Bugs fixed since 1.3.5: - Fix segfault on loading of invalid counters in ip[6]tables-restore [ Bugzilla #437, Olaf Rempel ] - Fix double-free if a single match is used multiple times within a single rule [ Bugzilla #440, Harald Welte ] - Don't try to resolve "-p all" using getprotoent() [ Bugzilla #446, Harald Welte ] - Refuse never matching protocol specifications for ip6tables [ Yasuyuki Kozakai ] - Fix iptables-save output of osf match [ Daniel De Graaf ] - Fix esp/connbytes detection with newer kernels (x_tables) [ Harald Welte ] - Fix loading of IPCMv6 match shared library [ Yasuyuki Kozakai ] - Refuse invalid esp match SPI ranges [ Yasuyuki Kozakai ] - Fix out-of-bounds memory access when the unsupported "check" command was used [ Bugzilla #463, Larry Stefani, Harald Welte ] - Fix out-of-bounds memory access when the "-c" option was used [ Bugzilla #462, Larry Stefani, Harald Welte ] - Fix "Unknown error 4294967295" message [ Bugzilla #460, Patrick McHardy ] - Use lower-case letters for realm match output [ Simon Lodal ] - Fix example in connlimit manpage [ Phil Oester ] - Refuse IP addresses as arguments to REDIRECT target [ Bugzilla #482, Phil Oester ] - Fix set match negation [ Jozsef Kadlecsik ] - Fix some compiler warnings [ Bugzilla #457, Phil Oester ] - Refuse port ranges in ip6tables multiport match [ Bugzilla #451, Phil Oester ] - Force user to specify --ipcmv6-type if ipcmv6 match is used [ Bugzilla #461, Yasuyuki Kozakai ] - Fix libiptc symbol clash [ Bugzilla #456, Phil Oester ] - Remove "hoho" message [ Pierre-Yves Ritschard ] - Handle CIDR notation more sanely [ Bugzilla #422, Phil Oester ] - Fix chain reference increment bug [ Jesper Brouer ] - Fix counter clearing for policy counters [ Bugzilla #502, Andy Gay ] - Remove warnings about interface names with non-alphanumeric characters [ Patrick McHardy ] New features since 1.3.5: - Support multiple matches of the same type within a single rule [ Jozsef Kadlecsik ] - DCCP/SCTP support for multiport match (needs kernel >= 2.6.18) [ Patrick McHardy ] - SELinux SECMARK target (needs kernel >= 2.6.18) [ James Morris ] - SELinux CONNSECMARK target (needs kernel >= 2.6.18) [ James Morris ] - Add documentation for DNAT target : syntax [ Evan Miller ] - Add new exit value to indicate concurrency issues [ Jesper Dangaard Brouer ] - Use gcc to build shared objects [ Bugzilla #454, Phil Oester ] - Update quota match for version in current kernel, fix -D (needs kernel >= 2.6.18) [ Phil Oester ] - Update MARK target documentation to include --and-mask/--or-mask [ Eric Leblond ] - Add support for statistic match (needs kernel >= 2.6.18) [ Patrick McHardy ] - Optionally read realm values from /etc/iproute2/rt_realms [ Simon Lodal ]