iptables-1.8.11-1.el10

* Fri Nov 08 2024 Phil Sutter <psutter@redhat.com> [1.8.11-1.el10] - Add requirement on kernel-modules-extra (Phil Sutter) [RHEL-65224] - Rebase onto upstream version 1.8.11 (Phil Sutter) [RHEL-66725] Resolves: RHEL-65224, RHEL-66725
2024-11-08 23:17:46 +01:00 · 2024-11-08 23:17:46 +01:00 · ca25de4fcf
commit ca25de4fcf
parent d2a9a30f8e
9 changed files with 37 additions and 289 deletions
--- a/.gitignore
+++ b/.gitignore
@ -14,3 +14,4 @@
 /iptables-1.8.8.tar.bz2
 /iptables-1.8.9.tar.xz
 /iptables-1.8.10.tar.xz
+/iptables-1.8.11.tar.xz
--- a/0001-doc-Add-deprecation-notices-to-all-relevant-man-page.patch
+++ b/0001-doc-Add-deprecation-notices-to-all-relevant-man-page.patch
@ -1,4 +1,4 @@
-From 2abc07c47189b26fce16f4751a96f747fa53fc0f Mon Sep 17 00:00:00 2001
+From cc09ad00d7915c21dd21f20fa616f1a68cb4fc26 Mon Sep 17 00:00:00 2001
 From: Phil Sutter <psutter@redhat.com>
 Date: Thu, 17 Jun 2021 18:44:28 +0200
 Subject: [PATCH] doc: Add deprecation notices to all relevant man pages
@ -23,12 +23,12 @@ Signed-off-by: Phil Sutter <psutter@redhat.com>
 10 files changed, 142 insertions(+), 7 deletions(-)

 diff --git a/iptables/arptables-nft-restore.8 b/iptables/arptables-nft-restore.8
-index 09d9082..b1bf029 100644
+index 596ca1c..99b1cb7 100644
 --- a/iptables/arptables-nft-restore.8
 +++ b/iptables/arptables-nft-restore.8
-@@ -24,6 +24,17 @@ arptables-restore \- Restore ARP Tables (nft-based)
+@@ -24,6 +24,17 @@ arptables-restore \(em Restore ARP Tables (nft-based)
 .SH SYNOPSIS
- \fBarptables\-restore
+ \fBarptables\-restore\fP
 .SH DESCRIPTION
 +This tool is
 +.B deprecated
@ -52,10 +52,10 @@ index 09d9082..b1bf029 100644
 +\fBarptables\-save\fP(8), \fBarptables\fP(8), \fBnft\fP(8)
 .PP
 diff --git a/iptables/arptables-nft-save.8 b/iptables/arptables-nft-save.8
-index 905e598..49bb0f6 100644
+index e9171d5..6a95991 100644
 --- a/iptables/arptables-nft-save.8
 +++ b/iptables/arptables-nft-save.8
-@@ -27,6 +27,18 @@ arptables-save \- dump arptables rules to stdout (nft-based)
+@@ -27,6 +27,18 @@ arptables-save \(em dump arptables rules to stdout (nft-based)
 \fBarptables\-save\fP [\fB\-V\fP]
 .SH DESCRIPTION
 .PP
@ -82,12 +82,12 @@ index 905e598..49bb0f6 100644
 +\fBarptables\-restore\fP(8), \fBarptables\fP(8), \fBnft\fP(8)
 .PP
 diff --git a/iptables/arptables-nft.8 b/iptables/arptables-nft.8
-index ea31e08..ec5b993 100644
+index c48a2cc..66bec39 100644
 --- a/iptables/arptables-nft.8
 +++ b/iptables/arptables-nft.8
-@@ -39,6 +39,19 @@ arptables \- ARP table administration (nft-based)
- .BR "arptables " [ "-t table" ] " -P chain target " [ options ]
- 
+@@ -53,6 +53,19 @@ match := \fB\-m\fP \fImatchname\fP [per-match-options]
+ .PP
+ target := \fB\-j\fP \fItargetname\fP [per-target-options]
 .SH DESCRIPTION
 +.PP
 +This tool is
@ -105,7 +105,7 @@ index ea31e08..ec5b993 100644
 .B arptables
 is a user space tool, it is used to set up and maintain the
 tables of ARP rules in the Linux kernel. These rules inspect
-@@ -340,9 +353,13 @@ bridges, the same may be achieved using
+@@ -354,9 +367,13 @@ bridges, the same may be achieved using
 chain in
 .BR ebtables .
