[ANNOUNCE]: Release of nftables 0.2

Patrick McHardy kaber at trash.net
Mon Apr 14 14:05:03 CEST 2014


The netfilter project presents:

	nftables 0.2

This release contains a rather large number of bug fixes, syntax cleanups,
new features, support for all new features contained in the recent 3.14
kernel release as well as *drumroll* documentation.


Syntax changes
==============

* More consistency in data type names

  Data type names are used in set declarations. All address related types
  now follow the naming scheme *_addr, all protocol related types *_proto
  and the network interface related type iface_*. The arphrd type has been
  renamed to iface_type.

* Unqualified meta expressions

  A number of keys of the meta expressions can be used without the meta
  keyword for simplicity. These are mark, iif, iifname, iiftype, oif,
  oifname, oiftype, skuid, skgid, nftrace and rtclassid. The meta keyword
  may still be used if desired.

  - nft filter output meta skuid root accept

  becomes

  - nft filter output skuid root accept


New features
============

The more prominent new features include:

* Support for hybrid IPv4/IPv6 tables

  nftables now supports the "inet" family, which can be used to create
  hybrid tables that contain rules for both IPv4 and IPv6. This should
  greatly help reduce maintenance overhead for dual stack setups.

  To create a standard filter table, use the supplied table template:

  nft -f /etc/nftables/inet-filter

  Rules in the inet family can apply to either just IPv4, just IPv6 or
  both types of packets:

  nft inet filter input ip saddr 192.168.0.0/24 jump from_lan
  nft inet filter input ip6 saddr 2001::/64 jump from_lan
  nft inet filter input tcp dport ssh accept
  nft inet filter input iif lo accept

* Support to set meta keys

  Corresponding to the iptables MARK, CLASSIFY and TRACE targets, nftables
  now supports changing meta data associated with a packet.

  - nft filter input mark set 0x1

    will set the packet mark to 0x1.

  - nft filter input mark set mark | 0x1

    will OR the current value with 0x1.

  Using maps, you can do neat things like setting the mark dependent on
  the source address in a single rule:

  nft filter input mark set ip saddr map {
	192.168.0.0/24 : 0x1,
	192.168.1.0-192.168.1.64 : 0x2,
	192.168.2.1 : 0x3,
	* : 0x4
  }

  Or set it based on the network number using bitwise operations:

  nft filter input ip saddr 192.168.0.0/16 mark set ip saddr & 0xff00

  The packet classification can be changed in a similar fashion using
  "meta priority set ...", and tracing can be enabled using "nftrace set 1".

* Support to set conntrack keys

  Similar to the meta keys feature, it is now possible to change data
  associated with connection tracking entries. At this time only the
  conntrack mark is supported.

  - nft filter input ct mark set mark

    will set the conntrack mark to the packet mark.

  - nft filter output mark set ct mark

    will set the packet mark to the conntrack mark.

  - nft filter output ct mark set 0x1

    will set the conntrack mark to the value 0x1.

* connlabel support

  Support for connection tracking labels (connlabels) has been added.
  connlabel.conf is parsed and the values can be used as symbolic
  constants in combination with the "ct label" expression.

  - nft filter input ct label clients,servers accept

    will accept packets of connections labeled with either clients or servers.

* Queue load balancing

  The queue statement now supports load balancing, CPU fanout, queue bypass
  etc.

  - nft filter output queue num 3 total 2 options fanout

    will queue packets to queue numbers 3 and 4 using CPU fanout.

* XML/JSON ruleset export

  Using "nft export <xml|json>", the ruleset can be exported in either format.
  A corresponding import facility will follow soon.

* Human readable comments in the ruleset

  nftables supports storing comments together with a rule in the ruleset
  that are displayed when listing the ruleset. The syntax is

  - nft filter input tcp dport ssh accept comment "SSH access"

  Please note that the syntax may change before the next release.
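  As an added example (not part of this announcement and not one of the
  nftables project's own files), the script below writes out a small inet
  family ruleset that combines several of the features described above: the
  inet family, unqualified meta keys (iif, skuid), a mark map, saving and
  restoring the mark through conntrack, and rule comments. The file syntax
  assumed is "table ... { chain ... { type filter hook input priority 0; ... } }";
  the chain name from_lan, the addresses, the services and the mark values
  are assumptions chosen for illustration. The "ct label" rule is left out
  because it needs a matching connlabel.conf.

```shell
#!/bin/sh
# Added example: an inet-family ruleset exercising nftables 0.2 features.
# Not from the announcement; the chain name "from_lan", the addresses,
# services and mark values are constructed for illustration.

# Print the ruleset text. Lines starting with "#" inside the file are
# explanatory; the "comment" keyword at the end of a rule is stored with
# the rule and shown when the ruleset is listed.
inet_ruleset() {
    cat <<'EOF'
table inet filter {
    chain from_lan {
        # Services the LAN may reach on this host.
        tcp dport { ssh, http } accept comment "LAN services"
        drop
    }

    chain input {
        type filter hook input priority 0;
        # "iif" is an unqualified meta key; "meta iif lo" also works.
        iif lo accept
        # Restore the packet mark saved in the conntrack entry.
        mark set ct mark
        ct state established,related accept comment "existing connections"
        # Rules keyed on ip or ip6 apply only to that protocol family.
        ip saddr 192.168.0.0/24 jump from_lan
        ip6 saddr 2001::/64 jump from_lan
        tcp dport ssh accept comment "SSH access"
        drop
    }

    chain output {
        type filter hook output priority 0;
        # Classify locally generated IPv4 traffic by source address in one
        # rule, then save the mark into the conntrack entry so replies get it.
        mark set ip saddr map {
            192.168.0.0/24 : 0x1,
            192.168.1.0-192.168.1.64 : 0x2,
            * : 0x4
        }
        ct mark set mark
        # "skuid" is another unqualified meta key.
        skuid root counter accept comment "root traffic"
        accept
    }
}
EOF
}

# Write the ruleset to the path given as $1. Load it afterwards, as root,
# with "nft -f PATH", the command shown in the announcement.
write_ruleset() {
    inet_ruleset > "$1"
}

# Count the rules carrying a human-readable comment, so the reader can see
# which rules the "comment" keyword annotated.
count_comments() {
    inet_ruleset | grep -c ' comment "'
}
```

  Note that the input chain ends in an unconditional drop, so once loaded the
  host only accepts loopback traffic, established connections, SSH, and what
  the from_lan chain allows for the two LAN prefixes.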

* Full file parsing

  nftables now recovers from errors during ruleset parsing and continues
  up to a threshold of 10 errors before aborting. This makes it quicker to
  validate and fix up an erroneous ruleset.

* "create" command

  The create command can be used to create tables and chains, but unlike
  the add command it doesn't return an error if the object already exists.

* Misc

  A large number of smaller improvements have been made to error
  reporting, ruleset listing and other parts.


Bug fixes
=========

* Big endian support

  A number of problems on big endian architectures have been fixed. A
  single bugfix for the kernel is still in the queue, once it has hit
  -stable this release should be fully functional on big endian.

* Flag comparison for single flag values

  When no operation is explicitly specified in a relational expression,
  nftables determines the operation based on the data type of the
  right hand side expression. For bitmask types, the operation is a flag
  comparison, i.e.

  tcp flags syn,ack

  tests if either SYN or ACK is set. In the case that the right hand side
  consisted of only a single value, nftables so far incorrectly generated
  an equality expression, IOW "tcp flags syn" would match on SYN and only
  SYN. Now the expected thing is done and all packets that have the SYN
  flag set will match.
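  As an added example (not part of the announcement), the shell functions
  below model the two semantics side by side with arithmetic on the TCP
  flag bits: the flag comparison that "tcp flags X" now compiles to, and
  the equality test that a single-flag rule wrongly compiled to before. The
  packets and the helper names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the announcement: flag comparison versus
# equality for a relational expression on a bitmask type, modelled with
# shell arithmetic over the TCP flag bits. The packets are constructed.

FIN=1 SYN=2 RST=4 PSH=8 ACK=16 URG=32

# Turn a comma separated flag list such as "syn,ack" into a bit mask.
flags_mask() {
    mask=0
    _ifs=$IFS; IFS=,
    for name in $1; do
        case $name in
            fin) mask=$(( mask | FIN )) ;;
            syn) mask=$(( mask | SYN )) ;;
            rst) mask=$(( mask | RST )) ;;
            psh) mask=$(( mask | PSH )) ;;
            ack) mask=$(( mask | ACK )) ;;
            urg) mask=$(( mask | URG )) ;;
            *) IFS=$_ifs; echo "unknown flag: $name" >&2; return 1 ;;
        esac
    done
    IFS=$_ifs
    echo "$mask"
}

# Flag comparison (what "tcp flags X" now compiles to, whether X lists one
# flag or several): true if any flag listed in the rule is set on the packet.
matches_flagcmp() {   # $1 = packet flags, $2 = rule flag list
    [ $(( $1 & $(flags_mask "$2") )) -ne 0 ]
}

# Equality (what a single-flag rule wrongly compiled to before this fix):
# true only if the packet carries exactly the listed flags and nothing else.
matches_eq() {        # $1 = packet flags, $2 = rule flag list
    [ "$1" -eq "$(flags_mask "$2")" ]
}

# Report the outcome under both semantics for one packet.
describe() {          # $1 = packet flags, $2 = rule flag list
    if matches_flagcmp "$1" "$2"; then new=match; else new=nomatch; fi
    if matches_eq "$1" "$2"; then old=match; else old=nomatch; fi
    echo "flagcmp=$new eq=$old"
}

# Constructed packets: a SYN, a SYN/ACK, a bare ACK and a FIN/ACK.
for pkt in $SYN $(( SYN | ACK )) $ACK $(( FIN | ACK )); do
    echo "packet flags $pkt, rule 'tcp flags syn':     $(describe "$pkt" syn)"
    echo "packet flags $pkt, rule 'tcp flags syn,ack': $(describe "$pkt" syn,ack)"
done
```

  The SYN/ACK packet is the case that changes: it did not match "tcp flags
  syn" under the old equality behaviour and does now. A ruleset that relied
  on the old behaviour to single out pure SYN packets needs to state the
  operation explicitly rather than leave it implicit.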

* Operator precedence in ruleset listing

  When using bitwise expressions, the ruleset listing will now print
  expressions in parentheses when required by operator precedence.

* Symbolic variable existence and redefinitions

  nftables will check for existence of a symbolic variable at time of use
  instead of during evaluation. Redefinitions of existing variables now
  trigger an error.

* Map interval conflicts

  When maps contain overlapping ranges (ranges or prefix expressions), the
  ranges are prioritized based on their size. A smaller (more specific)
  range takes precedence over larger (less specific) ones. When the ranges
  have an identical size, no precedence can be determined and an error is
  returned if the associated data/verdict differs.
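  As an added example (not part of the announcement), the script below
  models this precedence rule for an IPv4 map with shell arithmetic: each
  element is an inclusive address interval with its data, the smallest
  interval containing a looked-up address wins, and two intervals of
  identical size that both contain the address with different data leave no
  winner. nftables applies the rule when the map is loaded and rejects such
  conflicting maps; the lookup function here reports "conflict" for the
  addresses that would trip that check. The map, the addresses and the
  helper names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the announcement: precedence between
# overlapping map intervals, modelled for IPv4 with shell arithmetic.
# The map and the addresses looked up are constructed.

# Dotted quad to 32-bit integer.
ip2int() {
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Map elements as "first last data", one per line, inclusive bounds. This
# is the same shape as the mark map shown earlier, with "*" written out as
# the full address range:
#   192.168.0.0/24             : 0x1
#   192.168.0.0-192.168.0.127  : 0x2
#   192.168.0.64-192.168.0.191 : 0x5   (same size as the 0x2 interval)
#   192.168.0.96/27            : 0x3
#   *                          : 0x4
MAP="192.168.0.0 192.168.0.255 0x1
192.168.0.0 192.168.0.127 0x2
192.168.0.64 192.168.0.191 0x5
192.168.0.96 192.168.0.127 0x3
0.0.0.0 255.255.255.255 0x4"

# Resolve one address: the smallest interval containing it wins. Two
# intervals of identical size that both contain it and carry different
# data give no winner, which is the case nftables reports as an error.
lookup() {
    addr=$(ip2int "$1")
    best_size=0; best_data=nomatch; conflict=0
    while read -r first last data; do
        [ -n "$first" ] || continue
        f=$(ip2int "$first"); l=$(ip2int "$last")
        [ "$addr" -ge "$f" ] && [ "$addr" -le "$l" ] || continue
        size=$(( l - f + 1 ))
        if [ "$best_size" -eq 0 ] || [ "$size" -lt "$best_size" ]; then
            # More specific interval: it takes precedence over anything seen.
            best_size=$size; best_data=$data; conflict=0
        elif [ "$size" -eq "$best_size" ] && [ "$data" != "$best_data" ]; then
            # Same size, different data: no precedence can be determined.
            conflict=1
        fi
    done <<EOF
$MAP
EOF
    if [ "$conflict" -eq 1 ]; then echo conflict; else echo "$best_data"; fi
}

for a in 192.168.0.200 192.168.0.10 192.168.0.150 192.168.0.100 192.168.0.70 10.0.0.1; do
    echo "$a -> $(lookup "$a")"
done
```

  The catch-all "*" element never conflicts with anything because it is the
  largest possible interval; 192.168.0.70 is the address that exposes the
  conflict between the two 128-address intervals, while 192.168.0.100 is
  rescued by the more specific /27 that covers it.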
 
* Misc

  A number of crashes, failed assertions, incorrect definitions and more
  have been fixed.


Documentation
=============

Some reference documentation (man-page / PDF) has been added. Unfortunately
I did not manage to complete it so far, but work is ongoing and shouldn't
take very long anymore. The incomplete sections are mainly a number of
statement types, set and map declarations and higher order expressions.


Name
====

As Keith Alexander is no longer the director of the NSA and we don't know
specifics about the mischief committed by his successor Michael S. Rogers
yet, this release is simply called "Support Edward Snowden", which is a
timeless worthy cause. 

If you're in Germany, you can order some stickers to show your support for
asylum for Snowden at https://shop.digitalcourage.de/snowden.html for free.

$ nft -v
nftables v0.2 (Support Edward Snowden)


Resources
=========

The nftables code can be obtained from:

* http://netfilter.org/projects/nftables/downloads.html
* ftp://ftp.netfilter.org/pub/nftables
* git://git.netfilter.org/nftables

To build the code, libnftnl and libmnl are required:

* http://netfilter.org/projects/libnftnl/index.html
* http://netfilter.org/projects/libmnl/index.html

The iptables compatibility layer is available at:

* git://git.netfilter.org/iptables-nftables


The website updates are still in progress, but will be completed soon.


Outlook
=======

The pace of development is still increasing and lots of interesting things
are in the pipeline. Features currently worked on and most likely included
in the next version include:

* netlink event monitor - monitor ruleset events, set changes etc.

* support for concatenations - multidimensional exact matches in O(1)

* new transaction infrastructure - fully atomic updates for all object types

* set selection - automatic selection of the optimal set implementation

* JSON/XML import - the counterpart to the new ruleset export facility


Thanks
======

Thanks to all our contributors, testers and bug reporters, who have all
helped to improve nftables.


On behalf of the Netfilter Core Team,
Happy bytecode execution :)

Ana Rey (4):
      src: proto: fixed a rreply symbol
      src: proto: fixed a rreply symbol
      nftables: Fix list of sets by family
      rule: fix crash in set listing

Arturo Borrero (4):
      netlink: delete unused variable
      netlink: fix chain attribute parsing
      src: fix expr_binary_error()-related compilation warnings
      ct: add support for setting ct mark

Arturo Borrero Gonzalez (2):
      ruleset: add XML/JSON export
      expression: fix constant expression allocation on big endian

Eric Leblond (1):
      src: add support for queue

Florian Westphal (6):
      netlink_delinearize: meta: fix wrong type in attributes
      ct: direction should be integer, not bitmask
      ct: connlabel matching support
      datatype: don't leak file ptr on error
      expr: do not suppress OP_EQ when RHS is bitmask type
      build: drop AC_FUNC_MALLOC/REALLOC

Pablo Neira Ayuso (7):
      netlink: add support to set meta keys
      build: use libnftnl instead of libnftables in configure.in
      bump release number to 0.100
      mnl: fix inclusion of last rule in batch page
      Merge branch 'master' into next-3.14
      meta: remove line break when printing priority
      src: add support for rule human-readable comments

Patrick McHardy (67):
      expr: replace PAYLOAD_PROTOCOL_EXPR by generic flag
      nftables: generic procotol contexts
      expr: add protocol context update callback
      proto: add helper function to update protocol context
      proto: add debugging for protocol context updates
      ct expr: protocol context updates and dynamic typing
      include: resync nftables.h with kernel
      nftables: add support for the "inet" family
      netlink_delinearize: remove implied meta expressions
      proto: add support for meta templates
      meta: add nfproto support
      meta: add l4proto support
      Merge remote-tracking branch 'origin/master' into next-3.14
      netlink_delinearize: fix compiler warning
      Merge remote-tracking branch 'origin/master' into next-3.14
      Merge remote-tracking branch 'origin/master' into next-3.14
      Merge remote-tracking branch 'origin/master' into next-3.14
      expr: remove secmark from ct and meta expression
      meta: don't require "meta" keyword for a subset of meta expressions
      Merge branch 'master' into next-3.14
      Merge branch 'master' into next-3.14
      Merge remote-tracking branch 'origin/master' into next-3.14
      Merge remote-tracking branch 'origin/master' into next-3.14
      parser: use symbolic expressions for parsing keywords as protocol values
      Merge remote-tracking branch 'origin/master' into next-3.14
      Merge remote-tracking branch 'origin/master' into next-3.14
      cmd: add create command for tables and chains
      set: add abstract set descriptions
      Revert "set: add abstract set descriptions"
      evaluate: determine implicit relational op before RHS constant checks
      scanner: don't update location's line_offset for newlines
      scanner: update last_line in struct location
      erec: skip includes with INDESC_INTERNAL
      parser: close scope when encountering an error in a table or chain block
      parser: recover from errors in any block
      parser: evaluate commands immediately after parsing
      tests: add two tests for error reporting
      parser: prohibit redefinitions of symbols and verify existance on use
      files: add inet filter table definition
      cmd: initialize cmd list and use list_splice_tail() for adding to command list
      netlink: add netlink specific location
      eval: use list_splice_tail() properly
      netlink_linearize: fix flagcmp op
      Merge branch 'next-3.14' of git.netfilter.org:nftables into next-3.14
      evaluate: use flagcmp for single RHS bitmask expression
      binop: take care of operator precedence when printing binop arguments
      netlink_delinarize: convert *all* bitmask values into individual bit values
      netlink: fix prefix expression handling
      expr: make expr_binary_error() usable outside of evaluation
      expr: add comparison function for singleton expressions
      set: abort on interval conflicts
      netlink: use set location for IO errors
      parser: add grammatical distinction for verdict maps
      set: properly account set size when merging recursive set definitions
      segtree: sort set elements before decomposition
      utils: fix -Wcast-align warnings on sparc
      parser: fix ether keyword clash
      Merge branch 'master' of git.netfilter.org:nftables
      gmputil: use MSF/LSF in import/export functions dependant on host byte order
      netlink: fix length value of concat data
      build: fix documentation build
      doc: documentation update
      datatypes: rename some types for more consistency
      doc: fix programlisting indentation
      doc: change documentation license to CC BY-SA 4.0
      doc: fix make install problems
      Bump version to v0.2
