[ANNOUNCE] nftables 0.9.5 release

Pablo Neira Ayuso pablo at netfilter.org
Sat Jun 6 13:21:24 CEST 2020


Hi!

The Netfilter project proudly presents:

        nftables 0.9.5

This release contains fixes and new features available up to the Linux
kernel 5.7 release.

* Support for set counters:

  table ip x {
            set y {
                    typeof ip saddr
                    counter
                    elements = { 192.168.10.35, 192.168.10.101, 192.168.10.135 }
            }

            chain z {
                    type filter hook output priority filter; policy accept;
                    ip daddr @y
            }
  }

  The counter statement in the set `y' definition turns on counters.

* Support for restoring set element counters via nft -f.

  # cat ruleset.nft
  table ip x {
        set y {
                typeof ip saddr
                counter
                elements = { 192.168.10.35 counter packets 1 bytes 84, 192.168.10.101 counter p
                             192.168.10.135 counter packets 0 bytes 0 }
        }

        chain z {
                type filter hook output priority filter; policy accept;
                ip daddr @y
        }
  }
  # nft -f ruleset.nft
  # nft list ruleset
  table ip x {
        set y {
                typeof ip saddr
                counter
                elements = { 192.168.10.35 counter packets 1 bytes 84, 192.168.10.101 counter p
                             192.168.10.135 counter packets 0 bytes 0 }
        }

        chain z {
                type filter hook output priority filter; policy accept;
                ip daddr @y
        }
  }

* Counters support for flowtables:

     table ip foo {
            flowtable bar {
                    hook ingress priority -100
                    devices = { eth0, eth1 }
                    counter
            }

            chain forward {
                    type filter hook forward priority filter;
                    flow add @bar counter
            }
     }

  You can list the counters via `conntrack -L':

  tcp      6 src=192.168.10.2 dst=10.0.1.2 sport=47278 dport=5201 packets=9 bytes=608 src=10.0.1.2 dst=10.0.1.1 sport=5201 dport=47278 packets=8 bytes=428 [OFFLOAD] mark=0 secctx=null use=2
  tcp      6 src=192.168.10.2 dst=10.0.1.2 sport=47280 dport=5201 packets=1005763 bytes=44075714753 src=10.0.1.2 dst=10.0.1.1 sport=5201 dport=47280 packets=967505 bytes=50310268 [OFFLOAD] mark=0 secctx=null use=2

  The [OFFLOAD] status bit specifies that this flow is exercising the
  flowtable fast datapath.

* typeof concatenations support for sets. You can use typeof to specify the
  datatype of the selector in sets, e.g.

     table ip foo {
            set whitelist {
                    typeof ip saddr . tcp dport
                    elements = { 192.168.10.35 . 80, 192.168.10.101 . 80 }
            }

            chain bar {
                    type filter hook prerouting priority filter; policy drop;
                    ip daddr . tcp dport @whitelist accept
            }
     }

  You can also use typeof concatenations in maps:

     table ip foo {
            map addr2mark {
                typeof ip saddr . tcp dport : meta mark
                elements = { 192.168.10.35 . 80 : 0x00000001,
                             192.168.10.135 . 80 : 0x00000002 }
            }

            chain bar {
                    type filter hook prerouting priority filter; policy drop;
                    meta mark set ip daddr . tcp dport map @addr2mark accept
            }
     }

* Support for concatenated ranges in anonymous sets.

  # nft add rule inet filter input ip daddr . tcp dport \
       { 10.0.0.0/8 . 10-23, 192.168.1.1-192.168.3.8 . 80-443 } accept

* Allow to reject packets with 802.1q from the bridge family.

  # nft add rule bridge foo bar ether type vlan reject with tcp reset

* Support for matching on the conntrack ID

  You can fetch the conntrack ID via `--output id':

  # conntrack -L --output id
  udp      17 18 src=192.168.2.118 dst=192.168.2.1 sport=36424 dport=53 packets=2 bytes=122 src=192.168.2.1 dst=192.168.2.118 sport=53 dport=36424 packets=2 bytes=320 [ASSURED] mark=0 use=1 id=2779986232

  Then, a very simple single rule to update counters for packets
  matching this conntrack ID.

