From iptables to nftables - how to delete rules

Message

eeckwrk99 · Post by **eeckwrk99** » Tue Apr 30, 2024 1:57 pm

I'm using a program that can be configured to use either iptables or nftables. I've been using iptables but now I'd like to switch to nftables.

When running, the program sets some rules. Some of these rules prevent my virtual machines (QEMU/KVM with virt-manager, using NAT) from having any Internet traffic.

Said rules (with iptables):

Code: Select all

# iptables-legacy -L -n -v

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 [...] some "ACCEPT" rules
    0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 [...] some "ACCEPT" rules
    0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 [...] some "ACCEPT" rules
     0     0 DROP       0    --  *      *       0.0.0.0/0           0.0.0.0/0

I manually delete these "DROP" rules whenever I need to use a virtual machine. However, I'm having trouble doing the same thing with nftables:

Code: Select all

# nft -a list ruleset

table ip filter { # handle 99
	chain INPUT { # handle 1
		type filter hook input priority filter; policy drop;
                [...] - some "accept" rules
		counter packets 0 bytes 0 drop # handle 11
	}

  	chain FORWARD { # handle 2
		type filter hook forward priority filter; policy drop;
                [...] - some "accept" rules
		counter packets 0 bytes 0 drop # handle 13
	}

  chain OUTPUT { # handle 3
		type filter hook output priority filter; policy drop;
                [...] - some "accept" rules
		counter packets 0 bytes 0 drop # handle 38
	}
}

These "counter" rules are the only ones listed containing "drop", all the others contain "accept".

Quoting nftables Wiki:

nftables Wiki wrote:policy is the default verdict statement to control the flow in the base chain. Possible values are: accept (default) and drop. Warning: Setting the policy to drop discards all packets that have not been accepted by the ruleset.

It seems that "policy drop" already implies that anything not listed as "accept" is blocked, so I guess I cannot delete "drop" rules just like with iptables since they're not listed.

Any suggestion on how to proceed? Should I add "accept" rules for each chain instead?

Thanks.

Post by **pietinger** » Tue Apr 30, 2024 3:07 pm

Normally, a firewall works in such a way that everything that has not been expressly permitted is prohibited. (There are some special situations where you allow everything and only forbid some things, but forget that right away).

There is a POLICY in iptables AND nftables - and - there are DROP rules in iptables and nftables. Please do not confuse the two.

Now the question arises why you need a DROP rule if the policy already drops everything that was not previously allowed. A sensible use is, for example, if you want to know HOW MANY packets were dropped due to a special DROP rule.

But I don't understand your problem right now, because YOU have a standard DROP policy in both rule works ...

In general, however, I would recommend simply logging all DROPS and then checking the message log to see where you still need to allow something.

Post by Hu » Tue Apr 30, 2024 3:29 pm

Perhaps it would also be useful to configure this unidentified program not to write rules that conflict with other uses of the machine. Either make it add rules that keep the VM working, or prohibit it adding rules that break the VM.

eeckwrk99 · Post by **eeckwrk99** » Tue Apr 30, 2024 5:11 pm

pietinger wrote:There is a POLICY in iptables AND nftables - and - there are DROP rules in iptables and nftables. Please do not confuse the two.

I think the program sets the exact same rules regardless of whether iptables or nftables is used. At least, the "accept" rules look identical (with different syntax, of course). While I can see the "drop" policy for both tools in the relevant chains, I can only see the drop rules for iptables, not nftables.

pietinger wrote:Now the question arises why you need a DROP rule if the policy already drops everything that was not previously allowed. But I don't understand your problem right now, because YOU have a standard DROP policy in both rule works ...

Indeed, seeing "DROP" rules with iptables don't make sense considering the policy for all chains is set to "DROP". But still, they're present. And they're not with nftables.

Hu wrote:Perhaps it would also be useful to configure this unidentified program not to write rules that conflict with other uses of the machine. Either make it add rules that keep the VM working, or prohibit it adding rules that break the VM.

