nftables 1.0.3 packet filter release

The nftables 1.0.3 packet filter release has been published. nftables unifies the packet filtering interfaces for IPv4, IPv6, ARP and network bridges and is aimed at replacing iptables, ip6tables, arptables and ebtables. The kernel-side changes that nftables 1.0.3 depends on are included in Linux 5.18.

The nftables package contains the packet filter components that run in user space; the kernel side is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel exposes only a generic, protocol-independent interface with basic primitives for extracting data from packets, operating on that data, and controlling flow.

The filtering rules themselves and the protocol-specific handlers are compiled in user space into bytecode, which is then loaded into the kernel over the Netlink interface and executed there by a special virtual machine resembling BPF (Berkeley Packet Filter). This approach significantly reduces the amount of filtering code running at the kernel level and moves all rule parsing and protocol-handling logic into user space.

Main innovations:

  • Set-lists now support matching network interface names by a mask, with the wildcard given by the "*" character. For example:

      table inet testifsets {
          set simple_wild {
              type ifname
              flags interval
              elements = { "abcdef*", "othername", "ppp0" }
          }

          chain v4icmp {
              type filter hook input priority 0; policy accept;
              iifname @simple_wild counter packets 0 bytes 0
              iifname { "abcdef*", "eth0" } counter packets 0 bytes 0
          }
      }
  • Intersecting set-list elements are now merged automatically at run time. Previously, with the "auto-merge" option set, merging happened only when the rules were declared; now it also happens when new elements are added incrementally. For example, at declaration time the set

      set y {
          flags interval
          auto-merge
          elements = { 1.2.3.0, 1.2.3.255, 1.2.3.0/24, 3.3.3.3, 4.4.4.4,
                       4.4.4.4-4.4.4.8, 3.3.3.4, 3.3.3.5 }
      }

    becomes

      elements = { 1.2.3.0/24, 3.3.3.3-3.3.3.5, 4.4.4.4-4.4.4.8 }

    and if new elements are then added with

      # nft add element ip x y { 1.2.3.0-1.2.4.255, 3.3.3.6 }

    the set becomes

      elements = { 1.2.3.0-1.2.4.255, 3.3.3.3-3.3.3.6, 4.4.4.4-4.4.4.8 }

    When you remove individual items from the list that fall within existing ranged items, the range is reduced or split.

  • The rule optimizer, invoked with the "-o/--optimize" option, can now combine several address translation (NAT) rules into a single map lookup. For example, given the ruleset

      # cat ruleset.nft
      table ip x {
          chain y {
              type nat hook postrouting priority srcnat; policy drop;
              ip saddr 1.1.1.1 tcp dport 8000 snat to 4.4.4.4:80
              ip saddr 2.2.2.2 tcp dport 8001 snat to 5.5.5.5:90
          }
      }

    running "nft -o -c -f ruleset.nft" (check mode, nothing is loaded) converts the separate "ip saddr" rules into one map-based rule:

      snat to ip saddr . tcp dport map { 1.1.1.1 . 8000 : 4.4.4.4 . 80, 2.2.2.2 . 8001 : 5.5.5.5 . 90 }

    Similarly, rules built from raw expressions can be converted into a verdict map:

      # cat ruleset.nft
      table ip x {
          […]
          chain nat_dns_acme {
              udp length 47-63 @th,160,128 0x0e373135363130333131303735353203 goto nat_dns_dnstc
              udp length 62-78 @th,160,128 0x0e31393032383939353831343037320e goto nat_dns_this_5301
              udp length 62-78 @th,160,128 0x0e31363436323733373931323934300e goto nat_dns_saturn_5301
              udp length 62-78 @th,160,128 0x0e32393535373539353636383732310e goto nat_dns_saturn_5302
              udp length 62-78 @th,160,128 0x0e38353439353637323038363633390e goto nat_dns_saturn_5303
              drop
          }
      }

    After optimization this becomes:

      udp length . @th,160,128 vmap { 47-63 . 0x0e373135363130333131303735353203 : goto nat_dns_dnstc,
                                      62-78 . 0x0e31393032383939353831343037320e : goto nat_dns_this_5301,
                                      62-78 . 0x0e31363436323733373931323934300e : goto nat_dns_saturn_5301,
                                      62-78 . 0x0e32393535373539353636383732310e : goto nat_dns_saturn_5302,
                                      62-78 . 0x0e38353439353637323038363633390e : goto nat_dns_saturn_5303 }

  • Raw expressions may now be used in concatenations. For example:

      # nft add rule x y ip saddr . @ih,32,32 { 1.1.1.1 . 0x14, 2.2.2.2 . 0x1e }

    or

      table x {
          set y {
              typeof ip saddr . @ih,32,32
              elements = { 1.1.1.1 . 0x14 }
          }
      }
  • Integer header fields can now be used in concatenations:

      table inet t {
          map m1 {
              typeof udp length . @ih,32,32 : verdict
              flags interval
              elements = { 20-80 . 0x14 : accept, 1-10 . 0xa : drop }
          }

          chain c {
              type filter hook input priority 0; policy drop;
              udp length . @ih,32,32 vmap @m1
          }
      }
  • Added support for resetting (clearing) TCP options; this requires Linux kernel 5.18 or later. Example:

      tcp flags syn reset tcp option sack-perm
  • Faster execution of chain listing commands ("nft list chain x y").
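To make the set-merging behaviour from the second item concrete, here is a small Python model of interval auto-merge for IPv4 elements. This is an added example, not nftables' own code: it reproduces the declaration-time merge and the incremental "nft add element" merge shown above, and then applies two constructed deletions (not from the release notes) to show a range being split and a range being shrunk. Printing a prefix-aligned range in CIDR notation follows the nft listing output shown above; the deletion semantics are a reading of the item's last sentence.

```python
"""Model of nftables interval-set auto-merge (added example, not nft's own code).

Elements are inclusive (lo, hi) integer intervals. Overlapping or adjacent
elements are coalesced, a range that aligns exactly to one prefix is printed
in CIDR form, elements added later are merged into existing ranges, and
deleting addresses inside a range shrinks or splits it.
"""
import ipaddress


def parse_element(text):
    """Turn 'a.b.c.d', 'a.b.c.d/n' or 'a.b.c.d-e.f.g.h' into an inclusive (lo, hi) pair."""
    text = text.strip()
    if "-" in text:
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in text.split("-", 1))
        return int(lo), int(hi)
    if "/" in text:
        net = ipaddress.IPv4Network(text, strict=False)
        return int(net.network_address), int(net.broadcast_address)
    addr = int(ipaddress.IPv4Address(text))
    return addr, addr


def merge(intervals):
    """Coalesce overlapping and adjacent (lo, hi) pairs: the auto-merge step."""
    merged = []
    for lo, hi in sorted(intervals):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def add_elements(intervals, texts):
    """Incremental 'nft add element': new elements are merged into the existing ranges."""
    return merge(list(intervals) + [parse_element(t) for t in texts])


def delete_elements(intervals, texts):
    """Incremental 'nft delete element': remove addresses, shrinking or splitting ranges."""
    result = list(intervals)
    for text in texts:
        dlo, dhi = parse_element(text)
        kept = []
        for lo, hi in result:
            if dhi < lo or dlo > hi:       # no overlap: keep the element untouched
                kept.append((lo, hi))
                continue
            if lo < dlo:                   # keep the part below the deleted span
                kept.append((lo, dlo - 1))
            if hi > dhi:                   # keep the part above the deleted span
                kept.append((dhi + 1, hi))
        result = kept
    return result


def render(intervals):
    """Format elements the way nft lists them: single address, prefix, or lo-hi range."""
    out = []
    for lo, hi in intervals:
        lo_a, hi_a = ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)
        if lo == hi:
            out.append(str(lo_a))
            continue
        nets = list(ipaddress.summarize_address_range(lo_a, hi_a))
        if len(nets) == 1:                 # the range is exactly one prefix
            out.append(str(nets[0]))
        else:
            out.append(f"{lo_a}-{hi_a}")
    return "elements = { " + ", ".join(out) + " }"


def declared_set():
    """The declaration-time merge of the elements listed in the release notes."""
    return merge(parse_element(t) for t in
                 ["1.2.3.0", "1.2.3.255", "1.2.3.0/24", "3.3.3.3", "4.4.4.4",
                  "4.4.4.4-4.4.4.8", "3.3.3.4", "3.3.3.5"])


if __name__ == "__main__":
    s = declared_set()
    print(render(s))                       # 1.2.3.0/24, 3.3.3.3-3.3.3.5, 4.4.4.4-4.4.4.8
    s = add_elements(s, ["1.2.3.0-1.2.4.255", "3.3.3.6"])
    print(render(s))                       # 1.2.3.0-1.2.4.255, 3.3.3.3-3.3.3.6, 4.4.4.4-4.4.4.8
    # Constructed deletions: 3.3.3.4 splits its range, 4.4.4.4 shrinks its range.
    s = delete_elements(s, ["3.3.3.4", "4.4.4.4"])
    print(render(s))
```

The merge step treats adjacent elements (3.3.3.3, 3.3.3.4, 3.3.3.5) the same as overlapping ones, which is what turns three single addresses into the 3.3.3.3-3.3.3.5 range shown in the notes; a reviewer of a live ruleset should keep in mind that a range listed by nft may therefore be wider than any single element that was ever added.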
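The wildcard matching in the first item relies on the set carrying "flags interval". The following Python model, added here and not taken from nftables, shows how a prefix pattern such as "abcdef*" can be served by an interval set: interface names are treated as fixed-width, NUL-padded byte strings, and the wildcard becomes a range of keys from the prefix padded with 0x00 up to the prefix padded with 0xff, while plain names stay exact matches. The 16-byte width is the Linux IFNAMSIZ constant; that nft represents wildcards with exactly this encoding is an assumption made for illustration.

```python
"""Model of interface-name wildcard matching with an interval set
(added example, not nft's own code; the byte-range encoding is assumed).

A name is NUL-padded to IFNAMSIZ bytes and read as a big-endian integer.
"abcdef*" then corresponds to the inclusive key interval
[ "abcdef" + 10 x 0x00 , "abcdef" + 10 x 0xff ], so a plain range lookup
answers "does this name start with abcdef?".
"""

IFNAMSIZ = 16   # Linux interface name buffer size, including the trailing NUL


def encode_ifname(name):
    """NUL-pad an interface name to IFNAMSIZ bytes and return it as an integer key."""
    raw = name.encode("ascii")
    if len(raw) >= IFNAMSIZ:
        raise ValueError(f"interface name too long: {name!r}")
    return int.from_bytes(raw.ljust(IFNAMSIZ, b"\x00"), "big")


def element_interval(element):
    """Translate one set element into an inclusive (lo, hi) key interval.

    "abcdef*" covers every name starting with "abcdef"; "ppp0" covers only "ppp0".
    """
    if element.endswith("*"):
        prefix = element[:-1].encode("ascii")
        pad = IFNAMSIZ - len(prefix)
        if pad <= 0:
            raise ValueError(f"wildcard prefix too long: {element!r}")
        lo = int.from_bytes(prefix + b"\x00" * pad, "big")
        hi = int.from_bytes(prefix + b"\xff" * pad, "big")
        return lo, hi
    key = encode_ifname(element)
    return key, key


def build_set(elements):
    """Sorted key intervals for a 'type ifname; flags interval' set."""
    return sorted(element_interval(e) for e in elements)


def matches(ifname_set, name):
    """True if the interface name falls inside any interval of the set."""
    key = encode_ifname(name)
    return any(lo <= key <= hi for lo, hi in ifname_set)


# The simple_wild set from the release notes.
SIMPLE_WILD = build_set(["abcdef*", "othername", "ppp0"])

if __name__ == "__main__":
    for name in ["abcdef0", "abcdefgh", "abcde", "ppp0", "ppp1", "othername", "eth0"]:
        verdict = "match" if matches(SIMPLE_WILD, name) else "no match"
        print(f"{name:10s} -> {verdict}")
```

Because the wildcard is a range over the padded name, "abcde" (shorter than the prefix) and "ppp1" fall outside every interval, while any name that begins with "abcdef", however long, falls inside the first one.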

Source: opennet.ru
