* [ANNOUNCE] Release of iptables-1.2.9rc1
@ 2003-10-07 21:56 Netfilter Core Team
  2003-10-07 23:48 ` Juan Carlos Castro y Castro
  0 siblings, 1 reply; 6+ messages in thread
From: Netfilter Core Team @ 2003-10-07 21:56 UTC (permalink / raw)
  To: Netfilter Announcement List, Netfilter Mailinglist,
	Netfilter Development Mailinglist
  Cc: lwn



Hi!

The netfilter coreteam proudly presents:

	iptables version 1.2.9rc1

Version 1.2.9rc1 is the first release candidate of the upcoming 1.2.9
version.  Please note that this is a _release candidate_ and not the
final version.  It is supposed to be stable, but might still contain
some minor glitches.  If you are testing 1.2.9rc1 and run into any bugs,
please report them immediately to our bugzilla bug tracking system.

The ChangeLog is attached to this mail.

Version 1.2.9rc1 can be obtained from:

	http://www.netfilter.org/files/iptables-1.2.9rc1.tar.bz2
	ftp://ftp.netfilter.org/pub/iptables/iptables-1.2.9rc1.tar.bz2

Please note that since iptables-1.2.7 patch-o-matic is no longer part of
iptables, but distributed as a separate package.  You can obtain the
latest release and daily CVS snapshots from:

	ftp://ftp.netfilter.org/pub/patch-o-matic/
	
More information can be found at the netfilter/iptables project homepage,
available at:

	http://www.netfilter.org/
	http://www.iptables.org/

Happy firewalling,

-- 
- Harald Welte <laforge@netfilter.org>             http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

[-- Attachment #1.2: changes-iptables-1.2.9rc1.txt --]
[-- Type: text/plain, Size: 1931 bytes --]

iptables v1.2.9rc1 Changelog
======================================================================
This version requires kernel >= 2.4.4
This version recommends kernel >= 2.4.18

Bugs Fixed from 1.2.8:

- ip(6)tables-save/restore: fix memory leaks
	[ Harald Welte, Martin Josefsson ]
- ip6tables: fix printout of odd length netmasks
	[ Mikko Markus Torni ]
- condition match: fix iptables-save
	[ Stephane Ouellette ]
- fuzzy match: fix ip(6)tables-save
	[ Hime Aguiar e Oliveira Jr. ]
- mac match: fix ip(6)tables-save if used inverted (!)
	[ David Zambonini, Martin Josefsson ]
- ip6tables udp match: check for invalid port ranges
	[ Thomas Poehnitz ]
- LOG target: fix iptables-save (save loglevel numerically)
	[ Thomas Woerner ]
- mport match: fix iptables-save (save numerically)
	[ Thomas Woerner ]
- libipq: fix ipq_id_t definition on 'real' 64bit/64bit architectures
	[ Ryan Veety ]
- libip6tc: fix ipv6_prefix_length endianness bugs
	[ Mikko Markus Torni ]

Changes from 1.2.8:

- build plugins for connlimit, iprange, realm, CLASSIFY, CONNMARK, NETMAP
	[ Harald Welte ]
- libip(6)tc: Speedup due to incremental chain cache updates
	[ Harald Welte ]
- recent match: Update to version 0.3.1 that was submitted to the kernel
	[ Stephen Frost ]
- physdev match: add --physdev-is-{in,out,bridge} option
	[ Bart de Schuymer ]
- REJECT target: add support for ICMP administratively prohibited 
	[ Maciej Soltysiak ]
- conntrack match: add support for CONFIRMED / unconfirmed state
	[ Harald Welte ]
- ROUTE target: new option: continue traversal
	[ Cedric de Launois ]
- various cosmetic cleanups
	[ Stephane Ouellette ]
- iptables/libiptc: add support for the new 'raw' table
	[ Jozsef Kadlecsik ]

Please note: Since version 1.2.7a, patch-o-matic is now no longer part of
iptables but rather distributed as a separate package
(ftp://ftp.netfilter.org/pub/patch-o-matic/)



* Re: [ANNOUNCE] Release of iptables-1.2.9rc1
  2003-10-07 21:56 [ANNOUNCE] Release of iptables-1.2.9rc1 Netfilter Core Team
@ 2003-10-07 23:48 ` Juan Carlos Castro y Castro
  2003-10-08  8:57   ` Harald Welte
  2003-10-14 11:50   ` Augmenting conntrack Scott MacKay
  0 siblings, 2 replies; 6+ messages in thread
From: Juan Carlos Castro y Castro @ 2003-10-07 23:48 UTC (permalink / raw)
  To: Netfilter Development Mailinglist

No more anonymous CVS access for p-o-m? :(

Netfilter Core Team wrote:

>Please note: Since version 1.2.7a, patch-o-matic is now no longer part of
>iptables but rather distributed as a separate package
>(ftp://ftp.netfilter.org/pub/patch-o-matic/)
>  
>


* Re: [ANNOUNCE] Release of iptables-1.2.9rc1
  2003-10-07 23:48 ` Juan Carlos Castro y Castro
@ 2003-10-08  8:57   ` Harald Welte
  2003-10-14 11:50   ` Augmenting conntrack Scott MacKay
  1 sibling, 0 replies; 6+ messages in thread
From: Harald Welte @ 2003-10-08  8:57 UTC (permalink / raw)
  To: Juan Carlos Castro y Castro; +Cc: Netfilter Development Mailinglist


On Tue, Oct 07, 2003 at 08:48:26PM -0300, Juan Carlos Castro y Castro wrote:
> No more anonymous CVS access for p-o-m? :(

of course, anoncvs has even more than just iptables and patch-o-matic,
it has the homepage, the netfilter-extensions repository, documentation,
testsuite, ...

patch-o-matic is just no longer part of the iptables-*.tar.bz2 package.

-- 
- Harald Welte <laforge@netfilter.org>             http://www.netfilter.org/

* Augmenting conntrack
  2003-10-07 23:48 ` Juan Carlos Castro y Castro
  2003-10-08  8:57   ` Harald Welte
@ 2003-10-14 11:50   ` Scott MacKay
  2003-10-15 10:09     ` Harald Welte
  1 sibling, 1 reply; 6+ messages in thread
From: Scott MacKay @ 2003-10-14 11:50 UTC (permalink / raw)
  To: Netfilter Development Mailinglist

Hello, 

I have been playing around with the QUEUE target of
iptables, mainly looking at simple packet mangling.  I
have been able to hunt thru code thanks to help from
the list, but think I may still have an issue to
resolve.

I want to perform some simple packet content
manipulation for TCP data, using the QUEUE interface
(since I so far have not done any kernel level
programming).  From a simple approach, I want to
mangle traffic going out a specific port on machine A
and de-mangle it when it comes in a specific port on
machine B.  My mangling only occurs on the payload of
TCP packets, not on the header so all the routing and
stuff should be OK.  I was planning to insert it into
PREROUTING (to catch it coming in) and POSTROUTING (to
catch it going out) on the interface.  
My current concern is connection tracking, mainly
because I believe NAT uses conntrack information. 
Looking at NF_IP_PRI values, it looks like CONNTRACK
may be called before I can de-mangle which I would
think can cause problems.
The only things I can think of which might work would
be to change the NF_IP_PRI_CONNTRACK value to be
higher than MANGLE (ugly, doubt it would work), alter
the conntrack module to de-mangle what it sees so it
can establish connection tracking OK (also ugly and
not sure where I would start), or maybe a conntrack
helper module (saw amanda did this, was not sure if I
could specify a fairly wide criteria).  
I was wondering, are there any thoughts on how to best
proceed or even on documentation that would help me
understand the netfilter & conntrack mechanism better?

* Re: Augmenting conntrack
  2003-10-14 11:50   ` Augmenting conntrack Scott MacKay
@ 2003-10-15 10:09     ` Harald Welte
  2003-10-15 12:27       ` Scott MacKay
  0 siblings, 1 reply; 6+ messages in thread
From: Harald Welte @ 2003-10-15 10:09 UTC (permalink / raw)
  To: Scott MacKay; +Cc: Netfilter Development Mailinglist


On Tue, Oct 14, 2003 at 04:50:26AM -0700, Scott MacKay wrote:
> The only things I can think of which might work would
> be to change the NF_IP_PRI_CONNTRACK value to be
> higher than MANGLE (ugly, doubt it would work), alter
> the conntrack module to de-mangle what it sees so it
> can establish connection tracking OK (also ugly and
> not sure where I would start), or maybe a conntrack
> helper module (saw amanda did this, was not sure if I
> could specify a fairly wide criteria).  

or put your queue rule into PREROUTING of the 'raw' table (see
patch-o-matic).

-- 
- Harald Welte <laforge@netfilter.org>             http://www.netfilter.org/
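The ordering problem raised in this exchange, and why a rule in the 'raw' table avoids it, as a simplified user-space model (an added example, not netfilter code and not from either poster). The XOR transform, the sample payload and all function names are hypothetical; the numeric priorities are those in the mainline kernel's linux/netfilter_ipv4.h.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hook priorities as in mainline linux/netfilter_ipv4.h. */
enum { PRI_RAW = -300, PRI_CONNTRACK = -200, PRI_MANGLE = -150 };

struct pkt { unsigned char payload[16]; size_t len; };
struct hook { int prio; void (*fn)(struct pkt *); };
static unsigned char seen_by_conntrack[16];  /* bytes conntrack inspected */

/* Hypothetical reversible transform standing in for the poster's mangling. */
static void xor_payload(struct pkt *p)
{
    for (size_t i = 0; i < p->len; i++) p->payload[i] ^= 0x5a;
}

/* Stand-in for conntrack: records the payload it would parse. */
static void conntrack_hook(struct pkt *p)
{
    memcpy(seen_by_conntrack, p->payload, p->len);
}

static int by_prio(const void *a, const void *b)
{
    const struct hook *x = a, *y = b;
    return (x->prio > y->prio) - (x->prio < y->prio);
}

/* Model PREROUTING with the de-mangling QUEUE rule in a table hooked at
 * queue_prio; returns 1 if conntrack saw the original cleartext. */
int conntrack_sees_cleartext(int queue_prio)
{
    const char *clear = "PORT 10,0,0,1";      /* constructed sample payload */
    struct pkt p = { .len = strlen(clear) };
    struct hook hooks[] = {
        { PRI_CONNTRACK, conntrack_hook },
        { queue_prio,    xor_payload },       /* userspace de-mangle via QUEUE */
    };
    memcpy(p.payload, clear, p.len);
    xor_payload(&p);                          /* arrives mangled by machine A */
    qsort(hooks, 2, sizeof hooks[0], by_prio); /* lower priority runs first */
    for (size_t i = 0; i < 2; i++) hooks[i].fn(&p);
    return memcmp(seen_by_conntrack, clear, p.len) == 0;
}

int main(void)
{
    printf("mangle: %d  raw: %d\n", conntrack_sees_cleartext(PRI_MANGLE),
           conntrack_sees_cleartext(PRI_RAW));
    return 0;
}
```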

* Re: Augmenting conntrack
  2003-10-15 10:09     ` Harald Welte
@ 2003-10-15 12:27       ` Scott MacKay
  0 siblings, 0 replies; 6+ messages in thread
From: Scott MacKay @ 2003-10-15 12:27 UTC (permalink / raw)
  To: netfilter-devel

aaah, I forgot about the raw table.  I think I tried
using that a bit back but had performance issues.  The
issues probably were unrelated to the raw table, I
would guess.  I will go and try that again first. 
Thanks!

--- Harald Welte <laforge@netfilter.org> wrote:
> On Tue, Oct 14, 2003 at 04:50:26AM -0700, Scott MacKay wrote:
> > The only things I can think of which might work would
> > be to change the NF_IP_PRI_CONNTRACK value to be
> > higher than MANGLE (ugly, doubt it would work), alter
> > the conntrack module to de-mangle what it sees so it
> > can establish connection tracking OK (also ugly and
> > not sure where I would start), or maybe a conntrack
> > helper module (saw amanda did this, was not sure if I
> > could specify a fairly wide criteria).
>
> or put your queue rule into PREROUTING of the 'raw' table (see
> patch-o-matic).

