iptables v1.3.6 Changelog
======================================================================

Bugs fixed since 1.3.5:
- Fix segfault on loading of invalid counters in ip[6]tables-restore [ Bugzilla #437, Olaf Rempel ]
- Fix double-free if a single match is used multiple times within a single rule [ Bugzilla #440, Harald Welte ]
- Don't try to resolve "-p all" using getprotoent() [ Bugzilla #446, Harald Welte ]
- Refuse never matching protocol specifications for ip6tables [ Yasuyuki Kozakai ]
- Fix iptables-save output of osf match [ Daniel De Graaf ]
- Fix esp/connbytes detection with newer kernels (x_tables) [ Harald Welte ]
- Fix loading of ICMPv6 match shared library [ Yasuyuki Kozakai ]
- Refuse invalid esp match SPI ranges [ Yasuyuki Kozakai ]
- Fix out-of-bounds memory access when the unsupported "check" command was used [ Bugzilla #463, Larry Stefani, Harald Welte ]
- Fix out-of-bounds memory access when the "-c" option was used [ Bugzilla #462, Larry Stefani, Harald Welte ]
- Fix "Unknown error 4294967295" message [ Bugzilla #460, Patrick McHardy ]
- Use lower-case letters for realm match output [ Simon Lodal ]
- Fix example in connlimit manpage [ Phil Oester ]
- Refuse IP addresses as arguments to REDIRECT target [ Bugzilla #482, Phil Oester ]
- Fix set match negation [ Jozsef Kadlecsik ]
- Fix some compiler warnings [ Bugzilla #457, Phil Oester ]
- Refuse port ranges in ip6tables multiport match [ Bugzilla #451, Phil Oester ]
- Force user to specify --icmpv6-type if icmpv6 match is used [ Bugzilla #461, Yasuyuki Kozakai ]
- Fix libiptc symbol clash [ Bugzilla #456, Phil Oester ]
- Remove "hoho" message [ Pierre-Yves Ritschard ]
- Handle CIDR notation more sanely [ Bugzilla #422, Phil Oester ]
- Fix chain reference increment bug [ Jesper Brouer ]
- Fix counter clearing for policy counters [ Bugzilla #502, Andy Gay ]
- Remove warnings about interface names with non-alphanumeric characters [ Patrick McHardy ]

New features since 1.3.5:
- Support multiple matches of the same type within a single rule [ Jozsef Kadlecsik ]
- DCCP/SCTP support for multiport match (needs kernel >= 2.6.18) [ Patrick McHardy ]
- SELinux SECMARK target (needs kernel >= 2.6.18) [ James Morris ]
- SELinux CONNSECMARK target (needs kernel >= 2.6.18) [ James Morris ]
- Add documentation for DNAT target `:' syntax [ Evan Miller ]
- Add new exit value to indicate concurrency issues [ Jesper Dangaard Brouer ]
- Use gcc to build shared objects [ Bugzilla #454, Phil Oester ]
- Update quota match for version in current kernel, fix -D (needs kernel >= 2.6.18) [ Phil Oester ]
- Update MARK target documentation to include --and-mask/--or-mask [ Eric Leblond ]
- Add support for statistic match (needs kernel >= 2.6.18) [ Patrick McHardy ]
- Optionally read realm values from /etc/iproute2/rt_realms [ Simon Lodal ]

iptables v1.3.5 Changelog
======================================================================

This version requires kernel >= 2.4.0
This version recommends kernel >= 2.4.18

Bugs fixed from 1.3.4:
- Fix conntrack --ctproto option in iptables-save [ Phil Oester ]
- Fix string match '--from' option in iptables-save [ Michael Rash ]
- Fix option parser of ttl match [ Patrick McHardy ]
- Get rid of gcc-4 warnings [ Patrick McHardy ]
- Fix spelling of 'address' in DNAT/SNAT manpage section [ MJ Anthony ]
- Fix 'tcp-rst' parsing in REJECT target [ Torsten Hilbrich ]
- Fix probing for supported revisions [ Jones Desougi ]
- Fix compilation of iptables on [old] systems that don't have IPT_F_GOTO [ Harald Welte ]
- Only set revisions on real targets, not on jumps [ Pablo Neira ]
- Fix memory leak in TC_COMMIT() of libiptc [ Markus Sundberg ]
- Correctly propagate errors of setsockopt to calling function [ Harald Welte ]
- Fix connbytes match iptables-save [ Unknown ]
- Fix sctp match compilation against recent kernel headers [ Harald Welte ]
- Fix conntrack match compilation against 2.4.0 kernel headers [ Harald Welte ]

Changes from 1.3.4:
- Add support for ip6tables connmark match and target [ Harald Welte ]
- Add support for ip6tables state match [ Harald Welte ]
- Add support for new policy ip[6]tables match [ Patrick McHardy ]
- Major manpage update [ Yasuyuki Kozakai ]
- Remove ippool support, it was deprecated by ipset a long time ago [ Harald Welte ]

Please note: Since version 1.2.7a, patch-o-matic is no longer part of iptables but rather distributed as a separate package (ftp://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot)

iptables v1.3.4 Changelog
======================================================================

This version requires kernel >= 2.4.0
This version recommends kernel >= 2.4.18

Bugs fixed from 1.3.3:
- Fix parsing of NFQUEUE queue numbers [ Eric Leblond ]
- Add documentation of --queue-num parameter to NFQUEUE manpage [ Eric Leblond ]
- Fix 'hash-init' parameter of CLUSTERIP target [ KOVACS Krisztian ]
- Fix CONNMARK match and target: Marks are now always 32bit [ Deti Fliegl ]
- Print error message when multiple "--to" DNAT/SNAT args are used with kernel >= 2.6.10 [ Phil Oester ]
- Fix compilation of connbytes match with 2.6.14 kernel [ Harald Welte ]
- Fix address inversion of conntrack match [ Tom Eastep ]
- Fix sorting of chain names [ Robert de Barth ]

