Hi!
The Netfilter project proudly presents:
iptables 1.8.8
This release contains new features:
* Add iptables-translate support for:
* sctp match's --chunk-types option
* connlimit match
* multiport match's --ports option
* tcpmss match
* Simplified translation of:
* tcp match's --tcp-flags option
* conntrack match
* Reject setuid executables in libxtables for safety reasons
* Support deleting builtin chains in iptables-nft
* Merged arptables-nft rule parser into iptables-nft one, thereby extending
arptables-nft by:
* '-C' and '-S' commands
* Rule indexes with '-I' and '-R' commands
* '-c N,M' counter syntax
* Drop support for multiple IPv4 ranges in *NAT targets which required a linux
kernel before 2.6.11 anyway
* Use native log expression for NFLOG target with iptables-nft, this allows to
use up to 127 character prefix strings
* Use native payload expressions when matching on TCP/UDP header fields in
iptables-nft
* Debug output in iptables-nft and ebtables-nft when specifying '-v' multiple
times
* Debug output in iptables-restore (all variants) by passing '-v' option
multiple times
* Better legacy iptables lock timeout implementation, making '-W' option obsolete
* Improved performance of iptables-save and -restore
* Use native meta expression when matching on fwmark value.
... and fixes:
* Avoid ebtables program abort for unknown table names
* Zeroing rule counters not functional in iptables-nft
* Incorrect stripping of odd (non-prefix) netmasks with nft-variants
* Wrong iptables-translate output for odd (non-prefix) netmasks
* Wrong translation of inverted conntrack state/status matches
* Buffer exhaustion with huge rulesets in nft-variants
* Deleting rules with SECMARK target not possible due to binary data mismatch
(requires kernel update)
* Broken ebtables-translate with '-o' and custom chains
* Wrong translation of sctp match on more than a single field
* Fix for static linking
* Check command was always verbose in iptables-nft
* Wrong translation of '--random-full' option in ip6tables MASQUERADE
* Missing space in listing of mac match
* Misc memory leaks
* Misc testsuite fixes
* ebtables-nft drops user-defined chain policies when flushing
* Clarify synopsis in iptables-translate help text
* Potential double free with unrecognized base chains in iptables-nft
* Wrong ip6tables-nft help text (identical with iptables by accident)
* Extra whitespace after --nflog-prefix option of NFLOG target
* Sanitize behaviour for unprivileged callers, allow printing (extension) help
* Trying to use non-existent extensions caused misleading error messages
* iptables-nft-restore accepted standard targets as chain names
* Extra newline when printing MARK extension help
* Improved arptables-nft help output
... and documentation updates:
* sctp match types
* Drop documentation of ebtables-nft unsupported atomic options
* Misc typo fixes
* Support for shifted port ranges with DNAT
* (Limited) support for service names with DNAT and REDIRECT
* Review NAT extensions' documentation in man page
* LOG target's --log-macdecode option
You can download the new release from:
https://netfilter.org/projects/iptables/downloads.html#iptables-1.8.8
In case of bugs, file them via:
* https://bugzilla.netfilter.org
Happy firewalling!
Alexander Mikhalitsyn (2):
extensions: libxt_conntrack: use bitops for state negation
extensions: libxt_conntrack: use bitops for status negation
Erik Wilson (1):
xtables: Call init_extensions6() for static builds
Etienne Champetier (1):
xtables: Call init_extensions{,a,b}() for static builds
Florian Westphal (12):
iptables-nft: fix -Z option
libxtables: exit if called by setuid executeable
iptables-nft: allow removal of empty builtin chains
extensions: tcpmss: add iptables-translate support
nft-shared: set correct register value
nft-shared: support native tcp port delinearize
nft-shared: support native tcp port range delinearize
nft-shared: support native udp port delinearize
nft: prefer native expressions instead of udp match
nft: prefer native expressions instead of tcp match
nft-shared: add tcp flag dissection
nft: add support for native tcp flag matching
Jeremy Sowden (11):
tests: shell: fix bashism
nft: fix indentation error.
