From: Florian Westphal <fw-AT-strlen.de>
To: netfilter <netfilter-AT-vger.kernel.org>, netfilter-devel <netfilter-devel-AT-vger.kernel.org>
Subject: [ANNOUNCE] iptables 1.8.0 release
Date: Fri, 6 Jul 2018 11:32:14 +0200
Message-ID: <20180706093214.6u3wefjg7mmtlmne@breakpoint.cc>
Hi!
The Netfilter project proudly presents:
iptables 1.8
This release contains fixes and the following new features:
- The ipv6 'srh' match can now match previous/next/last sid
- CONNMARK target now supports bit-shifting for restore, set and save-mark.
- DNAT now supports shifted portmap ranges.
A full change log is attached to this announcement.
This release introduces a more prominent distinction between the
'classic' iptables and 'new' iptables front-end that internally uses the
nf_tables API to talk to the kernel.
The '--version' option can be used to find out which interface is used internally:
iptables --version
iptables v1.8 (legacy)
iptables --version
iptables v1.8 (nf_tables)
legacy commandline tools:
ip6tables-legacy-save
ip6tables-legacy-restore
ip6tables-legacy
iptables-legacy-save
iptables-legacy-restore
iptables-legacy
nf_tables commandline tools:
ip6tables-nft-save
ip6tables-nft-restore
ip6tables-nft
iptables-nft-save
iptables-nft-restore
iptables-nft
new commands available with nf_tables backend:
1. xtables-monitor
This tool shows changes to the ruleset and can display
packet trace information for ruleset debugging. Examples:
Show ruleset evaluation results of packets that have been selected via
-j TRACE target:
# xtables-monitor --trace
PACKET: 10 fa6b77e1 IN=wlan0 MACSRC=51:1 ..SRC=2a00::1 .. DPORT=13024
TRACE: 10 fa6b77e1 raw:PREROUTING:return:
TRACE: 10 fa6b77e1 raw:PREROUTING:policy:DROP
PACKET: 10 ab9a14cf IN=wlan0 MACSRC=51:1 ..SRC=2a00::1 .. DPORT=21242
Show changes to ruleset:
# xtables-monitor --event
NEWGEN: GENID=14 PID=13331 NAME=iptables-nft
EVENT: -4 -t filter -A INPUT -s 10.0.0.0/8 -j DROP
NEWGEN: GENID=15 PID=13332 NAME=iptables-nft
EVENT: -6 -t filter -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
NEWGEN: GENID=16 PID=13334 NAME=ip6tables-nft
2. ebtables (aims to be a drop-in replacement for the 'ebtables' tool)
3. arptables (likewise, drop-in replacement for 'arptables' tool)
4. the 'translate' family of tools:
ip6tables-translate
ip6tables-restore-translate
iptables-restore-translate
iptables-translate
These are text converters that take iptables syntax and provide output
that can be read by the native nftables command line tool, nft.
We currently recommend that distributions install the 'legacy' versions
by default for stable/production releases.
For experimental releases we recommend that distributors make the
nf_tables commands available as an alternative so that the iptables,
ip6tables, iptables-restore, etc. commands are created as symbolic
links to xtables-nft-multi.
Advantages of the 'nf_tables' variant:
- No need to use the --wait option to iptables to avoid
concurrency issues (--wait is a no-op in the nf_tables versions)
- 3rd party daemons can monitor ruleset for changes instead of polling
current ruleset
- xtables-monitor command allows debugging the ruleset using --trace option
in combination with the iptables TRACE target and display changes
to the ruleset configuration
- addition or removal of rules does not change internal state of other
matches such as limit or quota.
See ChangeLog that comes attached to this email for more details.
You can download it from:
http://www.netfilter.org/projects/iptables/downloads.html...
To build the code, libnftnl 1.1.1 and libmnl >= 1.0.3 are required:
* http://netfilter.org/projects/libnftnl/index.html
* http://netfilter.org/projects/libmnl/index.html
In case of bugs and feature requests, file them via:
* https://bugzilla.netfilter.org
Happy firewalling!
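The announcement's point about monitoring instead of polling suggests feeding `xtables-monitor --event` output into change auditing. The following parser is an added example (not part of the announcement or of the iptables project) that groups EVENT lines into the generation that commits them and flags changes worth a second look; it assumes, as the sample output above suggests, that the NEWGEN line is printed when a batch commits, i.e. after its EVENT lines, and uses the announcement's own output as constructed sample input.

```python
import re
from dataclasses import dataclass

# Constructed sample input, copied from the xtables-monitor --event output in the announcement.
SAMPLE = """\
NEWGEN: GENID=14 PID=13331 NAME=iptables-nft
EVENT: -4 -t filter -A INPUT -s 10.0.0.0/8 -j DROP
NEWGEN: GENID=15 PID=13332 NAME=iptables-nft
EVENT: -6 -t filter -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
NEWGEN: GENID=16 PID=13334 NAME=ip6tables-nft
"""

NEWGEN_RE = re.compile(r"^NEWGEN: GENID=(\d+) PID=(\d+) NAME=(\S+)$")
EVENT_RE = re.compile(r"^EVENT: (-4|-6) (.*)$")


@dataclass
class Generation:
    genid: int
    pid: int
    name: str      # process name reported for the committing tool
    events: list   # (family, rule) tuples committed in this generation


def parse_events(text):
    """Group EVENT lines into the generation (batch commit) that closes them.
    Assumption: NEWGEN is emitted on commit, after the EVENT lines of its batch,
    which matches the order of the sample output."""
    gens, pending = [], []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            pending.append((m.group(1), m.group(2)))
            continue
        m = NEWGEN_RE.match(line)
        if m:
            gens.append(Generation(int(m.group(1)), int(m.group(2)), m.group(3), pending))
            pending = []
    # pending holds events whose committing NEWGEN has not been seen yet
    return gens, pending


def flag_changes(gens, expected_tools=("iptables-nft", "ip6tables-nft")):
    """Return (genid, tool, rule) for changes made by an unexpected tool or
    that open inbound traffic (an ACCEPT appended to INPUT)."""
    findings = []
    for g in gens:
        for _family, rule in g.events:
            opens_input = "-A INPUT" in rule and "-j ACCEPT" in rule
            if g.name not in expected_tools or opens_input:
                findings.append((g.genid, g.name, rule))
    return findings
```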