Arturo Borrero Gonzalez (1): tests/build/run-tests.sh: fix issues reported by shellcheck Brennan Paciorek (1): doc: document add chain device parameter Florian Westphal (48): exthdr: prefer raw_type instead of desc->type tests: shell: auto-run kmemleak if its available netlink: delinearize: copy set keytype if needed rule: allow src/dstnat prios in input and output ct expectation: fix 'list object x' vs. 'list objects in table' confusion tests: fix inet nat prio tests tests: add dynmap datapath add/delete test case parser: allow ct timeouts to use time_spec values parser: deduplicate map with data interval tests: shell: add test case for double-deactivation tests: add test with concatenation, vmap and timeout tests: add transaction stress test with parallel delete/add/flush and netns deletion tests: add one more chain jump in vmap test tests: add table validation check tests: update bad_expression test case tests: 30s-stress: add failslab and abort phase tests parser: permit gc-interval in map declarations tests/shell: expand vmap test case to also cause batch abort evaluate: fix get element for concatenated set tests: shell: 0043concatenated_ranges_0: re-enable all tests tests/shell: make delete_by_handle test work on older releases tests/shell: typeof_integer/raw: prefer @nh for payload matching tests: shell: fix dump validation message tests: shell: add sample ruleset reproducer tests/shell: add and use chain binding feature probe tests/shell: skip netdev_chain_0 if kernel requires netdev device tests/shell: skip map query if kernel lacks support tests/shell: skip inner matching tests if unsupported tests/shell: skip bitshift tests if kernel lacks support tests/shell: skip some tests if kernel lacks netdev egress support tests/shell: skip inet ingress tests if kernel lacks support tests/shell: skip destroy tests if kernel lacks support tests/shell: skip catchall tests if kernel lacks support tests/shell: skip test cases involving osf match if kernel lacks support tests/shell: skip test cases if ct expectation and/or timeout lacks support tests/shell: skip reset tests if kernel lacks support tests: shell: skip adding catchall elements if unuspported tests: shell: add feature probe for sets with more than one element tests: shell: add feature probe for sctp chunk matching tests: shell: skip flowtable-uaf if we lack table owner support rule: never merge across non-expression statements tests: never merge across non-expression statements redux libnftables: refuse to open onput files other than named pipes or regular files scanner: restrict include directive to regular files tests: never merge across non-expression statements redux 2 tests: add test for dormant on/off/on bug tests: shell: add vlan match test case evaluate: suggest != in negation error message Jeremy Sowden (5): py: move package source into src directory py: use setup.cfg to configure setuptools py: add pyproject.toml to support PEP-517-compatible build-systems doc: move man-pages to `dist_man_MANS` doc: move man-pages to `MAINTAINERCLEANFILES` Jorge Ortiz (1): evaluate: place byteorder conversion after numgen for IP address datatypes Nicolas Cavallari (1): icmpv6: Allow matching target address in NS/NA, redirect and MLD Pablo Neira Ayuso (33): meta: stash context statement length when generating payload/meta dependency update INSTALL file tests: shell: extend implicit chain map with flush command py: remove setup.py integration with autotools libnftables: Drop cache in -c/--check mode INSTALL: provide examples to install python bindings cache: chain listing implicitly sets on terse option evaluate: error out on meter overlap with an existing set/map declaration tests: shell: use minutes granularity in sets/0036add_set_element_expiration_0 evaluate: do not remove anonymous set with protocol flags and single element proto: use hexadecimal to display ip frag-off field tests: py: extend ip frag-off coverage tests: py: debloat frag.t.payload.netdev src: use internal_location for unspecified location at allocation time src: remove check for NULL before calling expr_free() src: simplify chain_alloc() rule: set internal_location for table and chain evaluate: revisit anonymous set with single element optimization doc: describe behaviour of {ip,ip6} length evaluate: fix memleak in prefix evaluation with wildcard interface name evaluate: expand sets and maps before evaluation evaluate: perform mark datatype