Message-ID: <20171012234941.GA892@salvia>
Date:   Fri, 13 Oct 2017 01:49:41 +0200
From:   Pablo Neira Ayuso <pablo@...filter.org>
To:     netfilter-devel@...r.kernel.org
Cc:     netdev@...r.kernel.org, netfilter@...r.kernel.org,
        netfilter-announce@...ts.netfilter.org, lwn@....net
Subject: [ANNOUNCE] nftables 0.8 release

Hi!

The Netfilter project proudly presents:

        nftables 0.8

This release contains new features available up to the (upcoming)
Linux 4.14 kernel release:

* Support for stateful objects. These objects are uniquely identified by
  a user-defined name, you can refer to them from rules, and there is a
  well established interface to operate on them, eg.

     # nft add counter filter test

  This creates a counter object whose name is 'test'.

     # nft list counters
     table ip filter {
            counter test {
                     packets 0 bytes 0
            }
     }

  You can then refer to these objects from maps:

     # nft add table filter
     # nft add chain filter input { type filter hook input priority 0\; }
     # nft add map filter badguys { type ipv4_addr : counter \; }
     # nft add rule filter input counter name ip saddr map @badguys
     # nft add counter filter badguy1
     # nft add counter filter badguy2
     # nft add element filter badguys { 192.168.2.3 : "badguy1" }
     # nft add element filter badguys { 192.168.2.4 : "badguy2" }

  Implicit map definitions are supported too:

     table ip filter {
            counter http-traffic {
                    packets 8 bytes 672
            }

            chain input {
                    type filter hook input priority 0; policy accept;
                    counter name tcp dport map { 80 : "http-traffic", 443 : "http-traffic"}
            }
     }

  You can atomically dump and reset these objects, so no traffic goes
  unaccounted between the read and the reset:

     # nft reset counter ip filter badguy1
     counter badguy1 {
            packets 1024 bytes 100000
     }
     # nft reset counter ip filter badguy1
     counter badguy1 {
            packets 0 bytes 0
     }

  Currently counters, quotas and limits are supported as stateful objects.
  Note: limit objects require kernel 4.14-rc or later.
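
  As an added example (not part of this announcement and not the nftables
  project's own code), here is the stateful-objects material above gathered
  into one loadable ruleset file plus a small shell wrapper: named counters
  fed from a map keyed by source address, a named quota referenced from a
  rule, and the dump-and-reset step. The object names (badguy1, badguy2,
  https_cap), the 10 gbytes cap and the /tmp path are assumptions, and the
  leading 'flush ruleset' discards whatever ruleset is currently loaded.

```sh
#!/bin/sh
# Added example, not from the nftables 0.8 announcement: one ruleset file
# declaring counter and quota objects, a map from source address to counter,
# and rules that reference the objects by name. Names are constructed here.
set -eu

# Emit a complete ruleset on stdout. "flush ruleset" first makes the load
# idempotent (and wipes any other tables); nft -f commits the file atomically.
stateful_ruleset() {
    cat <<'EOF'
flush ruleset
table ip filter {
    # named counters, one per watched host, fed by the map lookup below
    counter badguy1 {
        packets 0 bytes 0
    }
    counter badguy2 {
        packets 0 bytes 0
    }

    # named quota: the referencing rule matches once more than 10 GiB passed
    quota https_cap {
        over 10 gbytes
    }

    map badguys {
        type ipv4_addr : counter
        elements = { 192.168.2.3 : "badguy1",
                     192.168.2.4 : "badguy2" }
    }

    chain input {
        type filter hook input priority 0; policy accept;
        # look the source address up in the map and bump the matching counter
        counter name ip saddr map @badguys
        # drop HTTPS once the named quota is exhausted
        tcp dport https quota name "https_cap" drop
    }
}
EOF
}

# Names of the stateful objects declared above, in declaration order,
# derived from the ruleset text so a renamed object cannot go stale here.
# Object headers look like "counter badguy1 {"; rules that merely reference
# an object ("counter name ...") have no "{" in third position.
stateful_object_names() {
    stateful_ruleset | awk '($1 == "counter" || $1 == "quota") && $3 == "{" { print $2 }'
}

# Dump-and-reset every badguy counter: nft prints the current values and
# zeroes the object in one atomic operation.
reset_badguy_counters() {
    for name in $(stateful_object_names); do
        case "$name" in
            badguy*) nft reset counter ip filter "$name" ;;
        esac
    done
}

main() {
    stateful_ruleset > /tmp/stateful.nft
    nft -c -f /tmp/stateful.nft     # dry run: parse and validate only
    nft -f /tmp/stateful.nft        # load atomically
    reset_badguy_counters
}

# Run as "sh stateful.sh run" on a box with nft and root; sourcing the file
# only defines the functions.
if [ "${1:-}" = "run" ]; then
    main
fi
```

  Because 'reset' returns the old values and zeroes the object in the same
  kernel transaction, a periodic accounting job can simply parse what it
  prints; a separate 'list' followed by a 'reset' would lose whatever
  arrived in between.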

* Sort set elements when listing them, from lowest to largest, eg.

     # nft add table x
     # nft add set x y { type ipv4_addr\; }
     # nft add element x y { 192.168.1.2, 192.168.1.1, 192.168.1.4, 192.168.1.3 }
     # nft list ruleset
     table ip x {
            set y {
                    type ipv4_addr
                    elements = { 192.168.1.1, 192.168.1.2,
                                 192.168.1.3, 192.168.1.4 }
            }
     }

  When listing very large sets, nft takes almost the same time as
  before, so the impact of this new feature is negligible.

* TCP option matching and mangling support. This includes TCP maximum
  segment size mangling, eg.

    # nft add rule mangle forward tcp flags syn tcp option maxseg size set rt mtu

  If you own a router with ppp interfaces, you have no excuse not to
  migrate to nftables: this is your replacement for the TCPMSS target ;-)
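
  Added example, not from this announcement or the project: the classic
  iptables TCPMSS clamp for a PPP uplink beside its nftables 0.8
  counterpart, as shell functions that print the commands to run. The
  interface name ppp0 and the mangle chain priority of -150 are
  assumptions. It uses oifname rather than oif on purpose: ppp interfaces
  are torn down and recreated on every redial, and oif binds a rule to an
  interface index that stops existing when that happens.

```sh
#!/bin/sh
# Added example (not the project's code): MSS clamping, iptables vs nftables.
# The uplink interface name is passed as $1; "ppp0" is assumed in the test.
set -eu

# Old: iptables TCPMSS target, clamping to the path MTU on outgoing SYNs.
iptables_mss_clamp() {
    printf 'iptables -t mangle -A FORWARD -o %s -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu\n' "$1"
}

# New: the nftables 0.8 equivalent. The flag mask mirrors iptables'
# "--tcp-flags SYN,RST SYN" (SYN set, RST clear) rather than the looser
# "tcp flags syn". oifname matches by name, so the rule survives the ppp
# link going down and coming back with a new interface index.
nft_mss_clamp() {
    cat <<EOF
nft add table ip mangle
nft add chain ip mangle forward '{ type filter hook forward priority -150; }'
nft add rule ip mangle forward 'oifname "$1" tcp flags & (syn|rst) == syn tcp option maxseg size set rt mtu'
EOF
}

# Execute the nft commands (needs root and nft in PATH).
apply_mss_clamp() {
    nft_mss_clamp "$1" | sh
}

if [ "${1:-}" = "run" ]; then
    apply_mss_clamp "${2:-ppp0}"
fi
```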

* Add new `-s' option for listings without stateful information:

     # nft -s list ruleset
     table ip filter {
            chain output {
                    type filter hook output priority 0; policy accept;
                    tcp dport https counter
                    tcp dport https quota 25 mbytes
            }
     }

* Add new -c/--check option for nft, to test whether your ruleset loads
  into the kernel without actually committing it (a dry-run mode), eg.

     # nft -c -f ruleset.nft

  You can also use it in incremental rule updates scenarios:

     # nft -c add rule x y counter

* Connection tracking helper support, eg.

     table ip filter {
             ct helper ftp-standard {
                    type "ftp" protocol tcp
             }

             chain y {
                    tcp dport ftp ct helper set "ftp-standard"
             }
     }

  Note for iptables users: in nftables you have to declare the helper you
  want to enable explicitly, then assign it from rules, since the former
  automatic helper assignment approach is deprecated; for more info see:
  https://home.regit.org/netfilter-en/secure-use-of-helpers/
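
  Added example (not the project's own) of the explicit helper model the
  note above describes: the helper is declared as an object, assigned only
  to control connections bound for one FTP server, and the data
  connections it expects are accepted as related traffic. The server
  address 192.0.2.10 and the chain layout are assumptions.

```sh
#!/bin/sh
# Added example, not from the nftables 0.8 announcement: explicit conntrack
# helper assignment restricted to a single FTP server (address assumed).
set -eu

ftp_helper_ruleset() {
    cat <<'EOF'
table ip filter {
    # the helper is a named object; nothing uses it until a rule assigns it
    ct helper ftp-standard {
        type "ftp" protocol tcp
    }

    chain prerouting {
        type filter hook prerouting priority 0; policy accept;
        # assign the helper only to control connections for our own FTP
        # server, never to arbitrary port-21 traffic crossing the box
        ip daddr 192.0.2.10 tcp dport ftp ct helper set "ftp-standard"
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        # data connections the helper expected show up as "related"
        ct state established,related accept
        ip daddr 192.0.2.10 tcp dport ftp ct state new accept
    }
}
EOF
}

# The rules that assign a helper, extracted from the ruleset text, so a
# review can confirm every assignment is scoped to a destination address.
helper_assignments() {
    ftp_helper_ruleset | grep 'ct helper set' | sed 's/^[[:space:]]*//'
}

# Load the ruleset after a dry run (needs root and nft in PATH).
load_ftp_helper_ruleset() {
    tmp=$(mktemp)
    ftp_helper_ruleset > "$tmp"
    nft -c -f "$tmp" && nft -f "$tmp"
    rm -f "$tmp"
}

if [ "${1:-}" = "run" ]; then
    load_ftp_helper_ruleset
fi
```

  Scoping the assignment to 'ip daddr' matters: a helper parses payload to
  open expectations, so attaching it to every connection on port 21 would
  let any host on the wire steer what the firewall punches through.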

* Add --echo option, to print back what the kernel actually added;
  together with --handle this shows the handle the kernel allocates to
  uniquely identify each rule, eg.

     # nft --echo --handle add rule ip t c tcp dport {22, 80} accept
     add rule ip t c tcp dport { ssh, http } accept # handle 2

* Conntrack zone support, eg.

     table raw {
            chain pre {
                   type filter hook prerouting priority -300;
                   iif eth3 ct zone set 23
            }
            chain out {
                   type filter hook output priority -300;
                   oif eth3 ct zone set 23
            }
     }

* Symmetric hash support, eg.

     # nft add rule ip nat prerouting ct mark set symhash mod 2

* Add support to include directories from nft native scripts; the files
  are loaded in alphanumerical order, eg.

     include "/foo/*.nft"

  Assuming the following content on such folder:

        /foo
        /foo/02_rules.nft
        /foo/01_rules.nft

  "01_rules.nft" is loaded before "02_rules.nft".

* Allow checking whether an IPv6 extension header or a TCP option exists
  or is missing, eg.

     # nft add rule ip6 x y exthdr frag exists drop
     # nft add rule inet x y tcp option window missing drop

  Same for fib lookups, eg.

     # nft add rule x y fib daddr oif exists accept

* Extend quota support to display consumed bytes, eg.

    table ip x {
            chain y {
                    type filter hook forward priority 0; policy accept;
                    quota over 200 mbytes used 1143 kbytes drop
            }
    }

  This is useful to restore quota state between reboots.
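
  Added example that ties the -c dry run, the directory include and the
  quota 'used' field above together into one deployment wrapper; none of
  it is the project's own code. The directory /etc/nftables.d, the state
  file path and the NFT variable are assumptions. load_order reproduces
  the file order a glob include yields, which is why numeric prefixes
  should be zero-padded.

```sh
#!/bin/sh
# Added example, not from the nftables 0.8 announcement: validate a
# directory of .nft fragments with a dry run, commit them atomically, and
# persist quota state across reboots. Paths below are assumptions.
set -eu

NFT=${NFT:-nft}
CONF_DIR=${CONF_DIR:-/etc/nftables.d}
STATE_FILE=${STATE_FILE:-/var/lib/nftables/ruleset.nft}

# The order in which files matched by include "dir/*.nft" are loaded:
# sorted by name, byte-wise. Zero-pad numeric prefixes, otherwise
# "10_x.nft" loads before "2_x.nft".
load_order() {
    dir=$1
    for f in "$dir"/*.nft; do
        [ -e "$f" ] || continue
        basename "$f"
    done | LC_ALL=C sort
}

# The top-level file that pulls the directory in. "flush ruleset" makes
# the load idempotent; everything in the file commits as one transaction.
main_ruleset() {
    printf 'flush ruleset\ninclude "%s/*.nft"\n' "$1"
}

# Dry run first; only if the kernel accepts the whole ruleset is it
# committed, so a typo in one fragment never leaves a half-applied firewall.
safe_apply() {
    tmp=$(mktemp)
    main_ruleset "$CONF_DIR" > "$tmp"
    if "$NFT" -c -f "$tmp"; then
        "$NFT" -f "$tmp"
        rm -f "$tmp"
    else
        echo "ruleset rejected by dry run, kernel ruleset unchanged" >&2
        rm -f "$tmp"
        return 1
    fi
}

# Since 0.8 listings carry "used N bytes" on quotas, dumping the live
# ruleset at shutdown and reloading it at boot carries consumed quota over.
save_state() {
    "$NFT" list ruleset > "$STATE_FILE"
}

restore_state() {
    "$NFT" -c -f "$STATE_FILE" && "$NFT" -f "$STATE_FILE"
}

case "${1:-}" in
    apply)   safe_apply ;;
    save)    save_state ;;
    restore) restore_state ;;
esac
```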

* Add ct average matching, to match average bytes per packet a connection has
  transferred so far, to map the existing feature available in the
  iptables connbytes match.

   eg. match average pkt in both directions:
     # nft add rule x y ct avgpkt gt 100

   eg. match avgpkt in original direction:
     # nft add rule x y ct original avgpkt gt 200

* Allow to flush maps and flow tables, eg.

     # nft flush map filter map1
     # nft flush flow table filter ft-https

* Allow to embed a set definition into another set, eg. with this
  ruleset.nft:

     define myset = {
           1.1.1.0,
           2.2.2.0,
     }
     add rule x y ip saddr { $myset, 3.3.3.0 }

  loaded via:

     # nft -f ruleset.nft

  And nesting one definition inside another works too:

     define dnat_ports      = { 1234-1567 }
     define port_allow      = {
            53,             # dns
            $dnat_ports,    # dnat
     }

* Slightly better error reporting when a ruleset is loaded via nft -f, eg.

     # nft -f /home/test/x
     /home/test/x:4:17-70: Error: Could not process rule: No such file or directory
                    ip saddr { 1.1.1.1, 2.2.2.2, 3.3.3.3, 4.4.4.4 } jump x
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

  In the example above, the chain 'x' that this jump refers to does not exist.
  We can still do better and make it even more fine-grained...

* Wrap long set element lists over several lines when listing, instead
  of printing them on a single line, eg.

    % nft list ruleset -nnn
    table ip t {
            set s {
                    type inet_service
                    elements = { 1, 2, 3, 4, 10,
                                 432, 433, 434, 435, 436,
                                 437, 438, 439, 440, 441,
                                 442, 443, 444, 445, 446,
                                 447, 448, 449, 450, 12345 }
            }
    }

  The current approach is rather simple and could be improved, since the
  number of elements that fit per line is not calculated from the number
  of terminal columns, but we can do that at some point.

* Allow to list sets in a table, eg.

     # nft list sets table inet filter

* Conntrack event filtering support via rule, eg.

     # nft add rule x y ct event new counter

... lots of bugfixes too:

* Fix wrong bytecode generation for IPv6 that may result in mismatching
  packets due to extensions placed before the transport header.
* Always print range expressions numerically. This has been a problem
  with network services, where the character '-' may be part of the
  service name.
* Replace getaddrinfo() with an internal inet_service lookup table: we no
  longer rely on /etc/services, so the parser gets predictable input.
* Do not round consumed quota bytes when listing them.
* Fix print of ip dnat address.
* Fix icmp matching in inet tables.
* Fix display of set keys with host byte order.
* Fix nested set merge size adjustment, eg.

     # nft add rule x y ip saddr { { 1.1.1.0/24, 3.3.3.0/24 }, 2.2.2.0/24 }

* Fix missing seed option in hash expression in listings.
* Generate a random seed in hash expression if seed option is empty, eg.

     # nft add rule x y ct mark set jhash ip saddr mod 2

  generates a random seed internally, which is not displayed. If you want
  an explicit seed, you have to specify it.
* Allow matching ICMPv6 packets from IPv4: this is firewall software, so
  we should allow matching even things that don't make sense.
* Fix printing of range elements in named sets in monitor mode.
* Fix printing of optional attributes 'flags', 'gc-interval' and
  'timeout' in set declarations.
* Fix parsing of IPv4-Mapped IPv6 addresses.
* Fix lots of memory leaks.

... and lots of documentation updates! and regression tests!

Resources
=========

The nftables code can be obtained from:

* http://netfilter.org/projects/nftables/downloads.html
* ftp://ftp.netfilter.org/pub/nftables
* git://git.netfilter.org/nftables

To build the code, libnftnl 1.0.8 and libmnl >= 1.0.2 are required:

* http://netfilter.org/projects/libnftnl/index.html
* http://netfilter.org/projects/libmnl/index.html

Visit our wikipage for user documentation at:

* http://wiki.nftables.org

For the manpage reference, check man(8) nft.

In case of bugs and feature requests, file them via:

* https://bugzilla.netfilter.org

Please check for an existing report before filing a duplicate, thanks!

Happy firewalling!
