The new version of nftables 0.9.3 is now available


A few days ago version 0.9.3 of the packet filter nftables was released. nftables is being developed as the replacement for iptables, ip6tables, arptables and ebtables, unifying the packet filtering interfaces for IPv4, IPv6, ARP and network bridges.

The nftables package reuses parts of the Netfilter infrastructure, such as the connection tracking system and the logging subsystem. A compatibility layer is also provided for translating existing iptables firewall rules into their nftables counterparts.

About Nftables

nftables includes the packet filter components that run in user space, while at the kernel level the nf_tables subsystem has been part of the Linux kernel since version 3.13.

At the kernel level, only a common interface is provided; it is independent of any specific protocol and offers basic functions for extracting data from packets, performing operations on that data, and controlling flow.

The filtering logic itself and the protocol-specific handlers are compiled into bytecode in user space; this bytecode is then loaded into the kernel through the Netlink interface and executed in a special virtual machine similar to BPF (Berkeley Packet Filter).

This approach significantly reduces the size of the filtering code that runs at the kernel level and moves all rule parsing and protocol handling logic into user space.

The main advantages of nftables are:

  • An architecture that is integrated into the kernel.
  • A syntax that consolidates the iptables family of tools into a single command line tool.
  • A compatibility layer that allows the iptables rule syntax to be used.
  • A new, easy to learn syntax.
  • A simplified process for adding firewall rules.
  • Improved error reporting.
  • Less code duplication.
  • Better overall performance, rule retention, and incremental changes to filtering rules.

What's new in nftables 0.9.3?

This new version, nftables 0.9.3, adds support for matching packets by time. With it you can define the time and date intervals during which a rule is active and restrict a rule to individual days of the week. A new "-T" option was also added to display time values as seconds since the epoch.

Another change that stands out is support for saving and restoring SELinux labels (secmark), as well as support for synproxy maps, which allow more than one synproxy rule to be defined per backend.
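The time-based matching described above, as an added example written for this article (it is not a ruleset from the nftables project). The interface, ports and the 192.0.2.0/24 network are made-up values; the rule syntax is the "meta hour", "meta day" and "meta time" form that nft 0.9.3 accepts.

```nft
# Illustrative ruleset, not taken from the nftables project.
# Load with: nft -f office.nft   (requires nft 0.9.3 and a kernel with time matching)
table inet office {
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept

        # SSH is only reachable during working hours, Monday to Friday.
        # The hour range is evaluated in the machine's local time zone.
        tcp dport 22 meta hour "08:00"-"18:00" \
            meta day { "Monday", "Tuesday", "Wednesday", "Thursday", "Friday" } accept

        # A one-off maintenance window: web ports are opened to the
        # (made-up) admin network 192.0.2.0/24 only between these two timestamps.
        tcp dport { 80, 443 } ip saddr 192.0.2.0/24 \
            meta time "2019-12-20 22:00"-"2019-12-21 02:00" accept

        # Everything else falls through to the chain policy (drop).
    }
}
```

When listing the ruleset with "nft list ruleset" the times are printed in the same human-readable form; "nft -T list ruleset" prints them as seconds since the epoch instead, which is handy when diffing rulesets across hosts in different time zones. Note that a rule whose window has passed silently stops matching, so a monitoring check that the expected rules still match traffic is worth having alongside such rules.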

Of the other changes that stand out from this new version:

  • Ability to dynamically remove set elements from packet processing rules.
  • Support for matching VLANs by identifier and protocol from the metadata of the bridge interface.
  • A "-t" ("--terse") option that omits set elements when displaying rules, for example "nft -t list ruleset".
  • The ability to specify more than one device in netdev chains (works with kernel 5.5 only) so that common filter rules can be shared between them.
  • Ability to add data type definitions (typeof).
  • Ability to build the CLI interface with the linenoise library instead of libreadline.
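The dynamic set deletion, the typeof definitions and the multi-device netdev chains from the list above, combined in one added example written for this article (not code from the nftables project). The interface names eth0 and eth1, the knock port 1234 and the 30-second window are assumptions; the netdev chain with two devices and the "delete" statement both need kernel 5.5, as the text notes.

```nft
# Illustrative ruleset, not taken from the nftables project.
# Load with: nft -f knock.nft   (nft 0.9.3 on kernel 5.5 or later)
table inet knock {
    # "typeof" derives the element type from the expression that will feed
    # the set, instead of spelling out "type ipv4_addr".
    set candidates {
        typeof ip saddr
        flags dynamic, timeout
        timeout 30s
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept

        # A datagram to UDP 1234 records the source address for 30 seconds.
        udp dport 1234 add @candidates { ip saddr }

        # The first new SSH connection from a recorded source is accepted and
        # the entry is removed from the packet path at the same time, so each
        # knock grants exactly one connection rather than a 30-second window.
        ct state new tcp dport 22 ip saddr @candidates \
            delete @candidates { ip saddr } accept
    }
}

table netdev edge {
    # One ingress chain attached to two interfaces at once (kernel 5.5 only);
    # before 0.9.3 this had to be written twice, once per device.
    chain ingress {
        type filter hook ingress devices = { eth0, eth1 } priority 0; policy accept;

        # Drop packets claiming a private source address at the edge.
        ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } drop
    }
}
```

Because the "candidates" set is populated from the packet path, "nft list ruleset" can become noisy on a busy host; "nft -t list ruleset" shows the same rules with the set contents omitted, and "nft list set inet knock candidates" shows only the current entries when you do want to inspect them.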

How to install the new version of nftables 0.9.3?

For now the new version can only be obtained by compiling the source code on your system, although within a matter of days pre-built binary packages will be available in the different Linux distributions.

Besides that, the kernel-side changes needed for nftables 0.9.3 to work are included in the upcoming Linux kernel branch 5.5. In order to compile, you must have the following dependencies installed:

These can be compiled with:

./autogen.sh
./configure
make
make install

nftables 0.9.3 itself is downloaded from the following link, and it is compiled with the following commands:

cd nftables
./autogen.sh
./configure
make
make install