 
@ -116,15 +116,15 @@ index ea31e08..ec5b993 100644
 .SH MAILINGLISTS
 .BR "" "See " http://netfilter.org/mailinglists.html
 .SH SEE ALSO
-.BR xtables-nft "(8), " iptables "(8), " ebtables "(8), " ip (8)
-+.BR xtables-nft "(8), " iptables "(8), " ebtables "(8), " ip "(8), " nft (8)
+-.BR xtables\-nft "(8), " iptables "(8), " ebtables "(8), " ip (8)
+.BR xtables\-nft "(8), " iptables "(8), " ebtables "(8), " ip "(8), " nft (8)
 .PP
 .BR "" "See " https://wiki.nftables.org
 diff --git a/iptables/ebtables-nft.8 b/iptables/ebtables-nft.8
-index 0304b50..cfd617a 100644
+index 8698165..e68d64b 100644
 --- a/iptables/ebtables-nft.8
 +++ b/iptables/ebtables-nft.8
-@@ -46,6 +46,19 @@ ebtables \- Ethernet bridge frame table administration (nft-based)
+@@ -46,6 +46,19 @@ ebtables \(em Ethernet bridge frame table administration (nft-based)
 .br
 
 .SH DESCRIPTION
@ -144,7 +144,7 @@ index 0304b50..cfd617a 100644
 .B ebtables
 is an application program used to set up and maintain the
 tables of rules (inside the Linux kernel) that inspect
-@@ -1083,6 +1096,6 @@ has not been implemented, although
+@@ -1084,6 +1097,6 @@ has not been implemented, although
 might replace them entirely given the inherent atomicity of nftables.
 Finally, this list is probably not complete.
 .SH SEE ALSO
@ -153,10 +153,10 @@ index 0304b50..cfd617a 100644
 .PP
 .BR "" "See " https://wiki.nftables.org
 diff --git a/iptables/iptables-apply.8.in b/iptables/iptables-apply.8.in
-index f0ed4e5..7f99a21 100644
+index 33fd79f..f0171f1 100644
 --- a/iptables/iptables-apply.8.in
 +++ b/iptables/iptables-apply.8.in
-@@ -11,6 +11,18 @@ iptables-apply \- a safer way to update iptables remotely
+@@ -9,6 +9,18 @@ iptables-apply \(em a safer way to update iptables remotely
 \fBiptables\-apply\fP [\-\fBhV\fP] [\fB-t\fP \fItimeout\fP] [\fB-w\fP \fIsavefile\fP] {[\fIrulesfile]|-c [runcmd]}\fP
 .SH "DESCRIPTION"
 .PP
@ -175,7 +175,7 @@ index f0ed4e5..7f99a21 100644
 iptables\-apply will try to apply a new rulesfile (as output by
 iptables-save, read by iptables-restore) or run a command to configure
 iptables and then prompt the user whether the changes are okay. If the
-@@ -47,7 +59,7 @@ Display usage information.
+@@ -45,7 +57,7 @@ Display usage information.
 Display version information.
