| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Zpbc2XtUExOCriMP@calendula>
Date: Tue, 16 Jul 2024 22:49:29 +0200
From: Pablo Neira Ayuso <pablo@...filter.org>
To: netfilter-devel@...r.kernel.org, netfilter@...r.kernel.org,
netfilter-announce@...ts.netfilter.org, lwn@....net,
netdev@...r.kernel.org
Subject: [ANNOUNCE] nftables 1.1.0 release
Hi!
The Netfilter project proudly presents:
nftables 1.1.0
... after a release cycles of 8 months.
This release contains mostly fixes, listed in no particular order:
- Restore compatibility set element dump with <= 0.9.8
add element t s { 23 counter packets 10 bytes 20 timeout 10s }
add element t s { 42 timeout 10s counter packets 10 bytes 20 }
- Disallow ifname less than zero
meta iifname “”
Error: Empty string is not allowed
- Do not omit tproxy port for non-value expressions
tproxy ip to 127.0.0.1:8000
meta l4proto 6 tproxy ip to 127.0.0.1:symhash mod 2 map { 0 : 8000, 1 : 8010 }
- Listing meta hour with negative time offset
TZ=UTC-4 nft add rule x y meta hour “22:00”
- Byteorder conversion with {ct,meta} statements
map mapv6 {
typeof ip6 dscp : meta mark;
}
meta mark set ip6 dscp map @map1
# resulting bytecode:
[ payload load 2b @ network header + 0 => reg 1 ]
[ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ]
[ byteorder reg 1 = ntoh(reg 1, 2, 2) ]
[ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ]
[ lookup reg 1 set mapv6 dreg 1 ]
[ meta set mark with reg 1 ]
- Unbreak create set command
define ip-block-4 = { 1.1.1.1 }
create set netdev filter ip-block-4-test {
type ipv4_addr
flags interval
auto-merge
elements = $ip-block-4
}
- Restore rule replace command
replace rule ip t1 c1 handle 3 'jhash ip protocol . ip saddr mod 170 vmap { 0-94 : goto wan1, 95-169 : goto wan2, 170-269 }"
- Restore addition of netdevice to flowtable
create flowtable inet filter f1 { hook ingress priority 0; counter }
add flowtable inet filter f1 { devices = { dummy1 } ; }
- Byteorder conversion in set with concatenation and ranges
map ipsec_in {
typeof ipsec in reqid . iif : verdict
flags interval
}
ipsec in reqid . iif vmap @ipsec_in
# resulting bytecode:
[ xfrm load in 0 reqid => reg 1 ]
[ byteorder reg 1 = hton(reg 1, 4, 4) ]
[ meta load iif => reg 9 ]
[ byteorder reg 9 = hton(reg 9, 4, 4) ]
[ lookup reg 1 set ipsec_in dreg 0 ]
- Support for chain multidevice in JSON
- Lots of fixes to address input sanitization (UB):
* turn valuation assert() into errors
* turn evaluation error instead of crash
* parser crash
* expression with no datatype & incompatible key with datatype in set,
* OOB
* memleaks
- Fix monitor mode with set intervals & concatenation
- Unbreak tcp option with numbers
tcp option 254
- Unbreak {meta,ct} mark statement with maps
meta mark set vlan id map { 1 : 0x00000001, 4095 : 0x00004095 }
- Reject large raw payload and concat expression
Error: Concatenation of size 544 exceeds maximum size of 512
udp length . @th,0,512 . @th,512,512 { 47-63 . 0xe373135363130 . 0x33131303735353203 }
- Search for group, rt_mark, rt_realms at:
/etc/iproute2/
/use/share/iproute2/
… and display values via nft describe
# nft describe meta rtclassid
meta expression, datatype realm (routing realm) (basetype integer), 32 bits
pre-defined symbolic constants from /etc/iproute2/rt_realms (in decimal):
cosmos 0
Reject statement with range
meta mark set 0-100
- Support for auto-merge flag in sets in JSON
- Print 0s in time datatype
- Speed up list tables by fetching tables only
- Skip byteorder conversion with 8-byte fields
set test {
type ipv4_addr . ether_addr . inet_proto
flags interval
}
ip saddr . ether saddr . meta l4proto @test counter
- Honor -t/--terse with list table and list set to speed up listing
- Allow for host-endian in set lookups
map ipsec_in {
typeof ipsec in reqid . iif : verdict
flags interval
}
ipsec in reqid . 100 @ipsec_in
