# enable systemd for Fedora-16 and RHEL-7

%if 0%{?fedora} > 15 || 0%{?rhel} > 6

    %bcond_without systemd

%else

    %bcond_with systemd

%endif

# install init scripts to /usr/libexec with systemd

%if %{with systemd}

    %define script_path %{_libexecdir}/iptables

%else

    %define script_path /etc/rc.d/init.d

%endif

# service legacy actions (RHBZ#748134)

%define legacy_actions %{_libexecdir}/initscripts/legacy-actions

# default service

%if 0%{?fedora} < 18 && 0%{?rhel} < 7

    %bcond_without default_service

%else

    %bcond_with default_service

%endif

Name: iptables

Summary: Tools for managing Linux kernel packet filtering capabilities

Version: 1.4.16.2

Release: 4%{?dist}

Source: http://www.netfilter.org/projects/iptables/files/%{name}-%{version}.tar.bz2

Source1: iptables.init

Source2: iptables-config

Source3: iptables.service

Source4: iptables.save-legacy

Group: System Environment/Base

URL: http://www.netfilter.org/

BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)

License: GPLv2

# libnfnetlink-devel is requires for nfnl_osf

BuildRequires: libnfnetlink-devel

BuildRequires: libselinux-devel

BuildRequires: kernel-headers

Conflicts: kernel < 2.4.20

%if %{with systemd}

BuildRequires: systemd-units

%endif

%if %{_lib} == lib64

Provides: libxtables.so.7()(64bit)

%else

Provides: libxtables.so.7

%endif

%description

The iptables utility controls the network packet filtering code in the

Linux kernel. If you need to set up firewalls and/or IP masquerading,

you should install this package.

%package devel

Summary: Development package for iptables

Group: System Environment/Base

Requires: %{name} = %{version}-%{release}

Requires: pkgconfig

%description devel

iptables development headers and libraries.

The iptc interface is upstream marked as not public. The interface is not 

stable and may change with every new version. It is therefore unsupported.

%package services

Summary: iptables and ip6tables services for iptables

Group: System Environment/Base

Requires: %{name} = %{version}-%{release}

%if %{with systemd}

Requires(post): systemd-units

Requires(post): systemd-sysv

Requires(preun): systemd-units

Requires(postun): systemd-units

Conflicts: systemd < 38

Conflicts: filesystem < 3

%else

Requires(post): chkconfig

Requires(preun): chkconfig

%endif

# provide and obsolete old main package

Provides: %{name} = 1.4.16.1

Obsoletes: %{name} <= 1.4.16.1

# provide and obsolte ipv6 sub package

Provides: %{name}-ipv6 = 1.4.11.1

Obsoletes: %{name}-ipv6 <= 1.4.11.1

%description services

iptables services for IPv4 and IPv6

This package provides the services iptables and ip6tables that have been split

out of the base package since they are not active by default anymore.

%package utils

Summary: iptables and ip6tables services for iptables

Group: System Environment/Base

Requires: %{name} = %{version}-%{release}

%description utils

Utils for iptables.

Currently only provides nfnl_osf with the pf.os database.

%prep

%setup -q

%build

CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing " \

./configure --enable-devel --bindir=%{_bindir} --sbindir=%{_sbindir} --sysconfdir=/etc --libdir=%{_libdir} --libexecdir=%{_libdir} --mandir=%{_mandir} --includedir=%{_includedir} --datadir=%{_datadir}  --with-kernel=/usr --with-kbuild=/usr --with-ksource=/usr

