Pablo Nftables Osd Userday 2013

nftables is a new kernel packet filtering framework that will replace iptables. It provides a single framework for long term evolution while maintaining backward compatibility. nftables provides a new user-friendly utility and library for interacting with it from user-space in an object-oriented way. The new framework builds on lessons learned from iptables and aims to improve areas like incremental rule updates and reporting of table/chain/rule changes.

nftables: a new packet filtering framework for Netfilter

[email protected] OSD 2013 Copenhagen, Denmark

nftables: Intro

New kernel packet filtering framework to replace iptables. No changes in the core infrastructure:

Netfilter hooks, Connection Tracking System, NAT

Designed from lessons learnt from iptables. Provides backward compatibility infrastructure. Nftables released in March 2009 by Patrick McHardy. Currently under active development.

nftables vs. iptables: Architecture

Pseudo-state machine in kernel-space (similar to BPF). Registers: 4 general purpose (128 bits long each) + 1 verdict. Provides instruction set (can be extended):

    reg = pkt.payload[offset, len]
    reg = immediate(value, len)
    reg = cmp(reg1, reg2, EQ)
    reg = byteorder(reg1, NTOH)
    reg = pkt.meta(mark)
    reg = (reg1 & mask) ^ xor
    reg = lookup(set, reg1)
    reg = ct(reg1, state)
    reg = lookup(set, data)

New extensions are implemented using this instruction set. Netlink interface: kernel <-> userspace (http://1984.lsi.us.es/~pablo/docs/spae.pdf)

nftables vs. iptables: Architecture

Extensions: matches and targets. New extensions are written in C:

1 Linux kernel module: xt_blah.c
1 libxt_blah.c file under the user-space iptables tree.

Limitations:

Binary array containing the rule-set. Communication kernel <-> userspace: use setsockopt()/getsockopt(). Poor incremental dynamic rule-set updates. Extending existing extensions.

nftables vs. iptables: Rule handling

Adding rule: match ip saddr 1.1.1.1 tcp dport 80, accept:

Step 1: Parse command line.
Step 2: Build rule from user-space using the instruction set:

    Reg1 = pkt.payload(offset(ip saddr), 4)
    Reg2 = immediate(1.1.1.1, 4)
    RegV = cmp(reg1, reg2, EQ)
    Reg1 = pkt.payload(offset(tcp dport), 2)
    Reg2 = immediate(80, 2)
    RegV = immediate(DROP)

    // implicit return if mismatch

Step 3: Convert that to netlink and pass the message with the code to the kernel.

Deleting rule:

Step 1: Dump rule-set (to check which one to delete).
Step 2: Delete by rule identifier.

nftables vs. iptables: Rule handling

Adding rule: match -s 1.1.1.1 -p tcp --dport 80, accept:

Step 1: Parse command line.
Step 2: Build rule match and target: use built-in source, tcp match and standard target.
Step 3: Get rule-set from kernel (binary), update it with the rule.
Step 4: Pass rule-set to kernel space via setsockopt().

Delete rule:

Step 1: Parse command line.
Step 2: Convert rule to binary.
Step 3: Dump existing ruleset (in binary).
Step 4: Find matching rule in ruleset (binary comparisons).
Step 5: If found, allocate new rule-set, build it and pass it to kernel-space.

Nftables vs. Iptables from the developer's view

Iptables provided no third party library. Libipt/libipt6? Probably, but you have to work with binary blobs. Nftables provides libnftables and will provide a high level library to work in an object oriented fashion.

nftables from userspace

Backward compatible:

Utility derived from iptables/ip6tables with the same syntax. You can use all existing xtables modules. You can still add new xtables extensions in the same fashion. No need to learn new utilities if you don't want to. No need for new documentation. No need to update your scripts.

But also, new features without breaking backward compatibility:

xtables-event: reporting changes in tables/chains/rules. Better incremental rule update support: matches' internal state is not lost. Enable/disable the chains per table that you want. More improvements for xtables yet to come.


nftables from userspace

New utility nft (still under work):

New syntax, new features. Fast lookups:

    tcp dport { 80 => accept, 22 => drop }
    ip daddr { 192.168.0.0/24 => jump chain1, 192.168.1.0/24 => jump chain2 }
    ip saddr . tcp dport { 1.1.1.1 . 80 => accept, 1.1.1.2 . 22 => drop }
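To make the register machine concrete, here is an added example (not from the slides or the nftables project) that models the architecture slide's instruction set in Python: payload, immediate, cmp with the implicit return on mismatch, and lookup on a concatenated key. It encodes the slide's "ip saddr 1.1.1.1 tcp dport 80" rule and the "ip saddr . tcp dport" map above; packets, field offsets and the `run`/`evaluate` helpers are constructed for the model.

```python
"""Toy model of the nftables register machine from the slides (added example, not
the project's code): payload/immediate/cmp/lookup instructions plus a verdict."""
import ipaddress

# Stand-in for pkt.payload[offset, len]: header field -> (packet key, length).
FIELDS = {"ip saddr": ("saddr", 4), "tcp dport": ("dport", 2)}

def to_bytes(value, length):
    """Encode an IPv4 string or an integer in network byte order."""
    if isinstance(value, str):
        return ipaddress.ip_address(value).packed
    return value.to_bytes(length, "big")

def run(program, pkt):
    """Execute one rule. Returns its verdict, or None when a cmp or lookup
    mismatched, in which case the machine leaves the rule early."""
    regs = {}
    for op, *args in program:
        if op == "payload":                 # reg = pkt.payload[offset, len]
            key, length = FIELDS[args[1]]
            regs[args[0]] = to_bytes(pkt[key], length)
        elif op == "immediate":             # reg = immediate(value, len)
            regs[args[0]] = to_bytes(args[1], args[2])
        elif op == "cmp":                   # cmp(reg1, reg2, EQ)
            if regs[args[0]] != regs[args[1]]:
                return None                 # implicit return if mismatch
        elif op == "lookup":                # regV = lookup(map, reg1 . reg2)
            key = b"".join(regs[r] for r in args[1])
            if key not in args[0]:
                return None
            return args[0][key]
        elif op == "verdict":               # regV = immediate(DROP)
            return args[0]
    return None

def evaluate(chain, pkt, policy="accept"):
    """Walk a chain rule by rule; the first verdict wins, else the policy."""
    verdicts = (run(rule, pkt) for rule in chain)
    return next((v for v in verdicts if v is not None), policy)

# Rule from the slides: ip saddr 1.1.1.1 tcp dport 80 -> DROP.
DROP_RULE = [("payload", "reg1", "ip saddr"), ("immediate", "reg2", "1.1.1.1", 4),
             ("cmp", "reg1", "reg2"), ("payload", "reg1", "tcp dport"),
             ("immediate", "reg2", 80, 2), ("cmp", "reg1", "reg2"), ("verdict", "drop")]

# Concatenated map: ip saddr . tcp dport { 1.1.1.1 . 80 => accept, 1.1.1.2 . 22 => drop }
MAP = {to_bytes("1.1.1.1", 4) + to_bytes(80, 2): "accept",
       to_bytes("1.1.1.2", 4) + to_bytes(22, 2): "drop"}
MAP_RULE = [("payload", "reg1", "ip saddr"), ("payload", "reg2", "tcp dport"),
            ("lookup", MAP, ("reg1", "reg2"))]
```

The map rule needs one lookup for any number of entries, which is the "fast lookups" point of the slide, whereas the linear cmp chain grows with every address/port pair.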


nftables summary

One single kernel framework for packet filtering allowing long term evolution. Two userspace tools:

Backward compatible utility: same syntax + same features + new features.

New utility: new syntax + more cool new features. Still work in progress. There will be user-friendly documentation.

Nftables summary (2)

Grab the code

Kernel: git://1984.lsi.us.es/nftables

Backward compatible utility:

Library: git://1984.lsi.us.es/libnftables
User-space: git://1984.lsi.us.es/iptables-nftables

New utility:

Library: git://git.netfilter.org/libnl-nft
User-space: git://git.netfilter.org/nftables