- Better error report when destroy command is not supported (requires >= 6.3)
- Allow to define maps with:
* ct timeout
* ct expectation
* ct helper
- Translate meter into dynamic set
add rule t c tcp dport 80 meter m size 128 { ip saddr timeout 2s limit rate 10/second }
now becomes:
set m {
type ipv4_addr
size 128
flags dynamic,timeout
}
tcp dport 80 update @m { ip saddr timeout 2s limit rate 10/second burst 5 packets }
- No payload merge on negation
tcp sport != 22 tcp dport != 23
- JSON updates:
- List empty chain early before set/maps
- Support for maps with concatenated data
- Support for synproxy objects
- Restore binop syntax for flags for listing
tcp flags & (fin | syn | rst | ack ) == syn
- Cross-day meta hour issues
TZ=EADT $NFT add rule t c meta hour "03:00"-"14:00"
- Remove prefix notation from mark
meta mark & 0xffffff00 == 0xffffff00
instead of
meta mark 0xffffff00/24
- Use numeric icmp codes in listings (ICMP codes are dependent of ICMP type)
- Add table persist flag to JSON
- Support for variables in map expressions
define dst_map = { ::1234 : 5678 }
table ip6 nat {
map dst_map {
typeof ip6 daddr : tcp dport;
elements = $dst_map
}
chain prerouting {
ip6 nexthdr tcp redirect to ip6 daddr map @dst_map
}
}
- VLAN support:
# payload statement
ip saddr 10.1.1.1 icmp type echo-request vlan id set 321
# payload expression (QinQ matching)
ether type 8021ad vlan id 10 vlan type 8021q vlan id 100 vlan type ip accept
- Recycle existing cache if generation ID did not change, to speed up
incremental updates.
- Better error reporting when redefining chain
ruleset.nft:7:9-52: Error: Chain "input" already exists in table ip 'filter' with different declaration
type filter hook postrouting priority filter;
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
- Issues with variables
define m = { 3, 4 }
add element ip a x \$m
add element ip a x { 5 }
- Broader IPv4-Mapped IPv6 (similar to iptables)
aaaa::1.2.3.4
- -f/--filename includes path relative to the current (the including) file's directory
- -I/--include: default include path now searched at the end.
- New string preprocessor (only for log statement)
define message=”test”
log prefix “my $message”
- Fix set element deletion is maps:
map m {
typeof ct bytes : meta priority
flags interval
elements = { 2048001-4000000 : 1:2 }
}
meta priority set ct bytes map @m
- Unbreak -o/--optimize with counter statements
# nft -c -o -f ruleset.nft
Merging:
ruleset.nft:5:17-45: ct state invalid counter drop
ruleset.nft :6:17-59: ct state established,related counter accept
into:
ct state vmap { invalid counter : drop, established counter : accept, related counter : accept }
Merging:
ruleset.nft:7:17-43: tcp dport 80 counter accept
ruleset.nft:8:17-44: tcp dport 123 counter accept
into:
tcp dport { 80, 123 } counter accept
Merging:
ruleset.nft:9:17-64: ip saddr 1.1.1.1 ip daddr 2.2.2.2 counter accept
ruleset.nft:10:17-62: ip saddr 1.1.1.2 ip daddr 3.3.3.3 counter drop
into:
ip saddr . ip daddr vmap { 1.1.1.1 . 2.2.2.2 counter : accept, 1.1.1.2 . 3.3.3.3 counter : drop }
... including manpage updates too and tests enhancements.
See changelog for more details (attached to this email).
You can download this new release from:
https://www.netfilter.org/projects/nftables/downloads.html
https://www.netfilter.org/pub/nftables/
[ NOTE: We have switched to .tar.xz files for releases. ]
To build the code, libnftnl >= 1.2.7 and libmnl >= 1.0.4 are required:
* https://netfilter.org/projects/libnftnl/index.html
* https://netfilter.org/projects/libmnl/index.html
Visit our wikipage for user documentation at:
* https://wiki.nftables.org
For the manpage reference, check man(8) nft.
In case of bugs and feature requests, file them via:
* https://bugzilla.netfilter.org
Happy firewalling.
View attachment "changes-nftables-1.1.0.txt" of type "text/plain" (16857 bytes)
Powered by blists - more mailing lists