Hi!
The Netfilter project proudly presents:
nftables 1.0.8
This release contains enhancements and fixes such as:
- Support for setting meta and ct mark from other fields in rules,
eg. set meta mark to ip dscp header field.
... meta mark set ip dscp
You can also combining it with expressions such as:
... meta mark set ip dscp and 0x0f
... meta mark set ip dscp << 8
... meta mark set (ip dscp and 0xf) << 8
- Enhacements for -o/--optimize to deal with NAT statements, to compact
masquerade statements:
Merging:
masq.nft:3:3-36: ip saddr 10.141.11.0/24 masquerade
masq.nft:4:3-36: ip saddr 10.141.13.0/24 masquerade
into:
ip saddr { 10.141.11.0/24, 10.141.13.0/24 } masquerade
... and redirect statements too:
Merging:
redir.nft:3:3-32: tcp dport 83 redirect to :8083
redir.nft:4:3-32: tcp dport 84 redirect to :8084
into:
redirect to :tcp dport map { 83 : 8083, 84 : 8084 }
- Support for stateful statements in anonymous maps, such as counters.
... meta mark { 0xa counter, 0xb counter }
this can also be used in verdict maps:
... ip saddr vmap { 127.0.0.1 counter : drop, * counter : accept }
this allows to compact 'ct state' matching in rulesets without losing
the ability to count packets:
... ct state vmap { established counter : accept, \
related counter : accept, \
invalid counter : drop }
- Support for resetting stateful expressions in sets, maps and elements,
e.g. counters:
reset element t m '{ 1.2.3.4 }'
reset map ip t m
reset set ip t m
Note that this feature requires Linux kernel >= 6.5-rc1.
- Simplify reset command syntax. This command allows you to reset
stateful information in rules, such as counters and quotas:
reset rules # reset all counters regardless family
reset rules ip # reset all counters for family 'ip'
reset rules ip t # reset all counters for table 'filter' in family 'ip'
reset rules ip t c # reset all counters in chain 'input'
Similarly, you do not have to specify the table keyword anymore when
resetting named stateful objects:
reset counters
reset counters ip
reset counters ip filter
- Fix bogus error reporting on missing transport protocol when using
layer 4 keys in maps:
... redirect to :tcp dport map { 83 : 8083, 84 : 8084 }
This redirects traffic to the localhost ports depending on the TCP
destination port, ie. packets going to TCP destination port 83 are
redirected to localhost TCP port 8083.
- Provide a hint in unpriviledged namespaces to allow for large rulesets:
# nft -f test.nft
netlink: Error: Could not process rule: Message too long
Please, rise /proc/sys/net/core/wmem_max on the host namespace. Hint: 4194304 bytes
This has been an issue for people loading GeoIP sets from containers,
with large IP source address sets.
- Allow for updating devices on existing netdev chain (This requires Linux kernel >= 6.3).
This patch allows you to add/remove devices to an existing chain:
# cat ruleset.nft
table netdev x {
chain y {
type filter hook ingress devices = { eth0 } priority 0; policy accept;
}
}
# nft -f ruleset.nft
# nft add chain netdev x y '{ devices = { eth1 }; }'
# nft list ruleset
table netdev x {
chain y {
type filter hook ingress devices = { eth0, eth1 } priority 0; policy accept;
}
}
# nft delete chain netdev x y '{ devices = { eth0 }; }'
# nft list ruleset
table netdev x {
chain y {
type filter hook ingress devices = { eth1 } priority 0; policy accept;
}
}
- Make "nft list sets" include set elements in listing by default,
please, use -t/--terse to fetch the sets without elements.
- Improve error reporting with suggestions on datatype mistypes:
test.nft:3:11-14: Error: Could not parse Differentiated Services Code Point expression; did you you mean `cs0`?
ip dscp ccs0
^^^^
Provide a suggestion too for incorrect jump/goto to chain in map:
# cat test.nft
table ip x {
map y {
typeof ip saddr : verdict
elements = { 1.2.3.4 : filter_server1 }
}
}
# nft -f test.nft
test.nft:4:26-39: Error: Could not parse netfilter verdict; did you mean `jump filter_server1'?
elements = { 1.2.3.4 : filter_server1 }
^^^^^^^^^^^^^^
- Support for constant values in concatenations. For example, allow to
update a set from packet path using constants:
... update @s1 { ip saddr . 10.180.0.4 . 80 }
- broute support to short-circuit bridge logic from the bridge prerouting hook
and pass up packets to the local IP stack.
... meta broute set 1
- JSON support for table and chain comments:
# nft -j list ruleset
{"nftables": [{"metainfo": {"version": "1.0.7", "release_name": "Old Doc Yak", "json_schema_version": 1}}, {"table": {"family": "inet", "name": "test3", "handle": 4, "comment": "this is a comment"}}]}
- JSON support for inner/tunnel matching. This example shows how match
on the IP dscp field encapsulated under vxlan header.
# udp dport 4789 vxlan ip dscp 0x02
[
{
"match": {
"left": {
"payload": {
"field": "dport",
"protocol": "udp"
}
},
"op": "==",
"right": 4789
}
},
{
"match": {
"left": {
"payload": {
"field": "dscp",
"protocol": "ip",
"tunnel": "vxlan"
}
},
"op": "==",
"right": 2
}
}
]
- JSON support for 'last used' statement, that tells when a rule/set
element has been used last time.
