path: root/package/network/utils/nftables
Commit message | Author | Age | Files | Lines
* treewide: add support for "lto" in PKG_BUILD_FLAGS | Andre Heider | 2023-03-21 | 1 | -3/+2
  This reduces open coding and allows to easily add a knob to enable it treewide, where chosen packages can still opt-out via "no-lto".
  Some packages used LTO, but not the linker plugin. This unifies 'em all to attempt to produce better code.
  Quoting man gcc(1): "This improves the quality of optimization by exposing more code to the link-time optimizer."
  Also use -flto=auto instead of -flto=jobserver, as it's not guaranteed that every buildsystem uses +$(MAKE) correctly.
  Signed-off-by: Andre Heider <a.heider@gmail.com>
* nftables: update to 1.0.7 | Nick Hainke | 2023-03-19 | 1 | -2/+2
  Release Notes: https://marc.info/?l=netfilter-devel&m=167873533214563&w=2
  Signed-off-by: Nick Hainke <vincent@systemli.org>
* nftables: update to 1.0.6 | Nick Hainke | 2023-01-06 | 2 | -27/+4
  Remove upstreamed patches:
  - 0001-fix-nft.patch
  Upstream switched to "tar.xz" archives.
  old ipkg size: 273678 bin/packages/mips_24kc/base/nftables-json_1.0.5-2_mips_24kc.ipk
  new ipkg size: 271624 bin/packages/mips_24kc/base/nftables-json_1.0.6-1_mips_24kc.ipk
  Release Information: https://netfilter.org/projects/nftables/files/changes-nftables-1.0.6.txt
  Signed-off-by: Nick Hainke <vincent@systemli.org>
* nftables: backport fix to interval based rules | Kevin Darbyshire-Bryant | 2022-09-26 | 2 | -1/+24
  'rule inet dscpclassify dscp_match meta l4proto { udp } th dport { 3478 } th sport { 3478-3497, 16384-16387 } goto ct_set_ef' works with 'nft add', but not 'nft insert', the latter yields: "BUG: unhandled op 4".
  Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* nftables: update to 1.0.5 | Nick Hainke | 2022-08-28 | 2 | -52/+3
  Remove upstreamed patch:
  - 0001-meta-don-t-use-non-POSIX-formats-in-strptime.patch
  Changes:
  13248670 build: Bump version to 1.0.5
  3432eebd tests/py: disable arp family for queue statement
  180ce4d7 meta: don't use non-POSIX formats in strptime()
  c1c223f1 src: allow anon set concatenation with ether and vlan
  87c3041b evaluate: search stacked header list for matching payload dep
  b1e3ed03 netlink_delinearize: also postprocess OP_AND in set element context
  f680055c tests: add a test case for ether and vlan listing
  dbd5f348 debug: dump the l2 protocol stack
  0d9daa04 proto: track full stack of seen l2 protocols, not just cumulative offset
  89688c94 netlink_delinearize: postprocess binary ands in concatenations
  0542a431 netlink_delinearize: allow postprocessing on concatenated elements
  8efab552 parser_json: fix device parsing in netdev family
  76fae8f5 src: proto: support DF, LE PHB, VA for DSCP
  446e76db doc: Document limitations of ipsec expression with xfrm_interface
  a2ddb38f cache: report an error message if cache initialization fails
  649b8ce3 cache: validate handle string length
  64c74ba5 cache: prepare nft_cache_evaluate() to return error
  46980cdd rule: crash when uncollapsing command with unexisting table or set
  8a6cdfaf cache: release pending rules when chain binding lookup fails
  e17337df evaluate: report missing interval flag when using prefix/range in concatenation
  45c097c6 scanner: allow prefix in ip6 scope
  6c23bfa5 segtree: fix map listing with interface wildcard
  8623772a scanner: don't pop active flex scanner scope
