From: Phil Sutter <phil@netfilter.org>
To: netfilter@vger.kernel.org, netfilter-devel@vger.kernel.org
Cc: netdev@vger.kernel.org, netfilter-announce@lists.netfilter.org,
lwn@lwn.net
Subject: [ANNOUNCE] iptables 1.8.6 release
Date: Sat, 31 Oct 2020 15:27:12 +0100
Message-ID: <20201031142712.GA10193@orbyte.nwl.cc>
Hi!
The Netfilter project proudly presents:
iptables 1.8.6
This release contains the following fixes and enhancements:
iptables-nft:
- Fix ip6tables error messages; they were incorrectly prefixed
'iptables:'.
- Fix for pointless 'bitwise' expression being added to each IP address
match, needlessly slowing down run-time performance (by 50% in worst
cases).
iptables-nft-restore:
- Correctly print the flushed chains in verbose mode, like legacy
restore does.
- Restoring multiple tables could fail if a ruleset flush happened in
parallel (e.g. via 'nft flush ruleset').
- Fix for bogus error messages if a refreshed transaction fails.
- Support basechain policy value of '-' (indicating to not change the
chain's policy).
- Fix for spurious errors in concurrent restore calls with '--noflush'.
iptables-legacy:
- Allow configuring the lock file location via the XTABLES_LOCKFILE
environment variable.
xtables-monitor:
- Fix printing of IP addresses in ip6tables rules.
xtables-translate:
- Exit gracefully when called with '--help'.
- Fix some memory leaks.
- Add support for conntrack '--ctstate' match.
- Fix translation of ICMP type 'any' match.
libxtables:
- Fix for lower extension revisions no longer supported by the kernel
being retried each time the extension is used in a rule. This
significantly improves performance when restoring large rulesets which
extensively use e.g. the conntrack match.
tests:
- Add help text to tests/shell/run-tests.sh.
- Test ip6tables error messages also, not just return codes.
General:
- Rejecting packets with ctstate INVALID might close good connections if
packet reordering happened. Document this and suggest to use DROP
target instead.
- Fix for iptables-apply script not being installed by 'make install'.
- Fix 'make uninstall', it was completely broken.
- Fix compiler warnings when building with NO_SHARED_LIBS.
- Extend 'make clean' to remove some generated man pages left in place.
- Fix for gcc-10 zero-length array warnings.
See the attached changelog for more details.
You can download it from:
http://www.netfilter.org/projects/iptables/downloads.html#iptables-1.8.6
To build the code, libnftnl 1.1.6 is required:
* http://netfilter.org/projects/libnftnl/downloads.html#libnftnl-1.1.6
In case of bugs and feature requests, file them via:
* https://bugzilla.netfilter.org
Happy firewalling!
[-- Attachment #2: iptables-1.8.6.txt --]
[-- Type: text/plain, Size: 2138 bytes --]
Arturo Borrero Gonzalez (1):
xtables-translate: don't fail if help was requested
Giuseppe Scrivano (1):
iptables: accept lock file name at runtime
Jan Engelhardt (2):
doc: document danger of applying REJECT to INVALID CTs
build: resolve iptables-apply not getting installed
Maciej Żenczykowski (1):
libxtables: compiler warning fixes for NO_SHARED_LIBS
Pablo Neira Ayuso (3):
extensions: libxt_conntrack: provide translation for DNAT and SNAT --ctstate
iptables: replace libnftnl table list by linux list
iptables-nft: fix basechain policy configuration
Phil Sutter (31):
xtables-restore: Fix verbose mode table flushing
build: Fix for failing 'make uninstall'
xtables-translate: Use proper clear_cs function
tests: shell: Add help output to run-tests.sh
nft: Make table creation purely implicit
nft: Be lazy when flushing
nft: cache: Drop duplicate chain check
nft: Drop pointless nft_xt_builtin_init() call
nft: Turn nft_chain_save() into a foreach-callback
nft: Use nft_chain_find() in two more places
nft: Reorder enum nft_table_type
nft: Eliminate table list from cache
nft: Fix command name in ip6tables error message
tests: shell: Merge and extend return codes test
xtables-monitor: Fix ip6tables rule printing
nft: Fix for ruleset flush while restoring
Makefile: Add missing man pages to CLEANFILES
nft: cache: Check consistency with NFT_CL_FAKE, too
nft: Extend use of nftnl_chain_list_foreach()
nft: Fold nftnl_rule_list_chain_save() into caller
nft: Use nft_chain_find() in nft_chain_builtin_init()
nft: Fix for broken address mask match detection
extensions: libipt_icmp: Fix translation of type 'any'
libxtables: Make sure extensions register in revision order
libxtables: Simplify pending extension registration
libxtables: Register multiple extensions in ascending order
nft: Make batch_add_chain() return the added batch object
nft: Fix error reporting for refreshed transactions
libiptc: Avoid gcc-10 zero-length array warning
nft: Fix for concurrent noflush restore calls
tests: shell: Improve concurrent noflush restore test a bit
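As an added example, not part of the announcement and not code from the iptables project: the 'General' note above documents that rejecting packets with ctstate INVALID can close good connections when packets are reordered, and that DROP should be used instead. The script below audits a constructed iptables-save dump for that pattern (both the conntrack '--ctstate' form and the older '-m state --state' form) and rewrites offending rules to DROP, so an existing ruleset can be checked before it is reloaded with iptables-restore. The sample ruleset and the function names find_invalid_reject, count_invalid_reject and rewrite_invalid_reject are my own; the ':INPUT - [0:0]' line uses the '-' basechain policy value the release notes say iptables-nft-restore now supports, meaning the chain's policy is left unchanged.

```shell
#!/bin/sh
# Audit an iptables-save dump for rules that REJECT ctstate INVALID packets
# and rewrite them to DROP, as the iptables 1.8.6 documentation advises.

# Constructed sample dump (not taken from the announcement). The first
# and fourth rules are the problematic ones; the third is already fine.
SAMPLE_RULESET='*filter
:INPUT - [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate INVALID -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m state --state INVALID -j REJECT
COMMIT'

# Print every rule line whose state/ctstate list contains INVALID and
# whose target is REJECT. Reads the dump text from its first argument.
find_invalid_reject() {
    printf '%s\n' "$1" |
        grep -E -- '^-A .*(--ctstate|--state) [A-Z,]*INVALID[A-Z,]* .*-j REJECT'
}

# Number of offending rules in the dump.
count_invalid_reject() {
    find_invalid_reject "$1" | wc -l | tr -d ' '
}

# Rewrite offending rules so that INVALID packets are dropped instead of
# rejected; any trailing --reject-with option is removed together with
# the REJECT target. All other lines pass through unchanged.
rewrite_invalid_reject() {
    printf '%s\n' "$1" |
        sed -E '/(--ctstate|--state) [A-Z,]*INVALID[A-Z,]* /{s/ -j REJECT( --reject-with [a-z0-9-]+)?$/ -j DROP/}'
}

# Stand-alone usage: report offending rules, then show the corrected dump.
if [ "${1:-}" = "--demo" ]; then
    echo "Rules that REJECT ctstate INVALID packets:"
    find_invalid_reject "$SAMPLE_RULESET"
    echo
    echo "Corrected ruleset:"
    rewrite_invalid_reject "$SAMPLE_RULESET"
fi
```

On a live system the dump would come from `iptables-save` (or `ip6tables-save`) rather than the embedded sample, and the corrected output can be fed back through `iptables-restore`; the audit only looks at the state/ctstate match and the REJECT target, so rules that reach REJECT through a user-defined chain are outside its scope.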