Changes from 1.3.2:
- Add support for DCCP port and type matching [ Harald Welte ]
- Add support for new in-kernel string match [ Pablo Neira ]

Please note: Since version 1.2.7a, patch-o-matic is no longer part of iptables but rather distributed as a separate package (ftp://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot)

iptables v1.3.3 Changelog
======================================================================

This version requires kernel >= 2.4.0
This version recommends kernel >= 2.4.18

Bugs fixed from 1.3.2:
- Fix use-after-free in merge_options() [ Markus Sundberg ]
- Fix support for SNAT and DNAT to ICMP ID ranges [ Patrick McHardy ]

Changes from 1.3.2:
- Add support for new NFQUEUE targets for IPv4 and IPv6 [ Harald Welte ]
- Minor manpage updates [ Harald Welte ]
- Fix numerous gcc-4 warnings throughout the code [ Harald Welte ]

Please note: Since version 1.2.7a, patch-o-matic is no longer part of iptables but rather distributed as a separate package (ftp://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot)

iptables v1.3.2 Changelog
======================================================================

This version requires kernel >= 2.4.0
This version recommends kernel >= 2.4.18

Bugs fixed from 1.3.1:
- Fix TCPLAG version [ Torsten Luettgert ]
- More error checking in SET target [ Michal Pokrywka ]
- Fix optflags value for OPT_LINENUMBERS [ Jonas Berlin ]
- Allow NULL init function in ip6tables plugins [ Jonas Berlin ]
- Don't allow newlines in LOG prefix [ Phil Oester ]
- Introduce ip_conntrack_old_tuple to userspace header copy [ Pablo Neira ]
- Fix connbytes command line parsing bug [ Piotrek Kaczmarek ]
- Ignore unknown arguments in libipt_ULOG [ Patrick McHardy ]
- Correct error in multiport manpage wrt. "--ports" [ Rusty Russell ]
- Fix CONNMARK save/restore [ Tom Eastep, Pawel Sikora ]
- Make sure chain name doesn't start with '!' [ Yasuyuki Kozakai ]
- Prevent user from specifying negative ports in SNAT/DNAT [ Yasuyuki Kozakai ]
- Fix deletion of targets where kernel size != userspace size [ Pablo Neira ]
- Fix save/restore of '! --uid-owner squid' problem in ip6t_owner [ Harald Welte ]

Changes from 1.3.1:
- Add ``--log-uid'' option to ip6t_LOG target [ Patrick McHardy ]
- Improve REDIRECT manpage [ Jonas Berlin ]
- Add a number of missing manpage snippets [ Jonas Berlin ]
- Include FIN bit in mask of "--syn" bits [ Harald Welte ]
- Release previously merged options from merge_opts(), reduces memory usage of iptables-restore dramatically [ Pablo Neira ]
- OSF: changes to support connector notifications [ Evgeniy Polyakov ]
- Reduce code replication of parse_interface() [ Yasuyuki Kozakai ]

Please note: Since version 1.2.7a, patch-o-matic is no longer part of iptables but rather distributed as a separate package (ftp://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot)

iptables v1.3.1 Changelog
======================================================================

This version requires kernel >= 2.4.4
This version recommends kernel >= 2.4.18

Bugs fixed from 1.3.0:
- Fix CLUSTERIP rule deletion [ Pablo Neira ]
- Fix libip6t_random compilation [ Harald Welte ]
- Fix CONNMARK on 32bit userspace / 64bit kernel archs [ Pablo Neira ]

Changes from 1.3.0:
- remove bogus NFC_* stuff in iptables [ Pablo Neira ]
- libiptc: don't sort builtin chains, restores iptables-1.2.x sort order [ Olaf Rempel ]

Please note: Since version 1.2.7a, patch-o-matic is no longer part of iptables but rather distributed as a separate package (ftp://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot)

iptables v1.3.0 Changelog
======================================================================

This version requires kernel >= 2.4.4
This version recommends kernel >= 2.4.18

Bugs fixed from 1.3.0rc1:
- Fix realm match save/restore issue [ Harald Welte ]
- Fix hashlimit rule deletion from userspace [ Samuel Jean ]
- Fix hashlimit parameter handling / iptables-save [ Nikolai Malykh ]
- Fix multiport inversion [ Phil Oester ]

Bugs fixed from 1.2.11:
- Fix compilation on systems where /bin/sh != bash [ Jozsef Kadlecsik ]
- Fix setting lib_dir in ip*tables-{save,restore} [ Martin Josefsson ]
- Fix module-autoloading in certain cases [ Harald Welte ]
- libipt_TTL: limit range of valid TTL to 0-255 [ Maciej Soltysiak ]
- libip6t_HL: limit range of valid HL to 0-255 [ Maciej Soltysiak ]
- libip{6}t_limit: Fix half-working limit invert check [ Phil Oester ]
- libipt_connbytes: Update to use the IP_CONNTRACK_ACCT counters [ Harald Welte ]
- libipt_conntrack: Fix typo [ Phil Oester ]
- libipt_dstlimit: Fix half-working invert check [ Phil Oester ]
- libipt_helper: Prevent user from using --helper multiple times [ Nicolas Bouliane ]
- libipt_iprange: Print error message if --dst-range used twice [ Nicolas Bouliane ]
- libipt_nth: Fix help message syntax [ Harald Welte ]
- libipt_psd: Fix option parsing [ Pablo Neira ]
- libipt_random: Fix help message syntax [ Harald Welte ]
- libipt_realm: Fix inversion of options [ Simon Lodal ]
- libipt_time: Fix C++ style delayed variable definition [ Olivier Clerget ]
- libipt_time: Print message about time match not adhering to daylight saving [ Phil Oester ]
- libipt_tos: Print error message if --tos is specified twice [ Nicolas Bouliane ]
- libipt_ttl: Cleanup ttl option parsing [ Phil Oester ]
- libipt_u32: Fix option parsing [ Piotr Gasid'o ]

