iptables v1.4.5 Changelog:
======================================================================
Changes from 1.4.4:


Florian Westphal (1):
      libxt_NFQUEUE: add new v1 version with queue-balance option

Jan Engelhardt (18):
      xt_conntrack: revision 2 for enlarged state_mask member
      libxt_helper: fix invalid passed option to check_inverse
      libiptc: split v4 and v6
      extensions: collapse registration structures
      iptables: allow for parse-less extensions
      iptables: allow for help-less extensions
      extensions: remove empty help and parse functions
      xtables: add multi-registration functions
      extensions: collapse data variables to use multi-reg calls
      xtables: warn of missing version identifier in extensions
      COMMIT_NOTES: notice to check for soversion bumps
      build: order of dependent libs is sensitive
      multi binary: allow subcommand via argv[1]
      build: fix struct size mismatch
      build: combine iptables-multi and iptables-static
      build: build only iptables-multi
      Merge branch 'stable'
      manpages: more fixes to minuses, hyphens, dashes

Laurence J. Lane (1):
      manpage: fix lintian warnings

Michael Granzow (1):
      iptables: accept multiple IP address specifications for -s, -d

Patrick McHardy (2):
      man: fix incorrect plural in libipt_set.man
      Bump version number to 1.4.5

Trent W. Buck (1):
      ipt_set: fix a typo in the manpage


iptables v1.4.4 Changelog:
======================================================================
Changes from 1.4.3.2:


Frank Tobin (1):
      libxt_tcp: fix a manpage syntax typo

Ian Bruce (1):
      libxt_tcp: manpage corrections and suggestions

Jan Engelhardt (15):
      Add new COMMIT_NOTES document
      xtables: use extern "C"
      extensions: add const qualifiers in print/save functions
      iptables: replace open-coded sizeof by ARRAY_SIZE
      addrtype: fix one manpage type
      manpages: do not include v4-only modules in ip6tables manpage
      libip6t_policy: remove redundant functions
      policy: use direct xt_policy_info instead of ipt/ip6t
      policy: merge ipv6 and ipv4 variant
      build: fix manpage collection
      extensions: use NFPROTO_UNSPEC for .family field
      DNAT/SNAT: add manpage documentation for --persistent flag
      extensions: remove redundant casts
      iptables: close open file descriptors
      manpages: markup corrections

Jozsef Kadlecsik (1):
      Updated set/SET match and target to support multiple ipset protocols.

Pablo Neira Ayuso (2):
      extensions: add `cluster' match support
      xtables: fix segfault if incorrect protocol name is used

Patrick McHardy (3):
      SNAT/DNAT: add support for persistent multi-range NAT mappings
      Merge branch 'stable' of git://dev.medozas.de/iptables
      Bump version

kd6lvw (1):
      libxt_connlimit: initialize v6_mask



iptables v1.4.3.2 Changelog:
======================================================================
Changes from 1.4.3.1:


Jan Engelhardt (12):
      libxt_tcpmss: fix an inversion while parsing --mss
      iptables-multi: support "iptables-static" as a callable name
      libxtables: reorder .version member
      build: do not run ldconfig for DESTDIR installations
      build: add configure option to disable ip6tables
      build: add configure option to disable ipv4 iptables
      libxtables: provide IPv6 zero address variable
      iptables: print negation extrapositioned
      Merge commit 'v1.4.3'
      Merge branch 'plus'
      CLASSIFY: document non-standard interpretation behavior
      libxt_conntrack: properly output negation symbol

Pablo Neira Ayuso (1):
      build: bump version to 1.4.3.2


iptables v1.4.3.1 Changelog:
======================================================================
Changes from 1.4.3:


Jan Engelhardt (2):
      iptables-save: minor corrections to the manpage markup
      libxt_hashlimit: add missing space for iptables-save output

Pablo Neira Ayuso (2):
      build: bump version to 1.4.3.1
      iptables: refer to dmesg if we hit EINVAL

Peter Volkov (2):
      libxtables: fix compile error due to incomplete change
      build: fix linker issue when LDFLAGS contains --as-needed



iptables v1.4.3 Changelog:
======================================================================
Changes from 1.4.2:


Bart De Schuymer (1):
      man: fix physdev manpage

Christian Perle (1):
      libxt_policy: cannot set spi/reqid numbers higher than 0x7fffffff

Christoph Paasch (1):
      libiptc: avoid compile warnings for iptc_insert_chain

Daniel Drake (1):
      libxt_owner: add more spaces to output

Eric Leblond (1):
      xt_NFLOG: Set default NFLOG qthreshold to 0

Jamal Hadi Salim (12):
      libxtables: Introduce global params structuring
      libxtables: define xtables_free_opts()
      libxtables: Add exit_error cb to xtables_globals
      libxtables: Make ip6tables, iptables and iptables-xml use xtables_globals
      libxtables: Replace direct exit_error() calls inside libxtables
      libxtables: simple aliasing macro for exit_error
      libxtables: set names of programs
      libxtables: add xtables_set_revision
      libxtables: make iptables and ip6tables use xtables_free_opts
      libxtables: consolidate merge_options into xtables_merge_options
      libxtables: consolidate init calls into one function
      libxtables: general follow-up cleanup

Jan Engelhardt (84):
      Move libipt_recent to libxt_recent
      libxt_recent: add IPv6 support
      manpage: use separate paragraphs for command syntax
      manpage: explain what rule-specification is
      libiptc: remove typedef indirection
      libiptc: remove indirections
      libiptc: remove unused iptc_get_raw_socket and iptc_check_packet
      libiptc: use hex output for hookmask
      libxt_conntrack: respect -n option during ruledump
      libiptc: make sockfd a per-handle thing
      libxt_conntrack: dump ctdir
      src: reuse the global modprobe_program variable
      src: use NFPROTO_ constants
      src: remove inclusion of iptables.h
      doc: fix a typo in libip6t_REJECT.man
      libiptc: guard chain index allocation for different malloc implementations
      src: remove unused include files
      iptables-save: output ! in position according to manpage
      rateest: guard against segfault
      env: augment deprecation notice
      build: resolve autotools suggestions
      doc: put iptables version into manpage
      doc: resynchronize markup in iptables,ip6tables.8.in
      doc: escape minus sign in manpages
      build: use regular = assignments in Makefile
      build: remove non-portable rule
      doc: escape minus sign in manpage (2)
      doc: augment ICMP manpage by type/code syntax
      src: remove redundant returns at end of void-returning functions
      src: remove redundant casts
      libxt_owner: use correct UID/GID boundaries
      extensions: use UINT_MAX constants over open-coded bits (1/2)
      extensions: use UINT_MAX constants over open-coded numbers (2/2)
      libxtables: prefix/order - fw_xalloc
      libxtables: prefix/order - modprobe and xtables.ko loading
      libxtables: prefix/order - match/target loading
      libxtables: prefix/order - libdir
      libxtables: prefix/order - strtoui
      libxtables: prefix/order - program_name
      libxtables: prefix/order - param_act
      libxtables: prefix/order - ipaddr/ipmask to ascii output
      libxtables: prefix/order - ascii to ipaddr/ipmask input
      libxtables: prefix - misc functions
      libxtables: prefix - parse and escaped output func
      libxtables: prefix/order - move check_inverse to xtables.c
      libxtables: prefix/order - move parse_protocol to xtables.c
      libbxtables: prefix names and order it #1
      libxtables: prefix names and order it #2
      libxtables: prefix names and order #3
      libxtables: move afinfo around
      Merge branch 'origin/master'
      libxtables: recognize IP6TABLES_LIB_DIR old-style environment variable
      build: move -ldl to proper LDADD
      libxtables: remove unused XT_LIB_DIR macro
      libxtables: decouple non-xtables parts from header
      src: remove iptables_rule_match indirection macro
      src: remove unused ipt_tryload macro
      libxtables: move compat defines to xtables.c
      src: consolidate duplicate code in iptables/internal.h
      libxtables: use const for vars holding literals
      libxt_string: fix undefined behavior/incorrect patlen calculation
      libxtables: flush before fork
      libipq: add missing doc for NF_ values
      build: restructure Makefile for include/ directory
      libipq: fix compile error
      build: remove unneeded -ldl from iptables_xml_LDADD
      libiptc: make library available as a shared library
      build: trigger reconfigure when extensions/GNUmakefile.in changes
      doc: do not put IPv4 doc into ip6tables.8
      doc: resynchronize manpage with in-code help
      libxtables: inline and remove unused OPTION_OFFSET macro
      libxtables: prefix exit_error to xtables_error
      extensions: remove unwanted/add needed includes for IPv6 exts
      extensions: remove unwanted/add needed includes for IPv4 exts
      libxt_policy: use bounded strtoui
      include: resynchronize headers with 2.6.29-rc5
      extensions: add missing limits.h include
      iptables: turn deprecation warning into enforcing mode
      Merge commit 'nf/master'
      libxt_connbytes: minor manpage adjustments
      libxt_connbytes: document nf_ct_acct behavior
      libxtables: add -I/-L flags to pkgconfig files
      libxt_comment: output quotes must be escaped in
      iptables-save: module loading corrections

Jesper Dangaard Brouer (3):
      libiptc: fix chain rename bug in libiptc
      libiptc: fix whitespaces and typos
      libiptc: give credits to myself

Jir Moravec (1):
      libxt_TOS: fix compilation error

KOVACS Krisztian (2):
      Add iptables support for the TPROXY target
      Add iptables support for the socket match

Marc Fournier (1):
      doc: fix option typo in libxt_multiport

Pablo Neira Ayuso (5):
      iptables: fix error reporting with wrong/missing arguments
      state: report spaces in the state list parsing
      iptables: refer to dmesg when we hit error
      string: fix wrong pattern length calculation
      iptables: fix broken options-merging during libxtables rework

Patrick McHardy (5):
      Add SCTP/DCCP support to NAT targets
      Bump version to 1.4.3-rc1
      Merge branch 'master' of git://dev.medozas.de/iptables
      Merge branch 'master' of git://dev.medozas.de/iptables
      Bump version to 1.4.3

Shaul Karl (1):
      doc: fix one layout issue in iptables-restore.8

Stephen Hemminger (1):
      iptables: Add limits.h to get INT_MIN, INT_MAX, ...

