From db3064a5c9ffa09a0118ad5136d976b0d758d23b Mon Sep 17 00:00:00 2001 From: Phil Sutter Date: Wed, 27 May 2026 22:53:48 +0200 Subject: [PATCH] iptables-1.8.11-14.el10 * Wed May 27 2026 Phil Sutter [1.8.11-14.el10] - tests: shell: Review nft-only/0009-needless-bitwise_0 (Phil Sutter) [RHEL-179504] - spec: Soft-depend on kernel-modules-extra (Phil Sutter) [RHEL-176386] Resolves: RHEL-176386, RHEL-179504 --- ...iew-nft-only-0009-needless-bitwise_0.patch | 432 ++++++++++++++++++ iptables.spec | 39 +- 2 files changed, 454 insertions(+), 17 deletions(-) create mode 100644 0009-tests-shell-Review-nft-only-0009-needless-bitwise_0.patch diff --git a/0009-tests-shell-Review-nft-only-0009-needless-bitwise_0.patch b/0009-tests-shell-Review-nft-only-0009-needless-bitwise_0.patch new file mode 100644 index 0000000..0d06896 --- /dev/null +++ b/0009-tests-shell-Review-nft-only-0009-needless-bitwise_0.patch @@ -0,0 +1,432 @@ +From 011a8a2ff0eb7465a906e7d7d2bed58ffccfcee9 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 27 May 2026 22:51:54 +0200 +Subject: [PATCH] tests: shell: Review nft-only/0009-needless-bitwise_0 + +JIRA: https://issues.redhat.com/browse/RHEL-179504 +Upstream Status: iptables commit 412d5659d398e419f45ae490caba41e978483f95 + +commit 412d5659d398e419f45ae490caba41e978483f95 +Author: Phil Sutter +Date: Thu Jan 29 19:23:35 2026 +0100 + + tests: shell: Review nft-only/0009-needless-bitwise_0 + + - Avoid calling host's nft binary, use double-verbose mode with *tables + tools instead + - Update expected payloads to match new byteorder-aware libnftnl output + - Drop '-x' flag from shell + + Signed-off-by: Phil Sutter + +Signed-off-by: Phil Sutter +--- + .../nft-only/0009-needless-bitwise_0 | 195 +++++++++--------- + 1 file changed, 101 insertions(+), 94 deletions(-) + +diff --git a/iptables/tests/shell/testcases/nft-only/0009-needless-bitwise_0 b/iptables/tests/shell/testcases/nft-only/0009-needless-bitwise_0 +index bfceed4..a806896 100755 +--- a/iptables/tests/shell/testcases/nft-only/0009-needless-bitwise_0 ++++ b/iptables/tests/shell/testcases/nft-only/0009-needless-bitwise_0 +@@ -1,4 +1,4 @@ +-#!/bin/bash -x ++#!/bin/bash + + [[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; } + set -e +@@ -52,287 +52,287 @@ ff:00:00:00:00:00 + echo "COMMIT" + ) | $XT_MULTI ebtables-restore + +-EXPECT="ip filter OUTPUT 4 ++EXPECT_IP4="ip filter OUTPUT 4 + [ payload load 4b @ network header + 16 => reg 1 ] +- [ cmp eq reg 1 0x0302010a ] ++ [ cmp eq reg 1 0x0a010203 ] + [ counter pkts 0 bytes 0 ] + + ip filter OUTPUT 5 4 + [ payload load 4b @ network header + 16 => reg 1 ] +- [ cmp eq reg 1 0x0302010a ] ++ [ cmp eq reg 1 0x0a010203 ] + [ counter pkts 0 bytes 0 ] + + ip filter OUTPUT 6 5 + [ payload load 4b @ network header + 16 => reg 1 ] +- [ bitwise reg 1 = ( reg 1 & 0xfcffffff ) ^ 0x00000000 ] +- [ cmp eq reg 1 0x0002010a ] ++ [ bitwise reg 1 = ( reg 1 & 0xfffffffc ) ^ 0x00000000 ] ++ [ cmp eq reg 1 0x0a010200 ] + [ counter pkts 0 bytes 0 ] + + ip filter OUTPUT 7 6 + [ payload load 3b @ network header + 16 => reg 1 ] +- [ cmp eq reg 1 0x0002010a ] ++ [ cmp eq reg 1 0x0a0102 ] + [ counter pkts 0 bytes 0 ] + + ip filter OUTPUT 8 7 + [ payload load 2b @ network header + 16 => reg 1 ] +- [ cmp eq reg 1 0x0000010a ] ++ [ cmp eq reg 1 0x0a01 ] + [ counter pkts 0 bytes 0 ] + + ip filter OUTPUT 9 8 + [ payload load 1b @ network header + 16 => reg 1 ] +- [ cmp eq reg 1 0x0000000a ] ++ [ cmp eq reg 1 0x0a ] + [ counter pkts 0 bytes 0 ] + + ip filter OUTPUT 10 9 + [ counter pkts 0 bytes 0 ] +- +-ip6 filter OUTPUT 4 ++" ++EXPECT_IP6="ip6 filter OUTPUT 4 + [ payload load 16b @ network header + 24 => reg 1 ] +- [ cmp eq reg 1 0xffc0edfe 0x020100ee 0x06050403 0x0a090807 ] ++ [ cmp eq reg 1 0xfeedc0ff 0xee000102 0x03040506 0x0708090a ] + [ counter pkts 0 bytes 0 ] + + ip6 filter OUTPUT 5 4 + [ payload load 16b @ network header + 24 => reg 1 ] +- [ cmp eq reg 1 0xffc0edfe 0x020100ee 0x06050403 0x0a090807 ] ++ [ cmp eq reg 1 0xfeedc0ff 0xee000102 0x03040506 0x0708090a ] + [ counter pkts 0 bytes 0 ] + + ip6 filter OUTPUT 6 5 + [ payload load 16b @ network header + 24 => reg 1 ] +- [ bitwise reg 1 = ( reg 1 & 0xffffffff 0xffffffff 0xffffffff 0xf0ffffff ) ^ 0x00000000 0x00000000 0x00000000 0x00000000 ] +- [ cmp eq reg 1 0xffc0edfe 0x020100ee 0x06050403 0x00090807 ] ++ [ bitwise reg 1 = ( reg 1 & 0xffffffff 0xffffffff 0xffffffff 0xfffffff0 ) ^ 0x00000000 0x00000000 0x00000000 0x00000000 ] ++ [ cmp eq reg 1 0xfeedc0ff 0xee000102 0x03040506 0x07080900 ] + [ counter pkts 0 bytes 0 ] + + ip6 filter OUTPUT 7 6 + [ payload load 15b @ network header + 24 => reg 1 ] +- [ cmp eq reg 1 0xffc0edfe 0x020100ee 0x06050403 0x00090807 ] ++ [ cmp eq reg 1 0xfeedc0ff 0xee000102 0x03040506 0x070809 ] + [ counter pkts 0 bytes 0 ] + + ip6 filter OUTPUT 8 7 + [ payload load 14b @ network header + 24 => reg 1 ] +- [ cmp eq reg 1 0xffc0edfe 0x020100ee 0x06050403 0x00000807 ] ++ [ cmp eq reg 1 0xfeedc0ff 0xee000102 0x03040506 0x0708 ] + [ counter pkts 0 bytes 0 ] + + ip6 filter OUTPUT 9 8 + [ payload load 11b @ network header + 24 => reg 1 ] +- [ cmp eq reg 1 0xffc0edfe 0x020100ee 0x00050403 ] ++ [ cmp eq reg 1 0xfeedc0ff 0xee000102 0x030405 ] + [ counter pkts 0 bytes 0 ] + + ip6 filter OUTPUT 10 9 + [ payload load 10b @ network header + 24 => reg 1 ] +- [ cmp eq reg 1 0xffc0edfe 0x020100ee 0x00000403 ] ++ [ cmp eq reg 1 0xfeedc0ff 0xee000102 0x0304 ] + [ counter pkts 0 bytes 0 ] + + ip6 filter OUTPUT 11 10 + [ payload load 8b @ network header + 24 => reg 1 ] +- [ cmp eq reg 1 0xffc0edfe 0x020100ee ] ++ [ cmp eq reg 1 0xfeedc0ff 0xee000102 ] + [ counter pkts 0 bytes 0 ] + + ip6 filter OUTPUT 12 11 + [ payload load 6b @ network header + 24 => reg 1 ] +- [ cmp eq reg 1 0xffc0edfe 0x000000ee ] ++ [ cmp eq reg 1 0xfeedc0ff 0xee00 ] + [ counter pkts 0 bytes 0 ] + + ip6 filter OUTPUT 13 12 + [ payload load 2b @ network header + 24 => reg 1 ] +- [ cmp eq reg 1 0x0000edfe ] ++ [ cmp eq reg 1 0xfeed ] + [ counter pkts 0 bytes 0 ] + + ip6 filter OUTPUT 14 13 + [ payload load 1b @ network header + 24 => reg 1 ] +- [ cmp eq reg 1 0x000000fe ] ++ [ cmp eq reg 1 0xfe ] + [ counter pkts 0 bytes 0 ] + + ip6 filter OUTPUT 15 14 + [ counter pkts 0 bytes 0 ] +- +-arp filter OUTPUT 3 ++" ++EXPECT_ARP="arp filter OUTPUT 3 + [ payload load 2b @ network header + 0 => reg 1 ] +- [ cmp eq reg 1 0x00000100 ] ++ [ cmp eq reg 1 0x0001 ] + [ payload load 1b @ network header + 4 => reg 1 ] +- [ cmp eq reg 1 0x00000006 ] ++ [ cmp eq reg 1 0x06 ] + [ payload load 1b @ network header + 5 => reg 1 ] +- [ cmp eq reg 1 0x00000004 ] ++ [ cmp eq reg 1 0x04 ] + [ payload load 4b @ network header + 24 => reg 1 ] +- [ cmp eq reg 1 0x0302010a ] ++ [ cmp eq reg 1 0x0a010203 ] + [ counter pkts 0 bytes 0 ] + + arp filter OUTPUT 4 3 + [ payload load 2b @ network header + 0 => reg 1 ] +- [ cmp eq reg 1 0x00000100 ] ++ [ cmp eq reg 1 0x0001 ] + [ payload load 1b @ network header + 4 => reg 1 ] +- [ cmp eq reg 1 0x00000006 ] ++ [ cmp eq reg 1 0x06 ] + [ payload load 1b @ network header + 5 => reg 1 ] +- [ cmp eq reg 1 0x00000004 ] ++ [ cmp eq reg 1 0x04 ] + [ payload load 4b @ network header + 24 => reg 1 ] +- [ cmp eq reg 1 0x0302010a ] ++ [ cmp eq reg 1 0x0a010203 ] + [ counter pkts 0 bytes 0 ] + + arp filter OUTPUT 5 4 + [ payload load 2b @ network header + 0 => reg 1 ] +- [ cmp eq reg 1 0x00000100 ] ++ [ cmp eq reg 1 0x0001 ] + [ payload load 1b @ network header + 4 => reg 1 ] +- [ cmp eq reg 1 0x00000006 ] ++ [ cmp eq reg 1 0x06 ] + [ payload load 1b @ network header + 5 => reg 1 ] +- [ cmp eq reg 1 0x00000004 ] ++ [ cmp eq reg 1 0x04 ] + [ payload load 4b @ network header + 24 => reg 1 ] +- [ bitwise reg 1 = ( reg 1 & 0xfcffffff ) ^ 0x00000000 ] +- [ cmp eq reg 1 0x0002010a ] ++ [ bitwise reg 1 = ( reg 1 & 0xfffffffc ) ^ 0x00000000 ] ++ [ cmp eq reg 1 0x0a010200 ] + [ counter pkts 0 bytes 0 ] + + arp filter OUTPUT 6 5 + [ payload load 2b @ network header + 0 => reg 1 ] +- [ cmp eq reg 1 0x00000100 ] ++ [ cmp eq reg 1 0x0001 ] + [ payload load 1b @ network header + 4 => reg 1 ] +- [ cmp eq reg 1 0x00000006 ] ++ [ cmp eq reg 1 0x06 ] + [ payload load 1b @ network header + 5 => reg 1 ] +- [ cmp eq reg 1 0x00000004 ] ++ [ cmp eq reg 1 0x04 ] + [ payload load 3b @ network header + 24 => reg 1 ] +- [ cmp eq reg 1 0x0002010a ] ++ [ cmp eq reg 1 0x0a0102 ] + [ counter pkts 0 bytes 0 ] + + arp filter OUTPUT 7 6 + [ payload load 2b @ network header + 0 => reg 1 ] +- [ cmp eq reg 