Note: basic testing done, wl, buttons, router detection, nvram cleaning, ... working!
BIG THX to user txnative from www.linksysinfo.org for testing/helping
Based on the work of txnative, thx for helping & testing
(Version 1.0 for FT)
Known Issues:
- wps button gpio 7 does not work?
- wireless temperature @GUI not working?
As part of this commit:
* Tomato's iptables is being updated from v1.4.14 (dated May 26th, 2012), to v1.6.2 (dated Feb 2, 2018).
* Note, v1.6 requires the installation of libmnl-dev. This has been added to the list of other apt-get items within README.md
* I have identified the changes/additions that Tomato devs made to the upstream source, and have separated this out into a (rather large) patch. This can be refactored by others if a better approach is put forth.
* All objects that were in Tomato but not upstream have also been added via the above mentioned patch file.
* Updated a few objects (as part of patch) to allow for compilation of the 1.6.2 codebase with the Tomato required extensions (e.g. TRIGGER).
* The new 1.6.2 code is placed in a new iptables-1.6.x directory. The old iptables-1.4.x directory remains as was, though it can be removed (maybe along with other now unused directories such as ntpc and ntpclient).
For record keeping purposes, the following
File ./extensions/libip6t_REJECT.c
This appears to be this patch:
https://b1nary.tk/fw/ea6700/src/linux/patches/linux-2.6.36.4-008_reject_with_src_addr_fail_policy.patch
File ./include/linux/netfilter_ipv6/ip6t_REJECT.h and /home/edriss/iptables/iptables-1.4.14/include/linux/netfilter_ipv6/ip6t_REJECT.h differ
This appears to be this patch:
https://b1nary.tk/fw/ea6700/src/linux/patches/linux-2.6.36.4-008_reject_with_src_addr_fail_policy.patch
File ./extensions/libxt_CONNMARK.c and /home/edriss/iptables/iptables-1.4.14/extensions/libxt_CONNMARK.c differ
This had added the --SET RETURN patch
File ./include/linux/netfilter/xt_connmark.h and /home/edriss/iptables/iptables-1.4.14/include/linux/netfilter/xt_connmark.h differ
This had added the --SET RETURN patch
File ./include/linux/netfilter_ipv4/ip_tables.h and /home/edriss/iptables/iptables-1.4.14/include/linux/netfilter_ipv4/ip_tables.h differ
This appears to be this performance patch:
http://svn.pikatech.com/warp/tags/3.0/3.0.0.121/warpwrt/wrt/target/linux/generic/patches-2.6.32/110-netfilter_match_speedup.patch
File ./iptables: xtoptions.c
This didn't exist in the upstream version. I have merged the required changes from the libxtables directory version and Tomato version, and placed it in the iptables directory.
File ./libiptc/libip4tc.c and /home/edriss/iptables/iptables-1.4.14/libiptc/libip4tc.c differ
This appears to be this performance patch:
http://svn.pikatech.com/warp/tags/3.0/3.0.0.121/warpwrt/wrt/target/linux/generic/patches-2.6.32/110-netfilter_match_speedup.patch
Directory: l7-protocols
The entire folder is added by Tomato.
The following files are not upstream, but only in Tomato:
iptables-1.6.x/include/linux/netfilter: xt_IMQ.h
iptables-1.6.x/extensions: libip6t_ROUTE.c
iptables-1.6.x/extensions: libip6t_ROUTE.man
iptables-1.6.x/extensions: libip6t_web.c
iptables-1.6.x/extensions: libip6t_webmon.c
iptables-1.6.x/extensions: libipt_account.c
iptables-1.6.x/extensions: libipt_condition.c
iptables-1.6.x/extensions: libipt_condition.man
iptables-1.6.x/extensions: libipt_geoip.c
iptables-1.6.x/extensions: libipt_geoip.man
iptables-1.6.x/extensions: libipt_ipp2p.c
iptables-1.6.x/extensions: libipt_ipp2p.man
iptables-1.6.x/extensions: libipt_layer7.c
iptables-1.6.x/extensions: libipt_layer7.man
iptables-1.6.x/extensions: libipt_ROUTE.c
iptables-1.6.x/extensions: libipt_ROUTE.man
iptables-1.6.x/extensions: libipt_tos.c
iptables-1.6.x/extensions: libipt_TOS.c
iptables-1.6.x/extensions: libipt_tos.man
iptables-1.6.x/extensions: libipt_TOS.man
iptables-1.6.x/extensions: libipt_TRIGGER.c
iptables-1.6.x/extensions: libipt_web.c
iptables-1.6.x/extensions: libipt_webmon.c
iptables-1.6.x/extensions: libipt_webstr.c
iptables-1.6.x/extensions: libxt_ethport.c
iptables-1.6.x/extensions: libxt_IMQ.c
iptables-1.6.x/extensions: libxt_IMQ.man
Below is the significant set of release notes, changes, and fixes between v1.4.14 and v1.6.2:
***********************************
*** 2018-Feb-02: iptables-1.6.2 ***
***********************************
Aastha Gupta (2):
iptables-translate: add test file for TCPMSS extension
iptables: iptables-compat translation for TCPMSS
Ahmed Abdelsalam (1):
extensions: add support for 'srh' match
Arushi Singhal (1):
iptables: extensions: Remove typedef in struct.
Baruch Siach (1):
utils: nfsynproxy: fix build with musl libc
Dan Williams (3):
libiptc: don't set_changed() when checking rules with module jumps
iptables-restore/ip6tables-restore: add --version/-V argument
iptables-restore.8: document -w/-W options
Elise Lennion (1):
extensions: libxt_hashlimit: Add translation to nft
Florian Westphal (2):
tests: xlate-test: no need to require superuser privileges
policy: add nft translation for simple policy none/strict use case
Gargi Sharma (2):
iptables: Constify option struct
extensions: libxt_TOS: Add translation to nft
Harsha Sharma (6):
iptables: Constify option struct
Update .gitignore
libxt_TOS: add tests for translation infrastructure
tests: xlate: print output in same way as nft-test.py
extensions: add tests for ipcomp protocol
extensions: libxt_hashlimit: Do not print default timeout and burst
James Cowgill (1):
extensions: libxt_hashlimit: fix 64-bit printf formats
Jan Engelhardt (2):
libxtables: remove unnecessary nesting from host_to_ip(6)addr
libxtables: abolish AI_CANONNAME
Juergen Borleis (1):
iptables: change large file support handling
Liping Zhang (2):
xshared: do not lock again and again if "-w" option is not specified
xshared: using the blocking file lock request when we wait indefinitely
Lorenzo Colitti (5):
iptables: set the path of the lock file via a configure option.
iptables: move XT_LOCK_NAME from CFLAGS to config.h.
iptables: remove duplicated argument parsing code
iptables-restore: support acquiring the lock.
iptables: insist that the lock is held.
