import nftables-0.9.8-12.el9

SOURCES/0021-json-Simplify-non-tcpopt-exthdr-printing-a-bit.patch

@@ -0,0 +1,49 @@
+From 92f73f85dbd6559905679133cdf61e70004c805d Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Tue, 4 May 2021 13:18:11 +0200
+Subject: [PATCH] json: Simplify non-tcpopt exthdr printing a bit
+
+This was just duplicate code apart from the object's name.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit fd81d3ec3ae8b8d1d54a708d63b2dab2c8508c90)
+---
+ src/json.c | 18 +++++++-----------
+ 1 file changed, 7 insertions(+), 11 deletions(-)
+
+diff --git a/src/json.c b/src/json.c
+index 1fb5015124e16..6607d83f4e8f8 100644
+--- a/src/json.c
++++ b/src/json.c
+@@ -696,21 +696,17 @@ json_t *exthdr_expr_json(const struct expr *expr, struct output_ctx *octx)
+ 
+ 		return json_pack("{s:o}", "tcp option", root);
+ 	}
+-	if (expr->exthdr.op == NFT_EXTHDR_OP_IPV4) {
+-		root = json_pack("{s:s}", "name", desc);
+ 
+-		if (!is_exists)
+-			json_object_set_new(root, "field", json_string(field));
+-
+-		return json_pack("{s:o}", "ip option", root);
+-	}
+-
+-	root = json_pack("{s:s}",
+-			 "name", desc);
++	root = json_pack("{s:s}", "name", desc);
+ 	if (!is_exists)
+ 		json_object_set_new(root, "field", json_string(field));
+ 
+-	return json_pack("{s:o}", "exthdr", root);
++	switch (expr->exthdr.op) {
++	case NFT_EXTHDR_OP_IPV4:
++		return json_pack("{s:o}", "ip option", root);
++	default:
++		return json_pack("{s:o}", "exthdr", root);
++	}
+ }
+ 
+ json_t *verdict_expr_json(const struct expr *expr, struct output_ctx *octx)
+-- 
+2.33.0
+

