* [ANNOUNCE] iptables 1.8.5 release
@ 2020-06-03 11:58 Phil Sutter
From: Phil Sutter @ 2020-06-03 11:58 UTC
To: netfilter; +Cc: netfilter-devel
[-- Attachment #1: Type: text/plain, Size: 1834 bytes --]
Hi!

The Netfilter project proudly presents:

        iptables 1.8.5

This release contains the following fixes and enhancements:

xtables-save/xtables-restore:

- Fix parser in `--noflush' mode incorrectly rejecting chain definitions
  and empty lines.
- Fix crash when restoring or dumping while other ruleset changes happen
  in parallel.

iptables-apply:

- Install the script along with `make install'.
- Introduce parameters `-c' (run command) and `-w' (save successfully
  applied rules to file).
- Use `mktemp' instead of `tempfile' for temporary files.

iptables-translate:

- Support `time' match and `NOTRACK' target.
- Fix for special interface names `*', `+' and `eth++'.

ebtables-nft:

- Full among match support, including sets with mixed MAC and MAC+IP
  entries.

extensions:

- connlabel: Numeric labels were rejected if a connlabel.conf existed in
  the system.
- IDLETIMER: Introduce `--alarm' option.

libxtables:

- Introduce xtables_fini() to properly deinit the library and close any
  loaded shared objects.

nfnl_osf:

- Fix lockup after loading the first line from fingerprints file.
- Improve error handling, don't silently exit when deleting a
  non-existing fingerprint.

General:

- Fixes for undefined behaviour.
- Replace a few unsafe calls to strcpy().
- Fix some warnings when compiling with clang.
- Various fixes for valgrind-detected problems such as memory leaks and
  reachable memory at program exit.

See ChangeLog that comes attached to this email for more details.

You can download it from:

http://www.netfilter.org/projects/iptables/downloads.html#iptables-1.8.5

To build the code, libnftnl 1.1.6 is required:

* http://netfilter.org/projects/libnftnl/downloads.html#libnftnl-1.1.6

In case of bugs and feature requests, file them via:

* https://bugzilla.netfilter.org

Happy firewalling!

[-- Attachment #2: iptables-1.8.5.txt --]
[-- Type: text/plain, Size: 4969 bytes --]
Arturo Borrero Gonzalez (1):
      .gitignore: add nano/vim swap file

Jeremy Sowden (1):
      extensions: AUDIT: fix man-page typo.

Jose M. Guisado Gomez (1):
      extensions: time: add translation and tests

Laurence J. Lane (6):
      iptables: install iptables-apply script and manpage
      iptables: cleanup "allows to" usage
      extensions: manpages: cleanup hyphens
      libipq: fix spelling in manpage
      iptables: mention iptables-apply(8) in manpages
      extensions: libxt_sctp: add manpage description

Maciej Żenczykowski (7):
      iptables: open eBPF programs in read only mode
      extensions: include strings.h for the definition of ffs()
      iptables: include sys/time.h to fix lack of struct timeval declaration
      libxt_IDLETIMER: fix target v1 help alignment and doc
      libiptc: do not typedef socklen_t on Android
      iptables: flush stdout after every verbose log.
      libip6t_srh.t: switch to lowercase, add /128 suffix, require success

Manoj Basapathi (1):
      extensions: IDLETIMER: Add alarm timer option

Pablo Neira Ayuso (9):
      build: bump dependency on libnftnl
      extensions: libxt_CT: add translation for NOTRACK
      nft-shared: skip check for jumpto if cs->target is unset
      nft: split parsing from netlink commands
      nft: calculate cache requirements from list of commands
      nft: restore among support
      nft: remove cache build calls
      nft: missing nft_fini() call in bridge family
      configure: bump version for 1.8.5 release

Phil Sutter (64):
      extensions: CLUSTERIP: Mark as deprecated in man page
      Fix DEBUG build
      xtables-restore: Fix parser feed from line buffer
      xtables-restore: Avoid access of uninitialized data
      extensions: time: Avoid undefined shift
      extensions: cluster: Avoid undefined shift
      libxtables: Avoid buffer overrun in xtables_compatible_revision()
      xtables-translate: Guard strcpy() call in xlate_ifname()
      extensions: among: Check call to fstat()
      xtables-translate: Fix for interface name corner-cases
      xtables-restore: fix for --noflush and empty lines
      tests: shell: Fix skip checks with --host mode
      xtables-translate: Fix for iface++
      ebtables: among: Support mixed MAC and MAC/IP entries
      nft: Drop pointless assignment
      iptables-test.py: Fix --host mode
      xtables: Align effect of -4/-6 options with legacy
      xtables: Drop -4 and -6 support from xtables-{save,restore}
      xtables: Review nft_init()
      connlabel: Allow numeric labels even if connlabel.conf exists
      nft: cache: Fix nft_release_cache() under stress
      nft: cache: Make nft_rebuild_cache() respect fake cache
      nft: cache: Simplify chain list allocation
      nft: cache: Review flush_cache()
      nft: cache: Fix for unused variable warnings
      nft: cache: Fix iptables-save segfault under stress
      xshared: Drop pointless assignment in add_param_to_argv()
      tests: shell: Improve ipt-restore/0001load-specific-table_0 a bit
      tests: shell: Extend ipt-restore/0004-restore-race_0
      tests: shell: Test -F in dump files
      tests: shell: Add test for nfbz#1391
      ebtables-restore: Drop custom table flush routine
      nft: cache: Eliminate init_chain_cache()
      nft: cache: Init per table set list along with chain list
      nft: cache: Fetch sets per table
      ebtables-restore: Table line to trigger implicit commit
      nft: cache: Simplify rule and set fetchers
      nft: cache: Improve fake cache integration
      nft: cache: Introduce struct nft_cache_req
      nft-cache: Fetch cache per table
      nft-cache: Introduce __fetch_chain_cache()
      nft: cache: Fetch cache for specific chains
      nft: cache: Optimize caching for flush command
      nft: Fix for '-F' in iptables dumps
      tests: shell: Implement --valgrind mode
      nft: cache: Re-establish cache consistency check
      nft: Clear all lists in nft_fini()
      nft: Fix leaks in ebt_add_policy_rule()
      nft: Fix leak when deleting rules
      ebtables: Free statically loaded extensions again
      libxtables: Introduce xtables_fini()
      nft: Use clear_cs() instead of open coding
      arptables: Fix leak in nft_arp_print_rule()
      nft: Fix leak when replacing a rule
      nft: Don't exit early after printing help texts
      iptables-test: Don't choke on empty lines
      nfnl_osf: Fix broken conversion to nfnl_query()
      nfnl_osf: Improve error handling
      nft: Merge nft_*_rule_find() functions
      nft: Drop save_counters callback from family_ops
      doc: libxt_MARK: OUTPUT chain is fine, too
      tests: shell: Fix syntax in ipt-restore/0010-noflush-new-chain_0
      include: Avoid undefined left-shift in xt_sctp.h
      build: bump dependency on libnftnl

gw.2010@tnode.com (1):
      iptables-apply: script and manpage update

Álvaro Santos (1):
      Fixed some man pages typos ('This modules' -> 'This module')