Hi!
The Netfilter project proudly presents:
nftables 1.0.0
This release contains fixes, documentation updates and new features
available up to the Linux kernel 5.13 release, more specifically:
* Catch-all set element support: This allows users to define the
special wildcard set element for anything else not defined in
the set.
table x {
map blocklist {
type ipv4_addr : verdict
flags interval
elements = { 192.168.0.0/16 : accept, 10.0.0.0/8 : accept, * : drop }
}
chain y {
type filter hook prerouting priority 0; policy accept;
ip saddr vmap @blocklist
}
}
[. this feature is actually supported since 0.9.9, but it was not
included in the previous release announcement. ]
* Define variables from the command line through --define:
# cat test.nft
table netdev x {
chain y {
type filter hook ingress devices = $dev priority 0; policy drop;
}
}
# nft --define dev="{ eth0, eth1 }" -f test.nft
* Allow to use stateful expressions in maps:
table inet filter {
map portmap {
type inet_service : verdict
counter
elements = { 22 counter packets 0 bytes 0 : jump ssh_input, * counter packets 0 bytes 0 : drop }
}
chain ssh_input {
}
chain wan_input {
tcp dport vmap @portmap
}
chain prerouting {
type filter hook prerouting priority raw; policy accept;
iif vmap { "lo" : jump wan_input }
}
}
* Add command to list the netfilter hooks pipeline for a given packet
family. If device is specified, then ingress path is also included.
# nft list hooks ip device eth0
family ip {
hook ingress {
+0000000010 chain netdev x y [nf_tables]
+0000000300 chain inet m w [nf_tables]
}
hook input {
-0000000100 chain ip a b [nf_tables]
+0000000300 chain inet m z [nf_tables]
}
hook forward {
-0000000225 selinux_ipv4_forward
0000000000 chain ip a c [nf_tables]
}
hook output {
-0000000225 selinux_ipv4_output
}
hook postrouting {
+0000000225 selinux_ipv4_postroute
}
}
* Allow to combine jhash, symhash and numgen expressions with the
queue statement, to fan out packets to userspace queues via
nfnetlink_queue.
... queue to symhash mod 65536
... queue flags bypass to numgen inc mod 65536
... queue to jhash oif . meta mark mod 32
You can also combine it with maps, to select the userspace queue
based on any other singleton key or concatenations:
... queue flags bypass to oifname map { "eth0" : 0, "ppp0" : 2, "eth1" : 2 }
* Expand variable containing set into multiple mappings
define interfaces = { eth0, eth1 }
table ip x {
chain y {
type filter hook input priority 0; policy accept;
iifname vmap { lo : accept, $interfaces : drop }
}
}
# nft -f x.nft
# nft list ruleset
table ip x {
chain y {
type filter hook input priority 0; policy accept;
iifname vmap { "lo" : accept, "eth0" : drop, "eth1" : drop }
}
}
* Allow to combine verdict maps with interval concatenations
# nft add rule x y tcp dport . ip saddr vmap { 1025-65535 . 192.168.10.2 : accept }
* Simplify syntax for NAT mappings. You can specify an IP range:
... snat to ip saddr map { 10.141.11.4 : 192.168.2.2-192.168.2.4 }
Or a specific IP and port.
... dnat to ip saddr map { 10.141.11.4 : 192.168.2.3 . 80 }
Or a combination of range of IP addresses and ports.
... dnat to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.2-10.141.10.5 . 8888-8999 }
And bugfixes.
You can download this new release from:
https://www.netfilter.org/projects/nftables/downloads.html#nftables-0.9.9
To build the code, libnftnl >= 1.2.0 and libmnl >= 1.0.4 are required:
* https://netfilter.org/projects/libnftnl/index.html
* https://netfilter.org/projects/libmnl/index.html
Visit our wikipage for user documentation at:
* https://wiki.nftables.org
For the manpage reference, check man(8) nft.
In case of bugs and feature request, file them via:
* https://bugzilla.netfilter.org
Happy firewalling.
