[ANNOUNCE] nftables 1.0.7 release
Hi!

The Netfilter project proudly presents:

nftables 1.0.7

This release contains enhancements and fixes such as:

- Support for vxlan/geneve/gre/gretap matching. This allows for simple
matching expressions on inner headers, such as matching on the
VxLAN-encapsulated IPv4 header fields:

... udp dport 4789 vxlan ip protocol udp
... udp dport 4789 vxlan ip saddr 1.2.3.0/24

This also works with sets and it can also be combined with
concatenations, such as:

... udp dport 4789 vxlan ip saddr . vxlan ip daddr { 1.2.3.4 . 4.3.2.1 }

This allows you to define a stateless filtering policy on the ingress hook
without requiring the classic data path round trip to first decapsulate
the VxLAN header and then filter from the vxlan0 netdevice.

This new feature requires Linux kernel >= 6.2.
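As an added illustration (not code from the nftables release or the Netfilter project), the following Python walks the part of the packet the new "vxlan ..." expressions look at: the UDP payload to dport 4789, which is the 8-byte VXLAN header, then the inner Ethernet header, then the inner IPv4 header. It then evaluates the three match expressions quoted above against those inner fields. The sample payload is constructed in the script; the MAC addresses and VNI are arbitrary.

```python
# Added example, not part of nftables: what 'vxlan ip ...' matches on.
import ipaddress
import struct

VXLAN_FLAG_VNI_VALID = 0x08          # the "I" flag from RFC 7348
ETHERTYPE_IPV4 = 0x0800
IPPROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def build_vxlan_payload(vni: int, saddr: str, daddr: str, proto: int = 17) -> bytes:
    """Construct a sample VXLAN payload (constructed test data, not a capture)."""
    vxlan_hdr = struct.pack("!B3xI", VXLAN_FLAG_VNI_VALID, vni << 8)
    inner_eth = (bytes.fromhex("020000000001")          # constructed dst MAC
                 + bytes.fromhex("020000000002")        # constructed src MAC
                 + struct.pack("!H", ETHERTYPE_IPV4))
    inner_ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 28, 0, 0, 64, proto, 0,               # IHL 5, no options, checksum left 0
        ipaddress.IPv4Address(saddr).packed,
        ipaddress.IPv4Address(daddr).packed,
    )
    return vxlan_hdr + inner_eth + inner_ip


def parse_vxlan_payload(payload: bytes) -> dict:
    """Return the inner-header fields that the 'vxlan ip ...' expressions match on."""
    if len(payload) < 8 + 14:
        raise ValueError("payload too short for a VXLAN header plus inner Ethernet")
    flags, vni_field = struct.unpack("!B3xI", payload[:8])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN header without the VNI-valid flag")
    info = {"vni": vni_field >> 8,
            "ethertype": struct.unpack("!H", payload[20:22])[0]}
    if info["ethertype"] != ETHERTYPE_IPV4:
        return info                                     # e.g. inner ARP: no 'vxlan ip' match possible
    ip = payload[22:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("truncated or non-IPv4 inner header")
    info["ip_protocol"] = ip[9]
    info["ip_saddr"] = ipaddress.IPv4Address(ip[12:16])
    info["ip_daddr"] = ipaddress.IPv4Address(ip[16:20])
    return info


def matching_expressions(payload: bytes) -> list:
    """Which of the announcement's three example expressions match this payload."""
    info = parse_vxlan_payload(payload)
    matched = []
    if "ip_protocol" not in info:
        return matched
    # ... udp dport 4789 vxlan ip protocol udp
    if IPPROTO_NAMES.get(info["ip_protocol"]) == "udp":
        matched.append("vxlan ip protocol udp")
    # ... udp dport 4789 vxlan ip saddr 1.2.3.0/24
    if info["ip_saddr"] in ipaddress.ip_network("1.2.3.0/24"):
        matched.append("vxlan ip saddr 1.2.3.0/24")
    # ... vxlan ip saddr . vxlan ip daddr { 1.2.3.4 . 4.3.2.1 }
    pairs = {(ipaddress.IPv4Address("1.2.3.4"), ipaddress.IPv4Address("4.3.2.1"))}
    if (info["ip_saddr"], info["ip_daddr"]) in pairs:
        matched.append("vxlan ip saddr . vxlan ip daddr { 1.2.3.4 . 4.3.2.1 }")
    return matched


if __name__ == "__main__":
    sample = build_vxlan_payload(vni=100, saddr="1.2.3.4", daddr="4.3.2.1")
    print(parse_vxlan_payload(sample))
    print(matching_expressions(sample))
```

The point of the walk is the offsets: the inner IPv4 source address sits 8 + 14 + 12 bytes into the UDP payload, which is exactly the data the ingress-hook rule can now reach without the decapsulate-and-refilter round trip described above.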

- auto-merge support for partial set element deletion. This allows you
to partially delete an element or a subrange in an existing range.

# nft list ruleset
table ip x {
    set y {
        typeof tcp dport
        flags interval
        auto-merge
        elements = { 24-30, 40-50 }
    }
}

Then, delete element 25 which is contained in the 24-30 range:

# nft delete element ip x y { 25 }
# nft list ruleset
table ip x {
    set y {
        typeof tcp dport
        flags interval
        auto-merge
        elements = { 24, 26-30, 40-50 }
    }
}

This requires the following two kernel fixes:

5d235d6ce75c ("netfilter: nft_set_rbtree: skip elements in transaction from garbage collection")
c9e6978e2725 ("netfilter: nft_set_rbtree: Switch to node list walk for overlap detection")

which are already scheduled for -stable kernel releases >= 5.10.
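To make the auto-merge behaviour concrete, here is an added Python model (not nftables code) of an interval set: adding elements merges overlapping or adjacent ranges, and deleting a value or subrange splits the range that contains it, reproducing the { 24-30, 40-50 } minus { 25 } step shown above. The inclusive (lo, hi) representation and the listing format are modelled on the nft output; the functions are this example's own.

```python
# Added example, not nftables code: interval set with auto-merge semantics.
from typing import List, Tuple

Interval = Tuple[int, int]   # inclusive bounds, as in 'elements = { 24-30, 40-50 }'


def normalise(intervals: List[Interval]) -> List[Interval]:
    """Sort and merge overlapping or adjacent intervals (what auto-merge does on add)."""
    merged: List[Interval] = []
    for lo, hi in sorted(intervals):
        if lo > hi:
            raise ValueError(f"bad interval {lo}-{hi}")
        if merged and lo <= merged[-1][1] + 1:        # overlaps or touches the previous range
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def add_elements(intervals: List[Interval], new: List[Interval]) -> List[Interval]:
    """Add ranges to the set; auto-merge collapses anything that now overlaps or touches."""
    return normalise(list(intervals) + list(new))


def delete_range(intervals: List[Interval], lo: int, hi: int) -> List[Interval]:
    """Remove lo-hi from the set, splitting any range that only partly overlaps it."""
    result: List[Interval] = []
    for a, b in normalise(intervals):
        if b < lo or a > hi:                          # untouched by the deletion
            result.append((a, b))
            continue
        if a < lo:                                    # keep the part below the deleted range
            result.append((a, lo - 1))
        if b > hi:                                    # keep the part above it
            result.append((hi + 1, b))
    return result


def format_elements(intervals: List[Interval]) -> str:
    """Render like the nft listing: single values as 'n', ranges as 'lo-hi'."""
    return ", ".join(str(a) if a == b else f"{a}-{b}" for a, b in intervals)


def parse_elements(text: str) -> List[Interval]:
    """Parse '{ 24-30, 40-50 }' back into intervals."""
    out: List[Interval] = []
    for item in text.strip(" {}").split(","):
        item = item.strip()
        if not item:
            continue
        lo, _, hi = item.partition("-")
        out.append((int(lo), int(hi or lo)))
    return out


if __name__ == "__main__":
    s = parse_elements("{ 24-30, 40-50 }")
    print(format_elements(delete_range(s, 25, 25)))   # 24, 26-30, 40-50
    print(format_elements(add_elements(s, [(31, 39)])))
```

Deleting a subrange rather than a single value works the same way: delete_range(s, 28, 45) leaves 24-27 and 46-50, which is the "subrange in an existing range" case the release note refers to.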

- Allow for NAT mapping with concatenation and ranges. This release
fixes mixed use of singleton concatenation and concatenation with
ranges, e.g.

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        dnat to ip daddr . tcp dport map { 10.1.1.136 . 80 : 1.1.2.69 . 1024, 10.1.1.10-10.1.1.20 . 8888-8889 : 1.1.2.69 . 2048-2049 } persistent
    }
}

The example above shows how to define a destination NAT mapping using the IPv4
destination address and the TCP destination port as the key for the map lookup.
The 'persistent' flag tells the NAT core to select the destination IPv4 address
from the specified IPv4 range by hashing the IPv4 source and destination
addresses (to evenly distribute the load). If no IPv4 range is specified, the
NAT core selects the singleton IPv4 destination address.

- Support for the lastuse statement. This allows you to know the last time a
rule or set element has been used:

table ip x {
    set y {
        typeof ip daddr . tcp dport
        size 65535
        flags dynamic,timeout
        last
        timeout 1h
    }

    chain z {
        type filter hook output priority filter; policy accept;
        update @y { ip daddr . tcp dport }
    }
}
# nft list set ip x y
table ip x {
    set y {
        typeof ip daddr . tcp dport
        size 65535
        flags dynamic,timeout
        last
        timeout 1h
        elements = { 172.217.17.14 . 443 last used 1s591ms timeout 1h expires 59m58s409ms,
                     172.67.69.19 . 443 last used 4s636ms timeout 1h expires 59m55s364ms,
                     142.250.201.72 . 443 last used 4s748ms timeout 1h expires 59m55s252ms,
                     172.67.70.134 . 443 last used 4s688ms timeout 1h expires 59m55s312ms,
                     35.241.9.150 . 443 last used 5s204ms timeout 1h expires 59m54s796ms,
                     138.201.122.174 . 443 last used 4s537ms timeout 1h expires 59m55s463ms,
                     34.160.144.191 . 443 last used 5s205ms timeout 1h expires 59m54s795ms,
                     130.211.23.194 . 443 last used 4s436ms timeout 1h expires 59m55s564ms }
    }
}

This feature is available since Linux kernel >= 5.14. This requires the
following kernel fix:

860e874290fb ("netfilter: nft_last: copy content when cloning expression")

which is already scheduled for -stable Linux kernel release.

- Support for quota in sets. The following example shows how to define an
(optional) quota per IPv4 destination address:

table netdev x {
    set y {
        typeof ip daddr
        size 65535
        quota over 10000 mbytes
    }

    chain y {
        type filter hook egress device "eth0" priority filter; policy accept;
        ip daddr @y drop
    }
}

Then, add a quota for 8.8.8.8.

# nft add element netdev x y { 8.8.8.8 }
# ping -c 2 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=58 time=8.14 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=58 time=7.82 ms

--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 7.824/7.980/8.136/0.156 ms
# nft list ruleset
table netdev x {
    set y {
        type ipv4_addr
        size 65535
        quota over 10000 mbytes
        elements = { 8.8.8.8 quota over 10000 mbytes used 196 bytes }
    }

    chain y {
        type filter hook egress device "eth0" priority filter; policy accept;
        ip daddr @y drop
    }
}

You can also override the default set-defined quota per element:

# nft add element netdev x y { 1.2.3.5 quota 5000 mbytes }
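Both the lastuse listing and the quota listing above carry per-element annotations ("last used ... timeout ... expires ..." and "quota over ... used ...") that a monitoring job will want as numbers rather than text. The following Python is an added example, not nftables code: it parses the elements block of `nft list set` output into a small record per element, then flags elements that have been idle longer than a threshold and elements close to their quota. The lastuse listing is the one from this announcement; the quota listing adds one constructed element (1.2.3.5 with 4800 of 5000 mbytes used) so the near-quota check has something to find. The idle and quota thresholds are arbitrary values chosen for the demo. The byte units follow nft's convention that kbytes/mbytes/gbytes are powers of 1024.

```python
# Added example, not part of nftables: parse `nft list set` element annotations.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

_DURATION_PART = re.compile(r"(\d+)(ms|d|h|m|s)")    # 'ms' must be tried before 'm'
_MS_PER_UNIT = {"d": 86_400_000, "h": 3_600_000, "m": 60_000, "s": 1_000, "ms": 1}
_BYTES_PER_UNIT = {"bytes": 1, "kbytes": 1024, "mbytes": 1024 ** 2, "gbytes": 1024 ** 3}
_ANNOTATIONS = {"last", "timeout", "expires", "quota", "used"}


def parse_duration_ms(text: str) -> int:
    """'59m58s409ms' -> 3598409; rejects anything that is not a chain of nft time units."""
    parts = _DURATION_PART.findall(text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"not an nft duration: {text!r}")
    return sum(int(n) * _MS_PER_UNIT[u] for n, u in parts)


def parse_bytes(amount: str, unit: str) -> int:
    return int(amount) * _BYTES_PER_UNIT[unit]


@dataclass
class Element:
    key: str                              # e.g. '172.217.17.14 . 443' for a concatenation
    last_used_ms: Optional[int] = None    # None when absent or when nft prints 'last used never'
    timeout_ms: Optional[int] = None
    expires_ms: Optional[int] = None
    quota_bytes: Optional[int] = None
    used_bytes: Optional[int] = None


def parse_element(text: str) -> Element:
    """Split one element into its key and its annotations."""
    tok = text.split()
    i = 0
    while i < len(tok) and tok[i] not in _ANNOTATIONS:
        i += 1
    el = Element(key=" ".join(tok[:i]))
    while i < len(tok):
        if tok[i] == "last" and tok[i + 1] == "used":
            el.last_used_ms = None if tok[i + 2] == "never" else parse_duration_ms(tok[i + 2])
            i += 3
        elif tok[i] == "timeout":
            el.timeout_ms = parse_duration_ms(tok[i + 1])
            i += 2
        elif tok[i] == "expires":
            el.expires_ms = parse_duration_ms(tok[i + 1])
            i += 2
        elif tok[i] == "quota":
            j = i + 1
            if tok[j] in ("over", "until"):           # mode word is printed by nft, optional on input
                j += 1
            el.quota_bytes = parse_bytes(tok[j], tok[j + 1])
            i = j + 2
        elif tok[i] == "used":
            el.used_bytes = parse_bytes(tok[i + 1], tok[i + 2])
            i += 3
        else:
            raise ValueError(f"unsupported annotation {tok[i]!r} in {text!r}")
    return el


def parse_set_elements(listing: str) -> List[Element]:
    """Extract and parse the 'elements = { ... }' block of an `nft list set` listing."""
    m = re.search(r"elements\s*=\s*\{(.*?)\}", listing, re.S)
    if not m:
        return []
    body = " ".join(m.group(1).split())               # join the wrapped lines
    return [parse_element(p.strip()) for p in body.split(",") if p.strip()]


def idle_elements(elements: List[Element], idle_ms: int) -> List[str]:
    """Keys not hit for longer than idle_ms: candidates for a stale-entry review."""
    return [e.key for e in elements if e.last_used_ms is not None and e.last_used_ms > idle_ms]


def quota_utilisation(elements: List[Element]) -> Dict[str, float]:
    return {e.key: (e.used_bytes or 0) / e.quota_bytes for e in elements if e.quota_bytes}


def near_quota(elements: List[Element], fraction: float) -> List[str]:
    """Keys whose consumed bytes are at or above the given fraction of their quota."""
    return [k for k, v in quota_utilisation(elements).items() if v >= fraction]


# The lastuse set from the announcement, as printed by `nft list set ip x y`.
LASTUSE_LISTING = """set y {
    typeof ip daddr . tcp dport
    size 65535
    flags dynamic,timeout
    last
    timeout 1h
    elements = { 172.217.17.14 . 443 last used 1s591ms timeout 1h expires 59m58s409ms,
                 172.67.69.19 . 443 last used 4s636ms timeout 1h expires 59m55s364ms,
                 142.250.201.72 . 443 last used 4s748ms timeout 1h expires 59m55s252ms,
                 172.67.70.134 . 443 last used 4s688ms timeout 1h expires 59m55s312ms,
                 35.241.9.150 . 443 last used 5s204ms timeout 1h expires 59m54s796ms,
                 138.201.122.174 . 443 last used 4s537ms timeout 1h expires 59m55s463ms,
                 34.160.144.191 . 443 last used 5s205ms timeout 1h expires 59m54s795ms,
                 130.211.23.194 . 443 last used 4s436ms timeout 1h expires 59m55s564ms }
}
"""

# The quota set from the announcement plus one constructed element (1.2.3.5) near its limit.
QUOTA_LISTING = """set y {
    type ipv4_addr
    size 65535
    quota over 10000 mbytes
    elements = { 8.8.8.8 quota over 10000 mbytes used 196 bytes,
                 1.2.3.5 quota over 5000 mbytes used 4800 mbytes }
}
"""

if __name__ == "__main__":
    print(idle_elements(parse_set_elements(LASTUSE_LISTING), idle_ms=5_000))
    print(near_quota(parse_set_elements(QUOTA_LISTING), fraction=0.9))
```

The same parser handles both listings because both are "key followed by keyword/value annotations"; the concatenation separator " . " never collides with an annotation keyword, so the key is simply every token before the first one.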

- Allow using a constant in the set statement. The following example shows how
to add a set element from the datapath as a concatenation of the Ethernet
destination address and a constant VLAN id (VLAN id 123 in the example below).

table netdev t {
    set s {
        typeof ether saddr . vlan id
        size 2048
        flags dynamic,timeout
        timeout 1m
    }

    chain c {
        type filter hook ingress device eth0 priority 0; policy accept;
        ether type != 8021q update @s { ether daddr . 123 } counter
    }
}
- New destroy command (it requires Linux kernel >= 6.3-rc), which allows you to
unconditionally remove objects; the delete command fails with ENOENT if
the object does not exist.

destroy table ip filter

- fix ct proto-src and proto-dst when used from set/map statements. These are
the equivalent of th sport and th dport for accessing the conntrack
tuple. The following example shows how to populate a map from the datapath:

table ip foo {
    map pinned {
        typeof ip saddr . ct original proto-dst : ip daddr . tcp dport
        size 65535
        flags dynamic,timeout
        timeout 6m
    }

    chain pre {
        type filter hook prerouting priority 0; policy accept;
        meta l4proto tcp update @pinned { ip saddr . ct original proto-dst : ip daddr . tcp dport }
    }
}

- fixes for the new -o/--optimize option, which allows you to optimize your ruleset.
- fix set elements deletion triggering a crash in previous releases.
- fix parsing of invalid octal strings.
- ... and manpage updates.

See changelog for more details (attached to this email).

You can download this new release from:

https://www.netfilter.org/projects/nftables/downloads.html
https://www.netfilter.org/pub/nftables/

[ NOTE: We have switched to .tar.xz files for releases. ]

To build the code, libnftnl >= 1.2.5 and libmnl >= 1.0.4 are required:

* https://netfilter.org/projects/libnftnl/index.html
* https://netfilter.org/projects/libmnl/index.html

Visit our wikipage for user documentation at:

* https://wiki.nftables.org

For the manpage reference, check man(8) nft.

In case of bugs and feature requests, file them via:

* https://bugzilla.netfilter.org

Happy firewalling.