Message-ID: <20140414113933.GA20756@macbook.localnet>
Date:	Mon, 14 Apr 2014 13:39:36 +0200
From:	Patrick McHardy <kaber@...sh.net>
To:	netfilter-devel@...r.kernel.org
Cc:	netfilter@...r.kernel.org, announce@...ts.netfilter.org,
	netdev@...r.kernel.org, coreteam@...filter.org
Subject: [ANNOUNCE]: Release of nftables 0.2

The netfilter project presents:

	nftables 0.2

This release contains a rather large number of bug fixes, syntax cleanups,
new features, support for all new features contained in the recent 3.14
kernel release as well as *drumroll* documentation.


Syntax changes
==============

* More consistency in data type names

  Data type names are used in set declarations. All address related types
  now follow the naming scheme *_addr, all protocol related types *_proto
  and the network interface related type iface_*. The arphrd type has been
  renamed to iface_type.

* Unqualified meta expressions

  A number of keys of the meta expressions can be used without the meta
  keyword for simplicity. These are mark, iif, iifname, iiftype, oif,
  oifname, oiftype, skuid, skgid, nftrace and rtclassid. The meta keyword
  may still be used if desired.

  - nft filter output meta skuid root accept

  becomes

  - nft filter output skuid root accept


New features
============

The more prominent new features include:

* Support for hybrid IPv4/IPv6 tables

  nftables now supports the "inet" family, which can be used to create
  hybrid tables that contain rules for both IPv4 and IPv6. This should
  greatly help reduce maintenance overhead for dual stack setups.

  To create a standard filter table, use the supplied table template:

  nft -f /etc/nftables/inet-filter

  Rules in the inet family can apply to either just IPv4, just IPv6 or
  both types of packets:

  nft inet filter input ip saddr 192.168.0.0/24 jump from_lan
  nft inet filter input ip6 saddr 2001::/64 jump from_lan
  nft inet filter input tcp dport ssh accept
  nft inet filter input iif lo accept

* Support to set meta keys

  Corresponding to the iptables MARK, CLASSIFY and TRACE targets, nftables
  now supports changing meta data associated with a packet.

  - nft filter input mark set 0x1

    will set the packet mark to 0x1.

  - nft filter input mark set mark | 0x1

    will OR the current value with 0x1.

  Using maps, you can do neat things like setting the mark dependent on
  the source address in a single rule:

  nft filter input mark set ip saddr map {
	192.168.0.0/24 : 0x1,
	192.168.1.0-192.168.1.64 : 0x2,
	192.168.2.1 : 0x3,
	* : 0x4
  }

  Or set it based on the network number using bitwise operations:

  nft filter input ip saddr 192.168.0.0/16 mark set ip saddr & 0xff00

  The packet classification can be changed in a similar fashion using
  "meta priority set ...", tracing can be enabled using "nftrace set 1".

* Support to set conntrack keys

  Similar to the meta keys feature, it is now possible to change data
  associated with connection tracking entries. At this time only the
  conntrack mark is supported.

  - nft filter input ct mark set mark

  will set the conntrack mark to the packet mark

  - nft filter output mark set ct mark

  will set the packet mark to the conntrack mark

  - nft filter output ct mark set 0x1

  will set the conntrack mark to the value 0x1.

* connlabel support

  Support for connection tracking labels (connlabels) has been added.
  connlabel.conf is parsed and the values can be used as symbolic
  constants in combination with the "ct label" expression.

  - nft filter input ct label clients,servers accept

  will accept packets of connections labeled with either clients or servers.

* Queue load balancing

  The queue statement now supports load balancing, CPU fanout, queue bypass
  etc.

  - nft filter output queue num 3 total 2 options fanout

  will queue packets to queue numbers 3 and 4 using CPU fanout.

* XML/JSON ruleset export

  Using "nft export <xml|json>", the ruleset can be exported in either format.
  A corresponding import facility will follow soon.

* Human readable comments in the ruleset

  nftables supports storing comments together with a rule in the ruleset
  that are displayed when listing the ruleset. The syntax is

  - nft filter input tcp dport ssh accept comment "SSH access"

  Please note that the syntax may change before the next release.

* Full file parsing

  nftables now recovers from errors during ruleset parsing and continues
  up to a threshold of 10 errors before aborting. This makes it quicker to
  validate and fix up an erroneous ruleset.

* "create" command

  The create command can be used to create tables and chains, but unlike
  the add command it doesn't return an error if the object already exists.

* Misc

  A large number of smaller improvements have been made to error
  reporting, ruleset listing and other parts.


Bug fixes
=========

* Big endian support

  A number of problems on big endian architectures have been fixed. A
  single bugfix for the kernel is still in the queue, once it has hit
  -stable this release should be fully functional on big endian.

* Flag comparison for single flag values

  When no operation is explicitly specified in a relational expression,
  nftables determines the operation based on the data type of the
  right hand side expression. For bitmask types, the operation is a flag
  comparison, i.e.

  tcp flags syn,ack

  tests if either SYN or ACK is set. In the case that the right hand side
  consisted of only a single value, nftables so far incorrectly generated
  an equality expression, in other words "tcp flags syn" would match on SYN
  and only SYN. Now the expected thing is done and all packets that have
  the SYN flag set will match.
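  The two semantics side by side, as an added illustration that is not part
  of the announcement: the pre-0.2 equality test versus the flag comparison
  nftables now generates for bitmask types, evaluated over a constructed set
  of TCP flag bytes. Names and values are this example's own.

```python
# TCP flag bits in the order nftables names them (fin, syn, ... cwr).
TCP_FLAGS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08,
             "ack": 0x10, "urg": 0x20, "ecn": 0x40, "cwr": 0x80}

def flag_mask(spec):
    """'syn,ack' -> 0x12: the right hand side of 'tcp flags syn,ack'."""
    return sum(TCP_FLAGS[name.strip()] for name in spec.split(","))

def matches_equality(flags, spec):
    """Pre-0.2 behaviour for a single-flag right hand side: exact equality,
    so 'tcp flags syn' only matched packets carrying SYN and nothing else."""
    return flags == flag_mask(spec)

def matches_flagcmp(flags, spec):
    """Implicit operation for bitmask types: match if any listed flag is set."""
    return flags & flag_mask(spec) != 0

# Constructed sample flag bytes (not taken from the announcement). The
# SYN with ECN bits is what the old equality test silently let past a
# 'tcp flags syn' rule.
SAMPLE_PACKETS = {"syn": 0x02, "syn-ack": 0x12, "ack": 0x10,
                  "syn-ece-cwr": 0xC2, "fin-ack": 0x11}

def classify(spec):
    """Packet names matched under each semantics for one flag specification."""
    return {
        "equality": sorted(n for n, f in SAMPLE_PACKETS.items()
                           if matches_equality(f, spec)),
        "flagcmp": sorted(n for n, f in SAMPLE_PACKETS.items()
                          if matches_flagcmp(f, spec)),
    }
```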

* Operator precedence in ruleset listing

  When using bitwise expressions, the ruleset listing will now print
  expressions in parentheses when required by operator precedence.

* Symbolic variable existence and redefinitions

  nftables will check for the existence of a symbolic variable at time of
  use instead of during evaluation. Redefinitions of existing variables now
  trigger an error.

* Map interval conflicts

  When maps contain overlapping ranges (ranges or prefix expressions), the
  ranges are prioritized based on their size. A smaller (more specific)
  range takes precedence over larger (less specific) ones. When the ranges
  have an identical size, no precedence can be determined and an error is
  returned if the associated data/verdict differs.
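  The precedence rules above, applied to the "mark set ip saddr map" example
  from the meta keys section, as an added model that is not part of nftables:
  it parses prefix, range, single-address and wildcard keys into intervals,
  rejects identical-size overlaps with differing data, and resolves a lookup
  to the most specific entry. Function names and the sample map are this
  example's own.

```python
import ipaddress

# Constructed sample in the syntax of the "mark set ip saddr map" rule
# above; the values are illustrative, not taken from a real ruleset.
SAMPLE_MAP = """
192.168.0.0/24 : 0x1,
192.168.1.0-192.168.1.64 : 0x2,
192.168.2.1 : 0x3,
* : 0x4
"""

def parse_key(key):
    """Prefix, range, single address or '*' -> inclusive (first, last) ints."""
    key = key.strip()
    if key == "*":
        return 0, 2**32 - 1
    if "-" in key:
        lo, hi = (int(ipaddress.IPv4Address(a.strip())) for a in key.split("-", 1))
        return lo, hi
    net = ipaddress.IPv4Network(key, strict=False)
    return int(net.network_address), int(net.broadcast_address)

def check_conflicts(entries):
    """Overlapping entries of identical size cannot be ordered by specificity,
    so they are an error unless they carry the same data."""
    for i, (lo1, hi1, d1) in enumerate(entries):
        for lo2, hi2, d2 in entries[i + 1:]:
            overlap = lo1 <= hi2 and lo2 <= hi1
            if overlap and (hi1 - lo1) == (hi2 - lo2) and d1 != d2:
                raise ValueError("conflicting map entries of identical size")

def parse_map(text):
    """Parse comma separated 'key : value' entries into (lo, hi, data)."""
    entries = []
    for item in text.split(","):
        if item.strip():
            key, value = item.split(":", 1)
            entries.append((*parse_key(key), int(value.strip(), 0)))
    check_conflicts(entries)
    return entries

def lookup(entries, addr):
    """Data of the smallest (most specific) interval containing addr, else None."""
    a = int(ipaddress.IPv4Address(addr))
    hits = [(hi - lo, data) for lo, hi, data in entries if lo <= a <= hi]
    return min(hits)[1] if hits else None
```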
 
* Misc

  A number of crashes, failed assertions, incorrect definitions and more
  have been fixed.


Documentation
=============

Some reference documentation (man-page / PDF) has been added. Unfortunately
I did not manage to complete it so far, but work is ongoing and shouldn't
take very long anymore. The incomplete sections are mainly a number of
statement types, set and map declarations and higher order expressions.


Name
====

As Keith Alexander is no longer the director of the NSA and we don't know
specifics about the mischief committed by his successor Michael S. Rogers
yet, this release is simply called "Support Edward Snowden", which is a
timeless worthy cause. 

If you're in Germany, you can order some stickers to show your support for
asylum for Snowden at https://shop.digitalcourage.de/snowden.html for free.

$ nft -v
nftables v0.2 (Support Edward Snowden)


Resources
=========

The nftables code can be obtained from:

* http://netfilter.org/projects/nftables/downloads.html
* ftp://ftp.netfilter.org/pub/nftables
* git://git.netfilter.org/nftables

To build the code, libnftnl and libmnl are required:

* http://netfilter.org/projects/libnftnl/index.html
* http://netfilter.org/projects/libmnl/index.html

The iptables compatibility layer is available at:

* git://git.netfilter.org/iptables-nftables


The website updates are still in progress, but will be completed soon.


Outlook
=======

The pace of development is still increasing and lots of interesting things
are in the pipeline. Features currently worked on and most likely included
in the next version include:

* netlink event monitor - monitor ruleset events, set changes etc.

* support for concatenations - multidimensional exact matches in O(1)

* new transaction infrastructure - fully atomic updates for all object types

* set selection - automatic selection of the optimal set implementation

* JSON/XML import - the counterpart to the new ruleset export facility


Thanks
======

Thanks to all our contributors, testers and bug reporters, who have all
helped to improve nftables.


On behalf of the Netfilter Core Team,
Happy bytecode execution :)

View attachment "shortlog.txt" of type "text/plain" (4989 bytes)
