Date:   Wed, 1 Apr 2020 16:31:14 +0200
From:   Pablo Neira Ayuso <pablo@...filter.org>
To:     netfilter <netfilter@...r.kernel.org>,
        netfilter-devel <netfilter-devel@...r.kernel.org>
Cc:     netdev@...r.kernel.org, lwn@....net
Subject: [ANNOUNCE] nftables 0.9.4 release

Hi!

The Netfilter project proudly presents:

        nftables 0.9.4

This release contains fixes and new features available up to the Linux
kernel 5.6 release.

* Support for ranges in concatenations (requires Linux kernel >= 5.6),
  e.g.

    table ip foo {
           set whitelist {
                   type ipv4_addr . ipv4_addr . inet_service
                   flags interval
                   elements = { 192.168.10.35-192.168.10.40 . 192.68.11.123-192.168.11.125 . 80 }
           }

           chain bar {
                   type filter hook prerouting priority filter; policy drop;
                   ip saddr . ip daddr . tcp dport @whitelist accept
           }
    }

  This creates a `whitelist' set whose elements are concatenations.
  The interval flag specifies that the set may contain ranges inside
  those concatenations. The example above accepts all traffic coming
  from 192.168.10.35 to 192.168.10.40 (both ends of the range are
  included), destined to 192.68.10.123 on TCP destination port 80.

* typeof support for sets. You can use typeof to specify the datatype
  of the selector in sets, e.g.

     table ip foo {
            set whitelist {
                    typeof ip saddr
                    elements = { 192.168.10.35, 192.168.10.101, 192.168.10.135 }
            }

            chain bar {
                    type filter hook prerouting priority filter; policy drop;
                    ip daddr @whitelist accept
            }
     }

  You can also use typeof in maps:

     table ip foo {
            map addr2mark {
                typeof ip saddr : meta mark
                elements = { 192.168.10.35 : 0x00000001, 192.168.10.135 : 0x00000002 }
            }
     }

* NAT mappings with concatenations. This allows you to take the address
  and port used in the NAT mangling from a map, e.g.

      nft add rule ip nat pre dnat ip addr . port to ip saddr map { 1.1.1.1 : 2.2.2.2 . 30 }

  You can also use this new feature with named sets:

      nft add map ip nat destinations { type ipv4_addr . inet_service : ipv4_addr . inet_service \; }
      nft add rule ip nat pre dnat ip addr . port to ip saddr . tcp dport map @destinations
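
The following is an added model of how a concatenated key with ranges is matched and how a concatenated map value is looked up; it is example code written for this announcement, not nftables code, and it only models the semantics (every component of the key has to fall inside its own range, ranges are inclusive at both ends, and a range element is only accepted when the set has `flags interval`). The `whitelist` element comes from the announcement above; the `destinations` map element and the packet values are constructed for the example.

```python
import ipaddress

# Added model (not nftables code) of concatenated set and map keys with
# ranges: each component of a key is compared against its own [lo, hi]
# interval and every component has to match. Types and element syntax
# follow the announcement; the packets below are constructed.


def parse_value(typ, text):
    """Turn one component of an element into a comparable integer."""
    text = text.strip()
    if typ in ("ipv4_addr", "ipv6_addr"):
        return int(ipaddress.ip_address(text))
    # inet_service, mark and other integer types; base 0 also accepts 0x...
    return int(text, 0)


class ConcatSet:
    """Set with a concatenated key, e.g. 'ipv4_addr . ipv4_addr . inet_service'."""

    def __init__(self, types, interval=False):
        self.types = list(types)
        self.interval = interval          # models 'flags interval'
        self.elements = []                # one (lo, hi) tuple per component

    def add(self, element):
        parts = element.split(" . ")
        if len(parts) != len(self.types):
            raise ValueError(f"expected {len(self.types)} components: {element!r}")
        key = []
        for typ, part in zip(self.types, parts):
            part = part.strip()
            if "-" in part:
                if not self.interval:
                    raise ValueError("range element needs 'flags interval'")
                lo, hi = (parse_value(typ, p) for p in part.split("-", 1))
                if lo > hi:
                    raise ValueError(f"inverted range: {part!r}")
            else:
                lo = hi = parse_value(typ, part)
            key.append((lo, hi))
        self.elements.append(tuple(key))

    def index(self, *values):
        """Index of the first element matching the packet values, else None."""
        key = [parse_value(t, v) for t, v in zip(self.types, values)]
        for i, elem in enumerate(self.elements):
            if all(lo <= v <= hi for (lo, hi), v in zip(elem, key)):
                return i
        return None

    def match(self, *values):
        return self.index(*values) is not None


class ConcatMap:
    """Map whose key and value are both concatenations (the dnat case)."""

    def __init__(self, key_types, value_types, interval=False):
        self.keys = ConcatSet(key_types, interval)
        self.value_types = list(value_types)
        self.values = []

    def add(self, element):
        key_text, value_text = element.split(" : ", 1)   # IPv4 only: no ':' in keys
        self.keys.add(key_text)
        value = tuple(p.strip() for p in value_text.split(" . "))
        if len(value) != len(self.value_types):
            raise ValueError(f"expected {len(self.value_types)} value components")
        self.values.append(value)

    def lookup(self, *values):
        i = self.keys.index(*values)
        return None if i is None else self.values[i]


# The 'whitelist' set from the announcement: source range, destination range, port.
whitelist = ConcatSet(["ipv4_addr", "ipv4_addr", "inet_service"], interval=True)
whitelist.add("192.168.10.35-192.168.10.40 . 192.68.11.123-192.168.11.125 . 80")

# The dnat 'destinations' map from the announcement, with a constructed element.
destinations = ConcatMap(["ipv4_addr", "inet_service"], ["ipv4_addr", "inet_service"])
destinations.add("10.0.0.5 . 80 : 192.168.100.5 . 8080")

if __name__ == "__main__":
    print(whitelist.match("192.168.10.37", "192.168.11.124", "80"))
    print(whitelist.match("192.168.10.41", "192.168.11.124", "80"))
    print(destinations.lookup("10.0.0.5", "80"))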

* Hardware offload support: your NIC driver must support this
  infrastructure. You have to enable offload via ethtool:

     # ethtool -K eth0 hw-tc-offload on

  Then, in nftables, you have to turn on the offload flag in the basechain
  definition.

     # cat file.nft
     table netdev x {
            chain y {
                type filter hook ingress device eth0 priority 10; flags offload;
                ip saddr 192.168.30.20 drop
            }
     }
     # nft -f file.nft

  This is a simple example that drops all traffic coming from
  192.168.30.20 in hardware. After this, the Linux host sees no packets
  at all from 192.168.30.20, since the NIC filters them out.

  As of kernel 5.6, supported features are:

  - Matching on:
    -- packet header fields.
    -- input interface.

  - Actions available are:
    -- accept / drop action.
    -- Duplicate packet to port through `dup'.
    -- Mirror packet to port through `fwd'.

* Enhancements to improve location-based error reporting, e.g.

     # nft delete rule ip y z handle 7
     Error: Could not process rule: No such file or directory
     delete rule ip y z handle 7
                    ^

  In the example above, the table `y' does not exist on your system.

     # nft delete rule ip x x handle 7
     Error: Could not process rule: No such file or directory
     delete rule ip x x handle 7
                               ^

  This means that rule handle 7 does not exist.

     # nft delete table twst
     Error: No such file or directory; did you mean table ‘test’ in family ip?
     delete table twst
                  ^^^^

  If you delete a table whose name has been mistyped, error reporting
  includes a suggestion.

* Match on the slave interface through `meta sdif' and `meta
  sdifname', e.g.

        ... meta sdifname vrf1 ...

* Support for right and left shifts:

        ... meta mark set meta mark lshift 1 or 0x1 ...

  This example shifts the existing packet mark one bit to the left and
  sets the least significant bit to 1.

* New -V option to display extended version information, including
  compile time options:

     # nft -V
       nftables v0.9.4 (Jive at Five)
          cli:          readline
          json:         yes
          minigmp:      no
          libxtables:   yes

* manpage documentation updates.

* ... and bugfixes.

See ChangeLog that comes attached to this email for more details.

= Caveat =

This new version enforces options before commands, i.e.

     # nft list ruleset -a
     Error: syntax error, options must be specified before commands
     nft list ruleset -a
        ^             ~~

Just place the option before the command:

     # nft -a list ruleset
     ... [ ruleset listing here ] ...

Make sure to update your scripts.
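
As an added example for this caveat (not part of nftables), the helper below rewrites script lines that pass global nft options after the command so that the options come first. The option table is an assumption made for this example; confirm it against `nft -h` on the version you run. It assumes whitespace-separated tokens on each line, which is how nft invocations in scripts usually look, and it refuses to touch a token starting with `-` that it does not recognise rather than reorder it blindly.

```python
# Added helper (not part of nftables) for the 0.9.4 caveat: move global nft
# options that appear after the command in front of it. The option table is
# an assumption for this example; check `nft -h` on your version.

# Global options that take no argument (short and long spellings).
FLAG_OPTIONS = {
    "-a", "--handle", "-n", "--numeric", "-j", "--json", "-e", "--echo",
    "-s", "--stateless", "-c", "--check", "-N", "--reversedns",
    "-i", "--interactive",
}
# Global options that consume the following token as their argument.
ARG_OPTIONS = {"-f", "--file", "-I", "--includepath", "-d", "--debug"}
SHORT_FLAGS = {o[1] for o in FLAG_OPTIONS if len(o) == 2}


def _is_flag_cluster(token):
    """True for grouped short flags such as '-an' (getopt style)."""
    return (len(token) > 2 and token[0] == "-" and token[1] != "-"
            and all(c in SHORT_FLAGS for c in token[1:]))


def reorder_options(args):
    """Return the nft argument list with every global option ahead of the command."""
    options, command = [], []
    i = 0
    while i < len(args):
        tok = args[i]
        if tok in FLAG_OPTIONS or _is_flag_cluster(tok):
            options.append(tok)
        elif tok in ARG_OPTIONS:
            if i + 1 >= len(args):
                raise ValueError(f"option {tok} is missing its argument")
            options.extend(args[i:i + 2])
            i += 1
        elif tok.startswith("-") and len(tok) > 1:
            # Unknown option (or a cluster containing an argument-taking flag):
            # refuse rather than silently reorder something we do not understand.
            raise ValueError(f"unrecognised nft option: {tok}")
        else:
            command.append(tok)
        i += 1
    return options + command


def migrate_line(line):
    """Rewrite one script line; lines that do not invoke nft come back unchanged.

    Assumes whitespace-separated tokens (no quoted arguments containing spaces).
    """
    tokens = line.split()
    try:
        nft_at = next(i for i, t in enumerate(tokens)
                      if t == "nft" or t.endswith("/nft"))
    except StopIteration:
        return line
    new_args = reorder_options(tokens[nft_at + 1:])
    if new_args == tokens[nft_at + 1:]:
        return line                      # nothing moved: keep original spacing
    indent = line[:len(line) - len(line.lstrip())]
    return indent + " ".join(tokens[:nft_at + 1] + new_args)


if __name__ == "__main__":
    print(migrate_line("nft list ruleset -a"))
    print(migrate_line("    sudo nft list table ip filter -n -a"))
```

Run it over a script with `migrate_line` applied to each line, and review the diff before replacing the script: an unrecognised option raises rather than being guessed at.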

You can download this new release from:

http://www.netfilter.org/projects/nftables/downloads.html#nftables-0.9.4
ftp://ftp.netfilter.org/pub/nftables/

To build the code, libnftnl 1.1.6 and libmnl >= 1.0.3 are required:

* http://netfilter.org/projects/libnftnl/index.html
* http://netfilter.org/projects/libmnl/index.html

Visit our wikipage for user documentation at:

* http://wiki.nftables.org

For the manpage reference, see nft(8).

In case of bugs and feature requests, file them via:

* https://bugzilla.netfilter.org

Happy firewalling!

View attachment "changes-nftables-0.9.4.txt" of type "text/plain" (7867 bytes)