Louis Sautier (1):
xtables-compat-restore: fix translation of mangle's OUTPUT
Mart Frauenlob (1):
iptables: extensions: Fix MARK target help
Max Laverse (1):
iptables: masquerade: add randomize-full support
Oliver Ford (4):
libxtables: Display weird character warning for wildcards
iptables: Fix crash on malformed iptables-restore
iptables: Add file output option to iptables-save
iptables-xml: Fix segfault on jump without a target
Pablo M. Bermudo Garay (8):
tests: add regression tests for xtables-translate
tests: xlate: remove python 3.5 dependency
tests: xlate: check if it is being run as root
tests: xlate: generalize owner
libip6t_icmp6: xlate: remove leftover space
xtables-translate: fix double space before comment
xtables-compat-restore: fix several memory leaks
xtables-compat: fix memory leak when listing
Pablo Neira Ayuso (7):
libxt_hashlimit: add new unit test to catch kernel bug
iptables-translate: print nft command for each expand rules via dns names
iptables-translate: print nft iff there are more expanded rules to print
iptables-compat: do not allow to delete populated user define chains
extensions: hashlimit: fix incorrect burst in translations
extensions: hashlimit: remove space before burst in translation to nft
iptables 1.6.2 release
Phil Sutter (8):
extensions: libxt_addrtype: Add translation to nft
xtables-translate: Avoid querying the kernel
utils: nfnl_osf: Fix synopsis in help text
utils: Add a man page for nfnl_osf
ip{,6}tables-restore: Don't ignore missing wait-interval value
ip{,6}tables-restore: Don't accept wait-interval without wait
extensions: libxt_tcpmss: Detect invalid ranges
libxt_recent: Remove ineffective checks for info->name
Rafael Buchbinder (1):
extensions: libxt_bpf: fix missing __NR_bpf declaration
Shyam Saini (2):
extensions: libxt_cluster: Add translation to nft
extensions: Add test for cluster nft translation
Thierry Du Tre (2):
extensions: ip6t_{S,D}NAT: multiple to-dst/to-src arguments not reported
extensions: ip6t_{S,D}NAT: add more tests
Varsha Rao (6):
iptables: Remove explicit static variables initalization.
iptables: Remove unnecessary braces.
iptables: xtables-eb: Remove const qualifier from struct option
extensions: libxt_tcpmss: Add test case for invalid ranges.
iptables: Remove const qualifier from struct option.
extensions: Add macro _DEFAULT_SOURCE.
Vincent Bernat (1):
iptables-restore/save: exit when given an unknown option
Vishwanath Pai (1):
netfilter: xt_hashlimit: add rate match mode
Xose Vazquez Perez (1):
iptables: update pf.os
Yogesh Prasad (1):
iptables: patch to correct linker flag sequence
huaibin Wang (1):
libxt_sctp: fix array out of range in print_chunk
shyam saini (1):
extensions: hashlimit: Rename 'flow table' keyword to meter
***********************************
*** 2017-Jan-27: iptables-1.6.1 ***
***********************************
Ana Rey (1):
extensions: libxt_udp: add translation to nft
Arpan Kapoor (1):
libxtables: Replace gethostbyname() with getaddrinfo()
Arturo Borrero (3):
extensions/libxt_rpfilter.man: fix typo, specifiy vs specify
iptables/xtables-arp.c: fix typo, wierd vs weird
extensions/libxt_tcp: fix nftables translate flags value, 'none' vs '0x0'
Arturo Borrero Gonzalez (1):
extensions: update Arturo Borrero email address
Brian Haley (1):
iptables-restore: add missing arguments to usage message
Florian Westphal (5):
iptables.8: mention iptables-save in -L documentation
iptables.8: nat table has four builtin chains
extensions: NETMAP: add ' to:' prefix when printing NETMAP target
extensions: NETMAP: fix iptables-save output
connlabel: clarify default config path
George Burgess IV (1):
libxt_multiport: remove an unused variable
Giuseppe Longo (1):
configure: make libmnl and libnftnl hard requirements
Guruswamy Basavaiah (4):
iptables: extensions: iptables-translate prints extra "nft" after printing any error
iptables-translate: translate iptables --flush
iptables-translate: Printing the table name before chain name.
