nftables, one year later
Éric Leblond
Stamus Networks
September 25, 2014
Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 1 / 40
1 Introduction
2 Nftables, an Iptables replacement
3 Nftables since last Kernel Recipes
4 The future
5 Conclusion
Éric Leblond
- Co-founder of Stamus Networks
  - Company providing a network probe based on Suricata
  - Focusing on bringing you the best of Suricata IDS technology
- Netfilter coreteam member
  - Work on kernel-userspace interaction
  - Kernel hacking
  - Ulogd2 maintainer
  - Port of the OpenOffice firewall to LibreOffice
Nftables
- A new filtering system
  - Replaces iptables and the filtering infrastructure
  - No changes in: hooks, connection tracking, helpers
- A new language
  - Based on a grammar
  - Accessible from a library
- Netlink based communication
  - Atomic modification
  - Notification system
A filtering based on a pseudo-state machine
- Inspired by BPF
  - 4 registers
  - 1 verdict
  - An extensive instruction set
- Add some magic?
    reg = pkt.payload[offset, len]
    reg = cmp(reg1, reg2, EQ)
    reg = pkt.meta(mark)
    reg = lookup(set, reg1)
    reg = ct(reg1, state)
- Easy creation of new matches
    reg1 = pkt.payload[offset_src_port, len]
    reg2 = pkt.payload[offset_dst_port, len]
    reg = cmp(reg1, reg2, EQ)
Architecture
- Kernel
  - Tables: declared by the user and attached to a hook
  - User interface: nfnetlink socket (ADD, DELETE, DUMP)
- Userspace
  - libmnl: low level netlink interaction
  - libnftnl: library handling low-level interaction with the nftables Netlink API
  - nftables: command line utility to maintain the ruleset
Dynamic chain loading
- Chains are created on demand
- Chains are created via a specific netlink message
- Non-user chains are:
  - Of a specific type
  - Bound to a given hook
- Current chain types
  - filter: filtering table
  - route: old mangle table
  - nat: network address translation table
From userspace syntax to kernel
- Converting user input
  - The operation is made via a netlink message
  - The userspace syntax must be converted
    - From a text message following a grammar
    - To a binary Netlink message
- Linearize
  - Tokenisation
  - Parsing
  - Evaluation
  - Linearization
From kernel to userspace syntax
- The kernel sends a netlink message
- It must be converted back to text
- Conversion
  - Delinearization
  - Postprocessing
  - Textify
- Example
    ip filter output 8 7
      [ payload load 4b @ network header + 16 => reg 1 ]
      [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ]
      [ cmp eq reg 1 0x00500fd9 ]
      [ counter pkts 7 bytes 588 ]
  is translated to:
    ip daddr 217.15.80.0/24 counter packets 7 bytes 588 # handle 8
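The two slides above describe the round trip between nft syntax and the kernel's register machine. The following is an added example, not code from the slides or from the nftables project: a toy model in which `ip daddr <CIDR>` is linearized into the four instructions shown, the program is executed over a constructed IPv4 header by a minimal register machine, and the instruction list is delinearized back to nft text. The instruction tuples, function names and the 20-byte header built with `make_ipv4_header` are assumptions made for illustration; only the `cmp eq` operator is modelled.

```python
"""Toy model of nftables linearize / execute / delinearize (added example)."""
import ipaddress
import struct

IPV4_DADDR_OFFSET = 16  # destination address sits 16 bytes into the IPv4 header


def linearize_ip_daddr(prefix):
    """'ip daddr <CIDR>' -> payload load, bitwise mask, cmp, counter.
    Address and mask are kept in network byte order; the debug output on the
    slide prints those four bytes as a little-endian word, which is why
    217.15.80.0 appears as 0x00500fd9 and /24 as 0x00ffffff."""
    net = ipaddress.IPv4Network(prefix, strict=False)
    addr = int.from_bytes(net.network_address.packed, "little")
    mask = int.from_bytes(net.netmask.packed, "little")
    return [
        ("payload", {"len": 4, "base": "network", "offset": IPV4_DADDR_OFFSET, "dreg": 1}),
        ("bitwise", {"sreg": 1, "dreg": 1, "mask": mask, "xor": 0}),
        ("cmp", {"sreg": 1, "op": "eq", "data": addr}),
        ("counter", {}),
    ]


def format_program(prog):
    """Render the instructions in the bracketed form used on the slide."""
    out = []
    for name, a in prog:
        if name == "payload":
            out.append(f"[ payload load {a['len']}b @ {a['base']} header + {a['offset']} => reg {a['dreg']} ]")
        elif name == "bitwise":
            out.append(f"[ bitwise reg {a['dreg']} = (reg={a['sreg']} & 0x{a['mask']:08x} ) ^ 0x{a['xor']:08x} ]")
        elif name == "cmp":
            out.append(f"[ cmp {a['op']} reg {a['sreg']} 0x{a['data']:08x} ]")
        elif name == "counter":
            out.append("[ counter ]")
    return out


def delinearize(prog):
    """Delinearization + postprocessing + textify for the one pattern modelled:
    payload(daddr) -> bitwise(mask) -> cmp(eq) becomes 'ip daddr <CIDR>'."""
    names = [n for n, _ in prog]
    if names[:3] != ["payload", "bitwise", "cmp"]:
        raise ValueError("unsupported program")
    payload, bitwise, cmp = (a for _, a in prog[:3])
    if payload["offset"] != IPV4_DADDR_OFFSET or payload["len"] != 4 or cmp["op"] != "eq":
        raise ValueError("only 'ip daddr' with an equality compare is modelled")
    addr = ipaddress.IPv4Address(cmp["data"].to_bytes(4, "little"))
    mask = ipaddress.IPv4Address(bitwise["mask"].to_bytes(4, "little"))
    net = ipaddress.IPv4Network(f"{addr}/{mask}")
    text = f"ip daddr {net.with_prefixlen}"
    if "counter" in names[3:]:
        text += " counter"
    return text


def make_ipv4_header(saddr, daddr):
    """Constructed 20-byte IPv4 header (sample input, not a captured packet)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       ipaddress.IPv4Address(saddr).packed,
                       ipaddress.IPv4Address(daddr).packed)


def run(prog, pkt, counter):
    """Execute one rule's program over a packet.  Returns True when every
    compare succeeded (the rule matched); a failed cmp ends the rule and the
    kernel would move on to the next rule in the chain."""
    regs = {}
    for name, a in prog:
        if name == "payload":
            off = a["offset"]
            regs[a["dreg"]] = int.from_bytes(pkt[off:off + a["len"]], "little")
        elif name == "bitwise":
            regs[a["dreg"]] = (regs[a["sreg"]] & a["mask"]) ^ a["xor"]
        elif name == "cmp":
            if regs[a["sreg"]] != a["data"]:
                return False
        elif name == "counter":
            counter["packets"] += 1
            counter["bytes"] += len(pkt)
    return True


if __name__ == "__main__":
    prog = linearize_ip_daddr("217.15.80.0/24")
    print("\n".join(format_program(prog)))
    stats = {"packets": 0, "bytes": 0}
    print(run(prog, make_ipv4_header("10.0.0.1", "217.15.80.37"), stats), stats)
    print("is translated to:", delinearize(prog))
```

The same generic payload/bitwise/cmp machinery serves any 4-byte field at any offset, which is the "no code dedicated to each match" point of the next slide: a match on the source port would differ only in the offset and length passed to the payload instruction.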
Simplified kernel code
- A limited in-kernel size
  - A limited set of operators and instructions
  - A state machine
  - No code dedicated to each match
    - One match on an address uses the same code as a match on a port
    - New matches are possible without kernel modification
- LOC count
  - 50000 LOC in userspace
  - only 7000 LOC in kernel-space
Less kernel updates
- Pseudo state machine instructions
  - Current instructions cover the needs found in the previous 10 years
  - New instructions require very limited code
- Development in userspace
  - A new match will not need a new kernel
  - The ICMPv6 implementation is a single userspace patch
Set handling
- Interests of sets
  - One single rule evaluation
  - Simple and readable ruleset
  - Evolution handling
- Anonymous set
    nft add rule ip global filter \
        ip daddr { 192.168.0.0/24, 192.168.1.4 } \
        tcp dport { 22, 443 } \
        accept
- Named set
    nft add set global ipv4_ad { type ipv4_address ; }
    nft add element global ipv4_ad { 192.168.1.4, 192.168.1.5 }
    nft delete element global ipv4_ad { 192.168.1.5 }
    nft add rule ip global filter ip saddr @ipv4_ad drop
Mapping
- Principle and interest
  - Associative mapping linking two notions
  - A match on the key triggers the use of the value
  - Using addresses, interfaces, verdicts
- Examples
  - Anonymous mapping:
    # nft add rule filter output ip daddr vmap \
        { 192.168.0.0/24 => drop, 192.168.0.1 => accept }
  - Named mapping:
    # nft -i
    nft> add map filter verdict_map { type ipv4_address => verdict ; }
    nft> add element filter verdict_map { 1.2.3.5 => drop }
    nft> add rule filter output ip daddr vmap @verdict_map
Usage example
    set web_servers {
        type ipv4_address
        elements = { 192.168.1.15, 192.168.1.5 }
    }
    map admin_map {
        type ipv4_address => verdict
        elements = { 192.168.0.44 => jump logmetender, \
                     192.168.0.42 => jump logmetrue, 192.168.0.33 => accept }
    }
    chain forward {
        ct state established accept
        ip daddr @web_servers tcp dport ssh ip saddr map @admin_map
        ip daddr @web_servers tcp dport { http, https } log accept
        counter log drop
    }
    chain logmetender {
        log limit 10/minute accept
    }
    chain logmetrue {
        counter log accept
    }
    }
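The set, mapping and usage-example slides above rest on one idea: a set or map element lookup costs a single rule evaluation, however many elements it holds. The following is an added example, not code from the slides or from the nftables project: a toy interval map built on a sorted list and one bisect per lookup, a set as the degenerate map, and the `chain forward` from the usage example evaluated rule by rule against constructed packets. Class and function names are assumptions, the kernel's hash and rbtree set types are not reproduced, and this toy rejects overlapping elements rather than modelling any kernel policy for them.

```python
"""Toy interval sets / verdict maps and the usage example's forward chain."""
import bisect
import ipaddress


class IntervalMap:
    """Sorted, non-overlapping address ranges, each carrying a value.
    Lookup is one bisect, independent of the number of elements."""

    def __init__(self, pairs):
        ranges = []
        for prefix, value in pairs:
            net = ipaddress.ip_network(prefix, strict=False)
            ranges.append((int(net.network_address), int(net.broadcast_address), value))
        ranges.sort()
        for (_, prev_hi, _), (lo, _, _) in zip(ranges, ranges[1:]):
            if lo <= prev_hi:
                raise ValueError("overlapping set elements")  # toy choice
        self.starts = [r[0] for r in ranges]
        self.ends = [r[1] for r in ranges]
        self.values = [r[2] for r in ranges]

    def lookup(self, addr):
        """Return the mapped value, or None when addr falls in no element."""
        a = int(ipaddress.ip_address(addr))
        i = bisect.bisect_right(self.starts, a) - 1
        if i >= 0 and a <= self.ends[i]:
            return self.values[i]
        return None

    def __contains__(self, addr):
        return self.lookup(addr) is not None


def interval_set(prefixes):
    """A set is a map whose values do not matter."""
    return IntervalMap((p, True) for p in prefixes)


SSH, HTTP, HTTPS = 22, 80, 443


def packet(saddr, daddr, dport, ct_state):
    """Constructed packet metadata (sample input, not a capture)."""
    return {"saddr": saddr, "daddr": daddr, "dport": dport, "ct_state": ct_state}


def forward_chain(pkt, web_servers, admin_map):
    """The 'chain forward' of the usage example, one rule after another.
    A map element hit yields that element's verdict; a miss means the rule
    does not match and evaluation continues with the next rule."""
    # ct state established accept
    if pkt["ct_state"] == "established":
        return "accept"
    # ip daddr @web_servers tcp dport ssh ip saddr map @admin_map
    if pkt["daddr"] in web_servers and pkt["dport"] == SSH:
        verdict = admin_map.lookup(pkt["saddr"])
        if verdict is not None:
            return verdict
    # ip daddr @web_servers tcp dport { http, https } log accept
    if pkt["daddr"] in web_servers and pkt["dport"] in {HTTP, HTTPS}:
        return "accept"
    # counter log drop
    return "drop"


# The set and the map declared in the usage example
WEB_SERVERS = interval_set(["192.168.1.15", "192.168.1.5"])
ADMIN_MAP = IntervalMap([
    ("192.168.0.44", "jump logmetender"),
    ("192.168.0.42", "jump logmetrue"),
    ("192.168.0.33", "accept"),
])

if __name__ == "__main__":
    for p in (packet("192.168.0.42", "192.168.1.5", SSH, "new"),
              packet("10.0.0.1", "192.168.1.5", SSH, "new"),
              packet("10.0.0.1", "192.168.1.5", HTTPS, "new")):
        print(p, "->", forward_chain(p, WEB_SERVERS, ADMIN_MAP))
```

The anonymous set `{ 192.168.0.0/24, 192.168.1.4 }` from the set slide works the same way, mixing a prefix and a single address in one `interval_set`; a prefix is simply a range whose start and end differ.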
Sexy trailer
- The video: http://youtu.be/fUTgQw75ikA
- Video generation
  - Video generated with gource
  - Various git histories have been merged
  - File paths have been prefixed with the project name
Documentation
- Man page
  - Complete description of nft
  - Man page style: lots of things, concise description
  - A few things missing
- A wiki
  - Only a howto for now: http://wiki.nftables.org/
  - Still incomplete but good documentation
  - Want to contribute? Ask on the Netfilter mailing list to get an account
IPv4 and IPv6 filtering
- Don't mix the old and the new
  - Tables are defined relative to an IP space
  - Must declare a table
    - for each protocol
    - for each chain/hook
- Basic filtering chains
    table filter {
        chain input { type filter hook input priority 0; }
        chain forward { type filter hook forward priority 0; }
        chain output { type filter hook output priority 0; }
    }
    table ip6 filter {
        chain input { type filter hook input priority 0; }
        chain forward { type filter hook forward priority 0; }
        chain output { type filter hook output priority 0; }
    }
Handling of IPv4 and IPv6
Inet filtering
- Kernel side
  - Introduce a new NFPROTO_INET family
  - Realize the dispatch later, based on the effective family
  - Activate IPv4 and IPv6 features when needed
- Example
    table inet filter {
        chain input {
            type filter hook input priority 0;
            ct state established, related accept
            iif lo accept
            ct state new iif != lo tcp dport { ssh, 2200 } \
                tcp flags == syn counter \
                log prefix "SSH attempt " group 1 \
                accept
            ip saddr 192.168.0.0/24 tcp dport { 9300, 3142 } counter accept
            ip6 saddr 2a03:2880:2110:df07:face:b00c:0:1 drop
        }
    }
Result: easy handling of IPv4 and IPv6
Atomic ruleset update (1/2)
- Bring transactions to nftables
  - Update the ruleset at once
- Need transaction support
  - All pass or abort
  - Need to handle tables and rules
- Problem of sets
  - They exist at table level
  - They are used at chain level
Atomic ruleset update (2/2)
- Atomic ruleset update
  - atomically commit a set of rule-set updates incrementally
  - based on a generation counter/mask
    - 00: active in the present, will be active in the next generation.
    - 01: active in the present, needs to zero its future, it becomes 00.
    - 10: inactive in the present, delete now.
- Batch method
  - Method
    - Start transaction
    - Send modifications mixing set and ruleset updates
    - Commit transaction
  - Interest
    - Limit the number of netlink messages
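The generation counter/mask scheme on the two atomic-update slides is compact but easy to misread, so here is an added example, not code from the slides or from the kernel's nf_tables implementation: a model in which each rule carries a two-bit mask, one bit per generation, and a cursor says which bit is "the present". Queued adds and deletes only touch the future bit, so the packet path keeps seeing the old ruleset until `commit` flips the cursor; the sweep that follows applies the three cases listed on the slide, and `abort` discards the queued changes. Class and method names are assumptions.

```python
"""Model of the two-bit generation mask behind atomic ruleset updates."""


class Rule:
    def __init__(self, name):
        self.name = name
        self.genmask = 0  # bit g set => inactive in generation g; 00 = active in both


class Ruleset:
    """Two generations exist at any time; gencursor says which bit is 'now'."""

    def __init__(self):
        self.rules = []
        self.gencursor = 0

    def _next(self):
        return self.gencursor ^ 1

    def is_active(self, rule):
        """What the packet path tests: the present-generation bit is clear."""
        return not rule.genmask & (1 << self.gencursor)

    def active_names(self):
        return [r.name for r in self.rules if self.is_active(r)]

    def add(self, name):
        """Queue an insertion: inactive now, active in the next generation."""
        rule = Rule(name)
        rule.genmask = 1 << self.gencursor
        self.rules.append(rule)

    def delete(self, name):
        """Queue a deletion: still active now, inactive in the next generation."""
        for rule in self.rules:
            if rule.name == name and self.is_active(rule):
                rule.genmask |= 1 << self._next()
                return
        raise KeyError(name)

    def commit(self):
        """Flip the generation cursor, then sweep.  The flip is the atomic step:
        every queued add and delete becomes visible to the packet path at once,
        and no intermediate ruleset is ever observable."""
        self.gencursor = self._next()
        for rule in list(self.rules):
            if rule.genmask & (1 << self.gencursor):
                self.rules.remove(rule)                  # 10: inactive now, delete
            else:
                rule.genmask &= ~(1 << self._next())     # 01: zero its future -> 00

    def abort(self):
        """Drop everything queued since the last commit; the present is untouched."""
        for rule in list(self.rules):
            if not self.is_active(rule):
                self.rules.remove(rule)                  # never became active
            else:
                rule.genmask &= ~(1 << self._next())     # cancel a pending delete


if __name__ == "__main__":
    rs = Ruleset()
    rs.add("ct state established accept")
    rs.add("counter log drop")
    rs.commit()
    rs.delete("counter log drop")
    rs.add("ip saddr @ipv4_ad drop")
    rs.add("counter log drop")
    print("mid-batch:", rs.active_names())   # still the previous generation
    rs.commit()
    print("committed:", rs.active_names())
```

Because `delete` only sets the future bit and `add` only sets the present bit, a reader of the ruleset during the batch (the packet path, or a concurrent dump) never observes a half-applied update; that is also what lets the whole batch travel as one netlink transaction instead of one message per change.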
Dynamic set choice (1/2)
- Ipset usage
  - The user chooses the set type among the possible choices
- The set subsystem
  - Various set types are available: hash, rbtree
  - No selector exists
Dynamic set choice (2/2)
- Constraint based selection
  - Select the set type based on user constraints
    - Memory usage
    - Lookup complexity
- Syntax
    nft add set filter set1 { type ipv4_addr; size 1024; }
    nft add set filter set1 { type ipv4_addr; policy memory; }
    nft add set filter set1 { type ipv4_addr; policy performance; }
- Status
  - Kernel space is implemented
  - Userspace is not yet committed
Warning: NSFC
THE FOLLOWING SLIDE CONTAINS IMAGES THAT MAY HURT THE SENSITIVITY OF SOME CATS.
The young guard
- Giuseppe Longo, Arturo Borrero González, Alvaro Neira Ayuso, Ana Rey
- Google Summer of Code, Outreach Program for Women
Ana Rey: nftables test system
- Regression test
  - Run an nft command and check the result
  - Most features are tested
  - Sponsored by OPW
  - Already led to fixes
- Example
    any/queue.t: OK
    any/ct.t: WARNING: line: 59: 'nft add rule -nnn ip test-ip4 \
        output ct expiration 30': \
        'ct expiration 30' mismatches 'ct expiration "30s"'
    any/ct.t: WARNING: line: 61: 'nft add rule -nnn ip test-ip4 \
        output ct expiration != 233': \
        'ct expiration != 233' mismatches 'ct expiration != "3m53s"'
Arturo Borrero: Nftsync (1/2)
- Principle
  - Distribute the ruleset across the network
  - Support master/slave
  - Deploy rulesets to non-gateway systems
- Implementation
  - Use the notification system
  - Collect updates and distribute them
Nftsync (2/2)
- Current state
  - Bootstrapped during summer
  - Basic mode working
  - No encryption yet
- Get it, try it, hack it: http://git.netfilter.org/nft-sync/
Giuseppe Longo: ebtables compat layer
- Provide tools compatibility
  - Use the old tools with the new nftables framework
  - Convert old command lines to the new internal syntax
- Multi layer compatibility
  - Bridge level: ebtables
  - IP level: iptables
Libnftables
- High level library for third party software
  - Network manager
  - Firewall management interfaces
- It will be based on nftables
  - Using the same command line
  - Providing the transaction feature
Complete import/export
- Exporting a ruleset
  - Can currently be done via a single nft command
  - XML and JSON format
- Importing a ruleset
  - No single command to restore
  - nft -f is not enough
  - nft import is needed
Unification with existing BPF
- No real difference
  - Different keywords related to Netfilter: ct, meta
- May be possible to merge
Conclusion
- A huge evolution
  - Solving iptables problems
  - An answer to new usages
    - Set handling
    - Complex matches
    - IPv4 and IPv6 in one table
- Already usable
  - Main features are here
  - The compatibility layer can be used
Questions?
Do you have questions?
- Thanks to
  - Netfilter team
  - Google for GSoC 2014
  - Outreach Program for Women
- More information
  - Netfilter: http://www.netfilter.org
  - Nftables wiki: http://wiki.nftables.org
- Contact me
  - Mail: [email protected]
  - Twitter: @Regiteric