iptables v1.4.12 Changelog:
======================================================================
Changes from 1.4.11.1:



Fernando Luis Vazquez Cao (1):
      doc: document IPv6 TOS mangling bug in old Linux kernels

Jakub Zawadzki (1):
      doc: fix group range in libxt_NFLOG's man

Jan Engelhardt (23):
      doc: include matches/targets in manpage again
      libipt_LOG: fix ignoring all but last flags
      libxt_RATEEST: use guided option parser
      iptables: consolidate target/match init call
      extensions: support for per-extension instance "global" variable space
      libxt_rateest: abolish global variables
      libxt_RATEEST: abolish global variables
      libip6t_HL: fix option names from ttl -> hl
      libxt_state: fix regression about inversion of main option
      libxt_hashlimit: use a more obvious expiry value by default
      build: bump soversion for recent data structure change
      build: attempt to fix building under Linux 2.4
      doc: mention multiple verbosity flags
      build: install modules in arch-dependent location
      doc: fix version string in ip6tables.8
      doc: the -m option cannot be inverted
      iptables: restore negation for -f
      libxtables: properly reject empty hostnames
      libxtables: ignore whitespace in the multiaddress argument parser
      option: remove last traces of intrapositional negation
      libxtables: set clone's initial data to NULL
      libxt_conntrack: restore network-byte order for v1,v2
      libxt_conntrack: move more data into the xt_option_entry

Jiri Popelka (5):
      iptables: Coverity: DEADCODE
      iptables: Coverity: NEGATIVE_RETURNS
      iptables: Coverity: REVERSE_INULL
      iptables: Coverity: VARARGS
      iptables: Coverity: RESOURCE_LEAK

Martin F. Krafft (1):
      iptables-apply: select default rule file depending on call name

Massimo Maggi (1):
      libxt_RATEEST: fix userspacesize field

Patrick McHardy (4):
      Merge branch 'master' of git://dev.medozas.de/iptables
      Merge branch 'master' of git://dev.medozas.de/iptables
      Merge branch 'master' of git://dev.medozas.de/iptables
      Bump version to 1.4.12


iptables v1.4.11.1 Changelog:
======================================================================
Changes from 1.4.11:


Elie De Brauwer (1):
      doc: fix trivial typo in libipt_SNAT

Jan Engelhardt (13):
      libxt_owner: restore inversion support
      build: remove dead code parts
      build: fix installation of symlinks
      build: fix absence of xml translator in IPv6-only builds
      doc: update GPL license text
      doc: iptables-xml should be in manpage section 1
      build: move basic preprocessor flags to regular_CPPFLAGS
      build: move kinclude's preprocessor flags to kinclude_CPPFLAGS
      src: move all libiptc pieces into its directory
      src: move all iptables pieces into a separate directory
      tests: add some sample rulesets to test save-restore cycle
      option: fix ignored negation before implicit extension loading
      build: re-add missing CPPFLAGS for libiptc

Maciej Żenczykowski (1):
      xtables-multi: fix absence of xml translator in IPv6-only builds

Mike Frysinger (1):
      build: move remaining preprocessor flags to CPPFLAGS

Patrick McHardy (1):
      Bump version to 1.4.11.1

Vlad Dogaru (1):
      doc: fix MASQUERADE section of man page



iptables v1.4.11 Changelog:
======================================================================
Changes from 1.4.10:


Changli Gao (1):
      iptables: fix the dead loop when meeting unknown options

Florian Westphal (3):
      libxt_conntrack: fix --ctdir save/dump output format
      libxt_time: fix random --datestart skips
      extensions: libxt_NFQUEUE: add v2 revision with --queue-bypass option

JP Abgrall (1):
      libxt_quota: make sure uint64 is not truncated

Jan Engelhardt (218):
      libxtables: change option precedence order to be intuitive
      libxt_TOS: avoid an undesired overflowing computation
      iptables: fix longopt recognition and workaround getopt(3) behavior
      Revert "Revert "libxtables: change option precedence order to be intuitive""
      Merge branch 'master' of git://dev.medozas.de/iptables into m2
      iptables: reset options at the start of each command
      iptables: do not emit orig_opts twice
      include: update files with headers from Linux 2.6.37-rc1
      TPROXY: add support for revision 1
      socket: add support for revision 1
      build: fix globbing of extensions in other locales
      libxt_owner: output numeric IDs when save is requested
      Merge commit 'v1.4.10'
      build: stop on error in subcommand
      src: const annotations
      xt_comment: remove redundant cast
      src: use C99/POSIX types
      iptables: abort on empty interface specification
      xtables: reorder num_old subtraction for clarity
      ip[6]tables: only call match's parse function when option char is in range
      ip[6]tables: only call target's parse function when option char is in range
      extensions: remove no longer necessary default: cases
      libxt_sctp: fix a typo
      libipt_CLUSTERIP: const annotations
      libxtables: do some option structure checking
      libxt_quota: print negation when it has been selected
      libxt_connlimit: reword help text to say prefix length
      libxt_connlimit: add a --connlimit-upto option
      libxt_connlimit: support for dstaddr-supporting revision 1
      libxt_connlimit: remove duplicate member that caused size change
      libxt_quota: clarifications on matching
      iptables: improve error reporting with extension loading troubles
      libxt_u32: enclose argument in quotes
      xtables: set custom opts to NULL on free
      iptables: warn when parameter limit is exceeded
      iptables: remove bogus address-of
      iptables: remove more redundant casts
      iptables: do not print trailing whitespaces
      src: collect do_command variables in a struct
      src: move large default: block from do_command6 into its own function
      src: share iptables_command_state across the two programs
      src: deduplicate find_proto function
      src: move OPT_FRAGMENT to the end so the list can be shared
      src: put shared option flags into xshared
      src: deduplicate and simplify implicit protocol extension loading
      src: unclutter command_default function
      src: move jump option handling from do_command6 into its own function
      src: move match option handling from do_command6 into its own functions
      iptables: fix error message for unknown options
      iptables: fix segfault target option parsing
      ip6tables: spacing fixes for -o argument
      libxt_devgroup: option whitespace update following v1.4.10-49-g7386635
      extensions: fix indent of vtable
      doc: fix wrong sentence about negation in xt_limit
      doc: fix misspelling of "field"
      extensions: remove redundant init functions
      Remove unused CVS expanded keywords
      libip6t_dst: remove unimplemented --dst-not-strict
      libip6t_hbh: remove unimplemented --hbh-not-strict
      extensions: add missing checks for specific flags
      libipt_ECN: set proper option flags
      doc: mention other possible nf_loggers for TRACE
      doc: fix odd partial sentence in libipt_TTL
      libxt_quota: require --quota to be specified
      doc: rateest options can be optional
      libxtables: fix memory scribble beyond end of array
      iptables: fix an inversion
      doc: add VERSION section to manpages
      extensions: add missing checks for specific flags (2)
      libxtables: guided option parser
      libxt_CHECKSUM: use guided option parser
      libxt_socket: use guided option parser
      libxtables: provide better final_check
      libxt_CONNSECMARK: use guided option parser
      libxtables: XTTYPE_UINT32 support
      libxt_cpu: use guided option parser
      libxtables: min-max option support
      libxt_cluster: use guided option parser
      libxtables: XTTYPE_UINT8 support
      libip[6]t_HL: use guided option parser
      libip[6]t_hl: use guided option parser
      libxtables: XTTYPE_UINT32RC support
      libip[6]t_ah: use guided option parser
      libip6t_frag: use guided option parser
      libxt_esp: use guided option parser
      libxtables: XTTYPE_STRING support
      libip[6]t_REJECT: use guided option parser
      libip6t_dst: use guided option parser
      libip6t_hbh: use guided option parser
      libip[6]t_icmp: use guided option parser
      libip6t_ipv6header: use guided option parser
      libipt_ECN: use guided option parser
      libipt_addrtype: use guided option parser
      libxt_AUDIT: use guided option parser
      libxt_CLASSIFY: use guided option parser
      libxt_DSCP: use guided option parser
      libxt_LED: use guided option parser
      libxt_SECMARK: use guided option parser
      libxt_TCPOPTSTRIP: use guided option parser
      libxt_comment: use guided option parser
      libxt_helper: use guided option parser
      libxt_physdev: use guided option parser
      libxt_pkttype: use guided option parser
      libxt_state: use guided option parser
      libxt_time: use guided option parser
      libxt_u32: use guided option parser
      doc: avoid duplicate entries in manpage
      libxtables: XTTYPE_MARKMASK32 support
      libxt_MARK: use guided option parser
      libxt_CONNMARK: use guided option parser
      libxtables: XTTYPE_UINT64 support
      libxt_quota: use guided option parser
      libxtables: linked-list name<->id map
      libxt_devgroup: use guided option parser
      libipt_realm: use guided option parser
      libxtables: XTTYPE_UINT16RC support
      libxt_length: use guided option parser
      libxt_tcpmss: use guided option parser
      libxtables: XTTYPE_UINT8RC support
      libxtables: XTTYPE_UINT64RC support
      libxt_connbytes: use guided option parser
      libxtables: XTTYPE_UINT16 support
      libxt_CT: use guided option parser
      libxt_NFQUEUE: use guided option parser
      libxt_TCPMSS: use guided option parser
      libxtables: pass struct xt_entry_{match,target} to x6 parser
      libxt_string: use guided option parser
      libxtables: XTTYPE_SYSLOGLEVEL support
      libip[6]t_LOG: use guided option parser
      libxtables: XTTYPE_ONEHOST support
      libxtables: XTTYPE_PORT support
      libxt_TPROXY: use guided option parser
      libipt_ULOG: use guided option parser
      build: bump libxtables ABI version
      libxt_TEE: use guided option parser
      xtoptions: respect return value in xtables_getportbyname
      libxt_TOS: use guided option parser
      libxt_tos: use guided option parser
      extensions: remove unused TOS code
      libxtables: XTTYPE_PORTRC support
      libxt_udp: use guided option parser
      libxt_dccp: use guided option parser
      libxt_tos: add inversion support back again
      libxtables: fix assignment in wrong offset (XTTYPE_UINT*RC)
      libxt_u32: add missing call to xtables_option_parse
      extensions: remove bogus use of XT_GETOPT_TABLEEND
      libxt_owner: remove ifdef IPT_COMM_OWNER
      libxtables: output name of extension on rev detect failure
      extensions: const annotations
      libxt_statistic: streamline and document possible placement of negation
      libxt_statistic: increase precision on create and dump
      libxtables: XTTYPE_DOUBLE support
      libxt_statistic: use guided option parser
      libxt_IDLETIMER: use guided option parser
      libxt_NFLOG: use guided option parser
      libxtables: support for XTTYPE_PLENMASK
      libxt_connlimit: use guided option parser
      libxt_recent: use guided option parser
      libxtables: do not overlay addr and mask parts, and cleanup
      libxtables: flag invalid uses of XTOPT_PUT
      libxtables: XTTYPE_PLEN support
      libxt_hashlimit: use guided option parser
      libxtables: XTTYPE_HOSTMASK support
      libxt_policy: use guided option parser
      libxt_owner: use guided option parser
      libxt_osf: use guided option parser
      libxt_multiport: use guided option parser
      libipt_NETMAP: use guided option parser
      libxt_limit: use guided option parser
      libxtables: XTTYPE_PROTOCOL support
      libxt_ipvs: use guided option parser
      doc: S/DNAT allows to omit IP addresses
      libxt_conntrack: use guided option parser
      libip6t_mh: use guided option parser
      libip6t_rt: use guided option parser
      libxtables: XTTYPE_ETHERMAC support
      libxt_mac: use guided option parser
      libipt_CLUSTERIP: use guided option parser
      libxt_iprange: use guided option parser
      libipt_DNAT: use guided option parser
      libipt_SNAT: use guided option parser
      libipt_MASQUERADE: use guided option parser
      libipt_REDIRECT: use guided option parser
      libipt_SAME: use guided option parser
      src: replace old IP*T_ALIGN macros
      src: combine default_command functions
      libxt_policy: option table fixes, improved error tracking
      libxtables: avoid running into .also checks when option not used
      libxt_policy: use XTTYPE_PROTOCOL type
      libxtables: collapse double protocol parsing
      libipt_[SD]NAT: flag up module name on error
      libipt_[SD]NAT: avoid false error about multiple destinations specified
      libxt_conntrack: correct printed module name
      libxt_conntrack: fix assignment to wrong member
      libxt_conntrack: resolve erroneous rev-2 port range message
      libip6t_rt: rt-0-not-strict should take no arg
      libxtables: retract _NE types and use a flag instead
      libxt_quota: readd missing XTOPT_PUT request
      libxtables: check for negative numbers in xtables_strtou*
      libxt_rateest: streamline case display of units
      doc: add some coded option examples to libxt_hashlimit
      doc: make usage of libxt_rateest more obvious
      doc: clarify that -p all is a special keyword only
      doc: use .IP list for TCPMSS
      doc: remove redundant .IP calls in libxt_time
      libxt_ipvs: restore network-byte order
      libxt_u32: --u32 option is required
      libip6t_rt: restore --rt-type storing
      libxtables: more detailed error message on multi-int parsing
      libxtables: use uintmax for xtables_strtoul
      libxtables: make multiint parser have greater range
      libxtables: unclutter xtopt_parse_mint
      libxtables: have xtopt_parse_mint interpret partially-spec'd ranges
      libxt_NFQUEUE: avoid double attempt at parsing
      libxt_NFQUEUE: add mutual exclusion between qnum and qbal
      libxt_time: always ignore libc timezone
      libxt_time: --utc and --localtz are mutually exclusive
      libxt_time: deprecate --localtz option, document kernel TZ caveats

