Message-ID: <aTLn9DVZSFeGN3IP@chamomile>
Date: Fri, 5 Dec 2025 15:11:00 +0100
From: Pablo Neira Ayuso <pablo@...filter.org>
To: netfilter-devel@...r.kernel.org, netfilter@...r.kernel.org
Cc: netfilter-announce@...ts.netfilter.org, lwn@....net,
netdev@...r.kernel.org
Subject: [ANNOUNCE] nftables 1.1.6 release
Hi!
The Netfilter project proudly presents:
nftables 1.1.6
This release contains fixes:
- Complete lightweight tunnel template support, including vxlan, geneve
  and erspan, e.g.

    table netdev global {
        tunnel t1 {
            id 10
            ip saddr 192.168.2.10
            ip daddr 192.168.2.11
            sport 1025
            dport 20020
            ttl 1
            erspan {
                version 1
                index 2
            }
        }
        tunnel t2 {
            id 10
            ip saddr 192.168.3.10
            ip daddr 192.168.3.11
            sport 1025
            dport 21021
            ttl 1
            erspan {
                version 1
                index 2
            }
        }
        chain in {
            type filter hook ingress device veth0 priority 0;
            tunnel name ip saddr map { 10.141.10.12 : "t1", 10.141.10.13 : "t2" } fwd to erspan1
        }
    }

  You have to create the erspan1 interface before loading your ruleset:

    ip link add dev erspan1 type erspan external
- Support for wildcards in netdev hooks, e.g. add a basechain to filter
  ingress traffic for all existing vlan devices:

    table netdev t {
        chain c {
            type filter hook ingress devices = { "vlan*", "veth0" } priority filter; policy accept;
        }
    }
- Support to pass up bridge frames to the bridge device for local
  processing, e.g. pass up all bridge frames for de:ad:00:00:be:ef
  to the IP stack:

    table bridge global {
        chain pre {
            type filter hook prerouting priority 0; policy accept;
            ether daddr de:ad:00:00:be:ef meta pkttype set host ether daddr set meta ibrhwaddr accept
        }
    }

  The new meta ibrhwaddr provides the bridge hardware address, which
  can be used to mangle the destination address.
  This requires a Linux kernel >= 6.18.

- New afl++ (american fuzzy lop++) fuzzer infrastructure, enable it with:

    ./configure --with-fuzzer

  and read tests/afl++/README to build and run tools/nft-afl.
- fib expression incorrect bytecode for Big Endian.
  Instead of:

    [ fib saddr . iif oif present => reg 1 ]
    [ cmp eq reg 1 0x01000000 ]

  generate:

    [ fib saddr . iif oif present => reg 1 ]
    [ cmp eq reg 1 0x00000001 ]

  among other Big Endian fixes.
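  The following is an added illustration of the byte-order issue behind that fix; it is
  not nftables code. It models a 32-bit register as raw bytes, the kernel side storing the
  `present` result as a native u32, and `cmp eq` comparing register bytes against the
  immediate, and assumes (as the dump words suggest) that the old bytecode laid the
  immediate out in little-endian byte order regardless of host.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of one 32-bit nftables register, as the raw bytes an expression sees.
 * Illustrative code only, not nft's or the kernel's implementation. */
typedef struct { uint8_t b[4]; } reg_t;

/* Kernel side (model of the fib expression): `... oif present` stores
 * the result as a native-endian u32 into the destination register. */
static reg_t fib_present_result(int present)
{
    reg_t r;
    uint32_t v = present ? 1u : 0u;
    memcpy(r.b, &v, sizeof v);              /* host byte order */
    return r;
}

/* Correct userspace encoding: the cmp immediate is a native u32 too,
 * so it matches whatever the kernel wrote, on any host. */
static reg_t imm_native_u32(uint32_t v)
{
    reg_t r;
    memcpy(r.b, &v, sizeof v);
    return r;
}

/* Assumed old encoding: bytes laid out little-endian regardless of host.
 * Read back as a host u32 on a big-endian machine this is 0x01000000. */
static reg_t imm_hardcoded_le(uint32_t v)
{
    reg_t r = {{ (uint8_t)v, (uint8_t)(v >> 8),
                 (uint8_t)(v >> 16), (uint8_t)(v >> 24) }};
    return r;
}

/* Model of cmp eq: byte-wise comparison of register and immediate. */
static int cmp_eq(reg_t reg, reg_t imm)
{
    return memcmp(reg.b, imm.b, sizeof reg.b) == 0;
}

/* Reinterpret the 4 bytes as a host u32 (how a debug dump shows the word). */
static uint32_t reg_as_word(reg_t r)
{
    uint32_t v;
    memcpy(&v, r.b, sizeof v);
    return v;
}

static int host_is_little_endian(void)
{
    uint32_t one = 1;
    uint8_t first;
    memcpy(&first, &one, 1);
    return first == 1;
}

int main(void)
{
    reg_t reg = fib_present_result(1);
    printf("%s-endian host: native imm matches=%d, LE-hardcoded imm matches=%d\n",
           host_is_little_endian() ? "little" : "big",
           cmp_eq(reg, imm_native_u32(1)), cmp_eq(reg, imm_hardcoded_le(1)));
    return 0;
}
```

  On a little-endian host both immediates match; on a big-endian host only the native
  encoding does, which is why the emitted word changes from 0x01000000 to 0x00000001.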
... and man nft(8) documentation updates and more small fixes.
See changelog for more details (attached to this email).
You can download this new release from:
https://www.netfilter.org/projects/nftables/downloads.html
https://www.netfilter.org/pub/nftables/
To build the code, libnftnl >= 1.3.1 and libmnl >= 1.0.4 are required:
* https://netfilter.org/projects/libnftnl/index.html
* https://netfilter.org/projects/libmnl/index.html
Visit our wikipage for user documentation at:
* https://wiki.nftables.org
For the manpage reference, check man(8) nft.
In case of bugs and feature requests, file them via:
* https://bugzilla.netfilter.org
Happy firewalling.