Message-ID: <Yn5t5PQWNLRgmWuW@orbyte.nwl.cc>
Date: Fri, 13 May 2022 16:40:36 +0200
From: Phil Sutter <phil@...filter.org>
To: netfilter <netfilter@...r.kernel.org>,
netfilter-devel <netfilter-devel@...r.kernel.org>
Cc: netdev@...r.kernel.org, netfilter-announce@...ts.netfilter.org,
lwn@....net
Subject: [ANNOUNCE] iptables 1.8.8 release
Hi!
The Netfilter project proudly presents:
iptables 1.8.8
This release contains new features:

* Add iptables-translate support for:
  * sctp match's --chunk-types option
  * connlimit match
  * multiport match's --ports option
  * tcpmss match
* Simplified translation of:
  * tcp match's --tcp-flags option
  * conntrack match
* Reject setuid executables in libxtables for safety reasons
* Support deleting builtin chains in iptables-nft
* Merged arptables-nft rule parser into iptables-nft one, thereby extending arptables-nft by:
  * '-C' and '-S' commands
  * Rule indexes with '-I' and '-R' commands
  * '-c N,M' counter syntax
* Drop support for multiple IPv4 ranges in *NAT targets, which required a Linux kernel before 2.6.11 anyway
* Use native log expression for NFLOG target with iptables-nft, which allows prefix strings of up to 127 characters
* Use native payload expressions when matching on TCP/UDP header fields in iptables-nft
* Debug output in iptables-nft and ebtables-nft when specifying '-v' multiple times
* Debug output in iptables-restore (all variants) by passing '-v' option multiple times
* Better legacy iptables lock timeout implementation, making '-W' option obsolete
* Improved performance of iptables-save and -restore
* Use native meta expression when matching on fwmark value

... and fixes:

* Avoid ebtables program abort for unknown table names
* Zeroing rule counters not functional in iptables-nft
* Incorrect stripping of odd (non-prefix) netmasks with nft-variants
* Wrong iptables-translate output for odd (non-prefix) netmasks
* Wrong translation of inverted conntrack state/status matches
* Buffer exhaustion with huge rulesets in nft-variants
* Deleting rules with SECMARK target not possible due to binary data mismatch (requires kernel update)
* Broken ebtables-translate with '-o' and custom chains
* Wrong translation of sctp match on more than a single field
* Fix for static linking
* Check command was always verbose in iptables-nft
* Wrong translation of '--random-full' option in ip6tables MASQUERADE
* Missing space in listing of mac match
* Misc memory leaks
* Misc testsuite fixes
* ebtables-nft drops user-defined chain policies when flushing
* Clarify synopsis in iptables-translate help text
* Potential double free with unrecognized base chains in iptables-nft
* Wrong ip6tables-nft help text (identical with iptables by accident)
* Extra whitespace after --nflog-prefix option of NFLOG target
* Sanitize behaviour for unprivileged callers, allow printing (extension) help
* Trying to use non-existent extensions caused misleading error messages
* iptables-nft-restore accepted standard targets as chain names
* Extra newline when printing MARK extension help
* Improved arptables-nft help output

... and documentation updates:

* sctp match types
* Drop documentation of ebtables-nft unsupported atomic options
* Misc typo fixes
* Support for shifted port ranges with DNAT
* (Limited) support for service names with DNAT and REDIRECT
* Review NAT extensions' documentation in man page
* LOG target's --log-macdecode option

You can download the new release from:

https://netfilter.org/projects/iptables/downloads.html#iptables-1.8.8

In case of bugs, file them via:

* https://bugzilla.netfilter.org

Happy firewalling!