Netfilter has released nftables 1.1.6, which unifies packet filtering for IPv4, IPv6, ARP, and network bridges behind one interface, with the goal of eventually replacing the older iptables, ip6tables, arptables, and ebtables tools. Alongside this release, the accompanying library libnftnl 1.3.1 was also published; it provides the low-level API used to talk to the nf_tables kernel subsystem.
The nftables package consists of packet filter components that operate in user space, while the kernel-level functionalities are handled by the nf_tables subsystem, which has been integrated into the Linux kernel since version 3.13. The kernel provides a general interface independent of specific protocols, offering basic functions for packet data extraction, data operations, and flow control.
Filtering rules and protocol-specific handlers are compiled into bytecode in user space before being loaded into the kernel using the Netlink interface. They are then executed in a special virtual machine within the kernel, similar to Berkeley Packet Filters (BPF). This approach helps minimize the size of filtering code running at the kernel level and shifts rule parsing and protocol logic functions to the user space.
Key updates in the latest release include full support for lightweight tunnel templates such as vxlan, geneve, and erspan. Additionally, the release has added support for masks in network interface names in netdev handlers and implemented support for transmitting L2 frames to the network bridge interface on systems with the Linux 6.18+ kernel.
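The following ruleset is an added illustration, not code from the nftables project or this release. It shows the two points the text makes about the design: a netdev-family chain hooked at ingress, where the kernel sees the frame before the IP stack, and an inet-family table whose single set of rules covers IPv4 and IPv6 at once. The interface name eth0, the management prefixes in admin_nets, and the service ports are assumptions chosen for the example.

```nft
#!/usr/sbin/nft -f
# Added example (not from the nftables release). Interface name and
# addresses below are assumptions for illustration only.
flush ruleset

# netdev family: hooks at ingress, before the packet reaches the IP stack,
# so obviously bogus traffic is dropped as cheaply as possible.
table netdev early {
    chain ingress {
        type filter hook ingress device eth0 priority -500; policy accept;
        # TCP segments with no flags at all, or SYN and FIN together, are malformed
        tcp flags & (fin|syn|rst|psh|ack|urg) == 0 counter drop
        tcp flags & (fin|syn) == (fin|syn) counter drop
        # loopback source address arriving on a physical interface is spoofed
        ip saddr 127.0.0.0/8 counter drop
    }
}

# inet family: one table serves both IPv4 and IPv6, the protocol-independent
# model described in the text.
table inet filter {
    set admin_nets {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.0/24 }
    }

    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state invalid counter drop
        iif lo accept
        # ICMP/ICMPv6 are needed for path MTU discovery and neighbour discovery
        meta l4proto { icmp, icmpv6 } accept
        # SSH only from the management networks in the set above
        ip saddr @admin_nets tcp dport 22 accept
        tcp dport { 80, 443 } accept
        # count whatever falls through to the default-drop policy
        counter comment "default-drop hits"
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}
```

Save it as a file and run nft -c -f ruleset.nft to parse and validate it without loading anything into the kernel; nft -f ruleset.nft loads it. To see the user-space compilation step the text describes, nft --debug=netlink add rule inet filter input tcp dport 22 accept prints the netlink expressions generated for that rule before they are sent to the kernel.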
Furthermore, a new infrastructure for fuzz testing with the afl++ toolkit has been incorporated: passing "--with-fuzzer" to the configure script enables fuzzing during the build stage.