Hi!
The Netfilter project proudly presents:
iptables 1.8.4
This release contains the following fixes and enhancements:
libiptc:
- Generic libiptc.so shared object is no longer built, likely all users
link to libip4tc.so or libip6tc.so directly.
xtables-restore and xtables-save:
- Fix for wrong counter format in 'ebtables-nft-save -c' output.
- Print typical iptables-save comments in arptables- and ebtables-save,
too.
- Fix for spurious errors with odd characters in rule comments.
iptables-legacy:
- Add --suppl-groups option to owner match.
- Fix nfacct on mixed 64/32bit kernel/userland.
iptables-nft:
- Avoid endless loop when called as non-root user.
- Fix for table compatibility checking considering only non-interesting
tables.
- Remove support for /etc/xtables.conf.
- Various performance improvements when dealing with large rulesets.
- Fix --fragment option on Big Endian.
- Fix zeroing rule counters with TPROXY target.
iptables-restore:
- Restore support for '-4' and '-6' prefixes in rule lines.
ebtables-nft:
- Fix for spurious errors when using '-o' option in user-defined
chains.
- Add rudimental support for among match.
iptables-translate:
- Fix translation for conntrack status EXPECTED.
- Support SYNPROXY target.
See ChangeLog that comes attached to this email for more details.
You can download it from:
http://www.netfilter.org/projects/iptables/downloads.html#iptables-1.8.4
To build the code, libnftnl 1.1.5 is required:
* http://netfilter.org/projects/libnftnl/index.html
In case of bugs and feature requests, file them via:
* https://bugzilla.netfilter.org
Happy firewalling!
Adel Belhouane (1):
restore legacy behaviour of iptables-restore when rules start with -4/-6
Duncan Roe (1):
netfilter: hashlimit: prefer PRIu64 to avoid warnings on 32bit platforms
Fernando Fernandez Mancera (1):
utils: nfnl_osf: fix snprintf -Wformat-truncation warning
Florian Westphal (6):
extensions/libxt_MASQUERADE.man: random and random-fully are now identical
nft: exit in case we can't fetch current genid
ebtables: fix over-eager -o checks on custom chains
libiptc: axe non-building debug code
libiptc: silence two comiler warnings
ipables: xtables-restore: output filename option in help text
Jan Engelhardt (2):
build: remove -Wl,--no-as-needed and libiptc.so
src: replace IPTABLES_VERSION by PACKAGE_VERSION
Jose M. Guisado Gomez (1):
extensions: libxt_SYNPROXY: add xlate method
Joseph C. Sible (1):
doc: Note REDIRECT case of no IP address
Juliana Rodrigueiro (1):
extensions: nfacct: Fix alignment mismatch in xt_nfacct_match_info
Lukasz Pawelczyk (1):
extensions: libxt_owner: Add supplementary groups option
Phil Sutter (92):
xtables-restore: Fix program names in help texts
nft: Set socket receive buffer
nft: Pass nft_handle down to mnl_batch_talk()
nft: Move send/receive buffer sizes into nft_handle
xtables-save: Use argv[0] as program name
ebtables: Fix error message for invalid parameters
ebtables-save: Fix counter formatting
xtables-save: Unify *-save header/footer comments
xtables-save: Fix table compatibility check
nft: Make nft_for_each_table() more versatile
xtables-save: Avoid mixed code and declarations
xtables-save: Pass optstring/longopts to xtables_save_main()
xtables-save: Make COMMIT line optional
xtables-save: Pass format flags to do_output()
arptables-save: Merge into xtables_save_main()
ebtables-save: Merge into xtables_save_main()
nft: Set errno in nft_rule_flush()
xtables: Drop support for /etc/xtables.conf
doc: Install nft-variant man pages only if enabled
doc: Install ip{6,}tables-restore-translate.8 man pages
nft: Drop stale include directive
iptables-test: Support testing host binaries
tests/shell: Make ebtables-basic test more verbose
DEBUG: Print to stderr to not disturb iptables-save
nft: Use nftnl_*_set_str() functions
nft: Introduce nft_bridge_commit()
nft Increase mnl_talk() receive buffer size
nft: Fix add_bitwise_u16() on Big Endian
xtables_error() does not return
nft: Fix typo in nft_parse_limit() error message
nft: Get rid of NFT_COMPAT_EXPR_MAX define
tests/shell: Speed up ipt-restore/0004-restore-race_0
tests: shell: Support running for legacy/nft only
nft: Fix for add and delete of same rule in single batch
nft: Make nftnl_table_list_get() fetch only tables
xtables-restore: Minimize caching when flushing
nft: Pass nft_handle to flush_cache()
nft: Avoid nested cache fetching
nft: Extract cache routines into nft-cache.c
iptables-test: Run tests in lexical order
nft-cache: Introduce cache levels
nft-cache: Fetch only chains in nft_chain_list_get()
nft-cache: Cover for multiple fetcher invocation
nft-cache: Support partial cache per table
nft-cache: Support partial rule cache per chain
nft: Reduce cache overhead of nft_chain_builtin_init()
nft: Support nft_is_table_compatible() per chain
nft: Optimize flushing all chains of a table
xtables-restore: Treat struct nft_xt_restore_parse as const
xtables-restore: Use xt_params->program_name
xtables-restore: Introduce rule counter tokenizer function
xtables-restore: Constify struct nft_xt_restore_cb
iptables-restore: Constify struct iptables_restore_cb
xtables-restore: Drop local xtc_ops instance
xtables-restore: Drop chain_list callback
xtables-restore: Fix --table parameter check
xtables-restore: Unbreak *tables-restore
nft: Use ARRAY_SIZE() macro in nft_strerror()
iptables-xml: Use add_param_to_argv()
xshared: Introduce struct argv_store
xtables-arp: Use xtables_ipparse_multiple()
ip6tables, xtables-arp: Drop unused struct pprot
xshared: Share a common add_command() implementation
xshared: Share a common implementation of parse_rulenumber()
Merge CMD_* defines
xtables-arp: Drop generic_opt_check()
Replace TRUE/FALSE with true/false
xtables-arp: Integrate OPT_* defines into xshared.h
xtables-arp: Drop some unused variables
xtables-arp: Use xtables_parse_interface()
nft-arp: Use xtables_print_mac_and_mask()
xtables-restore: Integrate restore callbacks into struct nft_xt_restore_parse
xtables-restore: Introduce struct nft_xt_restore_state
xtables-restore: Introduce line parsing function
xtables-restore: Remove some pointless linebreaks
xtables-restore: Allow lines without trailing newline character
xtables-restore: Improve performance of --noflush operation
tests: shell: Add ipt-restore/0007-flush-noflush_0
nft: CMD_ZERO needs a rule cache
nft: Fix -Z for rules with NFTA_RULE_COMPAT
nft: family_ops: Pass nft_handle to 'add' callback
nft: family_ops: Pass nft_handle to 'rule_find' callback
nft: family_ops: Pass nft_handle to 'print_rule' callback
nft: family_ops: Pass nft_handle to 'rule_to_cs' callback
nft: Keep nft_handle pointer in nft_xt_ctx
nft: Eliminate pointless calls to nft_family_ops_lookup()
nft: Introduce NFT_CL_SETS cache level
nft: Support NFT_COMPAT_SET_ADD
nft: Bore up nft_parse_payload()
nft: Embed rule's table name in nft_xt_ctx
nft: Support parsing lookup expression
nft: bridge: Rudimental among extension support
Quentin Armitage (1):
extensions: fix iptables-{nft,translate} with conntrack EXPECTED
Shekhar Sharma (1):
iptables-tests: fix python3
