iptables-1.8.11-14.el10

* Wed May 27 2026 Phil Sutter <psutter@redhat.com> [1.8.11-14.el10] - tests: shell: Review nft-only/0009-needless-bitwise_0 (Phil Sutter) [RHEL-179504] - spec: Soft-depend on kernel-modules-extra (Phil Sutter) [RHEL-176386] Resolves: RHEL-176386, RHEL-179504
2026-05-27 22:53:48 +02:00 · 2026-05-27 22:53:48 +02:00 · db3064a5c9
commit db3064a5c9
parent 00e8c249c5
2 changed files with 454 additions and 17 deletions
--- a/0009-tests-shell-Review-nft-only-0009-needless-bitwise_0.patch
+++ b/0009-tests-shell-Review-nft-only-0009-needless-bitwise_0.patch
@ -0,0 +1,432 @@
+From 011a8a2ff0eb7465a906e7d7d2bed58ffccfcee9 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Wed, 27 May 2026 22:51:54 +0200
+Subject: [PATCH] tests: shell: Review nft-only/0009-needless-bitwise_0
+
+JIRA: https://issues.redhat.com/browse/RHEL-179504
+Upstream Status: iptables commit 412d5659d398e419f45ae490caba41e978483f95
+
+commit 412d5659d398e419f45ae490caba41e978483f95
+Author: Phil Sutter <phil@nwl.cc>
+Date:   Thu Jan 29 19:23:35 2026 +0100
+
+    tests: shell: Review nft-only/0009-needless-bitwise_0
+
+    - Avoid calling host's nft binary, use double-verbose mode with *tables
+      tools instead
+    - Update expected payloads to match new byteorder-aware libnftnl output
+    - Drop '-x' flag from shell
+
+    Signed-off-by: Phil Sutter <phil@nwl.cc>
+
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ .../nft-only/0009-needless-bitwise_0          | 195 +++++++++---------
+ 1 file changed, 101 insertions(+), 94 deletions(-)
+
+diff --git a/iptables/tests/shell/testcases/nft-only/0009-needless-bitwise_0 b/iptables/tests/shell/testcases/nft-only/0009-needless-bitwise_0
+index bfceed4..a806896 100755
+--- a/iptables/tests/shell/testcases/nft-only/0009-needless-bitwise_0
+++ b/iptables/tests/shell/testcases/nft-only/0009-needless-bitwise_0
+@@ -1,4 +1,4 @@
+-#!/bin/bash -x
+#!/bin/bash
+ 
+ [[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }
+ set -e
+@@ -52,287 +52,287 @@ ff:00:00:00:00:00
+ 	echo "COMMIT"
+ ) | $XT_MULTI ebtables-restore
+ 
+-EXPECT="ip filter OUTPUT 4
+EXPECT_IP4="ip filter OUTPUT 4
+   [ payload load 4b @ network header + 16 => reg 1 ]
+-  [ cmp eq reg 1 0x0302010a ]
+  [ cmp eq reg 1 0x0a010203 ]
+   [ counter pkts 0 bytes 0 ]
+ 
+ ip filter OUTPUT 5 4
+   [ payload load 4b @ network header + 16 => reg 1 ]
+-  [ cmp eq reg 1 0x0302010a ]
+  [ cmp eq reg 1 0x0a010203 ]
+   [ counter pkts 0 bytes 0 ]
+ 
+ ip filter OUTPUT 6 5
+   [ payload load 4b @ network header + 16 => reg 1 ]
+-  [ bitwise reg 1 = ( reg 1 & 0xfcffffff ) ^ 0x00000000 ]
+-  [ cmp eq reg 1 0x0002010a ]
+  [ bitwise reg 1 = ( reg 1 & 0xfffffffc ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x0a010200 ]
