Linux Netfilter discussions
* Re: nftables
From: Jan Engelhardt @ 2011-04-29 10:06 UTC
  To: Juraj Gabčík; +Cc: netfilter


On Friday 2011-04-29 11:33, Juraj Gabčík wrote:
>
>I am interested in the background of the processing of a packet after
>it is received by the NIC: what queues it passes, where the rules can be
>applied, etc. Nor could I find any information about whether
>nftables has the same structure of classes INPUT, OUTPUT and FORWARD
>as iptables.
>
>I need to compare the efficiency of a firewall created by iptables
>and nftables, and I would be very grateful if you could explain to me
>the main differences between the processing of a packet by means of
>iptables and nftables.

Differences:

iptables (or more precisely the Xtables collective) uses a packed
table and no "indirect interpreter" (a module like xt_u32 is
optional), which yields the speediest execution environment. This
packing becomes more important the larger the ruleset and the smaller
the CPU caches are. It also has no limits on call depth.

Xtables does not use the Netlink protocol yet for conveying changes
to the kernel, but it is being pondered how to get it there. Netlink
attributes have some worrying limitations and no consensus was yet
reached on the packet format. The much-sought nlattr32 patches have
not appeared yet either, so the protocol effort is staggering, but I
hold high hopes someone is on nla32 - meanwhile, I utilize the time
by doing precursor work on the userspace components instead (the
option parsing patches posted - a large part of the code is reusable
for a Netlink variant).


* nftables
From: Juraj Gabčík @ 2011-05-05  7:24 UTC
  To: netfilter

Hi
I have a problem:
I tried to run nftables - I followed the steps written here:
http://lists.netfilter.org/pipermail/netfilter-cvslog/2009-March/006316.html
I downloaded the kernel tree and compiled nftables into the kernel,
then ran the new kernel with nftables support, BUT when I wrote a rule, e.g.
nft rule add inet filter output ip protocol tcp => drop , the system
accepted it but it didn't have any effect - I still had internet
access.
Maybe the problem is that I have compiled iptables into the kernel too - and
they are useful.
So I tried to compile the kernel without iptables, but it crashes.
So can somebody advise me how to compile functional nftables?
sorry, my english is not very good :)


* nftables
From: Patrick Greiff @ 2020-04-28  7:38 UTC
  To: netfilter

Hi everyone,
I have a question about nftables.
With iptables I had a blacklist where I wrote in the IPs that wanted to
hack me.
How can I integrate something into nftables? And also restart when the
IPs are updated.



* Re: nftables
From: Fatih USTA @ 2020-04-28  7:50 UTC
  To: Patrick Greiff, netfilter

Hi

You can use sets in nftables like iptables ipset.

http://wiki.nftables.org/wiki-nftables/index.php/Sets


Fatih USTA

On 28.04.2020 10:38, Patrick Greiff wrote:
> Hi everyone,
> I have a question about nftables.
> With iptables I had a blacklist where I wrote in the IPs that wanted to
> hack me.
> How can I integrate something into nftables? And also restart when the
> IPs are updated.
>


* Re: nftables
From: Fatih USTA @ 2020-04-28  8:45 UTC
  To: Patrick Greiff, Netfilter Users Mailing list

http://wiki.nftables.org/wiki-nftables/index.php/Scripting

I think you should follow this guide, and I am sending an example link below.

https://github.com/chr0mag/geoipsets


Fatih USTA

On 28.04.2020 11:33, Patrick Greiff wrote:
> Hi, many thanks, I was looking for that :)
> I have a few more questions. I am still a beginner in the field and so I
> am just learning ^^.
> I created nft add set ip filter blackhole {type ipv4_addr \;} and
> added an IP. But where is this file located?
> nft add rule ip filter input ip saddr @blackhole drop - do I have to add
> this to my main.conf? Or to the standard nftables.conf?
>
> Am 28.04.2020 um 09:50 schrieb Fatih USTA:
>> Hi
>>
>> You can use sets in nftables like iptables ipset.
>>
>> http://wiki.nftables.org/wiki-nftables/index.php/Sets
>>
>>
>> Fatih USTA
>>
>> On 28.04.2020 10:38, Patrick Greiff wrote:
>>> Hi everyone,
>>> I have a question about nftables.
>>> With iptables I had a blacklist where I wrote in the IPs that wanted to
>>> hack me.
>>> How can I integrate something into nftables? And also restart when the
>>> IPs are updated.
>>>

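Added example, not code from the thread: a POSIX shell script that keeps the blackhole set from Patrick's commands (table ip filter, chain input) in a plain text file and reloads its members through nft -f without restarting the firewall. A set created with nft add set exists only in the kernel until it is written to a ruleset file such as /etc/nftables.conf; the blocklist file path and its addresses below are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: keeps the "blackhole" set from
# Patrick's commands (table ip filter, chain input) in a plain text file
# and reloads it without restarting the firewall.

# Persistent part of the ruleset (what belongs in /etc/nftables.conf): the
# set declaration and the drop rule. The set is left empty here so its
# members can be managed separately.
base_ruleset() {
    cat <<'EOF'
table ip filter {
    set blackhole {
        type ipv4_addr
        flags interval    # needed for CIDR prefixes as elements
    }
    chain input {
        type filter hook input priority 0; policy accept;
        ip saddr @blackhole counter drop
    }
}
EOF
}

# Build an nft script that replaces the members of the set with the
# addresses or prefixes listed in file $1 (one per line; '#' comments and
# blank lines are ignored). Fed to `nft -f -`, the flush and the add are
# committed in one transaction, so the set is never empty in between.
set_update_script() {
    printf 'flush set ip filter blackhole\n'
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" |
    awk 'BEGIN { ORS = ""; n = 0 }
         { printf "%s%s", (n++ ? ", " : "add element ip filter blackhole { "), $1 }
         END { if (n) print " }\n" }'
}

# On the firewall host, as root: regenerate and apply in one step.
apply_blocklist() {
    set_update_script "$1" | nft -f -
}

# Constructed sample blocklist (RFC 5737 documentation addresses); only
# the generated nft script is printed here, nothing is applied.
BLOCKLIST=$(mktemp)
printf '203.0.113.5\n198.51.100.0/24 # whole range\n\n' > "$BLOCKLIST"
set_update_script "$BLOCKLIST"
```

Because nft -f commits the whole file atomically, editing the text file and running apply_blocklist is the "restart when the IPs are updated" step, with no reload of the rest of the ruleset.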

* Re: nftables
From: Trent W. Buck @ 2020-04-30  3:52 UTC
  To: netfilter

Fatih USTA <fatihusta86@gmail.com> writes:

> You can use sets in nftables like iptables ipset.
> http://wiki.nftables.org/wiki-nftables/index.php/Sets

See also sshguard[1] or fail2ban, for turnkey Intrusion Prevention Systems
(i.e. "block attackers by IP address").

Their nft-specific code is not very interesting:

https://bitbucket.org/sshguard/sshguard/src/master/src/fw/sshg-fw-nft-sets.sh
https://github.com/fail2ban/fail2ban/blob/bb0f732ae69894b22306dd7efa213513e3acd8a2/config/action.d/nftables.conf


[1] don't be fooled by the name; sshguard also handles postfix, dovecot, and NCSA (nginx/apache).


