Ana Rey (7):
      xtables-standalone: call nft_fini in the error path
      nft: fix memory leaks in nft_xtables_config_load
      iptables: nft: fix memory leaks in nft_fini
      extensions: libxt_devgroup: Fix the path of the group mappings file
      iptables-compat: homogenize error messages
      extensions: devgroup: fix showing and saving of dst-group
      iptables-compat: homogenize error messages with 'R' option

Andreas Herz (3):
      extension: libip6t_ipv6header: fix wrong headername in ipv6header for protocols
      extensions: icmp6: added missing icmpv6 dest-unreach codes
      added missing icmpv6 codes in REJECT

Anton Danilov (1):
      xtables: SET target: Add mapping of meta informations (skbinfo ipset extension)

Arturo Borrero (38):
      iptables-compat: kill add_*() invflags parameter
      nft-compat: create a separated object update type to rename chains
      nft-bridge: fix printing of inverted protocols, addresses
      nft-bridge: fix inversion of builtin matches
      iptables: xtables-eb: delete extra 'policy' printf
      iptables: xtables-eb: user-defined chains default policy is always RETURN
      iptables: xtables-eb: fix renaming of chains
      extensions: add ebt 802_3 extension
      ebtables-compat: fix counter listing
      ebtables-compat: fix printing of extension
      ebtables-compat: fix segfault in rules w/o target
      ebtables-compat: include /etc/ethertypes in tarball
      ebtables-compat: fix ACCEPT printing by simplifying logic
      include: cache copy of Linux header uapi/linux/netfilter_bridge/ebt_802_3.h
      ebtables-compat: add nft rule compat information to bridge rules
      ebtables-compat: prevent options overwrite
      ebtables-compat: prevent same matches to be included multiple times
      ebtables-compat: include rule counters in ebtables rules
      ebtables-compat: fix nft payload bases
      ebtables-compat: add 'ip' match extension
      ebtables-compat: add mark_m match extension
      extensions: cleanup commented code in ebtables-compat extensions
      libxtables: search first for AF-specific extension
      ebtables-compat: call extensions final checks
      ebtables-compat: finish target infrastructure
      ebtables-compat: add mark target extension
      ebtables-compat: add watchers support
      ebtables-compat: add log watcher extension
      arptables-compat: add mangle target extension
      libxt_quota: fix _save() invert syntax
      ebtables-compat: support nflog extension
      arptables-compat: add support for the CLASSIFY target
      arptables-compat: delete extra space in target printing
      ebtables-compat: add support for limit extension
      ebtables-compat: add a bridge-specific exit_error function
      ebtables-compat: fix rule deleting with -D in rules with no target
      list: fix prefetch dummy
      libxtables: find extensions based on family too

Arturo Borrero Gonzalez (1):
      ebtables-compat: fix misplaced function attribute on ebt_print_error()

Dan Wilder (1):
      libxtables: move some code to avoid cautions in vfork man page

Daniel Borkmann (4):
      iptables: snat: add randomize-full support
      iptables: add libxt_cgroup frontend
      cgroup, man: improve man-page bits
      libxt_CT: add support for recently introduced zone options

Domen Puncer (1):
      libxtables: fix getaddrinfo return value usage

Felix Janda (5):
      consistently use
      include: remove libc5 support code
      include: Sync with ethernetdb.h from ebtables
      include Use types from xtables.h
      include: Sync with upstream kernel headers

Florian Westphal (15):
      Merge branch 'stable-1.4.20'
      iptables.8: --policy is either ACCEPT or DROP
      extensions: libxt_connlabel: do not open config file from _init hook
      man: string: document icase
      tests: split into family and table specific files
      tests: add test case for xt_recent regression
      extensions: remove MIRROR
      extensions: remove SAME target
      extensions: remove 'unclean' match
      extensions: add more test cases for iptables-test.py
      extensions: SNPT,DNPT: fix save/print output
      extensions/libxt_recent.t: add test case for 3.19 regression
      extensions: libip6t_dst: make inversion work
      tests: remove old test cases
      man: using physdev match in OUTPUT is not supported anymore

