Mailing List Archive

[ANNOUNCE] nftables 0.8 release
Hi!

The Netfilter project proudly presents:

nftables 0.8

This release contains new features available up to the (upcoming)
Linux 4.14 kernel release:

* Support for stateful objects. These objects are uniquely identified by
a user-defined name, you can refer to them from rules, and there is a
well-established interface to operate on them, eg.

# nft add counter filter test

This creates a counter object whose name is 'test'.

# nft list counters
table ip filter {
    counter test {
        packets 0 bytes 0
    }
}

You can then refer to these objects from maps:

# nft add table filter
# nft add chain filter input { type filter hook input priority 0\; }
# nft add map filter badguys { type ipv4_addr : counter \; }
# nft add rule filter input counter name ip saddr map @badguys
# nft add counter filter badguy1
# nft add counter filter badguy2
# nft add element filter badguys { 192.168.2.3 : "badguy1" }
# nft add element filter badguys { 192.168.2.4 : "badguy2" }

Implicit map definitions are supported too:

table ip filter {
    counter http-traffic {
        packets 8 bytes 672
    }

    chain input {
        type filter hook input priority 0; policy accept;
        counter name tcp dport map { 80 : "http-traffic", 443 : "http-traffic" }
    }
}

You can atomically dump and reset these objects:

# nft reset counter ip filter badguy1
counter test {
    packets 1024 bytes 100000
}
# nft reset counter ip filter badguy1
counter test {
    packets 0 bytes 0
}

Currently, counter, quota and limit objects are supported. Note that limit
objects require Linux 4.14-rc or later.
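As an added example, not taken from the announcement, here is a constructed ruleset file that declares the stateful objects up front and references them from a map and from a rule; object names, addresses and the 25 mbytes budget are invented. Dry-run it with nft -c -f accounting.nft before loading it with nft -f accounting.nft.

```nft
# Constructed example ruleset, not from the announcement. Load with:
#   nft -c -f accounting.nft   (dry run: checks syntax and kernel support)
#   nft -f accounting.nft      (actually load)
flush ruleset

table ip filter {
    # Named stateful objects: declared once, referenced by name from rules.
    counter badguy1 {
        packets 0 bytes 0
    }
    counter badguy2 {
        packets 0 bytes 0
    }

    # A named quota. The 'used' clause (as printed in a saved listing)
    # restores the bytes already consumed, so the budget survives a reload.
    quota https-quota {
        over 25 mbytes used 3 mbytes
    }

    # Map from source address to the counter object that accounts for it.
    map badguys {
        type ipv4_addr : counter
        elements = { 192.168.2.3 : "badguy1",
                     192.168.2.4 : "badguy2" }
    }

    chain input {
        type filter hook input priority 0; policy accept;

        # Bump the counter selected by the source address, if one is mapped;
        # unmapped sources simply do not match this statement.
        counter name ip saddr map @badguys

        # Once the named quota has been exceeded, drop further HTTPS traffic.
        tcp dport https quota name "https-quota" drop
    }
}
```

After loading, nft list counters and nft reset counter ip filter badguy1 operate on the same objects by name.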

* Sort set elements when listing them, from lowest to largest, eg.

# nft add table x
# nft add set x y { type ipv4_addr\; }
# nft add element x y { 192.168.1.2, 192.168.1.1, 192.168.1.4, 192.168.1.3 }
# nft list ruleset
table ip x {
    set y {
        type ipv4_addr
        elements = { 192.168.1.1, 192.168.1.2,
                     192.168.1.3, 192.168.1.4 }
    }
}

When listing very large sets, nft takes almost the same time as
before, so the impact of this new feature on listing time is negligible.

* TCP option matching and mangling support. This includes TCP maximum
segment size mangling, eg.

# nft add rule mangle forward tcp flags syn tcp option maxseg size set rt mtu

People who own routers with ppp interfaces: you have no more excuses
to migrate to nftables, this is your replacement for the TCPMSS target ;-)

* Add new `-s' option for listings without stateful information:

# nft -s list ruleset
table ip filter {
    chain output {
        type filter hook output priority 0; policy accept;
        tcp dport https counter
        tcp dport https quota 25 mbytes
    }
}

* Add new -c/--check option for nft, to test whether your ruleset loads
fine into the kernel. This is a dry-run mode, eg.

# nft -c -f ruleset.nft

You can also use it in incremental rule update scenarios:

# nft -c add rule x y counter

* Connection tracking helper support, eg.

table ip filter {
    ct helper ftp-standard {
        type "ftp" protocol tcp
    }

    chain y {
        tcp dport ftp ct helper set "ftp-standard"
    }
}

Note for iptables users: in nftables, you have to declare explicitly
which helper you want to enable, then assign it from rules, since the
former automatic helper assignment approach is deprecated. For more
info, see: https://home.regit.org/netfilter-en/secure-use-of-helpers/
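As an added example, not from the announcement, this constructed ruleset file shows the explicit assignment described above with the helper restricted to control connections of a single FTP server; the interface eth0 and the address 192.0.2.10 are invented. Check it with nft -c -f ftp-helper.nft.

```nft
# Constructed example, not from the announcement: explicit FTP helper
# assignment limited to the control port of one FTP server.
# Check with: nft -c -f ftp-helper.nft
table ip filter {
    ct helper ftp-standard {
        type "ftp" protocol tcp
    }

    chain prerouting {
        # The helper must be attached before the connection is confirmed,
        # so use a filter hook that runs after conntrack (priority 0 > -200).
        type filter hook prerouting priority 0; policy accept;

        # Only control connections to this server get the helper, so the FTP
        # helper never parses any other flow.
        iif eth0 ip daddr 192.0.2.10 tcp dport ftp ct helper set "ftp-standard"
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Data connections the helper expected show up as 'related'.
        ct state established,related accept
        iif eth0 ip daddr 192.0.2.10 tcp dport ftp ct state new accept
    }
}
```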

* Add --echo option; combined with --handle, it prints the handle that
the kernel allocates to uniquely identify rules, eg.

# nft --echo --handle add rule ip t c tcp dport {22, 80} accept
add rule ip t c tcp dport { ssh, http } accept # handle 2

* Conntrack zone support, eg.

table raw {
    chain pre {
        type filter hook prerouting priority -300;
        iif eth3 ct zone set 23
    }
    chain out {
        type filter hook output priority -300;
        oif eth3 ct zone set 23
    }
}

* Symmetric hash support, eg.

# nft add rule ip nat prerouting ct mark set symhash mod 2

* Add support to include directories from nft native scripts; files are
loaded in alphanumerical order, eg.

include "/foo/*.nft"

Assuming the following content in that folder:

/foo
/foo/02_rules.nft
/foo/01_rules.nft

"01_rules.nft" is loaded before "02_rules.nft".

* Allow checking whether an IPv6 extension header or TCP option exists or
is missing, eg.

# nft add rule ip6 x y exthdr frag exists drop
# nft add rule inet x y tcp option window missing drop

Same for fib lookups, eg.

# nft add rule x y fib daddr oif exists accept

* Extend quota support to display the bytes consumed so far, eg.

table ip x {
    chain y {
        type filter hook forward priority 0; policy accept;
        quota over 200 mbytes used 1143 kbytes drop
    }
}

This is useful to restore quota state across reboots.

* Add ct avgpkt matching, to match on the average bytes per packet a
connection has transferred so far; this maps the existing feature of the
iptables connbytes match.

eg. match average pkt in both directions:
# nft add rule x y ct avgpkt gt 100

eg. match avgpkt in original direction:
# nft add rule x y ct original avgpkt gt 200

* Allow flushing maps and flow tables, eg.

# nft flush map filter map1
# nft flush flow table filter ft-https

* Allow embedding a defined set into another set, eg.

# nft -f ruleset.nft
define myset = {
    1.1.1.0,
    2.2.2.0,
}
add rule ip saddr { $myset, 3.3.3.0 }

And scripting like this now works too:

define dnat_ports = { 1234-1567 }
define port_allow = {
    53,          # dns
    $dnat_ports, # dnat
}

* Slightly better error reporting when loading a ruleset via nft -f, eg.

# nft -f /home/test/x
/home/test/x:4:17-70: Error: Could not process rule: No such file or directory
ip saddr { 1.1.1.1, 2.2.2.2, 3.3.3.3, 4.4.4.4 } jump x
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

In the example above, the chain 'x' that this jump refers to does not exist.
We can still do better and make it even more fine-grained...

* Don't let set elements wrap around the terminal when listing them; nft
now breaks the element list into rows, eg.

% nft list ruleset -nnn
table ip t {
    set s {
        type inet_service
        elements = { 1, 2, 3, 4, 10,
                     432, 433, 434, 435, 436,
                     437, 438, 439, 440, 441,
                     442, 443, 444, 445, 446,
                     447, 448, 449, 450, 12345 }
    }
}

The current approach is rather simple and could be improved, since the
number of elements per row is not calculated from the number of terminal
columns, but we can do that at some point.

* Allow listing the sets in a table, eg.

# nft list sets table inet filter

* Conntrack event filtering support via rule, eg.

# nft add rule x y ct event new counter

... lots of bugfixes too:

* Fix wrong bytecode generation for IPv6 that may result in mismatching
packets due to extensions placed before the transport header.
* Always print range expressions numerically. This has been a problem
with network service names, where the character '-' can be part of the
name.
* Replace getaddrinfo() with an internal inet_service lookup table: we
don't rely on /etc/services anymore, so the parser gets predictable
input.
* Do not round consumed quota bytes when listing them.
* Fix print of ip dnat address.
* Fix icmp matching in inet tables.
* Fix display of set keys with host-endian byte order.
* Fix nested set merge size adjustment, eg.

# nft add rule ip saddr { { 1.1.1.0/24, 3.3.3.0/24 }, 2.2.2.0/24 }

* Fix missing seed option in hash expression in listings.
* Generate a random seed in hash expression if seed option is empty, eg.

# nft add rule x y ct mark set jhash ip saddr mod 2

generates a random seed internally, which is not displayed. If you want
an explicit seed, you have to specify it.
* Allow matching ICMPv6 packets from IPv4; this is firewall software, so
we should allow matching even things that don't make sense.
* Fix printing of range elements in named sets in monitor mode.
* Fix printing of optional attributes 'flags', 'gc-interval' and
'timeout' in set declarations.
* Fix parsing of IPv4-Mapped IPv6 addresses.
* Fix lots of memory leaks.

... and lots of documentation updates! and regression tests!

Resources
=========

The nftables code can be obtained from:

* http://netfilter.org/projects/nftables/downloads.html
* ftp://ftp.netfilter.org/pub/nftables
* git://git.netfilter.org/nftables

To build the code, libnftnl 1.0.8 and libmnl >= 1.0.2 are required:

* http://netfilter.org/projects/libnftnl/index.html
* http://netfilter.org/projects/libmnl/index.html

Visit our wikipage for user documentation at:

* http://wiki.nftables.org

For the manpage reference, check man(8) nft.

In case of bugs and feature requests, file them via:

* https://bugzilla.netfilter.org

Make sure you don't create duplicates, thanks!

Happy firewalling!