* Re: nftables
From: Patrick McHardy @ 2009-03-18 7:47 UTC (permalink / raw)
To: Varun Chandramohan; +Cc: Netfilter Developer Mailing List, Linux Netdev List
Varun Chandramohan wrote:
> I am interested in hooking nftables to TC. Could you elaborate on this
> a little bit?
> And when you talk about in-kernel mangle table i suppose you mean the
> mangle table of iptables?
OK, first about mangle - usually tables with nftables should be created
by userspace. The mangle table contains special functionality that needs
to be implemented in the kernel (rerouting), so nftables (just as iptables)
includes some code and table definitions for this. The way it should be is
that rerouting is just a property that can be optionally specified for a
chain.
About TC - that's one of the more complicated things I suppose. The first
thing that needs to be investigated is whether hooking it natively (meaning
it is called directly, similar to the TC classifiers today) or through a TC
classifier would make more sense. The second approach is definitely less
intrusive, but the TC classifier is pretty much useless with nftables
and it imposes some undesirable limits. In the end each class should offer
a chain to attach rules to. I'd also suggest to have a table-like container
for each qdisc, so chains can be added that are not attached directly to
classes (which I'm not sure is possible when using a TC classifier).
What's further needed is:
- a way to transport the nftables netlink attributes to the kernel.
Either encapsulated in TC attributes or the "normal" way, depending
on how it is hooked.
- nftables needs to be taught about TC verdicts. Classes bound to the
classifier should be treated similar to nftables chains (meaning a
lookup is made and the reference is stored). Check out nft_data_init()
for reference.
- the ruleset evaluation function probably needs to be split into a
generic part, dealing with internal flow control, and the netfilter/
TC specific part, dealing with netfilter verdicts and class IDs.
* Fwd: nftables
From: Juraj Gabčík @ 2011-04-29 9:33 UTC (permalink / raw)
To: netfilter
Hi people!
First, I would like to introduce myself to you. My name is Juraj
Gabčík and I am a student at the Faculty of Informatics at the
University of Žilina, Slovakia. My reason for writing to you is that I
would like to ask you for a favour. I am now writing my bachelor's
thesis about nftables and I would be grateful to you for some
information I need concerning this issue. I found something on the
internet but it wasn't enough.
I am interested in the background of the processing of a packet after
it's received by the NIC: what queues it passes, where the rules can be
applied etc. Nor could I find any information about whether
nftables has the same structure of classes INPUT, OUTPUT and FORWARD
as iptables.
I need to compare the efficiency of a firewall created by iptables
and nftables and I would be very grateful if you could explain to me
the main differences between the processing of a packet by means of
iptables and nftables. Also a demonstration of some rules written by
means of iptables and nftables (rules of the same meaning in both
cases) would be very helpful.
How do I compile a kernel supporting nftables?
If you would come up with something more that would help me or that
would be useful for my thesis I would highly appreciate it. As I have
already mentioned, I am mainly concerned about the information related
to the background of the processing of the packet and the comparison
of the efficiency of iptables and nftables.
Hope to hear from you soon,
Juraj Gabčík
* Re: nftables
From: Jan Engelhardt @ 2011-04-29 10:06 UTC (permalink / raw)
To: Juraj Gabčík; +Cc: netfilter
On Friday 2011-04-29 11:33, Juraj Gabčík wrote:
>
> I am interested in the background of the processing of a packet after
> it's received by the NIC: what queues it passes, where the rules can be
> applied etc. Nor could I find any information about whether
> nftables has the same structure of classes INPUT, OUTPUT and FORWARD
> as iptables.
>
> I need to compare the efficiency of a firewall created by iptables
> and nftables and I would be very grateful if you could explain to me
> the main differences between the processing of a packet by means of
> iptables and nftables.
Differences:
iptables (or more precisely the Xtables collective) uses a packed
table and no "indirect interpreter" - a module like xt_u32 is
optional -, which yields the speediest execution environment. This
packing is important the larger the ruleset becomes, and the smaller
the CPU caches are. It also has no limits on call depth.
Xtables does not use the Netlink protocol yet for conveying changes
to the kernel, but it is being pondered how to get it there. Netlink
attributes have some worrying limitations and no consensus was yet
reached on the packet format. The much-sought nlattr32 patches have
not appeared yet either, so the protocol effort is staggering, but I
hold high hopes someone is on nla32 - meanwhile, I utilize the time
by doing precursor work on the userspace components instead (the
option parsing patches posted - a large part of the code is reusable
for a Netlink variant).
* nftables
From: Juraj Gabčík @ 2011-05-05 7:24 UTC (permalink / raw)
To: netfilter
Hi
I have a problem:
I tried to run nftables - I followed the steps written here:
http://lists.netfilter.org/pipermail/netfilter-cvslog/2009-March/006316.html
I downloaded the kernel tree and compiled nftables into the kernel,
ran the new kernel with nftables support BUT when I wrote some rule, e.g.
nft rule add inet filter output ip protocol tcp => drop , the system
accepted it but it didn't have any effect - I still had internet
access.
Maybe the problem is that I have compiled iptables into the kernel too - and
they are useful.
So I tried to compile the kernel without iptables, but it crashes.
So can somebody advise me how to compile a functional nftables?
Sorry, my English is not very good :)
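One cause of exactly this symptom in today's nftables (the kernel accepts the rule, traffic is unaffected) is that packets only traverse a base chain, i.e. a chain declared with a netfilter hook; a chain without a hook is a regular chain that sees traffic only when some base chain jumps to it. The shell script below is an added example, not code from the thread or from the nftables project. It uses current nft syntax, which differs from the 2011 prototype syntax quoted above; the table and chain names are illustrative, and apply_ruleset assumes root and an installed nft binary.

```shell
#!/bin/sh
# Added example, not code from the thread. It shows why an nft rule can be
# accepted by the kernel and still never match: the chain holding it must be
# a base chain bound to a netfilter hook. Current nft syntax; table and
# chain names are illustrative.

# Regular chain: stored by the kernel, but no hook delivers packets to it, so
# a rule placed here is inert unless some base chain jumps to this chain.
ruleset_without_hook() {
    cat <<'EOF'
table inet filter {
    chain output {
        ip protocol tcp drop
    }
}
EOF
}

# Base chain: "type filter hook output" attaches it to the output hook, so
# locally generated packets traverse it and the drop rule takes effect.
# The iptables rule of the same meaning: iptables -A OUTPUT -p tcp -j DROP
# ("ip protocol tcp" covers IPv4 only; "meta l4proto tcp" would also cover IPv6.)
ruleset_with_hook() {
    cat <<'EOF'
table inet filter {
    chain output {
        type filter hook output priority 0; policy accept;
        ip protocol tcp counter drop
    }
}
EOF
}

# Return 0 when the ruleset text binds at least one chain to a hook.
chain_has_hook() {
    printf '%s\n' "$1" | grep -q ' hook '
}

# Load ruleset text atomically (root and the nft binary required; not run
# here). "flush ruleset" makes the text the whole firewall state instead of
# appending to whatever was loaded before.
apply_ruleset() {
    { printf 'flush ruleset\n'; printf '%s\n' "$1"; } | nft -f -
}

# After loading, "nft list ruleset" must show the hook line, and the packet
# counter on the rule should increase when TCP traffic is generated.

echo "--- inert ruleset (no hook) ---"
ruleset_without_hook
echo "--- effective ruleset (base chain) ---"
ruleset_with_hook
```

To diagnose a silent rule, list the ruleset and look for the `type ... hook ...` line on the chain holding it; if it is missing, the rule is in a regular chain and nothing routes packets to it.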
* nftables
From: Patrick Greiff @ 2020-04-28 7:38 UTC (permalink / raw)
To: netfilter
Hi everyone,
I have a question about nftables.
With iptables I had a blacklist where I wrote in the IPs that wanted to
hack me.
How can I integrate something into nftables? And also restart when the
IPs are updated.
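One way to keep such a list in nftables is a named set consulted by a single drop rule, refilled from a plain text file in one transaction whenever the file changes, so no restart of the firewall is needed. The script below is an added example, not code from the thread; the file path /etc/nftables/blocklist.txt, the table name filter and the set name blocklist are assumed names, the sample addresses are constructed from documentation ranges, and reload_blocklist needs root and the nft binary.

```shell
#!/bin/sh
# Added example, not code from the thread. It keeps a blocklist of source
# addresses in an nftables named set, rebuilds the set from a plain text
# file, and reloads it in one transaction. The file path, table name
# "filter" and set name "blocklist" are illustrative choices.

BLOCKLIST_FILE="${BLOCKLIST_FILE:-/etc/nftables/blocklist.txt}"

# Read the address file: strip "#" comments and surrounding whitespace, drop
# blank lines, join into a comma-separated element list. CIDR prefixes are
# fine because the set is declared with "flags interval".
blocklist_elements() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e '/^$/d' "$1" | paste -sd, - | sed 's/,/, /g'
}

# One-time skeleton: the set and a single input rule that consults it. The
# "counter" lets you confirm with "nft list chain inet filter input" that
# listed hosts are really being dropped.
render_base_ruleset() {
    cat <<'EOF'
table inet filter {
    set blocklist {
        type ipv4_addr
        flags interval
    }
    chain input {
        type filter hook input priority 0; policy accept;
        ip saddr @blocklist counter drop
    }
}
EOF
}

# Update script for the set only. nft applies a file as one transaction, so
# "flush set" plus "add element" replaces the old list with no window in
# which the rule sees an empty set. An empty file yields just the flush.
render_set_update() {
    elements=$(blocklist_elements "$1")
    printf 'flush set inet filter blocklist\n'
    if [ -n "$elements" ]; then
        printf 'add element inet filter blocklist { %s }\n' "$elements"
    fi
}

# Apply an update (root and nft required; not run here). "nft -c" checks the
# generated script first, so a typo in the text file is rejected instead of
# leaving the set half-loaded.
reload_blocklist() {
    tmp=$(mktemp) || return 1
    render_set_update "$BLOCKLIST_FILE" > "$tmp"
    nft -c -f "$tmp" && nft -f "$tmp"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Demo on a constructed sample file (documentation addresses, not real hosts).
sample=$(mktemp)
printf '# constructed sample blocklist\n192.0.2.10\n\n198.51.100.0/24 # whole range\n' > "$sample"
render_set_update "$sample"
rm -f "$sample"
```

Load render_base_ruleset once, then run reload_blocklist from whatever edits the text file (a cron job or a path watcher); because the flush and the add land in the same nft transaction, the rule keeps matching the old entries until the new ones are in place.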