Changes from 1.2.11:
- libiptc: complete rewrite for performance reasons [ Harald Welte, Martin Josefsson ]
- introduce "DO_MULTI=1" mode to build a multi-call binary [ Bastiaan Bakker ]
- code cleanup, use C99 initializers [ Harald Welte, Pablo Neira ]
- Extension revision number support (if kernel supports the getsockopts). [ Rusty Russell ]
- Don't need ipt_entry_target()/ip6t_entry_target(). [ Rusty Russell ]
- Don't re-initialize libiptc/libip6t unless modprobe attempt succeeds. [ Rusty Russell ]
- Implement IPTABLES_LIB_DIR and IP6TABLES_LIB_DIR environment variables [ Rusty Russell ]
- Add manpage section about 'raw' table [ Harald Welte ]
- libip{6}t_ROUTE: add ROUTE --tee mode [ Patrick Schaaf ]
- libip{6}t_multiport: Print error message when `!' is used [ Patrick McHardy, Phil Oester ]
- New libip6t_physdev match [ Bart De Schuymer ]
- libipt_CLUSTERIP: Fix compiler warning about const [ Harald Welte ]
- libipt_DNAT: Print error message if `:' is used for port range
- libipt_SNAT: Print error message if `:' is used for port range [ Phil Oester ]
- libipt_LOG: Add --log-uid option [ John Lange ]
- libipt_MARK: add bitwise operators [ Henrik Nordstrom, Rusty Russell ]
- libipt_SET: Update to ipset2 [ Jozsef Kadlecsik ]
- libipt_account: Update to 0.1.16 [ Piotr Gasid'o ]
- New libipt_comment match [ Brad Fisher ]
- New libipt_hashlimit match, supersedes dstlimit [ Harald Welte ]
- libipt_ttl: Use string_to_number() [ Rusty Russell ]

Please note: Since version 1.2.7a, patch-o-matic is no longer part of iptables but rather distributed as a separate package (ftp://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot)

iptables v1.2.11 Changelog
======================================================================

This version requires kernel >= 2.4.4
This version recommends kernel >= 2.4.18

Bugs Fixed from 1.2.10:
- fix compilation on systems where /bin/sh != bash [ Jozsef Kadlecsik ]

Bugs Fixed from 1.2.9:
- physdev match: fix new structure layout for kernel > 2.6.0-test8 [ Bart De Schuymer ]
- Better 64bit / 32bit split architecture detection
- IPv6 LOG target: Fix compiler warnings on 64bit
- LOG target: Fix compiler warnings on 64bit
- IPv6 MARK target: Use full 64bit mark on 64bit archs
- MARK target: Use full 64bit mark on 64bit archs
- SAME target: Fix 64bit/32bit splitarch problems
- ULOG target: Fix 64bit/32bit splitarch problems
- conntrack match: Fix 64bit/32bit splitarch problem
- IPv6 limit match: Fix 64bit/32bit splitarch problem
- limit match: Fix 64bit/32bit splitarch problem
- IPv6 mark match: Use full 64bit mark on 64bit archs
- mark match: Use full 64bit mark on 64bit archs
- owner match: Fix compiler warnings on 64bit [ Martin Josefsson ]
- connbytes match: Fix signedness / unsigned issue [ Martin Josefsson ]
- connlimit match: Fix '/0' netmask [ David Ahern ]
- ipv6 owner match: fix possibly not zero terminated string
- helper match: fix possibly not zero terminated string
- recent match: fix possibly not zero terminated string [ Karsten Desler ]
- ICMP match: fix '--icmp-type any' case [ Harald Welte ]
- CONNMARK target: major update (add mark/mask matching) [ Henrik Nordstrom ]
- DSCP target: Fix cosmetic help message problem [ Maciej Soltysiak ]
- string match: Fix iptables-save/restore for ascii strings with spaces [ Michael Rash ]
- ip(6)tables-restore: Make sure matches are used in the same order [ Martin Josefsson ]
- ip(6)tables-restore: Fix '--verbose' option
- ip(6)tables-restore: Add '--test' option
- ip(6)tables-restore: Complain about missing 'COMMIT' [ Martin Josefsson ]
- ip(6)tables-restore: Allow embedding of quote character in quoted strings [ Michael Rash ]
- libipq: Protect against spoofed queue messages (check if sender is kernel) [ Harald Welte ]

Changes from 1.2.9:
- time match: add 'datestart' and 'datestop' parameters [ Fabrice Marie ]
- modular manpage build, depending on actually compiled-in features [ Henrik Nordstrom ]
- additional documentation in manpage snippets formerly missing [ Harald Welte ]
- support new CLUSTERIP target [ Harald Welte ]
- support new account match [ Piotr Gasid'o ]
- support new connrate match [ Nuuti Kotivuori ]
- support new dstlimit match [ Harald Welte ]
- support new 'set' match / 'SET' target [ Jozsef Kadlecsik ]
- osf match: add support for netlink reporting [ Evgeniy Polyakov ]
- new SCTP protocol match [ Kiran Kumar ]

Please note: Since version 1.2.7a, patch-o-matic is no longer part of iptables but rather distributed as a separate package (ftp://ftp.netfilter.org/pub/patch-o-matic/)

Please also note: Since Kernel 2.6.x is out, we now use patch-o-matic-ng, distributed as a separate package: (ftp://ftp.netfilter.org/pub/patch-o-matic-ng)

iptables v1.2.10 Changelog
======================================================================

