[ANNOUNCE] nftables 1.0.3 release

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi!

The Netfilter project proudly presents:

        nftables 1.0.3

This release contains new features available up to the Linux kernel 5.18 release:

* Support for wildcard interface name matching with sets:

     table inet testifsets {
        set simple_wild {
               type ifname
               flags interval
               elements = { "abcdef*",
                            "othername",
                            "ppp0" }
        }

        chain v4icmp {
                type filter hook input priority 0; policy accept;
                iifname @simple_wild counter packets 0 bytes 0
                iifname { "abcdef*", "eth0" } counter packets 0 bytes 0
        }
     }

* Support for runtime auto-merge of set elements. So far, the
  auto-merge routine could only coalesce elements in the set
  declaration.

     # cat ruleset.nft
     table ip x {
        set y {
                type ipv4_addr
                flags interval
                auto-merge
                elements = { 1.2.3.0, 1.2.3.255, 1.2.3.0/24,
                             3.3.3.3, 4.4.4.4, 4.4.4.4-4.4.4.8,
                             3.3.3.4, 3.3.3.5 }
        }
     }
     # nft -f ruleset.nft
     table ip x {
        set y {
                type ipv4_addr
                flags interval
                auto-merge
                elements = { 1.2.3.0/24, 3.3.3.3-3.3.3.5,
                             4.4.4.4-4.4.4.8 }
        }
     }

  with this update, incremental runtime updates are also supported:

     # nft add element ip x y { 1.2.3.0-1.2.4.255, 3.3.3.6 }
     # nft list ruleset
     table ip x {
        set y {
                type ipv4_addr
                flags interval
                auto-merge
                elements = { 1.2.3.0-1.2.4.255, 3.3.3.3-3.3.3.6,
                             4.4.4.4-4.4.4.8 }
        }
     }

   as shown above, new elements are merged into existing intervals
   whenever possible.

   This also supports for incremental runtime element removals that
   result in adjusting/splitting the existing intervals.

* Enhancements for the ruleset optimization -o/--optimize option which
  allows to coalesce several NAT rules into map:

     # cat ruleset.nft
     table ip x {
            chain y {
                    type nat hook postrouting priority srcnat; policy drop;
                    ip saddr 1.1.1.1 tcp dport 8000 snat to 4.4.4.4:80
                    ip saddr 2.2.2.2 tcp dport 8001 snat to 5.5.5.5:90
            }
     }

     # nft -o -c -f ruleset.nft
     Merging:
     ruleset.nft:4:3-52:                ip saddr 1.1.1.1 tcp dport 8000 snat to 4.4.4.4:80
     ruleset.nft:5:3-52:                ip saddr 2.2.2.2 tcp dport 8001 snat to 5.5.5.5:90
     into:
            snat to ip saddr . tcp dport map { 1.1.1.1 . 8000 : 4.4.4.4 . 80, 2.2.2.2 . 8001 : 5.5.5.5 . 90 }

  This infrastructure also learnt how to coalesce raw expressions into maps, for example:

     # cat ruleset.nft
     table ip x {
            [...]

            chain nat_dns_acme {
                    udp length 47-63 @th,160,128 0x0e373135363130333131303735353203 goto nat_dns_dnstc
                    udp length 62-78 @th,160,128 0x0e31393032383939353831343037320e goto nat_dns_this_5301
                    udp length 62-78 @th,160,128 0x0e31363436323733373931323934300e goto nat_dns_saturn_5301
                    udp length 62-78 @th,160,128 0x0e32393535373539353636383732310e goto nat_dns_saturn_5302
                    udp length 62-78 @th,160,128 0x0e38353439353637323038363633390e goto nat_dns_saturn_5303
                    drop
            }
     }

  When invoking 'nft' to request an optimization, several rules result
  in a map:

