Contents
Complete nftlb ChangeLog
nftlb 0.6 (31 Mar 2020)
https://github.com/Skudonet/nftlb/releases/tag/v0.6
– farms: disable static sessions deletion after farm down
– sessions: delete static sessions when modifying the persistence structure
– farms: fix farm limit objects reload
– backends: fix start backend low priority with stateful object
– nft: fix delete filter elements when its not needed
– server: fix sigfault during a bad request
– server: return not found during a get farm that doesn’t exist
– policies: revert farms used counter in json dump
– sessions: fix backend marks used in session persistence
– sessions: support of deletion of timed sessions via API
– tests: add pre and post script for every test case
– farms: fix reload of tcpstrict and nfqueue
– server: unify api error messages and add verbose of the error
– server: fix sigsegv after requesting non existent URI key
– farms: fix helper rules generation
– nft: fix forward map reload based on backends
– src: apply pre and pos actionable when the attribute has changed
– nft: use backend marks in forward chain
– backends: reload farm in case of updating priority of a down backend
– backends: delete unused farm pointer in backends set priority
– backends: recalculate backends available when changing the backend priority
– src: remove unneeded debug messages
– policies: disable printing of automatic parameters and avoid the priority -1
– backends: fix backend action when is not available
– tests: improve api testing system and remove obsolete DESC parameter
– config: avoid to print unknown key as null
– nft: optimize static sessions rules to avoid to enter to dynamic map
– farms: do not return error when the farm doesn’t need to be rulerized
– server: fix sigsegv when returned rules generation error
– config: improve parsing error messages
– main: simplify previous nftlb tables check
– main: detect and clean any previous nftlb tables
– nft: avoid to flush the whole nft ruleset when deleting all farms
– config: improve api response messages
– nft: fix dynamic persistence rules
– farms: fix stateless dnat source MAC in order to ensure a consistent traffic
– server: modify source code to fully support ipv6
– sessions: introduce static and dynamic sessions support for DSR and stateless DNAT
– backends: use farm source address when available
– farms: disable network discovery when configured loopback network devices
– tests: rename api tests directories to a human-readable format
– tests: fix tests in order to force a given ether address
– backends: fix “force up status when configuring config_error”
– network: fix ether address discovery for ipv4 and ipv6
– farms: fix log level for some debug messages
– backends: force up status when configuring config_error
– policies: add support of _family_ attribute to introduce ipv6 policies
– backends: ensure to validate backends during map generation
– elements: start element when created
– farms: avoid configuring a config_err state
– farms: avoid to set priority 0
– policies: do not store elements
– nft: fix dynamic persistence rules
– network: introduce support of dual-stack in the networking layer
– nft: fix generation of ipv6 filter chain
– nft: add option to serialize nft commands
– nft: fix flow offload testing cases
– nft: refactorize farm log-prefix rules
– tests: fix flowoffload test output
– farms: introduce support of flow offload
– backends: delete unused parameter in backend switch
– nft: avoid to log per virtual service twice
– sessions: delete debug messages
– sessions: add static and dynamic session support
– farms: add support for local services
– nft: refactor chain base generation to add forward chain support
– tests: fix test files
– nft: simplify the chain and services name generation
– farms: enable several outbound interfaces for stateless dnat
– farms: fix won’t rulerize for stateless dnat without backends
– farms: support of stateless dnat direct clients
– farms: fix masquerade bit with masquerade
– farms: remove double generation of network interface index
– backends: use backend output interface whenever is possible
– backend: support of output interface per backend
– readme: delete low level networking input parameters
– backends: fix output interface calling when setting a new ip address
– farms: fix segfault when configuring stateless dnat
– backends: force to one element if the backend is uniquely identified
– nft: fix source address mapping in farm single port
– elements: fix flushing elements in policies
– farms: fix source address mapping with multiport virtual services
– nft: avoid sprintf over the same buffer
– farms: fix stopping farm while deleting service
– tests: allow to stop in an api call
– backends: fix backend status while removing all farms
– backends: enable mixed source natting per backend
– tests: refactor the test system for better maintenance
– policies: create sets with auto-merge by default
– policies: load elements if policy is not empty
– policies: optimize rulerization of policies
– nft: avoid zero marks
– backends: fix backend with mark 0x0
– backends: fix reload backends with source address
– farms: fix error parsing object in level -1 with limits
– server: add client request log info
– main: retrieve and print segfault signals
– tests: add api test to change the port per backend
– tests: enhance the api testing by not removing the reports files when it’s unknown
– backends: enable masquerade and configurable source address per backend
– farms: fix object rulerization
– policies: fix rules creation and deletion of policies
– tests: add api tests for policies
– farms: fix rulerize everything stops after wont rulerize
– farms: add api test case for deleting farms
– backends: fix priority generation after node deletion
– tests: create more api tests
– farms: make farms rulerize loop safe
– backends: fix priority generation
– main: implement daemon mode
– tests: classify the api testing system
– nft: fix filter table regeneration after farms flush
– tests: new api specific testing system
– server: fix rules deletion when deleting a backend
– backends: fix free of default macro defined log prefix
– nft: fix mark print output in backends map
– src: add support of log prefix
– tests: fix test nft output with the latest changes
– backends: add support of source address per backend
– readme: update rst rtlimit burst option
nftlb 0.5 (4 Jun 2019)
https://github.com/Skudonet/nftlb/releases/tag/v0.5
– farms: support of security policies for ingress modes
– backends: support of backend port natting
– backends: support of connection limits per backend
– nft: rewrite meters with stateful sets for limits
– server: support of Expect 100-Continue in PUT requests
– server: fix content length management to gather the request