Thomas Jarosch (2):
      Fix compile error in libxt_iprange.c using gcc 4.3.2
      Fix compile warnings using gcc 4.3.2


iptables v1.4.2 Changelog:
======================================================================
Changes from 1.4.2-rc1:

Jan Engelhardt (1):
	build: fix iptables-static build

Jan Engelhardt (26):
	build: do not install ip{,6}tables.h
	Merge branch 'master' of vishnu.netfilter.org:/data/git/iptables
	manpages: name and markup fixes
	src: remove dependency on libiptc headers
	src: drop libiptc from installation
	iptables-restore: fix segmentation fault with -tanything
	libxt_recent: do not allow both --set and --rttl
	Put xtables.c into its own library, libxtables.so
	manpages: correct erroneous markup
	physdev: remove extra space in output
	Warn about use of DROP in nat table
	Synchronize invert flag order with manpages
	build: fix dependency tracking for xtables.h.in
	build: fix initext.c dependency
	manpages: add missing --rsource,--rdest options to libxt_recent.man
	manpages: add missing rateest documentation
	manpages: add missing rateest match documentation
	libxt_mac: flatten casts in libxt_mac
	libxt_iprange: fix option names
	src: use regular includes
	src: Update comments
	build: prepare make tarball for git 1.6.0
	libxt_recent: do allow --rttl for --update
	src: update comments part II
	build: run ldconfig on `make install`
	doc: remove mentions of NAT in ip6tables manpage

Jesper Dangaard Brouer (1):
	libiptc: remove old fixme

Pablo Sebastian Greco (1):
	mark: fix invalid iptables-save output

Patrick McHardy (2):
	manpages: fix another typo in tcp manpage
	v1.4.2

Phil Oester (3):
	iptables-save: fix hashlimit output
	libxt_dscp: fix save of negated dscp match rules
	src: Missing limits.h includes

WANG Cong (1):
	manpages: Fix a typo in tcp man page



iptables v1.4.1-rc1 Changelog:
======================================================================
Changes from 1.4.0:

Peter Warasin:
	Fix CONNMARK mask initialisation

Jesper Dangaard Brouer:
	Inline functions iptcc_is_builtin() and set_changed()
	Introduce a counter for number of user defined chains
	Solving scalability issue: for chain list "name" searching

Patrick McHardy:
	Add RATEEST target extension
	Add rateest match extension
	Remove obsolete file
	Add netfilter.h
	Remove compiler.h inclusions
	Retry ruleset dump when kernel returns EAGAIN

Pablo Neira Ayuso:
	Cleanup several code wraparounds
	Check for malloc() return value in merge_opts()
	Check for merge_opts() return value

Jan Engelhardt:
	Converts the iptables build infrastructure to autotools
	Introduce strtonum()
	Introduce common error messages
	Add libxt_owner
	Add libxt_tos
	Add libxt_TOS
	Add libxt_MARK r2
	Add libxt_connmark r1
	Print warning when dlopen fails
	Add libxt_conntrack r0
	Bunch o' renames
	Rename overlapping function names
	Add more libxt_hashlimit checks
	Add libxt_mark r1
	Add libxt_iprange r0
	Add libxt_iprange r1
	Give preference to iptables header files
	Build adjustments
	Add libxt_CONNMARK revision 1
	Add libxt_conntrack revision 1
	libxt_owner: UID/GID range support
	Fix compilation of iptables-static build
	Correct the family member value of libxt_mark revision 1
	Makefile: add a "tarball" target
	Drop -W from CFLAGS and some tiny code cleanups
	Fix -Wshadow warnings and clean up xt_sctp.h
	Update the libxt_owner manpage with the UID/GID-range feature
	Fix all remaining warnings (missing declarations, missing prototypes)
	xtables.h: move non-exported parts to internal.h
	Add support for xt_hashlimit match revision 1
	Combine IP{,6}T_LIB_DIR into XTABLES_LIBDIR
	manpages: fix broken markup (missing close tags)
	manpages: grammar and spelling
	manpages: update to reflect fine-grained control
	configure: split --enable-libipq from --enable-devel
	Import iptables-apply
	Add all necessary header files - compilation fix for various cases
	Install libiptc header files because xtables.h depends on it
	iptables: use C99 lists for struct options
	RATEEST: add manpage
	Implement AF_UNSPEC as a wildcard for extensions
	Combine ipt and ip6t manpages
	Resolve warnings on 64-bit compile
	Wrap dlopen code into NO_SHARED_LIBS
	Remove support for compilation of conditional extensions
	Resolve libipt_set warnings
	Update documentation about building the package
	configure.ac: AC_SUBST must be separate
	Dynamically create xtables.h.in with version
	configure.ac: remove already-defined variables
	Remove old functions, constants
	Properly initialize revision for ip6tables targets
	Makefile.am: use PACKAGE_TARNAME
	iptables out-of-tree build directory

Sven Schnelle:
	Add libxt_TCPOPTSTRIP

Max Kellermann:
	Fix REDIRECT manpage
	Whitespace cleanup
	Use size_t
	Escape strings
	Unescape parameters
	Allow empty strings in argument parser
	Fix gcc warnings

Naohiro Ooiwa:
	Fix define value of SCTP chunk type

Filippo Zangheri:
	Remove useless white spaces from iptables-xml manpages

James King:
	libxt_iprange: Fix IP validation logic

Shan Wei:
	iptables-save: remove unnecessary code

Henrik Nordstrom:
	Make iptables-restore usable over a pipe
	Add support for --set-counters to iptables -P
	iptables --list-rules command
	iptables --list chain rulenum
	Make --set-counters (-c) accept comma separated counters

Jamie Strandboge:
	Fix ip6tables dest address printing



iptables v1.4.1.1 Changelog
=====================================================================

Henrik Nordstrom (1):
	iptables: fix printing of line numbers with --line-numbers arg

Jan Engelhardt (3):
	ip6tables: fix printing of ipv6 network masks
	build: fix `make install` when --disable-shared is used
	iprange: kernel flags were not set

Patrick McHardy (1):
	v1.4.1.1



iptables v1.4.1 Changelog
======================================================================

Filippo Zangheri (1):
	removes useless white spaces from iptables-xml manpages.

Gáspár Lajos (1):
	iptables: use C99 lists for struct options

Henrik Nordstrom (5):
	Make iptables-restore usable over a pipe
	Add support for --set-counters to iptables -P
	iptables --list-rules command
	iptables --list chain rulenum
	Make --set-counters (-c) accept comma separated counters

James King (1):
	[IPTABLES]: libxt_iprange: Fix IP validation logic

Jamie Strandboge (1):
	fix ip6tables dest address printing

Jan Engelhardt (55):
	Converts the iptables build infrastructure to autotools.
	Introduce strtonum(), which works like string_to_number(), but passes
	common error messages
	libxt_owner
	libxt_tos
	libxt_TOS
	libxt_MARK r2
	libxt_connmark r1
	print warning when dlopen fails
	libxt_conntrack r0
	bunch o' renames
	rename overlapping function names
	libxt_hashlimit checks
	libxt_mark r1
	libxt_iprange r0
	libxt_iprange r1
	Give preference to iptables header files
	Build adjustments
	libxt_CONNMARK revision 1
	[IPTABLES]: libxt_conntrack revision 1
	[IPTABLES]: libxt_owner: UID/GID range support
	Fix compilation of iptables-static build
	Correct the family member value of libxt_mark revision 1
	Makefile: add a "tarball" target
	Drop -W from CFLAGS and some tiny code cleanups
	Fix -Wshadow warnings and clean up xt_sctp.h
	Update the libxt_owner manpage with the UID/GID-range feature
	Fix all remaining warnings (missing declarations, missing prototypes)
	xtables.h: move non-exported parts to internal.h
	Add support for xt_hashlimit match revision 1
	Combine IP{,6}T_LIB_DIR into XTABLES_LIBDIR
	manpages: fix broken markup (missing close tags)
	manpages: grammar and spelling
	manpages: update to reflect fine-grained control
	configure: split --enable-libipq from --enable-devel
	Add all necessary header files - compilation fix for various cases
	Install libiptc header files because xtables.h depends on it
	RATEEST: add manpage
	Implement AF_UNSPEC as a wildcard for extensions
	Combine ipt and ip6t manpages
	Resolve warnings on 64-bit compile
	Wrap dlopen code into NO_SHARED_LIBS
	Remove support for compilation of conditional extensions
	Resolve libipt_set warnings
	Update documentation about building the package
	configure.ac: AC_SUBST must be separate
	Dynamically create xtables.h.in with version
	configure.ac: remove already-defined variables
	Remove old functions, constants
	Makefile.am: use PACKAGE_TARNAME
	iptables out-of-tree build directory
	Update .gitignore
	build: check for missing feature files
	libxt_owner: add spaces to output
	manpage updates

Jesper Dangaard Brouer (3):
	Inline functions iptcc_is_builtin() and set_changed().
	Introduce a counter for number of user defined chains.
	Solving scalability issue: for chain list "name" searching.