This version requires kernel >= 2.4.4
This version recommends kernel >= 2.4.18

Bugs Fixed from 1.2.9:
- physdev match: fix new structure layout for kernel > 2.6.0-test8 [ Bart De Schuymer ]
- Better 64bit / 32bit split architecture detection
- IPv6 LOG target: Fix compiler warnings on 64bit
- LOG target: Fix compiler warnings on 64bit
- IPv6 MARK target: Use full 64bit mark on 64bit archs
- MARK target: Use full 64bit mark on 64bit archs
- SAME target: Fix 64bit/32bit splitarch problems
- ULOG target: Fix 64bit/32bit splitarch problems
- conntrack match: Fix 64bit/32bit splitarch problem
- IPv6 limit match: Fix 64bit/32bit splitarch problem
- limit match: Fix 64bit/32bit splitarch problem
- IPv6 mark match: Use full 64bit mark on 64bit archs
- mark match: Use full 64bit mark on 64bit archs
- owner match: Fix compiler warnings on 64bit [ Martin Josefsson ]
- connbytes match: Fix signedness / unsigned issue [ Martin Josefsson ]
- connlimit match: Fix '/0' netmask [ David Ahern ]
- ipv6 owner match: fix possibly not zero terminated string
- helper match: fix possibly not zero terminated string
- recent match: fix possibly not zero terminated string [ Karsten Desler ]
- ICMP match: fix '--icmp-type any' case [ Harald Welte ]
- CONNMARK target: major update (add mark/mask matching) [ Henrik Nordstrom ]
- DSCP target: Fix cosmetic help message problem [ Maciej Soltysiak ]
- string match: Fix iptables-save/restore for ascii strings with spaces [ Michael Rash ]
- ip(6)tables-restore: Make sure matches are used in the same order [ Martin Josefsson ]
- ip(6)tables-restore: Fix '--verbose' option
- ip(6)tables-restore: Add '--test' option
- ip(6)tables-restore: Complain about missing 'COMMIT' [ Martin Josefsson ]
- ip(6)tables-restore: Allow embedding of quote character in quoted strings [ Michael Rash ]
- libipq: Protect against spoofed queue messages (check if sender is kernel) [ Harald Welte ]

Changes from 1.2.9:
- time match: add 'datestart' and 'datestop' parameters [ Fabrice Marie ]
- modular manpage build, depending on actually compiled-in features [ Henrik Nordstrom ]
- additional documentation in manpage snippets formerly missing [ Harald Welte ]
- support new CLUSTERIP target [ Harald Welte ]
- support new account match [ Piotr Gasid'o ]
- support new connrate match [ Nuuti Kotivuori ]
- support new dstlimit match [ Harald Welte ]
- support new 'set' match / 'SET' target [ Jozsef Kadlecsik ]
- osf match: add support for netlink reporting [ Evgeniy Polyakov ]
- new SCTP protocol match [ Kiran Kumar ]

Please note: Since version 1.2.7a, patch-o-matic is no longer part of iptables but rather distributed as a separate package (ftp://ftp.netfilter.org/pub/patch-o-matic/)

Please also note: Since Kernel 2.6.x is out, we now use patch-o-matic-ng, distributed as a separate package: (ftp://ftp.netfilter.org/pub/patch-o-matic-ng)

iptables v1.2.9 Changelog
======================================================================

This version requires kernel >= 2.4.4
This version recommends kernel >= 2.4.18

Bugs Fixed from 1.2.8:
- ip(6)tables-save/restore: fix memory leaks [ Harald Welte, Martin Josefsson ]
- ip6tables: fix printout of odd length netmasks [ Mikko Markus Torni ]
- condition match: fix iptables-save [ Stephane Ouellette ]
- fuzzy match: fix ip(6)tables-save [ Hime Aguiar e Oliveira Jr. ]
- mac match: fix ip(6)tables-save if used inverted (!) [ David Zambonini, Martin Josefsson ]
- ip6tables udp match: check for invalid port ranges [ Thomas Poehnitz ]
- LOG target: fix iptables-save (save loglevel numerically) [ Thomas Woerner ]
- mport match: fix iptables-save (save numerically) [ Thomas Woerner ]
- libipq: fix ipq_id_t definition on 'real' 64bit/64bit architectures [ Ryan Veety ]
- libip6tc: fix ipv6_prefix_length endianness bugs [ Mikko Markus Torni ]
- MASQUERADE target: don't accept negative port numbers [ Yasuyuki Kozakai ]
- physdev match: fix new structure layout for kernel > 2.6.0-test8 [ Bart De Schuymer ]

Changes from 1.2.8:
- build plugins for connlimit, iprange, realm, CLASSIFY, CONNMARK, NETMAP [ Harald Welte ]
- libip(6)tc: Speedup due to incremental chain cache updates [ Harald Welte ]
- recent match: Update to version 0.3.1 that was submitted to the kernel [ Stephen Frost ]
- physdev match: add --physdev-is-{in,out,bridge} option [ Bart de Schuymer ]
- REJECT target: add support for ICMP administratively prohibited [ Maciej Soltysiak ]
- conntrack match: add support for CONFIRMED / unconfirmed state [ Harald Welte ]
- ROUTE target: new option: continue traversal [ Cedric de Launois ]
- various cosmetic cleanups [ Stephane Ouellette ]
- iptables/libiptc: add support for the new 'raw' table [ Jozsef Kadlecsik ]

Please note: Since version 1.2.7a, patch-o-matic is no longer part of iptables but rather distributed as a separate package (ftp://ftp.netfilter.org/pub/patch-o-matic/)

iptables v1.2.8 Changelog
======================================================================

This version requires kernel >= 2.4.4
This version recommends kernel >= 2.4.18

Bugs Fixed from 1.2.7a:
- fix ip6tables-save function of 'length' match [ Gerry Skerbitz ]
- fix ip6tables-save function of 'mac' match [ Kristian Gronfeldt Sorensen ]
- fix iptables-save function of 'ULOG' target [ Jimmy Hedman ]
- fix iptables-save function of 'conntrack' match [ Lutz Pressler ]
- fix iptables-save function of 'length' match [ Gerry Skerbitz ]
- fix iptables-save function of 'mac' match [ Kristian Gronfeldt Sorensen ]
- fix iptables-save function of 'mark' match [ Harald Welte ]
- fix iptables-save function of 'owner' match [ Costa Tsaousis ]
- fix iptables-save function of 'pool' match [ Oskar Berggren ]
- fix iptables-save function of 'tcpmss' match [ Michael Schwendt ]
- fix iptables-save function of 'tos' match [ Harald Welte ]
- fix save/print function of 'connmark' match [ Harald Welte ]
- fix error message when invalid TCP flag is specified with 'tcp' match [ Aaron Sethman ]

