Eric Long (1): libnftables-json: fix raw payload expression documentation Florian Westphal (139): evaluate: set eval ctx for add/update statements with integer constants netlink: restore typeof interval map data type cache: include set elements in "nft set list" evaluate: do not abort when prefix map has non-map element parser: don't assert on scope underflows parser: reject zero-length interface names parser: reject zero-length interface names in flowtables netlink: delinearize: copy set keytype if needed tests: fix inet nat prio tests parser: allow ct timeouts to use time_spec values parser: permit gc-interval in map declarations evaluate: fix get element for concatenated set libnftables: refuse to open onput files other than named pipes or regular files scanner: restrict include directive to regular files tests: never merge across non-expression statements redux rule: never merge across non-expression statements tests: never merge across non-expression statements redux 2 meta: fix hour decoding when timezone offset is negative evaluate: fix rule replacement with anon sets evaluate: guard against NULL basetype evaluate: error out if basetypes are different evaluate: reject attempt to update a set evaluate: catch implicit map expressions without known datatype evaluate: fix double free on dtype release parser: tcpopt: fix tcp option parsing with NUM + length field evaluate: validate chain max length parser_bison: fix objref statement corruption parser_bison: fix memleak in meta set error handling meta: don't crash if meta key isn't known netlink: add and use nft_data_memcpy helper evaluate: fix bogus assertion failure with boolean datatype evaluate: prevent assert when evaluating very large shift values evaluate: turn assert into real error check parser_bison: make sure obj_free releases timeout policies parser_bison: fix ct scope underflow if ct helper section is duplicated parser_bison: fix memory leaks on hookspec error processing evaluate: stmt_nat: set reference must point to a map evaluate: fix gmp assertion with too-large reject code netlink: don't crash if prefix for < byte is requested evaluate: exthdr: statement arg must be not be a range src: reject large raw payload and concat expressions netlink: fix stack buffer overflow with sub-reg sized prefixes evaluate: fix stack overflow with huge priority string tcpopt: don't create exthdr expression without datatype intervals: BUG on prefix expressions without value parser_bison: error out on duplicated type/typeof/element keywords evaluate: don't crash if object map does not refer to a value netlink: fix stack overflow due to erroneous rounding datatype: do not assert when value exceeds expected width evaluate: error out when expression has no datatype evaluate: tproxy: move range error checks after arg evaluation payload: only assert if l2 header base has no length parser: reject raw payload expressions with 0 length evaluate: error out when store needs more than one 128bit register of align fixup rule: fix sym refcount assertion evaluate: don't assert on net/transport header conflict netlink_delinearize: move concat and value postprocessing to helpers src: permit use of constant values in set lookup keys parser_json: allow 0 offsets again parser: compact interval typeof rules parser: compact type/typeof set rules parser: allow typeof in objref maps netlink: allow typeof keywords with objref maps during listing parser: deduplicate map with data interval parser: allow to define maps that contain ct helpers src: do not merge a set with a erroneous one rule: do not crash if to-be-printed flowtable lacks priority src: allow to map key to nfqueue number rule: make cmd_free(NULL) valid netlink_delinarize: fix bogus munging of mask value src: add and use payload_expr_trim_force payload: return early if dependency is not a payload expression segtree: fix string data initialisation expression: tolerate named set protocol dependency json: prevent null deref if chain->policy is not set tests: shell: move flowtable with bogus priority to correct location evaluate: don't allow nat map with specified protocol netlink: fix stack buffer overrun when emitting ranged expressions json: make sure timeout list is initialised parser_bison: ensure all timeout policy names are released src: do not allow to chain more than 16 binops evaluate: don't allow merging interval set/map with non-interval one evaluate: move interval flag compat check after set key evaluation parser_bison: reject