[ANNOUNCE] iptables 1.8.9 release

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi!

The Netfilter project proudly presents:

        iptables 1.8.9

This release contains new features:

* arptables-nft: Support --exact flag
* Add --enable-profiling configure option, preparing for gcov/gprof
* Support more chunk types in sctp extension
* Print '--' in ip6tables' 'opt' column for consistency with iptables
* More verbose error messages if iptables-nft-restore fails
* Support '-p Length' with ebtables-nft, needed for 802_3 extension
* Merge all NAT extensions into a single DSO
* Install ebtables-translate tool

... and fixes:

* Misc compiler warnings
* Duplicate ETH_ALEN definition when building against musl libc
* Failing out-of-tree build
* Avoid symbol pollution by limiting scope of some in xtables.h
* Increase testsuites' code-coverage
* Using --init-table would crash ebtables-restore, reject it properly
* Fix potential read from garbage in string extension
* Add missing nf_log.h kernel header to dist
* Fix listing format with overly long 'prot' column entries
* Print numeric protocol values with --numeric
* Broken ebtables' among match with MAC+IP address entries
* Occasional wrong line number reported by failing iptables-nft-restore
* Multiple rules using among match broke ebtables-restore
* Renaming a chain in legacy iptables could crash the program
* A second bitwise expression in a rule would mangle the first one
* More strictly reject rules with unexpected content
* Many xtables-translate fixes
* Misc memory leaks and garbage access, satisfy valgrind's leak checker

... and documentation updates:

* Iptables exits when setuid, mention this in man page
* Improve NFQUEUE queue-balance documentation

You can download the new release from:

https://netfilter.org/projects/iptables/downloads.html#iptables-1.8.9

In case of bugs, file them via:

* https://bugzilla.netfilter.org

Happy firewalling!
Anton Luka Šijanec (1):
      xtables-monitor: add missing spaces in printed str

Ben Brown (1):
      build: Fix error during out of tree build

Erik Skultety (1):
      iptables: xshared: Ouptut '--' in the opt field in ipv6's fake mode

Florian Westphal (19):
      iptables.8: mention that iptables exits when setuid
      extensions: libxt_conntrack: remove always-false conditionals
      nft: fix ebtables among match when mac+ip addresses are used
      nft: support dissection of meta pkktype mode
      nft: prefer native 'meta pkttype' instead of xt match
      extensions: libxt_pkttype: support otherhost
      nft: support ttl/hoplimit dissection
      nft: prefer payload to ttl/hl module
      nft: un-break among match with concatenation
      Revert "nft: prefer payload to ttl/hl module"/'meta pkttype' match.
      nft: track each register individually
      tests: extend native delinearize script
      nft: check for unknown meta keys
      iptables-nft: exit nonzero when iptables-save cannot decode all expressions
      xlate: get rid of escape_quotes
      extensions: change expected output for new format
      xlate-test: avoid shell entanglements
      nft-bridge: work around recent "among" decode breakage
      extensions: add xt_statistics random mode translation

Markus Mayer (1):
      netfilter: add nf_log.h

Nick Hainke (1):
      treewide: use uint* instead of u_int*

Pablo Neira Ayuso (2):
      nft: replace nftnl_.*_nlmsg_build_hdr() by nftnl_nlmsg_build_hdr()
      nft-shared: replace nftnl_expr_get_data() by nftnl_expr_get()

