Slide 1

NFTABLES OVERVIEW
Florian Maier, 2014-01-27

Slide 2

problems of iptables
• performance problems when dealing with lots of rules (cloud services, IP reputation lists, complex rulesets, …): rules are matched linearly
• code duplication because of the different filter families (classic iptables, arptables, ebtables for bridging, iptables/ip6tables for IPv4/IPv6)
• the ruleset is exchanged between user space and kernel as one binary blob, so every change replaces the whole table
• not accessible via an "official" library / interface; tools have to parse or call the iptables binary

Slide 3

History
• ipchains (1997)
• Linux 2.2 firewalling
• stateless
• developed by Paul "Rusty" Russell

Slide 4

History
• iptables (2000)
• Linux 2.4 firewalling
• stateful tracking and full NAT support
• in-extremis IPv6 support

Slide 5

netfilter project
• Rusty Russell developed iptables and founded the Netfilter project
• the Netfilter core team was created to consolidate the community

Slide 6

netfilter features
• filtering (on internal state and protocol fields)
• connection tracking (stateful; helpers for FTP, …)
• network address translation (source and destination)

Slide 7

netfilter components
• filtering component (accept, block, transform)
• connection tracking component
  • analyze traffic
  • maintain the flow table
• iptables (configuration tools and kernel interface)

Slide 8

evolution via nfnetlink
• low-level library for netfilter related kernel/userspace communication
• first major evolution of Netfilter (Linux 2.6.14, 2005)
• NFLOG: enhanced logging system
• NFQUEUE: improved system for handing packets to userspace for a verdict (successor of ip_queue)
• NFCT: query and update connection tracking entries
• another talk on its own

Slide 9

New components
• conntrack-tools / conntrackd
  • connection tracking replication daemon
  • the userspace daemon conntrackd can be used to enable high availability of cluster-based stateful firewalls
  • conntrack: command line tool to update and query connection tracking
• ulogd2
  • logging daemon
  • handles packet and connection logging

Slide 10

latest changes
• nfacct
  • efficient accounting system: an easy and efficient way to gather network statistics
  • first appeared in 2012
• ipset
  • efficient set handling
  • address lists or more complex sets
  • included in the "vanilla" kernel since 2011 (2.6.39)

Slide 11

nftables
• initially developed in 2008
• revived and updated in 2012
• funding by Sophos / Astaro
• inspired by the Berkeley Packet Filter
• Google Summer of Code 2013 project

Slide 12

nftables
• new filtering system
• replaces iptables and its filtering infrastructure (x_tables)
• no changes to hooks, connection tracking or helpers
• new ruleset language
  • based on a grammar
  • accessible from a library

Slide 13

architecture
• Kernel
  • tables: declared by the user, attached to a hook
  • user interface: nfnetlink socket (ADD, DELETE, DUMP)
• Userspace
  • libmnl: low-level netlink interaction
  • libnftnl (formerly libnftables): library handling the low-level interaction with the nftables netlink API
  • nft: command line utility to maintain the ruleset

Slide 14

building nftables
• Libraries
  • libmnl: git://git.netfilter.org/libmnl
  • libnftnl (formerly libnftables): http://git.netfilter.org/libnftnl/
    $ libtoolize --force
    $ aclocal
    $ autoheader
    $ automake --force-missing --add-missing
    $ autoconf
• nftables
  • git://git.netfilter.org/nftables
• Kernel
  • >= 3.13 (first release with nftables merged)

Slide 15

basic usage example
    root@nftablesbox:~/code/nftables# nft -f files/nftables/ipv4-filter
    root@nftablesbox:~/code/nftables# nft add rule ip filter output ip daddr 1.2.3.4 counter drop
    root@nftablesbox:~/code/nftables# nft list table filter

Slide 16

complex usage example
    set web_servers {
        type ipv4_address
        elements = { 192.168.1.15, 192.168.1.5 }
    }

    map admin_map {
        type ipv4_address => verdict
        elements = { 192.168.0.44 => jump log_me_tender,
                     192.168.0.42 => jump log_me_true,
                     192.168.0.33 => accept }
    }

    chain forward {
        ct state established accept
        ip daddr @web_servers tcp dport ssh ip saddr map @admin_map
        ip daddr @web_servers tcp dport http log accept
        ip daddr @web_servers tcp dport https accept
        counter log drop
    }

    chain log_me_tender { log limit 10/minute accept }
    chain log_me_true { counter log accept }
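Added example, not part of the slides or of the netfilter project's own files: the set, verdict map and chains from the slide above, completed into a ruleset file that `nft -f` can load as a whole, the way the basic usage example loads ipv4-filter. It is written in current nft syntax (ipv4_addr instead of ipv4_address, vmap and ':' in the verdict map, explicit base-chain hook declarations) and assumes a table named filter in the ip family; the log prefixes, the related state, the invalid-state drop and the chain policy are hardening assumptions added here. One deliberate difference from the slide: in log_me_tender the rate limit gates only the log rule, so an admin's SSH is still accepted once the 10/minute log budget is exhausted instead of returning to the forward chain and falling through to the final drop.

```nft
# Added example (not from the slides): slide 16 completed into a loadable
# ruleset in current nft syntax. Table/chain names and 192.168.x.x addresses
# are the slide's own; everything marked "assumed" is added here.
flush ruleset

table ip filter {
    # Protected hosts, referenced by name as @web_servers. Growing the set is
    # an element update; the rules referencing it do not change.
    set web_servers {
        type ipv4_addr
        elements = { 192.168.1.15, 192.168.1.5 }
    }

    # Verdict map: source address -> verdict. One lookup replaces a rule per
    # admin; an unlisted source simply gets no verdict and falls through.
    map admin_map {
        type ipv4_addr : verdict
        elements = { 192.168.0.44 : jump log_me_tender,
                     192.168.0.42 : jump log_me_true,
                     192.168.0.33 : accept }
    }

    # Rate-limited logging, then an unconditional accept: the limit must not
    # decide the verdict, only whether this packet is logged.
    chain log_me_tender {
        limit rate 10/minute log prefix "admin-44 "
        accept
    }

    chain log_me_true {
        counter log prefix "admin-42 " accept
    }

    chain forward {
        # policy drop is assumed hardening; the explicit catch-all below still
        # exists so dropped traffic is counted and logged.
        type filter hook forward priority 0; policy drop;

        # Fast path: packets of already accepted flows skip the rest.
        ct state established,related accept
        # Assumed: drop packets conntrack cannot associate with a flow.
        ct state invalid counter drop

        # SSH to web servers only for admins; verdict comes from the map.
        ip daddr @web_servers tcp dport ssh ip saddr vmap @admin_map

        ip daddr @web_servers tcp dport http log prefix "web-http " accept
        ip daddr @web_servers tcp dport https accept

        # Catch-all: count, log, drop.
        counter log prefix "fwd-drop " drop
    }
}
```

Load it as root with `nft -f ruleset.nft` and check the result with `nft list table ip filter`. Adding an admin is a set update, not a rule change: `nft add element ip filter admin_map '{ 192.168.0.50 : accept }'`. `nft list chain ip filter forward` shows the counters, so the catch-all counter tells you how much traffic the policy is actually dropping.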

Slide 17

Questions?
http://www.netfilter.org/