From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] iptables: Update to 1.8.2
Date: Tue, 05 Mar 2019 09:47:37 +0000 [thread overview]
Message-ID: <393A9DC9-3752-4A73-904C-11A40EE1CEB9@ipfire.org> (raw)
In-Reply-To: <fdd52d71104ef3cc62a0fd2b48c0d14c0e2edd56.camel@ipfire.org>
[-- Attachment #1: Type: text/plain, Size: 6721 bytes --]
Hi,
I will just merge this and then we will see during testing of the Core Update.
What could possibly go wrong?
Best,
-Michael
> On 4 Mar 2019, at 06:54, ummeegge <ummeegge(a)ipfire.org> wrote:
>
> Hi Michael,
>
> On So, 2019-03-03 at 16:04 +0000, Michael Tremer wrote:
>> Hi,
>>
>> This release of iptables has some interesting changes:
>>
>> We now have multiple binaries with -legacy in name.
> Yes i was also a little in wonder about that although it looked a
> little like a helper tool if nftables and iptables running at the same
> time. Looking at linuxfromscratch -->
> http://www.linuxfromscratch.org/blfs/view/8.3/postlfs/iptables.html
> if '--disable-nftables' has been set, there are no *-legacy* binaries
> listed under "Installed Programs:".
> There is also the xtables-legacy-multi binary and looking into the
> nftables-wiki -->
> https://wiki.nftables.org/wiki-nftables/index.php/Legacy_xtables_tools
> (please check the 'link to a summary') it appears that all setsockopt
> based tools are all now considered as 'legacy'.
>
>>
>> Did you test this? Is there anything we need to think about?
> Am running iptables-1.8.2 currently with a backup of my production
> machine with ~ 50 rules and a vast IPset configuration (firewall.local)
> and i haven´t recognized problems.
>
> Some other tests i made:
> Made also a diff between 'iptables-legacy-save' and 'iptables-save'
> whereby the output seems to be pretty much the same.
> Moved then also all iptables-legacy* binaries away, restarted the
> machine and all seems to work as it should.
>
> Since it is a little a sensible update, it is great to go for some more
> overviews/testings/thinking_abouts.
>
> Best,
>
>
> Erik
>
>>
>> -Michael
>>
>>> On 3 Mar 2019, at 08:09, Erik Kapfer <ummeegge(a)ipfire.org> wrote:
>>>
>>> netfilter-layer7 has also been updated to v2.23 .
>>>
>>> Signed-off-by: Erik Kapfer <ummeegge(a)ipfire.org>
>>> ---
>>> config/rootfiles/common/iptables | 19 ++++++++++++-------
>>> lfs/iptables | 17 +++++++++--------
>>> 2 files changed, 21 insertions(+), 15 deletions(-)
>>>
>>> diff --git a/config/rootfiles/common/iptables
>>> b/config/rootfiles/common/iptables
>>> index d7584c0ad..9aa9e51cb 100644
>>> --- a/config/rootfiles/common/iptables
>>> +++ b/config/rootfiles/common/iptables
>>> @@ -17,12 +17,8 @@ lib/libiptc.so.0.0.0
>>> #lib/libxtables.la
>>> lib/libxtables.so
>>> lib/libxtables.so.12
>>> -lib/libxtables.so.12.0.0
>>> +lib/libxtables.so.12.2.0
>>> #lib/xtables
>>> -lib/xtables/libebt_802_3.so
>>> -lib/xtables/libebt_ip.so
>>> -lib/xtables/libebt_log.so
>>> -lib/xtables/libebt_mark_m.so
>>> lib/xtables/libip6t_DNAT.so
>>> lib/xtables/libip6t_DNPT.so
>>> lib/xtables/libip6t_HL.so
>>> @@ -109,7 +105,6 @@ lib/xtables/libxt_layer7.so
>>> lib/xtables/libxt_length.so
>>> lib/xtables/libxt_limit.so
>>> lib/xtables/libxt_mac.so
>>> -lib/xtables/libxt_mangle.so
>>> lib/xtables/libxt_mark.so
>>> lib/xtables/libxt_multiport.so
>>> lib/xtables/libxt_nfacct.so
>>> @@ -136,14 +131,20 @@ lib/xtables/libxt_tos.so
>>> lib/xtables/libxt_u32.so
>>> lib/xtables/libxt_udp.so
>>> sbin/ip6tables
>>> +sbin/ip6tables-legacy
>>> +sbin/ip6tables-legacy-restore
>>> +sbin/ip6tables-legacy-save
>>> sbin/ip6tables-restore
>>> sbin/ip6tables-save
>>> sbin/iptables
>>> +sbin/iptables-legacy
>>> +sbin/iptables-legacy-restore