 .SH "SEE ALSO"
 .PP
@ -278,12 +278,12 @@ index 65c1f28..d47be27 100644
 The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
 which details NAT, and the netfilter-hacking-HOWTO which details the
 diff --git a/iptables/iptables.8.in b/iptables/iptables.8.in
-index ecaa555..4c4a15a 100644
+index 21fb891..ef20bf2 100644
 --- a/iptables/iptables.8.in
 +++ b/iptables/iptables.8.in
-@@ -55,6 +55,20 @@ match = \fB\-m\fP \fImatchname\fP [\fIper-match-options\fP]
+@@ -55,6 +55,20 @@ match := \fB\-m\fP \fImatchname\fP [per-match-options]
 .PP
- target = \fB\-j\fP \fItargetname\fP [\fIper\-target\-options\fP]
+ target := \fB\-j\fP \fItargetname\fP [per-target-options]
 .SH DESCRIPTION
 +These tools are
 +.B deprecated
@ -313,7 +313,7 @@ index ecaa555..4c4a15a 100644
 The packet-filtering-HOWTO details iptables usage for
 packet filtering, the NAT-HOWTO details NAT,
 diff --git a/iptables/xtables-monitor.8.in b/iptables/xtables-monitor.8.in
-index a7f22c0..e21d7ff 100644
+index ed2c5fb..99016cd 100644
 --- a/iptables/xtables-monitor.8.in
 +++ b/iptables/xtables-monitor.8.in
@@ -6,6 +6,17 @@ xtables-monitor \(em show changes to rule set and trace-events
--- a/0002-extensions-SECMARK-Use-a-better-context-in-test-case.patch
+++ b/0002-extensions-SECMARK-Use-a-better-context-in-test-case.patch
@ -1,4 +1,4 @@
-From 4388fad6c3874a3861907734f9a6368cfd0a731c Mon Sep 17 00:00:00 2001
+From 9ff1da0df36a3e963b797d7251f8f350f059ea64 Mon Sep 17 00:00:00 2001
 From: Phil Sutter <psutter@redhat.com>
 Date: Fri, 16 Jul 2021 21:51:49 +0200
 Subject: [PATCH] extensions: SECMARK: Use a better context in test case
--- a/0003-ebtables-Fix-corner-case-noflush-restore-bug.patch
+++ b/0003-ebtables-Fix-corner-case-noflush-restore-bug.patch
@ -1,73 +0,0 @@
-From 7a8231504928a4ad7a2229d0f8a27d9734159647 Mon Sep 17 00:00:00 2001
-From: Phil Sutter <psutter@redhat.com>
-Date: Tue, 7 Nov 2023 23:44:55 +0100
-Subject: [PATCH] ebtables: Fix corner-case noflush restore bug
-
-JIRA: https://issues.redhat.com/browse/RHEL-14147
-Upstream Status: iptables commit c1083acea70787eea3f7929fd04718434bb05ba8
-
-commit c1083acea70787eea3f7929fd04718434bb05ba8
-Author: Phil Sutter <phil@nwl.cc>
-Date:   Tue Nov 7 19:12:14 2023 +0100
-
-    ebtables: Fix corner-case noflush restore bug
-
-    Report came from firwalld, but this is actually rather hard to trigger.
-    Since a regular chain line prevents it, typical dump/restore use-cases
-    are unaffected.
