Commit 4143719d authored by JackV's avatar JackV

Nftables section

parent 00b88cef
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Created with Inkscape (http://www.inkscape.org/) -->
<svg
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:cc="http://creativecommons.org/ns#"
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
xmlns:svg="http://www.w3.org/2000/svg"
xmlns="http://www.w3.org/2000/svg"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
width="170"
height="50"
id="svg2"
sodipodi:version="0.32"
inkscape:version="0.92.4 5da689c313, 2019-01-14"
version="1.0"
sodipodi:docname="nf-hook-cell.svg"
inkscape:output_extension="org.inkscape.output.svg.inkscape"
inkscape:export-filename="/home/jengelh/pub/images/nf-packet-flow.png"
inkscape:export-xdpi="149.71034"
inkscape:export-ydpi="149.71034">
<defs
id="defs4">
<marker
inkscape:stockid="Arrow1Sstart"
orient="auto"
refY="0"
refX="0"
id="Arrow1Sstart"
style="overflow:visible"
inkscape:isstock="true">
<path
id="path888"
d="M 0,0 5,-5 -12.5,0 5,5 Z"
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:#000000;stroke-width:1.00000003pt;stroke-opacity:1"
transform="matrix(0.2,0,0,0.2,1.2,0)"
inkscape:connector-curvature="0" />
</marker>
<marker
inkscape:isstock="true"
style="overflow:visible"
id="marker1246"
refX="0"
refY="0"
orient="auto"
inkscape:stockid="Arrow1Mstart">
<path
transform="matrix(0.4,0,0,0.4,4,0)"
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:#000000;stroke-width:1.00000003pt;stroke-opacity:1"
d="M 0,0 5,-5 -12.5,0 5,5 Z"
id="path1244"
inkscape:connector-curvature="0" />
</marker>
<marker
inkscape:stockid="Arrow1Mstart"
orient="auto"
refY="0"
refX="0"
id="Arrow1Mstart"
style="overflow:visible"
inkscape:isstock="true"
inkscape:collect="always">
<path
id="path882"
d="M 0,0 5,-5 -12.5,0 5,5 Z"
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:#000000;stroke-width:1.00000003pt;stroke-opacity:1"
transform="matrix(0.4,0,0,0.4,4,0)"
inkscape:connector-curvature="0" />
</marker>
<linearGradient
id="linearGradient3422">
<stop
style="stop-color:#ffffff;stop-opacity:1;"
offset="0"
id="stop3424" />
<stop
style="stop-color:#d0d0d0;stop-opacity:1;"
offset="1"
id="stop3426" />
</linearGradient>
<linearGradient
id="linearGradient3406">
<stop
style="stop-color:#bdff99;stop-opacity:1;"
offset="0"
id="stop3408" />
<stop
style="stop-color:#00e000;stop-opacity:1;"
offset="1"
id="stop3410" />
</linearGradient>
<linearGradient
inkscape:collect="always"
xlink:href="#linearGradient3422"
id="linearGradient1324"
gradientUnits="userSpaceOnUse"
gradientTransform="translate(-25,-26.47852)"
x1="670"
y1="786.47852"
x2="670"
y2="806.47852" />
<linearGradient
inkscape:collect="always"
xlink:href="#linearGradient3406"
id="linearGradient1436"
gradientUnits="userSpaceOnUse"
gradientTransform="translate(-25,-26.47852)"
x1="670"
y1="776.47852"
x2="670"
y2="786.47852" />
</defs>
<sodipodi:namedview
id="base"
pagecolor="#ffffff"
bordercolor="#666666"
borderopacity="1.0"
gridtolerance="10000"
guidetolerance="10"
objecttolerance="50"
inkscape:pageopacity="0.0"
inkscape:pageshadow="2"
inkscape:zoom="4.4"
inkscape:cx="60.379148"
inkscape:cy="39.151947"
inkscape:document-units="px"
inkscape:current-layer="layer5"
width="1510px"
height="1052px"
showgrid="false"
inkscape:object-bbox="false"
inkscape:object-points="false"
inkscape:object-nodes="false"
inkscape:grid-points="true"
inkscape:window-width="1920"
inkscape:window-height="991"
inkscape:window-x="0"
inkscape:window-y="0"
units="px"
showguides="true"
inkscape:guide-bbox="true"
inkscape:window-maximized="1"
fit-margin-top="0"
fit-margin-left="0"
