Message-ID: <20191202211737.xvmd6e6xxj4xvvjl@salvia>
Date: Mon, 2 Dec 2019 22:17:37 +0100
From: Pablo Neira Ayuso <pablo@...filter.org>
To: netfilter <netfilter@...r.kernel.org>,
netfilter-devel <netfilter-devel@...r.kernel.org>
Cc: netdev@...r.kernel.org, lwn@....net
Subject: [ANNOUNCE] nftables 0.9.3 release
Hi!
The Netfilter project proudly presents:
nftables 0.9.3
This release contains fixes and new features available up to the
upcoming Linux kernel 5.5-rc release.
* time matching support. You can combine this with ranges to match
on specific date ranges:

        meta time "2019-12-24 16:00" - "2020-01-02 7:00"

Hour ranges can be used too:

        meta hour "17:00" - "19:00"

You can also match on a specific week day:

        meta day "Fri"

New -T option allows for printing time in seconds since Unix epoch.
* secmark restore / save support, eg.

        ct secmark set meta secmark
        meta secmark set ct secmark
* synproxy map support to improve scalability, eg.

        table ip foo {
                synproxy https-synproxy {
                        mss 1460
                        wscale 7
                        timestamp sack-perm
                }
                synproxy other-synproxy {
                        mss 1460
                        wscale 5
                }
                chain pre {
                        type filter hook prerouting priority raw; policy accept;
                        tcp dport 8888 tcp flags syn notrack
                }
                chain bar {
                        type filter hook forward priority filter; policy accept;
                        ct state invalid,untracked synproxy name ip saddr map { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" }
                }
        }

iptables requires one single rule per backend, which might limit
scalability in case of many backend servers.
* Dynamic set element deletion from the packet path, eg.

        nft add rule ... delete @set5 { ip6 saddr . ip6 daddr }

to delete an entry from the set via rule based on the user-defined
matching criteria.
* meta bridge vlan id and protocol matching, eg.

        meta ibrpvid 100
        meta ibrvproto vlan

to match on the vlan over bridge device metadata.
* New -t/--terse option to exclude set elements from the ruleset listing:

        # nft -t list ruleset
        table ip x {
                set y {
                        type ipv4_addr
                }
        }

instead of:

        # nft list ruleset
        table ip x {
                set y {
                        type ipv4_addr
                        elements = { 192.168.10.2, 192.168.20.1,
                                     192.168.4.4, 192.168.2.34 }
                }
        }

Useful in case your set contains many elements.
* Multidevice chain in netdev family (available since upcoming 5.5-rc)

        add table netdev x
        add chain netdev x y { \
                type filter hook ingress devices = { eth0, eth1 } priority 0; \
        }

to consolidate common filter policies for several netdevices from
the ingress path.
* description support for data types, eg.

        # nft describe ipv4_addr
        datatype ipv4_addr (IPv4 address) (basetype integer), 32 bits
* linenoise support for cli via --with-cli=linenoise, i.e.

        ./configure --with-cli=linenoise

as an alternative to libreadline.
* manpage documentation updates.
* ... and bugfixes.
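As an added example that is not part of this announcement, the following loadable ruleset combines the new hour, day and date matching with a dynamic set and the packet-path delete statement; the table name, set name, ports and the 1h timeout are made up for illustration.

```nft
# Added example (not from the nftables project): load with "nft -f <file>".
flush ruleset

table inet filter {
        # Peers admitted during office hours. The timeout ages out entries
        # even if the packet-path delete below never fires for them.
        set admitted {
                type ipv4_addr . inet_service
                flags dynamic, timeout
                timeout 1h
        }

        chain input {
                type filter hook input priority filter; policy drop;

                iif lo accept
                ct state invalid drop

                # Session teardown: remove the peer from the set on the packet
                # path, before the generic established/related accept below.
                tcp flags fin ip saddr . tcp dport @admitted delete @admitted { ip saddr . tcp dport } accept

                ct state established,related accept

                # No new admin sessions at the weekend (single-day matches).
                meta day "Sat" tcp dport { 22, 8443 } ct state new drop
                meta day "Sun" tcp dport { 22, 8443 } ct state new drop

                # Office hours: admit the peer and record it in the dynamic set.
                meta hour "08:00" - "18:00" tcp dport { 22, 8443 } ct state new add @admitted { ip saddr . tcp dport } accept

                # Announced maintenance window (absolute dates) overrides the
                # hour restriction for SSH only.
                meta time "2019-12-24 16:00" - "2020-01-02 7:00" tcp dport 22 ct state new accept
        }
}
```

After loading, "nft -t list ruleset" shows the set definition without its elements, and "nft -T list ruleset" prints the time bounds as seconds since the Unix epoch.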
See ChangeLog that comes attached to this email for more details.
You can download it from:
http://www.netfilter.org/projects/nftables/downloads.html#nftables-0.9.3
ftp://ftp.netfilter.org/pub/nftables/
To build the code, libnftnl 1.1.4 and libmnl >= 1.0.3 are required:
* http://netfilter.org/projects/libnftnl/index.html
* http://netfilter.org/projects/libmnl/index.html
Visit our wikipage for user documentation at:
* http://wiki.nftables.org
For the manpage reference, check nft(8).
In case of bugs and feature requests, file them via:
* https://bugzilla.netfilter.org
Happy firewalling!
Attachment: "changes-nftables-0.9.3.txt" (text/plain, 5065 bytes)