Ana Rey (7):
      xtables-standalone: call nft_fini in the error path
      nft: fix memory leaks in nft_xtables_config_load
      iptables: nft: fix memory leaks in nft_fini
      extensions: libxt_devgroup: Fix the path of the group mappings file
      iptables-compat: homogenize error messages
      extensions: devgroup: fix showing and saving of dst-group
      iptables-compat: homogenize error messages with 'R' option

Andreas Herz (3):
      extension: libip6t_ipv6header: fix wrong headername in ipv6header for protocols
      extensions: icmp6: added missing icmpv6 dest-unreach codes
      added missing icmpv6 codes in REJECT

Anton Danilov (1):
      xtables: SET target: Add mapping of meta informations (skbinfo ipset extension)

Arturo Borrero (38):
      iptables-compat: kill add_*() invflags parameter
      nft-compat: create a separated object update type to rename chains
      nft-bridge: fix printing of inverted protocols, addresses
      nft-bridge: fix inversion of builtin matches
      iptables: xtables-eb: delete extra 'policy' printf
      iptables: xtables-eb: user-defined chains default policy is always RETURN
      iptables: xtables-eb: fix renaming of chains
      extensions: add ebt 802_3 extension
      ebtables-compat: fix counter listing
      ebtables-compat: fix printing of extension
      ebtables-compat: fix segfault in rules w/o target
      ebtables-compat: include /etc/ethertypes in tarball
      ebtables-compat: fix ACCEPT printing by simplifying logic
      include: cache copy of Linux header uapi/linux/netfilter_bridge/ebt_802_3.h
      ebtables-compat: add nft rule compat information to bridge rules
      ebtables-compat: prevent options overwrite
      ebtables-compat: prevent same matches to be included multiple times
      ebtables-compat: include rule counters in ebtables rules
      ebtables-compat: fix nft payload bases
      ebtables-compat: add 'ip' match extension
      ebtables-compat: add mark_m match extension
      extensions: cleanup commented code in ebtables-compat extensions
      libxtables: search first for AF-specific extension
      ebtables-compat: call extensions final checks
      ebtables-compat: finish target infrastructure
      ebtables-compat: add mark target extension
      ebtables-compat: add watchers support
      ebtables-compat: add log watcher extension
      arptables-compat: add mangle target extension
      libxt_quota: fix _save() invert syntax
      ebtables-compat: support nflog extension
      arptables-compat: add support for the CLASSIFY target
      arptables-compat: delete extra space in target printing
      ebtables-compat: add support for limit extension
      ebtables-compat: add a bridge-specific exit_error function
      ebtables-compat: fix rule deleting with -D in rules with no target
      list: fix prefetch dummy
      libxtables: find extensions based on family too

Arturo Borrero Gonzalez (1):
      ebtables-compat: fix misplaced function attribute on ebt_print_error()

Dan Wilder (1):
      libxtables: move some code to avoid cautions in vfork man page

Daniel Borkmann (4):
      iptables: snat: add randomize-full support
      iptables: add libxt_cgroup frontend
      cgroup, man: improve man-page bits
      libxt_CT: add support for recently introduced zone options

Domen Puncer (1):
      libxtables: fix getaddrinfo return value usage

Felix Janda (5):
      consistently use <errno.h>
      include: remove libc5 support code
      include: Sync with ethernetdb.h from ebtables
      include Use <stdint.h> types from xtables.h
      include: Sync with upstream kernel headers

Florian Westphal (15):
      Merge branch 'stable-1.4.20'
      iptables.8: --policy is either ACCEPT or DROP
      extensions: libxt_connlabel: do not open config file from _init hook
      man: string: document icase
      tests: split into family and table specific files
      tests: add test case for xt_recent regression
      extensions: remove MIRROR
      extensions: remove SAME target
      extensions: remove 'unclean' match
      extensions: add more test cases for iptables-test.py
      extensions: SNPT,DNPT: fix save/print output
      extensions/libxt_recent.t: add test case for 3.19 regression
      extensions: libip6t_dst: make inversion work
      tests: remove old test cases
      man: using physdev match in OUTPUT is not supported anymore