>>> +sbin/iptables-legacy-save
>>> sbin/iptables-restore
>>> sbin/iptables-save
>>> sbin/iptables-xml
>>> #sbin/nfnl_osf
>>> -sbin/xtables-multi
>>> +sbin/xtables-legacy-multi
>>> #usr/include/libipq.h
>>> #usr/include/libiptc
>>> #usr/include/libiptc/ipt_kernel_headers.h
>>> @@ -178,5 +179,9 @@ sbin/xtables-multi
>>> #usr/share/man/man8/iptables-save.8
>>> #usr/share/man/man8/iptables.8
>>> #usr/share/man/man8/nfnl_osf.8
>>> +#usr/share/man/man8/xtables-legacy.8
>>> +#usr/share/man/man8/xtables-monitor.8
>>> +#usr/share/man/man8/xtables-nft.8
>>> +#usr/share/man/man8/xtables-translate.8
>>> #usr/share/xtables
>>> usr/share/xtables/pf.os
>>> diff --git a/lfs/iptables b/lfs/iptables
>>> index b4a2834b8..17817a9ef 100644
>>> --- a/lfs/iptables
>>> +++ b/lfs/iptables
>>> @@ -1,7 +1,7 @@
>>> ###################################################################
>>> ############
>>> #
>>> #
>>> # IPFire.org - A linux based
>>> firewall #
>>> -# Copyright (C) 2007-2018 IPFire Team <info(a)ipfire.org>
>>> #
>>> +# Copyright (C) 2007-2019 IPFire Team <info(a)ipfire.org>
>>> #
>>> #
>>> #
>>> # This program is free software: you can redistribute it and/or
>>> modify #
>>> # it under the terms of the GNU General Public License as published
>>> by #
>>> @@ -24,7 +24,7 @@
>>>
>>> include Config
>>>
>>> -VER = 1.6.2
>>> +VER = 1.8.2
>>>
>>> THISAPP = iptables-$(VER)
>>> DL_FILE = $(THISAPP).tar.bz2
>>> @@ -36,13 +36,13 @@ TARGET = $(DIR_INFO)/$(THISAPP)
>>> # Top-level Rules
>>> ###################################################################
>>> ############
>>> objects = $(DL_FILE) \
>>> - netfilter-layer7-v2.22.tar.gz
>>> + netfilter-layer7-v2.23.tar.gz
>>>
>>> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>>> -netfilter-layer7-v2.22.tar.gz = $(URL_IPFIRE)/netfilter-layer7-
>>> v2.22.tar.gz
>>> +netfilter-layer7-v2.23.tar.gz = $(URL_IPFIRE)/netfilter-layer7-
>>> v2.23.tar.gz
>>>
>>> -$(DL_FILE)_MD5 = 7d2b7847e4aa8832a18437b8a4c1873d
>>> -netfilter-layer7-v2.22.tar.gz_MD5 =
>>> 98dff8a3d5a31885b73341633f69501f
>>> +$(DL_FILE)_MD5 = 944558e88ddcc3b9b0d9550070fa3599
>>> +netfilter-layer7-v2.23.tar.gz_MD5 =
>>> 10910b6173d18e426cb56ae7e1300eeb
>>>
>>> install : $(TARGET)
>>>
>>> @@ -75,8 +75,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>>> @cd $(DIR_SRC) && tar jxf $(DIR_DL)/$(DL_FILE)
>>>
>>> # Layer7
>>> - cd $(DIR_SRC) && tar zxf $(DIR_DL)/netfilter-layer7-
>>> v2.22.tar.gz
>>> - cd $(DIR_APP) && cp -vf $(DIR_SRC)/netfilter-layer7-
>>> v2.22/iptables-1.4.3forward-for-kernel-2.6.20forward/* \
>>> + cd $(DIR_SRC) && tar zxf $(DIR_DL)/netfilter-layer7-
>>> v2.23.tar.gz
>>> + cd $(DIR_APP) && cp -vf $(DIR_SRC)/netfilter-layer7-
>>> v2.23/iptables-1.4.3forward-for-kernel-2.6.20forward/* \
>>> ./extensions/
>>>
>>> # imq
>>> @@ -88,6 +88,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>>> --libdir=/lib \
>>> --includedir=/usr/include \
>>> --enable-libipq \
>>> + --with-xtlibdir=/lib/xtables \
>>> --libexecdir=/lib \
>>> --bindir=/sbin \
>>> --sbindir=/sbin \
>>> --
>>> 2.12.2
>>>
>>
>>
>
next prev parent reply other threads:[~2019-03-05 9:47 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-03 8:09 Erik Kapfer
2019-03-03 16:04 ` Michael Tremer
2019-03-04 6:54 ` ummeegge
2019-03-05 9:47 ` Michael Tremer [this message]
2019-03-05 12:37 ` ummeegge
2019-03-05 13:50 ` Michael Tremer
2019-03-08 4:51 ` [PATCH] iptables: Commented legacy ip(6)tables entries from ROOTFILE Erik Kapfer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=393A9DC9-3752-4A73-904C-11A40EE1CEB9@ipfire.org \
--to=michael.tremer@ipfire.org \
--cc=development@lists.ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox