iptables v1.4.2 Changelog: ====================================================================== Changes from 1.4.2-rc1: Jan Engelhard (1): build: fix iptables-static build Jan Engelhardt (26): build: do not install ip{,6}tables.h Merge branch 'master' of vishnu.netfilter.org:/data/git/iptables manpages: name and markup fixes src: remove dependency on libiptc headers src: drop libiptc from installation iptables-restore: fix segmentation fault with -tanything libxt_recent: do not allow both --set and --rttl Put xtables.c into its own library, libxtables.so manpages: correct erroneous markup physdev: remove extra space in output Warn about use of DROP in nat table Synchronize invert flag order with manpages build: fix dependency tracking for xtables.h.in build: fix initext.c dependency manpages: add missing --rsource,--rdest options to libxt_recent.man manpages: add missing rateest documentation manpages: add missing rateest match documentation libxt_mac: flatten casts in libxt_mac libxt_iprange: fix option names src: use regular includes src: Update comments build: prepare make tarball for git 1.6.0 libxt_recent: do allow --rttl for --update src: update comments part II build: run ldconfig on `make install` doc: remove mentions of NAT in ip6tables manpage Jesper Dangaard Brouer (1): libiptc: remove old fixme Pablo Sebastian Greco (1): mark: fix invalid iptables-save output Patrick McHardy (2): manpages: fix another typo in tcp manpage v1.4.2 Phil Oester (3): iptables-save: fix hashlimit output libxt_dscp: fix save of negated dscp match rules src: Missing limits.h includes WANG Cong (1): manpages: Fix a typo in tcp man page iptables v1.4.1-rc1 Changelog: ====================================================================== Changes from 1.4.0: Peter Warasin: Fix CONNMARK mask initialisation Jesper Dangaard Brouer: Inline functions iptcc_is_builtin() and set_changed() Introduce a counter for number of user defined chains Solving scalability issue: for chain list 
"name" searching Patrick McHardy: Add RATEEST target extension Add rateest match extension Remove obsolete file Add netfilter.h Remove compiler.h inclusions Retry ruleset dump when kernel returns EAGAIN Pablo Neira Ayuso: Cleanup several code wraparounds Check for malloc() return value in merge_opts() Check for merge_opts() return value Jan Engelhardt: Converts the iptables build infrastructure to autotools Introduce strtonum() Introduce common error messages Add libxt_owner Add libxt_tos Add libxt_TOS Add libxt_MARK r2 Add libxt_connmark r1 Print warning when dlopen fails Add libxt_conntrack r0 Bunch o' renames Rename overlapping function names Add more libxt_hashlimit checks Add libxt_mark r1 Add libxt_iprange r0 Add libxt_iprange r1 Give preference to iptables header files Build adjustments Add libxt_CONNMARK revision 1 Add libxt_conntrack revision 1 libxt_owner: UID/GID range support Fix compilation of iptables-static build Correct the family member value of libxt_mark revision 1 Makefile: add a "tarball" target Drop -W from CFLAGS and some tiny code cleanups Fix -Wshadow warnings and clean up xt_sctp.h Update the libxt_owner manpage with the UID/GID-range feature Fix all remaining warnings (missing declarations, missing prototypes) xtables.h: move non-exported parts to internal.h Add support for xt_hashlimit match revision 1 Combine IP{,6}T_LIB_DIR into XTABLES_LIBDIR manpages: fix broken markup (missing close tags) manpages: grammar and spelling manpages: update to reflect fine-grained control configure: split --enable-libipq from --enable-devel Import iptables-apply Add all necessary header files - compilation fix for various cases Install libiptc header files because xtables.h depends on it iptables: use C99 lists for struct options RATEEST: add manpage Implement AF_UNSPEC as a wildcard for extensions Combine ipt and ip6t manpages Resolve warnings on 64-bit compile Wrap dlopen code into NO_SHARED_LIBS Remove support for compilation of conditional extensions 
Resolve libipt_set warnings Update documentation about building the package configure.ac: AC_SUBST must be separate Dynamically create xtables.h.in with version configure.ac: remove already-defined variables Remove old functions, constants Properly initialize revision for ip6tables targets Makefile.am: use PACKAGE_TARNAME iptables out-of-tree build directory Sven Schnelle: Add libxt_TCPOPTSTRIP Max Kellermann: Fix REDIRECT manpage Whitespace cleanup Use size_t Escape strings Unescape parameters Allow empty strings in argument parser Fix gcc warnings Naohiro Ooiwa: Fix define value of SCTP chunk type Filippo Zangheri: Remove useless white spaces from iptables-xml manpages James King: libxt_iprange: Fix IP validation logic Shan Wei: iptables-save: remove unnecessary code Henrik Nordstrom: Make iptables-restore usable over a pipe Add support for --set-counters to iptables -P iptables --list-rules command iptables --list chain rulenum Make --set-counters (-c) accept comma separated counters Jamie Strandboge: Fix ip6tables dest address printing iptables v1.4.1.1 Changelog ===================================================================== Henrik Nordstrom (1): iptables: fix printing of line numbers with --line-numbers arg Jan Engelhardt (3): ip6tables: fix printing of ipv6 network masks build: fix `make install` when --disable-shared is used iprange: kernel flags were not set Patrick McHardy (1): v1.4.1.1 iptables v1.4.1 Changelog ====================================================================== Filippo Zangheri (1): removes useless white spaces from iptables-xml manpages. 
Gáspár Lajos (1): iptables: use C99 lists for struct options Henrik Nordstrom (5): Make iptables-restore usable over a pipe Add support for --set-counters to iptables -P iptables --list-rules command iptables --list chain rulenum Make --set-counters (-c) accept comma separated counters James King (1): [IPTABLES]: libxt_iprange: Fix IP validation logic Jamie Strandboge (1): fix ip6tables dest address printing Jan Engelhardt (55): Converts the iptables build infrastructure to autotools. Introduce strtonum(), which works like string_to_number(), but passes common error messages libxt_owner libxt_tos libxt_TOS libxt_MARK r2 libxt_connmark r1 print warning when dlopen fails libxt_conntrack r0 bunch o' renames rename overlapping function names libxt_hashlimit checks libxt_mark r1 libxt_iprange r0 libxt_iprange r1 Give preference to iptables header files Build adjustments libxt_CONNMARK revision 1 [IPTABLES]: libxt_conntrack revision 1 [IPTABLES]: libxt_owner: UID/GID range support Fix compilation of iptables-static build Correct the family member value of libxt_mark revision 1 Makefile: add a "tarball" target Drop -W from CFLAGS and some tiny code cleanups Fix -Wshadow warnings and clean up xt_sctp.h Update the libxt_owner manpage with the UID/GID-range feature Fix all remaining warnings (missing declarations, missing prototypes) xtables.h: move non-exported parts to internal.h Add support for xt_hashlimit match revision 1 Combine IP{,6}T_LIB_DIR into XTABLES_LIBDIR manpages: fix broken markup (missing close tags) manpages: grammar and spelling manpages: update to reflect fine-grained control configure: split --enable-libipq from --enable-devel Add all necessary header files - compilation fix for various cases Install libiptc header files because xtables.h depends on it RATEEST: add manpage Implement AF_UNSPEC as a wildcard for extensions Combine ipt and ip6t manpages Resolve warnings on 64-bit compile Wrap dlopen code into NO_SHARED_LIBS Remove support for compilation 
of conditional extensions Resolve libipt_set warnings Update documentation about building the package configure.ac: AC_SUBST must be separate Dynamically create xtables.h.in with version configure.ac: remove already-defined variables Remove old functions, constants Makefile.am: use PACKAGE_TARNAME iptables out-of-tree build directory Update .gitignore build: check for missing feature files libxt_owner: add spaces to output manpage updates Jesper Dangaard Brouer (3): Inline functions iptcc_is_builtin() and set_changed(). Introduce a counter for number of user defined chains. Solving scalability issue: for chain list "name" searching. Kristof Provost (1): REDIRECT: Allow symbolic port in REDIRECT --to-port Laszlo Attila Toth (1): addrtype match: added revision 1 Lutz Jaenicke (1): Fix iptables-save output of libxt_owner match Martin F. Krafft (1): Import iptables-apply Max Kellermann (7): Fix REDIRECT manpage whitespace cleanup use size_t escape strings unescape parameters allow empty strings in argument parser fix gcc warnings Naohiro Ooiwa (1): Fix define value of SCTP chunk type. Pablo Neira Ayuso (2): - cleanup several code wraparounds bump iptables version to prepare 1.4.1 release Patrick McHardy (16): Add RATEEST target extension Add rateest match extension Remove obsolete file Add netfilter.h Remove compiler.h inclusions. Retry ruleset dump when kernel returns EAGAIN. Properly initialize revision for ip6tables targets Bump version to 1.4.1-rc1 iptables 1.4.1-rc2 manpages: consistent syntax Resync header files with kernel Bump version libiptc: move variable definitions to head of function iptables-xml: sparse fixes sparse warning fixes: integer used as pointer v1.4.1 Peter Warasin (1): Fix CONNMARK mask initialisation Shan Wei (1): iptables-save:remove unnecessary code. Sven Schnelle (1): libxt_TCPOPTSTRIP Thomas Jacob (1): Don't assume /bin/sh is bash Thomas Jarosch (1): Add xtables version defines. 