Changes from 1.2.7a:
- updated version of the ROUTE target [ Cedric de Launois ]
- updated version of the 'recent' match [ Stephen Frost ]
- update the RPC conntrack match, extend it to support filtering on procedures [ Ian (Larry) Latter ]
- add support for hexstrings to the 'string' match [ Michael Rash ]
- have iptables-restore print the line number in case of an error [ Illes Marci ]
- big iptables.8 manpage update [ Herve Eychenne ]
- print loglevel human-readable in ip6tables 'LOG' target [ Michael Schwendt ]
- print loglevel human-readable in 'LOG' target [ Michael Schwendt ]
- remove bogus code from 'ecn' match [ Stephane Ouellette ]
- be more specific in help message of 'helper' match [ Herve Eychenne ]
- fix semantic problem that '-p icmp -m icmp' was matching icmp type 0 instead of 'any' [ Harald Welte ]
- fix iptables rename-chain option [ Maciej Soltysiak ]
- remove libipulog from iptables since it is distributed with ulogd [ Harald Welte ]
- support new ip6tables 'HL' target [ Maciej Soltysiak ]
- support new ip6tables 'condition' match [ Stephane Ouellette ]
- support new ip6tables 'fuzzy' match [ Maciej Soltysiak ]
- support new ip6tables 'hoplimit' match [ Maciej Soltysiak ]
- support new iptables 'CLASSIFY' target [ unknown ]
- support new iptables TARPIT target [ Aaron Hopkins ]
- support new iptables 'condition' match [ Stephane Ouellette ]
- support new iptables 'fuzzy' match [ Hime Junior ]
- support new iptables 'physdev' match (for 2.5.x bridging) [ Bart de Schuymer ]
- support new iptables 'u32' match (based on u32 tc filter) [ Don Cohen ]

Please note: As of version 1.2.7a, patch-o-matic is no longer part of iptables but rather distributed as a separate package (ftp://ftp.netfilter.org/pub/patch-o-matic/)

iptables v1.2.7a (== fixed 1.2.7) Changelog
======================================================================

This version requires kernel >= 2.4.4
This version recommends kernel >= 2.4.18

Bugs Fixed from 1.2.6a:
- fix compiler warning in userspace support for ipv6 REJECT target [ Fabrice Marie ]
- check for invalid portranges in tcp+udp helper (e.g. 2000:100) [ Thomas Poehnitz ]
- fix save/restore functions of ip6tables tcp/udp extension [ Harald Welte / Andras Kis-Szabo ]
- check for invalid (out of range) nfmark values in MARK target [ Alexey ??? ]
- fix save function of MASQUERADE userspace support [ A. van Schie ]
- compile fixes for userspace support of experimental POOL target [ ? ]
- fix save function of userspace support for ah and esp match [ ? ]
- fix static build (NO_SHARED_LIBS) [ Roberto Nibali ]
- fix save/restore function of userspace support for mport match [ Bob Hockney ]
- update manpages to reflect recent changes [ Herve Eychenne, Harald Welte ]
- remove all remnants of the 'check' option [ ? ]

Changes from 1.2.6a:
- patch-o-matic is no longer part of iptables but rather distributed as a separate package (ftp://ftp.netfilter.org/pub/patch-o-matic/) [ Harald Welte ]
- userspace support for dscp match and target [ Harald Welte ]
- userspace support for ecn match and target [ Harald Welte ]
- userspace support for helper match [ Martin Josefsson ]
- userspace support for conntrack match [ Marc Boucher ]
- userspace support for pkttype match [ Martin Ludvig ]
- userspace support for experimental ROUTE target [ Cédric de Launois ]
- userspace support for experimental ipv6 ahesp match [ Andras Kis-Szabo ]
- userspace support for experimental ipv6 option header match [ Andras Kis-Szabo ]
- userspace support for experimental ipv6 routing header match [ Andras Kis-Szabo ]
- add matching of process name to userspace support of owner match [ Marc Boucher ]
- new version of userspace support for 'recent' match [ Stephen Frost ]

iptables v1.2.6a (== fixed 1.2.6) Changelog
======================================================================

This version requires kernel >= 2.4.4
This version recommends kernel >= 2.4.18

Bugs Fixed from 1.2.5:
- Fix iptables segfault problem when using `!' without argument [ Dionis Papavramidis, Harald Welte ]
- Fix PSD match for psd-delay-threshold > 100 [ Steven Coenen, Dennis Koslowski ]
- ip6tables alignment fixes [ Andreas Herrmann ]
- patch-o-matic:
  - Fix NAT-related bug in TCP window tracking code [ Jozsef Kadlecsik ]
  - Fix support for DNAT of locally-originated connections (NAT in LOCAL_OUT) [ Henrik Nordstrom, Harald Welte ]
  - Fix string match (is now SMP safe) [ Gianni Tedesco ]
  - Fix TFTP conntrack/nat helper (now also catches first packet) [ Magnus Boden ]

