nftables 0.9.4 is here and these are its most important changes

A few days ago the release of the new version of the packet filter nftables 0.9.4 was announced. nftables is developed as a replacement for iptables, ip6tables, arptables and ebtables, unifying the packet filtering interfaces for IPv4, IPv6, ARP and network bridges.

The nftables package contains the packet filter components that run in user space, while at the kernel level the nf_tables subsystem has been part of the Linux kernel since version 3.13.

At the kernel level, it only provides a common, protocol-independent interface with the basic functions needed to extract data from packets, perform operations on that data and control the flow.

All the filter rules and protocol-specific handlers are compiled into bytecode in user space, after which this bytecode is loaded into the kernel through the Netlink interface and executed in the kernel by a special virtual machine that resembles BPF (Berkeley Packet Filter).

This approach significantly reduces the size of the filtering code that runs at the kernel level and moves all the rule parsing and protocol-handling logic into user space.

Main new features of Nftables 0.9.4

All the changes needed for nftables 0.9.4 to work are included in the Linux 5.6 kernel branch, which adds support for ranges in concatenations (combinations of several fields, such as an address and a port), simplifying the definition of rules.

For example, for a whitelist set whose elements are concatenations, specifying the "range" flag indicates that the set may contain ranges inside the concatenation.

Added the ability to use concatenations in NAT mappings, making it possible to specify both the address and the port when defining NAT transformations based on map lists or named sets.

In addition, support was added for hardware acceleration by offloading some filtering operations. Offload is enabled through the ethtool utility ("ethtool -K eth0 hw-tc-offload on"), after which it is activated in nftables for the base chain using the "offload" flag.

With Linux kernel 5.6, hardware offload supports matching header fields and checking the incoming interface, in combination with the accept, drop, duplicate (dup) and forward (fwd) actions.

In sets and maps, the "typeof" directive can be used, which determines the element type from the expression being matched.

Of the other changes that stand out from this version:

  • Improved reporting of the location of errors in rules.
  • Added support for checking the slave interface by specifying "meta sdif" or "meta sdifname".
  • Added support for shifting to the right or left. For example, to shift the existing packet mark left by 1 bit and set the lowest bit to 1.
  • Implemented the "-V" option to display version information. Command line options must now be specified before commands. For example, you must specify "nft -a list ruleset"; executing "nft list ruleset -a" will generate an error.
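An added example ruleset (not from the article or from the nftables project) that puts the features above together: a concatenation set with ranges, typeof, sdifname, the shift operator, a NAT mapping to address . port and an offloaded base chain. Interface names, addresses and ports are constructed placeholders; check it with "nft -c -f" and load it with "nft -f".

```nft
#!/usr/sbin/nft -f
# Added example ruleset (not from the article). Interfaces, addresses and
# ports are constructed placeholders; requires nftables 0.9.4 and Linux 5.6.
flush ruleset

table inet filter {
    # Concatenated key that may contain ranges (the "interval" flag).
    set allowed_http {
        type ipv4_addr . inet_service
        flags interval
        elements = { 10.0.0.0/24 . 80,
                     192.168.1.10-192.168.1.20 . 8080-8088 }
    }

    # typeof derives the element type from the matched expression.
    set mgmt_hosts {
        typeof ip saddr
        elements = { 10.10.0.5, 10.10.0.6 }
    }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        # Whitelist lookup on the address . port concatenation.
        ip saddr . tcp dport @allowed_http accept
        # sdifname: SSH only via the management VRF slave device.
        meta sdifname "vrf-mgmt" ip saddr @mgmt_hosts tcp dport 22 accept
        # Shift operator: move the mark left one bit, set the lowest bit.
        meta mark set (meta mark << 1) | 0x1
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        # NAT mapping whose value is an address . port concatenation.
        iifname "eth0" dnat ip addr . port to tcp dport map {
            8080 : 10.0.0.10 . 80,
            8443 : 10.0.0.11 . 443 }
    }
}

table netdev offload {
    # Base chain flagged for hardware offload; run
    # "ethtool -K eth0 hw-tc-offload on" on the device first.
    chain ingress {
        type filter hook ingress device "eth0" priority 0; flags offload;
        ip saddr 203.0.113.0/24 udp dport 53 drop
    }
}
```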

How to install the new version of nftables 0.9.4?

For those interested in obtaining the new version of nftables 0.9.4, at the moment only the source code is available and it must be compiled on your system, although compiled binary packages should appear in the various Linux distributions within a matter of days.

To compile, you must have the following dependencies installed:

Each of these dependencies can be compiled with:

./autogen.sh
./configure
make
make install

nftables 0.9.4 itself is downloaded from the following link, and compiled with the following commands:

cd nftables
./autogen.sh
./configure
make
make install
