nftables 1.0.1 packet filter release

The release of packet filter nftables 1.0.1 has been published. nftables unifies the packet filtering interfaces for IPv4, IPv6, ARP and network bridges and is intended to replace iptables, ip6tables, arptables and ebtables. The kernel-side changes required by nftables 1.0.1 are included in Linux kernel 5.16-rc1.

The nftables package contains the user-space components of the packet filter, while the kernel side is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel exposes only a generic, protocol-independent interface with basic primitives for extracting data from packets, operating on that data, and controlling flow.

The filtering rules themselves and the protocol-specific handlers are compiled in user space into bytecode, which is then loaded into the kernel over the Netlink interface and executed there by a special virtual machine resembling BPF (Berkeley Packet Filter). This approach significantly reduces the amount of filtering code running at the kernel level and moves all rule parsing and protocol-handling logic into user space.

Main innovations:

  • Reduced memory consumption when loading large sets and maps.
  • Reloading of sets and maps has been accelerated.
  • Listing selected tables and chains from large rule sets has been accelerated. For example, “nft list ruleset” takes 3.049 seconds to display a rule set of 100,000 rules, while listing only the nat or filter table (“nft list table nat”, “nft list table filter”) takes 1.969 and 0.697 seconds respectively.
  • Queries with the “--terse” option have been accelerated when processing rules that reference large sets and maps.
  • Traffic can now be filtered in an “egress” chain of the netdev family, which is attached to the kernel's egress hook, i.e. at the stage when the driver receives a packet from the kernel network stack. The example below marks packets with a priority (traffic-control class) looked up from the source IP address:

        table netdev filter {
            chain egress {
                type filter hook egress devices = { eth0, eth1 } priority 0;
                meta priority set ip saddr map { 192.168.10.2 : abcd:2, 192.168.10.3 : abcd:3 }
            }
        }

  • Bytes in a packet's headers and payload can now be matched and modified at a given offset. In the raw payload expression “@ih,32,32”, “ih” is the inner header (the payload following the transport header), and the two numbers are the offset and length in bits; the first rule matches packets whose 32-bit field at bit offset 32 equals 0x14000000, the second rewrites that field to 0x14000000 (table x, chain y):

        # nft add rule x y @ih,32,32 0x14000000 counter
        # nft add rule x y @ih,32,32 set 0x14000000 counter
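The following is an added example, not code from the nftables project or the original article: a small Python model of the raw payload expression “@ih,OFFSET,LEN” used in the two commands above. It parses the expression, checks whether a constructed sample inner header would match the literal value the way the kernel compares it (network byte order), applies the “set” form to rewrite the field, and reproduces the command lines for given parameters. The payload bytes, table name “x” and chain name “y” are constructed sample values; the rule names are those shown on the page.

```python
"""Model of the nftables raw payload expression '@ih,OFFSET,LEN'.

Added example, not nftables project code. 'ih' is the inner header (the
payload after the transport header); OFFSET and LEN are in bits, and the
loaded bytes are compared with the literal in big-endian (network) order.
"""
import re

RAW_EXPR = re.compile(r"^@(ll|nh|th|ih),(\d+),(\d+)$")


def parse_raw_expr(expr: str) -> tuple:
    """Parse '@ih,32,32' into (base, byte_offset, byte_length).

    Only byte-aligned fields (offset and length that are multiples of 8)
    are modelled, which is what both commands on the page use.
    """
    m = RAW_EXPR.match(expr)
    if not m:
        raise ValueError(f"not a raw payload expression: {expr!r}")
    base, off_bits, len_bits = m.group(1), int(m.group(2)), int(m.group(3))
    if off_bits % 8 or len_bits % 8 or len_bits == 0:
        raise ValueError("only byte-aligned, non-empty fields are modelled")
    return base, off_bits // 8, len_bits // 8


def matches(payload: bytes, expr: str, value: int) -> bool:
    """Model of '@ih,32,32 0x14000000': does the field equal VALUE?

    A packet whose inner header is too short to contain the whole field
    does not match; the payload load fails, so the rule never fires.
    """
    _, off, length = parse_raw_expr(expr)
    if len(payload) < off + length:
        return False
    return int.from_bytes(payload[off:off + length], "big") == value


def set_field(payload: bytes, expr: str, value: int) -> bytes:
    """Model of '@ih,32,32 set 0x14000000': rewrite the field.

    Returns a new payload; a payload too short for the field is returned
    unchanged, and a value wider than the field is rejected.
    """
    _, off, length = parse_raw_expr(expr)
    if len(payload) < off + length:
        return payload
    if value >= 1 << (8 * length):
        raise ValueError("value does not fit in the field")
    return payload[:off] + value.to_bytes(length, "big") + payload[off + length:]


def nft_rule(table: str, chain: str, expr: str, value: int,
             set_value: bool = False) -> str:
    """Build the 'nft add rule' command line for the match or set form."""
    keyword = "set " if set_value else ""
    return f"nft add rule {table} {chain} {expr} {keyword}{value:#010x} counter"


# Constructed sample inner header: 4 leading bytes, then the 4-byte field
# at byte offset 4 (bit offset 32), then trailing data.
SAMPLE = bytes.fromhex("00112233" "14000000" "deadbeef")
# Constructed payload that is too short to hold the field at all.
SHORT = bytes.fromhex("00112233")


if __name__ == "__main__":
    print(nft_rule("x", "y", "@ih,32,32", 0x14000000))
    print(nft_rule("x", "y", "@ih,32,32", 0x14000000, set_value=True))
    print("sample matches:", matches(SAMPLE, "@ih,32,32", 0x14000000))
    print("short matches: ", matches(SHORT, "@ih,32,32", 0x14000000))
    print("after set:     ", set_field(SAMPLE, "@ih,32,32", 0x15000000).hex())
```

Running the script prints the two command lines from the page, shows that the sample payload matches while the short one does not, and shows the rewritten payload with the field replaced. The short-payload case is the one worth remembering when writing raw payload rules: a rule that reads beyond the end of a packet simply never matches, which is easy to mistake for a wrong offset.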

Source: opennet.ru
