[ANNOUNCE] nftables 0.4 release

Pablo Neira Ayuso pablo at netfilter.org
Tue Dec 16 01:40:41 CET 2014


The Netfilter project proudly presents:

        nftables 0.4

This release contains many bug fixes and new features that rely on
kernel support up to the recent 3.18 release (and some features that
depend on the not yet released 3.19-rc).

New features

* Add support for global ruleset operations (available since 3.18).
  Get rid of all tables, chains, and rules in one go:

        # nft flush ruleset

  List the ruleset for all existing families:

        # nft list ruleset

  You can save the ruleset and restore it via:

        # echo "flush ruleset" > ruleset.file
        # nft list ruleset >> ruleset.file
        # nft -f ruleset.file

  This mimics iptables-restore, but the single file covers the ruleset
  for all supported families: ip, ip6, inet, bridge and arp.

* Full logging support for all the families, including nfnetlink_log
  support (available since 3.17).

* Automatic selection of the optimal set implementation (available
  since 3.16).

  You can tell the kernel which side of the space-time tradeoff to
  favour when it picks the set representation, e.g. optimize for memory:

        # nft add set filter set1 { type ipv4_addr ; policy memory ; }

  Or optimize performance:

        # nft add set filter set1 { type ipv4_addr ; policy performance ; }

  You can also use this in maps:

        # nft add map filter map1 { type ipv4_addr : verdict ; policy performance ; }

  And indicate the expected size to assist the set selection routine:

        # nft add set filter set1 { type ipv4_addr ; size 1024 ; }

* Complete reject support (available for ip, ip6 and inet since 3.14;
  bridge support and the icmpx abstraction since 3.18).

        # nft add rule filter input reject with icmp type host-unreachable

  and for IPv6:

        # nft add rule ip6 filter input reject with icmpv6 type no-route

  and you can use the icmpx abstraction from the inet table:

        # nft add rule inet filter input reject with icmpx type no-route

  and reject TCP traffic with a TCP reset:

        # nft add rule filter input reject with tcp reset

* Masquerading support (available since 3.18).

        # nft add rule nat postrouting masquerade

* Redirect support (available since upcoming Linux kernel 3.19-rc).

        # nft add rule nat prerouting tcp dport 22 redirect to 2222

* Support for the NAT flags random, fully-random and persistent.

* Consistency checks that detect updates interfering with an in-progress
  ruleset dump (initially available since 3.16, enhanced with ruleset
  generations since 3.18).

* Extend meta to support pkttype, cpu and devgroup matching.

* Automated regression tests through our customized Python test shell.

* Allow disabling libreadline and debug support at configure stage.

* Full conversion to autotools.

Syntax changes

* 'queue' flags are now expressed as a list of comma-separated symbols:

        # nft add rule filter input counter queue num 0-3 fanout,bypass

  for consistency with other flags, which are always expressed this way.

* nft no longer resolves names by default. IP addresses are always
  listed in their numeric representation. A new '-N' option requests
  name resolution.
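As an added example that is not part of the release announcement, the script below assembles a ruleset file that exercises several of the features above (flush ruleset, set policy and size, inet reject with icmpx, masquerade, redirect to a port, the new comma-separated queue flags) and loads it atomically with `nft -f`, as in the save/restore recipe. The interface name eth0, the set name and the port numbers are constructed sample values.

```shell
#!/bin/sh
# Added example, not part of the nftables release: assemble a ruleset file
# from the 0.4 features above and load it atomically with "nft -f".
set -eu
WAN_IF="${WAN_IF:-eth0}"   # constructed sample interface name

# Emit the ruleset text. "flush ruleset" comes first so the load replaces
# whatever is present, exactly like the save/restore recipe above.
build_ruleset() {
    cat <<EOF
flush ruleset
table inet filter {
    set scanners {
        type ipv4_addr
        policy memory
        size 1024
    }
    chain input {
        type filter hook input priority 0;
        ct state established,related accept
        iifname "lo" accept
        ip saddr @scanners counter drop
        tcp dport 22 accept
        tcp dport 80 queue num 0-3 fanout,bypass
        udp dport 53 reject with icmpx type port-unreachable
        log prefix "nft-input-drop: " drop
    }
}
table ip nat {
    chain prerouting {
        type nat hook prerouting priority 0;
        tcp dport 22 redirect to 2222
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "$WAN_IF" masquerade
    }
}
EOF
}

# Write the file and load it; a single bad line makes nft -f fail and
# nothing is applied, which is the point of loading as one batch.
load_ruleset() {
    file="${1:-/tmp/ruleset.nft}"
    build_ruleset > "$file"
    command -v nft >/dev/null 2>&1 || { echo "nft missing, wrote $file" >&2; return 2; }
    nft -f "$file"
}
```

Run `load_ruleset` as root on a kernel with nftables support; without nft installed it only writes the file and returns 2.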

Bug fixes

* Crash with anonymous sets containing many elements.

* Several annoying byteorder issues that resulted in incorrect bytecode
  generation and wrong listings.

* Endianness problems reported from little endian archs.

* Named verdict maps, eg.

        # nft add map filter my_vmap { type ipv4_addr : verdict\; }
        # nft add element filter my_vmap { : drop, : drop}
        # nft add rule filter input ip saddr vmap @my_vmap

* Crash in 'nft describe' with wrong expressions.

* Parsing of ether types.

* Crash when a basetype value is used instead of a symbolic constant, e.g.

        # nft add rule filter input ct state 8 accept

  instead of 'ct state new'.

* Crash on invalid values during basetype parsing, e.g.

     <cmdline>:1:29-31: Error: Could not parse conntrack state
     add rule test test ct state xxx accept

* Broken listing of meta and ct range expressions, e.g.

        nft add rule filter input meta length 33-55 counter

* Don't display a BUG message on too large decimal/hexadecimal values.


The nftables code can be obtained from:

* http://netfilter.org/projects/nftables/downloads.html
* ftp://ftp.netfilter.org/pub/nftables
* git://git.netfilter.org/nftables

To build the code, libnftnl and libmnl are required:

* http://netfilter.org/projects/libnftnl/index.html


Thanks to all our contributors, testers and bug reporters, who have
all helped to get rid of a good bunch of bugs and push new features.

On behalf of the Netfilter Core Team,
Happy bytecode execution :)
Alvaro Neira (15):
      linearize: generate unary expression with the appropriate operation
      payload: generate dependency in the appropriate byteorder
      src: Enhance payload_gen_dependency()
      datatype: Enhance symbolic_constant_parse()
      nft: complete reject support
      evaluate: fix a crash if we specify ether type or meta nfproto in reject
      delinearize: list the icmpx reason with the string associated
      evaluate: reject: fix crash if we specify ether type or meta nfproto
      evaluate: reject: fix crash if we have transport protocol conflict from inet
      test: update and add the reject tests for ip, ip6, bridge and inet.
      evaluate: reject: accept a reject reason with incorrect network context
      evaluate: reject: check in bridge and inet the network context in reject
      evaluate: reject: check the context in reject without reason for bridge and inet tables
      evaluate: reject: enhance the error support throwing message with more details
      evaluate: reject: fix crash on NULL location with bridge and tcp reset

Alvaro Neira Ayuso (1):
      src: add specific byteorder to the struct proto_hdr_template

Ana Rey (15):
      src: Add support for pkttype in meta expression
      src: Add support for cpu in meta expression
      src: meta: Fix the size of cpu attribute
      src: Add devgroup support in meta expression
      tests: Add automated regression testing
      tests: Add ip folder with test files
      tests: Add ip6 folder with test files.
      tests: Add inet folder with test files.
      tests: Add arp folder with test files.
      tests: Add bridge folder with test files.
      tests: Add any folder with test files.
      tests: regression: Delete all reference to wlan0 in test files
      tests: regression: Delete an unnecessary whitespace in an output messages
      meta: Add support for datatype devgroup
      src: Add cgroup support in meta expression

Arturo Borrero (18):
      netlink: monitor: add a helper function to handle sets referenced by a rule
      netlink: monitor: fix how rules with intervals are printed
      doc: update documentation with 'monitor' and 'export'
      src: add `flush ruleset'
      netlink: include file and line in netlink ABI errors
      src: add set optimization options
      rule: rename do_command_list_cleanup() to table_cleanup()
      rule: factorize chain and table listing code
      src: add list ruleset command
      src: add nat persistent and random options
      src: add masquerade support
      tests: add tests for masquerade
      mnl: delete useless parameter nf_sock in batch functions
      src: add redirect support
      nft: don't resolve hostnames by default
      tests/regression: masquerade: fix invalid syntax
      tests/regression: redirect: fix invalid syntax
      parser: allow both nat_flags and port specification in redirect

David Kozub (1):
      build: add missing \ in src/Makefile.am (AM_CPPFLAGS)

Eric Leblond (2):
      scanner: fix reading of really long line
      datatype: fix name of icmp* code

Giorgio Dal Molin (2):
      build: add autotools support for the 'doc' subdir
      build: add autotools support for the 'files' subdir

Kevin Fenzi (1):
      doc: nft: Fix trivial error in man page where flush should be rename

Pablo Neira Ayuso (53):
      proto: initialize result expression in ethertype_parse()
      mnl: immediately return on errors in mnl_nft_ruleset_dump()
      mnl: check for NLM_F_DUMP_INTR when dumping object lists
      mnl: add nft_batch_continue() helper
      mnl: add nft_nlmsg_batch_current() helper
      src: rework batching logic to fix possible use of uninitialized pages
      main: propagate error to shell
      mnl: introduce NFT_NLMSG_MAXSIZE
      mnl: fix crashes when using sets with many elements
      src: add level option to the log statement
      src: don't return error in netlink_linearize_rule()
      include: refresh include/linux/nf_tables.h cached copy
      log: netlink_linearize: don't set level if user didn't specify
      src: fix 'describe' command when passing wrong expressions
      mnl: consistency checks across several netlink dumps
      mnl: use nft_batch_begin and nft_batch_end from libnftnl
      src: interpret the event type from the evaluation step
      netlink: use switch whenever possible in the monitor code
      utils: indicate file and line on memory allocation errors
      include: refresh cached copy of nf_tables.h
      build: use PKG_CHECK_MODULES to check for libmnl and libnftnl
      build: use AC_PROG_YACC and AM_PROG_LEX
      rename parser.y to parser_bison.y
      include: add cli.h
      build: autotools conversion
      netlink: don't bug on unknown events
      src: restore nft --debug
      parser: restore named vmap
      tests: regression: any/queue.t: use new syntax
      tests: regression: don't use -nnn for non-list commands
      tests: regression: fix bogus error due to bash
      tests: regression: test masquerade from nat/postrouting too
      datatype: fix crash when using basetype instead of symbolic constants
      datatype: relax datatype check in integer_type_parse()
      netlink_delinearize: clone on netlink_get_register(), release previous on _set()
      meta: set base field on clones
      tests: regression: fix "Listing is broken" instead of output mismatch
      tests: regression: any/ct: remove wrong output
      scanner: don't bug on too large values
      payload: fix endianness issue in payload_expr_pctx_update()
      src: generate set members using integer_type in the appropriate byteorder
      netlink_delinearize: fix listing of set members in host byteorder using integer_type
      netlink: fix listing of range set elements in host byteorder
      rule: fix segmentation faults on kernels without nftables support
      tests: regression: adapt nat tests to use random-fully
      tests: regression: redirect.t: fix bogus errors
      parser: use 'redirect to PORT' instead of 'redirect :PORT'
      tests: regression: fix wrong number of test files
      tests: regression: simplify run_test_file() in case `-e' is used
      tests: regression: log.t: this works for bridge and arp since 3.17
      build: restore --disable-debug
      datatype: missing byteorder in string_type
      Bump version to v0.4

Patrick McHardy (16):
      netlink: check and handle errors from netlink_delinearize_set()
      evaluate: fix concat expressions as map arguments
      payload: take endianness into account when updating the payload context
      datatype: take endianness into account in symbolic_constant_print()
      proto: fix byteorder of ETH_P_* values
      verdict type: handle verdict flags and encoded additional information
      parser: simplify monitor command parsing
      parser: compact log level grammar
      expr: make range_low()/range_high() usable outside of segtree
      queue: clean up queue statement
      parser: rearrange monitor/export rules
      dtype: remove unnecessary icmp* parse/print functions
      stmt: rename nat "random-fully" option to "fully-random"
      meta: properly align types in meta_template table
      dtype: fix memory leak in concat_type_destroy()
      datatype: print datatype name in datatype_print() BUG message

Steven Barth (2):
      build: allow disabling libreadline-support
      build: remove unnecessary libintl.h check

Yanchuan Nian (2):
      Fix memory leak in nft get operation
      Fix typo in chain hook parsing

Yuxuan Shui (1):
      payload: use proto_unknown for raw protocol header
