Author: ljlane
Description: iptables source doesn't include a changelog.
 This is an amalgamation of external changelog files taken
 from ftp.netfilter.org.

Index: b/Changelog
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ b/Changelog	2010-06-12 13:24:59.838583131 -0400
@@ -0,0 +1,2483 @@
+iptables v1.4.8 Changelog:
+======================================================================
+Changes from 1.4.7:
+
+
+Dmitry V. Levin (3):
+      extensions: REDIRECT: fix --to-ports parser
+      iptables: add noreturn attribute to exit_tryhelp()
+      extensions: MASQUERADE: fix --to-ports parser
+
+Jan Engelhardt (9):
+      libxt_comment: avoid use of IPv4-specific examples
+      libxt_CT: add a manpage
+      iptables: correctly check for too-long chain/target/match names
+      doc: libxt_MARK: no longer restricted to mangle table
+      doc: remove claim that TCPMSS is limited to mangle
+      libxt_recent: add a missing space in output
+      doc: add manpage for libxt_osf
+      libxt_osf: import nfnl_osf program
+      extensions: add support for xt_TEE
+
+Karl Hiramoto (1):
+      iptables: optionally disable largefile support
+
+Pablo Neira Ayuso (1):
+      CT: fix --ctevents parsing
+
+Patrick McHardy (7):
+      extensions: add CT extension
+      libxt_CT: print conntrack zone in ->print/->save
+      Merge branch 'master' of git://dev.medozas.de/iptables into iptables-next
+      xtables: fix compilation when debugging is enabled
+      Merge branch 'iptables-next'
+      Revert "Merge branch 'iptables-next'"
+      Bump version to 1.4.8
+
+Simon Lodal (1):
+      libxt_conntrack: document --ctstate UNTRACKED
+
+Vincent Bernat (1):
+      iprange: fix xt_iprange v0 parsing
+
+
+
+iptables v1.4.7 Changelog:
+======================================================================
+Changes from 1.4.6:
+
+
+Dmitry V. Levin (1):
+      libip4tc: Add static qualifier to dump_entry()
+
+Jan Engelhardt (8):
+      libipq: build as shared library
+      recent: reorder cases in code (cosmetic cleanup)
+      doc: fix recent manpage to reflect actual supported syntax
+      doc: fix limit manpage to reflect actual supported syntax
+      doc: mention requirement of additional packages for ipset
+      policy: fix error message showing wrong option
+      includes: header updates
+      Lift restrictions on interface names
+
+Patrick McHardy (1):
+      iptables 1.4.7
+
+
+
+iptables v1.4.6 Changelog:
+======================================================================
+Changes from 1.4.5:
+
+
+Jan Engelhardt (20):
+      iptables: manpage updates for augmented -Z syntax
+      doc: mention maximum mark size in manpages
+      Support for nommu arches
+      realm: remove static initializations
+      libiptc: remove unused functions
+      libiptc: avoid strict-aliasing warnings
+      iprange: do accept non-ranges for xt_iprange v1
+      iprange: warn on reverse range
+      iprange: roll address parsing into a loop
+      iprange: do accept non-ranges for xt_iprange v1 (log)
+      iprange: warn on reverse range (log)
+      libiptc: fix wrong maptype of base chain counters on restore
+      iptables: fix undersized deletion mask creation
+      style: reduce indent in xtables_check_inverse
+      libxtables: hand argv to xtables_check_inverse
+      iptables/extensions: make bundled options work again
+      CONNMARK: print mark rules with mask 0xffffffff as set instead of xset
+      iptables: take masks into consideration for replace command
+      doc: explain experienced --hitcount limit
+      doc: name resolution clarification
+
+Mohit Mehta (1):
+      iptables: expose option to zero packet/byte counters for a specific rule
+
+Olaf Rempel (1):
+      build: restore --disable-ipv6 functionality on system w/o v6 headers
+
+Patrick McHardy (7):
+      Merge branch 'zero' of git://dev.medozas.de/iptables
+      MARK: print mark rules with mask 0xffffffff as --set-mark instead of --set-xmark
+      DNAT: fix incorrect check during parsing
+      extensions: add osf extension
+      conntrack: fix --expires parsing
+      Merge branch 'master' of git://dev.medozas.de/iptables
+      Bump version to v1.4.6
+
+Tim Small (1):
+      doc: update TCPMSS manpage with Linux 2.6.25 changes
+
+sobtwmxt (1):
+      doc: fix typo in length manpage
+
+
+
+iptables v1.4.5 Changelog:
+======================================================================
+Changes from 1.4.4:
+
+
+Florian Westphal (1):
+      libxt_NFQUEUE: add new v1 version with queue-balance option
+
+Jan Engelhardt (18):
+      xt_conntrack: revision 2 for enlarged state_mask member
+      libxt_helper: fix invalid passed option to check_inverse
+      libiptc: split v4 and v6
+      extensions: collapse registration structures
+      iptables: allow for parse-less extensions
+      iptables: allow for help-less extensions
+      extensions: remove empty help and parse functions
+      xtables: add multi-registration functions
+      extensions: collapse data variables to use multi-reg calls
+      xtables: warn of missing version identifier in extensions
+      COMMIT_NOTES: notice to check for soversion bumps
+      build: order of dependent libs is sensitive
+      multi binary: allow subcommand via argv[1]
+      build: fix struct size mismatch
+      build: combine iptables-multi and iptables-static
+      build: build only iptables-multi
+      Merge branch 'stable'
+      manpages: more fixes to minuses, hyphens, dashes
+
+Laurence J. Lane (1):
+      manpage: fix lintian warnings
+
+Michael Granzow (1):
+      iptables: accept multiple IP address specifications for -s, -d
+
+Patrick McHardy (2):
+      man: fix incorrect plural in libipt_set.man
+      Bump version number to 1.4.5
+
+Trent W. Buck (1):
+      ipt_set: fix a typo in the manpage
+
+
+iptables v1.4.4 Changelog:
+======================================================================
+Changes from 1.4.3.2:
+
+
+Frank Tobin (1):
+      libxt_tcp: fix a manpage syntax typo
+
+Ian Bruce (1):
+      libxt_tcp: manpage corrections and suggestions
+
+Jan Engelhardt (15):
+      Add new COMMIT_NOTES document
+      xtables: use extern "C"
+      extensions: add const qualifiers in print/save functions
+      iptables: replace open-coded sizeof by ARRAY_SIZE
+      addrtype: fix one manpage type
+      manpages: do not include v4-only modules in ip6tables manpage
+      libip6t_policy: remove redundant functions
+      policy: use direct xt_policy_info instead of ipt/ip6t
+      policy: merge ipv6 and ipv4 variant
+      build: fix manpage collection
+      extensions: use NFPROTO_UNSPEC for .family field
+      DNAT/SNAT: add manpage documentation for --persistent flag
+      extensions: remove redundant casts
+      iptables: close open file descriptors
+      manpages: markup corrections
+
+Jozsef Kadlecsik (1):
+      Updated set/SET match and target to support multiple ipset protocols.
+
+Pablo Neira Ayuso (2):
+      extensions: add `cluster' match support
+      xtables: fix segfault if incorrect protocol name is used
+
+Patrick McHardy (3):
+      SNAT/DNAT: add support for persistent multi-range NAT mappings
+      Merge branch 'stable' of git://dev.medozas.de/iptables
+      Bump version
+
+kd6lvw (1):
+      libxt_connlimit: initialize v6_mask
+
+
+
+iptables v1.4.3.2 Changelog:
+======================================================================
+Changes from 1.4.3.1:
+
+
+Jan Engelhardt (12):
+      libxt_tcpmss: fix an inversion while parsing --mss
+      iptables-multi: support "iptables-static" as a callable name
+      libxtables: reorder .version member
+      build: do not run ldconfig for DESTDIR installations
+      build: add configure option to disable ip6tables
+      build: add configure option to disable ipv4 iptables
+      libxtables: provide IPv6 zero address variable
+      iptables: print negation extrapositioned
+      Merge commit 'v1.4.3'
+      Merge branch 'plus'
+      CLASSIFY: document non-standard interpretation behavior
+      libxt_conntrack: properly output negation symbol
+
+Pablo Neira Ayuso (1):
+      build: bump version to 1.4.3.2
+
+
+iptables v1.4.3.1 Changelog:
+======================================================================
+Changes from 1.4.3:
+
+
+Jan Engelhardt (2):
+      iptables-save: minor corrections to the manpage markup
+      libxt_hashlimit: add missing space for iptables-save output
+
+Pablo Neira Ayuso (2):
+      build: bump version to 1.4.3.1
+      iptables: refer to dmesg if we hit EINVAL
+
+Peter Volkov (2):
+      libxtables: fix compile error due to incomplete change
+      build: fix linker issue when LDFLAGS contains --as-needed
+
+
+
+iptables v1.4.3 Changelog:
+======================================================================
+Changes from 1.4.2:
+
+
+Bart De Schuymer (1):
+      man: fix physdev manpage
+
+Christian Perle (1):
+      libxt_policy: cannot set spi/reqid numbers higher than 0x7fffffff
+
+Christoph Paasch (1):
+      libiptc: avoid compile warnings for iptc_insert_chain
+
+Daniel Drake (1):
+      libxt_owner: add more spaces to output
+
+Eric Leblond (1):
+      xt_NFLOG: Set default NFLOG qthreshold to 0
+
+Jamal Hadi Salim (12):
+      libxtables: Introduce global params structuring
+      libxtables: define xtables_free_opts()
+      libxtables: Add exit_error cb to xtables_globals
+      libxtables: Make ip6tables, iptables and iptables-xml use xtables_globals
+      libxtables: Replace direct exit_error() calls inside libxtables
+      libxtables: simple aliasing macro for exit_error
+      libxtables: set names of programs
+      libxtables: add xtables_set_revision
+      libxtables: make iptables and ip6tables use xtables_free_opts
+      libxtables: consolidate merge_options into xtables_merge_options
+      libxtables: consolidate init calls into one function
+      libxtables: general follow-up cleanup
+
+Jan Engelhardt (84):
+      Move libipt_recent to libxt_recent
+      libxt_recent: add IPv6 support
+      manpage: use separate paragraphs for command syntax
+      manpage: explain what rule-specification is
+      libiptc: remove typedef indirection
+      libiptc: remove indirections
+      libiptc: remove unused iptc_get_raw_socket and iptc_check_packet
+      libiptc: use hex output for hookmask
+      libxt_conntrack: respect -n option during ruledump
+      libiptc: make sockfd a per-handle thing
+      libxt_conntrack: dump ctdir
+      src: reuse the global modprobe_program variable
+      src: use NFPROTO_ constants
+      src: remove inclusion of iptables.h
+      doc: fix a typo in libip6t_REJECT.man
+      libiptc: guard chain index allocation for different malloc implementations
+      src: remove unused include files
+      iptables-save: output ! in position according to manpage
+      rateest: guard against segfault
+      env: augment deprecation notice
+      build: resolve autotools suggestions
+      doc: put iptables version into manpage
+      doc: resynchronize markup in iptables,ip6tables.8.in
+      doc: escape minus sign in manpages
+      build: use regular = assignments in Makefile
+      build: remove non-portable rule
+      doc: escape minus sign in manpage (2)
+      doc: augment ICMP manpage by type/code syntax
+      src: remove redundant returns at end of void-returning functions
+      src: remove redundant casts
+      libxt_owner: use correct UID/GID boundaries
+      extensions: use UINT_MAX constants over open-coded bits (1/2)
+      extensions: use UINT_MAX constants over open-coded numbers (2/2)
+      libxtables: prefix/order - fw_xalloc
+      libxtables: prefix/order - modprobe and xtables.ko loading
+      libxtables: prefix/order - match/target loading
+      libxtables: prefix/order - libdir
+      libxtables: prefix/order - strtoui
+      libxtables: prefix/order - program_name
+      libxtables: prefix/order - param_act
+      libxtables: prefix/order - ipaddr/ipmask to ascii output
+      libxtables: prefix/order - ascii to ipaddr/ipmask input
+      libxtables: prefix - misc functions
+      libxtables: prefix - parse and escaped output func
+      libxtables: prefix/order - move check_inverse to xtables.c
+      libxtables: prefix/order - move parse_protocol to xtables.c
+      libbxtables: prefix names and order it #1
+      libxtables: prefix names and order it #2
+      libxtables: prefix names and order #3
+      libxtables: move afinfo around
+      Merge branch 'origin/master'
+      libxtables: recognize IP6TABLES_LIB_DIR old-style environment variable
+      build: move -ldl to proper LDADD
+      libxtables: remove unused XT_LIB_DIR macro
+      libxtables: decouple non-xtables parts from header
+      src: remove iptables_rule_match indirection macro
+      src: remove unused ipt_tryload macro
+      libxtables: move compat defines to xtables.c
+      src: consolidate duplicate code in iptables/internal.h
+      libxtables: use const for vars holding literals
+      libxt_string: fix undefined behavior/incorrect patlen calculation
+      libxtables: flush before fork
+      libipq: add missing doc for NF_ values
+      build: restructure Makefile for include/ directory
+      libipq: fix compile error
+      build: remove unneeded -ldl from iptables_xml_LDADD
+      libiptc: make library available as a shared library
+      build: trigger reconfigure when extensions/GNUmakefile.in changes
+      doc: do not put IPv4 doc into ip6tables.8
+      doc: resynchronize manpage with in-code help
+      libxtables: inline and remove unused OPTION_OFFSET macro
+      libxtables: prefix exit_error to xtables_error
+      extensions: remove unwanted/add needed includes for IPv6 exts
+      extensions: remove unwanted/add needed includes for IPv4 exts
+      libxt_policy: use bounded strtoui
+      include: resynchronize headers with 2.6.29-rc5
+      extensions: add missing limits.h include
+      iptables: turn deprecation warning into enforcing mode
+      Merge commit 'nf/master'
+      libxt_connbytes: minor manpage adustments
+      libxt_connbytes: document nf_ct_acct behavior
+      libxtables: add -I/-L flags to pkgconfig files
+      libxt_comment: output quotes must be escaped in
+      iptables-save: module loading corrections
+
+Jesper Dangaard Brouer (3):
+      libiptc: fix chain rename bug in libiptc
+      libiptc: fix whitespaces and typos
+      libiptc: give credits to my self
+
+Jirí Moravec (1):
+      libxt_TOS: fix compilation error
+
+KOVACS Krisztian (2):
+      Add iptables support for the TPROXY target
+      Add iptables support for the socket match
+
+Marc Fournier (1):
+      doc: fix option typo in libxt_multiport
+
+Pablo Neira Ayuso (5):
+      iptables: fix error reporting with wrong/missing arguments
+      state: report spaces in the state list parsing
+      iptables: refer to dmesg when we hit error
+      string: fix wrong pattern length calculation
+      iptables: fix broken options-merging during libxtables rework
+
+Patrick McHardy (5):
+      Add SCTP/DCCP support to NAT targets
+      Bump version to 1.4.3-rc1
+      Merge branch 'master' of git://dev.medozas.de/iptables
+      Merge branch 'master' of git://dev.medozas.de/iptables
+      Bump version to 1.4.3
+
+Shaul Karl (1):
+      doc: fix one layout issue in iptables-restore.8
+
+Stephen Hemminger (1):
+      iptables: Add limits.h to get INT_MIN, INT_MAX, ...
+
+Thomas Jarosch (2):
+      Fix compile error in libxt_iprange.c using gcc 4.3.2
+      Fix compile warnings using gcc 4.3.2
+
+
+iptables v1.4.2 Changelog:
+======================================================================
+Changes from 1.4.2-rc1:
+
+Jan Engelhard (1):
+	build: fix iptables-static build
+
+Jan Engelhardt (26):
+	build: do not install ip{,6}tables.h
+	Merge branch 'master' of vishnu.netfilter.org:/data/git/iptables
+	manpages: name and markup fixes
+	src: remove dependency on libiptc headers
+	src: drop libiptc from installation
+	iptables-restore: fix segmentation fault with -tanything
+	libxt_recent: do not allow both --set and --rttl
+	Put xtables.c into its own library, libxtables.so
+	manpages: correct erroneous markup
+	physdev: remove extra space in output
+	Warn about use of DROP in nat table
+	Synchronize invert flag order with manpages
+	build: fix dependency tracking for xtables.h.in
+	build: fix initext.c dependency
+	manpages: add missing --rsource,--rdest options to libxt_recent.man
+	manpages: add missing rateest documentation
+	manpages: add missing rateest match documentation
+	libxt_mac: flatten casts in libxt_mac
+	libxt_iprange: fix option names
+	src: use regular includes
+	src: Update comments
+	build: prepare make tarball for git 1.6.0
+	libxt_recent: do allow --rttl for --update
+	src: update comments part II
+	build: run ldconfig on `make install`
+	doc: remove mentions of NAT in ip6tables manpage
+
+Jesper Dangaard Brouer (1):
+	libiptc: remove old fixme
+
+Pablo Sebastian Greco (1):
+	mark: fix invalid iptables-save output
+
+Patrick McHardy (2):
+	manpages: fix another typo in tcp manpage
+	v1.4.2
+
+Phil Oester (3):
+	iptables-save: fix hashlimit output
+	libxt_dscp: fix save of negated dscp match rules
+	src: Missing limits.h includes
+
+WANG Cong (1):
+	manpages: Fix a typo in tcp man page
+
+
+
+iptables v1.4.1-rc1 Changelog:
+======================================================================
+Changes from 1.4.0:
+
+Peter Warasin:
+	Fix CONNMARK mask initialisation
+
+Jesper Dangaard Brouer:
+	Inline functions iptcc_is_builtin() and set_changed()
+	Introduce a counter for number of user defined chains
+	Solving scalability issue: for chain list "name" searching
+
+Patrick McHardy:
+	Add RATEEST target extension
+	Add rateest match extension
+	Remove obsolete file
+	Add netfilter.h
+	Remove compiler.h inclusions
+	Retry ruleset dump when kernel returns EAGAIN
+
+Pablo Neira Ayuso:
+	Cleanup several code wraparounds
+	Check for malloc() return value in merge_opts()
+	Check for merge_opts() return value
+
+Jan Engelhardt:
+	Converts the iptables build infrastructure to autotools
+	Introduce strtonum()
+	Introduce common error messages
+	Add libxt_owner
+	Add libxt_tos
+	Add libxt_TOS
+	Add libxt_MARK r2
+	Add libxt_connmark r1
+	Print warning when dlopen fails
+	Add libxt_conntrack r0
+	Bunch o' renames
+	Rename overlapping function names
+	Add more libxt_hashlimit checks
+	Add libxt_mark r1
+	Add libxt_iprange r0
+	Add libxt_iprange r1
+	Give preference to iptables header files
+	Build adjustments
+	Add libxt_CONNMARK revision 1
+	Add libxt_conntrack revision 1
+	libxt_owner: UID/GID range support
+	Fix compilation of iptables-static build
+	Correct the family member value of libxt_mark revision 1
+	Makefile: add a "tarball" target
+	Drop -W from CFLAGS and some tiny code cleanups
+	Fix -Wshadow warnings and clean up xt_sctp.h
+	Update the libxt_owner manpage with the UID/GID-range feature
+	Fix all remaining warnings (missing declarations, missing prototypes)
+	xtables.h: move non-exported parts to internal.h
+	Add support for xt_hashlimit match revision 1
+	Combine IP{,6}T_LIB_DIR into XTABLES_LIBDIR
+	manpages: fix broken markup (missing close tags)
+	manpages: grammar and spelling
+	manpages: update to reflect fine-grained control
+	configure: split --enable-libipq from --enable-devel
+	Import iptables-apply
+	Add all necessary header files - compilation fix for various cases
+	Install libiptc header files because xtables.h depends on it
+	iptables: use C99 lists for struct options
+	RATEEST: add manpage
+	Implement AF_UNSPEC as a wildcard for extensions
+	Combine ipt and ip6t manpages
+	Resolve warnings on 64-bit compile
+	Wrap dlopen code into NO_SHARED_LIBS
+	Remove support for compilation of conditional extensions
+	Resolve libipt_set warnings
+	Update documentation about building the package
+	configure.ac: AC_SUBST must be separate
+	Dynamically create xtables.h.in with version
+	configure.ac: remove already-defined variables
+	Remove old functions, constants
+	Properly initialize revision for ip6tables targets
+	Makefile.am: use PACKAGE_TARNAME
+	iptables out-of-tree build directory
+
+Sven Schnelle:
+	Add libxt_TCPOPTSTRIP
+
+Max Kellermann:
+	Fix REDIRECT manpage
+	Whitespace cleanup
+	Use size_t
+	Escape strings
+	Unescape parameters
+	Allow empty strings in argument parser
+	Fix gcc warnings
+
+Naohiro Ooiwa:
+	Fix define value of SCTP chunk type
+
+Filippo Zangheri:
+	Remove useless white spaces from iptables-xml manpages
+
+James King:
+	libxt_iprange: Fix IP validation logic
+
+Shan Wei:
+	iptables-save: remove unnecessary code
+
+Henrik Nordstrom:
+	Make iptables-restore usable over a pipe
+	Add support for --set-counters to iptables -P
+	iptables --list-rules command
+	iptables --list chain rulenum
+	Make --set-counters (-c) accept comma separated counters
+
+Jamie Strandboge:
+	Fix ip6tables dest address printing
+
+
+
+iptables v1.4.1.1 Changelog
+=====================================================================
+
+Henrik Nordstrom (1):
+	iptables: fix printing of line numbers with --line-numbers arg
+
+Jan Engelhardt (3):
+	ip6tables: fix printing of ipv6 network masks
+	build: fix `make install` when --disable-shared is used
+	iprange: kernel flags were not set
+
+Patrick McHardy (1):
+	v1.4.1.1
+
+
+
+iptables v1.4.1 Changelog
+======================================================================
+
+Filippo Zangheri (1):
+	removes useless white spaces from iptables-xml manpages.
+
+Gáspár Lajos (1):
+	iptables: use C99 lists for struct options
+
+Henrik Nordstrom (5):
+	Make iptables-restore usable over a pipe
+	Add support for --set-counters to iptables -P
+	iptables --list-rules command
+	iptables --list chain rulenum
+	Make --set-counters (-c) accept comma separated counters
+
+James King (1):
+	[IPTABLES]: libxt_iprange: Fix IP validation logic
+
+Jamie Strandboge (1):
+	fix ip6tables dest address printing
+
+Jan Engelhardt (55):
+	Converts the iptables build infrastructure to autotools.
+	Introduce strtonum(), which works like string_to_number(), but passes
+	common error messages
+	libxt_owner
+	libxt_tos
+	libxt_TOS
+	libxt_MARK r2
+	libxt_connmark r1
+	print warning when dlopen fails
+	libxt_conntrack r0
+	bunch o' renames
+	rename overlapping function names
+	libxt_hashlimit checks
+	libxt_mark r1
+	libxt_iprange r0
+	libxt_iprange r1
+	Give preference to iptables header files
+	Build adjustments
+	libxt_CONNMARK revision 1
+	[IPTABLES]: libxt_conntrack revision 1
+	[IPTABLES]: libxt_owner: UID/GID range support
+	Fix compilation of iptables-static build
+	Correct the family member value of libxt_mark revision 1
+	Makefile: add a "tarball" target
+	Drop -W from CFLAGS and some tiny code cleanups
+	Fix -Wshadow warnings and clean up xt_sctp.h
+	Update the libxt_owner manpage with the UID/GID-range feature
+	Fix all remaining warnings (missing declarations, missing prototypes)
+	xtables.h: move non-exported parts to internal.h
+	Add support for xt_hashlimit match revision 1
+	Combine IP{,6}T_LIB_DIR into XTABLES_LIBDIR
+	manpages: fix broken markup (missing close tags)
+	manpages: grammar and spelling
+	manpages: update to reflect fine-grained control
+	configure: split --enable-libipq from --enable-devel
+	Add all necessary header files - compilation fix for various cases
+	Install libiptc header files because xtables.h depends on it
+	RATEEST: add manpage
+	Implement AF_UNSPEC as a wildcard for extensions
+	Combine ipt and ip6t manpages
+	Resolve warnings on 64-bit compile
+	Wrap dlopen code into NO_SHARED_LIBS
+	Remove support for compilation of conditional extensions
+	Resolve libipt_set warnings
+	Update documentation about building the package
+	configure.ac: AC_SUBST must be separate
+	Dynamically create xtables.h.in with version
+	configure.ac: remove already-defined variables
+	Remove old functions, constants
+	Makefile.am: use PACKAGE_TARNAME
+	iptables out-of-tree build directory
+	Update .gitignore
+	build: check for missing feature files
+	libxt_owner: add spaces to output
+	manpage updates
+
+Jesper Dangaard Brouer (3):
+	Inline functions iptcc_is_builtin() and set_changed().
+	Introduce a counter for number of user defined chains.
+	Solving scalability issue: for chain list "name"	searching.
+
+Kristof Provost (1):
+	REDIRECT: Allow symbolic port in REDIRECT --to-port
+
+Laszlo Attila Toth (1):
+	addrtype match: added revision 1
+
+Lutz Jaenicke (1):
+	Fix iptables-save output of libxt_owner match
+
+Martin F. Krafft (1):
+	Import iptables-apply
+
+Max Kellermann (7):
+	Fix REDIRECT manpage
+	whitespace cleanup
+	use size_t
+	escape strings
+	unescape parameters
+	allow empty strings in argument parser
+	fix gcc warnings
+
+Naohiro Ooiwa (1):
+	Fix define value of SCTP chunk type.
+
+Pablo Neira Ayuso (2):
+	- cleanup several code wraparounds
+	bump iptables version to prepare 1.4.1 release
+
+Patrick McHardy (16):
+	Add RATEEST target extension
+	Add rateest match extension
+	Remove obsolete file
+	Add netfilter.h
+	Remove compiler.h inclusions.
+	Retry ruleset dump when kernel returns EAGAIN.
+	Properly initialize revision for ip6tables targets
+	Bump version to 1.4.1-rc1
+	iptables 1.4.1-rc2
+	manpages: consistent syntax
+	Resync header files with kernel
+	Bump version
+	libiptc: move variable definitions to head of function
+	iptables-xml: sparse fixes
+	sparse warning fixes: integer used as pointer
+	v1.4.1
+
+Peter Warasin (1):
+	Fix CONNMARK mask initialisation
+
+Shan Wei (1):
+	iptables-save:remove unnecessary code.
+
+Sven Schnelle (1):
+	libxt_TCPOPTSTRIP
+
+Thomas Jacob (1):
+	Don't assume /bin/sh is bash
+
+Thomas Jarosch (1):
+	Add xtables version defines.
+
+Yasuyuki Kozakai (1):
+	Use s6_addr32 to access bits in int6_addr instead of incompatible name
+
+
+
+iptables v1.4.0 Changelog
+======================================================================
+Changes from 1.4.0rc1:
+
+- Don't use dlfcn.h if NO_SHARED_LIBS is defined
+	[ Mike Frysinger ]
+
+- Fix showing help text for matches/targets with revision as user
+	[ Patrick McHardy ]
+
+- Print warnings to stderr
+	[ Max Kellermann ]
+
+- Fix sscanf type errors
+	[ Patrick McHardy ]
+
+- Always print mask in iptables-save
+	[ Jan Engelhardt ]
+
+- Don't silenty exit on failure to open /proc/net/{ip,ip6}_tables_names
+	[ Victor Stinner ]
+
+- Adds --table to iptables-restore
+	[ Peter Warasin ]
+
+- Make DO_MULTI=1 work for ip6tables* binaries
+	[ Hann-huei Chiou ]
+
+- Add ip6tables-{save,restore} to non-experimental target, fix strict aliasing
+warnings
+	[ Patrick McHardy ]
+
+- Introducing libxt_*.man files. Sorted matches and modules
+	[ Laszlo Attila Toth ]
+
+- Install ip6tables-{save,restore} manpages
+	[ Patrick McHardy ]
+
+- Performance optimization in sorting chain during pull-out
+	[ Jesper Dangaard Brouer ]
+
+- Fix sockfd use accounting for kernels without autoloading
+	[ Patrick McHardy ]
+
+- use <linux/types.h>
+	[ Jan Engelhardt ]
+
+- Fix make/compile error for iptables-1.4.0rc1
+	[ Jesper Dangaard Brouer ]
+
+- Fix for --random option in DNAT and REDIRECT
+	[ Tom Eastep ]
+
+- Document xt_statistic
+	[ Stefano Sabatini ]
+
+- sctp: fix - mistake to pass a pointer where array is required
+	[ Li Zefan ]
+
+- Fix connlimit output for inverted --connlimit-above: ! > is <=, not <
+	[ Patrick McHardy ]
+
+- Add NFLOG manpage
+	[ Patrick McHardy ]
+
+- Move libipt_DSCP.man to libxt_DSCP.man for ip6tables.8
+	[ Yasuyuki Kozakai ]
+
+- Unifies libip[6]t_CONNSECMARK.man to libxt_CONNSECMARK.man
+	[ Yasuyuki Kozakai ]
+
+- Moves libipt_CLASSYFY.man to libxt_CLASSYFY.man for ip6tables.8
+	[ Yasuyuki Kozakai ]
+
+- fix check_inverse() call
+	[ Jan Engelhardt ]
+
+- Bump version to 1.4.0 final
+	[ Pablo Neira Ayuso ]
+
+
+
+iptables v1.4.0rc1 Changelog
+======================================================================
+Changes from 1.3.8:
+
+- Add support for generic xtables infrastructure (improved IPv6 support!)
+	[ Yasuyuki Kozakai ]
+
+- Deletes empty ->final_check() functions
+	[ Jan Engelhardt ]
+
+- Fix sparse warnings: non-C99 array declaration, incorrect function prototypes
+	[ Patrick McHardy ]
+
+- Remove last vestiges of NFC
+	[ Peter Riley ]
+
+- Make @msg argument a const char *, just like printf
+	[ Jan Engelhardt ]
+
+- Makes it possible to omit extra_opts of matches/targets if unnecessary
+	[ Jan Engelhardt ]
+
+- Fix "iptables getsockopt failed strangely" when querying revisions for non-existant matches and targets
+	[ Patrick McHardy]
+
+- Introduces DEST_IPT_LIBDIR in Makefile
+	[ Yasuyuki Kozakai ]
+
+- Change default KERNEL_DIR location and add KBUILD_OUTPUT
+	[ Sven Wegener ]
+
+- Removes obsolete KERNEL_64_USERSPACE_32 definitions
+	[ Yasuyuki Kozakai ]
+
+- Fix unused function warning
+	[ Patrick McHardy ]
+
+
+
+iptables v1.3.8 Changelog
+======================================================================
+
+- Fix build error of conntrack match
+	[Yasuyuki Kozakai]
+
+- Remove whitespace in ip6tables.c
+	[Yasuyuki Kozakai]
+
+- `-p all' and `-p 0' should be allowed in ip6tables
+	[Yasuyuki Kozakai]
+
+- hashlimit doc update
+	[Jan Engelhardt]
+
+- add --random option to DNAT and REDIRECT
+	[Patrick McHardy]
+
+- Makefile uses POSIX conform directory check
+	[Roy Marples]
+
+- Fix missing newlines in iptables-save/restore output
+	[Pavol Rusnak]
+
+- Update quota manpage for SMP
+	[Phil Oester]
+
+- Output for unspecified proto is `all' instead of `0'
+	[Phil Oester]
+
+- Fix iptables-save with --random option
+	[Patrick McHardy]
+
+- Remove unnecessary IP_NAT_RANGE_PROTO_RANDOM ifdefs
+	[Patrick McHardy]
+
+- Remove libnsl from LDLIBS
+	[Patrick McHardy]
+
+- Fix problem with iptables-restore and quotes
+	[Pablo Neira Ayuso]
+
+- Remove unnecessary includes
+	[Patrick McHardy]
+
+- Fix --modprobe parameter
+	[Maurice van der Pot]
+
+- ip6tables-restore should output error of modprobe after failed to load
+	[Yasuyuki Kozakai]
+
+- Add random option to SNAT
+	[Eric Leblond]
+
+- Fix missing space in error message
+	[Patrick McHardy]
+
+- Fixes for manpages of tcp, udp, and icmp{,6}
+	[Yasuyuki Kozakai]
+
+- Add ip6tables mh extension
+	[Masahide Nakamura]
+
+- Fix tcpmss manpage
+	[Patrick McHardy]
+
+- Add ip6tables TCPMSS extension
+	[Arnaud Ebalard]
+
+- Add UDPLITE multiport support
+	[Patrick McHardy]
+
+- Fix missing space in ruleset listing
+	[Patrick McHardy]
+
+- Remove extensions for unmaintained/obsolete patchlets
+	[Patrick McHardy]
+
+- Fix greedy debug grep
+	[Patrick McHardy]
+
+- Fix type in manpage
+	[Thomas Aktaia]
+
+- Fix compile/install error for iptables-xml with DO_MULTI=1
+	[Lutz Jaenicke]
+
+
+
+iptables v1.3.7 Changelog
+======================================================================
+
+Bugs fixed since 1.3.6:
+
+- Fix compilation error with linux 2.6.19
+	[ Patrick McHardy ]
+
+- Fix LOG target segfault with --log-prefix ""
+	[ Mike Frysinger, Bugzilla #516 ]
+
+- Fix conflicting getsockopt optname values for IP6T_SO_GET_REVISION_{MATCH,TARGET}
+	[ Yasuyuki KOZAKAI ]
+
+- Fix -E (rename) in iptables/ip6tables
+	[ Krzysztof Piotr Oledzki ]
+
+- Fix /etc/network usage
+	[ Pablo Neira ]
+
+- Fix iptables-save not printing -s/-d ! 0/0
+	[ Patrick McHardy ]
+
+- Fix ip6tables-save unnecessarily printing -s/-d options for zero prefix length
+	[ Daniel De Graaf ]
+
+New features since 1.3.6:
+
+- Add revision support for ip6tables
+	[ R?mi Denis-Courmont ]
+
+- Add port range support for ip6tables multiport match
+	[ R?mi Denis-Courmont ]
+
+- Add sctp match extension for ip6tables
+	[ Patrick McHardy ]
+
+- Add iptables-xml tool
+	[ Amin Azez ]
+
+- Add hashlimit support for ip6tables (needs kernel > 2.6.19)
+	[ Patrick McHardy ]
+
+- Use /limodules/$(shell uname -r)/build instead of /usr/src/linux to look for kernel source
+	[ Patrick McHardy ]
+
+- Add NFLOG target extension for iptables/ip6tables (needs kernel > 2.6.19)
+	[ Patrick McHardy ]
+
+
+
+iptables v1.3.6 Changelog
+======================================================================
+
+Bugs fixed since 1.3.5:
+
+- Fix segfault on loading of invalid counters in ip[6]tables-restore
+	[ Bugzilla #437, Olaf Rempel ]
+
+- Fix double-free if a single match is used multiple times within a single rule
+	[ Bugzilla #440, Harald Welte ]
+
+- Don't try to resolve "-p all" using getprotoent()
+	[ Bugzilla #446, Harald Welte ]
+
+- Refuse never matching protocol specifications for ip6tables
+	[ Yasuyuki Kozakai ]
+
+- Fix iptables-save output of osf match
+	[ Daniel De Graaf ]
+
+- Fix esp/connbytes detection with newer kernels (x_tables)
+	[ Harald Welte ]
+
+- Fix loading of IPCMv6 match shared library
+	[ Yasuyuki Kozakai ]
+
+- Refuse invalid esp match SPI ranges
+	[ Yasuyuki Kozakai ]
+
+- Fix out-of-bounds memory access when the unsupported "check" command was used
+	[ Bugzilla #463, Larry Stefani, Harald Welte ]
+
+- Fix out-of-bounds memory access when the "-c" option was used
+	[ Bugzilla #462, Larry Stefani, Harald Welte ]
+
+- Fix "Unknown error 4294967295" message
+	[ Bugzilla #460, Patrick McHardy ]
+
+- Use lower-case letters for realm match output
+	[ Simon Lodal ]
+
+- Fix example in connlimit manpage
+	[ Phil Oester ]
+
+- Refuse IP addresses as arguments to REDIRECT target
+	[ Bugzilla #482, Phil Oester ]
+
+- Fix set match negation
+	[ Jozsef Kadlecsik ]
+
+- Fix some compiler warnings
+	[ Bugzilla #457, Phil Oester ]
+
+- Refuse port ranges in ip6tables multiport match
+	[ Bugzilla #451, Phil Oester ]
+
+- Force user to specify --ipcmv6-type if ipcmv6 match is used
+	[ Bugzilla #461, Yasuyuki Kozakai ]
+
+- Fix libiptc symbol clash
+	[ Bugzilla #456, Phil Oester ]
+
+- Remove "hoho" message
+	[ Pierre-Yves Ritschard ]
+
+- Handle CIDR notation more sanely
+	[ Bugzilla #422, Phil Oester ]
+
+- Fix chain reference increment bug
+	[ Jesper Brouer ]
+
+- Fix counter clearing for policy counters
+	[ Bugzilla #502, Andy Gay ]
+
+- Remove warnings about interface names with non-alphanumeric characters
+	[ Patrick McHardy ]
+
+New features since 1.3.5:
+
+- Support multiple matches of the same type within a single rule
+	[ Jozsef Kadlecsik ]
+
+- DCCP/SCTP support for multiport match (needs kernel >= 2.6.18)
+	[ Patrick McHardy ]
+
+- SELinux SECMARK target (needs kernel >= 2.6.18)
+	[ James Morris ]
+
+- SELinux CONNSECMARK target (needs kernel >= 2.6.18)
+	[ James Morris ]
+
+- Add documentation for DNAT target :<port> syntax
+	[ Evan Miller ]
+
+- Add new exit value to indicate concurrency issues
+	[ Jesper Dangaard Brouer ]
+
+- Use gcc to build shared objects
+	[ Bugzilla #454, Phil Oester ]
+
+- Update quota match for version in current kernel, fix -D (needs kernel >= 2.6.18)
+	[ Phil Oester ]
+
+- Update MARK target documentation to include --and-mask/--or-mask
+	[ Eric Leblond ]
+
+- Add support for statistic match (needs kernel >= 2.6.18)
+	[ Patrick McHardy ]
+
+- Optionally read realm values from /etc/iproute2/rt_realms
+	[ Simon Lodal ]
+
+iptables v1.3.5 Changelog
+======================================================================
+This version requires kernel >= 2.4.0
+This version recommends kernel >= 2.4.18
+
+Bugs fixed from 1.3.4:
+
+- Fix conntrack --ctproto option in iptables-save
+	[ Phil Oester ]
+
+- Fix string match '--from' option in iptables-save
+	[ Michael Rash ]
+
+- Fix option parser of ttl match
+	[ Patrick McHardy ]
+
+- Get rid of gcc-4 warnings
+	[ Patrick McHardy ]
+
+- Fix spelling of 'address' in DNAT/SNAT manpage section
+	[ MJ Anthony ]
+
+- Fix 'tcp-rst' parsing in REJECT target
+	[ Torsten Hilbrich ]
+
+- Fix probing for supported revisions
+	[ Jones Desougi ]
+
+- Fix compilation of iptables on [old] systems that don't have IPT_F_GOTO
+	[ Harald Welte ]
+
+- Only set revisions on real targets, not on jumps
+	[ Pablo Neira ]
+
+- Fix memory leak in TC_COMMIT() of libiptc
+	[ Markus Sundberg ]
+
+- Correctly propagate errors of setsockopt to calling function
+	[ Harald Welte ]
+
+- Fix connbytes match iptables-save
+	[ Unknown ]
+
+- Fix sctp match compilation against recent kernel headers
+	[ Harald Welte ]
+
+- Fix conntrack match compilation against 2.4.0 kernel headers
+	[ Harald Welte ]
+
+Changes from 1.3.4:
+
+- Add support for ip6tables connmark match and target
+	[ Harald Welte ]
+
+- Add support for ip6tables state match
+	[ Harald Welte ]
+
+- Add support for new policy ip[6]tables match
+	[ Patrick McHardy ]
+
+- Major manpage update
+	[ Yasuyuki Kozakai ]
+
+- Remove ippool support, it has been deprecated by ipset long time ago
+	[ Harald Welte ]
+
+Please note: Since version 1.2.7a, patch-o-matic is now no longer part of
+iptables but rather distributed as a seperate package
+(ftp://ftp.netfilter.org/pupatch-o-matic-ng/snapshot)
+
+
+iptables v1.3.4 Changelog
+======================================================================
+This version requires kernel >= 2.4.0
+This version recommends kernel >= 2.4.18
+
+Bugs fixed from 1.3.3:
+
+- Fix parsing of NFQUEUE queue numbers
+	[ Eric Leblond ]
+
+- Add documentation of --queue-num parameter to NFQUEUE manpage
+	[ Eric Leblond ]
+
+- Fix 'hash-init' parameter of CLUSTERIP target
+	[ KOVACS Krisztian ]
+
+- Fix CONNMARK match and target: Marks are now always 32bit
+	[ Deti Fliegl ]
+
+- Print error message when multiple "--to" DNAT/SNAT args are used
+	with kernel >= 2.6.10
+		[ Phil Oester ]
+
+- Fix compilation of connbytes match with 2.6.14 kernel
+	[ Harald Welte ]
+
+- Fix address inversion of conntrack match
+	[ Tom Eastep ]
+
+- Fix sorting of chain names
+	[ Robert de Barth ]
+
+Changes from 1.3.2:
+
+- Add support for DCCP port and type matching
+	[ Harald Welte ]
+
+- Add support for new in-kernel string match
+	[ Pablo Neira ]
+
+Please note: Since version 1.2.7a, patch-o-matic is now no longer part of
+iptables but rather distributed as a seperate package
+(ftp://ftp.netfilter.org/pupatch-o-matic-ng/snapshot)
+
+
+iptables v1.3.3 Changelog
+======================================================================
+This version requires kernel >= 2.4.0
+This version recommends kernel >= 2.4.18
+
+Bugs fixed from 1.3.2:
+
+- Fix use-after-free in merge_options()
+	[ Markus Sundberg ]
+
+- Fix support for SNAT and DNAT to ICMP ID ranges
+	[ Patrick McHardy ]
+
+Changes from 1.3.2:
+
+- Add support for new NFQUEUE targets for IPv4 and IPv6
+	[ Harald Welte ]
+
+- Minor manpage updates
+	[ Harald Welte ]
+
+- Fix numberous gcc-4 warnings throughout the code
+	[ Harald Welte ]
+
+Please note: Since version 1.2.7a, patch-o-matic is now no longer part of
+iptables but rather distributed as a seperate package
+(ftp://ftp.netfilter.org/pupatch-o-matic-ng/snapshot)
+
+
+iptables v1.3.2 Changelog
+======================================================================
+This version requires kernel >= 2.4.0
+This version recommends kernel >= 2.4.18
+
+Bugs fixed from 1.3.1:
+
+- Fix TCPLAG version
+	[ Torsten Luettgert ]
+
+- More error checking in SET target
+	[ Michal Pokrywka ]
+
+- Fix optflags value for OPT_LINENUMBERS
+	[ Jonas Berlin ]
+
+- Allow NULL init function in ip6tables plugins
+	[ Jonas Berlin ]
+
+- Don't allow newlines in LOG prefix
+	[ Phil Oester ]
+
+- Introduce ip_conntrack_old_tuple to userspace header copy
+	[ Pablo Neira ]
+
+- Fix connbytes command line parsing bug
+	[ Piotrek Kaczmarek ]
+
+- Ignore unknown arguments in libipt_ULOG
+	[ Patrick McHardy ]
+
+- Correct error in multiport manpage wrt. "--ports"
+	[ Rusty Russell ]
+
+- Fix CONNMARK save/restore
+	[ Tom Eastep, Pawel Sikora ]
+
+- Make sure chain name doesn't start with '!'
+	[ Yasuyuki Kozakai ]
+
+- Prevent user to specify negative ports in SNAT/DNAT
+	[ Yasuyuki Kozakai ]
+
+- Fix deletion of targets where kernel size != userspace size
+	[ Pablo Neira ]
+
+- Fix save/restore of '! --uid-owner squid' problem in ip6t_owner
+	[ Harald Welte ]
+
+Changes from 1.3.1:
+
+- Add ``--log-uid'' option to ip6t_LOG target
+	[ Patrick McHardy ]
+
+- Improve REDIRECT manpage
+	[ Jonas Berlin ]
+
+- Add a number of missing manpage snippets
+	[ Jonas Berlin ]
+
+- Include FIN bit in mask of "--syn" bits
+	[ Harald Welte ]
+
+- Release previously merged options from merge_opts(), reduces memory-usage of
+	ipt ables-restore dramatically
+	[ Pablo Neira ]
+
+- OSF: changes to support connector notifications
+	[ Evgeniy Polyakov ]
+
+- Reduce code replication of parse_interface()
+	[ Yasuyuki Kozakai ]
+
+Please note: Since version 1.2.7a, patch-o-matic is now no longer part of
+iptables but rather distributed as a seperate package
+(ftp://ftp.netfilter.org/pupatch-o-matic-ng/snapshot)
+
+
+iptables v1.3.1 Changelog
+======================================================================
+This version requires kernel >= 2.4.4
+This version recommends kernel >= 2.4.18
+
+Bugs fixed from 1.3.0:
+
+- Fix CLUSTERIP rule deletion
+	[ Pablo Neira ]
+
+- Fix libip6t_random compilation
+	[ Harald Welte ]
+
+- Fix CONNMARK on 32bit userspace / 64bit kernel archs
+	[ Pablo Neira ]
+
+Changes from 1.3.0:
+
+- remove bogus NFC_* stuff in iptables
+	[ Pablo Neira ]
+
+- libiptc: don't sort builtin chains, restores iptables-1.2.x sort order
+	[ Olaf Rempel ]
+
+
+Please note: Since version 1.2.7a, patch-o-matic is now no longer part of
+iptables but rather distributed as a seperate package
+(ftp://ftp.netfilter.org/pupatch-o-matic-ng/snapshot)
+
+
+iptables v1.3.0 Changelog
+======================================================================
+This version requires kernel >= 2.4.4
+This version recommends kernel >= 2.4.18
+
+Bugs fixed from 1.3.0rc1:
+
+- Fix realm match save/restore issue
+	[ Harald Welte ]
+
+- Fix hashlimit rule deletion from userspace
+	[ Samuel Jean ]
+
+- Fix hashlimit parameter handling / iptables-save
+	[ Nikolai Malykh ]
+
+- Fix multiport inversion
+	[ Phil Oester ]
+
+Bugs fixed from 1.2.11:
+
+- Fix compilation on systems where /bin/sh != bash
+	[ Jozsef Kadlecsik ]
+
+- Fix setting lib_dir in ip*tables-{save,restore}
+	[ Martin Josefsson ]
+
+- Fix module-autoloading in certain cases
+	[ Harald Welte ]
+
+- libipt_TTL: limit range of valid TTL to 0-255
+	[ Maciej Soltysiak ]
+
+- libip6t_HL: limit range of valid HL to 0-255
+	[ Maciej Soltysiak ]
+
+- libip{6}t_limit: Fix half-working limit invert check
+	[ Phil Oester ]
+
+- libipt_connbytes: Update to use the IP_CONNTRACK_ACCT counters
+	[ Harald Welte ]
+
+- libipt_conntrack: Fix typo
+	[ Phil Oester ]
+
+- libipt_dstlimit: Fix half-working invert check
+	[ Phil Oester ]
+
+- libipt_helper: Prevent user from using --helper multiple times
+	[ Nicolas Bouliane ]
+
+- libipt_iprange: Print error message if --dst-range used twice
+	[ Nicolas Bouliane ]
+
+- libipt_nth: Fix help message syntax
+	[ Harald Welte ]
+
+- libipt_psd: Fix option parsing
+	[ Pablo Neira ]
+
+- libipt_random: Fix help message syntax
+	[ Harald Welte ]
+
+- libipt_realm: Fix inversion of options
+	[ Simon Lodal ]
+
+- libipt_time: Fix C++ style delayed variable definition
+	[ Olivier Clerget ]
+
+- libipt_time: Print message about time match not adhering daylight saving
+	[ Phil Oester ]
+
+- libipt_tos: Print Error message if --tos is specified twice
+	[ Nicolas Bouliane ]
+
+- libipt_ttl: Cleanup ttl option parsing
+	[ Phil Oester ]
+
+- libipt_u32: Fix option parsing
+	[ Piotr Gasid'o ]
+
+
+Changes from 1.2.11:
+
+- libiptc: complete rewrite for performance reasons
+	[ Harald Welte, Martin Josefsson ]
+
+- introduce "DO_MULTI=1" mode to build a muilti-call binary
+	[ Bastiaan Bakker ]
+
+- code cleanup, use C99 initializers
+	[ Harald Welte, Pablo Neira ]
+
+- Extension revision number support (if kernel supports the getsockopts).
+	[ Rusty Russell ]
+
+- Don't need ipt_entry_target()/ip6t_entry_target().
+	[ Rusty Russell ]
+
+- Don't re-initialize libiptc/libip6t unless modprobe attempt succeeds.
+	[ Rusty Russell ]
+
+- Implement IPTABLES_LIB_DIR and IP6TABLES_LIB_DIR environment variables
+	[ Rusty Russell ]
+
+- Add manpage section about 'raw' table
+	[ Harald Welte ]
+
+
+- libip{6}t_ROUTE: add ROUTE --tee mode
+	[ Patrick Schaaf ]
+
+- libip{6}t_multiport: Print Error message when `!' is used
+	[ Patrick McHardy, Phil Oester ]
+
+- New libip6t_physdev Match
+	[ Bart De Schuymer ]
+
+- libipt_CLUSTERIP: Fix compiler warning about const
+	[ Harald Welte ]
+
+- libipt_DNAT: Print Error message if `:' is used for port range
+- libipt_SNAT: Print Error message if `:' is used for port range
+	[ Phil Oester ]
+
+- libipt_LOG: Add --log-uid option
+	[ John Lange ]
+
+- libipt_MARK: add bitwise operators
+	[ Henrik Nordstrom, Rusty Russell ]
+
+- libipt_SET: Update to ipset2
+	[ Jozsef Kadlecsik ]
+
+- libipt_account: Update to 0.1.16
+	[ Piotr Gasid'o ]
+
+- New libipt_comment Match
+	[ Brad Fisher ]
+
+- New libipt_hashlimit Match, supersedes dstlimit
+	[ Harald Welte ]
+
+- libipt_ttl: Use string_to_number()
+	[ Rusty Russell ]
+
+
+Please note: Since version 1.2.7a, patch-o-matic is now no longer part of
+iptables but rather distributed as a seperate package
+(ftp://ftp.netfilter.org/pupatch-o-matic-ng/snapshot)
+
+
+iptables v1.2.11 Changelog
+======================================================================
+This version requires kernel >= 2.4.4
+This version recommends kernel >= 2.4.18
+
+
+Bugx Fixed from 1.2.10:
+
+- fix compilation on systems where /bin/sh != bash
+	[ Jozsef Kadlecsik ]
+
+Bugs Fixed from 1.2.9:
+
+- physdev match: fix new structure layout for kernel > 2.6.0-test8
+	[ Bart De Schuymer ]
+
+- Better 64bit / 32bit split architecture detection
+- IPv6 LOG target: Fix compiler warnings on 64bit
+- LOG target: Fix compiler warnings on 64bit
+- IPv6 MARK target: Use full 64bit mark on 64bit archs
+- MARK target: Use full 64bit mark on 64bit archs
+- SAME target: Fix 64bit/32bit splitarch problems
+- ULOG target: Fix 64bit/32bit splitarch problems
+- conntrack match: Fix 64bit/32bit splitarch problem
+- IPv6 limit match: Fix 64bit/32bit splitarch problem
+- limit match: Fix 64bit/32bit splitarch problem
+- IPv6 mark match: Use full 64bit mark on 64bit archs
+- mark match: Use full 64bit mark on 64bit archs
+- owner match: Fix compiler warnings on 64bit
+	[ Martin Jofsefsson ]
+
+- connbytes match: Fix signedness / unsigned issue
+	[ Martin Josefsson ]
+
+- connlimit match: Fix '/0' netmask
+	[ David Ahern ]
+
+- ipv6 owner match: fix possibly not zero terminated string
+- helper match: fix possibly not zero terminated string
+- recent match: fix possibly not zero terminated string
+	[ Karsten Desler ]
+
+- ICMP match: fix '--icmp-type any' case
+	[ Harald Welte ]
+
+- CONNMARK target: major update (add mark/mask matching)
+	[ Henrik Nordstrom ]
+
+- DSCP target: Fix cosmetic help message problem
+	[ Maciej Soltysiak ]
+
+- string match: Fix iptables-save/restore for ascii strings with spaces
+	[ Michael Rash ]
+
+- ip(6)tables-restore: Make sure matches are used in the same order
+	[ Martin Josefsson ]
+
+- ip(6)tables-restore: Fix '--verbose' option
+- ip(6)tables-restore: Add '--test' option
+- ip(6)tables-restore: Complain about missing 'COMMIT'
+	[ Martin Josefsson ]
+
+- ip(6)tables-restore: Allow embedding of quote character in quoted strings
+	[ Michael Rash ]
+
+- libipq: Protect against spoofed queue messages (check if sender is kernel)
+	[ Harald Welte ]
+
+
+Changes from 1.2.9:
+
+- time match: add 'datestart' and 'datestop' parameters
+	[ Fabrice Marie ]
+
+- modular manpage build, depending on actually compiled-in features
+	[ Henrik Nordstrom ]
+
+- additional documentation in manpage snippets formerly missing
+	[ Harald Welte ]
+
+- support new CLUSTERIP Target
+	[ Harald Welte ]
+
+- support new account match
+	[ Piotr Gasid'o ]
+
+- support new connrate match
+	[ Nuuti Kotivuori ]
+
+- support new dstlimit match
+	[ Harald Welte ]
+
+- support new 'set' match / 'SET' target
+	[ Jozsef Kadlecsik ]
+
+- osf match: add support for netlink reporting
+	[ Evgeniy Polyakov ]
+
+- new SCTP protocol match
+	[ Kiran Kumar ]
+
+
+Please note: Since version 1.2.7a, patch-o-matic is now no longer part of
+iptables but rather distributed as a seperate package
+(ftp://ftp.netfilter.org/pupatch-o-matic/)
+
+Please also note: Since Kernel 2.6.x is out, we now use patch-o-matic-ng,
+distributed as seperate package: (ftp://ftp.netfilter.org/pupatch-o-matic-ng)
+
+
+iptables v1.2.10 Changelog
+======================================================================
+This version requires kernel >= 2.4.4
+This version recommends kernel >= 2.4.18
+
+Bugs Fixed from 1.2.9:
+
+- physdev match: fix new structure layout for kernel > 2.6.0-test8
+	[ Bart De Schuymer ]
+
+- Better 64bit / 32bit split architecture detection
+- IPv6 LOG target: Fix compiler warnings on 64bit
+- LOG target: Fix compiler warnings on 64bit
+- IPv6 MARK target: Use full 64bit mark on 64bit archs
+- MARK target: Use full 64bit mark on 64bit archs
+- SAME target: Fix 64bit/32bit splitarch problems
+- ULOG target: Fix 64bit/32bit splitarch problems
+- conntrack match: Fix 64bit/32bit splitarch problem
+- IPv6 limit match: Fix 64bit/32bit splitarch problem
+- limit match: Fix 64bit/32bit splitarch problem
+- IPv6 mark match: Use full 64bit mark on 64bit archs
+- mark match: Use full 64bit mark on 64bit archs
+- owner match: Fix compiler warnings on 64bit
+	[ Martin Jofsefsson ]
+
+- connbytes match: Fix signedness / unsigned issue
+	[ Martin Josefsson ]
+
+- connlimit match: Fix '/0' netmask
+	[ David Ahern ]
+
+- ipv6 owner match: fix possibly not zero terminated string
+- helper match: fix possibly not zero terminated string
+- recent match: fix possibly not zero terminated string
+	[ Karsten Desler ]
+
+- ICMP match: fix '--icmp-type any' case
+	[ Harald Welte ]
+
+- CONNMARK target: major update (add mark/mask matching)
+	[ Henrik Nordstrom ]
+
+- DSCP target: Fix cosmetic help message problem
+	[ Maciej Soltysiak ]
+
+- string match: Fix iptables-save/restore for ascii strings with spaces
+	[ Michael Rash ]
+
+- ip(6)tables-restore: Make sure matches are used in the same order
+	[ Martin Josefsson ]
+
+- ip(6)tables-restore: Fix '--verbose' option
+- ip(6)tables-restore: Add '--test' option
+- ip(6)tables-restore: Complain about missing 'COMMIT'
+	[ Martin Josefsson ]
+
+- ip(6)tables-restore: Allow embedding of quote character in quoted strings
+	[ Michael Rash ]
+
+- libipq: Protect against spoofed queue messages (check if sender is kernel)
+	[ Harald Welte ]
+
+
+Changes from 1.2.9:
+
+- time match: add 'datestart' and 'datestop' parameters
+	[ Fabrice Marie ]
+
+- modular manpage build, depending on actually compiled-in features
+	[ Henrik Nordstrom ]
+
+- additional documentation in manpage snippets formerly missing
+	[ Harald Welte ]
+
+- support new CLUSTERIP Target
+	[ Harald Welte ]
+
+- support new account match
+	[ Piotr Gasid'o ]
+
+- support new connrate match
+	[ Nuuti Kotivuori ]
+
+- support new dstlimit match
+	[ Harald Welte ]
+
+- support new 'set' match / 'SET' target
+	[ Jozsef Kadlecsik ]
+
+- osf match: add support for netlink reporting
+	[ Evgeniy Polyakov ]
+
+- new SCTP protocol match
+	[ Kiran Kumar ]
+
+
+Please note: Since version 1.2.7a, patch-o-matic is now no longer part of
+iptables but rather distributed as a seperate package
+(ftp://ftp.netfilter.org/pupatch-o-matic/)
+
+Please also note: Since Kernel 2.6.x is out, we now use patch-o-matic-ng,
+distributed as seperate package: (ftp://ftp.netfilter.org/pupatch-o-matic-ng)
+
+
+iptables v1.2.9 Changelog
+======================================================================
+This version requires kernel >= 2.4.4
+This version recommends kernel >= 2.4.18
+
+Bugs Fixed from 1.2.8:
+
+- ip(6)tables-save/restore: fix memory leaks
+	[ Harald Welte, Martin Josefsson ]
+- ip6tables: fix printout of odd length netmasks
+	[ Mikko Markus Torni ]
+- condition match: fix iptables-save
+	[ Stephane Ouellette ]
+- fuzzy match: fix ip(6)tables-save
+	[ Hime Aguiar e Oliveira Jr. ]
+- mac match: fix ip(6)tables-save if used inverted (!)
+	[ David Zambonini, Martin Josefsson ]
+- ip6tables udp match: check for invalid port ranges
+	[ Thomas Poehnitz ]
+- LOG target: fix iptables-save (save loglevel numerically)
+	[ Thomas Woerner ]
+- mport match: fix iptables-save (save numerically)
+	[ Thomas Woerner ]
+- libipq: fix ipq_id_t definition on 'real' 64bit/64bit architectures
+	[ Ryan Veety ]
+- libip6tc: fix ipv6_prefix_length endianness bugs
+	[ Mikko Markus Torni ]
+- MASQUERADE target: don't accept negative port numbers
+	[ Yasuyuki Kozakai ]
+- physdev match: fix new structure layout for kernel > 2.6.0-test8
+	[ Bart De Schuymer ]
+
+Changes from 1.2.8:
+
+- build plugins for connlimit, iprange, realm, CLASSIFY, CONNMARK, NETMAP
+	[ Harald Welte ]
+- libip(6)tc: Speedup due to inceremental chain cache updates
+	[ Harald Welte ]
+- recent match: Update to version 0.3.1 that was submitted to the kernel
+	[ Stephen Frost ]
+- physdev match: add --physdev-is-{in,out,bridge} option
+	[ Bart de Schuymer ]
+- REJECT target: add support for ICMP administratively prohibited
+	[ Maciej Soltysiak ]
+- conntrack match: add suport for CONFIRMED / unconfirmed state
+	[ Harald Welte ]
+- ROUTE target: new option: continue traversal
+	[ Cedric de Launois ]
+- varios cosmetic cleanups
+	[ Stephane Ouellette ]
+- iptables/libiptc: add support for the new 'raw' table
+	[ Jozsef Kadlecsik ]
+
+Please note: Since version 1.2.7a, patch-o-matic is now no longer part of
+iptables but rather distributed as a seperate package
+(ftp://ftp.netfilter.org/pupatch-o-matic/)
+
+
+iptables v1.2.8 Changelog
+======================================================================
+This version requires kernel >= 2.4.4
+This version recommends kernel >= 2.4.18
+
+Bugs Fixed from 1.2.7a:
+
+- fix ip6tables-save function of 'length' match
+	[ Gerry Skerbitz ]
+- fix ip6tables-save function of 'mac' match
+	[ Kristian Gronfeldt Sorensen ]
+- fix iptables-save function of 'ULOG' target
+	[ Jimmy Hedman ]
+- fix iptables-save function of 'conntrack' match
+	[ Lutz Pressler ]
+- fix iptables-save function of 'length' match
+	[ Gerry Skerbitz ]
+- fix iptables-save function of 'mac' match
+	[ Kristian Gronfeldt Sorense ]
+- fix iptables-save function of 'mark' match
+	[ Harald Welte ]
+- fix iptables-save function of 'owner' match
+	[ Costa Tsaousis ]
+- fix iptables-save function of 'pool' match
+	[ Oskar Berggren ]
+- fix iptables-save function of 'tcpmss' match
+	[ Michael Schwendt ]
+- fix iptables-save function of 'tos' match
+	[ Harald Welte ]
+- fix save/print function of 'connmark' match
+	[ Harald Welte ]
+- fix error message when invalid TCP flag is specified with 'tcp' match
+	[ Aaron Sethman ]
+
+Changes from 1.2.7a:
+
+- updated version of the ROUTE target
+	[ Cedric de Launois ]
+- updated version of the 'recent' match
+	[ Stephen Frost ]
+- update the RPC conntrack match, extend it to support filtering on procedures
+	[ Ian (Larry) Latter ]
+- add support for hexstrings to the 'string' match
+	[ Michael Rash ]
+- have iptables-restore print the line number in case of an error
+	[ Illes Marci ]
+- big iptables.8 manpage update
+	[ Herve Eychenne ]
+- print loglevel human-readable in ip6tables 'LOG' target
+	[ Michael Schwendt ]
+- print loglevel human-readable in 'LOG' target
+	[ Michael Schwendt ]
+- remove bogus code from 'ecn' match
+	[ Stephane Ouellette ]
+- be more specific in help message of 'helper' match
+	[ Herve Eychenne ]
+- fix semantic problem that '-p icmp -m icmp' was matching icmp type 0 instead
+	of 'any'
+	[ Harald Welte ]
+- fix iptables rename-chain option
+	[ Maciej Soltysiak ]
+- remove libipulog from iptables since it is distributed with ulogd
+	[ Harald Welte ]
+- support new ip6tables 'HL' target
+	[ Maciej Soltysiak ]
+- support new ip6tables 'condition' match
+	[ Stephane Ouellette ]
+- support new ip6tables 'fuzzy' match
+	[ Maciej Soltysiak ]
+- support new ip6tables 'hoplimit' match
+	[ Maciej Soltysiak ]
+- support new iptables 'CLASSIFY' target
+	[ unknown ]
+- support new iptables TARPIT target
+	[ Aaron Hopkins ]
+- support new iptables 'condition' match
+	[ Stephane Ouellette ]
+- support new iptables 'fuzzy' match
+	[ Hime Junior ]
+- support new iptables 'physdev' match (for 2.5.x bridging)
+	[ Bart de Schumyer ]
+- support new iptables 'u32' match (based on u32 tc filter)
+	[ Don Cohen ]
+
+Please note: As of version 1.2.7a, patch-o-matic is now no longer part of
+iptables but rather distributed as a seperate package
+(ftp://ftp.netfilter.org/pupatch-o-matic/)
+
+
+iptables v1.2.7a (== fixed 1.2.7) Changelog
+======================================================================
+This version requires kernel >= 2.4.4
+This version recommends kernel >= 2.4.18
+
+Bugs Fixed from 1.2.6a:
+
+- fix compiler warning in userspace support for ipv6 REJECT target
+	[ Fabrice Marie ]
+- check for invalid portranges in tcp+udp helper (e.g. 2000:100)
+	[ Thomas Poehnitz ]
+- fix save save/restore functions of ip6tables tcp/udp extension
+	[ Harald Welte / Andras Kis-Szabo ]
+- check for invalid (out of range) nfmark values in MARK target
+	[ Alexey ??? ]
+- fix save function of MASQUERADE userspace support
+	[ A. van Schie ]
+- compile fixes for userspace suppot of experimental POOL target
+	[ ? ]
+- fix save function of userspace support for ah and esp match
+	[ ? ]
+- fix static build (NO_SHARED_LIBS)
+	[ Roberto Nibali ]
+- fix save/restore function of userspace support for mport match
+	[ Bob Hockney ]
+- update manpages to reflect recent changes
+	[ Herve Eychenne, Harald Welte ]
+- remove all remnants of the 'check' option
+	[ ? ]
+
+
+Changes from 1.2.6a:
+
+- patch-o-matic is now no longer part of iptables but rather distributed
+	as a seperate package (ftp://ftp.netfilter.org/pupatch-o-matic/)
+		[ Harald Welte ]
+- userspace support for dscp match and target
+	[ Harald Welte ]
+- userspace supprot for ecn match and target
+	[ Harald Welte ]
+- userspace support for helper match
+	[ Martin Josefsson ]
+- userspace supprot for conntrack match
+	[ Marc Boucher ]
+- userspace support for pkttype match
+	[ Martin Ludvig ]
+- userspace support for experimental ROUTE target
+	[ Cédric de Launois ]
+- userspace support for experimental ipv6 ahesp match
+	[ Andras Kis-Szabo ]
+- userspace support for experimental ipv6 option header match
+	[ Andras Kis-Szabo ]
+- userspace support for experimental ipv6 routing header match
+	[ Andras Kis-Szabo ]
+- add matching of process name to userspace support of owner match
+	[ Marc Boucher ]
+- new version of userspace support for 'recent' match
+	[ Stephen Frost ]
+
+
+iptables v1.2.6a (== fixed 1.2.6) Changelog
+======================================================================
+This version requires kernel >= 2.4.4
+This version recommends kernel >= 2.4.18
+
+Bugs Fixed from 1.2.5:
+
+- Fix iptables segfault problem when using `!' without argument
+	[ Dionis Papavramidis, Harald Welte ]
+- Fix PSD match for psd-delay-threshold > 100
+	[ Steven Coenen, Dennis Koslowski ]
+- ip6tables alignment fixes
+	[ Andreas Herrmann ]
+- patch-o-matic:
+	- Fix NAT-related bug in TCP window tracking code
+		[ Jozsef Kadlecsik ]
+	- Fix support for DNAT of locally-originated connections (NAT in
+	  LOCAL_OUT)
+	  	[ Henrik Nordstrom, Harald Welte ]
+	- Fix string match (is now SMP safe)
+		[ Gianni Tedesco ]
+	- Fix TFTP conntrack/nat helper (now also catches first packet)
+		[ Magnus Boden ]
+
+Changes from 1.2.5:
+
+- Added global PREFIX makefile variable for all paths
+	[ Harald Welte ]
+- If compiled without any COPT_FLAGS, debugging is disabled.  To enable
+	debugging, use -DIPTC_DEBUG
+		[ Harald Welte ]
+- New ip6tables-restore and ip6tables-save manpage
+	[ Andras Kis-Szabo ]
+- Sync ip6tables-restore and ip6tables-save with iptables-restore
+	[ Andras Kis-Szabo ]
+- Sync ip6tables with iptables
+	[ Andras Kis-Szabo ]
+- mangle table attaches now to all five netfilter hooks
+	[ Brad Chapman, Harald Welte ]
+- iptables and ip6tables manpage updates
+	[ Herve Eychenne ]
+- patch-o-matic program now supports removal of already-applied patches
+	[ Bob Hockney ]
+- patch-o-matic program now supports patches to the userspace extensions
+	[ Fabrice Marie ]
+- patch-o-matic:
+	- Extend recent match to support multiple recent lists
+		[ Stephen Frost ]
+	- New GRE and PPTP connection tracking and NAT helper
+		[ Harald Welte ]
+	- New CONNMARK target for marking all packets within one connection
+		[ Henrik Nordstrom ]
+	- New conntrack match, enables matching on more conntrack informatin
+	  than state
+	  	[ Marc Boucher ]
+	- New DSCP match and target (DSCP header field obsoletes TOS)
+		[ Harald Welte ]
+	- New owner match extension: Match on process name
+		[ Marc Boucher ]
+	- Add support for bitwise AND / OR manipulation on nfmark
+		[ Fabrice Marie ]
+	- New experimental patch for disabling TCP connection tracking pickup
+		[ Harald Welte ]
+	- Add support for SACK in all NAT helpers
+		[ Harald Welte ]
+	- Make eggdrop botnet connection tracking support work with eggdrop
+	  v1.6.x
+	  	[ Magnus Sandin ]
+	- Add support to REJECT for sending icmp-unreachable messages
+	  from a fake source address
+	  	[ Fabrice Marie ]
+	- Add support for ntalk2 to talk NAT helper
+		[ Jozsef Kadlecsik ]
+	- Big update to newnat patch
+		[ Jozsef Kadlecsik, Paul P Komkoff ]
+
+iptables v1.2.6 Changelog
+======================================================================
+This version requires kernel >= 2.4.4
+This version recommends kernel >= 2.4.18
+
+Bugs Fixed from 1.2.5:
+
+- Fix iptables segfault problem when using `!' without argument
+	[ Dionis Papavramidis, Harald Welte ]
+- Fix PSD match for psd-delay-threshold > 100
+	[ Steven Coenen, Dennis Koslowski ]
+- ip6tables alignment fixes
+	[ Andreas Herrmann ]
+- patch-o-matic:
+	- Fix NAT-related bug in TCP window tracking code
+		[ Jozsef Kadlecsik ]
+	- Fix support for DNAT of locally-originated connections (NAT in
+	  LOCAL_OUT)
+	  	[ Henrik Nordstrom, Harald Welte ]
+	- Fix string match (is now SMP safe)
+		[ Gianni Tedesco ]
+	- Fix TFTP conntrack/nat helper (now also catches first packet)
+		[ Magnus Boden ]
+
+Changes from 1.2.5:
+
+- Added global PREFIX makefile variable for all paths
+	[ Harald Welte ]
+- If compiled without any COPT_FLAGS, debugging is disabled.  To enable
+	debugging, use -DIPTC_DEBUG
+		[ Harald Welte ]
+- New ip6tables-restore and ip6tables-save manpage
+	[ Andras Kis-Szabo ]
+- Sync ip6tables-restore and ip6tables-save with iptables-restore
+	[ Andras Kis-Szabo ]
+- Sync ip6tables with iptables
+	[ Andras Kis-Szabo ]
+- mangle table attaches now to all five netfilter hooks
+	[ Brad Chapman, Harald Welte ]
+- iptables and ip6tables manpage updates
+	[ Herve Eychenne ]
+- patch-o-matic program now supports removal of already-applied patches
+	[ Bob Hockney ]
+- patch-o-matic program now supports patches to the userspace extensions
+	[ Fabrice Marie ]
+- patch-o-matic:
+	- Extend recent match to support multiple recent lists
+		[ Stephen Frost ]
+	- New GRE and PPTP connection tracking and NAT helper
+		[ Harald Welte ]
+	- New CONNMARK target for marking all packets within one connection
+		[ Henrik Nordstrom ]
+	- New conntrack match, enables matching on more conntrack informatin
+	  than state
+	  	[ Marc Boucher ]
+	- New DSCP match and target (DSCP header field obsoletes TOS)
+		[ Harald Welte ]
+	- New owner match extension: Match on process name
+		[ Marc Boucher ]
+	- Add support for bitwise AND / OR manipulation on nfmark
+		[ Fabrice Marie ]
+	- New experimental patch for disabling TCP connection tracking pickup
+		[ Harald Welte ]
+	- Add support for SACK in all NAT helpers
+		[ Harald Welte ]
+	- Make eggdrop botnet connection tracking support work with eggdrop
+	  v1.6.x
+	  	[ Magnus Sandin ]
+	- Add support to REJECT for sending icmp-unreachable messages
+	  from a fake source address
+			[ Fabrice Marie ]
+	- Add support for ntalk2 to talk NAT helper
+		[ Jozsef Kadlecsik ]
+	- Big update to newnat patch
+		[ Jozsef Kadlecsik, Paul P Komkoff ]
+
+
+iptables v1.2.5 Changelog
+======================================================================
+This version requires kernel >= 2.4.4
+This version recommends kernel > 2.4.14
+
+Bugs Fixed from 1.2.4:
+
+- make iptables-restore accept --table as well as -t option
+	[ Andreas Ferber ]
+- make iptables-restore -v / --verbose option work
+	[ Marc Boucher ]
+- fix iptables-save problems with saving "ppp+" style interface wildcards
+	[ Harald Welte ]
+- make iptables accept '_' and '.' in interface names
+	[ Harald Welte ]
+- Kernel bugfixes in patch-o-matic:
+	 - Fix IRC NAT srcaddr fix (we used to nat DCC connectios to the
+	   address of the IRC server
+		[ Bob Hockney ]
+	- Fix potential Oops in TOS target module
+		[ Edward Killips ]
+	- Fix problem when raw socket has cloned skb while netfilter doing
+	  payload modification
+		 [ Rusty Russell ]
+	- Fix memory leak in ipchains redirect code
+		[ Rusty Russell ]
+	- Fix reintroduced ECN problem with unclean match
+		[ Guillaume Morin ]
+	- Fix MAC adress match problem with small udp packets
+		[ Harald Welte ]
+
+Changes from 1.2.4:
+
+- Whole patch-o-matic system restructured - now supports multiple patch
+	repositories (submitted, pending, base, extra, newnat).
+	[ Jozsef Kadlecsik ]
+- Add IPv6 support to the QUEUE target and libipq
+	[ Fernando Anton / James Morris ]
+- New patch-o-matic patches:
+	-New IPV4OPTSSTRIP target to strip IP options
+		[ Fabrice Marie ]
+	- New ipv6header match to match IPv6 header options
+		[ Brad Chapman / Andras Kis-Szabo ]
+	- New helper match to match RELATED connections on their conntrack
+		helper
+		[ Martin Josefsson ]
+	- New quota match to have fixed IP quotas
+		[ Sam Johnston ]
+	- New recent match to match recently seen packets
+		[ Stephen Frost ]
+
+
+iptables v1.2.4 Changelog
+======================================================================
+This version requires kernel >= 2.4.4
+This version recommends kernel > 2.4.9
+
+Bugs Fixed from 1.2.3:
+
+- make iptables-restore print error message instead of segfault when
+	processing broken / wrong input.
+	[ ]
+- string_to_number fix in LOG, IPv6 LOG, TOS and FTOS target
+	[ ]
+- fix iptables-save problems when saving MIRROR rules
+	[ Harald Welte ]
+- fix IPv6 ICMP problems [ ]
+- fix TTL increment in TTL target [ ]
+- Kernel bugfixes in patch-o-matic:
+	- Fix printing of inner-packet in ICMP error messages (LOG target)
+		[ ]
+	- Decrement TTL when using MIRROR target at PRE_ROUTING [ ]
+	- fix undiscovered REJECT checkentry() bug (alignment)
+	    [ Bert Hubert]
+
+Changes from 1.2.3:
+
+- New "make most-of-pom" feature for application of non-confliction
+	patches. This should be used instead of "make patch-o-matic" by most
+	users.
+	[ Harald Welte ]
+- iptables-save and iptables-restore now included in the default install;
+	They are n	- longer experimental for quite some time.
+	[ Harald Welte ]
+- synchronize ip6tables-save/restore with iptables-save/restore
+	[ Harald Welte ]
+- more precise save() function for ipt_limit rates
+	[ ]
+- new improved version of nth-match. Added support for multiple counters,
+	added support for matching on individual packets in the counter cycle
+	[ Richard Wagner ]
+- added manpage for ip6tables
+	[ ]
+- updated libipq documentation
+	[ ]
+- added timeout t	- libipq recv function
+	[ ]
+- New patch-o-matic patches:
+	- New random match
+		[ ]
+	- New ftp-fxp patch, imposes security risk but some people need it -sigh*
+		[ Magnus Sandin ]
+	- New H323 conntrack + nat modules
+		[ Jozsef Kadlecsik ]
+	- New version of tcp-window tracking patch, includes sysctl()
+		changeable timeouts
+		[ Jozsef Kadlecsik ]
+
+
+iptables v1.2.3 Changelog
+======================================================================
+This version requires kernel 2.4.4 or above.
+This version recommends kernel 2.4.9 or above.
+
+Bugs Fixed from 1.2.2:
+
+- fix ICMPv6 support for IPv6
+	[ Kis-Szab	- Andras ]
+- fix problems with REJECT and iptables-restore / iptables-save
+	[ Harald Welte ]
+- fix possible string overflow in psd match
+	[ Dennis Koslowski ]
+- fix string match compile problems
+	[ Gianni Tedesc	- ]
+- support interfaces with '_' (underscore) in device names
+	[ Harald Welte ]
+- support rules without target in iptables-save
+	[ Emmanuel Fleury ]
+- correct handling of "eth+" type interface names in iptables-save/restore
+	[ Harald Welte ]
+- d	- incremental checksumming when altering TTL in TTL target
+	[ Harald Welte ]
+- fix no-srr case in ipv4options match
+	[ Fabrice Marie ]
+- Kernel bugfixes in patch-o-matic:
+	- Fix unexported ip6_table symbols [ Brad Chapman ]
+	- Decrement TTL in MIRROR target if used in FORWARD chain [ Harald
+		Welte, Fabian Melzow ]
+	- Replace SACKPERM TCP option with NOOP (instead of ENDOFOPT)
+		[ Guillaume Morin ]
+
+Changes from 1.2.2:
+
+- New "make most-of-pom" feature for application of non-confliction
+	patches. This should be used instead of "make patch-o-matic" by most
+	users.
+	[ Harald Welte ]
+- support for statically linking iptables, without need for .s	- plugins
+	[ David McCullough ]
+- support for multiple ranges in SAME target
+	[ Martin Josefsson ]
+- support for router alert options in ipv4options match
+	[ Fabrice Marie ]
+- modprobe() modules when doing iptables-restore
+	[ Andries van Schie ]
+- remove obsolete fragment matching code in IPv6
+	[ Kis-Szab	- Andras ]
+- add support for dns hostnames t	- IPv6 code
+	[ Kis-Szab	- Andras ]
+- New patch-o-matic patches:
+	- New multiport (mport) match
+		[ Andreas Ferber ]
+	- New nth match for matching every n-th packet
+		[ Fabrice Marie ]
+	- New realm match for matchin the routing realm
+		[ Sampsa Ranta ]
+	- New ctnetlink patch for manipulation of conntrack from userspace
+		[ Jay Schulist ]
+	- New REJECT Target for IPv6
+		[ Harald Welte ]
+	- New length match for IPv6
+		[ Imran Patel ]
+	- New multiport (mport) match for IPv6
+		[ Andreas Ferber]
+
+
+iptables v1.2.1 Changelog
+======================================================================
+This version requires kernel 2.4.0 or above.
+
+Bugs Fixed from 1.2:
+
+- Missing quotes around log-prefix
+	[ Bart Theunissen ]
+- Bug in save function of string match
+	[ Gianni Tedesc	- ]
+- ip6tables.c string buffer size fixes
+	[ Andras Kis-Szab	- ]
+- dependency problem with iptables-save / iptables-restore
+	[ Harald Welte ]
+- strtok problem with iptables-save / iptables-restore
+	[ Harald Welte ]
+- Problems with tcp/udp extension and multiple calls of do_command()
+	[ Sven Koch ]
+- Kernel bugfixes in patch-o-matic:
+	- Updated rpc-record patch to work with 2.4.0
+		[ Marc Boucher ]
+	- New ftp-pasv patch for fixing PASV detection with some ftpd's
+		[ Erik Hensema ]
+	- Fix checksum calculation of TOS target
+		[ Rusty Russell ]
+
+Changes from 1.2:
+
+- New `pending-patches' target
+	[ Rusty Russell ]
+- build all shared library extensions regardless of kernel tree
+	[ Rusty Russell ]
+- New counter-restore functions for iptables
+	[ Harald Welte ]
+- Added libiptc and libipulog t	- `devel' Makefile target
+	[ Harald Welte ]
+- Ported iptables-save/restore t	- IPv6
+	[ Andras Kis-Szab	- ]
+- Updated ULOG target (now in-kernel accumulation [= higher performance])
+	[ Harald Welte ]
+- Added fxp support t	- ftp-multi patch
+	[ Magnus Sandin ]
+- Implemented Boyer Moore Sublinear search algorithm for string match
+	[ Gianni Tedesc	- ]
+- Fixed tcp-window-tracking incompatibility with NAT helpers
+	[ Harald Welte ]
+- New patch-o-matic patches:
+	- New generic sequence number offset API for nat helpers
+		[ Harald Welte ]
+	- New psd (port-scan-detection) match
+		[ Dennis Koslowski, Markus Henning ]
+	- New NETLINK target for old ipchains -o behaviour
+		[ Gianni Tedesc	- ]
+	- New SAME target as a special case of SNAT
+		[ Martin Josefsson ]
+	- Ported LOG target to IPv6
+		[ Jan Rekorajski ]
+	- Ported owner, limit, mac and multiport match to IPv6
+		[ Jan Rekorajski ]
+
+
+iptables v1.2.2 Changelog
+======================================================================
+This version requires kernel 2.4.1 or above.
+This version recommends kernel 2.4.4 or above.
+
+Bugs Fixed from 1.2.1a:
+
+- fixes for SAME Target
+	[ Martin Josefsson ]
+- fixes for iplimit match in combination with iptables-save/-restore
+	[ Gerd Knorr ]
+- fix for TCP match in combination with iptables-save/-restore
+	[ Ian Lynagh ]
+- iptables-restore now deals correclty with spaces in --log-prefix
+	[ Harald Welte ]
+- fix in 'isapplied' script. It used t	- give false negatives
+	[ Harald Welte ]
+- fix in BALANCE target, target now uses full ip address range
+	[ Martin Josefsson ]
+- fix for NETLINK target, was sending wrong interface name
+	[ Gianni Tedesc	- ]
+- fix for collision of ftp and irc NAT helpers
+	[ Harald Welte ]
+- ip6tables brought in sync with iptables
+	[ Kis-Szab	- Andras ]
+- Kernel bugfixes in patch-o-matic:
+	- Fix possible security vulnerability in ip_conntrack_ftp
+		[ Cristian	- Lincoln Mattos, James Morris and Rusty ]
+
+Changes from 1.2.1a:
+
+- libiptc should now be usable from C++ applications
+	[ Fabrice MAURIE ]
+- seqoffset-,ftp-security, ... patches are combined in 2.4.4.patch
+	[ Rusty Russell ]
+- lots of old pre-2.4.1 patches now combined in 2.4.1.patch
+	[ Rusty Russel ]
+- IRC conntrack + nat cleanup
+	[ Harald Welte ]
+- string match cleanup
+	[ Gianni Tedesc	- ]
+- ULOG cleanup, new version. Fixes 'unable t	- send nflink' bug
+	[ Harald Welte ]
+- New patch-o-matic patches:
+	- New NETMAP Target for mapping whole networks 1:1 to other addresses
+		[ Svenning Soerensen ]
+	- New length Target for matching packet length
+		[ James Morris ]
+	- New ipv4options match for matching IPv4 header options
+		[ Fabrice MARIE ]
+	- New IPv6 agr match for matching IPv6 global aggregatable unicast
+		adresses
+		[ Andras Kis-Szab	- ]
+	- New pkttype match for matching link-layer multicast / broadcast
+		packets
+		[ Michal Ludvig ]
+	- New time match for matching the packet's receive time
+		[ Fabrice MARIE ]
+	- New talk conntack + NAT helper module
+		[ Jozsef Kadlecsik ]
+
+
+iptables v1.2 Changelog
+======================================================================
+This version requires 2.4.0-test9 or above.
+
+Bugs Fixed from 1.1.2:
+
+- Now default installs int	- /usr/local/sbin, not /usr/local/bin.
+- Only does IPv6 compilation on libc6.
+- More header fixes for weird header combos.
+- ip6tables now refers t	- "icmpv6" protocol, not "icmp".
+	[ Harald Welte ]
+- IPPROTO_ESP and AH defined in iptables for primitive headers.
+- iptables multiple-DNS resolve fixed
+	[ Harald Welte, Rusty ]
+- Kernel bugfixes in patch-o-matic:
+	- IPv6 netfilter fixes
+		[ Harald Welte ]
+	- Masquerade with fwmark routing fix
+	- Dynamic hashsize optimization (NAT) + `hashsize=' module parameter.
+	- NAT overlap fix
+	- PPC/Sparc mangle table fix.
+
+Changes from 1.1.2:
+
+- New `install-devel' target
+	[ James Morris ]
+- libipq now has man pages!
+	[ James Morris ]
+- iptables-save and iptables-restore added (with man pages!)
+	[ Harald Welte ]
+- iptables now inserts modules if CONFIG_KMOD or --modprobe
+	[ Harald Welte, Rusty ]
+- New `experimental' and `install-experimental' targets.
+- `--reject-with=echo-reply' removed in anticipation of the removal of
+	kernel support.
+- ttl match enhancements (greater or less than tests)
+	[ Harald Welte ]
+- Reworked patch-o-matic interface, t	- force reading of help.
+- patch-o-matic updated for new 2.4 Makefiles
+	[ Daniel Stone, Harald Welte ]
+- patch-o-matic now supports non-IPv4 netfilter patches
+	[ Harald Welte ]
+- New patch-o-matic patches:
+	- eggdrop bot connection tracking
+		[ Magnus Sandin ]
+	- FTOS target for full ToS mangling.
+		[ Matthew G. Marsh ]
+	- BALANCE target for simple load-balancing.
+	- iplimit match for limiting number of connections.
+		[ Gerd Knorr ]
+	- IPv6 MARK target
+		[ Harald Welte ]
+	- IPv6 mark match
+		[ Harald Welte ]
+
+
+iptables v1.1.2 Changelog
+======================================================================
+This version requires 2.4.0-test9 or above.
+
+Bugs Fixed from 1.1.1:
+
+- Adding rules on UltraSparc now works
+- string_to_number now handles overflow
+	[ Jan Echternach ]
+- Bug when using ridiculous rule numbers fixed
+
+Changes from 1.1.1:
+
+- patch-o-matic system added:
+	- TTL alteration and ttl matching support -- Harald Welte
+	- AH/ESP matching support -- Yon Uriarte
+	- DROPPED table support -- Rusty
+	- ftp-multi patch for non-standard ftp servers -- Harald Welte
+	- IRC connection tracking & NAT -- Harald Welte
+	- pool match and POOL target -- Patrick
+	- RPC recording patch -- Marcelo Barbosa Lima
+	- SNMP NAT support -- James Morris
+	- string match for looking in packet's data -- Emmanuel Roger
+	- tcp-MSS target for altering MSS -- Marc Boucher
+	- ULOG target for advanced logging -- Harald Welte
+- Minor const cleanups
+	[ Jan Echternach ]
+- iptables.8 updates
+	[ Harald Welte, Rusty ]
+- Better warnings for non-existant matches/missing libraries
+	[ Harald Welte ]
+- Improved isapplied script
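Review bot: the older release sections in this hunk (v1.2.4 down to v1.2) carry what looks like a conversion artifact, where a word-final "o" and the following space have become a tab plus "- ". Examples are "They are n	- longer experimental", "added timeout t	- libipq recv function" and "d	- incremental checksumming". It also corrupts contributor names ("[ Gianni Tedesc	- ]", "[ Kis-Szab	- Andras ]"), including the attribution on "Fix possible security vulnerability in ip_conntrack_ftp". Since the patch description says the file is an amalgamation of upstream changelogs, please regenerate these sections from the originals so the text and credits can be searched reliably. Two structural points in the same region: the v1.2.1 section sits between v1.2.3 and v1.2.2, which breaks the otherwise descending release order, and the "make most-of-pom" entry appears under both "Changes from 1.2.3" and "Changes from 1.2.2", so one of the two is probably a copy error worth checking against upstream. The empty "[ ]" attributions in the v1.2.4 section should either be filled from the source files or dropped.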
