News of the netfilter/iptables project
New coreteam member: Phil Sutter
The netfilter core team has invited Phil to join the coreteam.
Phil is a dedicated member of the Netfilter development community who
has already been responsible for recent updates in the iptables and
the nftables userspace codebase.
The Netfilter Core Team has released nfacct-1.0.2. This includes the quota support available since Linux kernel >= 3.16.
libnetfilter_acct 1.0.3 released
The Netfilter Core Team has released libnetfilter_acct-1.0.3. This release contains the quota support available in the Linux kernel >= 3.16.
conntrack-tools 1.4.4 released
The Netfilter Core Team has released conntrack-tools-1.4.4. This release includes NAT IPv6 support for state synchronization, list filtering with address masks, a new conntrackd.conf manpage, initial systemd integration and other minor documentation updates.
libnetfilter_conntrack 1.0.6 released
The Netfilter Core Team has released libnetfilter_conntrack-1.0.6. This release includes NAT IPv6 support, the new nfct_labels_get_path() interface, zones both for original and reply tuples and clang build fixes.
Statement of netfilter project on GPL enforcement
The netfilter project has released a public statement on GPL enforcement that is available by clicking here.
The Netfilter Core Team has released iptables-1.6.0. This release includes the first release of the iptables over nftables compatibility tools, accumulated fixes and enhancements.
The Netfilter Core Team has generated a new PGP key since the old one expired. We use this key to sign our software releases. For more information, please visit the PGP section in this homepage.
The Netfilter Core Team has released libnftnl-1.0.5, to resolve LIBVERSION and symbol versioning problems with the previous release.
conntrack-tools 1.4.3 released
The Netfilter Core Team has released conntrack-tools-1.4.3. This release includes accumulated bugfixes.
libnetfilter_conntrack 1.0.5 released
The Netfilter Core Team has released libnetfilter_conntrack-1.0.5. This release includes accumulated bugfixes.
The Netfilter Core Team has released ulogd-2.0.4. This release includes JSON output and bugfixes.
The Netfilter Core Team has released ulogd-2.0.3. This release includes improved support for database output and bugfixes.
conntrack-tools 1.4.2 released
The Netfilter Core Team has released conntrack-tools-1.4.2. This release includes bugfixes and the connlabel support.
The Netfilter Core Team has released ulogd-2.0.2. This release includes support for the graphite output and bugfixes.
The Netfilter Core Team has released nfacct-1.0.1. This release includes a new command to restore counters.
conntrack-tools 1.4.1 released
The Netfilter Core Team has released conntrack-tools-1.4.1. This release includes one bugfix for conntrackd.
We are happy to announce that our Netfilter core team fellow
Eric Leblond has become the official maintainer
of ulogd.
Netfilter core team updates
The Netfilter Core Team has been updated. We welcome new fellow hackers Eric Leblond and Florian Westphal. They have been invited to join us for their longstanding contributions to the Netfilter codebase. On the other hand, we have to say a big thank you to Harald Welte, Martin Josefsson and Yasuyuki Kozakai, who have now entered the exclusive status of Emeritus core team members.
The Netfilter Core Team has released ulogd-2.0.1. This release includes support for the nfacct infrastructure (available since Linux kernel 3.4).
conntrack-tools 1.4.0 released
The Netfilter Core Team has released conntrack-tools-1.4.0. This release adds the new user-space helper infrastructure plus the NFSv3 and Oracle*TNS helpers. This requires a Linux kernel >= 3.6.
conntrack-tools 1.2.2 released
The Netfilter Core Team has released conntrack-tools-1.2.2. This release contains bugfixes.
The Netfilter Core Team has released iptables-1.4.15. This release includes support for new features added to Linux kernel 3.5 and one major bugfix if gcc-4.7 is used.
