairs from the
+-list is possible.
+-.TP
+-.BR "--among-src " "[!] \fIlist\fP"
+-Compare the MAC source to the given list. If the Ethernet frame has type
+-.IR IPv4 " or " ARP ,
+-then comparison with MAC/IP source address pairs from the list
+-is possible.
+-.TP
+-.BR "--among-dst-file " "[!] \fIfile\fP"
+-Same as
+-.BR --among-dst " but the list is read in from the specified file."
+-.TP
+-.BR "--among-src-file " "[!] \fIfile\fP"
+-Same as
+-.BR --among-src " but the list is read in from the specified file."
++.\" .SS among
++.\" Match a MAC address or MAC/IP address pair versus a list of MAC addresses
++.\" and MAC/IP address pairs.
++.\" A list entry has the following format:
++.\" .IR xx:xx:xx:xx:xx:xx[=ip.ip.ip.ip][,] ". Multiple"
++.\" list entries are separated by a comma, specifying an IP address corresponding to
++.\" the MAC address is optional. Multiple MAC/IP address pairs with the same MAC address
++.\" but different IP address (and vice versa) can be specified. If the MAC address doesn't
++.\" match any entry from the list, the frame doesn't match the rule (unless "!" was used).
++.\" .TP
++.\" .BR "--among-dst " "[!] \fIlist\fP"
++.\" Compare the MAC destination to the given list. If the Ethernet frame has type
++.\" .IR IPv4 " or " ARP ,
++.\" then comparison with MAC/IP destination address pairs from the
++.\" list is possible.
++.\" .TP
++.\" .BR "--among-src " "[!] \fIlist\fP"
++.\" Compare the MAC source to the given list. If the Ethernet frame has type
++.\" .IR IPv4 " or " ARP ,
++.\" then comparison with MAC/IP source address pairs from the list
++.\" is possible.
++.\" .TP
++.\" .BR "--among-dst-file " "[!] \fIfile\fP"
++.\" Same as
++.\" .BR --among-dst " but the list is read in from the specified file."
++.\" .TP
++.\" .BR "--among-src-file " "[!] \fIfile\fP"
++.\" Same as
++.\" .BR --among-src " but the list is read in from the specified file."
+ .SS arp
+ Specify (R)ARP fields. The protocol must be specified as
+ .IR ARP " or " RARP .
+@@ -822,26 +791,26 @@ The hello time timer (0-65535) range.
+ .TP
+ .BR "--stp-forward-delay " "[!] [\fIdelay\fP][:\fIdelay\fP]"
+ The forward delay timer (0-65535) range.
+-.SS string
+-This module matches on a given string using some pattern matching strategy.
+-.TP
+-.BR "--string-algo " "\fIalgorithm\fP"
+-The pattern matching strategy. (bm = Boyer-Moore, kmp = Knuth-Pratt-Morris)
+-.TP
+-.BR "--string-from " "\fIoffset\fP"
+-The lowest offset from which a match can start. (default: 0)
+-.TP
+-.BR "--string-to " "\fIoffset\fP"
+-The highest offset from which a match can start. (default: size of frame)
+-.TP
+-.BR "--string " "[!] \fIpattern\fP"
+-Matches the given pattern.
+-.TP
+-.BR "--string-hex " "[!] \fIpattern\fP"
+-Matches the given pattern in hex notation, e.g. '|0D 0A|', '|0D0A|', 'www|09|netfilter|03|org|00|'
+-.TP
+-.BR "--string-icase"
+-Ignore case when searching.
++.\" .SS string
++.\" This module matches on a given string using some pattern matching strategy.
++.\" .TP
++.\" .BR "--string-algo " "\fIalgorithm\fP"
++.\" The pattern matching strategy. (bm = Boyer-Moore, kmp = Knuth-Pratt-Morris)
++.\" .TP
++.\" .BR "--string-from " "\fIoffset\fP"
++.\" The lowest offset from which a match can start. (default: 0)
++.\" .TP
++.\" .BR "--string-to " "\fIoffset\fP"
++.\" The highest offset from which a match can start. (default: size of frame)
++.\" .TP
++.\" .BR "--string " "[!] \fIpattern\fP"
++.\" Matches the given pattern.
++.\" .TP
++.\" .BR "--string-hex " "[!] \fIpattern\fP"
++.\" Matches the given pattern in hex notation, e.g. '|0D 0A|', '|0D0A|', 'www|09|netfilter|03|org|00|'
++.\" .TP
++.\" .BR "--string-icase"
++.\" Ignore case when searching.
+ .SS vlan
+ Specify 802.1Q Tag Control Information fields.
+ The protocol must be specified as
+@@ -1026,7 +995,6 @@ The default target
+ The
+ .B dnat
+ target can only be used in the
+-.BR BROUTING " chain of the " broute " table and the "
+ .BR PREROUTING " and " OUTPUT " chains of the " nat " table."
+ It specifies that the destination MAC address has to be changed.
+ .TP
+@@ -1089,11 +1057,8 @@ The
+ .B redirect
+ target will change the MAC target address to that of the bridge device the
+ frame arrived on. This target can only be used in the
+-.BR BROUTING " chain of the " broute " table and the "
+ .BR PREROUTING " chain of the " nat " table."
+-In the
+-.BR BROUTING " chain, the MAC address of the bridge port is used as destination address,"
+-.BR "" "in the " PREROUTING " chain, the MAC address of the bridge is used."
++The MAC address of the bridge is used as destination address."
+ .TP
+ .BR "--redirect-target " "\fItarget\fP"
+ .br
+@@ -1135,12 +1100,17 @@ arp message and the hardware address length in the arp header is 6 bytes.
+ .br
+ .SH FILES
+ .I /etc/ethertypes
+-.I /var/lib/ebtables/lock
+ .SH ENVIRONMENT VARIABLES
+ .I EBTABLES_ATOMIC_FILE
+ .SH MAILINGLISTS
+ .BR "" "See " http://netfilter.org/mailinglists.html
++.SH BUGS
++The version of ebtables this man page ships with does not support the
++.B broute
++table. Also there is no support for
++.BR among " and " string
++matches. And finally, this list is probably not complete.
+ .SH SEE ALSO
+-.BR iptables "(8), " brctl "(8), " ifconfig "(8), " route (8)
++.BR xtables-nft "(8), " iptables "(8), " ip (8)
+ .PP
+-.BR "" "See " http://ebtables.sf.net
++.BR "" "See " https://wiki.nftables.org
+-- 
+2.21.0
+