  # nft add rule foo bar ct id 2779986232 counter

  You can combine this new selector with the existing set and map features
  to build more advanced rules.

You can download this new release from:

http://www.netfilter.org/projects/nftables/downloads.html#nftables-0.9.5
ftp://ftp.netfilter.org/pub/nftables/

To build the code, libnftnl 1.1.7 and libmnl >= 1.0.4 are required:

* http://netfilter.org/projects/libnftnl/index.html
* http://netfilter.org/projects/libmnl/index.html

Visit our wikipage for user documentation at:

* http://wiki.nftables.org

For the manpage reference, check man(8) nft.

In case of bugs and feature request, file them via:

* https://bugzilla.netfilter.org

Have fun.
-------------- next part --------------
Brett Mastbergen (1):
      ct: Add support for the 'id' key

Florian Westphal (1):
      concat: provide proper dtype when parsing typeof udata

Laura Garcia Liebana (2):
      doc: add hashing expressions description
      build: fix tentative generation of nft.8 after disabled doc

Matt Turner (2):
      build: Include generated man pages in dist tarball
      build: Allow building from tarballs without yacc/lex

Michael Braun (7):
      main: fix ASAN -fsanitize=address error in get_optstring()
      utils: fix UBSAN warning in fls
      datatype: fix double-free resulting in use-after-free in datatype_free
      tests: dump generated use new nft tool
      main: fix get_optstring truncating output
      datatype: add frag-needed (ipv4) to reject options
      evaluate: enable reject with 802.1q

Pablo Neira Ayuso (32):
      segtree: broken error reporting with mappings
      parser_bison: proper ct timeout list initialization
      src: NAT support for intervals in maps
      include: resync nf_nat.h kernel header
      src: add netmap support
      src: add STMT_NAT_F_CONCAT flag and use it
      evaluate: fix crash when handling concatenation without map
      tests: py: concatenation, netmap and nat mappings
      mnl: restore --debug=netlink output with sets
      tests: py: remove range test with service names
      tests: shell: add NAT mappings tests
      evaluate: incorrect byteorder with typeof and integer_datatype
      nat: transform range to prefix expression when possible
      rule: memleak in __do_add_setelems()
      rule: fix element cache update in __do_add_setelems()
      src: add rule_stmt_insert_at() and use it
      src: add rule_stmt_append() and use it
      parser_bison: release extended priority string after parsing
      parser_bison: release helper type string after parsing
      src: ct_timeout: release policy string and state list
      src: fix netlink_get_setelem() memleaks
      evaluate: fix memleak in stmt_evaluate_reject_icmp()
      mnl: fix error rule reporting with missing table/chain and anonymous sets
      src: rename CMD_OBJ_SETELEM to CMD_OBJ_ELEMENTS
      libnftables: call nft_cmd_expand() only with CMD_ADD
      src: add CMD_OBJ_SETELEMS
      src: remove empty file
      mnl: add function to convert flowtable device list to array
      src: add devices to an existing flowtable
      src: delete devices to an existing flowtable
      src: allow flowtable definitions with no devices
      build: Bump version to v0.9.5

Phil Sutter (5):
      segtree: Fix missing expires value in prefixes
      segtree: Use expr_clone in get_set_interval_*()
      segtree: Merge get_set_interval_find() and get_set_interval_end()
      segtree: Fix get element command with prefixes
      JSON: Improve performance of json_events_cb()

Stefano Brivio (6):
      include: Resync nf_tables.h cache copy
      src: Set NFT_SET_CONCAT flag for sets with concatenated ranges
      build: Fix doc build, restore A2X assignment for doc/Makefile
      tests: py: Actually use all available hooks in bridge/chains.t
      evaluate: Perform set evaluation on implicitly declared (anonymous) sets
      tests: py: Enable anonymous set rule with concatenated ranges in inet/sets.t



More information about the netfilter-announce mailing list