Giuseppe Longo (33):
      nft: fix leak of rule and chain iterators
      nft: fix leak of chain iterator in nft_rule_list
      xtables: allow to zero chains via -Z
      nft: break loop after found matching chain
      nft: print counter issues
      nft: fix another memleak in nft_rule_list_cb
      xtables: nft: display rule by number via -L
      nft: associate table configuration to handle via nft_init
      nft: fix family operation lookup
      nft: load only the tables of the current family
      nft: refactoring parse operations for more genericity
      xtables: bootstrap ARP compatibility layer for nftables
      xtables: nft-arp: implements is_same op for ARP family
      xtables: arp: add rule replacement support
      xtables: arp: add delete operation
      xtables: arp: zeroing chain counters
      nft: arp: initialize flags in nft_arp_parse_meta
      nft: arp: add parse_target to nft_family_ops_arp
      nft: arp: fix possible string overflow
      nft: adds save_matches_and_target
      nft-arp: adds nft_arp_save_firewall
      xtables-events: prints arp rules
      nft-arp: fix is_same_interfaces arguments
      nft-arp: wrong condition in parse_payload
      nft: replace nft_rule_attr_get_u8
      nft: save: fix the printing of the counters
      nft-arp: remove wrong conditions
      nft: compare layer 4 protocol in first place
      nft: add nft_xt_ctx struct
      nft: fix syntax error in nft_parse_cmp()
      nft-ipv46: replace offset var with ctx->payload.offset
      ebtables-compat: fix print_header
      ebtables-compat: build ebtables extensions

Gustavo Zacarias (1):
      iptables-save: remove dlfcn.h include

Harout Hedeshian (2):
      extensions: libxt_socket: add --restore-skmark option
      extensions: libxt_socket: update man pages and tests for --restore-skmark

Jan Engelhardt (3):
      iptables: link against libnetfilter_conntrack
      build: resolve build error involving libnftnl
      extensions: restore matching any SPI id by default

Jiri Popelka (9):
      iptables: fix version in iptables(8)
      update FSF address in license text
      iptables: missing bracket in iptables-save(8)
      iptables-restore.8: missing -T in synopsis
      iptables-restore.8: file to read from can be specified as argument
      iptables-{save,restore}: warn that -b/--binary isn't implemented
      iptables-save: actually parse -M/--modprobe option
      iptables: add optional [seconds] argument to -w
      libxt_tcp: manpage correction

Jozsef Kadlecsik (1):
      Alignment problem between 64bit kernel 32bit userspace

Loganaden Velvindron (1):
      extensions: libxt_TEE: Trim kernel struct to allow deletion

Mart Frauenlob (2):
      extensions: libxt_set: Add missing hyphen to --bytes-eq synopsis in manpage
      libxtables: Print meaningful error message for an invalid MAC address string

Martin Topholm (1):
      extensions: libxt_SYNPROXY: initial manual page

Mike Frysinger (4):
      configure: fix 3rd arg w/AC_ARG_ENABLE
      build: add finer module blacklisting
      libiptc: fix fortify errors in debug code
      iptables: update gitignore list

Nicolas Dichtel (1):
      iptables: fix compilation when lib[mnl|nftables] are not in standard path

