[network/utils & libs] version bump nftables 0.9.3 & libnftnl 1.1.5

At the beginning of December '19, upstream source development released:

  • nftables 0.9.3 [1]
  • libnftnl 1.1.5 [2]

Since each provides fixes for existing functionality, it would be appreciated if a developer could be obliged to sponsor a PR for master and 19.07.


changelog nftables

Ander Juaristi (4):
netfilter: support for element deletion
evaluate: New internal helper __expr_evaluate_range
meta: Introduce new conditions 'time', 'day' and 'hour'
tests: add meta time test cases

Christian Göttsche (3):
statement: make secmark statements idempotent
src: add ability to set/get secmarks to/from connection
files: add example secmark config

Eric Garver (6):
cache: fix --echo with index/position
tests: shell: check that rule add with index works with echo
tests: shell: verify huge transaction returns expected number of rules
tests: shell: add huge JSON transaction
tests: shell: add huge transaction from firewalld
parser_json: fix crash on insert rule to bad references

Eric Jallot (10):
src: secmark: fix brace indentation and missing quotes in selctx output
src: parser_json: fix crash while restoring secmark object
src: obj: fix memleak in handle_free()
tests: shell: fix failed tests due to missing quotes
obj: fix memleak in parser_bison.y
flowtable: fix memleak in exit path
src: flowtable: add support for named flowtable listing
doc: fix missing family in plural forms list command.
src: flowtable: add support for delete command by handle
scanner: fix out-of-bound memory write in include_file()

Fernando Fernandez Mancera (5):
netlink_delinearize: fix wrong conversion to "list" in ct mark
src: add synproxy stateful object support
json: fix type mismatch on "ct expect" json exporting
json: tests: fix typo in ct expectation json test
tests: add stateful object update operation test

Florian Westphal (6):
src: json: add support for element deletion
src: evaluate: catch invalid 'meta day' values in eval step
evaluate: flag fwd and queue statements as terminal
src: meter: avoid double-space in list ruleset output
tests: check we can use "dynamic" set for lookups
expression: extend 'nft describe' to allow listing data types

Jeremy Sowden (11):
configure: remove unused AC_SUBST macros.
cli: remove unused declaration.
cli: add linenoise CLI implementation.
src: use -T as the short option for --numeric-time.
src: add --terse to suppress output of set elements.
doc: add missing output flag documentation.
main: add missing OPT_NUMERIC_PROTO long option.
main: remove duplicate output flag assignment.
py: add missing output flags.
src: add and use set_is_meter helper
doc: fix inconsistency in set statement documentation.

Michal Rostecki (1):
mnl: Fix -Wimplicit-function-declaration warnings

Pablo Neira Ayuso (15):
tests: shell: use-after-free from abort path
mnl: fix --echo buffer size again
libnftables: use-after-free in exit path
mnl: do not cache sender buffer size
tests: shell: delete flowtable after flush chain
libnftables: memleak when list of commands is empty
segtree: always close interval in non-anonymous sets
datatype: display description for header field < 8 bits
src: define flowtable device compound as a list
src: restore --echo with anonymous sets
src: add multidevice support for netdev chain
tests: shell: set reference from variable definition
segtree: restore automerge
netlink: off-by-one write in netdev chain device array
build: Bump version to v0.9.3

Phil Sutter (25):
parser_bison: Fix 'exists' keyword on Big Endian
mnl: Don't use nftnl_set_set()
monitor: Add missing newline to error message
tests/monitor: Fix for changed ct timeout format
rule: Fix for single line ct timeout printing
parser_json: Fix checking of parse_policy() return code
tproxy: Add missing error checking when parsing from netlink
main: Fix for misleading error with negative chain priority
Revert "main: Fix for misleading error with negative chain priority"
tests/py: Fix test script for Python3 tempfile
mnl: Replace use of untyped nftnl data setters
doc: Drop incorrect requirement for nft configs
libnftables: Store top_scope in struct nft_ctx
meta: Rewrite hour_type_print()
segtree: Check ranges when deleting elements
segtree: Fix get element for little endian ranges
cache: Reduce caching for get command
parser_bison: Avoid set references in odd places
files: Install sample scripts from files/examples
files: Drop shebangs from config files
scanner: Introduce numberstring
nft.8: Describe numgen expression
nft.8: Fix nat family spec position
tests/py: Set a fixed timezone in nft-test.py
segtree: Fix add and delete of element in same batch

Sergei Trofimovich (1):
nftables: don't crash in 'list ruleset' if policy is not set

Sven Auhagen (1):
mnl: remove artificial cap on 8 devices per flowtable

wenxu (1):
meta: add ibrpvid and ibrvproto support

changelog libnftnl

Ander Juaristi (2):
expr: meta: Make NFT_META_TIME_{NS, DAY, HOUR} known
expr: meta: Make NFT_DYNSET_OP_DELETE known

Eric Jallot (1):
flowtable: add support for handle attribute

Fernando Fernandez Mancera (1):
src: synproxy stateful object support

Manuel Messner (1):
flowtable: Fix symbol export for clang

Pablo Neira Ayuso (4):
flowtable: device array dynamic allocation
chain: multi-device support
flowtable: remove NFTA_FLOWTABLE_SIZE
build: libnftnl 1.1.5 release

Phil Sutter (11):
set: Export nftnl_set_list_lookup_byname()
obj: ct_timeout: Check return code of mnl_attr_parse_nested()
set_elem: Fix return code of nftnl_set_elem_set()
obj/tunnel: Fix for undefined behaviour
set: Don't bypass checks in nftnl_set_set_u{32,64}()
obj/ct_timeout: Avoid array overrun in timeout_parse_attr_data()
set_elem: Validate nftnl_set_elem_set() parameters
obj/ct_timeout: Fix NFTA_CT_TIMEOUT_DATA parser
libnftnl.map: Export nftnl_{obj,flowtable}_set_data()
Deprecate untyped data setters
utils: Define __visible even if not supported by compiler


[1] https://netfilter.org/news.html#2019-12-02-d
[2] https://netfilter.org/news.html#2019-12-02

My personal experience with open source projects is that if you have a personal itch, it is often quicker if you scratch it yourself. Getting someone else to scratch it for you is dependent upon them finding the itch sufficiently insistent.

You may find a kind-hearted person who can do the bump 'blind' and without a use case, but I have personally been bitten a few times doing 'innocuous bumps' on packages that I don't use and having things come back to bite me.

Not every user has the capability to submit a PR.


Sure, the user's dependency on the package maintainer is clear. Tough luck if the maintainer is not considering it worthwhile to go along.


Others may use the packages in question, however, yet might not necessarily be in a position to contribute to package maintenance in the distro's repo. There might be developers who maintain packages they do not deploy on their production nodes, except perhaps for testing purposes on testing nodes.

On the other hand, it would seem that FW4 is on the agenda for this year, which supposedly deploys either or both packages and thus might be a good reason to keep up with the source code development.