forked from pool/nftables
Jan Engelhardt
dda4e0611e
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/nftables?expand=0&rev=67
317 lines
13 KiB
Plaintext
317 lines
13 KiB
Plaintext
-------------------------------------------------------------------
|
|
Tue May 31 13:34:12 UTC 2022 - Jan Engelhardt <jengelh@inai.de>
|
|
|
|
- Update to release 1.0.3
|
|
* Support for wildcard interface name matching with sets
|
|
* Support for runtime auto-merge of set elements.
|
|
* Enhancements for the ruleset optimization -o/--optimize
|
|
option which allows to coalesce several NAT rules into map.
|
|
* Support for raw expressions in concatenations.
|
|
* Support for integer type protocol header fields in concatenations.
|
|
* Allow to reset TCP options (requires Linux kernel >= 5.18)
|
|
- Drop 0001-build-add-missing-AM_CPPFLAGS-to-examples.patch
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Feb 22 04:39:01 UTC 2022 - Jan Engelhardt <jengelh@inai.de>
|
|
|
|
- Update to release 1.0.2
|
|
* New ruleset optimization -o/--optimize option.
|
|
* Support for IP and TCP options and SCTP chunks in sets.
|
|
* Support for tcp fastopen, md5sig and mptcp options.
|
|
* MP-TCP subtype matching support.
|
|
* JSON support for flowtables.
|
|
- Add 0001-build-add-missing-AM_CPPFLAGS-to-examples.patch
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Nov 18 22:15:03 UTC 2021 - Jan Engelhardt <jengelh@inai.de>
|
|
|
|
- Update to release 1.0.1
|
|
* Reduce memory footprint when loading large sets/maps.
|
|
* Speed up reload of large sets/maps.
|
|
* Speed up listing of specific tables in large ruleset, e.g.
|
|
large ruleset with ~100k lines.
|
|
* Speed up --terse option when listing a ruleset large sets/maps.
|
|
* Print raw payload expression in hexadecimal, e.g.
|
|
"@ll,0,8 & 0x80 == 0x80"
|
|
* egress hook support (available since 5.16-rc1).
|
|
* Allow matching and update bytes at inner header/payload
|
|
offset (available since 5.16-rc1).
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Aug 19 18:06:29 UTC 2021 - Jan Engelhardt <jengelh@inai.de>
|
|
|
|
- Update to release 1.0.0
|
|
* Catch-all set element support.
|
|
* The command-line option --define is now recognized.
|
|
* Stateful expressions in maps.
|
|
* Allow combination of jhash, symhash and numgen expressions with
|
|
the queue statement.
|
|
* Allow combination of verdict maps with interval concatenations.
|
|
|
|
-------------------------------------------------------------------
|
|
Tue May 25 23:20:59 UTC 2021 - Jan Engelhardt <jengelh@inai.de>
|
|
|
|
- Update to release 0.9.9
|
|
* Flowtable hardware offload support
|
|
* Support for the table owner flag.
|
|
* 802.1ad (QinQ) support
|
|
* cgroupsv2 support.
|
|
* match on SCTP packet chunks (dependent on Linux 5.14)
|
|
* Allow to use verdict in set/map typeof definitions
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Jan 15 22:28:26 UTC 2021 - Jan Engelhardt <jengelh@inai.de>
|
|
|
|
- Update to release 0.9.8
|
|
* Complete support for matching ICMP header content fields.
|
|
* Added raw tcp option match support.
|
|
* Added ability to check for the presence of any tcp option.
|
|
* Support for rejecting traffic from the ingress chain.
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Oct 27 12:08:37 UTC 2020 - Jan Engelhardt <jengelh@inai.de>
|
|
|
|
- Update to release 0.9.7
|
|
* Support for implicit chains
|
|
* Support for ingress inet chains
|
|
* Support for reject from prerouting chain
|
|
* Support for --terse option in json
|
|
* Support for the reset command with json
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Jun 16 13:37:28 UTC 2020 - Jan Engelhardt <jengelh@inai.de>
|
|
|
|
- Update to release 0.9.6
|
|
* Fix two ASAN runtime errors
|
|
|
|
-------------------------------------------------------------------
|
|
Sat Jun 6 12:03:35 UTC 2020 - Jan Engelhardt <jengelh@inai.de>
|
|
|
|
- Update to release 0.9.5
|
|
* Support for set counters.
|
|
* Support for restoring set element counters via nft -f.
|
|
* Counter support for flowtables.
|
|
* typeof concatenations support for sets.
|
|
* Support for concatenated ranges in anonymous sets.
|
|
* Allow to reject packets with 802.1q from the bridge family.
|
|
* Support for matching on the conntrack ID.
|
|
- Drop anonset-crashfix.patch (upstream solved differently)
|
|
|
|
-------------------------------------------------------------------
|
|
Thu May 7 11:41:07 UTC 2020 - Jan Engelhardt <jengelh@inai.de>
|
|
|
|
- Add anonset-crashfix.patch [boo#1171321]
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Apr 1 18:48:56 UTC 2020 - Jan Engelhardt <jengelh@inai.de>
|
|
|
|
- Update to release 0.9.4
|
|
* Add a helper for concat expression handling.
|
|
* Add "typeof" build/parse/print support.
