nftables tutorial
Pablo Neira Ayuso
<pablo@[Link]>
Userday Netfilter - June 2016
Netherlands
Why this?
– Abuse of copy and paste from iptables
[Diagram: iptables, ip6tables, arptables and ebtables, all built on top of x_tables]
– In the late 90s people were happy with shell scripts
– Avoid linear ruleset representations: use concatenations and maps.
– Better incremental updates.
– Simplify dual stack IPv4/IPv6 administration and layer 2.
– No more dash dash spellings.
Bye bye iptables
Let's look at internals...
● Simple like... [Image: "Consul" The Educated Monkey, "Computing Device" by William H. Robertson (1823-1898)]
– Specific purpose VM
● 22 instructions
● 32/128 addressable regs
● Very simple bytecode verifications
● Extensible like...
– Netlink socket interface
Let's look at internals... (2)
[Diagram: in userspace, nft uses libnftnl to talk over Netlink sockets (syscalls) to the nftables VM in the kernel]
nftables internals
● nft --debug=netlink add rule ip foo bar ct state new \
      ip saddr [Link]-[Link] tcp dport 22 accept
ip foo bar
[ ct load state => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0x00000008 ) ^ 0x00000000 ]
[ cmp neq reg 1 0x00000000 ]
[ payload load 4b @ network header + 12 => reg 1 ]
[ cmp gte reg 1 0x0000a8c0 ]
[ cmp lte reg 1 0x0d00a8c0 ]
[ payload load 1b @ network header + 9 => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
[ payload load 2b @ transport header + 2 => reg 1 ]
[ cmp eq reg 1 0x00001600 ]
[ immediate reg 0 accept ]
The slides step through this listing with the following callouts:
– First off: specify family, table and chain (ip foo bar).
– ip saddr: the payload load copies the source address from the packet into a register (reg1, reg2, ... regN); the cmp gte / cmp lte pair then checks reg1 >= x && reg1 <= x for the range.
– Automatic dependency generation: the ip protocol tcp test (payload load 1b @ network header + 9, cmp eq 0x00000006) is generated for you, and the match for the destination port (payload load 2b @ transport header + 2, cmp eq 0x00001600) follows.
– Ok, let's accept this packet! (immediate reg 0 accept)
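As an added example that is not part of the original slides: the constants in the listing above are easier to read once you know the VM copies packet bytes (network order) into a host-order u32 before printing them. The following Python decoder assumes the ip family and uses my own field labels (not nft's names) to turn the listing back into the rule.

```python
import re
from ipaddress import IPv4Address
# Constructed input: the --debug=netlink listing shown on the slides above.
BYTECODE = """\
[ ct load state => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0x00000008 ) ^ 0x00000000 ]
[ cmp neq reg 1 0x00000000 ]
[ payload load 4b @ network header + 12 => reg 1 ]
[ cmp gte reg 1 0x0000a8c0 ]
[ cmp lte reg 1 0x0d00a8c0 ]
[ payload load 1b @ network header + 9 => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
[ payload load 2b @ transport header + 2 => reg 1 ]
[ cmp eq reg 1 0x00001600 ]
[ immediate reg 0 accept ]
"""
# My labels for (header, offset, length) in the ip family; not nft's own names.
FIELDS = {("network", 12, 4): "ip saddr", ("network", 9, 1): "ip protocol",
          ("transport", 2, 2): "dport"}
PROTO = {1: "icmp", 6: "tcp", 17: "udp"}
CT_STATE = {1: "invalid", 2: "established", 4: "related", 8: "new"}

def payload_value(hexval, width):
    """Reverse the dump: `width` network-order packet bytes sit in the low bytes of a host-order u32."""
    raw = int(hexval, 16).to_bytes(4, "little")[:width]
    return int.from_bytes(raw, "big")

def decode(bytecode):
    """One readable line per cmp instruction on reg 1, plus the final verdict."""
    out, field, width, mask = [], None, 4, None
    for line in bytecode.splitlines():
        if m := re.match(r"\[ payload load (\d)b @ (\w+) header \+ (\d+) => reg 1 \]", line):
            width, mask = int(m[1]), None
            field = FIELDS.get((m[2], int(m[3]), width), line)
        elif line.startswith("[ ct load state"):
            field, width, mask = "ct state", 4, None
        elif m := re.match(r"\[ bitwise reg 1 = \(reg=1 & 0x(\w+) \) \^ 0x(\w+) \]", line):
            mask = int(m[1], 16)  # ct state bits are host-order flags, not packet bytes
        elif m := re.match(r"\[ cmp (\w+) reg 1 0x(\w+) \]", line):
            if field == "ct state" and mask is not None:  # neq 0 after masking: any bit set
                out.append("ct state " + ",".join(n for b, n in CT_STATE.items() if mask & b))
                continue
            value = payload_value(m[2], width)
            if width == 4 and field.startswith("ip "):
                value = IPv4Address(value)
            elif field == "ip protocol":
                value = PROTO.get(value, value)
            out.append("%s %s %s" % (field, m[1], value))
        elif m := re.match(r"\[ immediate reg 0 (\w+) \]", line):
            out.append(m[1])
    return out
```

Running decode(BYTECODE) yields the range check on ip saddr, the generated ip protocol tcp dependency, the dport 22 match and the accept verdict, in the order the VM evaluates them.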
Tables, chains and rules
● nft add table ip foo
  Tables are empty by default and they have no special semantics.
● nft add chain ip foo bar { \
      type filter hook input priority 0\; policy drop\; \
  }
  Base chains see traffic from the specific hook and priority.
● nft add rule ip foo bar \
      ct state established,related accept
  nft add rule ip foo bar \
      ct state new tcp dport 22 accept
  You can append new rules and insert them.
[Diagram: Table ip foo contains Chain bar, which holds the two rules]
Expressions
● nft add rule ip foo bar tcp dport != 80              (simple comparison: eq, neq, gt, gte, lt, lte)
● nft add rule ip foo bar tcp dport 1-1024             (range)
● nft add rule ip foo bar meta skuid 1000-1100         (range)
● nft add rule ip foo bar ip daddr [Link]/24           (prefix)
● nft add rule ip foo bar meta mark 0xffffff00/24      (prefix)
● nft add rule ip foo bar ct state new,established     (flags)
● nft add rule ip foo bar ct mark and 0xffff == 0x123  (bitwise + comparison)
● nft add rule ip foo bar ct mark set 10               (set value)
● nft add rule ip foo bar ct mark set meta mark        (set value)
Rules
● Counters are optional (unlike iptables)
– nft add rule ip foo bar counter
● Several actions in one rule
– nft add rule ip foo bar ct state invalid \
      log prefix \"invalid: \" drop
  I always wanted to log and drop with one single rule, heh
● Interactive mode (no autocompletion yet)
– nft -i
  nft> add table foo
Sets and maps
● nft add rule ip foo bar tcp dport { 22, 80, 443 } counter
  The use of brackets from rules results in an implicit set definition.
● nft add set ip foo whitelist { type ipv4_addr \; }
  Set declarations require a name and datatype for elements.
  nft add rule ip foo bar ip daddr @whitelist counter accept
  Refer to an existing set through @.
  nft add element ip foo whitelist { \
      [Link], \
      [Link] \
  }
● nft add table ip nat
  nft add chain ip nat post { \
      type nat hook postrouting priority 0\; }
  nft add rule ip nat post snat ip saddr map { \
      [Link]/24 : [Link] , \
      [Link]/24 : [Link] \
  }
  This map allows you to source NAT depending on your source IP address.
Set timeouts
Build your own whitelists..
● nft add set ip foo whitelist { \
      type ipv4_addr\; \
      timeout 1h\; \
  }
● nft add element ip foo whitelist { \
      [Link], \
      [Link] \
  }
● nft add set ip foo whitelist { \
      type ipv4_addr\; flags timeout\; \
  }
● nft add element ip foo whitelist { [Link] timeout 10s }
Specify global timeouts for elements, or in a more fine-grained fashion per element.
Dictionaries
● nft add chain ip foo tcp-chain
  nft add chain ip foo udp-chain
  nft add chain ip foo icmp-chain
● nft add rule ip foo bar ip protocol vmap { \
      tcp : jump tcp-chain, \
      udp : jump udp-chain, \
      icmp : jump icmp-chain \
  }
Jump to a non-base chain based on the layer 4 protocol type.
Concatenations
● nft add rule netdev foo bar \
      ether saddr . ip saddr . tcp dport { \
          c0:fe:00:c0:fe:00 . [Link] . 80, \
          be:ef:00:be:ef:00 . [Link] . 22 } \
      counter accept
  Concatenate selectors for fast matching using dot separated keys and values.
● nft add rule netdev foo bar ip saddr . tcp dport vmap { \
      [Link] . 22 : jump whitelist, \
      [Link] . 80 : jump whitelist, \
  }
● nft add set netdev foo bar { \
      type ether_addr . ipv4_addr \; }
● nft add element netdev foo bar { \
      00:ca:fe:00:be:ef . [Link], \
      00:ab:cd:ef:00:12 . [Link] \
  }
  … use this from sets and maps.
Flow tables
● nft add rule ip foo bar ct state new tcp dport 22 \
      flow table ssh-spammer { \
          ip saddr limit rate over 3/second \
      } log prefix \"New SSH connection: \" drop
● nft list flow table ssh-spammer
In the rule above, ip saddr is the selector, limit rate over 3/second is the action, and ssh-spammer is the flow table name.
More actions
nft add rule foo bar reject with icmp type host-unreachable
nft add rule netdev foo ingress \
limit rate 10 mbytes/second accept
nft add rule netdev foo prerouting queue num 3
nft add rule netdev foo ingress \
ether daddr ab:cd:de:ff:00:01 fwd to vethXYZ
nft add rule netdev foo ingress ip daddr [Link] dup to dummy0
nft add rule nat postrouting snat [Link]
nft add rule nat postrouting masquerade
nft add rule foo prerouting tcp dport 80 tcp dport set 8080
Comments
Don't forget why things are there...
● nft add rule ip foo bar \
      ip daddr [Link] counter accept \
      comment \"google dns\"
● nft add set ip foo dns-whitelist { \
      type ipv4_addr\; \
  }
● nft add element ip foo dns-whitelist { \
      [Link] comment \"google dns\", \
      [Link] comment \"nasa dns\" \
  }
Scripting
Include other ruleset files and define variables. Don't use shell scripts, use our native scripts!
#!/usr/sbin/nft -f
include "[Link]"
#
# Allowed NTP servers
#
define ntp_servers = { [Link], [Link], [Link],
                       [Link] }
add rule netdev foo bar ip saddr $ntp_servers udp dport 123 counter
Restoring ruleset
Save and restore your ruleset
● echo "flush ruleset" > [Link]
● nft list ruleset >> [Link]
● nft -f [Link]
● nft export ruleset json > [Link]
Monitoring updates
● nft monitor
● nft monitor new rules
Monitor ruleset updates
Tracing
● nft add rule foo prerouting meta trace 1
● nft monitor trace
Learn more and help us
● Grab the code
● Kernel: [Link]
● Library: git://[Link]/libnftnl
● User-space: git://[Link]/nftables
● Documentation
● [Link]
● man nft
● Report bugs:
● [Link]
● Follow us @nftables