arptables-nft-helper

@@ -0,0 +1,68 @@
+#!/bin/sh
+# config: /etc/sysconfig/arptables
+
+# Source 'em up
+. /etc/init.d/functions
+
+ARPTABLES_CONFIG=/etc/sysconfig/arptables
+
+start() {
+	if [ ! -x /usr/sbin/arptables ]; then
+		exit 4
+	fi
+
+	# don't do squat if we don't have the config file
+	if [ -f $ARPTABLES_CONFIG ]; then
+		echo -n $"Applying arptables firewall rules: "
+		/usr/sbin/arptables-restore < $ARPTABLES_CONFIG && \
+			success || \
+			failure
+		echo
+		touch /var/lock/subsys/arptables
+	else
+		failure
+		echo
+		echo $"Configuration file /etc/sysconfig/arptables missing"
+		exit 6
+	fi
+}
+
+stop() {
+	echo -n $"Removing user defined chains:"
+	arptables -X && success || failure
+	echo -n $"Flushing all chains:"
+	arptables -F && success || failure
+	echo -n $"Resetting built-in chains to the default ACCEPT policy:"
+	arptables -P INPUT ACCEPT && \
+		arptables -P OUTPUT ACCEPT && \
+		success || \
+		failure
+	echo
+	rm -f /var/lock/subsys/arptables
+}
+
+case "$1" in
+start)
+	start
+	;;
+
+stop)
+	stop
+	;;
+
+restart|reload)
+	# "restart" is really just "start" as this isn't a daemon,
+	# and "start" clears any pre-defined rules anyway.
+	# This is really only here to make those who expect it happy
+	start
+	;;
+
+condrestart|try-restart|force-reload)
+	[ -e /var/lock/subsys/arptables ] && start
+	;;
+
+*)
+	exit 2
+esac
+
+exit 0

