[ANNOUNCE] nftables 0.9.5 release
Hi!

The Netfilter project proudly presents:

nftables 0.9.5

This release contains fixes and new features available up to the Linux
kernel 5.7 release.

* Support for set counters:

table ip x {
	set y {
		typeof ip saddr
		counter
		elements = { 192.168.10.35, 192.168.10.101, 192.168.10.135 }
	}

	chain z {
		type filter hook output priority filter; policy accept;
		ip daddr @y
	}
}

The counter statement in the set `y' definition turns on counters.

* Support for restoring set element counters via nft -f.

# cat ruleset.nft
table ip x {
	set y {
		typeof ip saddr
		counter
		elements = { 192.168.10.35 counter packets 1 bytes 84, 192.168.10.101 counter p
			     192.168.10.135 counter packets 0 bytes 0 }
	}

	chain z {
		type filter hook output priority filter; policy accept;
		ip daddr @y
	}
}
# nft -f ruleset.nft
# nft list ruleset
table ip x {
	set y {
		typeof ip saddr
		counter
		elements = { 192.168.10.35 counter packets 1 bytes 84, 192.168.10.101 counter p
			     192.168.10.135 counter packets 0 bytes 0 }
	}

	chain z {
		type filter hook output priority filter; policy accept;
		ip daddr @y
	}
}

* Counters support for flowtables:

table ip foo {
	flowtable bar {
		hook ingress priority -100
		devices = { eth0, eth1 }
		counter
	}

	chain forward {
		type filter hook forward priority filter;
		flow add @bar counter
	}
}

You can list the counters via `conntrack -L':

tcp 6 src=192.168.10.2 dst=10.0.1.2 sport=47278 dport=5201 packets=9 bytes=608 src=10.0.1.2 dst=10.0.1.1 sport=5201 dport=47278 packets=8 bytes=428 [OFFLOAD] mark=0 secctx=null use=2
tcp 6 src=192.168.10.2 dst=10.0.1.2 sport=47280 dport=5201 packets=1005763 bytes=44075714753 src=10.0.1.2 dst=10.0.1.1 sport=5201 dport=47280 packets=967505 bytes=50310268 [OFFLOAD] mark=0 secctx=null use=2

The [OFFLOAD] status bit specifies that this flow is exercising the
flowtable fast datapath.

* typeof concatenations support for sets. You can use typeof to specify the
datatype of the selector in sets, e.g.

table ip foo {
	set whitelist {
		typeof ip saddr . tcp dport
		elements = { 192.168.10.35 . 80, 192.168.10.101 . 80 }
	}

	chain bar {
		type filter hook prerouting priority filter; policy drop;
		ip daddr . tcp dport @whitelist accept
	}
}

You can also use typeof concatenations in maps:

table ip foo {
	map addr2mark {
		typeof ip saddr . tcp dport : meta mark
		elements = { 192.168.10.35 . 80 : 0x00000001,
			     192.168.10.135 . 80 : 0x00000002 }
	}

	chain bar {
		type filter hook prerouting priority filter; policy drop;
		meta mark set ip daddr . tcp dport map @addr2mark accept
	}
}

* Support for concatenated ranges in anonymous sets.

# nft add rule inet filter input ip daddr . tcp dport \
{ 10.0.0.0/8 . 10-23, 192.168.1.1-192.168.3.8 . 80-443 } accept

* Allow rejecting 802.1q packets from the bridge family.

# nft add rule bridge foo bar ether type vlan reject with tcp reset

* Support for matching on the conntrack ID

You can fetch the conntrack ID via `--output id':

# conntrack -L --output id
udp 17 18 src=192.168.2.118 dst=192.168.2.1 sport=36424 dport=53 packets=2 bytes=122 src=192.168.2.1 dst=192.168.2.118 sport=53 dport=36424 packets=2 bytes=320 [ASSURED] mark=0 use=1 id=2779986232

Then, a very simple single rule updates counters for packets
matching this conntrack ID:

# nft add rule foo bar ct id 2779986232 counter

You can combine this new selector with the existing set and map features
to build more advanced rules.
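As an added example (not part of this announcement), a small Python parser for the `conntrack -L' output shown above: it splits each flow into its original and reply direction counters, picks out status bits such as [OFFLOAD], and reads the id= field so that the `ct id ... counter' rule from this section can be generated per flow. The table and chain names foo/bar are placeholders taken from the example command above.

```python
import re

# One flow per line: protocol name, protocol number, optional timeout, then
# key=value tuples for the original and reply directions, plus [STATUS] bits.
FLAG_RE = re.compile(r"\[([A-Z_]+)\]")
KV_RE = re.compile(r"(\w+)=(\S+)")
TUPLE_KEYS = {"src", "dst", "sport", "dport", "packets", "bytes"}

# Sample input: the conntrack -L lines quoted in this announcement.
SAMPLE = """\
tcp 6 src=192.168.10.2 dst=10.0.1.2 sport=47278 dport=5201 packets=9 bytes=608 src=10.0.1.2 dst=10.0.1.1 sport=5201 dport=47278 packets=8 bytes=428 [OFFLOAD] mark=0 secctx=null use=2
tcp 6 src=192.168.10.2 dst=10.0.1.2 sport=47280 dport=5201 packets=1005763 bytes=44075714753 src=10.0.1.2 dst=10.0.1.1 sport=5201 dport=47280 packets=967505 bytes=50310268 [OFFLOAD] mark=0 secctx=null use=2
udp 17 18 src=192.168.2.118 dst=192.168.2.1 sport=36424 dport=53 packets=2 bytes=122 src=192.168.2.1 dst=192.168.2.118 sport=53 dport=36424 packets=2 bytes=320 [ASSURED] mark=0 use=1 id=2779986232
"""

def _num(value):
    return int(value) if value.isdigit() else value

def parse_conntrack_line(line):
    """Parse one conntrack -L line into proto, flags, orig/reply tuples and meta fields."""
    tokens = line.split()
    flow = {"proto": tokens[0], "flags": set(FLAG_RE.findall(line)),
            "orig": {}, "reply": {}, "meta": {}}
    direction = None
    for tok in tokens[1:]:
        m = KV_RE.fullmatch(tok)
        if not m:
            continue  # protocol number, timeout and [FLAG] tokens
        key, value = m.groups()
        if key == "src":  # the second src= opens the reply-direction tuple
            direction = flow["orig"] if direction is None else flow["reply"]
        if key in TUPLE_KEYS and direction is not None:
            direction[key] = _num(value)
        else:
            flow["meta"][key] = _num(value)  # mark, secctx, use, id, ...
    return flow

def offloaded_flows(lines):
    """Flows with the [OFFLOAD] bit, i.e. taking the flowtable fast datapath."""
    flows = [parse_conntrack_line(l) for l in lines if l.strip()]
    return [f for f in flows if "OFFLOAD" in f["flags"]]

def ct_id_counter_rule(flow, table="foo", chain="bar"):
    """Build the `nft add rule ... ct id <id> counter' command for a listed flow."""
    ct_id = flow["meta"].get("id")
    if ct_id is None:
        raise ValueError("no id= field: list flows with conntrack -L --output id")
    return f"nft add rule {table} {chain} ct id {ct_id} counter"
```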

You can download this new release from:

http://www.netfilter.org/projects/nftables/downloads.html#nftables-0.9.5
ftp://ftp.netfilter.org/pub/nftables/

To build the code, libnftnl 1.1.7 and libmnl >= 1.0.4 are required:

* http://netfilter.org/projects/libnftnl/index.html
* http://netfilter.org/projects/libmnl/index.html

Visit our wikipage for user documentation at:

* http://wiki.nftables.org

For the manpage reference, check man(8) nft.

In case of bugs and feature requests, file them via:

* https://bugzilla.netfilter.org

Have fun.