[ANNOUNCE] iptables 1.6.0 release

Pablo Neira Ayuso pablo at netfilter.org
Fri Dec 18 21:04:53 CET 2015


The Netfilter project proudly presents:

        iptables 1.6.0

This release includes accumulated fixes and enhancements for the
following matches:

* ah
* connlabel
* cgroup
* devgroup
* dst
* icmp6
* ipcomp
* ipv6header
* quota
* set
* socket
* string

and targets:

* CT

We also got rid of the very old MIRROR and SAME targets and the
unclean match, which were removed from the kernel tree a long time ago.
We also got patches to update different aspects of our manpages.

Moreover, this release includes the first official release of the
iptables over nftables infrastructure, which includes the following:

* iptables-compat
* iptables-compat-save
* iptables-compat-restore
* ip6tables-compat
* ip6tables-compat-save
* ip6tables-compat-restore
* ebtables-compat
* arptables-compat

that have the same getopt-based parser as the native tool, so the
syntax remains the same, e.g.:

 # iptables-compat -P INPUT DROP
 # iptables-compat -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 # iptables-compat -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
 # iptables-compat -A INPUT -m state --state INVALID -j LOG --log-prefix "INVALID: "

This infrastructure will allow us to provide an easy path for users to
translate their iptables rulesets to the new nft syntax. Note that
this translation infrastructure and the compat glue code in the nft
userspace tool are still under development, so they are not included in
this release.
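Because the compat tools share the getopt-based syntax, a ruleset written for iptables can be replayed through iptables-compat-restore unchanged. The script below is an added example for this announcement, not code from the iptables tree: it parses invocations like the ones above with Python's getopt (mirroring how iptables itself reads `-P CHAIN TARGET`, with the second word taken from optind), regroups them into iptables-save format (one `*table ... COMMIT` block per table, so the restore tools load each table as a unit) and flags `-A` rules that name no `-j` target. The option subset, the built-in chain table and the fifth sample rule are assumptions constructed for the example.

```python
"""Turn ad-hoc iptables / iptables-compat command lines into an
iptables-save style ruleset for iptables-compat-restore.

Added example for this announcement, not code from the iptables tree.
Assumptions: the option subset below (enough for the rules quoted in the
announcement), the built-in chain table, and the constructed sample rules.
"""
import getopt
import shlex

# getopt(3)-style option table in the spirit of iptables' own; "=" / ":" mark
# options that take an argument.  Subset only (assumption).
SHORTOPTS = "t:P:A:N:m:p:j:s:d:i:o:"
LONGOPTS = ["table=", "policy=", "append=", "new-chain=", "match=", "protocol=",
            "jump=", "source=", "destination=", "in-interface=", "out-interface=",
            "state=", "dport=", "sport=", "log-prefix="]
OPCODE = {"-P": "P", "--policy": "P", "-A": "A", "--append": "A",
          "-N": "N", "--new-chain": "N"}

# Built-in chains per table (assumption: the standard netfilter layout).
BUILTIN_CHAINS = {
    "filter": ("INPUT", "FORWARD", "OUTPUT"),
    "nat": ("PREROUTING", "INPUT", "OUTPUT", "POSTROUTING"),
    "mangle": ("PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"),
    "raw": ("PREROUTING", "OUTPUT"),
}

# Constructed sample: the four rules from the announcement plus one rule
# that loads a match but names no -j target, so it only counts packets.
SAMPLE_COMMANDS = [
    'iptables-compat -P INPUT DROP',
    'iptables-compat -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT',
    'iptables-compat -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT',
    'iptables-compat -A INPUT -m state --state INVALID -j LOG --log-prefix "INVALID: "',
    'iptables-compat -A INPUT -m state --state NEW -p udp --dport 123',
]


def parse_command(line):
    """Parse one invocation; match/target options keep their original order."""
    argv = shlex.split(line)[1:]  # drop the program name
    try:
        opts, rest = getopt.gnu_getopt(argv, SHORTOPTS, LONGOPTS)
    except getopt.GetoptError as err:
        raise ValueError(f"{err}: {line}") from None
    cmd = {"table": "filter", "op": None, "chain": None, "policy": None,
           "spec": [], "target": None}
    for opt, val in opts:
        if opt in ("-t", "--table"):
            cmd["table"] = val
        elif opt in OPCODE:
            cmd["op"], cmd["chain"] = OPCODE[opt], val
        else:
            if opt in ("-j", "--jump"):
                cmd["target"] = val
            cmd["spec"] += [opt, val]  # rule specification, order preserved
    if cmd["op"] is None:
        raise ValueError(f"no -A/-P/-N command in: {line}")
    if cmd["op"] == "P":
        # -P takes two words; getopt hands the second back as a leftover,
        # just as iptables reads it from optind.
        if len(rest) != 1:
            raise ValueError(f"-P needs CHAIN and TARGET: {line}")
        cmd["policy"] = rest[0]
    elif rest:
        raise ValueError(f"unexpected argument(s) {rest}: {line}")
    return cmd


def quote(tok):
    """Double-quote a token containing spaces or quotes for iptables-restore."""
    if tok and not any(c.isspace() for c in tok) and '"' not in tok:
        return tok
    return '"' + tok.replace("\\", "\\\\").replace('"', '\\"') + '"'


def to_restore_format(lines):
    """Group commands per table and emit *table / :CHAIN / -A ... / COMMIT blocks."""
    tables = {}
    for cmd in map(parse_command, lines):
        builtin = BUILTIN_CHAINS.get(cmd["table"], ())
        t = tables.setdefault(cmd["table"], {"policy": {c: "ACCEPT" for c in builtin},
                                             "user": [], "rules": []})
        if cmd["op"] == "P":
            if cmd["chain"] not in builtin:  # iptables also rejects -P on user chains
                raise ValueError(f"policy only applies to built-in chains: {cmd['chain']}")
            t["policy"][cmd["chain"]] = cmd["policy"]
        elif cmd["op"] == "N":
            t["user"].append(cmd["chain"])
        else:
            t["rules"].append(cmd)
    out = []
    for name, t in tables.items():
        out.append(f"*{name}")
        out += [f":{c} {p} [0:0]" for c, p in t["policy"].items()]
        out += [f":{c} - [0:0]" for c in t["user"]]  # user chains carry no policy
        out += [" ".join(["-A", r["chain"]] + [quote(x) for x in r["spec"]])
                for r in t["rules"]]
        out.append("COMMIT")  # the restore tool loads the whole table at once
    return "\n".join(out) + "\n"


def lint(lines):
    """Flag -A rules without a -j target: they match and count but decide nothing."""
    warnings = []
    for line in lines:
        cmd = parse_command(line)
        if cmd["op"] == "A" and cmd["target"] is None:
            warnings.append(f"no -j target, rule only counts packets: {line}")
    return warnings


if __name__ == "__main__":
    for warning in lint(SAMPLE_COMMANDS):
        print("warning:", warning)
    print(to_restore_format(SAMPLE_COMMANDS), end="")
```

Pipe the output into `iptables-compat-restore` (or `iptables-restore`); `iptables-restore --test` parses the file without committing it, which is a cheap way to check that the compat tool accepts a ruleset before switching a host over.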

The development of the ebtables-compat and arptables-compat utilities was
started by Giuseppe Longo and followed up later on by Arturo Borrero.
This effort was partially covered by the Google Summer of Code.

See ChangeLog that comes attached to this email for more details.

You can download it from:


Help us test it and report bugs, thanks!
ChangeLog (attached):
Ana Rey (7):
      xtables-standalone: call nft_fini in the error path
      nft: fix memory leaks in nft_xtables_config_load
      iptables: nft: fix memory leaks in nft_fini
      extensions: libxt_devgroup: Fix the path of the group mappings file
      iptables-compat: homogenize error messages
      extensions: devgroup: fix showing and saving of dst-group
      iptables-compat: homogenize error messages with 'R' option

Andreas Herz (3):
      extension: libip6t_ipv6header: fix wrong headername in ipv6header for protocols
      extensions: icmp6: added missing icmpv6 dest-unreach codes
      added missing icmpv6 codes in REJECT

Anton Danilov (1):
      xtables: SET target: Add mapping of meta informations (skbinfo ipset extension)

Arturo Borrero (38):
      iptables-compat: kill add_*() invflags parameter
      nft-compat: create a separated object update type to rename chains
      nft-bridge: fix printing of inverted protocols, addresses
      nft-bridge: fix inversion of builtin matches
      iptables: xtables-eb: delete extra 'policy' printf
      iptables: xtables-eb: user-defined chains default policy is always RETURN
      iptables: xtables-eb: fix renaming of chains
      extensions: add ebt 802_3 extension
      ebtables-compat: fix counter listing
      ebtables-compat: fix printing of extension
      ebtables-compat: fix segfault in rules w/o target
      ebtables-compat: include /etc/ethertypes in tarball
      ebtables-compat: fix ACCEPT printing by simplifying logic
      include: cache copy of Linux header uapi/linux/netfilter_bridge/ebt_802_3.h
      ebtables-compat: add nft rule compat information to bridge rules
      ebtables-compat: prevent options overwrite
      ebtables-compat: prevent same matches to be included multiple times
      ebtables-compat: include rule counters in ebtables rules
      ebtables-compat: fix nft payload bases
      ebtables-compat: add 'ip' match extension
      ebtables-compat: add mark_m match extension
      extensions: cleanup commented code in ebtables-compat extensions
      libxtables: search first for AF-specific extension
      ebtables-compat: call extensions final checks
      ebtables-compat: finish target infrastructure
      ebtables-compat: add mark target extension
      ebtables-compat: add watchers support
      ebtables-compat: add log watcher extension
      arptables-compat: add mangle target extension
      libxt_quota: fix _save() invert syntax
      ebtables-compat: support nflog extension
      arptables-compat: add support for the CLASSIFY target
      arptables-compat: delete extra space in target printing
      ebtables-compat: add support for limit extension
      ebtables-compat: add a bridge-specific exit_error function
      ebtables-compat: fix rule deleting with -D in rules with no target
      list: fix prefetch dummy
      libxtables: find extensions based on family too

Arturo Borrero Gonzalez (1):
      ebtables-compat: fix misplaced function attribute on ebt_print_error()

Dan Wilder (1):
      libxtables: move some code to avoid cautions in vfork man page

Daniel Borkmann (4):
      iptables: snat: add randomize-full support
      iptables: add libxt_cgroup frontend
      cgroup, man: improve man-page bits
      libxt_CT: add support for recently introduced zone options

Domen Puncer (1):
      libxtables: fix getaddrinfo return value usage

Felix Janda (5):
      consistently use <errno.h>
      include: remove libc5 support code
      include: Sync with ethernetdb.h from ebtables
      include Use <stdint.h> types from xtables.h
      include: Sync with upstream kernel headers

Florian Westphal (15):
      Merge branch 'stable-1.4.20'
      iptables.8: --policy is either ACCEPT or DROP
      extensions: libxt_connlabel: do not open config file from _init hook
      man: string: document icase
      tests: split into family and table specific files
      tests: add test case for xt_recent regression
      extensions: remove MIRROR
      extensions: remove SAME target
      extensions: remove 'unclean' match
      extensions: add more test cases for iptables-test.py
      extensions: SNPT,DNPT: fix save/print output
      extensions/libxt_recent.t: add test case for 3.19 regression
      extensions: libip6t_dst: make inversion work
      tests: remove old test cases
      man: using physdev match in OUTPUT is not supported anymore

Giuseppe Longo (33):
      nft: fix leak of rule and chain iterators
      nft: fix leak of chain iterator in nft_rule_list
      xtables: allow to zero chains via -Z
      nft: break loop after found matching chain
      nft: print counter issues
      nft: fix another memleak in nft_rule_list_cb
      xtables: nft: display rule by number via -L
      nft: associate table configuration to handle via nft_init
      nft: fix family operation lookup
      nft: load only the tables of the current family
      nft: refactoring parse operations for more genericity
      xtables: bootstrap ARP compatibility layer for nftables
      xtables: nft-arp: implements is_same op for ARP family
      xtables: arp: add rule replacement support
      xtables: arp: add delete operation
      xtables: arp: zeroing chain counters
      nft: arp: initialize flags in nft_arp_parse_meta
      nft: arp: add parse_target to nft_family_ops_arp
      nft: arp: fix possible string overflow
      nft: adds save_matches_and_target
      nft-arp: adds nft_arp_save_firewall
      xtables-events: prints arp rules
      nft-arp: fix is_same_interfaces arguments
      nft-arp: wrong condition in parse_payload
      nft: replace nft_rule_attr_get_u8
      nft: save: fix the printing of the counters
      nft-arp: remove wrong conditions
      nft: compare layer 4 protocol in first place
      nft: add nft_xt_ctx struct
      nft: fix syntax error in nft_parse_cmp()
      nft-ipv46: replace offset var with ctx->payload.offset
      ebtables-compat: fix print_header
      ebtables-compat: build ebtables extensions

Gustavo Zacarias (1):
      iptables-save: remove dlfcn.h include

Harout Hedeshian (2):
      extensions: libxt_socket: add --restore-skmark option
      extensions: libxt_socket: update man pages and tests for --restore-skmark

Jan Engelhardt (3):
      iptables: link against libnetfilter_conntrack
      build: resolve build error involving libnftnl
      extensions: restore matching any SPI id by default

Jiri Popelka (9):
      iptables: fix version in iptables(8)
      update FSF address in license text
      iptables: missing bracket in iptables-save(8)
      iptables-restore.8: missing -T in synopsis
      iptables-restore.8: file to read from can be specified as argument
      iptables-{save,restore}: warn that -b/--binary isn't implemented
      iptables-save: actually parse -M/--modprobe option
      iptables: add optional [seconds] argument to -w
      libxt_tcp: manpage correction

Jozsef Kadlecsik (1):
      Alignment problem between 64bit kernel 32bit userspace

Loganaden Velvindron (1):
      extensions: libxt_TEE: Trim kernel struct to allow deletion

Mart Frauenlob (2):
      extensions: libxt_set: Add missing hyphen to --bytes-eq synopsis in manpage
      libxtables: Print meaningful error message for an invalid MAC address string

Martin Topholm (1):
      extensions: libxt_SYNPROXY: initial manual page

Mike Frysinger (4):
      configure: fix 3rd arg w/AC_ARG_ENABLE
      build: add finer module blacklisting
      libiptc: fix fortify errors in debug code
      iptables: update gitignore list

Nicolas Dichtel (1):
      iptables: fix compilation when lib[mnl|nftables] are not in standard path

Pablo Neira Ayuso (186):
      add iptables unit test infrastructure
      extensions: libipt_ah: add unit test
      extensions: libip6t_ah: add unit test
      extensions: libipt_LOG: add unit test
      extensions: libxt_addrtype: add unit test
      extensions: libip6t_LOG: add unit test
      extensions: libxt_cluster: add unit test
      extensions: libxt_comment: add unit test
      extensions: libxt_AUDIT: add unit test
      extensions: libxt_CHECKSUM: add unit test
      extensions: libxt_CLASSIFY: add unit test
      extensions: libxt_connbytes: add unit test
      extensions: libxt_connlimit: add unit test
      extensions: libxt_connmark: add unit test
      extensions: libxt_CONNMARK: add unit test
      extensions: libxt_hashlimit: add unit test
      extensions: libxt_time: add unit test
      extensions: libxt_length: add unit test
      extensions: libxt_udp: add unit test
      extensions: libxt_tcp: add unit test
      extensions: libxt_tos: add unit test
      extensions: libxt_NFLOG: add unit test
      extensions: libxt_dccp: add unit test
      extensions: libxt_esp: add unit test
      extensions: libxt_helper: add unit test
      extensions: libipt_icmp: add unit test
      extensions: libxt_NFQUEUE: add unit test
      extensions: libipt_ttl.t: add unit test
      extensions: libxt_pkttype: add unit test
      extensions: libxt_CT: add unit test
      extensions: libxt_state: add unit test
      extensions: libxt_string: add unit test
      extensions: libxt_rateest: add unit test
      extensions: libxt_nfacct: add unit test
      extensions: libxt_mark: add unit test
      extensions: libipt_REJECT: add unit test
      extensions: libxt_sctp: add unit test
      extensions: libxt_NOTRACK: add unit test
      extensions: libipt_MASQUERADE: add unit test
      extensions: libxt_standard: add unit test
      extensions: libipt_ECN: add unit test
      extensions: libxt_TRACE: add unit test
      extensions: libxt_TOS: add unit test
      extensions: libxt_DSCP: add unit test
      extensions: libip6t_eui64: add unit test
      extensions: libxt_limit: add unit test
      extensions: libxt_conntrack: add unit test
      extensions: libipt_ULOG: add unit test
      extensions: libxt_multiport: add unit test
      extensions: libip6t_REJECT: add unit test
      extensions: libxt_dscp: add unit test
      extensions: libxt_cpu: add unit test
      extensions: libxt_quota: add unit test
      extensions: libxt_iprange: add unit test
      extensions: libxt_physdev: add unit test
      extensions: libxt_TEE: add unit test
      extensions: libipt_SNAT: add unit test
      extensions: libip6t_DNAT: add unit test
      extensions: libxt_owner: add unit test
      extensions: libxt_MARK: add unit test
      build: don't include tests in released tarball
      use nf_tables and nf_tables compatibility interface
      automatic creation of built-in table and chains
      rework automatic creation of built-in table and chains
      iptables: nft: add -f support
      nft: fix missing rule listing in custom chains with -L
      headers: remove unused compatibility definitions
      iptables: nft: move priority to chain instead of table
      iptables: nft: remove __nft_check_rule
      iptables: nft: use 64-bits handle
      iptables: nft: use chain types
      xtables-restore: add support for dormant tables
      nft: adapt chain rename to recent Patrick's updates
      xtables: fix crash due to using wrong globals
      xtables-restore: fix custom user chain restoration
      xtables: fix compilation warning
      xtables: purge out user-define chains from the kernel
      xtables-restore: support atomic commit
      xtables: nft: add protocol and flags for xtables over nf_tables
      xtables-restore: support test option `-t'
      nft: fix crash if TRACE is used
      xtables: ipv6: fix wrong error if -p is used
      xtables: ipv6: add missing break in nft_parse_payload_ipv6
      xtables: ipv6: fix -D with -p
      add xtables-events
      xtables-restore: add -4 and -6 support
      xtables-save: add -4 and -6 support
      nft: remove license for header file
      xtables: fix missing xtables_exit_error definition
      xtables-standalone: fix error message
      xtables-config: priority has to be per-chain to support
      nft: load tables and chains based on /etc/xtables.conf
      xtables: support family in /etc/xtables.conf file
      xtables-config: fix off by one in parsed strings from /etc/xtables.conf
      xtables: fix missing protocol and invflags
      xtables-config-parser: fix compilation warning
      iptables: update .gitignore
      xtables: add new container xtables_args structure
      xtables: add new nft_ops->post_parse hook
      xtables: remove unused leftover definitions
      xtables: fix compilation due to missing autogenerated header
      nft: don't call nft_init in nft_xtables_config_load
      xtables-restore: output the same error message that iptables-restore uses
      xtables: fix -p protocol
      nft: fix leaks in nft_xtables_config_load
      xtables: remove bogus comment on chain rename
      xtables: nft: remove lots of useless debugging messages
      xtables: do not proceed if nft_init fails
      xtables: fix missing afinfo configuration
      xtables: nft: display rule number via -S
      xtables-events: print usage on wrong arguments
      xtables-events: fix missing newline in table and chain events
      nft: fix built-in chain ordering of the nat table
      src: use nft_*_list_add_tail
      nft: break chain listing if only one if looked for
      nft: fix selective chain display via -S
      xtables: add -I chain rulenum
      xtables: remove bogus comment regarding rule replacement
      nft: no need for rule lookup if no position specified via -I
      xtables: fix typo in add_entry for the IPv6 case
      nft: fix match revision lookup for IPv6
      etc: add default IPv6 table and chain definitions
      xtables: use xtables_rule_matches_free
      nft: fix wrong flags handling in print_firewall_details
      nft: use xtables_print_num
      nft: generalize rule addition family hook
      xtables: nft-arp: fix endianness in nft_arp_parse_payload
      nft: consolidate nft_rule_find for ARP, IPv4 and IPv6
      nft: consolidate nft_rule_new to support ARP
      nft: consolidate nft_rule_* functions to support ARP
      include: cache netfilter_arp kernel headers
      nft: adapt nft_rule_expr_get to use uint32_t instead of size_t
      xtables: batch rule-set updates into one single netlink message
      xtables: fix missing ipt_entry for MASQUERADE target
      nft: pass ipt_entry to ->save_firewall hook
      nft: fix bad length when comparing extension data area
      nft: fix interface wildcard matching
      xtables-events: fix compilation due change in libnftables
      nft: fix inversion of built-in selectors
      nft: fix out of bound memory copy
      nft: fix wrong function to release iterator
      nft: fix inconsistent data type in NFT_EXPR_CMP_OP and NFT_EXPR_META_KEY
      configure: fix wrong reference to the conntrack-tools
      configure: rename --disable-xtables to --disable-nftables
      configure: conditional dependencies for nftables-compat
      xtables-restore: remove dependency with libip4tc
      xtables: add xtables-compat-multi for the nftables compatibility layer
      nft-compat: fix IP6T_F_GOTO flag handling
      nft-compat: fix wrong protocol context in initialization
      Merge branch 'nft-compat'
      iptables.8: update coreteam members from manpage
      Merge branch 'next-3.14'
      iptables: nft: generalize batch infrastructure
      iptables: nft: remove unused code
      iptables: nft: add tables and chains to the batch
      Makefile: fix static compilation iptables-compat without shared libraries
      iptables-compat: fix address prefix
      iptables-compat: nft: use nft_batch_begin and nft_batch_end from libnftnl
      iptables-compat: fix use after free in the batch send path
      iptables-compat: get rid of error reporting via perror
      Merge branch 'tests'
      iptables-compat: nft: fix user chain addition, deletion and rename
      iptables-compat: nft: fix error reporting
      arptables-compat: fix missing error reporting
      arptables-compat: allow to not specify a target
      arptables-compat: get output in sync with arptables -L -n --line-numbers
      arptables-compat: remove save code
      refresh nf_tables.h cached copy
      iptables-compat: fix chain policy reset with iptables -L -n
      iptables-compat: statify unused built-in table/chain functions
      iptables-compat: assume chain policy NF_ACCEPT when creating built-in chains
      iptables-compat: fix empty chains after first invocation of iptables-compat -L
      Merge branch 'ipset'
      nft: bootstrap ebtables-compat
      ebtables-compat: use ebtables_command_state in bootstrap code
      iptables: use flock() instead of abstract unix sockets
      Merge branch 'ebtables-compat'
      xshared: calm down compilation warning
      xtables-compat: remove unused fields from bridge and arp families
      iptables-compat: unset context flags in netlink delinearize step
      Merge branch 'ipset-next'
      extensions: fix several test errors
      iptables-compat: use new symbols in libnftnl
      iptables-compat: Keep xtables-config and xtables-events out from tree
      iptables 1.6.0 release
      iptables: fix static builds

Phil Oester (1):
      iptables-xml: fix segfault if missing space after -A

Ronald Wahl (1):
      libxtables: fix two off-by-one memory corruption bugs

Thomas Woerner (2):
      iptables-compat: Allow to insert into rule_count+1 position
      iptables-compat: Increase rule number only for the selected table and chain

Tomasz Bursztyka (41):
      headers: Make nf_tables.h up to date
      nft: Add support for chain rename options (-E)
      iptables: nft: Fix -D chain rulenum option
      iptables: nft: Refactor __nft_rule_check to return rule handle when relevant
      iptables: nft: Add support for -R option
      xtables: add IPv6 support
      nft: Split nft core to become family independent
      xtables: initialize xtables defaults even on listing rules
      xtables: policy can be changed only on builtin chain
      nft: Set the rule family when creating a new one
      nft: Handle error on adding rule expressions
      xtables: Remove useless parameter to nft_chain_list_find
      nft: add function to test for a builtin chain
      nft: Fix small memory leaks
      xtables: Do not dump before command parsing has been finished
      nft: Remove useless function
      nft: Optimize rule listing when chain and rulenum are provided
      nft: Make internal rule listing callback more generic
      nft: Remove useless test on rulenum in nft_rule_list()
      nft: Generalize nft_rule_list() against current family
      nft: Print unknown target data only when relevant
      nft: convert rule into a command state structure
      xtables: allow to reset the counters of an existing rule
      nft: Fix a minor compilation warning
      nft: skip unset tables on table configuration emulation
      xtables: arp: Store target entry properly and compare them relevantly
      extensions: add arptables' libxt_mangle.c for xtables-arp
      extensions: libxt_mangle: Fixes option issues
      nft: Header inclusion missing
      xtables: arp: Parse properly target options
      nft: fix wrong target size
      xtables: arp: Fix a compilation warning
      xtables: arp: inhibit -l option so only a fixed 6 bytes length arhln can be used
      include: Update nftables API header in sync with kernel's one
      nft: Use new libnftnl library name against former libnftables
      xtables: Add backward compatibility with -w option
      nft: Add useful debug output when a builtin table is created
      nft: A builtin chain might be created when restoring
      nft: Initialize a table only once
      nft: Remove useless error message
      nft: Pass a line after printing out a debug message

Ville Skyttä (1):
      iptables: Spelling fixes

Willem de Bruijn (1):
      include: add linux/filter.h

fan.du (1):
      iptables: Add IPv4/6 IPcomp match support
