Nftables » History » Version 19

Laurent GUERBY, 13/04/2014 11:58

{{>toc}}

h1. Nftables

h2. Links

* https://wiki.archlinux.org/index.php/Nftables
* http://kernelnewbies.org/nftables_examples
* https://home.regit.org/netfilter-en/nftables-quick-howto/
* http://wiki.nftables.org/
* http://wiki.nftables.org/wiki-nftables/index.php/Troubleshooting
* http://lwn.net/Articles/324251/ First release of nftables (with some documentation)
* http://lwn.net/Articles/324989/ Nftables: a new packet filtering engine, by Jonathan Corbet, March 24, 2009
* http://lwn.net/Articles/564095/ The return of nftables, by Jonathan Corbet, August 20, 2013
* http://ace-host.stuart.id.au/russell/files/tc/doc/
* http://people.netfilter.org/kaber/nfws2008/nftables.odp
* http://www.slideshare.net/ennael/2013-kernel-recipesnftables
* https://home.regit.org/wp-content/uploads/2013/09/2013_kernel_recipes_nftables.pdf
* release 0.099: http://marc.info/?l=netfilter-devel&m=139022351723837&w=2
* kernel first patch
** http://www.spinics.net/lists/netdev/msg253683.html
** http://www.spinics.net/lists/netdev/msg253698.html
* http://workshop.netfilter.org/2013/wiki/images/e/ee/Nftables-osd-2013-developer.pdf
* http://www.spinics.net/lists/netfilter/
* http://www.spinics.net/lists/netfilter-devel/
* https://home.regit.org/2013/03/patrick-mchardy-oops-i-did-it-ipv6-nat/
** http://www.spinics.net/lists/netfilter-devel/msg22805.html
** http://www.spinics.net/lists/netfilter-devel/msg22815.html stateless IPv6 prefix translation
** http://lxr.free-electrons.com/source/net/ipv6/netfilter/ip6t_NPT.c
* http://computer-outlines.over-blog.com/article-nftables-1-nftables-installation-123263495.html

h2. Prerequisites

* Debian jessie
* Kernel from experimental: https://packages.debian.org/fr/experimental/linux-image-3.14-rc7-amd64
* libnftnl package compiled from https://github.com/aborrero/pkg-libnftnl (soon in Debian sid: https://ftp-master.debian.org/new/libnftnl_1.0.0+git20140122-1.html)
* nftables package compiled from: http://mentors.debian.net/debian/pool/main/n/nftables/nftables_0.100-1.dsc

h2. Discussions

* http://www.spinics.net/lists/netfilter/msg55289.html
** https://bugzilla.netfilter.org/show_bug.cgi?id=914
** https://bugzilla.netfilter.org/show_bug.cgi?id=915

h2. Examples

h3. Tools

<pre>
root@h7:~# nft --version
nftables v0.100 (keith-alexander-filter)
root@h7:~# cat /proc/version
Linux version 3.14-rc7-amd64 (debian-kernel@lists.debian.org) (gcc version 4.8.2 (Debian 4.8.2-16) ) #1 SMP Debian 3.14~rc7-1~exp1 (2014-03-17)
</pre>

h3. UDP counter

<pre>
root@h7:~# nft add rule filter output udp dport 0-65535 ip daddr 91.224.149.151 counter
root@h7:~# nft list chain filter output -a -n
table ip filter {
	chain output {
		 type filter hook output priority 0;
		 ip protocol udp udp dport >= 0 udp dport <= 65535 counter packets 171479 bytes 256167178 # handle 13
		 ip protocol udp udp dport >= 0 udp dport <= 65535 ip daddr 91.224.149.151 counter packets 0 bytes 0 # handle 15
	}
}
root@h7:~# iperf -c 91.224.149.151 -u -b 100M
------------------------------------------------------------
Client connecting to 91.224.149.151, UDP port 5001
Sending 1470 byte datagrams
UDP buffer size:  208 KByte (default)
------------------------------------------------------------
[  3] local 91.224.149.2 port 41909 connected with 91.224.149.151 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec   120 MBytes   100 Mbits/sec
[  3] Sent 85471 datagrams
read failed: Connection refused
[  3] WARNING: did not receive ack of last datagram after 1 tries.
root@h7:~# nft list chain filter output -a -n
table ip filter {
	chain output {
		 type filter hook output priority 0;
		 ip protocol udp udp dport >= 0 udp dport <= 65535 counter packets 256951 bytes 384184664 # handle 13
		 ip protocol udp udp dport >= 0 udp dport <= 65535 ip daddr 91.224.149.151 counter packets 85457 bytes 128014586 # handle 15
	}
}
root@h7:~# nft delete rule filter output handle 15
root@h7:~# nft list chain filter output -a -n
table ip filter {
	chain output {
		 type filter hook output priority 0;
		 ip protocol udp udp dport >= 0 udp dport <= 65535 counter packets 256982 bytes 384190532 # handle 13
	}
}
</pre>

<pre>
nft add rule filter output udp dport 0-65535 counter
nft add rule filter input ip daddr 91.224.149.2 counter
</pre>
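Added example, not part of the original wiki page: a small Python parser for the @nft list chain ... -a -n@ output shown above. It reads the @counter packets N bytes M # handle H@ tail of each rule and computes the per-handle growth between the two listings taken around the iperf run, which is how one checks that the matching rule (handle 15) saw exactly the datagrams sent. The sample input is the two listings from this page; the function names are assumptions.

```python
import re
from typing import Dict, Tuple

# Tail that `nft list chain <table> <chain> -a -n` prints for every rule carrying a
# counter expression: "... counter packets N bytes M # handle H".
_COUNTER_RE = re.compile(r"counter packets (\d+) bytes (\d+).*# handle (\d+)")

def parse_counters(listing: str) -> Dict[int, Tuple[int, int]]:
    """Map rule handle -> (packets, bytes) for each counter rule in a listing."""
    counters: Dict[int, Tuple[int, int]] = {}
    for line in listing.splitlines():
        m = _COUNTER_RE.search(line)
        if m:
            packets, nbytes, handle = (int(g) for g in m.groups())
            counters[handle] = (packets, nbytes)
    return counters

def counter_delta(before: Dict[int, Tuple[int, int]],
                  after: Dict[int, Tuple[int, int]]) -> Dict[int, Tuple[int, int]]:
    """Per-handle growth between two listings; handles deleted in between are skipped."""
    return {h: (after[h][0] - before[h][0], after[h][1] - before[h][1])
            for h in after if h in before}

# Constructed sample input: the two listings taken before and after the iperf run above.
BEFORE = """table ip filter {
	chain output {
		 type filter hook output priority 0;
		 ip protocol udp udp dport >= 0 udp dport <= 65535 counter packets 171479 bytes 256167178 # handle 13
		 ip protocol udp udp dport >= 0 udp dport <= 65535 ip daddr 91.224.149.151 counter packets 0 bytes 0 # handle 15
	}
}"""
AFTER = """table ip filter {
	chain output {
		 type filter hook output priority 0;
		 ip protocol udp udp dport >= 0 udp dport <= 65535 counter packets 256951 bytes 384184664 # handle 13
		 ip protocol udp udp dport >= 0 udp dport <= 65535 ip daddr 91.224.149.151 counter packets 85457 bytes 128014586 # handle 15
	}
}"""

if __name__ == "__main__":
    for handle, (pkts, nbytes) in counter_delta(parse_counters(BEFORE),
                                                parse_counters(AFTER)).items():
        print(f"handle {handle}: +{pkts} packets, +{nbytes} bytes")
```

The bytes/packets ratio of the handle 15 delta is exactly 1498, i.e. the 1470-byte iperf payload plus 8 bytes of UDP and 20 bytes of IPv4 header, so the counter reports IP-layer length, not payload.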

h3. Log

<pre>
root@h7:~# modprobe xt_LOG
root@h7:~# nft add rule filter output ip daddr 91.224.149.151 counter
root@h7:~# nft add rule filter output ip daddr 91.224.149.151 log
root@h7:~# nft list chain filter output -a -n
table ip filter {
	chain output {
		 type filter hook output priority 0;
		 ip daddr 91.224.149.151 counter packets 0 bytes 0 # handle 16
		 ip daddr 91.224.149.151 log # handle 17
	}
}
root@h7:~# ping -c 1 91.224.149.151
PING 91.224.149.151 (91.224.149.151) 56(84) bytes of data.
64 bytes from 91.224.149.151: icmp_seq=1 ttl=64 time=2.53 ms

--- 91.224.149.151 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 2.530/2.530/2.530/0.000 ms

Message from syslogd@h7 at Mar 28 14:38:08 ...
 kernel:[ 6797.701781] IN= OUT=eth0.3131 SRC=91.224.149.2 DST=91.224.149.151 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=7861 DF PROTO=ICMP TYPE=8 CODE=0 ID=26178 SEQ=1 UID=0 GID=0
root@h7:~# nft list chain filter output -a -n
table ip filter {
	chain output {
		 type filter hook output priority 0;
		 ip daddr 91.224.149.151 counter packets 1 bytes 84 # handle 16
		 ip daddr 91.224.149.151 log # handle 17
	}
}
root@h7:~# nft delete rule filter output handle 17
root@h7:~# tail -1 /var/log/syslog
Mar 28 14:38:08 h7 kernel: [ 6797.701781] IN= OUT=eth0.3131 SRC=91.224.149.2 DST=91.224.149.151 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=7861 DF PROTO=ICMP TYPE=8 CODE=0 ID=26178 SEQ=1 UID=0 GID=0
</pre>
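Added example, not from the original page: a Python parser for the kernel log line that the @log@ rule above writes to syslog, as one would use when feeding these lines into log review. It handles the format's quirks visible in the sample: @IN=@ with an empty value (locally generated packet), the bare @DF@ flag with no @=@, and the @ID@ key appearing twice (IPv4 header id, then ICMP echo id). The sample line is the one from this page; function names are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample: the syslog line written by the `log` rule above (taken from this page).
SAMPLE = ("Mar 28 14:38:08 h7 kernel: [ 6797.701781] IN= OUT=eth0.3131 SRC=91.224.149.2 "
          "DST=91.224.149.151 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=7861 DF PROTO=ICMP "
          "TYPE=8 CODE=0 ID=26178 SEQ=1 UID=0 GID=0")

# A netfilter LOG line starts its packet fields with "IN="; what precedes it is syslog framing.
_PAYLOAD_RE = re.compile(r"(?:^|\s)(IN=.*)$")

def parse_nflog_line(line: str) -> dict:
    """Split one kernel LOG line into {'fields': {KEY: value}, 'flags': [...]}.

    Quirks handled: `IN=` with an empty value (no input interface for a locally
    generated packet), bare tokens without `=` such as `DF` (collected as flags),
    and keys that repeat (`ID` is the IPv4 header id first, the ICMP echo id
    second); a repeated key is stored as KEY#2, KEY#3, ... instead of being overwritten.
    """
    m = _PAYLOAD_RE.search(line)
    if not m:
        raise ValueError("not a netfilter LOG line: no IN= field")
    fields: Dict[str, str] = {}
    flags: List[str] = []
    for token in m.group(1).split():
        if "=" not in token:
            flags.append(token)
            continue
        key, _, value = token.partition("=")
        base, n = key, 2
        while key in fields:
            key, n = f"{base}#{n}", n + 1
        fields[key] = value
    return {"fields": fields, "flags": flags}

def summarize(parsed: dict) -> str:
    """One-line flow description for review: proto, src -> dst, and the interface."""
    f = parsed["fields"]
    iface = f"out {f['OUT']}" if f.get("OUT") else f"in {f.get('IN') or '?'}"
    return f"{f.get('PROTO', '?')} {f.get('SRC')} -> {f.get('DST')} {iface}"

if __name__ == "__main__":
    print(summarize(parse_nflog_line(SAMPLE)))
```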