Laurent GUERBY, 30/03/2014 12:28


Nftables

Liens

Prérequis

Examples

Tools

root@h7:~# nft --version
nftables v0.100 (keith-alexander-filter)
root@h7:~# cat /proc/version 
Linux version 3.14-rc7-amd64 (debian-kernel@lists.debian.org) (gcc version 4.8.2 (Debian 4.8.2-16) ) #1 SMP Debian 3.14~rc7-1~exp1 (2014-03-17)

UDP counter

root@h7:~# nft add rule filter output udp dport 0-65535 ip daddr 91.224.149.151 counter
root@h7:~# nft list chain filter output -a -n
table ip filter {
    chain output {
         type filter hook output priority 0;
         ip protocol udp udp dport >= 0 udp dport <= 65535 counter packets 171479 bytes 256167178 # handle 13
         ip protocol udp udp dport >= 0 udp dport <= 65535 ip daddr 91.224.149.151 counter packets 0 bytes 0 # handle 15
    }
}
root@h7:~# iperf -c 91.224.149.151 -u -b 100M
------------------------------------------------------------
Client connecting to 91.224.149.151, UDP port 5001
Sending 1470 byte datagrams
UDP buffer size:  208 KByte (default)
------------------------------------------------------------
[  3] local 91.224.149.2 port 41909 connected with 91.224.149.151 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec   120 MBytes   100 Mbits/sec
[  3] Sent 85471 datagrams
read failed: Connection refused
[  3] WARNING: did not receive ack of last datagram after 1 tries.
root@h7:~# nft list chain filter output -a -n
table ip filter {
    chain output {
         type filter hook output priority 0;
         ip protocol udp udp dport >= 0 udp dport <= 65535 counter packets 256951 bytes 384184664 # handle 13
         ip protocol udp udp dport >= 0 udp dport <= 65535 ip daddr 91.224.149.151 counter packets 85457 bytes 128014586 # handle 15
    }
}
root@h7:~# nft delete rule filter output handle 15
root@h7:~# nft list chain filter output -a -n
table ip filter {
    chain output {
         type filter hook output priority 0;
         ip protocol udp udp dport >= 0 udp dport <= 65535 counter packets 256982 bytes 384190532 # handle 13
    }

nft add rule filter output udp dport 0-65535 counter
nft add rule filter input ip daddr 91.224.149.2 counter

Log

root@h7:~# modprobe xt_LOG  
root@h7:~# nft add rule filter output ip daddr 91.224.149.151 counter
root@h7:~# nft add rule filter output ip daddr 91.224.149.151 log
root@h7:~# nft list chain filter output -a -n
table ip filter {
    chain output {
         type filter hook output priority 0;
         ip daddr 91.224.149.151 counter packets 0 bytes 0 # handle 16
         ip daddr 91.224.149.151 log # handle 17
    }
}
root@h7:~# ping -c 1 91.224.149.151
PING 91.224.149.151 (91.224.149.151) 56(84) bytes of data.
64 bytes from 91.224.149.151: icmp_seq=1 ttl=64 time=2.53 ms

--- 91.224.149.151 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 2.530/2.530/2.530/0.000 ms

Message from syslogd@h7 at Mar 28 14:38:08 ...
 kernel:[ 6797.701781] IN= OUT=eth0.3131 SRC=91.224.149.2 DST=91.224.149.151 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=7861 DF PROTO=ICMP TYPE=8 CODE=0 ID=26178 SEQ=1 UID=0 GID=0 
root@h7:~# nft list chain filter output -a -n
table ip filter {
    chain output {
         type filter hook output priority 0;
         ip daddr 91.224.149.151 counter packets 1 bytes 84 # handle 16
         ip daddr 91.224.149.151 log # handle 17
    }
}
root@h7:~# nft delete rule filter output handle 17
root@h7:~# tail -1 /var/log/syslog 
Mar 28 14:38:08 h7 kernel: [ 6797.701781] IN= OUT=eth0.3131 SRC=91.224.149.2 DST=91.224.149.151 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=7861 DF PROTO=ICMP TYPE=8 CODE=0 ID=26178 SEQ=1 UID=0 GID=0