Jozsef Kadlecsik (3):
      Fix listing/saving the new revision of the SET target
      Fix set match/target direction parser
      SET target revision 2 added

Li Yewang (1):
      xtables: fix typo in error message of xtables_register_match()

Lutz Jaenicke (2):
      libipt_REDIRECT: "--to-ports" is not mandatory
      libxt_devgroup: actually set XT_DEVGROUP_OPT_???GROUP flags

Maciej Zenczykowski (20):
      man pages: allow underscores in match and target names
      mark newly opened fds as FD_CLOEXEC (close on exec)
      xtables_ip6addr_to_numeric: fix typo in comment
      xtables: delay (statically built) match/target initialization
      v4: rename init_extensions() to init_extensions4()
      v6: rename init_extensions() to init_extensions6()
      xtables.h: init_extensions() no longer exists
      v4: rename for_each_chain() to for_each_chain4()
      v6: rename for_each_chain() to for_each_chain6()
      v4: rename flush_entries() to flush_entries4()
      v6: rename flush_entries() to flush_entries6()
      v4: rename delete_chain() to delete_chain4()
      v6: rename delete_chain() to delete_chain6()
      v4: rename print_rule() to print_rule4()
      v6: rename print_rule() to print_rule6()
      v4: rename do_command() to do_command4()
      v6: rename do_command() to do_command6()
      move 'int line' definition from ip6?tables.c into xtables.c
      convert ip6?tables-multi to actually use their own header files
      Don't load ip6?_tables module when already loaded

Maciej Żenczykowski (3):
      Add --ipv4/-4 and --ipv6/-6 support to ip6?tables{,-restore}.
      Move common parts of libext{4,6}.a into libext.a
      combine ip6?tables-multi into xtables-multi

Mark Montague (1):
      iptables: documentation for iptables and ip6tables "security" tables

Max Kellerman (1):
      xtables: use strspn() to check if string needs to be quoted

Pablo Neira Ayuso (1):
      libxt_cluster: fix inversion in the cluster match

Patrick McHardy (16):
      Revert "libxtables: change option precedence order to be intuitive"
      Merge branch 'master' of git://dev.medozas.de/iptables
      extensions: libxt_conntrack: add support for specifying port ranges
      extensions: add extension for devgroup match
      Merge branch 'master' of git://dev.medozas.de/iptables
      Merge branch 'master' of vishnu.netfilter.org:/data/git/iptables
      Merge branch 'opts' of git://dev.medozas.de/iptables
      Merge branch 'opts' of git://dev.medozas.de/iptables
      Merge branch 'floating/opts' of git://dev.medozas.de/iptables
      Merge branch 'opts' of git://dev.medozas.de/iptables
      Merge branch 'opts' of git://dev.medozas.de/iptables
      Merge branch 'master' of git://dev.medozas.de/iptables
      Merge branch 'opts' of git://dev.medozas.de/iptables
      Merge branch 'floating/opts' of git://dev.medozas.de/iptables
      Merge branch 'master' of git://dev.medozas.de/iptables
      Bump version to 1.4.11

Rob Leslie (1):
      iptables-restore: resolve confusing policy error message

Stefan Tomanek (2):
      ip(6)tables-multi: unify subcommand handling
      iptables: add -C to check for existing rules

Stephen Beahm (1):
      libipt_REDIRECT: avoid dereference of uninitialized pointer

Thomas Graf (2):
      libxt_AUDIT: add AUDIT target
      iptables: add manual page section for AUDIT target

Wes Campaigne (4):
      libxtables: avoid confusing use of ai_protocol=IPPROTO_IPV6
      xtables: fix excessive memory allocation in host_to_ipaddr
      xtables: fix the broken detection/removal of redundant addresses
      xtables: use all IPv6 addresses resolved from a hostname



iptables v1.4.10 Changelog:
======================================================================
Changes from 1.4.9:


Changli Gao (1):
      libxt_quota: don't ignore the quota value on deletion

Eric Dumazet (2):
      extensions: REDIRECT: add random help
      extension: add xt_cpu match

Hannes Eder (1):
      libxt_ipvs: user-space lib for netfilter matcher xt_ipvs

Jan Engelhardt (11):
      doc: let man(1) autoalign the text in xt_cpu
      doc: remove extra empty line from xt_cpu
      doc: minimal spelling updates to xt_cpu
      all: consistent syntax use in struct option
      doc: consistent use of markup
      xtables: remove unnecessary cast
      build: fix static linking
      iptables-xml: resolve compiler warnings
      iptables: limit chain name length to be consistent with targets
      libiptc: build with -Wl,--no-as-needed
      libiptc: add Libs.private to pkgconfig files

Luciano Coelho (2):
      extensions: add idletimer xt target extension
      extensions: libxt_IDLETIMER: use xtables_param_act when checking options

Michael S. Tsirkin (1):
      extensions: libxt_CHECKSUM extension

Patrick McHardy (6):
      extensions: libipt_LOG/libip6t_LOG: support macdecode option
      extensions: fix compilation of the new CHECKSUM target
      Merge branch 'master' into iptables-next
      Merge branch 'master' into iptables-next
      Merge branch 'iptables-next'
      Bump version to 1.4.10



iptables v1.4.9 Changelog:
======================================================================
Changes from 1.4.8:


Adam Nielsen (1):
      extensions: add the LED target

Eric Dumazet (1):
      extensions: REDIRECT: add random help

Jan Engelhardt (10):
      utils: add missing include flags to Makefile
      doc: xt_string: correct copy-and-pasting in manpage
      doc: xt_hashlimit: fix a typo
      doc: xt_LED: nroff formatting requirements
      includes: sync header files from Linux 2.6.35-rc1
      xtables: another try at chain name length checking
      xtables: remove xtables_set_revision function
      libxt_hashlimit: always print burst value
      libxt_conntrack: do print netmask
      xt_quota: also document negation

Jozsef Kadlecsik (1):
      libxt_set: new revision added

Luciano Coelho (2):
      extensions: libxt_rateest: fix typo in the man page
      extensions: libxt_rateest: fix bps options for iptables-save

Patrick McHardy (5):
      Revert "Revert "Merge branch 'iptables-next'""
      Merge branch 'master' of git://dev.medozas.de/iptables
      Merge branch 'master' of git://dev.medozas.de/iptables
      Merge branch 'master' of vishnu.netfilter.org:/data/git/iptables
      Bump version to 1.4.9

Samuel Ortiz (1):
      extensions: libxt_quota.c: Support option negation

Shan Wei (2):
      xt_sctp: Trace DATA chunk that supports SACK-IMMEDIATELY extension
      xt_sctp: support FORWARD_TSN chunk type



iptables v1.4.8 Changelog:
======================================================================
Changes from 1.4.7:


Dmitry V. Levin (3):
      extensions: REDIRECT: fix --to-ports parser
      iptables: add noreturn attribute to exit_tryhelp()
      extensions: MASQUERADE: fix --to-ports parser

Jan Engelhardt (9):
      libxt_comment: avoid use of IPv4-specific examples
      libxt_CT: add a manpage
      iptables: correctly check for too-long chain/target/match names
      doc: libxt_MARK: no longer restricted to mangle table
      doc: remove claim that TCPMSS is limited to mangle
      libxt_recent: add a missing space in output
      doc: add manpage for libxt_osf
      libxt_osf: import nfnl_osf program
      extensions: add support for xt_TEE

Karl Hiramoto (1):
      iptables: optionally disable largefile support

Pablo Neira Ayuso (1):
      CT: fix --ctevents parsing

Patrick McHardy (7):
      extensions: add CT extension
      libxt_CT: print conntrack zone in ->print/->save
      Merge branch 'master' of git://dev.medozas.de/iptables into iptables-next
      xtables: fix compilation when debugging is enabled
      Merge branch 'iptables-next'
      Revert "Merge branch 'iptables-next'"
      Bump version to 1.4.8

Simon Lodal (1):
      libxt_conntrack: document --ctstate UNTRACKED

Vincent Bernat (1):
      iprange: fix xt_iprange v0 parsing



iptables v1.4.7 Changelog:
======================================================================
Changes from 1.4.6:


Dmitry V. Levin (1):
      libip4tc: Add static qualifier to dump_entry()

Jan Engelhardt (8):
      libipq: build as shared library
      recent: reorder cases in code (cosmetic cleanup)
      doc: fix recent manpage to reflect actual supported syntax
      doc: fix limit manpage to reflect actual supported syntax
      doc: mention requirement of additional packages for ipset
      policy: fix error message showing wrong option
      includes: header updates
      Lift restrictions on interface names

Patrick McHardy (1):
      iptables 1.4.7



iptables v1.4.6 Changelog:
======================================================================
Changes from 1.4.5:


Jan Engelhardt (20):
      iptables: manpage updates for augmented -Z syntax
      doc: mention maximum mark size in manpages
      Support for nommu arches
      realm: remove static initializations
      libiptc: remove unused functions
      libiptc: avoid strict-aliasing warnings
      iprange: do accept non-ranges for xt_iprange v1
      iprange: warn on reverse range
      iprange: roll address parsing into a loop
      iprange: do accept non-ranges for xt_iprange v1 (log)
      iprange: warn on reverse range (log)
      libiptc: fix wrong maptype of base chain counters on restore
      iptables: fix undersized deletion mask creation
      style: reduce indent in xtables_check_inverse
      libxtables: hand argv to xtables_check_inverse
      iptables/extensions: make bundled options work again
      CONNMARK: print mark rules with mask 0xffffffff as set instead of xset
      iptables: take masks into consideration for replace command
      doc: explain experienced --hitcount limit
      doc: name resolution clarification

Mohit Mehta (1):
      iptables: expose option to zero packet/byte counters for a specific rule

Olaf Rempel (1):
      build: restore --disable-ipv6 functionality on system w/o v6 headers

Patrick McHardy (7):
      Merge branch 'zero' of git://dev.medozas.de/iptables
      MARK: print mark rules with mask 0xffffffff as --set-mark instead of --set-xmark
      DNAT: fix incorrect check during parsing
      extensions: add osf extension
      conntrack: fix --expires parsing
      Merge branch 'master' of git://dev.medozas.de/iptables
      Bump version to v1.4.6

Tim Small (1):
      doc: update TCPMSS manpage with Linux 2.6.25 changes

sobtwmxt (1):
      doc: fix typo in length manpage



iptables v1.4.5 Changelog:
======================================================================
Changes from 1.4.4:


Florian Westphal (1):
      libxt_NFQUEUE: add new v1 version with queue-balance option

Jan Engelhardt (18):
      xt_conntrack: revision 2 for enlarged state_mask member
      libxt_helper: fix invalid passed option to check_inverse
      libiptc: split v4 and v6
      extensions: collapse registration structures
      iptables: allow for parse-less extensions
      iptables: allow for help-less extensions
      extensions: remove empty help and parse functions
      xtables: add multi-registration functions
      extensions: collapse data variables to use multi-reg calls
      xtables: warn of missing version identifier in extensions
      COMMIT_NOTES: notice to check for soversion bumps
      build: order of dependent libs is sensitive
      multi binary: allow subcommand via argv[1]
      build: fix struct size mismatch
      build: combine iptables-multi and iptables-static
      build: build only iptables-multi
      Merge branch 'stable'
      manpages: more fixes to minuses, hyphens, dashes

Laurence J. Lane (1):
      manpage: fix lintian warnings

Michael Granzow (1):
      iptables: accept multiple IP address specifications for -s, -d

Patrick McHardy (2):
      man: fix incorrect plural in libipt_set.man
      Bump version number to 1.4.5

Trent W. Buck (1):
      ipt_set: fix a typo in the manpage


iptables v1.4.4 Changelog:
======================================================================
Changes from 1.4.3.2:


Frank Tobin (1):
      libxt_tcp: fix a manpage syntax typo

Ian Bruce (1):
      libxt_tcp: manpage corrections and suggestions

Jan Engelhardt (15):
      Add new COMMIT_NOTES document
      xtables: use extern "C"
      extensions: add const qualifiers in print/save functions
      iptables: replace open-coded sizeof by ARRAY_SIZE
      addrtype: fix one manpage type
      manpages: do not include v4-only modules in ip6tables manpage
      libip6t_policy: remove redundant functions
      policy: use direct xt_policy_info instead of ipt/ip6t
      policy: merge ipv6 and ipv4 variant
      build: fix manpage collection
      extensions: use NFPROTO_UNSPEC for .family field
      DNAT/SNAT: add manpage documentation for --persistent flag
      extensions: remove redundant casts
      iptables: close open file descriptors
      manpages: markup corrections

Jozsef Kadlecsik (1):
      Updated set/SET match and target to support multiple ipset protocols.

