Linux 3.13 is out
Linux 3.13 is out, bringing among other things the first official release of nftables. nftables is the project that aims to replace the existing {ip,ip6,arp,eb}tables framework, aka iptables.
The nftables version in Linux 3.13 is not yet complete. Some important features are missing and will be introduced in the following Linux versions.
It is already usable in most cases, but complete support (read: nftables at a better level than iptables) should be available in Linux 3.15.
nftables comes with a new command line tool named nft. nft is the successor of iptables and its derivatives (ip6tables, arptables), and it has a completely different syntax.
Yes, if you are used to iptables, that's a shock. But there is a compatibility layer that allows you to keep using iptables even if the filtering is done by nftables in the kernel.
There is really only a little documentation available for now. You can find my nftables quick howto, and there are some other initiatives that should be made public soon.
Some command line examples
Multiple targets on one line
Suppose you want to log and drop a packet. With iptables, you had to write two rules, one for logging and one for dropping:
iptables -A FORWARD -p tcp --dport 22 -j LOG
iptables -A FORWARD -p tcp --dport 22 -j DROP
With nft, you can combine both targets in a single rule:
nft add rule filter forward tcp dport 22 log drop
Easy set creation
Suppose you want to allow packets to several ports and allow several icmpv6 types. With iptables, you need to use something like:
ip6tables -A INPUT -p tcp -m multiport --dports 23,80,443 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
With nft, sets can be used on any element of a rule:
nft add rule ip6 filter input tcp dport {telnet, http, https} accept
nft add rule ip6 filter input icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept
It is easier to write, and it is more efficient on the filtering side as only one rule is added per protocol.
You can also use named sets, so that their content can evolve over time:
# nft -i  # use interactive mode
nft> add set global ipv4_ad { type ipv4_address; }
nft> add element global ipv4_ad { 192.168.1.4, 192.168.1.5 }
nft> add rule ip global filter ip saddr @ipv4_ad drop
And later, when a new bad boy is detected:
# nft -i
nft> add element global ipv4_ad { 192.168.3.4 }
Mapping
One advanced feature of nftables is mapping. It is possible to take two different types of data and link them.
For example, we can associate an interface with a dedicated rule set (stored in a chain created beforehand). In the example, the chains are named low_sec and high_sec:
# nft -i
nft> add map filter jump_map { type ifindex : verdict; }
nft> add element filter jump_map { eth0 : jump low_sec; }
nft> add element filter jump_map { eth1 : jump high_sec; }
nft> add rule filter input iif vmap @jump_map
Now, let's say you have a new dynamic interface ppp1; it is easy to set up filtering for it. Simply add it to the jump_map mapping:
nft> add element filter jump_map { ppp1 : jump low_sec; }
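The named set and the interface map above are both things an administrator ends up maintaining from data (a list of addresses, a list of interfaces and their policy). As an added example that is not part of the original post, the POSIX shell script below builds both from plain variables and checks them before emitting the nft commands: every verdict in the map must jump to a chain the script also creates, and every blocked host must be a well-formed IPv4 address, so a typo is rejected before anything is sent to the kernel. The table, chain and set names, the sample addresses and the interface-to-chain assignments are constructed for this example; the type names (ipv4_address, ifindex) follow the post's nft syntax, which newer nft versions have renamed.

```sh
#!/bin/sh
# Added example, not part of the original post: build the post's named set and
# interface-to-chain map from plain data, check them, and emit nft commands.
# All names, addresses and interface assignments below are constructed sample
# data; type names (ipv4_address, ifindex) follow the post's nft syntax.

# Chains holding the per-interface policies; the map may only jump to these.
POLICY_CHAINS="low_sec high_sec"
# interface:chain pairs, one per word (constructed sample)
IFACE_POLICY="eth0:low_sec eth1:high_sec ppp1:low_sec"
# Source addresses to drop (constructed sample)
BAD_HOSTS="192.168.1.4 192.168.1.5 192.168.3.4"

# is_ipv4 ADDR: succeed only for a dotted quad whose four octets are all 0-255
is_ipv4() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# chain_defined NAME: succeed if NAME is one of POLICY_CHAINS
chain_defined() {
    for c in $POLICY_CHAINS; do
        [ "$c" = "$1" ] && return 0
    done
    return 1
}

# check_iface_policy: every interface:chain pair must name a defined chain
check_iface_policy() {
    for pair in $IFACE_POLICY; do
        iface=${pair%%:*}
        chain=${pair#*:}
        if [ -z "$iface" ] || [ "$iface" = "$pair" ]; then
            echo "malformed entry '$pair' (want iface:chain)" >&2
            return 1
        fi
        if ! chain_defined "$chain"; then
            echo "interface $iface jumps to undefined chain '$chain'" >&2
            return 1
        fi
    done
    return 0
}

# check_bad_hosts: every blocked host must be a well-formed IPv4 address
check_bad_hosts() {
    for h in $BAD_HOSTS; do
        if ! is_ipv4 "$h"; then
            echo "not an IPv4 address: '$h'" >&2
            return 1
        fi
    done
    return 0
}

# gen_ruleset: print the nft commands, or fail without printing anything
# when a check fails, so a broken list never reaches the kernel.
gen_ruleset() {
    check_iface_policy || return 1
    check_bad_hosts || return 1
    echo "add table ip filter"
    echo "add chain ip filter input { type filter hook input priority 0; }"
    for c in $POLICY_CHAINS; do
        echo "add chain ip filter $c"
    done
    # Named set of blocked sources: a single rule, elements can be added later
    echo "add set ip filter ipv4_ad { type ipv4_address; }"
    elements=$(printf '%s, ' $BAD_HOSTS)
    echo "add element ip filter ipv4_ad { ${elements%, } }"
    echo "add rule ip filter input ip saddr @ipv4_ad drop"
    # Interface map: the input interface selects which policy chain to jump to
    echo "add map ip filter jump_map { type ifindex : verdict; }"
    for pair in $IFACE_POLICY; do
        echo "add element ip filter jump_map { ${pair%%:*} : jump ${pair#*:} }"
    done
    echo "add rule ip filter input iif vmap @jump_map"
}

# Usage: redirect the output to a file, review it, then load it with nft -f.
# nft itself is never invoked by this script.
gen_ruleset
```

Adding a new interface or a new blocked host is then a matter of appending to IFACE_POLICY or BAD_HOSTS and regenerating; a chain name that does not exist in POLICY_CHAINS makes gen_ruleset fail before it prints a single command.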
On the administration and kernel side
Faster updates
Adding a rule with iptables got dramatically slower as the number of rules grew, which explains why scripts made of iptables calls take a long time to complete. This is no longer the case with nftables, which uses atomic and fast operations to update rule sets.
Fewer kernel updates
With iptables, each match or target required a kernel module. So you had to recompile the kernel in case you forgot something or wanted to use something new.
This is no longer the case with nftables. In nftables, most of the work is done in userspace and the kernel only knows a few basic instructions (filtering is implemented in a pseudo-state machine).
For example, icmpv6 support was achieved via a simple patch to the nft tool.
This type of modification in iptables would have required both a kernel and an iptables upgrade.
I have a question though: how can we perform a packet filter based on a pattern? E.g. in iptables, I could do a packet filter to block any line that contains
-A INPUT -p udp -m udp --dport 1514 -m string --string "some.exe" --algo bm -j DROP