
[ANNOUNCE] nftables 1.0.6 release
Hi!

The Netfilter project proudly presents:

nftables 1.0.6

This release contains enhancements and fixes:

- Fixes for -o/--optimize: run nft with this option to automagically
compact your ruleset using sets, maps and concatenations.

eg.

# cat ruleset.nft
table ip x {
        chain y {
                type filter hook input priority filter; policy drop;
                meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept
                meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.4 accept
                meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.3.0/24 accept
                meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.4.0-2.2.4.10 accept
                meta iifname eth2 ip saddr 1.1.1.3 ip daddr 2.2.2.5 accept
        }
}
# nft -o -c -f ruleset.nft
Merging:
ruleset.nft:4:17-74: meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept
ruleset.nft:5:17-74: meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.4 accept
ruleset.nft:6:17-77: meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.3.0/24 accept
ruleset.nft:7:17-83: meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.4.0-2.2.4.10 accept
ruleset.nft:8:17-74: meta iifname eth2 ip saddr 1.1.1.3 ip daddr 2.2.2.5 accept
into:
iifname . ip saddr . ip daddr { eth1 . 1.1.1.1 . 2.2.2.3, eth1 . 1.1.1.2 . 2.2.2.4, eth1 . 1.1.1.2 . 2.2.3.0/24, eth1 . 1.1.1.2 . 2.2.4.0-2.2.4.10, eth2 . 1.1.1.3 . 2.2.2.5 } accept

+ The optimizer also compacts rulesets that already use simple sets,
turning them into sets with concatenations, eg.

# cat ruleset.nft
table ip filter {
        chain input {
                type filter hook input priority filter; policy drop;
                iifname "lo" accept
                ct state established,related accept comment "In traffic we originate, we trust"
                iifname "enp0s31f6" ip saddr { 209.115.181.102, 216.197.228.230 } ip daddr 10.0.0.149 udp sport 123 udp dport 32768-65535 accept
                iifname "enp0s31f6" ip saddr { 64.59.144.17, 64.59.150.133 } ip daddr 10.0.0.149 udp sport 53 udp dport 32768-65535 accept
        }
}
# nft -o -c -f ruleset.nft
Merging:
ruleset.nft:6:22-149: iifname "enp0s31f6" ip saddr { 209.115.181.102, 216.197.228.230 } ip daddr 10.0.0.149 udp sport 123 udp dport 32768-65535 accept
ruleset.nft:7:22-143: iifname "enp0s31f6" ip saddr { 64.59.144.17, 64.59.150.133 } ip daddr 10.0.0.149 udp sport 53 udp dport 32768-65535 accept
into:
iifname . ip saddr . ip daddr . udp sport . udp dport { enp0s31f6 . 209.115.181.102 . 10.0.0.149 . 123 . 32768-65535, enp0s31f6 . 216.197.228.230 . 10.0.0.149 . 123 . 32768-65535, enp0s31f6 . 64.59.144.17 . 10.0.0.149 . 53 . 32768-65535, enp0s31f6 . 64.59.150.133 . 10.0.0.149 . 53 . 32768-65535 } accept
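A toy model of the merging shown in the two examples above, added here as an illustration and not part of this announcement or of nft's own optimizer. It only merges consecutive rules with the same selectors and the same verdict, so a rule with a different verdict in between keeps its position and the chain's first-match semantics are preserved; rules using anything it does not model (ct state, comments, counters) are left untouched. The selector names it knows are assumed from the examples above.

```python
import itertools
import re

# Toy model of `nft -o`: consecutive rules with the same selectors and verdict are
# merged into one rule over a concatenated set. Added illustration, not nft's code.
VERDICTS = {"accept", "drop"}
SELECTOR = re.compile(r"\s*(?:meta\s+)?(iifname|oifname|ip saddr|ip daddr|udp sport"
                      r'|udp dport|tcp sport|tcp dport)\s+(\{[^}]*\}|"[^"]*"|\S+)')

def parse_rule(rule):
    """Return (selectors, values, verdict), or None for anything the model does not
    handle (ct state, counter, comment ...). An anonymous set `{ a, b }` becomes a
    multi-element value list so it can be expanded into the concatenation."""
    words = rule.split()
    if not words or words[-1] not in VERDICTS:
        return None
    body, verdict = " ".join(words[:-1]), words[-1]
    selectors, values, pos = [], [], 0
    while pos < len(body):
        m = SELECTOR.match(body, pos)
        if m is None:
            return None
        selectors.append(m.group(1))
        values.append([v.strip(' "') for v in m.group(2).strip("{}").split(",") if v.strip()])
        pos = m.end()
    return tuple(selectors), values, verdict

def optimize(rules):
    """Merge what can be merged; other rules stay verbatim and in place, so a drop
    rule sitting between two accept groups keeps its position in the chain."""
    out, group = [], None  # group: [selectors, verdict, elements, original rules]
    def flush():
        if group and len(group[3]) == 1:  # a lone rule gains nothing from a set
            out.append(group[3][0])
        elif group:
            elems = ", ".join(" . ".join(e) for e in group[2])
            out.append(f"{' . '.join(group[0])} {{ {elems} }} {group[1]}")
    for rule in (r.strip() for r in rules):
        parsed = parse_rule(rule)
        if parsed and group and (group[0], group[1]) == (parsed[0], parsed[2]):
            group[2].extend(itertools.product(*parsed[1]))
            group[3].append(rule)
            continue
        flush()
        if parsed is None:
            group = None
            out.append(rule)
        else:
            group = [parsed[0], parsed[2], list(itertools.product(*parsed[1])), [rule]]
    flush()
    return out
```

Feeding it the five `meta iifname ... accept` rules from the first example reproduces the `iifname . ip saddr . ip daddr { ... } accept` line that `nft -o -c -f` prints; the second example's `lo` and `ct state` rules pass through unchanged while the two udp rules merge.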

- Fix bytecode generation for concatenation of intervals where selectors use
different byteorder datatypes, eg. IPv4 (network byte order) and meta mark
(host byte order).

table ip x {
        map w {
                typeof ip saddr . meta mark : verdict
                flags interval
                counter
                elements = {
                        127.0.0.1-127.0.0.4 . 0x123434-0xb00122 : accept,
                        192.168.0.10-192.168.1.20 . 0x0000aa00-0x0000aaff : accept,
                }
        }
        chain k {
                type filter hook input priority filter; policy drop;
                ip saddr . meta mark vmap @w
        }
}

- fix matching of uncommon protocols with raw expressions, eg.

meta l4proto 91 @th,400,16 0x0 accept

- unbreak insertion of rules with intervals:

insert rule x y tcp sport { 3478-3497, 16384-16387 } counter accept

- enhancements for the JSON API, including support for statements in sets and
maps, and assorted fixes.
- extensions for the python nftables library to allow loading a ruleset and
performing a dry run, support for external definition of variables, among others.
- allow intercalating comments in set elements.
- allow a zero burst in byte ratelimits.
- fix the element collapse routine when the same set name is used in different families.
- ... and manpage updates.

See changelog for more details (attached to this email).

You can download this new release from:

https://www.netfilter.org/projects/nftables/downloads.html
https://www.netfilter.org/pub/nftables/

[ NOTE: We have switched to .tar.xz files for releases. ]

To build the code, libnftnl >= 1.2.4 and libmnl >= 1.0.4 are required:

* https://netfilter.org/projects/libnftnl/index.html
* https://netfilter.org/projects/libmnl/index.html

Visit our wikipage for user documentation at:

* https://wiki.nftables.org

For the manpage reference, check nft(8).

In case of bugs and feature requests, file them via:

* https://bugzilla.netfilter.org

Happy firewalling.