Shulou(Shulou.com)06/01 Report--

This article is about how to use nftables in CentOS 8. The editor thinks it is very practical, so share it with you as a reference and follow the editor to have a look.

Nftables is a netfilter project designed to replace the existing {ip,ip6,arp,eb} tables framework and provide a new packet filtering framework, a new user space utility (nft), and a compatibility layer for {ip,ip6} tables. It uses existing hooks, link tracking systems, user space queuing components, and netfilter logging subsystems.

Nftables mainly consists of three components: kernel implementation, libnl netlink communication and nftables user space. The kernel provides a netlink configuration interface and runtime rule set evaluation, libnl contains basic functions for communicating with the kernel, and user space can interact with users through nft.

This article mainly introduces the usage of the user space command line tool nft.

1. Nftables VS iptables

Like iptables, nftables consists of table, chain, and rule, where the table contains the chain, the chain contains the rule, and the rule is the real action. Compared with iptables, nftables has the following main changes:

The layout of iptables rules is based on continuous chunks of memory, that is, array layouts, while nftables rules use chained layouts. In fact, it is the difference between arrays and linked lists, as if Kubernetes users should be excited about this?

Most of the work of iptables is done in kernel mode, so if you want to add new features, you can only recompile the kernel; while most of the work of nftables is done in user mode, adding new features is very easy, and there is no need to change the kernel.

Iptables has a built-in chain, and even if you only need one chain, other chains will follow, while nftables does not have a built-in chain, you can register as needed. Because iptables has a built-in packet counter, there is a performance penalty even if these built-in chains are empty.

Simplified IPv4/IPv6 dual stack management

Native support for collections, dictionaries and mappings

Going back to nftables, let's take a look at what the default rule set is:

$nft list ruleset

Nothing, there is no built-in chain (if you turn off the firewalld service).

two。 Create a tabl

Each table of nftables has only one address cluster and only applies to packets of that cluster. The table can specify one of the five clusters:

Nftables cluster iptables command line tools ipiptablesip6ip6tablesinetiptables and ip6tablesarparptablesbridgeebtables

Inet applies to both IPv4 and IPv6 packets, that is, unifying the ip and ip6 clusters, making it easier to define rules, and the following examples will use the inet cluster.

Create a new table first:

$nft add table inet my_table

List all the rules:

$nft list rulesettable inet my_table {}

Now that there are no rules in the table, you need to create a chain to hold the rules.

3. Create chain

Chains are used to hold rules, and like tables, chains need to be displayed and created, because nftables does not have built-in chains. There are two types of chains:

Regular chain: do not need to specify hook type and priority, can be used to jump, logically classify rules.

Basic chain: the entry point of the packet, you need to specify the hook type and priority.

Create a regular chain:

$nft add chain inet my_table my_utility_chain

Create a basic chain:

$nft add chain inet my_table my_filter_chain {type filter hook input priority 0\;}

The backslash (\) is used to escape so that shell does not interpret the semicolon as the end of the command.

Priority takes an integer value, which can be negative, and chains with smaller values take precedence.

List all the rules in the chain:

$nft list chain inet my_table my_utility_chaintable inet my_table {chain my_utility_chain {}} $nft list chain inet my_table my_filter_chaintable inet my_table {chain my_filter_chain {type filter hook input priority 0; policy accept;} 4. Create a rule

Once you have tables and chains, you can create rules that are made up of statements or expressions that are included in the chain. Add a rule that allows SSH to log in:

$nft add rule inet my_table my_filter_chain tcp dport ssh accept

Add means to add a rule to the end of the chain, and if you want to add a rule to the beginning of the chain, you can use insert.

$nft insert rule inet my_table my_filter_chain tcp dport http accept

List all rules:

$nft list rulesettable inet my_table {chain my_filter_chain {type filter hook input priority 0; policy accept; tcp dport http accept tcp dport ssh accept}}

Notice that the http rule precedes the ssh rule because insert was previously used.

You can also insert a rule at a specified location in the chain, and there are two ways:

1. Use index to specify the index of the rule. Add means that the new rule is added after the rule in the index location, and inser means that the new rule is added in front of the rule in the index location. The value of index increases from 0.

$nft insert rule inet my_table my_filter_chain index 1 tcp dport nfs accept$ nft list rulesettable inet my_table {chain my_filter_chain {type filter hook input priority 0; policy accept Tcp dport http accept tcp dport nfs accept tcp dport ssh accept}} $nft add rule inet my_table my_filter_chain index 0 tcp dport 1234 accept$ nft list rulesettable inet my_table {chain my_filter_chain {type filter hook input priority 0; policy accept; tcp dport http accept tcp dport 1234 accept tcp dport nfs accept tcp dport ssh accept}}

Index is similar to the-I option of iptables, but there are two points to note: one is that the value of index starts at 0; the other is that index must point to an existing rule, such as nft insert rule. Index 0 is illegal.

2. Use handle to specify the handle to the rule. Add means that the new rule is added after the rule in the index location, and inser means that the new rule is added in front of the rule in the index location. The value of handle can be obtained through the parameter-- handle.

