nftables Changelog

What's new in nftables 0.4

Dec 16, 2014

It provides access to a lot of new features, including global ruleset operations, improved logging support, masquerading and NAT, redirect support (will need a 3.19 kernel), and a lot of fixes.

New in nftables 0.099 (Jan 21, 2014)

nft: scanner: fixed problem with ipv6 address
nftables: delete debian/ directory
mnl: fix inconsistent name usage in nft_*_nlmsg_build_hdr calls
src: fix return code
files: replace interpreter during installation
rule: add flag to display rule handle as comment
doc: fix inversion of operator and object.
rule: list elements in set in any case
cli: add quit command
cli: reset terminal when CTRL+d is pressed
rule: display hook info
src: fix counter restoration
src: Add support for insertion inside rule list
src: Add icmpv6 support
nat: add mandatory family attribute
Suppress non working examples.
Update chain creation format.
display family in table listing
netlink: fix IPv6 prefix computation
src: Add support for IPv6 NAT
mnl: fix typo in comment
netlink: suppress useless variable
netlink: only flush asked table/chain
netlink: fix nft flush operation
expression: fix indent
jump: fix logic in netlink linearize
verdict: fix delinearize in case of jump
netlink: only display wanted chain in listing
log: s/threshold/queue-threshold/
meta: iif/oifname should be host byte order
statement: avoid huge rodata array
nftables: drop hard coded install using root user owner and group
expression: fix output of verdict maps
tests: fix test, commands now comes before the family and table name
rule: allow to list of existing tables
rule: fix nft list chain
netlink: return error if chain not found
main: fix error checking in nft_parse
tests: family-ipv4: update test to use current syntax
tests: expr-ct: update examples to use the current syntax
src: fix crash if nft -f wrong_file is passed
tests: family-ipv6: update to use the current syntax
payload: accept ethertype in hexadecimal
tests: family-bridge: update to use the current syntax
tests: feat-adjancent-load-merging: remove ip protocol from rule
meta: accept uid/gid in numerical
tests: expr-meta: update examples to use the current syntax
tests: obj-chain: update examples to use the current syntax
tests: dictionary: update examples to use the current syntax
tests: set: update examples to use the current syntax
tests: obj-table: update examples to use the current syntax
cli: complete basic functionality of the interactive mode
datatype: concat expression only releases dynamically allocated datatype
evaluate: fix range and comparison evaluation
src: get it sync with current include/linux/netfilter/nf_tables.h
rule: family field in struct handle is unsigned
meta: use if_nametoindex and if_indextoname
meta: replace rtnl_tc_handle2str and rtnl_tc_str2handle
src: use libnftables
netlink: fix network address prefix
datatype: fix table listing if name resolution is not available
mnl: use nft_*_list_add_tail
datatype: fix crash if wrong integer type is passed
log: convert group and qthreshold to use u16
datatype: fix wrong endianess in numeric ports
src: allow to specify the base chain type
meta: fix output display of meta length
datatype: fix mark parsing if string is used
payload: fix endianess of ARP operation code
netlink: use uint32_t instead of size_t for attribute length
src: add rule batching support
netlink_linearize: finish reject support
payload: fix ethernet type protocol matching
parser: fix warning on deprecated directive in bison
build: relax compilation not to break on warning
datatype: fix missing nul-terminated string in string_type_print
netlink: improve rule deletion per chain
meta: fix endianness in UID/GID
meta: relax restriction on UID/GID parsing
src: fix rule flushing atomically
mnl: don't set NLM_F_ACK flag in mnl_nft_rule_batch_[add|del]
mnl: print netlink message if if --debug=netlink in mnl_talk()
netlink: fix dictionary feature with data mappings
netlink: fix wrong type in attributes
scanner: rename address selector from 'eth' to 'ether'
scanner: add aliases to symbols for easier interaction with most shells
segtree: add new segtree debugging option
netlink: use stdout for debugging
parser: fix parsing of ethernet protocol types
payload: fix crash when wrong ethernet protocol type is used
payload: fix inconsistency in ethertype output
src: add new --debug=mnl option to enable libmnl debugging
src: use ':' instead of '=>' in dictionaries
datatype: add time type parser and adapt output
mnl: fix chain type autoloading
use new libnftnl library name
build: work around docbook2x-man inability to specify output file
templates: add IPv6 raw table template
netlink: wrap libnl object dumping in #ifdef DEBUG
lexer: fix some whitespace errors
Fix use of reserved names in header sandwich
kill obsolete TODO item
Allow newlines in sets and maps
Allow newlines in regular maps
build: remove double subdir in build output
build: fix installation when docs are not built
Add installation instructions