Yasuyuki Kozakai (1): Use s6_addr32 to access bits in int6_addr instead of incompatible name iptables v1.4.0 Changelog ====================================================================== Changes from 1.4.0rc1: - Don't use dlfcn.h if NO_SHARED_LIBS is defined [ Mike Frysinger ] - Fix showing help text for matches/targets with revision as user [ Patrick McHardy ] - Print warnings to stderr [ Max Kellermann ] - Fix sscanf type errors [ Patrick McHardy ] - Always print mask in iptables-save [ Jan Engelhardt ] - Don't silenty exit on failure to open /proc/net/{ip,ip6}_tables_names [ Victor Stinner ] - Adds --table to iptables-restore [ Peter Warasin ] - Make DO_MULTI=1 work for ip6tables* binaries [ Hann-huei Chiou ] - Add ip6tables-{save,restore} to non-experimental target, fix strict aliasing warnings [ Patrick McHardy ] - Introducing libxt_*.man files. Sorted matches and modules [ Laszlo Attila Toth ] - Install ip6tables-{save,restore} manpages [ Patrick McHardy ] - Performance optimization in sorting chain during pull-out [ Jesper Dangaard Brouer ] - Fix sockfd use accounting for kernels without autoloading [ Patrick McHardy ] - use [ Jan Engelhardt ] - Fix make/compile error for iptables-1.4.0rc1 [ Jesper Dangaard Brouer ] - Fix for --random option in DNAT and REDIRECT [ Tom Eastep ] - Document xt_statistic [ Stefano Sabatini ] - sctp: fix - mistake to pass a pointer where array is required [ Li Zefan ] - Fix connlimit output for inverted --connlimit-above: ! 
> is <=, not < [ Patrick McHardy ] - Add NFLOG manpage [ Patrick McHardy ] - Move libipt_DSCP.man to libxt_DSCP.man for ip6tables.8 [ Yasuyuki Kozakai ] - Unifies libip[6]t_CONNSECMARK.man to libxt_CONNSECMARK.man [ Yasuyuki Kozakai ] - Moves libipt_CLASSYFY.man to libxt_CLASSYFY.man for ip6tables.8 [ Yasuyuki Kozakai ] - fix check_inverse() call [ Jan Engelhardt ] - Bump version to 1.4.0 final [ Pablo Neira Ayuso ] iptables v1.4.0rc1 Changelog ====================================================================== Changes from 1.3.8: - Add support for generic xtables infrastructure (improved IPv6 support!) [ Yasuyuki Kozakai ] - Deletes empty ->final_check() functions [ Jan Engelhardt ] - Fix sparse warnings: non-C99 array declaration, incorrect function prototypes [ Patrick McHardy ] - Remove last vestiges of NFC [ Peter Riley ] - Make @msg argument a const char *, just like printf [ Jan Engelhardt ] - Makes it possible to omit extra_opts of matches/targets if unnecessary [ Jan Engelhardt ] - Fix "iptables getsockopt failed strangely" when querying revisions for non-existant matches and targets [ Patrick McHardy] - Introduces DEST_IPT_LIBDIR in Makefile [ Yasuyuki Kozakai ] - Change default KERNEL_DIR location and add KBUILD_OUTPUT [ Sven Wegener ] - Removes obsolete KERNEL_64_USERSPACE_32 definitions [ Yasuyuki Kozakai ] - Fix unused function warning [ Patrick McHardy ] iptables v1.3.8 Changelog ====================================================================== - Fix build error of conntrack match [Yasuyuki Kozakai] - Remove whitespace in ip6tables.c [Yasuyuki Kozakai] - `-p all' and `-p 0' should be allowed in ip6tables [Yasuyuki Kozakai] - hashlimit doc update [Jan Engelhardt] - add --random option to DNAT and REDIRECT [Patrick McHardy] - Makefile uses POSIX conform directory check [Roy Marples] - Fix missing newlines in iptables-save/restore output [Pavol Rusnak] - Update quota manpage for SMP [Phil Oester] - Output for unspecified proto is `all' instead 
of `0' [Phil Oester] - Fix iptables-save with --random option [Patrick McHardy] - Remove unnecessary IP_NAT_RANGE_PROTO_RANDOM ifdefs [Patrick McHardy] - Remove libnsl from LDLIBS [Patrick McHardy] - Fix problem with iptables-restore and quotes [Pablo Neira Ayuso] - Remove unnecessary includes [Patrick McHardy] - Fix --modprobe parameter [Maurice van der Pot] - ip6tables-restore should output error of modprobe after failed to load [Yasuyuki Kozakai] - Add random option to SNAT [Eric Leblond] - Fix missing space in error message [Patrick McHardy] - Fixes for manpages of tcp, udp, and icmp{,6} [Yasuyuki Kozakai] - Add ip6tables mh extension [Masahide Nakamura] - Fix tcpmss manpage [Patrick McHardy] - Add ip6tables TCPMSS extension [Arnaud Ebalard] - Add UDPLITE multiport support [Patrick McHardy] - Fix missing space in ruleset listing [Patrick McHardy] - Remove extensions for unmaintained/obsolete patchlets [Patrick McHardy] - Fix greedy debug grep [Patrick McHardy] - Fix type in manpage [Thomas Aktaia] - Fix compile/install error for iptables-xml with DO_MULTI=1 [Lutz Jaenicke] iptables v1.3.7 Changelog ====================================================================== Bugs fixed since 1.3.6: - Fix compilation error with linux 2.6.19 [ Patrick McHardy ] - Fix LOG target segfault with --log-prefix "" [ Mike Frysinger, Bugzilla #516 ] - Fix conflicting getsockopt optname values for IP6T_SO_GET_REVISION_{MATCH,TARGET} [ Yasuyuki KOZAKAI ] - Fix -E (rename) in iptables/ip6tables [ Krzysztof Piotr Oledzki ] - Fix /etc/network usage [ Pablo Neira ] - Fix iptables-save not printing -s/-d ! 
0/0 [ Patrick McHardy ] - Fix ip6tables-save unnecessarily printing -s/-d options for zero prefix length [ Daniel De Graaf ] New features since 1.3.6: - Add revision support for ip6tables [ R?mi Denis-Courmont ] - Add port range support for ip6tables multiport match [ R?mi Denis-Courmont ] - Add sctp match extension for ip6tables [ Patrick McHardy ] - Add iptables-xml tool [ Amin Azez ] - Add hashlimit support for ip6tables (needs kernel > 2.6.19) [ Patrick McHardy ] - Use /limodules/$(shell uname -r)/build instead of /usr/src/linux to look for kernel source [ Patrick McHardy ] - Add NFLOG target extension for iptables/ip6tables (needs kernel > 2.6.19) [ Patrick McHardy ] iptables v1.3.6 Changelog ====================================================================== Bugs fixed since 1.3.5: - Fix segfault on loading of invalid counters in ip[6]tables-restore [ Bugzilla #437, Olaf Rempel ] - Fix double-free if a single match is used multiple times within a single rule [ Bugzilla #440, Harald Welte ] - Don't try to resolve "-p all" using getprotoent() [ Bugzilla #446, Harald Welte ] - Refuse never matching protocol specifications for ip6tables [ Yasuyuki Kozakai ] - Fix iptables-save output of osf match [ Daniel De Graaf ] - Fix esp/connbytes detection with newer kernels (x_tables) [ Harald Welte ] - Fix loading of IPCMv6 match shared library [ Yasuyuki Kozakai ] - Refuse invalid esp match SPI ranges [ Yasuyuki Kozakai ] - Fix out-of-bounds memory access when the unsupported "check" command was used [ Bugzilla #463, Larry Stefani, Harald Welte ] - Fix out-of-bounds memory access when the "-c" option was used [ Bugzilla #462, Larry Stefani, Harald Welte ] - Fix "Unknown error 4294967295" message [ Bugzilla #460, Patrick McHardy ] - Use lower-case letters for realm match output [ Simon Lodal ] - Fix example in connlimit manpage [ Phil Oester ] - Refuse IP addresses as arguments to REDIRECT target [ Bugzilla #482, Phil Oester ] - Fix set match negation [ Jozsef 
Kadlecsik ] - Fix some compiler warnings [ Bugzilla #457, Phil Oester ] - Refuse port ranges in ip6tables multiport match [ Bugzilla #451, Phil Oester ] - Force user to specify --ipcmv6-type if ipcmv6 match is used [ Bugzilla #461, Yasuyuki Kozakai ] - Fix libiptc symbol clash [ Bugzilla #456, Phil Oester ] - Remove "hoho" message [ Pierre-Yves Ritschard ] - Handle CIDR notation more sanely [ Bugzilla #422, Phil Oester ] - Fix chain reference increment bug [ Jesper Brouer ] - Fix counter clearing for policy counters [ Bugzilla #502, Andy Gay ] - Remove warnings about interface names with non-alphanumeric characters [ Patrick McHardy ] New features since 1.3.5: - Support multiple matches of the same type within a single rule [ Jozsef Kadlecsik ] - DCCP/SCTP support for multiport match (needs kernel >= 2.6.18) [ Patrick McHardy ] - SELinux SECMARK target (needs kernel >= 2.6.18) [ James Morris ] - SELinux CONNSECMARK target (needs kernel >= 2.6.18) [ James Morris ] - Add documentation for DNAT target : syntax [ Evan Miller ] - Add new exit value to indicate concurrency issues [ Jesper Dangaard Brouer ] - Use gcc to build shared objects [ Bugzilla #454, Phil Oester ] - Update quota match for version in current kernel, fix -D (needs kernel >= 2.6.18) [ Phil Oester ] - Update MARK target documentation to include --and-mask/--or-mask [ Eric Leblond ] - Add support for statistic match (needs kernel >= 2.6.18) [ Patrick McHardy ] - Optionally read realm values from /etc/iproute2/rt_realms [ Simon Lodal ] iptables v1.3.5 Changelog ====================================================================== This version requires kernel >= 2.4.0 This version recommends kernel >= 2.4.18 Bugs fixed from 1.3.4: - Fix conntrack --ctproto option in iptables-save [ Phil Oester ] - Fix string match '--from' option in iptables-save [ Michael Rash ] - Fix option parser of ttl match [ Patrick McHardy ] - Get rid of gcc-4 warnings [ Patrick McHardy ] - Fix spelling of 'address' in DNAT/SNAT 
manpage section [ MJ Anthony ] - Fix 'tcp-rst' parsing in REJECT target [ Torsten Hilbrich ] - Fix probing for supported revisions [ Jones Desougi ] - Fix compilation of iptables on [old] systems that don't have IPT_F_GOTO [ Harald Welte ] - Only set revisions on real targets, not on jumps [ Pablo Neira ] - Fix memory leak in TC_COMMIT() of libiptc [ Markus Sundberg ] - Correctly propagate errors of setsockopt to calling function [ Harald Welte ] - Fix connbytes match iptables-save [ Unknown ] - Fix sctp match compilation against recent kernel headers [ Harald Welte ] - Fix conntrack match compilation against 2.4.0 kernel headers [ Harald Welte ] Changes from 1.3.4: - Add support for ip6tables connmark match and target [ Harald Welte ] - Add support for ip6tables state match [ Harald Welte ] - Add support for new policy ip[6]tables match [ Patrick McHardy ] - Major manpage update [ Yasuyuki Kozakai ] - Remove ippool support, it has been deprecated by ipset long time ago [ Harald Welte ] Please note: Since version 1.2.7a, patch-o-matic is now no longer part of iptables but rather distributed as a seperate package (ftp://ftp.netfilter.org/pupatch-o-matic-ng/snapshot) iptables v1.3.4 Changelog ====================================================================== This version requires kernel >= 2.4.0 This version recommends kernel >= 2.4.18 Bugs fixed from 1.3.3: - Fix parsing of NFQUEUE queue numbers [ Eric Leblond ] - Add documentation of --queue-num parameter to NFQUEUE manpage [ Eric Leblond ] - Fix 'hash-init' parameter of CLUSTERIP target [ KOVACS Krisztian ] - Fix CONNMARK match and target: Marks are now always 32bit [ Deti Fliegl ] - Print error message when multiple "--to" DNAT/SNAT args are used with kernel >= 2.6.10 [ Phil Oester ] - Fix compilation of connbytes match with 2.6.14 kernel [ Harald Welte ] - Fix address inversion of conntrack match [ Tom Eastep ] - Fix sorting of chain names [ Robert de Barth ] Changes from 1.3.2: - Add support for DCCP port 
