nftables packet filter 1.0.5 released

Release 1.0.5 of the packet filter nftables has been published. It unifies the packet filtering interfaces for IPv4, IPv6, ARP and network bridges (aimed at replacing iptables, ip6tables, arptables and ebtables). At the same time, release 1.2.3 of the companion library libnftnl was published, providing a low-level API for interacting with the nf_tables subsystem. The nf_tables subsystem has been part of the Linux kernel since release 3.13. At the kernel level only a generic, protocol-independent interface is provided, offering basic functions for extracting data from packets, performing operations on that data and managing control flow.

The filtering rules themselves and the protocol-specific handlers are compiled into bytecode in user space; this bytecode is then loaded into the kernel over the netlink interface and executed in the kernel by a special virtual machine resembling BPF (Berkeley Packet Filters). This approach significantly reduces the size of the filtering code running at the kernel level and moves all rule parsing and protocol logic into user space.

The main changes:

  • Problems in the rule optimizer, enabled with the "-o/--optimize" option, when merging rules into map and set expressions have been fixed. Given the ruleset
        # cat ruleset.nft
        table ip x {
          chain y {
            type nat hook postrouting priority srcnat; policy drop;
            ip saddr 1.1.1.1 tcp dport 8000 snat to 4.4.4.4:80
            ip saddr 2.2.2.2 tcp dport 8001 snat to 5.5.5.5:90
          }
        }
    the optimizer reports the rules being merged, each prefixed by its position in the file (for example "3-52: ip saddr 1.1.1.1 tcp dport 8000 snat to 4.4.4.4:80"), and replaces them with a single map-based rule:
        snat to ip saddr . tcp dport map { 1.1.1.1 . 8000 : 4.4.4.4 . 80, 2.2.2.2 . 8001 : 5.5.5.5 . 90 }
  • Dynamic sets keyed by a concatenation of Ethernet and VLAN fields, and populated from the values seen in passing packets, are now supported:
        add table netdev x
        add chain netdev x y { type filter hook ingress device enp0s25 priority 0; }
        add set netdev x macset { typeof ether daddr . vlan id; flags dynamic, timeout; }
        add rule netdev x y update @macset { ether daddr . vlan id timeout 60s }
        add rule netdev x y ether saddr . vlan id { 0a:0b:0c:0d:0e:0f . 42, 0a:0b:0c:0d:0e:0f . 4095 } counter accept
  • Listing of rules whose map expressions contain interface names with wildcard masks has been fixed:
        table inet filter {
          chain input {
            iifname vmap { "eth0" : jump input_lan, "wg*" : jump input_vpn }
          }
          chain input_lan {
          }
          chain input_vpn {
          }
        }
  • A regression that caused valid rules to be lexed incorrectly has been fixed.
  • Slow processing and automatic merging of large sets whose elements define value intervals have been fixed.
  • A crash when adding elements to an invalid set has been fixed.
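As an added illustration of the optimizer merge shown in the first item above (this is not nftables' own code): a small Python model that folds NAT rules differing only in their literal values into one map-based rule, the way "nft -o" does. It assumes only the "ip saddr … tcp dport … snat to addr:port" rule shape and uses a constructed two-rule input.

```python
import re

# Constructed sample input: the two NAT rules from the ruleset in the first item above.
RULES = [
    "ip saddr 1.1.1.1 tcp dport 8000 snat to 4.4.4.4:80",
    "ip saddr 2.2.2.2 tcp dport 8001 snat to 5.5.5.5:90",
]

# Only this rule shape is modelled: "<proto> <field> <literal>"... "snat to <addr>:<port>".
SNAT_RE = re.compile(r"^(.*?)\s*snat to (\S+):(\d+)$")


def parse_rule(rule):
    """Split an nft NAT rule into (selectors, literals, target).

    selectors: e.g. ("ip saddr", "tcp dport"); literals: the matched values in the
    same order; target: (address, port). Returns None for rules of another shape.
    """
    m = SNAT_RE.match(rule)
    if not m:
        return None
    tokens = m.group(1).split()
    if not tokens or len(tokens) % 3:
        return None
    selectors = tuple(f"{tokens[i]} {tokens[i + 1]}" for i in range(0, len(tokens), 3))
    literals = tuple(tokens[i + 2] for i in range(0, len(tokens), 3))
    return selectors, literals, (m.group(2), m.group(3))


def merge_snat_rules(rules):
    """Fold rules that differ only in their literals into one map-based rule.

    This mirrors what the -o/--optimize pass does for the ruleset above.  Returns
    None when the rules do not share one selector chain, or when two rules match the
    same key (a map needs distinct keys, so such rules must be kept separate).
    """
    parsed = [parse_rule(r) for r in rules]
    if len(parsed) < 2 or any(p is None for p in parsed):
        return None
    selectors = parsed[0][0]
    entries, seen = [], set()
    for sels, literals, (addr, port) in parsed:
        if sels != selectors or literals in seen:
            return None
        seen.add(literals)
        entries.append(f"{' . '.join(literals)} : {addr} . {port}")
    return f"snat to {' . '.join(selectors)} map {{ {', '.join(entries)} }}"


if __name__ == "__main__":
    print(merge_snat_rules(RULES))
```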