v0.6.0

Features

• Allow users to name set and use the same set in multiple rules (#314)
• User-defined set keys by combining compatible matchers (#313)
• Handle required and incompatible options in bfcli (#312)
• Add the rule ID to the logged data #309
• Allow counter and log keywords to be used in any order (#335)
• tcp.(d|s)port, udp.(d|s)port can be used as a set key (#329)
• Add support for marking packets (#336)
• Add new matcher to matcher on packet mark (#336)
• Ensure the daemon recovers when an error occurs when processing a request (#333)
• libbpfilter headers can be included in sources building without compiler extensions (#325)

Fixes

• Fix wrongful BPF link pin on program update (#327)
• iptables: properly generate ip4.(s|d)net and ip4.(s|d)addr matchers (#341)
• iptables: fix memory leak when replacing the ruleset (#327)
• iptables: fix the BPF link being discard when a BPF Netfilter program is updated (#327)
• iptables: fix missing hook options when replacing the ruleset (#327)

Developers

• Add a "Contributing" documentation page with all the current @todos (#326)
• Copy the packet size from the program's argument instead of computing it (#310)
• Mark git as optional build dependency (#319)
• Fix error in quick start doc (#317)
• Fix command to rename xxd symbols (#308)
• Do not use xxd -n on EPEL9 (#307)
• Store L3 proto in logs using the host byteorder (#337)
• Build libbpfilter as a shared library #332

Contributors

• @qdeslandes
• @AliGhaffarian (first contribution to the project in this release #317)
• @sudipm-mukherjee (first contribution to the project in this release #319)

Full Changelog: v0.5.0...v0.6.0

v0.5.0

Changes

• Add a new log keyword to log packets matched by a rule by @qdeslandes in #305
• Support IPv6 packets with extension headers by @qdeslandes in #294
• Pretty print matchers payload in bfcli (ruleset|chain) get by @qdeslandes in #299
• Speed up parsing for large ruleset (dynamically compute YY_READ_BUF_SIZE) by @SkohTV in #277
• Print the daemon version during initialization by @qdeslandes in #300

Matchers

• icmp.type and icmp.code by @vinxcls in #283
• icmpv6.type and icmpv6.code by @vinxcls in #294
• meta.probability by @qdeslandes in #285
• ip(4|6).(s|d)net by @qdeslandes in #296
• ip6.nexthdr by @vinxcls in #286

Fixes

• Fix the quick start command available in README.md by @qdeslandes in #263
• Use a lock file to prevent the daemon from starting twice, or fail to start due to leftover socket file by @qdeslandes in #270
• Fix unset rule index by @qdeslandes in #272
• Do not print counters for rules with counters disabled by @qdeslandes in #301
• Fix out-of-bounds write when parsing tcp.flags by @qdeslandes in #302

New Contributors

• @vinxcls made their first contribution in #283

Full Changelog: v0.4.0...v0.5.0

v0.4.0

Changes

• Customize bpffs path by @qdeslandes in #254
• Add support for BPF token by @qdeslandes in #247
• Named chains and add two-steps program definition by @qdeslandes in #241
• bfcli: add ruleset-get with counters by @tommy-u in #221
• Update the required kernel version and UAPI headers to the source tree by @qdeslandes in #240
• Build and test improvements by @qdeslandes in #243
• Use Fedora 42 for CI, disable false positive clang-tidy options by @qdeslandes in #244
• cli: refactor the commands parser by @qdeslandes in #253
• Use argp global variables to generate version flag in bpfilter and bfcli by @SkohTV in #252
• Add a benchmark for chain loading time by @qdeslandes in #256

Fixes

• cgen: fix port range bytecode generation by @qdeslandes in #239
• Fix typo in iptables.rst by @CorentinMre in #248
• Fix typos in documentation/website by @SkohTV in #250
• daemon: do not include bpf/bpf.h in program.c by @qdeslandes in #251
• core: matcher: rename IPv4 addr matcher enum value by @qdeslandes in #258
• core: helper: add BF_FLAGS() macro to generate bitflags by @qdeslandes in #255

New Contributors

• @tommy-u made their first contribution in #221
• @CorentinMre made their first contribution in #248
• @SkohTV made their first contribution in #250