# do not use rpath

sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool

sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool

rm -f include/linux/types.h

make %{?_smp_mflags}

%install

rm -rf %{buildroot}

make install DESTDIR=%{buildroot} 

# remove la file(s)

rm -f %{buildroot}/%{_libdir}/*.la

# install ip*tables.h header files

install -m 644 include/ip*tables.h %{buildroot}%{_includedir}/

install -d -m 755 %{buildroot}%{_includedir}/iptables

install -m 644 include/iptables/internal.h %{buildroot}%{_includedir}/iptables/

# install ipulog header file

install -d -m 755 %{buildroot}%{_includedir}/libipulog/

install -m 644 include/libipulog/*.h %{buildroot}%{_includedir}/libipulog/

# install init scripts and configuration files

install -d -m 755 %{buildroot}%{script_path}

install -c -m 755 %{SOURCE1} %{buildroot}%{script_path}/iptables.init

sed -e 's;iptables;ip6tables;g' -e 's;IPTABLES;IP6TABLES;g' < %{SOURCE1} > ip6tables.init

install -c -m 755 ip6tables.init %{buildroot}%{script_path}/ip6tables.init

install -d -m 755 %{buildroot}/etc/sysconfig

install -c -m 755 %{SOURCE2} %{buildroot}/etc/sysconfig/iptables-config

sed -e 's;iptables;ip6tables;g' -e 's;IPTABLES;IP6TABLES;g' < %{SOURCE2} > ip6tables-config

install -c -m 755 ip6tables-config %{buildroot}/etc/sysconfig/ip6tables-config

%if %{with systemd}

# install systemd service files

install -d -m 755 %{buildroot}/%{_unitdir}

install -c -m 755 %{SOURCE3} %{buildroot}/%{_unitdir}

sed -e 's;iptables;ip6tables;g' -e 's;IPv4;IPv6;g' < %{SOURCE3} > ip6tables.service

install -c -m 755 ip6tables.service %{buildroot}/%{_unitdir}

%endif

# install legacy actions for service command

install -d %{buildroot}/%{legacy_actions}/iptables

install -d %{buildroot}/%{legacy_actions}/ip6tables

install -c -m 755 %{SOURCE4} %{buildroot}/%{legacy_actions}/iptables/save

sed -e 's;iptables.init;ip6tables.init;g' -e 's;IPTABLES;IP6TABLES;g' < %{buildroot}/%{legacy_actions}/iptables/save > ip6tabes.save-legacy

install -c -m 755 ip6tabes.save-legacy %{buildroot}/%{legacy_actions}/ip6tables/save

%clean

rm -rf %{buildroot}

%if %{with systemd}

%post -p /sbin/ldconfig

%postun -p /sbin/ldconfig

%post services

if [ $1 -eq 1 ] ; then # Initial installation

   /bin/systemctl daemon-reload >/dev/null 2>&1 || :

%if %{with default_service}

   /bin/systemctl enable iptables.service >/dev/null 2>&1 || :

   /bin/systemctl enable ip6tables.service >/dev/null 2>&1 || :

%endif

fi

%preun services

if [ $1 -eq 0 ]; then # Package removal, not upgrade

   /bin/systemctl --no-reload disable iptables.service > /dev/null 2>&1 || :

   /bin/systemctl --no-reload disable ip6tables.service > /dev/null 2>&1 || :

   /bin/systemctl stop iptables.service > /dev/null 2>&1 || :

   /bin/systemctl stop ip6tables.service > /dev/null 2>&1 || :

fi

%postun services

/sbin/ldconfig

/bin/systemctl daemon-reload >/dev/null 2>&1 || :

if [ $1 -ge 1 ] ; then # Package upgrade, not uninstall

   /bin/systemctl try-restart iptables.service >/dev/null 2>&1 || :

   /bin/systemctl try-restart ip6tables.service >/dev/null 2>&1 || :

fi

%triggerun -- iptables < 1.4.11.1-3

# To apply saved runlevel, use systemd-sysv-convert --apply iptables

%{_bindir}/systemd-sysv-convert --save iptables >/dev/null 2>&1 ||:

# Autostart

%if %{with default_service}

/bin/systemctl --no-reload enable iptables.service >/dev/null 2>&1 ||:

%endif

# Delete from sysv management, try to restart service

/sbin/chkconfig --del iptables >/dev/null 2>&1 || :

/bin/systemctl try-restart iptables.service >/dev/null 2>&1 || :

%triggerun -- iptables-ipv6 < 1.4.11.1-3

# To apply saved runlevel, use systemd-sysv-convert --apply iptables

%{_bindir}/systemd-sysv-convert --save ip6tables >/dev/null 2>&1 ||:

