nftables 1.0.7 packet filter release

The nftables 1.0.7 packet filter release has been published. nftables unifies the packet filtering interfaces for IPv4, IPv6, ARP and network bridges and is aimed at replacing iptables, ip6tables, arptables and ebtables. The nftables package contains the packet filter components that run in user space, while the kernel side is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel exposes only a generic, protocol-independent interface offering basic primitives for extracting data from packets, operating on that data, and controlling flow.

The filtering rules themselves and the protocol-specific handlers are compiled in user space into bytecode, which is then loaded into the kernel over the Netlink interface and executed in a dedicated in-kernel virtual machine resembling BPF (Berkeley Packet Filters). This approach significantly reduces the amount of filtering code running at the kernel level and moves all rule parsing and protocol-handling logic into user space.

Major changes:

  • For systems with Linux 6.2+ kernels, support for matching on the vxlan, geneve, gre and gretap protocols has been added, allowing simple expressions to check the headers of encapsulated packets. For example, to match the IP address in the header of a packet nested inside VxLAN, the following rules can now be used (without first decapsulating the VxLAN header and binding the filter to the vxlan0 interface):

        ... udp dport 4789 vxlan ip protocol udp ...
        ... udp dport 4789 vxlan ip saddr 1.2.3.0/24 ...
        ... udp dport 4789 vxlan ip saddr . vxlan ip daddr { 1.2.3.4 . 4.3.2.1 } ...

  • Implemented automatic merging of the residuals left after partial deletion of a set element, which allows deleting a single element or part of a range from an existing range (previously a range could only be deleted as a whole). For example, after removing element 25 from a set holding the ranges 24-30 and 40-50, the set will contain 24, 26-30 and 40-50. The kernel fixes required for auto-merge to work will be offered for the 5.10+ stable branches in corrective releases.

        # nft list ruleset
        table ip x {
                set y {
                        typeof tcp dport
                        flags interval
                        auto-merge
                        elements = { 24-30, 40-50 }
                }
        }
        # nft delete element ip x y { 25 }
        # nft list ruleset
        table ip x {
                set y {
                        typeof tcp dport
                        flags interval
                        auto-merge
                        elements = { 24, 26-30, 40-50 }
                }
        }

  • Concatenations and ranges may now be used in address translation (NAT) mappings:

        table ip nat {
                chain prerouting {
                        type nat hook prerouting priority dstnat; policy accept;
                        dnat to ip daddr . tcp dport map { 10.1.1.136 . 80 : 1.1.2.69 . 1024, 10.1.1.10-10.1.1.20 . 8888-8889 : 1.1.2.69 . 2048-2049 } persistent
                }
        }

  • Added support for the "last" expression, which reports the time a rule or set element was last used. The kernel side of this feature has been available since Linux 5.14.

        table ip x {
                set y {
                        typeof ip daddr . tcp dport
                        size 65535
                        flags dynamic,timeout
                        last
                        timeout 1h
                }
                chain z {
                        type filter hook output priority filter; policy accept;
                        update @y { ip daddr . tcp dport }
                }
        }
        # nft list set ip x y
        table ip x {
                set y {
                        typeof ip daddr . tcp dport
                        size 65535
                        flags dynamic,timeout
                        last
                        timeout 1h
                        elements = { 172.217.17.14 . 443 last used 1s591ms timeout 1h expires 59m58s409ms,
                                     172.67.69.19 . 443 last used 4s636ms timeout 1h expires 59m55s364ms,
                                     142.250.201.72 . 443 last used 4s748ms timeout 1h expires 59m55s252ms,
                                     172.67.70.134 . 443 last used 4s688ms timeout 1h expires 59m55s312ms,
                                     35.241.9.150 . 443 last used 5s204ms timeout 1h expires 59m54s796ms,
                                     138.201.122.174 . 443 last used 4s537ms timeout 1h expires 59m55s463ms,
                                     34.160.144.191 . 443 last used 5s205ms timeout 1h expires 59m54s795ms,
                                     130.211.23.194 . 443 last used 4s436ms timeout 1h expires 59m55s564ms }
                }
        }

  • Added the ability to define quotas in sets. For example, to apply a traffic quota per destination IP address:

        table netdev x {
                set y {
                        typeof ip daddr
                        size 65535
                        quota over 10000 mbytes
                }
                chain y {
                        type filter hook egress device "eth0" priority filter; policy accept;
                        ip daddr @y drop
                }
        }
        # nft add element netdev x y { 8.8.8.8 }
        # ping -c 2 8.8.8.8
        # nft list ruleset
        table netdev x {
                set y {
                        type ipv4_addr
                        size 65535
                        quota over 10000 mbytes
                        elements = { 8.8.8.8 quota over 10000 mbytes used 196 bytes }
                }
                chain y {
                        type filter hook egress device "eth0" priority filter; policy accept;
                        ip daddr @y drop
                }
        }

  • Constants may now be used in set keys. For example, when the key is a concatenation of destination address and VLAN ID, the VLAN number can be given directly (daddr . 123):

        table netdev t {
                set s {
                        typeof ether saddr . vlan id
                        size 2048
                        flags dynamic,timeout
                        timeout 1m
                }
                chain c {
                        type filter hook ingress device eth0 priority 0; policy accept;
                        ether type != 8021q update @s { ether daddr . 123 } counter
                }
        }

  • A new "destroy" command has been added to delete objects unconditionally (unlike the delete command, it does not return ENOENT when the object does not exist). It requires at least a Linux 6.3-rc kernel.

        destroy table ip filter
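
The auto-merge behaviour described in the set-element deletion item above, modelled in pure Python as an added example (this is not code from the nftables project or the release notes): ranges coalesce on insertion, and deleting an element or sub-range leaves the residuals of the range it cut, so removing 25 from 24-30, 40-50 yields 24, 26-30, 40-50.

```python
"""Model of an nftables interval set with auto-merge (nftables 1.0.7).
Added example, not code from the nftables project: it reproduces in Python the
behaviour described above for a set with `flags interval` and `auto-merge`:
ranges coalesce on insertion; deleting an element or a sub-range keeps the
residuals of the range it cut."""
from typing import List, Optional, Tuple

Range = Tuple[int, int]  # inclusive bounds: (24, 30) is the element "24-30"


def merge(ranges: List[Range]) -> List[Range]:
    """Auto-merge: sort, then coalesce overlapping or adjacent ranges."""
    merged: List[Range] = []
    for lo, hi in sorted(ranges):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def add_element(ranges: List[Range], lo: int, hi: Optional[int] = None) -> List[Range]:
    """`nft add element ... { lo-hi }` on an auto-merge set."""
    return merge(ranges + [(lo, lo if hi is None else hi)])


def delete_element(ranges: List[Range], lo: int, hi: Optional[int] = None) -> List[Range]:
    """`nft delete element ... { lo-hi }`: cut [lo, hi] out and keep the residuals.
    Raises KeyError when nothing overlaps, like the ENOENT `delete` reports."""
    hi = lo if hi is None else hi
    out, hit = [], False
    for a, b in ranges:
        if b < lo or a > hi:        # range untouched by the deletion
            out.append((a, b))
            continue
        hit = True
        if a < lo:                  # residual left of the cut
            out.append((a, lo - 1))
        if b > hi:                  # residual right of the cut
            out.append((hi + 1, b))
    if not hit:
        raise KeyError(f"{lo}-{hi}: no such element (ENOENT)")
    return out


def fmt(ranges: List[Range]) -> str:
    """Render as `nft list ruleset` does: 'elements = { 24, 26-30, 40-50 }'."""
    parts = [str(a) if a == b else f"{a}-{b}" for a, b in ranges]
    return "elements = { " + ", ".join(parts) + " }"
```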

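A defender's use of the "last" expression from the item above: parsing the `nft list set` output into per-element idle times and reporting elements that have not been hit recently (stale allow-list entries are a common audit finding). This is an added example, not code from the release notes or the nftables project; SAMPLE is constructed from the output quoted above plus one made-up, older element, and the 30-second threshold is arbitrary.

```python
"""Audit an nftables set that uses the `last` expression (Linux 5.14+).
Added example, not code from the release notes or the nftables project: it
parses the text `nft list set ip x y` prints and reports elements whose last
hit is older than an idle threshold. SAMPLE is constructed from the output
quoted above plus one made-up, older element (10.0.0.9 . 8080)."""
import re
from typing import Dict, List

SAMPLE = """table ip x {
    set y {
        typeof ip daddr . tcp dport
        flags dynamic,timeout
        last
        timeout 1h
        elements = { 172.217.17.14 . 443 last used 1s591ms timeout 1h expires 59m58s409ms,
                     172.67.69.19 . 443 last used 4s636ms timeout 1h expires 59m55s364ms,
                     10.0.0.9 . 8080 last used 2m13s timeout 1h expires 57m47s }
    }
}"""

_UNIT_MS = {"d": 86_400_000, "h": 3_600_000, "m": 60_000, "s": 1_000, "ms": 1}
_PART = re.compile(r"(\d+)(ms|d|h|m|s)")  # "ms" must be tried before "m"
_ELEMENT = re.compile(r"(?P<key>[\d.]+ \. \d+) last used (?P<last>\w+) "
                      r"timeout (?P<timeout>\w+) expires (?P<expires>\w+)")


def parse_duration(text: str) -> int:
    """Convert nft's compact duration, e.g. '59m58s409ms', to milliseconds."""
    total, pos = 0, 0
    for m in _PART.finditer(text):
        if m.start() != pos:  # reject junk between components
            raise ValueError(f"bad duration {text!r}")
        total += int(m.group(1)) * _UNIT_MS[m.group(2)]
        pos = m.end()
    if not text or pos != len(text):
        raise ValueError(f"bad duration {text!r}")
    return total


def parse_elements(output: str) -> Dict[str, Dict[str, int]]:
    """Map each 'addr . port' key to its last/timeout/expires values in ms."""
    return {m["key"]: {f: parse_duration(m[f]) for f in ("last", "timeout", "expires")}
            for m in _ELEMENT.finditer(output)}


def stale_elements(output: str, idle_ms: int) -> List[str]:
    """Keys not hit for longer than idle_ms: candidates to review or expire."""
    return sorted(k for k, v in parse_elements(output).items() if v["last"] > idle_ms)
```

For every element, `last used` plus `expires` equals the configured `timeout`, which the parser can be used to cross-check.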
Source: opennet.ru
