* [ANNOUNCE] iptables 1.4.16.1 release
@ 2012-10-07 23:17 Pablo Neira Ayuso
  2012-10-08  0:14 ` Jan Engelhardt
  0 siblings, 1 reply; 2+ messages in thread
From: Pablo Neira Ayuso @ 2012-10-07 23:17 UTC (permalink / raw)
  To: netfilter-devel; +Cc: netdev, netfilter, netfilter-announce, lwn

[-- Attachment #1: Type: text/plain, Size: 775 bytes --]

On Mon, Oct 08, 2012 at 12:24:41AM +0200, Pablo Neira Ayuso wrote:
Hi!

The Netfilter project proudly presents:

        iptables 1.4.16.1

This release fixes a major breakage introduced by:

commit cd2f9bdbb7f9b737e5d640aafeb78bcd8e3a7adf
Author: Jan Engelhardt <jengelh@inai.de>
Date:   Tue Sep 4 05:24:47 2012 +0200

    iptables: support for target aliases

This is really unfortunate, it seems this patch has been pushed
mainstream without sufficient testing. We are really sorry for the
inconvenience. Please, don't use 1.4.16, this bug renders it
completely useless.

See ChangeLog that comes attached to this email for more details.

You can download it from:

http://www.netfilter.org/projects/iptables/downloads.html
ftp://ftp.netfilter.org/pub/iptables/

Have fun!

[-- Attachment #2: changes-iptables-1.4.16.1.txt --]
[-- Type: text/plain, Size: 91 bytes --]

Pablo Neira Ayuso (2):
      iptables: fix standard target
      bump version to 1.4.16.1



* Re: [ANNOUNCE] iptables 1.4.16.1 release
  2012-10-07 23:17 [ANNOUNCE] iptables 1.4.16.1 release Pablo Neira Ayuso
@ 2012-10-08  0:14 ` Jan Engelhardt
  0 siblings, 0 replies; 2+ messages in thread
From: Jan Engelhardt @ 2012-10-08  0:14 UTC (permalink / raw)
  To: Pablo Neira Ayuso
  Cc: netfilter-devel, netdev, netfilter, netfilter-announce, lwn


On Monday 2012-10-08 01:17, Pablo Neira Ayuso wrote:
>The Netfilter project proudly presents:
>
>        iptables 1.4.16.1
>
>iptables -I INPUT -j ACCEPT
>says:
>iptables: No chain/target/match by that name.
>This also breaks iptables-restore, of course. Jan, you'll have to explain
>me how you have tested this.

This was tested by adding rules with different targets that had both
aliases defined and those without.

 ./iptables/xtables-multi main4 -t raw -N foo
 ./iptables/xtables-multi main4 -t raw -A foo -j NOTRACK
 with kernels that had xt_CT and no xt_CT at all

 ./iptables/xtables-multi main4 -N foo
 ./iptables/xtables-multi main4 -A foo -m state --state NEW
 with kernels that had xt_conntrack.3, and xt_conntrack.3 removed
 (leaving only xt_conntrack.2)

 ./iptables/xtables-multi main4 -t raw -N bar
 ./iptables/xtables-multi main4 -t raw -A bar -j MARK --set-xmark 1
 ./iptables/xtables-multi main4 -t raw -A foo -j bar

plus of course the "standard" (no pun intended) testsuite that we
had so far:

 # ./iptables/xtables-multi restore6 tests/options-most.rules 
 WARNING: --localtz is being replaced by --kerneltz, since "local" is ambiguous.
 Note the kernel timezone has caveats - see manpage for details.

As you spotted, options-most.rules did not include -j <verdict>.

While v1.4.16-1-g2aaa7ec fixes -j verdict, it breaks NOTRACK in all
instances. To reuse a line, "you'll have to explain me how you have
tested this."

A patch to what I think should fly is posted as a reply hereto.
Please give that a spin.

^ permalink raw reply	[flat|nested] 2+ messages in thread
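
The coverage gap named in the reply above (options-most.rules contained no rule with -j <verdict>) can be checked mechanically before a release. The script below is an added example, not part of the original thread or of the iptables test suite; the function names, the three class labels and the sample ruleset are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which classes of -j target an iptables-restore
# rules file exercises. Classes (labels chosen here): standard verdicts,
# jumps to user-defined chains, and extension targets.
# Limitation: a quoted argument that contains "-j" would be miscounted.

# Prints "<class> <count>" for each of the three classes.
target_coverage() {
    awk '
        BEGIN { n["verdict"] = n["chain"] = n["extension"] = 0 }
        /^\*/ { split("", chains); next }          # new table: reset chain list
        /^:/  { chains[substr($1, 2)] = 1; next }  # ":NAME POLICY [pkts:bytes]"
        /^-[AI] / {
            for (i = 3; i < NF; i++) {
                if ($i != "-j" && $i != "--jump") continue
                t = $(i + 1)
                if (t ~ /^(ACCEPT|DROP|QUEUE|RETURN)$/) n["verdict"]++
                else if (t in chains) n["chain"]++
                else n["extension"]++
            }
        }
        END { printf "verdict %d\nchain %d\nextension %d\n",
                     n["verdict"], n["chain"], n["extension"] }
    ' "$1"
}

# Prints the space-separated classes that no rule in the file covers.
uncovered_classes() {
    target_coverage "$1" |
        awk '$2 == 0 { printf "%s%s", sep, $1; sep = " " } END { print "" }'
}

# Constructed sample mirroring the manual tests quoted in the thread:
# extension targets and a user-chain jump, but no standard verdict.
write_sample_rules() {
    cat > "$1" <<'EOF'
*raw
:PREROUTING ACCEPT [0:0]
:foo - [0:0]
:bar - [0:0]
-A foo -j NOTRACK
-A bar -j MARK --set-xmark 0x1/0xffffffff
-A foo -j bar
COMMIT
EOF
}

tmp=$(mktemp); write_sample_rules "$tmp"
echo "uncovered target classes: $(uncovered_classes "$tmp")"
rm -f "$tmp"
```

A non-empty result means the rules file cannot catch a regression in that class of target; here the sample leaves standard verdicts untested.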
