After a year of development packet filter release , which is developing as a replacement for iptables, ip6table, arptables and ebtables by unifying packet filtering interfaces for IPv4, IPv6, ARP and network bridges. The nftables package includes packet filter components that run in user space, while the kernel level is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13.
At the kernel level, only a generic protocol-independent interface is provided that provides basic functions for extracting data from packets, performing operations on data, and controlling flow.
The filtering logic itself and protocol-specific handlers are compiled into user-space bytecode, after which this bytecode is loaded into the kernel using the Netlink interface and executed in a special virtual machine reminiscent of BPF (Berkeley Packet Filters). This approach makes it possible to significantly reduce the size of the filtering code running at the kernel level and move all the functions of parsing rules and the logic of working with protocols into user space.
Main innovations:
- IPsec support, allowing mapping of tunnel addresses based on packet, IPsec request ID, and SPI (Security Parameter Index) tag. For example,
... ipsec in ip saddr 192.168.1.0/24
... ipsec in spi 1-65536It is also possible to check if a route passes through an IPsec tunnel. For example, to block non-IPSec traffic:
... filter output rt ipsec missing drop
- Support for IGMP (Internet Group Management Protocol). For example, to drop incoming IGMP membership requests, you can use the rule
nft add rule netdev foo bar igmp type membership-query counter drop
- Ability to use variables to define jump chains (jump / goto). For example:
define dest = ber
add rule ip foo bar jump $dest - Support for masks for identifying operating systems (OS Fingerprint) based on TTL values ββin the header. For example, to mark packages depending on the sender's OS, you can use the command:
... meta mark set osf ttl skip name map { "Linux" : 0x1,
"Windows": 0x2,
"MacOS" : 0x3,
"unknown" : 0x0 }
... osf ttl skip version "Linux:4.20" - Ability to map the ARP address of the sender to the IPv4 address of the target system. For example, to increase the counter of ARP packets sent from the address 192.168.2.1, you can use the rule:
table arp x {
chain y {
type filter hook input priority filter; policy accept;
arp saddr ip 192.168.2.1 counter packets 1 bytes 46
}
} - Support for transparent forwarding of requests through a proxy (tproxy). For example, to redirect requests to port 80 to proxy port 8080:
table ip x {
chain y {
type filter hook prerouting priority -150; policy accept;
tcp dport 80 tproxy to :8080
}
} - Support for marking sockets with the ability to later get the set label via setsockopt() in SO_MARK mode. For example:
table inet x {
chain y {
type filter hook prerouting priority -150; policy accept;
tcp dport 8080 mark set socket mark
}
} - Support for specifying text names of priorities for chains. For example:
nft add chain ip x raw { type filter hook prerouting priority raw; }
nft add chain ip x filter { type filter hook prerouting priority filter; }
nft add chain ip x filter_later { type filter hook prerouting priority filter + 10; } - Support for SELinux labels (Secmark). For example, to define the tag "sshtag" in relation to the SELinux context, you can run:
nft add secmark inet filter sshtag "system_u:object_r:ssh_server_packet_t:s0"
And then use this label in the rules:
nft add rule inet filter input tcp dport 22 meta secmark set "sshtag"
nft add map inet filter secmapping { type inet_service : secmark; }
nft add element inet filter secmapping { 22 : "sshtag" }
nft add rule inet filter input meta secmark set tcp dport map @secmapping - The ability to specify ports assigned to protocols in plain text, as defined in the /etc/services file. For example:
nft add rule xy tcp dport "ssh"
nft list ruleset -l
table x {
chain y {
...
tcp dport "ssh"
}
} - Ability to check the type of network interface. For example:
add rule inet raw prerouting meta iifkind "vrf" accept
- Improved support for dynamically updating the contents of sets by explicitly specifying the "dynamic" flag. For example, to update the set "s" with the addition of the source address and reset the entry if there are no packets for 30 seconds:
add table x
add set xs { type ipv4_addr; size 128; timeout 30s; flags dynamic; }
add chain xy { type filter hook input priority 0; }
add rule xy update @s { ip saddr } - Ability to set a separate timeout condition. For example, to override the default timeout for packets arriving on port 8888, you can specify:
table ip filter {
ct timeout aggressive-tcp {
protocol tcp;
l3proto ip;
policy = {established: 100, close_wait: 4, close: 4}
}
chain output {
...
tcp dport 8888 ct timeout set "aggressive-tcp"
}
} - NAT support for the inet family:
table inet nat {
...
ip6 daddr dead::2::1 dnat to dead:2::99
} - Improved reporting of errors due to typos:
nft add chain filter test
Error: No such file or directory; did you mean table "filter" in family ip?
add chain filter test
^^^^^^ - Ability to specify interface names in sets:
set sc {
type inet_service . ifname
elements = { "ssh" . "eth0" }
} - Updated syntax for flowtable rules:
nft add table x
nft add flowtable x ft { hook ingress priority 0; devices = { eth0, wlan0 }; }
...
nft add rule x forward ip protocol { tcp, udp } flow add @ft - Improved JSON support.
Source: opennet.ru