#
# spec file for package iptables
#
# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#

Name:           iptables
Version:        1.6.2
Release:        104.2
Summary:        IP packet filter administration utilities
License:        GPL-2.0 and Artistic-2.0
Group:          Productivity/Networking/Security
Url:            http://netfilter.org/projects/iptables/

#Git-Clone:     git://git.netfilter.org/iptables
Source:         http://netfilter.org/projects/iptables/files/%name-%version.tar.bz2
Source2:        http://netfilter.org/projects/iptables/files/%name-%version.tar.bz2.sig
Source3:        %name.keyring
Patch3:         iptables-batch.patch
Patch4:         iptables-apply-mktemp-fix.patch
Patch5:         iptables-batch-lock.patch
# eisfair patch by Christoph Schulz fli4l team
Patch100:       iptables-always-wait-for-lock.patch
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
%if 0%{?fedora_version} || 0%{?centos_version}
BuildRequires:  sgml-common
%endif
%if 0%{?suse_version}
BuildRequires:  fdupes
%endif
#git#BuildRequires: autoconf, automake >= 1.10
BuildRequires:  bison
BuildRequires:  flex >= 2.5.33
BuildRequires:  libtool
BuildRequires:  pkg-config >= 0.21
BuildRequires:  xz
BuildRequires:  pkgconfig(libmnl) >= 1.0
BuildRequires:  pkgconfig(libnetfilter_conntrack) >= 1.0.4
BuildRequires:  pkgconfig(libnfnetlink) >= 1.0.0
BuildRequires:  pkgconfig(libnftnl) >= 1.0.5
Requires:       xtables-plugins = %version-%release

%description
iptables is used to set up, maintain, and inspect the rule tables of
the classic "ip6_tables" and "ip_tables" packet filters in the Linux
kernel.

%package nft
Summary:        nft packet filter administration utilities in the style of Xtables
Group:          Productivity/Networking/Security
Requires:       netcfg >= 11.6
Requires:       xtables-plugins = %version-%release

%description nft
The programs shipped in this subpackage behave like iptables on the
command line, but instead edit the rules of the nft packet filter in
the Linux kernel.

Linux kernel 4.2 or newer is recommended to exploit the features.

%package -n xtables-plugins
Summary:        Match and target extension plugins for iptables
Group:          Productivity/Networking/Security
Conflicts:      iptables < 1.4.18

%description -n xtables-plugins
Match and Target Extension plugins for iptables.

%package -n libipq0
Summary:        Library to interface with the (old) ip_queue kernel mechanism
Group:          System/Libraries

%description -n libipq0
The Netfilter project provides a mechanism (ip_queue) for passing
packets out of the stack for queueing to userspace, then receiving
these packets back into the kernel with a verdict specifying what to
do with the packets (such as ACCEPT or DROP). These packets may also
be modified in userspace prior to reinjection back into the kernel.

ip_queue/libipq is obsoleted by nf_queue/libnetfilter_queue!

%package -n libipq-devel
Summary:        Development files for the ip_queue kernel mechanism
Group:          Development/Libraries/C and C++
Requires:       libipq0 = %version

%description -n libipq-devel
The Netfilter project provides a mechanism (ip_queue) for passing
packets out of the stack for queueing to userspace, then receiving
these packets back into the kernel with a verdict specifying what to
do with the packets (such as ACCEPT or DROP). These packets may also
be modified in userspace prior to reinjection back into the kernel.

ip_queue/libipq is obsoleted by nf_queue/libnetfilter_queue!

%package -n libiptc0
Summary:        Library for low-level ruleset generation and parsing
Group:          System/Libraries

%description -n libiptc0
libiptc ("iptables cache") is used to retrieve from the kernel, parse,
construct, and load new rulesets into the kernel.

%package -n libiptc-devel
Summary:        Development files for libiptc, a packet filter ruleset library
Group:          Development/Libraries/C and C++
Requires:       libiptc0 = %version

%description -n libiptc-devel
libiptc ("iptables cache") is used to retrieve from the kernel, parse,
construct, and load new rulesets into the kernel.

%package -n libxtables12
Summary:        iptables extension interface
Group:          System/Libraries

%description -n libxtables12
This library contains all the iptables code shared between iptables,
ip6tables, their extensions, and for external integration for e.g.
iproute2's m_xt.