SOURCES/0022-scanner-introduce-start-condition-stack.patch

@@ -0,0 +1,167 @@
+From 80f3c19bc1b989ab7ba2b917193e8bd3f998ba39 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Mon, 8 Mar 2021 18:18:33 +0100
+Subject: [PATCH] scanner: introduce start condition stack
+
+Add a small initial chunk of flex start conditionals.
+
+This starts with two low-hanging fruits, numgen and j/symhash.
+
+NUMGEN and HASH start conditions are entered from flex when
+the corresponding expression token is encountered.
+
+Flex returns to the INIT condition when the bison parser
+has seen a complete numgen/hash statement.
+
+This intentionally uses a stack rather than BEGIN()
+to eventually support nested states.
+
+The scanner_pop_start_cond() function argument is not used yet, but
+will need to be used later to deal with nesting.
+
+Signed-off-by: Florian Westphal <fw@strlen.de>
+(cherry picked from commit 5896772fe3c5f01696188ea04957a825ee601b12)
+---
+ include/parser.h   |  8 ++++++++
+ src/parser_bison.y | 11 +++++++----
+ src/scanner.l      | 36 +++++++++++++++++++++++++++++-------
+ 3 files changed, 44 insertions(+), 11 deletions(-)
+
+diff --git a/include/parser.h b/include/parser.h
+index 9baa3a4db789f..b2ebd7aa226c5 100644
+--- a/include/parser.h
++++ b/include/parser.h
+@@ -26,6 +26,12 @@ struct parser_state {
+ 	struct list_head		*cmds;
+ };
+ 
++enum startcond_type {
++	PARSER_SC_BEGIN,
++	PARSER_SC_EXPR_HASH,
++	PARSER_SC_EXPR_NUMGEN,
++};
++
+ struct mnl_socket;
+ 
+ extern void parser_init(struct nft_ctx *nft, struct parser_state *state,
+@@ -45,4 +51,6 @@ extern void scanner_push_buffer(void *scanner,
+ 				const struct input_descriptor *indesc,
+ 				const char *buffer);
+ 
++extern void scanner_pop_start_cond(void *scanner, enum startcond_type sc);
++
+ #endif /* NFTABLES_PARSER_H */
+diff --git a/src/parser_bison.y b/src/parser_bison.y
+index 8644f66106496..da3fafcd1eeb1 100644
+--- a/src/parser_bison.y
++++ b/src/parser_bison.y
+@@ -857,6 +857,9 @@ opt_newline		:	NEWLINE
+ 		 	|	/* empty */
+ 			;
+ 
++close_scope_hash	: { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_HASH); };
++close_scope_numgen	: { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_NUMGEN); };
++
+ common_block		:	INCLUDE		QUOTED_STRING	stmt_separator
+ 			{
+ 				if (scanner_include_file(nft, scanner, $2, &@$) < 0) {
+@@ -4811,7 +4814,7 @@ numgen_type		:	INC		{ $$ = NFT_NG_INCREMENTAL; }
+ 			|	RANDOM		{ $$ = NFT_NG_RANDOM; }
+ 			;
+ 
+-numgen_expr		:	NUMGEN	numgen_type	MOD	NUM	offset_opt
++numgen_expr		:	NUMGEN	numgen_type	MOD	NUM	offset_opt	close_scope_numgen
+ 			{
+ 				$$ = numgen_expr_alloc(&@$, $2, $4, $5);
+ 			}
+@@ -4868,17 +4871,17 @@ xfrm_expr		:	IPSEC	xfrm_dir	xfrm_spnum	xfrm_state_key
+ 			}
+ 			;
+ 
+-hash_expr		:	JHASH		expr	MOD	NUM	SEED	NUM	offset_opt
++hash_expr		:	JHASH		expr	MOD	NUM	SEED	NUM	offset_opt	close_scope_hash
+ 			{
+ 				$$ = hash_expr_alloc(&@$, $4, true, $6, $7, NFT_HASH_JENKINS);
+ 				$$->hash.expr = $2;
+ 			}
+-			|	JHASH		expr	MOD	NUM	offset_opt
++			|	JHASH		expr	MOD	NUM	offset_opt	close_scope_hash
+ 			{
+ 				$$ = hash_expr_alloc(&@$, $4, false, 0, $5, NFT_HASH_JENKINS);
+ 				$$->hash.expr = $2;
+ 			}
+-			|	SYMHASH		MOD	NUM	offset_opt
++			|	SYMHASH		MOD	NUM	offset_opt	close_scope_hash
+ 			{
+ 				$$ = hash_expr_alloc(&@$, $3, false, 0, $4, NFT_HASH_SYM);
+ 			}
+diff --git a/src/scanner.l b/src/scanner.l
+index 8bde1fbe912d8..ec8f252fbc8c8 100644
+--- a/src/scanner.l
++++ b/src/scanner.l
+@@ -98,6 +98,8 @@ static void reset_pos(struct parser_state *state, struct location *loc)
+ 	state->indesc->column		= 1;
+ }
+ 
++static void scanner_push_start_cond(void *scanner, enum startcond_type type);
++
+ #define YY_USER_ACTION {					\
+ 	update_pos(yyget_extra(yyscanner), yylloc, yyleng);	\
+ 	update_offset(yyget_extra(yyscanner), yylloc, yyleng);	\
+@@ -193,6 +195,9 @@ addrstring	({macaddr}|{ip4addr}|{ip6addr})
+ %option yylineno
+ %option nodefault
+ %option warn
++%option stack
++%s SCANSTATE_EXPR_HASH
++%s SCANSTATE_EXPR_NUMGEN
+ 
+ %%
+ 
+@@ -551,15 +556,21 @@ addrstring	({macaddr}|{ip4addr}|{ip6addr})
+ "state"			{ return STATE; }
+ "status"		{ return STATUS; }
+ 
+-"numgen"		{ return NUMGEN; }
+-"inc"			{ return INC; }
+-"mod"			{ return MOD; }
+-"offset"		{ return OFFSET; }
++"numgen"		{ scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_NUMGEN); return NUMGEN; }
++<SCANSTATE_EXPR_NUMGEN>{
++	"inc"		{ return INC; }
++}
+ 
+-"jhash"			{ return JHASH; }
+-"symhash"		{ return SYMHASH; }
+-"seed"			{ return SEED; }
++"jhash"			{ scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_HASH); return JHASH; }
++"symhash"		{ scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_HASH); return SYMHASH; }
+ 
++<SCANSTATE_EXPR_HASH>{
++	"seed"		{ return SEED; }
++}
++<SCANSTATE_EXPR_HASH,SCANSTATE_EXPR_NUMGEN>{
++	"mod"		{ return MOD; }
++	"offset"	{ return OFFSET; }
++}
+ "dup"			{ return DUP; }
+ "fwd"			{ return FWD; }
+ 
+@@ -973,3 +984,14 @@ void scanner_destroy(struct nft_ctx *nft)
+ 	input_descriptor_list_destroy(state);
+ 	yylex_destroy(nft->scanner);
+ }
++
++static void scanner_push_start_cond(void *scanner, enum startcond_type type)
++{
++	yy_push_state((int)type, scanner);
++}
++
++void scanner_pop_start_cond(void *scanner, enum startcond_type t)
++{
++	yy_pop_state(scanner);
++	(void)yy_top_state(scanner); /* suppress gcc warning wrt. unused function */
++}
+-- 
+2.33.0
+

