Hi!
The Netfilter project proudly presents:
nftables 1.0.3
This release contains new features available up to the Linux kernel 5.18 release:
* Support for wildcard interface name matching with sets:
table inet testifsets {
set simple_wild {
type ifname
flags interval
elements = { "abcdef*",
"othername",
"ppp0" }
}
chain v4icmp {
type filter hook input priority 0; policy accept;
iifname @simple_wild counter packets 0 bytes 0
iifname { "abcdef*", "eth0" } counter packets 0 bytes 0
}
}
* Support for runtime auto-merge of set elements. So far, the
auto-merge routine could only coalesce elements in the set
declaration.
# cat ruleset.nft
table ip x {
set y {
type ipv4_addr
flags interval
auto-merge
elements = { 1.2.3.0, 1.2.3.255, 1.2.3.0/24,
3.3.3.3, 4.4.4.4, 4.4.4.4-4.4.4.8,
3.3.3.4, 3.3.3.5 }
}
}
# nft -f ruleset.nft
table ip x {
set y {
type ipv4_addr
flags interval
auto-merge
elements = { 1.2.3.0/24, 3.3.3.3-3.3.3.5,
4.4.4.4-4.4.4.8 }
}
}
with this update, incremental runtime updates are also supported:
# nft add element ip x y { 1.2.3.0-1.2.4.255, 3.3.3.6 }
# nft list ruleset
table ip x {
set y {
type ipv4_addr
flags interval
auto-merge
elements = { 1.2.3.0-1.2.4.255, 3.3.3.3-3.3.3.6,
4.4.4.4-4.4.4.8 }
}
}
as shown above, new elements are merged into existing intervals
whenever possible.
This also supports for incremental runtime element removals that
result in adjusting/splitting the existing intervals.
* Enhancements for the ruleset optimization -o/--optimize option which
allows to coalesce several NAT rules into map:
# cat ruleset.nft
table ip x {
chain y {
type nat hook postrouting priority srcnat; policy drop;
ip saddr 1.1.1.1 tcp dport 8000 snat to 4.4.4.4:80
ip saddr 2.2.2.2 tcp dport 8001 snat to 5.5.5.5:90
}
}
# nft -o -c -f ruleset.nft
Merging:
ruleset.nft:4:3-52: ip saddr 1.1.1.1 tcp dport 8000 snat to 4.4.4.4:80
ruleset.nft:5:3-52: ip saddr 2.2.2.2 tcp dport 8001 snat to 5.5.5.5:90
into:
snat to ip saddr . tcp dport map { 1.1.1.1 . 8000 : 4.4.4.4 . 80, 2.2.2.2 . 8001 : 5.5.5.5 . 90 }
This infrastructure also learnt how to coalesce raw expressions into maps, for example:
# cat ruleset.nft
table ip x {
[...]
chain nat_dns_acme {
udp length 47-63 @th,160,128 0x0e373135363130333131303735353203 goto nat_dns_dnstc
udp length 62-78 @th,160,128 0x0e31393032383939353831343037320e goto nat_dns_this_5301
udp length 62-78 @th,160,128 0x0e31363436323733373931323934300e goto nat_dns_saturn_5301
udp length 62-78 @th,160,128 0x0e32393535373539353636383732310e goto nat_dns_saturn_5302
udp length 62-78 @th,160,128 0x0e38353439353637323038363633390e goto nat_dns_saturn_5303
drop
}
}
When invoking 'nft' to request an optimization, several rules result
in a map:
# nft -c -o -f ruleset.
Merging:
ruleset.nft:8:17-98: udp length 47-63 @th,160,128 0x0e373135363130333131303735353203 goto nat_dns_dnstc
ruleset.nft:9:17-102: udp length 62-78 @th,160,128 0x0e31393032383939353831343037320e goto nat_dns_this_5301
ruleset.nft:10:17-104: udp length 62-78 @th,160,128 0x0e31363436323733373931323934300e goto nat_dns_saturn_5301
ruleset.nft:11:17-104: udp length 62-78 @th,160,128 0x0e32393535373539353636383732310e goto nat_dns_saturn_5302
ruleset.nft:12:17-104: udp length 62-78 @th,160,128 0x0e38353439353637323038363633390e goto nat_dns_saturn_5303
into:
udp length . @th,160,128 vmap { 47-63 . 0x0e373135363130333131303735353203 : goto nat_dns_dnstc, 62-78 . 0x0e31393032383939353831343037320e : goto nat_dns_this_5301, 62-78 . 0x0e31363436323733373931323934300e : goto nat_dns_saturn_5301, 62-78 . 0x0e32393535373539353636383732310e : goto nat_dns_saturn_5302, 62-78 . 0x0e38353439353637323038363633390e : goto nat_dns_saturn_5303 }
* Support for raw expressions in concatenations. For example, in anonymous sets:
# nft add rule x y ip saddr . @ih,32,32 { 1.1.1.1 . 0x14, 2.2.2.2 . 0x1e }
And, in explicit set declarations:
table x {
set y {
typeof ip saddr . @ih,32,32
elements = { 1.1.1.1 . 0x14 }
}
}
(inner header/payload matching @ih keywork requires Linux kernel >= 5.16).
* Support for integer type protocol header fields in concatenations.
For example, the udp length field relies on the integer datatype as
shown by the 'nft describe' command:
# nft describe udp length
payload expression, datatype integer (integer), 16 bits
you can now use it in set and map declarations through 'typeof':
table inet t {
map m1 {
typeof udp length . @ih,32,32 : verdict
flags interval
elements = { 20-80 . 0x14 : accept,
1-10 . 0xa : drop }
}
chain c {
type filter hook input priority 0; policy drop;
udp length . @ih,32,32 vmap @m1
}
}
* Allow to reset TCP options (requires Linux kernel >= 5.18):
tcp flags syn reset tcp option sack-perm
* Speed up chain listing command, ie. nft list chain x y
... this release also includes fixes (highlights):
- fix invalid listing in verdict maps
- several fixes for -o/--optimize (added in previous 1.0.2 release).
- fix anonymous object maps, for example:
table inet filter {
ct helper sip-5060u {
type "sip" protocol udp
l3proto ip
}
ct helper sip-5060t {
type "sip" protocol tcp
l3proto ip
}
chain input {
type filter hook input priority filter; policy accept;
ct helper set ip protocol . th dport map { udp . 10000-20000 : "sip-5060u", tcp . 10000-20000 : "sip-5060t" }
}
}
- fix build problems in nftables-1.0.2 tarball.
- fix JSON chain listing (https://bugzilla.netfilter.org/show_bug.cgi?id=1580)
... and incremental documentation updates.
You can download this new release from:
https://www.netfilter.org/projects/nftables/downloads.html
https://www.netfilter.org/pub/nftables/
To build the code, libnftnl >= 1.2.1 and libmnl >= 1.0.4 are required:
* https://netfilter.org/projects/libnftnl/index.html
* https://netfilter.org/projects/libmnl/index.html
Visit our wikipage for user documentation at:
* https://wiki.nftables.org
For the manpage reference, check man(8) nft.
In case of bugs and feature request, file them via:
* https://bugzilla.netfilter.org
Happy firewalling.
Chander Govindarajan (2):
json: update json output ordering to place rules after chains
nft: simplify chain lookup in do_list_chain
Florian Westphal (20):
tests: add test case for flowtable with owner flag
src: add tcp option reset support
evaluate: init cmd pointer for new on-stack context
src: copy field_count for anonymous object maps as well
evaluate: make byteorder conversion on string base type a no-op
evaluate: keep prefix expression length
segtree: split prefix and range creation to a helper function
evaluate: string prefix expression must retain original length
src: make interval sets work with string datatypes
segtree: add string "range" reversal support
tests: add testcases for interface names in sets
segtree: use correct byte order for 'element get'
segtree: add support for get element with sets that contain ifnames
netlink: remove unused argument from helper function
src: allow use of base integer types as set keys in concatenations
tests: add concat test case with integer base type subkey
src: fix always-true assertions
netlink: swap byteorder for host-endian concat data
segtree: add pretty-print support for wildcard strings in concatenated sets
sets_with_ifnames: add test case for concatenated range
Jeremy Sowden (2):
examples: add .gitignore file
include: add missing `#include`
Lukas Straub (2):
meta: time: use uint64_t instead of time_t
meta: fix compiler warning in date_type_parse()
Martin Gignac (1):
tests: py: Add meta time tests without 'meta' keyword
Pablo Neira Ayuso (34):
examples: compile with `make check' and add AM_CPPFLAGS
optimize: fix vmap with anonymous sets
optimize: more robust statement merge with vmap
optimize: incorrect assert() for unexpected expression type
optimize: do not merge unsupported statement expressions
optimize: do not assume log prefix
rule: Avoid segfault with anonymous chains
expression: typeof verdict needs verdict datatype
src: allow to use typeof of raw expressions in set declaration
src: allow to use integer type header fields via typeof set declaration
optimize: Restore optimization for raw payload expressions
tests: py: add inet/vmap tests
tests: py: extend meta time coverage
src: add EXPR_F_KERNEL to identify expression in the kernel
src: replace interval segment tree overlap and automerge
src: remove rbtree datastructure
mnl: update mnl_nft_setelem_del() to allow for more reuse
intervals: add support to automerge with kernel elements
evaluate: allow for zero length ranges
intervals: support to partial deletion with automerge
src: restore interval sets work with string datatypes
intervals: unset EXPR_F_KERNEL for adjusted elements
intervals: add elements with EXPR_F_KERNEL to purge list only
intervals: fix deletion of multiple ranges with automerge
intervals: build list of elements to be added from cache
intervals: set on EXPR_F_KERNEL flag for new elements in set cache
optimize: incorrect logic in verdict comparison
optimize: do not clone unsupported statement
optimize: merge nat rules with same selectors into map
optimize: memleak in statement matrix
intervals: deletion should adjust range not yet in the kernel
netlink_delinearize: release last register on exit
intervals: fix compilation --with-mini-gmp
build: Bump version to 1.0.3
Phil Sutter (26):
scanner: icmp{,v6}: Move to own scope
scanner: igmp: Move to own scope
scanner: tcp: Move to own scope
scanner: synproxy: Move to own scope
scanner: comp: Move to own scope.
scanner: udp{,lite}: Move to own scope
scanner: dccp, th: Move to own scopes
scanner: osf: Move to own scope
scanner: ah, esp: Move to own scopes
scanner: dst, frag, hbh, mh: Move to own scopes
scanner: type: Move to own scope
scanner: rt: Extend scope over rt0, rt2 and srh
scanner: monitor: Move to own Scope
scanner: reset: move to own Scope
scanner: import, export: Move to own scopes
scanner: reject: Move to own scope
scanner: flags: move to own scope
scanner: policy: move to own scope
scanner: nat: Move to own scope
scanner: at: Move to own scope
scanner: meta: Move to own scope
scanner: dup, fwd, tproxy: Move to own scopes
scanner: Fix for ipportmap nat statements
tests: monitor: Hide temporary file names from error output
tests: py: Don't colorize output if stderr is redirected
intervals: Simplify element sanity checks
Sam James (2):
libnftables.map: export new nft_ctx_{get,set}_optimize API
build: explicitly pass --version-script to linker