Phil Sutter (136):
      xshared: Fix build for -Werror=format-security
      Revert "fix build for missing ETH_ALEN definition"
      tests: shell: Check overhead in iptables-save and -restore
      libxtables: Unexport init_extensions*() declarations
      arptables: Support -x/--exact flag
      iptables-legacy: Drop redundant include of xtables-multi.h
      xshared: Make some functions static
      Makefile: Add --enable-profiling configure option
      tests: shell: Add some more rules to 0002-verbose-output_0
      tests: shell: Extend iptables-xml test a bit
      tests: shell: Extend zero counters test a bit further
      extensions: libebt_standard.t: Test logical-{in,out} as well
      ebtables-restore: Deny --init-table
      extensions: string: Do not print default --to value
      extensions: string: Review parse_string() function
      extensions: string: Fix and enable tests
      nft: Exit if nftnl_alloc_expr fails
      libxtables: Move struct xtables_afinfo into xtables.h
      libxtables: Define XT_OPTION_OFFSET_SCALE in xtables.h
      libxtables: Fix unsupported extension warning corner case
      tests: shell: Fix testcases for changed ip6tables opts output
      xshared: Fix for missing space after 'prot' column
      xshared: Print protocol numbers if --numeric was given
      xtables-restore: Extend failure error message
      nft: Expand extended error reporting to nft_cmd, too
      tests: shell: Test delinearization of native nftables expressions
      ebtables: Drop unused OPT_* defines
      ebtables: Eliminate OPT_TABLE
      ebtables: Merge OPT_* flags with xshared ones
      nft-shared: Introduce __get_cmp_data()
      ebtables: Support '-p Length'
      ebtables: Fix among match
      nft: Fix meta statement parsing
      nft-bridge: Drop 'sreg_count' variable
      tests: iptables-test: Simplify '-N' option a bit
      tests: iptables-test: Simplify execute_cmd() calling
      tests: iptables-test: Pass netns to execute_cmd()
      tests: iptables-test: Test both variants by default
      extensions: among: Remove pointless fall through
      extensions: among: Fix for use with ebtables-restore
      extensions: libebt_stp: Eliminate duplicate space in output
      extensions: libip6t_dst: Fix output for empty options
      extensions: TCPOPTSTRIP: Do not print empty options
      extensions: libebt_log: Avoid empty log-prefix in output
      tests: IDLETIMER.t: Fix syntax, support for restore input
      tests: libebt_stp.t: Drop duplicate whitespace
      tests: shell: Fix expected output for ip6tables dst match
      tests: shell: Fix expected ebtables log target output
      libiptc: Fix for segfault when renaming a chain
      nft: Fix compile with -DDEBUG
      extensions: NFQUEUE: Document queue-balance limitation
      tests: iptables-test: Implement fast test mode
      tests: iptables-test: Cover for obligatory -j CONTINUE in ebtables
      tests: *.t: Fix expected output for simple calls
      tests: *.t: Fix for hexadecimal output
      tests: libebt_redirect.t: Plain redirect prints with trailing whitespace
      tests: libxt_length.t: Fix odd use-case output
      tests: libxt_recent.t: Add missing default values
      tests: libxt_tos.t, libxt_TOS.t: Add missing masks in output
      tests: libebt_vlan.t: Drop trailing whitespace from rules
      tests: libxt_connlimit.t: Add missing default values
      tests: *.t: Add missing all-one's netmasks to expected output
      extensions: DNAT: Fix bad IP address error reporting
      extensions: *NAT: Drop NF_NAT_RANGE_PROTO_RANDOM* flag checks
      extensions: DNAT: Use __DNAT_xlate for REDIRECT, too
      extensions: DNAT: Generate print, save and xlate callbacks
      extensions: DNAT: Rename some symbols
      extensions: Merge SNAT, DNAT, REDIRECT and MASQUERADE
      tests: xlate-test: Cleanup file reading loop
      tests: xlate-test.py: Introduce run_proc()
      tests: xlate-test: Replay results for reverse direction testing
      xshared: Share make_delete_mask() between ip{,6}tables
      nft-shared: Introduce port_match_single_to_range()
      extensions: libip*t_LOG: Merge extensions
      extensions: libebt_ip: Include kernel header
      extensions: libebt_arp, libebt_ip: Use xtables_ipparse_any()
      extensions: Collate ICMP types/codes in libxt_icmp.h
      extensions: Unify ICMP parser into libxt_icmp.h
      Drop extra newline from xtables_error() calls
      extensions: mark: Test double bitwise in a rule
      extensions: libebt_mark: Fix mark target xlate
      extensions: libebt_mark: Fix xlate test case
      extensions: libebt_redirect: Fix xlate return code
      extensions: libipt_ttl: Sanitize xlate callback
      extensions: CONNMARK: Fix xlate callback
      extensions: MARK: Sanitize MARK_xlate()
      extensions: TCPMSS: Use xlate callback for IPv6, too
      extensions: TOS: Fix v1 xlate callback
      extensions: ecn: Sanitize xlate callback
      extensions: tcp: Translate TCP option match
      extensions: libebt_log: Add comment to clarify xlate callback
      extensions: frag: Add comment to clarify xlate callback
      extensions: ipcomp: Add comment to clarify xlate callback
      libxtables: xt_xlate_add() to take care of spacing
      extensions: Leverage xlate auto-spacing
      extensions: libxt_conntrack: Drop extra whitespace in xlate
      extensions: xlate: Format sets consistently
      tests: shell: Test selective ebtables flushing
      tests: shell: Fix valgrind mode for 0008-unprivileged_0
      iptables-restore: Free handle with --test also
      iptables-xml: Free allocated chain strings
      nft: Plug memleak in nft_rule_zero_counters()
      iptables: Plug memleaks in print_firewall()
      xtables: Introduce xtables_clear_iptables_command_state()
      iptables: Properly clear iptables_command_state object
      xshared: Free data after printing help
      libiptc: Eliminate garbage access
      ebtables: Implement --check command
      tests: xlate: Use --check to verify replay
      nft: Fix for comparing ifname matches against nft-generated ones
      nft: Fix match generator for '! -i +'
      nft: Recognize INVAL/D interface name
      xtables-translate: Fix for interfaces with asterisk mid-string
      ebtables: Fix MAC address match translation
      Makefile: Create LZMA-compressed dist-files
      Drop INCOMPATIBILITIES file
      Drop libiptc/linux_stddef.h
      Makefile: Generate ip6tables man pages on the fly
      extensions: Makefile: Merge initext targets
      iptables/Makefile: Reorg variable assignments
      iptables/Makefile: Split nft-variant man page list
      Makefile: Fix for 'make distcheck'
      Makefile: Generate .tar.xz archive with 'make dist'
      include/Makefile: xtables-version.h is generated
      tests: Adjust testsuite return codes to automake guidelines
      Makefile.am: Integrate testsuites
      nft: Parse icmp header matches
      arptables: Check the mandatory ar_pln match
      nft: Increase rule parser strictness
      nft: Make rule parsing errors fatal
      nft: Reject tcp/udp extension without proper protocol match
      gitignore: Ignore utils/nfsynproxy
      gitignore: Ignore generated ip6tables man pages
      ebtables-translate: Install symlink
      Makefile: Replace brace expansion
      configure: Bump version for 1.8.9 release

Yi Chen (1):
      tests: add ebtables among testcase

Yuxuan Luo (1):
      xt_sctp: support a couple of new chunk types


[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux