New upstream version 1.0.0

sever-sever · Sep 4, 2021 · 3d9fb4f · 3d9fb4f
1 parent b63b60f
commit 3d9fb4f
Show file tree

Hide file tree

Showing 184 changed files with 14,386 additions and 16,517 deletions.
diff --git a/Make_global.am b/Make_global.am
@@ -18,4 +18,4 @@
 # set age to 0.
 # </snippet>
 #
-libnftables_LIBVERSION=1:0:0
+libnftables_LIBVERSION=2:0:1
diff --git a/configure b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for nftables 0.9.9.
+# Generated by GNU Autoconf 2.69 for nftables 1.0.0.
 #
 # Report bugs to <[email protected]>.
 #
@@ -590,8 +590,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='nftables'
 PACKAGE_TARNAME='nftables'
-PACKAGE_VERSION='0.9.9'
-PACKAGE_STRING='nftables 0.9.9'
+PACKAGE_VERSION='1.0.0'
+PACKAGE_STRING='nftables 1.0.0'
 PACKAGE_BUGREPORT='[email protected]'
 PACKAGE_URL=''
 
@@ -1373,7 +1373,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures nftables 0.9.9 to adapt to many kinds of systems.
+\`configure' configures nftables 1.0.0 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1444,7 +1444,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of nftables 0.9.9:";;
+     short | recursive ) echo "Configuration of nftables 1.0.0:";;
    esac
   cat <<\_ACEOF
 
@@ -1585,7 +1585,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-nftables configure 0.9.9
+nftables configure 1.0.0
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1863,7 +1863,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by nftables $as_me 0.9.9, which was
+It was created by nftables $as_me 1.0.0, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -2212,7 +2212,7 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
 
 
 
-$as_echo "#define RELEASE_NAME \"Prudence Pimpleton\"" >>confdefs.h
+$as_echo "#define RELEASE_NAME \"Fearless Fosdick #2\"" >>confdefs.h
 
 
 ac_aux_dir=
@@ -2731,7 +2731,7 @@ fi
 
 # Define the identity of the package.
  PACKAGE='nftables'
- VERSION='0.9.9'
+ VERSION='1.0.0'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -14071,7 +14071,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by nftables $as_me 0.9.9, which was
+This file was extended by nftables $as_me 1.0.0, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -14137,7 +14137,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-nftables config.status 0.9.9
+nftables config.status 1.0.0
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 

diff --git a/configure.ac b/configure.ac
@@ -1,5 +1,5 @@
-AC_INIT([nftables], [0.9.9], [[email protected]])
-AC_DEFINE([RELEASE_NAME], ["Prudence Pimpleton"], [Release name])
+AC_INIT([nftables], [1.0.0], [[email protected]])
+AC_DEFINE([RELEASE_NAME], ["Fearless Fosdick #2"], [Release name])
 
 AC_CONFIG_AUX_DIR([build-aux])
 AC_CONFIG_MACRO_DIR([m4])

diff --git a/doc/libnftables-json.5 b/doc/libnftables-json.5
@@ -2,12 +2,12 @@
 .\"     Title: libnftables-json
 .\"    Author: Phil Sutter <[email protected]>
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 05/25/2021
+.\"      Date: 08/19/2021
 .\"    Manual: \ \&
 .\"    Source: \ \&
 .\"  Language: English
 .\"
-.TH "LIBNFTABLES\-JSON" "5" "05/25/2021" "\ \&" "\ \&"
+.TH "LIBNFTABLES\-JSON" "5" "08/19/2021" "\ \&" "\ \&"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -1640,7 +1640,7 @@ or
 .PP
 \fBexpr\fR
 .RS 4
-ICMP type to reject with\&.
+ICMP code to reject with\&.
 .RE
 .sp
 All properties are optional\&.

diff --git a/doc/libnftables-json.adoc b/doc/libnftables-json.adoc
@@ -904,7 +904,7 @@ Reject the packet and send the given error reply.
 *type*::
 	Type of reject, either *"tcp reset"*, *"icmpx"*, *"icmp"* or *"icmpv6"*.
 *expr*::
-	ICMP type to reject with.
+	ICMP code to reject with.
 
