nftables 0.9.4 packet filter release

Packet filter release nftables 0.9.4 has been published. nftables is being developed as a replacement for iptables, ip6tables, arptables and ebtables, unifying the packet filtering interfaces for IPv4, IPv6, ARP and network bridges. The nftables package contains the packet filter components that run in user space, while the kernel side is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel-side changes required by nftables 0.9.4 are included in the upcoming Linux 5.6 kernel branch.

At the kernel level, only a generic, protocol-independent interface is provided, offering basic functions for extracting data from packets, performing operations on that data, and controlling flow. The filtering rules themselves and the protocol-specific handlers are compiled in user space into bytecode, which is then loaded into the kernel via the Netlink interface and executed there in a special virtual machine resembling BPF (Berkeley Packet Filter). This approach significantly reduces the amount of filtering code running at the kernel level and moves all rule parsing and protocol handling logic into user space.

Main innovations:

  • Support for ranges in concatenations (combinations of addresses and ports that simplify matching). For example, for a "whitelist" set whose elements are concatenations, the "interval" flag indicates that the set may contain ranges inside the concatenation (for the concatenation "ipv4_addr . ipv4_addr . inet_service" it was previously only possible to list exact matches such as "192.168.10.35 . 192.68.11.123 . 80"; now address ranges such as "192.168.10.35-192.168.10.40 . 192.68.11.123-192.168.11.125 . 80" can be specified):

    table ip foo {
        set whitelist {
            type ipv4_addr . ipv4_addr . inet_service
            flags interval
            elements = { 192.168.10.35-192.168.10.40 . 192.68.11.123-192.168.11.125 . 80 }
        }

        chain bar {
            type filter hook prerouting priority filter; policy drop;
            ip saddr . ip daddr . tcp dport @whitelist accept
        }
    }

  • In sets and maps it is now possible to use the "typeof" directive, which derives the element type from the expression that will be matched (for example "typeof ip saddr") instead of naming the data type explicitly. For example:

    table ip foo {
        set whitelist {
            typeof ip saddr
            elements = { 192.168.10.35, 192.168.10.101, 192.168.10.135 }
        }

        chain bar {
            type filter hook prerouting priority filter; policy drop;
            ip daddr @whitelist accept
        }
    }

    table ip foo {
        map addr2mark {
            typeof ip saddr : meta mark
            elements = { 192.168.10.35 : 0x00000001, 192.168.10.135 : 0x00000002 }
        }
    }

  • Added the ability to use concatenations in NAT mappings, which allows an address and a port to be specified together when defining NAT translations based on maps or named sets:

    nft add rule ip nat pre dnat ip addr . port to ip saddr map { 1.1.1.1 : 2.2.2.2 . 30 }

    nft add map ip nat destinations { type ipv4_addr . inet_service : ipv4_addr . inet_service\; }
    nft add rule ip nat pre dnat ip addr . port to ip saddr . tcp dport map @destinations
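    As an added illustration (not code from the nftables project or from the original article), the following Python model shows how the two concatenation features above decide a match: the interval set typed "ipv4_addr . ipv4_addr . inet_service" from the whitelist example, and an exact-match concatenation map as used by the dnat rule. The element strings reuse the page's own values; splitting on whitespace-surrounded dots is this model's simplification of nft syntax, the "destinations" entry is a constructed sample, and an inet_service component is assumed to be a plain integer port.

```python
import ipaddress
import re

# Constructed samples in nft element syntax: the page's whitelist element and
# one key/value pair for the "destinations" map ("addr . port : addr . port").
WHITELIST = ["192.168.10.35-192.168.10.40 . 192.68.11.123-192.168.11.125 . 80"]
DESTINATIONS = {"1.1.1.1 . 30": "2.2.2.2 . 30"}


def component_range(component):
    """One component: an IPv4 address or 'a-b' range, or a port or port range.
    Returns integer (lo, hi) bounds; a single value becomes the range [v, v]."""
    lo, _, hi = component.strip().partition("-")
    hi = hi or lo
    try:
        lo_v, hi_v = int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi))
    except ipaddress.AddressValueError:
        lo_v, hi_v = int(lo), int(hi)  # not an address: treat as inet_service (port)
    if lo_v > hi_v:
        raise ValueError(f"inverted range in component {component!r}")
    return lo_v, hi_v


def parse_element(element):
    """Split 'A . B . C' (dots surrounded by whitespace) into per-component ranges."""
    return [component_range(c) for c in re.split(r"\s+\.\s+", element.strip())]


def packet_key(saddr, daddr, dport):
    """Lookup key in the order of the rule 'ip saddr . ip daddr . tcp dport'."""
    return (int(ipaddress.IPv4Address(saddr)), int(ipaddress.IPv4Address(daddr)), dport)


def in_interval_set(elements, key):
    """A key is in a 'flags interval' set when, for some element, every
    component of the key lies inside that element's corresponding range."""
    for element in elements:
        ranges = parse_element(element)
        if len(ranges) != len(key):
            raise ValueError("concatenation arity does not match the set type")
        if all(lo <= v <= hi for (lo, hi), v in zip(ranges, key)):
            return True
    return False


def dnat_lookup(mapping, saddr, dport):
    """Lookup as in 'dnat ip addr . port to ip saddr . tcp dport map @destinations':
    returns the (new address, new port) pair, or None when no entry matches."""
    key = (int(ipaddress.IPv4Address(saddr)), dport)
    for k, v in mapping.items():
        if all(lo <= x <= hi for (lo, hi), x in zip(parse_element(k), key)):
            addr, port = parse_element(v)
            return str(ipaddress.IPv4Address(addr[0])), port[0]
    return None
```

The same element strings can be pasted into an nft "elements = { ... }" block unchanged; the model only shows which packets the kernel would consider a hit, it does not load anything.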

  • Support for hardware offload, which moves some filtering operations onto the network card. Offload is enabled with the ethtool utility ("ethtool -K eth0 hw-tc-offload on"), after which it is activated in nftables for the base chain using the "offload" flag. With the Linux 5.6 kernel, hardware offload is supported for matching header fields and the incoming interface, combined with the accept, drop, dup (duplicate) and fwd (forward) actions. In the example below, packets coming from the address 192.168.30.20 are dropped at the network card level without being passed to the kernel:

    # cat file.nft
    table netdev x {
        chain y {
            type filter hook ingress device eth0 priority 10; flags offload;
            ip saddr 192.168.30.20 drop
        }
    }
    # nft -f file.nft

  • Improved reporting of the location of an error within a rule.

    # nft delete rule ip yz handle 7
    Error: Could not process rule: No such file or directory
    delete rule ip yz handle 7
                   ^^

    # nft delete rule ip xx handle 7
    Error: Could not process rule: No such file or directory
    delete rule ip xx handle 7
                             ^

    # nft delete table twst
    Error: No such file or directory; did you mean table 'test' in family ip?
    delete table twst
                 ^^^^

    The first example shows that table 'yz' does not exist, the second that rule handle 7 does not exist, and the third gives a hint about a typo in the table name.

  • Added support for matching the slave interface by specifying "meta sdif" or "meta sdifname":

    ... meta sdifname vrf1 ...

  • Added support for left and right shift operations (lshift, rshift). For example, to shift the existing packet mark left by one bit and set the lowest bit to 1:

    … meta mark set meta mark lshift 1 or 0x1 …

  • Implemented the "-V" option to display extended version information:

    # nft -V
    nftables v0.9.4 (Jive at Five)
      cli:        readline
      json:       yes
      minigmp:    no
      libxtables: yes

  • Command line options must now be specified before commands. For example, "nft -a list ruleset" must be used; running "nft list ruleset -a" results in an error.

Source: opennet.ru
