nftables wiki documentation updates

The Netfilter Team takes the documentation of the nftables project, maintained in its wiki, very seriously.

I’ve dedicated several hours to maintaining these pages:

Supported features compared to xtables

List of available translations via iptables-translate tool

Quick reference-nftables in 10 minutes

Configuring chains

Conntrack translation to nft

One more translation for the conntrack expression.

extensions: libxt_conntrack: Add translation to nft

This patch surfaced an issue with inverted lists of bitmask values: the nft syntax parser returns an error when an inverted list of conntrack states is passed to nft.

 $ nft add rule ip filter INPUT ct state != new,related counter accept
 <cmdline>:1:41-41: Error: syntax error, unexpected comma, expecting end of file or newline or semicolon
 add rule ip filter INPUT ct state != new,related counter accept
                                         ^

After several days of work on this issue I sent a patch that makes the parser accept it, but the bytecode it generates does not seem correct.

 nft --debug=netlink add rule ip filter INPUT ct state != new,related,established,untracked counter accept
 ip filter INPUT
   [ ct load state => reg 1 ]
   [ cmp neq reg 1 0x0000004e ]
   [ counter pkts 0 bytes 0 ]
   [ immediate reg 0 accept ]

It should be something like:

 nft --debug=netlink add rule ip filter INPUT ct state new,related,established,untracked
 ip filter INPUT
   [ ct load state => reg 1 ]
   [ bitwise reg 1 = (reg=1 & 0x0000004e ) ^ 0x00000000 ]
   [ cmp eq reg 1 0x00000000 ]
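To see why the first sequence is wrong, the following Python is an added example (not code from this post or from the nftables project) that models both netlink sequences with plain integers, using the flag bits nftables assigns to `ct state` (the four states listed OR together to the `0x4e` seen in the debug output). It assumes, as the expected listing above does, that the correct inverted match masks the state word and compares the result with zero.

```python
"""Simulate the two netlink bytecode sequences for the inverted conntrack
state match 'ct state != new,related,established,untracked'.

Added example, not code from the post or from nftables: it models the
expressions printed by 'nft --debug=netlink' with plain Python integers so
the behaviour of both sequences can be compared offline.
"""

# Flag bits nftables uses for 'ct state' (the kernel's NF_CT_STATE_* bits);
# OR-ing the four states from the post gives 0x4e.
CT_STATE = {
    "invalid": 0x01,
    "established": 0x02,
    "related": 0x04,
    "new": 0x08,
    "untracked": 0x40,
}


def state_mask(names: str) -> int:
    """OR together the flag bits of a comma-separated ct state list."""
    mask = 0
    for name in names.split(","):
        mask |= CT_STATE[name.strip()]
    return mask


def eval_cmp_neq(ct_state: int, mask: int) -> bool:
    """Sequence the patch generated (the wrong one):
        [ ct load state => reg 1 ]
        [ cmp neq reg 1 MASK ]
    It matches whenever the state word differs from the whole mask, which is
    true for every real packet, since a connection has one state bit set."""
    reg1 = ct_state
    return reg1 != mask


def eval_bitwise_cmp_eq_zero(ct_state: int, mask: int) -> bool:
    """Sequence the post expects:
        [ ct load state => reg 1 ]
        [ bitwise reg 1 = (reg=1 & MASK ) ^ 0x00000000 ]
        [ cmp eq reg 1 0x00000000 ]
    It matches only when none of the listed state bits is set."""
    reg1 = ct_state
    reg1 = (reg1 & mask) ^ 0x00000000
    return reg1 == 0


def matching_states(evaluator, mask: int) -> list:
    """Names of the single-bit ct states for which the evaluator matches,
    i.e. which packets would reach 'counter accept'."""
    return sorted(name for name, bit in CT_STATE.items()
                  if evaluator(bit, mask))


if __name__ == "__main__":
    mask = state_mask("new,related,established,untracked")
    print(f"mask = {mask:#010x}")  # 0x0000004e as in the debug output
    for evaluator in (eval_cmp_neq, eval_bitwise_cmp_eq_zero):
        print(f"{evaluator.__name__:>26}: accepts "
              f"{matching_states(evaluator, mask)}")
```

Run stand-alone, the script shows that the `cmp neq` sequence accepts packets in every state (including `new`), because no single state word ever equals `0x4e`, while the bitwise sequence accepts only `invalid`, the one state not in the list; that is exactly the semantics `!=` on a flag list should have.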

I’ll be working further on this issue. To be continued…

Translation phase passed

The iptables to nftables translation patches released so far are the following:

extensions: libxt_ipcomp: Add translation to nft

extensions: libip6t_hbh: Add translation to nft

extensions: libxt_multiport: Add translation to nft

extensions: libxt_dscp: Add translation to nft

extensions: libip6t_frag: Add translation to nft

extensions: libxt_cgroup: Add translation to nft

And some other documentation fixes in the nftables package:

doc: fix compression parameter index

doc: fix old parameters and update datatypes

doc: Update datatypes

Sets and ranges of numbers in nftables

One of the things I learned while translating the iptables multiport match to the native port handling of nft is that port ranges and sets differ in both syntax and meaning.

For example, a port range in iptables could be written as:

$ sudo iptables-translate -t filter -A INPUT -p tcp -m multiport --dports 80:88 -j ACCEPT

The translation to nft is:

nft add rule ip filter INPUT ip protocol tcp tcp dport 80-88 counter accept

Or

nft add rule ip filter INPUT ip protocol tcp tcp dport { 80-88 } counter accept

But, by design, they mean very different things: the first form is a plain port range, while the second creates an anonymous set with a single element, which happens to be a port range.

In practice both work, but the first form fits better when there is just one port range.
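The rule that a single element should become a plain range and only a list of several elements a set is easy to state in code. The following Python is an added example written for this post, not the libxt_multiport translation code shipped with iptables; it assumes the nft output format shown above (`ip protocol` match, then the port match, then `counter` and the verdict) and the multiport limit of 15 ports, where a range counts as two.

```python
"""Illustrative translation of the iptables multiport port list into the
nft port syntax discussed above.

Added example, not the libxt_multiport xlate code from iptables: it
applies the rule that a single element is emitted as a plain port or
range, and only a list of several elements becomes an anonymous set.
"""

MULTIPORT_MAX_PORTS = 15  # iptables multiport limit; a range counts as two

_FIELD = {"dports": "dport", "sports": "sport"}


def translate_multiport(proto: str, spec: str, direction: str = "dports") -> str:
    """Translate the argument of 'multiport --dports/--sports' to an nft match.

    spec uses iptables syntax: comma-separated ports, ranges written 'lo:hi'.
    Returns e.g. 'tcp dport 80-88' or 'tcp dport { 80-88, 443 }'.
    """
    field = _FIELD[direction]
    elements, count = [], 0
    for item in spec.split(","):
        item = item.strip()
        if ":" in item:
            lo, hi = (int(p) for p in item.split(":", 1))
            if not 0 <= lo <= hi <= 65535:
                raise ValueError(f"invalid port range: {item}")
            elements.append(f"{lo}-{hi}")  # nft writes ranges with '-'
            count += 2
        else:
            port = int(item)
            if not 0 <= port <= 65535:
                raise ValueError(f"invalid port: {item}")
            elements.append(str(port))
            count += 1
    if not elements:
        raise ValueError("empty port list")
    if count > MULTIPORT_MAX_PORTS:
        raise ValueError(f"multiport accepts at most {MULTIPORT_MAX_PORTS} ports")
    if len(elements) == 1:
        # one port or one range: a plain match, no set needed
        return f"{proto} {field} {elements[0]}"
    # several elements: an anonymous set, matched by nft in a single lookup
    return f"{proto} {field} {{ {', '.join(elements)} }}"


def translate_rule(proto: str, spec: str, direction: str = "dports",
                   target: str = "accept", table: str = "filter",
                   chain: str = "INPUT") -> str:
    """Build the full nft command in the shape iptables-translate prints
    above (the 'counter' keeps iptables' per-rule packet/byte counters)."""
    match = translate_multiport(proto, spec, direction)
    return (f"nft add rule ip {table} {chain} ip protocol {proto} "
            f"{match} counter {target}")


if __name__ == "__main__":
    # Constructed inputs: the post's single range, then a mixed list.
    print(translate_rule("tcp", "80:88"))
    print(translate_rule("tcp", "80:88,443,8000:8080"))
```

The first call reproduces the post's `tcp dport 80-88` line exactly; the second yields `tcp dport { 80-88, 443, 8000-8080 }`, where a set is the right choice because several elements are matched at once.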

Pending nft translations

I’ve compiled a quick list of pending nft translations to work on this week. I hope to send many patches during the week to resolve a good part of them; follow the netfilter-devel mailing list for them!

libebt_802_3.c XLATE_PENDING
libebt_ip.c XLATE_PENDING
libebt_limit.c XLATE_PENDING
libebt_log.c XLATE_PENDING
libebt_mark.c XLATE_PENDING
libebt_mark_m.c XLATE_PENDING
libebt_nflog.c XLATE_PENDING
libip6t_DNPT.c XLATE_PENDING
libip6t_dst.c XLATE_PENDING
libip6t_eui64.c XLATE_PENDING
libip6t_frag.c XLATE_PENDING
libip6t_hbh.c XLATE_PENDING
libip6t_HL.c XLATE_PENDING
libip6t_ipv6header.c XLATE_PENDING
libip6t_NETMAP.c XLATE_PENDING
libip6t_SNPT.c XLATE_PENDING
libipt_CLUSTERIP.c XLATE_PENDING
libipt_ECN.c XLATE_PENDING
libipt_NETMAP.c XLATE_PENDING
libipt_TTL.c XLATE_PENDING
libipt_ULOG.c XLATE_PENDING
libxt_addrtype.c XLATE_PENDING
libxt_AUDIT.c XLATE_PENDING
libxt_bpf.c XLATE_PENDING
libxt_cgroup.c XLATE_PENDING
libxt_CHECKSUM.c XLATE_PENDING
libxt_CLASSIFY.c XLATE_PENDING
libxt_cluster.c XLATE_PENDING
libxt_connbytes.c XLATE_PENDING
libxt_connlabel.c XLATE_PENDING
libxt_connlimit.c XLATE_PENDING
libxt_CONNMARK.c XLATE_PENDING
libxt_CONNSECMARK.c XLATE_PENDING
libxt_CT.c XLATE_PENDING
libxt_dscp.c XLATE_PENDING
libxt_DSCP.c XLATE_PENDING
libxt_ecn.c XLATE_PENDING
libxt_hashlimit.c XLATE_PENDING
libxt_HMARK.c XLATE_PENDING
libxt_IDLETIMER.c XLATE_PENDING
libxt_ipcomp.c XLATE_PENDING
libxt_ipvs.c XLATE_PENDING
libxt_LED.c XLATE_PENDING
libxt_mangle.c XLATE_PENDING
libxt_MARK.c XLATE_PENDING
libxt_multiport.c XLATE_PENDING
libxt_nfacct.c XLATE_PENDING
libxt_osf.c XLATE_PENDING
libxt_physdev.c XLATE_PENDING
libxt_policy.c XLATE_PENDING
libxt_quota.c XLATE_PENDING
libxt_rateest.c XLATE_PENDING
libxt_RATEEST.c XLATE_PENDING
libxt_recent.c XLATE_PENDING
libxt_rpfilter.c XLATE_PENDING
libxt_SECMARK.c XLATE_PENDING
libxt_set.c XLATE_PENDING
libxt_SET.c XLATE_PENDING
libxt_socket.c XLATE_PENDING
libxt_standard.c XLATE_PENDING
libxt_statistic.c XLATE_PENDING
libxt_string.c XLATE_PENDING
libxt_SYNPROXY.c XLATE_PENDING
libxt_tcpmss.c XLATE_PENDING
libxt_TCPMSS.c XLATE_PENDING
libxt_TCPOPTSTRIP.c XLATE_PENDING
libxt_time.c XLATE_PENDING
libxt_tos.c XLATE_PENDING
libxt_TOS.c XLATE_PENDING
libxt_TPROXY.c XLATE_PENDING
libxt_TRACE.c XLATE_PENDING
libxt_u32.c XLATE_PENDING

nftables in 10 minutes

It’s difficult to find a suitable nftables reference: the existing ones are incomplete, out of date, or partially incorrect about the syntax.

For this reason, I’ve spent this week creating a full nftables Quick Reference (as quick as I could make it, since the set of nftables options is huge) called nftables in 10 minutes.

The idea is an “all in one” page about nftables. I hope it helps everyone who is getting started with nftables.

https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes

Compiling this reference allowed me to learn nftables more deeply and to appreciate how powerful the tool is.

Enjoy!

Internship just started!

The internship has begun, so I’m going to review the roadmap I proposed.

1) 23may – 3jun: Translate from iptables to nftables. Implementation of some missing translations.
2) 4jun – 17jun: Implementation of the nth extension in nftables.
3) 18jun – 9jul: Dynamically populated maps in nftables.
4) 9jul – 17jul: Store partial values into nft variables.
5) 18jul – 24jul: Holiday.
6) 25jul – 23aug: Monitoring daemon implementation for dynamic load balancing.

I’m going to start with the first step, improving some nftables documentation so that it can be published in the official wiki.