and type matching [ Harald Welte ] - Add support for new in-kernel string match [ Pablo Neira ] Please note: Since version 1.2.7a, patch-o-matic is now no longer part of iptables but rather distributed as a seperate package (ftp://ftp.netfilter.org/pupatch-o-matic-ng/snapshot) iptables v1.3.3 Changelog ====================================================================== This version requires kernel >= 2.4.0 This version recommends kernel >= 2.4.18 Bugs fixed from 1.3.2: - Fix use-after-free in merge_options() [ Markus Sundberg ] - Fix support for SNAT and DNAT to ICMP ID ranges [ Patrick McHardy ] Changes from 1.3.2: - Add support for new NFQUEUE targets for IPv4 and IPv6 [ Harald Welte ] - Minor manpage updates [ Harald Welte ] - Fix numberous gcc-4 warnings throughout the code [ Harald Welte ] Please note: Since version 1.2.7a, patch-o-matic is now no longer part of iptables but rather distributed as a seperate package (ftp://ftp.netfilter.org/pupatch-o-matic-ng/snapshot) iptables v1.3.2 Changelog ====================================================================== This version requires kernel >= 2.4.0 This version recommends kernel >= 2.4.18 Bugs fixed from 1.3.1: - Fix TCPLAG version [ Torsten Luettgert ] - More error checking in SET target [ Michal Pokrywka ] - Fix optflags value for OPT_LINENUMBERS [ Jonas Berlin ] - Allow NULL init function in ip6tables plugins [ Jonas Berlin ] - Don't allow newlines in LOG prefix [ Phil Oester ] - Introduce ip_conntrack_old_tuple to userspace header copy [ Pablo Neira ] - Fix connbytes command line parsing bug [ Piotrek Kaczmarek ] - Ignore unknown arguments in libipt_ULOG [ Patrick McHardy ] - Correct error in multiport manpage wrt. "--ports" [ Rusty Russell ] - Fix CONNMARK save/restore [ Tom Eastep, Pawel Sikora ] - Make sure chain name doesn't start with '!' 
[ Yasuyuki Kozakai ] - Prevent user to specify negative ports in SNAT/DNAT [ Yasuyuki Kozakai ] - Fix deletion of targets where kernel size != userspace size [ Pablo Neira ] - Fix save/restore of '! --uid-owner squid' problem in ip6t_owner [ Harald Welte ] Changes from 1.3.1: - Add ``--log-uid'' option to ip6t_LOG target [ Patrick McHardy ] - Improve REDIRECT manpage [ Jonas Berlin ] - Add a number of missing manpage snippets [ Jonas Berlin ] - Include FIN bit in mask of "--syn" bits [ Harald Welte ] - Release previously merged options from merge_opts(), reduces memory-usage of ipt ables-restore dramatically [ Pablo Neira ] - OSF: changes to support connector notifications [ Evgeniy Polyakov ] - Reduce code replication of parse_interface() [ Yasuyuki Kozakai ] Please note: Since version 1.2.7a, patch-o-matic is now no longer part of iptables but rather distributed as a seperate package (ftp://ftp.netfilter.org/pupatch-o-matic-ng/snapshot) iptables v1.3.1 Changelog ====================================================================== This version requires kernel >= 2.4.4 This version recommends kernel >= 2.4.18 Bugs fixed from 1.3.0: - Fix CLUSTERIP rule deletion [ Pablo Neira ] - Fix libip6t_random compilation [ Harald Welte ] - Fix CONNMARK on 32bit userspace / 64bit kernel archs [ Pablo Neira ] Changes from 1.3.0: - remove bogus NFC_* stuff in iptables [ Pablo Neira ] - libiptc: don't sort builtin chains, restores iptables-1.2.x sort order [ Olaf Rempel ] Please note: Since version 1.2.7a, patch-o-matic is now no longer part of iptables but rather distributed as a seperate package (ftp://ftp.netfilter.org/pupatch-o-matic-ng/snapshot) iptables v1.3.0 Changelog ====================================================================== This version requires kernel >= 2.4.4 This version recommends kernel >= 2.4.18 Bugs fixed from 1.3.0rc1: - Fix realm match save/restore issue [ Harald Welte ] - Fix hashlimit rule deletion from userspace [ Samuel Jean ] - Fix hashlimit 
parameter handling / iptables-save [ Nikolai Malykh ] - Fix multiport inversion [ Phil Oester ] Bugs fixed from 1.2.11: - Fix compilation on systems where /bin/sh != bash [ Jozsef Kadlecsik ] - Fix setting lib_dir in ip*tables-{save,restore} [ Martin Josefsson ] - Fix module-autoloading in certain cases [ Harald Welte ] - libipt_TTL: limit range of valid TTL to 0-255 [ Maciej Soltysiak ] - libip6t_HL: limit range of valid HL to 0-255 [ Maciej Soltysiak ] - libip{6}t_limit: Fix half-working limit invert check [ Phil Oester ] - libipt_connbytes: Update to use the IP_CONNTRACK_ACCT counters [ Harald Welte ] - libipt_conntrack: Fix typo [ Phil Oester ] - libipt_dstlimit: Fix half-working invert check [ Phil Oester ] - libipt_helper: Prevent user from using --helper multiple times [ Nicolas Bouliane ] - libipt_iprange: Print error message if --dst-range used twice [ Nicolas Bouliane ] - libipt_nth: Fix help message syntax [ Harald Welte ] - libipt_psd: Fix option parsing [ Pablo Neira ] - libipt_random: Fix help message syntax [ Harald Welte ] - libipt_realm: Fix inversion of options [ Simon Lodal ] - libipt_time: Fix C++ style delayed variable definition [ Olivier Clerget ] - libipt_time: Print message about time match not adhering daylight saving [ Phil Oester ] - libipt_tos: Print Error message if --tos is specified twice [ Nicolas Bouliane ] - libipt_ttl: Cleanup ttl option parsing [ Phil Oester ] - libipt_u32: Fix option parsing [ Piotr Gasid'o ] Changes from 1.2.11: - libiptc: complete rewrite for performance reasons [ Harald Welte, Martin Josefsson ] - introduce "DO_MULTI=1" mode to build a muilti-call binary [ Bastiaan Bakker ] - code cleanup, use C99 initializers [ Harald Welte, Pablo Neira ] - Extension revision number support (if kernel supports the getsockopts). [ Rusty Russell ] - Don't need ipt_entry_target()/ip6t_entry_target(). [ Rusty Russell ] - Don't re-initialize libiptc/libip6t unless modprobe attempt succeeds. 
[ Rusty Russell ] - Implement IPTABLES_LIB_DIR and IP6TABLES_LIB_DIR environment variables [ Rusty Russell ] - Add manpage section about 'raw' table [ Harald Welte ] - libip{6}t_ROUTE: add ROUTE --tee mode [ Patrick Schaaf ] - libip{6}t_multiport: Print Error message when `!' is used [ Patrick McHardy, Phil Oester ] - New libip6t_physdev Match [ Bart De Schuymer ] - libipt_CLUSTERIP: Fix compiler warning about const [ Harald Welte ] - libipt_DNAT: Print Error message if `:' is used for port range - libipt_SNAT: Print Error message if `:' is used for port range [ Phil Oester ] - libipt_LOG: Add --log-uid option [ John Lange ] - libipt_MARK: add bitwise operators [ Henrik Nordstrom, Rusty Russell ] - libipt_SET: Update to ipset2 [ Jozsef Kadlecsik ] - libipt_account: Update to 0.1.16 [ Piotr Gasid'o ] - New libipt_comment Match [ Brad Fisher ] - New libipt_hashlimit Match, supersedes dstlimit [ Harald Welte ] - libipt_ttl: Use string_to_number() [ Rusty Russell ] Please note: Since version 1.2.7a, patch-o-matic is now no longer part of iptables but rather distributed as a seperate package (ftp://ftp.netfilter.org/pupatch-o-matic-ng/snapshot) iptables v1.2.11 Changelog ====================================================================== This version requires kernel >= 2.4.4 This version recommends kernel >= 2.4.18 Bugx Fixed from 1.2.10: - fix compilation on systems where /bin/sh != bash [ Jozsef Kadlecsik ] Bugs Fixed from 1.2.9: - physdev match: fix new structure layout for kernel > 2.6.0-test8 [ Bart De Schuymer ] - Better 64bit / 32bit split architecture detection - IPv6 LOG target: Fix compiler warnings on 64bit - LOG target: Fix compiler warnings on 64bit - IPv6 MARK target: Use full 64bit mark on 64bit archs - MARK target: Use full 64bit mark on 64bit archs - SAME target: Fix 64bit/32bit splitarch problems - ULOG target: Fix 64bit/32bit splitarch problems - conntrack match: Fix 64bit/32bit splitarch problem - IPv6 limit match: Fix 64bit/32bit splitarch 
problem - limit match: Fix 64bit/32bit splitarch problem - IPv6 mark match: Use full 64bit mark on 64bit archs - mark match: Use full 64bit mark on 64bit archs - owner match: Fix compiler warnings on 64bit [ Martin Jofsefsson ] - connbytes match: Fix signedness / unsigned issue [ Martin Josefsson ] - connlimit match: Fix '/0' netmask [ David Ahern ] - ipv6 owner match: fix possibly not zero terminated string - helper match: fix possibly not zero terminated string - recent match: fix possibly not zero terminated string [ Karsten Desler ] - ICMP match: fix '--icmp-type any' case [ Harald Welte ] - CONNMARK target: major update (add mark/mask matching) [ Henrik Nordstrom ] - DSCP target: Fix cosmetic help message problem [ Maciej Soltysiak ] - string match: Fix iptables-save/restore for ascii strings with spaces [ Michael Rash ] - ip(6)tables-restore: Make sure matches are used in the same order [ Martin Josefsson ] - ip(6)tables-restore: Fix '--verbose' option - ip(6)tables-restore: Add '--test' option - ip(6)tables-restore: Complain about missing 'COMMIT' [ Martin Josefsson ] - ip(6)tables-restore: Allow embedding of quote character in quoted strings [ Michael Rash ] - libipq: Protect against spoofed queue messages (check if sender is kernel) [ Harald Welte ] Changes from 1.2.9: - time match: add 'datestart' and 'datestop' parameters [ Fabrice Marie ] - modular manpage build, depending on actually compiled-in features [ Henrik Nordstrom ] - additional documentation in manpage snippets formerly missing [ Harald Welte ] - support new CLUSTERIP Target [ Harald Welte ] - support new account match [ Piotr Gasid'o ] - support new connrate match [ Nuuti Kotivuori ] - support new dstlimit match [ Harald Welte ] - support new 'set' match / 'SET' target [ Jozsef Kadlecsik ] - osf match: add support for netlink reporting [ Evgeniy Polyakov ] - new SCTP protocol match [ Kiran Kumar ] Please note: Since version 1.2.7a, patch-o-matic is now no longer part of iptables but rather 
distributed as a separate package (ftp://ftp.netfilter.org/pupatch-o-matic/)

