This patch is needed for the /usr-move feature
https://fedoraproject.org/wiki/Features/UsrMove
This package now requires 'filesystem' >= 3, which is only
installable on a system which has /bin, /sbin, /lib, /lib64 as
symlinks to /usr and not regular directories. The 'filesystem'
package acts as a guard, to prevent *this* package from being installed
on old unconverted systems.
New installations will have the 'filesystem' >=3 layout right away,
old installations need to be converted with anaconda or dracut first;
only after that, the 'filesystem' package, and also *this* package
can be installed.
Packages *should* not install files in /bin, /sbin, /lib, /lib64,
but only in the corresponding directories in /usr. Packages *must*
not install conflicting files with the same names in the corresponding
directories in / and /usr. Especially compatibility symlinks must not
be installed.
Feel free to modify any of the changes to the spec file, but keep
the above in mind.
- build: make check stage not fail when building statically
- build: restore build order of modules
- build: scan for unreferenced symbols
- build: sort file list before build
- doc: clarification on the meaning of -p 0
- doc: document iptables-restore's -T option
- doc: fix undesired newline in ip6tables-restore(8)
- ip6tables-restore: implement missing -T option
- iptables: move kernel version find routing into libxtables
- libiptc: provide separate pkgconfig files
- libipt_SAME: set PROTO_RANDOM on all ranges
- libxtables: Fix file descriptor leak in xtables_lmap_init on error
- libxt_connbytes: fix handling of --connbytes FROM
- libxt_CONNSECMARK: fix spacing in output
- libxt_conntrack: improve error message on parsing violation
- libxt_NFQUEUE: fix --queue-bypass ipt-save output
- libxt_RATEEST: link with -lm
- libxt_statistic: link with -lm
- Merge branch 'stable'
- Merge branch 'stable' of git://dev.medozas.de/iptables
- nfnl_osf: add missing libnfnetlink_CFLAGS to compile process
- xtoptions: fill in fallback value for nvals
- xtoptions: simplify xtables_parse_interface
- build: abort autogen on subcommand failure
- build: strengthen check for overlong lladdr components
- build: workaround broken linux-headers on RHEL-5
- doc: clarify libxt_connlimit defaults
- doc: fix typo in libxt_TRACE
- extensions: use multi-target registration
- libip6t_dst: restore setting IP6T_OPTS_LEN flag
- libip6t_frag: restore inversion support
- libip6t_hbh: restore setting IP6T_OPTS_LEN flag
- libipq: add pkgconfig file
- libipt_ttl: document that negation is available
- libxt_conntrack: fix --ctproto 0 output
- libxt_conntrack: remove one misleading comment
- libxt_dccp: fix deprecated intrapositional ordering of !
- libxt_dccp: fix random output of ! on --dccp-option
- libxt_dccp: provide man pages options in short help too
- libxt_dccp: restore missing XTOPT_INVERT tags for options
- libxt_dccp: spell out option name on save
- libxt_dscp: restore inversion support
- libxt_hashlimit: default htable-expire must be in milliseconds
- libxt_hashlimit: observe new default gc-expire time when saving
- libxt_hashlimit: remove inversion from hashlimit rev 0
- libxt_owner: restore inversion support
- libxt_physdev: restore inversion support
- libxt_policy: remove superfluous inversion
- libxt_set: put differing variable names in directly
- libxt_set: update man page about kernel support on the feature
- libxt_string: define _GNU_SOURCE for strnlen
- libxt_string: escape the escaping char too
- libxt_string: fix space around arguments
- libxt_string: replace hex codes by char equivalents
- libxt_string: simplify hex output routine
- libxt_tcp: always print the mask parts
- libxt_TCPMSS: restore build with IPv6-less libcs
- libxt_TOS: update linux kernel version list for backported fix
- libxt_u32: fix missing allowance for inversion
- src: remove unused IPTABLES_MULTI define
- tests: add negation tests for libxt_statistic
- xtoptions: flag use of XTOPT_POINTER without XTOPT_PUT
- build: attempt to fix building under Linux 2.4
- build: bump soversion for recent data structure change
- build: install modules in arch-dependent location
- doc: fix group range in libxt_NFLOG's man
- doc: fix version string in ip6tables.8
- doc: include matches/targets in manpage again
- doc: mention multiple verbosity flags
- doc: the -m option cannot be inverted
- extensions: support for per-extension instance global variable space
- iptables-apply: select default rule file depending on call name
- iptables: consolidate target/match init call
- iptables: Coverity: DEADCODE
- iptables: Coverity: NEGATIVE_RETURNS
- iptables: Coverity: RESOURCE_LEAK
- iptables: Coverity: REVERSE_INULL
- iptables: Coverity: VARARGS
- iptables: restore negation for -f
- libip6t_HL: fix option names from ttl -> hl
- libipt_LOG: fix ignoring all but last flags
- libxtables: ignore whitespace in the multiaddress argument parser
