Date:   Sat, 6 Jun 2020 13:21:24 +0200
From:   Pablo Neira Ayuso <pablo@...filter.org>
To:     netfilter <netfilter@...r.kernel.org>,
        netfilter-devel <netfilter-devel@...r.kernel.org>
Cc:     netdev@...r.kernel.org, netfilter-announce@...ts.netfilter.org
Subject: [ANNOUNCE] nftables 0.9.5 release

Hi!

The Netfilter project proudly presents:

        nftables 0.9.5

This release contains fixes and new features available up to the Linux
kernel 5.7 release.

* Support for set counters:

  table ip x {
            set y {
                    typeof ip saddr
                    counter
                    elements = { 192.168.10.35, 192.168.10.101, 192.168.10.135 }
            }

            chain z {
                    type filter hook output priority filter; policy accept;
                    ip daddr @y
            }
  }

  The counter statement in the set `y' definition turns on counters.

* Support for restoring set element counters via nft -f.

  # cat ruleset.nft
  table ip x {
        set y {
                typeof ip saddr
                counter
                elements = { 192.168.10.35 counter packets 1 bytes 84, 192.168.10.101 counter p
                             192.168.10.135 counter packets 0 bytes 0 }
        }

        chain z {
                type filter hook output priority filter; policy accept;
                ip daddr @y
        }
  }
  # nft -f ruleset.nft
  # nft list ruleset
  table ip x {
        set y {
                typeof ip saddr
                counter
                elements = { 192.168.10.35 counter packets 1 bytes 84, 192.168.10.101 counter p
                             192.168.10.135 counter packets 0 bytes 0 }
        }

        chain z {
                type filter hook output priority filter; policy accept;
                ip daddr @y
        }
  }

* Counters support for flowtables:

     table ip foo {
            flowtable bar {
                    hook ingress priority -100
                    devices = { eth0, eth1 }
                    counter
            }

            chain forward {
                    type filter hook forward priority filter;
                    flow add @bar counter
            }
     }

  You can list the counters via `conntrack -L':

  tcp      6 src=192.168.10.2 dst=10.0.1.2 sport=47278 dport=5201 packets=9 bytes=608 src=10.0.1.2 dst=10.0.1.1 sport=5201 dport=47278 packets=8 bytes=428 [OFFLOAD] mark=0 secctx=null use=2
  tcp      6 src=192.168.10.2 dst=10.0.1.2 sport=47280 dport=5201 packets=1005763 bytes=44075714753 src=10.0.1.2 dst=10.0.1.1 sport=5201 dport=47280 packets=967505 bytes=50310268 [OFFLOAD] mark=0 secctx=null use=2

  The [OFFLOAD] status bit specifies that this flow is exercising the
  flowtable fast datapath.

* typeof concatenations support for sets. You can use typeof to specify the
  datatype of the selector in sets, e.g.

     table ip foo {
            set whitelist {
                    typeof ip saddr . tcp dport
                    elements = { 192.168.10.35 . 80, 192.168.10.101 . 80 }
            }

            chain bar {
                    type filter hook prerouting priority filter; policy drop;
                    ip daddr . tcp dport @whitelist accept
            }
     }

  You can also use typeof concatenations in maps:

     table ip foo {
            map addr2mark {
                typeof ip saddr . tcp dport : meta mark
                elements = { 192.168.10.35 . 80 : 0x00000001,
                             192.168.10.135 . 80 : 0x00000002 }
            }

            chain bar {
                    type filter hook prerouting priority filter; policy drop;
                    meta mark set ip daddr . tcp dport map @addr2mark accept
            }
     }

* Support for concatenated ranges in anonymous sets.

  # nft add rule inet filter input ip daddr . tcp dport \
       { 10.0.0.0/8 . 10-23, 192.168.1.1-192.168.3.8 . 80-443 } accept

* Allow rejecting 802.1q (VLAN-tagged) packets from the bridge family.

  # nft add rule bridge foo bar ether type vlan reject with tcp reset

* Support for matching on the conntrack ID.

  You can fetch the conntrack ID via `--output id':

  # conntrack -L --output id
  udp      17 18 src=192.168.2.118 dst=192.168.2.1 sport=36424 dport=53 packets=2 bytes=122 src=192.168.2.1 dst=192.168.2.118 sport=53 dport=36424 packets=2 bytes=320 [ASSURED] mark=0 use=1 id=2779986232

  Then a very simple single rule updates counters for packets matching
  this conntrack ID:

  # nft add rule foo bar ct id 2779986232 counter

  You can combine this new selector with the existing set and map features
  to build more advanced rules.
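  As an added example, not part of this announcement or of the nftables
  project, here is a small Python parser for the `conntrack -L' listings
  shown in the flowtable and `--output id' sections above. It splits each
  line into original/reply tuples, status flags such as [OFFLOAD], and the
  remaining fields (mark, use, id), so a monitoring script can account for
  offloaded flows that never traverse the forward chain and look up the entry
  a `ct id' rule would match. Function names and the byte threshold are my
  own choices; the sample lines are copied from the listings above.

```python
import re
# Sample copied from the announcement's `conntrack -L` output (two offloaded
# TCP flows, one UDP flow listed with `--output id`).
SAMPLE = """\
tcp      6 src=192.168.10.2 dst=10.0.1.2 sport=47278 dport=5201 packets=9 bytes=608 src=10.0.1.2 dst=10.0.1.1 sport=5201 dport=47278 packets=8 bytes=428 [OFFLOAD] mark=0 secctx=null use=2
tcp      6 src=192.168.10.2 dst=10.0.1.2 sport=47280 dport=5201 packets=1005763 bytes=44075714753 src=10.0.1.2 dst=10.0.1.1 sport=5201 dport=47280 packets=967505 bytes=50310268 [OFFLOAD] mark=0 secctx=null use=2
udp      17 18 src=192.168.2.118 dst=192.168.2.1 sport=36424 dport=53 packets=2 bytes=122 src=192.168.2.1 dst=192.168.2.118 sport=53 dport=36424 packets=2 bytes=320 [ASSURED] mark=0 use=1 id=2779986232
"""

KV, FLAG = re.compile(r"(\w+)=(\S+)"), re.compile(r"\[([A-Z_]+)\]")
TUPLE_KEYS = {"src", "dst", "sport", "dport", "packets", "bytes"}
INT_KEYS = {"sport", "dport", "packets", "bytes"}

def parse_line(line):
    """One `conntrack -L` line -> proto, orig/reply tuples, flags, other fields."""
    tokens = line.split()
    entry = {"proto": tokens[0], "flags": set(), "orig": {}, "reply": {}}
    side = "orig"
    for tok in tokens[1:]:
        m = FLAG.fullmatch(tok)
        if m:
            entry["flags"].add(m.group(1))
            continue
        m = KV.fullmatch(tok)
        if not m:
            continue  # protocol number, timeout or TCP state: skipped here
        key, val = m.groups()
        if key in TUPLE_KEYS:
            if key == "src" and "src" in entry[side]:
                side = "reply"  # the reply tuple repeats the same keys
            entry[side][key] = int(val) if key in INT_KEYS else val
        else:
            entry[key] = int(val) if val.isdigit() else val
    return entry

def parse_listing(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def total_bytes(entry):
    return entry["orig"]["bytes"] + entry["reply"]["bytes"]

def offloaded_over(entries, min_bytes):
    """[OFFLOAD] flows that moved >= min_bytes; they bypass the forward chain,
    so these conntrack counters are the only per-flow accounting left."""
    return [(e["orig"]["src"], e["orig"]["dst"], e["orig"]["dport"], total_bytes(e))
            for e in entries if "OFFLOAD" in e["flags"] and total_bytes(e) >= min_bytes]

def find_by_id(entries, ct_id):
    """Return the entry a `ct id <n>` rule would match, or None."""
    return next((e for e in entries if e.get("id") == ct_id), None)
```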

You can download this new release from:

http://www.netfilter.org/projects/nftables/downloads.html#nftables-0.9.5
ftp://ftp.netfilter.org/pub/nftables/

To build the code, libnftnl 1.1.7 and libmnl >= 1.0.4 are required:

* http://netfilter.org/projects/libnftnl/index.html
* http://netfilter.org/projects/libmnl/index.html

Visit our wikipage for user documentation at:

* http://wiki.nftables.org

For the manpage reference, check man(8) nft.

In case of bugs and feature requests, file them via:

* https://bugzilla.netfilter.org

Have fun.