Kristof Provost (1):
	REDIRECT: Allow symbolic port in REDIRECT --to-port

Laszlo Attila Toth (1):
	addrtype match: added revision 1

Lutz Jaenicke (1):
	Fix iptables-save output of libxt_owner match

Martin F. Krafft (1):
	Import iptables-apply

Max Kellermann (7):
	Fix REDIRECT manpage
	whitespace cleanup
	use size_t
	escape strings
	unescape parameters
	allow empty strings in argument parser
	fix gcc warnings

Naohiro Ooiwa (1):
	Fix define value of SCTP chunk type.

Pablo Neira Ayuso (2):
	- cleanup several code wraparounds
	bump iptables version to prepare 1.4.1 release

Patrick McHardy (16):
	Add RATEEST target extension
	Add rateest match extension
	Remove obsolete file
	Add netfilter.h
	Remove compiler.h inclusions.
	Retry ruleset dump when kernel returns EAGAIN.
	Properly initialize revision for ip6tables targets
	Bump version to 1.4.1-rc1
	iptables 1.4.1-rc2
	manpages: consistent syntax
	Resync header files with kernel
	Bump version
	libiptc: move variable definitions to head of function
	iptables-xml: sparse fixes
	sparse warning fixes: integer used as pointer
	v1.4.1

Peter Warasin (1):
	Fix CONNMARK mask initialisation

Shan Wei (1):
	iptables-save: remove unnecessary code.

Sven Schnelle (1):
	libxt_TCPOPTSTRIP

Thomas Jacob (1):
	Don't assume /bin/sh is bash

Thomas Jarosch (1):
	Add xtables version defines.

Yasuyuki Kozakai (1):
	Use s6_addr32 to access bits in int6_addr instead of incompatible name



iptables v1.4.0 Changelog
======================================================================
Changes from 1.4.0rc1:

- Don't use dlfcn.h if NO_SHARED_LIBS is defined
	[ Mike Frysinger ]

- Fix showing help text for matches/targets with revision as user
	[ Patrick McHardy ]

- Print warnings to stderr
	[ Max Kellermann ]

- Fix sscanf type errors
	[ Patrick McHardy ]

- Always print mask in iptables-save
	[ Jan Engelhardt ]

- Don't silently exit on failure to open /proc/net/{ip,ip6}_tables_names
	[ Victor Stinner ]

- Adds --table to iptables-restore
	[ Peter Warasin ]

- Make DO_MULTI=1 work for ip6tables* binaries
	[ Hann-huei Chiou ]

- Add ip6tables-{save,restore} to non-experimental target, fix strict aliasing warnings
	[ Patrick McHardy ]

- Introducing libxt_*.man files. Sorted matches and modules
	[ Laszlo Attila Toth ]

- Install ip6tables-{save,restore} manpages
	[ Patrick McHardy ]

- Performance optimization in sorting chain during pull-out
	[ Jesper Dangaard Brouer ]

- Fix sockfd use accounting for kernels without autoloading
	[ Patrick McHardy ]

- use <linux/types.h>
	[ Jan Engelhardt ]

- Fix make/compile error for iptables-1.4.0rc1
	[ Jesper Dangaard Brouer ]

- Fix for --random option in DNAT and REDIRECT
	[ Tom Eastep ]

- Document xt_statistic
	[ Stefano Sabatini ]

- sctp: fix - mistake to pass a pointer where array is required
	[ Li Zefan ]

- Fix connlimit output for inverted --connlimit-above: ! > is <=, not <
	[ Patrick McHardy ]

- Add NFLOG manpage
	[ Patrick McHardy ]

- Move libipt_DSCP.man to libxt_DSCP.man for ip6tables.8
	[ Yasuyuki Kozakai ]

- Unifies libip[6]t_CONNSECMARK.man to libxt_CONNSECMARK.man
	[ Yasuyuki Kozakai ]

- Moves libipt_CLASSIFY.man to libxt_CLASSIFY.man for ip6tables.8
	[ Yasuyuki Kozakai ]

- fix check_inverse() call
	[ Jan Engelhardt ]

- Bump version to 1.4.0 final
	[ Pablo Neira Ayuso ]



iptables v1.4.0rc1 Changelog
======================================================================
Changes from 1.3.8:

- Add support for generic xtables infrastructure (improved IPv6 support!)
	[ Yasuyuki Kozakai ]

- Deletes empty ->final_check() functions
	[ Jan Engelhardt ]

- Fix sparse warnings: non-C99 array declaration, incorrect function prototypes
	[ Patrick McHardy ]

- Remove last vestiges of NFC
	[ Peter Riley ]

- Make @msg argument a const char *, just like printf
	[ Jan Engelhardt ]

- Makes it possible to omit extra_opts of matches/targets if unnecessary
	[ Jan Engelhardt ]

- Fix "iptables getsockopt failed strangely" when querying revisions for non-existent matches and targets
	[ Patrick McHardy ]

- Introduces DEST_IPT_LIBDIR in Makefile
	[ Yasuyuki Kozakai ]

- Change default KERNEL_DIR location and add KBUILD_OUTPUT
	[ Sven Wegener ]

- Removes obsolete KERNEL_64_USERSPACE_32 definitions
	[ Yasuyuki Kozakai ]

- Fix unused function warning
	[ Patrick McHardy ]



iptables v1.3.8 Changelog
======================================================================

- Fix build error of conntrack match
	[Yasuyuki Kozakai]

- Remove whitespace in ip6tables.c
	[Yasuyuki Kozakai]

- `-p all' and `-p 0' should be allowed in ip6tables
	[Yasuyuki Kozakai]

- hashlimit doc update
	[Jan Engelhardt]

- add --random option to DNAT and REDIRECT
	[Patrick McHardy]

- Makefile uses POSIX conform directory check
	[Roy Marples]

- Fix missing newlines in iptables-save/restore output
	[Pavol Rusnak]

- Update quota manpage for SMP
	[Phil Oester]

- Output for unspecified proto is `all' instead of `0'
	[Phil Oester]

- Fix iptables-save with --random option
	[Patrick McHardy]

- Remove unnecessary IP_NAT_RANGE_PROTO_RANDOM ifdefs
	[Patrick McHardy]

- Remove libnsl from LDLIBS
	[Patrick McHardy]

- Fix problem with iptables-restore and quotes
	[Pablo Neira Ayuso]

- Remove unnecessary includes
	[Patrick McHardy]

- Fix --modprobe parameter
	[Maurice van der Pot]

- ip6tables-restore should output error of modprobe after failed to load
	[Yasuyuki Kozakai]

- Add random option to SNAT
	[Eric Leblond]

- Fix missing space in error message
	[Patrick McHardy]

- Fixes for manpages of tcp, udp, and icmp{,6}
	[Yasuyuki Kozakai]

- Add ip6tables mh extension
	[Masahide Nakamura]

- Fix tcpmss manpage
	[Patrick McHardy]

- Add ip6tables TCPMSS extension
	[Arnaud Ebalard]

- Add UDPLITE multiport support
	[Patrick McHardy]

- Fix missing space in ruleset listing
	[Patrick McHardy]

- Remove extensions for unmaintained/obsolete patchlets
	[Patrick McHardy]

- Fix greedy debug grep
	[Patrick McHardy]

- Fix type in manpage
	[Thomas Aktaia]

- Fix compile/install error for iptables-xml with DO_MULTI=1
	[Lutz Jaenicke]



iptables v1.3.7 Changelog
======================================================================

Bugs fixed since 1.3.6:

- Fix compilation error with linux 2.6.19
	[ Patrick McHardy ]

- Fix LOG target segfault with --log-prefix ""
	[ Mike Frysinger, Bugzilla #516 ]

- Fix conflicting getsockopt optname values for IP6T_SO_GET_REVISION_{MATCH,TARGET}
	[ Yasuyuki KOZAKAI ]

- Fix -E (rename) in iptables/ip6tables
	[ Krzysztof Piotr Oledzki ]

- Fix /etc/network usage
	[ Pablo Neira ]

- Fix iptables-save not printing -s/-d ! 0/0
	[ Patrick McHardy ]

- Fix ip6tables-save unnecessarily printing -s/-d options for zero prefix length
	[ Daniel De Graaf ]

New features since 1.3.6:

- Add revision support for ip6tables
	[ Rémi Denis-Courmont ]

- Add port range support for ip6tables multiport match
	[ Rémi Denis-Courmont ]

- Add sctp match extension for ip6tables
	[ Patrick McHardy ]

- Add iptables-xml tool
	[ Amin Azez ]

- Add hashlimit support for ip6tables (needs kernel > 2.6.19)
	[ Patrick McHardy ]

- Use /lib/modules/$(shell uname -r)/build instead of /usr/src/linux to look for kernel source
	[ Patrick McHardy ]

- Add NFLOG target extension for iptables/ip6tables (needs kernel > 2.6.19)
	[ Patrick McHardy ]



iptables v1.3.6 Changelog
======================================================================

Bugs fixed since 1.3.5:

- Fix segfault on loading of invalid counters in ip[6]tables-restore
	[ Bugzilla #437, Olaf Rempel ]

- Fix double-free if a single match is used multiple times within a single rule
	[ Bugzilla #440, Harald Welte ]

- Don't try to resolve "-p all" using getprotoent()
	[ Bugzilla #446, Harald Welte ]

- Refuse never matching protocol specifications for ip6tables
	[ Yasuyuki Kozakai ]

- Fix iptables-save output of osf match
	[ Daniel De Graaf ]

- Fix esp/connbytes detection with newer kernels (x_tables)
	[ Harald Welte ]

- Fix loading of ICMPv6 match shared library
	[ Yasuyuki Kozakai ]

- Refuse invalid esp match SPI ranges
	[ Yasuyuki Kozakai ]

- Fix out-of-bounds memory access when the unsupported "check" command was used
	[ Bugzilla #463, Larry Stefani, Harald Welte ]

- Fix out-of-bounds memory access when the "-c" option was used
	[ Bugzilla #462, Larry Stefani, Harald Welte ]

