Release of iptables-1.3.7

Release of iptables-1.3.7

[Netfilter Core Team]

Hi!

The netfilter coreteam proudly presents:

	iptables version 1.3.7

The 1.3.7 version contains accumulated bugfixes to the last 1.3.6
version. This comes a bit earlier after the last release than
usual because the endian annotations in 2.6.19 broke iptables
compilation, which is fixed with this version.

The ChangeLog is attached to this mail.

Version 1.3.7 can be obtained from:

	http://www.netfilter.org/projects/iptables/files/iptables-1.3.7.tar.bz2
	ftp://ftp.netfilter.org/pub/iptables/iptables-1.3.7.tar.bz2

More information can be found at the netfilter/iptables project
homepage, available at:

	http://www.netfilter.org/

Happy firewalling,
	Patrick (for the Netfilter Core Team)


As a side note: since usually Harald takes care of releases
and I'm quite unfamiliar with the process, there's a good
chance I messed something up. Please let me know about any
problems.

Re: Release of iptables-1.3.7

[Netfilter Core Team]

[-- Attachment #1: Type: text/plain, Size: 436 bytes --]

Netfilter Core Team wrote:
> Hi!
> 
> The netfilter coreteam proudly presents:
> 
> 	iptables version 1.3.7
> 
> The 1.3.7 version contains accumulated bugfixes to the last 1.3.6
> version. This comes a bit earlier after the last release than
> usual because the endian annotations in 2.6.19 broke iptables
> compilation, which is fixed with this version.
> 
> The ChangeLog is attached to this mail.

It should have been at least :)



[-- Attachment #2: changes-iptables-1.3.7.txt --]
[-- Type: text/plain, Size: 1149 bytes --]

Bugs fixed since 1.3.6:

- Fix compilation error with linux 2.6.19
  [ Patrick McHardy ]

- Fix LOG target segfault with --log-prefix ""
  [ Mike Frysinger, Bugzilla #516 ]

- Fix conflicting getsockopt optname values for IP6T_SO_GET_REVISION_{MATCH,TARGET}
  [ Yasuyuki KOZAKAI ]

- Fix -E (rename) in iptables/ip6tables
  [ Krzysztof Piotr Oledzki ]

- Fix /etc/network usage
  [ Pablo Neira ]

- Fix iptables-save not printing -s/-d ! 0/0
  [ Patrick McHardy ]

- Fix ip6tables-save unnecessarily printing -s/-d options for zero prefix length
  [ Daniel De Graaf ]

New features since 1.3.6:

- Add revision support for ip6tables
  [ R?mi Denis-Courmont ]

- Add port range support for ip6tables multiport match
  [ R?mi Denis-Courmont ]

- Add sctp match extension for ip6tables
  [ Patrick McHardy ]

- Add iptables-xml tool
  [ Amin Azez ]

- Add hashlimit support for ip6tables (needs kernel > 2.6.19)
  [ Patrick McHardy ]

- Use /lib/modules/$(shell uname -r)/build instead of /usr/src/linux to look for kernel source
  [ Patrick McHardy ]

- Add NFLOG target extension for iptables/ip6tables (needs kernel > 2.6.19)
  [ Patrick McHardy ]

Re: [ANNOUNCE] Release of iptables-1.3.7

[Yasuyuki KOZAKAI]

Hi,

DO_MULTI=1 causes build error because iptables-xml.c has same symbols
in ip[6]tables.c.

BTW, why we need to combine iptables-xml with other commands ? It doesn't
use any feature in ip[6]tables then binary size wouldn't be smaller
so much. Or anyone has plan to implement XML style output to
matches/targets ?

Anyway I'll apply this patch if no objection.

Regards,

-- Yasuyuki Kozakai

>From 52ed971f819cb0e7f32c95a75e3f5d052906519d Mon Sep 17 00:00:00 2001
From: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Date: Thu, 7 Dec 2006 21:06:03 +0900
Subject: fix error on compilation if DO_MULTI=1

