%define build_devel 1 Name: iptables Summary: Tools for managing Linux kernel packet filtering capabilities Version: 1.3.3 Release: 3mdk Source: http://www.netfilter.org/files/%{name}-%{version}.tar.bz2 Source1: iptables.init Source2: ip6tables.init Source3: iptables.config Source4: ip6tables.config Source5: iptables-kernel-headers.tar.bz2 Patch1: iptables-1.3.2-stealth_grsecurity.patch.bz2 Patch2: iptables-1.2.8-imq.patch.bz2 Patch3: iptables-1.2.8-libiptc.h.patch.bz2 Patch4: iptables-1.3.2-fix_extension_test.patch.bz2 Patch5: iptables-1.3.2-ipp2p_extension.patch.bz2 Patch6: iptables-1.3.3-IFWLOG_extension.patch.bz2 Group: System/Kernel and hardware URL: http://netfilter.org/ BuildRoot: %{_tmppath}/%{name}-%{version}-root License: GPL BuildPrereq: /usr/bin/perl BuildRequires: kernel-source >= 2.4.13-3mdk Requires: kernel >= 2.4.13 Provides: userspace-ipfilter Prereq: chkconfig, rpm-helper Conflicts: ipchains %description iptables controls the Linux kernel network packet filtering code. It allows you to set up firewalls and IP masquerading, etc. Install iptables if you need to set up firewalling for your network. Install this only if you are using the 2.4 or 2.6 kernels!! %package ipv6 Summary: IPv6 support for iptables Group: System/Kernel and hardware Requires: %name = %version-%release Prereq: chkconfig, rpm-helper %description ipv6 IPv6 support for iptables. iptables controls the Linux kernel network packet filtering code. It allows you to set up firewalls and IP masquerading, etc. IPv6 is the next version of the IP protocol. Install iptables-ipv6 if you need to set up firewalling for your network and you're using ipv6. %if %{build_devel} %package devel Summary: Development package for iptables Group: Development/C Requires: %{name} = %{version} %description devel The iptables utility controls the network packet filtering code in the Linux kernel. If you need to set up firewalls and/or IP masquerading, you should install this package. %endif %prep %setup -q -a 5 %patch1 -p1 -b .stealth %patch2 -p1 -b .imq %patch3 -p1 -b .libiptc %patch4 -p1 -b .fix_extension_test %patch5 -p1 -b .ipp2p %patch6 -p1 -b .IFWLOG cp %{SOURCE3} iptables.sample cp %{SOURCE4} ip6tables.sample chmod +x extensions/.IMQ-test chmod +x extensions/.ipp2p-test chmod +x extensions/.IFWLOG-test find . -type f | xargs perl -pi -e "s,/usr/local,%{_prefix},g" %build %serverbuild %ifarch alpha OPT=`echo $RPM_OPT_FLAGS | sed -e "s/-O./-O1/"` %else OPT="$RPM_OPT_FLAGS -DNDEBUG" %endif for i in linux-2.6* do find extensions -name '*.[ao]' -o -name '*.so' | xargs rm -f make COPT_FLAGS="$OPT" KERNEL_DIR=$PWD/$i LIBDIR=/lib all rm -fr $i/extensions mkdir -p $i/extensions mv extensions/*.so $i/extensions done %install rm -rf $RPM_BUILD_ROOT # Dunno why this happens. -- Geoff %makeinstall_std BINDIR=/sbin MANDIR=%{_mandir} LIBDIR=/lib COPT_FLAGS="$RPM_OPT_FLAGS -DNETLINK_NFLOG=4" KERNEL_DIR=/usr install-experimental %if %{build_devel} make install-devel DESTDIR=%{buildroot} KERNEL_DIR=/usr BINDIR=/sbin LIBDIR=%{_libdir} MANDIR=%{_mandir} %endif rm -fr %buildroot/lib/iptables for i in linux-*; do mkdir -p %buildroot/lib/iptables.d/$i done for i in linux-*/extensions/*.so; do for j in %buildroot/lib/iptables.d/*; do if [ -e %buildroot/lib/iptables.d/${i%%%/*}/${i##*/} ]; then : elif cmp -s $i $j/${i##*/}; then ln $j/${i##*/} %buildroot/lib/iptables.d/${i%%%/*}/ else cp $i %buildroot/lib/iptables.d/${i%%%/*}/ fi done done install -c -D -m755 %{SOURCE1} %buildroot%{_initrddir}/iptables install -c -D -m755 %{SOURCE2} %buildroot%{_initrddir}/ip6tables %clean rm -rf $RPM_BUILD_ROOT $RPM_BUILD_DIR/file.list.