* [ANNOUNCE] iptables 1.8.9 release
From: Phil Sutter @ 2023-01-12 11:20 UTC
To: netfilter, netfilter-devel; +Cc: netdev, netfilter-announce, lwn
Hi!
The Netfilter project proudly presents:
iptables 1.8.9
This release contains new features:
* arptables-nft: Support --exact flag
* Add --enable-profiling configure option, preparing for gcov/gprof
* Support more chunk types in sctp extension
* Print '--' in ip6tables' 'opt' column for consistency with iptables
* More verbose error messages if iptables-nft-restore fails
* Support '-p Length' with ebtables-nft, needed for 802_3 extension
* Merge all NAT extensions into a single DSO
* Install ebtables-translate tool
... and fixes:
* Misc compiler warnings
* Duplicate ETH_ALEN definition when building against musl libc
* Failing out-of-tree build
* Avoid symbol pollution by limiting scope of some in xtables.h
* Increase testsuites' code-coverage
* Using --init-table would crash ebtables-restore, reject it properly
* Fix potential read from garbage in string extension
* Add missing nf_log.h kernel header to dist
* Fix listing format with overly long 'prot' column entries
* Print numeric protocol values with --numeric
* Broken ebtables' among match with MAC+IP address entries
* Occasional wrong line number reported by failing iptables-nft-restore
* Multiple rules using among match broke ebtables-restore
* Renaming a chain in legacy iptables could crash the program
* A second bitwise expression in a rule would mangle the first one
* More strictly reject rules with unexpected content
* Many xtables-translate fixes
* Misc memory leaks and garbage access, satisfy valgrind's leak checker
... and documentation updates:
* Iptables exits when setuid, mention this in man page
* Improve NFQUEUE queue-balance documentation
You can download the new release from:
https://netfilter.org/projects/iptables/downloads.html#iptables-1.8.9
In case of bugs, file them via:
* https://bugzilla.netfilter.org
Happy firewalling!
[-- Attachment #2: changes-iptables-1.8.9.txt --]
Anton Luka Šijanec (1):
xtables-monitor: add missing spaces in printed str
Ben Brown (1):
build: Fix error during out of tree build
Erik Skultety (1):
iptables: xshared: Output '--' in the opt field in ipv6's fake mode
Florian Westphal (19):
iptables.8: mention that iptables exits when setuid
extensions: libxt_conntrack: remove always-false conditionals
nft: fix ebtables among match when mac+ip addresses are used
nft: support dissection of meta pkttype mode
nft: prefer native 'meta pkttype' instead of xt match
extensions: libxt_pkttype: support otherhost
nft: support ttl/hoplimit dissection
nft: prefer payload to ttl/hl module
nft: un-break among match with concatenation
Revert "nft: prefer payload to ttl/hl module"/'meta pkttype' match.
nft: track each register individually
tests: extend native delinearize script
nft: check for unknown meta keys
iptables-nft: exit nonzero when iptables-save cannot decode all expressions
xlate: get rid of escape_quotes
extensions: change expected output for new format
xlate-test: avoid shell entanglements
nft-bridge: work around recent "among" decode breakage
extensions: add xt_statistics random mode translation
Markus Mayer (1):
netfilter: add nf_log.h
Nick Hainke (1):
treewide: use uint* instead of u_int*
Pablo Neira Ayuso (2):
nft: replace nftnl_.*_nlmsg_build_hdr() by nftnl_nlmsg_build_hdr()
nft-shared: replace nftnl_expr_get_data() by nftnl_expr_get()
Phil Sutter (136):
xshared: Fix build for -Werror=format-security
Revert "fix build for missing ETH_ALEN definition"
tests: shell: Check overhead in iptables-save and -restore
libxtables: Unexport init_extensions*() declarations
arptables: Support -x/--exact flag
iptables-legacy: Drop redundant include of xtables-multi.h
xshared: Make some functions static
Makefile: Add --enable-profiling configure option
tests: shell: Add some more rules to 0002-verbose-output_0
tests: shell: Extend iptables-xml test a bit
tests: shell: Extend zero counters test a bit further
extensions: libebt_standard.t: Test logical-{in,out} as well
ebtables-restore: Deny --init-table
extensions: string: Do not print default --to value
extensions: string: Review parse_string() function
extensions: string: Fix and enable tests
nft: Exit if nftnl_alloc_expr fails
libxtables: Move struct xtables_afinfo into xtables.h
libxtables: Define XT_OPTION_OFFSET_SCALE in xtables.h
libxtables: Fix unsupported extension warning corner case
