lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Thu, 02 Apr 2020 08:38:10 -0400
From:   sbezverk <sbezverk@...il.com>
To:     Pablo Neira Ayuso <pablo@...filter.org>,
        netfilter <netfilter@...r.kernel.org>,
        netfilter-devel <netfilter-devel@...r.kernel.org>
CC:     <netdev@...r.kernel.org>, <lwn@....net>
Subject: Re: [ANNOUNCE] nftables 0.9.4 release

Hello Pablo,

Did this commit make into 0.9.4?

https://patchwork.ozlabs.org/patch/1202696/

Thank you
Serguei

On 2020-04-01, 10:34 AM, "Pablo Neira Ayuso" <netfilter-owner@...r.kernel.org on behalf of pablo@...filter.org> wrote:

    Hi!
    
    The Netfilter project proudly presents:
    
            nftables 0.9.4
    
    This release contains fixes and new features available up to the Linux
    kernel 5.6 release.
    
    * Support for ranges in concatenations (requires Linux kernel >= 5.6),
      e.g.
    
        table ip foo {
               set whitelist {
                       type ipv4_addr . ipv4_addr . inet_service
                       flags interval
                       elements = { 192.168.10.35-192.168.10.40 . 192.68.11.123-192.168.11.125 . 80 }
               }
    
               chain bar {
                       type filter hook prerouting priority filter; policy drop;
                       ip saddr . ip daddr . tcp dport @whitelist accept
               }
        }
    
      This creates a `whitelist' set whose elements are a concatenation.
      The interval flag specifies that this set might include ranges in
      concatenations. The example above is accepting all traffic coming
      from 192.168.10.35 to 192.168.10.40 (both addresses in the range
      are included), destination to 192.68.10.123 and TCP destination
      port 80.
    
    * typeof support for sets. You can use typeof to specify the datatype
      of the selector in sets, e.g.
    
         table ip foo {
                set whitelist {
                        typeof ip saddr
                        elements = { 192.168.10.35, 192.168.10.101, 192.168.10.135 }
                }
    
                chain bar {
                        type filter hook prerouting priority filter; policy drop;
                        ip daddr @whitelist accept
                }
         }
    
      You can also use typeof in maps:
    
         table ip foo {
                map addr2mark {
                    typeof ip saddr : meta mark
                    elements = { 192.168.10.35 : 0x00000001, 192.168.10.135 : 0x00000002 }
                }
         }
    
    * NAT mappings with concatenations. This allows you to specify the address
      and port to be used in the NAT mangling from maps, eg.
    
          nft add rule ip nat pre dnat ip addr . port to ip saddr map { 1.1.1.1 : 2.2.2.2 . 30 }
    
      You can also use this new feature with named sets:
    
          nft add map ip nat destinations { type ipv4_addr . inet_service : ipv4_addr . inet_service \; }
          nft add rule ip nat pre dnat ip addr . port to ip saddr . tcp dport map @destinations
    
    * Hardware offload support: Your nic driver must include support for this
      infrastructure. You have to enable offload via ethtool:
    
         # ethtool -K eth0 hw-tc-offload on
    
      Then, in nftables, you have to turn on the offload flag in the basechain
      definition.
    
         # cat file.nft
         table netdev x {
                chain y {
                    type filter hook ingress device eth0 priority 10; flags offload;
                    ip saddr 192.168.30.20 drop
                }
         }
         # nft -f file.nft
    
      Just a simple example to drop all traffic coming from 192.168.30.20
      from the hardware. The Linux host see no packets at all from
      192.168.30.20 after this since the nic filters out the packets.
    
      As of kernel 5.6, supported features are:
    
      - Matching on:
        -- packet header fields.
        -- input interface.
    
      - Actions available are:
        -- accept / drop action.
        -- Duplicate packet to port through `dup'.
        -- Mirror packet to port through `fwd'.
    
    * Enhancements to improve location-based error reporting, e.g.
    
         # nft delete rule ip y z handle 7
         Error: Could not process rule: No such file or directory
         delete rule ip y z handle 7
                        ^
    
      In this example above, the table `y' does not exist in your system.
    
         # nft delete rule ip x x handle 7
         Error: Could not process rule: No such file or directory
         delete rule ip x x handle 7
                                   ^
    
      This means that rule handle 7 does not exist.
    
         # nft delete table twst
         Error: No such file or directory; did you mean table ‘test’ in family ip?
         delete table twst
                      ^^^^
    
      If you delete a table whose name has been mistyped, error reporting
      includes a suggestion.
    
    * Match on the slave interface through `meta sdif' and `meta
      sdifname', e.g.
    
            ... meta sdifname vrf1 ...
    
    * Support for right and left shifts:
    
            ... meta mark set meta mark lshift 1 or 0x1 ...
    
      This example shows how to shift one bit left the existing packet
      mark and set the less significant bit to 1.
    
    * New -V option to display extended version information, including
      compile time options:
    
         # nft -V
           nftables v0.9.4 (Jive at Five)
              cli:          readline
              json:         yes
              minigmp:      no
              libxtables:   yes
    
    * manpage documentation updates.
    
    * ... and bugfixes.
    
    See ChangeLog that comes attached to this email for more details.
    
    = Caveat =
    
    This new version enforces options before commands, ie.
    
         # nft list ruleset -a
         Error: syntax error, options must be specified before commands
         nft list ruleset -a
            ^             ~~
    
    Just place the option before the command:
    
         # nft -a list ruleset
         ... [ ruleset listing here ] ...
    
    Make sure to update your scripts.
    
    You can download this new release from:
    
    http://www.netfilter.org/projects/nftables/downloads.html#nftables-0.9.4
    ftp://ftp.netfilter.org/pub/nftables/
    
    To build the code, libnftnl 1.1.6 and libmnl >= 1.0.3 are required:
    
    * http://netfilter.org/projects/libnftnl/index.html
    * http://netfilter.org/projects/libmnl/index.html
    
    Visit our wikipage for user documentation at:
    
    * http://wiki.nftables.org
    
    For the manpage reference, check man(8) nft.
    
    In case of bugs and feature request, file them via:
    
    * https://bugzilla.netfilter.org
    
    Happy firewalling!
    


Powered by blists - more mailing lists