fit-margin-right="0"
fit-margin-bottom="0">
<inkscape:grid
type="xygrid"
id="grid2847"
visible="true"
enabled="true"
color="#000000"
opacity="0.1254902"
empcolor="#0000ff"
empopacity="0.1254902"
spacingx="5"
spacingy="5"
empspacing="5"
snapvisiblegridlinesonly="true"
originx="-619.875"
originy="-224.875" />
</sodipodi:namedview>
<metadata
id="metadata7">
<rdf:RDF>
<cc:Work
rdf:about="">
<dc:format>image/svg+xml</dc:format>
<dc:type
rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
<cc:license
rdf:resource="http://creativecommons.org/licenses/by-sa/4.0/" />
<dc:title>Netfilter packet flow and hook/table ordering</dc:title>
<dc:date>2014-Feb-28</dc:date>
<dc:creator>
<cc:Agent>
<dc:title>Jan Engelhardt &lt;jengelh@inai.de&gt;</dc:title>
</cc:Agent>
</dc:creator>
<dc:rights>
<cc:Agent>
<dc:title>Jan Engelhardt &lt;jengelh@inai.de&gt;</dc:title>
</cc:Agent>
</dc:rights>
<dc:source>http://inai.de/</dc:source>
<dc:language>en_US</dc:language>
<dc:subject>
<rdf:Bag>
<rdf:li>Xtables Conntrack iptables</rdf:li>
</rdf:Bag>
</dc:subject>
<dc:description>Shows the packet flow throughout Linux Networking, and Netfilter components.</dc:description>
<dc:contributor>
<cc:Agent>
<dc:title>Joshua Snyder &lt;josh@imagestream.com&gt;</dc:title>
</cc:Agent>
</dc:contributor>
</cc:Work>
<cc:License
rdf:about="http://creativecommons.org/licenses/by-sa/4.0/">
<cc:permits
rdf:resource="http://creativecommons.org/ns#Reproduction" />
<cc:permits
rdf:resource="http://creativecommons.org/ns#Distribution" />
<cc:requires
rdf:resource="http://creativecommons.org/ns#Notice" />
<cc:requires
rdf:resource="http://creativecommons.org/ns#Attribution" />
<cc:permits
rdf:resource="http://creativecommons.org/ns#DerivativeWorks" />
<cc:requires
rdf:resource="http://creativecommons.org/ns#ShareAlike" />
</cc:License>
</rdf:RDF>
</metadata>
<g
inkscape:groupmode="layer"
id="layer2"
inkscape:label="OSI layers"
style="display:inline"
transform="translate(-619.875,-725.125)" />
<g
inkscape:groupmode="layer"
id="layer3"
inkscape:label="Gray shaders"
style="display:inline"
transform="translate(-619.875,-725.125)" />
<g
inkscape:label="Boxes"
inkscape:groupmode="layer"
id="layer1"
style="display:inline"
transform="translate(-619.875,-725.125)" />
<g
inkscape:groupmode="layer"
id="layer6"
inkscape:label="Box text"
style="display:inline"
transform="translate(-619.875,-725.125)" />
<g
inkscape:groupmode="layer"
id="layer5"
inkscape:label="Arrows"
style="display:inline"
transform="translate(-619.875,-725.125)">
<text
id="text4154"
style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:7.25026369px;line-height:0%;font-family:Arial;-inkscape-font-specification:Arial;text-align:start;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:start;fill:#ff0048;fill-opacity:1;stroke:none"
xml:space="preserve"
x="2736.0198"
y="336.78403">clone packet</text>
<g
id="g925"
transform="translate(2.1260048,-1.4065563)">
<rect
style="display:inline;fill:url(#linearGradient1436);fill-opacity:1;fill-rule:evenodd;stroke:#000000;stroke-width:0.25;stroke-linecap:butt;stroke-linejoin:bevel;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
id="use3376"
width="50"
height="10"
x="620"
y="750" />
<rect
style="display:inline;fill:url(#linearGradient1324);fill-opacity:1;fill-rule:evenodd;stroke:#000000;stroke-width:0.25;stroke-linecap:butt;stroke-linejoin:bevel;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
id="use3378"
width="50"
height="15"
x="620"
y="760" />
<text
xml:space="preserve"
style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;line-height:0%;font-family:Arial;text-align:center;writing-mode:lr-tb;text-anchor:middle;display:inline;fill:#000000;fill-opacity:1;stroke:none"
