Hi!
The Netfilter project proudly presents:
nftables 0.8.4
This release includes many fixes and the following enhancements and new features:
- support to match ipv6 segment routing headers
- new 'meta ibrname' and 'meta obrname' to match the name
of the logical bridge a packet is passing through.
These new names replace the old (misnamed) 'ibriport'/'obriport'.
- 'nft -a' will now show handle identifier for all objects, including
tables and chains.
- nft can now delete objects by their handle number.
- support for updating sets and maps from the packet path, i.e. from
rules in the ruleset itself (dynamic addition and update of elements).
- the "--echo" option now prints the handle id for tables and objects too.
- "nft -f -" will now read from standard input
- support for flow tables.
Flow tables accelerate packet forwarding in software: they provide an
alternative path that lets packets bypass the classic forwarding path.
You select which flows to place in the offload path with the new
flow offload expression.
See the nft manual page or
https://lwn.net/Articles/738214/ for more information.
- add libnftables as a high-level library
This release of nftables now includes libnftables, a high-level
library to interact with the in-kernel nf_tables subsystem.
See the ChangeLog attached to this email for more details.
You can download it from:
http://www.netfilter.org/projects/nftables/downloads.html#nftables-0.8.4
ftp://ftp.netfilter.org/pub/nftables/
To build the code, libnftnl 1.1.0 and libmnl >= 1.0.2 are required:
* http://netfilter.org/projects/libnftnl/index.html
* http://netfilter.org/projects/libmnl/index.html
Visit our wikipage for user documentation at:
* http://wiki.nftables.org
For the manpage reference, check man(8) nft.
Report bugs and feature requests via:
* https://bugzilla.netfilter.org
Happy firewalling!
Ahmed Abdelsalam (2):
src: handle rt0 and rt2 properly
src: Adding support for segment routing header 'srh'
Duncan Roe (3):
doc: nft.8 aim for consistent synopses throughout (again)
doc: nft.8 more spelling fixes
src: fix --debug mnl not producing output
Florian Westphal (34):
doc: add set information and example for run-time blackhole
netlink: use nftnl_flowtable_get/set
src: fix routing header support
tests: add srh test cases
tests: add test cases for vmap binop transfer
src: netlink_delinearize: don't assume element contains a value
src: segtree: use value expression length
evaluate: handle binop adjustment recursively
src: evaluate: add preliminary binop transfer support for vmaps
doc: describe table dormant flag
src: avoid erroneous assert with map+concat
tests: meta: icmp, icmpv6: don't kill required dependencies
payload: don't remove icmp family dependency in special cases
proto: permit icmp-in-ipv6 and icmpv6-in-ipv4
Revert "payload: don't remove icmp family dependency in special cases"
statement: print space before "{" in set add
netlink_delinearize: kill dependency before eval of 'redirect' stmt
tests: redirect: fix tests for upcoming nft-test.py fix
tests: mh: fix expected test output
tests: ct, meta: fixes for upcoming nft-test.py fix
nft-test: check start of rule with sets too
tests: ip6: fix 'missing payload' error
evaluate: move lhs fixup to a helper
evaluate: split binop xfer to separate function
evaluate: handle EXPR_MAPPING
evaluate: use recursive call for SET_REF handling
configure: don't enable xtables when --without-xtables is passed
scanner: add helpers token
src: rename ibrportname, obrportname
evaluate: reset eval context when evaluating set definitions
evaluate: clear expression context before cmd evaluation
doc: reword insert position, this expects rule handle to insert, not a
relative position
Harsha Sharma (13):
src: print 'handle' attribute in tables
parser_bison: delete table via table handle
src: Print handle attribute in chains
parser_bison: delete chain via chain handle
src: list set handle and delete set via set handle
tests/shell: add tests for deletion of chains via chain handle
tests/shell: add tests for deletion of sets via set handle
src: extend nft to list object handle and delete objects via handle
