Date:   Fri, 15 Jan 2021 23:28:57 +0100
From:   Phil Sutter <phil@...filter.org>
To:     netfilter@...r.kernel.org, netfilter-devel@...r.kernel.org
Cc:     netdev@...r.kernel.org, netfilter-announce@...ts.netfilter.org,
        lwn@....net
Subject: [ANNOUNCE] iptables 1.8.7 release

Hi!

The Netfilter project proudly presents:

iptables 1.8.7

This release contains the following fixes and enhancements:

iptables-nft:
- Improved performance when matching on IP/MAC address prefixes if the
  prefix is byte-aligned. In ideal cases, this doubles packet processing
  performance.
  *NOTE*: Older iptables versions will not recognize the mask and thus
          omit it when listing the ruleset.
- Dump user-defined chains in lexical order. This way ruleset dumps
  become stable and easily comparable.
- Avoid pointless table/chain creation. For instance, 'iptables-nft -L'
  no longer creates missing base-chains.

ebtables-nft:
- Renaming user-defined chains was entirely broken.

extensions:
- Code for printing and parsing of MAC addresses was consolidated
  internally, slightly reducing binary size. As a noticeable
  side-effect, all MAC addresses are now printed in lower-case (affects
  'mac'-extension).
- Fixed DCCP extension's match on 'INVALID' type, a meta-type which
  should match any type value in the range from ten to fifteen. In the
  past it matched on type value 10 only.

xtables-monitor:
- Don't print unrelated rules in the same chain when tracing.
- Flush output buffer after each rule when tracing to improve experience
  when redirecting output.
- Print the table's family when tracing instead of whatever the user
  specified on command line.
- Print the traced packet before the rule it traverses, not vice-versa.
- Recognize loopback interface and print "LOOPBACK" for link layer
  header info instead of "LL=0x304".

xtables-translate:
- Correctly translate DCCP type matches (including 'INVALID').

See the attached changelog for more details.

You can download it from:

http://www.netfilter.org/projects/iptables/downloads.html#iptables-1.8.7

To build the code, libnftnl 1.1.6 is required:

* http://netfilter.org/projects/libnftnl/downloads.html#libnftnl-1.1.6

In case of bugs and feature requests, file them via:

* https://bugzilla.netfilter.org

Happy firewalling!

View attachment "iptables-1.8.7.txt" of type "text/plain" (1312 bytes)
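
Added example, not part of the announcement and not code from the iptables project: a way to compare `iptables-save` dumps taken before and after upgrading to this release, so that the lower-case MAC printing and the lexical chain ordering described above do not show up as ruleset changes. The function names are hypothetical and the two sample dumps are constructed.

```python
import difflib
import re

MAC_OPT = re.compile(r"(--mac-source )(\S+)")  # 'mac' extension argument

def canonical_dump(text):
    """Reduce iptables-save output to a form comparable across versions."""
    out, chains, rules = [], [], []
    def flush_table():
        # sorted() is stable, so rule order inside each chain is preserved.
        out.extend(sorted(chains, key=lambda s: s.split()[0]))
        out.extend(sorted(rules, key=lambda s: s.split()[1]))
        chains.clear()
        rules.clear()

    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue  # blank lines and "# Generated by ..." timestamps
        line = MAC_OPT.sub(lambda m: m.group(1) + m.group(2).lower(), line)
        if line.startswith(":"):  # chain declaration: zero the counters
            chains.append(re.sub(r" \[\d+:\d+\]$", " [0:0]", line))
        elif line.startswith("-A "):
            rules.append(line)
        else:  # "*table" header or "COMMIT"
            flush_table()
            out.append(line)
    flush_table()
    return out

def ruleset_diff(before, after):
    """Unified diff of the canonical forms; an empty list means equivalent."""
    a, b = canonical_dump(before), canonical_dump(after)
    return list(difflib.unified_diff(a, b, "before", "after", lineterm=""))

# Constructed sample dumps (not captured from a real host).
OLD = """*filter
:INPUT ACCEPT [10:840]
:web - [0:0]
:admin - [0:0]
-A web -j ACCEPT
-A admin -m mac --mac-source 00:1A:2B:3C:4D:5E -j DROP
COMMIT"""
NEW = """*filter
:INPUT ACCEPT [97:8211]
:admin - [0:0]
:web - [0:0]
-A admin -m mac --mac-source 00:1a:2b:3c:4d:5e -j DROP
-A web -j ACCEPT
COMMIT"""
```

`ruleset_diff(OLD, NEW)` returns an empty list, while a changed verdict or a reordered rule within a chain still appears in the diff. The canonical form is for comparison only and is not meant to be fed back to `iptables-restore`.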
