[ANNOUNCE] iptables 1.8.10 release

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi!

The Netfilter project proudly presents:

        iptables 1.8.10

This release contains new features:

- xtables-translate: Support rule insert with index
- Broute table support in ebtables-nft
- nft-variants' debug output (pass multiple '-v' flags) now contains
  sets if present
- Add mld-listener type names to icmp6 match
- Correctly parse meta mark statements in rules even though iptables-nft
  does not emit those

... and fixes:

- Compiler warnings with -Werror=format-security
- Needless install of unsupported xtables.conf file
- Wrong "unknown argument" error message in some corner cases
- ebtables-nft allowed implicitly calling targets by one of their
  options, require '-j <target>' first for consistency with legacy
- Various bugs in ebtables-translate
- Corner-case bug in iptables-nft-restore when deleting a rule inside
  the batch file
- Sloppy rule check command in ip6tables-legacy, producing
  false-positives
- Arptables-nft omitted some inverted options when listing rules
- Parser would not accept long-options with appended argument
  (in form '--opt=arg')
- Ip6tables-nft ignored counter argument ('-c')
- Wrong error message when listing a non-existent chain with
  iptables-nft
- Pointless creation of unused anonymous sets when deleting an
  ebtables-nft rule containing an among match
- Ineffective among match comparison causing ebtables-nft to potentially
  delete the wrong rule
- Sloppy iptables-restore parser accepting junk where chain counters are
  expected
- Missing target name validation in chain rename command
- Icmp match confused type 255 and code 255 with special type "any"
- NDEBUG compiler flag breaks iptables-nft
- Non-functional chain policy counters with iptables-nft
- Zeroing a rule's counters would zero chain policy counters with legacy
  iptables
- Reject '-m conntrack --ctproto 0', it will never match
- Stale meta expression when stripping a match on interface "+" (i.e.,
  any interface name)
- Harmless compiler warning with recent Linux headers

... and documentation updates:

- Add missing chunk types to SCTP match help text (use 'iptables -p sctp
  --help' to see them)
- Document possible false negatives when using 'string' match's BM
  algorithm
- Missing return codes 3 and 4 descriptions in iptables man page
- Misc minor fixes in man pages

You can download the new release from:

https://netfilter.org/projects/iptables/downloads.html#iptables-1.8.10

To build the code, libnftnl 1.2.6 is required:

* http://netfilter.org/projects/libnftnl/downloads.html#libnftnl-1.2.6

In case of bugs, file them via:

* https://bugzilla.netfilter.org

Happy firewalling!
Alyssa Ross (1):
  build: use pkg-config for libpcap

Arturo Borrero Gonzalez (1):
  iptables-test.py: make explicit use of python3

Florian Westphal (6):
  xtables-eb: fix crash when opts isn't reallocated
  iptables-nft: make builtin tables static
  iptables-nft: remove unused function argument
  include: update nf_tables uapi header
  ebtables-nft: add broute table emulation
  nft-ruleparse: parse meta mark set as MARK target

Jacek Tomasiak (2):
  iptables: Fix setting of ipv6 counters
  iptables: Fix handling of non-existent chains

Jan Engelhardt (1):
  xshared: dissolve should_load_proto

Jan Palus (1):
  nft: move processing logic out of asserts

Jeremy Sowden (1):
  man: string: document BM false negatives

Markus Boehme (1):
  ip6tables: Fix checking existence of rule

Pablo Neira Ayuso (3):
  nft: check for source and destination address in first place
  nft: use payload matching for layer 4 protocol
  nft-bridge: pass context structure to ops->add() to improve anonymous
    set support