Please also note: Since Kernel 2.6.x is out, we now use patch-o-matic-ng,
distributed as separate package: (ftp://ftp.netfilter.org/pupatch-o-matic-ng)

iptables v1.2.9 Changelog
======================================================================
This version requires kernel >= 2.4.4
This version recommends kernel >= 2.4.18

Bugs Fixed from 1.2.8:
- ip(6)tables-save/restore: fix memory leaks [ Harald Welte, Martin Josefsson ]
- ip6tables: fix printout of odd length netmasks [ Mikko Markus Torni ]
- condition match: fix iptables-save [ Stephane Ouellette ]
- fuzzy match: fix ip(6)tables-save [ Hime Aguiar e Oliveira Jr. ]
- mac match: fix ip(6)tables-save if used inverted (!)
  [ David Zambonini, Martin Josefsson ]
- ip6tables udp match: check for invalid port ranges [ Thomas Poehnitz ]
- LOG target: fix iptables-save (save loglevel numerically) [ Thomas Woerner ]
- mport match: fix iptables-save (save numerically) [ Thomas Woerner ]
- libipq: fix ipq_id_t definition on 'real' 64bit/64bit architectures [ Ryan Veety ]
- libip6tc: fix ipv6_prefix_length endianness bugs [ Mikko Markus Torni ]
- MASQUERADE target: don't accept negative port numbers [ Yasuyuki Kozakai ]
- physdev match: fix new structure layout for kernel > 2.6.0-test8 [ Bart De Schuymer ]

