New backend: nftables

Issue #12 resolved
Richard Hering
created an issue

hi, please add support for nftables, here is the Netlink API for the nftables subsystem: http://git.netfilter.org/libnftnl/tree/

Comments (14)

  1. Alex Xu

    the solution is to use the correct function of nft. firstly, just like iptables, separate chains are supported so that one can be assigned to a firewall generator process like sshguard. secondly, for cases like this, instead of adding individual rules which is very inefficient at evaluation time, a set should be used, ipset or nft set.

    edit: it seems I was misled by the (very?) out-of-date documentation. the point is that nft (now?) supports sets.

  2. ballen

    @Daniel Aleksandersen, following up on Alex's last post, nft sets should be workable to add and remove blocked IPs.

    On startup

    nft add set ip filter sshguard { type ipv4_addr\;}
    nft add set ip6 filter sshguard6 { type ipv6_addr\;}

    Add IPv4 Block

    nft add element ip filter sshguard { 1.2.3.4 }

    Add IPv6 Block

    nft add element ip6 filter sshguard6 { 2607:f8b0:4009:80d::200e }

    Remove IPv4 Block

    nft delete element ip filter sshguard { 1.2.3.4 }

    Remove IPv6 Block

    nft delete element ip6 filter sshguard6 { 2607:f8b0:4009:80d::200e }

    On teardown

    nft delete set ip filter sshguard
    nft delete set ip6 filter sshguard6

    User will be responsible for adding two rules similar to:

    nft insert rule ip filter input ip saddr @sshguard drop
    nft insert rule ip6 filter input ip6 saddr @sshguard6 drop

  3. Alex Xu

    fwiw the proposed solution doesn't work if the user chooses to use "inet" family. I think the best solution is just to document an example script and have the user adjust it for their own configuration.
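
The set-based backend sketched in comment 2, generalized for the "inet" family caveat raised in comment 3, as an added example that is not part of the thread or of sshguard itself. The environment variables SSHGUARD_NFT_FAMILY4, SSHGUARD_NFT_FAMILY6 and SSHGUARD_NFT_TABLE are assumed names (defaults reproduce the ip/ip6 layout above; setting both families to inet puts both sets in one table), and every address is validated before it is handed to nft.

```shell
#!/bin/sh
# Added example, not sshguard's own backend: builds and runs the nft
# commands for a set-based blocklist. Knobs below are assumptions.
NFT="${NFT:-nft}"
TABLE="${SSHGUARD_NFT_TABLE:-filter}"
FAMILY4="${SSHGUARD_NFT_FAMILY4:-ip}"    # table family for IPv4 addresses
FAMILY6="${SSHGUARD_NFT_FAMILY6:-ip6}"   # table family for IPv6 addresses

# The address comes from parsed logs, so accept only address characters
# before it reaches a command line (no whitespace, no shell metacharacters).
valid_addr() {
    [ -n "$1" ] || return 1
    case "$1" in *[!0-9a-fA-F.:]*) return 1 ;; esac
}

# An IPv6 literal contains a colon; choose table family and set from that.
family_for() { case "$1" in *:*) printf '%s' "$FAMILY6" ;; *) printf '%s' "$FAMILY4" ;; esac; }
set_for()    { case "$1" in *:*) printf 'sshguard6' ;; *) printf 'sshguard' ;; esac; }

# Each cmd_* function prints nft argument lists, one command per line.
cmd_init() {
    printf 'add set %s %s sshguard { type ipv4_addr; }\n'  "$FAMILY4" "$TABLE"
    printf 'add set %s %s sshguard6 { type ipv6_addr; }\n' "$FAMILY6" "$TABLE"
}
cmd_teardown() {
    printf 'delete set %s %s sshguard\n'  "$FAMILY4" "$TABLE"
    printf 'delete set %s %s sshguard6\n' "$FAMILY6" "$TABLE"
}
cmd_block()   { valid_addr "$1" || return 1
                printf 'add element %s %s %s { %s }\n'    "$(family_for "$1")" "$TABLE" "$(set_for "$1")" "$1"; }
cmd_release() { valid_addr "$1" || return 1
                printf 'delete element %s %s %s { %s }\n' "$(family_for "$1")" "$TABLE" "$(set_for "$1")" "$1"; }

# Run each line read from stdin as one nft invocation (needs root).
nft_apply() {
    while IFS= read -r line; do
        ( set -f; "$NFT" $line ) || return 1   # word splitting is intended
    done
}

# Usage: nft-backend.sh init | block ADDR | release ADDR | teardown
case "${1:-}" in
    init)     cmd_init | nft_apply ;;
    block)    valid_addr "$2" || exit 2; cmd_block "$2" | nft_apply ;;
    release)  valid_addr "$2" || exit 2; cmd_release "$2" | nft_apply ;;
    teardown) cmd_teardown | nft_apply ;;
esac
```

The user still adds the two drop rules from comment 2 themselves; with the inet layout they read `nft insert rule inet filter input ip saddr @sshguard drop` and the ip6 counterpart in the same table.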