- Fix "Unknown error 4294967295" message
	[ Bugzilla #460, Patrick McHardy ]

- Use lower-case letters for realm match output
	[ Simon Lodal ]

- Fix example in connlimit manpage
	[ Phil Oester ]

- Refuse IP addresses as arguments to REDIRECT target
	[ Bugzilla #482, Phil Oester ]

- Fix set match negation
	[ Jozsef Kadlecsik ]

- Fix some compiler warnings
	[ Bugzilla #457, Phil Oester ]

- Refuse port ranges in ip6tables multiport match
	[ Bugzilla #451, Phil Oester ]

- Force user to specify --icmpv6-type if icmpv6 match is used
	[ Bugzilla #461, Yasuyuki Kozakai ]

- Fix libiptc symbol clash
	[ Bugzilla #456, Phil Oester ]

- Remove "hoho" message
	[ Pierre-Yves Ritschard ]

- Handle CIDR notation more sanely
	[ Bugzilla #422, Phil Oester ]

- Fix chain reference increment bug
	[ Jesper Brouer ]

- Fix counter clearing for policy counters
	[ Bugzilla #502, Andy Gay ]

- Remove warnings about interface names with non-alphanumeric characters
	[ Patrick McHardy ]

New features since 1.3.5:

- Support multiple matches of the same type within a single rule
	[ Jozsef Kadlecsik ]

- DCCP/SCTP support for multiport match (needs kernel >= 2.6.18)
	[ Patrick McHardy ]

- SELinux SECMARK target (needs kernel >= 2.6.18)
	[ James Morris ]

- SELinux CONNSECMARK target (needs kernel >= 2.6.18)
	[ James Morris ]

- Add documentation for DNAT target :<port> syntax
	[ Evan Miller ]

- Add new exit value to indicate concurrency issues
	[ Jesper Dangaard Brouer ]

- Use gcc to build shared objects
	[ Bugzilla #454, Phil Oester ]

- Update quota match for version in current kernel, fix -D (needs kernel >= 2.6.18)
	[ Phil Oester ]

- Update MARK target documentation to include --and-mask/--or-mask
	[ Eric Leblond ]

- Add support for statistic match (needs kernel >= 2.6.18)
	[ Patrick McHardy ]

- Optionally read realm values from /etc/iproute2/rt_realms
	[ Simon Lodal ]

iptables v1.3.5 Changelog
======================================================================
This version requires kernel >= 2.4.0
This version recommends kernel >= 2.4.18

Bugs fixed from 1.3.4:

- Fix conntrack --ctproto option in iptables-save
	[ Phil Oester ]

- Fix string match '--from' option in iptables-save
	[ Michael Rash ]

- Fix option parser of ttl match
	[ Patrick McHardy ]

- Get rid of gcc-4 warnings
	[ Patrick McHardy ]

- Fix spelling of 'address' in DNAT/SNAT manpage section
	[ MJ Anthony ]

- Fix 'tcp-rst' parsing in REJECT target
	[ Torsten Hilbrich ]

- Fix probing for supported revisions
	[ Jones Desougi ]

- Fix compilation of iptables on [old] systems that don't have IPT_F_GOTO
	[ Harald Welte ]

- Only set revisions on real targets, not on jumps
	[ Pablo Neira ]

- Fix memory leak in TC_COMMIT() of libiptc
	[ Markus Sundberg ]

- Correctly propagate errors of setsockopt to calling function
	[ Harald Welte ]

- Fix connbytes match iptables-save
	[ Unknown ]

- Fix sctp match compilation against recent kernel headers
	[ Harald Welte ]

- Fix conntrack match compilation against 2.4.0 kernel headers
	[ Harald Welte ]

Changes from 1.3.4:

- Add support for ip6tables connmark match and target
	[ Harald Welte ]

- Add support for ip6tables state match
	[ Harald Welte ]

- Add support for new policy ip[6]tables match
	[ Patrick McHardy ]

- Major manpage update
	[ Yasuyuki Kozakai ]

- Remove ippool support, it has been deprecated by ipset a long time ago
	[ Harald Welte ]

Please note: Since version 1.2.7a, patch-o-matic is now no longer part of
iptables but rather distributed as a separate package
(ftp://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot)


iptables v1.3.4 Changelog
======================================================================
This version requires kernel >= 2.4.0
This version recommends kernel >= 2.4.18

Bugs fixed from 1.3.3:

- Fix parsing of NFQUEUE queue numbers
	[ Eric Leblond ]

- Add documentation of --queue-num parameter to NFQUEUE manpage
	[ Eric Leblond ]

- Fix 'hash-init' parameter of CLUSTERIP target
	[ KOVACS Krisztian ]

- Fix CONNMARK match and target: Marks are now always 32bit
	[ Deti Fliegl ]

- Print error message when multiple "--to" DNAT/SNAT args are used with kernel >= 2.6.10
	[ Phil Oester ]

- Fix compilation of connbytes match with 2.6.14 kernel
	[ Harald Welte ]

- Fix address inversion of conntrack match
	[ Tom Eastep ]

- Fix sorting of chain names
	[ Robert de Barth ]

Changes from 1.3.2:

- Add support for DCCP port and type matching
	[ Harald Welte ]

- Add support for new in-kernel string match
	[ Pablo Neira ]

Please note: Since version 1.2.7a, patch-o-matic is now no longer part of
iptables but rather distributed as a separate package
(ftp://ftp.netfilter.org/pupatch-o-matic-ng/snapshot)


iptables v1.3.3 Changelog
======================================================================
This version requires kernel >= 2.4.0
This version recommends kernel >= 2.4.18

Bugs fixed from 1.3.2:

- Fix use-after-free in merge_options()
	[ Markus Sundberg ]

- Fix support for SNAT and DNAT to ICMP ID ranges
	[ Patrick McHardy ]

Changes from 1.3.2:

- Add support for new NFQUEUE targets for IPv4 and IPv6
	[ Harald Welte ]

- Minor manpage updates
	[ Harald Welte ]

- Fix numerous gcc-4 warnings throughout the code
	[ Harald Welte ]

Please note: Since version 1.2.7a, patch-o-matic is now no longer part of
iptables but rather distributed as a separate package
(ftp://ftp.netfilter.org/pupatch-o-matic-ng/snapshot)


iptables v1.3.2 Changelog
======================================================================
This version requires kernel >= 2.4.0
This version recommends kernel >= 2.4.18

Bugs fixed from 1.3.1:

- Fix TCPLAG version
	[ Torsten Luettgert ]

- More error checking in SET target
	[ Michal Pokrywka ]

- Fix optflags value for OPT_LINENUMBERS
	[ Jonas Berlin ]

- Allow NULL init function in ip6tables plugins
	[ Jonas Berlin ]

- Don't allow newlines in LOG prefix
	[ Phil Oester ]

- Introduce ip_conntrack_old_tuple to userspace header copy
	[ Pablo Neira ]

- Fix connbytes command line parsing bug
	[ Piotrek Kaczmarek ]

- Ignore unknown arguments in libipt_ULOG
	[ Patrick McHardy ]

- Correct error in multiport manpage wrt. "--ports"
	[ Rusty Russell ]

- Fix CONNMARK save/restore
	[ Tom Eastep, Pawel Sikora ]

- Make sure chain name doesn't start with '!'
	[ Yasuyuki Kozakai ]

- Prevent user from specifying negative ports in SNAT/DNAT
	[ Yasuyuki Kozakai ]

- Fix deletion of targets where kernel size != userspace size
	[ Pablo Neira ]

- Fix save/restore of '! --uid-owner squid' problem in ip6t_owner
	[ Harald Welte ]

Changes from 1.3.1:

- Add ``--log-uid'' option to ip6t_LOG target
	[ Patrick McHardy ]

- Improve REDIRECT manpage
	[ Jonas Berlin ]

- Add a number of missing manpage snippets
	[ Jonas Berlin ]

- Include FIN bit in mask of "--syn" bits
	[ Harald Welte ]

- Release previously merged options from merge_opts(), reduces memory-usage of
	iptables-restore dramatically
	[ Pablo Neira ]

- OSF: changes to support connector notifications
	[ Evgeniy Polyakov ]

- Reduce code replication of parse_interface()
	[ Yasuyuki Kozakai ]

Please note: Since version 1.2.7a, patch-o-matic is now no longer part of
iptables but rather distributed as a separate package
(ftp://ftp.netfilter.org/pupatch-o-matic-ng/snapshot)


iptables v1.3.1 Changelog
======================================================================
This version requires kernel >= 2.4.4
This version recommends kernel >= 2.4.18

Bugs fixed from 1.3.0:

- Fix CLUSTERIP rule deletion
	[ Pablo Neira ]

- Fix libip6t_random compilation
	[ Harald Welte ]

- Fix CONNMARK on 32bit userspace / 64bit kernel archs
	[ Pablo Neira ]

Changes from 1.3.0:

- remove bogus NFC_* stuff in iptables
	[ Pablo Neira ]

- libiptc: don't sort builtin chains, restores iptables-1.2.x sort order
	[ Olaf Rempel ]


Please note: Since version 1.2.7a, patch-o-matic is now no longer part of
iptables but rather distributed as a separate package
(ftp://ftp.netfilter.org/pupatch-o-matic-ng/snapshot)


iptables v1.3.0 Changelog
======================================================================
This version requires kernel >= 2.4.4
This version recommends kernel >= 2.4.18

Bugs fixed from 1.3.0rc1:

- Fix realm match save/restore issue
	[ Harald Welte ]

- Fix hashlimit rule deletion from userspace
	[ Samuel Jean ]

- Fix hashlimit parameter handling / iptables-save
	[ Nikolai Malykh ]

- Fix multiport inversion
	[ Phil Oester ]

Bugs fixed from 1.2.11:

- Fix compilation on systems where /bin/sh != bash
	[ Jozsef Kadlecsik ]

- Fix setting lib_dir in ip*tables-{save,restore}
	[ Martin Josefsson ]

- Fix module-autoloading in certain cases
	[ Harald Welte ]

- libipt_TTL: limit range of valid TTL to 0-255
	[ Maciej Soltysiak ]

- libip6t_HL: limit range of valid HL to 0-255
	[ Maciej Soltysiak ]

- libip{6}t_limit: Fix half-working limit invert check
	[ Phil Oester ]

- libipt_connbytes: Update to use the IP_CONNTRACK_ACCT counters
	[ Harald Welte ]

- libipt_conntrack: Fix typo
	[ Phil Oester ]

- libipt_dstlimit: Fix half-working invert check
	[ Phil Oester ]

- libipt_helper: Prevent user from using --helper multiple times
	[ Nicolas Bouliane ]

- libipt_iprange: Print error message if --dst-range used twice
	[ Nicolas Bouliane ]

- libipt_nth: Fix help message syntax
	[ Harald Welte ]

- libipt_psd: Fix option parsing
	[ Pablo Neira ]

- libipt_random: Fix help message syntax
	[ Harald Welte ]

- libipt_realm: Fix inversion of options
	[ Simon Lodal ]

- libipt_time: Fix C++ style delayed variable definition
	[ Olivier Clerget ]

- libipt_time: Print message about time match not adhering to daylight saving
	[ Phil Oester ]

- libipt_tos: Print Error message if --tos is specified twice
	[ Nicolas Bouliane ]

- libipt_ttl: Cleanup ttl option parsing
	[ Phil Oester ]

- libipt_u32: Fix option parsing
	[ Piotr Gasid'o ]


Changes from 1.2.11:

- libiptc: complete rewrite for performance reasons
	[ Harald Welte, Martin Josefsson ]

- introduce "DO_MULTI=1" mode to build a multi-call binary
	[ Bastiaan Bakker ]

- code cleanup, use C99 initializers
	[ Harald Welte, Pablo Neira ]

- Extension revision number support (if kernel supports the getsockopts).
	[ Rusty Russell ]

- Don't need ipt_entry_target()/ip6t_entry_target().
	[ Rusty Russell ]

- Don't re-initialize libiptc/libip6t unless modprobe attempt succeeds.
	[ Rusty Russell ]

- Implement IPTABLES_LIB_DIR and IP6TABLES_LIB_DIR environment variables
	[ Rusty Russell ]

- Add manpage section about 'raw' table
	[ Harald Welte ]


- libip{6}t_ROUTE: add ROUTE --tee mode
	[ Patrick Schaaf ]

- libip{6}t_multiport: Print Error message when `!' is used
	[ Patrick McHardy, Phil Oester ]

- New libip6t_physdev Match
	[ Bart De Schuymer ]

- libipt_CLUSTERIP: Fix compiler warning about const
	[ Harald Welte ]

- libipt_DNAT: Print Error message if `:' is used for port range
- libipt_SNAT: Print Error message if `:' is used for port range
	[ Phil Oester ]

- libipt_LOG: Add --log-uid option
	[ John Lange ]

- libipt_MARK: add bitwise operators
	[ Henrik Nordstrom, Rusty Russell ]

- libipt_SET: Update to ipset2
	[ Jozsef Kadlecsik ]

- libipt_account: Update to 0.1.16
	[ Piotr Gasid'o ]

- New libipt_comment Match
	[ Brad Fisher ]

- New libipt_hashlimit Match, supersedes dstlimit
	[ Harald Welte ]

- libipt_ttl: Use string_to_number()
	[ Rusty Russell ]


Please note: Since version 1.2.7a, patch-o-matic is now no longer part of
iptables but rather distributed as a separate package
(ftp://ftp.netfilter.org/pupatch-o-matic-ng/snapshot)


iptables v1.2.11 Changelog
======================================================================
This version requires kernel >= 2.4.4
This version recommends kernel >= 2.4.18


Bugs Fixed from 1.2.10:

- fix compilation on systems where /bin/sh != bash
	[ Jozsef Kadlecsik ]

Bugs Fixed from 1.2.9:

- physdev match: fix new structure layout for kernel > 2.6.0-test8
	[ Bart De Schuymer ]

- Better 64bit / 32bit split architecture detection
- IPv6 LOG target: Fix compiler warnings on 64bit
- LOG target: Fix compiler warnings on 64bit
- IPv6 MARK target: Use full 64bit mark on 64bit archs
- MARK target: Use full 64bit mark on 64bit archs
- SAME target: Fix 64bit/32bit splitarch problems
- ULOG target: Fix 64bit/32bit splitarch problems
- conntrack match: Fix 64bit/32bit splitarch problem
- IPv6 limit match: Fix 64bit/32bit splitarch problem
- limit match: Fix 64bit/32bit splitarch problem
- IPv6 mark match: Use full 64bit mark on 64bit archs
- mark match: Use full 64bit mark on 64bit archs
- owner match: Fix compiler warnings on 64bit
	[ Martin Josefsson ]

- connbytes match: Fix signedness / unsigned issue
	[ Martin Josefsson ]

- connlimit match: Fix '/0' netmask
	[ David Ahern ]

- ipv6 owner match: fix possibly not zero terminated string
- helper match: fix possibly not zero terminated string
- recent match: fix possibly not zero terminated string
	[ Karsten Desler ]

- ICMP match: fix '--icmp-type any' case
	[ Harald Welte ]

- CONNMARK target: major update (add mark/mask matching)
	[ Henrik Nordstrom ]

- DSCP target: Fix cosmetic help message problem
	[ Maciej Soltysiak ]

- string match: Fix iptables-save/restore for ascii strings with spaces
	[ Michael Rash ]

- ip(6)tables-restore: Make sure matches are used in the same order
	[ Martin Josefsson ]

- ip(6)tables-restore: Fix '--verbose' option
- ip(6)tables-restore: Add '--test' option
- ip(6)tables-restore: Complain about missing 'COMMIT'
	[ Martin Josefsson ]

- ip(6)tables-restore: Allow embedding of quote character in quoted strings
	[ Michael Rash ]

- libipq: Protect against spoofed queue messages (check if sender is kernel)
	[ Harald Welte ]


Changes from 1.2.9:

- time match: add 'datestart' and 'datestop' parameters
	[ Fabrice Marie ]

- modular manpage build, depending on actually compiled-in features
	[ Henrik Nordstrom ]

- additional documentation in manpage snippets formerly missing
	[ Harald Welte ]

- support new CLUSTERIP Target
	[ Harald Welte ]

- support new account match
	[ Piotr Gasid'o ]

- support new connrate match
	[ Nuuti Kotivuori ]

- support new dstlimit match
	[ Harald Welte ]

- support new 'set' match / 'SET' target
	[ Jozsef Kadlecsik ]

- osf match: add support for netlink reporting
	[ Evgeniy Polyakov ]

- new SCTP protocol match
	[ Kiran Kumar ]


Please note: Since version 1.2.7a, patch-o-matic is now no longer part of
iptables but rather distributed as a separate package
(ftp://ftp.netfilter.org/pupatch-o-matic/)

Please also note: Since Kernel 2.6.x is out, we now use patch-o-matic-ng,
distributed as a separate package: (ftp://ftp.netfilter.org/pupatch-o-matic-ng)


iptables v1.2.10 Changelog
======================================================================
This version requires kernel >= 2.4.4
This version recommends kernel >= 2.4.18

Bugs Fixed from 1.2.9:

- physdev match: fix new structure layout for kernel > 2.6.0-test8
	[ Bart De Schuymer ]

- Better 64bit / 32bit split architecture detection
- IPv6 LOG target: Fix compiler warnings on 64bit
- LOG target: Fix compiler warnings on 64bit
- IPv6 MARK target: Use full 64bit mark on 64bit archs
- MARK target: Use full 64bit mark on 64bit archs
- SAME target: Fix 64bit/32bit splitarch problems
- ULOG target: Fix 64bit/32bit splitarch problems
- conntrack match: Fix 64bit/32bit splitarch problem
- IPv6 limit match: Fix 64bit/32bit splitarch problem
- limit match: Fix 64bit/32bit splitarch problem
- IPv6 mark match: Use full 64bit mark on 64bit archs
- mark match: Use full 64bit mark on 64bit archs
- owner match: Fix compiler warnings on 64bit
	[ Martin Josefsson ]

- connbytes match: Fix signedness / unsigned issue
	[ Martin Josefsson ]

- connlimit match: Fix '/0' netmask
	[ David Ahern ]

- ipv6 owner match: fix possibly not zero terminated string
- helper match: fix possibly not zero terminated string
- recent match: fix possibly not zero terminated string
	[ Karsten Desler ]

- ICMP match: fix '--icmp-type any' case
	[ Harald Welte ]

- CONNMARK target: major update (add mark/mask matching)
	[ Henrik Nordstrom ]

- DSCP target: Fix cosmetic help message problem
	[ Maciej Soltysiak ]

- string match: Fix iptables-save/restore for ascii strings with spaces
	[ Michael Rash ]

- ip(6)tables-restore: Make sure matches are used in the same order
	[ Martin Josefsson ]

- ip(6)tables-restore: Fix '--verbose' option
- ip(6)tables-restore: Add '--test' option
- ip(6)tables-restore: Complain about missing 'COMMIT'
	[ Martin Josefsson ]

- ip(6)tables-restore: Allow embedding of quote character in quoted strings
	[ Michael Rash ]

- libipq: Protect against spoofed queue messages (check if sender is kernel)
	[ Harald Welte ]


