nftables初体验

前言

之前耳闻是下一代。前段时间配了一台主机，折腾成家里的软路由。就一并来尝鲜一系列新东西，其中就包括。和、等一样，都是对底层 xtables 的封装，目前看来比更简洁易用，更易读，更容易理解，扩展性和也更好。但是目前各个发行版中对的支持还比较参差不齐，导致很多功能比还是有所缺失，所以个人感觉短期内还是替代不了（比如 tproxy 功能需要 linux kernel 4.19+，而即便是的内核版本也只是 4.18 ，所以都不支持）。所支持的功能列表及所以来的内核版本和内核模块可以在这里找到。

的功能分两块，一块是内核支持，这个受限于内核版本。另一部分是用户空间的库和工具。有些发行版会滚动更新内核，但是版本比较低，这时候如果要用就得自己编译。依赖库及命令行工具的代码仓库如下:

libmnl:
libnftnl:
nftables:

和一样，的高版本对依赖库的版本也有一定要求，系统自带的不一定符合要求，就得一个一个编译。我写了一个构建脚本: ，并且实测如果使用或者的话，可以宿主机编译，然后mount共享给子机也是可以的。

官方Wiki: 官方文档: 官方文档不是很全，这个文档更完整一些:

nftables与iptables

先贴一张的流程图。

以下是一些常用命令:

说明

iptables -t mangle -L

nft list table mangle

显示指定table(mangle)的所有chains

nft list ruleset

显示所有table的所有chains

iptables -t mangle -A V2RAY -j TRACE

nft add rule inet mangle V2RAY meta nftrace set 1

跟踪调试包

iptables -t mangle -A V2RAY -j LOG --log-level debug --log-prefix "###LOG PREFIX:"

nft add rule inet mangle V2RAY log prefix '"###LOG PREFIX:"' level debug flags all

输出内核日志

nftables与ebtables

另外如果要使用网桥包转路由，然后走比如tproxy需要增加如下配置:

echo "
net.ipv4.ip_forward=1
net.ipv4.ip_forward_use_pmtu=1
net.ipv4.conf.all.forwarding=1
net.ipv4.conf.default.forwarding=1
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.default.forwarding=1
# Configures below are used to support tproxy for bridge
net.bridge.bridge-nf-call-arptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.all.route_localnet=1
net.ipv4.conf.default.route_localnet=1
" > /etc/sysctl.d/91-forwarding.conf ;
sysctl -p ;

nftables与ipset

部分参考对比如下:

ipset create V2RAY_BLACKLIST_IPV4 hash:ip family inet

nft add set ip v2ray BLACKLIST { type ipv4_addr\; }

ipset flush V2RAY_BLACKLIST_IPV4

nft flush set ip v2ray BLACKLIST

ipset add V2RAY_BLACKLIST_IPV4 $PPP_OUTER_IP

nft add element ip v2ray BLACKLIST { $PPP_OUTER_IP } ;

iptables -t mangle -A V2RAY -p tcp -m set --match-set V2RAY_BLACKLIST_IPV4 dst -j RETURN

nft add rule ip v2ray PREROUTING meta l4proto tcp ip daddr @BLACKLIST return

ipset create myset hash:ip,port,ip family inet

nft add set inet filter myset { type type ipv4_addr . inet_service . ipv4_addr : verdict \; }

ipset add myset 172.16.0.1,tcp:80,10.0.0.1

nft add element inet filter myset { 172.16.0.1 . 80 . 10.0.0.1 : accept } ;

iptables -t filter -A INPUT -m set --match-set myset src,dst,dst -j ACCEPT

nft add rule inet filter INPUT meta nfproto ipv4 ip saddr . tcp dport . ip daddr vmap @myset

nftables与iptables与NAT

echo "## Do not load the iptable_nat,ip_tables,ip6table_nat,ip6_tables module on boot.
blacklist iptable_nat
blacklist ip6table_nat

# Upper script will disable auto load , or using scripts below to force disable modules
# install iptable_nat /bin/true
# install ip6table_nat /bin/true
" | tee /etc/modprobe.d/disable-iptables.conf

另外我本地为了支持NAT和一些辅助功能开启的模块如下:

echo "
xt_nat
nf_reject_ipv4
nf_reject_ipv6
nf_tables_set
nf_log_ipv6
nf_log_ipv4
nf_log_common
nf_tables
nfnetlink
nf_nat
nf_conntrack
nf_defrag_ipv6
nf_defrag_ipv4
nft_log
nft_masq
nft_ct
nft_meta_bridge
nft_counter
nft_reject
nft_reject_inet
nft_reject_bridge
nft_chain_nat
nft_nat
" | tee /etc/modules-load.d/nftables-nat.conf

nftables与firewalld

nft list table inet security_firewall > /dev/null 2>&1 ;
if [ $? -eq 0 ]; then
    nft delete table inet security_firewall ;
fi
nft add table inet security_firewall ;

nft add table inet security_firewall ;

nft add chain inet security_firewall PREROUTING { type filter hook prerouting priority raw + 10\; policy accept\; }
nft add rule inet security_firewall PREROUTING icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept ;
nft add rule inet security_firewall PREROUTING meta nfproto ipv6 fib saddr . iif oif missing drop ;