# Autostart

%if %{with default_service}

/bin/systemctl --no-reload enable ip6tables.service >/dev/null 2>&1 ||:

%endif

# Delete from sysv management, try to restart service

/sbin/chkconfig --del ip6tables >/dev/null 2>&1 || :

/bin/systemctl try-restart ip6tables.service >/dev/null 2>&1 || :

%else # no systemd

%post -p /sbin/ldconfig

%post services

/sbin/chkconfig --add iptables

/sbin/chkconfig --add ip6tables

%preun services

if [ $1 -eq 0 ]; then

   /sbin/chkconfig --del iptables

   /sbin/chkconfig --del ip6tables

fi

%postun -p /sbin/ldconfig

%endif # systemd

%files

%defattr(-,root,root)

%doc COPYING INSTALL INCOMPATIBILITIES

%config(noreplace) %attr(0600,root,root) /etc/sysconfig/iptables-config

%config(noreplace) %attr(0600,root,root) /etc/sysconfig/ip6tables-config

%{_sbindir}/iptables*

%{_sbindir}/ip6tables*

%{_sbindir}/xtables-multi

%{_bindir}/iptables-xml

%{_mandir}/man1/iptables-xml*

%{_mandir}/man8/iptables*

%{_mandir}/man8/ip6tables*

%dir %{_libdir}/xtables

%{_libdir}/xtables/libipt*

%{_libdir}/xtables/libip6t*

%{_libdir}/xtables/libxt*

%{_libdir}/libip*tc.so.*

%{_libdir}/libxtables.so.*

%files devel

%defattr(-,root,root)

%dir %{_includedir}/iptables

%{_includedir}/iptables/*.h

%{_includedir}/*.h

%dir %{_includedir}/libiptc

%{_includedir}/libiptc/*.h

%dir %{_includedir}/libipulog

%{_includedir}/libipulog/*.h

%{_libdir}/libip*tc.so

%{_libdir}/libxtables.so

%{_libdir}/pkgconfig/libiptc.pc

%{_libdir}/pkgconfig/libip4tc.pc

%{_libdir}/pkgconfig/libip6tc.pc

%{_libdir}/pkgconfig/xtables.pc

%files services

%attr(0755,root,root) %{script_path}/iptables.init

%attr(0755,root,root) %{script_path}/ip6tables.init

%if %{with systemd}

%{_unitdir}/iptables.service

%{_unitdir}/ip6tables.service

%endif

%{legacy_actions}/iptables/save

%{legacy_actions}/ip6tables/save

%files utils

%{_sbindir}/nfnl_osf

%dir %{_datadir}/xtables

%{_datadir}/xtables/pf.os

%changelog

* Fri Nov  2 2012 Thomas Woerner <twoerner@redhat.com> 1.4.16.2-4

- fixed missing services for update of pre F-18 installations (rhbz#867960)

  - provide and obsolete old main package in services sub package

  - provide and obsolete old ipv6 sub package (pre F-17) in services sub package

* Sun Oct 14 2012 Dan Horák <dan[at]dany.cz> 1.4.16.2-3

- fix the compat provides for all 64-bit arches

* Fri Oct 12 2012 Thomas Woerner <twoerner@redhat.com> 1.4.16.2-2

- new sub package services providing the systemd services (RHBZ#862922)

- new sub package utils: provides nfnl_osf and the pf.os database

- using %{_libexecdir}/iptables as script path for the original init scripts

- added service iptables save funcitonality using the new way provided by 

  initscripts 9.37.1 (RHBZ#748134)

