Provided below is a transcript of Pablo Neira Ayuso's workshop talk on nftables. The commands were executed on an embedded Linux system running Linux 4.9 with a custom rootfs image produced by the Yocto / Poky build system, after a fresh boot and without any netfilter-related modules being loaded automatically:
# uname -a
Linux eraser 4.9.0-yocto-standard #1 Thu Apr 6 10:16:10 EDT 2017 ppc ppc ppc GNU/Linux
# lsmod                                   # prints nothing: no modules loaded yet
Make sure we have the right libraries loaded:
# ldconfig -p | grep libmnl
	libmnl.so.0 (libc6) => /usr/lib/libmnl.so.0
# ldconfig -p | grep libnftnl             # nftables netlink library
	libnftnl.so.4 (libc6) => /usr/lib/libnftnl.so.4
# nft                                     # opening the netfilter netlink socket autoloads nfnetlink; the first line is its kernel log message
Netfilter messages via NETLINK v0.30.
nft: no command specified
# lsmod
nfnetlink 9027 0 - Live 0xf35ff000
# ldd /usr/sbin/nft
	linux-vdso32.so.1 (0x00100000)
	libmnl.so.0 => /usr/lib/libmnl.so.0 (0x0ffcf000)
	libnftnl.so.4 => /usr/lib/libnftnl.so.4 (0x0ff7e000)
	libreadline.so.7 => /usr/lib/libreadline.so.7 (0x0ff09000)
	libgmp.so.10 => /usr/lib/libgmp.so.10 (0x0fe68000)
	libc.so.6 => /lib/libc.so.6 (0x0fcb4000)
	libtinfo.so.5 => /lib/libtinfo.so.5 (0x0fc63000)
	/lib/ld.so.1 (0xb7d21000)
Some basic commands (~ 8:30)
# nft                                     # no netlink error shows that it's working
# nft list ruleset                        # the listing autoloads nf_tables; the line below is its kernel log message
nf_tables: (c) 2007-2009 Patrick McHardy
# lsmod
nf_tables 61783 0 - Live 0xf3877000
nfnetlink 9027 1 nf_tables, Live 0xf35ff000
# nft add table ip filter                 # "filter" is just the table name; any name works
# nft list ruleset
table ip filter {
}
# nft add chain ip filter input { type filter hook input priority 0\; }   # \; keeps the shell from treating ; as a command separator; a lower priority number means the chain is evaluated earlier
# nft list ruleset
table ip filter {
	chain input {
		type filter hook input priority 0; policy accept;
	}
}
Create the counter rule (~20:30)
# nft add rule ip filter input counter    # a rule whose only expression is a counter
# nft list ruleset
table ip filter {
	chain input {
		type filter hook input priority 0; policy accept;
		counter packets 0 bytes 0
	}
}
# nft list ruleset                        # a moment later: the counter has seen traffic
table ip filter {
	chain input {
		type filter hook input priority 0; policy accept;
		counter packets 18 bytes 3821
	}
}
Sets (~22:00)
# nft add set ip filter test { type ipv4_addr\; }
# nft describe ip saddr
payload expression, datatype ipv4_addr (IPv4 address) (basetype integer), 32 bits
# nft add element ip filter test { 127.0.0.0/24 }   # rejected (noted in the talk as not working on 4.9): a set created without "flags interval" cannot hold prefixes or ranges, only single addresses
# nft add element ip filter test { 127.0.0.1 }
# nft add rule ip filter input ip saddr @test counter
# nft list ruleset
table ip filter {
	set test {
		type ipv4_addr
		elements = { 127.0.0.1 }
	}
	chain input {
		type filter hook input priority 0; policy accept;
		counter packets 329 bytes 75610
		ip saddr @test counter packets 0 bytes 0
	}
}
# ping 127.0.0.1
...
# nft list ruleset
table ip filter {
	set test {
		type ipv4_addr
		elements = { 127.0.0.1 }
	}
	chain input {
		type filter hook input priority 0; policy accept;
		counter packets 367 bytes 83585
		ip saddr @test counter packets 8 bytes 672
	}
}
Maps (~29:00)
# nft add map ip filter test2 { type ipv4_addr : mark\; }
# nft list ruleset
table ip filter {
	...
	map test2 {
		type ipv4_addr : mark
	}
	...
}
# nft add element ip filter test2 { 127.0.0.1 : 0xa, 127.0.0.2 : 0xb }
# nft add rule ip filter input meta mark set ip saddr map @test2   # look the source address up in the map and store the result in the packet mark
# nft list ruleset
table ip filter {
	set test {
		type ipv4_addr
		elements = { 127.0.0.1 }
	}
	map test2 {
		type ipv4_addr : mark
		elements = { 127.0.0.2 : 0x0000000b, 127.0.0.1 : 0x0000000a }
	}
	chain input {
		type filter hook input priority 0; policy accept;
		counter packets 4581 bytes 1102764
		ip saddr @test counter packets 8 bytes 672
		mark set ip saddr map @test2
	}
}
# lsmod                                   # each expression type came in as its own module; "Not tainted" is the busybox lsmod header line
Not tainted
nft_meta 9001 1 - Live 0xf1119000
nft_set_rbtree 6011 0 - Live 0xf110b000
nft_set_hash 14745 2 - Live 0xf1103000
nft_counter 5161 2 - Live 0xf10fd000
nf_tables_ipv4 5209 2 - Live 0xf10f7000
nf_tables 61783 9 nft_meta,nft_set_rbtree,nft_set_hash,nft_counter,nf_tables_ipv4, Live 0xf3877000
nfnetlink 9027 1 nf_tables, Live 0xf35ff000
# nft add rule ip filter input ct mark set ip saddr map @test2     # same lookup, but the result goes into the conntrack mark
# conntrack -L
icmp 1 29 src=127.0.0.1 dst=127.0.0.1 type=8 code=0 id=2081 src=127.0.0.1 dst=127.0.0.1 type=0 code=0 id=2081 mark=10 use=1
...
7 flow entries shown
Note that the conntrack output above shows mark=10 (0xa, the value mapped for 127.0.0.1) because a ping 127.0.0.1 was started in a different shell before running conntrack -L.
Implicit, Constant Map (~44:00)
# nft add rule ip filter input ct mark set ip saddr map { 127.0.0.1 : 0xa, 127.0.0.2 : 0xb }   # anonymous map: same lookup as @test2 without a named object; it lives and dies with the rule
Concatenation '.' (~47:00)
# nft add rule ip filter input meta iif . ip saddr { "eth0" . 192.168.0.102 } counter   # the set key is the concatenation (input interface, source address), matched as one lookup
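The objects built interactively above (the set, the map, the anonymous map and the concatenation) collected into one nft script and loaded in a single transaction. This is an added example, not part of the talk or of these notes: it reuses the talk's placeholder addresses and the interface name eth0, gives the set "flags interval" so that the 127.0.0.0/24 element rejected above is accepted, and uses meta iifname rather than meta iif so the rule loads even when eth0 does not exist yet.

```shell
#!/bin/sh
# Added example (not from the talk): the workshop's objects as a single nft script.
# Assumptions: addresses and the interface name "eth0" are placeholders from the talk.
set -eu

# Emit the ruleset. "flush ruleset" at the top plus one `nft -f` call replaces the
# whole ruleset atomically: the kernel applies the file as one transaction, so there
# is never a window in which only half of the rules are present.
ruleset_text() {
	cat <<'EOF'
flush ruleset

table ip filter {
	# A set that must hold prefixes or ranges needs "flags interval";
	# without it, adding 127.0.0.0/24 is rejected, as seen in the talk.
	set test {
		type ipv4_addr
		flags interval
		elements = { 127.0.0.0/24, 192.168.0.102 }
	}

	# Explicit map: source address -> packet mark
	map test2 {
		type ipv4_addr : mark
		elements = { 127.0.0.1 : 0xa, 127.0.0.2 : 0xb }
	}

	chain input {
		type filter hook input priority 0; policy accept;
		counter
		ip saddr @test counter
		meta mark set ip saddr map @test2
		# Anonymous map: the same lookup without a named object
		ct mark set ip saddr map { 127.0.0.1 : 0xa, 127.0.0.2 : 0xb }
		# Concatenation: (input interface name, source address) as one key.
		# iifname matches by name, so this loads even if eth0 is absent.
		meta iifname . ip saddr { "eth0" . 192.168.0.102 } counter
	}
}
EOF
}

# Check the script without touching the kernel (nft -c), then load it for real.
load_ruleset() {
	ruleset_text | nft -c -f - || return 1
	ruleset_text | nft -f -
}

# Usage: sh ruleset.sh apply   (as root, on a box with nft installed)
if [ "${1:-}" = "apply" ]; then
	load_ruleset
	nft list ruleset
fi
```

Running the file with no argument only defines the functions; "apply" performs the check and the atomic load. Because handles and counters are kernel-side state, re-running the script resets all counters, which is the expected trade-off of a full replacement.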
Rule Deletion (~1:08:00)
# nft list ruleset -a                            # -a shows the handle of every object next to it
# nft delete rule ip filter input handle <num>   # delete one rule by its handle (handles do not renumber when other rules go away)
# nft flush ruleset                              # drop every table, chain, set, map and rule
# nft list ruleset                               # empty again
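Handles are the only way to name a specific rule for deletion, but copying them by hand out of the listing is error-prone. The following is an added example, not part of the talk: a POSIX shell function that extracts the handles of the rules in one chain whose text matches a regular expression from the output of nft -a list ruleset, plus a wrapper that deletes them. The sample listing is constructed to look like the listings above, and its handle numbers, as well as the family/table/chain names, are assumptions.

```shell
#!/bin/sh
# Added example (not from the talk): look up rule handles in `nft -a list ruleset`
# output and delete rules by handle instead of hand-copying numbers.
set -eu

# Constructed sample of `nft -a list ruleset` output; handle numbers are made up.
SAMPLE_LISTING='table ip filter { # handle 1
	set test { # handle 3
		type ipv4_addr
		elements = { 127.0.0.1 }
	}
	chain input { # handle 2
		type filter hook input priority 0; policy accept;
		counter packets 18 bytes 3821 # handle 4
		ip saddr @test counter packets 0 bytes 0 # handle 5
		meta mark set ip saddr map @test2 # handle 6
	}
}'

# rule_handles LISTING FAMILY TABLE CHAIN REGEX
# Prints, one per line, the handle of every rule inside FAMILY TABLE CHAIN whose
# text (without the trailing "# handle N") matches the extended regex REGEX.
rule_handles() {
	printf '%s\n' "$1" | awk -v fam="$2" -v tab="$3" -v ch="$4" -v re="$5" '
		# "table ip filter { # handle 1": enter the table only if family and name match
		$1 == "table" { in_table = ($2 == fam && $3 == tab); in_chain = 0; next }
		# "chain input { # handle 2": enter the chain only inside the wanted table
		in_table && $1 == "chain" { in_chain = ($2 == ch); next }
		# a lone "}" closes the chain
		in_chain && $1 == "}" { in_chain = 0; next }
		# rule lines carry a handle; the "type ... hook ..." header line does not
		in_chain && /# handle [0-9]+$/ {
			handle = $NF
			rule = $0
			sub(/[ \t]*# handle [0-9]+$/, "", rule)
			sub(/^[ \t]+/, "", rule)
			if (rule ~ re) print handle
		}'
}

# delete_rules FAMILY TABLE CHAIN REGEX
# Takes one snapshot of the live ruleset and deletes every matching rule by handle.
# Handles stay valid while other rules are removed, so one snapshot is enough.
delete_rules() {
	listing=$(nft -a list ruleset)
	for h in $(rule_handles "$listing" "$1" "$2" "$3" "$4"); do
		nft delete rule "$1" "$2" "$3" handle "$h"
	done
}

# Usage (as root, with nft installed): delete_rules ip filter input '^ip saddr @test'
# Offline dry run against the constructed listing:
rule_handles "$SAMPLE_LISTING" ip filter input 'counter'
```

The regex is matched against the rule text with the handle comment stripped, so anchoring with ^ lets you distinguish "ip saddr @test counter" from the bare "counter" rule; matching the chain by name avoids picking up a same-named chain in another table.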