Changes from 1.2.9:

- time match: add 'datestart' and 'datestop' parameters
	[ Fabrice Marie ]

- modular manpage build, depending on actually compiled-in features
	[ Henrik Nordstrom ]

- additional documentation in manpage snippets formerly missing
	[ Harald Welte ]

- support new CLUSTERIP Target
	[ Harald Welte ]

- support new account match
	[ Piotr Gasid'o ]

- support new connrate match
	[ Nuuti Kotivuori ]

- support new dstlimit match
	[ Harald Welte ]

- support new 'set' match / 'SET' target
	[ Jozsef Kadlecsik ]

- osf match: add support for netlink reporting
	[ Evgeniy Polyakov ]

- new SCTP protocol match
	[ Kiran Kumar ]


Please note: Since version 1.2.7a, patch-o-matic is now no longer part of
iptables but rather distributed as a separate package
(ftp://ftp.netfilter.org/pupatch-o-matic/)

Please also note: Since Kernel 2.6.x is out, we now use patch-o-matic-ng,
distributed as a separate package: (ftp://ftp.netfilter.org/pupatch-o-matic-ng)


iptables v1.2.9 Changelog
======================================================================
This version requires kernel >= 2.4.4
This version recommends kernel >= 2.4.18

Bugs Fixed from 1.2.8:

- ip(6)tables-save/restore: fix memory leaks
	[ Harald Welte, Martin Josefsson ]
- ip6tables: fix printout of odd length netmasks
	[ Mikko Markus Torni ]
- condition match: fix iptables-save
	[ Stephane Ouellette ]
- fuzzy match: fix ip(6)tables-save
	[ Hime Aguiar e Oliveira Jr. ]
- mac match: fix ip(6)tables-save if used inverted (!)
	[ David Zambonini, Martin Josefsson ]
- ip6tables udp match: check for invalid port ranges
	[ Thomas Poehnitz ]
- LOG target: fix iptables-save (save loglevel numerically)
	[ Thomas Woerner ]
- mport match: fix iptables-save (save numerically)
	[ Thomas Woerner ]
- libipq: fix ipq_id_t definition on 'real' 64bit/64bit architectures
	[ Ryan Veety ]
- libip6tc: fix ipv6_prefix_length endianness bugs
	[ Mikko Markus Torni ]
- MASQUERADE target: don't accept negative port numbers
	[ Yasuyuki Kozakai ]
- physdev match: fix new structure layout for kernel > 2.6.0-test8
	[ Bart De Schuymer ]

Changes from 1.2.8:

- build plugins for connlimit, iprange, realm, CLASSIFY, CONNMARK, NETMAP
	[ Harald Welte ]
- libip(6)tc: Speedup due to incremental chain cache updates
	[ Harald Welte ]
- recent match: Update to version 0.3.1 that was submitted to the kernel
	[ Stephen Frost ]
- physdev match: add --physdev-is-{in,out,bridge} option
	[ Bart de Schuymer ]
- REJECT target: add support for ICMP administratively prohibited
	[ Maciej Soltysiak ]
- conntrack match: add support for CONFIRMED / unconfirmed state
	[ Harald Welte ]
- ROUTE target: new option: continue traversal
	[ Cedric de Launois ]
- various cosmetic cleanups
	[ Stephane Ouellette ]
- iptables/libiptc: add support for the new 'raw' table
	[ Jozsef Kadlecsik ]

Please note: Since version 1.2.7a, patch-o-matic is now no longer part of
iptables but rather distributed as a separate package
(ftp://ftp.netfilter.org/pupatch-o-matic/)


iptables v1.2.8 Changelog
======================================================================
This version requires kernel >= 2.4.4
This version recommends kernel >= 2.4.18

Bugs Fixed from 1.2.7a:

- fix ip6tables-save function of 'length' match
	[ Gerry Skerbitz ]
- fix ip6tables-save function of 'mac' match
	[ Kristian Gronfeldt Sorensen ]
- fix iptables-save function of 'ULOG' target
	[ Jimmy Hedman ]
- fix iptables-save function of 'conntrack' match
	[ Lutz Pressler ]
- fix iptables-save function of 'length' match
	[ Gerry Skerbitz ]
- fix iptables-save function of 'mac' match
	[ Kristian Gronfeldt Sorensen ]
- fix iptables-save function of 'mark' match
	[ Harald Welte ]
- fix iptables-save function of 'owner' match
	[ Costa Tsaousis ]
- fix iptables-save function of 'pool' match
	[ Oskar Berggren ]
- fix iptables-save function of 'tcpmss' match
	[ Michael Schwendt ]
- fix iptables-save function of 'tos' match
	[ Harald Welte ]
- fix save/print function of 'connmark' match
	[ Harald Welte ]
- fix error message when invalid TCP flag is specified with 'tcp' match
	[ Aaron Sethman ]

Changes from 1.2.7a:

- updated version of the ROUTE target
	[ Cedric de Launois ]
- updated version of the 'recent' match
	[ Stephen Frost ]
- update the RPC conntrack match, extend it to support filtering on procedures
	[ Ian (Larry) Latter ]
- add support for hexstrings to the 'string' match
	[ Michael Rash ]
- have iptables-restore print the line number in case of an error
	[ Illes Marci ]
- big iptables.8 manpage update
	[ Herve Eychenne ]
- print loglevel human-readable in ip6tables 'LOG' target
	[ Michael Schwendt ]
- print loglevel human-readable in 'LOG' target
	[ Michael Schwendt ]
- remove bogus code from 'ecn' match
	[ Stephane Ouellette ]
- be more specific in help message of 'helper' match
	[ Herve Eychenne ]
- fix semantic problem that '-p icmp -m icmp' was matching icmp type 0 instead
	of 'any'
	[ Harald Welte ]
- fix iptables rename-chain option
	[ Maciej Soltysiak ]
- remove libipulog from iptables since it is distributed with ulogd
	[ Harald Welte ]
- support new ip6tables 'HL' target
	[ Maciej Soltysiak ]
- support new ip6tables 'condition' match
	[ Stephane Ouellette ]
- support new ip6tables 'fuzzy' match
	[ Maciej Soltysiak ]
- support new ip6tables 'hoplimit' match
	[ Maciej Soltysiak ]
- support new iptables 'CLASSIFY' target
	[ unknown ]
- support new iptables TARPIT target
	[ Aaron Hopkins ]
- support new iptables 'condition' match
	[ Stephane Ouellette ]
- support new iptables 'fuzzy' match
	[ Hime Junior ]
- support new iptables 'physdev' match (for 2.5.x bridging)
	[ Bart de Schuymer ]
- support new iptables 'u32' match (based on u32 tc filter)
	[ Don Cohen ]

Please note: As of version 1.2.7a, patch-o-matic is now no longer part of
iptables but rather distributed as a separate package
(ftp://ftp.netfilter.org/pupatch-o-matic/)


iptables v1.2.7a (== fixed 1.2.7) Changelog
======================================================================
This version requires kernel >= 2.4.4
This version recommends kernel >= 2.4.18

Bugs Fixed from 1.2.6a:

- fix compiler warning in userspace support for ipv6 REJECT target
	[ Fabrice Marie ]
- check for invalid portranges in tcp+udp helper (e.g. 2000:100)
	[ Thomas Poehnitz ]
- fix save/restore functions of ip6tables tcp/udp extension
	[ Harald Welte / Andras Kis-Szabo ]
- check for invalid (out of range) nfmark values in MARK target
	[ Alexey ??? ]
- fix save function of MASQUERADE userspace support
	[ A. van Schie ]
- compile fixes for userspace support of experimental POOL target
	[ ? ]
- fix save function of userspace support for ah and esp match
	[ ? ]
- fix static build (NO_SHARED_LIBS)
	[ Roberto Nibali ]
- fix save/restore function of userspace support for mport match
	[ Bob Hockney ]
- update manpages to reflect recent changes
	[ Herve Eychenne, Harald Welte ]
- remove all remnants of the 'check' option
	[ ? ]


Changes from 1.2.6a:

- patch-o-matic is now no longer part of iptables but rather distributed
	as a separate package (ftp://ftp.netfilter.org/pupatch-o-matic/)
		[ Harald Welte ]
- userspace support for dscp match and target
	[ Harald Welte ]
- userspace support for ecn match and target
	[ Harald Welte ]
- userspace support for helper match
	[ Martin Josefsson ]
- userspace support for conntrack match
	[ Marc Boucher ]
- userspace support for pkttype match
	[ Martin Ludvig ]
- userspace support for experimental ROUTE target
	[ Cedric de Launois ]
- userspace support for experimental ipv6 ahesp match
	[ Andras Kis-Szabo ]
- userspace support for experimental ipv6 option header match
	[ Andras Kis-Szabo ]
- userspace support for experimental ipv6 routing header match
	[ Andras Kis-Szabo ]
- add matching of process name to userspace support of owner match
	[ Marc Boucher ]
- new version of userspace support for 'recent' match
	[ Stephen Frost ]


iptables v1.2.6a (== fixed 1.2.6) Changelog
======================================================================
This version requires kernel >= 2.4.4
This version recommends kernel >= 2.4.18

Bugs Fixed from 1.2.5:

- Fix iptables segfault problem when using `!' without argument
	[ Dionis Papavramidis, Harald Welte ]
- Fix PSD match for psd-delay-threshold > 100
	[ Steven Coenen, Dennis Koslowski ]
- ip6tables alignment fixes
	[ Andreas Herrmann ]
- patch-o-matic:
	- Fix NAT-related bug in TCP window tracking code
		[ Jozsef Kadlecsik ]
	- Fix support for DNAT of locally-originated connections (NAT in
	  LOCAL_OUT)
	  	[ Henrik Nordstrom, Harald Welte ]
	- Fix string match (is now SMP safe)
		[ Gianni Tedesco ]
	- Fix TFTP conntrack/nat helper (now also catches first packet)
		[ Magnus Boden ]