Pablo Neira Ayuso (2):
      extensions: add `cluster' match support
      xtables: fix segfault if incorrect protocol name is used

Patrick McHardy (3):
      SNAT/DNAT: add support for persistent multi-range NAT mappings
      Merge branch 'stable' of git://dev.medozas.de/iptables
      Bump version

kd6lvw (1):
      libxt_connlimit: initialize v6_mask



iptables v1.4.3.2 Changelog:
======================================================================
Changes from 1.4.3.1:


Jan Engelhardt (12):
      libxt_tcpmss: fix an inversion while parsing --mss
      iptables-multi: support "iptables-static" as a callable name
      libxtables: reorder .version member
      build: do not run ldconfig for DESTDIR installations
      build: add configure option to disable ip6tables
      build: add configure option to disable ipv4 iptables
      libxtables: provide IPv6 zero address variable
      iptables: print negation extrapositioned
      Merge commit 'v1.4.3'
      Merge branch 'plus'
      CLASSIFY: document non-standard interpretation behavior
      libxt_conntrack: properly output negation symbol

Pablo Neira Ayuso (1):
      build: bump version to 1.4.3.2


iptables v1.4.3.1 Changelog:
======================================================================
Changes from 1.4.3:


Jan Engelhardt (2):
      iptables-save: minor corrections to the manpage markup
      libxt_hashlimit: add missing space for iptables-save output

Pablo Neira Ayuso (2):
      build: bump version to 1.4.3.1
      iptables: refer to dmesg if we hit EINVAL

Peter Volkov (2):
      libxtables: fix compile error due to incomplete change
      build: fix linker issue when LDFLAGS contains --as-needed



iptables v1.4.3 Changelog:
======================================================================
Changes from 1.4.2:


Bart De Schuymer (1):
      man: fix physdev manpage

Christian Perle (1):
      libxt_policy: cannot set spi/reqid numbers higher than 0x7fffffff

Christoph Paasch (1):
      libiptc: avoid compile warnings for iptc_insert_chain

Daniel Drake (1):
      libxt_owner: add more spaces to output

Eric Leblond (1):
      xt_NFLOG: Set default NFLOG qthreshold to 0

Jamal Hadi Salim (12):
      libxtables: Introduce global params structuring
      libxtables: define xtables_free_opts()
      libxtables: Add exit_error cb to xtables_globals
      libxtables: Make ip6tables, iptables and iptables-xml use xtables_globals
      libxtables: Replace direct exit_error() calls inside libxtables
      libxtables: simple aliasing macro for exit_error
      libxtables: set names of programs
      libxtables: add xtables_set_revision
      libxtables: make iptables and ip6tables use xtables_free_opts
      libxtables: consolidate merge_options into xtables_merge_options
      libxtables: consolidate init calls into one function
      libxtables: general follow-up cleanup

Jan Engelhardt (84):
      Move libipt_recent to libxt_recent
      libxt_recent: add IPv6 support
      manpage: use separate paragraphs for command syntax
      manpage: explain what rule-specification is
      libiptc: remove typedef indirection
      libiptc: remove indirections
      libiptc: remove unused iptc_get_raw_socket and iptc_check_packet
      libiptc: use hex output for hookmask
      libxt_conntrack: respect -n option during ruledump
      libiptc: make sockfd a per-handle thing
      libxt_conntrack: dump ctdir
      src: reuse the global modprobe_program variable
      src: use NFPROTO_ constants
      src: remove inclusion of iptables.h
      doc: fix a typo in libip6t_REJECT.man
      libiptc: guard chain index allocation for different malloc implementations
      src: remove unused include files
      iptables-save: output ! in position according to manpage
      rateest: guard against segfault
      env: augment deprecation notice
      build: resolve autotools suggestions
      doc: put iptables version into manpage
      doc: resynchronize markup in iptables,ip6tables.8.in
      doc: escape minus sign in manpages
      build: use regular = assignments in Makefile
      build: remove non-portable rule
      doc: escape minus sign in manpage (2)
      doc: augment ICMP manpage by type/code syntax
      src: remove redundant returns at end of void-returning functions
      src: remove redundant casts
      libxt_owner: use correct UID/GID boundaries
      extensions: use UINT_MAX constants over open-coded bits (1/2)
      extensions: use UINT_MAX constants over open-coded numbers (2/2)
      libxtables: prefix/order - fw_xalloc
      libxtables: prefix/order - modprobe and xtables.ko loading
      libxtables: prefix/order - match/target loading
      libxtables: prefix/order - libdir
      libxtables: prefix/order - strtoui
      libxtables: prefix/order - program_name
      libxtables: prefix/order - param_act
      libxtables: prefix/order - ipaddr/ipmask to ascii output
      libxtables: prefix/order - ascii to ipaddr/ipmask input
      libxtables: prefix - misc functions
      libxtables: prefix - parse and escaped output func
      libxtables: prefix/order - move check_inverse to xtables.c
      libxtables: prefix/order - move parse_protocol to xtables.c
      libxtables: prefix names and order it #1
      libxtables: prefix names and order it #2
      libxtables: prefix names and order #3
      libxtables: move afinfo around
      Merge branch 'origin/master'
      libxtables: recognize IP6TABLES_LIB_DIR old-style environment variable
      build: move -ldl to proper LDADD
      libxtables: remove unused XT_LIB_DIR macro
      libxtables: decouple non-xtables parts from header
      src: remove iptables_rule_match indirection macro
      src: remove unused ipt_tryload macro
      libxtables: move compat defines to xtables.c
      src: consolidate duplicate code in iptables/internal.h
      libxtables: use const for vars holding literals
      libxt_string: fix undefined behavior/incorrect patlen calculation
      libxtables: flush before fork
      libipq: add missing doc for NF_ values
      build: restructure Makefile for include/ directory
      libipq: fix compile error
      build: remove unneeded -ldl from iptables_xml_LDADD
      libiptc: make library available as a shared library
      build: trigger reconfigure when extensions/GNUmakefile.in changes
      doc: do not put IPv4 doc into ip6tables.8
      doc: resynchronize manpage with in-code help
      libxtables: inline and remove unused OPTION_OFFSET macro
      libxtables: prefix exit_error to xtables_error
      extensions: remove unwanted/add needed includes for IPv6 exts
      extensions: remove unwanted/add needed includes for IPv4 exts
      libxt_policy: use bounded strtoui
      include: resynchronize headers with 2.6.29-rc5
      extensions: add missing limits.h include
      iptables: turn deprecation warning into enforcing mode
      Merge commit 'nf/master'
      libxt_connbytes: minor manpage adjustments
      libxt_connbytes: document nf_ct_acct behavior
      libxtables: add -I/-L flags to pkgconfig files
      libxt_comment: output quotes must be escaped in
      iptables-save: module loading corrections

Jesper Dangaard Brouer (3):
      libiptc: fix chain rename bug in libiptc
      libiptc: fix whitespaces and typos
      libiptc: give credits to my self

Jir Moravec (1):
      libxt_TOS: fix compilation error

KOVACS Krisztian (2):
      Add iptables support for the TPROXY target
      Add iptables support for the socket match

Marc Fournier (1):
      doc: fix option typo in libxt_multiport

Pablo Neira Ayuso (5):
      iptables: fix error reporting with wrong/missing arguments
      state: report spaces in the state list parsing
      iptables: refer to dmesg when we hit error
      string: fix wrong pattern length calculation
      iptables: fix broken options-merging during libxtables rework

Patrick McHardy (5):
      Add SCTP/DCCP support to NAT targets
      Bump version to 1.4.3-rc1
      Merge branch 'master' of git://dev.medozas.de/iptables
      Merge branch 'master' of git://dev.medozas.de/iptables
      Bump version to 1.4.3

Shaul Karl (1):
      doc: fix one layout issue in iptables-restore.8

Stephen Hemminger (1):
      iptables: Add limits.h to get INT_MIN, INT_MAX, ...

Thomas Jarosch (2):
      Fix compile error in libxt_iprange.c using gcc 4.3.2
      Fix compile warnings using gcc 4.3.2


iptables v1.4.2 Changelog:
======================================================================
Changes from 1.4.2-rc1:

Jan Engelhard (1):
	build: fix iptables-static build

Jan Engelhardt (26):
	build: do not install ip{,6}tables.h
	Merge branch 'master' of vishnu.netfilter.org:/data/git/iptables
	manpages: name and markup fixes
	src: remove dependency on libiptc headers
	src: drop libiptc from installation
	iptables-restore: fix segmentation fault with -tanything
	libxt_recent: do not allow both --set and --rttl
	Put xtables.c into its own library, libxtables.so
	manpages: correct erroneous markup
	physdev: remove extra space in output
	Warn about use of DROP in nat table
	Synchronize invert flag order with manpages
	build: fix dependency tracking for xtables.h.in
	build: fix initext.c dependency
	manpages: add missing --rsource,--rdest options to libxt_recent.man
	manpages: add missing rateest documentation
	manpages: add missing rateest match documentation
	libxt_mac: flatten casts in libxt_mac
	libxt_iprange: fix option names
	src: use regular includes
	src: Update comments
	build: prepare make tarball for git 1.6.0
	libxt_recent: do allow --rttl for --update
	src: update comments part II
	build: run ldconfig on `make install`
	doc: remove mentions of NAT in ip6tables manpage

Jesper Dangaard Brouer (1):
	libiptc: remove old fixme

Pablo Sebastian Greco (1):
	mark: fix invalid iptables-save output

Patrick McHardy (2):
	manpages: fix another typo in tcp manpage
	v1.4.2

Phil Oester (3):
	iptables-save: fix hashlimit output
	libxt_dscp: fix save of negated dscp match rules
	src: Missing limits.h includes

WANG Cong (1):
	manpages: Fix a typo in tcp man page



iptables v1.4.1-rc1 Changelog:
======================================================================
Changes from 1.4.0:

Peter Warasin:
	Fix CONNMARK mask initialisation

Jesper Dangaard Brouer:
	Inline functions iptcc_is_builtin() and set_changed()
	Introduce a counter for number of user defined chains
	Solving scalability issue: for chain list "name" searching

Patrick McHardy:
	Add RATEEST target extension
	Add rateest match extension
	Remove obsolete file
	Add netfilter.h
	Remove compiler.h inclusions
	Retry ruleset dump when kernel returns EAGAIN

Pablo Neira Ayuso:
	Cleanup several code wraparounds
	Check for malloc() return value in merge_opts()
	Check for merge_opts() return value

Jan Engelhardt:
	Converts the iptables build infrastructure to autotools
	Introduce strtonum()
	Introduce common error messages
	Add libxt_owner
	Add libxt_tos
	Add libxt_TOS
	Add libxt_MARK r2
	Add libxt_connmark r1
	Print warning when dlopen fails
	Add libxt_conntrack r0
	Bunch o' renames
	Rename overlapping function names
	Add more libxt_hashlimit checks
	Add libxt_mark r1
	Add libxt_iprange r0
	Add libxt_iprange r1
	Give preference to iptables header files
	Build adjustments
	Add libxt_CONNMARK revision 1
	Add libxt_conntrack revision 1
	libxt_owner: UID/GID range support
	Fix compilation of iptables-static build
	Correct the family member value of libxt_mark revision 1
	Makefile: add a "tarball" target
	Drop -W from CFLAGS and some tiny code cleanups
	Fix -Wshadow warnings and clean up xt_sctp.h
	Update the libxt_owner manpage with the UID/GID-range feature
	Fix all remaining warnings (missing declarations, missing prototypes)
	xtables.h: move non-exported parts to internal.h
	Add support for xt_hashlimit match revision 1
	Combine IP{,6}T_LIB_DIR into XTABLES_LIBDIR
	manpages: fix broken markup (missing close tags)
	manpages: grammar and spelling
	manpages: update to reflect fine-grained control
	configure: split --enable-libipq from --enable-devel
	Import iptables-apply
	Add all necessary header files - compilation fix for various cases
	Install libiptc header files because xtables.h depends on it
	iptables: use C99 lists for struct options
	RATEEST: add manpage
	Implement AF_UNSPEC as a wildcard for extensions
	Combine ipt and ip6t manpages
	Resolve warnings on 64-bit compile
	Wrap dlopen code into NO_SHARED_LIBS
	Remove support for compilation of conditional extensions
	Resolve libipt_set warnings
	Update documentation about building the package
	configure.ac: AC_SUBST must be separate
	Dynamically create xtables.h.in with version
	configure.ac: remove already-defined variables
	Remove old functions, constants
	Properly initialize revision for ip6tables targets
	Makefile.am: use PACKAGE_TARNAME
	iptables out-of-tree build directory

