NFTABLES OVERVIEW Florian Maier, 2014-01-27 

problems of iptables ! • performance problems hen dealing with lots of rules (cloud services, ip reputation, complex, …) • Code duplication b/c of different filter families (classic, arp, bridge, ipv4/ipv6) • Binary exchange between user space and kernel • Not accessible via “official” libraries / interface 

History • ipchains (1997) • Linux 2.2 firewalling • Stateless • Developed by Paul “Rusty” Russel 

History • iptables (2000) • Linux 2.4 firewalling • Stateful tracking and full NAT support • In-extremis IPv6 support 

netfilter project • ’Rusty’ Russel developed iptables and funded Netfilter project • Netfilter coreteam was created to consolidate the community 

netfilter features • Filtering (internal state, protocol fields) • Connection tracking (stateful, helpers for FTP, …) • Network address translation (source & destination) 

netfilter components • Filtering component (accept, block, transform) • Connection tracking component • analyze traffic • maintain flow table • iptables (configuration tools and kernel interface) 

evolution via nfnetlink • low-level library for netfilter related kernel/userspace communication • First major evolution of Netfilter (Linux 2.6.14, 2005) • NFLOG: enhanced logging system • NFQUEUE: improved userspace decision system • NFCT: get information and update connection tracking entries • Another talk on it’s own 

New components • conntrack-tools / conntrackd • connection tracking replication daemon • The userspace daemon conntrackd can be used to enable high availability of cluster-based stateful firewalls • conntrack: command line tool to update and query connection tracking • ulogd2 • logging daemon • handle packets and connections logging 

latest changes • nfacct • efficient accounting system / a easy and efficient way to gather network statistics • first appeared in 2012 • ipset • efficient set handling • Address lists or more complex sets • Included in “Vanilla” kernel since 2011 (2.6.39) 

nftables • Initially developed 2008 • Revived and updated 2012 • Funding by Sophos / Astaro • Inspired by Berkeley Packet Filter • Google summer of code 2013 project 

nftables ! • New filtering system • iptables and filtering infrastructure replaced • No changes in hooks, connection tracking, helpers • New ruleset language • based in a grammar • accessible from a library 

architecture ! • Kernel • Tables: declared by user, attached to hook • User interface: nfnetlink socket (ADD, DELETE, DUMP) • Userspace • libmnl: low-level netlink interaction • libnftables: library handling low-level interaction with nftables Netlink’s API • nftables: command line utility to maintain ruleset 

building nftables ! • Libraries • libmnl: git://git.netfilter.org/libmnl • libnftables: http://git.netfilter.org/libnftnl/ libtoolize --force • $ aclocal • $ autoheader • $ automake --force-missing --add-missing • $ autoconf • Nftables • git://git.netfilter.org/nftables • Kernel • >= 3.13 

basic usage example ! root@nftablesbox:~/code/nftables# nft -f files/nftables/ipv4-filter root@nftablesbox:~/code/nftables# nft add rule ip filter output ip daddr 1.2.3.4 counter drop root@nftablesbox:~/code/nftables# nft list table filter 

complex usage example ! set web_servers { type ipv4_address elements = { 192.168.1.15 , 192.168.1.5} }
 map admin_map { type ipv4_address => verdict elements = { 192.168.0.44 => jump log_me_tender , \ 192.168.0.42 => jump log_me_true , 192.168.0.33 => accept } }
 chain forward { ct state established accept ip daddr @web_servers tcp dport ssh ip saddr map @admin_map ip daddr @web_servers tcp dport http log accept ip daddr @web_servers tcp dport https accept counter log drop }
 chain log_me_tender { log limit 10/minute accept } chain log_me_true { counter log accept } 

Questions? http://www.netfilter.org/