%package -n libxtables-devel
Summary:        Headers and manpages for iptables
Group:          Development/Libraries/C and C++
Requires:       libxtables12 = %version

%description -n libxtables-devel
This library contains all the iptables code shared between iptables,
ip6tables, their extensions, and for external integration for e.g.
Link your extension (iptables plugins) with $(pkg-config xtables
--libs) and place the plugin in the directory given by $(pkg-config
xtables --variable=xtlibdir).

%prep
%setup -q
%patch -P 3 -P 4 -P 5 -p1
%patch100 -p1

%build
# We have the iptables-batch patch, so always regenerate.
if true || [ ! -e configure ]; then
	./autogen.sh
fi
# bnc#561793 - do not include unclean module in iptables manpage
rm -f extensions/libipt_unclean.man
# includedir is overridden on purpose to detect projects that
# fail to include libxtables_CFLAGS
%configure --includedir="%_includedir/%name" --enable-libipq
make %{?_smp_mflags}

%install
make DESTDIR=%buildroot install
# iptables-apply is not installed by upstream Makefile
install -m0755 iptables/iptables-apply %buildroot%_sbindir/
install -m0644 iptables/iptables-apply.8 %buildroot%_mandir/man8/
rm -f "%buildroot/%_libdir"/*.la
%if 0%{?suse_version}
%fdupes %buildroot/%_prefix
%endif

%post -n libipq0 -p /sbin/ldconfig
%postun -n libipq0 -p /sbin/ldconfig
%post -n libiptc0 -p /sbin/ldconfig
%postun -n libiptc0 -p /sbin/ldconfig
%post -n libxtables12 -p /sbin/ldconfig
%postun -n libxtables12 -p /sbin/ldconfig

%files
%defattr(-,root,root)
%doc COPYING
%doc %_mandir/man1/ip*
%doc %_mandir/man8/ip*
%_bindir/iptables-xml
%_sbindir/iptables
%_sbindir/iptables-apply
%_sbindir/iptables-batch
%_sbindir/iptables-restore
%_sbindir/iptables-save
%_sbindir/ip6tables
%_sbindir/ip6tables-batch
%_sbindir/ip6tables-restore
%_sbindir/ip6tables-save
%_sbindir/xtables-multi

%files nft
%defattr(-,root,root)
# is provided by netcfg
%ghost %_sysconfdir/ethertypes
%_sbindir/*-compat*
%_sbindir/*-translate*

%files -n xtables-plugins
%defattr(-,root,root)
%_libdir/xtables/
%_sbindir/nfnl_osf
%_mandir/man8/nfnl_osf.8*
%_datadir/xtables/

%files -n libipq0
%defattr(-,root,root)
%_libdir/libipq.so.0*

%files -n libipq-devel
%defattr(-,root,root)
%doc %_mandir/man3/libipq*
%doc %_mandir/man3/ipq*
%dir %_includedir/%name/
%_includedir/%name/libipq*
%_libdir/libipq.so
%_libdir/pkgconfig/libipq.pc

%files -n libiptc0
%defattr(-,root,root)
%_libdir/libiptc.so.0*
%_libdir/libip4tc.so.0*
%_libdir/libip6tc.so.0*

%files -n libiptc-devel
%defattr(-,root,root)
%dir %_includedir/%name/
%_includedir/%name/libiptc*
%_libdir/libip*tc.so
%_libdir/pkgconfig/libip*tc.pc

%files -n libxtables12
%defattr(-,root,root)
%_libdir/libxtables.so.12*

%files -n libxtables-devel
%defattr(-,root,root)
%dir %_includedir/%name/
%_includedir/%name/xtables.h
%_includedir/%name/xtables-version.h
%_libdir/libxtables.so
%_libdir/pkgconfig/xtables.pc

%changelog
* Thu Feb 22 2018 matthias.gerstner@suse.com
- Resolve conflict with ebtables and obtain ethertypes from new netcfg
  minor version. FATE#320520
* Sat Feb 3 2018 jengelh@inai.de
- Update to new upstream release 1.6.2
  * add support for the "srh" match
  * add randomize-full for the "MASQUERADE" target
  * add rate match mode to the "hashlimit" match
* Thu Jun 22 2017 matthias.gerstner@suse.com
- Add iptables-batch-lock.patch: Fix a locking issue of iptables-batch
  which can cause it to spuriously fail when other programs modify the
  iptables rules in parallel (bnc#1045130). This can especially affect
  SuSEfirewall2 during startup.
* Fri Jan 27 2017 jengelh@inai.de
- Update to new upstream release 1.6.1
  * add support for hashlimit rev 2 for higher pps rates
  * add support for cgroup2 path matching
  * translation program for nft
* Fri Dec 18 2015 jengelh@inai.de
- Update to final release 1.6.0
  * Only a build fix, no new significant changes.
* Mon Nov 23 2015 jengelh@inai.de
- Update to new snapshot v1.4.21-367-g9763347 [1.6.0~]
  * -m ah/esp/rt: restore matching "any SPI id" by default
    (they unexpectedly defaulted to --spi 0 rather than --spi ALL)
  * -m cgroup: new module
  * -m dst: make ! --dst-len work
  * -m ipcomp: new module
  * -m socket: add --restore-skmark option
  * -j CT: add support for new zone options
  * -j REJECT: add missing ICMPv6 codes
  * -j TEE: make it possible to delete rules with -D ... -j
  * -j SNAT/DNAT: add randomize-full support
* Thu Apr 24 2014 dmueller@suse.com
- remove dependency on gpg-offline (blocks rebuilds and
  tarball integrity is checked by source-validator anyway)
* Wed Apr 23 2014 dmueller@suse.com
- remove dependency on sgmltool: doesn't seem to be used
  and reduces rebuild time on aarch64 by 8 hours
* Sat Nov 23 2013 jengelh@inai.de
- Update to new upstream release 1.4.21
  * --nowildcard option for xt_socket, available since Linux kernel 3.11
  * SYNPROXY support, available since Linux kernel 3.12
* Wed Aug 7 2013 jengelh@inai.de
- Update to new upstream release 1.4.20
  * Introduce a new revision for the set match with the counters support
  * Add locking to prevent concurrent instances
* Fri May 31 2013 jengelh@inai.de
- Update to new upstream release 1.4.19.1
  * New connlabel and bpf matches
- Remove 0001-Revert-build-resolve-link-failure-for-ip6t_NETMAP.patch,
  0001-libip6t_NETMAP-Use-xtables_ip6mask_to_cidr-and-get-r.patch
  (are upstream)
* Mon Apr 15 2013 jengelh@inai.de
- libxt_state.so symlink was not installed (bnc#815182); fix by
  removing 0001-build-also-use-libtool-for-install-stage.patch,
  removing 0001-build-do-not-dereference-symlinks-on-installation.patch,
  adding 0001-libip6t_NETMAP-Use-xtables_ip6mask_to_cidr-and-get-r.patch,
  adding 0001-Revert-build-resolve-link-failure-for-ip6t_NETMAP.patch
* Wed Mar 20 2013 cfarrell@suse.com
- license update: GPL-2.0 and Artistic-2.0
  GPL version does not have ^or later^ due to inclusion of numerous
  GPL 2 ^only^ files. Also, aggregation of Artistic-2.0 content
* Mon Mar 4 2013 jengelh@inai.de
- Update to new upstream release 1.4.18
  * documentation updates
- Create subpackage xtables-plugins, to aid packaging of xtadm
- Add 0001-build-do-not-dereference-symlinks-on-installation.patch
  as a prerequisite for:
- Add 0001-build-also-use-libtool-for-install-stage.patch to
  kill off undesired DT_RPATH entries
* Tue Dec 25 2012 jengelh@inai.de
- Update to new upstream release 1.4.17
  * libxt_time: add support to ignore day transition
  * libxt_statistic: fix save output
* Wed Nov 28 2012 sbrabec@suse.cz
- Verify GPG signature
* Thu Nov 15 2012 lnussel@suse.de
- list all required binaries explicitly to make sure all of them are
  actually compiled
* Thu Nov 15 2012 jengelh@inai.de
- Always regenerate files due to SUSE's iptables-batch patch
