[ANNOUNCE] nftables 1.0.1 release

Hi!

The Netfilter project proudly presents:

        nftables 1.0.1

This release contains new features available up to the Linux kernel
5.16-rc1 release:

* Reduce memory footprint when loading large sets/maps.
* Speed up reload of large sets/maps.
* Speed up listing of specific tables in a large ruleset, e.g. a ruleset
  with ~100k lines.

     # nft list ruleset &> /dev/null
     real    0m3,049s
     user    0m2,080s
     sys     0m0,968s

    - Listing per table is now faster:

     # nft list table nat &> /dev/null
     real    0m1,969s
     user    0m1,412s
     sys     0m0,556s

     # nft list table filter &> /dev/null
     real    0m0,697s
     user    0m0,478s
     sys     0m0,220s

  Same speed up applies to listing specific chains/sets/maps.

* Speed up the --terse option when listing a ruleset with large sets/maps.
* Print raw payload expressions in hexadecimal, e.g. @ll,0,8 & 0x80 == 0x80

* egress hook support (available since 5.16-rc1).

  table netdev filter {
        chain egress {
                type filter hook egress devices = { eth0, eth1 } priority 0;
                meta priority set ip saddr map { 192.168.10.2 : abcd:2, 192.168.10.3 : abcd:3 }
        }
  }

* Allow matching and updating bytes at an inner header/payload offset
  (available since 5.16-rc1).

  # nft add rule x y @ih,32,32 0x14000000 counter
  # nft add rule x y @ih,32,32 set 0x14000000 counter
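To make the `@base,offset,length` notation in the two rules above (and in the hexadecimal `@ll,0,8 & 0x80 == 0x80` example earlier) concrete, the following Python model is added here; it is not nftables code. It resolves each base (`ll`, `nh`, `th`, `ih`) to a byte offset inside a constructed Ethernet/IPv4/TCP frame, extracts the selected bits, and evaluates both the match form and the `set` (mangle) form of a raw payload expression. The sample frame, the function names, and the simplifications (IPv4 only, TCP/UDP only, checksums left at zero and never recomputed) are assumptions of this example, not nftables behaviour.

```python
"""Model of nft raw payload expressions: @base,offset_bits,length_bits.

Added example for illustration; not part of nftables. Bases follow the nft
names: ll = link layer, nh = network header, th = transport header,
ih = inner header (bytes after the transport header). Assumes an untagged
Ethernet II frame carrying IPv4 over TCP or UDP.
"""
import struct

BASES = ("ll", "nh", "th", "ih")


def header_offsets(frame: bytes) -> dict:
    """Return the byte offset of each base for an IPv4/TCP-or-UDP frame."""
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        raise ValueError("example only handles IPv4 (ethertype 0x0800)")
    nh = 14                                   # Ethernet II header is 14 bytes
    ihl = (frame[nh] & 0x0F) * 4              # IPv4 header length in bytes
    proto = frame[nh + 9]                     # IPv4 protocol field (@nh,72,8)
    th = nh + ihl
    if proto == 6:                            # TCP: data offset in 32-bit words
        ih = th + ((frame[th + 12] >> 4) * 4)
    elif proto == 17:                         # UDP: fixed 8-byte header
        ih = th + 8
    else:
        raise ValueError("example only handles TCP or UDP")
    return {"ll": 0, "nh": nh, "th": th, "ih": ih}


def parse_raw_payload(expr: str) -> tuple:
    """Parse '@base,offset,length' into (base, offset_bits, length_bits)."""
    if not expr.startswith("@"):
        raise ValueError("raw payload expression must start with '@'")
    base, offset, length = expr[1:].split(",")
    if base not in BASES:
        raise ValueError(f"unknown payload base {base!r}")
    return base, int(offset), int(length)


def _window(frame: bytes, base_off: int, offset: int, length: int) -> tuple:
    """Byte window covering the selected bits and the shift down to them."""
    start = base_off + offset // 8
    end = base_off + (offset + length + 7) // 8
    if end > len(frame):
        raise ValueError("frame too short for this expression")
    shift = (end - start) * 8 - (offset % 8) - length
    return start, end, shift


def extract_bits(frame: bytes, base_off: int, offset: int, length: int) -> int:
    """Read `length` bits starting `offset` bits after `base_off`, big-endian."""
    start, end, shift = _window(frame, base_off, offset, length)
    chunk = int.from_bytes(frame[start:end], "big")
    return (chunk >> shift) & ((1 << length) - 1)


def raw_payload_matches(frame: bytes, rule: str) -> bool:
    """Evaluate '@b,o,l [& mask] [==] value' against a frame."""
    tokens = rule.split()
    base, offset, length = parse_raw_payload(tokens[0])
    rest, mask = tokens[1:], None
    if rest and rest[0] == "&":               # optional bitmask
        mask, rest = int(rest[1], 0), rest[2:]
    if rest and rest[0] == "==":              # '==' is implicit in nft syntax
        rest = rest[1:]
    if len(rest) != 1:
        raise ValueError(f"cannot parse rule {rule!r}")
    value = int(rest[0], 0)
    if value >= 1 << length:
        raise ValueError(f"{rest[0]} does not fit in {length} bits")
    field = extract_bits(frame, header_offsets(frame)[base], offset, length)
    if mask is not None:
        field &= mask
    return field == value


def raw_payload_set(frame: bytes, expr: str, value: int) -> bytes:
    """Model the 'set' form: write `value` into the selected bits (no checksum fix-up)."""
    base, offset, length = parse_raw_payload(expr)
    start, end, shift = _window(frame, header_offsets(frame)[base], offset, length)
    field_mask = ((1 << length) - 1) << shift
    chunk = int.from_bytes(frame[start:end], "big")
    chunk = (chunk & ~field_mask) | ((value << shift) & field_mask)
    return frame[:start] + chunk.to_bytes(end - start, "big") + frame[end:]


def sample_tcp_frame() -> bytes:
    """Constructed Ethernet/IPv4/TCP frame with an 8-byte payload (not a capture)."""
    eth = bytes.fromhex("820000000001") + bytes.fromhex("020000000002") + struct.pack("!H", 0x0800)
    payload = bytes.fromhex("00000000" "14000000")   # bytes 4..7 are 0x14000000
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 20 + len(payload), 0, 0, 64, 6, 0,
                     bytes([192, 168, 10, 2]), bytes([10, 0, 0, 1]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 21, 0, 0, 5 << 4, 0x18, 0xFFFF, 0, 0)
    return eth + ip + tcp + payload


if __name__ == "__main__":
    f = sample_tcp_frame()
    print(header_offsets(f))                                   # {'ll': 0, 'nh': 14, 'th': 34, 'ih': 54}
    print(raw_payload_matches(f, "@ih,32,32 0x14000000"))      # True: payload bytes 4..7
    print(raw_payload_matches(f, "@ll,0,8 & 0x80 == 0x80"))    # True: first byte 0x82 has bit 0x80 set
    print(raw_payload_matches(raw_payload_set(f, "@ih,32,32", 0x15000000), "@ih,32,32 0x15000000"))
```

Reading a rule through this model shows why `@ih` is useful: the same `@th,...` offset would shift with the TCP data offset, whereas `@ih` always starts at the first payload byte, which is what a protocol-specific match at a fixed payload offset needs.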

... and fixes:

- Fix split declaration of a set across different files using the
  nested notation.
- Fix crash in python support with two instances of nftables handler.
- Fix incorrect range to prefix conversion.
- Fix -T/--numeric-time
- Fix incorrect meta protocol dependency removal in the bridge, netdev and
  inet families.
- Unbreak support for older kernels (tested with Linux kernel 4.9.x)
- Optimize prefix match only for matching on big-endian.
- Restore use of variables with the queue statement, e.g. queue num $myq bypass
- Honor insert command and rule position handle in monitor mode.
- Fix bogus error in dynamic NAT map, e.g.

  # nft add rule nat x y meta l4proto { tcp, udp } dnat ip to ip daddr . th dport map @fwdtoip_th

- Disallow setuid on the nft executable.

- Fix combination of map, concatenation with intervals and stateful
  expressions, e.g.

  table ip filter {
       map forwport {
               type ipv4_addr . inet_proto . inet_service : verdict
               flags interval
               counter
               elements = { 10.133.89.138 . tcp . 8081 counter packets 0 bytes 0 : accept }
       }

       chain FORWARD {
               type filter hook forward priority filter; policy drop;
               iifname "enp0s8" ip daddr . ip protocol . th dport vmap @forwport counter
       }
  }

- Fix incorrect vlan offset when matching and updating the tag, e.g.

  # nft add rule bridge filter forward vlan id 100 vlan id set 200

- Fix use of a constant in a dynamic set, e.g.

  table inet t {
       set s {
               type ipv4_addr . inet_service
               size 65536
               flags dynamic,timeout
               elements = { 192.168.7.1 . 22 }
       }

       chain c {
               type filter hook input priority 0;
               tcp dport 21 add @s { ip saddr . 22 timeout 1m }
       }
  }

... and incremental documentation updates.

The autotools build system now defaults to libedit/editline for the
nft --interactive shell.

You can download this new release from:

https://www.netfilter.org/projects/nftables/downloads.html
https://www.netfilter.org/pub/nftables/

To build the code, libnftnl >= 1.2.1 and libmnl >= 1.0.4 are required:

* https://netfilter.org/projects/libnftnl/index.html
* https://netfilter.org/projects/libmnl/index.html

Visit our wikipage for user documentation at:

* https://wiki.nftables.org

For the manpage reference, check man(8) nft.

In case of bugs and feature requests, file them via:

* https://bugzilla.netfilter.org

Happy firewalling.

Chris Arges (1):
      cache: ensure evaluate_cache_list flags are set correctly

Duncan Roe (1):
      doc: libnflog handles `log group`, not libnfq

Florian Westphal (7):
      parser: permit symbolic define for 'queue num' again
      payload: don't adjust offsets of autogenerated dependency expressions
      netlink: dynset: set compound expr dtype based on set key definition
      tests: shell: auto-removal of chain hook on netns removal
      main: _exit() if setuid
      doc: update ct timeout section with the state names
      monitor: do not call interval_map_decompose() for concat intervals

Jeremy Sowden (6):
      rule: remove fake stateless output of named counters
      rule: fix stateless output after listing sets containing counters
      rule: replace three conditionals with one
      parser: add new `limit_bytes` rule
      parser: add `limit_rate_pkts` and `limit_rate_bytes` rules
      parser: extend limit syntax

Lukas Wunner (2):
      tests: py: Move netdev-specific tests to appropriate subdirectory
      src: Support netdev egress hook

Pablo Neira Ayuso (54):
      src: queue: consolidate queue statement syntax
      tests: shell: add nft-f/0022variables_0 dump file
      cache: skip set element netlink dump for add/delete element command
      cache: provide a empty list for flowtables and objects when request fails
      netlink_delinearize: incorrect meta protocol dependency kill
      netlink_delinearize: incorrect meta protocol dependency kill again
      rule: remove redundant meta protocol from the evaluation step
      datatype: time_print() ignores -T
      include: add NFT_CTX_OUTPUT_NUMERIC_TIME to NFT_CTX_OUTPUT_NUMERIC_ALL
      doc: Missing NFT_CTX_OUTPUT_NUMERIC_SYMBOL in libnftables documentation
      doc: refer to ulogd manpage
      meta: skip -T for hour and date format
      netlink: rework range_expr_to_prefix()
      doc: nfnetlink_log allows one single process through unicast
      src: revert hashtable for expression handlers
      tests: py: update ct expiration
      doc: fix synopsis of named counter, quota and ct {helper,timeout,expect}
      netlink: reset temporary set element stmt list after list splice
      monitor: display rule position handle
      monitor: honor NLM_F_APPEND flag for rules
      tests: monitor: update insert and replace commands
      monitor: honor NLM_F_EXCL netlink flag
      evaluate: check for concatenation in set data datatype
      evaluate: check for missing transport protocol match in nat map with concatenations
      cache: set on cache flags for nested notation
      cache: finer grain cache population for list commands
      cache: filter out tables that are not requested
      cache: filter out sets and maps that are not requested
      cache: unset NFT_CACHE_SETELEM with --terse listing
      configure: default to libedit for cli
      cache: always set on NFT_CACHE_REFRESH for listing
      cache: honor filter in set listing commands
      cache: honor table in set filtering
      cache: disable NFT_CACHE_SETELEM_BIT on --terse listing only
      tests: shell: add testcase for --terse
      evaluate: postpone transport protocol match check after nat expression evaluation
      datatype: add xinteger_type alias to print in hexadecimal
      src: raw payload match and mangle on inner header / payload data
      tests: py: remove verdict from closing end interval
      mnl: do not build nftnl_set element list
      evaluate: clone variable expression if there is more than one reference
      evaluate: grab reference in set expression evaluation
      tests: py: update rawpayload.t.json
      cache: move list filter under struct
      cache: do not populate cache if it is going to be flushed
      cache: missing family in cache filtering
      cache: filter out rules by chain
      tests: py: missing ip/dnat.t json updates
      tests: py: missing ip/snat.t json updates
      tests: py: missing json output update in ip6/meta.t
      tests: py: remove netdev coverage in ip/ip_tcp.t
      parser: allow for string raw payload base
      parser_json: add raw payload inner header match support
      build: Bump version to 1.0.1

Phil Sutter (5):
      tests: json_echo: Print errors to stderr
      tests: monitor: Print errors to stderr
      tests: monitor: Continue on error
      parser_json: Fix error reporting for invalid syntax
      tests: shell: Fix bogus testsuite failure with 250Hz

Xiao Liang (2):
      src: Optimize prefix match only if is big-endian
      src: Check range bounds before converting to prefix

Štěpán Němec (7):
      doc: libnftables-json: make the example valid libnftables JSON input
      tests: cover baecd1cf2685 ("segtree: Fix segfault when restoring a huge interval set")
      tests: run-tests.sh: ensure non-zero exit when $failed != 0
      tests: shell: README: copy edit
      tests: shell: README: $NFT does not have to be a path to a binary
      tests: shell: README: clarify test file name convention
      tests: shell: $NFT needs to be invoked unquoted
