[ANNOUNCE] nftables 0.4 release
Pablo Neira Ayuso
pablo at netfilter.org
Tue Dec 16 01:40:41 CET 2014
Hi!
The Netfilter project proudly presents:
nftables 0.4
This release contains a lot of bug fixes and new features, covering
everything up to the recent 3.18 kernel release (and some features
coming up in the yet unreleased 3.19-rc).
New features
============
* Add support for global ruleset operations (available since 3.18).
Get rid of all tables, chains, and rules in one go:
# nft flush ruleset
List the ruleset for all existing families:
# nft list ruleset
You can save the ruleset and restore it via:
# echo "flush ruleset" > ruleset.file
# nft list ruleset >> ruleset.file
# nft -f ruleset.file
This mimics iptables-restore, including the ruleset for all
supported families: ip, ip6, inet, bridge and arp.
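The save/restore sequence above has one pitfall: if `nft list ruleset` fails (a kernel without nf_tables support, for instance), the file ends up holding only `flush ruleset`, and `nft -f` would then wipe the live firewall. The following is an added example (not part of this announcement or the nftables sources) that wraps the same three commands so the file is only replaced after a successful dump; it assumes the nft binary is reachable via `$NFT`.

```shell
#!/bin/sh
# Added example: save and restore an nft ruleset the way the 0.4 release
# notes describe, without the "only flush ruleset survives" failure mode.
# NFT is an assumption: the nft binary, overridable for testing.
NFT=${NFT:-nft}

# save_ruleset FILE
# Writes "flush ruleset" followed by the live ruleset into FILE.
# The dump goes to a temporary file first; FILE is replaced only when the
# dump succeeded, so a failed `nft list ruleset` never produces a file
# whose sole content is the flush.
save_ruleset() {
    file=$1
    tmp="$file.tmp.$$"
    if ! dump=$("$NFT" list ruleset); then
        rm -f "$tmp"
        return 1
    fi
    {
        printf 'flush ruleset\n'
        printf '%s\n' "$dump"
    } > "$tmp" && mv "$tmp" "$file"
}

# restore_ruleset FILE
# nft -f applies the whole file as one batch, so the leading flush and the
# new rules land together or not at all (this is what mimics
# iptables-restore). Feeding the file to nft -f also sidesteps the shell's
# treatment of ';' inside { ... } that bites interactive one-liners.
restore_ruleset() {
    "$NFT" -f "$1"
}
```

A cron job or a shutdown hook that calls `save_ruleset /etc/nftables.conf` therefore keeps the last good snapshot instead of an empty one when the dump fails.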
* Full logging support for all the families, including nfnetlink_log
support (available since 3.17).
* Automatic selection of the optimal set implementation (available
since 3.16).
You can tell the kernel to optimize your set representation base
according to the space-time tradeoff, eg. optimize memory:
# nft add set filter set1 { type ipv4_addr ; policy memory ; }
Or optimize performance:
# nft add set filter set1 { type ipv4_addr ; policy performance ; }
You can also use this in maps:
# nft add map filter map1 { type ipv4_addr : verdict ; policy performance ; }
And indicate the expected size to assist the set selection routine:
# nft add set filter set1 { type ipv4_addr ; size 1024 ; }
* Complete reject support (available for ip, ip6 and inet since 3.14;
bridge support and the icmpx abstraction since 3.18).
# nft add rule filter input reject with icmp type host-unreachable
and for IPv6:
# nft add rule ip6 filter input reject with icmpv6 type no-route
You can use the icmpx abstraction from the inet table:
# nft add rule inet filter input reject with icmpx type no-route
and reject TCP traffic with reset packets:
# nft add rule filter input reject with tcp reset
* Masquerading support (available since 3.18).
# nft add rule nat postrouting masquerade
* Redirect support (available since upcoming Linux kernel 3.19-rc).
# nft add rule nat prerouting tcp dport 22 redirect to 2222
* Support for NAT flags: random, fully-random, persistent.
* Consistency checks for interferences between updates and ruleset dumps
(initially available since 3.16, enhanced with ruleset generations
since 3.18).
* Extend meta to support pkttype, cpu and devgroup matching.
* Automatic regression tests through our customized python shell
script.
* Allow disabling libreadline and debug support at configure stage.
* Full conversion to autotools.
Syntax changes
==============
* 'queue' flags are now expressed as a list of comma-separated symbols:
# nft add filter input counter queue num 0-3 fanout,bypass
for consistency with other flags, which are always expressed like this.
* nft doesn't resolve names by default anymore. IP addresses are
always expressed in numeric representation. A new '-N' option
allows you to request name resolution.
Bug fixes
=========
* Crash with anonymous sets with lots of elements.
* Several annoying byteorder issues that resulted in incorrect bytecode
generation and wrong listings.
* Endianness problems reported from little endian archs.
* Named verdict maps, eg.
# nft add map filter my_vmap { type ipv4_addr : verdict\; }
# nft add element filter my_vmap { 1.1.1.1 : drop, 2.2.2.2 : drop}
# nft add rule filter input ip saddr vmap @my_vmap
* Crash in 'nft describe' with wrong expressions.
* Parsing of ether types.
* Crash on usage of basetypes, eg.
# nft add rule filter input ct state 8 accept
instead of 'ct state new'.
* Crash on wrong values when performing basetype parsing, eg.
<cmdline>:1:29-31: Error: Could not parse conntrack state
add rule test test ct state xxx accept
^^^
* Broken listing of meta and ct range expressions, eg.
# nft add rule filter input meta length 33-55 counter
* Don't display a BUG message on too large decimal/hexadecimal values.
Resources
=========
The nftables code can be obtained from:
* http://netfilter.org/projects/nftables/downloads.html
* ftp://ftp.netfilter.org/pub/nftables
* git://git.netfilter.org/nftables
To build the code, libnftnl and libmnl are required:
* http://netfilter.org/projects/libnftnl/index.html
Thanks
======
Thanks to all our contributors, testers and bug reporters, who have
all helped to get rid of a good bunch of bugs and push new features.
On behalf of the Netfilter Core Team,
Happy bytecode execution :)
Alvaro Neira (15):
linealize: generate unary expression with the appropriate operation
payload: generate dependency in the appropriate byteorder
src: Enhance payload_gen_dependency()
datatype: Enhance symbolic_constant_parse()
nft: complete reject support
evaluate: fix a crash if we specify ether type or meta nfproto in reject
delinearize: list the icmpx reason with the string associated
evaluate: reject: fix crash if we specify ether type or meta nfproto
evaluate: reject: fix crash if we have transport protocol conflict from inet
test: update and add the reject tests for ip, ip6, bridge and inet.
evaluate: reject: accept a reject reason with incorrect network context
evaluate: reject: check in bridge and inet the network context in reject
evaluate: reject: check the context in reject without reason for bridge and inet tables
evaluate: reject: enhance the error support throwing message with more details
evaluate: reject: fix crash on NULL location with bridge and tcp reset
Alvaro Neira Ayuso (1):
src: add specific byteorder to the struct proto_hdr_template
Ana Rey (15):
src: Add support for pkttype in meta expression
src: Add support for cpu in meta expression
src: meta: Fix the size of cpu attribute
src: Add devgroup support in meta expression
tests: Add automated regression testing
tests: Add ip folder with test files
tests: Add ip6 folder with test files.
tests: Add inet folder with test files.
tests: Add arp folder with test files.
tests: Add bridge folder with test files.
tests: Add any folder with test files.
tests: regression: Delete all reference to wlan0 in test files
tests: regression: Delete an unnecessary whitespace in an output messages
meta: Add support for datatype devgroup
src: Add cgroup support in meta expression
Arturo Borrero (18):
netlink: monitor: add a helper function to handle sets referenced by a rule
netlink: monitor: fix how rules with intervals are printed
doc: update documentation with 'monitor' and 'export'
src: add `flush ruleset'
netlink: include file and line in netlink ABI errors
src: add set optimization options
rule: rename do_command_list_cleanup() to table_cleanup()
rule: factorize chain and table listing code
src: add list ruleset command
src: add nat persistent and random options
src: add masquerade support
tests: add tests for masquerade
mnl: delete useless parameter nf_sock in batch functions
src: add redirect support
nft: don't resolve hostnames by default
tests/regression: masquerade: fix invalid syntax
tests/regression: redirect: fix invalid syntax
parser: allow both nat_flags and port specification in redirect
David Kozub (1):
build: add missing \ in src/Makefile.am (AM_CPPFLAGS)
Eric Leblond (2):
scanner: fix reading of really long line
datatype: fix name of icmp* code
Giorgio Dal Molin (2):
build: add autotools support for the 'doc' subdir
build: add autotools support for the 'files' subdir
Kevin Fenzi (1):
doc: nft: Fix trivial error in man page where flush should be rename
Pablo Neira Ayuso (53):
proto: initialize result expression in ethertype_parse()
mnl: immediately return on errors in mnl_nft_ruleset_dump()
mnl: check for NLM_F_DUMP_INTR when dumping object lists
mnl: add nft_batch_continue() helper
mnl: add nft_nlmsg_batch_current() helper
src: rework batching logic to fix possible use of uninitialized pages
main: propagate error to shell
mnl: introduce NFT_NLMSG_MAXSIZE
mnl: fix crashes when using sets with many elements
src: add level option to the log statement
src: don't return error in netlink_linearize_rule()
include: refresh include/linux/nf_tables.h cached copy
log: netlink_linearize: don't set level if user didn't specify
src: fix 'describe' command when passing wrong expressions
mnl: consistency checks across several netlink dumps
mnl: use nft_batch_begin and nft_batch_end from libnftnl
src: interpret the event type from the evaluation step
netlink: use switch whenever possible in the monitor code
utils: indicate file and line on memory allocation errors
include: refresh cached copy of nf_tables.h
build: use PKG_CHECK_MODULES to check for libmnl and libnftnl
build: use AC_PROG_YACC and AM_PROG_LEX
rename parser.y to parser_bison.y
include: add cli.h
build: autotools conversion
netlink: don't bug on unknown events
src: restore nft --debug
parser: restore named vmap
tests: regression: any/queue.t: use new syntax
tests: regression: don't use -nnn for non-list commands
tests: regression: fix bogus error due to bash
tests: regression: test masquerade from nat/postrouting too
datatype: fix crash when using basetype instead of symbolic constants
datatype: relax datatype check in integer_type_parse()
netlink_delinearize: clone on netlink_get_register(), release previous on _set()
meta: set base field on clones
tests: regression: fix "Listing is broken" instead of output mismatch
tests: regression: any/ct: remove wrong output
scanner: don't bug on too large values
payload: fix endianness issue in payload_expr_pctx_update()
src: generate set members using integer_type in the appropriate byteorder
netlink_delinearize: fix listing of set members in host byteorder using integer_type
netlink: fix listing of range set elements in host byteorder
rule: fix segmentation faults on kernels without nftables support
tests: regression: adapt nat tests to use random-fully
tests: regression: redirect.t: fix bogus errors
parser: use 'redirect to PORT' instead of 'redirect :PORT'
tests: regression: fix wrong number of test files
tests: regression: simplify run_test_file() in case `-e' is used
tests: regression: log.t: this works for bridge and arp since 3.17
build: restore --disable-debug
datatype: missing byteorder in string_type
Bump version to v0.4
Patrick McHardy (16):
netlink: check and handle errors from netlink_delinearize_set()
evaluate: fix concat expressions as map arguments
payload: take endianness into account when updating the payload context
datatype: take endianness into account in symbolic_constant_print()
proto: fix byteorder of ETH_P_* values
verdict type: handle verdict flags and encoded additional information
parser: simplify monitor command parsing
parser: compact log level grammar
expr: make range_low()/range_high() usable outside of segtree
queue: clean up queue statement
parser: rearrange monitor/export rules
dtype: remove unnecessary icmp* parse/print functions
stmt: rename nat "random-fully" option to "fully-random"
meta: properly align types in meta_template table
dtype: fix memory leak in concat_type_destroy()
datatype: print datatype name in datatype_print() BUG message
Steven Barth (2):
build: allow disabling libreadline-support
build: remove unnecessary libintl.h check
Yanchuan Nian (2):
Fix memory leak in nft get operation
Fix typo in chain hook parsing
Yuxuan Shui (1):
payload: use proto_unknown for raw protocol header