- added virtual provide for libxtables.so.7

* Mon Oct  8 2012 Thomas Woerner <twoerner@redhat.com> 1.4.16.2-1

- new version 1.4.16.2

  - build: support for automake-1.12

  - build: separate AC variable replacements from xtables.h

  - build: have `make clean` remove dep files too

  - doc: grammatical updates to libxt_SET

  - doc: clean up interpunction in state list for xt_conntrack

  - doc: deduplicate extension descriptions into a new manpage

  - doc: trim "state" manpage and reference conntrack instead

  - doc: have NOTRACK manpage point to CT instead

  - doc: mention iptables-apply in the SEE ALSO sections

  - extensions: libxt_addrtype: fix type in help message

  - include: add missing linux/netfilter_ipv4/ip_queue.h

  - iptables: fix wrong error messages

  - iptables: support for match aliases

  - iptables: support for target aliases

  - iptables-restore: warn about -t in rule lines

  - ip[6]tables-restore: cleanup to reduce one level of indentation

  - libip6t_frag: match any frag id by default

  - libxtables: consolidate preference logic

  - libxt_devgroup: consolidate devgroup specification parsing

  - libxt_devgroup: guard against negative numbers

  - libxt_LED: guard against negative numbers

  - libxt_NOTRACK: replace as an alias to CT --notrack

  - libxt_state: replace as an alias to xt_conntrack

  - libxt_tcp: print space before, not after "flags:"

  - libxt_u32: do bounds checking for @'s operands

  - libxt_*limit: avoid division by zero

  - Merge branch 'master' of git://git.inai.de/iptables

  - Merge remote-tracking branch 'nf/stable'

  - New set match revision with --return-nomatch flag support

- dropped fixrestore patch, upstream

* Wed Aug  1 2012 Thomas Woerner <twoerner@redhat.com> 1.4.15-1

- new version 1.4.15

  - extensions: add HMARK target

  - iptables-restore: fix parameter parsing (shows up with gcc-4.7)

  - iptables-restore: move code to add_param_to_argv, cleanup (fix gcc-4.7)

  - libxtables: add xtables_ip[6]mask_to_cidr

  - libxt_devgroup: add man page snippet

  - libxt_hashlimit: add support for byte-based operation

  - libxt_recent: add --mask netmask

  - libxt_recent: remove unused variable

  - libxt_HMARK: correct a number of errors introduced by Pablo's rework

  - libxt_HMARK: fix ct case example

  - libxt_HMARK: fix output of iptables -L

  - Revert "iptables-restore: move code to add_param_to_argv, cleanup (fix gcc-4.7)"

* Wed Jul 18 2012 Thomas Woerner <twoerner@redhat.com> 1.4.14-3

- added fixrestore patch submitted to upstream by fryasu (nfbz#774) 

  (RHBZ#825796)

* Wed Jul 18 2012 Thomas Woerner <twoerner@redhat.com> 1.4.14-2

- disabled libipq, removed upstream, not provided by kernel anymore

* Wed Jul 18 2012 Thomas Woerner <twoerner@redhat.com> 1.4.14-1

- new version 1.4.14

  - extensions: add IPv6 capable ECN match extension

  - extensions: add nfacct match

  - extensions: add rpfilter module

  - extensions: libxt_rateest: output all options in save hook

  - iptables: missing free() in function cache_add_entry()

  - iptables: missing free() in function delete_entry()

  - libiptc: fix retry path in TC_INIT

  - libiptc: Returns the position the entry was inserted

  - libipt_ULOG: fix --ulog-cprange

  - libxt_CT: add --timeout option

  - ip(6)tables-restore: make sure argv is NULL terminated

  - Revert "libiptc: Returns the position the entry was inserted"

  - src: mark newly opened fds as FD_CLOEXEC (close on exec)

  - tests: add rateest match rules

- dropped patch5 (cloexec), merged upstream

* Mon Apr 23 2012 Thomas Woerner <twoerner@redhat.com> 1.4.12.2-5

- reenable iptables default services

* Wed Feb 29 2012 Harald Hoyer <harald@redhat.com> 1.4.12.2-4

- install everything in /usr

  https://fedoraproject.org/wiki/Features/UsrMove

* Thu Feb 16 2012 Thomas Woerner <twoerner@redhat.com> 1.4.12.2-3

- fixed auto enable check for Fedora > 16 and added rhel > 6 check

* Wed Feb 15 2012 Thomas Woerner <twoerner@redhat.com> 1.4.12.2-2

- disabled autostart and auto enable for iptables.service and ip6tables.service

  for Fedora > 16

* Mon Jan 16 2012 Thomas Woerner <twoerner@redhat.com> 1.4.12.2-1

- new version 1.4.12.2 with new pkgconfig/libip4tc.pc and pkgconfig/libip6tc.pc

  - build: make check stage not fail when building statically

  - build: restore build order of modules

  - build: scan for unreferenced symbols

  - build: sort file list before build

  - doc: clarification on the meaning of -p 0

  - doc: document iptables-restore's -T option

  - doc: fix undesired newline in ip6tables-restore(8)