+   [ counter pkts 0 bytes 0 ]
+ 
+ ip filter OUTPUT 7 6
+   [ payload load 3b @ network header + 16 => reg 1 ]
+-  [ cmp eq reg 1 0x0002010a ]
+  [ cmp eq reg 1 0x0a0102 ]
+   [ counter pkts 0 bytes 0 ]
+ 
+ ip filter OUTPUT 8 7
+   [ payload load 2b @ network header + 16 => reg 1 ]
+-  [ cmp eq reg 1 0x0000010a ]
+  [ cmp eq reg 1 0x0a01 ]
+   [ counter pkts 0 bytes 0 ]
+ 
+ ip filter OUTPUT 9 8
+   [ payload load 1b @ network header + 16 => reg 1 ]
+-  [ cmp eq reg 1 0x0000000a ]
+  [ cmp eq reg 1 0x0a ]
+   [ counter pkts 0 bytes 0 ]
+ 
+ ip filter OUTPUT 10 9
+   [ counter pkts 0 bytes 0 ]
+-
+-ip6 filter OUTPUT 4
+"
+EXPECT_IP6="ip6 filter OUTPUT 4
+   [ payload load 16b @ network header + 24 => reg 1 ]
+-  [ cmp eq reg 1 0xffc0edfe 0x020100ee 0x06050403 0x0a090807 ]
+  [ cmp eq reg 1 0xfeedc0ff 0xee000102 0x03040506 0x0708090a ]
+   [ counter pkts 0 bytes 0 ]
+ 
+ ip6 filter OUTPUT 5 4
+   [ payload load 16b @ network header + 24 => reg 1 ]
+-  [ cmp eq reg 1 0xffc0edfe 0x020100ee 0x06050403 0x0a090807 ]
+  [ cmp eq reg 1 0xfeedc0ff 0xee000102 0x03040506 0x0708090a ]
+   [ counter pkts 0 bytes 0 ]
+ 
+ ip6 filter OUTPUT 6 5
+   [ payload load 16b @ network header + 24 => reg 1 ]
+-  [ bitwise reg 1 = ( reg 1 & 0xffffffff 0xffffffff 0xffffffff 0xf0ffffff ) ^ 0x00000000 0x00000000 0x00000000 0x00000000 ]
+-  [ cmp eq reg 1 0xffc0edfe 0x020100ee 0x06050403 0x00090807 ]
+  [ bitwise reg 1 = ( reg 1 & 0xffffffff 0xffffffff 0xffffffff 0xfffffff0 ) ^ 0x00000000 0x00000000 0x00000000 0x00000000 ]
+  [ cmp eq reg 1 0xfeedc0ff 0xee000102 0x03040506 0x07080900 ]
+   [ counter pkts 0 bytes 0 ]
+ 
+ ip6 filter OUTPUT 7 6
+   [ payload load 15b @ network header + 24 => reg 1 ]
+-  [ cmp eq reg 1 0xffc0edfe 0x020100ee 0x06050403 0x00090807 ]
+  [ cmp eq reg 1 0xfeedc0ff 0xee000102 0x03040506 0x070809 ]
+   [ counter pkts 0 bytes 0 ]
+ 
+ ip6 filter OUTPUT 8 7
+   [ payload load 14b @ network header + 24 => reg 1 ]
+-  [ cmp eq reg 1 0xffc0edfe 0x020100ee 0x06050403 0x00000807 ]
+  [ cmp eq reg 1 0xfeedc0ff 0xee000102 0x03040506 0x0708 ]
+   [ counter pkts 0 bytes 0 ]
+ 
+ ip6 filter OUTPUT 9 8
+   [ payload load 11b @ network header + 24 => reg 1 ]
+-  [ cmp eq reg 1 0xffc0edfe 0x020100ee 0x00050403 ]
+  [ cmp eq reg 1 0xfeedc0ff 0xee000102 0x030405 ]
+   [ counter pkts 0 bytes 0 ]
+ 
+ ip6 filter OUTPUT 10 9
+   [ payload load 10b @ network header + 24 => reg 1 ]
+-  [ cmp eq reg 1 0xffc0edfe 0x020100ee 0x00000403 ]
+  [ cmp eq reg 1 0xfeedc0ff 0xee000102 0x0304 ]
+   [ counter pkts 0 bytes 0 ]
+ 
+ ip6 filter OUTPUT 11 10
+   [ payload load 8b @ network header + 24 => reg 1 ]
+-  [ cmp eq reg 1 0xffc0edfe 0x020100ee ]
+  [ cmp eq reg 1 0xfeedc0ff 0xee000102 ]
+   [ counter pkts 0 bytes 0 ]