     # nft -c -o -f ruleset.
     Merging:
     ruleset.nft:8:17-98:                 udp length 47-63 @th,160,128 0x0e373135363130333131303735353203 goto nat_dns_dnstc
     ruleset.nft:9:17-102:                 udp length 62-78 @th,160,128 0x0e31393032383939353831343037320e goto nat_dns_this_5301
     ruleset.nft:10:17-104:                 udp length 62-78 @th,160,128 0x0e31363436323733373931323934300e goto nat_dns_saturn_5301
     ruleset.nft:11:17-104:                 udp length 62-78 @th,160,128 0x0e32393535373539353636383732310e goto nat_dns_saturn_5302
     ruleset.nft:12:17-104:                 udp length 62-78 @th,160,128 0x0e38353439353637323038363633390e goto nat_dns_saturn_5303
     into:
        udp length . @th,160,128 vmap { 47-63 . 0x0e373135363130333131303735353203 : goto nat_dns_dnstc, 62-78 . 0x0e31393032383939353831343037320e : goto nat_dns_this_5301, 62-78 . 0x0e31363436323733373931323934300e : goto nat_dns_saturn_5301, 62-78 . 0x0e32393535373539353636383732310e : goto nat_dns_saturn_5302, 62-78 . 0x0e38353439353637323038363633390e : goto nat_dns_saturn_5303 }

* Support for raw expressions in concatenations. For example, in anonymous sets:

     # nft add rule x y ip saddr . @ih,32,32 { 1.1.1.1 . 0x14, 2.2.2.2 . 0x1e }

  And, in explicit set declarations:

     table x {
            set y {
                    typeof ip saddr . @ih,32,32
                    elements = { 1.1.1.1 . 0x14 }
            }
     }

  (inner header/payload matching @ih keywork requires Linux kernel >= 5.16).

* Support for integer type protocol header fields in concatenations.

  For example, the udp length field relies on the integer datatype as
  shown by the 'nft describe' command:

     # nft describe udp length
     payload expression, datatype integer (integer), 16 bits

  you can now use it in set and map declarations through 'typeof':

     table inet t {
            map m1 {
                    typeof udp length . @ih,32,32 : verdict
                    flags interval
                    elements = { 20-80 . 0x14 : accept,
                                 1-10 . 0xa : drop }
            }

            chain c {
                    type filter hook input priority 0; policy drop;
                    udp length . @ih,32,32 vmap @m1
            }
     }

* Allow to reset TCP options (requires Linux kernel >= 5.18):

     tcp flags syn reset tcp option sack-perm

* Speed up chain listing command, ie. nft list chain x y

... this release also includes fixes (highlights):

- fix invalid listing in verdict maps
- several fixes for -o/--optimize (added in previous 1.0.2 release).
- fix anonymous object maps, for example:

      table inet filter {
             ct helper sip-5060u {
                     type "sip" protocol udp
                     l3proto ip
             }

             ct helper sip-5060t {
                     type "sip" protocol tcp
                     l3proto ip
             }

             chain input {
                     type filter hook input priority filter; policy accept;
                     ct helper set ip protocol . th dport map { udp . 10000-20000 : "sip-5060u", tcp . 10000-20000 : "sip-5060t" }
             }
      }

- fix build problems in nftables-1.0.2 tarball.
- fix JSON chain listing (https://bugzilla.netfilter.org/show_bug.cgi?id=1580)

... and incremental documentation updates.

You can download this new release from:

https://www.netfilter.org/projects/nftables/downloads.html
https://www.netfilter.org/pub/nftables/

To build the code, libnftnl >= 1.2.1 and libmnl >= 1.0.4 are required:

* https://netfilter.org/projects/libnftnl/index.html
* https://netfilter.org/projects/libmnl/index.html

Visit our wikipage for user documentation at:

* https://wiki.nftables.org

For the manpage reference, check man(8) nft.

