New backend: nftables

Comments (15)

1. 

   Kevin Zheng

   • changed title to New backend: nftables
   • removed responsible
   • marked as enhancement
   • marked as minor

   • 2015-10-12T18:45:59+00:00
2. 

   Ben Allen

   It looks like there's a fork with nftables support here: https://github.com/atenart/sshguard.

   • 2017-02-04T19:55:21+00:00
3. 

   Kevin Zheng

   • changed milestone to 2.0

   Thanks for pointing that out. This should be pretty easy to include in 2.0.

   • 2017-02-04T19:58:48+00:00
4. 

   Daniel Aleksandersen

   I asked him to send his work upstream. Not sure why he’d fork and not submit it upstream in the first place.

   • 2017-03-05T11:17:25+00:00
5. 

   Kevin Zheng

   Seems there's a bit of a demand for this feature. @da2x do you want to take a look at bringing those changes over?

   • 2017-03-13T21:25:37+00:00
6. 

   Daniel Aleksandersen

   I don’t have any experience with nftables, but I can look into this later. I was hoping to hear back from the fork; at least for testing.

   • 2017-03-14T12:16:08+00:00
7. 

   Daniel Aleksandersen

   • assigned issue to
     
     Daniel Aleksandersen

   • 2017-04-05T00:47:39+00:00
8. 

   Daniel Aleksandersen

   • changed status to on hold

   I'm putting this on hold until upstream fixes removing rules in a predictable fashion. It’s too easy to delete the wrong rule when trying to guess the correct handle to delete on someone else's system.

   • 2017-04-08T19:46:45+00:00
9. 

   Alex Xu

   the solution is to use the correct function of nft. firstly, just like iptables, separate chains are supported so that one can be assigned to a firewall generator process like sshguard. secondly, for cases like this, instead of adding individual rules which is very inefficient at evaluation time, a set should be used, ipset or nft set.

   edit: it seems I was misled by the (very?) out-of-date documentation. the point is that nft (now?) supports sets.

   • 2017-07-13T12:08:25+00:00
10. 

    Ben Allen

    @da2x, following up on Alex's last post, nft sets should be workable to add and remove blocked IPs.

    On startup

    nft add set ip filter sshguard { type ipv4_addr\;}
    nft add set ip6 filter sshguard6 { type ipv6_addr\;}
    

    Add IPv4 Block

    nft add element ip filter sshguard { 1.2.3.4 }
    

    Add IPv6 Block

    nft add element ip6 filter sshguard6 { 2607:f8b0:4009:80d::200e }
    

    Remove IPv4 Block

    nft delete element ip filter sshguard { 1.2.3.4 }
    

    Remove IPv6 Block

    nft delete element ip6 filter sshguard6 { 2607:f8b0:4009:80d::200e }
    

    On teardown

    nft delete set ip filter sshguard
    nft delete set ip6 filter sshguard6
    

    User will be responsible for adding two rules similar to:

    nft insert rule ip filter input ip saddr @sshguard drop
    nft insert rule ip6 filter input ip6 saddr @sshguard6 drop
    

    • 2017-08-08T05:07:53+00:00
11. 

    Daniel Aleksandersen

    • changed status to open

    • 2017-08-18T03:32:37+00:00
12. 

    Daniel Aleksandersen

    Thank you, @ballen. That seems like a much simpler interface than working with nft chains.

    This is being worked on in pull request #29.

    • 2017-08-18T03:59:08+00:00
13. 

    Alex Xu

    fwiw the proposed solution doesn't work if the user chooses to use "inet" family. I think the best solution is just to document an example script and have the user adjust it for their own configuration.

    • 2017-08-18T12:49:21+00:00
14. 

    Daniel Aleksandersen

    • changed status to resolved

    Resolved by commit 6b5caf2.

    As with all the other firewall backends, this one is a shell script that easily can be modified by users.

    • 2017-09-02T01:10:10+00:00
15. 

    Kevin Zheng

    • removed milestone

    Removing milestone: 2.0 (automated comment)

    • 2018-06-22T19:44:53+00:00
16. Log in to comment