Harald Welte's blog
Creative Commons License
Articles on this blog/journal are licensed under a Creative Commons Attribution-NoDerivs 2.5 License.
Fri, 29 Jul 2005
iptables-1.3.3 is released

Today I've released iptables-1.3.3. Among some minor fixes (such as the extremely important ability to SNAT and DNAT to/from ICMP ID _ranges_), it contains one major fix for an embarrassing use-after-free problem that was introduced only in 1.3.2. What do we learn from this? I need to review patches more carefully.

It also includes the NFQUEUE target, which is basically an extension of QUEUE. QUEUE only supports one queue number (0), so only one userspace process can be attached to it. This led to the ugly hack of ipqmpd, the IP QUEUE multiplex daemon. Combining NFQUEUE with nfnetlink_queue (which is already in DaveM's net-2.6.14 tree), you can now have 65535 different queues, each heading to a separate userspace process. This is again one step towards supporting "100% userspace conntrack helpers", which are sort of a strange hybrid of transparent proxies.
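To make the "one queue number, one userspace process" model concrete, here is an added example (written for this page; it is not code from the post or from the netfilter project) of a userspace consumer for a single NFQUEUE number. It speaks the nfnetlink_queue wire format directly through the Linux UAPI headers rather than through libnetfilter_queue, so every message of the exchange is visible: the configuration bind for the queue number (carried in nfgenmsg.res_id), the copy-mode parameters, the NFQNL_MSG_PACKET the kernel hands up, and the NFQNL_MSG_VERDICT the process must send back. Queue number 5, the example iptables rule, the 64 KiB copy range and the function names are this example's own assumptions.

```c
/* Added example (not the post's or the netfilter project's code): a userspace
 * consumer for one NFQUEUE number, speaking the nfnetlink_queue wire format
 * directly through the Linux UAPI headers. Queue 5 and the rule are assumptions. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <linux/netlink.h>
#include <linux/netfilter.h>
#include <linux/netfilter/nfnetlink.h>
#include <linux/netfilter/nfnetlink_queue.h>

#define QNUM 5 /* assumed; pair with: iptables -A INPUT -p tcp --dport 8080 -j NFQUEUE --queue-num 5 */
#define QNL_TYPE(msg) ((NFNL_SUBSYS_QUEUE << 8) | (msg))

/* nlmsghdr + nfgenmsg; the queue number rides in nfgenmsg.res_id (network order). */
size_t start_msg(char *buf, uint8_t msg_type, uint16_t flags, uint16_t qnum)
{
    struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
    struct nfgenmsg *nfg = (struct nfgenmsg *)(buf + NLMSG_HDRLEN);
    memset(buf, 0, NLMSG_SPACE(sizeof(*nfg)));
    nlh->nlmsg_len = NLMSG_LENGTH(sizeof(*nfg));
    nlh->nlmsg_type = QNL_TYPE(msg_type);
    nlh->nlmsg_flags = NLM_F_REQUEST | flags;
    nfg->nfgen_family = AF_UNSPEC;
    nfg->version = NFNETLINK_V0;
    nfg->res_id = htons(qnum);
    return nlh->nlmsg_len;
}
/* Append one 4-byte-aligned attribute, update nlmsg_len, return the new length. */
size_t add_attr(char *buf, size_t len, uint16_t type, const void *data, size_t dlen)
{
    struct nlattr *a = (struct nlattr *)(buf + len);
    a->nla_type = type;
    a->nla_len = (uint16_t)(NLA_HDRLEN + dlen);
    memcpy(buf + len + NLA_HDRLEN, data, dlen);
    len += NLA_ALIGN(a->nla_len);
    ((struct nlmsghdr *)buf)->nlmsg_len = (uint32_t)len;
    return len;
}
/* NFQNL_MSG_CONFIG + command: PF_(UN)BIND takes a family, (UN)BIND a queue number. */
size_t build_config_cmd(char *buf, uint16_t qnum, uint8_t command, uint16_t pf)
{
    struct nfqnl_msg_config_cmd cmd = { .command = command, .pf = htons(pf) };
    size_t len = start_msg(buf, NFQNL_MSG_CONFIG, NLM_F_ACK, qnum);
    return add_attr(buf, len, NFQA_CFG_CMD, &cmd, sizeof(cmd));
}
/* NFQNL_MSG_CONFIG + params: copy up to `range` payload bytes of each packet. */
size_t build_config_params(char *buf, uint16_t qnum, uint32_t range)
{
    struct nfqnl_msg_config_params p = { .copy_range = htonl(range), .copy_mode = NFQNL_COPY_PACKET };
    size_t len = start_msg(buf, NFQNL_MSG_CONFIG, NLM_F_ACK, qnum);
    return add_attr(buf, len, NFQA_CFG_PARAMS, &p, sizeof(p));
}
/* NFQNL_MSG_VERDICT: release packet `id` of queue `qnum` with NF_ACCEPT or NF_DROP. */
size_t build_verdict(char *buf, uint16_t qnum, uint32_t id, uint32_t verdict)
{
    struct nfqnl_msg_verdict_hdr vh = { .verdict = htonl(verdict), .id = htonl(id) };
    size_t len = start_msg(buf, NFQNL_MSG_VERDICT, 0, qnum);
    return add_attr(buf, len, NFQA_VERDICT_HDR, &vh, sizeof(vh));
}
/* Queue number and packet id of an NFQNL_MSG_PACKET; 0 for acks, errors, foreign or
 * truncated messages. Every length is checked before a byte behind it is trusted. */
int parse_packet(const char *buf, size_t len, uint16_t *qnum, uint32_t *id)
{
    const struct nlmsghdr *nlh = (const struct nlmsghdr *)buf;
    const char *p = buf + NLMSG_LENGTH(sizeof(struct nfgenmsg)), *end;
    if (!NLMSG_OK(nlh, len) || nlh->nlmsg_type != QNL_TYPE(NFQNL_MSG_PACKET))
        return 0;
    *qnum = ntohs(((const struct nfgenmsg *)(buf + NLMSG_HDRLEN))->res_id);
    for (end = buf + nlh->nlmsg_len; p + NLA_HDRLEN <= end; p += NLA_ALIGN(((const struct nlattr *)p)->nla_len)) {
        const struct nlattr *a = (const struct nlattr *)p;
        if (a->nla_len < NLA_HDRLEN || p + a->nla_len > end)
            return 0;
        if ((a->nla_type & NLA_TYPE_MASK) == NFQA_PACKET_HDR &&
            a->nla_len >= NLA_HDRLEN + sizeof(struct nfqnl_msg_packet_hdr)) {
            struct nfqnl_msg_packet_hdr ph;
            memcpy(&ph, p + NLA_HDRLEN, sizeof(ph));
            *id = ntohl(ph.packet_id);
            return 1;
        }
    }
    return 0;
}
static void xmit(int fd, const char *buf, size_t len)
{
    struct sockaddr_nl kernel = { .nl_family = AF_NETLINK };       /* nl_pid 0 = kernel */
    if (sendto(fd, buf, len, 0, (struct sockaddr *)&kernel, sizeof(kernel)) < 0) perror("sendto");
}
/* Bind to QNUM and ACCEPT everything (needs CAP_NET_ADMIN). Any packet that never
 * gets a verdict stays queued in the kernel until the queue overflows. */
int main(void)
{
    static char buf[1 << 17];
    uint16_t q; uint32_t id;
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER);
    if (fd < 0) { perror("socket"); return 1; }
    xmit(fd, buf, build_config_cmd(buf, 0, NFQNL_CFG_CMD_PF_UNBIND, AF_INET)); /* pre-3.8 kernels */
    xmit(fd, buf, build_config_cmd(buf, 0, NFQNL_CFG_CMD_PF_BIND, AF_INET));
    xmit(fd, buf, build_config_cmd(buf, QNUM, NFQNL_CFG_CMD_BIND, AF_UNSPEC));
    xmit(fd, buf, build_config_params(buf, QNUM, 0xffff));
    for (;;) {
        ssize_t n = recv(fd, buf, sizeof(buf), 0);
        if (n < 0) { perror("recv"); return 1; }
        if (!parse_packet(buf, (size_t)n, &q, &id)) continue;    /* config acks etc. */
        printf("queue %u: packet id %u -> ACCEPT\n", q, id);
        xmit(fd, buf, build_verdict(buf, q, id, NF_ACCEPT));
    }
}
```

Two things worth noting when running something like this. A second process bound to a different queue number gets its own socket and its own packets, which is exactly what QUEUE could not offer; the queue number in every message is what keeps the two apart. And each queue is a choke point: the consumer must answer every packet id with a verdict, because a process that stalls or dies leaves packets waiting in the kernel queue until it fills, after which new packets for that rule are dropped. Userspace policy code attached this way is therefore a denial-of-service point as much as a policy point, and its parsing of what the kernel hands it should be as defensive as the attribute walk above.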

[ /linux/netfilter | permanent link ]