Hi!
The Netfilter project proudly presents:
nftables 1.0.8
This release contains enhancements and fixes such as:
- Support for setting meta and ct mark from other fields in rules,
eg. set meta mark to ip dscp header field.
... meta mark set ip dscp
You can also combining it with expressions such as:
... meta mark set ip dscp and 0x0f
... meta mark set ip dscp << 8
... meta mark set (ip dscp and 0xf) << 8
- Enhacements for -o/--optimize to deal with NAT statements, to compact
masquerade statements:
Merging:
masq.nft:3:3-36: ip saddr 10.141.11.0/24 masquerade
masq.nft:4:3-36: ip saddr 10.141.13.0/24 masquerade
into:
ip saddr { 10.141.11.0/24, 10.141.13.0/24 } masquerade
... and redirect statements too:
Merging:
redir.nft:3:3-32: tcp dport 83 redirect to :8083
redir.nft:4:3-32: tcp dport 84 redirect to :8084
into:
redirect to :tcp dport map { 83 : 8083, 84 : 8084 }
- Support for stateful statements in anonymous maps, such as counters.
... meta mark { 0xa counter, 0xb counter }
this can also be used in verdict maps:
... ip saddr vmap { 127.0.0.1 counter : drop, * counter : accept }
this allows to compact 'ct state' matching in rulesets without losing
the ability to count packets:
... ct state vmap { established counter : accept, \
related counter : accept, \
invalid counter : drop }
- Support for resetting stateful expressions in sets, maps and elements,
e.g. counters:
reset element t m '{ 1.2.3.4 }'
reset map ip t m
reset set ip t m
Note that this feature requires Linux kernel >= 6.5-rc1.
- Simplify reset command syntax. This command allows you to reset
stateful information in rules, such as counters and quotas:
reset rules # reset all counters regardless family
reset rules ip # reset all counters for family 'ip'
reset rules ip t # reset all counters for table 'filter' in family 'ip'
reset rules ip t c # reset all counters in chain 'input'
Similarly, you do not have to specify the table keyword anymore when
resetting named stateful objects:
reset counters
reset counters ip
reset counters ip filter
- Fix bogus error reporting on missing transport protocol when using
layer 4 keys in maps:
... redirect to :tcp dport map { 83 : 8083, 84 : 8084 }
This redirects traffic to the localhost ports depending on the TCP
destination port, ie. packets going to TCP destination port 83 are
redirected to localhost TCP port 8083.
- Provide a hint in unpriviledged namespaces to allow for large rulesets:
# nft -f test.nft
netlink: Error: Could not process rule: Message too long
Please, rise /proc/sys/net/core/wmem_max on the host namespace. Hint: 4194304 bytes
This has been an issue for people loading GeoIP sets from containers,
with large IP source address sets.
- Allow for updating devices on existing netdev chain (This requires Linux kernel >= 6.3).
This patch allows you to add/remove devices to an existing chain:
# cat ruleset.nft
table netdev x {
chain y {
type filter hook ingress devices = { eth0 } priority 0; policy accept;
}
}
# nft -f ruleset.nft
# nft add chain netdev x y '{ devices = { eth1 }; }'
# nft list ruleset
table netdev x {
chain y {
type filter hook ingress devices = { eth0, eth1 } priority 0; policy accept;
}
}
# nft delete chain netdev x y '{ devices = { eth0 }; }'
# nft list ruleset
table netdev x {
chain y {
type filter hook ingress devices = { eth1 } priority 0; policy accept;
}
}
- Make "nft list sets" include set elements in listing by default,
please, use -t/--terse to fetch the sets without elements.
- Improve error reporting with suggestions on datatype mistypes:
test.nft:3:11-14: Error: Could not parse Differentiated Services Code Point expression; did you you mean `cs0`?
ip dscp ccs0
^^^^
Provide a suggestion too for incorrect jump/goto to chain in map:
# cat test.nft
table ip x {
map y {
typeof ip saddr : verdict
elements = { 1.2.3.4 : filter_server1 }
}
}
# nft -f test.nft
test.nft:4:26-39: Error: Could not parse netfilter verdict; did you mean `jump filter_server1'?
elements = { 1.2.3.4 : filter_server1 }
^^^^^^^^^^^^^^
- Support for constant values in concatenations. For example, allow to
update a set from packet path using constants:
... update @s1 { ip saddr . 10.180.0.4 . 80 }
- broute support to short-circuit bridge logic from the bridge prerouting hook
and pass up packets to the local IP stack.
