iptables-1.8.7-6

This patch combines changes from f34 since iptables-1.8.7-3: - Spec file cleanup - Restore alternatives configuration after upgrade - Fix license location - Fix upgrade path with package rename - Add missing dependencies to iptables-nft package - Drop bootstrap code again - Drop workarounds for F24 and lower - Fix iptables-utils summary - Ship iptables-apply with iptables-utils - Reduce files sections by use of globbing - Ship common man pages with iptables-libs - Ship *-translate man pages with iptables-nft - Move legacy iptables binaries, libraries and headers into sub-packages - Introduce compat sub-package to help with above transitions - Drop libipulog header from devel package, this belongs to libnetfilter_log - Do not ship internal headers in devel package Resolves: RHBZ#1927721
2021-01-30 22:59:17 +01:00 · 2021-01-30 22:59:17 +01:00 · 6e213cbdf7
parent b95090f5f5
commit 6e213cbdf7
1 changed files with 140 additions and 147 deletions
--- a/iptables.spec
+++ b/iptables.spec
@ -4,22 +4,14 @@
 # service legacy actions (RHBZ#748134)
 %global legacy_actions %{_libexecdir}/initscripts/legacy-actions
 # Bootstrap mode providing old and new versions of libip{4,6}tc in parallel
 %global bootstrap 0
 %if 0%{?bootstrap}
 %global version_old      1.8.2
 %global iptc_so_ver_old  0
 %global ipXtc_so_ver_old 0
 %endif
 %global iptc_so_ver  0
 %global ipXtc_so_ver 2
 Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities
-URL: http://www.netfilter.org/projects/iptables
+URL: https://www.netfilter.org/projects/iptables
 Version: 1.8.7
-Release: 3%{?dist}
+Release: 6%{?dist}
 Source: %{url}/files/%{name}-%{version}.tar.bz2
 Source1: iptables.init
 Source2: iptables-config
@ -27,10 +19,6 @@ Source3: iptables.service
 Source4: sysconfig_iptables
 Source5: sysconfig_ip6tables
 Source6: arptables-nft-helper
 %if 0%{?bootstrap}
 Source7: %{url}/files/%{name}-%{version_old}.tar.bz2
 Source8: 0002-extensions-format-security-fixes-in-libip-6-t_icmp.patch
 %endif
 Patch1: 0001-ebtables-Exit-gracefully-on-invalid-table-names.patch
@ -57,22 +45,54 @@ BuildRequires: autoconf
 BuildRequires: automake
 BuildRequires: libtool
 BuildRequires: make
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 %if 0%{?fedora} > 24
 Conflicts: setup < 2.10.4-1
 %endif
 Requires(post): %{_sbindir}/update-alternatives
 Requires(postun): %{_sbindir}/update-alternatives
 %description
 The iptables utility controls the network packet filtering code in the
 Linux kernel. If you need to set up firewalls and/or IP masquerading,
 you should install this package.
 %package compat
 Summary: Temporary transitioning package
 Obsoletes: %{name} < 1.8.7-4
 Requires: %{name}-legacy = %{version}-%{release}
 Requires: %{name}-utils = %{version}-%{release}
 %description compat
 This package only exists to help transition iptables users to the new
 package split. It will be removed after one distribution release cycle, please
 do not reference it or depend on it in any way.
 %package legacy
 Summary: Legacy tools for managing Linux kernel packet filtering capabilities
 Requires: %{name}-legacy-libs%{?_isa} = %{version}-%{release}
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 Conflicts: setup < 2.10.4-1
 Requires(post): %{_sbindir}/update-alternatives
 Requires(postun): %{_sbindir}/update-alternatives
 %if 0%{?rhel} < 9
 Provides:	iptables
 %endif
 %description legacy
 The iptables utility controls the network packet filtering code in the
 Linux kernel. This package contains the legacy tools which are obsoleted by
 nft-variants in iptables-nft package for backwards compatibility reasons.
 If you need to set up firewalls and/or IP masquerading, you should not install
 this package but either nftables or iptables-nft instead.
 %package libs
-Summary: iptables libraries
+Summary: libxtables and iptables extensions userspace support
 %description libs
 libxtables and associated shared object files
 Libxtables provides unified access to iptables extensions in userspace. Data
 and logic for those is kept in per-extension shared object files.
 %package legacy-libs
 Summary: iptables legacy libraries
 %description legacy-libs
 iptables libraries.
 Please remember that libip*tc libraries do neither have a stable API nor a real so version.
@ -81,14 +101,23 @@ For more information about this, please have a look at
  http://www.netfilter.org/documentation/FAQ/netfilter-faq-4.html#ss4.5
 %package devel
 Summary: Development package for iptables
-Requires: %{name}%{?_isa} = %{version}-%{release}
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 # XXX: Drop this after two releases or so
 Requires: %{name}-legacy-devel%{?_isa} = %{version}-%{release}
 Requires: pkgconfig
 %description devel
-iptables development headers and libraries.