Changes from 1.2.8:
- build plugins for connlimit, iprange, realm, CLASSIFY, CONNMARK, NETMAP [ Harald Welte ]
- libip(6)tc: Speedup due to incremental chain cache updates [ Harald Welte ]
- recent match: Update to version 0.3.1 that was submitted to the kernel [ Stephen Frost ]
- physdev match: add --physdev-is-{in,out,bridge} option [ Bart de Schuymer ]
- REJECT target: add support for ICMP administratively prohibited [ Maciej Soltysiak ]
- conntrack match: add support for CONFIRMED / unconfirmed state [ Harald Welte ]
- ROUTE target: new option: continue traversal [ Cedric de Launois ]
- various cosmetic cleanups [ Stephane Ouellette ]
- iptables/libiptc: add support for the new 'raw' table [ Jozsef Kadlecsik ]

Please note: Since version 1.2.7a, patch-o-matic is now no longer part of
iptables but rather distributed as a separate package
(ftp://ftp.netfilter.org/pupatch-o-matic/)

iptables v1.2.8 Changelog
======================================================================
This version requires kernel >= 2.4.4
This version recommends kernel >= 2.4.18

Bugs Fixed from 1.2.7a:
- fix ip6tables-save function of 'length' match [ Gerry Skerbitz ]
- fix ip6tables-save function of 'mac' match [ Kristian Gronfeldt Sorensen ]
- fix iptables-save function of 'ULOG' target [ Jimmy Hedman ]
- fix iptables-save function of 'conntrack' match [ Lutz Pressler ]
- fix iptables-save function of 'length'
  match [ Gerry Skerbitz ]
- fix iptables-save function of 'mac' match [ Kristian Gronfeldt Sorensen ]
- fix iptables-save function of 'mark' match [ Harald Welte ]
- fix iptables-save function of 'owner' match [ Costa Tsaousis ]
- fix iptables-save function of 'pool' match [ Oskar Berggren ]
- fix iptables-save function of 'tcpmss' match [ Michael Schwendt ]
- fix iptables-save function of 'tos' match [ Harald Welte ]
- fix save/print function of 'connmark' match [ Harald Welte ]
- fix error message when invalid TCP flag is specified with 'tcp' match [ Aaron Sethman ]

