Patrick McHardy | 9 Dec 15:48 2009

Release of iptables-1.4.6

The netfilter coreteam presents:

    iptables version 1.4.6

the iptables release for the 2.6.32 kernel. Changes include:

- manpage updates

- multiple smaller fixes for xt_iprange, xt_conntrack, iptables
  rule deletion and replacement, inverted argument parsing

- addition of the xt_osf extension

- code cleanups

See the changelog for more details.

Version 1.4.6 can be obtained from:

On behalf of the Netfilter Core Team.
Happy firewalling!

Jan Engelhardt (20):
      iptables: manpage updates for augmented -Z syntax
      doc: mention maximum mark size in manpages

Pablo Neira Ayuso | 23 Dec 21:32 2009

libnetfilter_conntrack 0.0.101 release


The Netfilter project presents libnetfilter_conntrack-0.0.101.

libnetfilter_conntrack is a userspace library providing a programming 
interface (API) to the in-kernel connection tracking state table. This 
library requires a Linux kernel >= 2.6.18.

This release includes one fix and several cleanups from Hannes Eder.
See ChangeLog for more details.

You can download it from:

On behalf of the Netfilter Core Team.

Hannes Eder (3):
      api: use ANSI style function
      src: make symbols used only in file scope static
      snprintf: remove duplicate initializer entry

Pablo Neira Ayuso (2):
      setobjopt: don't autocomplete the reply tuple for ICMP[v6]
      configure: bump version to 0.0.101


Pablo Neira Ayuso | 28 Dec 19:56 2009

conntrack-tools 0.9.14 released


The Netfilter project presents another development release of the 
conntrack-tools. This release includes several fixes for the command 
line tool and lots of improvements for the daemon. Specifically I'd like 
to thank Hannes Eder, Vincent Jardin and Samuel Gauthier for their 
suggestions and contributions.

Please see the attached changelog for more details.

I'd also like to thank 6WIND for sponsoring the
development of two new features that are included in this release: the
new TCP-based state-synchronization approach and a new feature that
allows disabling the internal and the external caches. They have also
helped with auditing the code and bug hunting.

Q: How stable are the conntrack-tools?
A: The daemon that allows synchronizing states between firewalls has
been tested in a cluster environment composed of two stateful firewalls
running Debian 5.0 (Lenny) with a Linux kernel 2.6.32, keepalived
1.1.15, using conntrackd in FT-FW mode. The test consisted of
downloading the Linux kernel source code in a tarball file via HTTP and
randomly (in periods of 10 seconds) unplugging cable links to force the
fail-over between the nodes. The results have shown no hangs/closure in
any TCP connection.

Q: What are the conntrack-tools?
A: The conntrack-tools are:

- The userspace daemon so-called conntrackd that covers the specific