Hi!
The Netfilter project proudly presents:
nftables 1.0.9
This release contains enhancements and fixes such as:
- Speed up chain listing:
# time nft list chain inet raw input
table inet raw {
chain input {
type filter hook input priority filter; policy accept;
ip6 saddr @bogons6 counter drop
}
}
before:
real 0m2,913s
user 0m1,345s
sys 0m1,568s
after:
real 0m0,056s
user 0m0,018s
sys 0m0,039s
- Allow custom conntrack timeouts to use time specification (not only
seconds), e.g.
table inet x {
ct timeout customtimeout {
protocol tcp
l3proto ip
policy = { established: 2m, close: 20s }
}
chain y {
type filter hook prerouting priority filter; policy accept;
tcp dport 8888 ct timeout set "customtimeout"
}
}
- Allow to combine dnat with numgen, eg.
... dnat to numgen inc mod 8 offset 0xc0a864c8
where offset 0xc0a864c8 represents 192.168.100.200, to fan out packets
using stateful DNAT from 192.168.100.200 to 192.168.100.207.
- Allow for using constants as key in dynamic sets.
table inet x {
chain y {
type filter hook input priority 0; policy drop;
udp dport 45378 add @dynmark { 10.2.3.4 timeout 3s : 0x00000002
}
}
}
- Fix get element command with concatenated set:
table ip filter {
set test {
type ipv4_addr . ether_addr . mark
flags interval
elements = { 198.51.100.0/25 .
00:0b:0c:ca:cc:10-c1:a0:c1:cc:10:00 . 0x0000006f, }
}
}
then allow to check if element is present with:
# nft get element ip filter test { 198.51.100.1 . 00:0b:0c:ca:cc:10 . 0x6f }
- Support for matching on the target address of a IPv6 neighbour
solicitation/advertisement.
... icmpv6 type nd-neighbor-solicit icmpv6 taddr 2001:db8::133 counter
- Provide a pyproject.toml config file and legacy setup.py script
to install Python support. Using pip:
python -m pip install py/
or, alternatively, legacy setup.py script:
cd py && python setup.py install
- Fix incorrect bytecode to set meta and ct mark using smaller size
selector results in incorrect bytecode, e.g. set meta mark to
ip dscp header field.
... meta mark set ip dscp
Support for this is available since 1.0.8, but bytecode generation
was not correct.
- Empty internal cache in -o/--optimize (which implicitly pulls in
-c/--check mode) otherwise stale objects remain in place, triggering BUG:
BUG: invalid input descriptor type 151665524
nft: erec.c:161: erec_print: Assertion `0' failed.
Aborted
- Fix memleak in prefix evaluation with wildcard interface name
The following ruleset:
table ip x {
chain y {
meta iifname { abcde*, xyz }
}
}
- Restore interval maps, broken since 1.0.7. e.g.
table inet filter {
counter TEST {
packets 0 bytes 0
}
map testmap {
type ipv4_addr : counter
flags interval
elements = { 192.168.0.0/24 : "TEST" }
}
}
- Restore bitwise operations in combination with maps, eg. jump to
chain depending on bitwise operation on packet mark.
table ip x {
map sctm_o0 {
type mark : verdict
elements = { 0x00000000 : jump sctm_o0_0, 0x00000001 : jump
sctm_o0_1 }
}
chain sctm_o0_0 {
counter
}
chain sctm_o0_1 {
counter
}
chain SET_ctmark_RPLYroute {
meta mark >> 8 & 0xf vmap @sctm_o0
}
}
- Display default burst of 5 packets in limit statement, this was not
printed for historical reasons, now this is shown in the listing, e.g.
... limit rate 400/minute burst 5 packets accept
- Restore use of conntrack label in concatenations, eg.
... ct label . ct mark { 0x1 . 0x1 }
- Do not merge expressions across non-expression statements, e.g.
.... ether saddr 00:11:22:33:44:55 counter ether type 8021q
is not merged because the counter statement falls in between these
two candidate expressions that could be coalesced in one single
expression to match at ethernet source address offset and the
ether type field coming next.
- Fix crash with log prefix longer that 127 bytes.
- Fixes for JSON support.
- ... and many unsorted fixes found via proactive code inspection.
... as well as asorted fixes and manpage documentation updates.
See changelog for more details (attached to this email).
You can download this new release from:
https://www.netfilter.org/projects/nftables/downloads.html
https://www.netfilter.org/pub/nftables/
[ NOTE: We have switched to .tar.xz files for releases. ]
To build the code, libnftnl >= 1.2.6 and libmnl >= 1.0.4 are required:
* https://netfilter.org/projects/libnftnl/index.html
* https://netfilter.org/projects/libmnl/index.html
Visit our wikipage for user documentation at:
* https://wiki.nftables.org
For the manpage reference, check man(8) nft.