... meta broute set 1
- JSON support for table and chain comments:
# nft -j list ruleset
{"nftables": [.{"metainfo": {"version": "1.0.7", "release_name": "Old Doc Yak", "json_schema_version": 1}}, {"table": {"family": "inet", "name": "test3", "handle": 4, "comment": "this is a comment"}}]}
- JSON support for inner/tunnel matching. This example shows how match
on the IP dscp field encapsulated under vxlan header.
# udp dport 4789 vxlan ip dscp 0x02
[.
{
"match": {
"left": {
"payload": {
"field": "dport",
"protocol": "udp"
}
},
"op": "==",
"right": 4789
}
},
{
"match": {
"left": {
"payload": {
"field": "dscp",
"protocol": "ip",
"tunnel": "vxlan"
}
},
"op": "==",
"right": 2
}
}
]
- JSON support for 'last used' statement, that tells when a rule/set
element has been used last time.
- Update 'nft list hooks' command to display registered bpf hooks in the
netfilter dataplane.
- disallow combining -i/--interactive and -f/--filename.
- distutils has been replaced with setuptools in nftables Python binding.
... as well as asorted fixes and manpage documentation updates.
See changelog for more details (attached to this email).
You can download this new release from:
https://www.netfilter.org/projects/nftables/downloads.html
https://www.netfilter.org/pub/nftables/
[ NOTE: We have switched to .tar.xz files for releases. ]
To build the code, libnftnl >= 1.2.6 and libmnl >= 1.0.4 are required:
* https://netfilter.org/projects/libnftnl/index.html
* https://netfilter.org/projects/libmnl/index.html
Visit our wikipage for user documentation at:
* https://wiki.nftables.org
For the manpage reference, check man(8) nft.
In case of bugs and feature requests, file them via:
* https://bugzilla.netfilter.org
Happy firewalling.
The Netfilter project proudly presents:
nftables 1.0.8
This release contains enhancements and fixes such as:
- Support for setting meta and ct mark from other fields in rules,
eg. set meta mark to ip dscp header field.
... meta mark set ip dscp
You can also combining it with expressions such as:
... meta mark set ip dscp and 0x0f
... meta mark set ip dscp << 8
... meta mark set (ip dscp and 0xf) << 8
- Enhacements for -o/--optimize to deal with NAT statements, to compact
masquerade statements:
Merging:
masq.nft:3:3-36: ip saddr 10.141.11.0/24 masquerade
masq.nft:4:3-36: ip saddr 10.141.13.0/24 masquerade
into:
ip saddr { 10.141.11.0/24, 10.141.13.0/24 } masquerade
... and redirect statements too:
Merging:
redir.nft:3:3-32: tcp dport 83 redirect to :8083
redir.nft:4:3-32: tcp dport 84 redirect to :8084
into:
redirect to :tcp dport map { 83 : 8083, 84 : 8084 }
- Support for stateful statements in anonymous maps, such as counters.
... meta mark { 0xa counter, 0xb counter }
this can also be used in verdict maps:
... ip saddr vmap { 127.0.0.1 counter : drop, * counter : accept }
this allows to compact 'ct state' matching in rulesets without losing
the ability to count packets:
... ct state vmap { established counter : accept, \
related counter : accept, \
invalid counter : drop }
- Support for resetting stateful expressions in sets, maps and elements,
e.g. counters:
reset element t m '{ 1.2.3.4 }'
reset map ip t m
reset set ip t m
Note that this feature requires Linux kernel >= 6.5-rc1.
- Simplify reset command syntax. This command allows you to reset
stateful information in rules, such as counters and quotas:
reset rules # reset all counters regardless family
reset rules ip # reset all counters for family 'ip'
reset rules ip t # reset all counters for table 'filter' in family 'ip'
reset rules ip t c # reset all counters in chain 'input'
Similarly, you do not have to specify the table keyword anymore when
resetting named stateful objects:
reset counters
reset counters ip
reset counters ip filter
- Fix bogus error reporting on missing transport protocol when using
layer 4 keys in maps:
... redirect to :tcp dport map { 83 : 8083, 84 : 8084 }
This redirects traffic to the localhost ports depending on the TCP
destination port, ie. packets going to TCP destination port 83 are
redirected to localhost TCP port 8083.