iptables-1.6.0-iptables-apply_mktemp.patch

@@ -1,21 +0,0 @@
-diff -up iptables-1.6.0/iptables/iptables-apply.iptables-apply_mktemp iptables-1.6.0/iptables/iptables-apply
---- iptables-1.6.0/iptables/iptables-apply.iptables-apply_mktemp	2015-12-09 13:55:06.000000000 +0100
-+++ iptables-1.6.0/iptables/iptables-apply	2016-04-13 17:44:07.130453958 +0200
-@@ -111,7 +111,7 @@ if [[ ! -r "$FILE" ]]; then
- 	exit 2
- fi
- 
--COMMANDS=(tempfile "$SAVE" "$RESTORE")
-+COMMANDS=(mktemp "$SAVE" "$RESTORE")
- 
- for cmd in "${COMMANDS[@]}"; do
- 	if ! command -v $cmd >/dev/null; then
-@@ -122,7 +122,7 @@ done
- 
- umask 0700
- 
--TMPFILE=$(tempfile -p iptap)
-+TMPFILE=$(mktemp)
- trap "rm -f $TMPFILE" EXIT 1 2 3 4 5 6 7 8 10 11 12 13 14 15
- 
- if ! "$SAVE" >"$TMPFILE"; then

iptables-1.8.0-xtables-nft-multi.patch

@@ -1,15 +0,0 @@
-diff --git a/iptables/xtables-nft-multi.c b/iptables/xtables-nft-multi.c
-index 187da81e9f59b..03690a56edb72 100644
---- a/iptables/xtables-nft-multi.c
-+++ b/iptables/xtables-nft-multi.c
-@@ -31,8 +31,10 @@ static const struct subcommand multi_subcommands[] = {
- 	{"iptables-restore-translate",	xtables_ip4_xlate_restore_main},
- 	{"ip6tables-restore-translate",	xtables_ip6_xlate_restore_main},
- 	{"arptables",			xtables_arp_main},
-+	{"arptables-nft",		xtables_arp_main},
- 	{"ebtables-translate",		xtables_eb_xlate_main},
- 	{"ebtables",			xtables_eb_main},
-+	{"ebtables-nft",		xtables_eb_main},
- 	{"xtables-monitor",		xtables_monitor_main},
- 	{NULL},
- };

iptables.spec

@@ -6,16 +6,21 @@
 
 Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities
-Version: 1.8.0
+Version: 1.8.2
-Release: 5%{?dist}
+Release: 1%{?dist}
 Source: http://www.netfilter.org/projects/iptables/files/%{name}-%{version}.tar.bz2
 Source1: iptables.init
 Source2: iptables-config
 Source3: iptables.service
 Source4: sysconfig_iptables
 Source5: sysconfig_ip6tables
-Patch1: iptables-1.6.0-iptables-apply_mktemp.patch
+Source6: arptables-nft-helper
-Patch2: iptables-1.8.0-xtables-nft-multi.patch
+Patch1: 0001-iptables-apply-Use-mktemp-instead-of-tempfile.patch
+Patch2: 0002-extensions-format-security-fixes-in-libip-6-t_icmp.patch
+Patch3: 0003-doc-Add-arptables-nft-man-pages.patch
+Patch4: 0004-doc-Adjust-arptables-man-pages.patch
+Patch5: 0005-doc-Add-ebtables-man-page.patch
+Patch6: 0006-doc-Adjust-ebtables-man-page.patch
 URL: http://www.netfilter.org/
 # pf.os: ISC license
 # iptables-apply: Artistic Licence 2.0
@@ -38,6 +43,10 @@ BuildRequires: pkgconfig(libmnl) >= 1.0
 BuildRequires: pkgconfig(libnftnl) >= 1.0.5
 # libpcap-devel for nfbpf_compile
 BuildRequires: libpcap-devel
+BuildRequires: autogen
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: libtool
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 %if 0%{?fedora} > 24
 Conflicts: setup < 2.10.4-1
@@ -102,16 +111,16 @@ Currently only provides nfnl_osf with the pf.os database.
 Summary: nftables compatibility for iptables, arptables and ebtables
 Requires: %{name} = %{version}-%{release}
 Obsoletes: iptables-compat < 1.6.2-4
+Provides: arptables-helper
 
 %description nft
 nftables compatibility for iptables, arptables and ebtables.
 
