Friday, July 15, 2016

The Future of IPtables: NFtables

What is nftables?

nftables is the project that aims to replace the existing {ip,ip6,arp,eb}tables framework. Basically, this project provides a new packet filtering framework, a new userspace utility and also a compatibility layer for {ip,ip6}tables. nftables is built upon the building blocks of the Netfilter infrastructure such as the existing hooks, the connection tracking system, the userspace queueing component and the logging subsystem.

What is the status of nftables?

It is currently under development.

Running nftables

You require the following software in order to run the new nft userspace utility:
  • nftables's Linux kernel tree
  • libmnl: the minimalistic Netlink library
  • libnftnl: the user-space library for low-level interaction with nftables Netlink's API over libmnl.
  • nftables userspace utility
This new utility uses a new syntax that is different from {ip,ip6,eb,arp}tables.

Running {ip,ip6}tables compatibility

The nftables project provides a backward compatibility layer that allows you run iptables/ip6tables (using the same syntax) over the nftables infrastructure:
  • nftables's Linux kernel tree
  • libmnl: the minimalistic Netlink library
  • libnftnl: the user-space library for low-level interaction with nftables Netlink's API over libmnl.
  • iptables-nftables: the user-space utility that provides the xtables command line utility to add rule using {ip,ip6}tables syntax.

Main Features

  • Pseudo-state machine in kernel-space: the userspace utility nftables interprets the rule-set provided by the user (using a new syntax), it compiles it into the pseudo-state machine bytecode and then it transfers it to the kernel via the nftables Netlink's API. Roughly, the idea behind nftables is similar to the Berkeley Packet Filters (BPF).
  • Fast lookups through performance data structures: The new syntax allows you to arrange you rule-set in a very performance way contrary to purely linear-list based filtering policies. Nftables allows you to use set-based action mappings, ie. for a matching element in the set, issue the action specified by the user.
  • Reduce the amount of code in kernel-space. You can express the packet selectors for all existing protocols using the instruction-set provided by the nftables pseudo-state machine. That means that we do not need a specific extension in kernel-space for each protocol that you want to support. As a side effect, you are likely not need to upgrade your kernel to obtain new features as it has been designed to keep most of the logic in user-space.
  • Unified interface to replace iptables/ip6tables/arptables/ebtables utilities. Thus, we will be able to fully get rid of all the existing code replication in kernel and user-space.

Git trees

Documentation

You can check the nftables HOWTO documentation.

No comments:

Post a Comment