lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20200401143114.yfdfej6bldpk5inx@salvia>
Date:   Wed, 1 Apr 2020 16:31:14 +0200
From:   Pablo Neira Ayuso <pablo@...filter.org>
To:     netfilter <netfilter@...r.kernel.org>,
        netfilter-devel <netfilter-devel@...r.kernel.org>
Cc:     netdev@...r.kernel.org, lwn@....net
Subject: [ANNOUNCE] nftables 0.9.4 release

Hi!

The Netfilter project proudly presents:

        nftables 0.9.4

This release contains fixes and new features available up to the Linux
kernel 5.6 release.

* Support for ranges in concatenations (requires Linux kernel >= 5.6),
  e.g.

    table ip foo {
           set whitelist {
                   type ipv4_addr . ipv4_addr . inet_service
                   flags interval
                   elements = { 192.168.10.35-192.168.10.40 . 192.68.11.123-192.168.11.125 . 80 }
           }

           chain bar {
                   type filter hook prerouting priority filter; policy drop;
                   ip saddr . ip daddr . tcp dport @whitelist accept
           }
    }

  This creates a `whitelist' set whose elements are a concatenation.
  The interval flag specifies that this set might include ranges in
  concatenations. The example above is accepting all traffic coming
  from 192.168.10.35 to 192.168.10.40 (both addresses in the range
  are included), destination to 192.68.10.123 and TCP destination
  port 80.

* typeof support for sets. You can use typeof to specify the datatype
  of the selector in sets, e.g.

     table ip foo {
            set whitelist {
                    typeof ip saddr
                    elements = { 192.168.10.35, 192.168.10.101, 192.168.10.135 }
            }

            chain bar {
                    type filter hook prerouting priority filter; policy drop;
                    ip daddr @whitelist accept
            }
     }

  You can also use typeof in maps:

     table ip foo {
            map addr2mark {
                typeof ip saddr : meta mark
                elements = { 192.168.10.35 : 0x00000001, 192.168.10.135 : 0x00000002 }
            }
     }

* NAT mappings with concatenations. This allows you to specify the address
  and port to be used in the NAT mangling from maps, eg.

      nft add rule ip nat pre dnat ip addr . port to ip saddr map { 1.1.1.1 : 2.2.2.2 . 30 }

  You can also use this new feature with named sets:

      nft add map ip nat destinations { type ipv4_addr . inet_service : ipv4_addr . inet_service \; }
      nft add rule ip nat pre dnat ip addr . port to ip saddr . tcp dport map @destinations

* Hardware offload support: Your nic driver must include support for this
  infrastructure. You have to enable offload via ethtool:

     # ethtool -K eth0 hw-tc-offload on

  Then, in nftables, you have to turn on the offload flag in the basechain
  definition.

     # cat file.nft
     table netdev x {
            chain y {
                type filter hook ingress device eth0 priority 10; flags offload;
                ip saddr 192.168.30.20 drop
            }
     }
     # nft -f file.nft

  Just a simple example to drop all traffic coming from 192.168.30.20
  from the hardware. The Linux host see no packets at all from
  192.168.30.20 after this since the nic filters out the packets.

  As of kernel 5.6, supported features are:

  - Matching on:
    -- packet header fields.
    -- input interface.

  - Actions available are:
    -- accept / drop action.
    -- Duplicate packet to port through `dup'.
    -- Mirror packet to port through `fwd'.

* Enhancements to improve location-based error reporting, e.g.

     # nft delete rule ip y z handle 7
     Error: Could not process rule: No such file or directory
     delete rule ip y z handle 7
                    ^

  In this example above, the table `y' does not exist in your system.

     # nft delete rule ip x x handle 7
     Error: Could not process rule: No such file or directory
     delete rule ip x x handle 7
                               ^

  This means that rule handle 7 does not exist.

     # nft delete table twst
     Error: No such file or directory; did you mean table ‘test’ in family ip?
     delete table twst
                  ^^^^

  If you delete a table whose name has been mistyped, error reporting
  includes a suggestion.

* Match on the slave interface through `meta sdif' and `meta
  sdifname', e.g.

        ... meta sdifname vrf1 ...

* Support for right and left shifts:

        ... meta mark set meta mark lshift 1 or 0x1 ...

  This example shows how to shift one bit left the existing packet
  mark and set the less significant bit to 1.

* New -V option to display extended version information, including
  compile time options:

     # nft -V
       nftables v0.9.4 (Jive at Five)
          cli:          readline
          json:         yes
          minigmp:      no
          libxtables:   yes

* manpage documentation updates.

* ... and bugfixes.

See ChangeLog that comes attached to this email for more details.

= Caveat =

This new version enforces options before commands, ie.

     # nft list ruleset -a
     Error: syntax error, options must be specified before commands
     nft list ruleset -a
        ^             ~~

Just place the option before the command:

     # nft -a list ruleset
     ... [ ruleset listing here ] ...

Make sure to update your scripts.

You can download this new release from:

http://www.netfilter.org/projects/nftables/downloads.html#nftables-0.9.4
ftp://ftp.netfilter.org/pub/nftables/

To build the code, libnftnl 1.1.6 and libmnl >= 1.0.3 are required:

* http://netfilter.org/projects/libnftnl/index.html
* http://netfilter.org/projects/libmnl/index.html

Visit our wikipage for user documentation at:

* http://wiki.nftables.org

For the manpage reference, check man(8) nft.

In case of bugs and feature request, file them via:

* https://bugzilla.netfilter.org

Happy firewalling!

View attachment "changes-nftables-0.9.4.txt" of type "text/plain" (7867 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