 %prep
-%setup -q
+%autosetup -p1
-%patch1 -p1 -b .iptables-apply_mktemp
-%patch2 -p1 -b .iptables-xtables_nft_multi
 
 %build
+./autogen.sh
 CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing " \
 %configure --enable-devel --enable-bpf-compiler --with-kernel=/usr --with-kbuild=/usr --with-ksource=/usr
 
@@ -184,14 +193,14 @@ install -m 644 iptables/iptables-apply.8 %{buildroot}%{_mandir}/man8/
 rm -f %{buildroot}%{_sysconfdir}/ethertypes
 %endif
 
-# rename ebtables and arptables to avoid conflicts
+install -p -D -m 755 %{SOURCE6} %{buildroot}%{_libexecdir}/
-mv %{buildroot}%{_sbindir}/ebtables %{buildroot}%{_sbindir}/ebtables-nft
+touch %{buildroot}%{_libexecdir}/arptables-helper
-mv %{buildroot}%{_sbindir}/arptables %{buildroot}%{_sbindir}/arptables-nft
 
-touch %{buildroot}%{_sbindir}/ebtables
+# prepare for alternatives
-touch %{buildroot}%{_sbindir}/arptables
+touch %{buildroot}%{_mandir}/man8/arptables.8
-touch %{buildroot}%{_sbindir}/iptables
+touch %{buildroot}%{_mandir}/man8/arptables-save.8
-touch %{buildroot}%{_sbindir}/ip6tables
+touch %{buildroot}%{_mandir}/man8/arptables-restore.8
+touch %{buildroot}%{_mandir}/man8/ebtables.8
 
 %ldconfig_scriptlets
 
@@ -233,13 +242,44 @@ pfx6=%{_sbindir}/ip6tables
 	--slave $pfx6-restore ip6tables-restore $pfx6-nft-restore \
 	--slave $pfx6-save ip6tables-save $pfx6-nft-save
 
-for cmd in ebtables arptables; do
+pfx=%{_sbindir}/ebtables
-	if [ "$(readlink -e %{_sbindir}/$cmd)" == %{_sbindir}/$cmd ]; then
+manpfx=%{_mandir}/man8/ebtables
-		rm -f %{_sbindir}/$cmd
+for sfx in "" "-restore" "-save"; do
+	if [ "$(readlink -e $pfx$sfx)" == $pfx$sfx ]; then
+		rm -f $pfx$sfx
 	fi
-	%{_sbindir}/update-alternatives --install \
-		%{_sbindir}/$cmd $cmd %{_sbindir}/$cmd-nft 5
 done
+if [ "$(readlink -e $manpfx.8.gz)" == $manpfx.8.gz ]; then
+	rm -f $manpfx.8.gz
+fi
+%{_sbindir}/update-alternatives --install \
+	$pfx ebtables $pfx-nft 5 \
+	--slave $pfx-save ebtables-save $pfx-nft-save \
+	--slave $pfx-restore ebtables-restore $pfx-nft-restore \
+	--slave $manpfx.8.gz ebtables-man $manpfx-nft.8.gz
+
+pfx=%{_sbindir}/arptables
+manpfx=%{_mandir}/man8/arptables
+lepfx=%{_libexecdir}/arptables
+for sfx in "" "-restore" "-save"; do
+	if [ "$(readlink -e $pfx$sfx)" == $pfx$sfx ]; then
+		rm -f $pfx$sfx
+	fi
+	if [ "$(readlink -e $manpfx$sfx.8.gz)" == $manpfx$sfx.8.gz ]; then
+		rm -f $manpfx$sfx.8.gz
+	fi
+done
+if [ "$(readlink -e $lepfx-helper)" == $lepfx-helper ]; then
+	rm -f $lepfx-helper
+fi
+%{_sbindir}/update-alternatives --install \
+	$pfx arptables $pfx-nft 5 \
+	--slave $pfx-save arptables-save $pfx-nft-save \
+	--slave $pfx-restore arptables-restore $pfx-nft-restore \
+	--slave $manpfx.8.gz arptables-man $manpfx-nft.8.gz \
+	--slave $manpfx-save.8.gz arptables-save-man $manpfx-nft-save.8.gz \
+	--slave $manpfx-restore.8.gz arptables-restore-man $manpfx-nft-restore.8.gz \
+	--slave $lepfx-helper arptables-helper $lepfx-nft-helper
 
