Upstream changelog:
http://netfilter.org/projects/iptables/files/changes-iptables-1.6.0.txt
- New libs sub package containing libxtables and unstable libip*tc libraries (RHBZ#1323161)
- Using scripts form RHEL-7 (RHBZ#1240366)
- New compat sub package for nftables compatibility
- Install iptables-apply (RHBZ#912047)
- Fixed module uninstall (RHBZ#1324101)
- Incorporated changes by Petr Pisar
- Enabled bpf compiler (RHBZ#1170227) Thanks to Yanko Kaneti for the patch
- new version 1.4.21
- doc: clarify DEBUG usage macro
- iptables: use autoconf to process .in man pages
- extensions: libipt_ULOG: man page should mention NFLOG as replacement
- extensions: libxt_connlabel: use libnetfilter_conntrack
- Introduce a new revision for the set match with the counters support
- libxt_CT: Add the "NOTRACK" alias
- libip6t_mh: Correct command to list named mh types in manpage
- extensions: libxt_DNAT, libxt_REDIRECT, libxt_NETMAP, libxt_SNAT, libxt_MASQUERADE, libxt_LOG: rename IPv4 manpage and tell about IPv6 support
- extensions: libxt_LED: fix parsing of delay
- ip{6}tables-restore: fix breakage due to new locking approach
- libxt_recent: restore minimum value for --seconds
- iptables-xml: fix parameter parsing (similar to 2165f38)
- extensions: add copyright statements
- xtables: improve get_modprobe handling
- ip[6]tables: Add locking to prevent concurrent instances
- iptables: Fix connlabel.conf install location
- ip6tables: don't print out /128
- libip6t_LOG: target output is different to libipt_LOG
- build: additional include path required after UAPI changes
- iptables: iptables-xml: Fix various parsing bugs
- libxt_recent: restore reap functionality to recent module
- build: fail in configure on missing dependency with --enable-bpf-compiler
- extensions: libxt_NFQUEUE: add --queue-cpu-fanout parameter
- extensions: libxt_set, libxt_SET: check the set family too
- ip6tables: Use consistent exit code for EAGAIN
- iptables: libxt_hashlimit.man: correct address
- iptables: libxt_conntrack.man extraneous commas
- iptables: libip(6)t_REJECT.man default icmp types
- iptables: iptables-xm1.1 correct man section
- iptables: libxt_recent.{c,man} dead URL
- iptables: libxt_string.man add examples
- extensions: libxt_LOG: use generic syslog reference in manpage
- iptables: extensions/GNUMakefile.in use CPPFLAGS
- iptables: correctly reference generated file
- ip[6]tables: fix incorrect alignment in commands_v_options
- build: add software version to manpage first line at configure stage
- extensions: libxt_cluster: add note on arptables-jf
- utils: nfsynproxy: fix error while compiling the BPF filter
- extensions: add SYNPROXY extension
- utils: add nfsynproxy tool
- iptables: state match incompatibilty across versions
- libxtables: xtables_ipmask_to_numeric incorrect with non-CIDR masks
- iptables: improve chain name validation
- iptables: spurious error in load_extension
- xtables: trivial spelling fix
- libxt_NFQUEUE: fix bypass option documentation
- extensions: add connlabel match
- extensions: add connlabel match
- ip[6]tables: show --protocol instead of --proto in usage
- libxt_recent: Fix missing space in manpage for --mask option
- extensions: libxt_multiport: Update manpage to list valid protocols
- utils: nfnl_osf: use the right nfnetlink lib
- libip6t_NETMAP: Use xtables_ip6mask_to_cidr and get rid of libip6tc dependency
- Revert "build: resolve link failure for ip6t_NETMAP"
- libxt_osf: fix missing --ttl and --log in save output
- libxt_osf: fix bad location for location in --genre
- libip6t_SNPT: add manpage
- libip6t_DNPT: add manpage
- utils: updates .gitignore to include nfbpf_compile
- extensions: libxt_bpf: clarify --bytecode argument
- libxtables: fix parsing of dotted network mask format
- build: bump version to 1.4.19
- libxt_conntrack: fix state match alias state parsing
- extensions: add libxt_bpf extension
- utils: nfbpf_compile
- doc: mention SNAT in INPUT chain since kernel 2.6.36
- fixed changelog date weekdays where needed
- new sub package utils: provides nfnl_osf and the pf.os database
- using %{_libexecdir}/iptables as script path for the original init scripts
- added service iptables save funcitonality using the new way provided by
initscripts 9.37.1 (RHBZ#748134)
- added virtual provide for libxtables.so.7
- build: support for automake-1.12
- build: separate AC variable replacements from xtables.h
- build: have `make clean` remove dep files too
- doc: grammatical updates to libxt_SET
- doc: clean up interpunction in state list for xt_conntrack
- doc: deduplicate extension descriptions into a new manpage
- doc: trim "state" manpage and reference conntrack instead
- doc: have NOTRACK manpage point to CT instead
- doc: mention iptables-apply in the SEE ALSO sections
- extensions: libxt_addrtype: fix type in help message
- include: add missing linux/netfilter_ipv4/ip_queue.h
- iptables: fix wrong error messages
- iptables: support for match aliases
- iptables: support for target aliases
- iptables-restore: warn about -t in rule lines
- ip[6]tables-restore: cleanup to reduce one level of indentation
- libip6t_frag: match any frag id by default
- libxtables: consolidate preference logic
- libxt_devgroup: consolidate devgroup specification parsing
- libxt_devgroup: guard against negative numbers
- libxt_LED: guard against negative numbers
- libxt_NOTRACK: replace as an alias to CT --notrack
- libxt_state: replace as an alias to xt_conntrack
- libxt_tcp: print space before, not after "flags:"
- libxt_u32: do bounds checking for @'s operands
- libxt_*limit: avoid division by zero
- Merge branch 'master' of git://git.inai.de/iptables
- Merge remote-tracking branch 'nf/stable'
- New set match revision with --return-nomatch flag support
- dropped fixrestore patch, upstream
- extensions: add IPv6 capable ECN match extension
- extensions: add nfacct match
- extensions: add rpfilter module
- extensions: libxt_rateest: output all options in save hook
- iptables: missing free() in function cache_add_entry()
- iptables: missing free() in function delete_entry()
- libiptc: fix retry path in TC_INIT
- libiptc: Returns the position the entry was inserted
- libipt_ULOG: fix --ulog-cprange
- libxt_CT: add --timeout option
- ip(6)tables-restore: make sure argv is NULL terminated
- Revert "libiptc: Returns the position the entry was inserted"
- src: mark newly opened fds as FD_CLOEXEC (close on exec)
- tests: add rateest match rules
- dropped patch5 (cloexec), merged upstream
This patch is needed for the /usr-move feature
https://fedoraproject.org/wiki/Features/UsrMove
This package requires now 'filesystem' >= 3, which is only
installable on a system which has /bin, /sbin, /lib, /lib64 as
symlinks to /usr and not regular directories. The 'filesystem'
package acts as a guard, to prevent *this* package to be installed
on old unconverted systems.
New installations will have the 'filesystem' >=3 layout right away,
old installations need to be converted with anaconda or dracut first;
only after that, the 'filesystem' package, and also *this* package
can be installed.
Packages *should* not install files in /bin, /sbin, /lib, /lib64,
but only in the corresponding directories in /usr. Packages *must*
not install conflicting files with the same names in the corresponding
directories in / and /usr. Especially compatibilty symlinks must not
be installed.
Feel free to modify any of the changes to the spec file, but keep
the above in mind.