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Dec 9 09:39:52 UTC 2019 - Jan Engelhardt <jengelh@inai.de>
|
|
|
|
- Add json, python [boo#1158723]
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Dec 3 09:09:28 UTC 2019 - Jan Engelhardt <jengelh@inai.de>
|
|
|
|
- Update to release 0.9.3
|
|
* meta: Introduce new conditions "time", "day" and "hour".
|
|
* src: add ability to set/get secmarks to/from connection.
|
|
* flowtable: add support for named flowtable listing.
|
|
* flowtable: add support for delete command by handle.
|
|
* json: add support for element deletion.
|
|
* Add `-T` as the short option for `--numeric-time`.
|
|
* meta: add ibrpvid and ibrvproto support
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Aug 19 12:37:45 UTC 2019 - Jan Engelhardt <jengelh@inai.de>
|
|
|
|
- Update to new upstream release 0.9.2
|
|
* Transport header port matching, e.g. "th dport 53"
|
|
* Support for matching on IPv4 options
|
|
* Support for synproxy
|
|
|
|
-------------------------------------------------------------------
|
|
Sat Jan 19 20:53:09 UTC 2019 - Stefan Brüns <stefan.bruens@rwth-aachen.de>
|
|
|
|
- Remove unused dblatex BuildRequires, only needed for the optional
|
|
and disabled PDF generation (same contents as shipped manpage).
|
|
|
|
-------------------------------------------------------------------
|
|
Sat Jun 9 07:28:57 UTC 2018 - jengelh@inai.de
|
|
|
|
- Update to new upstream release 0.9.0
|
|
* Support to check if packet matches an existing socket.
|
|
* Support to limit number of active connections by arbitrary
|
|
criteria, such as ip addresses, networks, conntrack zones or
|
|
any combination thereof.
|
|
* Added support for "audit" logging.
|
|
|
|
-------------------------------------------------------------------
|
|
Fri May 11 07:30:10 UTC 2018 - jengelh@inai.de
|
|
|
|
- Update to new upstream release 0.8.5
|
|
* support to add/insert a rule at a given index position
|
|
* meter statement now supports a configureable upper max size
|
|
* timeouts for sets can now be specified in milliseconds
|
|
* re-add iptables-like empty skeleton rulesets
|
|
|
|
-------------------------------------------------------------------
|
|
Wed May 2 06:08:00 UTC 2018 - jengelh@inai.de
|
|
|
|
- Update to new upstream release 0.8.4
|
|
* Support to match IPv6 segment routing headers.
|
|
* New "meta ibrname" and "meta obrname" arguments to match the
|
|
name of the logical bridge a packet is passing through.
|
|
These new names replace the old (misnamed) "ibriport"/"obriport".
|
|
* `nft -a` will now show handle identifier for all objects,
|
|
including tables and chains.
|
|
* nft can now delete objects by their handle number.
|
|
* Support to update maps from the ruleset (packet path).
|
|
* the "--echo" option now prints handle id for tables and
|
|
object too.
|
|
* `nft -f -` will now read from standard input
|
|
* Support for flow tables, cf. man page or
|
|
https://lwn.net/Articles/738214/ .
|
|
|
|
-------------------------------------------------------------------
|
|
Sat Mar 3 22:59:01 UTC 2018 - jengelh@inai.de
|
|
|
|
- Update to new upstream release 0.8.3
|
|
* raw payload support to match headers that do not yet have
|
|
received a mnemonic.
|
|
|
|
-------------------------------------------------------------------
|
|
Sat Feb 3 14:26:36 UTC 2018 - jengelh@inai.de
|
|
|
|
- Update to new upstream release 0.8.2
|
|
* add secpath support
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Jan 16 14:16:40 UTC 2018 - jengelh@inai.de
|
|
|
|
- Update to new upstream release 0.8.1
|
|
* This release deprecates the "flow table" syntax in favor
|
|
of "meter".