Changes from 1.2.5:

- Added global PREFIX makefile variable for all paths
	[ Harald Welte ]
- If compiled without any COPT_FLAGS, debugging is disabled.  To enable
	debugging, use -DIPTC_DEBUG
		[ Harald Welte ]
- New ip6tables-restore and ip6tables-save manpage
	[ Andras Kis-Szabo ]
- Sync ip6tables-restore and ip6tables-save with iptables-restore
	[ Andras Kis-Szabo ]
- Sync ip6tables with iptables
	[ Andras Kis-Szabo ]
- mangle table attaches now to all five netfilter hooks
	[ Brad Chapman, Harald Welte ]
- iptables and ip6tables manpage updates
	[ Herve Eychenne ]
- patch-o-matic program now supports removal of already-applied patches
	[ Bob Hockney ]
- patch-o-matic program now supports patches to the userspace extensions
	[ Fabrice Marie ]
- patch-o-matic:
	- Extend recent match to support multiple recent lists
		[ Stephen Frost ]
	- New GRE and PPTP connection tracking and NAT helper
		[ Harald Welte ]
	- New CONNMARK target for marking all packets within one connection
		[ Henrik Nordstrom ]
	- New conntrack match, enables matching on more conntrack information
	  than state
	  	[ Marc Boucher ]
	- New DSCP match and target (DSCP header field obsoletes TOS)
		[ Harald Welte ]
	- New owner match extension: Match on process name
		[ Marc Boucher ]
	- Add support for bitwise AND / OR manipulation on nfmark
		[ Fabrice Marie ]
	- New experimental patch for disabling TCP connection tracking pickup
		[ Harald Welte ]
	- Add support for SACK in all NAT helpers
		[ Harald Welte ]
	- Make eggdrop botnet connection tracking support work with eggdrop
	  v1.6.x
	  	[ Magnus Sandin ]
	- Add support to REJECT for sending icmp-unreachable messages
	  from a fake source address
	  	[ Fabrice Marie ]
	- Add support for ntalk2 to talk NAT helper
		[ Jozsef Kadlecsik ]
	- Big update to newnat patch
		[ Jozsef Kadlecsik, Paul P Komkoff ]

iptables v1.2.6 Changelog
======================================================================
This version requires kernel >= 2.4.4
This version recommends kernel >= 2.4.18

Bugs Fixed from 1.2.5:

- Fix iptables segfault problem when using `!' without argument
	[ Dionis Papavramidis, Harald Welte ]
- Fix PSD match for psd-delay-threshold > 100
	[ Steven Coenen, Dennis Koslowski ]
- ip6tables alignment fixes
	[ Andreas Herrmann ]
- patch-o-matic:
	- Fix NAT-related bug in TCP window tracking code
		[ Jozsef Kadlecsik ]
	- Fix support for DNAT of locally-originated connections (NAT in
	  LOCAL_OUT)
	  	[ Henrik Nordstrom, Harald Welte ]
	- Fix string match (is now SMP safe)
		[ Gianni Tedesco ]
	- Fix TFTP conntrack/nat helper (now also catches first packet)
		[ Magnus Boden ]

Changes from 1.2.5:

- Added global PREFIX makefile variable for all paths
	[ Harald Welte ]
- If compiled without any COPT_FLAGS, debugging is disabled.  To enable
	debugging, use -DIPTC_DEBUG
		[ Harald Welte ]
- New ip6tables-restore and ip6tables-save manpage
	[ Andras Kis-Szabo ]
- Sync ip6tables-restore and ip6tables-save with iptables-restore
	[ Andras Kis-Szabo ]
- Sync ip6tables with iptables
	[ Andras Kis-Szabo ]
- mangle table attaches now to all five netfilter hooks
	[ Brad Chapman, Harald Welte ]
- iptables and ip6tables manpage updates
	[ Herve Eychenne ]
- patch-o-matic program now supports removal of already-applied patches
	[ Bob Hockney ]
- patch-o-matic program now supports patches to the userspace extensions
	[ Fabrice Marie ]
- patch-o-matic:
	- Extend recent match to support multiple recent lists
		[ Stephen Frost ]
	- New GRE and PPTP connection tracking and NAT helper
		[ Harald Welte ]
	- New CONNMARK target for marking all packets within one connection
		[ Henrik Nordstrom ]
	- New conntrack match, enables matching on more conntrack information
	  than state
	  	[ Marc Boucher ]
	- New DSCP match and target (DSCP header field obsoletes TOS)
		[ Harald Welte ]
	- New owner match extension: Match on process name
		[ Marc Boucher ]
	- Add support for bitwise AND / OR manipulation on nfmark
		[ Fabrice Marie ]
	- New experimental patch for disabling TCP connection tracking pickup
		[ Harald Welte ]
	- Add support for SACK in all NAT helpers
		[ Harald Welte ]
	- Make eggdrop botnet connection tracking support work with eggdrop
	  v1.6.x
	  	[ Magnus Sandin ]
	- Add support to REJECT for sending icmp-unreachable messages
	  from a fake source address
			[ Fabrice Marie ]
	- Add support for ntalk2 to talk NAT helper
		[ Jozsef Kadlecsik ]
	- Big update to newnat patch
		[ Jozsef Kadlecsik, Paul P Komkoff ]


iptables v1.2.5 Changelog
======================================================================
This version requires kernel >= 2.4.4
This version recommends kernel > 2.4.14

Bugs Fixed from 1.2.4:

- make iptables-restore accept --table as well as -t option
	[ Andreas Ferber ]
- make iptables-restore -v / --verbose option work
	[ Marc Boucher ]
- fix iptables-save problems with saving "ppp+" style interface wildcards
	[ Harald Welte ]
- make iptables accept '_' and '.' in interface names
	[ Harald Welte ]
- Kernel bugfixes in patch-o-matic:
	- Fix IRC NAT srcaddr fix (we used to NAT DCC connections to the
	  address of the IRC server)
		[ Bob Hockney ]
	- Fix potential Oops in TOS target module
		[ Edward Killips ]
	- Fix problem when raw socket has cloned skb while netfilter is doing
	  payload modification
		 [ Rusty Russell ]
	- Fix memory leak in ipchains redirect code
		[ Rusty Russell ]
	- Fix reintroduced ECN problem with unclean match
		[ Guillaume Morin ]
	- Fix MAC address match problem with small udp packets
		[ Harald Welte ]

Changes from 1.2.4:

- Whole patch-o-matic system restructured - now supports multiple patch
	repositories (submitted, pending, base, extra, newnat).
	[ Jozsef Kadlecsik ]
- Add IPv6 support to the QUEUE target and libipq
	[ Fernando Anton / James Morris ]
- New patch-o-matic patches:
	- New IPV4OPTSSTRIP target to strip IP options
		[ Fabrice Marie ]
	- New ipv6header match to match IPv6 header options
		[ Brad Chapman / Andras Kis-Szabo ]
	- New helper match to match RELATED connections on their conntrack
		helper
		[ Martin Josefsson ]
	- New quota match to have fixed IP quotas
		[ Sam Johnston ]
	- New recent match to match recently seen packets
		[ Stephen Frost ]


iptables v1.2.4 Changelog
======================================================================
This version requires kernel >= 2.4.4
This version recommends kernel > 2.4.9

Bugs Fixed from 1.2.3:

- make iptables-restore print error message instead of segfault when
	processing broken / wrong input.
	[ ]
- string_to_number fix in LOG, IPv6 LOG, TOS and FTOS target
	[ ]
- fix iptables-save problems when saving MIRROR rules
	[ Harald Welte ]
- fix IPv6 ICMP problems [ ]
- fix TTL increment in TTL target [ ]
- Kernel bugfixes in patch-o-matic:
	- Fix printing of inner-packet in ICMP error messages (LOG target)
		[ ]
	- Decrement TTL when using MIRROR target at PRE_ROUTING [ ]
	- fix undiscovered REJECT checkentry() bug (alignment)
		[ Bert Hubert ]

Changes from 1.2.3:

- New "make most-of-pom" feature for application of non-conflicting
	patches. This should be used instead of "make patch-o-matic" by most
	users.
	[ Harald Welte ]
- iptables-save and iptables-restore now included in the default install;
	They have not been experimental for quite some time.
	[ Harald Welte ]
- synchronize ip6tables-save/restore with iptables-save/restore
	[ Harald Welte ]
- more precise save() function for ipt_limit rates
	[ ]
- new improved version of nth-match. Added support for multiple counters,
	added support for matching on individual packets in the counter cycle
	[ Richard Wagner ]
- added manpage for ip6tables
	[ ]
- updated libipq documentation
	[ ]
- added timeout to libipq recv function
	[ ]
- New patch-o-matic patches:
	- New random match
		[ ]
	- New ftp-fxp patch, imposes security risk but some people need it -sigh*
		[ Magnus Sandin ]
	- New H323 conntrack + nat modules
		[ Jozsef Kadlecsik ]
	- New version of tcp-window tracking patch, includes sysctl()
		changeable timeouts
		[ Jozsef Kadlecsik ]


iptables v1.2.3 Changelog
======================================================================
This version requires kernel 2.4.4 or above.
This version recommends kernel 2.4.9 or above.