1 0x00000100 ] ++ [ cmp eq reg 1 0x0001 ] + [ payload load 1b @ network header + 4 => reg 1 ] +- [ cmp eq reg 1 0x00000006 ] ++ [ cmp eq reg 1 0x06 ] + [ payload load 1b @ network header + 5 => reg 1 ] +- [ cmp eq reg 1 0x00000004 ] ++ [ cmp eq reg 1 0x04 ] + [ payload load 2b @ network header + 24 => reg 1 ] +- [ cmp eq reg 1 0x0000010a ] ++ [ cmp eq reg 1 0x0a01 ] + [ counter pkts 0 bytes 0 ] + + arp filter OUTPUT 8 7 + [ payload load 2b @ network header + 0 => reg 1 ] +- [ cmp eq reg 1 0x00000100 ] ++ [ cmp eq reg 1 0x0001 ] + [ payload load 1b @ network header + 4 => reg 1 ] +- [ cmp eq reg 1 0x00000006 ] ++ [ cmp eq reg 1 0x06 ] + [ payload load 1b @ network header + 5 => reg 1 ] +- [ cmp eq reg 1 0x00000004 ] ++ [ cmp eq reg 1 0x04 ] + [ payload load 1b @ network header + 24 => reg 1 ] +- [ cmp eq reg 1 0x0000000a ] ++ [ cmp eq reg 1 0x0a ] + [ counter pkts 0 bytes 0 ] + + arp filter OUTPUT 9 8 + [ payload load 2b @ network header + 0 => reg 1 ] +- [ cmp eq reg 1 0x00000100 ] ++ [ cmp eq reg 1 0x0001 ] + [ payload load 1b @ network header + 4 => reg 1 ] +- [ cmp eq reg 1 0x00000006 ] ++ [ cmp eq reg 1 0x06 ] + [ payload load 1b @ network header + 5 => reg 1 ] +- [ cmp eq reg 1 0x00000004 ] ++ [ cmp eq reg 1 0x04 ] + [ counter pkts 0 bytes 0 ] + + arp filter OUTPUT 10 9 + [ payload load 2b @ network header + 0 => reg 1 ] +- [ cmp eq reg 1 0x00000100 ] ++ [ cmp eq reg 1 0x0001 ] + [ payload load 1b @ network header + 4 => reg 1 ] +- [ cmp eq reg 1 0x00000006 ] ++ [ cmp eq reg 1 0x06 ] + [ payload load 1b @ network header + 5 => reg 1 ] +- [ cmp eq reg 1 0x00000004 ] ++ [ cmp eq reg 1 0x04 ] + [ payload load 6b @ network header + 18 => reg 1 ] +- [ cmp eq reg 1 0xc000edfe 0x0000eeff ] ++ [ cmp eq reg 1 0xfeed00c0 0xffee ] + [ counter pkts 0 bytes 0 ] + + arp filter OUTPUT 11 10 + [ payload load 2b @ network header + 0 => reg 1 ] +- [ cmp eq reg 1 0x00000100 ] ++ [ cmp eq reg 1 0x0001 ] + [ payload load 1b @ network header + 4 => reg 1 ] +- [ cmp eq reg 1 0x00000006 ] ++ [ cmp eq reg 1 0x06 ] + [ payload load 1b @ network header + 5 => reg 1 ] +- [ cmp eq reg 1 0x00000004 ] ++ [ cmp eq reg 1 0x04 ] + [ payload load 6b @ network header + 18 => reg 1 ] +- [ bitwise reg 1 = ( reg 1 & 0xffffffff 0x0000f0ff ) ^ 0x00000000 0x00000000 ] +- [ cmp eq reg 1 0xc000edfe 0x0000e0ff ] ++ [ bitwise reg 1 = ( reg 1 & 0xffffffff 0xfff0 ) ^ 0x00000000 0x0000 ] ++ [ cmp eq reg 1 0xfeed00c0 0xffe0 ] + [ counter pkts 0 bytes 0 ] + + arp filter OUTPUT 12 11 + [ payload load 2b @ network header + 0 => reg 1 ] +- [ cmp eq reg 1 0x00000100 ] ++ [ cmp eq reg 1 0x0001 ] + [ payload load 1b @ network header + 4 => reg 1 ] +- [ cmp eq reg 1 0x00000006 ] ++ [ cmp eq reg 1 0x06 ] + [ payload load 1b @ network header + 5 => reg 1 ] +- [ cmp eq reg 1 0x00000004 ] ++ [ cmp eq reg 1 0x04 ] + [ payload load 5b @ network header + 18 => reg 1 ] +- [ cmp eq reg 1 0xc000edfe 0x000000ff ] ++ [ cmp eq reg 1 0xfeed00c0 0xff ] + [ counter pkts 0 bytes 0 ] + + arp filter OUTPUT 13 12 + [ payload load 2b @ network header + 0 => reg 1 ] +- [ cmp eq reg 1 0x00000100 ] ++ [ cmp eq reg 1 0x0001 ] + [ payload load 1b @ network header + 4 => reg 1 ] +- [ cmp eq reg 1 0x00000006 ] ++ [ cmp eq reg 1 0x06 ] + [ payload load 1b @ network header + 5 => reg 1 ] +- [ cmp eq reg 1 0x00000004 ] ++ [ cmp eq reg 1 0x04 ] + [ payload load 4b @ network header + 18 => reg 1 ] +- [ cmp eq reg 1 0xc000edfe ] ++ [ cmp eq reg 1 0xfeed00c0 ] + [ counter pkts 0 bytes 0 ] + + arp filter OUTPUT 14 13 + [ payload load 2b @ network header + 0 => reg 1 ] +- [ cmp eq reg 1 0x00000100 ] ++ [ cmp eq reg 1 0x0001 ] + [ payload load 1b @ network header + 4 => reg 1 ] +- [ cmp eq reg 1 0x00000006 ] ++ [ cmp eq reg 1 0x06 ] + [ payload load 1b @ network header + 5 => reg 1 ] +- [ cmp eq reg 1 0x00000004 ] ++ [ cmp eq reg 1 0x04 ] + [ payload load 3b @ network header + 18 => reg 1 ] +- [ cmp eq reg 1 0x0000edfe ] ++ [ cmp eq reg 1 0xfeed00 ] + [ counter pkts 0 bytes 0 ] + + arp filter OUTPUT 15 14 + [ payload load 2b @ network header + 0 => reg 1 ] +- [ cmp eq reg 1 0x00000100 ] ++ [ cmp eq reg 1 0x0001 ] + [ payload load 1b @ network header + 4 => reg 1 ] +- [ cmp eq reg 1 0x00000006 ] ++ [ cmp eq reg 1 0x06 ] + [ payload load 1b @ network header + 5 => reg 1 ] +- [ cmp eq reg 1 0x00000004 ] ++ [ cmp eq reg 1 0x04 ] + [ payload load 2b @ network header + 18 => reg 1 ] +- [ cmp eq reg 1 0x0000edfe ] ++ [ cmp eq reg 1 0xfeed ] + [ counter pkts 0 bytes 0 ] + + arp filter OUTPUT 16 15 + [ payload load 2b @ network header + 0 => reg 1 ] +- [ cmp eq reg 1 0x00000100 ] ++ [ cmp eq reg 1 0x0001 ] + [ payload load 1b @ network header + 4 => reg 1 ] +- [ cmp eq reg 1 0x00000006 ] ++ [ cmp eq reg 1 0x06 ] + [ payload load 1b @ network header + 5 => reg 1 ] +- [ cmp eq reg 1 0x00000004 ] ++ [ cmp eq reg 1 0x04 ] + [ payload load 1b @ network header + 18 => reg 1 ] +- [ cmp eq reg 1 0x000000fe ] ++ [ cmp eq reg 1 0xfe ] + [ counter pkts 0 bytes 0 ] +- +-bridge filter OUTPUT 4 ++" ++EXPECT_EBT="bridge filter OUTPUT 4 + [ payload load 6b @ link header + 0 => reg 1 ] +- [ cmp eq reg 1 0xc000edfe 0x0000eeff ] ++ [ cmp eq reg 1 0xfeed00c0 0xffee ] + [ counter pkts 0 bytes 0 ] + + bridge filter OUTPUT 5 4 + [ payload load 6b @ link header + 0 => reg 1 ] +- [ bitwise reg 1 = ( reg 1 & 0xffffffff 0x0000f0ff ) ^ 0x00000000 0x00000000 ] +- [ cmp eq reg 1 0xc000edfe 0x0000e0ff ] ++ [ bitwise reg 1 = ( reg 1 & 0xffffffff 0xfff0 ) ^ 0x00000000 0x0000 ] ++ [ cmp eq reg 1 0xfeed00c0 0xffe0 ] + [ counter pkts 0 bytes 0 ] + + bridge filter OUTPUT 6 5 + [ payload load 5b @ link header + 0 => reg 1 ] +- [ cmp eq reg 1 0xc000edfe 