Changes from 1.2.5:
- Added global PREFIX makefile variable for all paths [ Harald Welte ]
- If compiled without any COPT_FLAGS, debugging is disabled. To enable debugging, use -DIPTC_DEBUG [ Harald Welte ]
- New ip6tables-restore and ip6tables-save manpage [ Andras Kis-Szabo ]
- Sync ip6tables-restore and ip6tables-save with iptables-restore [ Andras Kis-Szabo ]
- Sync ip6tables with iptables [ Andras Kis-Szabo ]
- mangle table now attaches to all five netfilter hooks [ Brad Chapman, Harald Welte ]
- iptables and ip6tables manpage updates [ Herve Eychenne ]
- patch-o-matic program now supports removal of already-applied patches [ Bob Hockney ]
- patch-o-matic program now supports patches to the userspace extensions [ Fabrice Marie ]
- patch-o-matic:
  - Extend recent match to support multiple recent lists [ Stephen Frost ]
  - New GRE and PPTP connection tracking and NAT helper [ Harald Welte ]
  - New CONNMARK target for marking all packets within one connection [ Henrik Nordstrom ]
  - New conntrack match, enables matching on more conntrack information than state [ Marc Boucher ]
  - New DSCP match and target (DSCP header field obsoletes TOS) [ Harald Welte ]
  - New owner match extension: Match on process name [ Marc Boucher ]
  - Add support for bitwise AND / OR manipulation on nfmark [ Fabrice Marie ]
  - New experimental patch for disabling TCP connection tracking pickup [ Harald Welte ]
  - Add support for SACK in all NAT helpers [ Harald Welte ]
  - Make eggdrop botnet connection tracking support work with eggdrop v1.6.x [ Magnus Sandin ]
  - Add support to REJECT for sending icmp-unreachable messages from a fake source address [ Fabrice Marie ]
  - Add support for ntalk2 to talk NAT helper [ Jozsef Kadlecsik ]
  - Big update to newnat patch [ Jozsef Kadlecsik, Paul P Komkoff ]

iptables v1.2.6 Changelog
======================================================================

This version requires kernel >= 2.4.4
This version recommends kernel >= 2.4.18

Bugs Fixed from 1.2.5:
- Fix iptables segfault problem when using `!' without argument [ Dionis Papavramidis, Harald Welte ]
- Fix PSD match for psd-delay-threshold > 100 [ Steven Coenen, Dennis Koslowski ]
- ip6tables alignment fixes [ Andreas Herrmann ]
- patch-o-matic:
  - Fix NAT-related bug in TCP window tracking code [ Jozsef Kadlecsik ]
  - Fix support for DNAT of locally-originated connections (NAT in LOCAL_OUT) [ Henrik Nordstrom, Harald Welte ]
  - Fix string match (is now SMP safe) [ Gianni Tedesco ]
  - Fix TFTP conntrack/nat helper (now also catches first packet) [ Magnus Boden ]

Changes from 1.2.5:
- Added global PREFIX makefile variable for all paths [ Harald Welte ]
- If compiled without any COPT_FLAGS, debugging is disabled. To enable debugging, use -DIPTC_DEBUG [ Harald Welte ]
- New ip6tables-restore and ip6tables-save manpage [ Andras Kis-Szabo ]
- Sync ip6tables-restore and ip6tables-save with iptables-restore [ Andras Kis-Szabo ]
- Sync ip6tables with iptables [ Andras Kis-Szabo ]
- mangle table now attaches to all five netfilter hooks [ Brad Chapman, Harald Welte ]
- iptables and ip6tables manpage updates [ Herve Eychenne ]
- patch-o-matic program now supports removal of already-applied patches [ Bob Hockney ]
- patch-o-matic program now supports patches to the userspace extensions [ Fabrice Marie ]
- patch-o-matic:
  - Extend recent match to support multiple recent lists [ Stephen Frost ]
  - New GRE and PPTP connection tracking and NAT helper [ Harald Welte ]
  - New CONNMARK target for marking all packets within one connection [ Henrik Nordstrom ]
  - New conntrack match, enables matching on more conntrack information than state [ Marc Boucher ]
  - New DSCP match and target (DSCP header field obsoletes TOS) [ Harald Welte ]
  - New owner match extension: Match on process name [ Marc Boucher ]
  - Add support for bitwise AND / OR manipulation on nfmark [ Fabrice Marie ]
  - New experimental patch for disabling TCP connection tracking pickup [ Harald Welte ]
  - Add support for SACK in all NAT helpers [ Harald Welte ]
  - Make eggdrop botnet connection tracking support work with eggdrop v1.6.x [ Magnus Sandin ]
  - Add support to REJECT for sending icmp-unreachable messages from a fake source address [ Fabrice Marie ]
  - Add support for ntalk2 to talk NAT helper [ Jozsef Kadlecsik ]
  - Big update to newnat patch [ Jozsef Kadlecsik, Paul P Komkoff ]

iptables v1.2.5 Changelog
======================================================================

This version requires kernel >= 2.4.4
This version recommends kernel > 2.4.14

Bugs Fixed from 1.2.4:
- make iptables-restore accept --table as well as -t option [ Andreas Ferber ]
- make iptables-restore -v / --verbose option work [ Marc Boucher ]
- fix iptables-save problems with saving "ppp+" style interface wildcards [ Harald Welte ]
- make iptables accept '_' and '.' in interface names [ Harald Welte ]
- Kernel bugfixes in patch-o-matic:
  - Fix IRC NAT srcaddr fix (we used to NAT DCC connections to the address of the IRC server) [ Bob Hockney ]
  - Fix potential Oops in TOS target module [ Edward Killips ]
  - Fix problem when raw socket has cloned skb while netfilter is doing payload modification [ Rusty Russell ]
  - Fix memory leak in ipchains redirect code [ Rusty Russell ]
  - Fix reintroduced ECN problem with unclean match [ Guillaume Morin ]
  - Fix MAC address match problem with small udp packets [ Harald Welte ]

