Hi!

The Netfilter project proudly presents:

    nftables 0.9.2

This release contains fixes and new features, available with Linux kernels >= 5.3-rc.

* Transport header port matching, e.g.

    add rule x y ip protocol { tcp, udp } th dport 53

  This allows you to match on transport-layer ports regardless of the layer 4 protocol type. You can also use this from sets, maps and concatenations, e.g.

    table inet filter {
        set myset {
            type ipv4_addr . inet_proto . inet_service
        }

        chain forward {
            type filter hook forward priority filter; policy accept;
            ip daddr . ip protocol . th dport @myset
        }
    }

* Allow to restore expiration for set elements:

    add element ip x y { 1.1.1.1 timeout 30s expires 15s }

* Match on IPv4 options, e.g.

    add rule x y ip option rr exists drop

  You can also match on the type, ptr, length and addr fields of routing options, e.g.

    add rule x y ip option rr type 1 drop

  The lsrr, rr, ssrr and ra IPv4 options are supported.

* Use prefixes and ranges in statements, e.g.

    iifname ens3 snat to 10.0.0.0/28
    iifname ens3 snat to 10.0.0.1-10.0.0.15

* Allow for variables in chain definitions, e.g.

    define default_policy = accept
    add chain ip foo bar { type filter hook input priority filter; policy $default_policy }

  also when specifying the chain priority, either numeric or literal:

    define prio = filter
    define prionum = 10
    define prioffset = "filter - 150"

    add table ip foo
    add chain ip foo bar { type filter hook input priority $prio; }
    add chain ip foo ber { type filter hook input priority $prionum; }
    add chain ip foo bor { type filter hook input priority $prioffset; }

* synproxy support, e.g.

    table ip x {
        chain y {
            type filter hook prerouting priority raw; policy accept;
            tcp dport 8888 tcp flags syn notrack
        }

        chain z {
            type filter hook forward priority filter; policy accept;
            tcp dport 8888 ct state invalid,untracked synproxy mss 1460 wscale 7 timestamp sack-perm
            ct state invalid drop
        }
    }

  The ruleset above places TCP port 8888 behind the synproxy: the prerouting chain exempts incoming SYNs from conntrack, and the forward chain hands those untracked packets to the synproxy, which completes the handshake on behalf of the server before a conntrack entry is created.
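As an added example that is not part of this announcement, the ruleset below combines the transport header matching with a concatenated set and a verdict map (the announcement shows only a set) and the new IPv4 option matching in one inet table. The table, set and map names, the interface name "lan0" and the 192.0.2.0/24 addresses are constructed placeholders; it assumes nftables 0.9.2 on a >= 5.3 kernel.

```nft
# Added example, not from the nftables 0.9.2 announcement.
# Names, the interface "lan0" and 192.0.2.x (TEST-NET-1) addresses are
# constructed placeholders.
table inet filter {
    # Allowed (destination, L4 protocol, port) tuples. Because the key
    # uses "th dport", one element type covers both tcp and udp, so DNS
    # over either transport needs no protocol-specific set.
    set allowed_services {
        type ipv4_addr . inet_proto . inet_service
        elements = { 192.0.2.53 . udp . 53,
                     192.0.2.53 . tcp . 53,
                     192.0.2.80 . tcp . 443 }
    }

    # Verdict map keyed on the same concatenation: a per-service policy
    # that can be extended with "add element" without touching the rules.
    map service_policy {
        type ipv4_addr . inet_proto . inet_service : verdict
        elements = { 192.0.2.10 . tcp . 22  : accept,
                     192.0.2.10 . udp . 161 : drop }
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Packets carrying source-routing IPv4 options are logged and
        # dropped before any port-based decision is taken.
        ip option lsrr exists log prefix "ip-opt-lsrr " drop
        ip option ssrr exists log prefix "ip-opt-ssrr " drop

        ct state established,related accept

        # One lookup for both tcp and udp thanks to "th dport".
        iifname "lan0" ip daddr . ip protocol . th dport @allowed_services accept
        iifname "lan0" ip daddr . ip protocol . th dport vmap @service_policy
    }
}
```

Load it with `nft -f <file>`; a dry run with `nft -c -f <file>` checks the syntax without touching the kernel ruleset. The log prefixes make dropped option-bearing packets easy to pick out of the kernel log.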
* conntrack expectations via ruleset policy, e.g.

    table x {
        ct expectation myexpect {
            protocol tcp
            dport 5432
            timeout 1h
            size 12
            l3proto ip
        }

        chain input {
            type filter hook input priority 0;

            ct state new tcp dport 8888 ct expectation set myexpect
            ct state established,related counter accept
        }
    }

  This ruleset creates an expectation on TCP port 5432 for each new TCP connection to port 8888. The expectation expires after 1 hour, and at most 12 expectations may be pending confirmation at a time.

* The libnftables library now exports only public symbols.

* ... and bug fixes.

See the ChangeLog attached to this email for more details.

You can download it from:

    http://www.netfilter.org/projects/nftables/downloads.html#nftables-0.9.2
    ftp://ftp.netfilter.org/pub/nftables/

To build the code, libnftnl 1.1.4 and libmnl >= 1.0.3 are required:

* http://netfilter.org/projects/libnftnl/index.html
* http://netfilter.org/projects/libmnl/index.html

Visit our wiki page for user documentation at:

* http://wiki.nftables.org

For the manpage reference, check nft(8).

In case of bugs and feature requests, file them via:

* https://bugzilla.netfilter.org

Happy firewalling!