* [ANNOUNCE] nftables 1.0.1 release
@ 2021-11-18 13:32 Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2021-11-18 13:32 UTC (permalink / raw)
To: netfilter, netfilter-devel; +Cc: netdev, netfilter-announce, lwn
Hi!
The Netfilter project proudly presents:
nftables 1.0.1
This release contains new features available up to the Linux kernel
5.16-rc1 release:
* Reduce memory footprint when loading large sets/maps.
* Speed up reload of large sets/maps.
* Speed up listing of specific tables in a large ruleset, e.g. a large
  ruleset with ~100k lines.

  # nft list ruleset &> /dev/null
  real 0m3,049s
  user 0m2,080s
  sys  0m0,968s

  - Listing per table is now faster:

  # nft list table nat &> /dev/null
  real 0m1,969s
  user 0m1,412s
  sys  0m0,556s

  # nft list table filter &> /dev/null
  real 0m0,697s
  user 0m0,478s
  sys  0m0,220s

  Same speed up applies to listing specific chains/sets/maps.
* Speed up --terse option when listing a ruleset with large sets/maps.
* Print raw payload expression in hexadecimal, e.g. @ll,0,8 & 0x80 == 0x80
* egress hook support (available since 5.16-rc1).
  table netdev filter {
          chain egress {
                  type filter hook egress devices = { eth0, eth1 } priority 0;
                  meta priority set ip saddr map { 192.168.10.2 : abcd:2, 192.168.10.3 : abcd:3 }
          }
  }
* Allow matching and updating bytes at inner header/payload offset
  (available since 5.16-rc1).

  # nft add rule x y @ih,32,32 0x14000000 counter
  # nft add rule x y @ih,32,32 set 0x14000000 counter
... and fixes:
- Fix split declaration of set across different files using the
  nested notation.
- Fix crash in python support with two instances of nftables handler.
- Fix incorrect range to prefix conversion.
- Fix -T/--numeric-time.
- Incorrect meta protocol dependency removal in bridge, netdev and
inet families.
- Unbreak support for older kernels (tested with Linux kernel 4.9.x)
- Optimize prefix match only for matching on big-endian.
- Restore use of variables with queue statement, e.g. queue num $myq bypass
- Honor insert command and rule position handle in monitor mode.
- Bogus error in dynamic NAT map, e.g.

  # nft add rule nat x y meta l4proto { tcp, udp } dnat ip to ip daddr . th dport map @fwdtoip_th

- Disallow setuid on the nft executable.
- Fix combination of map, concatenation with intervals and stateful
  expressions, e.g.

  table ip filter {
          map forwport {
                  type ipv4_addr . inet_proto . inet_service : verdict
                  flags interval
                  counter
                  elements = { 10.133.89.138 . tcp . 8081 counter packets 0 bytes 0 : accept }
          }

          chain FORWARD {
                  type filter hook forward priority filter; policy drop;
                  iifname "enp0s8" ip daddr . ip protocol . th dport vmap @forwport counter
          }
  }

- Fix incorrect vlan offset when matching and updating tag, e.g.

  # nft add rule bridge filter forward vlan id 100 vlan id set 200

- Fix use of constant in dynamic set, e.g.

  table inet t {
          set s {
                  type ipv4_addr . inet_service
                  size 65536
                  flags dynamic,timeout
                  elements = { 192.168.7.1 . 22 }
          }

          chain c {
                  type filter hook input priority 0;
                  tcp dport 21 add @s { ip saddr . 22 timeout 1m }
          }
  }
... and incremental documentation updates.
The autotools build system now defaults to libedit/editline for the
nft --interactive shell.
You can download this new release from:
https://www.netfilter.org/projects/nftables/downloads.html
https://www.netfilter.org/pub/nftables/
To build the code, libnftnl >= 1.2.1 and libmnl >= 1.0.4 are required:
* https://netfilter.org/projects/libnftnl/index.html
* https://netfilter.org/projects/libmnl/index.html
Visit our wikipage for user documentation at:
* https://wiki.nftables.org
For the manpage reference, check man(8) nft.
In case of bugs and feature requests, file them via:
* https://bugzilla.netfilter.org
Happy firewalling.
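The raw payload expressions mentioned above (@ll,0,8 & 0x80 == 0x80, and the new @ih,32,32 match and set) take their offset and length in bits, while the kernel loads whole bytes. The following is an added example, not part of the announcement and not nftables code: a small Python model of how such an expression is lowered to a byte-aligned load plus a mask and shift, evaluated against a constructed Ethernet/IPv4/UDP packet. The lowering is an assumption about the behaviour (a model), not a copy of nft's implementation; the packet bytes, base names as dictionary keys, and all function names are constructed for the example.

```python
"""Model of how an nft raw payload expression @base,offset,length picks bits.

Added example, not code from nftables. nft(8) takes the offset and length of a
raw payload expression in bits; the kernel loads whole bytes, so a field that
is not byte-aligned is lowered to a byte load plus a mask and shift. The
lowering below is a model of that behaviour (an assumption, not nft's code);
the packet bytes are constructed, not captured.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Header bases as named in nft raw payload syntax: ll = link layer, nh = network
# header, th = transport header, ih = inner header / payload data after the
# transport header (the base that became matchable in 1.0.1).
Packet = Dict[str, bytes]


@dataclass(frozen=True)
class Lowered:
    base: str
    byte_offset: int
    byte_len: int
    mask: int    # selects the wanted bits within the loaded bytes
    shift: int   # right shift that brings the field down to bit 0


def lower(base: str, bit_offset: int, bit_len: int) -> Lowered:
    """Lower @base,bit_offset,bit_len to a byte-aligned load, mask and shift."""
    if bit_offset < 0 or bit_len <= 0:
        raise ValueError("offset must be >= 0 and length > 0")
    byte_offset, bit_in_byte = divmod(bit_offset, 8)
    byte_len = (bit_in_byte + bit_len + 7) // 8
    shift = byte_len * 8 - bit_in_byte - bit_len
    mask = ((1 << bit_len) - 1) << shift
    return Lowered(base, byte_offset, byte_len, mask, shift)


def load(pkt: Packet, lw: Lowered) -> int:
    """Read the field; a packet shorter than the load raises (no match)."""
    hdr = pkt[lw.base]
    end = lw.byte_offset + lw.byte_len
    if end > len(hdr):
        raise ValueError("packet too short for payload load")
    raw = int.from_bytes(hdr[lw.byte_offset:end], "big")
    return (raw & lw.mask) >> lw.shift


def matches(pkt: Packet, base: str, bit_offset: int, bit_len: int,
            value: int, mask: Optional[int] = None) -> bool:
    """Evaluate '@base,off,len [& mask] == value'; a short packet never matches."""
    try:
        field = load(pkt, lower(base, bit_offset, bit_len))
    except (ValueError, KeyError):
        return False
    if mask is not None:
        field &= mask
    return field == value


def store(pkt: Packet, base: str, bit_offset: int, bit_len: int, value: int) -> Packet:
    """Model '@base,off,len set value': rewrite only the selected bits."""
    lw = lower(base, bit_offset, bit_len)
    if value < 0 or value >> bit_len:
        raise ValueError("value does not fit in the field")
    hdr = bytearray(pkt[base])
    end = lw.byte_offset + lw.byte_len
    if end > len(hdr):
        raise ValueError("packet too short for payload store")
    raw = int.from_bytes(hdr[lw.byte_offset:end], "big")
    raw = (raw & ~lw.mask) | (value << lw.shift)
    hdr[lw.byte_offset:end] = raw.to_bytes(lw.byte_len, "big")
    return {**pkt, base: bytes(hdr)}


# Constructed sample packet: Ethernet / IPv4 / UDP / 8 bytes of payload.
ETH = bytes.fromhex("ffffffffffff" "0242ac110002" "0800")        # dst, src, ethertype
IPV4 = bytes.fromhex("45000024" "00004000" "4011" "0000"
                     "c0a80a02" "c0a80a03")                      # v4, IHL 5, TTL 64, UDP
UDP = bytes.fromhex("c000" "0035" "0010" "0000")                 # sport 49152, dport 53
PAYLOAD = bytes.fromhex("00000000" "14000000")                   # bytes 4..7 = 0x14000000
PKT: Packet = {"ll": ETH, "nh": IPV4, "th": UDP, "ih": PAYLOAD}

if __name__ == "__main__":
    print(lower("ih", 32, 32))                        # byte 4, 4 bytes, full mask
    print(matches(PKT, "ih", 32, 32, 0x14000000))     # the 1.0.1 example rule
    print(matches(PKT, "ll", 0, 8, 0x80, mask=0x80))  # @ll,0,8 & 0x80 == 0x80
    print(store(PKT, "ih", 32, 32, 0xDEADBEEF)["ih"].hex())
```

The short-packet branch is the one to keep in mind when writing raw payload rules: a load past the end of the header or payload simply does not match, so a rule meant to drop traffic by payload bytes will not see packets that are too short to carry those bytes.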
changes-nftables-1.0.1.txt:
Chris Arges (1):
cache: ensure evaluate_cache_list flags are set correctly
Duncan Roe (1):
doc: libnflog handles `log group`, not libnfq
Florian Westphal (7):
parser: permit symbolic define for 'queue num' again
payload: don't adjust offsets of autogenerated dependency expressions
netlink: dynset: set compound expr dtype based on set key definition
tests: shell: auto-removal of chain hook on netns removal
main: _exit() if setuid
doc: update ct timeout section with the state names
monitor: do not call interval_map_decompose() for concat intervals
Jeremy Sowden (6):
rule: remove fake stateless output of named counters
rule: fix stateless output after listing sets containing counters
rule: replace three conditionals with one
parser: add new `limit_bytes` rule
parser: add `limit_rate_pkts` and `limit_rate_bytes` rules
parser: extend limit syntax
Lukas Wunner (2):
tests: py: Move netdev-specific tests to appropriate subdirectory
src: Support netdev egress hook
Pablo Neira Ayuso (54):
src: queue: consolidate queue statement syntax
tests: shell: add nft-f/0022variables_0 dump file
cache: skip set element netlink dump for add/delete element command
cache: provide a empty list for flowtables and objects when request fails
netlink_delinearize: incorrect meta protocol dependency kill
netlink_delinearize: incorrect meta protocol dependency kill again
rule: remove redundant meta protocol from the evaluation step
datatype: time_print() ignores -T
include: add NFT_CTX_OUTPUT_NUMERIC_TIME to NFT_CTX_OUTPUT_NUMERIC_ALL
doc: Missing NFT_CTX_OUTPUT_NUMERIC_SYMBOL in libnftables documentation
doc: refer to ulogd manpage
meta: skip -T for hour and date format
netlink: rework range_expr_to_prefix()
doc: nfnetlink_log allows one single process through unicast
src: revert hashtable for expression handlers
tests: py: update ct expiration
doc: fix synopsis of named counter, quota and ct {helper,timeout,expect}
netlink: reset temporary set element stmt list after list splice
monitor: display rule position handle
monitor: honor NLM_F_APPEND flag for rules
tests: monitor: update insert and replace commands
monitor: honor NLM_F_EXCL netlink flag
evaluate: check for concatenation in set data datatype
evaluate: check for missing transport protocol match in nat map with concatenations
cache: set on cache flags for nested notation
cache: finer grain cache population for list commands
cache: filter out tables that are not requested
cache: filter out sets and maps that are not requested
cache: unset NFT_CACHE_SETELEM with --terse listing
configure: default to libedit for cli
cache: always set on NFT_CACHE_REFRESH for listing
cache: honor filter in set listing commands
cache: honor table in set filtering
cache: disable NFT_CACHE_SETELEM_BIT on --terse listing only
tests: shell: add testcase for --terse
evaluate: postpone transport protocol match check after nat expression evaluation
datatype: add xinteger_type alias to print in hexadecimal
src: raw payload match and mangle on inner header / payload data
tests: py: remove verdict from closing end interval
mnl: do not build nftnl_set element list
evaluate: clone variable expression if there is more than one reference
evaluate: grab reference in set expression evaluation
tests: py: update rawpayload.t.json
cache: move list filter under struct
cache: do not populate cache if it is going to be flushed
cache: missing family in cache filtering
cache: filter out rules by chain
tests: py: missing ip/dnat.t json updates
tests: py: missing ip/snat.t json updates
tests: py: missing json output update in ip6/meta.t
tests: py: remove netdev coverage in ip/ip_tcp.t
parser: allow for string raw payload base
parser_json: add raw payload inner header match support
build: Bump version to 1.0.1
Phil Sutter (5):
tests: json_echo: Print errors to stderr
tests: monitor: Print errors to stderr
tests: monitor: Continue on error
parser_json: Fix error reporting for invalid syntax
tests: shell: Fix bogus testsuite failure with 250Hz
Xiao Liang (2):
src: Optimize prefix match only if is big-endian
src: Check range bounds before converting to prefix
Štěpán Němec (7):
doc: libnftables-json: make the example valid libnftables JSON input
tests: cover baecd1cf2685 ("segtree: Fix segfault when restoring a huge interval set")
tests: run-tests.sh: ensure non-zero exit when $failed != 0
tests: shell: README: copy edit
tests: shell: README: $NFT does not have to be a path to a binary
tests: shell: README: clarify test file name convention
tests: shell: $NFT needs to be invoked unquoted
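Two of the fixes listed here, "Fix incorrect range to prefix conversion" in the body and "src: Check range bounds before converting to prefix" in the changelog, concern printing or matching an interval as a CIDR prefix. A firewall range converted to a prefix that is even slightly too wide accepts addresses the administrator never listed. The following is an added example, not part of the announcement and not nftables code: a Python version of the correctness condition (the start must be aligned to the block size and the end must be the last address of that block), next to a naive conversion that derives the prefix length from the highest differing bit alone. The naive function is constructed here purely to show the over-match and is not claimed to be any version of nft's code; function names are the example's own.

```python
"""Range-to-prefix conversion with the bounds check that makes it safe.

Added example, not code from nftables. A range [lo, hi] is exactly one prefix
only when its size is a power of two, lo is aligned to that size and hi is the
last address of the block. The naive function below is constructed to show
what goes wrong without the end check; it is not any version of nft's code.
"""
import ipaddress
from typing import List, Optional


def naive_range_to_prefix(lo: str, hi: str) -> str:
    """Prefix length from the highest bit in which lo and hi differ; no end check."""
    lo_a, hi_a = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
    diff = int(lo_a) ^ int(hi_a)
    return f"{lo_a}/{lo_a.max_prefixlen - diff.bit_length()}"


def range_to_prefix(lo: str, hi: str) -> Optional[str]:
    """Return 'lo/len' if [lo, hi] is exactly one prefix, else None (keep the range)."""
    lo_a, hi_a = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
    if lo_a.version != hi_a.version or int(hi_a) < int(lo_a):
        raise ValueError("malformed range")
    span = int(hi_a) - int(lo_a) + 1
    if span & (span - 1):            # block size must be a power of two
        return None
    if int(lo_a) & (span - 1):       # start must be aligned to the block size
        return None
    host_bits = span.bit_length() - 1
    return f"{lo_a}/{lo_a.max_prefixlen - host_bits}"


def range_to_prefixes(lo: str, hi: str) -> List[str]:
    """Exact decomposition of a range into prefixes, for ranges that are not one prefix."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.ip_address(lo), ipaddress.ip_address(hi))]


def overmatch(lo: str, hi: str) -> int:
    """Addresses the naive prefix would match that are not in [lo, hi]."""
    net = ipaddress.ip_network(naive_range_to_prefix(lo, hi), strict=False)
    in_range = int(ipaddress.ip_address(hi)) - int(ipaddress.ip_address(lo)) + 1
    return net.num_addresses - in_range


if __name__ == "__main__":
    lo, hi = "10.0.0.0", "10.0.0.100"
    print(naive_range_to_prefix(lo, hi), "over-matches by", overmatch(lo, hi))
    print(range_to_prefix(lo, hi))            # None: must stay a range
    print(range_to_prefixes(lo, hi))          # exact cover, four prefixes
    print(range_to_prefix("10.0.0.0", "10.0.0.255"))
```

When the check fails, the element should be kept as a range (or decomposed as range_to_prefixes does); collapsing it to the naive prefix silently widens the match.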