#
# spec file for package nftables
#
# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#


Name:           nftables
Version:        0.9.0
Release:        2.1
Summary:        Userspace utility to access the nf_tables packet filter
License:        GPL-2.0-only
Group:          Productivity/Networking/Security
Url:            http://netfilter.org/projects/nftables/

#Git-Clone:	git://git.netfilter.org/nftables
Source:         http://ftp.netfilter.org/pub/nftables/nftables-%version.tar.bz2
Source2:        http://ftp.netfilter.org/pub/nftables/nftables-%version.tar.bz2.sig
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
BuildRequires:  bison
BuildRequires:  docbook2x
BuildRequires:  flex
BuildRequires:  gmp-devel
BuildRequires:  pkg-config >= 0.21
BuildRequires:  readline-devel
BuildRequires:  xsltproc
BuildRequires:  pkgconfig(libmnl) >= 1.0.3
BuildRequires:  pkgconfig(libnftnl) >= 1.1.1
BuildRequires:  pkgconfig(xtables) >= 1.6.1

%description
nf_tables is a firewalling mechanism in the Linux kernel, running
independently of, and thus parallel to, ip_tables, ip6_tables,
arp_tables and ebtables. nftables is the corresponding userspace
frontend.

nftables features support for sets and dictionaries of arbitrary
types, support for different protocols, meta data types, access to
connection tracking and NAT, logging, atomic incremental and full
ruleset updates.
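As an added example that is not part of this spec or the nftables project, the ruleset below exercises the features named above: a set with address intervals, a verdict map (dictionary), connection-tracking state matching and logging. All addresses, ports and the interface name are constructed placeholders. `nft -c -f <file>` parses and validates it without touching the kernel (the dry-run mode added in 0.8), and `nft -f <file>` then applies it as one atomic transaction, since `flush ruleset` and the new tables are committed together.

```nft
#!/usr/sbin/nft -f
# Added example ruleset (not shipped by the package); values are constructed.
flush ruleset

table inet filter {
	# Set of source networks to reject; "interval" allows CIDR members.
	set blocklist {
		type ipv4_addr
		flags interval
		elements = { 192.0.2.0/24, 198.51.100.7 }
	}

	# Dictionary mapping a TCP port to a verdict, used via vmap below.
	map tcp_services {
		type inet_service : verdict
		elements = { 22 : accept, 443 : accept }
	}

	chain input {
		type filter hook input priority 0; policy drop;

		# Accept replies to traffic we initiated; drop malformed state.
		ct state established,related accept
		ct state invalid drop
		iif lo accept

		# Count and log hits from the blocklist set, then drop them.
		ip saddr @blocklist counter log prefix "blocklist: " drop

		# Single lookup in the map decides the verdict for TCP services.
		tcp dport vmap @tcp_services

		# Everything else falls through to the chain policy; log it first.
		log prefix "input-drop: " flags all
	}

	chain forward {
		type filter hook forward priority 0; policy drop;
	}
}
```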

%package -n libnftables0
Summary:        nftables firewalling command interface
Group:          System/Libraries

%description -n libnftables0
libnftables is the nftables command line interface placed into a
library.

%package devel
Summary:        Development files for the nftables command line interface
Group:          Development/Libraries/C and C++
Requires:       libnftables0 = %version

%description devel
libnftables is the nftables command line interface placed into a
library.

This package contains the header files for the library.

%prep
%setup -q

%build
mkdir bin
ln -s "%_bindir/docbook-to-man" bin/docbook2x-man
export PATH="$PATH:$PWD/bin"
mkdir obj
pushd obj/
%define _configure ../configure
%configure --disable-silent-rules \
           --disable-static \
           --docdir="%_docdir/%name" \
           --includedir="%_includedir/%name"
make %{?_smp_mflags}
popd

%install
b="%buildroot"
%make_install -C obj
rm -f "%buildroot/%_libdir"/*.la
mkdir -p "$b/%_docdir/%name/examples"
mv "$b/%_sysconfdir/nftables"/* "$b/%_docdir/%name/examples/"

%post   -n libnftables0 -p /sbin/ldconfig
%postun -n libnftables0 -p /sbin/ldconfig

%files
%defattr(-,root,root)
%license COPYING
%_sbindir/nft
%_mandir/man8/nft*
%_docdir/%name/

%files -n libnftables0
%_libdir/libnftables.so.*

%files devel
%_includedir/%name/
%_libdir/libnftables.so
%_libdir/pkgconfig/*.pc

%changelog
* Sat Jan 19 2019 Stefan Brüns <stefan.bruens@rwth-aachen.de>
- Remove unused dblatex BuildRequires, only needed for the optional
  and disabled PDF generation (same contents as shipped manpage).
* Sat Jun  9 2018 jengelh@inai.de
- Update to new upstream release 0.9.0
  * Support to check if packet matches an existing socket.
  * Support to limit number of active connections by arbitrary
    criteria, such as ip addresses, networks, conntrack zones or
    any combination thereof.
  * Added support for "audit" logging.
* Fri May 11 2018 jengelh@inai.de
- Update to new upstream release 0.8.5
  * support to add/insert a rule at a given index position
  * meter statement now supports a configurable upper max size
  * timeouts for sets can now be specified in milliseconds
  * re-add iptables-like empty skeleton rulesets
* Wed May  2 2018 jengelh@inai.de
- Update to new upstream release 0.8.4
  * Support to match IPv6 segment routing headers.
  * New "meta ibrname" and "meta obrname" arguments to match the
    name of the logical bridge a packet is passing through.
    These new names replace the old (misnamed) "ibriport"/"obriport".
  * `nft -a` will now show handle identifier for all objects,
    including tables and chains.
  * nft can now delete objects by their handle number.
  * Support to update maps from the ruleset (packet path).
  * the "--echo" option now prints handle id for tables and
    object too.
  * `nft -f -` will now read from standard input
  * Support for flow tables, cf. man page or
    https://lwn.net/Articles/738214/ .
* Sat Mar  3 2018 jengelh@inai.de
- Update to new upstream release 0.8.3
  * raw payload support to match headers that have not yet
    received a mnemonic.
* Sat Feb  3 2018 jengelh@inai.de
- Update to new upstream release 0.8.2
  * add secpath support
* Tue Jan 16 2018 jengelh@inai.de
- Update to new upstream release 0.8.1
  * This release deprecates the "flow table" syntax in favor
    of "meter".
* Fri Oct 13 2017 jengelh@inai.de
- Update to new upstream release 0.8
  * This release contains new features available up to the
    (upcoming) Linux 4.14 kernel release:
  * Support for stateful objects; these objects are uniquely
    identified by a user-defined name, you can refer to them from
    rules, and there is a well established interface to operate
    with them.
  * Sort set elements when listing them, from lowest to largest.
  * TCP option matching and mangling support. This includes TCP
    maximum segment size mangling.
  * Add new "-s" option for listings without stateful information.
  * Add new -c/--check option for nft, to test if your ruleset
    loads fine into the kernel; this is a dry run mode.
  * Connection tracking helper support.
  * Add --echo option, to print the handle that the kernel
    allocates to uniquely identify rules.
  * Conntrack zone support
  * Symmetric hash support
  * Add support to include directories from nft native scripts;
    files are loaded in alphanumerical order.
  * Allow to check if IPv6 extension header or TCP option exists
    or is missing.
  * Extend quota support to display used bytes.
  * Add ct average matching, to match average bytes per packet a
    connection has transferred so far, to map the existing
    feature available in the iptables connbytes match.
  * Allow to flush maps and flow tables.
  * Allow to embed set definition into an existing set.
  * Conntrack event filtering support via rule.
* Tue Dec 20 2016 jengelh@inai.de
- Update to new upstream release 0.7
  * Add new fib expression, which can be used to obtain the
    output interface from the route table based on either source
    or destination address of a packet.
  * Support hashing of any arbitrary key combination, eg.
  * Add number generation support. Useful for round-robin packet
    mark setting.
  * Add quota support, eg.
  * Introduce routing expression, for routing related data with
    support for nexthop
  * Notrack support, to explicitly skip connection tracking for
    matching packets.
  * Support to set non-byte bound packet header fields, including
    checksum adjustment.
  * Add 'create set' and 'create element' commands.
  * Allow to use variable reference for set element definitions.
  * Allow to use variable definitions from element commands.
  * Add support to flush set. You can use this new command to
    remove all existing elements in a set.
  * Inverted set lookups.
  * Honor absolute and relative paths via include file, where:
  * Support log flags, to enable logging TCP sequence and options.
  * tc classid parser support, eg.
  * Allow numeric connlabels, so if connlabel still works with
    undefined labels.
* Thu Jun  2 2016 jengelh@inai.de
- Update to new upstream release 0.6
  * Rules may be replaced now
  * Flow table support (requires Linux >= 4.3)
  * Support for tracing
  * Ratelimiting now supports units like bytes/second.
  * Matching VLAN IDs, DSCP/ECN, ICMP RtAdv & RtSol
* Thu Sep 17 2015 jengelh@inai.de
- Update to new upstream release 0.5
  * Support combinations of two or more selectors to build a tuple
  * Timeout support for sets
  * Dormant flag for tables
  * Default chain policy specifiable on creation
* Sat May 23 2015 mrueckert@suse.de
- set the url to the project page
- pass --disable-silent-rules to configure to allow gcc post build
  check to work
* Tue Dec 16 2014 jengelh@inai.de
- Update to new upstream release 0.4
  * Since Linux 3.18: support for global ruleset operations
  * Since 3.17: full logging support for all the families,
    including nfnetlink_log
  * 3.16: automatic selection of the optimal set implementation
  * 3.14: reject support for ip, ip6 and inet
  * 3.18: reject support for bridge, and reject icmpx abstraction
  * 3.18: masquerade support
  * 3.19: redirect support
  * Extend meta to support pkttype, cpu and devgroup matching.
* Fri Jun 27 2014 jengelh@inai.de
- Update to new upstream release 0.3
  * More compact syntax for the queue action
  * Match input and output bridge interface name through "meta
    ibriport" and "meta obriport"
  * netlink event monitor, to monitor ruleset events, set changes, etc.
  * New transaction infrastructure - fully atomic updates for all
    objects available in the upcoming 3.16.
* Mon Jan 13 2014 jengelh@inai.de
- Initial package for build.opensuse.org