iptables v1.2.6a (== fixed 1.2.6) Changelog
======================================================================

This version requires kernel >= 2.4.4
This version recommends kernel >= 2.4.18

Bugs Fixed from 1.2.5:
- Fix iptables segfault problem when using `!' without argument [ Dionis Papavramidis, Harald Welte ]
- Fix PSD match for psd-delay-threshold > 100 [ Steven Coenen, Dennis Koslowski ]
- ip6tables alignment fixes [ Andreas Herrmann ]
- patch-o-matic:
  - Fix NAT-related bug in TCP window tracking code [ Jozsef Kadlecsik ]
  - Fix support for DNAT of locally-originated connections (NAT in LOCAL_OUT) [ Henrik Nordstrom, Harald Welte ]
  - Fix string match (is now SMP safe) [ Gianni Tedesco ]
  - Fix TFTP conntrack/nat helper (now also catches first packet) [ Magnus Boden ]

Changes from 1.2.5:
- Added global PREFIX makefile variable for all paths [ Harald Welte ]
- If compiled without any COPT_FLAGS, debugging is disabled. To enable debugging, use -DIPTC_DEBUG [ Harald Welte ]
- New ip6tables-restore and ip6tables-save manpage [ Andras Kis-Szabo ]
- Sync ip6tables-restore and ip6tables-save with iptables-restore [ Andras Kis-Szabo ]
- Sync ip6tables with iptables [ Andras Kis-Szabo ]
- mangle table attaches now to all five netfilter hooks [ Brad Chapman, Harald Welte ]
- iptables and ip6tables manpage updates [ Herve Eychenne ]
- patch-o-matic program now supports removal of already-applied patches [ Bob Hockney ]
- patch-o-matic program now supports patches to the userspace extensions [ Fabrice Marie ]
- patch-o-matic:
  - Extend recent match to support multiple recent lists [ Stephen Frost ]
  - New GRE and PPTP connection tracking and NAT helper [ Harald Welte ]
  - New CONNMARK target for marking all packets within one connection [ Henrik Nordstrom ]
  - New conntrack match, enables matching on more conntrack information than state [ Marc Boucher ]
  - New DSCP match and target (DSCP header field obsoletes TOS) [ Harald Welte ]
  - New owner match extension: Match on process name [ Marc Boucher ]
  - Add support for bitwise AND / OR manipulation on nfmark [ Fabrice Marie ]
  - New experimental patch for disabling TCP connection tracking pickup [ Harald Welte ]
  - Add support for SACK in all NAT helpers [ Harald Welte ]
  - Make eggdrop botnet connection tracking support work with eggdrop v1.6.x [ Magnus Sandin ]
  - Add support to REJECT for sending icmp-unreachable messages from a fake source address [ Fabrice Marie ]
  - Add support for ntalk2 to talk NAT helper [ Jozsef Kadlecsik ]
  - Big update to newnat patch [ Jozsef Kadlecsik, Paul P Komkoff ]

iptables 1.2.5
==============

This version requires kernel >= 2.4.4
This version recommends kernel > 2.4.14

Bugs Fixed from 1.2.4:
* make iptables-restore accept --table as well as -t option [ Andreas Ferber ]
* make iptables-restore -v / --verbose option work [ Marc Boucher ]
* fix iptables-save problems with saving "ppp+" style interface wildcards [ Harald Welte ]
* make iptables accept '_' and '.' in interface names [ Harald Welte ]
* Kernel bugfixes in patch-o-matic:
  + Fix IRC NAT srcaddr fix (we used to nat DCC connections to the address of the IRC server) [ Bob Hockney ]
  + Fix potential Oops in TOS target module [ Edward Killips ]
  + Fix problem when raw socket has cloned skb while netfilter doing payload modification [ Rusty Russell ]
  + Fix memory leak in ipchains redirect code [ Rusty Russell ]
  + Fix reintroduced ECN problem with unclean match [ Guillaume Morin ]
  + Fix MAC address match problem with small udp packets [ Harald Welte ]

