Nftables » History » Version 2

Laurent GUERBY, 03/28/2014 07:33 PM

{{>toc}}

h1. Nftables

h2. Links

* https://wiki.archlinux.org/index.php/Nftables
* https://home.regit.org/netfilter-en/nftables-quick-howto/
* http://wiki.nftables.org/

h2. Examples

<pre>
root@h7:~# nft --version
nftables v0.100 (keith-alexander-filter)
root@h7:~# cat /proc/version 
Linux version 3.14-rc7-amd64 (debian-kernel@lists.debian.org) (gcc version 4.8.2 (Debian 4.8.2-16) ) #1 SMP Debian 3.14~rc7-1~exp1 (2014-03-17)
</pre>

<pre>
root@h7:~# nft add rule filter output udp dport 0-65535 ip daddr 91.224.149.151 counter
root@h7:~# nft list chain filter output -a -n
table ip filter {
	chain output {
		 type filter hook output priority 0;
		 ip protocol udp udp dport >= 0 udp dport <= 65535 counter packets 171479 bytes 256167178 # handle 13
		 ip protocol udp udp dport >= 0 udp dport <= 65535 ip daddr 91.224.149.151 counter packets 0 bytes 0 # handle 15
	}
}
root@h7:~# iperf -c 91.224.149.151 -u -b 100M
------------------------------------------------------------
Client connecting to 91.224.149.151, UDP port 5001
Sending 1470 byte datagrams
UDP buffer size:  208 KByte (default)
------------------------------------------------------------
[  3] local 91.224.149.2 port 41909 connected with 91.224.149.151 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec   120 MBytes   100 Mbits/sec
[  3] Sent 85471 datagrams
read failed: Connection refused
[  3] WARNING: did not receive ack of last datagram after 1 tries.
root@h7:~# nft list chain filter output -a -n
table ip filter {
	chain output {
		 type filter hook output priority 0;
		 ip protocol udp udp dport >= 0 udp dport <= 65535 counter packets 256951 bytes 384184664 # handle 13
		 ip protocol udp udp dport >= 0 udp dport <= 65535 ip daddr 91.224.149.151 counter packets 85457 bytes 128014586 # handle 15
	}
}
root@h7:~# nft delete rule filter output handle 15
root@h7:~# nft list chain filter output -a -n
table ip filter {
	chain output {
		 type filter hook output priority 0;
		 ip protocol udp udp dport >= 0 udp dport <= 65535 counter packets 256982 bytes 384190532 # handle 13
	}
</pre>
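
The session above takes two snapshots of the same chain with @-a -n@ (handles shown, no name resolution) and then deletes a rule by its handle. As an added example (not from the original page), the shell helper below reads two such listings and reports the per-handle packet and byte deltas, and looks up a rule's handle from part of its match expression so it can be deleted without re-typing the rule. The two snapshots are copied from the listings above and embedded as constructed input; the @nftables v0.100@ output format (@counter packets N bytes M # handle H@) is assumed.

```shell
#!/bin/sh
# Added example: per-handle counter deltas between two "nft list chain ... -a -n"
# snapshots. Assumes the v0.100 listing format shown on this page, where every
# rule line ends in "counter packets N bytes M # handle H".

# Constructed input: the two listings from the session above (leading whitespace simplified).
BEFORE='table ip filter {
  chain output {
     type filter hook output priority 0;
     ip protocol udp udp dport >= 0 udp dport <= 65535 counter packets 171479 bytes 256167178 # handle 13
     ip protocol udp udp dport >= 0 udp dport <= 65535 ip daddr 91.224.149.151 counter packets 0 bytes 0 # handle 15
  }
}'
AFTER='table ip filter {
  chain output {
     type filter hook output priority 0;
     ip protocol udp udp dport >= 0 udp dport <= 65535 counter packets 256951 bytes 384184664 # handle 13
     ip protocol udp udp dport >= 0 udp dport <= 65535 ip daddr 91.224.149.151 counter packets 85457 bytes 128014586 # handle 15
  }
}'

# counter_delta BEFORE_TEXT AFTER_TEXT
# Prints "handle H packets dP bytes dB" for each handle present in both snapshots,
# sorted by handle. A rule present in only one snapshot (e.g. removed with
# "nft delete rule filter output handle H") is skipped rather than reported as a drop to zero.
counter_delta() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        /^table / { snap++ }                 # each "table ..." line starts a snapshot
        / counter packets [0-9]+ bytes [0-9]+ # handle [0-9]+/ {
            for (i = 1; i <= NF; i++) {      # pull the values following the keywords
                if ($i == "packets") p = $(i + 1)
                if ($i == "bytes")   b = $(i + 1)
                if ($i == "handle")  h = $(i + 1)
            }
            if (snap == 1) { bp[h] = p; bb[h] = b } else { ap[h] = p; ab[h] = b }
        }
        END {
            for (h in ap) if (h in bp)
                printf "handle %d packets %d bytes %d\n", h, ap[h] - bp[h], ab[h] - bb[h]
        }' | sort -k2 -n
}

# rule_handle SNAPSHOT_TEXT PATTERN
# Prints the handle of the first rule whose text contains PATTERN (a literal substring),
# e.g. the "ip daddr ..." match, for use with "nft delete rule <table> <chain> handle H".
rule_handle() {
    printf '%s\n' "$1" | awk -v pat="$2" 'index($0, pat) && / # handle [0-9]+$/ { print $NF; exit }'
}
```

Running @counter_delta "$BEFORE" "$AFTER"@ on the page's listings gives 85472 packets for handle 13 and 85457 for handle 15, which can be set against the 85471 datagrams iperf reports having sent.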

<pre>
nft add rule filter output udp dport 0-65535 counter
nft add rule filter input ip daddr 91.224.149.2 counter
</pre>