Tutorial: "nftables from ingress" (Pablo Neira Ayuso)


nftables was merged into Linux kernel 3.13 and was announced as an ongoing development effort to overcome the existing limitations of the popular {ip,ip6,arp,eb}tables userspace tools and the xtables kernel framework.

nftables provides a new kernel framework for packet classification based on a virtual machine with an extensible network-specific instruction set that is accessible through a Netlink API. It also brings a new extended tracing infrastructure, dynamic ruleset updates through a two-phase commit protocol, rule update monitoring, and dynamic set instantiation to build flow tables.

From userspace, the project provides libraries for third-party applications and the nft utility, an expressive and extensible compiler for our rule-based network language with a human-friendly syntax, scripting support and an interactive native shell.

Since Linux 4.2, the Netfilter infrastructure comes with a new ingress hook, placed before prerouting, which opens the door to using nftables to classify and filter traffic as an alternative to tc. This tutorial introduces nf_tables features in general and, more specifically, covers use-case examples built on this new hook.
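As an added example (not part of the tutorial abstract or of the nftables project's own documentation), the ruleset below attaches a netdev-family chain to the ingress hook described above and exercises three of the features the abstract lists: a named set, a dynamic set used as a flow-table style rate limiter, and the tracing infrastructure. The interface name eth0, the prefixes and the rate limit are assumptions chosen for illustration.

```nft
# Added example, not from the tutorial: netdev-family ruleset bound to the
# ingress hook (Linux >= 4.2). "eth0", the prefixes and the limits are assumed.
flush ruleset

table netdev ingress_filter {
    # Constructed list of source prefixes that should never arrive from the
    # wire on a public-facing interface; "interval" allows CIDR elements.
    set bogon_src {
        type ipv4_addr
        flags interval
        elements = { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8,
                     169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16 }
    }

    # Dynamic set: entries are created by the rule that references it and
    # expire on their own, so per-source state needs no external bookkeeping.
    set syn_meter {
        type ipv4_addr
        flags dynamic
        size 65535
        timeout 1m
    }

    chain ingress {
        # netdev chains bind to one device. The ingress hook sits before
        # prerouting, so dropped packets never reach conntrack or the IP stack.
        type filter hook ingress device eth0 priority 0; policy accept;

        # Early drop of spoofed/private source addresses.
        ip saddr @bogon_src counter drop

        # TCP segments with contradictory or empty flag combinations.
        tcp flags & (fin|syn) == (fin|syn) counter drop
        tcp flags & (syn|rst) == (syn|rst) counter drop
        tcp flags & (fin|syn|rst|psh|ack|urg) == 0 counter drop

        # Per-source SYN rate limit (assumed threshold) driven by the dynamic
        # set: sources exceeding the rate have their excess SYNs dropped.
        tcp flags syn add @syn_meter { ip saddr limit rate over 50/second } counter drop

        # Mark packets from a documentation prefix for tracing; they can then be
        # followed through the ruleset with "nft monitor trace".
        ip saddr 203.0.113.0/24 meta nftrace set 1
    }
}
```

Load it with `nft -f <file>`; `nft -c -f <file>` parses and validates the ruleset without committing it, which is useful since an ingress chain on the wrong device or with a too-strict rule cuts traffic off immediately.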