Nftables Wiki:https://wiki.nftables.org/wiki-nftables/index.php/Main_Page
Nftables HowTo: https://farkasity.gitbooks.io/nftables-howto-zh/content/
第一次看到nftables还是在Centos 8 What's New中,于是就开始研究下nftables到底是什么? 提供什么功能? 如何使用?
What is nftables?
nftables is the new packet classification framework that replaces the existing {ip,ip6,arp,eb}_tables infrastructure.
Centos 8已将iptables替换为nftables,因此是时候学习nftables与iptables之间的差异。
Centos 8中Firewalld守护进程使用nftables作为默认后端,在Centos 7中使用的是iptables作为后端。
nftables简化了双堆栈IPv4/IPv6的管理,它提供了inet基链来允许同时管理IPv4和IPv6流量。
nftables基于链式布局比iptables数组布局有更好的性能。
nftables hook
跟netfilter一样,也有下面5个钩子,常用的也就 input/output/forward 三个hook。
Local process ^ | .-----------. .-----------. | | | Routing | | |-----> input / ---> | Decision |----> output --> prerouting --->| Routing | .-----------. | Decision | --> postrouting | | / .-----------.---------------> forward ---------------------------
Linux kernel 4.2 中新增了ingress hook,This new hook basically provides an alternative to tc ingress filtering. You still need tc for traffic shaping/queue management.
.-----------. | |-----> input ... ---> ingress ---> prerouting --->| Routing | | Decision | | | |-----------|-----> forward ...
nftables三个概念:
table - 指包含chain的一个容器, 没有特定语义
chain - 指包含在一个table里的rule容器
rule - 指包含在chain里的action
1、Table
table语法
$ nft list tables [<family>]
$ nft list table [<family>] <name> [-n] [-a]
$ nft (add | delete | flush) table [<family>] <name>
table语法示例
- 查询所有表
$ nft list tables
- 创建inet表
$ nft add table inet tb_01
- 查询指定表
$ nft list table tb_01 -an
- 删除表
$ nft delete table inet tb_01
- 清除表
$ nft flush table inet tb_01
2、Chain
Chian可以创建的Type:
- filter
- router
- nat
Family支持的Hook:
- ip/ipv6/inet: prerouting, input, forward, output, postrouting
- arp: input, output
- netdev: ingress
Priority 参考值:
- NF_IP_PRI_NAT_DST (-100): destination NAT
- NF_IP_PRI_FILTER (0): filtering operation, the filter table
- NF_IP_PRI_SECURITY (50): Place of security table where secmark can be set for example
- NF_IP_PRI_NAT_SRC (100): source NAT
Policy是控制Chian中Flow的默认判决语句:
- accept
- drop
- queue
- continue
- return
chain语法
$ nft (add | create) chain [<family>] <table> <name> [ { type <filter|router|nat> hook <hook> [device <device>] priority <priority> ; [policy <policy> ; ] } ]
$ nft (delete | list | flush) chain [<family>] <table> <name>
$ nft rename chain [<family>] <table> <name> <newname>
chain语法示例
- 在table中添加type为filter的input chian, 优先级为0,Policy默认的动作为 drop
$ nft add chain inet tb_01 chain_01_input { type filter hook input priority 0 ; policy drop ; }
- 在table中添加type为filter的output chian, 优先级为0,Policy默认的动作为 accept
$ nft add chain inet tb_01 chain_01_output { type filter hook input priority 0 ; policy accept ; }
3、Rules
handle is an internal number that identifies a certain rule.
position is an internal number that is used to insert a rule before a certain handle.
matches 和 statements 因为内容太多,请参考文档 https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes#Rules
rule语法
$ nft add rule [<family>] <table> <chain> <matches> <statements>
$ nft insert rule [<family>] <table> <chain> [position <position>] <matches> <statements>
$ nft replace rule [<family>] <table> <chain> [handle <handle>] <matches> <statements>
$ nft delete rule [<family>] <table> <chain> [handle <handle>]
rule示例 <更多示例 https://wiki.nftables.org/wiki-nftables/index.php/Simple_rule_management>
- 在chain里添加规则,开放22端口
$ nft add rule inet tb_01 chain_01_input tcp dport 22 accept
- 在chain里替换指定规则
$ nft replace rule inet tb_01 chain_01_input handle 2 tcp dport 22 drop
- 在chain里删除规则
$ nft delete rule inet tb_01 chain_01_input handle 2