+ 
+ ip6 filter OUTPUT 12 11
+   [ payload load 6b @ network header + 24 => reg 1 ]
+-  [ cmp eq reg 1 0xffc0edfe 0x000000ee ]
+  [ cmp eq reg 1 0xfeedc0ff 0xee00 ]
+   [ counter pkts 0 bytes 0 ]
+ 
+ ip6 filter OUTPUT 13 12
+   [ payload load 2b @ network header + 24 => reg 1 ]
+-  [ cmp eq reg 1 0x0000edfe ]
+  [ cmp eq reg 1 0xfeed ]
+   [ counter pkts 0 bytes 0 ]
+ 
+ ip6 filter OUTPUT 14 13
+   [ payload load 1b @ network header + 24 => reg 1 ]
+-  [ cmp eq reg 1 0x000000fe ]
+  [ cmp eq reg 1 0xfe ]
+   [ counter pkts 0 bytes 0 ]
+ 
+ ip6 filter OUTPUT 15 14
+   [ counter pkts 0 bytes 0 ]
+-
+-arp filter OUTPUT 3
+"
+EXPECT_ARP="arp filter OUTPUT 3
+   [ payload load 2b @ network header + 0 => reg 1 ]
+-  [ cmp eq reg 1 0x00000100 ]
+  [ cmp eq reg 1 0x0001 ]
+   [ payload load 1b @ network header + 4 => reg 1 ]
+-  [ cmp eq reg 1 0x00000006 ]
+  [ cmp eq reg 1 0x06 ]
+   [ payload load 1b @ network header + 5 => reg 1 ]
+-  [ cmp eq reg 1 0x00000004 ]
+  [ cmp eq reg 1 0x04 ]
+   [ payload load 4b @ network header + 24 => reg 1 ]
+-  [ cmp eq reg 1 0x0302010a ]
+  [ cmp eq reg 1 0x0a010203 ]
+   [ counter pkts 0 bytes 0 ]
+ 
+ arp filter OUTPUT 4 3
+   [ payload load 2b @ network header + 0 => reg 1 ]
+-  [ cmp eq reg 1 0x00000100 ]
+  [ cmp eq reg 1 0x0001 ]
+   [ payload load 1b @ network header + 4 => reg 1 ]
+-  [ cmp eq reg 1 0x00000006 ]
+  [ cmp eq reg 1 0x06 ]
+   [ payload load 1b @ network header + 5 => reg 1 ]
+-  [ cmp eq reg 1 0x00000004 ]
+  [ cmp eq reg 1 0x04 ]
+   [ payload load 4b @ network header + 24 => reg 1 ]
+-  [ cmp eq reg 1 0x0302010a ]
+  [ cmp eq reg 1 0x0a010203 ]
+   [ counter pkts 0 bytes 0 ]
+ 
+ arp filter OUTPUT 5 4
+   [ payload load 2b @ network header + 0 => reg 1 ]
+-  [ cmp eq reg 1 0x00000100 ]
+  [ cmp eq reg 1 0x0001 ]
+   [ payload load 1b @ network header + 4 => reg 1 ]
+-  [ cmp eq reg 1 0x00000006 ]
+  [ cmp eq reg 1 0x06 ]
+   [ payload load 1b @ network header + 5 => reg 1 ]
+-  [ cmp eq reg 1 0x00000004 ]
+  [ cmp eq reg 1 0x04 ]
+   [ payload load 4b @ network header + 24 => reg 1 ]
+-  [ bitwise reg 1 = ( reg 1 & 0xfcffffff ) ^ 0x00000000 ]
+-  [ cmp eq reg 1 0x0002010a ]
+  [ bitwise reg 1 = ( reg 1 & 0xfffffffc ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x0a010200 ]
+   [ counter pkts 0 bytes 0 ]
+ 
+ arp filter OUTPUT 6 5
+   [ payload load 2b @ network header + 0 => reg 1 ]
+-  [ cmp eq reg 1 0x00000100 ]
+  [ cmp eq reg 1 0x0001 ]
+   [ payload load 1b @ network header + 4 => reg 1 ]
+-  [ cmp eq reg 1 0x00000006 ]
+  [ cmp eq reg 1 0x06 ]
+   [ payload load 1b @ network header + 5 => reg 1 ]
+-  [ cmp eq reg 1 0x00000004 ]
+  [ cmp eq reg 1 0x04 ]
+   [ payload load 3b @ network header + 24 => reg 1 ]
+-  [ cmp eq reg 1 0x0002010a ]