SOURCES/0023-scanner-sctp-Move-to-own-scope.patch

@@ -0,0 +1,93 @@
+From 5009b467a06a86f5dcc3218fb860cd81bc5e067f Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Tue, 4 May 2021 13:06:32 +0200
+Subject: [PATCH] scanner: sctp: Move to own scope
+
+This isolates only "vtag" token for now.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+(cherry picked from commit 0925d7e214825628e7db4a86d5ebbad578ab0777)
+
+ Conflicts:
+	include/parser.h
+	src/parser_bison.y
+	src/scanner.l
+ -> Context changes due to missing other scopes.
+---
+ include/parser.h   | 1 +
+ src/parser_bison.y | 5 +++--
+ src/scanner.l      | 8 ++++++--
+ 3 files changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/include/parser.h b/include/parser.h
+index b2ebd7aa226c5..4e7b4ef430966 100644
+--- a/include/parser.h
++++ b/include/parser.h
+@@ -28,6 +28,7 @@ struct parser_state {
+ 
+ enum startcond_type {
+ 	PARSER_SC_BEGIN,
++	PARSER_SC_SCTP,
+ 	PARSER_SC_EXPR_HASH,
+ 	PARSER_SC_EXPR_NUMGEN,
+ };
+diff --git a/src/parser_bison.y b/src/parser_bison.y
+index da3fafcd1eeb1..383908fa3742f 100644
+--- a/src/parser_bison.y
++++ b/src/parser_bison.y
+@@ -859,6 +859,7 @@ opt_newline		:	NEWLINE
+ 
+ close_scope_hash	: { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_HASH); };
+ close_scope_numgen	: { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_NUMGEN); };
++close_scope_sctp	: { scanner_pop_start_cond(nft->scanner, PARSER_SC_SCTP); };
+ 
+ common_block		:	INCLUDE		QUOTED_STRING	stmt_separator
+ 			{
+@@ -4620,7 +4621,7 @@ primary_rhs_expr	:	symbol_expr		{ $$ = $1; }
+ 							 BYTEORDER_HOST_ENDIAN,
+ 							 sizeof(data) * BITS_PER_BYTE, &data);
+ 			}
+-			|	SCTP
++			|	SCTP	close_scope_sctp
+ 			{
+ 				uint8_t data = IPPROTO_SCTP;
+ 				$$ = constant_expr_alloc(&@$, &inet_protocol_type,
+@@ -5345,7 +5346,7 @@ dccp_hdr_field		:	SPORT		{ $$ = DCCPHDR_SPORT; }
+ 			|	TYPE		{ $$ = DCCPHDR_TYPE; }
+ 			;
+ 
+-sctp_hdr_expr		:	SCTP	sctp_hdr_field
++sctp_hdr_expr		:	SCTP	sctp_hdr_field	close_scope_sctp
+ 			{
+ 				$$ = payload_expr_alloc(&@$, &proto_sctp, $2);
+ 			}
+diff --git a/src/scanner.l b/src/scanner.l
+index ec8f252fbc8c8..c8e74e685f3d7 100644
+--- a/src/scanner.l
++++ b/src/scanner.l
+@@ -196,6 +196,7 @@ addrstring	({macaddr}|{ip4addr}|{ip6addr})
+ %option nodefault
+ %option warn
+ %option stack
++%s SCANSTATE_SCTP
+ %s SCANSTATE_EXPR_HASH
+ %s SCANSTATE_EXPR_NUMGEN
+ 
+@@ -491,8 +492,11 @@ addrstring	({macaddr}|{ip4addr}|{ip6addr})
+ 
+ "dccp"			{ return DCCP; }
+ 
+-"sctp"			{ return SCTP; }
+-"vtag"			{ return VTAG; }
++"sctp"			{ scanner_push_start_cond(yyscanner, SCANSTATE_SCTP); return SCTP; }
++
++<SCANSTATE_SCTP>{
++	"vtag"			{ return VTAG; }
++}
+ 
+ "rt"			{ return RT; }
+ "rt0"			{ return RT0; }
+-- 
+2.33.0
+

