- several man page fixes
- Support for nommu arches
- realm: remove static initializations
- libiptc: remove unused functions
- libiptc: avoid strict-aliasing warnings
- iprange: do accept non-ranges for xt_iprange v1
- iprange: warn on reverse range
- iprange: roll address parsing into a loop
- iprange: do accept non-ranges for xt_iprange v1 (log)
- iprange: warn on reverse range (log)
- libiptc: fix wrong maptype of base chain counters on restore
- iptables: fix undersized deletion mask creation
- style: reduce indent in xtables_check_inverse
- libxtables: hand argv to xtables_check_inverse
- iptables/extensions: make bundled options work again
- CONNMARK: print mark rules with mask 0xffffffff as set instead of xset
- iptables: take masks into consideration for replace command
- doc: explain experienced --hitcount limit
- doc: name resolution clarification
- iptables: expose option to zero packet/byte counters for a specific rule
- build: restore --disable-ipv6 functionality on system w/o v6 headers
- MARK: print mark rules with mask 0xffffffff as --set-mark instead of
--set-xmark
- DNAT: fix incorrect check during parsing
- extensions: add osf extension
- conntrack: fix --expires parsing
- dropped nf_ext_init remains from cloexec patch
- libxt_NFQUEUE: add new v1 version with queue-balance option
- xt_conntrack: revision 2 for enlarged state_mask member
- libxt_helper: fix invalid passed option to check_inverse
- libiptc: split v4 and v6
- extensions: collapse registration structures
- iptables: allow for parse-less extensions
- iptables: allow for help-less extensions
- extensions: remove empty help and parse functions
- xtables: add multi-registration functions
- extensions: collapse data variables to use multi-reg calls
- xtables: warn of missing version identifier in extensions
- multi binary: allow subcommand via argv[1]
- iptables: accept multiple IP address specifications for -s, -d
- several build fixes
- several man page fixes
- fixed two leaked file descriptors on sockets (rhbz#521397)
- several man page fixes
- iptables: replace open-coded sizeof by ARRAY_SIZE
- libip6t_policy: remove redundant functions
- policy: use direct xt_policy_info instead of ipt/ip6t
- policy: merge ipv6 and ipv4 variant
- extensions: add `cluster' match support
- extensions: add const qualifiers in print/save functions
- extensions: use NFPROTO_UNSPEC for .family field
- extensions: remove redundant casts
- iptables: close open file descriptors
- fix segfault if incorrect protocol name is used
- replace open-coded sizeof by ARRAY_SIZE
- do not include v4-only modules in ip6tables manpage
- use direct xt_policy_info instead of ipt/ip6t
- xtables: fix segfault if incorrect protocol name is used
- libxt_connlimit: initialize v6_mask
- SNAT/DNAT: add support for persistent multi-range NAT mappings
- blacklisting is not working, use "install X /bin/(true|false)" test
instead
- return private exit code 150 for disabled ipv6 support
- use script name for output messages
- fixed init script: start, stop and status
- support netfilter compiled into kernel in init script (rhbz#295611)
- dropped inversion for limit modules from man pages (rhbz#220780)
- fixed typo in ip6tables man page (rhbz#236185)
- fixed initscript for LSB conformance (rhbz#246953, rhbz#242459)
- provide iptc interface again, but unsupported (rhbz#216733)
- compile all extensions which are supported by the kernel-headers package
- review fixes (rhbz#225906)
- new version 1.3.4
- dropped free_opts patch (upstream fixed)
- made libipq PIC (#158623)
- additional configuration options for iptables startup script (#172929)
Thanks to Jan Gruenwald for the patch
- spec file cleanup (dropped linux_header define and usage)