* Mon Oct 8 2012 jengelh@inai.de
- Update to new upstream release 1.4.16.3
  * This release includes aliasing support which translates command
    lines using obsolete extensions into new ones. The option parser
    now flags illegal negative numbers in some more extensions.
    A division by zero was resolved in libxt_limit as well.
* Tue Jul 31 2012 jengelh@inai.de
- Update to new upstream release 1.4.15
  * libxt_recent: add --mask netmask
  * libxt_hashlimit: add support for byte-based operation
* Sat May 26 2012 jengelh@inai.de
- Update to new upstream release 1.4.14
  * Support for the new cttimeout infrastructure. This allows you to
    attach specific timeout policies to flow via iptables CT target.
* Tue Mar 27 2012 jengelh@medozas.de
- Update to new upstream release 1.4.13
  * Add the rpfilter, nfacct and IPv6 ECN extensions
* Mon Jan 2 2012 jengelh@medozas.de
- Update to newer git snapshot (v1.4.12.2-28-g2117f2b, but master
  branch), tag locally as 1.4.12.90.
  * ships missing pkgconfig files, compile fix for libnfnetlink
  * libxt_NFQUEUE: fix --queue-bypass ipt-save output
  * libxt_connbytes: fix handling of --connbytes FROM
  * libxt_recent: Add support for --reap option
- split iptables-devel into libiptc-devel and libxtables-devel
* Wed Dec 28 2011 puzel@suse.com
- iptables-apply-mktemp-fix.patch (bnc#730161)
* Wed Nov 30 2011 coolo@suse.com
- add automake as buildrequire to avoid implicit dependency
* Tue Oct 4 2011 jengelh@medozas.de
- Update to a newer git snapshot of the stable branch
  (to v1.4.12.1-16-gd2b0eaa)
  * resolve failure to load extensions that depend on libm.so
- rediff of iptables-batch due to fuzz
- relax runtime requires
* Thu Sep 1 2011 jengelh@medozas.de
- Update to new upstream release 1.4.12.1
  * regression fixes for the new (stricter) command-line parser
- restore --includedir= in spec file
- Put libxtables into its own subpackage so that one does not need a
  lockstep update of iproute2 on a new iptables package
- Remove redundant fields (Autoreqprov defaults to on, License is
  inherited from main package)
* Fri Aug 12 2011 draht@suse.de
- include path is /usr/include
* Mon Aug 8 2011 jengelh@medozas.de
- Put include files into a separate directory to flag up missing
  CFLAGS. libipq.pc will now be provided.
- Enable build of nfnl_osf, a tool to upload OS fingerprints to the
  kernel for use with xt_osf.
* Fri Jul 22 2011 jengelh@medozas.de
- Update to new upstream release 1.4.12
  * Include lost match/target descriptions in manpage again
  * libxt_LOG: fix ignorance of all but the last flag
  * libxt_HL: restore hl-* option names
  * libxt_hashlimit: use a more obvious expiry value by default
  * libxt_RATEEST: fix find-and-delete of rules with -j RATEEST
  * ipv4: restore negation for the -f option
  * Reject empty host specifications (e.g. -s "")
  * libxt_conntrack: restore network byteordering for ABI v1 & v2
  * Documentation updates
* Wed Jun 8 2011 jengelh@medozas.de
- Update to snapshot 1.4.11+git16
  * libxt_owner: restore inversion support
  * option: fix ignored negation before implicit extension loading
  * build: fix installation of symlinks
  * build: fix absence of xml translator in IPv6-only builds
- Drop merged patches
* Sun May 29 2011 jengelh@medozas.de
- Update to new upstream release 1.4.11
  * stricter option parsing
  * support for the current xt_SET target as contained in 2.6.39
  * support for the new xt_devgroup match
  * support for the new xt_AUDIT target
  * support for a new NFQUEUE bypass option, allowing to bypass the
    queue if no userspace listener is present
  * a new iptables option "-C" to check for existence of a rule
- Fixes on top
  * allow negation of --uid-owner/--gid-owner again
  * fix installation of symlinks
- Run spec-beautifier
