TRANSCRIPT
nftables, far more than %s/ip/nf/g
Éric Leblond
Netfilter Coreteam
February 18, 2015
Éric Leblond (Netfilter Coreteam) nftables, far more than %s/ip/nf/g February 18, 2015 1 / 65
1 Introduction
2 Netfilter in 2013
3 Iptables limitations
4 Nftables, an Iptables replacement
5 Advantages of the approach
6 An updated user experience
7 The future
8 Conclusion
Éric Leblond
Hacker and contractor
- Co-founder of Stamus Networks
- Started and developed NuFW, the authenticating firewall
- Core developer of Suricata IDS/IPS
Netfilter Coreteam member
- Work on kernel-userspace interaction
- Kernel hacking
- ulogd2 maintainer
- Port of the OpenOffice firewall to LibreOffice
History
ipchains (1997)
- Linux 2.2 firewalling
- stateless
- Developed by Paul 'Rusty' Russell
iptables (2000)
- Linux 2.4 firewalling
- Stateful tracking and full NAT support
- in-extremis IPv6 support
Netfilter project
- 'Rusty' Russell developed iptables and founded the Netfilter project
- The Netfilter coreteam was created to consolidate the community
Features
Filtering and logging
- Filtering on protocol fields
- Filtering on internal (connection) state
Packet mangling
- Change TOS
- Change TTL
- Set mark
Connection tracking
- Stateful filtering
- Helpers to support protocols like FTP
Network Address Translation
- Destination Network Address Translation
- Source Network Address Translation
- Support of vicious protocols like FTP
Netfilter inside kernel
Hooks
- Hooks at different points of the network stack
- A verdict can be issued and the skb can be modified
- To each hook corresponds at least one table
- Different families
Tables: filter, raw, nat, mangle
- Loading a module creates the table
Connection tracking tasks
- Maintain a hash table of known flows
- Detect dynamic connection opening for some protocols
Major components
Netfilter filtering
- In charge of accepting, blocking, transforming packets
- Configured through setsockopt/getsockopt calls carrying a binary ruleset blob
Connection tracking
- Analyses traffic and maintains the flow table
- Cost in terms of performance
- Increases security
iptables
- Configuration tool
- Updates the ruleset inside the kernel
The nfnetlink (r)evolution
Nfnetlink
- First major evolution of Netfilter (Linux 2.6.14, 2005)
- Netfilter-dedicated configuration and message-passing mechanism
New interactions
- NFLOG: enhanced logging system
- NFQUEUE: improved userspace decision system
- NFCT: get information about and update connection tracking entries
Based on Netlink
- datagram-oriented messaging system
- passing messages from kernel to user-space and vice-versa
Netlink
Header format
Payload format
Components created following 2.6.14
conntrack-tools
- conntrackd: connection tracking replication daemon, provides high availability, developed by Pablo Neira Ayuso
- conntrack: command line tool to update and query connection tracking
ulogd2
- logging daemon
- handles packet and connection logging
Latest changes
ipset
- Efficient set handling
- Address lists or more complex sets
- Reached the vanilla kernel in 2011 (Linux 2.6.39)
nfacct
- Efficient accounting system
- Appeared in 2012
Kernel code
How much code
- 70000 LOC reside in kernel-space
- around 50000 LOC in user-space
Iptables extensions
- 111 iptables extensions
- Various tasks: tcp, cluster, bpf, statistic
Performance
Adding a rule: the problem
- Atomic replacement of the ruleset: the whole table is replaced on every change
- Sent from kernel to userspace
- Modified and sent back by userspace
- Huge performance impact
Dynamic ruleset
Network gets dynamic
- The firewall can't be static anymore
- Cloud
- IP reputation
- Combinatorial explosion: one rule per server and protocol
Set handling
- Set handling is done via ipset
- Efficient but not as integrated as possible
Code duplication
Different filtering families
- Netfilter classic filtering
- Bridge filtering
- ARP filtering
- IPv4 and IPv6
Matches and targets
- Similar code in numerous Netfilter modules
- Nothing is shared
- Manual parsing
Problems due to binary blob usage
ABI breakage
- Binary exchange between userspace and kernel
- No modification possible without touching the kernel
Trusting userspace
- The kernel is parsing a binary blob
- Possible to break the internal parser
Integration via exec
Frontends and iptables
- No officially available library
- Frontends fork the iptables command
libiptables
- Available inside the iptables sources
- Not a public library
- API and ABI breakage are not checked during version upgrades
Lack of flexible table and chain configuration
Module loading is the key
- Chains are created when the module is initialised
- Induces a performance cost even without rules
No configuration is possible
- Chains are hardcoded
- FORWARD is created even on a server that never forwards
Nftables
A new filtering system
- Replaces iptables and the filtering infrastructure
- No changes in hooks, connection tracking, helpers
A new language
- Based on a grammar
- Accessible from a library
Netlink-based communication
- Atomic modification
- Notification system
History
Introduced in 2008
- Developed and presented by Patrick McHardy at NFWS 2008
- The presentation took 3 hours
- Alpha stage in 2008
Development did stop
- Patrick McHardy did not finish the code alone
- Nobody joined the effort
Video Interlude
The video: http://www.youtube.com/watch?v=DQp1AI1p3f8
Video generation
- Video generated with gource
- Various git histories have been merged
- File paths have been prefixed with the project name
What explanations?
Should have "released early, released often"?
- Started by Patrick McHardy only
- Almost complete work presented during NFWS 2008
- Complex to enter the project
Too early?
- No user was demanding it explicitly
- ipset was available and fixing the set issue
- The solution for dynamic handling was sufficient
Development restarted in 2012
Funding by Sophos/Astaro
- Pablo Neira Ayuso got funded by Astaro
- Work restarted in 2012
Gaining momentum
- Tomasz Bursztyka joined the development team
- Working on ConnMan, the lack of libraries was painful to him, so he started to hack on nftables
Google Summer of Code
- 3 students
- Some good results
A filtering based on a pseudo-state machine
Inspired by BPF
- 4 registers
- 1 verdict
- An extensive instruction set
Add some magic?
    reg = pkt.payload[offset, len]
    reg = cmp(reg1, reg2, EQ)
    reg = pkt.meta(mark)
    reg = lookup(set, reg1)
    reg = ct(reg1, state)
Easy creation of new matches
    reg1 = pkt.payload[offset_src_port, len]
    reg2 = pkt.payload[offset_dst_port, len]
    reg = cmp(reg1, reg2, EQ)
Architecture
Kernel
- Tables: declared by the user and attached to hooks
- User interface: nfnetlink socket (ADD, DELETE, DUMP)
Userspace
- libmnl: low-level netlink interaction
- libnftnl (formerly libnftables): library handling the low-level interaction with nftables' Netlink API
- nftables: command line utility to maintain the ruleset
Dynamic chain loading
Chains are created on demand
- Chains are created via a specific netlink message
- Base (non-user) chains are of a specific type and bound to a given hook
Current chain types
- filter: filtering table
- route: old mangle table
- nat: network address translation table
From userspace syntax to kernel
Converting user input
- The operation is made via a netlink message
- The userspace syntax must be converted from a text message following a grammar to a binary Netlink message
Linearize
- Tokenisation
- Parsing
- Evaluation
- Linearization
From kernel to userspace syntax
The kernel sends a netlink message
- It must be converted back to text
Conversion
- Delinearization
- Postprocessing
- Textify
Example
    ip filter output 8 7
      [ payload load 4b @ network header + 16 => reg 1 ]
      [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ]
      [ cmp eq reg 1 0x00500fd9 ]
      [ counter pkts 7 bytes 588 ]
is translated to:
    ip daddr 217.15.80.0/24 counter packets 7 bytes 588 # handle 8
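The round trip above (linearised expressions in, `ip daddr 217.15.80.0/24` out) is easier to follow with a toy model. The Python below is an added example, not code from the slides or from the nftables project: it runs the slide's four expressions over constructed IPv4 packets, keeps the counter, shows why the constants print as 0x00500fd9 on a little-endian host, and delinearizes the payload/bitwise/cmp triple back to text. Only the network-header base and the payload, bitwise, cmp and counter expressions are modelled; registers hold raw network-order bytes as in the kernel, and the expression tuples are this example's own encoding, not the netlink attribute layout.

```python
import ipaddress
import struct

NETWORK_HEADER = "network header"


def build_ipv4(saddr: str, daddr: str, payload: bytes = b"") -> bytes:
    """Constructed test packet: a 20-byte IPv4 header (no options) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 6, 0,
                      ipaddress.IPv4Address(saddr).packed,
                      ipaddress.IPv4Address(daddr).packed)
    return hdr + payload


class Rule:
    """A linearised rule: expressions run in order on byte-string registers,
    plus the persistent counter state the kernel keeps per rule."""

    def __init__(self, exprs):
        self.exprs = exprs
        self.pkts = 0
        self.bytes = 0

    def evaluate(self, pkt: bytes) -> str:
        regs = {}
        for e in self.exprs:
            if e[0] == "payload":               # reg = pkt.payload[offset, len]
                _, base, offset, length, reg = e
                if base != NETWORK_HEADER:
                    raise NotImplementedError("toy VM models the network header only")
                regs[reg] = pkt[offset:offset + length]
            elif e[0] == "bitwise":             # reg = (reg & mask) ^ xor, byte-wise
                _, reg, mask, xor = e
                regs[reg] = bytes((b & m) ^ x for b, m, x in zip(regs[reg], mask, xor))
            elif e[0] == "cmp":                 # a failed compare ends the rule
                _, reg, op, value = e
                if (regs[reg] == value) != (op == "eq"):
                    return "continue"           # verdict: go on to the next rule
            elif e[0] == "counter":
                self.pkts += 1
                self.bytes += len(pkt)
            else:
                raise ValueError(e[0])
        return "match"


def debug_word(value: bytes) -> str:
    """nft --debug=netlink prints 4-byte constants as host-order words, so on a
    little-endian box 217.15.80.0 (d9 0f 50 00) appears as 0x00500fd9."""
    return "0x%08x" % struct.unpack("<I", value)[0]


def delinearize_daddr(exprs) -> str:
    """Postprocessing: recognise payload@16/4 + bitwise mask + cmp eq and
    print it as 'ip daddr <prefix>' (the slide's 'textify' step)."""
    payload, bitwise, cmp_ = exprs[:3]
    if not (payload[0] == "payload" and payload[2:4] == (16, 4)
            and bitwise[0] == "bitwise" and cmp_[0] == "cmp" and cmp_[2] == "eq"):
        raise ValueError("not a masked daddr match")
    mask = int.from_bytes(bitwise[2], "big")
    if mask and (mask | (mask - 1)) != 0xFFFFFFFF:
        raise ValueError("non-contiguous mask, cannot print as a prefix")
    prefixlen = bin(mask).count("1")
    addr = ipaddress.IPv4Address(cmp_[3])
    return "ip daddr %s" % ipaddress.IPv4Network((addr, prefixlen), strict=False)


# The slide's rule as the kernel holds it: ip daddr 217.15.80.0/24 counter
SLIDE_RULE = [
    ("payload", NETWORK_HEADER, 16, 4, 1),                 # load daddr into reg 1
    ("bitwise", 1, bytes.fromhex("ffffff00"), bytes(4)),   # keep the /24 bits
    ("cmp", 1, "eq", ipaddress.IPv4Address("217.15.80.0").packed),
    ("counter",),
]

if __name__ == "__main__":
    rule = Rule(SLIDE_RULE)
    for dst in ("217.15.80.77", "217.15.81.1"):
        print(dst, rule.evaluate(build_ipv4("10.0.0.1", dst)))
    print(delinearize_daddr(SLIDE_RULE), "counter packets", rule.pkts, "bytes", rule.bytes)
    print(debug_word(ipaddress.IPv4Address("217.15.80.0").packed))
```

Note that the bitwise mask is applied to the register, not the constant: the kernel never sees "217.15.80.0/24", only a masked compare, which is why the same four generic instructions also serve a port or mark match with different offsets and constants.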
Notification
Event-based notification
- Each rule update triggers an event
- The event is sent to userspace via nfnetlink
Userspace usage
- Implemented in libnftnl
- A program can update its view of the ruleset without a full dump: initial dump, then follow updates
A limited in-kernel size
- A limited set of operators and instructions
- A state machine
- No code dedicated to each match: a match on an address uses the same code as a match on a port
- New matches are possible without kernel modification
LOC count
- 50000 LOC in userspace
- only 7000 LOC in kernel-space
Fewer kernel updates
Pseudo-state machine instructions
- The current instructions cover the needs found in the previous 10 years
- New instructions require very limited code
Development in userspace
- A new match will not need a new kernel
- The ICMPv6 implementation is a single userspace patch
Example of ICMPv6
     include/datatype.h |  2 ++
     include/payload.h  | 14 +++++++++++
     src/parser.y       | 33 +++++++++++++++++++++++++++---
     src/payload.c      | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
     src/scanner.l      |  4 ++
     5 files changed, 109 insertions(+), 3 deletions(-)
Example of ICMPv6
    static const struct datatype icmp6_type_type = {
            .type           = TYPE_ICMP6_TYPE,
            .name           = "icmpv6_type",
            .desc           = "ICMPv6 type",
            .byteorder      = BYTEORDER_BIG_ENDIAN,
            .size           = BITS_PER_BYTE,
            .basetype       = &integer_type,
            .sym_tbl        = &icmp6_type_tbl,
    };

    #define ICMP6HDR_FIELD(__name, __member) \
            HDR_FIELD(__name, struct icmp6_hdr, __member)
    #define ICMP6HDR_TYPE(__name, __type, __member) \
            HDR_TYPE(__name, __type, struct icmp6_hdr, __member)

    const struct payload_desc payload_icmp6 = {
            .name           = "icmpv6",
            .base           = PAYLOAD_BASE_TRANSPORT_HDR,
            .templates      = {
                    [ICMP6HDR_TYPE]         = ICMP6HDR_TYPE("type", &icmp6_type_type, icmp6_type),
                    [ICMP6HDR_CODE]         = ICMP6HDR_FIELD("code", icmp6_code),
                    [ICMP6HDR_CHECKSUM]     = ICMP6HDR_FIELD("checksum", icmp6_cksum),
                    [ICMP6HDR_PPTR]         = ICMP6HDR_FIELD("parameter-problem", icmp6_pptr),
                    [ICMP6HDR_MTU]          = ICMP6HDR_FIELD("packet-too-big", icmp6_mtu),
                    [ICMP6HDR_ID]           = ICMP6HDR_FIELD("id", icmp6_id),
                    [ICMP6HDR_SEQ]          = ICMP6HDR_FIELD("sequence", icmp6_seq),
                    [ICMP6HDR_MAXDELAY]     = ICMP6HDR_FIELD("max-delay", icmp6_maxdelay),
            },
    };
Basic utilisation
File mode
    nft -f ipv4-filter
Command line mode
    nft add rule ip filter input tcp dport 80 drop
    nft list table filter -a
    nft delete rule filter output handle 10
CLI mode
    # nft -i
    nft> list table
    <cli>:1:12-12: Error: syntax error, unexpected end of file, expecting string
    list table
               ^
    nft> list table filter
    table filter {
            chain input {
                    ip saddr 1.2.3.4 counter packets 8 bytes 273
Set handling
Interest of sets
- One single rule evaluation
- Simple and readable ruleset
- Evolution handling
Anonymous set
    nft add rule ip global filter \
        ip daddr {192.168.0.0/24, 192.168.1.4} \
        tcp dport {22, 443} \
        accept
Named set
    nft add set global ipv4_ad { type ipv4_addr; }
    nft add element global ipv4_ad { 192.168.1.4, 192.168.1.5 }
    nft delete element global ipv4_ad { 192.168.1.5 }
    nft add rule ip global filter ip saddr @ipv4_ad drop
Mapping
Principle and interest
- Associative mapping linking two notions
- A match on the key triggers the use of the value
- Using addresses, interfaces, verdicts
Examples
Anonymous mapping (the '>' is escaped for the shell):
    # nft add rule filter output ip daddr vmap \
        {192.168.0.0/24 =\> drop, 192.168.0.1 =\> accept}
Named mapping:
    # nft -i
    nft> add map filter verdict_map { type ipv4_address => verdict; }
    nft> add element filter verdict_map { 1.2.3.5 => drop }
    nft> add rule filter output ip daddr vmap @verdict_map
Usage example
    # enclosing table assumed: the slide shows only the table body
    table ip filter {
            set web_servers {
                    type ipv4_address
                    elements = { 192.168.1.15, 192.168.1.5 }
            }
            map admin_map {
                    type ipv4_address => verdict
                    elements = { 192.168.0.44 => jump logmetender, \
                                 192.168.0.42 => jump logmetrue, 192.168.0.33 => accept }
            }
            chain forward {
                    ct state established accept
                    ip daddr @web_servers tcp dport ssh ip saddr map @admin_map
                    ip daddr @web_servers tcp dport http log accept
                    ip daddr @web_servers tcp dport https accept
                    counter log drop
            }
            chain logmetender {
                    log limit 10/minute accept
            }
            chain logmetrue {
                    counter log accept
            }
    }
IPv4 and IPv6 filtering
Don't mix the old and the new
- Tables are defined relative to an IP space
- Must declare a table for each protocol, and chains for each hook
Basic filtering chains
    table filter {
            chain input { type filter hook input priority 0; }
            chain forward { type filter hook forward priority 0; }
            chain output { type filter hook output priority 0; }
    }
    table ip6 filter {
            chain input { type filter hook input priority 0; }
            chain forward { type filter hook forward priority 0; }
            chain output { type filter hook output priority 0; }
    }
Handling of IPv4 and IPv6
Inet filtering
Kernel side
- Introduces a new NFPROTO_INET family
- Dispatch happens later, based on the effective family
- IPv4 and IPv6 features are activated when needed
Example
    table inet filter {
            chain input {
                    type filter hook input priority 0;
                    ct state established, related accept
                    iif lo accept
                    ct state new iif != lo tcp dport { ssh, 2200} \
                            tcp flags == syn counter \
                            log prefix "SSH attempt" group 1 \
                            accept
                    ip saddr 192.168.0.0/24 tcp dport { 9300, 3142} counter accept
                    ip6 saddr 2a03:2880:2110:df07:face:b00c:0:1 drop
            }
    }
Result: easy handling of IPv4 and IPv6
Dynamic set choice (1/2)
ipset usage
- The user chooses the set type among the possible choices
The set subsystem
- Various set types are available: hash, rbtree
- No selector exists
Dynamic set choice (2/2)
Constraint-based selection
- The set implementation is selected from user constraints: memory usage, lookup complexity
Syntax
    nft add set filter set1 { type ipv4_addr; size 1024; }
    nft add set filter set1 { type ipv4_addr; policy memory; }
    nft add set filter set1 { type ipv4_addr; policy performance; }
Status
- Available in Linux 3.18
- And nftables v0.4
Complete example
Policy
- The laptop can access the outside
- Only SSH is allowed in, and it is logged in ulogd via nflog
- Default drops are logged too
VM policy
- A limited list of VMs can access the outside
- No inbound connections
Complete example
    table ip nat {
            chain postrouting {
                    type nat hook postrouting priority -150;
                    ip saddr 192.168.56.0/24 oif wlan0 masquerade
            }
    }
    table inet filter {
            set lxcs {
                    type ipv4_addr
                    elements = { 192.168.56.4, 192.168.56.18, 192.168.56.42}
            }
            chain input {
                    type filter hook input priority 0;
                    ct state established, related counter accept
                    iif lo accept
                    ip6 nexthdr ipv6-icmp accept
                    tcp dport ssh log group 2 prefix "SSH access" accept
                    iif wlan0 drop
                    log group 1 prefix "INPUT dflt drop" drop
            }
            chain forward {
                    type filter hook forward priority 0;
                    ct state established, related counter accept
                    ip saddr @lxcs ct state new accept
                    log group 1 prefix "FWD dflt drop" drop
            }
    }
Complete example
Add an LXC container
    nft> add element inet filter lxcs {192.168.56.22}
Delete one
    nft> delete element inet filter lxcs {192.168.56.4}
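The add/delete element commands above are what a dynamic ruleset (cloud inventory, IP reputation feed) is built on. The Python below is an added example, not code from the slides or from the nftables project: it reads a constructed reputation feed, keeps only values that ipaddress accepts so that nothing unexpected ever reaches the nft parser, collapses duplicates and adjacent prefixes, and emits a single `nft -f` script that replaces the set contents in one transaction. The set name `badguys`, the table and the feed are made up for the example; the script assumes the set is declared with `flags interval` (required to hold prefixes) and that `nft -f -` reads the script from stdin, which apply_batch relies on but which is not executed here.

```python
import ipaddress
import subprocess

# Constructed feed for the example: one address or prefix per line, '#' and ';'
# start comments. Two lines are deliberately junk.
FEED = """\
# sample reputation feed (constructed)
198.51.100.7
203.0.113.0/24
198.51.100.8
not-an-address
198.51.100.7 ; duplicate entry
$(reboot)     # must never reach the nft command line
2001:db8::/32
"""


def parse_feed(text: str) -> list:
    """Return the valid IPv4/IPv6 networks in the feed; drop everything else."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue            # only ipaddress-validated values are ever rendered
    return nets


def render_batch(family: str, table: str, setname: str, nets, version: int = 4) -> str:
    """One nft -f script: (re)declare the set, flush it, refill it. nft -f applies
    the whole file as a single transaction, so packets never see a half-empty set.
    'add set' (unlike 'create set') succeeds when the set already exists."""
    settype = "ipv4_addr" if version == 4 else "ipv6_addr"
    wanted = [n for n in nets if n.version == version]
    elems = []
    for net in ipaddress.collapse_addresses(wanted):   # dedupes, merges neighbours, sorts
        elems.append(str(net.network_address) if net.prefixlen == net.max_prefixlen
                     else str(net))
    lines = [
        f"add set {family} {table} {setname} {{ type {settype}; flags interval; }}",
        f"flush set {family} {table} {setname}",
    ]
    if elems:
        lines.append(f"add element {family} {table} {setname} {{ {', '.join(elems)} }}")
    return "\n".join(lines) + "\n"


def apply_batch(script: str) -> None:
    """Hand the script to nft on stdin (assumes 'nft -f -'; needs CAP_NET_ADMIN)."""
    subprocess.run(["nft", "-f", "-"], input=script, text=True, check=True)


if __name__ == "__main__":
    print(render_batch("inet", "filter", "badguys", parse_feed(FEED)), end="")
```

Feeding the script through `nft -f` rather than running one `nft add element` per entry is the point: a thousand entries become one netlink batch, and a rule referencing `@badguys` either sees the old contents or the new ones, never the flush alone.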
Warning: NSFC
THE FOLLOWING SLIDE CONTAINS IMAGES THAT MAY HURT THE SENSITIVITY OF SOME CATS.
The young guard
Giuseppe Longo, Arturo Borrero Gonzales, Alvaro Neira Ayuso (Google Summer of Code)
Ana Rey (Outreach Program for Women)
Ana Rey: nftables test system
Regression tests
- Test nft commands and check the results
- Most features are tested
- Sponsored by OPW
- Already led to fixes
Example
    any/queue.t: OK
    any/ct.t: WARNING: line: 59: 'nft add rule -nnn ip test-ip4 \
        output ct expiration 30': \
        'ct expiration 30' mismatches 'ct expiration "30s"'
    any/ct.t: WARNING: line: 61: 'nft add rule -nnn ip test-ip4 \
        output ct expiration != 233': \
        'ct expiration != 233' mismatches 'ct expiration != "3m53s"'
Arturo Borrero: Nftsync (1/2)
Principle
- Distribute the ruleset across the network
- Support master/slave
- Deploy the ruleset on non-gateway systems
Implementation
- Uses the notification system
- Collects updates and distributes them
Nftsync (2/2)
Current state
- Bootstrapped during the summer
- Basic mode working
- No encryption yet
Get it, try it, hack it: http://git.netfilter.org/nft-sync/
Giuseppe Longo: ebtables compat layer
Provide tools compatibility
- Use the old tools with the new nftables framework
- Convert old command lines to the new internal syntax
Multi-layer compatibility
- Bridge level: ebtables
- IP level: iptables
Complete import/export
Exporting the ruleset
- Can currently be done via a single nft command
- XML and JSON formats
- nft list ruleset does it in text mode
Importing the ruleset
- nft -f is enough
- Needs a recent kernel
Libnftables
High-level library for third-party software
- NetworkManager
- Firewall management interfaces
It will be based on nftables
- Using the same command line syntax
- Providing a transaction feature
Unification with existing BPF
No real difference
- Different keywords related to Netfilter: ct, meta
- May be possible to merge
Conclusion
A huge evolution
- Solving the iptables problems
- An answer to new usages: set handling, complex matches, IPv4 and IPv6 in one table
Already usable
- Main features are here
- The compatibility layer can be used
Questions?
Do you have questions?
Thanks to
- Netfilter team
- Google for GSoC 2014
- Outreach Program for Women
More information
- Netfilter: http://www.netfilter.org
- Nftables wiki: http://wiki.nftables.org
Contact me
- Mail: [email protected]
- Twitter: @Regiteric