* [ANNOUNCE] nftables 1.0.2 release
@ 2022-02-21 16:09 Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2022-02-21 16:09 UTC (permalink / raw)
To: netfilter, netfilter-devel; +Cc: netdev, netfilter-announce, lwn
Hi!
The Netfilter project proudly presents:
nftables 1.0.2
This release contains new features available up to the Linux kernel
5.17-rc release:
* New ruleset optimization -o/--optimize option. You can combine this
option with the dry run mode (--check) to review the proposed ruleset
updates without actually loading the ruleset, e.g.
# nft -c -o -f ruleset.test
Merging:
ruleset.nft:16:3-37: ip daddr 192.168.0.1 counter accept
ruleset.nft:17:3-37: ip daddr 192.168.0.2 counter accept
ruleset.nft:18:3-37: ip daddr 192.168.0.3 counter accept
into:
ip daddr { 192.168.0.1, 192.168.0.2, 192.168.0.3 } counter packets 0 bytes 0 accept
This option also coalesces rules using concatenation+set, e.g.
meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept
meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.5 accept
into:
meta iifname . ip saddr . ip daddr { eth1 . 1.1.1.1 . 2.2.2.3, eth1 . 1.1.1.2 . 2.2.2.5 } accept
and it uses verdict maps to coalesce rules with same selectors but different
verdicts, e.g.
ip saddr 1.1.1.1 ip daddr 2.2.2.2 accept
ip saddr 2.2.2.2 ip daddr 3.3.3.3 drop
into:
ip saddr . ip daddr vmap { 1.1.1.1 . 2.2.2.2 : accept, 2.2.2.2 . 3.3.3.3 : drop }
- Support for ip and tcp options and sctp chunks in sets, e.g.
set s5 {
typeof ip option ra value
elements = { 1, 1024 }
}
set s7 {
typeof sctp chunk init num-inbound-streams
elements = { 1, 4 }
}
chain c5 {
ip option ra value @s5 accept
}
chain c7 {
sctp chunk init num-inbound-streams @s7 accept
}
- Support for tcp fastopen, md5sig and mptcp options.
- mp-tcp subtype matching support, e.g.
tcp option mptcp subtype 1
- Improved kernel-side filtering via listing options.
- complete JSON support for flowtables.
... this release also includes fixes (highlights):
- fix --terse option with anonymous sets.
- fix crash with `nft describe' on invalid field or datatype.
- Big Endian fixes for ct expiration, meta sk{u,g}uid, meta hour,
ct label, meta {i,o}ifname with wildcard, payload matching with
bitmasks.
- allow for quote strings as device names in flowtable declarations.
- ethernet matching with reject, e.g.
ether saddr aa:bb:cc:dd:ee:ff ip daddr 192.168.0.1 reject
- turn on dynamic flag if rule dynamically updates a set.
... and incremental documentation updates.
This release also includes libnftables C example code now available
under the examples/ folder.
You can download this new release from:
https://www.netfilter.org/projects/nftables/downloads.html
https://www.netfilter.org/pub/nftables/
To build the code, libnftnl >= 1.2.1 and libmnl >= 1.0.4 are required:
* https://netfilter.org/projects/libnftnl/index.html
* https://netfilter.org/projects/libmnl/index.html
Visit our wikipage for user documentation at:
* https://wiki.nftables.org
For the manpage reference, check man(8) nft.
In case of bugs and feature requests, file them via:
* https://bugzilla.netfilter.org
Happy firewalling.
[-- Attachment #2: changes-nftables-1.0.2.txt --]
Eugene Crosser (1):
netlink: Use abort() in case of netlink_abi_error
Florian Westphal (24):
exthdr: fix type number saved in udata
netlink_delinearize: use correct member type
netlink_delinearize: rename misleading variable
netlink_delinearize: binop: make accesses to expr->left/right conditional
tcpopt: remove KIND keyword
scanner: add tcp flex scope
parser: split tcp option rules
tcpopt: add md5sig, fastopen and mptcp options
tests: py: add test cases for md5sig, fastopen and mptcp mnemonics
mptcp: add subtype matching
exthdr: fix tcpopt_find_template to use length after mask adjustment
tests: py: add tcp subtype match test cases
ipopt: drop unused 'ptr' argument
exthdr: support ip/tcp options and sctp chunks in typeof expressions
iptopt: fix crash with invalid field/type combo
tests: add shift+and typeof test cases
payload: skip templates with meta key set
netlink_delinearize: and/shift postprocessing
netlink_delinearize: zero shift removal
evaluate: attempt to set_eval flag if dynamic updates requested
src: silence compiler warnings
json: add flow statement json export + parser
parser_json: fix flowtable device datatype
parser_json: permit empty device list
Jeremy Sowden (18):
proto: short-circuit loops over upper protocols
evaluate: correct typo's
evaluate: reject: support ethernet as L2 protocol for inet table
tests: shell: remove stray debug flag.
build: fix autoconf warnings
build: remove scanner.c and parser_bison.c with `maintainer-clean`
tests: py: fix inet/sets.t netdev payload
tests: py: fix inet/ip.t payloads
tests: py: fix inet/ip_tcp.t test
netlink_delinearize: fix typo
src: remove arithmetic on booleans
src: reduce indentation
src: simplify logic governing storing payload dependencies
tests: py: fix inet/ip.t bridge payload
src: add a helper that returns a payload dependency for a particular base
src: store more than one payload dependency
tests: py: remove redundant payload expressions
tests: shell: remove redundant payload expressions
Pablo Neira Ayuso (30):
cache: do not skip populating anonymous set with -t
mnl: different signedness compilation warning
cli: remove #include <editline/history.h>
cli: save history on ctrl-d with editline
tests: shell: extend catchall tests for maps
proto: revisit short-circuit loops over upper protocols
erec: expose print_location() and line_location()
src: error reporting with -f and read from stdin
src: remove '$' in symbol_expr_print
src: add ruleset optimization infrastructure
optimize: merge rules with same selectors into a concatenation
optimize: merge same selector with different verdict into verdict map
optimize: merge several selectors with different verdict into verdict map
src: do not use the nft_cache_filter object from mnl.c
cache: do not set error code twice
cache: add helper function to fill up the rule cache
src: 'nft list chain' prints anonymous chains correctly
libnftables: use xrealloc()
parser_bison: missing synproxy support in map declarations
optimize: add __expr_cmp()
optimize: merge verdict maps with same lookup key
optimize: check for payload base and offset when searching for mergers
optimize: do not merge raw payload expressions
iface: handle EINTR case when creating the cache
examples: add libnftables example program
examples: load ruleset from JSON
netlink: check key is EXPR_CONCAT before accessing field
segtree: memleak get element command
build: Bump version to 1.0.2
build: missing SUBIRS update
Phil Sutter (18):
tests/py: Avoid duplicate records in *.got files
exthdr: Fix for segfault with unknown exthdr
mnl: Fix for missing info in rule dumps
src: Fix payload statement mask on Big Endian
meta: Fix {g,u}id_type on Big Endian
meta: Fix hour_type size
datatype: Fix size of time_type
ct: Fix ct label value parser
netlink_delinearize: Fix for escaped asterisk strings on Big Endian
cache: Filter tables on kernel side
cache: Filter rule list on kernel side
cache: Filter chain list on kernel side
cache: Filter set list on server side
cache: Support filtering for a specific flowtable
tests: py: Test connlimit statement
scanner: Move 'maps' keyword into list cmd scope
scanner: Some time units are only used in limit scope
scanner: rt: Move seg-left keyword into scope
Pierre Ducroquet (1):
doc: add undefine and redefine keywords
Stijn Tintel (1):
parser: allow quoted string in flowtable_expr_member
Štěpán Němec (1):
tests: shell: better parameters for the interval stack overflow test
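A simplified model of the rule merging that the new -o/--optimize option performs, added here as an illustration and not code from nftables itself: it folds runs of adjacent rules sharing the same selector keys and statements into a set, a concatenation set, or a verdict map, reproducing the three transformations shown in the announcement. The set of recognised keys, the handling of a repeated key with a different verdict, and the rule that only adjacent rules are merged (so the chain's first-match order cannot change) are assumptions of this toy, not a description of nft's internals.

```python
# Toy model of `nft -o`: merge adjacent rules with identical selectors and
# statements into a set / concatenation set / verdict map. Not nft's own code.
KEYS = {"ip saddr", "ip daddr", "meta iifname", "meta oifname", "tcp dport"}
VERDICTS = {"accept", "drop", "reject"}


def parse_rule(line):
    """'ip saddr 1.1.1.1 ip daddr 2.2.2.2 counter accept' ->
    (('ip saddr', 'ip daddr'), ('1.1.1.1', '2.2.2.2'), ('counter',), 'accept')"""
    tok = line.split()
    keys, vals, i = [], [], 0
    while i + 2 < len(tok) and " ".join(tok[i:i + 2]) in KEYS:
        keys.append(" ".join(tok[i:i + 2]))
        vals.append(tok[i + 2])
        i += 3
    if not keys or tok[-1] not in VERDICTS:
        raise ValueError("unsupported rule: " + line)
    return tuple(keys), tuple(vals), tuple(tok[i:-1]), tok[-1]


def render(keys, stmts, members):
    """Render one merged rule; members is a list of (values, verdict)."""
    lhs = " . ".join(keys)                       # concatenation of selectors
    stmt = "".join(" " + s for s in stmts)
    verdicts = {vd for _, vd in members}
    if len(verdicts) == 1:                       # same verdict: (concat) set
        elems = ", ".join(" . ".join(v) for v, _ in members)
        return f"{lhs} {{ {elems} }}{stmt} {members[0][1]}"
    elems = ", ".join(f"{' . '.join(v)} : {vd}" for v, vd in members)
    return f"{lhs}{stmt} vmap {{ {elems} }}"     # mixed verdicts: verdict map


def optimize(lines):
    """Merge runs of adjacent mergeable rules. Rules are never reordered across
    an unrelated rule, so the chain's first-match semantics are preserved."""
    out, group, sig = [], [], None

    def flush():
        if len(group) == 1:
            out.append(group[0][2])              # lone rule: keep as written
        elif group:
            out.append(render(sig[0], sig[1], [(v, vd) for v, vd, _ in group]))
        group.clear()

    for line in lines:
        keys, vals, stmts, vd = parse_rule(line)
        # a repeated key cannot go into one set/vmap: it would hide which
        # verdict fired first, so start a new run instead of merging
        dup = any(v == vals for v, _, _ in group)
        if (keys, stmts) != sig or dup:
            flush()
            sig = (keys, stmts)
        group.append((vals, vd, line))
    flush()
    return out
```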
* Re: [ANNOUNCE] nftables 1.0.2 release
@ 2022-02-22 15:28 ` Arturo Borrero Gonzalez
From: Arturo Borrero Gonzalez @ 2022-02-22 15:28 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
On 2/21/22 17:09, Pablo Neira Ayuso wrote:
> Hi!
>
> The Netfilter project proudly presents:
>
> nftables 1.0.2
>
Hi there,
this release doesn't build out of the box:
[..]
Making all in examples
make[3]: Entering directory '/<<PKGBUILDDIR>>/examples'
gcc -DHAVE_CONFIG_H -I. -I.. -Wdate-time -D_FORTIFY_SOURCE=2 -g -O2
-ffile-prefix-map=/<<PKGBUILDDIR>>=. -fstack-protector-strong -Wformat
-Werror=format-security -c -o nft-buffer.o nft-buffer.c
gcc -DHAVE_CONFIG_H -I. -I.. -Wdate-time -D_FORTIFY_SOURCE=2 -g -O2
-ffile-prefix-map=/<<PKGBUILDDIR>>=. -fstack-protector-strong -Wformat
-Werror=format-security -c -o nft-json-file.o nft-json-file.c
nft-json-file.c:3:10: fatal error: nftables/libnftables.h: No such file
or directory
3 | #include <nftables/libnftables.h>
| ^~~~~~~~~~~~~~~~~~~~~~~~
compilation terminated.
nft-buffer.c:3:10: fatal error: nftables/libnftables.h: No such file or
directory
3 | #include <nftables/libnftables.h>
| ^~~~~~~~~~~~~~~~~~~~~~~~
compilation terminated.
[..]
Some options:
* make the missing header file properly available to the example files
* don't build the examples unless explicitly requested, not as part of
the main program build
What do you suggest?
* Re: [ANNOUNCE] nftables 1.0.2 release
@ 2022-02-22 15:44 ` Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2022-02-22 15:44 UTC (permalink / raw)
To: Arturo Borrero Gonzalez; +Cc: netfilter-devel
On Tue, Feb 22, 2022 at 04:28:39PM +0100, Arturo Borrero Gonzalez wrote:
>
>
> On 2/21/22 17:09, Pablo Neira Ayuso wrote:
> > Hi!
> >
> > The Netfilter project proudly presents:
> >
> > nftables 1.0.2
> >
>
>
> Hi there,
>
> this release doesn't build out of the box:
>
> [..]
> Making all in examples
> make[3]: Entering directory '/<<PKGBUILDDIR>>/examples'
> gcc -DHAVE_CONFIG_H -I. -I.. -Wdate-time -D_FORTIFY_SOURCE=2 -g -O2
> -ffile-prefix-map=/<<PKGBUILDDIR>>=. -fstack-protector-strong -Wformat
> -Werror=format-security -c -o nft-buffer.o nft-buffer.c
> gcc -DHAVE_CONFIG_H -I. -I.. -Wdate-time -D_FORTIFY_SOURCE=2 -g -O2
> -ffile-prefix-map=/<<PKGBUILDDIR>>=. -fstack-protector-strong -Wformat
> -Werror=format-security -c -o nft-json-file.o nft-json-file.c
> nft-json-file.c:3:10: fatal error: nftables/libnftables.h: No such file or
> directory
> 3 | #include <nftables/libnftables.h>
> | ^~~~~~~~~~~~~~~~~~~~~~~~
> compilation terminated.
> nft-buffer.c:3:10: fatal error: nftables/libnftables.h: No such file or
> directory
> 3 | #include <nftables/libnftables.h>
> | ^~~~~~~~~~~~~~~~~~~~~~~~
> compilation terminated.
> [..]
>
>
> Some options:
> * make the missing header file properly available to the example files
> * don't build the examples unless explicitly requested, not as part of the
> main program build
>
> What do you suggest?
It is fixed here, both things you mentioned:
http://git.netfilter.org/nftables/commit/?id=18a08fb7f0443f8bde83393bd6f69e23a04246b3
* Re: [ANNOUNCE] nftables 1.0.2 release
@ 2022-02-22 15:49 ` Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2022-02-22 15:49 UTC (permalink / raw)
To: Arturo Borrero Gonzalez; +Cc: netfilter-devel
On Tue, Feb 22, 2022 at 04:44:31PM +0100, Pablo Neira Ayuso wrote:
> On Tue, Feb 22, 2022 at 04:28:39PM +0100, Arturo Borrero Gonzalez wrote:
> >
> >
> > On 2/21/22 17:09, Pablo Neira Ayuso wrote:
> > > Hi!
> > >
> > > The Netfilter project proudly presents:
> > >
> > > nftables 1.0.2
> > >
> >
> >
> > Hi there,
> >
> > this release doesn't build out of the box:
> >
> > [..]
> > Making all in examples
> > make[3]: Entering directory '/<<PKGBUILDDIR>>/examples'
> > gcc -DHAVE_CONFIG_H -I. -I.. -Wdate-time -D_FORTIFY_SOURCE=2 -g -O2
> > -ffile-prefix-map=/<<PKGBUILDDIR>>=. -fstack-protector-strong -Wformat
> > -Werror=format-security -c -o nft-buffer.o nft-buffer.c
> > gcc -DHAVE_CONFIG_H -I. -I.. -Wdate-time -D_FORTIFY_SOURCE=2 -g -O2
> > -ffile-prefix-map=/<<PKGBUILDDIR>>=. -fstack-protector-strong -Wformat
> > -Werror=format-security -c -o nft-json-file.o nft-json-file.c
> > nft-json-file.c:3:10: fatal error: nftables/libnftables.h: No such file or
> > directory
> > 3 | #include <nftables/libnftables.h>
> > | ^~~~~~~~~~~~~~~~~~~~~~~~
> > compilation terminated.
> > nft-buffer.c:3:10: fatal error: nftables/libnftables.h: No such file or
> > directory
> > 3 | #include <nftables/libnftables.h>
> > | ^~~~~~~~~~~~~~~~~~~~~~~~
> > compilation terminated.
> > [..]
> >
> >
> > Some options:
> > * make the missing header file properly available to the example files
> > * don't build the examples unless explicitly requested, not as part of the
> > main program build
> >
> > What do you suggest?
>
> It is fixed here, both things you mentioned:
>
> http://git.netfilter.org/nftables/commit/?id=18a08fb7f0443f8bde83393bd6f69e23a04246b3
Unfortunately, make distcheck did not catch this error since it uses
on libnftables local headers (my system already had previous version
headers).
* Re: [ANNOUNCE] nftables 1.0.2 release
@ 2022-02-23 13:21 ` Arturo Borrero Gonzalez
From: Arturo Borrero Gonzalez @ 2022-02-23 13:21 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
On 2/22/22 16:44, Pablo Neira Ayuso wrote:
> It is fixed here, both things you mentioned:
>
> http://git.netfilter.org/nftables/commit/?id=18a08fb7f0443f8bde83393bd6f69e23a04246b3
Worked! thanks.