By popular demand, the Netfilter Core Team has released ulogd-2.0.0. Series 1.x has entered end-of-life. Any development effort will be targeted to 2.x series. Please, upgrade to 2.x.
conntrack-tools 1.2.1 released
The Netfilter Core Team has released conntrack-tools-1.2.1. It fixes a compilation issue in 1.2.0.
conntrack-tools 1.2.0 released
The Netfilter Core Team has released conntrack-tools-1.2.0. This release includes the support for expectation synchronization and the new nfct tool (to be used with the new cttimeout infrastructure available since Linux kernel 3.4.0).
libnetfilter_conntrack 1.0.1 released
The Netfilter Core Team has released libnetfilter_conntrack-1.0.1. This update contains important improvements for the expectation support.
Secure use of iptables and connection tracking helpers
Eric Leblond has published an interesting article on the secure use of the Connection Tracking helpers in his blog.
The Netfilter Core Team has generated a new PGP key since the old one expired. We use this key to sign our software releases. For further information, please visit the PGP section in this homepage.
iptables 1.4.9.1 released
The Netfilter Core Team has released iptables-1.4.9.1.
ulogd 2.0.0beta4 released
The Netfilter Core Team has released ulogd 2.0.0beta4.
conntrack-tools 0.9.13 released
The Netfilter Core Team has released conntrack-tools-0.9.13. With regards to the command line tool, this release includes support for all the protocol helpers available in 2.6.30 that were missing so far (SCTP, UDPlite, DCCP and GRE). The daemon updates include a fix for a memory leak that can be triggered under heavy load when the user-space hashtable is configured smaller than the one in the kernel. Moreover, it adds initial support for DCCP and SCTP state synchronization.
iptables 1.4.3.2 released
The Netfilter Core Team has released iptables-1.4.3.2 which contains accumulated bugfixes.
conntrack-tools 0.9.12 released
The Netfilter Core Team has released conntrack-tools-0.9.12, which includes a new `-S' option for the command line tool and a generic infrastructure that allows different protocols to be used to replicate state changes; currently unicast UDP and multicast are supported.
iptables 1.4.3.1 released
The Netfilter Core Team has released iptables-1.4.3.1 which fixes compilation problems in 1.4.3 and a couple of minor issues.
Patrick McHardy has released nftables, which is the intended successor of iptables. The project is still in alpha stage. You can get more info in this link.
ulogd 2.0.0beta3 released
The Netfilter Core Team has released ulogd 2.0.0beta3. This is another development release of ulogd2, the re-incarnation of ulogd that includes flow and packet accounting capabilities. This release includes accumulated fixes.
ipset 2.5.0 has been released.
libnfnetlink 0.0.41, libnetfilter_queue 0.0.17 and libnetfilter_log 0.0.16 releases
The Netfilter Core Team has released several library updates:
This release set includes accumulated fixes.
conntrack-tools 0.9.11 released
The Netfilter Core Team has released conntrack-tools-0.9.11 that includes accumulated fixes, one improvement for the polling approach and a couple of new features.
ipset 2.4.8 has been released. This release contains one bugfix for hash-sets, the use of the new Jenkins' hash function for better performance and a couple of minor compilation fixes.
ipset 2.4.7 has been released. This release contains a compatibility fix for Linux kernels >= 2.6.28 and minor cleanup. There is no need to upgrade unless you want to use recent Linux kernels.
conntrack-tools 0.9.10 released
The Netfilter Core Team has released conntrack-tools-0.9.10. This release includes fixes, improvements and new features: the new statistics options, multi-dedicated link support and polling (or batch-based) support for conntrackd, and the `-C' option for the command line interface to display the number of entries in the state and expectation tables. Feedback is welcome!
The ipset tree has moved to the Netfilter git tree; the former subversion repository will not be updated any longer. Please update your bookmarks.
libnfnetlink 0.0.40 released
The Netfilter Core Team has released libnfnetlink-0.0.40. This release includes a couple of updates and one fix for the interface2index infrastructure.
conntrack-tools 0.9.9 released
The Netfilter Core Team has released conntrack-tools-0.9.9. This release includes tons of updates, fixes and improvements. Upgrade is recommended.
libnetfilter_conntrack release
The netfilter core team has released libnetfilter_conntrack-0.0.98 that includes one major fix, a couple of minor fixes, the new attribute group API and cleanups.
conntrack-tools 0.9.8 released
The Netfilter Core Team has released conntrack-tools-0.9.8. This release includes tons of updates, fixes and improvements in the command line tool and the user-space daemon. Upgrade is recommended.
ulogd 2.0.0beta2 released
The Netfilter Core Team has released ulogd 2.0.0beta2. This is another development release of ulogd2, the re-incarnation of ulogd that includes flow and packet accounting capabilities. This release includes major improvements and fixes. We have also released libnetfilter_log-0.0.15, which is required by this ulogd2 release.