  994bf500 parser: add missing synproxy scope closure
  ed2426bc tests/py: Add a test for failing ipsec after counter
  27107b49 evaluate: fix segfault when adding elements to invalid set
  0f82b07f mnl: store netlink error location for set elements
  15b3be2e src: remove NFT_NLATTR_LOC_MAX limit for netlink location error reporting
  f56e901a parser_bison: fix error location for set elements
  6d1ee926 intervals: check for EXPR_F_REMOVE in case of element mismatch
  5357cb7b intervals: fix crash when trying to remove element in empty set
  d54510f8 netlink_delinearize: memleak when parsing concatenation data
  12a223ce libnftables: release top level scope
  b91bbf88 optimize: limit statement is not supported yet
  45a61a75 optimize: assume verdict is same when rules have no verdict
  fa409176 optimize: only merge OP_IMPLICIT and OP_EQ relational
  29e62111 tests: shell: run -c -o on ruleset
  887405df optimize: add unsupported statement
  8f61a69e optimize: add hash expression support
  ca8fd77a optimize: add numgen expression support
  721efd64 optimize: add binop expression support
  f7e901a2 optimize: add fib expression support
  54b1e49f optimize: add xfrm expression support
  0beaea37 optimize: add osf expression support
  d07fe8e8 optimize: fix verdict map merging
  38d48fe5 optimize: fix reject statement
  f9939f89 optimize: remove comment after merging
  8f10f33a optimize: do not print stateful information
  3ac932e9 optimize: do not merge rules with set reference in rhs
  64ebb03a optimize: do not compare relational expression rhs when collecting statements
  59e3a592 intervals: Do not sort cached set elements over and over again
  d434de8b intervals: do not empty cache for maps
  87ba510f intervals: do not report exact overlaps for new elements
  498a5f0c rule: collapse set element commands
  8fafe4e6 tests: shell: runtime set element automerge
  638af0ce Revert "scanner: flags: move to own scope"
  Signed-off-by: Nick Hainke <vincent@systemli.org>
* nftables: fix parsing date expressions | Jo-Philipp Wich | 2022-08-09 | 2 | -1/+50
  Musl libc does not support the non-POSIX "%F" format for strptime() so replace all occurrences of it with an equivalent "%Y-%m-%d" format.
  Fixes: #10419
  Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* Revert "nftables: fix parsing date expressions" | Jo-Philipp Wich | 2022-08-09 | 2 | -50/+1
  This reverts commit eada8925776aafa3ec47d66fb89bf7eae730edf7.
  The commit contained unrelated target changes.
  Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* nftables: fix parsing date expressions | Jo-Philipp Wich | 2022-08-09 | 2 | -1/+50
  Musl libc does not support the non-POSIX "%F" format for strptime() so replace all occurrences of it with an equivalent "%Y-%m-%d" format.
  Fixes: #10419
  Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* nftables: update to 1.0.4 | Nick Hainke | 2022-06-24 | 1 | -2/+2
  Needs libnftnl 1.2.2.
  3eb0da9f build: Bump version to 1.0.4
  a964d1b5 tests: shell: remove leftover modules on cleanup
  818f7dde evaluate: reset ctx->set after set interval evaluation
  3835de19 tests: shell: sets_with_ifnames release netns on exit
  59bd944f optimize: segfault when releasing unsupported statement
  Signed-off-by: Nick Hainke <vincent@systemli.org>
* nftables: clean up Makefile | Nick Hainke | 2022-06-24 | 1 | -3/+4
  Add PKG_LICENSE_FILES. Use SPDX.