-
-    Fixes: 73611d5582e72 ("ebtables-nft: add broute table emulation")
-    Cc: Eric Garver <eric@garver.life>
-    Signed-off-by: Phil Sutter <phil@nwl.cc>
-
-Signed-off-by: Phil Sutter <psutter@redhat.com>
---
- .../testcases/ebtables/0009-broute-bug_0      | 25 +++++++++++++++++++
- iptables/xtables-eb.c                         |  2 ++
- 2 files changed, 27 insertions(+)
- create mode 100755 iptables/tests/shell/testcases/ebtables/0009-broute-bug_0
-
-diff --git a/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0 b/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0
-new file mode 100755
-index 0000000..0def0ac
--- /dev/null
-+++ b/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0
-@@ -0,0 +1,25 @@
-+#!/bin/sh
-+#
-+# Missing BROUTING-awareness in ebt_get_current_chain() caused an odd caching bug when restoring:
-+# - with --noflush
-+# - a second table after the broute one
-+# - A policy command but no chain line for BROUTING chain
-+
-+set -e
-+
-+case "$XT_MULTI" in
-+*xtables-nft-multi)
-+	;;
-+*)
-+	echo "skip $XT_MULTI"
-+	exit 0
-+	;;
-+esac
-+
-+$XT_MULTI ebtables-restore --noflush <<EOF
-+*broute
-+-P BROUTING ACCEPT
-+*nat
-+-P PREROUTING ACCEPT
-+COMMIT
-+EOF
-diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
-index 08eec79..a8ad57c 100644
--- a/iptables/xtables-eb.c
-+++ b/iptables/xtables-eb.c
-@@ -169,6 +169,8 @@ int ebt_get_current_chain(const char *chain)
- 		return NF_BR_LOCAL_OUT;
- 	else if (strcmp(chain, "POSTROUTING") == 0)
- 		return NF_BR_POST_ROUTING;
-+	else if (strcmp(chain, "BROUTING") == 0)
-+		return NF_BR_BROUTING;
- 
- 	/* placeholder for user defined chain */
- 	return NF_BR_NUMHOOKS;
--- a/0004-nft-Fix-for-broken-recover_rule_compat.patch
+++ b/0004-nft-Fix-for-broken-recover_rule_compat.patch
@ -1,99 +0,0 @@
-From 4c883007ecf15b5fe18a71688a4383686e7c0026 Mon Sep 17 00:00:00 2001
-From: Phil Sutter <psutter@redhat.com>
-Date: Wed, 22 May 2024 18:26:58 +0200
-Subject: [PATCH] nft: Fix for broken recover_rule_compat()
-
-JIRA: https://issues.redhat.com/browse/RHEL-26619
-Upstream Status: iptables commit bb1a7a5b297aa271f7f59abbcb891cd94d7fb305
-
-commit bb1a7a5b297aa271f7f59abbcb891cd94d7fb305
-Author: Phil Sutter <phil@nwl.cc>
-Date:   Tue Feb 27 18:47:39 2024 +0100
-
-    nft: Fix for broken recover_rule_compat()
-
-    When IPv4 rule generator was changed to emit payload instead of
-    meta expressions for l4proto matches, the code reinserting
-    NFTNL_RULE_COMPAT_* attributes into rules being reused for counter
-    zeroing was broken by accident.
-
-    Make rule compat recovery aware of the alternative match, basically
-    reinstating the effect of commit 7a373f6683afb ("nft: Fix -Z for rules
-    with NFTA_RULE_COMPAT") but add a test case this time to make sure
-    things stay intact.
-
-    Fixes: 69278f9602b43 ("nft: use payload matching for layer 4 protocol")
-    Signed-off-by: Phil Sutter <phil@nwl.cc>
-
-Signed-off-by: Phil Sutter <psutter@redhat.com>
---
- iptables/nft.c                                | 27 ++++++++++++++++---
