From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter <netfilter@vger.kernel.org>,
netfilter-devel <netfilter-devel@vger.kernel.org>
Cc: netdev@vger.kernel.org, lwn@lwn.net
Subject: [ANNOUNCE] nftables 0.9.3 release
Date: Mon, 2 Dec 2019 22:17:37 +0100 [thread overview]
Message-ID: <20191202211737.xvmd6e6xxj4xvvjl@salvia> (raw)
[-- Attachment #1: Type: text/plain, Size: 3530 bytes --]
Hi!
The Netfilter project proudly presents:
nftables 0.9.3
This release contains fixes and new features available up to the
upcoming Linux kernel 5.5-rc release.
* time matching support. You can combine this with ranges to match
on specify date ranges:
meta time \"2019-12-24 16:00\" - \"2020-01-02 7:00\"
Hour ranges can be used too:
meta hour \"17:00\" - \"19:00\"
You can also match on a specificy week day:
meta day \"Fri\"
New -T option allows for printing time in seconds since Unix epoch.
* secmark restore / save support, eg.
ct secmark set meta secmark
meta secmark set ct secmark
* synproxy map support to improve scalability, eg.
table ip foo {
synproxy https-synproxy {
mss 1460
wscale 7
timestamp sack-perm
}
synproxy other-synproxy {
mss 1460
wscale 5
}
chain pre {
type filter hook prerouting priority raw; policy accept;
tcp dport 8888 tcp flags syn notrack
}
chain bar {
type filter hook forward priority filter; policy accept;
ct state invalid,untracked synproxy name ip saddr map { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" }
}
}
iptables requires one single rule per backend which might limit
scalability in case of many backend servers.
* Dynamic set element deletion from the packet path, eg.
nft add rule ... delete @set5 { ip6 saddr . ip6 daddr }
to delete an entry from the set via rule based on the user-defined
matching criteria.
* meta bridge vlan id and protocol matching, eg.
meta ibrpvid 100
meta ibrvproto vlan
to match on the vlan over bridge device metadata.
* New -t/--terse option to exclude set elements from the ruleset listing:
# nft -t list ruleset
table ip x {
set y {
type ipv4_addr
}
}
instead of:
# nft list ruleset
table ip x {
set y {
type ipv4_addr
elements = { 192.168.10.2, 192.168.20.1,
192.168.4.4, 192.168.2.34 }
}
}
Useful in case your set contains many elements.
* Multidevice chain in netdev family (available since upcoming 5.5-rc)
add table netdev x
add chain netdev x y { \
type filter hook ingress devices = { eth0, eth1 } priority 0;
}
to consolidate common filter policies for several netdevices from
the ingress path.
* description support for data types, eg.
# nft describe ipv4_addr
datatype ipv4_addr (IPv4 address) (basetype integer), 32 bits
* linenoise support for cli via --with-cli=linenoise, ie.
./configure --with-cli=linenoise
as alternative to libreadline.
* manpage documentation updates.
* ... and bugfixes.
See ChangeLog that comes attached to this email for more details.
You can download it from:
http://www.netfilter.org/projects/nftables/downloads.html#nftables-0.9.3
ftp://ftp.netfilter.org/pub/nftables/
To build the code, libnftnl 1.1.4 and libmnl >= 1.0.3 are required:
* http://netfilter.org/projects/libnftnl/index.html
* http://netfilter.org/projects/libmnl/index.html
Visit our wikipage for user documentation at:
* http://wiki.nftables.org
For the manpage reference, check man(8) nft.
In case of bugs and feature request, file them via:
* https://bugzilla.netfilter.org
Happy firewalling!