Giuseppe Longo (33):
      nft: fix leak of rule and chain iterators
      nft: fix leak of chain iterator in nft_rule_list
      xtables: allow to zero chains via -Z
      nft: break loop after found matching chain
      nft: print counter issues
      nft: fix another memleak in nft_rule_list_cb
      xtables: nft: display rule by number via -L
      nft: associate table configuration to handle via nft_init
      nft: fix family operation lookup
      nft: load only the tables of the current family
      nft: refactoring parse operations for more genericity
      xtables: bootstrap ARP compatibility layer for nftables
      xtables: nft-arp: implements is_same op for ARP family
      xtables: arp: add rule replacement support
      xtables: arp: add delete operation
      xtables: arp: zeroing chain counters
      nft: arp: initialize flags in nft_arp_parse_meta
      nft: arp: add parse_target to nft_family_ops_arp
      nft: arp: fix possible string overflow
      nft: adds save_matches_and_target
      nft-arp: adds nft_arp_save_firewall
      xtables-events: prints arp rules
      nft-arp: fix is_same_interfaces arguments
      nft-arp: wrong condition in parse_payload
      nft: replace nft_rule_attr_get_u8
      nft: save: fix the printing of the counters
      nft-arp: remove wrong conditions
      nft: compare layer 4 protocol in first place
      nft: add nft_xt_ctx struct
      nft: fix syntax error in nft_parse_cmp()
      nft-ipv46: replace offset var with ctx->payload.offset
      ebtables-compat: fix print_header
      ebtables-compat: build ebtables extensions

Gustavo Zacarias (1):
      iptables-save: remove dlfcn.h include

Harout Hedeshian (2):
      extensions: libxt_socket: add --restore-skmark option
      extensions: libxt_socket: update man pages and tests for --restore-skmark

Jan Engelhardt (3):
      iptables: link against libnetfilter_conntrack
      build: resolve build error involving libnftnl
      extensions: restore matching any SPI id by default

Jiri Popelka (9):
      iptables: fix version in iptables(8)
      update FSF address in license text
      iptables: missing bracket in iptables-save(8)
      iptables-restore.8: missing -T in synopsis
      iptables-restore.8: file to read from can be specified as argument
      iptables-{save,restore}: warn that -b/--binary isn't implemented
      iptables-save: actually parse -M/--modprobe option
      iptables: add optional [seconds] argument to -w
      libxt_tcp: manpage correction

Jozsef Kadlecsik (1):
      Alignment problem between 64bit kernel 32bit userspace

Loganaden Velvindron (1):
      extensions: libxt_TEE: Trim kernel struct to allow deletion

Mart Frauenlob (2):
      extensions: libxt_set: Add missing hyphen to --bytes-eq synopsis in manpage
      libxtables: Print meaningful error message for an invalid MAC address string

Martin Topholm (1):
      extensions: libxt_SYNPROXY: initial manual page

Mike Frysinger (4):
      configure: fix 3rd arg w/AC_ARG_ENABLE
      build: add finer module blacklisting
      libiptc: fix fortify errors in debug code
      iptables: update gitignore list

Nicolas Dichtel (1):
      iptables: fix compilation when lib[mnl|nftables] are not in standard path