Changes from 1.2.4:
* Whole patch-o-matic system restructured - now supports multiple patch repositories (submitted, pending, base, extra, newnat). [ Jozsef Kadlecsik ]
* Add IPv6 support to the QUEUE target and libipq [ Fernando Anton / James Morris ]
* New patch-o-matic patches:
  + New IPV4OPTSSTRIP target to strip IP options [ Fabrice Marie ]
  + New ipv6header match to match IPv6 header options [ Brad Chapman / Andras Kis-Szabo ]
  + New helper match to match RELATED connections on their conntrack helper [ Martin Josefsson ]
  + New quota match to have fixed IP quotas [ Sam Johnston ]
  + New recent match to match recently seen packets [ Stephen Frost ]

iptables 1.2.4
==============

This version requires kernel >= 2.4.4
This version recommends kernel > 2.4.9

Bugs Fixed from 1.2.3:
* make iptables-restore print error message instead of segfault when processing broken / wrong input. [ ???, Harald Welte ]
* string_to_number fix in LOG, IPv6 LOG, TOS and FTOS target [ Daniel Roethlisberger, Dave Wolfe, ... ]
* fix iptables-save problems when saving MIRROR rules [ Harald Welte ]
* fix IPv6 ICMP problems [ Andras Kis-Szabo ]
* fix TTL increment in TTL target [ Willy Tarreau ]
* Kernel bugfixes in patch-o-matic:
  + Fix printing of inner-packet in ICMP error messages (LOG target) [ Jozsef Kadlecsik ]
  + Decrement TTL when using MIRROR target at PRE_ROUTING [ Fabian Melzow, Harald Welte ]
  + fix undiscovered REJECT checkentry() bug (alignment) [ Bert Hubert ]

Changes from 1.2.3:
* New "make most-of-pom" feature for application of non-conflicting patches. This should be used instead of "make patch-o-matic" by most users. [ Harald Welte ]
* iptables-save and iptables-restore now included in the default install; they have not been experimental for quite some time. [ Harald Welte ]
* synchronize ip6tables-save/restore with iptables-save/restore [ Harald Welte ]
* more precise save() function for ipt_limit rates [ Michael Schwendt ]
* new improved version of nth-match. Added support for multiple counters, added support for matching on individual packets in the counter cycle [ Richard Wagner ]
* added manpage for ip6tables [ Andras Kis-Szabo ]
* updated libipq documentation [ James Morris ]
* added timeout to libipq recv function [ Joost Remijn ]
* New patch-o-matic patches:
  + New random match [ Fabrice Marie ]
  + New ftp-fxp patch, imposes a security risk but some people need it *sigh* [ Magnus Sandin ]
  + New H323 conntrack + nat modules [ Jozsef Kadlecsik ]
  + New version of tcp-window tracking patch, includes sysctl() changeable timeouts [ Jozsef Kadlecsik ]

iptables 1.2.3
==============

This version requires kernel 2.4.4 or above.
This version recommends kernel 2.4.9 or above.

Bugs Fixed from 1.2.2:
* fix ICMPv6 support for IPv6 [ Kis-Szabo Andras ]
* fix problems with REJECT and iptables-restore / iptables-save [ Harald Welte ]
* fix possible string overflow in psd match [ Dennis Koslowski ]
* fix string match compile problems [ Gianni Tedesco ]
* support interfaces with '_' (underscore) in device names [ Harald Welte ]
* support rules without target in iptables-save [ Emmanuel Fleury ]
* correct handling of "eth+" type interface names in iptables-save/restore [ Harald Welte ]
* do incremental checksumming when altering TTL in TTL target [ Harald Welte ]
* fix no-srr case in ipv4options match [ Fabrice Marie ]
* Kernel bugfixes in patch-o-matic:
  + Fix unexported ip6_table symbols [ Brad Chapman ]
  + Decrement TTL in MIRROR target if used in FORWARD chain [ Harald Welte, Fabian Melzow ]
  + Replace SACKPERM TCP option with NOOP (instead of ENDOFOPT) [ Guillaume Morin ]

