Hi!

The Netfilter project proudly presents:

        nftables 0.9.8

This release contains fixes, documentation updates and new features
available up to the Linux kernel 5.11-rc1 release.

* Complete support for matching ICMP header content fields.

        ... icmp type { echo-reply, echo-request } icmp id 1 icmp sequence 2
        ... icmpv6 type packet-too-big icmpv6 mtu 1280

* Add raw tcp option match support

        ... tcp option @42,16,4

  where you can specify @kind,offset,length

* Allow to check for the presence of any tcp option

        ... tcp option 42 exists

* Support for reject traffic from the ingress chain:

        table netdev x {
                chain y {
                        type filter hook ingress device eth0 priority 0; policy accept;
                        tcp dport 22 reject with tcp reset
                }
        }

* Optimized bytecode generation for prefix match

        # nft --debug=netlink x y ip saddr 192.168.2.0/24
        ip
          [ payload load 3b @ network header + 12 => reg 1 ]
          [ cmp eq reg 1 0x0002a8c0 ]

  Resulting in two instructions instead of three (bitwise is removed on
  byte-boundaries).

* Support for several statements per set element. The example below
  updates a set from the packet path (dynamic set), and it shows how to
  ratelimit first then count packets that go through per set element.

        table ip x {
                set y {
                        type ipv4_addr
                        size 65535
                        flags dynamic,timeout
                        timeout 1h
                }

                chain z {
                        type filter hook output priority filter; policy accept;
                        update @y { ip daddr limit rate 1/second counter }
                }
        }

  You can also use the multi-statement support for (non-dynamic) sets.

        table ip x {
                set y {
                        type ipv4_addr
                        limit rate 1/second counter
                        elements = { 1.1.1.1, 4.4.4.4, 5.5.5.5 }
                }

                chain y {
                        type filter hook output priority filter; policy accept;
                        ip daddr @y
                }
        }

  In this case, you can add new elements from the control plane:

        # nft add element x y { 6.6.6.6 }

  and the new elements run the specified rate limit and counter
  statements. This requires a Linux kernel >= 5.11-rc1.
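Worked derivation of the prefix-match bytecode shown above, as an added example that is not nftables code: given an IPv4 address/prefix it produces the two-instruction form for byte-aligned prefixes and the older three-instruction form (full load, bitwise mask, compare) for other prefixes. The three-instruction layout, the `0x00000000` xor constant in the bitwise step and the little-endian register formatting are assumptions about how `nft --debug=netlink` prints on a little-endian host; the page only shows the /24 case.

```python
"""Reproduce nft's byte-boundary prefix-match optimisation (added example)."""
import ipaddress
import struct

# Offsets of the address fields inside the IPv4 header.
IPV4_FIELD_OFFSET = {"saddr": 12, "daddr": 16}


def reg_word(raw: bytes) -> str:
    """Format up to 4 payload bytes the way nft prints a 32-bit register.

    Assumption: little-endian host, so bytes c0 a8 02 become 0x0002a8c0.
    """
    padded = raw.ljust(4, b"\x00")
    return "0x%08x" % struct.unpack("<I", padded)[0]


def prefix_match_bytecode(prefix: str, field: str = "saddr") -> list:
    """Return the netlink instructions nft emits for 'ip <field> <prefix>'."""
    net = ipaddress.IPv4Network(prefix, strict=False)
    offset = IPV4_FIELD_OFFSET[field]
    plen = net.prefixlen
    if plen == 0:
        # /0 matches every address; nothing needs to be loaded or compared.
        return []
    if plen % 8 == 0:
        # Byte-aligned prefix: load only the covered bytes, no mask needed.
        nbytes = plen // 8
        value = net.network_address.packed[:nbytes]
        return [
            f"[ payload load {nbytes}b @ network header + {offset} => reg 1 ]",
            f"[ cmp eq reg 1 {reg_word(value)} ]",
        ]
    # Not byte-aligned (assumed pre-optimisation form): load the whole
    # field, mask off the host bits, then compare against the network part.
    mask = net.netmask.packed
    value = net.network_address.packed
    return [
        f"[ payload load 4b @ network header + {offset} => reg 1 ]",
        f"[ bitwise reg 1 = ( reg 1 & {reg_word(mask)} ) ^ 0x00000000 ]",
        f"[ cmp eq reg 1 {reg_word(value)} ]",
    ]


if __name__ == "__main__":
    for rule in ("192.168.2.0/24", "192.168.2.0/20", "10.0.0.0/8"):
        print(f"ip saddr {rule}")
        for insn in prefix_match_bytecode(rule):
            print("  " + insn)
```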
* editline support for nft -i (CLI), you can enable it at compile time:

        ./configure --with-cli=editline

You can download this new release from:

* https://www.netfilter.org/projects/nftables/downloads.html#nftables-0.9.8

To build the code, libnftnl >= 1.1.9 and libmnl >= 1.0.4 are required:

* https://netfilter.org/projects/libnftnl/index.html
* https://netfilter.org/projects/libmnl/index.html

Visit our wiki page for user documentation at:

* https://wiki.nftables.org

For the manpage reference, check man(8) nft.

In case of bugs and feature requests, file them via:

* https://bugzilla.netfilter.org

Happy firewalling.

Florian Westphal (23):
      tests: json: add missing test case output
      tests: avoid warning and add missing json test cases
      json: add missing nat_type flag and netmap nat flag
      json: fix ip6 dnat test case after range to prefix transformation change
      parser: merge sack-perm/sack-permitted and maxseg/mss
      tcpopts: clean up parser -> tcpopt.c plumbing
      tcpopt: rename noop to nop
      tcpopt: split tcpopt_hdr_fields into per-option enum
      tcpopt: allow to check for presence of any tcp option
      tcp: add raw tcp option match support
      json: tcp: add raw tcp option match support
      exthdr: remove unused proto_key member from struct
      proto: reduce size of proto_desc structure
      src: add auto-dependencies for ipv4 icmp
      tests: fix exepcted payload of icmp expressions
      src: add auto-dependencies for ipv6 icmp6
      tests: fix exepcted payload of icmpv6 expressions
      payload: auto-remove simple icmp/icmpv6 dependency expressions
      tests: icmp, icmpv6: avoid remaining warnings
      tests: ip: add one test case to cover both id and sequence
      tests: icmp, icmpv6: check we don't add second dependency
      nft: trace: print packet unconditionally
      json: don't leave dangling pointers on hlist

Jeremy Sowden (3):
      doc: correct chain name in example of adding a rule
      tests: py: remove duplicate payloads.
      tests: py: update format of registers in bitwise payloads.

Jose M. Guisado Gomez (5):
      evaluate: add netdev support for reject default
      tests: py: add netdev folder and reject.t icmp cases
      src: enable json echo output when reading native syntax
      monitor: add assignment check for json_echo
      monitor: fix formatting of if statements

Pablo Neira Ayuso (19):
      tests: shell: exercise validation with nft -c
      parser_bison: allow to restore limit from dynamic set
      mnl: reply netlink error message might be larger than MNL_SOCKET_BUFFER_SIZE
      src: report EPERM for non-root users
      parser_bison: double close_scope() call for implicit chains
      tests: shell: timeouts later than 23 days
      build: search for python3
      src: add support for multi-statement in dynamic sets and maps
      src: add set element multi-statement support
      src: disallow burst 0 in ratelimits
      tests: shell: set element multi-statement support
      src: set on flags to request multi-statement support
      cli: add libedit support
      cli: use plain readline() interface with libedit
      main: fix typo in cli definition
      include: resync nf_tables.h cache copy
      segtree: honor set element expiration
      evaluate: disallow ct original {s,d}ddr from maps
      build: Bump version to v0.9.8

Phil Sutter (8):
      tests/shell: Improve fix in sets/0036add_set_element_expiration_0
      src: Support odd-sized payload matches
      src: Optimize prefix matches on byte-boundaries
      proto: Fix ARP header field ordering
      json: echo: Speedup seqnum_to_json()
      json: Fix seqnum_to_json() functionality
      doc: Document 'dccp type' match
      tests: py: Fix for changed concatenated ranges output