Nftables » History » Version 2

Version 1 (Laurent GUERBY, 28/03/2014 19:13) → Version 2/37 (Laurent GUERBY, 28/03/2014 19:33)

{{>toc}}

h1. Nftables

h2. Links

* https://wiki.archlinux.org/index.php/Nftables
* https://home.regit.org/netfilter-en/nftables-quick-howto/
* http://wiki.nftables.org/


h2. Examples

<pre>
root@h7:~# nft --version
nftables v0.100 (keith-alexander-filter)
root@h7:~# cat /proc/version
Linux version 3.14-rc7-amd64 (debian-kernel@lists.debian.org) (gcc version 4.8.2 (Debian 4.8.2-16) ) #1 SMP Debian 3.14~rc7-1~exp1 (2014-03-17)
</pre>

<pre>
root@h7:~# nft add rule filter output udp dport 0-65535 ip daddr 91.224.149.151 counter
root@h7:~# nft list chain filter output -a -n
table ip filter {
	chain output {
		type filter hook output priority 0;
		ip protocol udp udp dport >= 0 udp dport <= 65535 counter packets 171479 bytes 256167178 # handle 13
		ip protocol udp udp dport >= 0 udp dport <= 65535 ip daddr 91.224.149.151 counter packets 0 bytes 0 # handle 15
	}
}
root@h7:~# iperf -c 91.224.149.151 -u -b 100M
------------------------------------------------------------
Client connecting to 91.224.149.151, UDP port 5001
Sending 1470 byte datagrams
UDP buffer size: 208 KByte (default)
------------------------------------------------------------
[ 3] local 91.224.149.2 port 41909 connected with 91.224.149.151 port 5001
[ ID] Interval Transfer Bandwidth
[ 3] 0.0-10.0 sec 120 MBytes 100 Mbits/sec
[ 3] Sent 85471 datagrams
read failed: Connection refused
[ 3] WARNING: did not receive ack of last datagram after 1 tries.
root@h7:~# nft list chain filter output -a -n
table ip filter {
	chain output {
		type filter hook output priority 0;
		ip protocol udp udp dport >= 0 udp dport <= 65535 counter packets 256951 bytes 384184664 # handle 13
		ip protocol udp udp dport >= 0 udp dport <= 65535 ip daddr 91.224.149.151 counter packets 85457 bytes 128014586 # handle 15
	}
}
root@h7:~# nft delete rule filter output handle 15
root@h7:~# nft list chain filter output -a -n
table ip filter {
	chain output {
		type filter hook output priority 0;
		ip protocol udp udp dport >= 0 udp dport <= 65535 counter packets 256982 bytes 384190532 # handle 13
	}
}
</pre>
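The session above reads the rule handle and the counter values by eye before deleting handle 15. The script below is an added example (it is not from this wiki page or from the nftables project) that automates that step: it parses the text printed by @nft list chain filter output -a -n@, diffs the two snapshots taken before and after the iperf run, and prints the @nft delete rule ... handle N@ command for every rule matching a given expression. It assumes the nftables 0.100 listing format shown on the page (one rule per line, a @counter packets P bytes B@ expression and a trailing @# handle N@); the two embedded listings are copied from the session above, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the wiki page: parse the output of
# `nft list chain filter output -a -n` (nftables 0.100 format, one rule per
# line with "counter packets P bytes B" and a "# handle N" trailer) to read
# counters, diff two snapshots, and build delete-by-handle commands.

# Both snapshots are copied from the page: before and after the iperf run.
BEFORE='table ip filter {
    chain output {
        type filter hook output priority 0;
        ip protocol udp udp dport >= 0 udp dport <= 65535 counter packets 171479 bytes 256167178 # handle 13
        ip protocol udp udp dport >= 0 udp dport <= 65535 ip daddr 91.224.149.151 counter packets 0 bytes 0 # handle 15
    }
}'
AFTER='table ip filter {
    chain output {
        type filter hook output priority 0;
        ip protocol udp udp dport >= 0 udp dport <= 65535 counter packets 256951 bytes 384184664 # handle 13
        ip protocol udp udp dport >= 0 udp dport <= 65535 ip daddr 91.224.149.151 counter packets 85457 bytes 128014586 # handle 15
    }
}'

# rule_counters LISTING -> one "handle packets bytes" line per counting rule
rule_counters() {
    printf '%s\n' "$1" | awk '
        /# handle [0-9]+$/ && /counter packets/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "packets") p = $(i + 1)
                if ($i == "bytes")   b = $(i + 1)
                if ($i == "handle")  h = $(i + 1)
            }
            print h, p, b
        }'
}

# packets_for_handle LISTING HANDLE -> packet count, empty if no such rule
packets_for_handle() {
    rule_counters "$1" | awk -v h="$2" '$1 == h { print $2 }'
}

# packet_delta BEFORE AFTER HANDLE -> packets counted between two snapshots
# (a rule absent from a snapshot counts as 0)
packet_delta() {
    _b=$(packets_for_handle "$1" "$3")
    _a=$(packets_for_handle "$2" "$3")
    echo $(( ${_a:-0} - ${_b:-0} ))
}

# handles_matching LISTING PATTERN -> handles of rules whose text contains
# PATTERN verbatim, e.g. "ip daddr 91.224.149.151"
handles_matching() {
    printf '%s\n' "$1" | awk -v pat="$2" '
        /# handle [0-9]+$/ && index($0, pat) { print $NF }'
}

# delete_commands LISTING TABLE CHAIN PATTERN -> the nft commands that would
# remove every matching rule. They are printed, not executed, so this runs
# without root or nft installed; pipe the output into sh to apply it.
delete_commands() {
    handles_matching "$1" "$4" | while read -r h; do
        printf 'nft delete rule %s %s handle %s\n' "$2" "$3" "$h"
    done
}

# Stand-alone demo over the two snapshots from the page.
echo "counters after iperf (handle packets bytes):"
rule_counters "$AFTER"
echo "handle 15 delta: $(packet_delta "$BEFORE" "$AFTER" 15) packets"
echo "handle 13 delta: $(packet_delta "$BEFORE" "$AFTER" 13) packets"
delete_commands "$AFTER" filter output 'ip daddr 91.224.149.151'
```

Matching on the rule text rather than on a remembered handle number matters because handles are allocated by the kernel and change whenever the rule is re-added, so a script that hard-codes @handle 15@ will delete the wrong rule (or nothing) after the ruleset is reloaded. Run @delete_commands ... | sh@ as root to apply the printed commands.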

<pre>
nft add rule filter output udp dport 0-65535 counter
nft add rule filter input ip daddr 91.224.149.2 counter
</pre>