Mailing List Archive

[ANNOUNCE] nftables 0.6 release
Hi!

The Netfilter project proudly presents:

nftables 0.6

This release contains many accumulated bug fixes and new features
availale up to the Linux 4.7-rc1 kernel release.

New features
============

* Rule replacement: You can replace any rule from the unique 64-bits
handle. You have to retrieve the handle from the ruleset listing.

# nft list ruleset -a
table ip filter {
chain input {
...
ct state new tcp dport ssh accept counter packets 0 bytes 0 # handle 4
}
}

Then, indicate this handle from the new rule that you want to
replace, eg.

# nft replace rule filter input handle 4 ct state new \
tcp dport { 22, 80} counter accept

* Flow table support: This provides a native replacement for the
hashlimit match in iptables. The rule below creates a 'ssh' flow table
declares a ratelimit of 10 packets per second for each source IP address:

# nft add rule filter input tcp dport 22 ct state new \
flow table ssh { ip saddr limit rate 10/second } accept

This is actually way more than hashlimit since you can use any selector
and build your own tuple of selectors through concatenations, eg.

# nft add rule filter input \
flow table acct { iif . ip saddr timeout 60s counter }

Then, if you want to list the content of the 'acct' flow table:

# nft list flow table acct
table ip filter {
flow table acct {
type iface_index . ipv4_addr
flags timeout
elements = { eth0 . 218.68.110.274 expires 3m56s : counter packets 1 bytes 98, eth0 . 180.29.103.19 expires 3m57s : counter packets 2 bytes 80, eth0 . 8.8.8.8 expires 3m44s : counter packets 1 bytes 84}
}
}

Note that this listing format is still unstable though, so don't make
tools to parse this output yet. Commands to empty flow tables and remove
specific entries are still missing.

Moreover, flow tables require a Linux kernel >= 4.3.

* New tracing infrastructure: Useful for ruleset debugging, you have
to enable tracing via:

# nft filter input tcp dport 10000 nftrace set 1
# nft filter input icmp type echo-request nftrace set 1

Then, you can monitor traces through:

# nft -nn monitor trace

That generates the following outputs:

trace id e1f5055f ip filter input packet: iif eth0 ether saddr
63:f6:4b:00:54:52 ether daddr c9:4b:a9:00:54:52 ip saddr 192.168.122.1
ip daddr 192.168.122.83 ip tos 0 ip ttl 64 ip id 32315 ip length 84
icmp type echo-request icmp code 0 icmp id 10087 icmp sequence 1
trace id e1f5055f ip filter input rule icmp type echo-request
nftrace set 1 (verdict continue)
trace id e1f5055f ip filter input verdict continue
trace id e1f5055f ip filter input
trace id 74e47ad2 ip filter input packet: iif vlan0 ether saddr
63:f6:4b:00:54:52 ether daddr c9:4b:a9:00:54:52 vlan pcp 0 vlan cfi 1
vlan id 1000 ip saddr 10.0.0.1 ip daddr 10.0.0.2 ip tos 0 ip ttl 64 ip
id 49030 ip length 84 icmp type echo-request icmp code 0 icmp id 10095
icmp sequence 1
trace id 74e47ad2 ip filter input rule icmp type echo-request
nftrace set 1 (verdict continue)
trace id 74e47ad2 ip filter input verdict continue
trace id 74e47ad2 ip filter input
trace id 3030de23 ip filter input packet: iif vlan0 ether saddr
63:f6:4b:00:54:52 ether daddr c9:4b:a9:00:54:52 vlan pcp 0 vlan cfi 1
vlan id 1000 ip saddr 10.0.0.1 ip daddr 10.0.0.2 ip tos 16 ip ttl 64
ip id 59062 ip length 60 tcp sport 55438 tcp dport 10000 tcp flags ==
syn tcp window 29200
trace id 3030de23 ip filter input rule tcp dport 10000 nftrace set
1 (verdict continue)
trace id 3030de23 ip filter input verdict continue
trace id 3030de23 ip filter input

The trace id is unique for each packet, there above you can see the
travel of this packet through the nft packet classifier.

* Ratelimiting enhancements: You can now specify ratelimits in terms
of bytes/second, eg.

# nft add rule filter forward \
limit rate 1024 mbytes/second counter accept

The rule above matches packets under the specified ratelimit. This
requires a Linux kernel >= 4.3 btw.

You can also indicate the amount of traffic that can go over the
threshold via 'burst', eg.

# nft add rule filter forward \
limit rate 1024 mbytes/second burst 10240 bytes counter accept

You may also need to match based on inverted logic, eg.

# nft add rule filter forward \
limit rate over 1024 mbytes/second log prefix "OVERLIMIT: " drop

* VLAN matching: You can match any vlan header field and combine this
with any of the existing upper layer header selectors, eg.

# nft add rule bridge filter prerouting vlan id 24 \
ip saddr 192.168.1.0/24 counter accept

* Packet duplication: When used from any of the supported layer 3 families,
this allows you to clone packets to a given destination address, eg.
duplicate all packets whose mark is 0xffff:

# nft add rule filter forward \
meta mark 0xffff dup to 172.20.0.2 counter

You can actually combine this new feature with maps:

# nft add rule filter forward meta mark 0xffff \
dup to meta mark map { \
0xffff : 172.20.0.2, \
0xeeee : 172.20.0.3 } counter

So the destination for the duplicated packet depends on the packet
mark.