+libxtables development headers and pkgconfig files
 %package legacy-devel
 Summary: Development package for legacy iptables
 Requires: %{name}-legacy-libs%{?_isa} = %{version}-%{release}
 Requires: pkgconfig
 %description legacy-devel
 Legacy iptables development headers and pkgconfig files
 The iptc libraries are marked as not public by upstream. The interface is not
 stable and may change with every new version. It is therefore unsupported.
@ -109,18 +138,21 @@ This package provides the services iptables and ip6tables that have been split
 out of the base package since they are not active by default anymore.
 %package utils
-Summary: iptables and ip6tables services for iptables
+Summary: iptables and ip6tables misc utilities
 Requires: %{name} = %{version}-%{release}
 %description utils
 Utils for iptables
 This package provides nfnl_osf with the pf.os database and nfbpf_compile,
-a bytecode generator for use with xt_bpf.
+a bytecode generator for use with xt_bpf. Also included is iptables-apply,
 a safer way to update iptables remotely.
 %package nft
 Summary: nftables compatibility for iptables, arptables and ebtables
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 Requires(post): %{_sbindir}/update-alternatives
 Requires(postun): %{_sbindir}/update-alternatives
 Obsoletes: iptables-compat < 1.6.2-4
 Provides: arptables-helper
 Provides: iptables
@ -133,14 +165,6 @@ nftables compatibility for iptables, arptables and ebtables.
 %prep
 %autosetup -p1
 %if 0%{?bootstrap}
 %{__mkdir} -p bootstrap_ver
 pushd bootstrap_ver
 %{__tar} --strip-components=1 -xf %{SOURCE7}
 %{__patch} -p1 <%{SOURCE8}
 popd
 %endif
 %build
 ./autogen.sh
 CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing " \
@ -154,43 +178,10 @@ rm -f include/linux/types.h
 %make_build
 %if 0%{?bootstrap}
 pushd bootstrap_ver
 ./autogen.sh
 CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing " \
 %configure --enable-devel --enable-bpf-compiler --with-kernel=/usr --with-kbuild=/usr --with-ksource=/usr
 # do not use rpath
 sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool
 sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
 rm -f include/linux/types.h
 %make_build
 popd
 %endif
 %install
 %if 0%{?bootstrap}
 %make_install -C bootstrap_ver
 %{_bindir}/find %{buildroot} -xtype f -not \
 	-name 'libip*tc.so.%{iptc_so_ver_old}*' -delete -print
 %{_bindir}/find %{buildroot} -type l -not \
 	-name 'libip*tc.so.%{iptc_so_ver_old}*' -delete -print
 %endif
 %make_install
 # remove la file(s)
-rm -f %{buildroot}/%{_libdir}/*.la
+rm -f %{buildroot}%{_libdir}/*.la
 # install ip*tables.h header files
 install -m 644 include/ip*tables.h %{buildroot}%{_includedir}/
 install -d -m 755 %{buildroot}%{_includedir}/iptables
 install -m 644 include/iptables/internal.h %{buildroot}%{_includedir}/iptables/
 # install ipulog header file
 install -d -m 755 %{buildroot}%{_includedir}/libipulog/
 install -m 644 include/libipulog/*.h %{buildroot}%{_includedir}/libipulog/
 # install init scripts and configuration files
 install -d -m 755 %{buildroot}%{script_path}
@ -230,10 +221,8 @@ chmod 755 %{buildroot}/%{legacy_actions}/iptables/panic
 sed -e 's;iptables.init;ip6tables.init;g' -e 's;IPTABLES;IP6TABLES;g' < %{buildroot}/%{legacy_actions}/iptables/panic > ip6tabes.panic-legacy
 install -c -m 755 ip6tabes.panic-legacy %{buildroot}/%{legacy_actions}/ip6tables/panic
 %if 0%{?fedora} > 24
 # Remove /etc/ethertypes (now part of setup)
 rm -f %{buildroot}%{_sysconfdir}/ethertypes
 %endif
 install -p -D -m 755 %{SOURCE6} %{buildroot}%{_libexecdir}/
 touch %{buildroot}%{_libexecdir}/arptables-helper
