* [ANNOUNCE] nftables 1.1.6 release
@ 2025-12-05 14:11 Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2025-12-05 14:11 UTC (permalink / raw)
To: netfilter-devel, netfilter; +Cc: netfilter-announce, lwn, netdev
Hi!
The Netfilter project proudly presents:
nftables 1.1.6
This release contains fixes:
- Complete lightweight tunnel template support, including vxlan, geneve
  and erspan, e.g.:

    table netdev global {
        tunnel t1 {
            id 10
            ip saddr 192.168.2.10
            ip daddr 192.168.2.11
            sport 1025
            dport 20020
            ttl 1
            erspan {
                version 1
                index 2
            }
        }
        tunnel t2 {
            id 10
            ip saddr 192.168.3.10
            ip daddr 192.168.3.11
            sport 1025
            dport 21021
            ttl 1
            erspan {
                version 1
                index 2
            }
        }
        chain in {
            type filter hook ingress device veth0 priority 0;
            tunnel name ip saddr map { 10.141.10.12 : "t1", 10.141.10.13 : "t2" } fwd to erspan1
        }
    }

  You have to create the erspan1 interface before loading your ruleset:

    ip link add dev erspan1 type erspan external
- Support for wildcards in netdev hooks, e.g. add a basechain to filter
  ingress traffic for all existing vlan devices:

    table netdev t {
        chain c {
            type filter hook ingress devices = { "vlan*", "veth0" } priority filter; policy accept;
        }
    }
- Support to pass up bridge frames to the bridge device for local
  processing, e.g. pass up all bridge frames for de:ad:00:00:be:ef
  to the IP stack:

    table bridge global {
        chain pre {
            type filter hook prerouting priority 0; policy accept;
            ether daddr de:ad:00:00:be:ef meta pkttype set host ether daddr set meta ibrhwaddr accept
        }
    }
The new meta ibrhwaddr provides the bridge hardware address which
can be used to mangle the destination address.
This requires a Linux kernel >= 6.18.
- New afl++ (american fuzzy lop++) fuzzer infrastructure, enable it with:

    ./configure --with-fuzzer

  and read tests/afl++/README to build and run tools/nft-afl.
- fib expression incorrect bytecode for Big Endian. Instead of:

    [ fib saddr . iif oif present => reg 1 ]
    [ cmp eq reg 1 0x01000000 ]

  generate:

    [ fib saddr . iif oif present => reg 1 ]
    [ cmp eq reg 1 0x00000001 ]

  among other Big Endian fixes.
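The following is an added illustration of the Big Endian fix above, not code from the nftables project. It models the register/constant comparison: the fib result lands in a 32-bit register in host byte order, so the compare constant must be encoded in host byte order too, and nft's `--debug=netlink` output shows the raw register bytes in memory order. The buggy path simply reproduces the old constant shown above (bytes 01 00 00 00 on a Big Endian host); how the old code arrived at it is not described on this page.

```python
import struct

# Constructed model of the fib "present" comparison. The kernel stores the
# boolean result as a native 32-bit integer; userspace must emit the cmp
# constant in the same byte order or the rule never matches.
HOST_ORDER = {"little": "<I", "big": ">I"}


def kernel_register_bytes(result: int, host: str) -> bytes:
    """Raw bytes the kernel leaves in reg 1 for a boolean fib result."""
    return struct.pack(HOST_ORDER[host], result)


def cmp_constant_bytes(value: int, host: str, buggy: bool) -> bytes:
    """Constant userspace emits for '[ cmp eq reg 1 <constant> ]'.

    buggy=True reproduces the pre-1.1.6 output on Big Endian hosts quoted in
    the announcement (0x01000000 instead of 0x00000001); the little-endian
    byte pattern is used as the model for that output (assumption).
    """
    if buggy and host == "big":
        return struct.pack("<I", value)
    return struct.pack(HOST_ORDER[host], value)


def nft_hex(raw: bytes) -> str:
    """Render the constant the way nft's netlink debug output does."""
    return "0x" + raw.hex()


def cmp_matches(host: str, buggy: bool) -> bool:
    """Does the cmp fire when the fib lookup reports the route as present?"""
    return kernel_register_bytes(1, host) == cmp_constant_bytes(1, host, buggy)


if __name__ == "__main__":
    for host in ("little", "big"):
        for buggy in (False, True):
            const = nft_hex(cmp_constant_bytes(1, host, buggy))
            print(f"{host:6} buggy={buggy!s:5} [ cmp eq reg 1 {const} ] "
                  f"matches={cmp_matches(host, buggy)}")
```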
... and man nft(8) documentation updates and more small fixes.
See changelog for more details (attached to this email).
You can download this new release from:
https://www.netfilter.org/projects/nftables/downloads.html
https://www.netfilter.org/pub/nftables/
To build the code, libnftnl >= 1.3.1 and libmnl >= 1.0.4 are required:
* https://netfilter.org/projects/libnftnl/index.html
* https://netfilter.org/projects/libmnl/index.html
Visit our wikipage for user documentation at:
* https://wiki.nftables.org
For the manpage reference, check man(8) nft.
In case of bugs and feature requests, file them via:
* https://bugzilla.netfilter.org
Happy firewalling.
Changelog (changes-nftables-1.1.6.txt):
Christoph Anton Mitterer (8):
doc: clarify evaluation of chains
doc: minor improvements with respect to the term “ruleset”
doc: describe include’s collation order to be that of the C locale
doc: fix/improve documentation of jump/goto/return
doc: add more documentation on bitmasks and sets
doc: add overall description of the ruleset evaluation
doc: fix/improve documentation of verdicts
doc: minor improvements to the `reject` statement
Fernando Fernandez Mancera (7):
tunnel: add vxlan support
tunnel: add tunnel object and statement json support
tests: add tunnel shell and python tests
meta: introduce meta ibrhwaddr support
tests: shell: add packetpath test for meta ibrhwaddr
rule: add missing documentation for cmd_obj enum
tunnel: add missing tunnel object list support
Florian Westphal (19):
tests: shell: skip two bitwise tests if multi-register support isn't available
tests: py: objects.t: must use input, not output
src: tunnel: handle tunnel delete command
tests: shell: add regression tests for set flush+add bugs
tests: shell: fix name based checks with CONFIG_MODULES=n
tests: shell: type_route_chain: use in-tree nftables, not system-wide one
tests: shell: add packetpath test for reject statement
evaluate: tunnel: don't assume src is set
src: tunnel src/dst must be a symbolic expression
src: parser_bison: prevent multiple ip daddr/saddr definitions
evaluate: reject tunnel section if another one is already present
src: fix fmt string warnings
src: parser_json: fix format string bugs
evaluate: follow prefix expression recursively if needed
doc: remove queue from verdict list
src: add refcount asserts
support for afl++ (american fuzzy lop++) fuzzer
src: move fuzzer functionality to separate tool
build: unbreak 'make distcheck'
Georg Pfuetzenreuter (1):
doc: fix tcpdump example
Gyorgy Sarvari (1):
tests: shell: fix typo in vmap_timeout test script
Jeremy Sowden (2):
doc: fix some man-page mistakes
build: don't install ancillary files without systemd service file
Pablo Neira Ayuso (23):
src: add tunnel template support
tunnel: add erspan support
src: add tunnel statement and expression support
tunnel: add geneve support
src: add expr_type_catchall() helper and use it
src: replace compound_expr_add() by type safe set_expr_add()
src: replace compound_expr_add() by type safe concat_expr_add()
src: replace compound_expr_add() by type safe list_expr_add()
segtree: rename set_compound_expr_add() to set_expr_add_splice()
expression: replace compound_expr_clone() by type safe function
expression: remove compound_expr_add()
expression: replace compound_expr_remove() by type safe function
expression: replace compound_expr_destroy() by type safe function
expression: replace compound_expr_print() by type safe function
src: replace compound_expr_alloc() by type safe function
evaluate: simplify set to list normalisation for device expressions
tests: shell: combine flowtable devices with variable expression
parser_bison: remove leftover utf-8 character in error
libnftables: do not re-add default include directory in include search path
rule: skip CMD_OBJ_SETELEMS with no elements after set flush
tests: shell: add device to sets/0075tunnel_0 to support older kernels
tests: shell: refer to python3 in json prettify script
build: Bump version to 1.1.6
Phil Sutter (38):
table: Embed creating nft version into userdata
tools: gitignore nftables.service file
monitor: Quote device names in chain declarations, too
tests: monitor: Label diffs to help users
tests: monitor: Fix regex collecting expected echo output
tests: monitor: Test JSON echo mode as well
tests: monitor: Extend debug output a bit
Makefile: Fix for 'make CFLAGS=...'
mnl: Allow for updating devices on existing inet ingress hook chains
monitor: Inform JSON printer when reporting an object delete event
tests: monitor: Extend testcases a bit
tests: monitor: Exercise all syntaxes and variants by default
tests: py: Enable JSON and JSON schema by default
tests: Prepare exit codes for automake
tests: json_echo: Skip if run as non-root
tests: shell: Skip packetpath/nat_ftp in fake root env
tests: build: Do not assume caller's CWD
tests: build: Avoid a recursive 'make check' run
Makefile: Enable support for 'make check'
fib: Fix for existence check on Big Endian
mnl: Support simple wildcards in netdev hooks
parser_bison: Accept ASTERISK_STRING in flowtable_expr_member
tests: shell: Test ifname-based hooks
mnl: Drop asterisk from end of NFTA_DEVICE_PREFIX strings
datatype: Fix boolean type on Big Endian
optimize: Fix verdict expression comparison
tests: py: any/tcpopt.t.json: Fix JSON equivalent
tests: py: any/ct.t.json.output: Drop leftover entry
tests: py: inet/osf.t: Fix element ordering in JSON equivalents
tests: py: Fix for using wrong payload path
tests: py: Implement payload_record()
tests: py: Do not rely upon '[end]' marker
netlink: No need to reference array when passing as pointer
datatype: Increase symbolic constant printer robustness
tests: py: ip6/vmap.t: Drop double whitespace in rule
netlink: Zero nft_data_linearize objects when populating
utils: Cover for missing newline after BUG() messages
doc: libnftables-json: Describe RULESET object
Ronan Pigott (1):
doc: don't suggest to disable GSO
Yi Chen (1):
tests: shell: add packetpath test for meta time expression.