* Fri Oct 29 2010 jengelh@medozas.de
- Update to new upstream release 1.4.10
  * this is the release for the Linux 2.6.36 kernel
  * support for the cpu match, which can be used to improve cache
    locality when running multiple server instances
  * support for the IDLETIMER target, which can be used to notify
    userspace of interfaces being idle
  * support for the CHECKSUM target
  * support for the ipvs match
  * a fix for deletion of rules using the quota match
* Mon Aug 9 2010 puzel@novell.com
- update to new upstream release 1.4.9.1
  * fixes a compilation problem with static linking in the 1.4.9
    release
* Wed Aug 4 2010 puzel@novell.com
- update to new upstream release 1.4.9
  * this is the release for the Linux 2.6.35 kernel
  * support for the LED target
  * a new version of the set extension for the upcoming release
    supporting IPv6
  * negation support for the quota match
  * support for the SACK-IMMEDIATELY SCTP extension and FORWARD_TSN
    chunk type in the sctp match
  * documentation updates and various smaller bugfixes
* Wed May 26 2010 jengelh@medozas.de
- update to new upstream release 1.4.8
  * this is the release for the Linux 2.6.34 kernel
  * add support for the new xt_CT extension
  * import the nfnl_osf program required for proper operation of the
    xt_osf extension
* Sat Apr 24 2010 coolo@novell.com
- buildrequire pkg-config to fix provides
* Mon Mar 1 2010 jengelh@medozas.de
- update to new upstream release 1.4.7
  * libipq is built as a shared library
  * removal of some restrictions on interface names
  * documentation updates
- rebase and fix linking of iptables-batch
- fix libdir->libexecdir
* Mon Feb 22 2010 jengelh@medozas.de
- only run configure when needed
- use %%_smp_mflags
- use newer git snapshot to fix compile error due to missing
  ipt_DSCP.h in newer linux-glibc-devel (>= 2.6.32)
* Wed Dec 30 2009 puzel@novell.com
- fix bnc#561793 - do not include unclean module documentation
  in iptables manpage
* Tue Dec 22 2009 jengelh@medozas.de
- update specfile descriptions (bnc#553801)
- update to iptables 1.4.6:
  * combine iptables subprograms into a new multi-purpose binary
  * support for new implementations: NFQUEUE v1, conntrack v2
  * helper: fix invalid passed option to check_inverse
  * iprange accepts single host specifications again
  * iprange: do accept non-ranges for xt_iprange v1
  * iprange: warn on reverse range
  * libiptc: fix wrong maptype of base chain counters on restore
  * iptables: fix undersized deletion mask creation
  * iptables/extensions: make bundled options work again
  * iptables: take masks into consideration for replace command
  * xtables: warn of missing version identifier in extensions
  * documentation updates
- refresh iptables-batch
* Thu Nov 12 2009 puzel@novell.com
- remove outdated howtos (bnc#551748)
* Wed Jul 15 2009 kay.sievers@novell.com
- fix libdir/libexecdir on 64bit installation
* Wed Jun 17 2009 puzel@novell.com
- install iptables-apply
* Wed Jun 17 2009 puzel@suse.cz
- update to iptables-1.4.4
  * support for the new features in the 2.6.30 kernel, namely the
    cluster match and persistent multi-range NAT mappings
  * support for the ipset set match and target
  * various minor fixes and cleanups
  * documentation updates
* Mon May 11 2009 puzel@suse.cz
- make explicit 'commit' in iptables-batch do nothing (bnc#500990)
* Tue Apr 21 2009 puzel@suse.cz
- update to 1.4.3.2
- numerous documentation updates and bugfixes
- set of changes to move some of the iptables functionality to a
  shared library for tc and m_ipt
- make libiptc available as shared library (closes bnc#487629)
- IPv6 support for the recent match
- TPROXY support
- SCTP/DCCP NAT support
- INCOMPATIBILITY: This release starts enforcing the deprecation of