[-- Attachment #2: changes-nftables-0.9.3.txt --]
[-- Type: text/plain, Size: 5064 bytes --]
Ander Juaristi (4):
netfilter: support for element deletion
evaluate: New internal helper __expr_evaluate_range
meta: Introduce new conditions 'time', 'day' and 'hour'
tests: add meta time test cases
Christian Göttsche (3):
statement: make secmark statements idempotent
src: add ability to set/get secmarks to/from connection
files: add example secmark config
Eric Garver (6):
cache: fix --echo with index/position
tests: shell: check that rule add with index works with echo
tests: shell: verify huge transaction returns expected number of rules
tests: shell: add huge JSON transaction
tests: shell: add huge transaction from firewalld
parser_json: fix crash on insert rule to bad references
Eric Jallot (10):
src: secmark: fix brace indentation and missing quotes in selctx output
src: parser_json: fix crash while restoring secmark object
src: obj: fix memleak in handle_free()
tests: shell: fix failed tests due to missing quotes
obj: fix memleak in parser_bison.y
flowtable: fix memleak in exit path
src: flowtable: add support for named flowtable listing
doc: fix missing family in plural forms list command.
src: flowtable: add support for delete command by handle
scanner: fix out-of-bound memory write in include_file()
Fernando Fernandez Mancera (5):
netlink_delinearize: fix wrong conversion to "list" in ct mark
src: add synproxy stateful object support
json: fix type mismatch on "ct expect" json exporting
json: tests: fix typo in ct expectation json test
tests: add stateful object update operation test
Florian Westphal (6):
src: json: add support for element deletion
src: evaluate: catch invalid 'meta day' values in eval step
evaluate: flag fwd and queue statements as terminal
src: meter: avoid double-space in list ruleset output
tests: check we can use "dynamic" set for lookups
expression: extend 'nft describe' to allow listing data types
Jeremy Sowden (11):
configure: remove unused AC_SUBST macros.
cli: remove unused declaration.
cli: add linenoise CLI implementation.
src: use `-T` as the short option for `--numeric-time`.
src: add --terse to suppress output of set elements.
doc: add missing output flag documentation.
main: add missing `OPT_NUMERIC_PROTO` long option.
main: remove duplicate output flag assignment.
py: add missing output flags.
src: add and use `set_is_meter` helper
doc: fix inconsistency in set statement documentation.
Michal Rostecki (1):
mnl: Fix -Wimplicit-function-declaration warnings
Pablo Neira Ayuso (15):
tests: shell: use-after-free from abort path
mnl: fix --echo buffer size again
libnftables: use-after-free in exit path
mnl: do not cache sender buffer size
tests: shell: delete flowtable after flush chain
libnftables: memleak when list of commands is empty
segtree: always close interval in non-anonymous sets
datatype: display description for header field < 8 bits
src: define flowtable device compound as a list
src: restore --echo with anonymous sets
src: add multidevice support for netdev chain
tests: shell: set reference from variable definition
segtree: restore automerge
netlink: off-by-one write in netdev chain device array
build: Bump version to v0.9.3
Phil Sutter (25):
parser_bison: Fix 'exists' keyword on Big Endian
mnl: Don't use nftnl_set_set()
monitor: Add missing newline to error message
tests/monitor: Fix for changed ct timeout format
rule: Fix for single line ct timeout printing
parser_json: Fix checking of parse_policy() return code
tproxy: Add missing error checking when parsing from netlink
main: Fix for misleading error with negative chain priority
Revert "main: Fix for misleading error with negative chain priority"
tests/py: Fix test script for Python3 tempfile
mnl: Replace use of untyped nftnl data setters
doc: Drop incorrect requirement for nft configs
libnftables: Store top_scope in struct nft_ctx
meta: Rewrite hour_type_print()
segtree: Check ranges when deleting elements
segtree: Fix get element for little endian ranges
cache: Reduce caching for get command
parser_bison: Avoid set references in odd places
files: Install sample scripts from files/examples
files: Drop shebangs from config files
scanner: Introduce numberstring
nft.8: Describe numgen expression
nft.8: Fix nat family spec position
tests/py: Set a fixed timezone in nft-test.py
segtree: Fix add and delete of element in same batch
Sergei Trofimovich (1):
nftables: don't crash in 'list ruleset' if policy is not set
Sven Auhagen (1):
mnl: remove artifical cap on 8 devices per flowtable
wenxu (1):
meta: add ibrpvid and ibrvproto support
next reply other threads:[~2019-12-02 21:17 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-12-02 21:17 Pablo Neira Ayuso [this message]
2019-12-03 7:59 ` [ANNOUNCE] nftables 0.9.3 release Paweł Krawczyk
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191202211737.xvmd6e6xxj4xvvjl@salvia \
--to=pablo@netfilter.org \
--cc=lwn@lwn.net \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).