tests: shell: Fix testcases for changed ip6tables opts output
xshared: Fix for missing space after 'prot' column
xshared: Print protocol numbers if --numeric was given
xtables-restore: Extend failure error message
nft: Expand extended error reporting to nft_cmd, too
tests: shell: Test delinearization of native nftables expressions
ebtables: Drop unused OPT_* defines
ebtables: Eliminate OPT_TABLE
ebtables: Merge OPT_* flags with xshared ones
nft-shared: Introduce __get_cmp_data()
ebtables: Support '-p Length'
ebtables: Fix among match
nft: Fix meta statement parsing
nft-bridge: Drop 'sreg_count' variable
tests: iptables-test: Simplify '-N' option a bit
tests: iptables-test: Simplify execute_cmd() calling
tests: iptables-test: Pass netns to execute_cmd()
tests: iptables-test: Test both variants by default
extensions: among: Remove pointless fall through
extensions: among: Fix for use with ebtables-restore
extensions: libebt_stp: Eliminate duplicate space in output
extensions: libip6t_dst: Fix output for empty options
extensions: TCPOPTSTRIP: Do not print empty options
extensions: libebt_log: Avoid empty log-prefix in output
tests: IDLETIMER.t: Fix syntax, support for restore input
tests: libebt_stp.t: Drop duplicate whitespace
tests: shell: Fix expected output for ip6tables dst match
tests: shell: Fix expected ebtables log target output
libiptc: Fix for segfault when renaming a chain
nft: Fix compile with -DDEBUG
extensions: NFQUEUE: Document queue-balance limitation
tests: iptables-test: Implement fast test mode
tests: iptables-test: Cover for obligatory -j CONTINUE in ebtables
tests: *.t: Fix expected output for simple calls
tests: *.t: Fix for hexadecimal output
tests: libebt_redirect.t: Plain redirect prints with trailing whitespace
tests: libxt_length.t: Fix odd use-case output
tests: libxt_recent.t: Add missing default values
tests: libxt_tos.t, libxt_TOS.t: Add missing masks in output
tests: libebt_vlan.t: Drop trailing whitespace from rules
tests: libxt_connlimit.t: Add missing default values
tests: *.t: Add missing all-one's netmasks to expected output
extensions: DNAT: Fix bad IP address error reporting
extensions: *NAT: Drop NF_NAT_RANGE_PROTO_RANDOM* flag checks
extensions: DNAT: Use __DNAT_xlate for REDIRECT, too
extensions: DNAT: Generate print, save and xlate callbacks
extensions: DNAT: Rename some symbols
extensions: Merge SNAT, DNAT, REDIRECT and MASQUERADE
tests: xlate-test: Cleanup file reading loop
tests: xlate-test.py: Introduce run_proc()
tests: xlate-test: Replay results for reverse direction testing
xshared: Share make_delete_mask() between ip{,6}tables
nft-shared: Introduce port_match_single_to_range()
extensions: libip*t_LOG: Merge extensions
extensions: libebt_ip: Include kernel header
extensions: libebt_arp, libebt_ip: Use xtables_ipparse_any()
extensions: Collate ICMP types/codes in libxt_icmp.h
extensions: Unify ICMP parser into libxt_icmp.h
Drop extra newline from xtables_error() calls
extensions: mark: Test double bitwise in a rule
extensions: libebt_mark: Fix mark target xlate
extensions: libebt_mark: Fix xlate test case
extensions: libebt_redirect: Fix xlate return code
extensions: libipt_ttl: Sanitize xlate callback
extensions: CONNMARK: Fix xlate callback
extensions: MARK: Sanitize MARK_xlate()
extensions: TCPMSS: Use xlate callback for IPv6, too
extensions: TOS: Fix v1 xlate callback
extensions: ecn: Sanitize xlate callback
extensions: tcp: Translate TCP option match
extensions: libebt_log: Add comment to clarify xlate callback
extensions: frag: Add comment to clarify xlate callback
extensions: ipcomp: Add comment to clarify xlate callback
libxtables: xt_xlate_add() to take care of spacing
extensions: Leverage xlate auto-spacing
extensions: libxt_conntrack: Drop extra whitespace in xlate
extensions: xlate: Format sets consistently
tests: shell: Test selective ebtables flushing
tests: shell: Fix valgrind mode for 0008-unprivileged_0
iptables-restore: Free handle with --test also
iptables-xml: Free allocated chain strings
nft: Plug memleak in nft_rule_zero_counters()
iptables: Plug memleaks in print_firewall()
xtables: Introduce xtables_clear_iptables_command_state()
iptables: Properly clear iptables_command_state object
xshared: Free data after printing help
libiptc: Eliminate garbage access
ebtables: Implement --check command
tests: xlate: Use --check to verify replay