- libxtables: properly reject empty hostnames
- libxtables: set clone's initial data to NULL
- libxt_conntrack: move more data into the xt_option_entry
- libxt_conntrack: restore network-byte order for v1,v2
- libxt_hashlimit: use a more obvious expiry value by default
- libxt_rateest: abolish global variables
- libxt_RATEEST: abolish global variables
- libxt_RATEEST: fix userspacesize field
- libxt_RATEEST: use guided option parser
- libxt_state: fix regression about inversion of main option
- option: remove last traces of intrapositional negation
- complete changelog:
http://www.netfilter.org/projects/iptables/files/changes-iptables-1.4.12.txt
- all: consistent syntax use in struct option
- build: fix static linking
- doc: let man(1) autoalign the text in xt_cpu
- doc: remove extra empty line from xt_cpu
- doc: minimal spelling updates to xt_cpu
- doc: consistent use of markup
- extensions: libxt_quota: don't ignore the quota value on deletion
- extensions: REDIRECT: add random help
- extensions: add xt_cpu match
- extensions: add idletimer xt target extension
- extensions: libxt_IDLETIMER: use xtables_param_act when checking options
- extensions: libxt_CHECKSUM extension
- extensions: libipt_LOG/libip6t_LOG: support macdecode option
- extensions: fix compilation of the new CHECKSUM target
- extensions: libxt_ipvs: user-space lib for netfilter matcher xt_ipvs
- iptables-xml: resolve compiler warnings
- iptables: limit chain name length to be consistent with targets
- libiptc: add Libs.private to pkgconfig files
- libiptc: build with -Wl,--no-as-needed
- xtables: remove unnecessary cast
- dropped xt_CHECKSUM, added upstream
- doc: xt_hashlimit: fix a typo
- doc: xt_LED: nroff formatting requirements
- doc: xt_string: correct copy-and-pasting in manpage
- extensions: add the LED target
- extensions: libxt_quota.c: Support option negation
- extensions: libxt_rateest: fix bps options for iptables-save
- extensions: libxt_rateest: fix typo in the man page
- extensions: REDIRECT: add random help
- includes: sync header files from Linux 2.6.35-rc1
- libxt_conntrack: do print netmask
- libxt_hashlimit: always print burst value
- libxt_set: new revision added
- utils: add missing include flags to Makefile
- xtables: another try at chain name length checking
- xtables: remove xtables_set_revision function
- xt_quota: also document negation
- xt_sctp: Trace DATA chunk that supports SACK-IMMEDIATELY extension
- xt_sctp: support FORWARD_TSN chunk type
(rhbz#570767)
- libip4tc: Add static qualifier to dump_entry()
- libipq: build as shared library
- recent: reorder cases in code (cosmetic cleanup)
- several man page and documentation fixes
- policy: fix error message showing wrong option
- includes: header updates
- Lift restrictions on interface names
- fixed license and moved iptables-xml into base package according to
review
- several man page fixes
- Support for nommu arches
- realm: remove static initializations
- libiptc: remove unused functions
- libiptc: avoid strict-aliasing warnings
- iprange: do accept non-ranges for xt_iprange v1
- iprange: warn on reverse range
- iprange: roll address parsing into a loop
- iprange: do accept non-ranges for xt_iprange v1 (log)
- iprange: warn on reverse range (log)
- libiptc: fix wrong maptype of base chain counters on restore
- iptables: fix undersized deletion mask creation
- style: reduce indent in xtables_check_inverse
- libxtables: hand argv to xtables_check_inverse
- iptables/extensions: make bundled options work again
- CONNMARK: print mark rules with mask 0xffffffff as set instead of xset
- iptables: take masks into consideration for replace command
- doc: explain experienced --hitcount limit
- doc: name resolution clarification
- iptables: expose option to zero packet/byte counters for a specific rule
- build: restore --disable-ipv6 functionality on system w/o v6 headers
- MARK: print mark rules with mask 0xffffffff as --set-mark instead of
--set-xmark
- DNAT: fix incorrect check during parsing
- extensions: add osf extension
- conntrack: fix --expires parsing
- dropped nf_ext_init remains from cloexec patch
- libxt_NFQUEUE: add new v1 version with queue-balance option
- xt_conntrack: revision 2 for enlarged state_mask member
- libxt_helper: fix invalid passed option to check_inverse
- libiptc: split v4 and v6
- extensions: collapse registration structures
- iptables: allow for parse-less extensions
- iptables: allow for help-less extensions
- extensions: remove empty help and parse functions
- xtables: add multi-registration functions
- extensions: collapse data variables to use multi-reg calls
- xtables: warn of missing version identifier in extensions
- multi binary: allow subcommand via argv[1]
- iptables: accept multiple IP address specifications for -s, -d
- several build fixes
- several man page fixes