- .../nft-only/0011-zero-needs-compat_0         | 12 +++++++++
- 2 files changed, 35 insertions(+), 4 deletions(-)
- create mode 100755 iptables/tests/shell/testcases/nft-only/0011-zero-needs-compat_0
-
-diff --git a/iptables/nft.c b/iptables/nft.c
-index 97fd4f4..c4caf29 100644
--- a/iptables/nft.c
-+++ b/iptables/nft.c
-@@ -3679,6 +3679,27 @@ const char *nft_strerror(int err)
- 	return strerror(err);
- }
- 
-+static int l4proto_expr_get_dreg(struct nftnl_expr *e, uint32_t *dregp)
-+{
-+	const char *name = nftnl_expr_get_str(e, NFTNL_EXPR_NAME);
-+	uint32_t poff = offsetof(struct iphdr, protocol);
-+	uint32_t pbase = NFT_PAYLOAD_NETWORK_HEADER;
-+
-+	if (!strcmp(name, "payload") &&
-+	    nftnl_expr_get_u32(e, NFTNL_EXPR_PAYLOAD_BASE) == pbase &&
-+	    nftnl_expr_get_u32(e, NFTNL_EXPR_PAYLOAD_OFFSET) == poff &&
-+	    nftnl_expr_get_u32(e, NFTNL_EXPR_PAYLOAD_LEN) == sizeof(uint8_t)) {
-+		*dregp = nftnl_expr_get_u32(e, NFTNL_EXPR_PAYLOAD_DREG);
-+		return 0;
-+	}
-+	if (!strcmp(name, "meta") &&
-+	    nftnl_expr_get_u32(e, NFTNL_EXPR_META_KEY) == NFT_META_L4PROTO) {
-+		*dregp = nftnl_expr_get_u32(e, NFTNL_EXPR_META_DREG);
-+		return 0;
-+	}
-+	return -1;
-+}
-+
- static int recover_rule_compat(struct nftnl_rule *r)
- {
- 	struct nftnl_expr_iter *iter;
-@@ -3695,12 +3716,10 @@ next_expr:
- 	if (!e)
- 		goto out;
- 
-	if (strcmp("meta", nftnl_expr_get_str(e, NFTNL_EXPR_NAME)) ||
-	    nftnl_expr_get_u32(e, NFTNL_EXPR_META_KEY) != NFT_META_L4PROTO)
-+	/* may be 'ip protocol' or 'meta l4proto' with identical RHS */
-+	if (l4proto_expr_get_dreg(e, &reg) < 0)
- 		goto next_expr;
- 
-	reg = nftnl_expr_get_u32(e, NFTNL_EXPR_META_DREG);
-
- 	e = nftnl_expr_iter_next(iter);
- 	if (!e)
- 		goto out;
-diff --git a/iptables/tests/shell/testcases/nft-only/0011-zero-needs-compat_0 b/iptables/tests/shell/testcases/nft-only/0011-zero-needs-compat_0
-new file mode 100755
-index 0000000..e276a95
--- /dev/null
-+++ b/iptables/tests/shell/testcases/nft-only/0011-zero-needs-compat_0
-@@ -0,0 +1,12 @@
-+#!/bin/bash
-+
-+[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }
-+
-+set -e
-+
-+rule="-p tcp -m tcp --dport 27374 -c 23 42 -j TPROXY --on-port 50080"
-+for cmd in iptables ip6tables; do
-+	$XT_MULTI $cmd -t mangle -A PREROUTING $rule
-+	$XT_MULTI $cmd -t mangle -Z
-+	$XT_MULTI $cmd -t mangle -v -S | grep -q -- "${rule/23 42/0 0}"
-+done
--- a/0005-extensions-libxt_sctp-Add-an-extra-assert.patch
+++ b/0005-extensions-libxt_sctp-Add-an-extra-assert.patch
@ -1,43 +0,0 @@
-From 6e4197dee5ff051f2daf1327faf1683fe350264f Mon Sep 17 00:00:00 2001
-From: Phil Sutter <psutter@redhat.com>
-Date: Wed, 12 Jun 2024 22:49:48 +0200
-Subject: [PATCH] extensions: libxt_sctp: Add an extra assert()
-
-JIRA: https://issues.redhat.com/browse/RHEL-40928
-Upstream Status: iptables commit 0234117d24609070f08ef36a11795c3c8e4c19bf
-
-commit 0234117d24609070f08ef36a11795c3c8e4c19bf
-Author: Phil Sutter <phil@nwl.cc>
-Date:   Fri May 17 15:20:05 2024 +0200
-
-    extensions: libxt_sctp: Add an extra assert()
-
-    The code is sane, but this keeps popping up in static code analyzers.