Changes from 1.2.7a:
- updated version of the ROUTE target [ Cedric de Launois ]
- updated version of the 'recent' match [ Stephen Frost ]
- update the RPC conntrack match, extend it to support filtering on procedures [ Ian (Larry) Latter ]
- add support for hexstrings to the 'string' match [ Michael Rash ]
- have iptables-restore print the line number in case of an error [ Illes Marci ]
- big iptables.8 manpage update [ Herve Eychenne ]
- print loglevel human-readable in ip6tables 'LOG' target [ Michael Schwendt ]
- print loglevel human-readable in 'LOG' target [ Michael Schwendt ]
- remove bogus code from 'ecn' match [ Stephane Ouellette ]
- be more specific in help message of 'helper' match [ Herve Eychenne ]
- fix semantic problem that '-p icmp -m icmp' was matching icmp type 0 instead of 'any' [ Harald Welte ]
- fix iptables rename-chain option [ Maciej Soltysiak ]
- remove libipulog from iptables since it is distributed with ulogd [ Harald Welte ]
- support new ip6tables 'HL' target [ Maciej Soltysiak ]
- support new ip6tables 'condition' match [ Stephane Ouellette ]
- support new ip6tables 'fuzzy' match [ Maciej Soltysiak ]
- support new ip6tables 'hoplimit' match [ Maciej Soltysiak ]
- support new iptables 'CLASSIFY' target [ unknown ]
- support new iptables TARPIT target [ Aaron Hopkins ]
- support new iptables 'condition' match [ Stephane Ouellette ]
- support new iptables 'fuzzy' match [ Hime
  Junior ]
- support new iptables 'physdev' match (for 2.5.x bridging) [ Bart de Schuymer ]
- support new iptables 'u32' match (based on u32 tc filter) [ Don Cohen ]

Please note: As of version 1.2.7a, patch-o-matic is now no longer part of
iptables but rather distributed as a separate package
(ftp://ftp.netfilter.org/pupatch-o-matic/)

iptables v1.2.7a (== fixed 1.2.7) Changelog
======================================================================
This version requires kernel >= 2.4.4
This version recommends kernel >= 2.4.18

Bugs Fixed from 1.2.6a:
- fix compiler warning in userspace support for ipv6 REJECT target [ Fabrice Marie ]
- check for invalid portranges in tcp+udp helper (e.g. 2000:100) [ Thomas Poehnitz ]
- fix save/restore functions of ip6tables tcp/udp extension [ Harald Welte / Andras Kis-Szabo ]
- check for invalid (out of range) nfmark values in MARK target [ Alexey ??? ]
- fix save function of MASQUERADE userspace support [ A. van Schie ]
- compile fixes for userspace support of experimental POOL target [ ? ]
- fix save function of userspace support for ah and esp match [ ? ]
- fix static build (NO_SHARED_LIBS) [ Roberto Nibali ]
- fix save/restore function of userspace support for mport match [ Bob Hockney ]
- update manpages to reflect recent changes [ Herve Eychenne, Harald Welte ]
- remove all remnants of the 'check' option [ ?
  ]

Changes from 1.2.6a:
- patch-o-matic is now no longer part of iptables but rather distributed as a separate package (ftp://ftp.netfilter.org/pupatch-o-matic/) [ Harald Welte ]
- userspace support for dscp match and target [ Harald Welte ]
- userspace support for ecn match and target [ Harald Welte ]
- userspace support for helper match [ Martin Josefsson ]
- userspace support for conntrack match [ Marc Boucher ]
- userspace support for pkttype match [ Martin Ludvig ]
- userspace support for experimental ROUTE target [ Cédric de Launois ]
- userspace support for experimental ipv6 ahesp match [ Andras Kis-Szabo ]
- userspace support for experimental ipv6 option header match [ Andras Kis-Szabo ]
- userspace support for experimental ipv6 routing header match [ Andras Kis-Szabo ]
- add matching of process name to userspace support of owner match [ Marc Boucher ]
- new version of userspace support for 'recent' match [ Stephen Frost ]

iptables v1.2.6a (== fixed 1.2.6) Changelog
======================================================================
This version requires kernel >= 2.4.4
This version recommends kernel >= 2.4.18

Bugs Fixed from 1.2.5:
- Fix iptables segfault problem when using `!' without argument [ Dionis Papavramidis, Harald Welte ]
- Fix PSD match for psd-delay-threshold > 100 [ Steven Coenen, Dennis Koslowski ]
- ip6tables alignment fixes [ Andreas Herrmann ]
- patch-o-matic:
  - Fix NAT-related bug in TCP window tracking code [ Jozsef Kadlecsik ]
  - Fix support for DNAT of locally-originated connections (NAT in LOCAL_OUT) [ Henrik Nordstrom, Harald Welte ]
  - Fix string match (is now SMP safe) [ Gianni Tedesco ]
  - Fix TFTP conntrack/nat helper (now also catches first packet) [ Magnus Boden ]

Changes from 1.2.5:
- Added global PREFIX makefile variable for all paths [ Harald Welte ]
- If compiled without any COPT_FLAGS, debugging is disabled.
  To enable debugging, use -DIPTC_DEBUG [ Harald Welte ]
- New ip6tables-restore and ip6tables-save manpage [ Andras Kis-Szabo ]
- Sync ip6tables-restore and ip6tables-save with iptables-restore [ Andras Kis-Szabo ]
- Sync ip6tables with iptables [ Andras Kis-Szabo ]
- mangle table attaches now to all five netfilter hooks [ Brad Chapman, Harald Welte ]
- iptables and ip6tables manpage updates [ Herve Eychenne ]
- patch-o-matic program now supports removal of already-applied patches [ Bob Hockney ]
- patch-o-matic program now supports patches to the userspace extensions [ Fabrice Marie ]
- patch-o-matic:
  - Extend recent match to support multiple recent lists [ Stephen Frost ]
  - New GRE and PPTP connection tracking and NAT helper [ Harald Welte ]
  - New CONNMARK target for marking all packets within one connection [ Henrik Nordstrom ]
  - New conntrack match, enables matching on more conntrack information than state [ Marc Boucher ]
  - New DSCP match and target (DSCP header field obsoletes TOS) [ Harald Welte ]
  - New owner match extension: Match on process name [ Marc Boucher ]
  - Add support for bitwise AND / OR manipulation on nfmark [ Fabrice Marie ]
  - New experimental patch for disabling TCP connection tracking pickup [ Harald Welte ]
  - Add support for SACK in all NAT helpers [ Harald Welte ]
  - Make eggdrop botnet connection tracking support work with eggdrop v1.6.x [ Magnus Sandin ]
  - Add support to REJECT for sending icmp-unreachable messages from a fake source address [ Fabrice Marie ]
  - Add support for ntalk2 to talk NAT helper [ Jozsef Kadlecsik ]
  - Big update to newnat patch [ Jozsef Kadlecsik, Paul P Komkoff ]

iptables v1.2.6 Changelog
======================================================================
This version requires kernel >= 2.4.4
This version recommends kernel >= 2.4.18

Bugs Fixed from 1.2.5:
- Fix iptables segfault problem when using `!'
  without argument [ Dionis Papavramidis, Harald Welte ]
- Fix PSD match for psd-delay-threshold > 100 [ Steven Coenen, Dennis Koslowski ]
- ip6tables alignment fixes [ Andreas Herrmann ]
- patch-o-matic:
  - Fix NAT-related bug in TCP window tracking code [ Jozsef Kadlecsik ]
  - Fix support for DNAT of locally-originated connections (NAT in LOCAL_OUT) [ Henrik Nordstrom, Harald Welte ]
  - Fix string match (is now SMP safe) [ Gianni Tedesco ]
  - Fix TFTP conntrack/nat helper (now also catches first packet) [ Magnus Boden ]

