The release of packet filter nftables 1.0.2 has been published, unifying packet filtering interfaces for IPv4, IPv6, ARP and network bridges (aimed at replacing iptables, ip6table, arptables and ebtables). The changes required for the nftables 1.0.2 release to work are included in the Linux kernel 5.17-rc.
The nftables package includes packet filter components that run in user space, while the kernel level is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. At the kernel level, only a generic protocol-independent interface is provided that provides basic functions for extracting data from packets, performing operations on data, and controlling flow.
The filtering rules themselves and protocol-specific handlers are compiled into user-space bytecode, after which this bytecode is loaded into the kernel using the Netlink interface and executed in the kernel in a special virtual machine resembling BPF (Berkeley Packet Filters). This approach makes it possible to significantly reduce the size of the filtering code running at the kernel level and move all the functions of parsing rules and the logic of working with protocols into user space.
Main innovations:
- A rules optimization mode has been added, enabled using the new "-o" ("--optimize") option, which can be combined with the "--check" option to check and optimize changes to the ruleset file without actually loading it. Optimization allows you to combine similar rules, for example, the rules: meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.5 accept ip saddr 1.1.1.1 ip daddr 2.2.2.2 accept ip saddr 2.2.2.2 ip daddr 3.3.3.3 drop
will be combined into meta iifname . ip saddr. ip daddr { eth1 . 1.1.1.1. 2.2.2.3, eth1 . 1.1.1.2. 2.2.2.5 } accept ip saddr . ip daddr vmap { 1.1.1.1 . 2.2.2.2 : accept, 2.2.2.2 . 3.3.3.3 : drop }
Example usage: # nft -c -o -f ruleset.test Merging: ruleset.nft:16:3-37: ip daddr 192.168.0.1 counter accept ruleset.nft:17:3-37: ip daddr 192.168.0.2 counter accept ruleset.nft:18:3-37: ip daddr 192.168.0.3 counter accept into: ip daddr { 192.168.0.1, 192.168.0.2, 192.168.0.3 } counter packets 0 bytes 0 accept
- The set lists implement the ability to specify ip and tcp options, as well as sctp chunks: set s5 { typeof ip option ra value elements = { 1, 1024 } } set s7 { typeof sctp chunk init num-inbound-streams elements = { 1, 4 } } chain c5 { ip option ra value @s5 accept } chain c7 { sctp chunk init num-inbound-streams @s7 accept }
- Added support for TCP options fastopen, md5sig and mptcp.
- Added support for using the mp-tcp subtype in mappings: tcp option mptcp subtype 1
- Improved kernel-side filtering code.
- Flowtable now has full support for the JSON format.
- The ability to use the βrejectβ action in Ethernet frame matching operations has been provided. ether saddr aa:bb:cc:dd:ee:ff ip daddr 192.168.0.1 reject
Source: opennet.ru