$nft-- handle list rulesettable inet my_table {# handle 10 chain my_filter_chain {# handle 2 type filter hook input priority 0; policy accept Tcp dport http accept # handle 4 tcp dport 1234 accept # handle 6 tcp dport nfs accept # handle 5 tcp dport ssh accept # handle 3}} $nft add rule inet my_table my_filter_chain handle 4 tcp dport 1234 accept$ nft insert rule inet my_table my_filter_chain handle 5 tcp dport nfs accept$ nft-handle list rulesettable inet my_table {# handle 10 chain my_filter_chain {# handle 2 type filter hook input priority 0 Policy accept; tcp dport http accept # handle 4 tcp dport 2345 accept # handle 8 tcp dport 1234 accept # handle 6 tcp dport 3456 accept # handle 9 tcp dport nfs accept # handle 5 tcp dport ssh accept # handle 3}}

In nftables, the handle value is fixed unless the rule is deleted, which provides a stable index for the rule. The value of index is variable, and it is possible to change as long as new rules are inserted. It is generally recommended that you use handle to insert new rules.

You can also get the handle value of the rule when you create the rule, just add the parameters-- echo and-- handle when you create the rule.

$nft-- echo-- handle add rule inet my_table my_filter_chain udp dport 3333 acceptadd rule inet my_table my_filter_chain udp dport 3333 accept # handle 105. Delete a rule

A single rule can only be deleted through its handle. First, you need to find the rule handle you want to delete:

$nft-- handle list rulesettable inet my_table {# handle 10 chain my_filter_chain {# handle 2 type filter hook input priority 0; policy accept Tcp dport http accept # handle 4 tcp dport 2345 accept # handle 8 tcp dport 1234 accept # handle 6 tcp dport 3456 accept # handle 9 tcp dport nfs accept # handle 5 tcp dport ssh accept # handle 3 udp dport 3333 accept # handle 10}}

Then use the handle value to delete the rule:

$nft delete rule inet my_table my_filter_chain handle 8$ nft-- handle list rulesettable inet my_table {# handle 10 chain my_filter_chain {# handle 2 type filter hook input priority 0; policy accept Tcp dport http accept # handle 4 tcp dport 1234 accept # handle 6 tcp dport 3456 accept # handle 9 tcp dport nfs accept # handle 5 tcp dport ssh accept # handle 3 udp dport 3333 accept # handle 10}} 6. List Rul

The previous examples list all the rules, and we can also list some of the rules according to our own needs. For example:

List all the rules in a table:

$nft list table inet my_tabletable inet my_table {chain my_filter_chain {type filter hook input priority 0; policy accept; tcp dport http accept tcp dport 1234 accept tcp dport 3456 accept tcp dport nfs accept tcp dport ssh accept udp dport 3333 accept}}

List all the rules in a chain:

$nft list chain inet my_table my_other_chaintable inet my_table {chain my_other_chain {udp dport 12345 log prefix "UDP-12345"} 7. Set

Nftables's syntax natively supports collections that can be used to match multiple IP addresses, port numbers, network cards, or any other condition.

Anonymous collection

Collections are divided into anonymous collections and named collections. Anonymous collections are more suitable for rules that do not need to be changed in the future.

For example, the following rule allows traffic from hosts whose source IP is in the range of 10.10.10.123 to 10.10.10.231.

$nft add rule inet my_table my_filter_chain ip saddr {10.10.123,10.10.10.231} accept$ nft list rulesettable inet my_table {chain my_filter_chain {type filter hook input priority 0; policy accept Tcp dport http accept tcp dport nfs accept tcp dport ssh accept ip saddr {10.10.10.123, 10.10.10.231} accept}}

The disadvantage of anonymous collections is that if you need to modify the collection, you have to replace the rules. If you need to modify the collection frequently later, it is recommended to use named collections.

The rules added in the previous example can also be simplified through collections:

$nft add rule inet my_table my_filter_chain tcp dport {http, nfs, ssh} accept

> iptables can use collections with ipset, but nftables natively supports collections, so there is no need for ipset.

Named collection

Nftables also supports naming collections, which can be modified. To create a collection, you need to specify the type of its element. Currently, the supported data types are:

Ipv4_addr: IPv4 address

Ipv6_addr: IPv6 address

Ether_addr: Ethernet (Ethernet) addr

Inet_proto: network protocol

Inet_service: network servic

Mark: tag typ

First create an empty named collection:

$nft add set inet my_table my_set {type ipv4_addr\;} $nft list setstable inet my_table {set my_set {type ipv4_addr}}

To reference a collection when adding a rule, you can use the @ symbol to follow the name of the collection. The following rule indicates that the IP address in the collection my_set is added to the blacklist.

