Recent code updates for Capirca

Tony

Sep 20, 2010, 10:44:06 PM
to capirca-dev
Today the naming and iptables libraries have been updated to include
several new features as well as to fix some bugs that have been
found. The current revision is now 107. I will be building a new
download .tar.gz file to replace the current capirca-v93.tar.gz
download. There have been many improvements since R93, which you can
review here (http://code.google.com/p/capirca/source/list).

Thanks and appreciation to Evan Anderson (arg...@google.com) and Sean
Burford (sbur...@google.com) for their contributions and
improvements.

Below is a summary of the most recent updates.

R104: Lots of updates to iptables generator.
- add conntrack (stateful) filtering (now the default type of output)
  (wat...@google.com)
- add target option 'nostate' to specify generation of old-style stateless
  filters (wat...@google.com)
- add sanity checking of allowed keywords (arg...@google.com)
- permit arbitrary target filters rather than just INPUT/OUTPUT/FORWARD
  to allow for generation of chains that can be linked to from an existing
  policy (wat...@google.com)
- more sanity checking of various conditions to avoid unexpected results
  (various)
- add function to automatically handle chain names that are too long, so
  instead of erroring out, we now try to generate meaningful short-names
- abbreviation table should be expanded to meet your linguistic/naming usage
  (arg...@google.com)
- improved icmp handling (arg...@google.com)
- improve tcp flags handling (arg...@google.com)
- other cleanup, error handling, and minor fixits (various)

R105: update policy/sample.pol and minor tweaks to iptables
- minor updates to abbreviation_table conversions (wat...@google.com)
- target options update to sample.pol for iptables (wat...@google.com)

R106: Updates to naming library:
- adds checking to ensure network and service tokens
do not contain child tokens that are not defined themselves
(wat...@google.com)
- make GetService and friends raise an exception if the service
  requested isn't defined. This makes it more in line with what
  GetNetAddr and friends do.
  (wat...@google.com)
- Decide whether a service is an alias or not based on whether it
  is a properly formed PORT/PROTO pair (i.e. it contains a slash).
  Previous default assumed that malformed or misspelled services
  were PORT/PROTO pairs regardless of content.
  (sbur...@google.com)
- Accept hash in service comments (eg. "A = 10002/tcp # serial #2")
(sbur...@google.com)
- Change variable name "next" -> "next_item" since "next" is reserved.
(sbur...@google.com)

R107: Iptables bug introduced with previous commit.
- target.append and return in __str__ of class Iptables were indented one
  block too many; as a result, it would return too early with only the first
  header processed. (wat...@google.com)
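The R106 naming-library rules in the message above (an entry is a PORT/PROTO pair only if it contains a slash, child tokens must themselves be defined, a lookup of an undefined service raises, and '#' is accepted inside a service comment), worked through as a small stand-alone resolver. This is an added example and not Capirca's naming library or any code from this thread: parse_services, check_children and get_service are hypothetical names, the .svc layout (NAME = item ..., indented continuation lines) and the KNOWN_PROTOS list are assumptions, and SAMPLE_SVC is a constructed definitions file.

```python
"""Toy resolver for Capirca-style service definitions (added example).

Not Capirca's naming library: it re-implements in isolation the R106 rules
(an item is a PORT/PROTO pair only if it contains a slash, undefined child
tokens are rejected, looking up an undefined service raises, and '#' starts
a comment that may itself contain '#'). The file layout and KNOWN_PROTOS
are assumptions, not taken from the project.
"""
import re

# Assumed shape of a pair: a port or port range, a slash, a protocol name.
PORT_PROTO_RE = re.compile(r'^(\d+)(?:-(\d+))?/([a-z]+)$')
KNOWN_PROTOS = {'tcp', 'udp', 'sctp', 'icmp'}  # assumption


class UndefinedServiceError(KeyError):
    """A token refers to a service that is not defined."""


class MalformedServiceError(ValueError):
    """An item with a slash is not a valid PORT/PROTO pair, or aliases loop."""


def parse_services(text):
    """Parse 'NAME = item ...' (indented lines continue the token) into a dict.
    Everything after the first '#' is a comment, so '10002/tcp # serial #2'
    keeps only '10002/tcp'."""
    defs, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            if '=' not in line:
                raise MalformedServiceError('expected NAME = ...: %r' % raw)
            name, rhs = line.split('=', 1)
            current = name.strip()
            defs[current] = rhs.split()
        elif current is not None:
            defs[current].extend(line.split())
        else:
            raise MalformedServiceError('continuation before a token: %r' % raw)
    return defs


def is_port_proto(item):
    """R106 rule: only an item containing a slash is treated as a pair."""
    return '/' in item


def check_children(defs):
    """Reject definitions whose alias children are not themselves defined."""
    for name, items in defs.items():
        for item in items:
            if not is_port_proto(item) and item not in defs:
                raise UndefinedServiceError('%s uses undefined %s' % (name, item))
    return True


def get_service(defs, name, _path=()):
    """Resolve NAME to its PORT/PROTO leaves; raise on unknown tokens,
    malformed pairs (e.g. a misspelled protocol) or alias cycles."""
    if name not in defs:
        raise UndefinedServiceError(name)
    if name in _path:
        raise MalformedServiceError('cycle through %s' % name)
    leaves = []
    for item in defs[name]:
        if is_port_proto(item):
            m = PORT_PROTO_RE.match(item)
            if not m or m.group(3) not in KNOWN_PROTOS or int(m.group(1)) > 65535:
                raise MalformedServiceError('%s: bad PORT/PROTO %r' % (name, item))
            leaves.append(item)
        else:
            leaves.extend(get_service(defs, item, _path + (name,)))
    return leaves


def raises(exc_type, fn, *args):
    """True if fn(*args) raises exc_type; exercises the failure modes."""
    try:
        fn(*args)
    except exc_type:
        return True
    return False


# Constructed sample definitions, not taken from the project.
SAMPLE_SVC = """
# constructed sample .svc
HTTP = 80/tcp
HTTPS = 443/tcp
DNS = 53/tcp 53/udp
WEB = HTTP
      HTTPS
SERIAL = 10002/tcp # serial #2
"""
SAMPLE_DEFS = parse_services(SAMPLE_SVC)

if __name__ == '__main__':
    check_children(SAMPLE_DEFS)
    print(get_service(SAMPLE_DEFS, 'WEB'), get_service(SAMPLE_DEFS, 'SERIAL'))
    # 'HTPP' has no slash, so it is an alias that must be defined; '22/tpc'
    # has a slash, so it is a pair, and a malformed one.
    print(raises(UndefinedServiceError, check_children, parse_services('X = HTPP')),
          raises(MalformedServiceError, get_service, parse_services('Y = 22/tpc'), 'Y'))
```

The slash test is what makes the two misspellings fail differently: a misspelled alias ('HTPP') is caught by check_children before any policy is rendered, while a misspelled protocol ('22/tpc') is still classified as a pair and rejected when it is resolved. Running check_children over the whole definitions set before generating filters is the cheap place to catch the first kind.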