From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] iptables: Update to 1.8.2
Date: Tue, 05 Mar 2019 13:50:48 +0000
Message-ID: <1BA20647-5C7F-4518-BC54-CE96AE631200@ipfire.org>

Hi,

> On 5 Mar 2019, at 12:37, ummeegge wrote:
> 
> Hi Michael,
> 
> On Tue, 2019-03-05 at 09:47 +0000, Michael Tremer wrote:
>> Hi,
>> 
>> I will just merge this and then we will see during testing of the
>> Core Update.
> Have deleted all the *legacy* binaries and as before, no problems at
> all. Should I send another patch without them?

If those are all symlinks, I guess it makes sense to remove them, because they are more confusing than anything else.

Please submit another patch. Remember that I have already merged this one.

> 
>> 
>> What could possibly go wrong?
> Have currently no problems in focus.
> Have built also nftables (with libnftnl with an extended iptables-1.8.2
> version which incl. also ebtables, arptables, the translation stuff and
> a lot more) to check there for some possible usage of the *legacy*
> stuff. It is currently possible to use both (iptables beneath nftables)
> which offers some funky new possibilities :D but in there the same, did
> NOT need the *legacy* binaries since all known iptables binaries are
> still present but possibly I have missed/overseen something.

I do not think that there is any sense to build nftables for IPFire 2. It is disabled in the kernel, we are using some extensions that only work for iptables (l7 filter, geoip, ipp2p) and therefore we can never use it.

-Michael

> 
> At least all is working.
> 
> Best,
> 
> Erik
> 
>> 
>> Best,
>> -Michael
>> 
>>> On 4 Mar 2019, at 06:54, ummeegge wrote:
>>> 
>>> Hi Michael,
>>> 
>>> On Sun, 2019-03-03 at 16:04 +0000, Michael Tremer wrote:
>>>> Hi,
>>>> 
>>>> This release of iptables has some interesting changes:
>>>> 
>>>> We now have multiple binaries with -legacy in name.
>>> 
>>> Yes I was also a little in wonder about that although it looked a
>>> little like a helper tool if nftables and iptables are running at the
>>> same time. Looking at linuxfromscratch -->
>>> http://www.linuxfromscratch.org/blfs/view/8.3/postlfs/iptables.html
>>> if '--disable-nftables' has been set, there are no *-legacy*
>>> binaries listed under "Installed Programs:".
>>> There is also the xtables-legacy-multi binary and looking into the
>>> nftables-wiki -->
>>> https://wiki.nftables.org/wiki-nftables/index.php/Legacy_xtables_tools
>>> (please check the 'link to a summary') it appears that all
>>> setsockopt based tools are now considered as 'legacy'.
>>> 
>>>> Did you test this? Is there anything we need to think about?
>>> 
>>> Am running iptables-1.8.2 currently with a backup of my production
>>> machine with ~ 50 rules and a vast IPset configuration
>>> (firewall.local) and I haven't recognized problems.
>>> 
>>> Some other tests I made:
>>> Made also a diff between 'iptables-legacy-save' and 'iptables-save'
>>> whereby the output seems to be pretty much the same.
>>> Moved then also all iptables-legacy* binaries away, restarted the
>>> machine and all seems to work as it should.
>>> 
>>> Since it is a little of a sensitive update, it is great to go for some
>>> more overviews/testings/thinking_abouts.
>>> 
>>> Best,
>>> 
>>> Erik
>>> 
>>>> -Michael
>>>> 
>>>>> On 3 Mar 2019, at 08:09, Erik Kapfer wrote:
>>>>> 
>>>>> netfilter-layer7 has also been updated to v2.23 .
>>>>> 
>>>>> Signed-off-by: Erik Kapfer >>>>> --- >>>>> config/rootfiles/common/iptables | 19 ++++++++++++------- >>>>> lfs/iptables | 17 +++++++++-------- >>>>> 2 files changed, 21 insertions(+), 15 deletions(-) >>>>>=20 >>>>> diff --git a/config/rootfiles/common/iptables >>>>> b/config/rootfiles/common/iptables >>>>> index d7584c0ad..9aa9e51cb 100644 >>>>> --- a/config/rootfiles/common/iptables >>>>> +++ b/config/rootfiles/common/iptables >>>>> @@ -17,12 +17,8 @@ lib/libiptc.so.0.0.0 >>>>> #lib/libxtables.la >>>>> lib/libxtables.so >>>>> lib/libxtables.so.12 >>>>> -lib/libxtables.so.12.0.0 >>>>> +lib/libxtables.so.12.2.0 >>>>> #lib/xtables >>>>> -lib/xtables/libebt_802_3.so >>>>> -lib/xtables/libebt_ip.so >>>>> -lib/xtables/libebt_log.so >>>>> -lib/xtables/libebt_mark_m.so >>>>> lib/xtables/libip6t_DNAT.so >>>>> lib/xtables/libip6t_DNPT.so >>>>> lib/xtables/libip6t_HL.so >>>>> @@ -109,7 +105,6 @@ lib/xtables/libxt_layer7.so >>>>> lib/xtables/libxt_length.so >>>>> lib/xtables/libxt_limit.so >>>>> lib/xtables/libxt_mac.so >>>>> -lib/xtables/libxt_mangle.so >>>>> lib/xtables/libxt_mark.so >>>>> lib/xtables/libxt_multiport.so >>>>> lib/xtables/libxt_nfacct.so >>>>> @@ -136,14 +131,20 @@ lib/xtables/libxt_tos.so >>>>> lib/xtables/libxt_u32.so >>>>> lib/xtables/libxt_udp.so >>>>> sbin/ip6tables >>>>> +sbin/ip6tables-legacy >>>>> +sbin/ip6tables-legacy-restore >>>>> +sbin/ip6tables-legacy-save >>>>> sbin/ip6tables-restore >>>>> sbin/ip6tables-save >>>>> sbin/iptables >>>>> +sbin/iptables-legacy >>>>> +sbin/iptables-legacy-restore >>>>> +sbin/iptables-legacy-save >>>>> sbin/iptables-restore >>>>> sbin/iptables-save >>>>> sbin/iptables-xml >>>>> #sbin/nfnl_osf >>>>> -sbin/xtables-multi >>>>> +sbin/xtables-legacy-multi >>>>> #usr/include/libipq.h >>>>> #usr/include/libiptc >>>>> #usr/include/libiptc/ipt_kernel_headers.h 
>>>>> @@ -178,5 +179,9 @@ sbin/xtables-multi >>>>> #usr/share/man/man8/iptables-save.8 >>>>> #usr/share/man/man8/iptables.8 >>>>> #usr/share/man/man8/nfnl_osf.8 >>>>> +#usr/share/man/man8/xtables-legacy.8 >>>>> +#usr/share/man/man8/xtables-monitor.8 >>>>> +#usr/share/man/man8/xtables-nft.8 >>>>> +#usr/share/man/man8/xtables-translate.8 >>>>> #usr/share/xtables >>>>> usr/share/xtables/pf.os >>>>> diff --git a/lfs/iptables b/lfs/iptables >>>>> index b4a2834b8..17817a9ef 100644 >>>>> --- a/lfs/iptables >>>>> +++ b/lfs/iptables >>>>> @@ -1,7 +1,7 @@ >>>>> ############################################################### >>>>> #### >>>>> ############ >>>>> # =20 >>>>>=20 >>>>> # >>>>> # IPFire.org - A linux based >>>>> firewall # >>>>> -# Copyright (C) 2007-2018 IPFire Team =20 >>>>>=20 >>>>> # >>>>> +# Copyright (C) 2007-2019 IPFire Team =20 >>>>>=20 >>>>> # >>>>> # =20 >>>>>=20 >>>>> # >>>>> # This program is free software: you can redistribute it and/or >>>>> modify # >>>>> # it under the terms of the GNU General Public License as >>>>> published >>>>> by # >>>>> @@ -24,7 +24,7 @@ >>>>>=20 >>>>> include Config >>>>>=20 >>>>> -VER =3D 1.6.2 >>>>> +VER =3D 1.8.2 >>>>>=20 >>>>> THISAPP =3D iptables-$(VER) >>>>> DL_FILE =3D $(THISAPP).tar.bz2 
>>>>> @@ -36,13 +36,13 @@ TARGET =3D $(DIR_INFO)/$(THISAPP) >>>>> # Top-level Rules >>>>> ############################################################### >>>>> #### >>>>> ############ >>>>> objects =3D $(DL_FILE) \ >>>>> - netfilter-layer7-v2.22.tar.gz >>>>> + netfilter-layer7-v2.23.tar.gz >>>>>=20 >>>>> $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) >>>>> -netfilter-layer7-v2.22.tar.gz =3D $(URL_IPFIRE)/netfilter- >>>>> layer7- >>>>> v2.22.tar.gz >>>>> +netfilter-layer7-v2.23.tar.gz =3D $(URL_IPFIRE)/netfilter- >>>>> layer7- >>>>> v2.23.tar.gz >>>>>=20 >>>>> -$(DL_FILE)_MD5 =3D 7d2b7847e4aa8832a18437b8a4c1873d >>>>> -netfilter-layer7-v2.22.tar.gz_MD5 =3D >>>>> 98dff8a3d5a31885b73341633f69501f >>>>> +$(DL_FILE)_MD5 =3D 944558e88ddcc3b9b0d9550070fa3599 >>>>> +netfilter-layer7-v2.23.tar.gz_MD5 =3D >>>>> 10910b6173d18e426cb56ae7e1300eeb >>>>>=20 >>>>> install : $(TARGET) >>>>>=20 >>>>> @@ -75,8 +75,8 @@ $(TARGET) : $(patsubst >>>>> %,$(DIR_DL)/%,$(objects)) >>>>> @cd $(DIR_SRC) && tar jxf $(DIR_DL)/$(DL_FILE) >>>>>=20 >>>>> # Layer7 >>>>> - cd $(DIR_SRC) && tar zxf $(DIR_DL)/netfilter-layer7- >>>>> v2.22.tar.gz >>>>> - cd $(DIR_APP) && cp -vf $(DIR_SRC)/netfilter-layer7- >>>>> v2.22/iptables-1.4.3forward-for-kernel-2.6.20forward/* \ >>>>> + cd $(DIR_SRC) && tar zxf $(DIR_DL)/netfilter-layer7- >>>>> v2.23.tar.gz >>>>> + cd $(DIR_APP) && cp -vf $(DIR_SRC)/netfilter-layer7- >>>>> v2.23/iptables-1.4.3forward-for-kernel-2.6.20forward/* \ >>>>> ./extensions/ >>>>>=20 >>>>> # imq >>>>> @@ -88,6 +88,7 @@ $(TARGET) : $(patsubst >>>>> %,$(DIR_DL)/%,$(objects)) >>>>> --libdir=3D/lib \ >>>>> --includedir=3D/usr/include \ >>>>> --enable-libipq \ >>>>> + --with-xtlibdir=3D/lib/xtables \ >>>>> --libexecdir=3D/lib \ >>>>> --bindir=3D/sbin \ >>>>> --sbindir=3D/sbin \ >>>>> --=20 >>>>> 2.12.2 >>>>>=20 >>>>=20 >>>>=20 >>=20 >>=20 >=20 --===============6101360940452965025==--
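Review bot: the first rootfile hunk (@@ -17,12 +17,8 @@) drops the four lib/xtables/libebt_*.so entries without a word in the commit message, which only mentions the version bump and the layer7 update. Presumably they are no longer produced because the ebtables plugins belong to the nft-based tool set, but say so explicitly, and confirm that the 1.8.2 build really does not install them any more, otherwise they end up on the system unlisted. The libxtables.so.12.0.0 to libxtables.so.12.2.0 change is the expected soname bump.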
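Review bot: lib/xtables/libxt_mangle.so disappears in the second rootfile hunk (@@ -109,7 +105,6 @@) and the commit message does not mention it. State why it goes away, and check that nothing in firewall.local or the generated rule sets loads it, so that a later reader does not take this for an accidental omission.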
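Review bot: in the third rootfile hunk (@@ -136,14 +131,20 @@) `-sbin/xtables-multi` becomes `+sbin/xtables-legacy-multi`, which breaks anything that calls the binary by its old name; grep the tree for `xtables-multi` before this goes into a Core Update. The six new sbin/*-legacy* entries are, if they are symlinks to xtables-legacy-multi as the thread assumes, just the same multi-call binary under a second name; the follow-up patch that drops them should be referenced from this one so the rootfile history stays readable.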
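Review bot: the lfs/iptables hash hunk (@@ -36,13 +36,13 @@) pins both tarballs by MD5 only. That is the build system's convention, but iptables-1.8.2.tar.bz2 is a security-critical download, so note in the commit message that `944558e88ddcc3b9b0d9550070fa3599` was checked against the upstream signature, and for netfilter-layer7-v2.23.tar.gz, which is served from $(URL_IPFIRE) rather than from upstream, record where that tarball was produced from so `10910b6173d18e426cb56ae7e1300eeb` can be re-derived.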
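Review bot: the layer7 hunk (@@ -75,8 +75,8 @@) still copies the extension out of a directory named `iptables-1.4.3forward-for-kernel-2.6.20forward` into ./extensions/ of a 1.8.2 tree. That it compiles (lib/xtables/libxt_layer7.so stays in the rootfile) does not prove it loads against libxtables.so.12.2.0; add a smoke test to the update checklist, e.g. `iptables -m layer7 --help` and one rule with `-m layer7 --l7proto`, since a silent plugin load failure would drop the whole l7 part of the rule set.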
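Review bot: the configure hunk (@@ -88,6 +88,7 @@) adds `--with-xtlibdir=/lib/xtables` but I do not see `--disable-nftables` among the flags shown. In 1.8.x the nf_tables front ends are built whenever libnftnl is found at configure time, and the thread agrees IPFire 2 cannot use them; if the flag is not set elsewhere in the file, add it so the result does not depend on what happens to be installed on the build host. Also explain the new --with-xtlibdir in the commit message (why the default plugin directory is no longer right).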
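The two checks Erik describes in the thread, which front end the installed binaries are and whether `iptables-save` and `iptables-legacy-save` agree, as an added POSIX shell example. This is not code from the IPFire tree or from anyone in this thread; the SAVE_* dumps are constructed samples, and the live section only runs when the tools are present and the script is root.

```shell
#!/bin/sh
# Added example, not code from the IPFire tree or from this thread.
# It automates the checks Erik describes: which iptables front end is
# installed (legacy setsockopt or nf_tables) and whether iptables-save
# and iptables-legacy-save produce the same ruleset once volatile
# lines are stripped. The SAVE_* dumps below are constructed samples.

# Classify a front end from `iptables -V`. iptables 1.8.x appends the
# backend in parentheses; 1.6.x printed only the version.
xt_backend() {
    case "$1" in
        *"(legacy)"*)    echo legacy ;;
        *"(nf_tables)"*) echo nf_tables ;;
        *)               echo unknown ;;
    esac
}

# Strip what legitimately differs between two dumps of the same rule set:
# the timestamped header/footer comments and the [packets:bytes] counters.
xt_normalize() {
    grep -v -e '^# Generated by' -e '^# Completed on' |
        sed -e 's/\[[0-9]*:[0-9]*]/[0:0]/g'
}

# Unified diff of two normalised dumps (passed as strings).
# Exit status follows diff(1): 0 identical, 1 different.
xt_diff() {
    t1=$(mktemp) && t2=$(mktemp) || return 2
    printf '%s\n' "$1" | xt_normalize >"$t1"
    printf '%s\n' "$2" | xt_normalize >"$t2"
    diff -u "$t1" "$t2"
    rc=$?
    rm -f "$t1" "$t2"
    return "$rc"
}

# True when the two dumps describe the same rule set.
xt_same() {
    xt_diff "$1" "$2" >/dev/null
}

# Constructed sample dumps: same rules, different timestamps and counters.
SAVE_DEFAULT='# Generated by iptables-save v1.8.2 on Tue Mar  5 13:50:48 2019
*filter
:INPUT DROP [12:960]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [40:3200]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 444 -j ACCEPT
COMMIT
# Completed on Tue Mar  5 13:50:48 2019'

SAVE_LEGACY='# Generated by iptables-legacy-save v1.8.2 on Tue Mar  5 13:51:02 2019
*filter
:INPUT DROP [19:1488]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [57:4410]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 444 -j ACCEPT
COMMIT
# Completed on Tue Mar  5 13:51:02 2019'

# Same as above but with one rule missing: the comparison must catch this.
SAVE_DIVERGED='# Generated by iptables-legacy-save v1.8.2 on Tue Mar  5 13:52:00 2019
*filter
:INPUT DROP [19:1488]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [57:4410]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 444 -j ACCEPT
COMMIT
# Completed on Tue Mar  5 13:52:00 2019'

# Offline demonstration on the constructed samples.
xt_same "$SAVE_DEFAULT" "$SAVE_LEGACY" && echo "sample: default and legacy dumps agree"
xt_same "$SAVE_DEFAULT" "$SAVE_DIVERGED" || echo "sample: divergence detected, as expected"

# Live check, only when the tools are present and we may read the tables.
if command -v iptables >/dev/null 2>&1; then
    echo "installed front end: $(xt_backend "$(iptables -V 2>/dev/null)")"
fi
if [ "$(id -u)" = 0 ] && command -v iptables-legacy-save >/dev/null 2>&1; then
    xt_diff "$(iptables-save)" "$(iptables-legacy-save)" && echo "live: dumps agree"
fi
```

A plain `diff` of the two raw dumps, as done in the thread, always shows differences in the `# Generated by` timestamps and in the chain counters even when the rule set is identical, which is why the comparison normalises those first; any remaining line in the diff is a real divergence between the two front ends.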