- Update from version 1.8.7 to 1.8.8
- Update of rootfile
- Changelog
    Version 1.8.8
        extensions: libxt_conntrack: use bitops for state negation
        extensions: libxt_conntrack: use bitops for status negation
        xtables: Call init_extensions6() for static builds
        xtables: Call init_extensions{,a,b}() for static builds
        iptables-nft: fix -Z option
        libxtables: exit if called by setuid executeable
        iptables-nft: allow removal of empty builtin chains
        extensions: tcpmss: add iptables-translate support
        nft-shared: set correct register value
        nft-shared: support native tcp port delinearize
        nft-shared: support native tcp port range delinearize
        nft-shared: support native udp port delinearize
        nft: prefer native expressions instead of udp match
        nft: prefer native expressions instead of tcp match
        nft-shared: add tcp flag dissection
        nft: add support for native tcp flag matching
        tests: shell: fix bashism
        nft: fix indentation error.
        tests: iptables-test: correct misspelt variable
        extensions: libxt_NFLOG: fix `--nflog-prefix` Python test-cases
        extensions: libxt_NFLOG: remove extra space when saving targets with prefixes
        build: replace `AM_PROG_LIBTOOL` and `AC_DISABLE_STATIC` with `LT_INIT`
        extensions: libxt_NFLOG: fix typo
        tests: iptables-test: rename variable
        tests: add `NOMATCH` test result
        tests: support explicit variant test result
        tests: NFLOG: enable `--nflog-range` tests
        xshared: Implement xtables lock timeout using signals
        extensions: libxt_NFLOG: use nft built-in logging instead of xt_NFLOG
        extensions: libxt_NFLOG: don't truncate log prefix on print/save
        extensions: libxt_NFLOG: disable `--nflog-range` Python test-cases
        fix build for missing ETH_ALEN definition
        libxtables: extend xlate infrastructure
        tests: xlate-test: support multiline expectation
        extensions: libxt_connlimit: add translation
        extensions: libxt_tcp: rework translation to use flags match representation
        extensions: libxt_conntrack: simplify translation using negation
        extensions: libxt_multiport: add translation for -m multiport --ports
        nft-shared: update context register for bitwise expression
        nft: pass struct nft_xt_ctx to parse_meta()
        nft: native mark matching support
        nft: pass handle to helper functions to build netlink payload
        nft: prepare for dynamic register allocation
        nft: split gen_payload() to allocate register and initialize expression
        configure: bump version for 1.8.8 release
        ip6tables: masquerade: use fully-random so that nft can understand the rule
        ebtables: Exit gracefully on invalid table names
        include: Drop libipulog.h
        nft: Fix bitwise expression avoidance detection
        xtables-translate: Fix translation of odd netmasks
        libxtables: Simplify xtables_ipmask_to_cidr() a bit
        nft: cache: Sort chains on demand only
        nft: Increase BATCH_PAGE_SIZE to support huge rulesets
        extensions: sctp: Explain match types in man page
        Eliminate inet_aton() and inet_ntoa()
        nft-arp: Make use of ipv4_addr_to_string()
        extensions: SECMARK: Implement revision 1
        xtables: Make invflags 16bit wide
        xshared: Eliminate iptables_command_state->invert
        xshared: Merge invflags handling code
        ebtables-translate: Use shared ebt_get_current_chain() function
        Use proto_to_name() from xshared in more places
        extensions: sctp: Fix nftables translation
        extensions: sctp: Translate --chunk-types option
        libxtables: Drop leftover variable in xtables_numeric_to_ip6addr()
        extensions: libebt_ip6: Drop unused variables
        libxtables: Fix memleak in xtopt_parse_hostmask()
        nft: Avoid memleak in error path of nft_cmd_new()
        nft: Avoid buffer size warnings copying iface names
        iptables-apply: Drop unused variable
        extensions: libebt_ip6: Use xtables_ip6parse_any()
        libxtables: Introduce xtables_strdup() and use it everywhere
        extensions: libxt_string: Avoid buffer size warning for strncpy()
        doc: ebtables-nft.8: Adjust for missing atomic-options
        ebtables: Dump atomic waste
        nft: Fix for non-verbose check command
        tests/shell: Assert non-verbose mode is silent
        extensions: hashlimit: Fix tests with HZ=100
        iptables-test: Make netns spawning more robust
        extensions: libxt_mac: Fix for missing space in listing
        nft: Use xtables_malloc() in mnl_err_list_node_add()
        nft: Use xtables_{m,c}alloc() everywhere
        tests: iptables-test: Fix missing chain case
        tests: xlate-test: Don't skip any input after the first empty line
        tests: xlate-test: Print errors to stderr
        tests: iptables-test: Print errors to stderr
        tests: xlate-test: Exit non-zero on error
        tests: iptables-test: Exit non-zero on error
        tests: shell: Return non-zero on error
        ebtables: Avoid dropping policy when flushing
        tests: iptables-test: Fix conditional colors on stderr
        nft: cache: Avoid double free of unrecognized base-chains
        nft: Check base-chain compatibility when adding to cache
        nft-chain: Introduce base_slot field
        nft: Delete builtin chains compatibly
        nft: Introduce builtin_tables_lookup()
        xshared: Store optstring in xtables_globals
        nft-shared: Introduce init_cs family ops callback
        xtables: Simplify addr_mask freeing
        nft: Add family ops callbacks wrapping different nft_cmd_* functions
        xtables-standalone: Drop version number from init errors
        libxtables: Introduce xtables_globals print_help callback
        arptables: Use standard data structures when parsing
        nft-arp: Introduce post_parse callback
        nft-shared: Make nft_check_xt_legacy() family agnostic
        xtables: Derive xtables_globals from family
        xtables: arptables accepts empty interface names
        nft: Merge xtables-arp-standalone.c into xtables-standalone.c
        Unbreak xtables-translate
        xlate-test: Print full path if testing all files
        extensions: hashlimit: Fix tests with HZ=1000
        xshared: Merge and share parse_chain()
        nft: Change whitespace printing in save_rule callback
        xshared: Share print_iface() function
        xshared: Share save_rule_details() with legacy
        xshared: Share save_ipv{4,6}_addr() with legacy
        xshared: Share print_rule_details() with legacy
        xshared: Share print_fragment() with legacy
        xshared: Share print_header() with legacy iptables
        nft-shared: Drop unused function print_proto()
        xshared: Make load_proto() static
        xshared: Share print_match_save() between legacy ip*tables
        xshared: Share a common printhelp function
        xshared: Share exit_tryhelp()
        xtables_globals: Embed variant name in .program_version
        libxtables: Extend basic_exit_err()
        iptables-*-restore: Drop pointless line reference
        xtables: Drop xtables' family on demand feature
        xtables: Pull table validity check out of do_parse()
        xtables: Move struct nft_xt_cmd_parse to xshared.h
        xtables: Pass xtables_args to check_empty_interface()
        xtables: Pass xtables_args to check_inverse()
        xtables: Do not pass nft_handle to do_parse()
        xshared: Move do_parse to shared space
        xshared: Store parsed wait and wait_interval in xtables_args
        nft: Move proto_parse and post_parse callbacks to xshared
        iptables: Use xtables' do_parse() function
        ip6tables: Use the shared do_parse, too
        extensions: *NAT: Kill multiple IPv4 range support
        xshared: Fix response to unprivileged users
        nft: Use verbose flag to toggle debug output
        iptables-restore: Support for extra debug output
        nft: Set NFTNL_CHAIN_FAMILY in new chains
        ebtables: Support verbose mode
        nft: Add debug output to table creation
        nft: cache: Dump rules if debugging
        tests: iptables-test: Support variant deviation
        iptables.8: Describe the effect of multiple -v flags
        libxtables: Register only the highest revision extension
        Improve error messages for unsupported extensions
        nft: Simplify immediate parsing
        nft: Speed up immediate parsing
        xshared: Prefer xtables_chain_protos lookup over getprotoent
        nft: Don't pass command state opaque to family ops callbacks
        libxtables: Fix for warning in xtables_ipmask_to_numeric
        Simplify static build extension loading
        nft: Review static extension loading
        tests: shell: Fix 0004-return-codes_0 for static builds
        nft: Reject standard targets as chain names when restoring
        libxtables: Implement notargets hash table
        libxtables: Boost rule target checks by announcing chain names
        xlate-test: Fix for empty source line on failure
        man: DNAT: Describe shifted port range feature
        Revert "libipt_[SD]NAT: avoid false error about multiple destinations specified"
        extensions: ipt_DNAT: Merge v1 and v2 parsers
        extensions: ipt_DNAT: Merge v1/v2 print/save code
        extensions: ipt_DNAT: Combine xlate functions also
        extensions: DNAT: Rename from libipt to libxt
        extensions: Merge IPv4 and IPv6 DNAT targets
        extensions: Merge REDIRECT into DNAT
        extensions: man: Document service name support in DNAT and REDIRECT
        extensions: MARK: Drop extra newline at end of help
        xshared: Move arp_opcodes into shared space
        xshared: Extend xtables_printhelp() for arptables
        libxtables: Drop xtables_globals 'optstring' field
        libxtables: Revert change to struct xtables_pprot
        extensions: DNAT: Merge core printing functions
        man: *NAT: Review --random* option descriptions
        extensions: LOG: Document --log-macdecode in man page
        nft: Fix EPERM handling for extensions without rev 0
        xtables-translate: add missing argument and option to usage
        Fix a few doc typos
        iptables-test.py: print with color escapes only when stdout isatty

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 config/rootfiles/common/iptables | 8 +++-----
 lfs/iptables                     | 4 ++--
 2 files changed, 5 insertions(+), 7 deletions(-)

diff --git a/config/rootfiles/common/iptables b/config/rootfiles/common/iptables index b8bf748a5..ba1621324 100644 --- a/config/rootfiles/common/iptables +++ b/config/rootfiles/common/iptables @@ -13,15 +13,13 @@ lib/libipq.so.0.0.0 #lib/libxtables.la lib/libxtables.so lib/libxtables.so.12 -lib/libxtables.so.12.4.0 +lib/libxtables.so.12.6.0 #lib/xtables -lib/xtables/libip6t_DNAT.so lib/xtables/libip6t_DNPT.so lib/xtables/libip6t_HL.so lib/xtables/libip6t_LOG.so lib/xtables/libip6t_MASQUERADE.so lib/xtables/libip6t_NETMAP.so -lib/xtables/libip6t_REDIRECT.so lib/xtables/libip6t_REJECT.so lib/xtables/libip6t_SNAT.so lib/xtables/libip6t_SNPT.so @@ -37,12 +35,10 @@ lib/xtables/libip6t_mh.so lib/xtables/libip6t_rt.so lib/xtables/libip6t_srh.so lib/xtables/libipt_CLUSTERIP.so -lib/xtables/libipt_DNAT.so lib/xtables/libipt_ECN.so lib/xtables/libipt_LOG.so lib/xtables/libipt_MASQUERADE.so lib/xtables/libipt_NETMAP.so -lib/xtables/libipt_REDIRECT.so lib/xtables/libipt_REJECT.so lib/xtables/libipt_SNAT.so lib/xtables/libipt_TTL.so @@ -57,6 +53,7 @@ lib/xtables/libxt_CLASSIFY.so lib/xtables/libxt_CONNMARK.so lib/xtables/libxt_CONNSECMARK.so lib/xtables/libxt_CT.so +lib/xtables/libxt_DNAT.so lib/xtables/libxt_DSCP.so lib/xtables/libxt_HMARK.so lib/xtables/libxt_IDLETIMER.so @@ -66,6 +63,7 @@ lib/xtables/libxt_NFLOG.so lib/xtables/libxt_NFQUEUE.so lib/xtables/libxt_NOTRACK.so lib/xtables/libxt_RATEEST.so +lib/xtables/libxt_REDIRECT.so lib/xtables/libxt_SECMARK.so lib/xtables/libxt_SET.so lib/xtables/libxt_SYNPROXY.so diff --git a/lfs/iptables b/lfs/iptables index c2f0d56c5..275559bfe 100644 --- a/lfs/iptables +++ b/lfs/iptables @@ -24,7 +24,7 @@
include Config
-VER = 1.8.7 +VER = 1.8.8
THISAPP = iptables-$(VER) DL_FILE = $(THISAPP).tar.bz2 @@ -41,7 +41,7 @@ objects = $(DL_FILE) \ $(DL_FILE) = $(DL_FROM)/$(DL_FILE) netfilter-layer7-v2.23.tar.gz = $(URL_IPFIRE)/netfilter-layer7-v2.23.tar.gz
-$(DL_FILE)_BLAKE2 = fd4dcff142eaadde2a14ce3eb5e45d41c326752553b52900c77fd2e2a20c0685d0a04b95755995e914df47658834d52216d6465c2ae9cd6abc6eb122b95cc976 +$(DL_FILE)_BLAKE2 = 0da021cc7313b86af331768904956dab3eee3de245a7b03965129f3d7f13097fc03fbb1390167dcd971eff216eabad9e59b261a9c0f54bfc48a77453aa40d164 netfilter-layer7-v2.23.tar.gz_BLAKE2 = 5c8ab722f6fbc126f2f65ecf401de5fc40560c20e3be52f783db34410446185dcb6781b3148e4a174e8b2d2c290bec0342dea95e8cefc35c39345617fa7a8fdc
install : $(TARGET)
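
Review bot: In config/rootfiles/common/iptables the rootfile stops listing lib/libxtables.so.12.4.0 and the four libipt_/libip6t_ DNAT and REDIRECT modules, but nothing in this patch removes those files on systems that are upgraded, so they would stay on disk next to libxtables.so.12.6.0 and the new libxt_DNAT.so and libxt_REDIRECT.so. Suggest making sure the update that ships this package deletes the five dropped paths, and saying so in the commit message.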
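
Review bot: In lfs/iptables the `$(DL_FILE)_BLAKE2` value is replaced together with the `VER` bump, and neither the hunk nor the commit message says how the iptables-1.8.8.tar.bz2 that was hashed was obtained or checked. Suggest adding a line to the commit message stating that the tarball was verified against the upstream project's published signature or checksum before the new value was recorded, since the BLAKE2 line only pins whatever file was downloaded at build time.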
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>