List of updates since Linux kernel 3.13
Latest revision as of 14:16, 1 May 2024
A listing of the development progress on the kernel side. See also List of updates in the nft command line tool.
6.5
- Allow using a map in a set lookup expression (discarding the value)
6.3
- Support for 'nft destroy'
6.2
- Support for inner header matching, such as "udp dport 6081 geneve ip saddr 10.141.11.2"
5.17
- fwd command in egress hook
5.16
- netdev egress hook
- meta iiftype, meta oiftype
5.11
- multiple expression support for sets (e.g., so a set can have both a limit and a counter)
5.10
- Support for ingress hook in inet family
- Support for comments on tables, chains, sets, maps, stateful objects, etc.
5.9
- Trying to add an object when a "conflicting" object exists (e.g., base chain with same name but different hook, map element with same key but different value) now returns EEXIST; in older kernels it returned EBUSY.
5.7
- Support for stateful expressions (e.g. counters) on set elements
5.6
- Support for ranges (intervals) in concatenations
5.4
- meta time / hour / day
- delete set elements from packet path
5.3
- conntrack support for the bridge family
- th expression for matching UDP/TCP headers in the same rule
- synproxy statement
5.2
- Support for NAT in inet family
5.0
- ipsec / xfrm expressions
4.20
- secmark support
4.19
- tproxy statement
4.18
- nftables NAT is no longer incompatible with iptables NAT
- connlimits (but buggy until 4.19.10!)
- ct count
- log level audit
4.16
- flowtable support
4.15
- Fetch single elements of a set (i.e., nft get element)
4.14
- PMTU calculation / MSS clamping (tcp option maxseg size set rt mtu)
4.12
- ct helper set
4.10
- notrack support
- stateful objects
- nexthop and fib, for matching routing information
- improved packet mangling support
4.6
- Ruleset debug/tracing
4.5
- Meters
4.3
- Enhancements for the limit expression, support for ratelimit bytes/time unit.
- Dup expression (equivalent to the TEE target in iptables) for IPv4 and IPv6.
- VLAN header matching support when the NIC supports offloads.
4.2
- New 'netdev' family for filtering from ingress.
- Context to x_tables extensions to know if they run from nft_compat.
4.1
Major updates in the generic set infrastructure:
- Concatenations.
- Timeout per set elements.
- Comments per set elements.
- Dynamic set instantiation.
4.0
- Mostly fixes.
3.19
- redirect support.
3.18
- masquerading support.
- meta cpu, devgroup matching.
- reject bridge support.
- destroy table and its content, i.e. nft flush ruleset.
3.17
- log and nflog support for ip, ip6, arp and bridge families.
3.16
- connlabel support.
3.15
- Comments per rule support.
- IPv4 reject support.
3.14
- set packet mark support.
- nfqueue support (only for ip and ip6 families).
- rule tracing support.
- IPv6 and inet reject support.
3.13
- nf_tables merged mainstream.