iptables v1.3.8 Changelog
======================================================================

- Fix build error of conntrack match
  [Yasuyuki Kozakai]

- Remove whitespace in ip6tables.c
  [Yasuyuki Kozakai]

- `-p all' and `-p 0' should be allowed in ip6tables
  [Yasuyuki Kozakai]

- hashlimit doc update
  [Jan Engelhardt]

- add --random option to DNAT and REDIRECT
  [Patrick McHardy]

- Makefile uses POSIX-conforming directory check
  [Roy Marples]

- Fix missing newlines in iptables-save/restore output
  [Pavol Rusnak]

- Update quota manpage for SMP
  [Phil Oester]

- Output for unspecified proto is `all' instead of `0'
  [Phil Oester]

- Fix iptables-save with --random option
  [Patrick McHardy]

- Remove unnecessary IP_NAT_RANGE_PROTO_RANDOM ifdefs
  [Patrick McHardy]

- Remove libnsl from LDLIBS
  [Patrick McHardy]

- Fix problem with iptables-restore and quotes
  [Pablo Neira Ayuso]

- Remove unnecessary includes
  [Patrick McHardy]

- Fix --modprobe parameter
  [Maurice van der Pot]

- ip6tables-restore should output the modprobe error after a failed load
  [Yasuyuki Kozakai]

- Add random option to SNAT
  [Eric Leblond]

- Fix missing space in error message
  [Patrick McHardy]

- Fixes for manpages of tcp, udp, and icmp{,6}
  [Yasuyuki Kozakai]

- Add ip6tables mh extension
  [Masahide Nakamura]

- Fix tcpmss manpage
  [Patrick McHardy]

- Add ip6tables TCPMSS extension
  [Arnaud Ebalard]

- Add UDPLITE multiport support
  [Patrick McHardy]

- Fix missing space in ruleset listing
  [Patrick McHardy]

- Remove extensions for unmaintained/obsolete patchlets
  [Patrick McHardy]

- Fix greedy debug grep
  [Patrick McHardy]

- Fix type in manpage
  [Thomas Aktaia]

- Fix compile/install error for iptables-xml with DO_MULTI=1
  [Lutz Jaenicke]



iptables v1.3.7 Changelog
======================================================================

Bugs fixed since 1.3.6:

- Fix compilation error with linux 2.6.19
  [ Patrick McHardy ]

- Fix LOG target segfault with --log-prefix ""
  [ Mike Frysinger, Bugzilla #516 ]

- Fix conflicting getsockopt optname values for IP6T_SO_GET_REVISION_{MATCH,TARGET}
  [ Yasuyuki KOZAKAI ]

- Fix -E (rename) in iptables/ip6tables
  [ Krzysztof Piotr Oledzki ]

- Fix /etc/network usage
  [ Pablo Neira ]

- Fix iptables-save not printing -s/-d ! 0/0
  [ Patrick McHardy ]

- Fix ip6tables-save unnecessarily printing -s/-d options for zero prefix length
  [ Daniel De Graaf ]

New features since 1.3.6:

- Add revision support for ip6tables
  [ Rémi Denis-Courmont ]

- Add port range support for ip6tables multiport match
  [ Rémi Denis-Courmont ]

- Add sctp match extension for ip6tables
  [ Patrick McHardy ]

- Add iptables-xml tool
  [ Amin Azez ]

- Add hashlimit support for ip6tables (needs kernel > 2.6.19)
  [ Patrick McHardy ]

- Use /lib/modules/$(shell uname -r)/build instead of /usr/src/linux to look for kernel source
  [ Patrick McHardy ]

- Add NFLOG target extension for iptables/ip6tables (needs kernel > 2.6.19)
  [ Patrick McHardy ]



iptables v1.3.6 Changelog
======================================================================

Bugs fixed since 1.3.5:

- Fix segfault on loading of invalid counters in ip[6]tables-restore
  [ Bugzilla #437, Olaf Rempel ]

- Fix double-free if a single match is used multiple times within a single rule
  [ Bugzilla #440, Harald Welte ]

- Don't try to resolve "-p all" using getprotoent()
  [ Bugzilla #446, Harald Welte ]

- Refuse never matching protocol specifications for ip6tables
  [ Yasuyuki Kozakai ]

- Fix iptables-save output of osf match
  [ Daniel De Graaf ]

- Fix esp/connbytes detection with newer kernels (x_tables)
  [ Harald Welte ]

- Fix loading of ICMPv6 match shared library
  [ Yasuyuki Kozakai ]

- Refuse invalid esp match SPI ranges 
  [ Yasuyuki Kozakai ]

- Fix out-of-bounds memory access when the unsupported "check" command was used
  [ Bugzilla #463, Larry Stefani, Harald Welte ]

- Fix out-of-bounds memory access when the "-c" option was used
  [ Bugzilla #462, Larry Stefani, Harald Welte ]

- Fix "Unknown error 4294967295" message
  [ Bugzilla #460, Patrick McHardy ]

- Use lower-case letters for realm match output
  [ Simon Lodal ]

- Fix example in connlimit manpage
  [ Phil Oester ]

- Refuse IP addresses as arguments to REDIRECT target
  [ Bugzilla #482, Phil Oester ]

- Fix set match negation
  [ Jozsef Kadlecsik ]

- Fix some compiler warnings
  [ Bugzilla #457, Phil Oester ]

- Refuse port ranges in ip6tables multiport match
  [ Bugzilla #451, Phil Oester ]

- Force user to specify --icmpv6-type if icmpv6 match is used
  [ Bugzilla #461, Yasuyuki Kozakai ]

- Fix libiptc symbol clash
  [ Bugzilla #456, Phil Oester ]

- Remove "hoho" message
  [ Pierre-Yves Ritschard ]

- Handle CIDR notation more sanely
  [ Bugzilla #422, Phil Oester ]

- Fix chain reference increment bug
  [ Jesper Brouer ]

- Fix counter clearing for policy counters
  [ Bugzilla #502, Andy Gay ]

- Remove warnings about interface names with non-alphanumeric characters
  [ Patrick McHardy ]

New features since 1.3.5:

- Support multiple matches of the same type within a single rule
  [ Jozsef Kadlecsik ]

- DCCP/SCTP support for multiport match (needs kernel >= 2.6.18)
  [ Patrick McHardy ]

- SELinux SECMARK target (needs kernel >= 2.6.18)
  [ James Morris ]

- SELinux CONNSECMARK target (needs kernel >= 2.6.18)
  [ James Morris ]

- Add documentation for DNAT target :<port> syntax
  [ Evan Miller ]

- Add new exit value to indicate concurrency issues
  [ Jesper Dangaard Brouer ]

- Use gcc to build shared objects
  [ Bugzilla #454, Phil Oester ]