iptables-translate: Don't print "nft" in iptables-restore-translate command
Gustavo Zacarias (1):
iptables: add xtables-config-parser.h to BUILT_SOURCES
Janani Ravichandran (1):
extensions: libip6t_rt.c: Add translation to nft
Jordan Yelloz (1):
extensions: added AR substitution
Keno Fischer (1):
build: Fix two compile errors during out-of-tree build
Laura Garcia Liebana (12):
extensions: libip6t_icmp6: Add translation to nft
extensions: libipt_LOG: Avoid to print the default log level in the translation
extensions: libipt_icmp: Add translation to nft
extensions: libipt_REJECT: Avoid to print the default reject with value in the translation
extensions: libip6t_REJECT: Avoid to print the default reject with value in the translation
extensions: libxt_ipcomp: Add translation to nft
extensions: libip6t_hbh: Add translation to nft
extensions: libxt_multiport: Add translation to nft
extensions: libxt_dscp: Add translation to nft
extensions: libip6t_frag: Add translation to nft
extensions: libxt_cgroup: Add translation to nft
extensions: libxt_conntrack: Add translation to nft
Liping Zhang (27):
extensions: libxt_limit: fix a wrong translation to nft rule
extensions: libxt_mark: fix a wrong translation to nft when mask is specified
extensions: libxt_TRACE: Add translation to nft
extensions: libipt_realm: fix order of mask and id when do nft translation
extensions: libxt_connlabel: fix crash when connlabel.conf is empty
extensions: libxt_connlabel: Add translation to nft
extensions: libxt_NFLOG: display nflog-size even if it is zero
extensions: libxt_NFLOG: translate to nft log snaplen if nflog-size is specified
extensions: libxt_NFLOG: add unit test to cover nflog-size with zero
extensions: libxt_connlabel: add unit test
iptables-translate: add in/out ifname wildcard match translation to nft
extensions: libxt_CLASSIFY: Add translation to nft
extensions: libipt_DNAT/SNAT: fix "OOM" when do translation to nft
extensions: libip[6]t_SNAT/DNAT: use the new nft syntax when do xlate
extensions: libip[6]t_REDIRECT: use new nft syntax when do xlate
extensions: libip6t_SNAT/DNAT: add square bracket in xlat output when port is specified
extensions: libipt_realm: add a missing space in translation
extensions: libxt_iprange: rename "ip saddr" to "ip6 saddr" in ip6tables-xlate
extensions: libxt_iprange: handle the invert flag properly in translation
extensions: libxt_devgroup: handle the invert flag properly in translation
extensions: libxt_ipcomp: add range support in translation
extensions: libxt_quota: add translation to nft
extensions: libxt_DSCP: add translation to nft
extensions: libxt_statistic: add translation to nft
extensions: LOG: add log flags translation to nft
extensions: libxt_connbytes: Add translation to nft
extensions: libxt_rpfilter: add translation to nft
Loganaden Velvindron (1):
libxt_TCPOPTSTRIP: Fix musl compatibility
Pablo M. Bermudo Garay (11):
extensions: iprange: remove extra space in translation
iptables-compat: use nft built-in comments support
xtables-translate: fix multiple spaces issue
include: xtables: fix struct definitions grepability
xtables-translate: fix issue with quotes
xtables-compat: fix comments listing
xtables-compat: remove useless functions
xtables-translate: add escape_quotes option to comment_xlate
xtables-compat: check if nft ruleset is compatible
xtables-compat: add rule cache
xtables-translate-restore: do not escape quotes
Pablo Neira Ayuso (13):
nft: xtables: add generic parsing infrastructure to interpret commands
nft: xtables-restore: add generic parsing infrastructure
nft: xtables: add the infrastructure to translate from iptables to nft
extensions: libxt_tcp: add translation to nft
extensions: libxt_state: add translation to nft
libxtables: fix leak in xt_buf object
extensions: rename xt_buf to xt_xlate
xtables: add xt_xlate_add_comment()
iptables-translate: pass ipt_entry and ip6t_entry to ->xlate()
libxtables: missing comment initialization in xt_xlate_alloc()
src: introduce struct xt_xlate_{mt,tg}_params
configure: update libnetfilter_conntrack version dependency
iptables 1.6.1 release
Phil Sutter (5):
extensions: libip6t_ah: Fix translation of plain '-m ah'
xtables-translate: Support setting standard chain policy
nft_ipv{4,6}_xlate: Respect prefix lengths
xtables-translate: Fix chain type when translating nat table
tcp_xlate: Enclose LH flag values in parentheses
Rami Rosen (1):
extensions: fix cgroup2 help message in libxt_cgroup.c.
Roberto García (7):
extensions: libip6t_LOG: Avoid to print the default log level in the translation
iptables: extensions: libxt_TEE: Add translation to nft
extensions: libxt_MARK: Add translation to nft
extensions: libxt_MARK: Add translation for revision 1 to nft
extensions: libxt_CONNMARK: Add translation to nft
iptables: extensions: libxt_MARK: Fix translation of --set-xmark option
iptables: extensions: libxt_ecn: Add translation to nft
Sami Kerola (1):
extensions: REJECT: do not adjust reject-with type footnote indentation
Shivani Bhardwaj (51):
extensions: libxt_mark: Add translation to nft
extensions: libxt_esp: Add translation to nft
extensions: libxt_NFLOG: Add translation to nft
extensions: libxt_iprange: Add translation to nft
extensions: libxt_mac: Add translation to nft
extensions: libxt_helper: Add translation to nft
extensions: libxt_NFLOG: Add group_info and remove multiple keywords
extensions: libxt_limit: Add translation to nft
include: xtables: Add enum for better nft translation code
extensions: libxt_mark: Fix inversion code
extensions: libxt_devgroup: Add translation to nft
extensions: libxt_cpu: Add translation to nft
extensions: libipt_ah: Add translation to nft
extensions: libxt_connmark: Add translation to nft
extensions: libxt_pkttype: Add translation to nft
extensions: libipt_REJECT: Add translation to nft
extensions: libipt_realm: Add translation to nft
extensions: libipt_SNAT: Add translation to nft
extensions: libipt_DNAT: Add translation to nft
iptables: nft-ipv6: Replace ip with ip6
extensions: libip6t_DNAT: Add translation to nft
extensions: libip6t_SNAT: Add translation to nft
extensions: libxt_length: Add translation to nft
extensions: libip6t_ah: Add translation to nft
extensions: libipt_ttl: Add translation to nft
extensions: libip6t_REJECT: Add translation to nft
extensions: libipt_LOG: Add translation to nft
extensions: libip6t_LOG: Add translation to nft
extensions: libip6t_hl: Add translation to nft
extensions: libipt_REDIRECT: Add translation to nft
extensions: libip6t_REDIRECT: Add translation to nft
iptables: nft-ipv6: Fix ipv6 flags
extensions: libxt_NFQUEUE: Add translation to nft
comment: Add translation to nft
extensions: libipt_MASQUERADE: Add translation to nft
extensions: libip6t_MASQUERADE: Add translation to nft
iptables: nft-ipv6: Use meta l4proto instead of nexthdr
extensions: libip6t_mh: Add translation to nft
extensions: libxt_owner: Add translation to nft
extensions: libxt_sctp: Add translation to nft
extensions: libxt_dccp: Add translation to nft
configure: Show support for connlabel
extensions: libxt_NFQUEUE: Fix bug with order of fanout and bypass
extensions: libxt_NFQUEUE: Unstack different versions
extensions: libxt_NFQUEUE: Add missing tests
extensions: libxt_connmark: Fix order of mask and mark
extensions: libxt_devgroup: Fix order of mask and id
configure: Remove flex check warning
configure: Fix assignment statement
iptables: xtables-arp: Use getaddrinfo()
extensions: libxt_mangle: Use getaddrinfo()
Shyam Saini (3):
libxtables: xtables: remove unnecessary debug code
libxtables: xtables: Use getnameinfo()
iptables: fix the wrong appending of jump verdict after the comment.
Subash Abhinov Kasiviswanathan (1):
xtables: Add an interval option for xtables lock wait
Tejun Heo (3):
libxt_cgroup: prepare for multi revisions
libxt_cgroup2: add support for cgroup2 path matching
extensions: libxt_cgroup: add unit test
Thomas Habets (1):
iptables-save: exit with error if unable to open proc file
Thomas Woerner (1):
ip6tables: Warn about use of DROP in nat table
Vishwanath Pai (3):
extensions: libxt_NFLOG: nflog-range does not truncate packets
extensions: libxt_hashlimit: Prepare libxt_hashlimit.c for revision 2
extensions: libxt_hashlimit: Create revision 2 of xt_hashlimit to support higher pps rates
Willem de Bruijn (3):
extensions/libxt_bpf.man: clarify BPF code generation with tcpdump
extensions: libxt_bpf: support ebpf pinned objects
iptables: on revision mismatch, do not call print/save
Xose Vazquez Perez (1):
iptables: update pf.os
***********************************
*** 2015-Dec-18: iptables-1.6.0 ***
***********************************
Ana Rey (7):
xtables-standalone: call nft_fini in the error path
nft: fix memory leaks in nft_xtables_config_load
iptables: nft: fix memory leaks in nft_fini
extensions: libxt_devgroup: Fix the path of the group mappings file
iptables-compat: homogenize error messages
extensions: devgroup: fix showing and saving of dst-group
iptables-compat: homogenize error messages with 'R' option
Andreas Herz (3):
extension: libip6t_ipv6header: fix wrong headername in ipv6header for protocols
extensions: icmp6: added missing icmpv6 dest-unreach codes
added missing icmpv6 codes in REJECT
Anton Danilov (1):
xtables: SET target: Add mapping of meta informations (skbinfo ipset extension)
Arturo Borrero (38):
iptables-compat: kill add_*() invflags parameter
nft-compat: create a separated object update type to rename chains
nft-bridge: fix printing of inverted protocols, addresses
nft-bridge: fix inversion of builtin matches
iptables: xtables-eb: delete extra 'policy' printf
iptables: xtables-eb: user-defined chains default policy is always RETURN
iptables: xtables-eb: fix renaming of chains
extensions: add ebt 802_3 extension
ebtables-compat: fix counter listing
ebtables-compat: fix printing of extension
ebtables-compat: fix segfault in rules w/o target
ebtables-compat: include /etc/ethertypes in tarball
ebtables-compat: fix ACCEPT printing by simplifying logic
include: cache copy of Linux header uapi/linux/netfilter_bridge/ebt_802_3.h
ebtables-compat: add nft rule compat information to bridge rules
ebtables-compat: prevent options overwrite
ebtables-compat: prevent same matches to be included multiple times
ebtables-compat: include rule counters in ebtables rules
ebtables-compat: fix nft payload bases
ebtables-compat: add 'ip' match extension
ebtables-compat: add mark_m match extension
extensions: cleanup commented code in ebtables-compat extensions
libxtables: search first for AF-specific extension
ebtables-compat: call extensions final checks
ebtables-compat: finish target infrastructure
ebtables-compat: add mark target extension
ebtables-compat: add watchers support
ebtables-compat: add log watcher extension
arptables-compat: add mangle target extension
libxt_quota: fix _save() invert syntax
ebtables-compat: support nflog extension
arptables-compat: add support for the CLASSIFY target
arptables-compat: delete extra space in target printing
ebtables-compat: add support for limit extension
ebtables-compat: add a bridge-specific exit_error function
ebtables-compat: fix rule deleting with -D in rules with no target
list: fix prefetch dummy
libxtables: find extensions based on family too
Arturo Borrero Gonzalez (1):
ebtables-compat: fix misplaced function attribute on ebt_print_error()
Dan Wilder (1):
libxtables: move some code to avoid cautions in vfork man page
Daniel Borkmann (4):
iptables: snat: add randomize-full support
iptables: add libxt_cgroup frontend
cgroup, man: improve man-page bits
libxt_CT: add support for recently introduced zone options
Domen Puncer (1):
libxtables: fix getaddrinfo return value usage
Felix Janda (5):
consistently use <errno.h>
include: remove libc5 support code
include: Sync with ethernetdb.h from ebtables
include Use <stdint.h> types from xtables.h
include: Sync with upstream kernel headers
Florian Westphal (15):
Merge branch 'stable-1.4.20'
iptables.8: --policy is either ACCEPT or DROP
extensions: libxt_connlabel: do not open config file from _init hook
man: string: document icase
tests: split into family and table specific files
tests: add test case for xt_recent regression
extensions: remove MIRROR
extensions: remove SAME target
extensions: remove 'unclean' match
extensions: add more test cases for iptables-test.py
extensions: SNPT,DNPT: fix save/print output
extensions/libxt_recent.t: add test case for 3.19 regression
extensions: libip6t_dst: make inversion work
tests: remove old test cases
man: using physdev match in OUTPUT is not supported anymore
Giuseppe Longo (33):
nft: fix leak of rule and chain iterators
nft: fix leak of chain iterator in nft_rule_list
xtables: allow to zero chains via -Z
nft: break loop after found matching chain
nft: print counter issues
nft: fix another memleak in nft_rule_list_cb
xtables: nft: display rule by number via -L
nft: associate table configuration to handle via nft_init
nft: fix family operation lookup
nft: load only the tables of the current family
nft: refactoring parse operations for more genericity
xtables: bootstrap ARP compatibility layer for nftables
xtables: nft-arp: implements is_same op for ARP family
xtables: arp: add rule replacement support
xtables: arp: add delete operation
xtables: arp: zeroing chain counters
nft: arp: initialize flags in nft_arp_parse_meta
nft: arp: add parse_target to nft_family_ops_arp
nft: arp: fix possible string overflow
nft: adds save_matches_and_target
nft-arp: adds nft_arp_save_firewall