tests: iptables-test: correct misspelt variable
extensions: libxt_NFLOG: fix `--nflog-prefix` Python test-cases
extensions: libxt_NFLOG: remove extra space when saving targets with prefixes
build: replace `AM_PROG_LIBTOOL` and `AC_DISABLE_STATIC` with `LT_INIT`
extensions: libxt_NFLOG: fix typo
tests: iptables-test: rename variable
tests: add `NOMATCH` test result
tests: support explicit variant test result
tests: NFLOG: enable `--nflog-range` tests
Jethro Beekman (1):
xshared: Implement xtables lock timeout using signals
Kyle Bowman (3):
extensions: libxt_NFLOG: use nft built-in logging instead of xt_NFLOG
extensions: libxt_NFLOG: don't truncate log prefix on print/save
extensions: libxt_NFLOG: disable `--nflog-range` Python test-cases
Maciej Żenczykowski (1):
fix build for missing ETH_ALEN definition
Pablo Neira Ayuso (13):
libxtables: extend xlate infrastructure
tests: xlate-test: support multiline expectation
extensions: libxt_connlimit: add translation
extensions: libxt_tcp: rework translation to use flags match representation
extensions: libxt_conntrack: simplify translation using negation
extensions: libxt_multiport: add translation for -m multiport --ports
nft-shared: update context register for bitwise expression
nft: pass struct nft_xt_ctx to parse_meta()
nft: native mark matching support
nft: pass handle to helper functions to build netlink payload
nft: prepare for dynamic register allocation
nft: split gen_payload() to allocate register and initialize expression
configure: bump version for 1.8.8 release
Pavel Tikhomirov (1):
ip6tables: masquerade: use fully-random so that nft can understand the rule
Phil Sutter (134):
ebtables: Exit gracefully on invalid table names
include: Drop libipulog.h
nft: Fix bitwise expression avoidance detection
xtables-translate: Fix translation of odd netmasks
libxtables: Simplify xtables_ipmask_to_cidr() a bit
nft: cache: Sort chains on demand only
nft: Increase BATCH_PAGE_SIZE to support huge rulesets
extensions: sctp: Explain match types in man page
Eliminate inet_aton() and inet_ntoa()
nft-arp: Make use of ipv4_addr_to_string()
extensions: SECMARK: Implement revision 1
xtables: Make invflags 16bit wide
xshared: Eliminate iptables_command_state->invert
xshared: Merge invflags handling code
ebtables-translate: Use shared ebt_get_current_chain() function
Use proto_to_name() from xshared in more places
extensions: sctp: Fix nftables translation
extensions: sctp: Translate --chunk-types option
libxtables: Drop leftover variable in xtables_numeric_to_ip6addr()
extensions: libebt_ip6: Drop unused variables
libxtables: Fix memleak in xtopt_parse_hostmask()
nft: Avoid memleak in error path of nft_cmd_new()
nft: Avoid buffer size warnings copying iface names
iptables-apply: Drop unused variable
extensions: libebt_ip6: Use xtables_ip6parse_any()
libxtables: Introduce xtables_strdup() and use it everywhere
extensions: libxt_string: Avoid buffer size warning for strncpy()
doc: ebtables-nft.8: Adjust for missing atomic-options
ebtables: Dump atomic waste
nft: Fix for non-verbose check command
tests/shell: Assert non-verbose mode is silent
extensions: hashlimit: Fix tests with HZ=100
iptables-test: Make netns spawning more robust
extensions: libxt_mac: Fix for missing space in listing
nft: Use xtables_malloc() in mnl_err_list_node_add()
nft: Use xtables_{m,c}alloc() everywhere
tests: iptables-test: Fix missing chain case
tests: xlate-test: Don't skip any input after the first empty line
tests: xlate-test: Print errors to stderr
tests: iptables-test: Print errors to stderr
tests: xlate-test: Exit non-zero on error
tests: iptables-test: Exit non-zero on error
tests: shell: Return non-zero on error
ebtables: Avoid dropping policy when flushing
tests: iptables-test: Fix conditional colors on stderr
nft: cache: Avoid double free of unrecognized base-chains
nft: Check base-chain compatibility when adding to cache
nft-chain: Introduce base_slot field
nft: Delete builtin chains compatibly
nft: Introduce builtin_tables_lookup()
xshared: Store optstring in xtables_globals
nft-shared: Introduce init_cs family ops callback
xtables: Simplify addr_mask freeing