Pablo Neira Ayuso (186):
      add iptables unit test infrastructure
      extensions: libipt_ah: add unit test
      extensions: libip6t_ah: add unit test
      extensions: libipt_LOG: add unit test
      extensions: libxt_addrtype: add unit test
      extensions: libip6t_LOG: add unit test
      extensions: libxt_cluster: add unit test
      extensions: libxt_comment: add unit test
      extensions: libxt_AUDIT: add unit test
      extensions: libxt_CHECKSUM: add unit test
      extensions: libxt_CLASSIFY: add unit test
      extensions: libxt_connbytes: add unit test
      extensions: libxt_connlimit: add unit test
      extensions: libxt_connmark: add unit test
      extensions: libxt_CONNMARK: add unit test
      extensions: libxt_hashlimit: add unit test
      extensions: libxt_time: add unit test
      extensions: libxt_length: add unit test
      extensions: libxt_udp: add unit test
      extensions: libxt_tcp: add unit test
      extensions: libxt_tos: add unit test
      extensions: libxt_NFLOG: add unit test
      extensions: libxt_dccp: add unit test
      extensions: libxt_esp: add unit test
      extensions: libxt_helper: add unit test
      extensions: libipt_icmp: add unit test
      extensions: libxt_NFQUEUE: add unit test
      extensions: libipt_ttl.t: add unit test
      extensions: libxt_pkttype: add unit test
      extensions: libxt_CT: add unit test
      extensions: libxt_state: add unit test
      extensions: libxt_string: add unit test
      extensions: libxt_rateest: add unit test
      extensions: libxt_nfacct: add unit test
      extensions: libxt_mark: add unit test
      extensions: libipt_REJECT: add unit test
      extensions: libxt_sctp: add unit test
      extensions: libxt_NOTRACK: add unit test
      extensions: libipt_MASQUERADE: add unit test
      extensions: libxt_standard: add unit test
      extensions: libipt_ECN: add unit test
      extensions: libxt_TRACE: add unit test
      extensions: libxt_TOS: add unit test
      extensions: libxt_DSCP: add unit test
      extensions: libip6t_eui64: add unit test
      extensions: libxt_limit: add unit test
      extensions: libxt_conntrack: add unit test
      extensions: libipt_ULOG: add unit test
      extensions: libxt_multiport: add unit test
      extensions: libip6t_REJECT: add unit test
      extensions: libxt_dscp: add unit test
      extensions: libxt_cpu: add unit test
      extensions: libxt_quota: add unit test
      extensions: libxt_iprange: add unit test
      extensions: libxt_physdev: add unit test
      extensions: libxt_TEE: add unit test
      extensions: libipt_SNAT: add unit test
      extensions: libip6t_DNAT: add unit test
      extensions: libxt_owner: add unit test
      extensions: libxt_MARK: add unit test
      build: don't include tests in released tarball
      use nf_tables and nf_tables compatibility interface
      automatic creation of built-in table and chains
      rework automatic creation of built-in table and chains
      iptables: nft: add -f support
      nft: fix missing rule listing in custom chains with -L
      headers: remove unused compatibility definitions
      iptables: nft: move priority to chain instead of table
      iptables: nft: remove __nft_check_rule
      iptables: nft: use 64-bits handle
      iptables: nft: use chain types
      xtables-restore: add support for dormant tables
      nft: adapt chain rename to recent Patrick's updates
      xtables: fix crash due to using wrong globals
      xtables-restore: fix custom user chain restoration
      xtables: fix compilation warning
      xtables: purge out user-define chains from the kernel
      xtables-restore: support atomic commit
      xtables: nft: add protocol and flags for xtables over nf_tables
      xtables-restore: support test option `-t'
      nft: fix crash if TRACE is used
      xtables: ipv6: fix wrong error if -p is used
      xtables: ipv6: add missing break in nft_parse_payload_ipv6
      xtables: ipv6: fix -D with -p
      add xtables-events
      xtables-restore: add -4 and -6 support
      xtables-save: add -4 and -6 support
      nft: remove license for header file
      xtables: fix missing xtables_exit_error definition
      xtables-standalone: fix error message
      xtables-config: priority has to be per-chain to support
      nft: load tables and chains based on /etc/xtables.conf
      xtables: support family in /etc/xtables.conf file
      xtables-config: fix off by one in parsed strings from /etc/xtables.conf
      xtables: fix missing protocol and invflags
      xtables-config-parser: fix compilation warning
      iptables: update .gitignore
      xtables: add new container xtables_args structure
      xtables: add new nft_ops->post_parse hook
      xtables: remove unused leftover definitions
      xtables: fix compilation due to missing autogenerated header
      nft: don't call nft_init in nft_xtables_config_load
      xtables-restore: output the same error message that iptables-restore uses
      xtables: fix -p protocol
      nft: fix leaks in nft_xtables_config_load
      xtables: remove bogus comment on chain rename
      xtables: nft: remove lots of useless debugging messages
      xtables: do not proceed if nft_init fails
      xtables: fix missing afinfo configuration
      xtables: nft: display rule number via -S
      xtables-events: print usage on wrong arguments
      xtables-events: fix missing newline in table and chain events
      nft: fix built-in chain ordering of the nat table
      src: use nft_*_list_add_tail
      nft: break chain listing if only one if looked for
      nft: fix selective chain display via -S
      xtables: add -I chain rulenum
      xtables: remove bogus comment regarding rule replacement
      nft: no need for rule lookup if no position specified via -I
      xtables: fix typo in add_entry for the IPv6 case
      nft: fix match revision lookup for IPv6
      etc: add default IPv6 table and chain definitions
      xtables: use xtables_rule_matches_free
      nft: fix wrong flags handling in print_firewall_details
      nft: use xtables_print_num
      nft: generalize rule addition family hook
      xtables: nft-arp: fix endianess in nft_arp_parse_payload
      nft: consolidate nft_rule_find for ARP, IPv4 and IPv6
      nft: consolidate nft_rule_new to support ARP
      nft: consolidate nft_rule_* functions to support ARP
      include: cache netfilter_arp kernel headers
      nft: adapt nft_rule_expr_get to use uint32_t instead of size_t
      xtables: batch rule-set updates into one single netlink message
      xtables: fix missing ipt_entry for MASQUERADE target
      nft: pass ipt_entry to ->save_firewall hook
      nft: fix bad length when comparing extension data area
      nft: fix interface wildcard matching
      xtables-events: fix compilation due change in libnftables
      nft: fix inversion of built-in selectors
      nft: fix out of bound memory copy
      nft: fix wrong function to release iterator
      nft: fix inconsistent data type in NFT_EXPR_CMP_OP and NFT_EXPR_META_KEY
      configure: fix wrong reference to the conntrack-tools
      configure: rename --disable-xtables to --disable-nftables
      configure: conditional dependencies for nftables-compat
      xtables-restore: remove dependency with libip4tc
      xtables: add xtables-compat-multi for the nftables compatibility layer
      nft-compat: fix IP6T_F_GOTO flag handling
      nft-compat: fix wrong protocol context in initialization
      Merge branch 'nft-compat'
      iptables.8: update coreteam members from manpage
      Merge branch 'next-3.14'
      iptables: nft: generalize batch infrastructure
      iptables: nft: remove unused code
      iptables: nft: add tables and chains to the batch
      Makefile: fix static compilation iptables-compat without shared libraries
      iptables-compat: fix address prefix
      iptables-compat: nft: use nft_batch_begin and nft_batch_end from libnftnl
      iptables-compat: fix use after free in the batch send path
      iptables-compat: get rid of error reporting via perror
      Merge branch 'tests'
      iptables-compat: nft: fix user chain addition, deletion and rename
      iptables-compat: nft: fix error reporting
      arptables-compat: fix missing error reporting
      arptables-compat: allow to not specify a target
      arptables-compat: get output in sync with arptables -L -n --line-numbers
      arptables-compat: remove save code
      refresh nf_tables.h cached copy
      iptables-compat: fix chain policy reset with iptables -L -n
      iptables-compat: statify unused built-in table/chain functions
      iptables-compat: assume chain policy NF_ACCEPT when creating built-in chains
      iptables-compat: fix empty chains after first invocation of iptables-compat -L
      Merge branch 'ipset'
      nft: bootstrap ebtables-compat
      ebtables-compat: use ebtables_command_state in bootstrap code
      iptables: use flock() instead of abstract unix sockets
      Merge branch 'ebtables-compat'
      xshared: calm down compilation warning
      xtables-compat: remove unused fields from bridge and arp families
      iptables-compat: unset context flags in netlink delinearize step
      Merge branch 'ipset-next'
      extensions: fix several test errors
      iptables-compat: use new symbols in libnftnl
      iptables-compat: Keep xtables-config and xtables-events out from tree
      iptables 1.6.0 release
      iptables: fix static builds

