From: trentbuck@gmail.com (Trent W. Buck)
To: netfilter@vger.kernel.org
Subject: Re: Waiting until first release of NFTABLES
Date: Tue, 25 Feb 2020 14:30:31 +1100
Message-ID: <87a757qr6w.fsf@goll.lan>
In-Reply-To: e73f8381-66ea-18f7-9267-d8493de3dafd@satchell.net
Stephen Satchell <list@satchell.net> writes:
> On 2/24/20 5:12 PM, Trent W. Buck wrote:
>> Can't you use "ip netns" (or systemd-nspawn, or docker, or libvirt-qemu)
>> to set up a test network with a test firewall, then send packets into /
>> out of that test environment?
>>
>> OK, it's a bit fiddly to set up, but I don't see why you need any
>> special nftables-specific thing when you can just do regular
>> namespace/container/vm techniques.
>
> HOWTO link?
I don't have one, but this is a basic introduction to "ip netns":
https://lwn.net/Articles/580893/
Once the netns is set up, you'd do something like

    ip netns exec my-cool-namespace nft --file=my-cool-firewall.nft
    ip netns exec my-cool-namespace firefox gopher://porn.example.edu

Then look at nft's counters (add rule ... counter accept), or
kernel logs (add rule ... log accept), or
whatever diagnostics you normally do.
The fiddly part is turning that into a turnkey "solution" that can have
multiple namespaces hooked up to one another, and to the real internet.
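As an added example (not code from this thread or from nftables itself), the workflow Trent sketches as one POSIX shell script: build a throwaway firewall namespace and a client namespace joined by a veth pair, load a tagged ruleset with `nft --file=`, send traffic from the client, then read the per-rule counters back out of `nft list ruleset`. The namespace names, interface names and 10.99.0.0/24 addresses are assumptions; the lab part needs root.

```shell
#!/bin/sh
# Added example, not from the thread: exercise an nft ruleset inside a throwaway
# network namespace and read its counters back. Assumed names: namespaces
# fw-lab/fw-client, veth pair veth-fw/veth-cl, 10.99.0.1 (firewall), 10.99.0.2 (client).
set -eu

# Ruleset under test. Each rule carries a comment tag so its counter can be
# located in "nft list ruleset" output afterwards.
make_ruleset() {
    cat <<'EOF'
table inet lab {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        icmp type echo-request counter accept comment "allow-ping"
        counter drop comment "dropped"
    }
}
EOF
}

# Print the packet count of the rule tagged $1, reading "nft list ruleset"
# output from stdin ("counter packets N bytes M ..."); prints 0 if no rule has that tag.
counter_packets() {
    awk -v tag="\"$1\"" '
        index($0, "comment " tag) {
            for (i = 1; i <= NF; i++) if ($i == "packets") { print $(i+1); found = 1 }
        }
        END { if (!found) print 0 }'
}

# Needs root: build the lab, load the ruleset, send traffic, report counters.
run_lab() {
    trap 'ip netns del fw-client 2>/dev/null; ip netns del fw-lab 2>/dev/null' EXIT
    ip netns add fw-lab; ip netns add fw-client
    ip link add veth-fw type veth peer name veth-cl
    ip link set veth-fw netns fw-lab; ip link set veth-cl netns fw-client
    ip -n fw-lab addr add 10.99.0.1/24 dev veth-fw
    ip -n fw-client addr add 10.99.0.2/24 dev veth-cl
    ip -n fw-lab link set lo up; ip -n fw-lab link set veth-fw up
    ip -n fw-client link set veth-cl up
    make_ruleset > /tmp/lab.nft && ip netns exec fw-lab nft --file=/tmp/lab.nft
    ip netns exec fw-client ping -c 3 -W 1 10.99.0.1 >/dev/null   # should be accepted
    ip netns exec fw-client nc -z -w 1 10.99.0.1 22 || true        # should be dropped
    echo "echo-requests accepted: $(ip netns exec fw-lab nft list ruleset | counter_packets allow-ping)"
    echo "other packets dropped:  $(ip netns exec fw-lab nft list ruleset | counter_packets dropped)"
}

if [ "${1-}" = run ]; then run_lab; fi
```

Run it as `sudo sh lab.sh run`; without the `run` argument it only defines the functions, so the counter parser can be exercised on saved `nft list ruleset` output without any namespaces.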