[ANNOUNCE] nftables 1.0.6 release

Hi!

The Netfilter project proudly presents:

        nftables 1.0.6

This release contains enhancements and fixes:

- Fixes for -o/--optimize. Run nft with this option to automatically
  compact your ruleset using sets, maps and concatenations,

e.g.

     # cat ruleset.nft
     table ip x {
            chain y {
                   type filter hook input priority filter; policy drop;
                   meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept
                   meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.4 accept
                   meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.3.0/24 accept
                   meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.4.0-2.2.4.10 accept
                   meta iifname eth2 ip saddr 1.1.1.3 ip daddr 2.2.2.5 accept
            }
     }
     # nft -o -c -f ruleset.nft
     Merging:
     ruleset.nft:4:17-74:                 meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept
     ruleset.nft:5:17-74:                 meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.4 accept
     ruleset.nft:6:17-77:                 meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.3.0/24 accept
     ruleset.nft:7:17-83:                 meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.4.0-2.2.4.10 accept
     ruleset.nft:8:17-74:                 meta iifname eth2 ip saddr 1.1.1.3 ip daddr 2.2.2.5 accept
     into:
             iifname . ip saddr . ip daddr { eth1 . 1.1.1.1 . 2.2.2.3, eth1 . 1.1.1.2 . 2.2.2.4, eth1 . 1.1.1.2 . 2.2.3.0/24, eth1 . 1.1.1.2 . 2.2.4.0-2.2.4.10, eth2 . 1.1.1.3 . 2.2.2.5 } accept

+ The optimizer also compacts rules that already use simple (non-concatenated)
  sets, turning them into sets with concatenations, e.g.

     # cat ruleset.nft
     table ip filter {
            chain input {
                   type filter hook input priority filter; policy drop;
                   iifname "lo" accept
                   ct state established,related accept comment "In traffic we originate, we trust"
                   iifname "enp0s31f6" ip saddr { 209.115.181.102, 216.197.228.230 } ip daddr 10.0.0.149 udp sport 123 udp dport 32768-65535 accept
                   iifname "enp0s31f6" ip saddr { 64.59.144.17, 64.59.150.133 } ip daddr 10.0.0.149 udp sport 53 udp dport 32768-65535 accept
            }
     }
     # nft -o -c -f ruleset.nft
     Merging:
     ruleset.nft:6:22-149:                      iifname "enp0s31f6" ip saddr { 209.115.181.102, 216.197.228.230 } ip daddr 10.0.0.149 udp sport 123 udp dport 32768-65535 accept
     ruleset.nft:7:22-143:                      iifname "enp0s31f6" ip saddr { 64.59.144.17, 64.59.150.133 } ip daddr 10.0.0.149 udp sport 53 udp dport 32768-65535 accept
     into:
                iifname . ip saddr . ip daddr . udp sport . udp dport { enp0s31f6 . 209.115.181.102 . 10.0.0.149 . 123 . 32768-65535, enp0s31f6 . 216.197.228.230 . 10.0.0.149 . 123 . 32768-65535, enp0s31f6 . 64.59.144.17 . 10.0.0.149 . 53 . 32768-65535, enp0s31f6 . 64.59.150.133 . 10.0.0.149 . 53 . 32768-65535 } accept
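
As an added illustration (not code from the nftables project), the following
Python models the merge step shown in the two examples above: consecutive rules
with the same selectors and verdict collapse into one rule with a concatenated
anonymous set, and a rule's own anonymous set is expanded into separate
elements. It only understands the selectors used in these examples, and the
sample chain body is copied from the second example above.

```python
import itertools
import re
# Selectors the model understands; 'meta iifname' is printed as 'iifname'.
SELECTORS = ("meta iifname", "iifname", "ip saddr", "ip daddr", "udp sport", "udp dport")
SEL_RE = re.compile(r"(%s)\s+(\{[^}]*\}|\S+)" % "|".join(map(re.escape, SELECTORS)))
# Constructed input: the second chain body from the announcement, one rule per line.
RULESET = """\
iifname "lo" accept
ct state established,related accept comment "In traffic we originate, we trust"
iifname "enp0s31f6" ip saddr { 209.115.181.102, 216.197.228.230 } ip daddr 10.0.0.149 udp sport 123 udp dport 32768-65535 accept
iifname "enp0s31f6" ip saddr { 64.59.144.17, 64.59.150.133 } ip daddr 10.0.0.149 udp sport 53 udp dport 32768-65535 accept
"""

def parse_rule(line):
    # (selector keys, alternatives per key, verdict); None for anything not modelled.
    words = line.split()
    if words[-1] not in ("accept", "drop"):
        return None
    body = line[: -len(words[-1])]
    if SEL_RE.sub("", body).strip():  # leftover text means an unknown match
        return None
    keys, alts = [], []
    for key, val in SEL_RE.findall(body):
        keys.append(key.replace("meta ", ""))
        raw = val[1:-1].split(",") if val.startswith("{") else [val]
        alts.append([v.strip().strip('"') for v in raw if v.strip()])
    return (tuple(keys), alts, words[-1]) if keys else None

def merge(run):
    # A run of rules sharing keys and verdict becomes one rule with a concatenated
    # anonymous set; a rule's own anonymous set is expanded into separate elements.
    if len(run) == 1:
        return run[0][0]
    keys, _, verdict = run[0][1]
    elems = [" . ".join(e) for _, (_, alts, _) in run for e in itertools.product(*alts)]
    return "%s { %s } %s" % (" . ".join(keys), ", ".join(elems), verdict)

def optimize(ruleset):
    # 'nft -o' style pass: an unparsed rule passes through and ends the current run.
    out, run = [], []
    for line in filter(None, map(str.strip, ruleset.splitlines())):
        p = parse_rule(line)
        if run and (p is None or (p[0], p[2]) != (run[0][1][0], run[0][1][2])):
            out.append(merge(run))
            run = []
        if p is None:
            out.append(line)
        else:
            run.append((line, p))
    return out + ([merge(run)] if run else [])
```

The real optimizer is what decides for your ruleset; `nft -o -c -f ruleset.nft` runs it as a dry run (-c) that prints the merge decisions without loading anything.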

- Fix bytecode generation for concatenations of intervals whose selectors use
  datatypes with different byte order, e.g. IPv4 addresses (network byte order)
  and meta mark (host byte order):

    table ip x {
           map w {
                 typeof ip saddr . meta mark : verdict
                 flags interval
                 counter
                 elements = {
                         127.0.0.1-127.0.0.4 . 0x123434-0xb00122 : accept,
                         192.168.0.10-192.168.1.20 . 0x0000aa00-0x0000aaff : accept,
                 }
           }
           chain k {
                 type filter hook input priority filter; policy drop;
                 ip saddr . meta mark vmap @w
           }
    }

- Fix matching of uncommon protocols in combination with raw payload expressions, e.g.

     meta l4proto 91 @th,400,16 0x0 accept

- Unbreak insertion of rules with intervals:

     insert rule x y tcp sport { 3478-3497, 16384-16387 } counter accept

- Enhancements for the JSON API, including support for statements in sets and
  maps, and assorted fixes.
- Extensions for the Python nftables library to allow loading a ruleset and
  performing a dry run, support for externally defined variables, among others.
- Allow comments to be interleaved with set elements.
- Allow a burst of zero in byte rate limits.
- Fix the element collapse routine when the same set name is used in different
  address families.
- ... and manpage updates.

See the changelog (attached to this email) for more details.

You can download this new release from:

https://www.netfilter.org/projects/nftables/downloads.html
https://www.netfilter.org/pub/nftables/

[ NOTE: We have switched to .tar.xz files for releases. ]

To build the code, libnftnl >= 1.2.4 and libmnl >= 1.0.4 are required:

* https://netfilter.org/projects/libnftnl/index.html
* https://netfilter.org/projects/libmnl/index.html

Visit our wikipage for user documentation at:

* https://wiki.nftables.org

For the manpage reference, check man(8) nft.

In case of bugs and feature requests, file them via:

* https://bugzilla.netfilter.org

Happy firewalling.

Alex Forster (1):
      json: fix 'add flowtable' command

Derek Hageman (1):
      rule: check address family in set collapse

Fernando Fernandez Mancera (8):
      json: add set statement list support
      json: add table map statement support
      json: fix json schema version verification
      json: fix empty statement list output in sets and maps
      json: add secmark object reference support
      json: add stateful object comment support
      py: support variables management and fix formatting
      doc: add nft_ctx_add_var() and nft_ctx_clear_vars() docs

Florian Westphal (11):
      tests: shell: check for a tainted kernel
      expr: update EXPR_MAX and add missing comments
      evaluate: un-break rule insert with intervals
      evaluate: allow implicit ether -> vlan dep
      doc: mention vlan matching in ip/ip6/inet families
      evaluate: add ethernet header size offset for implicit vlan dependency
      tests: py: add vlan test case for ip/inet family
      netlink_delinearize: fix decoding of concat data element
      netlink_linearize: fix timeout with map updates
      tests: add a test case for map update from packet path with concat
      doc: add/update can be used with maps too

Harald Welte (1):
      doc: payload-expression.txt: Mention that 'ih' exists

Jeremy Sowden (3):
      segtree: refactor decomposition of closed intervals
      segtree: fix decomposition of unclosed intervals containing address prefixes
      doc, src: make some spelling and grammatical improvements

Michael Braun (1):
      concat with dynamically sized fields like vlan id

Pablo Neira Ayuso (31):
      optimize: merging concatenation is unsupported
      optimize: check for mergeable rules
      optimize: expand implicit set element when merging into concatenation
      src: allow burst 0 for byte ratelimit and use it as default
      tests/py: missing userdata in netlink payload
      include: resync nf_tables.h cache copy
      evaluate: bogus datatype assertion in binary operation evaluation
      evaluate: datatype memleak after binop transfer
      parser_bison: display too many levels of nesting error
      rule: do not display handle for implicit chain
      netlink_delinearize: do not transfer binary operation to non-anonymous sets
      tests: shell: deletion from interval concatenation
      netlink_delinearize: complete payload expression in payload statement
      payload: do not kill dependency for proto_unknown
      optimize: handle prefix and range when merging into set + concatenation
      doc: document a few reset commands supported by the parser
      doc: no reset support for limit
      monitor: missing cache and set handle initialization
      src: support for selectors with different byteorder with interval concatenations
      doc: statements: fwd supports for sending packets via neighbouring layer
      scanner: munch full comment lines
      tests: py: missing json for different byteorder selector with interval concatenation
      netlink: swap byteorder of value component in concatenation of intervals
      evaluate: do not crash on runaway number of concatenation components
      netlink: statify __netlink_gen_data()
      netlink: add function to generate set element key data
      netlink: unfold function to generate concatenations for keys and data
      scanner: match full comment line in case of tie
      evaluate: fix compilation warning
      owner: Fix potential array out of bounds access
      build: Bump version to 1.0.6

Peter Collinson (1):
      py: extend python API to support libnftables API

Phil Sutter (9):
      doc: nft.8: Add missing '-T' in synopsis
      erec: Dump locations' expressions only if set
      monitor: Sanitize startup race condition
      Warn for tables with compat expressions in rules
      Makefile: Create LZMA-compressed dist-files
      xt: Delay libxtables access until translation
      xt: Purify enum nft_xt_type
      xt: Rewrite unsupported compat expression dumping
      xt: Fall back to generic printing from translation

Xiao Liang (1):
      src: Don't parse string as verdict in map