You can also use this from layer 2 ingress, eg.

# nft add table netdev filter
# nft add chain netdev filter ingress { \
type filter hook ingress device eth0 priority 0\; }
# nft add rule netdev filter ingress dup to dummy0

In this case, you specify the nic that is used to transmit the
duplicated packet.

* Packet forwarding from the new ingress family, eg.

# nft add rule netdev filter ingress iif eth0 fwd to eth1

To forward packets that enter from eth0, then make them go through
eth1.

* String prefix matching through '*' (asterisk), eg.

# nft add filter forward iifname eth\* ...

This is equivalent to iptables ... -i eth+

* DSCP and ECN matching, eg.

# nft add rule filter forward ip dscp cs1 counter
# nft add rule ip6 filter forward ip6 dscp cs4 counter
# nft add rule ip filter forward ip ecn ce counter
# nft add rule ip6 filter forward ip6 ecn ce counter

* Stateless payload mangling, eg.

# nft add rule filter forward tcp dport 8080 tcp dport set 80

This rule above mangles the destination port from 8080 to 80. Beware
of interactions with conntrack, flows whose traffic is mangled must
be untracked. However, we don't support NOTRACK yet though in nft.

* Conntrack direction-based matching, eg. ct original saddr 1.2.3.4.

* Support for ICMP router advertisement and solicitation, eg.

# nft add rule ip filter input \
icmp type {router-advertisement, router-solicitation} counter accept

* Better listing support: You can perform selective listing of
objects, eg.

To display the existing declararation tables (without no content).

# nft list tables ip
table ip filter
# nft list tables ip6
table ip6 filter
# nft list tables
table ip filter
table ip6 filter

List existing chains, eg.

# nft list chains
table ip filter {
chain test1 {
}
chain test2 {
}
chain input {
type filter hook input priority 0; policy accept;
}
}

List existing set declaration, eg.

# nft list sets
table ip filter {
set libssh {
type ipv4_addr
}
}

Note the listing above shows no elements, to see the set content,
you must specify set name, eg.

# nft list set ip filter libssh
table ip filter {
set libssh {
type ipv4_addr
elements = { 163.123.166.2}
}
}

You can also list existing maps, eg.

# nft list map ip6 filter test
table ip6 filter {
map test {
type ipv6_addr : inet_service
elements = { 2001:db8::ff00:42:8329 : http}
}
}

In general, the same logic applies for every nft object, ie. generic
listing shows declarations, then if the object name is specified, the
its content is shown.

* Masquerading port range selection: Allows us to restricts the ports
that will be used in the masquerading.

# nft add rule nat postrouting ip protocol tcp masquerade to :1024-10024

* A new shell-based testsuite, to complement the existing python-based
unitary tests. Nothing fancy for users, but useful for us developers :)


Bugfixes
========

Not strictly limited to this list below, but some highlights:

* Resolve problems with prefixes in named sets, eg.

# nft add set filter blacklist { type ipv4_addr\; flags interval\; }
# nft add element filter blacklist { 192.168.1.0/24 }
# nft add element filter blacklist { 192.168.5.0/24, 192.168.7.0/24 }
# nft delete element filter blacklist { 192.168.5.0/24, 192.168.7.0/24 }

Note: this requires a couple of patches in Linux >= 4.7-rc1, I will
request submission to -stable asap.

* Resolve dynamic map evaluation problems, so this below now works:

# cat ruleset.file
table ip mangle {
map CLASS05 {
type ipv4_addr : mark
elements = { 192.168.0.10 : 0x00000001}
}

chain OUTPUT {
type route hook output priority 0; policy accept;
mark set ip saddr map @CLASS05
}
}
# nft -f ruleset.file

* Filtering based on layer 2 header selectors from the in inet family,
eg.

# nft add rule inet filter forward ether saddr 00:0f:54:0c:11:40 \
tcp dport 22 counter accept

* Fix wrong dependency handling, eg. ip protocol != tcp udp dport ssh

* Enforce ip6 proto with exthdr expression.

* Generate the correct bytecode on NAT redirection where ports are
specified, eg.

# nft add rule ip nat prerouting tcp dport 80 redirect to 1025-2048

* Printing of rule comments where misplace when listing the rule
handle, the example below shows the right output:

# nft list ruleset -a
table filter {
chain input {
...
iifname eth0 comment "test" # handle 1
}
}

* Restore matching of icmp redirect type and ct status snat and dnat.

Resources
=========

The nftables code can be obtained from:

* http://netfilter.org/projects/nftables/downloads.html
* ftp://ftp.netfilter.org/pub/nftables
* git://git.netfilter.org/nftables

To build the code, libnftnl 1.0.6 and libmnl >= 1.0.2 are required:

* http://netfilter.org/projects/libnftnl/index.html
* http://netfilter.org/projects/libmnl/index.html

Visit our wikipage for user documentation at:

* http://wiki.nftables.org

For the manpage reference, check man(8) nft.

In case of bugs and feature request, file them via:

* https://bugzilla.netfilter.org

Make sure you create no duplicates already, thanks!

Happy testing!