parser: fix common_block usage in chain and table blocks
parser: consistently use $@ for location of entire grouping
Add support for scoping and symbol binding
Add support for user-defined symbolic constants
Add more notes to INSTALL
expr: add support for cloning expressions
Fix multiple references to the same user defined symbolic expression
Release scopes during cleanup
Fix some memory leaks
netlink_linearize: remove two debugging printfs
ct: resync netlink header and properly add ct l3protocol support
netlink: add helper function for socket callback modification
netlink: consistent naming fixes
netlink: use libnl OBJ_CAST macro
netlink: move data related functions to netlink.c
datatype: maintain table of all datatypes and add registration/lookup function
datatype: add/move size and byte order information into data types
expressions: kill seperate sym_type datatype for symbols
add support for new set API and standalone sets
debug: allow runtime control of debugging output
netlink: fix bitmask element reconstruction
netlink: dump all chains when listing rules
netlink: fix binop RHS byteorder
payload: add DCCP packet type definitions
payload: fix two datatypes
parser: support bison >= 2.4
build: add 'archive' target
build: fix endless recursion with SUBDIRS=...
debug: properly parse debug levels
netlink: fix byteorder of RHS of relational meta expression
utils: fix invalid assertion in xrealloc()
netlink: fix creation of base chains with hooknum and priority 0
payload: fix crash with uncombinable protocols
netlink: fix nat stmt linearization/parsing
nat: validate protocol context when performing transport protocol mappings
netlink: add debugging for missing objects
don't use internal_location for files specified on command line
datatype: reject incompletely parsed integers in integer_type_parse()
add bridge filter table definitions
parser: fix parsing protocol names for protocols which are also keywords
evaluate: reintroduce type chekcs for relational expressions
segtree: fix segtree to properly support mappings
tests: add verdict map test
seqtree: update mapping data when keeping the base
payload: kill redundant payload protocol expressions during netlink postprocessing
expression: fix constant expression splicing
rules: change rule handle to 64 bit
netlink: fix endless loop on 64 bit when parsing binops
sets: fix sets using intervals
rule: reenable adjacent payload merging
cmd: fix handle use after free for implicit set declarations
tests: add loop detection tests
netlink: fix query requests
chains: add chain rename support
rule: add rule insertion (prepend) support
chains: add rename testcases
netlink_delinearize: don't reset source register after read
expr: kill EXPR_F_PRIMARY
datatype: parse/print in all basetypes subsequently
types: add ethernet address type
expr: fix concat expression type propagation
cmd/netlink: make sure we always have a location in netlink operations
mark: fix numeric mark value parsing
expr: catch missing and excess elements in concatenations
parser: include leading '.' in concat subexpression location
parser: fix size of internet protocol expressions matching keywords
nftables: fix supression of "permission denied" errors
nftables: shorten "could not process rule in batch" message
erec: fix error markup for errors starting at column 0
datatype: revert "fix crash if wrong integer type is passed"
meta: fix crash when parsing unresolvable mark values
parser: replace "vmap" keyword by "map"
Revert "parser: replace "vmap" keyword by "map""
expr: remove secmark from ct and meta expression
meta: don't require "meta" keyword for a subset of meta expressions
meta: fix mismerge
payload: fix name of eth_proto
expr: relational: don't surpress '==' for LHS binops in output
parser: fix compilation breakage
segtree: only use prefix expressions for ranges for selected datatypes
segtree: fix decomposition of unclosed intervals
build: fix recursive parser.h inclusion
set: make set flags output parsable
set: make set initializer parsable
datatype: validate port number in inet_service_type_parse
datatype: allow protocols by number in inet_protocol_type_parse
nftables: add additional --numeric level
src: operational limit match
parser: segfault in top scope define
examples: adjust new chain type syntax in sets_and_maps file
rule: missing set cleanup in do_command_list
parser: add 'delete map' syntax
help: fix of the -I option in help display
netlink: Use the right datatype for verdict
evaluate: Remove useless variable in expr_evaluate_bitwise()
erec: Handle returned value properly in erec_print
expression: Differentiate expr among anonymous structures in struct expr
src: Fix base chain printing
INSTALL: Update dependency list and repository URLs
src: Wrap netfilter hooks around human readable strings
src: Add priority keyword on base chain description
tests: Update bate chain creation according to latest syntax changes
src: Better error reporting if chain type is invalid
include: cache a copy of nfnetlink.h
debug: include verbose message in all BUG statements