0x000000ff ] ++ [ cmp eq reg 1 0xfeed00c0 0xff ] + [ counter pkts 0 bytes 0 ] + + bridge filter OUTPUT 7 6 + [ payload load 4b @ link header + 0 => reg 1 ] +- [ cmp eq reg 1 0xc000edfe ] ++ [ cmp eq reg 1 0xfeed00c0 ] + [ counter pkts 0 bytes 0 ] + + bridge filter OUTPUT 8 7 + [ payload load 3b @ link header + 0 => reg 1 ] +- [ cmp eq reg 1 0x0000edfe ] ++ [ cmp eq reg 1 0xfeed00 ] + [ counter pkts 0 bytes 0 ] + + bridge filter OUTPUT 9 8 + [ payload load 2b @ link header + 0 => reg 1 ] +- [ cmp eq reg 1 0x0000edfe ] ++ [ cmp eq reg 1 0xfeed ] + [ counter pkts 0 bytes 0 ] + + bridge filter OUTPUT 10 9 + [ payload load 1b @ link header + 0 => reg 1 ] +- [ cmp eq reg 1 0x000000fe ] ++ [ cmp eq reg 1 0xfe ] + [ counter pkts 0 bytes 0 ] + " + +@@ -340,7 +340,14 @@ bridge filter OUTPUT 10 9 + # - lines with bytecode (starting with ' [') + # - empty lines (so printed diff is not a complete mess) + filter() { +- awk '/^table /{exit} /^( \[|$)/{print}' ++ awk '/^(table|-P) /{exit} /^( \[|$)/{print}' + } + +-diff -u -Z -B <(filter <<< "$EXPECT") <(nft --debug=netlink list ruleset | filter) ++do_check() { # (expect, ipt) ++ diff -u -Z -B --label "$2 expected" --label "$2 got" \ ++ <(filter <<< "$1") <($XT_MULTI $2 -vvS | filter) ++} ++do_check "$EXPECT_IP4" iptables ++do_check "$EXPECT_IP6" ip6tables ++do_check "$EXPECT_ARP" arptables ++do_check "$EXPECT_EBT" ebtables diff --git a/iptables.spec b/iptables.spec index ee44b32..81d87a0 100644 --- a/iptables.spec +++ b/iptables.spec @@ -14,7 +14,7 @@ Name: iptables Summary: Tools for managing Linux kernel packet filtering capabilities URL: https://www.netfilter.org/projects/iptables Version: 1.8.11 -Release: 13%{?dist} +Release: 14%{?dist} Source: %{url}/files/%{name}-%{version}.tar.xz Source1: iptables.init Source2: iptables-config @@ -36,6 +36,7 @@ Patch5: 0005-nft-Drop-interface-mask-leftovers-from-post_parse-ca.pa Patch6: 0006-extensions-icmp-Support-info-request-reply-type-name.patch Patch7: 0007-xshared-Accept-an-option-if-any-given-command-allows.patch Patch8: 0008-extensions-sctp-Translate-bare-m-sctp-match.patch +Patch9: 0009-tests-shell-Review-nft-only-0009-needless-bitwise_0.patch # pf.os: ISC license # iptables-apply: Artistic Licence 2.0 @@ -72,14 +73,14 @@ you should install this package. Summary: Legacy tools for managing Linux kernel packet filtering capabilities Requires: %{name}-legacy-libs%{?_isa} = %{version}-%{release} Requires: %{name}-libs%{?