Hello Pablo,

Did this commit make it into 0.9.4?

https://patchwork.ozlabs.org/patch/1202696/

Thank you
Serguei

On 2020-04-01, 10:34 AM, "Pablo Neira Ayuso" <netfilter-owner@xxxxxxxxxxxxxxx on behalf of pablo@xxxxxxxxxxxxx> wrote:

Hi!

The Netfilter project proudly presents:

        nftables 0.9.4

This release contains fixes and new features available up to the Linux
kernel 5.6 release.

* Support for ranges in concatenations (requires Linux kernel >= 5.6), e.g.

  table ip foo {
        set whitelist {
                type ipv4_addr . ipv4_addr . inet_service
                flags interval
                elements = { 192.168.10.35-192.168.10.40 . 192.68.11.123-192.168.11.125 . 80 }
        }

        chain bar {
                type filter hook prerouting priority filter; policy drop;
                ip saddr . ip daddr . tcp dport @whitelist accept
        }
  }

  This creates a `whitelist' set whose elements are a concatenation. The
  interval flag specifies that this set might include ranges in
  concatenations. The example above is accepting all traffic coming from
  192.168.10.35 to 192.168.10.40 (both addresses in the range are
  included), destination to 192.68.10.123 and TCP destination port 80.

* typeof support for sets. You can use typeof to specify the datatype of
  the selector in sets, e.g.

  table ip foo {
        set whitelist {
                typeof ip saddr
                elements = { 192.168.10.35, 192.168.10.101, 192.168.10.135 }
        }

        chain bar {
                type filter hook prerouting priority filter; policy drop;
                ip daddr @whitelist accept
        }
  }

  You can also use typeof in maps:

  table ip foo {
        map addr2mark {
                typeof ip saddr : meta mark
                elements = { 192.168.10.35 : 0x00000001, 192.168.10.135 : 0x00000002 }
        }
  }

* NAT mappings with concatenations. This allows you to specify the
  address and port to be used in the NAT mangling from maps, e.g.

  nft add rule ip nat pre dnat ip addr . port to ip saddr map { 1.1.1.1 : 2.2.2.2 . 30 }

  You can also use this new feature with named sets:

  nft add map ip nat destinations { type ipv4_addr . inet_service : ipv4_addr . inet_service \; }
  nft add rule ip nat pre dnat ip addr . port to ip saddr . tcp dport map @destinations

* Hardware offload support: Your NIC driver must include support for this
  infrastructure. You have to enable offload via ethtool:

  # ethtool -K eth0 hw-tc-offload on

  Then, in nftables, you have to turn on the offload flag in the basechain
  definition.

  # cat file.nft
  table netdev x {
        chain y {
                type filter hook ingress device eth0 priority 10; flags offload;
                ip saddr 192.168.30.20 drop
        }
  }
  # nft -f file.nft

  Just a simple example to drop all traffic coming from 192.168.30.20 from
  the hardware. The Linux host sees no packets at all from 192.168.30.20
  after this since the NIC filters out the packets.

  As of kernel 5.6, supported features are:

  - Matching on:
  -- packet header fields.
  -- input interface.
  - Actions available are:
  -- accept / drop action.
  -- Duplicate packet to port through `dup'.
  -- Mirror packet to port through `fwd'.

* Enhancements to improve location-based error reporting, e.g.

  # nft delete rule ip y z handle 7
  Error: Could not process rule: No such file or directory
  delete rule ip y z handle 7
                 ^

  In the example above, the table `y' does not exist in your system.

  # nft delete rule ip x x handle 7
  Error: Could not process rule: No such file or directory
  delete rule ip x x handle 7
                            ^

  This means that rule handle 7 does not exist.

  # nft delete table twst
  Error: No such file or directory; did you mean table ‘test’ in family ip?
  delete table twst
               ^^^^

  If you delete a table whose name has been mistyped, error reporting
  includes a suggestion.

* Match on the slave interface through `meta sdif' and `meta sdifname', e.g.

  ... meta sdifname vrf1 ...

* Support for right and left shifts:

  ... meta mark set meta mark lshift 1 or 0x1 ...

  This example shows how to shift the existing packet mark one bit to the
  left and set the least significant bit to 1.

* New -V option to display extended version information, including
  compile time options:

  # nft -V
  nftables v0.9.4 (Jive at Five)
    cli:        readline
    json:       yes
    minigmp:    no
    libxtables: yes

* manpage documentation updates.

* ... and bugfixes.

See ChangeLog that comes attached to this email for more details.

= Caveat =

This new version enforces options before commands, i.e.

  # nft list ruleset -a
  Error: syntax error, options must be specified before commands
  nft list ruleset -a
      ^            ~~

Just place the option before the command:

  # nft -a list ruleset
  ... [ ruleset listing here ] ...

Make sure to update your scripts.

You can download this new release from:

  http://www.netfilter.org/projects/nftables/downloads.html#nftables-0.9.4
  ftp://ftp.netfilter.org/pub/nftables/

To build the code, libnftnl 1.1.6 and libmnl >= 1.0.3 are required:

* http://netfilter.org/projects/libnftnl/index.html
* http://netfilter.org/projects/libmnl/index.html

Visit our wikipage for user documentation at:

* http://wiki.nftables.org

For the manpage reference, check man(8) nft.

In case of bugs and feature requests, file them via:

* https://bugzilla.netfilter.org

Happy firewalling!
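The caveat above matters operationally: a firewall script that still writes `nft list ruleset -a` fails with a syntax error after the upgrade, and a script that loads rules the same way leaves the host without the ruleset it expects. The helper below is an added example, not code from the announcement or the nftables project; it rewrites `nft` invocations in a script so that options precede the command, assuming only the argument-less short options (-a -n -j -s -e -c -N -t -S) and their long forms need moving, and leaving options that take a value (-f, -I, -d) untouched.

```shell
#!/bin/sh
# Rewrite one command line so nft options come before the subcommand,
# as nftables 0.9.4 requires. Lines that do not start with "nft" are
# passed through unchanged. (Added example, not from the announcement.)
fix_nft_option_order() {
    # $1: a single shell command line, e.g. "nft list ruleset -a"
    printf '%s\n' "$1" | awk '
    {
        if ($1 != "nft") { print; next }
        opts = ""; cmd = ""
        for (i = 2; i <= NF; i++) {
            # Assumption: only argument-less options are relocated.
            if ($i ~ /^-[anjsecNtS]+$/ ||
                $i ~ /^--(handle|numeric|json|stateless|echo|check|reversedns|terse|service)$/)
                opts = opts " " $i
            else
                cmd = cmd " " $i
        }
        print "nft" opts cmd
    }'
}

# Filter a whole script on stdin, rewriting only lines that begin with
# "nft " and copying every other line verbatim to stdout.
migrate_nft_script() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            nft\ *) fix_nft_option_order "$line" ;;
            *)      printf '%s\n' "$line" ;;
        esac
    done
}

# Constructed sample script, embedded so the example runs offline.
SAMPLE_SCRIPT='#!/bin/sh
nft flush ruleset
nft list ruleset -a
nft list table ip filter -n -a
echo "ruleset listed"'

demo_migration() {
    printf '%s\n' "$SAMPLE_SCRIPT" | migrate_nft_script
}
```

Run `demo_migration` to see the rewritten sample; pipe a real script through `migrate_nft_script` and review the diff before replacing it.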