Dominick Grift (1):
      files: improve secmark.nft example

Eric Garver (1):
      json: init parser state for every new buffer/file

Florian Westphal (54):
      json: fix icmpv6.t test cases
      json: limit: set default burst to 5
      json: ct: add missing rule
      json: icmp: refresh json output
      json: icmp: move expected parts to json.output
      json: ct: add missing test input
      exthdr: remove tcp dependency for tcp option matching
      src: evaluate: reset context maxlen value before prio evaluation
      tests: add icmp/6 test where dependency should be left alone
      payload: check icmp dependency before removing previous icmp expression
      testcases: move two dump files to correct location
      tests: add empty dynamic set
      evaluate: do not crash if dynamic set has no statements
      trace: do not remove icmp type from packet dump
      tests: extend dtype test case to cover expression with integer type
      evaluate: pick data element byte order, not dtype one
      evaluate: set evaluation context for set elements
      src: allow use of 'verdict' in typeof definitions
      parser: re-enable support for concatentation on map RHS
      parser: squash duplicated spec/specid rules
      parser: compact map RHS type
      parser: compact ct obj list types
      scanner: remove unused tokens
      scanner: introduce start condition stack
      scanner: queue: move to own scope
      scanner: ipsec: move to own scope
      scanner: rt: move to own scope
      scanner: socket: move to own scope
      scanner: ct: move to own scope
      scanner: ip: move to own scope
      scanner: ip6: move to own scope
      scanner: add fib scope
      scanner: add ether scope
      scanner: arp: move to own scope
      scanner: remove saddr/daddr from initial state
      scanner: vlan: move to own scope
      scanner: limit: move to own scope
      scanner: quota: move to own scope
      scanner: move until,over,used keywords away from init state
      scanner: secmark: move to own scope
      scanner: avoid -fasan heap overflow warnings
      scanner: add support for scope nesting
      scanner: counter: move to own scope
      scanner: log: move to own scope
      parser: add missing scope_close annotation for RT keyword
      parser: fix scope closure of COUNTER token
      netlink: don't crash when set elements are not evaluated as expected
      src: vlan: allow matching vlan id insider 802.1ad frame
      proto: add 8021ad as mnemonic for IEEE 802.1AD (0x88a8) ether type
      payload: be careful on vlan dependency removal
      tests: add 8021.AD vlan test cases
      proto: replace vlan ether type with 8021q
      evaluate: check if nat statement map specifies a transport header expr
      doc: tiny spelling fix in stateful object section s/an/a

Frank Wunderlich (1):
      nftables: add flags offload to flowtable

Jan Engelhardt (1):
      files: move example files away from /etc

Laura Garcia Liebana (1):
      parser: allow to load stateful ct connlimit elements in sets

Marco Oliverio (1):
      cache: check errno before invoking cache_release()

Pablo Neira Ayuso (62):
      evaluate: disallow ct original {s,d}ddr from concatenations
      src: add negation match on singleton bitmask value
      tests: shell: extend 0025empty_dynset_0 to cover multi-statement support
      evaluate: incorrect usage of stmt_binary_error() in reject
      table: rework flags printing
      table: support for the table owner flag
      mnl: remove nft_mnl_socket_reopen()
      cache: memleak list of chain
      expression: memleak in verdict_expr_parse_udata()
      src: move remaining cache functions in rule.c to cache.c
      segtree: release single element already contained in an interval
      tests: shell: flowtable add after delete in batch
      tests: shell: fix 0025empty_dynset_0
      doc: no need to define a set in ct state
      src: add datatype->describe()
      rule: remove semicolon in flowtable offload
      mnl: do not set flowtable flags twice
      parser_bison: simplify flowtable offload flag parser
      cache: rename chain_htable to cache_chain_ht
      src: split chain list in table
      evaluate: use chain hashtable for lookups
      cache: statify chain_cache_dump()
      cache: check for NULL chain in cache_init()
      cache: add hashtable cache for sets
      cache: bail out if chain list cannot be fetched from kernel
      Makefile: missing owner.h file
      parser_bison: missing relational operation on flag list
      tests: shell: remove missing modules
      src: unbreak deletion by table handle
      rule: skip fuzzy lookup for unexisting 64-bit handle
      src: pass chain name to chain_cache_find()
      src: consolidate nft_cache infrastructure
      src: consolidate object cache infrastructure
      cache: add hashtable cache for object
      cache: add hashtable cache for flowtable
      cache: add set_cache_del() and use it
      evaluate: add set to the cache
      evaluate: add flowtable to the cache
      cache: missing table cache for several policy objects
      evaluate: add object to the cache
      cache: add hashtable cache for table
      evaluate: remove chain from cache on delete chain command
      evaluate: remove set from cache on delete set command
      evaluate: remove flowtable from cache on delete flowtable command
      evaluate: remove object from cache on delete object command
      src: add cgroupsv2 support
      parser_bison: add set_elem_key_expr rule
      src: add set element catch-all support
      evaluate: don't crash on set definition with incorrect datatype
      tests: shell: don't assume fixed handle value in cache/0008_delete_by_handle_0
      netlink_delinearize: fix binary operation postprocessing with sets
      parser_bison: add shortcut syntax for matching flags without binary operations
      src: use PRIu64 format
      datatype: skip cgroupv2 rootfs in listing
      doc: document cgroupv2
      libnftables: location-based error reporting for chain type
      cmd: typo in chain fuzzy lookup
      rule: skip exact matches on fuzzy lookup
      evaluate: allow == and != in the new shortcut syntax to match for flags
      expression: display an error on unknown datatype
      include: missing sctp_chunk.h in Makefile.am
      build: Bump version to v0.9.9

Pavel Tikhomirov (1):
      nftables: xt: fix misprint in nft_xt_compatible_revision

Phil Sutter (18):
      reject: Fix for missing dependencies in netdev family
      reject: Unify inet, netdev and bridge delinearization
      json: limit: Always include burst value
      json: Do not abbreviate reject statement object
      tests/py: Write dissenting payload into the right file
      tests/py: Add a test sanitizer and fix its findings
      erec: Sanitize erec location indesc
      monitor: Don't print newgen message with JSON output
      tests/py: Adjust payloads for fixed nat statement dumps
      mnl: Set NFTNL_SET_DATA_TYPE before dumping set elements
      tests/py: Fix for missing JSON equivalent in any/ct.t.json
      mnl: Increase BATCH_PAGE_SIZE to support huge rulesets
      doc: Reduce size of NAT statement synopsis
      scanner: sctp: Move to own scope
      json: Simplify non-tcpopt exthdr printing a bit
      exthdr: Implement SCTP Chunk matching
      doc: nft.8: Extend monitor description by trace
      expr_postprocess: Avoid an unintended fall through

Simon Ruderich (4):
      doc: add * to include example to actually include files
      doc: remove duplicate tables in synproxy example
      doc: move drop rule on a separate line in blackhole example
      doc: use symbolic names for chain priorities

Stefano Brivio (2):
      segtree: Fix range_mask_len() for subnet ranges exceeding unsigned int
      tests: Introduce 0043_concatenated_ranges_1 for subnets of different sizes

Štěpán Němec (3):
      tests: monitor: use correct $nft value in EXIT trap
      main: fix nft --help output fallout from 719e4427
      doc: nft: fix some typos and formatting issues