 All properties are optional.
 

diff --git a/doc/libnftables.3 b/doc/libnftables.3
@@ -2,12 +2,12 @@
 .\"     Title: libnftables
 .\"    Author: Phil Sutter <[email protected]>
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 05/25/2021
+.\"      Date: 08/19/2021
 .\"    Manual: \ \&
 .\"    Source: \ \&
 .\"  Language: English
 .\"
-.TH "LIBNFTABLES" "3" "05/25/2021" "\ \&" "\ \&"
+.TH "LIBNFTABLES" "3" "08/19/2021" "\ \&" "\ \&"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------

diff --git a/doc/nft.8 b/doc/nft.8
@@ -2,12 +2,12 @@
 .\"     Title: nft
 .\"    Author: [see the "AUTHORS" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 05/25/2021
+.\"      Date: 08/19/2021
 .\"    Manual: \ \&
 .\"    Source: \ \&
 .\"  Language: English
 .\"
-.TH "NFT" "8" "05/25/2021" "\ \&" "\ \&"
+.TH "NFT" "8" "08/19/2021" "\ \&" "\ \&"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -70,6 +70,12 @@ Read input from
 is \-, read from stdin\&.
 .RE
 .PP
+\fB\-D\fR, \fB\-\-define \fR\fB\fIname=value\fR\fR
+.RS 4
+Define a variable\&. You can only combine this option with
+\fI\-f\fR\&.
+.RE
+.PP
 \fB\-i\fR, \fB\-\-interactive\fR
 .RS 4
 Read input from an interactive readline CLI\&. You can use quit to exit, or use the EOF marker, normally this is CTRL\-D\&.
@@ -1489,6 +1495,21 @@ List all flowtables\&.
 T}
 .TE
 .sp 1
+.SH "LISTING"
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+\fBlist { secmarks | synproxys | flow tables | meters | hooks }\fR [\fIfamily\fR]
+\fBlist { secmarks | synproxys | flow tables | meters | hooks } table\fR [\fIfamily\fR] \fItable\fR
+\fBlist ct { timeout | expectation | helper | helpers } table\fR [\fIfamily\fR] \fItable\fR
+.fi
+.if n \{\
+.RE
+.\}
+.sp
+Inspect configured objects\&. \fBlist hooks\fR shows the full hook pipeline, including those registered by kernel modules, such as nf_conntrack\&.
 .SH "STATEFUL OBJECTS"
 .sp
 .if n \{\
@@ -1499,6 +1520,7 @@ T}
 \fBdelete\fR \fItype\fR [\fIfamily\fR] \fItable\fR \fBhandle\fR \fIhandle\fR
 \fBlist counters\fR [\fIfamily\fR]
 \fBlist quotas\fR [\fIfamily\fR]
+\fBlist limits\fR [\fIfamily\fR]
 .fi
 .if n \{\
 .RE
@@ -4795,7 +4817,7 @@ T}
 .RS 4
 .\}
 .nf
-\fBvlan\fR {\fBid\fR | \fBcfi\fR | \fBpcp\fR | \fBtype\fR}
+\fBvlan\fR {\fBid\fR | \fBdei\fR | \fBpcp\fR | \fBtype\fR}
 .fi
 .if n \{\
 .RE
@@ -4833,10 +4855,10 @@ integer (12 bit)
 T}
 T{
 .sp
-cfi
+dei
 T}:T{
 .sp
-Canonical Format Indicator
+Drop Eligible Indicator
 T}:T{
 .sp
 integer (1 bit)
@@ -6984,8 +7006,8 @@ There are three types of conntrack expressions\&. Some conntrack expressions req
 .RS 4
 .\}
 .nf
-\fBct\fR {\fBstate\fR | \fBdirection\fR | \fBstatus\fR | \fBmark\fR | \fBexpiration\fR | \fBhelper\fR | \fBlabel\fR}
-\fBct\fR [\fBoriginal\fR | \fBreply\fR] {\fBl3proto\fR | \fBprotocol\fR | \fBbytes\fR | \fBpackets\fR | \fBavgpkt\fR | \fBzone\fR | \fBid\fR}
+\fBct\fR {\fBstate\fR | \fBdirection\fR | \fBstatus\fR | \fBmark\fR | \fBexpiration\fR | \fBhelper\fR | \fBlabel\fR | \fBcount\fR | \fBid\fR}
+\fBct\fR [\fBoriginal\fR | \fBreply\fR] {\fBl3proto\fR | \fBprotocol\fR | \fBbytes\fR | \fBpackets\fR | \fBavgpkt\fR | \fBzone\fR}
 \fBct\fR {\fBoriginal\fR | \fBreply\fR} {\fBproto\-src\fR | \fBproto\-dst\fR}
 \fBct\fR {\fBoriginal\fR | \fBreply\fR} {\fBip\fR | \fBip6\fR} {\fBsaddr\fR | \fBdaddr\fR}
 .fi
@@ -7590,9 +7612,9 @@ ip6 filter output log flags all
 .nf
 \fBreject\fR [ \fBwith\fR \fIREJECT_WITH\fR ]
 
