Difference between revisions of "Nft"

From Steak Wiki
Jump to navigationJump to search
 
(35 intermediate revisions by the same user not shown)
Line 10: Line 10:
 
which can convert an iptables rule to nft. Used like so:
 
which can convert an iptables rule to nft. Used like so:
 
  iptables-translate -I INPUT -p tcp --dport 22 -j DROP
 
  iptables-translate -I INPUT -p tcp --dport 22 -j DROP
and it will spit out the nft equivalent.
+
and it will give the nft equivalent. If you don't it, install iptables.
  
 
Second, you should know that in order to block ipv4 and ipv6, you should
 
Second, you should know that in order to block ipv4 and ipv6, you should
Line 21: Line 21:
 
  -I is nft insert
 
  -I is nft insert
 
  -A is nft add
 
  -A is nft add
Terrible... Add should be append.
+
Add used to be append. Confusing.
 
As with iptables, the order in which you execute the rules is important.
 
As with iptables, the order in which you execute the rules is important.
 +
 +
Fourth: you have to make your own tables, AND chains.
 +
 +
 +
===Create tables/chains===
 +
Just copied and pasted from debian wiki. There are
 +
example tables in devuan in /usr/share/doc/nftables, but
 +
it's about as simple as Owrt's firewall (which
 +
is not simple at all) so good luck.
 +
 +
There is also the option to type your rules in /etc/nftables.conf.
 +
But I'm old fashioned and prefer to use cmd line rules.
 +
 +
Create a basic IPv4/IPv6 dual-stack table:
 +
Create a chain for input IPv4/IPv6 dual-stack traffic:
 +
A rule to check that all is fine (IPv4/IPv6 dual-stack):
 +
 +
nft add table inet filter
 +
nft add chain inet filter input { type filter hook input priority 0 \; }
 +
nft add rule  inet filter input counter accept
 +
 +
Show all the previous:
 +
 +
nft list table inet filter
 +
 +
Gonna take a bit to memorize this.
  
 
===Allow/Block a single port===
 
===Allow/Block a single port===
 
Block the wan from accessing port 80:
 
Block the wan from accessing port 80:
  nft insert rule ip filter INPUT tcp dport 80 counter reject
+
  nft insert rule inet filter INPUT tcp dport 80 counter reject
 
Allow the lan to access port 80:
 
Allow the lan to access port 80:
 
  nft insert rule inet filter INPUT ip saddr 192.168.1.0/24 tcp dport 80 counter accept
 
