Release of the nftables 1.0.2 packet filter

The nftables 1.0.2 packet filter has been released. nftables unifies the packet-filtering interfaces for IPv4, IPv6, ARP and network bridges and is intended to replace iptables, ip6tables, arptables and ebtables. The kernel-side changes required by nftables 1.0.2 are included in Linux 5.17-rc.

The nftables package contains the user-space components of the packet filter; the kernel side is provided by the nf_tables subsystem, part of the mainline Linux kernel since release 3.13. At the kernel level, nf_tables offers a generic, protocol-independent interface with basic primitives for extracting data from packets, operating on that data and controlling the flow of evaluation.

Filtering rules and protocol-specific handlers are compiled into bytecode in user space; the bytecode is then loaded into the kernel over the Netlink interface and executed in a dedicated virtual machine resembling BPF (Berkeley Packet Filter). This approach significantly reduces the amount of filtering code running in the kernel and keeps all the rule-parsing and protocol-analysis logic in user space.

The main changes:

  • Added a rule-optimization mode, enabled with the new “-o” (“--optimize”) option. It can be combined with the “--check” option to check and optimize a ruleset file without actually loading it into the kernel.
    The optimizer merges similar rules. For example, the rules:

    meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept
    meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.5 accept
    ip saddr 1.1.1.1 ip daddr 2.2.2.2 accept
    ip saddr 2.2.2.2 ip daddr 3.3.3.3 drop

    will be merged into

    meta iifname . ip saddr . ip daddr { eth1 . 1.1.1.1 . 2.2.2.3, eth1 . 1.1.1.2 . 2.2.2.5 } accept
    ip saddr . ip daddr vmap { 1.1.1.1 . 2.2.2.2 : accept, 2.2.2.2 . 3.3.3.3 : drop }

    Example of use:

    # nft -c -o -f ruleset.test
    Merging:
    ruleset.nft:16:3-37: ip daddr 192.168.0.1 counter accept
    ruleset.nft:17:3-37: ip daddr 192.168.0.2 counter accept
    ruleset.nft:18:3-37: ip daddr 192.168.0.3 counter accept
    into:
            ip daddr { 192.168.0.1, 192.168.0.2, 192.168.0.3 } counter packets 0 bytes 0 accept

  • Sets can now hold TCP and IP options as well as SCTP chunks, declared with typeof:

    set s5 {
        typeof ip option ra value
        elements = { 1, 1024 }
    }
    set s7 {
        typeof sctp chunk init num-inbound-streams
        elements = { 1, 4 }
    }
    chain c5 { ip option ra value @s5 accept }
    chain c7 { sctp chunk init num-inbound-streams @s7 accept }

  • Added support for the TCP options fastopen, md5sig and mptcp.
  • The mptcp subtype can now be used in comparisons: tcp option mptcp subtype 1
  • Improved the filtering code running in the kernel.
  • Full JSON format support has been implemented for flowtables.
  • The “reject” action can now be used in rules that match on Ethernet frames: ether saddr aa:bb:cc:dd:ee:ff ip daddr 192.168.0.1 reject
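The rule merging performed by the new “-o” mode, modelled as an added example (this is not nftables' own optimizer code, and the selector list and the `parse_rule`/`merge_rules` helpers are assumptions): runs of adjacent rules with the same match selectors collapse into an anonymous concatenation set when their verdicts agree, and into a vmap when they differ. Only adjacent rules are merged, because moving a rule past one with a different selector set could change which rule matches first.

```python
"""Toy model of the rule merging that `nft -o` performs (constructed example)."""
from itertools import groupby

# Two-word match selectors this toy parser understands (subset of nft syntax).
SELECTORS = {"meta iifname", "meta oifname", "ip saddr", "ip daddr",
             "ip protocol", "tcp dport", "tcp sport", "udp dport"}


def parse_rule(rule):
    """Split 'sel val sel val ... verdict' into ((sel, val), ...) and verdict."""
    tok = rule.split()
    matches, i = [], 0
    while i + 2 < len(tok) and f"{tok[i]} {tok[i + 1]}" in SELECTORS:
        matches.append((f"{tok[i]} {tok[i + 1]}", tok[i + 2]))
        i += 3
    return tuple(matches), " ".join(tok[i:])


def merge_rules(rules):
    """Merge runs of adjacent rules that use the same selector sequence."""
    parsed = [parse_rule(r) for r in rules]
    out = []
    # groupby only joins consecutive rules, so relative rule order is kept.
    for _, run in groupby(parsed, key=lambda p: tuple(k for k, _ in p[0])):
        run = list(run)
        if len(run) == 1:                       # nothing to merge, emit as-is
            matches, verdict = run[0]
            out.append(" ".join(f"{k} {v}" for k, v in matches) + " " + verdict)
            continue
        sels = " . ".join(k for k, _ in run[0][0])          # concatenated selectors
        keys = [" . ".join(v for _, v in m) for m, _ in run]  # concatenated values
        verdicts = {v for _, v in run}
        if len(verdicts) == 1:                  # same verdict: anonymous set
            out.append(f"{sels} {{ {', '.join(keys)} }} {run[0][1]}")
        else:                                   # differing verdicts: verdict map
            pairs = ", ".join(f"{k} : {v}" for k, (_, v) in zip(keys, run))
            out.append(f"{sels} vmap {{ {pairs} }}")
    return out


RULESET = [  # constructed input mirroring the release note's example
    "meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept",
    "meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.5 accept",
    "ip saddr 1.1.1.1 ip daddr 2.2.2.2 accept",
    "ip saddr 2.2.2.2 ip daddr 3.3.3.3 drop",
]

if __name__ == "__main__":
    for line in merge_rules(RULESET):
        print(line)
```

Running the real optimizer with `nft -c -o -f` before loading a ruleset lets you review the merged sets and vmaps it proposes, which is the safer way to confirm that the collapsed form still expresses the intended policy.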

Source: media reports.