-\fIREJECT_WITH\fR := \fBicmp type\fR \fIicmp_code\fR |
-                 \fBicmpv6 type\fR \fIicmpv6_code\fR |
-                 \fBicmpx type\fR \fIicmpx_code\fR |
+\fIREJECT_WITH\fR := \fBicmp\fR \fIicmp_code\fR |
+                 \fBicmpv6\fR \fIicmpv6_code\fR |
+                 \fBicmpx\fR \fIicmpx_code\fR |
                  \fBtcp reset\fR
 .fi
 .if n \{\
@@ -8350,16 +8372,20 @@ This statement passes the packet to userspace using the nfnetlink_queue handler\
 .RS 4
 .\}
 .nf
-\fBqueue\fR [\fBnum\fR \fIqueue_number\fR] [\fBbypass\fR]
-\fBqueue\fR [\fBnum\fR \fIqueue_number_from\fR \- \fIqueue_number_to\fR] [\fIQUEUE_FLAGS\fR]
+\fBqueue\fR [\fBflags\fR \fIQUEUE_FLAGS\fR] [\fBnum\fR \fIqueue_number\fR]
+\fBqueue\fR [\fBflags\fR \fIQUEUE_FLAGS\fR] [\fBnum\fR \fIqueue_number_from\fR \- \fIqueue_number_to\fR]
+\fBqueue\fR [\fBflags\fR \fIQUEUE_FLAGS\fR] [\fBto\fR \fIQUEUE_EXPRESSION\fR ]
 
 \fIQUEUE_FLAGS\fR := \fIQUEUE_FLAG\fR [\fB,\fR \fIQUEUE_FLAGS\fR]
 \fIQUEUE_FLAG\fR  := \fBbypass\fR | \fBfanout\fR
+\fIQUEUE_EXPRESSION\fR := \fBnumgen\fR | \fBhash\fR | \fBsymhash\fR | \fBMAP STATEMENT\fR
 .fi
 .if n \{\
 .RE
 .\}
 .sp
+QUEUE_EXPRESSION can be used to compute a queue number at run\-time with the hash or numgen expressions\&. It also allows to use the map statement to assign fixed queue numbers based on external inputs such as the source ip address or interface names\&.
+.sp
 .it 1 an-trap
 .nr an-no-space-flag 1
 .nr an-break-flag 1

diff --git a/doc/nft.txt b/doc/nft.txt
@@ -44,6 +44,10 @@ understanding of their meaning. You can get information about options by running
 *--file 'filename'*::
 	Read input from 'filename'. If 'filename' is -, read from stdin.
 
+*-D*::
+*--define 'name=value'*::
+	Define a variable. You can only combine this option with '-f'.
+
 *-i*::
 *--interactive*::
 	Read input from an interactive readline CLI. You can use quit to exit, or use the EOF marker,
@@ -683,6 +687,16 @@ and subtraction can be used to set relative priority, e.g. filter + 5 equals to
 *delete*:: Delete the specified flowtable.
 *list*:: List all flowtables.
 