Changes from 1.2.4:
- Whole patch-o-matic system restructured; now supports multiple patch repositories (submitted, pending, base, extra, newnat). [ Jozsef Kadlecsik ]
- Add IPv6 support to the QUEUE target and libipq [ Fernando Anton / James Morris ]
- New patch-o-matic patches:
  - New IPV4OPTSSTRIP target to strip IP options [ Fabrice Marie ]
  - New ipv6header match to match IPv6 header options [ Brad Chapman / Andras Kis-Szabo ]
  - New helper match to match RELATED connections on their conntrack helper [ Martin Josefsson ]
  - New quota match to have fixed IP quotas [ Sam Johnston ]
  - New recent match to match recently seen packets [ Stephen Frost ]

iptables v1.2.4 Changelog
======================================================================

This version requires kernel >= 2.4.4
This version recommends kernel > 2.4.9

Bugs Fixed from 1.2.3:
- make iptables-restore print error message instead of segfault when processing broken / wrong input. [ ]
- string_to_number fix in LOG, IPv6 LOG, TOS and FTOS target [ ]
- fix iptables-save problems when saving MIRROR rules [ Harald Welte ]
- fix IPv6 ICMP problems [ ]
- fix TTL increment in TTL target [ ]
- Kernel bugfixes in patch-o-matic:
  - Fix printing of inner-packet in ICMP error messages (LOG target) [ ]
  - Decrement TTL when using MIRROR target at PRE_ROUTING [ ]
  - fix undiscovered REJECT checkentry() bug (alignment) [ Bert Hubert ]

Changes from 1.2.3:
- New "make most-of-pom" feature for application of non-conflicting patches. This should be used instead of "make patch-o-matic" by most users. [ Harald Welte ]
- iptables-save and iptables-restore now included in the default install; they have not been experimental for quite some time. [ Harald Welte ]
- synchronize ip6tables-save/restore with iptables-save/restore [ Harald Welte ]
- more precise save() function for ipt_limit rates [ ]
- new improved version of nth match. Added support for multiple counters, added support for matching on individual packets in the counter cycle [ Richard Wagner ]
- added manpage for ip6tables [ ]
- updated libipq documentation [ ]
- added timeout to libipq recv function [ ]
- New patch-o-matic patches:
  - New random match [ ]
  - New ftp-fxp patch, imposes security risk but some people need it *sigh* [ Magnus Sandin ]
  - New H323 conntrack + nat modules [ Jozsef Kadlecsik ]
  - New version of tcp-window tracking patch, includes sysctl() changeable timeouts [ Jozsef Kadlecsik ]

iptables v1.2.3 Changelog
======================================================================

This version requires kernel 2.4.4 or above.
This version recommends kernel 2.4.9 or above.

Bugs Fixed from 1.2.2:
- fix ICMPv6 support for IPv6 [ Kis-Szabo Andras ]
- fix problems with REJECT and iptables-restore / iptables-save [ Harald Welte ]
- fix possible string overflow in psd match [ Dennis Koslowski ]
- fix string match compile problems [ Gianni Tedesco ]
- support interfaces with '_' (underscore) in device names [ Harald Welte ]
- support rules without target in iptables-save [ Emmanuel Fleury ]
- correct handling of "eth+" type interface names in iptables-save/restore [ Harald Welte ]
- do incremental checksumming when altering TTL in TTL target [ Harald Welte ]
- fix no-srr case in ipv4options match [ Fabrice Marie ]
- Kernel bugfixes in patch-o-matic:
  - Fix unexported ip6_table symbols [ Brad Chapman ]
  - Decrement TTL in MIRROR target if used in FORWARD chain [ Harald Welte, Fabian Melzow ]
  - Replace SACKPERM TCP option with NOOP (instead of ENDOFOPT) [ Guillaume Morin ]

Changes from 1.2.2:
- New "make most-of-pom" feature for application of non-conflicting patches. This should be used instead of "make patch-o-matic" by most users. [ Harald Welte ]
- support for statically linking iptables, without need for .so plugins [ David McCullough ]
- support for multiple ranges in SAME target [ Martin Josefsson ]
- support for router alert options in ipv4options match [ Fabrice Marie ]
- modprobe() modules when doing iptables-restore [ Andries van Schie ]
- remove obsolete fragment matching code in IPv6 [ Kis-Szabo Andras ]
- add support for dns hostnames to IPv6 code [ Kis-Szabo Andras ]
- New patch-o-matic patches:
  - New multiport (mport) match [ Andreas Ferber ]
  - New nth match for matching every n-th packet [ Fabrice Marie ]
  - New realm match for matching the routing realm [ Sampsa Ranta ]
  - New ctnetlink patch for manipulation of conntrack from userspace [ Jay Schulist ]
  - New REJECT target for IPv6 [ Harald Welte ]
  - New length match for IPv6 [ Imran Patel ]
  - New multiport (mport) match for IPv6 [ Andreas Ferber ]

iptables v1.2.1 Changelog
======================================================================

