nftables, one year later

Éric Leblond

Stamus Networks

September 25, 2014

Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 1 / 40

1 Introduction

2 Nftables, an Iptables replacement

3 Nftables since last Kernel Recipes

4 The future

5 Conclusion

1 Introduction

Éric Leblond

co-founder of Stamus Networks
- Company providing network probe based on Suricata
- Focusing on bringing you the best of Suricata IDS technology

Netfilter Coreteam member
- Work on kernel-userspace interaction
- Kernel hacking
- Ulogd2 maintainer
- Port of Openoffice firewall to Libreoffice

2 Nftables, an Iptables replacement

A new filtering system
- Replace iptables and the filtering infrastructure
- No changes in
  - Hooks
  - Connection tracking
  - Helpers

A new language
- Based on a grammar
- Accessible from a library

Netlink based communication
- Atomic modification
- Notification system

A filtering based on a pseudo-state machine

Inspired by BPF
- 4 registers
- 1 verdict
- An extensive instruction set

Add some magic?
- reg = pkt.payload[offset, len]
- reg = cmp(reg1, reg2, EQ)
- reg = pkt.meta(mark)
- reg = lookup(set, reg1)
- reg = ct(reg1, state)

Easy creation of new matches
- reg1 = pkt.payload[offset_src_port, len]
- reg2 = pkt.payload[offset_dst_port, len]
- reg = cmp(reg1, reg2, EQ)


Kernel
- Tables: declared by user and attached to hook
- User interface: nfnetlink socket

Userspace
- libmnl: low level netlink interaction
- libnftnl: library handling low-level interaction with nftables' Netlink API
- nftables: command line utility to maintain ruleset

Dynamic chain loading

- Chains are created on-demand
- Chains are created via a specific netlink message
- Non-user chains are:
  - Of a specific type
  - Bound to a given hook

Current chain types
- filter: filtering table
- route: old mangle table
- nat: network address translation table

From userspace syntax to kernel

Converting user input
- Operation is made via a netlink message
- The userspace syntax must be converted
  - From a text message following a grammar
  - To a binary Netlink message

From kernel to userspace syntax

- Kernel sends a netlink message
- It must be converted back to text

ip filter output 8 7
  [ payload load 4b @ network header + 16 => reg 1 ]
  [ bitwise reg 1 = ( reg=1 & 0x00ffffff ) ^ 0x00000000 ]
  [ cmp eq reg 1 0x00500fd9 ]
  [ counter pkts 7 bytes 588 ]

is translated to:

ip daddr /24 counter packets 7 bytes 588 # handle 8

Simplified kernel code

- A limited in-kernel size
- A limited set of operators and instructions
- A state machine
- No code dedicated to each match
  - One match on address uses the same code as a match on port
  - New matches are possible without kernel modification

LOC count
- 50000 LOC in userspace
- only 7000 LOC in kernel-space

Less kernel updates

Pseudo state machine instructions
- Current instructions cover needs found in previous 10 years
- New instructions require very limited code

Development in userspace
- A new match will not need a new kernel
- ICMPv6 implementation is a single userspace patch

Set handling

Interests of sets
- One single rule evaluation
- Simple and readable ruleset
- Evolution handling

Anonymous set

nft add rule ip global filter \
    ip daddr {192.168.0.0/24, 192.168.1.4} \
    tcp dport {22, 443} \
    accept

Named set

nft add set global ipv4_ad { type ipv4_address; }
nft add element global ipv4_ad { 192.168.1.4, 192.168.1.5 }
nft delete element global ipv4_ad { 192.168.1.5 }
nft add rule ip global filter ip saddr @ipv4_ad drop


Principle and interest
- Associative mapping linking two notions
- A match on the key triggers the use of the value
- Using addresses, interfaces, verdicts

Examples

Anonymous mapping:

# nft add rule filter output ip daddr vmap \
    {192.168.0.0/24 => drop, => accept}

Named mapping:

# nft -i
nft> add map filter verdict_map { type ipv4_address => verdict; }
nft> add element filter verdict_map { 1.2.3.5 => drop }
nft> add rule filter output ip daddr vmap @verdict_map

Usage example

set web_servers {
    type ipv4_address
    elements = { , 192.168.1.5 }
}
map admin_map {
    type ipv4_address => verdict
    elements = { => jump logmetender, \
                 => jump logmetrue, => accept }
}
chain forward {
    ct state established accept
    ip daddr @web_servers tcp dport ssh ip saddr map @admin_map
    ip daddr @web_servers tcp dport { http, https } log accept
    counter log drop
}
chain logmetender {
    log limit 10/minute accept
}
chain logmetrue {
    counter log accept
}

3 Nftables since last Kernel Recipes

Sexy trailer

The video

Video generation
- Video generated with gource
- Various git histories have been merged
- File paths have been prefixed with the project name


Man page
- Complete description of nft
- Man page style:
  - Lot of things
  - Concise description
- A few things missing