Changes from 1.2.5:
- Added global PREFIX makefile variable for all paths [ Harald Welte ]
- If compiled without any COPT_FLAGS, debugging is disabled. To enable debugging, use -DIPTC_DEBUG [ Harald Welte ]
- New ip6tables-restore and ip6tables-save manpage [ Andras Kis-Szabo ]
- Sync ip6tables-restore and ip6tables-save with iptables-restore [ Andras Kis-Szabo ]
- Sync ip6tables with iptables [ Andras Kis-Szabo ]
- mangle table attaches now to all five netfilter hooks [ Brad Chapman, Harald Welte ]
- iptables and ip6tables manpage updates [ Herve Eychenne ]
- patch-o-matic program now supports removal of already-applied patches [ Bob Hockney ]
- patch-o-matic program now supports patches to the userspace extensions [ Fabrice Marie ]
- patch-o-matic:
  - Extend recent match to support multiple recent lists [ Stephen Frost ]
  - New GRE and PPTP connection tracking and NAT helper [ Harald Welte ]
  - New CONNMARK target for marking all packets within one connection [ Henrik Nordstrom ]
  - New conntrack match, enables matching on more conntrack information than state [ Marc Boucher ]
  - New DSCP match and target (DSCP header field obsoletes TOS) [ Harald Welte ]
  - New owner match extension: Match on process name [ Marc Boucher ]
  - Add support for bitwise AND / OR manipulation on nfmark [ Fabrice Marie ]
  - New experimental patch for disabling TCP connection tracking pickup [ Harald Welte ]
  - Add support for SACK in all NAT helpers [ Harald Welte ]
  - Make eggdrop
    botnet connection tracking support work with eggdrop v1.6.x [ Magnus Sandin ]
  - Add support to REJECT for sending icmp-unreachable messages from a fake source address [ Fabrice Marie ]
  - Add support for ntalk2 to talk NAT helper [ Jozsef Kadlecsik ]
  - Big update to newnat patch [ Jozsef Kadlecsik, Paul P Komkoff ]

iptables v1.2.5 Changelog
======================================================================
This version requires kernel >= 2.4.4
This version recommends kernel > 2.4.14

Bugs Fixed from 1.2.4:
- make iptables-restore accept --table as well as -t option [ Andreas Ferber ]
- make iptables-restore -v / --verbose option work [ Marc Boucher ]
- fix iptables-save problems with saving "ppp+" style interface wildcards [ Harald Welte ]
- make iptables accept '_' and '.' in interface names [ Harald Welte ]
- Kernel bugfixes in patch-o-matic:
  - Fix IRC NAT srcaddr fix (we used to nat DCC connections to the address of the IRC server) [ Bob Hockney ]
  - Fix potential Oops in TOS target module [ Edward Killips ]
  - Fix problem when raw socket has cloned skb while netfilter doing payload modification [ Rusty Russell ]
  - Fix memory leak in ipchains redirect code [ Rusty Russell ]
  - Fix reintroduced ECN problem with unclean match [ Guillaume Morin ]
  - Fix MAC address match problem with small udp packets [ Harald Welte ]

Changes from 1.2.4:
- Whole patch-o-matic system restructured - now supports multiple patch repositories (submitted, pending, base, extra, newnat).
  [ Jozsef Kadlecsik ]
- Add IPv6 support to the QUEUE target and libipq [ Fernando Anton / James Morris ]
- New patch-o-matic patches:
  - New IPV4OPTSSTRIP target to strip IP options [ Fabrice Marie ]
  - New ipv6header match to match IPv6 header options [ Brad Chapman / Andras Kis-Szabo ]
  - New helper match to match RELATED connections on their conntrack helper [ Martin Josefsson ]
  - New quota match to have fixed IP quotas [ Sam Johnston ]
  - New recent match to match recently seen packets [ Stephen Frost ]

iptables v1.2.4 Changelog
======================================================================
This version requires kernel >= 2.4.4
This version recommends kernel > 2.4.9

Bugs Fixed from 1.2.3:
- make iptables-restore print error message instead of segfault when processing broken / wrong input. [ ]
- string_to_number fix in LOG, IPv6 LOG, TOS and FTOS target [ ]
- fix iptables-save problems when saving MIRROR rules [ Harald Welte ]
- fix IPv6 ICMP problems [ ]
- fix TTL increment in TTL target [ ]
- Kernel bugfixes in patch-o-matic:
  - Fix printing of inner-packet in ICMP error messages (LOG target) [ ]
  - Decrement TTL when using MIRROR target at PRE_ROUTING [ ]
  - fix undiscovered REJECT checkentry() bug (alignment) [ Bert Hubert ]

Changes from 1.2.3:
- New "make most-of-pom" feature for application of non-conflicting patches. This should be used instead of "make patch-o-matic" by most users. [ Harald Welte ]
- iptables-save and iptables-restore now included in the default install; they are no longer experimental for quite some time. [ Harald Welte ]
- synchronize ip6tables-save/restore with iptables-save/restore [ Harald Welte ]
- more precise save() function for ipt_limit rates [ ]
- new improved version of nth-match.
  Added support for multiple counters, added support for matching on individual packets in the counter cycle [ Richard Wagner ]
- added manpage for ip6tables [ ]
- updated libipq documentation [ ]
- added timeout to libipq recv function [ ]
- New patch-o-matic patches:
  - New random match [ ]
  - New ftp-fxp patch, imposes security risk but some people need it *sigh* [ Magnus Sandin ]
  - New H323 conntrack + nat modules [ Jozsef Kadlecsik ]
  - New version of tcp-window tracking patch, includes sysctl() changeable timeouts [ Jozsef Kadlecsik ]

iptables v1.2.3 Changelog
======================================================================
This version requires kernel 2.4.4 or above.
This version recommends kernel 2.4.9 or above.

Bugs Fixed from 1.2.2:
- fix ICMPv6 support for IPv6 [ Kis-Szabo Andras ]
- fix problems with REJECT and iptables-restore / iptables-save [ Harald Welte ]
- fix possible string overflow in psd match [ Dennis Koslowski ]
- fix string match compile problems [ Gianni Tedesco ]
- support interfaces with '_' (underscore) in device names [ Harald Welte ]
- support rules without target in iptables-save [ Emmanuel Fleury ]
- correct handling of "eth+" type interface names in iptables-save/restore [ Harald Welte ]
- do incremental checksumming when altering TTL in TTL target [ Harald Welte ]
- fix no-srr case in ipv4options match [ Fabrice Marie ]
- Kernel bugfixes in patch-o-matic:
  - Fix unexported ip6_table symbols [ Brad Chapman ]
  - Decrement TTL in MIRROR target if used in FORWARD chain [ Harald Welte, Fabian Melzow ]
  - Replace SACKPERM TCP option with NOOP (instead of ENDOFOPT) [ Guillaume Morin ]

Changes from 1.2.2:
- New "make most-of-pom" feature for application of non-conflicting patches. This should be used instead of "make patch-o-matic" by most users.
  [ Harald Welte ]
- support for statically linking iptables, without need for .so plugins [ David McCullough ]
- support for multiple ranges in SAME target [ Martin Josefsson ]
- support for router alert options in ipv4options match [ Fabrice Marie ]
- modprobe() modules when doing iptables-restore [ Andries van Schie ]
- remove obsolete fragment matching code in IPv6 [ Kis-Szabo Andras ]
- add support for dns hostnames to IPv6 code [ Kis-Szabo Andras ]
- New patch-o-matic patches:
  - New multiport (mport) match [ Andreas Ferber ]
  - New nth match for matching every n-th packet [ Fabrice Marie ]
  - New realm match for matching the routing realm [ Sampsa Ranta ]
  - New ctnetlink patch for manipulation of conntrack from userspace [ Jay Schulist ]
  - New REJECT Target for IPv6 [ Harald Welte ]
  - New length match for IPv6 [ Imran Patel ]
  - New multiport (mport) match for IPv6 [ Andreas Ferber ]

iptables v1.2.1 Changelog
======================================================================
This version requires kernel 2.4.0 or above.
Bugs Fixed from 1.2:
- Missing quotes around log-prefix [ Bart Theunissen ]
- Bug in save function of string match [ Gianni Tedesco ]
- ip6tables.c string buffer size fixes [ Andras Kis-Szabo ]
- dependency problem with iptables-save / iptables-restore [ Harald Welte ]
- strtok problem with iptables-save / iptables-restore [ Harald Welte ]
- Problems with tcp/udp extension and multiple calls of do_command() [ Sven Koch ]
- Kernel bugfixes in patch-o-matic:
  - Updated rpc-record patch to work with 2.4.0 [ Marc Boucher ]
  - New ftp-pasv patch for fixing PASV detection with some ftpd's [ Erik Hensema ]
  - Fix checksum calculation of TOS target [ Rusty Russell ]