nft: Add family ops callbacks wrapping different nft_cmd_* functions
xtables-standalone: Drop version number from init errors
libxtables: Introduce xtables_globals print_help callback
arptables: Use standard data structures when parsing
nft-arp: Introduce post_parse callback
nft-shared: Make nft_check_xt_legacy() family agnostic
xtables: Derive xtables_globals from family
xtables: arptables accepts empty interface names
nft: Merge xtables-arp-standalone.c into xtables-standalone.c
Unbreak xtables-translate
xlate-test: Print full path if testing all files
extensions: hashlimit: Fix tests with HZ=1000
xshared: Merge and share parse_chain()
nft: Change whitespace printing in save_rule callback
xshared: Share print_iface() function
xshared: Share save_rule_details() with legacy
xshared: Share save_ipv{4,6}_addr() with legacy
xshared: Share print_rule_details() with legacy
xshared: Share print_fragment() with legacy
xshared: Share print_header() with legacy iptables
nft-shared: Drop unused function print_proto()
xshared: Make load_proto() static
xshared: Share print_match_save() between legacy ip*tables
xshared: Share a common printhelp function
xshared: Share exit_tryhelp()
xtables_globals: Embed variant name in .program_version
libxtables: Extend basic_exit_err()
iptables-*-restore: Drop pointless line reference
xtables: Drop xtables' family on demand feature
xtables: Pull table validity check out of do_parse()
xtables: Move struct nft_xt_cmd_parse to xshared.h
xtables: Pass xtables_args to check_empty_interface()
xtables: Pass xtables_args to check_inverse()
xtables: Do not pass nft_handle to do_parse()
xshared: Move do_parse to shared space
xshared: Store parsed wait and wait_interval in xtables_args
nft: Move proto_parse and post_parse callbacks to xshared
iptables: Use xtables' do_parse() function
ip6tables: Use the shared do_parse, too
extensions: *NAT: Kill multiple IPv4 range support
xshared: Fix response to unprivileged users
nft: Use verbose flag to toggle debug output
iptables-restore: Support for extra debug output
nft: Set NFTNL_CHAIN_FAMILY in new chains
ebtables: Support verbose mode
nft: Add debug output to table creation
nft: cache: Dump rules if debugging
tests: iptables-test: Support variant deviation
iptables.8: Describe the effect of multiple -v flags
libxtables: Register only the highest revision extension
Improve error messages for unsupported extensions
nft: Simplify immediate parsing
nft: Speed up immediate parsing
xshared: Prefer xtables_chain_protos lookup over getprotoent
nft: Don't pass command state opaque to family ops callbacks
libxtables: Fix for warning in xtables_ipmask_to_numeric
Simplify static build extension loading
nft: Review static extension loading
tests: shell: Fix 0004-return-codes_0 for static builds
nft: Reject standard targets as chain names when restoring
libxtables: Implement notargets hash table
libxtables: Boost rule target checks by announcing chain names
xlate-test: Fix for empty source line on failure
man: DNAT: Describe shifted port range feature
Revert "libipt_[SD]NAT: avoid false error about multiple destinations specified"
extensions: ipt_DNAT: Merge v1 and v2 parsers
extensions: ipt_DNAT: Merge v1/v2 print/save code
extensions: ipt_DNAT: Combine xlate functions also
extensions: DNAT: Rename from libipt to libxt
extensions: Merge IPv4 and IPv6 DNAT targets
extensions: Merge REDIRECT into DNAT
extensions: man: Document service name support in DNAT and REDIRECT
extensions: MARK: Drop extra newline at end of help
xshared: Move arp_opcodes into shared space
xshared: Extend xtables_printhelp() for arptables
libxtables: Drop xtables_globals 'optstring' field
libxtables: Revert change to struct xtables_pprot
extensions: DNAT: Merge core printing functions
man: *NAT: Review --random* option descriptions
extensions: LOG: Document --log-macdecode in man page
nft: Fix EPERM handling for extensions without rev 0
mizuta.takeshi@xxxxxxxxxxx (1):
xtables-translate: add missing argument and option to usage
Štěpán Němec (2):
Fix a few doc typos
iptables-test.py: print with color escapes only when stdout isatty
