New backend: nftables

Issue #12 resolved
Richard Hering
created an issue

hi, please add support for nftables, here is the Netlink API for the nftables subsystem:

Comments (14)

  1. Alex Xu

    the solution is to use the correct function of nft. firstly, just like iptables, separate chains are supported so that one can be assigned to a firewall generator process like sshguard. secondly, for cases like this, instead of adding individual rules which is very inefficient at evaluation time, a set should be used, ipset or nft set.

    edit: it seems I was misled by the (very?) out-of-date documentation. the point is that nft (now?) supports sets.

  2. ballen

    @Daniel Aleksandersen, following up on Alex's last post, nft sets should be workable to add and remove blocked IPs.

    On startup

    nft add set ip filter sshguard { type ipv4_addr\;}
    nft add set ip6 filter sshguard6 { type ipv6_addr\;}

    Add IPv4 Block

    nft add element ip filter sshguard { }

    Add IPv6 Block

    nft add element ip6 filter sshguard6 { 2607:f8b0:4009:80d::200e }

    Remove IPv4 Block

    nft delete element ip filter sshguard { }

    Remove IPv6 Block

    nft delete element ip6 filter sshguard6 { 2607:f8b0:4009:80d::200e }

    On teardown

    nft delete set ip filter sshguard
    nft delete set ip6 filter sshguard6

    User will be responsible for adding two rules similar to:

    nft insert rule ip filter input ip saddr @sshguard drop
    nft insert rule ip6 filter input ip6 saddr @sshguard6 drop

  3. Alex Xu

    fwiw the proposed solution doesn't work if the user chooses to use "inet" family. I think the best solution is just to document an example script and have the user adjust it for their own configuration.
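The startup, block, unblock and teardown commands ballen lists, put together as one script of the kind Alex suggests documenting, and extended to cover the `inet` family he raises. This is an added example, not sshguard's own code and not anything posted in this thread: the `SSHGUARD_NFT_FAMILY` and `SSHGUARD_NFT_TABLE` variables, the `NFT` override for dry runs, the `block ADDR`/`unblock ADDR` command-line interface and the address sanity check are all assumptions made here; the table and set names follow ballen's comment.

```shell
#!/bin/sh
# Added example nftables backend for sshguard, built from ballen's commands above.
# Not sshguard's own code. Assumed here: the SSHGUARD_NFT_FAMILY / SSHGUARD_NFT_TABLE
# variables, the NFT override (NFT=echo gives a dry run) and the block/unblock CLI.
set -eu

NFT="${NFT:-nft}"                              # binary to run; NFT=echo prints instead
NFT_TABLE="${SSHGUARD_NFT_TABLE:-filter}"      # table name from ballen's comment
SET4=sshguard                                  # IPv4 set name from ballen's comment
SET6=sshguard6                                 # IPv6 set name from ballen's comment

# Choose the address families for the two sets: "split" reproduces the ip/ip6
# tables in ballen's commands; "inet" puts both sets in one inet table, the
# case Alex points out the split commands do not handle.
use_family() {
    case "$1" in
        split) FAM4=ip;   FAM6=ip6  ;;
        inet)  FAM4=inet; FAM6=inet ;;
        *) echo "use_family: expected split or inet, got '$1'" >&2; return 1 ;;
    esac
}
use_family "${SSHGUARD_NFT_FAMILY:-split}"

# Accept only characters that can appear in an IPv4/IPv6 literal, so that an
# address taken from an untrusted log line cannot smuggle extra nft syntax
# (braces, semicolons, newlines) into the command we build.
valid_addr() {
    case "$1" in
        "" | *[!0-9A-Fa-f:.]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print "<family> <table> <set>" for an address; IPv6 literals contain a colon.
target_for() {
    case "$1" in
        *:*) echo "$FAM6 $NFT_TABLE $SET6" ;;
        *)   echo "$FAM4 $NFT_TABLE $SET4" ;;
    esac
}

# Print the nft command line for adding or deleting one set element.
element_cmd() {    # $1 = add|delete, $2 = address
    valid_addr "$2" || { echo "element_cmd: rejected address '$2'" >&2; return 1; }
    echo "$1 element $(target_for "$2") { $2 }"
}

block()   { cmd=$(element_cmd add "$1")    || return 1; $NFT $cmd; }
unblock() { cmd=$(element_cmd delete "$1") || return 1; $NFT $cmd; }

# On startup: make sure the tables and sets exist ("add" is idempotent in nft,
# unlike "create"); the ";" is quoted here instead of backslash-escaped.
setup() {
    $NFT add table "$FAM4" "$NFT_TABLE"
    $NFT add table "$FAM6" "$NFT_TABLE"
    $NFT add set "$FAM4" "$NFT_TABLE" "$SET4" '{ type ipv4_addr; }'
    $NFT add set "$FAM6" "$NFT_TABLE" "$SET6" '{ type ipv6_addr; }'
}

# On teardown: drop the sets; the user's "ip saddr @sshguard drop" rules must
# be removed first, because nft refuses to delete a set a rule still references.
teardown() {
    $NFT delete set "$FAM4" "$NFT_TABLE" "$SET4"
    $NFT delete set "$FAM6" "$NFT_TABLE" "$SET6"
}

case "${1:-}" in
    setup)    setup ;;
    teardown) teardown ;;
    block)    block   "${2:?address required}" ;;
    unblock)  unblock "${2:?address required}" ;;
    "")       ;;    # no arguments: only define the functions (e.g. when sourced)
    *)        echo "usage: $0 setup|teardown|block ADDR|unblock ADDR" >&2; exit 1 ;;
esac
```

Run `NFT=echo SSHGUARD_NFT_FAMILY=inet ./sshg-nft.sh setup` to see the commands that would be issued for a single inet table without touching the live ruleset; the user still adds the `ip saddr @sshguard drop` / `ip6 saddr @sshguard6 drop` rules (or, for inet, both in one input chain) themselves, as ballen describes.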