SOURCES/0025-include-missing-sctp_chunk.h-in-Makefile.am.patch

@@ -0,0 +1,29 @@
+From fe19063ce09d40ea94bf57c4af8b6c121aaf89e8 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Tue, 25 May 2021 14:04:36 +0200
+Subject: [PATCH] include: missing sctp_chunk.h in Makefile.am
+
+Fix make distcheck.
+
+Fixes: 0e3871cfd9a1 ("exthdr: Implement SCTP Chunk matching")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+(cherry picked from commit 117ceb4f527119a6d44bf5e23f2ff7a8d116658a)
+---
+ include/Makefile.am | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/include/Makefile.am b/include/Makefile.am
+index 42f24f35ce7a5..4cd907380ebaa 100644
+--- a/include/Makefile.am
++++ b/include/Makefile.am
+@@ -31,6 +31,7 @@ noinst_HEADERS = 	cli.h		\
+ 			osf.h		\
+ 			parser.h	\
+ 			proto.h		\
++			sctp_chunk.h	\
+ 			socket.h	\
+ 			rule.h		\
+ 			rt.h		\
+-- 
+2.33.0
+

SOURCES/0026-evaluate-fix-inet-nat-with-no-layer-3-info.patch

@@ -0,0 +1,41 @@
+From 0c371aeab906b6e65c4c86174cbe2fbca02891d1 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Tue, 20 Jul 2021 18:59:44 +0200
+Subject: [PATCH] evaluate: fix inet nat with no layer 3 info
+
+nft currently reports:
+
+ Error: Could not process rule: Protocol error
+ add rule inet x y meta l4proto tcp dnat to :80
+                                    ^^^^
+
+default to NFPROTO_INET family, otherwise kernel bails out EPROTO when
+trying to load the conntrack helper.
+
+Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1428
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+(cherry picked from commit 9a36033ce50638a403d1421935cdd1287ee5de6b)
+---
+ src/evaluate.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/evaluate.c b/src/evaluate.c
+index bba685af720ed..73d6fd0e89bc2 100644
+--- a/src/evaluate.c
++++ b/src/evaluate.c
+@@ -2896,9 +2896,10 @@ static int nat_evaluate_family(struct eval_ctx *ctx, struct stmt *stmt)
+ 			stmt->nat.family = ctx->pctx.family;
+ 		return 0;
+ 	case NFPROTO_INET:
+-		if (!stmt->nat.addr)
++		if (!stmt->nat.addr) {
++			stmt->nat.family = NFPROTO_INET;
+ 			return 0;
+-
++		}
+ 		if (stmt->nat.family != NFPROTO_UNSPEC)
+ 			return 0;
+ 
+-- 
+2.34.1
+