+LISTING
+-------
+[verse]
+*list { secmarks | synproxys | flow tables | meters | hooks }* ['family']
+*list { secmarks | synproxys | flow tables | meters | hooks } table* ['family'] 'table'
+*list ct { timeout | expectation | helper | helpers } table* ['family'] 'table'
+
+Inspect configured objects.
+*list hooks* shows the full hook pipeline, including those registered by
+kernel modules, such as nf_conntrack.
 
 STATEFUL OBJECTS
 ----------------
@@ -691,6 +705,7 @@ STATEFUL OBJECTS
 *delete* 'type' ['family'] 'table' *handle* 'handle'
 *list counters* ['family']
 *list quotas* ['family']
+*list limits* ['family']
 
 Stateful objects are attached to tables and are identified by a unique name.
 They group stateful information from rules, to reference them in rules the

diff --git a/doc/payload-expression.txt b/doc/payload-expression.txt
@@ -21,7 +21,7 @@ ether_type
 VLAN HEADER EXPRESSION
 ~~~~~~~~~~~~~~~~~~~~~~
 [verse]
-*vlan* {*id* | *cfi* | *pcp* | *type*}
+*vlan* {*id* | *dei* | *pcp* | *type*}
 
 .VLAN header expression
 [options="header"]
@@ -30,8 +30,8 @@ VLAN HEADER EXPRESSION
 |id|
 VLAN ID (VID) |
 integer (12 bit)
-|cfi|
-Canonical Format Indicator|
+|dei|
+Drop Eligible Indicator|
 integer (1 bit)
 |pcp|
 Priority code point|
@@ -699,8 +699,8 @@ is true for the *zone*, if a direction is given, the zone is only matched if the
 zone id is tied to the given direction. +
 
 [verse]
-*ct* {*state* | *direction* | *status* | *mark* | *expiration* | *helper* | *label*}
-*ct* [*original* | *reply*] {*l3proto* | *protocol* | *bytes* | *packets* | *avgpkt* | *zone* | *id*}
+*ct* {*state* | *direction* | *status* | *mark* | *expiration* | *helper* | *label* | *count* | *id*}
+*ct* [*original* | *reply*] {*l3proto* | *protocol* | *bytes* | *packets* | *avgpkt* | *zone*}
 *ct* {*original* | *reply*} {*proto-src* | *proto-dst*}
 *ct* {*original* | *reply*} {*ip* | *ip6*} {*saddr* | *daddr*}
 

diff --git a/doc/statements.txt b/doc/statements.txt
@@ -163,9 +163,9 @@ REJECT STATEMENT
 ____
 *reject* [ *with* 'REJECT_WITH' ]
 
-'REJECT_WITH' := *icmp type* 'icmp_code' |
-                 *icmpv6 type* 'icmpv6_code' |
-                 *icmpx type* 'icmpx_code' |
+'REJECT_WITH' := *icmp* 'icmp_code' |
+                 *icmpv6* 'icmpv6_code' |
+                 *icmpx* 'icmpx_code' |
                  *tcp reset*
 ____
 
@@ -589,13 +589,19 @@ for details.
 
 [verse]
 ____
-*queue* [*num* 'queue_number'] [*bypass*]
-*queue* [*num* 'queue_number_from' - 'queue_number_to'] ['QUEUE_FLAGS']
+*queue* [*flags* 'QUEUE_FLAGS'] [*num* 'queue_number']
+*queue* [*flags* 'QUEUE_FLAGS'] [*num* 'queue_number_from' - 'queue_number_to']
+*queue* [*flags* 'QUEUE_FLAGS'] [*to* 'QUEUE_EXPRESSION' ]
 
 'QUEUE_FLAGS' := 'QUEUE_FLAG' [*,* 'QUEUE_FLAGS']
 'QUEUE_FLAG'  := *bypass* | *fanout*
+'QUEUE_EXPRESSION' := *numgen* | *hash* | *symhash* | *MAP STATEMENT*
 ____
 
+QUEUE_EXPRESSION can be used to compute a queue number
+at run-time with the hash or numgen expressions. It also
+allows to use the map statement to assign fixed queue numbers
+based on external inputs such as the source ip address or interface names.
 
 .queue statement values
 [options="header"]