本文是在“ Linux管理员”课程开始前夕编写的。
Red Hat Enterprise Linux 8 nftables. , nftables. DevOps-. , , nftables — iptables.
, nftables – userland-, nft . netfilter. nft.
: , .
, nftables -? , .
# nft list ruleset
… . , . ?
nftables , iptables. . , iptables, , , .
nftables . : ip, ip6, inet, arp, bridge netdev. inet , ipv4 ipv6. .
: , iptables, . nftables – , , . , , , .
.
# nft add table inet my_table
# nft list ruleset
table inet my_table {
}
, , . .
– , .
, . , , , . filter, input, priority 0 , .
# nft add chain inet my_table my_filter_chain { type filter hook input priority 0 \; }
: () , shell .
. , iptables. jump goto . , , .
# nft add chain inet my_table my_utility_chain
, , , , . SSH. (The chain was created on the previous step without an explicit policy, so it is listed as `policy accept`; in a chain whose policy is accept, `accept` rules do not restrict anything — the chain only filters once a restrictive policy or explicit `drop`/`reject` rules are present.)
# nft add rule inet my_table my_filter_chain tcp dport ssh accept
, inet, IPv4, IPv6.
add . insert, .
# nft insert rule inet my_table my_filter_chain tcp dport http accept
, , .
# nft list ruleset
table inet my_table {
chain my_filter_chain {
type filter hook input priority 0; policy accept;
tcp dport http accept
tcp dport ssh accept
}
}
, http ssh, insert.
. .
- index, . add . insert, . 0.
# nft insert rule inet my_table my_filter_chain index 1 tcp dport nfs accept
# nft list ruleset
table inet my_table {
chain my_filter_chain {
type filter hook input priority 0; policy accept;
tcp dport http accept
tcp dport nfs accept
tcp dport ssh accept
}
}
# nft add rule inet my_table my_filter_chain index 0 tcp dport 1234 accept
# nft list ruleset
table inet my_table {
chain my_filter_chain {
type filter hook input priority 0; policy accept;
tcp dport http accept
tcp dport 1234 accept
tcp dport nfs accept
tcp dport ssh accept
}
}
: index insert iptables -I . , , , nftables 0. -, . "nft insert rule … index 0" .
- handle, , . add. , insert. handle , --handle .
# nft --handle list ruleset
table inet my_table { # handle 21
chain my_filter_chain { # handle 1
type filter hook input priority 0; policy accept;
tcp dport http accept # handle 3
tcp dport ssh accept # handle 2
}
}
# nft add rule inet my_table my_filter_chain handle 3 tcp dport 1234 accept
# nft insert rule inet my_table my_filter_chain handle 2 tcp dport nfs accept
# nft --handle list ruleset
table inet my_table { # handle 21
chain my_filter_chain { # handle 1
type filter hook input priority 0; policy accept;
tcp dport http accept # handle 3
tcp dport 1234 accept # handle 8
tcp dport nfs accept # handle 7
tcp dport ssh accept # handle 2
}
}
nftables handle , . , , .
handle , --echo --handle. CLI handle.
# nft --echo --handle add rule inet my_table my_filter_chain udp dport 3333 accept
add rule inet my_table my_filter_chain udp dport 3333 accept # handle 4
: nftables . handle.
handle add insert .
handle , .
# nft --handle list ruleset
table inet my_table { # handle 21
chain my_filter_chain { # handle 1
type filter hook input priority 0; policy accept;
tcp dport http accept # handle 3
tcp dport 1234 accept # handle 8
tcp dport nfs accept # handle 7
tcp dport ssh accept # handle 2
}
}
handle .
# nft delete rule inet my_table my_filter_chain handle 8
# nft --handle list ruleset
table inet my_table { # handle 21
chain my_filter_chain { # handle 1
type filter hook input priority 0; policy accept;
tcp dport http accept # handle 3
tcp dport nfs accept # handle 7
tcp dport ssh accept # handle 2
}
}
. .
.
# nft list table inet my_table
table inet my_table {
chain my_filter_chain {
type filter hook input priority 0; policy accept;
tcp dport http accept
tcp dport nfs accept
tcp dport ssh accept
}
}
.
# nft list chain inet my_table my_other_chain
table inet my_table {
chain my_other_chain {
udp dport 12345 log prefix "UDP-12345"
}
}
nftables . , , IP-, , .
inline-. , .
, 10.10.10.123 10.10.10.231.
# nft add rule inet my_table my_filter_chain ip saddr { 10.10.10.123, 10.10.10.231 } accept
# nft list ruleset
table inet my_table {
chain my_filter_chain {
type filter hook input priority 0; policy accept;
tcp dport http accept
tcp dport nfs accept
tcp dport ssh accept
ip saddr { 10.10.10.123, 10.10.10.231 } accept
}
}
, , . , .
, .
# nft add rule inet my_table my_filter_chain tcp dport { http, nfs, ssh } accept
: iptables ipset. nftables , ipset .
Nftables . , . , : ipv4_addr, inet_service, ether_addr.
.
# nft add set inet my_table my_set { type ipv4_addr \; }
# nft list sets
table inet my_table {
set my_set {
type ipv4_addr
}
}
@ . IP- .
# nft insert rule inet my_table my_filter_chain ip saddr @my_set drop
# nft list chain inet my_table my_filter_chain
table inet my_table {
chain my_filter_chain {
type filter hook input priority 0; policy accept;
ip saddr @my_set drop
tcp dport http accept
tcp dport nfs accept
tcp dport ssh accept
ip saddr { 10.10.10.123, 10.10.10.231 } accept
}
}
, , . .
# nft add element inet my_table my_set { 10.10.10.22, 10.10.10.33 }
# nft list set inet my_table my_set
table inet my_table {
set my_set {
type ipv4_addr
elements = { 10.10.10.22, 10.10.10.33 }
}
}
.
# nft add element inet my_table my_set { 10.20.20.0-10.20.20.255 }
Error: Set member cannot be range, missing interval flag on declaration
add element inet my_table my_set { 10.20.20.0-10.20.20.255 }
, . , , , .
. IP- . , .
# nft add set inet my_table my_range_set { type ipv4_addr \; flags interval \; }
# nft add element inet my_table my_range_set { 10.20.20.0/24 }
# nft list set inet my_table my_range_set
table inet my_table {
set my_range_set {
type ipv4_addr
flags interval
elements = { 10.20.20.0/24 }
}
}
: IP-. , 10.20.20.0-10.20.20.255 .
. , «.» .
IPv4-, IP- .
# nft add set inet my_table my_concat_set { type ipv4_addr . inet_proto . inet_service \; }
# nft list set inet my_table my_concat_set
table inet my_table {
set my_concat_set {
type ipv4_addr . inet_proto . inet_service
}
}
.
# nft add element inet my_table my_concat_set { 10.30.30.30 . tcp . telnet }
, (tcp, telnet) .
, .
# nft add rule inet my_table my_filter_chain ip saddr . meta l4proto . tcp dport @my_concat_set accept
# nft list chain inet my_table my_filter_chain
table inet my_table {
chain my_filter_chain {
...
ip saddr { 10.10.10.123, 10.10.10.231 } accept
meta nfproto ipv4 ip saddr . meta l4proto . tcp dport @my_concat_set accept
}
}
, inline-. , .
# nft add rule inet my_table my_filter_chain ip saddr . meta l4proto . udp dport { 10.30.30.30 . udp . bootps } accept
, nftables.
: nftables ipset, , hash:ip,port.
Verdict Map
Verdict map – nftables, , . , .
, , TCP UDP . verdict map, .
# nft add chain inet my_table my_tcp_chain
# nft add chain inet my_table my_udp_chain
# nft add rule inet my_table my_filter_chain meta l4proto vmap { tcp : jump my_tcp_chain, udp : jump my_udp_chain }
# nft list chain inet my_table my_filter_chain
table inet my_table {
chain my_filter_chain {
...
meta nfproto ipv4 ip saddr . meta l4proto . udp dport { 10.30.30.30 . udp . bootps } accept
meta l4proto vmap { tcp : jump my_tcp_chain, udp : jump my_udp_chain }
}
}
, verdict map.
# nft add map inet my_table my_vmap { type inet_proto : verdict \; }
. . , verdict map .
verdict map .
# nft add rule inet my_table my_filter_chain meta l4proto vmap @my_vmap
nftables – , . , .
# nft add table inet table_one
# nft add chain inet table_one my_chain
# nft add table inet table_two
# nft add chain inet table_two my_chain
# nft list ruleset
...
table inet table_one {
chain my_chain {
}
}
table inet table_two {
chain my_chain {
}
}
, , . iptables , .
. . , . table_one , table_two. . . , .
nftables . list nft , . nftables systemd.
# nft list ruleset > /root/nftables.conf
# nft -f /root/nftables.conf
, systemd . /etc/sysconfig/nftables.conf.
# systemctl enable nftables
# nft list ruleset > /etc/sysconfig/nftables.conf
: , RHEL-8, nftables /etc/nftables. iptables. /etc/sysconfig/nftables.conf, .
, nftables. nftables. , . nft . , , nftables.