Red Hat Bugzilla – Bug 1292990
iptables-1.6.0 is available
Last modified: 2016-04-13 13:23:33 EDT
Latest upstream release: 1.6.0
Current version/release in rawhide: 1.4.21-16.el7
Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy
More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring
Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream.
Created attachment 1107534 [details]
[patch] Update to 1.6.0 (#1292990)
Scratch build failed http://koji.fedoraproject.org/koji/taskinfo?taskID=12243706
(In reply to Upstream Release Monitoring from comment #0)
> Latest upstream release: 1.6.0
> Current version/release in rawhide: 1.4.21-16.el7
> URL: http://ftp.netfilter.org/pub/iptables/
This release includes accumulated fixes and enhancements for the
We also got rid of the very very old MIRROR and SAME targets and the
unclean match, that were removed from the kernel tree long time ago.
We also got patches to update different aspects of our manpages.
Moreover, this release includes the first official release of the
iptables over nftables infrastructure, which includes the following
that have the same getopt-based parser as the native tool, so the
syntax remains the same, eg.
# iptables-compat -P INPUT DROP
# iptables-compat -A INPUT -m state --state ESTABLISHED,RELATED
# iptables-compat -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
# iptables-compat -A INPUT -m state --state INVALID -j LOG --log-prefix "INVALID: "
This infrastructure will allow us to provide an easy path for users to
translate their iptables rulesets to the new nft syntax. Note that
this translation infrastructure and the compat glue code in the nft
userspace tool is still under development, so that is not included in
The development of ebtables-compat and arptables-compat utilities were
started by Giuseppe Longo, and followed up later on by Arturo Borrero.
This effort was partially covered by the Google Summer of Code
See ChangeLog for more details:
Is there any drawback with 1.6.0 ? Could it be included in Fedora 24 ?
Does it fixes an effect of bug #1300256? Current iptables-devel is not compatible with current rawhide's kernel-headers.
Created attachment 1123482 [details]
Spec file changes for iptables-1.6.0
Maybe the libxtables.so.11 library should be sub-packaged so that the new nftables-compat tools I put into new subpackage do not install all the unneeded original iptables tools.
Just a reminder: libxtables.so changes SONAME, so iproute and maybe other reverse dependencies must be rebuilt.
Petr Pisar wrote in 0001-1.6.0-bump.patch :
> %package nftables-compat
> Summary: Compatibility iptables tools on top of nftables
> Group: System Environment/Base
> # Clashes on /etc/ethertypes
> Conflicts: ebtables
Maybe /etc/ethertypes should be moved from ebtables to setup package, to allow the parallel installation of iptables-1.6(nftables-compat) and ebtables.
(In reply to Xose Vazquez Perez from comment #4)
> Is there any drawback with 1.6.0 ? Could it be included in Fedora 24 ?
I have been waiting with the build till the tc stuff made it into the iproute-tc sub package.
(In reply to Xose Vazquez Perez from comment #8)
> Petr Pisar wrote in 0001-1.6.0-bump.patch :
> > [...]
> > %package nftables-compat
> > Summary: Compatibility iptables tools on top of nftables
> > Group: System Environment/Base
> > # Clashes on /etc/ethertypes
> > Conflicts: ebtables
> > [...]
> Maybe /etc/ethertypes should be moved from ebtables to setup package, to
> allow the parallel installation of iptables-1.6(nftables-compat) and
Yes, that would be good, but for now the files are the same in iptables and ebtables.
Fixed in rawhide in package iptables-1.6.0-1.fc25