- new version 1.4.0

- fixed condrestart (rhbz#428148)
- report the module in rmmod_r if there is an error

.cvsignore

@@ -1 +1,2 @@
 iptables-1.3.8.tar.bz2
+iptables-1.4.0.tar.bz2

iptables-1.3.8-cloexec.patch

@@ -1,30 +0,0 @@
-diff -up iptables-1.3.8/ip6tables.c.cloexec iptables-1.3.8/ip6tables.c
---- iptables-1.3.8/ip6tables.c.cloexec	2007-10-02 13:42:23.000000000 +0200
-+++ iptables-1.3.8/ip6tables.c	2007-10-02 13:42:54.000000000 +0200
-@@ -1121,6 +1121,11 @@ static int compatible_revision(const cha
- 			strerror(errno));
- 		exit(1);
- 	}
-+	if (fcntl(sockfd, F_SETFD, FD_CLOEXEC) == -1) {
-+		fprintf(stderr, "Could not set close on exec: %s\n",
-+			strerror(errno));
-+		exit(1);
-+	}
- 
- 	strcpy(rev.name, name);
- 	rev.revision = revision;
-diff -up iptables-1.3.8/iptables.c.cloexec iptables-1.3.8/iptables.c
---- iptables-1.3.8/iptables.c.cloexec	2007-10-02 13:42:09.000000000 +0200
-+++ iptables-1.3.8/iptables.c	2007-10-02 13:42:25.000000000 +0200
-@@ -1149,6 +1149,11 @@ static int compatible_revision(const cha
- 			strerror(errno));
- 		exit(1);
- 	}
-+	if (fcntl(sockfd, F_SETFD, FD_CLOEXEC) == -1) {
-+		fprintf(stderr, "Could not set close on exec: %s\n",
-+			strerror(errno));
-+		exit(1);
-+	}
- 
- 	load_iptables_ko(modprobe, 1);
- 

iptables-1.3.8-headers.patch

@@ -1,49 +0,0 @@
-diff -up iptables-1.3.8/extensions/.frag-test6.headers iptables-1.3.8/extensions/.frag-test6
---- iptables-1.3.8/extensions/.frag-test6.headers	2007-08-23 14:05:44.000000000 +0200
-+++ iptables-1.3.8/extensions/.frag-test6	2007-08-23 15:51:17.000000000 +0200
-@@ -1,2 +1,2 @@
- #!/bin/sh
--[ -f $KERNEL_DIR/net/ipv6/netfilter/ip6t_frag.c -a -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_frag.h ] && echo frag
-+[ -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_frag.h ] && echo frag
-diff -up iptables-1.3.8/extensions/.CLUSTERIP-test.headers iptables-1.3.8/extensions/.CLUSTERIP-test
---- iptables-1.3.8/extensions/.CLUSTERIP-test.headers	2007-08-23 15:43:36.000000000 +0200
-+++ iptables-1.3.8/extensions/.CLUSTERIP-test	2007-08-23 15:45:32.000000000 +0200
-@@ -1,2 +1,2 @@
- #! /bin/sh
--[ -f $KERNEL_DIR/net/ipv4/netfilter/ipt_CLUSTERIP.c ] && echo CLUSTERIP
-+[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_CLUSTERIP.h ] && echo CLUSTERIP
-diff -up iptables-1.3.8/extensions/.statistic-test.headers iptables-1.3.8/extensions/.statistic-test
---- iptables-1.3.8/extensions/.statistic-test.headers	2007-08-23 15:46:20.000000000 +0200
-+++ iptables-1.3.8/extensions/.statistic-test	2007-08-23 15:46:22.000000000 +0200
-@@ -1,2 +1,2 @@
- #!/bin/sh
--[ -f $KERNEL_DIR/net/netfilter/xt_statistic.c -a -f $KERNEL_DIR/include/linux/netfilter/xt_statistic.h ] && echo statistic
-+[ -f $KERNEL_DIR/include/linux/netfilter/xt_statistic.h ] && echo statistic
-diff -up iptables-1.3.8/extensions/.ah-test6.headers iptables-1.3.8/extensions/.ah-test6
---- iptables-1.3.8/extensions/.ah-test6.headers	2007-08-23 15:52:48.000000000 +0200
-+++ iptables-1.3.8/extensions/.ah-test6	2007-08-23 15:52:49.000000000 +0200
-@@ -1,2 +1,2 @@
- #!/bin/sh
--[ -f $KERNEL_DIR/net/ipv6/netfilter/ip6t_ah.c -a -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_ah.h ] && echo ah
-+[ -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_ah.h ] && echo ah
-diff -up iptables-1.3.8/extensions/.opts-test6.headers iptables-1.3.8/extensions/.opts-test6
---- iptables-1.3.8/extensions/.opts-test6.headers	2007-08-23 15:49:16.000000000 +0200
-+++ iptables-1.3.8/extensions/.opts-test6	2007-08-23 15:49:19.000000000 +0200
-@@ -1,2 +1,2 @@
- #!/bin/sh
--[ -f $KERNEL_DIR/net/ipv6/netfilter/ip6t_hbh.c -a -f $KERNEL_DIR/net/ipv6/netfilter/ip6t_dst.c -a -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_opts.h ] && echo hbh dst
-+[ -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_opts.h ] && echo hbh dst
-diff -up iptables-1.3.8/extensions/.ipv6header-test6.headers iptables-1.3.8/extensions/.ipv6header-test6
---- iptables-1.3.8/extensions/.ipv6header-test6.headers	2007-08-23 14:05:45.000000000 +0200
-+++ iptables-1.3.8/extensions/.ipv6header-test6	2007-08-23 15:50:26.000000000 +0200
-@@ -1,2 +1,2 @@
- #!/bin/sh
--[ -f $KERNEL_DIR/net/ipv6/netfilter/ip6t_ipv6header.c -a -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_ipv6header.h ] && echo ipv6header
-+[ -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_ipv6header.h ] && echo ipv6header
-diff -up iptables-1.3.8/extensions/.rt-test6.headers iptables-1.3.8/extensions/.rt-test6
---- iptables-1.3.8/extensions/.rt-test6.headers	2007-08-23 15:47:21.000000000 +0200
-+++ iptables-1.3.8/extensions/.rt-test6	2007-08-23 15:47:23.000000000 +0200
-@@ -1,2 +1,2 @@
- #!/bin/sh
--[ -f $KERNEL_DIR/net/ipv6/netfilter/ip6t_rt.c -a -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_rt.h ] && echo rt
-+[ -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_rt.h ] && echo rt