Changes from 1.2.2:
* New "make most-of-pom" feature for application of non-conflicting patches. This should be used instead of "make patch-o-matic" by most users. [ Harald Welte ]
* support for statically linking iptables, without need for .so plugins [ David McCullough ]
* support for multiple ranges in SAME target [ Martin Josefsson ]
* support for router alert options in ipv4options match [ Fabrice Marie ]
* modprobe() modules when doing iptables-restore [ Andries van Schie ]
* remove obsolete fragment matching code in IPv6 [ Kis-Szabo Andras ]
* add support for dns hostnames to IPv6 code [ Kis-Szabo Andras ]
* New patch-o-matic patches:
  + New multiport (mport) match [ Andreas Ferber ]
  + New nth match for matching every n-th packet [ Fabrice Marie ]
  + New realm match for matching the routing realm [ Sampsa Ranta ]
  + New ctnetlink patch for manipulation of conntrack from userspace [ Jay Schulist ]
  + New REJECT Target for IPv6 [ Harald Welte ]
  + New length match for IPv6 [ Imran Patel ]
  + New multiport (mport) match for IPv6 [ Andreas Ferber ]

iptables 1.2.2
==============

This version requires kernel 2.4.1 or above.
This version recommends kernel 2.4.4 or above.

Bugs Fixed from 1.2.1a:
* fixes for SAME Target [ Martin Josefsson ]
* fixes for iplimit match in combination with iptables-save/-restore [ Gerd Knorr ]
* fix for TCP match in combination with iptables-save/-restore [ Ian Lynagh ]
* iptables-restore now deals correctly with spaces in --log-prefix [ Harald Welte ]
* fix in 'isapplied' script. It used to give false negatives [ Harald Welte ]
* fix in BALANCE target, target now uses full ip address range [ Martin Josefsson ]
* fix for NETLINK target, was sending wrong interface name [ Gianni Tedesco ]
* fix for collision of ftp and irc NAT helpers [ Harald Welte ]
* ip6tables brought in sync with iptables [ Kis-Szabo Andras ]
* Kernel bugfixes in patch-o-matic:
  + Fix possible security vulnerability in ip_conntrack_ftp [ Cristiano Lincoln Mattos, James Morris and Rusty ]

Changes from 1.2.1a:
* libiptc should now be usable from C++ applications [ Fabrice MAURIE ]
* seqoffset-, ftp-security, ... patches are combined in 2.4.4.patch [ Rusty Russell ]
* lots of old pre-2.4.1 patches now combined in 2.4.1.patch [ Rusty Russell ]
* IRC conntrack + nat cleanup [ Harald Welte ]
* string match cleanup [ Gianni Tedesco ]
* ULOG cleanup, new version. Fixes 'unable to send nflink' bug [ Harald Welte ]
* New patch-o-matic patches:
  + New NETMAP Target for mapping whole networks 1:1 to other addresses [ Svenning Soerensen ]
  + New length Target for matching packet length [ James Morris ]
  + New ipv4options match for matching IPv4 header options [ Fabrice MARIE ]
  + New IPv6 agr match for matching IPv6 global aggregatable unicast addresses [ Andras Kis-Szabo ]
  + New pkttype match for matching link-layer multicast / broadcast packets [ Michal Ludvig ]
  + New time match for matching the packet's receive time [ Fabrice MARIE ]
  + New talk conntrack + NAT helper module [ Jozsef Kadlecsik ]

iptables 1.2.1
==============

This version requires kernel 2.4.0 or above.

Bugs Fixed from 1.2:
* Missing quotes around log-prefix [ Bart Theunissen ]
* Bug in save function of string match [ Gianni Tedesco ]
* ip6tables.c string buffer size fixes [ Andras Kis-Szabo ]
* dependency problem with iptables-save / iptables-restore [ Harald Welte ]
* strtok problem with iptables-save / iptables-restore [ Harald Welte ]
* Problems with tcp/udp extension and multiple calls of do_command() [ Sven Koch ]
* Kernel bugfixes in patch-o-matic:
  + Updated rpc-record patch to work with 2.4.0 [ Marc Boucher ]
  + New ftp-pasv patch for fixing PASV detection with some ftpd's [ Erik Hensema ]
  + Fix checksum calculation of TOS target [ Rusty Russell ]

