User Tools

Site Tools


doc:howto:netfilter

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
doc:howto:netfilter [2014/02/16 09:29]
lorema
doc:howto:netfilter [2015/05/02 13:09] (current)
markues [nftables]
Line 14: Line 14:
 Please have a look at this most excellent scheme: **[[http://​upload.wikimedia.org/​wikipedia/​commons/​3/​37/​Netfilter-packet-flow.svg|Netfilter Packet Flow]]** by Jan Engelhardt to understand how a packet traverses netfilter. The green stuff is the domain of ''​iptables''​ and ''​ip6tables'',​ while the blue stuff is being handled by ''​ebtables''​. Please have a look at this most excellent scheme: **[[http://​upload.wikimedia.org/​wikipedia/​commons/​3/​37/​Netfilter-packet-flow.svg|Netfilter Packet Flow]]** by Jan Engelhardt to understand how a packet traverses netfilter. The green stuff is the domain of ''​iptables''​ and ''​ip6tables'',​ while the blue stuff is being handled by ''​ebtables''​.
  
-Do not make the mistake to place your LAN on the left side and the Internet on the right side in your mind. They are both on both sides! When a packet enters the Linux Kernel (= that is the ingress buffer of the [[wp>​Network interface controller|NIC]] /​[[wp>​Wireless network interface controller|WNIC]]) it always comes in on the left side, regardless on which [[doc:​networking:​network.interfaces|interface]] it arrives. It traverses the network stack and then netfilter and when it leaves, it always leaves at the right side. While the packet traverses netfilter, netfilter looks for rules that match that network packet. When a rules matches a packet, that rule is being applied to that particular packet. This means the packet is being send to the TARGET specified in that rule. As soon as the network packet ​is matching ​a rule, this rule is being applied to it, and the packet stops traversing that table of netfilter! There are few exceptions to this behavior, e.g. the TARGETs ''​-j LOG'',​ ''​-j CUSTOM_CHAIN''​ or ''​-j MARK''​.+Do not make the mistake to place your LAN on the left side and the Internet on the right side in your mind. They are both on both sides! When a packet enters the Linux Kernel (= that is the ingress buffer of the [[wp>​Network interface controller|NIC]] /​[[wp>​Wireless network interface controller|WNIC]]) it always comes in on the left side, regardless on which [[doc:​networking:​network.interfaces|interface]] it arrives. It traverses the network stack and then netfilter and when it leaves, it always leaves at the right side. While the packet traverses netfilter, netfilter looks for rules that match that network packet. When a rule matches a packet, that rule is being applied to that particular packet. This means the packet is being sent to the TARGET specified in that rule. As soon as the network packet ​matches ​a rule, this rule is applied to it, and the packet stops traversing that table of netfilter! There are few exceptions to this behavior, e.g. the TARGETs ''​-j LOG'',​ ''​-j CUSTOM_CHAIN''​ or ''​-j MARK''​.
  
 ===== Configuration ===== ===== Configuration =====
Line 129: Line 129:
  