 %postun nft
 if [ $1 -eq 0 ]; then
@@ -253,8 +293,6 @@ fi
 %{!?_licensedir:%global license %%doc}
 %license COPYING
 %doc INCOMPATIBILITIES
-%config(noreplace) %{_sysconfdir}/sysconfig/iptables-config
-%config(noreplace) %{_sysconfdir}/sysconfig/ip6tables-config
 %if 0%{?fedora} <= 24
 %{_sysconfdir}/ethertypes
 %endif
@@ -306,6 +344,8 @@ fi
 %{script_path}/ip6tables.init
 %config(noreplace) %{_sysconfdir}/sysconfig/iptables
 %config(noreplace) %{_sysconfdir}/sysconfig/ip6tables
+%config(noreplace) %{_sysconfdir}/sysconfig/iptables-config
+%config(noreplace) %{_sysconfdir}/sysconfig/ip6tables-config
 %{_unitdir}/iptables.service
 %{_unitdir}/ip6tables.service
 %dir %{legacy_actions}/iptables
@@ -328,13 +368,14 @@ fi
 %{_sbindir}/ip6tables-nft*
 %{_sbindir}/ip6tables-restore-translate
 %{_sbindir}/ip6tables-translate
-%{_sbindir}/ebtables-nft
+%{_sbindir}/ebtables-nft*
-%{_sbindir}/arptables-nft
+%{_sbindir}/arptables-nft*
 %{_sbindir}/xtables-nft-multi
 %{_sbindir}/xtables-monitor
+%{_libexecdir}/arptables-nft-helper
 %{_mandir}/man8/xtables-monitor*
-%{_mandir}/man8/xtables-nft*
 %{_mandir}/man8/xtables-translate*
+%{_mandir}/man8/*-nft*
 %ghost %{_sbindir}/iptables
 %ghost %{_sbindir}/iptables-restore
 %ghost %{_sbindir}/iptables-save
@@ -342,9 +383,25 @@ fi
 %ghost %{_sbindir}/ip6tables-restore
 %ghost %{_sbindir}/ip6tables-save
 %ghost %{_sbindir}/ebtables
+%ghost %{_sbindir}/ebtables-save
+%ghost %{_sbindir}/ebtables-restore
 %ghost %{_sbindir}/arptables
+%ghost %{_sbindir}/arptables-save
+%ghost %{_sbindir}/arptables-restore
+%ghost %{_libexecdir}/arptables-helper
+%ghost %{_mandir}/man8/arptables.8.gz
+%ghost %{_mandir}/man8/arptables-save.8.gz
+%ghost %{_mandir}/man8/arptables-restore.8.gz
+%ghost %{_mandir}/man8/ebtables.8.gz
+
 
 %changelog
+* Mon Apr 15 2019 Phil Sutter <psutter@redhat.com> - 1.8.2-1
+- New upstream version 1.8.2
+- Integrate ebtables and arptables save/restore scripts with alternatives
+- Add nft-specific ebtables and arptables man pages
+- Move /etc/sysconfig/ip*tables-config files into services sub-package
+
 * Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.0-5
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild