Hi!

The Netfilter project proudly presents:

        nftables 1.1.6

This release contains fixes:

- Complete lightweight tunnel template support, including vxlan, geneve
  and erspan, e.g.

      table netdev global {
              tunnel t1 {
                      id 10
                      ip saddr 192.168.2.10
                      ip daddr 192.168.2.11
                      sport 1025
                      dport 20020
                      ttl 1
                      erspan {
                              version 1
                              index 2
                      }
              }
              tunnel t2 {
                      id 10
                      ip saddr 192.168.3.10
                      ip daddr 192.168.3.11
                      sport 1025
                      dport 21021
                      ttl 1
                      erspan {
                              version 1
                              index 2
                      }
              }
              chain in {
                      type filter hook ingress device veth0 priority 0;
                      tunnel name ip saddr map { 10.141.10.12 : "t1", 10.141.10.13 : "t2" } fwd to erspan1
              }
      }

  You have to create the erspan1 interface before loading your ruleset.

      ip link add dev erspan1 type erspan external

- Support for wildcard in netdev hooks, e.g. add a basechain to filter
  ingress traffic for all existing vlan devices:

      table netdev t {
              chain c {
                      type filter hook ingress devices = { "vlan*", "veth0" } priority filter; policy accept;
              }
      }

- Support to pass up bridge frames to the bridge device for local
  processing, e.g. pass up all bridge frames for de:ad:00:00:be:ef to the
  IP stack:

      table bridge global {
              chain pre {
                      type filter hook prerouting priority 0; policy accept;
                      ether daddr de:ad:00:00:be:ef meta pkttype set host ether daddr set meta ibrhwaddr accept
              }
      }

  The new meta ibrhwaddr provides the bridge hardware address which can be
  used to mangle the destination address. This requires a Linux kernel >= 6.18.

- New afl++ (american fuzzy lop++) fuzzer infrastructure, enable it with:

      ./configure --with-fuzzer

  and read tests/afl++/README to build and run tools/nft-afl.

- fib expression incorrect bytecode for Big Endian. Instead of:

      [ fib saddr . iif oif present => reg 1 ]
      [ cmp eq reg 1 0x01000000 ]

  generate:

      [ fib saddr . iif oif present => reg 1 ]
      [ cmp eq reg 1 0x00000001 ]

  among other Big Endian fixes.

... and man nft(8) documentation updates and more small fixes.

See changelog for more details (attached to this email).
You can download this new release from:

  https://www.netfilter.org/projects/nftables/downloads.html
  https://www.netfilter.org/pub/nftables/

To build the code, libnftnl >= 1.3.1 and libmnl >= 1.0.4 are required:

  * https://netfilter.org/projects/libnftnl/index.html
  * https://netfilter.org/projects/libmnl/index.html

Visit our wikipage for user documentation at:

  * https://wiki.nftables.org

For the manpage reference, check man(8) nft.

In case of bugs and feature requests, file them via:

  * https://bugzilla.netfilter.org

Happy firewalling.
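The erspan tunnel item above requires a specific ordering (create erspan1, then load the ruleset), and the bridge item requires a kernel of at least 6.18. The script below is an added example, not part of the announcement or of the nftables project's own code: it writes the announcement's tunnel ruleset to a file, extracts the "fwd to" targets so the missing devices can be reported before nft -f fails on them, validates with nft -c before applying, and checks the running kernel against a minimum version. Assumptions (not from the announcement): the file path, the veth peer name "veth1" used to bring veth0 into existence, that iproute2 and nft are on PATH, and that the privileged part is run as root with the argument "run".

```shell
#!/bin/sh
# Added example (not the nftables project's code): script the procedure
# from the 1.1.6 announcement for the erspan tunnel ruleset.
set -eu

RULESET="${RULESET:-${TMPDIR:-/tmp}/erspan-tunnels.nft}"   # assumed location

# Write the tunnel ruleset from the announcement to $1 and print the path.
write_ruleset() {
    cat > "$1" <<'EOF'
table netdev global {
    tunnel t1 {
        id 10
        ip saddr 192.168.2.10
        ip daddr 192.168.2.11
        sport 1025
        dport 20020
        ttl 1
        erspan {
            version 1
            index 2
        }
    }
    tunnel t2 {
        id 10
        ip saddr 192.168.3.10
        ip daddr 192.168.3.11
        sport 1025
        dport 21021
        ttl 1
        erspan {
            version 1
            index 2
        }
    }
    chain in {
        type filter hook ingress device veth0 priority 0;
        tunnel name ip saddr map { 10.141.10.12 : "t1", 10.141.10.13 : "t2" } fwd to erspan1
    }
}
EOF
    printf '%s\n' "$1"
}

# Print the sorted, unique device names a ruleset forwards to ("fwd to X").
fwd_devices() {
    sed -n 's/.*fwd to \([A-Za-z0-9_.-]*\).*/\1/p' "$1" | sort -u
}

# Print every "fwd to" device of ruleset $1 that does not exist yet.
missing_fwd_devices() {
    for dev in $(fwd_devices "$1"); do
        [ -e "/sys/class/net/$dev" ] || printf '%s\n' "$dev"
    done
}

# Return 0 when version $2 (default: running kernel) is at least $1.
# Only major.minor are compared; suffixes such as "-rc1" are ignored.
kernel_at_least() {
    want="$1"; have="${2:-$(uname -r)}"
    want_major=${want%%.*}; want_minor=${want#*.}; want_minor=${want_minor%%.*}
    have_major=${have%%.*}; have_minor=${have#*.}; have_minor=${have_minor%%[!0-9]*}
    if [ "$have_major" -gt "$want_major" ]; then return 0; fi
    if [ "$have_major" -eq "$want_major" ] && [ "$have_minor" -ge "$want_minor" ]; then return 0; fi
    return 1
}

# Privileged part: create the devices the ruleset references, then load it.
main() {
    file=$(write_ruleset "$RULESET")
    # The ingress basechain binds to veth0; create a veth pair if it is absent
    # (peer name "veth1" is an assumption of this example).
    [ -e /sys/class/net/veth0 ] || ip link add veth0 type veth peer name veth1
    # The announcement's step: erspan1 must exist before the ruleset is loaded.
    for dev in $(missing_fwd_devices "$file"); do
        ip link add dev "$dev" type erspan external
    done
    nft -c -f "$file"      # parse and validate without applying
    nft -f "$file"         # apply
    nft list table netdev global
}

# Run the privileged part only when invoked as: ./script run (as root).
if [ "${1:-}" = "run" ] && [ "$(id -u)" -eq 0 ]; then main; fi
```

The helper functions run without privileges, so the preflight (which devices are missing, whether the kernel is new enough for meta ibrhwaddr) can be done before touching the ruleset; only main needs CAP_NET_ADMIN.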