Hi!

The Netfilter project proudly presents:

        nftables 0.8.3

This release includes a few fixes since the last release plus the
following enhancements:

- ifname_type, so it's possible to match interface names via sets:

  table inet t {
          set s {
                  type ifname
                  elements = { "eth0", "eth1" }
          }
          chain c {
                  iifname @s accept
                  oifname @s accept
          }
  }

- raw payload support to match headers that do not yet have a more
  human-readable mnemonic. This also allows matching udp and tcp port
  numbers in a single rule, because the raw payload expression doesn't
  enforce a protocol dependency on the network header. Example:

  input meta l4proto {tcp, udp} @th,16,16 { dns, http }

  matches both udp and tcp dport 53 and 80 in a single rule.

See ChangeLog that comes attached to this email for more details.

You can download it from:

http://www.netfilter.org/projects/nftables/downloads.html#nftables-0.8.3
ftp://ftp.netfilter.org/pub/nftables/

To build the code, libnftnl 1.0.9 and libmnl >= 1.0.2 are required:

* http://netfilter.org/projects/libnftnl/index.html
* http://netfilter.org/projects/libmnl/index.html

Visit our wikipage for user documentation at:

* http://wiki.nftables.org

For the manpage reference, check man(8) nft.

In case of bugs and feature requests, file them via:

* https://bugzilla.netfilter.org

Happy firewalling!

Arturo Borrero Gonzalez (4):
      nftables: rearrange files and examples
      examples: add ct helper examples
      files: add load balance example
      meta: introduce datatype ifname_type

Baruch Siach (1):
      src: fix build with older glibc

David Fabian (1):
      Added undefine/redefine keywords

Duncan Roe (1):
      doc/nft.xml: fix typo

Florian Westphal (16):
      tests: enable sets test case 27
      tests: add test case for sets updated from packet path
      payload: don't decode past last valid template
      include: fix build failure
      tests: meta.t: fix test case for anonymous set automerge
      payload: use integer_type when initializing a raw expression
      payload: don't resolve expressions using the inet pseudoheader
      src: make raw payloads work
      doc: document raw protocol expression
      tests: add raw payload test cases.
      doc: mention meta l4proto and ipv6 nexthdr issue wrt. extension headers
      doc: remove ipv6 address FIXME
      doc: add example for rule add/delete
      parser: use nf_key_proto
      src: datatype: prefer sscanf, avoid strncpy
      build: Bump version to v0.8.3

Harsha Sharma (2):
      libnftables: don't crash when no commands are specified
      src: Use snprintf() over strncpy()

Laura Garcia Liebana (1):
      parser: support of maps with timeout

Pablo Neira Ayuso (11):
      src: pass family to payload_dependency_kill()
      payload: add payload_dependency_release() helper function
      src: add payload_dependency_exists()
      src: get rid of __payload_dependency_kill()
      payload: add payload_may_dependency_kill()
      netlink_delinearize: add meta_may_dependency_kill()
      src: bail out when exporting ruleset with unsupported output
      segtree: check for overlapping elements at insertion
      tests: shell: regression test for bugzilla 1228
      configure: misc updates
      netlink: remove non-batching routines

Phil Sutter (10):
      evaluate: Enable automerge feature for anonymous sets
      Review switch statements for unmarked fall through cases
      monitor: Make trace events respect output_fp
      monitor: Make JSON/XML output respect output_fp
      cli: Drop pointless check in cli_append_multiline()
      erec: Avoid passing negative offset to fseek()
      evaluate: Fix memleak in stmt_reject_gen_dependency()
      hash: Fix potential null-pointer dereference in hash_expr_cmp()
      netlink: Complain if setting O_NONBLOCK fails
      netlink_delinearize: Fix resource leaks

Ville Skyttä (2):
      configure: Make missing docbook2man an error if man build requested
      src: Spelling fixes
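
Added example, not part of the original announcement or of the nftables code: a small Python model of the raw payload rule quoted in the announcement, showing why @th,16,16 reads the destination port of both TCP and UDP and why the meta l4proto guard still matters. It assumes offset and length are counted in bits from the start of the transport header; the function names and the sample headers are constructed for illustration.

```python
import re
import struct

RAW_RE = re.compile(r"@(ll|nh|th),(\d+),(\d+)")

def parse_raw(expr):
    """Split '@base,offset,length' into (base, bit offset, bit length)."""
    m = RAW_RE.fullmatch(expr.strip())
    if not m or int(m.group(3)) == 0:
        raise ValueError(f"bad raw payload expression: {expr!r}")
    return m.group(1), int(m.group(2)), int(m.group(3))

def extract_bits(header, offset, length):
    """Read `length` bits starting `offset` bits into header (network order)."""
    total = len(header) * 8
    if offset + length > total:
        raise ValueError("field runs past the end of the header")
    value = int.from_bytes(header, "big")
    return (value >> (total - offset - length)) & ((1 << length) - 1)

def rule_matches(l4proto, th, expr="@th,16,16",
                 protos=("tcp", "udp"), values=(53, 80)):
    """Model of: meta l4proto {tcp, udp} @th,16,16 { dns, http }"""
    if l4proto not in protos:   # the meta l4proto guard; the raw expression
        return False            # itself carries no protocol check
    base, offset, length = parse_raw(expr)
    if base != "th":
        raise ValueError("this model only holds a transport header")
    try:
        return extract_bits(th, offset, length) in values
    except ValueError:
        return False            # truncated header: nothing to compare

# Constructed sample headers (source port, destination port, ...).
TCP_HTTP = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
UDP_DNS = struct.pack("!HHHH", 40001, 53, 8, 0)
UDP_NTP = struct.pack("!HHHH", 40002, 123, 8, 0)
# SCTP common header: ports sit at the same offsets, then tag and checksum.
SCTP_HTTP = struct.pack("!HHII", 40003, 80, 0, 0)

if __name__ == "__main__":
    samples = [("tcp/80", "tcp", TCP_HTTP), ("udp/53", "udp", UDP_DNS),
               ("udp/123", "udp", UDP_NTP), ("sctp/80", "sctp", SCTP_HTTP)]
    for name, proto, hdr in samples:
        print(name, extract_bits(hdr, 16, 16), rule_matches(proto, hdr))
```

The SCTP sample carries 80 at the same bit offset, so only the meta l4proto set keeps it from matching; when reviewing a ruleset, treat a raw payload match without such a guard as applying to every transport protocol.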