This version requires kernel 2.4.0 or above.
Bugs Fixed from 1.2: - Missing quotes around log-prefix [ Bart Theunissen ] - Bug in save function of string match [ Gianni Tedesc - ] - ip6tables.c string buffer size fixes [ Andras Kis-Szab - ] - dependency problem with iptables-save / iptables-restore [ Harald Welte ] - strtok problem with iptables-save / iptables-restore [ Harald Welte ] - Problems with tcp/udp extension and multiple calls of do_command() [ Sven Koch ] - Kernel bugfixes in patch-o-matic: - Updated rpc-record patch to work with 2.4.0 [ Marc Boucher ] - New ftp-pasv patch for fixing PASV detection with some ftpd's [ Erik Hensema ] - Fix checksum calculation of TOS target [ Rusty Russell ] Changes from 1.2: - New `pending-patches' target [ Rusty Russell ] - build all shared library extensions regardless of kernel tree [ Rusty Russell ] - New counter-restore functions for iptables [ Harald Welte ] - Added libiptc and libipulog t - `devel' Makefile target [ Harald Welte ] - Ported iptables-save/restore t - IPv6 [ Andras Kis-Szab - ] - Updated ULOG target (now in-kernel accumulation [= higher performance]) [ Harald Welte ] - Added fxp support t - ftp-multi patch [ Magnus Sandin ] - Implemented Boyer Moore Sublinear search algorithm for string match [ Gianni Tedesc - ] - Fixed tcp-window-tracking incompatibility with NAT helpers [ Harald Welte ] - New patch-o-matic patches: - New generic sequence number offset API for nat helpers [ Harald Welte ] - New psd (port-scan-detection) match [ Dennis Koslowski, Markus Henning ] - New NETLINK target for old ipchains -o behaviour [ Gianni Tedesc - ] - New SAME target as a special case of SNAT [ Martin Josefsson ] - Ported LOG target to IPv6 [ Jan Rekorajski ] - Ported owner, limit, mac and multiport match to IPv6 [ Jan Rekorajski ] iptables v1.2.2 Changelog ====================================================================== This version requires kernel 2.4.1 or above. This version recommends kernel 2.4.4 or above. 
Bugs Fixed from 1.2.1a: - fixes for SAME Target [ Martin Josefsson ] - fixes for iplimit match in combination with iptables-save/-restore [ Gerd Knorr ] - fix for TCP match in combination with iptables-save/-restore [ Ian Lynagh ] - iptables-restore now deals correclty with spaces in --log-prefix [ Harald Welte ] - fix in 'isapplied' script. It used t - give false negatives [ Harald Welte ] - fix in BALANCE target, target now uses full ip address range [ Martin Josefsson ] - fix for NETLINK target, was sending wrong interface name [ Gianni Tedesc - ] - fix for collision of ftp and irc NAT helpers [ Harald Welte ] - ip6tables brought in sync with iptables [ Kis-Szab - Andras ] - Kernel bugfixes in patch-o-matic: - Fix possible security vulnerability in ip_conntrack_ftp [ Cristian - Lincoln Mattos, James Morris and Rusty ] Changes from 1.2.1a: - libiptc should now be usable from C++ applications [ Fabrice MAURIE ] - seqoffset-,ftp-security, ... patches are combined in 2.4.4.patch [ Rusty Russell ] - lots of old pre-2.4.1 patches now combined in 2.4.1.patch [ Rusty Russel ] - IRC conntrack + nat cleanup [ Harald Welte ] - string match cleanup [ Gianni Tedesc - ] - ULOG cleanup, new version. Fixes 'unable t - send nflink' bug [ Harald Welte ] - New patch-o-matic patches: - New NETMAP Target for mapping whole networks 1:1 to other addresses [ Svenning Soerensen ] - New length Target for matching packet length [ James Morris ] - New ipv4options match for matching IPv4 header options [ Fabrice MARIE ] - New IPv6 agr match for matching IPv6 global aggregatable unicast adresses [ Andras Kis-Szab - ] - New pkttype match for matching link-layer multicast / broadcast packets [ Michal Ludvig ] - New time match for matching the packet's receive time [ Fabrice MARIE ] - New talk conntack + NAT helper module [ Jozsef Kadlecsik ] iptables v1.2 Changelog ====================================================================== This version requires 2.4.0-test9 or above. 
Bugs Fixed from 1.1.2: - Now default installs int - /usr/local/sbin, not /usr/local/bin. - Only does IPv6 compilation on libc6. - More header fixes for weird header combos. - ip6tables now refers t - "icmpv6" protocol, not "icmp". [ Harald Welte ] - IPPROTO_ESP and AH defined in iptables for primitive headers. - iptables multiple-DNS resolve fixed [ Harald Welte, Rusty ] - Kernel bugfixes in patch-o-matic: - IPv6 netfilter fixes [ Harald Welte ] - Masquerade with fwmark routing fix - Dynamic hashsize optimization (NAT) + `hashsize=' module parameter. - NAT overlap fix - PPC/Sparc mangle table fix. Changes from 1.1.2: - New `install-devel' target [ James Morris ] - libipq now has man pages! [ James Morris ] - iptables-save and iptables-restore added (with man pages!) [ Harald Welte ] - iptables now inserts modules if CONFIG_KMOD or --modprobe [ Harald Welte, Rusty ] - New `experimental' and `install-experimental' targets. - `--reject-with=echo-reply' removed in anticipation of the removal of kernel support. - ttl match enhancements (greater or less than tests) [ Harald Welte ] - Reworked patch-o-matic interface, t - force reading of help. - patch-o-matic updated for new 2.4 Makefiles [ Daniel Stone, Harald Welte ] - patch-o-matic now supports non-IPv4 netfilter patches [ Harald Welte ] - New patch-o-matic patches: - eggdrop bot connection tracking [ Magnus Sandin ] - FTOS target for full ToS mangling. [ Matthew G. Marsh ] - BALANCE target for simple load-balancing. - iplimit match for limiting number of connections. [ Gerd Knorr ] - IPv6 MARK target [ Harald Welte ] - IPv6 mark match [ Harald Welte ] iptables v1.1.2 Changelog ====================================================================== This version requires 2.4.0-test9 or above. 
Bugs Fixed from 1.1.1: - Adding rules on UltraSparc now works - string_to_number now handles overflow [ Jan Echternach ] - Bug when using ridiculous rule numbers fixed Changes from 1.1.1: - patch-o-matic system added: - TTL alteration and ttl matching support -- Harald Welte - AH/ESP matching support -- Yon Uriarte - DROPPED table support -- Rusty - ftp-multi patch for non-standard ftp servers -- Harald Welte - IRC connection tracking & NAT -- Harald Welte - pool match and POOL target -- Patrick - RPC recording patch -- Marcelo Barbosa Lima - SNMP NAT support -- James Morris - string match for looking in packet's data -- Emmanuel Roger - tcp-MSS target for altering MSS -- Marc Boucher - ULOG target for advanced logging -- Harald Welte - Minor const cleanups [ Jan Echternach ] - iptables.8 updates [ Harald Welte, Rusty ] - Better warnings for non-existant matches/missing libraries [ Harald Welte ] - Improved isapplied script