Message-ID: <20141216004041.GB11371@salvia>
Date: Tue, 16 Dec 2014 01:40:41 +0100
From: Pablo Neira Ayuso <pablo@...filter.org>
To: netfilter-devel@...r.kernel.org
Cc: netdev@...r.kernel.org, netfilter@...r.kernel.org,
netfilter-announce@...ts.netfilter.org, lwn@....net,
kaber@...sh.net
Subject: [ANNOUNCE] nftables 0.4 release
Hi!
The Netfilter project proudly presents:
nftables 0.4
This release contains a lot of bug fixes and the new features supported by
kernels up to the recent 3.18 release (plus some features coming with the
not yet released 3.19-rc).
New features
============
* Add support for global ruleset operations (available since 3.18).
Get rid of all tables, chains, and rules in one go:
# nft flush ruleset
List the ruleset for all existing families:
# nft list ruleset
You can save the ruleset and restore it via:
# echo "flush ruleset" > ruleset.file
# nft list ruleset >> ruleset.file
# nft -f ruleset.file
This mimics iptables-restore, including the ruleset for all
supported families: ip, ip6, inet, bridge and arp.
* Full logging support for all the families, including nfnetlink_log
support (available since 3.17).
* Automatic selection of the optimal set implementation (available
since 3.16).
You can tell the kernel to choose the set representation according to the
space-time trade-off you prefer, e.g. optimize for memory:
# nft add set filter set1 { type ipv4_addr ; policy memory ; }
Or optimize performance:
# nft add set filter set1 { type ipv4_addr ; policy performance ; }
You can also use this in maps:
# nft add map filter map1 { type ipv4_addr : verdict ; policy performance ; }
And indicate the expected size to assist the set selection routine:
# nft add set filter set1 { type ipv4_addr ; size 1024 ; }
* Complete reject support (available for ip, ip6 and inet since 3.14;
bridge support and the icmpx abstraction since 3.18).
# nft add rule filter input reject with icmp type host-unreachable
and for IPv6:
# nft add rule ip6 filter input reject with icmpv6 type no-route
and you can use the icmpx abstraction from the inet table, which is
translated to ICMP or ICMPv6 according to the family of the packet:
# nft add rule inet filter input reject with icmpx type no-route
and reject TCP traffic with a TCP reset:
# nft add rule filter input reject with tcp reset
* Masquerading support (available since 3.18).
# nft add rule nat postrouting masquerade
* Redirect support (available since upcoming Linux kernel 3.19-rc).
# nft add rule nat prerouting tcp dport 22 redirect to 2222
* Support for the NAT flags random, fully-random and persistent.
* Consistency checks to detect interference between concurrent updates and
ruleset dumps (initially available since 3.16, enhanced with ruleset
generations since 3.18).
* Extend meta to support pkttype, cpu and devgroup matching.
* Automatic regression tests through our customized python shell
script.
* Allow libreadline and debugging support to be disabled at configure time.
* Full conversion to autotools.
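The following is an added example, not part of the announcement nor of the nftables project itself. It ties together the global ruleset operations (save and restore through a file that starts with "flush ruleset") with a constructed ruleset file that exercises the features listed above: a set with an explicit policy and size hint, icmpx and TCP reset rejects in an inet table, and masquerade and redirect in a nat table. The NFT variable, the function names and the interface name eth0 are assumptions made for the example; nft itself is only invoked through the save and restore helpers.

```shell
#!/bin/sh
# Added example (not from the nftables 0.4 announcement or the project code).
# Assumes nft >= 0.4 on a kernel >= 3.18 (flush/list ruleset, masquerade,
# icmpx); the redirect rule additionally needs the 3.19-rc kernel mentioned
# in the announcement. NFT can be pointed at a wrapper or stub for testing.
NFT="${NFT:-nft}"

# Write a constructed example ruleset to the file named in $1. The first
# statement is "flush ruleset", so loading the file replaces the whole
# ruleset instead of appending to whatever is already loaded.
write_example_ruleset() {
    cat > "$1" <<'EOF'
# Applied by "nft -f" as one batch: either everything loads or nothing does.
flush ruleset

table inet filter {
    # Set optimised for memory; "size" hints the kernel's implementation choice.
    set blocked4 {
        type ipv4_addr
        policy memory
        size 1024
    }

    chain input {
        type filter hook input priority 0;
        ct state established,related accept
        ct state invalid drop
        ip saddr @blocked4 drop
        tcp dport 22 accept
        # TCP gets a reset, everything else an ICMP/ICMPv6 "no route" error;
        # icmpx lets a single inet rule cover both IPv4 and IPv6.
        meta l4proto tcp reject with tcp reset
        reject with icmpx type no-route
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority 0;
        # Needs the 3.19-rc kernel: rewrite incoming SSH to a local port.
        tcp dport 22 redirect to 2222
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "eth0" masquerade
    }
}
EOF
}

# Save the live ruleset into $1 in a form suitable for an atomic restore.
save_ruleset() {
    # Without this first line a later "nft -f" would duplicate every rule.
    printf 'flush ruleset\n' > "$1"
    "$NFT" list ruleset >> "$1"
}

# Restore $1; nft -f hands the whole file to the kernel in one batch.
restore_ruleset() {
    "$NFT" -f "$1"
}

# Guard for restore scripts: the first statement (ignoring blank and comment
# lines) must be "flush ruleset", otherwise the file appends instead of replacing.
check_ruleset_file() {
    first=$(grep -v -e '^[[:space:]]*$' -e '^[[:space:]]*#' "$1" | head -n 1)
    [ "$first" = "flush ruleset" ]
}

# Usage (as root):
#   write_example_ruleset /etc/nftables.example && restore_ruleset /etc/nftables.example
#   save_ruleset /var/backups/ruleset.nft
#   check_ruleset_file /var/backups/ruleset.nft && restore_ruleset /var/backups/ruleset.nft
```

check_ruleset_file is the one piece a practitioner tends to forget: a listing saved without the leading "flush ruleset" loads without error and silently leaves every rule present twice.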
Syntax changes
==============
* 'queue' flags are now expressed as a list of comma-separated symbols:
# nft add filter input counter queue num 0-3 fanout,bypass
for consistency with other flags, which are always expressed this way.
* nft no longer resolves names by default: IP addresses are always listed
in their numeric representation. The new '-N' option requests name
resolution.
Bug fixes
=========
* Crash with anonymous sets with lots of elements.
* Several annoying byteorder issues that resulted in incorrect bytecode
generation and wrong listings.
* Endianness problems reported from little endian archs.
* Named verdict maps, eg.
# nft add map filter my_vmap { type ipv4_addr : verdict\; }
# nft add element filter my_vmap { 1.1.1.1 : drop, 2.2.2.2 : drop}
# nft add rule filter input ip saddr vmap @my_vmap
* Crash in 'nft describe' with wrong expressions.
* Parsing of ether types.
* Crash when a basetype value is used in place of the symbolic name, eg.
# nft add rule filter input ct state 8 accept
instead of 'ct state new' (8 is the numeric value of the 'new' state).
* Crash on wrong values when performing basetype parsing, eg.
<cmdline>:1:29-31: Error: Could not parse conntrack state
add rule test test ct state xxx accept
^^^
* Broken listing of meta and ct range expressions, eg.
nft add rule filter input meta length 33-55 counter
* Don't display a BUG message on too large decimal/hexadecimal values.
Resources
=========
The nftables code can be obtained from:
* http://netfilter.org/projects/nftables/downloads.html
* ftp://ftp.netfilter.org/pub/nftables
* git://git.netfilter.org/nftables
To build the code, libnftnl and libmnl are required:
* http://netfilter.org/projects/libnftnl/index.html
Thanks
======
Thanks to all our contributors, testers and bug reporters, who have all
helped to get rid of a good bunch of bugs and push new features.
On behalf of the Netfilter Core Team,
Happy bytecode execution :)
Attachment: changes-nftables-0.4.txt (text/plain, 7598 bytes)