- Update quota match for version in current kernel, fix -D (needs kernel >= 2.6.18)
  [ Phil Oester ]

- Update MARK target documentation to include --and-mask/--or-mask
  [ Eric Leblond ]

- Add support for statistic match (needs kernel >= 2.6.18)
  [ Patrick McHardy ]

- Optionally read realm values from /etc/iproute2/rt_realms
  [ Simon Lodal ]

iptables v1.3.5 Changelog
======================================================================
This version requires kernel >= 2.4.0
This version recommends kernel >= 2.4.18

Bugs fixed from 1.3.4:

- Fix conntrack --ctproto option in iptables-save
	[ Phil Oester ]

- Fix string match '--from' option in iptables-save
	[ Michael Rash ]

- Fix option parser of ttl match
	[ Patrick McHardy ]

- Get rid of gcc-4 warnings
	[ Patrick McHardy ]

- Fix spelling of 'address' in DNAT/SNAT manpage section
	[ MJ Anthony ]

- Fix 'tcp-rst' parsing in REJECT target
	[ Torsten Hilbrich ]

- Fix probing for supported revisions
	[ Jones Desougi ]

- Fix compilation of iptables on [old] systems that don't have IPT_F_GOTO
	[ Harald Welte ]

- Only set revisions on real targets, not on jumps
	[ Pablo Neira ]

- Fix memory leak in TC_COMMIT() of libiptc
	[ Markus Sundberg ]

- Correctly propagate errors of setsockopt to calling function
	[ Harald Welte ]

- Fix connbytes match iptables-save
	[ Unknown ]

- Fix sctp match compilation against recent kernel headers
	[ Harald Welte ]

- Fix conntrack match compilation against 2.4.0 kernel headers
	[ Harald Welte ]

Changes from 1.3.4:

- Add support for ip6tables connmark match and target 
	[ Harald Welte ]

- Add support for ip6tables state match
	[ Harald Welte ]

- Add support for new policy ip[6]tables match
	[ Patrick McHardy ]

- Major manpage update
	[ Yasuyuki Kozakai ]

- Remove ippool support, it was deprecated by ipset a long time ago
	[ Harald Welte ]

Please note: Since version 1.2.7a, patch-o-matic is now no longer part of
iptables but rather distributed as a separate package
(ftp://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot)


iptables v1.3.4 Changelog
======================================================================
This version requires kernel >= 2.4.0
This version recommends kernel >= 2.4.18

Bugs fixed from 1.3.3:

- Fix parsing of NFQUEUE queue numbers
	[ Eric Leblond ]

- Add documentation of --queue-num parameter to NFQUEUE manpage
	[ Eric Leblond ]

- Fix 'hash-init' parameter of CLUSTERIP target
	[ KOVACS Krisztian ]

- Fix CONNMARK match and target: Marks are now always 32bit
	[ Deti Fliegl ]

- Print error message when multiple "--to" DNAT/SNAT args are used
  with kernel >= 2.6.10
  	[ Phil Oester ]

- Fix compilation of connbytes match with 2.6.14 kernel
	[ Harald Welte ]

- Fix address inversion of conntrack match
	[ Tom Eastep ]

- Fix sorting of chain names 
	[ Robert de Barth ]

Changes from 1.3.2:

- Add support for DCCP port and type matching
	[ Harald Welte ]

- Add support for new in-kernel string match
	[ Pablo Neira ]

Please note: Since version 1.2.7a, patch-o-matic is now no longer part of
iptables but rather distributed as a separate package
(ftp://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot)


iptables v1.3.3 Changelog
======================================================================
This version requires kernel >= 2.4.0
This version recommends kernel >= 2.4.18

Bugs fixed from 1.3.2:

- Fix use-after-free in merge_options()
	[ Markus Sundberg ]

- Fix support for SNAT and DNAT to ICMP ID ranges
	[ Patrick McHardy ]

Changes from 1.3.2:

- Add support for new NFQUEUE targets for IPv4 and IPv6
	[ Harald Welte ]

- Minor manpage updates
	[ Harald Welte ]

- Fix numerous gcc-4 warnings throughout the code
	[ Harald Welte ]

Please note: Since version 1.2.7a, patch-o-matic is now no longer part of
iptables but rather distributed as a separate package
(ftp://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot)


iptables v1.3.2 Changelog
======================================================================
This version requires kernel >= 2.4.0
This version recommends kernel >= 2.4.18

Bugs fixed from 1.3.1:

- Fix TCPLAG version
	[ Torsten Luettgert ]

- More error checking in SET target
	[ Michal Pokrywka ]

- Fix optflags value for OPT_LINENUMBERS
	[ Jonas Berlin ]

- Allow NULL init function in ip6tables plugins
	[ Jonas Berlin ]

- Don't allow newlines in LOG prefix
	[ Phil Oester ]

- Introduce ip_conntrack_old_tuple to userspace header copy
	[ Pablo Neira ]

- Fix connbytes command line parsing bug
	[ Piotrek Kaczmarek ]

- Ignore unknown arguments in libipt_ULOG 
	[ Patrick McHardy ]

- Correct error in multiport manpage wrt. "--ports"
	[ Rusty Russell ]

- Fix CONNMARK save/restore 
	[ Tom Eastep, Pawel Sikora ]

- Make sure chain name doesn't start with '!' 
	[ Yasuyuki Kozakai ]

- Prevent user from specifying negative ports in SNAT/DNAT
	[ Yasuyuki Kozakai ]

- Fix deletion of targets where kernel size != userspace size 
	[ Pablo Neira ]

- Fix save/restore of '! --uid-owner squid' problem in ip6t_owner
	[ Harald Welte ]

Changes from 1.3.1:

- Add ``--log-uid'' option to ip6t_LOG target
	[ Patrick McHardy ]

- Improve REDIRECT manpage
	[ Jonas Berlin ]

- Add a number of missing manpage snippets
	[ Jonas Berlin ]

- Include FIN bit in mask of "--syn" bits
	[ Harald Welte ]

- Release previously merged options from merge_opts(), reduces memory usage of
  iptables-restore dramatically
	[ Pablo Neira ]

- OSF: changes to support connector notifications
	[ Evgeniy Polyakov ]

- Reduce code replication of parse_interface() 
	[ Yasuyuki Kozakai ]

Please note: Since version 1.2.7a, patch-o-matic is now no longer part of
iptables but rather distributed as a separate package
(ftp://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot)


iptables v1.3.1 Changelog
======================================================================
This version requires kernel >= 2.4.4
This version recommends kernel >= 2.4.18

Bugs fixed from 1.3.0:

- Fix CLUSTERIP rule deletion
	[ Pablo Neira ]

- Fix libip6t_random compilation
	[ Harald Welte ]

- Fix CONNMARK on 32bit userspace / 64bit kernel archs
	[ Pablo Neira ]

Changes from 1.3.0:

- remove bogus NFC_* stuff in iptables
	[ Pablo Neira ]

- libiptc: don't sort builtin chains, restores iptables-1.2.x sort order
	[ Olaf Rempel ]


Please note: Since version 1.2.7a, patch-o-matic is now no longer part of
iptables but rather distributed as a separate package
(ftp://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot)


iptables v1.3.0 Changelog
======================================================================
This version requires kernel >= 2.4.4
This version recommends kernel >= 2.4.18

Bugs fixed from 1.3.0rc1:

- Fix realm match save/restore issue
	[ Harald Welte ]

- Fix hashlimit rule deletion from userspace
	[ Samuel Jean ]

- Fix hashlimit parameter handling / iptables-save
	[ Nikolai Malykh ]

- Fix multiport inversion
	[ Phil Oester ]

Bugs fixed from 1.2.11:

- Fix compilation on systems where /bin/sh != bash
	[ Jozsef Kadlecsik ]

- Fix setting lib_dir in ip*tables-{save,restore}
	[ Martin Josefsson ]

- Fix module-autoloading in certain cases
	[ Harald Welte ]

- libipt_TTL: limit range of valid TTL to 0-255
	[ Maciej Soltysiak ]

- libip6t_HL: limit range of valid HL to 0-255
	[ Maciej Soltysiak ]

- libip{6}t_limit: Fix half-working limit invert check 
	[ Phil Oester ]

- libipt_connbytes: Update to use the IP_CONNTRACK_ACCT counters
	[ Harald Welte ]

- libipt_conntrack: Fix typo
	[ Phil Oester ]

- libipt_dstlimit: Fix half-working invert check 
	[ Phil Oester ]

- libipt_helper: Prevent user from using --helper multiple times
	[ Nicolas Bouliane ]

- libipt_iprange: Print error message if --dst-range used twice
	[ Nicolas Bouliane ]

- libipt_nth: Fix help message syntax
	[ Harald Welte ]

- libipt_psd: Fix option parsing
	[ Pablo Neira ]

- libipt_random: Fix help message syntax
	[ Harald Welte ]

- libipt_realm: Fix inversion of options
	[ Simon Lodal ]

- libipt_time: Fix C++ style delayed variable definition
	[ Olivier Clerget ]

- libipt_time: Print message about time match not adhering to daylight saving
	[ Phil Oester ]

- libipt_tos: Print Error message if --tos is specified twice
	[ Nicolas Bouliane ]

- libipt_ttl: Cleanup ttl option parsing
	[ Phil Oester ]

- libipt_u32: Fix option parsing
	[ Piotr Gasid'o ]


Changes from 1.2.11:

- libiptc: complete rewrite for performance reasons
	[ Harald Welte, Martin Josefsson ]

- introduce "DO_MULTI=1" mode to build a multi-call binary
	[ Bastiaan Bakker ]

- code cleanup, use C99 initializers
	[ Harald Welte, Pablo Neira ]

- Extension revision number support (if kernel supports the getsockopts).
	[ Rusty Russell ]

- Don't need ipt_entry_target()/ip6t_entry_target().
	[ Rusty Russell ]

- Don't re-initialize libiptc/libip6t unless modprobe attempt succeeds.
	[ Rusty Russell ]

- Implement IPTABLES_LIB_DIR and IP6TABLES_LIB_DIR environment variables
	[ Rusty Russell ]

- Add manpage section about 'raw' table
	[ Harald Welte ]


- libip{6}t_ROUTE: add ROUTE --tee mode
	[ Patrick Schaaf ]

- libip{6}t_multiport: Print Error message when `!' is used
	[ Patrick McHardy, Phil Oester ]

- New libip6t_physdev Match
	[ Bart De Schuymer ]

- libipt_CLUSTERIP: Fix compiler warning about const
	[ Harald Welte ]

- libipt_DNAT: Print Error message if `:' is used for port range
- libipt_SNAT: Print Error message if `:' is used for port range
	[ Phil Oester ]

- libipt_LOG: Add --log-uid option
	[ John Lange ]

- libipt_MARK: add bitwise operators
	[ Henrik Nordstrom, Rusty Russell ]

- libipt_SET: Update to ipset2
	[ Jozsef Kadlecsik ]

- libipt_account: Update to 0.1.16
	[ Piotr Gasid'o ]

- New libipt_comment Match
	[ Brad Fisher ]

- New libipt_hashlimit Match, supersedes dstlimit
	[ Harald Welte ]

- libipt_ttl: Use string_to_number()
	[ Rusty Russell ]


Please note: Since version 1.2.7a, patch-o-matic is now no longer part of
iptables but rather distributed as a separate package
(ftp://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot)


iptables v1.2.11 Changelog
======================================================================
This version requires kernel >= 2.4.4
This version recommends kernel >= 2.4.18


Bugs Fixed from 1.2.10:

- fix compilation on systems where /bin/sh != bash
	[ Jozsef Kadlecsik ]

Bugs Fixed from 1.2.9:

- physdev match: fix new structure layout for kernel > 2.6.0-test8
	[ Bart De Schuymer ]

- Better 64bit / 32bit split architecture detection
- IPv6 LOG target: Fix compiler warnings on 64bit
- LOG target: Fix compiler warnings on 64bit
- IPv6 MARK target: Use full 64bit mark on 64bit archs
- MARK target: Use full 64bit mark on 64bit archs
- SAME target: Fix 64bit/32bit splitarch problems
- ULOG target: Fix 64bit/32bit splitarch problems
- conntrack match: Fix 64bit/32bit splitarch problem
- IPv6 limit match: Fix 64bit/32bit splitarch problem
- limit match: Fix 64bit/32bit splitarch problem
- IPv6 mark match: Use full 64bit mark on 64bit archs
- mark match: Use full 64bit mark on 64bit archs
- owner match: Fix compiler warnings on 64bit
	[ Martin Josefsson ]

- connbytes match: Fix signedness / unsigned issue
	[ Martin Josefsson ]

- connlimit match: Fix '/0' netmask
	[ David Ahern ]

- ipv6 owner match: fix possibly not zero terminated string
- helper match: fix possibly not zero terminated string
- recent match: fix possibly not zero terminated string
	[ Karsten Desler ]

- ICMP match: fix '--icmp-type any' case
	[ Harald Welte ]

- CONNMARK target: major update (add mark/mask matching)
	[ Henrik Nordstrom ]

- DSCP target: Fix cosmetic help message problem 
	[ Maciej Soltysiak ]