 ===== nftables ===== ===== nftables =====
-[[wp>​nftables]] is the successor of netfilter. Its user space utility **''​nft''​** replaces the entire ''​{ip,​eb,​arp,​ip6}tables''​ user space tool set. It still uses the netfilter architecture for complex extensions and is part of the netfilter project. +Please ​see **[[doc/​howto/​nftables]]**.
-The command-line user space utility is called **''​nft''​** and there is an API and library interface to it (''​libnftables''​). There is also an iptables to nft handle userspace conversion tool which will ease migration. +
-nftables is a major departure in that there is no need for deep protocol awareness in the kernel modules as everything filter related is handled by a basic virtual machine. +
-  * [[http://​netfilter.org/​projects/​nftables/​|nftables homepage]] + [[http://​article.gmane.org/​gmane.comp.security.firewalls.netfilter.devel/​44685|Announcement]] +
-  * [[https://​home.regit.org/​netfilter-en/​nftables-quick-howto/​|Nftables quick howto]] +
-    * The user space utility is called **''​nft''​**,​ its input resembles slightly that of **''​[[/​doc/​howto/​packet.scheduler/​packet.scheduler|tc]]''​** +
-  * https://​dev.openwrt.org/​ticket/​14415 +
- +
-The OpenWrt developers are aware of the nftables developments,​ and will migrate as soon as OpenWrt adopts a 3.13 kernel. Linux kernel version 3.13 was released 2014-01-20, [[http://​lkml.indiana.edu/​hypermail/​linux/​kernel/​1311.0/​00914.html|Linux 3.12 released .. and no merge window yet .. and 4.0 plans?]]. +
- +
-  * Anybody who wants to help in development,​ shall feel free to send patches: +
-    * for the OpenWrt operating system, ​see https://​dev.openwrt.org/​wiki/​SubmittingPatches +
-    * for the [[:​doc:​uci|UCI]] wrapper C-language firewall, see http://​nbd.name/​gitweb.cgi?​p=firewall3.git;​a=summary +
-  * The proper place for technical discussion on nftables migration is the the OpenWrt development mailing list: https://​lists.openwrt.org/​cgi-bin/​mailman/​listinfo/​openwrt-devel +
-  * The proper place for general discussions/​ideas is the OpenWrt Forum: https://​forum.openwrt.org/​ +
-  * The proper place for documentation is either **this wiki page** or **[[doc/​howto/​nftables]]**. +
-    * The proper place for documentation of the C-language wrapper firewall is [[doc:​uci:​firewall]]. +
- +
 ==== Modules for match/​TARGET ==== ==== Modules for match/​TARGET ====
 To quickly obtain a current overview type: ''​opkg list iptables-mod-*''​. Install the user space module, kernel modules are listed as dependencies and will be installed as well. To quickly obtain a current overview type: ''​opkg list iptables-mod-*''​. Install the user space module, kernel modules are listed as dependencies and will be installed as well.
Line 164: Line 146:
 | iptables-mod-hashlimit ​       |   ​| ​  5554 | iptables extensions for hashlimit matching Includes: - libipt_hashlimit ​ | | iptables-mod-hashlimit ​       |   ​| ​  5554 | iptables extensions for hashlimit matching Includes: - libipt_hashlimit ​ |
 | iptables-mod-imq ​             |   ​| ​  2220 | iptables extension for IMQ support. Includes: - libipt_IMQ, use it's successor => ''​[[http://​www.linuxfoundation.org/​collaborate/​workgroups/​networking/​ifb|kmod-ifb]]''​ | | iptables-mod-imq ​             |   ​| ​  2220 | iptables extension for IMQ support. Includes: - libipt_IMQ, use it's successor => ''​[[http://​www.linuxfoundation.org/​collaborate/​workgroups/​networking/​ifb|kmod-ifb]]''​ |
-| iptables-mod-ipopt ​           |   ​| ​ 22438 | iptables extensions for matching/​changing IP packet options. Includes: - libipt_CLASSIFY - libipt_dscp/​DSCP - libipt_ecn/​ECN - libipt_length - libipt_mac - libipt_mark/​MARK - libipt_statistic - libipt_tcpmms ​- libipt_tos/​TOS - libipt_ttl/​TTL - libipt_unclean ​ |+| iptables-mod-ipopt ​           |   ​| ​ 22438 | iptables extensions for matching/​changing IP packet options. Includes: - libipt_CLASSIFY - libipt_dscp/​DSCP - libipt_ecn/​ECN - libipt_length - libipt_mac - libipt_mark/​MARK - libipt_statistic - libipt_tcpmss ​- libipt_tos/​TOS - libipt_ttl/​TTL - libipt_unclean ​ |
 | iptables-mod-ipp2p ​           |   ​| ​  3315 | IPP2P iptables extension ​ | | iptables-mod-ipp2p ​           |   ​| ​  3315 | IPP2P iptables extension ​ |
 | iptables-mod-iprange ​         |   ​| ​  3627 | iptables extensions for matching ip ranges. Includes: - libipt_iprange ​ | | iptables-mod-iprange ​         |   ​| ​  3627 | iptables extensions for matching ip ranges. Includes: - libipt_iprange ​ |
doc/howto/netfilter.1392539368.txt.bz2 · Last modified: 2014/02/16 09:29 by lorema