Hi!

The Netfilter project proudly presents:

        nftables 1.0.7

This release contains enhancements and fixes such as:

- Support for vxlan/geneve/gre/gretap matching. This allows for simple
  matching expressions on inner headers, such as matching on the VxLAN
  encapsulated IPv4 header fields:

  ... udp dport 4789 vxlan ip protocol udp
  ... udp dport 4789 vxlan ip saddr 1.2.3.0/24

  This also works with sets and it can also be combined with
  concatenations, such as:

  ... udp dport 4789 vxlan ip saddr . vxlan ip daddr { 1.2.3.4 . 4.3.2.1 }

  This allows you to define a stateless filtering policy on the ingress
  hook without requiring the classic data path round trip to first
  decapsulate the VxLAN header and then filter from the vxlan0
  netdevice.

  This new feature requires Linux kernel >= 6.2.

- auto-merge support for partial set element deletion. This allows you
  to partially delete an element or a subrange in an existing range.

  # nft list ruleset
  table ip x {
          set y {
                  typeof tcp dport
                  flags interval
                  auto-merge
                  elements = { 24-30, 40-50 }
          }
  }

  Then, delete element 25 which is contained in the 24-30 range:

  # nft delete element ip x y { 25 }
  # nft list ruleset
  table ip x {
          set y {
                  typeof tcp dport
                  flags interval
                  auto-merge
                  elements = { 24, 26-30, 40-50 }
          }
  }

  This requires the following two kernel fixes:

  5d235d6ce75c ("netfilter: nft_set_rbtree: skip elements in transaction from garbage collection")
  c9e6978e2725 ("netfilter: nft_set_rbtree: Switch to node list walk for overlap detection")

  which are already scheduled for -stable kernel releases >= 5.10.

- Allow for NAT mapping with concatenation and ranges. This release fixes
  mixed use of singleton concatenation and concatenation with ranges, eg.

  table ip nat {
          chain prerouting {
                  type nat hook prerouting priority dstnat; policy accept;
                  dnat to ip daddr . tcp dport map { 10.1.1.136 . 80 : 1.1.2.69 . 1024, 10.1.1.10-10.1.1.20 . 8888-8889 : 1.1.2.69 . 2048-2049 } persistent
          }
  }

  The example above shows how to define a destination nat mapping using
  the IPv4 destination address and the TCP destination port as key for
  the map lookup. The 'persistent' flag tells the nat core to select the
  destination IPv4 address specified as an IPv4 range through hashing
  the IPv4 source and destination (to evenly distribute the load). If no
  IPv4 range is specified, then the nat core selects the singleton IPv4
  destination address.

- Support for the lastuse statement. This allows you to know the last
  time a rule or set element has been used:

  table ip x {
          set y {
                  typeof ip daddr . tcp dport
                  size 65535
                  flags dynamic,timeout
                  last
                  timeout 1h
          }

          chain z {
                  type filter hook output priority filter; policy accept;
                  update @y { ip daddr . tcp dport }
          }
  }

  # nft list set ip x y
  table ip x {
          set y {
                  typeof ip daddr . tcp dport
                  size 65535
                  flags dynamic,timeout
                  last
                  timeout 1h
                  elements = { 172.217.17.14 . 443 last used 1s591ms timeout 1h expires 59m58s409ms,
                               172.67.69.19 . 443 last used 4s636ms timeout 1h expires 59m55s364ms,
                               142.250.201.72 . 443 last used 4s748ms timeout 1h expires 59m55s252ms,
                               172.67.70.134 . 443 last used 4s688ms timeout 1h expires 59m55s312ms,
                               35.241.9.150 . 443 last used 5s204ms timeout 1h expires 59m54s796ms,
                               138.201.122.174 . 443 last used 4s537ms timeout 1h expires 59m55s463ms,
                               34.160.144.191 . 443 last used 5s205ms timeout 1h expires 59m54s795ms,
                               130.211.23.194 . 443 last used 4s436ms timeout 1h expires 59m55s564ms }
          }
  }

  This feature is available since Linux kernel >= 5.14. This requires
  the following kernel fix:

  860e874290fb ("netfilter: nft_last: copy content when cloning expression")

  which is already scheduled for -stable Linux kernel releases.

- Support for quota in sets. The following example shows how to define
  an (optional) quota per IPv4 destination address:

  table netdev x {
          set y {
                  typeof ip daddr
                  size 65535
                  quota over 10000 mbytes
          }

          chain y {
                  type filter hook egress device "eth0" priority filter; policy accept;
                  ip daddr @y drop
          }
  }

  Then, add a quota for 8.8.8.8:

  # nft add element inet x y { 8.8.8.8 }
  # ping -c 2 8.8.8.8
  PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
  64 bytes from 8.8.8.8: icmp_seq=1 ttl=58 time=8.14 ms
  64 bytes from 8.8.8.8: icmp_seq=2 ttl=58 time=7.82 ms

  --- 8.8.8.8 ping statistics ---
  2 packets transmitted, 2 received, 0% packet loss, time 1001ms
  rtt min/avg/max/mdev = 7.824/7.980/8.136/0.156 ms

  # nft list ruleset
  table netdev x {
          set y {
                  type ipv4_addr
                  size 65535
                  quota over 10000 mbytes
                  elements = { 8.8.8.8 quota over 10000 mbytes used 196 bytes }
          }

          chain y {
                  type filter hook egress device "eth0" priority filter; policy accept;
                  ip daddr @y drop
          }
  }

  You can also override the default set-defined quota per element:

  # nft add element inet x y { 1.2.3.5 quota 5000 mbytes }

- Allow to use constant in set statement. The following example shows
  how to add a set element from the datapath as a concatenation of the
  Ethernet destination address and a (constant) VLAN id (VLAN id 123 is
  used below).

  table netdev t {
          set s {
                  typeof ether saddr . vlan id
                  size 2048
                  flags dynamic,timeout
                  timeout 1m
          }

          chain c {
                  type filter hook ingress device eth0 priority 0; policy accept;
                  ether type != 8021q update @s { ether daddr . 123 } counter
          }
  }

- New destroy command (it requires Linux kernel >= 6.3-rc), which allows
  you to unconditionally remove objects, because the delete command hits
  ENOENT if the object does not exist.

  destroy table ip filter

- fix ct proto-src and proto-dst when used from set/map statements.
  These are the equivalent representation to th sport and th dport to
  access the conntrack tuple. The following example shows how to
  populate a map from the datapath:

  table ip foo {
          map pinned {
                  typeof ip saddr . ct original proto-dst : ip daddr . tcp dport
                  size 65535
                  flags dynamic,timeout
                  timeout 6m
          }

          chain pre {
                  type filter hook prerouting priority 0; policy accept;
                  meta l4proto tcp update @pinned { ip saddr . ct original proto-dst : ip daddr . tcp dport }
          }
  }

- fixes for the new -o/--optimize option which allows you to optimize
  your ruleset.

- fix set element deletion triggering a crash in previous releases.

- fix parsing of invalid octal strings.

- ... and manpage updates.

See changelog for more details (attached to this email).

You can download this new release from:

https://www.netfilter.org/projects/nftables/downloads.html
https://www.netfilter.org/pub/nftables/

[ NOTE: We have switched to .tar.xz files for releases. ]

To build the code, libnftnl >= 1.2.5 and libmnl >= 1.0.4 are required:

* https://netfilter.org/projects/libnftnl/index.html
* https://netfilter.org/projects/libmnl/index.html

Visit our wikipage for user documentation at:

* https://wiki.nftables.org

For the manpage reference, check man(8) nft.

In case of bugs and feature requests, file them via:

* https://bugzilla.netfilter.org

Happy firewalling.
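An added example (not from this announcement or the nftables project) that combines two of the features above, the destroy command and the vxlan inner-header matching, into one ruleset file that can be re-run with "nft -f" without failing on ENOENT: destroy drops any previous copy of the table, and the vxlan expressions filter on the encapsulated IPv4 header at the netdev ingress hook before any decapsulation. Table, set, chain and device names and all addresses are constructed for illustration; it needs Linux kernel >= 6.3 for destroy and >= 6.2 for the vxlan expressions.

```nft
#!/usr/sbin/nft -f
# Added example, not part of the release announcement. All names and
# addresses below are made up. "destroy" removes the table if it exists
# and is silently a no-op otherwise (kernel >= 6.3), so re-running this
# file never hits ENOENT the way "delete table" would.

destroy table netdev vxlan_filter

table netdev vxlan_filter {
    # Inner IPv4 source prefixes that must never arrive through a VxLAN
    # tunnel on this interface (constructed policy values).
    set bad_inner_src {
        type ipv4_addr
        flags interval
        elements = { 10.0.0.0/8, 192.168.0.0/16 }
    }

    # Known inner src . inner dst pairs that are allowed to carry any
    # inner protocol (constructed values).
    set allowed_inner_pairs {
        type ipv4_addr . ipv4_addr
        elements = { 172.16.1.10 . 172.16.2.20,
                     172.16.1.11 . 172.16.2.21 }
    }

    chain ingress {
        type filter hook ingress device "eth0" priority filter; policy accept;

        # Only VxLAN traffic (UDP/4789) is inspected; the vxlan expression
        # parses the inner IPv4 header of the encapsulated frame
        # (kernel >= 6.2), so no round trip via vxlan0 is needed.
        udp dport 4789 vxlan ip saddr @bad_inner_src counter drop

        # Concatenated inner address pair lookup against a named set.
        udp dport 4789 vxlan ip saddr . vxlan ip daddr @allowed_inner_pairs counter accept

        # Anything else carrying inner UDP is logged and dropped; the
        # counters make the policy auditable with "nft list ruleset".
        udp dport 4789 vxlan ip protocol udp counter log prefix "vxlan-inner-udp-drop " drop
    }
}
```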
Fernando F. Mancera (1):
      src: add support to command "destroy"

Florian Westphal (1):
      evaluate: set eval ctx for add/update statements with integer constants

Jeremy Sowden (4):
      scanner: treat invalid octal strings as strings
      netlink_delinearize: add postprocessing for payload binops
      evaluate: relax type-checking for integer arguments in mark statements
      src: fix a couple of typo's in comments

Máté Eckl (1):
      src: Update copyright header to GPLv2+ in socket.c

Pablo Neira Ayuso (43):
      evaluate: fix shift exponent underflow in concatenation evaluation
      ct: use inet_service_type for proto-src and proto-dst
      src: Add GPLv2+ header to .c files of recent creation
      src: add eval_proto_ctx()
      src: add dl_proto_ctx()
      src: add vxlan matching support
      tests: py: add vxlan tests
      tests: shell: add vxlan set tests
      doc: add vxlan matching expression
      src: display (inner) tag in --debug=proto-ctx
      src: add gre support
      tests: py: add gre tests
      doc: add gre matching expression
      src: add geneve matching support
      tests: py: add geneve tests
      doc: add geneve matching expression
      src: add gretap support
      tests: py: add gretap tests
      doc: add gretap matching expression
      optimize: payload expression requires inner_desc comparison
      intervals: restrict check missing elements fix to sets with no auto-merge
      tests: shell: extend runtime set element automerge to cover partial deletions
      optimize: wrap code to build concatenation in helper function
      optimize: fix incorrect expansion into concatenation with verdict map
      optimize: select merge criteria based on candidates rules
      rule: add helper function to expand chain rules into commands
      rule: expand standalone chain that contains rules
      optimize: ignore existing nat mapping
      evaluate: print error on missing family in nat statement
      evaluate: infer family from mapping
      optimize: infer family for nat mapping
      src: use start condition with new destroy command
      parser_bison: missing close scope in destroy start condition
      tests: shell: cover rule insertion by index
      src: expand table command before evaluation
      evaluate: expand value to range when nat mapping contains intervals
      src: add last statement
      parser_bison: allow to use quota in sets
      cache: fetch more objects when resetting rule
      tests: shell: use bash in 0011reset_0
      src: improve error reporting for unsupported chain type
      cmd: move command functions to src/cmd.c
      build: Bump version to 1.0.7

Phil Sutter (10):
      optimize: Clarify chain_optimize() array allocations
      optimize: Do not return garbage from stack
      netlink: Fix for potential NULL-pointer deref
      meta: parse_iso_date() returns boolean
      mnl: dump_nf_hooks() leaks memory in error path
      Implement 'reset rule' and 'reset rules' commands
      netlink_delinearize: Sanitize concat data element decoding
      doc: nft.8: Document lower priority limit for nat type chains
      xt: Fix fallback printing for extensions matching keywords
      Reject invalid chain priority values in user space