Hi Michael,
On So, 2019-03-03 at 16:04 +0000, Michael Tremer wrote:
Hi,
This release of iptables has some interesting changes:
We now have multiple binaries with -legacy in name.
Yes i was also a little in wonder about that although it looked a little like a helper tool if nftables and iptables running at the same time. Looking at linuxfromscratch --> http://www.linuxfromscratch.org/blfs/view/8.3/postlfs/iptables.html if '--disable-nftables' has been set, there are no *-legacy* binaries listed under "Installed Programs:". There is also the xtables-legacy-multi binary and looking into the nftables-wiki --> https://wiki.nftables.org/wiki-nftables/index.php/Legacy_xtables_tools (please check the 'link to a summary') it appears that all setsockopt based tools are all now considered as 'legacy'.
Did you test this? Is there anything we need to think about?
Am running iptables-1.8.2 currently with a backup of my production machine with ~ 50 rules and a vast IPset configuration (firewall.local) and i havenĀ“t recognized problems.
Some other tests i made: Made also a diff between 'iptables-legacy-save' and 'iptables-save' whereby the output seems to be pretty much the same. Moved then also all iptables-legacy* binaries away, restarted the machine and all seems to work as it should.
Since it is a little a sensible update, it is great to go for some more overviews/testings/thinking_abouts.
Best,
Erik
-Michael
On 3 Mar 2019, at 08:09, Erik Kapfer ummeegge@ipfire.org wrote:
netfilter-layer7 has also been updated to v2.23 .
Signed-off-by: Erik Kapfer ummeegge@ipfire.org
config/rootfiles/common/iptables | 19 ++++++++++++------- lfs/iptables | 17 +++++++++-------- 2 files changed, 21 insertions(+), 15 deletions(-)
diff --git a/config/rootfiles/common/iptables b/config/rootfiles/common/iptables index d7584c0ad..9aa9e51cb 100644 --- a/config/rootfiles/common/iptables +++ b/config/rootfiles/common/iptables @@ -17,12 +17,8 @@ lib/libiptc.so.0.0.0 #lib/libxtables.la lib/libxtables.so lib/libxtables.so.12 -lib/libxtables.so.12.0.0 +lib/libxtables.so.12.2.0 #lib/xtables -lib/xtables/libebt_802_3.so -lib/xtables/libebt_ip.so -lib/xtables/libebt_log.so -lib/xtables/libebt_mark_m.so lib/xtables/libip6t_DNAT.so lib/xtables/libip6t_DNPT.so lib/xtables/libip6t_HL.so @@ -109,7 +105,6 @@ lib/xtables/libxt_layer7.so lib/xtables/libxt_length.so lib/xtables/libxt_limit.so lib/xtables/libxt_mac.so -lib/xtables/libxt_mangle.so lib/xtables/libxt_mark.so lib/xtables/libxt_multiport.so lib/xtables/libxt_nfacct.so @@ -136,14 +131,20 @@ lib/xtables/libxt_tos.so lib/xtables/libxt_u32.so lib/xtables/libxt_udp.so sbin/ip6tables +sbin/ip6tables-legacy +sbin/ip6tables-legacy-restore +sbin/ip6tables-legacy-save sbin/ip6tables-restore sbin/ip6tables-save sbin/iptables +sbin/iptables-legacy +sbin/iptables-legacy-restore +sbin/iptables-legacy-save sbin/iptables-restore sbin/iptables-save sbin/iptables-xml #sbin/nfnl_osf -sbin/xtables-multi +sbin/xtables-legacy-multi #usr/include/libipq.h #usr/include/libiptc #usr/include/libiptc/ipt_kernel_headers.h @@ -178,5 +179,9 @@ sbin/xtables-multi #usr/share/man/man8/iptables-save.8 #usr/share/man/man8/iptables.8 #usr/share/man/man8/nfnl_osf.8 +#usr/share/man/man8/xtables-legacy.8 +#usr/share/man/man8/xtables-monitor.8 +#usr/share/man/man8/xtables-nft.8 +#usr/share/man/man8/xtables-translate.8 #usr/share/xtables usr/share/xtables/pf.os diff --git a/lfs/iptables b/lfs/iptables index b4a2834b8..17817a9ef 100644 --- a/lfs/iptables +++ b/lfs/iptables @@ -1,7 +1,7 @@ ################################################################### ############ # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2018 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2019 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@
include Config
-VER = 1.6.2 +VER = 1.8.2
THISAPP = iptables-$(VER) DL_FILE = $(THISAPP).tar.bz2 @@ -36,13 +36,13 @@ TARGET = $(DIR_INFO)/$(THISAPP) # Top-level Rules ################################################################### ############ objects = $(DL_FILE) \
- netfilter-layer7-v2.22.tar.gz
- netfilter-layer7-v2.23.tar.gz
$(DL_FILE) = $(DL_FROM)/$(DL_FILE) -netfilter-layer7-v2.22.tar.gz = $(URL_IPFIRE)/netfilter-layer7- v2.22.tar.gz +netfilter-layer7-v2.23.tar.gz = $(URL_IPFIRE)/netfilter-layer7- v2.23.tar.gz
-$(DL_FILE)_MD5 = 7d2b7847e4aa8832a18437b8a4c1873d -netfilter-layer7-v2.22.tar.gz_MD5 = 98dff8a3d5a31885b73341633f69501f +$(DL_FILE)_MD5 = 944558e88ddcc3b9b0d9550070fa3599 +netfilter-layer7-v2.23.tar.gz_MD5 = 10910b6173d18e426cb56ae7e1300eeb
install : $(TARGET)
@@ -75,8 +75,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @cd $(DIR_SRC) && tar jxf $(DIR_DL)/$(DL_FILE)
# Layer7
- cd $(DIR_SRC) && tar zxf $(DIR_DL)/netfilter-layer7-
v2.22.tar.gz
- cd $(DIR_APP) && cp -vf $(DIR_SRC)/netfilter-layer7-
v2.22/iptables-1.4.3forward-for-kernel-2.6.20forward/* \
- cd $(DIR_SRC) && tar zxf $(DIR_DL)/netfilter-layer7-
v2.23.tar.gz
- cd $(DIR_APP) && cp -vf $(DIR_SRC)/netfilter-layer7-
v2.23/iptables-1.4.3forward-for-kernel-2.6.20forward/* \ ./extensions/
# imq @@ -88,6 +88,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) --libdir=/lib \ --includedir=/usr/include \ --enable-libipq \
--with-xtlibdir=/lib/xtables \-- 2.12.2