Sven Schnelle:
	Add libxt_TCPOPTSTRIP

Max Kellermann:
	Fix REDIRECT manpage
	Whitespace cleanup
	Use size_t
	Escape strings
	Unescape parameters
	Allow empty strings in argument parser
	Fix gcc warnings

Naohiro Ooiwa:
	Fix define value of SCTP chunk type

Filippo Zangheri:
	Remove useless white spaces from iptables-xml manpages

James King:
	libxt_iprange: Fix IP validation logic

Shan Wei:
	iptables-save: remove unnecessary code

Henrik Nordstrom:
	Make iptables-restore usable over a pipe
	Add support for --set-counters to iptables -P
	iptables --list-rules command
	iptables --list chain rulenum
	Make --set-counters (-c) accept comma separated counters

Jamie Strandboge:
	Fix ip6tables dest address printing



iptables v1.4.1.1 Changelog
=====================================================================

Henrik Nordstrom (1):
	iptables: fix printing of line numbers with --line-numbers arg

Jan Engelhardt (3):
	ip6tables: fix printing of ipv6 network masks
	build: fix `make install` when --disable-shared is used
	iprange: kernel flags were not set

Patrick McHardy (1):
	v1.4.1.1



iptables v1.4.1 Changelog
======================================================================

Filippo Zangheri (1):
	removes useless white spaces from iptables-xml manpages.

Gáspár Lajos (1):
	iptables: use C99 lists for struct options

Henrik Nordstrom (5):
	Make iptables-restore usable over a pipe
	Add support for --set-counters to iptables -P
	iptables --list-rules command
	iptables --list chain rulenum
	Make --set-counters (-c) accept comma separated counters

James King (1):
	[IPTABLES]: libxt_iprange: Fix IP validation logic

Jamie Strandboge (1):
	fix ip6tables dest address printing

Jan Engelhardt (55):
	Converts the iptables build infrastructure to autotools.
	Introduce strtonum(), which works like string_to_number(), but passes
	common error messages
	libxt_owner
	libxt_tos
	libxt_TOS
	libxt_MARK r2
	libxt_connmark r1
	print warning when dlopen fails
	libxt_conntrack r0
	bunch o' renames
	rename overlapping function names
	libxt_hashlimit checks
	libxt_mark r1
	libxt_iprange r0
	libxt_iprange r1
	Give preference to iptables header files
	Build adjustments
	libxt_CONNMARK revision 1
	[IPTABLES]: libxt_conntrack revision 1
	[IPTABLES]: libxt_owner: UID/GID range support
	Fix compilation of iptables-static build
	Correct the family member value of libxt_mark revision 1
	Makefile: add a "tarball" target
	Drop -W from CFLAGS and some tiny code cleanups
	Fix -Wshadow warnings and clean up xt_sctp.h
	Update the libxt_owner manpage with the UID/GID-range feature
	Fix all remaining warnings (missing declarations, missing prototypes)
	xtables.h: move non-exported parts to internal.h
	Add support for xt_hashlimit match revision 1
	Combine IP{,6}T_LIB_DIR into XTABLES_LIBDIR
	manpages: fix broken markup (missing close tags)
	manpages: grammar and spelling
	manpages: update to reflect fine-grained control
	configure: split --enable-libipq from --enable-devel
	Add all necessary header files - compilation fix for various cases
	Install libiptc header files because xtables.h depends on it
	RATEEST: add manpage
	Implement AF_UNSPEC as a wildcard for extensions
	Combine ipt and ip6t manpages
	Resolve warnings on 64-bit compile
	Wrap dlopen code into NO_SHARED_LIBS
	Remove support for compilation of conditional extensions
	Resolve libipt_set warnings
	Update documentation about building the package
	configure.ac: AC_SUBST must be separate
	Dynamically create xtables.h.in with version
	configure.ac: remove already-defined variables
	Remove old functions, constants
	Makefile.am: use PACKAGE_TARNAME
	iptables out-of-tree build directory
	Update .gitignore
	build: check for missing feature files
	libxt_owner: add spaces to output
	manpage updates

Jesper Dangaard Brouer (3):
	Inline functions iptcc_is_builtin() and set_changed().
	Introduce a counter for number of user defined chains.
	Solving scalability issue: for chain list "name" searching.

Kristof Provost (1):
	REDIRECT: Allow symbolic port in REDIRECT --to-port

Laszlo Attila Toth (1):
	addrtype match: added revision 1

Lutz Jaenicke (1):
	Fix iptables-save output of libxt_owner match

Martin F. Krafft (1):
	Import iptables-apply

Max Kellermann (7):
	Fix REDIRECT manpage
	whitespace cleanup
	use size_t
	escape strings
	unescape parameters
	allow empty strings in argument parser
	fix gcc warnings

Naohiro Ooiwa (1):
	Fix define value of SCTP chunk type.

Pablo Neira Ayuso (2):
	- cleanup several code wraparounds
	bump iptables version to prepare 1.4.1 release

Patrick McHardy (16):
	Add RATEEST target extension
	Add rateest match extension
	Remove obsolete file
	Add netfilter.h
	Remove compiler.h inclusions.
	Retry ruleset dump when kernel returns EAGAIN.
	Properly initialize revision for ip6tables targets
	Bump version to 1.4.1-rc1
	iptables 1.4.1-rc2
	manpages: consistent syntax
	Resync header files with kernel
	Bump version
	libiptc: move variable definitions to head of function
	iptables-xml: sparse fixes
	sparse warning fixes: integer used as pointer
	v1.4.1

Peter Warasin (1):
	Fix CONNMARK mask initialisation

Shan Wei (1):
	iptables-save:remove unnecessary code.

Sven Schnelle (1):
	libxt_TCPOPTSTRIP

Thomas Jacob (1):
	Don't assume /bin/sh is bash

Thomas Jarosch (1):
	Add xtables version defines.

Yasuyuki Kozakai (1):
	Use s6_addr32 to access bits in int6_addr instead of incompatible name



iptables v1.4.0 Changelog
======================================================================
Changes from 1.4.0rc1:

- Don't use dlfcn.h if NO_SHARED_LIBS is defined
	[ Mike Frysinger ]

- Fix showing help text for matches/targets with revision as user
	[ Patrick McHardy ]

- Print warnings to stderr
	[ Max Kellermann ]

- Fix sscanf type errors
	[ Patrick McHardy ]

- Always print mask in iptables-save
	[ Jan Engelhardt ]

- Don't silently exit on failure to open /proc/net/{ip,ip6}_tables_names
	[ Victor Stinner ]

- Adds --table to iptables-restore
	[ Peter Warasin ]

- Make DO_MULTI=1 work for ip6tables* binaries
	[ Hann-huei Chiou ]

- Add ip6tables-{save,restore} to non-experimental target, fix strict aliasing
warnings
	[ Patrick McHardy ]

- Introducing libxt_*.man files. Sorted matches and modules
	[ Laszlo Attila Toth ]

- Install ip6tables-{save,restore} manpages
	[ Patrick McHardy ]

- Performance optimization in sorting chain during pull-out
	[ Jesper Dangaard Brouer ]

- Fix sockfd use accounting for kernels without autoloading
	[ Patrick McHardy ]

- use <linux/types.h>
	[ Jan Engelhardt ]

- Fix make/compile error for iptables-1.4.0rc1
	[ Jesper Dangaard Brouer ]

- Fix for --random option in DNAT and REDIRECT
	[ Tom Eastep ]

- Document xt_statistic
	[ Stefano Sabatini ]

- sctp: fix - mistake to pass a pointer where array is required
	[ Li Zefan ]

- Fix connlimit output for inverted --connlimit-above: ! > is <=, not <
	[ Patrick McHardy ]

- Add NFLOG manpage
	[ Patrick McHardy ]

- Move libipt_DSCP.man to libxt_DSCP.man for ip6tables.8
	[ Yasuyuki Kozakai ]

- Unifies libip[6]t_CONNSECMARK.man to libxt_CONNSECMARK.man
	[ Yasuyuki Kozakai ]

- Moves libipt_CLASSIFY.man to libxt_CLASSIFY.man for ip6tables.8
	[ Yasuyuki Kozakai ]

- fix check_inverse() call
	[ Jan Engelhardt ]

- Bump version to 1.4.0 final
	[ Pablo Neira Ayuso ]



iptables v1.4.0rc1 Changelog
======================================================================
Changes from 1.3.8:

- Add support for generic xtables infrastructure (improved IPv6 support!)
	[ Yasuyuki Kozakai ]

- Deletes empty ->final_check() functions
	[ Jan Engelhardt ]

- Fix sparse warnings: non-C99 array declaration, incorrect function prototypes
	[ Patrick McHardy ]

- Remove last vestiges of NFC
	[ Peter Riley ]

- Make @msg argument a const char *, just like printf
	[ Jan Engelhardt ]

- Makes it possible to omit extra_opts of matches/targets if unnecessary
	[ Jan Engelhardt ]

- Fix "iptables getsockopt failed strangely" when querying revisions for non-existent matches and targets
	[ Patrick McHardy ]

- Introduces DEST_IPT_LIBDIR in Makefile
	[ Yasuyuki Kozakai ]

- Change default KERNEL_DIR location and add KBUILD_OUTPUT
	[ Sven Wegener ]

- Removes obsolete KERNEL_64_USERSPACE_32 definitions
	[ Yasuyuki Kozakai ]

- Fix unused function warning
	[ Patrick McHardy ]



iptables v1.3.8 Changelog
======================================================================

- Fix build error of conntrack match
	[Yasuyuki Kozakai]

- Remove whitespace in ip6tables.c
	[Yasuyuki Kozakai]

- `-p all' and `-p 0' should be allowed in ip6tables
	[Yasuyuki Kozakai]

- hashlimit doc update
	[Jan Engelhardt]

- add --random option to DNAT and REDIRECT
	[Patrick McHardy]

- Makefile uses POSIX conform directory check
	[Roy Marples]

- Fix missing newlines in iptables-save/restore output
	[Pavol Rusnak]

- Update quota manpage for SMP
	[Phil Oester]

- Output for unspecified proto is `all' instead of `0'
	[Phil Oester]

- Fix iptables-save with --random option
	[Patrick McHardy]

- Remove unnecessary IP_NAT_RANGE_PROTO_RANDOM ifdefs
	[Patrick McHardy]

- Remove libnsl from LDLIBS
	[Patrick McHardy]

- Fix problem with iptables-restore and quotes
	[Pablo Neira Ayuso]

- Remove unnecessary includes
	[Patrick McHardy]

- Fix --modprobe parameter
	[Maurice van der Pot]

- ip6tables-restore should output error of modprobe after failed to load
	[Yasuyuki Kozakai]

- Add random option to SNAT
	[Eric Leblond]

- Fix missing space in error message
	[Patrick McHardy]

- Fixes for manpages of tcp, udp, and icmp{,6}
	[Yasuyuki Kozakai]

- Add ip6tables mh extension
	[Masahide Nakamura]

- Fix tcpmss manpage
	[Patrick McHardy]

- Add ip6tables TCPMSS extension
	[Arnaud Ebalard]

- Add UDPLITE multiport support
	[Patrick McHardy]

- Fix missing space in ruleset listing
	[Patrick McHardy]

- Remove extensions for unmaintained/obsolete patchlets
	[Patrick McHardy]

- Fix greedy debug grep
	[Patrick McHardy]

- Fix type in manpage
	[Thomas Aktaia]

- Fix compile/install error for iptables-xml with DO_MULTI=1
	[Lutz Jaenicke]



iptables v1.3.7 Changelog
======================================================================

Bugs fixed since 1.3.6:

- Fix compilation error with linux 2.6.19
	[ Patrick McHardy ]

