RHEL-66725

Rebase iptables onto version 1.8.11


    • Type: Bug
    • Resolution: Done-Errata
    • Priority: Normal
    • rhel-10.0
    • rhel-10.0
    • iptables
    • None
    • iptables-1.8.11-6.el10
    • No
    • Low
    • Rebase
    • rhel-net-firewall
    • ssg_networking
    • 26
    • 3
    • False
    • False
    • Yes
    • None
    • Enhancement
      .RHEL 10 provides `iptables` version 1.8.11

      The `iptables` framework has been upgraded to version 1.8.11, which provides multiple bug fixes and enhancements. Notable changes include:

      * New `arptables-translate` utility

      * `ebtables-nft`:
      ** Print negations (exclamation marks) before the match they invert for consistency with `iptables`.
      ** Support `--replace` and `--list-rules` command options.

      * `iptables-translate`:
      ** Align protocol name lookups with `iptables`.
      ** Support socket match with `TPROXY` target.

      * `iptables`:
      ** Enable implicit extension lookup for `dccp` and `ipcomp` protocols so that no extra `-m <proto>` command option is needed after `-p <proto>`.

      * `iptables-save`:
      ** Avoid calls to the `getprotobynumber()` function for consistency and improved performance with huge rule sets.

      * `arptables-nft`:
      ** Fixed wrong formatting of `--h-type` values and `--proto-type` masks which caused misinterpretation by `arptables-restore`.
      ** Fixed ineffective masks when specified in `--h-type`, `--opcode` and `--proto-type` matches.

      * `iptables-nft`:
      ** Fixed wrong error messages in corner-case error conditions.
      ** Fixed incorrect combination of inverted payload matches.

      For more details, see the link:https://www.netfilter.org/projects/iptables/[upstream documentation].
    • Done
    • None

      There is a long list of improvements since version 1.8.10.

      One notable potential incompatibility is in the `ebtables-nft` rule output format: the new version prints extrapositioned negations (`! --option value`) and warns if intrapositioned ones (`--option ! value`) are used on input (though they are still accepted).
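      The output-format change above matters to anyone who keeps saved `ebtables` rule sets under version control or diffs them in monitoring, because a file written by the old version and the output of the new one will differ even when the rules are identical. The script below is an added example, not part of this issue or of the iptables project: it scans `ebtables-save` style text for intrapositioned negations and rewrites them to the extrapositioned form, so a rule file can be normalized before an upgrade and the resulting diff reviewed. It assumes the simple `--option ! value` / `! --option value` token layout shown in the issue text, treats every `-`-prefixed token followed by `!` as a negated single-argument match, and does no further validation of the rules; the sample rule set is constructed for the example.

```python
"""Find intrapositioned negations (`--opt ! value`) in ebtables-save style
text and rewrite them to the extrapositioned form (`! --opt value`) that
ebtables-nft 1.8.11 prints.  Added example; assumptions are noted inline."""
import shlex
from typing import List, Tuple

# Constructed sample in ebtables-save layout.  Line 5 and line 6 carry
# intrapositioned negations; line 7 is already extrapositioned.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
-A INPUT -p ! IPv4 -j DROP
-A FORWARD -p IPv4 --ip-proto ! tcp -j ACCEPT
-A FORWARD ! -s 00:11:22:33:44:55 -j DROP
"""


def normalize_rule(rule: str) -> Tuple[str, int]:
    """Return (rewritten rule, number of negations moved).

    Assumption: a negated match is always `<option> ! <one value>`; options
    that take no value (targets, chain names) are never followed by `!`.
    """
    tokens = shlex.split(rule)
    out: List[str] = []
    rewrites = 0
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-") and i + 2 < len(tokens) and tokens[i + 1] == "!":
            # intrapositioned `--opt ! value` -> extrapositioned `! --opt value`
            out.extend(["!", tok, tokens[i + 2]])
            rewrites += 1
            i += 3
            continue
        # Already-extrapositioned `! --opt value` and plain tokens pass through.
        out.append(tok)
        i += 1
    return " ".join(out), rewrites


def scan_ruleset(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, original, normalized) for each rule line that
    contains at least one intrapositioned negation.  Table (`*`), chain
    policy (`:`) and comment (`#`) lines are skipped unchanged."""
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped[0] in "*:#":
            continue
        normalized, moved = normalize_rule(stripped)
        if moved:
            findings.append((lineno, stripped, normalized))
    return findings


if __name__ == "__main__":
    for lineno, before, after in scan_ruleset(SAMPLE_RULES):
        print(f"line {lineno}:")
        print(f"  old: {before}")
        print(f"  new: {after}")
```

      Running the script on a saved rule set lists only the lines whose negation position would change; feeding the normalized text back through `ebtables-restore` on the new version then produces output that matches byte-for-byte, which keeps rule-set diffs and integrity checks quiet after the rebase.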

              Phil Sutter (psutter@redhat.com)
              Phil Sutter (psutter@redhat.com)
              Phil Sutter
              Tomas Dolezal
              Jaroslav Klech
              Votes: 0
              Watchers: 8
