[ANNOUNCE] Release of iptables 1.3.8

[ANNOUNCE] Release of iptables 1.3.8

[Pablo Neira Ayuso]

[-- Attachment #1.1: Type: text/plain, Size: 667 bytes --]

Hi!

The netfilter coreteam proudly presents:

	iptables version 1.3.8

This release contains lots of accumulated bugfixes, manpage updates, and
support for IPv6-MH, TCPMSS and port randomization for NAT. The
ChangeLog is attached to this mail. Upgrade is recommended.

Version 1.3.8 can be obtained from:

http://www.netfilter.org/projects/iptables/downloads.html
ftp://ftp.netfilter.org/pub/iptables/

Happy firewall,
Pablo (on behalf of the Netfilter Core Team)

-- 
"Países en desarrollo es el nombre con que los expertos designan a los
países arrollados por el desarrollo ajeno" -- Patas Arriba. La Escuela
del Mundo al Revés -- E. Galeano

[-- Attachment #1.2: ChangeLog --]
[-- Type: text/plain, Size: 1738 bytes --]

- Fix build error of conntrack match
	[Yasuyuki Kozakai]

- Remove whitespace in ip6tables.c
	[Yasuyuki Kozakai]

- `-p all' and `-p 0' should be allowed in ip6tables
	[Yasuyuki Kozakai]

- hashlimit doc update
	[Jan Engelhardt]

- add --random option to DNAT and REDIRECT
	[Patrick McHardy]

- Makefile uses POSIX conform directory check
	[Roy Marples]

- Fix missing newlines in iptables-save/restore output
	[Pavol Rusnak]

- Update quota manpage for SMP
	[Phil Oester]

- Output for unspecified proto is `all' instead of `0'
	[Phil Oester]

- Fix iptables-save with --random option
	[Patrick McHardy]

- Remove unnecessary IP_NAT_RANGE_PROTO_RANDOM ifdefs
	[Patrick McHardy]

- Remove libnsl from LDLIBS
	[Patrick McHardy]

- Fix problem with iptables-restore and quotes
	[Pablo Neira Ayuso]

- Remove unnecessary includes
	[Patrick McHardy]

- Fix --modprobe parameter
	[Maurice van der Pot]

- ip6tables-restore should output error of modprobe after failed to load
	[Yasuyuki Kozakai]

- Add random option to SNAT
	[Eric Leblond]

- Fix missing space in error message
	[Patrick McHardy]

- Fixes for manpages of tcp, udp, and icmp{,6}
	[Yasuyuki Kozakai]

- Add ip6tables mh extension
	[Masahide Nakamura]

- Fix tcpmss manpage
	[Patrick McHardy]

- Add ip6tables TCPMSS extension
	[Arnaud Ebalard]

- Add UDPLITE multiport support
	[Patrick McHardy]

- Fix missing space in ruleset listing
	[Patrick McHardy]

- Remove extensions for unmaintained/obsolete patchlets
	[Patrick McHardy]

- Fix greedy debug grep
	[Patrick McHardy]

- Fix type in manpage
	[Thomas Aktaia]

- Fix compile/install error for iptables-xml with DO_MULTI=1
	[Lutz Jaenicke]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 252 bytes --]

Re: [ANNOUNCE] Release of iptables 1.3.8

[David Ford]

http://bugs.gentoo.org/show_bug.cgi?id=166201


bug quote>

> I got this error after upgrading to sys-kernel/gentoo-sources-2.6.20(with
> net-firewall/iptables-1.3.7).
>
> # iptables --table mangle --append OUTPUT --jump MARK --set-mark 2
> iptables: Invalid argument
>
> dmesg says:
> ip_tables: MARK target: invalid size 16 != 24
>
> similar error occurs when using CONNMARK target, mark match and connmark match.
>
> I found an entry on the netfilter mailing list saying:
> The latest -git kernel includes compatibility functions for 32 bit
> userspace. You need to compile your iptables without the
> KERNEL_64_USERSPACE_32 thing though (edit main Makefile).
>
>
> I did so and removed -DKERNEL_64_USERSPACE_32 from the Makefile and it worked.

Any comments from netfilter team on this?

Thank you,
-david

Re: [ANNOUNCE] Release of iptables 1.3.8

[Patrick McHardy]

David Ford wrote:
> http://bugs.gentoo.org/show_bug.cgi?id=166201
> 
> 
> bug quote>
> 
>>I got this error after upgrading to sys-kernel/gentoo-sources-2.6.20(with
>>net-firewall/iptables-1.3.7).
>>
>># iptables --table mangle --append OUTPUT --jump MARK --set-mark 2
>>iptables: Invalid argument
>>
>>dmesg says:
>>ip_tables: MARK target: invalid size 16 != 24
>>
>>similar error occurs when using CONNMARK target, mark match and connmark match.
>>
>>I found an entry on the netfilter mailing list saying:
>>The latest -git kernel includes compatibility functions for 32 bit
>>userspace. You need to compile your iptables without the
>>KERNEL_64_USERSPACE_32 thing though (edit main Makefile).
>>
>>
>>I did so and removed -DKERNEL_64_USERSPACE_32 from the Makefile and it worked.
> 
> 
> Any comments from netfilter team on this?


