From 6e213cbdf7560964054792b8b19ace28b7b57eef Mon Sep 17 00:00:00 2001 From: Robert Scheck Date: Sat, 30 Jan 2021 22:59:17 +0100 Subject: [PATCH] iptables-1.8.7-6 This patch combines changes from f34 since iptables-1.8.7-3: - Spec file cleanup - Restore alternatives configuration after upgrade - Fix license location - Fix upgrade path with package rename - Add missing dependencies to iptables-nft package - Drop bootstrap code again - Drop workarounds for F24 and lower - Fix iptables-utils summary - Ship iptables-apply with iptables-utils - Reduce files sections by use of globbing - Ship common man pages with iptables-libs - Ship *-translate man pages with iptables-nft - Move legacy iptables binaries, libraries and headers into sub-packages - Introduce compat sub-package to help with above transitions - Drop libipulog header from devel package, this belongs to libnetfilter_log - Do not ship internal headers in devel package Resolves: RHBZ#1927721 --- iptables.spec | 287 ++++++++++++++++++++++++-------------------------- 1 file changed, 140 insertions(+), 147 deletions(-) diff --git a/iptables.spec b/iptables.spec index eb8e3e2..258f9dc 100644 --- a/iptables.spec +++ b/iptables.spec @@ -4,22 +4,14 @@ # service legacy actions (RHBZ#748134) %global legacy_actions %{_libexecdir}/initscripts/legacy-actions -# Bootstrap mode providing old and new versions of libip{4,6}tc in parallel -%global bootstrap 0 - -%if 0%{?bootstrap} -%global version_old 1.8.2 -%global iptc_so_ver_old 0 -%global ipXtc_so_ver_old 0 -%endif %global iptc_so_ver 0 %global ipXtc_so_ver 2 Name: iptables Summary: Tools for managing Linux kernel packet filtering capabilities -URL: http://www.netfilter.org/projects/iptables +URL: https://www.netfilter.org/projects/iptables Version: 1.8.7 -Release: 3%{?dist} +Release: 6%{?dist} Source: %{url}/files/%{name}-%{version}.tar.bz2 Source1: iptables.init Source2: iptables-config 
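Review bot: Switching `URL:` to https protects the download channel, but the tarball named by `Source: %{url}/files/%{name}-%{version}.tar.bz2` is still unpacked without any check against an upstream signature. If upstream publishes a detached signature for the release, add it and the signing keyring as extra `Source` entries and verify before the `%autosetup -p1` call in `%prep`, e.g. `%{gpgverify} --keyring='%{SOURCE<keyring>}' --signature='%{SOURCE<sig>}' --data='%{SOURCE0}'`, with `BuildRequires: gnupg2`. The `<keyring>` and `<sig>` source numbers are placeholders, since this page shows neither file.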
@@ -27,10 +19,6 @@ Source3: iptables.service
 Source4: sysconfig_iptables
 Source5: sysconfig_ip6tables
 Source6: arptables-nft-helper
-%if 0%{?bootstrap}
-Source7: %{url}/files/%{name}-%{version_old}.tar.bz2
-Source8: 0002-extensions-format-security-fixes-in-libip-6-t_icmp.patch
-%endif
 Patch1: 0001-ebtables-Exit-gracefully-on-invalid-table-names.patch
@@ -57,22 +45,54 @@ BuildRequires: autoconf BuildRequires: automake BuildRequires: libtool BuildRequires: make -Requires: %{name}-libs%{?_isa} = %{version}-%{release} -%if 0%{?fedora} > 24 -Conflicts: setup < 2.10.4-1 -%endif -Requires(post): %{_sbindir}/update-alternatives -Requires(postun): %{_sbindir}/update-alternatives %description The iptables utility controls the network packet filtering code in the Linux kernel. If you need to set up firewalls and/or IP masquerading, you should install this package. +%package compat +Summary: Temporary transitioning package +Obsoletes: %{name} < 1.8.7-4 +Requires: %{name}-legacy = %{version}-%{release} +Requires: %{name}-utils = %{version}-%{release} + +%description compat +This package only exists to help transition iptables users to the new +package split. It will be removed after one distribution release cycle, please +do not reference it or depend on it in any way. + +%package legacy +Summary: Legacy tools for managing Linux kernel packet filtering capabilities +Requires: %{name}-legacy-libs%{?_isa} = %{version}-%{release} +Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Conflicts: setup < 2.10.4-1 +Requires(post): %{_sbindir}/update-alternatives +Requires(postun): %{_sbindir}/update-alternatives +%if 0%{?rhel} < 9 +Provides: iptables +%endif + +%description legacy +The iptables utility controls the network packet filtering code in the +Linux kernel. This package contains the legacy tools which are obsoleted by +nft-variants in iptables-nft package for backwards compatibility reasons. +If you need to set up firewalls and/or IP masquerading, you should not install +this package but either nftables or iptables-nft instead. + %package libs -Summary: iptables libraries +Summary: libxtables and iptables extensions userspace support %description libs +libxtables and associated shared object files + +Libxtables provides unified access to iptables extensions in userspace. 
Data +and logic for those is kept in per-extension shared object files. + +%package legacy-libs +Summary: iptables legacy libraries + +%description legacy-libs iptables libraries. Please remember that libip*tc libraries do neither have a stable API nor a real so version. @@ -81,14 +101,23 @@ For more information about this, please have a look at http://www.netfilter.org/documentation/FAQ/netfilter-faq-4.html#ss4.5 - %package devel Summary: Development package for iptables -Requires: %{name}%{?_isa} = %{version}-%{release} +Requires: %{name}-libs%{?_isa} = %{version}-%{release} +# XXX: Drop this after two releases or so +Requires: %{name}-legacy-devel%{?_isa} = %{version}-%{release} Requires: pkgconfig %description devel -iptables development headers and libraries. +libxtables development headers and pkgconfig files + +%package legacy-devel +Summary: Development package for legacy iptables +Requires: %{name}-legacy-libs%{?_isa} = %{version}-%{release} +Requires: pkgconfig + +%description legacy-devel +Legacy iptables development headers and pkgconfig files The iptc libraries are marked as not public by upstream. The interface is not stable and may change with every new version. It is therefore unsupported. 
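Review bot: In `%package legacy`, the guard `%if 0%{?rhel} < 9` is also true wherever `%{rhel}` is undefined, because it then expands to `0 < 9`. `Provides: iptables` is therefore emitted on Fedora as well as on RHEL 8 and older, and the `iptables-nft` sub-package later in the spec carries the same unversioned `Provides: iptables`. A plain dependency on `iptables` can then be satisfied by either backend, so the dependency solver decides which firewall tooling lands on a host. If that is intended, a comment above the conditional would make it reviewable, e.g. `# Fedora and RHEL < 9: legacy may still satisfy "iptables"; on RHEL 9+ only iptables-nft provides it`.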
@@ -109,18 +138,21 @@ This package provides the services iptables and ip6tables that have been split out of the base package since they are not active by default anymore. %package utils -Summary: iptables and ip6tables services for iptables +Summary: iptables and ip6tables misc utilities Requires: %{name} = %{version}-%{release} %description utils Utils for iptables This package provides nfnl_osf with the pf.os database and nfbpf_compile, -a bytecode generator for use with xt_bpf. +a bytecode generator for use with xt_bpf. Also included is iptables-apply, +a safer way to update iptables remotely. %package nft Summary: nftables compatibility for iptables, arptables and ebtables Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Requires(post): %{_sbindir}/update-alternatives +Requires(postun): %{_sbindir}/update-alternatives Obsoletes: iptables-compat < 1.6.2-4 Provides: arptables-helper Provides: iptables @@ -133,14 +165,6 @@ nftables compatibility for iptables, arptables and ebtables. %prep %autosetup -p1 -%if 0%{?bootstrap} -%{__mkdir} -p bootstrap_ver -pushd bootstrap_ver -%{__tar} --strip-components=1 -xf %{SOURCE7} -%{__patch} -p1 <%{SOURCE8} -popd -%endif - %build ./autogen.sh CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing " \ 
@@ -154,43 +178,10 @@ rm -f include/linux/types.h %make_build -%if 0%{?bootstrap} -pushd bootstrap_ver -./autogen.sh -CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing " \ -%configure --enable-devel --enable-bpf-compiler --with-kernel=/usr --with-kbuild=/usr --with-ksource=/usr - -# do not use rpath -sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool -sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool - -rm -f include/linux/types.h - -%make_build -popd -%endif - %install -%if 0%{?bootstrap} -%make_install -C bootstrap_ver -%{_bindir}/find %{buildroot} -xtype f -not \ - -name 'libip*tc.so.%{iptc_so_ver_old}*' -delete -print -%{_bindir}/find %{buildroot} -type l -not \ - -name 'libip*tc.so.%{iptc_so_ver_old}*' -delete -print -%endif - %make_install # remove la file(s) -rm -f %{buildroot}/%{_libdir}/*.la - -# install ip*tables.h header files -install -m 644 include/ip*tables.h %{buildroot}%{_includedir}/ -install -d -m 755 %{buildroot}%{_includedir}/iptables -install -m 644 include/iptables/internal.h %{buildroot}%{_includedir}/iptables/ - -# install ipulog header file -install -d -m 755 %{buildroot}%{_includedir}/libipulog/ -install -m 644 include/libipulog/*.h %{buildroot}%{_includedir}/libipulog/ +rm -f %{buildroot}%{_libdir}/*.la # install init scripts and configuration files install -d -m 755 %{buildroot}%{script_path} @@ -230,10 +221,8 @@ chmod 755 %{buildroot}/%{legacy_actions}/iptables/panic sed -e 's;iptables.init;ip6tables.init;g' -e 's;IPTABLES;IP6TABLES;g' < %{buildroot}/%{legacy_actions}/iptables/panic > ip6tabes.panic-legacy install -c -m 755 ip6tabes.panic-legacy %{buildroot}/%{legacy_actions}/ip6tables/panic -%if 0%{?fedora} > 24 # Remove /etc/ethertypes (now part of setup) rm -f %{buildroot}%{_sysconfdir}/ethertypes -%endif install -p -D -m 755 %{SOURCE6} %{buildroot}%{_libexecdir}/ touch %{buildroot}%{_libexecdir}/arptables-helper 
@@ -246,7 +235,7 @@ touch %{buildroot}%{_mandir}/man8/ebtables.8
 %ldconfig_scriptlets
-%post
+%post legacy
 pfx=%{_sbindir}/iptables
 pfx6=%{_sbindir}/ip6tables
 %{_sbindir}/update-alternatives --install \
@@ -257,12 +246,35 @@ pfx6=%{_sbindir}/ip6tables --slave $pfx6-restore ip6tables-restore $pfx6-legacy-restore \ --slave $pfx6-save ip6tables-save $pfx6-legacy-save -%postun +%postun legacy if [ $1 -eq 0 ]; then %{_sbindir}/update-alternatives --remove \ iptables %{_sbindir}/iptables-legacy fi +# iptables-1.8.0-1 introduced the use of alternatives +# when upgrading, its %postun script runs due to the package renaming +# fix this by repeating the install into alternatives +# also keep the old alternatives configuration to not change the system +%triggerun legacy -- iptables > 1.8.0 +alternatives --list | awk '/^iptables/{print $3; exit}' \ + >/var/tmp/alternatives.iptables.current +cp /var/lib/alternatives/iptables /var/tmp/alternatives.iptables.setup + +%triggerpostun legacy -- iptables > 1.8.0 +pfx=%{_sbindir}/iptables +pfx6=%{_sbindir}/ip6tables +%{_sbindir}/update-alternatives --install \ + $pfx iptables $pfx-legacy 10 \ + --slave $pfx6 ip6tables $pfx6-legacy \ + --slave $pfx-restore iptables-restore $pfx-legacy-restore \ + --slave $pfx-save iptables-save $pfx-legacy-save \ + --slave $pfx6-restore ip6tables-restore $pfx6-legacy-restore \ + --slave $pfx6-save ip6tables-save $pfx6-legacy-save +alternatives --set iptables $( - 1.8.7-6 +- Restore alternatives configuration after upgrade +- Fix license location + +* Tue Mar 23 2021 Phil Sutter - 1.8.7-5 +- Fix upgrade path with package rename +- Add missing dependencies to iptables-nft package + +* Tue Feb 16 2021 Phil Sutter - 1.8.7-4 +- Drop bootstrap code again +- Drop workarounds for F24 and lower +- Fix iptables-utils summary +- Ship iptables-apply with iptables-utils +- Reduce files sections by use of globbing +- Ship common man pages with iptables-libs +- Ship *-translate man pages with iptables-nft +- Move legacy iptables binaries, libraries and headers into sub-packages +- Introduce compat sub-package to help with above transitions +- Drop libipulog header from devel package, this belongs to libnetfilter_log 
+- Do not ship internal headers in devel package + * Thu Jan 28 2021 Phil Sutter - 1.8.7-3 - ebtables: Exit gracefully on invalid table names
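Review bot: `%triggerun legacy` saves state as root under fixed names in world-writable /var/tmp (`/var/tmp/alternatives.iptables.current` and `/var/tmp/alternatives.iptables.setup`). Any local user can pre-create those paths before the upgrade and, depending on the kernel's `fs.protected_symlinks` / `fs.protected_regular` settings, redirect root's write or control the content that `%triggerpostun legacy` later consumes. The tail of that scriptlet is cut off on this page inside `alternatives --set iptables $(`, so the read-back is inferred rather than visible. State shared between scriptlets belongs in a root-only directory, for example `>%{_localstatedir}/lib/rpm-state/alternatives.iptables.current` and `cp /var/lib/alternatives/iptables %{_localstatedir}/lib/rpm-state/alternatives.iptables.setup`, with the value quoted when it is read back and both files removed once the configuration is restored.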