Hi!

The Netfilter project proudly presents:

        iptables 1.8.5

This release contains the following fixes and enhancements:

xtables-save/xtables-restore:

- Fix parser in `--noflush' mode incorrectly rejecting chain definitions
  and empty lines.
- Fix crash when restoring or dumping while other ruleset changes happen
  in parallel.

iptables-apply:

- Install the script along with `make install'.
- Introduce parameters `-c' (run command) and `-w' (save successfully
  applied rules to file).
- Use `mktemp' instead of `tempfile' for temporary files.

iptables-translate:

- Support `time' match and `NOTRACK' target.
- Fix for special interface names `*', `+' and `eth++'.

ebtables-nft:

- Full among match support, including sets with mixed MAC and MAC+IP
  entries.

extensions:

- connlabel: Numeric labels were rejected if a connlabel.conf existed in
  the system.
- IDLETIMER: Introduce `--alarm' option.

libxtables:

- Introduce xtables_fini() to properly deinit the library and close any
  loaded shared objects.

nfnl_osf:

- Fix lockup after loading the first line from fingerprints file.
- Improve error handling, don't silently exit when deleting a
  non-existing fingerprint.

General:

- Fixes for undefined behaviour.
- Replace a few unsafe calls to strcpy().
- Fix some warnings when compiling with clang.
- Various fixes for valgrind-detected problems such as memory leaks and
  reachable memory at program exit.

See ChangeLog that comes attached to this email for more details.

You can download it from:

http://www.netfilter.org/projects/iptables/downloads.html#iptables-1.8.5

To build the code, libnftnl 1.1.6 is required:

* http://netfilter.org/projects/libnftnl/downloads.html#libnftnl-1.1.6

In case of bugs and feature requests, file them via:

* https://bugzilla.netfilter.org

Happy firewalling!

Arturo Borrero Gonzalez (1):
      .gitignore: add nano/vim swap file

Jeremy Sowden (1):
      extensions: AUDIT: fix man-page typo.

Jose M. Guisado Gomez (1):
      extensions: time: add translation and tests

Laurence J. Lane (6):
      iptables: install iptables-apply script and manpage
      iptables: cleanup "allows to" usage
      extensions: manpages: cleanup hyphens
      libipq: fix spelling in manpage
      iptables: mention iptables-apply(8) in manpages
      extensions: libxt_sctp: add manpage description

Maciej Żenczykowski (7):
      iptables: open eBPF programs in read only mode
      extensions: include strings.h for the definition of ffs()
      iptables: include sys/time.h to fix lack of struct timeval declaration
      libxt_IDLETIMER: fix target v1 help alignment and doc
      libiptc: do not typedef socklen_t on Android
      iptables: flush stdout after every verbose log.
      libip6t_srh.t: switch to lowercase, add /128 suffix, require success

Manoj Basapathi (1):
      extensions: IDLETIMER: Add alarm timer option

Pablo Neira Ayuso (9):
      build: bump dependency on libnftnl
      extensions: libxt_CT: add translation for NOTRACK
      nft-shared: skip check for jumpto if cs->target is unset
      nft: split parsing from netlink commands
      nft: calculate cache requirements from list of commands
      nft: restore among support
      nft: remove cache build calls
      nft: missing nft_fini() call in bridge family
      configure: bump version for 1.8.5 release

Phil Sutter (64):
      extensions: CLUSTERIP: Mark as deprecated in man page
      Fix DEBUG build
      xtables-restore: Fix parser feed from line buffer
      xtables-restore: Avoid access of uninitialized data
      extensions: time: Avoid undefined shift
      extensions: cluster: Avoid undefined shift
      libxtables: Avoid buffer overrun in xtables_compatible_revision()
      xtables-translate: Guard strcpy() call in xlate_ifname()
      extensions: among: Check call to fstat()
      xtables-translate: Fix for interface name corner-cases
      xtables-restore: fix for --noflush and empty lines
      tests: shell: Fix skip checks with --host mode
      xtables-translate: Fix for iface++
      ebtables: among: Support mixed MAC and MAC/IP entries
      nft: Drop pointless assignment
      iptables-test.py: Fix --host mode
      xtables: Align effect of -4/-6 options with legacy
      xtables: Drop -4 and -6 support from xtables-{save,restore}
      xtables: Review nft_init()
      connlabel: Allow numeric labels even if connlabel.conf exists
      nft: cache: Fix nft_release_cache() under stress
      nft: cache: Make nft_rebuild_cache() respect fake cache
      nft: cache: Simplify chain list allocation
      nft: cache: Review flush_cache()
      nft: cache: Fix for unused variable warnings
      nft: cache: Fix iptables-save segfault under stress
      xshared: Drop pointless assignment in add_param_to_argv()
      tests: shell: Improve ipt-restore/0001load-specific-table_0 a bit
      tests: shell: Extend ipt-restore/0004-restore-race_0
      tests: shell: Test -F in dump files
      tests: shell: Add test for nfbz#1391
      ebtables-restore: Drop custom table flush routine
      nft: cache: Eliminate init_chain_cache()
      nft: cache: Init per table set list along with chain list
      nft: cache: Fetch sets per table
      ebtables-restore: Table line to trigger implicit commit
      nft: cache: Simplify rule and set fetchers
      nft: cache: Improve fake cache integration
      nft: cache: Introduce struct nft_cache_req
      nft-cache: Fetch cache per table
      nft-cache: Introduce __fetch_chain_cache()
      nft: cache: Fetch cache for specific chains
      nft: cache: Optimize caching for flush command
      nft: Fix for '-F' in iptables dumps
      tests: shell: Implement --valgrind mode
      nft: cache: Re-establish cache consistency check
      nft: Clear all lists in nft_fini()
      nft: Fix leaks in ebt_add_policy_rule()
      nft: Fix leak when deleting rules
      ebtables: Free statically loaded extensions again
      libxtables: Introduce xtables_fini()
      nft: Use clear_cs() instead of open coding
      arptables: Fix leak in nft_arp_print_rule()
      nft: Fix leak when replacing a rule
      nft: Don't exit early after printing help texts
      iptables-test: Don't choke on empty lines
      nfnl_osf: Fix broken conversion to nfnl_query()
      nfnl_osf: Improve error handling
      nft: Merge nft_*_rule_find() functions
      nft: Drop save_counters callback from family_ops
      doc: libxt_MARK: OUTPUT chain is fine, too
      tests: shell: Fix syntax in ipt-restore/0010-noflush-new-chain_0
      include: Avoid undefined left-shift in xt_sctp.h
      build: bump dependency on libnftnl

gw.2010@xxxxxxxxx (1):
      iptables-apply: script and manpage update

Álvaro Santos (1):
      Fixed some man pages typos ('This modules' -> 'This module')