Message-ID: <20141216004041.GB11371@salvia>
Date:	Tue, 16 Dec 2014 01:40:41 +0100
From:	Pablo Neira Ayuso <pablo@...filter.org>
To:	netfilter-devel@...r.kernel.org
Cc:	netdev@...r.kernel.org, netfilter@...r.kernel.org,
	netfilter-announce@...ts.netfilter.org, lwn@....net,
	kaber@...sh.net
Subject: [ANNOUNCE] nftables 0.4 release

Hi!

The Netfilter project proudly presents:

        nftables 0.4

This release contains a lot of bug fixes and new features contained up
to the recent 3.18 kernel release (and some features coming up in the
yet unreleased 3.19-rc).

New features
============

* Add support for global ruleset operations (available since 3.18).
  Get rid of all tables, chains, and rules in one go:

        # nft flush ruleset

  List the ruleset for all existing families:

        # nft list ruleset

  You can save the ruleset and restore it via:

        # echo "flush ruleset" > ruleset.file
        # nft list ruleset >> ruleset.file
        # nft -f ruleset.file

  This mimics iptables-restore, including the ruleset for all
  supported families: ip, ip6, inet, bridge and arp.

* Full logging support for all the families, including nfnetlink_log
  support (available since 3.17).

* Automatic selection of the optimal set implementation (available
  since 3.16).

  You can tell the kernel to optimize your set representation
  according to the space-time tradeoff, eg. optimize memory:

        # nft add set filter set1 { type ipv4_addr \; policy memory \; }

  Or optimize performance:

        # nft add set filter set1 { type ipv4_addr \; policy performance \; }

  You can also use this in maps:

        # nft add map filter map1 { type ipv4_addr : verdict \; policy performance \; }

  And indicate the expected size to assist the set selection routine:

        # nft add set filter set1 { type ipv4_addr \; size 1024 \; }

* Complete reject support (available for ip, ip6 and inet since 3.14;
  bridge support and the icmpx abstraction since 3.18).

        # nft add rule filter input reject with icmp type host-unreachable

  and for IPv6:

        # nft add rule ip6 filter input reject with icmpv6 type no-route

  you can use the ICMPx abstraction from the inet table:

        # nft add rule inet filter input reject with icmpx type no-route

  and TCP traffic with the reset packets:

        # nft add rule filter input reject with tcp reset

* Masquerading support (available since 3.18).

        # nft add rule nat postrouting masquerade

* Redirect support (available since upcoming Linux kernel 3.19-rc).

        # nft add rule nat prerouting tcp dport 22 redirect to 2222

* Support for NAT flag: random, fully-random, persistent.

* Consistency checks for interferences between updates and ruleset dumps
  (initially available since 3.16, enhanced with ruleset generations
  since 3.18).

* Extend meta to support pkttype, cpu and devgroup matching.

* Automatic regression tests through our customized python shell
  script.

* Allow to disable libreadline and debug at configure stage.

* Full conversion to autotools.

Syntax changes
==============

* 'queue' flags are now expressed as a list of comma-separated symbols:

        # nft add rule filter input counter queue num 0-3 fanout,bypass

  for consistency with other flags, which are always expressed like this.
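The features above (global ruleset operations, set and map policies with a
size hint, icmpx reject from the inet table, masquerade, redirect and the
comma-separated queue flags) can be combined in a single ruleset file that
is loaded with 'nft -f', exactly the way the save/restore procedure in the
first item works. The file below is an added example, not part of this
announcement or of the nftables tree; the interface name eth0, the
192.0.2.0/24 addresses and the port numbers are constructed placeholders.

```nft
# Constructed example ruleset for 'nft -f'; not from the nftables project.
# 'flush ruleset' first makes the load idempotent: every table, chain and
# rule of every family is dropped before the file is applied, so loading
# it twice yields the same ruleset (this is what the save/restore recipe
# relies on).
flush ruleset

table inet filter {
        # Space-optimized set with a size hint for the selection routine.
        set blocklist {
                type ipv4_addr
                policy memory
                size 1024
                elements = { 192.0.2.10, 192.0.2.11 }
        }

        # Performance-optimized named verdict map (elements constructed).
        map src_verdict {
                type ipv4_addr : verdict
                policy performance
                elements = { 192.0.2.20 : drop, 192.0.2.21 : accept }
        }

        chain input {
                type filter hook input priority 0;
                ct state established,related accept
                ct state invalid drop
                iif lo accept
                ip saddr @blocklist counter drop
                ip saddr vmap @src_verdict
                tcp dport 22 accept
                # Hand these packets to userspace queues 0-3, load balanced
                # (fanout) and accepted if no listener is bound (bypass).
                tcp dport 80 counter queue num 0-3 fanout,bypass
                # Explicit TCP reset for the ident port, log the rest and
                # reject with the family-independent icmpx type, which the
                # kernel translates to ICMP or ICMPv6 as needed.
                tcp dport 113 reject with tcp reset
                log prefix "input-reject: "
                reject with icmpx type port-unreachable
        }
}

table ip nat {
        chain prerouting {
                type nat hook prerouting priority 0;
                # Redirect incoming ssh to a local port 2222 listener.
                tcp dport 22 redirect to 2222
        }

        chain postrouting {
                type nat hook postrouting priority 100;
                # Masquerade traffic leaving via the (constructed) uplink.
                oif eth0 masquerade
        }
}
```

Load it with 'nft -f ruleset.file' and verify with 'nft list ruleset'; since
the listing covers all families, the output can be saved and replayed the
same way.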

* nft doesn't resolve names by default anymore. IP addresses are
  always expressed in the numeric representation. A new '-N' option
  allows you to request name resolution.

Bug fixes
=========

* Crash with anonymous sets with lots of elements.

* Several annoying byteorder issues that resulted in incorrect bytecode
  generation and wrong listings.

* Endianness problems reported from little endian archs.

* Named verdict maps, eg.

        # nft add map filter my_vmap { type ipv4_addr : verdict\; }
        # nft add element filter my_vmap { 1.1.1.1 : drop, 2.2.2.2 : drop}
        # nft add rule filter input ip saddr vmap @my_vmap

* Crash in 'nft describe' with wrong expressions.

* Parsing of ether types.

* Crash on usage of basetypes, eg.

        # nft add rule filter input ct state 8 accept

  instead of 'ct state new'.

* Crash on wrong values when performing basetype parsing, eg.

     <cmdline>:1:29-31: Error: Could not parse conntrack state
     add rule test test ct state xxx accept
                                 ^^^

* Broken listing of meta and ct range expressions, eg.

        nft add rule filter input meta length 33-55 counter

* Don't display a BUG message on too large decimal/hexadecimal values.

Resources
=========

The nftables code can be obtained from:

* http://netfilter.org/projects/nftables/downloads.html
* ftp://ftp.netfilter.org/pub/nftables
* git://git.netfilter.org/nftables

To build the code, libnftnl and libmnl are required:

* http://netfilter.org/projects/libnftnl/index.html

Thanks
======

Thanks to all our contributors, testers and bug reporters, who have
all helped to get rid of a good bunch of bugs and push new features.

On behalf of the Netfilter Core Team,
Happy bytecode execution :)
