Message-ID: <20190624164910.defehs5giqziqnir@salvia>
Date: Mon, 24 Jun 2019 18:49:11 +0200
From: Pablo Neira Ayuso <pablo@...filter.org>
To: netfilter <netfilter@...r.kernel.org>,
netfilter-devel <netfilter-devel@...r.kernel.org>
Cc: netdev@...r.kernel.org
Subject: [ANNOUNCE] nftables 0.9.1 release
Hi!
The Netfilter project proudly presents:
nftables 0.9.1
This release contains fixes and new features, available with Linux
kernels >= 5.2.
* IPsec support, which allows matching on IPsec tunnel/beet addresses in xfrm
state associated with a packet, IPsec request id and the SPI, eg.
... ipsec in ip saddr 192.168.1.0/24
... ipsec out ip6 daddr @endpoints
... ipsec in spi 1-65536
You can also check whether the route performs IPsec tunneling, eg.
filter output rt ipsec missing drop
which drops output packets whose route carries no IPsec transform.
* IGMP matching support, eg.
# nft add rule netdev foo bar igmp type membership-query counter drop
in case you want to drop IGMP membership queries from the ingress path.
* Use variable to define jump / goto chain, eg.
define dest = ber
add table ip foo
add chain ip foo bar {type filter hook input priority 0;}
add chain ip foo ber
add rule ip foo ber counter
add rule ip foo bar jump $dest
* Operating System fingerprint (osf) support, eg.
... meta mark set osf ttl skip name map { "Linux" : 0x1,
                                          "Windows" : 0x2,
                                          "MacOS" : 0x3,
                                          "unknown" : 0x0 }
This allows you to mark packets based on the guessed OS. If osf does
not guess the OS, then traffic falls under the "unknown" OS type. Note
that the example above skips TTL header field checks.
You can also check for specific OS version:
... osf ttl skip version "Linux:4.20"
This passive fingerprinting is based on the OS definitions available
through the pf.os file.
* ARP sender and target IPv4 address matching, eg.
table arp x {
    chain y {
        type filter hook input priority filter; policy accept;
        arp saddr ip 192.168.2.1 counter packets 1 bytes 46
    }
}
This updates rule counters for ARP packets originating from the
192.168.2.1 address.
* transparent proxy support (tproxy), eg.
table ip x {
    chain y {
        type filter hook prerouting priority -150; policy accept;
        tcp dport 80 tproxy to :8080
    }
}
* socket mark support, to retrieve the socket mark that is set via setsockopt()
with SO_MARK by the process, eg.
table inet x {
    chain y {
        type filter hook prerouting priority -150; policy accept;
        tcp dport 8080 mark set socket mark
    }
}
* Support for textual chain priorities, eg.
nft add table ip x
nft add chain ip x raw { type filter hook prerouting priority raw; }
nft add chain ip x filter { type filter hook prerouting priority filter; }
nft add chain ip x filter_later { type filter hook prerouting priority filter + 10; }
which are listed by textual priority by default. You can disable this
via the -y option, eg. nft -y list ruleset.
* Secmark support, eg.
# nft add secmark inet filter sshtag \"system_u:object_r:ssh_server_packet_t:s0\"
This defines "sshtag" for this secctx context string; then, you
can use it from rules to set the secmark:
# nft add rule inet filter input tcp dport 22 meta secmark set "sshtag"
you may also combine this with maps:
# nft add map inet filter secmapping { type inet_service : secmark\; }
# nft add element inet filter secmapping { 22 : "sshtag" }
# nft add rule inet filter input meta secmark set tcp dport map @secmapping
* Honor /etc/services, eg.
# nft add rule x y tcp dport \"ssh\"
# nft list ruleset -l
table x {
    chain y {
        ...
        tcp dport "ssh"
    }
}
You can list this numerically via the -S option.
* Interface kind support, eg.
add rule inet raw prerouting meta iifkind "vrf" accept
oifkind is also available for the output path.
* Improved support for dynamic set updates, through an explicit dynamic flag
for sets updated from the packet path. The syntax has also been updated, eg.
# cat dynamic-sets.nft
add table x
add set x s { type ipv4_addr; size 128; timeout 30s; flags dynamic; }
add chain x y { type filter hook input priority 0; }
add rule x y update @s { ip saddr }
This ruleset updates the set 's' by adding IPv4 source addresses. For
each packet seen, the timer is refreshed; after 30 seconds without
packets from this address, the entry expires.
# nft -f dynamic-sets.nft
# nft list set x s
table ip x {
    set s {
        type ipv4_addr
        size 128
        flags dynamic,timeout
        timeout 30s
        elements = { 47.215.7.47 expires 26s484ms,
                     112.212.124.247 expires 25s268ms }
    }
}
Use this 'dynamic' flag to indicate to the kernel that this set will be
updated from the packet path.
You can also combine this with stateful expressions, eg.
table ip x {
    set xyz {
        type ipv4_addr
        size 65535
        flags dynamic,timeout
        timeout 1h
    }
    chain y {
        type filter hook output priority filter; policy accept;
        update @xyz { ip daddr counter } counter
    }
}
where each entry in 'xyz' gets a counter.
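Because an operator watching a dynamic set usually wants to know how full it is and which entries are about to age out, here is a small parser for the "nft list set" output shown above. It is an added example, not code from the nftables project: the listing it parses is constructed from the sample above, the duration grammar (digits followed by d/h/m/s/ms, concatenated) is what nft prints for timeouts and expiry, and the helper names are my own.

```python
import re

# Constructed sample in the format of the "nft list set x s" output above.
SAMPLE_LISTING = """\
table ip x {
    set s {
        type ipv4_addr
        size 128
        flags dynamic,timeout
        timeout 30s
        elements = { 47.215.7.47 expires 26s484ms,
                     112.212.124.247 expires 25s268ms }
    }
}
"""

# nft durations are concatenated "<n><unit>" tokens, eg. "26s484ms" or "1h".
DUR_RE = re.compile(r"(\d+)(ms|d|h|m|s)")   # "ms" must be tried before "m"
UNIT_MS = {"d": 86_400_000, "h": 3_600_000, "m": 60_000, "s": 1_000, "ms": 1}
ELEM_RE = re.compile(r"^(?P<elem>\S+)(?:\s+expires\s+(?P<exp>\S+))?$")


def duration_ms(text):
    """Convert an nft duration such as '26s484ms' to milliseconds; reject garbage."""
    pos, total = 0, 0
    for m in DUR_RE.finditer(text):
        if m.start() != pos:
            raise ValueError(f"bad duration: {text!r}")
        total += int(m.group(1)) * UNIT_MS[m.group(2)]
        pos = m.end()
    if pos == 0 or pos != len(text):
        raise ValueError(f"bad duration: {text!r}")
    return total


def parse_set_listing(text):
    """Extract type, size, flags, timeout and (element, remaining ms) pairs."""
    def field(name):
        m = re.search(rf"^\s*{name}\s+(\S+)\s*$", text, re.M)
        return m.group(1) if m else None

    info = {
        "type": field("type"),
        "size": int(field("size")) if field("size") else None,
        "flags": field("flags").split(",") if field("flags") else [],
        "timeout_ms": duration_ms(field("timeout")) if field("timeout") else None,
        "elements": [],
    }
    m = re.search(r"elements\s*=\s*\{(?P<body>[^}]*)\}", text, re.S)
    if m:
        for item in m["body"].split(","):
            item = " ".join(item.split())  # collapse newlines and indentation
            if not item:
                continue
            em = ELEM_RE.match(item)
            exp = duration_ms(em["exp"]) if em["exp"] else None
            info["elements"].append((em["elem"], exp))
    return info


def expiring_within(info, window_ms):
    """Elements whose remaining lifetime is at most window_ms, soonest first."""
    hits = [(e, x) for e, x in info["elements"] if x is not None and x <= window_ms]
    return sorted(hits, key=lambda ex: ex[1])


def utilization(info):
    """Fraction of the set's declared size that is currently occupied."""
    return len(info["elements"]) / info["size"]


if __name__ == "__main__":
    s = parse_set_listing(SAMPLE_LISTING)
    print(f"{len(s['elements'])}/{s['size']} entries, timeout {s['timeout_ms']} ms")
    for elem, ms in expiring_within(s, 26_000):
        print(f"{elem} expires in {ms} ms")
```

Feed it the output of `nft list set x s` and it gives you the occupancy of a size-limited set (an attacker sending many distinct sources can fill it) and the entries that will vanish unless the timer is refreshed by another packet.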
* Support for connection tracking timeout policies, which allows
attaching specific timeout policies to flows, eg.
table ip filter {
    ct timeout aggressive-tcp {
        protocol tcp;
        l3proto ip;
        policy = {established: 100, close_wait: 4, close: 4}
    }
    chain output {
        ...
        tcp dport 8888 ct timeout set "aggressive-tcp"
    }
}
This allows you to override the default timeout policy (set via the
/proc/sys/net/netfilter/nf_conntrack_*_timeout_* sysctls) for
packets going to TCP dport 8888.
* NAT support for the inet family, eg.
table inet nat {
    ...
    ip6 daddr dead:2::1 dnat to dead:2::99
}
* Improved error reporting through misspell suggestions:
# nft add table filter
# nft add chain filtre test
Error: No such file or directory; did you mean table ‘filter’ in family ip?
add chain filtre test
          ^^^^^^
* Print default policy in traces, eg.
# nft add rule x y meta nftrace set 1
# nft monitor trace
trace id 6f2db0af ip x y packet: ...
trace id 6f2db0af ip x y rule meta nftrace set 1 (verdict continue)
trace id 6f2db0af ip x y verdict continue
trace id 6f2db0af ip x y policy accept
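The new "policy" trace line is what tells you that a packet was decided by the chain's default policy rather than by a rule, which is exactly the case a firewall review wants to spot. The following parser groups "nft monitor trace" lines by trace id and reports, per packet, the rules it hit and whether a rule or the policy produced the final verdict. It is an added example, not code from the nftables project: the line layout ("trace id <id> <family> <table> <chain> <kind> ...") follows the sample above, the trace lines it parses are constructed, and the function names are my own.

```python
import re
from collections import OrderedDict

# One "nft monitor trace" line: trace id <id> <family> <table> <chain> <kind> <rest>
TRACE_RE = re.compile(
    r"^trace id (?P<id>[0-9a-f]+) (?P<family>\S+) (?P<table>\S+) (?P<chain>\S+) "
    r"(?P<kind>packet:|rule|verdict|policy)\s*(?P<rest>.*)$"
)
# nft appends "(verdict xxx)" to every traced rule line.
RULE_VERDICT_RE = re.compile(r"\s*\(verdict (?P<v>[^)]+)\)\s*$")

# Constructed sample: the first packet only hits "meta nftrace set 1" and is
# accepted by the default policy; the second is dropped by an explicit rule.
SAMPLE_TRACE = """\
trace id 6f2db0af ip x y packet: iif "eth0" ip saddr 192.0.2.10 ip daddr 192.0.2.1 tcp dport 22
trace id 6f2db0af ip x y rule meta nftrace set 1 (verdict continue)
trace id 6f2db0af ip x y verdict continue
trace id 6f2db0af ip x y policy accept
trace id 1a2b3c4d ip x y packet: iif "eth0" ip saddr 198.51.100.7 ip daddr 192.0.2.1 udp dport 53
trace id 1a2b3c4d ip x y rule meta nftrace set 1 (verdict continue)
trace id 1a2b3c4d ip x y rule udp dport 53 counter packets 3 bytes 200 drop (verdict drop)
"""


def is_final(verdict):
    """continue/return/jump/goto move on to more rules; anything else ends the packet's fate."""
    return verdict not in ("continue", "return") and not verdict.startswith(("jump", "goto"))


def parse_trace(text):
    """Group trace lines by id: packet header, matched rules, final verdict and who decided it."""
    traces = OrderedDict()
    for line in text.splitlines():
        m = TRACE_RE.match(line.strip())
        if not m:
            continue  # nft monitor also prints non-trace events; skip them
        t = traces.setdefault(m["id"], {
            "chain": f"{m['family']} {m['table']} {m['chain']}",
            "packet": None, "rules": [], "final": None, "decided_by": None,
        })
        kind, rest = m["kind"], m["rest"].strip()
        if kind == "packet:":
            t["packet"] = rest
        elif kind == "rule":
            vm = RULE_VERDICT_RE.search(rest)
            verdict = vm["v"] if vm else "continue"
            t["rules"].append((RULE_VERDICT_RE.sub("", rest), verdict))
            if t["final"] is None and is_final(verdict):
                t["final"], t["decided_by"] = verdict, "rule"
        elif kind == "policy" and t["final"] is None:
            # end of the base chain reached without a rule verdict: policy decides
            t["final"], t["decided_by"] = rest, "policy"
        # "verdict ..." lines carry the chain-level verdict; nothing extra to record
    return traces


def policy_decided(traces):
    """Trace ids of packets that no rule decided and that fell through to the default policy."""
    return [tid for tid, t in traces.items() if t["decided_by"] == "policy"]


if __name__ == "__main__":
    for tid, t in parse_trace(SAMPLE_TRACE).items():
        print(f"{tid} {t['chain']}: {t['final']} (by {t['decided_by']}), "
              f"{len(t['rules'])} rule(s) matched")
```

Piping `nft monitor trace` through this and listing `policy_decided()` shows which traffic your ruleset never explicitly matched, which is the usual starting point when tightening an accept-by-default chain.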
* Allow interface names in sets, eg.
set sc {
    type inet_service . ifname
    elements = { "ssh" . "eth0" }
}
* Update flowtable rule syntax.
# nft add table x
# nft add flowtable x ft { hook ingress priority 0\; devices = { eth0, wlan0 }\; }
...
# nft add rule x forward ip protocol { tcp, udp } flow add @ft
Prefer 'flow add @ft' for consistency with set and map syntax.
* Improved JSON support.
* Very simple python class which gives access to libnftables API via
ctypes module.
* A few library documentation updates, see:
man(3) libnftables
man(5) libnftables-json
* And memory and file descriptor leak fixes, improved cache logic, among
many other changes behind the scenes...
See ChangeLog that comes attached to this email for more details.
You can download it from:
http://www.netfilter.org/projects/nftables/downloads.html#nftables-0.9.1
ftp://ftp.netfilter.org/pub/nftables/
To build the code, libnftnl 1.1.3 and libmnl >= 1.0.3 are required:
* http://netfilter.org/projects/libnftnl/index.html
* http://netfilter.org/projects/libmnl/index.html
Visit our wikipage for user documentation at:
* http://wiki.nftables.org
For the manpage reference, check man(8) nft.
In case of bugs and feature requests, file them via:
* https://bugzilla.netfilter.org
Happy firewalling!
View attachment "changes-nftables-0.9.1.txt" of type "text/plain" (21031 bytes)