[ANNOUNCE] nftables 0.9.8 release
Pablo Neira Ayuso
pablo at netfilter.org
Fri Jan 15 22:59:42 CET 2021
Hi!
The Netfilter project proudly presents:
nftables 0.9.8
This release contains fixes, documentation updates and new features
available up to the Linux kernel 5.11-rc1 release.
* Complete support for matching ICMP header content fields.
... icmp type { echo-reply, echo-request } icmp id 1 icmp sequence 2
... icmpv6 type packet-too-big icmpv6 mtu 1280
* Add raw tcp option match support
... tcp option @42,16,4
where you can specify @kind,offset,length
* Allow to check for the presence of any tcp option
... tcp option 42 exists
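The two TCP option matches above both depend on walking the options area of the TCP header, which is where malformed packets bite. The following is an added example written for this page (it is not nftables code and not Pablo's): a small Python emulation of that walk, of `tcp option N exists`, and of `tcp option @kind,offset,length`, where offset and length are bit counts from the first (kind) byte of the matched option, as with nft's other raw payload expressions. The sample options area is constructed, not captured, and treating truncated or bogus-length options as "not present" is this example's own conservative choice.

```python
# Added example, not part of nftables: emulate the TCP options walk behind
# `tcp option N exists` and `tcp option @kind,offset,length`.
from typing import Iterator, Optional, Tuple

TCPOPT_EOL = 0   # end of option list: single byte, stops parsing
TCPOPT_NOP = 1   # padding: single byte, carries no length field
TCPOPT_MSS = 2   # 4-byte option carrying the 16-bit MSS value


def iter_tcp_options(opts: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (kind, raw_option_bytes) for each option in the options area.

    Parsing stops at EOL, at a kind byte with no length byte, and at an
    option whose length is < 2 or runs past the buffer: a malformed list
    is not trusted beyond that point (assumption of this example).
    """
    i, n = 0, len(opts)
    while i < n:
        kind = opts[i]
        if kind == TCPOPT_EOL:
            return
        if kind == TCPOPT_NOP:
            yield kind, opts[i:i + 1]
            i += 1
            continue
        if i + 1 >= n:
            return                      # truncated: no length byte
        length = opts[i + 1]
        if length < 2 or i + length > n:
            return                      # bogus length or option overruns buffer
        yield kind, opts[i:i + length]
        i += length


def tcp_option_exists(opts: bytes, kind: int) -> bool:
    """Emulates `tcp option <kind> exists`."""
    return any(k == kind for k, _ in iter_tcp_options(opts))


def tcp_option_raw(opts: bytes, kind: int,
                   offset_bits: int, length_bits: int) -> Optional[int]:
    """Emulates `tcp option @kind,offset,length`.

    Returns the integer value of `length_bits` bits starting `offset_bits`
    bits into the first option of that kind. Returns None when the option is
    absent or when the requested window extends past the option; the latter
    is treated as "no match" here, which is this example's assumption.
    """
    for k, raw in iter_tcp_options(opts):
        if k != kind:
            continue
        total_bits = len(raw) * 8
        if offset_bits + length_bits > total_bits:
            return None
        word = int.from_bytes(raw, "big")
        shift = total_bits - offset_bits - length_bits
        return (word >> shift) & ((1 << length_bits) - 1)
    return None


# Constructed sample options area (not a captured packet): MSS 1460, two NOPs,
# SACK-permitted, a kind-42 option carrying bytes 0xab 0xcd, then EOL.
SAMPLE_OPTS = bytes([
    TCPOPT_MSS, 4, 0x05, 0xb4,
    TCPOPT_NOP, TCPOPT_NOP,
    4, 2,
    42, 4, 0xab, 0xcd,
    TCPOPT_EOL,
])


def rule_matches(opts: bytes) -> bool:
    """The rule `tcp option 42 exists tcp option @42,16,4 == 10` against opts."""
    return tcp_option_exists(opts, 42) and tcp_option_raw(opts, 42, 16, 4) == 10


if __name__ == "__main__":
    print(tcp_option_exists(SAMPLE_OPTS, 42))              # True
    print(tcp_option_raw(SAMPLE_OPTS, 42, 16, 4))          # 10 (high nibble of 0xab)
    print(tcp_option_raw(SAMPLE_OPTS, TCPOPT_MSS, 16, 16)) # 1460
    print(rule_matches(SAMPLE_OPTS))                       # True
```

`@42,16,4` skips the kind and length bytes (bits 0..15) and reads the first nibble of the option data, which is why the result for the sample is 10 (0xa). A packet whose kind-42 option is shorter than the requested window, or whose option list is cut off, yields no match rather than a read past the option.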
* Support for rejecting traffic from the ingress chain:
table netdev x {
	chain y {
		type filter hook ingress device eth0 priority 0; policy accept;
		tcp dport 22 reject with tcp reset
	}
}
* Optimized bytecode generation for prefix match
# nft --debug=netlink x y ip saddr 192.168.2.0/24
ip
  [ payload load 3b @ network header + 12 => reg 1 ]
  [ cmp eq reg 1 0x0002a8c0 ]
Resulting in two instructions instead of three (bitwise is removed on
byte-boundaries).
* Support for several statements per set element. The example below
updates a set from the packet path (dynamic set), and it shows how
to ratelimit first then count packets that go through per set element.
table ip x {
	set y {
		type ipv4_addr
		size 65535
		flags dynamic,timeout
		timeout 1h
	}
	chain z {
		type filter hook output priority filter; policy accept;
		update @y { ip daddr limit rate 1/second counter }
	}
}
You can also use the multi-statement support for (non-dynamic) sets.
table ip x {
	set y {
		type ipv4_addr
		limit rate 1/second counter
		elements = { 1.1.1.1, 4.4.4.4, 5.5.5.5 }
	}
	chain y {
		type filter hook output priority filter; policy accept;
		ip daddr @y
	}
}
In this case, you can add new elements from the control plane:
# nft add element x y { 6.6.6.6 }
which runs the specified rate limit and counter statements.
This requires a Linux kernel >= 5.11-rc1.
* editline support for nft -i (CLI); you can enable it at compile time:
./configure --with-cli=editline
You can download this new release from:
https://www.netfilter.org/projects/nftables/downloads.html#nftables-0.9.8
To build the code, libnftnl >= 1.1.9 and libmnl >= 1.0.4 are required:
* https://netfilter.org/projects/libnftnl/index.html
* https://netfilter.org/projects/libmnl/index.html
Visit our wikipage for user documentation at:
* https://wiki.nftables.org
For the manpage reference, check man(8) nft.
In case of bugs and feature requests, file them via:
* https://bugzilla.netfilter.org
Happy firewalling.
Florian Westphal (23):
tests: json: add missing test case output
tests: avoid warning and add missing json test cases
json: add missing nat_type flag and netmap nat flag
json: fix ip6 dnat test case after range to prefix transformation change
parser: merge sack-perm/sack-permitted and maxseg/mss
tcpopts: clean up parser -> tcpopt.c plumbing
tcpopt: rename noop to nop
tcpopt: split tcpopt_hdr_fields into per-option enum
tcpopt: allow to check for presence of any tcp option
tcp: add raw tcp option match support
json: tcp: add raw tcp option match support
exthdr: remove unused proto_key member from struct
proto: reduce size of proto_desc structure
src: add auto-dependencies for ipv4 icmp
tests: fix expected payload of icmp expressions
src: add auto-dependencies for ipv6 icmp6
tests: fix expected payload of icmpv6 expressions
payload: auto-remove simple icmp/icmpv6 dependency expressions
tests: icmp, icmpv6: avoid remaining warnings
tests: ip: add one test case to cover both id and sequence
tests: icmp, icmpv6: check we don't add second dependency
nft: trace: print packet unconditionally
json: don't leave dangling pointers on hlist
Jeremy Sowden (3):
doc: correct chain name in example of adding a rule
tests: py: remove duplicate payloads.
tests: py: update format of registers in bitwise payloads.
Jose M. Guisado Gomez (5):
evaluate: add netdev support for reject default
tests: py: add netdev folder and reject.t icmp cases
src: enable json echo output when reading native syntax
monitor: add assignment check for json_echo
monitor: fix formatting of if statements
Pablo Neira Ayuso (19):
tests: shell: exercise validation with nft -c
parser_bison: allow to restore limit from dynamic set
mnl: reply netlink error message might be larger than MNL_SOCKET_BUFFER_SIZE
src: report EPERM for non-root users
parser_bison: double close_scope() call for implicit chains
tests: shell: timeouts later than 23 days
build: search for python3
src: add support for multi-statement in dynamic sets and maps
src: add set element multi-statement support
src: disallow burst 0 in ratelimits
tests: shell: set element multi-statement support
src: set on flags to request multi-statement support
cli: add libedit support
cli: use plain readline() interface with libedit
main: fix typo in cli definition
include: resync nf_tables.h cache copy
segtree: honor set element expiration
evaluate: disallow ct original {s,d}ddr from maps
build: Bump version to v0.9.8
Phil Sutter (8):
tests/shell: Improve fix in sets/0036add_set_element_expiration_0
src: Support odd-sized payload matches
src: Optimize prefix matches on byte-boundaries
proto: Fix ARP header field ordering
json: echo: Speedup seqnum_to_json()
json: Fix seqnum_to_json() functionality
doc: Document 'dccp type' match
tests: py: Fix for changed concatenated ranges output