The Netfilter Core Team has released:
This release set includes several bugfixes. Please, upgrade!
iptables 1.4.1.1 released
The Netfilter Core Team has released iptables-1.4.1.1, a pure bugfix release for regressions reported against the 1.4.1 release.
We are moving from subversion to git. You can access Netfilter's git web from http://git.netfilter.org/. Please, update your bookmarks.
Netfilter workshop 2008 announced
The Netfilter workshop 2008 has been announced and the official webpage is online.
This year's workshop will be held in Paris, France, from September 29th to October 3rd. More details are available at the workshop page.
The netfilter core team has released libnfnetlink-0.0.33. This release includes minor updates. Upgrade is recommended.
conntrack-tools 0.9.6 release
The netfilter core team has released conntrack-tools-0.9.6, another development release of the conntrack-tools. This upgrade includes tons of improvements, new features and bugfixes:
- IPv6 support and new manpage for conntrackd
- XML and timestamp support for conntrack
- Secmark support
- Improved performance
- Support for VLAN interfaces
- Support for related connections and NAT sequence adjustments (helpers)
- Improved statistics support
- Tons of cleanups and improvements from Max Kellermann
The netfilter core team has released libnetfilter_conntrack-0.0.89, which includes new features and minor fixes. This release explicitly marks the old API as deprecated, as it will be removed in the future. Upgrade is recommended.
The netfilter core team has released iptables-1.4.0. This is the first final release of the new iptables branch 1.4. This release contains lots of bugfixes and improvements for the previous release candidate which strongly improves IPv6 support. Please, upgrade!
Michael Rash's book on Linux Firewalls and IDS/IPS
Linux Firewalls is subtitled "Attack Detection and Response with iptables, psad, and fwsnort", and focuses heavily on what is possible from an intrusion detection and prevention standpoint within the context of iptables. There are many books that discuss firewall concepts and still other books that discuss intrusion detection, but none that really focus on the combination of the two technologies. Significant coverage in Linux Firewalls is devoted to seeing how attacks appear within iptables logs (with automated analysis performed by psad), and how the string match extension is used by fwsnort to detect application layer attacks. The book has two chapters on port knocking and Single Packet Authorization, and wraps up with a set of visualizations with Gnuplot and AfterGlow of iptables log data from the Honeynet project. The book is available for a substantial discount at:
http://www.nostarch.com/firewalls_mr.htm
An online site for the book is maintained at:
http://www.cipherdyne.org/LinuxFirewalls
libnetfilter_conntrack release
The netfilter core team has released libnetfilter_conntrack-0.0.82 that includes TCP flags support and one bugfix for big-endian platforms. Upgrade is recommended.
The netfilter core team has released iptables-1.4.0rc1. This is the first release candidate of the new iptables branch 1.4. This release candidate adds support for the generic xtables infrastructure, which strongly improves IPv6 support. Several accumulated bugfixes are also included. Test it!
Netfilter-related Linux kernel security updates
Nowadays, Linux kernel related security issues are handled through the -stable series. Since part of the Netfilter project's software lives in the Linux kernel, please do not expect to find kernel-related security announcements in our security section. That section will contain only userspace-related problems (i.e. those regarding libraries and tools).
libnetfilter_queue release
The netfilter core team has released libnetfilter_queue-0.0.15 that contains the index2interface API introduced by Eric Leblond. Upgrade is recommended.