In case of bugs and feature requests, file them via:
* https://bugzilla.netfilter.org
Happy firewalling.
-------------- next part --------------
Arturo Borrero Gonzalez (1):
tests/build/run-tests.sh: fix issues reported by shellcheck
Brennan Paciorek (1):
doc: document add chain device parameter
Florian Westphal (48):
exthdr: prefer raw_type instead of desc->type
tests: shell: auto-run kmemleak if its available
netlink: delinearize: copy set keytype if needed
rule: allow src/dstnat prios in input and output
ct expectation: fix 'list object x' vs. 'list objects in
table' confusion
tests: fix inet nat prio tests
tests: add dynmap datapath add/delete test case
parser: allow ct timeouts to use time_spec values
parser: deduplicate map with data interval
tests: shell: add test case for double-deactivation
tests: add test with concatenation, vmap and timeout
tests: add transaction stress test with parallel delete/add/flush and
netns deletion
tests: add one more chain jump in vmap test
tests: add table validation check
tests: update bad_expression test case
tests: 30s-stress: add failslab and abort phase tests
parser: permit gc-interval in map declarations
tests/shell: expand vmap test case to also cause batch abort
evaluate: fix get element for concatenated set
tests: shell: 0043concatenated_ranges_0: re-enable all tests
tests/shell: make delete_by_handle test work on older releases
tests/shell: typeof_integer/raw: prefer @nh for payload matching
tests: shell: fix dump validation message
tests: shell: add sample ruleset reproducer
tests/shell: add and use chain binding feature probe
tests/shell: skip netdev_chain_0 if kernel requires netdev device
tests/shell: skip map query if kernel lacks support
tests/shell: skip inner matching tests if unsupported
tests/shell: skip bitshift tests if kernel lacks support
tests/shell: skip some tests if kernel lacks netdev egress support
tests/shell: skip inet ingress tests if kernel lacks support
tests/shell: skip destroy tests if kernel lacks support
tests/shell: skip catchall tests if kernel lacks support
tests/shell: skip test cases involving osf match if kernel lacks support
tests/shell: skip test cases if ct expectation and/or timeout lacks
support
tests/shell: skip reset tests if kernel lacks support
tests: shell: skip adding catchall elements if unuspported
tests: shell: add feature probe for sets with more than one element
tests: shell: add feature probe for sctp chunk matching
tests: shell: skip flowtable-uaf if we lack table owner support
rule: never merge across non-expression statements
tests: never merge across non-expression statements redux
libnftables: refuse to open onput files other than named pipes or regular
files
scanner: restrict include directive to regular files
tests: never merge across non-expression statements redux 2
tests: add test for dormant on/off/on bug
tests: shell: add vlan match test case
evaluate: suggest != in negation error message
Jeremy Sowden (5):
py: move package source into src directory
py: use setup.cfg to configure setuptools
py: add pyproject.toml to support PEP-517-compatible build-systems
doc: move man-pages to `dist_man_MANS`
doc: move man-pages to `MAINTAINERCLEANFILES`
Jorge Ortiz (1):
evaluate: place byteorder conversion after numgen for IP address datatypes
Nicolas Cavallari (1):
icmpv6: Allow matching target address in NS/NA, redirect and MLD
Pablo Neira Ayuso (33):
meta: stash context statement length when generating payload/meta
dependency
update INSTALL file
tests: shell: extend implicit chain map with flush command
py: remove setup.py integration with autotools
libnftables: Drop cache in -c/--check mode
INSTALL: provide examples to install python bindings
cache: chain listing implicitly sets on terse option
evaluate: error out on meter overlap with an existing set/map declaration
tests: shell: use minutes granularity in
sets/0036add_set_element_expiration_0
evaluate: do not remove anonymous set with protocol flags and single
element
proto: use hexadecimal to display ip frag-off field
tests: py: extend ip frag-off coverage
tests: py: debloat frag.t.payload.netdev
src: use internal_location for unspecified location at allocation time
src: remove check for NULL before calling expr_free()
src: simplify chain_alloc()
rule: set internal_location for table and chain
evaluate: revisit anonymous set with single element optimization
doc: describe behaviour of {ip,ip6} length
evaluate: fix memleak in prefix evaluation with wildcard interface name
evaluate: expand sets and maps before evaluation
