Nftables » History » Version 17/37
Laurent GUERBY, 30/03/2014 17:06
Nftables
Links
- https://wiki.archlinux.org/index.php/Nftables
- http://kernelnewbies.org/nftables_examples
- https://home.regit.org/netfilter-en/nftables-quick-howto/
- http://wiki.nftables.org/
- http://wiki.nftables.org/wiki-nftables/index.php/Troubleshooting
- http://lwn.net/Articles/324251/ First release of nftables (with some documentation)
- http://lwn.net/Articles/324989/ Nftables: a new packet filtering engine By Jonathan Corbet March 24, 2009
- http://lwn.net/Articles/564095/ The return of nftables By Jonathan Corbet August 20, 2013
- http://ace-host.stuart.id.au/russell/files/tc/doc/
- http://people.netfilter.org/kaber/nfws2008/nftables.odp
- http://www.slideshare.net/ennael/2013-kernel-recipesnftables
- https://home.regit.org/wp-content/uploads/2013/09/2013_kernel_recipes_nftables.pdf
- release 0.099 http://marc.info/?l=netfilter-devel&m=139022351723837&w=2
- kernel first patch
- http://workshop.netfilter.org/2013/wiki/images/e/ee/Nftables-osd-2013-developer.pdf
- http://www.spinics.net/lists/netfilter/
- http://www.spinics.net/lists/netfilter-devel/
- https://home.regit.org/2013/03/patrick-mchardy-oops-i-did-it-ipv6-nat/
Prerequisites
- Debian jessie
- Kernel from experimental: https://packages.debian.org/fr/experimental/linux-image-3.14-rc7-amd64
- libnftnl package compiled from https://github.com/aborrero/pkg-libnftnl (soon in debian sid: https://ftp-master.debian.org/new/libnftnl_1.0.0+git20140122-1.html)
- nftables package compiled from: http://mentors.debian.net/debian/pool/main/n/nftables/nftables_0.100-1.dsc
Examples
Tools
root@h7:~# nft --version
nftables v0.100 (keith-alexander-filter)
root@h7:~# cat /proc/version
Linux version 3.14-rc7-amd64 (debian-kernel@lists.debian.org) (gcc version 4.8.2 (Debian 4.8.2-16) ) #1 SMP Debian 3.14~rc7-1~exp1 (2014-03-17)
UDP counter
root@h7:~# nft add rule filter output udp dport 0-65535 ip daddr 91.224.149.151 counter
root@h7:~# nft list chain filter output -a -n
table ip filter {
    chain output {
         type filter hook output priority 0;
         ip protocol udp udp dport >= 0 udp dport <= 65535 counter packets 171479 bytes 256167178 # handle 13
         ip protocol udp udp dport >= 0 udp dport <= 65535 ip daddr 91.224.149.151 counter packets 0 bytes 0 # handle 15
    }
}
root@h7:~# iperf -c 91.224.149.151 -u -b 100M
------------------------------------------------------------
Client connecting to 91.224.149.151, UDP port 5001
Sending 1470 byte datagrams
UDP buffer size:  208 KByte (default)
------------------------------------------------------------
[  3] local 91.224.149.2 port 41909 connected with 91.224.149.151 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec   120 MBytes   100 Mbits/sec
[  3] Sent 85471 datagrams
read failed: Connection refused
[  3] WARNING: did not receive ack of last datagram after 1 tries.
root@h7:~# nft list chain filter output -a -n
table ip filter {
    chain output {
         type filter hook output priority 0;
         ip protocol udp udp dport >= 0 udp dport <= 65535 counter packets 256951 bytes 384184664 # handle 13
         ip protocol udp udp dport >= 0 udp dport <= 65535 ip daddr 91.224.149.151 counter packets 85457 bytes 128014586 # handle 15
    }
}
root@h7:~# nft delete rule filter output handle 15
root@h7:~# nft list chain filter output -a -n
table ip filter {
    chain output {
         type filter hook output priority 0;
         ip protocol udp udp dport >= 0 udp dport <= 65535 counter packets 256982 bytes 384190532 # handle 13
    }

Rules used to create the counters above (handle 13 on output, plus an input counter):
nft add rule filter output udp dport 0-65535 counter
nft add rule filter input ip daddr 91.224.149.2 counter
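The session above lists the same counters three times, and the interesting numbers are the differences between listings. As an added example (not part of this wiki page and not nftables project code), the Python below parses the `nft list chain ... -a -n` listing format shown above, diffs the per-handle packet and byte counters between two snapshots, and skips a handle that exists in only one of them (handle 15 after `nft delete rule filter output handle 15`). The three listings are pasted in as constructed input with the page's own numbers. It also makes one property of the counters visible: 128014586 bytes / 85457 packets is exactly 1498, i.e. the 1470-byte iperf datagram plus 8 bytes of UDP and 20 bytes of IPv4 header, so the byte counter is taken at the IP layer (the same reason the single ping below is counted as 84 bytes, not 56). Handle 13 grows a little more than handle 15 because it also counts any other UDP the host sent in the meantime.

```python
import re

# Constructed snapshots: the three `nft list chain filter output -a -n` listings from the
# session above (same numbers), pasted as strings so the functions run without a kernel or root.
BEFORE_IPERF = """table ip filter {
    chain output {
         type filter hook output priority 0;
         ip protocol udp udp dport >= 0 udp dport <= 65535 counter packets 171479 bytes 256167178 # handle 13
         ip protocol udp udp dport >= 0 udp dport <= 65535 ip daddr 91.224.149.151 counter packets 0 bytes 0 # handle 15
    }
}
"""
AFTER_IPERF = """table ip filter {
    chain output {
         type filter hook output priority 0;
         ip protocol udp udp dport >= 0 udp dport <= 65535 counter packets 256951 bytes 384184664 # handle 13
         ip protocol udp udp dport >= 0 udp dport <= 65535 ip daddr 91.224.149.151 counter packets 85457 bytes 128014586 # handle 15
    }
}
"""
AFTER_DELETE = """table ip filter {
    chain output {
         type filter hook output priority 0;
         ip protocol udp udp dport >= 0 udp dport <= 65535 counter packets 256982 bytes 384190532 # handle 13
    }
}
"""

# With -a, nft prints "# handle N" after each rule; only rules carrying a counter
# expression have the "packets X bytes Y" part that we extract here.
COUNTER_RE = re.compile(r"counter packets (\d+) bytes (\d+) # handle (\d+)\s*$")


def parse_counters(listing):
    """Return {handle: (packets, bytes)} for every counter rule in an `nft list ... -a -n` listing."""
    counters = {}
    for line in listing.splitlines():
        m = COUNTER_RE.search(line)
        if m:
            packets, nbytes, handle = (int(x) for x in m.groups())
            counters[handle] = (packets, nbytes)
    return counters


def counter_delta(before, after):
    """Per-handle (packets, bytes) growth between two listings.

    A handle present in only one listing (a rule added or deleted in between) is left out
    rather than producing a meaningless delta against a missing value."""
    b, a = parse_counters(before), parse_counters(after)
    return {h: (a[h][0] - b[h][0], a[h][1] - b[h][1]) for h in a if h in b}


def mean_packet_size(delta):
    """Average bytes per counted packet. The counter sees the packet at the IP layer,
    so this includes the 20-byte IPv4 and 8-byte UDP headers, not just the payload."""
    packets, nbytes = delta
    return nbytes / packets if packets else 0.0


if __name__ == "__main__":
    growth = counter_delta(BEFORE_IPERF, AFTER_IPERF)
    for handle, (packets, nbytes) in sorted(growth.items()):
        print(f"handle {handle}: +{packets} packets, +{nbytes} bytes, "
              f"{mean_packet_size((packets, nbytes)):.0f} bytes/packet")
    # handle 15 is gone in the third listing, so only handle 13 appears here
    print("after delete:", counter_delta(AFTER_IPERF, AFTER_DELETE))
```

In practice the two listings would come from `subprocess.run(["nft", "list", "chain", "filter", "output", "-a", "-n"], capture_output=True, text=True).stdout` taken before and after the traffic you want to measure; the parsing and the delta logic stay the same.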
Log
root@h7:~# modprobe xt_LOG
root@h7:~# nft add rule filter output ip daddr 91.224.149.151 counter
root@h7:~# nft add rule filter output ip daddr 91.224.149.151 log
root@h7:~# nft list chain filter output -a -n
table ip filter {
    chain output {
         type filter hook output priority 0;
         ip daddr 91.224.149.151 counter packets 0 bytes 0 # handle 16
         ip daddr 91.224.149.151 log # handle 17
    }
}
root@h7:~# ping -c 1 91.224.149.151
PING 91.224.149.151 (91.224.149.151) 56(84) bytes of data.
64 bytes from 91.224.149.151: icmp_seq=1 ttl=64 time=2.53 ms

--- 91.224.149.151 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 2.530/2.530/2.530/0.000 ms

Message from syslogd@h7 at Mar 28 14:38:08 ...
 kernel:[ 6797.701781] IN= OUT=eth0.3131 SRC=91.224.149.2 DST=91.224.149.151 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=7861 DF PROTO=ICMP TYPE=8 CODE=0 ID=26178 SEQ=1 UID=0 GID=0
root@h7:~# nft list chain filter output -a -n
table ip filter {
    chain output {
         type filter hook output priority 0;
         ip daddr 91.224.149.151 counter packets 1 bytes 84 # handle 16
         ip daddr 91.224.149.151 log # handle 17
    }
}
root@h7:~# nft delete rule filter output handle 17
root@h7:~# tail -1 /var/log/syslog
Mar 28 14:38:08 h7 kernel: [ 6797.701781] IN= OUT=eth0.3131 SRC=91.224.149.2 DST=91.224.149.151 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=7861 DF PROTO=ICMP TYPE=8 CODE=0 ID=26178 SEQ=1 UID=0 GID=0
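The `log` statement (backed by xt_LOG here) writes one key=value line per matching packet, and anyone keeping these in syslog ends up parsing them. As an added example (not from this page or the netfilter project), the Python below parses such lines and handles the three quirks visible in the sample above: bare flag tokens with no `=` (DF), an empty value (IN= for a locally generated packet), and a key that appears twice (ID for the IPv4 header, then ID again for the ICMP echo identifier after PROTO=). The page's syslog line and the wall-message rendering of the same event are used as constructed input, plus one invented inbound TCP SYN line (addresses and ports made up) to show that the transport fields differ per protocol. The `select` helper filters parsed lines on field values, which is the usual first step when hunting a specific flow in a log.

```python
import re

# Constructed input: the two renderings of the page's LOG event (the /var/log/syslog line and
# the syslogd wall message) and one invented inbound TCP SYN line in the same xt_LOG format.
SYSLOG_LINE = ("Mar 28 14:38:08 h7 kernel: [ 6797.701781] IN= OUT=eth0.3131 SRC=91.224.149.2 "
               "DST=91.224.149.151 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=7861 DF PROTO=ICMP "
               "TYPE=8 CODE=0 ID=26178 SEQ=1 UID=0 GID=0")
WALL_LINE = ("kernel:[ 6797.701781] IN= OUT=eth0.3131 SRC=91.224.149.2 DST=91.224.149.151 "
             "LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=7861 DF PROTO=ICMP TYPE=8 CODE=0 ID=26178 "
             "SEQ=1 UID=0 GID=0")
TCP_LINE = ("Mar 28 14:40:00 h7 kernel: [ 6900.000000] IN=eth0.3131 OUT= "  # invented sample
            "SRC=198.51.100.7 DST=91.224.149.2 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=4242 DF "
            "PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0")

# "kernel:" may or may not be followed by a space, and the bracketed uptime has leading padding.
KMSG_RE = re.compile(r"kernel:\s*\[\s*([\d.]+)\]\s*(.*)$")


def parse_nf_log(line):
    """Parse one xt_LOG line into a dict; return None for lines that are not kernel LOG output.

    Bare tokens (DF, SYN, ACK, ...) are collected in fields['flags']. xt_LOG prints the IPv4
    header first, then PROTO=, then the transport header, so a key that repeats after PROTO
    (ID for ICMP) is stored as '<PROTO>_<key>' instead of overwriting the IP-level value."""
    m = KMSG_RE.search(line)
    if not m:
        return None
    fields = {"uptime": float(m.group(1)), "flags": []}
    for token in m.group(2).split():
        if "=" not in token:
            fields["flags"].append(token)
            continue
        key, value = token.split("=", 1)   # "IN=" yields an empty value, not an error
        if key in fields:
            key = f"{fields.get('PROTO', 'L4')}_{key}"
        fields[key] = value
    return fields


def describe(fields):
    """One-line summary for eyeballing a log: protocol, endpoints, direction and size."""
    direction = f"in {fields['IN']}" if fields["IN"] else f"out {fields['OUT']}"
    proto = fields["PROTO"]
    parts = [proto]
    if proto == "ICMP":
        parts.append(f"type {fields['TYPE']} code {fields['CODE']}")
    elif proto in ("TCP", "UDP"):
        parts.append(f"{fields['SPT']}->{fields['DPT']}")
    parts += [fields["SRC"], "->", fields["DST"], direction, f"len {fields['LEN']}"]
    return " ".join(parts)


def select(lines, **wanted):
    """Parsed records whose fields equal every keyword given, e.g. select(lines, DST='91.224.149.151').
    Non-LOG lines (sshd, cron, ...) in the same file are ignored."""
    out = []
    for line in lines:
        f = parse_nf_log(line)
        if f and all(f.get(k) == v for k, v in wanted.items()):
            out.append(f)
    return out


if __name__ == "__main__":
    for rec in select([SYSLOG_LINE, WALL_LINE, TCP_LINE], DST="91.224.149.151"):
        print(describe(rec))
    for rec in select([SYSLOG_LINE, WALL_LINE, TCP_LINE], PROTO="TCP", DPT="22"):
        print(describe(rec), "flags", rec["flags"])
```

Note that the LOG line carries the uptime in the kernel timestamp and the wall-clock time only in the syslog prefix; when correlating with counter snapshots or pcaps, take the wall-clock time from the prefix rather than trying to convert the bracketed uptime.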