Changes from 1.2:
* New `pending-patches' target [ Rusty Russell ]
* build all shared library extensions regardless of kernel tree [ Rusty Russell ]
* New counter-restore functions for iptables [ Harald Welte ]
* Added libiptc and libipulog to `devel' Makefile target [ Harald Welte ]
* Ported iptables-save/restore to IPv6 [ Andras Kis-Szabo ]
* Updated ULOG target (now in-kernel accumulation [= higher performance]) [ Harald Welte ]
* Added fxp support to ftp-multi patch [ Magnus Sandin ]
* Implemented Boyer Moore Sublinear search algorithm for string match [ Gianni Tedesco ]
* Fixed tcp-window-tracking incompatibility with NAT helpers [ Harald Welte ]
* New patch-o-matic patches:
  + New generic sequence number offset API for nat helpers [ Harald Welte ]
  + New psd (port-scan-detection) match [ Dennis Koslowski, Markus Henning ]
  + New NETLINK target for old ipchains -o behaviour [ Gianni Tedesco ]
  + New SAME target as a special case of SNAT [ Martin Josefsson ]
  + Ported LOG target to IPv6 [ Jan Rekorajski ]
  + Ported owner, limit, mac and multiport match to IPv6 [ Jan Rekorajski ]

iptables 1.2
============

This version requires 2.4.0-test9 or above.

Bugs Fixed from 1.1.2:
* Now default installs into /usr/local/sbin, not /usr/local/bin.
* Only does IPv6 compilation on libc6.
* More header fixes for weird header combos.
* ip6tables now refers to "icmpv6" protocol, not "icmp". [ Harald Welte ]
* IPPROTO_ESP and AH defined in iptables for primitive headers.
* iptables multiple-DNS resolve fixed [ Harald Welte, Rusty ]
* Kernel bugfixes in patch-o-matic:
  + IPv6 netfilter fixes [ Harald Welte ]
  + Masquerade with fwmark routing fix
  + Dynamic hashsize optimization (NAT)
  + `hashsize=' module parameter.
  + NAT overlap fix
  + PPC/Sparc mangle table fix.

Changes from 1.1.2:
* New `install-devel' target [ James Morris ]
* libipq now has man pages! [ James Morris ]
* iptables-save and iptables-restore added (with man pages!) [ Harald Welte ]
* iptables now inserts modules if CONFIG_KMOD or --modprobe [ Harald Welte, Rusty ]
* New `experimental' and `install-experimental' targets.
* `--reject-with=echo-reply' removed in anticipation of the removal of kernel support.
* ttl match enhancements (greater or less than tests) [ Harald Welte ]
* Reworked patch-o-matic interface, to force reading of help.
* patch-o-matic updated for new 2.4 Makefiles [ Daniel Stone, Harald Welte ]
* patch-o-matic now supports non-IPv4 netfilter patches [ Harald Welte ]
* New patch-o-matic patches:
  + eggdrop bot connection tracking [ Magnus Sandin ]
  + FTOS target for full ToS mangling. [ Matthew G. Marsh ]
  + BALANCE target for simple load-balancing.
  + iplimit match for limiting number of connections. [ Gerd Knorr ]
  + IPv6 MARK target [ Harald Welte ]
  + IPv6 mark match [ Harald Welte ]

iptables 1.1.2
==============

This version requires 2.4.0-test9 or above.

Bugs Fixed from 1.1.1:
* Adding rules on UltraSparc now works
* string_to_number now handles overflow [ Jan Echternach ]
* Bug when using ridiculous rule numbers fixed

Changes from 1.1.1:
* patch-o-matic system added:
  + TTL alteration and ttl matching support -- Harald Welte
  + AH/ESP matching support -- Yon Uriarte
  + DROPPED table support -- Rusty
  + ftp-multi patch for non-standard ftp servers -- Harald Welte
  + IRC connection tracking & NAT -- Harald Welte
  + pool match and POOL target -- Patrick
  + RPC recording patch -- Marcelo Barbosa Lima
  + SNMP NAT support -- James Morris
  + string match for looking in packet's data -- Emmanuel Roger
  + tcp-MSS target for altering MSS -- Marc Boucher
  + ULOG target for advanced logging -- Harald Welte
* Minor const cleanups [ Jan Echternach ]
* iptables.8 updates [ Harald Welte, Rusty ]
* Better warnings for non-existent matches/missing libraries [ Harald Welte ]
* Improved isapplied script