[ANNOUNCE] nftables 1.0.6 release
From: Pablo Neira Ayuso @ 2022-12-21 23:30 UTC
To: netfilter, netfilter-devel; +Cc: netdev, netfilter-announce, lwn
Hi!
The Netfilter project proudly presents:
nftables 1.0.6
This release contains enhancements and fixes:
- Fixes for -o/--optimize; run with this --optimize option to automagically
compact your ruleset using sets, maps and concatenations, e.g.
# cat ruleset.nft
table ip x {
    chain y {
        type filter hook input priority filter; policy drop;
        meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept
        meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.4 accept
        meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.3.0/24 accept
        meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.4.0-2.2.4.10 accept
        meta iifname eth2 ip saddr 1.1.1.3 ip daddr 2.2.2.5 accept
    }
}
# nft -o -c -f ruleset.nft
Merging:
ruleset.nft:4:17-74: meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept
ruleset.nft:5:17-74: meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.4 accept
ruleset.nft:6:17-77: meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.3.0/24 accept
ruleset.nft:7:17-83: meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.4.0-2.2.4.10 accept
ruleset.nft:8:17-74: meta iifname eth2 ip saddr 1.1.1.3 ip daddr 2.2.2.5 accept
into:
iifname . ip saddr . ip daddr { eth1 . 1.1.1.1 . 2.2.2.3, eth1 . 1.1.1.2 . 2.2.2.4, eth1 . 1.1.1.2 . 2.2.3.0/24, eth1 . 1.1.1.2 . 2.2.4.0-2.2.4.10, eth2 . 1.1.1.3 . 2.2.2.5 } accept
+ The optimizer also compacts ruleset representations that already use simple
sets, turning them into sets with concatenations, e.g.
# cat ruleset.nft
table ip filter {
    chain input {
        type filter hook input priority filter; policy drop;
        iifname "lo" accept
        ct state established,related accept comment "In traffic we originate, we trust"
        iifname "enp0s31f6" ip saddr { 209.115.181.102, 216.197.228.230 } ip daddr 10.0.0.149 udp sport 123 udp dport 32768-65535 accept
        iifname "enp0s31f6" ip saddr { 64.59.144.17, 64.59.150.133 } ip daddr 10.0.0.149 udp sport 53 udp dport 32768-65535 accept
    }
}
# nft -o -c -f ruleset.nft
Merging:
ruleset.nft:6:22-149: iifname "enp0s31f6" ip saddr { 209.115.181.102, 216.197.228.230 } ip daddr 10.0.0.149 udp sport 123 udp dport 32768-65535 accept
ruleset.nft:7:22-143: iifname "enp0s31f6" ip saddr { 64.59.144.17, 64.59.150.133 } ip daddr 10.0.0.149 udp sport 53 udp dport 32768-65535 accept
into:
iifname . ip saddr . ip daddr . udp sport . udp dport { enp0s31f6 . 209.115.181.102 . 10.0.0.149 . 123 . 32768-65535, enp0s31f6 . 216.197.228.230 . 10.0.0.149 . 123 . 32768-65535, enp0s31f6 . 64.59.144.17 . 10.0.0.149 . 53 . 32768-65535, enp0s31f6 . 64.59.150.133 . 10.0.0.149 . 53 . 32768-65535 } accept
- Fix bytecode generation for concatenation of intervals where selectors use
different byteorder datatypes, e.g. IPv4 (network byte order) and meta mark
(host byte order):
table ip x {
    map w {
        typeof ip saddr . meta mark : verdict
        flags interval
        counter
        elements = {
            127.0.0.1-127.0.0.4 . 0x123434-0xb00122 : accept,
            192.168.0.10-192.168.1.20 . 0x0000aa00-0x0000aaff : accept,
        }
    }
    chain k {
        type filter hook input priority filter; policy drop;
        ip saddr . meta mark vmap @w
    }
}
- fix match of uncommon protocol matches with raw expressions, e.g.
    meta l4proto 91 @th,400,16 0x0 accept
- unbreak insertion of rules with intervals:
    insert rule x y tcp sport { 3478-3497, 16384-16387 } counter accept
- enhancements for the JSON API, including support for statements in sets and
maps, and assorted fixes.
- extensions for the python nftables library to allow loading a ruleset and
performing a dry run, support for external definition of variables, among others.
- allow intercalating comments in set elements.
- allow for zero burst in byte ratelimits.
- fix element collapse routine when the same set name is used with a different family.
- ... and manpage updates.
See changelog for more details (attached to this email).
You can download this new release from:
https://www.netfilter.org/projects/nftables/downloads.html
https://www.netfilter.org/pub/nftables/
[ NOTE: We have switched to .tar.xz files for releases. ]
To build the code, libnftnl >= 1.2.4 and libmnl >= 1.0.4 are required:
* https://netfilter.org/projects/libnftnl/index.html
* https://netfilter.org/projects/libmnl/index.html
Visit our wikipage for user documentation at:
* https://wiki.nftables.org
For the manpage reference, check man(8) nft.
In case of bugs and feature requests, file them via:
* https://bugzilla.netfilter.org
Happy firewalling.
[-- Attachment #2: changes-nftables-1.0.6.txt --]
Alex Forster (1):
json: fix 'add flowtable' command
Derek Hageman (1):
rule: check address family in set collapse
Fernando Fernandez Mancera (8):
json: add set statement list support
json: add table map statement support
json: fix json schema version verification
json: fix empty statement list output in sets and maps
json: add secmark object reference support
json: add stateful object comment support
py: support variables management and fix formatting
doc: add nft_ctx_add_var() and nft_ctx_clear_vars() docs
Florian Westphal (11):
tests: shell: check for a tainted kernel
expr: update EXPR_MAX and add missing comments
evaluate: un-break rule insert with intervals
evaluate: allow implicit ether -> vlan dep
doc: mention vlan matching in ip/ip6/inet families
evaluate: add ethernet header size offset for implicit vlan dependency
tests: py: add vlan test case for ip/inet family
netlink_delinearize: fix decoding of concat data element
netlink_linearize: fix timeout with map updates
tests: add a test case for map update from packet path with concat
doc: add/update can be used with maps too
Harald Welte (1):
doc: payload-expression.txt: Mention that 'ih' exists
Jeremy Sowden (3):
segtree: refactor decomposition of closed intervals
segtree: fix decomposition of unclosed intervals containing address prefixes
doc, src: make some spelling and grammatical improvements
Michael Braun (1):
concat with dynamically sized fields like vlan id
Pablo Neira Ayuso (31):
optimize: merging concatenation is unsupported
optimize: check for mergeable rules
optimize: expand implicit set element when merging into concatenation
src: allow burst 0 for byte ratelimit and use it as default
tests/py: missing userdata in netlink payload
include: resync nf_tables.h cache copy
evaluate: bogus datatype assertion in binary operation evaluation
evaluate: datatype memleak after binop transfer
parser_bison: display too many levels of nesting error
rule: do not display handle for implicit chain
netlink_delinearize: do not transfer binary operation to non-anonymous sets
tests: shell: deletion from interval concatenation
netlink_delinearize: complete payload expression in payload statement
payload: do not kill dependency for proto_unknown
optimize: handle prefix and range when merging into set + concatenation
doc: document a few reset commands supported by the parser
doc: no reset support for limit
monitor: missing cache and set handle initialization
src: support for selectors with different byteorder with interval concatenations
doc: statements: fwd supports for sending packets via neighbouring layer
scanner: munch full comment lines
tests: py: missing json for different byteorder selector with interval concatenation
netlink: swap byteorder of value component in concatenation of intervals
evaluate: do not crash on runaway number of concatenation components
netlink: statify __netlink_gen_data()
netlink: add function to generate set element key data
netlink: unfold function to generate concatenations for keys and data
scanner: match full comment line in case of tie
evaluate: fix compilation warning
owner: Fix potential array out of bounds access
build: Bump version to 1.0.6
Peter Collinson (1):
py: extend python API to support libnftables API
Phil Sutter (9):
doc: nft.8: Add missing '-T' in synopsis
erec: Dump locations' expressions only if set
monitor: Sanitize startup race condition
Warn for tables with compat expressions in rules
Makefile: Create LZMA-compressed dist-files
xt: Delay libxtables access until translation
xt: Purify enum nft_xt_type
xt: Rewrite unsupported compat expression dumping
xt: Fall back to generic printing from translation
Xiao Liang (1):
src: Don't parse string as verdict in map
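The two -o/--optimize examples in the announcement show rules being merged into a single rule keyed by a concatenated set, and an anonymous set such as `ip saddr { a, b }` being expanded into one element per member. The following is an added toy model of that merge, not nftables code and not the optimizer's real implementation: it understands only the selector keywords that appear in the examples above, merges only adjacent rules that share selectors and verdict (which trivially preserves first-match semantics), and passes everything else through untouched. The two rulesets are copied from the announcement as constructed input.

```python
"""Toy model of what `nft -o` does in the two examples above: adjacent rules
that test the same selectors with the same verdict are merged into one rule
keyed by a concatenated set, and an anonymous set inside a rule is expanded
into one element per member.  Added illustration, not nftables code; it only
understands the selector keywords used on this page."""
import itertools
import re

# Selector keywords the toy parser knows; "meta iifname" is printed as "iifname".
SELECTORS = ("meta iifname", "iifname", "ip saddr", "ip daddr",
             "udp sport", "udp dport")
_SEL = "|".join(re.escape(s) for s in SELECTORS)
_RULE = re.compile(r"((?:(?:%s)\s+(?:\{[^}]*\}|\S+)\s+)+)(accept|drop)" % _SEL)
_MATCH = re.compile(r"(%s)\s+(\{[^}]*\}|\S+)" % _SEL)


def _values(text):
    """'{ a, b }' -> ['a', 'b']; a single literal -> [literal]; quotes dropped."""
    items = text.strip("{}").split(",") if text.startswith("{") else [text]
    return [i.strip().strip('"') for i in items]


def parse_rule(rule):
    """Return (selectors, values, verdict), or None if the rule is not a plain
    selector/verdict rule the toy can merge (e.g. a ct state match)."""
    m = _RULE.fullmatch(rule.strip())
    if m is None:
        return None
    selectors, values = [], []
    for key, val in _MATCH.findall(m.group(1)):
        selectors.append("iifname" if key == "meta iifname" else key)
        values.append(_values(val))
    return tuple(selectors), values, m.group(2)


def optimize(rules):
    """Merge runs of adjacent mergeable rules; everything else passes through.
    Only adjacent rules with the same verdict are merged, so the rewritten
    chain accepts/drops exactly the same packets as the original."""
    out, run = [], []  # run: [(original text, parsed)] of the current group

    def flush():
        if len(run) == 1:
            out.append(run[0][0])  # lone rule: keep its original text
        elif run:
            sels, _, verdict = run[0][1]
            # Cartesian product expands { a, b } into one element per member.
            elems = [" . ".join(e)
                     for _, (_, vals, _) in run
                     for e in itertools.product(*vals)]
            out.append("%s { %s } %s" % (" . ".join(sels), ", ".join(elems), verdict))
        run.clear()

    for text in rules:
        text = text.strip()
        parsed = parse_rule(text)
        if parsed is None:
            flush()
            out.append(text)
            continue
        if run and (run[-1][1][0], run[-1][1][2]) != (parsed[0], parsed[2]):
            flush()
        run.append((text, parsed))
    flush()
    return out


# Constructed input: the two chain bodies quoted in the announcement.
RULESET_A = [
    "meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept",
    "meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.4 accept",
    "meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.3.0/24 accept",
    "meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.4.0-2.2.4.10 accept",
    "meta iifname eth2 ip saddr 1.1.1.3 ip daddr 2.2.2.5 accept",
]
RULESET_B = [
    'iifname "lo" accept',
    'ct state established,related accept comment "In traffic we originate, we trust"',
    'iifname "enp0s31f6" ip saddr { 209.115.181.102, 216.197.228.230 } ip daddr 10.0.0.149 udp sport 123 udp dport 32768-65535 accept',
    'iifname "enp0s31f6" ip saddr { 64.59.144.17, 64.59.150.133 } ip daddr 10.0.0.149 udp sport 53 udp dport 32768-65535 accept',
]

if __name__ == "__main__":
    for line in optimize(RULESET_A) + optimize(RULESET_B):
        print(line)
```

Running it prints the same two merged rules that `nft -o -c -f ruleset.nft` reports under "into:" above; the `lo` and `ct state` rules of the second ruleset are left alone because they have nothing adjacent to merge with. The real optimizer does more (it checks mergeability and handles prefixes and ranges inside concatenations, per the changelog), but the grouping by selector list and verdict is the core idea.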
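The byteorder fix for concatenated intervals (ip saddr in network byte order next to meta mark in host byte order, using the `map w` from the announcement) is easiest to understand by seeing what goes wrong when one component is serialized in the wrong order. The block below is an added illustration, not nftables code, and it uses a deliberately simplified model that is an assumption rather than the real netlink encoding: each component of a concatenated interval key is range-matched independently as a big-endian byte string, so userspace must emit every component, including the mark, in network byte order. With the mark left in x86 host order, the interval bounds are corrupted and the map silently matches the wrong traffic in both directions.

```python
"""Why the byteorder of each component matters in a concatenated interval key.
Added illustration, not nftables code.  Simplified model (an assumption, not
the real netlink encoding): the kernel range-matches every component of the
key as a big-endian byte string, so userspace has to serialize each component
in network byte order, including meta mark, which nft holds in host order."""
import ipaddress

# Map elements from the announcement's `map w`: (saddr range, mark range, verdict).
ELEMENTS = [
    (("127.0.0.1", "127.0.0.4"), (0x123434, 0xb00122), "accept"),
    (("192.168.0.10", "192.168.1.20"), (0x0000aa00, 0x0000aaff), "accept"),
]
FIELD_LEN = (4, 4)  # ip saddr, meta mark


def encode_key(saddr, mark, mark_order="big"):
    """Serialize an (ip saddr . meta mark) key.  mark_order models whether
    userspace converted the mark to network byte order ("big", the fixed
    behaviour) or left it in x86 host order ("little", the bug)."""
    return ipaddress.IPv4Address(saddr).packed + mark.to_bytes(4, mark_order)


def in_range(lo_key, hi_key, key):
    """Component-wise range test; every component is read back as big-endian,
    which is the only thing the matching side ever sees."""
    off = 0
    for n in FIELD_LEN:
        lo = int.from_bytes(lo_key[off:off + n], "big")
        hi = int.from_bytes(hi_key[off:off + n], "big")
        val = int.from_bytes(key[off:off + n], "big")
        if not lo <= val <= hi:
            return False
        off += n
    return True


def lookup(saddr, mark, mark_order="big"):
    """Verdict for a packet, or None when no element matches (policy drop)."""
    key = encode_key(saddr, mark, mark_order)
    for (ip_lo, ip_hi), (mk_lo, mk_hi), verdict in ELEMENTS:
        lo_key = encode_key(ip_lo, mk_lo, mark_order)
        hi_key = encode_key(ip_hi, mk_hi, mark_order)
        if in_range(lo_key, hi_key, key):
            return verdict
    return None


if __name__ == "__main__":
    for order in ("big", "little"):
        print(order, lookup("192.168.0.200", 0x12345678, order),
              lookup("127.0.0.2", 0x500000, order))
```

With the mark in network byte order the two constructed packets behave as the ruleset intends: mark 0x12345678 from 192.168.0.200 is outside 0x0000aa00-0x0000aaff and gets no verdict, while mark 0x500000 from 127.0.0.2 falls inside 0x123434-0xb00122 and is accepted. With the mark in host order, the first becomes a false positive (the swapped bounds 0x00aa0000-0xffaa0000 cover most of the mark space) and the second a false negative (the swapped bounds 0x34341200 and 0x2201b000 form an empty range). The defensive takeaway is that a mismatch of this kind produces no error at load time; the only way to catch it is to test the loaded ruleset against packets on both sides of each interval boundary.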
Re: [ANNOUNCE] nftables 1.0.6 release
From: Arturo Borrero Gonzalez @ 2022-12-22 11:14 UTC
To: netfilter-devel; +Cc: Pablo Neira Ayuso
On 12/22/22 00:30, Pablo Neira Ayuso wrote:
>
> To build the code, libnftnl >= 1.2.4 and libmnl >= 1.0.4 are required:
>
Hi,
when building nftables 1.0.6 for debian, the build system says that it
should be fine to use libnftnl 1.2.2, which apparently is the latest
release that added a new public symbol.
This can be a problem with the debian toolchain, or it can be for real
that there are no new symbols since 1.2.2 and therefore the build-time
dependency is on >= 1.2.2
No big deal, but it would be nice to clarify this.
Re: [ANNOUNCE] nftables 1.0.6 release
From: Pablo Neira Ayuso @ 2022-12-22 11:16 UTC
To: Arturo Borrero Gonzalez; +Cc: netfilter-devel
On Thu, Dec 22, 2022 at 12:14:20PM +0100, Arturo Borrero Gonzalez wrote:
> On 12/22/22 00:30, Pablo Neira Ayuso wrote:
> >
> > To build the code, libnftnl >= 1.2.4 and libmnl >= 1.0.4 are required:
> >
>
> Hi,
>
> when building nftables 1.0.6 for debian, the build system says that it
> should be fine to use libnftnl 1.2.2, which apparently is the latest release
> that added a new public symbol.
>
> This can be a problem with the debian toolchain, or it can be for real that
> there are no new symbols since 1.2.2 and therefore the build-time dependency
> is on >= 1.2.2
>
> No big deal, but it would be nice to clarify this.
No new symbols in libnftnl 1.2.4, the pkgconfig dependency was bumped
because of minor fixes included in libnftnl.
We can stop bumping the dependency for minor fixes in the future if
you prefer it this way.