x="644.70215"
y="770.08545"
id="use3399"><tspan
style="font-size:10.00000191px;line-height:1"
sodipodi:role="line"
id="tspan3533"
x="644.70215"
y="770.08545">input</tspan></text>
<text
id="use3888"
y="759.10303"
x="644.89008"
style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;line-height:0%;font-family:Arial;text-align:center;writing-mode:lr-tb;text-anchor:middle;display:inline;fill:#000000;fill-opacity:1;stroke:none"
xml:space="preserve"><tspan
y="759.10303"
x="644.89008"
id="tspan1570"
sodipodi:role="line"
style="font-size:10.00000191px;line-height:1">filter</tspan></text>
<path
inkscape:connector-curvature="0"
id="path874"
d="m 673.9865,768.26182 h 21.69532"
style="fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;marker-start:url(#Arrow1Mstart)" />
<path
style="fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;marker-start:url(#marker1246)"
d="m 673.9865,754.96637 h 21.69532"
id="path1242"
inkscape:connector-curvature="0" />
<path
sodipodi:nodetypes="ccc"
inkscape:connector-curvature="0"
id="path1800"
d="m 645.34091,747.27272 v -15.56817 h 50.34091"
style="fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;marker-start:url(#Arrow1Sstart)" />
<flowRoot
transform="translate(-7.7272727,527.27273)"
style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.66666698px;line-height:1.25;font-family:'Open Sans Semibold';-inkscape-font-specification:'Open Sans Semibold, ';letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none"
id="flowRoot2048"
xml:space="preserve"><flowRegion
id="flowRegion2050"><rect
y="199.31818"
x="704.88635"
height="46.477268"
width="198.52274"
id="rect2052" /></flowRegion><flowPara
id="flowPara2054">Color: <flowSpan
id="flowSpan2056"
style="fill:#4eed3f;fill-opacity:1">Green</flowSpan> - IP<flowSpan
id="flowSpan2104"
style="fill:#4a4ad7;fill-opacity:1" /></flowPara><flowPara
id="flowPara2172"><flowSpan
id="flowSpan2174"
style="fill:#4a4ad7;fill-opacity:1"> Blue</flowSpan> - MAC</flowPara></flowRoot> <flowRoot
xml:space="preserve"
id="flowRoot2134"
style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.66666698px;line-height:1.25;font-family:'Open Sans Semibold';-inkscape-font-specification:'Open Sans Semibold, ';letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none"
transform="translate(-7.7272727,563.63637)"><flowRegion
id="flowRegion2126"><rect
id="rect2124"
width="198.52274"
height="46.477268"
x="704.88635"
y="199.31818" /></flowRegion><flowPara
id="flowPara2132">Hook</flowPara></flowRoot> <flowRoot
transform="translate(-7.7272727,550.00001)"
style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.66666698px;line-height:1.25;font-family:'Open Sans Semibold';-inkscape-font-specification:'Open Sans Semibold, ';letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none"
id="flowRoot2146"
xml:space="preserve"><flowRegion
id="flowRegion2138"><rect
y="199.31818"
x="704.88635"
height="46.477268"
width="198.52274"
id="rect2136" /></flowRegion><flowPara
id="flowPara2144">Chain</flowPara></flowRoot> </g>
</g>
<g
inkscape:groupmode="layer"
id="layer4"
inkscape:label="GB layer text"
style="display:inline"
transform="translate(-619.875,-725.125)" />
</svg>
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Created with Inkscape (http://www.inkscape.org/) -->
<svg
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:cc="http://creativecommons.org/ns#"
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
xmlns:svg="http://www.w3.org/2000/svg"
xmlns="http://www.w3.org/2000/svg"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
