* [ANNOUNCE] nftables 1.0.0 release
From: Pablo Neira Ayuso @ 2021-08-19 17:36 UTC (permalink / raw)
To: netfilter, netfilter-devel; +Cc: netdev, netfilter-announce, lwn
Hi!
The Netfilter project proudly presents:
nftables 1.0.0
This release contains fixes, documentation updates and new features
available up to the Linux kernel 5.13 release, more specifically:
* Catch-all set element support: This allows users to define the
  special wildcard set element for anything else not defined in
  the set.

    table x {
        map blocklist {
            type ipv4_addr : verdict
            flags interval
            elements = { 192.168.0.0/16 : accept, 10.0.0.0/8 : accept, * : drop }
        }
        chain y {
            type filter hook prerouting priority 0; policy accept;
            ip saddr vmap @blocklist
        }
    }

  [ this feature is actually supported since 0.9.9, but it was not
  included in the previous release announcement. ]
* Define variables from the command line through --define:

    # cat test.nft
    table netdev x {
        chain y {
            type filter hook ingress devices = $dev priority 0; policy drop;
        }
    }
    # nft --define dev="{ eth0, eth1 }" -f test.nft
* Allow stateful expressions in maps:

    table inet filter {
        map portmap {
            type inet_service : verdict
            counter
            elements = { 22 counter packets 0 bytes 0 : jump ssh_input, * counter packets 0 bytes 0 : drop }
        }
        chain ssh_input {
        }
        chain wan_input {
            tcp dport vmap @portmap
        }
        chain prerouting {
            type filter hook prerouting priority raw; policy accept;
            iif vmap { "lo" : jump wan_input }
        }
    }
* Add a command to list the netfilter hooks pipeline for a given packet
  family. If a device is specified, then the ingress path is also included.

    # nft list hooks ip device eth0
    family ip {
        hook ingress {
            +0000000010 chain netdev x y [nf_tables]
            +0000000300 chain inet m w [nf_tables]
        }
        hook input {
            -0000000100 chain ip a b [nf_tables]
            +0000000300 chain inet m z [nf_tables]
        }
        hook forward {
            -0000000225 selinux_ipv4_forward
             0000000000 chain ip a c [nf_tables]
        }
        hook output {
            -0000000225 selinux_ipv4_output
        }
        hook postrouting {
            +0000000225 selinux_ipv4_postroute
        }
    }
* Allow combining jhash, symhash and numgen expressions with the
  queue statement, to fan out packets to userspace queues via
  nfnetlink_queue.

    ... queue to symhash mod 65536
    ... queue flags bypass to numgen inc mod 65536
    ... queue to jhash oif . meta mark mod 32

  You can also combine it with maps, to select the userspace queue
  based on any other singleton key or concatenations:

    ... queue flags bypass to oifname map { "eth0" : 0, "ppp0" : 2, "eth1" : 2 }
* Expand a variable containing a set into multiple mappings:

    define interfaces = { eth0, eth1 }

    table ip x {
        chain y {
            type filter hook input priority 0; policy accept;
            iifname vmap { lo : accept, $interfaces : drop }
        }
    }

    # nft -f x.nft
    # nft list ruleset
    table ip x {
        chain y {
            type filter hook input priority 0; policy accept;
            iifname vmap { "lo" : accept, "eth0" : drop, "eth1" : drop }
        }
    }
* Allow combining verdict maps with interval concatenations:

    # nft add rule x y tcp dport . ip saddr vmap { 1025-65535 . 192.168.10.2 : accept }

* Simplify syntax for NAT mappings. You can specify an IP range:

    ... snat to ip saddr map { 10.141.11.4 : 192.168.2.2-192.168.2.4 }

  Or a specific IP and port:

    ... dnat to ip saddr map { 10.141.11.4 : 192.168.2.3 . 80 }

  Or a combination of a range of IP addresses and ports:

    ... dnat to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.2-10.141.10.5 . 8888-8999 }
And bugfixes.
You can download this new release from:
https://www.netfilter.org/projects/nftables/downloads.html#nftables-0.9.9
To build the code, libnftnl >= 1.2.0 and libmnl >= 1.0.4 are required:
* https://netfilter.org/projects/libnftnl/index.html
* https://netfilter.org/projects/libmnl/index.html
Visit our wikipage for user documentation at:
* https://wiki.nftables.org
For the manpage reference, check man(8) nft.
In case of bugs and feature requests, file them via:
* https://bugzilla.netfilter.org
Happy firewalling.
Attachment: changes-nftables-1.0.0.txt
Duncan Roe (1):
build: get `make distcheck` to pass again
Florian Westphal (26):
json: fix base chain output
json: fix parse of flagcmp expression
tests/py: fix error message
json: catchall element support
tests: py: update netdev reject test file
tests: ct: prefer normal cmp
tests: remove redundant test cases
evaluate: remove anon sets with exactly one element
tests: add test case for removal of anon sets with only a single element
scanner: add list cmd parser scope
src: add support for base hook dumping
doc: add LISTING section
json: tests: fix vlan.t cfi test case
json: tests: add missing concat test case
netlink_delinearize: add missing icmp id/sequence support
payload: do not remove icmp echo dependency
tests: add a icmp-reply only and icmpv6 id test cases
evaluate: fix hash expression maxval
parser: restrict queue num expressiveness
src: add queue expr and flags to queue_stmt_alloc
parser: add queue_stmt_compat
parser: new queue flag input format
src: queue: allow use of arbitrary queue expressions
tests: extend queue testcases for new sreg support
src: queue: allow use of MAP statement for queue number retrieval
netlink_delinarize: don't check for set element if set is not populated
Kerin Millar (1):
json: Print warnings to stderr rather than stdout
Pablo Neira Ayuso (59):
statement: connlimit: remove extra whitespace in print function
doc: nft: ct id does not allow for original|reply
json: missing catchall expression stub with ./configure --without-json
rule: rework CMD_OBJ_SETELEMS logic
cmd: check for table mismatch first in error reporting
netlink: quick sort array of devices
src: add vlan dei
evaluate: restore interval + concatenation in anonymous set
evaluate: add set to cache once
src: add xzalloc_array() and use it to allocate the expression hashtable
src: replace opencoded NFT_SET_ANONYMOUS set flag check by set_is_anonymous()
tests: shell: extend connlimit test
tests: shell: cover split chain reference across tables
evaluate: do not skip mapping elements
evaluate: unbreak verdict maps with implicit map with interval concatenations
evaluate: memleak in binary operation transfer to RHS
netlink_delinearize: memleak in string netlink postprocessing
segtree: memleak in error path of the set to segtree conversion
netlink_delinearize: memleak when listing ct event rule
parser_bison: memleak in osf flags
rule: memleak of list of timeout policies
evaluate: fix maps with key and data concatenations
libnftables: fix memleak when first message in batch is used to report error
parser_bison: string memleak in YYERROR path
parser_bison: memleak in rate limit parser
rule: obj_free() releases timeout state string
cmd: incorrect table location in error reporting
cmd: incorrect error reporting when table declaration exists
netlink_delinearize: stmt and expr error path memleaks
src: remove STMT_NAT_F_INTERVAL flags and interval keyword
src: infer NAT mapping with concatenation from set
src: support for nat with interval concatenation
tests: py: extend coverage for dnat with classic range representation
src: add --define key=value
evaluate: fix inet nat with no layer 3 info
libnftables: missing nft_ctx_add_var() symbol map update
tests: py: add dnat to port without defining destination address
parser_bison: missing initialization of ct timeout policy list
parser_json: inconditionally initialize ct timeout list
src: fix nft_ctx_clear_include_paths in libnftables.map
src: expose nft_ctx_clear_vars as API
parser_bison: stateful statement support in map
parser_bison: parse number as reject icmp code
src: promote 'reject with icmp CODE' syntax
evaluate: error reporting for missing statements in set/map declaration
tests: py: update new reject with icmp code syntax leftover
tests: py: missing json update for numeric reject with icmp numeric
expression: missing != in flagcmp expression print function
netlink_linearize: incorrect netlink bytecode with binary operation and flags
evaluate: disallow negation with binary operation
tests: py: idempotent tcp flags & syn != 0 to tcp flag syn
netlink_delinearize: skip flags / mask notation for singleton bitmask
tests: py: tcp flags & (fin | syn | rst | ack) == syn
tests: py: check more flag match transformations to compact syntax
mnl: revisit hook listing
tcpopt: bogus assertion on undefined options
evaluate: expand variable containing set into multiple mappings
netlink_delinearize: skip flags / mask notation for singleton bitmask again
build: Bump version to v1.0.0
Phil Sutter (13):
segtree: Fix segfault when restoring a huge interval set
parser_bison: Fix for implicit declaration of isalnum
parser_json: Fix for memleak in tcp option error path
evaluate: Mark fall through case in str2hooknum()
json: Drop pointless assignment in exthdr_expr_json()
netlink: Avoid memleak in error path of netlink_delinearize_set()
netlink: Avoid memleak in error path of netlink_delinearize_chain()
netlink: Avoid memleak in error path of netlink_delinearize_table()
netlink: Avoid memleak in error path of netlink_delinearize_obj()
netlink_delinearize: Fix suspicious calloc() call
rule: Fix for potential off-by-one in cmd_add_loc()
tests: shell: Fix bogus testsuite failure with 100Hz
tests/py: Make netns spawning more robust
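The catch-all (`*`) element in the `blocklist` verdict map above is what turns the map into an explicit default-deny: anything not covered by an interval element takes the `drop` verdict. The following is an added example for this thread, not nftables code: it models the documented lookup semantics (an address takes the verdict of the interval containing it, the catch-all only when no interval matches) with Python's standard `ipaddress` module, so the effect of a map can be checked offline before it is loaded. The `parse_elements`, `check_no_overlap` and `lookup` names are this example's own; the sample map text is the one from the announcement.

```python
"""Offline model of an nftables verdict map with `flags interval` and a
catch-all (`*`) element.  Added example, not nftables code.  The sample
elements string is the blocklist map from the 1.0.0 announcement."""
import ipaddress
from typing import List, Optional, Tuple, Union

CATCH_ALL = "*"
Key = Union[str, ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample: the text inside `elements = { ... }` of the announcement's map.
BLOCKLIST = "192.168.0.0/16 : accept, 10.0.0.0/8 : accept, * : drop"


def parse_elements(elements: str) -> List[Tuple[Key, str]]:
    """Turn 'prefix : verdict, ..., * : verdict' into a list of (key, verdict).

    Interval keys become ip_network objects; the catch-all stays the string "*".
    strict=True rejects a prefix with host bits set: in a blocklist that is a
    typo worth a hard error rather than a silently widened match.
    """
    parsed = []
    for item in elements.split(","):
        key, verdict = (part.strip() for part in item.split(":", 1))
        if key == CATCH_ALL:
            parsed.append((CATCH_ALL, verdict))
        else:
            parsed.append((ipaddress.ip_network(key, strict=True), verdict))
    return parsed


def check_no_overlap(parsed):
    """Return the first pair of interval elements that overlap, or None.

    Two overlapping intervals with different verdicts are ambiguous to a reader
    of the ruleset, so this model refuses them instead of guessing which one
    would win; only same-version networks can overlap.
    """
    nets = [key for key, _ in parsed if key != CATCH_ALL]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.version == b.version and a.overlaps(b):
                return (a, b)
    return None


def lookup(parsed, addr: str) -> Optional[str]:
    """Verdict for addr: the containing interval's verdict, else the catch-all
    verdict, else None (no catch-all and nothing matched: the rule does not match)."""
    conflict = check_no_overlap(parsed)
    if conflict is not None:
        raise ValueError(f"ambiguous map: {conflict[0]} overlaps {conflict[1]}")
    ip = ipaddress.ip_address(addr)
    fallback = None
    for key, verdict in parsed:
        if key == CATCH_ALL:
            fallback = verdict          # remembered, used only if nothing else hits
        elif ip in key:                 # version mismatch simply yields False
            return verdict
    return fallback


if __name__ == "__main__":
    elements = parse_elements(BLOCKLIST)
    for probe in ("192.168.7.1", "10.200.1.1", "203.0.113.9"):
        print(probe, "->", lookup(elements, probe))
```

Removing the `* : drop` element from the sample and running the same probes shows the practical difference: without the catch-all an address such as 203.0.113.9 yields no verdict at all, so the packet falls through to the chain's policy (`accept` in the announcement's example) rather than being dropped.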
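The `nft list hooks` output above is useful beyond nftables itself: it shows every hook function registered for a family, including ones from other kernel code (the `selinux_ipv4_*` entries in the announcement), and the signed priority that decides the order in which the kernel consults them. The parser below is an added example for this thread, not part of nftables; it reads that listing into a structure and answers the two questions an auditor typically has, which entries are not nf_tables base chains and what runs before a chain at a given priority. The function names and the `HookEntry` type are this example's own; the sample listing is the one printed in the announcement.

```python
"""Parse the output of `nft list hooks` (nftables >= 1.0.0) and audit the hook
pipeline.  Added example, not nftables project code.  SAMPLE is the listing
shown in the 1.0.0 announcement, embedded here so the script runs offline."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE = """\
family ip {
  hook ingress {
    +0000000010 chain netdev x y [nf_tables]
    +0000000300 chain inet m w [nf_tables]
  }
  hook input {
    -0000000100 chain ip a b [nf_tables]
    +0000000300 chain inet m z [nf_tables]
  }
  hook forward {
    -0000000225 selinux_ipv4_forward
    0000000000 chain ip a c [nf_tables]
  }
  hook output {
    -0000000225 selinux_ipv4_output
  }
  hook postrouting {
    +0000000225 selinux_ipv4_postroute
  }
}
"""

# "+0000000010 chain netdev x y [nf_tables]" or "-0000000225 selinux_ipv4_forward"
ENTRY_RE = re.compile(r"^([+-]?)(\d+)\s+(.*?)(?:\s+\[(\S+)\])?$")


@dataclass
class HookEntry:
    priority: int            # signed; lower values are consulted first
    name: str                # "chain <family> <table> <chain>" or a raw hook function
    module: Optional[str]    # owner printed in brackets, None when nft prints none


def parse_hook_listing(text: str) -> Dict[str, Dict[str, List[HookEntry]]]:
    """Return {family: {hook: [HookEntry, ...]}} in the order nft printed them."""
    families: Dict[str, Dict[str, List[HookEntry]]] = {}
    family = hook = None
    for line in text.splitlines():
        s = line.strip()
        if not s:
            continue
        if s == "}":                      # closes the innermost open block
            if hook is not None:
                hook = None
            else:
                family = None
            continue
        m = re.match(r"^family (\S+) \{$", s)
        if m:
            family = m.group(1)
            families[family] = {}
            continue
        m = re.match(r"^hook (\S+) \{$", s)
        if m:
            hook = m.group(1)
            families[family][hook] = []
            continue
        m = ENTRY_RE.match(s)
        if not m or family is None or hook is None:
            raise ValueError(f"unrecognised line: {line!r}")
        sign, digits, name, module = m.groups()
        prio = -int(digits) if sign == "-" else int(digits)
        families[family][hook].append(HookEntry(prio, name, module))
    return families


def foreign_hooks(families):
    """(family, hook, priority, name) for entries not owned by nf_tables: other
    kernel consumers that see the packet before or after your chains."""
    return [(fam, hook, e.priority, e.name)
            for fam, hooks in families.items()
            for hook, entries in hooks.items()
            for e in entries if e.module != "nf_tables"]


def runs_before(families, family: str, hook: str, prio: int) -> List[str]:
    """Names of entries consulted before a hook registered at priority `prio`."""
    return [e.name for e in families[family][hook] if e.priority < prio]


def listing_is_ordered(families) -> bool:
    """True when every hook's entries appear in ascending priority order."""
    return all(entries == sorted(entries, key=lambda e: e.priority)
               for hooks in families.values() for entries in hooks.values())


if __name__ == "__main__":
    fams = parse_hook_listing(SAMPLE)
    for item in foreign_hooks(fams):
        print("non-nf_tables hook:", item)
    print("before 'chain ip a c' on forward:", runs_before(fams, "ip", "forward", 0))
```

On a live system the same functions take the output of `nft list hooks ip device eth0` via `subprocess`; the value of doing this is that an entry at a lower priority than your filter chain (the SELinux forward hook at -225 in the sample) can accept or drop traffic before the chain ever sees it, which a plain `nft list ruleset` does not reveal.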
* Re: [ANNOUNCE] nftables 1.0.0 release
From: Amish @ 2021-08-20 0:44 UTC (permalink / raw)
To: Pablo Neira Ayuso, netfilter, netfilter-devel; +Cc: lwn
On 19/08/21 11:06 pm, Pablo Neira Ayuso wrote:
> * Allow to combine jhash, symhash and numgen expressions with the
> queue statement, to fan out packets to userspace queues via
> nfnetlink_queue.
>
> ... queue to symhash mod 65536
> ... queue flags bypass to numgen inc mod 65536
> ... queue to jhash oif . meta mark mod 32
>
> You can also combine it with maps, to select the userspace queue
> based on any other singleton key or concatenations:
>
> ... queue flags bypass to oifname map { "eth0" : 0, "ppp0" : 2, "eth1" : 2 }
I upgraded from nftables 0.9.9 to 1.0.0 (Arch Linux).

Earlier I had this statement, which used to work in nftables 0.9.9:

    define ips_queue = 0
    add rule ip foo snortips queue num $ips_queue bypass

And it gave an error in nftables 1.0.0:

    Aug 20 05:51:00 amish nft[3540]: /etc/nftables4.conf:19:49-54: Error: syntax error, unexpected bypass, expecting -
    Aug 20 05:51:00 amish nft[3540]: add rule ip foo snortips queue num $ips_queue bypass

So I changed the rule to:

    define ips_queue = 0
    add rule ip foo snortips queue flags bypass num $ips_queue

But it still gave me an error:

    Aug 20 05:54:51 amish nft[3649]: /etc/nftables4.conf:19:61-61: Error: syntax error, unexpected newline, expecting -
    Aug 20 05:54:51 amish nft[3649]: add rule ip foo snortips queue flags bypass num $ips_queue

Then I replaced $ips_queue directly with 0 (zero), and it worked.

    add rule ip foo snortips queue flags bypass num 0

So why isn't nftables allowing a defined variable?
It used to work till nft 0.9.9.

Regards,
Amish
* [PATCH nft] parser: permit symbolic defines for 'queue num' again
From: Florian Westphal @ 2021-08-20 9:58 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal, Amish
When I simplified the parser to restrict 'queue num' I forgot that,
instead of a range or an immediate value, it's also allowed to pass in
a symbolic constant, e.g.

    define myq = 0
    add rule ... 'queue num $myq bypass'

Allow those as well and add a test case for this.

Fixes: 767f0af82a389 ("parser: restrict queue num expressiveness")
Reported-by: Amish <anon.amish@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
src/parser_bison.y | 1 +
tests/shell/testcases/nft-f/0012different_defines_0 | 7 +++++++
.../testcases/nft-f/dumps/0012different_defines_0.nft | 5 +++++
3 files changed, 13 insertions(+)
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 2634b90c559b..2c96ea69d0b2 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -3793,6 +3793,7 @@ queue_stmt_arg : QUEUENUM queue_stmt_expr_simple
queue_stmt_expr_simple : integer_expr
| range_rhs_expr
+ | symbol_expr
;
queue_stmt_expr : numgen_expr
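Review bot: adding `symbol_expr` to `queue_stmt_expr_simple` means the grammar no longer guarantees that the value after `queue num` is an integer or a range; a define that expands to something else (a set such as the `{ eth0, eth1 }` example from the announcement, or a string) now gets past the parser and has to be rejected during evaluation. Please confirm that evaluation reports a clear error for such a define rather than an assertion or a misleading "expecting -" message, and consider a negative test case next to the positive ones in 0012different_defines_0.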
diff --git a/tests/shell/testcases/nft-f/0012different_defines_0 b/tests/shell/testcases/nft-f/0012different_defines_0
index 0bdbd1b5f147..fe22858791a1 100755
--- a/tests/shell/testcases/nft-f/0012different_defines_0
+++ b/tests/shell/testcases/nft-f/0012different_defines_0
@@ -14,6 +14,8 @@ define d_ipv4_2 = 10.0.0.2
define d_ipv6 = fe0::1
define d_ipv6_2 = fe0::2
define d_ports = 100-222
+define d_qnum = 0
+define d_qnumr = 1-42
table inet t {
chain c {
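Review bot: `d_qnumr` is hard to read next to `d_qnum`; `d_qnum_range` would say what it is and matches the naming of `d_ports`, which is also a range define. Minor.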
@@ -29,6 +31,11 @@ table inet t {
ip daddr . meta iif vmap { \$d_ipv4 . \$d_iif : accept }
tcp dport \$d_ports
udp dport vmap { \$d_ports : accept }
+ tcp dport 1 tcp sport 1 meta oifname \"foobar\" queue num \$d_qnum bypass
+ tcp dport 1 tcp sport 1 meta oifname \"foobar\" queue num \$d_qnumr
+ tcp dport 1 tcp sport 1 meta oifname \"foobar\" queue flags bypass,fanout num \$d_qnumr
+ tcp dport 1 tcp sport 1 meta oifname \"foobar\" queue to symhash mod 2
+ tcp dport 1 tcp sport 1 meta oifname \"foobar\" queue flags bypass to jhash tcp dport . tcp sport mod 4
}
}"
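Review bot: the defines are only used with `queue num` here; the `queue to symhash mod 2` and `queue to jhash ... mod 4` lines use literal moduli, so the new `symbol_expr` alternative is exercised through `num` alone. That matches the scope of the fix, but since this ruleset lives inside a double-quoted shell string (hence the `\$` and `\"` escapes), a define used with `queue to` would be cheap to add, and a short note that it is deliberately not covered would stop a later reader from assuming the test checks it.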
diff --git a/tests/shell/testcases/nft-f/dumps/0012different_defines_0.nft b/tests/shell/testcases/nft-f/dumps/0012different_defines_0.nft
index 28094387ebed..e690f322436d 100644
--- a/tests/shell/testcases/nft-f/dumps/0012different_defines_0.nft
+++ b/tests/shell/testcases/nft-f/dumps/0012different_defines_0.nft
@@ -12,5 +12,10 @@ table inet t {
ip daddr . iif vmap { 10.0.0.0 . "lo" : accept }
tcp dport 100-222
udp dport vmap { 100-222 : accept }
+ tcp sport 1 tcp dport 1 oifname "foobar" queue flags bypass num 0
+ tcp sport 1 tcp dport 1 oifname "foobar" queue num 1-42
+ tcp sport 1 tcp dport 1 oifname "foobar" queue flags bypass,fanout num 1-42
+ tcp sport 1 tcp dport 1 oifname "foobar" queue to symhash mod 2
+ tcp sport 1 tcp dport 1 oifname "foobar" queue flags bypass to jhash tcp dport . tcp sport mod 4
}
}
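Review bot: the first expected line, `tcp sport 1 tcp dport 1 oifname "foobar" queue flags bypass num 0`, shows the legacy input `queue num \$d_qnum bypass` being dumped in the `queue flags bypass num ...` form, so this hunk also pins down that the old syntax is canonicalised on output. That deserves a sentence in the commit message: the reporter's ruleset uses exactly that legacy form and will be rewritten when saved back from `nft list ruleset`. The expected output also depends on the delinearizer's canonical ordering (`sport` before `dport`, `oifname` without `meta`), so a change there will fail this test for reasons unrelated to defines.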
--
2.31.1