- string match: Fix iptables-save/restore for ascii strings with spaces
	[ Michael Rash ]

- ip(6)tables-restore: Make sure matches are used in the same order
	[ Martin Josefsson ]

- ip(6)tables-restore: Fix '--verbose' option
- ip(6)tables-restore: Add '--test' option
- ip(6)tables-restore: Complain about missing 'COMMIT'
	[ Martin Josefsson ]

- ip(6)tables-restore: Allow embedding of quote character in quoted strings
	[ Michael Rash ]
	
- libipq: Protect against spoofed queue messages (check if sender is kernel)
	[ Harald Welte ]


Changes from 1.2.9:

- time match: add 'datestart' and 'datestop' parameters
	[ Fabrice Marie ]

- modular manpage build, depending on actually compiled-in features
	[ Henrik Nordstrom ]

- additional documentation in manpage snippets formerly missing
	[ Harald Welte ]

- support new CLUSTERIP Target
	[ Harald Welte ]

- support new account match
	[ Piotr Gasid'o ]

- support new connrate match
	[ Nuuti Kotivuori ]

- support new dstlimit match
	[ Harald Welte ]

- support new 'set' match / 'SET' target
	[ Jozsef Kadlecsik ]

- osf match: add support for netlink reporting
	[ Evgeniy Polyakov ]

- new SCTP protocol match
	[ Kiran Kumar ]


Please note: Since version 1.2.7a, patch-o-matic is now no longer part of
iptables but rather distributed as a separate package
(ftp://ftp.netfilter.org/pub/patch-o-matic/)

Please also note: Since Kernel 2.6.x is out, we now use patch-o-matic-ng,
distributed as a separate package: (ftp://ftp.netfilter.org/pub/patch-o-matic-ng)


iptables v1.2.10 Changelog
======================================================================
This version requires kernel >= 2.4.4
This version recommends kernel >= 2.4.18

Bugs Fixed from 1.2.9:

- physdev match: fix new structure layout for kernel > 2.6.0-test8
	[ Bart De Schuymer ]

- Better 64bit / 32bit split architecture detection
- IPv6 LOG target: Fix compiler warnings on 64bit
- LOG target: Fix compiler warnings on 64bit
- IPv6 MARK target: Use full 64bit mark on 64bit archs
- MARK target: Use full 64bit mark on 64bit archs
- SAME target: Fix 64bit/32bit splitarch problems
- ULOG target: Fix 64bit/32bit splitarch problems
- conntrack match: Fix 64bit/32bit splitarch problem
- IPv6 limit match: Fix 64bit/32bit splitarch problem
- limit match: Fix 64bit/32bit splitarch problem
- IPv6 mark match: Use full 64bit mark on 64bit archs
- mark match: Use full 64bit mark on 64bit archs
- owner match: Fix compiler warnings on 64bit
	[ Martin Josefsson ]

- connbytes match: Fix signedness / unsigned issue
	[ Martin Josefsson ]

- connlimit match: Fix '/0' netmask
	[ David Ahern ]

- ipv6 owner match: fix possibly not zero terminated string
- helper match: fix possibly not zero terminated string
- recent match: fix possibly not zero terminated string
	[ Karsten Desler ]

- ICMP match: fix '--icmp-type any' case
	[ Harald Welte ]

- CONNMARK target: major update (add mark/mask matching)
	[ Henrik Nordstrom ]

- DSCP target: Fix cosmetic help message problem 
	[ Maciej Soltysiak ]

- string match: Fix iptables-save/restore for ascii strings with spaces
	[ Michael Rash ]

- ip(6)tables-restore: Make sure matches are used in the same order
	[ Martin Josefsson ]

- ip(6)tables-restore: Fix '--verbose' option
- ip(6)tables-restore: Add '--test' option
- ip(6)tables-restore: Complain about missing 'COMMIT'
	[ Martin Josefsson ]

- ip(6)tables-restore: Allow embedding of quote character in quoted strings
	[ Michael Rash ]
	
- libipq: Protect against spoofed queue messages (check if sender is kernel)
	[ Harald Welte ]


Changes from 1.2.9:

- time match: add 'datestart' and 'datestop' parameters
	[ Fabrice Marie ]

- modular manpage build, depending on actually compiled-in features
	[ Henrik Nordstrom ]

- additional documentation in manpage snippets formerly missing
	[ Harald Welte ]

- support new CLUSTERIP Target
	[ Harald Welte ]

- support new account match
	[ Piotr Gasid'o ]

- support new connrate match
	[ Nuuti Kotivuori ]

- support new dstlimit match
	[ Harald Welte ]

- support new 'set' match / 'SET' target
	[ Jozsef Kadlecsik ]

- osf match: add support for netlink reporting
	[ Evgeniy Polyakov ]

- new SCTP protocol match
	[ Kiran Kumar ]


Please note: Since version 1.2.7a, patch-o-matic is now no longer part of
iptables but rather distributed as a separate package
(ftp://ftp.netfilter.org/pub/patch-o-matic/)

Please also note: Since Kernel 2.6.x is out, we now use patch-o-matic-ng,
distributed as a separate package: (ftp://ftp.netfilter.org/pub/patch-o-matic-ng)


iptables v1.2.9 Changelog
======================================================================
This version requires kernel >= 2.4.4
This version recommends kernel >= 2.4.18

Bugs Fixed from 1.2.8:

- ip(6)tables-save/restore: fix memory leaks
	[ Harald Welte, Martin Josefsson ]
- ip6tables: fix printout of odd length netmasks
	[ Mikko Markus Torni ]
- condition match: fix iptables-save
	[ Stephane Ouellette ]
- fuzzy match: fix ip(6)tables-save
	[ Hime Aguiar e Oliveira Jr. ]
- mac match: fix ip(6)tables-save if used inverted (!)
	[ David Zambonini, Martin Josefsson ]
- ip6tables udp match: check for invalid port ranges
	[ Thomas Poehnitz ]
- LOG target: fix iptables-save (save loglevel numerically)
	[ Thomas Woerner ]
- mport match: fix iptables-save (save numerically)
	[ Thomas Woerner ]
- libipq: fix ipq_id_t definition on 'real' 64bit/64bit architectures
	[ Ryan Veety ]
- libip6tc: fix ipv6_prefix_length endianness bugs
	[ Mikko Markus Torni ]
- MASQUERADE target: don't accept negative port numbers
	[ Yasuyuki Kozakai ]
- physdev match: fix new structure layout for kernel > 2.6.0-test8
	[ Bart De Schuymer ]

Changes from 1.2.8:

- build plugins for connlimit, iprange, realm, CLASSIFY, CONNMARK, NETMAP
	[ Harald Welte ]
- libip(6)tc: Speedup due to incremental chain cache updates
	[ Harald Welte ]
- recent match: Update to version 0.3.1 that was submitted to the kernel
	[ Stephen Frost ]
- physdev match: add --physdev-is-{in,out,bridge} option
	[ Bart de Schuymer ]
- REJECT target: add support for ICMP administratively prohibited 
	[ Maciej Soltysiak ]
- conntrack match: add support for CONFIRMED / unconfirmed state
	[ Harald Welte ]
- ROUTE target: new option: continue traversal
	[ Cedric de Launois ]
- various cosmetic cleanups
	[ Stephane Ouellette ]
- iptables/libiptc: add support for the new 'raw' table
	[ Jozsef Kadlecsik ]

Please note: Since version 1.2.7a, patch-o-matic is now no longer part of
iptables but rather distributed as a separate package
(ftp://ftp.netfilter.org/pub/patch-o-matic/)


iptables v1.2.8 Changelog
======================================================================
This version requires kernel >= 2.4.4
This version recommends kernel >= 2.4.18

Bugs Fixed from 1.2.7a:

- fix ip6tables-save function of 'length' match
	[ Gerry Skerbitz ]
- fix ip6tables-save function of 'mac' match
	[ Kristian Gronfeldt Sorensen ]
- fix iptables-save function of 'ULOG' target
	[ Jimmy Hedman ]
- fix iptables-save function of 'conntrack' match
	[ Lutz Pressler ]
- fix iptables-save function of 'length' match
	[ Gerry Skerbitz ]
- fix iptables-save function of 'mac' match
	[ Kristian Gronfeldt Sorensen ]
- fix iptables-save function of 'mark' match
	[ Harald Welte ]
- fix iptables-save function of 'owner' match
	[ Costa Tsaousis ]
- fix iptables-save function of 'pool' match
	[ Oskar Berggren ]
- fix iptables-save function of 'tcpmss' match
	[ Michael Schwendt ]
- fix iptables-save function of 'tos' match
	[ Harald Welte ]
- fix save/print function of 'connmark' match
	[ Harald Welte ]
- fix error message when invalid TCP flag is specified with 'tcp' match
	[ Aaron Sethman ]

Changes from 1.2.7a:

- updated version of the ROUTE target
	[ Cedric de Launois ]
- updated version of the 'recent' match
	[ Stephen Frost ]
- update the RPC conntrack match, extend it to support filtering on procedures
	[ Ian (Larry) Latter ]
- add support for hexstrings to the 'string' match
	[ Michael Rash ]
- have iptables-restore print the line number in case of an error
	[ Illes Marci ]
- big iptables.8 manpage update
	[ Herve Eychenne ]
- print loglevel human-readable in ip6tables 'LOG' target
	[ Michael Schwendt ]
- print loglevel human-readable in 'LOG' target
	[ Michael Schwendt ]
- remove bogus code from 'ecn' match
	[ Stephane Ouellette ]
- be more specific in help message of 'helper' match
	[ Herve Eychenne ]
- fix semantic problem that '-p icmp -m icmp' was matching icmp type 0 instead
  of 'any'
	[ Harald Welte ]
- fix iptables rename-chain option
	[ Maciej Soltysiak ]
- remove libipulog from iptables since it is distributed with ulogd
	[ Harald Welte ]
- support new ip6tables 'HL' target
	[ Maciej Soltysiak ]
- support new ip6tables 'condition' match
	[ Stephane Ouellette ]
- support new ip6tables 'fuzzy' match
	[ Maciej Soltysiak ]
- support new ip6tables 'hoplimit' match
	[ Maciej Soltysiak ]
- support new iptables 'CLASSIFY' target
	[ unknown ]
- support new iptables TARPIT target
	[ Aaron Hopkins ]
- support new iptables 'condition' match
	[ Stephane Ouellette ]
- support new iptables 'fuzzy' match
	[ Hime Junior ]
- support new iptables 'physdev' match (for 2.5.x bridging)
	[ Bart de Schuymer ]
- support new iptables 'u32' match (based on u32 tc filter)
	[ Don Cohen ]

Please note: As of version 1.2.7a, patch-o-matic is now no longer part of
iptables but rather distributed as a separate package
(ftp://ftp.netfilter.org/pub/patch-o-matic/)


iptables v1.2.7a (== fixed 1.2.7) Changelog
======================================================================
This version requires kernel >= 2.4.4
This version recommends kernel >= 2.4.18

Bugs Fixed from 1.2.6a:

- fix compiler warning in userspace support for ipv6 REJECT target
	[ Fabrice Marie ]
- check for invalid portranges in tcp+udp helper (e.g. 2000:100)
	[ Thomas Poehnitz ]
- fix save/restore functions of ip6tables tcp/udp extension
	[ Harald Welte / Andras Kis-Szabo ]
- check for invalid (out of range) nfmark values in MARK target
	[ Alexey ??? ]
- fix save function of MASQUERADE userspace support
	[ A. van Schie ]
- compile fixes for userspace support of experimental POOL target
	[ ? ]
- fix save function of userspace support for ah and esp match
	[ ? ]
- fix static build (NO_SHARED_LIBS)
	[ Roberto Nibali ]
- fix save/restore function of userspace support for mport match
	[ Bob Hockney ]
- update manpages to reflect recent changes
	[ Herve Eychenne, Harald Welte ]
- remove all remnants of the 'check' option
	[ ? ]


Changes from 1.2.6a:

- patch-o-matic is now no longer part of iptables but rather distributed
  as a separate package (ftp://ftp.netfilter.org/pub/patch-o-matic/)
  	[ Harald Welte ]
- userspace support for dscp match and target
	[ Harald Welte ] 
- userspace support for ecn match and target
	[ Harald Welte ]
- userspace support for helper match
	[ Martin Josefsson ]
- userspace support for conntrack match
	[ Marc Boucher ]
- userspace support for pkttype match
	[ Martin Ludvig ]
- userspace support for experimental ROUTE target
	[ Cedric de Launois ]
- userspace support for experimental ipv6 ahesp match
	[ Andras Kis-Szabo ]
- userspace support for experimental ipv6 option header match
	[ Andras Kis-Szabo ]
- userspace support for experimental ipv6 routing header match
	[ Andras Kis-Szabo ]
- add matching of process name to userspace support of owner match
	[ Marc Boucher ]
- new version of userspace support for 'recent' match
	[ Stephen Frost ]


iptables v1.2.6a (== fixed 1.2.6) Changelog
======================================================================
This version requires kernel >= 2.4.4
This version recommends kernel >= 2.4.18

Bugs Fixed from 1.2.5:

- Fix iptables segfault problem when using `!' without argument
	[ Dionis Papavramidis, Harald Welte ]
- Fix PSD match for psd-delay-threshold > 100
	[ Steven Coenen, Dennis Koslowski ]
- ip6tables alignment fixes 
	[ Andreas Herrmann ]
- patch-o-matic:
	- Fix NAT-related bug in TCP window tracking code
		[ Jozsef Kadlecsik ]
	- Fix support for DNAT of locally-originated connections (NAT in
	  LOCAL_OUT) 
	  	[ Henrik Nordstrom, Harald Welte ]
	- Fix string match (is now SMP safe)
		[ Gianni Tedesco ]
	- Fix TFTP conntrack/nat helper (now also catches first packet)
		[ Magnus Boden ]

Changes from 1.2.5:

- Added global PREFIX makefile variable for all paths
	[ Harald Welte ]
- If compiled without any COPT_FLAGS, debugging is disabled.  To enable
  debugging, use -DIPTC_DEBUG
  	[ Harald Welte ]
- New ip6tables-restore and ip6tables-save manpage
	[ Andras Kis-Szabo ] 
- Sync ip6tables-restore and ip6tables-save with iptables-restore
	[ Andras Kis-Szabo ]
- Sync ip6tables with iptables
	[ Andras Kis-Szabo ]
- mangle table attaches now to all five netfilter hooks
	[ Brad Chapman, Harald Welte ]
- iptables and ip6tables manpage updates
	[ Herve Eychenne ]
- patch-o-matic program now supports removal of already-applied patches
	[ Bob Hockney ]
- patch-o-matic program now supports patches to the userspace extensions
	[ Fabrice Marie ]
- patch-o-matic:
	- Extend recent match to support multiple recent lists
		[ Stephen Frost ]
	- New GRE and PPTP connection tracking and NAT helper
		[ Harald Welte ]
	- New CONNMARK target for marking all packets within one connection
		[ Henrik Nordstrom ]
	- New conntrack match, enables matching on more conntrack information
	  than state
	  	[ Marc Boucher ]
	- New DSCP match and target (DSCP header field obsoletes TOS)
		[ Harald Welte ]
	- New owner match extension: Match on process name
		[ Marc Boucher ]
	- Add support for bitwise AND / OR manipulation on nfmark
		[ Fabrice Marie ]
	- New experimental patch for disabling TCP connection tracking pickup
		[ Harald Welte ]
	- Add support for SACK in all NAT helpers
		[ Harald Welte ]
	- Make eggdrop botnet connection tracking support work with eggdrop
	  v1.6.x 
	  	[ Magnus Sandin ]
	- Add support to REJECT for sending icmp-unreachable messages
	  from a fake source address
	  	[ Fabrice Marie ]
	- Add support for ntalk2 to talk NAT helper
		[ Jozsef Kadlecsik ]
	- Big update to newnat patch
		[ Jozsef Kadlecsik, Paul P Komkoff ]

iptables v1.2.6 Changelog
======================================================================
This version requires kernel >= 2.4.4
This version recommends kernel >= 2.4.18

Bugs Fixed from 1.2.5:

- Fix iptables segfault problem when using `!' without argument
	[ Dionis Papavramidis, Harald Welte ]
- Fix PSD match for psd-delay-threshold > 100
	[ Steven Coenen, Dennis Koslowski ]
- ip6tables alignment fixes 
	[ Andreas Herrmann ]
- patch-o-matic:
	- Fix NAT-related bug in TCP window tracking code
		[ Jozsef Kadlecsik ]
	- Fix support for DNAT of locally-originated connections (NAT in
	  LOCAL_OUT) 
	  	[ Henrik Nordstrom, Harald Welte ]
	- Fix string match (is now SMP safe)
		[ Gianni Tedesco ]
	- Fix TFTP conntrack/nat helper (now also catches first packet)
		[ Magnus Boden ]

Changes from 1.2.5:

- Added global PREFIX makefile variable for all paths
	[ Harald Welte ]
- If compiled without any COPT_FLAGS, debugging is disabled.  To enable
  debugging, use -DIPTC_DEBUG
  	[ Harald Welte ]
- New ip6tables-restore and ip6tables-save manpage
	[ Andras Kis-Szabo ] 
- Sync ip6tables-restore and ip6tables-save with iptables-restore
	[ Andras Kis-Szabo ]
- Sync ip6tables with iptables
	[ Andras Kis-Szabo ]
- mangle table attaches now to all five netfilter hooks
	[ Brad Chapman, Harald Welte ]
- iptables and ip6tables manpage updates
	[ Herve Eychenne ]
- patch-o-matic program now supports removal of already-applied patches
	[ Bob Hockney ]
- patch-o-matic program now supports patches to the userspace extensions
	[ Fabrice Marie ]
- patch-o-matic:
	- Extend recent match to support multiple recent lists
		[ Stephen Frost ]
	- New GRE and PPTP connection tracking and NAT helper
		[ Harald Welte ]
	- New CONNMARK target for marking all packets within one connection
		[ Henrik Nordstrom ]
	- New conntrack match, enables matching on more conntrack information
	  than state
	  	[ Marc Boucher ]
	- New DSCP match and target (DSCP header field obsoletes TOS)
		[ Harald Welte ]
	- New owner match extension: Match on process name
		[ Marc Boucher ]
	- Add support for bitwise AND / OR manipulation on nfmark
		[ Fabrice Marie ]
	- New experimental patch for disabling TCP connection tracking pickup
		[ Harald Welte ]
	- Add support for SACK in all NAT helpers
		[ Harald Welte ]
	- Make eggdrop botnet connection tracking support work with eggdrop
	  v1.6.x 
	  	[ Magnus Sandin ]
	- Add support to REJECT for sending icmp-unreachable messages
	  from a fake source address
  		[ Fabrice Marie ]
	- Add support for ntalk2 to talk NAT helper
		[ Jozsef Kadlecsik ]
	- Big update to newnat patch
		[ Jozsef Kadlecsik, Paul P Komkoff ]


iptables v1.2.5 Changelog
======================================================================
This version requires kernel >= 2.4.4
This version recommends kernel > 2.4.14

Bugs Fixed from 1.2.4:

- make iptables-restore accept --table as well as -t option
	[ Andreas Ferber ]
- make iptables-restore -v / --verbose option work
	[ Marc Boucher ]
- fix iptables-save problems with saving "ppp+" style interface wildcards
	[ Harald Welte ]
- make iptables accept '_' and '.' in interface names
	[ Harald Welte ]
- Kernel bugfixes in patch-o-matic:
	- Fix IRC NAT srcaddr fix (we used to nat DCC connections to the
	  address of the IRC server)
		[ Bob Hockney ]
	- Fix potential Oops in TOS target module
		[ Edward Killips ]
	- Fix problem when raw socket has cloned skb while netfilter doing
	  payload modification
		 [ Rusty Russell ]
	- Fix memory leak in ipchains redirect code
		[ Rusty Russell ]
	- Fix reintroduced ECN problem with unclean match
		[ Guillaume Morin ]
	- Fix MAC address match problem with small udp packets
		[ Harald Welte ]