non-serializeable typeof expressions rule: return error if table does not exist evaluate: fix assertion failure with malformed map definitions evaluate: reject sets with no key evaluate: don't update cache for anonymous chains meta: fix tc classid parsing out-of-bounds access json: work around fuzzer-induced assert crashes json: fix error propagation when parsing binop lhs/rhs expression: don't try to import empty string evaluate: fix crash when generating reject statement error parser_json: only allow concatenations with 2 or more expressions evaluate: compact STMT_F_STATEFUL checks evaluate: only allow stateful statements in set and map definitions evalute: make vlan pcp updates work tests: py: remove huge-limit test cases tests: py: add missing json.output data tests: py: add payload merging test cases tests: py: fix up udp csum fixup output tests: py: extend raw payload match tests payload: don't kill dependency for proto_th netlink_delinerize: add more restrictions on meta nfproto removal tests: py: fix json single-flag output for fib & synproxy json: return error if table does not exist ct timeout: fix 'list object x' vs. 'list objects in table' confusion ct expectation: fix 'list object x' vs. 'list objects in table' confusion json: don't BUG when asked to list synproxies evaluate: bail out if ct saddr/daddr dependency cannot be inserted src: remove bogus empty file src: netlink: fix crash when ops doesn't support udata doc: add nat examples mnl: catch bogus expressions before crashing evaluate: don't BUG on unexpected base datatype evaluate: rename recursion counter to recursion.binop evaluate: restrict allowed subtypes of concatenations src: BASECHAIN flag no longer implies presence of priority expression json: reject too long interface names evaluate: make sure chain jump name comes with a null byte evaluate: avoid double-free on error handling of bogus objref maps evaluate: check that set type is identical before merging evaluate: prevent merge of sets with incompatible keys evaluate: check element key vs. set definition tests: bogons: fix missing file name when logging evaluate: fix crash with invalid elements in set json: BASECHAIN flag no longer implies presence of priority expression evaluate: maps: check element data mapping matches set data definition parser_json: reject non-concat expression parser_json: fix assert due to empty interface name parser_bison: fix memory leak when parsing flowtable hook declaration rule: allow src/dstnat prios in input and output src: remove utf-8 character in printf lines src: remove decnet support src: mnl: clean up hook listing code src: mnl: make family specification more strict when listing src: drop obsolete hook argument form hook dump functions src: mnl: prepare for listing all device netdev device hooks src: mnl: always dump all netdev hooks if no interface name was given Jeremy Sowden (10): scanner: treat invalid octal strings as strings evaluate: insert byte-order conversions for expressions between 9 and 15 bits netlink_delinearize: add postprocessing for payload binops evaluate: don't eval unary arguments netlink_delinearize: correct type and byte-order of shifts evaluate: handle invalid mapping expressions in stateful object statements gracefully. evaluate: add support for variables in map expressions py: move package source into src directory py: use setup.cfg to configure setuptools py: add pyproject.toml to support PEP-517-compatible build-systems Jose M. Guisado Gomez (1): py: replace distutils with setuptools Maks Mishin (1): evaluate: Fix incorrect checking the `base` variable in case of IPV6 Pablo Neira Ayuso (177): evaluate: fix shift exponent underflow in concatenation evaluation ct: use inet_service_type for proto-src and proto-dst intervals: restrict check missing elements fix to sets with no auto-merge optimize: wrap code to build concatenation in helper function optimize: fix incorrect expansion into concatenation with verdict map rule: add helper function to expand chain rules into commands optimize: select merge criteria based on candidates rules rule: expand standalone chain that contains rules optimize: ignore existing nat mapping optimize: infer family for nat mapping evaluate: print error on missing family in nat statement evaluate: infer family from mapping evaluate: expand value to range when nat mapping contains intervals src: expand table command before evaluation tests: shell: cover rule insertion by index parser_bison: allow to use quota in