Hi!
The Netfilter project proudly presents:
nftables 0.9.9
This release contains fixes, documentation updates and new features
available up to the Linux kernel 5.13-rc1 release. Highlights:
* Flowtable hardware offload support [1]: add a new 'offload' flag that
turns on the flowtable hardware fastpath.
table ip global {
flowtable f {
hook ingress priority filter + 1
devices = { lan3, lan0, wan }
flags offload
}
chain forward {
type filter hook forward priority filter; policy accept;
ip protocol { tcp, udp } flow add @f
}
chain post {
type nat hook postrouting priority filter; policy accept;
oifname "wan" masquerade
}
}
[1] https://www.kernel.org/doc/html/latest/networking/nf_flowtable.html
* Support for the table owner flag. This new flag allows a process to
own a table in exclusivity. The owner process name is show as a
comment. The table can be either removed by the owner process
(explicit removal) or when the owner process is terminated.
table ip x { # progname nft
flags owner
chain y {
type filter hook input priority filter; policy accept;
counter packets 1 bytes 309
}
}
The example above shows a ruleset that is owned by nft which is
running in interactive mode, ie. nft -i
* 802.1ad (QinQ) support:
- Check that outer ethertype is 8021ad and outer vlan id is 321
... ether type 802.1ad vlan id 342
- Check that outer ethertype is 8021ad and vlan id is 1 and inner
ethertype is 802.1q and vlan id is 2, finally check that this
QinQ frame encapsulates an IP packet.
... ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip counter
* cgroupsv2 support.
- Check for that socket cgroupv2 ancestor level 1 is matching "system.slice"
... socket cgroupv2 level 1 "system.slice"
* match on SCTP packet chunks (available since the upcoming 5.14 release)
- match if chunk type 'data' exists
... sctp chunk data exists
- match on chunk type 'data' field 'type'
... sctp chunk data type 0
* x2 speed up time to load ruleset (via -f).
* Speed up time to print ruleset listing.
* Shortcut to check for set/unset bits in flags.
- Check that snat and dnat ct status bits are unset.
... ct status ! snat,dnat
- Check that the syn bit is set in the syn,ack bitmask
... tcp flags syn / syn,ack
- Check that the fin and rst bits are not set in the syn,ack,fin,rst bitmask
... tcp flags != fin,rst / syn,ack,fin,rst
* Allow to use verdict in set/map typeof definitions
add map x m { typeof iifname . ip protocol . th dport : verdict ;}
You can download this new release from:
https://www.netfilter.org/projects/nftables/downloads.html#nftables-0.9.9
To build the code, libnftnl >= 1.2.0 and libmnl >= 1.0.4 are required:
* https://netfilter.org/projects/libnftnl/index.html
* https://netfilter.org/projects/libmnl/index.html
Visit our wikipage for user documentation at:
* https://wiki.nftables.org
For the manpage reference, check man(8) nft.
In case of bugs and feature request, file them via:
* https://bugzilla.netfilter.org
Happy firewalling.
Dominick Grift (1):
files: improve secmark.nft example
Eric Garver (1):
json: init parser state for every new buffer/file
Florian Westphal (54):
json: fix icmpv6.t test cases
json: limit: set default burst to 5
json: ct: add missing rule
json: icmp: refresh json output
json: icmp: move expected parts to json.output
json: ct: add missing test input
exthdr: remove tcp dependency for tcp option matching
src: evaluate: reset context maxlen value before prio evaluation
tests: add icmp/6 test where dependency should be left alone
payload: check icmp dependency before removing previous icmp expression
testcases: move two dump files to correct location
tests: add empty dynamic set
evaluate: do not crash if dynamic set has no statements
trace: do not remove icmp type from packet dump
tests: extend dtype test case to cover expression with integer type
evaluate: pick data element byte order, not dtype one
evaluate: set evaluation context for set elements
src: allow use of 'verdict' in typeof definitions
parser: re-enable support for concatentation on map RHS
parser: squash duplicated spec/specid rules
parser: compact map RHS type
parser: compact ct obj list types
scanner: remove unused tokens
scanner: introduce start condition stack
scanner: queue: move to own scope
scanner: ipsec: move to own scope
scanner: rt: move to own scope
scanner: socket: move to own scope
scanner: ct: move to own scope
scanner: ip: move to own scope
scanner: ip6: move to own scope
scanner: add fib scope
scanner: add ether scope
scanner: arp: move to own scope
scanner: remove saddr/daddr from initial state
scanner: vlan: move to own scope
scanner: limit: move to own scope
scanner: quota: move to own scope
scanner: move until,over,used keywords away from init state
scanner: secmark: move to own scope
scanner: avoid -fasan heap overflow warnings
scanner: add support for scope nesting
scanner: counter: move to own scope
scanner: log: move to own scope
parser: add missing scope_close annotation for RT keyword
parser: fix scope closure of COUNTER token
netlink: don't crash when set elements are not evaluated as expected