Changes from 1.2.4:

- Whole patch-o-matic system restructured - now supports multiple patch
  repositories (submitted, pending, base, extra, newnat).
	[ Jozsef Kadlecsik ]
- Add IPv6 support to the QUEUE target and libipq
	[ Fernando Anton / James Morris ]
- New patch-o-matic patches:
	- New IPV4OPTSSTRIP target to strip IP options
		[ Fabrice Marie ]
	- New ipv6header match to match IPv6 header options
		[ Brad Chapman / Andras Kis-Szabo ]
	- New helper match to match RELATED connections on their conntrack
		helper
		[ Martin Josefsson ]
	- New quota match to have fixed IP quotas
		[ Sam Johnston ]
	- New recent match to match recently seen packets
		[ Stephen Frost ]


iptables v1.2.4 Changelog
======================================================================
This version requires kernel >= 2.4.4
This version recommends kernel > 2.4.9

Bugs Fixed from 1.2.3:

- make iptables-restore print error message instead of segfault when
	processing broken / wrong input.
	[ ]
- string_to_number fix in LOG, IPv6 LOG, TOS and FTOS target
	[ ]
- fix iptables-save problems when saving MIRROR rules
	[ Harald Welte ]
- fix IPv6 ICMP problems [ ]
- fix TTL increment in TTL target [ ]
- Kernel bugfixes in patch-o-matic:
	- Fix printing of inner-packet in ICMP error messages (LOG target)
		[ ]
	- Decrement TTL when using MIRROR target at PRE_ROUTING [ ]
	- fix undiscovered REJECT checkentry() bug (alignment) 
		[ Bert Hubert ]

Changes from 1.2.3:

- New "make most-of-pom" feature for application of non-conflicting
	patches. This should be used instead of "make patch-o-matic" by most
	users.
	[ Harald Welte ]
- iptables-save and iptables-restore now included in the default install;
	They have not been experimental for quite some time.
	[ Harald Welte ]
- synchronize ip6tables-save/restore with iptables-save/restore
	[ Harald Welte ]
- more precise save() function for ipt_limit rates
	[ ]
- new improved version of nth-match. Added support for multiple counters,
	added support for matching on individual packets in the counter cycle
	[ Richard Wagner ]
- added manpage for ip6tables
	[ ]
- updated libipq documentation
	[ ]
- added timeout to libipq recv function
	[ ]
- New patch-o-matic patches:
	- New random match
		[ ]
	- New ftp-fxp patch, imposes security risk but some people need it *sigh*
		[ Magnus Sandin ]
	- New H323 conntrack + nat modules
		[ Jozsef Kadlecsik ]
	- New version of tcp-window tracking patch, includes sysctl()
		changeable timeouts
		[ Jozsef Kadlecsik ]


iptables v1.2.3 Changelog
======================================================================
This version requires kernel 2.4.4 or above.
This version recommends kernel 2.4.9 or above.

Bugs Fixed from 1.2.2:

- fix ICMPv6 support for IPv6
	[ Kis-Szabo Andras ]
- fix problems with REJECT and iptables-restore / iptables-save
	[ Harald Welte ]
- fix possible string overflow in psd match
	[ Dennis Koslowski ]
- fix string match compile problems
	[ Gianni Tedesco ]
- support interfaces with '_' (underscore) in device names
	[ Harald Welte ]
- support rules without target in iptables-save
	[ Emmanuel Fleury ]
- correct handling of "eth+" type interface names in iptables-save/restore
	[ Harald Welte ]
- do incremental checksumming when altering TTL in TTL target
	[ Harald Welte ]
- fix no-srr case in ipv4options match
	[ Fabrice Marie ]
- Kernel bugfixes in patch-o-matic:
	- Fix unexported ip6_table symbols [ Brad Chapman ]
	- Decrement TTL in MIRROR target if used in FORWARD chain [ Harald
		Welte, Fabian Melzow ]
	- Replace SACKPERM TCP option with NOOP (instead of ENDOFOPT)
		[ Guillaume Morin ]

Changes from 1.2.2:

- New "make most-of-pom" feature for application of non-conflicting
	patches. This should be used instead of "make patch-o-matic" by most
	users.
	[ Harald Welte ]
- support for statically linking iptables, without need for .so plugins
	[ David McCullough ]
- support for multiple ranges in SAME target
	[ Martin Josefsson ]
- support for router alert options in ipv4options match
	[ Fabrice Marie ]
- modprobe() modules when doing iptables-restore
	[ Andries van Schie ]
- remove obsolete fragment matching code in IPv6
	[ Kis-Szabo Andras ]
- add support for dns hostnames to IPv6 code
	[ Kis-Szabo Andras ]
- New patch-o-matic patches:
	- New multiport (mport) match
		[ Andreas Ferber ]
	- New nth match for matching every n-th packet
		[ Fabrice Marie ]
	- New realm match for matching the routing realm
		[ Sampsa Ranta ]
	- New ctnetlink patch for manipulation of conntrack from userspace
		[ Jay Schulist ]
	- New REJECT Target for IPv6
		[ Harald Welte ]
	- New length match for IPv6
		[ Imran Patel ]
	- New multiport (mport) match for IPv6
		[ Andreas Ferber ]


iptables v1.2.1 Changelog
======================================================================
This version requires kernel 2.4.0 or above.

Bugs Fixed from 1.2:

- Missing quotes around log-prefix
	[ Bart Theunissen ]
- Bug in save function of string match
	[ Gianni Tedesco ]
- ip6tables.c string buffer size fixes
	[ Andras Kis-Szabo ]
- dependency problem with iptables-save / iptables-restore
	[ Harald Welte ]
- strtok problem with iptables-save / iptables-restore
	[ Harald Welte ]
- Problems with tcp/udp extension and multiple calls of do_command()
	[ Sven Koch ]
- Kernel bugfixes in patch-o-matic:
	- Updated rpc-record patch to work with 2.4.0
		[ Marc Boucher ]
	- New ftp-pasv patch for fixing PASV detection with some ftpd's
		[ Erik Hensema ]
	- Fix checksum calculation of TOS target
		[ Rusty Russell ]

Changes from 1.2:

- New `pending-patches' target
	[ Rusty Russell ]
- build all shared library extensions regardless of kernel tree
	[ Rusty Russell ]
- New counter-restore functions for iptables
	[ Harald Welte ]
- Added libiptc and libipulog to `devel' Makefile target
	[ Harald Welte ]
- Ported iptables-save/restore to IPv6
	[ Andras Kis-Szabo ]
- Updated ULOG target (now in-kernel accumulation [= higher performance])
	[ Harald Welte ]
- Added fxp support to ftp-multi patch
	[ Magnus Sandin ]
- Implemented Boyer Moore Sublinear search algorithm for string match
	[ Gianni Tedesco ]
- Fixed tcp-window-tracking incompatibility with NAT helpers
	[ Harald Welte ]
- New patch-o-matic patches:
	- New generic sequence number offset API for nat helpers
		[ Harald Welte ]
	- New psd (port-scan-detection) match
		[ Dennis Koslowski, Markus Henning ]
	- New NETLINK target for old ipchains -o behaviour
		[ Gianni Tedesco ]
	- New SAME target as a special case of SNAT
		[ Martin Josefsson ]
	- Ported LOG target to IPv6
		[ Jan Rekorajski ]
	- Ported owner, limit, mac and multiport match to IPv6
		[ Jan Rekorajski ]


iptables v1.2.2 Changelog
======================================================================
This version requires kernel 2.4.1 or above.
This version recommends kernel 2.4.4 or above.

Bugs Fixed from 1.2.1a:

- fixes for SAME Target
	[ Martin Josefsson ]
- fixes for iplimit match in combination with iptables-save/-restore
	[ Gerd Knorr ]
- fix for TCP match in combination with iptables-save/-restore
	[ Ian Lynagh ]
- iptables-restore now deals correctly with spaces in --log-prefix
	[ Harald Welte ]
- fix in 'isapplied' script. It used to give false negatives
	[ Harald Welte ]
- fix in BALANCE target, target now uses full ip address range
	[ Martin Josefsson ]
- fix for NETLINK target, was sending wrong interface name
	[ Gianni Tedesco ]
- fix for collision of ftp and irc NAT helpers
	[ Harald Welte ]
- ip6tables brought in sync with iptables
	[ Kis-Szabo Andras ]
- Kernel bugfixes in patch-o-matic:
	- Fix possible security vulnerability in ip_conntrack_ftp
		[ Cristiano Lincoln Mattos, James Morris and Rusty ]

Changes from 1.2.1a:

- libiptc should now be usable from C++ applications
	[ Fabrice MAURIE ]
- seqoffset-,ftp-security, ... patches are combined in 2.4.4.patch
	[ Rusty Russell ]
- lots of old pre-2.4.1 patches now combined in 2.4.1.patch
	[ Rusty Russell ]
- IRC conntrack + nat cleanup
	[ Harald Welte ]
- string match cleanup
	[ Gianni Tedesco ]
- ULOG cleanup, new version. Fixes 'unable to send nflink' bug
	[ Harald Welte ]
- New patch-o-matic patches:
	- New NETMAP Target for mapping whole networks 1:1 to other addresses
		[ Svenning Soerensen ]
	- New length Target for matching packet length
		[ James Morris ]
	- New ipv4options match for matching IPv4 header options
		[ Fabrice MARIE ]
	- New IPv6 agr match for matching IPv6 global aggregatable unicast
		addresses
		[ Andras Kis-Szabo ]
	- New pkttype match for matching link-layer multicast / broadcast
		packets
		[ Michal Ludvig ]
	- New time match for matching the packet's receive time
		[ Fabrice MARIE ]
	- New talk conntrack + NAT helper module
		[ Jozsef Kadlecsik ]


iptables v1.2 Changelog
======================================================================
This version requires 2.4.0-test9 or above.

Bugs Fixed from 1.1.2:

- Now default installs into /usr/local/sbin, not /usr/local/bin.
- Only does IPv6 compilation on libc6.
- More header fixes for weird header combos.
- ip6tables now refers to "icmpv6" protocol, not "icmp".
	[ Harald Welte ]
- IPPROTO_ESP and AH defined in iptables for primitive headers.
- iptables multiple-DNS resolve fixed
	[ Harald Welte, Rusty ]
- Kernel bugfixes in patch-o-matic:
	- IPv6 netfilter fixes
		[ Harald Welte ]
	- Masquerade with fwmark routing fix
	- Dynamic hashsize optimization (NAT) + `hashsize=' module parameter.
	- NAT overlap fix
	- PPC/Sparc mangle table fix.

Changes from 1.1.2:

- New `install-devel' target
	[ James Morris ]
- libipq now has man pages!
	[ James Morris ]
- iptables-save and iptables-restore added (with man pages!)
	[ Harald Welte ]
- iptables now inserts modules if CONFIG_KMOD or --modprobe
	[ Harald Welte, Rusty ]
- New `experimental' and `install-experimental' targets.
- `--reject-with=echo-reply' removed in anticipation of the removal of
	kernel support.
- ttl match enhancements (greater or less than tests)
	[ Harald Welte ]
- Reworked patch-o-matic interface, to force reading of help.
- patch-o-matic updated for new 2.4 Makefiles
	[ Daniel Stone, Harald Welte ]
- patch-o-matic now supports non-IPv4 netfilter patches
	[ Harald Welte ]
- New patch-o-matic patches:
	- eggdrop bot connection tracking
		[ Magnus Sandin ]
	- FTOS target for full ToS mangling.
		[ Matthew G. Marsh ]
	- BALANCE target for simple load-balancing.
	- iplimit match for limiting number of connections.
		[ Gerd Knorr ]
	- IPv6 MARK target
		[ Harald Welte ]
	- IPv6 mark match
		[ Harald Welte ]


iptables v1.1.2 Changelog
======================================================================
This version requires 2.4.0-test9 or above.

Bugs Fixed from 1.1.1:

- Adding rules on UltraSparc now works
- string_to_number now handles overflow
	[ Jan Echternach ]
- Bug when using ridiculous rule numbers fixed

Changes from 1.1.1:

- patch-o-matic system added:
	- TTL alteration and ttl matching support -- Harald Welte
	- AH/ESP matching support -- Yon Uriarte
	- DROPPED table support -- Rusty
	- ftp-multi patch for non-standard ftp servers -- Harald Welte
	- IRC connection tracking & NAT -- Harald Welte
	- pool match and POOL target -- Patrick
	- RPC recording patch -- Marcelo Barbosa Lima
	- SNMP NAT support -- James Morris
	- string match for looking in packet's data -- Emmanuel Roger
	- tcp-MSS target for altering MSS -- Marc Boucher
	- ULOG target for advanced logging -- Harald Welte
- Minor const cleanups
	[ Jan Echternach ]
- iptables.8 updates
	[ Harald Welte, Rusty ]
- Better warnings for non-existent matches/missing libraries
	[ Harald Welte ]
- Improved isapplied script
