
Linux NFTABLES overview

nftables is the project that aims to replace the existing {ip,ip6,arp,eb}tables framework. This presentation provides an overview of components and features.

Florian Maier (ATIX AG)

January 27, 2014
Transcript

1. problems of iptables
   • Performance problems when dealing with lots of rules (cloud services, IP reputation, complex, …)
   • Code duplication because of different filter families (classic, arp, bridge, ipv4/ipv6)
   • Binary exchange between user space and kernel
   • Not accessible via "official" libraries / interface
2. History
   • iptables (2000)
   • Linux 2.4 firewalling
   • Stateful tracking and full NAT support
   • In-extremis IPv6 support
3. netfilter project
   • 'Rusty' Russell developed iptables and founded the Netfilter project
   • The Netfilter coreteam was created to consolidate the community
4. netfilter features
   • Filtering (internal state, protocol fields)
   • Connection tracking (stateful, helpers for FTP, …)
   • Network address translation (source & destination)
5. netfilter components
   • Filtering component (accept, block, transform)
   • Connection tracking component
     • analyze traffic
     • maintain flow table
   • iptables (configuration tools and kernel interface)
6. evolution via nfnetlink
   • Low-level library for netfilter-related kernel/userspace communication
   • First major evolution of Netfilter (Linux 2.6.14, 2005)
   • NFLOG: enhanced logging system
   • NFQUEUE: improved userspace decision system
   • NFCT: get information about and update connection tracking entries
   • A talk of its own
7. New components
   • conntrack-tools / conntrackd
     • connection tracking replication daemon
     • The userspace daemon conntrackd can be used to enable high availability of cluster-based stateful firewalls
     • conntrack: command line tool to update and query connection tracking
   • ulogd2
     • logging daemon
     • handles packet and connection logging
8. latest changes
   • nfacct
     • efficient accounting system / an easy and efficient way to gather network statistics
     • first appeared in 2012
   • ipset
     • efficient set handling
     • Address lists or more complex sets
     • Included in the "vanilla" kernel since 2011 (2.6.39)
9. nftables
   • Initially developed 2008
   • Revived and updated 2012
   • Funding by Sophos / Astaro
   • Inspired by Berkeley Packet Filter
   • Google Summer of Code 2013 project
10. nftables
   • New filtering system
   • iptables and filtering infrastructure replaced
   • No changes in hooks, connection tracking, helpers
   • New ruleset language
     • based on a grammar
     • accessible from a library
11. architecture
   • Kernel
     • Tables: declared by user, attached to hook
     • User interface: nfnetlink socket (ADD, DELETE, DUMP)
   • Userspace
     • libmnl: low-level netlink interaction
     • libnftables: library handling low-level interaction with the nftables Netlink API
     • nftables: command line utility to maintain the ruleset
12. building nftables
   • Libraries
     • libmnl: git://git.netfilter.org/libmnl
     • libnftables: http://git.netfilter.org/libnftnl/
         $ libtoolize --force
         $ aclocal
         $ autoheader
         $ automake --force-missing --add-missing
         $ autoconf
   • nftables: git://git.netfilter.org/nftables
   • Kernel: >= 3.13
13. basic usage example
   root@nftablesbox:~/code/nftables# nft -f files/nftables/ipv4-filter
   root@nftablesbox:~/code/nftables# nft add rule ip filter output ip daddr 1.2.3.4 counter drop
   root@nftablesbox:~/code/nftables# nft list table filter
14. complex usage example
   set web_servers {
       type ipv4_address
       elements = { 192.168.1.15, 192.168.1.5 }
   }
   map admin_map {
       type ipv4_address => verdict
       elements = { 192.168.0.44 => jump log_me_tender,
                    192.168.0.42 => jump log_me_true,
                    192.168.0.33 => accept }
   }
   chain forward {
       ct state established accept
       ip daddr @web_servers tcp dport ssh ip saddr map @admin_map
       ip daddr @web_servers tcp dport http log accept
       ip daddr @web_servers tcp dport https accept
       counter log drop
   }
   chain log_me_tender { log limit 10/minute accept }
   chain log_me_true { counter log accept }
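The fragments of slides 13 and 14 assembled into one file that `nft -f` can load, as an added example that is not part of the deck: it supplies the enclosing table and the base-chain hook declaration the slide leaves implicit (slide 11: tables are attached to a hook), and writes the rate-limited log of log_me_tender as its own statement so that every admin packet is still accepted. The example assumes the grammar of current nft releases (ipv4_addr, vmap and ':' in place of the slide's ipv4_address, map and '=>'); the addresses are the slide's own sample values.

```shell
#!/bin/sh
# Added example: slide 14's set, verdict map and chains inside the table and
# base-chain hook they need, in current nft grammar (ipv4_addr, vmap, ':').

write_ruleset() {
    # $1: output path. Addresses are the slide's sample values.
    cat > "$1" <<'EOF'
table ip filter {
    set web_servers {
        type ipv4_addr
        elements = { 192.168.1.15, 192.168.1.5 }
    }
    map admin_map {
        type ipv4_addr : verdict
        elements = { 192.168.0.44 : jump log_me_tender,
                     192.168.0.42 : jump log_me_true,
                     192.168.0.33 : accept }
    }
    chain forward {
        # base chain: attached to the forward hook, default deny
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # SSH to web servers only for listed admins; others fall through to drop
        ip daddr @web_servers tcp dport ssh ip saddr vmap @admin_map
        ip daddr @web_servers tcp dport http log accept
        ip daddr @web_servers tcp dport https accept
        counter log drop
    }
    chain log_me_tender {
        # log at most 10 times a minute, but accept every packet
        limit rate 10/minute log
        accept
    }
    chain log_me_true { counter log accept }
}
EOF
}

check_ruleset() {
    # $1: ruleset path. `nft -c -f` parses and validates without touching the
    # live ruleset; it needs nft and root, so it is skipped (status 0) otherwise.
    if ! command -v nft >/dev/null 2>&1 || [ "$(id -u)" != 0 ]; then
        echo "skipping nft -c check of $1 (needs nft and root)"
        return 0
    fi
    nft -c -f "$1"
}

# After a clean check, `nft -f "$f"` applies the whole file atomically.
```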