Phil Sutter (76):
  extensions: NAT: Fix for -Werror=format-security
  etc: Drop xtables.conf
  Proper fix for "unknown argument" error message
  ebtables: Refuse unselected targets' options
  ebtables-translate: Drop exec_style
  ebtables-translate: Use OPT_* from xshared.h
  ebtables-translate: Ignore '-j CONTINUE'
  ebtables-translate: Print flush command after parsing is finished
  tests: xlate: Support testing multiple individual files
  tests: CLUSTERIP: Drop test file
  nft-shared: Lookup matches in iptables_command_state
  nft-shared: Use nft_create_match() in one more spot
  nft-shared: Simplify using nft_create_match()
  tests: xlate: Properly split input in replay mode
  tests: xlate: Print file names even if specified
  extensions: libebt_redirect: Fix target translation
  extensions: libebt_redirect: Fix for wrong syntax in translation
  extensions: libebt_ip: Do not use 'ip dscp' for translation
  extensions: libebt_ip: Translation has to match on ether type
  ebtables: ip and ip6 matches depend on protocol match
  xtables-translate: Support insert with index
  include: Add missing linux/netfilter/xt_LOG.h
  nft-restore: Fix for deletion of new, referenced rule
  tests: shell: Test for false-positive rule check
  utils: nfbpf_compile: Replace pcap_compile_nopcap()
  nft-shared: Drop unused include
  arptables: Fix parsing of inverted 'arp operation' match
  arptables: Don't omit standard matches if inverted
  xshared: Fix parsing of option arguments in same word
  nft: Introduce nft-ruleparse.{c,h}
  nft: Extract rule parsing callbacks from nft_family_ops
  nft: ruleparse: Create family-specific source files
  tests: shell: Sanitize nft-only/0009-needless-bitwise_0
  nft: Special casing for among match in compare_matches()
  nft: More verbose extension comparison debugging
  nft: Do not pass nft_rule_ctx to add_nft_among()
  nft: Include sets in debug output
  *tables-restore: Enforce correct counters syntax if present
  *tables: Reject invalid chain names when renaming
  ebtables: Improve invalid chain name detection
  tests: shell: Fix and extend chain rename test
  iptables-restore: Drop dead code
  iptables-apply: Eliminate shellcheck warnings
  extensions: libipt_icmp: Fix confusion between 255/255 and any
  tests: libipt_icmp.t: Enable tests with numeric output
  man: iptables.8: Extend exit code description
  man: iptables.8: Trivial spelling fixes
  man: iptables.8: Fix intra page reference
  man: iptables.8: Clarify --goto description
  man: Use HTTPS for links to netfilter.org
  man: iptables.8: Trivial font fixes
  man: iptables-restore.8: Fix --modprobe description
  man: iptables-restore.8: Consistently document -w option
  man: iptables-restore.8: Drop -W option from synopsis
  man: iptables-restore.8: Put 'file' in italics in synopsis
  man: iptables-restore.8: Start paragraphs in upper-case
  man: Trivial: Missing space after comma
  man: iptables-save.8: Clarify 'available tables'
  man: iptables-save.8: Fix --modprobe description
  man: iptables-save.8: Start paragraphs in upper-case
  extensions: libip6t_icmp: Add names for mld-listener types
  nft-ruleparse: Introduce nft_create_target()
  tests: iptables-test: Fix command segfault reports
  nft: Create builtin chains with counters enabled
  Revert "libiptc: fix wrong maptype of base chain counters on restore"
  tests: shell: Test chain policy counter behaviour
  Use SOCK_CLOEXEC/O_CLOEXEC where available
  nft: Pass nft_handle to add_{target,action}()
  nft: Introduce and use bool nft_handle::compat
  Add --compat option to *tables-nft and *-nft-restore commands
  tests: Test compat mode
  Revert --compat option related commits
  tests: shell: Fix for ineffective 0007-mid-restore-flush_0
  nft: Fix for useless meta expressions in rule
  include: linux: Update kernel.h
  build: Bump dependency on libnftnl

Quentin Armitage (1):
  extensions: Fix checking of conntrack --ctproto 0

Victor Julien (1):
  doc: fix example of xt_cpu

Xin Long (1):
  xt_sctp: add the missing chunk types in sctp_help

[Index of Archives]     [Netfitler Users]     [Berkeley Packet Filter]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux