Nftables

Last updated
Original author(s) The Netfilter Project
Developer(s) The Netfilter Project
Stable release
1.0.9 [1]   OOjs UI icon edit-ltr-progressive.svg / 19 October 2023;6 months ago (19 October 2023)
Preview release
Repository
Written in C
Operating system Linux
Platform Netfilter
Type packet filtering
License GPLv2
Website

nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames. It has been available since Linux kernel 3.13 released on 19 January 2014. [2]

Contents

nftables replaces the legacy iptables portions of Netfilter. Among the advantages of nftables over iptables is less code duplication and easier extension to new protocols. Among the disadvantages of nftables is that DPI that was provided by "iptables string match" like SNI filtering is not supported. [3]

nftables is configured via the user-space utility nft, while legacy tools are configured via the utilities iptables , ip6tables, arptables and ebtables frameworks.

nftables utilizes the building blocks of the Netfilter infrastructure, such as the existing hooks into the networking stack, connection tracking system, userspace queueing component, and logging subsystem.

nft

Command-line syntax

A command to drop any packets with destination IP address 1.2.3.4:

nft add rule ip filter output ip daddr 1.2.3.4 drop

Note that the new syntax differs significantly from that of iptables, in which the same rule would be written:

iptables -A OUTPUT -d 1.2.3.4 -j DROP

The new syntax can appear more verbose, but it is also far more flexible. nftables incorporates advanced data structures such as dictionaries, maps and concatenations that do not exist with iptables. Making use of these can significantly reduce the number of chains and rules needed to express a given packet filtering design.

The iptables-translate tool can be used to translate many existing iptables rules to equivalent nftables rules. [4] [5] Debian 10 (Buster), among other Linux distributions, uses nftables along with iptables-translate as the default packet filtering backend. [6]

History

The project was first publicly presented at Netfilter Workshop 2008 by Patrick McHardy from the Netfilter Core Team. [7] The first preview release of kernel and userspace implementation was given in March 2009. [8] Although the tool has been called "the biggest change to Linux firewalling since the introduction of iptables in 2001", it has received little press attention. [9] Notable hacker Fyodor Vaskovich (Gordon Lyon) said that he is "looking forward to its general release in the mainstream Linux kernel". [9]

The project stayed in alpha stage, and the official website was removed in 2009. In March 2010, emails from the author on the project mailing lists showed the project was still active and approaching a beta release, [10] [11] but the latter was never shipped officially. In October 2012, Pablo Neira Ayuso proposed a compatibility layer for iptables [12] and announced a possible inclusion of the project into mainstream kernel.

On 16 October 2013, Pablo Neira Ayuso submitted a nftables core pull request to the Linux kernel mainline tree. [13] It was merged into the kernel mainline on 19 January 2014, with the release of Linux kernel version 3.13. [2]

Overview

The nftables kernel engine adds a simple virtual machine to the Linux kernel which is able to execute bytecode to inspect a network packet and make decisions on how that packet should be handled. The operations implemented by this virtual machine are intentionally made basic. It can get data from the packet itself, have a look at the associated metadata (inbound interface, for example), and manage connection-tracking data. Arithmetic, bitwise and comparison operators can be used for making decisions based on that data. The virtual machine is also capable of manipulating sets of data (typically, IP addresses), allowing multiple comparison operations to be replaced with a single set lookup. [14]

The above-described organization is contrary to the iptables firewalling code, which has protocol awareness built-in so deeply into the logic that the code has had to be replicated four timesfor IPv4, IPv6, ARP, and Ethernet bridging as the firewall engines are too protocol-specific to be used in a generic manner. [14]

The main advantages of nftables over iptables are the simplification of the Linux kernel ABI, reduction of code duplication, improved error reporting, and more efficient execution, storage and incremental changes of filtering rules. Traditionally used iptables(8) , ip6tables(8) , arptables(8) and ebtables(8) (for IPv4, IPv6, ARP and Ethernet bridging, respectively) are intended to be replaced with nft(8) as a single unified implementation, providing firewall configuration on top of the in-kernel virtual machine.

nftables also offers an improved userspace API that allows atomic replacements of one or more firewall rules within a single Netlink transaction. This speeds up firewall configuration changes for setups having large rulesets; it can also help in avoiding race conditions while the rule changes are being executed. nftables also includes compatibility features to ease transition from previous firewalls, command-line utilities to convert rules in the iptables format, [15] and syntax-compatible versions of iptables commands that use the nftables backend. [16]

Related Research Articles

PF is a BSD licensed stateful packet filter, a central piece of software for firewalling. It is comparable to netfilter (iptables), ipfw, and ipfilter.

<span class="mw-page-title-main">Port forwarding</span> Computer networking feature

In computer networking, port forwarding or port mapping is an application of network address translation (NAT) that redirects a communication request from one address and port number combination to another while the packets are traversing a network gateway, such as a router or firewall. This technique is most commonly used to make services on a host residing on a protected or masqueraded (internal) network available to hosts on the opposite side of the gateway, by remapping the destination IP address and port number of the communication to an internal host.

IPFilter is an open-source software package that provides firewall services and network address translation (NAT) for many Unix-like operating systems. The author and software maintainer is Darren Reed. IPFilter supports both IPv4 and IPv6 protocols, and is a stateful firewall.

In computer networking, port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports. Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specific port(s). A variant called single packet authorization (SPA) exists, where only a single "knock" is needed, consisting of an encrypted packet.

iptables is a user-space utility program that allows a system administrator to configure the IP packet filter rules of the Linux kernel firewall, implemented as different Netfilter modules. The filters are organized in different tables, which contain chains of rules for how to treat network traffic packets. Different kernel modules and programs are currently used for different protocols; iptables applies to IPv4, ip6tables to IPv6, arptables to ARP, and ebtables to Ethernet frames.

Netfilter is a framework provided by the Linux kernel that allows various networking-related operations to be implemented in the form of customized handlers. Netfilter offers various functions and operations for packet filtering, network address translation, and port translation, which provide the functionality required for directing packets through a network and prohibiting packets from reaching sensitive locations within a network.

Filesystem in Userspace (FUSE) is a software interface for Unix and Unix-like computer operating systems that lets non-privileged users create their own file systems without editing kernel code. This is achieved by running file system code in user space while the FUSE module provides only a bridge to the actual kernel interfaces.

FireHOL is a shell script designed as a wrapper for iptables written to ease the customization of the Linux kernel's firewall netfilter. FireHOL is free software and open-source, distributed under the terms of the GNU General Public License.

Linux IP Firewalling Chains, normally called ipchains, is free software to control the packet filter or firewall capabilities in the 2.2 series of Linux kernels. It superseded ipfirewall, but was replaced by iptables in the 2.4 series. Unlike iptables, ipchains is stateless.

<span class="mw-page-title-main">Firestarter (firewall)</span> Personal firewall

Firestarter is a personal firewall tool that uses the Netfilter (iptables/ipchains) system built into the Linux kernel. It has the ability to control both inbound and outbound connections. Firestarter provides a graphical interface for configuring firewall rules and settings. It provides real-time monitoring of all network traffic for the system. Firestarter also provides facilities for port forwarding, internet connection sharing and DHCP service.

libipq is a development library for iptables userspace packet queuing. Libipq provides an API for communicating with ip_queue.

ipfirewall Firewall software

ipfirewall or ipfw is a FreeBSD IP, stateful firewall, packet filter and traffic accounting facility. Its ruleset logic is similar to many other packet filters except IPFilter. ipfw is authored and maintained by FreeBSD volunteer staff members. Its syntax enables use of sophisticated filtering capabilities and thus enables users to satisfy advanced requirements. It can either be used as a loadable kernel module or incorporated into the kernel; use as a loadable kernel module where possible is highly recommended. ipfw was the built-in firewall of Mac OS X until Mac OS X 10.7 Lion in 2011 when it was replaced with the OpenBSD project's PF. Like FreeBSD, ipfw is open source. It is used in many FreeBSD-based firewall products, including m0n0wall and FreeNAS. A port of an early version of ipfw was used since Linux 1.1 as the first implementation of firewall available for Linux, until it was replaced by ipchains. A modern port of ipfw and the dummynet traffic shaper is available for Linux and Microsoft Windows. wipfw is a Windows port of an old (2001) version of ipfw.

