Commit b212e4e7 authored by Arturo Borrero Gonzalez

Merge https://github.com/aborrero/pkg-iptables



Conflicts:
 debian/control

I was pushing to the wrong repo :-(

Git-Dch: Ignore
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
parents 568f9d17 b59f8e65
iptables (1.6.0-1) unstable; urgency=medium
* [615f9fc] Imported Upstream version 1.6.0
* [7caa8f4] d/patches/0104-lintian_hyphens.patch: refresh patch
* [b1d1b79] d/patches/0301-install_iptables_apply.patch: refresh patch
* [a2adeaf] d/control: update build-deps
* [0c76237] d/control: Arturo is now Maintainer, Laurence is Uploader
* [c13773c] d/control: new iptables-nftables-compat binary package
* [05be2ad] d/control: Maintainer is now the alioth team
* [569bc44] d/: put arp and bridge modules in iptables-nftables-compat package
* [90738ae] d/copyright: refresh copyright file
* [57d17b1] iptables-nftables-compat: include compat tools (links)
* [4940e7a] d/control: recommends nftables in the iptables-nftables-compat package
* [7814c21] d/control: give more information in the description of iptables-nftables-compat
* [d41dd7d] d/control: bump libxtables10 to libxtables11
* [81bb804] d/control: the iptables-nftables-compat package depends on iptables
* [a5b4148] d/: wrap-and-sort
* [d0c6615] d/control: bump standars to 3.9.6
* [9ae565f] iptables-nftables-compat: link compat manpages to the originals
* [d0f191f] d/patches: refresh 0101-changelog.patch
* [ef507da] iptables-nftables-compat: link manpage also for xtables-compat-multi
* [453ee4c] d/control: add Vcs-Git and Vcs-Browser fields
-- Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Fri, 15 Jan 2016 13:23:10 +0100
iptables (1.4.21-2) unstable; urgency=medium
* correct _dhopts var to enable autoreconf. Closes: #744968
......
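Review bot: The 1.6.0-1 entry lists only packaging changes, while the upstream shortlog carried in this same commit (0101-changelog.patch) includes memory-safety fixes such as "libxtables: fix two off-by-one memory corruption bugs", "nft: fix out of bound memory copy" and "iptables-compat: fix use after free in the batch send path". Add a line to the entry noting that the new upstream release contains these fixes, so that someone reading only the Debian changelog can see them. Minor: "bump standars to 3.9.6" in [d0c6615] should read "standards".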
......@@ -2,16 +2,28 @@ Source: iptables
Section: net
Priority: important
Maintainer: iptables devel team <pkg-netfilter-devel@lists.alioth.debian.org>
Uploaders: Laurence J. Lane <ljlane@debian.org>, Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Build-Depends: debhelper (>= 9), autoconf, automake, libtool (>=2.2.6), libnfnetlink-dev, libnetfilter-conntrack-dev, libnetfilter-conntrack3, dh-autoreconf, libnftnl-dev, libmnl-dev, flex, bison
Standards-Version: 3.9.5
Uploaders: Laurence J. Lane <ljlane@debian.org>,
Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Build-Depends: autoconf,
automake,
bison,
debhelper (>= 9),
dh-autoreconf,
flex,
libmnl-dev,
libnetfilter-conntrack-dev,
libnetfilter-conntrack3,
libnfnetlink-dev,
libnftnl-dev,
libtool (>= 2.2.6)
Standards-Version: 3.9.6
Homepage: http://www.netfilter.org/
Vcs-Git: https://alioth.debian.org/anonscm/git/pkg-netfilter/pkg-netfilter.git
Vcs-Browser: https://alioth.debian.org/plugins/scmgit/cgi-bin/gitweb.cgi?p=pkg-netfilter/pkg-netfilter.git
Package: iptables
Architecture: linux-any
Depends: ${misc:Depends}, ${shlibs:Depends}, libxtables10 (=${binary:Version})
Depends: libxtables11 (=${binary:Version}), ${misc:Depends}, ${shlibs:Depends}
Description: administration tools for packet filtering and NAT
iptables is the userspace command line program used to configure
the Linux packet filtering ruleset. It is targeted towards system
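Review bot: In the rewrapped Build-Depends, libnetfilter-conntrack3 is a runtime library package listed next to libnetfilter-conntrack-dev. The -dev package should already pull in the shared library, so the explicit entry looks redundant and ties the build to one soname; consider dropping it while the field is being sorted anyway. Also, "libxtables11 (=${binary:Version})" keeps the unspaced relation, whereas this commit normalises "(<<1.4.2-2)" to "(<< 1.4.2-2)" in the iptables-dev stanza; use "(= ${binary:Version})" for consistency.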
......@@ -20,7 +32,7 @@ Description: administration tools for packet filtering and NAT
iptables package also includes ip6tables. ip6tables is used for
configuring the IPv6 packet filter
Package: libxtables10
Package: libxtables11
Architecture: linux-any
Depends: ${misc:Depends}, ${shlibs:Depends}
Replaces: iptables (<< 1.4.16.3-3)
......@@ -31,8 +43,8 @@ Description: netfilter xtables library
Package: iptables-dev
Architecture: linux-any
Priority: optional
Depends: ${misc:Depends}, iptables (=${binary:Version})
Conflicts: iptables (<<1.4.2-2)
Depends: iptables (=${binary:Version}), ${misc:Depends}
Conflicts: iptables (<< 1.4.2-2)
Breaks: linux-libc-dev (<< 3.5)
Section: devel
Description: iptables development files
......@@ -44,7 +56,21 @@ Description: iptables development files
Package: iptables-nftables-compat
Architecture: linux-any
Priority: optional
Depends: ${misc:Depends}, ${shlibs:Depends}, libxtables10 (=${binary:Version})
Depends: arptables,
ebtables,
iptables (=${binary:Version}),
libxtables11 (=${binary:Version}),
${misc:Depends},
${shlibs:Depends}
Recommends: nftables
Description: iptables compat tools for nftables
this package includes the compat tools to load iptables, ip6tables, arptables
and ebtables rules to the nf_tables kernel subsystem.
.
The tools are called: 'iptables-compat', 'iptables-compat-save',
'iptables-compat-restore', 'ip6tables-compat', 'ip6tables-compat-save',
'ip6tables-compat-restore', 'arptables-compat' and 'ebtables-compat'.
.
A basic way to understand this compat stuff is to load the ruleset
skeleton, i.e: a first call `iptables-compat -L'. Then, you can use nft,
i.e: `nft list ruleset'. Same for the other families.
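Review bot: The new Depends makes arptables and ebtables mandatory for iptables-nftables-compat, and the only use of them visible in this commit is the manpage links to arptables.8.gz and ebtables.8.gz. If that is the reason, say so in a comment above the field or in the changelog, because a reader would otherwise expect the compat package to stand in for the legacy tools rather than require them. In the long description, start the first sentence with a capital ("This package includes ...") and replace "i.e:" with "e.g." in both places, since an example is meant.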
......@@ -3,7 +3,7 @@ Upstream-Name: iptables
Upstream-Contact: Netfilter Developer List <netfilter@vger.kernel.org>
Source: http://ftp.netfilter.org/
Files: iptables/*.c
Files: *
Copyright: 2000-2002, the netfilter coreteam <coreteam@netfilter.org>
Paul 'Rusty' Russell <rusty@rustcorp.com.au>
Marc Boucher <marc+nf@mbsi.ca>
......@@ -12,6 +12,22 @@ Copyright: 2000-2002, the netfilter coreteam <coreteam@netfilter.org>
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
License: GPL-2
Files: extensions/libebt_802_3.c
Copyright: 2003 Chris Vitale <csv@bluetail.com>
License: GPL-2
Files: extensions/libebt_ip.c extensions/libebt_log.c extensions/libebt_mark*.c
Copyright: 2002 Bart De Schuymer <bdschuym@pandora.be>
License: GPL-2
Files: extensions/libebt_limit.c
Copyright: 2003 Tom Marshall <tommy@home.tig-grr.com>
License: GPL-2
Files: extensions/libebt_nflog.c
Copyright: 2008 Peter Warasin <peter@endian.com>
License: GPL-2
Files: extensions/libip6t_DNAT.c
Copyright: 2011, Patrick McHardy <kaber@trash.net>
License: GPL-2
......@@ -348,6 +364,28 @@ Files: iptables/iptables-xml.c
Copyright: 2006, Ufo Mechanic <azez@ufomechanic.net>
License: GPL-2
Files: iptables/nft.c
Copyright: 2012 Pablo Neira Ayuso <pablo@netfilter.org>
License: GPL-2+
Files: iptables/nft-arp.c
Copyright: 2013 Pablo Neira Ayuso <pablo@netfilter.org>
2013 Giuseppe Longo <giuseppelng@gmail.com>
License: GPL-2+
Files: iptables/nft-bridge.c
Copyright: 2014 Giuseppe Longo <giuseppelng@gmail.com>
License: GPL-2+
Files: iptables/nft-ipv4.c iptables/nft-ipv6.c iptables/nft-shared.c
Copyright: 2012-2013 Pablo Neira Ayuso <pablo@netfilter.org>
2013 Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
License: GPL-2+
Files: iptables/xtables-arp.c iptables/xtables-eb.c
Copyright: 2002 Bart De Schuymer <bdschuym@pandora.be>
License: GPL-2+
Files: libiptc/libip4tc.c
Copyright: 1999, Paul ``Rusty'' Russell
License: GPL-2
......@@ -378,7 +416,7 @@ License: GPL-2
Files: utils/pf.os
Copyright: 2000-2003, Michal Zalewski <lcamtuf@coredump.cx>
2003, Mike Frantzen <frantzen@w4g.org>
License:
License: custom
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
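Review bot: "License: custom" is not a descriptive short name, and the text that follows ("Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted ...") is the opening of the ISC licence. If the rest of the paragraph matches, use "License: ISC" so that licence checkers can classify utils/pf.os without reading the free-form text.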
......@@ -412,6 +450,23 @@ License: GPL-2
License version 2 can be found in the file
`/usr/share/common-licenses/GPL-2'.
License: GPL-2+
This package is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
.
This package is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>
.
On Debian systems, the complete text of the GNU General
Public License version 2 can be found in "/usr/share/common-licenses/GPL-2".
License: Artistic-2
The "Artistic License"
.
......
usr/include
usr/share/man/man3
include/linux/netfilter_ipv4/ip_queue.h usr/include/linux/netfilter_ipv4/
lib/lib*.so
lib/pkgconfig usr/lib
include/linux/netfilter_ipv4/ip_queue.h usr/include/linux/netfilter_ipv4/
usr/include
usr/share/man/man3
usr/sbin/xtables-compat-multi usr/sbin
usr/sbin/ebtables-compat usr/sbin
usr/sbin/arptables-compat usr/sbin
usr/sbin/iptables-compat usr/sbin
usr/sbin/iptables-compat-save usr/sbin
usr/sbin/iptables-compat-restore usr/sbin
usr/sbin/ip6tables-compat usr/sbin
usr/sbin/ip6tables-compat-save usr/sbin
usr/sbin/ip6tables-compat-restore usr/sbin
lib/xtables/libebt_*.so
lib/xtables/libarpt_*.so
lib/xtables/libebt_*.so
usr/sbin/*-compat* sbin
usr/sbin/xtables-compat-multi sbin
usr/share/man/man8/arptables.8.gz usr/share/man/man8/arptables-compat.8.gz
usr/share/man/man8/ebtables.8.gz usr/share/man/man8/ebtables-compat.8.gz
usr/share/man/man8/iptables-restore.8.gz usr/share/man/man8/ip6tables-compat-restore.8.gz
usr/share/man/man8/iptables-restore.8.gz usr/share/man/man8/iptables-compat-restore.8.gz
usr/share/man/man8/iptables-save.8.gz usr/share/man/man8/ip6tables-compat-save.8.gz
usr/share/man/man8/iptables-save.8.gz usr/share/man/man8/iptables-compat-save.8.gz
usr/share/man/man8/iptables.8.gz usr/share/man/man8/ip6tables-compat.8.gz
usr/share/man/man8/iptables.8.gz usr/share/man/man8/iptables-compat.8.gz
usr/share/man/man8/xtables-multi.8.gz usr/share/man/man8/xatbles-compat-multi.8.gz
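Review bot: The last link target is misspelled: "xatbles-compat-multi.8.gz" should be "xtables-compat-multi.8.gz". As written, the symlink is created under the wrong name and a lookup of the xtables-compat-multi manpage will not find it, although changelog entry [ef507da] says the link is for xtables-compat-multi.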
iptables/iptables-apply usr/sbin
iptables/iptables.xslt usr/share/iptables
lib/libip*.so.*
usr/sbin/xtables-multi sbin
lib/xtables/libip*.so
lib/xtables/libxt_*.so
usr/sbin/ip6tables sbin
usr/sbin/ip6tables-restore sbin
usr/sbin/ip6tables-save sbin
......@@ -7,9 +10,6 @@ usr/sbin/iptables sbin
usr/sbin/iptables-restore sbin
usr/sbin/iptables-save sbin
usr/sbin/nf* usr/sbin
lib/xtables/libip*.so
lib/xtables/libxt_*.so
iptables/iptables-apply usr/sbin
iptables/iptables.xslt usr/share/iptables
usr/share/man/man8
usr/sbin/xtables-multi sbin
usr/share/man/man1
usr/share/man/man8
/sbin/xtables-multi /usr/bin/iptables-xml
/usr/sbin/iptables-apply /usr/sbin/ip6tables-apply
/usr/share/man/man8/iptables-apply.8.gz /usr/share/man/man8/ip6tables-apply.8.gz
/sbin/xtables-multi /usr/bin/iptables-xml
iptables/*.8
debian/*.8
iptables/*.8
......@@ -5,7 +5,438 @@ Description: iptables source doesn't include a changelog.
--- /dev/null
+++ b/Changelog
@@ -0,0 +1,3505 @@
@@ -0,0 +1,3936 @@
+iptables v1.6.0 Changelog:
+======================================================================
+Changes from 1.4.21:
+
+Ana Rey (7):
+ xtables-standalone: call nft_fini in the error path
+ nft: fix memory leaks in nft_xtables_config_load
+ iptables: nft: fix memory leaks in nft_fini
+ extensions: libxt_devgroup: Fix the path of the group mappings file
+ iptables-compat: homogenize error messages
+ extensions: devgroup: fix showing and saving of dst-group
+ iptables-compat: homogenize error messages with 'R' option
+
+Andreas Herz (3):
+ extension: libip6t_ipv6header: fix wrong headername in ipv6header for protocols
+ extensions: icmp6: added missing icmpv6 dest-unreach codes
+ added missing icmpv6 codes in REJECT
+
+Anton Danilov (1):
+ xtables: SET target: Add mapping of meta informations (skbinfo ipset extension)
+
+Arturo Borrero (38):
+ iptables-compat: kill add_*() invflags parameter
+ nft-compat: create a separated object update type to rename chains
+ nft-bridge: fix printing of inverted protocols, addresses
+ nft-bridge: fix inversion of builtin matches
+ iptables: xtables-eb: delete extra 'policy' printf
+ iptables: xtables-eb: user-defined chains default policy is always RETURN
+ iptables: xtables-eb: fix renaming of chains
+ extensions: add ebt 802_3 extension
+ ebtables-compat: fix counter listing
+ ebtables-compat: fix printing of extension
+ ebtables-compat: fix segfault in rules w/o target
+ ebtables-compat: include /etc/ethertypes in tarball
+ ebtables-compat: fix ACCEPT printing by simplifying logic
+ include: cache copy of Linux header uapi/linux/netfilter_bridge/ebt_802_3.h
+ ebtables-compat: add nft rule compat information to bridge rules
+ ebtables-compat: prevent options overwrite
+ ebtables-compat: prevent same matches to be included multiple times
+ ebtables-compat: include rule counters in ebtables rules
+ ebtables-compat: fix nft payload bases
+ ebtables-compat: add 'ip' match extension
+ ebtables-compat: add mark_m match extension
+ extensions: cleanup commented code in ebtables-compat extensions
+ libxtables: search first for AF-specific extension
+ ebtables-compat: call extensions final checks
+ ebtables-compat: finish target infrastructure
+ ebtables-compat: add mark target extension
+ ebtables-compat: add watchers support
+ ebtables-compat: add log watcher extension
+ arptables-compat: add mangle target extension
+ libxt_quota: fix _save() invert syntax
+ ebtables-compat: support nflog extension
+ arptables-compat: add support for the CLASSIFY target
+ arptables-compat: delete extra space in target printing
+ ebtables-compat: add support for limit extension
+ ebtables-compat: add a bridge-specific exit_error function
+ ebtables-compat: fix rule deleting with -D in rules with no target
+ list: fix prefetch dummy
+ libxtables: find extensions based on family too
+
+Arturo Borrero Gonzalez (1):
+ ebtables-compat: fix misplaced function attribute on ebt_print_error()
+
+Dan Wilder (1):
+ libxtables: move some code to avoid cautions in vfork man page
+
+Daniel Borkmann (4):
+ iptables: snat: add randomize-full support
+ iptables: add libxt_cgroup frontend
+ cgroup, man: improve man-page bits
+ libxt_CT: add support for recently introduced zone options
+
+Domen Puncer (1):
+ libxtables: fix getaddrinfo return value usage
+
+Felix Janda (5):
+ consistently use <errno.h>
+ include: remove libc5 support code
+ include: Sync with ethernetdb.h from ebtables
+ include Use <stdint.h> types from xtables.h
+ include: Sync with upstream kernel headers
+
+Florian Westphal (15):
+ Merge branch 'stable-1.4.20'
+ iptables.8: --policy is either ACCEPT or DROP
+ extensions: libxt_connlabel: do not open config file from _init hook
+ man: string: document icase
+ tests: split into family and table specific files
+ tests: add test case for xt_recent regression
+ extensions: remove MIRROR
+ extensions: remove SAME target
+ extensions: remove 'unclean' match
+ extensions: add more test cases for iptables-test.py
+ extensions: SNPT,DNPT: fix save/print output
+ extensions/libxt_recent.t: add test case for 3.19 regression
+ extensions: libip6t_dst: make inversion work
+ tests: remove old test cases
+ man: using physdev match in OUTPUT is not supported anymore
+
+Giuseppe Longo (33):
+ nft: fix leak of rule and chain iterators
+ nft: fix leak of chain iterator in nft_rule_list
+ xtables: allow to zero chains via -Z
+ nft: break loop after found matching chain
+ nft: print counter issues
+ nft: fix another memleak in nft_rule_list_cb
+ xtables: nft: display rule by number via -L
+ nft: associate table configuration to handle via nft_init
+ nft: fix family operation lookup
+ nft: load only the tables of the current family
+ nft: refactoring parse operations for more genericity
+ xtables: bootstrap ARP compatibility layer for nftables
+ xtables: nft-arp: implements is_same op for ARP family
+ xtables: arp: add rule replacement support
+ xtables: arp: add delete operation
+ xtables: arp: zeroing chain counters
+ nft: arp: initialize flags in nft_arp_parse_meta
+ nft: arp: add parse_target to nft_family_ops_arp
+ nft: arp: fix possible string overflow
+ nft: adds save_matches_and_target
+ nft-arp: adds nft_arp_save_firewall
+ xtables-events: prints arp rules
+ nft-arp: fix is_same_interfaces arguments
+ nft-arp: wrong condition in parse_payload
+ nft: replace nft_rule_attr_get_u8
+ nft: save: fix the printing of the counters
+ nft-arp: remove wrong conditions
+ nft: compare layer 4 protocol in first place
+ nft: add nft_xt_ctx struct
+ nft: fix syntax error in nft_parse_cmp()
+ nft-ipv46: replace offset var with ctx->payload.offset
+ ebtables-compat: fix print_header
+ ebtables-compat: build ebtables extensions
+
+Gustavo Zacarias (1):
+ iptables-save: remove dlfcn.h include
+
+Harout Hedeshian (2):
+ extensions: libxt_socket: add --restore-skmark option
+ extensions: libxt_socket: update man pages and tests for --restore-skmark
+
+Jan Engelhardt (3):
+ iptables: link against libnetfilter_conntrack
+ build: resolve build error involving libnftnl
+ extensions: restore matching any SPI id by default
+
+Jiri Popelka (9):
+ iptables: fix version in iptables(8)
+ update FSF address in license text
+ iptables: missing bracket in iptables-save(8)
+ iptables-restore.8: missing -T in synopsis
+ iptables-restore.8: file to read from can be specified as argument
+ iptables-{save,restore}: warn that -b/--binary isn't implemented
+ iptables-save: actually parse -M/--modprobe option
+ iptables: add optional [seconds] argument to -w
+ libxt_tcp: manpage correction
+
+Jozsef Kadlecsik (1):
+ Alignment problem between 64bit kernel 32bit userspace
+
+Loganaden Velvindron (1):
+ extensions: libxt_TEE: Trim kernel struct to allow deletion
+
+Mart Frauenlob (2):
+ extensions: libxt_set: Add missing hyphen to --bytes-eq synopsis in manpage
+ libxtables: Print meaningful error message for an invalid MAC address string
+
+Martin Topholm (1):
+ extensions: libxt_SYNPROXY: initial manual page
+
+Mike Frysinger (4):
+ configure: fix 3rd arg w/AC_ARG_ENABLE
+ build: add finer module blacklisting
+ libiptc: fix fortify errors in debug code
+ iptables: update gitignore list
+
+Nicolas Dichtel (1):
+ iptables: fix compilation when lib[mnl|nftables] are not in standard path
+
+Pablo Neira Ayuso (186):
+ add iptables unit test infrastructure
+ extensions: libipt_ah: add unit test
+ extensions: libip6t_ah: add unit test
+ extensions: libipt_LOG: add unit test
+ extensions: libxt_addrtype: add unit test
+ extensions: libip6t_LOG: add unit test
+ extensions: libxt_cluster: add unit test
+ extensions: libxt_comment: add unit test
+ extensions: libxt_AUDIT: add unit test
+ extensions: libxt_CHECKSUM: add unit test
+ extensions: libxt_CLASSIFY: add unit test
+ extensions: libxt_connbytes: add unit test
+ extensions: libxt_connlimit: add unit test
+ extensions: libxt_connmark: add unit test
+ extensions: libxt_CONNMARK: add unit test
+ extensions: libxt_hashlimit: add unit test
+ extensions: libxt_time: add unit test
+ extensions: libxt_length: add unit test
+ extensions: libxt_udp: add unit test
+ extensions: libxt_tcp: add unit test
+ extensions: libxt_tos: add unit test
+ extensions: libxt_NFLOG: add unit test
+ extensions: libxt_dccp: add unit test
+ extensions: libxt_esp: add unit test
+ extensions: libxt_helper: add unit test
+ extensions: libipt_icmp: add unit test
+ extensions: libxt_NFQUEUE: add unit test
+ extensions: libipt_ttl.t: add unit test
+ extensions: libxt_pkttype: add unit test
+ extensions: libxt_CT: add unit test
+ extensions: libxt_state: add unit test
+ extensions: libxt_string: add unit test
+ extensions: libxt_rateest: add unit test
+ extensions: libxt_nfacct: add unit test
+ extensions: libxt_mark: add unit test
+ extensions: libipt_REJECT: add unit test
+ extensions: libxt_sctp: add unit test
+ extensions: libxt_NOTRACK: add unit test
+ extensions: libipt_MASQUERADE: add unit test
+ extensions: libxt_standard: add unit test
+ extensions: libipt_ECN: add unit test
+ extensions: libxt_TRACE: add unit test
+ extensions: libxt_TOS: add unit test
+ extensions: libxt_DSCP: add unit test
+ extensions: libip6t_eui64: add unit test
+ extensions: libxt_limit: add unit test
+ extensions: libxt_conntrack: add unit test
+ extensions: libipt_ULOG: add unit test
+ extensions: libxt_multiport: add unit test
+ extensions: libip6t_REJECT: add unit test
+ extensions: libxt_dscp: add unit test
+ extensions: libxt_cpu: add unit test
+ extensions: libxt_quota: add unit test
+ extensions: libxt_iprange: add unit test
+ extensions: libxt_physdev: add unit test
+ extensions: libxt_TEE: add unit test
+ extensions: libipt_SNAT: add unit test
+ extensions: libip6t_DNAT: add unit test
+ extensions: libxt_owner: add unit test
+ extensions: libxt_MARK: add unit test
+ build: don't include tests in released tarball
+ use nf_tables and nf_tables compatibility interface
+ automatic creation of built-in table and chains
+ rework automatic creation of built-in table and chains
+ iptables: nft: add -f support
+ nft: fix missing rule listing in custom chains with -L
+ headers: remove unused compatibility definitions
+ iptables: nft: move priority to chain instead of table
+ iptables: nft: remove __nft_check_rule
+ iptables: nft: use 64-bits handle
+ iptables: nft: use chain types
+ xtables-restore: add support for dormant tables
+ nft: adapt chain rename to recent Patrick's updates
+ xtables: fix crash due to using wrong globals
+ xtables-restore: fix custom user chain restoration
+ xtables: fix compilation warning
+ xtables: purge out user-define chains from the kernel
+ xtables-restore: support atomic commit
+ xtables: nft: add protocol and flags for xtables over nf_tables
+ xtables-restore: support test option `-t'
+ nft: fix crash if TRACE is used
+ xtables: ipv6: fix wrong error if -p is used
+ xtables: ipv6: add missing break in nft_parse_payload_ipv6
+ xtables: ipv6: fix -D with -p
+ add xtables-events
+ xtables-restore: add -4 and -6 support
+ xtables-save: add -4 and -6 support
+ nft: remove license for header file
+ xtables: fix missing xtables_exit_error definition
+ xtables-standalone: fix error message
+ xtables-config: priority has to be per-chain to support
+ nft: load tables and chains based on /etc/xtables.conf
+ xtables: support family in /etc/xtables.conf file
+ xtables-config: fix off by one in parsed strings from /etc/xtables.conf
+ xtables: fix missing protocol and invflags
+ xtables-config-parser: fix compilation warning
+ iptables: update .gitignore
+ xtables: add new container xtables_args structure
+ xtables: add new nft_ops->post_parse hook
+ xtables: remove unused leftover definitions
+ xtables: fix compilation due to missing autogenerated header
+ nft: don't call nft_init in nft_xtables_config_load
+ xtables-restore: output the same error message that iptables-restore uses
+ xtables: fix -p protocol
+ nft: fix leaks in nft_xtables_config_load
+ xtables: remove bogus comment on chain rename
+ xtables: nft: remove lots of useless debugging messages
+ xtables: do not proceed if nft_init fails
+ xtables: fix missing afinfo configuration
+ xtables: nft: display rule number via -S
+ xtables-events: print usage on wrong arguments
+ xtables-events: fix missing newline in table and chain events
+ nft: fix built-in chain ordering of the nat table
+ src: use nft_*_list_add_tail
+ nft: break chain listing if only one if looked for
+ nft: fix selective chain display via -S
+ xtables: add -I chain rulenum
+ xtables: remove bogus comment regarding rule replacement
+ nft: no need for rule lookup if no position specified via -I
+ xtables: fix typo in add_entry for the IPv6 case
+ nft: fix match revision lookup for IPv6
+ etc: add default IPv6 table and chain definitions
+ xtables: use xtables_rule_matches_free
+ nft: fix wrong flags handling in print_firewall_details
+ nft: use xtables_print_num
+ nft: generalize rule addition family hook
+ xtables: nft-arp: fix endianess in nft_arp_parse_payload
+ nft: consolidate nft_rule_find for ARP, IPv4 and IPv6
+ nft: consolidate nft_rule_new to support ARP
+ nft: consolidate nft_rule_* functions to support ARP
+ include: cache netfilter_arp kernel headers
+ nft: adapt nft_rule_expr_get to use uint32_t instead of size_t
+ xtables: batch rule-set updates into one single netlink message
+ xtables: fix missing ipt_entry for MASQUERADE target
+ nft: pass ipt_entry to ->save_firewall hook
+ nft: fix bad length when comparing extension data area
+ nft: fix interface wildcard matching
+ xtables-events: fix compilation due change in libnftables
+ nft: fix inversion of built-in selectors
+ nft: fix out of bound memory copy
+ nft: fix wrong function to release iterator
+ nft: fix inconsistent data type in NFT_EXPR_CMP_OP and NFT_EXPR_META_KEY
+ configure: fix wrong reference to the conntrack-tools
+ configure: rename --disable-xtables to --disable-nftables
+ configure: conditional dependencies for nftables-compat
+ xtables-restore: remove dependency with libip4tc
+ xtables: add xtables-compat-multi for the nftables compatibility layer
+ nft-compat: fix IP6T_F_GOTO flag handling
+ nft-compat: fix wrong protocol context in initialization
+ Merge branch 'nft-compat'
+ iptables.8: update coreteam members from manpage
+ Merge branch 'next-3.14'
+ iptables: nft: generalize batch infrastructure
+ iptables: nft: remove unused code
+ iptables: nft: add tables and chains to the batch
+ Makefile: fix static compilation iptables-compat without shared libraries
+ iptables-compat: fix address prefix
+ iptables-compat: nft: use nft_batch_begin and nft_batch_end from libnftnl
+ iptables-compat: fix use after free in the batch send path
+ iptables-compat: get rid of error reporting via perror
+ Merge branch 'tests'
+ iptables-compat: nft: fix user chain addition, deletion and rename
+ iptables-compat: nft: fix error reporting
+ arptables-compat: fix missing error reporting
+ arptables-compat: allow to not specify a target
+ arptables-compat: get output in sync with arptables -L -n --line-numbers
+ arptables-compat: remove save code
+ refresh nf_tables.h cached copy
+ iptables-compat: fix chain policy reset with iptables -L -n
+ iptables-compat: statify unused built-in table/chain functions
+ iptables-compat: assume chain policy NF_ACCEPT when creating built-in chains
+ iptables-compat: fix empty chains after first invocation of iptables-compat -L
+ Merge branch 'ipset'
+ nft: bootstrap ebtables-compat
+ ebtables-compat: use ebtables_command_state in bootstrap code
+ iptables: use flock() instead of abstract unix sockets
+ Merge branch 'ebtables-compat'
+ xshared: calm down compilation warning
+ xtables-compat: remove unused fields from bridge and arp families
+ iptables-compat: unset context flags in netlink delinearize step
+ Merge branch 'ipset-next'
+ extensions: fix several test errors
+ iptables-compat: use new symbols in libnftnl
+ iptables-compat: Keep xtables-config and xtables-events out from tree
+ iptables 1.6.0 release
+ iptables: fix static builds
+
+Phil Oester (1):
+ iptables-xml: fix segfault if missing space after -A
+
+Ronald Wahl (1):
+ libxtables: fix two off-by-one memory corruption bugs
+
+Thomas Woerner (2):
+ iptables-compat: Allow to insert into rule_count+1 position
+ iptables-compat: Increase rule number only for the selected table and chain
+
+Tomasz Bursztyka (41):
+ headers: Make nf_tables.h up to date
+ nft: Add support for chain rename options (-E)
+ iptables: nft: Fix -D chain rulenum option
+ iptables: nft: Refactor __nft_rule_check to return rule handle when relevant
+ iptables: nft: Add support for -R option
+ xtables: add IPv6 support
+ nft: Split nft core to become family independant
+ xtables: initialize xtables defaults even on listing rules
+ xtables: policy can be changed only on builtin chain
+ nft: Set the rule family when creating a new one
+ nft: Handle error on adding rule expressions
+ xtables: Remove useless parameter to nft_chain_list_find
+ nft: add function to test for a builtin chain
+ nft: Fix small memory leaks
+ xtables: Do not dump before command parsing has been finished
+ nft: Remove useless function
+ nft: Optimize rule listing when chain and rulenum are provided
+ nft: Make internal rule listing callback more generic
+ nft: Remove useless test on rulenum in nft_rule_list()
+ nft: Generalize nft_rule_list() against current family
+ nft: Print unknown target data only when relevant
+ nft: convert rule into a command state structure
+ xtables: allow to reset the counters of an existing rule
+ nft: Fix a minor compilation warning
+ nft: skip unset tables on table configuration emulation
+ xtables: arp: Store target entry properly and compare them relevantly
+ extensions: add arptables' libxt_mangle.c for xtables-arp
+ extensions: libxt_mangle: Fixes option issues
+ nft: Header inclusion missing
+ xtables: arp: Parse properly target options
+ nft: fix wrong target size
+ xtables: arp: Fix a compilation warning
+ xtables: arp: inhibit -l option so only a fixed 6 bytes length arhln can be used
+ include: Update nftables API header in sync with kernel's one
+ nft: Use new libnftnl library name against former libnftables
+ xtables: Add backward compatibility with -w option
+ nft: Add useful debug output when a builtin table is created
+ nft: A builtin chain might be created when restoring
+ nft: Initialize a table only once
+ nft: Remove useless error message
+ nft: Pass a line after printing out a debug message
+
+Ville Skyttä (1):
+ iptables: Spelling fixes
+
+Willem de Bruijn (1):
+ include: add linux/filter.h
+
+fan.du (1):
+ iptables: Add IPv4/6 IPcomp match support
+
+
+iptables v1.4.21 Changelog:
+======================================================================
+Changes from 1.4.20:
......