The Netfilter project proudly presents:

        nftables 1.0.2

This release contains new features available up to the Linux kernel
5.17-rc release:

* New ruleset optimization -o/--optimize option. You can combine this
  option with the dry run mode (--check) to review the proposed ruleset
  updates without actually loading the ruleset, e.g.

        # nft -c -o -f ruleset.test
                 ruleset.nft:16:3-37:           ip daddr counter 
                 ruleset.nft:17:3-37:           ip daddr counter 
                 ruleset.nft:18:3-37:           ip daddr counter 
                 ip daddr {,, } counter packets 0 bytes 0 accept

  This option also coalesces rules using concatenation+set, e.g.

      meta iifname eth1 ip saddr ip daddr accept
      meta iifname eth1 ip saddr ip daddr accept


      meta iifname . ip saddr . ip daddr { eth1 . ., eth1 . . } accept

   and it uses verdict maps to coalesce rules with same selectors but different
   verdicts, e.g.

      ip saddr ip daddr accept
      ip saddr ip daddr drop


      ip saddr . ip daddr vmap { . : accept, . : drop }

- Support for ip and tcp options and sctp chunks in sets, e.g.

        set s5 {
               typeof ip option ra value
               elements = { 1, 1024 }
        }

        set s7 {
               typeof sctp chunk init num-inbound-streams
               elements = { 1, 4 }
        }

        chain c5 {
               ip option ra value @s5 accept
        }

        chain c7 {
               sctp chunk init num-inbound-streams @s7 accept
        }

- Support for tcp fastopen, md5sig and mptcp options.

- mp-tcp subtype matching support, e.g.

        tcp option mptcp subtype 1

- Improved kernel-side filtering via listing options.

- complete JSON support for flowtables.

... this release also includes fixes (highlights):

- fix --terse option with anonymous sets.
- fix crash with `nft describe' on invalid field or datatype.
- Big Endian fixes for ct expiration, meta sk{u,g}uid, meta hour,
  ct label, meta {i,o}ifname with wildcard, payload matching with
- allow for quoted strings as device names in flowtable declarations.
- ethernet matching with reject, e.g.

        ether saddr aa:bb:cc:dd:ee:ff ip daddr reject

- turn on dynamic flag if rule dynamically updates a set.

... and incremental documentation updates.

This release also includes libnftables C example code now available
under the examples/ folder.

You can download this new release from:


To build the code, libnftnl >= 1.2.1 and libmnl >= 1.0.4 are required:

* https://netfilter.org/projects/libnftnl/index.html
* https://netfilter.org/projects/libmnl/index.html

Visit our wikipage for user documentation at:

* https://wiki.nftables.org

For the manpage reference, check man(8) nft.

In case of bugs and feature requests, file them via:

* https://bugzilla.netfilter.org

Happy firewalling.

Eugene Crosser (1):
      netlink: Use abort() in case of netlink_abi_error

Florian Westphal (24):
      exthdr: fix type number saved in udata
      netlink_delinearize: use correct member type
      netlink_delinearize: rename misleading variable
      netlink_delinearize: binop: make accesses to expr->left/right conditional
      tcpopt: remove KIND keyword
      scanner: add tcp flex scope
      parser: split tcp option rules
      tcpopt: add md5sig, fastopen and mptcp options
      tests: py: add test cases for md5sig, fastopen and mptcp mnemonics
      mptcp: add subtype matching
      exthdr: fix tcpopt_find_template to use length after mask adjustment
      tests: py: add tcp subtype match test cases
      ipopt: drop unused 'ptr' argument
      exthdr: support ip/tcp options and sctp chunks in typeof expressions
      iptopt: fix crash with invalid field/type combo
      tests: add shift+and typeof test cases
      payload: skip templates with meta key set
      netlink_delinearize: and/shift postprocessing
      netlink_delinearize: zero shift removal
      evaluate: attempt to set_eval flag if dynamic updates requested
      src: silence compiler warnings
      json: add flow statement json export + parser
      parser_json: fix flowtable device datatype
      parser_json: permit empty device list

Jeremy Sowden (18):
      proto: short-circuit loops over upper protocols
      evaluate: correct typo's
      evaluate: reject: support ethernet as L2 protocol for inet table
      tests: shell: remove stray debug flag.
      build: fix autoconf warnings
      build: remove scanner.c and parser_bison.c with `maintainer-clean`
      tests: py: fix inet/sets.t netdev payload
      tests: py: fix inet/ip.t payloads
      tests: py: fix inet/ip_tcp.t test
      netlink_delinearize: fix typo
      src: remove arithmetic on booleans
      src: reduce indentation
      src: simplify logic governing storing payload dependencies
      tests: py: fix inet/ip.t bridge payload
      src: add a helper that returns a payload dependency for a particular base
      src: store more than one payload dependency
      tests: py: remove redundant payload expressions
      tests: shell: remove redundant payload expressions

Pablo Neira Ayuso (30):
      cache: do not skip populating anonymous set with -t
      mnl: different signedness compilation warning
      cli: remove #include <editline/history.h>
      cli: save history on ctrl-d with editline
      tests: shell: extend catchall tests for maps
      proto: revisit short-circuit loops over upper protocols
      erec: expose print_location() and line_location()
      src: error reporting with -f and read from stdin
      src: remove '$' in symbol_expr_print
      src: add ruleset optimization infrastructure
      optimize: merge rules with same selectors into a concatenation
      optimize: merge same selector with different verdict into verdict map
      optimize: merge several selectors with different verdict into verdict map
      src: do not use the nft_cache_filter object from mnl.c
      cache: do not set error code twice
      cache: add helper function to fill up the rule cache
      src: 'nft list chain' prints anonymous chains correctly
      libnftables: use xrealloc()
      parser_bison: missing synproxy support in map declarations
      optimize: add __expr_cmp()
      optimize: merge verdict maps with same lookup key
      optimize: check for payload base and offset when searching for mergers
      optimize: do not merge raw payload expressions
      iface: handle EINTR case when creating the cache
      examples: add libnftables example program
      examples: load ruleset from JSON
      netlink: check key is EXPR_CONCAT before accessing field
      segtree: memleak get element command
      build: Bump version to 1.0.2
      build: missing SUBIRS update

Phil Sutter (18):
      tests/py: Avoid duplicate records in *.got files
      exthdr: Fix for segfault with unknown exthdr
      mnl: Fix for missing info in rule dumps
      src: Fix payload statement mask on Big Endian
      meta: Fix {g,u}id_type on Big Endian
      meta: Fix hour_type size
      datatype: Fix size of time_type
      ct: Fix ct label value parser
      netlink_delinearize: Fix for escaped asterisk strings on Big Endian
      cache: Filter tables on kernel side
      cache: Filter rule list on kernel side
      cache: Filter chain list on kernel side
      cache: Filter set list on server side
      cache: Support filtering for a specific flowtable
      tests: py: Test connlimit statement
      scanner: Move 'maps' keyword into list cmd scope
      scanner: Some time units are only used in limit scope
      scanner: rt: Move seg-left keyword into scope

Pierre Ducroquet (1):
      doc: add undefine and redefine keywords

Stijn Tintel (1):
      parser: allow quoted string in flowtable_expr_member

Štěpán Němec (1):
      tests: shell: better parameters for the interval stack overflow test
