* [ANNOUNCE] nftables 0.3 release
@ 2014-06-25 15:52 Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2014-06-25 15:52 UTC (permalink / raw)
To: netfilter-devel; +Cc: netdev, netfilter, netfilter-announce, lwn, kaber
Hi!
The Netfilter project presents:
nftables 0.3
This release contains bug fixes, syntax cleanups, new features, support
for all new features contained in the recent 3.15 kernel release.
Syntax changes
==============
* More compact syntax for the queue action, eg.
    nft add rule test input queue num 1
  You can also express the multiqueue as a range, followed by options.
    nft add rule test input queue num 1-3 bypass fanout
  Or just simply the options:
    nft add rule test input queue bypass
New features
============
* Match input and output bridge interface name through 'meta ibriport'
  and 'meta obriport', e.g.
    nft add rule bridge filter input meta ibriport br0 counter
* netlink event monitor, to monitor ruleset events, set changes, etc.
  The most simple way to monitor updates is to run:
    nft monitor
* New transaction infrastructure - fully atomic updates for all
  objects available in the upcoming 3.16.
Bug fixes
=========
* Fix crash when nftables / nfnetlink support is not present in the kernel.
* Fix crash when using multi-line command in interactive mode, eg.
    nft -i
    nft> list \
    .... table filter
* Fix wrong packet and bytes counters when the rule-set is reloaded.
* Fix wrong output in chain priorities
    type route hook output priority -1
                                    ^^
* Fix assertion when using non-equal comparison, eg.
    nft add rule filter input ip protocol != icmp counter
                                          ^^
* Range inversions, eg.
    nft add rule filter input != 192.168.0.1-192.168.0.10
                              ^^
* Fix 'meta iiftype ether'.
* Fix the udplite selector, due to missing code in the tokenizer.
Ongoing works
=============
There are several open fronts in terms of development:
* Full logging support for all the supported families (ip, ip6, arp,
  bridge and inet).
* Masquerading support.
* Better reject support, which allows you to indicate the explicit reject
  reason.
* JSON/XML import.
* reverse set lookups, eg.
    ip saddr != { 192.168.0.1, 192.168.0.10, 192.168.0.11 }
             ^^
* more new meta selectors, packet type (unicast, multicast and broadcast),
  cpu, physical interface, realm, etc.
* support for concatenations - multidimensional exact matches in O(1) types
* set selection - automatic selection of the optimal set
  implementation.
Resources
=========
The nftables code can be obtained from:
* http://netfilter.org/projects/nftables/downloads.html
* ftp://ftp.netfilter.org/pub/nftables
* git://git.netfilter.org/nftables
To build the code, libnftnl and libmnl are required:
* http://netfilter.org/projects/libnftnl/index.html
Thanks
======
Thanks to all our contributors, testers and bug reporters, who have
all helped to improve nftables.
On behalf of the Netfilter Core Team,
Happy bytecode execution :)
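Added example, not part of the announcement or of nftables: a Python audit helper that parses the three queue forms shown under "Syntax changes" and flags rules carrying `bypass`, since that option lets packets through when no userspace program is listening on the queue. The grammar is inferred from those three commands only; `parse_queue`, `audit`, `SAMPLE` and the queue-0 default for a missing `num` are assumptions of this example.

```python
import re

# Grammar assumed from the three forms in the announcement:
#   queue [num N[-M]] [bypass] [fanout]
QUEUE_RE = re.compile(
    r"\bqueue\b(?:\s+num\s+(?P<lo>\d+)(?:-(?P<hi>\d+))?)?"
    r"(?P<opts>(?:\s+(?:bypass|fanout))*)\s*$"
)

def parse_queue(rule):
    """Parse the queue action at the end of one rule line; None if absent."""
    m = QUEUE_RE.search(rule)
    if m is None:
        return None
    lo = int(m.group("lo") or 0)      # assumed: queue 0 when "num" is omitted
    hi = int(m.group("hi") or lo)     # a single number is a one-queue range
    if not 0 <= lo <= hi <= 0xFFFF:   # queue numbers are 16-bit
        raise ValueError(f"bad queue range {lo}-{hi}")
    return {"queues": (lo, hi), "opts": set(m.group("opts").split())}

def audit(lines):
    """Return (line_number, finding) pairs for queue rules that deserve review."""
    findings = []
    for n, line in enumerate(lines, 1):
        q = parse_queue(line)
        if q is None:
            continue
        if "bypass" in q["opts"]:
            findings.append((n, "fail-open: traffic passes uninspected "
                                "if no listener is bound to the queue"))
        if "fanout" in q["opts"] and q["queues"][0] == q["queues"][1]:
            findings.append((n, "fanout over a single queue has nothing "
                                "to distribute across"))
    return findings

# Constructed sample: the three queue commands from the announcement
# plus one non-queue rule as a control line.
SAMPLE = [
    "nft add rule test input queue num 1",
    "nft add rule test input queue num 1-3 bypass fanout",
    "nft add rule test input queue bypass",
    "nft add rule filter input ip protocol != icmp counter",
]

if __name__ == "__main__":
    for n, finding in audit(SAMPLE):
        print(f"line {n}: {finding}")
```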
* Re: [ANNOUNCE] nftables 0.3 release
From: Robby Workman @ 2014-06-27 17:42 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
On Wed, 25 Jun 2014 17:52:10 +0200
Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> The Netfilter project presents:
>
> nftables 0.3
>
> This release contains bug fixes, syntax cleanups, new features,
> support for all new features contained in the recent 3.15 kernel
> release.
Hi Pablo,
I get this error after configure:
checking for readline in -lreadline... no
configure: error: No suitable version of libreadline found
It appears that you're depending on distro-specific enhancements to
readline, specifically that Fedora explicitly links libtinfo, Arch
explicitly links ncurses, etcetera, while according to upstream
readline, this should not occur -- from INSTALL file in readline:
The readline `configure' recognizes a single `--with-PACKAGE' option:
`--with-curses'
This tells readline that it can find the termcap library functions
(tgetent, et al.) in the curses library, rather than a separate
termcap library. Readline uses the termcap functions, but does not
link with the termcap or curses library itself, allowing applications
which link with readline to choose an appropriate library.
This option tells readline to link the example programs with the
curses library rather than libtermcap.
I think this will be useful:
https://www.gnu.org/software/autoconf-archive/ax_lib_readline.html
-RW