[ANNOUNCE] nftables 1.0.9 release
Hi!

The Netfilter project proudly presents:

nftables 1.0.9

This release contains enhancements and fixes such as:

- Speed up chain listing:

# time nft list chain inet raw input
table inet raw {
	chain input {
		type filter hook input priority filter; policy accept;
		ip6 saddr @bogons6 counter drop
	}
}

before:
real 0m2,913s
user 0m1,345s
sys 0m1,568s

after:
real 0m0,056s
user 0m0,018s
sys 0m0,039s

- Allow custom conntrack timeouts to use time specification (not only
seconds), e.g.

table inet x {
	ct timeout customtimeout {
		protocol tcp
		l3proto ip
		policy = { established: 2m, close: 20s }
	}

	chain y {
		type filter hook prerouting priority filter; policy accept;
		tcp dport 8888 ct timeout set "customtimeout"
	}
}

- Allow combining dnat with numgen, e.g.

... dnat to numgen inc mod 8 offset 0xc0a864c8

where offset 0xc0a864c8 represents 192.168.100.200, to fan out packets
using stateful DNAT from 192.168.100.200 to 192.168.100.207.
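As an added illustration (not code from the release or the nftables project), a small Python helper that translates between the numgen offset notation and the address pool it fans out to, and checks that the pool stays inside the intended prefix; the offset, modulus and prefix values are assumptions taken from the rule above.

```python
import ipaddress


def numgen_dnat_pool(offset: int, mod: int) -> list[ipaddress.IPv4Address]:
    """Addresses selected by 'dnat to numgen inc mod MOD offset OFFSET'.

    numgen inc yields 0, 1, ..., MOD-1 in turn; nftables adds OFFSET and
    uses the 32-bit result as the IPv4 DNAT target.  Because nat chains see
    only the first packet of a connection, each new flow gets the next index
    and conntrack keeps the rest of the flow on the same target.
    """
    if mod < 1:
        raise ValueError("mod must be at least 1")
    if offset + mod - 1 > 0xFFFFFFFF:
        raise ValueError("pool would wrap past 255.255.255.255")
    return [ipaddress.IPv4Address(offset + i) for i in range(mod)]


def pool_stays_in(offset: int, mod: int, prefix: str) -> bool:
    """Operator check: a pool that overflows the intended prefix silently
    sends a share of connections to hosts outside the backend group."""
    net = ipaddress.IPv4Network(prefix)
    return all(addr in net for addr in numgen_dnat_pool(offset, mod))


def numgen_dnat_rule(first: str, last: str) -> str:
    """Inverse direction: build the rule fragment for a contiguous target range."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if hi < lo:
        raise ValueError("last address precedes first address")
    mod = int(hi) - int(lo) + 1
    return f"dnat to numgen inc mod {mod} offset 0x{int(lo):08x}"


if __name__ == "__main__":
    # Constructed values matching the announcement: 0xc0a864c8 is 192.168.100.200.
    for addr in numgen_dnat_pool(0xC0A864C8, 8):
        print(addr)
    print(pool_stays_in(0xC0A864C8, 8, "192.168.100.0/24"))
    print(numgen_dnat_rule("192.168.100.200", "192.168.100.207"))
```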

- Allow for using constants as key in dynamic sets.

table inet x {
	chain y {
		type filter hook input priority 0; policy drop;
		udp dport 45378 add @dynmark { 10.2.3.4 timeout 3s : 0x00000002 }
	}
}

- Fix get element command with concatenated set:

table ip filter {
	set test {
		type ipv4_addr . ether_addr . mark
		flags interval
		elements = { 198.51.100.0/25 . 00:0b:0c:ca:cc:10-c1:a0:c1:cc:10:00 . 0x0000006f, }
	}
}

then allow checking whether an element is present with:

# nft get element ip filter test { 198.51.100.1 . 00:0b:0c:ca:cc:10 . 0x6f }

- Support for matching on the target address of an IPv6 neighbour
solicitation/advertisement.

... icmpv6 type nd-neighbor-solicit icmpv6 taddr 2001:db8::133 counter

- Provide a pyproject.toml config file and legacy setup.py script
to install Python support. Using pip:

python -m pip install py/

or, alternatively, legacy setup.py script:

cd py && python setup.py install

- Fix incorrect bytecode when setting meta and ct mark from a selector of
smaller size, e.g. setting meta mark to the ip dscp header field.

... meta mark set ip dscp

Support for this is available since 1.0.8, but bytecode generation
was not correct.

- Empty internal cache in -o/--optimize (which implicitly pulls in
-c/--check mode); otherwise stale objects remain in place, triggering a BUG:

BUG: invalid input descriptor type 151665524
nft: erec.c:161: erec_print: Assertion `0' failed.
Aborted

- Fix memory leak in prefix evaluation with wildcard interface name.

The following ruleset triggered the leak:

table ip x {
	chain y {
		meta iifname { abcde*, xyz }
	}
}

- Restore interval maps, broken since 1.0.7, e.g.

table inet filter {
	counter TEST {
		packets 0 bytes 0
	}

	map testmap {
		type ipv4_addr : counter
		flags interval
		elements = { 192.168.0.0/24 : "TEST" }
	}
}

- Restore bitwise operations in combination with maps, e.g. jump to a
chain depending on a bitwise operation on the packet mark.

table ip x {
	map sctm_o0 {
		type mark : verdict
		elements = { 0x00000000 : jump sctm_o0_0, 0x00000001 : jump sctm_o0_1 }
	}

	chain sctm_o0_0 {
		counter
	}

	chain sctm_o0_1 {
		counter
	}

	chain SET_ctmark_RPLYroute {
		meta mark >> 8 & 0xf vmap @sctm_o0
	}
}

- Display the default burst of 5 packets in the limit statement. For
historical reasons this was not printed; now it is shown in the listing, e.g.

... limit rate 400/minute burst 5 packets accept

- Restore use of conntrack label in concatenations, e.g.

... ct label . ct mark { 0x1 . 0x1 }

- Do not merge expressions across non-expression statements, e.g.

... ether saddr 00:11:22:33:44:55 counter ether type 8021q

is not merged because the counter statement falls between these
two candidate expressions, which could otherwise be coalesced into one
single expression matching the ethernet source address offset and the
ether type field that follows it.

- Fix crash with log prefix longer than 127 bytes.

- Fixes for JSON support.

- ... and many unsorted fixes found via proactive code inspection.

... as well as assorted fixes and manpage documentation updates.

See changelog for more details (attached to this email).

You can download this new release from:

https://www.netfilter.org/projects/nftables/downloads.html
https://www.netfilter.org/pub/nftables/

[ NOTE: We have switched to .tar.xz files for releases. ]

To build the code, libnftnl >= 1.2.6 and libmnl >= 1.0.4 are required:

* https://netfilter.org/projects/libnftnl/index.html
* https://netfilter.org/projects/libmnl/index.html

Visit our wikipage for user documentation at:

* https://wiki.nftables.org

For the manpage reference, check man(8) nft.

In case of bugs and feature requests, file them via:

* https://bugzilla.netfilter.org

Happy firewalling.