- Rebase onto upstream version 1.8.5 plus two late fixes
- Drop explicit iptables-apply installation, upstream fixed that
- Ship ip6tables-apply along with iptables package
- Change URL to point at iptables project, not netfilter overview page
- Reuse URL value in tarball source
- Reduce globbing of library file names to expose future SONAME changes
- Add bootstrapping for libip*tc SONAME bump
- New upstream version 1.8.2
- Integrate ebtables and arptables save/restore scripts with alternatives
- Add nft-specific ebtables and arptables man pages
- Move /etc/sysconfig/ip*tables-config files into services sub-package
According to https://fedoraproject.org/wiki/Packaging:Scriptlets:
If a package is suitable for installation without systemd (in a
container image, for example) and does not require any of the
systemd mechanisms such as tmpfiles.d, then the systemd_ordering macro
MAY be used instead of the systemd_requires macro.
That is exactly the case we want to address for container images
when installing packages in it.
Resolves: rhbz#1668678
Related-Bug: #1804822
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
- New upstream version 1.8.0.
- Replace ldconfig calls with newly introduced macros.
- Rename compat subpackage to iptables-nft to clarify its purpose.
- Make use of Alternatives system.
* Thu Mar 01 2018 Phil Sutter <psutter@redhat.com> - 1.6.2-2
- Kill module unloading support
- Support /etc/sysctl.d
- Don't restart services after package update
- Add support for --wait options to restore commands
There's no point in restarting iptables/ip6tables services if
iptables-services package is updated. On the other hand, doing so
potentially breaks VMs in OpenStack since they drop temporary rules.
Upstream changelog:
http://netfilter.org/projects/iptables/files/changes-iptables-1.6.0.txt
- New libs sub package containing libxtables and unstable libip*tc libraries (RHBZ#1323161)
- Using scripts form RHEL-7 (RHBZ#1240366)
- New compat sub package for nftables compatibility
- Install iptables-apply (RHBZ#912047)
- Fixed module uninstall (RHBZ#1324101)
- Incorporated changes by Petr Pisar
- Enabled bpf compiler (RHBZ#1170227) Thanks to Yanko Kaneti for the patch
- new version 1.4.21
- doc: clarify DEBUG usage macro
- iptables: use autoconf to process .in man pages
- extensions: libipt_ULOG: man page should mention NFLOG as replacement
- extensions: libxt_connlabel: use libnetfilter_conntrack
- Introduce a new revision for the set match with the counters support
- libxt_CT: Add the "NOTRACK" alias
- libip6t_mh: Correct command to list named mh types in manpage
- extensions: libxt_DNAT, libxt_REDIRECT, libxt_NETMAP, libxt_SNAT, libxt_MASQUERADE, libxt_LOG: rename IPv4 manpage and tell about IPv6 support
- extensions: libxt_LED: fix parsing of delay
- ip{6}tables-restore: fix breakage due to new locking approach
- libxt_recent: restore minimum value for --seconds
- iptables-xml: fix parameter parsing (similar to 2165f38)
- extensions: add copyright statements
- xtables: improve get_modprobe handling
- ip[6]tables: Add locking to prevent concurrent instances
- iptables: Fix connlabel.conf install location
- ip6tables: don't print out /128
- libip6t_LOG: target output is different to libipt_LOG
- build: additional include path required after UAPI changes
- iptables: iptables-xml: Fix various parsing bugs
- libxt_recent: restore reap functionality to recent module
- build: fail in configure on missing dependency with --enable-bpf-compiler
- extensions: libxt_NFQUEUE: add --queue-cpu-fanout parameter
- extensions: libxt_set, libxt_SET: check the set family too
- ip6tables: Use consistent exit code for EAGAIN
- iptables: libxt_hashlimit.man: correct address
- iptables: libxt_conntrack.man extraneous commas
- iptables: libip(6)t_REJECT.man default icmp types
- iptables: iptables-xm1.1 correct man section
- iptables: libxt_recent.{c,man} dead URL
- iptables: libxt_string.man add examples
- extensions: libxt_LOG: use generic syslog reference in manpage
- iptables: extensions/GNUMakefile.in use CPPFLAGS
- iptables: correctly reference generated file
- ip[6]tables: fix incorrect alignment in commands_v_options
- build: add software version to manpage first line at configure stage
- extensions: libxt_cluster: add note on arptables-jf
- utils: nfsynproxy: fix error while compiling the BPF filter
- extensions: add SYNPROXY extension
- utils: add nfsynproxy tool
- iptables: state match incompatibilty across versions
- libxtables: xtables_ipmask_to_numeric incorrect with non-CIDR masks
- iptables: improve chain name validation
