Message-ID: <Z_1KxMUDT0D8e6wH@calendula>
Date: Mon, 14 Apr 2025 19:49:56 +0200
From: Pablo Neira Ayuso <pablo@...filter.org>
To: netfilter-devel@...r.kernel.org, netfilter@...r.kernel.org
Cc: netfilter-announce@...ts.netfilter.org, lwn@....net,
netdev@...r.kernel.org
Subject: [ANNOUNCE] nftables 1.1.2 release
Hi!
The Netfilter project proudly presents:
nftables 1.1.2
This release contains (in no particular order):
- Allow for protocol dependency on sets, e.g.

    table inet test {
        set protos {
            typeof meta l4proto
            elements = { tcp, udp }
        }
        chain prerouting {
            type filter hook prerouting priority mangle; policy accept;
            meta l4proto @protos tproxy to :1088
        }
    }
- Support for more advanced bitwise operations with statements:

    ... ct mark set ct mark & 0xffff0000 | meta mark & 0xffff
    ... meta mark set meta mark & 0xffff0000 | meta cpu << 8 | iif

  This requires Linux kernel >= 6.13.
- Set element auto-merge now skips elements with timeout/expiration.
- Allow using queue with typeof.

    table inet t {
        map get_queue_id {
            typeof ip saddr . ip daddr . tcp dport : queue
            elements = { 127.0.0.1 . 127.0.0.1 . 22 : 1,
                         127.0.0.1 . 127.0.0.2 . 22 : 2 }
        }
        chain test {
            queue flags bypass to ip saddr . ip daddr . tcp dport map @get_queue_id
        }
    }
- Memory footprint reduction for set elements.
- Update nft monitor to report flowtable events.
- Allow for listing sets with:

    list sets inet foo

  for consistency with existing commands. Previous versions require the 'table'
  keyword for this to work, i.e.

    list sets table inet foo
- Support for merging bitmask matching in set/map with -o/--optimize

    # nft -c -o -f ruleset.nft
    Merging:
    ruleset.nft:7:17-76: tcp flags & (fin | syn | rst | ack | urg) == fin | ack | urg
    ruleset.nft:8:17-70: tcp flags & (fin | syn | rst | ack | urg) == fin | ack
    ruleset.nft:9:17-64: tcp flags & (fin | syn | rst | ack | urg) == fin
    ruleset.nft:10:17-70: tcp flags & (fin | syn | rst | ack | urg) == syn | ack
    ruleset.nft:11:17-64: tcp flags & (fin | syn | rst | ack | urg) == syn
    ruleset.nft:12:17-70: tcp flags & (fin | syn | rst | ack | urg) == rst | ack
    ruleset.nft:13:17-64: tcp flags & (fin | syn | rst | ack | urg) == rst
    ruleset.nft:14:17-70: tcp flags & (fin | syn | rst | ack | urg) == ack | urg
    ruleset.nft:15:17-64: tcp flags & (fin | syn | rst | ack | urg) == ack
    into:
    tcp flags & (fin | syn | rst | ack | urg) == { fin | ack | urg, fin | ack, fin, syn | ack, syn, rst | ack, rst, ack | urg, ack }
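The merge shown above groups rules that share the same masked left-hand side and collects their compare values into one anonymous set. The Python below is an added example written for this page (not nftables' optimizer code) that reproduces that grouping over the nine rules quoted above, renders the merged form, and evaluates it against a flags byte; it also rejects a rule whose compare value has bits outside its mask, since such a rule can never match. The TCP flag bit values are the standard header bits, named as nftables names them.

```python
# Added example, not code from nftables: a Python model of the bitmask merge
# that `nft -o` reports above. Rules that share the same `tcp flags & (mask)`
# left-hand side are grouped and their compare values collected into one set.
import re
from collections import OrderedDict

# TCP flag bits as nftables names them.
TCP_FLAGS = OrderedDict([
    ("fin", 0x01), ("syn", 0x02), ("rst", 0x04), ("psh", 0x08),
    ("ack", 0x10), ("urg", 0x20), ("ecn", 0x40), ("cwr", 0x80),
])

RULE_RE = re.compile(
    r"^\s*tcp flags & \((?P<mask>[a-z |]+)\) == (?P<value>[a-z |]+?)\s*$"
)


def flags_value(expr: str) -> int:
    """'fin | ack | urg' -> 0x31; raises KeyError on an unknown flag name."""
    value = 0
    for name in expr.split("|"):
        value |= TCP_FLAGS[name.strip()]
    return value


def flags_names(value: int) -> str:
    """Inverse of flags_value, in nftables' flag order."""
    return " | ".join(name for name, bit in TCP_FLAGS.items() if value & bit) or "0x0"


def parse_rule(line: str) -> tuple:
    """Return (mask, value) for one 'tcp flags & (mask) == value' rule."""
    m = RULE_RE.match(line)
    if not m:
        raise ValueError(f"not a 'tcp flags & (mask) == value' rule: {line!r}")
    mask, value = flags_value(m["mask"]), flags_value(m["value"])
    if value & ~mask:
        # Bits outside the mask can never survive the AND: the rule is dead.
        raise ValueError(f"compare value has bits outside the mask: {line!r}")
    return mask, value


def merge_rules(lines: list) -> OrderedDict:
    """mask -> ordered, de-duplicated list of compare values."""
    groups = OrderedDict()
    for line in lines:
        mask, value = parse_rule(line)
        values = groups.setdefault(mask, [])
        if value not in values:
            values.append(value)
    return groups


def render(groups: OrderedDict) -> list:
    """Render each group as the single set-based match nft -o would emit."""
    return [
        f"tcp flags & ({flags_names(mask)}) == "
        f"{{ {', '.join(flags_names(v) for v in values)} }}"
        for mask, values in groups.items()
    ]


def matches(flags: int, mask: int, values: list) -> bool:
    """Evaluate the merged match against a packet's TCP flags byte."""
    return (flags & mask) in values


# Constructed sample: the nine rules from the optimizer output above, without
# their ruleset.nft:line:col prefixes.
SAMPLE_RULES = [
    "tcp flags & (fin | syn | rst | ack | urg) == fin | ack | urg",
    "tcp flags & (fin | syn | rst | ack | urg) == fin | ack",
    "tcp flags & (fin | syn | rst | ack | urg) == fin",
    "tcp flags & (fin | syn | rst | ack | urg) == syn | ack",
    "tcp flags & (fin | syn | rst | ack | urg) == syn",
    "tcp flags & (fin | syn | rst | ack | urg) == rst | ack",
    "tcp flags & (fin | syn | rst | ack | urg) == rst",
    "tcp flags & (fin | syn | rst | ack | urg) == ack | urg",
    "tcp flags & (fin | syn | rst | ack | urg) == ack",
]

if __name__ == "__main__":
    for line in render(merge_rules(SAMPLE_RULES)):
        print(line)
```

Running it prints exactly the merged line the optimizer reports above. Note that `matches` ignores flag bits outside the mask (psh, ecn, cwr here), which is the same semantics as the nine original comparisons: the merge changes the representation, not which packets match.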
- Use range expression to represent a range, instead of two comparisons.

    - [ cmp gte reg 1 0x00005000 ]
    - [ cmp lte reg 1 0x00005a00 ]
    + [ range eq reg 1 0x00005000 0x00005a00 ]
- Improve mptcp support with symbol table for subtypes:

    set s13 {
        typeof tcp option mptcp subtype
        elements = { mp-join, dss }
    }

    # nft describe tcp option mptcp subtype
    exthdr expression, datatype integer (mptcp option subtype) (basetype integer), 4 bits

    pre-defined symbolic constants (in decimal):
    mp-capable      0
    mp-join         1
    dss             2
    add-addr        3
    remove-addr     4
    mp-prio         5
    mp-fail         6
    mp-fastclose    7
    mp-tcprst       8
- Support for mangling bitfield headers, e.g.

    ... ip dscp set ip dscp | 0x1
- Print set elements with a multi-word description on a single line.
  If the set element:

    - represents a mapping
    - has a timeout
    - has a comment
    - has counter/quota/limit
    - is a concatenation (already printed in a single line before this patch)

  i.e. if the set element requires several words, then print it on one
  single line, e.g.

    table ip x {
        set y {
            typeof ip saddr
            counter
            elements = { 192.168.10.35 counter packets 0 bytes 0,
                         192.168.10.101 counter packets 0 bytes 0,
                         192.168.10.135 counter packets 0 bytes 0 }
        }
    }
- Fix extended error reporting with large set elements.
- Fix incorrect removal of meta nfproto in listings.

    ... meta nfproto ipv4 ct mark 0x00000001
    ... meta nfproto ipv6 ct protocol 6
- Fix get command with interval sets/maps:

    # nft get element x y { 1.1.1.2 }
    table ip x {
        map y {
            typeof ip saddr : meta mark
            counter
            flags interval,timeout
            elements = { 1.1.1.1-1.1.1.10 timeout 10m : 20 }
        }
    }
- Fix reset command with interval sets/maps too:

    # nft reset element inet filter intervalset { 1.2.3.4 }
- Do not remove layer 4 protocol dependency when listing raw expressions, e.g.

    meta l4proto 91 @th,0,16 0x0 accept
- Fixes for -o/--optimize.
- Support for typeof in JSON.
... and a bunch of assorted fixes, manpage updates and test enhancements.
See changelog for more details (attached to this email).
You can download this new release from:
https://www.netfilter.org/projects/nftables/downloads.html
https://www.netfilter.org/pub/nftables/
[ NOTE: We have switched to .tar.xz files for releases. ]
To build the code, libnftnl >= 1.2.9 and libmnl >= 1.0.4 are required:
* https://netfilter.org/projects/libnftnl/index.html
* https://netfilter.org/projects/libmnl/index.html
Visit our wikipage for user documentation at:
* https://wiki.nftables.org
For the manpage reference, check man(8) nft.
In case of bugs and feature requests, file them via:
* https://bugzilla.netfilter.org
Happy firewalling.
[ Attachment: "changes-nftables-1.1.2.txt" (text/plain, 8444 bytes) ]