  nft insert rule inet filter INPUT ip saddr 192.168.1.0/24 tcp dport 80 counter accept
 +
===Delete all rules===
 +
iptables -F
 +
vs
 +
nft flush ruleset
 +
fail. Should be just nft -F. I guess iptables has been 'nerft'. oh well.
 +
 +
===Delete rules in a chain only===
 +
 +
nft flush chain inet filter input
 +
note that you need the inet / ip specification there.
 +
reference: https://unix.stackexchange.com/questions/562850/nftables-remove-all-rules-in-chain
 +
 +
===List rules===
 +
nft list table inet filter
 +
vs
 +
iptables -L
 +
Fail. (this assumes you used my instructions for a ipv4/ipv6 table [inet] named filter.)
 +
 +
The rule listing of nft is easy to read, and includes stats without the
 +
need for iptables -v -L. +1
 +
 +
===Throttle traffic===
 +
This is a +1 over iptables. Without requiring traffic control (tc) you can do throttling with nft.
 +
 +
This is taken from the luci-app-nft-qos scripts in owrt. Note that I've only seen it there, and haven't tested
 +
it standalone in nft, yet.
 +
table inet nft-qos-static {
 +
        chain upload {
 +
                type filter hook postrouting priority filter; policy accept;
 +
                ip saddr <ipaddressofuser> limit rate over 850 kbytes/second drop
 +
        }
 +
 +
        chain download {
 +
                type filter hook prerouting priority filter; policy accept;
 +
                ip daddr <ipaddressofuser> limit rate over 850 kbytes/second drop
 +
        }
 +
}
 +
Use bandwidthd on owrt to see usage. It gets confusing as bandwidthd uses mbits or mibits, so online calculators will help.
 +
For reference sake the text config for nft-qos in owrt is the following:
 +
<pre>
 +
config default 'default'
 +
        option limit_mac_enable '0'
 +
        option priority_enable '0'
 +
        option limit_enable '1'
 +
 +
config download
 +
        option hostname 'ahostname'
 +
        option ipaddr 'iphere'
 +
        option rate '850'
 +
        option unit 'kbytes'
 +
 +
config upload
 +
        option hostname 'ahostname'
 +
        option ipaddr 'iphere'
 +
        option rate '850'
 +
        option unit 'kbytes'
 +
</pre>
 +
 +
===Tracing Traffic===
 +
From Openwrt wiki.
 +
https://openwrt.org/docs/guide-user/firewall/netfilter_iptables/netfilter_management
 +
Use nftables tracing to debug fw4 rules (22.03 and later)
 +
 +
Somethings, the nftables ruleset may exhibit unexpected behaviour, such as a packet being dropped while it should not. In that case, tracing can help: it allows to print all rules traversed by a given packet.
 +
 +
See https://wiki.nftables.org/wiki-nftables/index.php/Ruleset_debug/tracing for the full explanation. The following is simply an adaptation of this wiki page to the fw4 ruleset.
 +
 +
You first need to add a tracing chain:
 +
 +
nft add chain inet fw4 trace_chain { type filter hook prerouting priority -301\; }
 +
 +
Then add one or more rules to match packets you are interested in, such as:
 +
 +
nft add rule inet fw4 trace_chain ip saddr 203.0.113.42 meta nftrace set 1
 +
nft add rule inet fw4 trace_chain udp dport 50014 meta nftrace set 1
 +
 +
Finally, you can look at the result of the trace (ideally in another terminal):
 +
 +
nft monitor trace
 +
 +
Beware, each traced packet will generate a huge amount of output!
 +
 +
To stop the tracing, remove the chain:
 +
 +
nft delete chain inet fw4 trace_chain
 +
 +
==Templates==
 +
After reading all the above nonsense, you just want something
 +
to copy and paste, here it is:
 +
nft flush ruleset
 +
nft add table inet filter
 +
nft add chain inet filter input { type filter hook input priority 0 \; }
 +
nft add rule  inet filter input counter accept
 +
nft insert rule inet filter input tcp dport 80 counter reject
 +
nft insert rule inet filter input ip saddr 192.168.1.0/24 tcp dport 80 counter accept
 +
 +
The bare minimum to block/allow a port.
 +
Compared to:
 +
iptables -F
 +
iptables -I INPUT -p tcp --dport 80 -j REJECT
 +
iptables -I INPUT -p tcp --dport 80 -s 192.168.1.0/24 -j ACCEPT
 +
 +
(gotcha: In this example adapted from Linux Firewalls by Suehring, the table happens to have the same name as the type of the chain, they: are both filter. Don't be confused, as the table could've been named any arbitrary name, yet the chain is a 'type' of filter. There are three chain types according to the book: filter, route, and nat. Note also there must be a single space after the 0 for priority followed by the backslash and semi-colon.)
 +
 +
==iptables vs nft: which is easier for the sysadmin?==
 +
I'm still undecided which is better. One thing
 +
to remember with nft is that the rules will
 +
start identical most of the time.
 +
 +
So a rule that is:
 +
nft insert rule inet filter INPUT tcp dport 80 counter reject
 +
Always has
 +
nft insert rule inet
 +
Which means you have to remember that part, cut
 +
it out, then focus on the rest of the rule. So all that matters is:
 +
filter INPUT tcp dport 80 counter reject
 +
vs:
 +
-I INPUT -p tcp --dport 80 -J REJECT
 +
 +
Which is better?
 +
 +
Nft has a higher learning curve, but seems to have more flexibility. It's a bit difficult to remember writing commands from the shell, so it favors scripting. I would imagine nft is geared towards power users. iptables remains a much easier introduction to firewall scripting, but having to write ip6tables and iptables scripts is a bit worse. I will have to wait until I understand both to make a judgement.

Latest revision as of 07:15, 11 September 2024

Nft is the successor to iptables.

There is only one book on the market I could find (08/2022) that currently deals with Nft, and that is Linux Firewalls by Steve Suehring (this page references the 4th edition).

Usage

First, you should know there is the handy tool

iptables-translate

which can convert an iptables rule to nft. Used like so:

iptables-translate -I INPUT -p tcp --dport 22 -j DROP

and it will give the nft equivalent. If you don't it, install iptables.

Second, you should know that in order to block ipv4 and ipv6, you should use: inet. Some rules, will have nft insert rule ip bla bla bla or nft insert rule ip6 bla bla bla. If you use inet instead of ip or ip6 it will cover both protocols. (Page 84). Any example rule online that only uses ip is incorrect.

Third:

-I is nft insert
-A is nft add

Add used to be append. Confusing. As with iptables, the order in which you execute the rules is important.

Fourth: you have to make your own tables, AND chains.


Create tables/chains

Just copied and pasted from debian wiki. There are example tables in devuan in /usr/share/doc/nftables, but it's about as simple as Owrt's firewall (which is not simple at all) so good luck.

There is also the option to type your rules in /etc/nftables.conf. But I'm old fashioned and prefer to use cmd line rules.

Create a basic IPv4/IPv6 dual-stack table: Create a chain for input IPv4/IPv6 dual-stack traffic: A rule to check that all is fine (IPv4/IPv6 dual-stack):

nft add table inet filter
nft add chain inet filter input { type filter hook input priority 0 \; }
nft add rule  inet filter input counter accept

Show all the previous:

nft list table inet filter

Gonna take a bit to memorize this.