  Signed-off-by: Nick Hainke <vincent@systemli.org>
* nftables: update to 1.0.3 | Nick Hainke | 2022-06-24 | 2 | -32/+3
  Remove backport:
  - 001-examples-compile-with-make-check.patch
  87fdf683 build: Bump version to 1.0.3
  c4ec825b nft: simplify chain lookup in do_list_chain
  4f6724f1 intervals: fix compilation --with-mini-gmp
  4c20fe95 json: update json output ordering to place rules after chains
  57741350 netlink_delinearize: release last register on exit
  d6fdb0d8 sets_with_ifnames: add test case for concatenated range
  88b2345a segtree: add pretty-print support for wildcard strings in concatenated sets
  806ab081 netlink: swap byteorder for host-endian concat data
  c224aa6b intervals: deletion should adjust range not yet in the kernel
  ea1f1c9f optimize: memleak in statement matrix
  0a6dbfce optimize: merge nat rules with same selectors into map
  743b0e81 optimize: do not clone unsupported statement
  c8b35039 optimize: incorrect logic in verdict comparison
  fc4da141 src: fix always-true assertions
  d1289bff intervals: set on EXPR_F_KERNEL flag for new elements in set cache
  721b9dec tests: add concat test case with integer base type subkey
  22b750aa src: allow use of base integer types as set keys in concatenations
  3ed9fada intervals: build list of elements to be added from cache
  e45b4939 intervals: fix deletion of multiple ranges with automerge
  3b7b22ae intervals: add elements with EXPR_F_KERNEL to purge list only
  ea31855d netlink: remove unused argument from helper function
  48204bd7 intervals: Simplify element sanity checks
  ab1b21be intervals: unset EXPR_F_KERNEL for adjusted elements
  e0beff27 src: restore interval sets work with string datatypes
  3e8d934e intervals: support to partial deletion with automerge
  7a6e1604 evaluate: allow for zero length ranges
  3da9643f intervals: add support to automerge with kernel elements
  7b061e63 mnl: update mnl_nft_setelem_del() to allow for more reuse
  fdb8e0ff src: remove rbtree datastructure
  81e36530 src: replace interval segment tree overlap and automerge
  f1cc44ed src: add EXPR_F_KERNEL to identify expression in the kernel
  ad43b84e segtree: add support for get element with sets that contain ifnames
  06db2308 segtree: use correct byte order for 'element get'
  4c6681a7 tests: add testcases for interface names in sets
  5e393ea1 segtree: add string "range" reversal support
  2fb4d7ea src: make interval sets work with string datatypes
  403936c1 evaluate: string prefix expression must retain original length
  ada50f84 segtree: split prefix and range creation to a helper function
  ae7d32fc evaluate: keep prefix expression length
  d2b23984 evaluate: make byteorder conversion on string base type a no-op
  c36ecfc2 tests: py: Add meta time tests without 'meta' keyword
  6fa4ff56 tests: py: Don't colorize output if stderr is redirected
  f561a0cc tests: monitor: Hide temporary file names from error output
  75fea8a5 tests: py: extend meta time coverage
  4460b839 meta: fix compiler warning in date_type_parse()
  02100978 meta: time: use uint64_t instead of time_t
  4e0026dc include: add missing `#include`
  ab74fb5b examples: add .gitignore file
  bcad4761 tests: py: add inet/vmap tests
  214494aa optimize: Restore optimization for raw payload expressions
  82762ab6 src: allow to use integer type header fields via typeof set declaration
  64bb3f43 src: allow to use typeof of raw expressions in set declaration
  ff0f30e3 expression: typeof verdict needs verdict datatype
  60f5c107 src: copy field_count for anonymous object maps as well
  4cf97abf rule: Avoid segfault with anonymous chains
  4e718641 evaluate: init cmd pointer for new on-stack context
  1ea71c23 optimize: do not assume log prefix
  3f36cc6c optimize: do not merge unsupported statement expressions
  19960c8d optimize: incorrect assert() for unexpected expression type
  3de1dbd2 optimize: more robust statement merge with vmap
  99eb4696 optimize: fix vmap with anonymous sets
  e8f0fa21 scanner: Fix for ipportmap nat statements
  59d184be scanner: dup, fwd, tproxy: Move to own scopes
  069a0450 scanner: meta: Move to own scope
  2165324d scanner: at: Move to own scope
  a67fce7f scanner: nat: Move to own scope
  578467c1 scanner: policy: move to own scope
  a1669709 scanner: flags: move to own scope
  020372d9 scanner: reject: Move to own scope
  543bf3c2 scanner: import, export: Move to own scopes
  88105810 scanner: reset: move to own Scope
  8a7e430a scanner: monitor: Move to own Scope
  e5547017 scanner: rt: Extend scope over rt0, rt2 and srh
  04c95f14 scanner: type: Move to own scope
  62a95698 scanner: dst, frag, hbh, mh: Move to own scopes
  a060d912 scanner: ah, esp: Move to own scopes
  4e215fdf scanner: osf: Move to own scope
  5166b298 scanner: dccp, th: Move to own scopes
  3e04a6e2 scanner: udp{,lite}: Move to own scope
  bbdcfbfa scanner: comp: Move to own scope.
