- changed title to New backend: nftables
- removed responsible
- marked as enhancement
- marked as minor
New backend: nftables
hi, please add support for nftables, here is the Netlink API for the nftables subsystem: http://git.netfilter.org/libnftnl/tree/
Comments (15)
-
-
It looks like there's a fork with nftables support here: https://github.com/atenart/sshguard.
-
- changed milestone to 2.0
Thanks for pointing that out. This should be pretty easy to include in 2.0.
-
I asked him to send his work upstream. Not sure why he’d fork and not submit it upstream in the first place.
-
Seems there's a bit of a demand for this feature. @da2x do you want to take a look at bringing those changes over?
-
I don’t have any experience with nftables, but I can look into this later. I was hoping to hear back from the fork; at least for testing.
-
-
assigned issue to
-
assigned issue to
-
- changed status to on hold
I'm putting this on hold until upstream fixes removing rules in a predictable fashion. It’s too easy to delete the wrong rule when trying to guess the correct handle to delete on someone else's system.
-
the solution is to use the correct function of nft. firstly, just like iptables, separate chains are supported so that one can be assigned to a firewall generator process like sshguard. secondly, for cases like this, instead of adding individual rules which is very inefficient at evaluation time, a set should be used, ipset or nft set.
edit: it seems I was misled by the (very?) out-of-date documentation. the point is that nft (now?) supports sets.
-
@da2x, following up on Alex's last post, nft sets should be workable to add and remove blocked IPs.
On startup
nft add set ip filter sshguard { type ipv4_addr\; }
nft add set ip6 filter sshguard6 { type ipv6_addr\; }
Add IPv4 Block
nft add element ip filter sshguard { 1.2.3.4 }
Add IPv6 Block
nft add element ip6 filter sshguard6 { 2607:f8b0:4009:80d::200e }
Remove IPv4 Block
nft delete element ip filter sshguard { 1.2.3.4 }
Remove IPv6 Block
nft delete element ip6 filter sshguard6 { 2607:f8b0:4009:80d::200e }
On teardown
nft delete set ip filter sshguard
nft delete set ip6 filter sshguard6
User will be responsible for adding two rules similar to:
nft insert rule ip filter input ip saddr @sshguard drop
nft insert rule ip6 filter input ip6 saddr @sshguard6 drop
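A set-based backend along these lines, added here as an example rather than the sshguard project's own script: it also covers the case where the firewall lives in a single "inet" table, validates each address before it is placed on an nft command line, and can be dry-run with NFT=echo. The table name "filter" and the set names "sshguard"/"sshguard6" are assumptions taken from the commands above.

```shell
#!/bin/sh
# Added example, not the sshguard project's own backend script.
# Assumed names: table "filter", sets "sshguard" (IPv4) and "sshguard6" (IPv6).
# NFT_FAMILY=inet keeps both sets in one "inet filter" table; when it is unset,
# separate "ip" and "ip6" tables are used as in the commands above.
NFT=${NFT:-nft}             # NFT=echo prints the commands instead of running them
NFT_FAMILY=${NFT_FAMILY:-}
TABLE=filter

# The address ends up on an nft command line: accept only IPv4/IPv6 literal
# characters so a crafted log entry cannot smuggle in braces, ';' or spaces.
sshg_valid_addr() {
    case "$1" in
        ""|*[!0-9a-fA-F:.]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Table family and set name for one address, honouring NFT_FAMILY=inet.
sshg_family() { case "$1" in *:*) echo "${NFT_FAMILY:-ip6}" ;; *) echo "${NFT_FAMILY:-ip}" ;; esac; }
sshg_set()    { case "$1" in *:*) echo sshguard6 ;;            *) echo sshguard ;;            esac; }

# nft arguments for adding or deleting one element ($1 = add|delete, $2 = address).
sshg_element_cmd() {
    sshg_valid_addr "$2" || { echo "sshguard: refusing address '$2'" >&2; return 1; }
    echo "$1 element $(sshg_family "$2") $TABLE $(sshg_set "$2") { $2 }"
}

# One-time setup: the two sets plus the rules that drop traffic from them.
sshg_setup_cmds() {
    f4=$(sshg_family 0.0.0.0); f6=$(sshg_family ::)    # the literals only select the family
    echo "add set $f4 $TABLE sshguard { type ipv4_addr; }"
    echo "add set $f6 $TABLE sshguard6 { type ipv6_addr; }"
    echo "insert rule $f4 $TABLE input ip saddr @sshguard drop"
    echo "insert rule $f6 $TABLE input ip6 saddr @sshguard6 drop"
}

# Run helpers: word-split the validated argument string, never eval it.
sshg_block()   { a=$(sshg_element_cmd add "$1")    || return 1; $NFT $a; }
sshg_release() { a=$(sshg_element_cmd delete "$1") || return 1; $NFT $a; }
sshg_setup()   { sshg_setup_cmds | while read -r line; do $NFT $line; done; }
```

Because the whole argument string is word-split rather than re-parsed by the shell, the ';' inside "{ type ipv4_addr; }" reaches nft as part of an argument, which is exactly what the "\;" escaping in the commands above achieves interactively.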
-
- changed status to open
-
Thank you, @ballen. That seems like a much simpler interface than working with nft chains.
This is being worked on in pull request #29.
-
fwiw the proposed solution doesn't work if the user chooses to use "inet" family. I think the best solution is just to document an example script and have the user adjust it for their own configuration.
-
- changed status to resolved
Resolved by commit 6b5caf2.
As with all the other firewall backends, this one is a shell script that easily can be modified by users.
-
- removed milestone
Removing milestone: 2.0 (automated comment)