- iptables: spurious error in load_extension
- xtables: trivial spelling fix
- libxt_NFQUEUE: fix bypass option documentation
- extensions: add connlabel match
- extensions: add connlabel match
- ip[6]tables: show --protocol instead of --proto in usage
- libxt_recent: Fix missing space in manpage for --mask option
- extensions: libxt_multiport: Update manpage to list valid protocols
- utils: nfnl_osf: use the right nfnetlink lib
- libip6t_NETMAP: Use xtables_ip6mask_to_cidr and get rid of libip6tc dependency
- Revert "build: resolve link failure for ip6t_NETMAP"
- libxt_osf: fix missing --ttl and --log in save output
- libxt_osf: fix bad location for location in --genre
- libip6t_SNPT: add manpage
- libip6t_DNPT: add manpage
- utils: updates .gitignore to include nfbpf_compile
- extensions: libxt_bpf: clarify --bytecode argument
- libxtables: fix parsing of dotted network mask format
- build: bump version to 1.4.19
- libxt_conntrack: fix state match alias state parsing
- extensions: add libxt_bpf extension
- utils: nfbpf_compile
- doc: mention SNAT in INPUT chain since kernel 2.6.36
- fixed changelog date weekdays where needed
- new sub package utils: provides nfnl_osf and the pf.os database
- using %{_libexecdir}/iptables as script path for the original init scripts
- added service iptables save funcitonality using the new way provided by
initscripts 9.37.1 (RHBZ#748134)
- added virtual provide for libxtables.so.7
- build: support for automake-1.12
- build: separate AC variable replacements from xtables.h
- build: have `make clean` remove dep files too
- doc: grammatical updates to libxt_SET
- doc: clean up interpunction in state list for xt_conntrack
- doc: deduplicate extension descriptions into a new manpage
- doc: trim "state" manpage and reference conntrack instead
- doc: have NOTRACK manpage point to CT instead
- doc: mention iptables-apply in the SEE ALSO sections
- extensions: libxt_addrtype: fix type in help message
- include: add missing linux/netfilter_ipv4/ip_queue.h
- iptables: fix wrong error messages
- iptables: support for match aliases
- iptables: support for target aliases
- iptables-restore: warn about -t in rule lines
- ip[6]tables-restore: cleanup to reduce one level of indentation
- libip6t_frag: match any frag id by default
- libxtables: consolidate preference logic
- libxt_devgroup: consolidate devgroup specification parsing
- libxt_devgroup: guard against negative numbers
- libxt_LED: guard against negative numbers
- libxt_NOTRACK: replace as an alias to CT --notrack
- libxt_state: replace as an alias to xt_conntrack
- libxt_tcp: print space before, not after "flags:"
- libxt_u32: do bounds checking for @'s operands
- libxt_*limit: avoid division by zero
- Merge branch 'master' of git://git.inai.de/iptables
- Merge remote-tracking branch 'nf/stable'
- New set match revision with --return-nomatch flag support
- dropped fixrestore patch, upstream
- extensions: add IPv6 capable ECN match extension
- extensions: add nfacct match
- extensions: add rpfilter module
- extensions: libxt_rateest: output all options in save hook
- iptables: missing free() in function cache_add_entry()
- iptables: missing free() in function delete_entry()
- libiptc: fix retry path in TC_INIT
- libiptc: Returns the position the entry was inserted
- libipt_ULOG: fix --ulog-cprange
- libxt_CT: add --timeout option
- ip(6)tables-restore: make sure argv is NULL terminated
- Revert "libiptc: Returns the position the entry was inserted"
- src: mark newly opened fds as FD_CLOEXEC (close on exec)
- tests: add rateest match rules
- dropped patch5 (cloexec), merged upstream
This patch is needed for the /usr-move feature
https://fedoraproject.org/wiki/Features/UsrMove
This package requires now 'filesystem' >= 3, which is only
installable on a system which has /bin, /sbin, /lib, /lib64 as
symlinks to /usr and not regular directories. The 'filesystem'
package acts as a guard, to prevent *this* package to be installed
on old unconverted systems.
New installations will have the 'filesystem' >=3 layout right away,
old installations need to be converted with anaconda or dracut first;
only after that, the 'filesystem' package, and also *this* package
can be installed.
Packages *should* not install files in /bin, /sbin, /lib, /lib64,
but only in the corresponding directories in /usr. Packages *must*
not install conflicting files with the same names in the corresponding
directories in / and /usr. Especially compatibilty symlinks must not
be installed.
Feel free to modify any of the changes to the spec file, but keep
the above in mind.