- Fix LOG target segfault with --log-prefix ""
	[ Mike Frysinger, Bugzilla #516 ]

- Fix conflicting getsockopt optname values for IP6T_SO_GET_REVISION_{MATCH,TARGET}
	[ Yasuyuki KOZAKAI ]

- Fix -E (rename) in iptables/ip6tables
	[ Krzysztof Piotr Oledzki ]

- Fix /etc/network usage
	[ Pablo Neira ]

- Fix iptables-save not printing -s/-d ! 0/0
	[ Patrick McHardy ]

- Fix ip6tables-save unnecessarily printing -s/-d options for zero prefix length
	[ Daniel De Graaf ]

New features since 1.3.6:

- Add revision support for ip6tables
	[ Rémi Denis-Courmont ]

- Add port range support for ip6tables multiport match
	[ Rémi Denis-Courmont ]

- Add sctp match extension for ip6tables
	[ Patrick McHardy ]

- Add iptables-xml tool
	[ Amin Azez ]

- Add hashlimit support for ip6tables (needs kernel > 2.6.19)
	[ Patrick McHardy ]

- Use /lib/modules/$(shell uname -r)/build instead of /usr/src/linux to look for kernel source
	[ Patrick McHardy ]

- Add NFLOG target extension for iptables/ip6tables (needs kernel > 2.6.19)
	[ Patrick McHardy ]



iptables v1.3.6 Changelog
======================================================================

Bugs fixed since 1.3.5:

- Fix segfault on loading of invalid counters in ip[6]tables-restore
	[ Bugzilla #437, Olaf Rempel ]

- Fix double-free if a single match is used multiple times within a single rule
	[ Bugzilla #440, Harald Welte ]

- Don't try to resolve "-p all" using getprotoent()
	[ Bugzilla #446, Harald Welte ]

- Refuse never matching protocol specifications for ip6tables
	[ Yasuyuki Kozakai ]

- Fix iptables-save output of osf match
	[ Daniel De Graaf ]

- Fix esp/connbytes detection with newer kernels (x_tables)
	[ Harald Welte ]

- Fix loading of ICMPv6 match shared library
	[ Yasuyuki Kozakai ]

- Refuse invalid esp match SPI ranges
	[ Yasuyuki Kozakai ]

- Fix out-of-bounds memory access when the unsupported "check" command was used
	[ Bugzilla #463, Larry Stefani, Harald Welte ]

- Fix out-of-bounds memory access when the "-c" option was used
	[ Bugzilla #462, Larry Stefani, Harald Welte ]

- Fix "Unknown error 4294967295" message
	[ Bugzilla #460, Patrick McHardy ]

- Use lower-case letters for realm match output
	[ Simon Lodal ]

- Fix example in connlimit manpage
	[ Phil Oester ]

- Refuse IP addresses as arguments to REDIRECT target
	[ Bugzilla #482, Phil Oester ]

- Fix set match negation
	[ Jozsef Kadlecsik ]

- Fix some compiler warnings
	[ Bugzilla #457, Phil Oester ]

- Refuse port ranges in ip6tables multiport match
	[ Bugzilla #451, Phil Oester ]

- Force user to specify --icmpv6-type if icmpv6 match is used
	[ Bugzilla #461, Yasuyuki Kozakai ]

- Fix libiptc symbol clash
	[ Bugzilla #456, Phil Oester ]

- Remove "hoho" message
	[ Pierre-Yves Ritschard ]

- Handle CIDR notation more sanely
	[ Bugzilla #422, Phil Oester ]

- Fix chain reference increment bug
	[ Jesper Brouer ]

- Fix counter clearing for policy counters
	[ Bugzilla #502, Andy Gay ]

- Remove warnings about interface names with non-alphanumeric characters
	[ Patrick McHardy ]

New features since 1.3.5:

- Support multiple matches of the same type within a single rule
	[ Jozsef Kadlecsik ]

- DCCP/SCTP support for multiport match (needs kernel >= 2.6.18)
	[ Patrick McHardy ]

- SELinux SECMARK target (needs kernel >= 2.6.18)
	[ James Morris ]

- SELinux CONNSECMARK target (needs kernel >= 2.6.18)
	[ James Morris ]

- Add documentation for DNAT target :<port> syntax
	[ Evan Miller ]

- Add new exit value to indicate concurrency issues
	[ Jesper Dangaard Brouer ]

- Use gcc to build shared objects
	[ Bugzilla #454, Phil Oester ]

- Update quota match for version in current kernel, fix -D (needs kernel >= 2.6.18)
	[ Phil Oester ]

- Update MARK target documentation to include --and-mask/--or-mask
	[ Eric Leblond ]

- Add support for statistic match (needs kernel >= 2.6.18)
	[ Patrick McHardy ]

- Optionally read realm values from /etc/iproute2/rt_realms
	[ Simon Lodal ]

iptables v1.3.5 Changelog
======================================================================
This version requires kernel >= 2.4.0
This version recommends kernel >= 2.4.18

Bugs fixed from 1.3.4:

- Fix conntrack --ctproto option in iptables-save
	[ Phil Oester ]

- Fix string match '--from' option in iptables-save
	[ Michael Rash ]

- Fix option parser of ttl match
	[ Patrick McHardy ]

- Get rid of gcc-4 warnings
	[ Patrick McHardy ]

- Fix spelling of 'address' in DNAT/SNAT manpage section
	[ MJ Anthony ]

- Fix 'tcp-rst' parsing in REJECT target
	[ Torsten Hilbrich ]

- Fix probing for supported revisions
	[ Jones Desougi ]

- Fix compilation of iptables on [old] systems that don't have IPT_F_GOTO
	[ Harald Welte ]

- Only set revisions on real targets, not on jumps
	[ Pablo Neira ]

- Fix memory leak in TC_COMMIT() of libiptc
	[ Markus Sundberg ]

- Correctly propagate errors of setsockopt to calling function
	[ Harald Welte ]

- Fix connbytes match iptables-save
	[ Unknown ]

- Fix sctp match compilation against recent kernel headers
	[ Harald Welte ]

- Fix conntrack match compilation against 2.4.0 kernel headers
	[ Harald Welte ]

Changes from 1.3.4:

- Add support for ip6tables connmark match and target
	[ Harald Welte ]

- Add support for ip6tables state match
	[ Harald Welte ]

- Add support for new policy ip[6]tables match
	[ Patrick McHardy ]

- Major manpage update
	[ Yasuyuki Kozakai ]

- Remove ippool support, it has been deprecated by ipset long time ago
	[ Harald Welte ]

Please note: Since version 1.2.7a, patch-o-matic is now no longer part of
iptables but rather distributed as a separate package
(ftp://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot)


iptables v1.3.4 Changelog
======================================================================
This version requires kernel >= 2.4.0
This version recommends kernel >= 2.4.18

Bugs fixed from 1.3.3:

- Fix parsing of NFQUEUE queue numbers
	[ Eric Leblond ]

- Add documentation of --queue-num parameter to NFQUEUE manpage
	[ Eric Leblond ]

- Fix 'hash-init' parameter of CLUSTERIP target
	[ KOVACS Krisztian ]

- Fix CONNMARK match and target: Marks are now always 32bit
	[ Deti Fliegl ]

- Print error message when multiple "--to" DNAT/SNAT args are used
  with kernel >= 2.6.10
	[ Phil Oester ]

- Fix compilation of connbytes match with 2.6.14 kernel
	[ Harald Welte ]

- Fix address inversion of conntrack match
	[ Tom Eastep ]

- Fix sorting of chain names
	[ Robert de Barth ]

Changes from 1.3.2:

- Add support for DCCP port and type matching
	[ Harald Welte ]

- Add support for new in-kernel string match
	[ Pablo Neira ]

Please note: Since version 1.2.7a, patch-o-matic is now no longer part of
iptables but rather distributed as a separate package
(ftp://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot)


iptables v1.3.3 Changelog
======================================================================
This version requires kernel >= 2.4.0
This version recommends kernel >= 2.4.18

Bugs fixed from 1.3.2:

- Fix use-after-free in merge_options()
	[ Markus Sundberg ]

- Fix support for SNAT and DNAT to ICMP ID ranges
	[ Patrick McHardy ]

Changes from 1.3.2:

- Add support for new NFQUEUE targets for IPv4 and IPv6
	[ Harald Welte ]

- Minor manpage updates
	[ Harald Welte ]

- Fix numerous gcc-4 warnings throughout the code
	[ Harald Welte ]

Please note: Since version 1.2.7a, patch-o-matic is now no longer part of
iptables but rather distributed as a separate package
(ftp://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot)


iptables v1.3.2 Changelog
======================================================================
This version requires kernel >= 2.4.0
This version recommends kernel >= 2.4.18

Bugs fixed from 1.3.1:

- Fix TCPLAG version
	[ Torsten Luettgert ]

- More error checking in SET target
	[ Michal Pokrywka ]

- Fix optflags value for OPT_LINENUMBERS
	[ Jonas Berlin ]

- Allow NULL init function in ip6tables plugins
	[ Jonas Berlin ]

- Don't allow newlines in LOG prefix
	[ Phil Oester ]

- Introduce ip_conntrack_old_tuple to userspace header copy
	[ Pablo Neira ]

- Fix connbytes command line parsing bug
	[ Piotrek Kaczmarek ]

- Ignore unknown arguments in libipt_ULOG
	[ Patrick McHardy ]

- Correct error in multiport manpage wrt. "--ports"
	[ Rusty Russell ]

- Fix CONNMARK save/restore
	[ Tom Eastep, Pawel Sikora ]

- Make sure chain name doesn't start with '!'
	[ Yasuyuki Kozakai ]

- Prevent user from specifying negative ports in SNAT/DNAT
	[ Yasuyuki Kozakai ]

- Fix deletion of targets where kernel size != userspace size
	[ Pablo Neira ]

- Fix save/restore of '! --uid-owner squid' problem in ip6t_owner
	[ Harald Welte ]

Changes from 1.3.1:

- Add ``--log-uid'' option to ip6t_LOG target
	[ Patrick McHardy ]

- Improve REDIRECT manpage
	[ Jonas Berlin ]

- Add a number of missing manpage snippets
	[ Jonas Berlin ]

- Include FIN bit in mask of "--syn" bits
	[ Harald Welte ]

- Release previously merged options from merge_opts(), reduces memory-usage of
	iptables-restore dramatically
	[ Pablo Neira ]

- OSF: changes to support connector notifications
	[ Evgeniy Polyakov ]

- Reduce code replication of parse_interface()
	[ Yasuyuki Kozakai ]

Please note: Since version 1.2.7a, patch-o-matic is now no longer part of
iptables but rather distributed as a separate package
(ftp://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot)


iptables v1.3.1 Changelog
======================================================================
This version requires kernel >= 2.4.4
This version recommends kernel >= 2.4.18

Bugs fixed from 1.3.0:

- Fix CLUSTERIP rule deletion
	[ Pablo Neira ]

- Fix libip6t_random compilation
	[ Harald Welte ]

- Fix CONNMARK on 32bit userspace / 64bit kernel archs
	[ Pablo Neira ]

Changes from 1.3.0:

- remove bogus NFC_* stuff in iptables
	[ Pablo Neira ]

- libiptc: don't sort builtin chains, restores iptables-1.2.x sort order
	[ Olaf Rempel ]


Please note: Since version 1.2.7a, patch-o-matic is now no longer part of
iptables but rather distributed as a separate package
(ftp://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot)


iptables v1.3.0 Changelog
======================================================================
This version requires kernel >= 2.4.4
This version recommends kernel >= 2.4.18

Bugs fixed from 1.3.0rc1:

- Fix realm match save/restore issue
	[ Harald Welte ]

- Fix hashlimit rule deletion from userspace
	[ Samuel Jean ]

- Fix hashlimit parameter handling / iptables-save
	[ Nikolai Malykh ]

- Fix multiport inversion
	[ Phil Oester ]

Bugs fixed from 1.2.11:

- Fix compilation on systems where /bin/sh != bash
	[ Jozsef Kadlecsik ]

- Fix setting lib_dir in ip*tables-{save,restore}
	[ Martin Josefsson ]

- Fix module-autoloading in certain cases
	[ Harald Welte ]

- libipt_TTL: limit range of valid TTL to 0-255
	[ Maciej Soltysiak ]

- libip6t_HL: limit range of valid HL to 0-255
	[ Maciej Soltysiak ]

- libip{6}t_limit: Fix half-working limit invert check
	[ Phil Oester ]

- libipt_connbytes: Update to use the IP_CONNTRACK_ACCT counters
	[ Harald Welte ]