SOURCES/0027-tests-py-add-dnat-to-port-without-defining-destinati.patch

@@ -0,0 +1,75 @@
+From 00d3745306aa87eeb2466dbb5e6958225de3354f Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Thu, 22 Jul 2021 17:43:56 +0200
+Subject: [PATCH] tests: py: add dnat to port without defining destination
+ address
+
+Add a test to cover dnat to port without destination address.
+
+Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1428
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+(cherry picked from commit 0f27e258b37a592233d6ad5381cd1fae65e57514)
+---
+ tests/py/inet/dnat.t         |  1 +
+ tests/py/inet/dnat.t.json    | 20 ++++++++++++++++++++
+ tests/py/inet/dnat.t.payload |  7 +++++++
+ 3 files changed, 28 insertions(+)
+
+diff --git a/tests/py/inet/dnat.t b/tests/py/inet/dnat.t
+index b460af3925570..e4e169f2bc3ec 100644
+--- a/tests/py/inet/dnat.t
++++ b/tests/py/inet/dnat.t
+@@ -6,6 +6,7 @@ iifname "foo" tcp dport 80 redirect to :8080;ok
+ 
+ iifname "eth0" tcp dport 443 dnat ip to 192.168.3.2;ok
+ iifname "eth0" tcp dport 443 dnat ip6 to [dead::beef]:4443;ok
++meta l4proto tcp dnat to :80;ok;meta l4proto 6 dnat to :80
+ 
+ dnat ip to ct mark map { 0x00000014 : 1.2.3.4};ok
+ dnat ip to ct mark . ip daddr map { 0x00000014 . 1.1.1.1 : 1.2.3.4};ok
+diff --git a/tests/py/inet/dnat.t.json b/tests/py/inet/dnat.t.json
+index 1b8aba6297d36..c341a0455fea1 100644
+--- a/tests/py/inet/dnat.t.json
++++ b/tests/py/inet/dnat.t.json
+@@ -219,3 +219,23 @@
+     }
+ ]
+ 
++# meta l4proto tcp dnat to :80
++[
++    {
++        "match": {
++            "left": {
++                "meta": {
++                    "key": "l4proto"
++                }
++            },
++            "op": "==",
++            "right": 6
++        }
++    },
++    {
++        "dnat": {
++            "port": 80
++        }
++    }
++]
++
+diff --git a/tests/py/inet/dnat.t.payload b/tests/py/inet/dnat.t.payload
+index a741b9cbdb8d7..be5baf8fd4b47 100644
+--- a/tests/py/inet/dnat.t.payload
++++ b/tests/py/inet/dnat.t.payload
+@@ -77,3 +77,10 @@ inet
+   [ immediate reg 2 0x00005000 ]
+   [ nat dnat ip addr_min reg 1 addr_max reg 0 proto_min reg 2 proto_max reg 0 flags 0x2 ]
+ 
++# meta l4proto tcp dnat to :80
++inet
++  [ meta load l4proto => reg 1 ]
++  [ cmp eq reg 1 0x00000006 ]
++  [ immediate reg 1 0x00005000 ]
++  [ nat dnat inet proto_min reg 1 flags 0x2 ]
++
+-- 
+2.34.1
+