iptables-1.3.8-limit_man.patch

@@ -1,25 +0,0 @@
-diff -up iptables-1.3.8/iptables.8.in.limit iptables-1.3.8/iptables.8.in
-diff -up iptables-1.3.8/extensions/libip6t_limit.man.limit_man iptables-1.3.8/extensions/libip6t_limit.man
---- iptables-1.3.8/extensions/libip6t_limit.man.limit_man	2007-09-24 16:48:22.000000000 +0200
-+++ iptables-1.3.8/extensions/libip6t_limit.man	2007-09-24 17:28:29.000000000 +0200
-@@ -1,6 +1,6 @@
- This module matches at a limited rate using a token bucket filter.
--A rule using this extension will match until this limit is reached
--(unless the `!' flag is used).  It can be used in combination with the
-+A rule using this extension will match until this limit is reached.
-+  It can be used in combination with the
- .B LOG
- target to give limited logging, for example.
- .TP
-diff -up iptables-1.3.8/extensions/libipt_limit.man.limit_man iptables-1.3.8/extensions/libipt_limit.man
---- iptables-1.3.8/extensions/libipt_limit.man.limit_man	2007-09-24 16:48:22.000000000 +0200
-+++ iptables-1.3.8/extensions/libipt_limit.man	2007-09-24 17:28:19.000000000 +0200
-@@ -1,6 +1,6 @@
- This module matches at a limited rate using a token bucket filter.
--A rule using this extension will match until this limit is reached
--(unless the `!' flag is used).  It can be used in combination with the
-+A rule using this extension will match until this limit is reached.
-+  It can be used in combination with the
- .B LOG
- target to give limited logging, for example.
- .TP

iptables-1.3.8-reject_type.patch

@@ -1,20 +0,0 @@
-diff -up iptables-1.3.8/include/linux/netfilter_ipv6/ip6t_REJECT.h.reject_type iptables-1.3.8/include/linux/netfilter_ipv6/ip6t_REJECT.h
---- iptables-1.3.8/include/linux/netfilter_ipv6/ip6t_REJECT.h.reject_type	2007-09-24 16:48:21.000000000 +0200
-+++ iptables-1.3.8/include/linux/netfilter_ipv6/ip6t_REJECT.h	2007-09-24 17:20:45.000000000 +0200
-@@ -4,13 +4,15 @@
- enum ip6t_reject_with {
- 	IP6T_ICMP6_NO_ROUTE,
- 	IP6T_ICMP6_ADM_PROHIBITED,
-+	IP6T_ICMP6_NOT_NEIGHBOUR,
- 	IP6T_ICMP6_ADDR_UNREACH,
- 	IP6T_ICMP6_PORT_UNREACH,
-+	IP6T_ICMP6_ECHOREPLY,
- 	IP6T_TCP_RESET
- };
- 
- struct ip6t_reject_info {
--	enum ip6t_reject_with with;      /* reject type */
-+	u_int32_t with;      /* reject type */
- };
- 
- #endif /*_IP6T_REJECT_H*/