Changes from 1.2:
- New `pending-patches' target [ Rusty Russell ]
- build all shared library extensions regardless of kernel tree [ Rusty Russell ]
- New counter-restore functions for iptables [ Harald Welte ]
- Added libiptc and libipulog to `devel' Makefile target [ Harald Welte ]
- Ported iptables-save/restore to IPv6 [ Andras Kis-Szabo ]
- Updated ULOG target (now in-kernel accumulation [= higher performance]) [ Harald Welte ]
- Added fxp support to ftp-multi patch [ Magnus Sandin ]
- Implemented Boyer Moore Sublinear search algorithm for string match [ Gianni Tedesco ]
- Fixed tcp-window-tracking incompatibility with NAT helpers [ Harald Welte ]
- New patch-o-matic patches:
  - New generic sequence number offset API for nat helpers [ Harald Welte ]
  - New psd (port-scan-detection) match [ Dennis Koslowski, Markus Henning ]
  - New NETLINK target for old ipchains -o behaviour [ Gianni Tedesco ]
  - New SAME target as a special case of SNAT [ Martin Josefsson ]
  - Ported LOG target to IPv6 [ Jan Rekorajski ]
  - Ported owner, limit, mac and multiport match to IPv6 [ Jan Rekorajski ]

iptables v1.2.2 Changelog
======================================================================
This version requires kernel 2.4.1 or above.
This version recommends kernel 2.4.4 or above.
Bugs Fixed from 1.2.1a:
- fixes for SAME Target [ Martin Josefsson ]
- fixes for iplimit match in combination with iptables-save/-restore [ Gerd Knorr ]
- fix for TCP match in combination with iptables-save/-restore [ Ian Lynagh ]
- iptables-restore now deals correctly with spaces in --log-prefix [ Harald Welte ]
- fix in 'isapplied' script. It used to give false negatives [ Harald Welte ]
- fix in BALANCE target, target now uses full ip address range [ Martin Josefsson ]
- fix for NETLINK target, was sending wrong interface name [ Gianni Tedesco ]
- fix for collision of ftp and irc NAT helpers [ Harald Welte ]
- ip6tables brought in sync with iptables [ Kis-Szabo Andras ]
- Kernel bugfixes in patch-o-matic:
  - Fix possible security vulnerability in ip_conntrack_ftp [ Cristiano Lincoln Mattos, James Morris and Rusty ]

Changes from 1.2.1a:
- libiptc should now be usable from C++ applications [ Fabrice MAURIE ]
- seqoffset-,ftp-security, ... patches are combined in 2.4.4.patch [ Rusty Russell ]
- lots of old pre-2.4.1 patches now combined in 2.4.1.patch [ Rusty Russell ]
- IRC conntrack + nat cleanup [ Harald Welte ]
- string match cleanup [ Gianni Tedesco ]
- ULOG cleanup, new version. Fixes 'unable to send nflink' bug [ Harald Welte ]
- New patch-o-matic patches:
  - New NETMAP Target for mapping whole networks 1:1 to other addresses [ Svenning Soerensen ]
  - New length Target for matching packet length [ James Morris ]
  - New ipv4options match for matching IPv4 header options [ Fabrice MARIE ]
  - New IPv6 agr match for matching IPv6 global aggregatable unicast addresses [ Andras Kis-Szabo ]
  - New pkttype match for matching link-layer multicast / broadcast packets [ Michal Ludvig ]
  - New time match for matching the packet's receive time [ Fabrice MARIE ]
  - New talk conntrack + NAT helper module [ Jozsef Kadlecsik ]

iptables v1.2 Changelog
======================================================================
This version requires 2.4.0-test9 or above.
Bugs Fixed from 1.1.2:
- Now default installs into /usr/local/sbin, not /usr/local/bin.
- Only does IPv6 compilation on libc6.
- More header fixes for weird header combos.
- ip6tables now refers to "icmpv6" protocol, not "icmp". [ Harald Welte ]
- IPPROTO_ESP and AH defined in iptables for primitive headers.
- iptables multiple-DNS resolve fixed [ Harald Welte, Rusty ]
- Kernel bugfixes in patch-o-matic:
  - IPv6 netfilter fixes [ Harald Welte ]
  - Masquerade with fwmark routing fix
  - Dynamic hashsize optimization (NAT) + `hashsize=' module parameter.
  - NAT overlap fix
  - PPC/Sparc mangle table fix.

Changes from 1.1.2:
- New `install-devel' target [ James Morris ]
- libipq now has man pages! [ James Morris ]
- iptables-save and iptables-restore added (with man pages!) [ Harald Welte ]
- iptables now inserts modules if CONFIG_KMOD or --modprobe [ Harald Welte, Rusty ]
- New `experimental' and `install-experimental' targets.
- `--reject-with=echo-reply' removed in anticipation of the removal of kernel support.
- ttl match enhancements (greater or less than tests) [ Harald Welte ]
- Reworked patch-o-matic interface, to force reading of help.
- patch-o-matic updated for new 2.4 Makefiles [ Daniel Stone, Harald Welte ]
- patch-o-matic now supports non-IPv4 netfilter patches [ Harald Welte ]
- New patch-o-matic patches:
  - eggdrop bot connection tracking [ Magnus Sandin ]
  - FTOS target for full ToS mangling. [ Matthew G. Marsh ]
  - BALANCE target for simple load-balancing.
  - iplimit match for limiting number of connections. [ Gerd Knorr ]
  - IPv6 MARK target [ Harald Welte ]
  - IPv6 mark match [ Harald Welte ]

iptables v1.1.2 Changelog
======================================================================
This version requires 2.4.0-test9 or above.
Bugs Fixed from 1.1.1:
- Adding rules on UltraSparc now works
- string_to_number now handles overflow [ Jan Echternach ]
- Bug when using ridiculous rule numbers fixed

Changes from 1.1.1:
- patch-o-matic system added:
  - TTL alteration and ttl matching support -- Harald Welte
  - AH/ESP matching support -- Yon Uriarte
  - DROPPED table support -- Rusty
  - ftp-multi patch for non-standard ftp servers -- Harald Welte
  - IRC connection tracking & NAT -- Harald Welte
  - pool match and POOL target -- Patrick
  - RPC recording patch -- Marcelo Barbosa Lima
  - SNMP NAT support -- James Morris
  - string match for looking in packet's data -- Emmanuel Roger
  - tcp-MSS target for altering MSS -- Marc Boucher
  - ULOG target for advanced logging -- Harald Welte
- Minor const cleanups [ Jan Echternach ]
- iptables.8 updates [ Harald Welte, Rusty ]
- Better warnings for non-existent matches/missing libraries [ Harald Welte ]
- Improved isapplied script