- Drop bootstrap code again
- Drop workarounds for F24 and lower
- Fix iptables-utils summary
- Ship iptables-apply with iptables-utils
- Reduce files sections by use of globbing
- Ship common man pages with iptables-libs
- Ship *-translate man pages with iptables-nft
- Move legacy iptables binaries, libraries and headers into sub-packages
- Introduce compat sub-package to help with above transitions
- Drop libipulog header from devel package, this belongs to libnetfilter_log
- Do not ship internal headers in devel package
- Rebase onto upstream version 1.8.5 plus two late fixes
- Drop explicit iptables-apply installation, upstream fixed that
- Ship ip6tables-apply along with iptables package
- Change URL to point at iptables project, not netfilter overview page
- Reuse URL value in tarball source
- Reduce globbing of library file names to expose future SONAME changes
- Add bootstrapping for libip*tc SONAME bump
- New upstream version 1.8.2
- Integrate ebtables and arptables save/restore scripts with alternatives
- Add nft-specific ebtables and arptables man pages
- Move /etc/sysconfig/ip*tables-config files into services sub-package
According to https://fedoraproject.org/wiki/Packaging:Scriptlets:
If a package is suitable for installation without systemd (in a
container image, for example) and does not require any of the
systemd mechanisms such as tmpfiles.d, then the systemd_ordering macro
MAY be used instead of the systemd_requires macro.
That is exactly the case we want to address for container images
when installing packages in them.
Resolves: rhbz#1668678
Related-Bug: #1804822
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
- New upstream version 1.8.0.
- Replace ldconfig calls with newly introduced macros.
- Rename compat subpackage to iptables-nft to clarify its purpose.
- Make use of Alternatives system.
* Thu Mar 01 2018 Phil Sutter <psutter@redhat.com> - 1.6.2-2
- Kill module unloading support
- Support /etc/sysctl.d
- Don't restart services after package update
- Add support for --wait options to restore commands
There's no point in restarting iptables/ip6tables services if the
iptables-services package is updated. On the other hand, doing so
potentially breaks VMs in OpenStack since they drop temporary rules.
The whole concept is unfixably broken:
Some kernel modules are used by both IPv4 and IPv6 netfilter and the
algorithm has no way to identify this situation. Therefore if iptables
and ip6tables services are restarted in parallel, one's module unloading
tends to stomp on the other's attempt at loading rules.
Another problem is with OVS: iptables service unloading conntrack
modules breaks a running OVS instance.