Date:   Tue, 27 Oct 2020 11:45:12 +0100
From:   Pablo Neira Ayuso <pablo@...filter.org>
To:     netfilter <netfilter@...r.kernel.org>,
        netfilter-devel <netfilter-devel@...r.kernel.org>
Cc:     netdev@...r.kernel.org, netfilter-announce@...ts.netfilter.org,
        lwn@....net
Subject: [ANNOUNCE] nftables 0.9.7 release

Hi!

The Netfilter project proudly presents:

        nftables 0.9.7

This release contains fixes and new features available up to the Linux
kernel 5.10-rc1 release.

* Support for implicit chains, e.g.

  table inet x {
        chain y {
             type filter hook input priority 0;
             tcp dport 22 jump {
                    ip saddr { 127.0.0.0/8, 172.23.0.0/16, 192.168.13.0/24 } accept
                    ip6 saddr ::1/128 accept;
             }
        }
  }

  This allows you to group rules without the need for an explicit
  chain definition.

* Support for ingress inet chains:

    table inet filter {
            chain ingress {
                    type filter hook ingress device "veth0" priority filter; policy accept;
            }
            chain input {
                    type filter hook input priority filter; policy accept;
            }
            chain forward {
                    type filter hook forward priority filter; policy accept;
            }
    }

  The inet family supports the ingress hook since Linux kernel 5.10-rc1,
  to filter IPv4 and IPv6 packets at the same location as the netdev ingress
  hook. This inet hook allows you to share sets and maps between the usual
  prerouting, input, forward, output, postrouting and this ingress hook.

* Support for reject from prerouting chain:

  table inet x {
      chain y {
            type filter hook prerouting priority 0; policy accept;

            tcp dport 22 reject with tcp reset
      }
  }

* Support for the --terse option in json

  # nft --terse -j list ruleset

* Display set counters in json

  # nft -j list set

* Support for the reset command with json, i.e.

  # nft -j reset counters

* Match on wildcard socket listeners, e.g.

  table inet x {
       chain y {
             type filter hook prerouting priority -150; policy accept;
             socket transparent 1 socket wildcard 0 mark set 0x00000001
       }
  }

* Get elements from maps:

  # nft get element inet filter test "{ 18.51.100.17 . ad:c1:ac:c0:ce:c0 . 3761 : 0x42 }"
  table inet filter {
        map test {
                type ipv4_addr . ether_addr . inet_service : mark
                flags interval,timeout
                elements = { 18.51.100.17 . ad:c1:ac:c0:ce:c0 . 3761 : 0x00000042 }
        }
  }

* Allow specifying comments in sets, e.g.

   table ip x {
        set s {
                type ipv4_addr;
                comment "list of unwanted traffic by IP address"
                elements = { 1.1.1.1, 1.2.3.4 }
        }
   }

  You can also specify comments in tables and stateful objects (such
  as quota, limit and counters).

* Support for defining empty sets in variables:

  define BASE_ALLOWED_INCOMING_TCP_PORTS = {22, 80, 443}
  define EXTRA_ALLOWED_INCOMING_TCP_PORTS = {}

  table inet x {
       chain y {
            type filter hook input priority 0; policy drop;
            ct state new tcp dport { $BASE_ALLOWED_INCOMING_TCP_PORTS, $EXTRA_ALLOWED_INCOMING_TCP_PORTS } counter accept
       }
  }

* Allow using variables in the log prefix string.

  define foo = "state"
  define bar = "match"

  table x {
        chain y {
            ct state invalid log prefix "invalid $foo $bar:"
        }
  }

* Allow using variables in chain and flowtable definitions, e.g.

  define if_main = lo

  table netdev x {
        chain y {
            type filter hook ingress device $if_main priority -500; policy accept;
        }
  }

* Allow defining negative values in variables:

  define post = -10
  define for = "filter - 100"

  table inet global {
      chain forward {
          type filter hook prerouting priority $for
          policy accept
      }
      chain postrouting {
          type filter hook postrouting priority $post
          policy accept
      }
  }

* Improved error reporting on statements:

   # nft add rule x y jump test
   Error: Could not process rule: No such file or directory
   add rule x y jump test
                     ^^^^

   This error is displayed when the 'test' chain does not exist.

* Support for SCTP stateless NAT.
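
  As an added example (not part of this announcement), the ruleset below
  combines several of the features listed above in one place: a commented
  set shared between the new inet ingress hook and the input hook, an empty
  set variable merged into a port list, a negative priority variable, a
  variable in a log prefix, and an implicit chain. The interface name,
  addresses and ports are constructed sample values.

```nft
# Added example, not from the nftables 0.9.7 announcement.
# veth0, the address ranges and the port lists are constructed values.
define if_ingress = veth0
define ingress_prio = -10
define allowed_tcp = { 22, 443 }
define extra_tcp = {}
define tag = "blocklist"

table inet filter {
        set blocklist {
                type ipv4_addr
                flags interval
                comment "constructed sample of unwanted source ranges"
                elements = { 203.0.113.0/24, 198.51.100.0/24 }
        }

        chain ingress {
                # inet ingress hook (kernel >= 5.10-rc1); priority from a negative variable
                type filter hook ingress device $if_ingress priority $ingress_prio; policy accept;
                # The same set is referenced again in the input chain below
                ip saddr @blocklist counter drop
        }

        chain input {
                type filter hook input priority filter; policy drop;
                ct state established,related accept
                iif lo accept
                # Variable expanded inside the log prefix string
                ip saddr @blocklist counter log prefix "$tag hit:" drop
                # Empty variable merges into the port set; implicit chain groups the source checks
                ct state new tcp dport { $allowed_tcp, $extra_tcp } jump {
                        ip saddr 192.168.13.0/24 accept
                        ip6 saddr fd00::/8 accept
                }
        }
}
```

  Load it with `nft -f <file>`; `nft -c -f <file>` only checks the syntax without changing the live ruleset.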

You can download this new release from:

https://www.netfilter.org/projects/nftables/downloads.html#nftables-0.9.7

To build the code, libnftnl >= 1.1.8 and libmnl >= 1.0.4 are required:

* https://netfilter.org/projects/libnftnl/index.html
* https://netfilter.org/projects/libmnl/index.html

Visit our wikipage for user documentation at:

* https://wiki.nftables.org

For the manpage reference, see nft(8).

In case of bugs and feature requests, file them via:

* https://bugzilla.netfilter.org

Have fun.
