Lead Image © alphaspirit, 123RF.com
Linux nftables packet filter
Screened
The Linux kernel already contains a variety of packet filters, starting with ipfwadm and followed by ipchains and iptables. Kernel 3.13 saw the introduction of nftables [1], which uses the nft tool to create and manage rules. With the help of its own virtual machine, nftables ensures that rulesets are converted into bytecode, which is then loaded into the kernel. Not only does this improve performance, but it also allows administrators to enable new rules dynamically without having to reload the entire ruleset.
nftables reuses parts of the old Netfilter framework, removing the need to develop new hooks, which are nothing more than certain points in the network stack of the Linux kernel at which a packet is inspected and, in the case of a match, one or more actions executed. For this purpose, tables that store chains exist at these hook points. The chains in turn contain the rules.
The way in which the individual packets are now checked against the rules is another new feature of nftables. The classification is now far more sophisticated and elegant than it was in the days of iptables. For example, address families now allow you to process different packets with a single rule. If you wanted to examine IPv4 and IPv6 packets in the past, you not only needed different rules, you even had to load them into the kernel with different tools: iptables and ip6tables.
The simple nftables inet table type includes both IPv4 and IPv6. Now, you can also merge different statements with nftables. With iptables, writing a packet to the log first and then performing another action, such as dropping the packet, was a very roundabout approach that required two rules:
```bash
iptables -A INPUT -p tcp --dport 23 -j LOG
iptables -A INPUT -p tcp --dport 23 -j DROP
```
With nftables, this is reduced to a single
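The following is an added example, not part of the original article: a small shell script that emits an nftables ruleset doing what the two iptables commands above do, in a single rule and for IPv4 and IPv6 at once via the inet family. It also shows the table, chain and hook structure described earlier. The table name "filter", the chain name "input" and the log prefix are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the article): one nftables rule that logs and
# drops inbound telnet, covering IPv4 and IPv6 through the inet family.
# Table name, chain name and log prefix are assumptions for illustration.

# Emit the ruleset text to stdout.
nft_ruleset() {
    cat <<'EOF'
flush ruleset
table inet filter {
    chain input {
        # "input" hook: packets addressed to this host, after routing
        type filter hook input priority 0; policy accept;
        # a single rule: write a log entry, then drop the packet
        tcp dport 23 log prefix "telnet-drop: " drop
    }
}
EOF
}

# Number of rules needed to log and drop: one with nftables
# (the iptables version above needs two).
rule_count() {
    nft_ruleset | grep -c 'log prefix'
}

# Syntax-check the ruleset without loading it into the kernel.
# nft -c (--check) parses and validates but does not commit; -f - reads stdin.
check_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        nft_ruleset | nft -c -f -
    else
        echo "nft not installed; skipping syntax check" >&2
    fi
}
```

To apply the ruleset for real, replace `nft -c -f -` with `nft -f -` as root; keep the check step in any deployment script so that a typo in a rule is caught before the kernel's ruleset is flushed.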