nft add chain inet security_firewall INPUT { type filter hook input priority filter + 10\; policy accept\; }
nft add rule inet security_firewall INPUT ct state { established, related } accept
nft add rule inet security_firewall INPUT ct status dnat accept
# 这里 br0是我自己建的用于内网通信的桥接，添加了enp1s0f0和enp1s0f1 。 enp5s0是我用来调试的接口， WAN口的出口留了两个用于拨号， enp1s0f2 和 enp1s0f3
nft add rule inet security_firewall INPUT iifname { lo, br0, enp1s0f0, enp1s0f1, enp5s0 } accept
# Internal services -- begin
nft add rule inet security_firewall INPUT ip saddr {127.0.0.1/32, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8} tcp dport 22 ct state { new, untracked } accept
nft add rule inet security_firewall INPUT ip6 saddr {::1/128, fc00::/7, fe80::/10, fd00::/8, ff00::/8} tcp dport 22 ct state { new, untracked } accept
nft add rule inet security_firewall INPUT ip6 daddr fe80::/64 udp dport 546 ct state { new, untracked } accept
nft add rule inet security_firewall INPUT tcp dport 53 ct state { new, untracked } accept
nft add rule inet security_firewall INPUT udp dport 53 ct state { new, untracked } accept
nft add rule inet security_firewall INPUT udp dport 67 ct state { new, untracked } accept
nft add rule inet security_firewall INPUT udp dport 547 ct state { new, untracked } accept
nft add rule inet security_firewall INPUT tcp dport 853 ct state { new, untracked } accept
# 其他自定义要放过的服务端口和协议
# Internal services -- end
nft add rule inet security_firewall INPUT meta l4proto { icmp, ipv6-icmp } accept
nft add rule inet security_firewall INPUT ct state { invalid } drop
nft add rule inet security_firewall INPUT reject with icmpx type admin-prohibited

nft add chain inet security_firewall OUTPUT { type filter hook output priority filter + 10\; policy accept\; }
nft add rule inet security_firewall OUTPUT  oifname "lo" accept
nft add rule inet security_firewall OUTPUT  ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 type addr-unreachable

nft add chain inet security_firewall FORWARD { type filter hook forward priority filter + 10\; policy accept\; }
nft add rule inet security_firewall FORWARD  ct state { established, related } accept
nft add rule inet security_firewall FORWARD  ct status dnat accept
# 这里 br0是我自己建的用于内网通信的桥接，添加了enp1s0f0和enp1s0f1 。 enp5s0是我用来调试的接口， WAN口的出口留了两个用于拨号， enp1s0f2 和 enp1s0f3
nft add rule inet security_firewall FORWARD  iifname { lo, br0, enp1s0f0, enp1s0f1, enp5s0 } accept
nft add rule inet security_firewall FORWARD  ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 type addr-unreachable
#
nft add rule inet security_firewall FORWARD  meta l4proto { icmp, ipv6-icmp } accept
nft add rule inet security_firewall FORWARD  ct state { new, untracked } accept
#
nft add rule inet security_firewall FORWARD  ct state { invalid } drop
nft add rule inet security_firewall FORWARD  reject with icmpx type admin-prohibited

备注小记

要使用 tproxy (透明代理) 需要开启的内核模块: （其中 nft_tproxy 要求 linux kernel 4.19+） >

echo "
nf_tproxy_ipv4
nf_tproxy_ipv6
nf_socket_ipv4
nf_socket_ipv6
xt_TPROXY
nft_socket
nft_tproxy
" | tee /etc/modules-load.d/nftables-tproxy.conf

nftables Hook

Type

Families

Hooks

Description

filter

all

Standard chain type to use in doubt.

nat

ip, ip6, inet

prerouting, input, output, postrouting

Chains of this type perform Native Address Translation based on conntrack entries. Only the first packet of a connection actually traverses this chain - its rules usually define details of the created conntrack entry (NAT statements for instance).

route

ip, ip6

output

If a packet has traversed a chain of this type and is about to be accepted, a new route lookup is performed if relevant parts of the IP header have changed. This allows to e.g. implement policy routing selectors in nftables.

Standard priority names, family and hook compatibility matrix

The priority parameter accepts a signed integer value or a standard priority name which specifies the order in which chains with same hook value are traversed. The ordering is ascending, i.e. lower priority values have precedence over higher ones.

Name

Value

Families

Hooks

raw

-300

ip, ip6, inet

all

mangle

-150

ip, ip6, inet

all

dstnat

-100

ip, ip6, inet

prerouting

filter

ip, ip6, inet, arp, netdev

all

security

ip, ip6, inet

all

srcnat

100

ip, ip6, inet

postrouting

Standard priority names and hook compatibility for the bridge family

Name

Value

Hooks

dstnat

-300

prerouting

filter

-200

all

out

100

output

srcnat

300

postrouting

Previouslibatbus 的大幅优化 Next容器配置开发环境小计

Last updated 5 years ago

Was this helpful?