sets intervals: use expression location when translating to intervals optimize: assert nat type on nat statement helper optimize: support for redirect and masquerade evaluate: bogus missing transport protocol netlink_delinearize: do not reset protocol context for nat protocol expression evaluate: allow stateful statements with anonymous verdict maps evaluate: skip optimization if anonymous set uses stateful statement optimize: do not remove counter in verdict maps evaluate: set NFT_SET_EVAL flag if dynamic set already exists expression: define .clone for catchall set element libnftables: Drop cache in -c/--check mode evaluate: do not remove anonymous set with protocol flags and single element evaluate: revisit anonymous set with single element optimization evaluate: expand sets and maps before evaluation limit: display default burst when listing ruleset datatype: initialize TYPE_CT_LABEL slot in datatype array datatype: initialize TYPE_CT_EVENTBIT slot in datatype array tests: py: add map support json: expose dynamic flag netlink_linearize: skip set element expression in map statement key json: add missing map statement stub evaluate: validate maximum log statement prefix length src: expand create commands evaluate: clone unary expression datatype to deal with dynamic datatype json: deal appropriately with multidevice in chain evaluate: handle invalid mapping expressions gracefully monitor: add support for concatenated set ranges evaluate: reject set definition with no key tests: shell: use /bin/bash in sets/elem_opts_compat_0 evaluate: support shifts larger than the width of the left operand evaluate: relax type-checking for integer arguments in mark statements evaluate: set up integer type to shift expression evaluate: honor statement length in bitwise evaluation netlink_delinerize: incorrect byteorder in mark statement listing payload: set byteorder when completing expression evaluate: bail out if new flowtable does not specify hook and priority json: allow to specify comment on table json: allow to specify comment on chain evaluate: perform mark datatype compatibility check from maps evaluate: reject set in concatenation evaluate: fix memleak in prefix evaluation with wildcard interface name evaluate: place byteorder conversion before rshift in payload statement evaluate: reset statement length context only for set mappings evaluate: place byteorder conversion before rshift in payload expressions evaluate: bogus error when adding devices to flowtable doc: incorrect datatype description for icmpv6_type and icmpvx_code evaluate: add missing range checks for dup,fwd and payload statements evaluate: skip anonymous set optimization for concatenations evaluate: do not fetch next expression on runaway number of concatenation components evaluate: bail out if anonymous concat set defines a non concat expression evaluate: release key expression in error path of implicit map with unknown datatype evaluate: release mpz type in expr_evaluate_list() error path datatype: display 0s time datatype evaluate: skip byteorder conversion for selector smaller than 2 bytes netlink_linearize: add assertion to catch for buggy byteorder evaluate: permit use of host-endian constant values in set lookup keys expression: missing line in describe command with invalid expression proto: use hexadecimal to display ip frag-off field rule: fix ASAN errors in chain priority to textual names parser: allow to define maps that contain timeouts and expectations netlink_delinearize: restore binop syntax when listing ruleset for flags netlink_delinearize: reverse cross-day meta hour range evaluate: display "Range negative size" error datatype: use DTYPE_F_PREFIX only for IP address datatype netlink_delinearize: unused code in reverse cross-day meta hour range src: disentangle ICMP code types evaluate: bogus protocol conflicts in vlan with implicit dependencies cache: check for NFT_CACHE_REFRESH in current requested cache too scanner: inet_pton() allows for broader IPv4-Mapped IPv6 addresses monitor: too large shift exponent displaying payload expression cmd: skip variable set elements when collapsing commands evaluate: set on expr->len for catchall set elements segtree: set on EXPR_F_KERNEL flag for catchall elements in the cache intervals: fix element deletions with maps parser_bison: recursive table declaration in deprecated meter statement optimize: clone counter before insertion into set element parser_json: use stdin buffer if available libnftables: skip useable