---
 iptables-multi.c |    3 +++
 iptables-xml.c   |    8 +++++---
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/iptables-multi.c b/iptables-multi.c
index 0563099..9e576ad 100644
--- a/iptables-multi.c
+++ b/iptables-multi.c
@@ -6,6 +6,7 @@
 int iptables_main(int argc, char **argv);
 int iptables_save_main(int argc, char **argv);
 int iptables_restore_main(int argc, char **argv);
+int iptables_xml_main(int argc, char **argv);
 
 int main(int argc, char **argv) {
   char *progname;
@@ -24,6 +25,8 @@ int main(int argc, char **argv) {
     
     if (!strcmp(progname, "iptables-restore"))
       return iptables_restore_main(argc, argv);
+    if (!strcmp(progname, "iptables-xml"))
+      return iptables_restore_main(argc, argv);
     
     fprintf(stderr, "iptables multi-purpose version: unknown applet name %s\n", progname);
     exit(1);
diff --git a/iptables-xml.c b/iptables-xml.c
index 34437e0..3a9a511 100644
--- a/iptables-xml.c
+++ b/iptables-xml.c
@@ -26,8 +26,9 @@
 /* no need to link with iptables.o */
 const char *program_name;
 const char *program_version;
-int line = 0;
 
+#ifndef IPTABLES_MULTI
+int line = 0;
 void
 exit_error(enum exittype status, char *msg, ...)
 {
@@ -41,6 +42,7 @@ exit_error(enum exittype status, char *m
 	/* On error paths, make sure that we don't leak memory */
 	exit(status);
 }
+#endif
 
 static void print_usage(const char *name, const char *version)
 	    __attribute__ ((noreturn));
@@ -66,7 +68,7 @@ print_usage(const char *name, const char
 	exit(1);
 }
 
-int
+static int
 parse_counters(char *string, struct ipt_counters *ctr)
 {
 	if (string != NULL)
@@ -605,7 +607,7 @@ do_rule(char *pcnt, char *bcnt, int argc
 
 #ifdef IPTABLES_MULTI
 int
-iptables_restore_main(int argc, char *argv[])
+iptables_xml_main(int argc, char *argv[])
 #else
 int
 main(int argc, char *argv[])
-- 
1.4.4

Re: [ANNOUNCE] Release of iptables-1.3.7

[Amin Azez]

Yasuyuki KOZAKAI wrote:
> Hi,
>
> DO_MULTI=1 causes build error because iptables-xml.c has same symbols
> in ip[6]tables.c.
>   
Thanks for the patch
> BTW, why we need to combine iptables-xml with other commands ? It doesn't
> use any feature in ip[6]tables then binary size wouldn't be smaller
> so much. Or anyone has plan to implement XML style output to
> matches/targets ?
>   
I do. I'll give it a little longer for anyone to feedback on the xml format.

Sam

Re: [ANNOUNCE] Release of iptables-1.3.7

[Carl-Daniel Hailfinger]

Hi,

it seems that the release has been signed with an expired key:

# gpg --verify iptables-1.3.7.tar.bz2.sig
gpg: Signature made Mon Dec  4 14:20:20 2006 CET using DSA key ID CA9A8D5B
gpg: Good signature from "Netfilter Core Team <coreteam@netfilter.org>"
gpg: Note: This key has expired!
Primary key fingerprint: 02AC E2A4 74DD 09D7 FD45  2E2E 35FA 89CC CA9A 8D5B

# gpg --list-keys CA9A8D5B
pub   1024D/CA9A8D5B 2001-09-15 [expired: 2006-09-14]
uid                  Netfilter Core Team <coreteam@netfilter.org>

I'd appreciate a clarification about this problem.

Regards,
Carl-Daniel

Re: [ANNOUNCE] Release of iptables-1.3.7

[Patrick McHardy]

Carl-Daniel Hailfinger wrote:
> it seems that the release has been signed with an expired key:
> 
> # gpg --verify iptables-1.3.7.tar.bz2.sig
> gpg: Signature made Mon Dec  4 14:20:20 2006 CET using DSA key ID CA9A8D5B
> gpg: Good signature from "Netfilter Core Team <coreteam@netfilter.org>"
> gpg: Note: This key has expired!
> Primary key fingerprint: 02AC E2A4 74DD 09D7 FD45  2E2E 35FA 89CC CA9A 8D5B
> 
> # gpg --list-keys CA9A8D5B
> pub   1024D/CA9A8D5B 2001-09-15 [expired: 2006-09-14]
> uid                  Netfilter Core Team <coreteam@netfilter.org>
> 
> I'd appreciate a clarification about this problem.


Yes, we currently don't have any other key.