@ -246,7 +235,7 @@ touch %{buildroot}%{_mandir}/man8/ebtables.8
 %ldconfig_scriptlets
-%post
+%post legacy
 pfx=%{_sbindir}/iptables
 pfx6=%{_sbindir}/ip6tables
 %{_sbindir}/update-alternatives --install \
@ -257,12 +246,35 @@ pfx6=%{_sbindir}/ip6tables
 	--slave $pfx6-restore ip6tables-restore $pfx6-legacy-restore \
 	--slave $pfx6-save ip6tables-save $pfx6-legacy-save
-%postun
+%postun legacy
 if [ $1 -eq 0 ]; then
 	%{_sbindir}/update-alternatives --remove \
 		iptables %{_sbindir}/iptables-legacy
 fi
 # iptables-1.8.0-1 introduced the use of alternatives
 # when upgrading, its %postun script runs due to the package renaming
 # fix this by repeating the install into alternatives
 # also keep the old alternatives configuration to not change the system
 %triggerun legacy -- iptables > 1.8.0
 alternatives --list | awk '/^iptables/{print $3; exit}' \
 		>/var/tmp/alternatives.iptables.current
 cp /var/lib/alternatives/iptables /var/tmp/alternatives.iptables.setup
 %triggerpostun legacy -- iptables > 1.8.0
 pfx=%{_sbindir}/iptables
 pfx6=%{_sbindir}/ip6tables
 %{_sbindir}/update-alternatives --install \
 	$pfx iptables $pfx-legacy 10 \
 	--slave $pfx6 ip6tables $pfx6-legacy \
 	--slave $pfx-restore iptables-restore $pfx-legacy-restore \
 	--slave $pfx-save iptables-save $pfx-legacy-save \
 	--slave $pfx6-restore ip6tables-restore $pfx6-legacy-restore \
 	--slave $pfx6-save ip6tables-save $pfx6-legacy-save
 alternatives --set iptables $(</var/tmp/alternatives.iptables.current)
 rm /var/tmp/alternatives.iptables.current
 mv /var/tmp/alternatives.iptables.setup /var/lib/alternatives/iptables
 %post services
 %systemd_post iptables.service ip6tables.service
@ -331,120 +343,101 @@ if [ $1 -eq 0 ]; then
 	done
 fi
-%files
+%files compat
-%{!?_licensedir:%global license %%doc}
+
-%license COPYING
+%files legacy
 %doc INCOMPATIBILITIES
-%if 0%{?fedora} <= 24
+%{_sbindir}/ip{,6}tables-legacy*
 %{_sysconfdir}/ethertypes
 %endif
 %{_sbindir}/iptables-apply
 %{_sbindir}/ip6tables-apply
 %{_sbindir}/iptables-legacy*
 %{_sbindir}/ip6tables-legacy*
 %{_sbindir}/xtables-legacy-multi
 %{_bindir}/iptables-xml
 %{_mandir}/man1/iptables-xml*
 %{_mandir}/man8/iptables*
 %{_mandir}/man8/ip6tables*
 %{_mandir}/man8/xtables-legacy*
-%ghost %{_sbindir}/iptables
+%ghost %{_sbindir}/ip{,6}tables{,-save,-restore}
 %ghost %{_sbindir}/iptables-restore
 %ghost %{_sbindir}/iptables-save
 %ghost %{_sbindir}/ip6tables
 %ghost %{_sbindir}/ip6tables-restore
 %ghost %{_sbindir}/ip6tables-save
 %files libs
-%{_libdir}/libip{4,6}tc.so.%{ipXtc_so_ver}*
+%license COPYING
 %if 0%{?bootstrap}
 %{_libdir}/libiptc.so.%{iptc_so_ver_old}*
 %{_libdir}/libip{4,6}tc.so.%{ipXtc_so_ver_old}*
 %endif
 %{_libdir}/libxtables.so.12*
 %dir %{_libdir}/xtables
-%{_libdir}/xtables/libipt*
+%{_libdir}/xtables/lib{ip,ip6,x}t*
-%{_libdir}/xtables/libip6t*
+%{_mandir}/man8/ip{,6}tables.8.gz
-%{_libdir}/xtables/libxt*
+%{_mandir}/man8/ip{,6}tables-{extensions,save,restore}.8.gz
 %files legacy-libs
 %license COPYING
 %{_libdir}/libip{4,6}tc.so.%{ipXtc_so_ver}*
 %files devel
-%dir %{_includedir}/iptables
+%{_includedir}/xtables{,-version}.h
-%{_includedir}/iptables/*.h
+%{_libdir}/libxtables.so
-%{_includedir}/*.h
+%{_libdir}/pkgconfig/xtables.pc
 %files legacy-devel
 %dir %{_includedir}/libiptc
 %{_includedir}/libiptc/*.h
 %dir %{_includedir}/libipulog
 %{_includedir}/libipulog/*.h
 %{_libdir}/libip*tc.so
-%{_libdir}/libxtables.so
+%{_libdir}/pkgconfig/libip{,4,6}tc.pc
 %{_libdir}/pkgconfig/libiptc.pc
 %{_libdir}/pkgconfig/libip4tc.pc
 %{_libdir}/pkgconfig/libip6tc.pc
 %{_libdir}/pkgconfig/xtables.pc
 %files services
