$ git diff --patch-with-stat --summary df071a9b84515c3a8ab1dfbbc6f2626d17ebe933..3674d9a5e6d05beafde08e26367e7d8c5923c9fa
.abf.yml | 2 +-
...ared-Fix-build-for-Werror-format-security.patch | 29 ---
0ebf52fc951b2a4d98a166afb34af4f364bbeece.patch | 33 ---
ed4082a7405a5838c205a34c1559e289949200cc.patch | 29 +++
iptables.spec | 231 +++------------------
5 files changed, 58 insertions(+), 266 deletions(-)
delete mode 100644 0001-xshared-Fix-build-for-Werror-format-security.patch
delete mode 100644 0ebf52fc951b2a4d98a166afb34af4f364bbeece.patch
create mode 100644 ed4082a7405a5838c205a34c1559e289949200cc.patch
diff --git a/.abf.yml b/.abf.yml
index f8c9b8e..a9ecd62 100644
--- a/.abf.yml
+++ b/.abf.yml
@@ -1,2 +1,2 @@
sources:
- iptables-1.8.8.tar.bz2: 98783621a5e58ff55f83b1350523f3de41af621d
+ iptables-1.8.9.tar.xz: f47bc1026858d7078c8d0544bbb9bea5c08fd9ad
diff --git a/0001-xshared-Fix-build-for-Werror-format-security.patch b/0001-xshared-Fix-build-for-Werror-format-security.patch
deleted file mode 100644
index ba6d2db..0000000
--- a/0001-xshared-Fix-build-for-Werror-format-security.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From fe9bd3b29dd7661e6f74c24db8356014798d1d78 Mon Sep 17 00:00:00 2001
-From: Phil Sutter <phil@nwl.cc>
-Date: Fri, 13 May 2022 16:51:58 +0200
-Subject: [PATCH] xshared: Fix build for -Werror=format-security
-
-Gcc complains about the omitted format string.
-
-Signed-off-by: Phil Sutter <phil@nwl.cc>
-(cherry picked from commit b72eb12ea5a61df0655ad99d5048994e916be83a)
----
- iptables/xshared.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/iptables/xshared.c b/iptables/xshared.c
-index fae5ddd5df93e..a8512d3808154 100644
---- a/iptables/xshared.c
-+++ b/iptables/xshared.c
-@@ -1307,7 +1307,7 @@ static void check_empty_interface(struct xtables_args *args, const char *arg)
- return;
-
- if (args->family != NFPROTO_ARP)
-- xtables_error(PARAMETER_PROBLEM, msg);
-+ xtables_error(PARAMETER_PROBLEM, "%s", msg);
-
- fprintf(stderr, "%s", msg);
- }
---
-2.34.1
-
diff --git a/0ebf52fc951b2a4d98a166afb34af4f364bbeece.patch b/0ebf52fc951b2a4d98a166afb34af4f364bbeece.patch
deleted file mode 100644
index ff34a75..0000000
--- a/0ebf52fc951b2a4d98a166afb34af4f364bbeece.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 0ebf52fc951b2a4d98a166afb34af4f364bbeece Mon Sep 17 00:00:00 2001
-From: Ben Brown <ben@demerara.io>
-Date: Wed, 25 May 2022 16:26:13 +0100
-Subject: build: Fix error during out of tree build
-
-Fixes the following error:
-
- ../../libxtables/xtables.c:52:10: fatal error: libiptc/linux_list.h: No such file or directory
- 52 | #include <libiptc/linux_list.h>
-
-Fixes: f58b0d7406451 ("libxtables: Implement notargets hash table")
-Signed-off-by: Ben Brown <ben@demerara.io>
-Signed-off-by: Phil Sutter <phil@nwl.cc>
----
- libxtables/Makefile.am | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libxtables/Makefile.am b/libxtables/Makefile.am
-index 8ff6b0ca..3bfded85 100644
---- a/libxtables/Makefile.am
-+++ b/libxtables/Makefile.am
-@@ -1,7 +1,7 @@
- # -*- Makefile -*-
-
- AM_CFLAGS = ${regular_CFLAGS}
--AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include -I${top_srcdir}/include -I${top_srcdir}/iptables ${kinclude_CPPFLAGS}
-+AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include -I${top_srcdir}/include -I${top_srcdir}/iptables -I${top_srcdir} ${kinclude_CPPFLAGS}
-
- lib_LTLIBRARIES = libxtables.la
- libxtables_la_SOURCES = xtables.c xtoptions.c getethertype.c
---
-cgit v1.2.3
-
diff --git a/ed4082a7405a5838c205a34c1559e289949200cc.patch b/ed4082a7405a5838c205a34c1559e289949200cc.patch
new file mode 100644
index 0000000..339a312
--- /dev/null
+++ b/ed4082a7405a5838c205a34c1559e289949200cc.patch
@@ -0,0 +1,29 @@
+From ed4082a7405a5838c205a34c1559e289949200cc Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Thu, 12 Jan 2023 14:38:44 +0100
+Subject: extensions: NAT: Fix for -Werror=format-security
+
+Have to pass either a string literal or format string to xt_xlate_add().
+
+Fixes: f30c5edce0413 ("extensions: Merge SNAT, DNAT, REDIRECT and MASQUERADE")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+---
+ extensions/libxt_NAT.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/extensions/libxt_NAT.c b/extensions/libxt_NAT.c
+index da9f2201..2a634398 100644
+--- a/extensions/libxt_NAT.c
++++ b/extensions/libxt_NAT.c
+@@ -424,7 +424,7 @@ __NAT_xlate(struct xt_xlate *xl, const struct nf_nat_range2 *r,
+ if (r->flags & NF_NAT_RANGE_PROTO_OFFSET)
+ return 0;
+
+- xt_xlate_add(xl, tgt);
++ xt_xlate_add(xl, "%s", tgt);
+ if (strlen(range_str))
+ xt_xlate_add(xl, " to %s", range_str);
+ if (r->flags & NF_NAT_RANGE_PROTO_RANDOM) {
+--
+cgit v1.2.3
+
diff --git a/iptables.spec b/iptables.spec
index d599485..57d2174 100644
--- a/iptables.spec
+++ b/iptables.spec
@@ -1,12 +1,4 @@
-# libip4tc and libip6tc are used by systemd,
-# libsystemd is used by wine
-%ifarch %{x86_64}
-%bcond_without compat32
-%else
-%bcond_with compat32
-%endif
-
-%global optflags %{optflags} -fno-strict-aliasing
+%global optflags %{optflags} -Oz -fno-strict-aliasing
%define dont_relink 1
# install init scripts to /usr/libexec with systemd
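Review bot: The new `%global optflags %{optflags} -Oz -fno-strict-aliasing` line overrides the distribution's optimisation level without saying why, and the comment block that used to explain the special-casing in this header is gone with the compat32 removal. Overriding distro-wide `optflags` is exactly what the next maintainer "cleans up" by accident, so a one-line justification is worth having, e.g. `# -Oz: optimise for size; keeps the distro hardening flags from %{optflags} intact`. If the builder uses GCC, `-Oz` is, as far as I recall, only accepted from GCC 12 onward, so the comment should also say which toolchain this was validated with since the spec gives no hint.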
@@ -17,9 +9,7 @@
%define iptlibname %mklibname iptables %{major}
%define develname %mklibname -d iptables
%define iptdevelname %mklibname -d iptables
-%define lib32name libxtables%{major}
-%define iptlib32name libiptables%{major}
-%define devel32name libiptables-devel
+
%define iptc_develname %mklibname -d iptc
%define iptc_devel32name libiptc-devel
@@ -27,31 +17,25 @@
%define ipq_major 0
%define ipq_libname %mklibname ipq %{ipq_major}
%define ipq_develname %mklibname -d ipq
-%define ipq_lib32name libipq%{ipq_major}
-%define ipq_devel32name libipq-devel
%define ip4tc_major 2
%define ip4tc_libname %mklibname ip4tc %{ip4tc_major}
%define ip4tc_develname %mklibname -d ip4tc
-%define ip4tc_lib32name libip4tc%{ip4tc_major}
-%define ip4tc_devel32name libip4tc-devel
%define ip6tc_major 2
%define ip6tc_libname %mklibname ip6tc %{ip6tc_major}
%define ip6tc_develname %mklibname -d ip6tc
-%define ip6tc_lib32name libip6tc%{ip6tc_major}
-%define ip6tc_devel32name libip6tc-devel
Name: iptables
Summary: Tools for managing Linux kernel packet filtering capabilities
URL: http://www.netfilter.org/projects/iptables
-Version: 1.8.8
-Release: 1
+Version: 1.8.9
+Release: 2
# pf.os: ISC license
# iptables-apply: Artistic Licence 2.0
License: GPLv2 and Artistic Licence 2.0 and ISC
Group: System/Kernel and hardware
-Source0: %{url}/files/%{name}-%{version}.tar.bz2
+Source0: %{url}/files/%{name}-%{version}.tar.xz
Source1: iptables.init
Source2: iptables-config
Source3: iptables.service
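Review bot: The new `Source0: %{url}/files/%{name}-%{version}.tar.xz` still composes its location from `URL:`, which is plain `http://`, so the 1.8.9 tarball is fetched without transport authentication and the only integrity pin is the SHA-1 recorded in `.abf.yml`. The scheme fix is a one-liner: `URL: https://www.netfilter.org/projects/iptables`. If upstream ships a detached signature for the `.tar.xz` (I believe netfilter.org does, but it is not visible here), adding it as a second source and verifying it in `%prep` would turn the SHA-1 pin into a real provenance check.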
@@ -60,8 +44,7 @@ Source5: sysconfig_ip6tables
Source6: arptables-nft-helper
Patch2: iptables-1.2.8-libiptc.h.patch
Patch3: iptables-1.8.2-dont_read_garbage.patch
-Patch10: https://src.fedoraproject.org/rpms/iptables/raw/rawhide/f/0001-xshared-Fix-build-for-Werror-format-security.patch
-Patch11: 0ebf52fc951b2a4d98a166afb34af4f364bbeece.patch
+Patch100: https://git.netfilter.org/iptables/patch/?id=ed4082a7405a5838c205a34c1559e289949200cc.patch
# libnetfilter_conntrack is needed for xt_connlabel
BuildRequires: pkgconfig(libnetfilter_conntrack)
# libnfnetlink-devel is requires for nfnl_osf
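Review bot: `Patch100` references a cgit URL whose last path component is `?id=ed4082…9200cc.patch`, while the file committed next to the spec is `ed4082a7405a5838c205a34c1559e289949200cc.patch`; rpm derives the expected local file name from the URL basename, so depending on how the build service resolves sources the two may not line up, and I am not sure cgit even accepts a `.patch` suffix appended to the object id. The usual fix is a fragment naming the local file, `Patch100: https://git.netfilter.org/iptables/patch/?id=ed4082a7405a5838c205a34c1559e289949200cc#/ed4082a7405a5838c205a34c1559e289949200cc.patch`, or simply the bare file name as the removed `Patch11` used. A short comment such as `# upstream fix for -Werror=format-security in extensions/libxt_NAT.c, drop at next release` would tell the next bump when it can go.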
@@ -84,12 +67,15 @@ Requires: %{name}-xtables = %{EVRD}
Requires(post): %{_sbindir}/update-alternatives
Requires(postun): %{_sbindir}/update-alternatives
Provides: userspace-ipfilter = %{version}
-%if %{with compat32}
-BuildRequires: devel(libmnl)
-BuildRequires: devel(libnftnl)
-BuildRequires: devel(libnfnetlink)
-BuildRequires: devel(libnetfilter_conntrack)
-%endif
+Obsoletes: libxtables12 < 1.8.9-1
+Obsoletes: libiptables12 < 1.8.9-1
+Obsoletes: libiptables-devel < 1.8.9-1
+Obsoletes: libipq0 < 1.8.9-1
+Obsoletes: libipq-devel < 1.8.9-1
+Obsoletes: libip4tc2 < 1.8.9-1
+Obsoletes: libip4tc-devel < 1.8.9-1
+Obsoletes: libip6tc2 < 1.8.9-1
+Obsoletes: libip6tc-devel < 1.8.9-1
%description
The iptables utility controls the network packet filtering code in the
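Review bot: The `Obsoletes:` list added here omits `libiptc-devel`, even though `%define iptc_devel32name libiptc-devel` is still defined and its `%package -n %{iptc_devel32name}` is removed further down in this commit; a system that had it installed keeps an orphaned package after the upgrade. Add `Obsoletes: libiptc-devel < 1.8.9-1` alongside the other `-devel` entries. Since the old `%{ip4tc_devel32name}` required it, the orphan would otherwise also keep satisfying a dependency that no longer exists.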
@@ -270,161 +256,28 @@ Provides: iptables
%description nft
nftables compatibility for iptables, arptables and ebtables.
-%if %{with compat32}
-%package -n %{lib32name}
-Summary: Shared iptables library (32-bit)
-Group: System/Libraries
-
-%description -n %{lib32name}
-iptables controls the Linux kernel network packet filtering code. It allows you
-to set up firewalls and IP masquerading, etc.
-
-This package contains the shared iptables library.
-
-%package -n %{devel32name}
-Summary: Static library and header files for the iptables library (32-bit)
-Group: Development/C
-Requires: kernel-headers
-Requires: %{develname} = %{version}-%{release}
-Requires: %{lib32name} = %{version}-%{release}
-
-%description -n %{devel32name}
-iptables controls the Linux kernel network packet filtering code. It allows you
-to set up firewalls and IP masquerading, etc.
-
-This package contains the static iptables library.
-
-# ipq
-%package -n %{ipq_lib32name}
-Summary: Shared iptables library (32-bit)
-Group: System/Libraries
-
-%description -n %{ipq_lib32name}
-iptables controls the Linux kernel network packet filtering code. It allows you
-to set up firewalls and IP masquerading, etc.
-
-This package contains the ipq library.
-
-%package -n %{ipq_devel32name}
-Summary: Static library and header files for the iptables library
-Group: Development/C
-Requires: kernel-headers
-Requires: %{ipq_develname} = %{version}-%{release}
-Requires: %{ipq_lib32name} = %{version}-%{release}
-
-%description -n %{ipq_devel32name}
-iptables controls the Linux kernel network packet filtering code. It allows you
-to set up firewalls and IP masquerading, etc.
-
-This package contains the ipq library.
-
-#iptc
-%package -n %{iptc_devel32name}
-Summary: Static library and header files for the iptables library (32-bit)
-Group: Development/C
-Requires: kernel-headers
-Requires: %{iptc_develname} = %{EVRD}
-
-%description -n %{iptc_devel32name}
-iptables controls the Linux kernel network packet filtering code. It allows you
-to set up firewalls and IP masquerading, etc.
-
-This package contains the IPTC library.
-
-# ip4tc
-%package -n %{ip4tc_lib32name}
-Summary: Shared iptables library (32-bit)
-Group: System/Libraries
-
-%description -n %{ip4tc_lib32name}
-iptables controls the Linux kernel network packet filtering code. It allows you
-to set up firewalls and IP masquerading, etc.
-
-This package contains the IP4TC library.
-
-%package -n %{ip4tc_devel32name}
-Summary: Static library and header files for the iptables library (32-bit)
-Group: Development/C
-Requires: kernel-headers
-Requires: %{ip4tc_lib32name} = %{version}-%{release}
-Requires: %{iptc_devel32name} = %{version}-%{release}
-Requires: %{ip4tc_develname} = %{EVRD}
-
-%description -n %{ip4tc_devel32name}
-iptables controls the Linux kernel network packet filtering code. It allows you
-to set up firewalls and IP masquerading, etc.
-
-This package contains the development files for IPTC library.
-
-# ip6tc
-%package -n %{ip6tc_lib32name}
-Summary: Shared iptables library (32-bit)
-Group: System/Libraries
-
-%description -n %{ip6tc_lib32name}
-iptables controls the Linux kernel network packet filtering code. It allows you
-to set up firewalls and IP masquerading, etc.
-
-This package contains the IP6TC library.
-
-%package -n %{ip6tc_devel32name}
-Summary: Static library and header files for the iptables library (32-bit)
-Group: Development/C
-Requires: kernel-headers
-Requires: %{ip6tc_develname} = %{EVRD}
-Requires: %{ip6tc_lib32name} = %{version}-%{release}
-
-%description -n %{ip6tc_devel32name}
-iptables controls the Linux kernel network packet filtering code. It allows you
-to set up firewalls and IP masquerading, etc.
-
-This package contains the development files for IP6TC library.
-%endif
-
%prep
%autosetup -p1
./autogen.sh
-export CONFIGURE_TOP="$(pwd)"
-
-%if %{with compat32}
-mkdir build32
-cd build32
-%configure32 \
- --enable-devel \
- --with-xtlibdir=%{_prefix}/lib/xtables \
- --with-ksource=%{_prefix}/src/linux \
- --enable-libipq
-cd ..
-%endif
-mkdir build
-cd build
+%build
%configure \
--enable-devel \
--enable-bpf-compiler \
--with-xtlibdir=%{_libdir}/xtables \
--with-ksource=%{_prefix}/src/linux \
--enable-libipq
+
# do not use rpath
sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool
sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
-%build
rm -f include/linux/types.h
-%if %{with compat32}
-%make_build -C build32
-%endif
-%make_build -C build
+%make_build
%install
-%if %{with compat32}
-%make_install -C build32
-# We need only the libs, not the binaries or
-# plugins
-rm -rf %{buildroot}%{_prefix}/lib/xtables
-%endif
-%make_install -C build
+%make_install
# install ip*tables.h header files
install -m 644 include/ip*tables.h %{buildroot}%{_includedir}/
@@ -454,10 +307,6 @@ install -c -m 644 %{SOURCE3} %{buildroot}/%{_unitdir}
sed -e 's;iptables;ip6tables;g' -e 's;IPv4;IPv6;g' -e 's;/usr/libexec/ip6tables;/usr/libexec/iptables;g' < %{SOURCE3} > ip6tables.service
install -c -m 644 ip6tables.service %{buildroot}/%{_unitdir}
-# install iptables-apply with man page
-install -m 755 iptables/iptables-apply %{buildroot}%{_sbindir}/
-install -m 644 build/iptables/iptables-apply.8 %{buildroot}%{_mandir}/man8/
-
rm -f %{buildroot}%{_sysconfdir}/ethertypes
install -p -D -m 755 %{SOURCE6} %{buildroot}%{_libexecdir}/
@@ -469,6 +318,12 @@ touch %{buildroot}%{_mandir}/man8/arptables-save.8
touch %{buildroot}%{_mandir}/man8/arptables-restore.8
touch %{buildroot}%{_mandir}/man8/ebtables.8
+# Drop xtables.conf, it's not used
+rm -f %{buildroot}%{_sysconfdir}/xtables.conf
+# fix absolute symlink
+rm -f %{buildroot}%{_bindir}/iptables-xml
+ln -s ../bin/xtables-legacy-multi %{buildroot}%{_bindir}/iptables-xml
+
%post
pfx=%{_sbindir}/iptables
pfx6=%{_sbindir}/ip6tables
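Review bot: The replacement link `ln -s ../bin/xtables-legacy-multi %{buildroot}%{_bindir}/iptables-xml` resolves to `%{_bindir}/../bin/…`, i.e. back into `%{_bindir}` itself, whereas the visible `%files` sections ship the multi-call binaries under `%{_sbindir}` (`%{_sbindir}/xtables-nft-multi`, the ghosted `%{_sbindir}/ip{,6}tables…`) and, as far as I recall, upstream installs `xtables-legacy-multi` into sbin too. Unless this distro merges sbin into bin, the link dangles and `iptables-xml` silently stops working; `ln -s ../sbin/xtables-legacy-multi` would be the matching target for a sbin install, though I cannot see where `xtables-legacy-multi` is listed. Either way, a `test -e %{buildroot}%{_bindir}/iptables-xml` right after the `ln` would turn a wrong target into a build failure instead of a runtime surprise.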
@@ -561,6 +416,7 @@ fi
%{_bindir}/iptables-xml
%doc %{_mandir}/man1/iptables-xml*
%doc %{_mandir}/man8/xtables-legacy*
+%{_datadir}/xtables/iptables.xslt
%ghost %{_sbindir}/ip{,6}tables{,-save,-restore}
%files xtables
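Review bot: The new `%{_datadir}/xtables/iptables.xslt` entry has no owner for its parent directory; unless `%dir %{_datadir}/xtables` is listed somewhere outside this hunk, the directory is unowned and survives package removal. Add `%dir %{_datadir}/xtables` directly above the new line, or own the tree with `%{_datadir}/xtables/`.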
@@ -629,6 +485,7 @@ fi
%{_sbindir}/ip{,6}tables-nft*
%{_sbindir}/ip{,6}tables{,-restore}-translate
%{_sbindir}/{eb,arp}tables-nft*
+%{_sbindir}/ebtables-translate
%{_sbindir}/xtables-nft-multi
%{_sbindir}/xtables-monitor
%dir %{_libdir}/xtables
@@ -638,41 +495,9 @@ fi
%doc %{_mandir}/man8/xtables-translate*
%doc %{_mandir}/man8/*-nft*
%doc %{_mandir}/man8/ip{,6}tables{,-restore}-translate*
+%doc %{_mandir}/man8//ebtables-translate.*
%ghost %{_sbindir}/ip{,6}tables{,-save,-restore}
%ghost %{_sbindir}/{eb,arp}tables{,-save,-restore}
%ghost %{_libexecdir}/arptables-helper
%ghost %{_mandir}/man8/arptables{,-save,-restore}.8%{_extension}
%ghost %{_mandir}/man8/ebtables.8%{_extension}
-
-%if %{with compat32}
-%files -n %{ipq_lib32name}
-%{_prefix}/lib/libipq.so.*
-
-%files -n %{ip4tc_lib32name}
-%{_prefix}/lib/libip4tc.so.*
-
-%files -n %{ip6tc_lib32name}
-%{_prefix}/lib/libip6tc.so.*
-
-%files -n %{lib32name}
-%{_prefix}/lib/libxtables.so.%{major}*
-
-%files -n %{devel32name}
-%{_prefix}/lib/libxtables.so
-%{_prefix}/lib/pkgconfig/xtables.pc
-
-%files -n %{ipq_devel32name}
-%{_prefix}/lib/pkgconfig/libipq.pc
-%{_prefix}/lib/libipq.so
-
-%files -n %{iptc_devel32name}
-%{_prefix}/lib/pkgconfig/libiptc.pc
-
-%files -n %{ip4tc_devel32name}
-%{_prefix}/lib/libip4tc.so
-%{_prefix}/lib/pkgconfig/libip4tc.pc
-
-%files -n %{ip6tc_devel32name}
-%{_prefix}/lib/libip6tc.so
-%{_prefix}/lib/pkgconfig/libip6tc.pc
-%endif
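Review bot: The new man page entry `%doc %{_mandir}/man8//ebtables-translate.*` carries a doubled slash; rpm tolerates it, but it reads as a typo and lint-style checks will flag it. Change it to `%doc %{_mandir}/man8/ebtables-translate.*` so it matches the sibling entries above it.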