
[ANNOUNCE] nftables 0.9.9 release
Hi!

The Netfilter project proudly presents:

nftables 0.9.9

This release contains fixes, documentation updates and new features
available up to the Linux kernel 5.13-rc1 release. Highlights:

* Flowtable hardware offload support [1]: add a new 'offload' flag that
turns on the flowtable hardware fastpath.

table ip global {
        flowtable f {
                hook ingress priority filter + 1
                devices = { lan3, lan0, wan }
                flags offload
        }

        chain forward {
                type filter hook forward priority filter; policy accept;
                ip protocol { tcp, udp } flow add @f
        }

        chain post {
                type nat hook postrouting priority filter; policy accept;
                oifname "wan" masquerade
        }
}

[1] https://www.kernel.org/doc/html/latest/networking/nf_flowtable.html

* Support for the table owner flag. This new flag allows a process to
own a table exclusively. The owner process name is shown as a
comment. The table is removed either explicitly by the owner process
or when the owner process terminates.

table ip x { # progname nft
        flags owner

        chain y {
                type filter hook input priority filter; policy accept;
                counter packets 1 bytes 309
        }
}

The example above shows a ruleset that is owned by nft, which is
running in interactive mode, i.e. nft -i.

* 802.1ad (QinQ) support:

- Check that the outer ethertype is 8021ad and the outer vlan id is 321
... ether type 8021ad vlan id 342

- Check that the outer ethertype is 8021ad with vlan id 1 and the inner
ethertype is 8021q with vlan id 2, and finally that this QinQ frame
encapsulates an IP packet.

... ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip counter

* cgroupsv2 support.

- Check that the socket's cgroupv2 ancestor at level 1 is "system.slice"
... socket cgroupv2 level 1 "system.slice"

* Match on SCTP packet chunks (available since the upcoming Linux 5.14 kernel release)

- match if chunk type 'data' exists
... sctp chunk data exists
- match on chunk type 'data' field 'type'
... sctp chunk data type 0

* 2x speed-up of the time to load a ruleset (via -f).
* Speed-up of the time to print the ruleset listing.

* Shortcut to check for set/unset bits in flags.

- Check that snat and dnat ct status bits are unset.
... ct status ! snat,dnat

- Check that the syn bit is set in the syn,ack bitmask
... tcp flags syn / syn,ack

- Check that the masked value of the syn,ack,fin,rst bitmask is not fin,rst
... tcp flags != fin,rst / syn,ack,fin,rst
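
The shortcuts above compile to a bitwise test: 'value / mask' means (field & mask) == value (negated with !=), and '! list' means (field & list) == 0. The following added Python model (not nft code and not part of the nftables project) evaluates the three announced rules against constructed TCP flag bytes and ct status words, so the distinction between a bare SYN and a SYN/ACK, or a plain and a NATed flow, can be checked directly.

```python
# Added example: a Python model of the nftables 'value / mask' and '! list' flag
# shortcuts. Flag tables are constructed here from the TCP header layout and the
# conntrack IPS_* bit positions; the sample values are constructed, not captured.

TCP_FLAGS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08,
             "ack": 0x10, "urg": 0x20, "ece": 0x40, "cwr": 0x80}
CT_STATUS = {"expected": 1 << 0, "seen-reply": 1 << 1, "assured": 1 << 2,
             "confirmed": 1 << 3, "snat": 1 << 4, "dnat": 1 << 5}


def bits(table, names):
    """Turn a comma-separated flag list such as 'syn,ack' into a bitmask."""
    mask = 0
    for name in names.split(","):
        mask |= table[name.strip()]
    return mask


def masked_match(field, table, value, mask, negate=False):
    """'<field> <value> / <mask>' is (field & mask) == value; '!=' negates it."""
    hit = (field & bits(table, mask)) == bits(table, value)
    return not hit if negate else hit


def none_set(field, table, names):
    """'<field> ! <names>' is (field & names) == 0: every listed bit is clear."""
    return (field & bits(table, names)) == 0


def classify_tcp(flags):
    """Apply the two 'tcp flags' rules from the announcement to one flags byte."""
    return {
        # tcp flags syn / syn,ack: SYN set and ACK clear, the first handshake packet
        "syn_only": masked_match(flags, TCP_FLAGS, "syn", "syn,ack"),
        # tcp flags != fin,rst / syn,ack,fin,rst: masked value is anything but FIN+RST
        "not_fin_rst": masked_match(flags, TCP_FLAGS, "fin,rst",
                                    "syn,ack,fin,rst", negate=True),
    }


if __name__ == "__main__":
    # Constructed sample flag bytes, not captured traffic.
    samples = {"SYN": 0x02, "SYN/ACK": 0x12, "ACK": 0x10, "FIN/ACK": 0x11, "FIN/RST": 0x05}
    for name, flags in samples.items():
        print(f"{name:8s} {classify_tcp(flags)}")
    # ct status ! snat,dnat: a plain forwarded flow matches, a NATed one does not.
    plain = CT_STATUS["seen-reply"] | CT_STATUS["assured"] | CT_STATUS["confirmed"]
    print("plain flow :", none_set(plain, CT_STATUS, "snat,dnat"))
    print("masqueraded:", none_set(plain | CT_STATUS["snat"], CT_STATUS, "snat,dnat"))
```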

* Allow the use of verdict in set/map typeof definitions

add map x m { typeof iifname . ip protocol . th dport : verdict ;}

You can download this new release from:

https://www.netfilter.org/projects/nftables/downloads.html#nftables-0.9.9

To build the code, libnftnl >= 1.2.0 and libmnl >= 1.0.4 are required:

* https://netfilter.org/projects/libnftnl/index.html
* https://netfilter.org/projects/libmnl/index.html

Visit our wikipage for user documentation at:

* https://wiki.nftables.org

For the manpage reference, see nft(8).

In case of bugs and feature requests, file them via:

* https://bugzilla.netfilter.org

Happy firewalling.