evaluate: perform mark datatype compatibility check from maps
limit: display default burst when listing ruleset
datatype: initialize TYPE_CT_LABEL slot in datatype array
datatype: initialize TYPE_CT_EVENTBIT slot in datatype array
tests: py: add map support
json: expose dynamic flag
netlink_linearize: skip set element expression in map statement key
tests: shell: fix spurious errors in sets/0036add_set_element_expiration_0
json: add missing map statement stub
doc: remove references to timeout in reset command
evaluate: validate maximum log statement prefix length
build: Bump version to 1.0.9
Phil Sutter (21):
tests: monitor: Summarize failures per test case
tests: shell: Review test-cases for destroy command
tests: shell: Stabilize sets/reset_command_0 test
tests: shell: Stabilize sets/0043concatenated_ranges_0 test
evaluate: Drop dead code from expr_evaluate_mapping()
tests: monitor: Fix monitor JSON output for insert command
tests: monitor: Fix time format in ct timeout test
tests: monitor: Fix for wrong syntax in set-interval.t
tests: monitor: Fix for wrong ordering in expected JSON output
parser_json: Catch wrong "reset" payload
parser_json: Fix typo in json_parse_cmd_add_object()
parser_json: Proper ct expectation attribute parsing
parser_json: Fix flowtable prio value parsing
parser_json: Fix limit object burst value parsing
parser_json: Fix synproxy object mss/wscale parsing
parser_json: Wrong check in json_parse_ct_timeout_policy()
parser_json: Catch nonsense ops in match statement
parser_json: Default meter size to zero
tests: shell: features: Fix table owner flag check
tests: shell: Fix for failing nft-f/sample-ruleset
tests: shell: sets/reset_command_0: Fix drop_seconds()
Thomas Haller (121):
py: return boolean value from Nftables.__[gs]et_output_flag()
json: use strtok_r() instead of strtok()
nftutils: add and use wrappers for getprotoby{name,number}_r(),
getservbyport_r()
meta: don't assume time_t is 64 bit in date_type_print()
meta: use reentrant localtime_r()/gmtime_r() functions
gitignore: ignore cscope files
src: add input flags for nft_ctx
src: add input flag NFT_CTX_INPUT_NO_DNS to avoid blocking
src: add input flag NFT_CTX_INPUT_JSON to enable JSON parsing
py: fix exception during cleanup of half-initialized Nftables
py: extract flags helper functions for set_debug()/get_debug()
py: add Nftables.{get,set}_input_flags() API
meta: define _GNU_SOURCE to get strptime() from <time.h>
src: add <nft.h> header and include it as first
include: don't define _GNU_SOURCE in public header
configure: use AC_USE_SYSTEM_EXTENSIONS to get _GNU_SOURCE
include: include <std{bool,int}.h> via <nft.h>
configure: drop AM_PROG_CC_C_O autoconf check
netlink: avoid "-Wenum-conversion" warning in
dtype_map_from_kernel()
netlink: avoid "-Wenum-conversion" warning in parser_bison.y
datatype: avoid cast-align warning with struct sockaddr result from
getaddrinfo()
evaluate: fix check for truncation in stmt_evaluate_log_prefix()
src: rework SNPRINTF_BUFFER_SIZE() and handle truncation
evaluate: don't needlessly clear full string buffer in
stmt_evaluate_log_prefix()
src: suppress "-Wunused-but-set-variable" warning with
"parser_bison.c"
include: drop "format" attribute from nft_gmp_print()
rule: fix "const static" declaration
utils: call abort() after BUG() macro
src: silence "implicit-fallthrough" warnings
xt: avoid "-Wmissing-field-initializers" for
"original_opts"
tests/shell: rework command line parsing in "run-tests.sh"
tests/shell: rework finding tests and add "--list-tests" option
tests/shell: check test names before start and support directories
tests/shell: export NFT_TEST_BASEDIR and NFT_TEST_TMPDIR for tests
tests/shell: normalize boolean configuration in environment variables
tests/shell: print test configuration
tests/shell: run each test in separate namespace and allow rootless
tests/shell: interpret an exit code of 77 from scripts as
"skipped"
tests/shell: support --keep-logs option (NFT_TEST_KEEP_LOGS=y) to preserve
test output
tests/shell: move the dump diff handling inside
"test-wrapper.sh"
tests/shell: rework printing of test results
tests/shell: move taint check to "test-wrapper.sh"
tests/shell: move valgrind wrapper script to separate script
tests/shell: support running tests in parallel
tests/shell: bind mount private /var/run/netns in test container
tests/shell: skip test in rootless that hit socket buffer size limit
tests/shell: record the test duration (wall time) in the result data
tests/shell: fix "0003includepath_0" for different TMPDIR