-
-    Signed-off-by: Phil Sutter <phil@nwl.cc>
-
-Signed-off-by: Phil Sutter <psutter@redhat.com>
---
- extensions/libxt_sctp.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c
-index 6e2b274..e8312f0 100644
--- a/extensions/libxt_sctp.c
-+++ b/extensions/libxt_sctp.c
-@@ -7,6 +7,7 @@
-  * libipt_ecn.c borrowed heavily from libipt_dscp.c
-  *
-  */
-+#include <assert.h>
- #include <stdbool.h>
- #include <stdio.h>
- #include <string.h>
-@@ -354,6 +355,7 @@ print_chunk_flags(uint32_t chunknum, uint8_t chunk_flags, uint8_t chunk_flags_ma
- 
- 	for (i = 7; i >= 0; i--) {
- 		if (chunk_flags_mask & (1 << i)) {
-+			assert(chunknum < ARRAY_SIZE(sctp_chunk_names));
- 			if (chunk_flags & (1 << i)) {
- 				printf("%c", sctp_chunk_names[chunknum].valid_flags[7-i]);
- 			} else {
--- a/0006-extensions-recent-New-kernels-support-999-hits.patch
+++ b/0006-extensions-recent-New-kernels-support-999-hits.patch
@ -1,39 +0,0 @@
-From 9dbd643945ba560e7fbb7aa2d4711bf14dd3452d Mon Sep 17 00:00:00 2001
-From: Phil Sutter <psutter@redhat.com>
-Date: Sat, 21 Sep 2024 02:04:54 +0200
-Subject: [PATCH] extensions: recent: New kernels support 999 hits
-
-JIRA: https://issues.redhat.com/browse/RHEL-34919
-Upstream Status: iptables commit d859b91e6f3ed055c22ee7b984b481c5b518d9e1
-
-commit d859b91e6f3ed055c22ee7b984b481c5b518d9e1
-Author: Phil Sutter <phil@nwl.cc>
-Date:   Sat Jul 20 02:23:28 2024 +0200
-
-    extensions: recent: New kernels support 999 hits
-
-    Since kernel commit f4ebd03496f6 ("netfilter: xt_recent: Lift
-    restrictions on max hitcount value"), the max supported hitcount value
-    has increased significantly. Adjust the test to use a value which fails
-    on old as well as new kernels.
-
-    Signed-off-by: Phil Sutter <phil@nwl.cc>
-
-Signed-off-by: Phil Sutter <psutter@redhat.com>
---
- extensions/libxt_recent.t | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/extensions/libxt_recent.t b/extensions/libxt_recent.t
-index cf23aab..3b0dd9f 100644
--- a/extensions/libxt_recent.t
-+++ b/extensions/libxt_recent.t
-@@ -4,7 +4,7 @@
- -m recent --rcheck --hitcount 12 --name foo --mask 255.255.255.255 --rsource;=;OK
- -m recent --update --rttl;-m recent --update --rttl --name DEFAULT --mask 255.255.255.255 --rsource;OK
- -m recent --set --rttl;;FAIL
--m recent --rcheck --hitcount 999 --name foo --mask 255.255.255.255 --rsource;;FAIL
-+-m recent --rcheck --hitcount 65536 --name foo --mask 255.255.255.255 --rsource;;FAIL
- # nonsensical, but all should load successfully:
- -m recent --rcheck --hitcount 3 --name foo --mask 255.255.255.255 --rsource -m recent --rcheck --hitcount 4 --name foo --mask 255.255.255.255 --rsource;=;OK
- -m recent --rcheck --hitcount 4 --name foo --mask 255.255.255.255 --rsource -m recent --rcheck --hitcount 4 --name foo --mask 255.255.255.255 --rsource;=;OK
--- a/iptables.spec
+++ b/iptables.spec
@ -1,6 +1,3 @@
-%define iptables_rpmversion 1.8.10
-%define iptables_specrelease 14
-
 # install init scripts to /usr/libexec with systemd
 %global script_path %{_libexecdir}/iptables

@ -18,8 +15,8 @@
 Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities
 URL: https://www.netfilter.org/projects/iptables
-Version: %{iptables_rpmversion}
-Release: %{iptables_specrelease}%{?dist}%{?buildid}.1
+Version: 1.8.11
+Release: 1%{?dist}
 Source: %{url}/files/%{name}-%{version}.tar.xz
 Source1: iptables.init
 Source2: iptables-config
@ -35,10 +32,6 @@ Source11: iptables-test.stderr.expect

 Patch1:             0001-doc-Add-deprecation-notices-to-all-relevant-man-page.patch
 Patch2:             0002-extensions-SECMARK-Use-a-better-context-in-test-case.patch
-Patch3:             0003-ebtables-Fix-corner-case-noflush-restore-bug.patch
-Patch4:             0004-nft-Fix-for-broken-recover_rule_compat.patch
-Patch5:             0005-extensions-libxt_sctp-Add-an-extra-assert.patch
-Patch6:             0006-extensions-recent-New-kernels-support-999-hits.patch

 # pf.os: ISC license
 # iptables-apply: Artistic Licence 2.0
@ -73,6 +66,7 @@ you should install this package.
