[ANNOUNCE] nftables 1.0.8 release

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi!

The Netfilter project proudly presents:

        nftables 1.0.8

This release contains enhancements and fixes such as:

- Support for setting meta and ct mark from other fields in rules,
  eg. set meta mark to ip dscp header field.

    ... meta mark set ip dscp

  You can also combining it with expressions such as:

    ... meta mark set ip dscp and 0x0f
    ... meta mark set ip dscp << 8
    ... meta mark set (ip dscp and 0xf) << 8

- Enhacements for -o/--optimize to deal with NAT statements, to compact
  masquerade statements:

     Merging:
     masq.nft:3:3-36:              ip saddr 10.141.11.0/24 masquerade
     masq.nft:4:3-36:              ip saddr 10.141.13.0/24 masquerade
     into:
                ip saddr { 10.141.11.0/24, 10.141.13.0/24 } masquerade

  ... and redirect statements too:

     Merging:
     redir.nft:3:3-32:              tcp dport 83 redirect to :8083
     redir.nft:4:3-32:              tcp dport 84 redirect to :8084
     into:
                redirect to :tcp dport map { 83 : 8083, 84 : 8084 }

- Support for stateful statements in anonymous maps, such as counters.

    ... meta mark { 0xa counter, 0xb counter }

  this can also be used in verdict maps:

    ... ip saddr vmap { 127.0.0.1 counter : drop, * counter : accept }

  this allows to compact 'ct state' matching in rulesets without losing
  the ability to count packets:

    ... ct state vmap { established counter : accept, \
                        related counter : accept, \
                        invalid counter : drop }

- Support for resetting stateful expressions in sets, maps and elements,
  e.g. counters:

    reset element t m '{ 1.2.3.4 }'
    reset map ip t m
    reset set ip t m

  Note that this feature requires Linux kernel >= 6.5-rc1.

- Simplify reset command syntax. This command allows you to reset
  stateful information in rules, such as counters and quotas:

    reset rules                  # reset all counters regardless family
    reset rules ip               # reset all counters for family 'ip'
    reset rules ip t             # reset all counters for table 'filter' in family 'ip'
    reset rules ip t c           # reset all counters in chain 'input'

  Similarly, you do not have to specify the table keyword anymore when
  resetting named stateful objects:

    reset counters
    reset counters ip
    reset counters ip filter

- Fix bogus error reporting on missing transport protocol when using
  layer 4 keys in maps:

    ... redirect to :tcp dport map { 83 : 8083, 84 : 8084 }

  This redirects traffic to the localhost ports depending on the TCP
  destination port, ie. packets going to TCP destination port 83 are
  redirected to localhost TCP port 8083.

- Provide a hint in unpriviledged namespaces to allow for large rulesets:

    # nft -f test.nft
    netlink: Error: Could not process rule: Message too long
    Please, rise /proc/sys/net/core/wmem_max on the host namespace. Hint: 4194304 bytes

  This has been an issue for people loading GeoIP sets from containers,
  with large IP source address sets.

- Allow for updating devices on existing netdev chain (This requires Linux kernel >= 6.3).

    This patch allows you to add/remove devices to an existing chain:

     # cat ruleset.nft
     table netdev x {
            chain y {
                    type filter hook ingress devices = { eth0 } priority 0; policy accept;
            }
     }
     # nft -f ruleset.nft
     # nft add chain netdev x y '{ devices = { eth1 };  }'
     # nft list ruleset
     table netdev x {
            chain y {
                    type filter hook ingress devices = { eth0, eth1 } priority 0; policy accept;
            }
     }
     # nft delete chain netdev x y '{ devices = { eth0 }; }'
     # nft list ruleset
     table netdev x {
            chain y {
                    type filter hook ingress devices = { eth1 } priority 0; policy accept;
            }
     }

- Make "nft list sets" include set elements in listing by default,
  please, use -t/--terse to fetch the sets without elements.

- Improve error reporting with suggestions on datatype mistypes:

     test.nft:3:11-14: Error: Could not parse Differentiated Services Code Point expression; did you you mean `cs0`?
                     ip dscp ccs0
                             ^^^^

  Provide a suggestion too for incorrect jump/goto to chain in map:

     # cat test.nft
     table ip x {
            map y {
                    typeof ip saddr : verdict
                    elements = { 1.2.3.4 : filter_server1 }
            }
     }
     # nft -f test.nft
     test.nft:4:26-39: Error: Could not parse netfilter verdict; did you mean `jump filter_server1'?
                     elements = { 1.2.3.4 : filter_server1 }
                                            ^^^^^^^^^^^^^^

- Support for constant values in concatenations. For example, allow to
  update a set from packet path using constants:

    ... update @s1 { ip saddr . 10.180.0.4 . 80 }

- broute support to short-circuit bridge logic from the bridge prerouting hook
  and pass up packets to the local IP stack.

    ... meta broute set 1

- JSON support for table and chain comments:

    # nft -j list ruleset
    {"nftables": [{"metainfo": {"version": "1.0.7", "release_name": "Old Doc Yak", "json_schema_version": 1}}, {"table": {"family": "inet", "name": "test3", "handle": 4, "comment": "this is a comment"}}]}

- JSON support for inner/tunnel matching. This example shows how match
  on the IP dscp field encapsulated under vxlan header.

    # udp dport 4789 vxlan ip dscp 0x02
    [
        {
            "match": {
                "left": {
                    "payload": {
                        "field": "dport",
                        "protocol": "udp"
                    }
                },
                "op": "==",
                "right": 4789
            }
        },
        {
            "match": {
               "left": {
                    "payload": {
                        "field": "dscp",
                        "protocol": "ip",
                        "tunnel": "vxlan"
                    }
                },
                "op": "==",
                "right": 2
            }
        }
    ]

- JSON support for 'last used' statement, that tells when a rule/set
  element has been used last time.

- Update 'nft list hooks' command to display registered bpf hooks in the
  netfilter dataplane.

- disallow combining -i/--interactive and -f/--filename.

- distutils has been replaced with setuptools in nftables Python binding.

... as well as asorted fixes and manpage documentation updates.

See changelog for more details (attached to this email).

You can download this new release from:

https://www.netfilter.org/projects/nftables/downloads.html
https://www.netfilter.org/pub/nftables/

[ NOTE: We have switched to .tar.xz files for releases. ]

To build the code, libnftnl >= 1.2.6 and libmnl >= 1.0.4 are required:

* https://netfilter.org/projects/libnftnl/index.html
* https://netfilter.org/projects/libmnl/index.html

Visit our wikipage for user documentation at:

* https://wiki.nftables.org

For the manpage reference, check man(8) nft.

In case of bugs and feature requests, file them via:

* https://bugzilla.netfilter.org

Happy firewalling.
Fernando Fernandez Mancera (1):
      tests: extend tests for destroy command

Florian Westphal (17):
      meta: don't crash if meta key isn't known
      src: fix enum/integer mismatches
      doc: list set/map flag keywords in a table
      doc: add nat examples
      netlink: restore typeof interval map data type
      mnl: support bpf id decode in nft list hooks
      src: permit use of constant values in set lookup keys
      tests: shell: add test case for chain-in-use-splat
      cache: include set elements in "nft set list"
      json: dccp: remove erroneous const qualifier
      evaluate: do not abort when prefix map has non-map element
      parser: don't assert on scope underflows
      parser: reject zero-length interface names
      parser: reject zero-length interface names in flowtables
      ct timeout: fix 'list object x' vs. 'list objects in table' confusion
      src: avoid IPPROTO_MAX for array definitions
      tests: json: add missing/expected json output

Jeremy Sowden (9):
      evaluate: insert byte-order conversions for expressions between 9 and 15 bits
      evaluate: don't eval unary arguments
      tests: py: add test-cases for ct and packet mark payload expressions
      tests: shell: rename and move bitwise test-cases
      tests: shell: add test-cases for ct and packet mark payload expressions
      netlink_delinearize: correct type and byte-order of shifts
      json: formatting fixes
      doc: correct NAT statement description
      exthdr: add boolean DCCP option matching

Jose M. Guisado Gomez (1):
      py: replace distutils with setuptools

Pablo Neira Ayuso (45):
      Revert "evaluate: relax type-checking for integer arguments in mark statements"
      parser_bison: simplify reset syntax
      evaluate: support shifts larger than the width of the left operand
      evaluate: relax type-checking for integer arguments in mark statements
      evaluate: set up integer type to shift expression
      evaluate: honor statement length in integer evaluation
      evaluate: honor statement length in bitwise evaluation
      netlink_delinerize: incorrect byteorder in mark statement listing
      tests: py: extend test-cases for mark statements with bitwise expressions
      payload: set byteorder when completing expression
      intervals: use expression location when translating to intervals
      optimize: assert nat type on nat statement helper
      evaluate: bogus missing transport protocol
      netlink_delinearize: do not reset protocol context for nat protocol expression
      optimize: support for redirect and masquerade
      main: Error out when combining -i/--interactive and -f/--file
      mnl: set SO_SNDBUF before SO_SNDBUFFORCE
      mnl: flowtable support for extended netlink error reporting
      src: allow for updating devices on existing netdev chain
      evaluate: bail out if new flowtable does not specify hook and priority
      meta: skip protocol context update for nfproto with same table family
      json: allow to specify comment on table
      json: allow to specify comment on chain
      mnl: handle singleton element in netdevice set
      mnl: incomplete extended error reporting for singleton device in chain
      tests: py: missing json updates on ct and meta mark payload expression
      evaluate: allow stateful statements with anonymous verdict maps
      evaluate: skip optimization if anonymous set uses stateful statement
      optimize: do not remove counter in verdict maps
      datatype: misspell support with symbol table parser for error reporting
      datatype: add hint error handler
      evaluate: set NFT_SET_EVAL flag if dynamic set already exists
      tests: shell: fix spurious errors in terse listing in json
      tests: shell: bogus EBUSY errors in transactions
      src: add json support for last statement
      json: add inner payload support
      tests: shell: coverage for simple port knocking ruleset
      tests: shell: cover refcount leak of mapping rhs
      expression: define .clone for catchall set element
      tests: shell: refcount memleak in map rhs with timeouts
      netlink_linearize: use div_round_up in byteorder length
      evaluate: place byteorder conversion before rshift in payload statement
      tests: shell: cover old scanner bug
      include: missing dccpopt.h breaks make distcheck
      build: Bump version to 1.0.8

Phil Sutter (12):
      Reduce signature of do_list_table()
      Avoid a memleak with 'reset rules' command
      xt: Fix translation error path
      tests: shell: Fix for unstable sets/0043concatenated_ranges_0
      tests: py: Document JSON mode in README
      main: Make 'buf' variable branch-local
      main: Call nft_ctx_free() before exiting
      cli: Make cli_init() return to caller
      tests: shell: Introduce valgrind mode
      evaluate: Merge some cases in cmd_evaluate_list()
      evaluate: Cache looked up set for list commands
      Implement 'reset {set,map,element}' commands

Sriram Yagnaraman (1):
      meta: introduce meta broute support

Thomas Haller (4):
      libnftables: always initialize netlink socket in nft_ctx_new()
      libnftables: drop unused argument nf_sock from nft_netlink()
      libnftables: inline creation of nf_sock in nft_ctx_new()
      libnftables: drop check for nf_sock in nft_ctx_free()


[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux