Date:   Fri, 13 May 2022 16:40:36 +0200
From:   Phil Sutter <>
To:     netfilter <>,
        netfilter-devel <>
Subject: [ANNOUNCE] iptables 1.8.8 release


The Netfilter project proudly presents:

        iptables 1.8.8

This release contains new features:

* Add iptables-translate support for:
  * sctp match's --chunk-types option
  * connlimit match
  * multiport match's --ports option
  * tcpmss match
* Simplified translation of:
  * tcp match's --tcp-flags option
  * conntrack match
* Reject setuid executables in libxtables for safety reasons
* Support deleting builtin chains in iptables-nft
* Merged the arptables-nft rule parser into the iptables-nft one, thereby extending
  arptables-nft by:
  * '-C' and '-S' commands
  * Rule indexes with '-I' and '-R' commands
  * '-c N,M' counter syntax
* Drop support for multiple IPv4 ranges in *NAT targets which required a Linux
  kernel before 2.6.11 anyway
* Use native log expression for NFLOG target with iptables-nft, this allows using
  up to 127-character prefix strings
* Use native payload expressions when matching on TCP/UDP header fields in
* Debug output in iptables-nft and ebtables-nft when specifying '-v' multiple
* Debug output in iptables-restore (all variants) by passing '-v' option
  multiple times
* Better legacy iptables lock timeout implementation, making '-W' option obsolete
* Improved performance of iptables-save and -restore
* Use native meta expression when matching on fwmark value

... and fixes:

* Avoid ebtables program abort for unknown table names
* Zeroing rule counters not functional in iptables-nft
* Incorrect stripping of odd (non-prefix) netmasks with nft-variants
* Wrong iptables-translate output for odd (non-prefix) netmasks
* Wrong translation of inverted conntrack state/status matches
* Buffer exhaustion with huge rulesets in nft-variants
* Deleting rules with SECMARK target not possible due to binary data mismatch
  (requires kernel update)
* Broken ebtables-translate with '-o' and custom chains
* Wrong translation of sctp match on more than a single field
* Fix for static linking
* Check command was always verbose in iptables-nft
* Wrong translation of '--random-full' option in ip6tables MASQUERADE
* Missing space in listing of mac match
* Misc memory leaks
* Misc testsuite fixes
* ebtables-nft drops user-defined chain policies when flushing
* Clarify synopsis in iptables-translate help text
* Potential double free with unrecognized base chains in iptables-nft
* Wrong ip6tables-nft help text (identical with iptables by accident)
* Extra whitespace after --nflog-prefix option of NFLOG target
* Sanitize behaviour for unprivileged callers, allow printing (extension) help
* Trying to use non-existent extensions caused misleading error messages
* iptables-nft-restore accepted standard targets as chain names
* Extra newline when printing MARK extension help
* Improved arptables-nft help output

... and documentation updates:

* sctp match types
* Drop documentation of ebtables-nft unsupported atomic options
* Misc typo fixes
* Support for shifted port ranges with DNAT
* (Limited) support for service names with DNAT and REDIRECT
* Review NAT extensions' documentation in man page
* LOG target's --log-macdecode option

You can download the new release from:

In case of bugs, file them via:


Happy firewalling!
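The "Reject setuid executables in libxtables" item above is the change most likely to bite an upgrade: a site that installed iptables, ip6tables, arptables or ebtables (or an xtables-* wrapper) with the setuid bit so unprivileged scripts could edit rules will find those binaries refusing to run under 1.8.8. The script below is an added example, not part of the announcement or of the netfilter project's own code; it is a pre-upgrade audit that lists setuid executables with xtables-style names under a given root (defaulting to /, an assumption of this example) and returns non-zero when any are found, so it can gate a deployment.

```shell
#!/bin/sh
# Added example (not netfilter project code): audit a host for setuid
# executables that use libxtables. iptables 1.8.8's libxtables rejects
# setuid executables, so every hit is a binary that must lose the bit
# (or be replaced by a sudo/capability-based wrapper) before upgrading.

# Print each setuid regular file under $1 (default: /) whose name matches
# one of the xtables front-end families. -xdev keeps the search on one
# filesystem so /proc, /sys and network mounts are not walked.
find_setuid_xtables() {
    root="${1:-/}"
    find "$root" -xdev -type f -perm -4000 \
        \( -name 'iptables*' -o -name 'ip6tables*' -o -name 'arptables*' \
           -o -name 'ebtables*' -o -name 'xtables*' \) 2>/dev/null
}

# Return 0 when the tree is clean, 1 (with the offending paths on stderr)
# when at least one setuid xtables executable exists.
check_no_setuid_xtables() {
    hits=$(find_setuid_xtables "$1")
    if [ -n "$hits" ]; then
        printf 'setuid xtables executables found:\n%s\n' "$hits" >&2
        return 1
    fi
    return 0
}

# Usage when run as a script (hypothetical file name check-setuid-xtables.sh):
#   sh check-setuid-xtables.sh            # audit / (needs root to see all dirs)
#   sh check-setuid-xtables.sh /mnt/image # audit a mounted image or chroot
[ "${0##*/}" = "check-setuid-xtables.sh" ] && check_no_setuid_xtables "${1:-/}"
```

Run it as root when auditing a live system, since unreadable directories are silently skipped; pointing it at a mounted image or staging root works without privileges. The name match is deliberately broad (it catches iptables-legacy, iptables-nft, ip6tables-restore and similar) because all of those front ends link libxtables and are subject to the same rejection.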