 %dir %{script_path}
-%{script_path}/iptables.init
+%{script_path}/ip{,6}tables.init
-%{script_path}/ip6tables.init
+%config(noreplace) %{_sysconfdir}/sysconfig/ip{,6}tables{,-config}
-%config(noreplace) %{_sysconfdir}/sysconfig/iptables
+%{_unitdir}/ip{,6}tables.service
-%config(noreplace) %{_sysconfdir}/sysconfig/ip6tables
+%dir %{legacy_actions}/ip{,6}tables
-%config(noreplace) %{_sysconfdir}/sysconfig/iptables-config
+%{legacy_actions}/ip{,6}tables/{save,panic}
 %config(noreplace) %{_sysconfdir}/sysconfig/ip6tables-config
 %{_unitdir}/iptables.service
 %{_unitdir}/ip6tables.service
 %dir %{legacy_actions}/iptables
 %{legacy_actions}/iptables/save
 %{legacy_actions}/iptables/panic
 %dir %{legacy_actions}/ip6tables
 %{legacy_actions}/ip6tables/save
 %{legacy_actions}/ip6tables/panic
 %files utils
 %license COPYING
 %{_sbindir}/nfnl_osf
 %{_sbindir}/nfbpf_compile
 %{_sbindir}/ip{,6}tables-apply
 %dir %{_datadir}/xtables
 %{_datadir}/xtables/pf.os
 %{_mandir}/man8/nfnl_osf*
 %{_mandir}/man8/nfbpf_compile*
 %{_mandir}/man8/ip{,6}tables-apply*
 %files nft
-%{_sbindir}/iptables-nft*
+%{_sbindir}/ip{,6}tables-nft*
-%{_sbindir}/iptables-restore-translate
+%{_sbindir}/ip{,6}tables{,-restore}-translate
-%{_sbindir}/iptables-translate
+%{_sbindir}/{eb,arp}tables-nft*
 %{_sbindir}/ip6tables-nft*
 %{_sbindir}/ip6tables-restore-translate
 %{_sbindir}/ip6tables-translate
 %{_sbindir}/ebtables-nft*
 %{_sbindir}/arptables-nft*
 %{_sbindir}/xtables-nft-multi
 %{_sbindir}/xtables-monitor
 %dir %{_libdir}/xtables
-%{_libdir}/xtables/libarpt*
+%{_libdir}/xtables/lib{arp,eb}t*
 %{_libdir}/xtables/libebt*
 %{_libexecdir}/arptables-nft-helper
 %{_mandir}/man8/xtables-monitor*
 %{_mandir}/man8/xtables-translate*
 %{_mandir}/man8/*-nft*
-%ghost %{_sbindir}/iptables
+%{_mandir}/man8/ip{,6}tables{,-restore}-translate*
-%ghost %{_sbindir}/iptables-restore
+%ghost %{_sbindir}/ip{,6}tables{,-save,-restore}
-%ghost %{_sbindir}/iptables-save
+%ghost %{_sbindir}/{eb,arp}tables{,-save,-restore}
 %ghost %{_sbindir}/ip6tables
 %ghost %{_sbindir}/ip6tables-restore
 %ghost %{_sbindir}/ip6tables-save
 %ghost %{_sbindir}/ebtables
 %ghost %{_sbindir}/ebtables-save
 %ghost %{_sbindir}/ebtables-restore
 %ghost %{_sbindir}/arptables
 %ghost %{_sbindir}/arptables-save
 %ghost %{_sbindir}/arptables-restore
 %ghost %{_libexecdir}/arptables-helper
-%ghost %{_mandir}/man8/arptables.8.gz
+%ghost %{_mandir}/man8/arptables{,-save,-restore}.8.gz
 %ghost %{_mandir}/man8/arptables-save.8.gz
 %ghost %{_mandir}/man8/arptables-restore.8.gz
 %ghost %{_mandir}/man8/ebtables.8.gz
 %changelog
 * Tue Mar 23 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-6
 - Restore alternatives configuration after upgrade
 - Fix license location
 * Tue Mar 23 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-5
 - Fix upgrade path with package rename
 - Add missing dependencies to iptables-nft package
 * Tue Feb 16 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-4
 - Drop bootstrap code again
 - Drop workarounds for F24 and lower
 - Fix iptables-utils summary
 - Ship iptables-apply with iptables-utils
 - Reduce files sections by use of globbing
 - Ship common man pages with iptables-libs
 - Ship *-translate man pages with iptables-nft
 - Move legacy iptables binaries, libraries and headers into sub-packages
 - Introduce compat sub-package to help with above transitions
 - Drop libipulog header from devel package, this belongs to libnetfilter_log
 - Do not ship internal headers in devel package
 * Thu Jan 28 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-3
 - ebtables: Exit gracefully on invalid table names