Gentoo Forums
Migrating from ip(6)tables to nftables
Networking & Security
pa4wdh
Guru
Joined: 16 Dec 2005
Posts: 351
Posted: Thu Feb 13, 2020 4:16 pm    Post subject: Migrating from ip(6)tables to nftables

Hi All,

I'm an ip(6)tables fan and have pretty extensive rulesets, and I'd like to check out nftables. I've done some first experiments and it looks alright.

Before I can migrate all my rulesets there are two features I need, and according to the nftables wiki[1] they are not supported (yet):
- The LED target (obviously not a hard requirement, but really nice to have)
- The string match
Both have a comment "Consider native", I don't really understand what they mean by that, I also can't find any nftables-native solution.

Does anyone here know how to use similar features with nftables?

[1]: https://wiki.nftables.org/wiki-nftables/index.php/Supported_features_compared_to_xtables
_________________
The gentoo way of bringing peace to the world:
USE="-war" emerge --newuse @world

Free as in Freedom is not limited to software only:
Music: http://www.jamendo.com
Recipes: http://www.opensourcefood.com
Ant P.
Watchman
Joined: 18 Apr 2009
Posts: 6217
Posted: Fri Feb 14, 2020 6:33 am

I guess they mean those things should now be done via a userspace program using the log/queue target. Batteries not included, naturally. I can see the reason for them changing it, but it is annoying.
pa4wdh
Guru
Joined: 16 Dec 2005
Posts: 351
Posted: Fri Feb 14, 2020 8:46 am

Thanks for your answer Ant P.

I'm more than happy to write my own userspace program if that's what's needed. For the LED target I can see it's quite easy: use the logging facility and have a userspace program read the log and perform the LED actions. For the string match I don't see how I can send the complete packet to a userspace program, perform the string match there, and send the result back to netfilter. Do you know how to do that? (especially the sending to userspace and sending the result back 8) )
Ant P.
Watchman
Joined: 18 Apr 2009
Posts: 6217
Posted: Fri Feb 14, 2020 6:13 pm

That's done with net-libs/libnetfilter_queue. Docs for that are here, and there's a link to an off-site example that looks close to what you want.

There's also net-libs/nfqueue-bindings, but that's been p.masked recently.
pa4wdh
Guru
Joined: 16 Dec 2005
Posts: 351
Posted: Sat Feb 15, 2020 10:19 am

Thanks, that is very useful Ant P.

I also found the "payload" option in nftables; for data that has a predictable location in the packet, that might be a better (and better performing) option than nfqueue.

It's time to start experimenting again, thanks!
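The two approaches the thread arrives at (a raw payload match for data at a fixed offset, and handing the rest to a userspace program via nfqueue, with logging as the LED substitute) as one added example ruleset; this is not from the original posts, and the ports, the 4-byte "SYNC" marker, the nflog group and the queue number are assumed values.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread): nftables-native stand-ins for the
# xtables LED target and string match. Ports, marker and numbers are assumed.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;

        # Fixed-position match: @th,<bit offset>,<bit length> addresses bytes
        # relative to the transport header. UDP has a fixed 8-byte header, so
        # bit offset 64 is the first payload byte. 0x53594e43 is ASCII "SYNC".
        # This is an exact comparison at one offset, not a search of the payload.
        # The log line goes to the kernel log (prefix) and, via nflog group 1,
        # to any userspace listener, e.g. a program that drives the LED.
        udp dport 5000 @th,64,32 0x53594e43 counter log prefix "led-blink: " group 1 accept

        # TCP headers carry options, so the payload offset varies and a fixed
        # @th offset is unreliable. Hand these packets to a userspace program
        # (libnetfilter_queue) that performs the real string search and returns
        # the verdict. "bypass" accepts packets when nothing is bound to the
        # queue; remove it to fail closed (packets dropped until a listener binds).
        tcp dport 80 queue num 0 bypass
    }
}
```

Check the loaded form with `nft list ruleset`; the `counter` on the UDP rule shows whether the fixed-offset match is firing before any userspace side is written.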