nft: Fix for comparing ifname matches against nft-generated ones
nft: Fix match generator for '! -i +'
nft: Recognize INVAL/D interface name
xtables-translate: Fix for interfaces with asterisk mid-string
ebtables: Fix MAC address match translation
Makefile: Create LZMA-compressed dist-files
Drop INCOMPATIBILITIES file
Drop libiptc/linux_stddef.h
Makefile: Generate ip6tables man pages on the fly
extensions: Makefile: Merge initext targets
iptables/Makefile: Reorg variable assignments
iptables/Makefile: Split nft-variant man page list
Makefile: Fix for 'make distcheck'
Makefile: Generate .tar.xz archive with 'make dist'
include/Makefile: xtables-version.h is generated
tests: Adjust testsuite return codes to automake guidelines
Makefile.am: Integrate testsuites
nft: Parse icmp header matches
arptables: Check the mandatory ar_pln match
nft: Increase rule parser strictness
nft: Make rule parsing errors fatal
nft: Reject tcp/udp extension without proper protocol match
gitignore: Ignore utils/nfsynproxy
gitignore: Ignore generated ip6tables man pages
ebtables-translate: Install symlink
Makefile: Replace brace expansion
configure: Bump version for 1.8.9 release
Yi Chen (1):
tests: add ebtables among testcase
Yuxuan Luo (1):
xt_sctp: support a couple of new chunk types
* Re: [ANNOUNCE] iptables 1.8.9 release
From: Arturo Borrero Gonzalez @ 2023-01-14 21:18 UTC
To: Phil Sutter; +Cc: netfilter-devel
On 1/12/23 12:20, Phil Sutter wrote:
> Hi!
>
> The Netfilter project proudly presents:
>
> iptables 1.8.9
>
Hi Phil,
thanks for the release!
I see the tarball now includes an etc/xtables.conf file [0]. Could you please clarify the expected usage of this file?
Do we intend users to have this in their systems? If so, what for?
It appears to be in nftables native format, so who or what mechanisms would be responsible for reading it in a system that has no nftables installed?
Perhaps the file is only useful for development purposes?
This information would help me decide what to do with the file in the official Debian package.
regards.
[0] https://git.netfilter.org/iptables/tree/etc/xtables.conf
* Re: [ANNOUNCE] iptables 1.8.9 release
From: Pablo Neira Ayuso @ 2023-01-15 7:13 UTC
To: Arturo Borrero Gonzalez; +Cc: Phil Sutter, netfilter-devel
Hi Arturo,
On Sat, Jan 14, 2023 at 10:18:56PM +0100, Arturo Borrero Gonzalez wrote:
> On 1/12/23 12:20, Phil Sutter wrote:
> > Hi!
> >
> > The Netfilter project proudly presents:
> >
> > iptables 1.8.9
> >
>
> Hi Phil,
>
> thanks for the release!
>
> I see the tarball now includes an etc/xtables.conf file [0]. Could you please clarify the expected usage of this file?
>
> Do we intend users to have this in their systems? If so, what for?
> It appears to be in nftables native format, so who or what mechanisms would be responsible for reading it in a system that has no nftables installed?
>
> Perhaps the file is only useful for development purposes?
I think this file just slipped through while enabling `make distcheck'
in a recent update, but let's wait for Phil to confirm this.
* Re: [ANNOUNCE] iptables 1.8.9 release
From: Phil Sutter @ 2023-01-15 22:07 UTC
To: Pablo Neira Ayuso; +Cc: Arturo Borrero Gonzalez, netfilter-devel
Hi!
On Sun, Jan 15, 2023 at 08:13:42AM +0100, Pablo Neira Ayuso wrote:
> On Sat, Jan 14, 2023 at 10:18:56PM +0100, Arturo Borrero Gonzalez wrote:
> > On 1/12/23 12:20, Phil Sutter wrote:
> > > Hi!
> > >
> > > The Netfilter project proudly presents:
> > >
> > > iptables 1.8.9
> > >
> >
> > Hi Phil,
> >
> > thanks for the release!
> >
> > I see the tarball now includes an etc/xtables.conf file [0]. Could you please clarify the expected usage of this file?
> >
> > Do we intend users to have this in their systems? If so, what for?
> > It appears to be in nftables native format, so who or what mechanisms would be responsible for reading it in a system that has no nftables installed?
> >
> > Perhaps the file is only useful for development purposes?
>
> I think this file just slipped through while enabling `make distcheck'
> in a recent update, but let's wait for Phil to confirm this.
Oh, I wasn't aware this file wasn't installed prior to my patches
enabling 'make dist'. This explains why Jan came up with a patch to
prevent installation. %)
So yes, this config is a leftover from an early approach of supporting a
configurable iptables-nft chain layout which never gained traction. One
should just ignore it, sorry for the mess this causes.
Cheers, Phil