src: vlan: allow matching vlan id insider 802.1ad frame
proto: add 8021ad as mnemonic for IEEE 802.1AD (0x88a8) ether type
payload: be careful on vlan dependency removal
tests: add 8021.AD vlan test cases
proto: replace vlan ether type with 8021q
evaluate: check if nat statement map specifies a transport header expr
doc: tiny spelling fix in stateful object section s/an/a
Frank Wunderlich (1):
nftables: add flags offload to flowtable
Jan Engelhardt (1):
files: move example files away from /etc
Laura Garcia Liebana (1):
parser: allow to load stateful ct connlimit elements in sets
Marco Oliverio (1):
cache: check errno before invoking cache_release()
Pablo Neira Ayuso (62):
evaluate: disallow ct original {s,d}ddr from concatenations
src: add negation match on singleton bitmask value
tests: shell: extend 0025empty_dynset_0 to cover multi-statement support
evaluate: incorrect usage of stmt_binary_error() in reject
table: rework flags printing
table: support for the table owner flag
mnl: remove nft_mnl_socket_reopen()
cache: memleak list of chain
expression: memleak in verdict_expr_parse_udata()
src: move remaining cache functions in rule.c to cache.c
segtree: release single element already contained in an interval
tests: shell: flowtable add after delete in batch
tests: shell: fix 0025empty_dynset_0
doc: no need to define a set in ct state
src: add datatype->describe()
rule: remove semicolon in flowtable offload
mnl: do not set flowtable flags twice
parser_bison: simplify flowtable offload flag parser
cache: rename chain_htable to cache_chain_ht
src: split chain list in table
evaluate: use chain hashtable for lookups
cache: statify chain_cache_dump()
cache: check for NULL chain in cache_init()
cache: add hashtable cache for sets
cache: bail out if chain list cannot be fetched from kernel
Makefile: missing owner.h file
parser_bison: missing relational operation on flag list
tests: shell: remove missing modules
src: unbreak deletion by table handle
rule: skip fuzzy lookup for unexisting 64-bit handle
src: pass chain name to chain_cache_find()
src: consolidate nft_cache infrastructure
src: consolidate object cache infrastructure
cache: add hashtable cache for object
cache: add hashtable cache for flowtable
cache: add set_cache_del() and use it
evaluate: add set to the cache
evaluate: add flowtable to the cache
cache: missing table cache for several policy objects
evaluate: add object to the cache
cache: add hashtable cache for table
evaluate: remove chain from cache on delete chain command
evaluate: remove set from cache on delete set command
evaluate: remove flowtable from cache on delete flowtable command
evaluate: remove object from cache on delete object command
src: add cgroupsv2 support
parser_bison: add set_elem_key_expr rule
src: add set element catch-all support
evaluate: don't crash on set definition with incorrect datatype
tests: shell: don't assume fixed handle value in cache/0008_delete_by_handle_0
netlink_delinearize: fix binary operation postprocessing with sets
parser_bison: add shortcut syntax for matching flags without binary operations
src: use PRIu64 format
datatype: skip cgroupv2 rootfs in listing
doc: document cgroupv2
libnftables: location-based error reporting for chain type
cmd: typo in chain fuzzy lookup
rule: skip exact matches on fuzzy lookup
evaluate: allow == and != in the new shortcut syntax to match for flags
expression: display an error on unknown datatype
include: missing sctp_chunk.h in Makefile.am
build: Bump version to v0.9.9
Pavel Tikhomirov (1):
nftables: xt: fix misprint in nft_xt_compatible_revision
Phil Sutter (18):
reject: Fix for missing dependencies in netdev family
reject: Unify inet, netdev and bridge delinearization
json: limit: Always include burst value
json: Do not abbreviate reject statement object
tests/py: Write dissenting payload into the right file
tests/py: Add a test sanitizer and fix its findings
erec: Sanitize erec location indesc
monitor: Don't print newgen message with JSON output
tests/py: Adjust payloads for fixed nat statement dumps
mnl: Set NFTNL_SET_DATA_TYPE before dumping set elements
tests/py: Fix for missing JSON equivalent in any/ct.t.json
mnl: Increase BATCH_PAGE_SIZE to support huge rulesets
doc: Reduce size of NAT statement synopsis
scanner: sctp: Move to own scope
json: Simplify non-tcpopt exthdr printing a bit
exthdr: Implement SCTP Chunk matching
doc: nft.8: Extend monitor description by trace
expr_postprocess: Avoid an unintended fall through
Simon Ruderich (4):
doc: add * to include example to actually include files
doc: remove duplicate tables in synproxy example
doc: move drop rule on a separate line in blackhole example
doc: use symbolic names for chain priorities
Stefano Brivio (2):
segtree: Fix range_mask_len() for subnet ranges exceeding unsigned int
tests: Introduce 0043_concatenated_ranges_1 for subnets of different sizes
Štěpán Němec (3):
tests: monitor: use correct $nft value in EXIT trap
main: fix nft --help output fallout from 719e4427
doc: nft: fix some typos and formatting issues
