nftables osd 2013 developer

5/28/2018 Nftables Osd 2013 Developer

1/13

Nftables strikes back

[email protected] Workshop 2013Copenhague, Denmark
mailto:[email protected]:[email protected]


2/13

nftables: ntro

Ne! kernel packet filtering frame!ork to replace iptables.

No changes in the core infrastructure:

Netfilter hooks

Connection "racking #$stem

N%"

Designe& from lessons learnt from iptables.

'ro(i&es back!ar& compatibilit$ infrastructure.

Nftables release& in )arch 200* b$ 'atrick )c+ar&$.

Currentl$ un&er acti(e &e(elopment.


3/13

Nftables: %rchitecture 'seu&ostate machine in kernelspace -similar to '/.

egisters: general purpose -12 bits long each 4 1 (er&ict.

'ro(i&es instruction set -can be e5ten&e&:

reg 6 pkt.pa$loa&7offset, len8

reg 6 imme&iate-(alue, len

reg 6 cmp-reg1, reg2, 9 reg 6 b$teor&er-reg1, N";+

reg 6 pkt.meta-mark

reg 6 -reg1 < mask = 5or

reg 6 lookup-set, reg1

reg 6 ct-reg1, state

Ne! e5tensions are implemente& using this instruction set.

Netlink interface: kernel > userspace-http:??1*.lsi.us.es?pablo?&ocs?spae.p&f


4/13

Nftables: kernel co&e

net?netfilter?nfAtableAapi.c -netlink interface

net?ip(?netfilter?nftAchainArouteAip(.c

net?netfilter?nfAtableAcore.c -packet matchingloop

net?netfilter?nftApa$loa&.c -e5tensions

net?netfilter?nftAcompat.c


5/13

Nftables: Commit operation

Beneration mask: 2 bits per rule

00 acti(e no!, acti(e in the ne5t generation

01 inacti(e no!, acti(e in the ne5t generation

10 acti(e no!, inacti(e in the ne5t generation -!ill be &elete&

Blobal generation counter can be 0 or 1.

"ransaction begin: open socket an& sen& rule !ith commit flag -o!n b$process, then a&& to chain list an& the &irt$ list.

"ransaction en&: sen& commit comman&, bump generation counter,iterate o(er the list

n the nftA&oAchain path:

#tore current generation counter before entering rule matching loop.

f rule is ainacti(e -unlikel$ skip.


6/13

Nftables: serspace co&e

ibnftables

src?table.c

src?chain.c

src?rule.c

src?e5pression?pa$loa&.c

ptablesnftables:

iptables?nft.c

iptables?nftip(.c


7/13

Nftables: /eatures

Backwardcompatible:

tilit$ &eri(ate& from iptables?ipEtables !ith same s$nta5.

Fou can use e5isting an& a&& ne! 5tables mo&ules.

No nee& to learn ne! utilities if $ou &onGt !ant to. No nee& for ne!&ocumentation. No nee& to up&ate $our scripts.

But also, new featureswithout breaking backwardcompatibility:

5tablese(ent : eporting changes in tables?chains?rules

etter incremental rule up&ate support: )atches internal state is not lost

9nable?&isable the chains per table that $ou !ant H more impro(ements for 5tables $et to comeI


8/13

Nftables: e5amples

#ho! iptableslike utilit$ in action.


9/13

JesperGs has &o!n to earth rulesets..

%roun& 100000 rules.

... in a fanout tree. rules per chain, eg.

1*2.1E.0.0?2 K chain1 1*2.1E.1.0?2 K chain2

1*2.1E.2.0?2 K chain3 1*2.1E.3.0?2 K chain H

Worst case: With iptables 0 rule comparison until finalaction.

With nftables, Jesper can arrange his ruleset using fastlookup &ata structures.


10/13

'en&ing tasks

ri&ge an& %' support.

;bLectoriente& high le(el librar$ for 5tables-o(er nftables &e(elopers.

%&& nati(e interface nfAtables to 5tAhashlimit.c-100M netlink.

Documentation.


11/13

nftables summar$

;ne single kernel frame!ork for packetfiltering allo!ing long term e(olution.

"!o userspace tools:

ack!ar& compatible utilit$: #ame s$nta5 4 same features 4 ne! features

Ne! utilit$:

Ne! s$nta5 4 more cool ne! features #till !ork in progress.


12/13

Nftables summar$ -2

Brab the co&e

ack!ar& compatible utilit$:

ernel: git:??git.netfilter.org?nftables

ibrar$: git:??git.netfilter.org?libnftables -reOuires libmnl serspace: git:??git.netfilter.org?iptablesnftables

Ne! utilit$:

ibrar$: git:??git.netfilter.org?libnlnft

serspace: git:??git.netfilter.org?nftables


13/13

Nftables strikes back

[email protected] Workshop 2013Copenhague, Denmark
mailto:[email protected]:[email protected]

nftables osd 2013 developer

Documents