* [ANNOUNCE]: Release of iptables-1.4.11
@ 2011-05-26 16:53 ` Patrick McHardy
0 siblings, 0 replies; 19+ messages in thread
From: Patrick McHardy @ 2011-05-26 16:53 UTC (permalink / raw)
To: Netfilter Development Mailinglist, NetDev, netfilter-announce,
'netfilter@vger.kernel.org'
[-- Attachment #1: Type: text/plain, Size: 1096 bytes --]
The netfilter coreteam presents:
iptables version 1.4.10
the iptables release for the 2.6.39 kernels. Due to some mistakes
on my side we didn't have a release for longer than expected, so
this contains a rather large number of changes.
Changes include:
- various bugfixes, cleanups and documentation updates
- a new "guided option parser" from Jan, replacing a lot of the
open-coded option parsing by a data driven parser
- support for the current SET target as contained in 2.6.39
- support for the new devgroup match
- support for the new AUDIT target
- support for a new NFQUEUE bypass option, allowing to bypass the
queue if no userspace listener is present
- a new iptables option "-C" to check for existence of a rule
- a new xtables-multi binary which supports both IPv4 and IPv6
See the attached changelogs for the full list of changes.
Version 1.4.11 can be obtained from:
http://www.netfilter.org/projects/iptables/downloads.html
ftp://ftp.netfilter.org/pub/iptables/
git://git.netfilter.org/iptables.git
On behalf of the Netfilter Core Team.
Happy firewalling!
[-- Attachment #2: changes-iptables-1.4.11.txt --]
[-- Type: text/plain, Size: 14922 bytes --]
Changli Gao (1):
iptables: fix the dead loop when meeting unknown options
Florian Westphal (3):
libxt_conntrack: fix --ctdir save/dump output format
libxt_time: fix random --datestart skips
extensions: libxt_NFQUEUE: add v2 revision with --queue-bypass option
JP Abgrall (1):
libxt_quota: make sure uint64 is not truncated
Jan Engelhardt (218):
libxtables: change option precedence order to be intuitive
libxt_TOS: avoid an undesired overflowing computation
iptables: fix longopt reecognition and workaround getopt(3) behavior
Revert "Revert "libxtables: change option precedence order to be intuitive""
Merge branch 'master' of git://dev.medozas.de/iptables into m2
iptables: reset options at the start of each command
iptables: do not emit orig_opts twice
include: update files with headers from Linux 2.6.37-rc1
TPROXY: add support for revision 1
socket: add support for revision 1
build: fix globbing of extensions in other locales
libxt_owner: output numeric IDs when save is requested
Merge commit 'v1.4.10'
build: stop on error in subcommand
src: const annotations
xt_comment: remove redundant cast
src: use C99/POSIX types
iptables: abort on empty interface specification
xtables: reorder num_old substraction for clarity
ip[6]tables: only call match's parse function when option char is in range
ip[6]tables: only call target's parse function when option char is in range
extensions: remove no longer necessary default: cases
libxt_sctp: fix a typo
libipt_CLUSTERIP: const annotations
libxtables: do some option structure checking
libxt_quota: print negation when it has been selected
libxt_connlimit: reword help text to say prefix length
libxt_connlimit: add a --connlimit-upto option
libxt_connlimit: support for dstaddr-supporting revision 1
libxt_connlimit: remove duplicate member that caused size change
libxt_quota: clarifications on matching
iptables: improve error reporting with extension loading troubles
libxt_u32: enclose argument in quotes
xtables: set custom opts to NULL on free
iptables: warn when parameter limit is exceeded
iptables: remove bogus address-of
iptables: remove more redundant casts
iptables: do not print trailing whitespaces
src: collect do_command variables in a struct
src: move large default: block from do_command6 into its own function
src: share iptables_command_state across the two programs
src: deduplicate find_proto function
src: move OPT_FRAGMENT to the end so the list can be shared
src: put shared option flags into xshared
src: deduplicate and simplify implicit protocol extension loading
src: unclutter command_default function
src: move jump option handling from do_command6 into its own function
src: move match option handling from do_command6 into its own functions
iptables: fix error message for unknown options
iptables: fix segfault target option parsing
ip6tables: spacing fixes for -o argument
libxt_devgroup: option whitespace update following v1.4.10-49-g7386635
extensions: fix indent of vtable
doc: fix wrong sentence about negation in xt_limit
doc: fix misspelling of "field"
extensions: remove redundant init functions
Remove unused CVS expanded keywords
libip6t_dst: remove unimplemented --dst-not-strict
libip6t_hbh: remove unimplemented --hbh-not-strict
extensions: add missing checks for specific flags
libipt_ECN: set proper option flags
doc: mention other possible nf_loggers for TRACE
doc: fix odd partial sentence in libipt_TTL
libxt_quota: require --quota to be specified
doc: rateest options can be optional
libxtables: fix memory scribble beyond end of array
iptables: fix an inversion
doc: add VERSION section to manpages
extensions: add missing checks for specific flags (2)
libxtables: guided option parser
libxt_CHECKSUM: use guided option parser
libxt_socket: use guided option parser
libxtables: provide better final_check
libxt_CONNSECMARK: use guided option parser
libxtables: XTTYPE_UINT32 support
libxt_cpu: use guided option parser
libxtables: min-max option support
libxt_cluster: use guided option parser
libxtables: XTTYPE_UINT8 support
libip[6]t_HL: use guided option parser
libip[6]t_hl: use guided option parser
libxtables: XTTYPE_UINT32RC support
libip[6]t_ah: use guided option parser
libip6t_frag: use guided option parser
libxt_esp: use guided option parser
libxtables: XTTYPE_STRING support
libip[6]t_REJECT: use guided option parser
libip6t_dst: use guided option parser
libip6t_hbh: use guided option parser
libip[6]t_icmp: use guided option parser
libip6t_ipv6header: use guided option parser
libipt_ECN: use guided option parser
libipt_addrtype: use guided option parser
libxt_AUDIT: use guided option parser
libxt_CLASSIFY: use guided option parser
libxt_DSCP: use guided option parser
libxt_LED: use guided option parser
libxt_SECMARK: use guided option parser
libxt_TCPOPTSTRIP: use guided option parser
libxt_comment: use guided option parser
libxt_helper: use guided option parser
libxt_physdev: use guided option parser
libxt_pkttype: use guided option parser
libxt_state: use guided option parser
libxt_time: use guided option parser
libxt_u32: use guided option parser
doc: avoid duplicate entries in manpage
libxtables: XTTYPE_MARKMASK32 support
libxt_MARK: use guided option parser
libxt_CONNMARK: use guided option parser
libxtables: XTTYPE_UINT64 support
libxt_quota: use guided option parser
libxtables: linked-list name<->id map
libxt_devgroup: use guided option parser
libipt_realm: use guided option parser
libxtables: XTTYPE_UINT16RC support
libxt_length: use guided option parser
libxt_tcpmss: use guided option parser
libxtables: XTTYPE_UINT8RC support
libxtables: XTTYPE_UINT64RC support
libxt_connbytes: use guided option parser
libxtables: XTTYPE_UINT16 support
libxt_CT: use guided option parser
libxt_NFQUEUE: use guided option parser
libxt_TCPMSS: use guided option parser
libxtables: pass struct xt_entry_{match,target} to x6 parser
libxt_string: use guided option parser
libxtables: XTTYPE_SYSLOGLEVEL support
libip[6]t_LOG: use guided option parser
libxtables: XTTYPE_ONEHOST support
libxtables: XTTYPE_PORT support
libxt_TPROXY: use guided option parser
libipt_ULOG: use guided option parser
build: bump libxtables ABI version
libxt_TEE: use guided option parser
xtoptions: respect return value in xtables_getportbyname
libxt_TOS: use guided option parser
libxt_tos: use guided option parser
extensions: remove unused TOS code
libxtables: XTTYPE_PORTRC support
libxt_udp: use guided option parser
libxt_dccp: use guided option parser
libxt_tos: add inversion support back again
libxtables: fix assignment in wrong offset (XTTYPE_UINT*RC)
libxt_u32: add missing call to xtables_option_parse
extensions: remove bogus use of XT_GETOPT_TABLEEND
libxt_owner: remove ifdef IPT_COMM_OWNER
libxtables: output name of extension on rev detect failure
extensions: const annotations
libxt_statistic: streamline and document possible placement of negation
libxt_statistic: increase precision on create and dump
libxtables: XTTYPE_DOUBLE support
libxt_statistic: use guided option parser
libxt_IDLETIMER: use guided option parser
libxt_NFLOG: use guided option parser
libxtables: support for XTTYPE_PLENMASK
libxt_connlimit: use guided option parser
libxt_recent: use guided option parser
libxtables: do not overlay addr and mask parts, and cleanup
libxtables: flag invalid uses of XTOPT_PUT
libxtables: XTTYPE_PLEN support
libxt_hashlimit: use guided option parser
libxtables: XTTYPE_HOSTMASK support
libxt_policy: use guided option parser
libxt_owner: use guided option parser
libxt_osf: use guided option parser
libxt_multiport: use guided option parser
libipt_NETMAP: use guided option parser
libxt_limit: use guided option parser
libxtables: XTTYPE_PROTOCOL support
libxt_ipvs: use guided option parser
doc: S/DNAT allows to omit IP addresses
libxt_conntrack: use guided option parser
libip6t_mh: use guided option parser
libip6t_rt: use guided option parser
libxtables: XTTYPE_ETHERMAC support
libxt_mac: use guided option parser
libipt_CLUSTERIP: use guided option parser
libxt_iprange: use guided option parser
libipt_DNAT: use guided option parser
libipt_SNAT: use guided option parser
libipt_MASQUERADE: use guided option parser
libipt_REDIRECT: use guided option parser
libipt_SAME: use guided option parser
src: replace old IP*T_ALIGN macros
src: combine default_command functions
libxt_policy: option table fixes, improved error tracking
libxtables: avoid running into .also checks when option not used
libxt_policy: use XTTYPE_PROTOCOL type
libxtables: collapse double protocol parsing
libipt_[SD]NAT: flag up module name on error
libipt_[SD]NAT: avoid false error about multiple destinations specified
libxt_conntrack: correct printed module name
libxt_conntrack: fix assignment to wrong member
libxt_conntrack: resolve erroneous rev-2 port range message
libip6t_rt: rt-0-not-strict should take no arg
libxtables: retract _NE types and use a flag instead
libxt_quota: readd missing XTOPT_PUT request
libxtables: check for negative numbers in xtables_strtou*
libxt_rateest: streamline case display of units
doc: add some coded option examples to libxt_hashlimit
doc: make usage of libxt_rateest more obvious
doc: clarify that -p all is a special keyword only
doc: use .IP list for TCPMSS
doc: remove redundant .IP calls in libxt_time
libxt_ipvs: restore network-byte order
libxt_u32: --u32 option is required
libip6t_rt: restore --rt-type storing
libxtables: more detailed error message on multi-int parsing
libxtables: use uintmax for xtables_strtoul
libxtables: make multiint parser have greater range
libxtables: unclutter xtopt_parse_mint
libxtables: have xtopt_parse_mint interpret partially-spec'd ranges
libxt_NFQUEUE: avoid double attempt at parsing
libxt_NFQUEUE: add mutual exclusion between qnum and qbal
libxt_time: always ignore libc timezone
libxt_time: --utc and --localtz are mutually exclusive
libxt_time: deprecate --localtz option, document kernel TZ caveats
Jozsef Kadlecsik (3):
Fix listing/saving the new revision of the SET target
Fix set match/target direction parser
SET target revision 2 added
Li Yewang (1):
xtables: fix typo in error message of xtables_register_match()
Lutz Jaenicke (2):
libipt_REDIRECT: "--to-ports" is not mandatory
libxt_devgroup: actually set XT_DEVGROUP_OPT_???GROUP flags
Maciej Zenczykowski (20):
man pages: allow underscores in match and target names
mark newly opened fds as FD_CLOEXEC (close on exec)
xtables_ip6addr_to_numeric: fix typo in comment
xtables: delay (statically built) match/target initialization
v4: rename init_extensions() to init_extensions4()
v6: rename init_extensions() to init_extensions6()
xtables.h: init_extensions() no longer exists
v4: rename for_each_chain() to for_each_chain4()
v6: rename for_each_chain() to for_each_chain6()
v4: rename flush_entries() to flush_entries4()
v6: rename flush_entries() to flush_entries6()
v4: rename delete_chain() to delete_chain4()
v6: rename delete_chain() to delete_chain6()
v4: rename print_rule() to print_rule4()
v6: rename print_rule() to print_rule6()
v4: rename do_command() to do_command4()
v6: rename do_command() to do_command6()
move 'int line' definition from ip6?tables.c into xtables.c
convert ip6?tables-multi to actually use their own header files
Don't load ip6?_tables module when already loaded
Maciej Żenczykowski (3):
Add --ipv4/-4 and --ipv6/-6 support to ip6?tables{,-restore}.
Move common parts of libext{4,6}.a into libext.a
combine ip6?tables-multi into xtables-multi
Mark Montague (1):
iptables: documentation for iptables and ip6tables "security" tables
Max Kellerman (1):
xtables: use strspn() to check if string needs to be quoted
Pablo Neira Ayuso (1):
libxt_cluster: fix inversion in the cluster match
Patrick McHardy (16):
Revert "libxtables: change option precedence order to be intuitive"
Merge branch 'master' of git://dev.medozas.de/iptables
extensions: libxt_conntrack: add support for specifying port ranges
extensions: add extension for devgroup match
Merge branch 'master' of git://dev.medozas.de/iptables
Merge branch 'master' of vishnu.netfilter.org:/data/git/iptables
Merge branch 'opts' of git://dev.medozas.de/iptables
Merge branch 'opts' of git://dev.medozas.de/iptables
Merge branch 'floating/opts' of git://dev.medozas.de/iptables
Merge branch 'opts' of git://dev.medozas.de/iptables
Merge branch 'opts' of git://dev.medozas.de/iptables
Merge branch 'master' of git://dev.medozas.de/iptables
Merge branch 'opts' of git://dev.medozas.de/iptables
Merge branch 'floating/opts' of git://dev.medozas.de/iptables
Merge branch 'master' of git://dev.medozas.de/iptables
Bump version to 1.4.11
Rob Leslie (1):
iptables-restore: resolve confusing policy error message
Stefan Tomanek (2):
ip(6)tables-multi: unify subcommand handling
iptables: add -C to check for existing rules
Stephen Beahm (1):
libipt_REDIRECT: avoid dereference of uninitialized pointer
Thomas Graf (2):
libxt_AUDIT: add AUDIT target
iptables: add manual page section for AUDIT target
Wes Campaigne (4):
libxtables: avoid confusing use of ai_protocol=IPPROTO_IPV6
xtables: fix excessive memory allocation in host_to_ipaddr
xtables: fix the broken detection/removal of redundant addresses
xtables: use all IPv6 addresses resolved from a hostname
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [ANNOUNCE]: Release of iptables-1.4.11
2011-05-26 16:53 ` Patrick McHardy
(?)
@ 2011-05-26 17:04 ` Patrick McHardy
2011-05-26 20:00 ` Lutz Jaenicke
2011-05-27 7:52 ` Arkadiusz Miskiewicz
-1 siblings, 2 replies; 19+ messages in thread
From: Patrick McHardy @ 2011-05-26 17:04 UTC (permalink / raw)
To: Netfilter Development Mailinglist, NetDev, netfilter-announce,
'netfilter@vger.kernel.org'
On 26.05.2011 18:53, Patrick McHardy wrote:
> The netfilter coreteam presents:
>
> iptables version 1.4.10
That's supposed to read 1.4.11 of course :)
>
> the iptables release for the 2.6.39 kernels. Due to some mistakes
> on my side we didn't have a release for longer than expected, so
> this contains a rather large number of changes.
>
> Changes include:
>
> - various bugfixes, cleanups and documentation updates
>
> - a new "guided option parser" from Jan, replacing a lot of the
> open-coded option parsing by a data driven parser
>
> - support for the current SET target as contained in 2.6.39
>
> - support for the new devgroup match
>
> - support for the new AUDIT target
>
> - support for a new NFQUEUE bypass option, allowing to bypass the
> queue if no userspace listener is present
>
> - a new iptables option "-C" to check for existence of a rule
>
> - a new xtables-multi binary which supports both IPv4 and IPv6
>
> See the attached changelogs for the full list of changes.
>
> Version 1.4.11 can be obtained from:
>
> http://www.netfilter.org/projects/iptables/downloads.html
> ftp://ftp.netfilter.org/pub/iptables/
> git://git.netfilter.org/iptables.git
>
> On behalf of the Netfilter Core Team.
> Happy firewalling!
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [ANNOUNCE]: Release of iptables-1.4.11
2011-05-26 16:53 ` Patrick McHardy
` (2 preceding siblings ...)
(?)
@ 2011-05-26 18:28 ` Eric Dumazet
2011-05-26 20:16 ` Jan Engelhardt
2011-05-27 7:40 ` Maciej Żenczykowski
-1 siblings, 2 replies; 19+ messages in thread
From: Eric Dumazet @ 2011-05-26 18:28 UTC (permalink / raw)
To: Patrick McHardy
Cc: Netfilter Development Mailinglist, NetDev, netfilter-announce,
'netfilter@vger.kernel.org'
On Thursday, 26 May 2011 at 18:53 +0200, Patrick McHardy wrote:
> The netfilter coreteam presents:
>
> iptables version 1.4.10
>
> the iptables release for the 2.6.39 kernels. Due to some mistakes
> on my side we didn't have a release for longer than expected, so
> this contains a rather large number of changes.
>
> Changes include:
>
...
> - a new iptables option "-C" to check for existence of a rule
Nice, but this still loads modules...
# lsmod | grep ipta
# ./iptables -C INPUT -p tcp
iptables: Bad rule (does a matching rule exist in that chain?).
# lsmod | grep ipta
iptable_filter 1730 0
ip_tables 15958 1 iptable_filter
x_tables 22998 3 iptable_filter,ip_tables,xt_tcpudp
* Re: [ANNOUNCE]: Release of iptables-1.4.11
From: Lutz Jaenicke @ 2011-05-26 20:00 UTC (permalink / raw)
To: Netfilter Development Mailinglist
On Thu, May 26, 2011 at 07:04:20PM +0200, Patrick McHardy wrote:
> On 26.05.2011 18:53, Patrick McHardy wrote:
> > The netfilter coreteam presents:
> >
> > iptables version 1.4.10
>
> That's supposed to read 1.4.11 of course :)
Hmm. For reasons I do not (yet?) understand I do not get the
tag with "git pull" and configure.ac stays at 1.4.10 in
"master".
What am I doing wrong?
Best regards,
Lutz
--
Dr.-Ing. Lutz Jänicke
CTO
Innominate Security Technologies AG /protecting industrial networks/
tel: +49.30.921028-200
fax: +49.30.921028-020
Rudower Chaussee 13
D-12489 Berlin, Germany
www.innominate.com
Register Court: AG Charlottenburg, HR B 81603
Management Board: Dirk Seewald
Chairman of the Supervisory Board: Volker Bibelhausen
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
* Re: [ANNOUNCE]: Release of iptables-1.4.11
From: Jan Engelhardt @ 2011-05-26 20:10 UTC (permalink / raw)
To: Lutz Jaenicke; +Cc: Netfilter Development Mailinglist
On Thursday 2011-05-26 22:00, Lutz Jaenicke wrote:
>On Thu, May 26, 2011 at 07:04:20PM +0200, Patrick McHardy wrote:
>> On 26.05.2011 18:53, Patrick McHardy wrote:
>> > The netfilter coreteam presents:
>> >
>> > iptables version 1.4.10
>>
>> That's supposed to read 1.4.11 of course :)
>
>Hmm. For reasons I do not (yet?) understand I do not get the
>tag with "git pull" and configure.ac stays at 1.4.10 in
>"master".
>
>What am I doing wrong?
That there is no tag, or even a commit a potential tag could refer to.
Someone must have forgotten to push.
* Re: [ANNOUNCE]: Release of iptables-1.4.11
From: Jan Engelhardt @ 2011-05-26 20:16 UTC (permalink / raw)
To: Eric Dumazet
Cc: Patrick McHardy, Netfilter Development Mailinglist, NetDev,
netfilter-announce, 'netfilter@vger.kernel.org'
On Thursday 2011-05-26 20:28, Eric Dumazet wrote:
>On Thursday, 26 May 2011 at 18:53 +0200, Patrick McHardy wrote:
>> The netfilter coreteam presents:
>>
>> iptables version 1.4.10
>>
>> the iptables release for the 2.6.39 kernels. Due to some mistakes
>> on my side we didn't have a release for longer than expected, so
>> this contains a rather large number of changes.
>>
>> Changes include:
>>
>
>...
>> - a new iptables option "-C" to check for existence of a rule
>
>Nice, but this still loads modules...
So does iptables -S (and -L). :)
* Re: [ANNOUNCE]: Release of iptables-1.4.11
From: Maciej Żenczykowski @ 2011-05-27 7:40 UTC (permalink / raw)
To: Eric Dumazet
Cc: Patrick McHardy, Netfilter Development Mailinglist, NetDev,
netfilter-announce, netfilter
you could try with -M '' (or something like that) if you want to
prevent even xtables from being loaded.
Although that will probably still not prevent iptable_filter from
being loaded if ip_tables is already loaded...
On Thu, May 26, 2011 at 20:28, Eric Dumazet <eric.dumazet@gmail.com> wrote:
> On Thursday, 26 May 2011 at 18:53 +0200, Patrick McHardy wrote:
>> The netfilter coreteam presents:
>>
>> iptables version 1.4.10
>>
>> the iptables release for the 2.6.39 kernels. Due to some mistakes
>> on my side we didn't have a release for longer than expected, so
>> this contains a rather large number of changes.
>>
>> Changes include:
>>
>
> ...
>> - a new iptables option "-C" to check for existence of a rule
>
> Nice, but this still loads modules...
>
> # lsmod | grep ipta
> # ./iptables -C INPUT -p tcp
> iptables: Bad rule (does a matching rule exist in that chain?).
> # lsmod | grep ipta
> iptable_filter 1730 0
> ip_tables 15958 1 iptable_filter
> x_tables 22998 3 iptable_filter,ip_tables,xt_tcpudp
* Re: [ANNOUNCE]: Release of iptables-1.4.11
From: Arkadiusz Miskiewicz @ 2011-05-27 7:52 UTC (permalink / raw)
To: shemminger; +Cc: Netfilter Development Mailinglist, NetDev
On Thursday 26 of May 2011, Patrick McHardy wrote:
> On 26.05.2011 18:53, Patrick McHardy wrote:
> > The netfilter coreteam presents:
> > iptables version 1.4.10
>
> That's supposed to read 1.4.11 of course :)
Too bad it breaks iproute2 build, hope to see fixed iproute2 release then
gcc -D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES -DLIBDIR=\"/usr/lib/\" -DCONFIG_GACT -DCONFIG_GACT_PROB -DIPT_LIB_DIR=\"/usr/lib64/xtables\" -Wl,-export-dynamic -shared -fpic -o q_atm.so q_atm.c -latm
gcc -D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES -DLIBDIR=\"/usr/lib/\" -DCONFIG_GACT -DCONFIG_GACT_PROB -DIPT_LIB_DIR=\"/usr/lib64/xtables\" -Wl,-export-dynamic -shared -fpic -o m_xt.so m_xt.c -lxtables
m_xt.c: In function ‘parse_ipt’:
m_xt.c:167:31: warning: passing argument 2 of ‘xtables_merge_options’ discards ‘const’ qualifier from pointer target type [enabled by default]
/usr/include/xtables.h:395:23: note: expected ‘struct option *’ but argument is of type ‘const struct option *’
m_xt.c:167:31: warning: passing argument 3 of ‘xtables_merge_options’ from incompatible pointer type [enabled by default]
/usr/include/xtables.h:395:23: note: expected ‘const struct option *’ but argument is of type ‘unsigned int *’
m_xt.c:167:31: error: too few arguments to function ‘xtables_merge_options’
/usr/include/xtables.h:395:23: note: declared here
m_xt.c:127:6: warning: variable ‘res’ set but not used [-Wunused-but-set-variable]
m_xt.c: In function ‘print_ipt’:
m_xt.c:312:30: warning: passing argument 2 of ‘xtables_merge_options’ discards ‘const’ qualifier from pointer target type [enabled by default]
/usr/include/xtables.h:395:23: note: expected ‘struct option *’ but argument is of type ‘const struct option *’
m_xt.c:312:30: warning: passing argument 3 of ‘xtables_merge_options’ from incompatible pointer type [enabled by default]
/usr/include/xtables.h:395:23: note: expected ‘const struct option *’ but argument is of type ‘unsigned int *’
m_xt.c:312:30: error: too few arguments to function ‘xtables_merge_options’
/usr/include/xtables.h:395:23: note: declared here
make[1]: *** [m_xt.so] Błąd 1
rm emp_ematch.lex.c emp_ematch.yacc.c
--
Arkadiusz Miśkiewicz PLD/Linux Team
arekm / maven.pl http://ftp.pld-linux.org/
* Re: [ANNOUNCE]: Release of iptables-1.4.11
From: Lutz Jaenicke @ 2011-05-27 7:58 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Development Mailinglist
On Thu, May 26, 2011 at 10:10:36PM +0200, Jan Engelhardt wrote:
> On Thursday 2011-05-26 22:00, Lutz Jaenicke wrote:
>
> >On Thu, May 26, 2011 at 07:04:20PM +0200, Patrick McHardy wrote:
> >> On 26.05.2011 18:53, Patrick McHardy wrote:
> >> > The netfilter coreteam presents:
> >> >
> >> > iptables version 1.4.10
> >>
> >> That's supposed to read 1.4.11 of course :)
> >
> >Hmm. For reasons I do not (yet?) understand I do not get the
> >tag with "git pull" and configure.ac stays at 1.4.10 in
> >"master".
> >
> >What am I doing wrong?
>
> That there is no tag, or even a commit a potential tag could refer to.
> Someone must have forgotten to push.
Maybe. If I perform a "git clone" the tag is in the packed refs.
The tag itself (also see gitweb) includes the modification of config.ac
to reflect the bumped version number...
Best regards,
Lutz
* Re: [ANNOUNCE]: Release of iptables-1.4.11
From: Jan Engelhardt @ 2011-05-27 8:32 UTC (permalink / raw)
To: Lutz Jaenicke; +Cc: Netfilter Development Mailinglist
On Friday 2011-05-27 09:58, Lutz Jaenicke wrote:
>> >> That's supposed to read 1.4.11 of course :)
>> >
>> >Hmm. For reasons I do not (yet?) understand I do not get the
>> >tag with "git pull" and configure.ac stays at 1.4.10 in
>> >"master".
>> >
>> >What am I doing wrong?
>>
>> That there is no tag, or even a commit a potential tag could refer to.
>> Someone must have forgotten to push.
>
>Maybe. If I perform a "git clone" the tag is in the packed refs.
>The tag itself (also see gitweb) includes the modification of config.ac
>to reflect the bumped version number...
`git remote update` only requests the branch heads, and since the
v1.4.11 tag is not reachable through any branch (again - ugh), it does
not get downloaded.
`git fetch origin --tags` retrieves it, but of course that does not fix
the underlying problem that a tag should be reachable[*] through a head.
[*] Since ancient versions are out of focus, no heads are
usually provided for these (e.g. v1.4.9.1); the fact that v1.4.9 is
reachable is merely a side effect.
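
Added example (not part of Jan Engelhardt's message or of the netfilter project's tooling): the script below reproduces the situation described above in two throwaway repositories and shows that a tag no branch head can reach is skipped by `git pull`, arrives with `git fetch origin --tags`, and still fails a reachability check. The `demo` project, the repository layout and the tag name `v1.1` are constructed for the illustration.

```shell
#!/bin/sh
# Added example: a release tag that no branch head can reach.
# Everything here (repos, file contents, tag v1.1) is constructed.

# Keep git hermetic: ignore system/user config and use a fixed identity.
export GIT_CONFIG_NOSYSTEM=1 GIT_CONFIG_GLOBAL=/dev/null
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

# tag_present REPO TAG: succeeds if the tag ref exists in REPO.
tag_present() {
    git -C "$1" rev-parse -q --verify "refs/tags/$2" >/dev/null 2>&1
}

# tag_on_branch REPO TAG: succeeds if a local or remote-tracking branch
# contains the tagged commit, i.e. the tag is reachable through a head.
tag_on_branch() {
    [ -n "$(git -C "$1" for-each-ref --contains="refs/tags/$2" \
            refs/heads refs/remotes 2>/dev/null)" ]
}

demo_unreachable_tag() (
    set -e
    work=$(mktemp -d)
    up="$work/upstream"; dl="$work/downstream"

    # Upstream with one commit on master.
    git init -q "$up"
    git -C "$up" symbolic-ref HEAD refs/heads/master
    echo 'AC_INIT([demo], [1.0])' >"$up/configure.ac"
    git -C "$up" add configure.ac
    git -C "$up" commit -q -m 'demo 1.0'

    # Downstream clones before the release is cut.
    git clone -q "$up" "$dl" 2>/dev/null

    # Release: the version bump is committed on a detached HEAD and tagged,
    # but master is never moved to it.
    git -C "$up" checkout -q --detach
    echo 'AC_INIT([demo], [1.1])' >"$up/configure.ac"
    git -C "$up" commit -q -a -m 'demo 1.1'
    git -C "$up" tag v1.1
    git -C "$up" checkout -q master

    # A plain pull only follows tags on history it actually downloads.
    git -C "$dl" pull -q >/dev/null 2>&1
    if tag_present "$dl" v1.1; then after_pull=present; else after_pull=absent; fi

    # Asking for all tags retrieves it ...
    git -C "$dl" fetch -q origin --tags 2>/dev/null
    if tag_present "$dl" v1.1; then after_fetch=present; else after_fetch=absent; fi

    # ... but the tag is still not reachable through any head.
    if tag_on_branch "$dl" v1.1; then on_branch=yes; else on_branch=no; fi

    rm -rf "$work"
    echo "pull=$after_pull fetch_tags=$after_fetch on_branch=$on_branch"
)

demo_unreachable_tag
```

Run against a real checkout, `tag_on_branch` is the check a release script can make before announcing a version.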
* Re: [ANNOUNCE]: Release of iptables-1.4.11
From: Pablo Neira Ayuso @ 2011-05-27 11:55 UTC (permalink / raw)
To: Arkadiusz Miskiewicz
Cc: shemminger, Netfilter Development Mailinglist, NetDev
On 27/05/11 09:52, Arkadiusz Miskiewicz wrote:
> On Thursday 26 of May 2011, Patrick McHardy wrote:
>> On 26.05.2011 18:53, Patrick McHardy wrote:
>>> The netfilter coreteam presents:
>>> iptables version 1.4.10
>>
>> That's supposed to read 1.4.11 of course :)
>
> Too bad it breaks iproute2 build, hope to see fixed iproute2 release then
>
> gcc -D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES -DLIBDIR=\"/usr/lib/\" -DCONFIG_GACT -DCONFIG_GACT_PROB -DIPT_LIB_DIR=\"/usr/lib64/xtables\" -Wl,-export-dynamic -shared -fpic -o q_atm.so q_atm.c -latm
> gcc -D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES -DLIBDIR=\"/usr/lib/\" -DCONFIG_GACT -DCONFIG_GACT_PROB -DIPT_LIB_DIR=\"/usr/lib64/xtables\" -Wl,-export-dynamic -shared -fpic -o m_xt.so m_xt.c -lxtables
> m_xt.c: In function ‘parse_ipt’:
> m_xt.c:167:31: warning: passing argument 2 of ‘xtables_merge_options’ discards ‘const’ qualifier from pointer target type [enabled by default]
> /usr/include/xtables.h:395:23: note: expected ‘struct option *’ but argument is of type ‘const struct option *’
> m_xt.c:167:31: warning: passing argument 3 of ‘xtables_merge_options’ from incompatible pointer type [enabled by default]
> /usr/include/xtables.h:395:23: note: expected ‘const struct option *’ but argument is of type ‘unsigned int *’
> m_xt.c:167:31: error: too few arguments to function ‘xtables_merge_options’
> /usr/include/xtables.h:395:23: note: declared here
> m_xt.c:127:6: warning: variable ‘res’ set but not used [-Wunused-but-set-variable]
> m_xt.c: In function ‘print_ipt’:
> m_xt.c:312:30: warning: passing argument 2 of ‘xtables_merge_options’ discards ‘const’ qualifier from pointer target type [enabled by default]
> /usr/include/xtables.h:395:23: note: expected ‘struct option *’ but argument is of type ‘const struct option *’
> m_xt.c:312:30: warning: passing argument 3 of ‘xtables_merge_options’ from incompatible pointer type [enabled by default]
> /usr/include/xtables.h:395:23: note: expected ‘const struct option *’ but argument is of type ‘unsigned int *’
> m_xt.c:312:30: error: too few arguments to function ‘xtables_merge_options’
> /usr/include/xtables.h:395:23: note: declared here
> make[1]: *** [m_xt.so] Błąd 1
> rm emp_ematch.lex.c emp_ematch.yacc.c
Backward compatibility was broken in the following iptables commit:
From 600f38db82548a683775fd89b6e136673e924097 Mon Sep 17 00:00:00 2001
From: Jan Engelhardt <jengelh@medozas.de>
Date: Fri, 29 Oct 2010 18:57:42 +0200
Subject: [PATCH] libxtables: change option precedence order to be intuitive
* Re: [ANNOUNCE]: Release of iptables-1.4.11
From: Arkadiusz Miskiewicz @ 2011-05-30 9:05 UTC (permalink / raw)
To: Pablo Neira Ayuso, Netfilter Development Mailinglist; +Cc: NetDev
On Friday 27 of May 2011, Pablo Neira Ayuso wrote:
> On 27/05/11 09:52, Arkadiusz Miskiewicz wrote:
> > /usr/include/xtables.h:395:23: note: expected ‘const struct option *’ but argument is of type ‘unsigned int *’
> > m_xt.c:312:30: error: too few arguments to function ‘xtables_merge_options’
> > /usr/include/xtables.h:395:23: note: declared here
> > make[1]: *** [m_xt.so] Błąd 1
> > rm emp_ematch.lex.c emp_ematch.yacc.c
>
> Backward compatibility was broken in the following iptables commit:
>
> From 600f38db82548a683775fd89b6e136673e924097 Mon Sep 17 00:00:00 2001
> From: Jan Engelhardt <jengelh@medozas.de>
> Date: Fri, 29 Oct 2010 18:57:42 +0200
> Subject: [PATCH] libxtables: change option precedence order to be intuitive
Another bug seems to be in Makefile.am
for i in ${v4_bin_links}; do ${LN_S} -f "${sbindir}/iptables-multi" "${DESTDIR}${bindir}/$$i"; done;
for i in ${v4_sbin_links}; do ${LN_S} -f iptables-multi "${DESTDIR}${sbindir}/$$i"; done;
for i in ${v6_sbin_links}; do ${LN_S} -f ip6tables-multi "${DESTDIR}${sbindir}/$$i"; done;
These will point to nowhere since now there is xtables-multi only.
* Re: [ANNOUNCE]: Release of iptables-1.4.11
From: Jan Engelhardt @ 2011-05-30 10:18 UTC (permalink / raw)
To: Arkadiusz Miskiewicz
Cc: Pablo Neira Ayuso, Netfilter Development Mailinglist, NetDev
On Monday 2011-05-30 11:05, Arkadiusz Miskiewicz wrote:
>On Friday 27 of May 2011, Pablo Neira Ayuso wrote:
>> On 27/05/11 09:52, Arkadiusz Miskiewicz wrote:
>
>> > /usr/include/xtables.h:395:23: note: expected ‘const struct option *’ but argument is of type ‘unsigned int *’
>> > m_xt.c:312:30: error: too few arguments to function ‘xtables_merge_options’
>> > /usr/include/xtables.h:395:23: note: declared here
>> > make[1]: *** [m_xt.so] Błąd 1
>> > rm emp_ematch.lex.c emp_ematch.yacc.c
>>
>> Backward compatibility was broken in the following iptables commit:
>>
>> From 600f38db82548a683775fd89b6e136673e924097 Mon Sep 17 00:00:00 2001
>> From: Jan Engelhardt <jengelh@medozas.de>
>> Date: Fri, 29 Oct 2010 18:57:42 +0200
>> Subject: [PATCH] libxtables: change option precedence order to be intuitive
>
>Another bug seems to be in Makefile.am
>
> for i in ${v4_bin_links}; do ${LN_S} -f "${sbindir}/iptables-multi" "${DESTDIR}${bindir}/$$i"; done;
> for i in ${v4_sbin_links}; do ${LN_S} -f iptables-multi "${DESTDIR}${sbindir}/$$i"; done;
> for i in ${v6_sbin_links}; do ${LN_S} -f ip6tables-multi "${DESTDIR}${sbindir}/$$i"; done;
>
>These will point to nowhere since now there is xtables-multi only.
Patch created yesterday already; now sent out.
* iptables 1.4.11, cannot invert tcp flags
From: Olaf @ 2011-06-07 5:24 UTC (permalink / raw)
To: Netfilter Development Mailinglist
Hi all,
with 1.4.11 I can no longer invert --syn nor its equivalent --tcp-flags
SYN,RST,ACK,FIN SYN.
Both show up 'normal' (tcp flags:0x17/0x02) instead of 'inverted' (tcp
flags:!0x17/0x02) when listing rules.
Works fine when using 1.4.10 or older versions.
Is inverting of tcp flags no longer supported? iptables -p tcp -h still
shows [!] as possible option.
Thanks Olaf
* Re: iptables 1.4.11, cannot invert tcp flags
From: Patrick McHardy @ 2011-06-07 14:06 UTC (permalink / raw)
To: Olaf; +Cc: Netfilter Development Mailinglist, Jan Engelhardt
On 07.06.2011 07:24, Olaf wrote:
> Hi all,
>
>
> with 1.4.11 I can no longer invert --syn nor its equivalent --tcp-flags
> SYN,RST,ACK,FIN SYN.
> Both show up 'normal' (tcp flags:0x17/0x02) instead of 'inverted' (tcp
> flags:!0x17/0x02) when listing rules.
> Works fine when using 1.4.10 or older versions.
It works for me when using "-p tcp -m tcp ! --syn", but not when
using "-p tcp ! --syn", so I guess something is broken in command
parsing for implicitly loaded matches.
CCed Jan, who can probably help.
* Re: iptables 1.4.11, cannot invert tcp flags
From: Olaf @ 2011-06-07 21:22 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Development Mailinglist, Jan Engelhardt
On 2011-06-07 16:06, Patrick McHardy wrote:
>> with 1.4.11 I can no longer invert --syn nor its equivalent --tcp-flags
>> SYN,RST,ACK,FIN SYN.
>> Both show up 'normal' (tcp flags:0x17/0x02) instead of 'inverted' (tcp
>> flags:!0x17/0x02) when listing rules.
>> Works fine when using 1.4.10 or older versions.
>
> It works for me when using "-p tcp -m tcp ! --syn", but not when
> using "-p tcp ! --syn", so I guess something is broken in command
> parsing for implicitly loaded matches.
>
> CCed Jan, who can probably help.
Sure looks that way :-)
Thanks Jan!
Olaf
* Re: iptables 1.4.11, cannot invert tcp flags
To: Olaf; +Cc: Patrick McHardy, Netfilter Development Mailinglist
On Tuesday 2011-06-07 23:22, Olaf wrote:
> On 2011-06-07 16:06, Patrick McHardy wrote:
>
>>> with 1.4.11 I can no longer invert --syn nor its equivalent --tcp-flags
>>> SYN,RST,ACK,FIN SYN.
>>> Both show up 'normal' (tcp flags:0x17/0x02) instead of 'inverted' (tcp
>>> flags:!0x17/0x02) when listing rules.
>>> Works fine when using 1.4.10 or older versions.
>>
>> It works for me when using "-p tcp -m tcp ! --syn", but not when
>> using "-p tcp ! --syn", so I guess something is broken in command
>> parsing for implicitly loaded matches.
>>
>> CCed Jan, who can probably help.
>
> Sure looks that way :-)
Fixes sent in.
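
Added example (not part of the thread, and not iptables code): the listing notation from the report, `tcp flags:0x17/0x02` versus `tcp flags:!0x17/0x02`, decoded into flag names and evaluated against a few constructed packet flag bytes, to show which packets a rule catches when the `!` is silently dropped. It assumes the tcp match compares (packet flags AND mask) with the compare value and that `!` negates the result; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: what "tcp flags:[!]MASK/COMP" means for actual packets.
# Listing strings come from the report; packet flag bytes are constructed.

# flag_names 0x17 -> FIN,SYN,RST,ACK  (TCP header flag bits)
flag_names() (
    v=$(($1)); out=
    for pair in 1:FIN 2:SYN 4:RST 8:PSH 16:ACK 32:URG; do
        bit=${pair%%:*}; name=${pair#*:}
        if [ $((v & bit)) -ne 0 ]; then out="${out:+$out,}$name"; fi
    done
    echo "${out:-NONE}"
)

# parse_flags_field LISTING -> prints "<inv> <mask> <comp>", inv is 0 or 1.
parse_flags_field() (
    field=$(printf '%s\n' "$1" |
        sed -n 's|.*flags:\(!\{0,1\}0x[0-9A-Fa-f]*/0x[0-9A-Fa-f]*\).*|\1|p')
    [ -n "$field" ] || return 1
    case $field in
        '!'*) inv=1; field=${field#\!} ;;
        *)    inv=0 ;;
    esac
    echo "$inv ${field%/*} ${field#*/}"
)

# rule_matches LISTING PKTFLAGS: succeeds if a packet with that flag byte
# matches, assuming match = ((pkt & mask) == comp) XOR inverted.
rule_matches() (
    parsed=$(parse_flags_field "$1") || return 2
    set -- $parsed "$2"          # $1=inv $2=mask $3=comp $4=packet flags
    if [ $(( $4 & $2 )) -eq $(( $3 )) ]; then hit=1; else hit=0; fi
    [ $(( hit ^ $1 )) -eq 1 ]
)

# show_divergence INTENDED INSTALLED: one line per sample packet with the
# verdict of the rule that was asked for and of the rule that was installed.
show_divergence() (
    for pkt in 0x02 0x10 0x12 0x04; do    # SYN, ACK, SYN+ACK, RST
        if rule_matches "$1" "$pkt"; then a=match; else a=skip; fi
        if rule_matches "$2" "$pkt"; then b=match; else b=skip; fi
        echo "$(flag_names "$pkt") intended=$a installed=$b"
    done
)

# "! --syn" was requested, the non-inverted form was listed.
show_divergence 'tcp flags:!0x17/0x02' 'tcp flags:0x17/0x02'
```

Every sample packet gets the opposite verdict from the one intended, so comparing the listing against the requested rule after loading a ruleset is the check that catches this.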