Date:   Tue, 31 May 2022 12:13:23 +0200
From:   Pablo Neira Ayuso <pablo@...filter.org>
To:     netfilter <netfilter@...r.kernel.org>,
        netfilter-devel <netfilter-devel@...r.kernel.org>
Cc:     netdev@...r.kernel.org, netfilter-announce@...ts.netfilter.org,
        lwn@....net
Subject: [ANNOUNCE] nftables 1.0.3 release

Hi!

The Netfilter project proudly presents:

        nftables 1.0.3

This release contains new features available up to the Linux kernel 5.18 release:

* Support for wildcard interface name matching with sets:

     table inet testifsets {
        set simple_wild {
               type ifname
               flags interval
               elements = { "abcdef*",
                            "othername",
                            "ppp0" }
        }

        chain v4icmp {
                type filter hook input priority 0; policy accept;
                iifname @simple_wild counter packets 0 bytes 0
                iifname { "abcdef*", "eth0" } counter packets 0 bytes 0
        }
     }

* Support for runtime auto-merge of set elements. So far, the
  auto-merge routine could only coalesce elements in the set
  declaration.

     # cat ruleset.nft
     table ip x {
        set y {
                type ipv4_addr
                flags interval
                auto-merge
                elements = { 1.2.3.0, 1.2.3.255, 1.2.3.0/24,
                             3.3.3.3, 4.4.4.4, 4.4.4.4-4.4.4.8,
                             3.3.3.4, 3.3.3.5 }
        }
     }
     # nft -f ruleset.nft
     table ip x {
        set y {
                type ipv4_addr
                flags interval
                auto-merge
                elements = { 1.2.3.0/24, 3.3.3.3-3.3.3.5,
                             4.4.4.4-4.4.4.8 }
        }
     }

  With this update, incremental runtime updates are also supported:

     # nft add element ip x y { 1.2.3.0-1.2.4.255, 3.3.3.6 }
     # nft list ruleset
     table ip x {
        set y {
                type ipv4_addr
                flags interval
                auto-merge
                elements = { 1.2.3.0-1.2.4.255, 3.3.3.3-3.3.3.6,
                             4.4.4.4-4.4.4.8 }
        }
     }

  As shown above, new elements are merged into existing intervals
  whenever possible.

  Incremental runtime element removals are also supported; removing
  elements adjusts or splits the existing intervals as needed.
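  A reference model of the auto-merge behaviour described above, written
  for this announcement (it is not nftables' own code): overlapping and
  adjacent ipv4_addr elements collapse into one interval, runtime adds merge
  into existing intervals, and runtime deletes trim or split them. It is
  exercised on the exact element lists shown in the listings above.

```python
import ipaddress

def parse_element(text):
    # nft element text ('1.2.3.0/24', '4.4.4.4-4.4.4.8', '3.3.3.3') -> inclusive (first, last)
    text = text.strip()
    if "-" in text:
        return tuple(int(ipaddress.IPv4Address(p)) for p in text.split("-"))
    net = ipaddress.IPv4Network(text, strict=False)
    return int(net[0]), int(net[-1])

def format_element(lo, hi):
    # Print as nft lists it: single address, CIDR when the interval is one prefix, else start-end
    if lo == hi:
        return str(ipaddress.IPv4Address(lo))
    nets = list(ipaddress.summarize_address_range(ipaddress.IPv4Address(lo),
                                                  ipaddress.IPv4Address(hi)))
    if len(nets) == 1:
        return str(nets[0])
    return f"{ipaddress.IPv4Address(lo)}-{ipaddress.IPv4Address(hi)}"

def auto_merge(intervals):
    # Coalesce overlapping *and* adjacent intervals: 3.3.3.3 plus 3.3.3.4 become one range
    merged = []
    for lo, hi in sorted(intervals):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged

def add_elements(current, elements):
    # Runtime 'nft add element': new elements merge into the existing intervals
    return auto_merge(list(current) + [parse_element(e) for e in elements])

def delete_elements(current, elements):
    # Runtime 'nft delete element': removing a sub-range trims or splits an interval
    result = list(current)
    for dlo, dhi in (parse_element(e) for e in elements):
        pieces = []
        for lo, hi in result:
            if lo < dlo:           # the part before the removed range survives
                pieces.append((lo, min(hi, dlo - 1)))
            if hi > dhi:           # the part after it survives
                pieces.append((max(lo, dhi + 1), hi))
        result = pieces
    return result

def listing(intervals):
    # Element strings as 'nft list ruleset' would show them
    return [format_element(lo, hi) for lo, hi in intervals]
```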

* Enhancements for the ruleset optimization option -o/--optimize, which
  now coalesces several NAT rules into a map:

     # cat ruleset.nft
     table ip x {
            chain y {
                    type nat hook postrouting priority srcnat; policy drop;
                    ip saddr 1.1.1.1 tcp dport 8000 snat to 4.4.4.4:80
                    ip saddr 2.2.2.2 tcp dport 8001 snat to 5.5.5.5:90
            }
     }

     # nft -o -c -f ruleset.nft
     Merging:
     ruleset.nft:4:3-52:                ip saddr 1.1.1.1 tcp dport 8000 snat to 4.4.4.4:80
     ruleset.nft:5:3-52:                ip saddr 2.2.2.2 tcp dport 8001 snat to 5.5.5.5:90
     into:
            snat to ip saddr . tcp dport map { 1.1.1.1 . 8000 : 4.4.4.4 . 80, 2.2.2.2 . 8001 : 5.5.5.5 . 90 }

  The optimizer also learnt how to coalesce rules with raw expressions into maps, for example:

     # cat ruleset.nft
     table ip x {
            [...]

            chain nat_dns_acme {
                    udp length 47-63 @th,160,128 0x0e373135363130333131303735353203 goto nat_dns_dnstc
                    udp length 62-78 @th,160,128 0x0e31393032383939353831343037320e goto nat_dns_this_5301
                    udp length 62-78 @th,160,128 0x0e31363436323733373931323934300e goto nat_dns_saturn_5301
                    udp length 62-78 @th,160,128 0x0e32393535373539353636383732310e goto nat_dns_saturn_5302
                    udp length 62-78 @th,160,128 0x0e38353439353637323038363633390e goto nat_dns_saturn_5303
                    drop
            }
     }

  When 'nft' is invoked with -o, the five rules collapse into a single
  verdict map:

     # nft -c -o -f ruleset.
     Merging:
     ruleset.nft:8:17-98:                 udp length 47-63 @th,160,128 0x0e373135363130333131303735353203 goto nat_dns_dnstc
     ruleset.nft:9:17-102:                 udp length 62-78 @th,160,128 0x0e31393032383939353831343037320e goto nat_dns_this_5301
     ruleset.nft:10:17-104:                 udp length 62-78 @th,160,128 0x0e31363436323733373931323934300e goto nat_dns_saturn_5301
     ruleset.nft:11:17-104:                 udp length 62-78 @th,160,128 0x0e32393535373539353636383732310e goto nat_dns_saturn_5302
     ruleset.nft:12:17-104:                 udp length 62-78 @th,160,128 0x0e38353439353637323038363633390e goto nat_dns_saturn_5303
     into:
        udp length . @th,160,128 vmap { 47-63 . 0x0e373135363130333131303735353203 : goto nat_dns_dnstc, 62-78 . 0x0e31393032383939353831343037320e : goto nat_dns_this_5301, 62-78 . 0x0e31363436323733373931323934300e : goto nat_dns_saturn_5301, 62-78 . 0x0e32393535373539353636383732310e : goto nat_dns_saturn_5302, 62-78 . 0x0e38353439353637323038363633390e : goto nat_dns_saturn_5303 }
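  The raw expression in those rules is opaque as written. The following
  added example (not nftables code) decodes what '@th,160,128' inspects on
  a constructed DNS query: transport-header bit 160 is byte 20, i.e. the
  first 16 bytes of the question name after the 8-byte UDP and 12-byte DNS
  headers, so the key is a length byte, the first label and the next length
  byte. Only byte-aligned fields are modelled, which is all these rules use.

```python
import struct

def raw_th_field(transport_bytes, bit_offset, bit_len):
    # Value of '@th,<bit_offset>,<bit_len>' over the bytes starting at the transport header.
    # Only byte-aligned fields are modelled, which is all the rules above use.
    assert bit_offset % 8 == 0 and bit_len % 8 == 0
    chunk = transport_bytes[bit_offset // 8:(bit_offset + bit_len) // 8]
    if len(chunk) < bit_len // 8:
        return None            # packet too short: the raw match cannot succeed
    return int.from_bytes(chunk, "big")

def build_dns_query(qname, sport=40000, dport=53):
    # Constructed sample: UDP header + minimal DNS query for an A record (IN class)
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)   # header, 1 question
    dns += name + b"\x00" + struct.pack("!HH", 1, 1)             # QNAME, QTYPE A, QCLASS IN
    return struct.pack("!HHHH", sport, dport, 8 + len(dns), 0) + dns

def dns_first_label_key(qname):
    # What '@th,160,128' sees: bit 160 = byte 20 = 8 (UDP header) + 12 (DNS header),
    # i.e. the first 16 bytes of the question name
    return raw_th_field(build_dns_query(qname), 160, 128)

def decode_key(key):
    # Turn a 16-byte key back into (first label, length byte of the following label)
    raw = key.to_bytes(16, "big")
    n = raw[0]
    label = raw[1:1 + n].decode("ascii", "replace")
    nxt = raw[1 + n] if 1 + n < len(raw) else None
    return label, nxt

def rule_matches(transport_bytes, length_range, key):
    # Evaluate 'udp length <lo>-<hi> @th,160,128 <key>' against one UDP datagram
    lo, hi = length_range
    return lo <= len(transport_bytes) <= hi and raw_th_field(transport_bytes, 160, 128) == key
```

  Running decode_key on the first key from the listing shows the rule is
  keyed on a 14-character first label followed by a 3-byte label.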

* Support for raw expressions in concatenations. For example, in anonymous sets:

     # nft add rule x y ip saddr . @ih,32,32 { 1.1.1.1 . 0x14, 2.2.2.2 . 0x1e }

  And, in explicit set declarations:

     table x {
            set y {
                    typeof ip saddr . @ih,32,32
                    elements = { 1.1.1.1 . 0x14 }
            }
     }

  (the @ih inner header/payload matching keyword requires Linux kernel >= 5.16).

* Support for integer type protocol header fields in concatenations.

  For example, the udp length field relies on the integer datatype as
  shown by the 'nft describe' command:

     # nft describe udp length
     payload expression, datatype integer (integer), 16 bits

  You can now use it in set and map declarations through 'typeof':

     table inet t {
            map m1 {
                    typeof udp length . @ih,32,32 : verdict
                    flags interval
                    elements = { 20-80 . 0x14 : accept,
                                 1-10 . 0xa : drop }
            }

            chain c {
                    type filter hook input priority 0; policy drop;
                    udp length . @ih,32,32 vmap @m1
            }
     }

* Allow resetting TCP options (requires Linux kernel >= 5.18):

     tcp flags syn reset tcp option sack-perm

* Speed up the chain listing command, i.e. nft list chain x y

... this release also includes fixes (highlights):

- fix invalid listing in verdict maps
- several fixes for -o/--optimize (added in the previous 1.0.2 release).
- fix anonymous object maps, for example:

      table inet filter {
             ct helper sip-5060u {
                     type "sip" protocol udp
                     l3proto ip
             }

             ct helper sip-5060t {
                     type "sip" protocol tcp
                     l3proto ip
             }

             chain input {
                     type filter hook input priority filter; policy accept;
                     ct helper set ip protocol . th dport map { udp . 10000-20000 : "sip-5060u", tcp . 10000-20000 : "sip-5060t" }
             }
      }

- fix build problems in nftables-1.0.2 tarball.
- fix JSON chain listing (https://bugzilla.netfilter.org/show_bug.cgi?id=1580)

... and incremental documentation updates.

You can download this new release from:

https://www.netfilter.org/projects/nftables/downloads.html
https://www.netfilter.org/pub/nftables/

To build the code, libnftnl >= 1.2.1 and libmnl >= 1.0.4 are required:

* https://netfilter.org/projects/libnftnl/index.html
* https://netfilter.org/projects/libmnl/index.html

Visit our wikipage for user documentation at:

* https://wiki.nftables.org

For the manpage reference, see nft(8).

For bugs and feature requests, file them via:

* https://bugzilla.netfilter.org

Happy firewalling.
