Hi!

The Netfilter project proudly presents:

        nftables 0.9.1

This release contains fixes and new features, available with Linux
kernels >= 5.2.

* IPsec support, which allows matching on the IPsec tunnel/BEET addresses of
  the xfrm state associated with a packet, the IPsec request id and the SPI,
  eg.

        ... ipsec in ip saddr 192.168.1.0/24
        ... ipsec out ip6 daddr @endpoints
        ... ipsec in spi 1-65536

  You can also check if the route performs IPsec tunneling, eg.

        filter output rt ipsec missing drop

  which drops packets in the output path whose route carries no IPsec
  transformation, ie. packets that would otherwise leave the host in the
  clear.

* IGMP matching support, eg.

        # nft add rule netdev foo bar igmp type membership-query counter drop

  if you want to drop IGMP membership queries from the ingress path.

* Use a variable to define the jump / goto chain, eg.

        define dest = ber
        add table ip foo
        add chain ip foo bar { type filter hook input priority 0; }
        add chain ip foo ber
        add rule ip foo ber counter
        add rule ip foo bar jump $dest

* Operating System fingerprint (osf) support, eg.

        ... meta mark set osf ttl skip name map { "Linux" : 0x1, "Windows" : 0x2, "MacOS" : 0x3, "unknown" : 0x0 }

  This allows you to mark packets based on the guessed OS. If osf cannot
  guess the OS, the traffic falls under the "unknown" OS type. Note that the
  example above skips the TTL header field checks. You can also check for a
  specific OS version:

        ... osf ttl skip version "Linux:4.20"

  This passive fingerprinting is based on the OS definitions available
  through the pf.os file. The guess is derived from the fields of the TCP
  SYN packet, which the sender controls, so treat it as a classification
  hint rather than as an access control decision.

* ARP sender and target IPv4 address matching, eg.

        table arp x {
                chain y {
                        type filter hook input priority filter; policy accept;
                        arp saddr ip 192.168.2.1 counter packets 1 bytes 46
                }
        }

  this updates the rule counters for ARP packets originating from the
  192.168.2.1 address.

* Transparent proxy support (tproxy), eg.

        table ip x {
                chain y {
                        type filter hook prerouting priority -150; policy accept;
                        tcp dport 80 tproxy to :8080
                }
        }

  The proxy on port 8080 has to listen on a socket with the IP_TRANSPARENT
  option set, as with the iptables TPROXY target.

* Socket mark support, to retrieve the socket mark that the owning process
  set via setsockopt() with SO_MARK, eg.
        table inet x {
                chain y {
                        type filter hook prerouting priority -150; policy accept;
                        tcp dport 8080 mark set socket mark
                }
        }

* Support for textual chain priorities, eg.

        nft add table ip x
        nft add chain ip x raw { type filter hook prerouting priority raw; }
        nft add chain ip x filter { type filter hook prerouting priority filter; }
        nft add chain ip x filter_later { type filter hook prerouting priority filter + 10; }

  which are listed with textual priorities by default. You can disable this
  via the -y option, eg. nft -y list ruleset.

* Secmark support, eg.

        # nft add secmark inet filter sshtag \"system_u:object_r:ssh_server_packet_t:s0\"

  This defines "sshtag" for this secctx context string; then you can use it
  from rules to set the secmark:

        # nft add rule inet filter input tcp dport 22 meta secmark set "sshtag"

  You may also combine this with maps:

        # nft add map inet filter secmapping { type inet_service : secmark\; }
        # nft add element inet filter secmapping { 22 : "sshtag" }
        # nft add rule inet filter input meta secmark set tcp dport map @secmapping

* Honor /etc/services, eg.

        # nft add rule x y tcp dport \"ssh\"
        # nft list ruleset -l
        table x {
                chain y {
                        ...
                        tcp dport "ssh"
                }
        }

  You can list this numerically via the -S option.

* Interface kind support, eg.

        add rule inet raw prerouting meta iifkind "vrf" accept

  oifkind is also available from the output path.

* Improved support for dynamic set updates, through an explicit dynamic flag
  for sets that are updated from the packet path. The syntax has also been
  updated, eg.

        # cat dynamic-sets.nft
        add table x
        add set x s { type ipv4_addr; size 128; timeout 30s; flags dynamic; }
        add chain x y { type filter hook input priority 0; }
        add rule x y update @s { ip saddr }

  This ruleset updates the set 's' by adding IPv4 source addresses. The
  timer of an entry is refreshed by every packet seen from its address;
  after 30 seconds without packets from that address, the entry expires.
        # nft -f dynamic-sets.nft
        # nft list set x s
        table ip x {
                set s {
                        type ipv4_addr
                        size 128
                        flags dynamic,timeout
                        timeout 30s
                        elements = { 47.215.7.47 expires 26s484ms, 112.212.124.247 expires 25s268ms }
                }
        }

  Use this 'dynamic' flag to indicate to the kernel that this set will be
  updated from the packet path. 'size' is mandatory for such sets and caps
  the number of entries; once the set is full, new entries cannot be added
  and the update statement no longer matches packets from unseen addresses,
  so size it for the population you expect to track. You can also combine
  this with stateful expressions, eg.

        table ip x {
                set xyz {
                        type ipv4_addr
                        size 65535
                        flags dynamic,timeout
                        timeout 1h
                }

                chain y {
                        type filter hook output priority filter; policy accept;
                        update @xyz { ip daddr counter }
                        counter
                }
        }

  where each entry in 'xyz' gets a counter.

* Support for connection tracking timeout policies, which allows you to
  attach specific timeout policies to flows, eg.

        table ip filter {
                ct timeout aggressive-tcp {
                        protocol tcp;
                        l3proto ip;
                        policy = { established: 100, close_wait: 4, close: 4 }
                }

                chain output {
                        ...
                        tcp dport 8888 ct timeout set "aggressive-tcp"
                }
        }

  This allows you to override the default timeout policy (set via the
  /proc/sys/net/netfilter/nf_conntrack_*_timeout_* sysctls) for packets
  going to TCP dport 8888.

* NAT support for the inet family, eg.

        table inet nat {
                ...
                ip6 daddr dead:2::1 dnat to dead:2::99
        }

* Improved error reporting through misspell suggestions:

        # nft add table filter
        # nft add chain filtre test
        Error: No such file or directory; did you mean table ‘filter’ in family ip?
        add chain filtre test
                  ^^^^^^

* Print the default policy in traces, eg.

        # nft add rule x y meta nftrace set 1
        # nft monitor trace
        trace id 6f2db0af ip x y packet: ...
        trace id 6f2db0af ip x y rule meta nftrace set 1 (verdict continue)
        trace id 6f2db0af ip x y verdict continue
        trace id 6f2db0af ip x y policy accept

* Allow interface names in sets, eg.

        set sc {
                type inet_service . ifname
                elements = { "ssh" . "eth0" }
        }

* Update the flowtable rule syntax.

        # nft add table x
        # nft add flowtable x ft { hook ingress priority 0\; devices = { eth0, wlan0 }\; }
        ...
        # nft add rule x forward ip protocol { tcp, udp } flow add @ft

  Prefer 'flow add @ft' for consistency with the set and map syntax.

* Improved JSON support.

* A very simple Python class which gives access to the libnftables API via
  the ctypes module.

* A few library documentation updates, see:

        man(3) libnftables
        man(5) libnftables-json

* Memory and file descriptor leak fixes, improved cache logic, and many
  other changes behind the scenes... See the ChangeLog attached to this
  email for more details.

You can download it from:

        http://www.netfilter.org/projects/nftables/downloads.html#nftables-0.9.1
        ftp://ftp.netfilter.org/pub/nftables/

To build the code, libnftnl 1.1.3 and libmnl >= 1.0.3 are required:

        * http://netfilter.org/projects/libnftnl/index.html
        * http://netfilter.org/projects/libmnl/index.html

Visit our wiki page for user documentation at:

        * http://wiki.nftables.org

For the manpage reference, check man(8) nft.

In case of bugs and feature requests, file them via:

        * https://bugzilla.netfilter.org

Happy firewalling!
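As an added example appended to this announcement (it is not part of the release notes or of the nftables project's own files), the ruleset below pulls several of the features listed above into one loadable file: a dynamic set with timeouts that is filled from the packet path and then used for lookups, a dynamic set with a per-entry counter, a ct timeout policy, a secmark object, a service name resolved through /etc/services, an interface name inside a concatenated set, and textual chain priorities. The interface name eth0, the trap ports, the timeout values and the SELinux context string are assumptions to adjust for the host in question.

```nft
# Added example (not part of the nftables 0.9.1 announcement). Check the
# syntax with 'nft -c -f greylist.nft' and load it with 'nft -f greylist.nft'
# on a Linux >= 5.2 kernel. eth0, the trap ports, the timeout values and the
# SELinux context below are assumptions.

flush ruleset

table inet filter {
        # Sources that probed a trap port. Entries are created and refreshed
        # from the packet path (flags dynamic) and expire 10 minutes after
        # the last probe. 'size' is mandatory and caps the entry count.
        set scanners {
                type ipv4_addr
                size 65535
                flags dynamic,timeout
                timeout 10m
        }

        # Per-source counters of new SSH connections, kept for an hour.
        set ssh_clients {
                type ipv4_addr
                size 4096
                flags dynamic,timeout
                timeout 1h
        }

        # Ports nothing on this host serves; a new connection to one of
        # them is treated as a scan (assumed values).
        set trap_ports {
                type inet_service
                elements = { 23, 445, 3389 }
        }

        # Service . interface pairs allowed in; "ssh" resolves via
        # /etc/services, eth0 is the assumed management interface.
        set mgmt_access {
                type inet_service . ifname
                elements = { "ssh" . "eth0" }
        }

        # Tighter conntrack timeouts for SSH flows than the
        # nf_conntrack_tcp_timeout_* sysctl defaults (assumed values).
        ct timeout ssh_strict {
                protocol tcp
                l3proto ip
                policy = { syn_sent: 10, syn_recv: 10, established: 3600, close_wait: 4, close: 4 }
        }

        # SELinux context for SSH server packets (assumed string; only has
        # an effect on a host whose policy defines it with SECMARK enabled).
        secmark sshtag {
                "system_u:object_r:ssh_server_packet_t:s0"
        }

        chain input {
                type filter hook input priority filter; policy drop;

                iifname "lo" accept
                ct state invalid counter drop

                # Label every inbound SSH packet, as in the announcement's
                # secmark example.
                tcp dport "ssh" meta secmark set "sshtag"

                ct state established,related accept

                # A new connection to a trap port records the source and
                # refreshes its 10m timer; everything from a recorded source
                # is then dropped. Only IPv4 sources are tracked here.
                tcp dport @trap_ports ct state new update @scanners { ip saddr } counter drop
                ip saddr @scanners counter drop

                # New SSH connections: only via the management interface, with
                # the strict timeout policy and a per-source counter.
                tcp dport . iifname @mgmt_access ct state new ct timeout set "ssh_strict" update @ssh_clients { ip saddr counter } accept

                icmp type echo-request limit rate 5/second accept
                # IPv6 falls under the drop policy here; add ICMPv6 / neighbour
                # discovery rules before using this on a dual-stack host.
        }
}
```

After loading, 'nft list set inet filter scanners' shows the greylisted sources with their remaining 'expires' time, and 'nft list set inet filter ssh_clients' shows the per-source counters, in the same format as the dynamic set listing above. The trap rule is placed before the lookup rule on purpose: if the lookup dropped first, repeated probes from a listed source would no longer refresh its timer and the entry would expire 10 minutes after the first probe instead of the last one.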