Indeed, thanks for the reminder. The KERNEL_64_USERSPACE_32 stuff
needs to go.

Patches for that are welcome.

Re: [ANNOUNCE] Release of iptables 1.3.8

[Yasuyuki KOZAKAI]

From: Patrick McHardy <kaber@trash.net>
Date: Tue, 26 Jun 2007 11:21:58 +0200

> >>I did so and removed -DKERNEL_64_USERSPACE_32 from the Makefile and it worked.
> > 
> > 
> > Any comments from netfilter team on this?
> 
> 
> Indeed, thanks for the reminder. The KERNEL_64_USERSPACE_32 stuff
> needs to go.
> 
> Patches for that are welcome.

How state on this is ? If anyone doesn't do it until I come from dinner,
I'll take it. It conflicts some of xtasble patches I've updated.

-- Yasuyuki Kozakai

Re: [ANNOUNCE] Release of iptables 1.3.8

[Patrick McHardy]

Yasuyuki KOZAKAI wrote:
> From: Patrick McHardy <kaber@trash.net>
> Date: Tue, 26 Jun 2007 11:21:58 +0200
>> Indeed, thanks for the reminder. The KERNEL_64_USERSPACE_32 stuff
>> needs to go.
>>
>> Patches for that are welcome.
>>     
>
> How state on this is ? If anyone doesn't do it until I come from dinner,
> I'll take it. It conflicts some of xtasble patches I've updated.

I don't think anyone is working on it so far.

Re: [ANNOUNCE] Release of iptables 1.3.8

[Yasuyuki KOZAKAI]

From: Patrick McHardy <kaber@trash.net>
Date: Thu, 28 Jun 2007 13:52:55 +0200

> Yasuyuki KOZAKAI wrote:
> > From: Patrick McHardy <kaber@trash.net>
> > Date: Tue, 26 Jun 2007 11:21:58 +0200
> >> Indeed, thanks for the reminder. The KERNEL_64_USERSPACE_32 stuff
> >> needs to go.
> >>
> >> Patches for that are welcome.
> >>     
> >
> > How state on this is ? If anyone doesn't do it until I come from dinner,
> > I'll take it. It conflicts some of xtasble patches I've updated.
> 
> I don't think anyone is working on it so far.

Done to commit. But I didn't kill KERNEL_64_USERSPACE_32 from Makefile,
SAME, and CLUSTERIP. They doesn't have compat layer in kernel
in the current.

-- Yasuyuki Kozakai

Re: [ANNOUNCE] Release of iptables 1.3.8

[Patrick McHardy]

Yasuyuki KOZAKAI wrote:
> From: Patrick McHardy <kaber@trash.net>
> Date: Thu, 28 Jun 2007 13:52:55 +0200
>
>   
>> Yasuyuki KOZAKAI wrote:
>>     
>>> From: Patrick McHardy <kaber@trash.net>
>>> Date: Tue, 26 Jun 2007 11:21:58 +0200
>>>       
>>>> Indeed, thanks for the reminder. The KERNEL_64_USERSPACE_32 stuff
>>>> needs to go.
>>>>
>>>> Patches for that are welcome.
>>>>     
>>>>         
>>> How state on this is ? If anyone doesn't do it until I come from dinner,
>>> I'll take it. It conflicts some of xtasble patches I've updated.
>>>       
>> I don't think anyone is working on it so far.
>>     
>
> Done to commit. But I didn't kill KERNEL_64_USERSPACE_32 from Makefile,
> SAME, and CLUSTERIP. They doesn't have compat layer in kernel
> in the current.
>   

Thanks. I can fix CLUSTERIP. SANE is not too important since its
deprecated and unfixable broken wrt. 64 bit cleanness. At some
point we should remove it, I'll add it to feature-removal-schedule.

Re: [ANNOUNCE] Release of iptables 1.3.8

[Patrick McHardy]

Patrick McHardy wrote:
>>
>> Done to commit. But I didn't kill KERNEL_64_USERSPACE_32 from Makefile,
>> SAME, and CLUSTERIP. They doesn't have compat layer in kernel
>> in the current.
>>   
>
> Thanks. I can fix CLUSTERIP. SANE is not too important since its
> deprecated and unfixable broken wrt. 64 bit cleanness. At some
> point we should remove it, I'll add it to feature-removal-schedule.
>
>
>


BTW, I would suggest to remove it entirely, it just doesn't work
properly. Most people won't use it anyways because I guess no sane
distributor compiles 32 bit packages on a 64 bit kernel exactly
because this kind of crap. For people that actually use it it will
break once we add proper support to the kernel.

I'll fix CLUSTERIP now ..