nftables is the project that aims to replace the existing {ip,ip6,arp,eb}tables framework. This presentation provides an overview of components and features.
Limitations of the {ip,ip6,arp,eb}tables framework:
• Lots of rules (cloud services, IP reputation lists, complex setups, …) that have to be expressed one by one
• Code duplication because of the different filter families (classic, arp, bridge, ipv4/ipv6), each with its own tool and its own copy of the rules
• Rules are exchanged between user space and kernel as an opaque binary blob (the whole ruleset is replaced on every change)
• Not accessible via an "official" library / interface: the only supported way in is the iptables command itself
nfnetlink: Netlink-based kernel / user space communication
• First major evolution of Netfilter (Linux 2.6.14, 2005)
• NFLOG: enhanced logging system
• NFQUEUE: improved userspace decision system (packets are handed to a userspace program, which returns the verdict)
• NFCT: get information about and update connection tracking entries
• Worth another talk on its own
Userspace tools built on nfnetlink:
• conntrackd: userspace daemon that can be used to enable high availability of cluster-based stateful firewalls (connection tracking state is replicated between the nodes)
• conntrack: command line tool to query and update connection tracking
• ulogd2: logging daemon that handles both packet and connection logging
• nfacct: easy and efficient way to gather network statistics (named accounting objects in the kernel); first appeared in 2012
• ipset: efficient set handling, from plain address lists to more complex sets (networks, address/port pairs, …), so that one rule can match a whole set instead of one rule per entry; included in the "vanilla" kernel since 2011 (2.6.39)
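The following ruleset is an added example, not part of the presentation or of the nftables project's own documentation. It shows how the problems listed above (many near-identical rules, duplication across the IPv4 and IPv6 families) and the components just mentioned (connection tracking, NFLOG, counters, NFQUEUE) come together in a single nftables ruleset. All addresses, ports and the NFLOG group number are made up for illustration; the "inet" family, which handles IPv4 and IPv6 in one table, is a later nftables feature that the slides above do not mention.

```nft
#!/usr/sbin/nft -f
# Added example ruleset (not from the presentation). Addresses, ports and
# the NFLOG group are illustrative values.

flush ruleset

# One "inet" table serves both IPv4 and IPv6, instead of maintaining the
# same rules twice in an iptables and an ip6tables ruleset.
table inet filter {

    # Named sets replace long runs of near-identical rules and play the
    # role an ipset plays next to iptables, e.g.:
    #   ipset create blocklist hash:net
    #   ipset add blocklist 192.0.2.0/24
    #   iptables -A INPUT -m set --match-set blocklist src -j DROP
    set blocklist {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.7 }
    }

    set blocklist6 {
        type ipv6_addr
        flags interval
        elements = { 2001:db8:bad::/48 }
    }

    # Sets are updated at runtime without reloading the whole ruleset:
    #   nft add element inet filter blocklist { 203.0.113.9 }

    chain input {
        type filter hook input priority 0; policy drop;

        # Stateful decision based on connection tracking: the same state
        # that conntrack(8) lists and conntrackd replicates in a cluster.
        ct state established,related accept
        ct state invalid counter drop

        iif "lo" accept

        # One rule per family matches the whole set. "counter" keeps
        # per-rule packet/byte statistics; "log group 1" hands a copy of
        # the packet to NFLOG group 1, where ulogd2 can receive it.
        ip saddr @blocklist counter log prefix "blocklist: " group 1 drop
        ip6 saddr @blocklist6 counter log prefix "blocklist6: " group 1 drop

        # An anonymous set matches several ports in a single rule.
        tcp dport { 22, 80, 443 } accept

        # NFQUEUE: uncomment to hand DNS packets to a userspace program
        # bound to queue 0, which then returns the verdict.
        # udp dport 53 queue num 0
    }
}
```

Load it with `nft -f ruleset.nft` (as root) and inspect the result, including the live counters, with `nft list ruleset`. To actually see the logged packets, ulogd2 must be configured with its NFLOG input plugin listening on the same group (group 1 here); that configuration is assumed, not shown.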