🔨Dropping Packets Using nftables | A Modern Approach to Network Filtering🪚

Ronald Bartels

With the introduction of the Linux kernel 3.13, nftables emerged as a replacement for traditional netfilter tools like iptables, ip6tables, arptables, and ebtables. This next-generation framework brings several advantages, including reduced code duplication, better performance, and a unified tool for all filtering tasks.

In this article, we'll explore how to use nftables for packet filtering, focusing on its capabilities for dropping unwanted traffic efficiently.


Why Choose nftables?

Key Advantages:

  1. Unified Tool: nftables provides a single interface (nft) to manage rules across all layers.

  2. Performance: Significant improvements in handling large rule sets compared to iptables.

  3. Efficiency: Supports flowtable-based offloading for high-performance setups.

  4. Simplicity: Reduces code complexity by reusing core components.

Performance Insights:

Tests conducted by Red Hat show that nftables scales better as the number of rules grows. Traditional iptables can suffer significant performance degradation with large rule sets, while nftables maintains a more linear performance profile.


Basic nftables Configuration for Dropping Packets

Step 1: Create Tables and Chains

Unlike iptables, nftables does not include predefined tables or chains. You must create these before adding rules:

# Add a table for IPv4 filtering
nft add table ip filter

# Add an input chain for filtering packets
nft add chain ip filter in-chain { type filter hook input priority 0\; }

Step 2: Add a Rule to Drop Packets

To drop TCP packets destined for port 1234, add the following rule:

nft add rule ip filter in-chain tcp dport 1234 drop

This creates a stateless rule that checks incoming packets on the input chain and drops those matching the specified criteria.


Advanced Performance Optimisation with Flow Offloading

For complex rule sets or performance-constrained hardware (e.g., ARM-based devices), flow offloading can significantly enhance throughput. This feature caches actions (ACCEPT, DROP, NAT, etc.) for specific flows, bypassing rule checks for subsequent packets in the flow.

Flow Offloading Configuration

Here's an example configuration for enabling flow offloading:

table inet x {
    flowtable f {
        hook ingress priority 0; devices = { eth0, eth1 };
    }

    chain y {
        type filter hook forward priority 0; policy accept;
        ip protocol tcp flow offload @f
        counter packets 0 bytes 0
    }
}

Key Elements:

  • Flowtable f: Caches flow information for packets traversing eth0 and eth1.

  • Chain y: Offloads TCP traffic that matches specified rules to the flowtable.

With this setup, once a TCP flow has passed through chain y, its subsequent packets are matched in the flowtable and skip the forward-path rule evaluation, significantly reducing the processing overhead.

Expected Performance Gains:

  • For systems with limited processing power, such as ARM64-based devices, a 2-3x increase in throughput can be achieved when using flow offloading.

Use Case: Dropping DoS Traffic

nftables excels in mitigating DoS attacks by efficiently filtering large volumes of packets. For instance, to block traffic from an entire subnet:

nft add rule ip filter in-chain ip saddr 192.168.0.0/16 drop

This rule ensures all packets originating from the 192.168.0.0/16 subnet are dropped, reducing the load on the network stack.
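The same rules as above, loaded atomically with nft -f instead of one nft add at a time, as an added example that is not part of the article. It goes slightly beyond the text by putting the blocked subnet in a named set (so more subnets can be added without adding rules) and by attaching counter statements so the drops show up in nft list; the port, subnet, set name and function names are placeholders chosen here.

```sh
#!/bin/sh
# Added example, not code from the article: build the article's drop rules as
# one atomic ruleset for `nft -f`, with counters on each drop rule.
# Assumptions: port 1234 and 192.168.0.0/16 are the article's placeholder
# values; the "blocked" set and the function names are this example's own.

# Print a complete ruleset. The leading "table"/"flush table" pair means
# re-running the script replaces the old rules rather than appending copies.
gen_ruleset() {
    port="$1"
    subnet="$2"
    cat <<EOF
table ip filter
flush table ip filter
table ip filter {
    set blocked {
        type ipv4_addr
        flags interval
        elements = { $subnet }
    }
    chain in-chain {
        type filter hook input priority 0; policy accept;
        ip saddr @blocked counter drop
        tcp dport $port counter drop
    }
}
EOF
}

# Parse and evaluate the ruleset without committing it (nft -c).
# Returns nft's exit status, or 2 when nft is not installed.
check_ruleset() {
    command -v nft >/dev/null 2>&1 || return 2
    gen_ruleset "$1" "$2" | nft -c -f -
}

# Commit the ruleset in a single transaction (requires root).
apply_ruleset() {
    gen_ruleset "$1" "$2" | nft -f -
}

# Add a further subnet to the set without touching the rest of the ruleset.
block_subnet() {
    nft add element ip filter blocked "{ $1 }"
}
```

Run check_ruleset 1234 192.168.0.0/16 first, then apply_ruleset with the same arguments; nft list chain ip filter in-chain afterwards shows the packet and byte counts on both drop rules.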


Best Practices & Tips

  1. Start Simple: Begin with basic rules and expand gradually to avoid overly complex configurations.

  2. Monitor Metrics: Add counter statements to your rules and use nft list ruleset to track packet drops and rule effectiveness.

  3. Leverage Flowtables: For high-throughput networks, offloading critical flows can dramatically improve performance.

  4. Read the Documentation: The kernel nft documentation provides extensive details on advanced features.


nftables is a modern, efficient replacement for traditional netfilter tools, offering advanced capabilities for packet filtering and performance optimisation. Whether you're looking to drop packets, mitigate DoS attacks, or manage traffic flows, nftables provides the flexibility and efficiency required in today’s complex network environments.