- Update 'nft list hooks' command to display registered bpf hooks in the
netfilter dataplane.
- disallow combining -i/--interactive and -f/--filename.
- distutils has been replaced with setuptools in nftables Python binding.
... as well as asorted fixes and manpage documentation updates.
See changelog for more details (attached to this email).
You can download this new release from:
https://www.netfilter.org/projects/nftables/downloads.html
https://www.netfilter.org/pub/nftables/
[ NOTE: We have switched to .tar.xz files for releases. ]
To build the code, libnftnl >= 1.2.6 and libmnl >= 1.0.4 are required:
* https://netfilter.org/projects/libnftnl/index.html
* https://netfilter.org/projects/libmnl/index.html
Visit our wikipage for user documentation at:
* https://wiki.nftables.org
For the manpage reference, check man(8) nft.
In case of bugs and feature requests, file them via:
* https://bugzilla.netfilter.org
Happy firewalling.
Fernando Fernandez Mancera (1):
tests: extend tests for destroy command
Florian Westphal (17):
meta: don't crash if meta key isn't known
src: fix enum/integer mismatches
doc: list set/map flag keywords in a table
doc: add nat examples
netlink: restore typeof interval map data type
mnl: support bpf id decode in nft list hooks
src: permit use of constant values in set lookup keys
tests: shell: add test case for chain-in-use-splat
cache: include set elements in "nft set list"
json: dccp: remove erroneous const qualifier
evaluate: do not abort when prefix map has non-map element
parser: don't assert on scope underflows
parser: reject zero-length interface names
parser: reject zero-length interface names in flowtables
ct timeout: fix 'list object x' vs. 'list objects in table' confusion
src: avoid IPPROTO_MAX for array definitions
tests: json: add missing/expected json output
Jeremy Sowden (9):
evaluate: insert byte-order conversions for expressions between 9 and 15 bits
evaluate: don't eval unary arguments
tests: py: add test-cases for ct and packet mark payload expressions
tests: shell: rename and move bitwise test-cases
tests: shell: add test-cases for ct and packet mark payload expressions
netlink_delinearize: correct type and byte-order of shifts
json: formatting fixes
doc: correct NAT statement description
exthdr: add boolean DCCP option matching
Jose M. Guisado Gomez (1):
py: replace distutils with setuptools
Pablo Neira Ayuso (45):
Revert "evaluate: relax type-checking for integer arguments in mark statements"
parser_bison: simplify reset syntax
evaluate: support shifts larger than the width of the left operand
evaluate: relax type-checking for integer arguments in mark statements
evaluate: set up integer type to shift expression
evaluate: honor statement length in integer evaluation
evaluate: honor statement length in bitwise evaluation
netlink_delinerize: incorrect byteorder in mark statement listing
tests: py: extend test-cases for mark statements with bitwise expressions
payload: set byteorder when completing expression
intervals: use expression location when translating to intervals
optimize: assert nat type on nat statement helper
evaluate: bogus missing transport protocol
netlink_delinearize: do not reset protocol context for nat protocol expression
optimize: support for redirect and masquerade
main: Error out when combining -i/--interactive and -f/--file
mnl: set SO_SNDBUF before SO_SNDBUFFORCE
mnl: flowtable support for extended netlink error reporting
src: allow for updating devices on existing netdev chain
evaluate: bail out if new flowtable does not specify hook and priority
meta: skip protocol context update for nfproto with same table family
json: allow to specify comment on table
json: allow to specify comment on chain
mnl: handle singleton element in netdevice set
mnl: incomplete extended error reporting for singleton device in chain
tests: py: missing json updates on ct and meta mark payload expression
evaluate: allow stateful statements with anonymous verdict maps
evaluate: skip optimization if anonymous set uses stateful statement
optimize: do not remove counter in verdict maps
datatype: misspell support with symbol table parser for error reporting
datatype: add hint error handler
evaluate: set NFT_SET_EVAL flag if dynamic set already exists
tests: shell: fix spurious errors in terse listing in json
tests: shell: bogus EBUSY errors in transactions
src: add json support for last statement
json: add inner payload support
tests: shell: coverage for simple port knocking ruleset
tests: shell: cover refcount leak of mapping rhs
expression: define .clone for catchall set element
tests: shell: refcount memleak in map rhs with timeouts
netlink_linearize: use div_round_up in byteorder length
evaluate: place byteorder conversion before rshift in payload statement
tests: shell: cover old scanner bug
include: missing dccpopt.h breaks make distcheck
build: Bump version to 1.0.8
Phil Sutter (12):
Reduce signature of do_list_table()
Avoid a memleak with 'reset rules' command
xt: Fix translation error path
tests: shell: Fix for unstable sets/0043concatenated_ranges_0
tests: py: Document JSON mode in README
main: Make 'buf' variable branch-local
main: Call nft_ctx_free() before exiting
cli: Make cli_init() return to caller
tests: shell: Introduce valgrind mode
evaluate: Merge some cases in cmd_evaluate_list()
evaluate: Cache looked up set for list commands
Implement 'reset {set,map,element}' commands
Sriram Yagnaraman (1):
meta: introduce meta broute support
Thomas Haller (4):
libnftables: always initialize netlink socket in nft_ctx_new()
libnftables: drop unused argument nf_sock from nft_netlink()
libnftables: inline creation of nf_sock in nft_ctx_new()
libnftables: drop check for nf_sock in nft_ctx_free()