Allow/Block a single port

Block the wan from accessing port 80:

nft insert rule inet filter INPUT tcp dport 80 counter reject

Allow the lan to access port 80:

nft insert rule inet filter INPUT ip saddr 192.168.1.0/24 tcp dport 80 counter accept

Delete all rules

iptables -F
vs
nft flush ruleset

fail. Should be just nft -F. I guess iptables has been 'nerft'. oh well.

Delete rules in a chain only

nft flush chain inet filter input

note that you need the inet / ip specification there. reference: https://unix.stackexchange.com/questions/562850/nftables-remove-all-rules-in-chain

List rules

nft list table inet filter
vs 
iptables -L

Fail. (this assumes you used my instructions for a ipv4/ipv6 table [inet] named filter.)

The rule listing of nft is easy to read, and includes stats without the need for iptables -v -L. +1

Throttle traffic

This is a +1 over iptables. Without requiring traffic control (tc) you can do throttling with nft.

This is taken from the luci-app-nft-qos scripts in owrt. Note that I've only seen it there, and haven't tested it standalone in nft, yet.

table inet nft-qos-static {
       chain upload {
               type filter hook postrouting priority filter; policy accept;
               ip saddr <ipaddressofuser> limit rate over 850 kbytes/second drop
       }
       chain download {
               type filter hook prerouting priority filter; policy accept;
               ip daddr <ipaddressofuser> limit rate over 850 kbytes/second drop
       }
}

Use bandwidthd on owrt to see usage. It gets confusing as bandwidthd uses mbits or mibits, so online calculators will help. For reference sake the text config for nft-qos in owrt is the following:

config default 'default'
        option limit_mac_enable '0'
        option priority_enable '0'
        option limit_enable '1'

config download
        option hostname 'ahostname'
        option ipaddr 'iphere'
        option rate '850'
        option unit 'kbytes'

config upload
        option hostname 'ahostname'
        option ipaddr 'iphere'
        option rate '850'
        option unit 'kbytes'

Tracing Traffic

From Openwrt wiki. https://openwrt.org/docs/guide-user/firewall/netfilter_iptables/netfilter_management Use nftables tracing to debug fw4 rules (22.03 and later)

Somethings, the nftables ruleset may exhibit unexpected behaviour, such as a packet being dropped while it should not. In that case, tracing can help: it allows to print all rules traversed by a given packet.

See https://wiki.nftables.org/wiki-nftables/index.php/Ruleset_debug/tracing for the full explanation. The following is simply an adaptation of this wiki page to the fw4 ruleset.

You first need to add a tracing chain:

nft add chain inet fw4 trace_chain { type filter hook prerouting priority -301\; }

Then add one or more rules to match packets you are interested in, such as:

nft add rule inet fw4 trace_chain ip saddr 203.0.113.42 meta nftrace set 1 nft add rule inet fw4 trace_chain udp dport 50014 meta nftrace set 1

Finally, you can look at the result of the trace (ideally in another terminal):

nft monitor trace

Beware, each traced packet will generate a huge amount of output!

To stop the tracing, remove the chain:

nft delete chain inet fw4 trace_chain

Templates

After reading all the above nonsense, you just want something to copy and paste, here it is:

nft flush ruleset
nft add table inet filter
nft add chain inet filter input { type filter hook input priority 0 \; }
nft add rule  inet filter input counter accept
nft insert rule inet filter input tcp dport 80 counter reject
nft insert rule inet filter input ip saddr 192.168.1.0/24 tcp dport 80 counter accept

The bare minimum to block/allow a port. Compared to:

iptables -F
iptables -I INPUT -p tcp --dport 80 -j REJECT
iptables -I INPUT -p tcp --dport 80 -s 192.168.1.0/24 -j ACCEPT

(gotcha: In this example adapted from Linux Firewalls by Suehring, the table happens to have the same name as the type of the chain, they: are both filter. Don't be confused, as the table could've been named any arbitrary name, yet the chain is a 'type' of filter. There are three chain types according to the book: filter, route, and nat. Note also there must be a single space after the 0 for priority followed by the backslash and semi-colon.)

iptables vs nft: which is easier for the sysadmin?

I'm still undecided which is better. One thing to remember with nft is that the rules will start identical most of the time.

So a rule that is:

nft insert rule inet filter INPUT tcp dport 80 counter reject

Always has

nft insert rule inet

Which means you have to remember that part, cut it out, then focus on the rest of the rule. So all that matters is:

filter INPUT tcp dport 80 counter reject
vs:
-I INPUT -p tcp --dport 80 -J REJECT

Which is better?

Nft has a higher learning curve, but seems to have more flexibility. It's a bit difficult to remember writing commands from the shell, so it favors scripting. I would imagine nft is geared towards power users. iptables remains a much easier introduction to firewall scripting, but having to write ip6tables and iptables scripts is a bit worse. I will have to wait until I understand both to make a judgement.