Latest upstream release: 1.6.0
Current version/release in rawhide: 1.4.21-16.el7
URL: http://ftp.netfilter.org/pub/iptables/

Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy

More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring

Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream.
Created attachment 1107534 [patch] Update to 1.6.0 (#1292990)
Scratch build failed http://koji.fedoraproject.org/koji/taskinfo?taskID=12243706
(In reply to Upstream Release Monitoring from comment #0)
> Latest upstream release: 1.6.0
> Current version/release in rawhide: 1.4.21-16.el7
> URL: http://ftp.netfilter.org/pub/iptables/

https://marc.info/?l=netfilter-devel&m=145046912422904

This release includes accumulated fixes and enhancements for the following matches:

* ah
* connlabel
* cgroup
* devgroup
* dst
* icmp6
* ipcomp
* ipv6header
* quota
* set
* socket
* string

and targets:

* CT
* REJECT
* SET
* SNAT
* SNPT,DNPT
* SYNPROXY
* TEE

We also got rid of the very very old MIRROR and SAME targets and the unclean match, that were removed from the kernel tree a long time ago.

We also got patches to update different aspects of our manpages.

Moreover, this release includes the first official release of the iptables over nftables infrastructure, which includes the following utilities:

* iptables-compat
* iptables-compat-save
* iptables-compat-restore
* ip6tables-compat
* ip6tables-compat-save
* ip6tables-compat-restore
* ebtables-compat
* arptables-compat

that have the same getopt-based parser as the native tool, so the syntax remains the same, e.g.

 # iptables-compat -P INPUT DROP
 # iptables-compat -A INPUT -m state --state ESTABLISHED,RELATED
 # iptables-compat -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
 # iptables-compat -A INPUT -m state --state INVALID -j LOG --log-prefix "INVALID: "

This infrastructure will allow us to provide an easy path for users to translate their iptables rulesets to the new nft syntax. Note that this translation infrastructure and the compat glue code in the nft userspace tool is still under development, so that is not included in this release.

The development of ebtables-compat and arptables-compat utilities was started by Giuseppe Longo, and followed up later on by Arturo Borrero. This effort was partially covered by the Google Summer of Code program.

See ChangeLog for more details: http://www.netfilter.org/projects/iptables/files/changes-iptables-1.6.0.txt
Is there any drawback with 1.6.0? Could it be included in Fedora 24?
Does it fix an effect of bug #1300256? Current iptables-devel is not compatible with current rawhide's kernel-headers.
Created attachment 1123482 Spec file changes for iptables-1.6.0

Maybe the libxtables.so.11 library should be sub-packaged so that the new nftables-compat tools I put into new subpackage do not install all the unneeded original iptables tools.
Just a reminder: libxtables.so changes SONAME, so iproute and maybe other reverse dependencies must be rebuilt.
Petr Pisar wrote in 0001-1.6.0-bump.patch:

> [...]
> %package nftables-compat
> Summary: Compatibility iptables tools on top of nftables
> Group: System Environment/Base
> # Clashes on /etc/ethertypes
> Conflicts: ebtables
> [...]

Maybe /etc/ethertypes should be moved from ebtables to setup package, to allow the parallel installation of iptables-1.6(nftables-compat) and ebtables.
(In reply to Xose Vazquez Perez from comment #4)
> Is there any drawback with 1.6.0? Could it be included in Fedora 24?

I have been waiting with the build till the tc stuff made it into the iproute-tc sub package.
(In reply to Xose Vazquez Perez from comment #8)
> Petr Pisar wrote in 0001-1.6.0-bump.patch:
>
> > [...]
> > %package nftables-compat
> > Summary: Compatibility iptables tools on top of nftables
> > Group: System Environment/Base
> > # Clashes on /etc/ethertypes
> > Conflicts: ebtables
> > [...]
>
> Maybe /etc/ethertypes should be moved from ebtables to setup package, to
> allow the parallel installation of iptables-1.6(nftables-compat) and
> ebtables.

Yes, that would be good, but for now the files are the same in iptables and ebtables.
Fixed in rawhide in package iptables-1.6.0-1.fc25