tests/shell: set TMPDIR for tests in "test-wrapper.sh"
tests/shell: return 77/skip for tests that fail to create dummy device
tests/shell: cleanup result handling in "test-wrapper.sh"
tests/shell: cleanup print_test_result() and show TAINTED error code
tests/shell: colorize terminal output with test result
tests/shell: fix handling failures with VALGRIND=y
tests/shell: print the NFT setting with the VALGRIND=y wrapper
tests/shell: don't redirect error/warning messages to stderr
tests/shell: redirect output of test script to file too
tests/shell: print "kernel is tainted" separate from test result
tests/shell: no longer enable verbose output when selecting a test
tests/shell: record wall time of test run in result data
tests/shell: set NFT_TEST_JOBS based on $(nproc)
cache: avoid accessing uninitialized varible in implicit_chain_cache()
datatype: rename "dtype_clone()" to datatype_clone()
tests/shell: honor .nodump file for tests without nft dumps
tests/shell: generate and add ".nft" dump files for existing
tests
tests/shell: add missing ".nodump" file for tests without dumps
tests/shell: add ".nft" dump files for tests without dumps/
directory
tests/shell: set valgrind's "--vgdb-prefix=" to orignal
TMPDIR
tests/shell: print number of completed tests to show progress
tests/shell: skip tests if nft does not support JSON mode
tests/shell: add "--quick" option to skip slow tests (via
NFT_TEST_SKIP_slow=y)
parser_bison: include <nft.h> for base C environment to
"parser_bison.y"
include: include <stdlib.h> in <nft.h>
tests/shell: kill running child processes when aborting
"run-tests.sh"
tests/shell: ensure vgdb-pipe files are deleted from
"nft-valgrind-wrapper.sh"
datatype: fix leak and cleanup reference counting for struct datatype
tests/shell: export NFT_TEST_RANDOM_SEED variable for tests
tests/shell: add "random-source.sh" helper for random-source for
sort/shuf
tests/shell: add option to shuffle execution order of tests
tests/shell: remove spurious .nft dump files
tests/shell: drop unstable dump for "transactions/0051map_0"
test
tests/shell: add missing nft/nodump files for tests
tests/shell: special handle base path starting with "./"
tests/shell: in find_tests() use C locale for sorting tests names
tools: add "tools/check-tree.sh" script to check consistency of
nft dumps
tests/shell: exit 77 from "run-tests.sh" if all tests were
skipped
tests/shell: accept $NFT_TEST_TMPDIR_TAG for the result directory
tests/shell: honor CLICOLOR_FORCE to force coloring in run-tests.sh
tests/build: capture more output from "tests/build/run-tests.sh"
script
tests/shell: add feature probing via "features/*.nft" files
tests/shell: colorize NFT_TEST_SKIP_/NFT_TEST_HAVE_ in test output
tests/shell: suggest 4Mb /proc/sys/net/core/{wmem_max,rmem_max} for
rootless
tests/shell: cleanup creating dummy interfaces in tests
tests/shell: implement NFT_TEST_HAVE_json feature detection as script
tests/shell: check diff in "maps/typeof_maps_0" and
"sets/typeof_sets_0" test
tests/shell: fix preserving ruleset diff after test
tests/shell: set C locale in "run-tests.sh"
tests/shell: don't show the exit status for failed tests
tests/shell: colorize NFT_TEST_HAS_SOCKET_LIMITS
tests/shell: simplify collecting error result in
"test-wrapper.sh"
netlink: fix leaking typeof_expr_data/typeof_expr_key in
netlink_delinearize_set()
libnftables: drop gmp_init() and mp_set_memory_functions()
libnftables: move init-once guard inside xt_init()
tests/shell: run `nft --check` on persisted dump files
src: fix indentation/whitespace
proto: add missing proto_definitions for PROTO_DESC_GENEVE
include: fix missing definitions in <cache.h>/<headers.h>
netlink: handle invalid etype in set_make_key()
datatype: use "enum byteorder" instead of int in
set_datatype_alloc()
payload: use enum icmp_hdr_field_type in
payload_may_dependency_kill_icmp()
datatype: return const pointer from datatype_get()
tests/shell: honor NFT_TEST_FAIL_ON_SKIP variable to fail on any skipped
tests
expression: cleanup expr_ops_by_type() and handle u32 input
mergesort: avoid cloning value in expr_msort_cmp()
include: include <string.h> in <nft.h>
datatype: use xmalloc() for allocating datatype in datatype_clone()
tests/shell: mount all of "/var/run" in
"test-wrapper.sh"
tests/shell: preserve result directory with NFT_TEST_FAIL_ON_SKIP
tests/shell: add "-S|--setup-host" option to set sysctl for
rootless tests
tests/shell: add missing "vlan_8021ad_tag.nodump" file
tests/shell: use bash instead of /bin/sh for tests