iptables: merge iptables-nftables-compat package

Merge the binary package into the main iptables package now that compat tools
are the main ones.

While at it, move all binaries to /usr/sbin/ instead of /sbin. No reason for
them to live there.

TODO:
 * actual tests for symlinking issues
 * adjust manpages
 * check update-alternatives
 * check relationships
 * check READMEs etc
 * wrap-and-sort
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>

debian/README.Debian

@@ -10,8 +10,7 @@ If you would like to migrate or translate your previous
 iptables/ip6tables/arptables/ebtables rulesets to nftables then keep reading.
 
 There are some tools in place to help you moving from iptables to nftables,
-(tools included in `iptables-nftables-compat` package) following 2 basic
-approaches:
+following 2 basic approaches:
 
  * command line translation
    (iptables-translate, iptables-restore-translate,
@@ -43,30 +42,25 @@ The legacy binaries are now installed as:
  * /sbin/arptables-legacy (in the arptables Debian package)
  * /sbin/ebtables-legacy (in the ebtables Debian package)
 
-The compat tools (tools which accepts the legacy syntax but use the nf_tables
+The nft-based tools (tools which accepts the legacy syntax but use the nf_tables
 kernel subsystem) are installed as:
 
- * /sbin/iptables-compat
- * /sbin/iptables-compat-restore
- * /sbin/iptables-compat-save
- * /sbin/ip6tables-compat
- * /sbin/ip6tables-compat-restore
- * /sbin/ip6tables-compat-save
- * /sbin/arptables-compat
- * /sbin/ebtables-compat
-
-All of them from the `iptables-nftables-compat` Debian package and have more
-default priority, which means that if you install that package, you will be
-using the compat tools instead of the legacy ones.
-
-You can change this at runtime using the `update-alternatives` command.
-
-NOTE: make sure you don't mix iptables-legacy and iptables-compat (nftables)
-rulesets in the same machine at the same time just for sanity and to avoid
-unexpected behaviours in your network.
-
-future
-======
-
-Right now Debian includes by default iptables-legacy in every system
-installation. In a mid-long term future this will change in favour of nftables.
+ * /sbin/iptables-nft
+ * /sbin/iptables-nft-restore
+ * /sbin/iptables-nft-save
+ * /sbin/ip6tables-nft
+ * /sbin/ip6tables-nft-restore
+ * /sbin/ip6tables-nft-save
+ * /sbin/arptables-nft
+ * /sbin/ebtables-nft
+
+The iptables Debian package install both and gives the nft version more
+priority by default in the update-alternatives system. This means that if you
+install that package, you will be using the compat tools instead of the legacy
+ones.
+Remember, you can change this at runtime using the `update-alternatives`
+command.
+
+NOTE: make sure you don't mix iptables-legacy and iptables-nft rulesets in the
+same machine at the same time just for sanity and to avoid unexpected
+behaviours in your network.

debian/control

@@ -29,6 +29,8 @@ Depends: libip4tc0 (=${binary:Version}),
          ${misc:Depends},
          ${shlibs:Depends}
 Suggests: kmod
+Breaks: iptables-nftables-compat (<< 1.6.2~)
+Replaces: iptables-nftables-compat (<< 1.6.2~)
 Description: administration tools for packet filtering and NAT
  iptables is the userspace command line program used to configure
  the Linux packet filtering ruleset. It is targeted towards system
@@ -177,34 +179,3 @@ Description: Development files for libip6tc
  sense of changing symbols and backward compatibility not guaranteed.
  .
  This package provides development files and static libraries.
-
-Package: iptables-nftables-compat
-Architecture: linux-any
-Priority: optional
-Depends: arptables,
-         ebtables,
-         iptables (=${binary:Version}),
-         libxtables12 (=${binary:Version}),
-         ${misc:Depends},
-         ${shlibs:Depends}
-Recommends: nftables
-Suggests: kmod
-Breaks: iptables (<< 1.6.2-1)
-Description: iptables compat tools for nftables
- this package includes the compat tools to load iptables, ip6tables, arptables
- and ebtables rules to the nf_tables kernel subsystem.
- .
- The tools are called: 'iptables-compat', 'iptables-compat-save',
- 'iptables-compat-restore', 'ip6tables-compat', 'ip6tables-compat-save',
- 'ip6tables-compat-restore', 'arptables-compat' and 'ebtables-compat'.
- .
- A basic way to understand this compat stuff is to load the ruleset
- skeleton, i.e: a first call `iptables-compat -L'. Then, you can use nft,
- i.e: `nft list ruleset'. Same for the other families.
- .
- Also, this package contains the translation tools, which are
- 'iptables-translate', 'ip6tables-translate', 'iptables-restore-translate',
- and 'ip6tables-restore-translate'.
- .
- These translation tools works by reading an input in iptables native syntax
- and then  printing the nftables syntax equivalent.

