From pablo at netfilter.org  Mon May 27 14:03:46 2019
From: pablo at netfilter.org (Pablo Neira Ayuso)
Date: Mon, 27 May 2019 14:03:46 +0200
Subject: [ANNOUNCE] libnftnl 1.1.3 release
Message-ID: <20190527120346.gz2dlmx2gstgkyld@salvia>

Hi!

The Netfilter project proudly presents:

        libnftnl 1.1.3

libnftnl is a userspace library providing a low-level netlink
programming interface (API) to the in-kernel nf_tables subsystem. The
library libnftnl has been previously known as libnftables. This
library is currently used by nftables.

See ChangeLog that comes attached to this email for more details.

You can download it from:

http://www.netfilter.org/projects/libnftnl/downloads.html
ftp://ftp.netfilter.org/pub/libnftnl/

Happy firewalling.

-------------- next part --------------
Fernando Fernandez Mancera (1):
      expr: osf: add version option support

Florian Westphal (2):
      set_elem: close a padding hole
      src: libnftnl: export genid functions again

Laura Garcia Liebana (2):
      Revert "expr: add map lookups for numgen statements"
      Revert "expr: add map lookups for hash statements"

Pablo Neira Ayuso (2):
      udata: add NFTNL_UDATA_* definitions
      build: libnftnl 1.1.3 release

Phil Sutter (12):
      chain: Support per chain rules list
      chain: Add lookup functions for chain list and rules in chain
      chain: Hash chain list by name
      object: Avoid obj_ops array overrun
      flowtable: Add missing break
      flowtable: Fix use after free in two spots
      flowtable: Fix memleak in nftnl_flowtable_parse_devs()
      flowtable: Fix for reading garbage
      src: chain: Add missing nftnl_chain_rule_del()
      src: chain: Fix nftnl_chain_rule_insert_at()
      src: rule: Support NFTA_RULE_POSITION_ID attribute
      include: Remove redundant declaration of nftnl_gen_nlmsg_parse()


From pablo at netfilter.org  Mon May 27 17:27:45 2019
From: pablo at netfilter.org (Pablo Neira Ayuso)
Date: Mon, 27 May 2019 17:27:45 +0200
Subject: [ANNOUNCE] iptables 1.8.3 release
Message-ID: <20190527152745.eml637zpc4vdued3@salvia>

Hi!

The Netfilter project proudly presents:

        iptables 1.8.3

iptables is the userspace command line program used to configure the
Linux 2.4.x and later packet filtering ruleset. It is targeted towards
system administrators.

See ChangeLog that comes attached to this email for more details.

You can download it from:

http://www.netfilter.org/projects/iptables/downloads.html
ftp://ftp.netfilter.org/pub/iptables/

Happy firewalling.

-------------- next part --------------
Adam Gołębiowski (1):
      extensions: format-security fixes in libip[6]t_icmp

Baruch Siach (5):
      ebtables: vlan: fix userspace/kernel headers collision
      xtables-monitor: fix build with older glibc
      include: fix build with kernel headers before 4.2
      xtables-monitor: fix build with musl libc
      include: extend the headers conflict workaround to in6.h

Florian Westphal (12):
      arptables-nft: use generic expression parsing function
      xtables: rename opcodes to arp_opcodes
      xtables: make all nft_parse_ helpers static
      arptables-nft: fix decoding of hlen on bigendian platforms
      tests: return-codes script is bash specific
      xtables: unify user chain add/flush for restore case
      xtables: add skip flag to objects
      xtables: add and use nft_build_cache
      xtables: add and set "implict" flag on transaction objects
      xtables: handle concurrent ruleset modifications
      tests: add test script for race-free restore
      extensions: SYNPROXY: should not be needed anymore on current kernels

Lucas Stach (1):
      xtables-legacy: add missing config.h include

Pablo Neira Ayuso (19):
      nft: add type field to builtin_table
      nft: move chain_cache back to struct nft_handle
      nft: move initialize to struct nft_handle
      xtables: constify struct builtin_table and struct builtin_chain
      extensions: libip6t_mh: fix bogus translation error
      xshared: check for maximum buffer length in add_param_to_argv()
      man: refer to iptables-translate and ip6tables
      nft: add struct nft_cache
      nft: statify nft_rebuild_cache()
      nft: add __nft_table_builtin_find()
      nft: add flush_cache()
      nft: cache table list
      nft: ensure cache consistency
      nft: keep original cache in case of ERESTART
      nft: don't skip table addition from ERESTART
      nft: don't care about previous state in ERESTART
      nft: do not retry on EINTR
      nft: reset netlink sender buffer size of socket restart
      configure: bump versions for 1.8.3 release

Phil Sutter (84):
      libiptc: Extend struct xtc_ops
      ip6tables-restore: Merge into iptables-restore.c
      ip6tables-save: Merge into iptables-save.c
      xtables: Introduce per table chain caches
      arptables: Support --set-counters option
      ebtables: Use xtables_exit_err()
      xtables: Don't use native nftables comments
      extensions: libipt_realm: Document allowed realm values
      extensions: TRACE: Point at xtables-monitor in documentation
      nft: Simplify nftnl_rule_list_chain_save()
      nft: Review unclear return points
      xtables-restore: Review chain handling
      nft: Review is_*_compatible() routines
      nft: Reduce __nft_rule_del() signature
      nft: Reduce indenting level in flush_chain_cache()
      nft: Simplify per table chain cache update
      nft: Simplify nft_rule_insert() a bit
      nft: Introduce fetch_chain_cache()
      nft: Move nft_rule_list_get() above nft_chain_list_get()
      xtables: Implement per chain rule cache
      nft: Drop nft_chain_list_find()
      xtables: Optimize flushing a specific chain
      xtables: Optimize nft_chain_zero_counters()
      tests: Extend verbose output and return code tests
      xtables: Optimize user-defined chain deletion
      xtables: Optimize list command with given chain
      xtables: Optimize list rules command with given chain
      nft: Make use of nftnl_rule_lookup_byindex()
      nft: Simplify nft_is_chain_compatible()
      nft: Simplify flush_chain_cache()
      xtables: Set errno in nft_rule_check() if chain not found
      nft: Add new builtin chains to cache immediately
      xtables: Fix position of replaced rules in cache
      utils: Add a manpage for nfbpf_compile
      xtables: Fix for inserting rule at wrong position
      xtables: Speed up chain deletion in large rulesets
      arptables-nft: Fix listing rules without target
      arptables-nft: Fix MARK target parsing and printing
      arptables-nft: Fix CLASSIFY target printing
      arptables-nft: Remove space between *cnt= and value
      arptables-nft-save: Fix position of -j option
      arptables-nft: Don't print default h-len/h-type values
      tests: shell: Add arptables-nft verbose output test
      xtables: Catch errors when zeroing rule rounters
      ebtables: Fix rule listing with counters
      nft: Fix potential memleaks in nft_*_rule_find()
      arptables-nft: Set h-type/h-length masks by default, too
      extensions: Fix arptables extension tests
      xtables: Fix for crash when comparing rules with standard target
      xtables: Fix for false-positive rule matching
      Revert "ebtables: use extrapositioned negation consistently"
      xshared: Explicitly pass target to command_jump()
      xtables-save: Fix table not found error message
      nft: Don't assume NFTNL_RULE_USERDATA holds a comment
      nft: Introduce UDATA_TYPE_EBTABLES_POLICY
      ebtables-nft: Support user-defined chain policies
      nft: Eliminate dead code in __nft_rule_list
      xtables: Fix error message when zeroing a non-existent chain
      xtables: Move new chain check to where it belongs
      xtables: Fix error messages in commands with rule number
      xtables: Fix error message for chain renaming
      tests: Extend return codes check by error messages
      arptables: Print space before comma and counters
      xlate-test: Support testing host binaries
      tests/shell: Support testing host binaries
      doc: Install ip{6,}tables-translate.8 manpages
      extensions: AUDIT: Document ineffective --type option
      extensions: Fix ipvs vproto parsing
      extensions: Fix ipvs vproto option printing
      extensions: Add testcase for libxt_ipvs
      extensions: connlabel: Fallback on missing connlabel.conf
      doc: Add arptables-nft man pages
      doc: Adjust arptables man pages
      doc: Add ebtables man page
      doc: Adjust ebtables man page
      xtables-legacy.8: Remove stray colon
      xtables-save: Point at existing man page in help text
      extensions: Install symlinks as such
      man: iptables-save: Add note about module autoloading
      xtables: Don't leak iter in error path of __nft_chain_zero_counters()
      tests: Fix ipt-restore/0004-restore-race_0 testcase
      xtables: Fix for explicit rule flushes
      Drop release.sh
      Revert "build: don't include tests in released tarball"

Sam Banks (1):
      extensions: libxt_osf.: Typo in manpage


From pablo at netfilter.org  Mon Aug 19 13:03:28 2019
From: pablo at netfilter.org (Pablo Neira Ayuso)
Date: Mon, 19 Aug 2019 13:03:28 +0200
Subject: [ANNOUNCE] libnftnl 1.1.4 release
Message-ID: <20190819110328.vnwmmox5ymabneib@salvia>

Hi!

The Netfilter project proudly presents:

        libnftnl 1.1.4

libnftnl is a userspace library providing a low-level netlink
programming interface (API) to the in-kernel nf_tables subsystem. The
library libnftnl has been previously known as libnftables. This
library is currently used by nftables.

See ChangeLog that comes attached to this email for more details.

You can download it from:

http://www.netfilter.org/projects/libnftnl/downloads.html
ftp://ftp.netfilter.org/pub/libnftnl/

Happy firewalling.

-------------- next part --------------
Brett Mastbergen (1):
      src: Add ct id support

Fernando Fernandez Mancera (1):
      src: add synproxy support

Florian Westphal (1):
      udata: fix sigbus crash on sparc

Laura Garcia Liebana (1):
      src: enable set expiration date for set elements

Pablo Neira Ayuso (2):
      include: resync nf_tables.h cache copy
      build: libnftnl 1.1.4 release

Phil Sutter (1):
      expr: meta: Make NFT_META_{I,O}IFKIND known

Stephen Suryaputra (1):
      src: add support for matching IPv4 options

Stéphane Veyret (2):
      src: add ct expectation support
      examples: add ct expectation examples

Thomas Petazzoni (1):
      Add Requires.private field to libnftnl.pc

wenxu (1):
      expr: meta: Make NFT_META_BRI_IIF{VPROTO, PVID} known


From pablo at netfilter.org  Mon Dec 2 14:57:42 2019
From: pablo at netfilter.org (Pablo Neira Ayuso)
Date: Mon, 2 Dec 2019 14:57:42 +0100
Subject: [ANNOUNCE] libnftnl 1.1.5 release
In-Reply-To: <20190819110328.vnwmmox5ymabneib@salvia>
References: <20190819110328.vnwmmox5ymabneib@salvia>
Message-ID: <20191202135742.tdkuffglhefgzgnw@salvia>

Hi!

The Netfilter project proudly presents:

        libnftnl 1.1.5

libnftnl is a userspace library providing a low-level netlink
programming interface (API) to the in-kernel nf_tables subsystem. The
library libnftnl has been previously known as libnftables. This
library is currently used by nftables.

See ChangeLog that comes attached to this email for more details.

You can download it from:

http://www.netfilter.org/projects/libnftnl/downloads.html
ftp://ftp.netfilter.org/pub/libnftnl/

Happy firewalling.

-------------- next part --------------
Ander Juaristi (2):
      expr: meta: Make NFT_META_TIME_{NS, DAY, HOUR} known
      expr: meta: Make NFT_DYNSET_OP_DELETE known

Eric Jallot (1):
      flowtable: add support for handle attribute

Fernando Fernandez Mancera (1):
      src: synproxy stateful object support

Manuel Messner (1):
      flowtable: Fix symbol export for clang

Pablo Neira Ayuso (4):
      flowtable: device array dynamic allocation
      chain: multi-device support
      flowtable: remove NFTA_FLOWTABLE_SIZE
      build: libnftnl 1.1.5 release

Phil Sutter (11):
      set: Export nftnl_set_list_lookup_byname()
      obj: ct_timeout: Check return code of mnl_attr_parse_nested()
      set_elem: Fix return code of nftnl_set_elem_set()
      obj/tunnel: Fix for undefined behaviour
      set: Don't bypass checks in nftnl_set_set_u{32,64}()
      obj/ct_timeout: Avoid array overrun in timeout_parse_attr_data()
      set_elem: Validate nftnl_set_elem_set() parameters
      obj/ct_timeout: Fix NFTA_CT_TIMEOUT_DATA parser
      libnftnl.map: Export nftnl_{obj,flowtable}_set_data()
      Deprecate untyped data setters
      utils: Define __visible even if not supported by compiler


From pablo at netfilter.org  Mon Dec 2 15:25:24 2019
From: pablo at netfilter.org (Pablo Neira Ayuso)
Date: Mon, 2 Dec 2019 15:25:24 +0100
Subject: [ANNOUNCE] arptables 0.0.5 release
Message-ID: <20191202142524.sxyhei4w7vzmi62k@salvia>

Hi!

The Netfilter project presents:

        arptables 0.0.5

arptables is the userspace command line program used to configure the
Linux 2.4.x and later ARP packet filtering ruleset. It is targeted
towards system administrators.

NOTE: This is a release of legacy software. Patches may still be
accepted and pushed out to the git repository, which will remain active
and accessible as usual although support for this software might be
discontinued at some point. We are thankful to all the contributors of
arptables over time and we also acknowledge it is time to move on.

See ChangeLog that comes attached to this email for more details.

You can download it from:

ftp://ftp.netfilter.org/pub/arptables/

Happy firewalling.

-------------- next part --------------
Arturo Borrero Gonzalez (2):
      arptables: cleanup sysvinit script
      arptables: legacy renaming

Bart De Schuymer (2):
      add GPL text
      arptables: fix potential buffer overflow (author: dcb)

Felix Janda (2):
      src: Use stdint types
      src: Remove support for libc5

Gustavo Zacarias (1):
      arptables: remove dead dynamic hooks code

Jaromír Končický (2):
      make static analysis tool happy (false positive)
      fix potential buffer overflows reported by static analysis

Jesper Dangaard Brouer (3):
      Add man pages for arptables-{save,restore}
      arptables: install man pages
      arptables: add missing long option --set-counters and update documentation

Jonh Wendell (1):
      build an libarptc.a archive

Pablo Neira Ayuso (3):
      src: cache in tree and use x_tables.h
      src: fix compilation warning
      arptables 0.0.5 release

Phil Sutter (3):
      Add .gitignore
      Eliminate compiler warning about size passed to strncmp()
      libarptc: Simplify alloc_handle by using calloc()

Zhang Chunyu (2):
      arptables: Add revision field for arptables userspace
      arptables: Add MARK target


From pablo at netfilter.org  Mon Dec 2 16:33:56 2019
From: pablo at netfilter.org (Pablo Neira Ayuso)
Date: Mon, 2 Dec 2019 16:33:56 +0100
Subject: [ANNOUNCE] ebtables 2.0.11 release
Message-ID: <20191202153356.xowrrxn26jlm5v4f@salvia>

Hi!

The Netfilter project presents:

        ebtables 2.0.11

ebtables is the userspace command line program used to configure the
Linux 2.4.x and bridge packet filtering ruleset. It is targeted towards
system administrators.

NOTE: This is a release of legacy software. Patches may still be
accepted and pushed out to the git repository, which will remain active
and accessible as usual although support for this software might be
discontinued at some point. We are thankful to all the contributors of
ebtables over time and we also acknowledge it is time to move on.

See ChangeLog that comes attached to this email for more details.

You can download it from:

ftp://ftp.netfilter.org/pub/ebtables/

Happy firewalling.

-------------- next part --------------
Alin Năstac (1):
      ebtables: Allow RETURN target rules in user defined chains

Arturo Borrero Gonzalez (3):
      ebtables: legacy renaming
      ebtables: drop .spec file
      ebtables: drop sysvinit script

Bart De Schuymer (4):
      add RARP and update iana url
      add info about -Wl,-no-as-needed
      remove ebtables-restore binary from repository
      don't print IPv6 mask if it's all ones (based on patch by Mariusz Mazur )

Baruch Siach (1):
      include: Fix musl libc compatibility

Bernie Harris (1):
      extensions: Add string filter to ebtables

Duncan Roe (2):
      ebtables: Fix build errors and warnings
      extensions: ebt_string: take action if snprintf discards data

Felix Janda (2):
      extensions: Use stdint types
      ethernetdb.h: Remove C++ specific compiler hint macro _THROW

Florian Westphal (2):
      extensions: fix build failure on fc28
      ebtablesd: avoid build warning

Gargi Sharma (1):
      ebtables: extensions: Constify option struct

Jan Engelhardt (7):
      build: update ebtables.h from kernel and drop local unused copy
      build: drop install -o/-g root
      build: rename sed source files to .in
      build: use autoconf-style placeholders in sed-ed files
      extensions: use __attribute__((constructor)) for autoregistration
      Add .gitignore
      build: move to automake

Luis Fernando (1):
      workaround for kernel regression bug: IPv6 source/destination addresses are potentially not matched correctly

Matthias Schiffer (4):
      include: sync linux/netfilter_bridge/ebt_ip.h with kernel
      Move ICMP type handling functions from ebt_ip6 to useful_functions.c
      ebt_ip: add support for matching ICMP type and code
      ebt_ip: add support for matching IGMP type

Pablo Neira Ayuso (1):
      build: ebtables 2.0.11 release

Pedro Alvarez (1):
      Add kernel headers needed from v3.16

Petri Gynther (1):
      fix compilation warning

Phil Sutter (11):
      Use flock() for --concurrent option
      Fix locking if LOCKDIR does not exist
      extensions: among: Fix bitmask check
      Print IPv6 prefixes in CIDR notation
      Adjust .gitignore to renamed files
      extensions: Drop Makefile
      Allow customizing lockfile location at configure time
      extensions: Add AUDIT target
      Fix segfault with missing lockfile directory
      Fix incorrect IPv6 prefix formatting
      Drop ebtables-config from repository

Sanket Shah (1):
      Add --noflush command line support for ebtables-restore


From pablo at netfilter.org  Mon Dec 2 22:25:28 2019
From: pablo at netfilter.org (Pablo Neira Ayuso)
Date: Mon, 2 Dec 2019 22:25:28 +0100
Subject: [ANNOUNCE] ebtables 2.0.11 release
In-Reply-To: 
References: <20191202153356.xowrrxn26jlm5v4f@salvia>
Message-ID: <20191202212528.q4bqd5dlbt7vix5b@salvia>

On Mon, Dec 02, 2019 at 08:30:25PM +0100, Jan Engelhardt wrote:
> On Monday 2019-12-02 16:33, Pablo Neira Ayuso wrote:
> 
> >You can download it from:
> >
> >ftp://ftp.netfilter.org/pub/ebtables/
> 
> There is a file called ebtables-2.0.11.tar.bz2 in there, but this is
> actually a gz encoded object. (This confuses rpmbuild, which tries
> to `bzip2 -d` it.)

Just fixed this, thanks for reporting.

> (Isn't it time to do xz or zstd anyway?)

For the sake of saving bits over the wire, yes. Next time.
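The mislabelled tarball reported in the exchange above (a .tar.bz2 that is really gzip data, so `bzip2 -d` fails) is the kind of thing a build pipeline can catch before handing the file to rpmbuild. As an added example, not code from the list thread or the Netfilter project, this Python check compares an archive's extension with its actual magic bytes; the sample archives are constructed in memory, and every file name except ebtables-2.0.11.tar.bz2 is made up for the demo.

```python
import bz2
import gzip
import lzma
import os
from typing import List, Optional, Tuple

# Magic bytes of the compression formats the thread mentions (bzip2, gzip)
# plus xz, which the reply suggests switching to.
MAGIC = {
    ".bz2": b"BZh",
    ".gz": b"\x1f\x8b",
    ".xz": b"\xfd7zXZ\x00",
}


def sniff_format(data: bytes) -> Optional[str]:
    """Return the extension whose magic bytes start `data`, or None if unknown."""
    for ext, magic in MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def check_archive(name: str, data: bytes) -> Tuple[bool, str]:
    """Compare the extension of `name` with the real encoding of `data`.

    Returns (ok, message); ok is False when the name lies about the content
    or the content is not a recognised compressed stream.
    """
    _, ext = os.path.splitext(name)
    actual = sniff_format(data)
    if actual is None:
        return False, f"{name}: unrecognised compression format"
    if ext != actual:
        return False, f"{name}: named {ext} but content is {actual}"
    return True, f"{name}: extension matches content ({actual})"


def demo() -> List[Tuple[bool, str]]:
    """Run the check over constructed samples; the first reproduces the report."""
    payload = b"constructed stand-in for a tar stream"
    samples = {
        # Same situation as the thread: .bz2 name, gzip bytes inside.
        "ebtables-2.0.11.tar.bz2": gzip.compress(payload),
        # Constructed names for the corrected and xz variants.
        "ebtables-2.0.11-fixed.tar.bz2": bz2.compress(payload),
        "ebtables-2.0.11.tar.xz": lzma.compress(payload),
    }
    return [check_archive(name, data) for name, data in samples.items()]


if __name__ == "__main__":
    for ok, message in demo():
        print("OK  " if ok else "FAIL", message)
```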