The nftables 1.0.7 packet filter has been released. It unifies the packet filtering interfaces for IPv4, IPv6, ARP, and network bridges, and is intended to replace iptables, ip6tables, arptables, and ebtables. The nftables package contains the user-space components of the packet filter; kernel-level functionality is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel provides only a generic, protocol-independent interface with basic primitives for extracting data from packets, operating on that data, and controlling flow.
The filtering rules themselves and the protocol-specific handlers are compiled into bytecode in user space; this bytecode is then loaded into the kernel over the Netlink interface and executed there by a dedicated virtual machine reminiscent of BPF (Berkeley Packet Filter). This approach greatly reduces the amount of filtering code running at kernel level and moves all rule parsing and protocol logic into user space.
Major changes:
- On systems with Linux kernel 6.2 or later, support has been added for matching the vxlan, geneve, gre, and gretap protocols, so that simple expressions can check headers inside encapsulated packets. For example, to check IP addresses in the header of the packet embedded in VxLAN, the following rules can now be used (without first de-encapsulating the VxLAN header and binding the filter to the vxlan0 interface):

```
... udp dport 4789 vxlan ip protocol udp
... udp dport 4789 vxlan ip saddr 1.2.3.0/24
... udp dport 4789 vxlan ip saddr . vxlan ip daddr { 1.2.3.4 . 4.3.2.1 }
```
- Implemented automatic merging of what remains after a partial deletion from an interval set: an element or part of a range can now be deleted from an existing range (previously a range could only be deleted in its entirety). For example, after removing element 25 from a set containing the ranges 24-30 and 40-50, the set will contain 24, 26-30 and 40-50. The kernel fixes required for auto-merging to work will be offered in corrective releases of the 5.10+ stable branches.

```
# nft list ruleset
table ip x {
	set y {
		typeof tcp dport
		flags interval
		auto-merge
		elements = { 24-30, 40-50 }
	}
}
# nft delete element ip x y { 25 }
# nft list ruleset
table ip x {
	set y {
		typeof tcp dport
		flags interval
		auto-merge
		elements = { 24, 26-30, 40-50 }
	}
}
```
- Concatenations and ranges are now allowed in address translation (NAT) mappings:

```
table ip nat {
	chain prerouting {
		type nat hook prerouting priority dstnat; policy accept;
		dnat to ip daddr . tcp dport map { 10.1.1.136 . 80 : 1.1.2.69 . 1024, 10.1.1.10-10.1.1.20 . 8888-8889 : 1.1.2.69 . 2048-2049 } persistent
	}
}
```
- Added support for the "last" expression, which reports when a rule or set element was last used. Requires Linux kernel 5.14 or later.

```
table ip x {
	set y {
		typeof ip daddr . tcp dport
		size 65535
		flags dynamic,timeout
		last
		timeout 1h
	}

	chain z {
		type filter hook output priority filter; policy accept;
		update @y { ip daddr . tcp dport }
	}
}
# nft list set ip x y
table ip x {
	set y {
		typeof ip daddr . tcp dport
		size 65535
		flags dynamic,timeout
		last
		timeout 1h
		elements = { 172.217.17.14 . 443 last used 1s591ms timeout 1h expires 59m58s409ms,
			     172.67.69.19 . 443 last used 4s636ms timeout 1h expires 59m55s364ms,
			     142.250.201.72 . 443 last used 4s748ms timeout 1h expires 59m55s252ms,
			     172.67.70.134 . 443 last used 4s688ms timeout 1h expires 59m55s312ms,
			     35.241.9.150 . 443 last used 5s204ms timeout 1h expires 59m54s796ms,
			     138.201.122.174 . 443 last used 4s537ms timeout 1h expires 59m55s463ms,
			     34.160.144.191 . 443 last used 5s205ms timeout 1h expires 59m54s795ms,
			     130.211.23.194 . 443 last used 4s436ms timeout 1h expires 59m55s564ms }
	}
}
```
- Added the ability to define quotas in sets. For example, to define a traffic quota for each destination IP address:

```
table netdev x {
	set y {
		typeof ip daddr
		size 65535
		quota over 10000 mbytes
	}

	chain y {
		type filter hook egress device "eth0" priority filter; policy accept;
		ip daddr @y drop
	}
}
# nft add element netdev x y { 8.8.8.8 }
# ping -c 2 8.8.8.8
# nft list ruleset
table netdev x {
	set y {
		type ipv4_addr
		size 65535
		quota over 10000 mbytes
		elements = { 8.8.8.8 quota over 10000 mbytes used 196 bytes }
	}

	chain y {
		type filter hook egress device "eth0" priority filter; policy accept;
		ip daddr @y drop
	}
}
```
- Constants are now allowed in set keys. For example, when the key is a concatenation of a destination address and a VLAN ID, the VLAN number can be given directly (daddr . 123):

```
table netdev t {
	set s {
		typeof ether saddr . vlan id
		size 2048
		flags dynamic,timeout
		timeout 1m
	}

	chain c {
		type filter hook ingress device eth0 priority 0; policy accept;
		ether type != 8021q update @s { ether daddr . 123 } counter
	}
}
```
- A new "destroy" command has been added for unconditional deletion of objects (unlike the delete command, it does not return ENOENT when the object does not exist). Requires at least Linux kernel 6.3-rc.

```
destroy table ip filter
```
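The VxLAN matching described in the first item inspects the packet that follows the 8-byte VXLAN header carried on UDP port 4789. The following Python script is an added example, not code from the nftables project or from the release notes: it parses a VXLAN datagram down to the inner IPv4 header and emulates a `udp dport 4789 vxlan ip saddr ... vxlan ip daddr { ... }` match in user space, which is useful for checking what such a rule would see before deploying it. The sample packet (VNI 42, inner UDP from 1.2.3.4 to 4.3.2.1) is constructed in the script, not captured.

```python
"""Walk a VXLAN (UDP/4789) payload down to the inner IPv4 header.

Added example, not nftables code: shows which bytes the new
``vxlan ip saddr`` / ``vxlan ip daddr`` / ``vxlan ip protocol``
expressions look at. The sample packet is constructed below.
"""
import ipaddress
import struct

VXLAN_PORT = 4789
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def parse_vxlan_inner_ip(udp_payload: bytes) -> dict:
    """Return VNI plus the inner IPv4 protocol and addresses.

    Layout: 8-byte VXLAN header (flags, 3 reserved bytes, 24-bit VNI,
    1 reserved byte), then an inner Ethernet frame carrying IPv4.
    """
    if len(udp_payload) < 8:
        raise ValueError("short VXLAN header")
    if not udp_payload[0] & 0x08:          # 'I' flag: VNI field is valid
        raise ValueError("VXLAN I flag not set")
    vni = int.from_bytes(udp_payload[4:7], "big")

    inner = udp_payload[8:]                # inner Ethernet frame
    if len(inner) < 14:
        raise ValueError("short inner Ethernet frame")
    ethertype = struct.unpack("!H", inner[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"inner ethertype 0x{ethertype:04x} is not IPv4")

    ip = inner[14:]
    if len(ip) < 20:
        raise ValueError("short inner IPv4 header")
    (ver_ihl, _tos, _tlen, _ident, _frag, _ttl, proto, _csum,
     saddr, daddr) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    return {
        "vni": vni,
        "inner_proto": proto,
        "inner_saddr": str(ipaddress.IPv4Address(saddr)),
        "inner_daddr": str(ipaddress.IPv4Address(daddr)),
    }


def matches_rule(info: dict, saddr_net: str, daddr_set: set) -> bool:
    """Emulate: vxlan ip saddr <net> vxlan ip daddr { <addresses> }."""
    return (ipaddress.ip_address(info["inner_saddr"]) in ipaddress.ip_network(saddr_net)
            and info["inner_daddr"] in daddr_set)


def build_sample() -> bytes:
    """Constructed sample: VNI 42, inner UDP 1.2.3.4:12345 -> 4.3.2.1:53."""
    vxlan_hdr = bytes([0x08, 0, 0, 0]) + (42).to_bytes(3, "big") + b"\x00"
    eth = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
           + struct.pack("!H", ETHERTYPE_IPV4))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, IPPROTO_UDP, 0,
                         ipaddress.IPv4Address("1.2.3.4").packed,
                         ipaddress.IPv4Address("4.3.2.1").packed)
    udp_hdr = struct.pack("!HHHH", 12345, 53, 8, 0)
    return vxlan_hdr + eth + ip_hdr + udp_hdr


if __name__ == "__main__":
    pkt_info = parse_vxlan_inner_ip(build_sample())
    print(pkt_info)
    print("rule matches:", matches_rule(pkt_info, "1.2.3.0/24", {"4.3.2.1"}))
```

The parser deliberately stops at the inner IPv4 header, which is all the example rules in the release notes need; a real filter would also have to cope with inner VLAN tags and IPv6, which this example does not handle.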
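The auto-merge item above shows one instance (deleting 25 from 24-30, 40-50). The following Python model is an added example, not nftables code: it implements the general interval-set semantics that `nft delete element` on a set with `flags interval` and `auto-merge` now follows, including the edge cases of removing a whole range, cutting through the middle of one, and deleting an element that is not present. The set contents are the ones from the release notes; the function names are this example's own.

```python
"""Interval-set deletion with auto-merge semantics.

Added example, not nftables code: a pure-Python model of what
``nft delete element`` does on a set with ``flags interval`` and
``auto-merge`` when the deleted element or range covers only part of
an existing range. Ranges are inclusive (lo, hi); an element is (n, n).
"""
from typing import List, Tuple

Range = Tuple[int, int]


def normalize(ranges: List[Range]) -> List[Range]:
    """Sort and merge overlapping or adjacent ranges (the auto-merge step)."""
    merged: List[Range] = []
    for lo, hi in sorted(ranges):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def add_range(ranges: List[Range], lo: int, hi: int) -> List[Range]:
    """Add [lo, hi]; auto-merge joins it with neighbours it touches."""
    return normalize(list(ranges) + [(lo, hi)])


def delete_range(ranges: List[Range], lo: int, hi: int) -> List[Range]:
    """Remove [lo, hi], keeping the remainders of any range it cuts through."""
    out: List[Range] = []
    for a, b in normalize(ranges):
        if hi < a or lo > b:          # no overlap: keep the range as is
            out.append((a, b))
            continue
        if a < lo:                    # part left of the deleted span survives
            out.append((a, lo - 1))
        if b > hi:                    # part right of the deleted span survives
            out.append((hi + 1, b))
    return normalize(out)


def fmt(ranges: List[Range]) -> str:
    """Render the way nft lists it: '24, 26-30, 40-50'."""
    return ", ".join(str(a) if a == b else f"{a}-{b}" for a, b in ranges)


if __name__ == "__main__":
    s = [(24, 30), (40, 50)]                  # elements from the release notes
    print(fmt(delete_range(s, 25, 25)))       # element deleted from inside a range
    print(fmt(delete_range(s, 40, 50)))       # whole range deleted
    print(fmt(delete_range(s, 28, 45)))       # span cutting through two ranges
    print(fmt(add_range(s, 31, 39)))          # gap filled, ranges merge
```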
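The `last` expression shown above annotates each element in `nft list set` output with `last used <duration>`. The following Python script is an added example, not part of the nftables project or the release notes: it parses those annotations so that a housekeeping script can report elements of a dynamic set that nobody has hit for a while. The listing embedded in the script is constructed for the example, shaped like the output in the release notes; the handling of `last used never` for elements that were added but never matched is this example's assumption about the output format.

```python
"""Report idle elements from ``nft list set`` output that uses ``last``.

Added example, not nftables code. Parses ``last used <duration>`` and
``last used never`` annotations (the latter is assumed here for elements
never matched). SAMPLE_LISTING is constructed for the example.
"""
import re
from typing import Dict, List, Optional

SAMPLE_LISTING = """\
table ip x {
    set y {
        typeof ip daddr . tcp dport
        size 65535
        flags dynamic,timeout
        last
        timeout 1h
        elements = { 172.217.17.14 . 443 last used 1s591ms timeout 1h expires 59m58s409ms,
                     172.67.69.19 . 443 last used 45m12s timeout 1h expires 14m48s,
                     10.0.0.7 . 22 last used never timeout 1h expires 59m0s }
    }
}
"""

# nft prints durations as e.g. 1h, 59m58s409ms, 1s591ms (units omitted when zero)
_DURATION = re.compile(r"(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?(?:(\d+)ms)?")
_ELEMENT = re.compile(r"^(?P<key>.+?)\s+last used (?P<last>never|\S+)")


def parse_duration_ms(text: str) -> int:
    """Convert an nft duration such as '59m58s409ms' to milliseconds."""
    m = _DURATION.fullmatch(text)
    if not text or not m:
        raise ValueError(f"bad duration: {text!r}")
    d, h, mi, s, ms = (int(g) if g else 0 for g in m.groups())
    return (((d * 24 + h) * 60 + mi) * 60 + s) * 1000 + ms


def parse_last_used(listing: str) -> Dict[str, Optional[int]]:
    """Map each element key to milliseconds since last use (None = never)."""
    result: Dict[str, Optional[int]] = {}
    in_elements = False
    for raw in listing.splitlines():
        line = raw.strip()
        if line.startswith("elements = {"):
            in_elements = True
            line = line[len("elements = {"):].strip()
        if not in_elements:
            continue
        entry = line.rstrip(",").rstrip("}").strip()
        m = _ELEMENT.match(entry)
        if m:
            last = m.group("last")
            result[m.group("key")] = None if last == "never" else parse_duration_ms(last)
        if line.endswith("}"):            # closing brace ends the element block
            in_elements = False
    return result


def idle_elements(listing: str, idle_for_ms: int) -> List[str]:
    """Keys last used longer ago than idle_for_ms, or never used at all."""
    return [k for k, v in parse_last_used(listing).items()
            if v is None or v > idle_for_ms]


if __name__ == "__main__":
    for key in idle_elements(SAMPLE_LISTING, 30 * 60 * 1000):
        print("idle:", key)
```

In practice the listing would come from `nft list set ip x y` run with sufficient privileges; feeding its output to `parse_last_used` is enough, since the parser only looks at the `elements = { ... }` block.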
Source: opennet.ru
