Message-ID: <aJNHt1OW7w6SBmsv@calendula>
Date: Wed, 6 Aug 2025 14:16:55 +0200
From: Pablo Neira Ayuso <pablo@...filter.org>
To: netfilter-devel@...r.kernel.org, netfilter@...r.kernel.org
Cc: netfilter-announce@...ts.netfilter.org, lwn@....net,
	netdev@...r.kernel.org
Subject: [ANNOUNCE] nftables 1.1.4 release

Hi!

The Netfilter project proudly presents:

        nftables 1.1.4

This release contains enhancements and fixes:

- Add conntrack information to monitor trace command.

    Example output ("conntrack: " lines are new):

    trace id 32 t PRE_RAW packet: iif "enp0s3" ether saddr [..]
    trace id 32 t PRE_RAW rule tcp flags syn meta nftrace set 1 (verdict continue)
    trace id 32 t PRE_RAW policy accept
    trace id 32 t PRE_MANGLE conntrack: ct direction original ct state new ct id 2641368242
    trace id 32 t PRE_MANGLE packet: iif "enp0s3" ether saddr [..]
    trace id 32 t ct_new_pre rule jump rpfilter (verdict jump rpfilter)
    trace id 32 t PRE_MANGLE policy accept
    trace id 32 t INPUT conntrack: ct direction original ct state new ct status dnat-done ct id 2641368242
    trace id 32 t INPUT packet: iif "enp0s3" [..]
    trace id 32 t public_in rule tcp dport 443 accept (verdict accept)
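The new "conntrack:" lines only pay off if the tooling that consumes `nft monitor trace` output knows how to correlate them with the rule and policy lines of the same trace id. The following parser is an added example, not part of the announcement or of the nftables project; it groups the trace lines quoted above (embedded here as constructed sample input, with the packet fields still elided as "[..]") by trace id, merges the conntrack fields from every "conntrack:" line, and records which chain issued the final terminal verdict, so that a reviewer can answer "was this flow new, was it NATed, and which chain accepted it?" from one summary row. The line layout it expects (`trace id <n> <table> <chain> <kind>`) and the set of ct keys it recognises are assumptions taken from the sample, not from the nft(8) grammar.

```python
import re
from collections import defaultdict

# Constructed sample input: the trace lines quoted in the announcement,
# with "[..]" standing in for the packet fields elided there.
SAMPLE_TRACE = """\
trace id 32 t PRE_RAW packet: iif "enp0s3" ether saddr [..]
trace id 32 t PRE_RAW rule tcp flags syn meta nftrace set 1 (verdict continue)
trace id 32 t PRE_RAW policy accept
trace id 32 t PRE_MANGLE conntrack: ct direction original ct state new ct id 2641368242
trace id 32 t PRE_MANGLE packet: iif "enp0s3" ether saddr [..]
trace id 32 t ct_new_pre rule jump rpfilter (verdict jump rpfilter)
trace id 32 t PRE_MANGLE policy accept
trace id 32 t INPUT conntrack: ct direction original ct state new ct status dnat-done ct id 2641368242
trace id 32 t INPUT packet: iif "enp0s3" [..]
trace id 32 t public_in rule tcp dport 443 accept (verdict accept)
"""

# Assumed line layout: "trace id <n> <table> <chain> <kind>[:] <rest>"
LINE_RE = re.compile(
    r"^trace id (?P<id>\d+) (?P<table>\S+) (?P<chain>\S+) "
    r"(?P<kind>packet|rule|policy|conntrack):? ?(?P<rest>.*)$"
)
# "ct <key> <value>" pairs on a conntrack line; values contain no spaces.
CT_RE = re.compile(r"ct (direction|state|status|id|mark|zone) (\S+)")
# Trailing "(verdict ...)" on a rule line.
VERDICT_RE = re.compile(r"\(verdict ([^)]+)\)\s*$")
# Verdicts that end evaluation for the packet in the current hook.
TERMINAL = {"accept", "drop", "reject", "queue"}


def parse_trace(text):
    """Group `nft monitor trace` lines by trace id.

    Returns {trace_id: {"chains": [...], "ct": {...}, "verdicts": [...],
    "final": (chain, verdict) or None}}.
    """
    traces = defaultdict(lambda: {"chains": [], "ct": {}, "verdicts": [], "final": None})
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a trace line, or a layout this parser does not know
        t = traces[int(m["id"])]
        chain, kind, rest = m["chain"], m["kind"], m["rest"]
        if chain not in t["chains"]:
            t["chains"].append(chain)
        if kind == "conntrack":
            # The INPUT-hook line carries "ct status dnat-done" that the earlier
            # PRE_MANGLE line lacked, so merge fields instead of overwriting.
            t["ct"].update(CT_RE.findall(rest))
        elif kind == "rule":
            v = VERDICT_RE.search(rest)
            verdict = v.group(1) if v else "continue"
            t["verdicts"].append((chain, verdict))
            if verdict.split()[0] in TERMINAL:
                t["final"] = (chain, verdict)
        elif kind == "policy":
            t["verdicts"].append((chain, "policy " + rest))
            if rest in TERMINAL:
                t["final"] = (chain, rest)
    return dict(traces)


def summarize(text):
    """One row per trace id: conntrack identity and state next to the final verdict."""
    rows = []
    for tid, t in sorted(parse_trace(text).items()):
        final_chain, verdict = t["final"] if t["final"] else (None, None)
        rows.append({
            "trace_id": tid,
            "ct_id": t["ct"].get("id"),
            "ct_state": t["ct"].get("state"),
            "ct_status": t["ct"].get("status"),
            "chains": t["chains"],
            "final_chain": final_chain,
            "verdict": verdict,
        })
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_TRACE):
        print(row)
```

Run against the sample, `summarize` yields a single row for trace id 32: ct id 2641368242, state `new`, status `dnat-done`, five chains traversed, accepted in `public_in`. Piping live `nft monitor trace` output into the same function gives one row per traced packet, which is the shape a log pipeline or a rule-review script wants.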

- Add a 'check' fib result to check for routes:

     ... fib daddr . iif check exists
     ... fib daddr . iif check missing

  Allow using it in maps:

     ... fib daddr check vmap { missing : drop, exists : accept }

  and set statements too:

     ... meta mark set fib daddr check . ct mark map { exists . 0x00000000 : 0x0000000a, missing . 0x00000001 : 0x0000000b }

- Better error reporting for re-declarations of a set/map with different types:

     Error: Cannot merge set with existing datamap of same name
      set z {
          ^

- Reduce memory consumption in sets consisting of a concatenation of intervals:

     table inet x {
            set y {
                    typeof ip saddr . tcp dport
                    flags interval
                    elements = {
                            0.1.2.0-0.1.2.240 . 0-1,
                            ...
                    }
            }
     }

    Using the set that appears in this example above, with 100k elements.

    Before: 123.80 Mbytes
    After:   80.19 Mbytes (-35.23%)

- Reduce memory consumption in maps with intervals:

     table inet x {
            map y {
                    typeof ip saddr : ip saddr
                    flags interval
                    elements = {
                            1.0.2.0-1.0.2.240 : 1.0.2.10,
                            ...
                    }
            }
     }

    Using the set that appears in this example above, with 100k elements.

    Before: 74.36 Mbytes
    After: 62.39 Mbytes (-16.10%)

- Restore meta hour matching on ranges spanning date boundaries, e.g.

    ...meta hour "21:00"-"02:00"

  N.B: This broke in the previous nftables 1.1.3 release.

- Display number of set elements in listing:

    table ip t {
       set s {
           type ipv4_addr
           size 65535      # count 1
           flags dynamic
           counter
           elements = { 1.1.1.1 counter packets 1 bytes 11 }
       }
    }

- Allow deleting a map via handle

    delete map t handle 4000

  N.B: In previous versions, this was already possible for sets; this
       fixes an inconsistency.

- Harden json parser against issues detected via fuzz testing.

- Simplify json flag field representation when a single flag is used,
  so instead of:

        "flags": [
          "interval"
        ],

  use:

        "flags": "interval",
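Any script that consumes `nft -j list ruleset` output and indexes into `obj["flags"][0]` now breaks on a set with one flag. The following is an added example, not code from the announcement or the nftables project: it accepts both spellings, normalises a parsed ruleset back to list form, and shows a query (which sets are interval sets) that works on either. The sample ruleset is constructed for the example; it follows the JSON object layout nft prints (`{"nftables": [{"set": {...}}, ...]}`), and walking every object that carries a `flags` key, rather than only sets and maps, is an assumption.

```python
import json

# Constructed sample: one set with a single flag (bare string, as printed by
# nftables 1.1.4) and one with several flags (still a list).
SAMPLE_RULESET = json.loads("""
{"nftables": [
  {"table": {"family": "inet", "name": "x", "handle": 1}},
  {"set": {"family": "inet", "name": "y", "table": "x", "handle": 2,
           "type": ["ipv4_addr", "inet_service"], "flags": "interval"}},
  {"set": {"family": "inet", "name": "z", "table": "x", "handle": 3,
           "type": "ipv4_addr", "flags": ["dynamic", "timeout"], "timeout": 60}}
]}
""")


def flags_of(obj):
    """Return the flag list of a set/map/table object, whichever form was printed."""
    flags = obj.get("flags", [])
    if isinstance(flags, str):
        return [flags]          # 1.1.4 single-flag form
    if isinstance(flags, list) and all(isinstance(f, str) for f in flags):
        return list(flags)      # classic list form
    raise ValueError(f"unexpected flags value: {flags!r}")


def normalize_flags(ruleset):
    """Rewrite every 'flags' field of a parsed ruleset to list form, in place.

    Each entry of the top-level "nftables" array is {"<kind>": {...}}; any
    object with a "flags" key is rewritten (assumption: see lead-in).
    """
    for entry in ruleset.get("nftables", []):
        for obj in entry.values():
            if isinstance(obj, dict) and "flags" in obj:
                obj["flags"] = flags_of(obj)
    return ruleset


def interval_sets(ruleset):
    """Names of the sets declared with the interval flag."""
    return [e["set"]["name"] for e in ruleset.get("nftables", [])
            if "set" in e and "interval" in flags_of(e["set"])]


if __name__ == "__main__":
    print("interval sets:", interval_sets(SAMPLE_RULESET))
    print(json.dumps(normalize_flags(SAMPLE_RULESET), indent=1))
```

Normalising at the point where the JSON is loaded keeps the rest of a tool indifferent to which nftables version produced the dump, which matters for audit scripts that compare rulesets captured on hosts running different releases.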

- Quote device name in basechain and flowtable declarations, e.g.

 table netdev filter2 {
        chain Main_Ingress2 {
               type filter hook ingress devices = { "eth0", "lo" } priority -500; policy accept;
        }
 }

... as well as man nft(8) documentation updates, and improvements in
tests/py and tests/shell for better coverage.

See changelog for more details (attached to this email).

You can download this new release from:

https://www.netfilter.org/projects/nftables/downloads.html
https://www.netfilter.org/pub/nftables/

To build the code, libnftnl >= 1.3.0 and libmnl >= 1.0.4 are required:

* https://netfilter.org/projects/libnftnl/index.html
* https://netfilter.org/projects/libmnl/index.html

Visit our wikipage for user documentation at:

* https://wiki.nftables.org

For the manpage reference, check man(8) nft.

In case of bugs and feature requests, file them via:

* https://bugzilla.netfilter.org

Happy firewalling.

View attachment "changes-nftables-1.1.4.txt" of type "text/plain" (6004 bytes)