The netfilter core team has released libnfnetlink-0.0.30. This release includes several bugfixes and the index2interface API. Upgrade is strongly recommended.
conntrack-tools 0.9.5 release
The netfilter core team has released conntrack-tools-0.9.5. This release includes important improvements. Upgrade is strongly recommended.
libnetfilter_conntrack release
The netfilter core team has released libnetfilter_conntrack-0.0.81 that includes minor changes and bugfixes. Upgrade is recommended.
conntrack-tools 0.9.4 release
The netfilter core team has released conntrack-tools-0.9.4. This release includes several bugfixes and improvements. Upgrade is recommended.
libnetfilter_conntrack release
The netfilter core team has released libnetfilter_conntrack-0.0.80 that includes accumulated bugfixes. Upgrade is recommended.
The netfilter core team has released iptables-1.3.8, which contains lots of accumulated bugfixes, manpage updates, and support for IPv6-MH, TCPMSS and port randomization for NAT. Upgrade is recommended.
The netfilter core team has released conntrack-tools-0.9.3, which contains the userspace daemon, conntrackd, and a command line interface, conntrack. Both tools let system administrators interact with the Netfilter Connection Tracking System from userspace, covering specific aspects of highly available firewall setups. Upgrade is recommended.
libnetfilter_conntrack release
The netfilter core team has released libnetfilter_conntrack-0.0.75 that includes the new expectation API, some examples files under the utils/ directory and several bugfixes. Upgrade is recommended.
Netfilter Workshop in Karlsruhe, Germany
Following the latest successful workshop in Sevilla, Andalusia, Spain in September 2005, we are happy to announce the next edition in the workshop series. This year the event will be hosted in Karlsruhe, Germany from September 11th to 14th, 2007. For more information, please visit the official website of the workshop.
The Netfilter Core Team has generated a new PGP key since the old one expired. We use this key to sign all software released by the project. For further information visit the PGP section in this homepage.
New netfilter core team member: Pablo Neira Ayuso
The Netfilter Core Team is proud to announce the addition of Pablo Neira Ayuso as a new member. He has repeatedly demonstrated high insight and coding standards, and has already been responsible for several parts of the codebase, especially ctnetlink, conntrack and conntrackd. By joining the Core Team, Pablo will definitely help advance the development of the Netfilter project to a higher level.
New iptables 1.3.7 release
The netfilter core team has released iptables-1.3.7.
The 1.3.7 version is a maintenance release that contains accumulated bugfixes against iptables-1.3.6. This release fixes compilation issues with the recently released kernel 2.6.19.
New iptables 1.3.6 release
The netfilter core team has released iptables-1.3.6.
The 1.3.6 version is a maintenance release that contains accumulated bugfixes against iptables-1.3.5.
New iptables 1.3.5 release
The netfilter core team has released iptables-1.3.5.
The 1.3.5 version is a maintenance release that contains accumulated bugfixes against iptables-1.3.4. It also fixes some compilation issues with certain old kernel header versions.
The netfilter core team has released ulogd-1.24.
This release is a strict maintenance release, since all new development happens in the ulogd-2.x branch.
Various fixes have been included since version 1.23, most importantly the erroneous printing of PROTO=0 when an IP packet in reality has a different layer four protocol, and a memory hole in the postgresql plugin.
New ulogd-2.00beta1 release
The netfilter core team has released ulogd-2.00beta1.
This release is the first public beta of the next generation userspace logging daemon. It features packet-based logging with the iptables ULOG and NFLOG targets, as well as flow based logging (and accounting) via ip_conntrack_netlink and libnetfilter_conntrack.
Stable production systems should stay with ulogd-1.x until the 2.00beta series is over.
New libnfnetlink, libnetfilter_conntrack and conntrack releases
The netfilter core team has released libnfnetlink-0.0.14, libnetfilter_conntrack-0.0.30 and conntrack-1.00beta1.
The releases now fully support nf_conntrack_netlink (which is expected in kernel 2.6.16).
New iptables 1.3.4 release
The netfilter core team has released iptables-1.3.4.
The 1.3.4 version is a maintenance release that contains accumulated bugfixes against iptables-1.3.3. It also fixes some compilation issues with iptables <= 1.3.3 and kernel >= 2.6.14.
New netfilter core team member: Yasuyuki Kozakai
The netfilter project announces that, following its invitation, Yasuyuki Kozakai has joined the netfilter core team. This is considered an appreciation of Yasuyuki's ongoing contributions, especially in the nf_conntrack and ip6_tables parts of the netfilter project.
Yasuyuki Kozakai is employed by Toshiba Co (Japan), and works on the USAGI project.
New planet.netfilter.org website goes online
The netfilter project has started the planet.netfilter.org website. It aggregates the RSS feeds of all (known) weblogs/diaries/journals of netfilter developers.
In addition to that, there is now a system-wide blosxom installation on people.netfilter.org. This means that netfilter developers who have an account on people.netfilter.org can very easily set up their own blog. Instructions have been added to ~/README.
New libnfnetlink, libnfnetlink_conntrack and conntrack release
The netfilter project has released libnfnetlink-0.0.10, libnfnetlink_conntrack-0.0.10 and conntrack-0.81.
Each of those three releases is the first official release of the respective project. They're the counterparts to the first pieces of the "next generation" netfilter subsystem that will be present in the 2.6.14 linux kernel release.
libnfnetlink is the low-level userspace library for nfnetlink based communication between the kernel-side netfilter and the userspace world.
libnfnetlink_conntrack is the library for userspace access to the in-kernel connection tracking table.
conntrack is a commandline program for listing, querying, deleting and updating entries in the connection tracking table. It also supports real-time tracing of connection tracking state changes (conntrack events).
New iptables 1.3.3 release
The netfilter core team has released iptables-1.3.3.
The 1.3.3 version is a maintenance release that contains accumulated bugfixes against iptables-1.3.2. It also adds support for the upcoming (kernel 2.6.14) NFQUEUE target.
New iptables 1.3.2 release
The netfilter core team has released iptables-1.3.2.
The 1.3.2 version is a maintenance release that contains accumulated bugfixes against iptables-1.3.1. No new matches/targets have been added.
New iptables 1.3.1 release
The netfilter core team has released iptables-1.3.1.
The 1.3.1 version contains some minor bugfixes against iptables-1.3.0.
New iptables 1.3.0 release
The netfilter core team has released iptables-1.3.0.
The final 1.3.0 version contains some minor bugfixes and is otherwise identical to the 1.3.0rc1 release candidate.
1.3.x is a major update to 1.2.11. Apart from fixing numerous bugs, it contains the much-hyped libiptc rewrite.
New iptables 1.3.0rc1 release
The netfilter core team has released iptables-1.3.0rc1.
This is a major update to 1.2.11. Apart from fixing numerous bugs, it contains the much-hyped libiptc rewrite.
No more patch-o-matic-ng releases
The netfilter project has ceased to issue 'official' patch-o-matic-ng releases. Please use the most current daily snapshot available from ftp.netfilter.org.
Updated patch-o-matic-ng release
The netfilter core team has released patch-o-matic-ng-20040621. This is the second 'official' release of our collection of features available for kernels >= 2.4.19 and >= 2.6.0.
New iptables 1.2.11 release
The netfilter core team has released iptables-1.2.11.
This is a minor update to 1.2.10, just fixing a makefile issue on systems where /bin/sh is not bash.
New iptables 1.2.10 release
The netfilter core team has released iptables-1.2.10.
This is a maintenance release that contains lots of bugfixes that have accumulated since iptables-1.2.9.
First patch-o-matic-ng release
The netfilter core team has released patch-o-matic-ng-20040302. It is the first release of our collection of features available for kernels >= 2.4.19 and >= 2.6.0.
Out-of-court settlement with Allnet GmbH on GPL'd iptables
The Netfilter Core Team has reached an amicable agreement with Allnet GmbH, a Germany-based vendor of networking equipment. Allnet was using netfilter/iptables software in their products without adhering to the obligations of the GPL.
For more information, see the full press release.
Core Team Announces Emeritus Members
The Netfilter Core Team has long discussed the issue of Core Team members who are no longer active. Dismissing them from the Core Team would deny them the benefits of such a prestigious title, should any become apparent.
