Release of the nftables 0.9.9 packet filter

The nftables 0.9.9 packet filter has been released. It unifies the packet-filtering interfaces for IPv4, IPv6, ARP and network bridges and is intended to replace iptables, ip6tables, arptables and ebtables. At the same time, the companion library libnftnl 1.2.0, which provides a low-level API for interacting with the nf_tables subsystem, has been released; its changes are required for nftables 0.9.9 to operate. The kernel-side changes are included in the Linux 5.13-rc1 kernel.

The nftables package contains the packet filter components that run in user space, while the kernel-side work is done by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. At the kernel level only a generic, protocol-independent interface is provided, offering the basic functions of extracting data from packets, performing operations on that data and controlling the flow of processing.

The filtering rules and the protocol-specific handlers are compiled to bytecode in user space; this bytecode is then loaded into the kernel over the netlink interface and executed there by a special virtual machine resembling BPF (Berkeley Packet Filters). This approach significantly reduces the size of the filtering code that runs at the kernel level and moves all rule parsing and protocol-handling logic into user space.

Main innovations:

  • Added the ability to offload flowtable handling to the network adapter, enabled with the 'offload' flag. A flowtable is a mechanism for optimizing the packet forwarding path: the full traversal of all rule-processing chains is applied only to the first packet of a flow, and all subsequent packets of that flow are forwarded directly. Example:

        table ip global {
            flowtable f {
                hook ingress priority filter + 1
                devices = { lan3, lan0, wan }
                flags offload
            }
            chain forward {
                type filter hook forward priority filter; policy accept;
                ip protocol { tcp, udp } flow add @f
            }
            chain post {
                type nat hook postrouting priority filter; policy accept;
                oifname "wan" masquerade
            }
        }

  • Added support for the 'owner' table flag, which binds a table to the process that created it and guarantees that process exclusive use of the table. When the process exits, the table bound to it is deleted automatically. Information about the owning process is shown in the rule dump as a comment:

        table ip x { # progname nft
            flags owner
            chain y {
                type filter hook input priority filter; policy accept;
                counter packets 1 bytes 309
            }
        }
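The flowtable offload setup above, as an added shell example that is not part of the article or of the nftables project's code: it renders the ruleset for a given set of interfaces (the names wan, lan0 and lan3 are assumptions), syntax-checks it with `nft -c`, and loads it only when asked. Note the comment on the `flow add` rule: once a flow is in the flowtable, its later packets never reach the forward chain, so any rule that must inspect every packet has to sit before it.

```shell
#!/bin/sh
# Added example (not from the nftables project). Assumed interfaces:
# wan = uplink, lan0/lan3 = LAN side. Requires nft >= 0.9.9 for 'flags offload'.

# Print a ruleset that offloads forwarded TCP/UDP flows via flowtable "f".
# $1 = WAN interface, remaining arguments = LAN interfaces.
render_offload_ruleset() {
    wan="$1"; shift
    lan_list=$(printf '%s, ' "$@"); lan_list="${lan_list%, }"
    cat <<EOF
table ip global {
    flowtable f {
        # priority filter + 1: ordinary ingress filter chains still run first
        hook ingress priority filter + 1
        devices = { $lan_list, $wan }
        # hardware offload needs driver support; nft rejects the ruleset otherwise
        flags offload
    }
    chain forward {
        type filter hook forward priority filter; policy accept;
        # Only the first packet of a flow reaches this chain. After 'flow add'
        # the remaining packets bypass forward-chain rules entirely, so logging,
        # rate limiting or deep inspection rules must be placed before this line.
        ip protocol { tcp, udp } flow add @f
    }
    chain post {
        type nat hook postrouting priority filter; policy accept;
        oifname "$wan" masquerade
    }
}
EOF
}

# Syntax-check the ruleset without touching the kernel (nft -c reads stdin via "-").
check_ruleset() {
    render_offload_ruleset "$@" | nft -c -f -
}

# Load the ruleset and confirm the flowtable exists. Must run as root.
# Offloaded connections are later visible with the [OFFLOAD] flag in 'conntrack -L'.
load_and_verify() {
    render_offload_ruleset "$@" | nft -f - || return 1
    nft list flowtables | grep -q 'flowtable f' || return 1
}

# Usage (as root): check_ruleset wan lan0 lan3 && load_and_verify wan lan0 lan3
```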