From: ummeegge <ummeegge@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] iptables: Update to 1.8.2
Date: Tue, 05 Mar 2019 13:37:25 +0100 [thread overview]
Message-ID: <dd55a4637f9ac35e9cc71c446f0824a51887d5ba.camel@ipfire.org> (raw)
In-Reply-To: <393A9DC9-3752-4A73-904C-11A40EE1CEB9@ipfire.org>
[-- Attachment #1: Type: text/plain, Size: 8333 bytes --]
Hi Michael,
On Di, 2019-03-05 at 09:47 +0000, Michael Tremer wrote:
> Hi,
>
> I will just merge this and then we will see during testing of the
> Core Update.
Have deleted all the *legacy* binaries and as before, no problems at
all. Should i send another patch without them ?
>
> What could possibly go wrong?
Have currently no problems in focus.
Have build also nftables (with libnftnl with an extended iptables-1.8.2
version which incl. also ebtables, arptables, the translation stuff and
a lot more) to check there for some possible usage of the *legacy*
stuff. It is currently possible to use both (iptables beneath nftables)
which offers some funky new possiblities :D but in there the same, did
NOT needed the *legacy* binaries since all known iptables binaries are
still presant but possibly i have missed/overseen something.
At least all is working.
Best,
Erik
>
> Best,
> -Michael
>
> > On 4 Mar 2019, at 06:54, ummeegge <ummeegge(a)ipfire.org> wrote:
> >
> > Hi Michael,
> >
> > On So, 2019-03-03 at 16:04 +0000, Michael Tremer wrote:
> > > Hi,
> > >
> > > This release of iptables has some interesting changes:
> > >
> > > We now have multiple binaries with -legacy in name.
> >
> > Yes i was also a little in wonder about that although it looked a
> > little like a helper tool if nftables and iptables running at the
> > same
> > time. Looking at linuxfromscratch -->
> > http://www.linuxfromscratch.org/blfs/view/8.3/postlfs/iptables.html
> > if '--disable-nftables' has been set, there are no *-legacy*
> > binaries
> > listed under "Installed Programs:".
> > There is also the xtables-legacy-multi binary and looking into the
> > nftables-wiki -->
> >
https://wiki.nftables.org/wiki-nftables/index.php/Legacy_xtables_tools
> >
> > (please check the 'link to a summary') it appears that all
> > setsockopt
> > based tools are all now considered as 'legacy'.
> >
> > >
> > > Did you test this? Is there anything we need to think about?
> >
> > Am running iptables-1.8.2 currently with a backup of my production
> > machine with ~ 50 rules and a vast IPset configuration
> > (firewall.local)
> > and i haven´t recognized problems.
> >
> > Some other tests i made:
> > Made also a diff between 'iptables-legacy-save' and 'iptables-save'
> > whereby the output seems to be pretty much the same.
> > Moved then also all iptables-legacy* binaries away, restarted the
> > machine and all seems to work as it should.
> >
> > Since it is a little a sensible update, it is great to go for some
> > more
> > overviews/testings/thinking_abouts.
> >
> > Best,
> >
> >
> > Erik
> >
> > >
> > > -Michael
> > >
> > > > On 3 Mar 2019, at 08:09, Erik Kapfer <ummeegge(a)ipfire.org>
> > > > wrote:
> > > >
> > > > netfilter-layer7 has also been updated to v2.23 .
> > > >
> > > > Signed-off-by: Erik Kapfer <ummeegge(a)ipfire.org>
> > > > ---
> > > > config/rootfiles/common/iptables | 19 ++++++++++++-------
> > > > lfs/iptables | 17 +++++++++--------
> > > > 2 files changed, 21 insertions(+), 15 deletions(-)
> > > >
> > > > diff --git a/config/rootfiles/common/iptables
> > > > b/config/rootfiles/common/iptables
> > > > index d7584c0ad..9aa9e51cb 100644
> > > > --- a/config/rootfiles/common/iptables
> > > > +++ b/config/rootfiles/common/iptables
> > > > @@ -17,12 +17,8 @@ lib/libiptc.so.0.0.0
> > > > #lib/libxtables.la
> > > > lib/libxtables.so
> > > > lib/libxtables.so.12
> > > > -lib/libxtables.so.12.0.0
> > > > +lib/libxtables.so.12.2.0
> > > > #lib/xtables
> > > > -lib/xtables/libebt_802_3.so
> > > > -lib/xtables/libebt_ip.so
> > > > -lib/xtables/libebt_log.so
> > > > -lib/xtables/libebt_mark_m.so
> > > > lib/xtables/libip6t_DNAT.so
> > > > lib/xtables/libip6t_DNPT.so
> > > > lib/xtables/libip6t_HL.so
> > > > @@ -109,7 +105,6 @@ lib/xtables/libxt_layer7.so
> > > > lib/xtables/libxt_length.so
> > > > lib/xtables/libxt_limit.so
> > > > lib/xtables/libxt_mac.so
> > > > -lib/xtables/libxt_mangle.so
> > > > lib/xtables/libxt_mark.so
> > > > lib/xtables/libxt_multiport.so
> > > > lib/xtables/libxt_nfacct.so
> > > > @@ -136,14 +131,20 @@ lib/xtables/libxt_tos.so
> > > > lib/xtables/libxt_u32.so