A wiki
- Only a howto for now
- http://wiki.nftables.org/
- Still incomplete but a good documentation
- Want to contribute: ask on the Netfilter mailing list to get an account

IPv4 and IPv6 filtering

Don't mix the old and the new
- Tables are defined relatively to an IP space
- Must declare a table
  - for each protocol
  - for each chain/hook

Basic filtering chains

table filter {
    chain input { type filter hook input priority 0; }
    chain forward { type filter hook forward priority 0; }
    chain output { type filter hook output priority 0; }
}
table ip6 filter {
    chain input { type filter hook input priority 0; }
    chain forward { type filter hook forward priority 0; }
    chain output { type filter hook output priority 0; }
}

Handling of IPv4 and IPv6

Inet filtering

Kernel side
- Introduce a new NFPROTO_INET family
- Realize dispatch later based on the effective family
- Activate IPv4 and IPv6 features when needed

table inet filter {
    chain input {
        type filter hook input priority 0;
        ct state established, related accept
        iif lo accept
        ct state new iif != lo tcp dport { ssh, 2200 } \
            tcp flags == syn counter \
            log prefix "SSH attempt " group 1 \
            accept
        ip saddr 192.168.0.0/24 tcp dport { 9300, 3142 } counter accept
        ip6 saddr 2a03:2880:2110:df07:face:b00c:0:1 drop
    }
}

Result: easy handling of IPv4 and IPv6

Atomic ruleset update (1/2)

Bring transactions to nftables
- Update ruleset at once
- Need transaction support
  - All pass or abort
- Need to handle tables and rules

Problem of sets
- They exist at table level
- They are used at chain level

Atomic ruleset update (2/2)

Atomic ruleset update
- atomically commit a set of rule-set updates incrementally
- based on a generation counter/mask
  - 00 active in the present, will be active in the next generation.
  - 01 active in the present, needs to zero its future, it becomes 00.
  - 10 inactive in the present, delete now.

Batch method
- Start transaction
- Send modifications mixing set and ruleset updates
- Commit transaction

Interest
- Limit the number of netlink messages

Dynamic set choice (1/2)

Ipset usage
- Choose set type
- Among the possible choices

The set subsystem
- Various set types are available
- No selector exists

Dynamic set choice (2/2)

Constraint based selection
- Select set based on user constraint
  - Memory usage
  - Lookup complexity

nft add set filter set1 { type ipv4_addr; size 1024; }
nft add set filter set1 { type ipv4_addr; policy memory; }
nft add set filter set1 { type ipv4_addr; policy performance; }

Status
- Kernel space is implemented
- Userspace is not yet committed

Warning: NSFC

The young guard

- Giuseppe Longo
- Arturo Borrero Gonzales
- Alvaro Neira Ayuso
- Ana Rey

Google Summer of Code
Outreach Program for Women

Ana Rey: nftables test system

Regression test
- Test nft command and check result
- Most features are tested
- Sponsored by OPW
- Already led to fixes

Example

any/queue.t: OK
any/ct.t: WARNING: line: 59: 'nft add rule -nnn ip test-ip4 \
    output ct expiration 30': \
    'ct expiration 30' mismatches 'ct expiration "30s"'
any/ct.t: WARNING: line: 61: 'nft add rule -nnn ip test-ip4 \
    output ct expiration != 233': \
    'ct expiration != 233' mismatches 'ct expiration != "3m53s"'

Arturo Borrero: Nftsync (1/2)

Principle
- Distribute ruleset across the network
- Support master/slave
- Deploy ruleset for non gateway systems

Implementation
- Use notification system
- Collect updates and distribute them

Nftsync (2/2)

Current state
- Bootstrapped during summer
- Basic mode working
- No encryption yet

Get it, try it, hack it
- http://git.netfilter.org/nft-sync/

Giuseppe Longo: ebtables compat layer

Provide tools compatibility
- Use old tools with new nftables framework
- Convert old command lines to new internal syntax

Multi layer compatibility
- Bridge level: ebtables
- IP level: iptables

4 The future

High level library for third party software
- Network manager
- Firewall management interfaces

It will be based on nftables
- Using same command line
- Providing transaction feature

Complete import/export

Exporting ruleset
- Can currently be done via a single nft command
- XML and JSON format

Importing ruleset
- No single command to restore
- nft -f is not enough
- nft import is needed

Unification with existing BPF

- No real difference
- Different keywords related to Netfilter
- May be possible to merge

5 Conclusion

A huge evolution
- Solving iptables problems
- An answer to new usages
  - Set handling
  - Complex matches
  - IPv4 and IPv6 in one table

Already usable
- Main features are here
- Compatibility can be used

Questions?

Do you have questions?

Thanks to
- Netfilter team
- Google for GSoC 2014
- Outreach Program for Women

More information
- Netfilter: http://www.netfilter.org
- Nftables wiki: http://wiki.nftables.org

Contact me
- Mail: [email protected]
- Twitter: @Regiteric