+  [ cmp eq reg 1 0x0a0102 ]
+   [ counter pkts 0 bytes 0 ]
+ 
+ arp filter OUTPUT 7 6
+   [ payload load 2b @ network header + 0 => reg 1 ]
+-  [ cmp eq reg 1 0x00000100 ]
+  [ cmp eq reg 1 0x0001 ]
+   [ payload load 1b @ network header + 4 => reg 1 ]
+-  [ cmp eq reg 1 0x00000006 ]
+  [ cmp eq reg 1 0x06 ]
+   [ payload load 1b @ network header + 5 => reg 1 ]
+-  [ cmp eq reg 1 0x00000004 ]
+  [ cmp eq reg 1 0x04 ]
+   [ payload load 2b @ network header + 24 => reg 1 ]
+-  [ cmp eq reg 1 0x0000010a ]
+  [ cmp eq reg 1 0x0a01 ]
+   [ counter pkts 0 bytes 0 ]
+ 
+ arp filter OUTPUT 8 7
+   [ payload load 2b @ network header + 0 => reg 1 ]
+-  [ cmp eq reg 1 0x00000100 ]
+  [ cmp eq reg 1 0x0001 ]
+   [ payload load 1b @ network header + 4 => reg 1 ]
+-  [ cmp eq reg 1 0x00000006 ]
+  [ cmp eq reg 1 0x06 ]
+   [ payload load 1b @ network header + 5 => reg 1 ]
+-  [ cmp eq reg 1 0x00000004 ]
+  [ cmp eq reg 1 0x04 ]
+   [ payload load 1b @ network header + 24 => reg 1 ]
+-  [ cmp eq reg 1 0x0000000a ]
+  [ cmp eq reg 1 0x0a ]
+   [ counter pkts 0 bytes 0 ]
+ 
+ arp filter OUTPUT 9 8
+   [ payload load 2b @ network header + 0 => reg 1 ]
+-  [ cmp eq reg 1 0x00000100 ]
+  [ cmp eq reg 1 0x0001 ]
+   [ payload load 1b @ network header + 4 => reg 1 ]
+-  [ cmp eq reg 1 0x00000006 ]
+  [ cmp eq reg 1 0x06 ]
+   [ payload load 1b @ network header + 5 => reg 1 ]
+-  [ cmp eq reg 1 0x00000004 ]
+  [ cmp eq reg 1 0x04 ]
+   [ counter pkts 0 bytes 0 ]
+ 
+ arp filter OUTPUT 10 9
+   [ payload load 2b @ network header + 0 => reg 1 ]
+-  [ cmp eq reg 1 0x00000100 ]
+  [ cmp eq reg 1 0x0001 ]
+   [ payload load 1b @ network header + 4 => reg 1 ]
+-  [ cmp eq reg 1 0x00000006 ]
+  [ cmp eq reg 1 0x06 ]
+   [ payload load 1b @ network header + 5 => reg 1 ]
+-  [ cmp eq reg 1 0x00000004 ]
+  [ cmp eq reg 1 0x04 ]
+   [ payload load 6b @ network header + 18 => reg 1 ]
+-  [ cmp eq reg 1 0xc000edfe 0x0000eeff ]
+  [ cmp eq reg 1 0xfeed00c0 0xffee ]
+   [ counter pkts 0 bytes 0 ]
+ 
+ arp filter OUTPUT 11 10
+   [ payload load 2b @ network header + 0 => reg 1 ]
+-  [ cmp eq reg 1 0x00000100 ]
+  [ cmp eq reg 1 0x0001 ]
+   [ payload load 1b @ network header + 4 => reg 1 ]
+-  [ cmp eq reg 1 0x00000006 ]
+  [ cmp eq reg 1 0x06 ]
+   [ payload load 1b @ network header + 5 => reg 1 ]
+-  [ cmp eq reg 1 0x00000004 ]
+  [ cmp eq reg 1 0x04 ]
+   [ payload load 6b @ network header + 18 => reg 1 ]
+-  [ bitwise reg 1 = ( reg 1 & 0xffffffff 0x0000f0ff ) ^ 0x00000000 0x00000000 ]
+-  [ cmp eq reg 1 0xc000edfe 0x0000e0ff ]
+  [ bitwise reg 1 = ( reg 1 & 0xffffffff 0xfff0 ) ^ 0x00000000 0x0000 ]
+  [ cmp eq reg 1 0xfeed00c0 0xffe0 ]
+   [ counter pkts 0 bytes 0 ]
+ 
+ arp filter OUTPUT 12 11