In case of bugs and feature request, file them via:

* https://bugzilla.netfilter.org

Happy firewalling.
Chander Govindarajan (2):
      json: update json output ordering to place rules after chains
      nft: simplify chain lookup in do_list_chain

Florian Westphal (20):
      tests: add test case for flowtable with owner flag
      src: add tcp option reset support
      evaluate: init cmd pointer for new on-stack context
      src: copy field_count for anonymous object maps as well
      evaluate: make byteorder conversion on string base type a no-op
      evaluate: keep prefix expression length
      segtree: split prefix and range creation to a helper function
      evaluate: string prefix expression must retain original length
      src: make interval sets work with string datatypes
      segtree: add string "range" reversal support
      tests: add testcases for interface names in sets
      segtree: use correct byte order for 'element get'
      segtree: add support for get element with sets that contain ifnames
      netlink: remove unused argument from helper function
      src: allow use of base integer types as set keys in concatenations
      tests: add concat test case with integer base type subkey
      src: fix always-true assertions
      netlink: swap byteorder for host-endian concat data
      segtree: add pretty-print support for wildcard strings in concatenated sets
      sets_with_ifnames: add test case for concatenated range

Jeremy Sowden (2):
      examples: add .gitignore file
      include: add missing `#include`

Lukas Straub (2):
      meta: time: use uint64_t instead of time_t
      meta: fix compiler warning in date_type_parse()

Martin Gignac (1):
      tests: py: Add meta time tests without 'meta' keyword

Pablo Neira Ayuso (34):
      examples: compile with `make check' and add AM_CPPFLAGS
      optimize: fix vmap with anonymous sets
      optimize: more robust statement merge with vmap
      optimize: incorrect assert() for unexpected expression type
      optimize: do not merge unsupported statement expressions
      optimize: do not assume log prefix
      rule: Avoid segfault with anonymous chains
      expression: typeof verdict needs verdict datatype
      src: allow to use typeof of raw expressions in set declaration
      src: allow to use integer type header fields via typeof set declaration
      optimize: Restore optimization for raw payload expressions
      tests: py: add inet/vmap tests
      tests: py: extend meta time coverage
      src: add EXPR_F_KERNEL to identify expression in the kernel
      src: replace interval segment tree overlap and automerge
      src: remove rbtree datastructure
      mnl: update mnl_nft_setelem_del() to allow for more reuse
      intervals: add support to automerge with kernel elements
      evaluate: allow for zero length ranges
      intervals: support to partial deletion with automerge
      src: restore interval sets work with string datatypes
      intervals: unset EXPR_F_KERNEL for adjusted elements
      intervals: add elements with EXPR_F_KERNEL to purge list only
      intervals: fix deletion of multiple ranges with automerge
      intervals: build list of elements to be added from cache
      intervals: set on EXPR_F_KERNEL flag for new elements in set cache
      optimize: incorrect logic in verdict comparison
      optimize: do not clone unsupported statement
      optimize: merge nat rules with same selectors into map
      optimize: memleak in statement matrix
      intervals: deletion should adjust range not yet in the kernel
      netlink_delinearize: release last register on exit
      intervals: fix compilation --with-mini-gmp
      build: Bump version to 1.0.3

Phil Sutter (26):
      scanner: icmp{,v6}: Move to own scope
      scanner: igmp: Move to own scope
      scanner: tcp: Move to own scope
      scanner: synproxy: Move to own scope
      scanner: comp: Move to own scope.
      scanner: udp{,lite}: Move to own scope
      scanner: dccp, th: Move to own scopes
      scanner: osf: Move to own scope
      scanner: ah, esp: Move to own scopes
      scanner: dst, frag, hbh, mh: Move to own scopes
      scanner: type: Move to own scope
      scanner: rt: Extend scope over rt0, rt2 and srh
      scanner: monitor: Move to own Scope
      scanner: reset: move to own Scope
      scanner: import, export: Move to own scopes
      scanner: reject: Move to own scope
      scanner: flags: move to own scope
      scanner: policy: move to own scope
      scanner: nat: Move to own scope
      scanner: at: Move to own scope
      scanner: meta: Move to own scope
      scanner: dup, fwd, tproxy: Move to own scopes
      scanner: Fix for ipportmap nat statements
      tests: monitor: Hide temporary file names from error output
      tests: py: Don't colorize output if stderr is redirected
      intervals: Simplify element sanity checks

Sam James (2):
      libnftables.map: export new nft_ctx_{get,set}_optimize API
      build: explicitly pass --version-script to linker


[Index of Archives]     [Netfitler Users]     [Berkeley Packet Filter]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux