List of updates since Linux kernel 3.13
A listing of the development progress on the kernel side. See also List of updates in the nft command line tool.
6.3
- Support for 'nft destroy'
6.2
- Support for inner header matching, such as "udp dport 6081 geneve ip saddr 10.141.11.2"
5.17
- fwd command in egress hook
5.16
- netdev egress hook
5.11
- multiple expression support for sets (e.g., so a set can have both a limit and a counter)
5.10
- Support for ingress hook in inet family
- Support for comments on tables, chains, sets, maps, stateful objects, etc.
5.7
- Support for stateful expressions (e.g. counters) on set elements
5.6
- Support for ranges (intervals) in concatenations
5.4
- meta time / hour / day
5.3
- conntrack support for the bridge family
- th expression for matching UDP/TCP headers in the same rule
- synproxy statement
5.2
- Support for NAT in inet family
5.0
- ipsec / xfrm expressions
4.20
- secmark support
4.19
- tproxy statement
4.18
- nftables NAT is no longer incompatible with iptables NAT
- connlimits (but buggy until 4.19.10!)
- ct count
- log level audit
4.16
- flowtable support
4.15
- Fetch single elements of a set (i.e., nft get element)
4.14
- PMTU calculation / MSS clamping (tcp option maxseg size set rt mtu)
4.12
4.10
- notrack support
- stateful objects
- nexthop and fib, for matching routing information
- improved packet mangling support
4.6
4.5
4.3
- Enhancements for the limit expression, support for ratelimit bytes/time unit.
- Dup expression (equivalent to the TEE target in iptables) for IPv4 and IPv6.
- VLAN header matching support when the NIC supports offloads.
4.2
- New 'netdev' family for filtering from ingress.
- Context to x_tables extensions to know if they run from nft_compat.
4.1
Major updates in the generic set infrastructure:
- Concatenations.
- Timeout per set elements.
- Comments per set elements.
- Dynamic set instantiation.
4.0
- Mostly fixes.
3.19
- redirect support.
3.18
- masquerading support.
- meta cpu, devgroup matching.
- reject bridge support.
- destroy table and its content, i.e. nft flush ruleset.
3.17
- log and nflog support for ip, ip6, arp and bridge families.
3.16
- connlabel support.
3.15
- Comments per rule support.
- IPv4 reject support.
3.14
- set packet mark support.
- nfqueue support (only for ip and ip6 families).
- rule tracing support.
- IPv6 and inet reject support.
3.13
- nf_tables merged mainstream.