[ANNOUNCE] nftables 0.9.7 release
Hi!

The Netfilter project proudly presents:

nftables 0.9.7

This release contains fixes and new features available up to the Linux
kernel 5.10-rc1 release.

* Support for implicit chains, e.g.

table inet x {
    chain y {
        type filter hook input priority 0;
        tcp dport 22 jump {
            ip saddr { 127.0.0.0/8, 172.23.0.0/16, 192.168.13.0/24 } accept
            ip6 saddr ::1/128 accept;
        }
    }
}

This allows you to group rules without the need for an explicit
chain definition.

* Support for ingress inet chains:

table inet filter {
    chain ingress {
        type filter hook ingress device "veth0" priority filter; policy accept;
    }
    chain input {
        type filter hook input priority filter; policy accept;
    }
    chain forward {
        type filter hook forward priority filter; policy accept;
    }
}

The inet family supports the ingress hook since Linux kernel 5.10-rc1, so
IPv4 and IPv6 packets can be filtered at the same location as the netdev
ingress hook. This inet hook allows you to share sets and maps between the
usual prerouting, input, forward, output and postrouting hooks and this
ingress hook.

* Support for reject from prerouting chain:

table inet x {
    chain y {
        type filter hook prerouting priority 0; policy accept;

        tcp dport 22 reject with tcp reset
    }
}

* Support for --terse option in json

# nft --terse -j list ruleset

* Display set counters in json

# nft -j list set
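The per-element counters that `nft -j list set` now emits in JSON can be consumed by monitoring tooling. The following Python script is an added example, not part of this release or the nftables project: it ranks the elements of one set by packet count from constructed sample output shaped like libnftables' JSON (the table name `filter`, set name `blocked` and all counter values are assumptions).

```python
import json

# Constructed sample shaped like `nft -j list set inet filter blocked` output
# from nftables 0.9.7, which now reports per-element counters in JSON.
SAMPLE_JSON = r'''
{"nftables": [
  {"set": {"family": "inet", "table": "filter", "name": "blocked",
           "type": "ipv4_addr", "flags": ["interval"],
           "comment": "list of unwanted traffic by IP address",
           "elem": [
             {"elem": {"val": "198.51.100.7",
                       "counter": {"packets": 42, "bytes": 2520}}},
             {"elem": {"val": {"prefix": {"addr": "203.0.113.0", "len": 24}},
                       "counter": {"packets": 7, "bytes": 420}}},
             "192.0.2.9"]}}]}
'''


def format_value(val):
    """Render a set element value (bare, prefix or range) in nft syntax."""
    if isinstance(val, dict) and "prefix" in val:
        return f"{val['prefix']['addr']}/{val['prefix']['len']}"
    if isinstance(val, dict) and "range" in val:
        return "{}-{}".format(*val["range"])
    return str(val)


def set_counters(json_text, table, name):
    """Return [(element, packets, bytes)] for one set, busiest first.
    Entries are bare values or {"elem": {"val": ..., "counter": ...}} wrappers;
    those without a counter are kept at zero so unhit entries stay visible."""
    rows = []
    for obj in json.loads(json_text).get("nftables", []):
        s = obj.get("set")
        if not s or s["table"] != table or s["name"] != name:
            continue
        for entry in s.get("elem", []):
            if isinstance(entry, dict) and "elem" in entry:
                cnt = entry["elem"].get("counter", {})
                rows.append((format_value(entry["elem"]["val"]),
                             cnt.get("packets", 0), cnt.get("bytes", 0)))
            else:
                rows.append((format_value(entry), 0, 0))
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for elem, pkts, nbytes in set_counters(SAMPLE_JSON, "filter", "blocked"):
        print(f"{elem:<20} packets={pkts:<6} bytes={nbytes}")
```

On a live system, replace SAMPLE_JSON with the captured output of `nft -j list set inet filter blocked` (requires the set to carry a counter flag for counts to be non-zero).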

* Support for the reset command with json, i.e.

# nft -j reset counters

* Match on wildcard socket listeners, e.g.

table inet x {
    chain y {
        type filter hook prerouting priority -150; policy accept;
        socket transparent 1 socket wildcard 0 mark set 0x00000001
    }
}

* Get elements from maps:

# nft get element inet filter test "{ 18.51.100.17 . ad:c1:ac:c0:ce:c0 . 3761 : 0x42 }"
table inet filter {
    map test {
        type ipv4_addr . ether_addr . inet_service : mark
        flags interval,timeout
        elements = { 18.51.100.17 . ad:c1:ac:c0:ce:c0 . 3761 : 0x00000042 }
    }
}

* Allow specifying comments in sets, e.g.

table ip x {
    set s {
        type ipv4_addr;
        comment "list of unwanted traffic by IP address"
        elements = { 1.1.1.1, 1.2.3.4 }
    }
}

You can also specify comments in tables and stateful objects (such
as quota, limit and counters).

* Support for defining empty sets in variables:

define BASE_ALLOWED_INCOMING_TCP_PORTS = {22, 80, 443}
define EXTRA_ALLOWED_INCOMING_TCP_PORTS = {}

table inet x {
    chain y {
        type filter hook input priority 0; policy drop;
        ct state new tcp dport { $BASE_ALLOWED_INCOMING_TCP_PORTS, $EXTRA_ALLOWED_INCOMING_TCP_PORTS } counter accept
    }
}

* Allow using variables in the log prefix string.

define foo = "state"
define bar = "match"

table x {
    chain y {
        ct state invalid log prefix "invalid $foo $bar:"
    }
}

* Allow using variables in chain and flowtable definitions, e.g.

define if_main = lo

table netdev x {
    chain y {
        type filter hook ingress device $if_main priority -500; policy accept;
    }
}

* Allow defining negative values in variables:

define post = -10
define for = "filter - 100"

table inet global {
    chain forward {
        type filter hook prerouting priority $for
        policy accept
    }
    chain postrouting {
        type filter hook postrouting priority $post
        policy accept
    }
}

* Improved error reporting on statements:

# nft add rule x y jump test
Error: Could not process rule: No such file or directory
add rule x y jump test
^^^^

This error is displayed when the 'test' chain does not exist.

* Support for SCTP stateless NAT.

You can download this new release from:

https://www.netfilter.org/projects/nftables/downloads.html#nftables-0.9.7

To build the code, libnftnl >= 1.1.8 and libmnl >= 1.0.4 are required:

* https://netfilter.org/projects/libnftnl/index.html
* https://netfilter.org/projects/libmnl/index.html

Visit our wikipage for user documentation at:

* https://wiki.nftables.org

For the manpage reference, check man(8) nft.

In case of bugs and feature requests, file them via:

* https://bugzilla.netfilter.org

Have fun.