Pablo Neira Ayuso (186):
      add iptables unit test infrastructure
      extensions: libipt_ah: add unit test
      extensions: libip6t_ah: add unit test
      extensions: libipt_LOG: add unit test
      extensions: libxt_addrtype: add unit test
      extensions: libip6t_LOG: add unit test
      extensions: libxt_cluster: add unit test
      extensions: libxt_comment: add unit test
      extensions: libxt_AUDIT: add unit test
      extensions: libxt_CHECKSUM: add unit test
      extensions: libxt_CLASSIFY: add unit test
      extensions: libxt_connbytes: add unit test
      extensions: libxt_connlimit: add unit test
      extensions: libxt_connmark: add unit test
      extensions: libxt_CONNMARK: add unit test
      extensions: libxt_hashlimit: add unit test
      extensions: libxt_time: add unit test
      extensions: libxt_length: add unit test
      extensions: libxt_udp: add unit test
      extensions: libxt_tcp: add unit test
      extensions: libxt_tos: add unit test
      extensions: libxt_NFLOG: add unit test
      extensions: libxt_dccp: add unit test
      extensions: libxt_esp: add unit test
      extensions: libxt_helper: add unit test
      extensions: libipt_icmp: add unit test
      extensions: libxt_NFQUEUE: add unit test
      extensions: libipt_ttl.t: add unit test
      extensions: libxt_pkttype: add unit test
      extensions: libxt_CT: add unit test
      extensions: libxt_state: add unit test
      extensions: libxt_string: add unit test
      extensions: libxt_rateest: add unit test
      extensions: libxt_nfacct: add unit test
      extensions: libxt_mark: add unit test
      extensions: libipt_REJECT: add unit test
      extensions: libxt_sctp: add unit test
      extensions: libxt_NOTRACK: add unit test
      extensions: libipt_MASQUERADE: add unit test
      extensions: libxt_standard: add unit test
      extensions: libipt_ECN: add unit test
      extensions: libxt_TRACE: add unit test
      extensions: libxt_TOS: add unit test
      extensions: libxt_DSCP: add unit test
      extensions: libip6t_eui64: add unit test
      extensions: libxt_limit: add unit test
      extensions: libxt_conntrack: add unit test
      extensions: libipt_ULOG: add unit test
      extensions: libxt_multiport: add unit test
      extensions: libip6t_REJECT: add unit test
      extensions: libxt_dscp: add unit test
      extensions: libxt_cpu: add unit test
      extensions: libxt_quota: add unit test
      extensions: libxt_iprange: add unit test
      extensions: libxt_physdev: add unit test
      extensions: libxt_TEE: add unit test
      extensions: libipt_SNAT: add unit test
      extensions: libip6t_DNAT: add unit test
      extensions: libxt_owner: add unit test
      extensions: libxt_MARK: add unit test
      build: don't include tests in released tarball
      use nf_tables and nf_tables compatibility interface
      automatic creation of built-in table and chains
      rework automatic creation of built-in table and chains
      iptables: nft: add -f support
      nft: fix missing rule listing in custom chains with -L
      headers: remove unused compatibility definitions
      iptables: nft: move priority to chain instead of table
      iptables: nft: remove __nft_check_rule
      iptables: nft: use 64-bits handle
      iptables: nft: use chain types
      xtables-restore: add support for dormant tables
      nft: adapt chain rename to recent Patrick's updates
      xtables: fix crash due to using wrong globals
      xtables-restore: fix custom user chain restoration
      xtables: fix compilation warning
      xtables: purge out user-define chains from the kernel
      xtables-restore: support atomic commit
      xtables: nft: add protocol and flags for xtables over nf_tables
      xtables-restore: support test option `-t'
      nft: fix crash if TRACE is used
      xtables: ipv6: fix wrong error if -p is used
      xtables: ipv6: add missing break in nft_parse_payload_ipv6
      xtables: ipv6: fix -D with -p
      add xtables-events
      xtables-restore: add -4 and -6 support
      xtables-save: add -4 and -6 support
      nft: remove license for header file
      xtables: fix missing xtables_exit_error definition
      xtables-standalone: fix error message
      xtables-config: priority has to be per-chain to support
      nft: load tables and chains based on /etc/xtables.conf
      xtables: support family in /etc/xtables.conf file
      xtables-config: fix off by one in parsed strings from /etc/xtables.conf
      xtables: fix missing protocol and invflags
      xtables-config-parser: fix compilation warning
      iptables: update .gitignore
      xtables: add new container xtables_args structure
      xtables: add new nft_ops->post_parse hook
      xtables: remove unused leftover definitions
      xtables: fix compilation due to missing autogenerated header
      nft: don't call nft_init in nft_xtables_config_load
      xtables-restore: output the same error message that iptables-restore uses
      xtables: fix -p protocol
      nft: fix leaks in nft_xtables_config_load
      xtables: remove bogus comment on chain rename
      xtables: nft: remove lots of useless debugging messages
      xtables: do not proceed if nft_init fails
      xtables: fix missing afinfo configuration
      xtables: nft: display rule number via -S
      xtables-events: print usage on wrong arguments
      xtables-events: fix missing newline in table and chain events
      nft: fix built-in chain ordering of the nat table
      src: use nft_*_list_add_tail
      nft: break chain listing if only one if looked for
      nft: fix selective chain display via -S
      xtables: add -I chain rulenum
      xtables: remove bogus comment regarding rule replacement
      nft: no need for rule lookup if no position specified via -I
      xtables: fix typo in add_entry for the IPv6 case
      nft: fix match revision lookup for IPv6
      etc: add default IPv6 table and chain definitions
      xtables: use xtables_rule_matches_free
      nft: fix wrong flags handling in print_firewall_details
      nft: use xtables_print_num
      nft: generalize rule addition family hook
      xtables: nft-arp: fix endianess in nft_arp_parse_payload
      nft: consolidate nft_rule_find for ARP, IPv4 and IPv6
      nft: consolidate nft_rule_new to support ARP
      nft: consolidate nft_rule_* functions to support ARP
      include: cache netfilter_arp kernel headers
      nft: adapt nft_rule_expr_get to use uint32_t instead of size_t
      xtables: batch rule-set updates into one single netlink message
      xtables: fix missing ipt_entry for MASQUERADE target
      nft: pass ipt_entry to ->save_firewall hook
      nft: fix bad length when comparing extension data area
      nft: fix interface wildcard matching
      xtables-events: fix compilation due change in libnftables
      nft: fix inversion of built-in selectors
      nft: fix out of bound memory copy
      nft: fix wrong function to release iterator
      nft: fix inconsistent data type in NFT_EXPR_CMP_OP and NFT_EXPR_META_KEY
      configure: fix wrong reference to the conntrack-tools
      configure: rename --disable-xtables to --disable-nftables
      configure: conditional dependencies for nftables-compat
      xtables-restore: remove dependency with libip4tc
      xtables: add xtables-compat-multi for the nftables compatibility layer
      nft-compat: fix IP6T_F_GOTO flag handling
      nft-compat: fix wrong protocol context in initialization
      Merge branch 'nft-compat'
      iptables.8: update coreteam members from manpage
      Merge branch 'next-3.14'
      iptables: nft: generalize batch infrastructure
      iptables: nft: remove unused code
      iptables: nft: add tables and chains to the batch
      Makefile: fix static compilation iptables-compat without shared libraries
      iptables-compat: fix address prefix
      iptables-compat: nft: use nft_batch_begin and nft_batch_end from libnftnl
      iptables-compat: fix use after free in the batch send path
      iptables-compat: get rid of error reporting via perror
      Merge branch 'tests'
      iptables-compat: nft: fix user chain addition, deletion and rename
      iptables-compat: nft: fix error reporting
      arptables-compat: fix missing error reporting
      arptables-compat: allow to not specify a target
      arptables-compat: get output in sync with arptables -L -n --line-numbers
      arptables-compat: remove save code
      refresh nf_tables.h cached copy
      iptables-compat: fix chain policy reset with iptables -L -n
      iptables-compat: statify unused built-in table/chain functions
      iptables-compat: assume chain policy NF_ACCEPT when creating built-in chains
      iptables-compat: fix empty chains after first invocation of iptables-compat -L
      Merge branch 'ipset'
      nft: bootstrap ebtables-compat
      ebtables-compat: use ebtables_command_state in bootstrap code
      iptables: use flock() instead of abstract unix sockets
      Merge branch 'ebtables-compat'
      xshared: calm down compilation warning
      xtables-compat: remove unused fields from bridge and arp families
      iptables-compat: unset context flags in netlink delinearize step
      Merge branch 'ipset-next'
      extensions: fix several test errors
      iptables-compat: use new symbols in libnftnl
      iptables-compat: Keep xtables-config and xtables-events out from tree
      iptables 1.6.0 release
      iptables: fix static builds