_isa} = %{version}-%{release} -Requires: (kernel-modules-extra if kernel-modules-core) -Requires: (kernel-rt-modules-extra if kernel-rt-modules-core) -Requires: (kernel-64k-modules-extra if kernel-64k-modules-core) -Requires: (kernel-rt-64k-modules-extra if kernel-rt-64k-modules-core) -Requires: (kernel-debug-modules-extra if kernel-debug-modules-core) -Requires: (kernel-rt-debug-modules-extra if kernel-rt-debug-modules-core) -Requires: (kernel-64k-debug-modules-extra if kernel-64k-debug-modules-core) -Requires: (kernel-rt-64k-debug-modules-extra if kernel-rt-64k-debug-modules-core) +Recommends: (kernel-modules-extra if kernel-modules-core) +Recommends: (kernel-rt-modules-extra if kernel-rt-modules-core) +Recommends: (kernel-64k-modules-extra if kernel-64k-modules-core) +Recommends: (kernel-rt-64k-modules-extra if kernel-rt-64k-modules-core) +Recommends: (kernel-debug-modules-extra if kernel-debug-modules-core) +Recommends: (kernel-rt-debug-modules-extra if kernel-rt-debug-modules-core) +Recommends: (kernel-64k-debug-modules-extra if kernel-64k-debug-modules-core) +Recommends: (kernel-rt-64k-debug-modules-extra if kernel-rt-64k-debug-modules-core) Conflicts: setup < 2.10.4-1 Requires(post): %{_sbindir}/update-alternatives Requires(postun): %{_sbindir}/update-alternatives @@ -204,14 +205,14 @@ a safer way to update iptables remotely. %package nft Summary: nftables compatibility for iptables, arptables and ebtables Requires: %{name}-libs%{?_isa} = %{version}-%{release} -Requires: (kernel-modules-extra if kernel-modules-core) -Requires: (kernel-rt-modules-extra if kernel-rt-modules-core) -Requires: (kernel-64k-modules-extra if kernel-64k-modules-core) -Requires: (kernel-rt-64k-modules-extra if kernel-rt-64k-modules-core) -Requires: (kernel-debug-modules-extra if kernel-debug-modules-core) -Requires: (kernel-rt-debug-modules-extra if kernel-rt-debug-modules-core) -Requires: (kernel-64k-debug-modules-extra if kernel-64k-debug-modules-core) -Requires: (kernel-rt-64k-debug-modules-extra if kernel-rt-64k-debug-modules-core) +Recommends: (kernel-modules-extra if kernel-modules-core) +Recommends: (kernel-rt-modules-extra if kernel-rt-modules-core) +Recommends: (kernel-64k-modules-extra if kernel-64k-modules-core) +Recommends: (kernel-rt-64k-modules-extra if kernel-rt-64k-modules-core) +Recommends: (kernel-debug-modules-extra if kernel-debug-modules-core) +Recommends: (kernel-rt-debug-modules-extra if kernel-rt-debug-modules-core) +Recommends: (kernel-64k-debug-modules-extra if kernel-64k-debug-modules-core) +Recommends: (kernel-rt-64k-debug-modules-extra if kernel-rt-64k-debug-modules-core) Requires(post): %{_sbindir}/update-alternatives Requires(post): %{_bindir}/readlink Requires(postun): %{_sbindir}/update-alternatives @@ -535,6 +536,10 @@ fi %ghost %{_mandir}/man8/ebtables.8.gz %changelog +* Wed May 27 2026 Phil Sutter [1.8.11-14.el10] +- tests: shell: Review nft-only/0009-needless-bitwise_0 (Phil Sutter) [RHEL-179504] +- spec: Soft-depend on kernel-modules-extra (Phil Sutter) [RHEL-176386] + * Sat Jan 17 2026 Phil Sutter [1.8.11-13.el10] - spec: Use modules-core for conditional modules-extra dependency (Phil Sutter) [RHEL-141880]