Transcript of Pablo's Workshop Talk on nftables

Each working command and option presented during Pablo's talk is executed on a live Linux embedded system

Provided below is a transcript of Pablo Neira Ayuso's workshop talk on nftables. The commands are executed on an embedded Linux system running Linux 4.9 with a custom rootfs image produced by the Yocto / Poky build system, after a fresh boot and without automatically loading any modules related to netfilter:

# uname -a
Linux eraser 4.9.0-yocto-standard #1 Thu Apr 6 10:16:10 EDT 2017 ppc ppc ppc GNU/Linux

# lsmod

Make sure we have the right libraries loaded:

# ldconfig -p | grep libmnl
	libmnl.so.0 (libc6) => /usr/lib/libmnl.so.0
	
# ldconfig -p | grep libnftnl	# nftables netlink library
	libnftnl.so.4 (libc6) => /usr/lib/libnftnl.so.4
	
# nft
Netfilter messages via NETLINK v0.30.
nft: no command specified

# lsmod
nfnetlink 9027 0 - Live 0xf35ff000

# ldd /usr/sbin/nft
	linux-vdso32.so.1 (0x00100000)
	libmnl.so.0 => /usr/lib/libmnl.so.0 (0x0ffcf000)
	libnftnl.so.4 => /usr/lib/libnftnl.so.4 (0x0ff7e000)
	libreadline.so.7 => /usr/lib/libreadline.so.7 (0x0ff09000)
	libgmp.so.10 => /usr/lib/libgmp.so.10 (0x0fe68000)
	libc.so.6 => /lib/libc.so.6 (0x0fcb4000)
	libtinfo.so.5 => /lib/libtinfo.so.5 (0x0fc63000)
	/lib/ld.so.1 (0xb7d21000)

Some basic commands (~ 8:30)

# nft		# no error shows that it's working 

# nft list ruleset
nf_tables: (c) 2007-2009 Patrick McHardy 

# lsmod
nf_tables 61783 0 - Live 0xf3877000
nfnetlink 9027 1 nf_tables, Live 0xf35ff000

# nft add table ip filter	# filter is the table name

# nft list ruleset
table ip filter {
}

# nft add chain ip filter input { type filter hook input priority 0\;} 	# lower priority number = higher priority (runs earlier)
		
# nft list ruleset
table ip filter {
	chain input {
		type filter hook input priority 0; policy accept;
	}
}

Create the counter rule (~20:30)

# nft add rule ip filter input counter # create a counter
		
# nft list ruleset
table ip filter {
	chain input {
		type filter hook input priority 0; policy accept;
		counter packets 0 bytes 0
	}
}

# nft list ruleset
table ip filter {
	chain input {
		type filter hook input priority 0; policy accept;
		counter packets 18 bytes 3821
	}
}

Sets (~22:00)

# nft add set ip filter test { type ipv4_addr\; }

# nft describe ip saddr
payload expression, datatype ipv4_addr (IPv4 address) (basetype integer), 32 bits

# nft add element ip filter test { 127.0.0.0/24 }  # note: didn't work in 4.9 kernel
	
# nft add element ip filter test { 127.0.0.1 }

# nft add rule ip filter input ip saddr @test counter

# nft list ruleset
table ip filter {
	set test {
		type ipv4_addr
		elements = { 127.0.0.1}
	}

	chain input {
		type filter hook input priority 0; policy accept;
		counter packets 329 bytes 75610
		ip saddr @test counter packets 0 bytes 0
	}
}

# ping 127.0.0.1
...

# nft list ruleset
table ip filter {
	set test {
		type ipv4_addr
		elements = { 127.0.0.1}
	}

	chain input {
		type filter hook input priority 0; policy accept;
		counter packets 367 bytes 83585
		ip saddr @test counter packets 8 bytes 672
	}
}

Maps (~29:00)

# nft add map ip filter test2 { type ipv4_addr : mark\; }

# nft list ruleset
table ip filter {
	...
	map test2 {
		type ipv4_addr : mark
	}
	...
}

# nft add element ip filter test2 { 127.0.0.1 : 0xa, 127.0.0.2 : 0xb }

# nft add rule ip filter input meta mark set ip saddr map @test2 

# nft list ruleset
table ip filter {
	set test {
		type ipv4_addr
		elements = { 127.0.0.1}
	}

	map test2 {
		type ipv4_addr : mark
		elements = { 127.0.0.2 : 0x0000000b, 127.0.0.1 : 0x0000000a}
	}

	chain input {
		type filter hook input priority 0; policy accept;
		counter packets 4581 bytes 1102764
		ip saddr @test counter packets 8 bytes 672
		mark set ip saddr map @test2
	}
}

# lsmod
nft_meta 9001 1 - Live 0xf1119000
nft_set_rbtree 6011 0 - Live 0xf110b000
nft_set_hash 14745 2 - Live 0xf1103000
nft_counter 5161 2 - Live 0xf10fd000
nf_tables_ipv4 5209 2 - Live 0xf10f7000
nf_tables 61783 9 nft_meta,nft_set_rbtree,nft_set_hash,nft_counter,nf_tables_ipv4, Live 0xf3877000
nfnetlink 9027 1 nf_tables, Live 0xf35ff000

# nft add rule ip filter input  ct  mark set ip saddr map @test2 

# conntrack -L
icmp     1 29 src=127.0.0.1 dst=127.0.0.1 type=8 code=0 id=2081 src=127.0.0.1 dst=127.0.0.1 type=0 code=0 id=2081 mark=10 use=1
... 
7 flow entries shown

Note on the conntrack output above: a ping 127.0.0.1 was started in a different shell before running conntrack -L, which is why an ICMP flow entry is present and carries the mark (10 = 0xa) looked up from the map for 127.0.0.1.

Implicit, Constant Map (~44:00)

# nft add rule ip filter input ct mark set ip saddr map { 127.0.0.1 : 0xa, 127.0.0.2 : 0xb }

Concatenation '.' (~47:00)

# nft add rule ip filter input meta iif . ip saddr { "eth0" . 192.168.0.102 } counter

Rule Deletion (~1:08:00)

# nft list ruleset -a	# display rule handles alongside the rules

# nft delete rule ip filter input handle <num>

# nft flush ruleset

# nft list ruleset
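The interactive commands from the talk (table, chain, counter, set, map, meta/ct mark set, concatenation), consolidated into a single nft -f ruleset that is syntax-checked and then loaded atomically. This is an added example, not part of the talk or the nftables project; it assumes nft and root privileges are available only when "check" or "apply" is passed, and takes the interface name eth0 and the 192.168.0.102 address from the transcript.

```shell
#!/bin/sh
# Added example: the talk's ad-hoc commands as one declarative ruleset file.
set -e

# Emit the ruleset text. Object names (filter, input, test, test2) follow the talk.
emit_ruleset() {
    cat <<'EOF'
flush ruleset
table ip filter {
    # "flags interval" is what lets a named set hold a prefix such as 127.0.0.0/24;
    # the set created interactively in the talk lacked it, so that element was rejected.
    set test {
        type ipv4_addr
        flags interval
        elements = { 127.0.0.0/24 }
    }

    map test2 {
        type ipv4_addr : mark
        elements = { 127.0.0.1 : 0xa, 127.0.0.2 : 0xb }
    }

    chain input {
        type filter hook input priority 0; policy accept;
        counter
        ip saddr @test counter
        meta mark set ip saddr map @test2
        ct mark set ip saddr map @test2
        # iifname instead of the talk's "meta iif": iif resolves the name to an
        # interface index at load time, so the file would fail if eth0 did not exist yet
        iifname . ip saddr { "eth0" . 192.168.0.102 } counter
    }
}
EOF
}

# Number of set/map/chain declarations in the emitted ruleset (sanity check before loading).
count_objects() {
    emit_ruleset | grep -cE '^[[:space:]]*(set|map|chain) '
}

tmp=$(mktemp)
emit_ruleset > "$tmp"
case "${1:-}" in
    check) nft -c -f "$tmp" ;;                    # parse only, no kernel changes
    apply) nft -f "$tmp" && nft list ruleset ;;   # atomic replace: all rules or none
    *)     cat "$tmp" ;;                          # default: just print the ruleset
esac
rm -f "$tmp"
```

Run it with `check` first; because `nft -f` applies the whole file in one transaction, a rejected element or rule leaves the previous ruleset untouched instead of half-applied.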
