Release of the nftables packet filter 1.0.3

The nftables 1.0.3 packet filter has been released. It unifies the packet filtering interfaces for IPv4, IPv6, ARP and network bridges and is intended to replace iptables, ip6tables, arptables and ebtables. The nftables 1.0.3 release requires the Linux 5.18 kernel.

The nftables package contains the user-space components of the packet filter, while the kernel side is handled by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. At the kernel level only a generic, protocol-independent interface is provided, offering basic functions for extracting data from packets, performing operations on that data and managing flow control.

The filtering rules themselves and the protocol-specific handlers are compiled into bytecode in user space; this bytecode is then loaded into the kernel over the netlink interface and executed there in a special virtual machine resembling BPF (Berkeley Packet Filters). This approach greatly reduces the amount of filtering code running at the kernel level and moves all rule parsing and protocol-handling logic into user space.

Main changes:

  • Wildcard matching of network interface names in sets, for example with a name mask written using the "*" symbol:
        table inet testifsets {
            set simple_wild {
                type ifname
                flags interval
                elements = { "abcdef*", "othername", "ppp0" }
            }
            chain v4icmp {
                type filter hook input priority 0; policy accept;
                iifname @simple_wild counter packets 0 bytes 0
                iifname { "abcdef*", "eth0" } counter packets 0 bytes 0
            }
        }
  • Automatic merging of overlapping elements of interval sets now also works at runtime. Previously, with the auto-merge option set, merging was only performed when the ruleset was declared; now it also happens when new elements are added incrementally while the set is in use. For example, at declaration time the set
        set y {
            flags interval
            auto-merge
            elements = { 1.2.3.0, 1.2.3.255, 1.2.3.0/24, 3.3.3.3, 4.4.4.4-4.4.4.8, 3.3.3.4, 3.3.3.5 }
        }
    is turned into
        elements = { 1.2.3.0/24, 3.3.3.3-3.3.3.5, 4.4.4.4-4.4.4.8 }
    and if new elements are then added with
        # nft add element ip x y { 1.2.3.0-1.2.4.255, 3.3.3.6 }
    it takes the form
        elements = { 1.2.3.0-1.2.4.255, 3.3.3.3-3.3.3.6, 4.4.4.4-4.4.4.8 }

    When an individual element that falls inside an existing range element is deleted from the set, the range is shrunk or split in two.

  • The rule optimizer invoked with the "-o/--optimize" option can now combine several network address translation (NAT) rules into a map. For example, for the ruleset
        # cat ruleset.nft
        table ip x {
            chain y {
                type nat hook postrouting priority srcnat; policy drop;
                ip saddr 1.1.1.1 tcp dport 8000 snat to 4.4.4.4:80
                ip saddr 2.2.2.2 tcp dport 8001 snat to 5.5.5
    the separate "ip saddr" rules are converted into a map:
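To make the auto-merge and range-splitting behaviour of interval sets concrete, here is an added Python model (not part of the release announcement or of the nftables code base) that merges the IPv4 elements of the example set above, applies a runtime addition, and deletes an element from a stored range; the merging and splitting logic is a simplified assumption, and the output formatting mimics how nft prints the values used here.

```python
import ipaddress

def parse_element(text):
    # nft set element (plain address, CIDR or "a-b" range) -> (lo, hi) ints.
    if "-" in text:
        return tuple(int(ipaddress.IPv4Address(p)) for p in text.split("-", 1))
    net = ipaddress.ip_network(text, strict=False)  # plain address becomes /32
    return int(net.network_address), int(net.broadcast_address)

def merge(intervals):
    # Union overlapping or adjacent ranges, as the auto-merge flag does.
    merged = []
    for lo, hi in sorted(intervals):
        if merged and lo <= merged[-1][1] + 1:       # touches previous range
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged

def remove(intervals, lo, hi):
    # Delete [lo, hi]: a range containing it shrinks, or splits in two.
    out = []
    for a, b in intervals:
        if hi < a or lo > b:
            out.append((a, b))                       # no overlap, keep as is
        else:
            if a < lo: out.append((a, lo - 1))       # part before deleted span
            if hi < b: out.append((hi + 1, b))       # part after it
    return out

def render(intervals):
    # Format as nft prints: single address, CIDR when aligned, else "a-b".
    parts = []
    for lo, hi in intervals:
        a, b = ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)
        nets = list(ipaddress.summarize_address_range(a, b))
        parts.append(str(a) if lo == hi else str(nets[0]) if len(nets) == 1 else f"{a}-{b}")
    return parts

def auto_merge(elements):
    # Elements as declared (or added at runtime) -> elements as stored.
    return render(merge([parse_element(e) for e in elements]))

def delete_element(elements, element):
    # Model removing one element from an auto-merged set.
    lo, hi = parse_element(element)
    return render(remove([parse_element(e) for e in elements], lo, hi))

# Constructed sample: the set declaration from the release notes above.
DECLARED = ["1.2.3.0", "1.2.3.255", "1.2.3.0/24", "3.3.3.3",
            "4.4.4.4-4.4.4.8", "3.3.3.4", "3.3.3.5"]
```

Calling auto_merge on the stored elements plus the newly added ones reproduces the runtime-merge result shown above, and delete_element shows a range splitting into two or shrinking to a CIDR block.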
