nftables 1.0.0 packet filter release

The nftables 1.0.0 packet filter release has been published. nftables unifies the packet filtering interfaces for IPv4, IPv6, ARP and network bridges and aims to replace iptables, ip6tables, arptables and ebtables. The kernel-side changes required by nftables 1.0.0 are included in Linux 5.13. The jump in the major version number does not reflect any fundamental change; it simply continues the decimal numbering after the previous release, 0.9.9.

The nftables package contains the packet filter components that run in user space, while the kernel side is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel exposes only a generic, protocol-independent interface offering basic primitives for extracting data from packets, operating on that data, and controlling flow.

The filtering rules themselves and the protocol-specific handlers are compiled in user space into bytecode, which is then loaded into the kernel over the Netlink interface and executed there by a special virtual machine resembling BPF (Berkeley Packet Filter). This approach significantly reduces the amount of filtering code running at the kernel level and moves all rule parsing and protocol-handling logic into user space.

Main innovations:

  • Added support for the catch-all element "*" in sets and maps, which matches any packet that does not match the other elements defined in the set:

        table x {
            map blocklist {
                type ipv4_addr : verdict
                flags interval
                elements = { 192.168.0.0/16 : accept, 10.0.0.0/8 : accept, * : drop }
            }
            chain y {
                type filter hook prerouting priority 0; policy accept;
                ip saddr vmap @blocklist
            }
        }

  • Variables can now be defined from the command line using the "--define" option:

        # cat test.nft
        table netdev x {
            chain y {
                type filter hook ingress devices = $dev priority 0; policy drop;
            }
        }
        # nft --define dev="{ eth0, eth1 }" -f test.nft

  • Stateful expressions are allowed in maps:

        table inet filter {
            map portmap {
                type inet_service : verdict
                counter
                elements = { 22 counter packets 0 bytes 0 : jump ssh_input, * counter packets 0 bytes 0 : drop }
            }
            chain ssh_input {
            }
            chain wan_input {
                tcp dport vmap @portmap
            }
            chain prerouting {
                type filter hook prerouting priority raw; policy accept;
                iif vmap { "lo" : jump wan_input }
            }
        }

  • Added the "list hooks" command, which lists the netfilter hooks registered for a given protocol family:

        # nft list hooks ip device eth0
        family ip {
            hook ingress {
                +0000000010 chain netdev x y [nf_tables]
                +0000000300 chain inet m w [nf_tables]
            }
            hook input {
                -0000000100 chain ip a b [nf_tables]
                +0000000300 chain inet m z [nf_tables]
            }
            hook forward {
                -0000000225 selinux_ipv4_forward
                 0000000000 chain ip a c [nf_tables]
            }
            hook output {
                -0000000225 selinux_ipv4_output
            }
            hook postrouting {
                +0000000225 selinux_ipv4_postroute
            }
        }

  • Queue statements can be combined with the jhash, symhash and numgen expressions to distribute packets across user-space queues:

        ... queue to symhash mod 65536
        ... queue flags bypass to numgen inc mod 65536
        ... queue to jhash oif . meta mark mod 32

    "queue" can also be combined with maps to select the user-space queue based on arbitrary keys:

        ... queue flags bypass to oifname map { "eth0" : 0, "ppp0" : 2, "eth1" : 2 }

  • Variables holding a set can now be expanded into several map elements:

        define interfaces = { eth0, eth1 }
        table ip x {
            chain y {
                type filter hook input priority 0; policy accept;
                iifname vmap { lo : accept, $interfaces : drop }
            }
        }
        # nft -f x.nft
        # nft list ruleset
        table ip x {
            chain y {
                type filter hook input priority 0; policy accept;
                iifname vmap { "lo" : accept, "eth0" : drop, "eth1" : drop }
            }
        }

  • Verdict maps (vmap) can now combine concatenations with intervals:

        # nft add rule x y tcp dport . ip saddr vmap { 1025-65535 . 192.168.10.2 : accept }

  • Simplified map syntax for NAT. Address ranges are allowed:

        ... snat to ip saddr map { 10.141.11.4 : 192.168.2.2-192.168.2.4 }

    as are explicit IP addresses and ports:

        ... dnat to ip saddr map { 10.141.11.4 : 192.168.2.3 . 80 }

    and combinations of IP ranges and port ranges:

        ... dnat to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.2-10.141.10.5 . 8888-8999 }
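The new "list hooks" output is useful for auditing which code sits in the packet path: besides nftables chains it also shows hooks registered by other kernel modules (such as SELinux above), and the signed priority gives the order in which they run. The following parser is an added example, not part of the release notes or the nftables project; it works on a constructed listing shaped like the one shown above and flags hooks that nf_tables does not own.

```python
import re
from dataclasses import dataclass

# Constructed sample shaped like the "nft list hooks" output quoted in the
# release notes (not captured from a real host).
SAMPLE_HOOK_LISTING = """\
family ip {
    hook ingress {
        +0000000010 chain netdev x y [nf_tables]
        +0000000300 chain inet m w [nf_tables]
    }
    hook forward {
        -0000000225 selinux_ipv4_forward
         0000000000 chain ip a c [nf_tables]
    }
    hook output {
        -0000000225 selinux_ipv4_output
    }
}
"""

@dataclass(frozen=True)
class HookEntry:
    family: str
    hook: str
    priority: int   # signed; lower values run first within the same hook
    name: str       # "chain <family> <table> <chain>" or a kernel hook symbol
    owner: str      # "nf_tables", or "kernel" when no [owner] tag is printed

# "<signed priority> <name> [owner]" with the owner tag optional.
_ENTRY = re.compile(r"^([+-]?\d+)\s+(.+?)(?:\s+\[(\w+)\])?$")

def parse_list_hooks(text):
    """Parse 'nft list hooks' output into HookEntry records sorted by (hook, priority)."""
    entries, family, hook = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("family "):
            family = line.split()[1]
        elif line.startswith("hook "):
            hook = line.split()[1]
        elif hook is not None and (m := _ENTRY.match(line)):
            prio, name, owner = m.groups()
            entries.append(HookEntry(family, hook, int(prio), name, owner or "kernel"))
    return sorted(entries, key=lambda e: (e.hook, e.priority))

def foreign_hooks(entries):
    """Hooks not owned by nf_tables: something other than the ruleset handles packets there."""
    return [e for e in entries if e.owner != "nf_tables"]
```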

Source: opennet.ru