- Provide a hint in unpriviledged namespaces to allow for large rulesets:
# nft -f test.nft
netlink: Error: Could not process rule: Message too long
Please, rise /proc/sys/net/core/wmem_max on the host namespace. Hint: 4194304 bytes
This has been an issue for people loading GeoIP sets from containers,
with large IP source address sets.
- Allow for updating devices on existing netdev chain (This requires Linux kernel >= 6.3).
This patch allows you to add/remove devices to an existing chain:
# cat ruleset.nft
table netdev x {
chain y {
type filter hook ingress devices = { eth0 } priority 0; policy accept;
}
}
# nft -f ruleset.nft
# nft add chain netdev x y '{ devices = { eth1 }; }'
# nft list ruleset
table netdev x {
chain y {
type filter hook ingress devices = { eth0, eth1 } priority 0; policy accept;
}
}
# nft delete chain netdev x y '{ devices = { eth0 }; }'
# nft list ruleset
table netdev x {
chain y {
type filter hook ingress devices = { eth1 } priority 0; policy accept;
}
}
- Make "nft list sets" include set elements in listing by default,
please, use -t/--terse to fetch the sets without elements.
- Improve error reporting with suggestions on datatype mistypes:
test.nft:3:11-14: Error: Could not parse Differentiated Services Code Point expression; did you you mean `cs0`?
ip dscp ccs0
^^^^
Provide a suggestion too for incorrect jump/goto to chain in map:
# cat test.nft
table ip x {
map y {
typeof ip saddr : verdict
elements = { 1.2.3.4 : filter_server1 }
}
}
# nft -f test.nft
test.nft:4:26-39: Error: Could not parse netfilter verdict; did you mean `jump filter_server1'?
elements = { 1.2.3.4 : filter_server1 }
^^^^^^^^^^^^^^
- Support for constant values in concatenations. For example, allow to
update a set from packet path using constants:
... update @s1 { ip saddr . 10.180.0.4 . 80 }
- broute support to short-circuit bridge logic from the bridge prerouting hook
and pass up packets to the local IP stack.
... meta broute set 1
- JSON support for table and chain comments:
# nft -j list ruleset
{"nftables": [.{"metainfo": {"version": "1.0.7", "release_name": "Old Doc Yak", "json_schema_version": 1}}, {"table": {"family": "inet", "name": "test3", "handle": 4, "comment": "this is a comment"}}]}
- JSON support for inner/tunnel matching. This example shows how match
on the IP dscp field encapsulated under vxlan header.
# udp dport 4789 vxlan ip dscp 0x02
[.
{
"match": {
"left": {
"payload": {
"field": "dport",
"protocol": "udp"
}
},
"op": "==",
"right": 4789
}
},
{
"match": {
"left": {
"payload": {
"field": "dscp",
"protocol": "ip",
"tunnel": "vxlan"
}
},
"op": "==",
"right": 2
}
}
]
- JSON support for 'last used' statement, that tells when a rule/set
element has been used last time.
- Update 'nft list hooks' command to display registered bpf hooks in the
netfilter dataplane.
- disallow combining -i/--interactive and -f/--filename.
- distutils has been replaced with setuptools in nftables Python binding.
... as well as asorted fixes and manpage documentation updates.
See changelog for more details (attached to this email).
You can download this new release from:
https://www.netfilter.org/projects/nftables/downloads.html
https://www.netfilter.org/pub/nftables/
[ NOTE: We have switched to .tar.xz files for releases. ]
To build the code, libnftnl >= 1.2.6 and libmnl >= 1.0.4 are required:
* https://netfilter.org/projects/libnftnl/index.html
* https://netfilter.org/projects/libmnl/index.html
Visit our wikipage for user documentation at:
* https://wiki.nftables.org
For the manpage reference, check man(8) nft.
In case of bugs and feature requests, file them via:
* https://bugzilla.netfilter.org
Happy firewalling.
Attached Files:
-
changes-nftables-1.0.8.txt (5.22 KB)