- fixed two leaked file descriptors on sockets (rhbz#521397)
- several man page fixes
- iptables: replace open-coded sizeof by ARRAY_SIZE
- libip6t_policy: remove redundant functions
- policy: use direct xt_policy_info instead of ipt/ip6t
- policy: merge ipv6 and ipv4 variant
- extensions: add `cluster' match support
- extensions: add const qualifiers in print/save functions
- extensions: use NFPROTO_UNSPEC for .family field
- extensions: remove redundant casts
- iptables: close open file descriptors
- fix segfault if incorrect protocol name is used
- replace open-coded sizeof by ARRAY_SIZE
- do not include v4-only modules in ip6tables manpage
- use direct xt_policy_info instead of ipt/ip6t
- xtables: fix segfault if incorrect protocol name is used
- libxt_connlimit: initialize v6_mask
- SNAT/DNAT: add support for persistent multi-range NAT mappings
- blacklisting is not working, use "install X /bin/(true|false)" test
instead
- return private exit code 150 for disabled ipv6 support
- use script name for output messages
- fixed init script: start, stop and status
- support netfilter compiled into kernel in init script (rhbz#295611)
- dropped inversion for limit modules from man pages (rhbz#220780)
- fixed typo in ip6tables man page (rhbz#236185)
- fixed initscript for LSB conformance (rhbz#246953, rhbz#242459)
- provide iptc interface again, but unsupported (rhbz#216733)
- compile all extensions which are supported by the kernel-headers package
- review fixes (rhbz#225906)
- new version 1.3.4
- dropped free_opts patch (upstream fixed)
- made libipq PIC (#158623)
- additional configuration options for iptables startup script (#172929)
Thanks to Jan Gruenwald for the patch
- spec file cleanup (dropped linux_header define and usage)
- Remove unnecessary explicit kernel dep (#146142)
- Fixed out of bounds accesses (#131848): Thanks to Steve Grubb for the
patch
- Adapted iptables-config to reference to modprobe.conf (#150143)
- Remove misleading message (#140154): Thanks to Ulrich Drepper for the
patch
- changed default behaviour for IPTABLES_STATUS_NUMERIC to "yes" (#129731)
- modified config file to match this change and un-commented variables with
default values
Tue Mar 02 2004 Elliot Lee <sopwith@redhat.com>
- rebuilt
Thu Feb 26 2004 Thomas Woerner <twoerner@redhat.com> 1.2.9-2.3
- fixed iptables-restore -c fault if there are no counters (#116421)
Fri Feb 13 2004 Elliot Lee <sopwith@redhat.com>
- rebuilt
Sun Jan 25 2004 Dan Walsh <dwalsh@redhat.com> 1.2.9-1.2
- Close File descriptors to prevent SELinux error message
Wed Jan 07 2004 Thomas Woerner <twoerner@redhat.com> 1.2.9-1.1
- rebuild
Wed Dec 17 2003 Thomas Woerner <twoerner@redhat.com> 1.2.9-1.0
- new version 1.2.9
- new config options in ipXtables-config: IPTABLES_MODULES_UNLOAD
- more documentation in ipXtables-config
- fix for netlink security issue in libipq (devel package)
- print fix for libipt_icmp (#109546)
Fri Dec 05 2003 Thomas Woerner <twoerner@redhat.com> 1.2.8-14
- fixed netlink security issue in libipq (devel package)
- fixed save in libipt_icmp (#109546)
Thu Oct 23 2003 Thomas Woerner <twoerner@redhat.com> 1.2.8-13
- marked all messages in iptables init script for translation (#107462)
- enabled devel package (#105884, #106101)
- bumped build for fedora for libipt_recent.so (#106002)
Tue Sep 23 2003 Thomas Woerner <twoerner@redhat.com> 1.2.8-12.1
- fixed lost udp port range in ip6tables-save (#104484)
- fixed non numeric multiport port output in ipXtables-save
Mon Sep 22 2003 Florian La Roche <Florian.LaRoche@redhat.de> 1.2.8-11
- do not link against -lnsl
Sat Jul 19 2003 Thomas Woerner <twoerner@redhat.com> 1.2.8-7.90.1
- fixed save when iptables file is missing and iptables-config permissions
Tue Jul 08 2003 Thomas Woerner <twoerner@redhat.com> 1.2.8-7
- fixes for ip6tables: module unloading, setting policy only for existing
tables
Thu Jul 03 2003 Thomas Woerner <twoerner@redhat.com> 1.2.8-6
- IPTABLES_SAVE_COUNTER defaults to no, now
- install config file in /etc/sysconfig
- exchange unload of ip_tables and ip_conntrack
- fixed start function
Wed Jul 02 2003 Thomas Woerner <twoerner@redhat.com> 1.2.8-5
- new config option IPTABLES_SAVE_ON_RESTART
- init script: new status, save and restart
- fixes #44905, #65389, #80785, #82860, #91040, #91560 and #91374
Mon Jun 30 2003 Thomas Woerner <twoerner@redhat.com> 1.2.8-4
- new config option IPTABLES_STATUS_NUMERIC
- cleared IPTABLES_MODULES in iptables-config
Mon Jun 30 2003 Thomas Woerner <twoerner@redhat.com> 1.2.8-3
- new init scripts
Sat Jun 28 2003 Florian La Roche <Florian.LaRoche@redhat.de>
- remove check for very old kernel versions in init scripts
- sync up both init scripts and remove some further ugly things
- add some docu into rpm
Thu Jun 26 2003 Thomas Woerner <twoerner@redhat.com> 1.2.8-2
- rebuild
Mon Jun 16 2003 Thomas Woerner <twoerner@redhat.com> 1.2.8-1
- update to 1.2.8