Bug 1292990

Summary: iptables-1.6.0 is available
Product: [Fedora] Fedora
Reporter: Upstream Release Monitoring <upstream-release-monitoring>
Component: iptables
Assignee: Thomas Woerner <twoerner>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: b38617, jpopelka, ovasik, ppisar, tcallawa, twoerner
Keywords: FutureFeature, Triaged
Hardware: Unspecified
OS: Unspecified
Doc Type: Enhancement
Last Closed: 2016-04-13 17:23:33 UTC

Attachments:
* [patch] Update to 1.6.0 (#1292990) (flags: none)
* Spec file changes for iptables-1.6.0 (flags: none)

Description Upstream Release Monitoring 2015-12-19 00:20:35 UTC
Latest upstream release: 1.6.0
Current version/release in rawhide: 1.4.21-16.el7
URL: http://ftp.netfilter.org/pub/iptables/

Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy

More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring

Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream.

Comment 1 Upstream Release Monitoring 2015-12-19 00:21:36 UTC
Created attachment 1107534
[patch] Update to 1.6.0 (#1292990)

Comment 2 Upstream Release Monitoring 2015-12-19 00:35:58 UTC
Scratch build failed http://koji.fedoraproject.org/koji/taskinfo?taskID=12243706

Comment 3 Account closed by the user 2015-12-19 09:42:57 UTC
(In reply to Upstream Release Monitoring from comment #0)

> Latest upstream release: 1.6.0
> Current version/release in rawhide: 1.4.21-16.el7
> URL: http://ftp.netfilter.org/pub/iptables/

https://marc.info/?l=netfilter-devel&m=145046912422904

This release includes accumulated fixes and enhancements for the
following matches:

* ah
* connlabel
* cgroup
* devgroup
* dst
* icmp6
* ipcomp
* ipv6header
* quota
* set
* socket
* string

and targets:

* CT
* REJECT
* SET
* SNAT
* SNPT,DNPT
* SYNPROXY
* TEE

We also got rid of the very very old MIRROR and SAME targets and the
unclean match, that were removed from the kernel tree a long time ago.
We also got patches to update different aspects of our manpages.

Moreover, this release includes the first official release of the
iptables over nftables infrastructure, which includes the following
utilities:

* iptables-compat
* iptables-compat-save
* iptables-compat-restore
* ip6tables-compat
* ip6tables-compat-save
* ip6tables-compat-restore
* ebtables-compat
* arptables-compat

that have the same getopt-based parser as the native tool, so the
syntax remains the same, e.g.

 # iptables-compat -P INPUT DROP
 # iptables-compat -A INPUT -m state --state ESTABLISHED,RELATED
 # iptables-compat -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
 # iptables-compat -A INPUT -m state --state INVALID -j LOG  --log-prefix "INVALID: "

This infrastructure will allow us to provide an easy path for users to
translate their iptables rulesets to the new nft syntax. Note that
this translation infrastructure and the compat glue code in the nft
userspace tool are still under development, so that is not included in
this release.

The development of ebtables-compat and arptables-compat utilities was
started by Giuseppe Longo, and followed up later on by Arturo Borrero.
This effort was partially covered by the Google Summer of Code
program.

See ChangeLog for more details:
http://www.netfilter.org/projects/iptables/files/changes-iptables-1.6.0.txt

Comment 4 Account closed by the user 2016-01-22 14:08:34 UTC
Is there any drawback with 1.6.0? Could it be included in Fedora 24?

Comment 5 Petr Pisar 2016-02-01 16:11:41 UTC
Does it fix an effect of bug #1300256? Current iptables-devel is not compatible with current rawhide's kernel-headers.

Comment 6 Petr Pisar 2016-02-12 12:38:42 UTC
Created attachment 1123482
Spec file changes for iptables-1.6.0

Maybe the libxtables.so.11 library should be sub-packaged so that the new nftables-compat tools I put into a new subpackage do not install all the unneeded original iptables tools.

Comment 7 Petr Pisar 2016-02-12 12:41:50 UTC
Just a reminder: libxtables.so changes SONAME, so iproute and maybe other reverse dependencies must be rebuilt.

Comment 8 Account closed by the user 2016-02-25 13:25:15 UTC
Petr Pisar wrote in 0001-1.6.0-bump.patch:

> [...]
> %package nftables-compat
> Summary: Compatibility iptables tools on top of nftables
> Group: System Environment/Base
> # Clashes on /etc/ethertypes
> Conflicts: ebtables
> [...]
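
Review bot: The `Conflicts: ebtables` line in the `%package nftables-compat` stanza is unversioned and package-wide, while the comment above it names only one clashing path, /etc/ethertypes. As written, the subpackage can never be installed beside any ebtables release, even after the file's ownership is sorted out. Consider giving the Conflicts an upper version bound that can lapse once a single package owns /etc/ethertypes, and extend the comment to say which package is expected to own the file in the end.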

Maybe /etc/ethertypes should be moved from ebtables to setup package, to allow the parallel installation of iptables-1.6(nftables-compat) and ebtables.

Comment 9 Thomas Woerner 2016-04-13 16:12:17 UTC
(In reply to Xose Vazquez Perez from comment #4)
> Is there any drawback with 1.6.0? Could it be included in Fedora 24?

I have been waiting with the build till the tc stuff made it into the iproute-tc sub package.

Comment 10 Thomas Woerner 2016-04-13 16:27:59 UTC
(In reply to Xose Vazquez Perez from comment #8)
> Petr Pisar wrote in 0001-1.6.0-bump.patch:
> 
> > [...]
> > %package nftables-compat
> > Summary: Compatibility iptables tools on top of nftables
> > Group: System Environment/Base
> > # Clashes on /etc/ethertypes
> > Conflicts: ebtables
> > [...]
> 
> Maybe /etc/ethertypes should be moved from ebtables to setup package, to
> allow the parallel installation of iptables-1.6(nftables-compat) and
> ebtables.

Yes, that would be good, but for now the files are the same in iptables and ebtables.

Comment 11 Thomas Woerner 2016-04-13 17:23:33 UTC
Fixed in rawhide in package iptables-1.6.0-1.fc25