width="50.25"
height="25.25"
id="svg2"
sodipodi:version="0.32"
inkscape:version="0.92.4 5da689c313, 2019-01-14"
version="1.0"
sodipodi:docname="nf-logic-cell.svg"
inkscape:output_extension="org.inkscape.output.svg.inkscape"
inkscape:export-filename="/home/jengelh/pub/images/nf-packet-flow.png"
inkscape:export-xdpi="149.71034"
inkscape:export-ydpi="149.71034">
<defs
id="defs4">
<linearGradient
id="linearGradient3422">
<stop
style="stop-color:#ffffff;stop-opacity:1;"
offset="0"
id="stop3424" />
<stop
style="stop-color:#d0d0d0;stop-opacity:1;"
offset="1"
id="stop3426" />
</linearGradient>
<linearGradient
inkscape:collect="always"
xlink:href="#linearGradient3422"
id="linearGradient1580"
gradientUnits="userSpaceOnUse"
gradientTransform="translate(-105,53)"
x1="750"
y1="777"
x2="750"
y2="807" />
</defs>
<sodipodi:namedview
id="base"
pagecolor="#ffffff"
bordercolor="#666666"
borderopacity="1.0"
gridtolerance="10000"
guidetolerance="10"
objecttolerance="50"
inkscape:pageopacity="0.0"
inkscape:pageshadow="2"
inkscape:zoom="4.4"
inkscape:cx="12.992398"
inkscape:cy="57.0593"
inkscape:document-units="px"
inkscape:current-layer="layer5"
width="1510px"
height="1052px"
showgrid="false"
inkscape:object-bbox="false"
inkscape:object-points="false"
inkscape:object-nodes="false"
inkscape:grid-points="true"
inkscape:window-width="1920"
inkscape:window-height="991"
inkscape:window-x="0"
inkscape:window-y="0"
units="px"
showguides="true"
inkscape:guide-bbox="true"
inkscape:window-maximized="1"
fit-margin-top="0"
fit-margin-left="0"
fit-margin-right="0"
fit-margin-bottom="0">
<inkscape:grid
type="xygrid"
id="grid2847"
visible="true"
enabled="true"
color="#000000"
opacity="0.1254902"
empcolor="#0000ff"
empopacity="0.1254902"
spacingx="5"
spacingy="5"
empspacing="5"
snapvisiblegridlinesonly="true"
originx="-619.875"
originy="-144.875" />
</sodipodi:namedview>
<metadata
id="metadata7">
<rdf:RDF>
<cc:Work
rdf:about="">
<dc:format>image/svg+xml</dc:format>
<dc:type
rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
<cc:license
rdf:resource="http://creativecommons.org/licenses/by-sa/4.0/" />
<dc:title>Netfilter packet flow and hook/table ordering</dc:title>
<dc:date>2014-Feb-28</dc:date>
<dc:creator>
<cc:Agent>
<dc:title>Jan Engelhardt &lt;jengelh@inai.de&gt;</dc:title>
</cc:Agent>
</dc:creator>
<dc:rights>
<cc:Agent>
<dc:title>Jan Engelhardt &lt;jengelh@inai.de&gt;</dc:title>
</cc:Agent>
</dc:rights>
<dc:source>http://inai.de/</dc:source>
<dc:language>en_US</dc:language>
<dc:subject>
<rdf:Bag>
<rdf:li>Xtables Conntrack iptables</rdf:li>
</rdf:Bag>
</dc:subject>
<dc:description>Shows the packet flow throughout Linux Networking, and Netfilter components.</dc:description>
<dc:contributor>
<cc:Agent>
<dc:title>Joshua Snyder &lt;josh@imagestream.com&gt;</dc:title>
</cc:Agent>
</dc:contributor>
</cc:Work>
<cc:License
rdf:about="http://creativecommons.org/licenses/by-sa/4.0/">
<cc:permits
rdf:resource="http://creativecommons.org/ns#Reproduction" />
<cc:permits
rdf:resource="http://creativecommons.org/ns#Distribution" />
<cc:requires
rdf:resource="http://creativecommons.org/ns#Notice" />
<cc:requires
rdf:resource="http://creativecommons.org/ns#Attribution" />
<cc:permits
rdf:resource="http://creativecommons.org/ns#DerivativeWorks" />
<cc:requires
rdf:resource="http://creativecommons.org/ns#ShareAlike" />
</cc:License>
</rdf:RDF>
</metadata>
<g
inkscape:groupmode="layer"
id="layer2"
inkscape:label="OSI layers"
style="display:inline"
transform="translate(-619.875,-829.875)" />
<g
inkscape:groupmode="layer"
id="layer3"
inkscape:label="Gray shaders"
style="display:inline"