 Summary: Legacy tools for managing Linux kernel packet filtering capabilities
 Requires: %{name}-legacy-libs%{?_isa} = %{version}-%{release}
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
+Requires: kernel-modules-extra
 Conflicts: setup < 2.10.4-1
 Requires(post): %{_sbindir}/update-alternatives
 Requires(postun): %{_sbindir}/update-alternatives
@ -174,6 +168,7 @@ a safer way to update iptables remotely.
 %package nft
 Summary: nftables compatibility for iptables, arptables and ebtables
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
+Requires: kernel-modules-extra
 Requires(post): %{_sbindir}/update-alternatives
 Requires(post): %{_bindir}/readlink
 Requires(postun): %{_sbindir}/update-alternatives
@ -457,6 +452,7 @@ fi
 %{_sbindir}/ip{,6}tables{,-restore}-translate
 %{_sbindir}/{eb,arp}tables-nft*
 %{_sbindir}/ebtables-translate
+%{_sbindir}/arptables-translate
 %{_sbindir}/xtables-nft-multi
 %{_sbindir}/xtables-monitor
 %dir %{_libdir}/xtables
@ -466,13 +462,18 @@ fi
 %{_mandir}/man8/xtables-translate*
 %{_mandir}/man8/*-nft*
 %{_mandir}/man8/ip{,6}tables{,-restore}-translate*
+%{_mandir}/man8/{eb,arp}tables-translate.8.gz
 %ghost %{_sbindir}/ip{,6}tables{,-save,-restore}
 %ghost %{_sbindir}/{eb,arp}tables{,-save,-restore}
 %ghost %{_libexecdir}/arptables-helper
 %ghost %{_mandir}/man8/arptables{,-save,-restore}.8.gz
-%ghost %{_mandir}/man8/ebtables{,-translate}.8.gz
+%ghost %{_mandir}/man8/ebtables.8.gz

 %changelog
+* Fri Nov 08 2024 Phil Sutter <psutter@redhat.com> [1.8.11-1.el10]
+- Add requirement on kernel-modules-extra (Phil Sutter) [RHEL-65224]
+- Rebase onto upstream version 1.8.11 (Phil Sutter) [RHEL-66725]
+
 * Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 1.8.10-14.1
 - Bump release for October 2024 mass rebuild:
  Resolves: RHEL-64018
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (iptables-1.8.10.tar.xz) = 71e6ed2260859157d61981a4fe5039dc9e8d7da885a626a4b5dae8164c509a9d9f874286b9468bb6a462d6e259d4d32d5967777ecefdd8a293011ae80c00f153
+SHA512 (iptables-1.8.11.tar.xz) = 4937020bf52d57a45b76e1eba125214a2f4531de52ff1d15185faeef8bea0cd90eb77f99f81baa573944aa122f350a7198cef41d70594e1b65514784addbcc40