Debian Patches

Status for nftables/1.0.6-2+deb12u2

Patch Description Author Forwarded Bugs Origin Last update
0001-debian-bug-1038724.patch cache: include set elements in "nft set list"
Make "nft list sets" include set elements in listing by default.
In nftables 1.0.0, "nft list sets" did not include the set elements,
but with "--json" they were included.

1.0.1 and newer never include them.
This causes a problem for people updating from 1.0.0 and relying
on the presence of the set elements.

Change nftables to always include the set elements.
The "--terse" option is honored to get the "no elements" behaviour.
Florian Westphal <fw@strlen.de> no 2023-06-18
invalid-octal-fix.patch fix handling of invalid octal strings.
nft treats numeric strings beginning with a leading zero as octal, even if they
contain non-octal digits (8 or 9), truncating the string as soon as one of
these is reached. Thus the string "0308" will be incorrectly parsed as 24.
This patch causes nft to reject such strings instead.
Jeremy Sowden <jeremy@azazel.net> yes debian upstream 2023-01-26
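The failure mode described in the patch entry above (a leading-zero string silently truncated at the first non-octal digit, so "0308" becomes 24) is a general one for any C code that infers the base from a prefix and then trusts strtoul-style parsing without checking where it stopped. The following is an added example, not nftables source and not the patch itself: a lenient parser that reproduces the described truncation, beside a strict parser that rejects such strings the way the patch description says nft now does. Function names, the constructed sample inputs, and the base-selection rule (0x → hex, leading 0 → octal, else decimal) are assumptions made for this illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Lenient parser (illustrative, not nft's code): base 0 lets strtoull pick
 * octal from the leading zero, then it stops silently at the first digit
 * that is not 0-7.  "0308" therefore parses as 030 == 24 and the trailing
 * "8" is ignored -- the behaviour the patch description calls incorrect. */
bool parse_number_lenient(const char *s, uint64_t *out)
{
    char *end;
    errno = 0;
    uint64_t v = strtoull(s, &end, 0);
    if (errno != 0 || end == s)
        return false;
    *out = v;
    return true;   /* no check that *end == '\0' */
}

/* Strict parser (illustrative hardened form): choose the base explicitly,
 * refuse whitespace, signs and a second "0x", and require that the whole
 * string was consumed.  "0308" is rejected instead of truncated. */
bool parse_number_strict(const char *s, uint64_t *out)
{
    const char *p = s;
    int base = 10;

    if (s == NULL || *s == '\0')
        return false;

    if (p[0] == '0' && (p[1] == 'x' || p[1] == 'X')) {
        base = 16;
        p += 2;
        if (p[0] == '0' && (p[1] == 'x' || p[1] == 'X'))
            return false;           /* "0x0x1": strtoull would accept it */
    } else if (p[0] == '0' && p[1] != '\0') {
        base = 8;                   /* leading zero => octal, as nft does */
        p += 1;
    }

    /* strtoull skips leading blanks and accepts a sign; we do not. */
    if (!isxdigit((unsigned char)*p))
        return false;

    char *end;
    errno = 0;
    uint64_t v = strtoull(p, &end, base);
    if (errno != 0)                  /* ERANGE: value does not fit */
        return false;
    if (end == p || *end != '\0')    /* no digits, or trailing junk ("0308") */
        return false;

    *out = v;
    return true;
}

/* Stand-alone demo over constructed inputs; the tests call the parsers directly. */
int main(void)
{
    const char *samples[] = { "0308", "030", "08", "0x1f", "255", "0", "", "0x", " 12", "-1" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint64_t lv = 0, sv = 0;
        bool lok = parse_number_lenient(samples[i], &lv);
        bool sok = parse_number_strict(samples[i], &sv);
        printf("%-6s lenient: %s %llu   strict: %s %llu\n", samples[i],
               lok ? "ok   " : "reject", (unsigned long long)lv,
               sok ? "ok   " : "reject", (unsigned long long)sv);
    }
    return 0;
}
```

The check that matters is `*end != '\0'` after the conversion: a parser that inspects only errno and the returned value cannot tell "030" from "0308". Rejecting rather than truncating also closes the class of mistakes where a rule written for port or address "0308" silently becomes a rule for 24.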
rule-add-helper-function-to-expand-chain-rules-into-.patch [PATCH 1/3,nft] rule: add helper function to expand chain rules into commands

[ upstream commit 784597a4ed63b9decb10d74fdb49a1b021e22728 ]

This patch adds a helper function to expand chain rules into commands.
This comes in preparation for the follow up patch.
Pablo Neira Ayuso <pablo@netfilter.org> no 2023-02-06
rule-expand-standalone-chain-that-contains-rules.patch [PATCH 2/3,nft] rule: expand standalone chain that contains rules
[ upstream 27c753e4a8d4744f479345e3f5e34cafef751602 commit ]

Otherwise rules that this chain contains are ignored when expressed
using the following syntax:

chain inet filter input2 {
type filter hook input priority filter; policy accept;
ip saddr 1.2.3.4 tcp dport { 22, 443, 123 } drop
}

When expanding the chain, remove the rule so the new CMD_OBJ_CHAIN
case does not expand it again.
Pablo Neira Ayuso <pablo@netfilter.org> no 2023-02-06
src-expand-table-command-before-evaluation.patch [PATCH 3/3,nft] src: expand table command before evaluation
[ upstream 3975430b12d97c92cdf03753342f2269153d5624 commit ]

The nested syntax notation results in one single table command which
includes all other objects. This differs from the flat notation where
there is usually one command per object.

This patch adds a previous step to the evaluation phase to expand the
objects that are contained in the table into independent commands, so
both notations have similar representations.

Remove the code to evaluate the nested representation in the evaluation
phase since commands are independently evaluated after the expansion.

The commands are expanded after the set element collapse step, in case
that there is a long list of singleton element commands to be added to
the set, to shorten the command list iteration.

This approach also avoids interference with the object cache that is
populated in the evaluation, which might refer to objects coming in the
existing command list that is being processed.

There is still a post_expand phase to detach the elements from the set
which could be consolidated by updating the evaluation step to handle
the CMD_OBJ_SETELEMS command type.

This patch fixes 27c753e4a8d4 ("rule: expand standalone chain that
contains rules") which broke rule addition/insertion by index because
the expansion code after the evaluation messes up the cache.
Pablo Neira Ayuso <pablo@netfilter.org> no 2023-02-23
