Message-ID: <20190819115807.myv6owxzblj2bthd@salvia>
Date: Mon, 19 Aug 2019 13:58:07 +0200
From: Pablo Neira Ayuso <pablo@...filter.org>
To: netfilter <netfilter@...r.kernel.org>,
netfilter-devel <netfilter-devel@...r.kernel.org>
Cc: netdev@...r.kernel.org, lwn@....net
Subject: [ANNOUNCE] nftables 0.9.2 release
Hi!
The Netfilter project proudly presents:
nftables 0.9.2
This release contains fixes and new features, available with Linux
kernels >= 5.3-rc.
* Transport header port matching, e.g.
add rule x y ip protocol { tcp, udp } th dport 53
This allows you to match on transport protocol ports regardless of
the layer 4 protocol type. You can also use this from sets, maps and
concatenations, e.g.
table inet filter {
        set myset {
                type ipv4_addr . inet_proto . inet_service
        }
        chain forward {
                type filter hook forward priority filter; policy accept;
                ip daddr . ip protocol . th dport @myset
        }
}
* Allow restoring the expiration of set elements:
add element ip x y { 1.1.1.1 timeout 30s expires 15s }
* Match on IPv4 options, e.g.
add rule x y ip option rr exists drop
You can also match on type, ptr, length and addr fields of routing
options, e.g.
add rule x y ip option rr type 1 drop
lsrr, rr, ssrr and ra IPv4 options are supported.
* Use prefix and ranges in statements, e.g.
iifname ens3 snat to 10.0.0.0/28
iifname ens3 snat to 10.0.0.1-10.0.0.15
* Allow for variables in chain definitions, e.g.
define default_policy = accept
add chain ip foo bar { type filter hook input priority filter; policy $default_policy }
also when specifying chain priority, either numeric or literal:
define prio = filter
define prionum = 10
define prioffset = "filter - 150"
add table ip foo
add chain ip foo bar { type filter hook input priority $prio; }
add chain ip foo ber { type filter hook input priority $prionum; }
add chain ip foo bor { type filter hook input priority $prioffset; }
* synproxy support, e.g.
table ip x {
        chain y {
                type filter hook prerouting priority raw; policy accept;
                tcp dport 8888 tcp flags syn notrack
        }
        chain z {
                type filter hook forward priority filter; policy accept;
                tcp dport 8888 ct state invalid,untracked synproxy mss 1460 wscale 7 timestamp sack-perm
                ct state invalid drop
        }
}
The ruleset above places TCP port 8888 behind the synproxy.
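As an added example that is not part of the announcement, the following ruleset combines several of the features described above (priority variables, a concatenated set matched with th dport, IPv4 source-routing option drops and the two-chain synproxy layout) into one deployable file. The addresses, ports and set name are constructed placeholders.

```nft
#!/usr/sbin/nft -f
# Constructed example: combined use of nftables 0.9.2 features.
flush ruleset

define filter_prio = filter      # literal priority via variable
define svc_port = 8888           # service placed behind synproxy (placeholder)

table inet filter {
        # allowed DNS resolvers, keyed by address, l4 protocol and port
        set dns_servers {
                type ipv4_addr . inet_proto . inet_service
                elements = { 10.0.0.53 . tcp . 53,
                             10.0.0.53 . udp . 53 }
        }

        chain prerouting {
                type filter hook prerouting priority raw; policy accept;
                # synproxy needs the initial SYN to bypass conntrack
                tcp dport $svc_port tcp flags syn notrack
        }

        chain forward {
                type filter hook forward priority $filter_prio; policy drop;

                # source-routed IPv4 packets are almost never legitimate
                ip option lsrr exists drop
                ip option ssrr exists drop
                ip option rr exists drop

                # synproxy answers the handshake; real connections are then
                # confirmed, and anything left invalid is dropped right after
                tcp dport $svc_port ct state invalid,untracked synproxy mss 1460 wscale 7 timestamp sack-perm
                ct state invalid drop

                # one rule covers both tcp/53 and udp/53 thanks to th dport
                ip daddr . ip protocol . th dport @dns_servers accept

                ct state established,related accept
        }
}
```

Load it with nft -c -f to syntax-check before nft -f applies it; the synproxy rule must stay before the ct state invalid drop rule, as in the announcement's example.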
* conntrack expectations via ruleset policy, e.g.
table x {
        ct expectation myexpect {
                protocol tcp
                dport 5432
                timeout 1h
                size 12
                l3proto ip
        }
        chain input {
                type filter hook input priority 0;
                ct state new tcp dport 8888 ct expectation set myexpect
                ct state established,related counter accept
        }
}
This ruleset creates an expectation on TCP port 5432 for each new TCP
connection to port 8888. The expectation expires after 1 hour, and the
maximum number of expectations pending confirmation is 12.
* The libnftables library now exports only public symbols.
* ... and bug fixes.
See ChangeLog that comes attached to this email for more details.
You can download it from:
http://www.netfilter.org/projects/nftables/downloads.html#nftables-0.9.2
ftp://ftp.netfilter.org/pub/nftables/
To build the code, libnftnl 1.1.4 and libmnl >= 1.0.3 are required:
* http://netfilter.org/projects/libnftnl/index.html
* http://netfilter.org/projects/libmnl/index.html
Visit our wikipage for user documentation at:
* http://wiki.nftables.org
For the manpage reference, check man(8) nft.
In case of bugs and feature requests, file them via:
* https://bugzilla.netfilter.org
Happy firewalling!
Attachment: "changes-nftables-0.9.2.txt" (text/plain, 4129 bytes)