  - ip6tables-restore: implement missing -T option

  - iptables: move kernel version find routing into libxtables

  - libiptc: provide separate pkgconfig files

  - libipt_SAME: set PROTO_RANDOM on all ranges

  - libxtables: Fix file descriptor leak in xtables_lmap_init on error

  - libxt_connbytes: fix handling of --connbytes FROM

  - libxt_CONNSECMARK: fix spacing in output

  - libxt_conntrack: improve error message on parsing violation

  - libxt_NFQUEUE: fix --queue-bypass ipt-save output

  - libxt_RATEEST: link with -lm

  - libxt_statistic: link with -lm

  - Merge branch 'stable'

  - Merge branch 'stable' of git://dev.medozas.de/iptables

  - nfnl_osf: add missing libnfnetlink_CFLAGS to compile process

  - xtoptions: fill in fallback value for nvals

  - xtoptions: simplify xtables_parse_interface

* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.12.1-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild

* Mon Dec 12 2011 Thomas Woerner <twoerner@redhat.com> 1.4.12.1-1

- new version 1.4.12.1 with new pkgconfig/libipq.pc

  - build: abort autogen on subcommand failure

  - build: strengthen check for overlong lladdr components

  - build: workaround broken linux-headers on RHEL-5

  - doc: clarify libxt_connlimit defaults

  - doc: fix typo in libxt_TRACE

  - extensions: use multi-target registration

  - libip6t_dst: restore setting IP6T_OPTS_LEN flag

  - libip6t_frag: restore inversion support

  - libip6t_hbh: restore setting IP6T_OPTS_LEN flag

  - libipq: add pkgconfig file

  - libipt_ttl: document that negation is available

  - libxt_conntrack: fix --ctproto 0 output

  - libxt_conntrack: remove one misleading comment

  - libxt_dccp: fix deprecated intrapositional ordering of !