xtables-events: prints arp rules
nft-arp: fix is_same_interfaces arguments
nft-arp: wrong condition in parse_payload
nft: replace nft_rule_attr_get_u8
nft: save: fix the printing of the counters
nft-arp: remove wrong conditions
nft: compare layer 4 protocol in first place
nft: add nft_xt_ctx struct
nft: fix syntax error in nft_parse_cmp()
nft-ipv46: replace offset var with ctx->payload.offset
ebtables-compat: fix print_header
ebtables-compat: build ebtables extensions
Gustavo Zacarias (1):
iptables-save: remove dlfcn.h include
Harout Hedeshian (2):
extensions: libxt_socket: add --restore-skmark option
extensions: libxt_socket: update man pages and tests for --restore-skmark
Jan Engelhardt (3):
iptables: link against libnetfilter_conntrack
build: resolve build error involving libnftnl
extensions: restore matching any SPI id by default
Jiri Popelka (9):
iptables: fix version in iptables(8)
update FSF address in license text
iptables: missing bracket in iptables-save(8)
iptables-restore.8: missing -T in synopsis
iptables-restore.8: file to read from can be specified as argument
iptables-{save,restore}: warn that -b/--binary isn't implemented
iptables-save: actually parse -M/--modprobe option
iptables: add optional [seconds] argument to -w
libxt_tcp: manpage correction
Jozsef Kadlecsik (1):
Alignment problem between 64bit kernel 32bit userspace
Loganaden Velvindron (1):
extensions: libxt_TEE: Trim kernel struct to allow deletion
Mart Frauenlob (2):
extensions: libxt_set: Add missing hyphen to --bytes-eq synopsis in manpage
libxtables: Print meaningful error message for an invalid MAC address string
Martin Topholm (1):
extensions: libxt_SYNPROXY: initial manual page
Mike Frysinger (4):
configure: fix 3rd arg w/AC_ARG_ENABLE
build: add finer module blacklisting
libiptc: fix fortify errors in debug code
iptables: update gitignore list
Nicolas Dichtel (1):
iptables: fix compilation when lib[mnl|nftables] are not in standard path
Pablo Neira Ayuso (186):
add iptables unit test infrastructure
extensions: libipt_ah: add unit test
extensions: libip6t_ah: add unit test
extensions: libipt_LOG: add unit test
extensions: libxt_addrtype: add unit test
extensions: libip6t_LOG: add unit test
extensions: libxt_cluster: add unit test
extensions: libxt_comment: add unit test
extensions: libxt_AUDIT: add unit test
extensions: libxt_CHECKSUM: add unit test
extensions: libxt_CLASSIFY: add unit test
extensions: libxt_connbytes: add unit test
extensions: libxt_connlimit: add unit test
extensions: libxt_connmark: add unit test
extensions: libxt_CONNMARK: add unit test
extensions: libxt_hashlimit: add unit test
extensions: libxt_time: add unit test
extensions: libxt_length: add unit test
extensions: libxt_udp: add unit test
extensions: libxt_tcp: add unit test
extensions: libxt_tos: add unit test
extensions: libxt_NFLOG: add unit test
extensions: libxt_dccp: add unit test
extensions: libxt_esp: add unit test
extensions: libxt_helper: add unit test
extensions: libipt_icmp: add unit test
extensions: libxt_NFQUEUE: add unit test
extensions: libipt_ttl.t: add unit test
extensions: libxt_pkttype: add unit test
extensions: libxt_CT: add unit test
extensions: libxt_state: add unit test
extensions: libxt_string: add unit test
extensions: libxt_rateest: add unit test
extensions: libxt_nfacct: add unit test
extensions: libxt_mark: add unit test
extensions: libipt_REJECT: add unit test
extensions: libxt_sctp: add unit test
extensions: libxt_NOTRACK: add unit test
extensions: libipt_MASQUERADE: add unit test
extensions: libxt_standard: add unit test
extensions: libipt_ECN: add unit test
extensions: libxt_TRACE: add unit test
extensions: libxt_TOS: add unit test
extensions: libxt_DSCP: add unit test
extensions: libip6t_eui64: add unit test
extensions: libxt_limit: add unit test
extensions: libxt_conntrack: add unit test
extensions: libipt_ULOG: add unit test
extensions: libxt_multiport: add unit test
extensions: libip6t_REJECT: add unit test
extensions: libxt_dscp: add unit test
extensions: libxt_cpu: add unit test
extensions: libxt_quota: add unit test
extensions: libxt_iprange: add unit test
extensions: libxt_physdev: add unit test
extensions: libxt_TEE: add unit test
extensions: libipt_SNAT: add unit test
extensions: libip6t_DNAT: add unit test
extensions: libxt_owner: add unit test
extensions: libxt_MARK: add unit test
build: don't include tests in released tarball
use nf_tables and nf_tables compatibility interface
automatic creation of built-in table and chains
rework automatic creation of built-in table and chains
iptables: nft: add -f support
nft: fix missing rule listing in custom chains with -L
headers: remove unused compatibility definitions
iptables: nft: move priority to chain instead of table
iptables: nft: remove __nft_check_rule
iptables: nft: use 64-bits handle
iptables: nft: use chain types
xtables-restore: add support for dormant tables
nft: adapt chain rename to recent Patrick's updates
xtables: fix crash due to using wrong globals
xtables-restore: fix custom user chain restoration
xtables: fix compilation warning
xtables: purge out user-define chains from the kernel
xtables-restore: support atomic commit
xtables: nft: add protocol and flags for xtables over nf_tables
xtables-restore: support test option `-t'
nft: fix crash if TRACE is used
xtables: ipv6: fix wrong error if -p is used
xtables: ipv6: add missing break in nft_parse_payload_ipv6
xtables: ipv6: fix -D with -p
add xtables-events
xtables-restore: add -4 and -6 support
xtables-save: add -4 and -6 support
nft: remove license for header file
xtables: fix missing xtables_exit_error definition
xtables-standalone: fix error message
xtables-config: priority has to be per-chain to support
nft: load tables and chains based on /etc/xtables.conf
xtables: support family in /etc/xtables.conf file
xtables-config: fix off by one in parsed strings from /etc/xtables.conf
