The Netfilter project proudly presents:

        nftables 0.9.9

This release contains fixes, documentation updates and new features
available up to the Linux kernel 5.13-rc1 release. Highlights:

* Flowtable hardware offload support [1]: add a new 'offload' flag that
  turns on the flowtable hardware fastpath.

    table ip global {
            flowtable f {
                    hook ingress priority filter + 1
                    devices = { lan3, lan0, wan }
                    flags offload
            }

            chain forward {
                    type filter hook forward priority filter; policy accept;
                    ip protocol { tcp, udp } flow add @f
            }

            chain post {
                    type nat hook postrouting priority filter; policy accept;
                    oifname "wan" masquerade
            }
    }

  [1] https://www.kernel.org/doc/html/latest/networking/nf_flowtable.html

* Support for the table owner flag. This new flag lets a process own a
  table exclusively. The owner process name is shown as a comment. The
  table is removed either by the owner process (explicit removal) or
  when the owner process terminates.

    table ip x { # progname nft
            flags owner

            chain y {
                    type filter hook input priority filter; policy accept;
                    counter packets 1 bytes 309
            }
    }

  The example above shows a ruleset that is owned by nft running in
  interactive mode, i.e. nft -i

* 802.1ad (QinQ) support:

  - Check that the outer ethertype is 8021ad and the outer vlan id is 321
  ... ether type 8021ad vlan id 342

  - Check that the outer ethertype is 8021ad with vlan id 1, the inner
    ethertype is 8021q with vlan id 2, and finally that this QinQ frame
    encapsulates an IP packet.

  ... ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip counter
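  To make concrete what the two QinQ rules above inspect, here is an added
  Python example (not part of the nftables project or of this announcement)
  that walks the 802.1ad/802.1Q tag stack of a constructed Ethernet frame and
  applies the same outer/inner checks in plain code. The frame bytes, MAC
  addresses and helper names are constructed for the example; the TPID
  values 0x88a8 (8021ad), 0x8100 (8021q) and 0x0800 (ip) are the standard
  ethertypes nft resolves those mnemonics to.

```python
import struct

# Standard ethertypes: 0x88a8 is IEEE 802.1ad (nft mnemonic "8021ad"),
# 0x8100 is IEEE 802.1Q (nft mnemonic "8021q"), 0x0800 is IPv4 ("ip").
ETH_P_8021AD = 0x88A8
ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800


def build_frame(tags, payload_type, payload=b"\x45" + b"\x00" * 19):
    """Constructed helper: build an Ethernet frame carrying the given VLAN
    tag stack. Each tag is (tpid, vid, pcp); the MAC addresses are made up."""
    frame = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    for tpid, vid, pcp in tags:
        tci = (pcp << 13) | (vid & 0x0FFF)  # PCP in the top 3 bits, VID in the low 12
        frame += struct.pack("!HH", tpid, tci)
    return frame + struct.pack("!H", payload_type) + payload


def parse_vlan_stack(frame):
    """Walk the tag stack that follows the MAC addresses.

    Returns ([(tpid, vid), ...] outermost first, ethertype of the payload)."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    offset = 14
    tags = []
    while ethertype in (ETH_P_8021AD, ETH_P_8021Q):
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        tci, next_type = struct.unpack_from("!HH", frame, offset)
        tags.append((ethertype, tci & 0x0FFF))  # drop PCP/DEI, keep only the VID
        ethertype = next_type
        offset += 4
    return tags, ethertype


def matches_outer_8021ad(frame, vid):
    """Same check as the rule: ether type 8021ad vlan id <vid>"""
    tags, _ = parse_vlan_stack(frame)
    return bool(tags) and tags[0] == (ETH_P_8021AD, vid)


def matches_qinq_ip(frame, outer_vid, inner_vid):
    """Same check as the rule:
    ether type 8021ad vlan id <outer> vlan type 8021q vlan id <inner> vlan type ip"""
    tags, payload_type = parse_vlan_stack(frame)
    return (len(tags) == 2
            and tags[0] == (ETH_P_8021AD, outer_vid)
            and tags[1] == (ETH_P_8021Q, inner_vid)
            and payload_type == ETH_P_IP)


if __name__ == "__main__":
    # Inner tag carries PCP 5 to show that the priority bits do not disturb the VID.
    qinq = build_frame([(ETH_P_8021AD, 1, 0), (ETH_P_8021Q, 2, 5)], ETH_P_IP)
    print(parse_vlan_stack(qinq))
    print(matches_qinq_ip(qinq, 1, 2), matches_qinq_ip(qinq, 1, 3))
```

  A frame whose outermost tag is 8021q, or whose inner payload is not IPv4,
  fails matches_qinq_ip just as it would fail the nft rule, and a frame cut
  off inside a tag raises instead of silently matching.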

* cgroupsv2 support.

  - Check that the socket's cgroupv2 ancestor at level 1 is "system.slice"
  ... socket cgroupv2 level 1 "system.slice"

* Match on SCTP packet chunks (kernel support arrives in the upcoming 5.14 release)

  - match if a chunk of type 'data' exists
  ... sctp chunk data exists
  - match on the 'type' field of a chunk of type 'data'
  ... sctp chunk data type 0

* 2x speed-up of ruleset loading time (via -f).
* Faster printing of the ruleset listing.

* Shortcut to check for set/unset bits in flags.

  - Check that snat and dnat ct status bits are unset.
  ... ct status ! snat,dnat

  - Check that, within the syn,ack mask, the syn bit is set (and ack is not)
  ... tcp flags syn / syn,ack

  - Check that the fin and rst bits are not set in the syn,ack,fin,rst bitmask
  ... tcp flags != fin,rst / syn,ack,fin,rst
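  The three shortcut forms above abbreviate the long-hand bitwise test
  nft has always supported, `flags & mask == value` (for instance
  `tcp flags & (syn|ack) == syn`). The added Python example below is not
  nftables code; it evaluates each shortcut string against sample TCP flag
  bytes and conntrack status words so the semantics can be checked offline.
  The TCP flag bit values are the standard header bits; the ct status bits
  are assumed to follow the kernel's IPS_* definitions (snat = 1<<4,
  dnat = 1<<5 and so on). Function names and sample values are constructed.

```python
# TCP flag byte bits (standard header layout) and conntrack status bits
# (assumed from the kernel's IPS_* definitions) keyed by the nft keywords.
TCP_FLAGS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08,
             "ack": 0x10, "urg": 0x20, "ecn": 0x40, "cwr": 0x80}
CT_STATUS = {"expected": 1 << 0, "seen-reply": 1 << 1, "assured": 1 << 2,
             "confirmed": 1 << 3, "snat": 1 << 4, "dnat": 1 << 5,
             "dying": 1 << 9}


def bitmask(names, table):
    """'syn,ack' -> syn|ack, resolving each keyword through the given table."""
    value = 0
    for name in names.split(","):
        value |= table[name.strip()]
    return value


def evaluate_shortcut(flags, expr, table):
    """Evaluate one of the 0.9.9 shortcut forms against an integer bitmask.

      '! a,b'        ->  flags & (a|b) == 0   (all listed bits clear)
      'a / b,c'      ->  flags & (b|c) == a
      '== a / b,c'   ->  same as the previous form
      '!= a / b,c'   ->  flags & (b|c) != a
    """
    expr = expr.strip()
    if expr.startswith("!=") or expr.startswith("=="):
        negate = expr.startswith("!=")
        expr = expr[2:].strip()
    elif expr.startswith("!"):
        # "unset" form: every listed bit must be clear
        return flags & bitmask(expr[1:], table) == 0
    else:
        negate = False
    if "/" not in expr:
        raise ValueError("expected 'value / mask' or '! a,b' form: %r" % expr)
    value_s, mask_s = expr.split("/", 1)
    value = bitmask(value_s, table)
    mask = bitmask(mask_s, table)
    if value & ~mask:
        # A value bit outside the mask can never survive the AND, so the
        # rule would never match; reject it rather than silently never fire.
        raise ValueError("value names bits outside the mask: %r" % expr)
    matched = (flags & mask) == value
    return not matched if negate else matched


def tcp_flags_match(flags, expr):
    return evaluate_shortcut(flags, expr, TCP_FLAGS)


def ct_status_match(status, expr):
    return evaluate_shortcut(status, expr, CT_STATUS)


if __name__ == "__main__":
    # Constructed sample flag bytes: pure SYN, SYN+ACK, ACK, FIN+RST, SYN+PSH.
    for flags in (0x02, 0x12, 0x10, 0x05, 0x0A):
        print("tcp flags 0x%02x:" % flags,
              "syn/syn,ack =", tcp_flags_match(flags, "syn / syn,ack"),
              "| != fin,rst/syn,ack,fin,rst =",
              tcp_flags_match(flags, "!= fin,rst / syn,ack,fin,rst"))
    for status in (0, CT_STATUS["confirmed"] | CT_STATUS["snat"]):
        print("ct status 0x%x: ! snat,dnat =", ct_status_match(status, "! snat,dnat"))
```

  Note that bits outside the mask are ignored: a SYN+PSH segment still
  satisfies `syn / syn,ack`, while SYN+ACK does not because ack is inside
  the mask but absent from the value.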

* Allow the use of verdict in set/map typeof definitions

  add map x m { typeof iifname . ip protocol . th dport : verdict ;}

You can download this new release from:

To build the code, libnftnl >= 1.2.0 and libmnl >= 1.0.4 are required:

* https://netfilter.org/projects/libnftnl/index.html
* https://netfilter.org/projects/libmnl/index.html

Visit our wikipage for user documentation at:

* https://wiki.nftables.org

For the manpage reference, check nft(8).

In case of bugs and feature requests, file them via:

* https://bugzilla.netfilter.org

Happy firewalling.

Dominick Grift (1):
      files: improve secmark.nft example

Eric Garver (1):
      json: init parser state for every new buffer/file

Florian Westphal (54):
      json: fix icmpv6.t test cases
      json: limit: set default burst to 5
      json: ct: add missing rule
      json: icmp: refresh json output
      json: icmp: move expected parts to json.output
      json: ct: add missing test input
      exthdr: remove tcp dependency for tcp option matching
      src: evaluate: reset context maxlen value before prio evaluation
      tests: add icmp/6 test where dependency should be left alone
      payload: check icmp dependency before removing previous icmp expression
      testcases: move two dump files to correct location
      tests: add empty dynamic set
      evaluate: do not crash if dynamic set has no statements
      trace: do not remove icmp type from packet dump
      tests: extend dtype test case to cover expression with integer type
      evaluate: pick data element byte order, not dtype one
      evaluate: set evaluation context for set elements
      src: allow use of 'verdict' in typeof definitions
      parser: re-enable support for concatentation on map RHS
      parser: squash duplicated spec/specid rules
      parser: compact map RHS type
      parser: compact ct obj list types
      scanner: remove unused tokens
      scanner: introduce start condition stack
      scanner: queue: move to own scope
      scanner: ipsec: move to own scope
      scanner: rt: move to own scope
      scanner: socket: move to own scope
      scanner: ct: move to own scope
      scanner: ip: move to own scope
      scanner: ip6: move to own scope
      scanner: add fib scope
      scanner: add ether scope
      scanner: arp: move to own scope
      scanner: remove saddr/daddr from initial state
      scanner: vlan: move to own scope
      scanner: limit: move to own scope
      scanner: quota: move to own scope
      scanner: move until,over,used keywords away from init state
      scanner: secmark: move to own scope
      scanner: avoid -fasan heap overflow warnings
      scanner: add support for scope nesting
      scanner: counter: move to own scope
      scanner: log: move to own scope
      parser: add missing scope_close annotation for RT keyword
      parser: fix scope closure of COUNTER token
      netlink: don't crash when set elements are not evaluated as expected
      src: vlan: allow matching vlan id insider 802.1ad frame
      proto: add 8021ad as mnemonic for IEEE 802.1AD (0x88a8) ether type
      payload: be careful on vlan dependency removal
      tests: add 8021.AD vlan test cases
      proto: replace vlan ether type with 8021q
      evaluate: check if nat statement map specifies a transport header expr
      doc: tiny spelling fix in stateful object section s/an/a

Frank Wunderlich (1):
      nftables: add flags offload to flowtable

Jan Engelhardt (1):
      files: move example files away from /etc

Laura Garcia Liebana (1):
      parser: allow to load stateful ct connlimit elements in sets

Marco Oliverio (1):
      cache: check errno before invoking cache_release()

Pablo Neira Ayuso (62):
      evaluate: disallow ct original {s,d}ddr from concatenations
      src: add negation match on singleton bitmask value
      tests: shell: extend 0025empty_dynset_0 to cover multi-statement support
      evaluate: incorrect usage of stmt_binary_error() in reject
      table: rework flags printing
      table: support for the table owner flag
      mnl: remove nft_mnl_socket_reopen()
      cache: memleak list of chain
      expression: memleak in verdict_expr_parse_udata()
      src: move remaining cache functions in rule.c to cache.c
      segtree: release single element already contained in an interval
      tests: shell: flowtable add after delete in batch
      tests: shell: fix 0025empty_dynset_0
      doc: no need to define a set in ct state
      src: add datatype->describe()
      rule: remove semicolon in flowtable offload
      mnl: do not set flowtable flags twice
      parser_bison: simplify flowtable offload flag parser
      cache: rename chain_htable to cache_chain_ht
      src: split chain list in table
      evaluate: use chain hashtable for lookups
      cache: statify chain_cache_dump()
      cache: check for NULL chain in cache_init()
      cache: add hashtable cache for sets
      cache: bail out if chain list cannot be fetched from kernel
      Makefile: missing owner.h file
      parser_bison: missing relational operation on flag list
      tests: shell: remove missing modules
      src: unbreak deletion by table handle
      rule: skip fuzzy lookup for unexisting 64-bit handle
      src: pass chain name to chain_cache_find()
      src: consolidate nft_cache infrastructure
      src: consolidate object cache infrastructure
      cache: add hashtable cache for object
      cache: add hashtable cache for flowtable
      cache: add set_cache_del() and use it
      evaluate: add set to the cache
      evaluate: add flowtable to the cache
      cache: missing table cache for several policy objects
      evaluate: add object to the cache
      cache: add hashtable cache for table
      evaluate: remove chain from cache on delete chain command
      evaluate: remove set from cache on delete set command
      evaluate: remove flowtable from cache on delete flowtable command
      evaluate: remove object from cache on delete object command
      src: add cgroupsv2 support
      parser_bison: add set_elem_key_expr rule
      src: add set element catch-all support
      evaluate: don't crash on set definition with incorrect datatype
      tests: shell: don't assume fixed handle value in 
      netlink_delinearize: fix binary operation postprocessing with sets
      parser_bison: add shortcut syntax for matching flags without binary 
      src: use PRIu64 format
      datatype: skip cgroupv2 rootfs in listing
      doc: document cgroupv2
      libnftables: location-based error reporting for chain type
      cmd: typo in chain fuzzy lookup
      rule: skip exact matches on fuzzy lookup
      evaluate: allow == and != in the new shortcut syntax to match for flags
      expression: display an error on unknown datatype
      include: missing sctp_chunk.h in Makefile.am
      build: Bump version to v0.9.9

Pavel Tikhomirov (1):
      nftables: xt: fix misprint in nft_xt_compatible_revision

Phil Sutter (18):
      reject: Fix for missing dependencies in netdev family
      reject: Unify inet, netdev and bridge delinearization
      json: limit: Always include burst value
      json: Do not abbreviate reject statement object
      tests/py: Write dissenting payload into the right file
      tests/py: Add a test sanitizer and fix its findings
      erec: Sanitize erec location indesc
      monitor: Don't print newgen message with JSON output
      tests/py: Adjust payloads for fixed nat statement dumps
      mnl: Set NFTNL_SET_DATA_TYPE before dumping set elements
      tests/py: Fix for missing JSON equivalent in any/ct.t.json
      mnl: Increase BATCH_PAGE_SIZE to support huge rulesets
      doc: Reduce size of NAT statement synopsis
      scanner: sctp: Move to own scope
      json: Simplify non-tcpopt exthdr printing a bit
      exthdr: Implement SCTP Chunk matching
      doc: nft.8: Extend monitor description by trace
      expr_postprocess: Avoid an unintended fall through

Simon Ruderich (4):
      doc: add * to include example to actually include files
      doc: remove duplicate tables in synproxy example
      doc: move drop rule on a separate line in blackhole example
      doc: use symbolic names for chain priorities

Stefano Brivio (2):
      segtree: Fix range_mask_len() for subnet ranges exceeding unsigned int
      tests: Introduce 0043_concatenated_ranges_1 for subnets of different sizes

Štěpán Němec (3):
      tests: monitor: use correct $nft value in EXIT trap
      main: fix nft --help output fallout from 719e4427
      doc: nft: fix some typos and formatting issues
