Mind Chasers Inc.

Transcript of Pablo's Workshop Talk on nftables

Each working command and option presented during Pablo's talk is executed on a live Linux embedded system

Provided below is a transcript of Pablo Neira Ayuso's workshop talk on nftables. The commands are executed on an embedded Linux system running Linux 4.9 with a custom rootfs image produced by the Yocto / Poky build system, after a fresh boot and without automatically loading any modules related to netfilter:

# uname -a
Linux eraser 4.9.0-yocto-standard #1 Thu Apr 6 10:16:10 EDT 2017 ppc ppc ppc GNU/Linux

# lsmod

Make sure we have the right libraries loaded:

# ldconfig -p | grep libmnl
	libmnl.so.0 (libc6) => /usr/lib/libmnl.so.0
	
# ldconfig -p | grep libnftnl	# nftables netlink library
	libnftnl.so.4 (libc6) => /usr/lib/libnftnl.so.4
	
# nft
Netfilter messages via NETLINK v0.30.
nft: no command specified

# lsmod
nfnetlink 9027 0 - Live 0xf35ff000

# ldd /usr/sbin/nft
	linux-vdso32.so.1 (0x00100000)
	libmnl.so.0 => /usr/lib/libmnl.so.0 (0x0ffcf000)
	libnftnl.so.4 => /usr/lib/libnftnl.so.4 (0x0ff7e000)
	libreadline.so.7 => /usr/lib/libreadline.so.7 (0x0ff09000)
	libgmp.so.10 => /usr/lib/libgmp.so.10 (0x0fe68000)
	libc.so.6 => /lib/libc.so.6 (0x0fcb4000)
	libtinfo.so.5 => /lib/libtinfo.so.5 (0x0fc63000)
	/lib/ld.so.1 (0xb7d21000)

Some basic commands (~ 8:30)

# nft		# no error shows that it's working 

# nft list ruleset
nf_tables: (c) 2007-2009 Patrick McHardy 

# lsmod
nf_tables 61783 0 - Live 0xf3877000
nfnetlink 9027 1 nf_tables, Live 0xf35ff000

# nft add table ip filter	# filter is the table name

# nft list ruleset
table ip filter {
}

# nft add chain ip filter input { type filter hook input priority 0\;} 	# a lower priority number is evaluated earlier
		
# nft list ruleset
table ip filter {
	chain input {
		type filter hook input priority 0; policy accept;
	}
}

Create the counter rule (~20:30)

# nft add rule ip filter input counter # create a counter
		
# nft list ruleset
table ip filter {
	chain input {
		type filter hook input priority 0; policy accept;
		counter packets 0 bytes 0
	}
}

# nft list ruleset
table ip filter {
	chain input {
		type filter hook input priority 0; policy accept;
		counter packets 18 bytes 3821
	}
}

Sets (~22:00)


# nft add set ip filter test { type ipv4_addr\; }

# nft describe ip saddr
payload expression, datatype ipv4_addr (IPv4 address) (basetype integer), 32 bits

# nft add element ip filter test { 127.0.0.0/24 }  # note: didn't work in 4.9 kernel
	
# nft add element ip filter test { 127.0.0.1 }

# nft add rule ip filter input ip saddr @test counter

# nft list ruleset
table ip filter {
	set test {
		type ipv4_addr
		elements = { 127.0.0.1}
	}

	chain input {
		type filter hook input priority 0; policy accept;
		counter packets 329 bytes 75610
		ip saddr @test counter packets 0 bytes 0
	}
}

# ping 127.0.0.1
...

# nft list ruleset
table ip filter {
	set test {
		type ipv4_addr
		elements = { 127.0.0.1}
	}

	chain input {
		type filter hook input priority 0; policy accept;
		counter packets 367 bytes 83585
		ip saddr @test counter packets 8 bytes 672
	}
}

Maps (~29:00)

# nft add map ip filter test2 { type ipv4_addr : mark\; }

# nft list ruleset
table ip filter {
	...
	map test2 {
		type ipv4_addr : mark
	}
	...
}


# nft add element ip filter test2 { 127.0.0.1 : 0xa, 127.0.0.2 : 0xb }

# nft add rule ip filter input meta mark set ip saddr map @test2 

# nft list ruleset
table ip filter {
	set test {
		type ipv4_addr
		elements = { 127.0.0.1}
	}

	map test2 {
		type ipv4_addr : mark
		elements = { 127.0.0.2 : 0x0000000b, 127.0.0.1 : 0x0000000a}
	}

	chain input {
		type filter hook input priority 0; policy accept;
		counter packets 4581 bytes 1102764
		ip saddr @test counter packets 8 bytes 672
		mark set ip saddr map @test2
	}
}

# lsmod
nft_meta 9001 1 - Live 0xf1119000
nft_set_rbtree 6011 0 - Live 0xf110b000
nft_set_hash 14745 2 - Live 0xf1103000
nft_counter 5161 2 - Live 0xf10fd000
nf_tables_ipv4 5209 2 - Live 0xf10f7000
nf_tables 61783 9 nft_meta,nft_set_rbtree,nft_set_hash,nft_counter,nf_tables_ipv4, Live 0xf3877000
nfnetlink 9027 1 nf_tables, Live 0xf35ff000

# nft add rule ip filter input  ct  mark set ip saddr map @test2 

# conntrack -L
icmp     1 29 src=127.0.0.1 dst=127.0.0.1 type=8 code=0 id=2081 src=127.0.0.1 dst=127.0.0.1 type=0 code=0 id=2081 mark=10 use=1
... 
7 flow entries shown

Note that for the conntrack output above, we started ping 127.0.0.1 in a different shell before running conntrack -L, which is why the ICMP flow shows up with mark=10.

Implicit, Constant Map (~44:00)

# nft add rule ip filter input ct mark set ip saddr map { 127.0.0.1 : 0xa, 127.0.0.2 : 0xb }

Concatenation '.' (~47:00)

# nft add rule ip filter input meta iif . ip saddr { "eth0" . 192.168.0.102 } counter

Rule Deletion (~1:08:00)

# nft list ruleset -a	# display handles with rules

# nft delete rule ip filter input handle <num>	# num taken from the -a listing

# nft flush ruleset

# nft list ruleset
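The ruleset built up command by command above, collected into a single nft script as an added example (it is not from the talk or the page). It assumes an interface named eth0 exists when the file is loaded, reuses the host 192.168.0.102 and marks 0xa/0xb from the examples, and declares the set with flags interval, which is what a set needs before a prefix such as 127.0.0.0/24 can be added to it.

```nft
#!/usr/sbin/nft -f
# Added example: the interactive session above as a declarative ruleset.
# Loading it with `nft -f` applies the whole file atomically; the leading
# `flush ruleset` replaces whatever is loaded instead of appending to it,
# so there is no need to hunt for rule handles with `nft list ruleset -a`.

flush ruleset

table ip filter {
	# Named set of source addresses. `flags interval` allows prefix
	# elements; 127.0.0.0/24 covers the 127.0.0.1 used in the ping test.
	set test {
		type ipv4_addr
		flags interval
		elements = { 127.0.0.0/24 }
	}

	# Map a source address to a 32-bit packet mark.
	map test2 {
		type ipv4_addr : mark
		elements = { 127.0.0.1 : 0xa, 127.0.0.2 : 0xb }
	}

	chain input {
		type filter hook input priority 0; policy accept;

		# Plain counter: sees every packet entering the input hook.
		counter

		# Count only traffic whose source is in the named set.
		ip saddr @test counter

		# Look the source up in the map and stamp the packet mark, then
		# do the same lookup into the conntrack mark so the flow appears
		# with mark=10 or mark=11 in `conntrack -L`.
		meta mark set ip saddr map @test2
		ct mark set ip saddr map @test2

		# Concatenation of input interface and source address, matched
		# against an anonymous set of (iface . addr) elements.
		meta iif . ip saddr { "eth0" . 192.168.0.102 } counter
	}
}
```

Load it with `nft -f filter.nft` and confirm with `nft list ruleset`; the same modules seen in the lsmod output above (nft_meta, nft_counter, nft_set_hash, nft_set_rbtree) are pulled in on demand.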
