Release of the packet filter nftables 1.0.7

The release of the packet filter nftables 1.0.7 is available. It unifies the packet filtering interfaces for IPv4, IPv6, ARP and network bridges and is intended to replace iptables, ip6tables, arptables and ebtables. The nftables package contains the user-space components of the packet filter, while the kernel side is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. At the kernel level only a generic, protocol-independent interface is provided, offering the basic primitives for extracting data from packets, operating on that data and controlling the flow of rule evaluation.
The filtering rules themselves and the protocol-specific handlers are compiled into bytecode in user space; this bytecode is then loaded into the kernel over the Netlink interface and executed inside the kernel by a dedicated virtual machine resembling BPF (Berkeley Packet Filter). This approach considerably reduces the amount of filtering code that runs at the kernel level and moves all the rule analysis and protocol-handling logic into user space.
The main changes:
- For systems with a Linux 6.2+ kernel, matching on the inner headers of the VXLAN, Geneve, GRE and GRETAP tunnelling protocols is supported, so that simple expressions can check the headers of encapsulated packets. For example, the IP addresses in the header of the inner packet carried by VXLAN can now be checked with rules like the following, without first decapsulating the VXLAN header and binding the filter to the vxlan0 interface (the outer "udp dport 4789" match selects the encapsulation; the "vxlan" keyword then refers to the inner headers):

    ... udp dport 4789 vxlan ip protocol udp ...
    ... udp dport 4789 vxlan ip saddr 1.2.3.0/24 ...
    ... udp dport 4789 vxlan ip saddr . vxlan ip daddr { 1.2.3.4 . 4.3.2.1 }
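To make explicit which bytes the new "vxlan ip ..." expressions examine, here is an added Python example (not code from the nftables project or from this article) that decapsulates one VXLAN layer from a constructed UDP payload in user space and evaluates the three matches quoted above. The packet contents, the VNI, the MAC addresses and the helper names are constructed for illustration; the header offsets follow RFC 7348 and the standard Ethernet II and IPv4 layouts. In the kernel, nft performs the equivalent inspection inside the rule itself; the code only spells out the offsets and the failure cases (not VXLAN, not IPv4) in which such a rule does not match.

```python
import ipaddress
import struct

# Protocol layout constants (RFC 7348 VXLAN, Ethernet II, IPv4). An nft rule
# "udp dport 4789 vxlan ip saddr ..." matches the outer UDP port and then
# inspects the same inner bytes this parser extracts.
VXLAN_HDR_LEN = 8
VXLAN_FLAG_I = 0x08          # "VNI valid" flag in the first VXLAN byte
ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPV4_HDR_MIN_LEN = 20
UDP_PROTO = 17


def build_vxlan_payload(vni, inner_src, inner_dst, inner_proto, inner_l4):
    """Constructed sample: VXLAN header + inner Ethernet + inner IPv4 + L4 bytes.

    This is the UDP payload as seen after the outer "udp dport 4789" match.
    The inner IPv4 checksum is left at zero because nothing here verifies it.
    """
    vxlan = struct.pack("!B3s3sB", VXLAN_FLAG_I, b"\x00" * 3,
                        vni.to_bytes(3, "big"), 0)
    eth = (bytes.fromhex("020000000001")        # constructed inner dst MAC
           + bytes.fromhex("020000000002")      # constructed inner src MAC
           + struct.pack("!H", ETHERTYPE_IPV4))
    ipv4 = struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, IPV4_HDR_MIN_LEN + len(inner_l4), 0, 0x4000,
                       64, inner_proto, 0,
                       ipaddress.IPv4Address(inner_src).packed,
                       ipaddress.IPv4Address(inner_dst).packed)
    return vxlan + eth + ipv4 + inner_l4


def inner_ipv4_fields(udp_payload):
    """Decapsulate one VXLAN layer and return the inner IPv4 fields that the
    "vxlan ip protocol/saddr/daddr" expressions look at.

    Raises ValueError when the payload is not VXLAN carrying IPv4, which is
    exactly the case in which such a rule does not match.
    """
    if len(udp_payload) < VXLAN_HDR_LEN + ETH_HDR_LEN + IPV4_HDR_MIN_LEN:
        raise ValueError("payload too short for VXLAN + Ethernet + IPv4")
    flags, _, vni_bytes, _ = struct.unpack("!B3s3sB", udp_payload[:VXLAN_HDR_LEN])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set, VNI is not valid")
    eth_off = VXLAN_HDR_LEN
    ethertype = struct.unpack("!H", udp_payload[eth_off + 12:eth_off + 14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"inner ethertype 0x{ethertype:04x} is not IPv4")
    ip_off = eth_off + ETH_HDR_LEN
    (ver_ihl, _, _, _, _, _, proto, _, saddr, daddr) = struct.unpack(
        "!BBHHHBBH4s4s", udp_payload[ip_off:ip_off + IPV4_HDR_MIN_LEN])
    if ver_ihl >> 4 != 4:
        raise ValueError("inner IP version is not 4")
    return {
        "vni": int.from_bytes(vni_bytes, "big"),
        "protocol": proto,
        "saddr": ipaddress.IPv4Address(saddr),
        "daddr": ipaddress.IPv4Address(daddr),
    }


def rule_matches(fields, protocol=None, saddr=None, saddr_daddr_set=None):
    """Evaluate the three example matches from the release notes.

    protocol        -> "vxlan ip protocol <n>"
    saddr           -> "vxlan ip saddr <prefix>"
    saddr_daddr_set -> "vxlan ip saddr . vxlan ip daddr { a . b, ... }"
    Criteria left as None are not part of the rule.
    """
    if protocol is not None and fields["protocol"] != protocol:
        return False
    if saddr is not None and fields["saddr"] not in ipaddress.ip_network(saddr):
        return False
    if saddr_daddr_set is not None:
        pair = (str(fields["saddr"]), str(fields["daddr"]))
        if pair not in saddr_daddr_set:
            return False
    return True


# Constructed sample packet: VNI 100, inner UDP 1.2.3.4:40000 -> 4.3.2.1:53.
SAMPLE_PAYLOAD = build_vxlan_payload(
    vni=100, inner_src="1.2.3.4", inner_dst="4.3.2.1", inner_proto=UDP_PROTO,
    inner_l4=struct.pack("!HHHH", 40000, 53, 8, 0))

if __name__ == "__main__":
    f = inner_ipv4_fields(SAMPLE_PAYLOAD)
    print(f)
    print("vxlan ip protocol udp:", rule_matches(f, protocol=UDP_PROTO))
    print("vxlan ip saddr 1.2.3.0/24:", rule_matches(f, saddr="1.2.3.0/24"))
    print("saddr . daddr in set:",
          rule_matches(f, saddr_daddr_set={("1.2.3.4", "4.3.2.1")}))
```

The concatenation match in the third rule is order-sensitive: the set holds the pair (saddr, daddr), so a reply packet with the addresses swapped does not match, which is what the last assertion below checks.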
- Support for automatically merging the remainders left after partial deletion of a set element, which makes it possible to remove a single element or part of a range from an existing range (previously a range could only be deleted as a whole). For example, after deleting element 25 from a set containing the ranges 24-30 and 40-50, the set will hold 24, 26-30 and 40-50. The kernel fixes needed for auto-merge to work will be proposed for the point releases of the stable 5.10+ kernel branches.

    # nft list ruleset
    table ip x {
            set y {
                    typeof tcp dport
                    flags interval
                    auto-merge
                    elements = { 24-30, 40-50 }
            }
    }
    # nft delete element ip x y { 25 }
    # nft list ruleset
    table ip x {
            set y {
                    typeof tcp dport
                    flags interval
                    auto-merge
                    elements = { 24, 26-30, 40-50 }
            }
    }
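The split-and-merge behaviour of interval sets, as an added Python model (not nftables code and not part of the original article) of what the listing above shows: ranges are kept as sorted (lo, hi) pairs, delete_element clips a sub-range out of a covering range and keeps the remainders, and add_element with auto-merge coalesces overlapping or adjacent ranges. The function names, and the partial flag that reproduces the pre-1.0.7 "whole range only" restriction for contrast, are assumptions made for this example; format_elements mirrors how "nft list ruleset" prints single values and ranges.

```python
def format_elements(elements):
    """Render ranges the way 'nft list ruleset' prints them: 24, 26-30, 40-50."""
    return ", ".join(str(lo) if lo == hi else f"{lo}-{hi}" for lo, hi in elements)


def normalize(elements):
    """Sort (lo, hi) ranges and coalesce any that overlap or touch.

    This is the auto-merge step: 24-24 next to 25-25 becomes 24-25, and
    26-30 next to 31-39 becomes 26-39.
    """
    merged = []
    for lo, hi in sorted(elements):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def add_element(elements, lo, hi=None, auto_merge=True):
    """Add a single value (hi omitted) or a range lo-hi to an interval set.

    Without auto-merge an overlapping interval is an error and adjacent
    ranges stay separate. With auto-merge the result is coalesced.
    """
    hi = lo if hi is None else hi
    if lo > hi:
        raise ValueError(f"invalid range {lo}-{hi}")
    if not auto_merge:
        for elo, ehi in elements:
            if lo <= ehi and elo <= hi:
                raise ValueError(
                    f"interval {format_elements([(lo, hi)])} overlaps with "
                    f"existing {format_elements([(elo, ehi)])}")
    updated = list(elements) + [(lo, hi)]
    return normalize(updated) if auto_merge else sorted(updated)


def delete_element(elements, lo, hi=None, partial=True):
    """Delete a value or range from an interval set.

    partial=True models the 1.0.7 behaviour: the sub-range is clipped out
    of any range covering it and the remainders are kept (removing 25 from
    24-30 leaves 24 and 26-30). partial=False models the older behaviour,
    assumed here for contrast, where only a whole existing range may go.
    """
    hi = lo if hi is None else hi
    remaining = []
    found = False
    for elo, ehi in elements:
        if hi < elo or lo > ehi:       # disjoint, keep as is
            remaining.append((elo, ehi))
            continue
        found = True
        if not partial and (elo, ehi) != (lo, hi):
            raise ValueError(
                f"{format_elements([(lo, hi)])} is not a whole element; "
                f"covering range is {format_elements([(elo, ehi)])}")
        if elo < lo:                   # left remainder
            remaining.append((elo, lo - 1))
        if hi < ehi:                   # right remainder
            remaining.append((hi + 1, ehi))
    if not found:
        raise ValueError(f"{format_elements([(lo, hi)])} is not in the set")
    return sorted(remaining)


if __name__ == "__main__":
    # The release-notes example: set y with elements = { 24-30, 40-50 }.
    y = [(24, 30), (40, 50)]
    y = delete_element(y, 25)
    print("after delete 25:", format_elements(y))        # 24, 26-30, 40-50
    print("after add 31-39:", format_elements(add_element(y, 31, 39)))
```

Re-adding 25 to the split set merges the three pieces back into 24-30, and adding 31-39 bridges 26-30 and 40-50 into 26-50; both are shown in the assertions, together with the overlap error that a set without auto-merge raises.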