Nftables » Historique » Version 17
« Précédent -
Version 17/37
(diff) -
Suivant » -
Version actuelle
Laurent GUERBY, 30/03/2014 17:06
Nftables¶
Liens¶
- https://wiki.archlinux.org/index.php/Nftables
- http://kernelnewbies.org/nftables_examples
- https://home.regit.org/netfilter-en/nftables-quick-howto/
- http://wiki.nftables.org/
- http://wiki.nftables.org/wiki-nftables/index.php/Troubleshooting
- http://lwn.net/Articles/324251/ First release of nftables (with some documentation)
- http://lwn.net/Articles/324989/ Nftables: a new packet filtering engine By Jonathan Corbet March 24, 2009
- http://lwn.net/Articles/564095/ The return of nftables By Jonathan Corbet August 20, 2013
- http://ace-host.stuart.id.au/russell/files/tc/doc/
- http://people.netfilter.org/kaber/nfws2008/nftables.odp
- http://www.slideshare.net/ennael/2013-kernel-recipesnftables
- https://home.regit.org/wp-content/uploads/2013/09/2013_kernel_recipes_nftables.pdf
- release 0.099 http://marc.info/?l=netfilter-devel&m=139022351723837&w=2
- kernel first patch
- http://workshop.netfilter.org/2013/wiki/images/e/ee/Nftables-osd-2013-developer.pdf
- http://www.spinics.net/lists/netfilter/
- http://www.spinics.net/lists/netfilter-devel/
- https://home.regit.org/2013/03/patrick-mchardy-oops-i-did-it-ipv6-nat/
Pre-requis¶
- Debian jessie
- Kernel from experimental: https://packages.debian.org/fr/experimental/linux-image-3.14-rc7-amd64
- libnfnl package compiled from https://github.com/aborrero/pkg-libnftnl (bientot dans debian sid: https://ftp-master.debian.org/new/libnftnl_1.0.0+git20140122-1.html)
- nftales package compiled from: http://mentors.debian.net/debian/pool/main/n/nftables/nftables_0.100-1.dsc
Examples¶
Tools¶
root@h7:~# nft --version nftables v0.100 (keith-alexander-filter) root@h7:~# cat /proc/version Linux version 3.14-rc7-amd64 (debian-kernel@lists.debian.org) (gcc version 4.8.2 (Debian 4.8.2-16) ) #1 SMP Debian 3.14~rc7-1~exp1 (2014-03-17)
UDP counter¶
root@h7:~# nft add rule filter output udp dport 0-65535 ip daddr 91.224.149.151 counter
root@h7:~# nft list chain filter output -a -n
table ip filter {
chain output {
type filter hook output priority 0;
ip protocol udp udp dport >= 0 udp dport <= 65535 counter packets 171479 bytes 256167178 # handle 13
ip protocol udp udp dport >= 0 udp dport <= 65535 ip daddr 91.224.149.151 counter packets 0 bytes 0 # handle 15
}
}
root@h7:~# iperf -c 91.224.149.151 -u -b 100M
------------------------------------------------------------
Client connecting to 91.224.149.151, UDP port 5001
Sending 1470 byte datagrams
UDP buffer size: 208 KByte (default)
------------------------------------------------------------
[ 3] local 91.224.149.2 port 41909 connected with 91.224.149.151 port 5001
[ ID] Interval Transfer Bandwidth
[ 3] 0.0-10.0 sec 120 MBytes 100 Mbits/sec
[ 3] Sent 85471 datagrams
read failed: Connection refused
[ 3] WARNING: did not receive ack of last datagram after 1 tries.
root@h7:~# nft list chain filter output -a -n
table ip filter {
chain output {
type filter hook output priority 0;
ip protocol udp udp dport >= 0 udp dport <= 65535 counter packets 256951 bytes 384184664 # handle 13
ip protocol udp udp dport >= 0 udp dport <= 65535 ip daddr 91.224.149.151 counter packets 85457 bytes 128014586 # handle 15
}
}
root@h7:~# nft delete rule filter output handle 15
root@h7:~# nft list chain filter output -a -n
table ip filter {
chain output {
type filter hook output priority 0;
ip protocol udp udp dport >= 0 udp dport <= 65535 counter packets 256982 bytes 384190532 # handle 13
}
nft add rule filter output udp dport 0-65535 counter nft add rule filter input ip daddr 91.224.149.2 counter
Log¶
root@h7:~# modprobe xt_LOG
root@h7:~# nft add rule filter output ip daddr 91.224.149.151 counter
root@h7:~# nft add rule filter output ip daddr 91.224.149.151 log
root@h7:~# nft list chain filter output -a -n
table ip filter {
chain output {
type filter hook output priority 0;
ip daddr 91.224.149.151 counter packets 0 bytes 0 # handle 16
ip daddr 91.224.149.151 log # handle 17
}
}
root@h7:~# ping -c 1 91.224.149.151
PING 91.224.149.151 (91.224.149.151) 56(84) bytes of data.
64 bytes from 91.224.149.151: icmp_seq=1 ttl=64 time=2.53 ms
--- 91.224.149.151 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 2.530/2.530/2.530/0.000 ms
Message from syslogd@h7 at Mar 28 14:38:08 ...
kernel:[ 6797.701781] IN= OUT=eth0.3131 SRC=91.224.149.2 DST=91.224.149.151 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=7861 DF PROTO=ICMP TYPE=8 CODE=0 ID=26178 SEQ=1 UID=0 GID=0
root@h7:~# nft list chain filter output -a -n
table ip filter {
chain output {
type filter hook output priority 0;
ip daddr 91.224.149.151 counter packets 1 bytes 84 # handle 16
ip daddr 91.224.149.151 log # handle 17
}
}
root@h7:~# nft delete rule filter output handle 17
root@h7:~# tail -1 /var/log/syslog
Mar 28 14:38:08 h7 kernel: [ 6797.701781] IN= OUT=eth0.3131 SRC=91.224.149.2 DST=91.224.149.151 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=7861 DF PROTO=ICMP TYPE=8 CODE=0 ID=26178 SEQ=1 UID=0 GID=0