checks for /dev/stdin optimize: skip variables in nat statements datatype: reject rate in quota statement datatype: improve error reporting when time unit is not correct cache: rule by index requires full cache src: improve error reporting for unsupported chain type evaluate: honor statement length in integer evaluation netlink_linearize: use div_round_up in byteorder length meta: stash context statement length when generating payload/meta dependency cmd: provide better hint if chain is already declared with different type/hook/priority cache: populate chains on demand from error path cache: populate objects on demand from error path cache: populate flowtables on demand from error path cache: do not fetch set inconditionally on delete parser_bison: allow 0 burst in limit rate byte mode parser_json: fix handle memleak from error path cache: reset filter for each command cache: accumulate flags in batch cache: only dump rules for the given table cache: assert filter when calling nft_cache_evaluate() cache: clean up evaluate_cache_del() cache: remove full cache requirement when echo flag is set on cache: relax requirement for replace rule command cache: position does not require full cache proto: use NFT_PAYLOAD_L4CSUM_PSEUDOHDR flag to mangle UDP checksum cache: initialize filter when fetching implicit chains optimize: compare expression length evaluate: reset statement length context before evaluating statement intervals: set internal element location with the deletion trigger scanner: better error reporting for CRLF line terminators exthdr: incomplete type 2 routing header definition datatype: clamp boolean value to 0 and 1 ipopt: use ipv4 address datatype for address field in ip options parser_bison: turn redundant ip option type field match into boolean evaluate: auto-merge is only available for singleton interval sets evaluate: optimize zero length range evaluate: release existing datatype when evaluating unary expression segtree: incomplete output in get element command with maps netlink: bogus concatenated set ranges with netlink message overrun optimize: incorrect comparison for reject statement optimize: compact bitmask matching in set/map optimize: expand expression list when merging into concatenation optimize: invalidate merge in case of duplicated key in set/map parser_bison: add selector_expr rule to restrict typeof_expr json: disallow empty concatenation Backport nftables tests/shell from 2a38f458f12b Revert "json: Print single set flag as non-array" Revert "src: print set element with multi-word description in single one line" Revert "evaluate: allow to re-use existing metered set" Revert mptcp tests for sets/typeof_sets_0 Partial revert in testcase/sets/set_stmt to remove last statement coverage Revert "evaluate: translate meter into dynamic set" Partial revert "tests: py: move meter tests to tests/shell" Revert "tests: shell: move flowtable with bogus priority to correct location" Amend "tests: shell: Fix ifname_based_hooks feature check" tests: py: extend ip frag-off coverage tests: py: debloat frag.t.payload.netdev tests: py: missing json output in never merge across non-expression statements tests: py: missing json output in meta.t with vlan mapping tests: py: complete icmp and icmpv6 update tests: py: drop redundant JSON outputs Revert "tests: py: fix json single-flag output for fib & synproxy" tests: py: fix WARNING with JSON evaluate: simplify payload statement evaluation for bitfields evaluate: reject unsupported expressions in payload statement for bitfields parser_json: reject empty jump/goto chain parser_json: allow statement stateful statement only in set elements parser_json: bail out on malformed statement in set mnl: flowtable support for extended netlink error reporting mnl: handle singleton element in netdevice set rule: skip fuzzy lookup if object name is not available cache: assert name is non-nul when looking up parser_bison: allow delete command with map via handle rule: print chain and flowtable devices in quotes evaluate: validate set expression type before accessing flags tests: monitor: enclose device names in quotes segtree: incorrect type when aggregating concatenated set ranges src: Add GPLv2+ header to .c files of recent creation mnl: set SO_SNDBUF before SO_SNDBUFFORCE update INSTALL file py: remove setup.py integration with autotools INSTALL: provide examples to install python bindings cache: chain listing implicitly sets on terse option build: Bump version to 1.0.6.1 Phil