nftables 1.0.6 packet filter release

The nftables 1.0.6 packet filter release has been published. nftables unifies the packet filtering interfaces for IPv4, IPv6, ARP and network bridges and is intended to replace iptables, ip6tables, arptables and ebtables. The nftables package contains the user-space components; the kernel side is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel exposes only a generic, protocol-independent interface with primitives for extracting data from packets, operating on that data and controlling the flow of evaluation.

The filtering rules and the protocol-specific handling are compiled in user space into bytecode, which is loaded into the kernel over the Netlink interface and executed there by a special virtual machine resembling BPF (Berkeley Packet Filter). This keeps the filtering code that runs at the kernel level small and moves rule parsing and all protocol-specific logic into user space.

Major changes:

  • The rule optimizer (enabled with the -o/--optimize option) now packs rules automatically by merging them and converting them into sets and maps of concatenations. For example, the rules

        # cat ruleset.nft
        table ip x {
                chain y {
                        type filter hook input priority filter; policy drop;
                        meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept
                        meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.4 accept
                        meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.3.0/24 accept
                        meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.4.0-2.2.4.10 accept
                        meta iifname eth1 ip saddr 1.1.1.3 ip daddr 2.2.2.5 accept
                }
        }

    are reported by "nft -o -c -f ruleset.nft" (check mode, so nothing is loaded yet) as merged into a single rule keyed on the concatenation of interface, source address and destination address:

        ruleset.nft:17:3-74: meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept
        ruleset.nft:18:3-74: meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.4 accept
        ruleset.nft:19:3-77: meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.3.0/24 accept
        ruleset.nft:20:3-83: meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.4.0-2.2.4.10 accept
        ruleset.nft:21:3-74: meta iifname eth1 ip saddr 1.1.1.3 ip daddr 2.2.2.5 accept
        into:
            iifname . ip saddr . ip daddr { eth1 . 1.1.1.1 . 2.2.2.3, eth1 . 1.1.1.2 . 2.2.2.4, eth1 . 1.1.1.2 . 2.2.3.0/24, eth1 . 1.1.1.2 . 2.2.4.0-2.2.4.10, eth1 . 1.1.1.3 . 2.2.2.5 } accept

    Prefixes (2.2.3.0/24) and ranges (2.2.4.0-2.2.4.10) survive as interval elements of the resulting set. Review the proposed merge with -c before loading the optimized ruleset without it.
  • The optimizer can also pack rules that already use anonymous sets into a more compact form. For example:

        # cat ruleset.nft
        table ip filter {
                chain input {
                        type filter hook input priority filter; policy drop;
                        iifname "lo" accept
                        ct state established,related accept comment "In traffic we originate, we trust"
                        iifname "enp0s31f6" ip saddr { 209.115.181.102, 216.197.228.230 } ip daddr 10.0.0.149 udp sport 123 udp dport 32768-65535 accept
                        iifname "enp0s31f6" ip saddr { 64.59.144.17, 64.59.150.133 } ip daddr 10.0.0.149 udp sport 53 udp dport 32768-65535 accept
                }
        }

    After "nft -o -c -f ruleset.nft" the two UDP rules are merged; the anonymous sets are expanded, so every source address becomes its own element of the concatenation:

        ruleset.nft:6:22-149: iifname "enp0s31f6" ip saddr { 209.115.181.102, 216.197.228.230 } ip daddr 10.0.0.149 udp sport 123 udp dport 32768-65535 accept
        ruleset.nft:7:22-143: iifname "enp0s31f6" ip saddr { 64.59.144.17, 64.59.150.133 } ip daddr 10.0.0.149 udp sport 53 udp dport 32768-65535 accept
        into:
            iifname . ip saddr . ip daddr . udp sport . udp dport { enp0s31f6 . 209.115.181.102 . 10.0.0.149 . 123 . 32768-65535, enp0s31f6 . 216.197.228.230 . 10.0.0.149 . 123 . 32768-65535, enp0s31f6 . 64.59.144.17 . 10.0.0.149 . 53 . 32768-65535, enp0s31f6 . 64.59.150.133 . 10.0.0.149 . 53 . 32768-65535 } accept

    The "lo" and "ct state" rules are left as they are: they do not share the same set of selectors with the UDP rules and are not candidates for merging.
  • Fixed bytecode generation for concatenated intervals whose components have different endianness, such as an IPv4 address (network byte order) combined with meta mark (host byte order):

        table ip x {
                map w {
                        typeof ip saddr . meta mark : verdict
                        flags interval
                        counter
                        elements = { 127.0.0.1-127.0.0.4 . 0x123434-0xb00122 : accept,
                                     192.168.0.10-192.168.1.20 . 0x0000aa00-0x0000aaff : accept, }
                }
                chain k {
                        type filter hook input priority filter; policy drop;
                        ip saddr . meta mark vmap @w
                }
        }
  • Raw payload expressions (@th,offset,length) can now be used with transport protocols that nft has no built-in support for, e.g. matching protocol number 91: meta l4proto 91 @th,400,16 0x0 accept
  • Fixed inserting rules (insert rule) that use anonymous sets containing intervals, e.g.: insert rule x y tcp sport { 3478-3497, 16384-16387 } counter accept
  • The JSON API now supports expressions in set and map elements.
  • The Python nftables bindings can now load rulesets in check mode (the equivalent of "nft -c") and accept externally defined variables.
  • Comments can now be attached to set elements.
  • A zero value is now accepted in byte-based rate limits.
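To make the merging described in the first two items concrete, here is a toy re-implementation of that transformation in Python. It is an added example written for this page, not nftables' own optimizer code, and it deliberately models only a handful of selectors (iifname, ip saddr/daddr, tcp/udp ports) and the accept/drop verdicts; rules it does not understand (ct state, comments, counters) are passed through untouched, and only adjacent rules with the same selectors and the same verdict are folded, which is what keeps the packet's first-match semantics intact. The two chains from the release notes are embedded as constructed input.

```python
import itertools
from typing import List, Optional, Tuple

# Match selectors this toy understands; nft knows many more. "meta iifname" is
# the long spelling of "iifname" and is folded to the short form, which is also
# the form nft prints in the merged rule.
SELECTORS = {
    "meta iifname": "iifname", "iifname": "iifname",
    "ip saddr": "ip saddr", "ip daddr": "ip daddr",
    "tcp sport": "tcp sport", "tcp dport": "tcp dport",
    "udp sport": "udp sport", "udp dport": "udp dport",
}
VERDICTS = ("accept", "drop")

# (selectors, per-selector value alternatives, verdict); an anonymous set such
# as { a, b } contributes two alternatives for its selector.
Rule = Tuple[Tuple[str, ...], Tuple[Tuple[str, ...], ...], str]


def parse_rule(text: str) -> Optional[Rule]:
    """Return the structured form of a rule, or None when the rule uses
    anything this toy does not model, in which case it is left untouched."""
    tokens = text.replace("{", " { ").replace("}", " } ").replace(",", " , ").split()
    tokens = [t.strip('"') for t in tokens if t != ","]
    if not tokens or tokens[-1] not in VERDICTS:
        return None
    verdict = tokens.pop()
    selectors, values = [], []
    i = 0
    try:
        while i < len(tokens):
            two = " ".join(tokens[i:i + 2])
            if two in SELECTORS:
                sel, i = SELECTORS[two], i + 2
            elif tokens[i] in SELECTORS:
                sel, i = SELECTORS[tokens[i]], i + 1
            else:
                return None
            if tokens[i] == "{":                      # anonymous set
                close = tokens.index("}", i)
                vals, i = tuple(tokens[i + 1:close]), close + 1
            else:                                     # single value, prefix or range
                vals, i = (tokens[i],), i + 1
            selectors.append(sel)
            values.append(vals)
    except (IndexError, ValueError):
        return None
    return tuple(selectors), tuple(values), verdict


def render_merged(rules: List[Rule]) -> str:
    """Emit one rule keyed on the concatenation of the shared selectors."""
    selectors, _, verdict = rules[0]
    elements = []
    for _, values, _ in rules:
        # an anonymous set in a source rule expands to one element per
        # combination, as in the second example in the release notes
        for combo in itertools.product(*values):
            elements.append(" . ".join(combo))
    return f"{' . '.join(selectors)} {{ {', '.join(elements)} }} {verdict}"


def optimize(chain: List[str]) -> List[str]:
    """Fold runs of adjacent rules that share selectors and verdict.

    A rule with a different verdict (or an unparsable rule) in between ends
    the run, so the order in which a packet can reach accept/drop is kept."""
    out: List[str] = []
    run: List[Tuple[str, Rule]] = []

    def flush() -> None:
        if len(run) >= 2:
            out.append(render_merged([r for _, r in run]))
        else:
            out.extend(text for text, _ in run)
        run.clear()

    for text in chain:
        parsed = parse_rule(text)
        if parsed is None:
            flush()
            out.append(text)
            continue
        if run and (run[-1][1][0], run[-1][1][2]) != (parsed[0], parsed[2]):
            flush()
        run.append((text, parsed))
    flush()
    return out


# Constructed input: chain y from the first example above.
CHAIN_Y = [
    "meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept",
    "meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.4 accept",
    "meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.3.0/24 accept",
    "meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.4.0-2.2.4.10 accept",
    "meta iifname eth1 ip saddr 1.1.1.3 ip daddr 2.2.2.5 accept",
]

if __name__ == "__main__":
    for rule in optimize(CHAIN_Y):
        print(rule)
```

Running the script prints the single concatenation-keyed rule that nft -o reports for chain y. The real optimizer goes further (it can also turn rules with differing verdicts into a verdict map and understands every nft selector), but the shape of the transformation is the same: identical selectors become the key of a concatenation, the differing values become set elements, and anonymous sets are expanded so each combination is its own element.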

Source: opennet.ru