compatibility check from maps limit: display default burst when listing ruleset datatype: initialize TYPE_CT_LABEL slot in datatype array datatype: initialize TYPE_CT_EVENTBIT slot in datatype array tests: py: add map support json: expose dynamic flag netlink_linearize: skip set element expression in map statement key tests: shell: fix spurious errors in sets/0036add_set_element_expiration_0 json: add missing map statement stub doc: remove references to timeout in reset command evaluate: validate maximum log statement prefix length build: Bump version to 1.0.9 Phil Sutter (21): tests: monitor: Summarize failures per test case tests: shell: Review test-cases for destroy command tests: shell: Stabilize sets/reset_command_0 test tests: shell: Stabilize sets/0043concatenated_ranges_0 test evaluate: Drop dead code from expr_evaluate_mapping() tests: monitor: Fix monitor JSON output for insert command tests: monitor: Fix time format in ct timeout test tests: monitor: Fix for wrong syntax in set-interval.t tests: monitor: Fix for wrong ordering in expected JSON output parser_json: Catch wrong "reset" payload parser_json: Fix typo in json_parse_cmd_add_object() parser_json: Proper ct expectation attribute parsing parser_json: Fix flowtable prio value parsing parser_json: Fix limit object burst value parsing parser_json: Fix synproxy object mss/wscale parsing parser_json: Wrong check in json_parse_ct_timeout_policy() parser_json: Catch nonsense ops in match statement parser_json: Default meter size to zero tests: shell: features: Fix table owner flag check tests: shell: Fix for failing nft-f/sample-ruleset tests: shell: sets/reset_command_0: Fix drop_seconds() Thomas Haller (121): py: return boolean value from Nftables.__[gs]et_output_flag() json: use strtok_r() instead of strtok() nftutils: add and use wrappers for getprotoby{name,number}_r(), getservbyport_r() meta: don't assume time_t is 64 bit in date_type_print() meta: use reentrant localtime_r()/gmtime_r() functions gitignore: ignore cscope files src: add input flags for nft_ctx src: add input flag NFT_CTX_INPUT_NO_DNS to avoid blocking src: add input flag NFT_CTX_INPUT_JSON to enable JSON parsing py: fix exception during cleanup of half-initialized Nftables py: extract flags helper functions for set_debug()/get_debug() py: add Nftables.{get,set}_input_flags() API meta: define _GNU_SOURCE to get strptime() from src: add header and include it as first include: don't define _GNU_SOURCE in public header configure: use AC_USE_SYSTEM_EXTENSIONS to get _GNU_SOURCE include: include via configure: drop AM_PROG_CC_C_O autoconf check netlink: avoid "-Wenum-conversion" warning in dtype_map_from_kernel() netlink: avoid "-Wenum-conversion" warning in parser_bison.y datatype: avoid cast-align warning with struct sockaddr result from getaddrinfo() evaluate: fix check for truncation in stmt_evaluate_log_prefix() src: rework SNPRINTF_BUFFER_SIZE() and handle truncation evaluate: don't needlessly clear full string buffer in stmt_evaluate_log_prefix() src: suppress "-Wunused-but-set-variable" warning with "parser_bison.c" include: drop "format" attribute from nft_gmp_print() rule: fix "const static" declaration utils: call abort() after BUG() macro src: silence "implicit-fallthrough" warnings xt: avoid "-Wmissing-field-initializers" for "original_opts" tests/shell: rework command line parsing in "run-tests.sh" tests/shell: rework finding tests and add "--list-tests" option tests/shell: check test names before start and support directories tests/shell: export NFT_TEST_BASEDIR and NFT_TEST_TMPDIR for tests tests/shell: normalize boolean configuration in environment variables tests/shell: print test configuration tests/shell: run each test in separate namespace and allow rootless tests/shell: interpret an exit code of 77 from scripts as "skipped" tests/shell: support --keep-logs option (NFT_TEST_KEEP_LOGS=y) to preserve test output tests/shell: move the dump diff handling inside "test-wrapper.sh" tests/shell: rework printing of test results tests/shell: move taint check to "test-wrapper.sh" tests/shell: move valgrind wrapper script to separate script tests/shell: support running tests in parallel tests/shell: bind mount private /var/run/netns in test container tests/shell: skip test in rootless that hit socket buffer size limit tests/shell: record the test duration (wall time) in the result data tests/shell: fix "0003includepath_0" for different