doc/nft.xml: Add deletion for objects via handles
tests/shell: add tests for deletion of objects via object handle
rule: print handle attribute in more clearer manner
tests: shell: fix tests for deletion via handle attribute
src: Updates for mini-gmp.{c,h}
Laura Garcia Liebana (2):
tests: shell: autogenerate dump verification
src: support of dynamic map addition and update of elements
Pablo Neira Ayuso (42):
src: add variable expression and use it to allow redefinitions
tests: shell: redefine and undefine
tests: shell: set timeout and size combination coverage
src: support for flowtable listing
src: add support to add flowtables
src: delete flowtable
src: flow offload support
tests: shell: add flowtable tests
doc: nft: document flowtable
netlink: print chain handle with --echo --handle
netlink: print table handle with --echo --handle
rule: print object handle with --echo --handle
rule: broken handle listing of table and named objects
tests: shell: missing redirection to file
configure: bump libnftnl dependency
src: support for get element command
src: move monitor code to src/monitor.c
src: remove unused batch support checks
src: don't dump set content from netlink_get_setelems()
src: update dynamic set updates from packet path syntax
Revert "src: update dynamic set updates from packet path syntax"
src: revisit syntax to update sets and maps from packet path
tests: update to new syntax to add/update set from packet path
rule: reset cache iff there is an existing cache
src: use mini-gmp 6.1.2 stable release
evaluate: do not unconditionally update cache from flush command
evaluate: propagate binop_transfer() adjustment to set key size
netlink: floating point exception with concatenations
tests: py: remove object ID from payload file
parser_bison: missing rules for IBRIDGENAME and OBRIDGENAME
src: use ibrname and obrname
mnl: remove non-batch netlink code
netlink: remove dead netlink_io_error() calls
netlink: pass cmd object to netlink function calls
netlink: netlink_list_chains() callers always want all existing chains
netlink: don't pass location to netlink_list_*() function
netlink: remove unused function declarations
src: simplify netlink_get_setelems() and rename it to
netlink_list_setelems()
src: centralize netlink error reporting
netlink: no EINTR handling from netlink_get_setelem()
evaluate: missing flowtable evaluation from nested notation
rule: do not hardcode ingress when printing flowtable
Phil Sutter (35):
tests/shell: Use custom nft binary for ruleset listing
relational: Eliminate meta OPs
netlink: Fold netlink_gen_cmp() into netlink_gen_relational()
Combine redir and masq statements into nat
Support 'nft -f -' to read from stdin
tests/shell: Fix dump of chains/0016delete_handle_0
tests/shell: Fix flowtable test cases
flowtable: Make parsing a little more robust
tests/shell: Fix sporadic fail of include/0007glob_double_0
tests/shell: Allow to specify multiple testcases
tests/shell: Test flush and nat chain recreate in one go
Export libnftables (again)
ct: Fix output_fp bypass in ct_print()
libnftables: Fix for input without trailing newline
libnftables: Introduce nft_ctx_set_error()
libnftables: Support buffering output and error
libnftables: Simplify cookie integration
tests/py: Use libnftables instead of calling nft binary
tests/py: Review print statements in nft-test.py
tests/py: Allow passing multiple files to nft-test.py
cli: Drop String termination workaround
erec: Review erec_print()
libnftables: Fix forgotten bit after introducing error_fp
rule: Free table->objs in table_free()
segtree: Fix memory leaks
Review raw payload allocation points
segtree: Fix for last elem at interval end
tests/py: rt.t: Drop needless rule output
tests/py: Fix differences printing for rules with sets
Review .gitignore files contents
ct: Remove duplicate include of gmputil.h
libnftables: Keep cmds list outside of parser_state
parser_bison: Pass struct nft_ctx to parser_init()
rule: Free flowtable in handle_free()
statement: Fix get_rate() for zero byte_rate
Sabrina Dubroca (1):
expression: fix constant expression allocation on big endian with partial
bytes