$nft insert rule inet my_table my_filter_chain ip saddr @ my_set drop$ nft list chain inet my_table my_filter_chaintable inet my_table {chain my_filter_chain {type filter hook input priority 0; policy accept Ip saddr @ my_set drop tcp dport http accept tcp dport nfs accept tcp dport ssh accept ip saddr {10.10.10.123,10.10.10.231} accept}}

Add elements to the collection:

$nft add element inet my_table my_set {10.10.10.22,10.10.10.33} $nft list set inet my_table my_settable inet my_table {set my_set {type ipv4_addr elements = {10.10.10.22,10.10.10.33}}

If you add an interval to the collection, you will get an error:

$nft add element inet my_table my_set {10.20.20.0-10.20.20.255} Error: Set member cannot be range, missing interval flag on declarationadd element inet my_table my_set {10.20.20.0-10.20.20.255} ^ ^

To use intervals in a collection, you need to add a flag interval, because the kernel must confirm in advance the type of data stored in the collection in order to adopt the appropriate data structure.

Support interval

Create a named collection that supports intervals:

$nft add set inet my_table my_range_set {type ipv4_addr\; flags interval$ nft add element inet my_table my_range_set {10.20.20.0 flags interval$ nft add element inet my_table my_range_set 24} $nft list set inet my_table my_range_settable inet my_table {set my_range_set {type ipv4_addr flags interval elements = {10.20.20.0} 24}

> the subnet mask representation will be implicitly translated into the range of IP addresses, or you can directly use the range 10.20.20.0-10.20.20.255 to achieve the same effect.

Cascade different types

Named collections also support cascading different types of elements through cascading operators. To separate. For example, the following rule can match the IP address, protocol, and port number at once.

$nft add set inet my_table my_concat_set {type ipv4_addr. Inet_proto. Inet_service\;} $nft list set inet my_table my_concat_settable inet my_table {set my_concat_set {type ipv4_addr. Inet_proto. Inet_service}}

Add elements to the collection:

$nft add element inet my_table my_concat_set {10.30.30.30. Tcp. Telnet}

The collection that references cascading types in the rule is the same as before, but you need to indicate where each element in the collection corresponds to the rule.

$nft add rule inet my_table my_filter_chain ip saddr. Meta l4proto. Tcp dport @ my_concat_set accept

This means that if the source IP, protocol type, and destination port of the packet match 10.30.30.30, tcp, telnet, nftables will allow the packet to pass.

Anonymous collections can also use cascading elements, such as:

$nft add rule inet my_table my_filter_chain ip saddr. Meta l4proto. Udp dport {10.30.30.30. Udp. Bootps} accept

Now you should be able to understand the power of nftables collections.

Collections of nftables cascading types are similar to ipset aggregation types, such as hash:ip,port.

8. Dictionaries

Dictionary is an advanced feature of nftables, it can use different types of data and map matching conditions to a certain rule, and because of the way of hash mapping, it can perfectly avoid the performance overhead of chain rule jump.

For example, in order to logically separate the processing rules for TCP and UDP packets, you can use a dictionary so that the above requirements can be achieved through a rule.

$nft add chain inet my_table my_tcp_chain$ nft add chain inet my_table my_udp_chain$ nft add rule inet my_table my_filter_chain meta l4proto vmap {tcp: jump my_tcp_chain, udp: jump my_udp_chain} $nft list chain inet my_table my_filter_chaintable inet my_table {chain my_filter_chain {... Meta nfproto ipv4 ip saddr. Meta l4proto. Udp dport {10.30.30.30. Udp. Bootps} accept meta l4proto vmap {tcp: jump my_tcp_chain, udp: jump my_udp_chain}

Like collections, in addition to anonymous dictionaries, you can also create named dictionaries:

$nft add map inet my_table my_vmap {type inet_proto: verdict\;}

Add elements to the dictionary:

$nft add element inet my_table my_vmap {192.168.0.10: drop, 192.168.0.11: accept}

Later, you can reference the elements in the dictionary in the rule:

$nft add rule inet my_table my_filter_chain ip saddr vmap @ my_vmap9. Tables and namespaces

In nftables, each table is a separate namespace, which means that chains, collections, dictionaries, and so on in different tables can all have the same name. For example:

$nft add table inet table_one$ nft add chain inet table_one my_chain$ nft add table inet table_two$ nft add chain inet table_two my_chain$ nft list ruleset...table inet table_one {chain my_chain {}} table inet table_two {chain my_chain {}}

With this feature, different applications can manage the rules in their own tables without affecting each other, which cannot be done with iptables.

Of course, this feature also has drawbacks, because each table is treated as a separate firewall, so a packet must be released by the rules in all tables before it is really released, and even if table_one allows the packet to pass, the packet may still be rejected by table_two. To solve this problem, nftables introduces priority, and the higher the priority value, the lower the priority of the chain, so the chain with low priority value executes before the chain with high priority value. If the two chains have the same priority, they will enter a competitive state.

10. Backup and recovery

The rules in all the above examples are temporary. To take effect permanently, we can back up the rules and load them automatically after restarting. In fact, this is how nftables's systemd service works.

Backup rules:

$nft list ruleset > / root/nftables.conf

Load recovery:

$nft-f / root/nftables.conf

In CentOS 8, the rules for nftables.service are stored in / etc/nftables.conf, where some other sample rules for include are generally located in the / etc/sysconfig/nftables.conf file, but are commented out by default.

Thank you for reading! This is the end of this article on "how to use nftables in CentOS 8". I hope the above content can be of some help to you, so that you can learn more knowledge. if you think the article is good, you can share it for more people to see!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.