pa4wdh l33t
Joined: 16 Dec 2005 Posts: 806
Posted: Thu Feb 13, 2020 4:16 pm Post subject: Migrating from ip(6)tables to nftables
Hi All,
I'm an ip(6)tables fan and have pretty extensive rulesets, and I'd like to check out nftables. I've done some first experiments and it looks alright.
Before I can migrate all my rulesets there are two features I need which, according to the nftables wiki[1], are not supported (yet):
- The LED target (obviously not a hard requirement, but really nice to have)
- The string match
Both have the comment "Consider native". I don't really understand what they mean by that, and I also can't find any nftables-native solution.
Does anyone here know how to use similar features with nftables?
[1]: https://wiki.nftables.org/wiki-nftables/index.php/Supported_features_compared_to_xtables

_________________
The gentoo way of bringing peace to the world:
USE="-war" emerge --newuse @world
My shared code repository: https://code.pa4wdh.nl.eu.org
Music, Free as in Freedom: https://www.jamendo.com
Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
Posted: Fri Feb 14, 2020 6:33 am
I guess they mean those things should now be done via a userspace program using the log/queue target. Batteries not included, naturally. I can see the reason for them changing it, but it is annoying.
pa4wdh l33t
Joined: 16 Dec 2005 Posts: 806
Posted: Fri Feb 14, 2020 8:46 am
Thanks for your answer Ant P.
I'm more than happy to write my own userspace program if that's what's needed. For the LED target I can see it's quite easy: use the logging facility and have a userspace program read the log and perform the LED actions. For the string match I don't see how I can send the complete packet to a user space program, perform the string match there, and send the result back to netfilter. Do you know how to do that? (especially the sending to userspace and sending the result back)
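As an added example (my own code, not pa4wdh's and not anything shipped by the nftables project), here is the log-reading half of that LED replacement. The nft rule tags packets with a log prefix, the kernel writes the usual netfilter KEY=VALUE line to the log, and a small watcher pulses an LED through the sysfs LED class interface (/sys/class/leds/<name>/brightness). The prefix-to-LED mapping, the LED names and the sample log lines are constructed for the example; the nft rule quoted in the docstring is the assumed kernel side.

```python
"""Userspace replacement for the xtables LED target (added example, not from the thread).

Assumed nftables side, one rule per thing you want to blink for:
    nft add rule inet filter input tcp dport 22 ct state new \
        limit rate 10/second log prefix "LED-ssh: " accept
The `limit rate` in front of `log` keeps a busy rule from flooding the log.
The kernel emits the netfilter KEY=VALUE line; this script reads such lines
(a constructed sample here, `journalctl -kf` in practice) and pulses an LED.
"""
import re
import sys
import time
from typing import Callable, Dict, Optional

# Log prefix (without the trailing ": ") -> LED name under /sys/class/leds (assumed names).
PREFIX_TO_LED: Dict[str, str] = {
    "LED-ssh": "led0",
    "LED-http": "led1",
}

_PREFIX_RE = re.compile(r"(?:^|\s)(LED-[A-Za-z0-9_-]+):\s")   # our own prefixes only
_FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")                    # IN=eth0 SRC=... DPT=...


def parse_nft_log_line(line: str) -> Optional[dict]:
    """Return {'prefix': str, 'fields': {...}} for a tagged nft log line, else None."""
    m = _PREFIX_RE.search(line)
    if not m:
        return None
    fields = dict(_FIELD_RE.findall(line[m.end():]))
    if "SRC" not in fields or "PROTO" not in fields:
        return None  # prefix matched but this is not a netfilter log line
    return {"prefix": m.group(1), "fields": fields}


def sysfs_blink(led: str, on_seconds: float = 0.05) -> None:
    """Pulse an LED via /sys/class/leds/<led>/brightness (needs root on a real box)."""
    path = f"/sys/class/leds/{led}/brightness"
    for value in ("1", "0"):
        with open(path, "w") as fh:
            fh.write(value)
        time.sleep(on_seconds)


class LedWatcher:
    """Feeds log lines through the parser and fires the blink action for known prefixes."""

    def __init__(self, blink: Callable[[str], None] = sysfs_blink,
                 mapping: Dict[str, str] = PREFIX_TO_LED) -> None:
        self.blink = blink
        self.mapping = mapping
        self.counts: Dict[str, int] = {}

    def handle_line(self, line: str) -> Optional[str]:
        """Return the LED pulsed for this line, or None if the line was ignored."""
        parsed = parse_nft_log_line(line)
        if parsed is None:
            return None
        led = self.mapping.get(parsed["prefix"])
        if led is None:
            return None          # tagged, but nobody asked for an LED on that prefix
        self.blink(led)
        self.counts[led] = self.counts.get(led, 0) + 1
        return led


# Constructed sample in the shape the kernel emits for `log prefix "LED-ssh: "`.
SAMPLE_LOG = """\
Feb 14 09:00:01 gw kernel: LED-ssh: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=34567 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 14 09:00:02 gw kernel: LED-http: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.11 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 14 09:00:03 gw kernel: LED-dns: IN=eth0 OUT= SRC=192.0.2.12 DST=198.51.100.5 LEN=60 PROTO=UDP SPT=5353 DPT=53
Feb 14 09:00:04 gw sshd[123]: Accepted publickey for alice from 192.0.2.10 port 34567
"""


def run_sample(blink: Callable[[str], None]) -> Dict[str, int]:
    """Replay SAMPLE_LOG through a watcher and return how often each LED was pulsed."""
    watcher = LedWatcher(blink=blink)
    for line in SAMPLE_LOG.splitlines():
        watcher.handle_line(line)
    return watcher.counts


if __name__ == "__main__":
    # `--stdin` follows a real log (journalctl -kf | python3 led_watch.py --stdin);
    # otherwise the constructed sample is replayed and blinks are printed.
    lines = sys.stdin if "--stdin" in sys.argv else SAMPLE_LOG.splitlines()
    watcher = LedWatcher(blink=lambda led: print(f"blink {led}"))
    for line in lines:
        watcher.handle_line(line.rstrip("\n"))
```

Only lines carrying one of your own prefixes are acted on, so other kernel log traffic and unrelated daemons cannot drive the LED, and an unknown prefix (the LED-dns line in the sample) is parsed but ignored.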
Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
Posted: Fri Feb 14, 2020 6:13 pm
That's done with net-libs/libnetfilter_queue. Docs for that are here, and there's a link to an off-site example that looks close to what you want.
There's also net-libs/nfqueue-bindings, but that's been p.masked recently.
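As an added example (my own code, not from this thread and not the off-site example Ant P. links to), this is the shape of such a userspace string match. The kernel side is an nft rule with a `queue` statement (assumed here as `queue num 0 bypass`; `bypass` makes the rule fail open when no program is bound to the queue, without it those packets are dropped). The verdict logic is pure Python over raw IPv4 bytes and runs on constructed packets; only `run_queue()` touches the NetfilterQueue Python binding around libnetfilter_queue, which is an assumption of the example.

```python
"""Userspace string match over NFQUEUE (added example, not from the thread or
the libnetfilter_queue docs).

Assumed kernel side (nft syntax):
    nft add rule inet filter forward tcp dport 80 queue num 0 bypass
The NetfilterQueue Python binding is assumed for run_queue(); everything else
is plain Python and exercised on constructed packets without root.
"""
import socket
import struct
from typing import Optional

IPPROTO_TCP = 6
IPPROTO_UDP = 17


def transport_payload(packet: bytes) -> Optional[bytes]:
    """Walk the IPv4 and TCP/UDP headers and return the payload, or None if malformed."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                      # not IPv4 (IPv6 would need its own walk)
    ihl = (packet[0] & 0x0F) * 4         # IP header length including options
    total_len = struct.unpack("!H", packet[2:4])[0]
    proto = packet[9]
    if ihl < 20 or total_len < ihl or total_len > len(packet):
        return None
    if proto == IPPROTO_TCP:
        if total_len < ihl + 20:
            return None
        start = ihl + (packet[ihl + 12] >> 4) * 4   # TCP data offset, options included
    elif proto == IPPROTO_UDP:
        start = ihl + 8
    else:
        return None
    if start > total_len:
        return None
    return packet[start:total_len]       # ignore any trailer beyond the IP total length


def verdict(packet: bytes, pattern: bytes, drop_on_match: bool = True) -> str:
    """Return 'drop' or 'accept'. A packet the parser cannot read counts as
    non-matching, so a parser gap cannot silently turn into a blanket drop."""
    payload = transport_payload(packet)
    matched = payload is not None and pattern in payload
    if matched:
        return "drop" if drop_on_match else "accept"
    return "accept" if drop_on_match else "drop"


def build_ipv4_packet(proto: int, payload: bytes,
                      src: str = "192.0.2.1", dst: str = "198.51.100.1") -> bytes:
    """Constructed test packet: minimal IPv4 header + minimal TCP/UDP header + payload.
    Checksums are left zero; the parser above does not verify them."""
    if proto == IPPROTO_TCP:
        # sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0)
    total = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0x4000, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + l4 + payload


def run_queue(queue_num: int, pattern: bytes) -> None:
    """Bind to NFQUEUE and apply verdict() to live packets (needs the binding and root)."""
    from netfilterqueue import NetfilterQueue   # assumed: pip package "NetfilterQueue"

    def callback(pkt):
        if verdict(pkt.get_payload(), pattern) == "drop":
            pkt.drop()
        else:
            pkt.accept()

    nfqueue = NetfilterQueue()
    nfqueue.bind(queue_num, callback)
    try:
        nfqueue.run()
    finally:
        nfqueue.unbind()


if __name__ == "__main__":
    sample = build_ipv4_packet(IPPROTO_TCP, b"GET / HTTP/1.1\r\nHost: example\r\n\r\n")
    print(verdict(sample, b"Host: example"))   # prints "drop" on the constructed packet
```

Keep in mind that every queued packet crosses into userspace and waits for the verdict, so restrict the `queue` rule to the traffic that actually needs the string match; where the data sits at a fixed offset, the raw payload expression in nft itself avoids the round trip entirely.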
pa4wdh l33t
Joined: 16 Dec 2005 Posts: 806
Posted: Sat Feb 15, 2020 10:19 am
Thanks, that is very useful Ant P.
I also found the "payload" option in nftables; for data that has a predictable location in the packet that might be a better (and better performing) option than nfqueue.
It's time to start experimenting again, thanks!
eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9645 Location: almost Mile High in the USA
Posted: Wed Mar 24, 2021 8:56 am
Anyone happen to know when iptables too will be deprecated completely? :(
Just noticed my iptables commands didn't work on another machine I was working on and found nftables documentation which seems to indicate it's a replacement, once again (ipfw anyone? others? when will linux firewall rules settle down? ever?)...
So far iptables should still work fine for now after finding the kernel options that I was missing. Sigh. Compile again...

_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?
Zucca Moderator
Joined: 14 Jun 2007 Posts: 3310 Location: Rasi, Finland
Posted: Wed Mar 24, 2021 9:48 am
IIRC nftables has some "raw" commands which are in iptables format syntax.
Anyways. You can use nftables like iptables, that is, run multiple nft commands in a shell script. Or you can create an "nft native" rulefile. I don't really know if they are really called "rulefiles".
Here's one old file I created for one of my boxes, /etc/nft/basic_rules.nft:

#!/sbin/nft -f
# Before work - we clean our working table.
flush ruleset
# Define / set some variables
# ...so that when change is needed it _could_ be easier(?).
define wanif = ethmb0
define wlanif = wlanusb0
define lanif = ethcard0
# ipv4 NATting
# Note that when natting you cannot use 'inet'.
table ip ipreroute {
    chain prerouting {
        type nat hook prerouting priority 0; policy accept;
        # We have DNSd too!
        ip daddr { 1.1.1.1, 8.8.4.4, 8.8.8.8, 165.193.78.252 } dnat to 10.0.0.1
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname $wanif masquerade
    }
}
Also see nft quick reference.

_________________
..: Zucca :..
Gentoo IRC channels reside on Libera.Chat.
--
Quote: I am NaN! I am a man!
pa4wdh l33t
Joined: 16 Dec 2005 Posts: 806
Posted: Wed Mar 24, 2021 9:50 am
I'm not aware of any deprecation plans.
If you prefer the iptables syntax you can also have the iptables tools which use nftables as a backend, so to you it'll be like nothing has changed, but in the kernel you're using the nftables stuff. As far as I know you can do that by setting the nftables useflag for net-firewall/iptables.
Next to that I can highly recommend learning nftables. I've migrated a ~1500 rule iptables setup and a similar amount of rules for ip6tables to a single nftables ruleset of ~2000 rules and never looked back. I got so used to the nftables syntax that iptables looks a bit old fashioned now. Especially sets can make your ruleset a lot easier to read.
eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9645 Location: almost Mile High in the USA
Posted: Wed Mar 24, 2021 3:48 pm
I suppose right now it's a deployment issue, wanted to deploy a simple firewall on a remote system. Of course the hazards of screwing up a rule exist - do something that's familiar when working on something risky...
... experiment with something risky on something that you don't have to worry too much about ...
... and then migrate over once familiar.
Ah, oh well.
Princess Nell l33t
Joined: 15 Apr 2005 Posts: 916
Posted: Sun Jul 31, 2022 10:17 pm
This thread seems to have been dormant for a while, but just in case: have you tried the iptables-restore-translate tool described in the nftables wiki? You'll need to build net-firewall/iptables with the nftables USE flag to get those extra tools.