nftables - the evolution of Linux Firewall

NF TABLESNF TABLES
Marian HackMan Marinov
Chief System Architect of SiteGround.com
<mm@1h.com>

HistoryHistory
➢ ipfw
➢ ipchains
➢ iptables
➢ arptables
➢ ebtables
➢ nftables

nftablesnftables
➢ Replacement of iptables, ip6tables,
arptables & ebtables
➢ including ipset
➢ Remove the duplicated code from all
modules
➢ Simplify the dual stack(IPv4/6) handling
➢ ip, ip6, inet, arp & bridge address families

nftablesnftables
➢ Merged mainstream in October 2013,
available since January 2014 in Linux kernel
3.13.
➢ It reuses the existing Netfilter building
blocks: hooks, conntrack, NAT, logging and
userspace queueing.
➢ It also reuses existing xtables extensions
through nft compat.

nftables flownftables flow
Routing
Decision
Routing
Decision
Local
Process
prerouting
input
output
forward postrouting
NETWORK
NETWORK

Routing
Decision
Routing
Decision
Local
Process
prerouting
input
output
forward postrouting
NETWORK
NETWORKRouting
Decision
ingress
nftables flownftables flow
with ingress filterwith ingress filter

nftables vs. iptablesnftables vs. iptables
➢ Tables and chains are fully configurable
list
tables [family]
table [family] <name>
chain [family] <table> <name>
add
table [family] <name>
chain [family] <table> <name> [chain definitions]
rule [family] <table> <chain> <rule definition>
table [family] <name> (shortcut for `add table`)
Families:
ip - IPv4
ip6 - IPv6
inet - IPv4 or v6
arp - arp
bridge - linux bridge

➢ Tables are without any predefined purpose
➢ there are no raw, filter, nat & mangle tables

➢ Tables are without any predefined purpose
➢ there are no raw, filter, nat & mangle tables
➢ By default there are no chains
➢ if there is no chain that would match the packet
it will not be touched by netfilter code
➢ Every chain has a type:
➢ filter
➢ nat (only the first packet of a flow hits this chain)
➢ route (mangle)

HooksHooks
➢ Base chains are the ones that are attached
to hooks
➢ Non-base chains are used for ordering
➢ All available hooks:
➢ ingress
➢ input
➢ output
➢ forward
➢ prerouting
➢ postrouting

➢ No distinction between matches and targets
anymore
➢ no difference between ACCEPT and -s
# nft insert rule filter input ct state established accept
VS.
# iptables -I INPUT -j ACCEPT -m conntrack --ctstate
ESTABLISHED

➢ You can specify several actions in one
single rule
# nft add rule filter forward tcp dport 22 log drop
VS.
# iptables -A FORWARD -p tcp --dport 22 -j LOG
# iptables -A FORWARD -p tcp --dport 22 -j DROP

➢ No built-in counter per chain and rules
➢ counters introduce delays in packet processing
➢ counters can be added to any chain using the
'counter' keyword
# nft add rule ip filter output ip daddr 1.2.3.4
counter drop

➢ New supported protocols without kernel
upgrades
➢ most of the logic in nftables is inside its
userspace
➢ it compiles the rules to VM bytecode in netlink
format and then it pushes this into the kernel via
the nftables Netlink API
➢ it provides generic set and map infrastructure

➢ Better support for dynamic ruleset updates
➢ iptables always replaces all rules
➢ even if you only delete one rule
➢ even if you only add one rule
➢ nftables uses linked-list to solve this issue

flush rulesetflush ruleset
table inet filter {table inet filter {
chain input {chain input {
type filter hook input priority 0; policy drop;type filter hook input priority 0; policy drop;
# established/related connections# established/related connections
ct state established,related acceptct state established,related accept
# invalid connections# invalid connections
ct state invalid dropct state invalid drop
# loopback interface# loopback interface
iif lo acceptiif lo accept

