
[ANNOUNCE] nftables 0.9.8 release
Hi!

The Netfilter project proudly presents:

nftables 0.9.8

This release contains fixes, documentation updates and new features
available up to the Linux kernel 5.11-rc1 release.

* Complete support for matching ICMP header content fields.

... icmp type { echo-reply, echo-request } icmp id 1 icmp sequence 2
... icmpv6 type packet-too-big icmpv6 mtu 1280

* Add raw tcp option match support

... tcp option @42,16,4

where you can specify @kind,offset,length

* Allow to check for the presence of any tcp option

... tcp option 42 exists

* Support for reject traffic from the ingress chain:

table netdev x {
    chain y {
        type filter hook ingress device eth0 priority 0; policy accept;

        tcp dport 22 reject with tcp reset
    }
}

* Optimized bytecode generation for prefix match

# nft --debug=netlink add rule x y ip saddr 192.168.2.0/24
ip
  [ payload load 3b @ network header + 12 => reg 1 ]
  [ cmp eq reg 1 0x0002a8c0 ]

Resulting in two instructions instead of three (bitwise is removed on
byte-boundaries).

* Support for several statements per set element. The example below
updates a set from the packet path (dynamic set), and it shows how
to ratelimit first then count packets that go through per set element.

table ip x {
    set y {
        type ipv4_addr
        size 65535
        flags dynamic,timeout
        timeout 1h
    }

    chain z {
        type filter hook output priority filter; policy accept;
        update @y { ip daddr limit rate 1/second counter }
    }
}

You can also use the multi-statement support for (non-dynamic) sets.

table ip x {
    set y {
        type ipv4_addr
        limit rate 1/second counter
        elements = { 1.1.1.1, 4.4.4.4, 5.5.5.5 }
    }

    chain y {
        type filter hook output priority filter; policy accept;
        ip daddr @y
    }
}

In this case, you can add new elements from the control plane:

# nft add element x y { 6.6.6.6 }

which run the specified rate limit and counter statements.

This requires a Linux kernel >= 5.11-rc1.

* editline support for nft -i (CLI); you can enable it at compile time:

./configure --with-cli=editline

You can download this new release from:

https://www.netfilter.org/projects/nftables/downloads.html#nftables-0.9.8

To build the code, libnftnl >= 1.1.9 and libmnl >= 1.0.4 are required:

* https://netfilter.org/projects/libnftnl/index.html
* https://netfilter.org/projects/libmnl/index.html

Visit our wikipage for user documentation at:

* https://wiki.nftables.org

For the manpage reference, check man(8) nft.

In case of bugs and feature requests, file them via:

* https://bugzilla.netfilter.org

Happy firewalling.
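The raw TCP option match and the `exists` check announced above are easiest to reason about once you can see which bytes they select. The following is an added worked example, not code from the nftables project or from the announcement: a small TCP option walker that evaluates `tcp option <kind> exists` and `tcp option @kind,offset,length` in software over a constructed option area. It assumes that offset and length are bit counts measured from the option's kind byte (the same origin nft uses for named fields such as `tcp option maxseg size`, and the same units as nft's raw payload expression), that the first option with the requested kind is the one examined, and that an option too short for the requested window simply does not match; check nft(8) for your version before relying on those units. Malformed options abort the walk here, which is this example's choice and not a copy of the kernel's own walker in nft_exthdr.c.

```python
# Added example: software model of `tcp option 42 exists` and
# `tcp option @42,16,4`. Not nftables project code.
#
# Assumptions (labelled; verify against nft(8) for your version):
#  - offset/length in @kind,offset,length are bit counts from the kind byte
#  - the first option with a matching kind is examined
#  - an option too short for offset+length bits does not match
#  - malformed lengths abort the walk (the kernel walker may differ)
from typing import Iterator, Optional, Tuple

TCPOPT_EOL = 0
TCPOPT_NOP = 1


def iter_tcp_options(opts: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (kind, raw_option) pairs; raw_option starts at the kind byte.

    EOL ends the list, NOP is one byte without a length field, every other
    option carries a length byte that covers kind + length + data (RFC 793).
    """
    i, n = 0, len(opts)
    while i < n:
        kind = opts[i]
        if kind == TCPOPT_EOL:
            return
        if kind == TCPOPT_NOP:
            yield kind, opts[i:i + 1]
            i += 1
            continue
        if i + 1 >= n:
            raise ValueError(f"option kind {kind} truncated before length byte")
        length = opts[i + 1]
        if length < 2 or i + length > n:
            raise ValueError(f"option kind {kind} has bad length {length}")
        yield kind, opts[i:i + length]
        i += length


def tcp_option_exists(opts: bytes, kind: int) -> bool:
    """Software equivalent of `tcp option <kind> exists`."""
    return any(k == kind for k, _ in iter_tcp_options(opts))


def tcp_option_raw(opts: bytes, kind: int, offset_bits: int,
                   length_bits: int) -> Optional[int]:
    """Software equivalent of `tcp option @kind,offset,length`.

    Returns the integer value of the selected bits of the first option with
    that kind, or None when the rule would not match (option absent, or too
    short to hold the requested window).
    """
    if length_bits <= 0:
        raise ValueError("length must be positive")
    for k, raw in iter_tcp_options(opts):
        if k != kind:
            continue
        end_bit = offset_bits + length_bits
        if end_bit > len(raw) * 8:
            return None
        value = int.from_bytes(raw, "big")
        shift = len(raw) * 8 - end_bit
        return (value >> shift) & ((1 << length_bits) - 1)
    return None


def nft_raw_match(kind: int, offset_bits: int, length_bits: int,
                  value: int) -> str:
    """Render the equivalent nft rule fragment, e.g. for a log line."""
    return f"tcp option @{kind},{offset_bits},{length_bits} == {value}"


# Constructed sample option area (not a real capture): MSS 1460, two NOPs,
# SACK-permitted, a timestamp option, an unassigned kind-42 option carrying
# two data bytes, then EOL.
SAMPLE_OPTS = (
    b"\x02\x04\x05\xb4"                           # maxseg, size 1460
    b"\x01\x01"                                   # nop, nop
    b"\x04\x02"                                   # sack-permitted
    b"\x08\x0a\x00\x00\x00\x01\x00\x00\x00\x00"   # timestamp tsval=1 tsecr=0
    b"\x2a\x04\xa5\x3c"                           # kind 42, len 4, data a5 3c
    b"\x00"                                       # eol
)

if __name__ == "__main__":
    print("tcp option 42 exists ->", tcp_option_exists(SAMPLE_OPTS, 42))
    # @2,16,16 should select the same field as `tcp option maxseg size`
    print("tcp option @2,16,16 ->", tcp_option_raw(SAMPLE_OPTS, 2, 16, 16))
    v = tcp_option_raw(SAMPLE_OPTS, 42, 16, 4)
    print(nft_raw_match(42, 16, 4, v))
```

Run it as-is to see the kind-42 option's first data nibble (0xa) selected by `@42,16,4`; widening the window to 24 bits (`@42,16,24`) runs past the 4-byte option and yields no match rather than reading into the next option, which is the behaviour you want from a header-bounded match.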