List of updates since Linux kernel 3.13

From nftables wiki
Latest revision as of 15:17, 5 January 2024

A listing of the development progress on the kernel side. See also List of updates in the nft command line tool.

6.3

  • Support for 'nft destroy'

6.2

  • Support for inner header matching, such as "udp dport 6081 geneve ip saddr 10.141.11.2"

5.17

  • fwd statement in the netdev egress hook

5.16

  • netdev egress hook

5.11

  • multiple expression support for sets (e.g., so a set can have both a limit and a counter)

5.10

  • Support for ingress hook in inet family
  • Support for comments on tables, chains, sets, maps, stateful objects, etc.

5.7

  • Support for stateful expressions (e.g. counters) on set elements

5.6

  • Support for ranges (intervals) in concatenations

5.4

  • meta time / hour / day

5.3

  • conntrack support for the bridge family
  • th expression for matching UDP/TCP headers in the same rule
  • synproxy statement

5.2

  • Support for NAT in inet family

5.0

  • ipsec / xfrm expressions

4.20

  • secmark support

4.19

  • tproxy statement

4.18

  • nftables NAT is no longer incompatible with iptables NAT
  • connlimits (but buggy until 4.19.10!)
  • ct count
  • log level audit

4.16

  • flowtable support

4.15

  • Fetch single elements of a set (i.e. nft get element)

4.14

  • PMTU calculation / MSS clamping (tcp option maxseg size set rt mtu)

4.12

  • ct helper set (assign a conntrack helper from a rule)

4.10

  • notrack support
  • stateful objects
  • nexthop and fib, for matching routing information
  • improved packet mangling support

4.6

  • Ruleset debug/tracing

4.5

  • Meters

4.3

  • Enhancements for the limit expression, support for ratelimit bytes/time unit.
  • Dup expression (equivalent to the TEE target in iptables) for IPv4 and IPv6.
  • VLAN header matching support when the NIC offloads VLAN tag stripping.

4.2

  • New 'netdev' family for filtering at the ingress hook.
  • Context passed to x_tables extensions so they can tell whether they run from nft_compat.

4.1

Major updates in the generic set infrastructure:

  • Concatenations.
  • Timeout per set elements.
  • Comments per set elements.
  • Dynamic set instantiation.

4.0

  • Mostly fixes.

3.19

  • redirect support.

3.18

  • masquerading support.
  • meta cpu, devgroup matching.
  • reject bridge support.
  • destroy a table and its content, i.e. nft flush ruleset.

3.17

  • log and nflog support for ip, ip6, arp and bridge families.

3.16

  • connlabel support.

3.15

  • Comments per rule support.
  • IPv4 reject support.

3.14

  • set packet mark support.
  • nfqueue support (only for ip and ip6 families).
  • rule tracing support.
  • IPv6 and inet reject support.

3.13

  • nf_tables merged mainstream.
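The list above is most useful when a ruleset has to run on more than one kernel. The following script is an added example for this page, not code from the nftables wiki or the nftables project: it compares a kernel version string against the minimum versions listed here (numerically, so that 5.10 is newer than 5.9 and 4.19.10 newer than 4.19.9, which also lets it honour the "connlimit is buggy until 4.19.10" caveat), and emits an inet ruleset that only uses features the given kernel has. The feature keys, the ruleset text, the port and Geneve source address placeholders and the sample kernel strings are this example's own assumptions.

```shell
#!/bin/sh
# Added example for this page; not code from the nftables wiki or the nftables
# project. It gates nft ruleset features on a kernel version using the minimum
# mainline versions listed above. The feature keys, the ruleset text, the
# port/address placeholders and the sample kernel strings are this example's
# own assumptions.

# version_ge HAVE NEED: succeed when HAVE >= NEED. Components are compared as
# numbers, so 5.10 > 5.9 and 4.19.10 > 4.19.9 (a string compare gets both
# wrong). Everything from the first non-digit/non-dot on is dropped, so
# "5.15.0-91-generic" and "6.1.0+" compare as 5.15.0 and 6.1.0.
version_ge() {
    have=${1%%[!0-9.]*}
    need=${2%%[!0-9.]*}
    oldifs=$IFS
    IFS=.
    set -- $have; h1=${1:-0}; h2=${2:-0}; h3=${3:-0}
    set -- $need; n1=${1:-0}; n2=${2:-0}; n3=${3:-0}
    IFS=$oldifs
    [ "$h1" -gt "$n1" ] && return 0
    [ "$h1" -lt "$n1" ] && return 1
    [ "$h2" -gt "$n2" ] && return 0
    [ "$h2" -lt "$n2" ] && return 1
    [ "$h3" -ge "$n3" ]
}

# Minimum mainline kernel for a feature, taken from the list above. The keys
# are this example's own names, not nft syntax.
nft_feature_min_kernel() {
    case $1 in
        flowtable)       echo 4.16 ;;
        connlimit)       echo 4.19.10 ;; # listed under 4.18, buggy until 4.19.10
        nat-inet)        echo 5.2 ;;
        meta-time)       echo 5.4 ;;     # meta time / hour / day
        ingress-inet)    echo 5.10 ;;
        object-comments) echo 5.10 ;;    # comments on tables, chains, sets, ...
        netdev-egress)   echo 5.16 ;;
        inner-header)    echo 6.2 ;;     # udp dport 6081 geneve ip saddr ...
        nft-destroy)     echo 6.3 ;;
        *) return 1 ;;
    esac
}

# nft_feature_supported FEATURE [KERNEL]: KERNEL defaults to the running one.
# Exit status: 0 supported, 1 kernel too old, 2 unknown feature.
nft_feature_supported() {
    min=$(nft_feature_min_kernel "$1") || return 2
    version_ge "${2:-$(uname -r)}" "$min"
}

# build_ruleset KERNEL: print an inet filter ruleset that uses only what
# KERNEL supports. Ports and the Geneve source address are placeholders.
build_ruleset() {
    k=$1
    printf '%s\n' 'table inet filter {'
    if nft_feature_supported object-comments "$k"; then
        printf '    comment "generated for kernel %s"\n' "$k"   # 5.10+
    fi
    printf '%s\n' '    chain input {'
    printf '%s\n' '        type filter hook input priority 0; policy drop;'
    printf '%s\n' '        ct state established,related accept'
    printf '%s\n' '        iif lo accept'
    printf '%s\n' '        tcp dport 22 counter accept'
    if nft_feature_supported meta-time "$k"; then
        # 5.4+: time-of-day match evaluated in the kernel
        printf '%s\n' '        meta hour "09:00"-"17:00" tcp dport 80 accept'
    fi
    if nft_feature_supported inner-header "$k"; then
        # 6.2+: match the inner IP header of Geneve-encapsulated traffic
        printf '%s\n' '        udp dport 6081 geneve ip saddr 10.141.11.2 drop'
    fi
    printf '%s\n' '    }' '}'
}

# check_ruleset: syntax-check a ruleset read from stdin with nft -c when nft
# is installed (the nft userspace must be new enough to parse it, too).
check_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        nft -c -f -
    else
        cat >/dev/null
        echo 'nft not installed; skipping syntax check' >&2
    fi
}

# main KERNEL: print the ruleset for KERNEL, then check it.
main() {
    rules=$(build_ruleset "$1")
    printf '%s\n' "$rules"
    printf '%s\n' "$rules" | check_ruleset
}

# Run only when invoked with a kernel argument, so the file can also be sourced.
[ $# -gt 0 ] && main "$@"
```

Run `sh nft-features.sh 5.15.0-91-generic` to print the ruleset a 5.15 kernel can load and, if nft is installed, syntax-check it with `nft -c`. The gate is deliberately conservative: a distribution kernel may carry backports this list cannot know about, and the nft userspace must also be new enough to parse the syntax it emits (the kernel version says nothing about that; see the CLI updates page linked at the top).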