Opened 8 years ago

Closed 8 years ago

#7270 closed enhancement (fixed)

iptables-1.6.0

Reported by: Fernando de Oliveira
Owned by: Fernando de Oliveira
Priority: high
Milestone: 7.9
Component: BOOK
Version: SVN
Severity: normal
Keywords:
Cc:

Description

http://www.netfilter.org/projects/iptables/files/iptables-1.6.0.tar.bz2

http://www.netfilter.org/projects/iptables/files/iptables-1.6.0.tar.bz2.sig

http://www.netfilter.org/files/coreteam-gpg-key-26D292E4.txt

http://www.netfilter.org/projects/iptables/downloads.html

md5sum 27ba3451cb622467fc9267a176f19a31

http://www.netfilter.org/news.html#2015-12-18

iptables 1.6.0 released

The Netfilter Core Team has released iptables-1.6.0. This release
includes the first release of the iptables over nftables compatibility
tools, accumulated fixes and enhancements.

http://lists.netfilter.org/pipermail/netfilter-announce/2015/000217.html

and

http://lists.netfilter.org/pipermail/netfilter-announce/2015/000218.html

or

http://www.netfilter.org/projects/iptables/files/changes-iptables-1.6.0.txt

[ANNOUNCE] iptables 1.6.0 release
Pablo Neira Ayuso pablo at netfilter.org
Fri Dec 18 21:04:53 CET 2015

Hi!

The Netfilter project proudly presents:

        iptables 1.6.0

This release includes accumulated fixes and enhancements for the
following matches:

* ah
* connlabel
* cgroup
* devgroup
* dst
* icmp6
* ipcomp
* ipv6header
* quota
* set
* socket
* string

and targets:

* CT
* REJECT
* SET
* SNAT
* SNPT,DNPT
* SYNPROXY
* TEE

We also got rid of the very very old MIRROR and SAME targets and the
unclean match, that were removed from the kernel tree long time ago.
We also got patches to update different aspects of our manpages.

Moreover, this release includes the first official release of the
iptables over nftables infrastructure, which includes the following
utilities:

* iptables-compat
* iptables-compat-save
* iptables-compat-restore
* ip6tables-compat
* ip6tables-compat-save
* ip6tables-compat-restore
* ebtables-compat
* arptables-compat

that have the same getopt-based parser as the native tool, so the
syntax remains the same, eg.

 # iptables-compat -P INPUT DROP
 # iptables-compat -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 # iptables-compat -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
 # iptables-compat -A INPUT -m state --state INVALID -j LOG  --log-prefix "INVALID: "

This infrastructure will allow us to provide an easy path for users to
translate their iptables rulesets to the new nft syntax. Note that
this translation infrastructure and the compat glue code in the nft
userspace tool is still under development, so that is not included in
this release.

The development of ebtables-compat and arptables-compat utilities were
started by Giuseppe Longo, and followed up later on by Arturo Borrero.
This effort was partially covered by the Google Summer of Code
program.

See ChangeLog that comes attached to this email for more details.

You can download it from:

http://www.netfilter.org/projects/conntrack-tools/downloads.html
ftp://ftp.netfilter.org/pub/conntrack-tools/

Help us test and report bugs, thanks!

Ana Rey (7):
    • xtables-standalone: call nft_fini in the error path
    • nft: fix memory leaks in nft_xtables_config_load
    • iptables: nft: fix memory leaks in nft_fini
    • extensions: libxt_devgroup: Fix the path of the group mappings
      file
    • iptables-compat: homogenize error messages
    • extensions: devgroup: fix showing and saving of dst-group
    • iptables-compat: homogenize error messages with 'R' option

Andreas Herz (3):
    • extension: libip6t_ipv6header: fix wrong headername in ipv6header
      for protocols
    • extensions: icmp6: added missing icmpv6 dest-unreach codes
    • added missing icmpv6 codes in REJECT

Anton Danilov (1):
    • xtables: SET target: Add mapping of meta informations (skbinfo
      ipset extension)

Arturo Borrero (38):
    • iptables-compat: kill add_*() invflags parameter
    • nft-compat: create a separated object update type to rename chains
    • nft-bridge: fix printing of inverted protocols, addresses
    • nft-bridge: fix inversion of builtin matches
    • iptables: xtables-eb: delete extra 'policy' printf
    • iptables: xtables-eb: user-defined chains default policy is always
      RETURN
    • iptables: xtables-eb: fix renaming of chains
    • extensions: add ebt 802_3 extension
    • ebtables-compat: fix counter listing
    • ebtables-compat: fix printing of extension
    • ebtables-compat: fix segfault in rules w/o target
    • ebtables-compat: include /etc/ethertypes in tarball
    • ebtables-compat: fix ACCEPT printing by simplifying logic
    • include: cache copy of Linux header
      uapi/linux/netfilter_bridge/ebt_802_3.h
    • ebtables-compat: add nft rule compat information to bridge rules
    • ebtables-compat: prevent options overwrite
    • ebtables-compat: prevent same matches to be included multiple
      times
    • ebtables-compat: include rule counters in ebtables rules
    • ebtables-compat: fix nft payload bases
    • ebtables-compat: add 'ip' match extension
    • ebtables-compat: add mark_m match extension
    • extensions: cleanup commented code in ebtables-compat extensions
    • libxtables: search first for AF-specific extension
    • ebtables-compat: call extensions final checks
    • ebtables-compat: finish target infrastructure
    • ebtables-compat: add mark target extension
    • ebtables-compat: add watchers support
    • ebtables-compat: add log watcher extension
    • arptables-compat: add mangle target extension
    • libxt_quota: fix _save() invert syntax
    • ebtables-compat: support nflog extension
    • arptables-compat: add support for the CLASSIFY target
    • arptables-compat: delete extra space in target printing
    • ebtables-compat: add support for limit extension
    • ebtables-compat: add a bridge-specific exit_error function
    • ebtables-compat: fix rule deleting with -D in rules with no target
    • list: fix prefetch dummy
    • libxtables: find extensions based on family too

Arturo Borrero Gonzalez (1):
    • ebtables-compat: fix misplaced function attribute on
      ebt_print_error()

Dan Wilder (1):
    • libxtables: move some code to avoid cautions in vfork man page

Daniel Borkmann (4):
    • iptables: snat: add randomize-full support
    • iptables: add libxt_cgroup frontend
    • cgroup, man: improve man-page bits
    • libxt_CT: add support for recently introduced zone options

Domen Puncer (1):
    • libxtables: fix getaddrinfo return value usage

Felix Janda (5):
    • consistently use <errno.h>
    • include: remove libc5 support code
    • include: Sync with ethernetdb.h from ebtables
    • include Use <stdint.h> types from xtables.h
    • include: Sync with upstream kernel headers

Florian Westphal (15):
    • Merge branch 'stable-1.4.20'
    • iptables.8: --policy is either ACCEPT or DROP
    • extensions: libxt_connlabel: do not open config file from _init
      hook
    • man: string: document icase
    • tests: split into family and table specific files
    • tests: add test case for xt_recent regression
    • extensions: remove MIRROR
    • extensions: remove SAME target
    • extensions: remove 'unclean' match
    • extensions: add more test cases for iptables-test.py
    • extensions: SNPT,DNPT: fix save/print output
    • extensions/libxt_recent.t: add test case for 3.19 regression
    • extensions: libip6t_dst: make inversion work
    • tests: remove old test cases
    • man: using physdev match in OUTPUT is not supported anymore

Giuseppe Longo (33):
    • nft: fix leak of rule and chain iterators
    • nft: fix leak of chain iterator in nft_rule_list
    • xtables: allow to zero chains via -Z
    • nft: break loop after found matching chain
    • nft: print counter issues
    • nft: fix another memleak in nft_rule_list_cb
    • xtables: nft: display rule by number via -L
    • nft: associate table configuration to handle via nft_init
    • nft: fix family operation lookup
    • nft: load only the tables of the current family
    • nft: refactoring parse operations for more genericity
    • xtables: bootstrap ARP compatibility layer for nftables
    • xtables: nft-arp: implements is_same op for ARP family
    • xtables: arp: add rule replacement support
    • xtables: arp: add delete operation
    • xtables: arp: zeroing chain counters
    • nft: arp: initialize flags in nft_arp_parse_meta
    • nft: arp: add parse_target to nft_family_ops_arp
    • nft: arp: fix possible string overflow
    • nft: adds save_matches_and_target
    • nft-arp: adds nft_arp_save_firewall
    • xtables-events: prints arp rules
    • nft-arp: fix is_same_interfaces arguments
    • nft-arp: wrong condition in parse_payload
    • nft: replace nft_rule_attr_get_u8
    • nft: save: fix the printing of the counters
    • nft-arp: remove wrong conditions
    • nft: compare layer 4 protocol in first place
    • nft: add nft_xt_ctx struct
    • nft: fix syntax error in nft_parse_cmp()
    • nft-ipv46: replace offset var with ctx->payload.offset
    • ebtables-compat: fix print_header
    • ebtables-compat: build ebtables extensions

Gustavo Zacarias (1):
    • iptables-save: remove dlfcn.h include

Harout Hedeshian (2):
    • extensions: libxt_socket: add --restore-skmark option
    • extensions: libxt_socket: update man pages and tests for
      --restore-skmark

Jan Engelhardt (3):
    • iptables: link against libnetfilter_conntrack
    • build: resolve build error involving libnftnl
    • extensions: restore matching any SPI id by default

Jiri Popelka (9):
    • iptables: fix version in iptables(8)
    • update FSF address in license text
    • iptables: missing bracket in iptables-save(8)
    • iptables-restore.8: missing -T in synopsis
    • iptables-restore.8: file to read from can be specified as argument
    • iptables-{save,restore}: warn that -b/--binary isn't implemented
    • iptables-save: actually parse -M/--modprobe option
    • iptables: add optional [seconds] argument to -w
    • libxt_tcp: manpage correction

Jozsef Kadlecsik (1):
    • Alignment problem between 64bit kernel 32bit userspace

Loganaden Velvindron (1):
    • extensions: libxt_TEE: Trim kernel struct to allow deletion

Mart Frauenlob (2):
    • extensions: libxt_set: Add missing hyphen to --bytes-eq synopsis
      in manpage
    • libxtables: Print meaningful error message for an invalid MAC
      address string

Martin Topholm (1):
    • extensions: libxt_SYNPROXY: initial manual page

Mike Frysinger (4):
    • configure: fix 3rd arg w/AC_ARG_ENABLE
    • build: add finer module blacklisting
    • libiptc: fix fortify errors in debug code
    • iptables: update gitignore list

Nicolas Dichtel (1):
    • iptables: fix compilation when lib[mnl|nftables] are not in
      standard path

Pablo Neira Ayuso (186):
    • add iptables unit test infrastructure
    • extensions: libipt_ah: add unit test
    • extensions: libip6t_ah: add unit test
    • extensions: libipt_LOG: add unit test
    • extensions: libxt_addrtype: add unit test
    • extensions: libip6t_LOG: add unit test
    • extensions: libxt_cluster: add unit test
    • extensions: libxt_comment: add unit test
    • extensions: libxt_AUDIT: add unit test
    • extensions: libxt_CHECKSUM: add unit test
    • extensions: libxt_CLASSIFY: add unit test
    • extensions: libxt_connbytes: add unit test
    • extensions: libxt_connlimit: add unit test
    • extensions: libxt_connmark: add unit test
    • extensions: libxt_CONNMARK: add unit test
    • extensions: libxt_hashlimit: add unit test
    • extensions: libxt_time: add unit test
    • extensions: libxt_length: add unit test
    • extensions: libxt_udp: add unit test
    • extensions: libxt_tcp: add unit test
    • extensions: libxt_tos: add unit test
    • extensions: libxt_NFLOG: add unit test
    • extensions: libxt_dccp: add unit test
    • extensions: libxt_esp: add unit test
    • extensions: libxt_helper: add unit test
    • extensions: libipt_icmp: add unit test
    • extensions: libxt_NFQUEUE: add unit test
    • extensions: libipt_ttl.t: add unit test
    • extensions: libxt_pkttype: add unit test
    • extensions: libxt_CT: add unit test
    • extensions: libxt_state: add unit test
    • extensions: libxt_string: add unit test
    • extensions: libxt_rateest: add unit test
    • extensions: libxt_nfacct: add unit test
    • extensions: libxt_mark: add unit test
    • extensions: libipt_REJECT: add unit test
    • extensions: libxt_sctp: add unit test
    • extensions: libxt_NOTRACK: add unit test
    • extensions: libipt_MASQUERADE: add unit test
    • extensions: libxt_standard: add unit test
    • extensions: libipt_ECN: add unit test
    • extensions: libxt_TRACE: add unit test
    • extensions: libxt_TOS: add unit test
    • extensions: libxt_DSCP: add unit test
    • extensions: libip6t_eui64: add unit test
    • extensions: libxt_limit: add unit test
    • extensions: libxt_conntrack: add unit test
    • extensions: libipt_ULOG: add unit test
    • extensions: libxt_multiport: add unit test
    • extensions: libip6t_REJECT: add unit test
    • extensions: libxt_dscp: add unit test
    • extensions: libxt_cpu: add unit test
    • extensions: libxt_quota: add unit test
    • extensions: libxt_iprange: add unit test
    • extensions: libxt_physdev: add unit test
    • extensions: libxt_TEE: add unit test
    • extensions: libipt_SNAT: add unit test
    • extensions: libip6t_DNAT: add unit test
    • extensions: libxt_owner: add unit test
    • extensions: libxt_MARK: add unit test
    • build: don't include tests in released tarball
    • use nf_tables and nf_tables compatibility interface
    • automatic creation of built-in table and chains
    • rework automatic creation of built-in table and chains
    • iptables: nft: add -f support
    • nft: fix missing rule listing in custom chains with -L
    • headers: remove unused compatibility definitions
    • iptables: nft: move priority to chain instead of table
    • iptables: nft: remove __nft_check_rule
    • iptables: nft: use 64-bits handle
    • iptables: nft: use chain types
    • xtables-restore: add support for dormant tables
    • nft: adapt chain rename to recent Patrick's updates
    • xtables: fix crash due to using wrong globals
    • xtables-restore: fix custom user chain restoration
    • xtables: fix compilation warning
    • xtables: purge out user-define chains from the kernel
    • xtables-restore: support atomic commit
    • xtables: nft: add protocol and flags for xtables over nf_tables
    • xtables-restore: support test option `-t'
    • nft: fix crash if TRACE is used
    • xtables: ipv6: fix wrong error if -p is used
    • xtables: ipv6: add missing break in nft_parse_payload_ipv6
    • xtables: ipv6: fix -D with -p
    • add xtables-events
    • xtables-restore: add -4 and -6 support
    • xtables-save: add -4 and -6 support
    • nft: remove license for header file
    • xtables: fix missing xtables_exit_error definition
    • xtables-standalone: fix error message
    • xtables-config: priority has to be per-chain to support
    • nft: load tables and chains based on /etc/xtables.conf
    • xtables: support family in /etc/xtables.conf file
    • xtables-config: fix off by one in parsed strings from
      /etc/xtables.conf
    • xtables: fix missing protocol and invflags
    • xtables-config-parser: fix compilation warning
    • iptables: update .gitignore
    • xtables: add new container xtables_args structure
    • xtables: add new nft_ops->post_parse hook
    • xtables: remove unused leftover definitions
    • xtables: fix compilation due to missing autogenerated header
    • nft: don't call nft_init in nft_xtables_config_load
    • xtables-restore: output the same error message that
      iptables-restore uses
    • xtables: fix -p protocol
    • nft: fix leaks in nft_xtables_config_load
    • xtables: remove bogus comment on chain rename
    • xtables: nft: remove lots of useless debugging messages
    • xtables: do not proceed if nft_init fails
    • xtables: fix missing afinfo configuration
    • xtables: nft: display rule number via -S
    • xtables-events: print usage on wrong arguments
    • xtables-events: fix missing newline in table and chain events
    • nft: fix built-in chain ordering of the nat table
    • src: use nft_*_list_add_tail
    • nft: break chain listing if only one if looked for
    • nft: fix selective chain display via -S
    • xtables: add -I chain rulenum
    • xtables: remove bogus comment regarding rule replacement
    • nft: no need for rule lookup if no position specified via -I
    • xtables: fix typo in add_entry for the IPv6 case
    • nft: fix match revision lookup for IPv6
    • etc: add default IPv6 table and chain definitions
    • xtables: use xtables_rule_matches_free
    • nft: fix wrong flags handling in print_firewall_details
    • nft: use xtables_print_num
    • nft: generalize rule addition family hook
    • xtables: nft-arp: fix endianess in nft_arp_parse_payload
    • nft: consolidate nft_rule_find for ARP, IPv4 and IPv6
    • nft: consolidate nft_rule_new to support ARP
    • nft: consolidate nft_rule_* functions to support ARP
    • include: cache netfilter_arp kernel headers
    • nft: adapt nft_rule_expr_get to use uint32_t instead of size_t
    • xtables: batch rule-set updates into one single netlink message
    • xtables: fix missing ipt_entry for MASQUERADE target
    • nft: pass ipt_entry to ->save_firewall hook
    • nft: fix bad length when comparing extension data area
    • nft: fix interface wildcard matching
    • xtables-events: fix compilation due change in libnftables
    • nft: fix inversion of built-in selectors
    • nft: fix out of bound memory copy
    • nft: fix wrong function to release iterator
    • nft: fix inconsistent data type in NFT_EXPR_CMP_OP and
      NFT_EXPR_META_KEY
    • configure: fix wrong reference to the conntrack-tools
    • configure: rename --disable-xtables to --disable-nftables
    • configure: conditional dependencies for nftables-compat
    • xtables-restore: remove dependency with libip4tc
    • xtables: add xtables-compat-multi for the nftables compatibility
      layer
    • nft-compat: fix IP6T_F_GOTO flag handling
    • nft-compat: fix wrong protocol context in initialization
    • Merge branch 'nft-compat'
    • iptables.8: update coreteam members from manpage
    • Merge branch 'next-3.14'
    • iptables: nft: generalize batch infrastructure
    • iptables: nft: remove unused code
    • iptables: nft: add tables and chains to the batch
    • Makefile: fix static compilation iptables-compat without shared
      libraries
    • iptables-compat: fix address prefix
    • iptables-compat: nft: use nft_batch_begin and nft_batch_end from
      libnftnl
    • iptables-compat: fix use after free in the batch send path
    • iptables-compat: get rid of error reporting via perror
    • Merge branch 'tests'
    • iptables-compat: nft: fix user chain addition, deletion and rename
    • iptables-compat: nft: fix error reporting
    • arptables-compat: fix missing error reporting
    • arptables-compat: allow to not specify a target
    • arptables-compat: get output in sync with arptables -L -n
      --line-numbers
    • arptables-compat: remove save code
    • refresh nf_tables.h cached copy
    • iptables-compat: fix chain policy reset with iptables -L -n
    • iptables-compat: statify unused built-in table/chain functions
    • iptables-compat: assume chain policy NF_ACCEPT when creating
      built-in chains
    • iptables-compat: fix empty chains after first invocation of
      iptables-compat -L
    • Merge branch 'ipset'
    • nft: bootstrap ebtables-compat
    • ebtables-compat: use ebtables_command_state in bootstrap code
    • iptables: use flock() instead of abstract unix sockets
    • Merge branch 'ebtables-compat'
    • xshared: calm down compilation warning
    • xtables-compat: remove unused fields from bridge and arp families
    • iptables-compat: unset context flags in netlink delinearize step
    • Merge branch 'ipset-next'
    • extensions: fix several test errors
    • iptables-compat: use new symbols in libnftnl
    • iptables-compat: Keep xtables-config and xtables-events out from
      tree
    • iptables 1.6.0 release
    • iptables: fix static builds

Phil Oester (1):
    • iptables-xml: fix segfault if missing space after -A

Ronald Wahl (1):
    • libxtables: fix two off-by-one memory corruption bugs

Thomas Woerner (2):
    • iptables-compat: Allow to insert into rule_count+1 position
    • iptables-compat: Increase rule number only for the selected table
      and chain

Tomasz Bursztyka (41):
    • headers: Make nf_tables.h up to date
    • nft: Add support for chain rename options (-E)
    • iptables: nft: Fix -D chain rulenum option
    • iptables: nft: Refactor __nft_rule_check to return rule handle
      when relevant
    • iptables: nft: Add support for -R option
    • xtables: add IPv6 support
    • nft: Split nft core to become family independant
    • xtables: initialize xtables defaults even on listing rules
    • xtables: policy can be changed only on builtin chain
    • nft: Set the rule family when creating a new one
    • nft: Handle error on adding rule expressions
    • xtables: Remove useless parameter to nft_chain_list_find
    • nft: add function to test for a builtin chain
    • nft: Fix small memory leaks
    • xtables: Do not dump before command parsing has been finished
    • nft: Remove useless function
    • nft: Optimize rule listing when chain and rulenum are provided
    • nft: Make internal rule listing callback more generic
    • nft: Remove useless test on rulenum in nft_rule_list()
    • nft: Generalize nft_rule_list() against current family
    • nft: Print unknown target data only when relevant
    • nft: convert rule into a command state structure
    • xtables: allow to reset the counters of an existing rule
    • nft: Fix a minor compilation warning
    • nft: skip unset tables on table configuration emulation
    • xtables: arp: Store target entry properly and compare them
      relevantly
    • extensions: add arptables' libxt_mangle.c for xtables-arp
    • extensions: libxt_mangle: Fixes option issues
    • nft: Header inclusion missing
    • xtables: arp: Parse properly target options
    • nft: fix wrong target size
    • xtables: arp: Fix a compilation warning
    • xtables: arp: inhibit -l option so only a fixed 6 bytes length
      arhln can be used
    • include: Update nftables API header in sync with kernel's one
    • nft: Use new libnftnl library name against former libnftables
    • xtables: Add backward compatibility with -w option
    • nft: Add useful debug output when a builtin table is created
    • nft: A builtin chain might be created when restoring
    • nft: Initialize a table only once
    • nft: Remove useless error message
    • nft: Pass a line after printing out a debug message

Ville Skyttä (1):
    • iptables: Spelling fixes

Willem de Bruijn (1):
    • include: add linux/filter.h

fan.du (1):
    • iptables: Add IPv4/6 IPcomp match support


[ANNOUNCE] iptables 1.6.0 release
Pablo Neira Ayuso pablo at netfilter.org
Fri Dec 18 21:17:28 CET 2015

On Fri, Dec 18, 2015 at 09:13:55PM +0100, Jan Engelhardt wrote:
> 
> On Friday 2015-12-18 21:04, Pablo Neira Ayuso wrote:
> >        iptables 1.6.0
> >You can download it from:
> >http://www.netfilter.org/projects/conntrack-tools/downloads.html
> >ftp://ftp.netfilter.org/pub/conntrack-tools/
> 
> There used to be a HTTP location for the downloads,
> http://netfilter.org/projects/iptables/files/ .
> 
> This seems to be not pointing to the same directory as the ftp://
> location above, or, if they are deliberately different directories,
> the synchronization has not occurred yet. Is one of them
> (non-)official?

This should be:

http://www.netfilter.org/projects/iptables/downloads.html
ftp://ftp.netfilter.org/pub/iptables/

The website is compiling, the update should be upstream soon.
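The iptables-compat example in the announcement quoted above is only as safe as its rules: a rule with no -j target matches and counts packets but takes no action, and an INPUT chain with policy DROP needs an explicit ACCEPT for ESTABLISHED traffic or replies to permitted connections are dropped. The checker below is an added example, not code from the netfilter project or this ticket; it parses a constructed iptables-save style dump (the format both iptables-save and iptables-compat-save emit) modelled on that ruleset, reports both problems, and shows they disappear once -j ACCEPT is present.

```python
"""Lint an iptables-save style dump for two stateful-firewall pitfalls.
Constructed example, not netfilter project code; iptables-save and
iptables-compat-save emit the same format, so it applies to either."""
import shlex

def parse_save(text):
    """Return (policies, rules): policies maps (table, chain) -> policy; rules is
    a list of dicts; target is None when a rule has no -j/-g and only counts."""
    policies, rules, table = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                       # *filter, *nat, ...
            table = line[1:]
        elif line.startswith(":"):                     # :INPUT DROP [0:0]
            chain, policy, _counters = line[1:].split(None, 2)
            policies[(table, chain)] = policy
        elif line == "COMMIT":
            table = None
        elif line.startswith("-A "):
            tokens = shlex.split(line)                 # keeps quoted --log-prefix intact
            args, target = tokens[2:], None
            for flag in ("-j", "--jump", "-g", "--goto"):
                if flag in args:
                    target = args[args.index(flag) + 1]
            rules.append({"table": table, "chain": tokens[1],
                          "args": args, "target": target})
    return policies, rules

def _states(args):
    """Conntrack states matched via -m state --state or -m conntrack --ctstate."""
    for flag in ("--state", "--ctstate"):
        if flag in args:
            return set(args[args.index(flag) + 1].split(","))
    return set()

def lint(text):
    """Return findings as strings; an empty list means both checks pass."""
    policies, rules = parse_save(text)
    findings = []
    for r in rules:
        if r["target"] is None:
            findings.append(f"{r['table']}/{r['chain']}: no -j target, rule only "
                            "counts packets: " + " ".join(r["args"]))
    for (table, chain), policy in policies.items():
        if table != "filter" or policy != "DROP":
            continue
        accepts_replies = any(
            r["table"] == table and r["chain"] == chain and r["target"] == "ACCEPT"
            and "ESTABLISHED" in _states(r["args"]) for r in rules)
        if not accepts_replies:
            findings.append(f"{table}/{chain}: policy DROP but no ACCEPT for "
                            "ESTABLISHED traffic; replies to allowed flows are dropped")
    return findings

# Constructed dump in which the ESTABLISHED,RELATED rule has no -j ACCEPT.
SAMPLE_COUNT_ONLY = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state INVALID -j LOG --log-prefix "INVALID: "
COMMIT
"""
SAMPLE_FIXED = SAMPLE_COUNT_ONLY.replace(
    "--state ESTABLISHED,RELATED\n", "--state ESTABLISHED,RELATED -j ACCEPT\n")

if __name__ == "__main__":
    for name, text in (("count-only", SAMPLE_COUNT_ONLY), ("fixed", SAMPLE_FIXED)):
        print(name, lint(text) or ["no findings"])
```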

Change History (3)

comment:1 by Fernando de Oliveira, 8 years ago

Priority: highest → high

comment:2 by Fernando de Oliveira, 8 years ago

Owner: changed from blfs-book@… to Fernando de Oliveira
Status: new → assigned

comment:3 by Fernando de Oliveira, 8 years ago

Resolution: fixed
Status: assigned → closed

Fixed at r16742.