Phil Oester (1):
      iptables-xml: fix segfault if missing space after -A

Ronald Wahl (1):
      libxtables: fix two off-by-one memory corruption bugs

Thomas Woerner (2):
      iptables-compat: Allow to insert into rule_count+1 position
      iptables-compat: Increase rule number only for the selected table and chain

Tomasz Bursztyka (41):
      headers: Make nf_tables.h up to date
      nft: Add support for chain rename options (-E)
      iptables: nft: Fix -D chain rulenum option
      iptables: nft: Refactor __nft_rule_check to return rule handle when relevant
      iptables: nft: Add support for -R option
      xtables: add IPv6 support
      nft: Split nft core to become family independant
      xtables: initialize xtables defaults even on listing rules
      xtables: policy can be changed only on builtin chain
      nft: Set the rule family when creating a new one
      nft: Handle error on adding rule expressions
      xtables: Remove useless parameter to nft_chain_list_find
      nft: add function to test for a builtin chain
      nft: Fix small memory leaks
      xtables: Do not dump before command parsing has been finished
      nft: Remove useless function
      nft: Optimize rule listing when chain and rulenum are provided
      nft: Make internal rule listing callback more generic
      nft: Remove useless test on rulenum in nft_rule_list()
      nft: Generalize nft_rule_list() against current family
      nft: Print unknown target data only when relevant
      nft: convert rule into a command state structure
      xtables: allow to reset the counters of an existing rule
      nft: Fix a minor compilation warning
      nft: skip unset tables on table configuration emulation
      xtables: arp: Store target entry properly and compare them relevantly
      extensions: add arptables' libxt_mangle.c for xtables-arp
      extensions: libxt_mangle: Fixes option issues
      nft: Header inclusion missing
      xtables: arp: Parse properly target options
      nft: fix wrong target size
      xtables: arp: Fix a compilation warning
      xtables: arp: inhibit -l option so only a fixed 6 bytes length arhln can be used
      include: Update nftables API header in sync with kernel's one
      nft: Use new libnftnl library name against former libnftables
      xtables: Add backward compatibility with -w option
      nft: Add useful debug output when a builtin table is created
      nft: A builtin chain might be created when restoring
      nft: Initialize a table only once
      nft: Remove useless error message
      nft: Pass a line after printing out a debug message

Ville Skyttä (1):
      iptables: Spelling fixes

Willem de Bruijn (1):
      include: add linux/filter.h

fan.du (1):
      iptables: Add IPv4/6 IPcomp match support