- libipt_conntrack: Fix typo
	[ Phil Oester ]

- libipt_dstlimit: Fix half-working invert check
	[ Phil Oester ]

- libipt_helper: Prevent user from using --helper multiple times
	[ Nicolas Bouliane ]

- libipt_iprange: Print error message if --dst-range used twice
	[ Nicolas Bouliane ]

- libipt_nth: Fix help message syntax
	[ Harald Welte ]

- libipt_psd: Fix option parsing
	[ Pablo Neira ]

- libipt_random: Fix help message syntax
	[ Harald Welte ]

- libipt_realm: Fix inversion of options
	[ Simon Lodal ]

- libipt_time: Fix C++ style delayed variable definition
	[ Olivier Clerget ]

- libipt_time: Print message about time match not adhering daylight saving
	[ Phil Oester ]

- libipt_tos: Print Error message if --tos is specified twice
	[ Nicolas Bouliane ]

- libipt_ttl: Cleanup ttl option parsing
	[ Phil Oester ]

- libipt_u32: Fix option parsing
	[ Piotr Gasid'o ]


Changes from 1.2.11:

- libiptc: complete rewrite for performance reasons
	[ Harald Welte, Martin Josefsson ]

- introduce "DO_MULTI=1" mode to build a multi-call binary
	[ Bastiaan Bakker ]

- code cleanup, use C99 initializers
	[ Harald Welte, Pablo Neira ]

- Extension revision number support (if kernel supports the getsockopts).
	[ Rusty Russell ]

- Don't need ipt_entry_target()/ip6t_entry_target().
	[ Rusty Russell ]

- Don't re-initialize libiptc/libip6t unless modprobe attempt succeeds.
	[ Rusty Russell ]

- Implement IPTABLES_LIB_DIR and IP6TABLES_LIB_DIR environment variables
	[ Rusty Russell ]

- Add manpage section about 'raw' table
	[ Harald Welte ]


- libip{6}t_ROUTE: add ROUTE --tee mode
	[ Patrick Schaaf ]

- libip{6}t_multiport: Print Error message when `!' is used
	[ Patrick McHardy, Phil Oester ]

- New libip6t_physdev Match
	[ Bart De Schuymer ]

- libipt_CLUSTERIP: Fix compiler warning about const
	[ Harald Welte ]

- libipt_DNAT: Print Error message if `:' is used for port range
- libipt_SNAT: Print Error message if `:' is used for port range
	[ Phil Oester ]

- libipt_LOG: Add --log-uid option
	[ John Lange ]

- libipt_MARK: add bitwise operators
	[ Henrik Nordstrom, Rusty Russell ]

- libipt_SET: Update to ipset2
	[ Jozsef Kadlecsik ]

- libipt_account: Update to 0.1.16
	[ Piotr Gasid'o ]

- New libipt_comment Match
	[ Brad Fisher ]

- New libipt_hashlimit Match, supersedes dstlimit
	[ Harald Welte ]

- libipt_ttl: Use string_to_number()
	[ Rusty Russell ]


Please note: Since version 1.2.7a, patch-o-matic is now no longer part of
iptables but rather distributed as a separate package
(ftp://ftp.netfilter.org/pupatch-o-matic-ng/snapshot)


iptables v1.2.11 Changelog
======================================================================
This version requires kernel >= 2.4.4
This version recommends kernel >= 2.4.18


Bugs Fixed from 1.2.10:

- fix compilation on systems where /bin/sh != bash
	[ Jozsef Kadlecsik ]

Bugs Fixed from 1.2.9:

- physdev match: fix new structure layout for kernel > 2.6.0-test8
	[ Bart De Schuymer ]

- Better 64bit / 32bit split architecture detection
- IPv6 LOG target: Fix compiler warnings on 64bit
- LOG target: Fix compiler warnings on 64bit
- IPv6 MARK target: Use full 64bit mark on 64bit archs
- MARK target: Use full 64bit mark on 64bit archs
- SAME target: Fix 64bit/32bit splitarch problems
- ULOG target: Fix 64bit/32bit splitarch problems
- conntrack match: Fix 64bit/32bit splitarch problem
- IPv6 limit match: Fix 64bit/32bit splitarch problem
- limit match: Fix 64bit/32bit splitarch problem
- IPv6 mark match: Use full 64bit mark on 64bit archs
- mark match: Use full 64bit mark on 64bit archs
- owner match: Fix compiler warnings on 64bit
	[ Martin Josefsson ]

- connbytes match: Fix signedness / unsigned issue
	[ Martin Josefsson ]

- connlimit match: Fix '/0' netmask
	[ David Ahern ]

- ipv6 owner match: fix possibly not zero terminated string
- helper match: fix possibly not zero terminated string
- recent match: fix possibly not zero terminated string
	[ Karsten Desler ]

- ICMP match: fix '--icmp-type any' case
	[ Harald Welte ]

- CONNMARK target: major update (add mark/mask matching)
	[ Henrik Nordstrom ]

- DSCP target: Fix cosmetic help message problem
	[ Maciej Soltysiak ]

- string match: Fix iptables-save/restore for ascii strings with spaces
	[ Michael Rash ]

- ip(6)tables-restore: Make sure matches are used in the same order
	[ Martin Josefsson ]

- ip(6)tables-restore: Fix '--verbose' option
- ip(6)tables-restore: Add '--test' option
- ip(6)tables-restore: Complain about missing 'COMMIT'
	[ Martin Josefsson ]

- ip(6)tables-restore: Allow embedding of quote character in quoted strings
	[ Michael Rash ]

- libipq: Protect against spoofed queue messages (check if sender is kernel)
	[ Harald Welte ]


Changes from 1.2.9:

- time match: add 'datestart' and 'datestop' parameters
	[ Fabrice Marie ]

- modular manpage build, depending on actually compiled-in features
	[ Henrik Nordstrom ]

- additional documentation in manpage snippets formerly missing
	[ Harald Welte ]

- support new CLUSTERIP Target
	[ Harald Welte ]

- support new account match
	[ Piotr Gasid'o ]

- support new connrate match
	[ Nuuti Kotivuori ]

- support new dstlimit match
	[ Harald Welte ]

- support new 'set' match / 'SET' target
	[ Jozsef Kadlecsik ]

- osf match: add support for netlink reporting
	[ Evgeniy Polyakov ]

- new SCTP protocol match
	[ Kiran Kumar ]


Please note: Since version 1.2.7a, patch-o-matic is now no longer part of
iptables but rather distributed as a separate package
(ftp://ftp.netfilter.org/pupatch-o-matic/)

Please also note: Since Kernel 2.6.x is out, we now use patch-o-matic-ng,
distributed as a separate package: (ftp://ftp.netfilter.org/pupatch-o-matic-ng)


iptables v1.2.10 Changelog
======================================================================
This version requires kernel >= 2.4.4
This version recommends kernel >= 2.4.18

Bugs Fixed from 1.2.9:

- physdev match: fix new structure layout for kernel > 2.6.0-test8
	[ Bart De Schuymer ]

- Better 64bit / 32bit split architecture detection
- IPv6 LOG target: Fix compiler warnings on 64bit
- LOG target: Fix compiler warnings on 64bit
- IPv6 MARK target: Use full 64bit mark on 64bit archs
- MARK target: Use full 64bit mark on 64bit archs
- SAME target: Fix 64bit/32bit splitarch problems
- ULOG target: Fix 64bit/32bit splitarch problems
- conntrack match: Fix 64bit/32bit splitarch problem
- IPv6 limit match: Fix 64bit/32bit splitarch problem
- limit match: Fix 64bit/32bit splitarch problem
- IPv6 mark match: Use full 64bit mark on 64bit archs
- mark match: Use full 64bit mark on 64bit archs
- owner match: Fix compiler warnings on 64bit
	[ Martin Josefsson ]

- connbytes match: Fix signedness / unsigned issue
	[ Martin Josefsson ]

- connlimit match: Fix '/0' netmask
	[ David Ahern ]

- ipv6 owner match: fix possibly not zero terminated string
- helper match: fix possibly not zero terminated string
- recent match: fix possibly not zero terminated string
	[ Karsten Desler ]

- ICMP match: fix '--icmp-type any' case
	[ Harald Welte ]

- CONNMARK target: major update (add mark/mask matching)
	[ Henrik Nordstrom ]

- DSCP target: Fix cosmetic help message problem
	[ Maciej Soltysiak ]

- string match: Fix iptables-save/restore for ascii strings with spaces
	[ Michael Rash ]

- ip(6)tables-restore: Make sure matches are used in the same order
	[ Martin Josefsson ]

- ip(6)tables-restore: Fix '--verbose' option
- ip(6)tables-restore: Add '--test' option
- ip(6)tables-restore: Complain about missing 'COMMIT'
	[ Martin Josefsson ]

- ip(6)tables-restore: Allow embedding of quote character in quoted strings
	[ Michael Rash ]

- libipq: Protect against spoofed queue messages (check if sender is kernel)
	[ Harald Welte ]


Changes from 1.2.9:

- time match: add 'datestart' and 'datestop' parameters
	[ Fabrice Marie ]

- modular manpage build, depending on actually compiled-in features
	[ Henrik Nordstrom ]

- additional documentation in manpage snippets formerly missing
	[ Harald Welte ]

- support new CLUSTERIP Target
	[ Harald Welte ]

- support new account match
	[ Piotr Gasid'o ]

- support new connrate match
	[ Nuuti Kotivuori ]

- support new dstlimit match
	[ Harald Welte ]

- support new 'set' match / 'SET' target
	[ Jozsef Kadlecsik ]

- osf match: add support for netlink reporting
	[ Evgeniy Polyakov ]

- new SCTP protocol match
	[ Kiran Kumar ]


Please note: Since version 1.2.7a, patch-o-matic is now no longer part of
iptables but rather distributed as a separate package
(ftp://ftp.netfilter.org/pupatch-o-matic/)

Please also note: Since Kernel 2.6.x is out, we now use patch-o-matic-ng,
distributed as a separate package: (ftp://ftp.netfilter.org/pupatch-o-matic-ng)


iptables v1.2.9 Changelog
======================================================================
This version requires kernel >= 2.4.4
This version recommends kernel >= 2.4.18

Bugs Fixed from 1.2.8:

- ip(6)tables-save/restore: fix memory leaks
	[ Harald Welte, Martin Josefsson ]
- ip6tables: fix printout of odd length netmasks
	[ Mikko Markus Torni ]
- condition match: fix iptables-save
	[ Stephane Ouellette ]
- fuzzy match: fix ip(6)tables-save
	[ Hime Aguiar e Oliveira Jr. ]
- mac match: fix ip(6)tables-save if used inverted (!)
	[ David Zambonini, Martin Josefsson ]
- ip6tables udp match: check for invalid port ranges
	[ Thomas Poehnitz ]
- LOG target: fix iptables-save (save loglevel numerically)
	[ Thomas Woerner ]
- mport match: fix iptables-save (save numerically)
	[ Thomas Woerner ]
- libipq: fix ipq_id_t definition on 'real' 64bit/64bit architectures
	[ Ryan Veety ]
- libip6tc: fix ipv6_prefix_length endianness bugs
	[ Mikko Markus Torni ]
- MASQUERADE target: don't accept negative port numbers
	[ Yasuyuki Kozakai ]
- physdev match: fix new structure layout for kernel > 2.6.0-test8
	[ Bart De Schuymer ]

Changes from 1.2.8:

- build plugins for connlimit, iprange, realm, CLASSIFY, CONNMARK, NETMAP
	[ Harald Welte ]
- libip(6)tc: Speedup due to incremental chain cache updates
	[ Harald Welte ]
- recent match: Update to version 0.3.1 that was submitted to the kernel
	[ Stephen Frost ]
- physdev match: add --physdev-is-{in,out,bridge} option
	[ Bart de Schuymer ]
- REJECT target: add support for ICMP administratively prohibited
	[ Maciej Soltysiak ]
- conntrack match: add support for CONFIRMED / unconfirmed state
	[ Harald Welte ]
- ROUTE target: new option: continue traversal
	[ Cedric de Launois ]
- various cosmetic cleanups
	[ Stephane Ouellette ]
- iptables/libiptc: add support for the new 'raw' table
	[ Jozsef Kadlecsik ]

Please note: Since version 1.2.7a, patch-o-matic is now no longer part of
iptables but rather distributed as a separate package
(ftp://ftp.netfilter.org/pupatch-o-matic/)


iptables v1.2.8 Changelog
======================================================================
This version requires kernel >= 2.4.4
This version recommends kernel >= 2.4.18

Bugs Fixed from 1.2.7a:

- fix ip6tables-save function of 'length' match
	[ Gerry Skerbitz ]
- fix ip6tables-save function of 'mac' match
	[ Kristian Gronfeldt Sorensen ]
- fix iptables-save function of 'ULOG' target
	[ Jimmy Hedman ]
- fix iptables-save function of 'conntrack' match
	[ Lutz Pressler ]
- fix iptables-save function of 'length' match
	[ Gerry Skerbitz ]
- fix iptables-save function of 'mac' match
	[ Kristian Gronfeldt Sorensen ]
- fix iptables-save function of 'mark' match
	[ Harald Welte ]
- fix iptables-save function of 'owner' match
	[ Costa Tsaousis ]
- fix iptables-save function of 'pool' match
	[ Oskar Berggren ]
- fix iptables-save function of 'tcpmss' match
	[ Michael Schwendt ]
- fix iptables-save function of 'tos' match
	[ Harald Welte ]
- fix save/print function of 'connmark' match
	[ Harald Welte ]
- fix error message when invalid TCP flag is specified with 'tcp' match
	[ Aaron Sethman ]

Changes from 1.2.7a:

- updated version of the ROUTE target
	[ Cedric de Launois ]
- updated version of the 'recent' match
	[ Stephen Frost ]
- update the RPC conntrack match, extend it to support filtering on procedures
	[ Ian (Larry) Latter ]
- add support for hexstrings to the 'string' match
	[ Michael Rash ]
- have iptables-restore print the line number in case of an error
	[ Illes Marci ]
- big iptables.8 manpage update
	[ Herve Eychenne ]
- print loglevel human-readable in ip6tables 'LOG' target
	[ Michael Schwendt ]
- print loglevel human-readable in 'LOG' target
	[ Michael Schwendt ]
- remove bogus code from 'ecn' match
	[ Stephane Ouellette ]
- be more specific in help message of 'helper' match
	[ Herve Eychenne ]
- fix semantic problem that '-p icmp -m icmp' was matching icmp type 0 instead
	of 'any'
	[ Harald Welte ]
- fix iptables rename-chain option
	[ Maciej Soltysiak ]
- remove libipulog from iptables since it is distributed with ulogd
	[ Harald Welte ]
- support new ip6tables 'HL' target
	[ Maciej Soltysiak ]
- support new ip6tables 'condition' match
	[ Stephane Ouellette ]
- support new ip6tables 'fuzzy' match
	[ Maciej Soltysiak ]
- support new ip6tables 'hoplimit' match
	[ Maciej Soltysiak ]
- support new iptables 'CLASSIFY' target
	[ unknown ]
- support new iptables TARPIT target
	[ Aaron Hopkins ]
- support new iptables 'condition' match
	[ Stephane Ouellette ]
- support new iptables 'fuzzy' match
	[ Hime Junior ]
- support new iptables 'physdev' match (for 2.5.x bridging)
	[ Bart de Schuymer ]
- support new iptables 'u32' match (based on u32 tc filter)
	[ Don Cohen ]

Please note: As of version 1.2.7a, patch-o-matic is now no longer part of
iptables but rather distributed as a separate package
(ftp://ftp.netfilter.org/pupatch-o-matic/)


iptables v1.2.7a (== fixed 1.2.7) Changelog
======================================================================
This version requires kernel >= 2.4.4
This version recommends kernel >= 2.4.18

Bugs Fixed from 1.2.6a:

- fix compiler warning in userspace support for ipv6 REJECT target
	[ Fabrice Marie ]
- check for invalid portranges in tcp+udp helper (e.g. 2000:100)
	[ Thomas Poehnitz ]
- fix save/restore functions of ip6tables tcp/udp extension
	[ Harald Welte / Andras Kis-Szabo ]
- check for invalid (out of range) nfmark values in MARK target
	[ Alexey ??? ]
- fix save function of MASQUERADE userspace support
	[ A. van Schie ]
- compile fixes for userspace support of experimental POOL target
	[ ? ]
- fix save function of userspace support for ah and esp match
	[ ? ]
- fix static build (NO_SHARED_LIBS)
	[ Roberto Nibali ]
- fix save/restore function of userspace support for mport match
	[ Bob Hockney ]
- update manpages to reflect recent changes
	[ Herve Eychenne, Harald Welte ]
- remove all remnants of the 'check' option
	[ ? ]


Changes from 1.2.6a:

- patch-o-matic is now no longer part of iptables but rather distributed
	as a separate package (ftp://ftp.netfilter.org/pupatch-o-matic/)
		[ Harald Welte ]
- userspace support for dscp match and target
	[ Harald Welte ]
- userspace support for ecn match and target
	[ Harald Welte ]
- userspace support for helper match
	[ Martin Josefsson ]
- userspace support for conntrack match
	[ Marc Boucher ]
- userspace support for pkttype match
	[ Martin Ludvig ]
- userspace support for experimental ROUTE target
	[ Cedric de Launois ]
- userspace support for experimental ipv6 ahesp match
	[ Andras Kis-Szabo ]
- userspace support for experimental ipv6 option header match
	[ Andras Kis-Szabo ]
- userspace support for experimental ipv6 routing header match
	[ Andras Kis-Szabo ]
- add matching of process name to userspace support of owner match
	[ Marc Boucher ]
- new version of userspace support for 'recent' match
	[ Stephen Frost ]


iptables v1.2.6a (== fixed 1.2.6) Changelog
======================================================================
This version requires kernel >= 2.4.4
This version recommends kernel >= 2.4.18

Bugs Fixed from 1.2.5:

- Fix iptables segfault problem when using `!' without argument
	[ Dionis Papavramidis, Harald Welte ]
- Fix PSD match for psd-delay-threshold > 100
	[ Steven Coenen, Dennis Koslowski ]
- ip6tables alignment fixes
	[ Andreas Herrmann ]
- patch-o-matic:
	- Fix NAT-related bug in TCP window tracking code
		[ Jozsef Kadlecsik ]
	- Fix support for DNAT of locally-originated connections (NAT in
	  LOCAL_OUT)
	  	[ Henrik Nordstrom, Harald Welte ]
	- Fix string match (is now SMP safe)
		[ Gianni Tedesco ]
	- Fix TFTP conntrack/nat helper (now also catches first packet)
		[ Magnus Boden ]

Changes from 1.2.5:

- Added global PREFIX makefile variable for all paths
	[ Harald Welte ]
- If compiled without any COPT_FLAGS, debugging is disabled.  To enable
	debugging, use -DIPTC_DEBUG
		[ Harald Welte ]
- New ip6tables-restore and ip6tables-save manpage
	[ Andras Kis-Szabo ]
- Sync ip6tables-restore and ip6tables-save with iptables-restore
	[ Andras Kis-Szabo ]
- Sync ip6tables with iptables
	[ Andras Kis-Szabo ]
- mangle table attaches now to all five netfilter hooks
	[ Brad Chapman, Harald Welte ]
- iptables and ip6tables manpage updates
	[ Herve Eychenne ]
- patch-o-matic program now supports removal of already-applied patches
	[ Bob Hockney ]
- patch-o-matic program now supports patches to the userspace extensions
	[ Fabrice Marie ]
- patch-o-matic:
	- Extend recent match to support multiple recent lists
		[ Stephen Frost ]
	- New GRE and PPTP connection tracking and NAT helper
		[ Harald Welte ]
	- New CONNMARK target for marking all packets within one connection
		[ Henrik Nordstrom ]
	- New conntrack match, enables matching on more conntrack information
	  than state
	  	[ Marc Boucher ]
	- New DSCP match and target (DSCP header field obsoletes TOS)
		[ Harald Welte ]
	- New owner match extension: Match on process name
		[ Marc Boucher ]
	- Add support for bitwise AND / OR manipulation on nfmark
		[ Fabrice Marie ]
	- New experimental patch for disabling TCP connection tracking pickup
		[ Harald Welte ]
	- Add support for SACK in all NAT helpers
		[ Harald Welte ]
	- Make eggdrop botnet connection tracking support work with eggdrop
	  v1.6.x
	  	[ Magnus Sandin ]
	- Add support to REJECT for sending icmp-unreachable messages
	  from a fake source address
	  	[ Fabrice Marie ]
	- Add support for ntalk2 to talk NAT helper
		[ Jozsef Kadlecsik ]
	- Big update to newnat patch
		[ Jozsef Kadlecsik, Paul P Komkoff ]

iptables v1.2.6 Changelog
======================================================================
This version requires kernel >= 2.4.4
This version recommends kernel >= 2.4.18

Bugs Fixed from 1.2.5:

- Fix iptables segfault problem when using `!' without argument
	[ Dionis Papavramidis, Harald Welte ]
- Fix PSD match for psd-delay-threshold > 100
	[ Steven Coenen, Dennis Koslowski ]
- ip6tables alignment fixes
	[ Andreas Herrmann ]
- patch-o-matic:
	- Fix NAT-related bug in TCP window tracking code
		[ Jozsef Kadlecsik ]
	- Fix support for DNAT of locally-originated connections (NAT in
	  LOCAL_OUT)
	  	[ Henrik Nordstrom, Harald Welte ]
	- Fix string match (is now SMP safe)
		[ Gianni Tedesco ]
	- Fix TFTP conntrack/nat helper (now also catches first packet)
		[ Magnus Boden ]

Changes from 1.2.5:

- Added global PREFIX makefile variable for all paths
	[ Harald Welte ]
- If compiled without any COPT_FLAGS, debugging is disabled.  To enable
	debugging, use -DIPTC_DEBUG
		[ Harald Welte ]
- New ip6tables-restore and ip6tables-save manpage
	[ Andras Kis-Szabo ]
- Sync ip6tables-restore and ip6tables-save with iptables-restore
	[ Andras Kis-Szabo ]
- Sync ip6tables with iptables
	[ Andras Kis-Szabo ]
- mangle table attaches now to all five netfilter hooks
	[ Brad Chapman, Harald Welte ]
- iptables and ip6tables manpage updates
	[ Herve Eychenne ]
- patch-o-matic program now supports removal of already-applied patches
	[ Bob Hockney ]
- patch-o-matic program now supports patches to the userspace extensions
	[ Fabrice Marie ]
- patch-o-matic:
	- Extend recent match to support multiple recent lists
		[ Stephen Frost ]
	- New GRE and PPTP connection tracking and NAT helper
		[ Harald Welte ]
	- New CONNMARK target for marking all packets within one connection
		[ Henrik Nordstrom ]
	- New conntrack match, enables matching on more conntrack information
	  than state
	  	[ Marc Boucher ]
	- New DSCP match and target (DSCP header field obsoletes TOS)
		[ Harald Welte ]
	- New owner match extension: Match on process name
		[ Marc Boucher ]
	- Add support for bitwise AND / OR manipulation on nfmark
		[ Fabrice Marie ]
	- New experimental patch for disabling TCP connection tracking pickup
		[ Harald Welte ]
	- Add support for SACK in all NAT helpers
		[ Harald Welte ]
	- Make eggdrop botnet connection tracking support work with eggdrop
	  v1.6.x
	  	[ Magnus Sandin ]
	- Add support to REJECT for sending icmp-unreachable messages
	  from a fake source address
			[ Fabrice Marie ]
	- Add support for ntalk2 to talk NAT helper
		[ Jozsef Kadlecsik ]
	- Big update to newnat patch
		[ Jozsef Kadlecsik, Paul P Komkoff ]


iptables v1.2.5 Changelog
======================================================================
This version requires kernel >= 2.4.4
This version recommends kernel > 2.4.14

Bugs Fixed from 1.2.4:

- make iptables-restore accept --table as well as -t option
	[ Andreas Ferber ]
- make iptables-restore -v / --verbose option work
	[ Marc Boucher ]
- fix iptables-save problems with saving "ppp+" style interface wildcards
	[ Harald Welte ]
- make iptables accept '_' and '.' in interface names
	[ Harald Welte ]
- Kernel bugfixes in patch-o-matic:
	- Fix IRC NAT srcaddr fix (we used to nat DCC connections to the
	  address of the IRC server)
		[ Bob Hockney ]
	- Fix potential Oops in TOS target module
		[ Edward Killips ]
	- Fix problem when raw socket has cloned skb while netfilter doing
	  payload modification
		 [ Rusty Russell ]
	- Fix memory leak in ipchains redirect code
		[ Rusty Russell ]
	- Fix reintroduced ECN problem with unclean match
		[ Guillaume Morin ]
	- Fix MAC address match problem with small udp packets
		[ Harald Welte ]

Changes from 1.2.4:

- Whole patch-o-matic system restructured - now supports multiple patch
	repositories (submitted, pending, base, extra, newnat).
	[ Jozsef Kadlecsik ]
- Add IPv6 support to the QUEUE target and libipq
	[ Fernando Anton / James Morris ]
- New patch-o-matic patches:
	- New IPV4OPTSSTRIP target to strip IP options
		[ Fabrice Marie ]
	- New ipv6header match to match IPv6 header options
		[ Brad Chapman / Andras Kis-Szabo ]
	- New helper match to match RELATED connections on their conntrack
		helper
		[ Martin Josefsson ]
	- New quota match to have fixed IP quotas
		[ Sam Johnston ]
	- New recent match to match recently seen packets
		[ Stephen Frost ]


iptables v1.2.4 Changelog
======================================================================
This version requires kernel >= 2.4.4
This version recommends kernel > 2.4.9

Bugs Fixed from 1.2.3:

- make iptables-restore print error message instead of segfault when
	processing broken / wrong input.
	[ ]
- string_to_number fix in LOG, IPv6 LOG, TOS and FTOS target
	[ ]
- fix iptables-save problems when saving MIRROR rules
	[ Harald Welte ]
- fix IPv6 ICMP problems [ ]
- fix TTL increment in TTL target [ ]
- Kernel bugfixes in patch-o-matic:
	- Fix printing of inner-packet in ICMP error messages (LOG target)
		[ ]
	- Decrement TTL when using MIRROR target at PRE_ROUTING [ ]
	- fix undiscovered REJECT checkentry() bug (alignment)
		[ Bert Hubert ]

Changes from 1.2.3:

- New "make most-of-pom" feature for application of non-conflicting
	patches. This should be used instead of "make patch-o-matic" by most
	users.
	[ Harald Welte ]
- iptables-save and iptables-restore now included in the default install;
	They are no longer experimental for quite some time.
	[ Harald Welte ]
- synchronize ip6tables-save/restore with iptables-save/restore
	[ Harald Welte ]
- more precise save() function for ipt_limit rates
	[ ]
- new improved version of nth-match. Added support for multiple counters,
	added support for matching on individual packets in the counter cycle
	[ Richard Wagner ]
- added manpage for ip6tables
	[ ]
- updated libipq documentation
	[ ]
- added timeout to libipq recv function
	[ ]
- New patch-o-matic patches:
	- New random match
		[ ]
	- New ftp-fxp patch, imposes security risk but some people need it *sigh*
		[ Magnus Sandin ]
	- New H323 conntrack + nat modules
		[ Jozsef Kadlecsik ]
	- New version of tcp-window tracking patch, includes sysctl()
		changeable timeouts
		[ Jozsef Kadlecsik ]


iptables v1.2.3 Changelog
======================================================================
This version requires kernel 2.4.4 or above.
This version recommends kernel 2.4.9 or above.

Bugs Fixed from 1.2.2:

- fix ICMPv6 support for IPv6
	[ Kis-Szabo Andras ]
- fix problems with REJECT and iptables-restore / iptables-save
	[ Harald Welte ]
- fix possible string overflow in psd match
	[ Dennis Koslowski ]
- fix string match compile problems
	[ Gianni Tedesco ]
- support interfaces with '_' (underscore) in device names
	[ Harald Welte ]
- support rules without target in iptables-save
	[ Emmanuel Fleury ]
- correct handling of "eth+" type interface names in iptables-save/restore
	[ Harald Welte ]
- do incremental checksumming when altering TTL in TTL target
	[ Harald Welte ]
- fix no-srr case in ipv4options match
	[ Fabrice Marie ]
- Kernel bugfixes in patch-o-matic:
	- Fix unexported ip6_table symbols [ Brad Chapman ]
	- Decrement TTL in MIRROR target if used in FORWARD chain [ Harald
		Welte, Fabian Melzow ]
	- Replace SACKPERM TCP option with NOOP (instead of ENDOFOPT)
		[ Guillaume Morin ]

Changes from 1.2.2:

- New "make most-of-pom" feature for application of non-conflicting
	patches. This should be used instead of "make patch-o-matic" by most
	users.
	[ Harald Welte ]
- support for statically linking iptables, without need for .so plugins
	[ David McCullough ]
- support for multiple ranges in SAME target
	[ Martin Josefsson ]
- support for router alert options in ipv4options match
	[ Fabrice Marie ]
- modprobe() modules when doing iptables-restore
	[ Andries van Schie ]
- remove obsolete fragment matching code in IPv6
	[ Kis-Szabo Andras ]
- add support for dns hostnames to IPv6 code
	[ Kis-Szabo Andras ]
- New patch-o-matic patches:
	- New multiport (mport) match
		[ Andreas Ferber ]
	- New nth match for matching every n-th packet
		[ Fabrice Marie ]
	- New realm match for matching the routing realm
		[ Sampsa Ranta ]
	- New ctnetlink patch for manipulation of conntrack from userspace
		[ Jay Schulist ]
	- New REJECT Target for IPv6
		[ Harald Welte ]
	- New length match for IPv6
		[ Imran Patel ]
	- New multiport (mport) match for IPv6
		[ Andreas Ferber ]


iptables v1.2.1 Changelog
======================================================================
This version requires kernel 2.4.0 or above.

Bugs Fixed from 1.2:

- Missing quotes around log-prefix
	[ Bart Theunissen ]
- Bug in save function of string match
	[ Gianni Tedesco ]
- ip6tables.c string buffer size fixes
	[ Andras Kis-Szabo ]
- dependency problem with iptables-save / iptables-restore
	[ Harald Welte ]
- strtok problem with iptables-save / iptables-restore
	[ Harald Welte ]
- Problems with tcp/udp extension and multiple calls of do_command()
	[ Sven Koch ]
- Kernel bugfixes in patch-o-matic:
	- Updated rpc-record patch to work with 2.4.0
		[ Marc Boucher ]
	- New ftp-pasv patch for fixing PASV detection with some ftpd's
		[ Erik Hensema ]
	- Fix checksum calculation of TOS target
		[ Rusty Russell ]

Changes from 1.2:

- New `pending-patches' target
	[ Rusty Russell ]
- build all shared library extensions regardless of kernel tree
	[ Rusty Russell ]
- New counter-restore functions for iptables
	[ Harald Welte ]
- Added libiptc and libipulog to `devel' Makefile target
	[ Harald Welte ]
- Ported iptables-save/restore to IPv6
	[ Andras Kis-Szabo ]
- Updated ULOG target (now in-kernel accumulation [= higher performance])
	[ Harald Welte ]
- Added fxp support to ftp-multi patch
	[ Magnus Sandin ]
- Implemented Boyer Moore Sublinear search algorithm for string match
	[ Gianni Tedesco ]
- Fixed tcp-window-tracking incompatibility with NAT helpers
	[ Harald Welte ]
- New patch-o-matic patches:
	- New generic sequence number offset API for nat helpers
		[ Harald Welte ]
	- New psd (port-scan-detection) match
		[ Dennis Koslowski, Markus Henning ]
	- New NETLINK target for old ipchains -o behaviour
		[ Gianni Tedesco ]
	- New SAME target as a special case of SNAT
		[ Martin Josefsson ]
	- Ported LOG target to IPv6
		[ Jan Rekorajski ]
	- Ported owner, limit, mac and multiport match to IPv6
		[ Jan Rekorajski ]


iptables v1.2.2 Changelog
======================================================================
This version requires kernel 2.4.1 or above.
This version recommends kernel 2.4.4 or above.

Bugs Fixed from 1.2.1a:

- fixes for SAME Target
	[ Martin Josefsson ]
- fixes for iplimit match in combination with iptables-save/-restore
	[ Gerd Knorr ]
- fix for TCP match in combination with iptables-save/-restore
	[ Ian Lynagh ]
- iptables-restore now deals correctly with spaces in --log-prefix
	[ Harald Welte ]
- fix in 'isapplied' script. It used to give false negatives
	[ Harald Welte ]
- fix in BALANCE target, target now uses full ip address range
	[ Martin Josefsson ]
- fix for NETLINK target, was sending wrong interface name
	[ Gianni Tedesco ]
- fix for collision of ftp and irc NAT helpers
	[ Harald Welte ]
- ip6tables brought in sync with iptables
	[ Kis-Szabo Andras ]
- Kernel bugfixes in patch-o-matic:
	- Fix possible security vulnerability in ip_conntrack_ftp
		[ Cristiano Lincoln Mattos, James Morris and Rusty ]

Changes from 1.2.1a:

- libiptc should now be usable from C++ applications
	[ Fabrice MAURIE ]
- seqoffset-,ftp-security, ... patches are combined in 2.4.4.patch
	[ Rusty Russell ]
- lots of old pre-2.4.1 patches now combined in 2.4.1.patch
	[ Rusty Russell ]
- IRC conntrack + nat cleanup
	[ Harald Welte ]
- string match cleanup
	[ Gianni Tedesco ]
- ULOG cleanup, new version. Fixes 'unable to send nflink' bug
	[ Harald Welte ]
- New patch-o-matic patches:
	- New NETMAP Target for mapping whole networks 1:1 to other addresses
		[ Svenning Soerensen ]
	- New length Target for matching packet length
		[ James Morris ]
	- New ipv4options match for matching IPv4 header options
		[ Fabrice MARIE ]
	- New IPv6 agr match for matching IPv6 global aggregatable unicast
		addresses
		[ Andras Kis-Szabo ]
	- New pkttype match for matching link-layer multicast / broadcast
		packets
		[ Michal Ludvig ]
	- New time match for matching the packet's receive time
		[ Fabrice MARIE ]
	- New talk conntrack + NAT helper module
		[ Jozsef Kadlecsik ]


iptables v1.2 Changelog
======================================================================
This version requires 2.4.0-test9 or above.

Bugs Fixed from 1.1.2:

- Now default installs into /usr/local/sbin, not /usr/local/bin.
- Only does IPv6 compilation on libc6.
- More header fixes for weird header combos.
- ip6tables now refers to "icmpv6" protocol, not "icmp".
	[ Harald Welte ]
- IPPROTO_ESP and AH defined in iptables for primitive headers.
- iptables multiple-DNS resolve fixed
	[ Harald Welte, Rusty ]
- Kernel bugfixes in patch-o-matic:
	- IPv6 netfilter fixes
		[ Harald Welte ]
	- Masquerade with fwmark routing fix
	- Dynamic hashsize optimization (NAT) + `hashsize=' module parameter.
	- NAT overlap fix
	- PPC/Sparc mangle table fix.

Changes from 1.1.2:

- New `install-devel' target
	[ James Morris ]
- libipq now has man pages!
	[ James Morris ]
- iptables-save and iptables-restore added (with man pages!)
	[ Harald Welte ]
- iptables now inserts modules if CONFIG_KMOD or --modprobe
	[ Harald Welte, Rusty ]
- New `experimental' and `install-experimental' targets.
- `--reject-with=echo-reply' removed in anticipation of the removal of
	kernel support.
- ttl match enhancements (greater or less than tests)
	[ Harald Welte ]
- Reworked patch-o-matic interface, to force reading of help.
- patch-o-matic updated for new 2.4 Makefiles
	[ Daniel Stone, Harald Welte ]
- patch-o-matic now supports non-IPv4 netfilter patches
	[ Harald Welte ]
- New patch-o-matic patches:
	- eggdrop bot connection tracking
		[ Magnus Sandin ]
	- FTOS target for full ToS mangling.
		[ Matthew G. Marsh ]
	- BALANCE target for simple load-balancing.
	- iplimit match for limiting number of connections.
		[ Gerd Knorr ]
	- IPv6 MARK target
		[ Harald Welte ]
	- IPv6 mark match
		[ Harald Welte ]


iptables v1.1.2 Changelog
======================================================================
This version requires 2.4.0-test9 or above.

Bugs Fixed from 1.1.1:

- Adding rules on UltraSparc now works
- string_to_number now handles overflow
	[ Jan Echternach ]
- Bug when using ridiculous rule numbers fixed

Changes from 1.1.1:

- patch-o-matic system added:
	- TTL alteration and ttl matching support -- Harald Welte
	- AH/ESP matching support -- Yon Uriarte
	- DROPPED table support -- Rusty
	- ftp-multi patch for non-standard ftp servers -- Harald Welte
	- IRC connection tracking & NAT -- Harald Welte
	- pool match and POOL target -- Patrick
	- RPC recording patch -- Marcelo Barbosa Lima
	- SNMP NAT support -- James Morris
	- string match for looking in packet's data -- Emmanuel Roger
	- tcp-MSS target for altering MSS -- Marc Boucher
	- ULOG target for advanced logging -- Harald Welte
- Minor const cleanups
	[ Jan Echternach ]
- iptables.8 updates
	[ Harald Welte, Rusty ]
- Better warnings for non-existent matches/missing libraries
	[ Harald Welte ]
- Improved isapplied script