Full Changelog: v0.3.0...v0.4.0

v0.3.0

Changes

• build: mark repository as safe for Git to read history by @qdeslandes in #226
• core: list: allow bf_list_ops to be NULL by @qdeslandes in #227
• Improve the iptables front-end by @qdeslandes in #228
• Improve the end-to-end tests to run each test on every hook by @qdeslandes in #232
• Add support for network and mount namespaces by @qdeslandes in #234
• core: list: add bf_list_move() to safely move an initialized list by @qdeslandes in #229
• tests: unit: only generate lcov.out if docs are build by @qdeslandes in #236
• doc: improve README.md and bpfilter.io landing page by @qdeslandes in #235

Fixes

• Fix benchreport commit details by @qdeslandes in #225
• cgen: ip4: fix IPv4 mask support by @qdeslandes in #231
• modify commands to get a working build from README by @adelavegaf in #233
• cli: set IPv4 masks to network byte order by @qdeslandes in #237
• cgen: fix instructions using proper set index by @qdeslandes in #238

New Contributors

• @adelavegaf made their first contribution in #233

Full Changelog: v0.2.1...v0.3.0

v0.2.0

Features

• Attach Netfilter programs to both IPv4 and IPv6 hooks to filter on both at the same time.
• BPF objects are now pinned under /sys/fs/bpf/bpfilter/bf_$HOOK_$ID directory. $HOOK being a shortcut to the hook's name (see
  _bf_program_genid()), and $ID being a unique ID for the program derived from the chain's properties.
• /sys/fs/bpf/bpfilter will be created when pinning a program and removed if empty when the daemon stops.
• Benchmark results are automatically published to qdeslandes/bpfilter-benchmark-results when the CI runs on main.

Bugs

• Fix typo in meta.l3_proto ICMPv6 protocol keyword: icmpv6 should be used instead of icmp6, as stated by the documentation.
• Fix segfault when using bpfilter with iptables.
• Fix support for BF_HOOK_NF_PRE_ROUTING and BF_HOOK_NF_POST_ROUTING.
• Fix out-of-bound access when copying a BPF map name.

