Release of the nftables 1.0.1 packet filter

The nftables 1.0.1 packet filter has been released. nftables unifies the packet filtering interfaces for IPv4, IPv6, ARP and network bridges, and is intended to replace iptables, ip6tables, arptables and ebtables. The kernel changes required for nftables 1.0.1 to work are included in the Linux 5.16-rc1 kernel.

The nftables package contains the packet filter components that run in user space, while the kernel-level work is done by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel provides only a generic, protocol-independent interface that supplies the basic operations: extracting data from packets, performing operations on that data, and controlling flow.

The filtering rules themselves and the protocol-specific handlers are compiled into bytecode in user space. This bytecode is then loaded into the kernel over the netlink interface and executed inside the kernel by a special virtual machine resembling BPF (Berkeley Packet Filters). This approach significantly reduces the amount of filtering code that runs at the kernel level and moves all rule-parsing logic and protocol-handling logic into user space.

Main innovations:

  • Reduced memory consumption when loading large sets and maps.
  • Faster reloading of sets and maps.
  • Faster listing of selected tables and chains in large rulesets. For example, running "nft list ruleset" on a ruleset of 100 thousand rules takes 3.049 seconds, while listing only the nat and filter tables ("nft list table nat", "nft list table filter") takes 1.969 and 0.697 seconds respectively.
  • Faster execution of commands with the "--terse" option when processing rules with large sets and maps.
  • Support for filtering traffic in an "egress" chain, processed at the same level as the egress hook of the netdev family (hook egress), i.e. at the stage where the driver receives the packet from the kernel network stack:
        table netdev filter {
            chain egress {
                type filter hook egress devices = { eth0, eth1 } priority 0;
                meta priority set ip saddr map { 192.168.10.2 : abcd:2, 192.168.10.3 : abcd:3 }
            }
        }
  • Matching and modifying bytes in the packet header and payload at a given offset is now allowed (here: 32 bits at bit offset 32 of the inner header):
        # nft add rule x y @ih,32,32 0x14000000 counter
        # nft add rule x y @ih,32,32 set 0x14000000 counter
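As an added example that is not part of the announcement, the ruleset below combines the two new features in a defensive netdev egress policy: outbound packets whose source address does not belong to the host are counted, logged at a limited rate and dropped, and a raw inner-header match counts packets carrying the marker value from the announcement. The interface name eth0 and the 192.0.2.0/24 prefix are assumed placeholders for the host's own network.

```nft
#!/usr/sbin/nft -f
# Added example, not from the nftables project: egress anti-spoofing policy
# on the netdev "egress" hook introduced with nftables 1.0.1 / Linux 5.16.
# eth0 and 192.0.2.0/24 are placeholders for the host's own interface/prefix.

table netdev egress_policy {
    # Source addresses this host is legitimately allowed to send from.
    set local_src {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24 }
    }

    chain egress {
        # Packets arrive here after the kernel network stack, right before
        # the driver transmits them; everything not matched below is accepted.
        type filter hook egress devices = { eth0 } priority 0; policy accept;

        # Outbound IPv4 traffic with a foreign source address is either
        # spoofed or comes from a misconfigured VM/container on this host.
        # Log a sample of it, then drop all of it.
        ip saddr != @local_src limit rate 10/minute log prefix "egress-spoof "
        ip saddr != @local_src counter drop

        # Raw payload match from the announcement: 32 bits at bit offset 32
        # of the inner (transport payload) header. Count only, do not modify.
        ip protocol udp @ih,32,32 0x14000000 counter
    }
}
```

Load it with "nft -c -f <file>" first to have nft validate the syntax against the running kernel before applying it with "nft -f".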