The Netfilter project proudly presents:
nftables 1.0.0
This release contains fixes, documentation updates and new features
available up to the Linux kernel 5.13 release, more specifically:
* Catch-all set element support: This allows users to define the
special wildcard set element for anything else not defined in
the set.
table x {
map blocklist {
type ipv4_addr : verdict
flags interval
elements = { 192.168.0.0/16 : accept, 10.0.0.0/8 : accept, * : drop }
}
chain y {
type filter hook prerouting priority 0; policy accept;
ip saddr vmap @blocklist
}
}
[. this feature is actually supported since 0.9.9, but it was not
included in the previous release announcement. ]
* Define variables from the command line through --define:
# cat test.nft
table netdev x {
chain y {
type filter hook ingress devices = $dev priority 0; policy drop;
}
}
# nft --define dev="{ eth0, eth1 }" -f test.nft
* Allow to use stateful expressions in maps:
table inet filter {
map portmap {
type inet_service : verdict
counter
elements = { 22 counter packets 0 bytes 0 : jump ssh_input, * counter packets 0 bytes 0 : drop }
}
chain ssh_input {
}
chain wan_input {
tcp dport vmap @portmap
}
chain prerouting {
type filter hook prerouting priority raw; policy accept;
iif vmap { "lo" : jump wan_input }
}
}
* Add command to list the netfilter hooks pipeline for a given packet
family. If device is specified, then ingress path is also included.
# nft list hooks ip device eth0
family ip {
hook ingress {
+0000000010 chain netdev x y [nf_tables]
+0000000300 chain inet m w [nf_tables]
}
hook input {
-0000000100 chain ip a b [nf_tables]
+0000000300 chain inet m z [nf_tables]
}
hook forward {
-0000000225 selinux_ipv4_forward
0000000000 chain ip a c [nf_tables]
}
hook output {
-0000000225 selinux_ipv4_output
}
hook postrouting {
+0000000225 selinux_ipv4_postroute
}
}
* Allow to combine jhash, symhash and numgen expressions with the
queue statement, to fan out packets to userspace queues via
nfnetlink_queue.
... queue to symhash mod 65536
... queue flags bypass to numgen inc mod 65536
... queue to jhash oif . meta mark mod 32
You can also combine it with maps, to select the userspace queue
based on any other singleton key or concatenations:
... queue flags bypass to oifname map { "eth0" : 0, "ppp0" : 2, "eth1" : 2 }
* Expand variable containing set into multiple mappings
define interfaces = { eth0, eth1 }
table ip x {
chain y {
type filter hook input priority 0; policy accept;
iifname vmap { lo : accept, $interfaces : drop }
}
}
# nft -f x.nft
# nft list ruleset
table ip x {
chain y {
type filter hook input priority 0; policy accept;
iifname vmap { "lo" : accept, "eth0" : drop, "eth1" : drop }
}
}
* Allow to combine verdict maps with interval concatenations
# nft add rule x y tcp dport . ip saddr vmap { 1025-65535 . 192.168.10.2 : accept }
* Simplify syntax for NAT mappings. You can specify an IP range:
... snat to ip saddr map { 10.141.11.4 : 192.168.2.2-192.168.2.4 }
Or a specific IP and port.
... dnat to ip saddr map { 10.141.11.4 : 192.168.2.3 . 80 }
Or a combination of range of IP addresses and ports.
... dnat to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.2-10.141.10.5 . 8888-8999 }
And bugfixes.
You can download this new release from:
https://www.netfilter.org/projects/nftables/downloads.html#nftables-0.9.9
To build the code, libnftnl >= 1.2.0 and libmnl >= 1.0.4 are required:
* https://netfilter.org/projects/libnftnl/index.html
* https://netfilter.org/projects/libmnl/index.html
Visit our wikipage for user documentation at:
* https://wiki.nftables.org
For the manpage reference, check man(8) nft.
In case of bugs and feature request, file them via:
* https://bugzilla.netfilter.org
Happy firewalling.
Attached Files:
-
changes-nftables-1.0.0.txt (5.70 KB)