# ICMP# ICMP
# routers may also want: mld-listener-query, nd-router-solicit# routers may also want: mld-listener-query, nd-router-solicit
ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big,ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big,
time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-
neighbor-advert } acceptneighbor-advert } accept
ip protocol icmp icmp type { destination-unreachable, router-advertisement,ip protocol icmp icmp type { destination-unreachable, router-advertisement,
time-exceeded, parameter-problem } accepttime-exceeded, parameter-problem } accept
# SSH (port 22)# SSH (port 22)
tcp dport ssh accepttcp dport ssh accept
# HTTP (ports 80 & 445)# HTTP (ports 80 & 445)
tcp dport { http, https } accepttcp dport { http, https } accept
}}
}}

➢ Basic Jump example:Basic Jump example:
table inet filter {table inet filter {
chain web {chain web {
tcp dport http accepttcp dport http accept
tcp dport 8080 accepttcp dport 8080 accept
}}
chain input {chain input {
type filter hook input priority 0;type filter hook input priority 0;
ip saddr 10.0.2.0/24 jump webip saddr 10.0.2.0/24 jump web
dropdrop
}}
}}

InterestingInteresting
➢ Concatenated Value Pairs
# nft add element traffic-filter dict { 192.168.0.1 :
drop, 192.168.0.2 : accept }
➢ Easy Data Export
# nft export json
➢ Multiple Actions
# nft add rule ip filter input ip protocol vmap
{ tcp : jump tcp-chain, udp : jump udp-chain,
icmp : jump icmp-chain }

JumpsJumps
➢accept (accept a packet)
➢reject (reject a packet)
➢drop (drop a packet)
➢snat (perform source NAT on a packet)
➢dnat (perform destination NAT on a packet)
➢log (log a packet)
➢counter (keep a counter on a packet; counters are
optional in nftables)
➢return (stop traversing the chain)
➢jump <chain> (jump to another chain)
➢goto <chain> (jump to another chain, but do not return)

Match argumentsMatch arguments
meta:
oif <output interface INDEX>
iif <input interface INDEX>
oifname <output interface NAME>
iifname <input interface NAME>
(oif and iif accept string arguments and are
converted to interface indexes)
(oifname and iifname are more dynamic, but
slower because of string matching)

icmp:
type <icmp type>
icmpv6:
type <icmpv6 type>
ip:
protocol <protocol>
daddr <destination address>
saddr <source address>
ip6:
daddr <destination address>
saddr <source address>

tcp:
dport <destination port>
sport <source port>
udp:
dport <destination port>
sport <source port>
ct:
state <new | established | related | invalid>

Load BalancingLoad Balancing
IPv4 performanceIPv4 performance
method req/sec %cpu
LVS-SNAT 313427.91 24.11
NFT-SNAT 289035.54 23.2
NFT-DNAT 303356.59 23.12
LVS-DSR 356212.05 4.78
NFT-DSR 393672.35 0.54
DSR - Direct Server Return
SLB - Server Load Balancing(SNAT/DNAT)

Kernel configurationKernel configuration
[*] Networking support --->
Networking options --->
[*] Network packet filtering framework (Netfilter) --->
Core Netfilter Configuration --->
<M> Netfilter nf_tables support
<M> Netfilter nf_tables conntrack module
<M> Netfilter nf_tables counter module
<M> Netfilter nf_tables log module
<M> Netfilter nf_tables limit module
<M> Netfilter nf_tables masquerade support
<M> Netfilter nf_tables nat module
IP: Netfilter Configuration --->
<M> IPv4 nf_tables support
<M> IPv4 nf_tables route chain support
<M> IPv4 packet rejection
<M> IPv4 NAT
<M> IPv4 nf_tables nat chain support
<M> IPv4 masquerade support
<M> IPv4 masquerading support for nf_tables

Marian HackMan Marinov <mm@1h.com>
hackman @ irc.freenode.net
https://github.com/hackman

nftables - the evolution of Linux Firewall

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to nftables - the evolution of Linux Firewall (20)

More from Marian Marinov (20)

Recently uploaded (20)

nftables - the evolution of Linux Firewall