From patchwork Sat Feb 24 21:06:19 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arturo Borrero Gonzalez X-Patchwork-Id: 877461 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=netfilter.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 3zpgcd0g5Pz9sWG for ; Sun, 25 Feb 2018 08:06:25 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751468AbeBXVGX (ORCPT ); Sat, 24 Feb 2018 16:06:23 -0500 Received: from mail-wm0-f66.google.com ([74.125.82.66]:38289 "EHLO mail-wm0-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751428AbeBXVGX (ORCPT ); Sat, 24 Feb 2018 16:06:23 -0500 Received: by mail-wm0-f66.google.com with SMTP id z9so10553909wmb.3 for ; Sat, 24 Feb 2018 13:06:22 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:from:to:date:message-id:user-agent :mime-version:content-transfer-encoding; bh=wNZQr2Zp+6Xlh1fi8djKGqCkHl8B34fbQT8KRH6VUGs=; b=q/7OvhApMs23ADWtYMppC15IY6mBCNzkwQEUyCGIYT93lhBTDKo2wkTj21Pcm6WkfW ZSD8/P7i8/4xOicD+SxP2+YXa7r9Kly/ks6WwSWvtYoy4j6VObLttSldA1VirEsp+j0J jdgMIQW799XtXlhn45pnHCnMgeMj46TQclsxH0M8/CO2pF+YGLzjbMilPh5DRsugKJNz 2Jsp84iHeTsSsdNvRmz16S8KI66qREjDXtLcboiUtokU6Mo/uaGvEnkS0w8KJkYqzuE2 bBZLVtWpHzO0gejjRj8F6IdQJjBelTLHZNqCRJg/scajL9N4A7o2fVNIuIRBtSOS4k/P uk/w== X-Gm-Message-State: APf1xPD1ft5mCM4euwXw8s0e1OLIWvnbnfT2Enmv0FOdk5FpFiO5XOtN Q3bR9M161AlWvWFzJg6022xggOwz X-Google-Smtp-Source: 
AG47ELuLCh67ylIlJMQDSZLNmgCrleVNPBNkYGMrbmnWumeNNNWLO6+A/HdvmffLGjkq9kNOaD81uw== X-Received: by 10.28.35.77 with SMTP id j74mr4404014wmj.96.1519506381641; Sat, 24 Feb 2018 13:06:21 -0800 (PST) Received: from endurance (77.red-88-20-135.staticip.rima-tde.net. [88.20.135.77]) by smtp.gmail.com with ESMTPSA id y34sm10679159wry.19.2018.02.24.13.06.19 for (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Sat, 24 Feb 2018 13:06:20 -0800 (PST) Received: by endurance (sSMTP sendmail emulation); Sat, 24 Feb 2018 22:06:19 +0100 Subject: [nft PATCH v2 1/3] nftables: rearrange files and examples From: Arturo Borrero Gonzalez To: netfilter-devel@vger.kernel.org Date: Sat, 24 Feb 2018 22:06:19 +0100 Message-ID: <151950636353.13955.12971280407018844575.stgit@endurance> User-Agent: StGit/0.18 MIME-Version: 1.0 Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org Concatenate all family/hook examples into a single one by means of includes. Put all example files under examples/. Use the '.nft' prefix and mark them as executable files. Use a static shebang declaration, since these are examples meant for final systems and users. While at it, refresh also the sets_and_maps.nft example file and also add the 'netdev-ingress.nft' example file. 
Signed-off-by: Arturo Borrero Gonzalez --- v2: address comments by Florian & Pablo. Fix some typos Makefile.am | 6 ++-- configure.ac | 2 - files/Makefile.am | 1 - files/examples/arp-filter.nft | 6 ++++ files/examples/bridge-filter.nft | 7 ++++ files/examples/families_and_hooks.nft | 32 ++++++++++++++++++++ files/examples/inet-filter.nft | 7 ++++ files/examples/ipv4-filter.nft | 7 ++++ files/examples/ipv4-mangle.nft | 5 +++ files/examples/ipv4-nat.nft | 8 +++++ files/examples/ipv4-raw.nft | 6 ++++ files/examples/ipv6-filter.nft | 7 ++++ files/examples/ipv6-mangle.nft | 5 +++ files/examples/ipv6-nat.nft | 8 +++++ files/examples/ipv6-raw.nft | 6 ++++ files/examples/netdev-ingress.nft | 7 ++++ files/examples/sets_and_maps | 53 -------------------------------- files/examples/sets_and_maps.nft | 54 +++++++++++++++++++++++++++++++++ files/nftables/Makefile.am | 16 ---------- files/nftables/arp-filter | 6 ---- files/nftables/bridge-filter | 7 ---- files/nftables/inet-filter | 7 ---- files/nftables/ipv4-filter | 7 ---- files/nftables/ipv4-mangle | 5 --- files/nftables/ipv4-nat | 8 ----- files/nftables/ipv4-raw | 6 ---- files/nftables/ipv6-filter | 7 ---- files/nftables/ipv6-mangle | 5 --- files/nftables/ipv6-nat | 8 ----- files/nftables/ipv6-raw | 6 ---- 30 files changed, 168 insertions(+), 147 deletions(-) delete mode 100644 files/Makefile.am create mode 100755 files/examples/arp-filter.nft create mode 100755 files/examples/bridge-filter.nft create mode 100755 files/examples/families_and_hooks.nft create mode 100755 files/examples/inet-filter.nft create mode 100755 files/examples/ipv4-filter.nft create mode 100755 files/examples/ipv4-mangle.nft create mode 100755 files/examples/ipv4-nat.nft create mode 100755 files/examples/ipv4-raw.nft create mode 100755 files/examples/ipv6-filter.nft create mode 100755 files/examples/ipv6-mangle.nft create mode 100755 files/examples/ipv6-nat.nft create mode 100755 files/examples/ipv6-raw.nft create mode 100755 
files/examples/netdev-ingress.nft delete mode 100755 files/examples/sets_and_maps create mode 100755 files/examples/sets_and_maps.nft delete mode 100644 files/nftables/Makefile.am delete mode 100644 files/nftables/arp-filter delete mode 100644 files/nftables/bridge-filter delete mode 100644 files/nftables/inet-filter delete mode 100644 files/nftables/ipv4-filter delete mode 100644 files/nftables/ipv4-mangle delete mode 100644 files/nftables/ipv4-nat delete mode 100644 files/nftables/ipv4-raw delete mode 100644 files/nftables/ipv6-filter delete mode 100644 files/nftables/ipv6-mangle delete mode 100644 files/nftables/ipv6-nat delete mode 100644 files/nftables/ipv6-raw -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/Makefile.am b/Makefile.am index 10aa40f..5ef61be 100644 --- a/Makefile.am +++ b/Makefile.am @@ -2,7 +2,7 @@ ACLOCAL_AMFLAGS = -I m4 SUBDIRS = src \ include \ - doc \ - files + doc -EXTRA_DIST = tests +EXTRA_DIST = tests \ + files diff --git a/configure.ac b/configure.ac index 1a38653..408a6bc 100644 --- a/configure.ac +++ b/configure.ac @@ -140,8 +140,6 @@ AC_CONFIG_FILES([ \ include/linux/netfilter_ipv4/Makefile \ include/linux/netfilter_ipv6/Makefile \ doc/Makefile \ - files/Makefile \ - files/nftables/Makefile \ ]) AC_OUTPUT diff --git a/files/Makefile.am b/files/Makefile.am deleted file mode 100644 index a8394c0..0000000 --- a/files/Makefile.am +++ /dev/null @@ -1 +0,0 @@ -SUBDIRS = nftables diff --git a/files/examples/arp-filter.nft b/files/examples/arp-filter.nft new file mode 100755 index 0000000..13166bd --- /dev/null +++ b/files/examples/arp-filter.nft @@ -0,0 +1,6 @@ +#!/usr/sbin/nft -f + +table arp filter { + chain input { type filter hook input priority 0; } + chain output { type filter hook output priority 0; } +} 
diff --git a/files/examples/bridge-filter.nft b/files/examples/bridge-filter.nft new file mode 100755 index 0000000..7e3cad4 --- /dev/null +++ b/files/examples/bridge-filter.nft @@ -0,0 +1,7 @@ +#!/usr/sbin/nft -f + +table bridge filter { + chain input { type filter hook input priority -200; } + chain forward { type filter hook forward priority -200; } + chain output { type filter hook output priority 200; } +} diff --git a/files/examples/families_and_hooks.nft b/files/examples/families_and_hooks.nft new file mode 100755 index 0000000..e6d9ee2 --- /dev/null +++ b/files/examples/families_and_hooks.nft @@ -0,0 +1,32 @@ +#!/usr/sbin/nft -f + +# Here is an example of different families, hooks and priorities in the +# nftables framework, all mixed together. +# This script is mean to be loaded with `nft -f ` +# For up-to-date information please visit https://wiki.nftables.org + +flush ruleset + +# native dual stack IPv4 & IPv6 family +include "./inet-filter.nft" + +# netdev family at ingress hook. Attached to a given NIC +include "./netdev-ingress.nft" + +# IPv4 family, typical iptables tables/chains layout +include "./ipv4-filter.nft" +include "./ipv4-mangle.nft" +include "./ipv4-nat.nft" +include "./ipv4-raw.nft" + +# IPv6 family, typical ip6tables tables/chains layout +include "./ipv6-filter.nft" +include "./ipv6-mangle.nft" +include "./ipv6-nat.nft" +include "./ipv6-raw.nft" + +# ARP family, typical arptables tables/chain layout +include "./arp-filter.nft" + +# bridge family, typical ebtables tables/chain layout +include "./bridge-filter.nft" diff --git a/files/examples/inet-filter.nft b/files/examples/inet-filter.nft new file mode 100755 index 0000000..e5c8c54 --- /dev/null +++ b/files/examples/inet-filter.nft @@ -0,0 +1,7 @@ +#!/usr/sbin/nft -f + +table inet filter { + chain input { type filter hook input priority 0; } + chain forward { type filter hook forward priority 0; } + chain output { type filter hook output priority 0; } +} 
diff --git a/files/examples/ipv4-filter.nft b/files/examples/ipv4-filter.nft new file mode 100755 index 0000000..73b11bc --- /dev/null +++ b/files/examples/ipv4-filter.nft @@ -0,0 +1,7 @@ +#!/usr/sbin/nft -f + +table filter { + chain input { type filter hook input priority 0; } + chain forward { type filter hook forward priority 0; } + chain output { type filter hook output priority 0; } +} diff --git a/files/examples/ipv4-mangle.nft b/files/examples/ipv4-mangle.nft new file mode 100755 index 0000000..2827ddf --- /dev/null +++ b/files/examples/ipv4-mangle.nft @@ -0,0 +1,5 @@ +#!/usr/sbin/nft -f + +table mangle { + chain output { type route hook output priority -150; } +} diff --git a/files/examples/ipv4-nat.nft b/files/examples/ipv4-nat.nft new file mode 100755 index 0000000..fd3bb40 --- /dev/null +++ b/files/examples/ipv4-nat.nft @@ -0,0 +1,8 @@ +#!/usr/sbin/nft -f + +table nat { + chain prerouting { type nat hook prerouting priority -100; } + chain input { type nat hook input priority 100; } + chain output { type nat hook output priority -100; } + chain postrouting { type nat hook postrouting priority 100; } +} diff --git a/files/examples/ipv4-raw.nft b/files/examples/ipv4-raw.nft new file mode 100755 index 0000000..91fc138 --- /dev/null +++ b/files/examples/ipv4-raw.nft @@ -0,0 +1,6 @@ +#!/usr/sbin/nft -f + +table raw { + chain prerouting { type filter hook prerouting priority -300; } + chain output { type filter hook output priority -300; } +} diff --git a/files/examples/ipv6-filter.nft b/files/examples/ipv6-filter.nft new file mode 100755 index 0000000..21f06a3 --- /dev/null +++ b/files/examples/ipv6-filter.nft @@ -0,0 +1,7 @@ +#!/usr/sbin/nft -f + +table ip6 filter { + chain input { type filter hook input priority 0; } + chain forward { type filter hook forward priority 0; } + chain output { type filter hook output priority 0; } +} diff --git a/files/examples/ipv6-mangle.nft b/files/examples/ipv6-mangle.nft new file mode 100755 index 0000000..e92dbef 
--- /dev/null +++ b/files/examples/ipv6-mangle.nft @@ -0,0 +1,5 @@ +#!/usr/sbin/nft -f + +table ip6 mangle { + chain output { type route hook output priority -150; } +} diff --git a/files/examples/ipv6-nat.nft b/files/examples/ipv6-nat.nft new file mode 100755 index 0000000..7437c19 --- /dev/null +++ b/files/examples/ipv6-nat.nft @@ -0,0 +1,8 @@ +#!/usr/sbin/nft -f + +table ip6 nat { + chain prerouting { type nat hook prerouting priority -100; } + chain input { type nat hook input priority 100; } + chain output { type nat hook output priority -100; } + chain postrouting { type nat hook postrouting priority 100; } +} diff --git a/files/examples/ipv6-raw.nft b/files/examples/ipv6-raw.nft new file mode 100755 index 0000000..812703a --- /dev/null +++ b/files/examples/ipv6-raw.nft @@ -0,0 +1,6 @@ +#!/usr/sbin/nft -f + +table ip6 raw { + chain prerouting { type filter hook prerouting priority -300; } + chain output { type filter hook output priority -300; } +} diff --git a/files/examples/netdev-ingress.nft b/files/examples/netdev-ingress.nft new file mode 100755 index 0000000..2585d15 --- /dev/null +++ b/files/examples/netdev-ingress.nft @@ -0,0 +1,7 @@ +#!/usr/sbin/nft -f + +# mind the NIC, it must exists +table netdev filter { + chain loinput { type filter hook ingress device lo priority 0; } +} + diff --git a/files/examples/sets_and_maps b/files/examples/sets_and_maps deleted file mode 100755 index 58369a3..0000000 --- a/files/examples/sets_and_maps +++ /dev/null 
@@ -1,53 +0,0 @@ -#! /sbin/nft -nf -# -# Examples of set and map usage -# - -# symbolic anonymous set definition built from symbolic singleton definitions -define int_if1 = eth0 -define int_if2 = eth1 -define int_ifs = { $int_if1, $int_if2 } - -define ext_if1 = eth2 -define ext_if2 = eth3 -define ext_ifs = { $ext_if1, $ext_if2 } - -# recursive symbolic anonymous set definition -define local_ifs = { $int_ifs, $ext_ifs } - -# symbolic anonymous set definition -define tcp_ports = { ssh, domain, https, 123-125 } - -delete table filter -table filter { - # named set of type iface_index - set local_ifs { - type iface_index - } - - # named map of type iface_index : ipv4_addr - map nat_map { - type iface_index : ipv4_addr - } - - map jump_map { - type iface_index : verdict - } - - chain input_1 { counter; } - chain input_2 { counter; } - chain input { - type filter hook input priority 0 - - # symbolic anonymous sets - meta iif $local_ifs tcp dport $tcp_ports counter - - # literal anonymous set - meta iif { eth0, eth1 } counter - - meta iif @local_ifs counter - meta iif vmap @jump_map - - #meta iif vmap { eth0 : jump input1, eth1 : jump input2 } - } -} diff --git a/files/examples/sets_and_maps.nft b/files/examples/sets_and_maps.nft new file mode 100755 index 0000000..f5157b3 --- /dev/null +++ b/files/examples/sets_and_maps.nft 
@@ -0,0 +1,54 @@ +#!/usr/sbin/nft -f + +# This example file shows how to use sets and maps in the nftables framework. +# This script is meant to be loaded with `nft -f ` +# For up-to-date information please visit https://wiki.nftables.org + +# symbolic anonymous set definition built from symbolic singleton definitions +define int_if1 = eth0 +define int_if2 = eth1 +define int_ifs = { $int_if1, $int_if2 } + +define ext_if1 = eth2 +define ext_if2 = eth3 +define ext_ifs = { $ext_if1, $ext_if2 } + +# recursive symbolic anonymous set definition +define local_ifs = { $int_ifs, $ext_ifs } + +# symbolic anonymous set definition +define tcp_ports = { ssh, domain, https, 123-125 } + +delete table filter +table filter { + # named set of type iface_index + set local_ifs { + type iface_index + } + + # named map of type iface_index : ipv4_addr + map nat_map { + type iface_index : ipv4_addr + } + + map jump_map { + type iface_index : verdict + } + + chain input_1 { counter; } + chain input_2 { counter; } + chain input { + type filter hook input priority 0 + + # symbolic anonymous sets + meta iif $local_ifs tcp dport $tcp_ports counter + + # literal anonymous set + meta iif { eth0, eth1 } counter + + meta iif @local_ifs counter + meta iif vmap @jump_map + + #meta iif vmap { eth0 : jump input1, eth1 : jump input2 } + } +} diff --git a/files/nftables/Makefile.am b/files/nftables/Makefile.am deleted file mode 100644 index 77d5c2a..0000000 --- a/files/nftables/Makefile.am +++ /dev/null @@ -1,16 +0,0 @@ - -pkgsysconfdir = ${sysconfdir}/nftables -dist_pkgsysconf_DATA = arp-filter \ - bridge-filter \ - inet-filter \ - ipv4-filter \ - ipv4-mangle \ - ipv4-nat \ - ipv4-raw \ - ipv6-filter \ - ipv6-mangle \ - ipv6-nat \ - ipv6-raw - -install-data-hook: - ${SED} -i 's|@sbindir[@]|${sbindir}/|g' ${DESTDIR}${pkgsysconfdir}/* diff --git a/files/nftables/arp-filter b/files/nftables/arp-filter deleted file mode 100644 index bcabf28..0000000 --- a/files/nftables/arp-filter +++ /dev/null 
@@ -1,6 +0,0 @@ -#! @sbindir@nft -f - -table arp filter { - chain input { type filter hook input priority 0; } - chain output { type filter hook output priority 0; } -} diff --git a/files/nftables/bridge-filter b/files/nftables/bridge-filter deleted file mode 100644 index 2add455..0000000 --- a/files/nftables/bridge-filter +++ /dev/null @@ -1,7 +0,0 @@ -#! @sbindir@nft -f - -table bridge filter { - chain input { type filter hook input priority -200; } - chain forward { type filter hook forward priority -200; } - chain output { type filter hook output priority 200; } -} diff --git a/files/nftables/inet-filter b/files/nftables/inet-filter deleted file mode 100644 index f572db5..0000000 --- a/files/nftables/inet-filter +++ /dev/null @@ -1,7 +0,0 @@ -#! @sbindir@nft -f - -table inet filter { - chain input { type filter hook input priority 0; } - chain forward { type filter hook forward priority 0; } - chain output { type filter hook output priority 0; } -} diff --git a/files/nftables/ipv4-filter b/files/nftables/ipv4-filter deleted file mode 100644 index a4ca7f2..0000000 --- a/files/nftables/ipv4-filter +++ /dev/null @@ -1,7 +0,0 @@ -#! @sbindir@nft -f - -table filter { - chain input { type filter hook input priority 0; } - chain forward { type filter hook forward priority 0; } - chain output { type filter hook output priority 0; } -} diff --git a/files/nftables/ipv4-mangle b/files/nftables/ipv4-mangle deleted file mode 100644 index be564a5..0000000 --- a/files/nftables/ipv4-mangle +++ /dev/null @@ -1,5 +0,0 @@ -#! @sbindir@nft -f - -table mangle { - chain output { type route hook output priority -150; } -} diff --git a/files/nftables/ipv4-nat b/files/nftables/ipv4-nat deleted file mode 100644 index 130a729..0000000 --- a/files/nftables/ipv4-nat +++ /dev/null 
@@ -1,8 +0,0 @@ -#! @sbindir@nft -f - -table nat { - chain prerouting { type nat hook prerouting priority -100; } - chain input { type nat hook input priority 100; } - chain output { type nat hook output priority -100; } - chain postrouting { type nat hook postrouting priority 100; } -} diff --git a/files/nftables/ipv4-raw b/files/nftables/ipv4-raw deleted file mode 100644 index 19773ee..0000000 --- a/files/nftables/ipv4-raw +++ /dev/null @@ -1,6 +0,0 @@ -#! @sbindir@nft -f - -table raw { - chain prerouting { type filter hook prerouting priority -300; } - chain output { type filter hook output priority -300; } -} diff --git a/files/nftables/ipv6-filter b/files/nftables/ipv6-filter deleted file mode 100644 index ce4d7de..0000000 --- a/files/nftables/ipv6-filter +++ /dev/null @@ -1,7 +0,0 @@ -#! @sbindir@nft -f - -table ip6 filter { - chain input { type filter hook input priority 0; } - chain forward { type filter hook forward priority 0; } - chain output { type filter hook output priority 0; } -} diff --git a/files/nftables/ipv6-mangle b/files/nftables/ipv6-mangle deleted file mode 100644 index fa32402..0000000 --- a/files/nftables/ipv6-mangle +++ /dev/null @@ -1,5 +0,0 @@ -#! @sbindir@nft -f - -table ip6 mangle { - chain output { type route hook output priority -150; } -} diff --git a/files/nftables/ipv6-nat b/files/nftables/ipv6-nat deleted file mode 100644 index e781686..0000000 --- a/files/nftables/ipv6-nat +++ /dev/null @@ -1,8 +0,0 @@ -#! @sbindir@nft -f - -table ip6 nat { - chain prerouting { type nat hook prerouting priority -100; } - chain input { type nat hook input priority 100; } - chain output { type nat hook output priority -100; } - chain postrouting { type nat hook postrouting priority 100; } -} diff --git a/files/nftables/ipv6-raw b/files/nftables/ipv6-raw deleted file mode 100644 index 5ee56a8..0000000 --- a/files/nftables/ipv6-raw +++ /dev/null 
@@ -1,6 +0,0 @@ -#! @sbindir@nft -f - -table ip6 raw { - chain prerouting { type filter hook prerouting priority -300; } - chain output { type filter hook output priority -300; } -} From patchwork Sat Feb 24 21:06:33 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arturo Borrero Gonzalez X-Patchwork-Id: 877462 X-Patchwork-Delegate: fw@strlen.de Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=netfilter.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 3zpgct26RYz9sW5 for ; Sun, 25 Feb 2018 08:06:38 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751474AbeBXVGi (ORCPT ); Sat, 24 Feb 2018 16:06:38 -0500 Received: from mail-wm0-f65.google.com ([74.125.82.65]:37763 "EHLO mail-wm0-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751428AbeBXVGh (ORCPT ); Sat, 24 Feb 2018 16:06:37 -0500 Received: by mail-wm0-f65.google.com with SMTP id m207so10567046wma.2 for ; Sat, 24 Feb 2018 13:06:37 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:from:to:date:message-id:in-reply-to :references:user-agent:mime-version:content-transfer-encoding; bh=zyVuDEO+2/zK6WTClKhSdLp0WdKISY8EcTFL4K14iyU=; b=bNzW5v0D+iovneAwolm0gjtp9mzLh1UNz3rhcgry1Vf4VWQ8XsR26XfgM3vLIghc0Q zlwWVLBgcuyfBa0lK+LfH0xDABVdpuBUOOQhKuhQc6wv4OrUjvuoWdLZOgzSg0Bs6nGI wpF1b2TFeosGf+XPChAG5t9VgSKZw8VVspNS8dQHUiP2lWDo9SyUwgHZ+4E4awPvPY+1 5fk2cVJHVeamFUIdn67pkdronVz24MLFg5QEKApNpdZE/sXEX55LTnqjJkqYweB3IRQc 
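Review bot: the Makefile.am hunk changes what `make install` does and the commit message does not say so. Moving `files` from SUBDIRS to EXTRA_DIST and deleting files/nftables/Makefile.am (which installed the scripts as dist_pkgsysconf_DATA into ${sysconfdir}/nftables, with the install-data-hook rewriting @sbindir@) means the examples are now only shipped in the tarball and nothing is installed under ${sysconfdir}/nftables any more. Packagers will notice, so please state the install-time change explicitly in the log.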
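Review bot: in the files/examples/families_and_hooks.nft hunk the header comment reads "This script is mean to be loaded with `nft -f `", which should be "meant", and nothing follows the `-f` flag (a placeholder such as `<file>` looks lost). Since every include uses a `./` path, the script only resolves them when nft is run from files/examples/; say so in the same comment so users do not get a "No such file" error when loading it from elsewhere.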
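Review bot: in the files/examples/netdev-ingress.nft hunk the comment "mind the NIC, it must exists" should read "it must exist", and the empty `+` line after the closing `+}` adds a blank line at end of file that git's whitespace check will flag; drop it.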
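Review bot: the files/examples/sets_and_maps.nft hunk keeps two pre-existing inconsistencies that this refresh is a good moment to fix. The commented-out `#meta iif vmap { eth0 : jump input1, eth1 : jump input2 }` names chains `input1`/`input2`, but the chains declared above are `input_1` and `input_2`. Also `delete table filter` fails on a system where that table does not exist yet, while families_and_hooks.nft in this same patch uses `flush ruleset`; using the same here makes the example load cleanly, and `type filter hook input priority 0` could take the trailing `;` the other new files use.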
QQKPB4IQualSkxUgvH5pFAXrYmCTZ37/qty+k17x3WTmL/F39Xy2Fc+wkVgyYdvpfCmw m2zQ== X-Gm-Message-State: APf1xPAvpHwcOyjCWSEimWPrxvBkvolSd91udWOcFd4VxWBlbsoC7lnB 9LtRBdhoKcRbkVMiv0FeQZBVcbzL X-Google-Smtp-Source: AG47ELvF3tREN46wY4edrwgqdtU6M66W8iIkaoYCyjE9Dhcqi8HAiO5y8AlkdRoZUgQaJn0O+HluaA== X-Received: by 10.28.128.137 with SMTP id b131mr5100256wmd.121.1519506396197; Sat, 24 Feb 2018 13:06:36 -0800 (PST) Received: from endurance (77.red-88-20-135.staticip.rima-tde.net. [88.20.135.77]) by smtp.gmail.com with ESMTPSA id 3sm795665wry.29.2018.02.24.13.06.34 for (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Sat, 24 Feb 2018 13:06:35 -0800 (PST) Received: by endurance (sSMTP sendmail emulation); Sat, 24 Feb 2018 22:06:33 +0100 Subject: [nft PATCH v2 2/3] examples: add ct helper examples From: Arturo Borrero Gonzalez To: netfilter-devel@vger.kernel.org Date: Sat, 24 Feb 2018 22:06:33 +0100 Message-ID: <151950638675.13955.16352027104331884609.stgit@endurance> In-Reply-To: <151950636353.13955.12971280407018844575.stgit@endurance> References: <151950636353.13955.12971280407018844575.stgit@endurance> User-Agent: StGit/0.18 MIME-Version: 1.0 Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org Include some examples in the nftables tarball on using the ct helper infraestructure, inspired from wiki.nftables.org. Signed-off-by: Arturo Borrero Gonzalez --- v2: fix some typos files/examples/ct_helpers.nft | 43 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100755 files/examples/ct_helpers.nft -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/files/examples/ct_helpers.nft b/files/examples/ct_helpers.nft new file mode 100755 index 0000000..fecdea6 --- /dev/null +++ b/files/examples/ct_helpers.nft 
@@ -0,0 +1,43 @@ +#!/usr/sin/nft -f + +# This example file shows how to use ct helpers in the nftables framework. +# Note that nftables includes interesting improvements compared to how this +# was done with iptables, such as loading multiple helpers with a single rule +# This script is meant to be loaded with `nft -f ` +# You require linux kernel >= 4.12 and nft >= 0.8 +# For up-to-date information please visit https://wiki.nftables.org + +# Using ct helpers is an important security feature when doing stateful +# firewalling, since it mitigate certain networking attacks. +# More info at: https://home.regit.org/netfilter-en/secure-use-of-helpers/ + + +flush ruleset +table inet filter { + # declare helpers of this table + ct helper ftp-standard { + type "ftp" protocol tcp; + l3proto inet + } + ct helper sip-5060 { + type "sip" protocol udp; + l3proto inet + } + ct helper tftp-69 { + type "tftp" protocol udp + l3proto inet + } + + chain input { + type filter hook input priority 0; policy drop; + ct state established,related accept + + # assign a single helper in a single rule + tcp dport 21 ct helper set "ftp-standard" + + # assign multiple helpers in a single rule + ct helper set udp dport map { + 69 : "tftp-69", \ + 5060 : "sip-5060" } + } +} From patchwork Sat Feb 24 21:06:49 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arturo Borrero Gonzalez X-Patchwork-Id: 877463 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=netfilter.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with 
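Review bot: the shebang in the files/examples/ct_helpers.nft hunk is `#!/usr/sin/nft -f`, so the file, which is created mode 100755, cannot be executed directly; it should be `#!/usr/sbin/nft -f` like the other examples. More importantly, the input chain has `policy drop` and only `ct state established,related accept`, and the two helper-assignment rules (`tcp dport 21 ct helper set "ftp-standard"` and the `udp dport map` rule) do not accept the packet, so a new FTP, SIP or TFTP connection falls through to the drop policy and the helper is never exercised; append `accept` to those rules or add an accept rule for those ports after them. Minor: "since it mitigate certain networking attacks" should read "mitigates", and the `tftp-69` helper block lacks the `;` after `protocol udp` that the other two helpers have.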
ESMTP id 3zpgdD4SqHz9sW5 for ; Sun, 25 Feb 2018 08:06:53 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751475AbeBXVGx (ORCPT ); Sat, 24 Feb 2018 16:06:53 -0500 Received: from mail-wm0-f67.google.com ([74.125.82.67]:38340 "EHLO mail-wm0-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751428AbeBXVGw (ORCPT ); Sat, 24 Feb 2018 16:06:52 -0500 Received: by mail-wm0-f67.google.com with SMTP id z9so10555034wmb.3 for ; Sat, 24 Feb 2018 13:06:52 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:from:to:date:message-id:in-reply-to :references:user-agent:mime-version:content-transfer-encoding; bh=xU8mHDmvROk7kduXV2YgFz/SxZ+1cnbsRXbJYx8xu+o=; b=rxBjtsWmrzGaxHh1yd7OfpSGNXkSOyuge1CnnZn6F9GxjrOrwoKBGmeE5PmZwoa/Si SiVQje1Wiz6vom4IB78vVS3W8mlykSsqKnyJpCksX+x6y8eCD2ZC+UqBhkfuLrLTfk3G /UVZKOesxZp7hbYj0DV6XZUNS8/AojaMUKcA4P7k8+McrzE2p5HZ5kGNfTlUXK6LNJRo /SDm1Dl0FPorEfUTllfsPq0F2+kQ7InD0m30HrLJCD/woFbqUuo1+8WsFCqEeMblSY7t m0/0JN/+Nnm4FhItzgCrk+JFQ99xrI35UDMvbl25LMpwTgqGZUojOcK9ns+4bFhobdLA xfHw== X-Gm-Message-State: APf1xPD2CPjUTB1uZcYy0y+p6XGrmgOAbEqhUPVmIWKWOPndnEWQ1Ix+ Toe14A3kI64pMHv7wZB4SVtpGpRI X-Google-Smtp-Source: AG47ELuzwONUb3l7Zvi4PepKXxGj53ua6iO6nUFMPU5aytXlRbZhYJo8fDvcfv5ZUVHPD+Hn6cFZug== X-Received: by 10.28.35.77 with SMTP id j74mr4404543wmj.96.1519506411568; Sat, 24 Feb 2018 13:06:51 -0800 (PST) Received: from endurance (77.red-88-20-135.staticip.rima-tde.net. [88.20.135.77]) by smtp.gmail.com with ESMTPSA id 62sm6440562wrf.24.2018.02.24.13.06.49 for (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Sat, 24 Feb 2018 13:06:50 -0800 (PST) Received: by endurance (sSMTP sendmail emulation); Sat, 24 Feb 2018 22:06:49 +0100 Subject: [nft PATCH v2 3/3] files: add load balance example 
From: Arturo Borrero Gonzalez To: netfilter-devel@vger.kernel.org Date: Sat, 24 Feb 2018 22:06:49 +0100 Message-ID: <151950640129.13955.17750717509870548057.stgit@endurance> In-Reply-To: <151950636353.13955.12971280407018844575.stgit@endurance> References: <151950636353.13955.12971280407018844575.stgit@endurance> User-Agent: StGit/0.18 MIME-Version: 1.0 Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org Include this example file in the tarball on how to do load balancing with nftables, inspired from https://wiki.nftables.org Signed-off-by: Arturo Borrero Gonzalez --- v2: fix some typos files/examples/load_balancing.nft | 54 +++++++++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100755 files/examples/load_balancing.nft -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/files/examples/load_balancing.nft b/files/examples/load_balancing.nft new file mode 100755 index 0000000..2f03d27 --- /dev/null +++ b/files/examples/load_balancing.nft 
@@ -0,0 +1,54 @@ +#!/usr/sbin/nft -f + +# This example file shows how to implement load balancing using the nftables +# framework. +# This script is meant to be loaded with `nft -f ` +# You require linux kernel >= 4.12 and nft >= 0.7 +# For up-to-date information please visit https://wiki.nftables.org + +flush ruleset + +table ip nat { + chain prerouting { + type nat hook prerouting priority -300; + # round-robing load balancing between the 2 IPv4 addresses: + dnat to numgen inc mod 2 map { + 0 : 192.168.10.100, \ + 1 : 192.168.20.200 } + # emulate flow distribution with different backend weights using intervals: + dnat to numgen inc mod 10 map { + 0-5 : 192.168.10.100, \ + 6-9 : 192.168.20.200 } + # tcp port based distribution is also possible: + ip protocol tcp dnat to 192.168.1.100 : numgen inc mod 2 map { + 0 : 4040 ,\ + 1 : 4050 } + # consistent hash-based distribution: + dnat to jhash ip saddr . tcp dport mod 2 map { + 0 : 192.168.20.100, \ + 1 : 192.168.30.100 } + } +} + +table ip raw { + chain prerouting { + type filter hook prerouting priority -300; + # using stateless NAT, round-robing distribution (you could use hashing too): + tcp dport 80 notrack ip daddr set numgen inc mod 2 map { 0 : 192.168.1.100, 1 : 192.168.1.101 } + } +} + +table netdev mytable { + chain ingress { + # mind the NIC devices, they must exist in the system + type filter hook ingress device eth0 priority 0; + # using Direct Server Return (DSR), connectionless approach: + udp dport 53 ether saddr set aa:bb:cc:dd:ff:ee ether daddr set numgen inc mod 2 map { + 0 : aa:aa:aa:aa:aa:aa, + 1 : bb:bb:bb:bb:bb:bb } fwd to eth1 + # using Direct Server Return (DSR), connection-oriented flows: + tcp dport 80 ether saddr set aa:bb:cc:dd:ff:ee ether daddr set jhash ip saddr . tcp sport mod 2 map { + 0 : aa:aa:aa:aa:aa:aa, + 1 : bb:bb:bb:bb:bb:bb } fwd to eth1 + } +}
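Review bot: in the `table ip nat` chain of the files/examples/load_balancing.nft hunk, the first `dnat to numgen inc mod 2 map {...}` has no match condition and dnat is a terminating statement, so the three alternatives that follow it (weighted intervals, port-based, jhash) are never reached; either comment out all but one or give each rule a distinguishing match so readers can see each technique take effect. The same chain is declared `type nat hook prerouting priority -300`, which places it ahead of conntrack (-200) where NAT cannot operate; iptables' nat PREROUTING sits at -100, and -300 looks copied from the `table ip raw` chain below where it is the right value for `notrack`. Minor: "round-robing" should read "round-robin" in both comments, `0 : 4040 ,\` has a stray space before the comma, and the nat maps use `\` line continuation while the netdev maps do not; pick one style.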