Hi!

The Netfilter project proudly presents:

        nftables 1.1.4

This release contains enhancements and fixes:

- Add conntrack information to the monitor trace command. Example output
  ("conntrack: " lines are new):

    trace id 32 t PRE_RAW packet: iif "enp0s3" ether saddr [..]
    trace id 32 t PRE_RAW rule tcp flags syn meta nftrace set 1 (verdict continue)
    trace id 32 t PRE_RAW policy accept
    trace id 32 t PRE_MANGLE conntrack: ct direction original ct state new ct id 2641368242
    trace id 32 t PRE_MANGLE packet: iif "enp0s3" ether saddr [..]
    trace id 32 t ct_new_pre rule jump rpfilter (verdict jump rpfilter)
    trace id 32 t PRE_MANGLE policy accept
    trace id 32 t INPUT conntrack: ct direction original ct state new ct status dnat-done ct id 2641368242
    trace id 32 t INPUT packet: iif "enp0s3" [..]
    trace id 32 t public_in rule tcp dport 443 accept (verdict accept)

- Add a 'check' fib result to check for routes:

    ... fib daddr . iif check exists
    ... fib daddr . iif check missing

  It can also be used in maps:

    ... fib daddr check vmap { missing : drop, exists : accept }

  and in set statements too:

    ... meta mark set fib daddr check . ct mark map { exists . 0x00000000 : 0x0000000a, missing . 0x00000001 : 0x0000000b }

- Better error reporting when a set/map is re-declared with a different type:

    Error: Cannot merge set with existing datamap of same name
    set z {
    ^

- Reduce memory consumption in sets consisting of a concatenation of intervals:

    table inet x {
        set y {
            typeof ip saddr . tcp dport
            flags interval
            elements = { 0.1.2.0-0.1.2.240 . 0-1, ... }
        }
    }

  Using the set that appears in this example above, with 100k elements:

    Before: 123.80 Mbytes
    After:   80.19 Mbytes (-35.23%)

- Reduce memory consumption in maps with intervals:

    table inet x {
        map y {
            typeof ip saddr : ip saddr
            flags interval
            elements = { 1.0.2.0-1.0.2.240 : 1.0.2.10, ... }
        }
    }

  Using the map that appears in this example above, with 100k elements:

    Before: 74.36 Mbytes
    After:  62.39 Mbytes (-16.10%)

- Restore meta hour matching on ranges spanning date boundaries, eg.

    ... meta hour "21:00"-"02:00"

  N.B: This broke in the previous nftables 1.1.3 release.

- Display the number of set elements in listings:

    table ip t {
        set s {
            type ipv4_addr
            size 65535      # count 1
            flags dynamic
            counter
            elements = { 1.1.1.1 counter packets 1 bytes 11 }
        }
    }

- Allow deleting a map via its handle:

    delete map t handle 4000

  N.B: In previous versions this was already possible for sets; this fixes an
  inconsistency.

- Harden the JSON parser against issues found by fuzz testing.

- Simplify the JSON flags field representation when a single flag is used, so
  instead of:

    "flags": [
        "interval"
    ],

  use:

    "flags": "interval",

- Quote device names in basechain and flowtable declarations, eg.

    table netdev filter2 {
        chain Main_Ingress2 {
            type filter hook ingress devices = { "eth0", "lo" } priority -500; policy accept;
        }
    }

... as well as man nft(8) documentation updates, and improvements in tests/py
and tests/shell for better coverage.

See changelog for more details (attached to this email).

You can download this new release from:

    https://www.netfilter.org/projects/nftables/downloads.html
    https://www.netfilter.org/pub/nftables/

To build the code, libnftnl >= 1.3.0 and libmnl >= 1.0.4 are required:

* https://netfilter.org/projects/libnftnl/index.html
* https://netfilter.org/projects/libmnl/index.html

Visit our wikipage for user documentation at:

* https://wiki.nftables.org

For the manpage reference, check man(8) nft.

In case of bugs and feature requests, file them via:

* https://bugzilla.netfilter.org

Happy firewalling.
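The "meta hour" regression fixed above is worth testing in your own policy checks, because a time-based rule such as "21:00"-"02:00" silently matches nothing useful if a wrapped range is evaluated as a plain "start <= t <= end" comparison. The following added example (not part of this release or of the nftables code base) models how a range spanning midnight should be evaluated: ranges are modelled as inclusive at both ends and hours are converted to seconds since midnight, which is an assumption of this example rather than a statement about nft internals. The `parse_hour` and `hour_in_range` names are hypothetical.

```python
# Added example: evaluating an nft-style "meta hour" range, including
# ranges that wrap past midnight (e.g. "21:00"-"02:00").

def parse_hour(spec: str) -> int:
    """Parse an 'HH:MM' or 'HH:MM:SS' hour spec into seconds since midnight.

    Assumption of this example: nft accepts both forms; we treat a missing
    seconds field as 00.
    """
    parts = [int(p) for p in spec.split(":")]
    if len(parts) == 2:
        parts.append(0)
    if len(parts) != 3:
        raise ValueError(f"bad hour spec: {spec!r}")
    h, m, s = parts
    if not (0 <= h < 24 and 0 <= m < 60 and 0 <= s < 60):
        raise ValueError(f"bad hour spec: {spec!r}")
    return h * 3600 + m * 60 + s


def hour_in_range(now: str, start: str, end: str) -> bool:
    """Return True if 'now' falls inside the inclusive range start-end.

    When start > end the range wraps across midnight, so the match is
    'from start until 23:59:59' OR 'from 00:00:00 until end'.  Evaluating
    such a range as a plain start <= t <= end is the broken behaviour
    described for nftables 1.1.3.
    """
    t, lo, hi = parse_hour(now), parse_hour(start), parse_hour(end)
    if lo <= hi:
        # same-day range, e.g. "09:00"-"17:00"
        return lo <= t <= hi
    # wrapped range, e.g. "21:00"-"02:00"
    return t >= lo or t <= hi


def broken_same_day_compare(now: str, start: str, end: str) -> bool:
    """The naive comparison, kept only to show what goes wrong on wrap-around."""
    return parse_hour(start) <= parse_hour(now) <= parse_hour(end)


if __name__ == "__main__":
    # Constructed sample times checked against a night-time maintenance window.
    window = ("21:00", "02:00")
    for sample in ("20:59", "21:00", "23:30", "00:00", "01:15", "02:00", "02:01", "12:00"):
        print(f"{sample}  correct={hour_in_range(sample, *window)!s:5}  "
              f"naive={broken_same_day_compare(sample, *window)}")
```

For a same-day window both functions agree; for the wrapped window the naive comparison never matches, which is exactly the kind of silent policy gap a regression test should catch before a rule like this is deployed.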
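The simplified JSON flags representation changes the machine-readable output of `nft -j list ruleset`: any audit or compliance tooling that assumed `"flags"` is always a list will now see a bare string for sets with a single flag, and a naive `"interval" in obj["flags"]` check still passes only because of substring matching. The following added example (not part of nftables or its JSON schema) normalizes both forms so a consumer behaves identically against 1.1.3 and 1.1.4 output. The three ruleset documents are constructed samples that follow the `{"nftables": [...]}` shape of the real output; the helper names `load_ruleset`, `normalize_flags` and `set_flags` are hypothetical.

```python
# Added example: accept both the old list form and the new scalar form of
# the "flags" field in nft JSON output, and answer flag questions uniformly.
import json
from typing import Any

# Constructed sample: set "y" in table "x" as nft 1.1.3 printed it (list form).
OLD_JSON = """
{"nftables": [
  {"metainfo": {"version": "1.1.3", "json_schema_version": 1}},
  {"set": {"family": "inet", "table": "x", "name": "y",
           "type": ["ipv4_addr", "inet_service"], "flags": ["interval"]}}
]}
"""

# Constructed sample: the same set as nft 1.1.4 prints it (scalar form).
NEW_JSON = """
{"nftables": [
  {"metainfo": {"version": "1.1.4", "json_schema_version": 1}},
  {"set": {"family": "inet", "table": "x", "name": "y",
           "type": ["ipv4_addr", "inet_service"], "flags": "interval"}}
]}
"""

# Constructed sample: a set with two flags stays a list in both versions.
MULTI_JSON = """
{"nftables": [
  {"metainfo": {"version": "1.1.4", "json_schema_version": 1}},
  {"set": {"family": "inet", "table": "x", "name": "y",
           "type": ["ipv4_addr", "inet_service"], "flags": ["interval", "timeout"]}}
]}
"""


def normalize_flags(obj: Any) -> Any:
    """Recursively rewrite every "flags" value to the list form.

    Scalar flags become a one-element list; existing lists are copied as-is.
    Everything else in the document is left untouched.
    """
    if isinstance(obj, dict):
        out = {}
        for key, value in obj.items():
            if key == "flags" and isinstance(value, str):
                out[key] = [value]
            else:
                out[key] = normalize_flags(value)
        return out
    if isinstance(obj, list):
        return [normalize_flags(item) for item in obj]
    return obj


def load_ruleset(text: str) -> dict:
    """Parse nft JSON output and normalize it to the pre-1.1.4 flags shape."""
    doc = json.loads(text)
    if not isinstance(doc, dict) or "nftables" not in doc:
        raise ValueError("not an nft JSON ruleset document")
    return normalize_flags(doc)


def set_flags(ruleset: dict, table: str, name: str) -> list:
    """Return the flag list of a named set or map, or raise KeyError."""
    for item in ruleset["nftables"]:
        obj = item.get("set") or item.get("map")
        if obj and obj.get("table") == table and obj.get("name") == name:
            return list(obj.get("flags", []))
    raise KeyError(f"no set or map {table}/{name}")


def has_flag(ruleset: dict, table: str, name: str, flag: str) -> bool:
    """Exact membership test; avoids the substring trap of 'x in "interval"'."""
    return flag in set_flags(ruleset, table, name)


if __name__ == "__main__":
    for label, text in (("1.1.3", OLD_JSON), ("1.1.4", NEW_JSON), ("multi", MULTI_JSON)):
        rs = load_ruleset(text)
        print(label, set_flags(rs, "x", "y"), has_flag(rs, "x", "y", "interval"))
```

Normalizing at load time keeps the rest of the tooling version-agnostic; the exact-membership check in `has_flag` matters because `"val" in "interval"` is true for the raw string form even though no flag named `val` exists.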