[ANNOUNCE] iptables 1.8.0 release

Hi!

The Netfilter project proudly presents:

iptables 1.8

This release contains fixes and following new features:

- The ipv6 'srh' match can now match previous/next/last sid
- CONNMARK target now supports bit-shifting for restore, set and save-mark.
- DNAT now supports shifted portmap ranges.

A full change log is attached to this announcement.

This release introduces a more prominent distinction between the
'classic' iptables and 'new' iptables front-end that internally uses the
nf_tables API to talk to the kernel.

The '--version' option can be used to find out which interface is used internally:
    iptables --version
    iptables v1.8 (legacy)

    iptables --version
    iptables v1.8 (nf_tables)
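As an added example that is not part of this announcement, the following POSIX shell helper turns the '--version' output shown above into a backend name, so a deployment or provisioning script can refuse to continue when the front-end it finds is not the one it was written for. The version strings in the comments and test are the two forms printed by this release; anything else (for instance an older iptables that prints no suffix) is reported as unknown.

```shell
#!/bin/sh
# Added example (not code from the iptables project): classify an iptables
# front-end from its '--version' output.

# backend_from_version VERSION_LINE -> prints legacy | nf_tables | unknown
#   'iptables v1.8 (legacy)'     -> legacy
#   'iptables v1.8 (nf_tables)'  -> nf_tables
#   any other string             -> unknown
backend_from_version() {
    case "$1" in
        *"(legacy)"*)    printf '%s\n' legacy ;;
        *"(nf_tables)"*) printf '%s\n' nf_tables ;;
        *)               printf '%s\n' unknown ;;
    esac
}

# check_backend EXPECTED [COMMAND]
#   Runs COMMAND --version (default: iptables) and returns 0 only when the
#   reported backend equals EXPECTED. Returns 2 when the command cannot be
#   run, 1 on a mismatch, with a message on stderr in both cases.
check_backend() {
    expected=$1
    cmd=${2:-iptables}
    ver=$("$cmd" --version 2>/dev/null) || {
        printf 'cannot run %s --version\n' "$cmd" >&2
        return 2
    }
    actual=$(backend_from_version "$ver")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    printf '%s reports the %s backend, expected %s\n' "$cmd" "$actual" "$expected" >&2
    return 1
}

# Usage (hypothetical deployment script):
#   check_backend nf_tables            || exit 1
#   check_backend legacy ip6tables     || exit 1
```

The check is worth running before a script adds rules because the legacy and nf_tables front-ends store their rules through different kernel interfaces; a rule inserted with one is not listed by the other, so a host where some tools are symlinked to xtables-nft-multi and others are not can end up with two rulesets that neither tool shows in full.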

legacy commandline tools:
ip6tables-legacy-save
ip6tables-legacy-restore
ip6tables-legacy
iptables-legacy-save
iptables-legacy-restore
iptables-legacy

nf_tables commandline tools:
ip6tables-nft-save
ip6tables-nft-restore
ip6tables-nft
iptables-nft-save
iptables-nft-restore
iptables-nft

new commands available with nf_tables backend:
1. xtables-monitor

This tool shows changes to the ruleset and can display
packet trace information for ruleset debugging.  Examples:
Show ruleset evaluation results of packets that have been selected via
-j TRACE target:
 # xtables-monitor --trace
    PACKET: 10 fa6b77e1 IN=wlan0 MACSRC=51:1 ..SRC=2a00::1 .. DPORT=13024
     TRACE: 10 fa6b77e1 raw:PREROUTING:return:
     TRACE: 10 fa6b77e1 raw:PREROUTING:policy:DROP
    PACKET: 10 ab9a14cf IN=wlan0 MACSRC=51:1 ..SRC=2a00::1 .. DPORT=21242

Show changes to ruleset:
 # xtables-monitor --event
  NEWGEN: GENID=14 PID=13331 NAME=iptables-nft
   EVENT: -4 -t filter -A INPUT -s 10.0.0.0/8 -j DROP
  NEWGEN: GENID=15 PID=13332 NAME=iptables-nft
   EVENT: -6 -t filter -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
  NEWGEN: GENID=16 PID=13334 NAME=ip6tables-nft
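The '--event' output above is what a monitoring daemon would consume instead of polling the ruleset. As an added example that is not part of this announcement, the following POSIX shell and awk code parses that format: it collects EVENT lines and attributes them to the NEWGEN line that follows, which is the order the sample above shows (the '-6' rule precedes the NEWGEN announced by ip6tables-nft), and it flags changes committed by any process name other than an expected one. The sample input is constructed from the lines in the announcement; the assumption that events precede their generation's NEWGEN line is taken from that sample.

```shell
#!/bin/sh
# Added example (not code from the iptables project): summarise
# 'xtables-monitor --event' output and flag unexpected ruleset writers.

# Constructed sample, copied from the format shown in the announcement.
SAMPLE_EVENTS='  NEWGEN: GENID=14 PID=13331 NAME=iptables-nft
   EVENT: -4 -t filter -A INPUT -s 10.0.0.0/8 -j DROP
  NEWGEN: GENID=15 PID=13332 NAME=iptables-nft
   EVENT: -6 -t filter -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
  NEWGEN: GENID=16 PID=13334 NAME=ip6tables-nft'

# summarize_events < monitor-output
#   Prints one line per committed rule change:  GENID PID NAME RULE
#   EVENT lines are buffered until the next NEWGEN line, which carries the
#   generation id and the process that committed the transaction.
summarize_events() {
    awk '
        /EVENT:/ {
            sub(/^[ \t]*EVENT:[ \t]*/, "")
            pending[n++] = $0
            next
        }
        /NEWGEN:/ {
            genid = "?"; pid = "?"; name = "?"
            for (i = 2; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "GENID")     genid = kv[2]
                else if (kv[1] == "PID")  pid = kv[2]
                else if (kv[1] == "NAME") name = kv[2]
            }
            for (i = 0; i < n; i++)
                printf "%s %s %s %s\n", genid, pid, name, pending[i]
            n = 0
            split("", pending)   # clear the buffer (portable awk idiom)
        }
    '
}

# flag_unexpected ALLOWED_NAME < monitor-output
#   Prints the rule changes committed under any process name other than
#   ALLOWED_NAME, e.g. when only one management tool is expected to write
#   the ruleset on a host.
flag_unexpected() {
    summarize_events | awk -v allowed="$1" '$3 != allowed'
}

# count_changes < monitor-output -> number of committed rule changes
count_changes() {
    summarize_events | awk 'END { print NR + 0 }'
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_EVENTS" | summarize_events
```

On a live system the input would be `xtables-monitor --event` itself, e.g. `xtables-monitor --event | flag_unexpected iptables-nft`, which turns the stream into an alert source for a rule change made by a tool the host's management process does not use.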

2. ebtables (aims to be a drop-in replacement for the 'ebtables' tool)
3. arptables (likewise, drop-in replacement for 'arptables' tool)

4. the 'translate' family of tools:
 ip6tables-translate
 ip6tables-restore-translate
 iptables-restore-translate
 iptables-translate

These are text converters that take iptables syntax and provide output
that can be read by the native nftables command line tool, nft.

We currently recommend that distributions install the 'legacy' versions
by default for stable/production releases.

For experimental releases we recommend that distributors make the
nf_tables commands available as an alternative so that the iptables,
ip6tables, iptables-restore, etc. commands are created as symbolic
links to xtables-nft-multi.

Advantages of the 'nf_tables' variant:
 - No need to use the --wait option to iptables to avoid
   concurrency issues (--wait is a no-op in the nf_tables versions)
 - 3rd party daemons can monitor the ruleset for changes instead of polling
   the current ruleset
 - the xtables-monitor command allows debugging the ruleset using the --trace
   option in combination with the iptables TRACE target, and displays
   changes to the ruleset configuration
 - addition or removal of rules does not change internal state of other
   matches such as limit or quota.

See ChangeLog that comes attached to this email for more details.

You can download it from:

http://www.netfilter.org/projects/iptables/downloads.html#iptables-1.8.0

To build the code, libnftnl 1.1.1 and libmnl >= 1.0.3 are required:

* http://netfilter.org/projects/libnftnl/index.html
* http://netfilter.org/projects/libmnl/index.html

In case of bugs and feature requests, file them via:

* https://bugzilla.netfilter.org

Happy firewalling!

Attachment: iptables-1.8.0.txt.gz
Description: application/gzip

