Netfilter

Netfilter is a framework provided by the Linux kernel that allows various networking-related operations to be implemented in the form of customized handlers. Netfilter offers various functions and operations for packet filtering, network address translation, and port translation, which provide the functionality required for directing packets through a network and prohibiting packets from reaching sensitive locations within a network.

Netfilter represents a set of hooks inside the Linux kernel, allowing specific kernel modules to register callback functions with the kernel's networking stack. Those functions, usually applied to the traffic in the form of filtering and modification rules, are called for every packet that traverses the respective hook within the networking stack.

History

Rusty Russell started the netfilter/iptables project in 1998; he had also authored the project's predecessor, ipchains. As the project grew, he founded the Netfilter Core Team (or simply coreteam) in 1999. The software they produced (called netfilter hereafter) uses the GNU General Public License (GPL) license, and on 26 August 1999 it was merged into version 2.3.15 of the Linux kernel mainline and thus was in the 2.4.0 stable version.

In August 2003 Harald Welte became chairman of the coreteam. In April 2004, following a crack-down by the project on those distributing the project's software embedded in routers without complying with the GPL, a German court granted Welte an historic injunction against Sitecom Germany, which refused to follow the GPL's terms (see GPL-related disputes). In September 2007 Patrick McHardy, who led development for past years, was elected as new chairman of the coreteam.

Prior to iptables, the predominant software packages for creating Linux firewalls were ipchains in Linux kernel 2.2.x and ipfwadm in Linux kernel 2.0.x, which in turn was based on BSD's ipfw. Both ipchains and ipfwadm alter the networking code so they can manipulate packets, as Linux kernel lacked a general packets control framework until the introduction of Netfilter.

Whereas ipchains and ipfwadm combine packet filtering and NAT (particularly three specific kinds of NAT, called masquerading, port forwarding, and redirection), Netfilter separates packet operations into multiple parts, described below. Each connects to the Netfilter hooks at different points to access packets. The connection tracking and NAT subsystems are more general and more powerful than the rudimentary versions within ipchains and ipfwadm.

In 2017 IPv4 and IPv6 flow offload infrastructure was added, allowing a speedup of software flow table forwarding and hardware offload support.

Userspace utility programs

• iptables(8)
• ip6tables(8)
• ebtables(8)
• arptables(8)
• ipset(8)
• nftables(8)

iptables

The kernel modules named ip_tables, ip6_tables, arp_tables (the underscore is part of the name), and ebtables comprise the legacy packet filtering portion of the Netfilter hook system. They provide a table-based system for defining firewall rules that can filter or transform packets. The tables can be administered through the user-space tools iptables, ip6tables, arptables, and ebtables. Notice that although both the kernel modules and userspace utilities have similar names, each of them is a different entity with different functionality.

Each table is actually its own hook, and each table was introduced to serve a specific purpose. As far as Netfilter is concerned, it runs a particular table in a specific order with respect to other tables. Any table can call itself and it also can execute its own rules, which enables possibilities for additional processing and iteration.

Rules are organized into chains, or in other words, "chains of rules". These chains are named with predefined titles, including INPUT, OUTPUT and FORWARD. These chain titles help describe the origin in the Netfilter stack. Packet reception, for example, falls into PREROUTING, while the INPUT represents locally delivered data, and forwarded traffic falls into the FORWARD chain. Locally generated output passes through the OUTPUT chain, and packets to be sent out are in POSTROUTING chain.

Netfilter modules not organized into tables (see below) are capable of checking for the origin to select their mode of operation.

iptable_raw module

When loaded, registers a hook that will be called before any other Netfilter hook. It provides a table called raw that can be used to filter packets before they reach more memory-demanding operations such as Connection Tracking.

iptable_mangle module

Registers a hook and mangle table to run after Connection Tracking (see below) (but still before any other table), so that modifications can be made to the packet. This enables additional modifications by rules that follow, such as NAT or further filtering.

iptable_nat module

Registers two hooks: Destination Network Address Translation-based transformations ("DNAT") are applied before the filter hook, Source Network Address Translation-based transformations ("SNAT") are applied afterwards. The network address translation table (or "nat") that is made available to iptables is merely a "configuration database" for NAT mappings only, and not intended for filtering of any kind.

iptable_filter module

Registers the filter table, used for general-purpose filtering (firewalling).

security_filter module

Used for Mandatory Access Control (MAC) networking rules, such as those enabled by the SECMARK and CONNSECMARK targets. (These so-called "targets" refer to Security-Enhanced Linux markers.) Mandatory Access Control is implemented by Linux Security Modules such as SELinux. The security table is called following the call of the filter table, allowing any Discretionary Access Control (DAC) rules in the filter table to take effect before any MAC rules. This table provides the following built-in chains: INPUT (for packets coming into the computer itself), OUTPUT (for altering locally-generated packets before routing), and FORWARD (for altering packets being routed through the computer).

nftables

nftables is the new packet-filtering portion of Netfilter. nft is the new userspace utility that replaces iptables, ip6tables, arptables and ebtables.

nftables kernel engine adds a simple virtual machine into the Linux kernel, which is able to execute bytecode to inspect a network packet and make decisions on how that packet should be handled. The operations implemented by this virtual machine are intentionally made basic: it can get data from the packet itself, have a look at the associated metadata (inbound interface, for example), and manage connection tracking data. Arithmetic, bitwise and comparison operators can be used for making decisions based on that data. The virtual machine is also capable of manipulating sets of data (typically IP addresses), allowing multiple comparison operations to be replaced with a single set lookup.

This is in contrast to the legacy Xtables (iptables, etc.) code, which has protocol awareness so deeply built into the code that it has had to be replicated four times‍—‌for IPv4, IPv6, ARP, and Ethernet bridging‍—‌as the firewall engines are too protocol-specific to be used in a generic manner. The main advantages over iptables are simplification of the Linux kernel ABI, reduction of code duplication, improved error reporting, and more efficient execution, storage, and incremental, atomic changes of filtering rules.

Packet defragmentation

The nf_defrag_ipv4 module will defragment IPv4 packets before they reach Netfilter's connection tracking (nf_conntrack_ipv4 module). This is necessary for the in-kernel connection tracking and NAT helper modules (which are a form of "mini-ALGs") that only work reliably on entire packets, not necessarily on fragments.

The IPv6 defragmenter is not a module in its own right, but is integrated into the nf_conntrack_ipv6 module.

Connection tracking

One of the important features built on top of the Netfilter framework is connection tracking. Connection tracking allows the kernel to keep track of all logical network connections or sessions, and thereby relate all of the packets which may make up that connection. NAT relies on this information to translate all related packets in the same way, and iptables can use this information to act as a stateful firewall.