debian/iptables-nftables-compat.install

-usr/lib/*/xtables/libarpt_*.so
-usr/lib/*/xtables/libebt_*.so
-usr/sbin/*-compat*		sbin
-usr/sbin/xtables-compat-multi	sbin
-usr/sbin/*translate*		sbin

debian/iptables-nftables-compat.links

-usr/share/man/man8/xtables-compat.8.gz		usr/share/man/man8/arptables-compat.8.gz
-usr/share/man/man8/xtables-compat.8.gz		usr/share/man/man8/ebtables-compat.8.gz
-usr/share/man/man8/xtables-compat.8.gz		usr/share/man/man8/ip6tables-compat-restore.8.gz
-usr/share/man/man8/xtables-compat.8.gz		usr/share/man/man8/ip6tables-compat-save.8.gz
-usr/share/man/man8/xtables-compat.8.gz		usr/share/man/man8/ip6tables-compat.8.gz
-usr/share/man/man8/xtables-compat.8.gz		usr/share/man/man8/iptables-compat-restore.8.gz
-usr/share/man/man8/xtables-compat.8.gz		usr/share/man/man8/iptables-compat-save.8.gz
-usr/share/man/man8/xtables-compat.8.gz		usr/share/man/man8/iptables-compat.8.gz
-usr/share/man/man8/xtables-compat.8.gz		usr/share/man/man8/xtables-compat-multi.8.gz

debian/iptables-nftables-compat.manpages

-debian/xtables-compat.8
-debian/xtables-translate.8

debian/iptables-nftables-compat.postinst

-#!/bin/sh
-
-set -e
-
-if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ]; then
-	update-alternatives \
-	  --install /sbin/iptables iptables /sbin/iptables-compat 20 \
-	  --slave /sbin/iptables-restore iptables-restore /sbin/iptables-compat-restore \
-	  --slave /sbin/iptables-save iptables-save /sbin/iptables-compat-save
-	update-alternatives \
-	  --install /sbin/ip6tables ip6tables /sbin/ip6tables-compat-restore 20 \
-	  --slave /sbin/ip6tables-restore ip6tables-restore /sbin/ip6tables-compat-restore \
-	  --slave /sbin/ip6tables-save ip6tables-save /sbin/ip6tables-compat-save
-	update-alternatives \
-	  --install /sbin/arptables arptables /sbin/arptables-compat 20
-	update-alternatives \
-	  --install /sbin/ebtables ebtables /sbin/ebtables-compat 20
-fi
-
-#DEBHELPER#
-

debian/iptables-nftables-compat.prerm

-#!/bin/sh
-
-set -e
-
-if [ "$1" != "upgrade" ]; then
-    update-alternatives --remove iptables /sbin/iptables-compat
-    update-alternatives --remove ip6tables /sbin/ip6tables-compat
-    update-alternatives --remove arptables /sbin/arptables-compat
-    update-alternatives --remove ebtables /sbin/ebtables-compat
-fi
-
-#DEBHELPER#
-

debian/iptables.install

-iptables/iptables-apply usr/sbin
 iptables/iptables.xslt usr/share/iptables
 usr/lib/*/xtables/libip*.so
 usr/lib/*/xtables/libxt_*.so
-usr/sbin/ip6tables sbin
-usr/sbin/ip6tables-restore sbin
-usr/sbin/ip6tables-save sbin
-usr/sbin/iptables sbin
-usr/sbin/iptables-restore sbin
-usr/sbin/iptables-save sbin
-usr/sbin/nf* usr/sbin
-usr/sbin/xtables-multi sbin
+usr/sbin/*
+iptables/iptables-apply		usr/sbin
 usr/share/man/man1
 usr/share/man/man8
+usr/lib/*/xtables/libarpt_*.so
+usr/lib/*/xtables/libebt_*.so

debian/iptables.links

-/sbin/xtables-multi /usr/bin/iptables-xml
+/usr/sbin/xtables-legacy-multi		/usr/bin/iptables-xml
 /usr/sbin/iptables-apply /usr/sbin/ip6tables-apply

