lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date:   Tue, 9 Aug 2022 21:54:38 +0200
From:   Pablo Neira Ayuso <pablo@...filter.org>
To:     netfilter <netfilter@...r.kernel.org>,
        netfilter-devel <netfilter-devel@...r.kernel.org>
Cc:     netdev@...r.kernel.org, netfilter-announce@...ts.netfilter.org,
        lwn@....net
Subject: [ANNOUNCE] nftables 1.0.5 release

Hi!

The Netfilter project proudly presents:

        nftables 1.0.5

This release contains bugfixes (highlights):

- Fixes for the -o/--optimize, run this --optimize option to automagically
  compact your ruleset using sets, maps and concatenations, eg.

     # cat ruleset.nft
     table ip x {
            chain y {
                    type nat hook postrouting priority srcnat; policy drop;
                    ip saddr 1.1.1.1 tcp dport 8000 snat to 4.4.4.4:80
                    ip saddr 2.2.2.2 tcp dport 8001 snat to 5.5.5.5:90
            }
     }

     # nft -o -c -f ruleset.nft
     Merging:
     ruleset.nft:4:3-52:                ip saddr 1.1.1.1 tcp dport 8000 snat to 4.4.4.4:80
     ruleset.nft:5:3-52:                ip saddr 2.2.2.2 tcp dport 8001 snat to 5.5.5.5:90
     into:
            snat to ip saddr . tcp dport map { 1.1.1.1 . 8000 : 4.4.4.4 . 80, 2.2.2.2 . 8001 : 5.5.5.5 . 90 }

- Fix ethernet and vlan concatenations, eg. define a dynamic set which
  is populated from the packet path.

     add table netdev x
     add chain netdev x y { type filter hook ingress device enp0s25 priority 0; }
     add set netdev x macset { typeof ether daddr . vlan id; flags dynamic,timeout; }
     add rule netdev x y update @macset { ether daddr . vlan id timeout 60s }

  or simply match using a concatenation:

     add rule netdev x y ether saddr . vlan id { 0a:0b:0c:0d:0e:0f . 42, 0a:0b:0c:0d:0e:0f . 4095 } counter accept

- Fix ruleset listing with interface wildcard map, eg.

     table inet filter {
        chain INPUT {
            iifname vmap {
                "eth0" : jump input_lan,
                "wg*" : jump input_vpn
            }
        }
        chain input_lan {}
        chain input_vpn {}
     }

- Fix several regressions in the input lexer which broke valid rulesets.
- Fix slowdown with large lists of singleton interval elements.
- Fix set automerge feature for large lists of singleton interval elements.
- Fix bogus error reporting for exact overlaps.
- Fix segfault when adding elements to invalid set.
- fix device parsing in netdev family in json.

See changelog for more details (attached to this email).

You can download this new release from:

https://www.netfilter.org/projects/nftables/downloads.html
https://www.netfilter.org/pub/nftables/

To build the code, libnftnl >= 1.2.3 and libmnl >= 1.0.4 are required:

* https://netfilter.org/projects/libnftnl/index.html
* https://netfilter.org/projects/libmnl/index.html

Visit our wikipage for user documentation at:

* https://wiki.nftables.org

For the manpage reference, check man(8) nft.

In case of bugs and feature requests, file them via:

* https://bugzilla.netfilter.org

Happy firewalling.

View attachment "changes-nftables-1.0.5.txt" of type "text/plain" (3293 bytes)

Powered by blists - more mailing lists