nftables
A modular packet filtering framework providing enhanced userspace control
nftables is the intended successor of the popular iptables, providing a new modular packet filtering framework e.g. for operating systems based on the popular Linux kernel. Besides a modular code base that is better suited for modern multiprotocol networking environments, the nftables project aims to introduce powerful new userspace tools which will allow users to dynamically perform packet filtering on custom protocols (including but not limited to new proposed internet standards as defined by the Internet Engineering Task Force). Existing packet filtering solutions would require a recompiled kernel module in the same situation. The end result is that users will have more autonomy on what gets filtered and how, which make them less dependent on the technical choices of vendors and communities. The nftables project has been accepted in Linux mainstream kernel.
- The project's own website: http://www.nftables.org/
Nftables provides a framework that can potentially replace all existing duplicated Linux packet classification frameworks such as BPF, {ip,ip6,arp,eb}tables and tc. As a proof to the community, the project will implement support for filter raw socket traffic using nftables as a drop-in replacement for the BPF (which originally designed in the nineties, it requires up to eight instructions to compare an IPv6 address). The result of this task is to deliver the patches to kernel mainstream that will provide this new userspace feature. This should also open some debate on the providing support to use nftables at other points of the networking stack such as ingress (for policing) and egress (for shaping).
Nftables will come with powerful userspace libraries, allowing third party userspace applications. The project will support distribution of rulesets over the network. This can facilitate the distribution of rulesets from one centralized unique point, which should help to make it easier for system administrators to maintain multiple firewalls. It should also be useful in a classical primary-backup high-availability setup. The architecture may also serve as a repository to distribute rule-set feeds that from some authority that you decide to trust. The initial version should already provide a basic infrastructure and features for the rule-set distribution software using one centralized point for rule-set distribution.
One key feature to motivate users to migrate to nftables is to provide a simple utility that translates their rule-sets to nftables. We already have a compatibility layer that uses a kernel extension denominated 'nft_compat' which allows you to use all existing {ip,ip6,arp,eb}tables target and matches from the nftables framework. However, the main problem with the current approach is that there is no real rule-set translation, instead we are re-using part of the existing x_tables kernel infrastructure.
Netfilter project (Spain)