transform="translate(-619.875,-829.875)" />
<g
inkscape:label="Boxes"
inkscape:groupmode="layer"
id="layer1"
style="display:inline"
transform="translate(-619.875,-829.875)">
<rect
rx="10"
ry="10"
style="display:inline;fill:url(#linearGradient1580);fill-opacity:1;fill-rule:evenodd;stroke:#000000;stroke-width:0.25;stroke-linecap:butt;stroke-linejoin:bevel;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
id="use26136"
width="50"
height="25"
x="620"
y="830" />
</g>
<g
inkscape:groupmode="layer"
id="layer6"
inkscape:label="Box text"
style="display:inline"
transform="translate(-619.875,-829.875)">
<text
xml:space="preserve"
style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;line-height:0%;font-family:Arial;text-align:center;writing-mode:lr-tb;text-anchor:middle;display:inline;fill:#000000;fill-opacity:1;stroke:none"
x="645.17578"
y="841.02051"
id="text3265"><tspan
sodipodi:role="line"
id="tspan3267"
x="645.17578"
y="841.02051"
style="font-size:10px;line-height:1">routing</tspan><tspan
sodipodi:role="line"
x="645.17578"
y="851.02051"
id="tspan13842"
style="font-size:10px;line-height:1">decision</tspan></text>
</g>
<g
inkscape:groupmode="layer"
id="layer5"
inkscape:label="Arrows"
style="display:inline"
transform="translate(-619.875,-829.875)">
<text
id="text4154"
style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:7.25026369px;line-height:0%;font-family:Arial;-inkscape-font-specification:Arial;text-align:start;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:start;fill:#ff0048;fill-opacity:1;stroke:none"
xml:space="preserve"
x="2736.0198"
y="336.78403">clone packet</text>
</g>
<g
inkscape:groupmode="layer"
id="layer4"
inkscape:label="GB layer text"
style="display:inline"
transform="translate(-619.875,-829.875)" />
</svg>
...@@ -180,9 +180,109 @@ default via 192.168.0.1 dev wlp2s0 <clipped> ...@@ -180,9 +180,109 @@ default via 192.168.0.1 dev wlp2s0 <clipped>
--- ---
## NFtables vs IPtables vs firewalld vs others ## What is NFtables?
NFtables is a program that allows us to control Linux's internal
packet filter (firewall) allowing us to block out unwanted traffic
---
## NFtables vs IPtables vs firewalld (& co.)
* **iptables**: frontend for `xt_*` kernel modules, old (1998)
* **nftables**: frontend for `nf_*` kernel modules, "new" (2014)
* **firewalld & co.**: allow easier configuration, under the hood all use iptables
---
## Overview of Linux packet filtering
<img src="assets/Netfilter-packet-flow.svg" style="background-color: white; min-width: 100%" />
Source: [Wikipedia](https://commons.wikimedia.org/wiki/File:Netfilter-packet-flow.svg)
---
## How to read this graph
<img src="assets/nf-hook-cell.png" style="background-color: white; min-width: 100%" />
---
## How to read this graph /2
<img src="assets/nf-logic-cell.svg" style="min-width: 30%" />
* **Bridge check**: check if the packet needs to be routed on a bridged interface
* **Routing decision**: decide if we want a program to receive the packet (input)
or if we need to __forward__ it to somewhere else
* **Conntrack**: linux checks if this packet is related to others (eg. TCP connection)
---
### Important things to know
* **bridging**: we instruct the linux kernel to forward MAC packets between
2 separate interfaces (like a switch)
* The **routing decision** step is also what decides the output interface,
the __forward__ hook is the first to know the output interface
* There are **4** chains: **filter** and **nat** (common), mangle and raw (rarely used)
* There are **5** hooks:
* filter: **input**, **forward**, **output**
* nat: **prerouting**, **postrouting**
---
## nftables hierarchy