Netfilter Releases Nftables 1.0
  • Netfilter Releases Nftables 1.0

    Phoronix: Netfilter Releases Nftables 1.0

    The Netfilter project has announced the release of Nftables 1.0.0 for their user-space code for interfacing with the Linux kernel's Nftables subsystem for network filtering and classification...

    https://www.phoronix.com/scan.php?pa...x=Nftables-1.0

  • #2
    I like NFTables better than IPTables. Why? Because I use variables/aliases. Example:

    Code:
    define External = ethbr0;
    define Internal = { ethbr10, ethbr20, ethbr30, vmbr0 };
    define Router = { 172.20.0.0/30 };
    define EngeniusAPs = { 172.20.0.8/29 };

    table inet filter {
        chain INPUT {
            type filter hook input priority filter;
            policy drop;
            ip6 nexthdr icmpv6 accept;
            iif ethbr0 ip daddr 172.20.0.1 ip protocol icmp accept;
            iif ethbr10 ip daddr { 172.20.1.1, 172.20.16.1 } ip protocol icmp accept;
            ip saddr 172.20.5.4 ip daddr 172.20.5.1 ip protocol icmp accept;
            iif vmbr0 ip daddr { 172.20.0.1, 172.20.16.1 } ip protocol icmp accept;
            ip saddr 172.20.16.4 accept;
            iif lo accept;
            ct state established,related accept;
            # variables defined above expand into interface-name sets here
            iifname $External tcp dport { 53, 32482, 1022 } accept;
            iifname $Internal udp dport 53 accept;
            iifname { $External, $Internal } udp dport 123 accept;
            iifname { $External, $Internal } tcp dport 123 accept;
            iif { ethbr10, vmbr0 } tcp dport { 53, 32482, 1022 } accept;
            iif { ethbr10, vmbr0 } udp dport { 123 } accept;
        }

        chain forward {
            type filter hook forward priority 0;
            policy accept;
            iif { ethbr0, ethbr10 } oif ethbr30 accept;
            iif ethbr30 oif { ethbr0, ethbr10 } accept;
            ip saddr $EngeniusAPs oifname $Internal drop;
            iifname $Internal ip daddr $EngeniusAPs drop;
            iif { ethbr0, ethbr10, vmbr0 } ip daddr 172.20.5.4/30 accept;
            iif ethbr10 ip daddr 172.20.5.12/30 accept;
            ip saddr 172.20.5.4/30 oif { ethbr0, ethbr10, vmbr0 } accept;
            ip saddr 172.20.5.12/30 oif ethbr10 ct state established,related accept;
        }
    }
    Unfortunately, VBulletin removed leading spaces that are used for indentation between { and }.
    Last edited by GraysonPeddie; 19 August 2021, 10:00 PM.

    Comment


    • #3
      I don't use nftables because it has terrible problems with ipsets, for example a 1MB list of addresses consumes 1GB of memory. Apparently something to do with how nftables manages addresses in memory. Which makes nftables impossible to use since I've got a 5MB ipset of blocked addresses.

      Comment
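      For comparison with the ipset-style blocklist discussed in this post, below is how a plain-text address blocklist can be turned into an nftables named set and loaded in one transaction. This is an added example written for this page; it is not code from any poster in the thread or from the Netfilter project, and it makes no claim either way about the memory usage reported above. The table, set and interface names (`filter`, `blocklist4`, `eth0`) and the sample blocklist contents are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): build an nftables named set from a
# plain-text blocklist and load the whole ruleset atomically with "nft -f".
# Table/set/interface names and the blocklist contents are assumptions.

WAN="${WAN:-eth0}"

# Constructed sample blocklist: comments, blank lines, bare IPv4 addresses,
# CIDR prefixes and a duplicate, the way public blocklists usually look.
sample_blocklist() {
    cat <<'EOF'
# example blocklist (constructed data)
198.51.100.0/24
203.0.113.7

192.0.2.0/25   # trailing comment
203.0.113.7
EOF
}

# Normalise stdin: strip comments and whitespace, keep only IPv4 addresses or
# prefixes, give bare addresses a /32, and drop duplicates.
normalize_blocklist() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' \
      | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' \
      | sed -e '/\//!s#$#/32#' \
      | sort -u
}

# Render a complete ruleset from the blocklist on stdin. "flags interval"
# lets the set hold prefixes; because the rule references a named set, it
# can later be changed with "nft add element" / "nft delete element"
# without reloading the rest of the ruleset.
render_ruleset() {
    list=$(normalize_blocklist)
    cat <<EOF
flush ruleset
define wan = $WAN
table inet filter {
    set blocklist4 {
        type ipv4_addr
        flags interval
        auto-merge
        elements = { $(printf '%s' "$list" | paste -s -d ',' -) }
    }
    chain input {
        type filter hook input priority filter; policy drop;
        iif lo accept
        ct state established,related accept
        iifname \$wan ip saddr @blocklist4 drop
        icmp type echo-request accept
    }
}
EOF
}

# "nft -c -f" parses and checks the file without committing anything;
# "nft -f" then applies the file as a single transaction.
apply() {
    tmp=$(mktemp) || exit 1
    render_ruleset >"$tmp"
    nft -c -f "$tmp" && nft -f "$tmp"
    rm -f "$tmp"
}

case "${1:-}" in
    apply) sample_blocklist | apply ;;
    *)     sample_blocklist | render_ruleset ;;
esac
```

      Run it with no arguments to print the generated ruleset for review; `apply` (as root) checks it with `nft -c -f` before loading. To use a real list, replace `sample_blocklist` with `cat /path/to/list`.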


      • #4
        I still use iptables too. It's the same to the kernel anyway. Ipsets are nicer than nft equivalents. In nft some words mean different things depending on where they are written. This is bad UX!

        Anyways I use variables with iptables, so that's nothing new.

        Comment


        • #5
          Originally posted by bash2bash View Post
          I don't use nftables because it has terrible problems with ipsets, for example a 1MB list of addresses consumes 1GB of memory. Apparently something to do with how nftables manages addresses in memory. Which makes nftables impossible to use since I've got a 5MB ipset of blocked addresses.
          Did you report this to netfilter bugzilla https://bugzilla.netfilter.org/ ?
          I searched it and didn't find this issue.
          Maybe they'll have a chance to fix it.

          Comment


          • #6
            Originally posted by oibaf View Post
            Did you report this to netfilter bugzilla https://bugzilla.netfilter.org/ ?
            I searched it and didn't find this issue.
            Maybe they'll have a chance to fix it.
            I only found someone who reported it to firewalld github issues, but there was no real interest to fix anything, some people just confirmed there is a memory issue with nftables.

            Even if someone reported it today, it would take a year before it reached us normal users, I guess people just use iptables and that solves the problem.

            Comment


            • #7
              Originally posted by bash2bash View Post
              I only found someone who reported it to firewalld github issues, but there was no real interest to fix anything, some people just confirmed there is a memory issue with nftables.

              Even if someone reported it today, it would take a year before it reached us normal users, I guess people just use iptables and that solves the problem.
              Why should firewalld devs fix a bug that is in nftables?

              It should be reported to the nftables bug tracker.

              Comment


              • #8
                I switched to iptables a long time ago, so I don't really follow who reports where. Since iptables is working fine, there is nothing to report.

                Comment


                • #9
                  Just a tip, if you want scripting with iptables. Use a bash script that renders iptables-save format and pipe its output to iptables-restore. It's atomic and you can use bash functions, variables and what else you want, including powerful ipsets.

                  I use ipsets for allow tcp/udp ports. Makes it possible to dynamically add/remove ports without reloading iptables.

                  Comment
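                  The render-then-restore pattern described in this post, as an added example that is not the poster's own script: shell variables and a small helper function emit an iptables-save-format ruleset, an ipset holds the TCP port allow-list so ports can be added or removed at runtime, and `iptables-restore --test` validates the output before the real `iptables-restore` commits it in one step. Interface names (`eth0`, `br0`), the ipset name `allowed_tcp_ports` and the port numbers are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): render an iptables-save ruleset from
# shell variables/functions and load it atomically with iptables-restore.
# Interface names, ports and the ipset name are assumptions for illustration.

WAN="${WAN:-eth0}"
LAN="${LAN:-br0}"
ALLOW_SET="allowed_tcp_ports"          # hypothetical ipset name
TCP_PORTS="22 443 32482"               # illustrative ports

# ipset definition in "ipset save/restore" format. A port set lets ports be
# added/removed later with "ipset add/del" without touching iptables.
render_ipset() {
    printf 'create %s bitmap:port range 1-65535 -exist\n' "$ALLOW_SET"
    for p in $TCP_PORTS; do
        printf 'add %s %s -exist\n' "$ALLOW_SET" "$p"
    done
}

# Helper: emit one rule line, so the table body reads like a policy.
rule() { printf '%s\n' "-A $*"; }

# iptables-save format: table header, chain policies, rules, COMMIT.
render_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
EOF
    rule INPUT -i lo -j ACCEPT
    rule INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    rule INPUT -m conntrack --ctstate INVALID -j DROP
    rule INPUT -p icmp -j ACCEPT
    # The port allow-list lives in the ipset, so changing it needs no reload.
    rule INPUT -i "$WAN" -p tcp -m set --match-set "$ALLOW_SET" dst -j ACCEPT
    rule INPUT -i "$LAN" -p udp --dport 53 -j ACCEPT
    rule FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
    rule FORWARD -i "$WAN" -o "$LAN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    echo COMMIT
}

# Create the set first (the rules reference it), dry-run the ruleset with
# --test, then commit. iptables-restore replaces the whole table in one
# transaction, so there is never a half-loaded ruleset.
apply() {
    render_ipset | ipset restore
    render_rules | iptables-restore --test && render_rules | iptables-restore
}

case "${1:-}" in
    apply) apply ;;
    ipset) render_ipset ;;
    *)     render_rules ;;
esac
```

                  With no arguments the script only prints the rendered ruleset, which is handy for diffing against `iptables-save` output before running `apply` as root.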


                  • #10
                    Unfortunately you cannot check the status of iptables without root privileges.
                    Is this fixed in nftables?

                    Maybe ufw should add support for nftables.
                    When I do "ufw status" I cannot check status, I must do "sudo ufw status" and type in password to see if it is enabled or disabled. 😢

                    Comment
