Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
---|---|---|---|---|---|---|
payload-check-icmp-dependency-before-removing-previo.patch | [PATCH] payload: check icmp dependency before removing previous icmp expression nft is too greedy when removing icmp dependencies. 'icmp code 1 type 2' did remove the type when printing. Be more careful and check that the icmp type dependency of the candidate expression (earlier icmp payload expression) has the same type dependency as the new expression. | Florian Westphal <fw@strlen.de> | no | debian | upstream, https://git.netfilter.org/nftables/commit/?533565244d88 | 2021-07-20 |
rule_fix_for_potential_off-by-one_in_cmd_add_loc.patch | rule: Fix for potential off-by-one in cmd_add_loc() Using num_attrs as index means it must be at max one less than the array's size at function start. | Phil Sutter <phil@nwl.cc> | no | | | 2021-06-11 |
cache-rename-chain_htable-to-cache_chain_ht.patch | [PATCH nft 0.9.8] cache: rename chain_htable to cache_chain_ht upstream 3542e49cf539ecfcef6ef7c2d4befb7896ade2cd commit. Rename the hashtable chain that is used for fast cache lookups. | Pablo Neira Ayuso <pablo@netfilter.org> | no | | | 2021-04-01 |
src-split-chain-list-in-table.patch | [PATCH nft 0.9.8] src: split chain list in table upstream a3ac2527724dd27628e12caaa55f731b109e4586 commit. This patch splits table->lists in two: - Chains that reside in the cache are stored in the new tables->cache_chain and tables->cache_chain_ht. The hashtable chain cache allows for fast chain lookups. - Chains that are defined via command line / ruleset file reside in tables->chains. Note that chains in the cache (already in the kernel) are not placed in the table->chains. By keeping separated lists, chains defined via command line / ruleset file can be added to cache. | Pablo Neira Ayuso <pablo@netfilter.org> | no | | | 2021-04-01 |
evaluate-init-cmd-pointer-for-new-on-stack-context.patch | [PATCH nft 0.9.8] evaluate: init cmd pointer for new on-stack context upstream 4e718641397c876315a87db441afc53139863122 commit else, this will segfault when trying to print the "table 'x' doesn't exist" error message. | Florian Westphal <fw@strlen.de> | no | | | 2022-03-04 |
rule-add-helper-function-to-expand-chain-rules-into-.patch | [PATCH nft 0.9.8] rule: add helper function to expand chain rules into commands upstream 784597a4ed63b9decb10d74fdb49a1b021e22728 commit. This patch adds a helper function to expand chain rules into commands. This comes in preparation for the follow up patch. | Pablo Neira Ayuso <pablo@netfilter.org> | no | | | 2023-09-12 |
rule-expand-standalone-chain-that-contains-rules.patch | [PATCH nft 0.9.8] rule: expand standalone chain that contains rules upstream 27c753e4a8d4744f479345e3f5e34cafef751602 commit. Otherwise rules that this chain contains are ignored when expressed using the following syntax: chain inet filter input2 { type filter hook input priority filter; policy accept; ip saddr 1.2.3.4 tcp dport { 22, 443, 123 } drop } When expanding the chain, remove the rule so the new CMD_OBJ_CHAIN case does not expand it again. | Pablo Neira Ayuso <pablo@netfilter.org> | no | | | 2023-02-06 |
src-expand-table-command-before-evaluation.patch | [PATCH nft 0.9.8] src: expand table command before evaluation upstream 3975430b12d97c92cdf03753342f2269153d5624 commit. The nested syntax notation results in one single table command which includes all other objects. This differs from the flat notation where there is usually one command per object. This patch adds a previous step to the evaluation phase to expand the objects that are contained in the table into independent commands, so both notations have similar representations. Remove the code to evaluate the nested representation in the evaluation phase since commands are independently evaluated after the expansion. The commands are expanded after the set element collapse step, in case that there is a long list of singleton element commands to be added to the set, to shorten the command list iteration. This approach also avoids interference with the object cache that is populated in the evaluation, which might refer to objects coming in the existing command list that is being processed. There is still a post_expand phase to detach the elements from the set which could be consolidated by updating the evaluation step to handle the CMD_OBJ_SETELEMS command type. This patch fixes 27c753e4a8d4 ("rule: expand standalone chain that contains rules") which broke rule addition/insertion by index because the expansion code after the evaluation messes up the cache. | Pablo Neira Ayuso <pablo@netfilter.org> | no | | | 2023-09-12 |