debian/iptables.manpages

 debian/xtables-multi.8
 iptables/*.8
 utils/nfnl_osf.8
+debian/xtables-compat.8
+debian/xtables-translate.8

debian/iptables.postinst

@@ -4,13 +4,25 @@ set -e
 
 if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ]; then
 	update-alternatives \
-	  --install /sbin/ìptables iptables /sbin/iptables-legacy 10 \
-	  --slave /sbin/iptables-restore iptables-restore /sbin/iptables-legacy-restore \
-	  --slave /sbin/iptables-save iptables-save /sbin/iptables-legacy-save
+	  --install /usr/sbin/ìptables iptables /usr/sbin/iptables-legacy 10 \
+	  --slave /usr/sbin/iptables-restore iptables-restore /usr/sbin/iptables-legacy-restore \
+	  --slave /usr/sbin/iptables-save iptables-save /usr/sbin/iptables-legacy-save
 	update-alternatives \
-	  --install /sbin/ip6tables ip6tables /sbin/ip6tables-legacy 10 \
-	  --slave /sbin/ip6tables-restore ip6tables-restore /sbin/ip6tables-legacy-restore \
-	  --slave /sbin/ip6tables-save ip6tables-save /sbin/ip6tables-legacy-save
+	  --install /usr/sbin/ip6tables ip6tables /usr/sbin/ip6tables-legacy 10 \
+	  --slave /usr/sbin/ip6tables-restore ip6tables-restore /usr/sbin/ip6tables-legacy-restore \
+	  --slave /usr/sbin/ip6tables-save ip6tables-save /usr/sbin/ip6tables-legacy-save
+        update-alternatives \
+          --install /usr/sbin/iptables iptables /usr/sbin/iptables-nft 20 \
+          --slave /usr/sbin/iptables-restore iptables-restore /usr/sbin/iptables-nft-restore \
+          --slave /usr/sbin/iptables-save iptables-save /usr/sbin/iptables-nft-save
+        update-alternatives \
+          --install /usr/sbin/ip6tables ip6tables /usr/sbin/ip6tables-nft 20 \
+          --slave /usr/sbin/ip6tables-restore ip6tables-restore /usr/sbin/ip6tables-nft-restore \
+          --slave /usr/sbin/ip6tables-save ip6tables-save /usr/sbin/ip6tables-nft-save
+        update-alternatives \
+          --install /usr/sbin/arptables arptables /usr/sbin/arptables-nft 20
+        update-alternatives \
+          --install /usr/sbin/ebtables ebtables /usr/sbin/ebtables-nft 20
 fi
 
 #DEBHELPER#

debian/iptables.prerm

@@ -3,8 +3,12 @@
 set -e
 
 if [ "$1" != "upgrade" ]; then
-    update-alternatives --remove iptables /sbin/iptables-legacy
-    update-alternatives --remove ip6tables /sbin/ip6tables-legacy
+    update-alternatives --remove iptables /usr/sbin/iptables-legacy
+    update-alternatives --remove ip6tables /usr/sbin/ip6tables-legacy
+    update-alternatives --remove iptables /usr/sbin/iptables-nft
+    update-alternatives --remove ip6tables /usr/sbin/ip6tables-nft
+    update-alternatives --remove arptables /usr/sbin/arptables-nft
+    update-alternatives --remove ebtables /usr/sbin/ebtables-nft
 fi
 
 #DEBHELPER#

debian/rules

@@ -12,13 +12,3 @@ LIB_DIR := /usr/lib/$(DEB_HOST_MULTIARCH)
 override_dh_auto_configure:
 	dh_auto_configure -- --disable-libipq --enable-devel \
 			--libdir=$(LIB_DIR) --with-xtlibdir=$(LIB_DIR)/xtables
-
-override_dh_install:
-	dh_install
-	# leave room for having the nftables compat tools as the main binaries
-	mv debian/iptables/sbin/iptables debian/iptables/sbin/iptables-legacy
-	mv debian/iptables/sbin/iptables-restore debian/iptables/sbin/iptables-legacy-restore
-	mv debian/iptables/sbin/iptables-save debian/iptables/sbin/iptables-legacy-save
-	mv debian/iptables/sbin/ip6tables debian/iptables/sbin/ip6tables-legacy
-	mv debian/iptables/sbin/ip6tables-restore debian/iptables/sbin/ip6tables-legacy-restore
-	mv debian/iptables/sbin/ip6tables-save debian/iptables/sbin/ip6tables-legacy-save