Sutter (59): optimize: Clarify chain_optimize() array allocations netlink: Fix for potential NULL-pointer deref meta: parse_iso_date() returns boolean mnl: dump_nf_hooks() leaks memory in error path optimize: Do not return garbage from stack netlink_delinearize: Sanitize concat data element decoding xt: Fix fallback printing for extensions matching keywords xt: Fix translation error path tests: shell: Fix for unstable sets/0043concatenated_ranges_0 tests: shell: Stabilize sets/0043concatenated_ranges_0 test evaluate: Drop dead code from expr_evaluate_mapping() tests: monitor: Fix monitor JSON output for insert command tests: monitor: Fix time format in ct timeout test tests: monitor: Fix for wrong syntax in set-interval.t tests: monitor: Fix for wrong ordering in expected JSON output parser_json: Catch wrong "reset" payload parser_json: Fix typo in json_parse_cmd_add_object() parser_json: Proper ct expectation attribute parsing parser_json: Fix flowtable prio value parsing parser_json: Fix limit object burst value parsing parser_json: Fix synproxy object mss/wscale parsing parser_json: Wrong check in json_parse_ct_timeout_policy() parser_json: Catch nonsense ops in match statement parser_json: Default meter size to zero parser_bison: Fix for broken compatibility with older dumps tproxy: Drop artificial port printing restriction json: Support sets' auto-merge option cache: Optimize caching for 'list tables' command cache: Always set NFT_CACHE_TERSE for list cmd with --terse json: Order output like nft_cmd_expand() json: Support maps with concatenated data parser: json: Support for synproxy objects json: Accept more than two operands in binary expressions mergesort: Avoid accidental set element reordering json: Fix for memleak in __binop_expr_json doc: nft.8: Fix markup in ct expectation synopsis doc: nft.8: Highlight "hook" in flowtable description libnftables: Zero ctx->vars after freeing it json: Support typeof in set and map types netlink: Do not allocate a bogus flowtable priority expr netlink: Fix for potential crash parsing a flowtable netlink: Avoid crash upon missing NFTNL_OBJ_CT_TIMEOUT_ARRAY attribute tests: py: Document JSON mode in README tests: py: Fix some JSON equivalents tests: py: Warn if recorded JSON output matches the input tests: py: Drop needless recorded JSON outputs tests: py: Fix for storing payload into missing file tests: py: Properly fix JSON equivalents for netdev/reject.t doc: Fix typo in nat statement 'prefix' description netlink: Avoid potential NULL-ptr deref parsing set elem expressions netlink: Catch unknown types when deserializing objects netlink_delinearize: Replace some BUG()s by error messages netlink: Pass netlink_ctx to netlink_delinearize_setelem() netlink: Keep going after set element parsing failures cache: Tolerate object deserialization failures monitor: Recognize flowtable add/del events json: Dump flowtable hook spec only if present doc: nft.8: Minor NAT STATEMENTS section review src: netlink: netlink_delinearize_table() may return NULL Quan Tian (1): doc: clarify reject is supported at prerouting stage Sam James (1): Makefile.am: don't silence -Wimplicit-function-declaration Sebastian Walz (sivizius) (3): parser_json: release buffer returned by json_dumps parser_json: fix several expression memleaks from error path parser_json: fix crash in json_parse_set_stmt_list Son Dinh (1): dynset: avoid errouneous assert with ipv6 concat data Sriram Rajagopalan (1): nftables: do mot merge payloads on negation Thomas Haller (13): evaluate: fix check for truncation in stmt_evaluate_log_prefix() include: drop "format" attribute from nft_gmp_print() datatype: fix leak and cleanup reference counting for struct datatype netlink: handle invalid etype in set_make_key() parser_bison: fix length check for ifname in ifname_expr_alloc() netlink: fix buffer size for user data in netlink_delinearize_chain() json: fix use after free in table_flags_json() netlink_linearize: avoid strict-overflow warning in netlink_gen_bitwise() expression: cleanup expr_ops_by_type() and handle u32 input py: fix exception during cleanup of half-initialized Nftables json: use strtok_r() instead of strtok() rule: fix "const static" declaration mergesort: avoid cloning value in expr_msort_cmp() Xiao Liang (1): fib: Change data type of fib oifname to "ifname" Yi Chen (1): test: shell: Don't use system nft binary 谢致邦 (XIE Zhibang) (2): evaluate: fix check for unknown in cmd_op_to_name doc: update outdated route and pkttype info