Hence the conclusion is that Marc Boucher, James Morris and Rusty Russell are now "emeritus" members of the Netfilter Core Team. In this status, their involvement in the Core Team will be merely advisory. If they again become active and request reinstatement, they will return to full Core Team membership.
New patch-o-matic release
The netfilter core team has released patch-o-matic-20031219. It contains the most up-to-date bugfixes and new features available for kernels >= 2.4.19, including 2.4.24.
Please note that this release still does not yet support the just-released 2.6.0 kernel series. Expect a so-called 'patch-o-matic-ng' release for 2.6.x support in the next couple of weeks.
New iptables 1.2.9 release
The netfilter core team has released iptables-1.2.9.
This is a maintenance release that contains lots of bugfixes that have accumulated since iptables-1.2.8.
Proceedings of the second netfilter developer workshop
It's been quite some time since the second netfilter developer workshop. Jozsef has now set up a small page containing some of the presentations and a summary written by Harald.
New iptables release candidate
The netfilter core team has released iptables-1.2.9rc1.
This is the first release candidate for the upcoming 1.2.9 release. Please note that this is a release candidate, not a final release. It is supposed to be stable, but might still contain minor glitches. If you are testing 1.2.9rc1 and run into bugs, please immediately report them to bugzilla.
New patch-o-matic release
The netfilter core team has released patch-o-matic-20030912. It contains the most up-to-date bugfixes and new features available for kernels >= 2.4.18.
netfilter.org system downtime
Due to an unexpected event, we were forced to take down the netfilter.org machine on the 19th of August. Because of the then ongoing netfilter workshop, we were unable to start work on bringing the systems up again before Aug 21. As of now, www, mail (including lists), ftp, rsync and anoncvs are back up again. Developer cvs, bugzilla and cvsweb are still down. We are sorry for this inconvenience.
The long-awaited reprint of the netfilter T-Shirt has now arrived. They are plain white T-Shirts with the blue netfilter logo (as in the upper left corner of the homepage) printed on front. The shirts are available in sizes S, M, L, XL, XXL and are EUR 10 + shipping (EUR 5 intl. for one t-shirt) each. We accept orders at tshirt@netfilter.org.
New coreteam member: Martin Josefsson
The netfilter core team has invited Martin Josefsson to join the coreteam. Martin is a dedicated member of the Netfilter development community with high insight and coding standards, who has already been responsible for several parts of the codebase.
Netfilter Developer Workshop 2003
The netfilter core team proudly announces the second netfilter developer workshop, taking place from Aug 18 to Aug 20 2003 in Budapest, Hungary.
New iptables-1.2.8 release
The netfilter core team has released iptables-1.2.8. It contains lots of minor bugfixes that have accumulated since the 1.2.7a release.
netfilter/iptables bug tracking system
We have finally started to use a full-fledged bug tracking system. Please have a look at the netfilter/iptables bugzilla.
New patch-o-matic-20030107 release
The netfilter core team has released patch-o-matic-20030107. It contains the most up-to-date bugfixes and new features available for kernels >= 2.4.18.
New iptables-1.2.7a release
The netfilter core team has released iptables-1.2.7a and patch-o-matic-20020825. Both contain important bugfixes for new bugs introduced by the iptables-1.2.7 and patch-o-matic-20020806 releases.
For as yet unknown reasons, the netfilter and netfilter-devel lists have been deleted from lists.samba.org. While we are still investigating this problem, we have created new mailing lists at lists.netfilter.org. It is not clear whether there is a recent backup of the subscriber lists, so subscribing to the new lists is strongly recommended.
Netfilter t-shirts are now available. They are plain white t-shirts with the blue netfilter logo (as in the upper left corner of the homepage) printed on front. The shirts are available in sizes S, M, L, XL, XXL and are EUR 10 + shipping (EUR 5 intl. for one t-shirt) each. Please direct orders to tshirt@netfilter.org.
We have issued a security announcement about a bug in the ICMP NAT code, resulting in a possible information leak.