iptables v1.2.6a (== fixed 1.2.6) Changelog
======================================================================
This version requires kernel >= 2.4.4
This version recommends kernel >= 2.4.18
Bugs Fixed from 1.2.5:
- Fix iptables segfault problem when using `!' without argument
[ Dionis Papavramidis, Harald Welte ]
- Fix PSD match for psd-delay-threshold > 100
[ Steven Coenen, Dennis Koslowski ]
- ip6tables alignment fixes
[ Andreas Herrmann ]
- patch-o-matic:
- Fix NAT-related bug in TCP window tracking code
[ Jozsef Kadlecsik ]
- Fix support for DNAT of locally-originated connections (NAT in
LOCAL_OUT)
[ Henrik Nordstrom, Harald Welte ]
- Fix string match (is now SMP safe)
[ Gianni Tedesco ]
- Fix TFTP conntrack/nat helper (now also catches first packet)
[ Magnus Boden ]
Changes from 1.2.5:
- Added global PREFIX makefile variable for all paths
[ Harald Welte ]
- If compiled without any COPT_FLAGS, debugging is disabled. To enable
debugging, use -DIPTC_DEBUG
[ Harald Welte ]
- New ip6tables-restore and ip6tables-save manpage
[ Andras Kis-Szabo ]
- Sync ip6tables-restore and ip6tables-save with iptables-restore
[ Andras Kis-Szabo ]
- Sync ip6tables with iptables
[ Andras Kis-Szabo ]
- mangle table now attaches to all five netfilter hooks
[ Brad Chapman, Harald Welte ]
- iptables and ip6tables manpage updates
[ Herve Eychenne ]
- patch-o-matic program now supports removal of already-applied patches
[ Bob Hockney ]
- patch-o-matic program now supports patches to the userspace extensions
[ Fabrice Marie ]
- patch-o-matic:
- Extend recent match to support multiple recent lists
[ Stephen Frost ]
- New GRE and PPTP connection tracking and NAT helper
[ Harald Welte ]
- New CONNMARK target for marking all packets within one connection
[ Henrik Nordstrom ]
- New conntrack match, enables matching on more conntrack information
than state
[ Marc Boucher ]
- New DSCP match and target (DSCP header field obsoletes TOS)
[ Harald Welte ]
- New owner match extension: Match on process name
[ Marc Boucher ]
- Add support for bitwise AND / OR manipulation on nfmark
[ Fabrice Marie ]
- New experimental patch for disabling TCP connection tracking pickup
[ Harald Welte ]
- Add support for SACK in all NAT helpers
[ Harald Welte ]
- Make eggdrop botnet connection tracking support work with eggdrop
v1.6.x
[ Magnus Sandin ]
- Add support to REJECT for sending icmp-unreachable messages
from a fake source address
[ Fabrice Marie ]
- Add support for ntalk2 to talk NAT helper
[ Jozsef Kadlecsik ]
- Big update to newnat patch
[ Jozsef Kadlecsik, Paul P Komkoff ]
The Netfilter HomePage: iptables 1.2.5
======================================================================
This version requires kernel >= 2.4.4
This version recommends kernel >= 2.4.14
Bugs Fixed from 1.2.4:
* make iptables-restore accept --table as well as -t option
[ Andreas Ferber ]
* make iptables-restore -v / --verbose option work
[ Marc Boucher ]
* fix iptables-save problems with saving "ppp+" style interface
wildcards
[ Harald Welte ]
* make iptables accept '_' and '.' in interface names
[ Harald Welte ]
* Kernel bugfixes in patch-o-matic:
+ Fix IRC NAT srcaddr fix (we used to nat DCC connections to the
address of the IRC server)
[ Bob Hockney ]
+ Fix potential Oops in TOS target module
[ Edward Killips ]
+ Fix problem when raw socket has cloned skb while netfilter
doing payload modification
[ Rusty Russell ]
+ Fix memory leak in ipchains redirect code
[ Rusty Russell ]
+ Fix reintroduced ECN problem with unclean match
[ Guillaume Morin ]
+ Fix MAC address match problem with small udp packets
[ Harald Welte ]
Changes from 1.2.4:
* Whole patch-o-matic system restructured - now supports multiple
patch repositories (submitted, pending, base, extra, newnat).
[ Jozsef Kadlecsik ]
* Add IPv6 support to the QUEUE target and libipq
[ Fernando Anton / James Morris ]
* New patch-o-matic patches:
+ New IPV4OPTSSTRIP target to strip IP options
[ Fabrice Marie ]
+ New ipv6header match to match IPv6 header options
[ Brad Chapman / Andras Kis-Szabo ]
+ New helper match to match RELATED connections on their
conntrack helper
[ Martin Josefsson ]
+ New quota match to have fixed IP quotas
[ Sam Johnston ]
+ New recent match to match recently seen packets
[ Stephen Frost ]
+
The Netfilter HomePage: iptables 1.2.4
======================================================================
This version requires kernel >= 2.4.4
This version recommends kernel >= 2.4.9
Bugs Fixed from 1.2.3:
* make iptables-restore print error message instead of segfault when
processing broken / wrong input.
[ ???, Harald Welte ]
* string_to_number fix in LOG, IPv6 LOG, TOS and FTOS target
[ Daniel Roethlisberger, Dave Wolfe, ... ]
* fix iptables-save problems when saving MIRROR rules
[ Harald Welte ]
* fix IPv6 ICMP problems
[ Andras Kis-Szabo ]
* fix TTL increment in TTL target
[ Willy Tarreau ]
* Kernel bugfixes in patch-o-matic:
+ Fix printing of inner-packet in ICMP error messages (LOG target)
[ Jozsef Kadlecsik ]
+ Decrement TTL when using MIRROR target at PRE_ROUTING
[ Fabian Melzow, Harald Welte ]
+ fix undiscovered REJECT checkentry() bug (alignment)
[ Bert Hubert ]
Changes from 1.2.3:
* New "make most-of-pom" feature for application of non-conflicting
patches. This should be used instead of "make patch-o-matic" by
most users.
[ Harald Welte ]
* iptables-save and iptables-restore now included in the default
install; they have not been experimental for quite some time.
[ Harald Welte ]
* synchronize ip6tables-save/restore with iptables-save/restore
[ Harald Welte ]
* more precise save() function for ipt_limit rates
[ Michael Schwendt ]
* new improved version of nth-match. Added support for multiple
counters, added support for matching on individual packets in the
counter cycle
[ Richard Wagner ]
* added manpage for ip6tables
[ Andras Kis-Szabo ]
* updated libipq documentation
[ James Morris ]
* added timeout to libipq recv function
[ Joost Remijn ]
* New patch-o-matic patches:
+ New random match
[ Fabrice Marie ]
+ New ftp-fxp patch, imposes a security risk but some people need
it *sigh*
[ Magnus Sandin ]
+ New H323 conntrack + nat modules
[ Jozsef Kadlecsik ]
+ New version of tcp-window tracking patch, includes sysctl()
changeable timeouts
[ Jozsef Kadlecsik ]
The Netfilter HomePage: iptables 1.2.3
======================================================================
This version requires kernel 2.4.4 or above.
This version recommends kernel 2.4.9 or above.
Bugs Fixed from 1.2.2:
* fix ICMPv6 support for IPv6
[ Kis-Szabo Andras ]
* fix problems with REJECT and iptables-restore / iptables-save
[ Harald Welte ]
* fix possible string overflow in psd match
[ Dennis Koslowski ]
* fix string match compile problems
[ Gianni Tedesco ]
* support interfaces with '_' (underscore) in device names
[ Harald Welte ]
* support rules without target in iptables-save
[ Emmanuel Fleury ]
* correct handling of "eth+" type interface names in
iptables-save/restore
[ Harald Welte ]
* do incremental checksumming when altering TTL in TTL target
[ Harald Welte ]
* fix no-srr case in ipv4options match
[ Fabrice Marie ]
* Kernel bugfixes in patch-o-matic:
+ Fix unexported ip6_table symbols
[ Brad Chapman ]
+ Decrement TTL in MIRROR target if used in FORWARD chain
[ Harald Welte, Fabian Melzow ]
+ Replace SACKPERM TCP option with NOOP (instead of ENDOFOPT)
[ Guillaume Morin ]
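The TTL target entry in the list above ("do incremental checksumming when altering TTL") refers to patching the IPv4 header checksum in place instead of recomputing it over the whole header. The following is an added example, not code from iptables or netfilter: it applies the RFC 1624 incremental update to a TTL change on a constructed 20-byte header and confirms the result with a full recomputation. The function names `ip_checksum`, `csum_update16`, `ip_set_ttl`, `ttl_demo_ok` and the sample header bytes are illustrative choices, not names from the project.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Full ones'-complement checksum (RFC 1071); 0 means the header verifies. */
static uint16_t ip_checksum(const uint8_t *hdr, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)((hdr[i] << 8) | hdr[i + 1]);
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);  /* fold carries */
    return (uint16_t)~sum;
}

/* Incremental update, RFC 1624 eqn. 3: HC' = ~(~HC + ~m + m'). Unlike the
 * older RFC 1141 form it cannot produce a wrong 0x0000/0xFFFF result. */
static uint16_t csum_update16(uint16_t old_csum, uint16_t old_word, uint16_t new_word) {
    uint32_t sum = (uint16_t)~old_csum;  /* ~HC */
    sum += (uint16_t)~old_word;          /* + ~m */
    sum += new_word;                     /* + m' */
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Write a new TTL (byte 8) and patch the checksum (bytes 10-11) in place,
 * touching only the 16-bit word that holds TTL and protocol. */
static void ip_set_ttl(uint8_t hdr[20], uint8_t new_ttl) {
    uint16_t old_word = (uint16_t)((hdr[8] << 8) | hdr[9]);
    uint16_t new_word = (uint16_t)((new_ttl << 8) | hdr[9]);
    uint16_t old_csum = (uint16_t)((hdr[10] << 8) | hdr[11]);
    uint16_t new_csum = csum_update16(old_csum, old_word, new_word);
    hdr[8] = new_ttl;
    hdr[10] = (uint8_t)(new_csum >> 8); hdr[11] = (uint8_t)(new_csum & 0xff);
}

/* Constructed sample: IPv4/TCP header 10.0.0.1 -> 10.0.0.2, TTL 64.
 * Returns 1 if the incrementally patched header still verifies. */
static int ttl_demo_ok(void) {
    uint8_t hdr[20] = { 0x45, 0x00, 0x00, 0x28, 0x1c, 0x46, 0x40, 0x00,
                        0x40, 0x06, 0x00, 0x00, 10, 0, 0, 1, 10, 0, 0, 2 };
    uint16_t c = ip_checksum(hdr, 20);   /* give the sample a valid sum */
    hdr[10] = (uint8_t)(c >> 8); hdr[11] = (uint8_t)(c & 0xff);
    ip_set_ttl(hdr, 63);                 /* decrement as a router would */
    return hdr[8] == 63 && ip_checksum(hdr, 20) == 0;
}

int main(void) {
    printf("incremental TTL checksum update: %s\n", ttl_demo_ok() ? "ok" : "FAILED");
    return 0;
}
```

A header whose TTL is rewritten without this step is dropped by the next hop's checksum verification, which is why both the TTL and MIRROR fixes in these changelogs pair the TTL change with a checksum update.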
Changes from 1.2.2:
* New "make most-of-pom" feature for application of non-conflicting
patches. This should be used instead of "make patch-o-matic" by
most users.
[ Harald Welte ]
* support for statically linking iptables, without need for .so
plugins
[ David McCullough ]
* support for multiple ranges in SAME target
[ Martin Josefsson ]
* support for router alert options in ipv4options match
[ Fabrice Marie ]
* modprobe() modules when doing iptables-restore
[ Andries van Schie ]
* remove obsolete fragment matching code in IPv6
[ Kis-Szabo Andras ]
* add support for dns hostnames to IPv6 code
[ Kis-Szabo Andras ]
* New patch-o-matic patches:
+ New multiport (mport) match
[ Andreas Ferber ]
+ New nth match for matching every n-th packet
[ Fabrice Marie ]
+ New realm match for matching the routing realm
[ Sampsa Ranta ]
+ New ctnetlink patch for manipulation of conntrack from
userspace
[ Jay Schulist ]
+ New REJECT Target for IPv6
[ Harald Welte ]
+ New length match for IPv6
[ Imran Patel ]
+ New multiport (mport) match for IPv6
[ Andreas Ferber]
The Netfilter HomePage: iptables 1.2.2
======================================================================
This version requires kernel 2.4.1 or above.
This version recommends kernel 2.4.4 or above.
Bugs Fixed from 1.2.1a:
* fixes for SAME Target
[ Martin Josefsson ]
* fixes for iplimit match in combination with iptables-save/-restore
[ Gerd Knorr ]
* fix for TCP match in combination with iptables-save/-restore
[ Ian Lynagh ]
* iptables-restore now deals correctly with spaces in --log-prefix
[ Harald Welte ]
* fix in 'isapplied' script. It used to give false negatives
[ Harald Welte ]
* fix in BALANCE target, target now uses full ip address range
[ Martin Josefsson ]
* fix for NETLINK target, was sending wrong interface name
[ Gianni Tedesco ]
* fix for collision of ftp and irc NAT helpers
[ Harald Welte ]
* ip6tables brought in sync with iptables
[ Kis-Szabo Andras ]
* Kernel bugfixes in patch-o-matic:
+ Fix possible security vulnerability in ip_conntrack_ftp
[ Cristiano Lincoln Mattos, James Morris and Rusty ]
Changes from 1.2.1a:
* libiptc should now be usable from C++ applications
[ Fabrice MAURIE ]
* seqoffset-,ftp-security, ... patches are combined in 2.4.4.patch
[ Rusty Russell ]
* lots of old pre-2.4.1 patches now combined in 2.4.1.patch
[ Rusty Russell ]
* IRC conntrack + nat cleanup
[ Harald Welte ]
* string match cleanup
[ Gianni Tedesco ]
* ULOG cleanup, new version. Fixes 'unable to send nflink' bug
[ Harald Welte ]
* New patch-o-matic patches:
+ New NETMAP Target for mapping whole networks 1:1 to other
addresses
[ Svenning Soerensen ]
+ New length Target for matching packet length
[ James Morris ]
+ New ipv4options match for matching IPv4 header options
[ Fabrice MARIE ]
+ New IPv6 agr match for matching IPv6 global aggregatable
unicast addresses
[ Andras Kis-Szabo ]
+ New pkttype match for matching link-layer multicast /
broadcast packets
[ Michal Ludvig ]
+ New time match for matching the packet's receive time
[ Fabrice MARIE ]
+ New talk conntrack + NAT helper module
[ Jozsef Kadlecsik ]
The Netfilter HomePage: 1.2.1
======================================================================
This version requires kernel 2.4.0 or above.
Bugs Fixed from 1.2:
* Missing quotes around log-prefix
[ Bart Theunissen ]
* Bug in save function of string match
[ Gianni Tedesco ]
* ip6tables.c string buffer size fixes
[ Andras Kis-Szabo ]
* dependency problem with iptables-save / iptables-restore
[ Harald Welte ]
* strtok problem with iptables-save / iptables-restore
[ Harald Welte ]
* Problems with tcp/udp extension and multiple calls of do_command()
[ Sven Koch ]
* Kernel bugfixes in patch-o-matic:
+ Updated rpc-record patch to work with 2.4.0
[ Marc Boucher ]
+ New ftp-pasv patch for fixing PASV detection with some ftpd's
[ Erik Hensema ]
+ Fix checksum calculation of TOS target
[ Rusty Russell ]
Changes from 1.2:
* New `pending-patches' target
[ Rusty Russell ]
* build all shared library extensions regardless of kernel tree
[ Rusty Russell ]
* New counter-restore functions for iptables
[ Harald Welte ]
* Added libiptc and libipulog to `devel' Makefile target
[ Harald Welte ]
* Ported iptables-save/restore to IPv6
[ Andras Kis-Szabo ]
* Updated ULOG target (now in-kernel accumulation [= higher
performance])
[ Harald Welte ]
* Added fxp support to ftp-multi patch
[ Magnus Sandin ]
* Implemented Boyer Moore Sublinear search algorithm for string
match
[ Gianni Tedesco ]
* Fixed tcp-window-tracking incompatibility with NAT helpers
[ Harald Welte ]
* New patch-o-matic patches:
+ New generic sequence number offset API for nat helpers
[ Harald Welte ]
+ New psd (port-scan-detection) match
[ Dennis Koslowski, Markus Henning ]
+ New NETLINK target for old ipchains -o behaviour
[ Gianni Tedesco ]
+ New SAME target as a special case of SNAT
[ Martin Josefsson ]
+ Ported LOG target to IPv6
[ Jan Rekorajski ]
+ Ported owner, limit, mac and multiport match to IPv6
[ Jan Rekorajski ]
The Netfilter HomePage: 1.2
======================================================================
This version requires 2.4.0-test9 or above.
Bugs Fixed from 1.1.2:
* Now default installs into /usr/local/sbin, not /usr/local/bin.
* Only does IPv6 compilation on libc6.
* More header fixes for weird header combos.
* ip6tables now refers to "icmpv6" protocol, not "icmp".
[ Harald Welte ]
* IPPROTO_ESP and AH defined in iptables for primitive headers.
* iptables multiple-DNS resolve fixed
[ Harald Welte, Rusty ]
* Kernel bugfixes in patch-o-matic:
+ IPv6 netfilter fixes
[ Harald Welte ]
+ Masquerade with fwmark routing fix
+ Dynamic hashsize optimization (NAT) + `hashsize=' module
parameter.
+ NAT overlap fix
+ PPC/Sparc mangle table fix.
Changes from 1.1.2:
* New `install-devel' target
[ James Morris ]
* libipq now has man pages!
[ James Morris ]
* iptables-save and iptables-restore added (with man pages!)
[ Harald Welte ]
* iptables now inserts modules if CONFIG_KMOD or --modprobe
[ Harald Welte, Rusty ]
* New `experimental' and `install-experimental' targets.
* `--reject-with=echo-reply' removed in anticipation of the removal
of kernel support.
* ttl match enhancements (greater or less than tests)
[ Harald Welte ]
* Reworked patch-o-matic interface, to force reading of help.
* patch-o-matic updated for new 2.4 Makefiles
[ Daniel Stone, Harald Welte ]
* patch-o-matic now supports non-IPv4 netfilter patches
[ Harald Welte ]
* New patch-o-matic patches:
+ eggdrop bot connection tracking
[ Magnus Sandin ]
+ FTOS target for full ToS mangling.
[ Matthew G. Marsh ]
+ BALANCE target for simple load-balancing.
+ iplimit match for limiting number of connections.
[ Gerd Knorr ]
+ IPv6 MARK target
[ Harald Welte ]
+ IPv6 mark match
[ Harald Welte ]
The Netfilter HomePage: 1.1.2
======================================================================
This version requires 2.4.0-test9 or above.
Bugs Fixed from 1.1.1:
* Adding rules on UltraSparc now works
* string_to_number now handles overflow
[ Jan Echternach ]
* Bug when using ridiculous rule numbers fixed
Changes from 1.1.1:
* patch-o-matic system added:
+ TTL alteration and ttl matching support -- Harald Welte
+ AH/ESP matching support -- Yon Uriarte
+ DROPPED table support -- Rusty
+ ftp-multi patch for non-standard ftp servers -- Harald Welte
+ IRC connection tracking & NAT -- Harald Welte
+ pool match and POOL target -- Patrick
+ RPC recording patch -- Marcelo Barbosa Lima
+ SNMP NAT support -- James Morris
+ string match for looking in packet's data -- Emmanuel Roger
+ tcp-MSS target for altering MSS -- Marc Boucher
+ ULOG target for advanced logging -- Harald Welte
* Minor const cleanups
[ Jan Echternach ]
* iptables.8 updates
[ Harald Welte, Rusty ]
* Better warnings for non-existent matches/missing libraries
[ Harald Welte ]
* Improved isapplied script