
nftables - the evolution of Linux Firewall

Linux-BG January 2017



  1. NF TABLES
     Marian "HackMan" Marinov, Chief System Architect of SiteGround.com <mm@1h.com>
  2. Who am I?
  3. History
     ➢ ipfw
     ➢ ipchains
     ➢ iptables
     ➢ arptables
     ➢ ebtables
     ➢ nftables
  4. nftables
     ➢ Replacement of iptables, ip6tables, arptables & ebtables
       ➢ including ipset
     ➢ Remove the duplicated code from all modules
     ➢ Simplify the dual stack (IPv4/6) handling
     ➢ ip, ip6, inet, arp & bridge address families
  5. nftables
     ➢ Merged mainstream in October 2013, available since January 2014 in Linux kernel 3.13.
     ➢ It reuses the existing Netfilter building blocks: hooks, conntrack, NAT, logging and userspace queueing.
     ➢ It also reuses existing xtables extensions through nft_compat.
  6. nftables flow
     (diagram) NETWORK -> prerouting -> Routing Decision -> input -> Local Process -> output -> Routing Decision -> postrouting -> NETWORK
     forwarded packets: prerouting -> Routing Decision -> forward -> postrouting
  7. nftables flow with ingress filter
     (diagram) the same flow as slide 6, with the ingress hook placed before prerouting: NETWORK -> ingress -> prerouting -> Routing Decision -> ...
  8. nftables vs. iptables
     ➢ Tables and chains are fully configurable
       list tables [family]
       list table [family] <name>
       list chain [family] <table> <name>
       add table [family] <name>
       add chain [family] <table> <name> [chain definitions]
       add rule [family] <table> <chain> <rule definition>
       table [family] <name> (shortcut for `add table`)
     Families:
       ip - IPv4
       ip6 - IPv6
       inet - IPv4 or v6
       arp - arp
       bridge - linux bridge
  9. nftables vs. iptables
     ➢ Tables and chains are fully configurable
     ➢ Tables are without any predefined purpose
       ➢ there are no raw, filter, nat & mangle tables
  10. nftables vs. iptables
     ➢ Tables and chains are fully configurable
     ➢ Tables are without any predefined purpose
       ➢ there are no raw, filter, nat & mangle tables
     ➢ By default there are no chains
       ➢ if there is no chain that would match the packet, it will not be touched by netfilter code
     ➢ Every chain has a type:
       ➢ filter
       ➢ nat (only the first packet of a flow hits this chain)
       ➢ route (mangle)
  11. Hooks
     ➢ Base chains are the ones that are attached to hooks
     ➢ Non-base chains are used for ordering
     ➢ All available hooks:
       ➢ ingress
       ➢ input
       ➢ output
       ➢ forward
       ➢ prerouting
       ➢ postrouting
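Slides 8 to 11 describe tables without predefined purpose, chain types (filter, nat, route) and the difference between base chains (attached to a hook) and non-base chains (reached only by jump/goto). The ruleset below is an added example, not from the slides, that puts all of these in one file loadable with `nft -f`; addresses and the interface names `lan0`/`wan0` are placeholders, and the nat and route priorities are the conventional values matching iptables' nat and mangle ordering.

```nft
#!/usr/sbin/nft -f
# Added example (not from the slides): one table per purpose, every chain
# carrying an explicit type, hook and priority. Interface names and addresses
# are placeholders.
flush ruleset

table inet filter {
    # Non-base chain: no type, no hook. Packets only get here via jump/goto.
    chain mgmt_services {
        tcp dport { ssh, 8443 } accept
    }

    # Base chain on the input hook: sees every packet for a local process.
    # "policy drop" is what happens when no rule issues a verdict.
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        # jump returns here if mgmt_services ends without a verdict
        ip saddr 192.0.2.0/24 jump mgmt_services
        tcp dport { http, https } accept
        # several actions in a single rule (slide 13): count, log, then drop
        counter log prefix "input-drop: " drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "lan0" oifname "wan0" accept
    }
}

table ip nat {
    # nat chains only see the first packet of each flow; conntrack applies the
    # mapping to the rest of the flow (slide 10)
    chain prerouting {
        type nat hook prerouting priority -100;
        iifname "wan0" tcp dport 8080 dnat to 192.0.2.10:80
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "wan0" masquerade
    }
}

table ip mangle {
    # route chains are the "mangle" type of slide 10: for locally generated
    # packets they re-run the routing decision after the rule changed the packet
    chain output {
        type route hook output priority -150;
        tcp dport 53 meta mark set 0x1
    }
}
```

Because there is no chain on the output or postrouting hooks of the `inet filter` table, packets leaving the host are not examined by that table at all, which is the "no chains by default" point of slide 10.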
  12. nftables vs. iptables
     ➢ No distinction between matches and targets anymore
       ➢ no difference between ACCEPT and -s
       # nft insert rule filter input ct state established accept
       VS.
       # iptables -I INPUT -j ACCEPT -m conntrack --ctstate ESTABLISHED
  13. nftables vs. iptables
     ➢ You can specify several actions in one single rule
       # nft add rule filter forward tcp dport 22 log drop
       VS.
       # iptables -A FORWARD -p tcp --dport 22 -j LOG
       # iptables -A FORWARD -p tcp --dport 22 -j DROP
  14. nftables vs. iptables
     ➢ No built-in counter per chain and rules
       ➢ counters introduce delays in packet processing
       ➢ counters can be added to any chain using the 'counter' keyword
       # nft add rule ip filter output ip daddr 1.2.3.4 counter drop
  15. nftables vs. iptables
     ➢ New supported protocols without kernel upgrades
       ➢ most of the logic in nftables is inside its userspace
       ➢ it compiles the rules to VM bytecode in netlink format and then pushes this into the kernel via the nftables Netlink API
       ➢ it provides generic set and map infrastructure
  16. nftables vs. iptables
     ➢ Better support for dynamic ruleset updates
       ➢ iptables always replaces all rules
         ➢ even if you only delete one rule
         ➢ even if you only add one rule
       ➢ nftables uses a linked list to solve this issue
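The incremental updates of slide 16 look like this in practice. This is an added example, not from the slides: a script applied with `nft -f update.nft`, which the kernel commits as one transaction, so only the named rules and elements change. The handle numbers are placeholders (real ones come from `nft -a list chain inet filter input`), and the `blocklist` set is assumed to already exist in the `inet filter` table.

```nft
# Added example (not from the slides). Applied with: nft -f update.nft
# All commands in the file form one atomic batch; rules and sets not named
# here are left exactly as they were. Handles 9 and 12 are placeholders.

# append a rule at the end of the input chain
add rule inet filter input tcp dport 8443 ct state new counter accept

# insert before the rule with handle 12 (without a handle, insert goes to the top)
insert rule inet filter input handle 12 ip saddr 198.51.100.0/24 counter drop

# add right after the rule with handle 12
add rule inet filter input handle 12 tcp dport 2222 drop

# remove exactly one rule; the remaining rules keep their handles
delete rule inet filter input handle 9

# set elements change one at a time as well; no rule referencing the set is reloaded
add element inet filter blocklist { 203.0.113.42 }
delete element inet filter blocklist { 203.0.113.7 }
```

If any command in the file fails (for instance a handle that no longer exists), the whole batch is rejected and the live ruleset stays as it was, which is the property iptables-restore style full replacement cannot give you per rule.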
  17. Example ruleset (slides 17 and 18)
       flush ruleset
       table inet filter {
           chain input {
               type filter hook input priority 0; policy drop;
               # established/related connections
               ct state established,related accept
               # invalid connections
               ct state invalid drop
               # loopback interface
               iif lo accept
               # ICMP
               # routers may also want: mld-listener-query, nd-router-solicit
               ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
               ip protocol icmp icmp type { destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept
               # SSH (port 22)
               tcp dport ssh accept
               # HTTP/HTTPS (ports 80 & 443)
               tcp dport { http, https } accept
           }
       }
  19. ➢ Basic Jump example:
       table inet filter {
           chain web {
               tcp dport http accept
               tcp dport 8080 accept
           }
           chain input {
               type filter hook input priority 0;
               ip saddr 10.0.2.0/24 jump web
               drop
           }
       }
  20. Interesting
     ➢ Concatenated Value Pairs
       # nft add element traffic-filter dict { 192.168.0.1 : drop, 192.168.0.2 : accept }
     ➢ Easy Data Export
       # nft export json
     ➢ Multiple Actions
       # nft add rule ip filter input ip protocol vmap { tcp : jump tcp-chain, udp : jump udp-chain, icmp : jump icmp-chain }
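The set and map infrastructure of slide 15 and the value pairs and verdict maps of slide 20 are shown together in this added example, which is not from the slides: a named set with interval (prefix) support, a port-to-verdict map, a map keyed on the concatenation of address and port (the "dict" idea), and the protocol dispatch vmap. Addresses are placeholders from the documentation ranges; the `ip saddr` matches only apply to IPv4 inside the `inet` table, so IPv6 traffic falls through to the drop policy.

```nft
#!/usr/sbin/nft -f
# Added example (not from the slides). Addresses are placeholders.
# Objects are declared before the rules and maps that reference them,
# because everything is loaded in one batch in file order.
flush ruleset

table inet filter {
    # chain referenced from the svc_policy map below
    chain mgmt {
        ip saddr 192.0.2.0/24 accept
        drop
    }

    # named set; "interval" allows CIDR prefixes, elements can be changed at runtime
    set blocklist {
        type ipv4_addr
        flags interval
        elements = { 198.51.100.0/24, 203.0.113.7 }
    }

    # port -> verdict
    map svc_policy {
        type inet_service : verdict
        elements = { ssh : jump mgmt, http : accept, https : accept }
    }

    # concatenated key (address . port) -> verdict: slide 20's "dict"
    map client_rules {
        type ipv4_addr . inet_service : verdict
        elements = { 192.0.2.1 . 22 : drop, 192.0.2.2 . 22 : accept }
    }

    chain tcp_chain {
        # one rule dispatches on destination port through the named map
        tcp dport vmap @svc_policy
    }
    chain udp_chain {
        udp dport { domain, ntp } accept
    }
    chain icmp_chain {
        icmp type { echo-request, destination-unreachable, time-exceeded } accept
    }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        ip saddr @blocklist counter drop
        # per-client overrides first, then the generic per-protocol dispatch
        ip saddr . tcp dport vmap @client_rules
        ip protocol vmap { tcp : jump tcp_chain, udp : jump udp_chain, icmp : jump icmp_chain }
    }
}
```

With this layout a new blocked address is `nft add element inet filter blocklist { 203.0.113.42 }` and a new per-client rule is one `add element` on `client_rules`; neither change touches the chains, and the lookups stay O(1) or O(log n) regardless of how many elements the set or map holds.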
  21. Jumps
     ➢ accept (accept a packet)
     ➢ reject (reject a packet)
     ➢ drop (drop a packet)
     ➢ snat (perform source NAT on a packet)
     ➢ dnat (perform destination NAT on a packet)
     ➢ log (log a packet)
     ➢ counter (keep a counter on a packet; counters are optional in nftables)
     ➢ return (stop traversing the chain)
     ➢ jump <chain> (jump to another chain)
     ➢ goto <chain> (jump to another chain, but do not return)
  22. Match arguments
     meta:
       oif <output interface INDEX>
       iif <input interface INDEX>
       oifname <output interface NAME>
       iifname <input interface NAME>
     (oif and iif accept string arguments and are converted to interface indexes)
     (oifname and iifname are more dynamic, but slower because of string matching)
  23. Match arguments
     icmp:
       type <icmp type>
     icmpv6:
       type <icmpv6 type>
     ip:
       protocol <protocol>
       daddr <destination address>
       saddr <source address>
     ip6:
       daddr <destination address>
       saddr <source address>
  24. Match arguments
     tcp:
       dport <destination port>
       sport <source port>
     udp:
       dport <destination port>
       sport <source port>
     ct:
       state <new | established | related | invalid>
  25. Load Balancing: IPv4 performance
     method     req/sec     %cpu
     LVS-SNAT   313427.91   24.11
     NFT-SNAT   289035.54   23.2
     NFT-DNAT   303356.59   23.12
     LVS-DSR    356212.05   4.78
     NFT-DSR    393672.35   0.54
     DSR - Direct Server Return
     SLB - Server Load Balancing (SNAT/DNAT)
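The NFT-DNAT and NFT-SNAT rows of the benchmark correspond to rulesets of the following shape. This is an added example, not from the slides: the VIP 203.0.113.1 and the backends 10.0.0.11/10.0.0.12 are placeholders, and the `numgen` and `jhash` expressions require nft 0.7 / kernel 4.10 or later. The DSR variant is not shown.

```nft
#!/usr/sbin/nft -f
# Added example (not from the slides): NFT-DNAT and NFT-SNAT style load
# balancing. VIP and backend addresses are placeholders.
table ip lb {
    chain prerouting {
        type nat hook prerouting priority -100;
        # NFT-DNAT: round-robin across two backends. The nat chain only sees
        # the first packet of a flow, so conntrack keeps a flow on its backend.
        ip daddr 203.0.113.1 tcp dport 80 dnat to numgen inc mod 2 map { 0 : 10.0.0.11, 1 : 10.0.0.12 }
        # hash on the client address instead, so one client always lands on one backend
        ip daddr 203.0.113.1 tcp dport 443 dnat to jhash ip saddr mod 2 seed 0x5eed1234 map { 0 : 10.0.0.11, 1 : 10.0.0.12 }
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        # NFT-SNAT: additionally rewrite the source address so that backend
        # replies return through the balancer even when it is not their
        # default gateway. Costs the extra conntrack mapping the table reflects.
        ip daddr { 10.0.0.11, 10.0.0.12 } masquerade
    }
}
```

Without the postrouting rule (pure DNAT) the backends must route their replies back through the balancer themselves; with it the balancer is transparent to the backends at the price of the source rewrite on every connection, which is the NFT-SNAT versus NFT-DNAT difference the measurements compare.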
  26. Kernel configuration
     [*] Networking support --->
       Networking options --->
         [*] Network packet filtering framework (Netfilter) --->
           Core Netfilter Configuration --->
             <M> Netfilter nf_tables support
             <M> Netfilter nf_tables conntrack module
             <M> Netfilter nf_tables counter module
             <M> Netfilter nf_tables log module
             <M> Netfilter nf_tables limit module
             <M> Netfilter nf_tables masquerade support
             <M> Netfilter nf_tables nat module
           IP: Netfilter Configuration --->
             <M> IPv4 nf_tables support
             <M> IPv4 nf_tables route chain support
             <M> IPv4 packet rejection
             <M> IPv4 NAT
             <M> IPv4 nf_tables nat chain support
             <M> IPv4 masquerade support
             <M> IPv4 masquerading support for nf_tables
  27. Marian "HackMan" Marinov <mm@1h.com>
     hackman @ irc.freenode.net
     https://github.com/hackman
