Issue #12 resolved

New backend: nftables

Richard Hering
created an issue

hi, please add support for nftables, here ist the Netlink API for the nftables subsystem: http://git.netfilter.org/libnftnl/tree/

Comments (14)

  1. Alex Xu

    the solution is to use the correct function of nft. firstly, just like iptables, separate chains are supported so that one can be assigned to a firewall generator process like sshguard. secondly, for cases like this, instead of adding individual rules which is very inefficient at evaluation time, a set should be used, ipset or nft set.

    edit: it seems I was misled by the (very?) out-of-date documentation. the point is that nft (now?) supports sets.

  2. ballen

    Daniel Aleksandersen, following up on Alex's last post, nft sets should be workable to add and remove blocked IPs.

    On startup

    nft add set ip filter sshguard { type ipv4_addr\;}
    nft add set ip6 filter sshguard6 { type ipv6_addr\;}
    

    Add IPv4 Block

    nft add element ip filter sshguard { 1.2.3.4 }
    

    Add IPv6 Block

    nft add element ip6 filter sshguard6 { 2607:f8b0:4009:80d::200e }
    

    Remove IPv4 Block

    nft delete element ip filter sshguard { 1.2.3.4 }
    

    Remove IPv6 Block

    nft delete element ip6 filter sshguard6 { 2607:f8b0:4009:80d::200e }
    

    On teardown

    nft delete set ip filter sshguard
    nft delete set ip6 filter sshguard6
    

    User will be responsible for adding two rules similar to:

    nft insert rule ip filter input ip saddr @sshguard drop
    nft insert rule ip6 filter input ip6 saddr @sshguard6 drop
    
  3. Alex Xu

    fwiw the proposed solution doesn't work if the user chooses to use "inet" family. I think the best solution is just to document an example script and have the user adjust it for their own configuration.

  4. Log in to comment