  NAT filtering that was added in 1.4.2-rc1, filtering rules in the
  NAT tables will cause an error instead of a warning from now on.
- rework iptables-batch.patch (libiptc interface has changed)
- update howtos
* Fri Jan 16 2009 prusnak@suse.cz
- updated to 1.4.2
  * remove dependency on libiptc headers
  * fix segmentation fault with -tanything
  * warn about use of DROP in nat table
  * do allow --rttl for --update
  * run ldconfig on `make install`
  * fix invalid iptables-save output
  * fix hashlimit output
* Wed Sep 10 2008 prusnak@suse.cz
- updated to 1.4.2-rc1
  * libxt_TOS: make sure --set-tos value/mask is recognized
  * libiptc: fix scalability performance issue during initial ruleset
    parsing
  * xt_string: string extension case insensitive matching
  * ip6tables: add --goto support
* Wed Sep 10 2008 prusnak@suse.cz
- updated to 1.4.1.1
  * iptables: fix printing of line numbers with --line-numbers arg
  * ip6tables: fix printing of ipv6 network masks
  * build: fix `make install` when --disable-shared is used
  * iprange: kernel flags were not set
* Wed Sep 10 2008 prusnak@suse.cz
- updated to 1.4.1
  * iptables: use C99 lists for struct options
  * Make iptables-restore usable over a pipe
  * Add support for --set-counters to iptables -P
  * iptables --list-rules command
  * iptables --list chain rulenum
  * Make --set-counters (-c) accept comma separated counters
  * libxt_iprange: Fix IP validation logic
  * fix ip6tables dest address printing
  * Converts the iptables build infrastructure to autotools.
  * Introduce strtonum(), which works like string_to_number(), but passes
  * print warning when dlopen fails
  * libxt_owner: UID/GID range support
  * Fix compilation of iptables-static build
  * xtables.h: move non-exported parts to internal.h
  * Combine IP{,6}T_LIB_DIR into XTABLES_LIBDIR
  * manpages: fix broken markup (missing close tags)
  * manpages: update to reflect fine-grained control
  * configure: split --enable-libipq from --enable-devel
  * Add all necessary header files - compilation fix for various cases
  * Install libiptc header files because xtables.h depends on it
  * Implement AF_UNSPEC as a wildcard for extensions
  * Combine ipt and ip6t manpages
  * Resolve warnings on 64-bit compile
  * Wrap dlopen code into NO_SHARED_LIBS
  * Remove support for compilation of conditional extensions
  * Resolve libipt_set warnings
  * Update documentation about building the package
  * configure.ac: AC_SUBST must be separate
  * Dynamically create xtables.h.in with version
  * configure.ac: remove already-defined variables
  * Remove old functions, constants
  * Makefile.am: use PACKAGE_TARNAME
  * iptables out-of-tree build directory
  * Introduce a counter for number of user defined chains.
  * Solving scalability issue: for chain list "name" searching.
  * REDIRECT: Allow symbolic port in REDIRECT --to-port
  * Fix iptables-save output of libxt_owner match
  * allow empty strings in argument parser
  * Fix define value of SCTP chunk type.
  * cleanup several code wraparounds
  * Add RATEEST target extension
  * Add rateest match extension
  * Properly initialize revision for ip6tables targets
  * Resync header files with kernel
  * libiptc: move variable definitions to head of function
  * Fix CONNMARK mask initialisation
  * iptables-save:remove unnecessary code.
  * Don't assume /bin/sh is bash
  * Add xtables version defines.
  * Use s6_addr32 to access bits in int6_addr instead of incompatible
    name
* Tue Jan 8 2008 prusnak@suse.cz
- updated to 1.4.0:
  * Add support for generic xtables infrastructure (improved IPv6
    support!)
  * Deletes empty ->final_check() functions
  * Fix sparse warnings: non-C99 array declaration, incorrect function
    prototypes
  * Remove last vestiges of NFC
  * Make @msg argument a const char *, just like printf