TMPDIR tests/shell: set TMPDIR for tests in "test-wrapper.sh" tests/shell: return 77/skip for tests that fail to create dummy device tests/shell: cleanup result handling in "test-wrapper.sh" tests/shell: cleanup print_test_result() and show TAINTED error code tests/shell: colorize terminal output with test result tests/shell: fix handling failures with VALGRIND=y tests/shell: print the NFT setting with the VALGRIND=y wrapper tests/shell: don't redirect error/warning messages to stderr tests/shell: redirect output of test script to file too tests/shell: print "kernel is tainted" separate from test result tests/shell: no longer enable verbose output when selecting a test tests/shell: record wall time of test run in result data tests/shell: set NFT_TEST_JOBS based on $(nproc) cache: avoid accessing uninitialized varible in implicit_chain_cache() datatype: rename "dtype_clone()" to datatype_clone() tests/shell: honor .nodump file for tests without nft dumps tests/shell: generate and add ".nft" dump files for existing tests tests/shell: add missing ".nodump" file for tests without dumps tests/shell: add ".nft" dump files for tests without dumps/ directory tests/shell: set valgrind's "--vgdb-prefix=" to orignal TMPDIR tests/shell: print number of completed tests to show progress tests/shell: skip tests if nft does not support JSON mode tests/shell: add "--quick" option to skip slow tests (via NFT_TEST_SKIP_slow=y) parser_bison: include for base C environment to "parser_bison.y" include: include in tests/shell: kill running child processes when aborting "run-tests.sh" tests/shell: ensure vgdb-pipe files are deleted from "nft-valgrind-wrapper.sh" datatype: fix leak and cleanup reference counting for struct datatype tests/shell: export NFT_TEST_RANDOM_SEED variable for tests tests/shell: add "random-source.sh" helper for random-source for sort/shuf tests/shell: add option to shuffle execution order of tests tests/shell: remove spurious .nft dump files tests/shell: drop unstable dump for "transactions/0051map_0" test tests/shell: add missing nft/nodump files for tests tests/shell: special handle base path starting with "./" tests/shell: in find_tests() use C locale for sorting tests names tools: add "tools/check-tree.sh" script to check consistency of nft dumps tests/shell: exit 77 from "run-tests.sh" if all tests were skipped tests/shell: accept $NFT_TEST_TMPDIR_TAG for the result directory tests/shell: honor CLICOLOR_FORCE to force coloring in run-tests.sh tests/build: capture more output from "tests/build/run-tests.sh" script tests/shell: add feature probing via "features/*.nft" files tests/shell: colorize NFT_TEST_SKIP_/NFT_TEST_HAVE_ in test output tests/shell: suggest 4Mb /proc/sys/net/core/{wmem_max,rmem_max} for rootless tests/shell: cleanup creating dummy interfaces in tests tests/shell: implement NFT_TEST_HAVE_json feature detection as script tests/shell: check diff in "maps/typeof_maps_0" and "sets/typeof_sets_0" test tests/shell: fix preserving ruleset diff after test tests/shell: set C locale in "run-tests.sh" tests/shell: don't show the exit status for failed tests tests/shell: colorize NFT_TEST_HAS_SOCKET_LIMITS tests/shell: simplify collecting error result in "test-wrapper.sh" netlink: fix leaking typeof_expr_data/typeof_expr_key in netlink_delinearize_set() libnftables: drop gmp_init() and mp_set_memory_functions() libnftables: move init-once guard inside xt_init() tests/shell: run `nft --check` on persisted dump files src: fix indentation/whitespace proto: add missing proto_definitions for PROTO_DESC_GENEVE include: fix missing definitions in / netlink: handle invalid etype in set_make_key() datatype: use "enum byteorder" instead of int in set_datatype_alloc() payload: use enum icmp_hdr_field_type in payload_may_dependency_kill_icmp() datatype: return const pointer from datatype_get() tests/shell: honor NFT_TEST_FAIL_ON_SKIP variable to fail on any skipped tests expression: cleanup expr_ops_by_type() and handle u32 input mergesort: avoid cloning value in expr_msort_cmp() include: include in datatype: use xmalloc() for allocating datatype in datatype_clone() tests/shell: mount all of "/var/run" in "test-wrapper.sh" tests/shell: preserve result directory with NFT_TEST_FAIL_ON_SKIP tests/shell: add "-S|--setup-host" option to set sysctl for rootless tests tests/shell: add missing "vlan_8021ad_tag.nodump" file tests/shell: use bash instead of /bin/sh for tests