Phil Oester (1):
      iptables-xml: fix segfault if missing space after -A

Ronald Wahl (1):
      libxtables: fix two off-by-one memory corruption bugs

Thomas Woerner (2):
      iptables-compat: Allow to insert into rule_count+1 position
      iptables-compat: Increase rule number only for the selected table and chain

Tomasz Bursztyka (41):
      headers: Make nf_tables.h up to date
      nft: Add support for chain rename options (-E)
      iptables: nft: Fix -D chain rulenum option
      iptables: nft: Refactor __nft_rule_check to return rule handle when relevant
      iptables: nft: Add support for -R option
      xtables: add IPv6 support
      nft: Split nft core to become family independant
      xtables: initialize xtables defaults even on listing rules
      xtables: policy can be changed only on builtin chain
      nft: Set the rule family when creating a new one
      nft: Handle error on adding rule expressions
      xtables: Remove useless parameter to nft_chain_list_find
      nft: add function to test for a builtin chain
      nft: Fix small memory leaks
      xtables: Do not dump before command parsing has been finished
      nft: Remove useless function
      nft: Optimize rule listing when chain and rulenum are provided
      nft: Make internal rule listing callback more generic
      nft: Remove useless test on rulenum in nft_rule_list()
      nft: Generalize nft_rule_list() against current family
      nft: Print unknown target data only when relevant
      nft: convert rule into a command state structure
      xtables: allow to reset the counters of an existing rule
      nft: Fix a minor compilation warning
      nft: skip unset tables on table configuration emulation
      xtables: arp: Store target entry properly and compare them relevantly
      extensions: add arptables' libxt_mangle.c for xtables-arp
      extensions: libxt_mangle: Fixes option issues
      nft: Header inclusion missing
      xtables: arp: Parse properly target options
      nft: fix wrong target size
      xtables: arp: Fix a compilation warning
      xtables: arp: inhibit -l option so only a fixed 6 bytes length arhln can be used
      include: Update nftables API header in sync with kernel's one
      nft: Use new libnftnl library name against former libnftables
      xtables: Add backward compatibility with -w option
      nft: Add useful debug output when a builtin table is created
      nft: A builtin chain might be created when restoring
      nft: Initialize a table only once
      nft: Remove useless error message
      nft: Pass a line after printing out a debug message

Ville Skyttä (1):
      iptables: Spelling fixes

Willem de Bruijn (1):
      include: add linux/filter.h

fan.du (1):
      iptables: Add IPv4/6 IPcomp match support