  * Makes it possible to omit extra_opts of matches/targets if
    unnecessary
  * Fix "iptables getsockopt failed strangely" when querying revisions
    for non-existent matches and targets
  * Introduces DEST_IPT_LIBDIR in Makefile
  * Change default KERNEL_DIR location and add KBUILD_OUTPUT
  * Removes obsolete KERNEL_64_USERSPACE_32 definitions
  * Fix unused function warning
  * Don't use dlfcn.h if NO_SHARED_LIBS is defined
  * Fix showing help text for matches/targets with revision as user
  * Print warnings to stderr
  * Fix sscanf type errors
  * Always print mask in iptables-save
  * Don't silently exit on failure to open
    /proc/net/{ip,ip6}_tables_names
  * Adds --table to iptables-restore
  * Make DO_MULTI=1 work for ip6tables* binaries
  * Add ip6tables-{save,restore} to non-experimental target, fix strict
    aliasing warnings
  * Introducing libxt_*.man files. Sorted matches and modules
  * Install ip6tables-{save,restore} manpages
  * Performance optimization in sorting chain during pull-out
  * Fix sockfd use accounting for kernels without autoloading
  * use
  * Fix make/compile error for iptables-1.4.0rc1
  * Fix for --random option in DNAT and REDIRECT
  * Document xt_statistic
  * sctp: fix - mistake to pass a pointer where array is required
  * Fix connlimit output for inverted --connlimit-above: ! > is <=,
    not <
  * Add NFLOG manpage
  * Move libipt_DSCP.man to libxt_DSCP.man for ip6tables.8
  * Unifies libip[6]t_CONNSECMARK.man to libxt_CONNSECMARK.man
  * Moves libipt_CLASSYFY.man to libxt_CLASSYFY.man for ip6tables.8
  * fix check_inverse() call
- removed obsolete patch:
  * strict-aliasing-fix.diff (included in update)
* Tue Jul 31 2007 prusnak@suse.cz
- removed sed scripts in %%prep section from last update
  * not needed anymore
* Thu Jul 26 2007 prusnak@suse.cz
- updated to 1.3.8
  * Fix build error of conntrack match
  * Remove whitespace in ip6tables.c
  * `-p all' and `-p 0' should be allowed in ip6tables
  * hashlimit doc update
  * add --random option to DNAT and REDIRECT
  * Makefile uses POSIX conform directory check
  * Fix missing newlines in iptables-save/restore output
  * Update quota manpage for SMP
  * Output for unspecified proto is `all' instead of `0'
  * Fix iptables-save with --random option
  * Remove unnecessary IP_NAT_RANGE_PROTO_RANDOM ifdefs
  * Remove libnsl from LDLIBS
  * Fix problem with iptables-restore and quotes
  * Remove unnecessary includes
  * Fix --modprobe parameter
  * ip6tables-restore should output error of modprobe after failed to
    load
  * Add random option to SNAT
  * Fix missing space in error message
  * Fixes for manpages of tcp, udp, and icmp{,6}
  * Add ip6tables mh extension
  * Fix tcpmss manpage
  * Add ip6tables TCPMSS extension
  * Add UDPLITE multiport support
  * Fix missing space in ruleset listing
  * Remove extensions for unmaintained/obsolete patchlets
  * Fix greedy debug grep
  * Fix type in manpage
  * Fix compile/install error for iptables-xml with DO_MULTI=1
- dropped obsolete patches:
  * newlines.diff (included in update)
  * shlibs.diff (done by sed in %%prep section)
  * extensions.diff
* Wed May 9 2007 prusnak@suse.cz
- added newlines to error messages (newlines.diff) [#271847]
* Tue Mar 13 2007 prusnak@suse.cz
- added initial setting of KERNEL_DIR variable in %%install section
  of spec file
* Tue Jan 9 2007 prusnak@suse.cz
- added experimental tools and extensions (removed by last update)
* Wed Jan 3 2007 prusnak@suse.cz
- updated to 1.3.7
  * Add revision support for ip6tables
  * Add port range support for ip6tables multiport match
  * Add sctp match extension for ip6tables
  * Add iptables-xml tool
  * Add hashlimit support for ip6tables (needs kernel > 2.6.19)
  * Add NFLOG target extension for iptables/ip6tables