  - libxt_dccp: fix random output of ! on --dccp-option

  - libxt_dccp: provide man pages options in short help too

  - libxt_dccp: restore missing XTOPT_INVERT tags for options

  - libxt_dccp: spell out option name on save

  - libxt_dscp: restore inversion support

  - libxt_hashlimit: default htable-expire must be in milliseconds

  - libxt_hashlimit: observe new default gc-expire time when saving

  - libxt_hashlimit: remove inversion from hashlimit rev 0

  - libxt_owner: restore inversion support

  - libxt_physdev: restore inversion support

  - libxt_policy: remove superfluous inversion

  - libxt_set: put differing variable names in directly

  - libxt_set: update man page about kernel support on the feature

  - libxt_string: define _GNU_SOURCE for strnlen

  - libxt_string: escape the escaping char too

  - libxt_string: fix space around arguments

  - libxt_string: replace hex codes by char equivalents

  - libxt_string: simplify hex output routine

  - libxt_tcp: always print the mask parts

  - libxt_TCPMSS: restore build with IPv6-less libcs

  - libxt_TOS: update linux kernel version list for backported fix

  - libxt_u32: fix missing allowance for inversion

  - src: remove unused IPTABLES_MULTI define

  - tests: add negation tests for libxt_statistic

  - xtoptions: flag use of XTOPT_POINTER without XTOPT_PUT

- removed include/linux/types.h before build to be able to compile

* Tue Jul 26 2011 Thomas Woerner <twoerner@redhat.com> 1.4.12-2

- dropped temporary provide again

* Tue Jul 26 2011 Thomas Woerner <twoerner@redhat.com> 1.4.12-1.1

- added temporary provides for libxtables.so.6 to be able to rebuild iproute,

  which is part of the standard build environment

* Mon Jul 25 2011 Thomas Woerner <twoerner@redhat.com> 1.4.12-1

- new version 1.4.12 with support of all new features of kernel 3.0

  - build: attempt to fix building under Linux 2.4

  - build: bump soversion for recent data structure change

  - build: install modules in arch-dependent location

  - doc: fix group range in libxt_NFLOG's man

  - doc: fix version string in ip6tables.8

  - doc: include matches/targets in manpage again

  - doc: mention multiple verbosity flags

  - doc: the -m option cannot be inverted

  - extensions: support for per-extension instance global variable space

  - iptables-apply: select default rule file depending on call name

  - iptables: consolidate target/match init call

  - iptables: Coverity: DEADCODE

  - iptables: Coverity: NEGATIVE_RETURNS

  - iptables: Coverity: RESOURCE_LEAK

  - iptables: Coverity: REVERSE_INULL

  - iptables: Coverity: VARARGS

  - iptables: restore negation for -f

  - libip6t_HL: fix option names from ttl -> hl

  - libipt_LOG: fix ignoring all but last flags

  - libxtables: ignore whitespace in the multiaddress argument parser

  - libxtables: properly reject empty hostnames

  - libxtables: set clone's initial data to NULL

  - libxt_conntrack: move more data into the xt_option_entry

  - libxt_conntrack: restore network-byte order for v1,v2

  - libxt_hashlimit: use a more obvious expiry value by default

  - libxt_rateest: abolish global variables

  - libxt_RATEEST: abolish global variables

  - libxt_RATEEST: fix userspacesize field

  - libxt_RATEEST: use guided option parser

  - libxt_state: fix regression about inversion of main option

  - option: remove last traces of intrapositional negation

- complete changelog:

  http://www.netfilter.org/projects/iptables/files/changes-iptables-1.4.12.txt

* Thu Jul 21 2011 Thomas Woerner <twoerner@redhat.com> 1.4.11.1-4

- merged ipv6 sub package into main package

- renamed init scripts to /usr/libexec/ip*tables.init

* Fri Jul 15 2011 Thomas Woerner <twoerner@redhat.com> 1.4.11.1-3

- added support for native systemd file (rhbz#694738)

  - new iptables.service file

  - additional requires

  - moved sysv init scripts to /usr/libexec

  - added new post, preun and postun scripts and triggers

* Tue Jul 12 2011 Thomas Woerner <twoerner@redhat.com> 1.4.11.1-2

- dropped temporary provide again

- enabled smp build

* Tue Jul 12 2011 Thomas Woerner <twoerner@redhat.com> 1.4.11.1-1.1

-  added temporary provides for libxtables.so.5 to be able to rebuild iproute,

   which is part of the standard build environment

* Mon Jul 11 2011 Thomas Woerner <twoerner@redhat.com> 1.4.11.1-1

- new version 1.4.11.1, bug and doc fix release for 1.4.11

* Tue Jun  7 2011 Thomas Woerner <twoerner@redhat.com> 1.4.11-1

- new version 1.4.11 with all new features of 2.6.37-39 (not usable)

  - lots of changes and bugfixes for base and extensions

  - complete changelog:

    http://www.netfilter.org/projects/iptables/files/changes-iptables-1.4.11.txt

* Wed Feb 09 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.10-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild

* Mon Jan 10 2011 Thomas Woerner <twoerner@redhat.com> 1.4.10-1

- new version 1.4.10 with all new features of 2.6.36

  - all: consistent syntax use in struct option

  - build: fix static linking

  - doc: let man(1) autoalign the text in xt_cpu

  - doc: remove extra empty line from xt_cpu

  - doc: minimal spelling updates to xt_cpu

  - doc: consistent use of markup

  - extensions: libxt_quota: don't ignore the quota value on deletion

  - extensions: REDIRECT: add random help

  - extensions: add xt_cpu match

  - extensions: add idletimer xt target extension

  - extensions: libxt_IDLETIMER: use xtables_param_act when checking options

  - extensions: libxt_CHECKSUM extension

  - extensions: libipt_LOG/libip6t_LOG: support macdecode option

  - extensions: fix compilation of the new CHECKSUM target

  - extensions: libxt_ipvs: user-space lib for netfilter matcher xt_ipvs

  - iptables-xml: resolve compiler warnings

  - iptables: limit chain name length to be consistent with targets

  - libiptc: add Libs.private to pkgconfig files

  - libiptc: build with -Wl,--no-as-needed

  - xtables: remove unnecessary cast

- dropped xt_CHECKSUM, added upstream

* Tue Oct 12 2010 Thomas Woerner <twoerner@redhat.com> 1.4.9-2

- added xt_CHECKSUM patch from Michael S. Tsirkin (rhbz#612587)

