[ANNOUNCE] nftables 0.5 release

Pablo Neira Ayuso pablo at netfilter.org
Thu Sep 17 21:42:00 CEST 2015


The Netfilter project proudly presents:

	nftables 0.5

This release contains bug fixes and new features, covering kernel support up
to the 4.2 kernel release.

New features

* Concatenations: You can combine two or more selectors to build a
  tuple, then use that tuple to look up a match in sets, eg.

  % nft add rule ip filter input ip saddr . tcp dport { \
       . 22 , \
       . 80 \
    } counter accept

  So nft checks whether the source IP address AND the TCP destination port
  match one of the elements of the literal set above; if so, it updates
  the rule counter and accepts the packet.

  You can also combine concatenations with verdict maps:

  % nft add rule ip filter input ether saddr . ip saddr . meta iif vmap { \
                3c:71:0e:39:bb:20 . . "wlan0" : accept, \
                3c:77:e0:39:aa:21 . . "wlan0" : drop }

  You can also declare a named map whose key is a concatenation, so that
  its content can be updated dynamically:

  % nft add map filter accesslist { \
        type ether_addr . ipv4_addr . iface_index : verdict \; }
  % nft add rule filter input ether saddr . ip saddr . meta iif vmap @accesslist

  Then, add elements to the map:

  % nft add element filter accesslist { \
        3c:71:0e:39:bb:20 . . wlan0 : accept }

  On a different front, you can also combine concatenations with maps:

  % nft add rule ip nat prerouting dnat ip saddr . tcp dport map { \
       . 80 :, \
       . 22 : }

  In the example above, the destination address used by DNAT depends on
  the source IP address and the destination port of the packet.

  You need a Linux kernel >= 4.1, and of course nftables 0.5, to use this
  concatenation feature.

* Add timeout support for sets: You can specify a lifetime for the elements
  of a set in its declaration, eg.

  % nft add set filter whitelist { type ipv4_addr\; timeout 1h\; }
  % nft add element filter whitelist { }
  % nft list ruleset
  table ip filter {
        set whitelist {
                type ipv4_addr
                timeout 1h
                elements = { expires 59m56s }
        }
  }

  You can also create the set with the timeout flag but no default timeout:

  % nft add set filter whitelist { type ipv4_addr\; flags timeout\; }

  Then you indicate the timeout per element when adding it:

  % nft add element filter whitelist { timeout 1h }

  You can still mix these with elements that reside in the set permanently:

  % nft add element filter whitelist { }

* Add comments per set element, eg.

  % nft add element filter whitelist { comment \"some host\" }

* Support for mini-gmp: If you're running nft on embedded devices,
  you may want to skip the libgmp dependency via:

  % ./configure --with-mini-gmp

  This compiles nft against the minimal gmp implementation that ships in
  the nftables tarball. Note that your nft binary then avoids the libgmp
  dependency at the cost of being slightly larger.

* Dormant tables: You can disable the entire ruleset contained in a
  table by setting the dormant flag:

  % nft add table filter { flags dormant\; }

  You can re-enable it by typing:

  % nft add table filter

* Allow to specify default chain policy: You can specify the default chain
  policy when you create the chain:

  % nft add chain filter input { \
        type filter hook input priority 0\; policy drop\; }

  You can also change it for an existing chain anytime by updating it via:

  % nft add chain filter input { policy accept\; }
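  Putting the new features together, as an added example that is not part
  of this announcement or of the nftables sources: a command-per-line
  ruleset file that uses a drop policy on the input chain, a whitelist with
  per-element timeouts and a concatenated verdict map, plus a small shell
  wrapper that loads it atomically with `nft -f` and arms a rollback timer.
  Paths, addresses (RFC 5737), MAC addresses (locally administered) and
  interface names are constructed placeholders; the concatenation needs a
  kernel >= 4.1; and the rollback assumes that `nft list ruleset` output,
  prefixed with `flush ruleset`, loads back through `nft -f`, which is an
  assumption not verified against 0.5.

```shell
#!/bin/sh
# Added example, not part of the announcement or of nftables itself:
# a command-per-line ruleset exercising the 0.5 features above, written
# to a file and loaded atomically with `nft -f`.  Concatenations need a
# kernel >= 4.1.  Paths, addresses (RFC 5737), MAC addresses (locally
# administered) and interface names are constructed placeholders.
set -eu

RULESET_FILE="${RULESET_FILE:-/tmp/filter-0.5.nft}"       # assumed path
ROLLBACK_PID="${ROLLBACK_PID:-/tmp/ruleset-rollback.pid}" # assumed path

# write_ruleset FILE: emit the ruleset to FILE ('#' lines are comments,
# statements inside braces end with ';', no shell escaping needed).
write_ruleset() {
    cat > "$1" <<'EOF'
flush ruleset
add table filter

# Base chain with a default drop policy (new in 0.5).  Because everything
# not accepted below is dropped, loopback and reply traffic come first.
add chain filter input { type filter hook input priority 0; policy drop; }
add rule filter input iif lo accept
add rule filter input ct state established,related counter accept

# Whitelist whose elements carry their own lifetime (flags timeout):
# the first host expires after 1h unless re-added, the second is permanent.
add set filter whitelist { type ipv4_addr; flags timeout; }
add element filter whitelist { 192.0.2.10 timeout 1h }
add element filter whitelist { 192.0.2.11 comment "constructed: permanent monitor" }
add rule filter input ip saddr @whitelist counter accept

# Verdict map keyed by the tuple MAC . source IP . input interface: all
# three must match, so a spoofed source IP from another MAC or interface
# does not hit the accept entry.
add map filter accesslist { type ether_addr . ipv4_addr . iface_index : verdict; }
add element filter accesslist { 02:00:00:00:00:01 . 192.0.2.20 . eth0 : accept }
add element filter accesslist { 02:00:00:00:00:02 . 192.0.2.21 . eth0 : drop }
add rule filter input ether saddr . ip saddr . meta iif vmap @accesslist

add rule filter input tcp dport { 22, 80 } counter accept
EOF
}

# apply_ruleset FILE: snapshot the live ruleset, load FILE in one
# transaction, and arm a timer that restores the snapshot.  With a drop
# policy on input, a wrong whitelist locks a remote admin out; calling
# rollback_cancel from a session that still works confirms the load.
# Assumption: `nft list ruleset` output prefixed with `flush ruleset`
# loads back through `nft -f` (not verified against 0.5).
apply_ruleset() {
    backup="/tmp/ruleset-backup.$$.nft"                     # assumed path
    { echo "flush ruleset"; nft list ruleset; } > "$backup"
    nft -f "$1"
    ( sleep "${ROLLBACK_SECS:-120}" && nft -f "$backup" ) &
    echo $! > "$ROLLBACK_PID"
}

# rollback_cancel: disarm the timer once the new ruleset is confirmed.
rollback_cancel() {
    kill "$(cat "$ROLLBACK_PID")" && rm -f "$ROLLBACK_PID"
}

write_ruleset "$RULESET_FILE"
# Loading needs root and a kernel with nf_tables; opt in explicitly.
if [ "${NFT_APPLY:-0}" = 1 ]; then
    apply_ruleset "$RULESET_FILE"
fi
```

  Run it as `NFT_APPLY=1 sh ruleset.sh` from an interactive session, then
  `rollback_cancel` (after sourcing the script) once you have confirmed
  the session still works; if the whitelist was wrong, the timer restores
  the previous ruleset without any further access to the box.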

Bug fixes

* Command per line ruleset representation: According to what I can find on the
  Internet, it seems some people like to maintain their ruleset in scripts so
  they can add comments and annotate things there. However, this is a problem
  for two reasons: there is no atomic update, since rules are published to the
  packet path one after another, and it significantly increases the time that
  nft takes to reload your ruleset.

  So, the solution to this problem consists of keeping your ruleset like this:

  % cat my-ruleset-file
  flush ruleset
  add table filter
  add set filter whitelist { type ipv4_addr; }
  add chain filter input { type filter hook input priority 0; }
  add rule filter input iif lo accept
  add rule filter input ct state established,related counter accept
  add rule filter input tcp dport { 22, 80 } counter accept
  add rule filter input ip saddr @whitelist counter accept
  add element filter whitelist { }
  add element filter whitelist { }
  add element filter whitelist { }

  You can also add comments to the file with '#'.

  Then, you can atomically restore it via:

  % nft -f my-ruleset-file

  You can also use this command per line representation to apply
  incremental ruleset updates atomically:

  % cat incremental-ruleset-update
  delete element filter whitelist { }
  add element filter whitelist { }
  add element filter whitelist { }
  add element filter whitelist { }
  delete element filter whitelist { }
  % nft -f incremental-ruleset-update
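  The incremental update file above is something a script should generate
  rather than a human hand-write. As an added example, not from this
  announcement or from the nftables project: a shell function that diffs a
  "current" and a "desired" whitelist (one IPv4 address per line, kept next
  to the ruleset; file names are assumed) into exactly the delete/add lines
  `nft -f` needs, and a wrapper that only promotes the desired list once the
  batch was accepted. The addresses in the usage are constructed (RFC 5737).

```shell
#!/bin/sh
# Added example, not part of the announcement or of nftables: generate
# the incremental whitelist update as a command-per-line file so that
# `nft -f` applies the whole delta in one transaction.
# File names are assumed; addresses are constructed (RFC 5737).
set -eu

# whitelist_update CURRENT DESIRED: print `delete element` lines for
# addresses that disappeared and `add element` lines for new ones.
# Unchanged addresses produce nothing, so the kernel only sees the
# delta; no change at all yields an empty (no-op) file.
whitelist_update() {
    cur=$(mktemp)
    des=$(mktemp)
    grep -v '^[[:space:]]*$' "$1" | sort -u > "$cur" || true
    grep -v '^[[:space:]]*$' "$2" | sort -u > "$des" || true
    # comm -23: only in CURRENT -> delete; comm -13: only in DESIRED -> add
    comm -23 "$cur" "$des" | sed 's/.*/delete element filter whitelist { & }/'
    comm -13 "$cur" "$des" | sed 's/.*/add element filter whitelist { & }/'
    rm -f "$cur" "$des"
}

# apply_whitelist_update CURRENT DESIRED: build the delta, load it as
# one batch, and only then copy DESIRED over CURRENT.  This relies on
# `nft -f` exiting non-zero on failure (which 0.5 now also does for
# evaluation errors), so a rejected batch leaves CURRENT untouched and
# the next run regenerates the same delta.
apply_whitelist_update() {
    upd=$(mktemp)
    whitelist_update "$1" "$2" > "$upd"
    if [ -s "$upd" ]; then
        nft -f "$upd"
    fi
    cp "$2" "$1"
    rm -f "$upd"
}

# Usage (needs root and nf_tables; opt in explicitly):
#   NFT_APPLY=1 sh whitelist-update.sh /etc/nft/whitelist.current /etc/nft/whitelist.desired
if [ "${NFT_APPLY:-0}" = 1 ]; then
    apply_whitelist_update "$1" "$2"
fi
```

  Keeping the "current" copy on disk instead of parsing `nft list set`
  output makes the script independent of the listing format, at the cost
  that manual edits made with `nft add element` are not seen; if those
  happen, regenerate the current file from the live set before the next run.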

* Fix monitor mode, ie. nft monitor, when reloading relatively large rulesets.

* Fix transport-layer matching in the bridge family when no network-layer
  context is provided, eg.

  % nft add rule bridge filter input tcp dport 22

* Fix parsing of time values, eg. ct expiration lt 1m30s

* Fix missing family when listing tables, ie.

  % nft list tables
  table ip nat
  table ip filter

* Propagate error to shell on evaluation problems, eg.

  % nft add chain filter input { type filter hook inputt priority 0\; }
  <cmdline>:1:43-48: Error: unknown chain hook inputt
  add chain filter input { type filter hook inputt priority 0; }
  % echo $?


The nftables code can be obtained from:

* http://netfilter.org/projects/nftables/downloads.html
* ftp://ftp.netfilter.org/pub/nftables
* git://git.netfilter.org/nftables

To build the code, libnftnl 1.0.5 and libmnl >= 1.0.2 are required:

* http://netfilter.org/projects/libnftnl/index.html
* http://netfilter.org/projects/libmnl/index.html


Thanks to Patrick McHardy for finishing the concatenation support as
well as the set timeout and comment support; and Steven Barth for the
mini-gmp support.

Happy testing!
Alvaro Neira Ayuso (1):
      evaluate: clean up unused variables (pctx)

Arturo Borrero (5):
      doc: add a reference to the wiki page in the man page
      rule: delete extra space in rule indentation
      tests: regression: consider policy in base chain
      rule: fix chain details align indentations
      monitor: fix missing space after chain name

Eric Leblond (4):
      tests: regression: fix typo in README
      erec: fix buffer overflow
      erec: fix logic when reading from file
      payload: reorder case in a switch for consistency

Florian Westphal (8):
      datatype: avoid crash in debug mode when printing integers
      tests: avoid more warnings
      tests: meta: use root for uid/gid checks
      tests: validate generated netlink instructions
      tests: add two test cases using binop w. payload
      tests: use the src/nft binary instead of $PATH one
      tests: add 'awkward' prefix match expression
      src: fix build with debug off

Pablo Neira (1):
      netlink_delinearize: restore listing of host byteorder set elements

Pablo Neira Ayuso (67):
      tests: regression: named sets work
      tests: regression: revisit chain tests
      payload: assert when accessing inner transport header
      evaluate: reject: fix dependency generation from nft -f
      build: use -Wno-sign-compare to avoid compilation warning in mini-gmp.c
      src: modify pr_debug() to use printf and introduce to pr_gmp_debug()
      meta: register pkttype_type datatype
      rule: fix object order via nft -f
      main: display errors through stderr
      src: expose table flags
      src: allow to specify the default policy for base chains
      evaluate: missing break; in str2hooknum()
      netlink: fix crash when adding new non-base chain
      tests: regression: masquerade is only allowed from postrouting
      tests: regression: fix bogus warnings in any/mark.t
      src: introduce netlink_init_error()
      src: restore interface to index cache
      mnl: use new libnftnl batch API
      netlink_delinearize: pass ctx pointer to stmt_reject_postprocess()
      netlink_delinearize: keep pointer to current statement from rule_pp_ctx
      netlink_delinearize: add payload_match_expand()
      netlink_delinearize: consolidate range printing
      tests: regression: reduce code duplication a bit on error reporting
      tests: regression: fix warnings related to range listing
      tests: regression: fix NAT tests
      Merge branch 'next-4.1'
      datatype: default to display bitmask in hexadecimal
      proto: use bitmask_type for comp flags
      tests: regression: ip6: reduce warning noise
      parser_bison: allow to use mark as datatype for maps and sets
      netlink: fix use-after-free netlink_events_cache_deltable()
      src: add netdev family support
      payload: fix transport matching with no network layer info in bridge family
      rule: missing family when listing of tables
      src: set chain->hookstr from delinearization
      rule: add do_list_tables()
      netlink: release table object via table_free() in netlink_get_table()
      configure: fix --enable-debug
      main: return error to shell on evaluation problems
      netlink_delinearize: meta l4proto range printing broken on 32bit
      src: restore nft list tables
      Merge branch 'next-4.2'
      src: add cache infrastructure and use it for table objects
      src: add cmd_evaluate_list()
      rule: add reference counter to the table object
      src: add table declaration to cache
      src: use cache infrastructure for set objects
      src: add set declaration to cache
      src: early allocation of the set ID
      rule: add chain reference counter
      src: use cache infrastructure for chain objects
      evaluate: add cmd_evaluate_rename()
      src: add chain declarations to cache
      src: use cache infrastructure for rule objects
      src: use cache infrastructure for set element objects
      src: get rid of EINTR handling for nft_netlink()
      evaluate: display error on unexisting chain when listing
      netlink: don't call netlink_dump_*() from listing functions with --debug=netlink
      tests: sets: don't include listing in payload tests
      tests: redirect: fix payload display
      tests: display error when trying to run tests out of the root directory
      netlink: flush stdout after each event in monitor mode
      mnl: rework netlink socket receive path for events
      evaluate: use existing table object from evaluation context
      tests: add concatenations and maps; combine them too
      src: use new symbols in libnftnl
      Bump version to v0.5

Patrick McHardy (57):
      datatype: generate name for concat types
      datatype: add new subtypes field to account number of concat data types
      datatype: add define for maximum number of bits and mask of datatype id
      utils: add fls()
      datatype: change concat_type_alloc() to construct type from id
      parser: alloc specifying concat types in set declarations
      eval: refactor NAT evaluation functions
      evaluate: add missing datatype compat checks for statement arguments
      netlink_delinearize: fix error handling for invalid registers
      netlink: fix memory leaks
      netlink: remove unnecessary temporary variable
      netlink: style fixes
      netlink: style fixes
      netlink: readability fixes
      netlink_delinearize: rename netlink_parse_*_sreg/dreg functions
      netlink_delinearize: cleanup hard to read code
      concat: add concat subtype lookup/id helpers
      netlink_delinearize: add register parsing helper function
      netlink_linearize: add register dumping helper function
      parser: properly fix handling of large integer values
      set: remove unused set_clone() function
      expr: fix crash when listing non-verdict mappings
      meta: don't print meta keyword for unqualified meta stmts
      evaluate: verify named map is actually a map
      evaluate: properly set datatype of map expression
      evaluate: check that map expressions' datatype matches mappings
      evaluate: use stmt_evaluate_arg() in all cases
      set_elem: convert flag value to inclusive-OR binops during delinearize
      nft-test: don't use colors if output is not a tty
      netlink: fix use after free in netlink_get_table()
      netlink_delinarize: fix payload dependency killing of link layer dependencies
      parser: remove duplicated grammar for chain policy
      datatype: fix parsing of time type
      datatype: less strict time parsing
      datatype: separate time parsing/printing from time_type
      parser: add a time_spec rule
      parser: fix inconsistencies in set expression rules
      expr: add set_elem_expr as container for set element attributes
      set: add timeout support for sets
      setelem: add timeout support for set elements
      setelem: add support for attaching comments to set elements
      nftables: add set statement
      netlink_linearize: fix range cmp instruction generation
      ct: add maximum helper length value
      netlink_delinearize: remove obsolete fixme
      Merge remote-tracking branch 'origin/master' into next-4.1
      eval: prohibit variable sized types in concat expressions
      headers: sync headers for new register values
      netlink: pass expression to register allocation/release functions
      netlink_linearize: use NFT_REG32 values internally
      netlink_linearize: generate concat expressions
      netlink: pad constant concat sub-expressions
      netlink_delinearize: introduce register translation helper
      netlink_delinearize: handle relational and lookup concat expressions
      netlink: handle concat expressions in set data
      Merge remote-tracking branch 'origin/next-4.1'
      netlink_delinarize: fix merge conflict

Steven Barth (4):
      parser: rename VERSION token to HDRVERSION
      datatype: use mpz_set_str instead of gmp_sscanf
      erec: use stdio vasprintf instead of gmp_vasprintf
      build: add --with-mini-gmp switch to disable linking libgmp