    (needs kernel > 2.6.19)
  * Bugfixes
- updated debian-docs and moved into tar.bz2
* Thu Nov 16 2006 mjancar@suse.cz
- allow setting KERNEL_DIR on commandline for build (#220851)
* Tue Oct 17 2006 anosek@suse.cz
- updated to version 1.3.6
  * Support multiple matches of the same type within a single rule
  * DCCP/SCTP support for multiport match (needs kernel >= 2.6.18)
  * SELinux SECMARK target (needs kernel >= 2.6.18)
  * SELinux CONNSECMARK target (needs kernel >= 2.6.18)
  * Add support for statistic match (needs kernel >= 2.6.18)
  * Optionally read realm values from /etc/iproute2/rt_realms
  * Bugfixes
* Wed Feb 1 2006 lnussel@suse.de
- updated to version 1.3.5
  * supports ip6tables state and conntrack \o/ (#145758)
* Fri Jan 27 2006 mls@suse.de
- converted neededforbuild to BuildRequires
* Tue Jan 24 2006 schwab@suse.de
- Fix building of shared libraries.
* Tue Jan 17 2006 postadal@suse.cz
- updated policy extension from upstream (policy-1.3.4.patch)
  * ported for changes in kernel
* Tue Nov 15 2005 postadal@suse.cz
- updated to version 1.3.4
- added RPM_OPT_FLAGS to CFLAGS
- fixed strict aliasing (strict-aliasing-fix.patch)
* Mon Aug 1 2005 lnussel@suse.de
- add iptables-batch and ip6tables-batch
* Mon Aug 1 2005 postadal@suse.cz
- updated to version 1.3.3
* Wed Jul 27 2005 postadal@suse.cz
- updated to version 1.3.2
* Wed Mar 9 2005 postadal@suse.cz
- updated to version 1.3.1 (bug fixes)
* Thu Feb 17 2005 postadal@suse.cz
- updated to version 1.3.0
- removed obsoleted patch modules-secfix
* Tue Nov 2 2004 postadal@suse.cz
- fixed uninitialised variable [#47850] - CAN-2004-0986
* Tue Aug 17 2004 mludvig@suse.cz
- Fixed mode for extensions/.policy-test6
* Thu Aug 5 2004 mludvig@suse.cz
- Added IPv6 support to the 'policy' match.
* Wed Aug 4 2004 postadal@suse.cz
- updated to version 1.2.11
- removed obsoleted patch clusterip
* Sat Apr 24 2004 lmb@suse.de
- Add support for Cluster IP functionality.
* Wed Apr 21 2004 mludvig@suse.cz
- Added module for IPv6 conntrack from USAGI.
* Wed Mar 24 2004 mludvig@suse.cz
- Added policy module from patch-o-matic
* Fri Feb 6 2004 postadal@suse.cz
- updated to version 1.2.9.
* Sat Jan 10 2004 adrian@suse.de
- add %%defattr
* Wed Jul 23 2003 postadal@suse.cz
- updated to 1.2.8
* Tue Apr 8 2003 schwab@suse.de
- Prefer sanitized kernel headers.
* Thu Sep 5 2002 postadal@suse.cz
- updated to bugfixed 1.2.7a version
* Wed Aug 28 2002 postadal@suse.cz
- added Requires %%{name} = %%{version} to devel package
* Thu Aug 8 2002 nadvornik@suse.cz
- updated to 1.2.7
* Wed Mar 27 2002 postadal@suse.cz
- revert to compile it with kernel headers (#15448)
* Fri Feb 1 2002 nadvornik@suse.cz
- compiled with kernel headers from glibc
* Tue Jan 15 2002 nadvornik@suse.cz
- update to 1.2.5
* Wed Nov 14 2001 nadvornik@suse.cz
- updated to 1.2.4 [bug #12104]
- fixed problems with iptables-save/restore
- iptables-1.2.4.debian.diff.bz2 contains documentation only,
  Makefile changes moved to separate patch
* Sat Sep 22 2001 garloff@suse.de
- Fix ipt_string support (compile fix).
* Tue Jul 17 2001 garloff@suse.de
- Update to iptables-1.2.2
- Apply debian patch: mostly docu stuff
- Added COMPILE_EXPERIMENTAL flag to Makefile and pass it from
  RPM .spec file to compile and install ip(6)tables-save/restore
  apps.
* Fri Apr 6 2001 kukuk@suse.de
- changed neededforbuild from lx_suse to kernel-source
* Tue Mar 27 2001 lmuelle@suse.de
- update to 1.2.1a
- add devel package with libipq stuff
- minor spec file cleanup
* Sun Jan 28 2001 olh@suse.de
- update to 1.2, needed for ppc and sparc
* Tue Dec 19 2000 nadvornik@suse.cz
- compiled with lx_suse
* Tue Oct 17 2000 nadvornik@suse.cz
- update to 1.1.2
* Fri Sep 22 2000 ro@suse.de
- up to 1.1.1
* Fri Jun 9 2000 ro@suse.de
- fixed neededforbuild
* Wed Jun 7 2000 nadvornik@suse.cz
- new package 1.1.0