xtables: fix missing protocol and invflags
xtables-config-parser: fix compilation warning
iptables: update .gitignore
xtables: add new container xtables_args structure
xtables: add new nft_ops->post_parse hook
xtables: remove unused leftover definitions
xtables: fix compilation due to missing autogenerated header
nft: don't call nft_init in nft_xtables_config_load
xtables-restore: output the same error message that iptables-restore uses
xtables: fix -p protocol
nft: fix leaks in nft_xtables_config_load
xtables: remove bogus comment on chain rename
xtables: nft: remove lots of useless debugging messages
xtables: do not proceed if nft_init fails
xtables: fix missing afinfo configuration
xtables: nft: display rule number via -S
xtables-events: print usage on wrong arguments
xtables-events: fix missing newline in table and chain events
nft: fix built-in chain ordering of the nat table
src: use nft_*_list_add_tail
nft: break chain listing if only one if looked for
nft: fix selective chain display via -S
xtables: add -I chain rulenum
xtables: remove bogus comment regarding rule replacement
nft: no need for rule lookup if no position specified via -I
xtables: fix typo in add_entry for the IPv6 case
nft: fix match revision lookup for IPv6
etc: add default IPv6 table and chain definitions
xtables: use xtables_rule_matches_free
nft: fix wrong flags handling in print_firewall_details
nft: use xtables_print_num
nft: generalize rule addition family hook
xtables: nft-arp: fix endianess in nft_arp_parse_payload
nft: consolidate nft_rule_find for ARP, IPv4 and IPv6
nft: consolidate nft_rule_new to support ARP
nft: consolidate nft_rule_* functions to support ARP
include: cache netfilter_arp kernel headers
nft: adapt nft_rule_expr_get to use uint32_t instead of size_t
xtables: batch rule-set updates into one single netlink message
xtables: fix missing ipt_entry for MASQUERADE target
nft: pass ipt_entry to ->save_firewall hook
nft: fix bad length when comparing extension data area
nft: fix interface wildcard matching
xtables-events: fix compilation due change in libnftables
nft: fix inversion of built-in selectors
nft: fix out of bound memory copy
nft: fix wrong function to release iterator
nft: fix inconsistent data type in NFT_EXPR_CMP_OP and NFT_EXPR_META_KEY
configure: fix wrong reference to the conntrack-tools
configure: rename --disable-xtables to --disable-nftables
configure: conditional dependencies for nftables-compat
xtables-restore: remove dependency with libip4tc
xtables: add xtables-compat-multi for the nftables compatibility layer
nft-compat: fix IP6T_F_GOTO flag handling
nft-compat: fix wrong protocol context in initialization
Merge branch 'nft-compat'
iptables.8: update coreteam members from manpage
Merge branch 'next-3.14'
iptables: nft: generalize batch infrastructure
iptables: nft: remove unused code
iptables: nft: add tables and chains to the batch
Makefile: fix static compilation iptables-compat without shared libraries
iptables-compat: fix address prefix
iptables-compat: nft: use nft_batch_begin and nft_batch_end from libnftnl
iptables-compat: fix use after free in the batch send path
iptables-compat: get rid of error reporting via perror
Merge branch 'tests'
iptables-compat: nft: fix user chain addition, deletion and rename
iptables-compat: nft: fix error reporting
arptables-compat: fix missing error reporting
arptables-compat: allow to not specify a target
arptables-compat: get output in sync with arptables -L -n --line-numbers
arptables-compat: remove save code
refresh nf_tables.h cached copy
iptables-compat: fix chain policy reset with iptables -L -n
iptables-compat: statify unused built-in table/chain functions
iptables-compat: assume chain policy NF_ACCEPT when creating built-in chains
iptables-compat: fix empty chains after first invocation of iptables-compat -L
Merge branch 'ipset'
nft: bootstrap ebtables-compat
ebtables-compat: use ebtables_command_state in bootstrap code
iptables: use flock() instead of abstract unix sockets
Merge branch 'ebtables-compat'
xshared: calm down compilation warning
xtables-compat: remove unused fields from bridge and arp families
iptables-compat: unset context flags in netlink delinearize step
Merge branch 'ipset-next'
extensions: fix several test errors
iptables-compat: use new symbols in libnftnl
iptables-compat: Keep xtables-config and xtables-events out from tree
iptables 1.6.0 release
iptables: fix static builds
Phil Oester (1):
iptables-xml: fix segfault if missing space after -A
Ronald Wahl (1):
libxtables: fix two off-by-one memory corruption bugs
Thomas Woerner (2):
iptables-compat: Allow to insert into rule_count+1 position
iptables-compat: Increase rule number only for the selected table and chain
Tomasz Bursztyka (41):
headers: Make nf_tables.h up to date
nft: Add support for chain rename options (-E)
iptables: nft: Fix -D chain rulenum option
iptables: nft: Refactor __nft_rule_check to return rule handle when relevant
iptables: nft: Add support for -R option
xtables: add IPv6 support
nft: Split nft core to become family independant
xtables: initialize xtables defaults even on listing rules
xtables: policy can be changed only on builtin chain
nft: Set the rule family when creating a new one
nft: Handle error on adding rule expressions
xtables: Remove useless parameter to nft_chain_list_find
nft: add function to test for a builtin chain
nft: Fix small memory leaks
xtables: Do not dump before command parsing has been finished
nft: Remove useless function
nft: Optimize rule listing when chain and rulenum are provided
nft: Make internal rule listing callback more generic
nft: Remove useless test on rulenum in nft_rule_list()
nft: Generalize nft_rule_list() against current family
nft: Print unknown target data only when relevant
nft: convert rule into a command state structure
xtables: allow to reset the counters of an existing rule
nft: Fix a minor compilation warning
nft: skip unset tables on table configuration emulation
xtables: arp: Store target entry properly and compare them relevantly
extensions: add arptables' libxt_mangle.c for xtables-arp
extensions: libxt_mangle: Fixes option issues
nft: Header inclusion missing
xtables: arp: Parse properly target options
nft: fix wrong target size
xtables: arp: Fix a compilation warning
xtables: arp: inhibit -l option so only a fixed 6 bytes length arhln can be used
include: Update nftables API header in sync with kernel's one
nft: Use new libnftnl library name against former libnftables
xtables: Add backward compatibility with -w option
nft: Add useful debug output when a builtin table is created
nft: A builtin chain might be created when restoring
nft: Initialize a table only once
nft: Remove useless error message
nft: Pass a line after printing out a debug message
Ville Skyttä (1):
iptables: Spelling fixes
Willem de Bruijn (1):
include: add linux/filter.h
fan.du (1):
iptables: Add IPv4/6 IPcomp match support
************************************
*** 2013-Nov-22: iptables-1.4.21 ***
************************************
Eric Dumazet (1):
xt_socket: add --nowildcard flag
Florian Westphal (3):
extensions: libxt_socket: update man page
doc: add libnetfilter_queue pointer to libxt_NFQUEUE.man
doc: merge ip6table man pages into ipv4 ones
Jozsef Kadlecsik (1):
extensions: libxt_set, libxt_SET: check the set family too
Kevin Cernekee (1):
ip6tables: Use consistent exit code for EAGAIN
Laurence J. Lane (8):
iptables: libxt_hashlimit.man: correct address
iptables: libxt_conntrack.man extraneous commas
iptables: libip(6)t_REJECT.man default icmp types
iptables: iptables-xm1.1 correct man section
iptables: libxt_recent.{c,man} dead URL
iptables: libxt_string.man add examples
extensions: libxt_LOG: use generic syslog reference in manpage
iptables: extensions/GNUMakefile.in use CPPFLAGS
Lutz Jaenicke (1):
iptables: correctly reference generated file
Pablo Neira Ayuso (7):
Merge branch 'stable-1.4.20'
Merge branch 'stable-1.4.20'
ip[6]tables: fix incorrect alignment in commands_v_options
build: add software version to manpage first line at configure stage
extensions: libxt_cluster: add note on arptables-jf
utils: nfsynproxy: fix error while compiling the BPF filter
iptables 1.4.21 release
Patrick McHardy (2):
extensions: add SYNPROXY extension
utils: add nfsynproxy tool
Phil Oester (4):
iptables: state match incompatibilty across versions
libxtables: xtables_ipmask_to_numeric incorrect with non-CIDR masks
iptables: improve chain name validation
iptables: spurious error in load_extension
stephen hemminger (1):
xtables: trivial spelling fix
************************************
*** 2013-Aug-08: iptables-1.4.20 ***
************************************
Alexey Perevalov (1):
doc: clarify DEBUG usage macro
Andy Spencer (1):
iptables: use autoconf to process .in man pages
Eric Leblond (1):
configure: display summary
Florian Westphal (2):
extensions: libipt_ULOG: man page should mention NFLOG as replacement
extensions: libxt_connlabel: use libnetfilter_conntrack
Jozsef Kadlecsik (2):
Introduce a new revision for the set match with the counters support
libxt_CT: Add the "NOTRACK" alias
Mart Frauenlob (7):
libip6t_mh: Correct command to list named mh types in manpage
extensions: libxt_DNAT: rename IPv4 manpage and tell about IPv6 support
extensions: libxt_REDIRECT: rename IPv4 manpage and tell about IPv6 support
extensions: libxt_NETMAP: rename IPv4 manpage and tell about IPv6 support
extensions: libxt_SNAT: rename IPv4 manpage and tell about IPv6 support
extensions: libxt_MASQUERADE: rename IPv4 manpage and tell about IPv6 support
extensions: libxt_LOG: rename IPv4 manpage and tell about IPv6 support
Pablo Neira Ayuso (7):
extensions: libxt_LED: fix parsing of delay
Merge branch 'stable'
Merge branch 'stable'
ip{6}tables-restore: fix breakage due to new locking approach
libxt_recent: restore minimum value for --seconds
iptables-xml: fix parameter parsing (similar to 2165f38)
iptables 1.4.20 release
Patrick McHardy (1):
extensions: add copyright statements
Phil Oester (7):
xtables: improve get_modprobe handling
ip[6]tables: Add locking to prevent concurrent instances
iptables: Fix connlabel.conf install location
ip6tables: don't print out /128
libip6t_LOG: target output is different to libipt_LOG
build: additional include path required after UAPI changes
iptables: iptables-xml: Fix various parsing bugs
Russell Senior (1):
libxt_recent: restore reap functionality to recent module
Willem de Bruijn (1):
build: fail in configure on missing dependency with --enable-bpf-compiler
holger@eitzenberger.org (1):
extensions: libxt_NFQUEUE: add --queue-cpu-fanout parameter
**************************************
*** 2013-May-29: iptables-1.4.19.1 ***
**************************************
Florian Westphal (1):
Revert "extensions: add connlabel match" duplicate
Michael Roth (1):
doc: mention SNAT in INPUT chain since kernel 2.6.36
Pablo Neira Ayuso (2):
build: bump version to 1.4.19
iptables 1.4.19.1 release
************************************
*** 2013-May-29: iptables-1.4.19 ***
************************************
Florian Westphal (3):
libxt_NFQUEUE: fix bypass option documentation
extensions: add connlabel match
extensions: add connlabel match
Mart Frauenlob (3):
ip[6]tables: show --protocol instead of --proto in usage
libxt_recent: Fix missing space in manpage for --mask option
extensions: libxt_multiport: Update manpage to list valid protocols
Nicolas Dichtel (1):
utils: nfnl_osf: use the right nfnetlink lib
Pablo Neira Ayuso (11):
libip6t_NETMAP: Use xtables_ip6mask_to_cidr and get rid of libip6tc dependency
Revert "build: resolve link failure for ip6t_NETMAP"
libxt_osf: fix missing --ttl and --log in save output