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Oct 13 08:39:41 UTC 2017 - jengelh@inai.de
|
|
|
|
- Update to new upstream release 0.8
|
|
* This release contains new features available up to the
|
|
(upcoming) Linux 4.14 kernel release:
|
|
* Support for stateful objects, these objects are uniquely
|
|
identified by a user-defined name, you can refer to them from
|
|
rules, and there is a well established interface to operate
|
|
with them.
|
|
* Sort set elements when listing them, from lower to largest.
|
|
* TCP option matching and mangling support. This includes TCP
|
|
maximum segment size mangling.
|
|
* Add new "-s" option for listings without stateful information.
|
|
* Add new -c/--check option for nft, to tests if your ruleset
|
|
loads fine, into the kernel, this is a dry run mode.
|
|
* Connection tracking helper support.
|
|
* Add --echo option, to print the handle that the kernel
|
|
allocates to uniquely identify rules.
|
|
* Conntrack zone support
|
|
* Symmetric hash support
|
|
* Add support to include directories from nft natives scripts,
|
|
files are loaded in alphanumerical order.
|
|
* Allow to check if IPv6 extension header or TCP option exists
|
|
or is missing.
|
|
* Extend quota support to display used bytes.
|
|
* Add ct average matching, to match average bytes per packet a
|
|
connection has transferred so far, to map the existing
|
|
feature available in the iptables connbytes match.
|
|
* Allow to flush maps and flow tables.
|
|
* Allow to embed set definition into an existing set.
|
|
* Conntrack event filtering support via rule.
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Dec 20 22:35:41 UTC 2016 - jengelh@inai.de
|
|
|
|
- Update to new upstream release 0.7
|
|
* Add new fib expression, which can be used to obtain the
|
|
output interface from the route table based on either source
|
|
or destination address of a packet.
|
|
* Support hashing of any arbitrary key combination, eg.
|
|
* Add number generation support. Useful for round-robin packet
|
|
mark setting.
|
|
* Add quota support, eg.
|
|
* Introduce routing expression, for routing related data with
|
|
support for nexthop
|
|
* Notrack support, to explicitly skip connection tracking for
|
|
matching packets.
|
|
* Support to set non-byte bound packet header fields, including
|
|
checksum adjustment.
|
|
* Add 'create set' and 'create element' commands.
|
|
* Allow to use variable reference for set element definitions.
|
|
* Allow to use variable definitions from element commands.
|
|
* Add support to flush set. You can use this new command to
|
|
remove all existing elements in a set.
|
|
* Inverted set lookups.
|
|
* Honor absolute and relative paths via include file, where:
|
|
* Support log flags, to enable logging TCP sequence and options.
|
|
* tc classid parser support, eg.
|
|
* Allow numeric connlabels, so if connlabel still works with
|
|
undefined labels.
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Jun 2 18:31:23 UTC 2016 - jengelh@inai.de
|
|
|
|
- Update to new upstream release 0.6
|
|
* Rules may be replaced now
|
|
* Flow table support (requires Linux >= 4.3)
|
|
* Support for tracing
|
|
* Ratelimiting now supports units like bytes/second.
|
|
* Matchinv VLAN IDs, DSCP/ECN, ICMP RtAdv & RtSol
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Sep 17 21:16:31 UTC 2015 - jengelh@inai.de
|
|
|
|
- Update to new upstream release 0.5
|
|
* Support combinations of two or more selectors to build a tuple
|
|
* Timeout support for sets
|
|
* Dormant flag for tables
|
|
* Default chain policy specifiable on creation
|
|
|
|
-------------------------------------------------------------------
|
|
Sat May 23 23:06:12 UTC 2015 - mrueckert@suse.de
|
|
|
|
- set the url to the project page
|
|
- pass --disable-silent-rules to configure to allow gcc post build
|
|
check to work
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Dec 16 01:25:00 UTC 2014 - jengelh@inai.de
|
|
|
|
- Update to new upstream release 0.4
|
|
* Since Linux 3.18: support for global ruleset operations
|
|
* Since 3.17: full logging support for all the families,
|
|
including nfnetlink_log
|
|
* 3.16: automatic selection of the optimal set implementation
|
|
* 3.14: reject support for ip, ip6 and inet
|
|
* 3.18: reject support for bridge, and reject icmpx abstraction
|
|
* 3.18: masquerade support
|
|
* 3.19: redirect support
|
|
* Extend meta to support pkttype, cpu and devgroup matching.
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Jun 27 17:08:46 UTC 2014 - jengelh@inai.de
|
|
|
|
- Update to new upstream release 0.3
|
|
* More compact syntax for the queue action
|
|
* Match input and output bridge interface name through "meta
|
|
ibriport" and "meta obriport"
|
|
* netlink event monitor, to monitor ruleset events, set changes, etc.
|
|
* New transaction infrastructure - fully atomic updates for all
|
|
object available in the upcoming 3.16.
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Jan 13 09:05:35 UTC 2014 - jengelh@inai.de
|
|
|
|
- Initial package for build.opensuse.org
|