%{name} %post %_post_service iptables # run only on fresh installation if [ $1 = 1 ]; then /sbin/service iptables check fi %triggerpostun -- iptables < 1.2.9-8mdk # fix upgrade from mdk < 10.2 /sbin/service iptables check %preun %_preun_service iptables %_preun_service iptables %post ipv6 %_post_service ip6tables %preun ipv6 %_preun_service ip6tables %files %defattr(-,root,root,0755) %config(noreplace) %{_initrddir}/iptables /sbin/iptables /sbin/iptables-save /sbin/iptables-restore %{_mandir}/*/iptables* %dir /lib/iptables.d %dir /lib/iptables.d/* /lib/iptables.d/*/libipt* %doc INSTALL INCOMPATIBILITIES iptables.sample %files ipv6 %defattr(-,root,root,0755) %config(noreplace) %{_initrddir}/ip6tables /sbin/ip6tables /sbin/ip6tables-save /sbin/ip6tables-restore %{_mandir}/*/ip6tables* %dir /lib/iptables.d %dir /lib/iptables.d/* /lib/iptables.d/*/libip6t* %doc INSTALL INCOMPATIBILITIES ip6tables.sample %if %{build_devel} %files devel %defattr(-,root,root,0755) %{_includedir}/libipq.h %{_libdir}/libipq.a %{_libdir}/libiptc.a %{_mandir}/man3/* %endif %changelog * Wed Aug 10 2005 Samir Bellabes <sbellabes@mandriva.com> 1.3.3-3mdk - rebuild with new kernel headers 2.6.12-9mdk. * Wed Aug 3 2005 Samir Bellabes <sbellabes@mandriva.com> 1.3.3-2mdk - IFWLOG target * Fri Jul 29 2005 Samir Bellabes <sbellabes@mandriva.com> 1.3.3-1mdk - update to version 1.3.3 * Wed Jul 27 2005 Samir Bellabes <sbellabes@mandriva.com> 1.3.2-2mdk - update kernel headers to lastest versions (2.6.12-8mdk) and fix malformed path in iptables-kernel-headers.tar.bz2 - fix lot of extensions test : Makefile check for $KERNEL_DIR/net/*/*/*.c but we provide only headers files ($KERNEL_DIR/include/linux/*/*.h) So test failed every time, and we don't get extension. - add ipp2p extension, that is not in upstream iptables-1.3.2 - deleted extensions for linux-2.4 ( obsolete by now ) * Wed Jul 13 2005 Herton Ronaldo Krzesinski <herton@mandriva.com> 1.3.2-1mdk - new upstream version: 1.3.2. - redid stealth patch. - obsoleted patch CAN-2004-0986. - updated kernel headers to latest versions (2.6.12.2 & 2.4.31). * Sat Apr 02 2005 Luca Berra <bluca@vodka.it> 1.2.9-8mdk - update kernel headers, we now have 4 flavors - update initscript to test all flavors * Tue Nov 02 2004 Vincent Danen <vdanen@mandrakesoft.com> 1.2.9-7.1.101mdk - security fix for CAN-2004-0986 * Wed Jun 02 2004 Florin <florin@mandrakesoft.com> 1.2.9-7mdk - add new extenions: see the kernel changelog here below - netfilter (CLASSIFY CONNMARK IPMARK TARPIT addrtype condition connbytes h323-conntrack-nat owner-socketlookup pptp-conntrack-nat connlimit dstlimit iprange mport nth osf quota random time rtsp-conntrack) * Wed Jun 02 2004 Florin <florin@mandrakesoft.com> 1.2.9-6mdk - add the devel package * Sun Feb 15 2004 Luca Berra <bluca@vodka.it> 1.2.9-5mdk - fix detection of iptables version at boot (again) * Wed Jan 28 2004 Marcel Pol <mpol@mandrake.org> 1.2.9-4mdk - update-alternatives seems unreliable, sorry * Sun Jan 25 2004 Marcel Pol <mpol@mandrake.org> 1.2.9-3mdk - doh, I can't read * Sun Jan 25 2004 Luca Berra <bluca@vodka.it> 1.2.9-2mdk - compatible with both 2.4 and 2.6 (with and without pptp_conntrack) - added check option to initscripts - use alternatives (mpol) * Fri Nov 28 2003 Juan Quintela <quintela@mandrakesoft.com> 1.2.9-1mdk - IMQ should work now (cross fingers). - reddiff stealth patch. - 1.2.9. * Wed Oct 8 2003 Juan Quintela <quintela@mandrakesoft.com> 1.2.9-0rc1mdk - 1.2.9rc1. * Tue Aug 26 2003 Juan Quintela <quintela@mandrakesoft.com> 1.2.8-2mdk - added imq support. * Wed Jul 30 2003 Juan Quintela <quintela@mandrakesoft.com> 1.2.8-1mdk - stealth module support. - remove patch2 (anti chrash in iptables-restore), different solution upstream. - 1.2.8. * Fri Jul 25 2003 Per Øyvind Karlsen <peroyvind@sintrax.net> 1.2.7a-3mdk - rebuild - rm -rf $RPM_BUILD_ROOT at the beginning of %%install, not in %%prep - use %%make macro - use %%makeinstall_std macro * Thu Feb 27 2003 Florin <florin@mandrakesoft.com> 1.2.7a-2mdk - rebuild * Tue Dec 3 2002 Juan Quintela <quintela@mandrakesoft.com> 1.2.7a-1mdk - Prereq rpm-helper. - really include ipv6 manpages. - 1.2.7a. * Sat Apr 13 2002 Juan Quintela <quintela@mandrakesoft.com> 1.2.6a-1mdk - removed old comparation to remove default configuration in post install. - merge with iptables-1.2.5-3 form rh. * Mon Apr 8 2002 Vincent Danen <vdanen@mandrakesoft.com> 1.2.5-2mdk - Conflicts: ipchains * Tue Jan 29 2002 Juan Quintela <quintela@mandrakesoft.com> 1.2.5-1mdk - compile with -NDEBUG, as it is the only way to get compatibility. - fixed source tag. - 1.2.5. * Wed Nov 7 2001 Juan Quintela <quintela@mandrakesoft.com> 1.2.4-2mdk - Added support for newnat, now iptables should also work for 2.4 linus kernels. * Wed Oct 31 2001 Juan Quintela <quintela@mandrakesoft.com> 1.2.4-1mdk - %config are (noreplace) again. - 1.2.4 * Mon Oct 8 2001 Juan Quintela <quintela@mandrakesoft.com> 1.2.3-1mdk - remove .mport-test chmod. - Added Ben Reser <ben@reser.org> optimization of not flushing the channels before calling iptables-restore & adopted that for ip6tables. - removed this time also ip6tables if it is the default one. - removed cvs-fixes & save patches (integrated upstream). - 1.2.3. * Thu Sep 27 2001 Juan Quintela <quintela@mandrakesoft.com> 1.2.2-9mdk - /etc/sysconfig/iptables moved to %doc iptables.sample. - /etc/sysconfig/iptables moved to %doc ipt6ables.sample. - We need that because we don't want something for default in a firewall. - We remove the /etc/sysconfig/ip[6]tables if it is the default one, we need that to let drakgw to work, agreed with gc (drakgw author) on this change. * Mon Sep 24 2001 Juan Quintela <quintela@mandrakesoft.com> 1.2.2-8mdk - changed init level from 08 to 03 (vdanen). * Fri Sep 14 2001 Juan Quintela <quintela@mandrakesoft.com> 1.2.2-7mdk - remove the $NAME var as rpmlint don't like it :( * Fri Sep 14 2001 Juan Quintela <quintela@mandrakesoft.com> 1.2.2-6mdk - put a $NAME macro. - More fixes from Ben Reser <ben@reser.org>: - s/ipt6ables/ip6tables/ (I found another like this). * Thu Sep 13 2001 Juan Quintela <quintela@mandrakesoft.com> 1.2.2-5mdk - ipv6 initscript is the same style than ipv4 one. - %doc added - fix a lot of rpmlint errors. - merge the fixes of Ben Reser (some of them have conflicts). - vdanen merger a lof of Ben Reser fixes. - many fixes from Ben Reser <ben@reser.org>: - fixed segfault in iptables-restore - added ipv6 initscript - changed iptables initscript to use iptables-restore - added default config files in /etc/sysconfig - added ip6tables-save and ip6tables-restore - fixed mport-test * Sun Aug 5 2001 Chmouel Boudjnah <chmouel@mandrakesoft.com> 1.2.2-4mdk - Merge with rh changes (init/patches). * Mon Jun 25 2001 Juan Quintela <quintela@mandrakesoft.com> 1.2.2-3mdk - Simple rebuilt due to kernel changes. * Sat Jun 02 2001 Geoffrey Lee <snaitalk@mandrakesoft.com> 1.2.2-2mdk - Silently rebuild iptables. * Tue May 08 2001 Thierry Vignaud <tvignaud@mandrakesoft.com> 1.2.2-1mdk - new version * Thu Apr 19 2001 Geoffrey Lee <snailtalk@mandrakesoft.com> 1.2.1a-1mdk - Put 1.2.1a in cooker. - While I am at it, fix the URL, kernelnotes seems to be down. - No need to define NETLINK_NFGLOG=4 anymore. * Wed Mar 28 2001 Geoffrey Lee <snailtalk@mandrakesoft.com> 1.2.1-4mdk - Provides: userspace-ipfilter (Jay Beale). - use server macros * Sat Mar 24 2001 David BAUDENS <baudens@mandrakesoft.com> 1.2.1-3mdk - PPC: build with gcc - Requires: %%version-%%release and not only %%version * Fri Mar 23 2001 Geoffrey Lee <snailtalk@mandrakesoft.com> 1.2.1-2mdk - Patches from Abel Cheung <maddog@linuxhall.org> - Cleaner build routine. - (noreplace) and %%config for the SysV initscripts. * Sun Mar 18 2001 Geoffrey Lee <snailtalk@mandrakesoft.com> 1.2.1-1mdk - Update to 1.2.1. - Stock build w/o patch-o-matic was broke so fix it. * Mon Mar 05 2001 Geoffrey Lee <snailtalk@mandrakesoft.com> 1.2-4mdk - Really fix the init script (Sebastian Dransfeld). * Sun Mar 04 2001 Geoffrey Lee <snailtalk@mandrakesoft.com> 1.2-3mdk - Fix the broken iptables SysV init script (Sebastian Dransfeld). * Fri Mar 02 2001 Chmouel Boudjnah <chmouel@mandrakesoft.com> 1.2-2mdk - Merge with rh packages (build iptables-* add ipv6 package, add CVS fixes). * Tue Jan 09 2001 Geoffrey Lee <snailtalk@mandrakesoft.com> 1.2-1mdk - new and shiny source. * Sat Dec 16 2000 Geoffrey Lee <snailtalk@mandrakesoft.com> 1.1.2-2mdk - really build it on the alpha with egcs. * Sat Dec 16 2000 Geoffrey Lee <snailtalk@mandrakesoft.com> 1.1.2-1mdk - shamelessly rip a rpm from Red Hat. - update to 1.1.2. - build on alpha as well. * Thu Aug 17 2000 Bill Nottingham <notting@redhat.com> - build everywhere * Tue Jul 25 2000 Bernhard Rosenkraenzer <bero@redhat.com> - 1.1.1 * Thu Jul 13 2000 Prospector <bugzilla@redhat.com> - automatic rebuild * Tue Jun 27 2000 Preston Brown <pbrown@redhat.com> - move iptables to /sbin. - excludearch alpha for now, not building there because of compiler bug(?) * Fri Jun 9 2000 Bill Nottingham <notting@redhat.com> - don't obsolete ipchains either - update to 1.1.0 * Mon Jun 4 2000 Bill Nottingham <notting@redhat.com> - remove explicit kernel requirement * Tue May 2 2000 Bernhard Rosenkränzer <bero@redhat.com> - initial package