The release of the packet filter nftables 1.0.6 has been published. nftables unifies the packet filtering interfaces for IPv4, IPv6, ARP and network bridges and is intended to replace iptables, ip6tables, arptables and ebtables. The nftables package contains the user-space components of the packet filter, while the kernel side is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. At the kernel level only a generic, protocol-independent interface is provided; it offers the basic primitives for extracting data from packets, operating on that data and controlling the flow of rule evaluation.
The filtering rules themselves and the protocol-specific handlers are compiled into bytecode in user space. This bytecode is then loaded into the kernel over the Netlink interface and executed inside the kernel by a special virtual machine resembling BPF (Berkeley Packet Filter). This approach makes it possible to substantially reduce the amount of filtering code running in the kernel and to move all rule parsing and protocol-handling logic into user space.
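The following ruleset is an added illustration of the points above; it is not part of the nftables 1.0.6 announcement or of the project's own documentation, and the addresses, ports and chain layout are constructed for the example. It shows the unification the text describes: a single table in the "inet" family filters both IPv4 and IPv6 (which under iptables required two tools and two copies of every rule), while the "bridge" family takes over the ebtables role. Every rule is written in terms of protocol fields; nft translates them into Netlink expressions in user space and the kernel only executes the resulting bytecode.

```nft
#!/usr/sbin/nft -f
# Added example, not code from the nftables project.
# One ruleset covering IPv4 and IPv6 (inet family) plus bridge traffic.

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        # Connection-tracking rules apply identically to v4 and v6.
        ct state established,related accept
        ct state invalid drop

        iif "lo" accept

        # Protocol-specific matches remain available where the families differ.
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # A single rule replaces one iptables and one ip6tables rule.
        tcp dport { 22, 443 } accept

        # Rate-limited logging just before the policy drop takes effect.
        limit rate 5/minute log prefix "nft drop: "
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
    }
}

# The bridge family filters frames switched between bridge ports
# (the ebtables role); the arp family works the same way for arptables.
table bridge filter {
    chain forward {
        type filter hook forward priority filter; policy accept;
        ether type arp counter
    }
}
```

Save it as ruleset.nft and run `nft -c -f ruleset.nft` to have the user-space compiler check it without loading anything into the kernel. Running `nft --debug=netlink -f ruleset.nft` additionally prints, for each rule, the Netlink expressions that were generated for it: a match such as `tcp dport 22` appears as a payload load from the transport header followed by a compare against the port value. Those expressions are the bytecode that the kernel virtual machine executes, which is exactly the split between user space and kernel described above.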
The main changes: