nftables 也有表、规则链、规则的概念:
表是规则链的容器
表有几个family: ip/ip6/inet/arp/bridge/netdev; inet=ip和ip6的混合链是规则的容器
基本链的类型有: filter: 支持ip/ip6/inet/arp/bridge;不支持netdev(好像能支持?) route: 标记数据包,支持ip和ip6,只能用于output钩子。该功能类似iptables的mangle nat: NAT功能,支持ip和ip6. 基本链的钩子(hook)有: ip/ip6/inet的钩子有: prerouting,input, forward, output, postrouting. arp的钩子有: input, output. netdev的钩子有:ingress 链的优先级有: 数据包会遍历钩子上的链,直到走完所有链或被丢弃。以下是iptables的优先级参考 here's the list of different priority used in iptables: NF_IP_PRI_CONNTRACK_DEFRAG (-400): priority of defragmentation NF_IP_PRI_RAW (-300): traditional priority of the raw table placed before connection tracking operation NF_IP_PRI_SELINUX_FIRST (-225): SELinux operations NF_IP_PRI_CONNTRACK (-200): Connection tracking operations NF_IP_PRI_MANGLE (-150): mangle operation NF_IP_PRI_NAT_DST (-100): destination NAT NF_IP_PRI_FILTER (0): filtering operation, the filter table NF_IP_PRI_SECURITY (50): Place of security table where secmark can be set for example NF_IP_PRI_NAT_SRC (100): source NAT NF_IP_PRI_SELINUX_LAST (225): SELinux at packet exit NF_IP_PRI_CONNTRACK_HELPER (300): connection tracking at exit链的默认策略有:accept, drop, queue, continue, return.
规则:
handle 标识某个规则的数字,句柄号。插入规则的时候,position后就需要这个句柄号来定义位置。 matches 用于创建过滤器的匹配: matches很繁杂,具体参考https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes statement 数据包匹配后执行的语句。有log/reject/counter/limit/nat/queue/verdict statement。其中verdict statement可选值为: accept: Accept the packet and stop the remain rules evaluation. drop: Drop the packet and stop the remain rules evaluation. queue: Queue the packet to userspace and stop the remain rules evaluation. continue: Continue the ruleset evaluation with the next rule. return: Return from the current chain and continue at the next rule of the last chain. In a base chain it is equivalent to accept jump <chain>: Continue at the first rule of <chain>. It will continue at the next rule after a return statement is issued goto <chain>: Similar to jump, but after the new chain the evaluation will continue at the last chain instead of the one containing the goto statement
钩子之间的关系:
Local process ^ | .-----------. .-----------. | | | Routing | | |-----> input / \---> | Decision |----> output \--> prerouting --->| Routing | .-----------. \ | Decision | --> postrouting | | / | |---------------> forward --------------------------- .-----------. 4.2内核后多了ingress钩子,ingress钩子与其他钩子的关系如下:
.-----------. | |-----> input ...---> ingress ---> prerouting --->| Routing | | Decision | | | | |-----> forward ... .-----------. 命令行语法:
表操作:
% nft list tables [<family>] # 显示所有表, 如果family不指定,则默认ip. % nft list table [<family>] <name> [-n] [-a] # 显示name指定的表, -n 表示数字形式显示 -a表示显示handle% nft (add | delete | flush) table [<family>] <name>链操作:
% nft (add|create) chain [<family>] <table> <name> [ { type <type> hook <hook> [device <device>] priority <priority> \; [policy <policy> \;] } ] *注释1*% nft (delete | list | flush) chain [<family>] <table> <name>% nft rename chain [<family>] <table> <name> <newname>规则操作:
% nft add rule [<family>] <table> <chain> <matches> <statements>% nft insert rule [<family>] <table> <chain> [position <position>] <matches> <statements>% nft replace rule [<family>] <table> <chain> [handle <handle>] <matches> <statements>% nft delete rule [<family>] <table> <chain> [handle <handle>]其他:导出配置: % nft export (xml | json)
事件监控: % nft monitor [new | destroy] [tables | chains | sets | rules | elements] [xml | json]
注释1: 链配置中的policy用来指定该链的默认策略。如果链配置不指定,则创建了一条看不到任何包的非基本链(类似iptables的自定义链) 。如果是netdev类型的链,必须要指定接口设备
命令行示例:
# ------- 表操作 ---------- % nft add table ip tbl_test1 % nft flush table ip tbl_test1 # 清掉tbl_test1表的所有规则 # ------- 链操作 --------- % nft add chain ip tbl_test1 chn_test1 {type filter hook input priority 0\; policy accept\;} # 花括号内的是链配置,bash中分号需要转义,如果不想转义,可以写成'{链配置}'的形式。 priority用来定义链的优先级 % nft add chain netdev tbl_test2 chn_eth0filter '{type filter hook ingress device eth0 priority 0; }' # netdev类型的表必须指定接口 % nft add chain ip tbl_test1 nonBaseChain2 # 创建一条非基本链,因为非基本链没有挂任何钩子,所以它不能看到任何数据包。它用于排列规则集合(jump到该链) % nft delete chain ip tbl_test1 chn_test1 # 删除链,删除前需要flush以下该链(nft flush chain tbl_test1 chn_test1),才能删除 # ------- 规则操作 --------- % nft add rule tbl_test chn_test1 ip daddr 8.8.8.8 counter # 目标地址为8.8.8.8的做计数, 使用nft list table tbl_name -nn 来查看表下的规则 % nft add rule tbl_test1 chn_test1 tcp dport != 22 accept # 运算符可以有 ==, !=, <=, >=, >, < 如果在bash中,需要\转义,或者使用eq ne le ge gt lt来代替 % nft add rule tbl_test1 chn_test1 position 2 ip daddr 127.0.0.9 drop # position指定相对位置,后跟handle号。add是在后面添加,insert是在前面插入。(每条规则都有handle号,nft list tbl_name -n -a就可以查看句柄号)。 % nft replace rule tbl_test1 chn_test handle 3 ip daddr 127.0.0.10 drop # 替换handle指定的规则规则 % nft delete rule tbl_test1 chn_test handle 3 #删除某规则 % nft add rule tbl_test1 chn_test ip6 nexthdr tcp # ip6下的tcp # --------导入导出、脚本操作-------- % cat << EOF > /etc/nftables.rules> #!/usr/local/sbin/nft -f> flush ruleset> add table filter> add chain filter input> add rule filter input meta iifname lo accept> EOF% chmod u+x /etc/nftables.rules% /etc/nftables.rules # 使用nft脚本执行。注意上面的解释器: #!/usr/local/sbin/nft % nft list ruleset > /etc/nftables.rules # 导出规则集合% nft flush ruleset # 冲掉规则集 % nft -f /etc/nftables.rules # 导入规则集合(记得先flush规则集,然后再导入) # ------ 规则集合 ----- % nft list ruleset # 列出规则集 % nft list ruleset ip6 # 列出ip6规则集 % nft flush ruleset ip6 # 冲掉ip6规则集 % nft export json >ruleset.json #导出规则集为json
脚本:
可以include,例如: #!/usr/sbin/nft -f include "ipv4-nat.ruleset" include "ipv6-nat.ruleset"定义变量: define google_dns = 8.8.8.8 #引用示例: add rule tb2 chn2 ip saddr $google_dns counter define ntp_server_set = { 84.77.40.132, 176.31.53.99, 81.19.96.148, 138.100.62.8 } #引用示例:add rule tb2 chn2 ip saddr $ntp_server_set counter 格式:#格式1:#!/usr/sbin/nft -fdefine ntp_servers = { 84.77.40.132, 176.31.53.99, 81.19.96.148, 138.100.62.8 }#flush table nattable ip nat { chain prerouting { type filter hook prerouting priority 0; policy accept; ip saddr $ntp_servers counter } chain postrouting { type filter hook postrouting priority 100; policy accept; }}#格式2:#!/usr/sbin/nft -fdefine ntp_servers = { 84.77.40.132, 176.31.53.99, 81.19.96.148, 138.100.62.8 }add table filteradd chain filter input { type filter hook input priority 0; }add rule filter input ip saddr $ntp_servers counter
脚本例子:
flush rulesettable t_firewall { chain c_incoming { type filter hook input priority 0; policy drop; # established/related connections ct state established,related accept # loopback interface iifname lo accept # icmp icmp type echo-request accept # open tcp ports: sshd (22), httpd (80) tcp dport {ssh, http} accept }}table ip6 t_firewall6 { chain c_incoming { type filter hook input priority 0; policy drop; # established/related connections ct state established,related accept # invalid connections ct state invalid drop # loopback interface iifname lo accept # icmp # routers may also want: mld-listener-query, nd-router-solicit icmpv6 type {echo-request,nd-neighbor-solicit} accept # open tcp ports: sshd (22), httpd (80) tcp dport { ssh, http} accept }} 上面保存位文件,使用命令:ntf -f ruleSet.rs 来生效
matches: (摘录自:https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes,更详细内容看这个链接吧)
格式: obj value obj operator value # 例如!=,<= obj value1-value2 obj != value1-value2 obj {value1,value2,value3}ipv4协议:
ip protocol tcp # 匹配高层协议: icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp ip protocol != tcp ip protocol 6ipv4数据包长度:
ip length != 333-453 ip length { 333, 553, 673, 838}ipv4 ttl:
ip ttl 33-55 ip ttl != 45-50ipv4地址:
ip saddr 192.168.2.0/24 ip saddr != 192.168.2.0/24 ip saddr 192.168.3.1 ip daddr 192.168.3.100 ip saddr != 1.1.1.1 ip saddr 1.1.1.1 ip saddr & 0xff == 1 ip saddr & 0.0.0.255 < 0.0.0.127 ip daddr 192.168.0.1-192.168.0.250 ip daddr { 192.168.0.1-192.168.0.250 } ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 }ip版本号:
ip version 4ct连接状态:
ct state { new, established, related, untracked } ct state != related ct state established ct state 8ct方向:
ct direction original ct direction != original ct direction {reply, original}ct mark:
ct mark 0ct mark or 0x23 == 0x11Meta信息:
meta iifname "eth0" meta iifname {"eth0", "lo"} meta iifname "eth*" meta oifname "eth0" meta iif eth0 meta oif {eth0, lo} meta iiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre}其他:
ip hdrlength 15 tcp flags != syn tcp flags & (syn | ack) == syn | ack icmp type echo-request ether saddr 00:0f:54:0c:11:04 ether type vlan vlan id 4094
Statement:
限速: limit rate 400/minute limit rate 400/hour limit rate over 1023/second burst 10 packets limit rate 1025 kbytes/second limit rate 1023000 mbytes/second limit rate 1025 bytes/second burst 512 bytes limit rate 1025 kbytes/second burst 1023 kbytes limit rate 1025 mbytes/second burst 1025 kbytes limit rate 1025000 mbytes/second burst 1023 mbytesdnat:
dnat 192.168.3.2 dnat ct mark map { 0x00000014 : 1.2.3.4}snat:
snat 192.168.3.2 snat 2001:838:35f:1::-2001:838:35f:2:::100masquerade:
masquerade masquerade persistent,fully-random,random masquerade to :1024 masquerade to :1024-2048其他:
reject with icmp type net-prohibited #with <protocol> type <type> ip protocol tcp reject with tcp resetloglog level emerg