iptables-1.8.7-6

This patch combines changes from f34 since iptables-1.8.7-3:

- Spec file cleanup
- Restore alternatives configuration after upgrade
- Fix license location
- Fix upgrade path with package rename
- Add missing dependencies to iptables-nft package
- Drop bootstrap code again
- Drop workarounds for F24 and lower
- Fix iptables-utils summary
- Ship iptables-apply with iptables-utils
- Reduce files sections by use of globbing
- Ship common man pages with iptables-libs
- Ship *-translate man pages with iptables-nft
- Move legacy iptables binaries, libraries and headers into sub-packages
- Introduce compat sub-package to help with above transitions
- Drop libipulog header from devel package, this belongs to libnetfilter_log
- Do not ship internal headers in devel package

Resolves: RHBZ#1927721
Robert Scheck 2021-01-30 22:59:17 +01:00 committed by Phil Sutter
parent b95090f5f5
commit 6e213cbdf7

@ -4,22 +4,14 @@
# service legacy actions (RHBZ#748134)
%global legacy_actions %{_libexecdir}/initscripts/legacy-actions
# Bootstrap mode providing old and new versions of libip{4,6}tc in parallel
%global bootstrap 0
%if 0%{?bootstrap}
%global version_old 1.8.2
%global iptc_so_ver_old 0
%global ipXtc_so_ver_old 0
%endif
%global iptc_so_ver 0
%global ipXtc_so_ver 2
Name: iptables
Summary: Tools for managing Linux kernel packet filtering capabilities
URL: http://www.netfilter.org/projects/iptables
URL: https://www.netfilter.org/projects/iptables
Version: 1.8.7
Release: 3%{?dist}
Release: 6%{?dist}
Source: %{url}/files/%{name}-%{version}.tar.bz2
Source1: iptables.init
Source2: iptables-config
@ -27,10 +19,6 @@ Source3: iptables.service
Source4: sysconfig_iptables
Source5: sysconfig_ip6tables
Source6: arptables-nft-helper
%if 0%{?bootstrap}
Source7: %{url}/files/%{name}-%{version_old}.tar.bz2
Source8: 0002-extensions-format-security-fixes-in-libip-6-t_icmp.patch
%endif
Patch1: 0001-ebtables-Exit-gracefully-on-invalid-table-names.patch
@ -57,22 +45,54 @@ BuildRequires: autoconf
BuildRequires: automake
BuildRequires: libtool
BuildRequires: make
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
%if 0%{?fedora} > 24
Conflicts: setup < 2.10.4-1
%endif
Requires(post): %{_sbindir}/update-alternatives
Requires(postun): %{_sbindir}/update-alternatives
%description
The iptables utility controls the network packet filtering code in the
Linux kernel. If you need to set up firewalls and/or IP masquerading,
you should install this package.
%package compat
Summary: Temporary transitioning package
Obsoletes: %{name} < 1.8.7-4
Requires: %{name}-legacy = %{version}-%{release}
Requires: %{name}-utils = %{version}-%{release}
%description compat
This package only exists to help transition iptables users to the new
package split. It will be removed after one distribution release cycle, please
do not reference it or depend on it in any way.
%package legacy
Summary: Legacy tools for managing Linux kernel packet filtering capabilities
Requires: %{name}-legacy-libs%{?_isa} = %{version}-%{release}
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Conflicts: setup < 2.10.4-1
Requires(post): %{_sbindir}/update-alternatives
Requires(postun): %{_sbindir}/update-alternatives
%if 0%{?rhel} < 9
Provides: iptables
%endif
%description legacy
The iptables utility controls the network packet filtering code in the
Linux kernel. This package contains the legacy tools which are obsoleted by
nft-variants in iptables-nft package for backwards compatibility reasons.
If you need to set up firewalls and/or IP masquerading, you should not install
this package but either nftables or iptables-nft instead.
%package libs
Summary: iptables libraries
Summary: libxtables and iptables extensions userspace support
%description libs
libxtables and associated shared object files
Libxtables provides unified access to iptables extensions in userspace. Data
and logic for those is kept in per-extension shared object files.
%package legacy-libs
Summary: iptables legacy libraries
%description legacy-libs
iptables libraries.
Please remember that libip*tc libraries do neither have a stable API nor a real so version.
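Review bot: In `%package legacy`, the guard `%if 0%{?rhel} < 9` around `Provides: iptables` is also true when `%{?rhel}` is undefined, because the expression then reduces to `0 < 9`, so the provide is emitted on Fedora builds as well as on RHEL below 9. If that is intended, a one-line comment above the `%if` saying so would help, since the condition reads as RHEL-only; if not, the guard needs an explicit check that `rhel` is defined. The same sub-package's description tells users not to install it, so it is worth stating in the spec why it still provides the `iptables` name.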
@ -81,14 +101,23 @@ For more information about this, please have a look at
http://www.netfilter.org/documentation/FAQ/netfilter-faq-4.html#ss4.5
%package devel
Summary: Development package for iptables
Requires: %{name}%{?_isa} = %{version}-%{release}
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
# XXX: Drop this after two releases or so
Requires: %{name}-legacy-devel%{?_isa} = %{version}-%{release}
Requires: pkgconfig
%description devel
iptables development headers and libraries.
libxtables development headers and pkgconfig files
%package legacy-devel
Summary: Development package for legacy iptables
Requires: %{name}-legacy-libs%{?_isa} = %{version}-%{release}
Requires: pkgconfig
%description legacy-devel
Legacy iptables development headers and pkgconfig files
The iptc libraries are marked as not public by upstream. The interface is not
stable and may change with every new version. It is therefore unsupported.
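Review bot: In `%package devel`, the `Requires: %{name}-legacy-devel%{?_isa} = %{version}-%{release}` under `# XXX: Drop this after two releases or so` has no concrete removal target, and it pulls the iptc headers that the `legacy-devel` description calls unsupported into every `iptables-devel` install. Suggest naming the release in which the dependency goes away (the `compat` description already commits to "one distribution release cycle") so the two transition aids can be removed together.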
@ -109,18 +138,21 @@ This package provides the services iptables and ip6tables that have been split
out of the base package since they are not active by default anymore.
%package utils
Summary: iptables and ip6tables services for iptables
Summary: iptables and ip6tables misc utilities
Requires: %{name} = %{version}-%{release}
%description utils
Utils for iptables
This package provides nfnl_osf with the pf.os database and nfbpf_compile,
a bytecode generator for use with xt_bpf.
a bytecode generator for use with xt_bpf. Also included is iptables-apply,
a safer way to update iptables remotely.
%package nft
Summary: nftables compatibility for iptables, arptables and ebtables
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Requires(post): %{_sbindir}/update-alternatives
Requires(postun): %{_sbindir}/update-alternatives
Obsoletes: iptables-compat < 1.6.2-4
Provides: arptables-helper
Provides: iptables
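Review bot: In `%package utils`, `Requires: %{name} = %{version}-%{release}` is a versioned dependency on the `iptables` name, while the `Provides: iptables` line in `%package nft` here (and the one in `%package legacy`) carries no version. Suggest `Provides: iptables = %{version}-%{release}` in both sub-packages, or pointing `utils` at `%{name}-libs%{?_isa}` as the other sub-packages do, so the requirement is tied to the same build.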
@ -133,14 +165,6 @@ nftables compatibility for iptables, arptables and ebtables.
%prep
%autosetup -p1
%if 0%{?bootstrap}
%{__mkdir} -p bootstrap_ver
pushd bootstrap_ver
%{__tar} --strip-components=1 -xf %{SOURCE7}
%{__patch} -p1 <%{SOURCE8}
popd
%endif
%build
./autogen.sh
CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing " \
@ -154,43 +178,10 @@ rm -f include/linux/types.h
%make_build
%if 0%{?bootstrap}
pushd bootstrap_ver
./autogen.sh
CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing " \
%configure --enable-devel --enable-bpf-compiler --with-kernel=/usr --with-kbuild=/usr --with-ksource=/usr
# do not use rpath
sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool
sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
rm -f include/linux/types.h
%make_build
popd
%endif
%install
%if 0%{?bootstrap}
%make_install -C bootstrap_ver
%{_bindir}/find %{buildroot} -xtype f -not \
-name 'libip*tc.so.%{iptc_so_ver_old}*' -delete -print
%{_bindir}/find %{buildroot} -type l -not \
-name 'libip*tc.so.%{iptc_so_ver_old}*' -delete -print
%endif
%make_install
# remove la file(s)
rm -f %{buildroot}/%{_libdir}/*.la
# install ip*tables.h header files
install -m 644 include/ip*tables.h %{buildroot}%{_includedir}/
install -d -m 755 %{buildroot}%{_includedir}/iptables
install -m 644 include/iptables/internal.h %{buildroot}%{_includedir}/iptables/
# install ipulog header file
install -d -m 755 %{buildroot}%{_includedir}/libipulog/
install -m 644 include/libipulog/*.h %{buildroot}%{_includedir}/libipulog/
rm -f %{buildroot}%{_libdir}/*.la
# install init scripts and configuration files
install -d -m 755 %{buildroot}%{script_path}
@ -230,10 +221,8 @@ chmod 755 %{buildroot}/%{legacy_actions}/iptables/panic
sed -e 's;iptables.init;ip6tables.init;g' -e 's;IPTABLES;IP6TABLES;g' < %{buildroot}/%{legacy_actions}/iptables/panic > ip6tabes.panic-legacy
install -c -m 755 ip6tabes.panic-legacy %{buildroot}/%{legacy_actions}/ip6tables/panic
%if 0%{?fedora} > 24
# Remove /etc/ethertypes (now part of setup)
rm -f %{buildroot}%{_sysconfdir}/ethertypes
%endif
install -p -D -m 755 %{SOURCE6} %{buildroot}%{_libexecdir}/
touch %{buildroot}%{_libexecdir}/arptables-helper
@ -246,7 +235,7 @@ touch %{buildroot}%{_mandir}/man8/ebtables.8
%ldconfig_scriptlets
%post
%post legacy
pfx=%{_sbindir}/iptables
pfx6=%{_sbindir}/ip6tables
%{_sbindir}/update-alternatives --install \
@ -257,12 +246,35 @@ pfx6=%{_sbindir}/ip6tables
--slave $pfx6-restore ip6tables-restore $pfx6-legacy-restore \
--slave $pfx6-save ip6tables-save $pfx6-legacy-save
%postun
%postun legacy
if [ $1 -eq 0 ]; then
%{_sbindir}/update-alternatives --remove \
iptables %{_sbindir}/iptables-legacy
fi
# iptables-1.8.0-1 introduced the use of alternatives
# when upgrading, its %postun script runs due to the package renaming
# fix this by repeating the install into alternatives
# also keep the old alternatives configuration to not change the system
%triggerun legacy -- iptables > 1.8.0
alternatives --list | awk '/^iptables/{print $3; exit}' \
>/var/tmp/alternatives.iptables.current
cp /var/lib/alternatives/iptables /var/tmp/alternatives.iptables.setup
%triggerpostun legacy -- iptables > 1.8.0
pfx=%{_sbindir}/iptables
pfx6=%{_sbindir}/ip6tables
%{_sbindir}/update-alternatives --install \
$pfx iptables $pfx-legacy 10 \
--slave $pfx6 ip6tables $pfx6-legacy \
--slave $pfx-restore iptables-restore $pfx-legacy-restore \
--slave $pfx-save iptables-save $pfx-legacy-save \
--slave $pfx6-restore ip6tables-restore $pfx6-legacy-restore \
--slave $pfx6-save ip6tables-save $pfx6-legacy-save
alternatives --set iptables $(</var/tmp/alternatives.iptables.current)
rm /var/tmp/alternatives.iptables.current
mv /var/tmp/alternatives.iptables.setup /var/lib/alternatives/iptables
%post services
%systemd_post iptables.service ip6tables.service
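Review bot: The `%triggerun legacy` and `%triggerpostun legacy` scriptlets keep their state in fixed file names under `/var/tmp` (`alternatives.iptables.current` and `alternatives.iptables.setup`), which is a world-writable directory, while running as root. A file or symlink that already exists at either path is followed by the `>` redirect and by `cp`, and whatever sits at `alternatives.iptables.setup` is later moved over `/var/lib/alternatives/iptables`. Suggest storing this state in a root-only location, for example a directory under `%{_localstatedir}/lib/rpm-state/`. Separately, `alternatives --set iptables $(</var/tmp/alternatives.iptables.current)` runs without an argument when the saved file is empty, and `cp`/`mv` are unguarded against a missing source file, so a `[ -s ... ]` check before restoring would keep the trigger from failing halfway; calling `%{_sbindir}/update-alternatives` here, as the `--install` line does, would also avoid relying on `PATH`.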
@ -331,120 +343,101 @@ if [ $1 -eq 0 ]; then
done
fi
%files
%{!?_licensedir:%global license %%doc}
%license COPYING
%files compat
%files legacy
%doc INCOMPATIBILITIES
%if 0%{?fedora} <= 24
%{_sysconfdir}/ethertypes
%endif
%{_sbindir}/iptables-apply
%{_sbindir}/ip6tables-apply
%{_sbindir}/iptables-legacy*
%{_sbindir}/ip6tables-legacy*
%{_sbindir}/ip{,6}tables-legacy*
%{_sbindir}/xtables-legacy-multi
%{_bindir}/iptables-xml
%{_mandir}/man1/iptables-xml*
%{_mandir}/man8/iptables*
%{_mandir}/man8/ip6tables*
%{_mandir}/man8/xtables-legacy*
%ghost %{_sbindir}/iptables
%ghost %{_sbindir}/iptables-restore
%ghost %{_sbindir}/iptables-save
%ghost %{_sbindir}/ip6tables
%ghost %{_sbindir}/ip6tables-restore
%ghost %{_sbindir}/ip6tables-save
%ghost %{_sbindir}/ip{,6}tables{,-save,-restore}
%files libs
%{_libdir}/libip{4,6}tc.so.%{ipXtc_so_ver}*
%if 0%{?bootstrap}
%{_libdir}/libiptc.so.%{iptc_so_ver_old}*
%{_libdir}/libip{4,6}tc.so.%{ipXtc_so_ver_old}*
%endif
%license COPYING
%{_libdir}/libxtables.so.12*
%dir %{_libdir}/xtables
%{_libdir}/xtables/libipt*
%{_libdir}/xtables/libip6t*
%{_libdir}/xtables/libxt*
%{_libdir}/xtables/lib{ip,ip6,x}t*
%{_mandir}/man8/ip{,6}tables.8.gz
%{_mandir}/man8/ip{,6}tables-{extensions,save,restore}.8.gz
%files legacy-libs
%license COPYING
%{_libdir}/libip{4,6}tc.so.%{ipXtc_so_ver}*
%files devel
%dir %{_includedir}/iptables
%{_includedir}/iptables/*.h
%{_includedir}/*.h
%{_includedir}/xtables{,-version}.h
%{_libdir}/libxtables.so
%{_libdir}/pkgconfig/xtables.pc
%files legacy-devel
%dir %{_includedir}/libiptc
%{_includedir}/libiptc/*.h
%dir %{_includedir}/libipulog
%{_includedir}/libipulog/*.h
%{_libdir}/libip*tc.so
%{_libdir}/libxtables.so
%{_libdir}/pkgconfig/libiptc.pc
%{_libdir}/pkgconfig/libip4tc.pc
%{_libdir}/pkgconfig/libip6tc.pc
%{_libdir}/pkgconfig/xtables.pc
%{_libdir}/pkgconfig/libip{,4,6}tc.pc
%files services
%dir %{script_path}
%{script_path}/iptables.init
%{script_path}/ip6tables.init
%config(noreplace) %{_sysconfdir}/sysconfig/iptables
%config(noreplace) %{_sysconfdir}/sysconfig/ip6tables
%config(noreplace) %{_sysconfdir}/sysconfig/iptables-config
%config(noreplace) %{_sysconfdir}/sysconfig/ip6tables-config
%{_unitdir}/iptables.service
%{_unitdir}/ip6tables.service
%dir %{legacy_actions}/iptables
%{legacy_actions}/iptables/save
%{legacy_actions}/iptables/panic
%dir %{legacy_actions}/ip6tables
%{legacy_actions}/ip6tables/save
%{legacy_actions}/ip6tables/panic
%{script_path}/ip{,6}tables.init
%config(noreplace) %{_sysconfdir}/sysconfig/ip{,6}tables{,-config}
%{_unitdir}/ip{,6}tables.service
%dir %{legacy_actions}/ip{,6}tables
%{legacy_actions}/ip{,6}tables/{save,panic}
%files utils
%license COPYING
%{_sbindir}/nfnl_osf
%{_sbindir}/nfbpf_compile
%{_sbindir}/ip{,6}tables-apply
%dir %{_datadir}/xtables
%{_datadir}/xtables/pf.os
%{_mandir}/man8/nfnl_osf*
%{_mandir}/man8/nfbpf_compile*
%{_mandir}/man8/ip{,6}tables-apply*
%files nft
%{_sbindir}/iptables-nft*
%{_sbindir}/iptables-restore-translate
%{_sbindir}/iptables-translate
%{_sbindir}/ip6tables-nft*
%{_sbindir}/ip6tables-restore-translate
%{_sbindir}/ip6tables-translate
%{_sbindir}/ebtables-nft*
%{_sbindir}/arptables-nft*
%{_sbindir}/ip{,6}tables-nft*
%{_sbindir}/ip{,6}tables{,-restore}-translate
%{_sbindir}/{eb,arp}tables-nft*
%{_sbindir}/xtables-nft-multi
%{_sbindir}/xtables-monitor
%dir %{_libdir}/xtables
%{_libdir}/xtables/libarpt*
%{_libdir}/xtables/libebt*
%{_libdir}/xtables/lib{arp,eb}t*
%{_libexecdir}/arptables-nft-helper
%{_mandir}/man8/xtables-monitor*
%{_mandir}/man8/xtables-translate*
%{_mandir}/man8/*-nft*
%ghost %{_sbindir}/iptables
%ghost %{_sbindir}/iptables-restore
%ghost %{_sbindir}/iptables-save
%ghost %{_sbindir}/ip6tables
%ghost %{_sbindir}/ip6tables-restore
%ghost %{_sbindir}/ip6tables-save
%ghost %{_sbindir}/ebtables
%ghost %{_sbindir}/ebtables-save
%ghost %{_sbindir}/ebtables-restore
%ghost %{_sbindir}/arptables
%ghost %{_sbindir}/arptables-save
%ghost %{_sbindir}/arptables-restore
%{_mandir}/man8/ip{,6}tables{,-restore}-translate*
%ghost %{_sbindir}/ip{,6}tables{,-save,-restore}
%ghost %{_sbindir}/{eb,arp}tables{,-save,-restore}
%ghost %{_libexecdir}/arptables-helper
%ghost %{_mandir}/man8/arptables.8.gz
%ghost %{_mandir}/man8/arptables-save.8.gz
%ghost %{_mandir}/man8/arptables-restore.8.gz
%ghost %{_mandir}/man8/arptables{,-save,-restore}.8.gz
%ghost %{_mandir}/man8/ebtables.8.gz
%changelog
* Tue Mar 23 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-6
- Restore alternatives configuration after upgrade
- Fix license location
* Tue Mar 23 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-5
- Fix upgrade path with package rename
- Add missing dependencies to iptables-nft package
* Tue Feb 16 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-4
- Drop bootstrap code again
- Drop workarounds for F24 and lower
- Fix iptables-utils summary
- Ship iptables-apply with iptables-utils
- Reduce files sections by use of globbing
- Ship common man pages with iptables-libs
- Ship *-translate man pages with iptables-nft
- Move legacy iptables binaries, libraries and headers into sub-packages
- Introduce compat sub-package to help with above transitions
- Drop libipulog header from devel package, this belongs to libnetfilter_log
- Do not ship internal headers in devel package
* Thu Jan 28 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-3
- ebtables: Exit gracefully on invalid table names
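Review bot: In `%files libs`, the entries `%{_mandir}/man8/ip{,6}tables.8.gz` and `%{_mandir}/man8/ip{,6}tables-{extensions,save,restore}.8.gz` hardcode the `.gz` suffix, while the other man page entries in these sections end in a glob (for example `%{_mandir}/man8/ip{,6}tables-apply*`). Suggest `.8*` so the file list does not depend on how the build compresses man pages. The empty `%files compat` section would also benefit from a short comment that it is intentionally empty, since it sits directly above `%files legacy` and is easy to misread as a leftover.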