Hi!

The Netfilter project proudly presents:

        nftables 1.0.0

This release contains fixes, documentation updates and new features
available up to the Linux kernel 5.13 release, more specifically:

* Catch-all set element support: This allows users to define the special
  wildcard set element for anything else not defined in the set.

  table x {
        map blocklist {
                type ipv4_addr : verdict
                flags interval
                elements = { 192.168.0.0/16 : accept, 10.0.0.0/8 : accept, * : drop }
        }

        chain y {
                type filter hook prerouting priority 0; policy accept;
                ip saddr vmap @blocklist
        }
  }

  [ this feature is actually supported since 0.9.9, but it was not
    included in the previous release announcement. ]

* Define variables from the command line through --define:

  # cat test.nft
  table netdev x {
        chain y {
                type filter hook ingress devices = $dev priority 0; policy drop;
        }
  }

  # nft --define dev="{ eth0, eth1 }" -f test.nft

* Allow stateful expressions in maps:

  table inet filter {
        map portmap {
                type inet_service : verdict
                counter
                elements = { 22 counter packets 0 bytes 0 : jump ssh_input,
                             * counter packets 0 bytes 0 : drop }
        }

        chain ssh_input {
        }

        chain wan_input {
                tcp dport vmap @portmap
        }

        chain prerouting {
                type filter hook prerouting priority raw; policy accept;
                iif vmap { "lo" : jump wan_input }
        }
  }

* Add a command to list the netfilter hooks pipeline for a given packet
  family. If a device is specified, then the ingress path is also included.

  # nft list hooks ip device eth0
  family ip {
        hook ingress {
                +0000000010 chain netdev x y [nf_tables]
                +0000000300 chain inet m w [nf_tables]
        }
        hook input {
                -0000000100 chain ip a b [nf_tables]
                +0000000300 chain inet m z [nf_tables]
        }
        hook forward {
                -0000000225 selinux_ipv4_forward
                 0000000000 chain ip a c [nf_tables]
        }
        hook output {
                -0000000225 selinux_ipv4_output
        }
        hook postrouting {
                +0000000225 selinux_ipv4_postroute
        }
  }

* Allow combining jhash, symhash and numgen expressions with the queue
  statement, to fan out packets to userspace queues via nfnetlink_queue.

  ... queue to symhash mod 65536
  ... queue flags bypass to numgen inc mod 65536
  ... queue to jhash oif . meta mark mod 32

  You can also combine it with maps, to select the userspace queue based
  on any other singleton key or concatenations:

  ... queue flags bypass to oifname map { "eth0" : 0, "ppp0" : 2, "eth1" : 2 }

* Expand a variable containing a set into multiple mappings:

  define interfaces = { eth0, eth1 }

  table ip x {
        chain y {
                type filter hook input priority 0; policy accept;
                iifname vmap { lo : accept, $interfaces : drop }
        }
  }

  # nft -f x.nft
  # nft list ruleset
  table ip x {
        chain y {
                type filter hook input priority 0; policy accept;
                iifname vmap { "lo" : accept, "eth0" : drop, "eth1" : drop }
        }
  }

* Allow combining verdict maps with interval concatenations:

  # nft add rule x y tcp dport . ip saddr vmap { 1025-65535 . 192.168.10.2 : accept }

* Simplify syntax for NAT mappings. You can specify an IP range:

  ... snat to ip saddr map { 10.141.11.4 : 192.168.2.2-192.168.2.4 }

  Or a specific IP and port:

  ... dnat to ip saddr map { 10.141.11.4 : 192.168.2.3 . 80 }

  Or a combination of a range of IP addresses and ports:

  ... dnat to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.2-10.141.10.5 . 8888-8999 }

And bugfixes.

You can download this new release from:

  https://www.netfilter.org/projects/nftables/downloads.html#nftables-0.9.9

To build the code, libnftnl >= 1.2.0 and libmnl >= 1.0.4 are required:

* https://netfilter.org/projects/libnftnl/index.html
* https://netfilter.org/projects/libmnl/index.html

Visit our wiki page for user documentation at:

* https://wiki.nftables.org

For the manpage reference, check man(8) nft.

In case of bugs and feature requests, file them via:

* https://bugzilla.netfilter.org

Happy firewalling.
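The --define feature above is the natural way to keep host-specific values (device lists, address sets) out of a shared ruleset file. The helper below is an added example, not part of the announcement or of nftables itself: it renders a Python list as the `{ eth0, eth1 }` set literal that `devices = $dev` expects, builds the argv for `nft --define ... -c -f FILE` (the `-c`/`--check` flag of nft parses and evaluates the file without committing it), and runs the check when an nft binary is present. The sample ruleset embedded in it is the test.nft from the announcement; the file name `test.nft` and the function names are my own choices.

```python
import shutil
import subprocess
from typing import Dict, List, Optional, Sequence, Union

# Constructed sample: the test.nft from the announcement, device list left to --define.
SAMPLE_RULESET = """\
table netdev x {
        chain y {
                type filter hook ingress devices = $dev priority 0; policy drop;
        }
}
"""

NftValue = Union[str, Sequence[str]]


def render_nft_value(value: NftValue) -> str:
    """Render a value for `--define name=value`: a string is passed through,
    a sequence becomes the set literal `{ a, b }` that `devices = $dev` expects."""
    if isinstance(value, str):
        return value
    items = list(value)
    if not items:
        raise ValueError("an nft set literal needs at least one element")
    return "{ " + ", ".join(items) + " }"


def nft_check_argv(ruleset_path: str, variables: Dict[str, NftValue]) -> List[str]:
    """argv for `nft --define ... -c -f FILE`. Each variable is one `name=value`
    argument, so no shell quoting is involved; -c parses and evaluates the file
    without committing anything to the kernel."""
    argv = ["nft"]
    for name, value in variables.items():
        argv += ["--define", f"{name}={render_nft_value(value)}"]
    argv += ["-c", "-f", ruleset_path]
    return argv


def check_ruleset(ruleset_path: str, variables: Dict[str, NftValue]) -> Optional[bool]:
    """Run the check if nft is installed (even with -c it opens a netlink socket
    to the kernel, so it normally needs CAP_NET_ADMIN).
    Returns True/False for pass/fail, or None when no nft binary is found."""
    if shutil.which("nft") is None:
        return None
    proc = subprocess.run(nft_check_argv(ruleset_path, variables),
                          capture_output=True, text=True)
    if proc.returncode != 0:
        print(proc.stderr.strip())
    return proc.returncode == 0


if __name__ == "__main__":
    with open("test.nft", "w") as fh:
        fh.write(SAMPLE_RULESET)
    variables = {"dev": ["eth0", "eth1"]}
    print(" ".join(nft_check_argv("test.nft", variables)))
    print("check result:", check_ruleset("test.nft", variables))
```

Passing the set literal as a single argv element is the point: the shell example in the announcement needs the double quotes only so that the shell does not split `{ eth0, eth1 }` into three words, and `subprocess.run` with a list sidesteps that entirely.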
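The `nft list hooks` output above is the first place where you can see, per hook, everything that runs before your chains, including hooks registered by other kernel components such as SELinux. The parser below is an added example and not code from the announcement or from nftables: it turns that listing into a structure sorted by priority (lower runs first), reports which entry sees a packet first on a given hook, and lists the entries that are not nf_tables chains. The embedded sample is the `nft list hooks ip device eth0` output quoted above; the function and class names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the `nft list hooks ip device eth0` output from the announcement.
SAMPLE_LIST_HOOKS = """\
family ip {
        hook ingress {
                +0000000010 chain netdev x y [nf_tables]
                +0000000300 chain inet m w [nf_tables]
        }
        hook input {
                -0000000100 chain ip a b [nf_tables]
                +0000000300 chain inet m z [nf_tables]
        }
        hook forward {
                -0000000225 selinux_ipv4_forward
                 0000000000 chain ip a c [nf_tables]
        }
        hook output {
                -0000000225 selinux_ipv4_output
        }
        hook postrouting {
                +0000000225 selinux_ipv4_postroute
        }
}
"""

FAMILY_RE = re.compile(r"^\s*family\s+(\w+)\s*\{\s*$")
HOOK_RE = re.compile(r"^\s*hook\s+(\w+)\s*\{\s*$")
ENTRY_RE = re.compile(r"^\s*([+-]?\d+)\s+(\S.*?)\s*$")   # signed priority, then description
MODULE_RE = re.compile(r"\[(\w+)\]$")                    # trailing "[nf_tables]"


@dataclass
class HookEntry:
    priority: int          # signed; lower values run earlier within a hook
    description: str       # "chain ip a b [nf_tables]" or a raw kernel hook name
    module: Optional[str]  # "nf_tables" for nft chains, None for other kernel hooks


def parse_list_hooks(text: str) -> Dict[str, Dict[str, List[HookEntry]]]:
    """Parse `nft list hooks` output into {family: {hook: [entries sorted by priority]}}."""
    result: Dict[str, Dict[str, List[HookEntry]]] = {}
    family: Optional[str] = None
    hook: Optional[str] = None
    for line in text.splitlines():
        m = FAMILY_RE.match(line)
        if m:
            family = m.group(1)
            result[family] = {}
            continue
        m = HOOK_RE.match(line)
        if m and family is not None:
            hook = m.group(1)
            result[family][hook] = []
            continue
        if line.strip() == "}":
            # A "}" closes the open hook block if there is one, otherwise the family.
            if hook is not None:
                hook = None
            else:
                family = None
            continue
        m = ENTRY_RE.match(line)
        if m and family is not None and hook is not None:
            desc = m.group(2)
            mod = MODULE_RE.search(desc)
            result[family][hook].append(
                HookEntry(int(m.group(1)), desc, mod.group(1) if mod else None))
    for hooks in result.values():
        for entries in hooks.values():
            entries.sort(key=lambda e: e.priority)
    return result


def first_to_run(hooks: Dict[str, List[HookEntry]], hook: str) -> Optional[str]:
    """Description of the entry that sees a packet first on `hook`, or None if it is empty."""
    entries = hooks.get(hook, [])
    return entries[0].description if entries else None


def non_nft_hooks(hooks: Dict[str, List[HookEntry]]) -> Dict[str, List[str]]:
    """Hook -> entries that are not nf_tables chains (here the SELinux hooks)."""
    return {name: [e.description for e in entries if e.module != "nf_tables"]
            for name, entries in hooks.items()
            if any(e.module != "nf_tables" for e in entries)}


if __name__ == "__main__":
    ip_hooks = parse_list_hooks(SAMPLE_LIST_HOOKS)["ip"]
    for name, entries in ip_hooks.items():
        print(name, [(e.priority, e.description) for e in entries])
    print("forward, first to run:", first_to_run(ip_hooks, "forward"))
    print("non-nft hooks:", non_nft_hooks(ip_hooks))
```

On the sample, the forward hook shows why this matters for a filtering policy: `selinux_ipv4_forward` at priority -225 runs before the nft chain `ip a c` at priority 0, so a packet can be dropped by the LSM hook before any nft rule or counter in that chain sees it.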
Duncan Roe (1):
      build: get `make distcheck` to pass again

Florian Westphal (26):
      json: fix base chain output
      json: fix parse of flagcmp expression
      tests/py: fix error message
      json: catchall element support
      tests: py: update netdev reject test file
      tests: ct: prefer normal cmp
      tests: remove redundant test cases
      evaluate: remove anon sets with exactly one element
      tests: add test case for removal of anon sets with only a single element
      scanner: add list cmd parser scope
      src: add support for base hook dumping
      doc: add LISTING section
      json: tests: fix vlan.t cfi test case
      json: tests: add missing concat test case
      netlink_delinearize: add missing icmp id/sequence support
      payload: do not remove icmp echo dependency
      tests: add a icmp-reply only and icmpv6 id test cases
      evaluate: fix hash expression maxval
      parser: restrict queue num expressiveness
      src: add queue expr and flags to queue_stmt_alloc
      parser: add queue_stmt_compat
      parser: new queue flag input format
      src: queue: allow use of arbitrary queue expressions
      tests: extend queue testcases for new sreg support
      src: queue: allow use of MAP statement for queue number retrieval
      netlink_delinarize: don't check for set element if set is not populated

Kerin Millar (1):
      json: Print warnings to stderr rather than stdout

Pablo Neira Ayuso (59):
      statement: connlimit: remove extra whitespace in print function
      doc: nft: ct id does not allow for original|reply
      json: missing catchall expression stub with ./configure --without-json
      rule: rework CMD_OBJ_SETELEMS logic
      cmd: check for table mismatch first in error reporting
      netlink: quick sort array of devices
      src: add vlan dei
      evaluate: restore interval + concatenation in anonymous set
      evaluate: add set to cache once
      src: add xzalloc_array() and use it to allocate the expression hashtable
      src: replace opencoded NFT_SET_ANONYMOUS set flag check by set_is_anonymous()
      tests: shell: extend connlimit test
      tests: shell: cover split chain reference across tables
      evaluate: do not skip mapping elements
      evaluate: unbreak verdict maps with implicit map with interval concatenations
      evaluate: memleak in binary operation transfer to RHS
      netlink_delinearize: memleak in string netlink postprocessing
      segtree: memleak in error path of the set to segtree conversion
      netlink_delinearize: memleak when listing ct event rule
      parser_bison: memleak in osf flags
      rule: memleak of list of timeout policies
      evaluate: fix maps with key and data concatenations
      libnftables: fix memleak when first message in batch is used to report error
      parser_bison: string memleak in YYERROR path
      parser_bison: memleak in rate limit parser
      rule: obj_free() releases timeout state string
      cmd: incorrect table location in error reporting
      cmd: incorrect error reporting when table declaration exists
      netlink_delinearize: stmt and expr error path memleaks
      src: remove STMT_NAT_F_INTERVAL flags and interval keyword
      src: infer NAT mapping with concatenation from set
      src: support for nat with interval concatenation
      tests: py: extend coverage for dnat with classic range representation
      src: add --define key=value
      evaluate: fix inet nat with no layer 3 info
      libnftables: missing nft_ctx_add_var() symbol map update
      tests: py: add dnat to port without defining destination address
      parser_bison: missing initialization of ct timeout policy list
      parser_json: inconditionally initialize ct timeout list
      src: fix nft_ctx_clear_include_paths in libnftables.map
      src: expose nft_ctx_clear_vars as API
      parser_bison: stateful statement support in map
      parser_bison: parse number as reject icmp code
      src: promote 'reject with icmp CODE' syntax
      evaluate: error reporting for missing statements in set/map declaration
      tests: py: update new reject with icmp code syntax leftover
      tests: py: missing json update for numeric reject with icmp numeric
      expression: missing != in flagcmp expression print function
      netlink_linearize: incorrect netlink bytecode with binary operation and flags
      evaluate: disallow negation with binary operation
      tests: py: idempotent tcp flags & syn != 0 to tcp flag syn
      netlink_delinearize: skip flags / mask notation for singleton bitmask
      tests: py: tcp flags & (fin | syn | rst | ack) == syn
      tests: py: check more flag match transformations to compact syntax
      mnl: revisit hook listing
      tcpopt: bogus assertion on undefined options
      evaluate: expand variable containing set into multiple mappings
      netlink_delinearize: skip flags / mask notation for singleton bitmask again
      build: Bump version to v1.0.0

Phil Sutter (13):
      segtree: Fix segfault when restoring a huge interval set
      parser_bison: Fix for implicit declaration of isalnum
      parser_json: Fix for memleak in tcp option error path
      evaluate: Mark fall through case in str2hooknum()
      json: Drop pointless assignment in exthdr_expr_json()
      netlink: Avoid memleak in error path of netlink_delinearize_set()
      netlink: Avoid memleak in error path of netlink_delinearize_chain()
      netlink: Avoid memleak in error path of netlink_delinearize_table()
      netlink: Avoid memleak in error path of netlink_delinearize_obj()
      netlink_delinearize: Fix suspicious calloc() call
      rule: Fix for potential off-by-one in cmd_add_loc()
      tests: shell: Fix bogus testsuite failure with 100Hz
      tests/py: Make netns spawning more robust