Netlink is a socket family used for inter-process communication (IPC) between both the kernel and userspace processes, and between different userspace processes, in a way similar to the Unix domain sockets available on certain Unix-like operating systems, including its original incarnation as a Linux kernel interface, as well as in the form of a later implementation on FreeBSD. Similarly to the Unix domain sockets, and unlike INET sockets, Netlink communication cannot traverse host boundaries. However, while the Unix domain sockets use the file system namespace, Netlink sockets are usually addressed by process identifiers (PIDs).

<span class="mw-page-title-main">NuFW</span>

NuFW is a software package that extends Netfilter, the Linux kernel-internal packet filtering firewall module. NuFW adds authentication to filtering rules. NuFW is also provided as a hardware firewall, in the EdenWall firewalling appliance. NuFW has been restarted by the FFI and renamed into UFWI.

<span class="mw-page-title-main">Rusty Russell</span>

Rusty Russell is an Australian free software programmer and advocate, known for his work on the Linux kernel's networking subsystem and the Filesystem Hierarchy Standard.

<span class="mw-page-title-main">Fail2ban</span> Intrusion prevention software framework

Fail2Ban is an intrusion prevention software framework. Written in the Python programming language, it is designed to prevent brute-force attacks. It is able to run on POSIX systems that have an interface to a packet-control system or firewall installed locally, such as iptables or TCP Wrapper.

The arptables computer software utility is a network administrator's tool for maintaining the Address Resolution Protocol (ARP) packet filter rules in the Linux kernel firewall modules.

Slirp is a software program that emulates a PPP, SLIP, or CSLIP connection to the Internet using a text-based shell account. Its original purpose became largely obsolete as dedicated dial-up PPP connections and broadband Internet access became widely available and inexpensive. It then found additional use in connecting mobile devices, such as PDAs, via their serial ports. Another significant use case is firewall piercing/port forwarding. One typical use of Slirp creates a general purpose network connection over a SSH session on which port forwarding is restricted. Another use case is to create external network connectivity for unprivileged containers.

firewalld is a firewall management tool for Linux operating systems. It provides firewall features by acting as a front-end for the Linux kernel's netfilter framework. firewalld's current default backend is nftables. Prior to v0.6.0, iptables was the default backend. Through its abstractions, firewalld acts as an alternative to nft and iptables command line programs. The name firewalld adheres to the Unix convention of naming system daemons by appending the letter "d".

<span class="mw-page-title-main">IPFire</span> Linux distribution

IPFire is a hardened open source Linux distribution that primarily performs as a router and a firewall; a standalone firewall system with a web-based management console for configuration.

References

  1. Pablo Neira Ayuso (19 October 2023). "nftables 1.0.9 release" . Retrieved 19 October 2023.
  2. 1 2 "nftables, the successor of iptables". Linux 3.13. kernelnewbies.org. 2014-01-19. Retrieved 2016-03-04.
  3. "How We Used eBPF to Build Programmable Packet Filtering in Magic Firewall".
  4. "Moving from iptables to nftables - nftables wiki".
  5. "List of available translations via iptables-translate tool - nftables wiki".
  6. "Nftables - Debian Wiki".
  7. "User day program – NFWS2008". workshop.netfilter.org. 2008-10-03. Retrieved 2014-02-22.
  8. initial release announcement.
  9. 1 2 Gray, Patrick (March 26, 2009). "NEWS: Linux Gets New Firewall". Risky.biz.
  10. "Linux Netfilter Devel – Re: Current state of nftables". Spinics.net. Retrieved 2014-01-20.
  11. "Linux Netfilter Devel – Re: Current state of nftables". Spinics.net. Retrieved 2014-01-20.
  12. "Linux Netfilter Devel – [RFC] back on nf_tables (plus compatibility layer)". Spinics.net. Retrieved 2014-01-20.
  13. "[PATCH 00/17] netfilter updates: nf_tables pull request". Marc.info. Retrieved 2014-01-20.
  14. 1 2 Jonathan Corbet (2013-08-20). "The return of nftables". LWN.net . Retrieved 2013-10-22.
  15. Neira Ayuso, Pablo. "nftables – nft command line tool". git.netfilter.org. Retrieved 24 January 2019.
  16. Arturo, Ral. "Netfilter Workshop 2018 Berlin summary". ral-arturo.org. Retrieved 24 January 2019.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.