The release of the packet filter nftables 1.0.0 has been published. It unifies the packet-filtering interfaces for IPv4, IPv6, ARP and network bridges (and is aimed at replacing iptables, ip6tables, arptables and ebtables). The kernel changes required for nftables 1.0.0 to operate are included in Linux kernel 5.13. The large jump in the version number is not associated with any fundamental changes; it is only a consequence of continuing the numbering sequentially in decimal terms (the previous release was 0.9.9).
The nftables package includes the packet-filter components that operate in user space, while at the kernel level the work is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. At the kernel level only a common, protocol-independent interface is provided, offering the basic functions of extracting data from packets, performing operations on that data and controlling flow.
The filtering rules and the protocol-specific handlers are compiled into bytecode in user space, after which this bytecode is loaded into the kernel through the netlink interface and executed in the kernel by a special virtual machine resembling BPF (Berkeley Packet Filter). This approach significantly reduces the size of the filtering code running at the kernel level and moves all of the rule-parsing logic and protocol handling into user space.
Main innovations:
- In sets, support for the catch-all element "*" was added; it matches any packet that does not match the other elements defined in the set.

    table x {
        map blocklist {
            type ipv4_addr : verdict
            flags interval
            elements = { 192.168.0.0/16 : accept, 10.0.0.0/8 : accept, * : drop }
        }
        chain y {
            type filter hook prerouting priority 0; policy accept;
            ip saddr vmap @blocklist
        }
    }

- Variables can now be defined from the command line using the "--define" option.

    # cat test.nft
    table netdev x {
        chain y {
            type filter hook ingress devices = $dev priority 0; policy drop;
        }
    }
    # nft --define dev="{ eth0, eth1 }" -f test.nft

- Maps now allow the use of stateful expressions (such as counters) in their elements:

    table inet filter {
        map portmap {
            type inet_service : verdict
            counter
            elements = { 22 counter packets 0 bytes 0 : jump ssh_input, * counter packets 0 bytes 0 : drop }
        }
        chain ssh_input {
        }
        chain wan_input {
            tcp dport vmap @portmap
        }
        chain prerouting {
            type filter hook prerouting priority raw; policy accept;
            iif vmap { "lo" : jump wan_input }
        }
    }
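The three features above combine naturally into one inbound ruleset. The following is an added example written for this article, not a ruleset from the nftables release notes: the variable `lan`, the table name `filter` and the chain names `lan_input`, `unknown_src` and `input` are assumptions. It uses a catch-all map element to route traffic from any source that is not the defined LAN prefix into a chain that counts and logs it before dropping, so the default-deny path is visible to the operator rather than silent.

```nft
#!/usr/sbin/nft -f
# Added example (not from the nftables project). Load with:
#   nft --define lan=192.168.0.0/16 -f input.nft
# "lan" is supplied on the command line via --define (nftables >= 1.0.0);
# the table and chain names below are hypothetical.

flush ruleset

table inet filter {
    # Verdict map keyed on source address. The catch-all "*" element
    # (new in 1.0.0) catches every source not covered by $lan.
    map src_policy {
        type ipv4_addr : verdict
        flags interval
        elements = { $lan : jump lan_input, * : jump unknown_src }
    }

    # Traffic from the LAN prefix: allow SSH only, count and drop the rest.
    chain lan_input {
        tcp dport 22 counter accept
        counter drop
    }

    # Traffic from any other source: count and log before dropping so the
    # catch-all path shows up in "nft list ruleset" and in syslog.
    chain unknown_src {
        counter log prefix "nft unknown-src: " level info
        drop
    }

    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ct state established,related accept
        ip saddr vmap @src_policy
    }
}
```

Because the counters sit on rules in the two target chains rather than on the map elements, `nft list ruleset` shows separately how many packets were accepted from the LAN, dropped from the LAN, and dropped by the catch-all path; a sudden rise in the `unknown_src` counter is the signal a defender would alert on.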