Date:	Thu, 17 Sep 2015 21:42:00 +0200
From:	Pablo Neira Ayuso <pablo@...filter.org>
To:	netfilter-devel@...r.kernel.org
Cc:	netdev@...r.kernel.org, netfilter@...r.kernel.org,
	netfilter-announce@...ts.netfilter.org, lwn@....net,
	kaber@...sh.net
Subject: [ANNOUNCE] nftables 0.5 release

Hi!

The Netfilter project proudly presents:

	nftables 0.5

This release contains bug fixes and new features contained up to the
4.2 kernel release.

New features
============

* Concatenations: You can combine two or more selectors to build a
  tuple, then use it to look up a match in sets, e.g.

  % nft add rule ip filter input ip saddr . tcp dport { \
                1.1.1.1 . 22 , \
                1.1.1.1 . 80 \
    } counter accept

  So nft will check whether the source IP address AND the TCP destination port
  match what you have in the literal set above; if so, it will
  update the rule counter and accept the packet.

  You can also combine concatenations with verdict maps:

  % nft add rule ip filter input ether saddr . ip saddr . meta iif vmap { \
                3c:71:0e:39:bb:20 . 192.168.1.120 . "wlan0" : accept, \
                3c:77:e0:39:aa:21 . 192.168.1.204 . "wlan0" : drop }

  You can also declare a set using concatenations and update its content
  dynamically instead:

  % nft add map filter accesslist { \
        type ether_addr . ipv4_addr . iface_index : verdict \; }
  % nft add rule filter input ether saddr . ip saddr . meta iif vmap @accesslist

  Then, add elements to the set:

  % nft add element filter accesslist { \
        3c:71:0e:39:bb:20 . 192.168.1.120 . wlan0 : accept }

  On a different front, you can also combine concatenations with maps:

  % nft add rule ip nat prerouting dnat ip saddr . tcp dport map { \
                192.168.1.120 . 80 : 1.2.3.4, \
                192.168.1.204 . 22 : 4.3.2.1 }

  In the example above, the destination address that is used in DNAT depends
  on the source IP address and the destination port of the packet.

  You require a Linux kernel >= 4.1 to use this new concatenation feature and
  nftables 0.5 of course.

* Add timeout support for sets: You can specify a lifetime for elements in your
  set declarations, e.g.

  % nft add set filter whitelist { type ipv4_addr\; timeout 1h\; }
  % nft add element filter whitelist { 192.168.1.234 }
  % nft list ruleset
  table ip filter {
        set whitelist {
                type ipv4_addr
                timeout 1h
                elements = { 1.2.3.4 expires 59m56s}
        }
  }

  You can also create the set with no specific timeout:

  % nft add set filter whitelist { type ipv4_addr\; flags timeout\; }

  So you can indicate the timeout when adding the element:

  % nft add element filter whitelist { 192.168.2.123 timeout 1h }

  You can still mix these with elements that reside permanently:

  % nft add element filter whitelist { 192.168.2.180 }

* Add comments per set element, e.g.

  % nft add element filter whitelist { 192.168.0.1 comment \"some host\" }

* Support for mini-gmp: If you're running nft on embedded devices,
  you may want to skip the libgmp dependency via:

  % ./configure --with-mini-gmp

  This compiles nft using the minimal gmp implementation that comes in
  the nftables tarball. Note that your nft binary avoids the libgmp
  dependency at the cost of a slightly larger binary.

* Dormant tables: You can disable the entire ruleset that is contained in a
  table by setting the dormant flag:

  % nft add table filter { flags dormant\; }

  You can re-enable it by typing:

  % nft add table filter

* Allow specifying the default chain policy: You can specify the default chain
  policy when you create the chain:

  % nft add chain filter input { \
        type filter hook input priority 0\; policy drop\; }

  You can also change it for an existing chain anytime by updating it via:

  % nft add chain filter input { policy accept\; }

Bug fixes
=========

* Command-per-line ruleset representation: According to what I can find on the
  Internet, it seems some people like to maintain their ruleset in scripts so
  they can add comments and annotate things there. However, this is a problem
  for two reasons: there is no atomic update, since rules are published to the
  packet path one after another, and this significantly increases the time
  that nft takes to reload your ruleset.

  So, the solution to this problem consists of keeping your ruleset like this:

  % cat my-ruleset-file
  flush ruleset
  add table filter
  add set filter whitelist { type ipv4_addr; }
  add chain filter input { type filter hook input priority 0; }
  add rule filter input iif lo accept
  add rule filter input ct state established,related counter accept
  add rule filter input tcp dport { 22, 80 } counter accept
  add rule filter input ip saddr @whitelist counter accept
  add element filter whitelist { 192.168.1.120 }
  add element filter whitelist { 192.168.1.121 }
  add element filter whitelist { 192.168.1.204 }

  You can also insert comments in the file through '#'.

  Then, you can atomically restore it via:

  % nft -f my-ruleset-file

  You can also use this command-per-line representation to apply
  incremental ruleset updates atomically:

  % cat incremental-ruleset-update
  delete element filter whitelist { 192.168.1.204 }
  add element filter whitelist { 192.168.2.20 }
  add element filter whitelist { 192.168.3.11 }
  add element filter whitelist { 192.168.4.24 }
  delete element filter whitelist { 192.168.1.120 }
  % nft -f incremental-ruleset-update
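
  As an added example (not part of the announcement), the POSIX shell script
  below generates such an incremental update file by diffing the addresses
  currently in the whitelist set against a desired list and validating every
  new entry first. The table and set names follow the ruleset file above; the
  current-element list is constructed sample data standing in for what
  `nft list ruleset` shows for the set.

```shell
#!/bin/sh
# Added example, not from the nftables announcement: build an incremental
# command-per-line update for the whitelist set that `nft -f` loads atomically.
# Assumes table "filter" and set "whitelist" of type ipv4_addr, as in the
# announcement's ruleset file.

# Constructed sample data: addresses currently in the set (as shown by
# `nft list ruleset`) and the addresses that should be in it afterwards.
CURRENT_ELEMENTS='192.168.1.120
192.168.1.121
192.168.1.204'

DESIRED_ELEMENTS='192.168.1.121
192.168.2.20
192.168.3.11'

# is_ipv4 ADDR: accept only a dotted quad with octets 0-255, so a stray or
# malformed entry in the desired list can never end up in the ruleset file.
is_ipv4() {
    case $1 in ''|*[!0-9.]*) return 1;; esac    # digits and dots only
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs  # split on dots
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
}

# build_update CURRENT DESIRED: emit delete lines for addresses that are no
# longer wanted and add lines for new ones; addresses in both lists produce
# nothing, so the update touches only what changed. On an invalid desired
# address it prints nothing and fails, so no partial update is ever loaded.
build_update() {
    cur=$(printf '%s\n' "$1" | sort -u)
    want=$(printf '%s\n' "$2" | sort -u)
    for a in $want; do
        is_ipv4 "$a" || { echo "invalid address in desired list: $a" >&2; return 1; }
    done
    for a in $cur; do   # present now, no longer wanted -> delete
        printf '%s\n' "$want" | grep -qxF -- "$a" ||
            echo "delete element filter whitelist { $a }"
    done
    for a in $want; do  # wanted, not present yet -> add
        printf '%s\n' "$cur" | grep -qxF -- "$a" ||
            echo "add element filter whitelist { $a }"
    done
}

# Print the update; redirect it to a file and load it with `nft -f <file>`.
build_update "$CURRENT_ELEMENTS" "$DESIRED_ELEMENTS"
```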

* Fix monitor mode, i.e. nft monitor, when reloading relatively large rulesets.

* Fix transport matching in bridge when no context is provided, e.g.

  % nft add rule bridge filter input tcp dport 22

* Fix parsing of time values, e.g. ct expiration lt 1m30s

* Fix missing family when listing tables, i.e.

  % nft list tables
  table ip nat
  table ip filter

* Propagate errors to the shell on evaluation problems, e.g.

  % nft add chain filter input { type filter hook inputt priority 0\; }
  <cmdline>:1:43-48: Error: unknown chain hook inputt
  add chain filter input { type filter hook inputt priority 0; }
                                            ^^^^^^
  % echo $?
  1

Resources
=========

The nftables code can be obtained from:

* http://netfilter.org/projects/nftables/downloads.html
* ftp://ftp.netfilter.org/pub/nftables
* git://git.netfilter.org/nftables

To build the code, libnftnl 1.0.5 and libmnl >= 1.0.2 are required:

* http://netfilter.org/projects/libnftnl/index.html
* http://netfilter.org/projects/libmnl/index.html

Thanks
======

Thanks to Patrick McHardy for finishing the concatenation support as
well as the set timeout and comment support; and Steven Barth for the
mini-gmp support.

Happy testing!

