lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date:   Mon, 2 Dec 2019 22:17:37 +0100
From:   Pablo Neira Ayuso <pablo@...filter.org>
To:     netfilter <netfilter@...r.kernel.org>,
        netfilter-devel <netfilter-devel@...r.kernel.org>
Cc:     netdev@...r.kernel.org, lwn@....net
Subject: [ANNOUNCE] nftables 0.9.3 release

Hi!

The Netfilter project proudly presents:

        nftables 0.9.3

This release contains fixes and new features available up to the
upcoming Linux kernel 5.5-rc release.

* time matching support. You can combine this with ranges to match
  on specify date ranges:

  meta time \"2019-12-24 16:00\" - \"2020-01-02 7:00\"

  Hour ranges can be used too:

  meta hour \"17:00\" - \"19:00\"

  You can also match on a specificy week day:

  meta day \"Fri\"

  New -T option allows for printing time in seconds since Unix epoch.

* secmark restore / save support, eg.

  ct secmark set meta secmark
  meta secmark set ct secmark

* synproxy map support to improve scalability, eg.

 table ip foo {
            synproxy https-synproxy {
                    mss 1460
                    wscale 7
                    timestamp sack-perm
            }

            synproxy other-synproxy {
                    mss 1460
                    wscale 5
            }

            chain pre {
                    type filter hook prerouting priority raw; policy accept;
                    tcp dport 8888 tcp flags syn notrack
            }

            chain bar {
                    type filter hook forward priority filter; policy accept;
                    ct state invalid,untracked synproxy name ip saddr map { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" }
            }
  }

  iptables requires one single rule per backend which might limit
  scalability in case of many backend servers.

* Dynamic set element deletion from the packet path, eg.

  nft add rule ... delete @set5 { ip6 saddr . ip6 daddr }

  to delete an entry from the set via rule based on the user-defined
  matching criteria.

* meta bridge vlan id and protocol matching, eg.

        meta ibrpvid 100
        meta ibrvproto vlan

  to match on the vlan over bridge device metadata.

* New -t/--terse option to exclude set elements from the ruleset listing:

 # nft -t list ruleset
 table ip x {
        set y {
                type ipv4_addr
        }
 }

 instead of:

 # nft list ruleset
 table ip x {
        set y {
                type ipv4_addr
                elements = { 192.168.10.2, 192.168.20.1,
                             192.168.4.4, 192.168.2.34 }
        }
 }

 Useful in case your set contains many elements.

* Multidevice chain in netdev family (available since upcoming 5.5-rc)

  add table netdev x
  add chain netdev x y { \
        type filter hook ingress devices = { eth0, eth1 } priority 0;
  }

  to consolidate common filter policies for several netdevices from
  the ingress path.

* description support for data types, eg.

 # nft describe ipv4_addr
 datatype ipv4_addr (IPv4 address) (basetype integer), 32 bits

* linenoise support for cli via --with-cli=linenoise, ie.

  ./configure --with-cli=linenoise

  as alternative to libreadline.

* manpage documentation updates.

* ... and bugfixes.

See ChangeLog that comes attached to this email for more details.

You can download it from:

http://www.netfilter.org/projects/nftables/downloads.html#nftables-0.9.3
ftp://ftp.netfilter.org/pub/nftables/

To build the code, libnftnl 1.1.4 and libmnl >= 1.0.3 are required:

* http://netfilter.org/projects/libnftnl/index.html
* http://netfilter.org/projects/libmnl/index.html

Visit our wikipage for user documentation at:

* http://wiki.nftables.org

For the manpage reference, check man(8) nft.

In case of bugs and feature request, file them via:

* https://bugzilla.netfilter.org

Happy firewalling!

View attachment "changes-nftables-0.9.3.txt" of type "text/plain" (5065 bytes)

Powered by blists - more mailing lists