nftables 0.9.3 packet filter release

The nftables 0.9.3 packet filter release has been published. nftables is being developed as a replacement for iptables, ip6tables, arptables and ebtables, unifying the packet filtering interfaces for IPv4, IPv6, ARP and network bridges. The nftables package contains the user-space components of the packet filter, while the kernel side is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel changes needed by the new features of nftables 0.9.3 are included in the upcoming Linux 5.5 branch.

At the kernel level, only a generic, protocol-independent interface is provided, with basic operations for extracting data from packets, acting on that data, and controlling flow. The filtering logic itself and the protocol-specific handlers are compiled in user space into bytecode; this bytecode is then loaded into the kernel over the Netlink interface and executed in a special virtual machine reminiscent of BPF (Berkeley Packet Filter). This approach significantly reduces the amount of filtering code running at the kernel level and moves rule parsing and all protocol-handling logic into user space.

Main innovations:

  • Support for matching packets by time. A rule can be restricted to a date and time range, to a range of hours, or to individual days of the week. A new "-T" option prints time values as seconds since the epoch.

    meta time "2019-12-24 16:00" - "2020-01-02 7:00"
    meta hour "17:00" - "19:00"
    meta day "Fri"

  • Support for restoring and saving SELinux marks (secmark).

    ct secmark set meta secmark
    meta secmark set ct secmark

  • Support for synproxy maps, which allow more than one synproxy configuration to be selected per rule depending on the backend.

    table ip foo {
        synproxy https-synproxy {
            mss 1460
            wscale 7
            timestamp sack-perm
        }

        synproxy other-synproxy {
            mss 1460
            wscale 5
        }

        chain pre {
            type filter hook prerouting priority raw; policy accept;
            tcp dport 8888 tcp flags syn notrack
        }

        chain bar {
            type filter hook forward priority filter; policy accept;
            ct state invalid,untracked synproxy name ip saddr map { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" }
        }
    }

  • Ability to dynamically delete set elements from within packet processing rules.

    nft add rule … delete @set5 { ip6 saddr . ip6 daddr }

  • Support for matching the VLAN ID and VLAN protocol carried in the input bridge port's metadata.

    meta ibrpvid 100
    meta ibrvproto vlan

  • The "-t" ("--terse") option omits set elements when listing rules. "nft -t list ruleset" outputs:

    table ip x {
        set y {
            type ipv4_addr
        }
    }

    And with "nft list ruleset":

    table ip x {
        set y {
            type ipv4_addr
            elements = { 192.168.10.2, 192.168.20.1,
                         192.168.4.4, 192.168.2.34 }
        }
    }

  • Ability to bind a netdev chain to more than one device (requires kernel 5.5), so that common filtering rules are shared between interfaces.

    add table netdev x
    add chain netdev x y { \
        type filter hook ingress devices = { eth0, eth1 } priority 0; \
    }

  • A new "nft describe" command that prints a description of a data type.

    # nft describe ipv4_addr
    datatype ipv4_addr (IPv4 address) (basetype integer), 32 bits

  • Ability to build the interactive CLI against the linenoise library instead of libreadline.

    ./configure --with-cli=linenoise
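The time-matching and multi-device netdev features above are easiest to see in a complete ruleset. The following file is an added example, not part of the release announcement or the nftables project: it restricts management SSH to an admin set during a weekday business-hours window, logs and drops attempts outside it, opens a one-off maintenance window for a monitoring host, and binds one ingress chain to two devices. The interface names, the 10.0.0.0/24 addresses, the day and hour windows and the log prefixes are constructed placeholders; it assumes nftables 0.9.3 on a Linux 5.5 kernel.

```nft
#!/usr/sbin/nft -f
# Added example ruleset, not from the release announcement. Assumes nftables
# 0.9.3 on a Linux 5.5 kernel; eth0/eth1, the 10.0.0.0/24 hosts and the
# maintenance window are constructed placeholders.

flush ruleset

# One ingress chain bound to two devices at once (the multi-device netdev
# chain added in this release; needs kernel 5.5).
table netdev early {
    chain ingress {
        type filter hook ingress devices = { eth0, eth1 } priority 0; policy accept;
        # Loopback-sourced packets never belong on the wire: drop them before conntrack
        ip saddr 127.0.0.0/8 counter drop
    }
}

table inet filter {
    set admins {
        type ipv4_addr
        elements = { 10.0.0.10, 10.0.0.11 }   # constructed management hosts
    }

    chain input {
        type filter hook input priority filter; policy drop;

        ct state established,related accept
        ct state invalid counter drop
        iif "lo" accept

        # No management SSH at all on weekends: count and log for review, then drop
        tcp dport 22 meta day "Saturday" counter log prefix "nft-ssh-offhours " drop
        tcp dport 22 meta day "Sunday" counter log prefix "nft-ssh-offhours " drop

        # Weekday SSH only from the admin set and only during business hours (host local time)
        tcp dport 22 ip saddr @admins meta hour "08:00" - "18:00" accept

        # Anything else aimed at SSH (wrong source or outside the window) is logged and dropped
        tcp dport 22 counter log prefix "nft-ssh-offhours " drop

        # A one-off maintenance window: the monitoring host may reach HTTP only between these times
        ip saddr 10.0.0.20 tcp dport 80 meta time "2020-01-04 22:00" - "2020-01-05 02:00" accept
    }
}
```

Check the file without loading it with "nft -c -f ruleset.nft"; once loaded, "nft -t list ruleset" shows the chains without the admins set's elements and "nft -T list ruleset" prints the meta time bounds as epoch seconds. The hour and day matches are converted to the host's local timezone when the ruleset is loaded, so a timezone or DST change on the firewall host calls for a reload.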

Source: opennet.ru
