
[ANNOUNCE] nftables 1.0.1 release
Hi!

The Netfilter project proudly presents:

nftables 1.0.1

This release contains new features available up to the Linux kernel
5.16-rc1 release:

* Reduce memory footprint when loading large sets/maps.
* Speed up reload of large sets/maps.
* Speed up listing of specific tables in a large ruleset, e.g. a ruleset
with ~100k lines.

# nft list ruleset &> /dev/null
real 0m3,049s
user 0m2,080s
sys 0m0,968s

- Listing per table is now faster:

# nft list table nat &> /dev/null
real 0m1,969s
user 0m1,412s
sys 0m0,556s

# nft list table filter &> /dev/null
real 0m0,697s
user 0m0,478s
sys 0m0,220s

Same speed up applies to listing specific chains/sets/maps.

* Speed up --terse option when listing a ruleset with large sets/maps.
* Print raw payload expression in hexadecimal, e.g. @ll,0,8 & 0x80 == 0x80

* egress hook support (available since 5.16-rc1).

table netdev filter {
        chain egress {
                type filter hook egress devices = { eth0, eth1 } priority 0;
                meta priority set ip saddr map { 192.168.10.2 : abcd:2, 192.168.10.3 : abcd:3 }
        }
}

* Allow matching and updating bytes at an inner header/payload offset
(available since 5.16-rc1).

# nft add rule x y @ih,32,32 0x14000000 counter
# nft add rule x y @ih,32,32 set 0x14000000 counter
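To show how the raw payload selectors used above (@ll,0,8 & 0x80 == 0x80 and @ih,32,32 0x14000000) pick bits out of a packet, here is an added Python model of the selector semantics; it is not nftables code and is not part of this announcement. It assumes the ih base starts right after the transport header of an Ethernet/IPv4 frame, and the frame it inspects is constructed for the demo.

```python
import struct

# Constructed Ethernet/IPv4/UDP frame (not a capture): broadcast dst MAC,
# UDP to port 5000, 8-byte payload with 0x14000000 at payload offset 4.
ETH = bytes.fromhex("ffffffffffff" "020000000001" "0800")
IP4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 36, 0, 0, 64, 17, 0,
                  bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
UDP = struct.pack("!HHHH", 12345, 5000, 16, 0)
PAYLOAD = bytes.fromhex("00000000" "14000000")
FRAME = ETH + IP4 + UDP + PAYLOAD


def header_bases(frame):
    """Byte offsets of the ll/nh/th/ih bases for an Ethernet/IPv4 frame.
    Assumption: ih (inner header) begins right after the UDP/TCP header."""
    nh = 14                              # Ethernet header is 14 bytes
    th = nh + (frame[nh] & 0x0F) * 4     # IHL is in 32-bit words
    proto = frame[nh + 9]
    if proto == 17:                      # UDP: fixed 8-byte header
        ih = th + 8
    elif proto == 6:                     # TCP: data offset, upper nibble of byte 12
        ih = th + (frame[th + 12] >> 4) * 4
    else:
        raise ValueError("unsupported transport protocol %d" % proto)
    return {"ll": 0, "nh": nh, "th": th, "ih": ih}


def raw_payload(frame, expr):
    """Evaluate a selector such as '@ih,32,32' to an integer.
    Offset and length are in bits; the value is read big-endian, as nft does."""
    base, offset, length = expr.lstrip("@").split(",")
    offset, length = int(offset), int(length)
    start = header_bases(frame)[base] + offset // 8
    nbytes = (offset % 8 + length + 7) // 8
    chunk = frame[start:start + nbytes]
    if len(chunk) < nbytes:
        raise ValueError("selector runs past the end of the frame")
    shift = nbytes * 8 - (offset % 8) - length
    return (int.from_bytes(chunk, "big") >> shift) & ((1 << length) - 1)


def matches(frame, expr, value, mask=None):
    """Model 'expr & mask == value', or plain 'expr == value' when mask is None."""
    got = raw_payload(frame, expr)
    if mask is not None:
        got &= mask
    return got == value


if __name__ == "__main__":
    print(matches(FRAME, "@ll,0,8", 0x80, mask=0x80))   # True: high bit of dst MAC octet 0
    print(matches(FRAME, "@ih,32,32", 0x14000000))      # True: payload bytes 4..7
    print(hex(raw_payload(FRAME, "@nh,72,8")))          # 0x11: IPv4 protocol field (UDP)
```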

... and fixes:

- Fix split declaration of set across different files using the
nested notation.
- Fix crash in python support with two instances of nftables handler.
- Fix incorrect range to prefix conversion.
- Fix -T/--numeric-time.
- Fix incorrect meta protocol dependency removal in the bridge, netdev and
inet families.
- Unbreak support for older kernels (tested with Linux kernel 4.9.x).
- Optimize prefix match only for matching on big-endian.
- Restore use of variables with queue statement, e.g. queue num $myq bypass
- Honor insert command and rule position handle in monitor mode.
- Disallow setuid on the nft executable.
- Fix bogus error in dynamic NAT map, e.g.

# nft add rule nat x y meta l4proto { tcp, udp } dnat ip to ip daddr . th dport map @fwdtoip_th

- Fix combination of map, concatenation with intervals and stateful
expressions, e.g.

table ip filter {
        map forwport {
                type ipv4_addr . inet_proto . inet_service : verdict
                flags interval
                counter
                elements = { 10.133.89.138 . tcp . 8081 counter packets 0 bytes 0 : accept }
        }

        chain FORWARD {
                type filter hook forward priority filter; policy drop;
                iifname "enp0s8" ip daddr . ip protocol . th dport vmap @forwport counter
        }
}

- Fix incorrect vlan offset when matching and updating tag, e.g.

# nft add rule bridge filter forward vlan id 100 vlan id set 200

- Fix use of constant in dynamic set, e.g.

table inet t {
        set s {
                type ipv4_addr . inet_service
                size 65536
                flags dynamic,timeout
                elements = { 192.168.7.1 . 22 }
        }

        chain c {
                type filter hook input priority 0;
                tcp dport 21 add @s { ip saddr . 22 timeout 1m }
        }
}

... and incremental documentation updates.

The autotools build system now defaults to libedit/editline for the
nft --interactive shell.

You can download this new release from:

https://www.netfilter.org/projects/nftables/downloads.html
https://www.netfilter.org/pub/nftables/

To build the code, libnftnl >= 1.2.1 and libmnl >= 1.0.4 are required:

* https://netfilter.org/projects/libnftnl/index.html
* https://netfilter.org/projects/libmnl/index.html

Visit our wikipage for user documentation at:

* https://wiki.nftables.org

For the manpage reference, check man(8) nft.

In case of bugs and feature requests, file them via:

* https://bugzilla.netfilter.org

Happy firewalling.