Hi!
The Netfilter project proudly presents:
iptables 1.8.12
This release contains the following fixes:
* Fix null dereference parsing bitwise operations.
* Refuse to run under file capabilities, i.e. when getauxval(AT_SECURE) is set.
* Fix for all-zero mask on Big Endian in arptables-nft.
* Support adding and replacing a rule in the same batch in
  iptables-nft:

      *filter
      -A FORWARD -m comment --comment "new rule being replaced"
      -R FORWARD 1 -m comment --comment "new replacing rule"
      COMMIT
* Print -X in xtables-monitor command for base chains.
* Remove incorrect libebt_redirect translations.
* Translate bare '-m sctp' match to '-p sctp' just like TCP and UDP.
* Support for info-request and info-reply icmp types.
* Fix interface comparisons in `-C` commands in iptables-nft.
* Several fixes for ip[6]tables-translate, the tool to ease migration
  to nftables.
* Document flush behaviour with --noflush for user-defined chains.
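The AT_SECURE refusal above is the security-relevant change of this release: a binary started setuid or with file capabilities must not trust its environment, so libxtables now bails out instead of initialising. The following is an added illustration of that check, not libxtables' own code; the function names secure_execution() and check_run_context() are assumed for the example.

```c
/* Added example (not iptables' own code): mirror the 1.8.12 libxtables
 * behaviour of refusing to run when the kernel marks the process as
 * "secure execution" (setuid/setgid or file capabilities), which it
 * reports through the AT_SECURE auxiliary-vector entry. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/auxv.h>

/* Returns 1 if the process was started with AT_SECURE set, 0 otherwise.
 * glibc's getauxval() returns 0 and sets errno to ENOENT when the entry
 * is absent; treat that as "not secure" rather than as a positive flag. */
static int secure_execution(void)
{
    unsigned long v;

    errno = 0;
    v = getauxval(AT_SECURE);
    if (v == 0 && errno == ENOENT)
        return 0;
    return v != 0;
}

/* Policy helper: under secure execution the library must refuse to
 * initialise instead of silently continuing with an untrusted
 * environment. Returns 0 when it is safe to proceed, -1 to abort. */
static int check_run_context(int secure)
{
    if (secure) {
        fprintf(stderr,
                "refusing to run under file capabilities / setuid "
                "(AT_SECURE set)\n");
        return -1;
    }
    return 0;
}

int main(void)
{
    if (check_run_context(secure_execution()) < 0)
        return EXIT_FAILURE;
    puts("normal execution context, continuing");
    return EXIT_SUCCESS;
}
```

Run the binary normally and it continues; install it with a file capability (or setuid) and the kernel sets AT_SECURE, so it refuses, which is exactly the behaviour the release notes describe.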
See the changelog (attached to this email) for more details.
You can download this new release from:
https://www.netfilter.org/projects/iptables/downloads.html
https://www.netfilter.org/pub/iptables/
To build the code, libnftnl >= 1.2.6 is required:
http://netfilter.org/projects/libnftnl/downloads.html
In case of bugs and feature requests, file them via:
https://bugzilla.netfilter.org
Happy firewalling.
P.S.: the tarball and website update have been available since yesterday; I could
not deliver this cover letter until today, apologies for the delay.
Achill Gilgenast (1):
configure: Avoid addition assignment operators
Alan Ross (1):
libxtables: refuse to run under file capabilities
Florian Westphal (2):
man: iptables-restore.8: document flush behaviour for user-defined chains
nft: revert compat expressions in userdata
Jeremy Sowden (2):
ip[6]tables-translate: fix test failures when WESP is defined
nft: fix interface comparisons in `-C` commands
Miao Wang (1):
extensions: libebt_redirect: prevent translation
Pablo Neira Ayuso (1):
configure: Bump version for 1.8.12 release
Phil Sutter (20):
nft: Drop interface mask leftovers from post_parse callbacks
nft: Make add_log() static
nft: ruleparse: Introduce nft_parse_rule_expr()
nft: __add_{match,target}() can't fail
nft: Introduce UDATA_TYPE_COMPAT_EXT
nft-ruleparse: Fallback to compat expressions in userdata
nft: Pass nft_handle into add_{action,match}()
nft: Embed compat extensions in rule userdata
tests: iptables-test: Add nft-compat variant
extensions: icmp: Support info-request/-reply type names
xshared: Accept an option if any given command allows it
extensions: sctp: Translate bare '-m sctp' match
libxtables: Promote xtopt_esize_by_type() as xtopt_psize getter
Revert "libxtables: Promote xtopt_esize_by_type() as xtopt_psize getter"
xtables-monitor: Print -X command for base chains, too
nft: Support replacing a rule added in the same batch
libxtables: Store all requested target types
ruleparse: arp: Fix for all-zero mask on Big Endian
tests: shell: Review nft-only/0009-needless-bitwise_0
configure: Auto-detect libz unless explicitly requested
Remy D. Farley (1):
iptables: fix null dereference parsing bitwise operations
Łukasz Stelmach (1):
extensions: man: Add a note about route_localnet sysctl