* Wed Aug  4 2010 Thomas Woerner <twoerner@redhat.com> 1.4.9-1

- new version 1.4.9 with all new features of 2.6.35

  - doc: xt_hashlimit: fix a typo

  - doc: xt_LED: nroff formatting requirements

  - doc: xt_string: correct copy-and-pasting in manpage

  - extensions: add the LED target

  - extensions: libxt_quota.c: Support option negation

  - extensions: libxt_rateest: fix bps options for iptables-save

  - extensions: libxt_rateest: fix typo in the man page

  - extensions: REDIRECT: add random help

  - includes: sync header files from Linux 2.6.35-rc1

  - libxt_conntrack: do print netmask

  - libxt_hashlimit: always print burst value

  - libxt_set: new revision added

  - utils: add missing include flags to Makefile

  - xtables: another try at chain name length checking

  - xtables: remove xtables_set_revision function

  - xt_quota: also document negation

  - xt_sctp: Trace DATA chunk that supports SACK-IMMEDIATELY extension

  - xt_sctp: support FORWARD_TSN chunk type

* Fri Jul  2 2010 Thomas Woerner <twoerner@redhat.com> 1.4.8-1

- new version 1.4.8 all new features of 2.6.34 (rhbz#)

  - extensions: REDIRECT: fix --to-ports parser

  - iptables: add noreturn attribute to exit_tryhelp()

  - extensions: MASQUERADE: fix --to-ports parser

  - libxt_comment: avoid use of IPv4-specific examples

  - libxt_CT: add a manpage

  - iptables: correctly check for too-long chain/target/match names

  - doc: libxt_MARK: no longer restricted to mangle table

  - doc: remove claim that TCPMSS is limited to mangle

  - libxt_recent: add a missing space in output

  - doc: add manpage for libxt_osf

  - libxt_osf: import nfnl_osf program

  - extensions: add support for xt_TEE

  - CT: fix --ctevents parsing

  - extensions: add CT extension

  - libxt_CT: print conntrack zone in ->print/->save

  - xtables: fix compilation when debugging is enabled

  - libxt_conntrack: document --ctstate UNTRACKED

  - iprange: fix xt_iprange v0 parsing

* Wed Mar 24 2010 Thomas Woerner <twoerner@redhat.com> 1.4.7-2

- added default values for IPTABLES_STATUS_VERBOSE and

  IPTABLES_STATUS_LINENUMBERS in init script

- added missing lsb keywords Required-Start and Required-Stop to init script

* Fri Mar  5 2010 Thomas Woerner <twoerner@redhat.com> 1.4.7-1

- new version 1.4.7 with support for all new features of 2.6.33 (rhbz#570767)

  - libip4tc: Add static qualifier to dump_entry()

  - libipq: build as shared library

  - recent: reorder cases in code (cosmetic cleanup)

  - several man page and documentation fixes

  - policy: fix error message showing wrong option

  - includes: header updates

  - Lift restrictions on interface names

- fixed license and moved iptables-xml into base package according to review

* Wed Jan 27 2010 Thomas Woerner <twoerner@redhat.com> 1.4.6-2

- moved libip*tc and libxtables libs to /lib[64], added symlinks for .so libs

  to /usr/lib[64] for compatibility (rhbz#558796)