+   [ payload load 2b @ network header + 0 => reg 1 ]
+-  [ cmp eq reg 1 0x00000100 ]
+  [ cmp eq reg 1 0x0001 ]
+   [ payload load 1b @ network header + 4 => reg 1 ]
+-  [ cmp eq reg 1 0x00000006 ]
+  [ cmp eq reg 1 0x06 ]
+   [ payload load 1b @ network header + 5 => reg 1 ]
+-  [ cmp eq reg 1 0x00000004 ]
+  [ cmp eq reg 1 0x04 ]
+   [ payload load 5b @ network header + 18 => reg 1 ]
+-  [ cmp eq reg 1 0xc000edfe 0x000000ff ]
+  [ cmp eq reg 1 0xfeed00c0 0xff ]
+   [ counter pkts 0 bytes 0 ]
+ 
+ arp filter OUTPUT 13 12
+   [ payload load 2b @ network header + 0 => reg 1 ]
+-  [ cmp eq reg 1 0x00000100 ]
+  [ cmp eq reg 1 0x0001 ]
+   [ payload load 1b @ network header + 4 => reg 1 ]
+-  [ cmp eq reg 1 0x00000006 ]
+  [ cmp eq reg 1 0x06 ]
+   [ payload load 1b @ network header + 5 => reg 1 ]
+-  [ cmp eq reg 1 0x00000004 ]
+  [ cmp eq reg 1 0x04 ]
+   [ payload load 4b @ network header + 18 => reg 1 ]
+-  [ cmp eq reg 1 0xc000edfe ]
+  [ cmp eq reg 1 0xfeed00c0 ]
+   [ counter pkts 0 bytes 0 ]
+ 
+ arp filter OUTPUT 14 13
+   [ payload load 2b @ network header + 0 => reg 1 ]
+-  [ cmp eq reg 1 0x00000100 ]
+  [ cmp eq reg 1 0x0001 ]
+   [ payload load 1b @ network header + 4 => reg 1 ]
+-  [ cmp eq reg 1 0x00000006 ]
+  [ cmp eq reg 1 0x06 ]
+   [ payload load 1b @ network header + 5 => reg 1 ]
+-  [ cmp eq reg 1 0x00000004 ]
+  [ cmp eq reg 1 0x04 ]
+   [ payload load 3b @ network header + 18 => reg 1 ]
+-  [ cmp eq reg 1 0x0000edfe ]
+  [ cmp eq reg 1 0xfeed00 ]
+   [ counter pkts 0 bytes 0 ]
+ 
+ arp filter OUTPUT 15 14
+   [ payload load 2b @ network header + 0 => reg 1 ]
+-  [ cmp eq reg 1 0x00000100 ]
+  [ cmp eq reg 1 0x0001 ]
+   [ payload load 1b @ network header + 4 => reg 1 ]
+-  [ cmp eq reg 1 0x00000006 ]
+  [ cmp eq reg 1 0x06 ]
+   [ payload load 1b @ network header + 5 => reg 1 ]
+-  [ cmp eq reg 1 0x00000004 ]
+  [ cmp eq reg 1 0x04 ]
+   [ payload load 2b @ network header + 18 => reg 1 ]
+-  [ cmp eq reg 1 0x0000edfe ]
+  [ cmp eq reg 1 0xfeed ]
+   [ counter pkts 0 bytes 0 ]
+ 
+ arp filter OUTPUT 16 15
+   [ payload load 2b @ network header + 0 => reg 1 ]
+-  [ cmp eq reg 1 0x00000100 ]
+  [ cmp eq reg 1 0x0001 ]
+   [ payload load 1b @ network header + 4 => reg 1 ]
+-  [ cmp eq reg 1 0x00000006 ]
+  [ cmp eq reg 1 0x06 ]
+   [ payload load 1b @ network header + 5 => reg 1 ]
+-  [ cmp eq reg 1 0x00000004 ]
+  [ cmp eq reg 1 0x04 ]
+   [ payload load 1b @ network header + 18 => reg 1 ]
+-  [ cmp eq reg 1 0x000000fe ]
+  [ cmp eq reg 1 0xfe ]
+   [ counter pkts 0 bytes 0 ]
+-
+-bridge filter OUTPUT 4
+"
+EXPECT_EBT="bridge filter OUTPUT 4
+   [ payload load 6b @ link header + 0 => reg 1 ]
+-  [ cmp eq reg 1 0xc000edfe 0x0000eeff ]
+  [ cmp eq reg 1 0xfeed00c0 0xffee ]
+   [ counter pkts 0 bytes 0 ]
