nftables Packet Filter 1.0.8 Released

The release of the packet filter nftables 1.0.8 has been announced on the netfilter-announce list. The project unifies the packet filtering interfaces for IPv4, IPv6, ARP and network bridges, with the goal of replacing iptables, ip6tables, arptables and ebtables. The nftables package contains the user-space components of the packet filter; on the kernel side it relies on the nf_tables subsystem, which has been part of the Linux kernel since version 3.13. The kernel provides a generic, protocol-independent interface with basic primitives for extracting data from packets, operating on that data, and managing flows.

In user space, filtering rules and protocol-specific handlers are compiled into bytecode. That bytecode is loaded into the kernel over the Netlink interface and executed in a dedicated virtual machine resembling BPF (Berkeley Packet Filter). This approach keeps the filtering code running inside the kernel small and moves rule parsing and protocol logic into user space.

The latest version of nftables introduces several key changes:

  • Support for setting meta and ct fields from other packet fields in rules. For example, a packet mark can now be derived from the DSCP field of the IP header with the syntax `meta mark set ip dscp`. This gives greater flexibility in how rules are built.
  • Improvements to the rule optimizer enabled with the -o (--optimize) option, in particular better folding of expressions related to address translation (NAT). For instance, the rules `ip saddr 10.141.11.0/24 masquerade`, `ip saddr 10.141.13.0/24 masquerade`, `tcp dport 83 redirect to :8083` and `tcp dport 84 redirect to :8084` can now be merged into `ip saddr { 10.141.11.0/24, 10.141.13.0/24 } masquerade` and `redirect to :tcp dport map { 83 : 8083, 84 : 8084 }`. This makes rulesets more concise and improves performance.
  • Support for stateful expressions in anonymous map declarations, which allows counters to be included within such expressions. For example, expressions like “meta mark
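As an added example (not part of the announcement or of the nftables project's own test suite), the following ruleset exercises the first two features listed above: the `meta mark set ip dscp` assignment, and the separately written NAT rules that the optimizer folds into a set and a map. The table and chain names are assumptions chosen for illustration.

```nft
#!/usr/sbin/nft -f
# Added example ruleset; table/chain names are illustrative assumptions.
flush ruleset

table ip demo {
    chain mangle_in {
        type filter hook prerouting priority mangle; policy accept;
        # nftables 1.0.8: copy the IP header's DSCP value into the packet mark
        meta mark set ip dscp
    }

    chain snat_out {
        type nat hook postrouting priority srcnat; policy accept;
        # Written as two rules; with -o they become
        #   ip saddr { 10.141.11.0/24, 10.141.13.0/24 } masquerade
        ip saddr 10.141.11.0/24 masquerade
        ip saddr 10.141.13.0/24 masquerade
    }

    chain dnat_in {
        type nat hook prerouting priority dstnat; policy accept;
        # Written as two rules; with -o they become
        #   redirect to :tcp dport map { 83 : 8083, 84 : 8084 }
        tcp dport 83 redirect to :8083
        tcp dport 84 redirect to :8084
    }
}
```

Running `nft -c -o -f demo.nft` checks the file and prints the optimized form without loading it, which is a safe way to review what the optimizer changes before applying a ruleset on a production host.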