SOURCES/0028-evaluate-pick-data-element-byte-order-not-dtype-one.patch

@@ -0,0 +1,36 @@
+From d5525024223f324c71edb9135f1938745d45acee Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Wed, 3 Feb 2021 17:57:06 +0100
+Subject: [PATCH] evaluate: pick data element byte order, not dtype one
+
+Some expressions have integer base type, not a specific one, e.g. 'ct zone'.
+In that case nft used the wrong byte order.
+
+Without this, nft adds
+elements = { "eth0" : 256, "eth1" : 512, "veth4" : 256 }
+instead of 1, 2, 3.
+
+This is not a 'display bug', the added elements have wrong byte order.
+
+Signed-off-by: Florian Westphal <fw@strlen.de>
+(cherry picked from commit 84b1d078e86dea25c93e15c3e5a3160bbf77e4e7)
+---
+ src/evaluate.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/evaluate.c b/src/evaluate.c
+index 73d6fd0e89bc2..0543190fe777a 100644
+--- a/src/evaluate.c
++++ b/src/evaluate.c
+@@ -1583,7 +1583,7 @@ static int expr_evaluate_mapping(struct eval_ctx *ctx, struct expr **expr)
+ 		else
+ 			datalen = set->data->len;
+ 
+-		expr_set_context(&ctx->ectx, set->data->dtype, datalen);
++		__expr_set_context(&ctx->ectx, set->data->dtype, set->data->byteorder, datalen, 0);
+ 	} else {
+ 		assert((set->flags & NFT_SET_MAP) == 0);
+ 	}
+-- 
+2.34.1
+

SPECS/nftables.spec

@@ -1,6 +1,6 @@
 Name:           nftables
 Version:        0.9.8
-Release:        10%{?dist}
+Release:        12%{?dist}
 # Upstream released a 0.100 version, then 0.4. Need Epoch to get back on track.
 Epoch:          1
 Summary:        Netfilter Tables userspace utillites
@@ -34,11 +34,18 @@ Patch17: 0017-tests-cover-baecd1cf2685-segtree-Fix-segfault-when-r.patch
 Patch18: 0018-doc-nft.8-Extend-monitor-description-by-trace.patch
 Patch19: 0019-tests-shell-NFT-needs-to-be-invoked-unquoted.patch
 Patch20: 0020-tests-shell-better-parameters-for-the-interval-stack.patch
+Patch21: 0021-json-Simplify-non-tcpopt-exthdr-printing-a-bit.patch
+Patch22: 0022-scanner-introduce-start-condition-stack.patch
+Patch23: 0023-scanner-sctp-Move-to-own-scope.patch
+Patch24: 0024-exthdr-Implement-SCTP-Chunk-matching.patch
+Patch25: 0025-include-missing-sctp_chunk.h-in-Makefile.am.patch
+Patch26: 0026-evaluate-fix-inet-nat-with-no-layer-3-info.patch
+Patch27: 0027-tests-py-add-dnat-to-port-without-defining-destinati.patch
+Patch28: 0028-evaluate-pick-data-element-byte-order-not-dtype-one.patch
 
-#BuildRequires: autogen
+BuildRequires: autoconf
-#BuildRequires: autoconf
+BuildRequires: automake
-#BuildRequires: automake
+BuildRequires: libtool
-#BuildRequires: libtool
 BuildRequires: make
 BuildRequires:  gcc
 BuildRequires: flex
@@ -76,7 +83,8 @@ The nftables python module provides an interface to libnftables via ctypes.
 %autosetup -p1
 
 %build
-#./autogen.sh
+autoreconf -fi
+rm -Rf autom4te*.cache config.h.in~
 %configure --disable-silent-rules --with-xtables --with-json \
 	--enable-python --with-python-bin=%{__python3}
 %make_build
@@ -143,6 +151,18 @@ sed -i -e 's/\(sofile=\)".*"/\1"'$sofile'"/' \
 %{python3_sitelib}/nftables/
 
 %changelog
+* Fri Jan 14 2022 Phil Sutter <psutter@redhat.com> - 1:0.9.8-12
+- evaluate: pick data element byte order, not dtype one
+
+* Wed Dec 08 2021 Phil Sutter <psutter@redhat.com> - 1:0.9.8-11
+- tests: py: add dnat to port without defining destination address
+- evaluate: fix inet nat with no layer 3 info
+- include: missing sctp_chunk.h in Makefile.am
+- exthdr: Implement SCTP Chunk matching
+- scanner: sctp: Move to own scope
+- scanner: introduce start condition stack
+- json: Simplify non-tcpopt exthdr printing a bit
+
 * Wed Dec 08 2021 Phil Sutter <psutter@redhat.com> - 1:0.9.8-10
 - tests: shell: better parameters for the interval stack overflow test
 - tests: shell: $NFT needs to be invoked unquoted