* Wed Jan 13 2010 Thomas Woerner <twoerner@redhat.com> 1.4.6-1

- new version 1.4.6 with support for all new features of 2.6.32

  - several man page fixes

  - Support for nommu arches

  - realm: remove static initializations

  - libiptc: remove unused functions

  - libiptc: avoid strict-aliasing warnings

  - iprange: do accept non-ranges for xt_iprange v1

  - iprange: warn on reverse range

  - iprange: roll address parsing into a loop

  - iprange: do accept non-ranges for xt_iprange v1 (log)

  - iprange: warn on reverse range (log)

  - libiptc: fix wrong maptype of base chain counters on restore

  - iptables: fix undersized deletion mask creation

  - style: reduce indent in xtables_check_inverse

  - libxtables: hand argv to xtables_check_inverse

  - iptables/extensions: make bundled options work again

  - CONNMARK: print mark rules with mask 0xffffffff as set instead of xset

  - iptables: take masks into consideration for replace command

  - doc: explain experienced --hitcount limit

  - doc: name resolution clarification

  - iptables: expose option to zero packet/byte counters for a specific rule

  - build: restore --disable-ipv6 functionality on system w/o v6 headers

  - MARK: print mark rules with mask 0xffffffff as --set-mark instead of --set-xmark

  - DNAT: fix incorrect check during parsing

  - extensions: add osf extension

  - conntrack: fix --expires parsing

* Thu Dec 17 2009 Thomas Woerner <twoerner@redhat.com> 1.4.5-2

- dropped nf_ext_init remains from cloexec patch

* Thu Sep 17 2009 Thomas Woerner <twoerner@redhat.com> 1.4.5-1

- new version 1.4.5 with support for all new features of 2.6.31

  - libxt_NFQUEUE: add new v1 version with queue-balance option

  - xt_conntrack: revision 2 for enlarged state_mask member

  - libxt_helper: fix invalid passed option to check_inverse

  - libiptc: split v4 and v6

  - extensions: collapse registration structures

  - iptables: allow for parse-less extensions

  - iptables: allow for help-less extensions

  - extensions: remove empty help and parse functions

  - xtables: add multi-registration functions

  - extensions: collapse data variables to use multi-reg calls

  - xtables: warn of missing version identifier in extensions

  - multi binary: allow subcommand via argv[1]

  - iptables: accept multiple IP address specifications for -s, -d

  - several build fixes

  - several man page fixes

- fixed two leaked file descriptors on sockets (rhbz#521397)

* Mon Aug 24 2009 Thomas Woerner <twoerner@redhat.com> 1.4.4-1

- new version 1.4.4 with support for all new features of 2.6.30

  - several man page fixes

  - iptables: replace open-coded sizeof by ARRAY_SIZE

  - libip6t_policy: remove redundant functions

  - policy: use direct xt_policy_info instead of ipt/ip6t

  - policy: merge ipv6 and ipv4 variant

  - extensions: add `cluster' match support

  - extensions: add const qualifiers in print/save functions

  - extensions: use NFPROTO_UNSPEC for .family field

  - extensions: remove redundant casts

  - iptables: close open file descriptors

  - fix segfault if incorrect protocol name is used

  - replace open-coded sizeof by ARRAY_SIZE

  - do not include v4-only modules in ip6tables manpage

  - use direct xt_policy_info instead of ipt/ip6t

  - xtables: fix segfault if incorrect protocol name is used

  - libxt_connlimit: initialize v6_mask

  - SNAT/DNAT: add support for persistent multi-range NAT mappings

* Fri Jul 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.3.2-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild

* Wed Apr 15 2009 Thomas Woerner <twoerner@redhat.com> 1.4.3.2-1

- new version 1.4.3.2

- also install iptables/internal.h, needed for iptables.h and ip6tables.h

* Mon Mar 30 2009 Thomas Woerner <twoerner@redhat.com> 1.4.3.1-1

- new version 1.4.3.1

  - libiptc is now shared

  - supports all new features of the 2.6.29 kernel

- dropped typo_latter patch

* Thu Mar  5 2009 Thomas Woerner <twoerner@redhat.com> 1.4.2-3

- still more review fixes (rhbz#225906)

  - consistent macro usage

  - use sed instead of perl for rpath removal

  - use standard RPM CFLAGS, but also -fno-strict-aliasing (needed for libiptc*)