iptables-1.4.0-cloexec.patch

@@ -0,0 +1,16 @@
+diff -up iptables-1.4.0/xtables.c.cloexec iptables-1.4.0/xtables.c
+--- iptables-1.4.0/xtables.c.cloexec	2008-02-11 13:50:20.000000000 +0100
++++ iptables-1.4.0/xtables.c	2008-02-11 13:51:03.000000000 +0100
+@@ -428,6 +428,12 @@ static int compatible_revision(const cha
+ 		exit(1);
+ 	}
+ 
++	if (fcntl(sockfd, F_SETFD, FD_CLOEXEC) == -1) {
++		fprintf(stderr, "Could not set close on exec: %s\n",
++			strerror(errno));
++		exit(1);
++	}
++
+ 	load_xtables_ko(modprobe, 1);
+ 
+ 	strcpy(rev.name, name);

iptables.init

@@ -49,8 +49,8 @@ IPTABLES_STATUS_NUMERIC="yes"
 [ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG"
 
 # Netfilter modules
-NF_MODULES=(${IPV}_tables nf_conntrack_${_IPV})
-NF_MODULES_COMMON=(x_tables nf_conntrack) # Used by netfilter v4 and v6
+NF_MODULES=($(lsmod | awk "/^${IPV}table_/ {print \$1}") ${IPV}_tables)
+NF_MODULES_COMMON=(x_tables nf_nat nf_conntrack) # Used by netfilter v4 and v6
 
 # Get active tables
 NF_TABLES=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)
@@ -80,7 +80,9 @@ rmmod_r() {
     # after all referring modules are unloaded.
     if grep -q "^${mod}" /proc/modules ; then
 	modprobe -r $mod > /dev/null 2>&1
-	let ret+=$?;
+	res=$?
+	[ $res -eq 0 ] || echo -n " $mod"
+	let ret+=$res;
     fi
 
     return $ret
@@ -328,7 +330,7 @@ case "$1" in
 	RETVAL=$?
 	;;
     condrestart|try-restart)
-	[ -f "$VAR_SUBSYS_IPTABLES" ] && exit 0
+	[ ! -e "$VAR_SUBSYS_IPTABLES" ] && exit 0
 	restart
 	RETVAL=$?
 	;;

iptables.spec

@@ -2,17 +2,14 @@
 
 Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities
-Version: 1.3.8
-Release: 6%{?dist}
+Version: 1.4.0
+Release: 1%{?dist}
 Source: http://www.netfilter.org/projects/iptables/files/%{name}-%{version}.tar.bz2
 Source1: iptables.init
 Source2: iptables-config
 Patch0: iptables-1.3.8-iptc.patch
-Patch1: iptables-1.3.8-headers.patch
-Patch2: iptables-1.3.8-reject_type.patch
-Patch3: iptables-1.3.8-limit_man.patch
 Patch4: iptables-1.3.8-typo_latter.patch
-Patch5: iptables-1.3.8-cloexec.patch
+Patch5: iptables-1.4.0-cloexec.patch
 Group: System Environment/Base
 URL: http://www.netfilter.org/
 BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
@@ -59,9 +56,6 @@ stable and may change with every new version. It is therefore unsupported.
 %prep
 %setup -q
 %patch0 -p1 -b .iptc
-%patch1 -p1 -b .headers
-%patch2 -p1 -b .reject_type
-%patch3 -p1 -b .limit_man
 %patch4 -p1 -b .typo_latter
 %patch5 -p1 -b .cloexec
 
@@ -133,6 +127,7 @@ fi
 %{_mandir}/man8/iptables*
 %dir /%{_lib}/iptables
 /%{_lib}/iptables/libipt*
+/%{_lib}/iptables/libxt*
 
 %files ipv6
 %defattr(-,root,root)
@@ -155,6 +150,11 @@ fi
 %endif
 
 %changelog
+* Mon Feb 11 2008 Thomas Woerner <twoerner@redhat.com> 1.4.0-1
+- new version 1.4.0
+- fixed condrestart (rhbz#428148)
+- report the module in rmmod_r if there is an error
+
 * Mon Nov  5 2007 Thomas Woerner <twoerner@redhat.com> 1.3.8-6
 - fixed leaked file descriptor before fork/exec (rhbz#312191)
 - blacklisting is not working, use "install X /bin/(true|false)" test instead

sources

@@ -1 +1 @@
-0a9209f928002e5eee9cdff8fef4d4b3  iptables-1.3.8.tar.bz2
+90cfa8a554a29b0b859a625e701af2a7  iptables-1.4.0.tar.bz2