> > > > lib/xtables/libxt_udp.so
> > > > sbin/ip6tables
> > > > +sbin/ip6tables-legacy
> > > > +sbin/ip6tables-legacy-restore
> > > > +sbin/ip6tables-legacy-save
> > > > sbin/ip6tables-restore
> > > > sbin/ip6tables-save
> > > > sbin/iptables
> > > > +sbin/iptables-legacy
> > > > +sbin/iptables-legacy-restore
> > > > +sbin/iptables-legacy-save
> > > > sbin/iptables-restore
> > > > sbin/iptables-save
> > > > sbin/iptables-xml
> > > > #sbin/nfnl_osf
> > > > -sbin/xtables-multi
> > > > +sbin/xtables-legacy-multi
> > > > #usr/include/libipq.h
> > > > #usr/include/libiptc
> > > > #usr/include/libiptc/ipt_kernel_headers.h
> > > > @@ -178,5 +179,9 @@ sbin/xtables-multi
> > > > #usr/share/man/man8/iptables-save.8
> > > > #usr/share/man/man8/iptables.8
> > > > #usr/share/man/man8/nfnl_osf.8
> > > > +#usr/share/man/man8/xtables-legacy.8
> > > > +#usr/share/man/man8/xtables-monitor.8
> > > > +#usr/share/man/man8/xtables-nft.8
> > > > +#usr/share/man/man8/xtables-translate.8
> > > > #usr/share/xtables
> > > > usr/share/xtables/pf.os
> > > > diff --git a/lfs/iptables b/lfs/iptables
> > > > index b4a2834b8..17817a9ef 100644
> > > > --- a/lfs/iptables
> > > > +++ b/lfs/iptables
> > > > @@ -1,7 +1,7 @@
> > > > ###############################################################
> > > > ####
> > > > ############
> > > > #
> > > >
> > > > #
> > > > # IPFire.org - A linux based
> > > > firewall #
> > > > -# Copyright (C) 2007-2018 IPFire Team <info(a)ipfire.org>
> > > >
> > > > #
> > > > +# Copyright (C) 2007-2019 IPFire Team <info(a)ipfire.org>
> > > >
> > > > #
> > > > #
> > > >
> > > > #
> > > > # This program is free software: you can redistribute it and/or
> > > > modify #
> > > > # it under the terms of the GNU General Public License as
> > > > published
> > > > by #
> > > > @@ -24,7 +24,7 @@
> > > >
> > > > include Config
> > > >
> > > > -VER = 1.6.2
> > > > +VER = 1.8.2
> > > >
> > > > THISAPP = iptables-$(VER)
> > > > DL_FILE = $(THISAPP).tar.bz2
> > > > @@ -36,13 +36,13 @@ TARGET = $(DIR_INFO)/$(THISAPP)
> > > > # Top-level Rules
> > > > ###############################################################
> > > > ####
> > > > ############
> > > > objects = $(DL_FILE) \
> > > > - netfilter-layer7-v2.22.tar.gz
> > > > + netfilter-layer7-v2.23.tar.gz
> > > >
> > > > $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
> > > > -netfilter-layer7-v2.22.tar.gz = $(URL_IPFIRE)/netfilter-
> > > > layer7-
> > > > v2.22.tar.gz
> > > > +netfilter-layer7-v2.23.tar.gz = $(URL_IPFIRE)/netfilter-
> > > > layer7-
> > > > v2.23.tar.gz
> > > >
> > > > -$(DL_FILE)_MD5 = 7d2b7847e4aa8832a18437b8a4c1873d
> > > > -netfilter-layer7-v2.22.tar.gz_MD5 =
> > > > 98dff8a3d5a31885b73341633f69501f
> > > > +$(DL_FILE)_MD5 = 944558e88ddcc3b9b0d9550070fa3599
> > > > +netfilter-layer7-v2.23.tar.gz_MD5 =
> > > > 10910b6173d18e426cb56ae7e1300eeb
> > > >
> > > > install : $(TARGET)
> > > >
> > > > @@ -75,8 +75,8 @@ $(TARGET) : $(patsubst
> > > > %,$(DIR_DL)/%,$(objects))
> > > > @cd $(DIR_SRC) && tar jxf $(DIR_DL)/$(DL_FILE)
> > > >
> > > > # Layer7
> > > > - cd $(DIR_SRC) && tar zxf $(DIR_DL)/netfilter-layer7-
> > > > v2.22.tar.gz
> > > > - cd $(DIR_APP) && cp -vf $(DIR_SRC)/netfilter-layer7-
> > > > v2.22/iptables-1.4.3forward-for-kernel-2.6.20forward/* \
> > > > + cd $(DIR_SRC) && tar zxf $(DIR_DL)/netfilter-layer7-
> > > > v2.23.tar.gz
> > > > + cd $(DIR_APP) && cp -vf $(DIR_SRC)/netfilter-layer7-
> > > > v2.23/iptables-1.4.3forward-for-kernel-2.6.20forward/* \
> > > > ./extensions/
> > > >
> > > > # imq
> > > > @@ -88,6 +88,7 @@ $(TARGET) : $(patsubst
> > > > %,$(DIR_DL)/%,$(objects))
> > > > --libdir=/lib \
> > > > --includedir=/usr/include \
> > > > --enable-libipq \
> > > > + --with-xtlibdir=/lib/xtables \
> > > > --libexecdir=/lib \
> > > > --bindir=/sbin \
> > > > --sbindir=/sbin \
> > > > --
> > > > 2.12.2
> > > >
> > >
> > >
>
>
next prev parent reply other threads:[~2019-03-05 12:37 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-03 8:09 Erik Kapfer
2019-03-03 16:04 ` Michael Tremer
2019-03-04 6:54 ` ummeegge
2019-03-05 9:47 ` Michael Tremer
2019-03-05 12:37 ` ummeegge [this message]
2019-03-05 13:50 ` Michael Tremer
2019-03-08 4:51 ` [PATCH] iptables: Commented legacy ip(6)tables entries from ROOTFILE Erik Kapfer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=dd55a4637f9ac35e9cc71c446f0824a51887d5ba.camel@ipfire.org \
--to=ummeegge@ipfire.org \
--cc=development@lists.ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox