nftables 1.0.7 has been released; these are its new features

nftables

nftables is a project that provides packet filtering and packet classification on Linux

The release of nftables 1.0.7, the packet filter, has been published; it comes with improvements and corrections as well as some new features.

For those unfamiliar with nftables, you should know that it unifies the packet filtering interfaces for IPv4, IPv6, ARP and network bridging (it is intended to replace iptables, ip6tables, arptables and ebtables). At the same time, the companion library libnftnl 1.2.3 was released, which provides a low-level API for interfacing with the nf_tables subsystem.

The nftables package includes the packet filter components that work in user space, while at the kernel level the work is done by the nf_tables subsystem, which has been part of the Linux kernel since version 3.13.

The kernel side provides only a generic, protocol-independent interface with the basic functions to extract data from packets, perform operations on that data and control the flow.

All the filter rules and the protocol-specific logic are compiled into bytecode in user space; this bytecode is then loaded into the kernel through the Netlink interface and executed in the kernel by a special virtual machine that resembles BPF (Berkeley Packet Filter).

Main new features of nftables 1.0.7

In this new version, nftables 1.0.7, support was added for matching the vxlan, geneve, gre and gretap protocols on systems with Linux kernel 6.2 or later, which allows simple expressions to check headers in encapsulated packets.

For example, to check the IP address in the header of a packet nested inside VXLAN, you can now use rules such as the following (without the need to first decapsulate the VXLAN header and bind the filter to the vxlan0 interface):

In addition, support was implemented for automatically merging what remains after the partial removal of an element from a set, which allows a single element or part of a range to be removed from an existing range (previously, a range could only be removed in its entirety).

For example, after removing element 25 from a set containing the ranges 24-30 and 40-50, the set will contain 24, 26-30 and 40-50. The fixes required for automatic merging to work will be provided in patch releases of the 5.10+ stable kernel branches.

Support was also added for the "last" expression, which allows finding out when a rule or set element was last used. This feature is supported since Linux kernel 5.14.

A new "destroy" command has also been added to remove objects unconditionally (unlike the existing delete command, it does not raise ENOENT when trying to remove a missing object). It requires at least a Linux 6.3-rc kernel to work.

  • The use of constants in set keys is now allowed. For example, with a set keyed by destination address and VLAN ID, you can specify the VLAN number directly (daddr . 123):
  • Added the ability to define quotas on set elements. For example, to define a traffic quota for each destination IP address, you can specify .
  • Concatenations and ranges can now be used in address translation (NAT) mappings.
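A constructed ruleset, added here as an example (it is not from the article or from the nftables project), that exercises the features described above: inner-header matching on VXLAN traffic, the "last" statement, an interval set with auto-merge for partial range removal, and the "destroy" command. The interface name eth0, the VNI 100, the addresses and the port ranges are assumptions.

```nft
#!/usr/sbin/nft -f
# Constructed example, not from the nftables project or the article above.
# Assumes interface "eth0" and a VXLAN VNI of 100; adjust to your network.
flush ruleset

table netdev tunnels {
    chain ingress {
        type filter hook ingress device "eth0" priority 0; policy accept;

        # Inner-header matching (nftables 1.0.7, Linux 6.2+): inspect the IPv4
        # source address carried inside a VXLAN frame without decapsulating it
        # first and without binding the filter to a vxlan interface.
        udp dport 4789 vxlan vni 100 vxlan ip saddr 10.10.0.0/16 counter drop

        # "last" (Linux 5.14+) records when this rule last matched; the time
        # since then is shown as "last used ..." by "nft list ruleset".
        tcp dport 22 last accept
    }
}

table inet filter {
    # Interval set with auto-merge: deleting part of a range leaves the
    # remaining elements merged, e.g. removing 25 yields 24, 26-30, 40-50.
    set allowed_ports {
        type inet_service
        flags interval
        auto-merge
        elements = { 24-30, 40-50 }
    }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        tcp dport @allowed_ports accept
    }
}

# After loading this file with "nft -f <file>", the new features can be
# exercised from the shell:
#   nft delete element inet filter allowed_ports { 25 }
#       -> set now holds 24, 26-30, 40-50 (needs a patched 5.10+ stable kernel)
#   nft destroy table netdev tunnels
#       -> succeeds even if the table was already gone (Linux 6.3+), whereas
#          "nft delete table netdev tunnels" would fail with ENOENT
```

The drop rule on VXLAN inner addresses is useful on a host that terminates overlay traffic, since the filter sees the encapsulated packet before any vxlan device does.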

Finally, for those interested in knowing more about this new version, you can check the details at the following link.

How to install the new version of nftables 1.0.7?

For those interested in getting nftables 1.0.7 right now, at the moment only the source code is available, which must be compiled on your system; within a matter of days, compiled binary packages will be available in the various Linux distributions.

To compile, you must have the following dependencies installed:

These can be compiled with:

./autogen.sh
./configure
make
make install

And nftables 1.0.5 we download from the following link; the compilation is done with the following commands:

cd nftables
./autogen.sh
./configure
make
make install
