[ANNOUNCE] nftables 0.9.4 release

Pablo Neira Ayuso pablo at netfilter.org
Wed Apr 1 16:35:24 CEST 2020


Hi!

The Netfilter project proudly presents:

        nftables 0.9.4

This release contains fixes and new features available up to the Linux
kernel 5.6 release.

* Support for ranges in concatenations (requires Linux kernel >= 5.6),
  e.g.

    table ip foo {
           set whitelist {
                   type ipv4_addr . ipv4_addr . inet_service
                   flags interval
                   elements = { 192.168.10.35-192.168.10.40 . 192.168.11.123-192.168.11.125 . 80 }
           }

           chain bar {
                   type filter hook prerouting priority filter; policy drop;
                   ip saddr . ip daddr . tcp dport @whitelist accept
           }
    }

  This creates a `whitelist' set whose elements are concatenations.
  The interval flag specifies that this set may include ranges in the
  concatenated fields. The example above accepts all traffic coming
  from 192.168.10.35 to 192.168.10.40 (both ends of the range are
  included), destined to 192.168.11.123 to 192.168.11.125, on TCP
  destination port 80.
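  As an added example (not part of the announcement), a complete ruleset
  file that restricts management access with a single interval set whose
  concatenated elements mix address ranges, a port range and plain values;
  the table, set and chain names and all addresses are constructed.

```nft
# Added example, not from the announcement. Requires Linux >= 5.6 and
# nftables 0.9.4; load with `nft -f admin.nft`. Addresses are constructed.
table ip filter {
        set admin_access {
                # key: source address . destination address . TCP port
                type ipv4_addr . ipv4_addr . inet_service
                # `interval' is mandatory for ranges in any of the fields
                flags interval
                elements = { 192.168.10.35-192.168.10.40 . 192.168.11.123-192.168.11.125 . 22,
                             192.168.10.35-192.168.10.40 . 192.168.11.123-192.168.11.125 . 443,
                             10.20.0.1-10.20.0.254 . 192.168.11.123-192.168.11.125 . 8000-8080 }
        }

        chain input {
                type filter hook input priority filter; policy drop;
                ct state established,related accept
                iif "lo" accept
                # one lookup replaces one rule per (source, destination, port) triple
                ip saddr . ip daddr . tcp dport @admin_access accept
                # anything not in the set falls through to the drop policy
        }
}
```

  Omitting `flags interval' on this set makes nft reject the ranged
  elements; 0.9.4 reports that case with a dedicated error message.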

* typeof support for sets. Instead of naming a datatype, you can use
  typeof with an expression to specify the datatype of the set key, e.g.

     table ip foo {
            set whitelist {
                    typeof ip saddr
                    elements = { 192.168.10.35, 192.168.10.101, 192.168.10.135 }
            }

            chain bar {
                    type filter hook prerouting priority filter; policy drop;
                    ip daddr @whitelist accept
            }
     }

  You can also use typeof in maps:

     table ip foo {
            map addr2mark {
                typeof ip saddr : meta mark
                elements = { 192.168.10.35 : 0x00000001, 192.168.10.135 : 0x00000002 }
            }
     }

* NAT mappings with concatenations. This allows you to take both the
  address and the port used in the NAT mangling from a map, e.g.

      nft add rule ip nat pre dnat ip addr . port to ip saddr map { 1.1.1.1 : 2.2.2.2 . 30 }

  You can also use this new feature with named sets:

      nft add map ip nat destinations { type ipv4_addr . inet_service : ipv4_addr . inet_service \; }
      nft add rule ip nat pre dnat ip addr . port to ip saddr . tcp dport map @destinations
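  As an added example (not part of the announcement), the same named-map
  form written as a ruleset file: one public address is published and
  connections are fanned out by destination port to different internal
  backends; the map and chain names and all addresses are constructed.

```nft
# Added example, not from the announcement. Requires Linux >= 5.6 and
# nftables 0.9.4; load with `nft -f nat.nft`. Addresses are constructed.
table ip nat {
        map backends {
                # key: public address . public port -> backend address . backend port
                type ipv4_addr . inet_service : ipv4_addr . inet_service
                elements = { 203.0.113.10 . 80  : 10.0.0.10 . 8080,
                             203.0.113.10 . 443 : 10.0.0.11 . 8443 }
        }

        chain prerouting {
                type nat hook prerouting priority dstnat; policy accept;
                # both the new address and the new port come from the map data
                dnat ip addr . port to ip daddr . tcp dport map @backends
        }
}
```

  Packets for 203.0.113.10 on ports not listed in the map are not
  translated and keep their original destination.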

* Hardware offload support: your NIC driver must support this
  infrastructure. You have to enable offload via ethtool:

     # ethtool -K eth0 hw-tc-offload on

  Then, in nftables, you have to turn on the offload flag in the basechain
  definition.

     # cat file.nft
     table netdev x {
            chain y {
                type filter hook ingress device eth0 priority 10; flags offload;
                ip saddr 192.168.30.20 drop
            }
     }
     # nft -f file.nft

  This simple example drops all traffic coming from 192.168.30.20 in
  the hardware. The Linux host sees no packets at all from
  192.168.30.20 after this, since the NIC filters them out.

  As of kernel 5.6, supported features are:

  - Matching on:
    -- packet header fields.
    -- input interface.

  - Actions available are:
    -- accept / drop action.
    -- Duplicate packet to port through `dup'.
    -- Mirror packet to port through `fwd'.

* Enhancements to improve location-based error reporting, e.g.

     # nft delete rule ip y z handle 7
     Error: Could not process rule: No such file or directory
     delete rule ip y z handle 7
                    ^

  In the example above, the table `y' does not exist on your system.

     # nft delete rule ip x x handle 7
     Error: Could not process rule: No such file or directory
     delete rule ip x x handle 7
                               ^

  This means that rule handle 7 does not exist.

     # nft delete table twst
     Error: No such file or directory; did you mean table ‘test’ in family ip?
     delete table twst
                  ^^^^

  If you delete a table whose name has been mistyped, error reporting
  includes a suggestion.

* Match on the slave interface through `meta sdif' and `meta
  sdifname', e.g.

        ... meta sdifname vrf1 ...

* Support for right and left shifts:

        ... meta mark set meta mark lshift 1 or 0x1 ...

  This example shifts the existing packet mark one bit to the left and
  sets the least significant bit to 1.

* New -V option to display extended version information, including
  compile time options:

     # nft -V
       nftables v0.9.4 (Jive at Five)
          cli:          readline
          json:         yes
          minigmp:      no
          libxtables:   yes

* manpage documentation updates.

* ... and bugfixes.

See ChangeLog that comes attached to this email for more details.

= Caveat =

This new version enforces options before commands, i.e.

     # nft list ruleset -a
     Error: syntax error, options must be specified before commands
     nft list ruleset -a
        ^             ~~

Just place the option before the command:

     # nft -a list ruleset
     ... [ ruleset listing here ] ...

Make sure to update your scripts.

You can download this new release from:

http://www.netfilter.org/projects/nftables/downloads.html#nftables-0.9.4
ftp://ftp.netfilter.org/pub/nftables/

To build the code, libnftnl 1.1.6 and libmnl >= 1.0.3 are required:

* http://netfilter.org/projects/libnftnl/index.html
* http://netfilter.org/projects/libmnl/index.html

Visit our wikipage for user documentation at:

* http://wiki.nftables.org

For the manpage reference, check man(8) nft.

In case of bugs and feature requests, file them via:

* https://bugzilla.netfilter.org

Happy firewalling!
-------------- next part --------------
Arturo Borrero Gonzalez (1):
      py: load the SONAME-versioned shared object

Benjamin Poirier (1):
      doc: Fix typo in IGMP section

Duncan Roe (1):
      doc: Clarify conditions under which a reject verdict is permissible

Florian Westphal (22):
      parser: add a helper for concat expression handling
      src: store expr, not dtype to track data in sets
      src: add "typeof" build/parse/print support
      mnl: round up the map data size too
      tests: add typeof test cases
      evaluate: print a hint about 'typeof' syntax on 0 keylen
      doc: mention 'typeof' as alternative to 'type' keyword
      meta: add slave device matching
      xfrm: spi is big-endian
      src: maps: update data expression dtype based on set
      evaluate: print correct statement name on family mismatch
      tests: 0034get_element_0: do not discard stderr
      tests: shell: avoid spurious failure when running in host namespace
      expression: use common code for expr_ops/expr_ops_by_type
      tests: add initial nat map test
      evaluate: process concat expressions when used as mapped-to expr
      netlink: handle concatenations on set elements mappings
      evaluate: add two new helpers
      src: allow nat maps containing both ip(6) address and port
      tests: nat: add and use maps with both address and service
      expressions: concat: add typeof support
      tests: update nat_addr_port with typeof+concat maps

Jan Engelhardt (1):
      src: compute mnemonic port name much easier

Jeremy Sowden (28):
      evaluate: fix expr_set_context call for shift binops.
      include: nf_tables: correct bitwise header comment.
      Update gitignore.
      src: white-space fixes.
      netlink_delinearize: fix typo.
      netlink_delinearize: remove commented out pr_debug statement.
      include: update nf_tables.h.
      netlink: add support for handling shift expressions.
      parser: add parenthesized statement expressions.
      evaluate: correct variable name.
      evaluate: change shift byte-order to host-endian.
      tests: shell: add bit-shift tests.
      tests: py: add missing JSON output.
      tests: py: add bit-shift tests.
      evaluate: add separate variables for lshift and xor binops.
      evaluate: simplify calculation of payload size.
      evaluate: don't evaluate payloads twice.
      evaluate: convert the byte-order of payload statement arguments.
      evaluate: no need to swap byte-order for values of fewer than 16 bits.
      netlink_delinearize: set shift RHS byte-order.
      src: fix leaks.
      main: add more information to `nft -V`.
      main: remove duplicates from option string.
      parser_bison: fix rshift statement expression.
      main: include '-d' in help.
      main: include '--reversedns' in help.
      main: interpolate default include path into help format-string.
      main: use one data-structure to initialize getopt_long(3) arguments and help.

Laurent Fasnacht (7):
      scanner: move the file descriptor to be in the input_descriptor structure
      scanner: move indesc list append in scanner_push_indesc
      scanner: remove parser_state->indescs static array
      Inclusion depth was computed incorrectly for glob includes.
      scanner: fix indesc_list stack to be in the correct order
      scanner: remove parser_state->indesc_idx
      tests: shell: add test for glob includes

Luis Ressel (1):
      netlink: Show the handles of unknown rules in "nft monitor trace"

Pablo Neira Ayuso (53):
      include: add nf_tables_compat.h to tarballs
      build: nftables 0.9.3 depends on libnftnl 1.1.5
      segtree: don't remove nul-root element from interval set
      proto: add proto_desc_id enumeration
      expr: add expr_ops_by_type()
      parser: add typeof keyword for declarations
      meta: add parse and build userdata interface
      exthdr: add exthdr_desc_id enum and use it
      exthdr: add parse and build userdata interface
      socket: add parse and build userdata interface
      osf: add parse and build userdata interface
      ct: add parse and build userdata interface
      numgen: add parse and build userdata interface
      hash: add parse and build userdata interface
      rt: add parse and build userdata interface
      fib: add parse and build userdata interface
      xfrm: add parse and build userdata interface
      main: enforce options before commands
      scanner: incorrect error reporting after file inclusion
      tests: shell: delete flowtable after flushing chain
      main: restore --debug
      evaluate: better error notice when interval flag is not set on
      tests: shell: set lookup and set update
      tests: shell: update list of rmmod modules
      tests: shell: validate error reporting with include and glob
      scanner: use list_is_first() from scanner_pop_indesc()
      parser: incorrect handle location
      src: initial extended netlink error reporting
      src: combine extended netlink error reporting with mispelling support
      mnl: extended error support for create command
      src: improve error reporting when setting policy on non-base chain
      src: improve error reporting when remove rules
      parser_bison: memleak in device parser
      mnl: do not use expr->identifier to fetch device name
      src: nat concatenation support with anonymous maps
      tests: shell: adjust tests to new nat concatenation syntax
      evaluate: stmt_evaluate_nat_map() only if stmt->nat.ipportmap == true
      src: support for offload chain flag
      netlink: remove unused parameter from netlink_gen_stmt_stateful()
      src: support for restoring element counters
      evaluate: add range specified flag setting (missing NF_NAT_RANGE_PROTO_SPECIFIED)
      src: support for counter in set definition
      tests: py: update nat expressions payload to include proto flags
      include: resync nf_tables.h cache copy
      src: add support for flowtable counter
      evaluate: display error if set statement is missing
      rule: add hook_spec
      parser_bison: store location of basechain definition
      evaluate: improve error reporting in netdev ingress chain
      evaluate: check for device in non-netdev chains
      parser_bison: simplify error in chain type and hook
      main: swap json and gmp fields in nft -V
      build: Bump version to v0.9.4

Phil Sutter (20):
      monitor: Do not decompose non-anonymous sets
      monitor: Fix for use after free when printing map elements
      tests: monitor: Support running individual test cases
      monitor: Fix output for ranges in anonymous sets
      tests: shell: Search diff tool once and for all
      cache: Fix for doubled output after reset command
      netlink: Fix leak in unterminated string deserializer
      netlink: Fix leaks in netlink_parse_cmp()
      netlink: Avoid potential NULL-pointer deref in netlink_gen_payload_stmt()
      tests: json_echo: Fix for Python3
      tests: json_echo: Support testing host binaries
      tests: monitor: Support testing host's nft binary
      tests: py: Support testing host binaries
      doc: nft.8: Describe element commands in their own section
      doc: nft.8: Mention wildcard interface matching
      scanner: Extend asteriskstring definition
      tests/py: Fix JSON output for changed timezone
      parser_json: Support ranges in concat expressions
      tests/py: Add tests involving concatenated ranges
      tests/py: Move tcpopt.t to any/ directory

Stefano Brivio (5):
      include: resync nf_tables.h cache copy
      src: Add support for NFTNL_SET_DESC_CONCAT
      src: Add support for concatenated set ranges
      tests: Introduce test for set with concatenated ranges
      tests: shell: Introduce test for insertion of overlapping and non-overlapping ranges

nl6720 (1):
      doc: Remove repeated paragraph and fix typo