Bugs Fixed from 1.2.2:

- fix ICMPv6 support for IPv6
	[ Kis-Szabo Andras ]
- fix problems with REJECT and iptables-restore / iptables-save
	[ Harald Welte ]
- fix possible string overflow in psd match
	[ Dennis Koslowski ]
- fix string match compile problems
	[ Gianni Tedesco ]
- support interfaces with '_' (underscore) in device names
	[ Harald Welte ]
- support rules without target in iptables-save
	[ Emmanuel Fleury ]
- correct handling of "eth+" type interface names in iptables-save/restore
	[ Harald Welte ]
- do incremental checksumming when altering TTL in TTL target
	[ Harald Welte ]
- fix no-srr case in ipv4options match
	[ Fabrice Marie ]
- Kernel bugfixes in patch-o-matic:
	- Fix unexported ip6_table symbols [ Brad Chapman ]
	- Decrement TTL in MIRROR target if used in FORWARD chain [ Harald
		Welte, Fabian Melzow ]
	- Replace SACKPERM TCP option with NOOP (instead of ENDOFOPT)
		[ Guillaume Morin ]

Changes from 1.2.2:

- New "make most-of-pom" feature for application of non-conflicting
	patches. This should be used instead of "make patch-o-matic" by most
	users.
	[ Harald Welte ]
- support for statically linking iptables, without need for .so plugins
	[ David McCullough ]
- support for multiple ranges in SAME target
	[ Martin Josefsson ]
- support for router alert options in ipv4options match
	[ Fabrice Marie ]
- modprobe() modules when doing iptables-restore
	[ Andries van Schie ]
- remove obsolete fragment matching code in IPv6
	[ Kis-Szabo Andras ]
- add support for dns hostnames to IPv6 code
	[ Kis-Szabo Andras ]
- New patch-o-matic patches:
	- New multiport (mport) match
		[ Andreas Ferber ]
	- New nth match for matching every n-th packet
		[ Fabrice Marie ]
	- New realm match for matching the routing realm
		[ Sampsa Ranta ]
	- New ctnetlink patch for manipulation of conntrack from userspace
		[ Jay Schulist ]
	- New REJECT Target for IPv6
		[ Harald Welte ]
	- New length match for IPv6
		[ Imran Patel ]
	- New multiport (mport) match for IPv6
		[ Andreas Ferber ]


iptables v1.2.1 Changelog
======================================================================
This version requires kernel 2.4.0 or above.

Bugs Fixed from 1.2:

- Missing quotes around log-prefix
	[ Bart Theunissen ]
- Bug in save function of string match
	[ Gianni Tedesco ]
- ip6tables.c string buffer size fixes
	[ Andras Kis-Szabo ]
- dependency problem with iptables-save / iptables-restore
	[ Harald Welte ]
- strtok problem with iptables-save / iptables-restore
	[ Harald Welte ]
- Problems with tcp/udp extension and multiple calls of do_command()
	[ Sven Koch ]
- Kernel bugfixes in patch-o-matic:
	- Updated rpc-record patch to work with 2.4.0
		[ Marc Boucher ]
	- New ftp-pasv patch for fixing PASV detection with some ftpd's
		[ Erik Hensema ]
	- Fix checksum calculation of TOS target
		[ Rusty Russell ]

Changes from 1.2:

- New `pending-patches' target
	[ Rusty Russell ]
- build all shared library extensions regardless of kernel tree
	[ Rusty Russell ]
- New counter-restore functions for iptables
	[ Harald Welte ]
- Added libiptc and libipulog to `devel' Makefile target
	[ Harald Welte ]
- Ported iptables-save/restore to IPv6
	[ Andras Kis-Szabo ]
- Updated ULOG target (now in-kernel accumulation [= higher performance])
	[ Harald Welte ]
- Added fxp support to ftp-multi patch
	[ Magnus Sandin ]
- Implemented Boyer Moore Sublinear search algorithm for string match
	[ Gianni Tedesco ]
- Fixed tcp-window-tracking incompatibility with NAT helpers
	[ Harald Welte ]
- New patch-o-matic patches:
	- New generic sequence number offset API for nat helpers
		[ Harald Welte ]
	- New psd (port-scan-detection) match
		[ Dennis Koslowski, Markus Henning ]
	- New NETLINK target for old ipchains -o behaviour
		[ Gianni Tedesco ]
	- New SAME target as a special case of SNAT
		[ Martin Josefsson ]
	- Ported LOG target to IPv6
		[ Jan Rekorajski ]
	- Ported owner, limit, mac and multiport match to IPv6
		[ Jan Rekorajski ]


iptables v1.2.2 Changelog
======================================================================
This version requires kernel 2.4.1 or above.
This version recommends kernel 2.4.4 or above.

Bugs Fixed from 1.2.1a:

- fixes for SAME Target
	[ Martin Josefsson ]
- fixes for iplimit match in combination with iptables-save/-restore
	[ Gerd Knorr ]
- fix for TCP match in combination with iptables-save/-restore
	[ Ian Lynagh ]
- iptables-restore now deals correctly with spaces in --log-prefix
	[ Harald Welte ]
- fix in 'isapplied' script. It used to give false negatives
	[ Harald Welte ]
- fix in BALANCE target, target now uses full ip address range
	[ Martin Josefsson ]
- fix for NETLINK target, was sending wrong interface name
	[ Gianni Tedesco ]
- fix for collision of ftp and irc NAT helpers
	[ Harald Welte ]
- ip6tables brought in sync with iptables
	[ Kis-Szabo Andras ]
- Kernel bugfixes in patch-o-matic:
	- Fix possible security vulnerability in ip_conntrack_ftp
		[ Cristiano Lincoln Mattos, James Morris and Rusty ]

Changes from 1.2.1a:

- libiptc should now be usable from C++ applications
	[ Fabrice MAURIE ]
- seqoffset-,ftp-security, ... patches are combined in 2.4.4.patch
	[ Rusty Russell ]
- lots of old pre-2.4.1 patches now combined in 2.4.1.patch
	[ Rusty Russell ]
- IRC conntrack + nat cleanup
	[ Harald Welte ]
- string match cleanup
	[ Gianni Tedesco ]
- ULOG cleanup, new version. Fixes 'unable to send nflink' bug
	[ Harald Welte ]
- New patch-o-matic patches:
	- New NETMAP Target for mapping whole networks 1:1 to other addresses
		[ Svenning Soerensen ]
	- New length Target for matching packet length
		[ James Morris ]
	- New ipv4options match for matching IPv4 header options
		[ Fabrice MARIE ]
	- New IPv6 agr match for matching IPv6 global aggregatable unicast
		addresses
		[ Andras Kis-Szabo ]
	- New pkttype match for matching link-layer multicast / broadcast
		packets
		[ Michal Ludvig ]
	- New time match for matching the packet's receive time
		[ Fabrice MARIE ]
	- New talk conntrack + NAT helper module
		[ Jozsef Kadlecsik ]


iptables v1.2 Changelog
======================================================================
This version requires 2.4.0-test9 or above.

Bugs Fixed from 1.1.2:

- Now default installs into /usr/local/sbin, not /usr/local/bin.
- Only does IPv6 compilation on libc6.
- More header fixes for weird header combos.
- ip6tables now refers to "icmpv6" protocol, not "icmp".
	[ Harald Welte ]
- IPPROTO_ESP and AH defined in iptables for primitive headers.
- iptables multiple-DNS resolve fixed
	[ Harald Welte, Rusty ]
- Kernel bugfixes in patch-o-matic:
	- IPv6 netfilter fixes
		[ Harald Welte ]
	- Masquerade with fwmark routing fix
	- Dynamic hashsize optimization (NAT) + `hashsize=' module parameter.
	- NAT overlap fix
	- PPC/Sparc mangle table fix.

Changes from 1.1.2:

- New `install-devel' target
	[ James Morris ]
- libipq now has man pages!
	[ James Morris ]
- iptables-save and iptables-restore added (with man pages!)
	[ Harald Welte ]
- iptables now inserts modules if CONFIG_KMOD or --modprobe
	[ Harald Welte, Rusty ]
- New `experimental' and `install-experimental' targets.
- `--reject-with=echo-reply' removed in anticipation of the removal of
	kernel support.
- ttl match enhancements (greater or less than tests)
	[ Harald Welte ]
- Reworked patch-o-matic interface, to force reading of help.
- patch-o-matic updated for new 2.4 Makefiles
	[ Daniel Stone, Harald Welte ]
- patch-o-matic now supports non-IPv4 netfilter patches
	[ Harald Welte ]
- New patch-o-matic patches:
	- eggdrop bot connection tracking
		[ Magnus Sandin ]
	- FTOS target for full ToS mangling.
		[ Matthew G. Marsh ]
	- BALANCE target for simple load-balancing.
	- iplimit match for limiting number of connections.
		[ Gerd Knorr ]
	- IPv6 MARK target
		[ Harald Welte ]
	- IPv6 mark match
		[ Harald Welte ]


iptables v1.1.2 Changelog
======================================================================
This version requires 2.4.0-test9 or above.

Bugs Fixed from 1.1.1:

- Adding rules on UltraSparc now works
- string_to_number now handles overflow
	[ Jan Echternach ]
- Bug when using ridiculous rule numbers fixed

Changes from 1.1.1:

- patch-o-matic system added:
	- TTL alteration and ttl matching support -- Harald Welte
	- AH/ESP matching support -- Yon Uriarte
	- DROPPED table support -- Rusty
	- ftp-multi patch for non-standard ftp servers -- Harald Welte
	- IRC connection tracking & NAT -- Harald Welte
	- pool match and POOL target -- Patrick
	- RPC recording patch -- Marcelo Barbosa Lima
	- SNMP NAT support -- James Morris
	- string match for looking in packet's data -- Emmanuel Roger
	- tcp-MSS target for altering MSS -- Marc Boucher
	- ULOG target for advanced logging -- Harald Welte
- Minor const cleanups
	[ Jan Echternach ]
- iptables.8 updates
	[ Harald Welte, Rusty ]
- Better warnings for non-existent matches/missing libraries
	[ Harald Welte ]
- Improved isapplied script
