Message-ID: <YhO5Pn+6+dgAgSd9@salvia>
Date:   Mon, 21 Feb 2022 17:09:34 +0100
From:   Pablo Neira Ayuso <pablo@...filter.org>
To:     netfilter <netfilter@...r.kernel.org>,
        netfilter-devel <netfilter-devel@...r.kernel.org>
Cc:     netdev@...r.kernel.org, netfilter-announce@...ts.netfilter.org,
        lwn@....net
Subject: [ANNOUNCE] nftables 1.0.2 release

Hi!

The Netfilter project proudly presents:

        nftables 1.0.2

This release contains new features available up to the Linux kernel
5.17-rc release:

- New ruleset optimization -o/--optimize option. You can combine this
  option with the dry run mode (--check) to review the proposed ruleset
  updates without actually loading the ruleset, e.g.

        # nft -c -o -f ruleset.test
        Merging:
                 ruleset.nft:16:3-37:           ip daddr 192.168.0.1 counter accept
                 ruleset.nft:17:3-37:           ip daddr 192.168.0.2 counter accept
                 ruleset.nft:18:3-37:           ip daddr 192.168.0.3 counter accept
        into:
                 ip daddr { 192.168.0.1, 192.168.0.2, 192.168.0.3 } counter packets 0 bytes 0 accept

  This option also coalesces rules using concatenation+set, e.g.

        meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept
        meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.5 accept

  into:

        meta iifname . ip saddr . ip daddr { eth1 . 1.1.1.1 . 2.2.2.3, eth1 . 1.1.1.2 . 2.2.2.5 } accept

  and it uses verdict maps to coalesce rules with the same selectors but
  different verdicts, e.g.

        ip saddr 1.1.1.1 ip daddr 2.2.2.2 accept
        ip saddr 2.2.2.2 ip daddr 3.3.3.3 drop

  into:

        ip saddr . ip daddr vmap { 1.1.1.1 . 2.2.2.2 : accept, 2.2.2.2 . 3.3.3.3 : drop }
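
To make concrete what -o merges, here is a small Python model of the three coalescing forms above (an added example, not nftables' own optimizer code). It assumes rules of the form "selector value [selector value ...] verdict" with two-word selectors, merges only adjacent rules so that first-match evaluation order is preserved, and refuses to build a vmap whose element keys would collide.

```python
"""Toy model of the rule coalescing that `nft -o` reports (added example, not
nftables code). Consecutive rules matching on the same selectors are merged:
same verdict -> one set / concatenation rule; different verdicts -> a vmap."""

VERDICTS = {"accept", "drop", "reject"}


def parse_rule(rule):
    """'ip saddr 1.1.1.1 ip daddr 2.2.2.2 accept' ->
    (('ip saddr', 'ip daddr'), ('1.1.1.1', '2.2.2.2'), 'accept').
    Assumption: each selector is two words followed by one value."""
    words = rule.split()
    verdict = words.pop()
    if verdict not in VERDICTS or len(words) % 3:
        raise ValueError(f"cannot parse rule: {rule!r}")
    keys = tuple(" ".join(words[i:i + 2]) for i in range(0, len(words), 3))
    values = tuple(words[i + 2] for i in range(0, len(words), 3))
    return keys, values, verdict


def render(keys, entries):
    """Emit one rule for a run of rules that share the selector keys."""
    if len(entries) == 1:
        values, verdict = entries[0]
        return " ".join(f"{k} {v}" for k, v in zip(keys, values)) + f" {verdict}"
    lhs = " . ".join(keys)                        # e.g. 'ip saddr . ip daddr'
    verdicts = {verdict for _, verdict in entries}
    if len(verdicts) == 1:                        # plain set / concatenation set
        elems = ", ".join(" . ".join(v) for v, _ in entries)
        return f"{lhs} {{ {elems} }} {verdicts.pop()}"
    seen = {}                                     # vmap: element keys must be unique
    for values, verdict in entries:
        if seen.setdefault(values, verdict) != verdict:
            raise ValueError(f"conflicting verdicts for {' . '.join(values)}")
    elems = ", ".join(f"{' . '.join(v)} : {vd}" for v, vd in seen.items())
    return f"{lhs} vmap {{ {elems} }}"


def coalesce(rules):
    """Merge runs of *adjacent* rules with identical selectors. Non-adjacent
    rules are left alone so that first-match evaluation order is preserved."""
    parsed = [parse_rule(r) for r in rules]
    out, i = [], 0
    while i < len(parsed):
        keys, run = parsed[i][0], []
        while i < len(parsed) and parsed[i][0] == keys:
            run.append(parsed[i][1:])
            i += 1
        out.append(render(keys, run))
    return out
```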

- Support for ip and tcp options and sctp chunks in sets, e.g.

        set s5 {
               typeof ip option ra value
               elements = { 1, 1024 }
        }

        set s7 {
               typeof sctp chunk init num-inbound-streams
               elements = { 1, 4 }
        }

        chain c5 {
               ip option ra value @s5 accept
        }

        chain c7 {
               sctp chunk init num-inbound-streams @s7 accept
        }

- Support for tcp fastopen, md5sig and mptcp options.

- mp-tcp subtype matching support, e.g.

        tcp option mptcp subtype 1

- Improved kernel-side filtering via listing options.

- Complete JSON support for flowtables.

... this release also includes fixes (highlights):

- Fix --terse option with anonymous sets.
- Fix crash with `nft describe' on invalid field or datatype.
- Big Endian fixes for ct expiration, meta sk{u,g}uid, meta hour,
  ct label, meta {i,o}ifname with wildcard, payload matching with
  bitmasks.
- Allow quoted strings as device names in flowtable declarations.
- Ethernet matching with reject, e.g.

        ether saddr aa:bb:cc:dd:ee:ff ip daddr 192.168.0.1 reject

- Turn on dynamic flag if rule dynamically updates a set.

... and incremental documentation updates.

This release also includes libnftables C example code now available
under the examples/ folder.

You can download this new release from:

https://www.netfilter.org/projects/nftables/downloads.html
https://www.netfilter.org/pub/nftables/

To build the code, libnftnl >= 1.2.1 and libmnl >= 1.0.4 are required:

* https://netfilter.org/projects/libnftnl/index.html
* https://netfilter.org/projects/libmnl/index.html

Visit our wikipage for user documentation at:

* https://wiki.nftables.org

For the manpage reference, see nft(8).

In case of bugs and feature requests, file them via:

* https://bugzilla.netfilter.org

Happy firewalling.

View attachment "changes-nftables-1.0.2.txt" of type "text/plain" (5016 bytes)
