Message-ID: <YZZV42ERgpDbk/zL@salvia>
Date:   Thu, 18 Nov 2021 14:32:19 +0100
From:   Pablo Neira Ayuso <pablo@...filter.org>
To:     netfilter <netfilter@...r.kernel.org>,
        netfilter-devel <netfilter-devel@...r.kernel.org>
Cc:     netdev@...r.kernel.org, netfilter-announce@...ts.netfilter.org,
        lwn@....net
Subject: [ANNOUNCE] nftables 1.0.1 release

Hi!

The Netfilter project proudly presents:

        nftables 1.0.1

This release contains new features available up to the Linux kernel
5.16-rc1 release:

* Reduce memory footprint when loading large sets/maps.
* Speed up reload of large sets/maps.
* Speed up listing of specific tables in large ruleset, eg. large ruleset
  with ~100k lines.

     # nft list ruleset &> /dev/null
     real    0m3,049s
     user    0m2,080s
     sys     0m0,968s

  - Listing per table is now faster:

     # nft list table nat &> /dev/null
     real    0m1,969s
     user    0m1,412s
     sys     0m0,556s

     # nft list table filter &> /dev/null
     real    0m0,697s
     user    0m0,478s
     sys     0m0,220s

  Same speed up applies to listing specific chains/sets/maps.

* Speed up --terse option when listing a ruleset with large sets/maps.
* Print raw payload expression in hexadecimal, eg. @ll,0,8 & 0x80 == 0x80

* egress hook support (available since 5.16-rc1).

  table netdev filter {
        chain egress {
                type filter hook egress devices = { eth0, eth1 } priority 0;
                meta priority set ip saddr map { 192.168.10.2 : abcd:2, 192.168.10.3 : abcd:3 }
        }
  }

* Allow matching and updating bytes at inner header/payload offset
  (available since 5.16-rc1).

  # nft add rule x y @ih,32,32 0x14000000 counter
  # nft add rule x y @ih,32,32 set 0x14000000 counter

... and fixes:

- Fix split declaration of set across different files using the
  nested notation.
- Fix crash in python support with two instances of nftables handler.
- Fix incorrect range to prefix conversion.
- Fix -T/--numeric-time
- Incorrect meta protocol dependency removal in bridge, netdev and
  inet families.
- Unbreak support for older kernels (tested with Linux kernel 4.9.x)
- Optimize prefix match only for matching on big-endian.
- Restore use of variables with queue statement, eg. queue num $myq bypass
- Honor insert command and rule position handle in monitor mode.
- Disallow setuid on the nft executable.
- Bogus error in dynamic NAT map, eg.

  # nft add rule nat x y meta l4proto { tcp, udp } dnat ip to ip daddr . th dport map @fwdtoip_th

- Fix combination of map, concatenation with intervals and stateful
  expressions, eg.

  table ip filter {
       map forwport {
               type ipv4_addr . inet_proto . inet_service : verdict
               flags interval
               counter
               elements = { 10.133.89.138 . tcp . 8081 counter packets 0 bytes 0 : accept }
       }

       chain FORWARD {
               type filter hook forward priority filter; policy drop;
               iifname "enp0s8" ip daddr . ip protocol . th dport vmap @forwport counter
       }
  }

- Fix incorrect vlan offset when matching and updating tag, eg.

  # nft add rule bridge filter forward vlan id 100 vlan id set 200

- Fix use of constant in dynamic set, eg.

  table inet t {
       set s {
               type ipv4_addr . inet_service
               size 65536
               flags dynamic,timeout
               elements = { 192.168.7.1 . 22 }
       }

       chain c {
               type filter hook input priority 0;
               tcp dport 21 add @s { ip saddr . 22 timeout 1m }
       }
  }

... and incremental documentation updates.

The autotools build system now defaults to libedit/editline for the
nft --interactive shell.

You can download this new release from:

https://www.netfilter.org/projects/nftables/downloads.html
https://www.netfilter.org/pub/nftables/

To build the code, libnftnl >= 1.2.1 and libmnl >= 1.0.4 are required:

* https://netfilter.org/projects/libnftnl/index.html
* https://netfilter.org/projects/libmnl/index.html

Visit our wiki page for user documentation at:

* https://wiki.nftables.org

For the manpage reference, check man(8) nft.

In case of bugs and feature requests, file them via:

* https://bugzilla.netfilter.org

Happy firewalling.

View attachment "changes-nftables-1.0.1.txt" of type "text/plain" (5071 bytes)
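The egress hook and the dynamic set features from the changelog above, combined into an egress-audit ruleset as an added example that is not part of the announcement. The interfaces eth0/eth1, the RFC 5737 addresses and the table, set and log-prefix names are placeholders; the egress hook requires Linux 5.16-rc1 or later.

```nft
#!/usr/sbin/nft -f
# Added example (not from the nftables project). Load with: nft -f egress-audit.nft
# Audits outbound IPv4 flows on the netdev egress hook: known destinations are
# counted and accepted, anything else is recorded in a dynamic set and logged.

table netdev egress_audit {
        # Expected destinations, keyed like the forwport map in the changelog
        set allowed_dst {
                type ipv4_addr . inet_proto . inet_service
                flags interval
                elements = { 192.0.2.0/24 . tcp . 443,        # placeholder web servers
                             198.51.100.53 . udp . 53 }        # placeholder resolver
        }

        # Destinations not on the allow list, populated at runtime;
        # entries expire after 10 minutes of inactivity
        set unexpected_dst {
                type ipv4_addr . inet_proto . inet_service
                size 65536
                flags dynamic,timeout
                timeout 10m
        }

        chain egress {
                type filter hook egress devices = { eth0, eth1 } priority 0;

                # Known-good destinations: count and let through
                ip daddr . ip protocol . th dport @allowed_dst counter accept

                # Everything else over TCP/UDP: remember the destination and log it.
                # Audit only, no drop; inspect with: nft list set netdev egress_audit unexpected_dst
                meta l4proto { tcp, udp } add @unexpected_dst { ip daddr . ip protocol . th dport } \
                        log prefix "egress-unexpected: " counter
        }
}
```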