libxt_osf: fix bad location for location in --genre
libip6t_SNPT: add manpage
libip6t_DNPT: add manpage
Merge branch 'stable'
utils: updates .gitignore to include nfbpf_compile
extensions: libxt_bpf: clarify --bytecode argument
libxtables: fix parsing of dotted network mask format
build: bump version to 1.4.19
Patrick McHardy (1):
libxt_conntrack: fix state match alias state parsing
Willem de Bruijn (2):
extensions: add libxt_bpf extension
utils: nfbpf_compile
************************************
*** 2013-Mar-03: iptables-1.4.18 ***
************************************
Florian Westphal (1):
doc: rpfilter: invert option should have own paragraph
Jan Engelhardt (11):
build: resolve link failure for ip6t_NETMAP
doc: fixup omissions in ip6tables-restore.8
doc: document iptables-restore's -t option
doc: document iptables-restore's -v option
doc: document iptables-restore's -M option
doc: document iptables-restore's -h option
doc: name the supported log levels for ipt_LOG
doc: mention -m in the manpage
doc: document the -4 and -6 options
extensions: S/DNPT: add missing save function
build: bump SONAME for libxtables
Jozsef Kadlecsik (3):
Introduce match/target aliases
Add the "state" alias to the "conntrack" match
Merge branch 'master' of vishnu.netfilter.org:/data/git/iptables
Pablo Neira Ayuso (7):
iptables: remove unused leftover definitions
libxtables: add xtables_rule_matches_free
libxtables: add xtables_print_num
Merge branch 'stable' into 'master'
doc: document nat table for IPv6
doc: iptables provides up to 5 independent tables
build: bump version to 1.4.18
Ulrich Weber (3):
extensions: libip6t_DNPT: fix wording in DNPT target
extension: libip6t_DNAT: allow port DNAT without address
extensions: libip6t_DNAT: set IPv6 DNAT --to-destination
************************************
*** 2012-Dec-25: iptables-1.4.17 ***
************************************
Florian Westphal (1):
libxt_time: add support to ignore day transition
Jozsef Kadlecsik (1):
Manpage update: matches are evaluated in the order they are specified.
Pablo Neira Ayuso (2):
Merge branch 'next' branch that contains new features scheduled for Linux kernel 3.7
bump version to 1.4.17
Patrick McHardy (7):
Convert the NAT targets to use the kernel supplied nf_nat.h header
extensions: add IPv6 MASQUERADE extension
extensions: add IPv6 SNAT extension
extensions: add IPv6 DNAT target
extensions: add IPv6 REDIRECT extension
extensions: add IPv6 NETMAP extension
extensions: add NPT extension
Tom Eastep (1):
extensions: libxt_statistic: Fix save output
**************************************
*** 2012-Oct-18: iptables-1.4.16.3 ***
**************************************
Jan Engelhardt (2):
build: remove symlink-only extensions from static object list
build: resolve compile abort in libxt_limit on RHEL5
Pablo Neira Ayuso (1):
bump iptables to 1.4.16.3
**************************************
*** 2012-Oct-08: iptables-1.4.16.2 ***
**************************************
Jan Engelhardt (1):
iptables: restore NOTRACK functionality, target aliasing
Pablo Neira Ayuso (1):
bump version to 1.4.16.2
**************************************
*** 2012-Oct-08: iptables-1.4.16.1 ***
**************************************
Pablo Neira Ayuso (2):
iptables: fix standard target
bump version to 1.4.16.1
************************************
*** 2012-Oct-08: iptables-1.4.16 ***
************************************
Andreas Schwab (1):
libxt_tcp: print space before, not after "flags:"
Jan Engelhardt (23):
iptables-restore: warn about -t in rule lines
doc: grammatical updates to libxt_SET
libxt_u32: do bounds checking for @'s operands
libxt_devgroup: consolidate devgroup specification parsing
libxt_devgroup: guard against negative numbers
libxt_LED: guard against negative numbers
libxt_*limit: avoid division by zero
Merge remote-tracking branch 'nf/stable'
build: support for automake-1.12
build: separate AC variable replacements from xtables.h
build: have `make clean` remove dep files too
libxtables: consolidate preference logic
iptables: support for target aliases
libxt_NOTRACK: replace as an alias to CT --notrack
iptables: support for match aliases
libxt_state: replace as an alias to xt_conntrack
Merge branch 'master' of git://git.inai.de/iptables
doc: clean up interpunction in state list for xt_conntrack
doc: deduplicate extension descriptions into a new manpage
doc: trim "state" manpage and reference conntrack instead
doc: have NOTRACK manpage point to CT instead
doc: mention iptables-apply in the SEE ALSO sections
Merge branch 'master' of git://git.inai.de/iptables
Jozsef Kadlecsik (1):
New set match revision with --return-nomatch flag support
Michal Kubeček (1):
libip6t_frag: match any frag id by default
Pablo Neira Ayuso (6):
include: add missing linux/netfilter_ipv4/ip_queue.h
ip[6]tables-restore: cleanup to reduce one level of indentation
include: add missing linux/netfilter_ipv4/ip_queue.h
iptables: fix wrong error messages
extensions: libxt_addrtype: fix type in help message
bump version to 1.4.16
************************************
*** 2012-Jul-31: iptables-1.4.15 ***
************************************
Denys Fedoryshchenko (1):
libxt_recent: add --mask netmask
Eldad Zack (1):
libxt_recent: remove unused variable
Florian Westphal (2):
libxt_devgroup: add man page snippet
libxt_hashlimit: add support for byte-based operation
Hans Schillstrom (3):
extensions: add HMARK target
libxt_HMARK: fix output of iptables -L
libxt_HMARK: correct a number of errors introduced by Pablo's rework
Pablo Neira Ayuso (6):
libxtables: add xtables_ip[6]mask_to_cidr
libxt_HMARK: fix ct case example
iptables-restore: move code to add_param_to_argv, cleanup (fix gcc-4.7)
Revert "iptables-restore: move code to add_param_to_argv, cleanup (fix gcc-4.7)"
iptables-restore: fix parameter parsing (shows up with gcc-4.7)
bump version to 1.4.15