nftables 0.9.5 packet filter release

The packet filter release nftables 0.9.5 has been published. nftables is being developed as a replacement for iptables, ip6tables, arptables and ebtables, unifying the packet filtering interfaces for IPv4, IPv6, ARP and network bridges. The nftables package contains the packet filter components that run in user space, while the kernel side is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel changes required for nftables 0.9.5 to work are included in Linux 5.7.

At the kernel level only a generic, protocol-independent interface is provided, offering basic primitives for extracting data from packets, performing operations on that data and controlling flow. The filtering rules themselves and the protocol-specific handlers are compiled in user space into bytecode, which is then loaded into the kernel over the Netlink interface and executed by a special virtual machine resembling BPF (Berkeley Packet Filter). This approach significantly reduces the amount of filtering code running at the kernel level and moves all rule parsing and protocol-handling logic into user space.

Main innovations:

  • Added support for packet and byte counters attached to set elements. Counters are enabled with the "counter" keyword in the set definition; each element then accumulates its own packets/bytes count:

    table ip x {
        set y {
            typeof ip saddr
            counter
            elements = { 192.168.10.35, 192.168.10.101, 192.168.10.135 }
        }

        chain z {
            type filter hook output priority filter; policy accept;
            ip daddr @y
        }
    }

  • To set initial values for the counters, for example to restore the values accumulated before a restart, the elements can be listed together with their counter values in a ruleset file that is loaded with "nft -f":

    # cat ruleset.nft
    table ip x {
        set y {
            typeof ip saddr
            counter
            elements = { 192.168.10.35 counter packets 1 bytes 84, 192.168.10.101 \
                         counter packets 0 bytes 0, 192.168.10.135 counter packets 0 bytes 0 }
        }

        chain z {
            type filter hook output priority filter; policy accept;
            ip daddr @y
        }
    }
    # nft -f ruleset.nft
    # nft list ruleset
    table ip x {
        set y {
            typeof ip saddr
            counter
            elements = { 192.168.10.35 counter packets 1 bytes 84, 192.168.10.101 \
                         counter packets 0 bytes 0, 192.168.10.135 counter packets 0 bytes 0 }
        }

        chain z {
            type filter hook output priority filter; policy accept;
            ip daddr @y
        }
    }
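    The following shell script is an added example and is not part of the release notes or of the nftables project. It reads a set listing like the one above (a sample listing constructed in that format is embedded; on a live system feed it the output of "nft list set ip x y" instead) and reports the elements whose packet counter is still zero, which is a quick way to find allowlist entries that have never been used. The table and set names "x" and "y" are taken from the example above; the sample counter values are made up.

```sh
# Added example, not from the nftables release notes: read the output of
# "nft list set ip x y" for a set that carries per-element counters and report
# which elements have never matched, e.g. to spot stale allowlist entries.
# SAMPLE_SET_LISTING is constructed in the format nft prints; on a live host
# pipe the real listing in instead:  nft list set ip x y | element_counters

SAMPLE_SET_LISTING='table ip x {
    set y {
        typeof ip saddr
        counter
        elements = { 192.168.10.35 counter packets 1 bytes 84, 192.168.10.101
                     counter packets 0 bytes 0, 192.168.10.135 counter packets 7 bytes 588 }
    }
}'

# element_counters: print "element packets bytes", one line per set element.
# The elements block is joined onto one line first because nft wraps long lists.
element_counters() {
    awk '
        /elements = \{/ { inel = 1 }
        inel { buf = buf " " $0 }
        inel && /\}/ { inel = 0 }
        END {
            sub(/.*elements = \{/, "", buf)
            sub(/\}.*/, "", buf)
            n = split(buf, items, ",")
            for (i = 1; i <= n; i++) {
                # per element: <element> counter packets <N> bytes <M>
                m = split(items[i], f, " ")
                if (m >= 6 && f[2] == "counter") print f[1], f[4], f[6]
            }
        }'
}

# unused_elements: elements whose packet counter is still zero.
unused_elements() {
    element_counters | awk '$2 == 0 { print $1 }'
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_SET_LISTING" | element_counters
printf '%s\n' "$SAMPLE_SET_LISTING" | unused_elements
```

    Because "nft list ruleset" prints the current counter values, saving that output to the file loaded with "nft -f" at boot is enough to carry the counters across a restart; "nft -s list ruleset" prints the same ruleset without the stateful values.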

  • Counter support has also been added to flowtables, so that traffic offloaded to the flowtable fast path still updates the conntrack counters of the flow:

    table ip foo {
        flowtable bar {
            hook ingress priority -100
            devices = { eth0, eth1 }
            counter
        }

        chain forward {
            type filter hook forward priority filter;
            flow add @bar counter
        }
    }

    The per-flow counters of offloaded connections (marked [OFFLOAD]) can be viewed with "conntrack -L":

    tcp 6 src=192.168.10.2 dst=10.0.1.2 sport=47278 dport=5201 packets=9 bytes=608 \
        src=10.0.1.2 dst=10.0.1.1 sport=5201 dport=47278 packets=8 bytes=428 [OFFLOAD] mark=0 \
        secctx=null use=2
    tcp 6 src=192.168.10.2 dst=10.0.1.2 sport=47280 dport=5201 \
        packets=1005763 bytes=44075714753 src=10.0.1.2 dst=10.0.1.1 sport=5201 dport=47280 \
        packets=967505 bytes=50310268 [OFFLOAD] mark=0 secctx=null use=2

  • In sets of concatenations (tuples that combine, for instance, an address and a port so that both are matched in a single lookup), the "typeof" directive can now be used to derive the data type of each component of the set elements from the expression being matched:

    table ip foo {
        set whitelist {
            typeof ip saddr . tcp dport
            elements = { 192.168.10.35 . 80, 192.168.10.101 . 80 }
        }

        chain bar {
            type filter hook prerouting priority filter; policy drop;
            ip daddr . tcp dport @whitelist accept
        }
    }

  • The "typeof" directive now also applies to maps whose keys are concatenations:

    table ip foo {
        map addr2mark {
            typeof ip saddr . tcp dport : meta mark
            elements = { 192.168.10.35 . 80 : 0x00000001,
                         192.168.10.135 . 80 : 0x00000002 }
        }

        chain bar {
            type filter hook prerouting priority filter; policy drop;
            meta mark set ip daddr . tcp dport map @addr2mark accept
        }
    }

  • Added support for ranges inside concatenations in anonymous (unnamed) sets:

    # nft add rule inet filter input ip daddr . tcp dport \
        { 10.0.0.0/8 . 10-23, 192.168.1.1-192.168.3.8 . 80-443 } accept

  • Added the ability to reject 802.1Q (VLAN) tagged packets in the bridge family, here with a TCP reset:

    # nft add rule bridge foo bar ether type vlan reject with tcp reset

  • Added support for matching on the conntrack entry ID ("ct id"). The ID of an entry can be obtained with the "--output id" option of conntrack:

    # conntrack -L --output id
    udp 17 18 src=192.168.2.118 dst=192.168.2.1 sport=36424 dport=53 packets=2 \
    bytes=122 src=192.168.2.1 dst=192.168.2.118 sport=53 dport=36424 packets=2 bytes=320 \
    [ASSURED] mark=0 use=1 id=2779986232

    # nft add rule foo bar ct id 2779986232 counter
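
    As an added example (not the release notes' own code), the following shell script parses "conntrack -L" output like that shown above for both of the features just described: it totals the byte counters of flows the flowtable has offloaded, and it looks up the id of a given flow so that it can be matched with "ct id". The conntrack lines are constructed samples in the format conntrack prints; the table and chain "inet filter input" in the generated commands are assumptions to be replaced with those of the local ruleset.

```sh
# Added example, not part of the nftables release notes: parse "conntrack -L"
# output to (1) total the counters of flows the flowtable has offloaded and
# (2) find the conntrack id of a flow so it can be matched with "ct id".
# SAMPLE_CT is constructed in the format conntrack prints; on a live host use
#   conntrack -L --output id | ct_parse
SAMPLE_CT='tcp      6 431999 ESTABLISHED src=192.168.10.2 dst=10.0.1.2 sport=47278 dport=5201 packets=9 bytes=608 src=10.0.1.2 dst=10.0.1.1 sport=5201 dport=47278 packets=8 bytes=428 [OFFLOAD] mark=0 use=2 id=1859627011
tcp      6 431999 ESTABLISHED src=192.168.10.2 dst=10.0.1.2 sport=47280 dport=5201 packets=1005763 bytes=44075714753 src=10.0.1.2 dst=10.0.1.1 sport=5201 dport=47280 packets=967505 bytes=50310268 [OFFLOAD] mark=0 use=2 id=3220485137
udp      17 18 src=192.168.2.118 dst=192.168.2.1 sport=36424 dport=53 packets=2 bytes=122 src=192.168.2.1 dst=192.168.2.118 sport=53 dport=36424 packets=2 bytes=320 [ASSURED] mark=0 use=1 id=2779986232'

# ct_parse: one line per entry:
#   proto orig_src orig_dst orig_dport orig_bytes reply_bytes offloaded id
# Fields are located by key=value rather than by position, because the state
# and timeout columns vary between protocols. The first occurrence of a key
# belongs to the original direction, the second to the reply direction.
ct_parse() {
    awk '
    {
        split("", v); off = 0; id = "-"
        for (i = 1; i <= NF; i++) {
            if ($i == "[OFFLOAD]") { off = 1; continue }
            p = index($i, "=")
            if (p == 0) continue
            k = substr($i, 1, p - 1); val = substr($i, p + 1)
            if (k == "id") { id = val; continue }
            if (k in v) v["r_" k] = val; else v[k] = val
        }
        print $1, v["src"], v["dst"], v["dport"], v["bytes"], v["r_bytes"], off, id
    }'
}

# ct_offloaded_bytes: flows the flowtable fast path is handling, with the
# sum of both directions' byte counters ("%.0f" avoids exponent notation).
ct_offloaded_bytes() {
    ct_parse | awk '$7 == 1 { printf "%s %s %s %.0f\n", $2, $3, $4, $5 + $6 }'
}

# ct_id_for DST DPORT: conntrack ids of entries towards that destination/port.
ct_id_for() {
    ct_parse | awk -v d="$1" -v p="$2" '$3 == d && $4 == p && $8 != "-" { print $8 }'
}

# ct_id_rules DST DPORT: print (do not run) nft commands that count packets of
# exactly those entries. "inet filter input" is an assumed table/chain; an id
# only identifies the entry while it exists, so such rules should be short-lived.
ct_id_rules() {
    ct_id_for "$1" "$2" | while read -r id; do
        echo "nft add rule inet filter input ct id $id counter"
    done
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_CT" | ct_offloaded_bytes
printf '%s\n' "$SAMPLE_CT" | ct_id_rules 192.168.2.1 53
```

    The key=value parsing is deliberate: the fixed columns at the start of a conntrack line (protocol number, timeout, TCP state) differ between TCP and UDP entries, as the two listings in this article show, so positional field numbers would break on mixed output.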

Source: opennet.ru