  232f2c32 scanner: synproxy: Move to own scope
  26b53653 scanner: tcp: Move to own scope
  f5722119 scanner: igmp: Move to own scope
  a7d8cca9 scanner: icmp{,v6}: Move to own scope
  5d837d27 src: add tcp option reset support
  1d507ce7 build: explicitly pass --version-script to linker
  e98a9b83 libnftables.map: export new nft_ctx_{get,set}_optimize API
  9eb98b3b tests: add test case for flowtable with owner flag
  18a08fb7 examples: compile with `make check' and add AM_CPPFLAGS
  Signed-off-by: Nick Hainke <vincent@systemli.org>
* nftables: add CONFLICT between versions | Eneas U de Queiroz | 2022-04-11 | 1 | -1/+2
  Have nftables-json conflict with nftables-nojson.
  Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
* nftables: update to version 1.0.2 | Josef Schlehofer | 2022-03-07 | 3 | -47/+32
  Changelog: https://lwn.net/ml/netdev/YhO5Pn+6+dgAgSd9@salvia/
  Patches:
  removed:
  - 001-parser-allow-quoted-string-in-flowtable_expr_member: it is now part of upstream release [1]
  added:
  - 001-examples-compile-with-make-check.patch: backported from [2], it fixes:
    nft-json-file.c:3:10: fatal error: nftables/libnftables.h: No such file or directory
        3 | #include <nftables/libnftables.h>
          |          ^~~~~~~~~~~~~~~~~~~~~~~~
    compilation terminated.
  [1] https://git.netfilter.org/nftables/commit/?h=v1.0.2&id=07af4429241c9832a613cb8620331ac54257d9df
  [2] https://git.netfilter.org/nftables/commit/?id=18a08fb7f0443f8bde83393bd6f69e23a04246b3
  Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
* nftables: allow quoted string in flowtable_expr_member | Stijn Tintel | 2021-12-31 | 2 | -1/+45
  This is required to be able to use flow offloading on devices with ifnames that start with a digit, like 6in4-wan6.
  Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* nftables: bump to 1.0.1 | Stijn Tintel | 2021-12-01 | 1 | -3/+3
  Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* nftables: install package file | Kevin Darbyshire-Bryant | 2021-11-30 | 1 | -0/+3
  Install pc file so dnsmasq can find libnftables
  Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* nftables: install libnftables to staging dir | Daniel Danzberger | 2021-11-20 | 1 | -1/+7
  Makes libnftables library and headers available for other packages.
  Signed-off-by: Daniel Danzberger <daniel@dd-wrt.com>
* nftables: bump to 1.0.0 | Stijn Tintel | 2021-10-19 | 1 | -3/+3
  This introduces support for hardware flow offloading, which was added in nftables 0.9.9.
  Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
  Acked-by: Jo-Philipp Wich <jo@mein.io>
* nftables: Activate link time optimization (LTO) | Hauke Mehrtens | 2020-09-06 | 1 | -1/+4
  The ipk sizes for mips_24Kc change like this:
  old:
  nftables-json_0.9.6-1_mips_24kc.ipk 231.968
  nftables-nojson_0.9.6-1_mips_24kc.ipk 204.731
  new:
  nftables-json_0.9.6-2_mips_24kc.ipk 221.894
  nftables-nojson_0.9.6-2_mips_24kc.ipk 193.932
  Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* nftables: Update to version 0.9.6 | Hauke Mehrtens | 2020-09-06 | 1 | -2/+2
  The ipk sizes for mips_24Kc change like this:
  old:
  nftables-json_0.9.3-1_mips_24kc.ipk 220.262
  nftables-nojson_0.9.3-1_mips_24kc.ipk 192.937
  new:
  nftables-json_0.9.6-1_mips_24kc.ipk 231.968
  nftables-nojson_0.9.6-1_mips_24kc.ipk 204.731
  Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* nftables: implement no/json variants | Kevin Darbyshire-Bryant | 2020-03-29 | 1 | -14/+26
  Replace the build time choice of json support with a package based choice.
  Users requiring a json aware version of 'nft' may now install nftables-json.
  The default choice to fulfill the 'nftables' package dependency is 'nftables-nojson'
  Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* nftables: bump to 0.9.3 | Kevin Darbyshire-Bryant | 2020-03-24 | 1 | -2/+2
  Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* nftables: bump to version 0.9.2 | Konstantin Demin | 2019-09-01 | 2 | -31/+4
  - exclude Python-related stuff from build
  - drop patches:
    * 010-uclibc-ng.patch, applied upstream
  ipkg size decrease by 2.8%:
  old: 194.851 nftables_0.9.0-2_arm_cortex-a7_neon-vfpv4.ipk
  new: 189.581 nftables_0.9.2-1_arm_cortex-a7_neon-vfpv4.ipk
  Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
* nftables: Fix compilation with uClibc-ng | Rosen Penev | 2019-05-15 | 2 | -1/+29
  Missing header for va_list.
  Signed-off-by: Rosen Penev <rosenp@gmail.com>
  Signed-off-by: Petr Štetiar <ynezz@true.cz> [updated with upstream version of the patch]
* nftables: allow to build with json support | Rosy Song | 2018-08-01 | 1 | -1/+12
  Signed-off-by: Rosy Song <rosysong@rosinson.com>
* nftables: bump to version 0.9.0 | Rosy Song | 2018-06-18 | 1 | -2/+2
  Signed-off-by: Rosy Song <rosysong@rosinson.com>
* nftables: bump to 0.8.5 version | Rosy Song | 2018-05-21 | 8 | -1594/+8
  Signed-off-by: Rosy Song <rosysong@rosinson.com>
* nftables: update to 0.8.2, backport flowtable support | Felix Fietkau | 2018-02-21 | 6 | -0/+1581
  Signed-off-by: Felix Fietkau <nbd@nbd.name>
* nftables: update to version 0.8.2 | Hauke Mehrtens | 2018-02-15 | 2 | -3/+5
  Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* nftables: remove dependency on kmod-nf-nat | Matthias Schiffer | 2018-01-31 | 1 | -1/+1
  For minimal firewall setups, NAT support may be unnecessary.
  It would be possible to further reduce the minimum number of installed modules, e.g. by separating IPv4 and IPv6 support or moving conntrack support into a separate kmod package. We go with a more complete kmod-nft-core for now, until a concrete usecase for smaller packages arises.
  Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
* nftables: update to 0.8.1 | Philip Prindeville | 2018-01-20 | 2 | -81/+6
  Note this requires libnftnl-1.0.8 or higher, so that update needs to be merged first.
  Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* nftables: fix sha256sum | Hauke Mehrtens | 2017-12-31 | 1 | -1/+1
  The mirror was delivering a file with a different hash.
  Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* treewide: switch git.netfilter.org to HTTPS | Stijn Tintel | 2017-10-08 | 1 | -1/+1
  As git.netfilter.org seems to support HTTPS, use that instead of HTTP which is insecure, or GIT which is blocked on many corporate networks.
  Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* nftables: remove date from version | Hauke Mehrtens | 2017-08-09 | 1 | -1/+1
  We are using the normal 0.7 version of nftables, do not add an additional date to the version number.
  Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* nftables: Update to 0.7 | Nick Brassel | 2017-07-15 | 2 | -3/+79
  Updated nftables to latest.
  Signed-off-by: Nick Brassel <nick@tzarc.org>
* treewide: clean up and unify PKG_VERSION for git based downloads | Felix Fietkau | 2016-12-22 | 1 | -2/+0
  Also use default definitions for PKG_SOURCE_SUBDIR, PKG_SOURCE
  Signed-off-by: Felix Fietkau <nbd@nbd.name>
* treewide: clean up download hashes | Felix Fietkau | 2016-12-16 | 1 | -1/+1
  Replace *MD5SUM with *HASH, replace MD5 hashes with SHA256
  Signed-off-by: Felix Fietkau <nbd@nbd.name>
* source: Switch to xz for packages and tools where possible | Daniel Engberg | 2016-10-06 | 1 | -1/+2
  * Change git packages to xz
  * Update mirror checksums in packages where they are used
  * Change a few source tarballs to xz if available upstream
  * Remove unused lines in packages we're touching, requested by jow- and blogic
  * We're relying more on xz-utils so add official mirror as primary source, master site as secondary.
  * Add SHA256 checksums to multiple git tarball packages
  Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
* nftables: bump version | Steven Barth | 2015-04-20 | 1 | -2/+2
  Signed-off-by: Steven Barth <steven@midlink.org>
  SVN-Revision: 45513
* nftables: bump to 2015-03-24 | Steven Barth | 2015-03-30 | 1 | -2/+2
  Signed-off-by: Steven Barth <steven@midlink.org>
  SVN-Revision: 45158
* nftables: bump for minor fixes | Steven Barth | 2015-01-20 | 1 | -3/+3
  Signed-off-by: Steven Barth <steven@midlink.org>
  SVN-Revision: 44062
* nftables: add missing patch | Steven Barth | 2015-01-12 | 1 | -0/+8
  Signed-off-by: Steven Barth <steven@midlink.org>
  SVN-Revision: 43949
* nftables: bump again and disable building docs | Steven Barth | 2015-01-12 | 1 | -2/+2
  Signed-off-by: Steven Barth <steven@midlink.org>
  SVN-Revision: 43948
* nftables: bump to latest and enable debugging | Steven Barth | 2015-01-12 | 1 | -3/+2
  Signed-off-by: Steven Barth <steven@midlink.org>
  SVN-Revision: 43944
* nftables: bump to latest git / all patches upstreamed | Steven Barth | 2015-01-08 | 6 | -5030/+4
  Signed-off-by: Steven Barth <steven@midlink.org>
  SVN-Revision: 43870
* nftables: bump to release 0.4, cleanup our patches | Steven Barth | 2014-12-16 | 8 | -432/+333
  Signed-off-by: Steven Barth <steven@midlink.org>
  SVN-Revision: 43730
* nftables: mini-bump and patch cleanup | Steven Barth | 2014-12-15 | 5 | -270/+435
  Signed-off-by: Steven Barth <steven@midlink.org>
  SVN-Revision: 43710
* nftables: bump to latest git, fix mini-gmp patches | Steven Barth | 2014-12-14 | 4 | -32/+36
  Signed-off-by: Steven Barth <steven@midlink.org>
  SVN-Revision: 43707
* nftables: bump to latest, fix minigmp | Steven Barth | 2014-10-21 | 4 | -82/+9
  Signed-off-by: Steven Barth <steven@midlink.org>
  SVN-Revision: 43013
* nftables: bump to 2014-09-30, disable gmp | Steven Barth | 2014-10-06 | 6 | -42/+5038
  Signed-off-by: Steven Barth <steven@midlink.org>
  SVN-Revision: 42802