Maybe I should've mentioned that I have no control over what the program does regarding the initial creation of rules. I can only add new ones or remove some of them once it's launched. All I know is that when using iptables, I have to remove these DROP rules for the three chains (INPUT, FORWARD, OUTPUT) to get Internet traffic with my VMs, else it wouldn't work. I'm now trying to do this with nftables instead, but I cannot see the equivalent "DROP" rules listed, they're just not listed.

RumpletonBongworth · Post by **RumpletonBongworth** » Sun Jun 23, 2024 9:43 am

eeckwrk99 wrote:
pietinger wrote:Now the question arises why you need a DROP rule if the policy already drops everything that was not previously allowed. But I don't understand your problem right now, because YOU have a standard DROP policy in both rule works ...
Indeed, seeing "DROP" rules with iptables don't make sense considering the policy for all chains is set to "DROP". But still, they're present. And they're not with nftables.

If you are not the author of the program to which you refer, and you have reason to believe that it employs a markedly different strategy for nftables than for iptables, then you should perhaps discuss the matter with its author.

For iptables, there is the concept of a built-in chain, as documented by iptables(8). Under the hood, these are merely chains whose names are reserved and which have pre-defined Netfilter hooks. Assuming that no ruleset has yet been loaded, when you run iptables(8) or iptables-save(8) for no other purpose that to list the ruleset, the filter table will suddenly spring into existence, along with its built-in chains, INPUT, OUTPUT and FORWARD. Now, any chain bearing a hook will have a default policy and any chain being automatically initialised in this way will always have its default policy as ACCEPT. It is impossible for them to initialise as DROP unless a ruleset has been restored - or a command issued - to that effect (iptables -P, for example).

In the case of nftables, there are no built-in tables/chains and it does not hide the concept of a hook from the user. Instead, all hooks must be explicit. Indeed, everything must be explicit. If using nft(8) directly and you want for a chain to exist, then you must tell it to create the chain. If you want the chain to have a hook, then you must also then declare its hook and its default policy. It is impossible for chains to simply spring into existence as they can with iptables. So, if "nft list ruleset" shows anything at all, then you have done something to bring that state of affairs about. It's not all that different for iptables. If you see any individual iptables rules whatsoever, then you have done something to bring about their existence and, again, if the default policy for any built-in chain is DROP then you have done something to make it so.

As far as I can tell from your initial post, the something in question is a program for which you are not the author and which employs a strategy of injecting dropping rules into chains that are not specially purposed - irrespective of what which rules might already be contained by them - and hoping for the best. Not an ideal strategy, if so. Or, perhaps it is the kind of program that expects to have control over the entire ruleset. In any case, it is a little more tricky to have nft delete individual rules than it is in the case of iptables. You got as far as listing the object handles in your initial post. Taking the rule with handle #11 as an example, you could delete it as follows.

Code: Select all

nft delete rule filter INPUT handle 11

If I were the author of the program in question, I might be inclined to create an entirely separate table to contain the injected drop rules within chains that are hooked at a numerically higher priority level, which is something that only nftables is capable of. That way, the users of this program would be able to delete all of the drop rules by issuing a single command to delete its enclosing table. Further, for iptables, the author of the program might consider inserting drop rules into the PREROUTING and OUTPUT chains of the raw table instead, since it would be much less likely to interfere with a pre-existing ruleset, while taking precedence over the filter table.

RumpletonBongworth · Post by **RumpletonBongworth** » Sun Jun 23, 2024 10:01 am

eeckwrk99 wrote:I'm now trying to do this with nftables instead, but I cannot see the equivalent "DROP" rules listed, they're just not listed.

I don't follow. The redacted nftables ruleset shown by your initial post shows rules that have "drop" as a verdict. You even made a point of noting their existence. Are those not the ones being injected by the program?