Hi Michael,

On Sun, 2019-03-03 at 16:04 +0000, Michael Tremer wrote:
> Hi,
>
> This release of iptables has some interesting changes:
>
> We now have multiple binaries with -legacy in name.

Yes I was also a little in wonder about that although it looked a little like a helper tool if nftables and iptables running at the same time. Looking at linuxfromscratch --> http://www.linuxfromscratch.org/blfs/view/8.3/postlfs/iptables.html if '--disable-nftables' has been set, there are no *-legacy* binaries listed under "Installed Programs:".

There is also the xtables-legacy-multi binary and looking into the nftables-wiki --> https://wiki.nftables.org/wiki-nftables/index.php/Legacy_xtables_tools (please check the 'link to a summary') it appears that all setsockopt based tools are all now considered as 'legacy'.

>
> Did you test this? Is there anything we need to think about?

Am running iptables-1.8.2 currently with a backup of my production machine with ~ 50 rules and a vast IPset configuration (firewall.local) and I haven't recognized problems.

Some other tests I made:
Made also a diff between 'iptables-legacy-save' and 'iptables-save' whereby the output seems to be pretty much the same.
Moved then also all iptables-legacy* binaries away, restarted the machine and all seems to work as it should.

Since it is a little a sensible update, it is great to go for some more overviews/testings/thinking_abouts.

Best,

Erik

>
> -Michael
>
> > On 3 Mar 2019, at 08:09, Erik Kapfer wrote:
> >
> > netfilter-layer7 has also been updated to v2.23 .
> >
> > Signed-off-by: Erik Kapfer
> > --- > > config/rootfiles/common/iptables | 19 ++++++++++++------- > > lfs/iptables | 17 +++++++++-------- > > 2 files changed, 21 insertions(+), 15 deletions(-) > > > > diff --git a/config/rootfiles/common/iptables > > b/config/rootfiles/common/iptables > > index d7584c0ad..9aa9e51cb 100644 > > --- a/config/rootfiles/common/iptables > > +++ b/config/rootfiles/common/iptables
> > @@ -17,12 +17,8 @@ lib/libiptc.so.0.0.0 > > #lib/libxtables.la > > lib/libxtables.so > > lib/libxtables.so.12 > > -lib/libxtables.so.12.0.0 > > +lib/libxtables.so.12.2.0 > > #lib/xtables > > -lib/xtables/libebt_802_3.so > > -lib/xtables/libebt_ip.so > > -lib/xtables/libebt_log.so > > -lib/xtables/libebt_mark_m.so > > lib/xtables/libip6t_DNAT.so > > lib/xtables/libip6t_DNPT.so > > lib/xtables/libip6t_HL.so > > @@ -109,7 +105,6 @@ lib/xtables/libxt_layer7.so > > lib/xtables/libxt_length.so > > lib/xtables/libxt_limit.so > > lib/xtables/libxt_mac.so > > -lib/xtables/libxt_mangle.so > > lib/xtables/libxt_mark.so > > lib/xtables/libxt_multiport.so > > lib/xtables/libxt_nfacct.so > > @@ -136,14 +131,20 @@ lib/xtables/libxt_tos.so > > lib/xtables/libxt_u32.so > > lib/xtables/libxt_udp.so > > sbin/ip6tables > > +sbin/ip6tables-legacy > > +sbin/ip6tables-legacy-restore > > +sbin/ip6tables-legacy-save > > sbin/ip6tables-restore > > sbin/ip6tables-save > > sbin/iptables > > +sbin/iptables-legacy > > +sbin/iptables-legacy-restore > > +sbin/iptables-legacy-save > > sbin/iptables-restore > > sbin/iptables-save > > sbin/iptables-xml > > #sbin/nfnl_osf > > -sbin/xtables-multi > > +sbin/xtables-legacy-multi > > #usr/include/libipq.h > > #usr/include/libiptc > > #usr/include/libiptc/ipt_kernel_headers.h > > @@ -178,5 +179,9 @@ sbin/xtables-multi > > #usr/share/man/man8/iptables-save.8 > > #usr/share/man/man8/iptables.8 > > #usr/share/man/man8/nfnl_osf.8 > > +#usr/share/man/man8/xtables-legacy.8 > > +#usr/share/man/man8/xtables-monitor.8 > > +#usr/share/man/man8/xtables-nft.8 > > +#usr/share/man/man8/xtables-translate.8 > > #usr/share/xtables > > usr/share/xtables/pf.os > > diff --git a/lfs/iptables b/lfs/iptables > > index b4a2834b8..17817a9ef 100644 > > --- a/lfs/iptables > > +++ b/lfs/iptables 
> > @@ -1,7 +1,7 @@ > > ################################################################### > > ############ > > # > > # > > # IPFire.org - A linux based > > firewall # > > -# Copyright (C) 2007-2018 IPFire Team > > # > > +# Copyright (C) 2007-2019 IPFire Team > > # > > # > > # > > # This program is free software: you can redistribute it and/or > > modify # > > # it under the terms of the GNU General Public License as published > > by # > > @@ -24,7 +24,7 @@ > > > > include Config > > > > -VER = 1.6.2 > > +VER = 1.8.2 > > > > THISAPP = iptables-$(VER) > > DL_FILE = $(THISAPP).tar.bz2 > > @@ -36,13 +36,13 @@ TARGET = $(DIR_INFO)/$(THISAPP) > > # Top-level Rules > > ################################################################### > > ############ > > objects = $(DL_FILE) \ > > - netfilter-layer7-v2.22.tar.gz > > + netfilter-layer7-v2.23.tar.gz > > > > $(DL_FILE) = $(DL_FROM)/$(DL_FILE) > > -netfilter-layer7-v2.22.tar.gz = $(URL_IPFIRE)/netfilter-layer7- > > v2.22.tar.gz > > +netfilter-layer7-v2.23.tar.gz = $(URL_IPFIRE)/netfilter-layer7- > > v2.23.tar.gz > > > > -$(DL_FILE)_MD5 = 7d2b7847e4aa8832a18437b8a4c1873d > > -netfilter-layer7-v2.22.tar.gz_MD5 = > > 98dff8a3d5a31885b73341633f69501f > > +$(DL_FILE)_MD5 = 944558e88ddcc3b9b0d9550070fa3599 > > +netfilter-layer7-v2.23.tar.gz_MD5 = > > 10910b6173d18e426cb56ae7e1300eeb > > > > install : $(TARGET) > > > > @@ -75,8 +75,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) > > @cd $(DIR_SRC) && tar jxf $(DIR_DL)/$(DL_FILE) > > > > # Layer7 > > - cd $(DIR_SRC) && tar zxf $(DIR_DL)/netfilter-layer7- > > v2.22.tar.gz > > - cd $(DIR_APP) && cp -vf $(DIR_SRC)/netfilter-layer7- > > v2.22/iptables-1.4.3forward-for-kernel-2.6.20forward/* \ > > + cd $(DIR_SRC) && tar zxf $(DIR_DL)/netfilter-layer7- > > v2.23.tar.gz > > + cd $(DIR_APP) && cp -vf $(DIR_SRC)/netfilter-layer7- > > v2.23/iptables-1.4.3forward-for-kernel-2.6.20forward/* \ > > ./extensions/ > > > > # imq 
> > @@ -88,6 +88,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) > > --libdir=/lib \ > > --includedir=/usr/include \ > > --enable-libipq \ > > + --with-xtlibdir=/lib/xtables \ > > --libexecdir=/lib \ > > --bindir=/sbin \ > > --sbindir=/sbin \ > > -- > > 2.12.2 > > > >
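
Review bot: The rootfile hunks at @@ -17,12 +17,8 @@ and @@ -109,7 +105,6 @@ drop lib/xtables/libebt_802_3.so, libebt_ip.so, libebt_log.so, libebt_mark_m.so and libxt_mangle.so, but the commit message only mentions the netfilter-layer7 bump. Please say in the commit message why these extensions are no longer shipped, and confirm that none of the firewall scripts in the tree reference them, since a rule that names an extension whose library is missing cannot be loaded.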
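
Review bot: In the @@ -136,14 +131,20 @@ hunk sbin/xtables-multi is replaced by sbin/xtables-legacy-multi and six *-legacy* entries are added, while sbin/iptables, sbin/iptables-save and the other unsuffixed names stay listed; the patch does not say which backend those unsuffixed names now resolve to. No nft binary appears in the rootfile, so presumably they point at xtables-legacy-multi. Please state that in the commit message, along with whether nftables support is disabled at configure time, so it is clear the rule set is only ever managed through one backend.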
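
Review bot: The @@ -36,13 +36,13 @@ hunk in lfs/iptables pins both tarballs with MD5 only ($(DL_FILE)_MD5 and netfilter-layer7-v2.23.tar.gz_MD5). MD5 is not collision resistant, so for the package that loads the firewall rules it would be worth checking the iptables tarball against upstream's published signature or a stronger digest before recording the value, and noting in the commit message how the new checksums were obtained.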
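
Review bot: In the @@ -75,8 +75,8 @@ hunk the layer7 sources are still copied from the iptables-1.4.3forward-for-kernel-2.6.20forward/ directory into ./extensions/ while VER moves from 1.6.2 to 1.8.2. The rootfile still ships lib/xtables/libxt_layer7.so, so please confirm that the v2.23 tarball keeps this directory name and that the extension builds and loads against 1.8.2, and mention the result of that test in the commit message.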
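
Review bot: The @@ -88,6 +88,7 @@ hunk adds --with-xtlibdir=/lib/xtables next to the existing --libdir=/lib without saying why it is now required. Please add a line to the commit message (or a comment above the configure call) explaining what changed in 1.8.2 that makes the explicit extension directory necessary, since a mismatch between this path and the lib/xtables/ entries in the rootfile would leave the binaries unable to find their extensions.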