+ 
+ bridge filter OUTPUT 5 4
+   [ payload load 6b @ link header + 0 => reg 1 ]
+-  [ bitwise reg 1 = ( reg 1 & 0xffffffff 0x0000f0ff ) ^ 0x00000000 0x00000000 ]
+-  [ cmp eq reg 1 0xc000edfe 0x0000e0ff ]
+  [ bitwise reg 1 = ( reg 1 & 0xffffffff 0xfff0 ) ^ 0x00000000 0x0000 ]
+  [ cmp eq reg 1 0xfeed00c0 0xffe0 ]
+   [ counter pkts 0 bytes 0 ]
+ 
+ bridge filter OUTPUT 6 5
+   [ payload load 5b @ link header + 0 => reg 1 ]
+-  [ cmp eq reg 1 0xc000edfe 0x000000ff ]
+  [ cmp eq reg 1 0xfeed00c0 0xff ]
+   [ counter pkts 0 bytes 0 ]
+ 
+ bridge filter OUTPUT 7 6
+   [ payload load 4b @ link header + 0 => reg 1 ]
+-  [ cmp eq reg 1 0xc000edfe ]
+  [ cmp eq reg 1 0xfeed00c0 ]
+   [ counter pkts 0 bytes 0 ]
+ 
+ bridge filter OUTPUT 8 7
+   [ payload load 3b @ link header + 0 => reg 1 ]
+-  [ cmp eq reg 1 0x0000edfe ]
+  [ cmp eq reg 1 0xfeed00 ]
+   [ counter pkts 0 bytes 0 ]
+ 
+ bridge filter OUTPUT 9 8
+   [ payload load 2b @ link header + 0 => reg 1 ]
+-  [ cmp eq reg 1 0x0000edfe ]
+  [ cmp eq reg 1 0xfeed ]
+   [ counter pkts 0 bytes 0 ]
+ 
+ bridge filter OUTPUT 10 9
+   [ payload load 1b @ link header + 0 => reg 1 ]
+-  [ cmp eq reg 1 0x000000fe ]
+  [ cmp eq reg 1 0xfe ]
+   [ counter pkts 0 bytes 0 ]
+ "
+ 
+@@ -340,7 +340,14 @@ bridge filter OUTPUT 10 9
+ # - lines with bytecode (starting with '  [')
+ # - empty lines (so printed diff is not a complete mess)
+ filter() {
+-	awk '/^table /{exit} /^(  \[|$)/{print}'
+	awk '/^(table|-P) /{exit} /^(  \[|$)/{print}'
+ }
+ 
+-diff -u -Z -B <(filter <<< "$EXPECT") <(nft --debug=netlink list ruleset | filter)
+do_check() { # (expect, ipt)
+	diff -u -Z -B --label "$2 expected" --label "$2 got" \
+		<(filter <<< "$1") <($XT_MULTI $2 -vvS | filter)
+}
+do_check "$EXPECT_IP4" iptables
+do_check "$EXPECT_IP6" ip6tables
+do_check "$EXPECT_ARP" arptables
+do_check "$EXPECT_EBT" ebtables
--- a/iptables.spec
+++ b/iptables.spec
@ -14,7 +14,7 @@ Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities
 URL: https://www.netfilter.org/projects/iptables
 Version: 1.8.11
-Release: 13%{?dist}
+Release: 14%{?dist}
 Source: %{url}/files/%{name}-%{version}.tar.xz
 Source1: iptables.init
 Source2: iptables-config
@ -36,6 +36,7 @@ Patch5:             0005-nft-Drop-interface-mask-leftovers-from-post_parse-ca.pa
 Patch6:             0006-extensions-icmp-Support-info-request-reply-type-name.patch
 Patch7:             0007-xshared-Accept-an-option-if-any-given-command-allows.patch
 Patch8:             0008-extensions-sctp-Translate-bare-m-sctp-match.patch
+Patch9:             0009-tests-shell-Review-nft-only-0009-needless-bitwise_0.patch

 # pf.os: ISC license
 # iptables-apply: Artistic Licence 2.0
@ -72,14 +73,14 @@ you should install this package.
 Summary: Legacy tools for managing Linux kernel packet filtering capabilities
 Requires: %{name}-legacy-libs%{?_isa} = %{version}-%{release}
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
-Requires: (kernel-modules-extra if kernel-modules-core)
-Requires: (kernel-rt-modules-extra if kernel-rt-modules-core)
-Requires: (kernel-64k-modules-extra if kernel-64k-modules-core)
-Requires: (kernel-rt-64k-modules-extra if kernel-rt-64k-modules-core)
-Requires: (kernel-debug-modules-extra if kernel-debug-modules-core)
-Requires: (kernel-rt-debug-modules-extra if kernel-rt-debug-modules-core)
-Requires: (kernel-64k-debug-modules-extra if kernel-64k-debug-modules-core)
-Requires: (kernel-rt-64k-debug-modules-extra if kernel-rt-64k-debug-modules-core)
+Recommends: (kernel-modules-extra if kernel-modules-core)
+Recommends: (kernel-rt-modules-extra if kernel-rt-modules-core)
+Recommends: (kernel-64k-modules-extra if kernel-64k-modules-core)
+Recommends: (kernel-rt-64k-modules-extra if kernel-rt-64k-modules-core)
+Recommends: (kernel-debug-modules-extra if kernel-debug-modules-core)
+Recommends: (kernel-rt-debug-modules-extra if kernel-rt-debug-modules-core)
+Recommends: (kernel-64k-debug-modules-extra if kernel-64k-debug-modules-core)
+Recommends: (kernel-rt-64k-debug-modules-extra if kernel-rt-64k-debug-modules-core)
 Conflicts: setup < 2.10.4-1
 Requires(post): %{_sbindir}/update-alternatives
 Requires(postun): %{_sbindir}/update-alternatives
@ -204,14 +205,14 @@ a safer way to update iptables remotely.
 %package nft
 Summary: nftables compatibility for iptables, arptables and ebtables
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
-Requires: (kernel-modules-extra if kernel-modules-core)
-Requires: (kernel-rt-modules-extra if kernel-rt-modules-core)
-Requires: (kernel-64k-modules-extra if kernel-64k-modules-core)
-Requires: (kernel-rt-64k-modules-extra if kernel-rt-64k-modules-core)
-Requires: (kernel-debug-modules-extra if kernel-debug-modules-core)
-Requires: (kernel-rt-debug-modules-extra if kernel-rt-debug-modules-core)
-Requires: (kernel-64k-debug-modules-extra if kernel-64k-debug-modules-core)
-Requires: (kernel-rt-64k-debug-modules-extra if kernel-rt-64k-debug-modules-core)
+Recommends: (kernel-modules-extra if kernel-modules-core)
+Recommends: (kernel-rt-modules-extra if kernel-rt-modules-core)
+Recommends: (kernel-64k-modules-extra if kernel-64k-modules-core)
+Recommends: (kernel-rt-64k-modules-extra if kernel-rt-64k-modules-core)
+Recommends: (kernel-debug-modules-extra if kernel-debug-modules-core)
+Recommends: (kernel-rt-debug-modules-extra if kernel-rt-debug-modules-core)
+Recommends: (kernel-64k-debug-modules-extra if kernel-64k-debug-modules-core)
+Recommends: (kernel-rt-64k-debug-modules-extra if kernel-rt-64k-debug-modules-core)
 Requires(post): %{_sbindir}/update-alternatives
 Requires(post): %{_bindir}/readlink
 Requires(postun): %{_sbindir}/update-alternatives
@ -535,6 +536,10 @@ fi
 %ghost %{_mandir}/man8/ebtables.8.gz

 %changelog
+* Wed May 27 2026 Phil Sutter <psutter@redhat.com> [1.8.11-14.el10]
+- tests: shell: Review nft-only/0009-needless-bitwise_0 (Phil Sutter) [RHEL-179504]
+- spec: Soft-depend on kernel-modules-extra (Phil Sutter) [RHEL-176386]
+
 * Sat Jan 17 2026 Phil Sutter <psutter@redhat.com> [1.8.11-13.el10]
 - spec: Use modules-core for conditional modules-extra dependency (Phil Sutter) [RHEL-141880]