--- /dev/null
+#include <getopt.h>
+#include <stdio.h>
+#include <xtables.h>
+#include <linux/netfilter/xt_cgroup.h>
+
+static void cgroup_help(void)
+{
+ printf(
+"cgroup match options:\n"
+"[!] --cgroup fwid Match cgroup fwid\n");
+}
+
+static const struct option cgroup_opts[] = {
+ { "cgroup", 1, NULL, 'c' },
+ { .name = NULL }
+};
+
+static int
+cgroup_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry,
+ struct xt_entry_match **target)
+{
+ struct xt_cgroup_info *cgroupinfo
+ = (struct xt_cgroup_info *)(*target)->data;
+
+ switch (c) {
+ case 'c': /* TODO 1 or 0 */
+ /* use optarg, due libopt is used */
+ if (sscanf(optarg, "%u", &cgroupinfo->id) != 1)
+ return 1;
+
+ cgroupinfo->invert = invert;
+ *flags = 1;
+ break;
+
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+static void
+cgroup_print(const void *ip, const struct xt_entry_match *match, int numeric)
+{
+ const struct xt_cgroup_info *info = (void *) match->data;
+
+ printf(" cgroup %s%u", info->invert ? "! ":"", info->id);
+}
+
+static void cgroup_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_cgroup_info *info = (void *) match->data;
+
+ printf("%s --cgroup %u", info->invert ? " !" : "", info->id);
+}
+
+static struct xtables_match cgroup_match = {
+ .family = NFPROTO_UNSPEC,
+ .name = "cgroup",
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_cgroup_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_cgroup_info)),
+ .help = cgroup_help,
+ .print = cgroup_print,
+ .save = cgroup_save,
+ .parse = cgroup_parse,
+ .extra_opts = cgroup_opts,
+};
+
+void _init(void)
+{
+ xtables_register_match(&cgroup_match);
+}
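Review bot: A malformed `--cgroup` value is accepted silently in `cgroup_parse`: when the `%u` scan fails the function returns 1 (option consumed) without touching `id`, `invert` or `*flags`, and `sscanf("%u")` also takes a leading minus and ignores trailing garbage, so `--cgroup -1` or `--cgroup 1x` installs a rule for a classid the administrator did not ask for. The `*flags = 1` set on the success path is never checked because `cgroup_match` registers no `.final_check`, so a bare `-m cgroup -j DROP` is accepted with `id` at whatever libxtables initialised it to (presumably zero) and then matches traffic of every process outside any net_cls cgroup. Both should fail loudly with `xtables_error(PARAMETER_PROBLEM, …)`; `xtables_strtoui` (present in recent libxtables, verify for this version) gives a whole-string, range-checked parse, and a `final_check` makes the option mandatory, as below.
```c
static int
cgroup_parse(int c, char **argv, int invert, unsigned int *flags,
             const void *entry,
             struct xt_entry_match **target)
{
	/* … unchanged: cgroupinfo points at (*target)->data … */
	switch (c) {
	case 'c':
		/* Whole-string, range-checked parse: reject instead of silently
		 * loading a rule for the wrong classid. */
		if (!xtables_strtoui(optarg, NULL, &cgroupinfo->id, 0, UINT32_MAX))
			xtables_error(PARAMETER_PROBLEM,
				      "cgroup: invalid fwid \"%s\"", optarg);
		cgroupinfo->invert = invert;
		*flags = 1;
		break;
	/* … unchanged: default case … */
	}

	return 1;
}

/* Refuse "-m cgroup" without --cgroup rather than matching classid 0. */
static void cgroup_check(unsigned int flags)
{
	if (!flags)
		xtables_error(PARAMETER_PROBLEM,
			      "cgroup: --cgroup option is required");
}

/* … in cgroup_match, next to .parse … */
	.final_check = cgroup_check,
```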
--- /dev/null
+.TP
+[\fB!\fP] \fB\-\-cgroup\fP \fIfwid\fP
+Match corresponding cgroup for this packet.
+
+Can be used to assign particular firewall policies for aggregated
+task/jobs on the system. This allows for more fine-grained firewall
+policies that only match for a subset of the system's processes.
+fwid is the maker set through the net_cls cgroup's id.
+.PP
+Example:
+.PP
+iptables \-A OUTPUT \-p tcp \-\-sport 80 \-m cgroup ! \-\-cgroup 1
+\-j DROP
+.PP
+Available since Linux 3.14.
*
* Error corections by nmalykh@bilim.com (22.01.2005)
*/
-#define _BSD_SOURCE 1
+#define _DEFAULT_SOURCE 1
#define _ISOC99_SOURCE 1
#include <math.h>
#include <stdbool.h>
* Jérôme de Vivie <devivie@info.enserb.u-bordeaux.fr>
* Hervé Eychenne <rv@wallfire.org>
*/
-#define _BSD_SOURCE 1
+#define _DEFAULT_SOURCE 1
#define _ISOC99_SOURCE 1
#include <math.h>
#include <stdio.h>
#include <stdio.h>
#include <string.h>
#include <xtables.h>
+#define __aligned_u64 __u64 __attribute__((aligned(8)))
#include <linux/if_packet.h>
#include <linux/netfilter/xt_pkttype.h>
--- /dev/null
+#ifndef _XT_CGROUP_H
+#define _XT_CGROUP_H
+
+#include <linux/types.h>
+
+struct xt_cgroup_info {
+ __u32 id;
+ __u32 invert;
+};
+
+#endif /* _XT_CGROUP_H */
--- /dev/null
+<manifest>
+ <request>
+ <domain name="_"/>
+ </request>
+</manifest>
xtables_multi_SOURCES += xshared.c
xtables_multi_LDADD += ../libxtables/libxtables.la -lm
-iptables_batch_SOURCES = iptables-batch.c iptables.c xshared.c
-iptables_batch_LDFLAGS = ${xtables_multi_LDFLAGS}
-iptables_batch_LDADD = ${xtables_multi_LDADD}
-ip6tables_batch_SOURCES = iptables-batch.c ip6tables.c xshared.c
-ip6tables_batch_CFLAGS = ${AM_CFLAGS} -DIP6T
-ip6tables_batch_LDFLAGS = ${xtables_multi_LDFLAGS}
-ip6tables_batch_LDADD = ${xtables_multi_LDADD}
-
-sbin_PROGRAMS = xtables-multi iptables-batch ip6tables-batch
+sbin_PROGRAMS = xtables-multi
man_MANS = iptables.8 iptables-restore.8 iptables-save.8 \
iptables-xml.1 ip6tables.8 ip6tables-restore.8 \
ip6tables-save.8 iptables-extensions.8
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
+CFLAGS += -fPIE
CPP = @CPP@
CPPFLAGS = @CPPFLAGS@
CYGPATH_W = @CYGPATH_W@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
LD = @LD@
LDFLAGS = @LDFLAGS@
+LDFLAGS += -pie
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
exit 2
fi
-COMMANDS=(mktemp "$SAVE" "$RESTORE")
+COMMANDS=(tempfile "$SAVE" "$RESTORE")
for cmd in "${COMMANDS[@]}"; do
if ! command -v $cmd >/dev/null; then
umask 0700
-TMPFILE=$(mktemp)
+TMPFILE=$(tempfile -p iptap)
trap "rm -f $TMPFILE" EXIT 1 2 3 4 5 6 7 8 10 11 12 13 14 15
if ! "$SAVE" >"$TMPFILE"; then
+++ /dev/null
-/libtool.m4
-/lt*.m4
+++ /dev/null
-Index: iptables-1.4.12.1+16/iptables/iptables-apply
-===================================================================
---- iptables-1.4.12.1+16.orig/iptables/iptables-apply
-+++ iptables-1.4.12.1+16/iptables/iptables-apply
-@@ -111,7 +111,7 @@ if [[ ! -r "$FILE" ]]; then
- exit 2
- fi
-
--COMMANDS=(tempfile "$SAVE" "$RESTORE")
-+COMMANDS=(mktemp "$SAVE" "$RESTORE")
-
- for cmd in "${COMMANDS[@]}"; do
- if ! command -v $cmd >/dev/null; then
-@@ -122,7 +122,7 @@ done
-
- umask 0700
-
--TMPFILE=$(tempfile -p iptap)
-+TMPFILE=$(mktemp)
- trap "rm -f $TMPFILE" EXIT 1 2 3 4 5 6 7 8 10 11 12 13 14 15
-
- if ! "$SAVE" >"$TMPFILE"; then
+++ /dev/null
----
- iptables/Makefile.am | 10
- iptables/iptables-batch.c | 468 ++++++++++++++++++++++++++++++++++++++++++++++
- 2 files changed, 477 insertions(+), 1 deletion(-)
-
-Index: iptables-1.4.12.1+16/iptables/Makefile.am
-===================================================================
---- iptables-1.4.12.1+16.orig/iptables/Makefile.am
-+++ iptables-1.4.12.1+16/iptables/Makefile.am
-@@ -24,7 +24,15 @@ endif
- xtables_multi_SOURCES += xshared.c
- xtables_multi_LDADD += ../libxtables/libxtables.la -lm
-
--sbin_PROGRAMS = xtables-multi
-+iptables_batch_SOURCES = iptables-batch.c iptables.c xshared.c
-+iptables_batch_LDFLAGS = ${xtables_multi_LDFLAGS}
-+iptables_batch_LDADD = ${xtables_multi_LDADD}
-+ip6tables_batch_SOURCES = iptables-batch.c ip6tables.c xshared.c
-+ip6tables_batch_CFLAGS = ${AM_CFLAGS} -DIP6T
-+ip6tables_batch_LDFLAGS = ${xtables_multi_LDFLAGS}
-+ip6tables_batch_LDADD = ${xtables_multi_LDADD}
-+
-+sbin_PROGRAMS = xtables-multi iptables-batch ip6tables-batch
- man_MANS = iptables.8 iptables-restore.8 iptables-save.8 \
- iptables-xml.1 ip6tables.8 ip6tables-restore.8 \
- ip6tables-save.8
-Index: iptables-1.4.12.1+16/iptables/iptables-batch.c
-===================================================================
---- /dev/null
-+++ iptables-1.4.12.1+16/iptables/iptables-batch.c
-@@ -0,0 +1,468 @@
-+/*
-+ * Author: Ludwig Nussel <ludwig.nussel@suse.de>
-+ * Update for iptables 1.4.3.x: Petr Uzel <petr.uzel@suse.cz>
-+ *
-+ * Based on the ipchains code by Paul Russell and Michael Neuling
-+ *
-+ * (C) 2000-2002 by the netfilter coreteam <coreteam@netfilter.org>:
-+ * Paul 'Rusty' Russell <rusty@rustcorp.com.au>
-+ * Marc Boucher <marc+nf@mbsi.ca>
-+ * James Morris <jmorris@intercode.com.au>
-+ * Harald Welte <laforge@gnumonks.org>
-+ * Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
-+ *
-+ * iptables-batch -- iptables batch processor
-+ *
-+ * See the accompanying manual page iptables(8) for information
-+ * about proper usage of this program.
-+ *
-+ * This program is free software; you can redistribute it and/or modify
-+ * it under the terms of the GNU General Public License as published by
-+ * the Free Software Foundation; either version 2 of the License, or
-+ * (at your option) any later version.
-+ *
-+ * This program is distributed in the hope that it will be useful,
-+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+ * GNU General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU General Public License
-+ * along with this program; if not, write to the Free Software
-+ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-+ */
-+
-+#define _GNU_SOURCE
-+#include <stdio.h>
-+#include <ctype.h>
-+#include <stdlib.h>
-+#include <errno.h>
-+#include <string.h>
-+
-+#ifdef IP6T
-+#include <ip6tables.h>
-+#else
-+#include <iptables.h>
-+#endif
-+#include <xtables.h>
-+
-+#ifdef IP6T
-+#define prog_name ip6tables_globals.program_name
-+#define prog_ver ip6tables_globals.program_version
-+#else
-+#define prog_name iptables_globals.program_name
-+#define prog_ver iptables_globals.program_version
-+#endif
-+
-+static char* errstr = NULL;
-+
-+static unsigned current_line = 0;
-+
-+static char*
-+skipspace(char* ptr)
-+{
-+ while(*ptr && isspace(*ptr))
-+ ++ptr;
-+ return ptr;
-+}
-+
-+static char*
-+getliteral(char** ptr)
-+{
-+ char* start = *ptr;
-+ char* p = start;
-+
-+ while(*p && !isspace(*p))
-+ ++p;
-+
-+ if(*p)
-+ {
-+ *p = '\0';
-+ ++p;
-+ }
-+
-+ *ptr = p;
-+ return start;
-+}
-+
-+static char*
-+getstring(char** ptr)
-+{
-+ char* start = *ptr+1; // skip leading "
-+ char* p = start;
-+ char* o = start;
-+ int backslash = 0;
-+ int done = 0;
-+
-+ while(*p && !done)
-+ {
-+ if(backslash)
-+ {
-+ backslash = 0;
-+ // no escapes supported, just eat the backslash
-+ *o++ = *p++;
-+ }
-+ else if(*p == '\\')
-+ {
-+ backslash = 1;
-+ p++;
-+ }
-+ else if(*p == '"')
-+ {
-+ done = 1;
-+ }
-+ else
-+ {
-+ *o++ = *p++;
-+ }
-+ }
-+
-+ if(done)
-+ {
-+ *o = '\0';
-+ *p = '\0';
-+ ++p;
-+ *ptr = p;
-+ }
-+ else
-+ {
-+ errstr = "missing \" at end of string";
-+ start = NULL;
-+ }
-+ return start;
-+}
-+
-+// this is just a very basic method, not 100% shell compatible
-+static char*
-+getword(char** ptr)
-+{
-+ *ptr = skipspace(*ptr);
-+ if(**ptr == '"')
-+ return getstring(ptr);
-+ return getliteral(ptr);
-+}
-+
-+// destructive
-+static int
-+tokenize(int* argc, char* argv[], size_t nargvsize, char* iline)
-+{
-+ char* ptr = skipspace(iline);
-+ int ret = 0;
-+ char* word;
-+
-+ while(ptr && *ptr)
-+ {
-+ if(*ptr == '#')
-+ break;
-+ if(*argc >= nargvsize)
-+ {
-+ errstr = "too many arguments";
-+ ret = -1;
-+ break;
-+ }
-+ word = getword(&ptr);
-+ if(!word)
-+ {
-+ ret = -1;
-+ break;
-+ }
-+ argv[(*argc)++] = word;
-+ ++ret;
-+ }
-+ return ret;
-+}
-+
-+#ifdef DEBUG
-+static void
-+dumpargv(int argc, char* argv[])
-+{
-+ int i;
-+ for(i=0; i < argc; ++i)
-+ {
-+ printf("%s\"%s\"",i?" ":"", argv[i]);
-+ }
-+ puts("");
-+}
-+#endif
-+
-+struct table_handle
-+{
-+ char* name;
-+#ifdef IP6T
-+ struct ip6tc_handle *handle;
-+#else
-+ struct iptc_handle *handle;
-+#endif
-+};
-+
-+static struct table_handle* tables = NULL;
-+static unsigned num_tables;
-+struct table_handle* current_table;
-+
-+static void
-+alloc_tables(void)
-+{
-+ tables = realloc(tables, sizeof(struct table_handle) * num_tables);
-+}
-+
-+static void
-+set_current_table(const char* name)
-+{
-+ unsigned i;
-+
-+ if(!strcmp(name, current_table->name)) // same as last time?
-+ return;
-+
-+ for(i = 0; i < num_tables; ++i) // find already known table
-+ {
-+ if(!strcmp(name, tables[i].name))
-+ {
-+ current_table = &tables[i];
-+ return;
-+ }
-+ }
-+
-+ // table name not known, create new
-+ i = num_tables++;
-+ alloc_tables();
-+ current_table = &tables[i];
-+ current_table->name = strdup(name);
-+ current_table->handle = NULL;
-+}
-+
-+static int
-+find_table(int argc, char* argv[])
-+{
-+ int i;
-+ for(i = 0; i < argc; ++i)
-+ {
-+ if(!strcmp(argv[i], "-t") || !strcmp(argv[i], "--table"))
-+ {
-+ ++i;
-+ if(i >= argc)
-+ {
-+ fprintf(stderr, "line %d: missing table name after %s\n",
-+ current_line, argv[i]);
-+ return 0;
-+ }
-+ set_current_table(argv[i]);
-+ return 1;
-+ }
-+ }
-+
-+ // no -t specified
-+ set_current_table("filter");
-+
-+ return 1;
-+}
-+
-+static int
-+do_iptables(int argc, char* argv[])
-+{
-+ char *table = "filter";
-+ int ret = 0;
-+
-+ if(!find_table(argc, argv))
-+ return 0;
-+
-+#ifdef IP6T
-+ ret = do_command6(argc, argv, &table, ¤t_table->handle);
-+
-+ if (!ret)
-+ {
-+ fprintf(stderr, "line %d: %s\n", current_line, ip6tc_strerror(errno));
-+ }
-+ else
-+ {
-+ if(!table || strcmp(table, current_table->name))
-+ {
-+ fprintf(stderr, "line %d: expected table %s, got %s\n",
-+ current_line, current_table->name, table);
-+ exit(1);
-+ }
-+ }
-+#else
-+ ret = do_command4(argc, argv, &table, ¤t_table->handle);
-+
-+ if (!ret)
-+ {
-+ fprintf(stderr, "line %d: %s\n", current_line, iptc_strerror(errno));
-+ }
-+ else
-+ {
-+ if(!table || strcmp(table, current_table->name))
-+ {
-+ fprintf(stderr, "line %d: expected table %s, got %s\n",
-+ current_line, current_table->name, table);
-+ exit(1);
-+ }
-+ }
-+#endif
-+
-+ return ret;
-+}
-+
-+static int
-+do_commit(void)
-+{
-+ unsigned i;
-+ int ret = 1;
-+
-+ for(i = 0; i < num_tables; ++i)
-+ {
-+ if(tables[i].handle)
-+ {
-+#ifdef IP6T
-+ ret = ip6tc_commit(tables[i].handle);
-+ if (!ret)
-+ fprintf(stderr, "commit failed on table %s: %s\n", tables[i].name, ip6tc_strerror(errno));
-+ ip6tc_free(tables[i].handle);
-+ tables[i].handle = NULL;
-+#else
-+ ret = iptc_commit(tables[i].handle);
-+ if (!ret)
-+ fprintf(stderr, "commit failed on table %s: %s\n", tables[i].name, iptc_strerror(errno));
-+ iptc_free(tables[i].handle);
-+ tables[i].handle = NULL;
-+#endif
-+ }
-+ }
-+
-+ return ret;
-+}
-+
-+static void
-+help(void)
-+{
-+ fprintf(stderr, "Usage: %s [FILE]\n\n", prog_name);
-+ puts("Read iptables commands from FILE, commit them at EOF\n");
-+ puts("In addition to normal iptables calls the commands");
-+ puts("'commit' and 'exit' are understood.");
-+ exit(0);
-+}
-+
-+int
-+main(int argc, char *argv[])
-+{
-+ int ret = 1;
-+ int c;
-+ int numtok;
-+ size_t llen = 0;
-+ char* iline = NULL;
-+ ssize_t r = -1;
-+ int nargc = 0;
-+ char* nargv[256];
-+ FILE* fp = stdin;
-+
-+#ifdef IP6T
-+ prog_name = "ip6tables-batch";
-+#else
-+ prog_name = "iptables-batch";
-+#endif
-+
-+#ifdef IP6T
-+ c = xtables_init_all(&ip6tables_globals, NFPROTO_IPV6);
-+#else
-+ c = xtables_init_all(&iptables_globals, NFPROTO_IPV4);
-+#endif
-+
-+ if(c < 0) {
-+ fprintf(stderr, "%s/%s Failed to initialize xtables\n",
-+ prog_name,
-+ prog_ver);
-+ exit(1);
-+ }
-+
-+#ifdef NO_SHARED_LIBS
-+ init_extensions();
-+#endif
-+ if(argc > 1)
-+ {
-+ if(!strcmp(argv[1], "--help") || !strcmp(argv[1], "-h"))
-+ {
-+ help();
-+ }
-+ else if(strcmp(argv[1], "-"))
-+ {
-+ fp = fopen(argv[1], "r");
-+ if(!fp)
-+ {
-+ perror("fopen");
-+ exit(1);
-+ }
-+ }
-+ }
-+
-+ num_tables = 4;
-+ alloc_tables();
-+ tables[0].name = "filter";
-+ tables[0].handle = NULL;
-+ tables[1].name = "mangle";
-+ tables[1].handle = NULL;
-+ tables[2].name = "nat";
-+ tables[2].handle = NULL;
-+ tables[3].name = "raw";
-+ tables[3].handle = NULL;
-+ current_table = &tables[0];
-+
-+ while((r = getline(&iline, &llen, fp)) != -1)
-+ {
-+ if(llen < 1 || !*iline)
-+ continue;
-+ if(iline[strlen(iline)-1] == '\n')
-+ iline[strlen(iline) -1 ] = '\0';
-+
-+ ++current_line;
-+ nargc = 0;
-+ errstr = NULL;
-+ numtok = tokenize(&nargc, nargv, (sizeof(nargv)/sizeof(nargv[0])), iline);
-+ if(numtok == -1)
-+ {
-+ }
-+ else if (numtok == 0)
-+ {
-+ continue;
-+ }
-+ else if(nargc < 1)
-+ {
-+ errstr = "insufficient number of arguments";
-+ }
-+
-+ if(errstr)
-+ {
-+ fprintf(stderr, "parse error in line %d: %s\n", current_line, errstr);
-+ ret = 0;
-+ break;
-+ }
-+
-+#ifdef DEBUG
-+ dumpargv(nargc, nargv);
-+#endif
-+
-+#ifdef IP6T
-+ if(!strcmp(nargv[0], "ip6tables"))
-+#else
-+ if(!strcmp(nargv[0], "iptables"))
-+#endif
-+ {
-+ ret = do_iptables(nargc, nargv);
-+ if(!ret) break;
-+ }
-+ else if(!strcmp(nargv[0], "exit"))
-+ {
-+ break;
-+ }
-+ else if(!strcmp(nargv[0], "commit"))
-+ {
-+ /* do nothing - see bnc#500990, comment #16 */
-+ }
-+ else
-+ {
-+ fprintf(stderr, "line %d: invalid command '%s'\n", current_line, nargv[0]);
-+ }
-+ }
-+
-+ if(ret)
-+ ret = do_commit();
-+
-+ exit(!ret);
-+}
+++ /dev/null
-* Fri Aug 16 2013 Anas Nashif <anas.nashif@intel.com> upstream/1.4.19.1@ed7885d
-- Update to 1.4.19.1
-
-* Mon Mar 18 2013 Anas Nashif <anas.nashif@intel.com> upstream/1.4.14@95689b2
-- Update package groups
-
+++ /dev/null
-<manifest>
- <request>
- <domain name="_"/>
- </request>
-</manifest>
-Name: iptables
-%define lname_ipq libipq
-%define lname_iptc libiptc
-%define lname_xt libxtables
-Version: 1.4.21
-Release: 0
-License: GPL-2.0+
-Summary: IP Packet Filter Administration utilities
-Group: Security/Network
-
-Url: http://netfilter.org/
-Source: ftp://ftp.netfilter.org/pub/iptables/%{name}-%{version}.tar.bz2
-Source1001: iptables.manifest
-BuildRequires: fdupes
-BuildRequires: libtool
-BuildRequires: pkgconfig >= 0.21
-BuildRequires: pkgconfig(libnfnetlink) >= 1.0.0
+Name: iptables
+Summary: Tools for managing Linux kernel packet filtering capabilities
+Version: 1.4.21
+Release: 1
+Group: System/Network
+Source: %{name}-%{version}.tar.gz
+URL: http://www.netfilter.org
+License: GPL-2.0+
+BuildRequires: kernel-headers
+Requires(post): /sbin/ldconfig
+Requires(postun): /sbin/ldconfig
%description
-iptables is used to set up, maintain, and inspect the tables of IP
-packet filter rules in the Linux kernel. This version requires kernel
-2.4.0 or newer.
-
-%package -n %lname_ipq
-Summary: Library to interface with the (old) ip_queue kernel mechanism
-
-%description -n %lname_ipq
-The Netfilter project provides a mechanism (ip_queue) for passing
-packets out of the stack for queueing to userspace, then receiving
-these packets back into the kernel with a verdict specifying what to
-do with the packets (such as ACCEPT or DROP). These packets may also
-be modified in userspace prior to reinjection back into the kernel.
-
-ip_queue/libipq is obsoleted by nf_queue/libnetfilter_queue!
-
-%package -n libipq-devel
-Summary: Development files for the ip_queue kernel mechanism
-Requires: %lname_ipq = %{version}
-
-%description -n libipq-devel
-The Netfilter project provides a mechanism (ip_queue) for passing
-packets out of the stack for queueing to userspace, then receiving
-these packets back into the kernel with a verdict specifying what to
-do with the packets (such as ACCEPT or DROP). These packets may also
-be modified in userspace prior to reinjection back into the kernel.
-
-ip_queue/libipq is obsoleted by nf_queue/libnetfilter_queue!
+The iptables utility controls the network packet filtering code in the
+Linux kernel. If you need to set up firewalls and/or IP masquerading,
+you should install this package.
+%package devel
+Summary: Development package for iptables
+Group: System/Network
+License: GPL-2.0+
+Requires: %{name} = %{version}
+Requires: pkgconfig
-%package -n xtables-plugins
-Summary: Match and Target Extension plugins for iptables
-Conflicts: iptables < 1.4.18
+%description devel
+iptables development headers and libraries.
-%description -n xtables-plugins
-Match and Target Extension plugins for iptables.
+The iptc interface is upstream marked as not public. The interface is not
+stable and may change with every new version. It is therefore unsupported.
-%package -n %lname_iptc
-Summary: Library for low-level ruleset generation and parsing
+%prep
+%setup -q
-%description -n %lname_iptc
-libiptc ("iptables cache") is used to retrieve from the kernel, parse,
-construct, and load new rulesets into the kernel.
-%package -n libiptc-devel
-Summary: Development files for libiptc, a packet filter ruleset library
-Requires: %lname_iptc = %{version}
-# NOT adding Obsoletes/Provides: iptables-devel, because that one has
-# been split into _two_ new pkgs (libxtables-devel, libiptc-devel).
-# NOTE: Please use pkgconfig(...) symbols for BuildRequires.
+%build
+export CFLAGS+=" $RPM_OPT_FLAGS -Wall -Werror -O2 -D_FORTIFY_SOURCE=2 -fno-strict-aliasing -Wno-unused-value"
+export LDFLAGS+=" -Wl,--as-needed"
-%description -n libiptc-devel
-libiptc ("iptables cache") is used to retrieve from the kernel, parse,
-construct, and load new rulesets into the kernel.
+%configure --enable-devel --with-kernel=/usr --with-kbuild=/usr --with-ksource=/usr
-%package -n %lname_xt
-Summary: iptables extension interface
+# do not use rpath
+sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool
+sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
-%description -n %lname_xt
-This library contains all the iptables code shared between iptables,
-ip6tables, their extensions, and for external integration for e.g.
-iproute2's m_xt.
+make %{?_smp_mflags}
-%package -n libxtables-devel
-Summary: Libraries, Headers and Development Man Pages for iptables
-Requires: %lname_xt = %{version}
-%description -n libxtables-devel
-This library contains all the iptables code shared between iptables,
-ip6tables, their extensions, and for external integration for e.g.
+%install
+make install DESTDIR=%{buildroot}
-Link your extension (iptables plugins) with $(pkg-config xtables
---libs) and place the plugin in the directory given by $(pkg-config
-xtables --variable=xtlibdir).
+# remove la file(s)
+rm -f %{buildroot}/%{_libdir}/*.la
-%prep
-%setup -q
-cp %{SOURCE1001} .
+# install ip*tables.h header files
+install -m 644 include/ip*tables.h %{buildroot}%{_includedir}/
+install -d -m 755 %{buildroot}%{_includedir}/iptables
+install -m 644 include/iptables/internal.h %{buildroot}%{_includedir}/iptables/
-%build
-# bnc#561793 - do not include unclean module in iptables manpage
-rm -f extensions/libipt_unclean.man
-# includedir is overriden on purpose to detect projects that
-# fail to include libxtables_CFLAGS
-%configure --includedir=%{_includedir}/%{name}-%{version} --enable-libipq
-make %{?_smp_mflags}
+# install ipulog header file
+install -d -m 755 %{buildroot}%{_includedir}/libipulog/
+install -m 644 include/libipulog/*.h %{buildroot}%{_includedir}/libipulog/
-%install
-%make_install
-# iptables-apply is not installed by upstream Makefile
-install -m0755 iptables/iptables-apply %{buildroot}%{_sbindir}/
-install -m0644 iptables/iptables-apply.8 %{buildroot}%{_mandir}/man8/
-rm -f "%{buildroot}/%{_libdir}"/*.la;
-%fdupes %{buildroot}
+# remove man pages
+rm -rf %{buildroot}%{_mandir}
# License
mkdir -p %{buildroot}%{_datadir}/license
cp COPYING %{buildroot}%{_datadir}/license/iptables
-%post -n %lname_ipq -p /sbin/ldconfig
-
-%postun -n %lname_ipq -p /sbin/ldconfig
-
-%post -n %lname_iptc -p /sbin/ldconfig
-
-%postun -n %lname_iptc -p /sbin/ldconfig
-
-%post -n %lname_xt -p /sbin/ldconfig
-
-%postun -n %lname_xt -p /sbin/ldconfig
-
+%post -p /sbin/ldconfig
+%postun -p /sbin/ldconfig
%docs_package
%files
-%manifest %{name}.manifest
-%defattr(-,root,root)
-%{_bindir}/iptables*
+%manifest iptables.manifest
%{_sbindir}/iptables*
%{_sbindir}/ip6tables*
-%{_sbindir}/xtables*
-%{_sbindir}/nfnl_osf
-%{_libdir}/xtables
-%{_datadir}/xtables
+%{_sbindir}/xtables-multi
+%{_bindir}/iptables-xml
+%dir %{_libdir}/xtables
+%{_libdir}/xtables/libipt*
+%{_libdir}/xtables/libip6t*
+%{_libdir}/xtables/libxt*
+%{_libdir}/libip*tc.so.*
+%{_libdir}/libxtables.so.*
%{_datadir}/license/iptables
-%files -n %lname_ipq
-%manifest %{name}.manifest
-%defattr(-,root,root)
-%{_libdir}/libipq.so.0*
-
-%files -n libipq-devel
-%manifest %{name}.manifest
-%defattr(-,root,root)
-%dir %{_includedir}/%{name}-%{version}
-%{_includedir}/%{name}-%{version}/libipq*
-%{_libdir}/libipq.so
-%{_libdir}/pkgconfig/libipq.pc
-
-%files -n %lname_iptc
-%manifest %{name}.manifest
-%defattr(-,root,root)
-%{_libdir}/libiptc.so.0*
-%{_libdir}/libip4tc.so.0*
-%{_libdir}/libip6tc.so.0*
-
-%files -n libiptc-devel
-%manifest %{name}.manifest
-%defattr(-,root,root)
-%dir %{_includedir}/%{name}-%{version}
-%{_includedir}/%{name}-%{version}/libiptc*
+%files devel
+%dir %{_includedir}/iptables
+%{_includedir}/iptables/*.h
+%{_includedir}/*.h
+%dir %{_includedir}/libiptc
+%{_includedir}/libiptc/*.h
+%dir %{_includedir}/libipulog
+%{_includedir}/libipulog/*.h
%{_libdir}/libip*tc.so
-%{_libdir}/pkgconfig/libip*tc.pc
-
-%files -n %lname_xt
-%manifest %{name}.manifest
-%defattr(-,root,root)
-%{_libdir}/libxtables.so.*
-
-
-%files -n xtables-plugins
-%defattr(-,root,root)
-%_libdir/xtables/
-%_sbindir/nfnl_osf
-%_datadir/xtables/
-
-%files -n libxtables-devel
-%manifest %{name}.manifest
-%defattr(-,root,root)
-%dir %{_includedir}/%{name}-%{version}
-%{_includedir}/%{name}-%{version}/xtables.h
-%{_includedir}/%{name}-%{version}/xtables-version.h
%{_libdir}/libxtables.so
+%{_libdir}/pkgconfig/libiptc.pc
+%{_libdir}/pkgconfig/libip4tc.pc
+%{_libdir}/pkgconfig/libip6tc.pc
%{_libdir}/pkgconfig/xtables.pc
-
-%changelog