– improve backends availability accounting
nftlb 0.4 (18 Mar 2019)
https://github.com/Skudonet/nftlb/releases/tag/v0.4
New features
– farms: add persistence between client and backend during a timeout
– policies: support of security policies per virtual service
– farms: support of queuing packets to userspace per service
– farms: support of tcp flow validation per service
– farms: support of max established connections per virtual service per source address
– farms: support of tcp resets per second allowed per virtual service per source address
– farms: support of new connections limit per second per virtual service and optional burst
– farms: add configurable hashing parameters
– src: support of delete all farms at once
Improvements
– nft: refactor farm rules generation code
– server: add long body support
– config: parsing json values hardening
– nft: fix helpers rules according to protocol
– readme: update the new parameter tcp-strict to avoid bogus tcp attacks
– farms: enable mac discovery for stateless dnat
– main: hide the key parameter when the process is running for security reasons
– nft: separate services by interface name for ingress modes
– farms: force the network data reload when changing the virtual ip
– farm: set masquerade if source addr is empty
– nft: add prerouting filter chain for marking and helpers
– buffer: remove debug messages
– farm: set default scheduler parameter for hash algorithm only
– config: use string keys as much as possible
– readme: add stateless nat mode option
– tests: allow launch of one single test without service
– buffer: fix code indentation
– backends: only actionable if the backend is available
– backends: declare actionable functions
– buffer: support of scalable buffer
– backends: enable restart of backends after configuration
– nft: apply reset action per farm and backends
– nft: generalize actions for add or deletion postrouting elements
– farms: rename farm source-addr attribute instead of src-addr
– config: print marks in hex format
– tests: support to launch tests through web api
– build: move -lev to LDADD
– build: move preprocessor flags to CPPFLAGS
Bugfixes
– config: return error when an object has not been selected
– backends: avoid go to config_error after setting dnat ip addresses
– nft: fix stateless dnat rules when the input and output interfaces are different
– nft: fix service name for stateless nat
– backend: fix backend validation during automated mac address request
– network: protect double free in handle
– server: fix double free segfault
– backends: fix backend validation when applying dsr mode
– farms: strim virtual interfaces for ingress chains
– nft: fix add element filter rules in reload
– nft: fix stateless dnat rules actions
– nft: avoid the use of filter chain and backend marks for ingress
– nft: avoid empty rules in filter chain when there is no backends
– backends: apply reload if changing the state of a backend
– nft: fix skb mark insertion from ct mark in filter chain
– nft: fix flush and delete chain filter
– nft: fix delete filter service and chain
– nft: fix delete elements from filter chain
– nft: avoid rules generation if there is no backend available
– backends: fix backend availability for ingress modes
– logs: fix set log level at startup
– objects: avoid buffer copy overlap
– buffer: fix typo in error message
– backends: fix backend going down
– Remove config.h file from .gitignore
– src: fix string copy sizes
– src: add a cleanup parsing structure to avoid null objects references
– config: fix farm mark json dump
– server: fix parse input body that produces buffer parsing error
nftlb 0.3 (15 Nov 2018)
https://github.com/Skudonet/nftlb/releases/tag/v0.3
This release is integrated in kubernetes as kube-nftlb https://github.com/Skudonet/kube-nftlb
New features
– network: generalize netlink request to ask for routing data
– farms: new mode stateless dnat
– farms: add l7 helpers support
– farms: add input logging support
– farms: support of farm renaming with the ‘newname’ attribute
– farms: add mark flow support per virtual service
– nft: add flow mark per backend and farm using masks
– src: add custom source ip address configuration instead of masquerading
Improvements
– events: generalize event loop
– farms: include new attributes for interface and mac address management
– network: add support to interoperate with some network discovery functions
– src: refactorization and api simplification
– events: generalize netlink event for dsr
– farms: make dsr counter global
– backends: include a new backend state config_error
– src: silent fallthrough warning
– backends: ensure the backends list is empty when configuring the
output interface
– farms: validate and rulerize per farm
– config: avoid to print auto-generated information of a farm
– farms: validate and check the farm status before rulerize
– server: expand the server buffer data
– readme: add new examples
– tests: improve diff output format
– nft: improve modularization of nft rules generation
– server: set SO_REUSEADDR socket flag
– main: initial signal handler skeleton
– server: add struct nftlb_client
– server: add struct nftlb_http_state
– server: add nftlb_http_send_response()
– server: add body response field to struct nftlb_http_state
– src: do no use EXIT_{SUCCESS,FAILURE}
– server: statify objects that are only used from server.c
– server: remove unnecessary definitions
Bugfixes
– config: dump configuration with indented JSON
– nft: fix dsr rules to set the mac address instead of matching
– backend: fix update backend status when switching from down to up
– nft: avoid add rules if no backends are available
– objects: set right initial state for farms and backends
– farms: fix start-stop actions
– backends: input validation for net_get_neigh_ether()
– nft: fix stateless nat backend to client rule
– nft: fix udp ipv6 services name
– server: fix some web server memory leaks
– tests: fix some tests cases
nftlb 0.2 (14 May 2018)
https://github.com/Skudonet/nftlb/releases/tag/v0.2
– 3 topologies supported: Destination NAT, Source NAT and Direct
Server Return. This enables the load balancer to be setup in
one-armed and two-armed network architectures.
– support for both IPv4 and IPv6 families.
– multilayer capabilities: MAC based LB in layer 2, IP based LB
with protocol-agnostic at layer 3, and support of UDP, TCP and
SCTP LB at layer 4.
– multiport support for ranges and lists of ports.
– support of multiple virtual services setup.
– schedulers available: weight, round robin, hash and symmetric
hash.
– priority support per backend.
– JSON API service for monitoring, automation and management.
– web service authentication with a security key.
– automated testbed.
nftlb 0.1 (27 Feb 2018)
– Initial version