- build: make check stage not fail when building statically
- build: restore build order of modules
- build: scan for unreferenced symbols
- build: sort file list before build
- doc: clarification on the meaning of -p 0
- doc: document iptables-restore's -T option
- doc: fix undesired newline in ip6tables-restore(8)
- ip6tables-restore: implement missing -T option
- iptables: move kernel version find routing into libxtables
- libiptc: provide separate pkgconfig files
- libipt_SAME: set PROTO_RANDOM on all ranges
- libxtables: Fix file descriptor leak in xtables_lmap_init on error
- libxt_connbytes: fix handling of --connbytes FROM
- libxt_CONNSECMARK: fix spacing in output
- libxt_conntrack: improve error message on parsing violation
- libxt_NFQUEUE: fix --queue-bypass ipt-save output
- libxt_RATEEST: link with -lm
- libxt_statistic: link with -lm
- Merge branch 'stable'
- Merge branch 'stable' of git://dev.medozas.de/iptables
- nfnl_osf: add missing libnfnetlink_CFLAGS to compile process
- xtoptions: fill in fallback value for nvals
- xtoptions: simplify xtables_parse_interface
- build: abort autogen on subcommand failure
- build: strengthen check for overlong lladdr components
- build: workaround broken linux-headers on RHEL-5
- doc: clarify libxt_connlimit defaults
- doc: fix typo in libxt_TRACE
- extensions: use multi-target registration
- libip6t_dst: restore setting IP6T_OPTS_LEN flag
- libip6t_frag: restore inversion support
- libip6t_hbh: restore setting IP6T_OPTS_LEN flag
- libipq: add pkgconfig file
- libipt_ttl: document that negation is available
- libxt_conntrack: fix --ctproto 0 output
- libxt_conntrack: remove one misleading comment
- libxt_dccp: fix deprecated intrapositional ordering of !
- libxt_dccp: fix random output of ! on --dccp-option
- libxt_dccp: provide man pages options in short help too
- libxt_dccp: restore missing XTOPT_INVERT tags for options
- libxt_dccp: spell out option name on save
- libxt_dscp: restore inversion support
- libxt_hashlimit: default htable-expire must be in milliseconds
- libxt_hashlimit: observe new default gc-expire time when saving
- libxt_hashlimit: remove inversion from hashlimit rev 0
- libxt_owner: restore inversion support
- libxt_physdev: restore inversion support
- libxt_policy: remove superfluous inversion
- libxt_set: put differing variable names in directly
- libxt_set: update man page about kernel support on the feature
- libxt_string: define _GNU_SOURCE for strnlen
- libxt_string: escape the escaping char too
- libxt_string: fix space around arguments
- libxt_string: replace hex codes by char equivalents
- libxt_string: simplify hex output routine
- libxt_tcp: always print the mask parts
- libxt_TCPMSS: restore build with IPv6-less libcs
- libxt_TOS: update linux kernel version list for backported fix
- libxt_u32: fix missing allowance for inversion
- src: remove unused IPTABLES_MULTI define
- tests: add negation tests for libxt_statistic
- xtoptions: flag use of XTOPT_POINTER without XTOPT_PUT
- build: attempt to fix building under Linux 2.4
- build: bump soversion for recent data structure change
- build: install modules in arch-dependent location
- doc: fix group range in libxt_NFLOG's man
- doc: fix version string in ip6tables.8
- doc: include matches/targets in manpage again
- doc: mention multiple verbosity flags
- doc: the -m option cannot be inverted
- extensions: support for per-extension instance global variable space
- iptables-apply: select default rule file depending on call name
- iptables: consolidate target/match init call
- iptables: Coverity: DEADCODE
- iptables: Coverity: NEGATIVE_RETURNS
- iptables: Coverity: RESOURCE_LEAK
- iptables: Coverity: REVERSE_INULL
- iptables: Coverity: VARARGS
- iptables: restore negation for -f
- libip6t_HL: fix option names from ttl -> hl
- libipt_LOG: fix ignoring all but last flags
- libxtables: ignore whitespace in the multiaddress argument parser
- libxtables: properly reject empty hostnames
- libxtables: set clone's initial data to NULL
- libxt_conntrack: move more data into the xt_option_entry
- libxt_conntrack: restore network-byte order for v1,v2
- libxt_hashlimit: use a more obvious expiry value by default
- libxt_rateest: abolish global variables
- libxt_RATEEST: abolish global variables
- libxt_RATEEST: fix userspacesize field
- libxt_RATEEST: use guided option parser
- libxt_state: fix regression about inversion of main option
- option: remove last traces of intrapositional negation
- complete changelog:
http://www.netfilter.org/projects/iptables/files/changes-iptables-1.4.12.txt
