Date:   Tue, 25 May 2021 23:19:34 +0200
From:   Pablo Neira Ayuso <pablo@...filter.org>
To:     netfilter <netfilter@...r.kernel.org>,
        netfilter-devel <netfilter-devel@...r.kernel.org>
Cc:     netdev@...r.kernel.org, netfilter-announce@...ts.netfilter.org,
        lwn@....net
Subject: [ANNOUNCE] nftables 0.9.9 release

Hi!

The Netfilter project proudly presents:

        nftables 0.9.9

This release contains fixes, documentation updates and new features
available up to the Linux kernel 5.13-rc1 release. Highlights:

* Flowtable hardware offload support [1]: add a new 'offload' flag that
  turns on the flowtable hardware fastpath.

    table ip global {
            flowtable f {
                    hook ingress priority filter + 1
                    devices = { lan3, lan0, wan }
                    flags offload
            }

            chain forward {
                    type filter hook forward priority filter; policy accept;
                    ip protocol { tcp, udp } flow add @f
            }

            chain post {
                    type nat hook postrouting priority filter; policy accept;
                    oifname "wan" masquerade
            }
    }

  [1] https://www.kernel.org/doc/html/latest/networking/nf_flowtable.html

* Support for the table owner flag. This new flag allows a process to
  own a table in exclusivity. The owner process name is shown as a
  comment. The table can be either removed by the owner process
  (explicit removal) or when the owner process is terminated.

    table ip x { # progname nft
            flags owner

            chain y {
                    type filter hook input priority filter; policy accept;
                    counter packets 1 bytes 309
            }
    }

  The example above shows a ruleset that is owned by nft which is
  running in interactive mode, i.e. nft -i

* 802.1ad (QinQ) support:

  - Check that outer ethertype is 8021ad and outer vlan id is 321
  ... ether type 8021ad vlan id 342

  - Check that outer ethertype is 8021ad and vlan id is 1 and inner
    ethertype is 802.1q and vlan id is 2, finally check that this
    QinQ frame encapsulates an IP packet.

  ... ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip counter

* cgroupsv2 support.

  - Check that the socket cgroupv2 ancestor at level 1 matches "system.slice"
  ... socket cgroupv2 level 1 "system.slice"

* match on SCTP packet chunks (available since the upcoming 5.14 release)

  - match if chunk type 'data' exists
  ... sctp chunk data exists
  - match on chunk type 'data' field 'type'
  ... sctp chunk data type 0

* x2 speed up time to load ruleset (via -f).
* Speed up time to print ruleset listing.

* Shortcut to check for set/unset bits in flags.

  - Check that snat and dnat ct status bits are unset.
  ... ct status ! snat,dnat

  - Check that the syn bit is set in the syn,ack bitmask
  ... tcp flags syn / syn,ack

  - Check that the fin and rst bits are not set in the syn,ack,fin,rst bitmask
  ... tcp flags != fin,rst / syn,ack,fin,rst

* Allow the use of verdict in set/map typeof definitions

  add map x m { typeof iifname . ip protocol . th dport : verdict ;}

You can download this new release from:

https://www.netfilter.org/projects/nftables/downloads.html#nftables-0.9.9

To build the code, libnftnl >= 1.2.0 and libmnl >= 1.0.4 are required:

* https://netfilter.org/projects/libnftnl/index.html
* https://netfilter.org/projects/libmnl/index.html

Visit our wikipage for user documentation at:

* https://wiki.nftables.org

For the manpage reference, check man(8) nft.

In case of bugs and feature requests, file them via:

* https://bugzilla.netfilter.org

Happy firewalling.

View attachment "changes-nftables-0.9.9.txt" of type "text/plain" (8094 bytes)
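
The flag shortcuts listed in the announcement, modelled in Python as an added example (not part of the original message or of the nftables code base). It assumes the three forms expand to the masked comparisons `flags & mask == value`, `flags & mask != value` and `flags & bits == 0`; the packet set and the `! fin,rst` expression are constructed for illustration.

```python
# TCP flag bit values as carried in the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
NAMES = {"fin": FIN, "syn": SYN, "rst": RST, "psh": PSH, "ack": ACK, "urg": URG}

def bits(spec):
    """Turn a comma list such as 'syn,ack' into an integer bitmask."""
    value = 0
    for name in spec.split(","):
        value |= NAMES[name.strip()]
    return value

def match(expr, flags):
    """Evaluate one shortcut expression against a packet's flag byte.

    Assumed expansions (an assumption of this example):
      'v / m'    -> flags & m == v
      '!= v / m' -> flags & m != v
      '! b'      -> flags & b == 0
    """
    expr = expr.strip()
    if expr.startswith("!="):
        value, mask = expr[2:].split("/")
        return flags & bits(mask) != bits(value)
    if expr.startswith("!"):
        return flags & bits(expr[1:]) == 0
    value, mask = expr.split("/")
    return flags & bits(mask) == bits(value)

# Constructed sample packets: label -> flag byte.
PACKETS = {
    "syn": SYN,
    "syn+ack": SYN | ACK,
    "ack": ACK,
    "fin+ack": FIN | ACK,
    "fin+rst": FIN | RST,
    "syn+fin+rst": SYN | FIN | RST,
}

def matching(expr):
    """Return the labels of the sample packets that the expression matches."""
    return [label for label, flags in PACKETS.items() if match(expr, flags)]

if __name__ == "__main__":
    for expr in ("syn / syn,ack", "!= fin,rst / syn,ack,fin,rst", "! fin,rst"):
        print(f"tcp flags {expr:30} -> {matching(expr)}")
```

Under these assumptions the `!=` form excludes only packets whose masked bits equal the listed value exactly, while the `!` form excludes any packet carrying one of the listed bits.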