Full changelog: v0.1.0...v0.2.0

v0.1.0

What's Changed

• Add missing header and definitions by @qdeslandes in #2
• Various build fixes by @qdeslandes in #3
• README: detail how to change the interface used by @qdeslandes in #4
• Make bpfilter a standalone userspace daemon by @qdeslandes in #5
• tests: use COUNTER for TestAssert by @qdeslandes in #6
• Add CMake install target by @qdeslandes in #7
• build: fix install on multiarch distros by @qdeslandes in #8
• Add basic CI by @rphibel in #10
• Add transient mode by @qdeslandes in #13
• Add CI workflow by @rphibel in #9
• Add support for BPF dynptr by @qdeslandes in #12
• Fix bpfilter.pc debug link flags by @qdeslandes in #15
• Update README.md to include required Linux version by @qdeslandes in #16
• Add support for Netfilter BPF programs by @qdeslandes in #17
• Bpfilter testing framework by @rphibel in #19
• Update bpfilter runtime directory and prevent BPF objects pinning on --transient run by @qdeslandes in #21
• Replace Criterion with CMocka for unit tests by @qdeslandes in #18
• doc: update kernel and libbpf requirements by @qdeslandes in #22
• build: set minimum CMake version to 3.20 by @qdeslandes in #23
• Various CMake fixes by @daandemeyer in #24
• Various improvement and bug fixes by @qdeslandes in #26
• General improvements by @qdeslandes in #27
• Various improvements by @qdeslandes in #28
• [Readme] add info on how to build and run the tests by @jordalgo in #29
• Enable self-hosted runners by @qdeslandes in #33
• tests: improve unit testing for bf_list by @qdeslandes in #35
• doc: document building and usage of iptables with bpfilter by @qdeslandes in #32
• Publish bpfilter documentation using GitHub pages by @qdeslandes in #36
• doc: update quick start guide in README.md by @qdeslandes in #37
• generator: fix IP header protocol field size by @qdeslandes in #38
• core: use BTF to find kernel structures field offsets by @qdeslandes in #39
• generator: grow instructions buffer when `bpfilter emits a fixup call by @qdeslandes in #40
• generator: add support for local BPF jump contexts by @qdeslandes in #41
• Logging from bpf programs by @qdeslandes in #42
• core: rule: fix prefix for last field dump by @qdeslandes in #43
• doc: remove todo.rst by @qdeslandes in #44
• core: make rule counter optional by @qdeslandes in #45
• generator: add support for codegen update by @qdeslandes in #46
• nftables support: add bf_nfmsg to represent Netfilter Netlink messages by @qdeslandes in #47
• nftables support: add bf_nfgroup for multipart Netlink messages by @qdeslandes in #48
• Fix documentation generation by installing libnl3-devel by @qdeslandes in #49
• xlate: nft: bf_nfgroup automatically set NLM_F_MULTI flag on multipart messages by @qdeslandes in #50
• Add boilerplate for nft front-end for nftables support by @qdeslandes in #51
• build: remove coverage requirement for code that can't be unit tested by @qdeslandes in #53
• Fix strings map pinning and detail support Ubuntu version. by @qdeslandes in #55
• nftables basic offload support by @qdeslandes in #54
• xlate: nft: fix counter support when translating nft bytecode by @qdeslandes in #57
• fix warning: ‘child’ may be used uninitialized by @ikruglov in #58
• Add custom target to build nftables and iptables from bpfilter's CMake by @qdeslandes in #59
• Fix the license identifier by @qdeslandes in #60
• doc: display bpfilter's logo in the sidebar by @qdeslandes in #63
• Fix typo in doc/overview.rst by @orangepanda83 in #62
• doc: list nftables and iptables build dependencies by @qdeslandes in #64
• Refactor log printer used in the generated BPF program to properly restore from serialised data by @qdeslandes in #68
• doc: fix GitHub pages CI by @qdeslandes in #69
• core: prevent crash if data.bin is smaller than bf_marsh structure by @qdeslandes in #70
• Add debug mode by @qdeslandes in #71
• Add CODEOWNERS by @qdeslandes in #72
• tests: add --group command line option to filter test groups by @qdeslandes in #74
• core: introduce bf_matcher structure by @qdeslandes in #75
• core: rule: add support for bf_matcher by @qdeslandes in #76
• Cleanup *_dump() function (and other minor fixes) by @qdeslandes in #77
• Fill bf_rule's matchers from ipt and nft front-ends by @qdeslandes in #78
• generator: matcher: use bf_matcher to create the BPF bytecode by @qdeslandes in #79
• core: rule: remove old matching criteria by @qdeslandes in #80
• doc: add links to FOSDEM 2024 and Scale21x talks by @qdeslandes in #81
• doc: clarify Ubuntu 22.04 LTW HWE situation by @qdeslandes in #84
• build: add Ubuntu 24.04 and Fedora 40 to CI by @qdeslandes in #85
• Refactor the generation of the bytecode to parse and detect a packet's protocols by @qdeslandes in #83
• Add assert_success() and assert_error() to check a function's return value by @qdeslandes in #87
• Refactor program management by @qdeslandes in #88
• Introduce bfcli: a generic command line interface to communicate with the daemon by @qdeslandes in #86
• Consolidate sources by @qdeslandes in #89
• matcher: ip: support ip.(s|d)addr in bfcli by @qdeslandes in #90
• TCP and UDP source/destination port filtering by @qdeslandes in #91
• TCP flags filtering by @qdeslandes in #92
• Fix iptables protocol filtering by @qdeslandes in #93
• doc: add bpfilter usage documentation by @qdeslandes in #94
• build: drop support for Fedora 38 and Ubuntu 23.10 by @qdeslandes in #95
• doc: improve README.md by @qdeslandes in #96
• Typo update - README.md by @shaikhyaser in #97
• IPv6 address filtering support by @qdeslandes in #98
• cli: add copyright header to cli.c by @qdeslandes in #99
• Follow Meta Open Source requirements by @qdeslandes in #100
• Add missing copyright headers, fix clang-format errors, enable mask support for ip6.(s|d)ddr by @qdeslandes in #101
• doc: modify the copyright template for Meta automatic validation by @qdeslandes in #102
• Documentation improvements by @qdeslandes in #107
• Various documentation improvements by @qdeslandes in #108
• First part of sets support by @qdeslandes in #109
• Big clean-up PR! by @qdeslandes in #111
• Support for sets filtering: phase II by @qdeslandes in https://github.com/facebook/bpfilte...