Hi!
The Netfilter project proudly presents:
iptables 1.8.7
This release contains the following fixes and enhancements:
iptables-nft:
- Improved performance when matching on IP/MAC address prefixes if the
prefix is byte-aligned. In ideal cases, this doubles packet processing
performance.
*NOTE*: Older iptables versions will not recognize the mask and thus
omit them when listing the ruleset.
- Dump user-defined chains in lexical order. This way ruleset dumps
become stable and easily comparable.
- Avoid pointless table/chain creation. For instance, 'iptables-nft -L'
no longer creates missing base-chains.
ebtables-nft:
- Renaming user-defined chains was entirely broken.
extensions:
- Code for printing and parsing of MAC addresses was consolidated
internally, slightly reducing binary size. As a noticeable
side-effect, all MAC addresses are now printed in lower-case (affects
'mac'-extension).
- Fixed DCCP extension's match on 'INVALID' type, a meta-type which
should match any type value in the range from ten to fifteen. In the
past it matched on type value 10 only.
xtables-monitor:
- Don't print unrelated rules in the same chain when tracing.
- Flush output buffer after each rule when tracing to improve experience
when redirecting output.
- Print the table's family when tracing instead of whatever the user
specified on command line.
- Print the traced packet before the rule it traverses, not vice-versa.
- Recognize loopback interface and print "LOOPBACK" for link layer
header info instead of "LL=0x304".
xtables-translate:
- Correctly translate DCCP type matches (including 'INVALID').
See the attached changelog for more details.
You can download it from:
http://www.netfilter.org/projects/iptables/downloads.html#iptables-1.8.7
To build the code, libnftnl 1.1.6 is required:
* http://netfilter.org/projects/libnftnl/downloads.html#libnftnl-1.1.6
In case of bugs and feature requests, file them via:
* https://bugzilla.netfilter.org
Happy firewalling!
Florian Westphal (4):
xtables-monitor: fix rule printing
xtables-monitor: fix packet family protocol
xtables-monitor: print packet first
xtables-monitor: 'LL=0x304' is not very convenient, print LOOPBACK instead.
Pablo Neira Ayuso (1):
tests: shell: update format of registers in bitwise payloads.
Phil Sutter (21):
nft: Optimize class-based IP prefix matches
ebtables: Optimize masked MAC address matches
tests/shell: Add test for bitwise avoidance fixes
ebtables: Fix for broken chain renaming
iptables-test.py: Accept multiple test files on commandline
iptables-test.py: Try to unshare netns by default
libxtables: Extend MAC address printing/parsing support
xtables-arp: Don't use ARPT_INV_*
xshared: Merge some command option-related code
tests/shell: Test for fixed extension registration
extensions: dccp: Fix for DCCP type 'INVALID'
nft: Fix selective chain compatibility checks
nft: cache: Introduce nft_cache_add_chain()
nft: Implement nft_chain_foreach()
nft: cache: Move nft_chain_find() over
nft: Introduce struct nft_chain
nft: Introduce a dedicated base chain array
nft: cache: Sort custom chains by name
tests: shell: Drop any dump sorting in place
nft: Avoid pointless table/chain creation
tests/shell: Fix nft-only/0009-needless-bitwise_0
